From mpcolino at gmail.com Fri May 1 14:30:43 2009
From: mpcolino at gmail.com (Miguel P.C.)
Date: Fri, 1 May 2009 16:30:43 +0200
Subject: [Freeipa-devel] Re: Need Advice on "DEB" packaging.
In-Reply-To:
References: <1240053527.5138.1.camel@crow> <49EC6A7E.6030009@redhat.com>
Message-ID:

Hi everyone again,

I solved the first problem about not finding tevent libs with this:

export TEVENT_LIBS=$(DESTDIR)/usr/include/samba-4.0/
export TEVENT_CFLAGS="-I $(DESTDIR)/usr/include/samba-4.0/"

But I still have no clue on how to compile "server" as I still have the
same problem.

> Second:
> With tevent libs "linked" the way I said before, I try to build
> everything but, when building server, I find this:
> [snip]
> In file included from providers/data_provider.h:30,
>                  from providers/dp_auth_util.c:22:
> /usr/include/samba-4.0/ldb.h:789: error: expected '=', ',', ';', 'asm'
> or '__attribute__' before 'ldb_request_is_done'
> /usr/include/samba-4.0/ldb.h:849: error: expected declaration
> specifiers or '...' before '*' token
> /usr/include/samba-4.0/ldb.h:849: error: 'bool' declared as function
> returning a function
> [snip]

I'm using samba4 libs since there is no tevent in samba3.

Can you give me some advice on how to face this?

Thanks a lot.

M*

From sgallagh at redhat.com Fri May 1 14:46:29 2009
From: sgallagh at redhat.com (Stephen Gallagher)
Date: Fri, 01 May 2009 10:46:29 -0400
Subject: [Freeipa-devel] Re: Need Advice on "DEB" packaging.
In-Reply-To:
References: <1240053527.5138.1.camel@crow> <49EC6A7E.6030009@redhat.com>
Message-ID: <49FB0B45.5060305@redhat.com>

Miguel P.C. wrote:
> Hi everyone again,
>
> I solved the first problem about not finding tevent libs with this:
> export TEVENT_LIBS=$(DESTDIR)/usr/include/samba-4.0/
> export TEVENT_CFLAGS="-I $(DESTDIR)/usr/include/samba-4.0/"
>
> But I still have no clue on how to compile "server" as I still have the
> same problem.
>> Second:
>> With tevent libs "linked" the way I said before, I try to build
>> everything but, when building server, I find this:
>> [snip]
>> In file included from providers/data_provider.h:30,
>>                  from providers/dp_auth_util.c:22:
>> /usr/include/samba-4.0/ldb.h:789: error: expected '=', ',', ';', 'asm'
>> or '__attribute__' before 'ldb_request_is_done'
>> /usr/include/samba-4.0/ldb.h:849: error: expected declaration
>> specifiers or '...' before '*' token
>> /usr/include/samba-4.0/ldb.h:849: error: 'bool' declared as function
>> returning a function
>> [snip]
>

Miguel, it looks like you have something wrong in your compiler chain.
"bool" is a reserved word for a basic type. What version of GCC are you
using?
We've built with GCC 4.3.2 and 4.4.0 successfully.

--
Stephen Gallagher
RHCE 804006346421761

Looking to carve out IT costs?
www.redhat.com/carveoutcosts/

From mpcolino at gmail.com Sat May 2 07:40:45 2009
From: mpcolino at gmail.com (Miguel P.C.)
Date: Sat, 02 May 2009 09:40:45 +0200
Subject: [Freeipa-devel] Re: Need Advice on "DEB" packaging.
In-Reply-To: <49FB0B45.5060305@redhat.com>
References: <1240053527.5138.1.camel@crow> <49EC6A7E.6030009@redhat.com> <49FB0B45.5060305@redhat.com>
Message-ID: <1241250045.4204.6.camel@crow>

> Miguel, it looks like you have something wrong in your compiler chain.
> "bool" is a reserved word for a basic type. What version of GCC are you
> using?
> We've built with GCC 4.3.2 and 4.4.0 successfully.

GCC version 4.3.3

[migpc at crow:~]$ find /var/cache/pbuilder/ | grep gcc
/var/cache/pbuilder/aptcache/gcc-4.3_4.3.3-5ubuntu4_i386.deb
/var/cache/pbuilder/aptcache/gcc_4%3a4.3.3-1ubuntu1_i386.deb
/var/cache/pbuilder/aptcache/gcc-4.3-base_4.3.3-5ubuntu4_i386.deb
/var/cache/pbuilder/aptcache/libgcc1_1%3a4.3.3-5ubuntu4_i386.deb

I'll check all the build dependencies to see if something is wrong or
missing ....

> --
> Stephen Gallagher
> RHCE 804006346421761

M*

From sgallagh at redhat.com Mon May 4 11:54:37 2009
From: sgallagh at redhat.com (Stephen Gallagher)
Date: Mon, 04 May 2009 07:54:37 -0400
Subject: [Freeipa-devel] Re: Need Advice on "DEB" packaging.
In-Reply-To: <1241250045.4204.6.camel@crow>
References: <1240053527.5138.1.camel@crow> <49EC6A7E.6030009@redhat.com> <49FB0B45.5060305@redhat.com> <1241250045.4204.6.camel@crow>
Message-ID: <49FED77D.5040008@redhat.com>

Miguel P.C. wrote:
>> Miguel, it looks like you have something wrong in your compiler chain.
>> "bool" is a reserved word for a basic type. What version of GCC are you
>> using?
>> We've built with GCC 4.3.2 and 4.4.0 successfully.
>
> GCC version 4.3.3
>
> [migpc at crow:~]$ find /var/cache/pbuilder/ | grep gcc
> /var/cache/pbuilder/aptcache/gcc-4.3_4.3.3-5ubuntu4_i386.deb
> /var/cache/pbuilder/aptcache/gcc_4%3a4.3.3-1ubuntu1_i386.deb
> /var/cache/pbuilder/aptcache/gcc-4.3-base_4.3.3-5ubuntu4_i386.deb
> /var/cache/pbuilder/aptcache/libgcc1_1%3a4.3.3-5ubuntu4_i386.deb
>
> I'll check all the build dependencies to see if something is wrong or
> missing ....
>
>> --
>> Stephen Gallagher
>> RHCE 804006346421761
>
> M*
>
>
> ------------------------------------------------------------------------
>
> _______________________________________________
> Freeipa-devel mailing list
> Freeipa-devel at redhat.com
> https://www.redhat.com/mailman/listinfo/freeipa-devel

Miguel, would it be possible for us to schedule an hour sometime
tomorrow or Wednesday to work together more directly on this problem?

Ahead of time, could you tell me what distribution of Ubuntu you are
doing your development on and what patches you've applied to get the
source to build in that environment? I'd like to put together a VM and
see if I can duplicate your results to make it easier to debug.

--
Stephen Gallagher
RHCE 804006346421761

Looking to carve out IT costs?
www.redhat.com/carveoutcosts/

From mpcolino at gmail.com Mon May 4 15:58:33 2009
From: mpcolino at gmail.com (Miguel P.C.)
Date: Mon, 4 May 2009 17:58:33 +0200
Subject: [Freeipa-devel] Re: Need Advice on "DEB" packaging.
In-Reply-To: <49FED77D.5040008@redhat.com>
References: <1240053527.5138.1.camel@crow> <49EC6A7E.6030009@redhat.com> <49FB0B45.5060305@redhat.com> <1241250045.4204.6.camel@crow> <49FED77D.5040008@redhat.com>
Message-ID:

Hi!

> Ahead of time, could you tell me what distribution of Ubuntu you are
> doing your development on and what patches you've applied to get the
> source to build in that environment?

I'm using Ubuntu 9.04 "Jaunty".
To build the packages I'm using "pbuilder" to have a, let's say,
pristine environment to work every time I try to build.

> I'd like to put together a VM and
> see if I can duplicate your results to make it easier to debug.

Just install Ubuntu 9.04 in the VM and follow the Ubuntu Packaging Guide:
https://wiki.ubuntu.com/PackagingGuide/Complete

If I'm not wrong I installed the following packages (some simply meta-packages):
* build-essential
* ubuntu-dev-tools
* dev-scripts
* dh-make
* pbuilder

Then I created the environment with the following command line:
$ sudo pbuilder create
When used w/o options it simply creates it with the same version of
the system you are working on.

Then I wrote the files needed to create a debian package up to the
point when build is needed (no further testing). I attach those files
as they are not big at all.

Afterwards I download the source file (sssd-0.3.3.tar.gz) unpack it,
unpack the debian directory inside the unpacked source (no
tongue-twister intended) and copy it to sssd_0.3.3.orig.tar.gz.

Finally I go into sssd-0.3.3 directory and run pdebuild. This creates
the environment with the specified build-deps (included in the
"debian/control" file) and tries to compile/build the package.

Hope this helps. (My 0.02 €)

M*

> --
> Stephen Gallagher
> RHCE 804006346421761
>
> Looking to carve out IT costs?
> www.redhat.com/carveoutcosts/
>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0001-debian-sssd-0.3.3.tar.gz
Type: application/x-gzip
Size: 14529 bytes
Desc: not available
URL:

From mpcolino at gmail.com Mon May 4 16:19:08 2009
From: mpcolino at gmail.com (Miguel P.C.)
Date: Mon, 4 May 2009 18:19:08 +0200
Subject: [Freeipa-devel] Re: Need Advice on "DEB" packaging.
In-Reply-To:
References: <1240053527.5138.1.camel@crow> <49EC6A7E.6030009@redhat.com> <49FB0B45.5060305@redhat.com> <1241250045.4204.6.camel@crow> <49FED77D.5040008@redhat.com>
Message-ID:

Forgot one step.

After setting up the pbuilder environment, you need to add Universe
support to it:
https://wiki.ubuntu.com/PbuilderHowto#Universe%20support

From sgallagh at redhat.com Mon May 4 17:10:59 2009
From: sgallagh at redhat.com (Stephen Gallagher)
Date: Mon, 04 May 2009 13:10:59 -0400
Subject: [Freeipa-devel] [PATCH][SSSD] Fixes for porting to Debian-based platforms
Message-ID: <49FF21A3.7060709@redhat.com>

Very minor changes to header file location.

Added a more strict check for PAM libraries.

--
Stephen Gallagher
RHCE 804006346421761

Looking to carve out IT costs?
www.redhat.com/carveoutcosts/
-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: 0001-Fixes-for-porting-SSSD-to-Debian-based-platforms.patch
URL:

From sgallagh at redhat.com Mon May 4 17:15:28 2009
From: sgallagh at redhat.com (Stephen Gallagher)
Date: Mon, 04 May 2009 13:15:28 -0400
Subject: [Freeipa-devel] Re: Need Advice on "DEB" packaging.
In-Reply-To:
References: <1240053527.5138.1.camel@crow> <49EC6A7E.6030009@redhat.com> <49FB0B45.5060305@redhat.com> <1241250045.4204.6.camel@crow> <49FED77D.5040008@redhat.com>
Message-ID: <49FF22B0.1030605@redhat.com>

Miguel P.C. wrote:
> Hi!
>
>> Ahead of time, could you tell me what distribution of Ubuntu you are
>> doing your development on and what patches you've applied to get the
>> source to build in that environment?
>
> I'm using Ubuntu 9.04 "Jaunty".
> To build the packages I'm using "pbuilder" to have a, let's say,
> pristine environment to work every time I try to build.
>
>> I'd like to put together a VM and
>> see if I can duplicate your results to make it easier to debug.
>
> Just install Ubuntu 9.04 in the VM and follow the Ubuntu Packaging Guide:
> https://wiki.ubuntu.com/PackagingGuide/Complete
>
> If I'm not wrong I installed the following packages (some simply meta-packages):
> * build-essential
> * ubuntu-dev-tools
> * dev-scripts
> * dh-make
> * pbuilder
>
> Then I created the environment with the following command line:
> $ sudo pbuilder create
> When used w/o options it simply creates it with the same version of
> the system you are working on.
>
> Then I wrote the files needed to create a debian package up to the
> point when build is needed (no further testing). I attach those files
> as they are not big at all.
>
> Afterwards I download the source file (sssd-0.3.3.tar.gz) unpack it,
> unpack the debian directory inside the unpacked source (no
> tongue-twister intended) and copy it to sssd_0.3.3.orig.tar.gz.
>
> Finally I go into sssd-0.3.3 directory and run pdebuild. This creates
> the environment with the specified build-deps (included in the
> "debian/control" file) and tries to compile/build the package.
>
> Hope this helps. (My 0.02 €)
>
> M*
>
>
>
>> --
>> Stephen Gallagher
>> RHCE 804006346421761
>>
>> Looking to carve out IT costs?
>> www.redhat.com/carveoutcosts/

Miguel, I have sent a patch to the freeipa-devel-list with some header
file changes to solve the compilation issues you were seeing.

There are still problems remaining, however. Ubuntu's libldb-samba4-dev
package does not include the ldb_module.h header (and associated files),
so it is impossible to build the LDB modules we need within the SSSD.
You need to contact the LDB package maintainer for Ubuntu and arrange
for this functionality to be included. Until that is done, you won't be
able to build the SSSD.

At the same time, you should request of the Ubuntu Samba maintainers to
produce a libtevent and libtevent-dev package separate from
samba4-common and python-samba4-dev (respectively) that includes a
pkg-config file for TEvent. This will simplify building the SSSD. In the
meantime, the following environment variables will work around this
problem:

export TEVENT_LIBS="/usr/lib/python2.6/dist-packages/tevent.so"
export TEVENT_CFLAGS="-I/usr/include/samba-4.0/"

--
Stephen Gallagher
RHCE 804006346421761

Looking to carve out IT costs?
www.redhat.com/carveoutcosts/

From jderose at redhat.com Mon May 4 17:26:28 2009
From: jderose at redhat.com (Jason Gerard DeRose)
Date: Mon, 04 May 2009 11:26:28 -0600
Subject: [Freeipa-devel] Re: Need Advice on "DEB" packaging.
In-Reply-To: <49FED77D.5040008@redhat.com>
References: <1240053527.5138.1.camel@crow> <49EC6A7E.6030009@redhat.com> <49FB0B45.5060305@redhat.com> <1241250045.4204.6.camel@crow> <49FED77D.5040008@redhat.com>
Message-ID: <1241457988.13868.1.camel@jgd-dsk>

On Mon, 2009-05-04 at 07:54 -0400, Stephen Gallagher wrote:
> Miguel P.C. wrote:
> >> Miguel, it looks like you have something wrong in your compiler chain.
> >> "bool" is a reserved word for a basic type. What version of GCC are you
> >> using?
> >> We've built with GCC 4.3.2 and 4.4.0 successfully.
> >
> > GCC version 4.3.3
> >
> > [migpc at crow:~]$ find /var/cache/pbuilder/ | grep gcc
> > /var/cache/pbuilder/aptcache/gcc-4.3_4.3.3-5ubuntu4_i386.deb
> > /var/cache/pbuilder/aptcache/gcc_4%3a4.3.3-1ubuntu1_i386.deb
> > /var/cache/pbuilder/aptcache/gcc-4.3-base_4.3.3-5ubuntu4_i386.deb
> > /var/cache/pbuilder/aptcache/libgcc1_1%3a4.3.3-5ubuntu4_i386.deb
> >
> > I'll check all the build dependencies to see if something is wrong or
> > missing ....
> >
> >> --
> >> Stephen Gallagher
> >> RHCE 804006346421761
> >
> > M*
>
> Miguel, would it be possible for us to schedule an hour sometime
> tomorrow or Wednesday to work together more directly on this problem?

I would like to get in on this too. Plus, it would give me a chance to
learn how to build SSSD. ;)

> Ahead of time, could you tell me what distribution of Ubuntu you are
> doing your development on and what patches you've applied to get the
> source to build in that environment? I'd like to put together a VM and
> see if I can duplicate your results to make it easier to debug.
>
> --
> Stephen Gallagher
> RHCE 804006346421761
>
> Looking to carve out IT costs?
> www.redhat.com/carveoutcosts/

From ssorce at redhat.com Mon May 4 18:01:52 2009
From: ssorce at redhat.com (Simo Sorce)
Date: Mon, 04 May 2009 14:01:52 -0400
Subject: [Freeipa-devel] [PATCH][SSSD] Fixes for porting to Debian-based platforms
In-Reply-To: <49FF21A3.7060709@redhat.com>
References: <49FF21A3.7060709@redhat.com>
Message-ID: <1241460112.29148.160.camel@localhost.localdomain>

On Mon, 2009-05-04 at 13:10 -0400, Stephen Gallagher wrote:
> Very minor changes to header file location.
>
> Added a more strict check for PAM libraries.

Ack

--
Simo Sorce * Red Hat, Inc * New York

From sgallagh at redhat.com Mon May 4 18:16:34 2009
From: sgallagh at redhat.com (Stephen Gallagher)
Date: Mon, 04 May 2009 14:16:34 -0400
Subject: [Freeipa-devel] [PATCH][SSSD] Fixes for porting to Debian-based platforms
In-Reply-To: <1241460112.29148.160.camel@localhost.localdomain>
References: <49FF21A3.7060709@redhat.com> <1241460112.29148.160.camel@localhost.localdomain>
Message-ID: <49FF3102.6080406@redhat.com>

Simo Sorce wrote:
> On Mon, 2009-05-04 at 13:10 -0400, Stephen Gallagher wrote:
>> Very minor changes to header file location.
>>
>> Added a more strict check for PAM libraries.
>
> Ack
>

Pushed to master.

--
Stephen Gallagher
RHCE 804006346421761

Looking to carve out IT costs?
www.redhat.com/carveoutcosts/

From jderose at redhat.com Mon May 4 19:41:05 2009
From: jderose at redhat.com (Jason Gerard DeRose)
Date: Mon, 04 May 2009 13:41:05 -0600
Subject: [Freeipa-devel] [PATCH] add signing cert profile to installer
In-Reply-To: <49E8F241.3030302@redhat.com>
References: <49E8A213.2010502@redhat.com> <49E8F241.3030302@redhat.com>
Message-ID: <1241466065.13868.91.camel@jgd-dsk>

On Fri, 2009-04-17 at 17:18 -0400, Rob Crittenden wrote:
> Rob Crittenden wrote:
> > This patch adds a signing cert profile to dogtag that we use to generate
> > an object signing cert that will work with signtool. We use this to
> > create the signed jar file in order to do autoconfiguration in Firefox.
> >
> > This patch also does some file permission cleanup and fixes a few
> > leaking fds.
> >
>
> I goofed on the commit. It only contained the new file. Here is a
> revised patch.
>
> rob

ack. There are aspects of this patch that I don't fully understand as I
still haven't delved into the installer much, but as far as I can tell
this all looks shiny.

One note to all of us, I think eventually we still need to relocate the
modules in ipapython into ipalib and/or ipaserver... unless there is a
compelling reason they should be in their own package.

From jderose at redhat.com Mon May 4 20:00:43 2009
From: jderose at redhat.com (Jason Gerard DeRose)
Date: Mon, 04 May 2009 14:00:43 -0600
Subject: [Freeipa-devel] [PATCH] 184 change dogtag port
In-Reply-To: <49EF6FA4.7090601@redhat.com>
References: <49EF6FA4.7090601@redhat.com>
Message-ID: <1241467243.13868.103.camel@jgd-dsk>

On Wed, 2009-04-22 at 15:27 -0400, Rob Crittenden wrote:
> Dogtag keeps telling me that I should use port 9444 and not 9443 so I'm
> going to listen.
>
> rob

ack if Andrew is okay with it.

Andrew, I thought that during an IRC conversation you originally told me
the ca_ssl_port should be 9443. Did I just goof up? Should the default
be 9443 or 9444?

From rcritten at redhat.com Mon May 4 20:31:29 2009
From: rcritten at redhat.com (Rob Crittenden)
Date: Mon, 04 May 2009 16:31:29 -0400
Subject: [Freeipa-devel] [PATCH] 199 convert uidnumber to string
Message-ID: <49FF50A1.4030409@redhat.com>

We need to convert the uidnumber to a string when adding/modifying users
to avoid a type error on the LDAP side.

Pavel, I'm not sure whether this is handled automagically or not in your
version of the plugin.

rob
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-199-uidnumber.patch
Type: text/x-patch
Size: 1259 bytes
Desc: not available
URL:

From jderose at redhat.com Mon May 4 20:31:24 2009
From: jderose at redhat.com (Jason Gerard DeRose)
Date: Mon, 04 May 2009 14:31:24 -0600
Subject: [Freeipa-devel] [PATCH] 188 Add temporary certdb library
In-Reply-To: <49EF74AF.9090702@redhat.com>
References: <49EF74AF.9090702@redhat.com>
Message-ID: <1241469084.13868.138.camel@jgd-dsk>

On Wed, 2009-04-22 at 15:49 -0400, Rob Crittenden wrote:
> Add a new class for handling temporary NSS certificate database. The
> only current consumer is the join plugin.
>
> This patch also contains the start of issuing server certs in the join
> plugin.
>
> rob

ack. This patch requires python-nss, but that was added in
freeipa-191-nss.patch.

From jderose at redhat.com Mon May 4 20:46:01 2009
From: jderose at redhat.com (Jason Gerard DeRose)
Date: Mon, 04 May 2009 14:46:01 -0600
Subject: [Freeipa-devel] [PATCH] 190 Use dogtag functions
In-Reply-To: <49EF750F.6090307@redhat.com>
References: <49EF750F.6090307@redhat.com>
Message-ID: <1241469961.13868.162.camel@jgd-dsk>

On Wed, 2009-04-22 at 15:50 -0400, Rob Crittenden wrote:
> Use the CA cert fetch function in the CA installer.
>
> rob

ack.

From rcritten at redhat.com Mon May 4 20:56:48 2009
From: rcritten at redhat.com (Rob Crittenden)
Date: Mon, 04 May 2009 16:56:48 -0400
Subject: [Freeipa-devel] [PATCH] add signing cert profile to installer
In-Reply-To: <1241466065.13868.91.camel@jgd-dsk>
References: <49E8A213.2010502@redhat.com> <49E8F241.3030302@redhat.com> <1241466065.13868.91.camel@jgd-dsk>
Message-ID: <49FF5690.8030708@redhat.com>

Jason Gerard DeRose wrote:
> On Fri, 2009-04-17 at 17:18 -0400, Rob Crittenden wrote:
>> Rob Crittenden wrote:
>>> This patch adds a signing cert profile to dogtag that we use to generate
>>> an object signing cert that will work with signtool. We use this to
>>> create the signed jar file in order to do autoconfiguration in Firefox.
>>>
>>> This patch also does some file permission cleanup and fixes a few
>>> leaking fds.
>>>
>> I goofed on the commit. It only contained the new file. Here is a
>> revised patch.
>>
>> rob
>
> ack. There are aspects of this patch that I don't fully understand as I
> still haven't delved into the installer much, but as far as I can tell
> this all looks shiny.

pushed to master

>
> One note to all of us, I think eventually we still need to relocate the
> modules in ipapython into ipalib and/or ipaserver... unless there is a
> compelling reason they should be in their own package.
>

The reason it is there now is that it is common code for the server and
client but isn't quite framework code.

rob

From rcritten at redhat.com Mon May 4 20:57:01 2009
From: rcritten at redhat.com (Rob Crittenden)
Date: Mon, 04 May 2009 16:57:01 -0400
Subject: [Freeipa-devel] [PATCH] 188 Add temporary certdb library
In-Reply-To: <1241469084.13868.138.camel@jgd-dsk>
References: <49EF74AF.9090702@redhat.com> <1241469084.13868.138.camel@jgd-dsk>
Message-ID: <49FF569D.9070402@redhat.com>

Jason Gerard DeRose wrote:
> On Wed, 2009-04-22 at 15:49 -0400, Rob Crittenden wrote:
>> Add a new class for handling temporary NSS certificate database. The
>> only current consumer is the join plugin.
>>
>> This patch also contains the start of issuing server certs in the join
>> plugin.
>>
>> rob
>
> ack. This patch requires python-nss, but that was added in
> freeipa-191-nss.patch.
>
>
>

pushed to master

From rcritten at redhat.com Mon May 4 20:58:25 2009
From: rcritten at redhat.com (Rob Crittenden)
Date: Mon, 04 May 2009 16:58:25 -0400
Subject: [Freeipa-devel] [PATCH] 190 Use dogtag functions
In-Reply-To: <1241469961.13868.162.camel@jgd-dsk>
References: <49EF750F.6090307@redhat.com> <1241469961.13868.162.camel@jgd-dsk>
Message-ID: <49FF56F1.8030403@redhat.com>

Jason Gerard DeRose wrote:
> On Wed, 2009-04-22 at 15:50 -0400, Rob Crittenden wrote:
>> Use the CA cert fetch function in the CA installer.
>>
>> rob
>
> ack.
>

pushed to master

From jderose at redhat.com Mon May 4 20:59:55 2009
From: jderose at redhat.com (Jason Gerard DeRose)
Date: Mon, 04 May 2009 14:59:55 -0600
Subject: [Freeipa-devel] [PATCH] Add python-nss as a dependency
In-Reply-To: <49EF88C8.6010609@redhat.com>
References: <49EF88C8.6010609@redhat.com>
Message-ID: <1241470795.13868.190.camel@jgd-dsk>

On Wed, 2009-04-22 at 17:14 -0400, Rob Crittenden wrote:
> Add the python-nss package as a dependency.
>
> rob

ack.

We might consider adding BuildRequires: python-nss also. Eventually I'd
like all the unit tests to run when we build the rpm, so I assume we'd
need python-nss installed so we don't get an ImportError.

From rcritten at redhat.com Mon May 4 21:02:12 2009
From: rcritten at redhat.com (Rob Crittenden)
Date: Mon, 04 May 2009 17:02:12 -0400
Subject: [Freeipa-devel] [PATCH] Add python-nss as a dependency
In-Reply-To: <1241470795.13868.190.camel@jgd-dsk>
References: <49EF88C8.6010609@redhat.com> <1241470795.13868.190.camel@jgd-dsk>
Message-ID: <49FF57D4.7060906@redhat.com>

Jason Gerard DeRose wrote:
> On Wed, 2009-04-22 at 17:14 -0400, Rob Crittenden wrote:
>> Add the python-nss package as a dependency.
>>
>> rob
>
> ack.
>
> We might consider adding BuildRequires: python-nss also. Eventually I'd
> like all the unit tests to run when we build the rpm, so I assume we'd
> need python-nss installed so we don't get an ImportError.
>

Ok we can add it when the time comes.

pushed to master

From jderose at redhat.com Mon May 4 21:17:11 2009
From: jderose at redhat.com (Jason Gerard DeRose)
Date: Mon, 04 May 2009 15:17:11 -0600
Subject: [Freeipa-devel] [PATCH] fix replication installation
In-Reply-To: <49F76FE0.2060605@redhat.com>
References: <49F76FE0.2060605@redhat.com>
Message-ID: <1241471831.13868.213.camel@jgd-dsk>

On Tue, 2009-04-28 at 17:06 -0400, Rob Crittenden wrote:
> This patch fixes replication creation and installation. This is only for
> the certutil-based self-signed CA. It will not work with dogtag.
>
> rob

ack.

From jderose at redhat.com Mon May 4 21:24:26 2009
From: jderose at redhat.com (Jason Gerard DeRose)
Date: Mon, 04 May 2009 15:24:26 -0600
Subject: [Freeipa-devel] [PATCH] 180 Don't hardcode requestId
In-Reply-To: <49F77374.6040506@redhat.com>
References: <49F77374.6040506@redhat.com>
Message-ID: <1241472266.13868.223.camel@jgd-dsk>

On Tue, 2009-04-28 at 17:21 -0400, Rob Crittenden wrote:
> During dogtag installation we request and issue the RA user certificate.
> Don't hardcode the requestId as it is available in the output when we
> issue the request to the CA.
>
> rob

ack, but I can't get this to apply to my tree, probably because stuff
got pretty out-of-sync (which I take credit for).

From jderose at redhat.com Mon May 4 21:26:37 2009
From: jderose at redhat.com (Jason Gerard DeRose)
Date: Mon, 04 May 2009 15:26:37 -0600
Subject: [Freeipa-devel] [PATCH] 197 add posixGroup to objectclass if gidnumber is set
In-Reply-To: <49F90C59.3070208@redhat.com>
References: <49F90C59.3070208@redhat.com>
Message-ID: <1241472397.13868.226.camel@jgd-dsk>

On Wed, 2009-04-29 at 22:26 -0400, Rob Crittenden wrote:
> We added posixGroup to the objectclass list if --posix was passed in but
> not if one wanted to set an explicit gidnumber. This caused an
> objectclass violation. Add this objectclass if --gid is passed in.
>
> rob

ack.

From jderose at redhat.com Mon May 4 21:37:08 2009
From: jderose at redhat.com (Jason Gerard DeRose)
Date: Mon, 04 May 2009 15:37:08 -0600
Subject: [Freeipa-devel] [PATCH] allow password to be sent in via pipe
In-Reply-To: <49F9F711.9030300@redhat.com>
References: <49F9F711.9030300@redhat.com>
Message-ID: <1241473028.13868.246.camel@jgd-dsk>

On Thu, 2009-04-30 at 15:08 -0400, Rob Crittenden wrote:
> When reading a password, if there is no tty, read from stdin instead.
>
> This will allow one to pipe a password in:
>
> echo -e "secret123\secret123\n" | ipa password someuser
>
> rob

ack, good start.

One thing we might want to change is I don't think you should have to
provide the password twice from stdin. I think this would be better:

    if stdin.isatty():
        # prompt with getpass()
        # prompt again with getpass() to confirm
    else:
        stdin.readline().strip()  # Just once

This will make it easier when scripting with ipa (which I assume is when
this feature would most likely be used).

Also, this use is pretty ambiguous in cases where you have a command
that has more than one Password param. I don't think we have anything
like this in IPA yet, but we might down the road.

From rcritten at redhat.com Mon May 4 21:41:45 2009
From: rcritten at redhat.com (Rob Crittenden)
Date: Mon, 04 May 2009 17:41:45 -0400
Subject: [Freeipa-devel] [PATCH] fix replication installation
In-Reply-To: <1241471831.13868.213.camel@jgd-dsk>
References: <49F76FE0.2060605@redhat.com> <1241471831.13868.213.camel@jgd-dsk>
Message-ID: <49FF6119.8010104@redhat.com>

Jason Gerard DeRose wrote:
> On Tue, 2009-04-28 at 17:06 -0400, Rob Crittenden wrote:
>> This patch fixes replication creation and installation. This is only for
>> the certutil-based self-signed CA. It will not work with dogtag.
>>
>> rob
>
> ack.
>

pushed to master

From rcritten at redhat.com Mon May 4 21:42:26 2009
From: rcritten at redhat.com (Rob Crittenden)
Date: Mon, 04 May 2009 17:42:26 -0400
Subject: [Freeipa-devel] [PATCH] 180 Don't hardcode requestId
In-Reply-To: <1241472266.13868.223.camel@jgd-dsk>
References: <49F77374.6040506@redhat.com> <1241472266.13868.223.camel@jgd-dsk>
Message-ID: <49FF6142.6030104@redhat.com>

Jason Gerard DeRose wrote:
> On Tue, 2009-04-28 at 17:21 -0400, Rob Crittenden wrote:
>> During dogtag installation we request and issue the RA user certificate.
>> Don't hardcode the requestId as it is available in the output when we
>> issue the request to the CA.
>>
>> rob
>
> ack, but I can't get this to apply to my tree, probably because stuff
> got pretty out-of-sync (which I take credit for).
>

Doesn't apply in master either. I'll rebase and send out a fresh patch
just in case.

rob

From rcritten at redhat.com Mon May 4 21:42:41 2009
From: rcritten at redhat.com (Rob Crittenden)
Date: Mon, 04 May 2009 17:42:41 -0400
Subject: [Freeipa-devel] [PATCH] 197 add posixGroup to objectclass if gidnumber is set
In-Reply-To: <1241472397.13868.226.camel@jgd-dsk>
References: <49F90C59.3070208@redhat.com> <1241472397.13868.226.camel@jgd-dsk>
Message-ID: <49FF6151.3070405@redhat.com>

Jason Gerard DeRose wrote:
> On Wed, 2009-04-29 at 22:26 -0400, Rob Crittenden wrote:
>> We added posixGroup to the objectclass list if --posix was passed in but
>> not if one wanted to set an explicit gidnumber. This caused an
>> objectclass violation. Add this objectclass if --gid is passed in.
>>
>> rob
>
> ack.
>

pushed to master

From rcritten at redhat.com Mon May 4 21:43:39 2009
From: rcritten at redhat.com (Rob Crittenden)
Date: Mon, 04 May 2009 17:43:39 -0400
Subject: [Freeipa-devel] [PATCH] allow password to be sent in via pipe
In-Reply-To: <1241473028.13868.246.camel@jgd-dsk>
References: <49F9F711.9030300@redhat.com> <1241473028.13868.246.camel@jgd-dsk>
Message-ID: <49FF618B.1020603@redhat.com>

Jason Gerard DeRose wrote:
> On Thu, 2009-04-30 at 15:08 -0400, Rob Crittenden wrote:
>> When reading a password, if there is no tty, read from stdin instead.
>>
>> This will allow one to pipe a password in:
>>
>> echo -e "secret123\nsecret123\n" | ipa password someuser
>>
>> rob
>
> ack, good start.
>
> One thing we might want to change is I don't think you should have to
> provide the password twice from stdin. I think this would be better:
>
>     if stdin.isatty():
>         # prompt with getpass()
>         # prompt again with getpass() to confirm
>     else:
>         stdin.readline().strip()  # Just once
>
> This will make it easier when scripting with ipa (which I assume is when
> this feature would most likely be used).
>
> Also, this use is pretty ambiguous in cases where you have a command
> that has more than one Password param. I don't think we have anything
> like this in IPA yet, but we might down the road.
>

Yeah, I thought the double-read was a bit goofy too but it at least gets
us moving in the right direction :-)

rob

From rcritten at redhat.com Mon May 4 21:48:02 2009
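The tty-versus-pipe behaviour discussed in this thread, as an added Python example (it is not the FreeIPA patch, which is not shown on this page). `read_password`, `read_passwords` and `PasswordInputError` are hypothetical names, and reading one line per Password param in the order given is an assumed convention for the multi-password case raised above.

```python
import getpass
import io
import sys


class PasswordInputError(Exception):
    """Raised when no usable password could be read."""


def read_password(label, stdin=None, prompt=getpass.getpass):
    """Read one password: prompt twice on a terminal, read one line from a pipe."""
    stdin = sys.stdin if stdin is None else stdin
    if stdin.isatty():
        # Interactive: input is not echoed, so ask twice to catch typos.
        first = prompt(f"{label}: ")
        second = prompt(f"Enter {label} again to verify: ")
        if first != second:
            raise PasswordInputError(f"{label}: entries do not match")
        password = first
    else:
        # Scripted: exactly one line per password, no confirmation.
        line = stdin.readline()
        if line == "":
            raise PasswordInputError(f"{label}: end of input before a password was read")
        # Drop only the line terminator; strip() would also remove spaces
        # that are legitimately part of the password.
        password = line.rstrip("\r\n")
    if not password:
        raise PasswordInputError(f"{label}: empty password")
    return password


def read_passwords(labels, stdin=None, prompt=getpass.getpass):
    """Read several Password params in order (assumed convention: one line each)."""
    stdin = sys.stdin if stdin is None else stdin
    # Running out of lines raises instead of silently reusing an earlier value.
    return {label: read_password(label, stdin, prompt) for label in labels}


if __name__ == "__main__":
    # Constructed input standing in for a password piped to the command.
    piped = io.StringIO("secret123\n")
    print(len(read_password("Password", stdin=piped)), "characters read from the pipe")
```

Feeding the pipe from a file or a secrets helper keeps the password out of shell history, which typing it in an `echo` command does not.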
From: rcritten at redhat.com (Rob Crittenden)
Date: Mon, 04 May 2009 17:48:02 -0400
Subject: [Freeipa-devel] [PATCH] 180 Don't hardcode requestId
In-Reply-To: <49FF6142.6030104@redhat.com>
References: <49F77374.6040506@redhat.com> <1241472266.13868.223.camel@jgd-dsk> <49FF6142.6030104@redhat.com>
Message-ID: <49FF6292.9040401@redhat.com>

Rob Crittenden wrote:
> Jason Gerard DeRose wrote:
>> On Tue, 2009-04-28 at 17:21 -0400, Rob Crittenden wrote:
>>> During dogtag installation we request and issue the RA user
>>> certificate. Don't hardcode the requestId as it is available in the
>>> output when we issue the request to the CA.
>>>
>>> rob
>>
>> ack, but I can't get this to apply to my tree, probably because stuff
>> got pretty out-of-sync (which I take credit for).
>>
>
> Doesn't apply in master either. I'll rebase and send out a fresh patch
> just in case.
>
> rob

Ok, doesn't apply because I included this in a later patch. Move along,
nothing to see here :-)

rob

From rcritten at redhat.com Mon May 4 22:00:54 2009
From: rcritten at redhat.com (Rob Crittenden)
Date: Mon, 04 May 2009 18:00:54 -0400
Subject: [Freeipa-devel] [PATCH] 183 Fix some python style issues in host plugin
In-Reply-To: <1240457317.7344.79.camel@jgd-dsk>
References: <49EF6F5E.1060706@redhat.com> <1240457317.7344.79.camel@jgd-dsk>
Message-ID: <49FF6596.8060301@redhat.com>

Jason Gerard DeRose wrote:
> On Wed, 2009-04-22 at 15:26 -0400, Rob Crittenden wrote:
>> Fix some python style issues in the host plugin.
>>
>> rob
>
> ack.
>

pushed to master

From jderose at redhat.com Tue May 5 05:49:25 2009
From: jderose at redhat.com (Jason Gerard DeRose)
Date: Mon, 04 May 2009 23:49:25 -0600
Subject: [Freeipa-devel] [PATCH] jderose 003 update TODO
Message-ID: <1241502565.29481.70.camel@jgd-dsk>

This patch updates the TODO file based on discussion between Rob, Pavel,
and I.

I also changed it to have consistent reStructuredText formatting, which
I've become a big fan of lately. ;)

-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-jderose-003-update-TODO.patch
Type: text/x-patch
Size: 6371 bytes
Desc: not available
URL:

From jhrozek at redhat.com Tue May 5 12:06:46 2009
From: jhrozek at redhat.com (Jakub Hrozek)
Date: Tue, 05 May 2009 14:06:46 +0200
Subject: [Freeipa-devel] [PATCHES] start/stop related fixes
In-Reply-To: <1241122416.29148.43.camel@localhost.localdomain>
References: <1241106592.29393.40.camel@zeppelin.englab.brq.redhat.com> <49F9CBAA.3020401@redhat.com> <1241115941.29393.57.camel@zeppelin.englab.brq.redhat.com> <1241122416.29148.43.camel@localhost.localdomain>
Message-ID: <1241525206.26178.33.camel@zeppelin.englab.brq.redhat.com>

On Thu, 2009-04-30 at 16:13 -0400, Simo Sorce wrote:
> NACK, you cannot allocate memory in a signal handler.
>
> Please use tevent signal handlers in monitor's main.
>
> Simo.

attached.

Jakub

-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0001-Use-tevent-for-shutdown-signals-remove-old-pidfile.patch
Type: text/x-patch
Size: 4487 bytes
Desc: not available
URL:

From jhrozek at redhat.com Tue May 5 12:09:54 2009
From: jhrozek at redhat.com (Jakub Hrozek)
Date: Tue, 05 May 2009 14:09:54 +0200
Subject: [Freeipa-devel] [PATCH] Check for valid ID ranges and ID overlaps between domains
Message-ID: <1241525394.26178.37.camel@zeppelin.englab.brq.redhat.com>

attached.

Also if get_monitor_config returns != EOK in update_monitor_config,
aborts the rest of update_monitor_config..I guess that if the config is
wrong, we just want to carry on with the 'last known good config'.

Jakub

-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0001-Check-for-valid-ID-range-domains-overlap.patch
Type: text/x-patch
Size: 2336 bytes
Desc: not available
URL:

From jhrozek at redhat.com Tue May 5 12:11:34 2009
From: jhrozek at redhat.com (Jakub Hrozek)
Date: Tue, 05 May 2009 14:11:34 +0200
Subject: [Freeipa-devel] [PATCH] Chdir to / when daemonizing
Message-ID: <1241525494.26178.39.camel@zeppelin.englab.brq.redhat.com>

att.

Rationale: starting the daemon on a remote filesystem

Jakub

-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0002-Chdir-to-when-daemonizing.patch
Type: text/x-patch
Size: 1149 bytes
Desc: not available
URL:

From ssorce at redhat.com Tue May 5 12:39:33 2009
From: ssorce at redhat.com (Simo Sorce)
Date: Tue, 05 May 2009 12:39:33 +0000
Subject: [Freeipa-devel] [PATCH] Chdir to / when daemonizing
In-Reply-To: <1241525494.26178.39.camel@zeppelin.englab.brq.redhat.com>
References: <1241525494.26178.39.camel@zeppelin.englab.brq.redhat.com>
Message-ID: <1241527173.29148.182.camel@localhost.localdomain>

On Tue, 2009-05-05 at 14:11 +0200, Jakub Hrozek wrote:
> att.
>
> Rationale: starting the daemon on a remote filesystem

very good catch, ack
(should we chroot to something like /var/lib/sssd instead of / ?)

Simo.

--
Simo Sorce * Red Hat, Inc * New York

From ssorce at redhat.com Tue May 5 12:43:55 2009
From: ssorce at redhat.com (Simo Sorce)
Date: Tue, 05 May 2009 08:43:55 -0400
Subject: [Freeipa-devel] [PATCH] Check for valid ID ranges and ID overlaps between domains
In-Reply-To: <1241525394.26178.37.camel@zeppelin.englab.brq.redhat.com>
References: <1241525394.26178.37.camel@zeppelin.englab.brq.redhat.com>
Message-ID: <1241527435.29148.185.camel@localhost.localdomain>

On Tue, 2009-05-05 at 14:09 +0200, Jakub Hrozek wrote:
> attached.
>
> Also if get_monitor_config returns != EOK in update_monitor_config,
> aborts the rest of update_monitor_config..I guess that if the config is
> wrong, we just want to carry on with the 'last known good config'.

nack

We do not require to always set id ranges, they are optional and more a
filter than anything else.

At most overlapping ranges should give a warning, and absence of ranges
in a domain is fine too.

Second I don't get the utility of the double while loop in that
function, what's for ?

Simo.

--
Simo Sorce * Red Hat, Inc * New York

From sgallagh at redhat.com Tue May 5 12:44:09 2009
From: sgallagh at redhat.com (Stephen Gallagher)
Date: Tue, 05 May 2009 08:44:09 -0400
Subject: [Freeipa-devel] [PATCH] Check for valid ID ranges and ID overlaps between domains
In-Reply-To: <1241525394.26178.37.camel@zeppelin.englab.brq.redhat.com>
References: <1241525394.26178.37.camel@zeppelin.englab.brq.redhat.com>
Message-ID: <4A003499.6080909@redhat.com>

Jakub Hrozek wrote:
> attached.
>
> Also if get_monitor_config returns != EOK in update_monitor_config,
> aborts the rest of update_monitor_config..I guess that if the config is
> wrong, we just want to carry on with the 'last known good config'.
>
> Jakub

I disagree completely with that assertion. If the config is wrong, we do
not want to silently continue with the old config. If the administrator
was updating the configuration to fix a security hole, update UID ranges
or otherwise prevent access to certain individuals or ranges, then we
cannot fall back to using the old config. Loudly failing is the only
safe play here.

--
Stephen Gallagher
RHCE 804006346421761

Looking to carve out IT costs?
www.redhat.com/carveoutcosts/

From rcritten at redhat.com Tue May 5 17:26:15 2009
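An added sketch, in Python rather than SSSD's C and not taken from the patch, of the behaviour the two replies above ask for: ID ranges are optional, overlapping ranges only produce a warning, and a malformed range makes the reload fail instead of leaving the previous configuration in service. The option names `min_id`/`max_id`, the `Monitor` class and the sample domains are hypothetical.

```python
import math


class ConfigError(Exception):
    """The configuration is unusable; the caller must stop, not fall back."""


def id_range(name, options):
    """Return (low, high) for one domain, or None when it sets no range."""
    low, high = options.get("min_id"), options.get("max_id")
    if low is None and high is None:
        return None  # ranges are optional
    try:
        low = 0 if low is None else int(low)
        high = math.inf if high is None else int(high)
    except (TypeError, ValueError):
        raise ConfigError(f"domain {name}: ID range bounds must be integers") from None
    if low < 0 or high < low:
        raise ConfigError(f"domain {name}: invalid ID range {low}-{high}")
    return low, high


def check_domains(domains):
    """Validate every domain; return warnings, raise ConfigError on a bad range."""
    ranges = {}
    for name, options in domains.items():
        bounds = id_range(name, options)
        if bounds is not None:
            ranges[name] = bounds
    warnings = []
    names = sorted(ranges)
    for i, first in enumerate(names):
        for second in names[i + 1:]:
            (a_low, a_high), (b_low, b_high) = ranges[first], ranges[second]
            if a_low <= b_high and b_low <= a_high:
                warnings.append(f"ID ranges of {first} and {second} overlap")
    return warnings


class Monitor:
    def __init__(self, domains):
        self.warnings = check_domains(domains)
        self.domains = domains

    def reload(self, new_domains):
        try:
            warnings = check_domains(new_domains)
        except ConfigError:
            # Fail closed: the old ranges may be exactly what the
            # administrator was trying to tighten, so stop serving them.
            self.domains = None
            raise
        self.domains, self.warnings = new_domains, warnings

    def id_allowed(self, domain, uid):
        if self.domains is None:
            raise ConfigError("no valid configuration loaded")
        bounds = id_range(domain, self.domains[domain])
        return bounds is None or bounds[0] <= uid <= bounds[1]


if __name__ == "__main__":
    # Constructed sample configuration.
    monitor = Monitor({"LOCAL": {"min_id": "1000", "max_id": "1999"}, "FILES": {}})
    try:
        monitor.reload({"LOCAL": {"min_id": "5000", "max_id": "100"}})
    except ConfigError as err:
        print("reload failed, stopping:", err)
```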
From: rcritten at redhat.com (Rob Crittenden)
Date: Tue, 05 May 2009 13:26:15 -0400
Subject: [Freeipa-devel] [PATCH] 200 update service plugin
Message-ID: <4A0076B7.3050903@redhat.com>

Makes the service plugin a lot more robust by adding a principal
validator and normalizer.

Update the objectclasses. I had left them a bit bare while we were still
designing what they would look like.

Add --certificate argument so we can store certs in services.

Use the crud.Search method for service-find.

rob

-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-200-service.patch
Type: application/mbox
Size: 8072 bytes
Desc: not available
URL:

From rcritten at redhat.com Tue May 5 18:48:10 2009
From: rcritten at redhat.com (Rob Crittenden)
Date: Tue, 05 May 2009 14:48:10 -0400
Subject: [Freeipa-devel] [PATCH] 201 A new exception
Message-ID: <4A0089EA.3040201@redhat.com>

Add a new exception for Base64 decode failures and make
MalformedServicePrincipal take an argument expanding on why it is
malformed.

rob

-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-201-errors.patch
Type: application/mbox
Size: 1902 bytes
Desc: not available
URL:

From rcritten at redhat.com Tue May 5 19:20:21 2009
From: rcritten at redhat.com (Rob Crittenden)
Date: Tue, 05 May 2009 15:20:21 -0400
Subject: [Freeipa-devel] [PATCH] 202 Store certificates in service records
Message-ID: <4A009175.4020207@redhat.com>

When we issue a server cert we want to store it in the service record.

I also cleaned up some argument names to match the current standard.

rob

-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-202-certs.patch
Type: application/mbox
Size: 5394 bytes
Desc: not available
URL:

From mpcolino at gmail.com Tue May 5 20:06:20 2009
From: mpcolino at gmail.com (Miguel P.C.)
Date: Tue, 5 May 2009 22:06:20 +0200
Subject: [Freeipa-devel] Re: Need Advice on "DEB" packaging.
In-Reply-To: <49FF22B0.1030605@redhat.com>
References: <1240053527.5138.1.camel@crow> <49EC6A7E.6030009@redhat.com> <49FB0B45.5060305@redhat.com> <1241250045.4204.6.camel@crow> <49FED77D.5040008@redhat.com> <49FF22B0.1030605@redhat.com>
Message-ID:

Hi!

not much free time lately :-)

I did submit the bugs to Launchpad (Ubuntu)

> There are still problems remaining, however. Ubuntu's libldb-samba4-dev
> package does not include the ldb_module.h header (and associated files),
> so it is impossible to build the LDB modules we need within the SSSD.
> You need to contact the LDB package maintainer for Ubuntu and arrange
> for this functionality to be included. Until that is done, you won't be
> able to build the SSSD.

Bug: https://bugs.edge.launchpad.net/ubuntu/+source/samba4/+bug/372405

> At the same time, you should request of the Ubuntu Samba maintainers to
> produce a libtevent and libtevent-dev package separate from
> samba4-common and python-samba4-dev (respectively) that includes a
> pkg-config file for TEvent. This will simplify building the SSSD. In the
> meantime, the following environment variables will work around this problem:
> export TEVENT_LIBS="/usr/lib/python2.6/dist-packages/tevent.so"
> export TEVENT_CFLAGS="-I/usr/include/samba-4.0/"

Bug: https://bugs.edge.launchpad.net/ubuntu/+source/samba4/+bug/372399

From mpcolino at gmail.com Tue May 5 20:21:13 2009
From: mpcolino at gmail.com (Miguel P.C.)
Date: Tue, 5 May 2009 22:21:13 +0200
Subject: [Freeipa-devel] Re: Need Advice on "DEB" packaging.
In-Reply-To: <1241457988.13868.1.camel@jgd-dsk>
References: <1240053527.5138.1.camel@crow> <49EC6A7E.6030009@redhat.com> <49FB0B45.5060305@redhat.com> <1241250045.4204.6.camel@crow> <49FED77D.5040008@redhat.com> <1241457988.13868.1.camel@jgd-dsk>
Message-ID:

Hi Jason!

> I would like to get in on this too. Plus, it would give me a chance to
> learn how to build SSSD. ;)

I already posted some little instructions and files related to them in a
previous message.
Please feel free to contact me if you want/need more information on what
I've done (which, in fact, is not so much).

Kind regards,

M*

From rcritten at redhat.com Tue May 5 21:26:41 2009
From: rcritten at redhat.com (Rob Crittenden)
Date: Tue, 05 May 2009 17:26:41 -0400
Subject: [Freeipa-devel] [PATCH 203 Don't issue SSL cert on domain join
Message-ID: <4A00AF11.5070900@redhat.com>

We decided not to issue an SSL cert when a machine joins the IPA domain.

rob

-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-203-join.patch
Type: application/mbox
Size: 3301 bytes
Desc: not available
URL:

From jderose at redhat.com Wed May 6 00:42:17 2009
From: jderose at redhat.com (Jason Gerard DeRose)
Date: Tue, 05 May 2009 18:42:17 -0600
Subject: [Freeipa-devel] [PATCH] 199 convert uidnumber to string
In-Reply-To: <49FF50A1.4030409@redhat.com>
References: <49FF50A1.4030409@redhat.com>
Message-ID: <1241570537.5091.20.camel@jgd-dsk>

On Mon, 2009-05-04 at 16:31 -0400, Rob Crittenden wrote:
> We need to convert the uidnumber to a string when adding/modifying users
> to avoid a type error on the LDAP side.
>
> Pavel, I'm not sure whether this is handled automagically or not in your
> version of the plugin.
>
> rob

ack.

This is fine as a stop gap, but we really need a better solution in the
long run.

So the UID is always an integer, correct? Do all LDAP "types" need to
be sent as strings, or is this just a case where we are using a more
restrictive type in IPA than the attribute in LDAP?

From jderose at redhat.com Wed May 6 01:17:27 2009
From: jderose at redhat.com (Jason Gerard DeRose)
Date: Tue, 05 May 2009 19:17:27 -0600
Subject: [Freeipa-devel] [PATCH] 200 update service plugin
In-Reply-To: <4A0076B7.3050903@redhat.com>
References: <4A0076B7.3050903@redhat.com>
Message-ID: <1241572647.5091.21.camel@jgd-dsk>

On Tue, 2009-05-05 at 13:26 -0400, Rob Crittenden wrote:
> Makes the service plugin a lot more robust by adding a principal
> validator and normalizer.
>
> Update the objectclasses. I had left them a bit bare while we were still
> designing what they would look like.
>
> Add --certificate argument so we can store certs in services.
>
> Use the crud.Search method for service-find.
>
> rob

ack.

From jderose at redhat.com Wed May 6 02:08:52 2009
From: jderose at redhat.com (Jason Gerard DeRose)
Date: Tue, 05 May 2009 20:08:52 -0600
Subject: [Freeipa-devel] [PATCH] 201 A new exception
In-Reply-To: <4A0089EA.3040201@redhat.com>
References: <4A0089EA.3040201@redhat.com>
Message-ID: <1241575732.5091.47.camel@jgd-dsk>

On Tue, 2009-05-05 at 14:48 -0400, Rob Crittenden wrote:
> Add a new exception for Base64 decode failures and make
> MalformedServicePrincipal take an argument expanding on why it is malformed.
>
> rob

ack.

From mpcolino at gmail.com Wed May 6 06:05:22 2009
From: mpcolino at gmail.com (Miguel P.C.)
Date: Wed, 6 May 2009 08:05:22 +0200
Subject: [Freeipa-devel] Reply to "tevent" packaging problems in samba4
Message-ID:

Hello everyone

I posted a bug in Launchpad.net (Ubuntu's infrastructure) [Bug 372399]
about the "tevent" packaging issues.
I received an answer that, if completely true, could be an issue for
future versions of sssd.

I haven't made all the investigation needed to see how are the samba
people going to evolve around this but, let me (only once) cross post
this.

Cheers,

M*

---------- Forwarded message ----------
From: Jelmer Vernooij
Date: Tue, May 5, 2009 at 22:47
Subject: [Bug 372399] Re: tevent packaging problems in samba4
To: mpcolino at gmail.com

tevent has its own package these days (not yet synced from Debian as far
as I can see) and ships its own pkg-config file already. Newer versions
of samba4 no longer ship tevent.h.

** Changed in: samba4 (Ubuntu)
       Status: New => Fix Committed

** Changed in: samba4 (Ubuntu)
     Assignee: (unassigned) => Jelmer Vernooij (jelmer)

--
tevent packaging problems in samba4
https://bugs.launchpad.net/bugs/372399
You received this bug notification because you are a direct subscriber
of the bug.

From sgallagh at redhat.com Wed May 6 10:21:47 2009
From: sgallagh at redhat.com (Stephen Gallagher)
Date: Wed, 06 May 2009 06:21:47 -0400
Subject: [Freeipa-devel] Reply to "tevent" packaging problems in samba4
In-Reply-To:
References:
Message-ID: <4A0164BB.1060007@redhat.com>

Miguel P.C. wrote:
> Hello everyone
>
> I posted a bug in Launchpad.net (Ubuntu's infrastructure) [Bug 372399]
> about the "tevent" packaging issues.
> I received an answer that, if completely true, could be an issue for
> future versions of sssd.
>
> I haven't made all the investigation needed to see how are the samba
> people going to evolve around this but, let me (only once) cross post
> this.
>
> Cheers,
>
> M*
>
> ---------- Forwarded message ----------
> From: Jelmer Vernooij
> Date: Tue, May 5, 2009 at 22:47
> Subject: [Bug 372399] Re: tevent packaging problems in samba4
> To: mpcolino at gmail.com
>
> tevent has its own package these days (not yet synced from Debian as far
> as I can see) and ships its own pkg-config file already. Newer versions
> of samba4 no longer ship tevent.h.
>
> ** Changed in: samba4 (Ubuntu)
>        Status: New => Fix Committed
>
> ** Changed in: samba4 (Ubuntu)
>      Assignee: (unassigned) => Jelmer Vernooij (jelmer)
>
> --
> tevent packaging problems in samba4
> https://bugs.launchpad.net/bugs/372399
> You received this bug notification because you are a direct subscriber
> of the bug.

I saw that on the Launchpad bug as well. This is actually good news.
What it means is that someone in the Debian project has already done the
work you requested on TEvent. What needs to be done now is to have that
work merged into Ubuntu (which is a Debian derivative). Please follow up
on that Launchpad bug and turn that into a request to sync the Debian
package into Ubuntu.

--
Stephen Gallagher
RHCE 804006346421761

Looking to carve out IT costs?
www.redhat.com/carveoutcosts/

From rcritten at redhat.com Wed May 6 11:40:44 2009
From: rcritten at redhat.com (Rob Crittenden)
Date: Wed, 06 May 2009 07:40:44 -0400
Subject: [Freeipa-devel] [PATCH] 199 convert uidnumber to string
In-Reply-To: <1241570537.5091.20.camel@jgd-dsk>
References: <49FF50A1.4030409@redhat.com> <1241570537.5091.20.camel@jgd-dsk>
Message-ID: <4A01773C.2020406@redhat.com>

Jason Gerard DeRose wrote:
> On Mon, 2009-05-04 at 16:31 -0400, Rob Crittenden wrote:
>> We need to convert the uidnumber to a string when adding/modifying users
>> to avoid a type error on the LDAP side.
>>
>> Pavel, I'm not sure whether this is handled automagically or not in your
>> version of the plugin.
>>
>> rob
>
> ack.
>
> This is fine as a stop gap, but we really need a better solution in the
> long run.
>
> So the UID is always an integer, correct? Do all LDAP "types" need to
> be sent as strings, or is this just a case where we are using a more
> restrictive type in IPA than the attribute in LDAP?
>

Pavel is working on some smarter schema handling in the new LDAP plugin.
I think that will handle the type conversions for us.

rob

From rcritten at redhat.com Wed May 6 15:18:41 2009
From: rcritten at redhat.com (Rob Crittenden)
Date: Wed, 06 May 2009 11:18:41 -0400
Subject: [Freeipa-devel] [PATCH] 204 fix netgroups test
Message-ID: <4A01AA51.5030907@redhat.com>

I added a new required attribute to the netgroups plugin, add this to
the test as well.

rob

-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-204-tests.patch
Type: application/mbox
Size: 903 bytes
Desc: not available
URL:

From rcritten at redhat.com Wed May 6 15:29:00 2009
From: rcritten at redhat.com (Rob Crittenden)
Date: Wed, 06 May 2009 11:29:00 -0400
Subject: [Freeipa-devel] [PATCH] 200 update service plugin
In-Reply-To: <1241572647.5091.21.camel@jgd-dsk>
References: <4A0076B7.3050903@redhat.com> <1241572647.5091.21.camel@jgd-dsk>
Message-ID: <4A01ACBC.7060908@redhat.com>

Jason Gerard DeRose wrote:
> On Tue, 2009-05-05 at 13:26 -0400, Rob Crittenden wrote:
>> Makes the service plugin a lot more robust by adding a principal
>> validator and normalizer.
>>
>> Update the objectclasses. I had left them a bit bare while we were still
>> designing what they would look like.
>>
>> Add --certificate argument so we can store certs in services.
>>
>> Use the crud.Search method for service-find.
>>
>> rob
>
> ack.
>

pushed to master

From rcritten at redhat.com Wed May 6 15:29:06 2009
From: rcritten at redhat.com (Rob Crittenden)
Date: Wed, 06 May 2009 11:29:06 -0400
Subject: [Freeipa-devel] [PATCH] 201 A new exception
In-Reply-To: <1241575732.5091.47.camel@jgd-dsk>
References: <4A0089EA.3040201@redhat.com> <1241575732.5091.47.camel@jgd-dsk>
Message-ID: <4A01ACC2.5000905@redhat.com>

Jason Gerard DeRose wrote:
> On Tue, 2009-05-05 at 14:48 -0400, Rob Crittenden wrote:
>> Add a new exception for Base64 decode failures and make
>> MalformedServicePrincipal take an argument expanding on why it is malformed.
>>
>> rob
>
> ack.
>

pushed to master

From yzhang at redhat.com Wed May 6 19:46:25 2009
From: yzhang at redhat.com (yi zhang)
Date: Wed, 06 May 2009 12:46:25 -0700
Subject: [Freeipa-devel] nis plug-in setup question
Message-ID: <4A01E911.80807@redhat.com>

Nalin:
I need your help to determine whether I have any missed step(s) in my
configuration.

I am trying to config IPA (v2) server as NIS server. And here is the
config I have in ds
---
dn: cn=NIS Server, cn=plugins, cn=config
objectClass: top
objectClass: nsSlapdPlugin
objectClass: extensibleObject
cn: NIS Server
nsslapd-pluginPath: /usr/lib/dirsrv/plugins/nisserver-plugin.so
nsslapd-pluginInitfunc: nis_plugin_init
nsslapd-pluginType: object
nsslapd-pluginEnabled: on
nsslapd-pluginDescription: NIS Server Plugin
nsslapd-pluginVendor: redhat.com
nsslapd-pluginVersion: 0
nsslapd-pluginID: nis-plugin
nis-tcp-wrappers-name: ypserv
nsslapd-pluginarg0: 514
-------------
dn: nis-domain=idm.lab.bos.redhat.com+nis-map=users,cn=NIS Server,cn=plugins,cn=config
objectclass: extensibleObject
nis-domain: idm.lab.bos.redhat.com
nis-map: users
nis-base: ou=People, dc=example, dc=com
nis-base: ou=nisGroup, ou=nisaccounts,dc=idm,dc=lab,dc=bos,dc=redhat,dc=com
nis-filter: (objectClass=posixAccount)
nis-key-format: %{uid}
nis-value-format: %{uid}:%{userPassword-:*}:%{uidNumber}:%{gidNumber}:%{gecos:-%{cn:-Some Unnamed User}}:%{homeDirectory}:%{loginShell:-/bin/bash}
nis-disallowed-chars: :
-----------------

I have such data there:

[root at mv32a-vm nis-plugin]# /usr/lib/mozldap/ldapsearch -D "cn=directory manager" -w redhat123 -s sub -b "ou=nisaccounts,dc=idm,dc=lab,dc=bos,dc=redhat,dc=com" "uid=nisuser*"
version: 1
dn: uid=nisuser12, ou=nisGroup, ou=nisaccounts,dc=idm,dc=lab,dc=bos,dc=redhat,
 dc=com
objectClass: top
objectClass: posixAccount
cn: nisuser
uid: nisuser12
uidNumber: 30001
gidNumber: 3001
homeDirectory: /home/nisuser01
loginShell: /bin/bash
userPassword: {SSHA}n0nwUjq6mn9e2jU8ZOotg6vjN3GA/g20R3jPyw==

===========

After I config one nis client connect to this server
(mv32a-vm.idm.lab.bos.redhat.com),

[root at mv64a-vm ~]# authconfig-tui
Stopping portmap: [ OK ]
Starting portmap: [ OK ]
Shutting down NIS services: [ OK ]
Turning on allow_ypbind SELinux boolean
Binding to the NIS domain: [ OK ]
Listening for an NIS domain server..
[root at mv64a-vm ~]#
[root at mv64a-vm ~]#
[root at mv64a-vm ~]#
[root at mv64a-vm ~]#
[root at mv64a-vm ~]# getent passwd | grep nisuser
[root at mv64a-vm ~]# rpcinfo -p mv32a-vm.idm.lab.bos.redhat.com
   program vers proto   port
    100000    2   tcp    111  portmapper
    100000    2   udp    111  portmapper
    100024    1   udp    918  status
    100024    1   tcp    921  status
    100021    1   udp  36144  nlockmgr
    100021    3   udp  36144  nlockmgr
    100021    4   udp  36144  nlockmgr
    100021    1   tcp  39591  nlockmgr
    100021    3   tcp  39591  nlockmgr
    100021    4   tcp  39591  nlockmgr
    100004    2   udp    541  ypserv
    100004    2   tcp    541  ypserv
[root at mv64a-vm ~]# ssh nisuser12 at mv64a-vm.idm.lab.bos.redhat.com
The authenticity of host 'mv64a-vm.idm.lab.bos.redhat.com (10.16.98.120)' can't be established.
RSA key fingerprint is db:dc:f5:7b:85:4b:2f:d7:be:27:40:5d:b8:0a:c0:a6.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added 'mv64a-vm.idm.lab.bos.redhat.com,10.16.98.120' (RSA) to the list of known hosts.
nisuser12 at mv64a-vm.idm.lab.bos.redhat.com's password:
Permission denied, please try again.
nisuser12 at mv64a-vm.idm.lab.bos.redhat.com's password:
Permission denied, please try again.
nisuser12 at mv64a-vm.idm.lab.bos.redhat.com's password:
Permission denied (publickey,gssapi-with-mic,password).

[root at mv64a-vm ~]# vi /var/log/secure
May 6 03:23:57 mv64a-vm sshd[2979]: pam_succeed_if(sshd:auth): error retrieving information about user nisuser12
May 6 03:23:58 mv64a-vm sshd[2979]: Failed password for invalid user nisuser12 from 10.16.98.120 port 55116 ssh2
May 6 03:23:59 mv64a-vm sshd[2980]: Connection closed by 10.16.98.120
May 6 03:23:59 mv64a-vm sshd[2979]: PAM 2 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=mv64a-vm.idm.lab.bos.redhat.com

yp.conf on client (mv64a-vm) has only one line
domain idm.lab.bos.redhat.com server mv32a-vm.idm.lab.bos.redhat.com

/etc/nsswitch.conf has
hosts: files nis dns

firewall is not an issue, I stopped iptables on both client and server

What did I do wrong?

Thanks
Yi

From rcritten at redhat.com Wed May 6 20:09:44 2009
From: rcritten at redhat.com (Rob Crittenden)
Date: Wed, 06 May 2009 16:09:44 -0400
Subject: [Freeipa-devel] nis plug-in setup question
In-Reply-To: <4A01E911.80807@redhat.com>
References: <4A01E911.80807@redhat.com>
Message-ID: <4A01EE88.9000102@redhat.com>

yi zhang wrote:
> Nalin:
> I need your help to determine whether I have any missed step(s) in my
> configuration.
>
> I am trying to config IPA (v2) server as NIS server. And here is the
> config I have in ds
> ---
> dn: cn=NIS Server, cn=plugins, cn=config
> objectClass: top
> objectClass: nsSlapdPlugin
> objectClass: extensibleObject
> cn: NIS Server
> nsslapd-pluginPath: /usr/lib/dirsrv/plugins/nisserver-plugin.so
> nsslapd-pluginInitfunc: nis_plugin_init
> nsslapd-pluginType: object
> nsslapd-pluginEnabled: on
> nsslapd-pluginDescription: NIS Server Plugin
> nsslapd-pluginVendor: redhat.com
> nsslapd-pluginVersion: 0
> nsslapd-pluginID: nis-plugin
> nis-tcp-wrappers-name: ypserv
> nsslapd-pluginarg0: 514
> -------------
> dn: nis-domain=idm.lab.bos.redhat.com+nis-map=users,cn=NIS
> Server,cn=plugins,cn=config
> objectclass: extensibleObject
> nis-domain: idm.lab.bos.redhat.com
> nis-map: users
> nis-base: ou=People, dc=example, dc=com
> nis-base: ou=nisGroup, ou=nisaccounts,dc=idm,dc=lab,dc=bos,dc=redhat,dc=com
> nis-filter: (objectClass=posixAccount)
> nis-key-format: %{uid}
> nis-value-format:
> %{uid}:%{userPassword-:*}:%{uidNumber}:%{gidNumber}:%{gecos:-%{cn:-Some
> Unnamed User}}:%{homeDirectory}:%{loginShell:-/bin/bash}
> nis-disallowed-chars: :
> -----------------
>
> I have such data there:
>
> [root at mv32a-vm nis-plugin]# /usr/lib/mozldap/ldapsearch -D "cn=directory
> manager" -w redhat123 -s sub -b
> "ou=nisaccounts,dc=idm,dc=lab,dc=bos,dc=redhat,dc=com" "uid=nisuser*"
> version: 1
> dn: uid=nisuser12, ou=nisGroup,
> ou=nisaccounts,dc=idm,dc=lab,dc=bos,dc=redhat,
> dc=com
> objectClass: top
> objectClass: posixAccount
> cn: nisuser
> uid: nisuser12
> uidNumber: 30001
> gidNumber: 3001
> homeDirectory: /home/nisuser01
> loginShell: /bin/bash
> userPassword: {SSHA}n0nwUjq6mn9e2jU8ZOotg6vjN3GA/g20R3jPyw==
>
> ===========
>
> After I config one nis client connect to this server
> (mv32a-vm.idm.lab.bos.redhat.com),
>
> [root at mv64a-vm ~]# authconfig-tui
> Stopping portmap: [ OK ]
> Starting portmap: [ OK ]
> Shutting down NIS services: [ OK ]
> Turning on allow_ypbind SELinux boolean
> Binding to the NIS domain: [ OK ]
> Listening for an NIS domain server..
> [root at mv64a-vm ~]#
> [root at mv64a-vm ~]#
> [root at mv64a-vm ~]#
> [root at mv64a-vm ~]#
> [root at mv64a-vm ~]# getent passwd | grep nisuser
> [root at mv64a-vm ~]# rpcinfo -p mv32a-vm.idm.lab.bos.redhat.com
>    program vers proto   port
>     100000    2   tcp    111  portmapper
>     100000    2   udp    111  portmapper
>     100024    1   udp    918  status
>     100024    1   tcp    921  status
>     100021    1   udp  36144  nlockmgr
>     100021    3   udp  36144  nlockmgr
>     100021    4   udp  36144  nlockmgr
>     100021    1   tcp  39591  nlockmgr
>     100021    3   tcp  39591  nlockmgr
>     100021    4   tcp  39591  nlockmgr
>     100004    2   udp    541  ypserv
>     100004    2   tcp    541  ypserv
> [root at mv64a-vm ~]# ssh nisuser12 at mv64a-vm.idm.lab.bos.redhat.com
> The authenticity of host 'mv64a-vm.idm.lab.bos.redhat.com
> (10.16.98.120)' can't be established.
> RSA key fingerprint is db:dc:f5:7b:85:4b:2f:d7:be:27:40:5d:b8:0a:c0:a6.
> Are you sure you want to continue connecting (yes/no)? yes
> Warning: Permanently added
> 'mv64a-vm.idm.lab.bos.redhat.com,10.16.98.120' (RSA) to the list of
> known hosts.
> nisuser12 at mv64a-vm.idm.lab.bos.redhat.com's password:
> Permission denied, please try again.
> nisuser12 at mv64a-vm.idm.lab.bos.redhat.com's password:
> Permission denied, please try again.
> nisuser12 at mv64a-vm.idm.lab.bos.redhat.com's password:
> Permission denied (publickey,gssapi-with-mic,password).
>
> [root at mv64a-vm ~]# vi /var/log/secure
> May 6 03:23:57 mv64a-vm sshd[2979]: pam_succeed_if(sshd:auth): error
> retrieving information about user nisuser12
> May 6 03:23:58 mv64a-vm sshd[2979]: Failed password for invalid user
> nisuser12 from 10.16.98.120 port 55116 ssh2
> May 6 03:23:59 mv64a-vm sshd[2980]: Connection closed by 10.16.98.120
> May 6 03:23:59 mv64a-vm sshd[2979]: PAM 2 more authentication failures;
> logname= uid=0 euid=0 tty=ssh ruser= rhost=mv64a-vm.idm.lab.bos.redhat.com
>
> yp.conf on client (mv64a-vm) has only one line
> domain idm.lab.bos.redhat.com server mv32a-vm.idm.lab.bos.redhat.com
>
> /etc/nsswitch.conf has
> hosts: files nis dns
>
> firewall is not an issue, I stopped iptables on both client and server
>
> What did I do wrong?
>
> Thanks

I have code and config that will do this for you sort of automagically
in IPA (at least for passwd and group). I haven't tested it with nss yet
but it works with ypcat. Nalin is working on an issue in slapi-nis I
found today and once that's resolved I'll feel comfortable releasing my
patch, then you can give it a go.

So if you can hold off a day or two it may be better to test my
configuration.

rob

From nalin at redhat.com Wed May 6 20:52:34 2009
From: nalin at redhat.com (Nalin Dahyabhai)
Date: Wed, 6 May 2009 16:52:34 -0400
Subject: [Freeipa-devel] Re: nis plug-in setup question
In-Reply-To: <4A01E911.80807@redhat.com>
References: <4A01E911.80807@redhat.com>
Message-ID: <20090506205234.GA3054@redhat.com>

On Wed, May 06, 2009 at 12:46:25PM -0700, yi zhang wrote:
> Nalin:
> I need your help to determine whether I have any missed step(s) in my
> configuration.
>
> I am trying to config IPA (v2) server as NIS server. And here is the
> config I have in ds
> ---
> dn: cn=NIS Server, cn=plugins, cn=config
> objectClass: top
> objectClass: nsSlapdPlugin
> objectClass: extensibleObject
> cn: NIS Server
> nsslapd-pluginPath: /usr/lib/dirsrv/plugins/nisserver-plugin.so
> nsslapd-pluginInitfunc: nis_plugin_init
> nsslapd-pluginType: object
> nsslapd-pluginEnabled: on
> nsslapd-pluginDescription: NIS Server Plugin
> nsslapd-pluginVendor: redhat.com
> nsslapd-pluginVersion: 0
> nsslapd-pluginID: nis-plugin
> nis-tcp-wrappers-name: ypserv
> nsslapd-pluginarg0: 514

Looks fine.

> dn: nis-domain=idm.lab.bos.redhat.com+nis-map=users,cn=NIS
> Server,cn=plugins,cn=config
> objectclass: extensibleObject
> nis-domain: idm.lab.bos.redhat.com
> nis-map: users
> nis-base: ou=People, dc=example, dc=com
> nis-base: ou=nisGroup, ou=nisaccounts,dc=idm,dc=lab,dc=bos,dc=redhat,dc=com
> nis-filter: (objectClass=posixAccount)
> nis-key-format: %{uid}
> nis-value-format:
> %{uid}:%{userPassword-:*}:%{uidNumber}:%{gidNumber}:%{gecos:-%{cn:-Some
> Unnamed User}}:%{homeDirectory}:%{loginShell:-/bin/bash}
> nis-disallowed-chars: :

This is the problem. NIS clients expect the maps which serve up
information about users to be named "passwd.byname" (keyed by user name)
and "passwd.byuid" (keyed by UID). You need both. These names are
hard-coded into the clients, so the maps you define must have the names
that the clients expect them to have.

The plugin has defaults built-in for maps named "passwd.byname",
"passwd.byuid" and many of the commonly-used maps, so you can omit the
'nis-filter', 'nis-key-format', 'nis-value-format', and
'nis-disallowed-chars' settings for those maps to save yourself some
work. (Run "nisserver-plugin-defs -m passwd.byname" if you want to
examine the defaults for a map with that name.)

In the 'nis-value-format' you're using above, "%{userPassword-:*}"
should probably be "%{userPassword:-*}" if I understand what you're
trying to do.

> I have such data there:
>
> [root at mv32a-vm nis-plugin]# /usr/lib/mozldap/ldapsearch -D "cn=directory
> manager" -w redhat123 -s sub -b
> "ou=nisaccounts,dc=idm,dc=lab,dc=bos,dc=redhat,dc=com" "uid=nisuser*"
> version: 1
> dn: uid=nisuser12, ou=nisGroup,
> ou=nisaccounts,dc=idm,dc=lab,dc=bos,dc=redhat,
> dc=com
> objectClass: top
> objectClass: posixAccount
> cn: nisuser
> uid: nisuser12
> uidNumber: 30001
> gidNumber: 3001
> homeDirectory: /home/nisuser01
> loginShell: /bin/bash
> userPassword: {SSHA}n0nwUjq6mn9e2jU8ZOotg6vjN3GA/g20R3jPyw==

There's a very good chance that a POSIX client won't be able to verify
passwords using a {SSHA} password, not portably anyway. You can really
only depend on {CRYPT} hashed passwords, and then you want to strip off
the {CRYPT} before handing the value to the client. The compiled-in
default uses a regex substitution to (try to) get the right thing to
happen here.

The point I'm dancing around is that I recommend using the defaults for
maps like this one. My hope is that most people won't have to worry
about working out the right key- and value format specifiers to use in
their configurations.

> After I config one nis client connect to this server
> (mv32a-vm.idm.lab.bos.redhat.com),
>
> [root at mv64a-vm ~]# authconfig-tui
> Stopping portmap: [ OK ]
> Starting portmap: [ OK ]
> Shutting down NIS services: [ OK ]
> Turning on allow_ypbind SELinux boolean
> Binding to the NIS domain: [ OK ]
> Listening for an NIS domain server..

Looks good.

> [root at mv64a-vm ~]#
> [root at mv64a-vm ~]#
> [root at mv64a-vm ~]#
> [root at mv64a-vm ~]#
> [root at mv64a-vm ~]# getent passwd | grep nisuser
> [root at mv64a-vm ~]# rpcinfo -p mv32a-vm.idm.lab.bos.redhat.com
>    program vers proto   port
>     100000    2   tcp    111  portmapper
>     100000    2   udp    111  portmapper
>     100024    1   udp    918  status
>     100024    1   tcp    921  status
>     100021    1   udp  36144  nlockmgr
>     100021    3   udp  36144  nlockmgr
>     100021    4   udp  36144  nlockmgr
>     100021    1   tcp  39591  nlockmgr
>     100021    3   tcp  39591  nlockmgr
>     100021    4   tcp  39591  nlockmgr
>     100004    2   udp    541  ypserv
>     100004    2   tcp    541  ypserv

That looks right, except that your configuration appears to be
specifying port 514, and the server appears to be listening on port 541.

> [root at mv64a-vm ~]# ssh nisuser12 at mv64a-vm.idm.lab.bos.redhat.com
> The authenticity of host 'mv64a-vm.idm.lab.bos.redhat.com
> (10.16.98.120)' can't be established.
> RSA key fingerprint is db:dc:f5:7b:85:4b:2f:d7:be:27:40:5d:b8:0a:c0:a6.
> Are you sure you want to continue connecting (yes/no)? yes
> Warning: Permanently added
> 'mv64a-vm.idm.lab.bos.redhat.com,10.16.98.120' (RSA) to the list of
> known hosts.
> nisuser12 at mv64a-vm.idm.lab.bos.redhat.com's password:
> Permission denied, please try again.
> nisuser12 at mv64a-vm.idm.lab.bos.redhat.com's password:
> Permission denied, please try again.
> nisuser12 at mv64a-vm.idm.lab.bos.redhat.com's password:
> Permission denied (publickey,gssapi-with-mic,password).
>
> [root at mv64a-vm ~]# vi /var/log/secure
> May 6 03:23:57 mv64a-vm sshd[2979]: pam_succeed_if(sshd:auth): error
> retrieving information about user nisuser12

This is consistent with the client's NIS support not finding a
passwd.byname map, or not finding an entry that matches the user in it.

[snip]

> yp.conf on client (mv64a-vm) has only one line
> domain idm.lab.bos.redhat.com server mv32a-vm.idm.lab.bos.redhat.com

That looks right.

> /etc/nsswitch.conf has
> hosts: files nis dns
>
> firewall is not an issue, i stopped iptables on both client and server
>
> What I did wrong?

If you're looking for user information, then the 'passwd:' line is the
interesting one, though authconfig should have set that up correctly.

HTH,

Nalin

From ssorce at redhat.com Wed May 6 21:38:51 2009
From: ssorce at redhat.com (Simo Sorce)
Date: Wed, 06 May 2009 17:38:51 -0400
Subject: [Freeipa-devel] Re: nis plug-in setup question
In-Reply-To: <20090506205234.GA3054@redhat.com>
References: <4A01E911.80807@redhat.com> <20090506205234.GA3054@redhat.com>
Message-ID: <1241645931.30223.152.camel@localhost.localdomain>

On Wed, 2009-05-06 at 16:52 -0400, Nalin Dahyabhai wrote:
>
> In the 'nis-value-format' you're using above, "%{userPassword-:*}"
> should probably be "%{userPassword:-*}" if I understand what you're
> trying to do.

We should never expose the userPassword attribute anyway, we should just
return '*' or 'x' or 'KRB' ....

Simo.

--
Simo Sorce * Red Hat, Inc * New York

From yzhang at redhat.com Wed May 6 22:10:23 2009
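The checks raised in Nalin's and Simo's replies above, as an added example that is not part of the original thread: a small Python audit of slapi-nis map definitions. The LDIF and rpcinfo samples are constructed from the output quoted in the thread; the function names, the finding codes, and the reading of nsslapd-pluginarg0 as the listening port are assumptions of this example.

```python
import re

# Per the thread: NIS clients hard-code these map names and need both.
REQUIRED_USER_MAPS = {"passwd.byname", "passwd.byuid"}

# Constructed sample, modelled on the configuration quoted in the thread.
BROKEN_LDIF = """\
dn: cn=NIS Server, cn=plugins, cn=config
nsslapd-pluginarg0: 514

dn: nis-domain=idm.lab.bos.redhat.com+nis-map=users,cn=NIS Server,cn=plugins,cn=config
nis-domain: idm.lab.bos.redhat.com
nis-map: users
nis-value-format: %{uid}:%{userPassword-:*}:%{uidNumber}:%{gidNumber}:
 %{gecos:-%{cn:-Some Unnamed User}}:%{homeDirectory}:%{loginShell:-/bin/bash}
"""

# Constructed corrected variant: the map names clients expect, with no
# format overrides, so the plugin's built-in defaults apply.
FIXED_LDIF = """\
dn: cn=NIS Server, cn=plugins, cn=config
nsslapd-pluginarg0: 514

dn: nis-domain=idm.lab.bos.redhat.com+nis-map=passwd.byname,cn=NIS Server,cn=plugins,cn=config
nis-domain: idm.lab.bos.redhat.com
nis-map: passwd.byname

dn: nis-domain=idm.lab.bos.redhat.com+nis-map=passwd.byuid,cn=NIS Server,cn=plugins,cn=config
nis-domain: idm.lab.bos.redhat.com
nis-map: passwd.byuid
"""

# Constructed from the `rpcinfo -p` output quoted in the thread.
RPCINFO = """\
   program vers proto   port
    100000    2   tcp    111  portmapper
    100004    2   udp    541  ypserv
    100004    2   tcp    541  ypserv
"""

def parse_ldif(text):
    """Parse simple 'attr: value' LDIF (no base64) into a list of dicts."""
    entries, current, last = [], {}, None
    for raw in text.splitlines():
        if raw.startswith(" ") and last:      # folded continuation line
            current[last][-1] += raw[1:]
        elif not raw.strip():                  # blank line ends the entry
            if current:
                entries.append(current)
            current, last = {}, None
        elif not raw.startswith("#"):
            attr, _, value = raw.partition(":")
            last = attr.strip().lower()
            current.setdefault(last, []).append(value.strip())
    if current:
        entries.append(current)
    return entries

def ypserv_ports(rpcinfo_text):
    """Ports registered for the ypserv RPC program (100004)."""
    ports = set()
    for line in rpcinfo_text.splitlines():
        fields = line.split()
        if len(fields) >= 4 and fields[0] == "100004":
            ports.add(int(fields[3]))
    return ports

def audit(ldif_text, rpcinfo_text=""):
    """Return (code, detail) findings for the problems raised in the thread."""
    findings, maps, port = [], {}, None
    for entry in parse_ldif(ldif_text):
        arg0 = entry.get("nsslapd-pluginarg0", [""])[0]
        if arg0.isdigit():
            port = int(arg0)  # assumption: arg0 is the port, as the reply reads it
        if "nis-map" not in entry:
            continue
        name = entry["nis-map"][0]
        maps.setdefault(entry.get("nis-domain", ["?"])[0], set()).add(name)
        for fmt in entry.get("nis-value-format", []):
            if re.search(r"%\{userPassword\b", fmt, re.IGNORECASE):
                findings.append(("password-exposed",
                                 f"map {name} publishes userPassword"))
            for attr in re.findall(r"%\{([\w-]+?)-:", fmt):
                findings.append(("bad-default-syntax",
                                 f"map {name}: %{{{attr}-:...}} should use ':-'"))
    for domain, names in sorted(maps.items()):
        for missing in sorted(REQUIRED_USER_MAPS - names):
            findings.append(("missing-map", f"{domain} has no {missing}"))
    registered = ypserv_ports(rpcinfo_text)
    if port is not None and registered and port not in registered:
        findings.append(("port-mismatch",
                         f"configured {port}, ypserv on {sorted(registered)}"))
    return findings

if __name__ == "__main__":
    for code, detail in audit(BROKEN_LDIF, RPCINFO):
        print(f"{code}: {detail}")
```

The audit only sees explicit format overrides; what the built-in default for a map publishes can be inspected with the "nisserver-plugin-defs -m passwd.byname" command mentioned in the thread.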
From: yzhang at redhat.com (yi zhang)
Date: Wed, 06 May 2009 15:10:23 -0700
Subject: [Freeipa-devel] nis plug-in setup question
In-Reply-To: <4A01EE88.9000102@redhat.com>
References: <4A01E911.80807@redhat.com> <4A01EE88.9000102@redhat.com>
Message-ID: <4A020ACF.2000005@redhat.com>

Rob Crittenden wrote:
> I have code and config that will do this for you sort of automagically
> in IPA (at least for passwd and group). I haven't tested it with nss
> yet but it works with ypcat.

What is the command to config it, and what are the procedures?

Thanks!

Yi

>
> Nalin is working on an issue in slapi-nis I found today and once
> that's resolved I'll feel comfortable releasing my patch, then you can
> give it a go.
>
> So if can hold off a day or two it may be better to test my
> configuration.
>
> rob

From rcritten at redhat.com Thu May 7 01:42:24 2009
From: rcritten at redhat.com (Rob Crittenden)
Date: Wed, 06 May 2009 21:42:24 -0400
Subject: [Freeipa-devel] nis plug-in setup question
In-Reply-To: <4A020ACF.2000005@redhat.com>
References: <4A01E911.80807@redhat.com> <4A01EE88.9000102@redhat.com> <4A020ACF.2000005@redhat.com>
Message-ID: <4A023C80.6070508@redhat.com>

yi zhang wrote:
> Rob Crittenden wrote:
>> I have code and config that will do this for you sort of automagically
>> in IPA (at least for passwd and group). I haven't tested it with nss
>> yet but it works with ypcat.
> What is the command to config it, and what are the procedures?

Sorry, I wasn't very clear. I haven't committed the changes yet. I
expect to do so tomorrow morning once I re-test with Nalin's new package.

rob

> Thanks!
>
> Yi
>>
>> Nalin is working on an issue in slapi-nis I found today and once
>> that's resolved I'll feel comfortable releasing my patch, then you can
>> give it a go.
>>
>> So if can hold off a day or two it may be better to test my
>> configuration.
>>
>> rob
>

From jderose at redhat.com Thu May 7 06:00:15 2009
From: jderose at redhat.com (Jason Gerard DeRose)
Date: Thu, 07 May 2009 00:00:15 -0600
Subject: [Freeipa-devel] [PATCH] 199 convert uidnumber to string
In-Reply-To: <4A01773C.2020406@redhat.com>
References: <49FF50A1.4030409@redhat.com> <1241570537.5091.20.camel@jgd-dsk> <4A01773C.2020406@redhat.com>
Message-ID: <1241676015.5263.11.camel@jgd-dsk>

On Wed, 2009-05-06 at 07:40 -0400, Rob Crittenden wrote:
> Jason Gerard DeRose wrote:
> > On Mon, 2009-05-04 at 16:31 -0400, Rob Crittenden wrote:
> >> We need to convert the uidnumber to a string when adding/modifying users
> >> to avoid a type error on the LDAP side.
> >>
> >> Pavel, I'm not sure whether this is handled automagically or not in your
> >> version of the plugin.
> >>
> >> rob
> >
> > ack.
> >
> > This is fine as a stop gap, but we really need a better solution in the
> > long run.
> >
> > So the UID is always in integer, correct? Do all LDAP "types" need to
> > be sent as strings, or is this just a case where we are using a more
> > restrictive type in IPA than the attribute in LDAP?
> >
>
> Pavel is working on some smarter schema handling in the new LDAP plugin.
> I think that will handle the type conversions for us.
>
> rob

Still confused about the LDAP type, though: so is there such a thing as
an LDAP integer type? Why exactly are we converting to a string
representation of the integer?

From sbose at redhat.com Thu May 7 08:01:05 2009
From: sbose at redhat.com (Sumit Bose)
Date: Thu, 07 May 2009 10:01:05 +0200
Subject: [Freeipa-devel] [PATCH] cleanup and fixes for pam_sss
Message-ID: <4A029541.1020500@redhat.com>

Hi,

this patch provides some cleanup to pam_sss and better option handling.
It should fix https://bugzilla.redhat.com/show_bug.cgi?id=498531 .

bye,
Sumit

-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0001-cleanup-and-fixes-for-pam_sss.patch
Type: text/x-patch
Size: 25160 bytes
Desc: not available

From jderose at redhat.com Thu May 7 08:06:25 2009
From: jderose at redhat.com (Jason Gerard DeRose)
Date: Thu, 07 May 2009 02:06:25 -0600
Subject: [Freeipa-devel] [PATCH] 202 Store certificates in service records
In-Reply-To: <4A009175.4020207@redhat.com>
References: <4A009175.4020207@redhat.com>
Message-ID: <1241683585.5263.74.camel@jgd-dsk>

On Tue, 2009-05-05 at 15:20 -0400, Rob Crittenden wrote:
> When we issue a server cert we want to store it in the service record.
>
> I also cleaned up some argument names to match the current standard.
>
> rob

ack.

From jderose at redhat.com Thu May 7 08:13:24 2009
From: jderose at redhat.com (Jason Gerard DeRose)
Date: Thu, 07 May 2009 02:13:24 -0600
Subject: [Freeipa-devel] [PATCH 203 Don't issue SSL cert on domain join
In-Reply-To: <4A00AF11.5070900@redhat.com>
References: <4A00AF11.5070900@redhat.com>
Message-ID: <1241684004.5263.75.camel@jgd-dsk>

On Tue, 2009-05-05 at 17:26 -0400, Rob Crittenden wrote:
> We decided not to issue an SSL cert when a machine joins the IPA domain.
>
> rob

ack.

From jderose at redhat.com Thu May 7 08:15:36 2009
From: jderose at redhat.com (Jason Gerard DeRose)
Date: Thu, 07 May 2009 02:15:36 -0600
Subject: [Freeipa-devel] [PATCH] 204 fix netgroups test
In-Reply-To: <4A01AA51.5030907@redhat.com>
References: <4A01AA51.5030907@redhat.com>
Message-ID: <1241684136.5263.76.camel@jgd-dsk>

On Wed, 2009-05-06 at 11:18 -0400, Rob Crittenden wrote:
> I added a new required attribute to the netgroups plugin, add this to
> the test as well.
>
> rob

ack.

From sbose at redhat.com Thu May 7 10:11:58 2009
From: sbose at redhat.com (Sumit Bose)
Date: Thu, 07 May 2009 12:11:58 +0200
Subject: [Freeipa-devel] [PATCH] cleanup and fixes for pam_sss
In-Reply-To: <4A029541.1020500@redhat.com>
References: <4A029541.1020500@redhat.com>
Message-ID: <4A02B3EE.6070508@redhat.com>

Sumit Bose wrote:
> Hi,
>
> this patch provides some cleanup to pam_sss and better option handling.
> It should fix https://bugzilla.redhat.com/show_bug.cgi?id=498531 .
>

sorry, there is a problem with return values in the previous patch,
please use this one.

bye,
Sumit

-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0001-cleanup-and-fixes-for-pam_sss.patch
Type: text/x-patch
Size: 25170 bytes
Desc: not available

From sbose at redhat.com Thu May 7 12:58:25 2009
From: sbose at redhat.com (Sumit Bose)
Date: Thu, 07 May 2009 14:58:25 +0200
Subject: [Freeipa-devel] [PATCH] added syslog support to pam_sss
Message-ID: <4A02DAF1.4010609@redhat.com>

Hi,

this patch adds basic syslog support for pam_sss and is a bit related to
https://fedorahosted.org/sssd/ticket/32 .

bye,
Sumit

-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0001-added-syslog-support-to-pam_sss.patch
Type: text/x-patch
Size: 3692 bytes
Desc: not available

From rcritten at redhat.com Thu May 7 13:16:18 2009
From: rcritten at redhat.com (Rob Crittenden)
Date: Thu, 07 May 2009 09:16:18 -0400
Subject: [Freeipa-devel] [PATCH] 199 convert uidnumber to string
In-Reply-To: <1241676015.5263.11.camel@jgd-dsk>
References: <49FF50A1.4030409@redhat.com> <1241570537.5091.20.camel@jgd-dsk> <4A01773C.2020406@redhat.com> <1241676015.5263.11.camel@jgd-dsk>
Message-ID: <4A02DF22.8030000@redhat.com>

Jason Gerard DeRose wrote:
> On Wed, 2009-05-06 at 07:40 -0400, Rob Crittenden wrote:
>> Jason Gerard DeRose wrote:
>>> On Mon, 2009-05-04 at 16:31 -0400, Rob Crittenden wrote:
>>>> We need to convert the uidnumber to a string when adding/modifying users
>>>> to avoid a type error on the LDAP side.
>>>>
>>>> Pavel, I'm not sure whether this is handled automagically or not in your
>>>> version of the plugin.
>>>>
>>>> rob
>>> ack.
>>>
>>> This is fine as a stop gap, but we really need a better solution in the
>>> long run.
>>>
>>> So the UID is always in integer, correct? Do all LDAP "types" need to
>>> be sent as strings, or is this just a case where we are using a more
>>> restrictive type in IPA than the attribute in LDAP?
>>>
>> Pavel is working on some smarter schema handling in the new LDAP plugin.
>> I think that will handle the type conversions for us.
>>
>> rob
>
> Still confused about the LDAP type, though: so is there such a thing as
> an LDAP integer type? Why exactly are we converting to a string
> representation of the integer?
>

We're converting because python-ldap blew up, reporting an incorrect
type with the uid. Converting to a string makes it work.

rob

From sgallagh at redhat.com Thu May 7 13:42:11 2009
From: sgallagh at redhat.com (Stephen Gallagher)
Date: Thu, 07 May 2009 09:42:11 -0400
Subject: [Freeipa-devel] [PATCH] added syslog support to pam_sss
In-Reply-To: <4A02DAF1.4010609@redhat.com>
References: <4A02DAF1.4010609@redhat.com>
Message-ID: <4A02E533.7080207@redhat.com>

On 05/07/2009 08:58 AM, Sumit Bose wrote:
> Hi,
>
> this patch adds basic syslog support for pam_sss and is a bit related to
> https://fedorahosted.org/sssd/ticket/32 .
>
> bye,
> Sumit
>
> ------------------------------------------------------------------------
>
> _______________________________________________
> Freeipa-devel mailing list
> Freeipa-devel at redhat.com
> https://www.redhat.com/mailman/listinfo/freeipa-devel

Ack. Looks fine to me.

From rcritten at redhat.com Thu May 7 14:53:22 2009
From: rcritten at redhat.com (Rob Crittenden)
Date: Thu, 07 May 2009 10:53:22 -0400
Subject: [Freeipa-devel] [PATCH] add NIS support
Message-ID: <4A02F5E2.1020707@redhat.com>

Add tool to enable the slapi-nis NIS plugin. This is a DS plugin that
acts as a basic NIS server.

rob

-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-205-nis.patch
Type: application/mbox
Size: 13585 bytes
Desc: not available

From rcritten at redhat.com Thu May 7 14:54:23 2009
From: rcritten at redhat.com (Rob Crittenden)
Date: Thu, 07 May 2009 10:54:23 -0400
Subject: [Freeipa-devel] [PATCH] 202 Store certificates in service records
In-Reply-To: <1241683585.5263.74.camel@jgd-dsk>
References: <4A009175.4020207@redhat.com> <1241683585.5263.74.camel@jgd-dsk>
Message-ID: <4A02F61F.5030000@redhat.com>

Jason Gerard DeRose wrote:
> On Tue, 2009-05-05 at 15:20 -0400, Rob Crittenden wrote:
>> When we issue a server cert we want to store it in the service record.
>>
>> I also cleaned up some argument names to match the current standard.
>>
>> rob
>
> ack.
>

pushed to master

From rcritten at redhat.com Thu May 7 14:54:30 2009
From: rcritten at redhat.com (Rob Crittenden)
Date: Thu, 07 May 2009 10:54:30 -0400
Subject: [Freeipa-devel] [PATCH 203 Don't issue SSL cert on domain join
In-Reply-To: <1241684004.5263.75.camel@jgd-dsk>
References: <4A00AF11.5070900@redhat.com> <1241684004.5263.75.camel@jgd-dsk>
Message-ID: <4A02F626.9010408@redhat.com>

Jason Gerard DeRose wrote:
> On Tue, 2009-05-05 at 17:26 -0400, Rob Crittenden wrote:
>> We decided not to issue an SSL cert when a machine joins the IPA domain.
>>
>> rob
>
> ack.
>

pushed to master

From rcritten at redhat.com Thu May 7 14:54:39 2009
From: rcritten at redhat.com (Rob Crittenden)
Date: Thu, 07 May 2009 10:54:39 -0400
Subject: [Freeipa-devel] [PATCH] 204 fix netgroups test
In-Reply-To: <1241684136.5263.76.camel@jgd-dsk>
References: <4A01AA51.5030907@redhat.com> <1241684136.5263.76.camel@jgd-dsk>
Message-ID: <4A02F62F.70305@redhat.com>

Jason Gerard DeRose wrote:
> On Wed, 2009-05-06 at 11:18 -0400, Rob Crittenden wrote:
>> I added a new required attribute to the netgroups plugin, add this to
>> the test as well.
>>
>> rob
>
> ack.
>

pushed to master

From yzhang at redhat.com Thu May 7 15:18:34 2009
From: yzhang at redhat.com (yi zhang)
Date: Thu, 07 May 2009 08:18:34 -0700
Subject: [Freeipa-devel] [PATCH] add NIS support
In-Reply-To: <4A02F5E2.1020707@redhat.com>
References: <4A02F5E2.1020707@redhat.com>
Message-ID: <4A02FBCA.9030504@redhat.com>

Rob Crittenden wrote:
> Add tool to enable the slapi-nis NIS plugin. This is a DS plugin that
> acts as a basic NIS server.
>
> rob

Rob:
Can we have a little bit more info, such as when the patch would be in
daily build, and how to use it?

Thanks
Yi

From rcritten at redhat.com Thu May 7 15:35:23 2009
From: rcritten at redhat.com (Rob Crittenden)
Date: Thu, 07 May 2009 11:35:23 -0400
Subject: [Freeipa-devel] [PATCH] add NIS support
In-Reply-To: <4A02FBCA.9030504@redhat.com>
References: <4A02F5E2.1020707@redhat.com> <4A02FBCA.9030504@redhat.com>
Message-ID: <4A02FFBB.8020309@redhat.com>

yi zhang wrote:
> Rob Crittenden wrote:
>> Add tool to enable the slapi-nis NIS plugin. This is a DS plugin that
>> acts as a basic NIS server.
>>
>> rob
> Rob:
> Can we have a little bit more info, such as when the patch would be in
> daily build, and how to use it?
>

The patch needs to be reviewed before it may be committed. That process
is not predictable.

To enable/disable the plugin use the ipa-nis-manage command. The DS will
need to be restarted for the change to take effect.

I'm just configuring passwd, group and netgroup currently, though the
plugin defines a slew of default maps.

Also note that netgroup is available but not populated yet. That will
come in a future patch.

I tested with:

% ypcat -h ipaserver.example.com -d example.com passwd

rob

From jderose at redhat.com Thu May 7 22:03:22 2009
From: jderose at redhat.com (Jason Gerard DeRose) Date: Thu, 07 May 2009 16:03:22 -0600 Subject: [Freeipa-devel] [PATCH] jderose 004 make srpms Message-ID: <1241733802.7650.25.camel@jgd-dsk> This is actually Rob's patch that adds a `make srpms` target. I tested it and it seems to work fine. -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-jderose-004-make-srpms.patch Type: text/x-patch Size: 834 bytes Desc: not available URL: From sbose at redhat.com Fri May 8 08:03:28 2009 From: sbose at redhat.com (Sumit Bose) Date: Fri, 08 May 2009 10:03:28 +0200 Subject: [Freeipa-devel] [PATCH] allow different protocol versions for PAM and NSS Message-ID: <4A03E750.40800@redhat.com> Hi, this patch adds support for different version numbers of the PAM and NSS communication with the specific responder. I have not changed the logic of the get_version request, i.e. the client (pam_sss or libnss_sss) sends a get_version request to the responder, the responder sends back his version number and the client proceeds if the version number meets his expectation. Maybe it would make sense to switch the logic here, i.e. the client sends his version number and the responder says ACK if he can support the version and NACK otherwise. This way we can theoretically support more than one version for either PAM or NSS communication on the responder side, although I do not know if there ever will be a use case for this. bye, Sumit -------------- next part -------------- A non-text attachment was scrubbed... Name: 0001-allow-different-protocol-versions-for-PAM-and-NSS.patch Type: text/x-patch Size: 5394 bytes Desc: not available URL: From sgallagh at redhat.com Fri May 8 10:54:34 2009 
From: sgallagh at redhat.com (Stephen Gallagher) Date: Fri, 08 May 2009 06:54:34 -0400 Subject: [Freeipa-devel] [PATCH] allow different protocol versions for PAM and NSS In-Reply-To: <4A03E750.40800@redhat.com> References: <4A03E750.40800@redhat.com> Message-ID: <4A040F6A.1050704@redhat.com> Sumit Bose wrote: > Hi, > > this patch adds support for different version numbers of the PAM and NSS > communication with the specific responder. > > I have not changed the logic of the get_version request, i.e. the client > (pam_sss or libnss_sss) sends a get_version request to the responder, > the responder sends back his version number and the client proceeds if > the version number meets his expectation. Maybe it would make sense to > switch the logic here, i.e. the client sends his version number and the > responder says ACK if he can support the version and NACK otherwise. > This way we can theoretically support more than one version for either > PAM or NSS communication on the responder side, although I do not know > if there ever will be a use case for this. > > bye, > Sumit > > > ------------------------------------------------------------------------ > > _______________________________________________ > Freeipa-devel mailing list > Freeipa-devel at redhat.com > https://www.redhat.com/mailman/listinfo/freeipa-devel I can think of a use-case: Consider upgrading of the SSSD. Any long-running process that is currently loaded with our sss_client will continue to use the old version until such time as it is reloaded. Unless we want to require full system reboots on SSSD upgrade, we need to be able to support at least one prior version of the protocol. -- Stephen Gallagher RHCE 804006346421761 Looking to carve out IT costs? 
www.redhat.com/carveoutcosts/ -------------- next part -------------- A non-text attachment was scrubbed... Name: smime.p7s Type: application/x-pkcs7-signature Size: 3258 bytes Desc: S/MIME Cryptographic Signature URL: From ssorce at redhat.com Fri May 8 12:19:57 2009 From: ssorce at redhat.com (Simo Sorce) Date: Fri, 08 May 2009 08:19:57 -0400 Subject: [Freeipa-devel] [PATCH] allow different protocol versions for PAM and NSS In-Reply-To: <4A03E750.40800@redhat.com> References: <4A03E750.40800@redhat.com> Message-ID: <1241785197.10366.1.camel@localhost.localdomain> On Fri, 2009-05-08 at 10:03 +0200, Sumit Bose wrote: > Hi, > > this patch adds support for different version numbers of the PAM and > NSS > communication with the specific responder. > > I have not changed the logic of the get_version request, i.e. the > client > (pam_sss or libnss_sss) sends a get_version request to the responder, > the responder sends back his version number and the client proceeds if > the version number meets his expectation. Maybe it would make sense to > switch the logic here, i.e. the client sends his version number and the > responder says ACK if he can support the version and NACK otherwise. > This way we can theoretically support more than one version for either > PAM or NSS communication on the responder side, although I do not know > if there ever will be a use case for this. I like the approach. Simo. -- Simo Sorce * Red Hat, Inc * New York From sbose at redhat.com Fri May 8 12:25:17 2009 
From: sbose at redhat.com (Sumit Bose) Date: Fri, 08 May 2009 14:25:17 +0200 Subject: [Freeipa-devel] [PATCH] allow different protocol versions for PAM and NSS In-Reply-To: <4A040F6A.1050704@redhat.com> References: <4A03E750.40800@redhat.com> <4A040F6A.1050704@redhat.com> Message-ID: <4A0424AD.1020301@redhat.com> Stephen Gallagher wrote: > Sumit Bose wrote: >> Hi, > >> this patch adds support for different version numbers of the PAM and NSS >> communication with the specific responder. > >> I have not changed the logic of the get_version request, i.e. the client >> (pam_sss or libnss_sss) sends a get_version request to the responder, >> the responder sends back his version number and the client proceeds if >> the version number meets his expectation. Maybe it would make sense to >> switch the logic here, i.e. the client sends his version number and the >> responder says ACK if he can support the version and NACK otherwise. >> This way we can theoretically support more than one version for either >> PAM or NSS communication on the responder side, although I do not know >> if there ever will be a use case for this. > >> bye, >> Sumit > > >> ------------------------------------------------------------------------ > >> _______________________________________________ >> Freeipa-devel mailing list >> Freeipa-devel at redhat.com >> https://www.redhat.com/mailman/listinfo/freeipa-devel > > I can think of a use-case: Consider upgrading of the SSSD. Any > long-running process that is currently loaded with our sss_client will > continue to use the old version until such time as it is reloaded. > Unless we want to require full system reboots on SSSD upgrade, we need > to be able to support at least one prior version of the protocol. > good point. So I start making the necessary changes. bye, Sumit From sbose at redhat.com Fri May 8 14:09:58 2009 
From: sbose at redhat.com (Sumit Bose) Date: Fri, 08 May 2009 16:09:58 +0200 Subject: [Freeipa-devel] [PATCH] added support for more than one protocol version to the responder Message-ID: <4A043D36.5010408@redhat.com> Hi, with this patch the sss_client sends his protocol version to the server. If the server finds this number in his list of supported versions it returns the version number. If he doesn't find it or if the client has not sent a version number it will return the first version number from the list. In the case of an error 0 is returned. For the time being I think it is ok to have the supported versions hardcoded in nsssrv_cmd.c and pamsrv_cmd.c, because the requests are evaluated there. If you prefer some other I will change it. bye, Sumit -------------- next part -------------- A non-text attachment was scrubbed... Name: 0001-fix-to-regular-expression-extraction-the-version-str.patch Type: text/x-patch Size: 892 bytes Desc: not available URL: From sbose at redhat.com Fri May 8 14:11:56 2009 
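The negotiation rule described in the "[PATCH] added support for more than one protocol version to the responder" message above, together with the upgrade case raised earlier in the thread, as an added example that is not the SSSD patch or any code from the project. The function names, the version numbers and the request body layout (one 32-bit integer, or an empty body when the client sends no version) are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed version lists, preferred version first. The real lists are in
 * the attached patch, which the archive does not show. */
static const uint32_t nss_supported[] = { 2, 1 };
static const uint32_t pam_supported[] = { 3 };

#define N_ELEMS(a) (sizeof(a) / sizeof((a)[0]))

/*
 * Responder side of the rule from the message:
 *   - client version found in the list      -> return that version
 *   - version not found, or none was sent   -> return the first list entry
 *   - error                                 -> return 0
 * The body comes from an untrusted client, so its length is checked before
 * anything is read from it. Treating a body of any other size as an error
 * is an assumption of this sketch.
 */
uint32_t negotiate_version(const uint8_t *body, size_t body_len,
                           const uint32_t *supported, size_t n_supported)
{
    uint32_t requested;
    size_t i;

    if (supported == NULL || n_supported == 0) {
        return 0;                       /* responder has nothing to offer */
    }
    if (body_len == 0) {
        return supported[0];            /* client sent no version */
    }
    if (body == NULL || body_len != sizeof(requested)) {
        return 0;                       /* truncated or oversized request */
    }

    /* memcpy avoids an unaligned read from the receive buffer */
    memcpy(&requested, body, sizeof(requested));

    for (i = 0; i < n_supported; i++) {
        if (supported[i] == requested) {
            return requested;
        }
    }
    return supported[0];                /* unknown version: offer ours */
}

/* Client side: proceed only when the responder confirmed the client's own
 * version; 0 is the error value and is never accepted. */
int client_accepts(uint32_t own_version, uint32_t reply)
{
    return reply != 0 && reply == own_version;
}

/* Helper for the demonstration: encode a version the way this sketch
 * assumes the client does, then run the responder logic on it. */
uint32_t ask(uint32_t client_version, const uint32_t *supported, size_t n)
{
    uint8_t body[sizeof(client_version)];

    memcpy(body, &client_version, sizeof(body));
    return negotiate_version(body, sizeof(body), supported, n);
}

int main(void)
{
    /* A long-running process still loaded with the version 1 client keeps
     * working after the responder was upgraded to prefer version 2. */
    uint32_t old_client = ask(1, nss_supported, N_ELEMS(nss_supported));
    /* A client speaking an unknown version is offered version 2 and stops. */
    uint32_t unknown = ask(9, nss_supported, N_ELEMS(nss_supported));
    /* PAM has its own list, independent of NSS. */
    uint32_t pam_default = negotiate_version(NULL, 0, pam_supported,
                                             N_ELEMS(pam_supported));

    printf("old NSS client: reply %u, proceeds: %d\n",
           (unsigned)old_client, client_accepts(1, old_client));
    printf("unknown client: reply %u, proceeds: %d\n",
           (unsigned)unknown, client_accepts(9, unknown));
    printf("PAM, no version sent: reply %u\n", (unsigned)pam_default);
    return 0;
}
```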
From: sbose at redhat.com (Sumit Bose) Date: Fri, 08 May 2009 16:11:56 +0200 Subject: [Freeipa-devel] [PATCH] added support for more than one protocol version to the responder In-Reply-To: <4A043D36.5010408@redhat.com> References: <4A043D36.5010408@redhat.com> Message-ID: <4A043DAC.3010500@redhat.com> Sumit Bose wrote: > Hi, > > with this patch the sss_client sends his protocol version to the server. > If the server finds this number in his list of supported versions it > returns the version number. If he doesn't find it or if the client has > not sent a version number it will return the first version number from > the list. In the case of an error 0 is returned. > > For the time being I think it is ok to have the supported versions > hardcoded in nsssrv_cmd.c and pamsrv_cmd.c, because the requests are > evaluated there. If you prefer some other I will change it. > sorry, wrong patch attached -------------- next part -------------- A non-text attachment was scrubbed... Name: 0001-added-support-for-more-than-one-protocol-version-to.patch Type: text/x-patch Size: 4656 bytes Desc: not available URL: From ssorce at redhat.com Fri May 8 15:03:59 2009 From: ssorce at redhat.com (Simo Sorce) Date: Fri, 08 May 2009 11:03:59 -0400 Subject: [Freeipa-devel] [PATCH] Chdir to / when daemonizing In-Reply-To: <1241527173.29148.182.camel@localhost.localdomain> References: <1241525494.26178.39.camel@zeppelin.englab.brq.redhat.com> <1241527173.29148.182.camel@localhost.localdomain> Message-ID: <1241795039.10366.29.camel@localhost.localdomain> On Tue, 2009-05-05 at 12:39 +0000, Simo Sorce wrote: > On Tue, 2009-05-05 at 14:11 +0200, Jakub Hrozek wrote: > > att. > > > > Rationale: starting the daemon on a remote filesystem > > very good catch, > ack pushed -- Simo Sorce * Red Hat, Inc * New York From ssorce at redhat.com Fri May 8 15:04:20 2009 
From: ssorce at redhat.com (Simo Sorce) Date: Fri, 08 May 2009 11:04:20 -0400 Subject: [Freeipa-devel] [PATCHES] start/stop related fixes In-Reply-To: <1241525206.26178.33.camel@zeppelin.englab.brq.redhat.com> References: <1241106592.29393.40.camel@zeppelin.englab.brq.redhat.com> <49F9CBAA.3020401@redhat.com> <1241115941.29393.57.camel@zeppelin.englab.brq.redhat.com> <1241122416.29148.43.camel@localhost.localdomain> <1241525206.26178.33.camel@zeppelin.englab.brq.redhat.com> Message-ID: <1241795060.10366.30.camel@localhost.localdomain> On Tue, 2009-05-05 at 14:06 +0200, Jakub Hrozek wrote: > On Thu, 2009-04-30 at 16:13 -0400, Simo Sorce wrote: > > NACK, you cannot allocate memory in a signal handler. > > > > Please use tevent signal handlers in monitor's main. > > > > Simo. > > attached. ack and pushed -- Simo Sorce * Red Hat, Inc * New York From ssorce at redhat.com Fri May 8 15:04:41 2009 From: ssorce at redhat.com (Simo Sorce) Date: Fri, 08 May 2009 11:04:41 -0400 Subject: [Freeipa-devel] [PATCHES] start/stop related fixes In-Reply-To: <1241124347.16180.2.camel@hendrix> References: <1241106592.29393.40.camel@zeppelin.englab.brq.redhat.com> <49F9CBAA.3020401@redhat.com> <1241109926.29393.48.camel@zeppelin.englab.brq.redhat.com> <49F9DBD7.20704@redhat.com> <1241122113.29148.42.camel@localhost.localdomain> <1241124347.16180.2.camel@hendrix> Message-ID: <1241795081.10366.31.camel@localhost.localdomain> On Thu, 2009-04-30 at 22:45 +0200, Jakub Hrozek wrote: > > OK, that makes it a one-liner. ack and pushed -- Simo Sorce * Red Hat, Inc * New York From ssorce at redhat.com Fri May 8 15:05:01 2009 
From: ssorce at redhat.com (Simo Sorce) Date: Fri, 08 May 2009 11:05:01 -0400 Subject: [Freeipa-devel] [PATCH] Some more return value fixes (ticket #30) In-Reply-To: <49FA228A.3000502@redhat.com> References: <1241125950.29148.44.camel@localhost.localdomain> <49FA228A.3000502@redhat.com> Message-ID: <1241795101.10366.32.camel@localhost.localdomain> On Fri, 2009-05-01 at 00:13 +0200, Sumit Bose wrote: > Simo Sorce wrote: > > see subj > > > > ACK > pushed -- Simo Sorce * Red Hat, Inc * New York From rcritten at redhat.com Fri May 8 15:16:50 2009 From: rcritten at redhat.com (Rob Crittenden) Date: Fri, 08 May 2009 11:16:50 -0400 Subject: [Freeipa-devel] [PATCH] 206 enhanced NotFound exception Message-ID: <4A044CE2.5070404@redhat.com> Add a reason message to the NotFound exception so we can better report *what* was not found. rob -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-206-errors.patch Type: application/mbox Size: 9086 bytes Desc: not available URL: -------------- next part -------------- A non-text attachment was scrubbed... Name: smime.p7s Type: application/x-pkcs7-signature Size: 3245 bytes Desc: S/MIME Cryptographic Signature URL: From rcritten at redhat.com Fri May 8 15:41:26 2009 
From: rcritten at redhat.com (Rob Crittenden) Date: Fri, 08 May 2009 11:41:26 -0400 Subject: [Freeipa-devel] [PATCH] jderose 004 make srpms In-Reply-To: <1241733802.7650.25.camel@jgd-dsk> References: <1241733802.7650.25.camel@jgd-dsk> Message-ID: <4A0452A6.8060305@redhat.com> Jason Gerard DeRose wrote: > This is actually Rob's patch that adds a `make srpms` target. I tested > it and it seems to work fine. > Jason, was this patch enough or did you need the one that didn't run through autogen.sh too? rob -------------- next part -------------- A non-text attachment was scrubbed... Name: smime.p7s Type: application/x-pkcs7-signature Size: 3245 bytes Desc: S/MIME Cryptographic Signature URL: From rcritten at redhat.com Fri May 8 18:12:10 2009 From: rcritten at redhat.com (Rob Crittenden) Date: Fri, 08 May 2009 14:12:10 -0400 Subject: [Freeipa-devel] [PATCH] improve cert revocation_reason argument Message-ID: <4A0475FA.1080309@redhat.com> Add a min/max range and some documentation on the revocation_reason argument. I think it would be a bit much to iterate all the reasons for revocation here so I didn't include that. rob -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-207-cert.patch Type: application/mbox Size: 936 bytes Desc: not available URL: -------------- next part -------------- A non-text attachment was scrubbed... Name: smime.p7s Type: application/x-pkcs7-signature Size: 3245 bytes Desc: S/MIME Cryptographic Signature URL: From rcritten at redhat.com Fri May 8 18:17:33 2009 
From: rcritten at redhat.com (Rob Crittenden) Date: Fri, 08 May 2009 14:17:33 -0400 Subject: [Freeipa-devel] [PATCH] 208 tighten integration of hosts and services Message-ID: <4A04773D.4080803@redhat.com> This patch more tightly couples services and hosts: - A host is required in order to create a service. - When removing a host all services are removed. - When a service is removed its certificate is revoked. This makes removing a host a pretty destructive, irreversible act. I'm working on a way to prompt the command-line user before executing the command. That will come as a later patch. rob -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-208-host.patch Type: application/mbox Size: 6831 bytes Desc: not available URL: -------------- next part -------------- A non-text attachment was scrubbed... Name: smime.p7s Type: application/x-pkcs7-signature Size: 3245 bytes Desc: S/MIME Cryptographic Signature URL: From ssorce at redhat.com Fri May 8 19:36:42 2009 From: ssorce at redhat.com (Simo Sorce) Date: Fri, 08 May 2009 15:36:42 -0400 Subject: [Freeipa-devel] [PATCH] improve cert revocation_reason argument In-Reply-To: <4A0475FA.1080309@redhat.com> References: <4A0475FA.1080309@redhat.com> Message-ID: <1241811402.10366.156.camel@localhost.localdomain> On Fri, 2009-05-08 at 14:12 -0400, Rob Crittenden wrote: > Add a min/max range and some documentation on the revocation_reason > argument. I think it would be a bit much to iterate all the reasons for > revocation here so I didn't include that. Uhmmm using the product, would you be able to pick the right one without having to look at docs ? If not I guess most admins would be tempted to pick one at random ... Simo. -- Simo Sorce * Red Hat, Inc * New York From ssorce at redhat.com Fri May 8 19:39:34 2009 
From: ssorce at redhat.com (Simo Sorce) Date: Fri, 08 May 2009 15:39:34 -0400 Subject: [Freeipa-devel] [PATCH] 208 tighten integration of hosts and services In-Reply-To: <4A04773D.4080803@redhat.com> References: <4A04773D.4080803@redhat.com> Message-ID: <1241811574.10366.159.camel@localhost.localdomain> On Fri, 2009-05-08 at 14:17 -0400, Rob Crittenden wrote: > This patch more tightly couples services and hosts: > > - A host is required in order to create a service. nack, assuming I understand what this mean :) I think we need to be able to give out service keytabs and certificates to non-enrolled hosts for a long time. I am not sure it is a good idea to force someone to create a fake host just to get a keytab/certificate. > - When removing a host all services are removed. ack > - When a service is removed its certificate is revoked. ack > This makes removing a host a pretty destructive, irreversible act. I'm > working on a way to prompt the command-line user before executing the > command. That will come as a later patch. Yeah that would be nice. Simo. -- Simo Sorce * Red Hat, Inc * New York From rcritten at redhat.com Fri May 8 19:49:58 2009 
From: rcritten at redhat.com (Rob Crittenden) Date: Fri, 08 May 2009 15:49:58 -0400 Subject: [Freeipa-devel] [PATCH] 208 tighten integration of hosts and services In-Reply-To: <1241811574.10366.159.camel@localhost.localdomain> References: <4A04773D.4080803@redhat.com> <1241811574.10366.159.camel@localhost.localdomain> Message-ID: <4A048CE6.1040902@redhat.com> Simo Sorce wrote: > On Fri, 2009-05-08 at 14:17 -0400, Rob Crittenden wrote: >> This patch more tightly couples services and hosts: >> >> - A host is required in order to create a service. > > nack, assuming I understand what this mean :) > I think we need to be able to give out service keytabs and certificates > to non-enrolled hosts for a long time. > I am not sure it is a good idea to force someone to create a fake host > just to get a keytab/certificate. Define fake host. This doesn't force them to do an enrollment, just to create a host entry ala: ipa host-add foo.example.com. >> - When removing a host all services are removed. > > ack > >> - When a service is removed its certificate is revoked. > > ack > >> This makes removing a host a pretty destructive, irreversible act. I'm >> working on a way to prompt the command-line user before executing the >> command. That will come as a later patch. > > Yeah that would be nice. > > Simo. > -------------- next part -------------- A non-text attachment was scrubbed... Name: smime.p7s Type: application/x-pkcs7-signature Size: 3245 bytes Desc: S/MIME Cryptographic Signature URL: From rcritten at redhat.com Fri May 8 19:51:16 2009 
From: rcritten at redhat.com (Rob Crittenden) Date: Fri, 08 May 2009 15:51:16 -0400 Subject: [Freeipa-devel] [PATCH] improve cert revocation_reason argument In-Reply-To: <1241811402.10366.156.camel@localhost.localdomain> References: <4A0475FA.1080309@redhat.com> <1241811402.10366.156.camel@localhost.localdomain> Message-ID: <4A048D34.2060801@redhat.com> Simo Sorce wrote: > On Fri, 2009-05-08 at 14:12 -0400, Rob Crittenden wrote: >> Add a min/max range and some documentation on the revocation_reason >> argument. I think it would be a bit much to iterate all the reasons for >> revocation here so I didn't include that. > > > Uhmmm using the product, would you be able to pick the right one without > having to look at docs ? > If not I guess most admins would be tempted to pick one at random ... > > Simo. > OptionParser formatting leaves a *lot* to be desired. I'm not sure encoding the strings would be any better than forcing them to do a man first. In the UI I think we'll be able to show a textual representation, things are always uglier on the command-line. rob -------------- next part -------------- A non-text attachment was scrubbed... Name: smime.p7s Type: application/x-pkcs7-signature Size: 3245 bytes Desc: S/MIME Cryptographic Signature URL: From ssorce at redhat.com Fri May 8 20:14:21 2009 
From: ssorce at redhat.com (Simo Sorce) Date: Fri, 08 May 2009 16:14:21 -0400 Subject: [Freeipa-devel] [PATCH] 208 tighten integration of hosts and services In-Reply-To: <4A048CE6.1040902@redhat.com> References: <4A04773D.4080803@redhat.com> <1241811574.10366.159.camel@localhost.localdomain> <4A048CE6.1040902@redhat.com> Message-ID: <1241813661.10366.162.camel@localhost.localdomain> On Fri, 2009-05-08 at 15:49 -0400, Rob Crittenden wrote: > Simo Sorce wrote: > > On Fri, 2009-05-08 at 14:17 -0400, Rob Crittenden wrote: > >> This patch more tightly couples services and hosts: > >> > >> - A host is required in order to create a service. > > > > nack, assuming I understand what this mean :) > > I think we need to be able to give out service keytabs and certificates > > to non-enrolled hosts for a long time. > > I am not sure it is a good idea to force someone to create a fake host > > just to get a keytab/certificate. > > Define fake host. This doesn't force them to do an enrollment, just to > create a host entry ala: ipa host-add foo.example.com. Yes this is what I mean by fake host, and the problem is that you will have host entries that are not enrolled. It is a problem for reporting, it is also a problem for running things like finding dead hosts. I'd prefer not to have fake hosts if at all possible, it causes problems in other areas. Simo. -- Simo Sorce * Red Hat, Inc * New York From ssorce at redhat.com Fri May 8 20:15:23 2009 
From: ssorce at redhat.com (Simo Sorce) Date: Fri, 08 May 2009 16:15:23 -0400 Subject: [Freeipa-devel] [PATCH] improve cert revocation_reason argument In-Reply-To: <4A048D34.2060801@redhat.com> References: <4A0475FA.1080309@redhat.com> <1241811402.10366.156.camel@localhost.localdomain> <4A048D34.2060801@redhat.com> Message-ID: <1241813723.10366.163.camel@localhost.localdomain> On Fri, 2009-05-08 at 15:51 -0400, Rob Crittenden wrote: > Simo Sorce wrote: > > On Fri, 2009-05-08 at 14:12 -0400, Rob Crittenden wrote: > >> Add a min/max range and some documentation on the revocation_reason > >> argument. I think it would be a bit much to iterate all the reasons for > >> revocation here so I didn't include that. > > > > > > Uhmmm using the product, would you be able to pick the right one without > > having to look at docs ? > > If not I guess most admins would be tempted to pick one at random ... > > > > Simo. > > > > OptionParser formatting leaves a *lot* to be desired. I'm not sure > encoding the strings would be any better than forcing them to do a man > first. In the UI I think we'll be able to show a textual representation, > things are always uglier on the command-line. In this case I will reluctantly ack :-) Simo. -- Simo Sorce * Red Hat, Inc * New York From ssorce at redhat.com Fri May 8 20:31:30 2009 
From: ssorce at redhat.com (Simo Sorce) Date: Fri, 08 May 2009 16:31:30 -0400 Subject: [Freeipa-devel] [PATCH] cleanup and fixes for pam_sss In-Reply-To: <4A02B3EE.6070508@redhat.com> References: <4A029541.1020500@redhat.com> <4A02B3EE.6070508@redhat.com> Message-ID: <1241814690.10366.164.camel@localhost.localdomain> On Thu, 2009-05-07 at 12:11 +0200, Sumit Bose wrote: > Sumit Bose wrote: > > Hi, > > > > this patch provides some cleanup to pam_sss and better option > handling. > > It should fix https://bugzilla.redhat.com/show_bug.cgi?id=498531 . > > > sorry, there is a problem with return values in the previous patch, > please use this one. ack and pushed Simo. -- Simo Sorce * Red Hat, Inc * New York From ssorce at redhat.com Fri May 8 20:31:55 2009 From: ssorce at redhat.com (Simo Sorce) Date: Fri, 08 May 2009 16:31:55 -0400 Subject: [Freeipa-devel] [PATCH] added syslog support to pam_sss In-Reply-To: <4A02E533.7080207@redhat.com> References: <4A02DAF1.4010609@redhat.com> <4A02E533.7080207@redhat.com> Message-ID: <1241814715.10366.165.camel@localhost.localdomain> On Thu, 2009-05-07 at 09:42 -0400, Stephen Gallagher wrote: > On 05/07/2009 08:58 AM, Sumit Bose wrote: > > Hi, > > > > this patch adds basic syslog support for pam_sss and is a bit related to > > https://fedorahosted.org/sssd/ticket/32 . > > > > ____________________________________________________________________ > Ack. Looks fine to me. Pushed. Simo. -- Simo Sorce * Red Hat, Inc * New York From rcritten at redhat.com Fri May 8 21:25:00 2009 
From: rcritten at redhat.com (Rob Crittenden) Date: Fri, 08 May 2009 17:25:00 -0400 Subject: [Freeipa-devel] [PATCH] 208 tighten integration of hosts and services In-Reply-To: <1241813661.10366.162.camel@localhost.localdomain> References: <4A04773D.4080803@redhat.com> <1241811574.10366.159.camel@localhost.localdomain> <4A048CE6.1040902@redhat.com> <1241813661.10366.162.camel@localhost.localdomain> Message-ID: <4A04A32C.6010100@redhat.com> Simo Sorce wrote: > On Fri, 2009-05-08 at 15:49 -0400, Rob Crittenden wrote: >> Simo Sorce wrote: >>> On Fri, 2009-05-08 at 14:17 -0400, Rob Crittenden wrote: >>>> This patch more tightly couples services and hosts: >>>> >>>> - A host is required in order to create a service. >>> nack, assuming I understand what this mean :) >>> I think we need to be able to give out service keytabs and certificates >>> to non-enrolled hosts for a long time. >>> I am not sure it is a good idea to force someone to create a fake host >>> just to get a keytab/certificate. >> Define fake host. This doesn't force them to do an enrollment, just to >> create a host entry ala: ipa host-add foo.example.com. > > Yes this is what I mean by fake host, and the problem is that you will > have host entries that are not enrolled. > It is a problem for reporting, it is also a problem for running things > like finding dead hosts. > I'd prefer not to have fake hosts if at all possible, it causes problems > in other areas. > > Simo. Ok, but I think fake is the wrong word to use for them. Unenrolled is more precise. rob -------------- next part -------------- A non-text attachment was scrubbed... Name: smime.p7s Type: application/x-pkcs7-signature Size: 3245 bytes Desc: S/MIME Cryptographic Signature URL: From rcritten at redhat.com Fri May 8 21:45:11 2009 
From: rcritten at redhat.com (Rob Crittenden) Date: Fri, 08 May 2009 17:45:11 -0400 Subject: [Freeipa-devel] [PATCH] 208 tighten integration of hosts and services In-Reply-To: <4A04A32C.6010100@redhat.com> References: <4A04773D.4080803@redhat.com> <1241811574.10366.159.camel@localhost.localdomain> <4A048CE6.1040902@redhat.com> <1241813661.10366.162.camel@localhost.localdomain> <4A04A32C.6010100@redhat.com> Message-ID: <4A04A7E7.6060106@redhat.com> Rob Crittenden wrote: > Simo Sorce wrote: >> On Fri, 2009-05-08 at 15:49 -0400, Rob Crittenden wrote: >>> Simo Sorce wrote: >>>> On Fri, 2009-05-08 at 14:17 -0400, Rob Crittenden wrote: >>>>> This patch more tightly couples services and hosts: >>>>> >>>>> - A host is required in order to create a service. >>>> nack, assuming I understand what this mean :) >>>> I think we need to be able to give out service keytabs and certificates >>>> to non-enrolled hosts for a long time. >>>> I am not sure it is a good idea to force someone to create a fake host >>>> just to get a keytab/certificate. >>> Define fake host. This doesn't force them to do an enrollment, just >>> to create a host entry ala: ipa host-add foo.example.com. >> >> Yes this is what I mean by fake host, and the problem is that you will >> have host entries that are not enrolled. >> It is a problem for reporting, it is also a problem for running things >> like finding dead hosts. >> I'd prefer not to have fake hosts if at all possible, it causes problems >> in other areas. >> >> Simo. > > Ok, but I think fake is the wrong word to use for them. Unenrolled is > more precise. Attached is a revised patch. Simo already acked these pieces so I'll push this to master. rob -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-208-2-host.patch Type: application/mbox Size: 4448 bytes Desc: not available URL: -------------- next part -------------- A non-text attachment was scrubbed... 
Name: smime.p7s Type: application/x-pkcs7-signature Size: 3245 bytes Desc: S/MIME Cryptographic Signature URL: From mpcolino at gmail.com Mon May 11 07:42:28 2009 From: mpcolino at gmail.com (Miguel P.C.) Date: Mon, 11 May 2009 09:42:28 +0200 Subject: [Freeipa-devel] FreeIPA for Ubuntu, actions taken in Launchpad. In-Reply-To: References: Message-ID: Hi Everybody, I did some work related to promoting FreeIPA in the Ubuntu world. The main focus, as I said previously, was to get FreeIPA packages for Ubuntu. (Main ones being SSSD and freeipa-client) Some [needs-packaging] bugs were created: * FreeIPA: https://bugs.launchpad.net/ubuntu/+bug/259547 * SSSD: https://bugs.launchpad.net/ubuntu/+bug/369744 Some compilation problems bugs also: * tevent: https://bugs.launchpad.net/ubuntu/+source/samba4/+bug/372399 * ldb: https://bugs.launchpad.net/ubuntu/+source/samba4/+bug/372405 A FreeIPA team and project for packaging were also set up: * Team: https://launchpad.net/~freeipa * Project: http://launchpad.net/freeipa ... with some related resources: * Package Archive: https://launchpad.net/~freeipa/+archive/ppa * Mailing List: freeipa at lists.launchpad.net * Blueprints: https://blueprints.launchpad.net/~freeipa Next thing I'll probably try will be packaging the samba 4 libs and retry packaging SSSD on top of them. I hope that this is not Off-Topic, and at the same time, this can be helpful to the project. Best regards, M* P.S.: Sorry if I'm giving you a bit of an "ubuntu overdose", but please understand, that right now I'm working with it. :-) From jderose at redhat.com Mon May 11 09:00:44 2009 
From: jderose at redhat.com (Jason Gerard DeRose) Date: Mon, 11 May 2009 03:00:44 -0600 Subject: [Freeipa-devel] [PATCH] jderose 005 improve Env in-tree behaviour Message-ID: <1242032444.17521.22.camel@jgd-dsk> Breakage warning: this patch renames the api.env 'conf_dir' variable to 'confdir'. greppin' through the tree showed that this var wasn't being used by any of the built-in plugins, but 3rd party plugins should take note. This patch does some cleanup with regard to how the automagic Env variables are generated when in-tree vs. when installed. It: * Correctly forces the xmlrpc tests to run with in_tree=True so config files possibly installed in /etc/ipa/ aren't read, can't break the test. On my VM this was causing the test to run against the installed IPA mod_python server rather than the in-tree lite-xmlrpc.py script. * Fixes Env._finalize_core() and Env._finalize() unit tests so they run with in_tree=True so possible files in /etc/ipa/ don't cause problems. * Renames env.conf_dir to env.confdir. env.conf now defaults to /.conf * Adds env.logdir variable. env.log now defaults to /.log * Does some other misc. Env cleanup. -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-jderose-005-improve-Env-in-tree-behaviour.patch Type: text/x-patch Size: 17706 bytes Desc: not available URL: From jhrozek at redhat.com Mon May 11 09:23:39 2009 
From: jhrozek at redhat.com (Jakub Hrozek) Date: Mon, 11 May 2009 11:23:39 +0200 Subject: [Freeipa-devel] [PATCH] Manpages generation Message-ID: <1242033819.24047.20.camel@zeppelin.englab.brq.redhat.com> The attached patch provides a set of make rules for generating UNIX manual pages from DocBook 4.5 source as well as sample manpage for sss_useradd. Automatic generation of manual pages during "make" process is tunable with config parameter "--with-manpages". To rebuild the man pages separately, use the "make doc" target. Before building, the manpages are validated using a DTD schema. Jakub -------------- next part -------------- A non-text attachment was scrubbed... Name: 0001-Manpage-generation.patch Type: text/x-patch Size: 12501 bytes Desc: not available URL: From sgallagh at redhat.com Mon May 11 11:46:02 2009 
From: sgallagh at redhat.com (Stephen Gallagher)
Date: Mon, 11 May 2009 07:46:02 -0400
Subject: [Freeipa-devel] FreeIPA for Ubuntu, actions taken in Launchpad.
In-Reply-To:
References:
Message-ID: <4A080FFA.8080101@redhat.com>

On 05/11/2009 03:42 AM, Miguel P.C. wrote:
> Hi Everybody,
>
> I did some work related to promoting FreeIPA in the Ubuntu world.
>
> The main focus, as I said previously, was to get FreeIPA packages for Ubuntu.
> (Main ones being SSSD and freeipa-client)
>
> Some [needs-packaging] bugs were created:
> * FreeIPA: https://bugs.launchpad.net/ubuntu/+bug/259547
> * SSSD: https://bugs.launchpad.net/ubuntu/+bug/369744
>
> Some compilation problems bugs also:
> * tevent: https://bugs.launchpad.net/ubuntu/+source/samba4/+bug/372399
> * ldb: https://bugs.launchpad.net/ubuntu/+source/samba4/+bug/372405
>
> A FreeIPA team and project for packaging were also set up:
> * Team: https://launchpad.net/~freeipa
> * Project: http://launchpad.net/freeipa
>
> ... with some related resources:
> * Package Archive: https://launchpad.net/~freeipa/+archive/ppa
> * Mailing List: freeipa at lists.launchpad.net
> * Blueprints: https://blueprints.launchpad.net/~freeipa
>
> Next thing I'll probably try will be packaging the samba 4 libs and
> retry packaging SSSD on top of them.
>
> I hope that this is not Off-Topic, and at the same time, this can be
> helpful to the project.
>
> Best regards,
>
> M*
>
> P.S.: Sorry if I'm giving you a bit of an "ubuntu overdose", but
> please understand, that right now I'm working with it. :-)
>
> _______________________________________________
> Freeipa-devel mailing list
> Freeipa-devel at redhat.com
> https://www.redhat.com/mailman/listinfo/freeipa-devel

Miguel, this is absolutely not off-topic. We're very glad to have your
involvement in the project. We want SSSD supported on every platform
that will have us.

We sincerely appreciate your keeping us up to date on your progress.

--
Stephen Gallagher
RHCE 804006346421761

Looking to carve out IT costs?
www.redhat.com/carveoutcosts/
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 3258 bytes
Desc: S/MIME Cryptographic Signature
URL:

From mpcolino at gmail.com Mon May 11 13:18:11 2009
From: mpcolino at gmail.com (Miguel P.C.)
Date: Mon, 11 May 2009 15:18:11 +0200
Subject: [Freeipa-devel] FreeIPA for Ubuntu, actions taken in Launchpad.
In-Reply-To: <4A080FFA.8080101@redhat.com>
References: <4A080FFA.8080101@redhat.com>
Message-ID:

Hi Steven,

[... snip ...]
> Miguel, this is absolutely not off-topic. We're very glad to have your
> involvement in the project. We want SSSD supported on every platform
> that will have us.
>
> We sincerely appreciate your keeping us up to date on your progress.
[... snip ...]

Thank you very much, Steven.
I'll try to keep the list informed.

M*

From sgallagh at redhat.com Mon May 11 14:05:10 2009
From: sgallagh at redhat.com (Stephen Gallagher)
Date: Mon, 11 May 2009 10:05:10 -0400
Subject: [Freeipa-devel] [PATCH][SSSD] Update configure tests for LDB and POPT
Message-ID: <4A083096.6080307@redhat.com>

We need to ensure that configure fails if the popt libraries aren't
present or if LDB module support is unavailable.

--
Stephen Gallagher
RHCE 804006346421761

Looking to carve out IT costs?
www.redhat.com/carveoutcosts/
-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: 0001-Update-configure-rules-for-LDB-and-POPT.patch
URL:
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 3258 bytes
Desc: S/MIME Cryptographic Signature
URL:

From pzuna at redhat.com Mon May 11 14:56:16 2009
From: pzuna at redhat.com (Pavel Zuna)
Date: Mon, 11 May 2009 16:56:16 +0200
Subject: [Freeipa-devel] [PATCH] Add group plugin port to new LDAP backend.
In-Reply-To: <49F9E524.7040804@redhat.com>
References: <49F9B183.5090902@redhat.com> <49F9B10E.4060209@redhat.com> <49F9B8E8.1010403@redhat.com> <49F9E524.7040804@redhat.com>
Message-ID: <4A083C90.40104@redhat.com>

Rob Crittenden wrote:
> Pavel Zuna wrote:
>> Rob Crittenden wrote:
>>> Pavel Zuna wrote:
>>>> By the way, there's a little bug I discovered while testing this
>>>> plugin. It affects the old group plugin as well. When trying to
>>>> modify a group into a posixGroup, gidNumber doesn't get generated
>>>> automatically resulting in a object violation LDAP error. Solution
>>>> is to generate it ourselves, but I didn't know how it works, so I
>>>> commented that part out for now. (/FIXME in vim)
>>>>
>>>
>>> This should be fixed in FDS 1.2. Can you update and give it a try?
>>>
>>> rob
>> Sure, just updated and you're right, it works. :)
>> Updated patch attached.
>>
>> Pavel
>
> nack. This won't handle someone using group-mod to set a specific
> gidnumber. The posixGroup objectclass won't be added.
>
> rob

Fixed patch attached.

Pavel
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0001-Add-group-plugin-port-to-new-LDAP-backend.patch
Type: application/mbox
Size: 23066 bytes
Desc: not available
URL:

From pzuna at redhat.com Mon May 11 14:57:59 2009
From: pzuna at redhat.com (Pavel Zuna)
Date: Mon, 11 May 2009 16:57:59 +0200
Subject: [Freeipa-devel] [PATCH] 199 convert uidnumber to string
In-Reply-To: <4A02DF22.8030000@redhat.com>
References: <49FF50A1.4030409@redhat.com> <1241570537.5091.20.camel@jgd-dsk> <4A01773C.2020406@redhat.com> <1241676015.5263.11.camel@jgd-dsk> <4A02DF22.8030000@redhat.com>
Message-ID: <4A083CF7.2020209@redhat.com>

Rob Crittenden wrote:
> Jason Gerard DeRose wrote:
>> On Wed, 2009-05-06 at 07:40 -0400, Rob Crittenden wrote:
>>> Jason Gerard DeRose wrote:
>>>> On Mon, 2009-05-04 at 16:31 -0400, Rob Crittenden wrote:
>>>>> We need to convert the uidnumber to a string when adding/modifying
>>>>> users to avoid a type error on the LDAP side.
>>>>>
>>>>> Pavel, I'm not sure whether this is handled automagically or not in
>>>>> your version of the plugin.
>>>>>
>>>>> rob
>>>> ack.
>>>>
>>>> This is fine as a stop gap, but we really need a better solution in the
>>>> long run.
>>>>
>>>> So the UID is always in integer, correct? Do all LDAP "types" need to
>>>> be sent as strings, or is this just a case where we are using a more
>>>> restrictive type in IPA than the attribute in LDAP?
>>>>
>>> Pavel is working on some smarter schema handling in the new LDAP
>>> plugin. I think that will handle the type conversions for us.
>>>
>>> rob
>>
>> Still confused about the LDAP type, though: so is there such a thing as
>> an LDAP integer type? Why exactly are we converting to a string
>> representation of the integer?
>>
>
> We're converting because python-ldap blew up, reporting an incorrect
> type with the uid. Converting to a string makes it work.
>
> rob

python-ldap requires all attribute values to be strings.
The conversion was done automatically by args_options_2_entry Command
method, but:
1) plugins that were written prior to its introduction are not using it
2) it blows up for unicode strings composed of non-ASCII characters
   (although this problem isn't specific to this method only)

There is an integer type in LDAP or more precisely an integer SYNTAX, but
integers are still stored as text. As pointed out by Simo (iirc) they have
a practically unlimited range, so we can't use the python int type when
retrieving them back. (Well, we can in most cases, but it shouldn't be done
automatically.)

The new LDAP backend accepts any python type and makes its own safe
conversions based on the schema.

Pavel

From sgallagh at redhat.com Mon May 11 15:17:32 2009
From: sgallagh at redhat.com (Stephen Gallagher)
Date: Mon, 11 May 2009 11:17:32 -0400
Subject: [Freeipa-devel] [PATCH][SSSD] Separate confdb API from setup
Message-ID: <4A08418C.3020402@redhat.com>

Refactoring the confdb to pull the setup code into its own .c file that
can be linked only to those programs like the Monitor that need it. This
removes the dependency on ini_config and collection from all other
processes that talk to the confdb.

--
Stephen Gallagher
RHCE 804006346421761

Looking to carve out IT costs?
www.redhat.com/carveoutcosts/
-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: 0001-Separate-confdb-API-from-confdb-setup.patch
URL:
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 3258 bytes
Desc: S/MIME Cryptographic Signature
URL:

From jhrozek at redhat.com Mon May 11 16:43:35 2009
From: jhrozek at redhat.com (Jakub Hrozek)
Date: Mon, 11 May 2009 18:43:35 +0200
Subject: [Freeipa-devel] [PATCH] Check for valid ID ranges and ID overlaps between domains
In-Reply-To: <1241527435.29148.185.camel@localhost.localdomain>
References: <1241525394.26178.37.camel@zeppelin.englab.brq.redhat.com> <1241527435.29148.185.camel@localhost.localdomain>
Message-ID: <1242060215.3365.25.camel@zeppelin.englab.brq.redhat.com>

On Tue, 2009-05-05 at 08:43 -0400, Simo Sorce wrote:
>
> nack
>
> We do not require to always set id ranges, they are optional and more a
> filter than anything else.
> At most overlapping ranges should give a warning, and absence of ranges
> in a domain is fine too.

OK, a new incarnation of the patch that just prints a DEBUG(1, ..) is
attached.

>
> Second I don't get the utility of the double while loop in that
> function, what's for ?

Since the domain limits are pretty arbitrary and not sorted in any way,
it compares the first domain with all others starting with the next
(=second), then second domain with all others starting with the next
(=third), ..

I think that adds up to (n^2)/2 cycles for n domains.

Jakub
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0001-Check-for-valid-ID-range-domains-overlap.patch
Type: text/x-patch
Size: 1936 bytes
Desc: not available
URL:

From sgallagh at redhat.com Mon May 11 17:23:46 2009
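The pairwise comparison Jakub describes above, written out as an added example (not code from the attached patch or from SSSD). The `struct domain` type, its `has_range` flag, the function names and the sample domains are assumptions of this example; it counts a malformed range as an error and an overlap only as a warning, since two domains with overlapping ranges can map the same numeric ID to different users.

```c
#include <stdio.h>
#include <stdint.h>
#include <stddef.h>

/* Hypothetical stand-in for one configured domain (not SSSD's own struct). */
struct domain {
    const char *name;
    int has_range;        /* ranges are optional: 0 means no filter is set */
    int64_t id_min;
    int64_t id_max;
    struct domain *next;
};

struct check_result {
    int invalid;          /* domains whose configured range is malformed */
    int overlaps;         /* pairs of domains whose ranges intersect */
    int comparisons;      /* pairs examined: n*(n-1)/2 for n domains */
};

/* A missing range is fine; a configured one must be non-negative and ordered. */
static int range_is_valid(const struct domain *d)
{
    if (!d->has_range) return 1;
    return d->id_min >= 0 && d->id_max >= 0 && d->id_min < d->id_max;
}

/* Two closed intervals intersect when each starts before the other ends. */
static int ranges_overlap(const struct domain *a, const struct domain *b)
{
    if (!a->has_range || !b->has_range) return 0;
    return a->id_min <= b->id_max && b->id_min <= a->id_max;
}

struct check_result check_domains(const struct domain *head)
{
    struct check_result res = { 0, 0, 0 };
    const struct domain *dom, *other;

    /* Pass 1: malformed ranges are errors; stop before comparing them. */
    for (dom = head; dom != NULL; dom = dom->next) {
        if (!range_is_valid(dom)) {
            fprintf(stderr, "ERROR: domain %s has invalid ID range %lld-%lld\n",
                    dom->name, (long long)dom->id_min, (long long)dom->id_max);
            res.invalid++;
        }
    }
    if (res.invalid > 0) return res;

    /* Pass 2: the list is unsorted, so compare each domain with every later one. */
    for (dom = head; dom != NULL; dom = dom->next) {
        for (other = dom->next; other != NULL; other = other->next) {
            res.comparisons++;
            if (ranges_overlap(dom, other)) {
                fprintf(stderr, "WARNING: ID ranges of %s and %s overlap\n",
                        dom->name, other->name);
                res.overlaps++;
            }
        }
    }
    return res;
}

/* Constructed sample configurations, linked into lists at run time. */
static struct domain sample[] = {
    { "LOCAL", 1, 1000, 1999, NULL },
    { "LDAP",  1, 2000, 2999, NULL },
    { "AD",    1, 2500, 3500, NULL },   /* intersects LDAP at 2500-2999 */
    { "FILES", 0, 0, 0, NULL },         /* no range configured */
};
static struct domain bad_sample[] = {
    { "LOCAL",  1, 1000, 1999, NULL },
    { "BROKEN", 1, 5000, 4000, NULL },  /* id_min >= id_max */
};

static const struct domain *link_domains(struct domain *d, size_t n)
{
    size_t i;
    for (i = 0; i < n; i++) d[i].next = (i + 1 < n) ? &d[i + 1] : NULL;
    return n ? d : NULL;
}

struct check_result check_sample(void)
{
    return check_domains(link_domains(sample, sizeof(sample) / sizeof(sample[0])));
}

struct check_result check_bad_sample(void)
{
    return check_domains(link_domains(bad_sample,
                                      sizeof(bad_sample) / sizeof(bad_sample[0])));
}

int main(void)
{
    struct check_result ok = check_sample();
    struct check_result bad = check_bad_sample();
    printf("sample: %d comparisons, %d overlaps\n", ok.comparisons, ok.overlaps);
    printf("bad sample: %d invalid ranges\n", bad.invalid);
    return (ok.overlaps == 1 && bad.invalid == 1) ? 0 : 1;
}
```
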
From: sgallagh at redhat.com (Stephen Gallagher)
Date: Mon, 11 May 2009 13:23:46 -0400
Subject: [Freeipa-devel] [PATCH] Check for valid ID ranges and ID overlaps between domains
In-Reply-To: <1242060215.3365.25.camel@zeppelin.englab.brq.redhat.com>
References: <1241525394.26178.37.camel@zeppelin.englab.brq.redhat.com> <1241527435.29148.185.camel@localhost.localdomain> <1242060215.3365.25.camel@zeppelin.englab.brq.redhat.com>
Message-ID: <4A085F22.8090802@redhat.com>

On 05/11/2009 12:43 PM, Jakub Hrozek wrote:
> On Tue, 2009-05-05 at 08:43 -0400, Simo Sorce wrote:
>> nack
>>
>> We do not require to always set id ranges, they are optional and more a
>> filter than anything else.
>> At most overlapping ranges should give a warning, and absence of ranges
>> in a domain is fine too.
>
> OK, a new incarnation of the patch that just prints a DEBUG(1, ..) is
> attached.
>
>> Second I don't get the utility of the double while loop in that
>> function, what's for ?
>
> Since the domain limits are pretty arbitrary and not sorted in any way,
> compares the first domain with all others starting with the next
> (=second), then second domain with all others starting with the next
> (=third), ..
>
> I think that adds up to (n^2)/2 cycles for n domains.
>
> Jakub
>
>
> ------------------------------------------------------------------------
>
> _______________________________________________
> Freeipa-devel mailing list
> Freeipa-devel at redhat.com
> https://www.redhat.com/mailman/listinfo/freeipa-devel

Nack.

If a domain has an invalid range specified, it should be an error, not a
warning. (e.g. id_min >= id_max, id_min or id_max < 0, etc.)

Also, I'd prefer if you used a variable name other than "first" for the
outer loop. It gives the impression that you're always comparing against
the first domain in the list.

--
Stephen Gallagher
RHCE 804006346421761

Looking to carve out IT costs?
www.redhat.com/carveoutcosts/
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 3258 bytes
Desc: S/MIME Cryptographic Signature
URL:

From sbose at redhat.com Mon May 11 17:56:38 2009
From: sbose at redhat.com (Sumit Bose)
Date: Mon, 11 May 2009 19:56:38 +0200
Subject: [Freeipa-devel] [PATCH][SSSD] Separate confdb API from setup
In-Reply-To: <4A08418C.3020402@redhat.com>
References: <4A08418C.3020402@redhat.com>
Message-ID: <4A0866D6.4000500@redhat.com>

Stephen Gallagher wrote:
> Refactoring the confdb to pull the setup code into its own .c file that
> can be linked only to those programs like the Monitor that need it. This
> removes the dependency on ini_config and collection from all other
> processes that talk to the confdb.
>
>

ACK, with fix to "confdb/confdb_setup.c:84: warning: implicit
declaration of function 'sysdb_error_to_errno'"

bye,
Sumit

From sgallagh at redhat.com Mon May 11 18:20:40 2009
From: sgallagh at redhat.com (Stephen Gallagher)
Date: Mon, 11 May 2009 14:20:40 -0400
Subject: [Freeipa-devel] [PATCH][SSSD] Separate confdb API from setup
In-Reply-To: <4A0866D6.4000500@redhat.com>
References: <4A08418C.3020402@redhat.com> <4A0866D6.4000500@redhat.com>
Message-ID: <4A086C78.6090506@redhat.com>

On 05/11/2009 01:56 PM, Sumit Bose wrote:
> Stephen Gallagher wrote:
>> Refactoring the confdb to pull the setup code into its own .c file that
>> can be linked only to those programs like the Monitor that need it. This
>> removes the dependency on ini_config and collection from all other
>> processes that talk to the confdb.
>>
>>
> ACK, with fix to "confdb/confdb_setup.c:84: warning: implicit
> declaration of function 'sysdb_error_to_errno'"
>
> bye,
> Sumit

Added missing #include "db/sysdb.h" and pushed to master.

--
Stephen Gallagher
RHCE 804006346421761

Looking to carve out IT costs?
www.redhat.com/carveoutcosts/
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 3258 bytes
Desc: S/MIME Cryptographic Signature
URL:

From sgallagh at redhat.com Mon May 11 18:43:34 2009
From: sgallagh at redhat.com (Stephen Gallagher)
Date: Mon, 11 May 2009 14:43:34 -0400
Subject: [Freeipa-devel] [PATCH][SSSD] Clean up warnings in monitor.c
Message-ID: <4A0871D6.3090005@redhat.com>

GCC 4.4.0 reveals more warnings than previous versions.

Clean up function prototype, return without value and pointer signedness
warnings.

--
Stephen Gallagher
RHCE 804006346421761

Looking to carve out IT costs?
www.redhat.com/carveoutcosts/
-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: 0001-Fix-warnings-in-monitor.c.patch
URL:
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 3258 bytes
Desc: S/MIME Cryptographic Signature
URL:

From sgallagh at redhat.com Mon May 11 19:12:05 2009
From: sgallagh at redhat.com (Stephen Gallagher)
Date: Mon, 11 May 2009 15:12:05 -0400
Subject: [Freeipa-devel] [PATCH][SSSD] Clean up warnings in monitor.c
In-Reply-To: <4A0871D6.3090005@redhat.com>
References: <4A0871D6.3090005@redhat.com>
Message-ID: <4A087885.1070405@redhat.com>

Updated patch, also cleaning up warning in confdb.c

On 05/11/2009 02:43 PM, Stephen Gallagher wrote:
> GCC 4.4.0 reveals more warnings than previous versions.
>
> Clean up function prototype, return without value and pointer signedness
> warnings.
>
>
>
> ------------------------------------------------------------------------
>
> _______________________________________________
> Freeipa-devel mailing list
> Freeipa-devel at redhat.com
> https://www.redhat.com/mailman/listinfo/freeipa-devel

--
Stephen Gallagher
RHCE 804006346421761

Looking to carve out IT costs?
www.redhat.com/carveoutcosts/
-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: 0001-Fix-warnings-in-monitor.c-and-confdb.c.patch
URL:
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 3258 bytes
Desc: S/MIME Cryptographic Signature
URL:

From rcritten at redhat.com Mon May 11 19:37:51 2009
From: rcritten at redhat.com (Rob Crittenden)
Date: Mon, 11 May 2009 15:37:51 -0400
Subject: [Freeipa-devel] [PATCH] jderose 004 make srpms
In-Reply-To: <1241733802.7650.25.camel@jgd-dsk>
References: <1241733802.7650.25.camel@jgd-dsk>
Message-ID: <4A087E8F.3000303@redhat.com>

Jason Gerard DeRose wrote:
> This is actually Rob's patch that adds a `make srpms` target. I tested
> it and it seems to work fine.
>
>

ack, pushed to master
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/x-pkcs7-signature
Size: 3245 bytes
Desc: S/MIME Cryptographic Signature
URL:

From rcritten at redhat.com Mon May 11 20:21:16 2009
From: rcritten at redhat.com (Rob Crittenden)
Date: Mon, 11 May 2009 16:21:16 -0400
Subject: [Freeipa-devel] [PATCH] jderose 005 improve Env in-tree behaviour
In-Reply-To: <1242032444.17521.22.camel@jgd-dsk>
References: <1242032444.17521.22.camel@jgd-dsk>
Message-ID: <4A0888BC.4090102@redhat.com>

Jason Gerard DeRose wrote:
> Breakage warning: this patch renames the api.env 'conf_dir' variable to
> 'confdir'. greppin' through the tree showed that this var wasn't being
> used by any of the built-in plugins, but 3rd party plugins should take
> note.
>
> This patch does some cleanup with regard to how the automagic Env
> variables are generated when in-tree vs. when installed. It:
>
> * Correctly forces the xmlrpc tests to run with in_tree=True so config
> files possibly installed in /etc/ipa/ aren't read, can't break the
> test. On my VM this was causing the test to run against the
> installed IPA mod_python server rather than the in-tree
> lite-xmlrpc.py script.
>
> * Fixes Env._finalize_core() and Env._finalize() unit tests so they run
> with in_tree=True so possible files in /etc/ipa/ don't cause problems.
>
> * Renames env.conf_dir to env.confdir. env.conf now defaults to
> /.conf
>
> * Adds env.logdir variable. env.log now defaults to /.log
>
> * Does some other misc. Env cleanup.
>

ack and pushed to master
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/x-pkcs7-signature
Size: 3245 bytes
Desc: S/MIME Cryptographic Signature
URL:

From rcritten at redhat.com Mon May 11 20:36:20 2009
From: rcritten at redhat.com (Rob Crittenden)
Date: Mon, 11 May 2009 16:36:20 -0400
Subject: [Freeipa-devel] [PATCH] 210 drop binary subtype
Message-ID: <4A088C44.6010809@redhat.com>

Rich M of the 389 team tells me that the ;binary subtype is not required
for the userCertificate attribute so I'm dropping it.

rob
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-210-binary.patch
Type: application/mbox
Size: 953 bytes
Desc: not available
URL:
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/x-pkcs7-signature
Size: 3245 bytes
Desc: S/MIME Cryptographic Signature
URL:

From rcritten at redhat.com Mon May 11 20:38:18 2009
From: rcritten at redhat.com (Rob Crittenden)
Date: Mon, 11 May 2009 16:38:18 -0400
Subject: [Freeipa-devel] [PATCH] 211 fix a comment and a couple of typos
Message-ID: <4A088CBA.9070006@redhat.com>

A couple of cosmetic fixes.

rob
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-211-typo.patch
Type: application/mbox
Size: 1719 bytes
Desc: not available
URL:
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/x-pkcs7-signature
Size: 3245 bytes
Desc: S/MIME Cryptographic Signature
URL:

From jderose at redhat.com Mon May 11 22:41:06 2009
From: jderose at redhat.com (Jason Gerard DeRose)
Date: Mon, 11 May 2009 16:41:06 -0600
Subject: [Freeipa-devel] [PATCH] add NIS support
In-Reply-To: <4A02FFBB.8020309@redhat.com>
References: <4A02F5E2.1020707@redhat.com> <4A02FBCA.9030504@redhat.com> <4A02FFBB.8020309@redhat.com>
Message-ID: <1242081666.6546.11.camel@jgd-dsk>

On Thu, 2009-05-07 at 11:35 -0400, Rob Crittenden wrote:
> yi zhang wrote:
> > Rob Crittenden wrote:
> >> Add tool to enable the slapi-nis NIS plugin. This is a DS plugin that
> >> acts as a basic NIS server.
> >>
> >> rob

ack. I don't understand all the details, but "Rob did it, so it must be
right!". To the extent that I understand this patch, I reviewed it and
things look fine.

I couldn't install IPA after I built the rpms because I got a "Missing
Dependency: slapi-nis >= 0.14" under Fedora 10. Is this package
build-able under Fedora 10, or do I need to test this under Fedora 11?

Anyway, it seems we need to get this committed to move forward.

> >> ------------------------------------------------------------------------
> >>
> >> _______________________________________________
> >> Freeipa-devel mailing list
> >> Freeipa-devel at redhat.com
> >> https://www.redhat.com/mailman/listinfo/freeipa-devel
> > Rob:
> > Can we have a little bit more info? such as when the patch would be in
> > daily build, and how to use it?
> >
>
> The patch needs to be reviewed before it may be committed. That process
> is not predictable.
>
> To enable/disable the plugin use the ipa-nis-manage command. The DS will
> need to be restarted for the change to take effect.
>
> I'm just configuring passwd, group and netgroup currently though the
> plugin defines a slew of default maps.
>
> Also note that netgroup is available but not populated yet. That will
> come in a future patch.
>
> I tested with:
>
> % ypcat -h ipaserver.example.com -d example.com passwd
>
> rob
> _______________________________________________
> Freeipa-devel mailing list
> Freeipa-devel at redhat.com
> https://www.redhat.com/mailman/listinfo/freeipa-devel

From jderose at redhat.com Mon May 11 22:52:09 2009
From: jderose at redhat.com (Jason Gerard DeRose)
Date: Mon, 11 May 2009 16:52:09 -0600
Subject: [Freeipa-devel] [PATCH] 206 enhanced NotFound exception
In-Reply-To: <4A044CE2.5070404@redhat.com>
References: <4A044CE2.5070404@redhat.com>
Message-ID: <1242082329.6546.12.camel@jgd-dsk>

On Fri, 2009-05-08 at 11:16 -0400, Rob Crittenden wrote:
> Add a reason message to the NotFound exception so we can better report
> *what* was not found.
>
> rob

ack.

From jderose at redhat.com Mon May 11 22:58:37 2009
From: jderose at redhat.com (Jason Gerard DeRose)
Date: Mon, 11 May 2009 16:58:37 -0600
Subject: [Freeipa-devel] [PATCH] improve cert revocation_reason argument
In-Reply-To: <4A0475FA.1080309@redhat.com>
References: <4A0475FA.1080309@redhat.com>
Message-ID: <1242082717.6546.17.camel@jgd-dsk>

On Fri, 2009-05-08 at 14:12 -0400, Rob Crittenden wrote:
> Add a min/max range and some documentation on the revocation_reason
> argument. I think it would be a bit much to iterate all the reasons for
> revocation here so I didn't include that.
>
> rob

ack. As mentioned in this thread, we need to come up with a better way
to make this self-documented on the CLI (well, and on the UI), but this
is at least a start.

We need these Enums to be able to be defined with a list of (value,
description) pairs... which raises a question: do we want to translate
these descriptions? My opinion is yes, at least when presented via the
Web UI, but probably when presented via the CLI also.

From jderose at redhat.com Mon May 11 23:04:48 2009
From: jderose at redhat.com (Jason Gerard DeRose)
Date: Mon, 11 May 2009 17:04:48 -0600
Subject: [Freeipa-devel] [PATCH] 208 tighten integration of hosts and services
In-Reply-To: <4A04A7E7.6060106@redhat.com>
References: <4A04773D.4080803@redhat.com> <1241811574.10366.159.camel@localhost.localdomain> <4A048CE6.1040902@redhat.com> <1241813661.10366.162.camel@localhost.localdomain> <4A04A32C.6010100@redhat.com> <4A04A7E7.6060106@redhat.com>
Message-ID: <1242083088.6546.18.camel@jgd-dsk>

On Fri, 2009-05-08 at 17:45 -0400, Rob Crittenden wrote:
> Rob Crittenden wrote:
> > Simo Sorce wrote:
> >> On Fri, 2009-05-08 at 15:49 -0400, Rob Crittenden wrote:
> >>> Simo Sorce wrote:
> >>>> On Fri, 2009-05-08 at 14:17 -0400, Rob Crittenden wrote:
> >>>>> This patch more tightly couples services and hosts:
> >>>>>
> >>>>> - A host is required in order to create a service.
> >>>> nack, assuming I understand what this mean :)
> >>>> I think we need to be able to give out service keytabs and certificates
> >>>> to non-enrolled hosts for a long time.
> >>>> I am not sure it is a good idea to force someone to create a fake host
> >>>> just to get a keytab/certificate.
> >>> Define fake host. This doesn't force them to do an enrollment, just
> >>> to create a host entry ala: ipa host-add foo.example.com.
> >>
> >> Yes this is what I mean by fake host, and the problem is that you will
> >> have host entries that are not enrolled.
> >> It is a problem for reporting, it is also a problem for running things
> >> like finding dead hosts.
> >> I'd prefer not to have fake hosts if at all possible, it causes problems
> >> in other areas.
> >>
> >> Simo.
> >
> > Ok, but I think fake is the wrong word to use for them. Unenrolled is
> > more precise.
>
> Attached is a revised patch. Simo already acked these pieces so I'll
> push this to master.

For what it's worth, ack. ;)

From jderose at redhat.com Mon May 11 23:07:09 2009
From: jderose at redhat.com (Jason Gerard DeRose)
Date: Mon, 11 May 2009 17:07:09 -0600
Subject: [Freeipa-devel] [PATCH] 210 drop binary subtype
In-Reply-To: <4A088C44.6010809@redhat.com>
References: <4A088C44.6010809@redhat.com>
Message-ID: <1242083229.6546.19.camel@jgd-dsk>

On Mon, 2009-05-11 at 16:36 -0400, Rob Crittenden wrote:
> Rich M of the 389 team tells me that the ;binary subtype is not required
> for the userCertificate attribute so I'm dropping it.
>
> rob

ack.

From sbose at redhat.com Tue May 12 06:38:17 2009
From: sbose at redhat.com (Sumit Bose)
Date: Tue, 12 May 2009 08:38:17 +0200
Subject: [Freeipa-devel] [PATCH][SSSD] Clean up warnings in monitor.c
In-Reply-To: <4A087885.1070405@redhat.com>
References: <4A0871D6.3090005@redhat.com> <4A087885.1070405@redhat.com>
Message-ID: <4A091959.3050700@redhat.com>

Stephen Gallagher wrote:
> Updated patch, also cleaning up warning in confdb.c
>
> On 05/11/2009 02:43 PM, Stephen Gallagher wrote:
>> GCC 4.4.0 reveals more warnings than previous versions.
>>
>> Clean up function prototype, return without value and pointer signedness
>> warnings.
>>

All changes make sense to me. Wouldn't it be nicer to have
"opt_config_file = talloc_strdup(NULL, CONFDB_DEFAULT_CONFIG_FILE);"
after server_setup? Then you can use main_ctx and do not have to create
a top level context for opt_config_file.

bye,
Sumit

From sbose at redhat.com Tue May 12 08:14:03 2009
From: sbose at redhat.com (Sumit Bose)
Date: Tue, 12 May 2009 10:14:03 +0200
Subject: [Freeipa-devel] [PATCH] added more flexible handling of client protocol
Message-ID: <4A092FCB.30507@redhat.com>

Hi,

this is the combined version of the two previous patches concerning the
version of the client protocol. Additionally it saves the current version
in the client context of the responder and introduces a static array which
holds the version number together with a data and a description.

bye,
Sumit
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0001-added-more-flexible-handling-of-client-protocol.patch
Type: text/x-patch
Size: 7482 bytes
Desc: not available
URL:

From sgallagh at redhat.com Tue May 12 12:33:18 2009
From: sgallagh at redhat.com (Stephen Gallagher)
Date: Tue, 12 May 2009 08:33:18 -0400
Subject: [Freeipa-devel] [PATCH][SSSD] Clean up warnings in monitor.c
In-Reply-To: <4A091959.3050700@redhat.com>
References: <4A0871D6.3090005@redhat.com> <4A087885.1070405@redhat.com> <4A091959.3050700@redhat.com>
Message-ID: <4A096C8E.9010404@redhat.com>

On 05/12/2009 02:38 AM, Sumit Bose wrote:
> Stephen Gallagher wrote:
>> Updated patch, also cleaning up warning in confdb.c
>>
>> On 05/11/2009 02:43 PM, Stephen Gallagher wrote:
>>> GCC 4.4.0 reveals more warnings than previous versions.
>>>
>>> Clean up function prototype, return without value and pointer signedness
>>> warnings.
>>>
>
> All changes make sense to me. Wouldn't it be nicer to have
> "opt_config_file = talloc_strdup(NULL, CONFDB_DEFAULT_CONFIG_FILE);"
> after server_setup? Then you can use main_ctx and do not have to create
> a top level context for opt_config_file.
>
> bye,
> Sumit

I'd rather not have it be a child of the server_setup, actually.
Valgrind can't tell if it's lost at that point. However, I have modified
the code so that it's explicitly talloc_free()-ed immediately after
monitor configuration. I checked to make sure that it was
talloc_strdup()-ed into the confdb_file_ctx inside, so it's safe to
remove it.

Please see the new patch.

--
Stephen Gallagher
RHCE 804006346421761

Looking to carve out IT costs?
www.redhat.com/carveoutcosts/
-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: 0001-Fix-warnings-in-monitor.c-and-confdb.c.patch
URL:
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 3258 bytes
Desc: S/MIME Cryptographic Signature
URL:

From sgallagh at redhat.com Tue May 12 13:05:56 2009
From: sgallagh at redhat.com (Stephen Gallagher)
Date: Tue, 12 May 2009 09:05:56 -0400
Subject: [Freeipa-devel] [PATCH][SSSD] Clean up warnings in monitor.c
In-Reply-To: <4A096C8E.9010404@redhat.com>
References: <4A0871D6.3090005@redhat.com> <4A087885.1070405@redhat.com> <4A091959.3050700@redhat.com> <4A096C8E.9010404@redhat.com>
Message-ID: <4A097434.9080905@redhat.com>

On 05/12/2009 08:33 AM, Stephen Gallagher wrote:
> On 05/12/2009 02:38 AM, Sumit Bose wrote:
>> Stephen Gallagher wrote:
>>> Updated patch, also cleaning up warning in confdb.c
>>>
>>> On 05/11/2009 02:43 PM, Stephen Gallagher wrote:
>>>> GCC 4.4.0 reveals more warnings than previous versions.
>>>>
>>>> Clean up function prototype, return without value and pointer signedness
>>>> warnings.
>>>>
>> All changes make sense to me. Wouldn't it be nicer to have
>> "opt_config_file = talloc_strdup(NULL, CONFDB_DEFAULT_CONFIG_FILE);"
>> after server_setup? Then you can use main_ctx and do not have to create
>> a top level context for opt_config_file.
>>
>> bye,
>> Sumit
>
> I'd rather not have it be a child of the server_setup, actually.
> Valgrind can't tell if it's lost at that point. However, I have modified
> the code so that it's explicitly talloc_free()-ed immediately after
> monitor configuration. I checked to make sure that it was
> talloc_strdup()-ed into the confdb_file_ctx inside, so it's safe to
> remove it.
>
> Please see the new patch.
>
>
>
> ------------------------------------------------------------------------
>
> _______________________________________________
> Freeipa-devel mailing list
> Freeipa-devel at redhat.com
> https://www.redhat.com/mailman/listinfo/freeipa-devel

One more update from review request in IRC.

Move the 'return 6' after the if-else

--
Stephen Gallagher
RHCE 804006346421761

Looking to carve out IT costs?
www.redhat.com/carveoutcosts/
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 3258 bytes
Desc: S/MIME Cryptographic Signature
URL:

From sgallagh at redhat.com Tue May 12 13:06:22 2009
From: sgallagh at redhat.com (Stephen Gallagher)
Date: Tue, 12 May 2009 09:06:22 -0400
Subject: [Freeipa-devel] [PATCH][SSSD] Clean up warnings in monitor.c
In-Reply-To: <4A096C8E.9010404@redhat.com>
References: <4A0871D6.3090005@redhat.com> <4A087885.1070405@redhat.com> <4A091959.3050700@redhat.com> <4A096C8E.9010404@redhat.com>
Message-ID: <4A09744E.9060608@redhat.com>

On 05/12/2009 08:33 AM, Stephen Gallagher wrote:
> On 05/12/2009 02:38 AM, Sumit Bose wrote:
>> Stephen Gallagher wrote:
>>> Updated patch, also cleaning up warning in confdb.c
>>>
>>> On 05/11/2009 02:43 PM, Stephen Gallagher wrote:
>>>> GCC 4.4.0 reveals more warnings than previous versions.
>>>>
>>>> Clean up function prototype, return without value and pointer signedness
>>>> warnings.
>>>>
>> All changes make sense to me. Wouldn't it be nicer to have
>> "opt_config_file = talloc_strdup(NULL, CONFDB_DEFAULT_CONFIG_FILE);"
>> after server_setup? Then you can use main_ctx and do not have to create
>> a top level context for opt_config_file.
>>
>> bye,
>> Sumit
>
> I'd rather not have it be a child of the server_setup, actually.
> Valgrind can't tell if it's lost at that point. However, I have modified
> the code so that it's explicitly talloc_free()-ed immediately after
> monitor configuration. I checked to make sure that it was
> talloc_strdup()-ed into the confdb_file_ctx inside, so it's safe to
> remove it.
>
> Please see the new patch.
>
>
>
> ------------------------------------------------------------------------
>
> _______________________________________________
> Freeipa-devel mailing list
> Freeipa-devel at redhat.com
> https://www.redhat.com/mailman/listinfo/freeipa-devel

This time with patch attached.

Move the return 6 after the if-else.

--
Stephen Gallagher
RHCE 804006346421761

Looking to carve out IT costs?
www.redhat.com/carveoutcosts/
-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: 0001-Fix-warnings-in-monitor.c-and-confdb.c.patch URL: -------------- next part -------------- A non-text attachment was scrubbed... Name: smime.p7s Type: application/pkcs7-signature Size: 3258 bytes Desc: S/MIME Cryptographic Signature URL: From sbose at redhat.com Tue May 12 13:29:25 2009 
From: sbose at redhat.com (Sumit Bose)
Date: Tue, 12 May 2009 15:29:25 +0200
Subject: [Freeipa-devel] [PATCH][SSSD] Clean up warnings in monitor.c
In-Reply-To: <4A09744E.9060608@redhat.com>
References: <4A0871D6.3090005@redhat.com> <4A087885.1070405@redhat.com> <4A091959.3050700@redhat.com> <4A096C8E.9010404@redhat.com> <4A09744E.9060608@redhat.com>
Message-ID: <4A0979B5.9010607@redhat.com>

Stephen Gallagher wrote:
> On 05/12/2009 08:33 AM, Stephen Gallagher wrote:
>> On 05/12/2009 02:38 AM, Sumit Bose wrote:
>>> Stephen Gallagher wrote:
>>>> Updated patch, also cleaning up warning in confdb.c
>>>>
>>>> On 05/11/2009 02:43 PM, Stephen Gallagher wrote:
>>>>> GCC 4.4.0 reveals more warnings than previous versions.
>>>>>
>>>>> Clean up function prototype, return without value and pointer signedness
>>>>> warnings.
>>>>>
>>> All changes make sense to me. Wouldn't it be nicer to have
>>> "opt_config_file = talloc_strdup(NULL, CONFDB_DEFAULT_CONFIG_FILE);"
>>> after server_setup? Then you can use main_ctx and do not have to create
>>> a top level context for opt_config_file.
>>>
>>> bye,
>>> Sumit
>> I'd rather not have it be a child of the server_setup, actually.
>> Valgrind can't tell if it's lost at that point. However, I have modified
>> the code so that it's explicitly talloc_free()-ed immediately after
>> monitor configuration. I checked to make sure that it was
>> talloc_strdup()-ed into the confdb_file_ctx inside, so it's safe to
>> remove it.
>>
>> Please see the new patch.
>>
>>
>>
>> ------------------------------------------------------------------------
>>
>> _______________________________________________
>> Freeipa-devel mailing list
>> Freeipa-devel at redhat.com
>> https://www.redhat.com/mailman/listinfo/freeipa-devel
>
> This time with patch attached.
>
> Move the return 6 after the if-else.
>

ACK

bye,
Sumit

From pzuna at redhat.com Tue May 12 12:42:05 2009
From: pzuna at redhat.com (Pavel Zuna)
Date: Tue, 12 May 2009 14:42:05 +0200
Subject: [Freeipa-devel] [PATCH] 211 fix a comment and a couple of typos
In-Reply-To: <4A088CBA.9070006@redhat.com>
References: <4A088CBA.9070006@redhat.com>
Message-ID: <4A096E9D.6000909@redhat.com>

Rob Crittenden wrote:
> A couple of cosmetic fixes.
>
> rob

ack.

Pavel

From sgallagh at redhat.com Tue May 12 13:43:29 2009
From: sgallagh at redhat.com (Stephen Gallagher)
Date: Tue, 12 May 2009 09:43:29 -0400
Subject: [Freeipa-devel] [PATCH][SSSD] Clean up warnings in monitor.c
In-Reply-To: <4A0979B5.9010607@redhat.com>
References: <4A0871D6.3090005@redhat.com> <4A087885.1070405@redhat.com> <4A091959.3050700@redhat.com> <4A096C8E.9010404@redhat.com> <4A09744E.9060608@redhat.com> <4A0979B5.9010607@redhat.com>
Message-ID: <4A097D01.1000904@redhat.com>

On 05/12/2009 09:29 AM, Sumit Bose wrote:
> Stephen Gallagher wrote:
>> On 05/12/2009 08:33 AM, Stephen Gallagher wrote:
>>> On 05/12/2009 02:38 AM, Sumit Bose wrote:
>>>> Stephen Gallagher wrote:
>>>>> Updated patch, also cleaning up warning in confdb.c
>>>>>
>>>>> On 05/11/2009 02:43 PM, Stephen Gallagher wrote:
>>>>>> GCC 4.4.0 reveals more warnings than previous versions.
>>>>>>
>>>>>> Clean up function prototype, return without value and pointer signedness
>>>>>> warnings.
>>>>>>
>>>> All changes make sense to me. Wouldn't it be nicer to have
>>>> "opt_config_file = talloc_strdup(NULL, CONFDB_DEFAULT_CONFIG_FILE);"
>>>> after server_setup? Then you can use main_ctx and do not have to create
>>>> a top level context for opt_config_file.
>>>>
>>>> bye,
>>>> Sumit
>>> I'd rather not have it be a child of the server_setup, actually.
>>> Valgrind can't tell if it's lost at that point. However, I have modified
>>> the code so that it's explicitly talloc_free()-ed immediately after
>>> monitor configuration. I checked to make sure that it was
>>> talloc_strdup()-ed into the confdb_file_ctx inside, so it's safe to
>>> remove it.
>>>
>>> Please see the new patch.
>>>
>>>
>>>
>>> ------------------------------------------------------------------------
>>>
>>> _______________________________________________
>>> Freeipa-devel mailing list
>>> Freeipa-devel at redhat.com
>>> https://www.redhat.com/mailman/listinfo/freeipa-devel
>> This time with patch attached.
>>
>> Move the return 6 after the if-else.
>>
> ACK
>
> bye,
> Sumit

Pushed to master.

--
Stephen Gallagher
RHCE 804006346421761

Looking to carve out IT costs?
www.redhat.com/carveoutcosts/

From stephen at gallagherhome.com Tue May 12 16:14:25 2009
From: stephen at gallagherhome.com (Stephen Gallagher)
Date: Tue, 12 May 2009 12:14:25 -0400
Subject: [Freeipa-devel] [PATCH][SSSD] Refactor automake build for common libraries
Message-ID: <4A09A061.9040902@gallagherhome.com>

Patch 1: Allow the individual features of the common libraries to be
configured and built independently. This means it's possible to build
the libcollection.a without also building dhash and ini_config (if we
want to eventually ship this as its own independent library)

Patch 2: Allow the creation of a single combined library for all SSSD
dependencies. This is a non-default config flag, but it will allow us to
ship all of our dependencies in a single file until such time as they
are stabilized enough to release separately.
-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: 0001-Enable-modular-build-of-common-SSSD-libraries.patch
URL:
-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: 0002-Enable-building-a-single-libsssd_utils.so-from-commo.patch
URL:

From nalin at redhat.com Tue May 12 17:16:49 2009
From: nalin at redhat.com (Nalin Dahyabhai)
Date: Tue, 12 May 2009 13:16:49 -0400
Subject: [Freeipa-devel] [PATCH] add NIS support
In-Reply-To: <1242081666.6546.11.camel@jgd-dsk>
References: <4A02F5E2.1020707@redhat.com> <4A02FBCA.9030504@redhat.com> <4A02FFBB.8020309@redhat.com> <1242081666.6546.11.camel@jgd-dsk>
Message-ID: <20090512171649.GC18998@redhat.com>

On Mon, May 11, 2009 at 04:41:06PM -0600, Jason Gerard DeRose wrote:
> To the extent that I understand this patch, I reviewed it and things
> look fine. I couldn't install IPA after I built the rpms because I got
> a "Missing Dependency: slapi-nis >= 0.14" under Fedora 10. Is this
> package build-able under Fedora 10, or do I need to test this under
> Fedora 11?

0.15 was in updates-testing for F-9/F-10/F-11 until this morning; I've
pushed the button for it to be moved to stable since it seems to have fixed
the bugs Rob uncovered in 0.11 and later. The F-12 build failed with a
dependency error because the icu package has been upgraded; I've kicked
off a scratch rebuild to see if that's all that's required to fix it.

To get back to your question, I'd like for it to build on everything
that 389 does, but I've only directly tried it on glibc-based systems.

Cheers,

Nalin

From pzuna at redhat.com Tue May 12 17:51:43 2009
From: pzuna at redhat.com (Pavel Zuna)
Date: Tue, 12 May 2009 19:51:43 +0200
Subject: [Freeipa-devel] [PATCHES] Fix counting of successfully added members. Add checks for use_ldap2 in group2. Some cosmetic changes. + Add hostgroup plugin port to new LDAP backend. + Add netgroup plugin port to new LDAP backend.
Message-ID: <4A09B72F.2090902@redhat.com>

Patch 0001: Fix counting of successfully added members. Add checks for use_ldap2
in group2. Some cosmetic changes.

Patch 0002: Add hostgroup plugin port to new LDAP backend.

Patch 0003: Add netgroup plugin port to new LDAP backend.

I think the patch names say it all.

Pavel
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0001-Fix-counting-of-successfully-added-members.-Add-chec.patch
Type: application/mbox
Size: 6306 bytes
Desc: not available
URL:
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0002-Add-hostgroup-plugin-port-to-new-LDAP-backend.patch
Type: application/mbox
Size: 8093 bytes
Desc: not available
URL:
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0003-Add-netgroup-plugin-port-to-new-LDAP-backend.patch
Type: application/mbox
Size: 12629 bytes
Desc: not available
URL:

From sgallagh at redhat.com Tue May 12 19:39:06 2009
From: sgallagh at redhat.com (Stephen Gallagher)
Date: Tue, 12 May 2009 15:39:06 -0400
Subject: [Freeipa-devel] [PATCH][SSSD] Refactor automake build for common libraries
In-Reply-To: <4A09A061.9040902@gallagherhome.com>
References: <4A09A061.9040902@gallagherhome.com>
Message-ID: <4A09D05A.4030604@redhat.com>

On 05/12/2009 12:14 PM, Stephen Gallagher wrote:
> Patch 1: Allow the individual features of the common libraries to be
> configured and built independently. This means it's possible to build
> the libcollection.a without also building dhash and ini_config (if we
> want to eventually ship this as its own independent library)
>
> Patch 2: Allow the creation of a single combined library for all SSSD
> dependencies. This is a non-default config flag, but it will allow us to
> ship all of our dependencies in a single file until such time as they
> are stabilized enough to release separately.
>
>
> ------------------------------------------------------------------------
>
> _______________________________________________
> Freeipa-devel mailing list
> Freeipa-devel at redhat.com
> https://www.redhat.com/mailman/listinfo/freeipa-devel

Updating patch 0001 with a missed change to common/ini/Makefile.am

Patch 0002 remains the same.

--
Stephen Gallagher
RHCE 804006346421761

Looking to carve out IT costs?
www.redhat.com/carveoutcosts/
-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: 0001-Enable-modular-build-of-common-SSSD-libraries.patch
URL:
-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: 0002-Enable-building-a-single-libsssd_utils.so-from-commo.patch
URL:

From sgallagh at redhat.com Tue May 12 19:39:47 2009
From: sgallagh at redhat.com (Stephen Gallagher)
Date: Tue, 12 May 2009 15:39:47 -0400
Subject: [Freeipa-devel] [PATCHES][SSSD] Convert SSSD build system to Automake
Message-ID: <4A09D083.3090604@redhat.com>

--
Stephen Gallagher
RHCE 804006346421761

Looking to carve out IT costs?
www.redhat.com/carveoutcosts/
-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: 0003-Import-libreplace-macro-files-into-server-tree.patch
URL:
-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: 0004-Convert-SSSD-to-Automake-build-system.patch
URL:

From mnagy at redhat.com Tue May 12 21:32:22 2009
From: mnagy at redhat.com (Martin Nagy)
Date: Tue, 12 May 2009 23:32:22 +0200
Subject: [Freeipa-devel] [PATCH] Integrate the DNS LDAP back-end
Message-ID: <20090512233222.2c5d79d8@notas>

Hi,

this patch series will integrate the LDAP driver into the FreeIPA
install script (better late than never..). To get the driver code:

  git clone git://github.com/mnagy/bind-dyndb-ldap.git

There's a README file with instructions for building and installing. The
plug-in is available in F-11, but since getting updates there is pretty
hard, you'll be better off with the git tree and make install, I won't
be updating the package in F-11 very often, at least not for now.
Unfortunately, I found a bug when testing the driver with IPA that will
cause any read queries to be denied. I'll try to fix that as soon as
possible.

You will also need the latest bind package either from the F-11 or devel
branch (at least version 9.6.1-0.3.b1). Or you can grab a patch from
http://github.com/mnagy/bind-dynamic_db/downloads

For now the plug-in will bind anonymously and won't be able to update.
It could do that, but for now I would have to put the DS password to the
config file.. I don't expect that we want to be able to dynamically
update the initial zone, so hopefully this is ok for now.

I tried to install freeipa with this patch on a clean VM and didn't hit
any problems (well, yeah, I did, but I fixed them before submitting ;).
Any questions and criticism are welcome. Thanks.

Martin
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0001-Move-the-__ldap_mod-function-to-the-Service-class.patch
Type: text/x-patch
Size: 8515 bytes
Desc: not available
URL:
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0002-Change-DNS-LDAP-attributes.patch
Type: text/x-patch
Size: 8859 bytes
Desc: not available
URL:
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0003-Use-LDAP-instead-of-flat-file-for-zone-storage.patch
Type: text/x-patch
Size: 10141 bytes
Desc: not available
URL:
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0004-Use-root.-HOST.-DOMAIN.-instead-of-root.-DOMAIN.patch
Type: text/x-patch
Size: 714 bytes
Desc: not available
URL:

From jderose at redhat.com Wed May 13 01:09:09 2009
From: jderose at redhat.com (Jason Gerard DeRose)
Date: Tue, 12 May 2009 19:09:09 -0600
Subject: [Freeipa-devel] [PATCH] jderose 006 Fix doctests
Message-ID: <1242176949.4376.10.camel@jgd-dsk>

At some point I accidentally sent a patch where the --with-doctest
option in the ./make-test script was commented out. This patch
re-enables the doctests and fixes all the docstrings that have since
become broken.

I also had to add an --exclude="plugins" option to ./make-test: when
enable_ra is False, cert.py and ra.py raise SkipPluginModule, which
causes an un-handled exception for nose. I'll revisit this later when I
think of a better solution.

Speaking of the ra plugin: Rob, is the dogtag/ra plugin still optional
at this point, or is it fundamentally integrated with the installer now?
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-jderose-006-fix-doctests.patch
Type: text/x-patch
Size: 5626 bytes
Desc: not available
URL:

From jderose at redhat.com Wed May 13 01:22:07 2009
From: jderose at redhat.com (Jason Gerard DeRose)
Date: Tue, 12 May 2009 19:22:07 -0600
Subject: [Freeipa-devel] [PATCHES] Fix counting of successfully added members. Add checks for use_ldap2 in group2. Some cosmetic changes. + Add hostgroup plugin port to new LDAP backend. + Add netgroup plugin port to new LDAP backend.
In-Reply-To: <4A09B72F.2090902@redhat.com>
References: <4A09B72F.2090902@redhat.com>
Message-ID: <1242177727.4376.12.camel@jgd-dsk>

On Tue, 2009-05-12 at 19:51 +0200, Pavel Zuna wrote:
> Patch 0001: Fix counting of successfully added members. Add checks for use_ldap2
> in group2. Some cosmetic changes.
>
> Patch 0002: Add hostgroup plugin port to new LDAP backend.
>
> Patch 0003: Add netgroup plugin port to new LDAP backend.
>
> I think the patch names say it all.
>
> Pavel

Pavel, are there other patches that still need acking, are missing from
master? Your 0001 patch changes basegroup2.py, which isn't in master.

From jderose at redhat.com Wed May 13 07:52:00 2009
From: jderose at redhat.com (Jason Gerard DeRose)
Date: Wed, 13 May 2009 01:52:00 -0600
Subject: [Freeipa-devel] [PATCH] jderose 007 part1 of limiting param to certain contexts
Message-ID: <1242201120.24342.14.camel@jgd-dsk>

Both Andrew and Rob have requested the ability to limit a parameter to
certain contexts (server, cli, webui, whatever). I had started work on
this a while ago (not all of it ever made it into master), but my
previous work only allowed you to specify contexts you wanted a param
active in... you couldn't instead specify contexts you *didn't* want a
param to be active in.

So this patch removes the Param.limit_to kwarg and adds Param.include
and Param.exclude kwargs. For example:

  Str('webui', include=['webui'])  # Only active when in 'webui' context.

  Str('client_only', exclude=['server'])  # All contexts except 'server'

Only the 'include' or 'exclude' kwarg can be specified at once; if you
provide both, a ValueError is raised.

This patch also adds a new frontend.UsesParams base class with methods
implementing the filtering. This new functionality doesn't do anything
yet till I change Command and Object to subclass from UsesParams, which
will come in a separate patch.

Lastly, this patch also includes fairly extensive tests for these new
features (UsesParams is at this point tested only through doctests).
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-jderose-007-part1-of-limiting-param-to-certain-contexts.patch
Type: text/x-patch
Size: 11614 bytes
Desc: not available
URL:

From sbose at redhat.com Wed May 13 09:42:46 2009
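The include/exclude semantics described in the jderose 007 message above, as an added stand-alone sketch; it is not code from the patch or from FreeIPA. The names Param, ParamHolder, active_in and params_for are hypothetical, and rejecting a bare string for include/exclude is an assumption of this sketch, not something the message states.

```python
"""Context-limited parameters: include/exclude filtering (added sketch)."""


class Param:
    """Hypothetical parameter that can be limited to certain contexts."""

    def __init__(self, name, include=None, exclude=None):
        # Only one of the two filters may be given; both at once is an
        # error, matching the ValueError behaviour the message describes.
        if include is not None and exclude is not None:
            raise ValueError(
                "%s: 'include' and 'exclude' are mutually exclusive" % name
            )
        self.name = name
        self.include = self._as_set(include)
        self.exclude = self._as_set(exclude)

    @staticmethod
    def _as_set(contexts):
        if contexts is None:
            return None
        # Assumption of this sketch: include='webui' would otherwise be
        # iterated character by character and silently match no context.
        if isinstance(contexts, str):
            raise TypeError("contexts must be a list of names, not a string")
        return frozenset(contexts)

    def active_in(self, context):
        if self.include is not None:
            # Allow-list: unknown contexts never see the param.
            return context in self.include
        if self.exclude is not None:
            # Deny-list: unknown contexts still see the param.
            return context not in self.exclude
        return True


class ParamHolder:
    """Hypothetical stand-in for a class that filters its params."""

    def __init__(self, *params):
        self.params = params

    def params_for(self, context):
        return [p.name for p in self.params if p.active_in(context)]


# Constructed sample: one unrestricted param, one limited to the web UI,
# and one hidden from the server side.
SAMPLE = ParamHolder(
    Param("uid"),
    Param("webui", include=["webui"]),
    Param("client_only", exclude=["server"]),
)


def both_filters_rejected():
    try:
        Param("bad", include=["cli"], exclude=["server"])
    except ValueError:
        return True
    return False


def bare_string_rejected():
    try:
        Param("typo", include="webui")
    except TypeError:
        return True
    return False


if __name__ == "__main__":
    for ctx in ("server", "cli", "webui", "batch"):
        print(ctx, SAMPLE.params_for(ctx))
    print("include+exclude rejected:", both_filters_rejected())
    print("bare string rejected:", bare_string_rejected())
```

The "batch" context in the demo is one that no param names: the exclude-limited param stays active there while the include-limited one does not, so include is the stricter choice for a param that must not leak into contexts added later.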
From: sbose at redhat.com (Sumit Bose)
Date: Wed, 13 May 2009 11:42:46 +0200
Subject: [Freeipa-devel] [PATCH] Manpages generation
In-Reply-To: <1242033819.24047.20.camel@zeppelin.englab.brq.redhat.com>
References: <1242033819.24047.20.camel@zeppelin.englab.brq.redhat.com>
Message-ID: <4A0A9616.3020105@redhat.com>

Jakub Hrozek wrote:
> The attached patch provides a set of make rules for generating UNIX
> manual pages from DocBook 4.5 source as well as sample manpage for
> sss_useradd. Automatic generation of manual pages during "make" process
> is tunable with config parameter "--with-manpages". To rebuild the man
> pages separately, use the "make doc" target. Before building, the
> manpages are validated using a DTD schema.
>

Hi Jakub,

I like the patch and it works for me, but I have a few comments:

- there is a whitespace error in sss_useradd.8.xml at line 34
- why are you using the profile version of the stylesheet
- can you add libxml2 and libxslt to the build requirements in sssd.spec
- I would prefer to have the man pages built by default and a
  --without-manpages configure option for people who do not want to
  install the xml/xslt stuff to generate the man pages

bye,
Sumit

From pzuna at redhat.com Wed May 13 11:12:58 2009
From: pzuna at redhat.com (Pavel Zuna)
Date: Wed, 13 May 2009 13:12:58 +0200
Subject: [Freeipa-devel] [PATCHES] Fix counting of successfully added members. Add checks for use_ldap2 in group2. Some cosmetic changes. + Add hostgroup plugin port to new LDAP backend. + Add netgroup plugin port to new LDAP backend.
In-Reply-To: <1242177727.4376.12.camel@jgd-dsk>
References: <4A09B72F.2090902@redhat.com> <1242177727.4376.12.camel@jgd-dsk>
Message-ID: <4A0AAB3A.7020705@redhat.com>

Jason Gerard DeRose wrote:
> On Tue, 2009-05-12 at 19:51 +0200, Pavel Zuna wrote:
>> Patch 0001: Fix counting of successfully added members. Add checks for use_ldap2
>> in group2. Some cosmetic changes.
>>
>> Patch 0002: Add hostgroup plugin port to new LDAP backend.
>>
>> Patch 0003: Add netgroup plugin port to new LDAP backend.
>>
>> I think the patch names say it all.
>>
>> Pavel
>
> Pavel, are there other patches that still need acking, are missing from
> master? Your 0001 patch changes basegroup2.py, which isn't in master.

Yeah, there's the group plugin port patch I posted in the '[PATCH] Add
group plugin port to new LDAP backend.' thread. I attached it to this
email.

Pavel
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0001-Add-group-plugin-port-to-new-LDAP-backend.patch
Type: application/mbox
Size: 23066 bytes
Desc: not available
URL:

From sgallagh at redhat.com Wed May 13 11:56:19 2009
From: sgallagh at redhat.com (Stephen Gallagher)
Date: Wed, 13 May 2009 07:56:19 -0400
Subject: [Freeipa-devel] [PATCHES][SSSD] Convert SSSD build system to Automake
In-Reply-To: <4A09D083.3090604@redhat.com>
References: <4A09D083.3090604@redhat.com>
Message-ID: <4A0AB563.5080105@redhat.com>

On 05/12/2009 03:39 PM, Stephen Gallagher wrote:
>
> ------------------------------------------------------------------------
>
> _______________________________________________
> Freeipa-devel mailing list
> Freeipa-devel at redhat.com
> https://www.redhat.com/mailman/listinfo/freeipa-devel

Updating patches. I forgot to remove the obsolete files server.mk and
rules.mk.

--
Stephen Gallagher
RHCE 804006346421761

Looking to carve out IT costs?
www.redhat.com/carveoutcosts/
-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: 0003-Import-libreplace-macro-files-into-server-tree.patch
URL:
-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: 0004-Convert-SSSD-to-Automake-build-system.patch
URL:

From sgallagh at redhat.com Wed May 13 12:01:44 2009
From: sgallagh at redhat.com (Stephen Gallagher)
Date: Wed, 13 May 2009 08:01:44 -0400
Subject: [Freeipa-devel] [PATCHES][SSSD] Convert SSSD build system to Automake
In-Reply-To: <4A0AB563.5080105@redhat.com>
References: <4A09D083.3090604@redhat.com> <4A0AB563.5080105@redhat.com>
Message-ID: <4A0AB6A8.20601@redhat.com>

On 05/13/2009 07:56 AM, Stephen Gallagher wrote:
> On 05/12/2009 03:39 PM, Stephen Gallagher wrote:
>> ------------------------------------------------------------------------
>>
>> _______________________________________________
>> Freeipa-devel mailing list
>> Freeipa-devel at redhat.com
>> https://www.redhat.com/mailman/listinfo/freeipa-devel
>
> Updating patches. I forgot to remove the obsolete files server.mk and
> rules.mk.
>
>
>
>
>
> ------------------------------------------------------------------------
>
> _______________________________________________
> Freeipa-devel mailing list
> Freeipa-devel at redhat.com
> https://www.redhat.com/mailman/listinfo/freeipa-devel

One more try, this time fixing some whitespace mistakes as well.

--
Stephen Gallagher
RHCE 804006346421761

Looking to carve out IT costs?
www.redhat.com/carveoutcosts/
-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: 0003-Import-libreplace-macro-files-into-server-tree.patch
URL:
-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: 0004-Convert-SSSD-to-Automake-build-system.patch
URL:

From pzuna at redhat.com Wed May 13 13:34:34 2009
From: pzuna at redhat.com (Pavel Zuna)
Date: Wed, 13 May 2009 15:34:34 +0200
Subject: [Freeipa-devel] [PATCHES] Add new env variables: container_taskgroup, container_rolegroup and container_netgroup. + Add rolegroup plugin port to new LDAP backend. + Add taskgroup plugin port to new LDAP backend. + Add defaultoptions plugin port to new LDAP backend.
Message-ID: <4A0ACC6A.6050407@redhat.com>

0001: Add new env variables: container_taskgroup, container_rolegroup and container_netgroup

0002: Add rolegroup plugin port to new LDAP backend.

0003: Add taskgroup plugin port to new LDAP backend.

0004: Add defaultoptions plugin port to new LDAP backend.

With the last patch, I took the liberty to change the plugin name from
'defaultoptions' to 'config' as I find the former to be a bit clumsy.
Also instead of displaying the LDAP entry after modifying options, I
choose to display a human-readable list of what has changed.

Pavel
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0001-Add-new-env-variables-container_taskgroup-containe.patch
Type: application/mbox
Size: 1331 bytes
Desc: not available
URL:
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0002-Add-rolegroup-plugin-port-to-new-LDAP-backend.patch
Type: application/mbox
Size: 4148 bytes
Desc: not available
URL:
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0003-Add-taskgroup-plugin-port-to-new-LDAP-backend.patch
Type: application/mbox
Size: 6918 bytes
Desc: not available
URL:
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0004-Add-defaultoptions-plugin-port-to-new-LDAP-backend.patch
Type: application/mbox
Size: 6522 bytes
Desc: not available
URL:

From pzuna at redhat.com Wed May 13 16:51:45 2009
From: pzuna at redhat.com (Pavel Zuna)
Date: Wed, 13 May 2009 18:51:45 +0200
Subject: [Freeipa-devel] [PATCH] Add pwpolicy plugin port to new LDAP backend.
Message-ID: <4A0AFAA1.6030307@redhat.com>

Pavel
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0001-Add-pwpolicy-plugin-port-to-new-LDAP-backend.patch
Type: application/mbox
Size: 5341 bytes
Desc: not available
URL:

From jhrozek at redhat.com Wed May 13 16:53:50 2009
From: jhrozek at redhat.com (Jakub Hrozek)
Date: Wed, 13 May 2009 18:53:50 +0200
Subject: [Freeipa-devel] [PATCH] Manpages generation
In-Reply-To: <4A0A9616.3020105@redhat.com>
References: <1242033819.24047.20.camel@zeppelin.englab.brq.redhat.com> <4A0A9616.3020105@redhat.com>
Message-ID: <1242233630.17793.26.camel@zeppelin.englab.brq.redhat.com>

On Wed, 2009-05-13 at 11:42 +0200, Sumit Bose wrote:
> Jakub Hrozek wrote:
> > The attached patch provides a set of make rules for generating UNIX
> > manual pages from DocBook 4.5 source as well as sample manpage for
> > sss_useradd. Automatic generation of manual pages during "make" process
> > is tunable with config parameter "--with-manpages". To rebuild the man
> > pages separately, use the "make doc" target. Before building, the
> > manpages are validated using a DTD schema.
> >
>
> Hi Jakub,
>
> I like the patch and it works for me, but I have a few comments:
>
> - there is a whitespace error in sss_useradd.8.xml at line 34

Fixed, thanks

> - why are you using the profile version of the stylesheet

A bug, sorry. Fixed now.

> - can you add libxml2 and libxslt to the build requirements in sssd.spec
> - I would prefer to have the man pages built by default and a
> --without-manpages configure option for people who do not want to
> install the xml/xslt stuff to generate the man pages

Done, too, although the packaging might change when we migrate to
Automake. I also recall that Simo did want to include the
groff-formatted manpages in the release tarballs. Simo, did you have
something like the "build-docs" script in Samba4 tree in mind?

Thank you for the review!

Jakub
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0001-Manpage-generation.patch
Type: text/x-patch
Size: 14053 bytes
Desc: not available
URL:

From jhrozek at redhat.com Wed May 13 16:54:02 2009
From: jhrozek at redhat.com (Jakub Hrozek)
Date: Wed, 13 May 2009 18:54:02 +0200
Subject: [Freeipa-devel] [PATCHES] start/stop related fixes
In-Reply-To: <1241106592.29393.40.camel@zeppelin.englab.brq.redhat.com>
References: <1241106592.29393.40.camel@zeppelin.englab.brq.redhat.com>
Message-ID: <1242233642.17793.27.camel@zeppelin.englab.brq.redhat.com>

On Thu, 2009-04-30 at 17:49 +0200, Jakub Hrozek wrote:
> The first one reads the config file before calling server_setup()
> which
> daemonizes, so errors in config file are caught before becoming a
> daemon. Would it make sense to do as many configuration steps (from
> monitor_process_init() - like actually initializing confdb etc.) as
> possible before the daemonization?
>
> Fix initscript return codes is pretty straightforward - just return
> correct values in initscript functions. These two patches should
> address
> ticket #28.

I rebased the 0001-Read-the-config-before-startup patch so it can be
applied on top of the recent commits. Are there any other changes needed
before this patch and the 0002-Fix-initscript-return-codes.patch from
the original message can be applied?

Jakub
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0001-Read-the-config-before-startup-fail-if-cannot-be-re.patch
Type: text/x-patch
Size: 2033 bytes
Desc: not available
URL:

From rcritten at redhat.com Wed May 13 18:04:17 2009
From: rcritten at redhat.com (Rob Crittenden)
Date: Wed, 13 May 2009 14:04:17 -0400
Subject: [Freeipa-devel] [PATCH] Add group plugin port to new LDAP backend.
In-Reply-To: <4A083C90.40104@redhat.com>
References: <49F9B183.5090902@redhat.com> <49F9B10E.4060209@redhat.com> <49F9B8E8.1010403@redhat.com> <49F9E524.7040804@redhat.com> <4A083C90.40104@redhat.com>
Message-ID: <4A0B0BA1.8080608@redhat.com>

Pavel Zuna wrote:
> Rob Crittenden wrote:
>> Pavel Zuna wrote:
>>> Rob Crittenden wrote:
>>>> Pavel Zuna wrote:
>>>>> By the way, there's a little bug I discovered while testing this
>>>>> plugin. It affects the old group plugin as well. When trying to
>>>>> modify a group into a posixGroup, gidNumber doesn't get generated
>>>>> automatically resulting in an object violation LDAP error. Solution
>>>>> is to generate it ourselves, but I didn't know how it works, so I
>>>>> commented that part out for now. (/FIXME in vim)
>>>>>
>>>>
>>>> This should be fixed in FDS 1.2. Can you update and give it a try?
>>>>
>>>> rob
>>> Sure, just updated and you're right, it works. :)
>>> Updated patch attached.
>>>
>>> Pavel
>>
>> nack. This won't handle someone using group-mod to set a specific
>> gidnumber. The posixGroup objectclass won't be added.
>>
>> rob
> Fixed patch attached.
>
> Pavel

The basegroup2 part looks ok but nack on group2.

I think we should stick with using lower-case attribute names as a rule
of thumb rather than camel case.

In any case, you test whether the string posixGroup is in the list of
objectclasses; this test needs to be case insensitive.

I also wonder if we should be using ldap.get_entry(). Why use this over
group-show?

I'm not sure if the logic around setting gidnumber is right. If you set
the gidnumber but aren't using the --posix flag it looks like it will
always append posixgroup to the list of objectclasses. I'm pretty sure
the LDAP server is going to reject the update. I suppose making a
list(set(objectclasses)) would work for de-duping.

rob

From rcritten at redhat.com Wed May 13 18:16:04 2009
From: rcritten at redhat.com (Rob Crittenden)
Date: Wed, 13 May 2009 14:16:04 -0400
Subject: [Freeipa-devel] [PATCH] add NIS support
In-Reply-To: <1242081666.6546.11.camel@jgd-dsk>
References: <4A02F5E2.1020707@redhat.com> <4A02FBCA.9030504@redhat.com> <4A02FFBB.8020309@redhat.com> <1242081666.6546.11.camel@jgd-dsk>
Message-ID: <4A0B0E64.2050102@redhat.com>

Jason Gerard DeRose wrote:
> On Thu, 2009-05-07 at 11:35 -0400, Rob Crittenden wrote:
>> yi zhang wrote:
>>> Rob Crittenden wrote:
>>>> Add tool to enable the slapi-nis NIS plugin. This is a DS plugin that
>>>> acts as a basic NIS server.
>>>>
>>>> rob
>
> ack.
>
> I don't understand all the details, but "Rob did it, so it must be
> right!".
>
> To the extent that I understand this patch, I reviewed it and things
> look fine. I couldn't install IPA after I built the rpms because I got
> a "Missing Dependency: slapi-nis >= 0.14" under Fedora 10. Is this
> package build-able under Fedora 10, or do I need to test this under
> Fedora 11?
>
> Anyway, it seems we need to get this committed to move forward.

The required version of slapi-nis has been pushed out to the Fedora
mirrors.

Pushed to master.

From rcritten at redhat.com Wed May 13 18:16:22 2009
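The group2 review by Rob Crittenden above asks for a case-insensitive posixGroup test and for de-duplicated objectclasses; the following is an added sketch of both, not code from the patch under review or from FreeIPA. The function names are hypothetical, the sample lists are constructed, and the rule that either the posix flag or an explicit gidnumber implies posixgroup is an assumption drawn from the thread.

```python
"""Case-insensitive objectclass handling for a group modify (added sketch)."""


def has_objectclass(objectclasses, name):
    """True if `name` is present, comparing case-insensitively as LDAP does."""
    wanted = name.lower()
    return any(oc.lower() == wanted for oc in objectclasses)


def dedupe_objectclasses(objectclasses):
    """Drop repeats that differ only in case, keeping first spelling and order."""
    seen = set()
    result = []
    for oc in objectclasses:
        key = oc.lower()
        if key not in seen:
            seen.add(key)
            result.append(oc)
    return result


def objectclasses_for_group_mod(current, posix=False, gidnumber=None):
    """Return the objectclass list to write back for a group modify.

    Assumption: asking for a POSIX group (posix=True) or setting a specific
    gidnumber both require posixgroup, added at most once.
    """
    updated = dedupe_objectclasses(current)
    needs_posix = posix or gidnumber is not None
    if needs_posix and not has_objectclass(updated, "posixgroup"):
        updated.append("posixgroup")
    return updated


def plain_set_dedupe(objectclasses):
    """list(set(...)) for comparison: it keeps spellings that differ in case."""
    return sorted(set(objectclasses))


if __name__ == "__main__":
    # Constructed entries, as a directory might return them.
    non_posix = ["top", "groupofnames"]
    already_posix = ["top", "groupofnames", "posixGroup"]
    mixed_case_dupes = ["top", "posixGroup", "posixgroup"]

    print(objectclasses_for_group_mod(non_posix, gidnumber=1234))
    print(objectclasses_for_group_mod(already_posix, gidnumber=1234))
    print(objectclasses_for_group_mod(mixed_case_dupes, posix=True))
    print(plain_set_dedupe(mixed_case_dupes))
```

The last line of the demo shows that a plain set still holds both posixGroup and posixgroup, which a directory server treats as the same value.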
From: rcritten at redhat.com (Rob Crittenden)
Date: Wed, 13 May 2009 14:16:22 -0400
Subject: [Freeipa-devel] [PATCH] 206 enhanced NotFound exception
In-Reply-To: <1242082329.6546.12.camel@jgd-dsk>
References: <4A044CE2.5070404@redhat.com> <1242082329.6546.12.camel@jgd-dsk>
Message-ID: <4A0B0E76.2040900@redhat.com>

Jason Gerard DeRose wrote:
> On Fri, 2009-05-08 at 11:16 -0400, Rob Crittenden wrote:
>> Add a reason message to the NotFound exception so we can better report
>> *what* was not found.
>>
>> rob
>
> ack.
>

pushed to master

From rcritten at redhat.com Wed May 13 18:16:41 2009
From: rcritten at redhat.com (Rob Crittenden)
Date: Wed, 13 May 2009 14:16:41 -0400
Subject: [Freeipa-devel] [PATCH] improve cert revocation_reason argument
In-Reply-To: <1242082717.6546.17.camel@jgd-dsk>
References: <4A0475FA.1080309@redhat.com> <1242082717.6546.17.camel@jgd-dsk>
Message-ID: <4A0B0E89.2000705@redhat.com>

Jason Gerard DeRose wrote:
> On Fri, 2009-05-08 at 14:12 -0400, Rob Crittenden wrote:
>> Add a min/max range and some documentation on the revocation_reason
>> argument. I think it would be a bit much to iterate all the reasons for
>> revocation here so I didn't include that.
>>
>> rob
>
> ack.
>
> As mentioned in this thread, we need to come up with a better way to
> make this self-documented on the CLI (well, and on the UI), but this is
> at least a start.
>
> We need these Enums to be able to be defined with a list of (value,
> description) pairs... which raises a question: do we want to translate
> these descriptions? My opinion is yes, at least when presented via the
> Web UI, but probably when presented via the CLI also.
>

pushed to master

From rcritten at redhat.com Wed May 13 18:17:12 2009
From: rcritten at redhat.com (Rob Crittenden)
Date: Wed, 13 May 2009 14:17:12 -0400
Subject: [Freeipa-devel] [PATCH] 208 tighten integration of hosts and services
In-Reply-To: <1242083088.6546.18.camel@jgd-dsk>
References: <4A04773D.4080803@redhat.com> <1241811574.10366.159.camel@localhost.localdomain> <4A048CE6.1040902@redhat.com> <1241813661.10366.162.camel@localhost.localdomain> <4A04A32C.6010100@redhat.com> <4A04A7E7.6060106@redhat.com> <1242083088.6546.18.camel@jgd-dsk>
Message-ID: <4A0B0EA8.7090906@redhat.com>

Jason Gerard DeRose wrote:
> On Fri, 2009-05-08 at 17:45 -0400, Rob Crittenden wrote:
>> Rob Crittenden wrote:
>>> Simo Sorce wrote:
>>>> On Fri, 2009-05-08 at 15:49 -0400, Rob Crittenden wrote:
>>>>> Simo Sorce wrote:
>>>>>> On Fri, 2009-05-08 at 14:17 -0400, Rob Crittenden wrote:
>>>>>>> This patch more tightly couples services and hosts:
>>>>>>>
>>>>>>> - A host is required in order to create a service.
>>>>>> nack, assuming I understand what this means :)
>>>>>> I think we need to be able to give out service keytabs and certificates
>>>>>> to non-enrolled hosts for a long time.
>>>>>> I am not sure it is a good idea to force someone to create a fake host
>>>>>> just to get a keytab/certificate.
>>>>> Define fake host. This doesn't force them to do an enrollment, just
>>>>> to create a host entry ala: ipa host-add foo.example.com.
>>>> Yes this is what I mean by fake host, and the problem is that you will
>>>> have host entries that are not enrolled.
>>>> It is a problem for reporting, it is also a problem for running things
>>>> like finding dead hosts.
>>>> I'd prefer not to have fake hosts if at all possible, it causes problems
>>>> in other areas.
>>>>
>>>> Simo.
>>> Ok, but I think fake is the wrong word to use for them. Unenrolled is
>>> more precise.
>> Attached is a revised patch. Simo already acked these pieces so I'll
>> push this to master.
>
> For what it's worth, ack. ;)
>

pushed to master

From rcritten at redhat.com Wed May 13 18:17:28 2009
From: rcritten at redhat.com (Rob Crittenden)
Date: Wed, 13 May 2009 14:17:28 -0400
Subject: [Freeipa-devel] [PATCH] 210 drop binary subtype
In-Reply-To: <1242083229.6546.19.camel@jgd-dsk>
References: <4A088C44.6010809@redhat.com> <1242083229.6546.19.camel@jgd-dsk>
Message-ID: <4A0B0EB8.3030300@redhat.com>

Jason Gerard DeRose wrote:
> On Mon, 2009-05-11 at 16:36 -0400, Rob Crittenden wrote:
>> Rich M of the 389 team tells me that the ;binary subtype is not required
>> for the userCertificate attribute so I'm dropping it.
>>
>> rob
>
> ack.
>

pushed to master

From rcritten at redhat.com Wed May 13 18:21:57 2009
From: rcritten at redhat.com (Rob Crittenden)
Date: Wed, 13 May 2009 14:21:57 -0400
Subject: [Freeipa-devel] [PATCH] jderose 006 Fix doctests
In-Reply-To: <1242176949.4376.10.camel@jgd-dsk>
References: <1242176949.4376.10.camel@jgd-dsk>
Message-ID: <4A0B0FC5.6050805@redhat.com>

Jason Gerard DeRose wrote:
> At some point I accidentally sent a patch where the --with-doctest
> option in the ./make-test script was commented out. This patch
> re-enables the doctests and fixes all the docstrings that have since
> become broken.
>
> I also had to add an --exclude="plugins" option to ./make-test: when
> enable_ra is False, cert.py and ra.py raise SkipPluginModule, which
> causes an un-handled exception for nose. I'll revisit this later when I
> think of a better solution.
>
> Speaking of the ra plugin: Rob, is the dogtag/ra plugin still optional
> at this point, or is it fundamentally integrated with the installer now?

ack and pushed to master

From sbose at redhat.com Wed May 13 18:52:01 2009
From: sbose at redhat.com (Sumit Bose)
Date: Wed, 13 May 2009 20:52:01 +0200
Subject: [Freeipa-devel] [PATCHES][SSSD] Convert SSSD build system to Automake
In-Reply-To: <4A0AB6A8.20601@redhat.com>
References: <4A09D083.3090604@redhat.com> <4A0AB563.5080105@redhat.com> <4A0AB6A8.20601@redhat.com>
Message-ID: <4A0B16D1.1050201@redhat.com>

Stephen Gallagher wrote:
> On 05/13/2009 07:56 AM, Stephen Gallagher wrote:
>> On 05/12/2009 03:39 PM, Stephen Gallagher wrote:
>>> ------------------------------------------------------------------------
>>>
>>> _______________________________________________
>>> Freeipa-devel mailing list
>>> Freeipa-devel at redhat.com
>>> https://www.redhat.com/mailman/listinfo/freeipa-devel
>> Updating patches. I forgot to remove the obsolete files server.mk and
>> rules.mk.
>>
>
> One more try, this time fixing some whitespace mistakes as well.
>

It would be nice if the m4 file can be placed in a common subdirectory. Maybe even better if the libreplace m4 files can be read from the replace directory.

The patch should update BUILD.txt and sssd.spec in the top level directory, too.

Are you planning to migrate sss_client, too?

bye,
Sumit

From pzuna at redhat.com Wed May 13 18:56:50 2009
From: pzuna at redhat.com (Pavel Zuna)
Date: Wed, 13 May 2009 20:56:50 +0200
Subject: [Freeipa-devel] [PATCH] Add group plugin port to new LDAP backend.
In-Reply-To: <4A0B0BA1.8080608@redhat.com>
References: <49F9B183.5090902@redhat.com> <49F9B10E.4060209@redhat.com> <49F9B8E8.1010403@redhat.com> <49F9E524.7040804@redhat.com> <4A083C90.40104@redhat.com> <4A0B0BA1.8080608@redhat.com>
Message-ID: <4A0B17F2.4050504@redhat.com>

Rob Crittenden wrote:
> Pavel Zuna wrote:
>> Rob Crittenden wrote:
>>> Pavel Zuna wrote:
>>>> Rob Crittenden wrote:
>>>>> Pavel Zuna wrote:
>>>>>> By the way, there's a little bug I discovered while testing this
>>>>>> plugin. It affects the old group plugin as well. When trying to
>>>>>> modify a group into a posixGroup, gidNumber doesn't get generated
>>>>>> automatically resulting in an object violation LDAP error. Solution
>>>>>> is to generate it ourselves, but I didn't know how it works, so I
>>>>>> commented that part out for now. (/FIXME in vim)
>>>>>>
>>>>>
>>>>> This should be fixed in FDS 1.2. Can you update and give it a try?
>>>>>
>>>>> rob
>>>> Sure, just updated and you're right, it works. :)
>>>> Updated patch attached.
>>>>
>>>> Pavel
>>>
>>> nack. This won't handle someone using group-mod to set a specific
>>> gidnumber. The posixGroup objectclass won't be added.
>>>
>>> rob
>> Fixed patch attached.
>>
>> Pavel
>
> The basegroup2 part looks ok but nack on group2.
>
> I think we should stick with using lower-case attribute names as a rule
> of thumb rather than camel case. In any case you test for the string
> posixGroup is in the list of objectclasses, this test needs to be case
> insensitive.

When no attributes to retrieve are specified, python-ldap retrieves them all in the original form - camel case. If we specify them, then it returns them in the same form as we requested them. The new LDAP backend doesn't use CIDicts anymore, but only the normal python dict type, so everything is case sensitive. Of course I can make it return attribute names always as lowercase if that's what we want.

> I also wonder if we should be using ldap.get_entry(). Why use this over
> group-show?

It's faster, because we call get_entry directly and because we can request objectClass attribute only. Why invoke an IPA command instead of making a direct call?

> I'm not sure if the logic around setting gidnumber is right. If you set
> the gidnumber but aren't using the --posix flag it looks like it will
> always append posixgroup to the list of objectclasses. I'm pretty sure
> the LDAP server is going to reject the update. I suppose making a
> list(set(objectclasses)) would work for de-duping.

You're right, it's broken. I'll fix it.

Pavel

From rcritten at redhat.com Wed May 13 20:04:49 2009
From: rcritten at redhat.com (Rob Crittenden)
Date: Wed, 13 May 2009 16:04:49 -0400
Subject: [Freeipa-devel] [PATCH] Add group plugin port to new LDAP backend.
In-Reply-To: <4A0B17F2.4050504@redhat.com>
References: <49F9B183.5090902@redhat.com> <49F9B10E.4060209@redhat.com> <49F9B8E8.1010403@redhat.com> <49F9E524.7040804@redhat.com> <4A083C90.40104@redhat.com> <4A0B0BA1.8080608@redhat.com> <4A0B17F2.4050504@redhat.com>
Message-ID: <4A0B27E1.1080200@redhat.com>

Pavel Zuna wrote:
> Rob Crittenden wrote:
>> Pavel Zuna wrote:
>>> Rob Crittenden wrote:
>>>> Pavel Zuna wrote:
>>>>> Rob Crittenden wrote:
>>>>>> Pavel Zuna wrote:
>>>>>>> By the way, there's a little bug I discovered while testing this
>>>>>>> plugin. It affects the old group plugin as well. When trying to
>>>>>>> modify a group into a posixGroup, gidNumber doesn't get generated
>>>>>>> automatically resulting in an object violation LDAP error.
>>>>>>> Solution is to generate it ourselves, but I didn't know how it
>>>>>>> works, so I commented that part out for now. (/FIXME in vim)
>>>>>>>
>>>>>>
>>>>>> This should be fixed in FDS 1.2. Can you update and give it a try?
>>>>>>
>>>>>> rob
>>>>> Sure, just updated and you're right, it works. :)
>>>>> Updated patch attached.
>>>>>
>>>>> Pavel
>>>>
>>>> nack. This won't handle someone using group-mod to set a specific
>>>> gidnumber. The posixGroup objectclass won't be added.
>>>>
>>>> rob
>>> Fixed patch attached.
>>>
>>> Pavel
>>
>> The basegroup2 part looks ok but nack on group2.
>>
>> I think we should stick with using lower-case attribute names as a
>> rule of thumb rather than camel case. In any case you test for the
>> string posixGroup is in the list of objectclasses, this test needs to
>> be case insensitive.
> When no attributes to retrieve are specified, python-ldap retrieves them
> all in the original form - camel case. If we specify them, then it
> returns them in the same form as we requested them. The new LDAP backend
> doesn't use CIDicts anymore, but only the normal python dict type, so
> everything is case sensitive. Of course I can make it return attribute
> names always as lowercase if that's what we want.

I think we need consistent naming otherwise all sorts of odd bugs can creep in.

>> I also wonder if we should be using ldap.get_entry(). Why use this
>> over group-show?
> It's faster, because we call get_entry directly and because we can
> request objectClass attribute only. Why invoke an IPA command instead of
> making a direct call?

Well, I felt the same way but Jason convinced me that limiting the places we do actual LDAP calls will be beneficial in the long-run. The command is run internally, not over XML-RPC, so there isn't a whole lot of additional overhead.

Part of the idea, which we haven't really utilized much yet, is to try to make the backend easily replaceable.

>
>> I'm not sure if the logic around setting gidnumber is right. If you
>> set the gidnumber but aren't using the --posix flag it looks like it
>> will always append posixgroup to the list of objectclasses. I'm pretty
>> sure the LDAP server is going to reject the update. I suppose making a
>> list(set(objectclasses)) would work for de-duping.
> You're right, it's broken. I'll fix it.
>
> Pavel

ok

rob

From rcritten at redhat.com Wed May 13 21:01:07 2009
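The objectclass handling debated in the thread above, as an added example that is not code from the FreeIPA patch: a case-insensitive posixGroup test, and a merge that only adds the value when it is missing. The function names, the `posix` and `gidnumber` parameters and the sample entries are assumptions made for illustration.

```python
# Added illustration, not FreeIPA code. Function names, the posix/gidnumber
# parameters and the sample entries are assumptions made for this example.

POSIX_OC = "posixgroup"  # lower-case spelling, per the naming rule proposed in the thread


def normalize_entry(attrs):
    """Return a copy of an entry dict keyed by lower-case attribute names.

    A plain dict is case sensitive, so 'objectClass' and 'objectclass' would
    be different keys. Values of names that collide once lower-cased are merged.
    """
    out = {}
    for name, values in attrs.items():
        out.setdefault(name.lower(), []).extend(values)
    return out


def has_objectclass(objectclasses, wanted):
    """Case-insensitive membership test for an objectclass value."""
    wanted = wanted.lower()
    return any(oc.lower() == wanted for oc in objectclasses)


def dedupe_ci(values):
    """Drop case-insensitive duplicates, keeping the first spelling and the order."""
    seen = set()
    out = []
    for value in values:
        key = value.lower()
        if key not in seen:
            seen.add(key)
            out.append(value)
    return out


def naive_merge(objectclasses):
    """Always append, then de-duplicate with set(): exact match only, order lost."""
    return list(set(objectclasses + [POSIX_OC]))


def plan_group_mod(entry, posix=False, gidnumber=None):
    """Return the attributes a group modification has to replace.

    posixGroup is required when the caller asks for a POSIX group or sets a
    gidnumber, and it is added only if the entry does not already carry it in
    any spelling. gidnumber is included only when the caller supplied one and
    it differs from the stored value. An empty dict means nothing to send.
    """
    attrs = normalize_entry(entry)
    current = attrs.get("objectclass", [])
    changes = {}
    if (posix or gidnumber is not None) and not has_objectclass(current, POSIX_OC):
        changes["objectclass"] = dedupe_ci(current + [POSIX_OC])
    if gidnumber is not None:
        wanted = [str(gidnumber)]
        if attrs.get("gidnumber") != wanted:
            changes["gidnumber"] = wanted
    return changes


# Constructed sample entries (not taken from a real directory).
POSIX_GROUP = {
    "objectClass": ["top", "groupOfNames", "posixGroup"],
    "cn": ["admins"],
    "gidNumber": ["1001"],
}
PLAIN_GROUP = {"objectclass": ["top", "groupofnames"], "cn": ["editors"]}

if __name__ == "__main__":
    # Exact-match de-duplication keeps both spellings of the same objectclass.
    print(sorted(naive_merge(POSIX_GROUP["objectClass"])))
    # Changing the gid of an existing POSIX group touches gidnumber only.
    print(plan_group_mod(POSIX_GROUP, gidnumber=2000))
    # Setting a gid on a plain group adds posixgroup exactly once.
    print(plan_group_mod(PLAIN_GROUP, gidnumber=3000))
    # No flag and no gid: nothing to modify.
    print(plan_group_mod(PLAIN_GROUP))
```
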
From: rcritten at redhat.com (Rob Crittenden)
Date: Wed, 13 May 2009 17:01:07 -0400
Subject: [Freeipa-devel] [PATCH] 212 fix argument passing to _handle_errors()
Message-ID: <4A0B3513.7040509@redhat.com>

I was passing in some non-existent arguments in some cases to _handle_errors(). Also ensure that we have something to pass to notfound().

rob

-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-212-errors.patch
Type: application/mbox
Size: 2411 bytes
Desc: not available
URL:

From rcritten at redhat.com Wed May 13 21:08:25 2009
From: rcritten at redhat.com (Rob Crittenden)
Date: Wed, 13 May 2009 17:08:25 -0400
Subject: [Freeipa-devel] [PATCH] 213 use the csv module for ldapupdate
Message-ID: <4A0B36C9.3020709@redhat.com>

In ldapupdate I wanted to make things easy on update writers and let them pass in a comma-separated string to make a multi-valued attribute, like:

add:objectclass: top, person, inetorgperson

This is my last attempt at working around this "feature" before simply dropping it. It has turned out to be almost more trouble than it is worth.

In any case, this patch drops my hackish lex-based parser for the python csv module. This works a bit nicer anyway.

You do have to be a bit careful about mixing ' and " though. What I've done is set the quote string to whatever the first character of a line is, defaulting to ".

In other words, if you want the quote character to be ', then pass it as the first character in the update line. Something like:

add:name:'"Here is a quoted value, and another", "and one more"'

This breaks down to 2 values to be added:

"Here is a quoted value, and another"
"and one more"

rob

-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-213-csv.patch
Type: application/mbox
Size: 4317 bytes
Desc: not available
URL:

From rcritten at redhat.com Wed May 13 21:10:56 2009
From: rcritten at redhat.com (Rob Crittenden)
Date: Wed, 13 May 2009 17:10:56 -0400
Subject: [Freeipa-devel] [PATCH] 214 csv parsing updates
Message-ID: <4A0B3760.2050003@redhat.com>

Patches to two update files impacted by the csv parsing change.

rob

-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-214-update.patch
Type: application/mbox
Size: 25877 bytes
Desc: not available
URL:

From rcritten at redhat.com Wed May 13 21:14:11 2009
From: rcritten at redhat.com (Rob Crittenden)
Date: Wed, 13 May 2009 17:14:11 -0400
Subject: [Freeipa-devel] [PATCH] 215 netgroup compat
Message-ID: <4A0B3823.4010903@redhat.com>

Add a schema-compat configuration to translate our netgroup configuration into a standard netgroup triple.

I'm including this in nis because that is really the only place it is interesting. So to use this requires that both the schema-compat and nis plugins are enabled.

rob

-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-215-nis.patch
Type: application/mbox
Size: 1849 bytes
Desc: not available
URL:

From rcritten at redhat.com Wed May 13 21:18:04 2009
From: rcritten at redhat.com (Rob Crittenden)
Date: Wed, 13 May 2009 17:18:04 -0400
Subject: [Freeipa-devel] [PATCH] 217 change attribute used for hostnames
Message-ID: <4A0B390C.6090709@redhat.com>

This goes along with the netgroup patch.

We were using commonname to store the hostname. This made translating hosts into triples difficult because the same attribute was used to identify hosts as well as hostgroups.

So we decided to use a new attribute, fqdn, instead.

rob

-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-217-fqdn.patch
Type: application/mbox
Size: 5865 bytes
Desc: not available
URL:

From yzhang at redhat.com Wed May 13 22:50:39 2009
From: yzhang at redhat.com (yi zhang)
Date: Wed, 13 May 2009 15:50:39 -0700
Subject: [Freeipa-devel] nis plugin test plan
Message-ID: <4A0B4EBF.2010500@redhat.com>

Hi:

The test plan for nis plugin is here:
http://rome.sjc.redhat.com/mediawiki/index.php/IPA_NIS_plugin_test_plan

Please review it and give me your feedback.

We are still working on this feature (it is almost ready as I am writing this email), I am still not clear about how to configure this plug-in. I will keep bugging Rob and Nalin to dig it out and place them in this test plan. (And send to Doc guys -- is it David or Deon this time?)

Cheers!
Yi

From rcritten at redhat.com Thu May 14 01:44:37 2009
From: rcritten at redhat.com (Rob Crittenden)
Date: Wed, 13 May 2009 21:44:37 -0400
Subject: [Freeipa-devel] [PATCH] 217 change attribute used for hostnames
In-Reply-To: <4A0B390C.6090709@redhat.com>
References: <4A0B390C.6090709@redhat.com>
Message-ID: <4A0B7785.6070501@redhat.com>

Rob Crittenden wrote:
> This goes along with the netgroup patch.
>
> We were using commonname to store the hostname. This made translating
> hosts into triples difficult because the same attribute was used to
> identify hosts as well as hostgroups.
>
> So we decided to use a new attribute, fqdn, instead.
>
> rob

Sad to say I have to nack my own patch :-(

I need to make fqdn a MUST attribute and also update the test cases.

rob

From sbose at redhat.com Thu May 14 09:51:32 2009
From: sbose at redhat.com (Sumit Bose)
Date: Thu, 14 May 2009 11:51:32 +0200
Subject: [Freeipa-devel] [PATCH] Manpages generation
In-Reply-To: <1242233630.17793.26.camel@zeppelin.englab.brq.redhat.com>
References: <1242033819.24047.20.camel@zeppelin.englab.brq.redhat.com> <4A0A9616.3020105@redhat.com> <1242233630.17793.26.camel@zeppelin.englab.brq.redhat.com>
Message-ID: <4A0BE9A4.1080902@redhat.com>

Jakub Hrozek wrote:
> On Wed, 2009-05-13 at 11:42 +0200, Sumit Bose wrote:
>> Jakub Hrozek wrote:
>>> The attached patch provides a set of make rules for generating UNIX
>>> manual pages from DocBook 4.5 source as well as sample manpage for
>>> sss_useradd. Automatic generation of manual pages during "make" process
>>> is tunable with config parameter "--with-manpages". To rebuild the man
>>> pages separately, use the "make doc" target. Before building, the
>>> manpages are validated using a DTD schema.
>>>
>> Hi Jakub,
>>
>> I like the patch and it works for me, but I have a few comments:
>>
>> - there is a whitespace error in sss_useradd.8.xml at line 34
> Fixed, thanks
>
>> - why are you using the profile version of the stylesheet
> A bug, sorry. Fixed now.
>
>> - can you add libxml2 and libxslt to the build requirements in sssd.spec
>> - I would prefer to have the man pages built by default and a
>> --without-manpages configure option for people who do not want to
>> install the xml/xslt stuff to generate the man pages
>
> Done, too, although the packaging might change when we migrate to
> Automake.

I do not know how to tell autotools to do this, but it would be nice to have something similar to:

-doc:: $(MANPAGES) +doc:: $(if $(HAVE_MANPAGES),$(MANPAGES), \ + $(info Please use configure option --with-manpages to enable

in Makefile.in to avoid strange messages when 'make doc' is called after configure --without-manpages.

>
> I also recall that Simo did want to include the groff-formatted manpages
> in the release tarballs. Simo, did you have something like the "build-docs"
> script in Samba4 tree in mind?
>

+1 for groff-formatted manpages in the tarballs

ACK for the patch, but I think you should talk to Stephen if this patch or the autotools patch should come first.

bye,
Sumit

From sbose at redhat.com Thu May 14 09:54:45 2009
From: sbose at redhat.com (Sumit Bose)
Date: Thu, 14 May 2009 11:54:45 +0200
Subject: [Freeipa-devel] [PATCHES][SSSD] Convert SSSD build system to Automake
In-Reply-To: <4A0B16D1.1050201@redhat.com>
References: <4A09D083.3090604@redhat.com> <4A0AB563.5080105@redhat.com> <4A0AB6A8.20601@redhat.com> <4A0B16D1.1050201@redhat.com>
Message-ID: <4A0BEA65.80500@redhat.com>

Sumit Bose wrote:
> Stephen Gallagher wrote:
>> On 05/13/2009 07:56 AM, Stephen Gallagher wrote:
>>> On 05/12/2009 03:39 PM, Stephen Gallagher wrote:
>>> Updating patches. I forgot to remove the obsolete files server.mk and
>>> rules.mk.
>>>
>> One more try, this time fixing some whitespace mistakes as well.
>>
>
> It would be nice if the m4 file can be placed in a common subdirectory.
> Maybe even better if the libreplace m4 files can be read from the
> replace directory.
>
> The patch should update BUILD.txt and sssd.spec in the top level
> directory, too.
>
> Are you planning to migrate sss_client, too?
>

It was possible to call

CFLAGS="-g -Wall -Wextra" make

to append options to CFLAGS without rerunning configure. Is there a macro to enable this with autotools, too?

bye,
Sumit

From sbose at redhat.com Thu May 14 10:58:45 2009
From: sbose at redhat.com (Sumit Bose)
Date: Thu, 14 May 2009 12:58:45 +0200
Subject: [Freeipa-devel] [PATCHES][SSSD] Convert SSSD build system to Automake
In-Reply-To: <4A0BEA65.80500@redhat.com>
References: <4A09D083.3090604@redhat.com> <4A0AB563.5080105@redhat.com> <4A0AB6A8.20601@redhat.com> <4A0B16D1.1050201@redhat.com> <4A0BEA65.80500@redhat.com>
Message-ID: <4A0BF965.4000106@redhat.com>

Sumit Bose wrote:
> Sumit Bose wrote:
>> Stephen Gallagher wrote:
>>> On 05/13/2009 07:56 AM, Stephen Gallagher wrote:
>>>> On 05/12/2009 03:39 PM, Stephen Gallagher wrote:
>>>> Updating patches. I forgot to remove the obsolete files server.mk and
>>>> rules.mk.
>>>>
>>> One more try, this time fixing some whitespace mistakes as well.
>>>
>> It would be nice if the m4 file can be placed in a common subdirectory.
>> Maybe even better if the libreplace m4 files can be read from the
>> replace directory.
>>
>> The patch should update BUILD.txt and sssd.spec in the top level
>> directory, too.
>>
>> Are you planning to migrate sss_client, too?
>>
>
> It was possible to call
>
> CFLAGS="-g -Wall -Wextra" make
>
>
> to append options to CFLAGS without rerunning configure. Is there a
> macro to enable this with autotools, too?
>

yet another comment. This patch stores all *.o, *.lo, libs and binary files in the top level directory. Although 'make clean' removes them all, it would be much nicer if they are built in the directories of the source files.

bye,
Sumit

From sgallagh at redhat.com Thu May 14 11:47:38 2009
From: sgallagh at redhat.com (Stephen Gallagher)
Date: Thu, 14 May 2009 07:47:38 -0400
Subject: [Freeipa-devel] [PATCHES][SSSD] Convert SSSD build system to Automake
In-Reply-To: <4A0BF965.4000106@redhat.com>
References: <4A09D083.3090604@redhat.com> <4A0AB563.5080105@redhat.com> <4A0AB6A8.20601@redhat.com> <4A0B16D1.1050201@redhat.com> <4A0BEA65.80500@redhat.com> <4A0BF965.4000106@redhat.com>
Message-ID: <4A0C04DA.2080907@redhat.com>

On 05/14/2009 06:58 AM, Sumit Bose wrote:
> Sumit Bose wrote:
>> Sumit Bose wrote:
>>> Stephen Gallagher wrote:
>>>> On 05/13/2009 07:56 AM, Stephen Gallagher wrote:
>>>>> On 05/12/2009 03:39 PM, Stephen Gallagher wrote:
>>>>> Updating patches. I forgot to remove the obsolete files server.mk and
>>>>> rules.mk.
>>>>>
>>>> One more try, this time fixing some whitespace mistakes as well.
>>>>
>>> It would be nice if the m4 file can be placed in a common subdirectory.
>>> Maybe even better if the libreplace m4 files can be read from the
>>> replace directory.
>>>
>>> The patch should update BUILD.txt and sssd.spec in the top level
>>> directory, too.
>>>
>>> Are you planning to migrate sss_client, too?
>>>
>> It was possible to call
>>
>> CFLAGS="-g -Wall -Wextra" make
>>
>>
>> to append options to CFLAGS without rerunning configure. Is there a
>> macro to enable this with autotools, too?
>>
>
> yet another comment. This patch stores all *.o, *.lo, libs and binary
> files in the top level directory. Although 'make clean' removes them
> all, it would be much nicer if they are built in the directories of the
> source files.
>
> bye,
> Sumit

I'll try to address all of your concerns:

1) I'm working on seeing if I can pull the m4 files into a subdirectory. I'll release a new patch shortly, I hope.

2) Change the syntax to:
make CFLAGS="-g -Wall -Wextra"
(The variable substitution needs to follow the command in order to be treated as a substitution in the Makefile)

3) As far as storing the .o files in the top level directory, this is just how automake is doing it internally. However, one of the distinct advantages to automake is the availability of parallel builds. E.g. create a directory called x86_64, then run ../configure from that directory. It will generate symlinks for the source files and headers, etc. and then you can perform the build there. Cleanup is as simple as rm -Rf x86_64.

In order to have them build individually from the subdirectories, I'd need to set up a recursive automake to generate static libraries in each of the directories, which is something I intentionally avoided, because most of those object files need to be linked into the shared objects such as the plugins. Linking static libraries into a shared object is non-portable (and throws a noisy warning if you do it)

--
Stephen Gallagher
RHCE 804006346421761
Looking to carve out IT costs?
www.redhat.com/carveoutcosts/

From sbose at redhat.com Thu May 14 11:50:44 2009
From: sbose at redhat.com (Sumit Bose)
Date: Thu, 14 May 2009 13:50:44 +0200
Subject: [Freeipa-devel] [PATCH] added check for NULL values
Message-ID: <4A0C0594.5060902@redhat.com>

Hi,

this patch makes the handling of NULL values in pam_data a bit more flexible and introduces an additional check in pam_reply. The check is necessary because pam_reply might get called before the domain structure is initialized, e.g. if the client data is invalid.

bye,
Sumit

-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0001-added-check-for-NULL-values.patch
Type: text/x-patch
Size: 2461 bytes
Desc: not available
URL:

From sbose at redhat.com Thu May 14 12:24:03 2009
From: sbose at redhat.com (Sumit Bose)
Date: Thu, 14 May 2009 14:24:03 +0200
Subject: [Freeipa-devel] [PATCHES][SSSD] Convert SSSD build system to Automake
In-Reply-To: <4A0C04DA.2080907@redhat.com>
References: <4A09D083.3090604@redhat.com> <4A0AB563.5080105@redhat.com> <4A0AB6A8.20601@redhat.com> <4A0B16D1.1050201@redhat.com> <4A0BEA65.80500@redhat.com> <4A0BF965.4000106@redhat.com> <4A0C04DA.2080907@redhat.com>
Message-ID: <4A0C0D63.6050604@redhat.com>

Stephen Gallagher wrote:
>
> 2) Change the syntax to:
> make CFLAGS="-g -Wall -Wextra"
> (The variable substitution needs to follow the command in order to be
> treated as a substitution in the Makefile)
>

great, please consider the following patch to avoid adding the flags twice.

diff --git a/server/Makefile.am b/server/Makefile.am index 822c8c2..d8fdc6d 100644 --- a/server/Makefile.am +++ b/server/Makefile.am
@@ -95,7 +95,7 @@ AM_CPPFLAGS = -Wall \ -DSHADOW_UTILS_PATH=\"$(SHADOW_UTILS_PATH)\" \ -DSSSD_INTROSPECT_PATH=\"$(dbusinstropectdir)\" \ -DSSSD_CONF_DIR=\"$(sssdconfdir)\" \ - -DUSE_MMAP=1 $(CFLAGS) + -DUSE_MMAP=1 SSSD_DEBUG_OBJ = \ util/debug.c > 3) As far as storing the .o files in the top level directory, this is > just how automake is doing it internally. However, one of the distinct > advantages to automake is the availability of parallel builds. E.g. > create a directory called x86_64, then run ../configure from that > directory. It will generate symlinks for the source files and headers, > etc. and then you can perform the build there. Cleanup is as simple as > rm -Rf x86_64. > > In order to have them build individually from the subdirectories, I'd > need to set up a recursive automake to generate static libraries in each > of the directories, which is something I intentionally avoided, because > most of those object files need to be linked into the shared objects > such as the plugins. Linking static libraries into a shared object is > non-portable (and throws a noisy warning if you do it) > yes, I like this build directory feature. I have tried the following patch which at least keeps the .o and .lo files together with the .c files. diff --git a/server/configure.ac b/server/configure.ac index b533385..abec03b 100644 --- a/server/configure.ac +++ b/server/configure.ac @@ -17,7 +17,8 @@ AC_CONFIG_AUX_DIR([build]) AC_LIBREPLACE_ALL_CHECKS -AM_INIT_AUTOMAKE([-Wall foreign]) +AM_INIT_AUTOMAKE([-Wall foreign subdir-objects]) +AM_PROG_CC_C_O AC_PROG_LIBTOOL AC_CONFIG_MACRO_DIR([m4]) bye, Sumit From sgallagh at redhat.com Thu May 14 12:36:08 2009 
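Review bot: in the server/Makefile.am hunk, the first context line still reads "AM_CPPFLAGS = -Wall \", so a compiler warning option stays in the preprocessor flags after $(CFLAGS) is dropped from the last line. Consider moving -Wall to AM_CFLAGS and keeping only the -D definitions in AM_CPPFLAGS. Dropping $(CFLAGS) itself is right: automake already places the user's CFLAGS on every compile command, so with this change a value given as make CFLAGS=... appears once instead of twice.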
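Review bot: in the server/configure.ac hunk, AM_PROG_CC_C_O is added directly under AM_INIT_AUTOMAKE with no comment saying why it is there. Since it arrives together with subdir-objects, a one-line dnl comment tying the two together would keep it from being removed later as unused. It is also worth checking that any hand-written rules or clean targets in Makefile.am still match once objects are written next to their sources (for example under util/ for util/debug.c) instead of in the top-level build directory.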
From: sgallagh at redhat.com (Stephen Gallagher) Date: Thu, 14 May 2009 08:36:08 -0400 Subject: [Freeipa-devel] [PATCHES][SSSD] Convert SSSD build system to Automake In-Reply-To: <4A0C0D63.6050604@redhat.com> References: <4A09D083.3090604@redhat.com> <4A0AB563.5080105@redhat.com> <4A0AB6A8.20601@redhat.com> <4A0B16D1.1050201@redhat.com> <4A0BEA65.80500@redhat.com> <4A0BF965.4000106@redhat.com> <4A0C04DA.2080907@redhat.com> <4A0C0D63.6050604@redhat.com> Message-ID: <4A0C1038.9020601@redhat.com> On 05/14/2009 08:24 AM, Sumit Bose wrote: > Stephen Gallagher wrote: >> 2) Change the syntax to: >> make CFLAGS="-g -Wall -Wextra" >> (The variable substitution needs to follow the command in order to be >> treated as a substitution in the Makefile) >> > > great, please consider the following patch to avoid adding the flags twice. > > diff --git a/server/Makefile.am b/server/Makefile.am > index 822c8c2..d8fdc6d 100644 > --- a/server/Makefile.am > +++ b/server/Makefile.am
> @@ -95,7 +95,7 @@ AM_CPPFLAGS = -Wall \ > -DSHADOW_UTILS_PATH=\"$(SHADOW_UTILS_PATH)\" \ > -DSSSD_INTROSPECT_PATH=\"$(dbusinstropectdir)\" \ > -DSSSD_CONF_DIR=\"$(sssdconfdir)\" \ > - -DUSE_MMAP=1 $(CFLAGS) > + -DUSE_MMAP=1 > > SSSD_DEBUG_OBJ = \ > util/debug.c > I think I copied that verbatim from the old code. Good catch, I'll add that. > >> 3) As far as storing the .o files in the top level directory, this is >> just how automake is doing it internally. However, one of the distinct >> advantages to automake is the availability of parallel builds. E.g. >> create a directory called x86_64, then run ../configure from that >> directory. It will generate symlinks for the source files and headers, >> etc. and then you can perform the build there. Cleanup is as simple as >> rm -Rf x86_64. >> >> In order to have them build individually from the subdirectories, I'd >> need to set up a recursive automake to generate static libraries in each >> of the directories, which is something I intentionally avoided, because >> most of those object files need to be linked into the shared objects >> such as the plugins. Linking static libraries into a shared object is >> non-portable (and throws a noisy warning if you do it) >> > > yes, I like this build directory feature. I have tried the following > patch which at least keeps the .o and .lo files together with the .c files. > > diff --git a/server/configure.ac b/server/configure.ac > index b533385..abec03b 100644 > --- a/server/configure.ac > +++ b/server/configure.ac 
> @@ -17,7 +17,8 @@ AC_CONFIG_AUX_DIR([build]) > > AC_LIBREPLACE_ALL_CHECKS > > -AM_INIT_AUTOMAKE([-Wall foreign]) > +AM_INIT_AUTOMAKE([-Wall foreign subdir-objects]) > +AM_PROG_CC_C_O > AC_PROG_LIBTOOL > AC_CONFIG_MACRO_DIR([m4]) > > > bye, > Sumit > > I didn't know about that trick. I'll add it. Can you point me at a good reference for common/popular autoconf macros like that? -- Stephen Gallagher RHCE 804006346421761 Looking to carve out IT costs? www.redhat.com/carveoutcosts/ From sgallagh at redhat.com Thu May 14 12:47:42 2009 From: sgallagh at redhat.com (Stephen Gallagher) Date: Thu, 14 May 2009 08:47:42 -0400 Subject: [Freeipa-devel] [PATCH] added check for NULL values In-Reply-To: <4A0C0594.5060902@redhat.com> References: <4A0C0594.5060902@redhat.com> Message-ID: <4A0C12EE.4010901@redhat.com> On 05/14/2009 07:50 AM, Sumit Bose wrote: > Hi, > > this patch makes the handling of NULL values in pam_data a bit more > flexible and introduces an additional check in pam_reply. The check is > necessary because pam_reply might get called before the domain structure > is initialized, e.g. if the client data is invalid. > > bye, > Sumit > > > ------------------------------------------------------------------------ > > _______________________________________________ > Freeipa-devel mailing list > Freeipa-devel at redhat.com > https://www.redhat.com/mailman/listinfo/freeipa-devel Ack -- Stephen Gallagher RHCE 804006346421761 Looking to carve out IT costs? www.redhat.com/carveoutcosts/ From jhrozek at redhat.com Thu May 14 12:50:46 2009
From: jhrozek at redhat.com (Jakub Hrozek) Date: Thu, 14 May 2009 14:50:46 +0200 Subject: [Freeipa-devel] [PATCH] More useful error message when adding user/group that already exists Message-ID: <1242305446.24298.41.camel@zeppelin.englab.brq.redhat.com> jlaska (rightfully) complained in RHBZ #498462 about a cryptic error message when the sss_* tools add a user or group that already exists. The attached patch catches EEXIST and prints a more precise error message in sss_useradd and sss_groupadd. Jakub -------------- next part -------------- A non-text attachment was scrubbed... Name: 0001-More-useful-error-message-when-adding-user-group-tha.patch Type: text/x-patch Size: 1845 bytes Desc: not available URL: From jhrozek at redhat.com Thu May 14 12:50:46 2009 
From: jhrozek at redhat.com (Jakub Hrozek) Date: Thu, 14 May 2009 14:50:46 +0200 Subject: [Freeipa-devel] [PATCH] Check for valid ID ranges and ID overlaps between domains In-Reply-To: <4A085F22.8090802@redhat.com> References: <1241525394.26178.37.camel@zeppelin.englab.brq.redhat.com> <1241527435.29148.185.camel@localhost.localdomain> <1242060215.3365.25.camel@zeppelin.englab.brq.redhat.com> <4A085F22.8090802@redhat.com> Message-ID: <1242305446.24298.42.camel@zeppelin.englab.brq.redhat.com> On Mon, 2009-05-11 at 13:23 -0400, Stephen Gallagher wrote: > Nack. If a domain has an invalid range specified, it should be an > error, > not a warning. (e.g. id_min >= id_max, id_min or id_max < 0, etc.) > > Also, I'd prefer if you used a variable name other than "first" for > the > outer loop. It gives the impression that you're always comparing > against > the first domain in the list. > Another iteration attached. Returns EINVAL on invalid range, only prints DEBUG(1,...) on overlap. Jakub -------------- next part -------------- A non-text attachment was scrubbed... Name: 0001-Check-for-valid-ID-range-domains-overlap.patch Type: text/x-patch Size: 2018 bytes Desc: not available URL: From sgallagh at redhat.com Thu May 14 13:00:33 2009 
From: sgallagh at redhat.com (Stephen Gallagher) Date: Thu, 14 May 2009 09:00:33 -0400 Subject: [Freeipa-devel] [PATCH] Check for valid ID ranges and ID overlaps between domains In-Reply-To: <1242305446.24298.42.camel@zeppelin.englab.brq.redhat.com> References: <1241525394.26178.37.camel@zeppelin.englab.brq.redhat.com> <1241527435.29148.185.camel@localhost.localdomain> <1242060215.3365.25.camel@zeppelin.englab.brq.redhat.com> <4A085F22.8090802@redhat.com> <1242305446.24298.42.camel@zeppelin.englab.brq.redhat.com> Message-ID: <4A0C15F1.6050203@redhat.com> On 05/14/2009 08:50 AM, Jakub Hrozek wrote: > On Mon, 2009-05-11 at 13:23 -0400, Stephen Gallagher wrote: >> Nack. If a domain has an invalid range specified, it should be an >> error, >> not a warning. (e.g. id_min >= id_max, id_min or id_max < 0, etc.) >> >> Also, I'd prefer if you used a variable name other than "first" for >> the >> outer loop. It gives the impression that you're always comparing >> against >> the first domain in the list. >> > > Another iteration attached. Returns EINVAL on invalid range, only prints > DEBUG(1,...) on overlap. > > Jakub
Ack -- Stephen Gallagher RHCE 804006346421761 Looking to carve out IT costs? www.redhat.com/carveoutcosts/ From jhrozek at redhat.com Thu May 14 13:00:54 2009
From: jhrozek at redhat.com (Jakub Hrozek) Date: Thu, 14 May 2009 15:00:54 +0200 Subject: [Freeipa-devel] [PATCH] Manpages generation In-Reply-To: <4A0BE9A4.1080902@redhat.com> References: <1242033819.24047.20.camel@zeppelin.englab.brq.redhat.com> <4A0A9616.3020105@redhat.com> <1242233630.17793.26.camel@zeppelin.englab.brq.redhat.com> <4A0BE9A4.1080902@redhat.com> Message-ID: <1242306054.24298.44.camel@zeppelin.englab.brq.redhat.com> On Thu, 2009-05-14 at 11:51 +0200, Sumit Bose wrote: > > Done, too, although the packaging might change when we migrate to > > Automake. > > I do not know how to tell autotools to do this, but it would be nice > to > have something similar to: > > -doc:: $(MANPAGES) > +doc:: $(if $(HAVE_MANPAGES),$(MANPAGES), \ > + $(info Please use configure option --with-manpages to enable > > in Makefile.in to avoid strange messages when 'make doc' is called > after > configure --without-manpages. > Thanks, added to the attached version of the patch. > +1 for groff-formatted manpages in the tarballs > > ACK for the patch, but I think you should talk to Stephen if this > patch > or the autotools patch should come first. We discussed this on IRC with Stephen and he'd like to move this patch first as the autotools conversion is likely to take some more time. Jakub -------------- next part -------------- A non-text attachment was scrubbed... Name: 0001-Manpage-generation.patch Type: text/x-patch Size: 14150 bytes Desc: not available URL: From sgallagh at redhat.com Thu May 14 13:01:34 2009
From: sgallagh at redhat.com (Stephen Gallagher) Date: Thu, 14 May 2009 09:01:34 -0400 Subject: [Freeipa-devel] [PATCH] More useful error message when adding user/group that already exists In-Reply-To: <1242305446.24298.41.camel@zeppelin.englab.brq.redhat.com> References: <1242305446.24298.41.camel@zeppelin.englab.brq.redhat.com> Message-ID: <4A0C162E.9060605@redhat.com> On 05/14/2009 08:50 AM, Jakub Hrozek wrote: > jlaska (rightfully) complained in RHBZ #498462 about a cryptic error > message when the sss_* tools add a user or group that already exists. > The attached patch catches EEXIST and prints a more precise error > message in sss_useradd and sss_groupadd. > > Jakub
Ack -- Stephen Gallagher RHCE 804006346421761 Looking to carve out IT costs? www.redhat.com/carveoutcosts/ From rcritten at redhat.com Thu May 14 13:30:50 2009
From: rcritten at redhat.com (Rob Crittenden) Date: Thu, 14 May 2009 09:30:50 -0400 Subject: [Freeipa-devel] [PATCH] 216 own apache config files Message-ID: <4A0C1D0A.3060804@redhat.com> The IPA Installer creates 2 Apache configuration files that aren't owned by the ipa-server package. This patch rectifies that. rob -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-216-spec.patch Type: application/mbox Size: 1271 bytes Desc: not available URL: From ssorce at redhat.com Thu May 14 15:32:39 2009
From: ssorce at redhat.com (Simo Sorce) Date: Thu, 14 May 2009 11:32:39 -0400 Subject: [Freeipa-devel] [PATCH] Manpages generation In-Reply-To: <1242306054.24298.44.camel@zeppelin.englab.brq.redhat.com> References: <1242033819.24047.20.camel@zeppelin.englab.brq.redhat.com> <4A0A9616.3020105@redhat.com> <1242233630.17793.26.camel@zeppelin.englab.brq.redhat.com> <4A0BE9A4.1080902@redhat.com> <1242306054.24298.44.camel@zeppelin.englab.brq.redhat.com> Message-ID: <1242315159.3695.13.camel@localhost.localdomain> On Thu, 2009-05-14 at 15:00 +0200, Jakub Hrozek wrote: > On Thu, 2009-05-14 at 11:51 +0200, Sumit Bose wrote: > > > Done, too, although the packaging might change when we migrate to > > > Automake. > > > > I do not know how to tell autotools to do this, but it would be nice > > to > > have something similar to: > > > > -doc:: $(MANPAGES) > > +doc:: $(if $(HAVE_MANPAGES),$(MANPAGES), \ > > + $(info Please use configure option --with-manpages to enable > > > > in Makefile.in to avoid strange messages when 'make doc' is called > > after > > configure --without-manpages. > > > > Thanks, added to the attached version of the patch. I still see --with-manpages and not --without-manpages, have you attached the right patch ?? Simo. -- Simo Sorce * Red Hat, Inc * New York From ssorce at redhat.com Thu May 14 15:42:37 2009
From: ssorce at redhat.com (Simo Sorce) Date: Thu, 14 May 2009 11:42:37 -0400 Subject: [Freeipa-devel] [PATCH] added check for NULL values In-Reply-To: <4A0C0594.5060902@redhat.com> References: <4A0C0594.5060902@redhat.com> Message-ID: <1242315757.3695.14.camel@localhost.localdomain> On Thu, 2009-05-14 at 13:50 +0200, Sumit Bose wrote: > Hi, > > this patch makes the handling of NULL values in pam_data a bit more > flexible and introduces an additional check in pam_reply. The check is > necessary because pam_reply might get called before the domain structure > is initialized, e.g. if the client data is invalid. ack and pushed. Simo. -- Simo Sorce * Red Hat, Inc * New York From ssorce at redhat.com Thu May 14 15:42:55 2009 From: ssorce at redhat.com (Simo Sorce) Date: Thu, 14 May 2009 11:42:55 -0400 Subject: [Freeipa-devel] [PATCH] More useful error message when adding user/group that already exists In-Reply-To: <1242305446.24298.41.camel@zeppelin.englab.brq.redhat.com> References: <1242305446.24298.41.camel@zeppelin.englab.brq.redhat.com> Message-ID: <1242315775.3695.15.camel@localhost.localdomain> On Thu, 2009-05-14 at 14:50 +0200, Jakub Hrozek wrote: > jlaska (rightfully) complained in RHBZ #498462 about a cryptic error > message when the sss_* tools add a user or group that already exists. > The attached patch catches EEXIST and prints a more precise error > message in sss_useradd and sss_groupadd. Ack and pushed Simo. -- Simo Sorce * Red Hat, Inc * New York From ssorce at redhat.com Thu May 14 15:43:16 2009
From: ssorce at redhat.com (Simo Sorce) Date: Thu, 14 May 2009 11:43:16 -0400 Subject: [Freeipa-devel] [PATCH] Check for valid ID ranges and ID overlaps between domains In-Reply-To: <1242305446.24298.42.camel@zeppelin.englab.brq.redhat.com> References: <1241525394.26178.37.camel@zeppelin.englab.brq.redhat.com> <1241527435.29148.185.camel@localhost.localdomain> <1242060215.3365.25.camel@zeppelin.englab.brq.redhat.com> <4A085F22.8090802@redhat.com> <1242305446.24298.42.camel@zeppelin.englab.brq.redhat.com> Message-ID: <1242315796.3695.16.camel@localhost.localdomain> On Thu, 2009-05-14 at 14:50 +0200, Jakub Hrozek wrote: > On Mon, 2009-05-11 at 13:23 -0400, Stephen Gallagher wrote: > > Nack. If a domain has an invalid range specified, it should be an > > error, > > not a warning. (e.g. id_min >= id_max, id_min or id_max < 0, etc.) > > > > Also, I'd prefer if you used a variable name other than "first" for > > the > > outer loop. It gives the impression that you're always comparing > > against > > the first domain in the list. > > > > Another iteration attached. Returns EINVAL on invalid range, only prints > DEBUG(1,...) on overlap. Ack and pushed. Simo. -- Simo Sorce * Red Hat, Inc * New York From ssorce at redhat.com Thu May 14 15:43:31 2009 From: ssorce at redhat.com (Simo Sorce) Date: Thu, 14 May 2009 11:43:31 -0400 Subject: [Freeipa-devel] [PATCH][SSSD] Update configure tests for LDB and POPT In-Reply-To: <4A083096.6080307@redhat.com> References: <4A083096.6080307@redhat.com> Message-ID: <1242315811.3695.17.camel@localhost.localdomain> On Mon, 2009-05-11 at 10:05 -0400, Stephen Gallagher wrote: > We need to ensure that configure fails if the popt libraries aren't > present or if LDB module support is unavailable. Ack and pushed. Simo. -- Simo Sorce * Red Hat, Inc * New York From ssorce at redhat.com Thu May 14 15:43:53 2009 
From: ssorce at redhat.com (Simo Sorce) Date: Thu, 14 May 2009 11:43:53 -0400 Subject: [Freeipa-devel] [PATCH][SSSD] Refactor automake build for common libraries In-Reply-To: <4A09D05A.4030604@redhat.com> References: <4A09A061.9040902@gallagherhome.com> <4A09D05A.4030604@redhat.com> Message-ID: <1242315833.3695.18.camel@localhost.localdomain> On Tue, 2009-05-12 at 15:39 -0400, Stephen Gallagher wrote: > On 05/12/2009 12:14 PM, Stephen Gallagher wrote: > > Patch 1: Allow the individual features of the common libraries to be > > configured and built independently. This means it's possible to build > > the libcollection.a without also building dhash and ini_config (if we > > want to eventually ship this as its own independent library) > > > > Patch 2: Allow the creation of a single combined library for all SSSD > > dependencies. This is a non-default config flag, but it will allow us to > > ship all of our dependencies in a single file until such time as they > > are stabilized enough to release separately. > > > Updating patch 0001 with a missed change to common/ini/Makefile.am > > Patch 0002 remains the same. Ack and pushed. Simo. -- Simo Sorce * Red Hat, Inc * New York From ssorce at redhat.com Thu May 14 15:44:21 2009 
From: ssorce at redhat.com (Simo Sorce) Date: Thu, 14 May 2009 11:44:21 -0400 Subject: [Freeipa-devel] [PATCH] Manpages generation In-Reply-To: <1242315159.3695.13.camel@localhost.localdomain> References: <1242033819.24047.20.camel@zeppelin.englab.brq.redhat.com> <4A0A9616.3020105@redhat.com> <1242233630.17793.26.camel@zeppelin.englab.brq.redhat.com> <4A0BE9A4.1080902@redhat.com> <1242306054.24298.44.camel@zeppelin.englab.brq.redhat.com> <1242315159.3695.13.camel@localhost.localdomain> Message-ID: <1242315861.3695.19.camel@localhost.localdomain> On Thu, 2009-05-14 at 11:32 -0400, Simo Sorce wrote: > On Thu, 2009-05-14 at 15:00 +0200, Jakub Hrozek wrote: > > On Thu, 2009-05-14 at 11:51 +0200, Sumit Bose wrote: > > > > Done, too, although the packaging might change when we migrate to > > > > Automake. > > > > > > I do not know how to tell autotools to do this, but it would be nice > > > to > > > have something similar to: > > > > > > -doc:: $(MANPAGES) > > > +doc:: $(if $(HAVE_MANPAGES),$(MANPAGES), \ > > > + $(info Please use configure option --with-manpages to enable > > > > > > in Makefile.in to avoid strange messages when 'make doc' is called > > > after > > > configure --without-manpages. > > > > > > > Thanks, added to the attached version of the patch. > > I still see --with-manpages and not --without-manpages, have you > attached the right patch ?? Forgive me, Sumit explained the autoconf magic. Ack and pushed. Simo. -- Simo Sorce * Red Hat, Inc * New York From ssorce at redhat.com Thu May 14 15:54:35 2009
From: ssorce at redhat.com (Simo Sorce) Date: Thu, 14 May 2009 15:54:35 +0000 Subject: [Freeipa-devel] [PATCHES] Password caching related patches Message-ID: <1242316475.3695.25.camel@localhost.localdomain> The following set of patches is not strictly related but they are somewhat interdependent. Feel free to ack/nack and comment individually.

0001 Fix the crypt functions.
- make them *not* use static buffers, that's just plain wrong
- fix indentation where possible
- fix naming so that exported functions do not have too generic names that may conflict (name space)

0002 Prevents accepting a blank password
- I think we can all agree that allowing blank passwords is not a good idea, however if someone feels strongly about allowing no password logins we should probably make a patch that looks up the individual user record and read an attribute where the specific user is allowed to use blank passwords (IMHO)

0003 Split ldap backend
- mostly so that each single file is easily digestible but also so that in theory you can mix and match (ldap user + krb pwd or local user + ldap pwd, etc...)

0004 Move password caching decision into backends
- this is so that backends can have better control (per user caching/other more complex stuff)

Simo. -- Simo Sorce * Red Hat, Inc * New York -------------- next part -------------- A non-text attachment was scrubbed... Name: 0001-Fix-crypt-functions-to-not-use-static-buffers.patch Type: text/x-patch Size: 27723 bytes Desc: not available URL: -------------- next part -------------- A non-text attachment was scrubbed... Name: 0002-Prevent-accepting-blank-passwords.patch Type: text/x-patch Size: 1097 bytes Desc: not available URL: -------------- next part -------------- A non-text attachment was scrubbed... Name: 0003-Split-ldap-backend-into-auth-and-identity-files.patch Type: text/x-patch Size: 74032 bytes Desc: not available URL: -------------- next part -------------- A non-text attachment was scrubbed...
Name: 0004-Move-actual-password-caching-into-sysdb.patch Type: text/x-patch Size: 24799 bytes Desc: not available URL: From sgallagh at redhat.com Thu May 14 16:29:08 2009 From: sgallagh at redhat.com (Stephen Gallagher) Date: Thu, 14 May 2009 12:29:08 -0400 Subject: [Freeipa-devel] [PATCH][SSSD] Treat the local provider as a special case Message-ID: <4A0C46D4.1060503@redhat.com> This patch will address https://fedorahosted.org/sssd/ticket/38 -- Stephen Gallagher RHCE 804006346421761 Looking to carve out IT costs? www.redhat.com/carveoutcosts/ -------------- next part -------------- An embedded and charset-unspecified text was scrubbed... Name: 0001-Treat-the-local-provider-as-a-special-case.patch URL: From pzuna at redhat.com Thu May 14 17:33:04 2009 From: pzuna at redhat.com (Pavel Zuna) Date: Thu, 14 May 2009 19:33:04 +0200 Subject: [Freeipa-devel] [PATCH] 212 fix argument passing to _handle_errors() In-Reply-To: <4A0B3513.7040509@redhat.com> References: <4A0B3513.7040509@redhat.com> Message-ID: <4A0C55D0.4010207@redhat.com> Rob Crittenden wrote: > I was passing in some non-existent arguments in some cases to > _handle_errors(). Also ensure that we have something to pass something > to notfound(). > > rob ack. Pavel From pzuna at redhat.com Thu May 14 17:49:07 2009
From: pzuna at redhat.com (Pavel Zuna) Date: Thu, 14 May 2009 19:49:07 +0200 Subject: [Freeipa-devel] [PATCH] Add Encoder base class and method decorators to encode arguments/decode return values. Also - unit tests. Message-ID: <4A0C5993.5040005@redhat.com> I was reviewing value encoding/decoding in the new LDAP backend after yesterday's e-mail mini-discussion regarding attribute names with Rob. In a lot of functions that pass values directly to python-ldap we have to encode arguments coming from plugins and decode values coming from python-ldap in return. To save some code and possibly save future backends from this encoding hell, I wrote an Encoder base class and two function decorators. They're supposed to be used like this:

    # import important stuff
    from ipalib.encoder import Encoder, encode_args, decode_retval

    class ldap2(CrudBackend, Encoder):
        # some code

        @encode_args(1, 2, 3)
        @decode_retval()
        def find_entries(self, filter, attrs_list=None, base_dn='',
                         scope=_ldap.SCOPE_SUBTREE, time_limit=1, size_limit=3000):
            # we don't have to care about encoding/decoding here anymore
            # and it saves at least 10 lines of code in this method, yay!

        # some more code

Pavel -------------- next part -------------- A non-text attachment was scrubbed... Name: 0001-Add-Encoder-base-class-and-method-decorators-to-enco.patch Type: application/mbox Size: 15058 bytes Desc: not available URL: From jderose at redhat.com Thu May 14 19:59:32 2009
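An added sketch of the decorator pattern described in the message above, written for this page and not taken from ipalib or the attached patch. The `Encoder` method bodies, the `FakeDirectory` stand-in backend and its sample entry are assumptions, and it uses Python 3 str/bytes where the 2009 code dealt with unicode/str; values that are not valid UTF-8 are left as raw bytes rather than raising.

```python
import functools
import inspect


class Encoder:
    """Mixin converting between text (str) and the bytes a backend expects."""
    encode_to = "utf-8"
    decode_from = "utf-8"

    def encode(self, var):
        if isinstance(var, str):
            return var.encode(self.encode_to)
        if isinstance(var, (list, tuple)):
            return type(var)(self.encode(v) for v in var)
        if isinstance(var, dict):
            return {k: self.encode(v) for k, v in var.items()}
        return var  # None, int, bytes: passed through unchanged

    def decode(self, var):
        if isinstance(var, bytes):
            try:
                return var.decode(self.decode_from)
            except UnicodeDecodeError:
                return var  # binary attribute value: keep the raw bytes
        if isinstance(var, (list, tuple)):
            return type(var)(self.decode(v) for v in var)
        if isinstance(var, dict):
            return {self.decode(k): self.decode(v) for k, v in var.items()}
        return var


def encode_args(*positions):
    """Encode the arguments at these signature positions (0 is self)."""
    def decorate(func):
        sig = inspect.signature(func)  # follows functools.wraps chains
        names = list(sig.parameters)
        targets = [names[i] for i in positions]

        @functools.wraps(func)
        def wrapper(self, *args, **kwargs):
            # Binding first means keyword-passed arguments are encoded too.
            bound = sig.bind(self, *args, **kwargs)
            for name in targets:
                if name in bound.arguments:
                    bound.arguments[name] = self.encode(bound.arguments[name])
            return func(*bound.args, **bound.kwargs)
        return wrapper
    return decorate


def decode_retval():
    """Decode whatever the wrapped method returns."""
    def decorate(func):
        @functools.wraps(func)
        def wrapper(self, *args, **kwargs):
            return self.decode(func(self, *args, **kwargs))
        return wrapper
    return decorate


class FakeDirectory(Encoder):
    """Constructed stand-in for a bytes-only directory client."""

    def __init__(self):
        self.seen = None

    @encode_args(1, 2, 3)
    @decode_retval()
    def find_entries(self, filter, attrs_list=None, base_dn=""):
        self.seen = (filter, attrs_list, base_dn)  # what the backend received
        # Constructed sample result: one text value, one binary value.
        return [("uid=jdoe,cn=users",
                 {b"cn": [b"J\xc3\xb6rg Doe"],
                  b"jpegphoto": [b"\xff\xd8\xff\xe0"]})]


def demo():
    directory = FakeDirectory()
    entries = directory.find_entries(
        "(uid=jdoe)", base_dn="cn=users", attrs_list=["cn", "jpegPhoto"])
    return directory.seen, entries


if __name__ == "__main__":
    print(demo())
```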
From: jderose at redhat.com (Jason Gerard DeRose) Date: Thu, 14 May 2009 13:59:32 -0600 Subject: [Freeipa-devel] [PATCH] Add group plugin port to new LDAP backend. In-Reply-To: <4A0B17F2.4050504@redhat.com> References: <49F9B183.5090902@redhat.com> <49F9B10E.4060209@redhat.com> <49F9B8E8.1010403@redhat.com> <49F9E524.7040804@redhat.com> <4A083C90.40104@redhat.com> <4A0B0BA1.8080608@redhat.com> <4A0B17F2.4050504@redhat.com> Message-ID: <1242331172.9095.2.camel@jgd-dsk> On Wed, 2009-05-13 at 20:56 +0200, Pavel Zuna wrote: > Rob Crittenden wrote: > > Pavel Zuna wrote: > >> Rob Crittenden wrote: > >>> Pavel Zuna wrote: > >>>> Rob Crittenden wrote: > >>>>> Pavel Zuna wrote: > >>>>>> By the way, there's a little bug I discovered while testing this > >>>>>> plugin. It affects the old group plugin as well. When trying to > >>>>>> modify a group into a posixGroup, gidNumber doesn't get generated > >>>>>> automatically resulting in a object violation LDAP error. Solution > >>>>>> is to generate it ourselves, but I didn't know how it works, so I > >>>>>> commented that part out for now. (/FIXME in vim) > >>>>>> > >>>>> > >>>>> This should be fixed in FDS 1.2. Can you update and give it a try? > >>>>> > >>>>> rob > >>>> Sure, just updated and you're right, it works. :) > >>>> Updated patch attached. > >>>> > >>>> Pavel > >>> > >>> nack. This won't handle someone using group-mod to set a specific > >>> gidnumber. The posixGroup objectclass won't be added. > >>> > >>> rob > >> Fixed patch attached. > >> > >> Pavel > > > > The basegroup2 part looks ok but nack on group2. > > > > I think we should stick with using lower-case attribute names as a rule > > of thumb rather than camel case. In any case you test for the string > > posixGroup is in the list of objectclasses, this test needs to be case > > insensitive. > When no attributes to retrieve are specified, python-ldap retrieves them all in > the original form - camel case. 
If we specify them, then it returns them in the > same form as we requested them. The new LDAP backend doesn't use CIDicts > anymore, but only the normal python dict type, so everything is case sensitive. > Of course I can make it return attribute names always as lowercase if that's > what we want. +1. I personally think this is the best approach. > > I also wonder if we should be using ldap.get_entry(). Why use this over > > group-show? > It's faster, because we call get_entry directly and because we can request > objectClass attribute only. Why invoke an IPA command instead of making a > direct call? > > > I'm not sure if the logic around setting gidnumber is right. If you set > > the gidnumber but aren't using the --posix flag it looks like it will > > always append posixgroup to the list of objectclasses. I'm pretty sure > > the LDAP server is going to reject the update. I suppose making a > > list(set(objectclasses)) would work for de-duping. > You're right, it's broken. I'll fix it. > > Pavel From jderose at redhat.com Thu May 14 20:18:42 2009
From: jderose at redhat.com (Jason Gerard DeRose) Date: Thu, 14 May 2009 14:18:42 -0600 Subject: [Freeipa-devel] [PATCH] Add group plugin port to new LDAP backend. In-Reply-To: <4A0B27E1.1080200@redhat.com> References: <49F9B183.5090902@redhat.com> <49F9B10E.4060209@redhat.com> <49F9B8E8.1010403@redhat.com> <49F9E524.7040804@redhat.com> <4A083C90.40104@redhat.com> <4A0B0BA1.8080608@redhat.com> <4A0B17F2.4050504@redhat.com> <4A0B27E1.1080200@redhat.com> Message-ID: <1242332322.9095.17.camel@jgd-dsk> On Wed, 2009-05-13 at 16:04 -0400, Rob Crittenden wrote: > Pavel Zuna wrote: > > Rob Crittenden wrote: > >> Pavel Zuna wrote: > >>> Rob Crittenden wrote: > >>>> Pavel Zuna wrote: > >>>>> Rob Crittenden wrote: > >>>>>> Pavel Zuna wrote: > >>>>>>> By the way, there's a little bug I discovered while testing this > >>>>>>> plugin. It affects the old group plugin as well. When trying to > >>>>>>> modify a group into a posixGroup, gidNumber doesn't get generated > >>>>>>> automatically resulting in a object violation LDAP error. > >>>>>>> Solution is to generate it ourselves, but I didn't know how it > >>>>>>> works, so I commented that part out for now. (/FIXME in vim) > >>>>>>> > >>>>>> > >>>>>> This should be fixed in FDS 1.2. Can you update and give it a try? > >>>>>> > >>>>>> rob > >>>>> Sure, just updated and you're right, it works. :) > >>>>> Updated patch attached. > >>>>> > >>>>> Pavel > >>>> > >>>> nack. This won't handle someone using group-mod to set a specific > >>>> gidnumber. The posixGroup objectclass won't be added. > >>>> > >>>> rob > >>> Fixed patch attached. > >>> > >>> Pavel > >> > >> The basegroup2 part looks ok but nack on group2. > >> > >> I think we should stick with using lower-case attribute names as a > >> rule of thumb rather than camel case. In any case you test for the > >> string posixGroup is in the list of objectclasses, this test needs to > >> be case insensitive. 
> > When no attributes to retrieve are specified, python-ldap retrieves them > > all in the original form - camel case. If we specify them, then it > > returns them in the same form as we requested them. The new LDAP backend > > doesn't use CIDicts anymore, but only the normal python dict type, so > > everything is case sensitive. Of course I can make it return attribute > > names always as lowercase if that's what we want. > > I think we need consistent naming otherwise all sorts of odd bugs can > creep in. > > >> I also wonder if we should be using ldap.get_entry(). Why use this > >> over group-show? > > It's faster, because we call get_entry directly and because we can > > request objectClass attribute only. Why invoke an IPA command instead of > > making a direct call? > > Well, I felt the same way but Jason convinced me that by limiting the > places we do actual LDAP calls will be beneficial in the long-run. The > command is run internally, not over XML-RPC, so there isn't a whole lot > of additional overhead. > > Part of the idea, which we haven't really utilized much yet, is to try > to make the backend easily replaceable. Well, first question, is this Backend.ldap.get_entry(), or a direct call to the python-ldap bindings? I feel very strongly that no plugins should talk directly to python-ldap (except Backend.ldap). But if this is whether to retrieve the group entry via Command.group_show() or Backend.ldap.get_entry(), I think it depends on what attributes are needed. If we want the same attributes as Command.group_show() returns, we should call it so we aren't defining the list of (or logic behind) the attributes to choose in multiple places. If we need all the attributes, calling Backend.ldap.get_entry() is probably best. > > > >> I'm not sure if the logic around setting gidnumber is right. If you > >> set the gidnumber but aren't using the --posix flag it looks like it > >> will always append posixgroup to the list of objectclasses.
I'm pretty > >> sure the LDAP server is going to reject the update. I suppose making a > >> list(set(objectclasses)) would work for de-duping. > > You're right, it's broken. I'll fix it. > > > > Pavel > > ok > > rob From ssorce at redhat.com Thu May 14 23:06:29 2009
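An added example, not code from FreeIPA, of two points argued in the messages above: lowercasing attribute names once where an entry leaves the LDAP backend, and testing for posixGroup case-insensitively before adding it, since `list(set(...))` only removes exact duplicates. The function names and the three sample entries are constructed for illustration, and values are plain strings for readability.

```python
def normalize_entry(raw_attrs):
    """Return a plain dict keyed by lowercased attribute names.

    Names differing only in case (objectClass / objectclass) are merged,
    keeping each value once and in first-seen order.
    """
    entry = {}
    for name, values in raw_attrs.items():
        merged = entry.setdefault(name.lower(), [])
        for value in values:
            if value not in merged:
                merged.append(value)
    return entry


def has_objectclass(entry, name):
    """Case-insensitive membership test on the objectclass values."""
    wanted = name.lower()
    return any(v.lower() == wanted for v in entry.get("objectclass", []))


def naive_add_objectclass(objectclasses, name):
    """The list(set(...)) de-dupe from the thread, sorted for stable output."""
    return sorted(set(objectclasses + [name]))


def group_mod(entry, gidnumber=None, posix=False):
    """Return an updated copy of a normalized group entry.

    Setting a gidnumber implies a POSIX group, so the objectclass is added
    in that case as well as with the posix flag, but only if it is absent.
    """
    updated = {k: list(v) for k, v in entry.items()}
    if posix or gidnumber is not None:
        if not has_objectclass(updated, "posixgroup"):
            updated.setdefault("objectclass", []).append("posixgroup")
    if gidnumber is not None:
        updated["gidnumber"] = [str(gidnumber)]
    return updated


# Constructed sample entries in the camel case a server would return.
RAW_POSIX = {"objectClass": ["top", "groupOfNames", "posixGroup"],
             "cn": ["admins"], "gidNumber": ["1001"]}
RAW_PLAIN = {"objectClass": ["top", "groupOfNames"], "cn": ["editors"]}
RAW_MIXED = {"objectClass": ["top"],
             "objectclass": ["groupOfNames", "top"], "cn": ["ops"]}


def demo():
    posix = normalize_entry(RAW_POSIX)
    plain = normalize_entry(RAW_PLAIN)
    return {
        "naive": naive_add_objectclass(posix["objectclass"], "posixgroup"),
        "posix_after": group_mod(posix, gidnumber=2000),
        "plain_after": group_mod(plain, gidnumber=3000),
        "mixed": normalize_entry(RAW_MIXED),
    }


if __name__ == "__main__":
    for label, value in demo().items():
        print(label, value)
```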
From: ssorce at redhat.com (Simo Sorce) Date: Thu, 14 May 2009 19:06:29 -0400 Subject: [Freeipa-devel] [PATCH] Add group plugin port to new LDAP backend. In-Reply-To: <1242331172.9095.2.camel@jgd-dsk> References: <49F9B183.5090902@redhat.com> <49F9B10E.4060209@redhat.com> <49F9B8E8.1010403@redhat.com> <49F9E524.7040804@redhat.com> <4A083C90.40104@redhat.com> <4A0B0BA1.8080608@redhat.com> <4A0B17F2.4050504@redhat.com> <1242331172.9095.2.camel@jgd-dsk> Message-ID: <1242342389.3695.45.camel@localhost.localdomain> On Thu, 2009-05-14 at 13:59 -0600, Jason Gerard DeRose wrote: > > When no attributes to retrieve are specified, python-ldap retrieves > them all in > > the original form - camel case. If we specify them, then it returns > them in the > > same form as we requested them. The new LDAP backend doesn't use > CIDicts > > anymore, but only the normal python dict type, so everything is case > sensitive. > > Of course I can make it return attribute names always as lowercase > if that's > > what we want. > > +1. I personally think this is the best approach. I would seriously prefer case-insensitive dictionaries unless there is some strong technical/performance reason not to. The point is that LDAP *is* case insensitive for attribute names, and we are going to hit bugs (like we did before we had CIDicts) if we do not acknowledge this fact and try to ignore it or dumb it down. If we are ever going to provide an ldap browser for example it would be strongly desirable to show attributes and values in the same case they were returned by the LDAP server. So do we have a strong technical case for why we can't keep using CIDicts ? Simo. -- Simo Sorce * Red Hat, Inc * New York From jderose at redhat.com Fri May 15 03:57:22 2009
From: jderose at redhat.com (Jason Gerard DeRose) Date: Fri, 15 May 2009 03:57:22 +0000 Subject: [Freeipa-devel] [PATCH] Add group plugin port to new LDAP backend. In-Reply-To: <1242342389.3695.45.camel@localhost.localdomain> References: <49F9B183.5090902@redhat.com> <49F9B10E.4060209@redhat.com> <49F9B8E8.1010403@redhat.com> <49F9E524.7040804@redhat.com> <4A083C90.40104@redhat.com> <4A0B0BA1.8080608@redhat.com> <4A0B17F2.4050504@redhat.com> <1242331172.9095.2.camel@jgd-dsk> <1242342389.3695.45.camel@localhost.localdomain> Message-ID: <1242359842.9095.194.camel@jgd-dsk> On Thu, 2009-05-14 at 19:06 -0400, Simo Sorce wrote: > On Thu, 2009-05-14 at 13:59 -0600, Jason Gerard DeRose wrote: > > > When no attributes to retrieve are specified, python-ldap retrieves > > them all in > > > the original form - camel case. If we specify them, then it returns > > them in the > > > same form as we requested them. The new LDAP backend doesn't use > > CIDicts > > > anymore, but only the normal python dict type, so everything is case > > sensitive. > > > Of course I can make it return attribute names always as lowercase > > if that's > > > what we want. > > > > +1. I personally think this is the best approach. > > > I would seriously prefer case-insensitive dictionaries unless there is > some strong technical/performance reason not to. Yes, there is. We want the processing pipeline to use least-common-denominator data types so that it's easy to glue in existing tools, libraries, extension modules, etc. Some libraries/extensions that expect a dict might fail if passed a CIDict. And they certainly won't know to return our special CIDict. I also use the (*args, **kw) calling semantics often in the pipeline, which will cause our CIDict to disappear the first time it's passed as **keyword arguments. And there will be a performance hit in the Python code as I used/abused the dict type extensively in order to keep the processing pipeline generic and flexible. 
The builtin dict type is implemented in C and is very fast... but as soon as we subclass it and start overriding methods, that performance gets blown out the window big time. I'd have to do some benchmarks, but my shoot from the hip guess is that operations on the CIDict are probably in the ballpark of 50 times slower than operations on the builtin dict. Although I personally feel the above least-common-denominator issue is a more important reason not to use the CIDict. > The point is that LDAP *is* case insensitive for attribute names, and we > are going to hit bugs (like we did before we had CIDIcts) if we do not > acknowledge this fact and try to ignore it or dumb it down. There is no reason using lowercase keys will cause bugs. In fact, it will reduce the chances for them. Direct interaction with LDAP only occurs within the Backend.ldap plugin. All the ldap plugin has to do is lowercase the keys of entries it pulls. By putting this small amount of babysitting in the ldap plugin, we prevent unexpected corner cases from exploding out into the other 95% of the code. And we make it much easier for existing code-bases to integrate with IPA. IMHO, this is without a doubt the simplest and most maintainable approach. > If we are ever going to provide an ldap browser for example it would be > strongly desirable to show attributes and values in the same case they > were returned by the LDAP server. This use case, while interesting, is also an oddball... IPA, correct me if I'm wrong, is largely designed to hide the LDAP details. We could always change the Backend.ldap methods to accept a flag to preserve the case for special consumers like an LDAP browser. But there's no reason to complicate the rest of the code (which is also the great majority of the code) by making this the default, IMHO. > So do we have a strong technical case for why we can't keep using > CIDicts ? By the way, as far as I know, CIDicts aren't being used at all in the v2 codebase. 
They've never been part of the plugin architecture and I don't think they've been used in any of the plugins. > Simo. So there's my two cents. Now the question is, did I convenience you? ;) -Jason From pzuna at redhat.com Fri May 15 10:22:53 2009 
From: pzuna at redhat.com (Pavel Zuna) Date: Fri, 15 May 2009 12:22:53 +0200 Subject: [Freeipa-devel] [PATCH] Add group plugin port to new LDAP backend. In-Reply-To: <1242332322.9095.17.camel@jgd-dsk> References: <49F9B183.5090902@redhat.com> <49F9B10E.4060209@redhat.com> <49F9B8E8.1010403@redhat.com> <49F9E524.7040804@redhat.com> <4A083C90.40104@redhat.com> <4A0B0BA1.8080608@redhat.com> <4A0B17F2.4050504@redhat.com> <4A0B27E1.1080200@redhat.com> <1242332322.9095.17.camel@jgd-dsk> Message-ID: <4A0D427D.1020300@redhat.com> Jason Gerard DeRose wrote: > On Wed, 2009-05-13 at 16:04 -0400, Rob Crittenden wrote: >> Pavel Zuna wrote: >>> Rob Crittenden wrote: >>>> Pavel Zuna wrote: >>>>> Rob Crittenden wrote: >>>>>> Pavel Zuna wrote: >>>>>>> Rob Crittenden wrote: >>>>>>>> Pavel Zuna wrote: >>>>>>>>> By the way, there's a little bug I discovered while testing this >>>>>>>>> plugin. It affects the old group plugin as well. When trying to >>>>>>>>> modify a group into a posixGroup, gidNumber doesn't get generated >>>>>>>>> automatically resulting in a object violation LDAP error. >>>>>>>>> Solution is to generate it ourselves, but I didn't know how it >>>>>>>>> works, so I commented that part out for now. (/FIXME in vim) >>>>>>>>> >>>>>>>> This should be fixed in FDS 1.2. Can you update and give it a try? >>>>>>>> >>>>>>>> rob >>>>>>> Sure, just updated and you're right, it works. :) >>>>>>> Updated patch attached. >>>>>>> >>>>>>> Pavel >>>>>> nack. This won't handle someone using group-mod to set a specific >>>>>> gidnumber. The posixGroup objectclass won't be added. >>>>>> >>>>>> rob >>>>> Fixed patch attached. >>>>> >>>>> Pavel >>>> The basegroup2 part looks ok but nack on group2. >>>> >>>> I think we should stick with using lower-case attribute names as a >>>> rule of thumb rather than camel case. In any case you test for the >>>> string posixGroup is in the list of objectclasses, this test needs to >>>> be case insensitive. 
>>> When no attributes to retrieve are specified, python-ldap retrieves them >>> all in the original form - camel case. If we specify them, then it >>> returns them in the same form as we requested them. The new LDAP backend >>> doesn't use CIDicts anymore, but only the normal python dict type, so >>> everything is case sensitive. Of course I can make it return attribute >>> names always as lowercase if that's what we want. >> I think we need consistent naming otherwise all sorts of odd bugs can >> creep in. >> >>>> I also wonder if we should be using ldap.get_entry(). Why use this >>>> over group-show? >>> It's faster, because we call get_entry directly and because we can >>> request objectClass attribute only. Why invoke an IPA command instead of >>> a making a direct call? >> Well, I felt the same way but Jason convinced me that by limiting the >> places we do actual LDAP calls will be beneficial in the long-run. The >> command is run internally, not over XML-RPC, so there isn't a whole lot >> of additional overhead. >> >> Part of the idea, which we haven't really utilized much yet, is to try >> to make the backend easily replacable. > > Well, first question, is this Backend.ldap.get_entry(), or a direct call > to the python-ldap bindings? I feel very strongly that no plugins > should talk directly to python-ldap (except Backend.ldap). > > But if this is whether to retrieve the group entry via > Command.group_show() or Backend.ldap.get_entry(), I think it depends on > what attributes are needed. If we want the same attributes as > Command.group_show() returns, we should call it so we aren't defining > the list of (or logic behind) the attributes to choose in multiple > places. If we need all the attributes, calling Backend.ldap.get_entry() > is probably best. In this context, we need only the 'objectClass' attribute that group_show doesn't return normally unless we pass it the '--all' option and then we get a lot of attributes we don't need as side effect. 
Generally speaking, I think the decision of what call is made should go like this: We need to get attribute A,B,C,... (even if they happen to be the same as group_show returns)? Call get_entry. We need to get the same attributes group_show returns (whatever those may be)? Call group_show. >>>> I'm not sure if the logic around setting gidnumber is right. If you >>>> set the gidnumber but aren't using the --posix flag it looks like it >>>> will always append posixgroup to the list of objectclasses. I'm pretty >>>> sure the LDAP server is going to reject the update. I suppose making a >>>> list(set(objectclasses)) would work for de-duping. >>> You're right, it's broken. I'll fix it. >>> >>> Pavel >> ok >> >> rob Pavel From pzuna at redhat.com Fri May 15 10:35:23 2009 
From: pzuna at redhat.com (Pavel Zuna) Date: Fri, 15 May 2009 12:35:23 +0200 Subject: [Freeipa-devel] [PATCH] Add group plugin port to new LDAP backend. In-Reply-To: <1242359842.9095.194.camel@jgd-dsk> References: <49F9B183.5090902@redhat.com> <49F9B10E.4060209@redhat.com> <49F9B8E8.1010403@redhat.com> <49F9E524.7040804@redhat.com> <4A083C90.40104@redhat.com> <4A0B0BA1.8080608@redhat.com> <4A0B17F2.4050504@redhat.com> <1242331172.9095.2.camel@jgd-dsk> <1242342389.3695.45.camel@localhost.localdomain> <1242359842.9095.194.camel@jgd-dsk> Message-ID: <4A0D456B.5080007@redhat.com> Jason Gerard DeRose wrote: > On Thu, 2009-05-14 at 19:06 -0400, Simo Sorce wrote: >> On Thu, 2009-05-14 at 13:59 -0600, Jason Gerard DeRose wrote: >>>> When no attributes to retrieve are specified, python-ldap retrieves >>> them all in >>>> the original form - camel case. If we specify them, then it returns >>> them in the >>>> same form as we requested them. The new LDAP backend doesn't use >>> CIDicts >>>> anymore, but only the normal python dict type, so everything is case >>> sensitive. >>>> Of course I can make it return attribute names always as lowercase >>> if that's >>>> what we want. >>> +1. I personally think this is the best approach. >> >> I would seriously prefer case-insensitive dictionaries unless there is >> some strong technical/performance reason not to. > > Yes, there is. We want the processing pipeline to use > least-common-denominator data types so that it's easy glue in existing > tools, libraries, extension modules, etc. Some libraries/extensions > that expect a dict might fail if passed a CIDict. And they certainly > wont know to return our special CIDict. > > I also use the (*args, **kw) calling semantics often in the pipeline, > which will cause our CIDict to disappear the first time it's passed as > **keyword arguments. 
> > And there will be a performance hit in the Python code as I used/abused > the dict type extensively in order to keep the processing pipeline > generic and flexible. The builtin dict type is implemented in C and is > very fast... but as soon as we subclass it and start overriding methods, > that performance gets blown out the window big time. I'd have to do > some benchmarks, but my shoot from the hip guess is that operations on > the CIDict are probably in the ballpark of 50 times slower than > operations on the builtin dict. Although I personally feel the above > least-common-denominator issue is a more important reason not to use the > CIDict. > >> The point is that LDAP *is* case insensitive for attribute names, and we >> are going to hit bugs (like we did before we had CIDIcts) if we do not >> acknowledge this fact and try to ignore it or dumb it down. > > There is no reason using lowercase keys will cause bugs. In fact, it > will reduce the chances for them. Direct interaction with LDAP only > occurs within the Backend.ldap plugin. All the ldap plugin has to do is > lowercase the keys of entries it pulls. By putting this small amount of > babysitting in the ldap plugin, we prevent unexpected corner cases from > exploding out into the other 95% of the code. And we make it much > easier for existing code-bases to integrate with IPA. IHMO, this is > without a doubt the simplest and most maintainable approach. > >> If we are ever going to provide an ldap browser for example it would be >> strongly desirable to show attributes and values in the same case they >> were returned by the LDAP server. > > This use case, while interesting, is also an odd ball... IPA, correct me > if I'm wrong, is largely designed to hide the LDAP details. > > We could always change the Backend.ldap methods to accept a flag to > preserve the case for special consumers like an LDAP browser. 
But > there's no reason to complicate the rest of the code (which is also the > great majority of the code) by making this the default, IHMO. Take a look at the Encoder class I posted on freeipa-devel yesterday. It's far from perfect, but it could solve some of these issues. By default, 'decode_postprocessor' will be set to 'string.lower()' in the LDAP backend and postprocessing will be active for keys only (case of values will remain untouched). If a consumer wants to switch postprocessing off and get the original case, it can do so before making the backend call. The only possible problem I can see at the moment is that these settings are effective for the whole backend and probably not thread-safe (one plugin changing the setting for all other plugins using the backend at the same time). >> So do we have a strong technical case for why we can't keep using >> CIDicts ? > > By the way, as far as I know, CIDicts aren't being used at all in the v2 > codebase. They've never been part of the plugin architecture and I > don't think they've been used in any of the plugins. > >> Simo. > > So there's my two cents. Now the question is, did I convenience > you? ;) > > -Jason > Pavel From sbose at redhat.com Fri May 15 10:33:18 2009 
From: sbose at redhat.com (Sumit Bose) Date: Fri, 15 May 2009 12:33:18 +0200 Subject: [Freeipa-devel] [PATCH] added new pam client protocol Message-ID: <4A0D44EE.8050909@redhat.com> Hi, this patch introduces a new version of the pam client protocol. I think it is more flexible than the current \0-terminated-string format. Now every item has a type (PAM_USER, PAM_TTY, ...), a size and a value. With the help of the size information it is possible to ignore unknown types. This way we can add new items without changing the underlying protocol and client and server can be updated independently. As an example the pam client adds its current locale which is currently not understood by the server. bye, Sumit -------------- next part -------------- A non-text attachment was scrubbed... Name: 0001-added-new-pam-client-protocol.patch Type: text/x-patch Size: 13043 bytes Desc: not available URL: From rcritten at redhat.com Fri May 15 13:40:26 2009 
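The type/size/value framing described in Sumit Bose's message above, as an added example that is not code from the attached patch: a parser that skips unknown item types and bounds-checks the sender-supplied size before using it. The 32-bit little-endian header, the numeric type codes, the locale type 0x7F and the 4096-byte cap are assumptions; only the names PAM_USER and PAM_TTY come from the message.

```python
import struct

# Assumed numeric codes; the message gives only the names PAM_USER and PAM_TTY.
PAM_USER = 1
PAM_TTY = 2
LOCALE_ITEM = 0x7F  # constructed code for an item the receiver does not know

KNOWN_TYPES = {PAM_USER: "user", PAM_TTY: "tty"}

# Assumed header layout: uint32 type, uint32 size, little-endian.
HEADER = struct.Struct("<II")
MAX_ITEM_SIZE = 4096  # assumed per-item cap to bound memory use


class ProtocolError(ValueError):
    """Raised when a buffer cannot be a well-formed sequence of items."""


def pack_item(item_type, value):
    """Encode one item as header (type, size) followed by the value bytes."""
    return HEADER.pack(item_type, len(value)) + value


def parse_items(buf, max_item_size=MAX_ITEM_SIZE):
    """Return (known_items, skipped_types) for a buffer of packed items.

    Unknown types are skipped using their size field, which is what lets
    sender and receiver be updated independently. The size is untrusted
    input, so it is checked against the cap and the remaining bytes.
    """
    known = {}
    skipped = []
    offset = 0
    while offset < len(buf):
        if len(buf) - offset < HEADER.size:
            raise ProtocolError("truncated header at offset %d" % offset)
        item_type, size = HEADER.unpack_from(buf, offset)
        offset += HEADER.size
        if size > max_item_size:
            raise ProtocolError("item of type %d exceeds size cap" % item_type)
        if size > len(buf) - offset:
            raise ProtocolError("item of type %d overruns the buffer" % item_type)
        value = buf[offset:offset + size]
        offset += size
        name = KNOWN_TYPES.get(item_type)
        if name is None:
            skipped.append(item_type)  # ignore, but keep parsing
            continue
        if name in known:
            raise ProtocolError("duplicate item of type %d" % item_type)
        known[name] = value
    return known, skipped


# Constructed sample message: two known items around one unknown item.
SAMPLE_MESSAGE = (
    pack_item(PAM_USER, b"alice")
    + pack_item(LOCALE_ITEM, b"en_US.UTF-8")
    + pack_item(PAM_TTY, b"/dev/pts/0")
)

if __name__ == "__main__":
    print(parse_items(SAMPLE_MESSAGE))
```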
From: rcritten at redhat.com (Rob Crittenden) Date: Fri, 15 May 2009 09:40:26 -0400 Subject: [Freeipa-devel] [PATCH] Add group plugin port to new LDAP backend. In-Reply-To: <4A0D427D.1020300@redhat.com> References: <49F9B183.5090902@redhat.com> <49F9B10E.4060209@redhat.com> <49F9B8E8.1010403@redhat.com> <49F9E524.7040804@redhat.com> <4A083C90.40104@redhat.com> <4A0B0BA1.8080608@redhat.com> <4A0B17F2.4050504@redhat.com> <4A0B27E1.1080200@redhat.com> <1242332322.9095.17.camel@jgd-dsk> <4A0D427D.1020300@redhat.com> Message-ID: <4A0D70CA.6010205@redhat.com> Pavel Zuna wrote: > Jason Gerard DeRose wrote: >> On Wed, 2009-05-13 at 16:04 -0400, Rob Crittenden wrote: >>> Pavel Zuna wrote: >>>> Rob Crittenden wrote: >>>>> Pavel Zuna wrote: >>>>>> Rob Crittenden wrote: >>>>>>> Pavel Zuna wrote: >>>>>>>> Rob Crittenden wrote: >>>>>>>>> Pavel Zuna wrote: >>>>>>>>>> By the way, there's a little bug I discovered while testing >>>>>>>>>> this plugin. It affects the old group plugin as well. When >>>>>>>>>> trying to modify a group into a posixGroup, gidNumber doesn't >>>>>>>>>> get generated automatically resulting in a object violation >>>>>>>>>> LDAP error. Solution is to generate it ourselves, but I didn't >>>>>>>>>> know how it works, so I commented that part out for now. >>>>>>>>>> (/FIXME in vim) >>>>>>>>>> >>>>>>>>> This should be fixed in FDS 1.2. Can you update and give it a try? >>>>>>>>> >>>>>>>>> rob >>>>>>>> Sure, just updated and you're right, it works. :) >>>>>>>> Updated patch attached. >>>>>>>> >>>>>>>> Pavel >>>>>>> nack. This won't handle someone using group-mod to set a specific >>>>>>> gidnumber. The posixGroup objectclass won't be added. >>>>>>> >>>>>>> rob >>>>>> Fixed patch attached. >>>>>> >>>>>> Pavel >>>>> The basegroup2 part looks ok but nack on group2. >>>>> >>>>> I think we should stick with using lower-case attribute names as a >>>>> rule of thumb rather than camel case. 
In any case you test for the >>>>> string posixGroup is in the list of objectclasses, this test needs >>>>> to be case insensitive. >>>> When no attributes to retrieve are specified, python-ldap retrieves >>>> them all in the original form - camel case. If we specify them, then >>>> it returns them in the same form as we requested them. The new LDAP >>>> backend doesn't use CIDicts anymore, but only the normal python dict >>>> type, so everything is case sensitive. Of course I can make it >>>> return attribute names always as lowercase if that's what we want. >>> I think we need consistent naming otherwise all sorts of odd bugs can >>> creep in. >>> >>>>> I also wonder if we should be using ldap.get_entry(). Why use this >>>>> over group-show? >>>> It's faster, because we call get_entry directly and because we can >>>> request objectClass attribute only. Why invoke an IPA command >>>> instead of a making a direct call? >>> Well, I felt the same way but Jason convinced me that by limiting the >>> places we do actual LDAP calls will be beneficial in the long-run. >>> The command is run internally, not over XML-RPC, so there isn't a >>> whole lot of additional overhead. >>> >>> Part of the idea, which we haven't really utilized much yet, is to >>> try to make the backend easily replacable. >> >> Well, first question, is this Backend.ldap.get_entry(), or a direct call >> to the python-ldap bindings? I feel very strongly that no plugins >> should talk directly to python-ldap (except Backend.ldap). >> >> But if this is whether to retrieve the group entry via >> Command.group_show() or Backend.ldap.get_entry(), I think it depends on >> what attributes are needed. If we want the same attributes as >> Command.group_show() returns, we should call it so we aren't defining >> the list of (or logic behind) the attributes to choose in multiple >> places. If we need all the attributes, calling Backend.ldap.get_entry() >> is probably best. 
> In this context, we need only the 'objectClass' attribute that > group_show doesn't return normally unless we pass it the '--all' option > and then we get a lot of attributes we don't need as side effect. The biggest downside is that you'd get the members which really could be quite large. I think a better solution is to be able to pass into group-show (and really any/all of the plugins) the attributes you want to see, with a reasonable default and the --all options available too. The problem with getting the entry within another plugin is you may require knowledge of the schema to do so. If the schema changes, like it did with host recently, you'd have to know to go and change it in other places. When I changed the DN of the host entries the only plugin that changed was host. rob > Generally speaking, I think the decision of what call is made should go > like this: > We need to get attribute A,B,C,... (even if they happen to be the same > as group_show returns)? Call get_entry. > We need to get the same attributes group_show returns (whatever those > may be)? Call group_show. > >>>>> I'm not sure if the logic around setting gidnumber is right. If you >>>>> set the gidnumber but aren't using the --posix flag it looks like >>>>> it will always append posixgroup to the list of objectclasses. I'm >>>>> pretty sure the LDAP server is going to reject the update. I >>>>> suppose making a list(set(objectclasses)) would work for de-duping. >>>> You're right, it's broken. I'll fix it. >>>> >>>> Pavel >>> ok >>> >>> rob > > Pavel From ssorce at redhat.com Fri May 15 14:12:59 2009 
From: ssorce at redhat.com (Simo Sorce) Date: Fri, 15 May 2009 10:12:59 -0400 Subject: [Freeipa-devel] [PATCH] Add group plugin port to new LDAP backend. In-Reply-To: <4A0D70CA.6010205@redhat.com> References: <49F9B183.5090902@redhat.com> <49F9B10E.4060209@redhat.com> <49F9B8E8.1010403@redhat.com> <49F9E524.7040804@redhat.com> <4A083C90.40104@redhat.com> <4A0B0BA1.8080608@redhat.com> <4A0B17F2.4050504@redhat.com> <4A0B27E1.1080200@redhat.com> <1242332322.9095.17.camel@jgd-dsk> <4A0D427D.1020300@redhat.com> <4A0D70CA.6010205@redhat.com> Message-ID: <1242396779.3695.76.camel@localhost.localdomain> On Fri, 2009-05-15 at 09:40 -0400, Rob Crittenden wrote: > > In this context, we need only the 'objectClass' attribute that > > group_show doesn't return normally unless we pass it the '--all' > option > > and then we get a lot of attributes we don't need as side effect. > > The biggest downside is that you'd get the members which really could > be > quite large. I think a better solution is to be able to pass into > group-show (and really any/all of the plugins) the attributes you > want > to see, with a reasonable default and the --all options available too. This is actually crucial, we have requests to store the user picture in a user attribute. The picture can even be megabytes, you really do *not* want to download megabytes per entry unless you really really want the picture. It is bad practice in LDAP queries not to request the specific attributes you are interested in. Simo. -- Simo Sorce * Red Hat, Inc * New York From rcritten at redhat.com Fri May 15 14:13:49 2009 
From: rcritten at redhat.com (Rob Crittenden) Date: Fri, 15 May 2009 10:13:49 -0400 Subject: [Freeipa-devel] [PATCH] 217 change attribute used for hostnames In-Reply-To: <4A0B7785.6070501@redhat.com> References: <4A0B390C.6090709@redhat.com> <4A0B7785.6070501@redhat.com> Message-ID: <4A0D789D.5070907@redhat.com> Rob Crittenden wrote: > Rob Crittenden wrote: >> This goes along with the netgroup patch. >> >> We were using commonname to store the hostname. This made translating >> hosts into triples difficult because the same attribute was used to >> identify hosts and well as hostgroups. >> >> So we decided to use a new attribute, fqdn, instead. >> >> rob > > Sad to say I have to nack my own patch :-( > > I need to make fqdn a MUST attribute and also update the test cases. > > rob > Revised patch. rob -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-217-2-fqdn.patch Type: application/mbox Size: 17170 bytes Desc: not available URL: From ssorce at redhat.com Fri May 15 14:15:33 2009 
From: ssorce at redhat.com (Simo Sorce) Date: Fri, 15 May 2009 10:15:33 -0400 Subject: [Freeipa-devel] [PATCH] Add group plugin port to new LDAP backend. In-Reply-To: <1242359842.9095.194.camel@jgd-dsk> References: <49F9B183.5090902@redhat.com> <49F9B10E.4060209@redhat.com> <49F9B8E8.1010403@redhat.com> <49F9E524.7040804@redhat.com> <4A083C90.40104@redhat.com> <4A0B0BA1.8080608@redhat.com> <4A0B17F2.4050504@redhat.com> <1242331172.9095.2.camel@jgd-dsk> <1242342389.3695.45.camel@localhost.localdomain> <1242359842.9095.194.camel@jgd-dsk> Message-ID: <1242396933.3695.79.camel@localhost.localdomain> On Fri, 2009-05-15 at 03:57 +0000, Jason Gerard DeRose wrote: > > So there's my two cents. Now the question is, did I convenience > you? ;) I am not sure you "convenience" me but you may have convinced me. I understand the technical issues better now, although I would rather see if that's really 50x or not, and how much that would influence the overall performance. We can settle for always casefolding, but how much of an impact is it to always lower case all attribute names on each query ? Simo. -- Simo Sorce * Red Hat, Inc * New York From jderose at redhat.com Fri May 15 17:56:31 2009 
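The attribute-name handling debated in the messages above, as an added example that is not part of any message or of the FreeIPA code base: a dict subclass is reduced to a plain dict when passed as **kw, keys are lowercased once at the backend boundary, and the objectclass test and de-duplication compare case-insensitively. All class and function names are hypothetical, and the entry is constructed sample data using str values for readability.

```python
# Constructed sample: attribute names in mixed case, including two spellings
# of the same attribute, as a case-insensitive directory could return them.
SAMPLE_RAW = {
    "objectClass": ["top", "groupOfNames"],
    "OBJECTCLASS": ["posixGroup", "top"],
    "cn": ["admins"],
    "gidNumber": ["1234"],
}


class CaseInsensitiveDict(dict):
    """Minimal stand-in for a CIDict-style mapping (hypothetical class)."""

    def __init__(self, data=None):
        super().__init__()
        for key, value in (data or {}).items():
            self[key] = value

    def __setitem__(self, key, value):
        super().__setitem__(key.lower(), value)

    def __getitem__(self, key):
        return super().__getitem__(key.lower())

    def __contains__(self, key):
        return super().__contains__(key.lower())


def receives_kwargs(**kw):
    """A pipeline stage called with **kw always gets a plain dict."""
    return kw


def normalize_entry(raw_attrs):
    """Lowercase attribute names once, where entries leave the backend.

    Values keep their original case. Names that differ only in case are
    merged into one key, dropping exact duplicate values.
    """
    entry = {}
    for name, values in raw_attrs.items():
        merged = entry.setdefault(name.lower(), [])
        for value in values:
            if value not in merged:
                merged.append(value)
    return entry


def has_objectclass(entry, wanted):
    """Case-insensitive membership test on a normalized entry."""
    wanted = wanted.lower()
    return any(oc.lower() == wanted for oc in entry.get("objectclass", []))


def add_objectclass(entry, wanted):
    """Append an objectclass unless it is present under any casing.

    A plain set() de-dup is case-sensitive, so 'posixGroup' and
    'posixgroup' would both survive it; compare lowercased values instead.
    Returns True if the value was added.
    """
    if has_objectclass(entry, wanted):
        return False
    entry.setdefault("objectclass", []).append(wanted)
    return True


if __name__ == "__main__":
    cid = CaseInsensitiveDict({"gidNumber": ["1234"]})
    print(type(receives_kwargs(**cid)).__name__)
    entry = normalize_entry(SAMPLE_RAW)
    print(entry, add_objectclass(entry, "posixgroup"))
```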
From: jderose at redhat.com (Jason Gerard DeRose) Date: Fri, 15 May 2009 11:56:31 -0600 Subject: [Freeipa-devel] [PATCH] Add group plugin port to new LDAP backend. In-Reply-To: <4A0D427D.1020300@redhat.com> References: <49F9B183.5090902@redhat.com> <49F9B10E.4060209@redhat.com> <49F9B8E8.1010403@redhat.com> <49F9E524.7040804@redhat.com> <4A083C90.40104@redhat.com> <4A0B0BA1.8080608@redhat.com> <4A0B17F2.4050504@redhat.com> <4A0B27E1.1080200@redhat.com> <1242332322.9095.17.camel@jgd-dsk> <4A0D427D.1020300@redhat.com> Message-ID: <1242410191.7315.0.camel@jgd-dsk> On Fri, 2009-05-15 at 12:22 +0200, Pavel Zuna wrote: > Jason Gerard DeRose wrote: > > On Wed, 2009-05-13 at 16:04 -0400, Rob Crittenden wrote: > >> Pavel Zuna wrote: > >>> Rob Crittenden wrote: > >>>> Pavel Zuna wrote: > >>>>> Rob Crittenden wrote: > >>>>>> Pavel Zuna wrote: > >>>>>>> Rob Crittenden wrote: > >>>>>>>> Pavel Zuna wrote: > >>>>>>>>> By the way, there's a little bug I discovered while testing this > >>>>>>>>> plugin. It affects the old group plugin as well. When trying to > >>>>>>>>> modify a group into a posixGroup, gidNumber doesn't get generated > >>>>>>>>> automatically resulting in a object violation LDAP error. > >>>>>>>>> Solution is to generate it ourselves, but I didn't know how it > >>>>>>>>> works, so I commented that part out for now. (/FIXME in vim) > >>>>>>>>> > >>>>>>>> This should be fixed in FDS 1.2. Can you update and give it a try? > >>>>>>>> > >>>>>>>> rob > >>>>>>> Sure, just updated and you're right, it works. :) > >>>>>>> Updated patch attached. > >>>>>>> > >>>>>>> Pavel > >>>>>> nack. This won't handle someone using group-mod to set a specific > >>>>>> gidnumber. The posixGroup objectclass won't be added. > >>>>>> > >>>>>> rob > >>>>> Fixed patch attached. > >>>>> > >>>>> Pavel > >>>> The basegroup2 part looks ok but nack on group2. > >>>> > >>>> I think we should stick with using lower-case attribute names as a > >>>> rule of thumb rather than camel case. 
In any case you test for the > >>>> string posixGroup is in the list of objectclasses, this test needs to > >>>> be case insensitive. > >>> When no attributes to retrieve are specified, python-ldap retrieves them > >>> all in the original form - camel case. If we specify them, then it > >>> returns them in the same form as we requested them. The new LDAP backend > >>> doesn't use CIDicts anymore, but only the normal python dict type, so > >>> everything is case sensitive. Of course I can make it return attribute > >>> names always as lowercase if that's what we want. > >> I think we need consistent naming otherwise all sorts of odd bugs can > >> creep in. > >> > >>>> I also wonder if we should be using ldap.get_entry(). Why use this > >>>> over group-show? > >>> It's faster, because we call get_entry directly and because we can > >>> request objectClass attribute only. Why invoke an IPA command instead of > >>> a making a direct call? > >> Well, I felt the same way but Jason convinced me that by limiting the > >> places we do actual LDAP calls will be beneficial in the long-run. The > >> command is run internally, not over XML-RPC, so there isn't a whole lot > >> of additional overhead. > >> > >> Part of the idea, which we haven't really utilized much yet, is to try > >> to make the backend easily replacable. > > > > Well, first question, is this Backend.ldap.get_entry(), or a direct call > > to the python-ldap bindings? I feel very strongly that no plugins > > should talk directly to python-ldap (except Backend.ldap). > > > > But if this is whether to retrieve the group entry via > > Command.group_show() or Backend.ldap.get_entry(), I think it depends on > > what attributes are needed. If we want the same attributes as > > Command.group_show() returns, we should call it so we aren't defining > > the list of (or logic behind) the attributes to choose in multiple > > places. If we need all the attributes, calling Backend.ldap.get_entry() > > is probably best. 
> In this context, we need only the 'objectClass' attribute that > group_show doesn't return normally unless we pass it the '--all' option > and then we get a lot of attributes we don't need as side effect. > > Generally speaking, I think the decision of what call is made should go > like this: > We need to get attribute A,B,C,... (even if they happen to be the same > as group_show returns)? Call get_entry. > We need to get the same attributes group_show returns (whatever those > may be)? Call group_show. +1 Well said. > >>>> I'm not sure if the logic around setting gidnumber is right. If you > >>>> set the gidnumber but aren't using the --posix flag it looks like it > >>>> will always append posixgroup to the list of objectclasses. I'm pretty > >>>> sure the LDAP server is going to reject the update. I suppose making a > >>>> list(set(objectclasses)) would work for de-duping. > >>> You're right, it's broken. I'll fix it. > >>> > >>> Pavel > >> ok > >> > >> rob > > Pavel From jderose at redhat.com Fri May 15 18:13:11 2009 
From: jderose at redhat.com (Jason Gerard DeRose) Date: Fri, 15 May 2009 12:13:11 -0600 Subject: [Freeipa-devel] [PATCH] Add group plugin port to new LDAP backend. In-Reply-To: <4A0D70CA.6010205@redhat.com> References: <49F9B183.5090902@redhat.com> <49F9B10E.4060209@redhat.com> <49F9B8E8.1010403@redhat.com> <49F9E524.7040804@redhat.com> <4A083C90.40104@redhat.com> <4A0B0BA1.8080608@redhat.com> <4A0B17F2.4050504@redhat.com> <4A0B27E1.1080200@redhat.com> <1242332322.9095.17.camel@jgd-dsk> <4A0D427D.1020300@redhat.com> <4A0D70CA.6010205@redhat.com> Message-ID: <1242411191.7315.15.camel@jgd-dsk> On Fri, 2009-05-15 at 09:40 -0400, Rob Crittenden wrote: > Pavel Zuna wrote: > > Jason Gerard DeRose wrote: > >> On Wed, 2009-05-13 at 16:04 -0400, Rob Crittenden wrote: > >>> Pavel Zuna wrote: > >>>> Rob Crittenden wrote: > >>>>> Pavel Zuna wrote: > >>>>>> Rob Crittenden wrote: > >>>>>>> Pavel Zuna wrote: > >>>>>>>> Rob Crittenden wrote: > >>>>>>>>> Pavel Zuna wrote: > >>>>>>>>>> By the way, there's a little bug I discovered while testing > >>>>>>>>>> this plugin. It affects the old group plugin as well. When > >>>>>>>>>> trying to modify a group into a posixGroup, gidNumber doesn't > >>>>>>>>>> get generated automatically resulting in a object violation > >>>>>>>>>> LDAP error. Solution is to generate it ourselves, but I didn't > >>>>>>>>>> know how it works, so I commented that part out for now. > >>>>>>>>>> (/FIXME in vim) > >>>>>>>>>> > >>>>>>>>> This should be fixed in FDS 1.2. Can you update and give it a try? > >>>>>>>>> > >>>>>>>>> rob > >>>>>>>> Sure, just updated and you're right, it works. :) > >>>>>>>> Updated patch attached. > >>>>>>>> > >>>>>>>> Pavel > >>>>>>> nack. This won't handle someone using group-mod to set a specific > >>>>>>> gidnumber. The posixGroup objectclass won't be added. > >>>>>>> > >>>>>>> rob > >>>>>> Fixed patch attached. > >>>>>> > >>>>>> Pavel > >>>>> The basegroup2 part looks ok but nack on group2. 
> >>>>> > >>>>> I think we should stick with using lower-case attribute names as a > >>>>> rule of thumb rather than camel case. In any case you test for the > >>>>> string posixGroup is in the list of objectclasses, this test needs > >>>>> to be case insensitive. > >>>> When no attributes to retrieve are specified, python-ldap retrieves > >>>> them all in the original form - camel case. If we specify them, then > >>>> it returns them in the same form as we requested them. The new LDAP > >>>> backend doesn't use CIDicts anymore, but only the normal python dict > >>>> type, so everything is case sensitive. Of course I can make it > >>>> return attribute names always as lowercase if that's what we want. > >>> I think we need consistent naming otherwise all sorts of odd bugs can > >>> creep in. > >>> > >>>>> I also wonder if we should be using ldap.get_entry(). Why use this > >>>>> over group-show? > >>>> It's faster, because we call get_entry directly and because we can > >>>> request objectClass attribute only. Why invoke an IPA command > >>>> instead of a making a direct call? > >>> Well, I felt the same way but Jason convinced me that by limiting the > >>> places we do actual LDAP calls will be beneficial in the long-run. > >>> The command is run internally, not over XML-RPC, so there isn't a > >>> whole lot of additional overhead. > >>> > >>> Part of the idea, which we haven't really utilized much yet, is to > >>> try to make the backend easily replacable. > >> > >> Well, first question, is this Backend.ldap.get_entry(), or a direct call > >> to the python-ldap bindings? I feel very strongly that no plugins > >> should talk directly to python-ldap (except Backend.ldap). > >> > >> But if this is whether to retrieve the group entry via > >> Command.group_show() or Backend.ldap.get_entry(), I think it depends on > >> what attributes are needed. 
If we want the same attributes as > >> Command.group_show() returns, we should call it so we aren't defining > >> the list of (or logic behind) the attributes to choose in multiple > >> places. If we need all the attributes, calling Backend.ldap.get_entry() > >> is probably best. > > In this context, we need only the 'objectClass' attribute that > > group_show doesn't return normally unless we pass it the '--all' option > > and then we get a lot of attributes we don't need as side effect. > > The biggest downside is that you'd get the members which really could be > quite large. I think a better solution is to be able to pass into > group-show (and really any/all of the plugins) the attributes you want > to see, with a reasonable default and the --all options available too. > > The problem with getting the entry within another plugin is you may > require knowledge of the schema to do so. If the schema changes, like it > did with host recently, you'd have to know to go and change it in other > places. When I changed the DN of the host entries the only plugin that > changed was host. > > rob Hmmm, yeah, good point. I think I am retracting my earlier +1. Oh, I've been thinking about how to specify what attributes are pulled by default when an entry is retrieved: I think we should add a flag to the Param to indicate whether it should be included. This keeps things easily pluggable. Although we haven't used them yet, the Attribute plugins are designed to add another Param (in the case of LDAP stuff, an LDAP attribute) to a corresponding Object plugin. So you could add a new Param to Object.user, which would automatically get picked up by all the user crud methods. If we have the list of attributes to retrieve hard-coded in Command.user_show(), an Attribute plugin can't be included in the list of attributes to pull without overriding the Command.user_show plugin. What do you two think? 
> > Generally speaking, I think the decision of what call is made should go > > like this: > > We need to get attribute A,B,C,... (even if they happen to be the same > > as group_show returns)? Call get_entry. > > We need to get the same attributes group_show returns (whatever those > > may be)? Call group_show. > > > >>>>> I'm not sure if the logic around setting gidnumber is right. If you > >>>>> set the gidnumber but aren't using the --posix flag it looks like > >>>>> it will always append posixgroup to the list of objectclasses. I'm > >>>>> pretty sure the LDAP server is going to reject the update. I > >>>>> suppose making a list(set(objectclasses)) would work for de-duping. > >>>> You're right, it's broken. I'll fix it. > >>>> > >>>> Pavel > >>> ok > >>> > >>> rob > > > > Pavel > From rcritten at redhat.com Fri May 15 18:51:51 2009 
From: rcritten at redhat.com (Rob Crittenden) Date: Fri, 15 May 2009 14:51:51 -0400 Subject: [Freeipa-devel] [PATCH] Add group plugin port to new LDAP backend. In-Reply-To: <1242411191.7315.15.camel@jgd-dsk> References: <49F9B183.5090902@redhat.com> <49F9B10E.4060209@redhat.com> <49F9B8E8.1010403@redhat.com> <49F9E524.7040804@redhat.com> <4A083C90.40104@redhat.com> <4A0B0BA1.8080608@redhat.com> <4A0B17F2.4050504@redhat.com> <4A0B27E1.1080200@redhat.com> <1242332322.9095.17.camel@jgd-dsk> <4A0D427D.1020300@redhat.com> <4A0D70CA.6010205@redhat.com> <1242411191.7315.15.camel@jgd-dsk> Message-ID: <4A0DB9C7.3030802@redhat.com> Jason Gerard DeRose wrote: > On Fri, 2009-05-15 at 09:40 -0400, Rob Crittenden wrote: >> Pavel Zuna wrote: >>> Jason Gerard DeRose wrote: >>>> On Wed, 2009-05-13 at 16:04 -0400, Rob Crittenden wrote: >>>>> Pavel Zuna wrote: >>>>>> Rob Crittenden wrote: >>>>>>> Pavel Zuna wrote: >>>>>>>> Rob Crittenden wrote: >>>>>>>>> Pavel Zuna wrote: >>>>>>>>>> Rob Crittenden wrote: >>>>>>>>>>> Pavel Zuna wrote: >>>>>>>>>>>> By the way, there's a little bug I discovered while testing >>>>>>>>>>>> this plugin. It affects the old group plugin as well. When >>>>>>>>>>>> trying to modify a group into a posixGroup, gidNumber doesn't >>>>>>>>>>>> get generated automatically resulting in a object violation >>>>>>>>>>>> LDAP error. Solution is to generate it ourselves, but I didn't >>>>>>>>>>>> know how it works, so I commented that part out for now. >>>>>>>>>>>> (/FIXME in vim) >>>>>>>>>>>> >>>>>>>>>>> This should be fixed in FDS 1.2. Can you update and give it a try? >>>>>>>>>>> >>>>>>>>>>> rob >>>>>>>>>> Sure, just updated and you're right, it works. :) >>>>>>>>>> Updated patch attached. >>>>>>>>>> >>>>>>>>>> Pavel >>>>>>>>> nack. This won't handle someone using group-mod to set a specific >>>>>>>>> gidnumber. The posixGroup objectclass won't be added. >>>>>>>>> >>>>>>>>> rob >>>>>>>> Fixed patch attached. 
>>>>>>>> >>>>>>>> Pavel >>>>>>> The basegroup2 part looks ok but nack on group2. >>>>>>> >>>>>>> I think we should stick with using lower-case attribute names as a >>>>>>> rule of thumb rather than camel case. In any case you test for the >>>>>>> string posixGroup is in the list of objectclasses, this test needs >>>>>>> to be case insensitive. >>>>>> When no attributes to retrieve are specified, python-ldap retrieves >>>>>> them all in the original form - camel case. If we specify them, then >>>>>> it returns them in the same form as we requested them. The new LDAP >>>>>> backend doesn't use CIDicts anymore, but only the normal python dict >>>>>> type, so everything is case sensitive. Of course I can make it >>>>>> return attribute names always as lowercase if that's what we want. >>>>> I think we need consistent naming otherwise all sorts of odd bugs can >>>>> creep in. >>>>> >>>>>>> I also wonder if we should be using ldap.get_entry(). Why use this >>>>>>> over group-show? >>>>>> It's faster, because we call get_entry directly and because we can >>>>>> request objectClass attribute only. Why invoke an IPA command >>>>>> instead of a making a direct call? >>>>> Well, I felt the same way but Jason convinced me that by limiting the >>>>> places we do actual LDAP calls will be beneficial in the long-run. >>>>> The command is run internally, not over XML-RPC, so there isn't a >>>>> whole lot of additional overhead. >>>>> >>>>> Part of the idea, which we haven't really utilized much yet, is to >>>>> try to make the backend easily replacable. >>>> Well, first question, is this Backend.ldap.get_entry(), or a direct call >>>> to the python-ldap bindings? I feel very strongly that no plugins >>>> should talk directly to python-ldap (except Backend.ldap). >>>> >>>> But if this is whether to retrieve the group entry via >>>> Command.group_show() or Backend.ldap.get_entry(), I think it depends on >>>> what attributes are needed. 
If we want the same attributes as >>>> Command.group_show() returns, we should call it so we aren't defining >>>> the list of (or logic behind) the attributes to choose in multiple >>>> places. If we need all the attributes, calling Backend.ldap.get_entry() >>>> is probably best. >>> In this context, we need only the 'objectClass' attribute that >>> group_show doesn't return normally unless we pass it the '--all' option >>> and then we get a lot of attributes we don't need as side effect. >> The biggest downside is that you'd get the members which really could be >> quite large. I think a better solution is to be able to pass into >> group-show (and really any/all of the plugins) the attributes you want >> to see, with a reasonable default and the --all options available too. >> >> The problem with getting the entry within another plugin is you may >> require knowledge of the schema to do so. If the schema changes, like it >> did with host recently, you'd have to know to go and change it in other >> places. When I changed the DN of the host entries the only plugin that >> changed was host. >> >> rob > > Hmmm, yeah, good point. I think I am retracting my earlier +1. > > Oh, I've been thinking about how to specify what attributes are pulled > by default when an entry is retrieved: I think we should add flag to the > Param to indicate whether it should be included. This keeps things > easily plugable. > > Although we haven't used them yet, the Attribute plugins are designed to > add another Param (in the case of LDAP stuff, an LDAP attribute) to a > corresponding Object plugin. So you could add a new Param to > Object.user, which would automatically get picked up by all the user > crud methods. If we have the list of attributes to retrieve hard-coded > in Command.user_show(), an Attribute plugin can't be included in the > list of attributes to pull without overriding the Command.user_show > plugin. > > What do you two think? 
But we can never know all possible attributes. We will always need some generic way to pass in a name/value pair and hope for the best, unless we want to slurp in the schema on the framework side and use that as a baseline. And speaking of LDAP plugins, a critical missing piece of the new LDAP backend is support for the command-line tools. They all currently use the IPAdmin class. rob From jderose at redhat.com Fri May 15 18:55:28 2009 
From: jderose at redhat.com (Jason Gerard DeRose) Date: Fri, 15 May 2009 12:55:28 -0600 Subject: [Freeipa-devel] [PATCH] Add group plugin port to new LDAP backend. In-Reply-To: <1242396933.3695.79.camel@localhost.localdomain> References: <49F9B183.5090902@redhat.com> <49F9B10E.4060209@redhat.com> <49F9B8E8.1010403@redhat.com> <49F9E524.7040804@redhat.com> <4A083C90.40104@redhat.com> <4A0B0BA1.8080608@redhat.com> <4A0B17F2.4050504@redhat.com> <1242331172.9095.2.camel@jgd-dsk> <1242342389.3695.45.camel@localhost.localdomain> <1242359842.9095.194.camel@jgd-dsk> <1242396933.3695.79.camel@localhost.localdomain> Message-ID: <1242413728.7315.69.camel@jgd-dsk> On Fri, 2009-05-15 at 10:15 -0400, Simo Sorce wrote: > On Fri, 2009-05-15 at 03:57 +0000, Jason Gerard DeRose wrote: > > > > So there's my two cents. Now the question is, did I convenience > > you? ;) > > I am not sure you "convenience" me but you may have convinced me. Hehe, how is it that the Italian is always the one who catches my bad English usage/spelling mistakes? Actually, you and Steve both gang up on me. ;) > I understand the technical issues better now, although I would rather > see if that's really 50x or not, and how much that would influence the > overall performance. I'll set up a test. My 50x is just a wild guess, but I'd be very surprised if it was any less than 10x slower. Like I said, even if there was no performance impact, the compatibility issue alone is reason enough not to use CIDict, IMHO. > We can settle for always casefolding, but how much of an impact is it to > always lower case all attribute names on each query ? This will have little impact because we only do it once when the dict enters the pipeline. The pipeline does rounds and rounds of dict gymnastics (hehe)... we do set operations on dicts, they are copied, merged, we do a zillion membership tests, iterate through keys and values again and again, etc. 
So having slowdown in these numerous operations in the middle of the pipeline will have a much larger effect than slowdown in a single operation at an entry point. > Simo. > From jderose at redhat.com Fri May 15 18:57:56 2009 
From: jderose at redhat.com (Jason Gerard DeRose) Date: Fri, 15 May 2009 12:57:56 -0600 Subject: [Freeipa-devel] [PATCH] Add group plugin port to new LDAP backend. In-Reply-To: <4A0DB9C7.3030802@redhat.com> References: <49F9B183.5090902@redhat.com> <49F9B10E.4060209@redhat.com> <49F9B8E8.1010403@redhat.com> <49F9E524.7040804@redhat.com> <4A083C90.40104@redhat.com> <4A0B0BA1.8080608@redhat.com> <4A0B17F2.4050504@redhat.com> <4A0B27E1.1080200@redhat.com> <1242332322.9095.17.camel@jgd-dsk> <4A0D427D.1020300@redhat.com> <4A0D70CA.6010205@redhat.com> <1242411191.7315.15.camel@jgd-dsk> <4A0DB9C7.3030802@redhat.com> Message-ID: <1242413876.7315.70.camel@jgd-dsk> On Fri, 2009-05-15 at 14:51 -0400, Rob Crittenden wrote: > Jason Gerard DeRose wrote: > > On Fri, 2009-05-15 at 09:40 -0400, Rob Crittenden wrote: > >> Pavel Zuna wrote: > >>> Jason Gerard DeRose wrote: > >>>> On Wed, 2009-05-13 at 16:04 -0400, Rob Crittenden wrote: > >>>>> Pavel Zuna wrote: > >>>>>> Rob Crittenden wrote: > >>>>>>> Pavel Zuna wrote: > >>>>>>>> Rob Crittenden wrote: > >>>>>>>>> Pavel Zuna wrote: > >>>>>>>>>> Rob Crittenden wrote: > >>>>>>>>>>> Pavel Zuna wrote: > >>>>>>>>>>>> By the way, there's a little bug I discovered while testing > >>>>>>>>>>>> this plugin. It affects the old group plugin as well. When > >>>>>>>>>>>> trying to modify a group into a posixGroup, gidNumber doesn't > >>>>>>>>>>>> get generated automatically resulting in a object violation > >>>>>>>>>>>> LDAP error. Solution is to generate it ourselves, but I didn't > >>>>>>>>>>>> know how it works, so I commented that part out for now. > >>>>>>>>>>>> (/FIXME in vim) > >>>>>>>>>>>> > >>>>>>>>>>> This should be fixed in FDS 1.2. Can you update and give it a try? > >>>>>>>>>>> > >>>>>>>>>>> rob > >>>>>>>>>> Sure, just updated and you're right, it works. :) > >>>>>>>>>> Updated patch attached. > >>>>>>>>>> > >>>>>>>>>> Pavel > >>>>>>>>> nack. This won't handle someone using group-mod to set a specific > >>>>>>>>> gidnumber. 
The posixGroup objectclass won't be added. > >>>>>>>>> > >>>>>>>>> rob > >>>>>>>> Fixed patch attached. > >>>>>>>> > >>>>>>>> Pavel > >>>>>>> The basegroup2 part looks ok but nack on group2. > >>>>>>> > >>>>>>> I think we should stick with using lower-case attribute names as a > >>>>>>> rule of thumb rather than camel case. In any case you test for the > >>>>>>> string posixGroup is in the list of objectclasses, this test needs > >>>>>>> to be case insensitive. > >>>>>> When no attributes to retrieve are specified, python-ldap retrieves > >>>>>> them all in the original form - camel case. If we specify them, then > >>>>>> it returns them in the same form as we requested them. The new LDAP > >>>>>> backend doesn't use CIDicts anymore, but only the normal python dict > >>>>>> type, so everything is case sensitive. Of course I can make it > >>>>>> return attribute names always as lowercase if that's what we want. > >>>>> I think we need consistent naming otherwise all sorts of odd bugs can > >>>>> creep in. > >>>>> > >>>>>>> I also wonder if we should be using ldap.get_entry(). Why use this > >>>>>>> over group-show? > >>>>>> It's faster, because we call get_entry directly and because we can > >>>>>> request objectClass attribute only. Why invoke an IPA command > >>>>>> instead of a making a direct call? > >>>>> Well, I felt the same way but Jason convinced me that by limiting the > >>>>> places we do actual LDAP calls will be beneficial in the long-run. > >>>>> The command is run internally, not over XML-RPC, so there isn't a > >>>>> whole lot of additional overhead. > >>>>> > >>>>> Part of the idea, which we haven't really utilized much yet, is to > >>>>> try to make the backend easily replacable. > >>>> Well, first question, is this Backend.ldap.get_entry(), or a direct call > >>>> to the python-ldap bindings? I feel very strongly that no plugins > >>>> should talk directly to python-ldap (except Backend.ldap). 
> >>>> > >>>> But if this is whether to retrieve the group entry via > >>>> Command.group_show() or Backend.ldap.get_entry(), I think it depends on > >>>> what attributes are needed. If we want the same attributes as > >>>> Command.group_show() returns, we should call it so we aren't defining > >>>> the list of (or logic behind) the attributes to choose in multiple > >>>> places. If we need all the attributes, calling Backend.ldap.get_entry() > >>>> is probably best. > >>> In this context, we need only the 'objectClass' attribute that > >>> group_show doesn't return normally unless we pass it the '--all' option > >>> and then we get a lot of attributes we don't need as side effect. > >> The biggest downside is that you'd get the members which really could be > >> quite large. I think a better solution is to be able to pass into > >> group-show (and really any/all of the plugins) the attributes you want > >> to see, with a reasonable default and the --all options available too. > >> > >> The problem with getting the entry within another plugin is you may > >> require knowledge of the schema to do so. If the schema changes, like it > >> did with host recently, you'd have to know to go and change it in other > >> places. When I changed the DN of the host entries the only plugin that > >> changed was host. > >> > >> rob > > > > Hmmm, yeah, good point. I think I am retracting my earlier +1. > > > > Oh, I've been thinking about how to specify what attributes are pulled > > by default when an entry is retrieved: I think we should add flag to the > > Param to indicate whether it should be included. This keeps things > > easily plugable. > > > > Although we haven't used them yet, the Attribute plugins are designed to > > add another Param (in the case of LDAP stuff, an LDAP attribute) to a > > corresponding Object plugin. So you could add a new Param to > > Object.user, which would automatically get picked up by all the user > > crud methods. 
If we have the list of attributes to retrieve hard-coded > > in Command.user_show(), an Attribute plugin can't be included in the > > list of attributes to pull without overriding the Command.user_show > > plugin. > > > > What do you two think? > > But we can never know all possible attributes. We will always need some > generic way to pass in a name/value pair and hope for the best, unless > we want to slurp in the schema on the framework side and use that as a > baseline. > > And speaking of LDAP plugins, a critical missing piece of the new LDAP > backend is support for the command-line tools. They all currently use > the IPAdmin class. Do you mean the installer/updater scripts, like ipa-server-install and whatnot? > rob From ssorce at redhat.com Fri May 15 19:02:32 2009 
From: ssorce at redhat.com (Simo Sorce) Date: Fri, 15 May 2009 15:02:32 -0400 Subject: [Freeipa-devel] [PATCH] Add group plugin port to new LDAP backend. In-Reply-To: <4A0DB9C7.3030802@redhat.com> References: <49F9B183.5090902@redhat.com> <49F9B10E.4060209@redhat.com> <49F9B8E8.1010403@redhat.com> <49F9E524.7040804@redhat.com> <4A083C90.40104@redhat.com> <4A0B0BA1.8080608@redhat.com> <4A0B17F2.4050504@redhat.com> <4A0B27E1.1080200@redhat.com> <1242332322.9095.17.camel@jgd-dsk> <4A0D427D.1020300@redhat.com> <4A0D70CA.6010205@redhat.com> <1242411191.7315.15.camel@jgd-dsk> <4A0DB9C7.3030802@redhat.com> Message-ID: <1242414152.3695.96.camel@localhost.localdomain> On Fri, 2009-05-15 at 14:51 -0400, Rob Crittenden wrote: > > But we can never know all possible attributes. We will always need > some > generic way to pass in a name/value pair and hope for the best, > unless > we want to slurp in the schema on the framework side and use that as > a > baseline. And that may still not cover some operational attributes. I am also wondering if there is a way to use/retrieve controls/extended operations, as in some cases it may be needed (get keytab). Simo. -- Simo Sorce * Red Hat, Inc * New York From ssorce at redhat.com Fri May 15 22:58:29 2009 From: ssorce at redhat.com (Simo Sorce) Date: Fri, 15 May 2009 18:58:29 -0400 Subject: [Freeipa-devel] [PATCH] offline mode for proxy provider Message-ID: <1242428309.3695.105.camel@localhost.localdomain> As per subject. Simo. -- Simo Sorce * Red Hat, Inc * New York -------------- next part -------------- A non-text attachment was scrubbed... Name: 0001-Implement-approximate-offline-detection-in-proxy.patch Type: text/x-patch Size: 6970 bytes Desc: not available URL: From ssorce at redhat.com Sun May 17 16:14:24 2009 
From: ssorce at redhat.com (Simo Sorce) Date: Sun, 17 May 2009 12:14:24 -0400 Subject: [Freeipa-devel] [PATCH][SSSD] Treat the local provider as a special case In-Reply-To: <4A0C46D4.1060503@redhat.com> References: <4A0C46D4.1060503@redhat.com> Message-ID: <1242576864.3695.111.camel@localhost.localdomain> On Thu, 2009-05-14 at 12:29 -0400, Stephen Gallagher wrote: > This patch will address https://fedorahosted.org/sssd/ticket/38 ack and pushed -- Simo Sorce * Red Hat, Inc * New York From ssorce at redhat.com Sun May 17 16:14:40 2009 From: ssorce at redhat.com (Simo Sorce) Date: Sun, 17 May 2009 12:14:40 -0400 Subject: [Freeipa-devel] [PATCH] added new pam client protocol In-Reply-To: <4A0D44EE.8050909@redhat.com> References: <4A0D44EE.8050909@redhat.com> Message-ID: <1242576880.3695.112.camel@localhost.localdomain> On Fri, 2009-05-15 at 12:33 +0200, Sumit Bose wrote: > Hi, > > this patch introduces a new version of the pam client protocol. I > think > it is more flexible as the current \0-terminated-string format. Now > every item has a type (PAM_USER, PAM_TTY, ...), a size and a value. > With > the help of the size information it is possible to ignore unknown > types. > This way we can add new items without changing the underlying protocol > and client and server can be updated independently. As an example the > pam client adds its current locale which is currently not understood > by > the server. ack and pushed Simo. -- Simo Sorce * Red Hat, Inc * New York From ssorce at redhat.com Sun May 17 16:14:54 2009 
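The type/size/value layout described in the "added new pam client protocol" message above, as an added example that is not part of any message in this archive and is not SSSD's code. It assumes 32-bit little-endian type and size fields; the item numbers and every `ex_` name are hypothetical, and the sample messages are constructed. It shows the two checks such a parser needs: skip unknown types using their size, and reject a size that runs past the received buffer.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical item type numbers, made up for this example. */
enum { EX_ITEM_USER = 1, EX_ITEM_TTY = 2, EX_ITEM_LOCALE = 0x7001 };

struct ex_request {
    char user[64];
    char tty[64];
    unsigned skipped;          /* items whose type this parser does not know */
};

/* Assumed encoding: 32-bit little-endian integers. */
static uint32_t ex_get_u32(const uint8_t *p)
{
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 |
           (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}

static void ex_put_u32(uint8_t *p, uint32_t v)
{
    p[0] = (uint8_t)v;         p[1] = (uint8_t)(v >> 8);
    p[2] = (uint8_t)(v >> 16); p[3] = (uint8_t)(v >> 24);
}

/* Copy a value into a fixed buffer; reject oversized values and embedded NULs. */
static int ex_copy_str(char *dst, size_t dstlen, const uint8_t *val, uint32_t len)
{
    if (len >= dstlen || memchr(val, 0, len) != NULL)
        return -1;
    memcpy(dst, val, len);
    dst[len] = '\0';
    return 0;
}

/* Parse a sequence of (type, size, value) items. Returns 0, or -1 if malformed. */
int ex_parse(const uint8_t *buf, size_t buflen, struct ex_request *out)
{
    size_t off = 0;

    memset(out, 0, sizeof(*out));
    while (off < buflen) {
        if (buflen - off < 8)
            return -1;                     /* truncated item header */
        uint32_t type = ex_get_u32(buf + off);
        uint32_t len = ex_get_u32(buf + off + 4);
        off += 8;
        if (len > buflen - off)
            return -1;                     /* size claims more than was received */
        const uint8_t *val = buf + off;
        switch (type) {
        case EX_ITEM_USER:
            if (ex_copy_str(out->user, sizeof(out->user), val, len) != 0)
                return -1;
            break;
        case EX_ITEM_TTY:
            if (ex_copy_str(out->tty, sizeof(out->tty), val, len) != 0)
                return -1;
            break;
        default:
            out->skipped++;                /* unknown type: step over it by size */
            break;
        }
        off += len;
    }
    return 0;
}

/* Append one item to a buffer the caller has sized; returns the new offset. */
static size_t ex_put_item(uint8_t *buf, size_t off, uint32_t type,
                          const char *val, uint32_t len)
{
    ex_put_u32(buf + off, type);
    ex_put_u32(buf + off + 4, len);
    memcpy(buf + off + 8, val, len);
    return off + 8 + len;
}

/* Constructed message: user, a locale item the parser does not know, tty. */
const struct ex_request *ex_demo_valid(void)
{
    static struct ex_request r;
    uint8_t msg[64];
    size_t n = 0;

    n = ex_put_item(msg, n, EX_ITEM_USER, "alice", 5);
    n = ex_put_item(msg, n, EX_ITEM_LOCALE, "en_US.UTF-8", 11);
    n = ex_put_item(msg, n, EX_ITEM_TTY, "tty1", 4);
    return ex_parse(msg, n, &r) == 0 ? &r : NULL;
}

/* Constructed malformed message: size field says 500 bytes, 5 are present. */
int ex_demo_bad_size(void)
{
    struct ex_request r;
    uint8_t msg[32];
    size_t n = ex_put_item(msg, 0, EX_ITEM_USER, "alice", 5);

    ex_put_u32(msg + 4, 500);
    return ex_parse(msg, n, &r);
}

int main(void)
{
    const struct ex_request *r = ex_demo_valid();

    if (r != NULL)
        printf("user=%s tty=%s skipped=%u\n", r->user, r->tty, r->skipped);
    printf("bad size: rc=%d\n", ex_demo_bad_size());
    return 0;
}
```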
From: ssorce at redhat.com (Simo Sorce) Date: Sun, 17 May 2009 12:14:54 -0400 Subject: [Freeipa-devel] [PATCH] added more flexible handling of client protocol In-Reply-To: <4A092FCB.30507@redhat.com> References: <4A092FCB.30507@redhat.com> Message-ID: <1242576894.3695.113.camel@localhost.localdomain> On Tue, 2009-05-12 at 10:14 +0200, Sumit Bose wrote: > > Hi, > > this is the combined version of the two previous patches concerning > the > version of the client protocol. Additionally it saves the current > version > in the client context of the responder and introduces a static array > which > holds the version number together with a data and a description. ack and pushed. Simo. -- Simo Sorce * Red Hat, Inc * New York From ssorce at redhat.com Sun May 17 16:18:30 2009 From: ssorce at redhat.com (Simo Sorce) Date: Sun, 17 May 2009 12:18:30 -0400 Subject: [Freeipa-devel] Pushed build fixes Message-ID: <1242577110.3695.117.camel@localhost.localdomain> Hi, I've pushed a few build fixes as they were necessary to be able to actually build, so I skipped the normal review to keep the tree in buildable state for all. Please, when you send patches that add/remove files or change configure/makefiles make sure you test your changes on a tree where you have run git clean -f -d -x (beware this will remove *every* file not committed). This will make sure that your patch will let the tree build cleanly. This is the commit I pushed: http://git.fedorahosted.org/git/sssd.git?p=sssd.git;a=commit;h=2011c5c332083582d6b0dc8424dfc794a8f06cca Simo. -- Simo Sorce * Red Hat, Inc * New York From ssorce at redhat.com Sun May 17 16:23:00 2009 
From: ssorce at redhat.com (Simo Sorce) Date: Sun, 17 May 2009 12:23:00 -0400 Subject: [Freeipa-devel] [PATCH] InfoPipe tests In-Reply-To: <1239641168.24119.14.camel@hendrix> References: <1239641168.24119.14.camel@hendrix> Message-ID: <1242577380.3695.119.camel@localhost.localdomain> On Mon, 2009-04-13 at 18:46 +0200, Jakub Hrozek wrote: > I wrote these before I knew that the current InfoPipe incarnation was > going down the drain...but maybe at least parts will be useful anyway. > These tests test the Infopipe methods that require the caller to be root > as per the infp_get_permissions() check, so they reside in a separate > test binary called tests/infopipe-privileged-tests. > > The second patch fixes some typos in the Introspection XML file. > > Jakub Do we still want to push these patches ? Simo. -- Simo Sorce * Red Hat, Inc * New York From ssorce at redhat.com Sun May 17 16:23:41 2009 From: ssorce at redhat.com (Simo Sorce) Date: Sun, 17 May 2009 12:23:41 -0400 Subject: [Freeipa-devel] [PATCH] fix --setup-bind In-Reply-To: <49F60B5A.2080804@redhat.com> References: <49F60B5A.2080804@redhat.com> Message-ID: <1242577421.3695.120.camel@localhost.localdomain> On Mon, 2009-04-27 at 15:45 -0400, Rob Crittenden wrote: > Fix the --setup-bind option. This creates the zone file used for > auto-discovery. I guess I never tested this since changing the installer > code. > > Pushed to master under the 1-liner rule. This was causing the installer > to bail out. ack Simo. -- Simo Sorce * Red Hat, Inc * New York From ssorce at redhat.com Sun May 17 16:25:56 2009 
From: ssorce at redhat.com (Simo Sorce) Date: Sun, 17 May 2009 12:25:56 -0400 Subject: [Freeipa-devel] [PATCH] jderose 003 update TODO In-Reply-To: <1241502565.29481.70.camel@jgd-dsk> References: <1241502565.29481.70.camel@jgd-dsk> Message-ID: <1242577556.3695.122.camel@localhost.localdomain> On Mon, 2009-05-04 at 23:49 -0600, Jason Gerard DeRose wrote: > This patch updates the TODO file based on discussion between Rob, > Pavel, > and I. > > I also changed it to have consistent reStructuredText formatting, > which > I've become a big fan of lately. ;) ack Simo. -- Simo Sorce * Red Hat, Inc * New York From sbose at redhat.com Mon May 18 09:59:01 2009 
From: sbose at redhat.com (Sumit Bose) Date: Mon, 18 May 2009 11:59:01 +0200 Subject: [Freeipa-devel] [PATCHES] Password caching related patches In-Reply-To: <1242316475.3695.25.camel@localhost.localdomain> References: <1242316475.3695.25.camel@localhost.localdomain> Message-ID: <4A113165.3080403@redhat.com> Simo Sorce wrote: > The following set of patches is not strictly related but they are > somewhat interdependent. > > Feel free to ack/nack and comment individually. > > 0001 Fix the crypt functions. > - make them *not* use static buffers, that's just plain wrong > - fix indentation where possible > - fix naming so that exported functions do not have too generic names > that may conflict (name space) ACK > > 0002 Prevents accepting a blank password > - I think we can all agree that allowing blank passwords is not a good > idea, however if someone feels strongly about allowing no password > logins we should probably make a patch that looks up the individual user > record and read an attribute where the specific user is allowed to use > blank passwords (IMHO) > ACK > 0003 Split ldap backend > - mostly so that each single file is easily digestible but also so that > in theory you can mix and match (ldap user + krb pwd or local user + > ldap pwd, etc...) > the changes from commit c051ec69a66f3d5c6ae611262ed639c31f93e88e are missing this means that offline support does not work > 0004 Move password caching decision into backends > - this is so that backends can have better control (per user > caching/other more complex stuff) > see above > > Simo. > > > > ------------------------------------------------------------------------ > > _______________________________________________ > Freeipa-devel mailing list > Freeipa-devel at redhat.com > https://www.redhat.com/mailman/listinfo/freeipa-devel From sgallagh at redhat.com Mon May 18 11:17:33 2009 
From: sgallagh at redhat.com (Stephen Gallagher) Date: Mon, 18 May 2009 07:17:33 -0400 Subject: [Freeipa-devel] [PATCH] InfoPipe tests In-Reply-To: <1242577380.3695.119.camel@localhost.localdomain> References: <1239641168.24119.14.camel@hendrix> <1242577380.3695.119.camel@localhost.localdomain> Message-ID: <4A1143CD.4070102@redhat.com> On 05/17/2009 12:23 PM, Simo Sorce wrote: > On Mon, 2009-04-13 at 18:46 +0200, Jakub Hrozek wrote: >> I wrote these before I knew that the current InfoPipe incarnation was >> going down the drain...but maybe at least parts will be useful anyway. >> These tests test the Infopipe methods that require the caller to be root >> as per the infp_get_permissions() check, so they reside in a separate >> test binary called tests/infopipe-privileged-tests. >> >> The second patch fixes some typos in the Introspection XML file. >> >> Jakub > > Do we still want to push these patches ? > > Simo. > If they apply cleanly, I don't see any reason not to, since the work is already done. If they don't apply cleanly, it's probably not worth the effort. -- Stephen Gallagher RHCE 804006346421761 Looking to carve out IT costs? www.redhat.com/carveoutcosts/ From sgallagh at redhat.com Mon May 18 11:59:02 2009 
From: sgallagh at redhat.com (Stephen Gallagher) Date: Mon, 18 May 2009 07:59:02 -0400 Subject: [Freeipa-devel] [PATCH] offline mode for proxy provider In-Reply-To: <1242428309.3695.105.camel@localhost.localdomain> References: <1242428309.3695.105.camel@localhost.localdomain> Message-ID: <4A114D86.1000006@redhat.com> On 05/15/2009 06:58 PM, Simo Sorce wrote: > As per subject. > > Simo. Simo, this patch does not apply cleanly on the current master. Please rebase and I will review it. -- Stephen Gallagher RHCE 804006346421761 Looking to carve out IT costs? www.redhat.com/carveoutcosts/ From ssorce at redhat.com Mon May 18 12:40:15 2009 From: ssorce at redhat.com (Simo Sorce) Date: Mon, 18 May 2009 08:40:15 -0400 Subject: [Freeipa-devel] [PATCH] offline mode for proxy provider In-Reply-To: <4A114D86.1000006@redhat.com> References: <1242428309.3695.105.camel@localhost.localdomain> <4A114D86.1000006@redhat.com> Message-ID: <1242650415.3695.127.camel@localhost.localdomain> On Mon, 2009-05-18 at 07:59 -0400, Stephen Gallagher wrote: > On 05/15/2009 06:58 PM, Simo Sorce wrote: > > As per subject. > Simo, this patch does not apply cleanly on the current master. Please > rebase and I will review it. > Does not apply because it requires the previous set of patches that move password caching in the backend. I'm working on fixing the regression I introduced, although you can apply them just for testing if you want. Simo. -- Simo Sorce * Red Hat, Inc * New York From ssorce at redhat.com Mon May 18 13:33:25 2009 
From: ssorce at redhat.com (Simo Sorce) Date: Mon, 18 May 2009 09:33:25 -0400 Subject: [Freeipa-devel] [PATCHES] Password caching related patches In-Reply-To: <4A113165.3080403@redhat.com> References: <1242316475.3695.25.camel@localhost.localdomain> <4A113165.3080403@redhat.com> Message-ID: <1242653605.3695.131.camel@localhost.localdomain> On Mon, 2009-05-18 at 11:59 +0200, Sumit Bose wrote: > Simo Sorce wrote: > > The following set of patches is not strictly related but they are > > somewhat interdependent. > > > > Feel free to ack/nack and comment individually. > > > > 0001 Fix the crypt functions. > > - make them *not* use static buffers, that's just plain wrong > > - fix indentation where possible > > - fix naming so that exported functions do not have too generic names > > that may conflict (name space) > > ACK > > > > > 0002 Prevents accepting a blank password > > - I think we can all agree that allowing blank passwords is not a good > > idea, however if someone feels strongly about allowing no password > > logins we should probably make a patch that looks up the individual user > > record and read an attribute where the specific user is allowed to use > > blank passwords (IMHO) > > > > ACK > > > 0003 Split ldap backend > > - mostly so that each single file is easily digestible but also so that > > in theory you can mix and match (ldap user + krb pwd or local user + > > ldap pwd, etc...) > > > > the changes from commit c051ec69a66f3d5c6ae611262ed639c31f93e88e are > missing this means that offline support does not work > > > 0004 Move password caching decision into backends > > - this is so that backends can have better control (per user > > caching/other more complex stuff) > > > > see above > Attached a new patch that replaces 0003. 0004 applies cleanly on top, so please ack or nack on its own value. Simo. -- Simo Sorce * Red Hat, Inc * New York -------------- next part -------------- A non-text attachment was scrubbed... 
Name: 0001-Split-ldap-backend-into-auth-and-identity-files.patch Type: text/x-patch Size: 75640 bytes Desc: not available URL: From ssorce at redhat.com Mon May 18 14:05:47 2009 From: ssorce at redhat.com (Simo Sorce) Date: Mon, 18 May 2009 10:05:47 -0400 Subject: [Freeipa-devel] [PATCHES] Password caching related patches In-Reply-To: <1242653605.3695.131.camel@localhost.localdomain> References: <1242316475.3695.25.camel@localhost.localdomain> <4A113165.3080403@redhat.com> <1242653605.3695.131.camel@localhost.localdomain> Message-ID: <1242655547.3695.135.camel@localhost.localdomain> On Mon, 2009-05-18 at 09:33 -0400, Simo Sorce wrote: > Attached a new patch that replaces 0003. > 0004 applies cleanly on top, so please ack or nack on its own value. Ok, after some further thought I've re-split this patch in 2 logical ones. One just renames the old file, and a new one splits it, doing it this way I found a couple of errors in my previous patch too, and they are now corrected. All other patches apply w/o any problem. Simo. -- Simo Sorce * Red Hat, Inc * New York -------------- next part -------------- A non-text attachment was scrubbed... Name: 0001-Move-ldap_be.c-into-ldap-ldap_auth.c.patch Type: text/x-patch Size: 50792 bytes Desc: not available URL: -------------- next part -------------- A non-text attachment was scrubbed... Name: 0002-Split-ldap-backend-into-auth-and-identity-files.patch Type: text/x-patch Size: 30419 bytes Desc: not available URL: From sbose at redhat.com Mon May 18 16:01:18 2009 
From: sbose at redhat.com (Sumit Bose) Date: Mon, 18 May 2009 18:01:18 +0200 Subject: [Freeipa-devel] [PATCHES] Password caching related patches In-Reply-To: <1242655547.3695.135.camel@localhost.localdomain> References: <1242316475.3695.25.camel@localhost.localdomain> <4A113165.3080403@redhat.com> <1242653605.3695.131.camel@localhost.localdomain> <1242655547.3695.135.camel@localhost.localdomain> Message-ID: <4A11864E.3030509@redhat.com> Simo Sorce wrote: > On Mon, 2009-05-18 at 09:33 -0400, Simo Sorce wrote: >> Attached a new patch that replaces 0003. >> 0004 applies cleanly on top, so please ack or nack on its own value. > > Ok, after some further thought I've re-split this patch in 2 logical > ones. > One just renames the old file, and a new one splits it, doing it this > way I found a couple of errors in my previous patch too, and they are > now corrected. > > All other patches apply w/o any problem. > > ACK to both From sbose at redhat.com Mon May 18 16:02:50 2009 
From: sbose at redhat.com (Sumit Bose) Date: Mon, 18 May 2009 18:02:50 +0200 Subject: [Freeipa-devel] [PATCHES] Password caching related patches In-Reply-To: <1242653605.3695.131.camel@localhost.localdomain> References: <1242316475.3695.25.camel@localhost.localdomain> <4A113165.3080403@redhat.com> <1242653605.3695.131.camel@localhost.localdomain> Message-ID: <4A1186AA.4020001@redhat.com> Simo Sorce wrote: > On Mon, 2009-05-18 at 11:59 +0200, Sumit Bose wrote: >> Simo Sorce wrote: >>> The following set of patches is not strictly related but they are >>> somewhat interdependent. >>> >>> Feel free to ack/nack and comment individually. >>> >>> 0001 Fix the crypt functions. >>> - make them *not* use static buffers, that's just plain wrong >>> - fix indentation where possible >>> - fix naming so that exported functions do not have too generic names >>> that may conflict (name space) >> ACK >> >>> 0002 Prevents accepting a blank password >>> - I think we can all agree that allowing blank passwords is not a good >>> idea, however if someone feels strongly about allowing no password >>> logins we should probably make a patch that looks up the individual user >>> record and read an attribute where the specific user is allowed to use >>> blank passwords (IMHO) >>> >> ACK >> >>> 0003 Split ldap backend >>> - mostly so that each single file is easily digestible but also so that >>> in theory you can mix and match (ldap user + krb pwd or local user + >>> ldap pwd, etc...) >>> >> the changes from commit c051ec69a66f3d5c6ae611262ed639c31f93e88e are >> missing this means that offline support does not work >> >>> 0004 Move password caching decision into backends >>> - this is so that backends can have better control (per user >>> caching/other more complex stuff) >>> >> see above >> > > Attached a new patch that replaces 0003. > 0004 applies cleanly on top, so please ack or nack on its own value. > ACK to 0004 bye, Sumit From ssorce at redhat.com Mon May 18 19:30:36 2009 
From: ssorce at redhat.com (Simo Sorce) Date: Mon, 18 May 2009 15:30:36 -0400 Subject: [Freeipa-devel] [PATCHES] Password caching related patches In-Reply-To: <4A11864E.3030509@redhat.com> References: <1242316475.3695.25.camel@localhost.localdomain> <4A113165.3080403@redhat.com> <1242653605.3695.131.camel@localhost.localdomain> <1242655547.3695.135.camel@localhost.localdomain> <4A11864E.3030509@redhat.com> Message-ID: <1242675036.3546.17.camel@localhost.localdomain> On Mon, 2009-05-18 at 18:01 +0200, Sumit Bose wrote: > Simo Sorce wrote: > > On Mon, 2009-05-18 at 09:33 -0400, Simo Sorce wrote: > >> Attached a new patch that replaces 0003. > >> 0004 applies cleanly on top, so please ack or nack on its own value. > > > > Ok, after some further thought I've re-split this patch in 2 logical > > ones. > > One just renames the old file, and a new one splits it, doing it this > > way I found a couple of errors in my previous patch too, and they are > > now corrected. > > > > All other patches apply w/o any problem. > > > > > ACK to both Thanks, pushed all patches in this thread. Simo. -- Simo Sorce * Red Hat, Inc * New York From sgallagh at redhat.com Mon May 18 19:46:00 2009 
From: sgallagh at redhat.com (Stephen Gallagher) Date: Mon, 18 May 2009 15:46:00 -0400 Subject: [Freeipa-devel] [PATCH] offline mode for proxy provider In-Reply-To: <1242428309.3695.105.camel@localhost.localdomain> References: <1242428309.3695.105.camel@localhost.localdomain> Message-ID: <4A11BAF8.6080606@redhat.com> On 05/15/2009 06:58 PM, Simo Sorce wrote: > As per subject. > > Simo. Ack. -- Stephen Gallagher RHCE 804006346421761 Looking to carve out IT costs? www.redhat.com/carveoutcosts/ From ssorce at redhat.com Mon May 18 20:09:16 2009 From: ssorce at redhat.com (Simo Sorce) Date: Mon, 18 May 2009 16:09:16 -0400 Subject: [Freeipa-devel] [PATCH] offline mode for proxy provider In-Reply-To: <4A11BAF8.6080606@redhat.com> References: <1242428309.3695.105.camel@localhost.localdomain> <4A11BAF8.6080606@redhat.com> Message-ID: <1242677356.3546.18.camel@localhost.localdomain> On Mon, 2009-05-18 at 15:46 -0400, Stephen Gallagher wrote: > On 05/15/2009 06:58 PM, Simo Sorce wrote: > > As per subject. > Ack. pushed Simo. -- Simo Sorce * Red Hat, Inc * New York From jderose at redhat.com Mon May 18 20:48:03 2009 
From: jderose at redhat.com (Jason Gerard DeRose) Date: Mon, 18 May 2009 14:48:03 -0600 Subject: [Freeipa-devel] [PATCH] 213 use the csv module for ldapupdate In-Reply-To: <4A0B36C9.3020709@redhat.com> References: <4A0B36C9.3020709@redhat.com> Message-ID: <1242679683.5418.0.camel@jgd-dsk> On Wed, 2009-05-13 at 17:08 -0400, Rob Crittenden wrote: > In ldapupdate I wanted to make things easy on update writers and let them > pass in a comma-separated string to make a multi-valued attribute, like: > > add:objectclass: top, person, inetorgperson > > This is my last attempt at working around this "feature" before simply > dropping it. It has turned out to be almost more trouble than it is worth. > > In any case, this patch drops my hackish lex-based parser for the python > csv module. This works a bit nicer anyway. You do have to be a bit > careful about mixing ' and " though. > > What I've done is set the quote string to whatever the first character > of a line is, defaulting to ". In other words, if you want the quote > character to be ', then pass it as the first character in the update line. > > Something like: > > add:name:'"Here is a quoted value, and another", "and one more"' > > This breaks down to 2 values to be added: > > "Here is a quoted value, and another" > "and one more" > > rob ack. From jderose at redhat.com Mon May 18 21:00:54 2009 
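The quote-character rule described in the quoted message above, as an added Python sketch; it is not code from the thread or from ldapupdate. The `action:attribute:values` layout is taken from the `add:objectclass:` line in the message; the helper names and sample lines are constructed, and stripping the value before looking at its first character is an assumption.

```python
import csv


def parse_values(raw):
    """Split the value part of an update line into a list of values.

    Assumption: the quote character is a single quote when the stripped
    value starts with one, and a double quote otherwise.
    """
    raw = raw.strip()
    if not raw:
        return []
    quotechar = "'" if raw[0] == "'" else '"'
    # skipinitialspace lets "a, b" and '"a", "b"' parse without stray blanks
    # and keeps a quote that follows ", " recognised as a quote.
    reader = csv.reader([raw], quotechar=quotechar, skipinitialspace=True)
    return [value for row in reader for value in row]


def parse_update_line(line):
    """Parse 'action:attribute:values' into (action, attribute, [values])."""
    # maxsplit=2 keeps any further colons inside the value part.
    parts = line.split(":", 2)
    if len(parts) != 3:
        raise ValueError("expected action:attribute:values, got %r" % line)
    action, attribute, raw = parts
    return action.strip(), attribute.strip(), parse_values(raw)


def naive_split(raw):
    """Plain comma split, shown only to contrast with the csv-based parser."""
    return [piece.strip() for piece in raw.split(",")]


# Constructed sample update lines (not taken from any real update file).
PLAIN = "add:objectclass: top, person, inetorgperson"
DNS = ('add:member: "uid=admin,cn=users,dc=example,dc=com", '
       '"uid=bob,cn=users,dc=example,dc=com"')
SINGLE = "add:description:'say \"hi\", twice', 'other'"

if __name__ == "__main__":
    for sample in (PLAIN, DNS, SINGLE):
        print(parse_update_line(sample))
    # A plain split tears the two DNs into eight fragments.
    print(naive_split(DNS.split(":", 2)[2]))
```

DN-valued attributes are the case where the difference matters: every DN carries its own commas, so an unquoted or naively split line produces fragments instead of the intended entries.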
From: jderose at redhat.com (Jason Gerard DeRose) Date: Mon, 18 May 2009 15:00:54 -0600 Subject: [Freeipa-devel] [PATCH] 214 csv parsing updates In-Reply-To: <4A0B3760.2050003@redhat.com> References: <4A0B3760.2050003@redhat.com> Message-ID: <1242680454.5418.3.camel@jgd-dsk> On Wed, 2009-05-13 at 17:10 -0400, Rob Crittenden wrote: > Patches to two update files impacted by the csv parsing change. > > rob This patch won't apply. I'm working on a clean clone master of master with your 213 patch applied. I also tried it without the 213 patch applied in case the order was reversed, still no luck. Am I missing some other patch? From jderose at redhat.com Mon May 18 21:05:02 2009 From: jderose at redhat.com (Jason Gerard DeRose) Date: Mon, 18 May 2009 15:05:02 -0600 Subject: [Freeipa-devel] [PATCH] 215 netgroup compat In-Reply-To: <4A0B3823.4010903@redhat.com> References: <4A0B3823.4010903@redhat.com> Message-ID: <1242680702.5418.4.camel@jgd-dsk> On Wed, 2009-05-13 at 17:14 -0400, Rob Crittenden wrote: > Add a schema-compat configuration to translate our netgroup > configuration into a standard netgroup triple. I'm including this in nis > because that is really the only place it is interesting. > > So to use this requires that both the schema-compat and nis plugins are > enabled. > > rob ack. From jderose at redhat.com Mon May 18 21:10:12 2009 From: jderose at redhat.com (Jason Gerard DeRose) Date: Mon, 18 May 2009 15:10:12 -0600 Subject: [Freeipa-devel] [PATCH] 216 own apache config files In-Reply-To: <4A0C1D0A.3060804@redhat.com> References: <4A0C1D0A.3060804@redhat.com> Message-ID: <1242681012.5418.5.camel@jgd-dsk> On Thu, 2009-05-14 at 09:30 -0400, Rob Crittenden wrote: > The IPA Installer creates 2 Apache configuration files that aren't owned > by the ipa-server package. This patch rectifies that. > > rob ack. From jderose at redhat.com Mon May 18 21:12:55 2009 
From: jderose at redhat.com (Jason Gerard DeRose) Date: Mon, 18 May 2009 15:12:55 -0600 Subject: [Freeipa-devel] [PATCH] 217 change attribute used for hostnames In-Reply-To: <4A0D789D.5070907@redhat.com> References: <4A0B390C.6090709@redhat.com> <4A0B7785.6070501@redhat.com> <4A0D789D.5070907@redhat.com> Message-ID: <1242681175.5418.6.camel@jgd-dsk> On Fri, 2009-05-15 at 10:13 -0400, Rob Crittenden wrote: > Rob Crittenden wrote: > > Rob Crittenden wrote: > >> This goes along with the netgroup patch. > >> > >> We were using commonname to store the hostname. This made translating > >> hosts into triples difficult because the same attribute was used to > >> identify hosts as well as hostgroups. > >> > >> So we decided to use a new attribute, fqdn, instead. > >> > >> rob > > > > Sad to say I have to nack my own patch :-( > > > > I need to make fqdn a MUST attribute and also update the test cases. > > > > rob > > > > Revised patch. > > rob ack. From jderose at redhat.com Mon May 18 21:29:58 2009 
From: jderose at redhat.com (Jason Gerard DeRose) Date: Mon, 18 May 2009 15:29:58 -0600 Subject: [Freeipa-devel] [PATCH] Add Encoder base class and method decorators to encode arguments/decode return values. Also - unit tests. In-Reply-To: <4A0C5993.5040005@redhat.com> References: <4A0C5993.5040005@redhat.com> Message-ID: <1242682198.5418.9.camel@jgd-dsk> On Thu, 2009-05-14 at 19:49 +0200, Pavel Zuna wrote: > I was reviewing value encoding/decoding in the new LDAP backend after > yesterday's e-mail mini-discussion regarding attribute names with Rob. In a lot > of functions that pass values directly to python-ldap we have to encode > arguments coming from plugins and decode values coming from python-ldap in > return. To save some code and possibly save future backends from this encoding > hell, I wrote an Encoder base class and two function decorators. They're > supposed to be used like this: > > # import important stuff > from ipalib.encoder import Encoder, encode_args, decode_retval > > class ldap2(CrudBackend, Encoder): > > # some code > > @encode_args(1, 2, 3) > @decode_retval() > def find_entries(self, filter, attrs_list=None, base_dn='', > scope=_ldap.SCOPE_SUBTREE, time_limit=1, size_limit=3000): > # we don't have to care about encoding/decoding here anymore > # and it saves at least 10 lines of code in this method, yay! > > # some more code > > Pavel ack. I'm sure this will need some tuning as we start using it, but it looks like a great start and we should get it committed so we can move forward. From sgallagh at redhat.com Mon May 18 21:31:16 2009 
From: sgallagh at redhat.com (Stephen Gallagher) Date: Mon, 18 May 2009 17:31:16 -0400 Subject: [Freeipa-devel] [PATCHES][SSSD] Big automake conversion Message-ID: <4A11D3A4.5090402@redhat.com> Warning: these patches are large. General comments: I have changed the versioning of the shared objects that we build in order to be more in keeping with the GNU coding style. Instead of keeping the shared object version in line with the sssd version, they will instead be versioned by their own interface. As such, I have re-versioned them to .1.0.0 at this time. I am building our shared libraries with libtool. I have already had the requisite debate with certain parties, and I will be responsible for maintaining this. 0001: Fix some problems with the automake build in the common directories so that parallel builds work. 0002: Hack together a Makefile.am for building libreplace recursively 0003: Convert the entire SSSD server daemon, plugins, etc. to automake 0004: Convert the sss_client libraries to automake. 0005: Convert the top-level of the SSSD to automake. The sssd.spec %install section uses a workaround to deal with the fact that our automake build is installing a bunch of files we don't need. I'm going to fix this eventually, but for the time being it was easier to simply remove them from the buildroot before packaging. -- Stephen Gallagher RHCE 804006346421761 Looking to carve out IT costs? www.redhat.com/carveoutcosts/ -------------- next part -------------- An embedded and charset-unspecified text was scrubbed... Name: 0001-Enable-parallel-builds-for-the-common-libraries.patch URL: -------------- next part -------------- An embedded and charset-unspecified text was scrubbed... Name: 0002-Enable-automake-builds-for-libreplace.patch URL: -------------- next part -------------- An embedded and charset-unspecified text was scrubbed... 
Name: 0003-Enable-automake-builds-for-sssd-server.patch URL: -------------- next part -------------- An embedded and charset-unspecified text was scrubbed... Name: 0004-Enable-automake-builds-for-sss_client.patch URL: -------------- next part -------------- An embedded and charset-unspecified text was scrubbed... Name: 0005-Convert-top-level-of-SSSD-to-automake.patch URL: -------------- next part -------------- A non-text attachment was scrubbed... Name: smime.p7s Type: application/pkcs7-signature Size: 3258 bytes Desc: S/MIME Cryptographic Signature URL: From jderose at redhat.com Mon May 18 21:50:48 2009 
From: jderose at redhat.com (Jason Gerard DeRose) Date: Mon, 18 May 2009 15:50:48 -0600 Subject: [Freeipa-devel] [PATCH] Add group plugin port to new LDAP backend. In-Reply-To: <4A0B0BA1.8080608@redhat.com> References: <49F9B183.5090902@redhat.com> <49F9B10E.4060209@redhat.com> <49F9B8E8.1010403@redhat.com> <49F9E524.7040804@redhat.com> <4A083C90.40104@redhat.com> <4A0B0BA1.8080608@redhat.com> Message-ID: <1242683448.5418.12.camel@jgd-dsk> On Wed, 2009-05-13 at 14:04 -0400, Rob Crittenden wrote: > Pavel Zuna wrote: > > Rob Crittenden wrote: > >> Pavel Zuna wrote: > >>> Rob Crittenden wrote: > >>>> Pavel Zuna wrote: > >>>>> By the way, there's a little bug I discovered while testing this > >>>>> plugin. It affects the old group plugin as well. When trying to > >>>>> modify a group into a posixGroup, gidNumber doesn't get generated > >>>>> automatically resulting in an object violation LDAP error. Solution > >>>>> is to generate it ourselves, but I didn't know how it works, so I > >>>>> commented that part out for now. (/FIXME in vim) > >>>>> > >>>> > >>>> This should be fixed in FDS 1.2. Can you update and give it a try? > >>>> > >>>> rob > >>> Sure, just updated and you're right, it works. :) > >>> Updated patch attached. > >>> > >>> Pavel > >> > >> nack. This won't handle someone using group-mod to set a specific > >> gidnumber. The posixGroup objectclass won't be added. > >> > >> rob > > Fixed patch attached. > > > > Pavel > > The basegroup2 part looks ok but nack on group2. So is there an update on this yet, Pavel? I was trying to review your 0001-Fix-counting..., 0002-Add-houstgroup..., and 0003-Add-netgroup... patches, but they depend on this patch here. > > I think we should stick with using lower-case attribute names as a rule > of thumb rather than camel case. In any case you test for the string > posixGroup is in the list of objectclasses, this test needs to be case > insensitive. > > I also wonder if we should be using ldap.get_entry(). 
Why use this over > group-show? > > I'm not sure if the logic around setting gidnumber is right. If you set > the gidnumber but aren't using the --posix flag it looks like it will > always append posixgroup to the list of objectclasses. I'm pretty sure > the LDAP server is going to reject the update. I suppose making a > list(set(objectclasses)) would work for de-duping. > > rob From sbose at redhat.com Tue May 19 08:02:28 2009 
From: sbose at redhat.com (Sumit Bose) Date: Tue, 19 May 2009 10:02:28 +0200 Subject: [Freeipa-devel] [PATCHES][SSSD] Big automake conversion In-Reply-To: <4A11D3A4.5090402@redhat.com> References: <4A11D3A4.5090402@redhat.com> Message-ID: <4A126794.6070209@redhat.com> Stephen Gallagher wrote: > Warning: these patches are large. > > General comments: > I have changed the versioning of the shared objects that we build in > order to be more in keeping with the GNU coding style. Instead of > keeping the shared object version in line with the sssd version, they > will instead be versioned by their own interface. As such, I have > re-versioned them to .1.0.0 at this time. > I am building our shared libraries with libtool. I have already had > the requisite debate with certain parties, and I will be responsible for > maintaining this. > > 0001: Fix some problems with the automake build in the common > directories so that parallel builds work. > > 0002: Hack together a Makefile.am for building libreplace recursively > > 0003: Convert the entire SSSD server daemon, plugins, etc. to automake > > 0004: Convert the sss_client libraries to automake. > > 0005: Convert the top-level of the SSSD to automake. > The sssd.spec %install section uses a workaround to deal with the fact > that our automake build is installing a bunch of files we don't need. > I'm going to fix this eventually, but for the time being it was easier > to simply remove them from the buildroot before packaging. > > ACK to all. The patches apply cleanly, everything is built and it even works in koji (http://koji.fedoraproject.org/koji/taskinfo?taskID=1362791). Great work. I have only one minor request, can you update BUILD.txt? bye, Sumit From pzuna at redhat.com Tue May 19 08:29:33 2009 
From: pzuna at redhat.com (Pavel Zuna) Date: Tue, 19 May 2009 10:29:33 +0200 Subject: [Freeipa-devel] [PATCH] Add group plugin port to new LDAP backend. In-Reply-To: <1242683448.5418.12.camel@jgd-dsk> References: <49F9B183.5090902@redhat.com> <49F9B10E.4060209@redhat.com> <49F9B8E8.1010403@redhat.com> <49F9E524.7040804@redhat.com> <4A083C90.40104@redhat.com> <4A0B0BA1.8080608@redhat.com> <1242683448.5418.12.camel@jgd-dsk> Message-ID: <4A126DED.6040307@redhat.com> Jason Gerard DeRose wrote: > On Wed, 2009-05-13 at 14:04 -0400, Rob Crittenden wrote: >> Pavel Zuna wrote: >>> Rob Crittenden wrote: >>>> Pavel Zuna wrote: >>>>> Rob Crittenden wrote: >>>>>> Pavel Zuna wrote: >>>>>>> By the way, there's a little bug I discovered while testing this >>>>>>> plugin. It affects the old group plugin as well. When trying to >>>>>>> modify a group into a posixGroup, gidNumber doesn't get generated >>>>>>> automatically resulting in an object violation LDAP error. Solution >>>>>>> is to generate it ourselves, but I didn't know how it works, so I >>>>>>> commented that part out for now. (/FIXME in vim) >>>>>>> >>>>>> This should be fixed in FDS 1.2. Can you update and give it a try? >>>>>> >>>>>> rob >>>>> Sure, just updated and you're right, it works. :) >>>>> Updated patch attached. >>>>> >>>>> Pavel >>>> nack. This won't handle someone using group-mod to set a specific >>>> gidnumber. The posixGroup objectclass won't be added. >>>> >>>> rob >>> Fixed patch attached. >>> >>> Pavel >> The basegroup2 part looks ok but nack on group2. > > So is there an update on this yet, Pavel? I was trying to review your > 0001-Fix-counting..., 0002-Add-houstgroup..., and 0003-Add-netgroup... > patches, but they depend on this patch here. Attached, but camelCase is still there for now. I'm currently testing the Encoder class with ldap2 and will post a patch soon that makes all plugins2 use lowercase when referring to LDAP attributes. 
>> I think we should stick with using lower-case attribute names as a rule >> of thumb rather than camel case. In any case you test for the string >> posixGroup is in the list of objectclasses, this test needs to be case >> insensitive. >> >> I also wonder if we should be using ldap.get_entry(). Why use this over >> group-show? >> >> I'm not sure if the logic around setting gidnumber is right. If you set >> the gidnumber but aren't using the --posix flag it looks like it will >> always append posixgroup to the list of objectclasses. I'm pretty sure >> the LDAP server is going to reject the update. I suppose making a >> list(set(objectclasses)) would work for de-duping. >> >> rob > Pavel -------------- next part -------------- A non-text attachment was scrubbed... Name: 0001-Add-group-plugin-port-to-new-LDAP-backend.patch Type: application/mbox Size: 23087 bytes Desc: not available URL: From sbose at redhat.com Tue May 19 10:09:05 2009 From: sbose at redhat.com (Sumit Bose) Date: Tue, 19 May 2009 12:09:05 +0200 Subject: [Freeipa-devel] [PATCH] added prototype for sysdb_set_cached_password Message-ID: <4A128541.70400@redhat.com> Hi, this patch just adds a missing sysdb prototype. bye, Sumit -------------- next part -------------- A non-text attachment was scrubbed... Name: 0001-added-prototype-for-sysdb_set_cached_password.patch Type: text/x-patch Size: 1025 bytes Desc: not available URL: From sbose at redhat.com Tue May 19 10:11:07 2009 From: sbose at redhat.com (Sumit Bose) Date: Tue, 19 May 2009 12:11:07 +0200 Subject: [Freeipa-devel] [PATCH] call tevent_add_fd only once Message-ID: <4A1285BB.1050709@redhat.com> Hi, this patch fixes the usage of tevent_add_fd in ldap_auth.c. bye, Sumit -------------- next part -------------- A non-text attachment was scrubbed... Name: 0001-call-tevent_add_fd-only-once.patch Type: text/x-patch Size: 5037 bytes Desc: not available URL: From sgallagh at redhat.com Tue May 19 11:38:43 2009 
From: sgallagh at redhat.com (Stephen Gallagher) Date: Tue, 19 May 2009 07:38:43 -0400 Subject: [Freeipa-devel] [PATCH] added prototype for sysdb_set_cached_password In-Reply-To: <4A128541.70400@redhat.com> References: <4A128541.70400@redhat.com> Message-ID: <4A129A43.8000607@redhat.com> On 05/19/2009 06:09 AM, Sumit Bose wrote: > Hi, > > this patch just adds a missing sysdb prototype. > > bye, > Sumit Ack -- Stephen Gallagher RHCE 804006346421761 Looking to carve out IT costs? www.redhat.com/carveoutcosts/ From sgallagh at redhat.com Tue May 19 11:42:05 2009 From: sgallagh at redhat.com (Stephen Gallagher) Date: Tue, 19 May 2009 07:42:05 -0400 Subject: [Freeipa-devel] [PATCH] call tevent_add_fd only once In-Reply-To: <4A1285BB.1050709@redhat.com> References: <4A1285BB.1050709@redhat.com> Message-ID: <4A129B0D.9060907@redhat.com> On 05/19/2009 06:11 AM, Sumit Bose wrote: > Hi, > > this patch fixes the usage of tevent_add_fd in ldap_auth.c. > > bye, > Sumit Ack -- Stephen Gallagher RHCE 804006346421761 Looking to carve out IT costs? www.redhat.com/carveoutcosts/ From sgallagh at redhat.com Tue May 19 11:55:34 2009 
From: sgallagh at redhat.com (Stephen Gallagher) Date: Tue, 19 May 2009 07:55:34 -0400 Subject: [Freeipa-devel] [PATCHES][SSSD] Big automake conversion In-Reply-To: <4A126794.6070209@redhat.com> References: <4A11D3A4.5090402@redhat.com> <4A126794.6070209@redhat.com> Message-ID: <4A129E36.9040106@redhat.com> On 05/19/2009 04:02 AM, Sumit Bose wrote: > Stephen Gallagher wrote: >> Warning: these patches are large. >> >> General comments: >> I have changed the versioning of the shared objects that we build in >> order to be more in keeping with the GNU coding style. Instead of >> keeping the shared object version in line with the sssd version, they >> will instead be versioned by their own interface. As such, I have >> re-versioned them to .1.0.0 at this time. >> I am building our shared libraries with libtool. I have already had >> the requisite debate with certain parties, and I will be responsible for >> maintaining this. >> >> 0001: Fix some problems with the automake build in the common >> directories so that parallel builds work. >> >> 0002: Hack together a Makefile.am for building libreplace recursively >> >> 0003: Convert the entire SSSD server daemon, plugins, etc. to automake >> >> 0004: Convert the sss_client libraries to automake. >> >> 0005: Convert the top-level of the SSSD to automake. >> The sssd.spec %install section uses a workaround to deal with the fact >> that our automake build is installing a bunch of files we don't need. >> I'm going to fix this eventually, but for the time being it was easier >> to simply remove them from the buildroot before packaging. >> >> > ACK to all. > > The patches apply cleanly, everything is built and it even works in koji > (http://koji.fedoraproject.org/koji/taskinfo?taskID=1362791). Great work. > > I have only one minor request, can you update BUILD.txt? 
> > bye, > Sumit BUILD.txt updated (affects only patch 0005, but reattaching all five for convenience) -- Stephen Gallagher RHCE 804006346421761 Looking to carve out IT costs? www.redhat.com/carveoutcosts/ -------------- next part -------------- An embedded and charset-unspecified text was scrubbed... Name: 0001-Enable-parallel-builds-for-the-common-libraries.patch URL: -------------- next part -------------- An embedded and charset-unspecified text was scrubbed... Name: 0002-Enable-automake-builds-for-libreplace.patch URL: -------------- next part -------------- An embedded and charset-unspecified text was scrubbed... Name: 0003-Enable-automake-builds-for-sssd-server.patch URL: -------------- next part -------------- An embedded and charset-unspecified text was scrubbed... Name: 0004-Enable-automake-builds-for-sss_client.patch URL: -------------- next part -------------- An embedded and charset-unspecified text was scrubbed... Name: 0005-Convert-top-level-of-SSSD-to-automake.patch URL: From sgallagh at redhat.com Tue May 19 12:13:06 2009 
From: sgallagh at redhat.com (Stephen Gallagher) Date: Tue, 19 May 2009 08:13:06 -0400 Subject: [Freeipa-devel] [PATCHES][SSSD] Big automake conversion In-Reply-To: <4A129E36.9040106@redhat.com> References: <4A11D3A4.5090402@redhat.com> <4A126794.6070209@redhat.com> <4A129E36.9040106@redhat.com> Message-ID: <4A12A252.7000800@redhat.com> On 05/19/2009 07:55 AM, Stephen Gallagher wrote: > On 05/19/2009 04:02 AM, Sumit Bose wrote: >> Stephen Gallagher wrote: >>> Warning: these patches are large. >>> >>> General comments: >>> I have changed the versioning of the shared objects that we build in >>> order to be more in keeping with the GNU coding style. Instead of >>> keeping the shared object version in line with the sssd version, they >>> will instead be versioned by their own interface. As such, I have >>> re-versioned them to .1.0.0 at this time. >>> I am building our shared libraries with libtool. I have already had >>> the requisite debate with certain parties, and I will be responsible for >>> maintaining this. >>> >>> 0001: Fix some problems with the automake build in the common >>> directories so that parallel builds work. >>> >>> 0002: Hack together a Makefile.am for building libreplace recursively >>> >>> 0003: Convert the entire SSSD server daemon, plugins, etc. to automake >>> >>> 0004: Convert the sss_client libraries to automake. >>> >>> 0005: Convert the top-level of the SSSD to automake. >>> The sssd.spec %install section uses a workaround to deal with the fact >>> that our automake build is installing a bunch of files we don't need. >>> I'm going to fix this eventually, but for the time being it was easier >>> to simply remove them from the buildroot before packaging. >>> >>> >> ACK to all. >> >> The patches apply cleanly, everything is built and it even works in koji >> (http://koji.fedoraproject.org/koji/taskinfo?taskID=1362791). Great work. >> >> I have only one minor request, can you update BUILD.txt? 
>> >> bye, >> Sumit > > BUILD.txt updated (affects only patch 0005, but reattaching all five for > convenience) Correct a minor typo in BUILD.txt in patch 0005: -- Stephen Gallagher RHCE 804006346421761 Looking to carve out IT costs? www.redhat.com/carveoutcosts/ -------------- next part -------------- An embedded and charset-unspecified text was scrubbed... Name: 0005-Convert-top-level-of-SSSD-to-automake.patch URL: From sgallagh at redhat.com Tue May 19 12:27:53 2009 
From: sgallagh at redhat.com (Stephen Gallagher) Date: Tue, 19 May 2009 08:27:53 -0400 Subject: [Freeipa-devel] [PATCHES][SSSD] Big automake conversion In-Reply-To: <4A12A252.7000800@redhat.com> References: <4A11D3A4.5090402@redhat.com> <4A126794.6070209@redhat.com> <4A129E36.9040106@redhat.com> <4A12A252.7000800@redhat.com> Message-ID: <4A12A5C9.4040603@redhat.com> On 05/19/2009 08:13 AM, Stephen Gallagher wrote: > On 05/19/2009 07:55 AM, Stephen Gallagher wrote: >> On 05/19/2009 04:02 AM, Sumit Bose wrote: >>> Stephen Gallagher wrote: >>>> Warning: these patches are large. >>>> >>>> General comments: >>>> I have changed the versioning of the shared objects that we build in >>>> order to be more in keeping with the GNU coding style. Instead of >>>> keeping the shared object version in line with the sssd version, they >>>> will instead be versioned by their own interface. As such, I have >>>> re-versioned them to .1.0.0 at this time. >>>> I am building our shared libraries with libtool. I have already had >>>> the requisite debate with certain parties, and I will be responsible for >>>> maintaining this. >>>> >>>> 0001: Fix some problems with the automake build in the common >>>> directories so that parallel builds work. >>>> >>>> 0002: Hack together a Makefile.am for building libreplace recursively >>>> >>>> 0003: Convert the entire SSSD server daemon, plugins, etc. to automake >>>> >>>> 0004: Convert the sss_client libraries to automake. >>>> >>>> 0005: Convert the top-level of the SSSD to automake. >>>> The sssd.spec %install section uses a workaround to deal with the fact >>>> that our automake build is installing a bunch of files we don't need. >>>> I'm going to fix this eventually, but for the time being it was easier >>>> to simply remove them from the buildroot before packaging. >>>> >>>> >>> ACK to all. >>> >>> The patches apply cleanly, everything is built and it even works in koji >>> (http://koji.fedoraproject.org/koji/taskinfo?taskID=1362791). 
>>> Great work.
>>>
>>> I have only one minor request, can you update BUILD.txt?
>>>
>>> bye,
>>> Sumit
>> BUILD.txt updated (affects only patch 0005, but reattaching all five for
>> convenience)
>
> Correct a minor typo in BUILD.txt in patch 0005:

This set of patches updates BUILD.txt correctly (sorry about that) and
also modifies all the configure.ac files to direct bug reports to
freeipa-devel at redhat.com instead of my personal email address.

--
Stephen Gallagher
RHCE 804006346421761

Looking to carve out IT costs?
www.redhat.com/carveoutcosts/
-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: 0001-Enable-parallel-builds-for-the-common-libraries.patch
-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: 0002-Enable-automake-builds-for-libreplace.patch
-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: 0003-Enable-automake-builds-for-sssd-server.patch
-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: 0004-Enable-automake-builds-for-sss_client.patch
-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: 0005-Convert-top-level-of-SSSD-to-automake.patch
-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: 0006-Use-freeipa-devel-redhat.com-for-bug-reports.patch

From sbose at redhat.com Tue May 19 12:39:50 2009
From: sbose at redhat.com (Sumit Bose)
Date: Tue, 19 May 2009 14:39:50 +0200
Subject: [Freeipa-devel] [PATCHES][SSSD] Big automake conversion
In-Reply-To: <4A12A5C9.4040603@redhat.com>
References: <4A11D3A4.5090402@redhat.com> <4A126794.6070209@redhat.com> <4A129E36.9040106@redhat.com> <4A12A252.7000800@redhat.com> <4A12A5C9.4040603@redhat.com>
Message-ID: <4A12A896.80304@redhat.com>

Stephen Gallagher wrote:
> On 05/19/2009 08:13 AM, Stephen Gallagher wrote:
>> On 05/19/2009 07:55 AM, Stephen Gallagher wrote:
>>> On 05/19/2009 04:02 AM, Sumit Bose wrote:
>>>> Stephen Gallagher wrote:
>>>>> Warning: these patches are large.
>>>>>
>>>>> General comments:
>>>>> I have changed the versioning of the shared objects that we build in
>>>>> order to be more in keeping with the GNU coding style. Instead of
>>>>> keeping the shared object version in line with the sssd version, they
>>>>> will instead be versioned by their own interface. As such, I have
>>>>> re-versioned them to .1.0.0 at this time.
>>>>> I am building our shared libraries with libtool. I have already had
>>>>> the requisite debate with certain parties, and I will be responsible for
>>>>> maintaining this.
>>>>>
>>>>> 0001: Fix some problems with the automake build in the common
>>>>> directories so that parallel builds work.
>>>>>
>>>>> 0002: Hack together a Makefile.am for building libreplace recursively
>>>>>
>>>>> 0003: Convert the entire SSSD server daemon, plugins, etc. to automake
>>>>>
>>>>> 0004: Convert the sss_client libraries to automake.
>>>>>
>>>>> 0005: Convert the top-level of the SSSD to automake.
>>>>> The sssd.spec %install section uses a workaround to deal with the fact
>>>>> that our automake build is installing a bunch of files we don't need.
>>>>> I'm going to fix this eventually, but for the time being it was easier
>>>>> to simply remove them from the buildroot before packaging.
>>>>>
>>>> ACK to all.
>>>>
>>>> The patches apply cleanly, everything is built and it even works in koji
>>>> (http://koji.fedoraproject.org/koji/taskinfo?taskID=1362791). Great work.
>>>>
>>>> I have only one minor request, can you update BUILD.txt?
>>>>
>>>> bye,
>>>> Sumit
>>> BUILD.txt updated (affects only patch 0005, but reattaching all five for
>>> convenience)
>>
>> Correct a minor typo in BUILD.txt in patch 0005:
>
> This set of patches updates BUILD.txt correctly (sorry about that) and
> also modifies all the configure.ac files to direct bug reports to
> freeipa-devel at redhat.com instead of my personal email address.
>

still an ACK from me

bye,
Sumit

From rcritten at redhat.com Tue May 19 13:48:12 2009
From: rcritten at redhat.com (Rob Crittenden)
Date: Tue, 19 May 2009 09:48:12 -0400
Subject: [Freeipa-devel] [PATCH] 212 fix argument passing to _handle_errors()
In-Reply-To: <4A0C55D0.4010207@redhat.com>
References: <4A0B3513.7040509@redhat.com> <4A0C55D0.4010207@redhat.com>
Message-ID: <4A12B89C.2040008@redhat.com>

Pavel Zuna wrote:
> Rob Crittenden wrote:
>> I was passing in some non-existent arguments in some cases to
>> _handle_errors(). Also ensure that we have something to pass something
>> to notfound().
>>
>> rob
> ack.
>
> Pavel

pushed to master

From rcritten at redhat.com Tue May 19 13:48:40 2009
From: rcritten at redhat.com (Rob Crittenden)
Date: Tue, 19 May 2009 09:48:40 -0400
Subject: [Freeipa-devel] [PATCH] 213 use the csv module for ldapupdate
In-Reply-To: <1242679683.5418.0.camel@jgd-dsk>
References: <4A0B36C9.3020709@redhat.com> <1242679683.5418.0.camel@jgd-dsk>
Message-ID: <4A12B8B8.6090307@redhat.com>

Jason Gerard DeRose wrote:
> On Wed, 2009-05-13 at 17:08 -0400, Rob Crittenden wrote:
>> In ldapupdate I wanted to make things easy on update writers and let them
>> pass in a comma-separated string to make a multi-valued attribute, like:
>>
>> add:objectclass: top, person, inetorgperson
>>
>> This is my last attempt at working around this "feature" before simply
>> dropping it. It has turned out to be almost more trouble than it is worth.
>>
>> In any case, this patch drops my hackish lex-based parser for the python
>> csv module. This works a bit nicer anyway. You do have to be a bit
>> careful about mixing ' and " though.
>>
>> What I've done is set the quote string to whatever the first character
>> of a line is, defaulting to ". In other words, if you want the quote
>> character to be ', then pass it as the first character in the update line.
>>
>> Something like:
>>
>> add:name:'"Here is a quoted value, and another", "and one more"'
>>
>> This breaks down to 2 values to be added:
>>
>> "Here is a quoted value, and another"
>> "and one more"
>>
>> rob
>
> ack.
>

pushed to master

From rcritten at redhat.com Tue May 19 13:52:55 2009
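Added example, not part of the archived thread and not the code from patch 213: one way to implement the quoting rule described in the message above with Python's csv module, run over constructed update lines. It assumes the `action:attribute:value` shape shown in the message and that only a leading single quote switches the quote character; the function names are hypothetical.

```python
import csv


def split_values(value):
    """Split the value part of an update line into attribute values.

    The quote character is ' when the value starts with ', otherwise the
    default ". (Assumption: surrounding whitespace is not significant.)
    """
    value = value.strip()
    quote = "'" if value[:1] == "'" else '"'
    # skipinitialspace drops the blank after each comma: "top, person"
    reader = csv.reader([value], quotechar=quote, skipinitialspace=True)
    values = []
    for row in reader:
        values.extend(row)
    return values


def parse_update_line(line):
    """Return (action, attribute, [values]) for one update line."""
    # Only the first two colons are separators; any later colon, such as
    # the ones in an LDAP URL, belongs to the value.
    parts = line.split(":", 2)
    if len(parts) != 3 or not parts[0].strip() or not parts[1].strip():
        raise ValueError("expected action:attribute:value, got %r" % line)
    action, attr, value = parts
    return action.strip(), attr.strip(), split_values(value)


# Constructed sample lines, not taken from any FreeIPA update file.
SAMPLES = [
    # plain comma-separated list, no quoting needed
    "add:objectclass: top, person, inetorgperson",
    # values that contain commas: quote each one
    "add:member:'uid=admin,cn=users', 'uid=test,cn=users'",
    # one value holding commas, colons and double quotes: start with '
    "add:aci:'(targetattr = \"cn\")(version 3.0; acl \"demo, constructed\";"
    " allow (read) userdn = \"ldap:///anyone\";)'",
    # mixing: the line starts with ", so ' is an ordinary character and
    # the second "quoted" value is split at its comma
    "add:description:\"it's, fine\", 'b, c'",
]


if __name__ == "__main__":
    for sample in SAMPLES:
        print(parse_update_line(sample))
```

The last sample is the mixing pitfall: once the first character has fixed the quote character, the other quote style no longer protects embedded commas.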
From: rcritten at redhat.com (Rob Crittenden)
Date: Tue, 19 May 2009 09:52:55 -0400
Subject: [Freeipa-devel] [PATCH] 214 csv parsing updates
In-Reply-To: <1242680454.5418.3.camel@jgd-dsk>
References: <4A0B3760.2050003@redhat.com> <1242680454.5418.3.camel@jgd-dsk>
Message-ID: <4A12B9B7.90500@redhat.com>

Jason Gerard DeRose wrote:
> On Wed, 2009-05-13 at 17:10 -0400, Rob Crittenden wrote:
>> Patches to two update files impacted by the csv parsing change.
>>
>> rob
>
> This patch won't apply. I'm working on a clean clone master of master
> with your 213 patch applied. I also tried it without the 213 patch
> applied in case the order was reversed, still no luck.
>
> Am I missing some other patch?
>

It relied on a patch you acked earlier, 192 Add task and ACI so
ipa-getkeytab can be delegated. I just pushed this and now this patch
(214) applies cleanly so you can take a better look.

rob

From rcritten at redhat.com Tue May 19 13:53:19 2009
From: rcritten at redhat.com (Rob Crittenden)
Date: Tue, 19 May 2009 09:53:19 -0400
Subject: [Freeipa-devel] [PATCH] 215 netgroup compat
In-Reply-To: <1242680702.5418.4.camel@jgd-dsk>
References: <4A0B3823.4010903@redhat.com> <1242680702.5418.4.camel@jgd-dsk>
Message-ID: <4A12B9CF.5020008@redhat.com>

Jason Gerard DeRose wrote:
> On Wed, 2009-05-13 at 17:14 -0400, Rob Crittenden wrote:
>> Add a schema-compat configuration to translate our netgroup
>> configuration into a standard netgroup triple. I'm including this in nis
>> because that is really the only place it is interesting.
>>
>> So to use this requires that both the schema-compat and nis plugins are
>> enabled.
>>
>> rob
>
> ack.
>

pushed to master

From rcritten at redhat.com Tue May 19 13:53:34 2009
From: rcritten at redhat.com (Rob Crittenden)
Date: Tue, 19 May 2009 09:53:34 -0400
Subject: [Freeipa-devel] [PATCH] 216 own apache config files
In-Reply-To: <1242681012.5418.5.camel@jgd-dsk>
References: <4A0C1D0A.3060804@redhat.com> <1242681012.5418.5.camel@jgd-dsk>
Message-ID: <4A12B9DE.2080506@redhat.com>

Jason Gerard DeRose wrote:
> On Thu, 2009-05-14 at 09:30 -0400, Rob Crittenden wrote:
>> The IPA Installer creates 2 Apache configuration files that aren't owned
>> by the ipa-server package. This patch rectifies that.
>>
>> rob
>
> ack.
>

pushed to master

From rcritten at redhat.com Tue May 19 13:53:56 2009
From: rcritten at redhat.com (Rob Crittenden)
Date: Tue, 19 May 2009 09:53:56 -0400
Subject: [Freeipa-devel] [PATCH] 217 change attribute used for hostnames
In-Reply-To: <1242681175.5418.6.camel@jgd-dsk>
References: <4A0B390C.6090709@redhat.com> <4A0B7785.6070501@redhat.com> <4A0D789D.5070907@redhat.com> <1242681175.5418.6.camel@jgd-dsk>
Message-ID: <4A12B9F4.1060103@redhat.com>

Jason Gerard DeRose wrote:
> On Fri, 2009-05-15 at 10:13 -0400, Rob Crittenden wrote:
>> Rob Crittenden wrote:
>>> Rob Crittenden wrote:
>>>> This goes along with the netgroup patch.
>>>>
>>>> We were using commonname to store the hostname. This made translating
>>>> hosts into triples difficult because the same attribute was used to
>>>> identify hosts as well as hostgroups.
>>>>
>>>> So we decided to use a new attribute, fqdn, instead.
>>>>
>>>> rob
>>> Sad to say I have to nack my own patch :-(
>>>
>>> I need to make fqdn a MUST attribute and also update the test cases.
>>>
>>> rob
>>>
>> Revised patch.
>>
>> rob
>
> ack.
>

pushed to master

From rcritten at redhat.com Tue May 19 13:55:18 2009
From: rcritten at redhat.com (Rob Crittenden)
Date: Tue, 19 May 2009 09:55:18 -0400
Subject: [Freeipa-devel] [PATCH] jderose 003 update TODO
In-Reply-To: <1242577556.3695.122.camel@localhost.localdomain>
References: <1241502565.29481.70.camel@jgd-dsk> <1242577556.3695.122.camel@localhost.localdomain>
Message-ID: <4A12BA46.90405@redhat.com>

Simo Sorce wrote:
> On Mon, 2009-05-04 at 23:49 -0600, Jason Gerard DeRose wrote:
>> This patch updates the TODO file based on discussion between Rob,
>> Pavel,
>> and I.
>>
>> I also changed it to have consistent reStructuredText formatting,
>> which
>> I've become a big fan of lately. ;)
>
> ack
>
> Simo.
>

pushed to master

From rcritten at redhat.com Tue May 19 13:56:34 2009
From: rcritten at redhat.com (Rob Crittenden)
Date: Tue, 19 May 2009 09:56:34 -0400
Subject: [Freeipa-devel] [PATCH] Add Encoder base class and method decorators to encode arguments/decode return values. Also - unit tests.
In-Reply-To: <1242682198.5418.9.camel@jgd-dsk>
References: <4A0C5993.5040005@redhat.com> <1242682198.5418.9.camel@jgd-dsk>
Message-ID: <4A12BA92.9080100@redhat.com>

Jason Gerard DeRose wrote:
> On Thu, 2009-05-14 at 19:49 +0200, Pavel Zuna wrote:
>> I was reviewing value encoding/decoding in the new LDAP backend after
>> yesterday's e-mail mini-discussion regarding attribute names with Rob. In a lot
>> of functions that pass values directly to python-ldap we have to encode
>> arguments coming from plugins and decode values coming from python-ldap in
>> return. To save some code and possibly save future backends from this encoding
>> hell, I wrote an Encoder base class and two function decorators. They're
>> supposed to be used like this:
>>
>> # import important stuff
>> from ipalib.encoder import Encoder, encode_args, decode_retval
>>
>> class ldap2(CrudBackend, Encoder):
>>
>>     # some code
>>
>>     @encode_args(1, 2, 3)
>>     @decode_retval()
>>     def find_entries(self, filter, attrs_list=None, base_dn='',
>>             scope=_ldap.SCOPE_SUBTREE, time_limit=1, size_limit=3000):
>>         # we don't have to care about encoding/decoding here anymore
>>         # and it saves at least 10 lines of code in this method, yay!
>>
>>     # some more code
>>
>> Pavel
>
> ack. I'm sure this will need some tuning as we start using it, but it
> looks like a great start and we should get it committed so we can move
> forward.
>

pushed to master

From rcritten at redhat.com Tue May 19 14:55:20 2009
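Added example, not part of the archived thread and not the ipalib.encoder code from Pavel's patch: a Python 3 sketch of how an Encoder base class with encode_args and decode_retval decorators, used as in the message above, can keep text-to-bytes conversion at the backend boundary. The method bodies, the FakeLdapBackend class and its return data are assumptions made for illustration.

```python
import functools


class Encoder:
    """Hypothetical base class: text <-> UTF-8 bytes, recursing into containers."""

    encoding = "utf-8"

    def encode(self, value):
        if isinstance(value, str):
            return value.encode(self.encoding)
        if isinstance(value, (list, tuple)):
            return type(value)(self.encode(v) for v in value)
        if isinstance(value, dict):
            return {self.encode(k): self.encode(v) for k, v in value.items()}
        return value  # None, numbers and bytes pass through unchanged

    def decode(self, value):
        if isinstance(value, bytes):
            try:
                return value.decode(self.encoding)
            except UnicodeDecodeError:
                return value  # binary attribute value: keep the raw bytes
        if isinstance(value, (list, tuple)):
            return type(value)(self.decode(v) for v in value)
        if isinstance(value, dict):
            return {self.decode(k): self.decode(v) for k, v in value.items()}
        return value


def encode_args(*targets):
    """Encode the positional indexes (0 is self) or keyword names given."""
    def decorate(func):
        @functools.wraps(func)
        def wrapper(*args, **kwargs):
            encoder = args[0]
            if not isinstance(encoder, Encoder):
                raise TypeError("encode_args must decorate an Encoder method")
            new_args = list(args)
            for target in targets:
                # An index past the supplied arguments means the caller
                # relied on a default, which is passed through as declared.
                if isinstance(target, int) and target < len(new_args):
                    new_args[target] = encoder.encode(new_args[target])
                elif isinstance(target, str) and target in kwargs:
                    kwargs[target] = encoder.encode(kwargs[target])
            return func(*new_args, **kwargs)
        return wrapper
    return decorate


def decode_retval():
    """Decode whatever the wrapped method returns."""
    def decorate(func):
        @functools.wraps(func)
        def wrapper(*args, **kwargs):
            return args[0].decode(func(*args, **kwargs))
        return wrapper
    return decorate


class FakeLdapBackend(Encoder):
    """Constructed stand-in for a backend that talks bytes to its library."""

    @encode_args(1, 2, 3)
    @decode_retval()
    def find_entries(self, filter, attrs_list=None, base_dn=""):
        self.seen = (filter, attrs_list, base_dn)  # what the method received
        # Constructed result: one entry as (dn, {attribute: [values]}).
        return [(b"uid=jos\xc3\xa9,cn=users",
                 {b"cn": [b"Jos\xc3\xa9"], b"jpegPhoto": [b"\xff\xd8\xff"]})]


if __name__ == "__main__":
    backend = FakeLdapBackend()
    print(backend.find_entries("(uid=jos\u00e9)", ["cn", "jpegPhoto"]))
    print(backend.seen)
```

Two behaviours to notice when running it: an argument left to its default is never encoded, and a value that is not valid UTF-8 comes back as bytes instead of raising.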
From: rcritten at redhat.com (Rob Crittenden)
Date: Tue, 19 May 2009 10:55:20 -0400
Subject: [Freeipa-devel] [PATCH] 218 add memberOf as MAY to ipaHost
Message-ID: <4A12C858.5030507@redhat.com>

Add memberOf as a MAY attribute to the ipaHost objectclass.

This will resolve BZ 499731.

rob
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-218-memberof.patch
Type: application/mbox
Size: 1842 bytes
Desc: not available

From ssorce at redhat.com Tue May 19 16:38:28 2009
From: ssorce at redhat.com (Simo Sorce)
Date: Tue, 19 May 2009 12:38:28 -0400
Subject: [Freeipa-devel] [PATCH] added prototype for sysdb_set_cached_password
In-Reply-To: <4A129A43.8000607@redhat.com>
References: <4A128541.70400@redhat.com> <4A129A43.8000607@redhat.com>
Message-ID: <1242751108.3546.43.camel@localhost.localdomain>

On Tue, 2009-05-19 at 07:38 -0400, Stephen Gallagher wrote:
> On 05/19/2009 06:09 AM, Sumit Bose wrote:
> > Hi,
> >
> > this patch just adds a missing sysdb prototype.
>
> Ack

pushed

Simo.

--
Simo Sorce * Red Hat, Inc * New York

From ssorce at redhat.com Tue May 19 16:38:48 2009
From: ssorce at redhat.com (Simo Sorce)
Date: Tue, 19 May 2009 12:38:48 -0400
Subject: [Freeipa-devel] [PATCH] call tevent_add_fd only once
In-Reply-To: <4A129B0D.9060907@redhat.com>
References: <4A1285BB.1050709@redhat.com> <4A129B0D.9060907@redhat.com>
Message-ID: <1242751128.3546.44.camel@localhost.localdomain>

On Tue, 2009-05-19 at 07:42 -0400, Stephen Gallagher wrote:
> On 05/19/2009 06:11 AM, Sumit Bose wrote:
> > Hi,
> >
> > this patch fixes the usage of tevent_add_fd in ldap_auth.c.
>
> Ack

pushed

Simo.

--
Simo Sorce * Red Hat, Inc * New York

From ssorce at redhat.com Tue May 19 16:44:24 2009
From: ssorce at redhat.com (Simo Sorce)
Date: Tue, 19 May 2009 12:44:24 -0400
Subject: [Freeipa-devel] [PATCHES][SSSD] Big automake conversion
In-Reply-To: <4A12A896.80304@redhat.com>
References: <4A11D3A4.5090402@redhat.com> <4A126794.6070209@redhat.com> <4A129E36.9040106@redhat.com> <4A12A252.7000800@redhat.com> <4A12A5C9.4040603@redhat.com> <4A12A896.80304@redhat.com>
Message-ID: <1242751464.3546.47.camel@localhost.localdomain>

On Tue, 2009-05-19 at 14:39 +0200, Sumit Bose wrote:
>
> still an ACK from me

Ok all patches have been pushed.

They are not perfect and we already found a couple minor nitpicks.
esp. sssd is building against DSOs for the collection and init
libraries instead of static versions, so make rpms is busted.
Steve promised to solve these issues with priority one, so I am pushing
what we have and will review an appropriate patch as soon as it is
ready.

Note, make install works because it installs *everything*, that's also a
bug that Steve will fix in due time.

Simo.

--
Simo Sorce * Red Hat, Inc * New York

From jderose at redhat.com Tue May 19 17:54:11 2009
From: jderose at redhat.com (Jason Gerard DeRose)
Date: Tue, 19 May 2009 11:54:11 -0600
Subject: [Freeipa-devel] [PATCH] 214 csv parsing updates
In-Reply-To: <4A12B9B7.90500@redhat.com>
References: <4A0B3760.2050003@redhat.com> <1242680454.5418.3.camel@jgd-dsk> <4A12B9B7.90500@redhat.com>
Message-ID: <1242755651.6135.13.camel@jgd-dsk>

On Tue, 2009-05-19 at 09:52 -0400, Rob Crittenden wrote:
> Jason Gerard DeRose wrote:
> > On Wed, 2009-05-13 at 17:10 -0400, Rob Crittenden wrote:
> >> Patches to two update files impacted by the csv parsing change.
> >>
> >> rob
> >
> > This patch won't apply. I'm working on a clean clone master of master
> > with your 213 patch applied. I also tried it without the 213 patch
> > applied in case the order was reversed, still no luck.
> >
> > Am I missing some other patch?
> >
>
> It relied on a patch you acked earlier, 192 Add task and ACI so
> ipa-getkeytab can be delegated. I just pushed this and now this patch
> (214) applies cleanly so you can take a better look.
>
> rob

ack. pushed to master.

From sgallagh at redhat.com Tue May 19 17:58:14 2009
From: sgallagh at redhat.com (Stephen Gallagher)
Date: Tue, 19 May 2009 13:58:14 -0400
Subject: [Freeipa-devel] [PATCHES] start/stop related fixes
In-Reply-To: <1242233642.17793.27.camel@zeppelin.englab.brq.redhat.com>
References: <1241106592.29393.40.camel@zeppelin.englab.brq.redhat.com> <1242233642.17793.27.camel@zeppelin.englab.brq.redhat.com>
Message-ID: <4A12F336.6050606@redhat.com>

On 05/13/2009 12:54 PM, Jakub Hrozek wrote:
> On Thu, 2009-04-30 at 17:49 +0200, Jakub Hrozek wrote:
>> The first one reads the config file before calling server_setup()
>> which
>> daemonizes, so errors in config file are caught before becoming a
>> daemon. Would it make sense to do as many configuration steps (from
>> monitor_process_init() - like actually initializing confdb etc.) as
>> possible before the daemonization?
>>
>> Fix initscript return codes is pretty straightforward - just return
>> correct values in initscript functions. These two patches should
>> address
>> ticket #28.
>
> I rebased the 0001-Read-the-config-before-startup patch so it can be
> applied on top of the recent commits.
>
> Are there any other changes needed before this patch and the
> 0002-Fix-initscript-return-codes.patch from the original message can be
> applied?
>
> Jakub

0001: ACK
0002: ACK

--
Stephen Gallagher
RHCE 804006346421761

Looking to carve out IT costs?
www.redhat.com/carveoutcosts/

From sgallagh at redhat.com Tue May 19 18:16:43 2009
From: sgallagh at redhat.com (Stephen Gallagher)
Date: Tue, 19 May 2009 14:16:43 -0400
Subject: [Freeipa-devel] [PATCH][SSSD] Fix RPM generation in SSSD
Message-ID: <4A12F78B.70102@redhat.com>

See commit message for other comments.

--
Stephen Gallagher
RHCE 804006346421761

Looking to carve out IT costs?
www.redhat.com/carveoutcosts/
-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: 0001-Fix-RPM-generation-issues-with-sssd.patch

From rcritten at redhat.com Tue May 19 19:28:02 2009
From: rcritten at redhat.com (Rob Crittenden)
Date: Tue, 19 May 2009 15:28:02 -0400
Subject: [Freeipa-devel] [PATCH] 219 enable portmap/rpcbind when enabling the nis listener
Message-ID: <4A130842.5020106@redhat.com>

When enabling the NIS plugin try to chkconfig on either the portmap or
rpcbind service to start on boot and alert the user to start them when
they restart dirsrv.

rob
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-219-chkconfig.patch
Type: application/mbox
Size: 1823 bytes
Desc: not available

From jderose at redhat.com Tue May 19 19:57:10 2009
From: jderose at redhat.com (Jason Gerard DeRose)
Date: Tue, 19 May 2009 13:57:10 -0600
Subject: [Freeipa-devel] [PATCH] jderose 008 fix errors.NotFound doctest
Message-ID: <1242763030.6135.16.camel@jgd-dsk>

The docstring in errors.NotFound wasn't passing the doctest anymore.
This is a trivial fix.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-jderose-008-fix-errors.NotFound-doctest.patch
Type: text/x-patch
Size: 834 bytes
Desc: not available

From rcritten at redhat.com Tue May 19 20:13:24 2009
From: rcritten at redhat.com (Rob Crittenden)
Date: Tue, 19 May 2009 16:13:24 -0400
Subject: [Freeipa-devel] [PATCH] jderose 008 fix errors.NotFound doctest
In-Reply-To: <1242763030.6135.16.camel@jgd-dsk>
References: <1242763030.6135.16.camel@jgd-dsk>
Message-ID: <4A1312E4.4050406@redhat.com>

Jason Gerard DeRose wrote:
> The docstring in errors.NotFound wasn't passing the doctest anymore.
> This is a trivial fix.
>
>

ack

From rcritten at redhat.com Tue May 19 20:14:13 2009
From: rcritten at redhat.com (Rob Crittenden)
Date: Tue, 19 May 2009 16:14:13 -0400
Subject: [Freeipa-devel] [PATCH] jderose 008 fix errors.NotFound doctest
In-Reply-To: <1242763030.6135.16.camel@jgd-dsk>
References: <1242763030.6135.16.camel@jgd-dsk>
Message-ID: <4A131315.8060702@redhat.com>

Jason Gerard DeRose wrote:
> The docstring in errors.NotFound wasn't passing the doctest anymore.
> This is a trivial fix.

ack

From rcritten at redhat.com Tue May 19 20:15:23 2009
From: rcritten at redhat.com (Rob Crittenden)
Date: Tue, 19 May 2009 16:15:23 -0400
Subject: [Freeipa-devel] [PATCH] jderose 007 part1 of limiting param to certain contexts
In-Reply-To: <1242201120.24342.14.camel@jgd-dsk>
References: <1242201120.24342.14.camel@jgd-dsk>
Message-ID: <4A13135B.6030105@redhat.com>

Jason Gerard DeRose wrote:
> Both Andrew and Rob have requested the ability to limit a parameter to
> certain contexts (server, cli, webui, whatever).
>
> I had started work on this a while ago (not all of it ever made it into
> master), but my previous work only allowed you to specify contexts you
> wanted a param active in... you couldn't instead specify contexts you
> *didn't* want a param to be active in.
>
> So this patch removes the Param.limit_to kwarg and adds Param.include and
> Param.exclude kwargs. For example:
>
> Str('webui', include=['webui']) # Only active when in 'webui' context.
>
> Str('client_only', exclude=['server']) # All contexts except 'server'
>
> Only the 'include' or 'exclude' kwarg can be specified at once; if you
> provide both, a ValueError is raised.
>
> This patch also adds a new frontend.UsesParams base class with methods
> implementing the filtering. This new functionality doesn't do anything
> yet till I change Command and Object to subclass from UsesParams, which
> will come in a separate patch.
>
> Lastly, this patch also includes fairly extensive tests for these new
> features (UsesParams is at this point tested only through doctests).

ack

From jderose at redhat.com Tue May 19 20:45:55 2009
From: jderose at redhat.com (Jason Gerard DeRose)
Date: Tue, 19 May 2009 14:45:55 -0600
Subject: [Freeipa-devel] [PATCH] jderose 008 fix errors.NotFound doctest
In-Reply-To: <4A131315.8060702@redhat.com>
References: <1242763030.6135.16.camel@jgd-dsk> <4A131315.8060702@redhat.com>
Message-ID: <1242765955.6135.17.camel@jgd-dsk>

On Tue, 2009-05-19 at 16:14 -0400, Rob Crittenden wrote:
> Jason Gerard DeRose wrote:
> > The docstring in errors.NotFound wasn't passing the doctest anymore.
> > This is a trivial fix.
>
> ack

pushed to master.

From jderose at redhat.com Tue May 19 20:46:17 2009
From: jderose at redhat.com (Jason Gerard DeRose)
Date: Tue, 19 May 2009 14:46:17 -0600
Subject: [Freeipa-devel] [PATCH] jderose 007 part1 of limiting param to certain contexts
In-Reply-To: <4A13135B.6030105@redhat.com>
References: <1242201120.24342.14.camel@jgd-dsk> <4A13135B.6030105@redhat.com>
Message-ID: <1242765977.6135.18.camel@jgd-dsk>

On Tue, 2009-05-19 at 16:15 -0400, Rob Crittenden wrote:
> Jason Gerard DeRose wrote:
> > Both Andrew and Rob have requested the ability to limit a parameter to
> > certain contexts (server, cli, webui, whatever).
> >
> > I had started work on this a while ago (not all of it ever made it into
> > master), but my previous work only allowed you to specify contexts you
> > wanted a param active in... you couldn't instead specify contexts you
> > *didn't* want a param to be active in.
> >
> > So this patch removes the Param.limit_to kwarg and adds Param.include and
> > Param.exclude kwargs. For example:
> >
> > Str('webui', include=['webui']) # Only active when in 'webui' context.
> >
> > Str('client_only', exclude=['server']) # All contexts except 'server'
> >
> > Only the 'include' or 'exclude' kwarg can be specified at once; if you
> > provide both, a ValueError is raised.
> >
> > This patch also adds a new frontend.UsesParams base class with methods
> > implementing the filtering. This new functionality doesn't do anything
> > yet till I change Command and Object to subclass from UsesParams, which
> > will come in a separate patch.
> >
> > Lastly, this patch also includes fairly extensive tests for these new
> > features (UsesParams is at this point tested only through doctests).
>
> ack

pushed to master.

From ssorce at redhat.com Wed May 20 14:22:50 2009
From: ssorce at redhat.com (Simo Sorce)
Date: Wed, 20 May 2009 10:22:50 -0400
Subject: [Freeipa-devel] Re: [PATCH][SSSD] Fix RPM generation in SSSD
In-Reply-To: <4A12F78B.70102@redhat.com>
References: <4A12F78B.70102@redhat.com>
Message-ID: <1242829370.3546.81.camel@localhost.localdomain>

On Tue, 2009-05-19 at 14:16 -0400, Stephen Gallagher wrote:
> See commit message for other comments.

Looks fine but I think we need the following patch too.
If you ack mine I'll push both.

Simo.

--
Simo Sorce * Red Hat, Inc * New York
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0001-Fix-spec-file.patch
Type: text/x-patch
Size: 1607 bytes
Desc: not available

From sgallagh at redhat.com Wed May 20 14:25:02 2009
From: sgallagh at redhat.com (Stephen Gallagher)
Date: Wed, 20 May 2009 10:25:02 -0400
Subject: [Freeipa-devel] Re: [PATCH][SSSD] Fix RPM generation in SSSD
In-Reply-To: <1242829370.3546.81.camel@localhost.localdomain>
References: <4A12F78B.70102@redhat.com> <1242829370.3546.81.camel@localhost.localdomain>
Message-ID: <4A1412BE.6070707@redhat.com>

On 05/20/2009 10:22 AM, Simo Sorce wrote:
> On Tue, 2009-05-19 at 14:16 -0400, Stephen Gallagher wrote:
>> See commit message for other comments.
>
> Looks fine but I think we need the following patch too.
> If you ack mine I'll push both.
>
> Simo.
>

Ack

--
Stephen Gallagher
RHCE 804006346421761

Looking to carve out IT costs?
www.redhat.com/carveoutcosts/

From ssorce at redhat.com Wed May 20 15:46:52 2009
From: ssorce at redhat.com (Simo Sorce)
Date: Wed, 20 May 2009 11:46:52 -0400
Subject: [Freeipa-devel] Re: [PATCH][SSSD] Fix RPM generation in SSSD
In-Reply-To: <4A1412BE.6070707@redhat.com>
References: <4A12F78B.70102@redhat.com> <1242829370.3546.81.camel@localhost.localdomain> <4A1412BE.6070707@redhat.com>
Message-ID: <1242834412.3546.89.camel@localhost.localdomain>

On Wed, 2009-05-20 at 10:25 -0400, Stephen Gallagher wrote:
> On 05/20/2009 10:22 AM, Simo Sorce wrote:
> > On Tue, 2009-05-19 at 14:16 -0400, Stephen Gallagher wrote:
> >> See commit message for other comments.
> >
> > Looks fine but I think we need the following patch too.
> > If you ack mine I'll push both.
> >
> > Simo.
> >
> Ack

ok pushed both

Simo.

--
Simo Sorce * Red Hat, Inc * New York

From rcritten at redhat.com Wed May 20 17:35:17 2009
From: rcritten at redhat.com (Rob Crittenden)
Date: Wed, 20 May 2009 13:35:17 -0400
Subject: [Freeipa-devel] [PATCH] 220 raise exception if can't get CA chain
Message-ID: <4A143F55.1020305@redhat.com>

If we can't retrieve the CA chain either because the data returned is
bogus or the CA can't provide it then we should handle it gracefully.

rob
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-220-chain.patch
Type: application/mbox
Size: 2508 bytes
Desc: not available

From ssorce at redhat.com Wed May 20 17:47:15 2009
From: ssorce at redhat.com (Simo Sorce)
Date: Wed, 20 May 2009 13:47:15 -0400
Subject: [Freeipa-devel] [PATCH] 220 raise exception if can't get CA chain
In-Reply-To: <4A143F55.1020305@redhat.com>
References: <4A143F55.1020305@redhat.com>
Message-ID: <1242841635.3546.98.camel@localhost.localdomain>

On Wed, 2009-05-20 at 13:35 -0400, Rob Crittenden wrote:
> If we can't retrieve the CA chain either because the data returned is
> bogus or the CA can't provide it then we should handle it gracefully.

ack

Simo.

--
Simo Sorce * Red Hat, Inc * New York

From jderose at redhat.com Wed May 20 22:03:16 2009
From: jderose at redhat.com (Jason Gerard DeRose) Date: Wed, 20 May 2009 16:03:16 -0600 Subject: [Freeipa-devel] [PATCH] jderose 009 part 2 of limiting param to certain contexts Message-ID: <1242856996.2455.38.camel@jgd-dsk> This patch finishes my work to allow one to limit a parameter to only certain contexts, is the follow up to my 007 patch. This patch is fairly large but as far as I can tell is also totally benign: all the unit tests and doctests still pass (including the xmlrpc tests). Plus, as currently no plugins are using the `include` or `exclude` kwarg in their parameters, it should not change any high-level behavior. I renamed my `UsesParams` base class from the 007 patch to `HasParam`, from which now both `Command` and `Object` subclass. The context-based filtering is now enabled for the 'Command.args`, `Command.options`, and `Object.params` parameter namespaces. This patch includes docstrings that hopefully explain how this all works. Because the docstrings are much easier to read via the epydoc generated documentation, I built the documentation and uploaded it to my fedorapeople page: http://jderose.fedorapeople.org/freeipa2-dev-doc/ For reviewing this patch, I would start with the Param.use_in_context() docstring: http://jderose.fedorapeople.org/freeipa2-dev-doc/ipalib.parameters.Param-class.html#use_in_context And then read the HasParam class docstring: http://jderose.fedorapeople.org/freeipa2-dev-doc/ipalib.frontend.HasParam-class.html I'll no doubt have additional small follow up patches soon, but I'd like to get this committed so we don't get too far out of sync. -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-jderose-009-part2-of-limiting-param-to-certain-contexts.patch Type: text/x-patch Size: 31583 bytes Desc: not available URL: From jderose at redhat.com Wed May 20 22:52:37 2009 
From: jderose at redhat.com (Jason Gerard DeRose) Date: Wed, 20 May 2009 16:52:37 -0600 Subject: [Freeipa-devel] [PATCH] Add group plugin port to new LDAP backend. In-Reply-To: <4A126DED.6040307@redhat.com> References: <49F9B183.5090902@redhat.com> <49F9B10E.4060209@redhat.com> <49F9B8E8.1010403@redhat.com> <49F9E524.7040804@redhat.com> <4A083C90.40104@redhat.com> <4A0B0BA1.8080608@redhat.com> <1242683448.5418.12.camel@jgd-dsk> <4A126DED.6040307@redhat.com> Message-ID: <1242859957.2455.39.camel@jgd-dsk> ack. pushed to master. On Tue, 2009-05-19 at 10:29 +0200, Pavel Zuna wrote: > Jason Gerard DeRose wrote: > > On Wed, 2009-05-13 at 14:04 -0400, Rob Crittenden wrote: > >> Pavel Zuna wrote: > >>> Rob Crittenden wrote: > >>>> Pavel Zuna wrote: > >>>>> Rob Crittenden wrote: > >>>>>> Pavel Zuna wrote: > >>>>>>> By the way, there's a little bug I discovered while testing this > >>>>>>> plugin. It affects the old group plugin as well. When trying to > >>>>>>> modify a group into a posixGroup, gidNumber doesn't get generated > >>>>>>> automatically resulting in a object violation LDAP error. Solution > >>>>>>> is to generate it ourselves, but I didn't know how it works, so I > >>>>>>> commented that part out for now. (/FIXME in vim) > >>>>>>> > >>>>>> This should be fixed in FDS 1.2. Can you update and give it a try? > >>>>>> > >>>>>> rob > >>>>> Sure, just updated and you're right, it works. :) > >>>>> Updated patch attached. > >>>>> > >>>>> Pavel > >>>> nack. This won't handle someone using group-mod to set a specific > >>>> gidnumber. The posixGroup objectclass won't be added. > >>>> > >>>> rob > >>> Fixed patch attached. > >>> > >>> Pavel > >> The basegroup2 part looks ok but nack on group2. > > > > So is there an update on this yet, Pavel? I was trying to review your > > 0001-Fix-counting..., 0002-Add-houstgroup..., and 0003-Add-netgroup... > > patches, but they depend on this patch here. > > Attached, but camelCase is still there for now. 
I'm currently testing > the Encoder class with ldap2 and will post a patch soon that makes all > plugins2 use lowercase when referring to LDAP attributes. > > >> I think we should stick with using lower-case attribute names as a rule > >> of thumb rather than camel case. In any case you test for the string > >> posixGroup is in the list of objectclasses, this test needs to be case > >> insensitive. > >> > >> I also wonder if we should be using ldap.get_entry(). Why use this over > >> group-show? > >> > >> I'm not sure if the logic around setting gidnumber is right. If you set > >> the gidnumber but aren't using the --posix flag it looks like it will > >> always append posixgroup to the list of objectclasses. I'm pretty sure > >> the LDAP server is going to reject the update. I suppose making a > >> list(set(objectclasses)) would work for de-duping. > >> > >> rob > > > Pavel From jderose at redhat.com Wed May 20 22:57:13 2009 From: jderose at redhat.com (Jason Gerard DeRose) Date: Wed, 20 May 2009 16:57:13 -0600 Subject: [Freeipa-devel] [PATCHES] Fix counting of successfully added members. Add checks for use_ldap2 in group2. Some cosmetic changes. + Add hostgroup plugin port to new LDAP backend. + Add netgroup plugin port to new LDAP backend. In-Reply-To: <4A09B72F.2090902@redhat.com> References: <4A09B72F.2090902@redhat.com> Message-ID: <1242860233.2455.40.camel@jgd-dsk> On Tue, 2009-05-12 at 19:51 +0200, Pavel Zuna wrote: > Patch 0001: Fix counting of successfully added members. Add checks for use_ldap2 > in group2. Some cosmetic changes. > > Patch 0002: Add hostgroup plugin port to new LDAP backend. > > Patch 0003: Add netgroup plugin port to new LDAP backend. > > I think the patch names say it all. > > Pavel ack to all three. pushed to master. From jhrozek at redhat.com Thu May 21 11:58:05 2009 
From: jhrozek at redhat.com (Jakub Hrozek) Date: Thu, 21 May 2009 13:58:05 +0200 Subject: [Freeipa-devel] [PATCH] Fix version extraction in release script Message-ID: <1242907085.29353.1.camel@zeppelin.englab.brq.redhat.com> att. Jakub -------------- next part -------------- A non-text attachment was scrubbed... Name: 0001-Fix-version-extraction-in-release-script.patch Type: text/x-patch Size: 764 bytes Desc: not available URL: From sgallagh at redhat.com Thu May 21 12:11:10 2009 From: sgallagh at redhat.com (Stephen Gallagher) Date: Thu, 21 May 2009 08:11:10 -0400 Subject: [Freeipa-devel] [PATCH] Fix version extraction in release script In-Reply-To: <1242907085.29353.1.camel@zeppelin.englab.brq.redhat.com> References: <1242907085.29353.1.camel@zeppelin.englab.brq.redhat.com> Message-ID: <4A1544DE.3090409@redhat.com> On 05/21/2009 07:58 AM, Jakub Hrozek wrote: > att. > > Jakub Nice catch. I missed that completely. Ack. -- Stephen Gallagher RHCE 804006346421761 Looking to carve out IT costs? www.redhat.com/carveoutcosts/ From pzuna at redhat.com Thu May 21 13:44:18 2009
From: pzuna at redhat.com (Pavel Zuna) Date: Thu, 21 May 2009 15:44:18 +0200 Subject: [Freeipa-devel] [PATCH] Fix bug in group2-mod command. Message-ID: <4A155AB2.3060005@redhat.com> It was fixed in the last "Add group plugin port to new LDAP backend." patch and reintroduced by "Fix counting of successfully added members. Add checks for use_ldap2 in group2. Some cosmetic changes." patch. This fixes it again. Pavel -------------- next part -------------- A non-text attachment was scrubbed... Name: 0001-Fix-bug-in-group2-mod-command.patch Type: application/mbox Size: 1254 bytes Desc: not available URL: From pzuna at redhat.com Thu May 21 14:12:40 2009
From: pzuna at redhat.com (Pavel Zuna) Date: Thu, 21 May 2009 16:12:40 +0200 Subject: [Freeipa-devel] [PATCH] jderose 009 part 2 of limiting param to certain contexts In-Reply-To: <1242856996.2455.38.camel@jgd-dsk> References: <1242856996.2455.38.camel@jgd-dsk> Message-ID: <4A156158.1000802@redhat.com> Jason Gerard DeRose wrote: > This patch finishes my work to allow one to limit a parameter to only > certain contexts, is the follow up to my 007 patch. > > This patch is fairly large but as far as I can tell is also totally > benign: all the unit tests and doctests still pass (including the xmlrpc > tests). Plus, as currently no plugins are using the `include` or > `exclude` kwarg in their parameters, it should not change any high-level > behavior. > > I renamed my `UsesParams` base class from the 007 patch to `HasParam`, > from which now both `Command` and `Object` subclass. The context-based > filtering is now enabled for the 'Command.args`, `Command.options`, and > `Object.params` parameter namespaces. > > This patch includes docstrings that hopefully explain how this all > works. Because the docstrings are much easier to read via the epydoc > generated documentation, I built the documentation and uploaded it to my > fedorapeople page: > > http://jderose.fedorapeople.org/freeipa2-dev-doc/ > > For reviewing this patch, I would start with the Param.use_in_context() > docstring: > > http://jderose.fedorapeople.org/freeipa2-dev-doc/ipalib.parameters.Param-class.html#use_in_context > > And then read the HasParam class docstring: > > http://jderose.fedorapeople.org/freeipa2-dev-doc/ipalib.frontend.HasParam-class.html > > I'll no doubt have additional small follow up patches soon, but I'd like > to get this committed so we don't get too far out of sync. ack. Pavel From sgallagh at redhat.com Thu May 21 14:36:55 2009 
From: sgallagh at redhat.com (Stephen Gallagher) Date: Thu, 21 May 2009 10:36:55 -0400 Subject: [Freeipa-devel] [PATCH] Fix version extraction in release script In-Reply-To: <4A1544DE.3090409@redhat.com> References: <1242907085.29353.1.camel@zeppelin.englab.brq.redhat.com> <4A1544DE.3090409@redhat.com> Message-ID: <4A156707.9010208@redhat.com> On 05/21/2009 08:11 AM, Stephen Gallagher wrote: > On 05/21/2009 07:58 AM, Jakub Hrozek wrote: >> att. >> >> Jakub > > Nice catch. I missed that completely. > > Ack. Actually, I'm going to revise my ack on this. Should we update this script to use "make dist-gzip", since this now works accurately? -- Stephen Gallagher RHCE 804006346421761 Looking to carve out IT costs? www.redhat.com/carveoutcosts/ From sgallagh at redhat.com Thu May 21 15:20:41 2009
From: sgallagh at redhat.com (Stephen Gallagher) Date: Thu, 21 May 2009 11:20:41 -0400 Subject: [Freeipa-devel] [PATCH][SSSD] Fix libtool build Message-ID: <4A157149.7070506@redhat.com> Several other general build system fixes are included. See commit message for more details. -- Stephen Gallagher RHCE 804006346421761 Looking to carve out IT costs? www.redhat.com/carveoutcosts/ -------------- next part -------------- An embedded and charset-unspecified text was scrubbed... Name: 0001-Clean-up-automake-build-to-work-on-older-versions-of.patch URL: From jhrozek at redhat.com Thu May 21 16:09:19 2009 From: jhrozek at redhat.com (Jakub Hrozek) Date: Thu, 21 May 2009 18:09:19 +0200 Subject: [Freeipa-devel] [PATCH] Fix version extraction in release script In-Reply-To: <4A156707.9010208@redhat.com> References: <1242907085.29353.1.camel@zeppelin.englab.brq.redhat.com> <4A1544DE.3090409@redhat.com> <4A156707.9010208@redhat.com> Message-ID: <1242922159.29353.17.camel@zeppelin.englab.brq.redhat.com> On Thu, 2009-05-21 at 10:36 -0400, Stephen Gallagher wrote: > Actually, I'm going to revise my ack on this. Should we update this > script to use "make dist-gzip", since this now works accurately? > The main difference I see is that git-archive is given a "tree-ish", in our case the git tag for the version we're making the archive for and will use only that. In contrast, make dist-gzip would tar up everything in the current directory. I don't have a strong preference between these two. FWIW, attached is a version that uses make dist-gzip for generating the tarball.. Jakub -------------- next part -------------- A non-text attachment was scrubbed... Name: 0001-Fix-release.sh.patch Type: text/x-patch Size: 892 bytes Desc: not available URL: From sgallagh at redhat.com Thu May 21 16:12:50 2009
From: sgallagh at redhat.com (Stephen Gallagher) Date: Thu, 21 May 2009 12:12:50 -0400 Subject: [Freeipa-devel] [PATCH] Fix version extraction in release script In-Reply-To: <1242922159.29353.17.camel@zeppelin.englab.brq.redhat.com> References: <1242907085.29353.1.camel@zeppelin.englab.brq.redhat.com> <4A1544DE.3090409@redhat.com> <4A156707.9010208@redhat.com> <1242922159.29353.17.camel@zeppelin.englab.brq.redhat.com> Message-ID: <4A157D82.6090405@redhat.com> On 05/21/2009 12:09 PM, Jakub Hrozek wrote: > On Thu, 2009-05-21 at 10:36 -0400, Stephen Gallagher wrote: >> Actually, I'm going to revise my ack on this. Should we update this >> script to use "make dist-gzip", since this now works accurately? >> > > The main difference I see is that git-archive is given a "tree-ish", in > our case the git tag for the version we're making the archive for and > will use only that. In contrast, make dist-gzip would tar up everything > in the current directory. > > I don't have a strong preference between these two. FWIW, attached is a > version that uses make dist-gzip for generating the tarball.. > > Jakub make dist-gzip doesn't tar up everything in the directory. It tars up only those files known to automake. (It is an autogenerated make target). Frankly, the output of git-archive and make dist-gzip should be identical, or else we have made a mistake in our automake somewhere. I'd rather use make dist-gzip because it will be more obvious that we forgot something in the makefiles (because builds from the tar will break). -- Stephen Gallagher RHCE 804006346421761 Looking to carve out IT costs? www.redhat.com/carveoutcosts/ From ssorce at redhat.com Thu May 21 18:06:19 2009
From: ssorce at redhat.com (Simo Sorce) Date: Thu, 21 May 2009 14:06:19 -0400 Subject: [Freeipa-devel] [PATCH] Fix version extraction in release script In-Reply-To: <4A157D82.6090405@redhat.com> References: <1242907085.29353.1.camel@zeppelin.englab.brq.redhat.com> <4A1544DE.3090409@redhat.com> <4A156707.9010208@redhat.com> <1242922159.29353.17.camel@zeppelin.englab.brq.redhat.com> <4A157D82.6090405@redhat.com> Message-ID: <1242929179.32121.5.camel@localhost.localdomain> On Thu, 2009-05-21 at 12:12 -0400, Stephen Gallagher wrote: > On 05/21/2009 12:09 PM, Jakub Hrozek wrote: > > On Thu, 2009-05-21 at 10:36 -0400, Stephen Gallagher wrote: > >> Actually, I'm going to revise my ack on this. Should we update this > >> script to use "make dist-gzip", since this now works accurately? > >> > > > > The main difference I see is that git-archive is given a "tree-ish", in > > our case the git tag for the version we're making the archive for and > > will use only that. In contrast, make dist-gzip would tar up everything > > in the current directory. > > > > I don't have a strong preference between these two. FWIW, attached is a > > version that uses make dist-gzip for generating the tarball.. > > > > Jakub > > make dist-gzip doesn't tar up everything in the directory. It tars up > only those files known to automake. (It is an autogenerated make target). > > Frankly, the output of git-archive and make dist-gzip should be > identical, or else we have made a mistake in our automake somewhere. > > I'd rather use make dist-gzip because it will be more obvious that we > forgot something in the makefiles (because builds from the tar will break). git-archive takes from a git tag, this assures that whatever we release is what we want to release. If you really want to use make dist then you should do a git-archive, unpack it, make dist-gzip in the unpacked dir and use this new tarball, a bit convoluted tho, and usually redundant. Simo.
-- Simo Sorce * Red Hat, Inc * New York From rcritten at redhat.com Thu May 21 18:34:00 2009 
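The check that the git-archive versus make dist-gzip exchange above turns on, as an added example that is not part of the thread or of the project's release script: it compares a tarball exported from the tag with a tarball produced by make dist and reports tracked files the dist tarball lacks, files it adds, and files whose content differs from the tag. The file names, the `pkg-0.0.0` prefix and the allow-list of generated autotools files are assumptions, and both tarballs are constructed in memory as stand-ins for the real tool output.

```python
import hashlib
import io
import tarfile


def make_tarball(prefix, files):
    """Build an in-memory .tar.gz holding `files` under one top-level directory."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for name, data in sorted(files.items()):
            info = tarfile.TarInfo(name=f"{prefix}/{name}")
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


def manifest(tarball):
    """Return {relative path: SHA-256 hex digest} for every regular file."""
    digests = {}
    with tarfile.open(fileobj=io.BytesIO(tarball), mode="r:*") as tar:
        for member in tar:
            if not member.isfile():
                continue
            # Drop the top-level directory (the archive prefix / dist directory).
            _, _, rel = member.name.partition("/")
            if rel:
                data = tar.extractfile(member).read()
                digests[rel] = hashlib.sha256(data).hexdigest()
    return digests


def compare_release(tag_tarball, dist_tarball, generated=()):
    """Diff a tag export against a dist tarball.

    missing_from_dist:  tracked in the tag but absent from the dist tarball,
                        i.e. a file the makefiles forgot to distribute.
    unexpected_in_dist: shipped but not in the tag and not an expected
                        generated file (hypothetical allow-list `generated`).
    content_differs:    same path, different bytes, i.e. the dist tarball was
                        built from a tree that does not match the tag.
    """
    tag = manifest(tag_tarball)
    dist = manifest(dist_tarball)
    allowed = set(generated)
    return {
        "missing_from_dist": sorted(set(tag) - set(dist)),
        "unexpected_in_dist": sorted(set(dist) - set(tag) - allowed),
        "content_differs": sorted(
            path for path in set(tag) & set(dist) if tag[path] != dist[path]
        ),
    }


def release_is_clean(report):
    """True only when the dist tarball is the tagged tree plus generated files."""
    return not any(report.values())


# Constructed sample trees (not taken from any real project).
TAGGED_TREE = {
    "configure.ac": b"AC_INIT([pkg], [0.0.0])\n",
    "Makefile.am": b"SUBDIRS = src\n",
    "src/main.c": b"int main(void) { return 0; }\n",
    "src/util.h": b"#define UTIL_H 1\n",
}
DIST_TREE = {
    "configure.ac": TAGGED_TREE["configure.ac"],
    "Makefile.am": TAGGED_TREE["Makefile.am"],
    # Uncommitted local edit that leaked into the tarball.
    "src/main.c": b"int main(void) { return 1; }\n",
    # src/util.h is absent: never listed in the makefiles.
    "configure": b"#!/bin/sh\n# generated\n",
    "Makefile.in": b"# generated\n",
    # Untracked file that was listed for distribution.
    "local.conf": b"debug = true\n",
}
GENERATED = ("configure", "Makefile.in")


def demo():
    tag_tgz = make_tarball("pkg-0.0.0", TAGGED_TREE)
    dist_tgz = make_tarball("pkg-0.0.0", DIST_TREE)
    return compare_release(tag_tgz, dist_tgz, generated=GENERATED)


if __name__ == "__main__":
    for category, paths in demo().items():
        print(f"{category}: {paths}")
```
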
From: rcritten at redhat.com (Rob Crittenden) Date: Thu, 21 May 2009 14:34:00 -0400 Subject: [Freeipa-devel] [PATCH] jderose 009 part 2 of limiting param to certain contexts In-Reply-To: <4A156158.1000802@redhat.com> References: <1242856996.2455.38.camel@jgd-dsk> <4A156158.1000802@redhat.com> Message-ID: <4A159E98.7000501@redhat.com> Pavel Zuna wrote: > Jason Gerard DeRose wrote: >> This patch finishes my work to allow one to limit a parameter to only >> certain contexts, is the follow up to my 007 patch. >> >> This patch is fairly large but as far as I can tell is also totally >> benign: all the unit tests and doctests still pass (including the xmlrpc >> tests). Plus, as currently no plugins are using the `include` or >> `exclude` kwarg in their parameters, it should not change any high-level >> behavior. >> >> I renamed my `UsesParams` base class from the 007 patch to `HasParam`, >> from which now both `Command` and `Object` subclass. The context-based >> filtering is now enabled for the 'Command.args`, `Command.options`, and >> `Object.params` parameter namespaces. >> >> This patch includes docstrings that hopefully explain how this all >> works. Because the docstrings are much easier to read via the epydoc >> generated documentation, I built the documentation and uploaded it to my >> fedorapeople page: >> >> http://jderose.fedorapeople.org/freeipa2-dev-doc/ >> >> For reviewing this patch, I would start with the Param.use_in_context() >> docstring: >> >> http://jderose.fedorapeople.org/freeipa2-dev-doc/ipalib.parameters.Param-class.html#use_in_context >> >> >> And then read the HasParam class docstring: >> >> http://jderose.fedorapeople.org/freeipa2-dev-doc/ipalib.frontend.HasParam-class.html >> >> >> I'll no doubt have additional small follow up patches soon, but I'd like >> to get this committed so we don't get too far out of sync. > > ack. > > Pavel Pushed to master. 
I also pushed the attached patch which resolves a couple of minor issues with it causing the build to break. rob -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-221-fix.patch Type: application/mbox Size: 1908 bytes Desc: not available URL: From rcritten at redhat.com Thu May 21 19:33:33 2009 From: rcritten at redhat.com (Rob Crittenden) Date: Thu, 21 May 2009 15:33:33 -0400 Subject: [Freeipa-devel] [PATCH] 222 generic kerberos exception format Message-ID: <4A15AC8D.1010801@redhat.com> I swear I added this already but here is a format string for the KerberosError exception so we can handle generic errors in a similar way that other kerberos tools do (display cryptic error messages). In some cases we'll catch a specific error and display a nicer message, this is just a catch-all. rob -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-222-kerberos.patch Type: application/mbox Size: 1103 bytes Desc: not available URL: From rcritten at redhat.com Thu May 21 19:35:39 2009
From: rcritten at redhat.com (Rob Crittenden) Date: Thu, 21 May 2009 15:35:39 -0400 Subject: [Freeipa-devel] [PATCH] 223 move ipalib in packaging Message-ID: <4A15AD0B.3020409@redhat.com> Move the ipalib python package to the ipa-python RPM sub-package. Jason and I had discussed renaming this to ipa-common to make a little more sense. I'll do that in the future, it is going to require a bit more testing than simply moving some files around. Also bumping up minimum version of slapi-nis to 0.15. I think we'll end up at an even higher minimum at some point once they get into the repos. This will do for now. rob -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-223-spec.patch Type: application/mbox Size: 1425 bytes Desc: not available URL: From jderose at redhat.com Thu May 21 20:10:30 2009
From: jderose at redhat.com (Jason Gerard DeRose) Date: Thu, 21 May 2009 14:10:30 -0600 Subject: [Freeipa-devel] [PATCH] jderose 009 part 2 of limiting param to certain contexts In-Reply-To: <4A159E98.7000501@redhat.com> References: <1242856996.2455.38.camel@jgd-dsk> <4A156158.1000802@redhat.com> <4A159E98.7000501@redhat.com> Message-ID: <1242936630.10171.1.camel@jgd-dsk> On Thu, 2009-05-21 at 14:34 -0400, Rob Crittenden wrote: > Pavel Zuna wrote: > > Jason Gerard DeRose wrote: > >> This patch finishes my work to allow one to limit a parameter to only > >> certain contexts, is the follow up to my 007 patch. > >> > >> This patch is fairly large but as far as I can tell is also totally > >> benign: all the unit tests and doctests still pass (including the xmlrpc > >> tests). Plus, as currently no plugins are using the `include` or > >> `exclude` kwarg in their parameters, it should not change any high-level > >> behavior. > >> > >> I renamed my `UsesParams` base class from the 007 patch to `HasParam`, > >> from which now both `Command` and `Object` subclass. The context-based > >> filtering is now enabled for the 'Command.args`, `Command.options`, and > >> `Object.params` parameter namespaces. > >> > >> This patch includes docstrings that hopefully explain how this all > >> works. 
Because the docstrings are much easier to read via the epydoc > >> generated documentation, I built the documentation and uploaded it to my > >> fedorapeople page: > >> > >> http://jderose.fedorapeople.org/freeipa2-dev-doc/ > >> > >> For reviewing this patch, I would start with the Param.use_in_context() > >> docstring: > >> > >> http://jderose.fedorapeople.org/freeipa2-dev-doc/ipalib.parameters.Param-class.html#use_in_context > >> > >> > >> And then read the HasParam class docstring: > >> > >> http://jderose.fedorapeople.org/freeipa2-dev-doc/ipalib.frontend.HasParam-class.html > >> > >> > >> I'll no doubt have additional small follow up patches soon, but I'd like > >> to get this committed so we don't get too far out of sync. > > > > ack. > > > > Pavel > > Pushed to master. > > I also pushed the attached patch which resolves a couple of minor issues > with it causing the build to break. > > rob Thanks. I forgot to mention that I'm now raising a TypeError if take_args, takes_options, or takes_params is a list instead of a tuple. Rob requested this a long time ago and I finally got around to it. From sgallagh at redhat.com Thu May 21 20:30:30 2009 
From: sgallagh at redhat.com (Stephen Gallagher) Date: Thu, 21 May 2009 16:30:30 -0400 Subject: [Freeipa-devel] [PATCH][SSSD] Implement Gettext framework for sss_clients Message-ID: <4A15B9E6.4010308@redhat.com> Contains only one example string, but the framework is now in place. This patch depends on the previous Automake patch I sent out. -- Stephen Gallagher RHCE 804006346421761 Looking to carve out IT costs? www.redhat.com/carveoutcosts/ -------------- next part -------------- An embedded and charset-unspecified text was scrubbed... Name: 0001-Initial-gettext-framework-for-sss_clients.patch URL: From jderose at redhat.com Thu May 21 20:51:23 2009 From: jderose at redhat.com (Jason Gerard DeRose) Date: Thu, 21 May 2009 14:51:23 -0600 Subject: [Freeipa-devel] [PATCH] 219 enable portmap/rpcbind when enabling the nis listener In-Reply-To: <4A130842.5020106@redhat.com> References: <4A130842.5020106@redhat.com> Message-ID: <1242939083.10171.4.camel@jgd-dsk> On Tue, 2009-05-19 at 15:28 -0400, Rob Crittenden wrote: > When enabling the NIS plugin try to chkconfig on either the portmap or > rpcbind service to start on boot and alert the user to start them when > they restart dirsrv. > > rob ack. pushed to master. From jderose at redhat.com Thu May 21 20:51:46 2009
From: jderose at redhat.com (Jason Gerard DeRose) Date: Thu, 21 May 2009 14:51:46 -0600 Subject: [Freeipa-devel] [PATCH] 220 raise exception if can't get CA chain In-Reply-To: <4A143F55.1020305@redhat.com> References: <4A143F55.1020305@redhat.com> Message-ID: <1242939106.10171.5.camel@jgd-dsk> On Wed, 2009-05-20 at 13:35 -0400, Rob Crittenden wrote: > If we can't retrieve the CA chain either because the data returned is > bogus or the CA can't provide it then we should handle it gracefully. > > rob ack, but i can't get it to apply to master. From yzhang at redhat.com Thu May 21 21:11:34 2009 From: yzhang at redhat.com (yi zhang) Date: Thu, 21 May 2009 14:11:34 -0700 Subject: [Freeipa-devel] [PATCH] 219 enable portmap/rpcbind when enabling the nis listener In-Reply-To: <1242939083.10171.4.camel@jgd-dsk> References: <4A130842.5020106@redhat.com> <1242939083.10171.4.camel@jgd-dsk> Message-ID: <4A15C386.1080107@redhat.com> Jason Gerard DeRose wrote: > On Tue, 2009-05-19 at 15:28 -0400, Rob Crittenden wrote: > >> When enabling the NIS plugin try to chkconfig on either the portmap or >> rpcbind service to start on boot and alert the user to start them when >> they restart dirsrv. >> >> rob >> According to Rob's last comment about how to enable nis plugin, the sequence is service portmap start -> service rpcbind start -> ipa-compat-manage enable -> ipa-nis-manage enable -> service dirsrv restart. Does this fix/patch change the way we enable/disable nis plugin? and when the nis is disabled, are we going to chkconfig portmap or rpcbind back? Thanks Yi > > ack. pushed to master. From rcritten at redhat.com Thu May 21 21:20:30 2009
From: rcritten at redhat.com (Rob Crittenden) Date: Thu, 21 May 2009 17:20:30 -0400 Subject: [Freeipa-devel] [PATCH] 219 enable portmap/rpcbind when enabling the nis listener In-Reply-To: <4A15C386.1080107@redhat.com> References: <4A130842.5020106@redhat.com> <1242939083.10171.4.camel@jgd-dsk> <4A15C386.1080107@redhat.com> Message-ID: <4A15C59E.2020402@redhat.com> yi zhang wrote: > Jason Gerard DeRose wrote: >> On Tue, 2009-05-19 at 15:28 -0400, Rob Crittenden wrote: >> >>> When enabling the NIS plugin try to chkconfig on either the portmap or >>> rpcbind service to start on boot and alert the user to start them when >>> they restart dirsrv. >>> >>> rob >>> > According to Rob's last comment about how to enable nis plugin, the > sequence is service portmap start -> service rpcbind start -> > ipa-compat-manage enable -> ipa-nis-manage enable -> service dirsrv restart. > > Does this fix/patch change the way we enable/disable nis plugin? and > when the nis is disabled, are we going to chkconfig portmap or rpcbind > back? > Hmm, interesting point. Right now it will be left on if you disable the NIS service. There isn't a downside to leaving it on (other than service exposure), perhaps a message warning them to verify it might be in order though. This doesn't start the service, just makes sure it will be enabled the next time the server is booted. So this is a long way of saying that yes, you still need to run through that process for now (and perhaps always, we'll see). rob From jderose at redhat.com Thu May 21 21:23:57 2009
From: jderose at redhat.com (Jason Gerard DeRose) Date: Thu, 21 May 2009 15:23:57 -0600 Subject: [Freeipa-devel] [PATCH] Fix bug in group2-mod command. In-Reply-To: <4A155AB2.3060005@redhat.com> References: <4A155AB2.3060005@redhat.com> Message-ID: <1242941037.10171.6.camel@jgd-dsk> On Thu, 2009-05-21 at 15:44 +0200, Pavel Zuna wrote: > It was fixed in the last "Add group plugin port to new LDAP backend." patch and > reintroduced by "Fix counting of successfully added members. Add checks for > use_ldap2 in group2. Some cosmetic changes." patch. This fixes it again. > > Pavel ack. pushed to master. From rcritten at redhat.com Thu May 21 21:34:01 2009 From: rcritten at redhat.com (Rob Crittenden) Date: Thu, 21 May 2009 17:34:01 -0400 Subject: [Freeipa-devel] [PATCH] 220 raise exception if can't get CA chain In-Reply-To: <1242939106.10171.5.camel@jgd-dsk> References: <4A143F55.1020305@redhat.com> <1242939106.10171.5.camel@jgd-dsk> Message-ID: <4A15C8C9.7020504@redhat.com> Jason Gerard DeRose wrote: > On Wed, 2009-05-20 at 13:35 -0400, Rob Crittenden wrote: >> If we can't retrieve the CA chain either because the data returned is >> bogus or the CA can't provide it then we should handle it gracefully. >> >> rob > > ack, but i can't get it to apply to master. > Rebased in errors.py and pushed to master. rob From jderose at redhat.com Thu May 21 21:55:09 2009
From: jderose at redhat.com (Jason Gerard DeRose) Date: Thu, 21 May 2009 15:55:09 -0600 Subject: [Freeipa-devel] [PATCH] 222 generic kerberos exception format In-Reply-To: <4A15AC8D.1010801@redhat.com> References: <4A15AC8D.1010801@redhat.com> Message-ID: <1242942909.10171.7.camel@jgd-dsk> On Thu, 2009-05-21 at 15:33 -0400, Rob Crittenden wrote: > I swear I added this already but here is a format string for the > KerberosError exception so we can handle generic errors in a similar way > that other kerberos tools do (display cryptic error messages). > > In some cases we'll catch a specific error and display a nicer message, > this is just a catch-all. > > rob ack. pushed to master. From jderose at redhat.com Thu May 21 21:55:23 2009 From: jderose at redhat.com (Jason Gerard DeRose) Date: Thu, 21 May 2009 15:55:23 -0600 Subject: [Freeipa-devel] [PATCH] 223 move ipalib in packaging In-Reply-To: <4A15AD0B.3020409@redhat.com> References: <4A15AD0B.3020409@redhat.com> Message-ID: <1242942923.10171.8.camel@jgd-dsk> On Thu, 2009-05-21 at 15:35 -0400, Rob Crittenden wrote: > Move the ipalib python package to the ipa-python RPM sub-package. > > Jason and I had discussed renaming this to ipa-common to make a little > more sense. I'll do that in the future, it is going to require a bit > more testing than simply moving some files around. > > Also bumping up minimum version of slapi-nis to 0.15. I think we'll end > up at an even higher minimum at some point once they get into the repos. > This will do for now. > > rob ack. pushed to master. From yzhang at redhat.com Thu May 21 22:09:10 2009 
From: yzhang at redhat.com (yi zhang)
Date: Thu, 21 May 2009 15:09:10 -0700
Subject: [Freeipa-devel] how to set/modify ipa user's password in non-interactive mode
Message-ID: <4A15D106.4090409@redhat.com>

Hi:
I am trying to create a user with initial password with "ipa add-user"
command in non-interactive mode. but no success.

I tried
ipa user-add --first=user --last=002 --home=/usershome/u002 --shell=/usr/bash --password=test123 u002
-- no luck

ipa user-add --first=user --last=002 --home=/usershome/u002 --shell=/usr/bash --password u002
-- brings me in interactive mode

I tried to create it first and then run "ipa passwd u002" but no luck as well
# ipa passwd u002
password:
Enter password again to verify:
ipa: ERROR: an internal error has occured <<--found a typo here, should be "occurred"

Any idea how I can do it in one line of code?

Thanks
Yi

From yzhang at redhat.com Thu May 21 22:31:55 2009
From: yzhang at redhat.com (yi zhang)
Date: Thu, 21 May 2009 15:31:55 -0700
Subject: [Freeipa-devel] how to set/modify ipa user's password in non-interactive mode
In-Reply-To: <4A15D106.4090409@redhat.com>
References: <4A15D106.4090409@redhat.com>
Message-ID: <4A15D65B.3060300@redhat.com>

yi zhang wrote:
> Hi:
> I am trying to create a user with initial password with "ipa add-user"
> command in non-interactive mode. but no success.
>
> I tried
> ipa user-add --first=user --last=002 --home=/usershome/u002
> --shell=/usr/bash --password=test123 u002
> -- no luck
>
> ipa user-add --first=user --last=002 --home=/usershome/u002
> --shell=/usr/bash --password u002
> -- brings me in interactive mode

just find a dirty way:
yes thisisapassword | ipa user-add --first=user --last=002 --home=/usershome/u002 --shell=/usr/bash --password u002
and it works

>
> I tried to create it first and then run "ipa passwd u002" but no luck
> as well
> # ipa passwd u002
> password:
> Enter password again to verify:
> ipa: ERROR: an internal error has occured <<--found a typo here,
> should be "occurred"
>
> Any idea how I can do it in one line of code?
>
> Thanks
>
> Yi
>
>
> ------------------------------------------------------------------------
>
> _______________________________________________
> Freeipa-devel mailing list
> Freeipa-devel at redhat.com
> https://www.redhat.com/mailman/listinfo/freeipa-devel

From rcritten at redhat.com Fri May 22 02:42:21 2009
From: rcritten at redhat.com (Rob Crittenden)
Date: Thu, 21 May 2009 22:42:21 -0400
Subject: [Freeipa-devel] [PATCH] Two trivial patches pushed
Message-ID: <4A16110D.2050203@redhat.com>

The first patch fixes a simple typo in our error messages,
occured->occurred.

The second fixes password setting on python 2.4 systems. The version of
python-ldap we have doesn't like None for the old password.

I've pushed both of these to master.

rob
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-224-typo.patch
Type: application/mbox
Size: 1416 bytes
Desc: not available
URL:
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-225-passwd.patch
Type: application/mbox
Size: 945 bytes
Desc: not available
URL:

From sbose at redhat.com Fri May 22 08:13:04 2009
From: sbose at redhat.com (Sumit Bose)
Date: Fri, 22 May 2009 10:13:04 +0200
Subject: [Freeipa-devel] [PATCH][SSSD] Fix libtool build
In-Reply-To: <4A157149.7070506@redhat.com>
References: <4A157149.7070506@redhat.com>
Message-ID: <4A165E90.2040400@redhat.com>

Stephen Gallagher wrote:
> Several other general build system fixes are included.
> See commit message for more details.
>

I needed the attached changes to make all warnings go away when running
autoreconf. Most important, there is still an LT_INIT in
dhash/configure.ac.

The other changes are all in replace/.

Simo, shall I send the replace cleanups, except the one for
configure.ac, to samba-technical?

bye,
Sumit
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0001-more-autotools-cleanup.patch
Type: text/x-patch
Size: 5421 bytes
Desc: not available
URL:

From sgallagh at redhat.com Fri May 22 10:36:04 2009
From: sgallagh at redhat.com (Stephen Gallagher)
Date: Fri, 22 May 2009 06:36:04 -0400
Subject: [Freeipa-devel] [PATCH][SSSD] Fix libtool build
In-Reply-To: <4A165E90.2040400@redhat.com>
References: <4A157149.7070506@redhat.com> <4A165E90.2040400@redhat.com>
Message-ID: <4A168014.2080109@redhat.com>

On 05/22/2009 04:13 AM, Sumit Bose wrote:
> Stephen Gallagher wrote:
>> Several other general build system fixes are included.
>> See commit message for more details.
>>
>
> I needed the attached changes to make all warnings go away when running
> autoreconf. Most important, there is still an LT_INIT in
> dhash/configure.ac.
>
> The other changes are all in replace/.
>
> Simo, shall I send the replace cleanups, except the one for
> configure.ac, to samba-technical?
>
> bye,
> Sumit

Sumit, thank you. I didn't realize I had missed the dhash change, but
unfortunately that patch isn't sufficient (as it will still be building
the shared objects). I will modify my patch and include the complete fix.

I'm aware of the m4 issues, but I had opted to ignore them for the time
being, since they were in a 3rd-party library. If this fixes them,
however, then I'm perfectly willing to include them.

Once I send my updated patch, please re-submit these warning fixes as a
separate patch.

--
Stephen Gallagher
RHCE 804006346421761

Looking to carve out IT costs?
www.redhat.com/carveoutcosts/

From sgallagh at redhat.com Fri May 22 10:47:34 2009
From: sgallagh at redhat.com (Stephen Gallagher)
Date: Fri, 22 May 2009 06:47:34 -0400
Subject: [Freeipa-devel] [PATCH][SSSD] Fix libtool build
In-Reply-To: <4A168014.2080109@redhat.com>
References: <4A157149.7070506@redhat.com> <4A165E90.2040400@redhat.com> <4A168014.2080109@redhat.com>
Message-ID: <4A1682C6.1080802@redhat.com>

On 05/22/2009 06:36 AM, Stephen Gallagher wrote:
>
> Sumit, thank you. I didn't realize I had missed the dhash change, but
> unfortunately that patch isn't sufficient (as it will still be building
> the shared objects). I will modify my patch and include the complete fix.
>

Sumit, sorry. I made that review from the diff alone, and didn't realize
that it was in fact complete because I'd converted the Makefile.am to
perform a noinst_ build. So you were right, that was a complete fix for
the problem. I have incorporated it into an updated patch, attached.

--
Stephen Gallagher
RHCE 804006346421761

Looking to carve out IT costs?
www.redhat.com/carveoutcosts/
-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: 0001-Clean-up-automake-build-to-work-on-older-versions-of.patch
URL:

From pzuna at redhat.com Fri May 22 11:19:26 2009
From: pzuna at redhat.com (Pavel Zuna)
Date: Fri, 22 May 2009 13:19:26 +0200
Subject: [Freeipa-devel] [PATCHES] Fix bug where finalized IPA object where trying to modify their member variables in Encoder methods. + Make ldap2 always return attribute names as lowercase. Add Encoder to ldap2 base class and use encode_args/decode_retval where applicable. + Patch 0003: Make plugins2 use lowercase when reffering to LDAP attributes.
Message-ID: <4A168A3E.80807@redhat.com>

Patch 0001: Fix bug where finalized IPA object where trying to modify their
member variables in Encoder methods.

I was trying to modify settings of the encoder inside its methods, but this is
impossible, because IPA API doesn't allow it after it was finalized.

Patch 0002: Make ldap2 always return attribute names as lowercase. Add Encoder
to ldap2 base class and use encode_args/decode_retval where applicable.

Patch 0003: Make plugins2 use lowercase when reffering to LDAP attributes.

Pavel
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0001-Fix-bug-where-finalized-IPA-object-where-trying-to-m.patch
Type: application/mbox
Size: 10363 bytes
Desc: not available
URL:
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0002-Make-ldap2-always-return-attribute-names-as-lowercas.patch
Type: application/mbox
Size: 15663 bytes
Desc: not available
URL:
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0003-Make-plugins2-use-lowercase-when-reffering-to-LDAP-a.patch
Type: application/mbox
Size: 20987 bytes
Desc: not available
URL:

From ssorce at redhat.com Fri May 22 12:46:24 2009
From: ssorce at redhat.com (Simo Sorce)
Date: Fri, 22 May 2009 08:46:24 -0400
Subject: [Freeipa-devel] [PATCH][SSSD] Fix libtool build
In-Reply-To: <4A165E90.2040400@redhat.com>
References: <4A157149.7070506@redhat.com> <4A165E90.2040400@redhat.com>
Message-ID: <1242996384.32121.16.camel@localhost.localdomain>

On Fri, 2009-05-22 at 10:13 +0200, Sumit Bose wrote:
>
> Simo, shall I send the replace cleanups, except the one for
> configure.ac, to samba-technical?

Sure, if they apply (remember we do not use libtool in samba).

Simo.

--
Simo Sorce * Red Hat, Inc * New York

From sgallagh at redhat.com Fri May 22 12:49:45 2009
From: sgallagh at redhat.com (Stephen Gallagher)
Date: Fri, 22 May 2009 08:49:45 -0400
Subject: [Freeipa-devel] [PATCH][SSSD] Fix libtool build
In-Reply-To: <1242996384.32121.16.camel@localhost.localdomain>
References: <4A157149.7070506@redhat.com> <4A165E90.2040400@redhat.com> <1242996384.32121.16.camel@localhost.localdomain>
Message-ID: <4A169F69.2020109@redhat.com>

On 05/22/2009 08:46 AM, Simo Sorce wrote:
> On Fri, 2009-05-22 at 10:13 +0200, Sumit Bose wrote:
>> Simo, shall I send the replace cleanups, except the one for
>> configure.ac, to samba-technical?
>
> Sure, if they apply (remember we do not use libtool in samba).
>
> Simo.
>

His changes aren't for libtool, they're fixes for unquoted strings in m4
files.

--
Stephen Gallagher
RHCE 804006346421761

Looking to carve out IT costs?
www.redhat.com/carveoutcosts/

From mnagy at redhat.com Fri May 22 17:37:39 2009
From: mnagy at redhat.com (Martin Nagy)
Date: Fri, 22 May 2009 19:37:39 +0200
Subject: [Freeipa-devel] [PATCH] Integrate the DNS LDAP back-end
In-Reply-To: <20090512233222.2c5d79d8@notas>
References: <20090512233222.2c5d79d8@notas>
Message-ID: <20090522193739.5a427a4e@wolverine.englab.brq.redhat.com>

New series. It's based on the current top of the tree. I removed the
"recursion no" from named.conf, since right now it breaks the driver.
Also some cosmetic changes, but otherwise the same..

Martin

On Tue, 12 May 2009 23:32:22 +0200, Martin Nagy wrote:
> Hi,
> this patch series will integrate the LDAP driver into the FreeIPA
> install script (better late than never..). To get the driver code:
>
> git clone git://github.com/mnagy/bind-dyndb-ldap.git
>
> There's a README file with instructions for building and installing.
> The plug-in is available in F-11, but since getting updates there is
> pretty hard, you'll be better off with the git tree and make install,
> I won't be updating the package in F-11 very often, at least not for
> now. Unfortunately, I found a bug when testing the driver with IPA
> that will cause any read queries to be denied. I'll try to fix that
> as soon as possible.
>
> You will also need the latest bind package either from the F-11 or
> devel branch (at least version 9.6.1-0.3.b1). Or you can grab a patch
> from http://github.com/mnagy/bind-dynamic_db/downloads
>
> For now the plug-in will bind anonymously and won't be able to update.
> It could do that, but for now I would have to put the DS password to
> the config file.. I don't expect that we want to be able to
> dynamically update the initial zone, so hopefully this is ok for now.
>
> I tried to install freeipa with this patch on a clean VM and didn't
> hit any problems (well, yeah, I did, but I fixed them before
> submitting ;). Any questions and criticism is welcome. Thanks.
>
> Martin
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0001-Move-the-__ldap_mod-function-to-the-Service-class.patch
Type: text/x-patch
Size: 8515 bytes
Desc: not available
URL:
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0002-Change-DNS-LDAP-attributes.patch
Type: text/x-patch
Size: 8859 bytes
Desc: not available
URL:
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0003-Use-LDAP-instead-of-flat-file-for-zone-storage.patch
Type: text/x-patch
Size: 9681 bytes
Desc: not available
URL:
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0004-Use-root.-HOST.-DOMAIN.-instead-of-root.-DOMAIN.patch
Type: text/x-patch
Size: 714 bytes
Desc: not available
URL:

From jderose at redhat.com Fri May 22 22:09:36 2009
From: jderose at redhat.com (Jason Gerard DeRose)
Date: Fri, 22 May 2009 16:09:36 -0600
Subject: [Freeipa-devel] [PATCHES] Fix bug where finalized IPA object where trying to modify their member variables in Encoder methods. + Make ldap2 always return attribute names as lowercase. Add Encoder to ldap2 base class and use encode_args/decode_retval where applicable. + Patch 0003: Make plugins2 use lowercase when reffering to LDAP attributes.
In-Reply-To: <4A168A3E.80807@redhat.com>
References: <4A168A3E.80807@redhat.com>
Message-ID: <1243030176.10552.6.camel@jgd-dsk>

On Fri, 2009-05-22 at 13:19 +0200, Pavel Zuna wrote:
> Patch 0001: Fix bug where finalized IPA object where trying to modify their
> member variables in Encoder methods.
>
> I was trying to modify settings of the encoder inside its methods, but this is
> impossible, because IPA API doesn't allow it after it was finalized.
>
> Patch 0002: Make ldap2 always return attribute names as lowercase. Add Encoder
> to ldap2 base class and use encode_args/decode_retval where applicable.
>
> Patch 0003: Make plugins2 use lowercase when reffering to LDAP attributes.
>
>
> Pavel

ack to all 3. pushed to master.

One of these patches introduces a failure in a unit test, and there has
been one lingering failure for a while, so please fix these and submit a
patch. I'd much rather have you submit an additional fix than nack these
patches.

Here are the traces from the failed tests (when run with ./make-test):

======================================================================
ERROR: Failure: AttributeError (type object 'Encoder' has no attribute 'encode_to')
----------------------------------------------------------------------
Traceback (most recent call last):
  File "/usr/lib/python2.5/site-packages/nose/loader.py", line 364, in loadTestsFromName
    addr.filename, addr.module)
  File "/usr/lib/python2.5/site-packages/nose/importer.py", line 39, in importFromPath
    return self.importFromDir(dir_path, fqname)
  File "/usr/lib/python2.5/site-packages/nose/importer.py", line 84, in importFromDir
    mod = load_module(part_fqname, fh, filename, desc)
  File "/root/freeipa/tests/test_ipalib/test_encoder.py", line 30, in
    _test_str_e = u'?????????'.encode(Encoder.encode_to)
AttributeError: type object 'Encoder' has no attribute 'encode_to'

======================================================================
ERROR: Test `ipalib.frontend.Command.args_options_2_entry` method.
----------------------------------------------------------------------
Traceback (most recent call last):
  File "/usr/lib/python2.5/site-packages/nose/case.py", line 182, in runTest
    self.test(*self.arg)
  File "/root/freeipa/tests/test_ipalib/test_frontend.py", line 466, in test_args_options_2_entry
    e = o.run(*args, **kw)
  File "/root/freeipa/tests/test_ipalib/test_frontend.py", line 459, in run
    return self.args_options_2_entry(*args, **kw)
  File "/root/freeipa/ipalib/frontend.py", line 473, in args_options_2_entry
    return dict(self.__attributes_2_entry(kw))
  File "/root/freeipa/ipalib/frontend.py", line 476, in __attributes_2_entry
    if self.api.env.use_ldap2:
AttributeError: 'NoneType' object has no attribute 'env'

----------------------------------------------------------------------

From sbose at redhat.com Mon May 25 08:33:38 2009
From: sbose at redhat.com (Sumit Bose)
Date: Mon, 25 May 2009 10:33:38 +0200
Subject: [Freeipa-devel] [PATCH][SSSD] Implement Gettext framework for sss_clients
In-Reply-To: <4A15B9E6.4010308@redhat.com>
References: <4A15B9E6.4010308@redhat.com>
Message-ID: <4A1A57E2.9080103@redhat.com>

Stephen Gallagher wrote:
> Contains only one example string, but the framework is now in place.
>
> This patch depends on the previous Automake patch I sent out.
>

Hi,

this patch works for me, but I think most of the autogenerated files and
binary *.gmo file should not be in the repository. It should be enough
to have:

po/Makevars, po/POTFILES.in, po/LINGUAS, po/$domain.pot, po/*.po

All other files will be created by autoreconf calling
autopoint/gettextize.

Can you change the spec file line from

+%{_datadir}/locale/es/LC_MESSAGES/sss_client.mo

to

+%{_datadir}/locale/*/LC_MESSAGES/sss_client.mo

bye,
Sumit

From pzuna at redhat.com Mon May 25 09:15:49 2009
From: pzuna at redhat.com (Pavel Zuna)
Date: Mon, 25 May 2009 11:15:49 +0200
Subject: [Freeipa-devel] [PATCH] Fix bug in Encoder where tuples were encoded into lists. Fix Encoder and Command.args_options_2_entry unit tests.
Message-ID: <4A1A61C5.9020703@redhat.com>

Pavel
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0001-Fix-bug-in-Encoder-where-tuples-were-encoded-into-li.patch
Type: application/mbox
Size: 10182 bytes
Desc: not available
URL:

From jhrozek at redhat.com Mon May 25 12:28:57 2009
From: jhrozek at redhat.com (Jakub Hrozek)
Date: Mon, 25 May 2009 14:28:57 +0200
Subject: [Freeipa-devel] [PATCH] InfoPipe tests
In-Reply-To: <4A1143CD.4070102@redhat.com>
References: <1239641168.24119.14.camel@hendrix> <1242577380.3695.119.camel@localhost.localdomain> <4A1143CD.4070102@redhat.com>
Message-ID: <1243254537.24078.3.camel@zeppelin.englab.brq.redhat.com>

On Mon, 2009-05-18 at 07:17 -0400, Stephen Gallagher wrote:
> > Do we still want to push these patches ?
> >
> > Simo.
> >
>
> If they apply cleanly, I don't see any reason not to, since the work
> is
> already done. If they don't apply cleanly, it's probably not worth the
> effort.

It was just packaging that did not apply, the actual tests did. Also I
noticed that we didn't package InfoPipe correctly - I know it's a very
low priority, but since it's in tree, it should work. A simple fix is
attached.

Also the rebased tests are attached, the rebasing only concerned
Makefile.am.

Jakub
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0006-Fix-typos-in-the-Introspection-XML-file.patch
Type: text/x-patch
Size: 2278 bytes
Desc: not available
URL:
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0007-Add-some-more-InfoPipe-tests.patch
Type: text/x-patch
Size: 22466 bytes
Desc: not available
URL:
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0008-Fix-infopipe-packaging.patch
Type: text/x-patch
Size: 1188 bytes
Desc: not available
URL:

From jhrozek at redhat.com Mon May 25 12:31:37 2009
From: jhrozek at redhat.com (Jakub Hrozek)
Date: Mon, 25 May 2009 14:31:37 +0200
Subject: [Freeipa-devel] [PATCH] fix manual UID assigment in sss_useradd
In-Reply-To: <49F59908.2000405@redhat.com>
References: <1240588170.24700.31.camel@zeppelin.englab.brq.redhat.com> <49F59908.2000405@redhat.com>
Message-ID: <1243254697.24078.5.camel@zeppelin.englab.brq.redhat.com>

On Mon, 2009-04-27 at 07:37 -0400, Stephen Gallagher wrote:
>
> Unless this is an MPG domain, we cannot guarantee that gid==uid is
> available. I think what we need to do here is this: If it's an MPG
> domain, set them equal. If it's a non-MPG domain, get the next
> available
> GID and use that.

att.

Jakub
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0002-Fix-manual-UID-assignment-in-sysdb.patch
Type: text/x-patch
Size: 2346 bytes
Desc: not available
URL:

From jhrozek at redhat.com Mon May 25 12:35:18 2009
From: jhrozek at redhat.com (Jakub Hrozek)
Date: Mon, 25 May 2009 14:35:18 +0200
Subject: [Freeipa-devel] [PATCH] Don't segfault on adding user outside domains
Message-ID: <1243254918.24078.8.camel@zeppelin.englab.brq.redhat.com>

Found this when working on tools testsuite..

If the user enters UID outside any domain ranges, we invoke the legacy
tools. But that was broken since the code read on domain->xxx even in
this case, when domain == NULL. Fix attached.

Jakub
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0011-Don-t-segfault-on-adding-user-outside-domains.patch
Type: text/x-patch
Size: 1029 bytes
Desc: not available
URL:

From jhrozek at redhat.com Mon May 25 12:41:24 2009
From: jhrozek at redhat.com (Jakub Hrozek)
Date: Mon, 25 May 2009 14:41:24 +0200
Subject: [Freeipa-devel] [PATCH] Do not fire up backend search when the data provider is local
Message-ID: <1243255284.24078.13.camel@zeppelin.englab.brq.redhat.com>

This is related to the fact that we special-case native local backend by
specifying "provider=local" in the config file..the current code would
ask the data provider resulting in Invalid Domain errors:

---
[sssd[nss]] [nss_cmd_getpwnam] (4): Requesting info for [someuser at LOCAL]
[sssd[nss]] [nss_dp_send_acct_req] (4): Sending request for [LOCAL][1][core][name=someuser]
[sssd[dp]] [dp_get_account_info] (4): Got request for [LOCAL][1][core][name=someuser]
[sssd[nss]] [nss_dp_get_reply] (4): Got reply (3, 22, Invalid Domain) from Data Provider
[sssd[nss]] [nss_cmd_getpwnam_dp_callback] (2): Unable to get information from Data Provider
Error: 3, 22, Invalid Domain
Will try to return what we have in cache
---

The attached patch special-cases the check_provider test from "is set"
to "is set to anything else than local"

Jakub
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0010-Do-not-fire-up-backend-search-when-the-data-provider.patch
Type: text/x-patch
Size: 8457 bytes
Desc: not available
URL:

From jhrozek at redhat.com Mon May 25 13:16:07 2009
From: jhrozek at redhat.com (Jakub Hrozek)
Date: Mon, 25 May 2009 15:16:07 +0200
Subject: [Freeipa-devel] [PATCH] Fix version extraction in release script
In-Reply-To: <1242929179.32121.5.camel@localhost.localdomain>
References: <1242907085.29353.1.camel@zeppelin.englab.brq.redhat.com> <4A1544DE.3090409@redhat.com> <4A156707.9010208@redhat.com> <1242922159.29353.17.camel@zeppelin.englab.brq.redhat.com> <4A157D82.6090405@redhat.com> <1242929179.32121.5.camel@localhost.localdomain>
Message-ID: <1243257367.24078.18.camel@zeppelin.englab.brq.redhat.com>

On Thu, 2009-05-21 at 14:06 -0400, Simo Sorce wrote:
> git-archive takes from a git tag, this assures that whatever we
> release
> is what we want to release. If you really want to use make dist then
> you
> should do a git-archive, unpack it, make dist-gzip in the unpacked dir
> an use this new tarball, a bit convoluted tho, and usually redundant.
>
> Simo.

att.

Jakub
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0001-Fix-release.sh.patch
Type: text/x-patch
Size: 1458 bytes
Desc: not available
URL:

From jhrozek at redhat.com Mon May 25 16:14:17 2009
From: jhrozek at redhat.com (Jakub Hrozek)
Date: Mon, 25 May 2009 18:14:17 +0200
Subject: [Freeipa-devel] [PATCH] Adjust sysdb tests to the new confdb interface and improve sysdb test coverage
Message-ID: <1243268057.7841.2.camel@zeppelin.englab.brq.redhat.com>

Convert existing tests into new confdb and sysdb API (the tests still
used char *domain instead of struct sss_domain_info *) and add missing
tests.

Jakub
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0001-Adjust-sysdb-tests-to-the-new-confdb-interface-and-i.patch
Type: text/x-patch
Size: 31597 bytes
Desc: not available
URL:

From jhrozek at redhat.com Tue May 26 09:07:30 2009
From: jhrozek at redhat.com (Jakub Hrozek)
Date: Tue, 26 May 2009 11:07:30 +0200
Subject: [Freeipa-devel] [PATCH] Move useradd defaults to confdb
Message-ID: <1243328850.24283.8.camel@zeppelin.englab.brq.redhat.com>

Previously, sss_useradd defaults were hardcoded with no way to
change user's default shell or base for home directory. This patch moves
them into config/user_defaults.

Jakub
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0001-Move-useradd-defaults-to-confdb.patch
Type: text/x-patch
Size: 2573 bytes
Desc: not available
URL:

From mpcolino at gmail.com Tue May 26 10:53:58 2009
From: mpcolino at gmail.com (Miguel P.C.)
Date: Tue, 26 May 2009 12:53:58 +0200
Subject: [Freeipa-devel] Git version (pre 0.4) config problems under Ubuntu
Message-ID:

Hello all,

I've been pretty busy but still trying to keep track on the project's
progress.

The steps I've taken are:
1.- upgrade to Karmic alpha 1
2.- Install build deps
3.- autoreconf -i -f
4.- ./configure --prefix=/opt/sssd

this is when I get the following message:

checking for LDB... yes
checking ldb.h usability... no
checking ldb.h presence... no
checking for ldb.h... no
configure: error: LDB header files are not installed
configure: error: ./configure failed for server

but LDB header is installed:

[migpc at ella:~/Code/sssd/tmp/sssd]$ find /usr/ | grep ldb\.h
/usr/include/samba-4.0/ldb.h

There are two packages for ldb, I'm normally using "libldb-samba4-dev".
Then I try with "libldb-dev"

[migpc at ella:~/Code/sssd/tmp/sssd]$ find /usr/ | grep ldb\.h
/usr/include/ldb.h
/usr/include/ldb_handlers.h

but I get exactly the same error.

Any suggestion on what can be done or where should I look to solve the
problem?

BTW, some little suggestions:
1.- popt may be included in BUILD.txt as dependency.
2.- a proper "make clean" or equivalent would be really good to have in
the root dir in order to ease packaging

Thanks for making sssd so much easier to work with.

M*

From sgallagh at redhat.com Tue May 26 11:04:52 2009
From: sgallagh at redhat.com (Stephen Gallagher)
Date: Tue, 26 May 2009 07:04:52 -0400
Subject: [Freeipa-devel] [PATCH] InfoPipe tests
In-Reply-To: <1243254537.24078.3.camel@zeppelin.englab.brq.redhat.com>
References: <1239641168.24119.14.camel@hendrix> <1242577380.3695.119.camel@localhost.localdomain> <4A1143CD.4070102@redhat.com> <1243254537.24078.3.camel@zeppelin.englab.brq.redhat.com>
Message-ID: <4A1BCCD4.3090001@redhat.com>

On 05/25/2009 08:28 AM, Jakub Hrozek wrote:
> On Mon, 2009-05-18 at 07:17 -0400, Stephen Gallagher wrote:
>>> Do we still want to push these patches ?
>>>
>>> Simo.
>>>
>> If they apply cleanly, I don't see any reason not to, since the work
>> is
>> already done. If they don't apply cleanly, it's probably not worth the
>> effort.
>
> It was just packaging that did not apply, the actual tests did. Also I
> noticed that we didn't package InfoPipe correctly - I know it's a very
> low priority, but since it's in tree, it should work. A simple fix is
> attached.
>
> Also the rebased tests are attached, the rebasing only concerned
> Makefile.am.
>
> Jakub

Ack to all three.

--
Stephen Gallagher
RHCE 804006346421761

Looking to carve out IT costs?
www.redhat.com/carveoutcosts/

From sbose at redhat.com Tue May 26 11:33:03 2009
From: sbose at redhat.com (Sumit Bose)
Date: Tue, 26 May 2009 13:33:03 +0200
Subject: [Freeipa-devel] [PATCH] Do not fire up backend search when the data provider is local
In-Reply-To: <1243255284.24078.13.camel@zeppelin.englab.brq.redhat.com>
References: <1243255284.24078.13.camel@zeppelin.englab.brq.redhat.com>
Message-ID: <4A1BD36F.7010308@redhat.com>

Jakub Hrozek wrote:
> This is related to the fact that we special-case native local backend by
> specifying "provider=local" in the config file..the current code would
> ask the data provider resulting in Invalid Domain errors:
>
> ---
> [sssd[nss]] [nss_cmd_getpwnam] (4): Requesting info for [someuser at LOCAL]
> [sssd[nss]] [nss_dp_send_acct_req] (4): Sending request for
> [LOCAL][1][core][name=someuser]
> [sssd[dp]] [dp_get_account_info] (4): Got request for
> [LOCAL][1][core][name=someuser]
> [sssd[nss]] [nss_dp_get_reply] (4): Got reply (3, 22, Invalid Domain)
> from Data Provider
> [sssd[nss]] [nss_cmd_getpwnam_dp_callback] (2): Unable to get
> information from Data Provider
> Error: 3, 22, Invalid Domain
> Will try to return what we have in cache
> ---
>
> The attached patch special-cases the check_provider test from "is set"
> to "is set to anything else than local"
>
> Jakub
>

Hi,

please remove the changes to pamsrv_cmd.c, because it is planned that
the authentication code for LOCAL will move to a separate backend.

bye,
Sumit

From sgallagh at redhat.com Tue May 26 11:33:24 2009
From: sgallagh at redhat.com (Stephen Gallagher)
Date: Tue, 26 May 2009 07:33:24 -0400
Subject: [Freeipa-devel] [PATCH] fix manual UID assigment in sss_useradd
In-Reply-To: <1243254697.24078.5.camel@zeppelin.englab.brq.redhat.com>
References: <1240588170.24700.31.camel@zeppelin.englab.brq.redhat.com> <49F59908.2000405@redhat.com> <1243254697.24078.5.camel@zeppelin.englab.brq.redhat.com>
Message-ID: <4A1BD384.8080703@redhat.com>

On 05/25/2009 08:31 AM, Jakub Hrozek wrote:
> On Mon, 2009-04-27 at 07:37 -0400, Stephen Gallagher wrote:
>> Unless this is an MPG domain, we cannot guarantee that gid==uid is
>> available. I think what we need to do here is this: If it's an MPG
>> domain, set them equal. If it's a non-MPG domain, get the next
>> available
>> GID and use that.
>
> att.
>
> Jakub

Ack

--
Stephen Gallagher
RHCE 804006346421761

Looking to carve out IT costs?
www.redhat.com/carveoutcosts/

From sgallagh at redhat.com Tue May 26 11:44:08 2009
From: sgallagh at redhat.com (Stephen Gallagher)
Date: Tue, 26 May 2009 07:44:08 -0400
Subject: [Freeipa-devel] [PATCH] Don't segfault on adding user outside domains
In-Reply-To: <1243254918.24078.8.camel@zeppelin.englab.brq.redhat.com>
References: <1243254918.24078.8.camel@zeppelin.englab.brq.redhat.com>
Message-ID: <4A1BD608.3060001@redhat.com>

On 05/25/2009 08:35 AM, Jakub Hrozek wrote:
> Found this when working on tools testsuite..
>
> If the user enters UID outside any domain ranges, we invoke the legacy
> tools. But that was broken since the code read on domain->xxx even in
> this case, when domain == NULL. Fix attached.
>
> Jakub

Nack.

The only way to enter the useradd_legacy() function is for the domain to
be NULL. There will never be a case where the USERADD_UID_MIN/MAX will
be used.

I think we need to rethink how to generate that portion of the
parameter, because we want to ensure that the legacy useradd doesn't
step on the toes of one of our domains.

Perhaps try creating local users where the USERADD_UID_MAX is the value
of the lowest supported domain, except where this is impossible (we have
a domain handling UID 1), in which case we set the USERADD_UID_MIN to
the highest max domain range. If this is also impossible (such as having
a domain with no maximum), then exit out and instruct the user to
specify the uid and gid manually because no automatic value could be
determined.

--
Stephen Gallagher
RHCE 804006346421761

Looking to carve out IT costs?
www.redhat.com/carveoutcosts/

From sgallagh at redhat.com Tue May 26 12:01:15 2009
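[Added example, not part of the thread and not SSSD code: the fallback order proposed in the reply above (stay below the lowest domain range, otherwise start above the highest domain maximum, otherwise refuse and ask for explicit IDs), written out in C. The struct and function names, the floor/ceiling parameters, and the convention that id_max == 0 means "no maximum" are assumptions made for illustration.]

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical description of one configured domain's ID range
 * (illustration only, not SSSD's struct sss_domain_info). */
struct id_range {
    const char *name;
    uint32_t id_min;
    uint32_t id_max;            /* assumption: 0 means "no maximum" */
};

/* Window handed to the legacy useradd as its UID_MIN / UID_MAX. */
struct legacy_window {
    uint32_t uid_min;
    uint32_t uid_max;
};

enum { WINDOW_OK = 0, WINDOW_NONE = -1 };

/* Pick a UID window for legacy (non-domain) users that cannot overlap any
 * domain range. floor and ceiling bound what the local system may use at
 * all (assumed parameters). Returns WINDOW_NONE when no automatic value
 * exists, in which case the caller should ask for explicit uid and gid. */
int legacy_uid_window(const struct id_range *doms, size_t n,
                      uint32_t floor, uint32_t ceiling,
                      struct legacy_window *out)
{
    uint32_t lowest_min = UINT32_MAX;
    uint32_t highest_max = 0;
    int unbounded = 0;
    size_t i;

    if (out == NULL || floor > ceiling)
        return WINDOW_NONE;

    for (i = 0; i < n; i++) {
        if (doms[i].id_min < lowest_min)
            lowest_min = doms[i].id_min;
        if (doms[i].id_max == 0)
            unbounded = 1;
        else if (doms[i].id_max > highest_max)
            highest_max = doms[i].id_max;
    }

    /* Preferred: everything below the lowest domain minimum. The upper
     * bound is lowest_min - 1 so the window never touches the domain. */
    if (lowest_min > floor) {
        uint32_t top = lowest_min - 1;
        out->uid_min = floor;
        out->uid_max = top < ceiling ? top : ceiling;
        return WINDOW_OK;
    }

    /* Fallback: a domain already covers the floor, so start just above
     * the highest domain maximum. Needs every domain to be bounded. */
    if (!unbounded && highest_max < ceiling) {
        uint32_t start = highest_max + 1;
        out->uid_min = start > floor ? start : floor;
        out->uid_max = ceiling;
        return WINDOW_OK;
    }

    /* A domain with no maximum (or no room left): nothing safe to pick. */
    return WINDOW_NONE;
}

/* Constructed sample configurations. */
static const struct id_range below_case[] = {
    { "LOCAL", 1000, 1999 }, { "LDAP", 5000, 0 },
};
static const struct id_range above_case[] = {
    { "A", 1, 2000 }, { "B", 3000, 4000 },
};
static const struct id_range stuck_case[] = {
    { "A", 1, 0 },
};

static void show(const char *label, const struct id_range *d, size_t n,
                 uint32_t floor)
{
    struct legacy_window w;
    if (legacy_uid_window(d, n, floor, 60000, &w) == WINDOW_OK)
        printf("%s: UID_MIN=%u UID_MAX=%u\n", label,
               (unsigned)w.uid_min, (unsigned)w.uid_max);
    else
        printf("%s: no automatic range, specify uid and gid manually\n",
               label);
}

int main(void)
{
    show("below lowest domain", below_case, 2, 500);
    show("above highest domain", above_case, 2, 1);
    show("unbounded domain at UID 1", stuck_case, 1, 1);
    return 0;
}
```
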
From: sgallagh at redhat.com (Stephen Gallagher) Date: Tue, 26 May 2009 08:01:15 -0400 Subject: [Freeipa-devel] [PATCH] Adjust sysdb tests to the new confdb interface and improve sysdb test coverage In-Reply-To: <1243268057.7841.2.camel@zeppelin.englab.brq.redhat.com> References: <1243268057.7841.2.camel@zeppelin.englab.brq.redhat.com> Message-ID: <4A1BDA0B.5050708@redhat.com> On 05/25/2009 12:14 PM, Jakub Hrozek wrote: > Convert existing tests into new confdb and sysdb API (the tests still > used char *domain instead of struct sss_domain_info *) and add missing > tests. > > Jakub Nack Your tests are not cleaning up after themselves properly. Running the test suite a second time results in failures. See attached log. -- Stephen Gallagher RHCE 804006346421761 Looking to carve out IT costs? www.redhat.com/carveoutcosts/ -------------- next part -------------- An embedded and charset-unspecified text was scrubbed... Name: test-results.log URL: From sgallagh at redhat.com Tue May 26 12:05:21 2009
From: sgallagh at redhat.com (Stephen Gallagher) Date: Tue, 26 May 2009 08:05:21 -0400 Subject: [Freeipa-devel] [PATCH] Move useradd defaults to confdb In-Reply-To: <1243328850.24283.8.camel@zeppelin.englab.brq.redhat.com> References: <1243328850.24283.8.camel@zeppelin.englab.brq.redhat.com> Message-ID: <4A1BDB01.6080703@redhat.com> On 05/26/2009 05:07 AM, Jakub Hrozek wrote: > Previously, sss_useradd defaults were hardcoded with no way to > change user's default shell or base for home directory. This patch moves > them into config/user_defaults. > > Jakub Nack You need to update the config file parser to recognize these new values, or else they will not appear in the confdb database. I'm also unsure of whether this should be a global option or a per-domain option. Right now we can only create native users, but we don't know yet whether we're going to support user creation for other domains using these tools. But since we don't at the moment, it's probably fine for this to be a global config right now. -- Stephen Gallagher RHCE 804006346421761 Looking to carve out IT costs? www.redhat.com/carveoutcosts/ From sgallagh at redhat.com Tue May 26 12:20:08 2009
From: sgallagh at redhat.com (Stephen Gallagher) Date: Tue, 26 May 2009 08:20:08 -0400 Subject: [Freeipa-devel] Git version (pre 0.4) config problems under Ubuntu In-Reply-To: References: Message-ID: <4A1BDE78.8070500@redhat.com> On 05/26/2009 06:53 AM, Miguel P.C. wrote: > Hello all, > > I've been pretty busy but still trying to keep track on the project's progress. > The steps I've taken are: > > 1.- upgrade to Karmic alpha 1 > 2.- Install build deps > 3.- autoreconf -i -f > 4.- ./configure --prefix=/opt/sssd > > this is when I get the following message: > checking for LDB... yes > checking ldb.h usability... no > checking ldb.h presence... no > checking for ldb.h... no > configure: error: LDB header files are not installed > configure: error: ./configure failed for server > > > but LDB header is installed: > [migpc at ella:~/Code/sssd/tmp/sssd]$ find /usr/ | grep ldb\.h > /usr/include/samba-4.0/ldb.h > Your ldb.h headers are not installed in a place that GCC searches for headers by default. You will need to append "-I/usr/include/samba-4.0" to your CPPFLAGS to tell GCC (and configure) where to find the headers. > There are two packages for ldb, I'm normally using > "libldb-samba4-dev". Then I try with "libldb-dev" > > [migpc at ella:~/Code/sssd/tmp/sssd]$ find /usr/ | grep ldb\.h > /usr/include/ldb.h > /usr/include/ldb_handlers.h > > but I get exactly the same error. > Any suggestion on what can be done or where should I look to solve the problem? I doubt it's exactly the same error. Would you gzip your config.log for each one (specifying which is which) and send them to the list so I can take a closer look? > BTW, some little suggestions: > 1.- popt may be included in BUILD.txt as dependency. You're right. I'll add that. > 2.- a proper "make clean" or equivalent would be really good to have > in the root dir in order to ease packaging With the new automake changes, 'make distclean' should work perfectly. 
Also, 'make dist-gzip' should produce an appropriate tarball. > > Thanks for making sssd so much easier to work with. > > M* -- Stephen Gallagher RHCE 804006346421761 Looking to carve out IT costs? www.redhat.com/carveoutcosts/ From sgallagh at redhat.com Tue May 26 12:41:37 2009
From: sgallagh at redhat.com (Stephen Gallagher) Date: Tue, 26 May 2009 08:41:37 -0400 Subject: [Freeipa-devel] [PATCH] Move useradd defaults to confdb In-Reply-To: <4A1BDB01.6080703@redhat.com> References: <1243328850.24283.8.camel@zeppelin.englab.brq.redhat.com> <4A1BDB01.6080703@redhat.com> Message-ID: <4A1BE381.8090807@redhat.com> On 05/26/2009 08:05 AM, Stephen Gallagher wrote: > > Nack > > You need to update the config file parser to recognize these new values, > or else they will not appear in the confdb database. > > I'm also unsure of whether this should be a global option or a > per-domain option. Right now we can only create native users, but we > don't know yet whether we're going to support user creation for other > domains using these tools. But since we don't at the moment, it's > probably fine for this to be a global config right now. Sorry, I was mistaken about this. I forgot that I did in fact write the confdb parser to take in additional options without changing the parser. So I rescind this nack. Ack :) -- Stephen Gallagher RHCE 804006346421761 Looking to carve out IT costs? www.redhat.com/carveoutcosts/ From ssorce at redhat.com Tue May 26 12:51:29 2009
From: ssorce at redhat.com (Simo Sorce) Date: Tue, 26 May 2009 08:51:29 -0400 Subject: [Freeipa-devel] [PATCHES] start/stop related fixes In-Reply-To: <1242233642.17793.27.camel@zeppelin.englab.brq.redhat.com> References: <1241106592.29393.40.camel@zeppelin.englab.brq.redhat.com> <1242233642.17793.27.camel@zeppelin.englab.brq.redhat.com> Message-ID: <1243342289.7279.1.camel@localhost.localdomain> On Wed, 2009-05-13 at 18:54 +0200, Jakub Hrozek wrote: > On Thu, 2009-04-30 at 17:49 +0200, Jakub Hrozek wrote: > > The first one reads the config file before calling server_setup() > > which > > daemonizes, so errors in config file are caught before becoming a > > daemon. Would it make sense to do as many configuration steps (from > > monitor_process_init() - like actually initializing confdb etc.) as > > possible before the daemonization? > > > > Fix initscript return codes is pretty straightforward - just return > > correct values in initscript functions. These two patches should > > address > > ticket #28. > > I rebased the 0001-Read-the-config-before-startup patch so it can be > applied on top of the recent commits. > > Are there any other changes needed before this patch and the > 0002-Fix-initscript-return-codes.patch from the original message can be > applied? Pushed both. Simo. -- Simo Sorce * Red Hat, Inc * New York From ssorce at redhat.com Tue May 26 12:53:02 2009 
From: ssorce at redhat.com (Simo Sorce) Date: Tue, 26 May 2009 08:53:02 -0400 Subject: [Freeipa-devel] [PATCH][SSSD] Fix libtool build In-Reply-To: <4A165E90.2040400@redhat.com> References: <4A157149.7070506@redhat.com> <4A165E90.2040400@redhat.com> Message-ID: <1243342382.7279.2.camel@localhost.localdomain> On Fri, 2009-05-22 at 10:13 +0200, Sumit Bose wrote: > Stephen Gallagher schrieb: > > Several other general build system fixes are included. > > See commit message for more details. > > > > I needed the attached changes to make all warnings go away when running > autoreconf. Most important, there is still an LT_INIT in > dhash/configure.ac. > > The other changes are all in replace/. Pushed Simo. -- Simo Sorce * Red Hat, Inc * New York From jhrozek at redhat.com Tue May 26 12:54:37 2009 From: jhrozek at redhat.com (Jakub Hrozek) Date: Tue, 26 May 2009 14:54:37 +0200 Subject: [Freeipa-devel] [PATCH] Do not fire up backend search when the data provider is local In-Reply-To: <4A1BD36F.7010308@redhat.com> References: <1243255284.24078.13.camel@zeppelin.englab.brq.redhat.com> <4A1BD36F.7010308@redhat.com> Message-ID: <1243342477.24283.15.camel@zeppelin.englab.brq.redhat.com> On Tue, 2009-05-26 at 13:33 +0200, Sumit Bose wrote: > Hi, > > please remove the changes to pamsrv_cmd.c, because it is planned that > the authentication code for LOCAL will move to a separate backend. > > bye, > Sumit OK, a new incarnation of the patch is attached, does not touch pamsrv_cmd.c. Jakub -------------- next part -------------- A non-text attachment was scrubbed... Name: 0001-Do-not-fire-up-backend-search-when-the-data-provider.patch Type: text/x-patch Size: 7478 bytes Desc: not available URL: -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 197 bytes Desc: This is a digitally signed message part URL: From ssorce at redhat.com Tue May 26 12:55:09 2009 
From: ssorce at redhat.com (Simo Sorce) Date: Tue, 26 May 2009 08:55:09 -0400 Subject: [Freeipa-devel] [PATCH] InfoPipe tests In-Reply-To: <1243254537.24078.3.camel@zeppelin.englab.brq.redhat.com> References: <1239641168.24119.14.camel@hendrix> <1242577380.3695.119.camel@localhost.localdomain> <4A1143CD.4070102@redhat.com> <1243254537.24078.3.camel@zeppelin.englab.brq.redhat.com> Message-ID: <1243342509.7279.3.camel@localhost.localdomain> On Mon, 2009-05-25 at 14:28 +0200, Jakub Hrozek wrote: > On Mon, 2009-05-18 at 07:17 -0400, Stephen Gallagher wrote: > > > Do we still want to push these patches ? > > > > > > Simo. > > > > > > > If they apply cleanly, I don't see any reason not to, since the work > > is > > already done. If they don't apply cleanly, it's probably not worth the > > effort. > > It was just packaging that did not apply, the actual tests did. Also I > noticed that we didn't package InfoPipe correctly - I know it's a very > low priority, but since it's in tree, it should work. A simple fix is > attached. > > Also the rebased tests are attached, the rebasing only concerned > Makefile.am. Pushed. Simo. -- Simo Sorce * Red Hat, Inc * New York From ssorce at redhat.com Tue May 26 12:56:03 2009 
From: ssorce at redhat.com (Simo Sorce) Date: Tue, 26 May 2009 08:56:03 -0400 Subject: [Freeipa-devel] [PATCH] fix manual UID assigment in sss_useradd In-Reply-To: <1243254697.24078.5.camel@zeppelin.englab.brq.redhat.com> References: <1240588170.24700.31.camel@zeppelin.englab.brq.redhat.com> <49F59908.2000405@redhat.com> <1243254697.24078.5.camel@zeppelin.englab.brq.redhat.com> Message-ID: <1243342563.7279.4.camel@localhost.localdomain> On Mon, 2009-05-25 at 14:31 +0200, Jakub Hrozek wrote: > On Mon, 2009-04-27 at 07:37 -0400, Stephen Gallagher wrote: > > > > Unless this is an MPG domain, we cannot guarantee that gid==uid is > > available. I think what we need to do here is this: If it's an MPG > > domain, set them equal. If it's a non-MPG domain, get the next > > available > > GID and use that. > > att. pushed. Simo. -- Simo Sorce * Red Hat, Inc * New York From ssorce at redhat.com Tue May 26 13:11:39 2009 
From: ssorce at redhat.com (Simo Sorce) Date: Tue, 26 May 2009 09:11:39 -0400 Subject: [Freeipa-devel] [PATCH][SSSD] Fix libtool build In-Reply-To: <4A1682C6.1080802@redhat.com> References: <4A157149.7070506@redhat.com> <4A165E90.2040400@redhat.com> <4A168014.2080109@redhat.com> <4A1682C6.1080802@redhat.com> Message-ID: <1243343499.7279.5.camel@localhost.localdomain> On Fri, 2009-05-22 at 06:47 -0400, Stephen Gallagher wrote: > On 05/22/2009 06:36 AM, Stephen Gallagher wrote: > > > > Sumit, thank you. I didn't realize I had missed the dhash change, but > > unfortunately that patch isn't sufficient (as it will still be building > > the shared objects). I will modify my patch and include the complete fix. > > > > Sumit, sorry. I made that review from the diff alone, and didn't realize > that it was in fact complete because I'd converted the Makefile.am to > perform a noinst_ build. So you were right, that was a complete fix for > the problem. I have incorporated it into an updated patch, attached. Merged and pushed the second patch too. Simo. -- Simo Sorce * Red Hat, Inc * New York From ssorce at redhat.com Tue May 26 13:13:11 2009 From: ssorce at redhat.com (Simo Sorce) Date: Tue, 26 May 2009 09:13:11 -0400 Subject: [Freeipa-devel] [PATCH] Move useradd defaults to confdb In-Reply-To: <1243328850.24283.8.camel@zeppelin.englab.brq.redhat.com> References: <1243328850.24283.8.camel@zeppelin.englab.brq.redhat.com> Message-ID: <1243343591.7279.6.camel@localhost.localdomain> On Tue, 2009-05-26 at 11:07 +0200, Jakub Hrozek wrote: > Previously, sss_useradd defaults were hardcoded with no way to > change user's default shell or base for home directory. This patch moves > them into config/user_defaults. Pushed, Simo. -- Simo Sorce * Red Hat, Inc * New York From sgallagh at redhat.com Tue May 26 13:16:39 2009 
From: sgallagh at redhat.com (Stephen Gallagher) Date: Tue, 26 May 2009 09:16:39 -0400 Subject: [Freeipa-devel] [PATCH][SSSD] Link backends against internal crypto library Message-ID: <4A1BEBB7.1090806@redhat.com> This will fix https://fedorahosted.org/sssd/ticket/39 I didn't realize that the proxy (and possibly the ldap) backends needed to be linked against our internal NSS_SHA512 implementation. I've added that library to the linker. -- Stephen Gallagher RHCE 804006346421761 Looking to carve out IT costs? www.redhat.com/carveoutcosts/ -------------- next part -------------- An embedded and charset-unspecified text was scrubbed... Name: 0001-Link-proxy-backend-against-internal-crypto-library.patch URL: From jhrozek at redhat.com Tue May 26 13:43:55 2009
From: jhrozek at redhat.com (Jakub Hrozek) Date: Tue, 26 May 2009 15:43:55 +0200 Subject: [Freeipa-devel] [PATCH] Fix version extraction in release script In-Reply-To: <1243257367.24078.18.camel@zeppelin.englab.brq.redhat.com> References: <1242907085.29353.1.camel@zeppelin.englab.brq.redhat.com> <4A1544DE.3090409@redhat.com> <4A156707.9010208@redhat.com> <1242922159.29353.17.camel@zeppelin.englab.brq.redhat.com> <4A157D82.6090405@redhat.com> <1242929179.32121.5.camel@localhost.localdomain> <1243257367.24078.18.camel@zeppelin.englab.brq.redhat.com> Message-ID: <1243345435.24283.24.camel@zeppelin.englab.brq.redhat.com> On Mon, 2009-05-25 at 15:16 +0200, Jakub Hrozek wrote: > On Thu, 2009-05-21 at 14:06 -0400, Simo Sorce wrote: > > git-archive takes from a git tag, this assures that whatever we > > release > > is what we want to release. If you really want to use make dist then > > you > > should do a git-archive, unpack it, make dist-gzip in the unpacked > dir > > an use this new tarball, a bit convoluted tho, and usually > redundant. > > > > Simo. > > att. > > Jakub > One more change. Simo found out that the clean-up trap would be executed in the subdirectory. This patch moves back to the top-level directory before cleaning up. Jakub -------------- next part -------------- A non-text attachment was scrubbed... Name: 0001-Fix-release.sh.patch Type: text/x-patch Size: 1566 bytes Desc: not available URL: -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 197 bytes Desc: This is a digitally signed message part URL: From sgallagh at redhat.com Tue May 26 13:57:05 2009 
From: sgallagh at redhat.com (Stephen Gallagher) Date: Tue, 26 May 2009 09:57:05 -0400 Subject: [Freeipa-devel] [PATCH][SSSD] Implement Gettext framework for sss_clients In-Reply-To: <4A1A57E2.9080103@redhat.com> References: <4A15B9E6.4010308@redhat.com> <4A1A57E2.9080103@redhat.com> Message-ID: <4A1BF531.3080108@redhat.com> On 05/25/2009 04:33 AM, Sumit Bose wrote: > Stephen Gallagher schrieb: >> Contains only one example string, but the framework is now in place. >> >> This patch depends on the previous Automake patch I sent out. >> > > Hi, > > this patch works for me, but I think most of the autogenerated files and > binary *.gmo file should not be in the repository. It should be enough > to have: > > po/Makevars, po/POTFILES.in, po/LINGUAS, po/$domain.pot, po/*.po > > All other files will be created by autoreconf calling autopoint/gettextize. > > Can you change the spec file line from > > +%{_datadir}/locale/es/LC_MESSAGES/sss_client.mo > > to > > +%{_datadir}/locale/*/LC_MESSAGES/sss_client.mo > > > bye, > Sumit I have incorporated your suggestions into this new patch. The included files are now, I believe, the minimum set necessary to build. -- Stephen Gallagher RHCE 804006346421761 Looking to carve out IT costs? www.redhat.com/carveoutcosts/ -------------- next part -------------- An embedded and charset-unspecified text was scrubbed... Name: 0001-Initial-gettext-framework-for-sss_clients.patch URL: From mnagy at redhat.com Tue May 26 14:04:30 2009
From: mnagy at redhat.com (Martin Nagy) Date: Tue, 26 May 2009 16:04:30 +0200 Subject: [Freeipa-devel] [PATCH] Integrate the DNS LDAP back-end In-Reply-To: <20090522193739.5a427a4e@wolverine.englab.brq.redhat.com> References: <20090512233222.2c5d79d8@notas> <20090522193739.5a427a4e@wolverine.englab.brq.redhat.com> Message-ID: <20090526160430.7b87772a@wolverine.englab.brq.redhat.com> On Fri, 22 May 2009 19:37:39 +0200, Martin Nagy wrote: > +dn: idnsName=$DOMAIN,cn=dns,$SUFFIX > +changetype: add > +objectClass: top > +objectClass: idnsZone > +objectClass: idnsRecord > +idnsName: $DOMAIN > +idnsZoneActive: True > +idnsAllowDynUpdate: True > +idnsUpdatePolicy: { grant $REALM krb5-self * A; } Argh. This should have been without the '{' and '}'.. Will remove before push (if I get acks). Martin From sbose at redhat.com Tue May 26 14:24:21 2009 From: sbose at redhat.com (Sumit Bose) Date: Tue, 26 May 2009 16:24:21 +0200 Subject: [Freeipa-devel] [PATCH][SSSD] Link backends against internal crypto library In-Reply-To: <4A1BEBB7.1090806@redhat.com> References: <4A1BEBB7.1090806@redhat.com> Message-ID: <4A1BFB95.1070701@redhat.com> Stephen Gallagher schrieb: > This will fix https://fedorahosted.org/sssd/ticket/39 > > I didn't realize that the proxy (and possibly the ldap) backends needed > to be linked against our internal NSS_SHA512 implementation. I've added > that library to the linker. > ACK bye, Sumit From jhrozek at redhat.com Tue May 26 14:57:37 2009 
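Review bot: in the quoted LDIF hunk of Martin Nagy's message above (the idnsZone entry for $DOMAIN), idnsAllowDynUpdate: True switches dynamic updates on for the zone at install time, so the idnsUpdatePolicy value is the only control on who may change records, and the author already notes that the value is written with a stray '{' and '}'. Besides dropping the braces, consider shipping the zone with idnsAllowDynUpdate off unless the installer is asked for it, and add a test that loads this entry and checks that an update is refused when the policy string does not parse. The grant also covers only A records; if AAAA is meant to be included, say so here, or document that it is left out on purpose.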
From: jhrozek at redhat.com (Jakub Hrozek) Date: Tue, 26 May 2009 16:57:37 +0200 Subject: [Freeipa-devel] [PATCH] Fix version extraction in release script In-Reply-To: <1243345435.24283.24.camel@zeppelin.englab.brq.redhat.com> References: <1242907085.29353.1.camel@zeppelin.englab.brq.redhat.com> <4A1544DE.3090409@redhat.com> <4A156707.9010208@redhat.com> <1242922159.29353.17.camel@zeppelin.englab.brq.redhat.com> <4A157D82.6090405@redhat.com> <1242929179.32121.5.camel@localhost.localdomain> <1243257367.24078.18.camel@zeppelin.englab.brq.redhat.com> <1243345435.24283.24.camel@zeppelin.englab.brq.redhat.com> Message-ID: <1243349857.24283.29.camel@zeppelin.englab.brq.redhat.com> On Tue, 2009-05-26 at 15:43 +0200, Jakub Hrozek wrote: > One more change. Simo found out that the clean-up trap would be > executed > in the subdirectory. This patch moves back to the top-level directory > before cleaning up. > > Jakub Yet one more change in handling the exit trap -------------- next part -------------- A non-text attachment was scrubbed... Name: 0001-Fix-release.sh.patch Type: text/x-patch Size: 1541 bytes Desc: not available URL: -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 197 bytes Desc: This is a digitally signed message part URL: From mpcolino at gmail.com Tue May 26 15:06:52 2009 
From: mpcolino at gmail.com (Miguel P.C.) Date: Tue, 26 May 2009 17:06:52 +0200 Subject: [Freeipa-devel] SSSD version pre-0.4 config problems under Ubuntu Message-ID: Hi again. First of all, sorry for the worst error report ever ... :-) > Your ldb.h headers are not installed in a place that GCC searches for > headers by default. You will need to append "-I/usr/include/samba-4.0" > to your CPPFLAGS to tell GCC (and configure) where to find the headers. This is the try of that with libldb-samba4-dev (with ldb.h in /usr/include/samba-4.0), after "autoreconf -i -f": [migpc at ella]:~$ find /usr/ | grep ldb\.h$ /usr/include/samba-4.0/ldb.h [migpc at ella]:~$ CPPFLAGS="-I /usr/include/samba-4.0" ./configure --prefix=/opt/sssd [... snip ...] checking for LDB... yes checking ldb.h usability... no checking ldb.h presence... yes configure: WARNING: ldb.h: present but cannot be compiled configure: WARNING: ldb.h: check for missing prerequisite headers? configure: WARNING: ldb.h: see the Autoconf documentation configure: WARNING: ldb.h: section "Present But Cannot Be Compiled" configure: WARNING: ldb.h: proceeding with the preprocessor's result configure: WARNING: ldb.h: in the future, the compiler will take precedence configure: WARNING: ## --------------------------------------- ## configure: WARNING: ## Report this to freeipa-devel at redhat.com ## configure: WARNING: ## --------------------------------------- ## checking for ldb.h... yes checking for ldb_init in -lldb... yes checking ldb_module.h usability... no checking ldb_module.h presence... no checking for ldb_module.h... no configure: error: LDB header files are not installed configure: error: ./configure failed for server I also send attached the full "configure" result, and "config.log" >> [migpc at ella:~/Code/sssd/tmp/sssd]$ find /usr/ | grep ldb\.h >> /usr/include/ldb.h >> /usr/include/ldb_handlers.h >> >> but I get exactly the same error. 
>> Any suggestion on what can be done or where should I look to solve the problem? > > I doubt it's exactly the same error. Would you gzip your config.log for > each one (specifying which is which) and send them to the list so I can > take a closer look? Ok. I attach the output for "configure" with libldb-dev. [migpc at ella:~]$ find /usr/ | grep ldb\.h$ /usr/include/ldb.h [migpc at ella:~/Code/sssd/tmp/sssd]$ ./configure --prefix=/opt/sssd | tee ../0002-configure_with_libldb-dev_karmic.txt [... snip ...] checking for LDB... yes checking ldb.h usability... no checking ldb.h presence... no checking for ldb.h... no configure: error: LDB header files are not installed configure: error: ./configure failed for server Also attach both, configure result and config.log >> BTW, some little suggestions: >> 1.- popt may be included in BUILD.txt as dependency. > You're right. I'll add that. Thank you. >> 2.- a proper "make clean" or equivalent would be really good to have >> in the root dir in order to ease packaging > > With the new automake changes, 'make distclean' should work perfectly. > Also, 'make dist-gzip' should produce an appropriate tarball. Thanks again!. Really. I should have re-read Makefile more carefully. I'll try to re-check everything when I get home. Regards. M* -------------- next part -------------- A non-text attachment was scrubbed... Name: 0001-configure_with_libldb-samba4-dev_karmic.txt.bz2 Type: application/x-bzip2 Size: 4538 bytes Desc: not available URL: -------------- next part -------------- A non-text attachment was scrubbed... Name: 0002-configure_with_libldb-dev_karmic.txt.bz2 Type: application/x-bzip2 Size: 4480 bytes Desc: not available URL: -------------- next part -------------- A non-text attachment was scrubbed... Name: 0003-config_log_with_libldb-samba4-dev_karmic.log.bz2 Type: application/x-bzip2 Size: 1894 bytes Desc: not available URL: -------------- next part -------------- A non-text attachment was scrubbed... 
Name: 0004-config_log_with_libldb-dev_karmic.log.bz2 Type: application/x-bzip2 Size: 1894 bytes Desc: not available URL: From ssorce at redhat.com Tue May 26 15:25:09 2009 From: ssorce at redhat.com (Simo Sorce) Date: Tue, 26 May 2009 11:25:09 -0400 Subject: [Freeipa-devel] [PATCH] silent warnings Message-ID: <1243351509.7279.8.camel@localhost.localdomain> Most are just harmless warnings but some may be real bugs. I haven't addressed the tests/ breakage as Jakub already had patches for that. -- Simo Sorce * Red Hat, Inc * New York -------------- next part -------------- A non-text attachment was scrubbed... Name: 0001-Silence-warnings.patch Type: text/x-patch Size: 9567 bytes Desc: not available URL: From ssorce at redhat.com Tue May 26 15:26:32 2009 From: ssorce at redhat.com (Simo Sorce) Date: Tue, 26 May 2009 11:26:32 -0400 Subject: [Freeipa-devel] [PATCH] Fix version extraction in release script In-Reply-To: <1243349857.24283.29.camel@zeppelin.englab.brq.redhat.com> References: <1242907085.29353.1.camel@zeppelin.englab.brq.redhat.com> <4A1544DE.3090409@redhat.com> <4A156707.9010208@redhat.com> <1242922159.29353.17.camel@zeppelin.englab.brq.redhat.com> <4A157D82.6090405@redhat.com> <1242929179.32121.5.camel@localhost.localdomain> <1243257367.24078.18.camel@zeppelin.englab.brq.redhat.com> <1243345435.24283.24.camel@zeppelin.englab.brq.redhat.com> <1243349857.24283.29.camel@zeppelin.englab.brq.redhat.com> Message-ID: <1243351592.7279.9.camel@localhost.localdomain> On Tue, 2009-05-26 at 16:57 +0200, Jakub Hrozek wrote: > On Tue, 2009-05-26 at 15:43 +0200, Jakub Hrozek wrote: > > One more change. Simo found out that the clean-up trap would be > > executed > > in the subdirectory. This patch moves back to the top-level directory > > before cleaning up. > > > > Jakub > > Yet one more change in handling the exit trap ack and pushed. Simo. -- Simo Sorce * Red Hat, Inc * New York From ssorce at redhat.com Tue May 26 15:27:22 2009
From: ssorce at redhat.com (Simo Sorce) Date: Tue, 26 May 2009 11:27:22 -0400 Subject: [Freeipa-devel] [PATCH][SSSD] Link backends against internal crypto library In-Reply-To: <4A1BFB95.1070701@redhat.com> References: <4A1BEBB7.1090806@redhat.com> <4A1BFB95.1070701@redhat.com> Message-ID: <1243351642.7279.10.camel@localhost.localdomain> On Tue, 2009-05-26 at 16:24 +0200, Sumit Bose wrote: > Stephen Gallagher schrieb: > > This will fix https://fedorahosted.org/sssd/ticket/39 > > > > I didn't realize that the proxy (and possibly the ldap) backends needed > > to be linked against our internal NSS_SHA512 implementation. I've added > > that library to the linker. > > > > ACK Pushed. Simo. -- Simo Sorce * Red Hat, Inc * New York From ssorce at redhat.com Tue May 26 15:31:02 2009 From: ssorce at redhat.com (Simo Sorce) Date: Tue, 26 May 2009 11:31:02 -0400 Subject: [Freeipa-devel] [PATCH] Do not fire up backend search when the data provider is local In-Reply-To: <1243342477.24283.15.camel@zeppelin.englab.brq.redhat.com> References: <1243255284.24078.13.camel@zeppelin.englab.brq.redhat.com> <4A1BD36F.7010308@redhat.com> <1243342477.24283.15.camel@zeppelin.englab.brq.redhat.com> Message-ID: <1243351862.7279.11.camel@localhost.localdomain> On Tue, 2009-05-26 at 14:54 +0200, Jakub Hrozek wrote: > > OK, a new incarnation of the patch is attached, does not touch > pamsrv_cmd.c. ack, and pushed. Simo. -- Simo Sorce * Red Hat, Inc * New York From sgallagh at redhat.com Tue May 26 15:54:02 2009 
From: sgallagh at redhat.com (Stephen Gallagher) Date: Tue, 26 May 2009 11:54:02 -0400 Subject: [Freeipa-devel] SSSD version pre-0.4 config problems under Ubuntu In-Reply-To: References: Message-ID: <4A1C109A.8080406@redhat.com> On 05/26/2009 11:06 AM, Miguel P.C. wrote: > Hi again. > > First of all, sorry for the worst error report ever ... :-) > >> Your ldb.h headers are not installed in a place that GCC searches for >> headers by default. You will need to append "-I/usr/include/samba-4.0" >> to your CPPFLAGS to tell GCC (and configure) where to find the headers. > > This is the try of that with libldb-samba4-dev (with ldb.h in > /usr/include/samba-4.0), after "autoreconf -i -f": > [migpc at ella]:~$ find /usr/ | grep ldb\.h$ > /usr/include/samba-4.0/ldb.h > [migpc at ella]:~$ CPPFLAGS="-I /usr/include/samba-4.0" ./configure > --prefix=/opt/sssd > [... snip ...] > checking for LDB... yes > checking ldb.h usability... no > checking ldb.h presence... yes > configure: WARNING: ldb.h: present but cannot be compiled > configure: WARNING: ldb.h: check for missing prerequisite headers? > configure: WARNING: ldb.h: see the Autoconf documentation > configure: WARNING: ldb.h: section "Present But Cannot Be Compiled" > configure: WARNING: ldb.h: proceeding with the preprocessor's result > configure: WARNING: ldb.h: in the future, the compiler will take precedence > configure: WARNING: ## --------------------------------------- ## > configure: WARNING: ## Report this to freeipa-devel at redhat.com ## > configure: WARNING: ## --------------------------------------- ## > checking for ldb.h... yes > checking for ldb_init in -lldb... yes > checking ldb_module.h usability... no > checking ldb_module.h presence... no > checking for ldb_module.h... no > configure: error: LDB header files are not installed > configure: error: ./configure failed for server > > I also send attached the full "configure" result, and "config.log" Sorry, in my earlier mail I wasn't descriptive enough. 
I need the config.log from the 'server' directory (configure is recursively run in that directory) as it is the one that will have the errors listed. That was my error. >>> [migpc at ella:~/Code/sssd/tmp/sssd]$ find /usr/ | grep ldb\.h >>> /usr/include/ldb.h >>> /usr/include/ldb_handlers.h >>> >>> but I get exactly the same error. >>> Any suggestion on what can be done or where should I look to solve the problem? >> I doubt it's exactly the same error. Would you gzip your config.log for >> each one (specifying which is which) and send them to the list so I can >> take a closer look? > > Ok. I attach the output for "configure" with libldb-dev. > [migpc at ella:~]$ find /usr/ | grep ldb\.h$ > /usr/include/ldb.h > [migpc at ella:~/Code/sssd/tmp/sssd]$ ./configure --prefix=/opt/sssd | > tee ../0002-configure_with_libldb-dev_karmic.txt > [... snip ...] > checking for LDB... yes > checking ldb.h usability... no > checking ldb.h presence... no > checking for ldb.h... no > configure: error: LDB header files are not installed > configure: error: ./configure failed for server > > Also attach both, configure result and config.log > >>> BTW, some little suggestions: >>> 1.- popt may be included in BUILD.txt as dependency. >> You're right. I'll add that. > Thank you. > >>> 2.- a proper "make clean" or equivalent would be really good to have >>> in the root dir in order to ease packaging >> With the new automake changes, 'make distclean' should work perfectly. >> Also, 'make dist-gzip' should produce an appropriate tarball. > Thanks again!. Really. > I should have re-read Makefile more carefully. > > I'll try to re-check everything when I get home. > > Regards. 
>
> M*
>
>
> ------------------------------------------------------------------------
>
> _______________________________________________
> Freeipa-devel mailing list
> Freeipa-devel at redhat.com
> https://www.redhat.com/mailman/listinfo/freeipa-devel

-- 
Stephen Gallagher
RHCE 804006346421761

Looking to carve out IT costs?
www.redhat.com/carveoutcosts/

From sgallagh at redhat.com Tue May 26 15:55:40 2009
From: sgallagh at redhat.com (Stephen Gallagher)
Date: Tue, 26 May 2009 11:55:40 -0400
Subject: [Freeipa-devel] [PATCH] silent warnings
In-Reply-To: <1243351509.7279.8.camel@localhost.localdomain>
References: <1243351509.7279.8.camel@localhost.localdomain>
Message-ID: <4A1C10FC.8040401@redhat.com>

On 05/26/2009 11:25 AM, Simo Sorce wrote:
> Most are just harmless warnings but some may be real bugs.
> I haven't addressed the tests/ breakage as Jakub already had patches for
> that.

Ack

-- 
Stephen Gallagher
RHCE 804006346421761

Looking to carve out IT costs?
www.redhat.com/carveoutcosts/

From sbose at redhat.com Tue May 26 16:08:09 2009
From: sbose at redhat.com (Sumit Bose)
Date: Tue, 26 May 2009 18:08:09 +0200
Subject: [Freeipa-devel] [PATCH] fix a wrong timeout
Message-ID: <4A1C13E9.7090906@redhat.com>

Hi,

just too many timeouts :)

bye,
Sumit
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0001-fix-a-wrong-timeout.patch
Type: text/x-patch
Size: 1387 bytes
Desc: not available
URL:

From ssorce at redhat.com Tue May 26 16:16:07 2009
From: ssorce at redhat.com (Simo Sorce)
Date: Tue, 26 May 2009 12:16:07 -0400
Subject: [Freeipa-devel] [PATCH] silent warnings
In-Reply-To: <4A1C10FC.8040401@redhat.com>
References: <1243351509.7279.8.camel@localhost.localdomain> <4A1C10FC.8040401@redhat.com>
Message-ID: <1243354567.7279.18.camel@localhost.localdomain>

On Tue, 2009-05-26 at 11:55 -0400, Stephen Gallagher wrote:
> On 05/26/2009 11:25 AM, Simo Sorce wrote:
> > Most are just harmless warnings but some may be real bugs.
> > I haven't addressed the tests/ breakage as Jakub already had patches
> for
> > that.
> Ack

pushed.

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York

From ssorce at redhat.com Tue May 26 16:24:11 2009
From: ssorce at redhat.com (Simo Sorce)
Date: Tue, 26 May 2009 12:24:11 -0400
Subject: [Freeipa-devel] [PATCH] fix a wrong timeout
In-Reply-To: <4A1C13E9.7090906@redhat.com>
References: <4A1C13E9.7090906@redhat.com>
Message-ID: <1243355051.7279.19.camel@localhost.localdomain>

On Tue, 2009-05-26 at 18:08 +0200, Sumit Bose wrote:
> Hi,
>
> just too many timeouts :)

patch looks ok, but it does not apply on master and line numbers differ
quite a bit, can you make sure you are not missing other changes/it is
ok to rebase on master?

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York

From jhrozek at redhat.com Tue May 26 16:53:58 2009
From: jhrozek at redhat.com (Jakub Hrozek)
Date: Tue, 26 May 2009 18:53:58 +0200
Subject: [Freeipa-devel] [PATCH] Adjust sysdb tests to the new confdb interface and improve sysdb test coverage
In-Reply-To: <4A1BDA0B.5050708@redhat.com>
References: <1243268057.7841.2.camel@zeppelin.englab.brq.redhat.com> <4A1BDA0B.5050708@redhat.com>
Message-ID: <1243356838.24283.39.camel@zeppelin.englab.brq.redhat.com>

On Tue, 2009-05-26 at 08:01 -0400, Stephen Gallagher wrote:
> Nack
> Your tests are not cleaning up after themselves properly. Running the
> test suite a second time results in failures. See attached log.
>

Oops, you're right, copy-and-paste error which resulted in cleaning only
half of the database.. This is fixed now. Thank you for the review.

Jakub
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0001-Adjust-sysdb-tests-to-the-new-confdb-interface-and-i.patch
Type: text/x-patch
Size: 33118 bytes
Desc: not available
URL:

From pzuna at redhat.com Tue May 26 16:57:59 2009
From: pzuna at redhat.com (Pavel Zuna)
Date: Tue, 26 May 2009 18:57:59 +0200
Subject: [Freeipa-devel] [PATCH] Clone options of crud.Update and crud.Search with autofill=False.
Message-ID: <4A1C1F97.6040805@redhat.com>

Prior to this patch, when modifying some other attribute, an autofill
attribute was always (re)set to its default value. This bug was also
interfering with plugins2 when searching by a specific attribute.

Pavel
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0001-Clone-options-of-crud.Update-and-crud.Search-with-au.patch
Type: application/mbox
Size: 1442 bytes
Desc: not available
URL:

From pzuna at redhat.com Tue May 26 17:11:28 2009
From: pzuna at redhat.com (Pavel Zuna)
Date: Tue, 26 May 2009 19:11:28 +0200
Subject: [Freeipa-devel] [PATCH] Make it easier to search for a single entry by attribute value (find_entry_by_attr). Fix minor search filter generation issues.
Message-ID: <4A1C22C0.3080506@redhat.com>

New method in ldap2: find_entry_by_attr
Allows searching for a single entry by attribute and object class.

It provides similar functionality to ldap.find_entry_dn, but it can be
used to retrieve the whole entry as well.

Pavel
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0001-Make-it-easier-to-search-for-a-single-entry-by-attri.patch
Type: application/mbox
Size: 2359 bytes
Desc: not available
URL:

From sgallagh at redhat.com Tue May 26 17:31:37 2009
From: sgallagh at redhat.com (Stephen Gallagher)
Date: Tue, 26 May 2009 13:31:37 -0400
Subject: [Freeipa-devel] [PATCH] Adjust sysdb tests to the new confdb interface and improve sysdb test coverage
In-Reply-To: <1243356838.24283.39.camel@zeppelin.englab.brq.redhat.com>
References: <1243268057.7841.2.camel@zeppelin.englab.brq.redhat.com> <4A1BDA0B.5050708@redhat.com> <1243356838.24283.39.camel@zeppelin.englab.brq.redhat.com>
Message-ID: <4A1C2779.9090002@redhat.com>

On 05/26/2009 12:53 PM, Jakub Hrozek wrote:
> On Tue, 2009-05-26 at 08:01 -0400, Stephen Gallagher wrote:
>> Nack
>> Your tests are not cleaning up after themselves properly. Running the
>> test suite a second time results in failures. See attached log.
>>
>
> Oops, you're right, copy-and-paste error which resulted in cleaning only
> half of the database.. This is fixed now. Thank you for the review.
>
> Jakub

Ack.

Though it's worth noting that I had to suppress whitespace errors to get
it to apply.

-- 
Stephen Gallagher
RHCE 804006346421761

Looking to carve out IT costs?
www.redhat.com/carveoutcosts/

From rcritten at redhat.com Tue May 26 17:36:36 2009
From: rcritten at redhat.com (Rob Crittenden)
Date: Tue, 26 May 2009 13:36:36 -0400
Subject: [Freeipa-devel] [PATCH] Clone options of crud.Update and crud.Search with autofill=False.
In-Reply-To: <4A1C1F97.6040805@redhat.com>
References: <4A1C1F97.6040805@redhat.com>
Message-ID: <4A1C28A4.2060009@redhat.com>

Pavel Zuna wrote:
> Prior to this patch, when modifying some other attribute, an autofill
> attribute was always (re)set to its default value. This bug was also
> interfering with plugins2 when searching by a specific attribute.
>
> Pavel

ack, pushed to master

From rcritten at redhat.com Tue May 26 17:40:31 2009
From: rcritten at redhat.com (Rob Crittenden)
Date: Tue, 26 May 2009 13:40:31 -0400
Subject: [Freeipa-devel] [PATCH] Make it easier to search for a single entry by attribute value (find_entry_by_attr). Fix minor search filter generation issues.
In-Reply-To: <4A1C22C0.3080506@redhat.com>
References: <4A1C22C0.3080506@redhat.com>
Message-ID: <4A1C298F.1050909@redhat.com>

Pavel Zuna wrote:
> New method in ldap2: find_entry_by_attr
> Allows searching for a single entry by attribute and object class.
>
> It provides similar functionality to ldap.find_entry_dn, but it can be
> used to retrieve the whole entry as well.
>
> Pavel
>

ack, pushed to master.

rob

From sbose at redhat.com Tue May 26 17:58:44 2009
From: sbose at redhat.com (Sumit Bose)
Date: Tue, 26 May 2009 19:58:44 +0200
Subject: [Freeipa-devel] [PATCH] fix a wrong timeout
In-Reply-To: <4A1C13E9.7090906@redhat.com>
References: <4A1C13E9.7090906@redhat.com>
Message-ID: <4A1C2DD4.90005@redhat.com>

Sumit Bose wrote:
> Hi,
>
> just too many timeouts :)
>
> bye,
> Sumit
>

rebased to current master

bye,
Sumit
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0001-fix-a-wrong-timeout.patch
Type: text/x-patch
Size: 1443 bytes
Desc: not available
URL:

From ssorce at redhat.com Tue May 26 18:05:08 2009
From: ssorce at redhat.com (Simo Sorce)
Date: Tue, 26 May 2009 14:05:08 -0400
Subject: [Freeipa-devel] [PATCH] fix a wrong timeout
In-Reply-To: <4A1C2DD4.90005@redhat.com>
References: <4A1C13E9.7090906@redhat.com> <4A1C2DD4.90005@redhat.com>
Message-ID: <1243361108.7279.23.camel@localhost.localdomain>

On Tue, 2009-05-26 at 19:58 +0200, Sumit Bose wrote:
>
> rebased to current master

pushed.

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York

From ssorce at redhat.com Tue May 26 18:05:25 2009
From: ssorce at redhat.com (Simo Sorce)
Date: Tue, 26 May 2009 14:05:25 -0400
Subject: [Freeipa-devel] [PATCH] Adjust sysdb tests to the new confdb interface and improve sysdb test coverage
In-Reply-To: <1243356838.24283.39.camel@zeppelin.englab.brq.redhat.com>
References: <1243268057.7841.2.camel@zeppelin.englab.brq.redhat.com> <4A1BDA0B.5050708@redhat.com> <1243356838.24283.39.camel@zeppelin.englab.brq.redhat.com>
Message-ID: <1243361125.7279.24.camel@localhost.localdomain>

On Tue, 2009-05-26 at 18:53 +0200, Jakub Hrozek wrote:
>
> Oops, you're right, copy-and-paste error which resulted in cleaning
> only
> half of the database.. This is fixed now. Thank you for the review.

pushed,

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York

From ssorce at redhat.com Tue May 26 18:08:41 2009
From: ssorce at redhat.com (Simo Sorce) Date: Tue, 26 May 2009 14:08:41 -0400 Subject: [Freeipa-devel] [PATCH][SSSD] Implement Gettext framework for sss_clients In-Reply-To: <4A1BF531.3080108@redhat.com> References: <4A15B9E6.4010308@redhat.com> <4A1A57E2.9080103@redhat.com> <4A1BF531.3080108@redhat.com> Message-ID: <1243361321.7279.25.camel@localhost.localdomain> On Tue, 2009-05-26 at 09:57 -0400, Stephen Gallagher wrote: > diff --git a/sss_client/po/sss_client.pot > b/sss_client/po/sss_client.pot > new file mode 100644 > index 0000000..b92cb44 > --- /dev/null > +++ b/sss_client/po/sss_client.pot > @@ -0,0 +1,21 @@ > +# SOME DESCRIPTIVE TITLE. > +# Copyright (C) YEAR Red Hat, Inc. > +# This file is distributed under the same license as the PACKAGE > package. > +# FIRST AUTHOR , YEAR. > +# > +#, fuzzy > +msgid "" > +msgstr "" > +"Project-Id-Version: sss_client 0.4.0\n" > +"Report-Msgid-Bugs-To: freeipa-devel at redhat.com\n" > +"POT-Creation-Date: 2009-05-21 14:10-0400\n" > +"PO-Revision-Date: YEAR-MO-DA HO:MI+ZONE\n" > +"Last-Translator: FULL NAME \n" > +"Language-Team: LANGUAGE \n" > +"MIME-Version: 1.0\n" > +"Content-Type: text/plain; charset=CHARSET\n" > +"Content-Transfer-Encoding: 8bit\n" > + Looks like you forgot to fill the above stuff. Simo. -- Simo Sorce * Red Hat, Inc * New York From ssorce at redhat.com Tue May 26 18:15:37 2009 From: ssorce at redhat.com (Simo Sorce) Date: Tue, 26 May 2009 14:15:37 -0400 Subject: [Freeipa-devel] [PATCH] 218 add memberOf as MAY to ipaHost In-Reply-To: <4A12C858.5030507@redhat.com> References: <4A12C858.5030507@redhat.com> Message-ID: <1243361737.7279.26.camel@localhost.localdomain> On Tue, 2009-05-19 at 10:55 -0400, Rob Crittenden wrote: > Add memberOf as a MAY attribute to the ipaHost objectclass. > > This will resolve BZ 499731. ack Simo. -- Simo Sorce * Red Hat, Inc * New York From rcritten at redhat.com Tue May 26 18:25:59 2009 
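Review bot: in the quoted sss_client/po/sss_client.pot hunk (@@ -0,0 +1,21 @@), the header comment still reads "SOME DESCRIPTIVE TITLE" and "the same license as the PACKAGE package", and the "FIRST AUTHOR , YEAR." line is unfilled, although Project-Id-Version and Report-Msgid-Bugs-To are already set; fill in the title, package name and author so the template is self-describing. The PO-Revision-Date, Last-Translator, Language-Team and charset=CHARSET entries are the fields each translation fills in for itself, so leaving those as placeholders in a .pot template is expected.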
From: rcritten at redhat.com (Rob Crittenden)
Date: Tue, 26 May 2009 14:25:59 -0400
Subject: [Freeipa-devel] [PATCH] 184 change dogtag port
In-Reply-To: <1241467243.13868.103.camel@jgd-dsk>
References: <49EF6FA4.7090601@redhat.com> <1241467243.13868.103.camel@jgd-dsk>
Message-ID: <4A1C3437.5060904@redhat.com>

Jason Gerard DeRose wrote:
> On Wed, 2009-04-22 at 15:27 -0400, Rob Crittenden wrote:
>> Dogtag keeps telling me that I should use port 9444 and not 9443 so I'm
>> going to listen.
>>
>> rob
>
> ack if Andrew is okay with it.
>
> Andrew, I thought that during an IRC conversation you originally told me
> the ca_ssl_port should be 9443. Did I just goof up? Should the default
> be 9443 or 9444?
>

I went ahead and pushed this. Dogtag would have log entries like
"received this request on port 9443, you should use 9444".

rob

From rcritten at redhat.com Tue May 26 18:26:26 2009
From: rcritten at redhat.com (Rob Crittenden)
Date: Tue, 26 May 2009 14:26:26 -0400
Subject: [Freeipa-devel] [PATCH] 218 add memberOf as MAY to ipaHost
In-Reply-To: <1243361737.7279.26.camel@localhost.localdomain>
References: <4A12C858.5030507@redhat.com> <1243361737.7279.26.camel@localhost.localdomain>
Message-ID: <4A1C3452.6030407@redhat.com>

Simo Sorce wrote:
> On Tue, 2009-05-19 at 10:55 -0400, Rob Crittenden wrote:
>> Add memberOf as a MAY attribute to the ipaHost objectclass.
>>
>> This will resolve BZ 499731.
>
> ack
>
> Simo.
>

pushed to master

From sgallagh at redhat.com Tue May 26 18:30:53 2009
From: sgallagh at redhat.com (Stephen Gallagher)
Date: Tue, 26 May 2009 14:30:53 -0400
Subject: [Freeipa-devel] [PATCH][SSSD] Implement Gettext framework for sss_clients
In-Reply-To: <1243361321.7279.25.camel@localhost.localdomain>
References: <4A15B9E6.4010308@redhat.com> <4A1A57E2.9080103@redhat.com> <4A1BF531.3080108@redhat.com> <1243361321.7279.25.camel@localhost.localdomain>
Message-ID: <4A1C355D.2070307@redhat.com>

On 05/26/2009 02:08 PM, Simo Sorce wrote:
>
> Looks like you forgot to fill the above stuff.
> Simo.
>

Fixed and attached a new patch.

-- 
Stephen Gallagher
RHCE 804006346421761

Looking to carve out IT costs?
www.redhat.com/carveoutcosts/
-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: 0001-Initial-gettext-framework-for-sss_clients.patch
URL:

From rcritten at redhat.com Tue May 26 18:50:20 2009
From: rcritten at redhat.com (Rob Crittenden)
Date: Tue, 26 May 2009 14:50:20 -0400
Subject: [Freeipa-devel] [PATCHES] Add new env variables: container_taskgroup, container_rolegroup and container_netgroup. + Add rolegroup plugin port to new LDAP backend. + Add taskgroup plugin port to new LDAP backend. + Add defaultoptions plugin port to new LDAP backend.
In-Reply-To: <4A0ACC6A.6050407@redhat.com>
References: <4A0ACC6A.6050407@redhat.com>
Message-ID: <4A1C39EC.7030505@redhat.com>

Pavel Zuna wrote:
> 0001: Add new env variables: container_taskgroup, container_rolegroup
> and container_netgroup
>
> 0002: Add rolegroup plugin port to new LDAP backend.
>
> 0003: Add taskgroup plugin port to new LDAP backend.
>
> 0004: Add defaultoptions plugin port to new LDAP backend.
>
> With the last patch, I took the liberty to change the plugin name from
> 'defaultoptions' to 'config' as I find the former to be a bit clumsy.
> Also instead of displaying the LDAP entry after modifying options, I
> choose to display a human-readable list of what has changed.
>
> Pavel

ack all and pushed to master.

rob

From rcritten at redhat.com Tue May 26 18:52:04 2009
From: rcritten at redhat.com (Rob Crittenden)
Date: Tue, 26 May 2009 14:52:04 -0400
Subject: [Freeipa-devel] [PATCH] Add pwpolicy plugin port to new LDAP backend.
In-Reply-To: <4A0AFAA1.6030307@redhat.com>
References: <4A0AFAA1.6030307@redhat.com>
Message-ID: <4A1C3A54.7040302@redhat.com>

Pavel Zuna wrote:
>
> Pavel

Sorry for the delay in the review.

You are mixing camel-case and lower-case in attribute names. With your
ok I'll convert it to lower-case and commit.

rob

From ssorce at redhat.com Tue May 26 18:58:29 2009
From: ssorce at redhat.com (Simo Sorce)
Date: Tue, 26 May 2009 14:58:29 -0400
Subject: [Freeipa-devel] [PATCH][SSSD] Implement Gettext framework for sss_clients
In-Reply-To: <4A1C355D.2070307@redhat.com>
References: <4A15B9E6.4010308@redhat.com> <4A1A57E2.9080103@redhat.com> <4A1BF531.3080108@redhat.com> <1243361321.7279.25.camel@localhost.localdomain> <4A1C355D.2070307@redhat.com>
Message-ID: <1243364309.7279.31.camel@localhost.localdomain>

On Tue, 2009-05-26 at 14:30 -0400, Stephen Gallagher wrote:
> On 05/26/2009 02:08 PM, Simo Sorce wrote:
> >
>
> > Looks like you forgot to fill the above stuff.
> > Simo.
> >
>
> Fixed and attached a new patch.

Pushed.

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York

From rcritten at redhat.com Tue May 26 20:53:11 2009
From: rcritten at redhat.com (Rob Crittenden)
Date: Tue, 26 May 2009 16:53:11 -0400
Subject: [Freeipa-devel] [PATCH] require password only once from a pipe
Message-ID: <4A1C56B7.9080305@redhat.com>

When reading the password in from a pipe require that it be provided
only once.

This will let people do:

% echo "secret123" | ipa user-add --first=Joe --last=Robinson jrobinson

or

% echo "secret123" | ipa passwd jrobinson

rob
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-226-pipe.patch
Type: application/mbox
Size: 2196 bytes
Desc: not available
URL:

From sbose at redhat.com Tue May 26 21:14:16 2009
From: sbose at redhat.com (Sumit Bose)
Date: Tue, 26 May 2009 23:14:16 +0200
Subject: [Freeipa-devel] [PATCH] added pam_probe and session state
Message-ID: <4A1C5BA8.3010602@redhat.com>

Hi,

this patch adds a new, initial pam call to the pam client protocol and
lets the pam responder save the states of previous pam operations.

bye,
Sumit
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0001-added-pam_probe-and-session-state.patch
Type: text/x-patch
Size: 15750 bytes
Desc: not available
URL:

From mpcolino at gmail.com Wed May 27 10:44:55 2009
From: mpcolino at gmail.com (Miguel P.C.)
Date: Wed, 27 May 2009 12:44:55 +0200
Subject: [Freeipa-devel] SSSD version pre-0.4 config problems under Ubuntu
In-Reply-To: <4A1C109A.8080406@redhat.com>
References: <4A1C109A.8080406@redhat.com>
Message-ID:

Hi again,

[... snip ...]
> Sorry, in my earlier mail I wasn't descriptive enough. I need the
> config.log from the 'server' directory (configure is recursively run in
> that directory) as it is the one that will have the errors listed. That
> was my error.
[... snip ...]

Attached.

More info second try was with: libldb-dev_1%3a0.9.3~git20090221-1_i386.deb
In my opinion this should be the one to use under Ubuntu for SSSD. Am I right?

M*
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0005-config_log_server_with_libldb-samba4-dev_karmic.log.bz2
Type: application/x-bzip2
Size: 7419 bytes
Desc: not available
URL:
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0006-config_log_server_with_libldb-dev_karmic.log.bz2
Type: application/x-bzip2
Size: 6633 bytes
Desc: not available
URL:

From sbose at redhat.com Wed May 27 11:54:11 2009
From: sbose at redhat.com (Sumit Bose)
Date: Wed, 27 May 2009 13:54:11 +0200
Subject: [Freeipa-devel] [PATCH] gettext cleanups
Message-ID: <4A1D29E3.3040409@redhat.com>

Hi,

if you add AM_GNU_GETTEXT_VERSION to configure.ac autopoint can generate
even more files. Only m4/Changlog is not generated anymore, but I think
it is not needed. I also added a change to support archaic 32bit
architectures.

bye,
Sumit
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0001-gettext-cleanups.patch
Type: text/x-patch
Size: 39064 bytes
Desc: not available
URL:

From pzuna at redhat.com Wed May 27 13:51:04 2009
From: pzuna at redhat.com (Pavel Zuna)
Date: Wed, 27 May 2009 15:51:04 +0200
Subject: [Freeipa-devel] [PATCH] Add pwpolicy plugin port to new LDAP backend.
In-Reply-To: <4A1C3A54.7040302@redhat.com>
References: <4A0AFAA1.6030307@redhat.com> <4A1C3A54.7040302@redhat.com>
Message-ID: <4A1D4548.7010902@redhat.com>

Rob Crittenden wrote:
> Pavel Zuna wrote:
>>
>> Pavel
>
> Sorry for the delay in the review.
>
> You are mixing camel-case and lower-case in attribute names. With your
> ok I'll convert it to lower-case and commit.
>
> rob

Sure, those patches were submitted before the *-case discussion.

Pavel

From rcritten at redhat.com Wed May 27 14:02:35 2009
From: rcritten at redhat.com (Rob Crittenden)
Date: Wed, 27 May 2009 10:02:35 -0400
Subject: [Freeipa-devel] [PATCH] Add pwpolicy plugin port to new LDAP backend.
In-Reply-To: <4A1D4548.7010902@redhat.com>
References: <4A0AFAA1.6030307@redhat.com> <4A1C3A54.7040302@redhat.com> <4A1D4548.7010902@redhat.com>
Message-ID: <4A1D47FB.1080601@redhat.com>

Pavel Zuna wrote:
> Rob Crittenden wrote:
>> Pavel Zuna wrote:
>>>
>>> Pavel
>>
>> Sorry for the delay in the review.
>>
>> You are mixing camel-case and lower-case in attribute names. With your
>> ok I'll convert it to lower-case and commit.
>>
>> rob
> Sure, those patches were submitted before the *-case discussion.
>
> Pavel

Done and pushed to master

rob

From rcritten at redhat.com Wed May 27 14:04:50 2009
From: rcritten at redhat.com (Rob Crittenden)
Date: Wed, 27 May 2009 10:04:50 -0400
Subject: [Freeipa-devel] [PATCH] Integrate the DNS LDAP back-end
In-Reply-To: <20090522193739.5a427a4e@wolverine.englab.brq.redhat.com>
References: <20090512233222.2c5d79d8@notas> <20090522193739.5a427a4e@wolverine.englab.brq.redhat.com>
Message-ID: <4A1D4882.5050307@redhat.com>

Martin Nagy wrote:
> New series. It's based on the current top of the tree. I removed the
> "recursion no" from named.conf, since right now it breaks the driver.
> Also some cosmetic changes, but otherwise the same..
>
> Martin

Looks good. ack x4.

rob

>
> On Tue, 12 May 2009 23:32:22 +0200, Martin Nagy
> wrote:
>
>> Hi,
>> this patch series will integrate the LDAP driver into the FreeIPA
>> install script (better late than never..). To get the driver code:
>>
>> git clone git://github.com/mnagy/bind-dyndb-ldap.git
>>
>> There's a README file with instructions for building and installing.
>> The plug-in is available in F-11, but since getting updates there is
>> pretty hard, you'll be better off with the git tree and make install,
>> I won't be updating the package in F-11 very often, at least not for
>> now. Unfortunately, I found a bug when testing the driver with IPA
>> that will cause any read queries to be denied. I'll try to fix that
>> as soon as possible.
>>
>> You will also need the latest bind package either from the F-11 or
>> devel branch (at least version 9.6.1-0.3.b1). Or you can grab a patch
>> from http://github.com/mnagy/bind-dynamic_db/downloads
>>
>> For now the plug-in will bind anonymously and won't be able to update.
>> It could do that, but for now I would have to put the DS password to
>> the config file.. I don't expect that we want to be able to
>> dynamically update the initial zone, so hopefully this is ok for now.
>>
>> I tried to install freeipa with this patch on a clean VM and didn't
>> hit any problems (well, yeah, I did, but I fixed them before
>> submitting ;).
Any questions and criticism is welcome. Thanks.
>>
>> Martin

From pzuna at redhat.com Wed May 27 15:01:22 2009
From: pzuna at redhat.com (Pavel Zuna)
Date: Wed, 27 May 2009 17:01:22 +0200
Subject: [Freeipa-devel] [PATCHES] Fix bug in ldap2.normalize_dn. + Add service plugin port to new LDAP backend. + Add host plugin port to new LDAP backend.
Message-ID: <4A1D55C2.6030504@redhat.com>

0001: Fix bug in ldap2.normalize_dn.
DN was always returned as lower-case, sometimes resulting in 2 RDN
values with different cases when creating entries.

0002: Add service plugin port to new LDAP backend.

0003: Add host plugin port to new LDAP backend.

Pavel
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0001-Fix-bug-in-ldap2.normalize_dn.patch
Type: application/mbox
Size: 975 bytes
Desc: not available
URL:
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0002-Add-service-plugin-port-to-new-LDAP-backend.patch
Type: application/mbox
Size: 11912 bytes
Desc: not available
URL:
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0003-Add-host-plugin-port-to-new-LDAP-backend.patch
Type: application/mbox
Size: 11887 bytes
Desc: not available
URL:

From pzuna at redhat.com Wed May 27 17:30:49 2009
From: pzuna at redhat.com (Pavel Zuna)
Date: Wed, 27 May 2009 19:30:49 +0200
Subject: [Freeipa-devel] [PATCH] Fix bug in host plugins, where host*-mod on 'localityname' attribute were creating new values instead of modifying them.
Message-ID: <4A1D78C9.3080006@redhat.com>

Fixes bug [499018]:
https://bugzilla.redhat.com/show_bug.cgi?id=499018

Pavel
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0001-Fix-bug-in-host-plugins-where-host-mod-on-localit.patch
Type: application/mbox
Size: 1833 bytes
Desc: not available
URL:

From sgallagh at redhat.com Wed May 27 19:10:21 2009
From: sgallagh at redhat.com (Stephen Gallagher)
Date: Wed, 27 May 2009 15:10:21 -0400
Subject: [Freeipa-devel] SSSD version pre-0.4 config problems under Ubuntu
In-Reply-To:
References: <4A1C109A.8080406@redhat.com>
Message-ID: <4A1D901D.4040808@redhat.com>

On 05/27/2009 06:44 AM, Miguel P.C. wrote:
> Hi again,
>
> [... snip ...]
>> Sorry, in my earlier mail I wasn't descriptive enough. I need the
>> config.log from the 'server' directory (configure is recursively run in
>> that directory) as it is the one that will have the errors listed. That
>> was my error.
> [... snip ...]
>
> Attached.
>
> More info second try was with: libldb-dev_1%3a0.9.3~git20090221-1_i386.deb
> In my opinion this should be the one to use under Ubuntu for SSSD. Am I right?
>
> M*

Miguel, I did some digging into this problem today, and here's what I've
found.

The correct package to build against will be libldb-dev, not
libldb-samba-4.0-dev, as you suspected.

Unfortunately, however, the libldb-dev package in Ubuntu/Debian has a
very serious bug. The ldb.h header internally requires a header from
libreplace, which is not packaged for Debian.

I spoke with jelmer on IRC and he and Simo are going to work on getting
a new upstream build with fixes ready, and a Debian package will follow
from that.

Until that fixed package is available, I'm afraid we're at a standstill.

-- 
Stephen Gallagher
RHCE 804006346421761

Looking to carve out IT costs?
www.redhat.com/carveoutcosts/

From ssorce at redhat.com Wed May 27 22:14:27 2009
From: ssorce at redhat.com (Simo Sorce)
Date: Wed, 27 May 2009 18:14:27 -0400
Subject: [Freeipa-devel] [PATCH] fix enumerations
Message-ID: <1243462467.7279.85.camel@localhost.localdomain>

This took some time to grok ...

I needed an astral conjunction just to experience it in the first
place, I'm glad I had it, this could have gone unnoticed for a long time
and pop up the strangest ways later on ...

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0001-Fix-enumerations-bug-42.patch
Type: text/x-patch
Size: 8265 bytes
Desc: not available
URL:

From sbose at redhat.com Thu May 28 08:05:20 2009
From: sbose at redhat.com (Sumit Bose)
Date: Thu, 28 May 2009 10:05:20 +0200
Subject: [Freeipa-devel] [PATCH] gettext cleanups
In-Reply-To: <4A1D29E3.3040409@redhat.com>
References: <4A1D29E3.3040409@redhat.com>
Message-ID: <4A1E45C0.6010807@redhat.com>

Sumit Bose wrote:
> Hi,
>
> if you add AM_GNU_GETTEXT_VERSION to configure.ac autopoint can generate
> even more files. Only m4/Changlog is not generated anymore, but I think
> it is not needed. I also added a change to support archaic 32bit
> architectures.
>

Hi,

this new version adds some changes that allow 'make dist' to run without
making changes to pot or po files under version control. Please note
that the pot file should not be edited manually, but only new versions
created automatically by xgettext should be pushed to the repository.

bye,
Sumit
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0001-gettext-cleanups.patch
Type: text/x-patch
Size: 41333 bytes
Desc: not available
URL:

From sbose at redhat.com Thu May 28 08:09:07 2009
From: sbose at redhat.com (Sumit Bose)
Date: Thu, 28 May 2009 10:09:07 +0200
Subject: [Freeipa-devel] [PATCH] Do not fire up backend search when the data provider is local
In-Reply-To: <1243342477.24283.15.camel@zeppelin.englab.brq.redhat.com>
References: <1243255284.24078.13.camel@zeppelin.englab.brq.redhat.com> <4A1BD36F.7010308@redhat.com> <1243342477.24283.15.camel@zeppelin.englab.brq.redhat.com>
Message-ID: <4A1E46A3.8020404@redhat.com>

Jakub Hrozek wrote:
> On Tue, 2009-05-26 at 13:33 +0200, Sumit Bose wrote:
>> Hi,
>>
>> please remove the changes to pamsrv_cmd.c, because it is planned that
>> the authentication code for LOCAL will move to a separate backend.
>>
>> bye,
>> Sumit
>
> OK, a new incarnation of the patch is attached, does not touch
> pamsrv_cmd.c.
>

Hi Jakub,

I'm sorry. I should have read the patch more carefully and not only the
introduction. Now I see that you only changed the NSS calls in
pamsrv_cmd.c. Please resend your changes to pamsrv_cmd.c and I will ACK
them.

Thanks,
Sumit

From jhrozek at redhat.com Thu May 28 09:51:24 2009
From: jhrozek at redhat.com (Jakub Hrozek)
Date: Thu, 28 May 2009 11:51:24 +0200
Subject: [Freeipa-devel] [PATCH] Do not fire up backend search when the data provider is local
In-Reply-To: <4A1E46A3.8020404@redhat.com>
References: <1243255284.24078.13.camel@zeppelin.englab.brq.redhat.com> <4A1BD36F.7010308@redhat.com> <1243342477.24283.15.camel@zeppelin.englab.brq.redhat.com> <4A1E46A3.8020404@redhat.com>
Message-ID: <1243504284.7870.12.camel@zeppelin.englab.brq.redhat.com>

On Thu, 2009-05-28 at 10:09 +0200, Sumit Bose wrote:
> Hi Jakub,
>
> I'm sorry. I should have read the patch more carefully and not only
> the
> introduction. Now I see that you only changed the NSS calls in
> pamsrv_cmd.c. Please resend your changes to pamsrv_cmd.c and I will
> ACK
> them.
>
> Thanks,
> Sumit

New patch attached.

Jakub
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0002-special-case-NSS-calls-in-PAM-code.patch
Type: text/x-patch
Size: 1463 bytes
Desc: not available
URL:

From jhrozek at redhat.com Thu May 28 09:51:35 2009
From: jhrozek at redhat.com (Jakub Hrozek)
Date: Thu, 28 May 2009 11:51:35 +0200
Subject: [Freeipa-devel] [PATCH] Make Data Provider a mandatory service
Message-ID: <1243504295.7870.13.camel@zeppelin.englab.brq.redhat.com>

The attached patch adds "dp" into the list of active services if not
already there. I know that Data Provider will be undergoing changes down
the road, but this might help making the configuration more fool-proof
until then.

Jakub
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0001-Make-Data-Provider-a-mandatory-service.patch
Type: text/x-patch
Size: 1789 bytes
Desc: not available
URL:

From sbose at redhat.com Thu May 28 10:38:48 2009
From: sbose at redhat.com (Sumit Bose)
Date: Thu, 28 May 2009 12:38:48 +0200
Subject: [Freeipa-devel] [PATCH] Do not fire up backend search when the data provider is local
In-Reply-To: <1243504284.7870.12.camel@zeppelin.englab.brq.redhat.com>
References: <1243255284.24078.13.camel@zeppelin.englab.brq.redhat.com> <4A1BD36F.7010308@redhat.com> <1243342477.24283.15.camel@zeppelin.englab.brq.redhat.com> <4A1E46A3.8020404@redhat.com> <1243504284.7870.12.camel@zeppelin.englab.brq.redhat.com>
Message-ID: <4A1E69B8.1040605@redhat.com>

Jakub Hrozek wrote:
> On Thu, 2009-05-28 at 10:09 +0200, Sumit Bose wrote:
>> Hi Jakub,
>>
>> I'm sorry. I should have read the patch more carefully and not only
>> the
>> introduction. Now I see that you only changed the NSS calls in
>> pamsrv_cmd.c. Please resend your changes to pamsrv_cmd.c and I will
>> ACK
>> them.
>>
>> Thanks,
>> Sumit
>
> New patch attached.
>

ACK

bye,
Sumit

From sgallagh at redhat.com Thu May 28 11:33:48 2009
From: sgallagh at redhat.com (Stephen Gallagher)
Date: Thu, 28 May 2009 07:33:48 -0400
Subject: [Freeipa-devel] [PATCH] fix enumerations
In-Reply-To: <1243462467.7279.85.camel@localhost.localdomain>
References: <1243462467.7279.85.camel@localhost.localdomain>
Message-ID: <4A1E769C.5000004@redhat.com>

On 05/27/2009 06:14 PM, Simo Sorce wrote:
> This took some time to grok ...
>
> I needed an astral conjunction just to experience it in the first
> place, I'm glad I had it, this could have gone unnoticed for a long time
> and pop up the strangest ways later on ...
>
> Simo.
>

Ack. Good catch.

-- 
Stephen Gallagher
RHCE 804006346421761
Looking to carve out IT costs?
www.redhat.com/carveoutcosts/

From sgallagh at redhat.com Thu May 28 11:44:10 2009
From: sgallagh at redhat.com (Stephen Gallagher)
Date: Thu, 28 May 2009 07:44:10 -0400
Subject: [Freeipa-devel] [PATCH] Make Data Provider a mandatory service
In-Reply-To: <1243504295.7870.13.camel@zeppelin.englab.brq.redhat.com>
References: <1243504295.7870.13.camel@zeppelin.englab.brq.redhat.com>
Message-ID: <4A1E790A.7080205@redhat.com>

On 05/28/2009 05:51 AM, Jakub Hrozek wrote:
> The attached patch adds "dp" into the list of active services if not
> already there. I know that Data Provider will be undergoing changes down
> the road, but this might help making the configuration more fool-proof
> until then.
>
> Jakub
>

Please use strcasecmp() instead of strcmp() when searching for the
services.

Why are you realloc()-ing to i+2? i+1 is sufficient because you're
replacing one spot already allocated.

-- 
Stephen Gallagher
RHCE 804006346421761
Looking to carve out IT costs?
www.redhat.com/carveoutcosts/

From sgallagh at redhat.com Thu May 28 11:49:07 2009
From: sgallagh at redhat.com (Stephen Gallagher)
Date: Thu, 28 May 2009 07:49:07 -0400
Subject: [Freeipa-devel] [PATCH] gettext cleanups
In-Reply-To: <4A1E45C0.6010807@redhat.com>
References: <4A1D29E3.3040409@redhat.com> <4A1E45C0.6010807@redhat.com>
Message-ID: <4A1E7A33.6080605@redhat.com>

On 05/28/2009 04:05 AM, Sumit Bose wrote:
> Sumit Bose wrote:
>> Hi,
>>
>> if you add AM_GNU_GETTEXT_VERSION to configure.ac autopoint can generate
>> even more files. Only m4/Changlog is not generated anymore, but I think
>> it is not needed. I also added a change to support archaic 32bit
>> architectures.
>>
>
> Hi,
>
> this new version adds some changes that allow 'make dist' to run without
> making changes to pot or po files under version control. Please note
> that the pot file should not be edited manually, but only new versions
> created automatically by xgettext should be pushed to the repository.
>
> bye,
> Sumit
>

Ack, and thanks for sorting this out.

-- 
Stephen Gallagher
RHCE 804006346421761
Looking to carve out IT costs?
www.redhat.com/carveoutcosts/

From jhrozek at redhat.com Thu May 28 12:19:27 2009
From: jhrozek at redhat.com (Jakub Hrozek)
Date: Thu, 28 May 2009 14:19:27 +0200
Subject: [Freeipa-devel] [PATCH] Make Data Provider a mandatory service
In-Reply-To: <4A1E790A.7080205@redhat.com>
References: <1243504295.7870.13.camel@zeppelin.englab.brq.redhat.com> <4A1E790A.7080205@redhat.com>
Message-ID: <1243513167.7870.19.camel@zeppelin.englab.brq.redhat.com>

On Thu, 2009-05-28 at 07:44 -0400, Stephen Gallagher wrote:
> Please use strcasecmp() instead of strcmp() when searching for the
> services.
>

done.

> Why are you realloc()-ing to i+2? i+1 is sufficient because you're
> replacing one spot already allocated.

Because i is not the number of strings, but rather index of the ending
NULL. The number of strings is i+1, so you need to realloc to i+2.

Jakub
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0001-Make-Data-Provider-a-mandatory-service.patch
Type: text/x-patch
Size: 1705 bytes
Desc: not available
URL:

From sgallagh at redhat.com Thu May 28 12:33:51 2009
From: sgallagh at redhat.com (Stephen Gallagher)
Date: Thu, 28 May 2009 08:33:51 -0400
Subject: [Freeipa-devel] [PATCH] Make Data Provider a mandatory service
In-Reply-To: <1243513167.7870.19.camel@zeppelin.englab.brq.redhat.com>
References: <1243504295.7870.13.camel@zeppelin.englab.brq.redhat.com> <4A1E790A.7080205@redhat.com> <1243513167.7870.19.camel@zeppelin.englab.brq.redhat.com>
Message-ID: <4A1E84AF.8080709@redhat.com>

On 05/28/2009 08:19 AM, Jakub Hrozek wrote:
> On Thu, 2009-05-28 at 07:44 -0400, Stephen Gallagher wrote:
>> Please use strcasecmp() instead of strcmp() when searching for the
>> services.
>>
>
> done.
>
>> Why are you realloc()-ing to i+2? i+1 is sufficient because you're
>> replacing one spot already allocated.
>
> Because i is not the number of strings, but rather index of the ending
> NULL. The number of strings is i+1, so you need to realloc to i+2.
>
> Jakub

You're right, I wasn't paying attention. Please make one additional
change regarding the realloc. If talloc_realloc returns NULL, you've
leaked the original memory, since it's only freed on success. It should
look something like:

char **tmp_array = talloc_realloc(ctx, ctx->services, char *, i+2);
if (tmp_array == NULL) {
    return ENOMEM;
}
ctx->services = tmp_array;

At least this way, the ctx->services value remains reachable.

-- 
Stephen Gallagher
RHCE 804006346421761
Looking to carve out IT costs?
www.redhat.com/carveoutcosts/

From sgallagh at redhat.com Thu May 28 13:07:01 2009
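Added example, not part of any message in this archive and not the project's code: the append-if-missing logic discussed in the "Make Data Provider a mandatory service" thread, covering the i+2 sizing of the NULL-terminated services array and the temporary-pointer check on reallocation failure. It uses libc realloc() in place of talloc_realloc(), and struct svc_ctx, ensure_service(), failing_realloc() and the other helper names are hypothetical.

```c
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <strings.h>

/* Allocator hook so the failure path can be exercised deterministically. */
typedef void *(*realloc_fn)(void *ptr, size_t size);

/* Hypothetical stand-in for the context that owns the services list. */
struct svc_ctx {
    char **services;            /* NULL-terminated array of heap strings */
};

static char *dup_str(const char *s)
{
    size_t len = strlen(s) + 1;
    char *copy = malloc(len);
    if (copy != NULL) memcpy(copy, s, len);
    return copy;
}

static size_t svc_count(const struct svc_ctx *ctx)
{
    size_t n = 0;
    while (ctx->services[n] != NULL) n++;
    return n;
}

static void svc_free(struct svc_ctx *ctx)
{
    size_t k;
    if (ctx->services == NULL) return;
    for (k = 0; ctx->services[k] != NULL; k++) free(ctx->services[k]);
    free(ctx->services);
    ctx->services = NULL;
}

/* Constructed helper: copy a NULL-terminated list of names into ctx. */
static int svc_init(struct svc_ctx *ctx, const char *const *names)
{
    size_t n = 0, k;
    while (names[n] != NULL) n++;
    ctx->services = calloc(n + 1, sizeof(char *));
    if (ctx->services == NULL) return ENOMEM;
    for (k = 0; k < n; k++) {
        ctx->services[k] = dup_str(names[k]);
        if (ctx->services[k] == NULL) { svc_free(ctx); return ENOMEM; }
    }
    return 0;
}

/* Simulated out-of-memory: like realloc(), it leaves ptr valid on failure. */
static void *failing_realloc(void *ptr, size_t size)
{
    (void)ptr; (void)size;
    return NULL;
}

/* Add name to the list unless it is already present (case-insensitive). */
static int ensure_service(struct svc_ctx *ctx, const char *name, realloc_fn grow)
{
    size_t i;
    char **tmp;
    char *copy;

    for (i = 0; ctx->services[i] != NULL; i++) {
        if (strcasecmp(ctx->services[i], name) == 0) return 0;
    }
    /* i is now the index of the terminating NULL: the array holds i+1
     * slots and needs i+2 (existing names, the new name, the NULL). */
    copy = dup_str(name);
    if (copy == NULL) return ENOMEM;

    tmp = grow(ctx->services, (i + 2) * sizeof(char *));
    if (tmp == NULL) {
        free(copy);
        return ENOMEM;          /* ctx->services still points at the old list */
    }
    ctx->services = tmp;        /* overwrite only after success */
    ctx->services[i] = copy;
    ctx->services[i + 1] = NULL;
    return 0;
}

int main(void)
{
    const char *const configured[] = { "nss", "pam", NULL };  /* constructed input */
    struct svc_ctx ctx;
    size_t k;

    if (svc_init(&ctx, configured) != 0) return 1;
    if (ensure_service(&ctx, "dp", failing_realloc) == ENOMEM)
        printf("allocation failed, list kept: %zu entries\n", svc_count(&ctx));
    if (ensure_service(&ctx, "dp", realloc) != 0) return 1;
    for (k = 0; ctx.services[k] != NULL; k++) printf("%s\n", ctx.services[k]);
    svc_free(&ctx);
    return 0;
}
```

Assigning the result of the grow call straight to ctx->services would replace the only reference to the old array with NULL on failure, which is the case the temporary pointer avoids.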
From: sgallagh at redhat.com (Stephen Gallagher)
Date: Thu, 28 May 2009 09:07:01 -0400
Subject: [Freeipa-devel] [PATCH][SSSD] Build non-versioned libraries
Message-ID: <4A1E8C75.9040400@redhat.com>

PAM, NSS and Memberof are no longer going to be built versioned, as we
don't need them to be. (The first two must correspond to external
interfaces, and the latter is internal-only).

-- 
Stephen Gallagher
RHCE 804006346421761
Looking to carve out IT costs?
www.redhat.com/carveoutcosts/
-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: 0001-Build-non-versioned-sss_pam.so-libnss_sss.so-and-me.patch
URL:

From jhrozek at redhat.com Thu May 28 13:14:16 2009
From: jhrozek at redhat.com (Jakub Hrozek)
Date: Thu, 28 May 2009 15:14:16 +0200
Subject: [Freeipa-devel] [PATCH] Make Data Provider a mandatory service
In-Reply-To: <4A1E84AF.8080709@redhat.com>
References: <1243504295.7870.13.camel@zeppelin.englab.brq.redhat.com> <4A1E790A.7080205@redhat.com> <1243513167.7870.19.camel@zeppelin.englab.brq.redhat.com> <4A1E84AF.8080709@redhat.com>
Message-ID: <1243516456.7870.25.camel@zeppelin.englab.brq.redhat.com>

On Thu, 2009-05-28 at 08:33 -0400, Stephen Gallagher wrote:
> You're right, I wasn't paying attention. Please make one additional
> change regarding the realloc. If talloc_realloc returns NULL, you've
> leaked the original memory, since it's only freed on success. It
> should
> look something like:
>
> char **tmp_array = talloc_realloc(ctx, ctx->services, char *, i+2);
> if (tmp_array == NULL) {
>     return ENOMEM;
> }
> ctx->services = tmp_array;
>
> At least this way, the ctx->services value remains reachable.
>

You are right, done and attached. To my defense, I've seen this
potentially bad usage elsewhere in the code (i.e. confdb.c:372).

Jakub
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0001-Make-Data-Provider-a-mandatory-service.patch
Type: text/x-patch
Size: 1772 bytes
Desc: not available
URL:

From sgallagh at redhat.com Thu May 28 13:20:14 2009
From: sgallagh at redhat.com (Stephen Gallagher)
Date: Thu, 28 May 2009 09:20:14 -0400
Subject: [Freeipa-devel] [PATCH] Make Data Provider a mandatory service
In-Reply-To: <1243516456.7870.25.camel@zeppelin.englab.brq.redhat.com>
References: <1243504295.7870.13.camel@zeppelin.englab.brq.redhat.com> <4A1E790A.7080205@redhat.com> <1243513167.7870.19.camel@zeppelin.englab.brq.redhat.com> <4A1E84AF.8080709@redhat.com> <1243516456.7870.25.camel@zeppelin.englab.brq.redhat.com>
Message-ID: <4A1E8F8E.3020803@redhat.com>

On 05/28/2009 09:14 AM, Jakub Hrozek wrote:
> On Thu, 2009-05-28 at 08:33 -0400, Stephen Gallagher wrote:
>> You're right, I wasn't paying attention. Please make one additional
>> change regarding the realloc. If talloc_realloc returns NULL, you've
>> leaked the original memory, since it's only freed on success. It
>> should
>> look something like:
>>
>> char **tmp_array = talloc_realloc(ctx, ctx->services, char *, i+2);
>> if (tmp_array == NULL) {
>>     return ENOMEM;
>> }
>> ctx->services = tmp_array;
>>
>> At least this way, the ctx->services value remains reachable.
>>
>
> You are right, done and attached. To my defense, I've seen this
> potentially bad usage elsewhere in the code (i.e. confdb.c:372).
>
> Jakub

Ack

-- 
Stephen Gallagher
RHCE 804006346421761
Looking to carve out IT costs?
www.redhat.com/carveoutcosts/

From ssorce at redhat.com Thu May 28 13:57:28 2009
From: ssorce at redhat.com (Simo Sorce)
Date: Thu, 28 May 2009 13:57:28 +0000
Subject: [Freeipa-devel] [PATH] Fix warnings in crypt function on 32 bit system
Message-ID: <1243519048.7279.92.camel@localhost.localdomain>

We were doing a bad cast that was probably an error on 32bit machines.
This patch should fix it.

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0001-Use-PTR_2_INT-for-alignment-calculations.patch
Type: text/x-patch
Size: 1703 bytes
Desc: not available
URL:

From ssorce at redhat.com Thu May 28 14:01:57 2009
From: ssorce at redhat.com (Simo Sorce)
Date: Thu, 28 May 2009 10:01:57 -0400
Subject: [Freeipa-devel] [PATCH] Make Data Provider a mandatory service
In-Reply-To: <1243516456.7870.25.camel@zeppelin.englab.brq.redhat.com>
References: <1243504295.7870.13.camel@zeppelin.englab.brq.redhat.com> <4A1E790A.7080205@redhat.com> <1243513167.7870.19.camel@zeppelin.englab.brq.redhat.com> <4A1E84AF.8080709@redhat.com> <1243516456.7870.25.camel@zeppelin.englab.brq.redhat.com>
Message-ID: <1243519317.7279.94.camel@localhost.localdomain>

On Thu, 2009-05-28 at 15:14 +0200, Jakub Hrozek wrote:
> On Thu, 2009-05-28 at 08:33 -0400, Stephen Gallagher wrote:
> > You're right, I wasn't paying attention. Please make one additional
> > change regarding the realloc. If talloc_realloc returns NULL, you've
> > leaked the original memory, since it's only freed on success. It
> > should
> > look something like:
> >
> > char **tmp_array = talloc_realloc(ctx, ctx->services, char *, i+2);
> > if (tmp_array == NULL) {
> >     return ENOMEM;
> > }
> > ctx->services = tmp_array;
> >
> > At least this way, the ctx->services value remains reachable.
> >
>
> You are right, done and attached. To my defense, I've seen this
> potentially bad usage elsewhere in the code (i.e. confdb.c:372).

There is a fundamental difference in confdb.c, there we use a mem_ctx we
always free at the end of the function, so we are not leaking memory,
and we are not interested in the original value of the memory if we fail
that realloc.

So that use of talloc_realloc() is correct in that context.

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York

From sbose at redhat.com Thu May 28 15:21:14 2009
From: sbose at redhat.com (Sumit Bose)
Date: Thu, 28 May 2009 17:21:14 +0200
Subject: [Freeipa-devel] [PATH] Fix warnings in crypt function on 32 bit system
In-Reply-To: <1243519048.7279.92.camel@localhost.localdomain>
References: <1243519048.7279.92.camel@localhost.localdomain>
Message-ID: <4A1EABEA.6040808@redhat.com>

Simo Sorce wrote:
> We were doing a bad cast that was probably an error on 32bit machines.
> This patch should fix it.
>
> Simo.
>

ACK

bye,
Sumit

From sgallagh at redhat.com Thu May 28 18:12:50 2009
From: sgallagh at redhat.com (Stephen Gallagher)
Date: Thu, 28 May 2009 14:12:50 -0400
Subject: [Freeipa-devel] [PATCH][SSSD] Eliminate the "rootdse" error messages
Message-ID: <4A1ED422.6050304@redhat.com>

Suppress "rootdse" error messages.

We will trap all LDB debug messages and pipe them into our
internal DEBUG() function. LDB FATAL and ERROR messages will still
be printed by default, WARNING and TRACE functions will be at
debug level 3 and 9, respectively.

-- 
Stephen Gallagher
RHCE 804006346421761
Looking to carve out IT costs?
www.redhat.com/carveoutcosts/
-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: 0001-Suppress-rootdse-error-messages.patch
URL:

From sgallagh at redhat.com Thu May 28 18:14:42 2009
From: sgallagh at redhat.com (Stephen Gallagher)
Date: Thu, 28 May 2009 14:14:42 -0400
Subject: [Freeipa-devel] [PATCH][SSSD] Eliminate the "rootdse" error messages
In-Reply-To: <4A1ED422.6050304@redhat.com>
References: <4A1ED422.6050304@redhat.com>
Message-ID: <4A1ED492.5060804@redhat.com>

On 05/28/2009 02:12 PM, Stephen Gallagher wrote:
> Suppress "rootdse" error messages.
>
> We will trap all LDB debug messages and pipe them into our
> internal DEBUG() function. LDB FATAL and ERROR messages will still
> be printed by default, WARNING and TRACE functions will be at
> debug level 3 and 9, respectively.
>

Sorry, that patch also includes a fix for a minor bug in the
sysdb-test.c that I found while using it to test this patch.
sysdb-test.c throws a warning at debug level 2 if enumeration is not
available on the LOCAL domain.

-- 
Stephen Gallagher
RHCE 804006346421761
Looking to carve out IT costs?
www.redhat.com/carveoutcosts/

From ssorce at redhat.com Thu May 28 18:37:29 2009
From: ssorce at redhat.com (Simo Sorce)
Date: Thu, 28 May 2009 14:37:29 -0400
Subject: [Freeipa-devel] [PATCH][SSSD] Eliminate the "rootdse" error messages
In-Reply-To: <4A1ED492.5060804@redhat.com>
References: <4A1ED422.6050304@redhat.com> <4A1ED492.5060804@redhat.com>
Message-ID: <1243535849.7279.98.camel@localhost.localdomain>

On Thu, 2009-05-28 at 14:14 -0400, Stephen Gallagher wrote:
> On 05/28/2009 02:12 PM, Stephen Gallagher wrote:
> > Suppress "rootdse" error messages.
> >
> > We will trap all LDB debug messages and pipe them into our
> > internal DEBUG() function. LDB FATAL and ERROR messages will still
> > be printed by default, WARNING and TRACE functions will be at
> > debug level 3 and 9, respectively.
> >
>
> Sorry, that patch also includes a fix for a minor bug in the
> sysdb-test.c that I found while using it to test this patch.
> sysdb-test.c throws a warning at debug level 2 if enumeration is not
> available on the LOCAL domain.

Please set LDB_DEBUG_ERROR as level 1 not level 0, we want to be able to
distinguish between the 2

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York

From sgallagh at redhat.com Thu May 28 18:43:20 2009
From: sgallagh at redhat.com (Stephen Gallagher)
Date: Thu, 28 May 2009 14:43:20 -0400
Subject: [Freeipa-devel] [PATCH][SSSD] Eliminate the "rootdse" error messages
In-Reply-To: <1243535849.7279.98.camel@localhost.localdomain>
References: <4A1ED422.6050304@redhat.com> <4A1ED492.5060804@redhat.com> <1243535849.7279.98.camel@localhost.localdomain>
Message-ID: <4A1EDB48.5030600@redhat.com>

On 05/28/2009 02:37 PM, Simo Sorce wrote:
>
> Please set LDB_DEBUG_ERROR as level 1 not level 0, we want to be able to
> distinguish between the 2
>
> Simo.
>

Fixed. I also decided to break the sysdb patch out into a separate
commit, since it's not logically part of the rootdse fix.

-- 
Stephen Gallagher
RHCE 804006346421761
Looking to carve out IT costs?
www.redhat.com/carveoutcosts/
-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: 0001-Suppress-rootdse-error-messages.patch
URL:
-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: 0002-Enable-enumeration-in-sysdb-tests.patch
URL:

From ssorce at redhat.com Thu May 28 19:42:42 2009
From: ssorce at redhat.com (Simo Sorce)
Date: Thu, 28 May 2009 15:42:42 -0400
Subject: [Freeipa-devel] [PATCH] Do not fire up backend search when the data provider is local
In-Reply-To: <1243504284.7870.12.camel@zeppelin.englab.brq.redhat.com>
References: <1243255284.24078.13.camel@zeppelin.englab.brq.redhat.com> <4A1BD36F.7010308@redhat.com> <1243342477.24283.15.camel@zeppelin.englab.brq.redhat.com> <4A1E46A3.8020404@redhat.com> <1243504284.7870.12.camel@zeppelin.englab.brq.redhat.com>
Message-ID: <1243539762.7279.101.camel@localhost.localdomain>

On Thu, 2009-05-28 at 11:51 +0200, Jakub Hrozek wrote:
> On Thu, 2009-05-28 at 10:09 +0200, Sumit Bose wrote:
> > Hi Jakub,
> >
> > I'm sorry. I should have read the patch more carefully and not only
> > the
> > introduction. Now I see that you only changed the NSS calls in
> > pamsrv_cmd.c. Please resend your changes to pamsrv_cmd.c and I will
> > ACK
> > them.
> >
> > Thanks,
> > Sumit
>
> New patch attached.

ack and pushed.

-- 
Simo Sorce * Red Hat, Inc * New York

From ssorce at redhat.com Thu May 28 19:42:58 2009
From: ssorce at redhat.com (Simo Sorce)
Date: Thu, 28 May 2009 15:42:58 -0400
Subject: [Freeipa-devel] [PATCH] fix enumerations
In-Reply-To: <4A1E769C.5000004@redhat.com>
References: <1243462467.7279.85.camel@localhost.localdomain> <4A1E769C.5000004@redhat.com>
Message-ID: <1243539778.7279.102.camel@localhost.localdomain>

On Thu, 2009-05-28 at 07:33 -0400, Stephen Gallagher wrote:
>
> Ack. Good catch.

pushed

-- 
Simo Sorce * Red Hat, Inc * New York

From ssorce at redhat.com Thu May 28 19:43:13 2009
From: ssorce at redhat.com (Simo Sorce)
Date: Thu, 28 May 2009 15:43:13 -0400
Subject: [Freeipa-devel] [PATCH] gettext cleanups
In-Reply-To: <4A1E7A33.6080605@redhat.com>
References: <4A1D29E3.3040409@redhat.com> <4A1E45C0.6010807@redhat.com> <4A1E7A33.6080605@redhat.com>
Message-ID: <1243539793.7279.103.camel@localhost.localdomain>

On Thu, 2009-05-28 at 07:49 -0400, Stephen Gallagher wrote:
>
> Ack, and thanks for sorting this out.

pushed

-- 
Simo Sorce * Red Hat, Inc * New York

From ssorce at redhat.com Thu May 28 19:45:14 2009
From: ssorce at redhat.com (Simo Sorce)
Date: Thu, 28 May 2009 15:45:14 -0400
Subject: [Freeipa-devel] [PATCH] gettext cleanups
In-Reply-To: <1243539793.7279.103.camel@localhost.localdomain>
References: <4A1D29E3.3040409@redhat.com> <4A1E45C0.6010807@redhat.com> <4A1E7A33.6080605@redhat.com> <1243539793.7279.103.camel@localhost.localdomain>
Message-ID: <1243539914.7279.105.camel@localhost.localdomain>

On Thu, 2009-05-28 at 15:43 -0400, Simo Sorce wrote:
> On Thu, 2009-05-28 at 07:49 -0400, Stephen Gallagher wrote:
> >
> > Ack, and thanks for sorting this out.
>
> pushed

btw I merged once again changes to .po and .pot files as the line number
in master was different from what was specified in the patch ...

I guess this means that whoever changes pam_sss.c will have the duty to
run make dist and make sure that .po and .pot changes are part of the
patch as well...

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York

From ssorce at redhat.com Thu May 28 19:45:32 2009
From: ssorce at redhat.com (Simo Sorce)
Date: Thu, 28 May 2009 15:45:32 -0400
Subject: [Freeipa-devel] [PATCH] Make Data Provider a mandatory service
In-Reply-To: <1243516456.7870.25.camel@zeppelin.englab.brq.redhat.com>
References: <1243504295.7870.13.camel@zeppelin.englab.brq.redhat.com> <4A1E790A.7080205@redhat.com> <1243513167.7870.19.camel@zeppelin.englab.brq.redhat.com> <4A1E84AF.8080709@redhat.com> <1243516456.7870.25.camel@zeppelin.englab.brq.redhat.com>
Message-ID: <1243539932.7279.106.camel@localhost.localdomain>

On Thu, 2009-05-28 at 15:14 +0200, Jakub Hrozek wrote:
>
> You are right, done and attached. To my defense, I've seen this
> potentially bad usage elsewhere in the code (i.e. confdb.c:372).

pushed

-- 
Simo Sorce * Red Hat, Inc * New York

From ssorce at redhat.com Thu May 28 19:45:48 2009
From: ssorce at redhat.com (Simo Sorce)
Date: Thu, 28 May 2009 15:45:48 -0400
Subject: [Freeipa-devel] [PATH] Fix warnings in crypt function on 32 bit system
In-Reply-To: <4A1EABEA.6040808@redhat.com>
References: <1243519048.7279.92.camel@localhost.localdomain> <4A1EABEA.6040808@redhat.com>
Message-ID: <1243539948.7279.107.camel@localhost.localdomain>

On Thu, 2009-05-28 at 17:21 +0200, Sumit Bose wrote:
> Simo Sorce wrote:
> > We were doing a bad cast that was probably an error on 32bit
> machines.
> > This patch should fix it.
> >
> > Simo.
> >
>
> ACK

pushed

-- 
Simo Sorce * Red Hat, Inc * New York

From ssorce at redhat.com Thu May 28 19:46:15 2009
From: ssorce at redhat.com (Simo Sorce)
Date: Thu, 28 May 2009 15:46:15 -0400
Subject: [Freeipa-devel] [PATCH][SSSD] Eliminate the "rootdse" error messages
In-Reply-To: <4A1EDB48.5030600@redhat.com>
References: <4A1ED422.6050304@redhat.com> <4A1ED492.5060804@redhat.com> <1243535849.7279.98.camel@localhost.localdomain> <4A1EDB48.5030600@redhat.com>
Message-ID: <1243539975.7279.108.camel@localhost.localdomain>

On Thu, 2009-05-28 at 14:43 -0400, Stephen Gallagher wrote:
>
> Fixed. I also decided to break the sysdb patch out into a separate
> commit, since it's not logically part of the rootdse fix.

Thanks, 2 patches makes much more sense.

pushed both

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York

From ssorce at redhat.com Thu May 28 19:46:39 2009
From: ssorce at redhat.com (Simo Sorce)
Date: Thu, 28 May 2009 15:46:39 -0400
Subject: [Freeipa-devel] [PATCH][SSSD] Build non-versioned libraries
In-Reply-To: <4A1E8C75.9040400@redhat.com>
References: <4A1E8C75.9040400@redhat.com>
Message-ID: <1243539999.7279.109.camel@localhost.localdomain>

On Thu, 2009-05-28 at 09:07 -0400, Stephen Gallagher wrote:
> PAM, NSS and Memberof are no longer going to be built versioned, as we
> don't need them to be. (The first two must correspond to external
> interfaces, and the latter is internal-only).

ack and pushed

-- 
Simo Sorce * Red Hat, Inc * New York

From jhrozek at redhat.com Thu May 28 21:21:58 2009
From: jhrozek at redhat.com (Jakub Hrozek)
Date: Thu, 28 May 2009 23:21:58 +0200
Subject: [Freeipa-devel] [PATCH] Add more manpages
Message-ID: <1243545718.30689.6.camel@hendrix>

The attached patch adds manpages for the sss_* tools that don't have one
and also for the sssd daemon itself.

It would be very helpful if some native English speaker could proof-read
them to make sure they are written in actual English and not Czenglish.

Jakub
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0001-Add-more-manpages.patch
Type: application/mbox
Size: 26591 bytes
Desc: not available
URL:

From ssorce at redhat.com Fri May 29 00:29:24 2009
From: ssorce at redhat.com (Simo Sorce)
Date: Thu, 28 May 2009 20:29:24 -0400
Subject: [Freeipa-devel] [PATCHES] NSS srv/cli communication and packet validation
Message-ID: <1243556964.7279.121.camel@localhost.localdomain>

While working with the group enumeration bug I identified an annoying
segfault that was happening because we were sending bad packets.

I think I have identified the issues, then during testing I realized
that the group enumeration patch introduced a bug in the user
enumeration path ... doh!

So here are the 3 related patches.

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0001-Fix-potential-integer-oveflow.patch
Type: text/x-patch
Size: 2365 bytes
Desc: not available
URL:
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0002-Standardize-style-and-fix-potential-lenght-check.patch
Type: text/x-patch
Size: 4039 bytes
Desc: not available
URL:
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0003-Fix-user-enumeration-bug.patch
Type: text/x-patch
Size: 970 bytes
Desc: not available
URL:

From sbose at redhat.com Fri May 29 06:51:15 2009
From: sbose at redhat.com (Sumit Bose)
Date: Fri, 29 May 2009 08:51:15 +0200
Subject: [Freeipa-devel] [PATCH] gettext cleanups
In-Reply-To: <1243539914.7279.105.camel@localhost.localdomain>
References: <4A1D29E3.3040409@redhat.com> <4A1E45C0.6010807@redhat.com> <4A1E7A33.6080605@redhat.com> <1243539793.7279.103.camel@localhost.localdomain> <1243539914.7279.105.camel@localhost.localdomain>
Message-ID: <4A1F85E3.1020302@redhat.com>

Simo Sorce wrote:
> On Thu, 2009-05-28 at 15:43 -0400, Simo Sorce wrote:
>> On Thu, 2009-05-28 at 07:49 -0400, Stephen Gallagher wrote:
>>> Ack, and thanks for sorting this out.
>> pushed
>
> btw I merged once again changes to .po and .pot files as the line number
> in master was different from what was specified in the patch ...
>
> I guess this means that whoever changes pam_sss.c will have the duty to
> run make dist and make sure that .po and .pot changes are part of the
> patch as well...
>
> Simo.
>

The line numbers in the .po files can be suppressed with --no-location
which can be added to XGETTEXT_OPTIONS in Makevars. But I do not know if
it is a good or bad idea to use this.

bye,
Sumit

From sbose at redhat.com Fri May 29 10:04:27 2009
From: sbose at redhat.com (Sumit Bose)
Date: Fri, 29 May 2009 12:04:27 +0200
Subject: [Freeipa-devel] [PATCH] link sssd_be with -E
Message-ID: <4A1FB32B.8000800@redhat.com>

Hi,

I miss my debug messages :)

This patch adds -Wl,-E to the linker flags of sssd_be to restore the
state before the autotools transition.

But it might make sense to keep the backends self-contained and allow a
backend_debug_level parameter in the config file. If you prefer it that
way, please NACK this patch and I will provide a new one where this
parameter is evaluated in the backend.

bye,
Sumit

From sbose at redhat.com Fri May 29 10:20:37 2009
From: sbose at redhat.com (Sumit Bose)
Date: Fri, 29 May 2009 12:20:37 +0200
Subject: [Freeipa-devel] [PATCH] link sssd_be with -E
In-Reply-To: <4A1FB32B.8000800@redhat.com>
References: <4A1FB32B.8000800@redhat.com>
Message-ID: <4A1FB6F5.2070202@redhat.com>

now with patch attached :)

Sumit Bose wrote:
> Hi,
>
> I miss my debug messages :)
>
> This patch adds -Wl,-E to the linker flags of sssd_be to restore the
> state before the autotools transition.
>
> But it might make sense to keep the backends self-contained and allow a
> backend_debug_level parameter in the config file. If you prefer it that
> way, please NACK this patch and I will provide a new one where this
> parameter is evaluated in the backend.
>
> bye,
> Sumit
>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0001-link-sssd_be-with-E.patch
Type: text/x-patch
Size: 803 bytes
Desc: not available
URL:

From sgallagh at redhat.com Fri May 29 11:25:38 2009
From: sgallagh at redhat.com (Stephen Gallagher)
Date: Fri, 29 May 2009 07:25:38 -0400
Subject: [Freeipa-devel] [PATCH] gettext cleanups
In-Reply-To: <4A1F85E3.1020302@redhat.com>
References: <4A1D29E3.3040409@redhat.com> <4A1E45C0.6010807@redhat.com> <4A1E7A33.6080605@redhat.com> <1243539793.7279.103.camel@localhost.localdomain> <1243539914.7279.105.camel@localhost.localdomain> <4A1F85E3.1020302@redhat.com>
Message-ID: <4A1FC632.6030109@redhat.com>

On 05/29/2009 02:51 AM, Sumit Bose wrote:
> Simo Sorce wrote:
>> On Thu, 2009-05-28 at 15:43 -0400, Simo Sorce wrote:
>>> On Thu, 2009-05-28 at 07:49 -0400, Stephen Gallagher wrote:
>>>> Ack, and thanks for sorting this out.
>>> pushed
>> btw I merged once again changes to .po and .pot files as the line number
>> in master was different from what was specified in the patch ...
>>
>> I guess this means that whoever changes pam_sss.c will have the duty to
>> run make dist and make sure that .po and .pot changes are part of the
>> patch as well...
>>
>> Simo.
>>
> The line numbers in the .po files can be suppressed with --no-location
> which can be added to XGETTEXT_OPTIONS in Makevars. But I do not know if
> it is a good or bad idea to use this.
>
> bye,
> Sumit

My suggestion would be to move the actual strings into a -i18n header
(e.g. pam-i18n.h) and just use #defines in the actual code. Then we only
need to worry about updating the translations if the translation string
headers are modified.

--
Stephen Gallagher
RHCE 804006346421761

Looking to carve out IT costs?
www.redhat.com/carveoutcosts/

From sgallagh at redhat.com Fri May 29 12:04:40 2009
From: sgallagh at redhat.com (Stephen Gallagher)
Date: Fri, 29 May 2009 08:04:40 -0400
Subject: [Freeipa-devel] [PATCH] Add more manpages
In-Reply-To: <1243545718.30689.6.camel@hendrix>
References: <1243545718.30689.6.camel@hendrix>
Message-ID: <4A1FCF58.9010004@redhat.com>

On 05/28/2009 05:21 PM, Jakub Hrozek wrote:
> The attached patch adds manpages for the sss_* tools that don't have one
> and also for the sssd daemon itself.
>
> It would be very helpful if some native English speaker could proof-read
> them to make sure they are written in actual English and not Czenglish.
>
> Jakub

The manpage for sssd references sssd.conf(5), but that manpage isn't yet
available.

I've attached a patch that applies atop yours with some grammatical
corrections and a few other minor changes. I reasoned it made sense to
create a separate patch to more easily tell what changes I was proposing.

For the record, your English is better than most native speakers that I
know.

--
Stephen Gallagher
RHCE 804006346421761

Looking to carve out IT costs?
www.redhat.com/carveoutcosts/

-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: 0001-Proposed-manpage-cleanup.patch
URL:

From sgallagh at redhat.com Fri May 29 12:27:44 2009
From: sgallagh at redhat.com (Stephen Gallagher)
Date: Fri, 29 May 2009 08:27:44 -0400
Subject: [Freeipa-devel] [PATCHES] NSS srv/cli communication and packet validation
In-Reply-To: <1243556964.7279.121.camel@localhost.localdomain>
References: <1243556964.7279.121.camel@localhost.localdomain>
Message-ID: <4A1FD4C0.3030604@redhat.com>

On 05/28/2009 08:29 PM, Simo Sorce wrote:
> While working with the group enumeration bug I identified an annoying
> segfault that was happening because we were sending bad packets.
>
> I think I have identified the issues, then during testing I realized
> that the group enumeration patch introduced a bug in the user
> enumeration path ... doh!
>
> So here are the 3 related patches.
>
> Simo.

0001: Ack
0002: Ack
0003: Ack

--
Stephen Gallagher
RHCE 804006346421761

Looking to carve out IT costs?
www.redhat.com/carveoutcosts/

From jhrozek at redhat.com Fri May 29 12:34:04 2009
From: jhrozek at redhat.com (Jakub Hrozek)
Date: Fri, 29 May 2009 14:34:04 +0200
Subject: [Freeipa-devel] [PATCH] Add more manpages
In-Reply-To: <4A1FCF58.9010004@redhat.com>
References: <1243545718.30689.6.camel@hendrix> <4A1FCF58.9010004@redhat.com>
Message-ID: <1243600444.431.27.camel@zeppelin.englab.brq.redhat.com>

On Fri, 2009-05-29 at 08:04 -0400, Stephen Gallagher wrote:
> The manpage for sssd references sssd.conf(5), but that manpage isn't
> yet
> available.
>

I know, I just wanted to speed up the process by sending what I had
complete at the time.

> I've attached a patch that applies atop yours with some grammatical
> corrections and a few other minor changes. I reasoned it made sense to
> create a separate patch to more easily tell what changes I was
> proposing. For the record, your English is better than most native
> speakers that I know.

Thank you for the review, I agree with all the changes. Should I resend
with your changes squashed in or is it OK to keep both?

Jakub

From sbose at redhat.com Fri May 29 12:34:34 2009
From: sbose at redhat.com (Sumit Bose)
Date: Fri, 29 May 2009 14:34:34 +0200
Subject: [Freeipa-devel] [PATCH] move LOCAL auth into a separate backend
Message-ID: <4A1FD65A.4020908@redhat.com>

Hi,

this patch moves the authentication/PAM components for the LOCAL backend
from the responder to a separate backend. I have mostly copied the old
code to the new location and added the backend glue-code. Additionally I
have changed the logic how pam_status is handled. It is now set to
PAM_SYSTEM_ERR in the beginning and has to be changed explicitly when a
pam operation succeeds.

I would like to make sssd_be a little more flexible by allowing backends
to implement either auth or id without the necessity to add the
glue-code for the other. If this is a good idea I can write a patch.

bye,
Sumit

-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0001-move-LOCAL-auth-into-a-separate-backend.patch
Type: text/x-patch
Size: 34513 bytes
Desc: not available
URL:

From sgallagh at redhat.com Fri May 29 12:43:17 2009
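The default-deny handling of pam_status described in the message above, shown as an added C example that is not part of the original post or of the sssd patch. The request struct, command names and sample account are hypothetical, and the PAM_* values are defined locally with the numbers Linux-PAM uses. The variant that starts from PAM_SUCCESS is only a contrast case and says nothing about the earlier sssd code.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Values as in Linux-PAM's <security/_pam_types.h>, defined locally so the
 * example builds without the PAM development headers. */
#define PAM_SUCCESS    0
#define PAM_SYSTEM_ERR 4
#define PAM_AUTH_ERR   7

/* Hypothetical request type and commands for this example. */
enum demo_cmd { DEMO_AUTHENTICATE, DEMO_ACCT_MGMT, DEMO_SETCRED };

struct demo_request {
    enum demo_cmd cmd;
    const char *user;
    const char *authtok;
    int pam_status;
};

/* Constructed sample account. strcmp() on a stored secret stands in for
 * verifying a salted password hash. */
struct demo_account { const char *user; const char *secret; };
static const struct demo_account accounts[] = {
    { "alice", "correct horse battery staple" },
};

static const struct demo_account *lookup(const char *user)
{
    size_t i;

    if (user == NULL)
        return NULL;
    for (i = 0; i < sizeof(accounts) / sizeof(accounts[0]); i++) {
        if (strcmp(accounts[i].user, user) == 0)
            return &accounts[i];
    }
    return NULL;
}

/* One handler, parameterised only by the status it starts from. */
static void handle(struct demo_request *req, int initial_status)
{
    const struct demo_account *acct;

    req->pam_status = initial_status;

    acct = lookup(req->user);
    if (acct == NULL)
        return;                 /* early exit that never sets a status */

    switch (req->cmd) {
    case DEMO_AUTHENTICATE:
        if (req->authtok != NULL && strcmp(req->authtok, acct->secret) == 0)
            req->pam_status = PAM_SUCCESS;   /* explicit success: token verified */
        else
            req->pam_status = PAM_AUTH_ERR;
        break;
    case DEMO_ACCT_MGMT:
        req->pam_status = PAM_SUCCESS;       /* explicit success: account exists */
        break;
    default:
        break;                  /* command not implemented: status untouched */
    }
}

/* Status starts at PAM_SYSTEM_ERR and must be changed explicitly. */
int run_fail_closed(enum demo_cmd cmd, const char *user, const char *authtok)
{
    struct demo_request req = { cmd, user, authtok, 0 };

    handle(&req, PAM_SYSTEM_ERR);
    return req.pam_status;
}

/* Contrast case: status starts at PAM_SUCCESS. */
int run_success_default(enum demo_cmd cmd, const char *user, const char *authtok)
{
    struct demo_request req = { cmd, user, authtok, 0 };

    handle(&req, PAM_SUCCESS);
    return req.pam_status;
}

int main(void)
{
    printf("unknown user,  fail-closed:     %d\n",
           run_fail_closed(DEMO_AUTHENTICATE, "mallory", "x"));
    printf("unknown user,  success default: %d\n",
           run_success_default(DEMO_AUTHENTICATE, "mallory", "x"));
    printf("unhandled cmd, fail-closed:     %d\n",
           run_fail_closed(DEMO_SETCRED, "alice", NULL));
    printf("unhandled cmd, success default: %d\n",
           run_success_default(DEMO_SETCRED, "alice", NULL));
    return 0;
}
```

Every path that forgets to assign a status (the failed lookup, the unimplemented command) reports PAM_SYSTEM_ERR under the fail-closed default and PAM_SUCCESS under the other.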
From: sgallagh at redhat.com (Stephen Gallagher)
Date: Fri, 29 May 2009 08:43:17 -0400
Subject: [Freeipa-devel] [PATCH] Add more manpages
In-Reply-To: <1243600444.431.27.camel@zeppelin.englab.brq.redhat.com>
References: <1243545718.30689.6.camel@hendrix> <4A1FCF58.9010004@redhat.com> <1243600444.431.27.camel@zeppelin.englab.brq.redhat.com>
Message-ID: <4A1FD865.3020003@redhat.com>

On 05/29/2009 08:34 AM, Jakub Hrozek wrote:
> On Fri, 2009-05-29 at 08:04 -0400, Stephen Gallagher wrote:
>> The manpage for sssd references sssd.conf(5), but that manpage isn't
>> yet
>> available.
>>
>
> I know, I just wanted to speed up the process by sending what I had
> complete at the time.

No problem, just wanted to make sure you hadn't forgotten to include it.

>
>> I've attached a patch that applies atop yours with some grammatical
>> corrections and a few other minor changes. I reasoned it made sense to
>> create a separate patch to more easily tell what changes I was
>> proposing. For the record, your English is better than most native
>> speakers that I know.
>
> Thank you for the review, I agree with all the changes. Should I resend
> with your changes squashed in or is it OK to keep both?
>
> Jakub

Squash them together. There's no real benefit to having them separate.

--
Stephen Gallagher
RHCE 804006346421761

Looking to carve out IT costs?
www.redhat.com/carveoutcosts/

From sgallagh at redhat.com Fri May 29 12:52:33 2009
From: sgallagh at redhat.com (Stephen Gallagher)
Date: Fri, 29 May 2009 08:52:33 -0400
Subject: [Freeipa-devel] [PATCH] move LOCAL auth into a separate backend
In-Reply-To: <4A1FD65A.4020908@redhat.com>
References: <4A1FD65A.4020908@redhat.com>
Message-ID: <4A1FDA91.8010108@redhat.com>

On 05/29/2009 08:34 AM, Sumit Bose wrote:
> Hi,
>
> this patch moves the authentication/PAM components for the LOCAL backend
> from the responder to a separate backend. I have mostly copied the old
> code to the new location and added the backend glue-code. Additionally I
> have changed the logic how pam_status is handled. It is now set to
> PAM_SYSTEM_ERR in the beginning and has to be changed explicitly when a
> pam operation succeeds.
>
> I would like to make sssd_be a little more flexible by allowing backends
> to implement either auth or id without the necessity to add the
> glue-code for the other. If this is a good idea I can write a patch.

Please do. This will be useful also for the Kerberos auth backend.

> bye,
> Sumit

I'd like to see the individual back-ends stored in their own directories
(keeping the trend set by the LDAP back-end). Can you move the
LOCAL_auth backend into a "LOCAL" subdirectory?

Similarly, (though probably in a separate patch) I'd like to see the
proxy moved down a level as well.

Basically I want it to be easy and less cluttered if we decide to add
back-end-specific helper files, so everything can be kept in one place.

On to the review:
It's only in the comments, but the header for LOCAL_auth.c reads:
"PAM e credentials"
I'm not sure what you meant to write there. Maybe "Native LOCAL Backend"
would be accurate.

Other than that, I'd say it looks pretty good to me.
--
Stephen Gallagher
RHCE 804006346421761

Looking to carve out IT costs?
www.redhat.com/carveoutcosts/

From ssorce at redhat.com Fri May 29 12:52:38 2009
From: ssorce at redhat.com (Simo Sorce)
Date: Fri, 29 May 2009 08:52:38 -0400
Subject: [Freeipa-devel] [PATCHES] NSS srv/cli communication and packet validation
In-Reply-To: <4A1FD4C0.3030604@redhat.com>
References: <1243556964.7279.121.camel@localhost.localdomain> <4A1FD4C0.3030604@redhat.com>
Message-ID: <1243601558.7279.133.camel@localhost.localdomain>

On Fri, 2009-05-29 at 08:27 -0400, Stephen Gallagher wrote:
> On 05/28/2009 08:29 PM, Simo Sorce wrote:
> > While working with the group enumeration bug I identified an annoying
> > segfault that was happening because we were sending bad packets.
> >
> > I think I have identified the issues, then during testing I realized
> > that the group enumeration patch introduced a bug in the user
> > enumeration path ... doh!
> >
> > So here are the 3 related patches.
>
> 0001: Ack
> 0002: Ack
> 0003: Ack

pushed, and also added some more files to .gitignore

Simo.

--
Simo Sorce * Red Hat, Inc * New York

From sbose at redhat.com Fri May 29 13:06:09 2009
From: sbose at redhat.com (Sumit Bose)
Date: Fri, 29 May 2009 15:06:09 +0200
Subject: [Freeipa-devel] [PATCH] move LOCAL auth into a separate backend
In-Reply-To: <4A1FDA91.8010108@redhat.com>
References: <4A1FD65A.4020908@redhat.com> <4A1FDA91.8010108@redhat.com>
Message-ID: <4A1FDDC1.8030106@redhat.com>

Stephen Gallagher wrote:
>
> I'd like to see the individual back-ends stored in their own directories
> (keeping the trend set by the LDAP back-end). Can you move the
> LOCAL_auth backend into a "LOCAL" subdirectory?
>
> Similarly, (though probably in a separate patch) I'd like to see the
> proxy moved down a level as well.
>
> Basically I want it to be easy and less cluttered if we decide to add
> back-end-specific helper files, so everything can be kept in one place.
>
> On to the review:
> It's only in the comments, but the header for LOCAL_auth.c reads:
> "PAM e credentials"
> I'm not sure what you meant to write there. Maybe "Native LOCAL Backend"
> would be accurate.
>
> Other than that, I'd say it looks pretty good to me.
>

valid points, new version attached

bye,
Sumit

-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0001-move-LOCAL-auth-into-a-separate-backend.patch
Type: text/x-patch
Size: 34509 bytes
Desc: not available
URL:

From ssorce at redhat.com Fri May 29 13:08:43 2009
From: ssorce at redhat.com (Simo Sorce)
Date: Fri, 29 May 2009 09:08:43 -0400
Subject: [Freeipa-devel] [PATCH] move LOCAL auth into a separate backend
In-Reply-To: <4A1FD65A.4020908@redhat.com>
References: <4A1FD65A.4020908@redhat.com>
Message-ID: <1243602523.7279.144.camel@localhost.localdomain>

On Fri, 2009-05-29 at 14:34 +0200, Sumit Bose wrote:
> Hi,
>
> this patch moves the authentication/PAM components for the LOCAL backend
> from the responder to a separate backend. I have mostly copied the old
> code to the new location and added the backend glue-code. Additionally I
> have changed the logic how pam_status is handled. It is now set to
> PAM_SYSTEM_ERR in the beginning and has to be changed explicitly when a
> pam operation succeeds.
>
> I would like to make sssd_be a little more flexible by allowing backends
> to implement either auth or id without the necessity to add the
> glue-code for the other. If this is a good idea I can write a patch.

You don't need to add any glue code. sssd_be already opens 2 different
.so files (they may be the same file of course), and just loads either
the id part or the auth part.

The problem here (and the reason why I didn't provide this patch myself)
is that LOCAL is a special "non"-backend.

I am yet not sure I like the idea of moving LOCAL auth in a backend.
Our model is that auth backends make sense only as dependent on an id
backend. But LOCAL has no id backend in its own right because it is all
just available in the cache.

If we want to make this a complete real backend on its own then maybe we
should separate the LOCAL database and the cache database in 2 files.
Create a real LOCAL backend, and live with the fact we have duplicate
data (once in LOCAL.ldb and once in cache.ldb)

This seems a bit redundant, but it would allow someone to rm cache.ldb
without fear of losing actual accounts.
If we all agree that clear interface separation and data separation is
enough of a goal to offset some duplication then maybe this is what we
should do.

This will probably require also some work on sysdb as we will have to
account for 2 different databases.

Simo.

--
Simo Sorce * Red Hat, Inc * New York

From sgallagh at redhat.com Fri May 29 13:09:28 2009
From: sgallagh at redhat.com (Stephen Gallagher)
Date: Fri, 29 May 2009 09:09:28 -0400
Subject: [Freeipa-devel] [PATCH] move LOCAL auth into a separate backend
In-Reply-To: <4A1FDDC1.8030106@redhat.com>
References: <4A1FD65A.4020908@redhat.com> <4A1FDA91.8010108@redhat.com> <4A1FDDC1.8030106@redhat.com>
Message-ID: <4A1FDE88.1000903@redhat.com>

On 05/29/2009 09:06 AM, Sumit Bose wrote:
> Stephen Gallagher wrote:
>> I'd like to see the individual back-ends stored in their own directories
>> (keeping the trend set by the LDAP back-end). Can you move the
>> LOCAL_auth backend into a "LOCAL" subdirectory?
>>
>> Similarly, (though probably in a separate patch) I'd like to see the
>> proxy moved down a level as well.
>>
>> Basically I want it to be easy and less cluttered if we decide to add
>> back-end-specific helper files, so everything can be kept in one place.
>>
>> On to the review:
>> It's only in the comments, but the header for LOCAL_auth.c reads:
>> "PAM e credentials"
>> I'm not sure what you meant to write there. Maybe "Native LOCAL Backend"
>> would be accurate.
>>
>> Other than that, I'd say it looks pretty good to me.
>>
> valid points, new version attached
>
> bye,
> Sumit

Ack

--
Stephen Gallagher
RHCE 804006346421761

Looking to carve out IT costs?
www.redhat.com/carveoutcosts/

From ssorce at redhat.com Fri May 29 13:11:17 2009
From: ssorce at redhat.com (Simo Sorce)
Date: Fri, 29 May 2009 09:11:17 -0400
Subject: [Freeipa-devel] [PATCH] move LOCAL auth into a separate backend
In-Reply-To: <4A1FDE88.1000903@redhat.com>
References: <4A1FD65A.4020908@redhat.com> <4A1FDA91.8010108@redhat.com> <4A1FDDC1.8030106@redhat.com> <4A1FDE88.1000903@redhat.com>
Message-ID: <1243602677.7279.145.camel@localhost.localdomain>

On Fri, 2009-05-29 at 09:09 -0400, Stephen Gallagher wrote:
> On 05/29/2009 09:06 AM, Sumit Bose wrote:
> > Stephen Gallagher wrote:
> >> I'd like to see the individual back-ends stored in their own directories
> >> (keeping the trend set by the LDAP back-end). Can you move the
> >> LOCAL_auth backend into a "LOCAL" subdirectory?
> >>
> >> Similarly, (though probably in a separate patch) I'd like to see the
> >> proxy moved down a level as well.
> >>
> >> Basically I want it to be easy and less cluttered if we decide to add
> >> back-end-specific helper files, so everything can be kept in one place.
> >>
> >> On to the review:
> >> It's only in the comments, but the header for LOCAL_auth.c reads:
> >> "PAM e credentials"
> >> I'm not sure what you meant to write there. Maybe "Native LOCAL Backend"
> >> would be accurate.
> >>
> >> Other than that, I'd say it looks pretty good to me.
> >>
> > valid points, new version attached
> >
> > bye,
> > Sumit
>
> Ack

NACK, see my other email.

Simo.

--
Simo Sorce * Red Hat, Inc * New York

From jhrozek at redhat.com Fri May 29 13:15:01 2009
From: jhrozek at redhat.com (Jakub Hrozek)
Date: Fri, 29 May 2009 15:15:01 +0200
Subject: [Freeipa-devel] [PATCH] Add more manpages
In-Reply-To: <4A1FD865.3020003@redhat.com>
References: <1243545718.30689.6.camel@hendrix> <4A1FCF58.9010004@redhat.com> <1243600444.431.27.camel@zeppelin.englab.brq.redhat.com> <4A1FD865.3020003@redhat.com>
Message-ID: <1243602901.431.32.camel@zeppelin.englab.brq.redhat.com>

On Fri, 2009-05-29 at 08:43 -0400, Stephen Gallagher wrote:
> Squash them together. There's no real benefit to having them separate.

Done and attached.

Jakub

-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0001-Add-more-manpages.patch
Type: text/x-patch
Size: 27712 bytes
Desc: not available
URL:

From sgallagh at redhat.com Fri May 29 13:16:28 2009
From: sgallagh at redhat.com (Stephen Gallagher)
Date: Fri, 29 May 2009 09:16:28 -0400
Subject: [Freeipa-devel] [PATCH] Add more manpages
In-Reply-To: <1243602901.431.32.camel@zeppelin.englab.brq.redhat.com>
References: <1243545718.30689.6.camel@hendrix> <4A1FCF58.9010004@redhat.com> <1243600444.431.27.camel@zeppelin.englab.brq.redhat.com> <4A1FD865.3020003@redhat.com> <1243602901.431.32.camel@zeppelin.englab.brq.redhat.com>
Message-ID: <4A1FE02C.7070904@redhat.com>

On 05/29/2009 09:15 AM, Jakub Hrozek wrote:
> On Fri, 2009-05-29 at 08:43 -0400, Stephen Gallagher wrote:
>> Squash them together. There's no real benefit to having them separate.
>
> Done and attached.
>
> Jakub

Ack

--
Stephen Gallagher
RHCE 804006346421761

Looking to carve out IT costs?
www.redhat.com/carveoutcosts/

From sgallagh at redhat.com Fri May 29 14:19:54 2009
From: sgallagh at redhat.com (Stephen Gallagher)
Date: Fri, 29 May 2009 10:19:54 -0400
Subject: [Freeipa-devel] [PATCH] Add more manpages
In-Reply-To: <4A1FE02C.7070904@redhat.com>
References: <1243545718.30689.6.camel@hendrix> <4A1FCF58.9010004@redhat.com> <1243600444.431.27.camel@zeppelin.englab.brq.redhat.com> <4A1FD865.3020003@redhat.com> <1243602901.431.32.camel@zeppelin.englab.brq.redhat.com> <4A1FE02C.7070904@redhat.com>
Message-ID: <4A1FEF0A.3030608@redhat.com>

On 05/29/2009 09:16 AM, Stephen Gallagher wrote:
> On 05/29/2009 09:15 AM, Jakub Hrozek wrote:
>> On Fri, 2009-05-29 at 08:43 -0400, Stephen Gallagher wrote:
>>> Squash them together. There's no real benefit to having them separate.
>> Done and attached.
>>
>> Jakub
>
> Ack

I'm rescinding my ack. I reviewed that the changes had been merged, but
I just now attempted to apply this patch and git gives the following
errors:

[sgallagh at sgallagh providers (master)]$ git am /tmp/0001-Add-more-manpages.patch
Applying: Add more manpages
/home/sgallagh/workspace/sssd/.git/rebase-apply/patch:27: trailing whitespace.
dist_man_MANS = man/sss_useradd.8 man/sss_userdel.8 man/sss_usermod.8 \
/home/sgallagh/workspace/sssd/.git/rebase-apply/patch:28: trailing whitespace.
man/sss_groupadd.8 man/sss_groupdel.8 man/sss_groupmod.8 \
/home/sgallagh/workspace/sssd/.git/rebase-apply/patch:29: trailing whitespace.
man/sssd.8
fatal: git apply: bad git-diff - expected /dev/null on line 36
Patch failed at 0001 Add more manpages
When you have resolved this problem run "git am --resolved".
If you would prefer to skip this patch, instead run "git am --skip".
To restore the original branch and stop patching run "git am --abort".
--
Stephen Gallagher
RHCE 804006346421761

Looking to carve out IT costs?
www.redhat.com/carveoutcosts/

From kwade at redhat.com Fri May 29 14:39:50 2009
From: kwade at redhat.com (Karsten Wade)
Date: Fri, 29 May 2009 07:39:50 -0700
Subject: [Freeipa-devel] Self-intro: Karsten Wade
Message-ID: <20090529143950.GW4333@calliope.phig.org>

Hi:

This is my self-intro to the FreeIPA community. It's a bit long, but
I'm sure it's worth it. ;-) I've been lurking on this list and around
the fringes for some time[1], and I now have an idea of what sort of
contribution I can make. But first some background so my ideas make
sense ...

I'm Karsten Wade (quaid), some of you may know me from my work in the
Fedora Project (past Docs Team lead and Board member, currently
Fedoran-all-over-the-place). I work on Red Hat's Community
Architecture team[2], which includes former Fedora Project leaders Max
Spevack and Greg Dekoengisberg. Our team's job is to:

* Distill Red Hat's broad and deep knowledge on how to create,
  participate in, and grow open communities.

* Share that knowledge and tactics with nascent and evolving
  communities /where needed/ in a series of community consulting
  engagements.

* Help define Red Hat's global community strategy, which stretches
  beyond software to cover customer, partner, sales, and so forth.

FreeIPA is obviously rocking very hard. The work on v2 is intense;
I've been reading this list unfiltered to my inbox for months, so I
have an idea of how many patches have been flying through. ;-D The
work load and enthusiasm are impressive.

Last October I met with some of the team leaders underpinning parts of
FreeIPA (Rich Megginson, Matthew Harmson, and Dmitri Pal). This was
part of Community Architecture's goal to talk with various upstream
projects that are in earlier stages of life. As a result, I asked to
work with FreeIPA.

Red Hat is involved with a large amount of upstream work[3], and most
of these are long standing, providing the source material for our
knowledge distillation. If I can help get that clear and useful
information from one upstream to this one, that's a pretty good use of
my time.

FreeIPA is at a stage in evolution that is not uncommon in projects
where there is a large presence from one major corporate sponsor.
There is a lot of work going on in the open, but it is mainly
@redhat.com talking with @redhat.com[4]. Although many of you are
experienced open source contributors, you are naturally limited in
your ability to just grab FreeIPA by the collar and say, "You are now
a completely community run project, go!"

That has to grow in to being, and helping make that happen is what I
have to contribute:

1. Growing the participant and contributor base beyond Red Hat, at an
   appropriate rate to an appropriate size.

2. Creating or finishing the parts of the project that allow it to
   scale.

3. Measuring and demonstrating the existence and value of that growth.

Specific ideas around all that are best left for a separate email and
some wiki pages. Speaking of which ... now that I am self-intro'd,
and if you are still reading this far :), can someone give me write
access to the wiki?[5] Thanks!

Cheers - Karsten

[1] Way back when, I was Red Hat's senior tech writer leading the work
on directory and certificate system documentation; one of my few
accomplishments was deciding, defining, and kicking-off the conversion
of ~5000 pages of DS/CS documentation from FrameMaker to DocBook XML.
Yee-ha!

[2] http://fedoraproject.org/wiki/Community_Architecture

[3] http://fedoraproject.org/wiki/Red_Hat_contributions

[4] We like to say, "This is incurring the costs of proprietary,
closed source software development without any of the supposed
benefits."

[5] [[User:Quaid]] please.

--
Karsten 'quaid' Wade, Community Gardener
http://quaid.fedorapeople.org
AD0E0C41

From ssorce at redhat.com Fri May 29 15:21:28 2009
From: ssorce at redhat.com (Simo Sorce)
Date: Fri, 29 May 2009 11:21:28 -0400
Subject: [Freeipa-devel] Self-intro: Karsten Wade
In-Reply-To: <20090529143950.GW4333@calliope.phig.org>
References: <20090529143950.GW4333@calliope.phig.org>
Message-ID: <1243610488.7279.192.camel@localhost.localdomain>

On Fri, 2009-05-29 at 07:39 -0700, Karsten Wade wrote:
> Specific ideas around all that are best left for a separate email and
> some wiki pages. Speaking of which ... now that I am self-intro'd,
> and if you are still reading this far :), can someone give me write
> access to the wiki?[5] Thanks!

Thank you for your introductory email, contact me directly
(irc/email/phone) to get your account password.

Simo.

--
Simo Sorce * Red Hat, Inc * New York

From jderose at redhat.com Fri May 29 20:10:44 2009
From: jderose at redhat.com (Jason Gerard DeRose)
Date: Fri, 29 May 2009 14:10:44 -0600
Subject: [Freeipa-devel] [PATCH] jderose 010 improve epydoc generation
Message-ID: <1243627844.6269.8.camel@jgd-dsk>

This patch cleans up the ./make-doc script and starts to incorporate it
into the Makefile. In summary, it:

1. Adds a doc/api/README file

2. Cleans up ./make-doc, which now outputs the epydoc pages in doc/api

3. Adds a BuildRequires for `epydoc` and `python-docutils` to
   ipa.spec.in

4. Adds a `doc` target in the Makefile

Rob, when you have time could you incorporate this properly into the
Makefile and spec file? Or if you could walk me through the process on
IRC. ;)

-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-jderose-010-improve-epydoc-generation.patch
Type: text/x-patch
Size: 3468 bytes
Desc: not available
URL: