From jhrozek at redhat.com Wed Dec 1 12:25:23 2010 From: jhrozek at redhat.com (Jakub Hrozek) Date: Wed, 1 Dec 2010 13:25:23 +0100 Subject: [Freeipa-devel] [PATCH] Make the migration plugin more configurable In-Reply-To: <4CED898B.8000205@redhat.com> References: <20101115115657.GB19666@zeppelin.brq.redhat.com> <4CE6CD4F.3090101@redhat.com> <4CEA8953.4030507@redhat.com> <4CEA8A8B.3000901@redhat.com> <4CED2BBB.8090902@redhat.com> <4CED898B.8000205@redhat.com> Message-ID: <20101201122522.GA24690@zeppelin.brq.redhat.com> On Wed, Nov 24, 2010 at 04:54:19PM -0500, Rob Crittenden wrote: > Jakub Hrozek wrote: > >-----BEGIN PGP SIGNED MESSAGE----- > >Hash: SHA1 > > > >On 11/22/2010 04:21 PM, Jakub Hrozek wrote: > >>On 11/22/2010 04:16 PM, Jakub Hrozek wrote: > >>>The code handles it (I just ran a quick test with --schema=RFC2307bis). > >> > >>>It just iterates through all members of a group -- be it user member of > >>>group member, it's just a DN for the plugin. > >> > >>> Jakub > >> > >>Sorry, I found another bug in the plugin. I'll send a new patch shortly, > >>so please don't waste time reviewing this one. > > > >New patch is attached. It fixes two more bugs of the original plugin - > >determines whether a group member is a user or a nested group by > >checking the DN, not just the RDN attribute name and does not hardcode > >primary keys. > > Will this blow up in convert_members_rfc2307bis() if a member isn't > contained in the users and groups containers? Should there be a > failsafe to skip over things that don't match (along with > appropriate reporting)? It wouldn't blow up but add the original DN into the member attribute which is probably worse. Thanks for catching this. I modified the patch to log all migrated users and groups with info() and skip those that don't match any of the containers while logging these entries with error(). > Or if one of users or groups search bases > isn't provided? > If one of them isn't provided, a default would be used. > It definitely doesn't like this: > # ipa migrate-ds --user-container='' > --group-container='cn=groups,cn=accounts' ldap://ds.example.com:389 > > When passed the right set of options it does seem to do the right thing. > Sorry, but I don't quite understand the "--user-container=''" switch. Does it mean the users are rooted at the Base DN? Can you post the error or relevant log info? Please note that the default objectclass is person. -------------- next part -------------- >From 1b0f43c4449bd26ffe6c57a594f3eaf367cda2c4 Mon Sep 17 00:00:00 2001 From: Jakub Hrozek Date: Tue, 26 Oct 2010 16:10:42 -0400 Subject: [PATCH] Make the migration plugin more configurable This patch adds new options to the migration plugin: * the option to fine-tune the objectclass of users or groups being imported * the option to select the LDAP schema (RFC2307 or RFC2307bis) Also makes the logic that decides whether an entry is a nested group or user (for RFC2307bis) smarter by looking at the DNS. Does not hardcode primary keys for migrated entries. https://fedorahosted.org/freeipa/ticket/429 --- ipalib/plugins/migration.py | 136 ++++++++++++++++++++++++++++++++++--------- 1 files changed, 108 insertions(+), 28 deletions(-) diff --git a/ipalib/plugins/migration.py b/ipalib/plugins/migration.py index 6dc9934..213c0ee 100644 --- a/ipalib/plugins/migration.py +++ b/ipalib/plugins/migration.py @@ -26,9 +26,10 @@ Example: Migrate users and groups from DS to IPA import logging import re +import ldap as _ldap from ipalib import api, errors, output -from ipalib import Command, List, Password, Str, Flag +from ipalib import Command, List, Password, Str, Flag, StrEnum from ipalib.cli import to_cli if api.env.in_server and api.env.context in ['lite', 'server']: try: @@ -44,8 +45,10 @@ from ipalib.text import Gettext # FIXME: remove once the other Gettext FIXME is _krb_err_msg = _('Kerberos principal %s already exists. Use \'ipa user-mod\' to set it manually.') _grp_err_msg = _('Failed to add user to the default group. Use \'ipa group-add-member\' to add manually.') +_supported_schemas = (u'RFC2307bis', u'RFC2307') -def _pre_migrate_user(ldap, pkey, dn, entry_attrs, failed, config, ctx): + +def _pre_migrate_user(ldap, pkey, dn, entry_attrs, failed, config, ctx, **kwargs): # get default primary group for new users if 'def_group_dn' not in ctx: def_group = config.get('ipadefaultprimarygroup') @@ -90,37 +93,80 @@ def _post_migrate_user(ldap, pkey, dn, entry_attrs, failed, config, ctx): # GROUP MIGRATION CALLBACKS AND VARS -def _pre_migrate_group(ldap, pkey, dn, entry_attrs, failed, config, ctx): - def convert_members(member_attr, overwrite=False): +def _pre_migrate_group(ldap, pkey, dn, entry_attrs, failed, config, ctx, **kwargs): + def convert_members_rfc2307bis(member_attr, search_bases, overwrite=False): """ Convert DNs in member attributes to work in IPA. """ new_members = [] entry_attrs.setdefault(member_attr, []) for m in entry_attrs[member_attr]: - col = m.find(',') - if col == -1: + try: + # what str2dn returns looks like [[('cn', 'foo', 4)], [('dc', 'example', 1)], [('dc', 'com', 1)]] + rdn = _ldap.dn.str2dn(m ,flags=_ldap.DN_FORMAT_LDAPV3)[0] + rdnval = rdn[0][1] + except IndexError: + api.log.error('Malformed DN %s has no RDN?' % m) + continue + + if m.lower().endswith(search_bases['user']): + api.log.info('migrating user %s' % m) + m = '%s=%s,%s' % (api.Object.user.primary_key.name, + rdnval, + api.env.container_user) + elif m.lower().endswith(search_bases['group']): + api.log.info('migrating group %s' % m) + m = '%s=%s,%s' % (api.Object.group.primary_key.name, + rdnval, + api.env.container_group) + else: + api.log.error('entry %s does not belong into any known container' % m) continue - if m.startswith('uid'): - m = '%s,%s' % (m[0:col], api.env.container_user) - elif m.startswith('cn'): - m = '%s,%s' % (m[0:col], api.env.container_group) + m = ldap.normalize_dn(m) new_members.append(m) + del entry_attrs[member_attr] if overwrite: entry_attrs['member'] = [] entry_attrs['member'] += new_members + def convert_members_rfc2307(member_attr): + """ + Convert usernames in member attributes to work in IPA. + """ + new_members = [] + entry_attrs.setdefault(member_attr, []) + for m in entry_attrs[member_attr]: + memberdn = '%s=%s,%s' % (api.Object.user.primary_key.name, + m, + api.env.container_user) + new_members.append(ldap.normalize_dn(memberdn)) + entry_attrs['member'] = new_members + + schema = kwargs.get('schema', None) entry_attrs['ipauniqueid'] = 'autogenerate' - convert_members('member', overwrite=True) - convert_members('uniquemember') + if schema == 'RFC2307bis': + search_bases = kwargs.get('search_bases', None) + if not search_bases: + raise ValueError('Search bases not specified') + + convert_members_rfc2307bis('member', search_bases, overwrite=True) + convert_members_rfc2307bis('uniquemember', search_bases) + elif schema == 'RFC2307': + convert_members_rfc2307('memberuid') + else: + raise ValueError('Schema %s not supported' % schema) return dn # DS MIGRATION PLUGIN +def construct_filter(template, oc_list): + oc_subfilter = ''.join([ '(objectclass=%s)' % oc for oc in oc_list]) + return template % oc_subfilter + def validate_ldapuri(ugettext, ldapuri): m = re.match('^ldaps?://[-\w\.]+(:\d+)?$', ldapuri) if not m: @@ -152,14 +198,18 @@ class migrate_ds(Command): # # If pre_callback return value evaluates to False, migration # of the current object is aborted. - 'user': ( - '(&(objectClass=person)(uid=*))', - _pre_migrate_user, _post_migrate_user - ), - 'group': ( - '(&(|(objectClass=groupOfUniqueNames)(objectClass=groupOfNames))(cn=*))', - _pre_migrate_group, None - ), + 'user': { + 'filter_template' : '(&(|%s)(uid=*))', + 'oc_option' : 'userobjectclass', + 'pre_callback' : _pre_migrate_user, + 'post_callback' : _post_migrate_user + }, + 'group': { + 'filter_template' : '(&(|%s)(cn=*))', + 'oc_option' : 'groupobjectclass', + 'pre_callback' : _pre_migrate_group, + 'post_callback' : None + }, } migrate_order = ('user', 'group') @@ -196,6 +246,28 @@ class migrate_ds(Command): default=u'ou=groups', autofill=True, ), + List('userobjectclass?', + cli_name='user_objectclass', + label=_('User object class'), + doc=_('Comma-separated list of objectclasses used to search for user entries in DS'), + default=(u'person',), + autofill=True, + ), + List('groupobjectclass?', + cli_name='group_objectclass', + label=_('Group object class'), + doc=_('Comma-separated list of objectclasses used to search for group entries in DS'), + default=(u'groupOfUniqueNames', u'groupOfNames'), + autofill=True, + ), + StrEnum('schema?', + cli_name='schema', + label=_('LDAP schema'), + doc=_('The schema used on the LDAP server. Supported values are RFC2307 and RFC2307bis. The default is RFC2307bis'), + values=_supported_schemas, + default=_supported_schemas[0], + autofill=True, + ), Flag('continue?', doc=_('Continous operation mode. Errors are reported but the process continues'), default=False, @@ -267,19 +339,26 @@ can use their Kerberos accounts.''') else: options[p.name] = tuple() + def _get_search_bases(self, options, ds_base_dn, migrate_order): + search_bases = dict() + for ldap_obj_name in migrate_order: + search_bases[ldap_obj_name] = '%s,%s' % ( + options['%scontainer' % to_cli(ldap_obj_name)], ds_base_dn + ) + return search_bases + def migrate(self, ldap, config, ds_ldap, ds_base_dn, options): """ Migrate objects from DS to LDAP. """ migrated = {} # {'OBJ': ['PKEY1', 'PKEY2', ...], ...} failed = {} # {'OBJ': {'PKEY1': 'Failed 'cos blabla', ...}, ...} + search_bases = self._get_search_bases(options, ds_base_dn, self.migrate_order) for ldap_obj_name in self.migrate_order: ldap_obj = self.api.Object[ldap_obj_name] - search_filter = self.migrate_objects[ldap_obj_name][0] - search_base = '%s,%s' % ( - options['%scontainer' % to_cli(ldap_obj_name)], ds_base_dn - ) + search_filter = construct_filter(self.migrate_objects[ldap_obj_name]['filter_template'], + options[to_cli(self.migrate_objects[ldap_obj_name]['oc_option'])]) exclude = options['exclude_%ss' % to_cli(ldap_obj_name)] context = {} @@ -289,7 +368,7 @@ can use their Kerberos accounts.''') # FIXME: with limits set, we get a strange 'Success' exception try: (entries, truncated) = ds_ldap.find_entries( - search_filter, ['*'], search_base, ds_ldap.SCOPE_ONELEVEL#, + search_filter, ['*'], search_bases[ldap_obj_name], ds_ldap.SCOPE_ONELEVEL#, #time_limit=0, size_limit=0 ) except errors.NotFound: @@ -319,11 +398,12 @@ can use their Kerberos accounts.''') ) ) - callback = self.migrate_objects[ldap_obj_name][1] + callback = self.migrate_objects[ldap_obj_name]['pre_callback'] if callable(callback): dn = callback( ldap, pkey, dn, entry_attrs, failed[ldap_obj_name], - config, context + config, context, schema = options['schema'], + search_bases = search_bases ) if not dn: continue @@ -335,7 +415,7 @@ can use their Kerberos accounts.''') else: migrated[ldap_obj_name].append(pkey) - callback = self.migrate_objects[ldap_obj_name][2] + callback = self.migrate_objects[ldap_obj_name]['post_callback'] if callable(callback): callback( ldap, pkey, dn, entry_attrs, failed[ldap_obj_name], -- 1.7.3.2 From jhrozek at redhat.com Wed Dec 1 12:34:30 2010 From: jhrozek at redhat.com (Jakub Hrozek) Date: Wed, 1 Dec 2010 13:34:30 +0100 Subject: [Freeipa-devel] [PATCH] 621 drop install/tools/README In-Reply-To: <4CF54A28.9060101@redhat.com> References: <4CF54A28.9060101@redhat.com> Message-ID: <20101201123429.GA25239@zeppelin.brq.redhat.com> On Tue, Nov 30, 2010 at 02:02:00PM -0500, Rob Crittenden wrote: > The README in install/tools is really for v1 and contains almost > nothing useful for v2 so I'm proposing to drop it altogether. > > I'm also adding a link to the QuickStart guide on the trac wiki. The > guide itself needs a lot of work but its a start. > > rob Ack From rcritten at redhat.com Wed Dec 1 18:24:08 2010 From: rcritten at redhat.com (Rob Crittenden) Date: Wed, 01 Dec 2010 13:24:08 -0500 Subject: [Freeipa-devel] [PATCH] 612 re-implimit permissions In-Reply-To: <20101124093614.2e8efd30@willson.li.ssimo.org> References: <4CE5F907.1030607@redhat.com> <20101124093614.2e8efd30@willson.li.ssimo.org> Message-ID: <4CF692C8.2080709@redhat.com> Simo Sorce wrote: > On Thu, 18 Nov 2010 23:11:51 -0500 > Rob Crittenden wrote: > >> Re-implement access control using an updated model. >> >> The new model is based on permissions, privileges and roles. Most >> importantly it corrects the reverse membership that caused problems >> in the previous implementation. You add permission to privileges and >> privileges to roles, not the other way around (even though it works >> that way behind the scenes). >> >> A permission object is a combination of a simple group and an aci. >> The linkage between the aci and the permission is the description of >> the permission. This shows as the name/description of the aci. >> >> ldap:///self and groups granting groups (v1-style) are not supported >> by this model (it will be provided separately). >> >> ticket 445 >> >> WARNING. The patch is humongous and changes a whole slew of stuff. It >> patches cleanly against the master right now but it is quite delicate >> so the sooner this is reviewed (without pushing anything else) the >> better. >> >> The self-tests all pass for me as well as some spot checking. >> >> Also note that I currently define a single role and it has no >> privileges. We will need to fill that in soon. > > > Sorry Rob, but before I can ACK a change of this proportion in the > Security model I want a wiki page with the model explained clearly and > in detail. > > I am vetoing this patch until we have that. > > Note, I am *not* saying the patch is wrong, only that reviewing it w/o > a reference model is basically impossible and it touches sensitive > security stuff so I can't just let it pass hoping we got everything > right. > > Simo. > As requested, here are my notes on the design: http://freeipa.org/page/Permissions I re-based the patch. To test this, try the following. It sets up the helpdesk role to be able to do user administration. It then creates a new user and adds them that role. Finally become that user and try to add a new user, it should be successful. $ kinit admin $ ipa user-add --first=tim --last=user tuser1 --password $ ipa user-add --first=jed --last=butler jbutler FAIL $ ipa role-add-member --users=tuser1 helpdesk $ ipa role-add-privilege --privileges=useradmin helpdesk $ kinit tuser1 $ ipa user-add --first=jed --last=butler jbutler SUCCESS You might also want to play around with the permissions and privileges, you can find out what is available with: $ ipa permission-find $ ipa privilege-find rob -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-rcrit-612-2-permission.patch Type: text/x-patch Size: 221077 bytes Desc: not available URL: From edewata at redhat.com Wed Dec 1 20:25:56 2010 From: edewata at redhat.com (Endi Sukma Dewata) Date: Wed, 01 Dec 2010 14:25:56 -0600 Subject: [Freeipa-devel] [PATCH] admiyo-0105-action-panel-sibling In-Reply-To: <4CF57D25.1000306@redhat.com> References: <4CF57D25.1000306@redhat.com> Message-ID: <4CF6AF54.6080401@redhat.com> On 11/30/2010 4:39 PM, Adam Young wrote: > A note on this patch: I changed the labels on a couple of the entities > for consitancy sake, including: > > Added 'HBAC' to the label for HBAC services > Capitalized SUDO > Removed the word Rule from the SUDO label > > Not sure if these will have any effect on the CLI. I suspect not, and > that the QW team isn't writing tests for SUDO yet that makes use of the > Label field. ACK and pushed to master. -- Endi S. Dewata From rcritten at redhat.com Wed Dec 1 21:01:46 2010 From: rcritten at redhat.com (Rob Crittenden) Date: Wed, 01 Dec 2010 16:01:46 -0500 Subject: [Freeipa-devel] [PATCH] 612 re-implimit permissions In-Reply-To: <20101124093614.2e8efd30@willson.li.ssimo.org> References: <4CE5F907.1030607@redhat.com> <20101124093614.2e8efd30@willson.li.ssimo.org> Message-ID: <4CF6B7BA.10906@redhat.com> Simo Sorce wrote: > On Thu, 18 Nov 2010 23:11:51 -0500 > Rob Crittenden wrote: > >> Re-implement access control using an updated model. >> >> The new model is based on permissions, privileges and roles. Most >> importantly it corrects the reverse membership that caused problems >> in the previous implementation. You add permission to privileges and >> privileges to roles, not the other way around (even though it works >> that way behind the scenes). >> >> A permission object is a combination of a simple group and an aci. >> The linkage between the aci and the permission is the description of >> the permission. This shows as the name/description of the aci. >> >> ldap:///self and groups granting groups (v1-style) are not supported >> by this model (it will be provided separately). >> >> ticket 445 >> >> WARNING. The patch is humongous and changes a whole slew of stuff. It >> patches cleanly against the master right now but it is quite delicate >> so the sooner this is reviewed (without pushing anything else) the >> better. >> >> The self-tests all pass for me as well as some spot checking. >> >> Also note that I currently define a single role and it has no >> privileges. We will need to fill that in soon. > > > Sorry Rob, but before I can ACK a change of this proportion in the > Security model I want a wiki page with the model explained clearly and > in detail. > > I am vetoing this patch until we have that. > > Note, I am *not* saying the patch is wrong, only that reviewing it w/o > a reference model is basically impossible and it touches sensitive > security stuff so I can't just let it pass hoping we got everything > right. > > Simo. > Adam found a bug when installing the DNS server. Updated patch attached. rob -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-rcrit-612-3-permission.patch Type: text/x-patch Size: 221822 bytes Desc: not available URL: From ayoung at redhat.com Wed Dec 1 22:07:27 2010 From: ayoung at redhat.com (Adam Young) Date: Wed, 01 Dec 2010 17:07:27 -0500 Subject: [Freeipa-devel] [PATCH] 612 re-implimit permissions In-Reply-To: <4CF6B7BA.10906@redhat.com> References: <4CE5F907.1030607@redhat.com> <20101124093614.2e8efd30@willson.li.ssimo.org> <4CF6B7BA.10906@redhat.com> Message-ID: <4CF6C71F.3060306@redhat.com> The attached patch is required on top of the changes, as the admin user no longer has any rolegroup, and thus would see the self service api. It should be pushed with this patch. On 12/01/2010 04:01 PM, Rob Crittenden wrote: > Simo Sorce wrote: >> On Thu, 18 Nov 2010 23:11:51 -0500 >> Rob Crittenden wrote: >> >>> Re-implement access control using an updated model. >>> >>> The new model is based on permissions, privileges and roles. Most >>> importantly it corrects the reverse membership that caused problems >>> in the previous implementation. You add permission to privileges and >>> privileges to roles, not the other way around (even though it works >>> that way behind the scenes). >>> >>> A permission object is a combination of a simple group and an aci. >>> The linkage between the aci and the permission is the description of >>> the permission. This shows as the name/description of the aci. >>> >>> ldap:///self and groups granting groups (v1-style) are not supported >>> by this model (it will be provided separately). >>> >>> ticket 445 >>> >>> WARNING. The patch is humongous and changes a whole slew of stuff. It >>> patches cleanly against the master right now but it is quite delicate >>> so the sooner this is reviewed (without pushing anything else) the >>> better. >>> >>> The self-tests all pass for me as well as some spot checking. >>> >>> Also note that I currently define a single role and it has no >>> privileges. We will need to fill that in soon. >> >> >> Sorry Rob, but before I can ACK a change of this proportion in the >> Security model I want a wiki page with the model explained clearly and >> in detail. >> >> I am vetoing this patch until we have that. >> >> Note, I am *not* saying the patch is wrong, only that reviewing it w/o >> a reference model is basically impossible and it touches sensitive >> security stuff so I can't just let it pass hoping we got everything >> right. >> >> Simo. >> > > Adam found a bug when installing the DNS server. Updated patch attached. > > rob > > > _______________________________________________ > Freeipa-devel mailing list > Freeipa-devel at redhat.com > https://www.redhat.com/mailman/listinfo/freeipa-devel -------------- next part -------------- An HTML attachment was scrubbed... URL: -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-admiyo-0107-admin-determination.patch Type: text/x-patch Size: 1552 bytes Desc: not available URL: From ayoung at redhat.com Wed Dec 1 22:45:34 2010 From: ayoung at redhat.com (Adam Young) Date: Wed, 01 Dec 2010 17:45:34 -0500 Subject: [Freeipa-devel] [PATCH] 612 re-implimit permissions In-Reply-To: <4CF6C71F.3060306@redhat.com> References: <4CE5F907.1030607@redhat.com> <20101124093614.2e8efd30@willson.li.ssimo.org> <4CF6B7BA.10906@redhat.com> <4CF6C71F.3060306@redhat.com> Message-ID: <4CF6D00E.60500@redhat.com> On 12/01/2010 05:07 PM, Adam Young wrote: > The attached patch is required on top of the changes, as the admin > user no longer has any rolegroup, and thus would see the self service > api. It should be pushed with this patch. posted the wrong version. THis one checks for presence of the group admins. > > > > On 12/01/2010 04:01 PM, Rob Crittenden wrote: >> Simo Sorce wrote: >>> On Thu, 18 Nov 2010 23:11:51 -0500 >>> Rob Crittenden wrote: >>> >>>> Re-implement access control using an updated model. >>>> >>>> The new model is based on permissions, privileges and roles. Most >>>> importantly it corrects the reverse membership that caused problems >>>> in the previous implementation. You add permission to privileges and >>>> privileges to roles, not the other way around (even though it works >>>> that way behind the scenes). >>>> >>>> A permission object is a combination of a simple group and an aci. >>>> The linkage between the aci and the permission is the description of >>>> the permission. This shows as the name/description of the aci. >>>> >>>> ldap:///self and groups granting groups (v1-style) are not supported >>>> by this model (it will be provided separately). >>>> >>>> ticket 445 >>>> >>>> WARNING. The patch is humongous and changes a whole slew of stuff. It >>>> patches cleanly against the master right now but it is quite delicate >>>> so the sooner this is reviewed (without pushing anything else) the >>>> better. >>>> >>>> The self-tests all pass for me as well as some spot checking. >>>> >>>> Also note that I currently define a single role and it has no >>>> privileges. We will need to fill that in soon. >>> >>> >>> Sorry Rob, but before I can ACK a change of this proportion in the >>> Security model I want a wiki page with the model explained clearly and >>> in detail. >>> >>> I am vetoing this patch until we have that. >>> >>> Note, I am *not* saying the patch is wrong, only that reviewing it w/o >>> a reference model is basically impossible and it touches sensitive >>> security stuff so I can't just let it pass hoping we got everything >>> right. >>> >>> Simo. >>> >> >> Adam found a bug when installing the DNS server. Updated patch attached. >> >> rob >> >> >> _______________________________________________ >> Freeipa-devel mailing list >> Freeipa-devel at redhat.com >> https://www.redhat.com/mailman/listinfo/freeipa-devel > > > _______________________________________________ > Freeipa-devel mailing list > Freeipa-devel at redhat.com > https://www.redhat.com/mailman/listinfo/freeipa-devel -------------- next part -------------- An HTML attachment was scrubbed... URL: -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-admiyo-0107-2-admin-determination.patch Type: text/x-patch Size: 1594 bytes Desc: not available URL: From rcritten at redhat.com Wed Dec 1 22:51:04 2010 From: rcritten at redhat.com (Rob Crittenden) Date: Wed, 01 Dec 2010 17:51:04 -0500 Subject: [Freeipa-devel] [PATCH] 612 re-implimit permissions In-Reply-To: <4CF6D00E.60500@redhat.com> References: <4CE5F907.1030607@redhat.com> <20101124093614.2e8efd30@willson.li.ssimo.org> <4CF6B7BA.10906@redhat.com> <4CF6C71F.3060306@redhat.com> <4CF6D00E.60500@redhat.com> Message-ID: <4CF6D158.90308@redhat.com> Adam Young wrote: > On 12/01/2010 05:07 PM, Adam Young wrote: >> The attached patch is required on top of the changes, as the admin >> user no longer has any rolegroup, and thus would see the self service >> api. It should be pushed with this patch. > posted the wrong version. THis one checks for presence of the group admins. Ack rob From rcritten at redhat.com Wed Dec 1 22:53:37 2010 From: rcritten at redhat.com (Rob Crittenden) Date: Wed, 01 Dec 2010 17:53:37 -0500 Subject: [Freeipa-devel] [PATCH] 624 clear up config-show --all Message-ID: <4CF6D1F1.1000707@redhat.com> There were some missing labels in config-show --all, I've added them. I also moved the aci one level higher so it doesn't show (it was confusing). I've made the cert subject base read-only. This isn't something trivially changed. I'm leaving cn without a label, there isn't anything clever to add for it. rob -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-rcrit-624-config.patch Type: text/x-patch Size: 3648 bytes Desc: not available URL: From davido at redhat.com Thu Dec 2 00:48:23 2010 From: davido at redhat.com (David O'Brien) Date: Thu, 02 Dec 2010 10:48:23 +1000 Subject: [Freeipa-devel] [PATCH] 619 more aci target docs In-Reply-To: <4CED6D5F.3050507@redhat.com> References: <4CED6D5F.3050507@redhat.com> Message-ID: <4CF6ECD7.1080600@redhat.com> Rob Crittenden wrote: > I added some more documentation and examples to the aci plugin on targets. > > ticket 310 > > rob > NACK Running behind with reviews, sorry. Just a few minor fixes: s/targetted/targeted/ s/"This is primarily meant to be able to allow users to add/remove members of a specific group only."/"This is primarily designed to enable users to add or remove members of a specific group." (I _think_ I understood that ok, and didn't change the meaning. Further, if this target is only designed for this purpose, you don't need "primarily". If it does something else, what is it?) I couldn't grok 100% the "subtree" target description. s/"... the ACI is allowed to do, they are one or more of:"/"... the ACI is allowed to do, and are one or more of:" For consistency's sake, s/lets/allows/ etc. Also see below: allows members of the "addusers" taskgroup lets members of the editors... group? lets members of the admin group You might need to review the examples a bit. cheers -- David O'Brien Red Hat Asia Pacific Pty Ltd +61 7 3514 8189 "He who asks is a fool for five minutes, but he who does not ask remains a fool forever." ~ Chinese proverb From ayoung at redhat.com Thu Dec 2 01:23:18 2010 From: ayoung at redhat.com (Adam Young) Date: Wed, 01 Dec 2010 20:23:18 -0500 Subject: [Freeipa-devel] [PATCH] 612 re-implimit permissions In-Reply-To: <4CF6D158.90308@redhat.com> References: <4CE5F907.1030607@redhat.com> <20101124093614.2e8efd30@willson.li.ssimo.org> <4CF6B7BA.10906@redhat.com> <4CF6C71F.3060306@redhat.com> <4CF6D00E.60500@redhat.com> <4CF6D158.90308@redhat.com> Message-ID: <4CF6F506.9030201@redhat.com> On 12/01/2010 05:51 PM, Rob Crittenden wrote: > Adam Young wrote: >> On 12/01/2010 05:07 PM, Adam Young wrote: >>> The attached patch is required on top of the changes, as the admin >>> user no longer has any rolegroup, and thus would see the self service >>> api. It should be pushed with this patch. >> posted the wrong version. THis one checks for presence of the group >> admins. > > Ack > > rob Pushed to master. realized that this can be pushed as is. From ssorce at redhat.com Thu Dec 2 01:56:23 2010 From: ssorce at redhat.com (Simo Sorce) Date: Wed, 1 Dec 2010 20:56:23 -0500 Subject: [Freeipa-devel] [PATCH] 612 re-implimit permissions In-Reply-To: <4CF6B7BA.10906@redhat.com> References: <4CE5F907.1030607@redhat.com> <20101124093614.2e8efd30@willson.li.ssimo.org> <4CF6B7BA.10906@redhat.com> Message-ID: <20101201205623.128cd1e8@willson.li.ssimo.org> On Wed, 01 Dec 2010 16:01:46 -0500 Rob Crittenden wrote: > Simo Sorce wrote: > > On Thu, 18 Nov 2010 23:11:51 -0500 > > Rob Crittenden wrote: > > > >> Re-implement access control using an updated model. > >> > >> The new model is based on permissions, privileges and roles. Most > >> importantly it corrects the reverse membership that caused problems > >> in the previous implementation. You add permission to privileges > >> and privileges to roles, not the other way around (even though it > >> works that way behind the scenes). > >> > >> A permission object is a combination of a simple group and an aci. > >> The linkage between the aci and the permission is the description > >> of the permission. This shows as the name/description of the aci. > >> > >> ldap:///self and groups granting groups (v1-style) are not > >> supported by this model (it will be provided separately). > >> > >> ticket 445 > >> > >> WARNING. The patch is humongous and changes a whole slew of stuff. > >> It patches cleanly against the master right now but it is quite > >> delicate so the sooner this is reviewed (without pushing anything > >> else) the better. > >> > >> The self-tests all pass for me as well as some spot checking. > >> > >> Also note that I currently define a single role and it has no > >> privileges. We will need to fill that in soon. > > > > > > Sorry Rob, but before I can ACK a change of this proportion in the > > Security model I want a wiki page with the model explained clearly > > and in detail. > > > > I am vetoing this patch until we have that. > > > > Note, I am *not* saying the patch is wrong, only that reviewing it > > w/o a reference model is basically impossible and it touches > > sensitive security stuff so I can't just let it pass hoping we got > > everything right. > > > > Simo. > > > > Adam found a bug when installing the DNS server. Updated patch > attached. Ack and pushed to master. I noticed a small glitch in the output of ipa role-add-privilege, it doesn't show the privilege just added, just the members. I think this can be addressed separately. Simo. -- Simo Sorce * Red Hat, Inc * New York From edewata at redhat.com Thu Dec 2 01:56:29 2010 From: edewata at redhat.com (Endi Sukma Dewata) Date: Wed, 01 Dec 2010 19:56:29 -0600 Subject: [Freeipa-devel] [PATCH] Multicolumn enrollment dialog Message-ID: <4CF6FCCD.905@redhat.com> Hi, Please review the attached patch. Thanks! https://fedorahosted.org/reviewboard/r/112/ The enrollment dialog has been modified to use scrollable tables that supports multiple columns to display the search results and selected entries. The columns are specified by calling create_adder_column() on the association facet. By default the tables will use only one column which is to display the primary keys. The following enrollment dialogs have been modified to use multiple columns: - Group's member_user - Service's managedby_host - HBAC Service Group's member_hbacsvc - SUDO Command Group's member_sudocmd The ipa_association_table_widget's add() and remove() have been moved into ipa_association_facet so they can be customized by facet's subclass. The ipa_table's add_row() has been renamed to add_record(). Some old code has been removed from ipa_facet_create_action_panel(). The code was used to generate association links from a single facet. It's no longer needed because now each association has its own facet. The test data has been updated. The IPA.nested_tabs() has been fixed to return the entity itself if IPA.tab_set is not defined. This is needed to pass unit test. -- Endi S. Dewata -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-edewata-0042-Multicolumn-enrollment-dialog.patch Type: text/x-patch Size: 34984 bytes Desc: not available URL: From ayoung at redhat.com Thu Dec 2 02:37:10 2010 From: ayoung at redhat.com (Adam Young) Date: Wed, 01 Dec 2010 21:37:10 -0500 Subject: [Freeipa-devel] [PATCH] Add new version of DNS plugin: complete rework with baseldap + unit tests. In-Reply-To: <4CED674E.30703@redhat.com> References: <4CEBD19D.9050707@redhat.com> <4CEC77D4.8030208@redhat.com> <4CECD0C8.3030009@redhat.com> <4CED2D94.9020506@redhat.com> <4CED674E.30703@redhat.com> Message-ID: <4CF70656.40701@redhat.com> On 11/24/2010 02:28 PM, Pavel Z?na wrote: > On 2010-11-24 16:21, Adam Young wrote: >> On 11/24/2010 03:46 AM, Pavel Zuna wrote: >>> On 11/24/2010 03:26 AM, Adam Young wrote: >>>> On 11/23/2010 09:37 AM, Pavel Zuna wrote: >>>>> Finally managed to rewrite the DNS plugin again. Sorry, it took so >>>>> long, we had training in the office and I also had a nasty bug in >>>>> baseldap.py I couldn't find. >>>>> >>>>> Anyway, this version has it all: >>>>> - changes we agreed on meeting, the "resource" abstraction is gone >>>>> and >>>>> we now only have zones and records = adding new record automatically >>>>> updates and existing entry or creates it if it wasn't there and >>>>> deleting the last record deletes the whole entry - all of it >>>>> transparent to the user >>>>> - unit tests >>>>> - ipa help documentation >>>>> >>>>> Fixes tickets: >>>>> #36 >>>>> #450 >>>>> >>>>> I also closed bug #654412. >>>>> >>>>> It has a new patch sequence number, because it depends on another >>>>> patch with a higher number and didn't want to create forward >>>>> dependencies. >>>>> >>>>> Depends on my patches number: >>>>> 35 (will repost if needed) >>>>> 38 (posted a while ago on freeipa-devel) >>>>> >>>>> Pavel >>>>> >>>>> >>>>> _______________________________________________ >>>>> Freeipa-devel mailing list >>>>> Freeipa-devel at redhat.com >>>>> https://www.redhat.com/mailman/listinfo/freeipa-devel >>>> >>>> I keep getting an error when doing simple things like install and ipa >>>> help: >>>> [ayoung at ipa freeipa]$ ./ipa help dns2 >>>> ipa: ERROR: AttributeError: cannot override NameSpace.idnsname value >>>> Str('idnsname', cli_name='name', doc=Gettext('Zone name (FQDN)', >>>> domain='ipa', localedir=None), label=Gettext('Zone name', >>>> domain='ipa', >>>> localedir=None), multivalue=False, normalizer=, >>>> primary_key=True, query=True, required=True) with Str('idnsname', >>>> attribute=True, cli_name='name', doc=Gettext('Record name', >>>> domain='ipa', localedir=None), label=Gettext('Record name', >>>> domain='ipa', localedir=None), multivalue=False, primary_key=True, >>>> query=True, required=True) >>>> Traceback (most recent call last): >>>> File "/home/ayoung/devel/freeipa/ipalib/cli.py", line 962, in run >>>> api.finalize() >>>> File "/home/ayoung/devel/freeipa/ipalib/plugable.py", line 615, in >>>> finalize >>>> p.instance.finalize() >>>> File "/home/ayoung/devel/freeipa/ipalib/frontend.py", line 724, in >>>> finalize >>>> self._create_param_namespace('args') >>>> File "/home/ayoung/devel/freeipa/ipalib/frontend.py", line 350, in >>>> _create_param_namespace >>>> sort=False >>>> File "/home/ayoung/devel/freeipa/ipalib/base.py", line 407, in >>>> __init__ >>>> (self.__class__.__name__, name, self.__map[name], member) >>>> AttributeError: cannot override NameSpace.idnsname value >>>> Str('idnsname', >>>> cli_name='name', doc=Gettext('Zone name (FQDN)', domain='ipa', >>>> localedir=None), label=Gettext('Zone name', domain='ipa', >>>> localedir=None), multivalue=False, normalizer=, >>>> primary_key=True, query=True, required=True) with Str('idnsname', >>>> attribute=True, cli_name='name', doc=Gettext('Record name', >>>> domain='ipa', localedir=None), label=Gettext('Record name', >>>> domain='ipa', localedir=None), multivalue=False, primary_key=True, >>>> query=True, required=True) >>>> ipa: ERROR: an internal error has occurred >>>> >>> >>> That's because you need my patch number 35 for it to work... >>> >>> Pavel >> >> OK, with that change, the patch applies and works. >> >> I've tested: creating a zone >> Creating an a record >> Adding an a record entry to an existing entry (calling ipa dnsrecord-add >> a second time with just a different ip address) >> Adding an aaaa record. >> Deleting one and multiple aaaa records >> >> >> One thing that is a little counter intuitive is that you have to specify >> which records to delete: just running >> ipa dnsrecord-del ayoung.test.ipa.redhat.com hiphop doesn't delete all >> records with the A name of hiphop. I think this is the right behavior, >> but it should be better documented. > > Ok, I'm going to add a few lines about it in the docstring (ipa help). > > Maybe we should have an option to delete all records associated with a > resource name. For example when someone is deleting a host from DNS > and wants all of its records gone. > >> >> Have to hold off on pushing it due to F14: python-netaddr Isn't in F14, >> so we are adding a new python package with this plugin, too. >> >> > > Pavel ACK and pushed to master Note that I got an OK on the added dependency on python-netaddr. From edewata at redhat.com Thu Dec 2 02:39:52 2010 From: edewata at redhat.com (Endi Sukma Dewata) Date: Wed, 01 Dec 2010 20:39:52 -0600 Subject: [Freeipa-devel] [PATCH] UI for host managedby Message-ID: <4CF706F8.8080204@redhat.com> Hi, Please review the attached patch. Thanks! A custom facet has been added to manage the host's managedby attribute. The facet defines the add and remove methods, the columns for the association table and enrollment dialog, and the link for the primary key column. -- Endi S. Dewata -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-edewata-0043-UI-for-host-managedby.patch Type: text/x-patch Size: 2888 bytes Desc: not available URL: From edewata at redhat.com Thu Dec 2 05:02:35 2010 From: edewata at redhat.com (Endi Sukma Dewata) Date: Wed, 01 Dec 2010 23:02:35 -0600 Subject: [Freeipa-devel] [PATCH] Certificate management with self-signed CA Message-ID: <4CF7286B.3060007@redhat.com> Hi, Please review the attached patch. Thanks! The certificate_status_widget has been modified to check for the environment variable ra_plugin to determine the CA used by IPA server. If self-signed CA is used, some operations will not be available (e.g. checking certificate status, revoking/restoring certificate), so the corresponding interface will be hidden. Other operations such as creating new certificate and viewing certificate are still available. -- Endi S. Dewata -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-edewata-0044-Certificate-management-with-self-signed-CA.patch Type: text/x-patch Size: 4996 bytes Desc: not available URL: From jzeleny at redhat.com Thu Dec 2 12:21:16 2010 From: jzeleny at redhat.com (Jan =?iso-8859-15?q?Zelen=FD?=) Date: Thu, 2 Dec 2010 13:21:16 +0100 Subject: [Freeipa-devel] [PATCH] Some fixes in HBAC module In-Reply-To: <201011251015.59118.jzeleny@redhat.com> References: <201011251015.59118.jzeleny@redhat.com> Message-ID: <201012021321.17194.jzeleny@redhat.com> Jan Zelen? wrote: > I'm posting two patches fixing some issues with the HBAC plugin: > > https://fedorahosted.org/freeipa/ticket/487 > https://fedorahosted.org/freeipa/ticket/494 > https://fedorahosted.org/freeipa/ticket/495 Could someone please take a look at 0007? Thanks Jan From jhrozek at redhat.com Thu Dec 2 14:21:47 2010 From: jhrozek at redhat.com (Jakub Hrozek) Date: Thu, 02 Dec 2010 15:21:47 +0100 Subject: [Freeipa-devel] [PATCH] 018 Normalize and convert default params, too Message-ID: <4CF7AB7B.1000701@redhat.com> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 https://fedorahosted.org/freeipa/ticket/555 -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.11 (GNU/Linux) Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org/ iEYEARECAAYFAkz3q3oACgkQHsardTLnvCUaegCeJLcTFgO4fWVRJNObu15IX8v3 N7UAniWpckSzQuWqi1hL9Jnm9kv7ktK1 =AWdp -----END PGP SIGNATURE----- -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-jhrozek-018-Normalize-convert-defaults.patch Type: text/x-patch Size: 924 bytes Desc: not available URL: -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-jhrozek-018-Normalize-convert-defaults.patch.sig Type: application/pgp-signature Size: 72 bytes Desc: not available URL: From ayoung at redhat.com Thu Dec 2 14:33:14 2010 From: ayoung at redhat.com (Adam Young) Date: Thu, 02 Dec 2010 09:33:14 -0500 Subject: [Freeipa-devel] [PATCH] 018 Normalize and convert default params, too In-Reply-To: <4CF7AB7B.1000701@redhat.com> References: <4CF7AB7B.1000701@redhat.com> Message-ID: <4CF7AE2A.4050001@redhat.com> This seems to make sense. Can you provide some context before I ACK? On 12/02/2010 09:21 AM, Jakub Hrozek wrote: > -----BEGIN PGP SIGNED MESSAGE----- > Hash: SHA1 > > https://fedorahosted.org/freeipa/ticket/555 > -----BEGIN PGP SIGNATURE----- > Version: GnuPG v1.4.11 (GNU/Linux) > Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org/ > > iEYEARECAAYFAkz3q3oACgkQHsardTLnvCUaegCeJLcTFgO4fWVRJNObu15IX8v3 > N7UAniWpckSzQuWqi1hL9Jnm9kv7ktK1 > =AWdp > -----END PGP SIGNATURE----- > > > > _______________________________________________ > Freeipa-devel mailing list > Freeipa-devel at redhat.com > https://www.redhat.com/mailman/listinfo/freeipa-devel -------------- next part -------------- An HTML attachment was scrubbed... URL: From jhrozek at redhat.com Thu Dec 2 14:37:40 2010 From: jhrozek at redhat.com (Jakub Hrozek) Date: Thu, 02 Dec 2010 15:37:40 +0100 Subject: [Freeipa-devel] [PATCH] 018 Normalize and convert default params, too In-Reply-To: <4CF7AE2A.4050001@redhat.com> References: <4CF7AB7B.1000701@redhat.com> <4CF7AE2A.4050001@redhat.com> Message-ID: <4CF7AF34.2060803@redhat.com> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 On 12/02/2010 03:33 PM, Adam Young wrote: > This seems to make sense. Can you provide some context before I ACK? We're discussing it with Rob in the ticket, too: https://fedorahosted.org/freeipa/ticket/555 -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.11 (GNU/Linux) Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org/ iEYEARECAAYFAkz3rzQACgkQHsardTLnvCV4VgCdG1IzBG/zVxpuKP4I7Olpskz2 xPsAn27by5mhTW4Lv9HWCB22K4EGDxor =mVQX -----END PGP SIGNATURE----- From ayoung at redhat.com Thu Dec 2 15:19:47 2010 From: ayoung at redhat.com (Adam Young) Date: Thu, 02 Dec 2010 10:19:47 -0500 Subject: [Freeipa-devel] [PATCH] Multicolumn enrollment dialog In-Reply-To: <4CF6FCCD.905@redhat.com> References: <4CF6FCCD.905@redhat.com> Message-ID: <4CF7B913.5060403@redhat.com> On 12/01/2010 08:56 PM, Endi Sukma Dewata wrote: > Hi, > > Please review the attached patch. Thanks! > > https://fedorahosted.org/reviewboard/r/112/ > > The enrollment dialog has been modified to use scrollable tables that > supports multiple columns to display the search results and selected > entries. The columns are specified by calling create_adder_column() > on the association facet. By default the tables will use only one > column which is to display the primary keys. > > The following enrollment dialogs have been modified to use multiple > columns: > - Group's member_user > - Service's managedby_host > - HBAC Service Group's member_hbacsvc > - SUDO Command Group's member_sudocmd > > The ipa_association_table_widget's add() and remove() have been moved > into ipa_association_facet so they can be customized by facet's > subclass. The ipa_table's add_row() has been renamed to add_record(). > > Some old code has been removed from ipa_facet_create_action_panel(). > The code was used to generate association links from a single facet. > It's no longer needed because now each association has its own facet. > > The test data has been updated. The IPA.nested_tabs() has been fixed > to return the entity itself if IPA.tab_set is not defined. This is > needed to pass unit test. > > > _______________________________________________ > Freeipa-devel mailing list > Freeipa-devel at redhat.com > https://www.redhat.com/mailman/listinfo/freeipa-devel Looks good. Some nits. Move the "width: 200px" into the style sheet. We should have a css class that is used for all of the checkbox columns. Why are the is create_adder_column on the association facet and not the adder object? Shouldn't it be adder.add_column? Remove the parentesis in these and just ue the plural. var header_message = that.other_entity + '(s) enrolled in ' + that.entity_name + ' ' + that.pkey; That string actually needs to come from the association definition. I realize that these are autogenerated, but the generic word "enrolled" doesn't work for the majority of the associations. For instance, user should say: "groups containing user kfrog". You can use the plural name of the object out of the meta data for the other entity: IPA.metadata[entity].object_name_plural. -------------- next part -------------- An HTML attachment was scrubbed... URL: From jhrozek at redhat.com Thu Dec 2 15:30:32 2010 From: jhrozek at redhat.com (Jakub Hrozek) Date: Thu, 02 Dec 2010 16:30:32 +0100 Subject: [Freeipa-devel] [PATCH] 622 fix passwd output In-Reply-To: <4CF55ADB.5010101@redhat.com> References: <4CF55ADB.5010101@redhat.com> Message-ID: <4CF7BB98.2090602@redhat.com> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 On 11/30/2010 09:13 PM, Rob Crittenden wrote: > A couple of Password attributes had no label so prompting looked bad. > > When printing exceptions we need to convert the label and error to > unicode so translations work. > > Use standard output routines instead of output_for_cli() in passwd plugin. > > ticket 352 > > rob > Ack -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.11 (GNU/Linux) Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org/ iEYEARECAAYFAkz3u5gACgkQHsardTLnvCX+5wCgj9+YGMzU7NZ+IEJsZiI46TDi u3UAoLWWZ3DPokwf/5QDpYiL+HWIi5JQ =UL2a -----END PGP SIGNATURE----- From rcritten at redhat.com Thu Dec 2 16:09:25 2010 From: rcritten at redhat.com (Rob Crittenden) Date: Thu, 02 Dec 2010 11:09:25 -0500 Subject: [Freeipa-devel] [PATCH] 625 Provide attrs for ACI UI Message-ID: <4CF7C4B5.6000108@redhat.com> Provide available attributes for all objects for use in creating permissions (ACIs). This is provided in the meta data call. Also tell whether an object is bindable (has password or kerberos key) for use in the future selfservice plugin. rob -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-rcrit-625-aci.patch Type: text/x-patch Size: 4703 bytes Desc: not available URL: From rcritten at redhat.com Thu Dec 2 16:25:08 2010 From: rcritten at redhat.com (Rob Crittenden) Date: Thu, 02 Dec 2010 11:25:08 -0500 Subject: [Freeipa-devel] [PATCH] 619 more aci target docs In-Reply-To: <4CF6ECD7.1080600@redhat.com> References: <4CED6D5F.3050507@redhat.com> <4CF6ECD7.1080600@redhat.com> Message-ID: <4CF7C864.3050809@redhat.com> David O'Brien wrote: > Rob Crittenden wrote: >> I added some more documentation and examples to the aci plugin on >> targets. >> >> ticket 310 >> >> rob >> > NACK > > Running behind with reviews, sorry. Just a few minor fixes: > > s/targetted/targeted/ > s/"This is primarily meant to be able to allow users to add/remove > members of a specific group only."/"This is primarily designed to enable > users to add or remove members of a specific group." > > (I _think_ I understood that ok, and didn't change the meaning. Further, > if this target is only designed for this purpose, you don't need > "primarily". If it does something else, what is it?) > > I couldn't grok 100% the "subtree" target description. > > s/"... the ACI is allowed to do, they are one or more of:"/"... the ACI > is allowed to do, and are one or more of:" > > For consistency's sake, s/lets/allows/ etc. Also see below: > allows members of the "addusers" taskgroup > lets members of the editors... group? > lets members of the admin group > > You might need to review the examples a bit. > > cheers Updated patch. rob -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-rcrit-619-2-aci.patch Type: text/x-patch Size: 4703 bytes Desc: not available URL: From ayoung at redhat.com Thu Dec 2 16:41:33 2010 From: ayoung at redhat.com (Adam Young) Date: Thu, 02 Dec 2010 11:41:33 -0500 Subject: [Freeipa-devel] [PATCH] admiyo-0108-remove-task-and-role-groups Message-ID: <4CF7CC3D.1010708@redhat.com> These will be replaced with the new ACI entities shortly. But they have to be removed, as they break the webUI as is. -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-admiyo-0108-remove-task-and-role-groups.patch Type: text/x-patch Size: 2835 bytes Desc: not available URL: From edewata at redhat.com Thu Dec 2 16:50:10 2010 From: edewata at redhat.com (Endi Sukma Dewata) Date: Thu, 02 Dec 2010 10:50:10 -0600 Subject: [Freeipa-devel] [PATCH] admiyo-0108-remove-task-and-role-groups In-Reply-To: <4CF7CC3D.1010708@redhat.com> References: <4CF7CC3D.1010708@redhat.com> Message-ID: <4CF7CE42.1080806@redhat.com> On 12/2/2010 10:41 AM, Adam Young wrote: > These will be replaced with the new ACI entities shortly. But they have > to be removed, as they break the webUI as is. ACK and pushed to master. -- Endi S. Dewata From ayoung at redhat.com Thu Dec 2 17:12:37 2010 From: ayoung at redhat.com (Adam Young) Date: Thu, 02 Dec 2010 12:12:37 -0500 Subject: [Freeipa-devel] [PATCH] Certificate management with self-signed CA In-Reply-To: <4CF7286B.3060007@redhat.com> References: <4CF7286B.3060007@redhat.com> Message-ID: <4CF7D385.5040307@redhat.com> On 12/02/2010 12:02 AM, Endi Sukma Dewata wrote: > Hi, > > Please review the attached patch. Thanks! > > The certificate_status_widget has been modified to check for the > environment variable ra_plugin to determine the CA used by IPA > server. If self-signed CA is used, some operations will not be > available (e.g. checking certificate status, revoking/restoring > certificate), so the corresponding interface will be hidden. Other > operations such as creating new certificate and viewing certificate > are still available. > > > _______________________________________________ > Freeipa-devel mailing list > Freeipa-devel at redhat.com > https://www.redhat.com/mailman/listinfo/freeipa-devel ACK. Pushed to master -------------- next part -------------- An HTML attachment was scrubbed... URL: From ayoung at redhat.com Thu Dec 2 17:14:47 2010 From: ayoung at redhat.com (Adam Young) Date: Thu, 02 Dec 2010 12:14:47 -0500 Subject: [Freeipa-devel] [PATCH] Multicolumn enrollment dialog In-Reply-To: <4CF7B913.5060403@redhat.com> References: <4CF6FCCD.905@redhat.com> <4CF7B913.5060403@redhat.com> Message-ID: <4CF7D407.1080407@redhat.com> On 12/02/2010 10:19 AM, Adam Young wrote: > On 12/01/2010 08:56 PM, Endi Sukma Dewata wrote: >> Hi, >> >> Please review the attached patch. Thanks! >> >> https://fedorahosted.org/reviewboard/r/112/ >> >> The enrollment dialog has been modified to use scrollable tables that >> supports multiple columns to display the search results and selected >> entries. The columns are specified by calling create_adder_column() >> on the association facet. By default the tables will use only one >> column which is to display the primary keys. >> >> The following enrollment dialogs have been modified to use multiple >> columns: >> - Group's member_user >> - Service's managedby_host >> - HBAC Service Group's member_hbacsvc >> - SUDO Command Group's member_sudocmd >> >> The ipa_association_table_widget's add() and remove() have been moved >> into ipa_association_facet so they can be customized by facet's >> subclass. The ipa_table's add_row() has been renamed to add_record(). >> >> Some old code has been removed from ipa_facet_create_action_panel(). >> The code was used to generate association links from a single facet. >> It's no longer needed because now each association has its own facet. >> >> The test data has been updated. The IPA.nested_tabs() has been fixed >> to return the entity itself if IPA.tab_set is not defined. This is >> needed to pass unit test. >> >> >> _______________________________________________ >> Freeipa-devel mailing list >> Freeipa-devel at redhat.com >> https://www.redhat.com/mailman/listinfo/freeipa-devel > > Looks good. Some nits. > > Move the "width: 200px" into the style sheet. We should have a css > class that is used for all of the checkbox columns. > > Why are the is create_adder_column on the association facet and not > the adder object? Shouldn't it be adder.add_column? > Remove the parentesis in these and just ue the plural. var > header_message = that.other_entity + '(s) enrolled in ' + > that.entity_name + ' ' + that.pkey; > > That string actually needs to come from the association definition. I > realize that these are autogenerated, but the generic word "enrolled" > doesn't work for the majority of the associations. For instance, user > should say: "groups containing user kfrog". You can use the plural > name of the object out of the meta data for the other entity: > IPA.metadata[entity].object_name_plural. > > > > > > > > > > > > > > > > _______________________________________________ > Freeipa-devel mailing list > Freeipa-devel at redhat.com > https://www.redhat.com/mailman/listinfo/freeipa-devel ACK. Pushed to master -------------- next part -------------- An HTML attachment was scrubbed... URL: From ayoung at redhat.com Thu Dec 2 17:37:40 2010 From: ayoung at redhat.com (Adam Young) Date: Thu, 02 Dec 2010 12:37:40 -0500 Subject: [Freeipa-devel] [PATCH] admiyo-0106-associate-search Message-ID: <4CF7D964.5040303@redhat.com> Had this one ready for review, but Endi's recent association changes meant I had to rebase it. Hence the -2. patch version -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-admiyo-0106-2-associate-search.patch Type: text/x-patch Size: 1247 bytes Desc: not available URL: From edewata at redhat.com Thu Dec 2 18:11:49 2010 From: edewata at redhat.com (Endi Sukma Dewata) Date: Thu, 02 Dec 2010 12:11:49 -0600 Subject: [Freeipa-devel] [PATCH] admiyo-0106-associate-search In-Reply-To: <4CF7D964.5040303@redhat.com> References: <4CF7D964.5040303@redhat.com> Message-ID: <4CF7E165.50704@redhat.com> On 12/2/2010 11:37 AM, Adam Young wrote: > Had this one ready for review, but Endi's recent association changes > meant I had to rebase it. Hence the -2. patch version ACK and pushed to master. -- Endi S. Dewata From rcritten at redhat.com Thu Dec 2 18:25:54 2010 From: rcritten at redhat.com (Rob Crittenden) Date: Thu, 02 Dec 2010 13:25:54 -0500 Subject: [Freeipa-devel] [PATCH] 619 more aci target docs In-Reply-To: <4CF7C864.3050809@redhat.com> References: <4CED6D5F.3050507@redhat.com> <4CF6ECD7.1080600@redhat.com> <4CF7C864.3050809@redhat.com> Message-ID: <4CF7E4B2.7050109@redhat.com> Rob Crittenden wrote: > David O'Brien wrote: >> Rob Crittenden wrote: >>> I added some more documentation and examples to the aci plugin on >>> targets. >>> >>> ticket 310 >>> >>> rob >>> >> NACK >> >> Running behind with reviews, sorry. Just a few minor fixes: >> >> s/targetted/targeted/ >> s/"This is primarily meant to be able to allow users to add/remove >> members of a specific group only."/"This is primarily designed to enable >> users to add or remove members of a specific group." >> >> (I _think_ I understood that ok, and didn't change the meaning. Further, >> if this target is only designed for this purpose, you don't need >> "primarily". If it does something else, what is it?) >> >> I couldn't grok 100% the "subtree" target description. >> >> s/"... the ACI is allowed to do, they are one or more of:"/"... the ACI >> is allowed to do, and are one or more of:" >> >> For consistency's sake, s/lets/allows/ etc. Also see below: >> allows members of the "addusers" taskgroup >> lets members of the editors... group? >> lets members of the admin group >> >> You might need to review the examples a bit. >> >> cheers > > Updated patch. > > rob > Ok, the right updated patch this time. rob -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-rcrit-619-2-aci.patch Type: text/x-patch Size: 3955 bytes Desc: not available URL: From ayoung at redhat.com Thu Dec 2 18:45:48 2010 From: ayoung at redhat.com (Adam Young) Date: Thu, 02 Dec 2010 13:45:48 -0500 Subject: [Freeipa-devel] [PATCH] UI for host managedby In-Reply-To: <4CF706F8.8080204@redhat.com> References: <4CF706F8.8080204@redhat.com> Message-ID: <4CF7E95C.7080206@redhat.com> On 12/01/2010 09:39 PM, Endi Sukma Dewata wrote: > Hi, > > Please review the attached patch. Thanks! > > A custom facet has been added to manage the host's managedby attribute. > The facet defines the add and remove methods, the columns for the > association table and enrollment dialog, and the link for the primary > key column. > > > _______________________________________________ > Freeipa-devel mailing list > Freeipa-devel at redhat.com > https://www.redhat.com/mailman/listinfo/freeipa-devel ACK and pushed to master -------------- next part -------------- An HTML attachment was scrubbed... URL: From ssorce at redhat.com Thu Dec 2 20:48:49 2010 From: ssorce at redhat.com (Simo Sorce) Date: Thu, 2 Dec 2010 15:48:49 -0500 Subject: [Freeipa-devel] [PATCH] 618 handle membership better In-Reply-To: <4CEC20A3.4070609@redhat.com> References: <4CEC20A3.4070609@redhat.com> Message-ID: <20101202154849.136a9d4a@willson.li.ssimo.org> On Tue, 23 Nov 2010 15:14:27 -0500 Rob Crittenden wrote: > Use better description for group names in help and always prompt for > members > > When running -[add|remove]-member completely interactively it > didn't prompt for managing membership, it just reported that 0 > members were handled which was rather confusing. > > This will work via a shell if you want to echo too: > > $ echo "" | ipa group-add-member g1 > > This returns 0 members because nothing is read for users or group > members. > > $ echo -e "g1\nadmin\n" | ipa group-add-member > > This adds the user admin to the group g1. It adds it as a user > because user membership is prompted for first. > > ticket 415 > > rob ACK. Simo. -- Simo Sorce * Red Hat, Inc * New York From rcritten at redhat.com Thu Dec 2 21:06:20 2010 From: rcritten at redhat.com (Rob Crittenden) Date: Thu, 02 Dec 2010 16:06:20 -0500 Subject: [Freeipa-devel] [PATCH] 018 Normalize and convert default params, too In-Reply-To: <4CF7AF34.2060803@redhat.com> References: <4CF7AB7B.1000701@redhat.com> <4CF7AE2A.4050001@redhat.com> <4CF7AF34.2060803@redhat.com> Message-ID: <4CF80A4C.20305@redhat.com> Jakub Hrozek wrote: > -----BEGIN PGP SIGNED MESSAGE----- > Hash: SHA1 > > On 12/02/2010 03:33 PM, Adam Young wrote: >> This seems to make sense. Can you provide some context before I ACK? > > We're discussing it with Rob in the ticket, too: > https://fedorahosted.org/freeipa/ticket/555 It works for me, ack and pushed to master rob From rcritten at redhat.com Thu Dec 2 21:10:57 2010 From: rcritten at redhat.com (Rob Crittenden) Date: Thu, 02 Dec 2010 16:10:57 -0500 Subject: [Freeipa-devel] [PATCH] Some fixes in HBAC module In-Reply-To: <201011251015.59118.jzeleny@redhat.com> References: <201011251015.59118.jzeleny@redhat.com> Message-ID: <4CF80B61.2060607@redhat.com> Jan Zelen? wrote: > I'm posting two patches fixing some issues with the HBAC plugin: > > https://fedorahosted.org/freeipa/ticket/487 > https://fedorahosted.org/freeipa/ticket/494 > https://fedorahosted.org/freeipa/ticket/495 > Ack patch 0007, pushed to master. rob From rcritten at redhat.com Thu Dec 2 21:22:27 2010 From: rcritten at redhat.com (Rob Crittenden) Date: Thu, 02 Dec 2010 16:22:27 -0500 Subject: [Freeipa-devel] [PATCH] 618 handle membership better In-Reply-To: <20101202154849.136a9d4a@willson.li.ssimo.org> References: <4CEC20A3.4070609@redhat.com> <20101202154849.136a9d4a@willson.li.ssimo.org> Message-ID: <4CF80E13.90104@redhat.com> Simo Sorce wrote: > On Tue, 23 Nov 2010 15:14:27 -0500 > Rob Crittenden wrote: > >> Use better description for group names in help and always prompt for >> members >> >> When running-[add|remove]-member completely interactively it >> didn't prompt for managing membership, it just reported that 0 >> members were handled which was rather confusing. >> >> This will work via a shell if you want to echo too: >> >> $ echo "" | ipa group-add-member g1 >> >> This returns 0 members because nothing is read for users or group >> members. >> >> $ echo -e "g1\nadmin\n" | ipa group-add-member >> >> This adds the user admin to the group g1. It adds it as a user >> because user membership is prompted for first. >> >> ticket 415 >> >> rob > > ACK. > > Simo. > Rebased and pushed to master rob From rcritten at redhat.com Thu Dec 2 21:27:04 2010 From: rcritten at redhat.com (Rob Crittenden) Date: Thu, 02 Dec 2010 16:27:04 -0500 Subject: [Freeipa-devel] [PATCH] 621 drop install/tools/README In-Reply-To: <20101201123429.GA25239@zeppelin.brq.redhat.com> References: <4CF54A28.9060101@redhat.com> <20101201123429.GA25239@zeppelin.brq.redhat.com> Message-ID: <4CF80F28.10405@redhat.com> Jakub Hrozek wrote: > On Tue, Nov 30, 2010 at 02:02:00PM -0500, Rob Crittenden wrote: >> The README in install/tools is really for v1 and contains almost >> nothing useful for v2 so I'm proposing to drop it altogether. >> >> I'm also adding a link to the QuickStart guide on the trac wiki. The >> guide itself needs a lot of work but its a start. >> >> rob > > Ack pushed to master From rcritten at redhat.com Thu Dec 2 21:32:17 2010 From: rcritten at redhat.com (Rob Crittenden) Date: Thu, 02 Dec 2010 16:32:17 -0500 Subject: [Freeipa-devel] [PATCH] 622 fix passwd output In-Reply-To: <4CF7BB98.2090602@redhat.com> References: <4CF55ADB.5010101@redhat.com> <4CF7BB98.2090602@redhat.com> Message-ID: <4CF81061.9010809@redhat.com> Jakub Hrozek wrote: > -----BEGIN PGP SIGNED MESSAGE----- > Hash: SHA1 > > On 11/30/2010 09:13 PM, Rob Crittenden wrote: >> A couple of Password attributes had no label so prompting looked bad. >> >> When printing exceptions we need to convert the label and error to >> unicode so translations work. >> >> Use standard output routines instead of output_for_cli() in passwd plugin. >> >> ticket 352 >> >> rob >> > > Ack pushed to master From ayoung at redhat.com Thu Dec 2 21:43:11 2010 From: ayoung at redhat.com (Adam Young) Date: Thu, 02 Dec 2010 16:43:11 -0500 Subject: [Freeipa-devel] [PATCH] admiyo-0110-tooltips Message-ID: <4CF812EF.3080307@redhat.com> -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-admiyo-0110-tooltips.patch Type: text/x-patch Size: 1475 bytes Desc: not available URL: From ssorce at redhat.com Thu Dec 2 21:47:15 2010 From: ssorce at redhat.com (Simo Sorce) Date: Thu, 2 Dec 2010 16:47:15 -0500 Subject: [Freeipa-devel] [PATCH] Do not create reverse zone by default In-Reply-To: <20101115115320.GA19666@zeppelin.brq.redhat.com> References: <20101115115320.GA19666@zeppelin.brq.redhat.com> Message-ID: <20101202164715.48ba91a1@willson.li.ssimo.org> On Mon, 15 Nov 2010 12:53:22 +0100 Jakub Hrozek wrote: > Prompt for creation of reverse zone, with the default for unattended > installations being False. > > https://fedorahosted.org/freeipa/ticket/418 > ACK and pushed to master. Simo. -- Simo Sorce * Red Hat, Inc * New York From edewata at redhat.com Thu Dec 2 23:13:23 2010 From: edewata at redhat.com (Endi Sukma Dewata) Date: Thu, 02 Dec 2010 17:13:23 -0600 Subject: [Freeipa-devel] [PATCH] admiyo-0110-tooltips In-Reply-To: <4CF812EF.3080307@redhat.com> References: <4CF812EF.3080307@redhat.com> Message-ID: <4CF82813.3040804@redhat.com> On 12/2/2010 3:43 PM, Adam Young wrote: > ACK and pushed to master. -- Endi S. Dewata From edewata at redhat.com Fri Dec 3 00:53:58 2010 From: edewata at redhat.com (Endi Sukma Dewata) Date: Thu, 02 Dec 2010 18:53:58 -0600 Subject: [Freeipa-devel] [PATCH] Fixed association links Message-ID: <4CF83FA6.1080202@redhat.com> Hi, Please review the attached patch. Thanks! https://fedorahosted.org/reviewboard/r/113/ The create_association_facets() has been modified such that it does not generate duplicate links. This is done by assigning the proper labels and hiding non-assignable associations. Each association will get a label based on the attribute used: - memberof: Membership - member.*: Member - managedby: Managed by - enrolledby: Enrolled by The following associations will be hidden: - memberindirect The internal.py was modified to return localized labels. The test data has been updated. -- Endi S. Dewata -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-edewata-0045-Fixed-association-links.patch Type: text/x-patch Size: 8022 bytes Desc: not available URL: From edewata at redhat.com Fri Dec 3 02:50:05 2010 From: edewata at redhat.com (Endi Sukma Dewata) Date: Thu, 02 Dec 2010 20:50:05 -0600 Subject: [Freeipa-devel] [PATCH] Fixed buttons in enrollment dialog Message-ID: <4CF85ADD.9090109@redhat.com> Hi, Please review the attached patch. Thanks! The Find, Add, and Remove buttons in the enrollment dialog have been replaced with ipa_buttons. -- Endi S. Dewata -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-edewata-0046-Fixed-buttons-in-enrollment-dialog.patch Type: text/x-patch Size: 3545 bytes Desc: not available URL: From ayoung at redhat.com Fri Dec 3 02:52:56 2010 From: ayoung at redhat.com (Adam Young) Date: Thu, 02 Dec 2010 21:52:56 -0500 Subject: [Freeipa-devel] [PATCH] admiyo-0111-dns2-ui Message-ID: <4CF85B88.6010109@redhat.com> -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-admiyo-0111-dns2-ui.patch Type: text/x-patch Size: 79552 bytes Desc: not available URL: From ayoung at redhat.com Fri Dec 3 03:09:10 2010 From: ayoung at redhat.com (Adam Young) Date: Thu, 02 Dec 2010 22:09:10 -0500 Subject: [Freeipa-devel] [PATCH] Fixed buttons in enrollment dialog In-Reply-To: <4CF85ADD.9090109@redhat.com> References: <4CF85ADD.9090109@redhat.com> Message-ID: <4CF85F56.6090306@redhat.com> On 12/02/2010 09:50 PM, Endi Sukma Dewata wrote: > Hi, > > Please review the attached patch. Thanks! > > The Find, Add, and Remove buttons in the enrollment dialog have > been replaced with ipa_buttons. > > > _______________________________________________ > Freeipa-devel mailing list > Freeipa-devel at redhat.com > https://www.redhat.com/mailman/listinfo/freeipa-devel ACK. Pushed to master -------------- next part -------------- An HTML attachment was scrubbed... URL: From ayoung at redhat.com Fri Dec 3 03:15:53 2010 From: ayoung at redhat.com (Adam Young) Date: Thu, 02 Dec 2010 22:15:53 -0500 Subject: [Freeipa-devel] [PATCH] Fixed buttons in enrollment dialog In-Reply-To: <4CF85ADD.9090109@redhat.com> References: <4CF85ADD.9090109@redhat.com> Message-ID: <4CF860E9.7060201@redhat.com> On 12/02/2010 09:50 PM, Endi Sukma Dewata wrote: > Hi, > > Please review the attached patch. Thanks! > > The Find, Add, and Remove buttons in the enrollment dialog have > been replaced with ipa_buttons. > > > _______________________________________________ > Freeipa-devel mailing list > Freeipa-devel at redhat.com > https://www.redhat.com/mailman/listinfo/freeipa-devel You should be filtering out Host-> Enrolled by Users as well. This is a single entity field, and it is automatically filled out when the user enrolls the host in IPA. That will fix https://fedorahosted.org/freeipa/ticket/377 Don't forget to update test/date/ipa_init.json with the new messages. Rest of it looks good. -------------- next part -------------- An HTML attachment was scrubbed... URL: From jzeleny at redhat.com Fri Dec 3 07:48:36 2010 From: jzeleny at redhat.com (Jan =?iso-8859-15?q?Zelen=FD?=) Date: Fri, 3 Dec 2010 08:48:36 +0100 Subject: [Freeipa-devel] [PATCH] Added some fields to user object In-Reply-To: <201011221910.21059.jzeleny@redhat.com> References: <201011221525.44652.jzeleny@redhat.com> <4CEA801E.2020908@redhat.com> <201011221910.21059.jzeleny@redhat.com> Message-ID: <201012030848.36337.jzeleny@redhat.com> Jan Zelen? wrote: > Adam Young wrote: > > On 11/22/2010 09:25 AM, Jan Zelen? wrote: > > > Some fields were missing from user object, this change adds them > > > along with their l10n > > > > > > https://fedorahosted.org/freeipa/ticket/305 > > > > NACK > > > > Did a user-show and got this stack trace > > Sorry for that, left a dash there. This should be better. This updated version seems to be forgotten. Can someone please review it? Thanks Jan From jzeleny at redhat.com Fri Dec 3 08:40:01 2010 From: jzeleny at redhat.com (Jan =?iso-8859-1?q?Zelen=FD?=) Date: Fri, 3 Dec 2010 09:40:01 +0100 Subject: [Freeipa-devel] [PATCH] Document that the default group has to exist Message-ID: <201012030940.01945.jzeleny@redhat.com> https://bugzilla.redhat.com/show_bug.cgi?id=654117#c4 -- Thank you Jan Zeleny Red Hat Software Engineer Brno, Czech Republic -------------- next part -------------- A non-text attachment was scrubbed... Name: 0001-Document-that-the-default-group-has-to-exist.patch Type: text/x-patch Size: 1454 bytes Desc: not available URL: From jzeleny at redhat.com Fri Dec 3 10:00:26 2010 From: jzeleny at redhat.com (Jan =?iso-8859-15?q?Zelen=FD?=) Date: Fri, 3 Dec 2010 11:00:26 +0100 Subject: [Freeipa-devel] [PATCH] Document that the default group has to exist In-Reply-To: <201012030940.01945.jzeleny@redhat.com> References: <201012030940.01945.jzeleny@redhat.com> Message-ID: <201012031100.26205.jzeleny@redhat.com> Jan Zelen? wrote: > https://bugzilla.redhat.com/show_bug.cgi?id=654117#c4 Sending corrected patch. A little modification of the doc formulation and renaming the patch so it follows the guidelines. Jan -------------- next part -------------- A non-text attachment was scrubbed... Name: jzeleny-freeipa-0011-Document-that-the-default-group-has-to-exist.patch Type: text/x-patch Size: 1398 bytes Desc: not available URL: From jhrozek at redhat.com Fri Dec 3 13:15:32 2010 From: jhrozek at redhat.com (Jakub Hrozek) Date: Fri, 03 Dec 2010 14:15:32 +0100 Subject: [Freeipa-devel] [PATCH] Document that the default group has to exist In-Reply-To: <201012031100.26205.jzeleny@redhat.com> References: <201012030940.01945.jzeleny@redhat.com> <201012031100.26205.jzeleny@redhat.com> Message-ID: <4CF8ED74.2010006@redhat.com> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 On 12/03/2010 11:00 AM, Jan Zelen? wrote: > Jan Zelen? wrote: >> https://bugzilla.redhat.com/show_bug.cgi?id=654117#c4 > > Sending corrected patch. A little modification of the doc formulation and > renaming the patch so it follows the guidelines. > > Jan > > The patch applies and the message makes sense - Ack. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.11 (GNU/Linux) Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org/ iEYEARECAAYFAkz47XQACgkQHsardTLnvCWAswCgkV3IiCOVea178uptAXPCwQQi LOoAnjRwC1L30J+0ruJTg3vMcQBPrQi+ =rqR8 -----END PGP SIGNATURE----- From ayoung at redhat.com Fri Dec 3 15:19:58 2010 From: ayoung at redhat.com (Adam Young) Date: Fri, 03 Dec 2010 10:19:58 -0500 Subject: [Freeipa-devel] [PATCH] Added some fields to user object In-Reply-To: <201011221525.44652.jzeleny@redhat.com> References: <201011221525.44652.jzeleny@redhat.com> Message-ID: <4CF90A9E.7090603@redhat.com> On 11/22/2010 09:25 AM, Jan Zelen? wrote: > Some fields were missing from user object, this change adds them > along with their l10n > > https://fedorahosted.org/freeipa/ticket/305 > > > > > _______________________________________________ > Freeipa-devel mailing list > Freeipa-devel at redhat.com > https://www.redhat.com/mailman/listinfo/freeipa-devel ACK. Pushed to master -------------- next part -------------- An HTML attachment was scrubbed... URL: From kybaker at redhat.com Fri Dec 3 16:17:38 2010 From: kybaker at redhat.com (Kyle Baker) Date: Fri, 3 Dec 2010 11:17:38 -0500 (EST) Subject: [Freeipa-devel] Additional classes and small code additions Message-ID: <1574094211.415661291393058811.JavaMail.root@zmail05.collab.prod.int.phx2.redhat.com> In order to properly style the rest of the UI from the style sheet I need separate classes made for a few page elements. I need separate classes for: ? Buttons in the action panel. The text in the buttons share properties with the top tier selected elements ? Separate style for the tabs that do not inherit styles from the rest of the buttons. They share the ui-state-default class ? The bottom td in the lists that specify the number users who matched. The goal is to have the list a min-height. This could be done multiple ways. This could be done by specifying a minimum amount of tds empty or filled. Specifying list height distorts cell sizes. The other reason is to have 1px line at the bottom of the list. ?Even when pages list pages don't have search capability we still should have a class for those to specify spacing. We are currently using .search-controls we need a separate one for non search list pages. We also need to put this in all of the non-search list pages in the code. ?The text based -/+ are not working in the detail pages. The - shows by default and does not look clickable. We need to make these another separate buttons class. We still want to use the -/+ shapes but as the ui-icon style. This also needs to be specified outside of the style sheet. -Kyle From edewata at redhat.com Fri Dec 3 16:49:04 2010 From: edewata at redhat.com (Endi Sukma Dewata) Date: Fri, 03 Dec 2010 10:49:04 -0600 Subject: [Freeipa-devel] [PATCH] admiyo-0111-dns2-ui In-Reply-To: <4CF85B88.6010109@redhat.com> References: <4CF85B88.6010109@redhat.com> Message-ID: <4CF91F80.2090905@redhat.com> On 12/2/2010 8:52 PM, Adam Young wrote: > ACK and pushed to master. Note that after updating DNS zone details the fields will become disabled. This can be fixed in a follow up. -- Endi S. Dewata From edewata at redhat.com Fri Dec 3 17:39:07 2010 From: edewata at redhat.com (Endi Sukma Dewata) Date: Fri, 03 Dec 2010 11:39:07 -0600 Subject: [Freeipa-devel] [PATCH] Fixed association links In-Reply-To: <4CF83FA6.1080202@redhat.com> References: <4CF83FA6.1080202@redhat.com> Message-ID: <4CF92B3B.7030600@redhat.com> On 12/2/2010 9:15 PM, Adam Young wrote: > You should be filtering out Host-> Enrolled by Users as well. > This is a single entity field, and it is automatically filled out when the user enrolls the host in IPA. > That will fix > https://fedorahosted.org/freeipa/ticket/377 > > Don't forget to update test/date/ipa_init.json with the new messages. > > Rest of it looks good. Attached is an updated patch. The enrolledby is now filtered out as well. The plugin and test data have been updated to match the wordings in ticket #511. -- Endi S. Dewata -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-edewata-0045-2-Fixed-association-links.patch Type: text/x-patch Size: 7838 bytes Desc: not available URL: From edewata at redhat.com Fri Dec 3 17:51:33 2010 From: edewata at redhat.com (Endi Sukma Dewata) Date: Fri, 03 Dec 2010 11:51:33 -0600 Subject: [Freeipa-devel] [PATCH] Removed HBAC Access Time Message-ID: <4CF92E25.6050906@redhat.com> Hi, Please review the attached patch. Thanks! The interface for access time has been removed from HBAC details page. The code has been commented out, but not removed. -- Endi S. Dewata -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-edewata-0047-Removed-HBAC-Access-Time.patch Type: text/x-patch Size: 1877 bytes Desc: not available URL: From ayoung at redhat.com Fri Dec 3 18:00:10 2010 From: ayoung at redhat.com (Adam Young) Date: Fri, 03 Dec 2010 13:00:10 -0500 Subject: [Freeipa-devel] [PATCH] Fixed association links In-Reply-To: <4CF92B3B.7030600@redhat.com> References: <4CF83FA6.1080202@redhat.com> <4CF92B3B.7030600@redhat.com> Message-ID: <4CF9302A.7010404@redhat.com> On 12/03/2010 12:39 PM, Endi Sukma Dewata wrote: > On 12/2/2010 9:15 PM, Adam Young wrote: >> You should be filtering out Host-> Enrolled by Users as well. >> This is a single entity field, and it is automatically filled out >> when the user enrolls the host in IPA. >> That will fix >> https://fedorahosted.org/freeipa/ticket/377 >> >> Don't forget to update test/date/ipa_init.json with the new messages. >> >> Rest of it looks good. > > Attached is an updated patch. > > The enrolledby is now filtered out as well. The plugin and test data > have been updated to match the wordings in ticket #511. > > > _______________________________________________ > Freeipa-devel mailing list > Freeipa-devel at redhat.com > https://www.redhat.com/mailman/listinfo/freeipa-devel ACK. Pushed to master -------------- next part -------------- An HTML attachment was scrubbed... URL: From ayoung at redhat.com Fri Dec 3 18:00:21 2010 From: ayoung at redhat.com (Adam Young) Date: Fri, 03 Dec 2010 13:00:21 -0500 Subject: [Freeipa-devel] [PATCH] Removed HBAC Access Time In-Reply-To: <4CF92E25.6050906@redhat.com> References: <4CF92E25.6050906@redhat.com> Message-ID: <4CF93035.9010906@redhat.com> On 12/03/2010 12:51 PM, Endi Sukma Dewata wrote: > Hi, > > Please review the attached patch. Thanks! > > The interface for access time has been removed from HBAC details > page. The code has been commented out, but not removed. > > > _______________________________________________ > Freeipa-devel mailing list > Freeipa-devel at redhat.com > https://www.redhat.com/mailman/listinfo/freeipa-devel ACK. Pushed to master -------------- next part -------------- An HTML attachment was scrubbed... URL: From ayoung at redhat.com Fri Dec 3 18:06:52 2010 From: ayoung at redhat.com (Adam Young) Date: Fri, 03 Dec 2010 13:06:52 -0500 Subject: [Freeipa-devel] [PATCH] 625 Provide attrs for ACI UI In-Reply-To: <4CF7C4B5.6000108@redhat.com> References: <4CF7C4B5.6000108@redhat.com> Message-ID: <4CF931BC.6040209@redhat.com> On 12/02/2010 11:09 AM, Rob Crittenden wrote: > Provide available attributes for all objects for use in creating > permissions (ACIs). This is provided in the meta data call. > > Also tell whether an object is bindable (has password or kerberos key) > for use in the future selfservice plugin. > > rob > > > _______________________________________________ > Freeipa-devel mailing list > Freeipa-devel at redhat.com > https://www.redhat.com/mailman/listinfo/freeipa-devel ACK. pushed to master -------------- next part -------------- An HTML attachment was scrubbed... URL: From rcritten at redhat.com Fri Dec 3 18:25:53 2010 From: rcritten at redhat.com (Rob Crittenden) Date: Fri, 03 Dec 2010 13:25:53 -0500 Subject: [Freeipa-devel] [PATCH] 626 don't fetch cos for global pwpolicy Message-ID: <4CF93631.7060408@redhat.com> The global pwpolicy group by definition doesn't have a cos entry. Don't look for one. ticket 523 rob -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-rcrit-626-pwpolicy.patch Type: text/x-patch Size: 1498 bytes Desc: not available URL: From ssorce at redhat.com Fri Dec 3 18:39:10 2010 From: ssorce at redhat.com (Simo Sorce) Date: Fri, 3 Dec 2010 13:39:10 -0500 Subject: [Freeipa-devel] [PATCH] 626 don't fetch cos for global pwpolicy In-Reply-To: <4CF93631.7060408@redhat.com> References: <4CF93631.7060408@redhat.com> Message-ID: <20101203133910.324e634e@willson.li.ssimo.org> On Fri, 03 Dec 2010 13:25:53 -0500 Rob Crittenden wrote: > The global pwpolicy group by definition doesn't have a cos entry. > Don't look for one. > > ticket 523 > > rob ack Simo. -- Simo Sorce * Red Hat, Inc * New York From rcritten at redhat.com Fri Dec 3 18:51:12 2010 From: rcritten at redhat.com (Rob Crittenden) Date: Fri, 03 Dec 2010 13:51:12 -0500 Subject: [Freeipa-devel] [PATCH] 626 don't fetch cos for global pwpolicy In-Reply-To: <20101203133910.324e634e@willson.li.ssimo.org> References: <4CF93631.7060408@redhat.com> <20101203133910.324e634e@willson.li.ssimo.org> Message-ID: <4CF93C20.4020209@redhat.com> Simo Sorce wrote: > On Fri, 03 Dec 2010 13:25:53 -0500 > Rob Crittenden wrote: > >> The global pwpolicy group by definition doesn't have a cos entry. >> Don't look for one. >> >> ticket 523 >> >> rob > > ack > > Simo. > pushed to master From rcritten at redhat.com Fri Dec 3 19:06:53 2010 From: rcritten at redhat.com (Rob Crittenden) Date: Fri, 03 Dec 2010 14:06:53 -0500 Subject: [Freeipa-devel] [PATCH] 627 drop accessTime from HBAC in framework Message-ID: <4CF93FCD.1000408@redhat.com> Drop accessTime in the management framework. I've done it through comments as much as I could to make it easier to revive it later. rob -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-rcrit-627-hbac.patch Type: text/x-patch Size: 7252 bytes Desc: not available URL: From rcritten at redhat.com Fri Dec 3 20:07:42 2010 From: rcritten at redhat.com (Rob Crittenden) Date: Fri, 03 Dec 2010 15:07:42 -0500 Subject: [Freeipa-devel] [PATCH] Document that the default group has to exist In-Reply-To: <201012031100.26205.jzeleny@redhat.com> References: <201012030940.01945.jzeleny@redhat.com> <201012031100.26205.jzeleny@redhat.com> Message-ID: <4CF94E0E.6080801@redhat.com> Jan Zelen? wrote: > Jan Zelen? wrote: >> https://bugzilla.redhat.com/show_bug.cgi?id=654117#c4 > > Sending corrected patch. A little modification of the doc formulation and > renaming the patch so it follows the guidelines. > > Jan Can't we do a group-show in the mod pre_callback to see if the group exists? rob From edewata at redhat.com Fri Dec 3 20:35:37 2010 From: edewata at redhat.com (Endi Sukma Dewata) Date: Fri, 03 Dec 2010 14:35:37 -0600 Subject: [Freeipa-devel] SUDO UI and CLI discrepancies Message-ID: <4CF95499.4040602@redhat.com> Hi, Attached is the UI spec for SUDO. There are some differences with the current CLI implementation. 1. The UI needs a rule status with values active & inactive. The CLI doesn't have this attribute. HBAC has ipaenabledflag attribute which can be managed using hbac-enable/disable operations. 2. The UI needs a user category for the "Who" section. The CLI doesn't have this attribute. HBAC has usercategory attribute which can be managed using hbac-add/mod operations. 3. The UI needs a host category for the "Access this host" section. The CLI doesn't have this attribute. HBAC has hostcategory attribute which can be managed using hbac-add/mod operations. 4. The UI needs separate allow-command and deny-command categories for the "Run Command(s)" section. The CLI only has a single cmdcategory. 5. The UI needs separate run-as-user and run-as-group categories for the "As Whom" section. The UI also needs a way to manage the list of users/groups for the run-as-user, and the list of groups for the run-as-group. The CLI doesn't have these attributes or operations. 6. According to ticket #534, the UI needs to support adding external user, groups, and host. The current CLI doesn't seem to accept external values. This blocks https://fedorahosted.org/freeipa/ticket/534. Should I open a ticket for each of the above issues? Thanks. -- Endi S. Dewata -------------- next part -------------- A non-text attachment was scrubbed... Name: IPA_Sudo.pdf Type: application/pdf Size: 399581 bytes Desc: not available URL: From ayoung at redhat.com Fri Dec 3 21:52:02 2010 From: ayoung at redhat.com (Adam Young) Date: Fri, 03 Dec 2010 16:52:02 -0500 Subject: [Freeipa-devel] [PATCH] sudo and netgroup schema compat updates In-Reply-To: <20101130233844.GF5731@redhat.com> References: <20101130233844.GF5731@redhat.com> Message-ID: <4CF96682.5030503@redhat.com> On 11/30/2010 06:38 PM, Nalin Dahyabhai wrote: > This is what I've got now; I think it's correct. > > - fix quoting in the netgroup compat configuration entry > - don't bother looking for members of netgroups by looking for entries > which list "memberOf: $netgroup" -- the netgroup should list them as > "member" or "memberUser" or "memberHost" values > - use newer slapi-nis functionality to produce cn=sudoers > - drop the real cn=sudoers container to make room for the compat > container > > Feel free to adjust the "schema-compat-container-group" for the > "cn=sudoers,cn=Schema Compatibility,cn=plugins,cn=config" entry -- the > location of the compat sudo entries is of no concern to me. > > Cheers, > > Nalin > > > > _______________________________________________ > Freeipa-devel mailing list > Freeipa-devel at redhat.com > https://www.redhat.com/mailman/listinfo/freeipa-devel can anyone ACK/NACK this? -------------- next part -------------- An HTML attachment was scrubbed... URL: From rcritten at redhat.com Fri Dec 3 21:50:50 2010 From: rcritten at redhat.com (Rob Crittenden) Date: Fri, 03 Dec 2010 16:50:50 -0500 Subject: [Freeipa-devel] [PATCH] 628 use KDC schema file Message-ID: <4CF9663A.9090609@redhat.com> Rather than shipping and maintaining our own kerberos schema file use the one provided by MIT instead. ticket 505 rob -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-rcrit-628-schema.patch Type: text/x-patch Size: 22451 bytes Desc: not available URL: From nalin at redhat.com Fri Dec 3 22:21:59 2010 From: nalin at redhat.com (Nalin Dahyabhai) Date: Fri, 3 Dec 2010 17:21:59 -0500 Subject: [Freeipa-devel] [PATCH] 628 use KDC schema file In-Reply-To: <4CF9663A.9090609@redhat.com> References: <4CF9663A.9090609@redhat.com> Message-ID: <20101203222159.GB25845@redhat.com> On Fri, Dec 03, 2010 at 04:50:50PM -0500, Rob Crittenden wrote: > Rather than shipping and maintaining our own kerberos schema file > use the one provided by MIT instead. nak: That file's generated from another LDIF file while building the Fedora package, so it's not going to be there on other distributions. I think we have to keep carrying it. Cheers, Nalin From rcritten at redhat.com Fri Dec 3 22:27:18 2010 From: rcritten at redhat.com (Rob Crittenden) Date: Fri, 03 Dec 2010 17:27:18 -0500 Subject: [Freeipa-devel] [PATCH] 629 optimize queries when searching for indirect members Message-ID: <4CF96EC6.8090901@redhat.com> Ensure list of attrs to retrieve is unique, optimize getting indirect members This fixes search where we were asking for the member attribute 10 or more times. When retrieving indirect members make sure we always pass around the size and time limits so we don't have to look it up with every call to find_entries() I saw this while doing a group_find and watching the LDAP access log. ticket 557 rob -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-rcrit-629-query.patch Type: text/x-patch Size: 2435 bytes Desc: not available URL: From rcritten at redhat.com Fri Dec 3 22:36:06 2010 From: rcritten at redhat.com (Rob Crittenden) Date: Fri, 03 Dec 2010 17:36:06 -0500 Subject: [Freeipa-devel] [PATCH] 630 check for correct option in delete Message-ID: <4CF970D6.20903@redhat.com> I've pushed this under the 1-liner rule. We changed the continue-deleting-on-error from --continuous to --continue. Looks like we missed one. rob -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-rcrit-630-delete.patch Type: text/x-patch Size: 891 bytes Desc: not available URL: From ssorce at redhat.com Fri Dec 3 23:26:36 2010 From: ssorce at redhat.com (Simo Sorce) Date: Fri, 3 Dec 2010 18:26:36 -0500 Subject: [Freeipa-devel] [PATCH] 0023 Compiles plugin against the right ldap libraries Message-ID: <20101203182636.457682a2@willson.li.ssimo.org> In Fedora 14, 389-ds started linking against openldap libraries instead of the old mozldap libraries. This patch allows us to conditionally build plugins against openldap as well. Failure to do so may cause symbol clashes when the plugin is used by directory server because then we get 2 different ldap libraries loaded at the same time. The spec file has already been changed to build plugins --with-openldap by default. Simo. -- Simo Sorce * Red Hat, Inc * New York -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-simo-0023-Make-use-of-mozldap-vs-openldap-for-plugins-selectab.patch Type: text/x-patch Size: 10144 bytes Desc: not available URL: From rmeggins at redhat.com Sat Dec 4 00:25:20 2010 From: rmeggins at redhat.com (Rich Megginson) Date: Fri, 03 Dec 2010 17:25:20 -0700 Subject: [Freeipa-devel] [PATCH] 0023 Compiles plugin against the right ldap libraries In-Reply-To: <20101203182636.457682a2@willson.li.ssimo.org> References: <20101203182636.457682a2@willson.li.ssimo.org> Message-ID: <4CF98A70.50803@redhat.com> On 12/03/2010 04:26 PM, Simo Sorce wrote: > In Fedora 14, 389-ds started linking against openldap libraries instead > of the old mozldap libraries. > > This patch allows us to conditionally build plugins against openldap as > well. Failure to do so may cause symbol clashes when the plugin is used > by directory server because then we get 2 different ldap libraries > loaded at the same time. > > The spec file has already been changed to build plugins --with-openldap > by default. ack but only if the goal is to remove use of #define LDAP_DEPRECATED 1 - I can help with this > Simo. > > > > _______________________________________________ > Freeipa-devel mailing list > Freeipa-devel at redhat.com > https://www.redhat.com/mailman/listinfo/freeipa-devel -------------- next part -------------- An HTML attachment was scrubbed... URL: From ssorce at redhat.com Sat Dec 4 15:14:57 2010 From: ssorce at redhat.com (Simo Sorce) Date: Sat, 4 Dec 2010 10:14:57 -0500 Subject: [Freeipa-devel] [PATCH] 0023 Compiles plugin against the right ldap libraries In-Reply-To: <4CF98A70.50803@redhat.com> References: <20101203182636.457682a2@willson.li.ssimo.org> <4CF98A70.50803@redhat.com> Message-ID: <20101204101457.09092b2e@willson.li.ssimo.org> On Fri, 03 Dec 2010 17:25:20 -0700 Rich Megginson wrote: > On 12/03/2010 04:26 PM, Simo Sorce wrote: > > In Fedora 14, 389-ds started linking against openldap libraries > > instead of the old mozldap libraries. > > > > This patch allows us to conditionally build plugins against > > openldap as well. Failure to do so may cause symbol clashes when > > the plugin is used by directory server because then we get 2 > > different ldap libraries loaded at the same time. > > > > The spec file has already been changed to build plugins > > --with-openldap by default. > ack but only if the goal is to remove use of #define LDAP_DEPRECATED > 1 - I can help with this The only reason I kept that is that we use ldap_explode_dn(), that function is not itself deprecated (ie it is not under LDAP_DEPRECATED ifdefs although a comment syas it is deprecated), but it returns char **, and the only function that frees a char ** is ldap_free_value(). This one is under LDAP_DEPRECATED and says you shoud use ldap_free_value_len(), but that functions takes a struct berval as argument. I think there are only 2 places/plugins where those deprecated functions are used. So if you want to open a ticket to remove them feel free, but I would do that as a separate patch. The goal of this patch was to do as few modifications as possible to the plugins themselves. Simo. -- Simo Sorce * Red Hat, Inc * New York From ayoung at redhat.com Sat Dec 4 20:23:04 2010 From: ayoung at redhat.com (Adam Young) Date: Sat, 04 Dec 2010 15:23:04 -0500 Subject: [Freeipa-devel] Additional classes and small code additions In-Reply-To: <1574094211.415661291393058811.JavaMail.root@zmail05.collab.prod.int.phx2.redhat.com> References: <1574094211.415661291393058811.JavaMail.root@zmail05.collab.prod.int.phx2.redhat.com> Message-ID: <4CFAA328.9020804@redhat.com> On 12/03/2010 11:17 AM, Kyle Baker wrote: > In order to properly style the rest of the UI from the style sheet I need separate classes made for a few page elements. I need separate classes for: > > ? Buttons in the action panel. The text in the buttons share properties with the top tier selected elements > > ? Separate style for the tabs that do not inherit styles from the rest of the buttons. They share the ui-state-default class > > ? The bottom td in the lists that specify the number users who matched. The goal is to have the list a min-height. This could be done multiple ways. This could be done by specifying a minimum amount of tds empty or filled. Specifying list height distorts cell sizes. The other reason is to have 1px line at the bottom of the list. > > ?Even when pages list pages don't have search capability we still should have a class for those to specify spacing. We are currently using .search-controls we need a separate one for non search list pages. We also need to put this in all of the non-search list pages in the code. > > ?The text based -/+ are not working in the detail pages. The - shows by default and does not look clickable. We need to make these another separate buttons class. We still want to use the -/+ shapes but as the ui-icon style. This also needs to be specified outside of the style sheet. > > -Kyle > > _______________________________________________ > Freeipa-devel mailing list > Freeipa-devel at redhat.com > https://www.redhat.com/mailman/listinfo/freeipa-devel OK, I'll try to get you something before Tuesday. From jhrozek at redhat.com Sun Dec 5 14:14:29 2010 From: jhrozek at redhat.com (Jakub Hrozek) Date: Sun, 05 Dec 2010 15:14:29 +0100 Subject: [Freeipa-devel] [PATCH] 019 Do not migrate krbPrincipalKey Message-ID: <4CFB9E45.1090101@redhat.com> https://fedorahosted.org/freeipa/ticket/455 This patch depends on my patch 015 (in thread "Make the migration plugin more configurable") -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-jhrozek-019-Do-not-migrate-krbPrincipalKey.patch Type: text/x-patch Size: 1379 bytes Desc: not available URL: From davido at redhat.com Sun Dec 5 22:57:59 2010 From: davido at redhat.com (David O'Brien) Date: Mon, 06 Dec 2010 08:57:59 +1000 Subject: [Freeipa-devel] [PATCH] 619 more aci target docs In-Reply-To: <4CF7E4B2.7050109@redhat.com> References: <4CED6D5F.3050507@redhat.com> <4CF6ECD7.1080600@redhat.com> <4CF7C864.3050809@redhat.com> <4CF7E4B2.7050109@redhat.com> Message-ID: <4CFC18F7.4090009@redhat.com> Rob Crittenden wrote: > Rob Crittenden wrote: >> David O'Brien wrote: >>> Rob Crittenden wrote: >>>> I added some more documentation and examples to the aci plugin on >>>> targets. >>>> >>>> ticket 310 >>>> >>>> rob >>>> >>> NACK >>> >>> Running behind with reviews, sorry. Just a few minor fixes: >>> >>> s/targetted/targeted/ >>> s/"This is primarily meant to be able to allow users to add/remove >>> members of a specific group only."/"This is primarily designed to enable >>> users to add or remove members of a specific group." >>> >>> (I _think_ I understood that ok, and didn't change the meaning. Further, >>> if this target is only designed for this purpose, you don't need >>> "primarily". If it does something else, what is it?) >>> >>> I couldn't grok 100% the "subtree" target description. >>> >>> s/"... the ACI is allowed to do, they are one or more of:"/"... the ACI >>> is allowed to do, and are one or more of:" >>> >>> For consistency's sake, s/lets/allows/ etc. Also see below: >>> allows members of the "addusers" taskgroup >>> lets members of the editors... group? >>> lets members of the admin group >>> >>> You might need to review the examples a bit. >>> >>> cheers >> >> Updated patch. >> >> rob >> > > Ok, the right updated patch this time. > > rob I might be nit-picking now... This might be a function of how the underlying code works in combination with using US English, but why do we have both "zip code" and "postal code"? + Add an ACI that allows members of the admin group manage the street and zipcode of those in the editors group: + ipa aci-add --permissions=write --memberof=editors --group=admins --attrs=street,postalcode "admins edit address of editors" If "postalcode" is required in the ACI, and "Zip Code" is en-US, then that's fine. And, "...the admin group TO manage..." "admins edit THE address of editors" Like I said, this might be nit-picking for man pages, but what can I say? I'm a writer. ACK from me with those couple of updates. -- David O'Brien Red Hat Asia Pacific Pty Ltd +61 7 3514 8189 "He who asks is a fool for five minutes, but he who does not ask remains a fool forever." ~ Chinese proverb From jzeleny at redhat.com Mon Dec 6 08:35:03 2010 From: jzeleny at redhat.com (Jan =?iso-8859-15?q?Zelen=FD?=) Date: Mon, 6 Dec 2010 09:35:03 +0100 Subject: [Freeipa-devel] [PATCH] 627 drop accessTime from HBAC in framework In-Reply-To: <4CF93FCD.1000408@redhat.com> References: <4CF93FCD.1000408@redhat.com> Message-ID: <201012060935.03759.jzeleny@redhat.com> Rob Crittenden wrote: > Drop accessTime in the management framework. > > I've done it through comments as much as I could to make it easier to > revive it later. > > rob ACK -- Jan From jzeleny at redhat.com Mon Dec 6 08:56:56 2010 From: jzeleny at redhat.com (Jan =?iso-8859-15?q?Zelen=FD?=) Date: Mon, 6 Dec 2010 09:56:56 +0100 Subject: [Freeipa-devel] [PATCH] 629 optimize queries when searching for indirect members In-Reply-To: <4CF96EC6.8090901@redhat.com> References: <4CF96EC6.8090901@redhat.com> Message-ID: <201012060956.56053.jzeleny@redhat.com> Rob Crittenden wrote: > Ensure list of attrs to retrieve is unique, optimize getting indirect > members > > This fixes search where we were asking for the member attribute 10 or > more times. > > When retrieving indirect members make sure we always pass around the > size and time limits so we don't have to look it up with every call to > find_entries() > > I saw this while doing a group_find and watching the LDAP access log. > > ticket 557 > > rob ACK -- Thank you Jan Zeleny Red Hat Software Engineer Brno, Czech Republic From jzeleny at redhat.com Mon Dec 6 11:01:12 2010 From: jzeleny at redhat.com (Jan =?iso-8859-15?q?Zelen=FD?=) Date: Mon, 6 Dec 2010 12:01:12 +0100 Subject: [Freeipa-devel] [PATCH] 019 Do not migrate krbPrincipalKey In-Reply-To: <4CFB9E45.1090101@redhat.com> References: <4CFB9E45.1090101@redhat.com> Message-ID: <201012061201.12332.jzeleny@redhat.com> Jakub Hrozek wrote: > https://fedorahosted.org/freeipa/ticket/455 > > This patch depends on my patch 015 (in thread "Make the migration plugin > more configurable") ACK -- Thank you Jan Zeleny Red Hat Software Engineer Brno, Czech Republic From jzeleny at redhat.com Mon Dec 6 12:19:51 2010 From: jzeleny at redhat.com (Jan =?iso-8859-15?q?Zelen=FD?=) Date: Mon, 6 Dec 2010 13:19:51 +0100 Subject: [Freeipa-devel] [PATCH] Modified ipa help behavior In-Reply-To: <4CDB5CA0.9020906@redhat.com> References: <201011080926.12248.jzeleny@redhat.com> <201011081054.00482.jzeleny@redhat.com> <4CDB5CA0.9020906@redhat.com> Message-ID: <201012061319.51666.jzeleny@redhat.com> Rob Crittenden wrote: > Jan Zelen? wrote: > > Jan Zelen? wrote: > >> Now each plugin can define its topic as a 2-tuple, where the first > >> item is the name of topic it belongs to and the second item is > >> a description of such topic. Topic descriptions must be the same > >> for all modules belonging to the topic. > >> > >> By using this topics, it is possible to group plugins as we see fit. > >> When asking for help for a particular topic, help for all modules > >> in given topic is written. > >> > >> ipa help - show all topics (until now it showed all plugins) > >> ipa help - show details to given topic > >> > >> https://fedorahosted.org/freeipa/ticket/410 > > > > Sorry for the wrong sequence number, sending the correct one now. > > I think this is a good start but I find the output hard to read, both > with a single topic (like user) or multiple (like sudo). The dashed > lines and the extra spaces make my eyes cross a bit > > What I don't have is any good suggestion to change it up. I realize you > are jamming together discrete things that may or may not look nice > together. > > I suppose a few suggestions might be: > > - a SEEALSO-like where you print the topics at the bottom so it is > obvious that multiple things are jammed together > - A single dashed-line all the way across (more or less) with a single > space before and after might be a less jarring separator. IIRC we have > some output code that should handle screen sizes for you. > - I'm not sure if combining all the commands into a single list is the > right thing or not. It may not be necessary with the SEEALSO. > > So nack for now but this is headed in the right direction. > > rob After the last discussion at the meeting, I started to work on this again. The goal is to implement suggested idea with SEE ALSO topics. But there is one more issue to solve. It occurred to me that hbac topic would contain 3 subtopics: hbac, hbacsvc and hbacsvcgroup. Now the issue is when I type: ipa help hbac How should the program distinguish the topic hbac from the hbac subtopic? The simplest solution here is to rename the module, but that doesn't seem right to me. Other solution could be to rename the topic, but that would be against the basic reason why we should implement topic grouping. Any suggestions? Frankly, I'm wonder if the topic-based grouping is worth the effort, but I have an idea a little bit different from this approach. When typing ipa help hbac* user would receive a filtered list of topics, where only topics with module name starting with "hbac" would be. The result would look like this: ipa help hbac* Usage: ipa [global-options] COMMAND ... Help topics: hbac Host-based access control hbacsvc HBAC Services hbacsvcgroup HBAC Service Groups The only limitation of this concept is that topic groups wouldn't be "stable". For example the result of ipa help hbac would be different from ipa help hbacsvc. Also some incorrect grouping might occur (host and hostgroup at the moment). Before I start working on this, I'd like to know your opinions. Thanks Jan From dpal at redhat.com Mon Dec 6 14:45:55 2010 From: dpal at redhat.com (Dmitri Pal) Date: Mon, 06 Dec 2010 09:45:55 -0500 Subject: [Freeipa-devel] [PATCH] Modified ipa help behavior In-Reply-To: <201012061319.51666.jzeleny@redhat.com> References: <201011080926.12248.jzeleny@redhat.com> <201011081054.00482.jzeleny@redhat.com> <4CDB5CA0.9020906@redhat.com> <201012061319.51666.jzeleny@redhat.com> Message-ID: <4CFCF723.9000503@redhat.com> Jan Zelen? wrote: > Rob Crittenden wrote: > >> Jan Zelen? wrote: >> >>> Jan Zelen? wrote: >>> >>>> Now each plugin can define its topic as a 2-tuple, where the first >>>> item is the name of topic it belongs to and the second item is >>>> a description of such topic. Topic descriptions must be the same >>>> for all modules belonging to the topic. >>>> >>>> By using this topics, it is possible to group plugins as we see fit. >>>> When asking for help for a particular topic, help for all modules >>>> in given topic is written. >>>> >>>> ipa help - show all topics (until now it showed all plugins) >>>> ipa help - show details to given topic >>>> >>>> https://fedorahosted.org/freeipa/ticket/410 >>>> >>> Sorry for the wrong sequence number, sending the correct one now. >>> >> I think this is a good start but I find the output hard to read, both >> with a single topic (like user) or multiple (like sudo). The dashed >> lines and the extra spaces make my eyes cross a bit >> >> What I don't have is any good suggestion to change it up. I realize you >> are jamming together discrete things that may or may not look nice >> together. >> >> I suppose a few suggestions might be: >> >> - a SEEALSO-like where you print the topics at the bottom so it is >> obvious that multiple things are jammed together >> - A single dashed-line all the way across (more or less) with a single >> space before and after might be a less jarring separator. IIRC we have >> some output code that should handle screen sizes for you. >> - I'm not sure if combining all the commands into a single list is the >> right thing or not. It may not be necessary with the SEEALSO. >> >> So nack for now but this is headed in the right direction. >> >> rob >> > > After the last discussion at the meeting, I started to work on this again. The > goal is to implement suggested idea with SEE ALSO topics. But there is one > more issue to solve. It occurred to me that hbac topic would contain 3 > subtopics: hbac, hbacsvc and hbacsvcgroup. Now the issue is when I type: > > ipa help hbac > > How should the program distinguish the topic hbac from the hbac subtopic? The > simplest solution here is to rename the module, but that doesn't seem right to > me. Other solution could be to rename the topic, but that would be against the > basic reason why we should implement topic grouping. Any suggestions? > > Frankly, I'm wonder if the topic-based grouping is worth the effort, but I have > an idea a little bit different from this approach. When typing > > ipa help hbac* > > user would receive a filtered list of topics, where only topics with module > name starting with "hbac" would be. The result would look like this: > > ipa help hbac* > Usage: ipa [global-options] COMMAND ... > > Help topics: > hbac Host-based access control > hbacsvc HBAC Services > hbacsvcgroup HBAC Service Groups > > The only limitation of this concept is that topic groups wouldn't be "stable". > For example the result of ipa help hbac would be different from ipa help > hbacsvc. Also some incorrect grouping might occur (host and hostgroup at the > moment). Before I start working on this, I'd like to know your opinions. > > May be use hbac for the high level topic group and hbacrule for the hbac rule management? This way there is no name collision. I do not know how big of a change it is and how it would affect UI/CLI/man etc. At this point of the project we need to try to minimize changes. It will affect SUDO too... Other approach might be to allow subtopics as another parameter: Usage: ipa help topic subtopic ipa help hbac hbac May be for the purpose of help we can do: ipa help hbac Usage: ipa [global-options] COMMAND ... Help subtopics: rule Host-based access control rules service HBAC Services group HBAC Service Groups ipa help hbac rule ... ipa help hbac service ... ipa help hbac group ... Will that work? AFAIU this will not have any impact on the commands and would not require any changes to the UI/CLI other than to the help system itself. Thanks Dmitri > Thanks > Jan > > _______________________________________________ > Freeipa-devel mailing list > Freeipa-devel at redhat.com > https://www.redhat.com/mailman/listinfo/freeipa-devel > -- Thank you, Dmitri Pal Sr. Engineering Manager IPA project, Red Hat Inc. ------------------------------- Looking to carve out IT costs? www.redhat.com/carveoutcosts/ From jzeleny at redhat.com Mon Dec 6 15:27:19 2010 From: jzeleny at redhat.com (Jan =?iso-8859-1?q?Zelen=FD?=) Date: Mon, 6 Dec 2010 16:27:19 +0100 Subject: [Freeipa-devel] =?iso-8859-1?q?=5BPATCH=5D_0023_Compiles_plugin_a?= =?iso-8859-1?q?gainst_the_right_ldap=09libraries?= In-Reply-To: <20101204101457.09092b2e@willson.li.ssimo.org> References: <20101203182636.457682a2@willson.li.ssimo.org> <4CF98A70.50803@redhat.com> <20101204101457.09092b2e@willson.li.ssimo.org> Message-ID: <201012061627.19709.jzeleny@redhat.com> Simo Sorce wrote: > On Fri, 03 Dec 2010 17:25:20 -0700 > > Rich Megginson wrote: > > On 12/03/2010 04:26 PM, Simo Sorce wrote: > > > In Fedora 14, 389-ds started linking against openldap libraries > > > instead of the old mozldap libraries. > > > > > > This patch allows us to conditionally build plugins against > > > openldap as well. Failure to do so may cause symbol clashes when > > > the plugin is used by directory server because then we get 2 > > > different ldap libraries loaded at the same time. > > > > > > The spec file has already been changed to build plugins > > > --with-openldap by default. > > > > ack but only if the goal is to remove use of #define LDAP_DEPRECATED > > 1 - I can help with this > > The only reason I kept that is that we use ldap_explode_dn(), that > function is not itself deprecated (ie it is not under LDAP_DEPRECATED > ifdefs although a comment syas it is deprecated), but it returns char > **, and the only function that frees a char ** is ldap_free_value(). > This one is under LDAP_DEPRECATED and says you shoud use > ldap_free_value_len(), but that functions takes a struct berval as > argument. > > I think there are only 2 places/plugins where those deprecated > functions are used. So if you want to open a ticket to remove them feel > free, but I would do that as a separate patch. > The goal of this patch was to do as few modifications as possible to > the plugins themselves. I can confirm this patch solves some installation issues on F14, so if Rob agrees, I'd like to ack this. -- Jan From jzeleny at redhat.com Mon Dec 6 16:15:19 2010 From: jzeleny at redhat.com (Jan =?iso-8859-15?q?Zelen=FD?=) Date: Mon, 6 Dec 2010 17:15:19 +0100 Subject: [Freeipa-devel] [PATCH] Document that the default group has to exist In-Reply-To: <4CF94E0E.6080801@redhat.com> References: <201012030940.01945.jzeleny@redhat.com> <201012031100.26205.jzeleny@redhat.com> <4CF94E0E.6080801@redhat.com> Message-ID: <201012061715.19883.jzeleny@redhat.com> Rob Crittenden wrote: > Jan Zelen? wrote: > > Jan Zelen? wrote: > >> https://bugzilla.redhat.com/show_bug.cgi?id=654117#c4 > > > > Sending corrected patch. A little modification of the doc formulation and > > renaming the patch so it follows the guidelines. > > > > Jan > > Can't we do a group-show in the mod pre_callback to see if the group > exists? > > rob Here is the patch, thanks for that suggestion. Jan -------------- next part -------------- A non-text attachment was scrubbed... Name: jzeleny-freeipa-0012-Check-if-the-group-exists.patch Type: text/x-patch Size: 1198 bytes Desc: not available URL: From rcritten at redhat.com Mon Dec 6 16:22:38 2010 From: rcritten at redhat.com (Rob Crittenden) Date: Mon, 06 Dec 2010 11:22:38 -0500 Subject: [Freeipa-devel] [PATCH] 0023 Compiles plugin against the right ldap libraries In-Reply-To: <201012061627.19709.jzeleny@redhat.com> References: <20101203182636.457682a2@willson.li.ssimo.org> <4CF98A70.50803@redhat.com> <20101204101457.09092b2e@willson.li.ssimo.org> <201012061627.19709.jzeleny@redhat.com> Message-ID: <4CFD0DCE.80809@redhat.com> Jan Zelen? wrote: > Simo Sorce wrote: >> On Fri, 03 Dec 2010 17:25:20 -0700 >> >> Rich Megginson wrote: >>> On 12/03/2010 04:26 PM, Simo Sorce wrote: >>>> In Fedora 14, 389-ds started linking against openldap libraries >>>> instead of the old mozldap libraries. >>>> >>>> This patch allows us to conditionally build plugins against >>>> openldap as well. Failure to do so may cause symbol clashes when >>>> the plugin is used by directory server because then we get 2 >>>> different ldap libraries loaded at the same time. >>>> >>>> The spec file has already been changed to build plugins >>>> --with-openldap by default. >>> >>> ack but only if the goal is to remove use of #define LDAP_DEPRECATED >>> 1 - I can help with this >> >> The only reason I kept that is that we use ldap_explode_dn(), that >> function is not itself deprecated (ie it is not under LDAP_DEPRECATED >> ifdefs although a comment syas it is deprecated), but it returns char >> **, and the only function that frees a char ** is ldap_free_value(). >> This one is under LDAP_DEPRECATED and says you shoud use >> ldap_free_value_len(), but that functions takes a struct berval as >> argument. >> >> I think there are only 2 places/plugins where those deprecated >> functions are used. So if you want to open a ticket to remove them feel >> free, but I would do that as a separate patch. >> The goal of this patch was to do as few modifications as possible to >> the plugins themselves. > > I can confirm this patch solves some installation issues on F14, so if Rob > agrees, I'd like to ack this. Works for me too, ack. rob From rcritten at redhat.com Mon Dec 6 16:25:00 2010 From: rcritten at redhat.com (Rob Crittenden) Date: Mon, 06 Dec 2010 11:25:00 -0500 Subject: [Freeipa-devel] [PATCH] Document that the default group has to exist In-Reply-To: <201012031100.26205.jzeleny@redhat.com> References: <201012030940.01945.jzeleny@redhat.com> <201012031100.26205.jzeleny@redhat.com> Message-ID: <4CFD0E5C.9090109@redhat.com> Jan Zelen? wrote: > Jan Zelen? wrote: >> https://bugzilla.redhat.com/show_bug.cgi?id=654117#c4 > > Sending corrected patch. A little modification of the doc formulation and > renaming the patch so it follows the guidelines. > > Jan ack, pushed to master rob From rcritten at redhat.com Mon Dec 6 16:25:41 2010 From: rcritten at redhat.com (Rob Crittenden) Date: Mon, 06 Dec 2010 11:25:41 -0500 Subject: [Freeipa-devel] [PATCH] Document that the default group has to exist In-Reply-To: <201012061715.19883.jzeleny@redhat.com> References: <201012030940.01945.jzeleny@redhat.com> <201012031100.26205.jzeleny@redhat.com> <4CF94E0E.6080801@redhat.com> <201012061715.19883.jzeleny@redhat.com> Message-ID: <4CFD0E85.7060406@redhat.com> Jan Zelen? wrote: > Rob Crittenden wrote: >> Jan Zelen? wrote: >>> Jan Zelen? wrote: >>>> https://bugzilla.redhat.com/show_bug.cgi?id=654117#c4 >>> >>> Sending corrected patch. A little modification of the doc formulation and >>> renaming the patch so it follows the guidelines. >>> >>> Jan >> >> Can't we do a group-show in the mod pre_callback to see if the group >> exists? >> >> rob > > Here is the patch, thanks for that suggestion. > > Jan ack, pushed to master From rcritten at redhat.com Mon Dec 6 16:42:26 2010 From: rcritten at redhat.com (Rob Crittenden) Date: Mon, 06 Dec 2010 11:42:26 -0500 Subject: [Freeipa-devel] [PATCH] 627 drop accessTime from HBAC in framework In-Reply-To: <201012060935.03759.jzeleny@redhat.com> References: <4CF93FCD.1000408@redhat.com> <201012060935.03759.jzeleny@redhat.com> Message-ID: <4CFD1272.4020605@redhat.com> Jan Zelen? wrote: > Rob Crittenden wrote: >> Drop accessTime in the management framework. >> >> I've done it through comments as much as I could to make it easier to >> revive it later. >> >> rob > > ACK > > -- > Jan pushed to master From rcritten at redhat.com Mon Dec 6 16:43:36 2010 From: rcritten at redhat.com (Rob Crittenden) Date: Mon, 06 Dec 2010 11:43:36 -0500 Subject: [Freeipa-devel] [PATCH] 628 use KDC schema file In-Reply-To: <20101203222159.GB25845@redhat.com> References: <4CF9663A.9090609@redhat.com> <20101203222159.GB25845@redhat.com> Message-ID: <4CFD12B8.1050802@redhat.com> Nalin Dahyabhai wrote: > On Fri, Dec 03, 2010 at 04:50:50PM -0500, Rob Crittenden wrote: >> Rather than shipping and maintaining our own kerberos schema file >> use the one provided by MIT instead. > > nak: That file's generated from another LDIF file while building the > Fedora package, so it's not going to be there on other distributions. I > think we have to keep carrying it. > > Cheers, > > Nalin What if we do both? Use the one provided by the KDC if it exists otherwise fall back to our own? It might be handy to be able to detect features based on attribute availability. rob From rcritten at redhat.com Mon Dec 6 16:44:08 2010 From: rcritten at redhat.com (Rob Crittenden) Date: Mon, 06 Dec 2010 11:44:08 -0500 Subject: [Freeipa-devel] [PATCH] 629 optimize queries when searching for indirect members In-Reply-To: <201012060956.56053.jzeleny@redhat.com> References: <4CF96EC6.8090901@redhat.com> <201012060956.56053.jzeleny@redhat.com> Message-ID: <4CFD12D8.7030401@redhat.com> Jan Zelen? wrote: > Rob Crittenden wrote: >> Ensure list of attrs to retrieve is unique, optimize getting indirect >> members >> >> This fixes search where we were asking for the member attribute 10 or >> more times. >> >> When retrieving indirect members make sure we always pass around the >> size and time limits so we don't have to look it up with every call to >> find_entries() >> >> I saw this while doing a group_find and watching the LDAP access log. >> >> ticket 557 >> >> rob > > ACK > pushed to master From rcritten at redhat.com Mon Dec 6 16:46:48 2010 From: rcritten at redhat.com (Rob Crittenden) Date: Mon, 06 Dec 2010 11:46:48 -0500 Subject: [Freeipa-devel] [PATCH] 619 more aci target docs In-Reply-To: <4CFC18F7.4090009@redhat.com> References: <4CED6D5F.3050507@redhat.com> <4CF6ECD7.1080600@redhat.com> <4CF7C864.3050809@redhat.com> <4CF7E4B2.7050109@redhat.com> <4CFC18F7.4090009@redhat.com> Message-ID: <4CFD1378.4070701@redhat.com> David O'Brien wrote: > Rob Crittenden wrote: >> Rob Crittenden wrote: >>> David O'Brien wrote: >>>> Rob Crittenden wrote: >>>>> I added some more documentation and examples to the aci plugin on >>>>> targets. >>>>> >>>>> ticket 310 >>>>> >>>>> rob >>>>> >>>> NACK >>>> >>>> Running behind with reviews, sorry. Just a few minor fixes: >>>> >>>> s/targetted/targeted/ >>>> s/"This is primarily meant to be able to allow users to add/remove >>>> members of a specific group only."/"This is primarily designed to >>>> enable >>>> users to add or remove members of a specific group." >>>> >>>> (I _think_ I understood that ok, and didn't change the meaning. >>>> Further, >>>> if this target is only designed for this purpose, you don't need >>>> "primarily". If it does something else, what is it?) >>>> >>>> I couldn't grok 100% the "subtree" target description. >>>> >>>> s/"... the ACI is allowed to do, they are one or more of:"/"... the ACI >>>> is allowed to do, and are one or more of:" >>>> >>>> For consistency's sake, s/lets/allows/ etc. Also see below: >>>> allows members of the "addusers" taskgroup >>>> lets members of the editors... group? >>>> lets members of the admin group >>>> >>>> You might need to review the examples a bit. >>>> >>>> cheers >>> >>> Updated patch. >>> >>> rob >>> >> >> Ok, the right updated patch this time. >> >> rob > I might be nit-picking now... > > This might be a function of how the underlying code works in combination > with using US English, but why do we have both "zip code" and "postal > code"? > > + Add an ACI that allows members of the admin group manage the street > and zipcode of those in the editors group: > + ipa aci-add --permissions=write --memberof=editors --group=admins > --attrs=street,postalcode "admins edit address of editors" > > If "postalcode" is required in the ACI, and "Zip Code" is en-US, then > that's fine. > > And, > "...the admin group TO manage..." > "admins edit THE address of editors" > > Like I said, this might be nit-picking for man pages, but what can I > say? I'm a writer. > > ACK from me with those couple of updates. Yeah, the LDAP attribute is postalCode. Updates applied, pushed to master. thanks rob From ayoung at redhat.com Mon Dec 6 17:06:53 2010 From: ayoung at redhat.com (Adam Young) Date: Mon, 06 Dec 2010 12:06:53 -0500 Subject: [Freeipa-devel] [PATCH] Modified ipa help behavior In-Reply-To: <201012061319.51666.jzeleny@redhat.com> References: <201011080926.12248.jzeleny@redhat.com> <201011081054.00482.jzeleny@redhat.com> <4CDB5CA0.9020906@redhat.com> <201012061319.51666.jzeleny@redhat.com> Message-ID: <4CFD182D.3040605@redhat.com> On 12/06/2010 07:19 AM, Jan Zelen? wrote: > Rob Crittenden wrote: > >> Jan Zelen? wrote: >> >>> Jan Zelen? wrote: >>> >>>> Now each plugin can define its topic as a 2-tuple, where the first >>>> item is the name of topic it belongs to and the second item is >>>> a description of such topic. Topic descriptions must be the same >>>> for all modules belonging to the topic. >>>> >>>> By using this topics, it is possible to group plugins as we see fit. >>>> When asking for help for a particular topic, help for all modules >>>> in given topic is written. >>>> >>>> ipa help - show all topics (until now it showed all plugins) >>>> ipa help - show details to given topic >>>> >>>> https://fedorahosted.org/freeipa/ticket/410 >>>> >>> Sorry for the wrong sequence number, sending the correct one now. >>> >> I think this is a good start but I find the output hard to read, both >> with a single topic (like user) or multiple (like sudo). The dashed >> lines and the extra spaces make my eyes cross a bit >> >> What I don't have is any good suggestion to change it up. I realize you >> are jamming together discrete things that may or may not look nice >> together. >> >> I suppose a few suggestions might be: >> >> - a SEEALSO-like where you print the topics at the bottom so it is >> obvious that multiple things are jammed together >> - A single dashed-line all the way across (more or less) with a single >> space before and after might be a less jarring separator. IIRC we have >> some output code that should handle screen sizes for you. >> - I'm not sure if combining all the commands into a single list is the >> right thing or not. It may not be necessary with the SEEALSO. >> >> So nack for now but this is headed in the right direction. >> >> rob >> > After the last discussion at the meeting, I started to work on this again. The > goal is to implement suggested idea with SEE ALSO topics. But there is one > more issue to solve. It occurred to me that hbac topic would contain 3 > subtopics: hbac, hbacsvc and hbacsvcgroup. Now the issue is when I type: > > ipa help hbac > > How should the program distinguish the topic hbac from the hbac subtopic? The > simplest solution here is to rename the module, but that doesn't seem right to > me. Other solution could be to rename the topic, but that would be against the > basic reason why we should implement topic grouping. Any suggestions? > > Frankly, I'm wonder if the topic-based grouping is worth the effort, but I have > an idea a little bit different from this approach. When typing > > ipa help hbac* > > user would receive a filtered list of topics, where only topics with module > name starting with "hbac" would be. The result would look like this: > > ipa help hbac* > That syntax would break in a bASH. It would try to match files in the PWD that start with habc, and report an error if there were none. > Usage: ipa [global-options] COMMAND ... > > Help topics: > hbac Host-based access control > hbacsvc HBAC Services > hbacsvcgroup HBAC Service Groups > > The only limitation of this concept is that topic groups wouldn't be "stable". > For example the result of ipa help hbac would be different from ipa help > hbacsvc. Also some incorrect grouping might occur (host and hostgroup at the > moment). Before I start working on this, I'd like to know your opinions. > > Thanks > Jan > > _______________________________________________ > Freeipa-devel mailing list > Freeipa-devel at redhat.com > https://www.redhat.com/mailman/listinfo/freeipa-devel > From ayoung at redhat.com Mon Dec 6 17:07:55 2010 From: ayoung at redhat.com (Adam Young) Date: Mon, 06 Dec 2010 12:07:55 -0500 Subject: [Freeipa-devel] [PATCH] Modified ipa help behavior In-Reply-To: <4CFCF723.9000503@redhat.com> References: <201011080926.12248.jzeleny@redhat.com> <201011081054.00482.jzeleny@redhat.com> <4CDB5CA0.9020906@redhat.com> <201012061319.51666.jzeleny@redhat.com> <4CFCF723.9000503@redhat.com> Message-ID: <4CFD186B.6050208@redhat.com> On 12/06/2010 09:45 AM, Dmitri Pal wrote: > Jan Zelen? wrote: > >> Rob Crittenden wrote: >> >> >>> Jan Zelen? wrote: >>> >>> >>>> Jan Zelen? wrote: >>>> >>>> >>>>> Now each plugin can define its topic as a 2-tuple, where the first >>>>> item is the name of topic it belongs to and the second item is >>>>> a description of such topic. Topic descriptions must be the same >>>>> for all modules belonging to the topic. >>>>> >>>>> By using this topics, it is possible to group plugins as we see fit. >>>>> When asking for help for a particular topic, help for all modules >>>>> in given topic is written. >>>>> >>>>> ipa help - show all topics (until now it showed all plugins) >>>>> ipa help - show details to given topic >>>>> >>>>> https://fedorahosted.org/freeipa/ticket/410 >>>>> >>>>> >>>> Sorry for the wrong sequence number, sending the correct one now. >>>> >>>> >>> I think this is a good start but I find the output hard to read, both >>> with a single topic (like user) or multiple (like sudo). The dashed >>> lines and the extra spaces make my eyes cross a bit >>> >>> What I don't have is any good suggestion to change it up. I realize you >>> are jamming together discrete things that may or may not look nice >>> together. >>> >>> I suppose a few suggestions might be: >>> >>> - a SEEALSO-like where you print the topics at the bottom so it is >>> obvious that multiple things are jammed together >>> - A single dashed-line all the way across (more or less) with a single >>> space before and after might be a less jarring separator. IIRC we have >>> some output code that should handle screen sizes for you. >>> - I'm not sure if combining all the commands into a single list is the >>> right thing or not. It may not be necessary with the SEEALSO. >>> >>> So nack for now but this is headed in the right direction. >>> >>> rob >>> >>> >> After the last discussion at the meeting, I started to work on this again. The >> goal is to implement suggested idea with SEE ALSO topics. But there is one >> more issue to solve. It occurred to me that hbac topic would contain 3 >> subtopics: hbac, hbacsvc and hbacsvcgroup. Now the issue is when I type: >> >> ipa help hbac >> >> How should the program distinguish the topic hbac from the hbac subtopic? The >> simplest solution here is to rename the module, but that doesn't seem right to >> me. Other solution could be to rename the topic, but that would be against the >> basic reason why we should implement topic grouping. Any suggestions? >> >> Frankly, I'm wonder if the topic-based grouping is worth the effort, but I have >> an idea a little bit different from this approach. When typing >> >> ipa help hbac* >> >> user would receive a filtered list of topics, where only topics with module >> name starting with "hbac" would be. The result would look like this: >> >> ipa help hbac* >> Usage: ipa [global-options] COMMAND ... >> >> Help topics: >> hbac Host-based access control >> hbacsvc HBAC Services >> hbacsvcgroup HBAC Service Groups >> >> The only limitation of this concept is that topic groups wouldn't be "stable". >> For example the result of ipa help hbac would be different from ipa help >> hbacsvc. Also some incorrect grouping might occur (host and hostgroup at the >> moment). Before I start working on this, I'd like to know your opinions. >> >> >> > May be use hbac for the high level topic group and hbacrule for the hbac > rule management? > +1. I was going to sugget that myself. We should rename the HBAC entity to HBAC Rule, and that makes Sudo and HBAC consistant. Note that DNS2 does this, with the top level entity being the dnszone. > This way there is no name collision. I do not know how big of a change > it is and how it would affect UI/CLI/man etc. > At this point of the project we need to try to minimize changes. It will > affect SUDO too... > > Other approach might be to allow subtopics as another parameter: > > Usage: ipa help topic subtopic > > ipa help hbac hbac > > May be for the purpose of help we can do: > > ipa help hbac > Usage: ipa [global-options] COMMAND ... > > Help subtopics: > rule Host-based access control rules > service HBAC Services > group HBAC Service Groups > > > ipa help hbac rule > > ... > > ipa help hbac service > > ... > > ipa help hbac group > > ... > > Will that work? AFAIU this will not have any impact on the commands and > would not require any changes to the UI/CLI other than to the help > system itself. > > Thanks > Dmitri > > >> Thanks >> Jan >> >> _______________________________________________ >> Freeipa-devel mailing list >> Freeipa-devel at redhat.com >> https://www.redhat.com/mailman/listinfo/freeipa-devel >> >> > > From edewata at redhat.com Mon Dec 6 17:12:21 2010 From: edewata at redhat.com (Endi Sukma Dewata) Date: Mon, 06 Dec 2010 11:12:21 -0600 Subject: [Freeipa-devel] [PATCH] HBAC Service Groups adjustments Message-ID: <4CFD1975.7070809@redhat.com> Hi, Please review the attached patch. Thanks! The association facet for HBAC Service Groups has been removed and replaced with an association table in the details page. The ipa_association_table_widget has been modified to support multiple columns in the table itself and in the adder dialog. The ipa_association_adder_dialog and ipa_association_facet have been refactored. The ipa_sudorule_association_widget and ipa_rule_association_widget has been removed because their functionalities have been merged into ipa_association_table_widget. -- Endi S. Dewata -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-edewata-0048-HBAC-Service-Groups-adjustments.patch Type: text/x-patch Size: 44822 bytes Desc: not available URL: From ayoung at redhat.com Mon Dec 6 17:16:06 2010 From: ayoung at redhat.com (Adam Young) Date: Mon, 06 Dec 2010 12:16:06 -0500 Subject: [Freeipa-devel] [PATCH] admiyo-0112-entity-i18n Message-ID: <4CFD1A56.3070804@redhat.com> Note that this does not cover HBAC or SUDO, as Edewate is currently working on those. -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-admiyo-0112-entity-i18n.patch Type: text/x-patch Size: 30433 bytes Desc: not available URL: From ssorce at redhat.com Mon Dec 6 17:28:29 2010 From: ssorce at redhat.com (Simo Sorce) Date: Mon, 6 Dec 2010 12:28:29 -0500 Subject: [Freeipa-devel] [PATCH] 0023 Compiles plugin against the right ldap libraries In-Reply-To: <4CFD0DCE.80809@redhat.com> References: <20101203182636.457682a2@willson.li.ssimo.org> <4CF98A70.50803@redhat.com> <20101204101457.09092b2e@willson.li.ssimo.org> <201012061627.19709.jzeleny@redhat.com> <4CFD0DCE.80809@redhat.com> Message-ID: <20101206122829.55b986b4@willson.li.ssimo.org> On Mon, 06 Dec 2010 11:22:38 -0500 Rob Crittenden wrote: > Jan Zelen? wrote: > > Simo Sorce wrote: > >> On Fri, 03 Dec 2010 17:25:20 -0700 > >> > >> Rich Megginson wrote: > >>> On 12/03/2010 04:26 PM, Simo Sorce wrote: > >>>> In Fedora 14, 389-ds started linking against openldap libraries > >>>> instead of the old mozldap libraries. > >>>> > >>>> This patch allows us to conditionally build plugins against > >>>> openldap as well. Failure to do so may cause symbol clashes when > >>>> the plugin is used by directory server because then we get 2 > >>>> different ldap libraries loaded at the same time. > >>>> > >>>> The spec file has already been changed to build plugins > >>>> --with-openldap by default. > >>> > >>> ack but only if the goal is to remove use of #define > >>> LDAP_DEPRECATED 1 - I can help with this > >> > >> The only reason I kept that is that we use ldap_explode_dn(), that > >> function is not itself deprecated (ie it is not under > >> LDAP_DEPRECATED ifdefs although a comment syas it is deprecated), > >> but it returns char **, and the only function that frees a char ** > >> is ldap_free_value(). This one is under LDAP_DEPRECATED and says > >> you shoud use ldap_free_value_len(), but that functions takes a > >> struct berval as argument. > >> > >> I think there are only 2 places/plugins where those deprecated > >> functions are used. So if you want to open a ticket to remove them > >> feel free, but I would do that as a separate patch. > >> The goal of this patch was to do as few modifications as possible > >> to the plugins themselves. > > > > I can confirm this patch solves some installation issues on F14, so > > if Rob agrees, I'd like to ack this. > > Works for me too, ack. Pushed to master Simo. -- Simo Sorce * Red Hat, Inc * New York From JR.Aquino at citrix.com Mon Dec 6 17:35:42 2010 From: JR.Aquino at citrix.com (JR Aquino) Date: Mon, 6 Dec 2010 17:35:42 +0000 Subject: [Freeipa-devel] [PATCH] Hostgroups - Netgroups Managed Entries Message-ID: Hello, Please review the attached patch. It is meant to address: https://fedorahosted.org/freeipa/ticket/543 This patch adds support for the default behavior of adding/deleting/modifing an ipaNetgroup anytime an ipaHostgroup is added/deleted/modified. As requested by the ticket, the cli does not display these managed entries when performing: ipa netgroup-find From edewata at redhat.com Mon Dec 6 17:56:43 2010 From: edewata at redhat.com (Endi Sukma Dewata) Date: Mon, 06 Dec 2010 11:56:43 -0600 Subject: [Freeipa-devel] [PATCH] admiyo-0112-entity-i18n In-Reply-To: <4CFD1A56.3070804@redhat.com> References: <4CFD1A56.3070804@redhat.com> Message-ID: <4CFD23DB.5040907@redhat.com> On 12/6/2010 11:16 AM, Adam Young wrote: > Note that this does not cover HBAC or SUDO, as Edewate is currently > working on those. ACK and pushed to master. -- Endi S. Dewata From rcritten at redhat.com Mon Dec 6 20:12:00 2010 From: rcritten at redhat.com (Rob Crittenden) Date: Mon, 06 Dec 2010 15:12:00 -0500 Subject: [Freeipa-devel] [PATCH] 631 Add IA5String type Message-ID: <4CFD4390.2070603@redhat.com> Some attributes we use are IA5Strings which have a very limited character set. Add a parameter type for that so we can catch the bad type up front and give a more reasonable error message than "syntax error". ticket 496 rob -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-rcrit-631-ia5str.patch Type: text/x-patch Size: 9345 bytes Desc: not available URL: From JR.Aquino at citrix.com Mon Dec 6 20:26:35 2010 From: JR.Aquino at citrix.com (JR Aquino) Date: Mon, 6 Dec 2010 20:26:35 +0000 Subject: [Freeipa-devel] [PATCH] Hostgroups - Netgroups Managed Entries In-Reply-To: Message-ID: I'm sure it helps to actually attach the patch file... On 12/6/10 9:35 AM, "JR Aquino" wrote: >Hello, > >Please review the attached patch. > >It is meant to address: >https://fedorahosted.org/freeipa/ticket/543 > >This patch adds support for the default behavior of >adding/deleting/modifing an ipaNetgroup anytime an ipaHostgroup is >added/deleted/modified. > >As requested by the ticket, the cli does not display these managed entries >when performing: ipa netgroup-find > > > >_______________________________________________ >Freeipa-devel mailing list >Freeipa-devel at redhat.com >https://www.redhat.com/mailman/listinfo/freeipa-devel -------------- next part -------------- A non-text attachment was scrubbed... Name: 0001-Hostgroup-and-Netgroup-Managed-Entry.patch Type: application/octet-stream Size: 2614 bytes Desc: 0001-Hostgroup-and-Netgroup-Managed-Entry.patch URL: From ayoung at redhat.com Mon Dec 6 20:29:16 2010 From: ayoung at redhat.com (Adam Young) Date: Mon, 06 Dec 2010 15:29:16 -0500 Subject: [Freeipa-devel] [PATCH] HBAC Service Groups adjustments In-Reply-To: <4CFD1975.7070809@redhat.com> References: <4CFD1975.7070809@redhat.com> Message-ID: <4CFD479C.7080001@redhat.com> On 12/06/2010 12:12 PM, Endi Sukma Dewata wrote: > Hi, > > Please review the attached patch. Thanks! > > The association facet for HBAC Service Groups has been removed > and replaced with an association table in the details page. > > The ipa_association_table_widget has been modified to support > multiple columns in the table itself and in the adder dialog. > The ipa_association_adder_dialog and ipa_association_facet have > been refactored. > > The ipa_sudorule_association_widget and ipa_rule_association_widget > has been removed because their functionalities have been merged into > ipa_association_table_widget. > > > _______________________________________________ > Freeipa-devel mailing list > Freeipa-devel at redhat.com > https://www.redhat.com/mailman/listinfo/freeipa-devel ACK. Pushed to master -------------- next part -------------- An HTML attachment was scrubbed... URL: From edewata at redhat.com Mon Dec 6 21:17:54 2010 From: edewata at redhat.com (Endi Sukma Dewata) Date: Mon, 06 Dec 2010 15:17:54 -0600 Subject: [Freeipa-devel] [PATCH] Column i18n Message-ID: <4CFD5302.4060000@redhat.com> Hi, Please review the attached patch. Thanks! The ipa_column has been modified to get the label from metadata during initialization. The ipa_table_widget has been modified to initialize the columns. Hard-coded labels have been removed from column declarations. The ipa_adder_dialog has been modified to execute a search at the end of setup. -- Endi S. Dewata -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-edewata-0049-Column-i18n.patch Type: text/x-patch Size: 21446 bytes Desc: not available URL: From edewata at redhat.com Mon Dec 6 21:33:19 2010 From: edewata at redhat.com (Endi Sukma Dewata) Date: Mon, 06 Dec 2010 15:33:19 -0600 Subject: [Freeipa-devel] [PATCH] SUDO Command Groups adjustments Message-ID: <4CFD569F.8070902@redhat.com> Hi, Please review the attached patch. Thanks! The association facet for SUDO Command Groups has been removed and replaced with an association table in the details page. -- Endi S. Dewata -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-edewata-0050-SUDO-Command-Groups-adjustments.patch Type: text/x-patch Size: 2990 bytes Desc: not available URL: From edewata at redhat.com Mon Dec 6 23:23:26 2010 From: edewata at redhat.com (Endi Sukma Dewata) Date: Mon, 06 Dec 2010 17:23:26 -0600 Subject: [Freeipa-devel] [PATCH] Dialog i18n Message-ID: <4CFD706E.1070002@redhat.com> Hi, Please review the attached patch. Thanks! The ipa_add_dialog has been fixed to initialize the fields which will get the labels from metadata. Hard-coded labels have been removed from field declarations. The superior() method has been removed because it doesn't work with multi-level inheritance. Superclass method for now is called using _ (e.g. widget_init). -- Endi S. Dewata -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-edewata-0051-Dialog-i18n.patch Type: text/x-patch Size: 20621 bytes Desc: not available URL: From ssorce at redhat.com Mon Dec 6 23:51:54 2010 From: ssorce at redhat.com (Simo Sorce) Date: Mon, 6 Dec 2010 18:51:54 -0500 Subject: [Freeipa-devel] [PATCH] 0024 - Better random ranges Message-ID: <20101206185154.0f7d2614@willson.li.ssimo.org> This patch reduced the size of the default range (from 1 million to 200.000) and also changes the way the range is selected. Instead of starting at a completely random number, it selects 1 out of 10000 random 200k ranges so that the range starts at multiples of 200k. This makes it so that 2 different installs either do not overlap at all or overlap completely (once in 10k times) instead of potentially partially overlapping. Simo. -- Simo Sorce * Red Hat, Inc * New York -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-simo-0024-Give-back-smaller-and-more-readable-ranges-by-defaul.patch Type: text/x-patch Size: 2169 bytes Desc: not available URL: From ayoung at redhat.com Tue Dec 7 01:11:08 2010 From: ayoung at redhat.com (Adam Young) Date: Mon, 06 Dec 2010 20:11:08 -0500 Subject: [Freeipa-devel] [PATCH] Column i18n In-Reply-To: <4CFD5302.4060000@redhat.com> References: <4CFD5302.4060000@redhat.com> Message-ID: <4CFD89AC.6090704@redhat.com> On 12/06/2010 04:17 PM, Endi Sukma Dewata wrote: > Hi, > > Please review the attached patch. Thanks! > > The ipa_column has been modified to get the label from metadata > during initialization. The ipa_table_widget has been modified to > initialize the columns. Hard-coded labels have been removed from > column declarations. > > The ipa_adder_dialog has been modified to execute a search at the > end of setup. > > > _______________________________________________ > Freeipa-devel mailing list > Freeipa-devel at redhat.com > https://www.redhat.com/mailman/listinfo/freeipa-devel ACK and pushed to master. I appended the ipa_init.json metadate update. -------------- next part -------------- An HTML attachment was scrubbed... URL: From ayoung at redhat.com Tue Dec 7 01:14:29 2010 From: ayoung at redhat.com (Adam Young) Date: Mon, 06 Dec 2010 20:14:29 -0500 Subject: [Freeipa-devel] [PATCH] SUDO Command Groups adjustments In-Reply-To: <4CFD569F.8070902@redhat.com> References: <4CFD569F.8070902@redhat.com> Message-ID: <4CFD8A75.7050806@redhat.com> On 12/06/2010 04:33 PM, Endi Sukma Dewata wrote: > Hi, > > Please review the attached patch. Thanks! > > The association facet for SUDO Command Groups has been removed and > replaced with an association table in the details page. > > > _______________________________________________ > Freeipa-devel mailing list > Freeipa-devel at redhat.com > https://www.redhat.com/mailman/listinfo/freeipa-devel ACK and pushed to master. Note that the buttons on my machine are superimposed over the Description column. We'll need to adjust that, along with the rest of the buttons cleanup. -------------- next part -------------- An HTML attachment was scrubbed... URL: From ayoung at redhat.com Tue Dec 7 01:16:54 2010 From: ayoung at redhat.com (Adam Young) Date: Mon, 06 Dec 2010 20:16:54 -0500 Subject: [Freeipa-devel] [PATCH] Dialog i18n In-Reply-To: <4CFD706E.1070002@redhat.com> References: <4CFD706E.1070002@redhat.com> Message-ID: <4CFD8B06.9000805@redhat.com> On 12/06/2010 06:23 PM, Endi Sukma Dewata wrote: > Hi, > > Please review the attached patch. Thanks! > > The ipa_add_dialog has been fixed to initialize the fields which > will get the labels from metadata. Hard-coded labels have been > removed from field declarations. > > The superior() method has been removed because it doesn't work with > multi-level inheritance. Superclass method for now is called using > _ (e.g. widget_init). > > > _______________________________________________ > Freeipa-devel mailing list > Freeipa-devel at redhat.com > https://www.redhat.com/mailman/listinfo/freeipa-devel ACK. Pushed to master -------------- next part -------------- An HTML attachment was scrubbed... URL: From jzeleny at redhat.com Tue Dec 7 10:58:58 2010 From: jzeleny at redhat.com (Jan =?iso-8859-15?q?Zelen=FD?=) Date: Tue, 7 Dec 2010 11:58:58 +0100 Subject: [Freeipa-devel] [PATCH] Modified ipa help behavior In-Reply-To: <4CFD182D.3040605@redhat.com> References: <201011080926.12248.jzeleny@redhat.com> <201012061319.51666.jzeleny@redhat.com> <4CFD182D.3040605@redhat.com> Message-ID: <201012071158.58586.jzeleny@redhat.com> Adam Young wrote: > > After the last discussion at the meeting, I started to work on this > > again. The goal is to implement suggested idea with SEE ALSO topics. But > > there is one more issue to solve. It occurred to me that hbac topic > > would contain 3 subtopics: hbac, hbacsvc and hbacsvcgroup. Now the issue > > is when I type: > > > > ipa help hbac > > > > How should the program distinguish the topic hbac from the hbac subtopic? > > The simplest solution here is to rename the module, but that doesn't > > seem right to me. Other solution could be to rename the topic, but that > > would be against the basic reason why we should implement topic > > grouping. Any suggestions? > > > > Frankly, I'm wonder if the topic-based grouping is worth the effort, but > > I have an idea a little bit different from this approach. When typing > > > > ipa help hbac* > > > > user would receive a filtered list of topics, where only topics with > > module name starting with "hbac" would be. The result would look like > > this: > > > > ipa help hbac* > > That syntax would break in a bASH. It would try to match files in the > PWD that start with habc, and report an error if there were none. I am aware of that, but it is the same for yum, rpm, ..., you name it. In such cases you either need to use a backslash or quotes. It was just a suggestion anyway. I think we already resolved the underline issue by deciding to rename the hbac module, so there is no need to discuss this option any more. > > Usage: ipa [global-options] COMMAND ... > > > > Help topics: > > hbac Host-based access control > > hbacsvc HBAC Services > > hbacsvcgroup HBAC Service Groups > > > > The only limitation of this concept is that topic groups wouldn't be > > "stable". For example the result of ipa help hbac would be different > > from ipa help hbacsvc. Also some incorrect grouping might occur (host > > and hostgroup at the moment). Before I start working on this, I'd like > > to know your opinions. > > > > Thanks > > Jan -- Thank you Jan Zeleny Red Hat Software Engineer Brno, Czech Republic From jzeleny at redhat.com Tue Dec 7 12:39:53 2010 From: jzeleny at redhat.com (Jan =?iso-8859-15?q?Zelen=FD?=) Date: Tue, 7 Dec 2010 13:39:53 +0100 Subject: [Freeipa-devel] [PATCH] 631 Add IA5String type In-Reply-To: <4CFD4390.2070603@redhat.com> References: <4CFD4390.2070603@redhat.com> Message-ID: <201012071339.53533.jzeleny@redhat.com> Rob Crittenden wrote: > Some attributes we use are IA5Strings which have a very limited > character set. Add a parameter type for that so we can catch the bad > type up front and give a more reasonable error message than "syntax error". > > ticket 496 > > rob I noticed that you only switched ipaHomesRootDir attribute to IA5String type. Are there no other candidates for this? Other thing which I don't fully understand is changing ipausersearchfields, ipagroupsearchfields, automountinformation and automountkey to IA5String. Other than that the patch is ok. Jan From sgallagh at redhat.com Tue Dec 7 12:40:36 2010 From: sgallagh at redhat.com (Stephen Gallagher) Date: Tue, 07 Dec 2010 07:40:36 -0500 Subject: [Freeipa-devel] [PATCH] 0024 - Better random ranges In-Reply-To: <20101206185154.0f7d2614@willson.li.ssimo.org> References: <20101206185154.0f7d2614@willson.li.ssimo.org> Message-ID: <4CFE2B44.9090001@redhat.com> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 On 12/06/2010 06:51 PM, Simo Sorce wrote: > > This patch reduced the size of the default range (from 1 million to > 200.000) and also changes the way the range is selected. > Instead of starting at a completely random number, it selects 1 out of > 10000 random 200k ranges so that the range starts at multiples of 200k. > > This makes it so that 2 different installs either do not overlap at all > or overlap completely (once in 10k times) instead of potentially > partially overlapping. > Instead of using a random number here, why don't we do something more predictable (so installing FreeIPA on the same machine will hit the same range). Something we used to do at my old job was base it on the IPv4 address of the primary network adapter in the machine. Basically, we could take the integer representation of the IP address, take the modulus 10000 of it, and choose the range from that. This would also provide a guarantee that replicas on the same network would get unique ranges (instead of a 1 in 10,000 chance of doubling up). These are just suggestions. The patch as it exists right now looks fine to me (though I haven't tested it). - -- Stephen Gallagher RHCE 804006346421761 Delivering value year after year. Red Hat ranks #1 in value among software vendors. http://www.redhat.com/promo/vendor/ -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.11 (GNU/Linux) Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org/ iEYEARECAAYFAkz+Kz8ACgkQeiVVYja6o6PqdQCePglfhYZRDYJXhOuawrCuarCt SOwAn3g/kl7zvWWRRC7QegTWdb5Asjsm =eT2Z -----END PGP SIGNATURE----- From jzeleny at redhat.com Tue Dec 7 12:53:53 2010 From: jzeleny at redhat.com (Jan =?iso-8859-15?q?Zelen=FD?=) Date: Tue, 7 Dec 2010 13:53:53 +0100 Subject: [Freeipa-devel] [PATCH] 0024 - Better random ranges In-Reply-To: <20101206185154.0f7d2614@willson.li.ssimo.org> References: <20101206185154.0f7d2614@willson.li.ssimo.org> Message-ID: <201012071353.53741.jzeleny@redhat.com> Simo Sorce wrote: > This patch reduced the size of the default range (from 1 million to > 200.000) and also changes the way the range is selected. > Instead of starting at a completely random number, it selects 1 out of > 10000 random 200k ranges so that the range starts at multiples of 200k. > > This makes it so that 2 different installs either do not overlap at all > or overlap completely (once in 10k times) instead of potentially > partially overlapping. > > Simo. Do I understand correctly that this change is just to make IDs more readable? I don't get why two installs need to have either complete overlapping or no overlapping at all. Also, you have a typo in Rob's name ;-) Thanks Jan From jhrozek at redhat.com Tue Dec 7 13:08:28 2010 From: jhrozek at redhat.com (Jakub Hrozek) Date: Tue, 07 Dec 2010 14:08:28 +0100 Subject: [Freeipa-devel] [PATCH] 020 Fix kwargs usage in automount plugin Message-ID: <4CFE31CC.4040705@redhat.com> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 https://fedorahosted.org/freeipa/ticket/580 To test, simply run: ipa automountlocation-add baltimore ipa automountmap-add baltimore auto.share ipa automountkey-add baltimore auto.master /share --info=auto.share ipa automountkey-add baltimore auto.share man - --info="-ro,soft,rsize=8192,wsize=8192 ipa.example.com:/shared/man" ipa automountlocation-tofiles baltimore Also the -import command was fixed: ipa automountlocation-add testimport ipa automountlocation-import testimport /etc/auto.master Without this patch, the -tofiles or -import calls would blow up with something like "ipa: ERROR: 'automountlocation' is required" -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.11 (GNU/Linux) Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org/ iEYEARECAAYFAkz+McwACgkQHsardTLnvCWD7gCfd9Xlplv52VTqr2qaO0YM3CPb Ov8An2OdWukIunZh3nK1jmOE4irXvq9o =hO0Y -----END PGP SIGNATURE----- -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-jhrozek-020-Fix-kwargs-usage-in-automount-plugin.patch Type: text/x-patch Size: 3902 bytes Desc: not available URL: -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-jhrozek-020-Fix-kwargs-usage-in-automount-plugin.patch.sig Type: application/pgp-signature Size: 72 bytes Desc: not available URL: From pzuna at redhat.com Tue Dec 7 13:08:15 2010 From: pzuna at redhat.com (Pavel Zuna) Date: Tue, 07 Dec 2010 14:08:15 +0100 Subject: [Freeipa-devel] [PATCH] Fix default attributes in config plugin (ipadefaultemaildomain). Message-ID: <4CFE31BF.4070407@redhat.com> Fixes an attribute name mismatch in the config plugin. Ticket #573 Pavel -------------- next part -------------- A non-text attachment was scrubbed... Name: pzuna-freeipa-0044-configattr.patch Type: text/x-patch Size: 1000 bytes Desc: not available URL: From ssorce at redhat.com Tue Dec 7 13:13:15 2010 From: ssorce at redhat.com (Simo Sorce) Date: Tue, 7 Dec 2010 08:13:15 -0500 Subject: [Freeipa-devel] [PATCH] 0024 - Better random ranges In-Reply-To: <4CFE2B44.9090001@redhat.com> References: <20101206185154.0f7d2614@willson.li.ssimo.org> <4CFE2B44.9090001@redhat.com> Message-ID: <20101207081315.0774d0b4@willson.li.ssimo.org> On Tue, 07 Dec 2010 07:40:36 -0500 Stephen Gallagher wrote: > -----BEGIN PGP SIGNED MESSAGE----- > Hash: SHA1 > > On 12/06/2010 06:51 PM, Simo Sorce wrote: > > > > This patch reduced the size of the default range (from 1 million to > > 200.000) and also changes the way the range is selected. > > Instead of starting at a completely random number, it selects 1 out > > of 10000 random 200k ranges so that the range starts at multiples > > of 200k. > > > > This makes it so that 2 different installs either do not overlap at > > all or overlap completely (once in 10k times) instead of potentially > > partially overlapping. > > > > Instead of using a random number here, why don't we do something more > predictable (so installing FreeIPA on the same machine will hit the > same range). > > Something we used to do at my old job was base it on the IPv4 address > of the primary network adapter in the machine. Basically, we could > take the integer representation of the IP address, take the modulus > 10000 of it, and choose the range from that. That's not needed, if you want to force a specific range you can simply pass an option to the installer. > This would also provide a guarantee that replicas on the same network > would get unique ranges (instead of a 1 in 10,000 chance of doubling > up). Replicas take a cut of the range from the first master, sharing the assigned initial range between them (see the DNA plugin[1] Shared config to understand how it works) > These are just suggestions. The patch as it exists right now looks > fine to me (though I haven't tested it). I have tested it :) Simo. [1] http://directory.fedoraproject.org/wiki/DNA_Plugin -- Simo Sorce * Red Hat, Inc * New York From ssorce at redhat.com Tue Dec 7 13:19:28 2010 From: ssorce at redhat.com (Simo Sorce) Date: Tue, 7 Dec 2010 08:19:28 -0500 Subject: [Freeipa-devel] [PATCH] 0024 - Better random ranges In-Reply-To: <201012071353.53741.jzeleny@redhat.com> References: <20101206185154.0f7d2614@willson.li.ssimo.org> <201012071353.53741.jzeleny@redhat.com> Message-ID: <20101207081928.4baecea6@willson.li.ssimo.org> On Tue, 7 Dec 2010 13:53:53 +0100 Jan Zelen? wrote: > Simo Sorce wrote: > > This patch reduced the size of the default range (from 1 million to > > 200.000) and also changes the way the range is selected. > > Instead of starting at a completely random number, it selects 1 out > > of 10000 random 200k ranges so that the range starts at multiples > > of 200k. > > > > This makes it so that 2 different installs either do not overlap at > > all or overlap completely (once in 10k times) instead of potentially > > partially overlapping. > > > > Simo. > > Do I understand correctly that this change is just to make IDs more > readable? I don't get why two installs need to have either complete > overlapping or no overlapping at all. So that normally 2 installations have completely separate IDs, and a third at most overlap with one of them but not partially with both. Makes it easier to deal with conflicts IMO. It also makes it somewhat easier to build tests that look at specific patterns and aid the admin understanding the id numbers at first. > Also, you have a typo in Rob's name ;-) Ouch! Sorry Rob. attached corrected version Simo. -- Simo Sorce * Red Hat, Inc * New York -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-simo-0024-2-Give-back-smaller-and-more-readable-ranges-by-defaul.patch Type: text/x-patch Size: 2170 bytes Desc: not available URL: From sgallagh at redhat.com Tue Dec 7 13:21:20 2010 From: sgallagh at redhat.com (Stephen Gallagher) Date: Tue, 07 Dec 2010 08:21:20 -0500 Subject: [Freeipa-devel] [PATCH] 0024 - Better random ranges In-Reply-To: <20101207081315.0774d0b4@willson.li.ssimo.org> References: <20101206185154.0f7d2614@willson.li.ssimo.org> <4CFE2B44.9090001@redhat.com> <20101207081315.0774d0b4@willson.li.ssimo.org> Message-ID: <4CFE34D0.206@redhat.com> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 On 12/07/2010 08:13 AM, Simo Sorce wrote: > On Tue, 07 Dec 2010 07:40:36 -0500 > Stephen Gallagher wrote: > >> -----BEGIN PGP SIGNED MESSAGE----- >> Hash: SHA1 >> >> On 12/06/2010 06:51 PM, Simo Sorce wrote: >>> >>> This patch reduced the size of the default range (from 1 million to >>> 200.000) and also changes the way the range is selected. >>> Instead of starting at a completely random number, it selects 1 out >>> of 10000 random 200k ranges so that the range starts at multiples >>> of 200k. >>> >>> This makes it so that 2 different installs either do not overlap at >>> all or overlap completely (once in 10k times) instead of potentially >>> partially overlapping. >>> >> >> Instead of using a random number here, why don't we do something more >> predictable (so installing FreeIPA on the same machine will hit the >> same range). >> >> Something we used to do at my old job was base it on the IPv4 address >> of the primary network adapter in the machine. Basically, we could >> take the integer representation of the IP address, take the modulus >> 10000 of it, and choose the range from that. > > That's not needed, if you want to force a specific range you can simply > pass an option to the installer. > >> This would also provide a guarantee that replicas on the same network >> would get unique ranges (instead of a 1 in 10,000 chance of doubling >> up). > > Replicas take a cut of the range from the first master, sharing the > assigned initial range between them (see the DNA plugin[1] Shared > config to understand how it works) > >> These are just suggestions. The patch as it exists right now looks >> fine to me (though I haven't tested it). > > I have tested it :) > > Simo. > > [1] http://directory.fedoraproject.org/wiki/DNA_Plugin > In that case: ack. - -- Stephen Gallagher RHCE 804006346421761 Delivering value year after year. Red Hat ranks #1 in value among software vendors. http://www.redhat.com/promo/vendor/ -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.11 (GNU/Linux) Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org/ iEYEARECAAYFAkz+NNAACgkQeiVVYja6o6ODEgCgnsbBx5gGBNU8Jrb8IfnaaXhv LVAAoKU7aCwJ5Uut7hmoLxeOMEJyb4I1 =avc3 -----END PGP SIGNATURE----- From jhrozek at redhat.com Tue Dec 7 13:24:22 2010 From: jhrozek at redhat.com (Jakub Hrozek) Date: Tue, 07 Dec 2010 14:24:22 +0100 Subject: [Freeipa-devel] [PATCH] Fix default attributes in config plugin (ipadefaultemaildomain). In-Reply-To: <4CFE31BF.4070407@redhat.com> References: <4CFE31BF.4070407@redhat.com> Message-ID: <4CFE3586.1050104@redhat.com> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 On 12/07/2010 02:08 PM, Pavel Zuna wrote: > Fixes an attribute name mismatch in the config plugin. > > Ticket #573 > > Pavel > Ack -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.11 (GNU/Linux) Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org/ iEYEARECAAYFAkz+NYYACgkQHsardTLnvCX5agCguBo49SALkHD5mV+A1wNOK7Bi ifcAnR2mcVCJRwde07/rHm5CaSIhsslr =C7Wj -----END PGP SIGNATURE----- From ssorce at redhat.com Tue Dec 7 13:36:54 2010 From: ssorce at redhat.com (Simo Sorce) Date: Tue, 7 Dec 2010 08:36:54 -0500 Subject: [Freeipa-devel] [PATCH] 0024 - Better random ranges In-Reply-To: <4CFE34D0.206@redhat.com> References: <20101206185154.0f7d2614@willson.li.ssimo.org> <4CFE2B44.9090001@redhat.com> <20101207081315.0774d0b4@willson.li.ssimo.org> <4CFE34D0.206@redhat.com> Message-ID: <20101207083654.5cd7e00b@willson.li.ssimo.org> On Tue, 07 Dec 2010 08:21:20 -0500 Stephen Gallagher wrote: > >> Something we used to do at my old job was base it on the IPv4 > >> address of the primary network adapter in the machine. Basically, > >> we could take the integer representation of the IP address, take > >> the modulus 10000 of it, and choose the range from that. > > > > That's not needed, if you want to force a specific range you can > > simply pass an option to the installer. > > > >> This would also provide a guarantee that replicas on the same > >> network would get unique ranges (instead of a 1 in 10,000 chance > >> of doubling up). > > > > Replicas take a cut of the range from the first master, sharing the > > assigned initial range between them (see the DNA plugin[1] Shared > > config to understand how it works) > > > >> These are just suggestions. The patch as it exists right now looks > >> fine to me (though I haven't tested it). > > > > I have tested it :) > > > > Simo. > > > > [1] http://directory.fedoraproject.org/wiki/DNA_Plugin > > > > > In that case: ack. Pushed to master. Simo. -- Simo Sorce * Red Hat, Inc * New York From rcritten at redhat.com Tue Dec 7 15:34:44 2010 From: rcritten at redhat.com (Rob Crittenden) Date: Tue, 07 Dec 2010 10:34:44 -0500 Subject: [Freeipa-devel] [PATCH] 631 Add IA5String type In-Reply-To: <201012071339.53533.jzeleny@redhat.com> References: <4CFD4390.2070603@redhat.com> <201012071339.53533.jzeleny@redhat.com> Message-ID: <4CFE5414.7010104@redhat.com> Jan Zelen? wrote: > Rob Crittenden wrote: >> Some attributes we use are IA5Strings which have a very limited >> character set. Add a parameter type for that so we can catch the bad >> type up front and give a more reasonable error message than "syntax error". >> >> ticket 496 >> >> rob > > I noticed that you only switched ipaHomesRootDir attribute to IA5String type. > Are there no other candidates for this? Other thing which I don't fully > understand is changing ipausersearchfields, ipagroupsearchfields, > automountinformation and automountkey to IA5String. Other than that the patch > is ok. > > Jan No, I did switch the others, exactly the ones you mention. rob From rcritten at redhat.com Tue Dec 7 15:39:21 2010 From: rcritten at redhat.com (Rob Crittenden) Date: Tue, 07 Dec 2010 10:39:21 -0500 Subject: [Freeipa-devel] [PATCH] Make the migration plugin more configurable In-Reply-To: <20101201122522.GA24690@zeppelin.brq.redhat.com> References: <20101115115657.GB19666@zeppelin.brq.redhat.com> <4CE6CD4F.3090101@redhat.com> <4CEA8953.4030507@redhat.com> <4CEA8A8B.3000901@redhat.com> <4CED2BBB.8090902@redhat.com> <4CED898B.8000205@redhat.com> <20101201122522.GA24690@zeppelin.brq.redhat.com> Message-ID: <4CFE5529.4020805@redhat.com> Jakub Hrozek wrote: > On Wed, Nov 24, 2010 at 04:54:19PM -0500, Rob Crittenden wrote: >> Jakub Hrozek wrote: >>> -----BEGIN PGP SIGNED MESSAGE----- >>> Hash: SHA1 >>> >>> On 11/22/2010 04:21 PM, Jakub Hrozek wrote: >>>> On 11/22/2010 04:16 PM, Jakub Hrozek wrote: >>>>> The code handles it (I just ran a quick test with --schema=RFC2307bis). >>>> >>>>> It just iterates through all members of a group -- be it user member of >>>>> group member, it's just a DN for the plugin. >>>> >>>>> Jakub >>>> >>>> Sorry, I found another bug in the plugin. I'll send a new patch shortly, >>>> so please don't waste time reviewing this one. >>> >>> New patch is attached. It fixes two more bugs of the original plugin - >>> determines whether a group member is a user or a nested group by >>> checking the DN, not just the RDN attribute name and does not hardcode >>> primary keys. >> >> Will this blow up in convert_members_rfc2307bis() if a member isn't >> contained in the users and groups containers? Should there be a >> failsafe to skip over things that don't match (along with >> appropriate reporting)? > > It wouldn't blow up but add the original DN into the member attribute > which is probably worse. Thanks for catching this. I modified the patch > to log all migrated users and groups with info() and skip those that > don't match any of the containers while logging these entries with > error(). > >> Or if one of users or groups search bases >> isn't provided? >> > > If one of them isn't provided, a default would be used. > >> It definitely doesn't like this: >> # ipa migrate-ds --user-container='' >> --group-container='cn=groups,cn=accounts' ldap://ds.example.com:389 >> >> When passed the right set of options it does seem to do the right thing. >> > > Sorry, but I don't quite understand the "--user-container=''" switch. > Does it mean the users are rooted at the Base DN? Can you post the error > or relevant log info? Please note that the default objectclass is > person. The empty user-container isn't related to this patch so ACK, pushed to master. The error I'm seeing in the Apache error log is: [Tue Dec 07 10:38:10 2010] [error] [client 192.168.166.32] Traceback (most recent call last): [Tue Dec 07 10:38:10 2010] [error] [client 192.168.166.32] File "/usr/share/ipa/wsgi.py", line 27, in application [Tue Dec 07 10:38:10 2010] [error] [client 192.168.166.32] return api.Backend.session(environ, start_response) [Tue Dec 07 10:38:10 2010] [error] [client 192.168.166.32] File "/usr/lib/python2.6/site-packages/ipaserver/rpcserver.py", line 142, in __call__ [Tue Dec 07 10:38:10 2010] [error] [client 192.168.166.32] return self.route(environ, start_response) [Tue Dec 07 10:38:10 2010] [error] [client 192.168.166.32] File "/usr/lib/python2.6/site-packages/ipaserver/rpcserver.py", line 154, in route [Tue Dec 07 10:38:10 2010] [error] [client 192.168.166.32] return app(environ, start_response) [Tue Dec 07 10:38:10 2010] [error] [client 192.168.166.32] File "/usr/lib/python2.6/site-packages/ipaserver/rpcserver.py", line 234, in __call__ [Tue Dec 07 10:38:10 2010] [error] [client 192.168.166.32] response = self.wsgi_execute(environ) [Tue Dec 07 10:38:10 2010] [error] [client 192.168.166.32] File "/usr/lib/python2.6/site-packages/ipaserver/rpcserver.py", line 211, in wsgi_execute [Tue Dec 07 10:38:10 2010] [error] [client 192.168.166.32] result = self.Command[name](*args, **options) [Tue Dec 07 10:38:10 2010] [error] [client 192.168.166.32] File "/usr/lib/python2.6/site-packages/ipalib/frontend.py", line 417, in __call__ [Tue Dec 07 10:38:10 2010] [error] [client 192.168.166.32] ret = self.run(*args, **options) [Tue Dec 07 10:38:10 2010] [error] [client 192.168.166.32] File "/usr/lib/python2.6/site-packages/ipalib/frontend.py", line 690, in run [Tue Dec 07 10:38:10 2010] [error] [client 192.168.166.32] return self.execute(*args, **options) [Tue Dec 07 10:38:10 2010] [error] [client 192.168.166.32] File "/usr/lib/python2.6/site-packages/ipalib/plugins/migration.py", line 380, in execute [Tue Dec 07 10:38:10 2010] [error] [client 192.168.166.32] ldap, config, ds_ldap, ds_base_dn, options [Tue Dec 07 10:38:10 2010] [error] [client 192.168.166.32] File "/usr/lib/python2.6/site-packages/ipalib/plugins/migration.py", line 300, in migrate [Tue Dec 07 10:38:10 2010] [error] [client 192.168.166.32] search_filter, ['*'], search_base, ds_ldap.SCOPE_ONELEVEL#, [Tue Dec 07 10:38:10 2010] [error] [client 192.168.166.32] File "/usr/lib/python2.6/site-packages/ipalib/encoder.py", line 188, in new_f [Tue Dec 07 10:38:10 2010] [error] [client 192.168.166.32] return f(*new_args, **kwargs) [Tue Dec 07 10:38:10 2010] [error] [client 192.168.166.32] File "/usr/lib/python2.6/site-packages/ipalib/encoder.py", line 199, in new_f [Tue Dec 07 10:38:10 2010] [error] [client 192.168.166.32] return args[0].decode(f(*args, **kwargs)) [Tue Dec 07 10:38:10 2010] [error] [client 192.168.166.32] File "/usr/lib/python2.6/site-packages/ipaserver/plugins/ldap2.py", line 516, in find_entries [Tue Dec 07 10:38:10 2010] [error] [client 192.168.166.32] base_dn = self.normalize_dn(base_dn) [Tue Dec 07 10:38:10 2010] [error] [client 192.168.166.32] File "/usr/lib/python2.6/site-packages/ipaserver/plugins/ldap2.py", line 343, in normalize_dn [Tue Dec 07 10:38:10 2010] [error] [client 192.168.166.32] rdns = explode_dn(dn) [Tue Dec 07 10:38:10 2010] [error] [client 192.168.166.32] File "/usr/lib64/python2.6/site-packages/ldap/dn.py", line 79, in explode_dn [Tue Dec 07 10:38:10 2010] [error] [client 192.168.166.32] dn_decomp = str2dn(dn,flags) [Tue Dec 07 10:38:10 2010] [error] [client 192.168.166.32] File "/usr/lib64/python2.6/site-packages/ldap/dn.py", line 53, in str2dn [Tue Dec 07 10:38:10 2010] [error] [client 192.168.166.32] return ldap.functions._ldap_function_call(_ldap.str2dn,dn,flags) [Tue Dec 07 10:38:10 2010] [error] [client 192.168.166.32] File "/usr/lib64/python2.6/site-packages/ldap/functions.py", line 57, in _ldap_function_call [Tue Dec 07 10:38:10 2010] [error] [client 192.168.166.32] result = func(*args,**kwargs) [Tue Dec 07 10:38:10 2010] [error] [client 192.168.166.32] DECODING_ERROR rob From rcritten at redhat.com Tue Dec 7 15:39:30 2010 From: rcritten at redhat.com (Rob Crittenden) Date: Tue, 07 Dec 2010 10:39:30 -0500 Subject: [Freeipa-devel] [PATCH] 019 Do not migrate krbPrincipalKey In-Reply-To: <4CFB9E45.1090101@redhat.com> References: <4CFB9E45.1090101@redhat.com> Message-ID: <4CFE5532.7040901@redhat.com> Jakub Hrozek wrote: > https://fedorahosted.org/freeipa/ticket/455 > > This patch depends on my patch 015 (in thread "Make the migration plugin > more configurable") ack, pushed to master From jzeleny at redhat.com Tue Dec 7 15:42:08 2010 From: jzeleny at redhat.com (Jan =?iso-8859-1?q?Zelen=FD?=) Date: Tue, 7 Dec 2010 16:42:08 +0100 Subject: [Freeipa-devel] [PATCH] 631 Add IA5String type In-Reply-To: <4CFE5414.7010104@redhat.com> References: <4CFD4390.2070603@redhat.com> <201012071339.53533.jzeleny@redhat.com> <4CFE5414.7010104@redhat.com> Message-ID: <201012071642.08965.jzeleny@redhat.com> Rob Crittenden wrote: > Jan Zelen? wrote: > > Rob Crittenden wrote: > >> Some attributes we use are IA5Strings which have a very limited > >> character set. Add a parameter type for that so we can catch the bad > >> type up front and give a more reasonable error message than "syntax > >> error". > >> > >> ticket 496 > >> > >> rob > > > > I noticed that you only switched ipaHomesRootDir attribute to IA5String > > type. Are there no other candidates for this? Other thing which I don't > > fully understand is changing ipausersearchfields, ipagroupsearchfields, > > automountinformation and automountkey to IA5String. Other than that the > > patch is ok. > > > > Jan > > No, I did switch the others, exactly the ones you mention. > > rob Oh, sorry for that, I was just expecting them to be changed in some LDIF file, like ipaHomesRootDir. ACK. Jan From rcritten at redhat.com Tue Dec 7 16:50:42 2010 From: rcritten at redhat.com (Rob Crittenden) Date: Tue, 07 Dec 2010 11:50:42 -0500 Subject: [Freeipa-devel] [PATCH] 632 add migration cmd docs Message-ID: <4CFE65E2.8060601@redhat.com> Add some documentation to the migrate-ds command. rob -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-rcrit-632-migration.patch Type: text/x-patch Size: 2206 bytes Desc: not available URL: From ssorce at redhat.com Tue Dec 7 16:53:45 2010 From: ssorce at redhat.com (Simo Sorce) Date: Tue, 7 Dec 2010 11:53:45 -0500 Subject: [Freeipa-devel] [PATCH] 0025 Restructure startup code for IPA servers Message-ID: <20101207115345.1a2a9ca6@willson.li.ssimo.org> With this patch we stop relying on the system to init single ipa components and instead introduce a "ipa" init script that takes care of properly starting/stopping all relevant components. Components are listed with a generic label in LDAP, per server. At startup the ipa init script will always start drisrv, then use the local socket to query it anonymously[*] and get the list of service to start with a ordering paramater. And it will then proceed to start each single service. On failure it will shut them all down. On stoppping ti shuts them down in inverse order. Only the ipa service is enabled with chkconfig, all other handled services are off in chkconfig and started by the ipa service instead. [*] We can create an account if we think this is not good enough, but I would ask to have a separate ticket and handle this change as an additional patch if we feel the need to do that. Simo. -- Simo Sorce * Red Hat, Inc * New York -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-simo-0025-Introduce-ipa-control-script-that-reads-configuratio.patch Type: text/x-patch Size: 21995 bytes Desc: not available URL: From ayoung at redhat.com Tue Dec 7 19:01:43 2010 From: ayoung at redhat.com (Adam Young) Date: Tue, 07 Dec 2010 14:01:43 -0500 Subject: [Freeipa-devel] [PATCH] admiyo-0113-nested-entity-navigation Message-ID: <4CFE8497.2070301@redhat.com> -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-admiyo-0113-nested-entity-navigation.patch Type: text/x-patch Size: 1333 bytes Desc: not available URL: From edewata at redhat.com Tue Dec 7 19:07:10 2010 From: edewata at redhat.com (Endi Sukma Dewata) Date: Tue, 07 Dec 2010 13:07:10 -0600 Subject: [Freeipa-devel] [PATCH] admiyo-0113-nested-entity-navigation In-Reply-To: <4CFE8497.2070301@redhat.com> References: <4CFE8497.2070301@redhat.com> Message-ID: <4CFE85DE.6020004@redhat.com> On 12/7/2010 1:01 PM, Adam Young wrote: > ACK and pushed to master. -- Endi S. Dewata From dpal at redhat.com Tue Dec 7 20:07:20 2010 From: dpal at redhat.com (Dmitri Pal) Date: Tue, 07 Dec 2010 15:07:20 -0500 Subject: [Freeipa-devel] Updated SUDO spec Message-ID: <4CFE93F8.2060406@redhat.com> Changes were made to the command section of the details screen. -- Thank you, Dmitri Pal Sr. Engineering Manager IPA project, Red Hat Inc. ------------------------------- Looking to carve out IT costs? www.redhat.com/carveoutcosts/ From edewata at redhat.com Tue Dec 7 20:40:44 2010 From: edewata at redhat.com (Endi Sukma Dewata) Date: Tue, 07 Dec 2010 14:40:44 -0600 Subject: [Freeipa-devel] [PATCH] Navigation updates Message-ID: <4CFE9BCC.2060009@redhat.com> Hi, Please review the attached patch. Thanks! The entity.default_facet has been removed, instead the first facet registered to the entity will be considered as the default facet. So, the 'setup' parameter has been removed from tab definitions because it's no longer necessary. The ipa_details_only_setup() has been removed as well. An 'entity' parameter has been added to tab definitions to specify which entity corresponds to a tab item. The tab label has been changed to use entity label if available. Some hard-coded labels have been removed. The unit tests have been updated. -- Endi S. Dewata -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-edewata-0052-Navigation-updates.patch Type: text/x-patch Size: 14775 bytes Desc: not available URL: From dpal at redhat.com Tue Dec 7 20:53:01 2010 From: dpal at redhat.com (Dmitri Pal) Date: Tue, 07 Dec 2010 15:53:01 -0500 Subject: [Freeipa-devel] Updated SUDO spec In-Reply-To: <4CFE93F8.2060406@redhat.com> References: <4CFE93F8.2060406@redhat.com> Message-ID: <4CFE9EAD.9000607@redhat.com> Dmitri Pal wrote: > Changes were made to the command section of the details screen. > > And now with the file -- Thank you, Dmitri Pal Sr. Engineering Manager IPA project, Red Hat Inc. ------------------------------- Looking to carve out IT costs? www.redhat.com/carveoutcosts/ -------------- next part -------------- A non-text attachment was scrubbed... Name: IPA_Sudov3.pdf Type: application/pdf Size: 399023 bytes Desc: not available URL: From rcritten at redhat.com Tue Dec 7 21:33:33 2010 From: rcritten at redhat.com (Rob Crittenden) Date: Tue, 07 Dec 2010 16:33:33 -0500 Subject: [Freeipa-devel] [PATCH] 633 add selfservice aci plugin Message-ID: <4CFEA82D.3050101@redhat.com> Add plugin for manage self-service ACIs This is just a thin wrapper around the aci plugin, controlling what types of ACIs can be added. Right now only ACIs in the basedn can be managed with this plugin. I've got an e-mail into the UI folks to see if we can enhance this and ask the type of object we're creating a selfservice entry for. This way we can put the aci into the proper container. Otherwise I'm going to need to follow up to this and move a couple of self-service ACI's that are now in containers into the basedn. ticket 531 rob -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-rcrit-633-self.patch Type: text/x-patch Size: 14165 bytes Desc: not available URL: From rcritten at redhat.com Tue Dec 7 21:41:21 2010 From: rcritten at redhat.com (Rob Crittenden) Date: Tue, 07 Dec 2010 16:41:21 -0500 Subject: [Freeipa-devel] [PATCH] Fix default attributes in config plugin (ipadefaultemaildomain). In-Reply-To: <4CFE3586.1050104@redhat.com> References: <4CFE31BF.4070407@redhat.com> <4CFE3586.1050104@redhat.com> Message-ID: <4CFEAA01.4000606@redhat.com> Jakub Hrozek wrote: > -----BEGIN PGP SIGNED MESSAGE----- > Hash: SHA1 > > On 12/07/2010 02:08 PM, Pavel Zuna wrote: >> Fixes an attribute name mismatch in the config plugin. >> >> Ticket #573 >> >> Pavel >> > > Ack pushed to master From rcritten at redhat.com Tue Dec 7 22:17:58 2010 From: rcritten at redhat.com (Rob Crittenden) Date: Tue, 07 Dec 2010 17:17:58 -0500 Subject: [Freeipa-devel] [PATCH] 020 Fix kwargs usage in automount plugin In-Reply-To: <4CFE31CC.4040705@redhat.com> References: <4CFE31CC.4040705@redhat.com> Message-ID: <4CFEB296.4020800@redhat.com> Jakub Hrozek wrote: > ipa automountlocation-add baltimore > ipa automountmap-add baltimore auto.share > ipa automountkey-add baltimore auto.master /share --info=auto.share > ipa automountkey-add baltimore auto.share man > - --info="-ro,soft,rsize=8192,wsize=8192 ipa.example.com:/shared/man" > ipa automountlocation-tofiles baltimore > Ack, pushed to master. Note that the tests are pretty badly broken for automount. I'll have a patch out to fix them shortly. rob From rcritten at redhat.com Tue Dec 7 22:19:40 2010 From: rcritten at redhat.com (Rob Crittenden) Date: Tue, 07 Dec 2010 17:19:40 -0500 Subject: [Freeipa-devel] [PATCH] 634 fix automount tests Message-ID: <4CFEB2FC.4000406@redhat.com> While testing Jakub's patch I discovered that the automount tests were pretty badly broken (not related to his changes). This should fix things. rob -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-rcrit-634-test.patch Type: text/x-patch Size: 8128 bytes Desc: not available URL: From ayoung at redhat.com Tue Dec 7 22:54:48 2010 From: ayoung at redhat.com (Adam Young) Date: Tue, 07 Dec 2010 17:54:48 -0500 Subject: [Freeipa-devel] [PATCH] Navigation updates In-Reply-To: <4CFE9BCC.2060009@redhat.com> References: <4CFE9BCC.2060009@redhat.com> Message-ID: <4CFEBB38.5060303@redhat.com> On 12/07/2010 03:40 PM, Endi Sukma Dewata wrote: > Hi, > > Please review the attached patch. Thanks! > > The entity.default_facet has been removed, instead the first facet > registered to the entity will be considered as the default facet. > So, the 'setup' parameter has been removed from tab definitions > because it's no longer necessary. The ipa_details_only_setup() has > been removed as well. > > An 'entity' parameter has been added to tab definitions to specify > which entity corresponds to a tab item. The tab label has been > changed to use entity label if available. > > Some hard-coded labels have been removed. The unit tests have been > updated. > > > _______________________________________________ > Freeipa-devel mailing list > Freeipa-devel at redhat.com > https://www.redhat.com/mailman/listinfo/freeipa-devel ACK. Pushed to master -------------- next part -------------- An HTML attachment was scrubbed... URL: From JR.Aquino at citrix.com Wed Dec 8 00:25:07 2010 From: JR.Aquino at citrix.com (JR Aquino) Date: Wed, 8 Dec 2010 00:25:07 +0000 Subject: [Freeipa-devel] [PATCH 2] Adding user/host category and ipaenabledflag Message-ID: This patch is for ticket: https://fedorahosted.org/freeipa/ticket/570 This patch Addresses items: 1. The UI needs a rule status with values active & inactive. The CLI doesn't have this attribute. HBAC has ipaenabledflag attribute which can be managed using hbac-enable/disable operations. 2. The UI needs a user category for the "Who" section. The CLI doesn't have this attribute. HBAC has usercategory attribute which can be managed using hbac-add/mod operations. 3. The UI needs a host category for the "Access this host" section. The CLI doesn't have this attribute. HBAC has hostcategory attribute which can be managed using hbac-add/mod operations. Please review. -Jr -------------- next part -------------- A non-text attachment was scrubbed... Name: 0002-Adding-user-host-category-and-ipaenabledflag.patch Type: application/octet-stream Size: 1920 bytes Desc: 0002-Adding-user-host-category-and-ipaenabledflag.patch URL: From ssorce at redhat.com Wed Dec 8 01:22:39 2010 From: ssorce at redhat.com (Simo Sorce) Date: Tue, 7 Dec 2010 20:22:39 -0500 Subject: [Freeipa-devel] [PATCH] 0026 Split replica installation in dsinstance Message-ID: <20101207202239.52f71195@willson.li.ssimo.org> This patch allows patch 0025 to work properly for replica installation so it is a prereq for it now. It split installation so that certain steps can be done after the tree has been replicated without having them wiped out, like the creation of the replica master entry under cn=masters,cn=ipa,cn=etc It also introduce a dependency on the replica file having the ca.crt in it. And installs it by default under /etc/ipa/ca.crt (the httpinstance later on also stores it also under /usr/share/ipa/html/ca.crt) This patch also makes sure the memberof fixup task is run *after* initial replication, just to make sure. Technically the memberof plugin is already activated so memberof entries should be properly created while replication goes through. But better be thorough. replication is now started within dsinstance.py and not after ds is setup as one of the dsinstance creation steps. Initial testing gave no issues to me. Simo. -- Simo Sorce * Red Hat, Inc * New York From ayoung at redhat.com Wed Dec 8 03:15:04 2010 From: ayoung at redhat.com (Adam Young) Date: Tue, 07 Dec 2010 22:15:04 -0500 Subject: [Freeipa-devel] [PATCH] 633 add selfservice aci plugin In-Reply-To: <4CFEA82D.3050101@redhat.com> References: <4CFEA82D.3050101@redhat.com> Message-ID: <4CFEF838.8090204@redhat.com> On 12/07/2010 04:33 PM, Rob Crittenden wrote: > Add plugin for manage self-service ACIs > > This is just a thin wrapper around the aci plugin, controlling what > types of ACIs can be added. > > Right now only ACIs in the basedn can be managed with this plugin. > > I've got an e-mail into the UI folks to see if we can enhance this and > ask the type of object we're creating a selfservice entry for. This > way we can put the aci into the proper container. > > Otherwise I'm going to need to follow up to this and move a couple of > self-service ACI's that are now in containers into the basedn. > > ticket 531 > > rob > > > _______________________________________________ > Freeipa-devel mailing list > Freeipa-devel at redhat.com > https://www.redhat.com/mailman/listinfo/freeipa-devel NACK: 1. When I created a permission this way: ipa selfservice-add Self-Service name: testthisbabyout Attributes: departmentnumber ----------------------------------- Added selfservice "testthisbabyout" ----------------------------------- Self-Service name: testthisbabyout Permissions: d3JpdGU= Attributes: departmentnumber Note the garbage string in there for permissions. THen I tried this: [root at ipa freeipa]# ipa selfservice-del testthisbabyout --permissions=write --attrs=departmentnumber Usage: ipa [global-options] selfservice-del NAME ipa: error: no such option: --permissions Tried a a couple of other options, too. -------------- next part -------------- An HTML attachment was scrubbed... URL: From ayoung at redhat.com Wed Dec 8 03:17:34 2010 From: ayoung at redhat.com (Adam Young) Date: Tue, 07 Dec 2010 22:17:34 -0500 Subject: [Freeipa-devel] [PATCH] 633 add selfservice aci plugin In-Reply-To: <4CFEA82D.3050101@redhat.com> References: <4CFEA82D.3050101@redhat.com> Message-ID: <4CFEF8CE.2080807@redhat.com> On 12/07/2010 04:33 PM, Rob Crittenden wrote: > Add plugin for manage self-service ACIs > > This is just a thin wrapper around the aci plugin, controlling what > types of ACIs can be added. > > Right now only ACIs in the basedn can be managed with this plugin. > > I've got an e-mail into the UI folks to see if we can enhance this and > ask the type of object we're creating a selfservice entry for. This > way we can put the aci into the proper container. > > Otherwise I'm going to need to follow up to this and move a couple of > self-service ACI's that are now in containers into the basedn. > > ticket 531 > > rob > > > _______________________________________________ > Freeipa-devel mailing list > Freeipa-devel at redhat.com > https://www.redhat.com/mailman/listinfo/freeipa-devel Probably related to the failure above, after that, doin ipa permission-find gave an error with the following in the log: Sun Dec 05 20:09:51 2010] [error] ipa: ERROR: non-public: TypeError: tuple indices must be integers, not str [Sun Dec 05 20:09:51 2010] [error] Traceback (most recent call last): [Sun Dec 05 20:09:51 2010] [error] File "/usr/lib/python2.6/site-packages/ipaserver/rpcserver.py", line 211, in wsgi_execute [Sun Dec 05 20:09:51 2010] [error] result = self.Command[name](*args, **options) [Sun Dec 05 20:09:51 2010] [error] File "/usr/lib/python2.6/site-packages/ipalib/frontend.py", line 417, in __call__ [Sun Dec 05 20:09:51 2010] [error] ret = self.run(*args, **options) [Sun Dec 05 20:09:51 2010] [error] File "/usr/lib/python2.6/site-packages/ipalib/frontend.py", line 690, in run [Sun Dec 05 20:09:51 2010] [error] return self.execute(*args, **options) [Sun Dec 05 20:09:51 2010] [error] File "/usr/lib/python2.6/site-packages/ipalib/plugins/baseldap.py", line 1228, in execute [Sun Dec 05 20:09:51 2010] [error] more = callback(ldap, entries, truncated, *args, **options) [Sun Dec 05 20:09:51 2010] [error] File "/usr/lib/python2.6/site-packages/ipalib/plugins/permission.py", line 313, in post_callback [Sun Dec 05 20:09:51 2010] [error] if aci['permission'] == entry['cn']: [Sun Dec 05 20:09:51 2010] [error] TypeError: tuple indices must be integers, not str -------------- next part -------------- An HTML attachment was scrubbed... URL: From rcritten at redhat.com Wed Dec 8 03:54:16 2010 From: rcritten at redhat.com (Rob Crittenden) Date: Tue, 07 Dec 2010 22:54:16 -0500 Subject: [Freeipa-devel] [PATCH] 633 add selfservice aci plugin In-Reply-To: <4CFEF8CE.2080807@redhat.com> References: <4CFEA82D.3050101@redhat.com> <4CFEF8CE.2080807@redhat.com> Message-ID: <4CFF0168.3020208@redhat.com> Adam Young wrote: > On 12/07/2010 04:33 PM, Rob Crittenden wrote: >> Add plugin for manage self-service ACIs >> >> This is just a thin wrapper around the aci plugin, controlling what >> types of ACIs can be added. >> >> Right now only ACIs in the basedn can be managed with this plugin. >> >> I've got an e-mail into the UI folks to see if we can enhance this and >> ask the type of object we're creating a selfservice entry for. This >> way we can put the aci into the proper container. >> >> Otherwise I'm going to need to follow up to this and move a couple of >> self-service ACI's that are now in containers into the basedn. >> >> ticket 531 >> >> rob >> >> >> _______________________________________________ >> Freeipa-devel mailing list >> Freeipa-devel at redhat.com >> https://www.redhat.com/mailman/listinfo/freeipa-devel > Probably related to the failure above, after that, doin ipa > permission-find gave an error with the following in the log: > > > Sun Dec 05 20:09:51 2010] [error] ipa: ERROR: non-public: TypeError: > tuple indices must be integers, not str > [Sun Dec 05 20:09:51 2010] [error] Traceback (most recent call last): > [Sun Dec 05 20:09:51 2010] [error] File > "/usr/lib/python2.6/site-packages/ipaserver/rpcserver.py", line 211, in > wsgi_execute > [Sun Dec 05 20:09:51 2010] [error] result = self.Command[name](*args, > **options) > [Sun Dec 05 20:09:51 2010] [error] File > "/usr/lib/python2.6/site-packages/ipalib/frontend.py", line 417, in __call__ > [Sun Dec 05 20:09:51 2010] [error] ret = self.run(*args, **options) > [Sun Dec 05 20:09:51 2010] [error] File > "/usr/lib/python2.6/site-packages/ipalib/frontend.py", line 690, in run > [Sun Dec 05 20:09:51 2010] [error] return self.execute(*args, **options) > [Sun Dec 05 20:09:51 2010] [error] File > "/usr/lib/python2.6/site-packages/ipalib/plugins/baseldap.py", line > 1228, in execute > [Sun Dec 05 20:09:51 2010] [error] more = callback(ldap, entries, > truncated, *args, **options) > [Sun Dec 05 20:09:51 2010] [error] File > "/usr/lib/python2.6/site-packages/ipalib/plugins/permission.py", line > 313, in post_callback > [Sun Dec 05 20:09:51 2010] [error] if aci['permission'] == entry['cn']: > [Sun Dec 05 20:09:51 2010] [error] TypeError: tuple indices must be > integers, not str This would be a separate problem, can you file a ticket on it? rob From rcritten at redhat.com Wed Dec 8 03:56:03 2010 From: rcritten at redhat.com (Rob Crittenden) Date: Tue, 07 Dec 2010 22:56:03 -0500 Subject: [Freeipa-devel] [PATCH] 633 add selfservice aci plugin In-Reply-To: <4CFEF838.8090204@redhat.com> References: <4CFEA82D.3050101@redhat.com> <4CFEF838.8090204@redhat.com> Message-ID: <4CFF01D3.9010204@redhat.com> Adam Young wrote: > On 12/07/2010 04:33 PM, Rob Crittenden wrote: >> Add plugin for manage self-service ACIs >> >> This is just a thin wrapper around the aci plugin, controlling what >> types of ACIs can be added. >> >> Right now only ACIs in the basedn can be managed with this plugin. >> >> I've got an e-mail into the UI folks to see if we can enhance this and >> ask the type of object we're creating a selfservice entry for. This >> way we can put the aci into the proper container. >> >> Otherwise I'm going to need to follow up to this and move a couple of >> self-service ACI's that are now in containers into the basedn. >> >> ticket 531 >> >> rob >> >> >> _______________________________________________ >> Freeipa-devel mailing list >> Freeipa-devel at redhat.com >> https://www.redhat.com/mailman/listinfo/freeipa-devel > NACK: > > 1. When I created a permission this way: > > ipa selfservice-add > Self-Service name: testthisbabyout > Attributes: departmentnumber > ----------------------------------- > Added selfservice "testthisbabyout" > ----------------------------------- > Self-Service name: testthisbabyout > Permissions: d3JpdGU= > Attributes: departmentnumber > > > > Note the garbage string in there for permissions. It's a base64-encoded string: >>> import base64 >>> base64.b64decode('d3JpdGU=') 'write' Not sure how that slipped in there, but fixable. > > THen I tried this: > [root at ipa freeipa]# ipa selfservice-del testthisbabyout > --permissions=write --attrs=departmentnumber > Usage: ipa [global-options] selfservice-del NAME > > ipa: error: no such option: --permissions You just need the name of the selfservice aci when deleting, the other arguments aren't used. This one is ok. rob From rcritten at redhat.com Wed Dec 8 04:23:36 2010 From: rcritten at redhat.com (Rob Crittenden) Date: Tue, 07 Dec 2010 23:23:36 -0500 Subject: [Freeipa-devel] [PATCH] 635 wait for memberof plugin when doing reverse members Message-ID: <4CFF0848.3030903@redhat.com> Give the memberof plugin time to work when adding/removing reverse members. When we add/remove reverse members it looks like we're operating on group A but we're really operating on group B. This adds/removes the member attribute on group B and the memberof plugin adds the memberof attribute into group A. We need to give the memberof plugin a chance to do its work so loop a few times, reading the entry to see if the number of memberof is more or less what we expect. Bail out if it is taking too long. ticket 560 rob -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-rcrit-635-memberof.patch Type: text/x-patch Size: 5044 bytes Desc: not available URL: From rcritten at redhat.com Wed Dec 8 04:28:53 2010 From: rcritten at redhat.com (Rob Crittenden) Date: Tue, 07 Dec 2010 23:28:53 -0500 Subject: [Freeipa-devel] [PATCH] 633 add selfservice aci plugin In-Reply-To: <4CFF01D3.9010204@redhat.com> References: <4CFEA82D.3050101@redhat.com> <4CFEF838.8090204@redhat.com> <4CFF01D3.9010204@redhat.com> Message-ID: <4CFF0985.7090003@redhat.com> Rob Crittenden wrote: > Adam Young wrote: >> On 12/07/2010 04:33 PM, Rob Crittenden wrote: >>> Add plugin for manage self-service ACIs >>> >>> This is just a thin wrapper around the aci plugin, controlling what >>> types of ACIs can be added. >>> >>> Right now only ACIs in the basedn can be managed with this plugin. >>> >>> I've got an e-mail into the UI folks to see if we can enhance this and >>> ask the type of object we're creating a selfservice entry for. This >>> way we can put the aci into the proper container. >>> >>> Otherwise I'm going to need to follow up to this and move a couple of >>> self-service ACI's that are now in containers into the basedn. >>> >>> ticket 531 >>> >>> rob >>> >>> >>> _______________________________________________ >>> Freeipa-devel mailing list >>> Freeipa-devel at redhat.com >>> https://www.redhat.com/mailman/listinfo/freeipa-devel >> NACK: >> >> 1. When I created a permission this way: >> >> ipa selfservice-add >> Self-Service name: testthisbabyout >> Attributes: departmentnumber >> ----------------------------------- >> Added selfservice "testthisbabyout" >> ----------------------------------- >> Self-Service name: testthisbabyout >> Permissions: d3JpdGU= >> Attributes: departmentnumber >> >> >> >> Note the garbage string in there for permissions. > > It's a base64-encoded string: > > >>> import base64 > >>> base64.b64decode('d3JpdGU=') > 'write' > > Not sure how that slipped in there, but fixable. > >> >> THen I tried this: >> [root at ipa freeipa]# ipa selfservice-del testthisbabyout >> --permissions=write --attrs=departmentnumber >> Usage: ipa [global-options] selfservice-del NAME >> >> ipa: error: no such option: --permissions > > You just need the name of the selfservice aci when deleting, the other > arguments aren't used. This one is ok. > > rob Turns out to be a one-character fix. I didn't make the default a unicode value so it was base64-encoded. --- selfservice.py 2010-12-07 23:24:45.000000000 -0500 +++ selfservice.py.fixed 2010-12-07 23:28:02.000000000 -0500 @@ -101,7 +101,7 @@ def execute(self, aciname, **kw): if not 'permissions' in kw: - kw['permissions'] = ('write',) + kw['permissions'] = (u'write',) kw['selfaci'] = True result = api.Command['aci_add'](aciname, **kw)['result'] rob From jzeleny at redhat.com Wed Dec 8 07:25:25 2010 From: jzeleny at redhat.com (Jan =?iso-8859-1?q?Zelen=FD?=) Date: Wed, 8 Dec 2010 08:25:25 +0100 Subject: [Freeipa-devel] [PATCH] 0026 Split replica installation in dsinstance In-Reply-To: <20101207202239.52f71195@willson.li.ssimo.org> References: <20101207202239.52f71195@willson.li.ssimo.org> Message-ID: <201012080825.26030.jzeleny@redhat.com> Simo Sorce wrote: > This patch allows patch 0025 to work properly for replica installation > so it is a prereq for it now. > > It split installation so that certain steps can be done after the tree > has been replicated without having them wiped out, like the creation of > the replica master entry under cn=masters,cn=ipa,cn=etc > > It also introduce a dependency on the replica file having the ca.crt in > it. And installs it by default under /etc/ipa/ca.crt (the httpinstance > later on also stores it also under /usr/share/ipa/html/ca.crt) > > This patch also makes sure the memberof fixup task is run *after* > initial replication, just to make sure. Technically the memberof > plugin is already activated so memberof entries should be properly > created while replication goes through. But better be thorough. > > replication is now started within dsinstance.py and not after ds is > setup as one of the dsinstance creation steps. > > Initial testing gave no issues to me. > > Simo. Can you please attach the patch? ;-) Thanks Jan From jhrozek at redhat.com Wed Dec 8 11:22:46 2010 From: jhrozek at redhat.com (Jakub Hrozek) Date: Wed, 08 Dec 2010 12:22:46 +0100 Subject: [Freeipa-devel] [PATCH] 020 Fix kwargs usage in automount plugin In-Reply-To: <4CFEB296.4020800@redhat.com> References: <4CFE31CC.4040705@redhat.com> <4CFEB296.4020800@redhat.com> Message-ID: <4CFF6A86.8030102@redhat.com> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 On 12/07/2010 11:17 PM, Rob Crittenden wrote: > Note that the tests are pretty badly broken for automount. I'll have a > patch out to fix them shortly. > > rob Yep, I noticed and I thought that it was part of https://fedorahosted.org/freeipa/ticket/359 which I've got assigned.. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.11 (GNU/Linux) Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org/ iEYEARECAAYFAkz/aoUACgkQHsardTLnvCWuiQCfX2MZcRQMlyZetCFEiwlw+9ex +2UAn1M56M6ZUEtLAdbbPYQW/B0o9UlP =N62S -----END PGP SIGNATURE----- From jhrozek at redhat.com Wed Dec 8 11:28:58 2010 From: jhrozek at redhat.com (Jakub Hrozek) Date: Wed, 08 Dec 2010 12:28:58 +0100 Subject: [Freeipa-devel] [PATCH] 020 Fix kwargs usage in automount plugin In-Reply-To: <4CFF6A86.8030102@redhat.com> References: <4CFE31CC.4040705@redhat.com> <4CFEB296.4020800@redhat.com> <4CFF6A86.8030102@redhat.com> Message-ID: <4CFF6BFA.2030007@redhat.com> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 On 12/08/2010 12:22 PM, Jakub Hrozek wrote: > Yep, I noticed and I thought that it was part of > https://fedorahosted.org/freeipa/ticket/359 which I've got assigned. OK, I think the ticket would now shrink into fixing the case Dmitri explained in the opening comment.. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.11 (GNU/Linux) Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org/ iEYEARECAAYFAkz/a/oACgkQHsardTLnvCWNTQCgmETFZZvAwtHUjDwiGee0pvYU TfoAoLJDL6mg7zCt9NDcjhRM3/cOdlxO =AS2J -----END PGP SIGNATURE----- From jhrozek at redhat.com Wed Dec 8 11:42:39 2010 From: jhrozek at redhat.com (Jakub Hrozek) Date: Wed, 08 Dec 2010 12:42:39 +0100 Subject: [Freeipa-devel] [PATCH] 632 add migration cmd docs In-Reply-To: <4CFE65E2.8060601@redhat.com> References: <4CFE65E2.8060601@redhat.com> Message-ID: <4CFF6F2F.2060902@redhat.com> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 On 12/07/2010 05:50 PM, Rob Crittenden wrote: > Add some documentation to the migrate-ds command. > > rob > Ack -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.11 (GNU/Linux) Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org/ iEYEARECAAYFAkz/by8ACgkQHsardTLnvCV1XQCgw2UlwVDpJ6KYwJHGkVg3MDbJ qbUAoOE4rXu6jBxUCc7wzXvyPEFcs4AN =3+EP -----END PGP SIGNATURE----- From ssorce at redhat.com Wed Dec 8 12:59:44 2010 From: ssorce at redhat.com (Simo Sorce) Date: Wed, 8 Dec 2010 07:59:44 -0500 Subject: [Freeipa-devel] [PATCH] 0026 Split replica installation in dsinstance In-Reply-To: <201012080825.26030.jzeleny@redhat.com> References: <20101207202239.52f71195@willson.li.ssimo.org> <201012080825.26030.jzeleny@redhat.com> Message-ID: <20101208075944.48796495@willson.li.ssimo.org> On Wed, 8 Dec 2010 08:25:25 +0100 Jan Zelen? wrote: > Simo Sorce wrote: > > This patch allows patch 0025 to work properly for replica > > installation so it is a prereq for it now. > > > > It split installation so that certain steps can be done after the > > tree has been replicated without having them wiped out, like the > > creation of the replica master entry under cn=masters,cn=ipa,cn=etc > > > > It also introduce a dependency on the replica file having the > > ca.crt in it. And installs it by default under /etc/ipa/ca.crt (the > > httpinstance later on also stores it also > > under /usr/share/ipa/html/ca.crt) > > > > This patch also makes sure the memberof fixup task is run *after* > > initial replication, just to make sure. Technically the memberof > > plugin is already activated so memberof entries should be properly > > created while replication goes through. But better be thorough. > > > > replication is now started within dsinstance.py and not after ds is > > setup as one of the dsinstance creation steps. > > > > Initial testing gave no issues to me. > > > > Simo. > > Can you please attach the patch? ;-) Oh, I thought you'd just trust me :-D Attached. Simo. -- Simo Sorce * Red Hat, Inc * New York -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-simo-0026-Split-dsinstance-configuration.patch Type: text/x-patch Size: 12735 bytes Desc: not available URL: From ayoung at redhat.com Wed Dec 8 14:39:03 2010 From: ayoung at redhat.com (Adam Young) Date: Wed, 08 Dec 2010 09:39:03 -0500 Subject: [Freeipa-devel] [PATCH] 633 add selfservice aci plugin In-Reply-To: <4CFF0168.3020208@redhat.com> References: <4CFEA82D.3050101@redhat.com> <4CFEF8CE.2080807@redhat.com> <4CFF0168.3020208@redhat.com> Message-ID: <4CFF9887.8000906@redhat.com> On 12/07/2010 10:54 PM, Rob Crittenden wrote: > Adam Young wrote: >> On 12/07/2010 04:33 PM, Rob Crittenden wrote: >>> Add plugin for manage self-service ACIs >>> >>> This is just a thin wrapper around the aci plugin, controlling what >>> types of ACIs can be added. >>> >>> Right now only ACIs in the basedn can be managed with this plugin. >>> >>> I've got an e-mail into the UI folks to see if we can enhance this and >>> ask the type of object we're creating a selfservice entry for. This >>> way we can put the aci into the proper container. >>> >>> Otherwise I'm going to need to follow up to this and move a couple of >>> self-service ACI's that are now in containers into the basedn. >>> >>> ticket 531 >>> >>> rob >>> >>> >>> _______________________________________________ >>> Freeipa-devel mailing list >>> Freeipa-devel at redhat.com >>> https://www.redhat.com/mailman/listinfo/freeipa-devel >> Probably related to the failure above, after that, doin ipa >> permission-find gave an error with the following in the log: >> >> >> Sun Dec 05 20:09:51 2010] [error] ipa: ERROR: non-public: TypeError: >> tuple indices must be integers, not str >> [Sun Dec 05 20:09:51 2010] [error] Traceback (most recent call last): >> [Sun Dec 05 20:09:51 2010] [error] File >> "/usr/lib/python2.6/site-packages/ipaserver/rpcserver.py", line 211, in >> wsgi_execute >> [Sun Dec 05 20:09:51 2010] [error] result = self.Command[name](*args, >> **options) >> [Sun Dec 05 20:09:51 2010] [error] File >> "/usr/lib/python2.6/site-packages/ipalib/frontend.py", line 417, in >> __call__ >> [Sun Dec 05 20:09:51 2010] [error] ret = self.run(*args, **options) >> [Sun Dec 05 20:09:51 2010] [error] File >> "/usr/lib/python2.6/site-packages/ipalib/frontend.py", line 690, in run >> [Sun Dec 05 20:09:51 2010] [error] return self.execute(*args, **options) >> [Sun Dec 05 20:09:51 2010] [error] File >> "/usr/lib/python2.6/site-packages/ipalib/plugins/baseldap.py", line >> 1228, in execute >> [Sun Dec 05 20:09:51 2010] [error] more = callback(ldap, entries, >> truncated, *args, **options) >> [Sun Dec 05 20:09:51 2010] [error] File >> "/usr/lib/python2.6/site-packages/ipalib/plugins/permission.py", line >> 313, in post_callback >> [Sun Dec 05 20:09:51 2010] [error] if aci['permission'] == entry['cn']: >> [Sun Dec 05 20:09:51 2010] [error] TypeError: tuple indices must be >> integers, not str > > This would be a separate problem, can you file a ticket on it? > > rob Well, it happened after I applied the patch, so I think it is probably due to the selfservice patch. Is it really a new issue, or is it a regression that shouldn't have been introduced? From jhrozek at redhat.com Wed Dec 8 14:50:41 2010 From: jhrozek at redhat.com (Jakub Hrozek) Date: Wed, 08 Dec 2010 15:50:41 +0100 Subject: [Freeipa-devel] [PATCH] 0020 Make pkinit optional in ipa-replica-prepare In-Reply-To: <20101122155453.4b352eb0@willson.li.ssimo.org> References: <20101122133457.124d41d0@willson.li.ssimo.org> <20101122141944.63c998ad@willson.li.ssimo.org> <20101122155453.4b352eb0@willson.li.ssimo.org> Message-ID: <4CFF9B41.50902@redhat.com> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 On 11/22/2010 09:54 PM, Simo Sorce wrote: >> A copy&paste from ipa-server-install was a bit too optimistic. >> > Attached a new patch that actually works (tested). > After some more testing I find out that ipa-replica-install was broken > too. > Attaching revised patch that addresses all replica installation issues > I found so far related to the pkinit change. > > Simo. Ack -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.11 (GNU/Linux) Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org/ iEYEARECAAYFAkz/m0EACgkQHsardTLnvCXz5ACg57EtpkGNnOJWNlzJ//TtwvRr n/0AoIqaSay5LUEo81xu55TtNSCdL8S0 =QGmx -----END PGP SIGNATURE----- From ssorce at redhat.com Wed Dec 8 14:55:14 2010 From: ssorce at redhat.com (Simo Sorce) Date: Wed, 8 Dec 2010 09:55:14 -0500 Subject: [Freeipa-devel] [PATCH] 0020 Make pkinit optional in ipa-replica-prepare In-Reply-To: <4CFF9B41.50902@redhat.com> References: <20101122133457.124d41d0@willson.li.ssimo.org> <20101122141944.63c998ad@willson.li.ssimo.org> <20101122155453.4b352eb0@willson.li.ssimo.org> <4CFF9B41.50902@redhat.com> Message-ID: <20101208095514.0dfe7f0e@willson.li.ssimo.org> On Wed, 08 Dec 2010 15:50:41 +0100 Jakub Hrozek wrote: > > After some more testing I find out that ipa-replica-install was > > broken too. > > Attaching revised patch that addresses all replica installation > > issues I found so far related to the pkinit change. > > > > Simo. > > Ack Thanks, pushed to master. Simo. -- Simo Sorce * Red Hat, Inc * New York From ayoung at redhat.com Wed Dec 8 15:01:38 2010 From: ayoung at redhat.com (Adam Young) Date: Wed, 08 Dec 2010 10:01:38 -0500 Subject: [Freeipa-devel] [PATCH 2] Adding user/host category and ipaenabledflag In-Reply-To: References: Message-ID: <4CFF9DD2.50202@redhat.com> On 12/07/2010 07:25 PM, JR Aquino wrote: > This patch is for ticket: > https://fedorahosted.org/freeipa/ticket/570 > > This patch Addresses items: > 1. The UI needs a rule status with values active& inactive. The CLI doesn't have this attribute. HBAC has ipaenabledflag attribute which can be managed using hbac-enable/disable operations. > 2. The UI needs a user category for the "Who" section. The CLI doesn't have this attribute. HBAC has usercategory attribute which can be managed using hbac-add/mod operations. > 3. The UI needs a host category for the "Access this host" section. The CLI doesn't have this attribute. HBAC has hostcategory attribute which can be managed using hbac-add/mod operations. > > Please review. > > -Jr > > > > _______________________________________________ > Freeipa-devel mailing list > Freeipa-devel at redhat.com > https://www.redhat.com/mailman/listinfo/freeipa-devel FOr the future, please format the patch name like this: freeipa-jraquino-0002-Adding-user-host-category-and-ipaenabledflag.patch -------------- next part -------------- An HTML attachment was scrubbed... URL: From jhrozek at redhat.com Wed Dec 8 15:33:22 2010 From: jhrozek at redhat.com (Jakub Hrozek) Date: Wed, 08 Dec 2010 16:33:22 +0100 Subject: [Freeipa-devel] [PATCH] 634 fix automount tests In-Reply-To: <4CFEB2FC.4000406@redhat.com> References: <4CFEB2FC.4000406@redhat.com> Message-ID: <4CFFA542.4070506@redhat.com> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 On 12/07/2010 11:19 PM, Rob Crittenden wrote: > While testing Jakub's patch I discovered that the automount tests were > pretty badly broken (not related to his changes). This should fix things. > > rob > > > All tests pass now. Ack -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.11 (GNU/Linux) Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org/ iEYEARECAAYFAkz/pUIACgkQHsardTLnvCWVfgCdFfjTaK75RUZisGtOiunin0Vy 84EAoJ9g1rJJOq8M+SSf6RJKu6trWDJx =WbRj -----END PGP SIGNATURE----- From jzeleny at redhat.com Wed Dec 8 15:37:39 2010 From: jzeleny at redhat.com (Jan =?iso-8859-15?q?Zelen=FD?=) Date: Wed, 8 Dec 2010 16:37:39 +0100 Subject: [Freeipa-devel] [PATCH] Modified ipa help behavior In-Reply-To: <201011080926.12248.jzeleny@redhat.com> References: <201011080926.12248.jzeleny@redhat.com> Message-ID: <201012081637.39615.jzeleny@redhat.com> Jan Zelen? wrote: > Now each plugin can define its topic as a 2-tuple, where the first > item is the name of topic it belongs to and the second item is > a description of such topic. Topic descriptions must be the same > for all modules belonging to the topic. > > By using this topics, it is possible to group plugins as we see fit. > When asking for help for a particular topic, help for all modules > in given topic is written. > > ipa help - show all topics (until now it showed all plugins) > ipa help - show details to given topic > > https://fedorahosted.org/freeipa/ticket/410 So here it is: I'm sending couple patches which resolve the ticket and implement grouping the way we previously discussed. Please feel free to send me any recommendations if anything should be modified. -- Thank you Jan Zeleny Red Hat Software Engineer Brno, Czech Republic -------------- next part -------------- A non-text attachment was scrubbed... Name: jzeleny-freeipa-0013-Rename-hbac-module-to-hbacrule.patch Type: text/x-patch Size: 51368 bytes Desc: not available URL: -------------- next part -------------- A non-text attachment was scrubbed... Name: jzeleny-freeipa-0014-Changed-concept-of-ipa-help.patch Type: text/x-patch Size: 8298 bytes Desc: not available URL: -------------- next part -------------- A non-text attachment was scrubbed... Name: jzeleny-freeipa-0015-Initial-grouping-of-ipalib-plugins-for-ipa-help.patch Type: text/x-patch Size: 3070 bytes Desc: not available URL: From edewata at redhat.com Wed Dec 8 15:39:10 2010 From: edewata at redhat.com (Endi Sukma Dewata) Date: Wed, 08 Dec 2010 09:39:10 -0600 Subject: [Freeipa-devel] [PATCH 2] Adding user/host category and ipaenabledflag In-Reply-To: References: Message-ID: <4CFFA69E.4000707@redhat.com> On 12/7/2010 6:25 PM, JR Aquino wrote: > This patch Addresses items: > 1. The UI needs a rule status with values active& inactive. The CLI doesn't have this attribute. HBAC has ipaenabledflag attribute which can be managed using hbac-enable/disable operations. > 2. The UI needs a user category for the "Who" section. The CLI doesn't have this attribute. HBAC has usercategory attribute which can be managed using hbac-add/mod operations. > 3. The UI needs a host category for the "Access this host" section. The CLI doesn't have this attribute. HBAC has hostcategory attribute which can be managed using hbac-add/mod operations. Hi JR, thanks for the patch. I have tested it, items #2 and #3 work. However, for item #1 it's still missing the sudorule-enable/disable operations which are needed to set the ipaenabledflag. This patch itself is fine, so I pushed it to master. You could submit the enable/disable operations in a separate patch. Thanks! -- Endi S. Dewata From rcritten at redhat.com Wed Dec 8 16:02:26 2010 From: rcritten at redhat.com (Rob Crittenden) Date: Wed, 08 Dec 2010 11:02:26 -0500 Subject: [Freeipa-devel] [PATCH] 633 add selfservice aci plugin In-Reply-To: <4CFF9887.8000906@redhat.com> References: <4CFEA82D.3050101@redhat.com> <4CFEF8CE.2080807@redhat.com> <4CFF0168.3020208@redhat.com> <4CFF9887.8000906@redhat.com> Message-ID: <4CFFAC12.8070504@redhat.com> Adam Young wrote: > On 12/07/2010 10:54 PM, Rob Crittenden wrote: >> Adam Young wrote: >>> On 12/07/2010 04:33 PM, Rob Crittenden wrote: >>>> Add plugin for manage self-service ACIs >>>> >>>> This is just a thin wrapper around the aci plugin, controlling what >>>> types of ACIs can be added. >>>> >>>> Right now only ACIs in the basedn can be managed with this plugin. >>>> >>>> I've got an e-mail into the UI folks to see if we can enhance this and >>>> ask the type of object we're creating a selfservice entry for. This >>>> way we can put the aci into the proper container. >>>> >>>> Otherwise I'm going to need to follow up to this and move a couple of >>>> self-service ACI's that are now in containers into the basedn. >>>> >>>> ticket 531 >>>> >>>> rob >>>> >>>> >>>> _______________________________________________ >>>> Freeipa-devel mailing list >>>> Freeipa-devel at redhat.com >>>> https://www.redhat.com/mailman/listinfo/freeipa-devel >>> Probably related to the failure above, after that, doin ipa >>> permission-find gave an error with the following in the log: >>> >>> >>> Sun Dec 05 20:09:51 2010] [error] ipa: ERROR: non-public: TypeError: >>> tuple indices must be integers, not str >>> [Sun Dec 05 20:09:51 2010] [error] Traceback (most recent call last): >>> [Sun Dec 05 20:09:51 2010] [error] File >>> "/usr/lib/python2.6/site-packages/ipaserver/rpcserver.py", line 211, in >>> wsgi_execute >>> [Sun Dec 05 20:09:51 2010] [error] result = self.Command[name](*args, >>> **options) >>> [Sun Dec 05 20:09:51 2010] [error] File >>> "/usr/lib/python2.6/site-packages/ipalib/frontend.py", line 417, in >>> __call__ >>> [Sun Dec 05 20:09:51 2010] [error] ret = self.run(*args, **options) >>> [Sun Dec 05 20:09:51 2010] [error] File >>> "/usr/lib/python2.6/site-packages/ipalib/frontend.py", line 690, in run >>> [Sun Dec 05 20:09:51 2010] [error] return self.execute(*args, **options) >>> [Sun Dec 05 20:09:51 2010] [error] File >>> "/usr/lib/python2.6/site-packages/ipalib/plugins/baseldap.py", line >>> 1228, in execute >>> [Sun Dec 05 20:09:51 2010] [error] more = callback(ldap, entries, >>> truncated, *args, **options) >>> [Sun Dec 05 20:09:51 2010] [error] File >>> "/usr/lib/python2.6/site-packages/ipalib/plugins/permission.py", line >>> 313, in post_callback >>> [Sun Dec 05 20:09:51 2010] [error] if aci['permission'] == entry['cn']: >>> [Sun Dec 05 20:09:51 2010] [error] TypeError: tuple indices must be >>> integers, not str >> >> This would be a separate problem, can you file a ticket on it? >> >> rob > > > Well, it happened after I applied the patch, so I think it is probably > due to the selfservice patch. Is it really a new issue, or is it a > regression that shouldn't have been introduced? > > Ok, not sure how my patch affected this but here is an updated patch with it fixed. rob -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-rcrit-633-2-self.patch Type: text/x-patch Size: 14816 bytes Desc: not available URL: From JR.Aquino at citrix.com Wed Dec 8 16:03:56 2010 From: JR.Aquino at citrix.com (JR Aquino) Date: Wed, 8 Dec 2010 16:03:56 +0000 Subject: [Freeipa-devel] [PATCH 3] Adding CLI Enable/Disable Operations for SudoRules In-Reply-To: <4CFFA69E.4000707@redhat.com> Message-ID: This patch address's the CLI Operations needed to toggle enable / disable on the SudoRules. I will need to work with Nalin to adjust the Compat Plugin so that 'disabled' rules are ignored for Compat translation. On 12/8/10 7:39 AM, "Endi Sukma Dewata" wrote: >On 12/7/2010 6:25 PM, JR Aquino wrote: >> This patch Addresses items: >> 1. The UI needs a rule status with values active& inactive. The CLI >>doesn't have this attribute. HBAC has ipaenabledflag attribute which can >>be managed using hbac-enable/disable operations. >> 2. The UI needs a user category for the "Who" section. The CLI >>doesn't have this attribute. HBAC has usercategory attribute which can >>be managed using hbac-add/mod operations. >> 3. The UI needs a host category for the "Access this host" section. >>The CLI doesn't have this attribute. HBAC has hostcategory attribute >>which can be managed using hbac-add/mod operations. > >Hi JR, thanks for the patch. I have tested it, items #2 and #3 work. >However, for item #1 it's still missing the sudorule-enable/disable >operations which are needed to set the ipaenabledflag. > >This patch itself is fine, so I pushed it to master. You could submit >the enable/disable operations in a separate patch. Thanks! > >-- >Endi S. Dewata -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-jraquino-0003-Enable-Disable-SudoRule.patch Type: application/octet-stream Size: 2870 bytes Desc: freeipa-jraquino-0003-Enable-Disable-SudoRule.patch URL: From edewata at redhat.com Wed Dec 8 16:35:25 2010 From: edewata at redhat.com (Endi Sukma Dewata) Date: Wed, 08 Dec 2010 10:35:25 -0600 Subject: [Freeipa-devel] [PATCH 3] Adding CLI Enable/Disable Operations for SudoRules In-Reply-To: References: Message-ID: <4CFFB3CD.5060705@redhat.com> On 12/8/2010 10:03 AM, JR Aquino wrote: > This patch address's the CLI Operations needed to toggle enable / disable > on the SudoRules. Thanks for such a quick response! ACK and pushed to master. -- Endi S. Dewata From ayoung at redhat.com Wed Dec 8 17:48:27 2010 From: ayoung at redhat.com (Adam Young) Date: Wed, 08 Dec 2010 12:48:27 -0500 Subject: [Freeipa-devel] [PATCH] 633 add selfservice aci plugin In-Reply-To: <4CFFAC12.8070504@redhat.com> References: <4CFEA82D.3050101@redhat.com> <4CFEF8CE.2080807@redhat.com> <4CFF0168.3020208@redhat.com> <4CFF9887.8000906@redhat.com> <4CFFAC12.8070504@redhat.com> Message-ID: <4CFFC4EB.404@redhat.com> On 12/08/2010 11:02 AM, Rob Crittenden wrote: > Adam Young wrote: >> On 12/07/2010 10:54 PM, Rob Crittenden wrote: >>> Adam Young wrote: >>>> On 12/07/2010 04:33 PM, Rob Crittenden wrote: >>>>> Add plugin for manage self-service ACIs >>>>> >>>>> This is just a thin wrapper around the aci plugin, controlling what >>>>> types of ACIs can be added. >>>>> >>>>> Right now only ACIs in the basedn can be managed with this plugin. >>>>> >>>>> I've got an e-mail into the UI folks to see if we can enhance this >>>>> and >>>>> ask the type of object we're creating a selfservice entry for. This >>>>> way we can put the aci into the proper container. >>>>> >>>>> Otherwise I'm going to need to follow up to this and move a couple of >>>>> self-service ACI's that are now in containers into the basedn. >>>>> >>>>> ticket 531 >>>>> >>>>> rob >>>>> >>>>> >>>>> _______________________________________________ >>>>> Freeipa-devel mailing list >>>>> Freeipa-devel at redhat.com >>>>> https://www.redhat.com/mailman/listinfo/freeipa-devel >>>> Probably related to the failure above, after that, doin ipa >>>> permission-find gave an error with the following in the log: >>>> >>>> >>>> Sun Dec 05 20:09:51 2010] [error] ipa: ERROR: non-public: TypeError: >>>> tuple indices must be integers, not str >>>> [Sun Dec 05 20:09:51 2010] [error] Traceback (most recent call last): >>>> [Sun Dec 05 20:09:51 2010] [error] File >>>> "/usr/lib/python2.6/site-packages/ipaserver/rpcserver.py", line >>>> 211, in >>>> wsgi_execute >>>> [Sun Dec 05 20:09:51 2010] [error] result = self.Command[name](*args, >>>> **options) >>>> [Sun Dec 05 20:09:51 2010] [error] File >>>> "/usr/lib/python2.6/site-packages/ipalib/frontend.py", line 417, in >>>> __call__ >>>> [Sun Dec 05 20:09:51 2010] [error] ret = self.run(*args, **options) >>>> [Sun Dec 05 20:09:51 2010] [error] File >>>> "/usr/lib/python2.6/site-packages/ipalib/frontend.py", line 690, in >>>> run >>>> [Sun Dec 05 20:09:51 2010] [error] return self.execute(*args, >>>> **options) >>>> [Sun Dec 05 20:09:51 2010] [error] File >>>> "/usr/lib/python2.6/site-packages/ipalib/plugins/baseldap.py", line >>>> 1228, in execute >>>> [Sun Dec 05 20:09:51 2010] [error] more = callback(ldap, entries, >>>> truncated, *args, **options) >>>> [Sun Dec 05 20:09:51 2010] [error] File >>>> "/usr/lib/python2.6/site-packages/ipalib/plugins/permission.py", line >>>> 313, in post_callback >>>> [Sun Dec 05 20:09:51 2010] [error] if aci['permission'] == >>>> entry['cn']: >>>> [Sun Dec 05 20:09:51 2010] [error] TypeError: tuple indices must be >>>> integers, not str >>> >>> This would be a separate problem, can you file a ticket on it? >>> >>> rob >> >> >> Well, it happened after I applied the patch, so I think it is probably >> due to the selfservice patch. Is it really a new issue, or is it a >> regression that shouldn't have been introduced? >> >> > > Ok, not sure how my patch affected this but here is an updated patch > with it fixed. > > rob So far so good, but it still has the issue with the perms being displayed Base64. From ayoung at redhat.com Wed Dec 8 17:50:18 2010 From: ayoung at redhat.com (Adam Young) Date: Wed, 08 Dec 2010 12:50:18 -0500 Subject: [Freeipa-devel] [PATCH] 633 add selfservice aci plugin In-Reply-To: <4CFFC4EB.404@redhat.com> References: <4CFEA82D.3050101@redhat.com> <4CFEF8CE.2080807@redhat.com> <4CFF0168.3020208@redhat.com> <4CFF9887.8000906@redhat.com> <4CFFAC12.8070504@redhat.com> <4CFFC4EB.404@redhat.com> Message-ID: <4CFFC55A.7040705@redhat.com> On 12/08/2010 12:48 PM, Adam Young wrote: > On 12/08/2010 11:02 AM, Rob Crittenden wrote: >> Adam Young wrote: >>> On 12/07/2010 10:54 PM, Rob Crittenden wrote: >>>> Adam Young wrote: >>>>> On 12/07/2010 04:33 PM, Rob Crittenden wrote: >>>>>> Add plugin for manage self-service ACIs >>>>>> >>>>>> This is just a thin wrapper around the aci plugin, controlling what >>>>>> types of ACIs can be added. >>>>>> >>>>>> Right now only ACIs in the basedn can be managed with this plugin. >>>>>> >>>>>> I've got an e-mail into the UI folks to see if we can enhance >>>>>> this and >>>>>> ask the type of object we're creating a selfservice entry for. This >>>>>> way we can put the aci into the proper container. >>>>>> >>>>>> Otherwise I'm going to need to follow up to this and move a >>>>>> couple of >>>>>> self-service ACI's that are now in containers into the basedn. >>>>>> >>>>>> ticket 531 >>>>>> >>>>>> rob >>>>>> >>>>>> >>>>>> _______________________________________________ >>>>>> Freeipa-devel mailing list >>>>>> Freeipa-devel at redhat.com >>>>>> https://www.redhat.com/mailman/listinfo/freeipa-devel >>>>> Probably related to the failure above, after that, doin ipa >>>>> permission-find gave an error with the following in the log: >>>>> >>>>> >>>>> Sun Dec 05 20:09:51 2010] [error] ipa: ERROR: non-public: TypeError: >>>>> tuple indices must be integers, not str >>>>> [Sun Dec 05 20:09:51 2010] [error] Traceback (most recent call last): >>>>> [Sun Dec 05 20:09:51 2010] [error] File >>>>> "/usr/lib/python2.6/site-packages/ipaserver/rpcserver.py", line >>>>> 211, in >>>>> wsgi_execute >>>>> [Sun Dec 05 20:09:51 2010] [error] result = self.Command[name](*args, >>>>> **options) >>>>> [Sun Dec 05 20:09:51 2010] [error] File >>>>> "/usr/lib/python2.6/site-packages/ipalib/frontend.py", line 417, in >>>>> __call__ >>>>> [Sun Dec 05 20:09:51 2010] [error] ret = self.run(*args, **options) >>>>> [Sun Dec 05 20:09:51 2010] [error] File >>>>> "/usr/lib/python2.6/site-packages/ipalib/frontend.py", line 690, >>>>> in run >>>>> [Sun Dec 05 20:09:51 2010] [error] return self.execute(*args, >>>>> **options) >>>>> [Sun Dec 05 20:09:51 2010] [error] File >>>>> "/usr/lib/python2.6/site-packages/ipalib/plugins/baseldap.py", line >>>>> 1228, in execute >>>>> [Sun Dec 05 20:09:51 2010] [error] more = callback(ldap, entries, >>>>> truncated, *args, **options) >>>>> [Sun Dec 05 20:09:51 2010] [error] File >>>>> "/usr/lib/python2.6/site-packages/ipalib/plugins/permission.py", line >>>>> 313, in post_callback >>>>> [Sun Dec 05 20:09:51 2010] [error] if aci['permission'] == >>>>> entry['cn']: >>>>> [Sun Dec 05 20:09:51 2010] [error] TypeError: tuple indices must be >>>>> integers, not str >>>> >>>> This would be a separate problem, can you file a ticket on it? >>>> >>>> rob >>> >>> >>> Well, it happened after I applied the patch, so I think it is probably >>> due to the selfservice patch. Is it really a new issue, or is it a >>> regression that shouldn't have been introduced? >>> >>> >> >> Ok, not sure how my patch affected this but here is an updated patch >> with it fixed. >> >> rob > > So far so good, but it still has the issue with the perms being > displayed Base64. This is only the case for the CLI. It looks right when fetched via JSON and CURL. > > > > _______________________________________________ > Freeipa-devel mailing list > Freeipa-devel at redhat.com > https://www.redhat.com/mailman/listinfo/freeipa-devel From ayoung at redhat.com Wed Dec 8 17:53:41 2010 From: ayoung at redhat.com (Adam Young) Date: Wed, 08 Dec 2010 12:53:41 -0500 Subject: [Freeipa-devel] [PATCH] 633 add selfservice aci plugin In-Reply-To: <4CFFC4EB.404@redhat.com> References: <4CFEA82D.3050101@redhat.com> <4CFEF8CE.2080807@redhat.com> <4CFF0168.3020208@redhat.com> <4CFF9887.8000906@redhat.com> <4CFFAC12.8070504@redhat.com> <4CFFC4EB.404@redhat.com> Message-ID: <4CFFC625.2000809@redhat.com> On 12/08/2010 12:48 PM, Adam Young wrote: > On 12/08/2010 11:02 AM, Rob Crittenden wrote: >> Adam Young wrote: >>> On 12/07/2010 10:54 PM, Rob Crittenden wrote: >>>> Adam Young wrote: >>>>> On 12/07/2010 04:33 PM, Rob Crittenden wrote: >>>>>> Add plugin for manage self-service ACIs >>>>>> >>>>>> This is just a thin wrapper around the aci plugin, controlling what >>>>>> types of ACIs can be added. >>>>>> >>>>>> Right now only ACIs in the basedn can be managed with this plugin. >>>>>> >>>>>> I've got an e-mail into the UI folks to see if we can enhance >>>>>> this and >>>>>> ask the type of object we're creating a selfservice entry for. This >>>>>> way we can put the aci into the proper container. >>>>>> >>>>>> Otherwise I'm going to need to follow up to this and move a >>>>>> couple of >>>>>> self-service ACI's that are now in containers into the basedn. >>>>>> >>>>>> ticket 531 >>>>>> >>>>>> rob >>>>>> >>>>>> >>>>>> _______________________________________________ >>>>>> Freeipa-devel mailing list >>>>>> Freeipa-devel at redhat.com >>>>>> https://www.redhat.com/mailman/listinfo/freeipa-devel >>>>> Probably related to the failure above, after that, doin ipa >>>>> permission-find gave an error with the following in the log: >>>>> >>>>> >>>>> Sun Dec 05 20:09:51 2010] [error] ipa: ERROR: non-public: TypeError: >>>>> tuple indices must be integers, not str >>>>> [Sun Dec 05 20:09:51 2010] [error] Traceback (most recent call last): >>>>> [Sun Dec 05 20:09:51 2010] [error] File >>>>> "/usr/lib/python2.6/site-packages/ipaserver/rpcserver.py", line >>>>> 211, in >>>>> wsgi_execute >>>>> [Sun Dec 05 20:09:51 2010] [error] result = self.Command[name](*args, >>>>> **options) >>>>> [Sun Dec 05 20:09:51 2010] [error] File >>>>> "/usr/lib/python2.6/site-packages/ipalib/frontend.py", line 417, in >>>>> __call__ >>>>> [Sun Dec 05 20:09:51 2010] [error] ret = self.run(*args, **options) >>>>> [Sun Dec 05 20:09:51 2010] [error] File >>>>> "/usr/lib/python2.6/site-packages/ipalib/frontend.py", line 690, >>>>> in run >>>>> [Sun Dec 05 20:09:51 2010] [error] return self.execute(*args, >>>>> **options) >>>>> [Sun Dec 05 20:09:51 2010] [error] File >>>>> "/usr/lib/python2.6/site-packages/ipalib/plugins/baseldap.py", line >>>>> 1228, in execute >>>>> [Sun Dec 05 20:09:51 2010] [error] more = callback(ldap, entries, >>>>> truncated, *args, **options) >>>>> [Sun Dec 05 20:09:51 2010] [error] File >>>>> "/usr/lib/python2.6/site-packages/ipalib/plugins/permission.py", line >>>>> 313, in post_callback >>>>> [Sun Dec 05 20:09:51 2010] [error] if aci['permission'] == >>>>> entry['cn']: >>>>> [Sun Dec 05 20:09:51 2010] [error] TypeError: tuple indices must be >>>>> integers, not str >>>> >>>> This would be a separate problem, can you file a ticket on it? >>>> >>>> rob >>> >>> >>> Well, it happened after I applied the patch, so I think it is probably >>> due to the selfservice patch. Is it really a new issue, or is it a >>> regression that shouldn't have been introduced? >>> >>> >> >> Ok, not sure how my patch affected this but here is an updated patch >> with it fixed. >> >> rob > > So far so good, but it still has the issue with the perms being > displayed Base64. Note that this is only on what is shown back the the user after they execute the command and are prompted for the permissions > > > > _______________________________________________ > Freeipa-devel mailing list > Freeipa-devel at redhat.com > https://www.redhat.com/mailman/listinfo/freeipa-devel From rcritten at redhat.com Wed Dec 8 18:31:17 2010 From: rcritten at redhat.com (Rob Crittenden) Date: Wed, 08 Dec 2010 13:31:17 -0500 Subject: [Freeipa-devel] [PATCH] 636 Properly handle multi-valued attributes when using setattr/addattr Message-ID: <4CFFCEF5.4090804@redhat.com> The problem was that the normalizer was returning each value as a tuple which we were then appending to a list, so it looked like [(u'value1',), (u'value2',),...]. If there was a single value we could end up adding a tuple to a list which would fail. Additionally python-ldap doesn't like lists of lists so it was failing later in the process as well. I've added some simple tests for setattr and addattr. ticket 565 rob -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-rcrit-636-attr.patch Type: text/x-patch Size: 9132 bytes Desc: not available URL: From rcritten at redhat.com Wed Dec 8 18:34:51 2010 From: rcritten at redhat.com (Rob Crittenden) Date: Wed, 08 Dec 2010 13:34:51 -0500 Subject: [Freeipa-devel] [PATCH] 633 add selfservice aci plugin In-Reply-To: <4CFFC625.2000809@redhat.com> References: <4CFEA82D.3050101@redhat.com> <4CFEF8CE.2080807@redhat.com> <4CFF0168.3020208@redhat.com> <4CFF9887.8000906@redhat.com> <4CFFAC12.8070504@redhat.com> <4CFFC4EB.404@redhat.com> <4CFFC625.2000809@redhat.com> Message-ID: <4CFFCFCB.2090804@redhat.com> Adam Young wrote: > On 12/08/2010 12:48 PM, Adam Young wrote: >> On 12/08/2010 11:02 AM, Rob Crittenden wrote: >>> Adam Young wrote: >>>> On 12/07/2010 10:54 PM, Rob Crittenden wrote: >>>>> Adam Young wrote: >>>>>> On 12/07/2010 04:33 PM, Rob Crittenden wrote: >>>>>>> Add plugin for manage self-service ACIs >>>>>>> >>>>>>> This is just a thin wrapper around the aci plugin, controlling what >>>>>>> types of ACIs can be added. >>>>>>> >>>>>>> Right now only ACIs in the basedn can be managed with this plugin. >>>>>>> >>>>>>> I've got an e-mail into the UI folks to see if we can enhance >>>>>>> this and >>>>>>> ask the type of object we're creating a selfservice entry for. This >>>>>>> way we can put the aci into the proper container. >>>>>>> >>>>>>> Otherwise I'm going to need to follow up to this and move a >>>>>>> couple of >>>>>>> self-service ACI's that are now in containers into the basedn. >>>>>>> >>>>>>> ticket 531 >>>>>>> >>>>>>> rob >>>>>>> >>>>>>> >>>>>>> _______________________________________________ >>>>>>> Freeipa-devel mailing list >>>>>>> Freeipa-devel at redhat.com >>>>>>> https://www.redhat.com/mailman/listinfo/freeipa-devel >>>>>> Probably related to the failure above, after that, doin ipa >>>>>> permission-find gave an error with the following in the log: >>>>>> >>>>>> >>>>>> Sun Dec 05 20:09:51 2010] [error] ipa: ERROR: non-public: TypeError: >>>>>> tuple indices must be integers, not str >>>>>> [Sun Dec 05 20:09:51 2010] [error] Traceback (most recent call last): >>>>>> [Sun Dec 05 20:09:51 2010] [error] File >>>>>> "/usr/lib/python2.6/site-packages/ipaserver/rpcserver.py", line >>>>>> 211, in >>>>>> wsgi_execute >>>>>> [Sun Dec 05 20:09:51 2010] [error] result = self.Command[name](*args, >>>>>> **options) >>>>>> [Sun Dec 05 20:09:51 2010] [error] File >>>>>> "/usr/lib/python2.6/site-packages/ipalib/frontend.py", line 417, in >>>>>> __call__ >>>>>> [Sun Dec 05 20:09:51 2010] [error] ret = self.run(*args, **options) >>>>>> [Sun Dec 05 20:09:51 2010] [error] File >>>>>> "/usr/lib/python2.6/site-packages/ipalib/frontend.py", line 690, >>>>>> in run >>>>>> [Sun Dec 05 20:09:51 2010] [error] return self.execute(*args, >>>>>> **options) >>>>>> [Sun Dec 05 20:09:51 2010] [error] File >>>>>> "/usr/lib/python2.6/site-packages/ipalib/plugins/baseldap.py", line >>>>>> 1228, in execute >>>>>> [Sun Dec 05 20:09:51 2010] [error] more = callback(ldap, entries, >>>>>> truncated, *args, **options) >>>>>> [Sun Dec 05 20:09:51 2010] [error] File >>>>>> "/usr/lib/python2.6/site-packages/ipalib/plugins/permission.py", line >>>>>> 313, in post_callback >>>>>> [Sun Dec 05 20:09:51 2010] [error] if aci['permission'] == >>>>>> entry['cn']: >>>>>> [Sun Dec 05 20:09:51 2010] [error] TypeError: tuple indices must be >>>>>> integers, not str >>>>> >>>>> This would be a separate problem, can you file a ticket on it? >>>>> >>>>> rob >>>> >>>> >>>> Well, it happened after I applied the patch, so I think it is probably >>>> due to the selfservice patch. Is it really a new issue, or is it a >>>> regression that shouldn't have been introduced? >>>> >>>> >>> >>> Ok, not sure how my patch affected this but here is an updated patch >>> with it fixed. >>> >>> rob >> >> So far so good, but it still has the issue with the perms being >> displayed Base64. > > Note that this is only on what is shown back the the user after they > execute the command and are prompted for the permissions Updated patch attached rob -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-rcrit-633-3-self.patch Type: text/x-patch Size: 14817 bytes Desc: not available URL: From ayoung at redhat.com Wed Dec 8 19:12:58 2010 From: ayoung at redhat.com (Adam Young) Date: Wed, 08 Dec 2010 14:12:58 -0500 Subject: [Freeipa-devel] [PATCH] 633 add selfservice aci plugin In-Reply-To: <4CFFCFCB.2090804@redhat.com> References: <4CFEA82D.3050101@redhat.com> <4CFEF8CE.2080807@redhat.com> <4CFF0168.3020208@redhat.com> <4CFF9887.8000906@redhat.com> <4CFFAC12.8070504@redhat.com> <4CFFC4EB.404@redhat.com> <4CFFC625.2000809@redhat.com> <4CFFCFCB.2090804@redhat.com> Message-ID: <4CFFD8BA.7080104@redhat.com> On 12/08/2010 01:34 PM, Rob Crittenden wrote: > Adam Young wrote: >> On 12/08/2010 12:48 PM, Adam Young wrote: >>> On 12/08/2010 11:02 AM, Rob Crittenden wrote: >>>> Adam Young wrote: >>>>> On 12/07/2010 10:54 PM, Rob Crittenden wrote: >>>>>> Adam Young wrote: >>>>>>> On 12/07/2010 04:33 PM, Rob Crittenden wrote: >>>>>>>> Add plugin for manage self-service ACIs >>>>>>>> >>>>>>>> This is just a thin wrapper around the aci plugin, controlling >>>>>>>> what >>>>>>>> types of ACIs can be added. >>>>>>>> >>>>>>>> Right now only ACIs in the basedn can be managed with this plugin. >>>>>>>> >>>>>>>> I've got an e-mail into the UI folks to see if we can enhance >>>>>>>> this and >>>>>>>> ask the type of object we're creating a selfservice entry for. >>>>>>>> This >>>>>>>> way we can put the aci into the proper container. >>>>>>>> >>>>>>>> Otherwise I'm going to need to follow up to this and move a >>>>>>>> couple of >>>>>>>> self-service ACI's that are now in containers into the basedn. >>>>>>>> >>>>>>>> ticket 531 >>>>>>>> >>>>>>>> rob >>>>>>>> >>>>>>>> >>>>>>>> _______________________________________________ >>>>>>>> Freeipa-devel mailing list >>>>>>>> Freeipa-devel at redhat.com >>>>>>>> https://www.redhat.com/mailman/listinfo/freeipa-devel >>>>>>> Probably related to the failure above, after that, doin ipa >>>>>>> permission-find gave an error with the following in the log: >>>>>>> >>>>>>> >>>>>>> Sun Dec 05 20:09:51 2010] [error] ipa: ERROR: non-public: >>>>>>> TypeError: >>>>>>> tuple indices must be integers, not str >>>>>>> [Sun Dec 05 20:09:51 2010] [error] Traceback (most recent call >>>>>>> last): >>>>>>> [Sun Dec 05 20:09:51 2010] [error] File >>>>>>> "/usr/lib/python2.6/site-packages/ipaserver/rpcserver.py", line >>>>>>> 211, in >>>>>>> wsgi_execute >>>>>>> [Sun Dec 05 20:09:51 2010] [error] result = >>>>>>> self.Command[name](*args, >>>>>>> **options) >>>>>>> [Sun Dec 05 20:09:51 2010] [error] File >>>>>>> "/usr/lib/python2.6/site-packages/ipalib/frontend.py", line 417, in >>>>>>> __call__ >>>>>>> [Sun Dec 05 20:09:51 2010] [error] ret = self.run(*args, **options) >>>>>>> [Sun Dec 05 20:09:51 2010] [error] File >>>>>>> "/usr/lib/python2.6/site-packages/ipalib/frontend.py", line 690, >>>>>>> in run >>>>>>> [Sun Dec 05 20:09:51 2010] [error] return self.execute(*args, >>>>>>> **options) >>>>>>> [Sun Dec 05 20:09:51 2010] [error] File >>>>>>> "/usr/lib/python2.6/site-packages/ipalib/plugins/baseldap.py", line >>>>>>> 1228, in execute >>>>>>> [Sun Dec 05 20:09:51 2010] [error] more = callback(ldap, entries, >>>>>>> truncated, *args, **options) >>>>>>> [Sun Dec 05 20:09:51 2010] [error] File >>>>>>> "/usr/lib/python2.6/site-packages/ipalib/plugins/permission.py", >>>>>>> line >>>>>>> 313, in post_callback >>>>>>> [Sun Dec 05 20:09:51 2010] [error] if aci['permission'] == >>>>>>> entry['cn']: >>>>>>> [Sun Dec 05 20:09:51 2010] [error] TypeError: tuple indices must be >>>>>>> integers, not str >>>>>> >>>>>> This would be a separate problem, can you file a ticket on it? >>>>>> >>>>>> rob >>>>> >>>>> >>>>> Well, it happened after I applied the patch, so I think it is >>>>> probably >>>>> due to the selfservice patch. Is it really a new issue, or is it a >>>>> regression that shouldn't have been introduced? >>>>> >>>>> >>>> >>>> Ok, not sure how my patch affected this but here is an updated patch >>>> with it fixed. >>>> >>>> rob >>> >>> So far so good, but it still has the issue with the perms being >>> displayed Base64. >> >> Note that this is only on what is shown back the the user after they >> execute the command and are prompted for the permissions > > Updated patch attached ACK. Pushed to master > > rob From rcritten at redhat.com Wed Dec 8 19:30:03 2010 From: rcritten at redhat.com (Rob Crittenden) Date: Wed, 08 Dec 2010 14:30:03 -0500 Subject: [Freeipa-devel] [PATCH] Enable filtering search results by member attributes. In-Reply-To: <4CF57A43.8090006@redhat.com> References: <4CF34E28.2040209@redhat.com> <4CF46A18.3020906@redhat.com> <4CF57A43.8090006@redhat.com> Message-ID: <4CFFDCBB.9080505@redhat.com> Pavel Z?na wrote: > On 2010-11-30 04:06, Rob Crittenden wrote: >> Pavel Z?na wrote: >>> LDAPSearch base class has now the ability to generate additional >>> options for objects with member attributes. These options are >>> used to filter search results - search only for objects without >>> the specified members. >>> >>> Any class that extends LDAPSearch can benefit from this functionality. >>> This patch enables it for the following objects: >>> group, netgroup, rolegroup, hostgroup, taskgroup >>> >>> Example: >>> ipa group-find --no-users=admin >>> >>> Only direct members are taken into account, but if we need indirect >>> members as well - it's not a problem. >>> >>> Ticket #288 >>> >>> Pavel >> >> This works as advertised but I wonder what would happen if a huge list >> of members was passed in to ignore. Is there a limit on the search >> filter size (remember that the member will be translated into a full dn >> so will quickly grow in size). >> >> Should we impose a cofigurable limit on the # of members to be excluded? >> >> Is there a max search filter size and should we check that we haven't >> exceeded that before doing a search? >> >> rob > > I tried it out with more than a 1000 users and was getting an unwilling > to perform error (search filter nested too deep). > > After a little bit of investigation, I figured the filter was being > generated like this: > > (&(&(!(a=v))(!(a2=v2)))) > > We were going deeper with each additional DN! > > I updated the patch to generate the filter like this instead: > > (!(|(a=v)(a2=v2))) > > Tried it again with more than 1000 users (~55Kb) - it worked and wasn't > even slow. > > Updated patch attached. > > I also had to fix a bug in ldap2 filter generator, as a result this > patch depends on my patch number 43. > > Pavel You'll need to rebase this against master but otherwise ACK. It might be a small optimization to de-dupe the no-users list but it isn't a priority. rob From rcritten at redhat.com Wed Dec 8 19:31:10 2010 From: rcritten at redhat.com (Rob Crittenden) Date: Wed, 08 Dec 2010 14:31:10 -0500 Subject: [Freeipa-devel] [PATCH] Fix search filter generator in ldap2 for NOT operator. In-Reply-To: <4CF57A8C.9050707@redhat.com> References: <4CF57A8C.9050707@redhat.com> Message-ID: <4CFFDCFE.6010307@redhat.com> Pavel Z?na wrote: > Search filters generated from attributes with multiple values were > incorrect when the NOT operator was used (ldap.MATCH_NONE). > > Pavel ack, pushed to master From ayoung at redhat.com Wed Dec 8 21:42:57 2010 From: ayoung at redhat.com (Adam Young) Date: Wed, 08 Dec 2010 16:42:57 -0500 Subject: [Freeipa-devel] [PATCH] one liner for removing URL from error message Message-ID: <4CFFFBE1.7070702@redhat.com> Pushed under the one liner rule. -------------- next part -------------- A non-text attachment was scrubbed... Name: 0001-remove-URL-from-error-messages.patch Type: text/x-patch Size: 899 bytes Desc: not available URL: From rcritten at redhat.com Wed Dec 8 21:54:48 2010 From: rcritten at redhat.com (Rob Crittenden) Date: Wed, 08 Dec 2010 16:54:48 -0500 Subject: [Freeipa-devel] [PATCH] 637 group to group delegation Message-ID: <4CFFFEA8.6000609@redhat.com> Round out our trio of access control plugins. This adds group to group delegation where you can grant group A the ability to write a set of attributes of group B (v1-style delegation). rob -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-rcrit-637-delegation.patch Type: text/x-patch Size: 15944 bytes Desc: not available URL: From JR.Aquino at citrix.com Wed Dec 8 22:10:56 2010 From: JR.Aquino at citrix.com (JR Aquino) Date: Wed, 8 Dec 2010 22:10:56 +0000 Subject: [Freeipa-devel] [PATCH] sudo and netgroup schema compat updates In-Reply-To: <20101130233844.GF5731@redhat.com> Message-ID: I just had a chance to revisit this. It appears that the host piece still doesn't work quite right. This time, I am missing the sudoHost translation entirely. dn: ipaUniqueID=e52c8e06-0315-11e0-b2dd-8a3d259cb0b9,cn=sudorules,dc=example,dc =com objectClass: ipaassociation objectClass: ipasudorule ipaEnabledFlag: TRUE cn: devel ipaUniqueID: e52c8e06-0315-11e0-b2dd-8a3d259cb0b9 memberAllowCmd: cn=readonly,cn=sudocmdgroups,cn=accounts,dc=example,dc=com memberHost: cn=prod,cn=hostgroups,cn=accounts,dc=example,dc=com memberUser: cn=ops,cn=groups,cn=accounts,dc=example,dc=com dn: cn=devel,cn=sudoers,dc=example,dc=com objectClass: sudoRole sudoUser: %ops sudoCommand: /usr/bin/less cn: devel On 11/30/10 3:38 PM, "Nalin Dahyabhai" wrote: >This is what I've got now; I think it's correct. > > - fix quoting in the netgroup compat configuration entry > - don't bother looking for members of netgroups by looking for entries > which list "memberOf: $netgroup" -- the netgroup should list them as > "member" or "memberUser" or "memberHost" values > - use newer slapi-nis functionality to produce cn=sudoers > - drop the real cn=sudoers container to make room for the compat > container > >Feel free to adjust the "schema-compat-container-group" for the >"cn=sudoers,cn=Schema Compatibility,cn=plugins,cn=config" entry -- the >location of the compat sudo entries is of no concern to me. > >Cheers, > >Nalin >_______________________________________________ >Freeipa-devel mailing list >Freeipa-devel at redhat.com >https://www.redhat.com/mailman/listinfo/freeipa-devel From rcritten at redhat.com Wed Dec 8 22:26:45 2010 From: rcritten at redhat.com (Rob Crittenden) Date: Wed, 08 Dec 2010 17:26:45 -0500 Subject: [Freeipa-devel] [PATCH] 638 be smarter with alwaysask option Message-ID: <4D000625.7010500@redhat.com> The alwaysask option for params was meant to prompt for things that are needed but not strictly required, like when adding members to a group. We don't need to prompt if something is provided on the command-line though. ticket 604 rob -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-rcrit-638-ask.patch Type: text/x-patch Size: 1254 bytes Desc: not available URL: From rcritten at redhat.com Wed Dec 8 22:28:47 2010 From: rcritten at redhat.com (Rob Crittenden) Date: Wed, 08 Dec 2010 17:28:47 -0500 Subject: [Freeipa-devel] [PATCH] 634 fix automount tests In-Reply-To: <4CFFA542.4070506@redhat.com> References: <4CFEB2FC.4000406@redhat.com> <4CFFA542.4070506@redhat.com> Message-ID: <4D00069F.3070207@redhat.com> Jakub Hrozek wrote: > -----BEGIN PGP SIGNED MESSAGE----- > Hash: SHA1 > > On 12/07/2010 11:19 PM, Rob Crittenden wrote: >> While testing Jakub's patch I discovered that the automount tests were >> pretty badly broken (not related to his changes). This should fix things. >> >> rob >> >> >> > > All tests pass now. > > Ack pushed to master From JR.Aquino at citrix.com Wed Dec 8 22:30:03 2010 From: JR.Aquino at citrix.com (JR Aquino) Date: Wed, 8 Dec 2010 22:30:03 +0000 Subject: [Freeipa-devel] [PATCH 4] dbe instead of lde (ipa-compat-manage/ipa-nis-manage) Message-ID: The error handling refers to lde as a typo... When the exception occurs due to a database error, it gets captured as: dbe. This is a One line bug fix for compat and nis tools -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-jaquino-0004-dbe-instead-of-lde.patch Type: application/octet-stream Size: 1489 bytes Desc: freeipa-jaquino-0004-dbe-instead-of-lde.patch URL: From nalin at redhat.com Wed Dec 8 23:08:39 2010 From: nalin at redhat.com (Nalin Dahyabhai) Date: Wed, 8 Dec 2010 18:08:39 -0500 Subject: [Freeipa-devel] [PATCH] sudo and netgroup schema compat updates In-Reply-To: References: <20101130233844.GF5731@redhat.com> Message-ID: <20101208230839.GB2766@redhat.com> On Wed, Dec 08, 2010 at 10:10:56PM +0000, JR Aquino wrote: > I just had a chance to revisit this. > > It appears that the host piece still doesn't work quite right. > > This time, I am missing the sudoHost translation entirely. > > dn: > ipaUniqueID=e52c8e06-0315-11e0-b2dd-8a3d259cb0b9,cn=sudorules,dc=example,dc > =com > objectClass: ipaassociation > objectClass: ipasudorule > ipaEnabledFlag: TRUE > cn: devel > ipaUniqueID: e52c8e06-0315-11e0-b2dd-8a3d259cb0b9 > memberAllowCmd: cn=readonly,cn=sudocmdgroups,cn=accounts,dc=example,dc=com > memberHost: cn=prod,cn=hostgroups,cn=accounts,dc=example,dc=com > memberUser: cn=ops,cn=groups,cn=accounts,dc=example,dc=com > > dn: cn=devel,cn=sudoers,dc=example,dc=com > objectClass: sudoRole > sudoUser: %ops > sudoCommand: /usr/bin/less > cn: devel This is what I see when I manually add the ipaSudoRule entry to my test server: dn: cn=devel,cn=sudoers,dc=example,dc=com objectClass: sudoRole sudoUser: %ops sudoHost: auth4.ops.expertcity.com sudoCommand: /usr/bin/less cn: devel That's assuming the group and host entries you're using are still the same as the sample ones from a while back, of course. In the currently proposed configuration, the expansion of memberHost attribute values depends on functionality that's new in slapi-nis 0.20 and later. Which version are you using? Nalin From JR.Aquino at citrix.com Wed Dec 8 23:12:34 2010 From: JR.Aquino at citrix.com (JR Aquino) Date: Wed, 8 Dec 2010 23:12:34 +0000 Subject: [Freeipa-devel] [PATCH] sudo and netgroup schema compat updates In-Reply-To: <20101208230839.GB2766@redhat.com> Message-ID: >This is what I see when I manually add the ipaSudoRule entry to my test >server: > > dn: cn=devel,cn=sudoers,dc=example,dc=com > objectClass: sudoRole > sudoUser: %ops > sudoHost: auth4.ops.expertcity.com > sudoCommand: /usr/bin/less > cn: devel > >That's assuming the group and host entries you're using are still the >same as the sample ones from a while back, of course. > >In the currently proposed configuration, the expansion of memberHost >attribute values depends on functionality that's new in slapi-nis 0.20 >and later. Which version are you using? > >Nalin After a refresh: I can confirm that I also have the same info as you. I guess the piece that is still missing then is: Instead of: sudoHost: hostname.com It should be: sudoHost: +production <- which is the group assigned to the ipasudorule. From nalin at redhat.com Wed Dec 8 23:19:21 2010 From: nalin at redhat.com (Nalin Dahyabhai) Date: Wed, 8 Dec 2010 18:19:21 -0500 Subject: [Freeipa-devel] [PATCH] sudo and netgroup schema compat updates In-Reply-To: References: <20101208230839.GB2766@redhat.com> Message-ID: <20101208231921.GC2766@redhat.com> On Wed, Dec 08, 2010 at 11:12:34PM +0000, JR Aquino wrote: > I guess the piece that is still missing then is: > > Instead of: > > sudoHost: hostname.com > > It should be: > > sudoHost: +production <- which is the group assigned to the ipasudorule. The memberHost "cn=prod,cn=hostgroups,cn=accounts,dc=example,dc=com" in the rule is a hostgroup but not a netgroup, so I think it's doing the right thing by resolving the group down to its members' names. Nalin From JR.Aquino at citrix.com Wed Dec 8 23:24:47 2010 From: JR.Aquino at citrix.com (JR Aquino) Date: Wed, 8 Dec 2010 23:24:47 +0000 Subject: [Freeipa-devel] [PATCH] sudo and netgroup schema compat updates In-Reply-To: <20101208231921.GC2766@redhat.com> Message-ID: I should have included all three here is the ipanetgroup that corresponds to the prod hostgroup: dn: ipaUniqueID=b470b738-0315-11e0-8f01-8a3d259cb0b9,cn=ng,cn=alt,dc=example,dc =com objectClass: ipaobject objectClass: ipaassociation objectClass: ipanisnetgroup cn: prod description: prod nisDomainName: example.com ipaUniqueID: b470b738-0315-11e0-8f01-8a3d259cb0b9 memberHost: cn=prod,cn=hostgroups,cn=accounts,dc=example,dc=com On 12/8/10 3:19 PM, "Nalin Dahyabhai" wrote: >On Wed, Dec 08, 2010 at 11:12:34PM +0000, JR Aquino wrote: >> I guess the piece that is still missing then is: >> >> Instead of: >> >> sudoHost: hostname.com >> >> It should be: >> >> sudoHost: +production <- which is the group assigned to the ipasudorule. > >The memberHost "cn=prod,cn=hostgroups,cn=accounts,dc=example,dc=com" in >the rule is a hostgroup but not a netgroup, so I think it's doing the >right thing by resolving the group down to its members' names. > >Nalin From ssorce at redhat.com Wed Dec 8 23:48:01 2010 From: ssorce at redhat.com (Simo Sorce) Date: Wed, 8 Dec 2010 18:48:01 -0500 Subject: [Freeipa-devel] [PATCH/0027] Configure ntp as the first thing Message-ID: <20101208184801.4623792e@willson.li.ssimo.org> We must insure as much as possible that the time is correct on the system before installing any component to avoid bad dates in certs, ds entries and krb keys. Fixes bug #595 -- Simo Sorce * Red Hat, Inc * New York -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-simo-0027-Move-ntp-configuration-up-top.patch Type: text/x-patch Size: 1900 bytes Desc: not available URL: From ssorce at redhat.com Wed Dec 8 23:52:13 2010 From: ssorce at redhat.com (Simo Sorce) Date: Wed, 8 Dec 2010 18:52:13 -0500 Subject: [Freeipa-devel] [PATCH/0028] Make selfsign CA creation an independent step Message-ID: <20101208185213.0a99e2f8@willson.li.ssimo.org> When we are creating a selfsign file based CA, do it at the same time we would do the dogtag CA creation instead of doing it within the dsinstance. Also move around or changes some other related minor details to clean-up a bit the code. Automatically publishes the CA cert to /etc/ipa/ca.crt, this fixes #544 as now the code gets the cert from there and the cert is put there at CA creation time before any instance has been invoked. Simo. -- Simo Sorce * Red Hat, Inc * New York -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-simo-0028-Move-Selfsigned-CA-creation-out-of-dsinstance.patch Type: text/x-patch Size: 18580 bytes Desc: not available URL: From jzeleny at redhat.com Thu Dec 9 08:38:38 2010 From: jzeleny at redhat.com (Jan =?iso-8859-15?q?Zelen=FD?=) Date: Thu, 9 Dec 2010 09:38:38 +0100 Subject: [Freeipa-devel] [PATCH] 635 wait for memberof plugin when doing reverse members In-Reply-To: <4CFF0848.3030903@redhat.com> References: <4CFF0848.3030903@redhat.com> Message-ID: <201012090938.38310.jzeleny@redhat.com> Rob Crittenden wrote: > Give the memberof plugin time to work when adding/removing reverse members. > > When we add/remove reverse members it looks like we're operating on > group A but we're really operating on group B. This adds/removes the > member attribute on group B and the memberof plugin adds the memberof > attribute into group A. > > We need to give the memberof plugin a chance to do its work so loop a > few times, reading the entry to see if the number of memberof is more or > less what we expect. Bail out if it is taking too long. > > ticket 560 > > rob About that FIXME you got there: I'm not sure if it wouldn't be better to handle the possible exception right in the wait_for_memberof method (I guess it depends on what exception are we expecting and what are we going to do with it?). If you want the exception to reach the calling function, I'd like to see some kind of exception handling in that function - either to let the user know that the error occurred during this waiting or maybe to disregard the exception and continue normal operation. Some nitpicking: I'm confused - in the doc string you state that "this will loop for 6+ seconds" and a couple lines below, you have a comment "Don't sleep for more that 6 seconds" - is there a mistake ar are these two statements unrelated? Jan From jzeleny at redhat.com Thu Dec 9 08:54:57 2010 From: jzeleny at redhat.com (Jan =?iso-8859-15?q?Zelen=FD?=) Date: Thu, 9 Dec 2010 09:54:57 +0100 Subject: [Freeipa-devel] [PATCH] Modified ipa help behavior In-Reply-To: <201012081637.39615.jzeleny@redhat.com> References: <201011080926.12248.jzeleny@redhat.com> <201012081637.39615.jzeleny@redhat.com> Message-ID: <201012090954.57062.jzeleny@redhat.com> Jan Zelen? wrote: > Jan Zelen? wrote: > > Now each plugin can define its topic as a 2-tuple, where the first > > item is the name of topic it belongs to and the second item is > > a description of such topic. Topic descriptions must be the same > > for all modules belonging to the topic. > > > > By using this topics, it is possible to group plugins as we see fit. > > When asking for help for a particular topic, help for all modules > > in given topic is written. > > > > ipa help - show all topics (until now it showed all plugins) > > ipa help - show details to given topic > > > > https://fedorahosted.org/freeipa/ticket/410 > > So here it is: I'm sending couple patches which resolve the ticket and > implement grouping the way we previously discussed. Please feel free to > send me any recommendations if anything should be modified. Here's updated version of 0014 (changed type detection from type(var) is type({}) to type(var) is dict) Jan -------------- next part -------------- A non-text attachment was scrubbed... Name: jzeleny-freeipa-0014-02-Changed-concept-of-ipa-help.patch Type: text/x-patch Size: 8290 bytes Desc: not available URL: From jzeleny at redhat.com Thu Dec 9 09:20:18 2010 From: jzeleny at redhat.com (Jan =?iso-8859-15?q?Zelen=FD?=) Date: Thu, 9 Dec 2010 10:20:18 +0100 Subject: [Freeipa-devel] [PATCH] 636 Properly handle multi-valued attributes when using setattr/addattr In-Reply-To: <4CFFCEF5.4090804@redhat.com> References: <4CFFCEF5.4090804@redhat.com> Message-ID: <201012091020.18425.jzeleny@redhat.com> Rob Crittenden wrote: > The problem was that the normalizer was returning each value as a tuple > which we were then appending to a list, so it looked like [(u'value1',), > (u'value2',),...]. If there was a single value we could end up adding a > tuple to a list which would fail. Additionally python-ldap doesn't like > lists of lists so it was failing later in the process as well. > > I've added some simple tests for setattr and addattr. > > ticket 565 One question? Why are you removing radiusprofile string in chunk #3? Other than that the patch is fine. Jan From jzeleny at redhat.com Thu Dec 9 09:31:02 2010 From: jzeleny at redhat.com (Jan =?iso-8859-15?q?Zelen=FD?=) Date: Thu, 9 Dec 2010 10:31:02 +0100 Subject: [Freeipa-devel] [PATCH] 638 be smarter with alwaysask option In-Reply-To: <4D000625.7010500@redhat.com> References: <4D000625.7010500@redhat.com> Message-ID: <201012091031.02903.jzeleny@redhat.com> Rob Crittenden wrote: > The alwaysask option for params was meant to prompt for things that are > needed but not strictly required, like when adding members to a group. > > We don't need to prompt if something is provided on the command-line > though. > > ticket 604 > > rob ACK Jan From jzeleny at redhat.com Thu Dec 9 09:33:05 2010 From: jzeleny at redhat.com (Jan =?iso-8859-15?q?Zelen=FD?=) Date: Thu, 9 Dec 2010 10:33:05 +0100 Subject: [Freeipa-devel] [PATCH 4] dbe instead of lde (ipa-compat-manage/ipa-nis-manage) In-Reply-To: References: Message-ID: <201012091033.05281.jzeleny@redhat.com> JR Aquino wrote: > The error handling refers to lde as a typo... When the exception occurs > due to a database error, it gets captured as: dbe. > > This is a One line bug fix for compat and nis tools ACK Jan From jzeleny at redhat.com Thu Dec 9 09:37:47 2010 From: jzeleny at redhat.com (Jan =?iso-8859-15?q?Zelen=FD?=) Date: Thu, 9 Dec 2010 10:37:47 +0100 Subject: [Freeipa-devel] [PATCH/0027] Configure ntp as the first thing In-Reply-To: <20101208184801.4623792e@willson.li.ssimo.org> References: <20101208184801.4623792e@willson.li.ssimo.org> Message-ID: <201012091037.47369.jzeleny@redhat.com> Simo Sorce wrote: > We must insure as much as possible that the time is correct on the > system before installing any component to avoid bad dates in certs, ds > entries and krb keys. > > Fixes bug #595 ACK Jan From pzuna at redhat.com Thu Dec 9 12:41:11 2010 From: pzuna at redhat.com (Pavel Zuna) Date: Thu, 09 Dec 2010 13:41:11 +0100 Subject: [Freeipa-devel] [PATCH] Enable filtering search results by member attributes. In-Reply-To: <4CFFDCBB.9080505@redhat.com> References: <4CF34E28.2040209@redhat.com> <4CF46A18.3020906@redhat.com> <4CF57A43.8090006@redhat.com> <4CFFDCBB.9080505@redhat.com> Message-ID: <4D00CE67.4010208@redhat.com> On 12/08/2010 08:30 PM, Rob Crittenden wrote: > Pavel Z?na wrote: >> On 2010-11-30 04:06, Rob Crittenden wrote: >>> Pavel Z?na wrote: >>>> LDAPSearch base class has now the ability to generate additional >>>> options for objects with member attributes. These options are >>>> used to filter search results - search only for objects without >>>> the specified members. >>>> >>>> Any class that extends LDAPSearch can benefit from this functionality. >>>> This patch enables it for the following objects: >>>> group, netgroup, rolegroup, hostgroup, taskgroup >>>> >>>> Example: >>>> ipa group-find --no-users=admin >>>> >>>> Only direct members are taken into account, but if we need indirect >>>> members as well - it's not a problem. >>>> >>>> Ticket #288 >>>> >>>> Pavel >>> >>> This works as advertised but I wonder what would happen if a huge list >>> of members was passed in to ignore. Is there a limit on the search >>> filter size (remember that the member will be translated into a full dn >>> so will quickly grow in size). >>> >>> Should we impose a cofigurable limit on the # of members to be excluded? >>> >>> Is there a max search filter size and should we check that we haven't >>> exceeded that before doing a search? >>> >>> rob >> >> I tried it out with more than a 1000 users and was getting an unwilling >> to perform error (search filter nested too deep). >> >> After a little bit of investigation, I figured the filter was being >> generated like this: >> >> (&(&(!(a=v))(!(a2=v2)))) >> >> We were going deeper with each additional DN! >> >> I updated the patch to generate the filter like this instead: >> >> (!(|(a=v)(a2=v2))) >> >> Tried it again with more than 1000 users (~55Kb) - it worked and wasn't >> even slow. >> >> Updated patch attached. >> >> I also had to fix a bug in ldap2 filter generator, as a result this >> patch depends on my patch number 43. >> >> Pavel > > You'll need to rebase this against master but otherwise ACK. > > It might be a small optimization to de-dupe the no-users list but it > isn't a priority. > > rob Re-based patch attached. Pavel -------------- next part -------------- A non-text attachment was scrubbed... Name: pzuna-freeipa-0042-3-filterenroll.patch Type: text/x-patch Size: 4576 bytes Desc: not available URL: From ssorce at redhat.com Thu Dec 9 13:30:16 2010 From: ssorce at redhat.com (Simo Sorce) Date: Thu, 9 Dec 2010 08:30:16 -0500 Subject: [Freeipa-devel] [PATCH/0027] Configure ntp as the first thing In-Reply-To: <201012091037.47369.jzeleny@redhat.com> References: <20101208184801.4623792e@willson.li.ssimo.org> <201012091037.47369.jzeleny@redhat.com> Message-ID: <20101209083016.4909f4b3@willson.li.ssimo.org> On Thu, 9 Dec 2010 10:37:47 +0100 Jan Zelen? wrote: > Simo Sorce wrote: > > We must insure as much as possible that the time is correct on the > > system before installing any component to avoid bad dates in certs, > > ds entries and krb keys. > > > > Fixes bug #595 > > ACK Pushed to master Simo. -- Simo Sorce * Red Hat, Inc * New York From pzuna at redhat.com Thu Dec 9 13:52:42 2010 From: pzuna at redhat.com (Pavel Zuna) Date: Thu, 09 Dec 2010 14:52:42 +0100 Subject: [Freeipa-devel] [PATCH] Introduce new env variable, enable_dns=True, if IPA is managing DNS. Message-ID: <4D00DF2A.4090606@redhat.com> if api.env.enable_dns: print "DNS is managed by IPA" ==== ipa env | grep "enable_dns: True" > /devnull && echo "DNS is managed by IPA" ==== Ticket #600 Pavel -------------- next part -------------- A non-text attachment was scrubbed... Name: pzuna-freeipa-0045-dnsenv.patch Type: text/x-patch Size: 1507 bytes Desc: not available URL: From jhrozek at redhat.com Thu Dec 9 14:00:21 2010 From: jhrozek at redhat.com (Jakub Hrozek) Date: Thu, 09 Dec 2010 15:00:21 +0100 Subject: [Freeipa-devel] [PATCH] 0025 Restructure startup code for IPA servers In-Reply-To: <20101207115345.1a2a9ca6@willson.li.ssimo.org> References: <20101207115345.1a2a9ca6@willson.li.ssimo.org> Message-ID: <4D00E0F5.2060301@redhat.com> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 On 12/07/2010 05:53 PM, Simo Sorce wrote: > > With this patch we stop relying on the system to init single ipa > components and instead introduce a "ipa" init script that takes care of > properly starting/stopping all relevant components. > > Components are listed with a generic label in LDAP, per server. > At startup the ipa init script will always start drisrv, then use the > local socket to query it anonymously[*] and get the list of service to > start with a ordering paramater. > > And it will then proceed to start each single service. > On failure it will shut them all down. > > On stoppping ti shuts them down in inverse order. > > Only the ipa service is enabled with chkconfig, all other handled > services are off in chkconfig and started by the ipa service instead. > > [*] We can create an account if we think this is not good enough, but I > would ask to have a separate ticket and handle this change as an > additional patch if we feel the need to do that. > > Simo. The patch seems to work fine, I just have one question: the script uses #!/usr/bin/env python as the interpreter. While this is generally used in python scripts to allow multiple interpreters, I recall it was discouraged in Fedora (and I'm pretty sure[1] it is discouraged in RHEL, although that could be solved by a RHEL-specific patch) So do we prefer /usr/bin/python or /usr/bin/env python ? Jakub [1] https://bugzilla.redhat.com/show_bug.cgi?id=521940 -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.11 (GNU/Linux) Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org/ iEYEARECAAYFAk0A4PQACgkQHsardTLnvCUPWgCfbGF0DX6SD+S7njabAN0E/k8C 6qcAn3OqsH9XDq6AMV1l/xyZ+GTYQVNL =BKpA -----END PGP SIGNATURE----- From dpal at redhat.com Thu Dec 9 14:17:22 2010 From: dpal at redhat.com (Dmitri Pal) Date: Thu, 9 Dec 2010 09:17:22 -0500 (EST) Subject: [Freeipa-devel] [PATCH] Introduce new env variable, enable_dns=True, if IPA is managing DNS. In-Reply-To: <4D00DF2A.4090606@redhat.com> Message-ID: <1180048278.367621291904242433.JavaMail.root@zmail07.collab.prod.int.phx2.redhat.com> Question: Do we support situation when one replica has DNS and another does not? In other words is DNS integration an instance property or a domain property? I do not know is it a good or a bad thing but if it is per instance the UI/CLI from the same client will act differently depending on the DNS configuration of the instance. Might be very confusing. At least we need to document it to set the right expectations. Otherwise if the CLI/UI failed over to not DNS enabled replica the admin would be puzzled why his command line stopped working or where the DNS panel in the UI. Thoughts? ----- Original Message ----- From: "Pavel Zuna" To: "freeipa-devel" Sent: Thursday, December 9, 2010 8:52:42 AM GMT -05:00 US/Canada Eastern Subject: [Freeipa-devel] [PATCH] Introduce new env variable, enable_dns=True, if IPA is managing DNS. if api.env.enable_dns: print "DNS is managed by IPA" ==== ipa env | grep "enable_dns: True" > /devnull && echo "DNS is managed by IPA" ==== Ticket #600 Pavel _______________________________________________ Freeipa-devel mailing list Freeipa-devel at redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel From ssorce at redhat.com Thu Dec 9 14:54:24 2010 From: ssorce at redhat.com (Simo Sorce) Date: Thu, 9 Dec 2010 09:54:24 -0500 Subject: [Freeipa-devel] [PATCH] 0025 Restructure startup code for IPA servers In-Reply-To: <4D00E0F5.2060301@redhat.com> References: <20101207115345.1a2a9ca6@willson.li.ssimo.org> <4D00E0F5.2060301@redhat.com> Message-ID: <20101209095424.388b8f10@willson.li.ssimo.org> On Thu, 09 Dec 2010 15:00:21 +0100 Jakub Hrozek wrote: > -----BEGIN PGP SIGNED MESSAGE----- > Hash: SHA1 > > On 12/07/2010 05:53 PM, Simo Sorce wrote: > > > > With this patch we stop relying on the system to init single ipa > > components and instead introduce a "ipa" init script that takes > > care of properly starting/stopping all relevant components. > > > > Components are listed with a generic label in LDAP, per server. > > At startup the ipa init script will always start drisrv, then use > > the local socket to query it anonymously[*] and get the list of > > service to start with a ordering paramater. > > > > And it will then proceed to start each single service. > > On failure it will shut them all down. > > > > On stoppping ti shuts them down in inverse order. > > > > Only the ipa service is enabled with chkconfig, all other handled > > services are off in chkconfig and started by the ipa service > > instead. > > > > [*] We can create an account if we think this is not good enough, > > but I would ask to have a separate ticket and handle this change as > > an additional patch if we feel the need to do that. > > > > Simo. > > The patch seems to work fine, I just have one question: the script > uses #!/usr/bin/env python as the interpreter. While this is > generally used in python scripts to allow multiple interpreters, I > recall it was discouraged in Fedora (and I'm pretty sure[1] it is > discouraged in RHEL, although that could be solved by a RHEL-specific > patch) > > So do we prefer /usr/bin/python or /usr/bin/env python ? > > Jakub > > [1] https://bugzilla.redhat.com/show_bug.cgi?id=521940 I just copied that part from another of our scripts. If you think we should change this, I would open a generic ticket and go through all the python script and make a consistent change to all of them. Simo. -- Simo Sorce * Red Hat, Inc * New York From edewata at redhat.com Thu Dec 9 15:31:49 2010 From: edewata at redhat.com (Endi Sukma Dewata) Date: Thu, 09 Dec 2010 09:31:49 -0600 Subject: [Freeipa-devel] [PATCH] SUDO adjustments Message-ID: <4D00F665.4050001@redhat.com> Hi, Please review the attached patch. Thanks! https://fedorahosted.org/reviewboard/r/114/ The SUDO rule details facet has been updated to support the latest UI spec. The facet consists of 5 sections: general, users, hosts, commands, and run-as. The general section contains the SUDO rule description and status. If the status is changed, the sudorule-enable/disable will be invoked. The other sections contain radio buttons for the association category and tables for the members. When a member is added or removed, the category will be adjusted appropriately. If the category is changed to 'all', 'allow', or 'deny', all members will be removed. The last section is currently not working because backend support is not yet available. The adder dialog boxes for users, groups, and hosts has been modified to accept external identities. The layout for the base adder dialog was updated. The base dialog class was updated to support templates. The SUDO dialog boxes were implemented using templates. New CSS classes were added to ipa.css. The HBAC rule details facet has been updated as well. -- Endi S. Dewata -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-edewata-0053-SUDO-adjustments.patch Type: text/x-patch Size: 84011 bytes Desc: not available URL: From rcritten at redhat.com Thu Dec 9 15:36:14 2010 From: rcritten at redhat.com (Rob Crittenden) Date: Thu, 09 Dec 2010 10:36:14 -0500 Subject: [Freeipa-devel] [PATCH] 635 wait for memberof plugin when doing reverse members In-Reply-To: <201012090938.38310.jzeleny@redhat.com> References: <4CFF0848.3030903@redhat.com> <201012090938.38310.jzeleny@redhat.com> Message-ID: <4D00F76E.8020800@redhat.com> Jan Zelen? wrote: > Rob Crittenden wrote: >> Give the memberof plugin time to work when adding/removing reverse members. >> >> When we add/remove reverse members it looks like we're operating on >> group A but we're really operating on group B. This adds/removes the >> member attribute on group B and the memberof plugin adds the memberof >> attribute into group A. >> >> We need to give the memberof plugin a chance to do its work so loop a >> few times, reading the entry to see if the number of memberof is more or >> less what we expect. Bail out if it is taking too long. >> >> ticket 560 >> >> rob > > About that FIXME you got there: I'm not sure if it wouldn't be better to > handle the possible exception right in the wait_for_memberof method (I guess > it depends on what exception are we expecting and what are we going to do with > it?). If you want the exception to reach the calling function, I'd like to see > some kind of exception handling in that function - either to let the user know > that the error occurred during this waiting or maybe to disregard the > exception and continue normal operation. The types of exceptions could run the gambit but I was wondering what would happen if we were looping and some other user deleted the role. The next search for it would fail with NotFound. Granted this isn't a very friendly message to return to someone after adding a member to the group but it does sort of make sense (someone deleted it concurrently). It seemed best to just let this filter up to the caller. > > Some nitpicking: I'm confused - in the doc string you state that "this will > loop for 6+ seconds" and a couple lines below, you have a comment "Don't sleep > for more that 6 seconds" - is there a mistake ar are these two statements > unrelated? Yeah, I was afraid that might be confusing. I'll wait .3 seconds 20 times so 6 seconds. There are a few LDAP calls which take a bit of time as well, so it will be 6+ seconds if it goes the whole time. rob From rcritten at redhat.com Thu Dec 9 15:36:56 2010 From: rcritten at redhat.com (Rob Crittenden) Date: Thu, 09 Dec 2010 10:36:56 -0500 Subject: [Freeipa-devel] [PATCH] 636 Properly handle multi-valued attributes when using setattr/addattr In-Reply-To: <201012091020.18425.jzeleny@redhat.com> References: <4CFFCEF5.4090804@redhat.com> <201012091020.18425.jzeleny@redhat.com> Message-ID: <4D00F798.3070003@redhat.com> Jan Zelen? wrote: > Rob Crittenden wrote: >> The problem was that the normalizer was returning each value as a tuple >> which we were then appending to a list, so it looked like [(u'value1',), >> (u'value2',),...]. If there was a single value we could end up adding a >> tuple to a list which would fail. Additionally python-ldap doesn't like >> lists of lists so it was failing later in the process as well. >> >> I've added some simple tests for setattr and addattr. >> >> ticket 565 > > One question? Why are you removing radiusprofile string in chunk #3? Other than > that the patch is fine. I had removed it from the default user objectclasses in another patch and hadn't removed it here. I'm removing it now so the tests I added pass. rob From rcritten at redhat.com Thu Dec 9 16:30:57 2010 From: rcritten at redhat.com (Rob Crittenden) Date: Thu, 09 Dec 2010 11:30:57 -0500 Subject: [Freeipa-devel] [PATCH] 637 group to group delegation In-Reply-To: <4CFFFEA8.6000609@redhat.com> References: <4CFFFEA8.6000609@redhat.com> Message-ID: <4D010441.1000609@redhat.com> Rob Crittenden wrote: > Round out our trio of access control plugins. This adds group to group > delegation where you can grant group A the ability to write a set of > attributes of group B (v1-style delegation). > > rob I'm withdrawing this patch, needs more work. rob From ayoung at redhat.com Thu Dec 9 16:35:30 2010 From: ayoung at redhat.com (Adam Young) Date: Thu, 09 Dec 2010 11:35:30 -0500 Subject: [Freeipa-devel] [PATCH] Introduce new env variable, enable_dns=True, if IPA is managing DNS. In-Reply-To: <1180048278.367621291904242433.JavaMail.root@zmail07.collab.prod.int.phx2.redhat.com> References: <1180048278.367621291904242433.JavaMail.root@zmail07.collab.prod.int.phx2.redhat.com> Message-ID: <4D010552.2010804@redhat.com> On 12/09/2010 09:17 AM, Dmitri Pal wrote: > Question: > > Do we support situation when one replica has DNS and another does not? > In other words is DNS integration an instance property or a domain property? > I do not know is it a good or a bad thing but if it is per instance the UI/CLI from the same client will act differently depending on the DNS configuration of the instance. > Might be very confusing. At least we need to document it to set the right expectations. Otherwise if the CLI/UI failed over to not DNS enabled replica the admin would be puzzled why his command line stopped working or where the DNS panel in the UI. > > Thoughts? > In those cases, the LDAP values will get syncronized, but the DNS server just won't show them, right? My understanding is that, In this patch, the value is put into the config file, and so it will reflect the state of the server, not the LDAP database. Thus, this is the right approach. > ----- Original Message ----- > From: "Pavel Zuna" > To: "freeipa-devel" > Sent: Thursday, December 9, 2010 8:52:42 AM GMT -05:00 US/Canada Eastern > Subject: [Freeipa-devel] [PATCH] Introduce new env variable, enable_dns=True, if IPA is managing DNS. > > if api.env.enable_dns: > print "DNS is managed by IPA" > > ==== > > ipa env | grep "enable_dns: True"> /devnull&& echo "DNS is managed by IPA" > > ==== > > Ticket #600 > > Pavel > > _______________________________________________ > Freeipa-devel mailing list > Freeipa-devel at redhat.com > https://www.redhat.com/mailman/listinfo/freeipa-devel > > _______________________________________________ > Freeipa-devel mailing list > Freeipa-devel at redhat.com > https://www.redhat.com/mailman/listinfo/freeipa-devel > From edewata at redhat.com Thu Dec 9 16:54:34 2010 From: edewata at redhat.com (Endi Sukma Dewata) Date: Thu, 09 Dec 2010 10:54:34 -0600 Subject: [Freeipa-devel] [PATCH] Section header prefix update Message-ID: <4D0109CA.1050407@redhat.com> Hi, Please review the attached patch. This should fix this ticket: https://fedorahosted.org/freeipa/ticket/552 The '+' and '-' signs before the section headers in details facet are now enclosed in square brackets. The section content is now hidden/shown using slideToggle(). The ipa_details_create() and ipa_details_setup() have been moved into ipa_details_facet. Thanks! -- Endi S. Dewata -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-edewata-0054-Section-header-prefix-update.patch Type: text/x-patch Size: 7545 bytes Desc: not available URL: From dpal at redhat.com Thu Dec 9 17:56:52 2010 From: dpal at redhat.com (Dmitri Pal) Date: Thu, 09 Dec 2010 12:56:52 -0500 Subject: [Freeipa-devel] [PATCH] Introduce new env variable, enable_dns=True, if IPA is managing DNS. In-Reply-To: <4D010552.2010804@redhat.com> References: <1180048278.367621291904242433.JavaMail.root@zmail07.collab.prod.int.phx2.redhat.com> <4D010552.2010804@redhat.com> Message-ID: <4D011864.4090404@redhat.com> Adam Young wrote: > On 12/09/2010 09:17 AM, Dmitri Pal wrote: >> Question: >> >> Do we support situation when one replica has DNS and another does not? >> In other words is DNS integration an instance property or a domain >> property? >> I do not know is it a good or a bad thing but if it is per instance >> the UI/CLI from the same client will act differently depending on the >> DNS configuration of the instance. >> Might be very confusing. At least we need to document it to set the >> right expectations. Otherwise if the CLI/UI failed over to not DNS >> enabled replica the admin would be puzzled why his command line >> stopped working or where the DNS panel in the UI. >> >> Thoughts? >> > In those cases, the LDAP values will get syncronized, but the DNS > server just won't show them, right? > > My understanding is that, In this patch, the value is put into the > config file, and so it will reflect the state of the server, not the > LDAP database. Thus, this is the right approach. No it is not the right approach. We do not care about a server. As long as there is any replica that runs DNS all replicas should show the DNS UI. The decision must be made on the replicated data rather than local config. > > > >> ----- Original Message ----- >> From: "Pavel Zuna" >> To: "freeipa-devel" >> Sent: Thursday, December 9, 2010 8:52:42 AM GMT -05:00 US/Canada Eastern >> Subject: [Freeipa-devel] [PATCH] Introduce new env variable, >> enable_dns=True, if IPA is managing DNS. >> >> if api.env.enable_dns: >> print "DNS is managed by IPA" >> >> ==== >> >> ipa env | grep "enable_dns: True"> /devnull&& echo "DNS is managed >> by IPA" >> >> ==== >> >> Ticket #600 >> >> Pavel >> >> _______________________________________________ >> Freeipa-devel mailing list >> Freeipa-devel at redhat.com >> https://www.redhat.com/mailman/listinfo/freeipa-devel >> >> _______________________________________________ >> Freeipa-devel mailing list >> Freeipa-devel at redhat.com >> https://www.redhat.com/mailman/listinfo/freeipa-devel >> > > _______________________________________________ > Freeipa-devel mailing list > Freeipa-devel at redhat.com > https://www.redhat.com/mailman/listinfo/freeipa-devel > > -- Thank you, Dmitri Pal Sr. Engineering Manager IPA project, Red Hat Inc. ------------------------------- Looking to carve out IT costs? www.redhat.com/carveoutcosts/ From dpal at redhat.com Thu Dec 9 18:03:28 2010 From: dpal at redhat.com (Dmitri Pal) Date: Thu, 09 Dec 2010 13:03:28 -0500 Subject: [Freeipa-devel] [PATCH] sudo and netgroup schema compat updates In-Reply-To: <20101208231921.GC2766@redhat.com> References: <20101208230839.GB2766@redhat.com> <20101208231921.GC2766@redhat.com> Message-ID: <4D0119F0.9000209@redhat.com> Nalin Dahyabhai wrote: > On Wed, Dec 08, 2010 at 11:12:34PM +0000, JR Aquino wrote: > >> I guess the piece that is still missing then is: >> >> Instead of: >> >> sudoHost: hostname.com >> >> It should be: >> >> sudoHost: +production <- which is the group assigned to the ipasudorule. >> > > The memberHost "cn=prod,cn=hostgroups,cn=accounts,dc=example,dc=com" in > the rule is a hostgroup but not a netgroup, so I think it's doing the > right thing by resolving the group down to its members' names. > > JR, Can we check that we are running with the same test data set? In the data set that Nalin uses the sudo rule points to a host group so according to the rules it gets expanded. Have you implemented a capability to add a netgroup to the the memberHost in the SUDO plugin? If you make a netgroup a member of the SUDO rule the compat plugin will do what you expect. Thanks Dmitri > Nalin > > _______________________________________________ > Freeipa-devel mailing list > Freeipa-devel at redhat.com > https://www.redhat.com/mailman/listinfo/freeipa-devel > > > -- Thank you, Dmitri Pal Sr. Engineering Manager IPA project, Red Hat Inc. ------------------------------- Looking to carve out IT costs? www.redhat.com/carveoutcosts/ From JR.Aquino at citrix.com Thu Dec 9 18:25:28 2010 From: JR.Aquino at citrix.com (JR Aquino) Date: Thu, 9 Dec 2010 18:25:28 +0000 Subject: [Freeipa-devel] [PATCH] sudo and netgroup schema compat updates In-Reply-To: <4D0119F0.9000209@redhat.com> Message-ID: On 12/9/10 10:03 AM, "Dmitri Pal" wrote: >Nalin Dahyabhai wrote: >> On Wed, Dec 08, 2010 at 11:12:34PM +0000, JR Aquino wrote: >> >>> I guess the piece that is still missing then is: >>> >>> Instead of: >>> >>> sudoHost: hostname.com >>> >>> It should be: >>> >>> sudoHost: +production <- which is the group assigned to the >>>ipasudorule. >>> >> >> The memberHost "cn=prod,cn=hostgroups,cn=accounts,dc=example,dc=com" in >> the rule is a hostgroup but not a netgroup, so I think it's doing the >> right thing by resolving the group down to its members' names. >> >> >JR, > >Can we check that we are running with the same test data set? >In the data set that Nalin uses the sudo rule points to a host group so >according to the rules it gets expanded. >Have you implemented a capability to add a netgroup to the the >memberHost in the SUDO plugin? >If you make a netgroup a member of the SUDO rule the compat plugin will >do what you expect. > >Thanks >Dmitri Dmitri, you were absolutely correct!!! Thank you for setting me straight. Changing the memberhost in the sudorole from a hostgroup to a netgroup solved the issue. It is representing correctly as +prod now! Observation: A ticket was created for me to design a 'Managed Entry' plugin which automatically mirrored netgroups out of hostgroups which are created. FreeIPA's implementation of sudo has thus far been separated between, an IPAsudo object, and a compat translated sudo object. Might it be a more lasting solution to have the compat and sudo plugin refer to the hostgroup object and allow for the Managed Entry and 'NIS Compat' pieces handle the sudo native translations? That way we have a stand alone ipa centric model that allows us to completely strip away the translation pieces when they are no longer necessary (when sudo supports sssd). Or would it make more sense to just modify the sudo plugin to allow for: a single host, a hostgroup, and a netgroup as options for the memberHost attr? Thoughts? From ssorce at redhat.com Thu Dec 9 18:34:18 2010 From: ssorce at redhat.com (Simo Sorce) Date: Thu, 9 Dec 2010 13:34:18 -0500 (EST) Subject: [Freeipa-devel] [PATCH] Introduce new env variable, enable_dns=True, if IPA is managing DNS. In-Reply-To: <4D00DF2A.4090606@redhat.com> Message-ID: <1982415185.475451291919658489.JavaMail.root@zmail05.collab.prod.int.phx2.redhat.com> ----- "Pavel Zuna" wrote: > if api.env.enable_dns: > print "DNS is managed by IPA" > > ==== > > ipa env | grep "enable_dns: True" > /devnull && echo "DNS is managed > by IPA" > > ==== > > Ticket #600 Nack, sorry the approach is completely wrong. As discussed on IRC you should search the LDAP server and see if the DNS service is enabled for at least one master under cn=masters,cn=ipa,cn=etc,$SUFFIX This new data is only available after my patch 0025 is pushed. Simo. From dpal at redhat.com Thu Dec 9 18:58:32 2010 From: dpal at redhat.com (Dmitri Pal) Date: Thu, 09 Dec 2010 13:58:32 -0500 Subject: [Freeipa-devel] [PATCH] sudo and netgroup schema compat updates In-Reply-To: References: Message-ID: <4D0126D8.2030307@redhat.com> JR Aquino wrote: > On 12/9/10 10:03 AM, "Dmitri Pal" wrote: > > >> Nalin Dahyabhai wrote: >> >>> On Wed, Dec 08, 2010 at 11:12:34PM +0000, JR Aquino wrote: >>> >>> >>>> I guess the piece that is still missing then is: >>>> >>>> Instead of: >>>> >>>> sudoHost: hostname.com >>>> >>>> It should be: >>>> >>>> sudoHost: +production <- which is the group assigned to the >>>> ipasudorule. >>>> >>>> >>> The memberHost "cn=prod,cn=hostgroups,cn=accounts,dc=example,dc=com" in >>> the rule is a hostgroup but not a netgroup, so I think it's doing the >>> right thing by resolving the group down to its members' names. >>> >>> >>> >> JR, >> >> Can we check that we are running with the same test data set? >> In the data set that Nalin uses the sudo rule points to a host group so >> according to the rules it gets expanded. >> Have you implemented a capability to add a netgroup to the the >> memberHost in the SUDO plugin? >> If you make a netgroup a member of the SUDO rule the compat plugin will >> do what you expect. >> >> Thanks >> Dmitri >> > > Dmitri, you were absolutely correct!!! > > Thank you for setting me straight. > > Changing the memberhost in the sudorole from a hostgroup to a netgroup > solved the issue. It is representing correctly as +prod now! > > Observation: > > A ticket was created for me to design a 'Managed Entry' plugin which > automatically mirrored netgroups out of hostgroups which are created. > > FreeIPA's implementation of sudo has thus far been separated between, an > IPAsudo object, and a compat translated sudo object. > > Might it be a more lasting solution to have the compat and sudo plugin > refer to the hostgroup object and allow for the Managed Entry and 'NIS > Compat' pieces handle the sudo native translations? > > That way we have a stand alone ipa centric model that allows us to > completely strip away the translation pieces when they are no longer > necessary (when sudo supports sssd). > > Or would it make more sense to just modify the sudo plugin to allow for: a > single host, a hostgroup, and a netgroup as options for the memberHost > attr? > > I think this is how it is designed right now. The migration to host groups will be slow and painful. I think that approach we planned covers all main use cases and provides enough flexibility for administrators transition from old models and concepts to the new ones. There will be need to the compatibility for older clients for the years to come. > Thoughts? > > > -- Thank you, Dmitri Pal Sr. Engineering Manager IPA project, Red Hat Inc. ------------------------------- Looking to carve out IT costs? www.redhat.com/carveoutcosts/ From JR.Aquino at citrix.com Thu Dec 9 19:11:57 2010 From: JR.Aquino at citrix.com (JR Aquino) Date: Thu, 9 Dec 2010 19:11:57 +0000 Subject: [Freeipa-devel] [PATCH] sudo and netgroup schema compat updates In-Reply-To: <4D0126D8.2030307@redhat.com> Message-ID: >I think this is how it is designed right now. >The migration to host groups will be slow and painful. >I think that approach we planned covers all main use cases and provides >enough flexibility for administrators transition from old models and >concepts to the new ones. >There will be need to the compatibility for older clients for the years >to come. The design doc seems to disagree: http://freeipa.org/page/SUDO_Schema_Design objectclass: ipaSudoRule ... memberHost: cn=VirtGuests,cn=hostgroups,cn=accounts,... ... Just to review, so that I can make sure the patch is posted correctly: The current Sudo Compat Plugin functions as long as: An IPASudoRule can consist of: memberUser: memberAllowCmd: memberDenyCmd: memberHost: ??? ^ The Schema Design originally suggested that for an ipaSudoRule an ipaHostGroup would be used. This ipaHostGroup would then be duplicated into a ipaNetGroup (Managed Entry). This ipaNetGroup would then be translated into an ldap backed nisNetGroup (Compat). I am ok changing the sudorule plugin to point memberHost to an ipaNetgroup, however, I think we need to be correct and clear in all the previous references. There are a LOT of moving parts behind the scenes to make this work natively, so the chance for confusion is very high. What I was suggesting, was that perhaps its not necessary to change the sudorule plugin if the eventual end goal is to utilize hostgroups natively. The compat pieces and Managed Entry pieces already handle the translation as elegantly as they can given the circumstances. Is there a negative aspect of having the SudoCompat piece look to an ipaHostgroup for its conversion? Thanks! -JR From nalin at redhat.com Thu Dec 9 19:19:43 2010 From: nalin at redhat.com (Nalin Dahyabhai) Date: Thu, 9 Dec 2010 14:19:43 -0500 Subject: [Freeipa-devel] [PATCH] 628 use KDC schema file In-Reply-To: <4CFD12B8.1050802@redhat.com> References: <4CF9663A.9090609@redhat.com> <20101203222159.GB25845@redhat.com> <4CFD12B8.1050802@redhat.com> Message-ID: <20101209191943.GE28006@redhat.com> On Mon, Dec 06, 2010 at 11:43:36AM -0500, Rob Crittenden wrote: > What if we do both? Use the one provided by the KDC if it exists > otherwise fall back to our own? Then you're basically depending on me getting the generated LDIF right every time. I haven't previously done much validation of the result, and it turns out that I missed a couple of syntax problems during the initial import for Fedora's branch for 1.9. If we can spot any problems in that LDIF quickly enough when the krb5 package gets updated, then we'll probably be fine, otherwise I'd be worried about unintentionally breaking IPA. Up to you, I guess. Nalin From dpal at redhat.com Thu Dec 9 19:59:55 2010 From: dpal at redhat.com (Dmitri Pal) Date: Thu, 09 Dec 2010 14:59:55 -0500 Subject: [Freeipa-devel] [PATCH] sudo and netgroup schema compat updates In-Reply-To: References: Message-ID: <4D01353B.7090703@redhat.com> JR Aquino wrote: >> I think this is how it is designed right now. >> The migration to host groups will be slow and painful. >> I think that approach we planned covers all main use cases and provides >> enough flexibility for administrators transition from old models and >> concepts to the new ones. >> There will be need to the compatibility for older clients for the years >> to come. >> > > The design doc seems to disagree: > http://freeipa.org/page/SUDO_Schema_Design > > objectclass: ipaSudoRule > ... > memberHost: cn=VirtGuests,cn=hostgroups,cn=accounts,... > ... > > Just to review, so that I can make sure the patch is posted correctly: > > The current Sudo Compat Plugin functions as long as: > An IPASudoRule can consist of: > > memberUser: > memberAllowCmd: > memberDenyCmd: > memberHost: ??? > > ^ The Schema Design originally suggested that for an ipaSudoRule an > ipaHostGroup would be used. > http://www.freeipa.org/page/SUDO_Schema_Design#Why_we_must_support_netgroups_in_the_SUDO_rules.3F Last paragraph of the section. Also see last open question and answer to it on the page :-) However... read further... > This ipaHostGroup would then be duplicated into a ipaNetGroup (Managed > Entry). > This ipaNetGroup would then be translated into an ldap backed nisNetGroup > (Compat). > > I am ok changing the sudorule plugin to point memberHost to an > ipaNetgroup, however, I think we need to be correct and clear in all the > previous references. > There are a LOT of moving parts behind the scenes to make this work > natively, so the chance for confusion is very high. > > What I was suggesting, was that perhaps its not necessary to change the > sudorule plugin if the eventual end goal is to utilize hostgroups > natively. The compat pieces and Managed Entry pieces already handle the > translation as elegantly as they can given the circumstances. > > Is there a negative aspect of having the SudoCompat piece look to an > ipaHostgroup for its conversion? > I just talked to Nalin and you might be right we can eliminate the need to support the netgroups in the sudo rule for hosts altogether. Since each host group will have a corresponding netgroup (until it is explicitly turned off by admin and it can be turned off only when the clients do not need netgroups any more which will be many years from now) the compat plugin can check if there is a corresponding netgroup, and if there is, use netgroup notation in the generated SUDO rule instead of expanding the rule to contain the host attributes verbatim. This looks like a nice and elegant solution but this means that we *require* the use of the host groups with netgroups. So if the deployment has a netgroup that has hosts A,B,C we require the hosts A,B & C be put into a host group. If admin just creates a new netgroup with hosts A, B, C in IPA he would not be able to use this netgroup in the SUDO part at all. May be it is Ok. It will really discourage people from using the netgroups. If we can require admins to always create a top level host group for any netgroup they want to have for whatever reason and this is acceptable then we can avoid allowing direct referencing netgroups in the rule and thus do not need to add this capability to SUDO plugin. It will actually save some future work on SSSD too since it would not need to resolve the netgroups - just host groups. After some thinking IMO the right approach would be: 1) Adjust the compat plugin as described above 2) Do not add capability to SODO mgmt plugin to point to the netgroup in the SUDO rule 3) Document the considerations about the netgroups migration (https://fedorahosted.org/freeipa/ticket/37) Thoughts? > Thanks! > > -JR > > -- Thank you, Dmitri Pal Sr. Engineering Manager IPA project, Red Hat Inc. ------------------------------- Looking to carve out IT costs? www.redhat.com/carveoutcosts/ From rcritten at redhat.com Thu Dec 9 20:00:12 2010 From: rcritten at redhat.com (Rob Crittenden) Date: Thu, 09 Dec 2010 15:00:12 -0500 Subject: [Freeipa-devel] [PATCH] 639 Fix a slew of tests. Message-ID: <4D01354C.6000008@redhat.com> - Skip the DNS tests if DNS isn't configured - Add new attributes to user entries (displayname, cn and initials) - Make the nsaccountlock value consistent - Fix the cert subject for cert tests All but 2 tests pass for me now, both related to renaming objects. There is already a ticket for that. This relies on the objectclass fix in patch 636. rob -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-rcrit-639-tests.patch Type: text/x-patch Size: 8098 bytes Desc: not available URL: From rcritten at redhat.com Thu Dec 9 20:05:46 2010 From: rcritten at redhat.com (Rob Crittenden) Date: Thu, 09 Dec 2010 15:05:46 -0500 Subject: [Freeipa-devel] [PATCH] 632 add migration cmd docs In-Reply-To: <4CFF6F2F.2060902@redhat.com> References: <4CFE65E2.8060601@redhat.com> <4CFF6F2F.2060902@redhat.com> Message-ID: <4D01369A.2010309@redhat.com> Jakub Hrozek wrote: > -----BEGIN PGP SIGNED MESSAGE----- > Hash: SHA1 > > On 12/07/2010 05:50 PM, Rob Crittenden wrote: >> Add some documentation to the migrate-ds command. >> >> rob >> > > Ack pushed to master From rcritten at redhat.com Thu Dec 9 20:07:15 2010 From: rcritten at redhat.com (Rob Crittenden) Date: Thu, 09 Dec 2010 15:07:15 -0500 Subject: [Freeipa-devel] [PATCH] 638 be smarter with alwaysask option In-Reply-To: <201012091031.02903.jzeleny@redhat.com> References: <4D000625.7010500@redhat.com> <201012091031.02903.jzeleny@redhat.com> Message-ID: <4D0136F3.30109@redhat.com> Jan Zelen? wrote: > Rob Crittenden wrote: >> The alwaysask option for params was meant to prompt for things that are >> needed but not strictly required, like when adding members to a group. >> >> We don't need to prompt if something is provided on the command-line >> though. >> >> ticket 604 >> >> rob > > ACK > pushed to master From JR.Aquino at citrix.com Thu Dec 9 20:29:37 2010 From: JR.Aquino at citrix.com (JR Aquino) Date: Thu, 9 Dec 2010 20:29:37 +0000 Subject: [Freeipa-devel] [PATCH] sudo and netgroup schema compat updates In-Reply-To: <4D01353B.7090703@redhat.com> Message-ID: On 12/9/10 11:59 AM, "Dmitri Pal" wrote: >http://www.freeipa.org/page/SUDO_Schema_Design#Why_we_must_support_netgrou >ps_in_the_SUDO_rules.3F >Last paragraph of the section. Also see last open question and answer to >it on the page :-) > >However... read further... Ah Ha! >I just talked to Nalin and you might be right we can eliminate the need >to support the netgroups in the sudo rule for hosts altogether. >Since each host group will have a corresponding netgroup (until it is >explicitly turned off by admin and it can be turned off only when the >clients do not need netgroups any more which will be many years from >now) the compat plugin can check if there is a corresponding netgroup, >and if there is, use netgroup notation in the generated SUDO rule >instead of expanding the rule to contain the host attributes verbatim. > >This looks like a nice and elegant solution but this means that we >*require* the use of the host groups with netgroups. So if the >deployment has a netgroup that has hosts A,B,C we require the hosts A,B >& C be put into a host group. If admin just creates a new netgroup with >hosts A, B, C in IPA he would not be able to use this netgroup in the >SUDO part at all. May be it is Ok. It will really discourage people from >using the netgroups. If we can require admins to always create a top >level host group for any netgroup they want to have for whatever reason >and this is acceptable then we can avoid allowing direct referencing >netgroups in the rule and thus do not need to add this capability to >SUDO plugin. It will actually save some future work on SSSD too since it >would not need to resolve the netgroups - just host groups. Agreed. As a side note to think about: Currently, with the proposed Managed Plungins, netgroups which are created as a result of the hostgroup creation, are not searchable via the IPA Cli. This requested by Item #3 (https://fedorahosted.org/freeipa/ticket/543). This generally means that by default, all hostgroups get an implied (but invisible) netgroup. The only netgroups that turn up in the search are those created directly through the cli. Not sure how this effects the greater world at large. > >After some thinking IMO the right approach would be: >1) Adjust the compat plugin as described above >2) Do not add capability to SODO mgmt plugin to point to the netgroup in >the SUDO rule >3) Document the considerations about the netgroups migration >(https://fedorahosted.org/freeipa/ticket/37) I agree, this sounds like the most sane path to follow. I do think it would be courteous to the potential nis/netgroup users of the world, for us to be very clear about the backend behavior regarding the Managed Entries though. From nalin at redhat.com Thu Dec 9 20:34:52 2010 From: nalin at redhat.com (Nalin Dahyabhai) Date: Thu, 9 Dec 2010 15:34:52 -0500 Subject: [Freeipa-devel] [PATCH] sudo and netgroup schema compat updates In-Reply-To: <4D01353B.7090703@redhat.com> References: <4D01353B.7090703@redhat.com> Message-ID: <20101209203452.GF28006@redhat.com> On Thu, Dec 09, 2010 at 02:59:55PM -0500, Dmitri Pal wrote: > 1) Adjust the compat plugin as described above Attached for testing. Patch 0001 we've seen before; 0002's new. Nalin -------------- next part -------------- >From 1afcb4d6163f5b8137cb1f2e832714e046345ca7 Mon Sep 17 00:00:00 2001 From: Nalin Dahyabhai Date: Tue, 30 Nov 2010 18:25:33 -0500 Subject: [PATCH 1/2] sudo and netgroup schema compat updates - fix quoting of netgroup entries - don't bother looking for members of netgroups by looking for entries which list "memberOf: $netgroup" -- the netgroup should list them as "member" values - use newer slapi-nis functionality to produce cn=sudoers - drop the real cn=sudoers container to make room for the compat container --- install/share/bootstrap-template.ldif | 6 ----- install/share/schema_compat.uldif | 37 ++++++++++++++++++++++++++++---- ipa.spec.in | 2 +- 3 files changed, 33 insertions(+), 12 deletions(-) diff --git a/install/share/bootstrap-template.ldif b/install/share/bootstrap-template.ldif index 4f10f07..81eb5d6 100644 --- a/install/share/bootstrap-template.ldif +++ b/install/share/bootstrap-template.ldif @@ -64,12 +64,6 @@ objectClass: top objectClass: nsContainer cn: sudorules -dn: cn=SUDOers,$SUFFIX -changetype: add -objectClass: nsContainer -objectClass: top -cn: SUDOers - dn: cn=etc,$SUFFIX changetype: add objectClass: nsContainer diff --git a/install/share/schema_compat.uldif b/install/share/schema_compat.uldif index 22e3141..52c8d5a 100644 --- a/install/share/schema_compat.uldif +++ b/install/share/schema_compat.uldif @@ -47,7 +47,6 @@ default:schema-compat-entry-attribute: objectclass=posixGroup default:schema-compat-entry-attribute: gidNumber=%{gidNumber} default:schema-compat-entry-attribute: memberUid=%{memberUid} default:schema-compat-entry-attribute: memberUid=%deref("member","uid") -default:schema-compat-entry-attribute: memberUid=%referred("cn=users","memberOf","uid") dn: cn=ng,cn=Schema Compatibility,cn=plugins,cn=config add:objectClass: top @@ -56,14 +55,42 @@ add:cn: ng add:schema-compat-container-group: 'cn=compat, $SUFFIX' add:schema-compat-container-rdn: cn=ng add:schema-compat-check-access: yes -add:schema-compat-search-base: 'cn=ng,cn=alt,$SUFFIX' -add:schema-compat-search-filter: !(cn=ng) +add:schema-compat-search-base: 'cn=ng, cn=alt, $SUFFIX' +add:schema-compat-search-filter: (objectclass=ipaNisNetgroup) add:schema-compat-entry-rdn: cn=%{cn} add:schema-compat-entry-attribute: objectclass=nisNetgroup add:schema-compat-entry-attribute: 'memberNisNetgroup=%deref_r("member","cn")' -add:schema-compat-entry-attribute: 'memberNisNetgroup=%referred_r("cn=ng","memberOf","cn")' -add:schema-compat-entry-attribute: nisNetgroupTriple=(%link("%ifeq(\"hostCategory\",\"all\",\"\",\"%collect(\\\"%{externalHost}\\\",\\\"%deref(\\\\\\\"memberHost\\\\\\\",\\\\\\\"fqdn\\\\\\\")\\\",\\\"%deref_r(\\\\\\\"member\\\\\\\",\\\\\\\"fqdn\\\\\\\")\\\",\\\"%deref_r(\\\\\\\"memberHost\\\\\\\",\\\\\\\"member\\\\\\\",\\\\\\\"fqdn\\\\\\\")\\\")\")","-",",","%ifeq(\"userCategory\",\"all\",\"\",\"%collect(\\\"%deref(\\\\\\\"memberUser\\\\\\\",\\\\\\\"uid\\\\\\\")\\\",\\\"%deref_r(\\\\\\\"member\\\\\\\",\\\\\\\"uid\\\\\\\")\\\",\\\"%deref_r(\\\\\\\"memberUser\\\\\\\",\\\\\\\"member\\\\\\\",\\\\\\\"uid\\\\\\\")\\\")\")","-"),%{nisDomainName:-}) +add:schema-compat-entry-attribute: 'nisNetgroupTriple=(%link("%ifeq(\"hostCategory\",\"all\",\"\",\"%collect(\\\"%{externalHost}\\\",\\\"%deref(\\\\\\\"memberHost\\\\\\\",\\\\\\\"fqdn\\\\\\\")\\\",\\\"%deref_r(\\\\\\\"member\\\\\\\",\\\\\\\"fqdn\\\\\\\")\\\",\\\"%deref_r(\\\\\\\"memberHost\\\\\\\",\\\\\\\"member\\\\\\\",\\\\\\\"fqdn\\\\\\\")\\\")\")","-",",","%ifeq(\"userCategory\",\"all\",\"\",\"%collect(\\\"%deref(\\\\\\\"memberUser\\\\\\\",\\\\\\\"uid\\\\\\\")\\\",\\\"%deref_r(\\\\\\\"member\\\\\\\",\\\\\\\"uid\\\\\\\")\\\",\\\"%deref_r(\\\\\\\"memberUser\\\\\\\",\\\\\\\"member\\\\\\\",\\\\\\\"uid\\\\\\\")\\\")\")","-"),%{nisDomainName:-})' + +dn: cn=sudoers,cn=Schema Compatibility,cn=plugins,cn=config +add:objectClass: top +add:objectClass: extensibleObject +add:cn: sudoers +add:schema-compat-container-group: 'cn=SUDOers, $SUFFIX' +add:schema-compat-search-base: 'cn=sudorules, $SUFFIX' +add:schema-compat-search-filter: (&(objectclass=ipaSudoRule)(!(compatVisible=FALSE))(!(ipaEnabledFlag=FALSE))) +add:schema-compat-entry-rdn: cn=%{cn} +add:schema-compat-entry-attribute: objectclass=sudoRole +add:schema-compat-entry-attribute: 'sudoUser=%ifeq("userCategory","all","ALL","%{externalUser}")' +add:schema-compat-entry-attribute: 'sudoUser=%ifeq("userCategory","all","ALL","%deref_f(\"memberUser\",\"(objectclass=posixAccount)\",\"uid\")")' +add:schema-compat-entry-attribute: 'sudoUser=%ifeq("userCategory","all","ALL","%deref_rf(\"memberUser\",\"(&(objectclass=ipaUserGroup)(!(objectclass=posixGroup)))\",\"member\",\"(|(objectclass=ipaUserGroup)(objectclass=posixAccount))\",\"uid\")")' +add:schema-compat-entry-attribute: 'sudoUser=%ifeq("userCategory","all","ALL","%%%deref_f(\"memberUser\",\"(objectclass=posixGroup)\",\"cn\")")' +add:schema-compat-entry-attribute: 'sudoUser=%ifeq("userCategory","all","ALL","+%deref_f(\"memberUser\",\"(objectclass=ipaNisNetgroup)\",\"cn\")")' +add:schema-compat-entry-attribute: 'sudoHost=%ifeq("hostCategory","all","ALL","%{externalHost}")' +add:schema-compat-entry-attribute: 'sudoHost=%ifeq("hostCategory","all","ALL","%deref_f(\"memberHost\",\"(objectclass=ipaHost)\",\"fqdn\")")' +add:schema-compat-entry-attribute: 'sudoHost=%ifeq("hostCategory","all","ALL","%deref_rf(\"memberHost\",\"(objectclass=ipaHostGroup)\",\"member\",\"(|(objectclass=ipaHostGroup)(objectclass=ipaHost))\",\"fqdn\")")' +add:schema-compat-entry-attribute: 'sudoHost=%ifeq("hostCategory","all","ALL","+%deref_f(\"memberHost\",\"(objectclass=ipaNisNetgroup)\",\"cn\")")' +add:schema-compat-entry-attribute: 'sudoCommand=%ifeq("cmdCategory","all","ALL","%deref(\"memberAllowCmd\",\"sudoCmd\")")' +add:schema-compat-entry-attribute: 'sudoCommand=%ifeq("cmdCategory","all","ALL","%deref_r(\"memberAllowCmd\",\"member\",\"sudoCmd\")")' +add:schema-compat-entry-attribute: 'sudoCommand=%ifeq("cmdCategory","all","ALL","!%deref(\"memberDenyCmd\",\"sudoCmd\")")' +add:schema-compat-entry-attribute: 'sudoCommand=%ifeq("cmdCategory","all","ALL","!%deref_r(\"memberDenyCmd\",\"member\",\"sudoCmd\")")' +add:schema-compat-entry-attribute: 'sudoRunAsUser=%{ipaSudoRunAsExtUser}' +add:schema-compat-entry-attribute: 'sudoRunAsUser=%deref("ipaSudoRunAs","uid")' +add:schema-compat-entry-attribute: 'sudoRunAsGroup=%{ipaSudoRunAsExtGroup}' +add:schema-compat-entry-attribute: 'sudoRunAsGroup=%deref("ipaSudoRunAs","cn")' +add:schema-compat-entry-attribute: 'sudoOption=%{ipaSudoOpt}' # Enable anonymous VLV browsing for Solaris dn: oid=2.16.840.1.113730.3.4.9,cn=features,cn=config only:aci: '(targetattr !="aci")(version 3.0; acl "VLV Request Control"; allow (read, search, compare, proxy) userdn = "ldap:///anyone"; )' + diff --git a/ipa.spec.in b/ipa.spec.in index 2597dad..4cafc0e 100644 --- a/ipa.spec.in +++ b/ipa.spec.in @@ -91,7 +91,7 @@ Requires: libcap Requires: selinux-policy %endif Requires(post): selinux-policy-base -Requires: slapi-nis >= 0.15 +Requires: slapi-nis >= 0.21 Requires: pki-ca >= 1.3.6 Requires: pki-silent >= 1.3.4 -- 1.7.3.3 -------------- next part -------------- >From 8f16f88dc9553f3f83c44160ee05d431800ee1be Mon Sep 17 00:00:00 2001 From: Nalin Dahyabhai Date: Thu, 9 Dec 2010 15:31:13 -0500 Subject: [PATCH 2/2] sudo: treat mepOriginEntry hostgroups differently - if a hostgroup named by the memberHost attribute is not also a mepOriginEntry, proceed as before - if a hostgroup named by the memberHost attribute is also a mepOriginEntry, read its "cn" attribute, prepend a "+" to it, and call it done --- install/share/schema_compat.uldif | 3 ++- 1 files changed, 2 insertions(+), 1 deletions(-) diff --git a/install/share/schema_compat.uldif b/install/share/schema_compat.uldif index 52c8d5a..fcd993a 100644 --- a/install/share/schema_compat.uldif +++ b/install/share/schema_compat.uldif @@ -78,7 +78,8 @@ add:schema-compat-entry-attribute: 'sudoUser=%ifeq("userCategory","all","ALL","% add:schema-compat-entry-attribute: 'sudoUser=%ifeq("userCategory","all","ALL","+%deref_f(\"memberUser\",\"(objectclass=ipaNisNetgroup)\",\"cn\")")' add:schema-compat-entry-attribute: 'sudoHost=%ifeq("hostCategory","all","ALL","%{externalHost}")' add:schema-compat-entry-attribute: 'sudoHost=%ifeq("hostCategory","all","ALL","%deref_f(\"memberHost\",\"(objectclass=ipaHost)\",\"fqdn\")")' -add:schema-compat-entry-attribute: 'sudoHost=%ifeq("hostCategory","all","ALL","%deref_rf(\"memberHost\",\"(objectclass=ipaHostGroup)\",\"member\",\"(|(objectclass=ipaHostGroup)(objectclass=ipaHost))\",\"fqdn\")")' +add:schema-compat-entry-attribute: 'sudoHost=%ifeq("hostCategory","all","ALL","%deref_rf(\"memberHost\",\"(&(objectclass=ipaHostGroup)(!(objectclass=mepOriginEntry)))\",\"member\",\"(|(objectclass=ipaHostGroup)(objectclass=ipaHost))\",\"fqdn\")")' +add:schema-compat-entry-attribute: 'sudoHost=%ifeq("hostCategory","all","ALL","+%deref_f(\"memberHost\",\"(&(objectclass=ipaHostGroup)(objectclass=mepOriginEntry))\",\"cn\")")' add:schema-compat-entry-attribute: 'sudoHost=%ifeq("hostCategory","all","ALL","+%deref_f(\"memberHost\",\"(objectclass=ipaNisNetgroup)\",\"cn\")")' add:schema-compat-entry-attribute: 'sudoCommand=%ifeq("cmdCategory","all","ALL","%deref(\"memberAllowCmd\",\"sudoCmd\")")' add:schema-compat-entry-attribute: 'sudoCommand=%ifeq("cmdCategory","all","ALL","%deref_r(\"memberAllowCmd\",\"member\",\"sudoCmd\")")' -- 1.7.3.3 From ayoung at redhat.com Thu Dec 9 20:53:21 2010 From: ayoung at redhat.com (Adam Young) Date: Thu, 09 Dec 2010 15:53:21 -0500 Subject: [Freeipa-devel] [PATCH] SUDO adjustments In-Reply-To: <4D00F665.4050001@redhat.com> References: <4D00F665.4050001@redhat.com> Message-ID: <4D0141C1.2030609@redhat.com> On 12/09/2010 10:31 AM, Endi Sukma Dewata wrote: > Hi, > > Please review the attached patch. Thanks! > > https://fedorahosted.org/reviewboard/r/114/ > > The SUDO rule details facet has been updated to support the latest UI > spec. The facet consists of 5 sections: general, users, hosts, commands, > and run-as. > > The general section contains the SUDO rule description and status. If > the status is changed, the sudorule-enable/disable will be invoked. > > The other sections contain radio buttons for the association category > and tables for the members. When a member is added or removed, the > category will be adjusted appropriately. If the category is changed to > 'all', 'allow', or 'deny', all members will be removed. > > The last section is currently not working because backend support is > not yet available. > > The adder dialog boxes for users, groups, and hosts has been modified > to accept external identities. The layout for the base adder dialog > was updated. The base dialog class was updated to support templates. > The SUDO dialog boxes were implemented using templates. New CSS > classes were added to ipa.css. > > The HBAC rule details facet has been updated as well. > > > _______________________________________________ > Freeipa-devel mailing list > Freeipa-devel at redhat.com > https://www.redhat.com/mailman/listinfo/freeipa-devel ACK. Pushed to master -------------- next part -------------- An HTML attachment was scrubbed... URL: From ayoung at redhat.com Thu Dec 9 20:57:18 2010 From: ayoung at redhat.com (Adam Young) Date: Thu, 09 Dec 2010 15:57:18 -0500 Subject: [Freeipa-devel] [PATCH] Section header prefix update In-Reply-To: <4D0109CA.1050407@redhat.com> References: <4D0109CA.1050407@redhat.com> Message-ID: <4D0142AE.3030805@redhat.com> On 12/09/2010 11:54 AM, Endi Sukma Dewata wrote: > Hi, > > Please review the attached patch. This should fix this ticket: > > https://fedorahosted.org/freeipa/ticket/552 > > The '+' and '-' signs before the section headers in details facet > are now enclosed in square brackets. The section content is now > hidden/shown using slideToggle(). > > The ipa_details_create() and ipa_details_setup() have been moved > into ipa_details_facet. > > Thanks! > > > _______________________________________________ > Freeipa-devel mailing list > Freeipa-devel at redhat.com > https://www.redhat.com/mailman/listinfo/freeipa-devel ACK pushed to master -------------- next part -------------- An HTML attachment was scrubbed... URL: From edewata at redhat.com Thu Dec 9 21:17:54 2010 From: edewata at redhat.com (Endi Sukma Dewata) Date: Thu, 09 Dec 2010 15:17:54 -0600 Subject: [Freeipa-devel] [PATCH] Account activation adjustment Message-ID: <4D014782.5010704@redhat.com> Hi, Please review the attached patch. This should fix this bug: https://fedorahosted.org/freeipa/ticket/462 The user details facet has been modified such that when the account is activated/deactivated the page will be reloaded. Some methods in the framework have been changed: - The ipa_widget.clear() has been removed because it can be replaced by existing reset(). - The ipa_widget.set_values() has been renamed into update(). Thanks! -- Endi S. Dewata -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-edewata-0055-Account-activation-adjustment.patch Type: text/x-patch Size: 15779 bytes Desc: not available URL: From ayoung at redhat.com Thu Dec 9 21:49:35 2010 From: ayoung at redhat.com (Adam Young) Date: Thu, 09 Dec 2010 16:49:35 -0500 Subject: [Freeipa-devel] [PATCH] admiyo-0114-Section-header-prefix-update Message-ID: <4D014EEF.2000005@redhat.com> This patch was mostly done by Kyle Baker. I just rebased it by hand. Need to change the authorship on it. -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-admiyo-0114-Section-header-prefix-update.patch Type: text/x-patch Size: 7545 bytes Desc: not available URL: From ayoung at redhat.com Thu Dec 9 22:02:34 2010 From: ayoung at redhat.com (Adam Young) Date: Thu, 09 Dec 2010 17:02:34 -0500 Subject: [Freeipa-devel] [PATCH] admiyo-0114-Section-header-prefix-update In-Reply-To: <4D014EEF.2000005@redhat.com> References: <4D014EEF.2000005@redhat.com> Message-ID: <4D0151FA.6060403@redhat.com> On 12/09/2010 04:49 PM, Adam Young wrote: > This patch was mostly done by Kyle Baker. I just rebased it by hand. > Need to change the authorship on it. > > > _______________________________________________ > Freeipa-devel mailing list > Freeipa-devel at redhat.com > https://www.redhat.com/mailman/listinfo/freeipa-devel Disregard this patch, submitted the wrong one by mistake -------------- next part -------------- An HTML attachment was scrubbed... URL: From ayoung at redhat.com Thu Dec 9 22:04:11 2010 From: ayoung at redhat.com (Adam Young) Date: Thu, 09 Dec 2010 17:04:11 -0500 Subject: [Freeipa-devel] admiyo-0115-button-and-table-styling. Message-ID: <4D01525B.2070709@redhat.com> This is the proper patch. Majority of the work was done by Kyle Baker. -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-admiyo-0115-button-and-table-styling.patch Type: text/x-patch Size: 14998 bytes Desc: not available URL: From edewata at redhat.com Thu Dec 9 22:02:25 2010 From: edewata at redhat.com (Endi Sukma Dewata) Date: Thu, 09 Dec 2010 16:02:25 -0600 Subject: [Freeipa-devel] [PATCH] Account activation adjustment In-Reply-To: <4D014782.5010704@redhat.com> References: <4D014782.5010704@redhat.com> Message-ID: <4D0151F1.101@redhat.com> On 12/9/2010 3:17 PM, Endi Sukma Dewata wrote: > Please review the attached patch. This should fix this bug: > > https://fedorahosted.org/freeipa/ticket/462 > > The user details facet has been modified such that when the account > is activated/deactivated the page will be reloaded. > > Some methods in the framework have been changed: > - The ipa_widget.clear() has been removed because it can be replaced > by existing reset(). > - The ipa_widget.set_values() has been renamed into update(). Forgot to include the latest changes. Attached is a new patch. Thanks! -- Endi S. Dewata -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-edewata-0055-2-Account-activation-adjustment.patch Type: text/x-patch Size: 15959 bytes Desc: not available URL: From kybaker at redhat.com Thu Dec 9 22:22:01 2010 From: kybaker at redhat.com (Kyle Baker) Date: Thu, 9 Dec 2010 17:22:01 -0500 (EST) Subject: [Freeipa-devel] admiyo-0115-button-and-table-styling. In-Reply-To: <4D01525B.2070709@redhat.com> Message-ID: <1182766443.502331291933321692.JavaMail.root@zmail05.collab.prod.int.phx2.redhat.com> NACK. This has many problems. ----- "Adam Young" wrote: > This is the proper patch. Majority of the work was done by Kyle > Baker. > > _______________________________________________ > Freeipa-devel mailing list > Freeipa-devel at redhat.com > https://www.redhat.com/mailman/listinfo/freeipa-devel From ayoung at redhat.com Thu Dec 9 22:39:50 2010 From: ayoung at redhat.com (Adam Young) Date: Thu, 09 Dec 2010 17:39:50 -0500 Subject: [Freeipa-devel] admiyo-0115-button-and-table-styling. In-Reply-To: <1182766443.502331291933321692.JavaMail.root@zmail05.collab.prod.int.phx2.redhat.com> References: <1182766443.502331291933321692.JavaMail.root@zmail05.collab.prod.int.phx2.redhat.com> Message-ID: <4D015AB6.8010703@redhat.com> On 12/09/2010 05:22 PM, Kyle Baker wrote: > NACK. This has many problems. > ----- "Adam Young" wrote: > > >> This is the proper patch. Majority of the work was done by Kyle >> Baker. >> >> _______________________________________________ >> Freeipa-devel mailing list >> Freeipa-devel at redhat.com >> https://www.redhat.com/mailman/listinfo/freeipa-devel >> Updated with style differences, images, and fonts -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-admiyo-0115-2-button-and-table-styling.patch Type: text/x-patch Size: 96129 bytes Desc: not available URL: From JR.Aquino at citrix.com Fri Dec 10 00:11:02 2010 From: JR.Aquino at citrix.com (JR Aquino) Date: Fri, 10 Dec 2010 00:11:02 +0000 Subject: [Freeipa-devel] [PATCH 5] managed entry hostgroup netgroup support Message-ID: These 2 patches address all of the items within (https://fedorahosted.org/freeipa/ticket/543) Included are: * ldif for the hostgroup -to- netgroup Managed Entry Plugin * dsinstance modifications to correctly install the ldif * management script (ipa-host-net-manage) * man page for documentation * Makefile mods for installation of management script and man page * ipa.spec.in and ipa.1 to reflect inclusion Please review. -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-jraquino-0005-managed-entry-hostgroup-netgroup-support.patch Type: application/octet-stream Size: 4264 bytes Desc: freeipa-jraquino-0005-managed-entry-hostgroup-netgroup-support.patch URL: -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-jraquino-0006-managed-entry-hostgroup-netgroup-support.patch Type: application/octet-stream Size: 11906 bytes Desc: freeipa-jraquino-0006-managed-entry-hostgroup-netgroup-support.patch URL: From jzeleny at redhat.com Fri Dec 10 07:04:14 2010 From: jzeleny at redhat.com (Jan Zeleny) Date: Fri, 10 Dec 2010 08:04:14 +0100 Subject: [Freeipa-devel] =?iso-8859-1?q?=5BPATCH=5D_636_Properly_handle_mu?= =?iso-8859-1?q?lti-valued=09attributes_when_using_setattr/addattr?= In-Reply-To: <4D00F798.3070003@redhat.com> References: <4CFFCEF5.4090804@redhat.com> <201012091020.18425.jzeleny@redhat.com> <4D00F798.3070003@redhat.com> Message-ID: <201012100804.15028.jzeleny@redhat.com> Rob Crittenden wrote: > Jan Zelen? wrote: > > Rob Crittenden wrote: > >> The problem was that the normalizer was returning each value as a tuple > >> which we were then appending to a list, so it looked like [(u'value1',), > >> (u'value2',),...]. If there was a single value we could end up adding a > >> tuple to a list which would fail. Additionally python-ldap doesn't like > >> lists of lists so it was failing later in the process as well. > >> > >> I've added some simple tests for setattr and addattr. > >> > >> ticket 565 > > > > One question? Why are you removing radiusprofile string in chunk #3? > > Other than that the patch is fine. > > I had removed it from the default user objectclasses in another patch > and hadn't removed it here. I'm removing it now so the tests I added pass. > > rob Ok, Ack. Jan From jzeleny at redhat.com Fri Dec 10 07:19:17 2010 From: jzeleny at redhat.com (Jan Zeleny) Date: Fri, 10 Dec 2010 08:19:17 +0100 Subject: [Freeipa-devel] [PATCH] 635 wait for memberof plugin when doing reverse members In-Reply-To: <4D00F76E.8020800@redhat.com> References: <4CFF0848.3030903@redhat.com> <201012090938.38310.jzeleny@redhat.com> <4D00F76E.8020800@redhat.com> Message-ID: <201012100819.17570.jzeleny@redhat.com> Rob Crittenden wrote: > Jan Zelen? wrote: > > Rob Crittenden wrote: > >> Give the memberof plugin time to work when adding/removing reverse > >> members. > >> > >> When we add/remove reverse members it looks like we're operating on > >> group A but we're really operating on group B. This adds/removes the > >> member attribute on group B and the memberof plugin adds the memberof > >> attribute into group A. > >> > >> We need to give the memberof plugin a chance to do its work so loop a > >> few times, reading the entry to see if the number of memberof is more or > >> less what we expect. Bail out if it is taking too long. > >> > >> ticket 560 > >> > >> rob > > > > About that FIXME you got there: I'm not sure if it wouldn't be better to > > handle the possible exception right in the wait_for_memberof method (I > > guess it depends on what exception are we expecting and what are we > > going to do with it?). If you want the exception to reach the calling > > function, I'd like to see some kind of exception handling in that > > function - either to let the user know that the error occurred during > > this waiting or maybe to disregard the exception and continue normal > > operation. > > The types of exceptions could run the gambit but I was wondering what > would happen if we were looping and some other user deleted the role. > The next search for it would fail with NotFound. Granted this isn't a > very friendly message to return to someone after adding a member to the > group but it does sort of make sense (someone deleted it concurrently). > It seemed best to just let this filter up to the caller. Yes, I understand that. But my point was that it would be more user friendy to catch this exception in the calling function and adjust the error message to the situation. Otherwise user can get completely out-of-context error message, like "user not found" when working with groups or something like that. > > > Some nitpicking: I'm confused - in the doc string you state that "this > > will loop for 6+ seconds" and a couple lines below, you have a comment > > "Don't sleep for more that 6 seconds" - is there a mistake ar are these > > two statements unrelated? > > Yeah, I was afraid that might be confusing. I'll wait .3 seconds 20 > times so 6 seconds. There are a few LDAP calls which take a bit of time > as well, so it will be 6+ seconds if it goes the whole time. Ok, thanks for explanation Jan From jhrozek at redhat.com Fri Dec 10 11:43:59 2010 From: jhrozek at redhat.com (Jakub Hrozek) Date: Fri, 10 Dec 2010 12:43:59 +0100 Subject: [Freeipa-devel] [PATCH] 0025 Restructure startup code for IPA servers In-Reply-To: <20101209095424.388b8f10@willson.li.ssimo.org> References: <20101207115345.1a2a9ca6@willson.li.ssimo.org> <4D00E0F5.2060301@redhat.com> <20101209095424.388b8f10@willson.li.ssimo.org> Message-ID: <4D02127F.7020302@redhat.com> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 On 12/09/2010 03:54 PM, Simo Sorce wrote: > On Thu, 09 Dec 2010 15:00:21 +0100 > Jakub Hrozek wrote: > >> -----BEGIN PGP SIGNED MESSAGE----- >> Hash: SHA1 >> >> On 12/07/2010 05:53 PM, Simo Sorce wrote: >>> >>> With this patch we stop relying on the system to init single ipa >>> components and instead introduce a "ipa" init script that takes >>> care of properly starting/stopping all relevant components. >>> >>> Components are listed with a generic label in LDAP, per server. >>> At startup the ipa init script will always start drisrv, then use >>> the local socket to query it anonymously[*] and get the list of >>> service to start with a ordering paramater. >>> >>> And it will then proceed to start each single service. >>> On failure it will shut them all down. >>> >>> On stoppping ti shuts them down in inverse order. >>> >>> Only the ipa service is enabled with chkconfig, all other handled >>> services are off in chkconfig and started by the ipa service >>> instead. >>> >>> [*] We can create an account if we think this is not good enough, >>> but I would ask to have a separate ticket and handle this change as >>> an additional patch if we feel the need to do that. >>> >>> Simo. >> >> The patch seems to work fine, I just have one question: the script >> uses #!/usr/bin/env python as the interpreter. While this is >> generally used in python scripts to allow multiple interpreters, I >> recall it was discouraged in Fedora (and I'm pretty sure[1] it is >> discouraged in RHEL, although that could be solved by a RHEL-specific >> patch) >> >> So do we prefer /usr/bin/python or /usr/bin/env python ? >> >> Jakub >> >> [1] https://bugzilla.redhat.com/show_bug.cgi?id=521940 > > I just copied that part from another of our scripts. > If you think we should change this, I would open a generic ticket and > go through all the python script and make a consistent change to all of > them. OK: https://fedorahosted.org/freeipa/ticket/608 I think we should at least discuss it -- we would need to change the interpreter for RHEL anyway..in Fedora/upstream, I don't have a strong opinion. Other comments: Since the ipactl script is written in Python and /sbin/service ipa $action is called in %preun and %postun we also need to add Requires(preun): python and Requires(postun): python. Also, I noticed (unrelated to this patch) that we are missing the pre/post Requires on chkconfig and initscripts. Why do we still use chkconfig --add and --del for ipa_kpasswd instead of using enabling it in KrbInstance.__enable()? What are the second elements in the SERVICE_LIST[service_name] tuples? Otherwise looks good and works fine. Jakub -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.11 (GNU/Linux) Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org/ iEYEARECAAYFAk0CEn8ACgkQHsardTLnvCWazwCeKzq2mtTJq1GKGGjOLeeVevod WtoAoK2ShwMhOO5c5YAmdSuHw+2f72Ws =V9Tp -----END PGP SIGNATURE----- From jhrozek at redhat.com Fri Dec 10 13:03:08 2010 From: jhrozek at redhat.com (Jakub Hrozek) Date: Fri, 10 Dec 2010 14:03:08 +0100 Subject: [Freeipa-devel] [PATCH] 0026 Split replica installation in dsinstance In-Reply-To: <20101208075944.48796495@willson.li.ssimo.org> References: <20101207202239.52f71195@willson.li.ssimo.org> <201012080825.26030.jzeleny@redhat.com> <20101208075944.48796495@willson.li.ssimo.org> Message-ID: <4D02250C.3030203@redhat.com> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 On 12/08/2010 01:59 PM, Simo Sorce wrote: > On Wed, 8 Dec 2010 08:25:25 +0100 > Jan Zelen? wrote: > >> Simo Sorce wrote: >>> This patch allows patch 0025 to work properly for replica >>> installation so it is a prereq for it now. >>> >>> It split installation so that certain steps can be done after the >>> tree has been replicated without having them wiped out, like the >>> creation of the replica master entry under cn=masters,cn=ipa,cn=etc >>> >>> It also introduce a dependency on the replica file having the >>> ca.crt in it. And installs it by default under /etc/ipa/ca.crt (the >>> httpinstance later on also stores it also >>> under /usr/share/ipa/html/ca.crt) >>> >>> This patch also makes sure the memberof fixup task is run *after* >>> initial replication, just to make sure. Technically the memberof >>> plugin is already activated so memberof entries should be properly >>> created while replication goes through. But better be thorough. >>> >>> replication is now started within dsinstance.py and not after ds is >>> setup as one of the dsinstance creation steps. >>> >>> Initial testing gave no issues to me. >>> >>> Simo. >> >> Can you please attach the patch? ;-) > > Oh, I thought you'd just trust me :-D > > Attached. > Simo. > Two comments: If I understand it correctly, only HTTP instance should now use the cert in /usr/share/ipa/html/ca.crt, perhaps the CACERT variable in ipaserver/install/dsinstance.py should be changed to point to /etc/ipa/ca.crt, too. The conn.connect() call in ipa-replica-install could pass tls_cacertfile=CACERT since we already called install_ca_cert(). My installation testing with this patch went OK. Jakub -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.11 (GNU/Linux) Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org/ iEYEARECAAYFAk0CJQwACgkQHsardTLnvCVWTACcDYBtCjoAPwFJ1s44xXoaL7zv vsAAn1S6wb7BapWzGZa69zCpC7ds24l+ =R62T -----END PGP SIGNATURE----- From jzeleny at redhat.com Fri Dec 10 13:33:11 2010 From: jzeleny at redhat.com (Jan Zeleny) Date: Fri, 10 Dec 2010 14:33:11 +0100 Subject: [Freeipa-devel] [PATCH] Refactoring of baseldap callback invokation In-Reply-To: <4CF57DB0.4020104@redhat.com> References: <201011291128.11090.jzeleny@redhat.com> <4CF57DB0.4020104@redhat.com> Message-ID: <201012101433.11490.jzeleny@redhat.com> Adam Young wrote: > On 11/29/2010 05:28 AM, Jan Zelen? wrote: > > This patch modifies how PRE, POST and EXC callbacks are invoked in > > baseldap module. It provides method invoke_callbacks which can be used > > in all classes derived from baseldap classes as well. > > > > Pavel, since you originally wrote the baseldap module, I'd be grateful if > > you could review the patch, since you know the best if it covers all > > callback processing possibilities. > Pavel, can you take a look at this one. I want to ACK, but after the > last one I looked at like this had unintended consequences, I'm a little > wary. Pavel, after our discussion I send a patch rebased against current master with your patch 42 applied. Jan -------------- next part -------------- A non-text attachment was scrubbed... Name: jzeleny-freeipa-0010-02-Refactoring-of-baseldap-callback-invokation.patch Type: text/x-patch Size: 21438 bytes Desc: not available URL: From jhrozek at redhat.com Fri Dec 10 13:49:36 2010 From: jhrozek at redhat.com (Jakub Hrozek) Date: Fri, 10 Dec 2010 14:49:36 +0100 Subject: [Freeipa-devel] [PATCH/0028] Make selfsign CA creation an independent step In-Reply-To: <20101208185213.0a99e2f8@willson.li.ssimo.org> References: <20101208185213.0a99e2f8@willson.li.ssimo.org> Message-ID: <4D022FF0.4050000@redhat.com> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 On 12/09/2010 12:52 AM, Simo Sorce wrote: > > When we are creating a selfsign file based CA, do it at the same time > we would do the dogtag CA creation instead of doing it within the > dsinstance. > > Also move around or changes some other related minor details to clean-up > a bit the code. > > Automatically publishes the CA cert to /etc/ipa/ca.crt, this fixes #544 > as now the code gets the cert from there and the cert is put there at > CA creation time before any instance has been invoked. > > Simo. > > Looks good to me and seems to work OK. Ack although I believe patches 25,26 need to be pushed first. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.11 (GNU/Linux) Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org/ iEYEARECAAYFAk0CL/AACgkQHsardTLnvCWpLgCgvBjIpPZKgRnsYJdrSwnRiQ0/ SRkAoNE7HWdU7Qz6TKkhUs/SSzOzcqCJ =YUcs -----END PGP SIGNATURE----- From jhrozek at redhat.com Fri Dec 10 14:05:11 2010 From: jhrozek at redhat.com (Jakub Hrozek) Date: Fri, 10 Dec 2010 15:05:11 +0100 Subject: [Freeipa-devel] [PATCH] 624 clear up config-show --all In-Reply-To: <4CF6D1F1.1000707@redhat.com> References: <4CF6D1F1.1000707@redhat.com> Message-ID: <4D023397.5070602@redhat.com> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 On 12/01/2010 11:53 PM, Rob Crittenden wrote: > There were some missing labels in config-show --all, I've added them. > > I also moved the aci one level higher so it doesn't show (it was > confusing). > > I've made the cert subject base read-only. This isn't something > trivially changed. > > I'm leaving cn without a label, there isn't anything clever to add for it. > > rob > Ack, there is just one typo in the config help message - should it say users instead of user's? If so, this can be fixed when pushing.. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.11 (GNU/Linux) Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org/ iEYEARECAAYFAk0CM5cACgkQHsardTLnvCXOzQCcCfLJFhQuuODIACRgpBPog7/M uEoAoM53OYJRtVBo+guM89Z8+thSuhnA =cogp -----END PGP SIGNATURE----- From ssorce at redhat.com Fri Dec 10 14:09:30 2010 From: ssorce at redhat.com (Simo Sorce) Date: Fri, 10 Dec 2010 09:09:30 -0500 Subject: [Freeipa-devel] [PATCH] 0025 Restructure startup code for IPA servers In-Reply-To: <4D02127F.7020302@redhat.com> References: <20101207115345.1a2a9ca6@willson.li.ssimo.org> <4D00E0F5.2060301@redhat.com> <20101209095424.388b8f10@willson.li.ssimo.org> <4D02127F.7020302@redhat.com> Message-ID: <20101210090930.20fcd528@willson.li.ssimo.org> On Fri, 10 Dec 2010 12:43:59 +0100 Jakub Hrozek wrote: > -----BEGIN PGP SIGNED MESSAGE----- > Hash: SHA1 > > On 12/09/2010 03:54 PM, Simo Sorce wrote: > > On Thu, 09 Dec 2010 15:00:21 +0100 > > Jakub Hrozek wrote: > > > >> -----BEGIN PGP SIGNED MESSAGE----- > >> Hash: SHA1 > >> > >> On 12/07/2010 05:53 PM, Simo Sorce wrote: > >>> > >>> With this patch we stop relying on the system to init single ipa > >>> components and instead introduce a "ipa" init script that takes > >>> care of properly starting/stopping all relevant components. > >>> > >>> Components are listed with a generic label in LDAP, per server. > >>> At startup the ipa init script will always start drisrv, then use > >>> the local socket to query it anonymously[*] and get the list of > >>> service to start with a ordering paramater. > >>> > >>> And it will then proceed to start each single service. > >>> On failure it will shut them all down. > >>> > >>> On stoppping ti shuts them down in inverse order. > >>> > >>> Only the ipa service is enabled with chkconfig, all other handled > >>> services are off in chkconfig and started by the ipa service > >>> instead. > >>> > >>> [*] We can create an account if we think this is not good enough, > >>> but I would ask to have a separate ticket and handle this change > >>> as an additional patch if we feel the need to do that. > >>> > >>> Simo. > >> > >> The patch seems to work fine, I just have one question: the script > >> uses #!/usr/bin/env python as the interpreter. While this is > >> generally used in python scripts to allow multiple interpreters, I > >> recall it was discouraged in Fedora (and I'm pretty sure[1] it is > >> discouraged in RHEL, although that could be solved by a > >> RHEL-specific patch) > >> > >> So do we prefer /usr/bin/python or /usr/bin/env python ? > >> > >> Jakub > >> > >> [1] https://bugzilla.redhat.com/show_bug.cgi?id=521940 > > > > I just copied that part from another of our scripts. > > If you think we should change this, I would open a generic ticket > > and go through all the python script and make a consistent change > > to all of them. > > OK: > https://fedorahosted.org/freeipa/ticket/608 Thank you > I think we should at least discuss it -- we would need to change the > interpreter for RHEL anyway..in Fedora/upstream, I don't have a strong > opinion. I agree, but need to be discussed in another thread :) > Other comments: > Since the ipactl script is written in Python and /sbin/service ipa > $action is called in %preun and %postun we also need to add > Requires(preun): python and Requires(postun): python. Ok, I'll add that. > Also, I noticed (unrelated to this patch) that we are missing the > pre/post Requires on chkconfig and initscripts. I'll add that too, seem in context with the patch enough. > Why do we still use chkconfig --add and --del for ipa_kpasswd instead > of using enabling it in KrbInstance.__enable()? Good q. I don't know :) > What are the second elements in the SERVICE_LIST[service_name] tuples? It is the default ordering, used at install time by the instances to create the LDAP entry. Simo. -- Simo Sorce * Red Hat, Inc * New York From ssorce at redhat.com Fri Dec 10 14:14:12 2010 From: ssorce at redhat.com (Simo Sorce) Date: Fri, 10 Dec 2010 09:14:12 -0500 Subject: [Freeipa-devel] [PATCH] 0026 Split replica installation in dsinstance In-Reply-To: <4D02250C.3030203@redhat.com> References: <20101207202239.52f71195@willson.li.ssimo.org> <201012080825.26030.jzeleny@redhat.com> <20101208075944.48796495@willson.li.ssimo.org> <4D02250C.3030203@redhat.com> Message-ID: <20101210091412.29e23531@willson.li.ssimo.org> On Fri, 10 Dec 2010 14:03:08 +0100 Jakub Hrozek wrote: > -----BEGIN PGP SIGNED MESSAGE----- > Hash: SHA1 > > On 12/08/2010 01:59 PM, Simo Sorce wrote: > > On Wed, 8 Dec 2010 08:25:25 +0100 > > Jan Zelen? wrote: > > > >> Simo Sorce wrote: > >>> This patch allows patch 0025 to work properly for replica > >>> installation so it is a prereq for it now. > >>> > >>> It split installation so that certain steps can be done after the > >>> tree has been replicated without having them wiped out, like the > >>> creation of the replica master entry under > >>> cn=masters,cn=ipa,cn=etc > >>> > >>> It also introduce a dependency on the replica file having the > >>> ca.crt in it. And installs it by default under /etc/ipa/ca.crt > >>> (the httpinstance later on also stores it also > >>> under /usr/share/ipa/html/ca.crt) > >>> > >>> This patch also makes sure the memberof fixup task is run *after* > >>> initial replication, just to make sure. Technically the memberof > >>> plugin is already activated so memberof entries should be properly > >>> created while replication goes through. But better be thorough. > >>> > >>> replication is now started within dsinstance.py and not after ds > >>> is setup as one of the dsinstance creation steps. > >>> > >>> Initial testing gave no issues to me. > >>> > >>> Simo. > >> > >> Can you please attach the patch? ;-) > > > > Oh, I thought you'd just trust me :-D > > > > Attached. > > Simo. > > > > Two comments: > If I understand it correctly, only HTTP instance should now use the > cert in /usr/share/ipa/html/ca.crt, perhaps the CACERT variable in > ipaserver/install/dsinstance.py should be changed to point to > /etc/ipa/ca.crt, too. No the /usr/share/ipa/html/ca.crt is only the public copy so that clients can download it from the web server. The DB is in /etc/http/alias And, yes the CACERT var should be changed, good catch! > The conn.connect() call in ipa-replica-install could pass > tls_cacertfile=CACERT since we already called install_ca_cert(). Good catch! > My installation testing with this patch went OK. Thanks, I will make the changes and resubmit. Simo. -- Simo Sorce * Red Hat, Inc * New York From ssorce at redhat.com Fri Dec 10 14:59:43 2010 From: ssorce at redhat.com (Simo Sorce) Date: Fri, 10 Dec 2010 09:59:43 -0500 Subject: [Freeipa-devel] [PATCH] 0025 Restructure startup code for IPA servers In-Reply-To: <4D02127F.7020302@redhat.com> References: <20101207115345.1a2a9ca6@willson.li.ssimo.org> <4D00E0F5.2060301@redhat.com> <20101209095424.388b8f10@willson.li.ssimo.org> <4D02127F.7020302@redhat.com> Message-ID: <20101210095943.7f82d66b@willson.li.ssimo.org> On Fri, 10 Dec 2010 12:43:59 +0100 Jakub Hrozek wrote: > Other comments: > Since the ipactl script is written in Python and /sbin/service ipa > $action is called in %preun and %postun we also need to add > Requires(preun): python and Requires(postun): python. Added > Also, I noticed (unrelated to this patch) that we are missing the > pre/post Requires on chkconfig and initscripts. Added as well > Why do we still use chkconfig --add and --del for ipa_kpasswd instead > of using enabling it in KrbInstance.__enable()? > > What are the second elements in the SERVICE_LIST[service_name] tuples? > > Otherwise looks good and works fine. New patch attached. Simo. -- Simo Sorce * Red Hat, Inc * New York -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-simo-0025-2-Introduce-ipa-control-script-that-reads-configuratio.patch Type: text/x-patch Size: 22338 bytes Desc: not available URL: From ssorce at redhat.com Fri Dec 10 15:00:12 2010 From: ssorce at redhat.com (Simo Sorce) Date: Fri, 10 Dec 2010 10:00:12 -0500 Subject: [Freeipa-devel] [PATCH] 0026 Split replica installation in dsinstance In-Reply-To: <4D02250C.3030203@redhat.com> References: <20101207202239.52f71195@willson.li.ssimo.org> <201012080825.26030.jzeleny@redhat.com> <20101208075944.48796495@willson.li.ssimo.org> <4D02250C.3030203@redhat.com> Message-ID: <20101210100012.2bc6f552@willson.li.ssimo.org> On Fri, 10 Dec 2010 14:03:08 +0100 Jakub Hrozek wrote: > Two comments: > If I understand it correctly, only HTTP instance should now use the > cert in /usr/share/ipa/html/ca.crt, perhaps the CACERT variable in > ipaserver/install/dsinstance.py should be changed to point to > /etc/ipa/ca.crt, too. Fixed > The conn.connect() call in ipa-replica-install could pass > tls_cacertfile=CACERT since we already called install_ca_cert(). As well > My installation testing with this patch went OK. New patch attached. Simo. -- Simo Sorce * Red Hat, Inc * New York -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-simo-0026-2-Split-dsinstance-configuration.patch Type: text/x-patch Size: 12884 bytes Desc: not available URL: From kybaker at redhat.com Fri Dec 10 15:13:25 2010 From: kybaker at redhat.com (Kyle Baker) Date: Fri, 10 Dec 2010 10:13:25 -0500 (EST) Subject: [Freeipa-devel] admiyo-0115-button-and-table-styling. In-Reply-To: <4D015AB6.8010703@redhat.com> Message-ID: <522351689.574131291994005796.JavaMail.root@zmail05.collab.prod.int.phx2.redhat.com> ACK. This is good to push. ----- "Adam Young" wrote: > On 12/09/2010 05:22 PM, Kyle Baker wrote: > > NACK. This has many problems. > > ----- "Adam Young" wrote: > > > > > >> This is the proper patch. Majority of the work was done by Kyle > >> Baker. > >> > >> _______________________________________________ > >> Freeipa-devel mailing list > >> Freeipa-devel at redhat.com > >> https://www.redhat.com/mailman/listinfo/freeipa-devel > >> > Updated with style differences, images, and fonts From ayoung at redhat.com Fri Dec 10 15:33:06 2010 From: ayoung at redhat.com (Adam Young) Date: Fri, 10 Dec 2010 10:33:06 -0500 Subject: [Freeipa-devel] admiyo-0115-button-and-table-styling. In-Reply-To: <522351689.574131291994005796.JavaMail.root@zmail05.collab.prod.int.phx2.redhat.com> References: <522351689.574131291994005796.JavaMail.root@zmail05.collab.prod.int.phx2.redhat.com> Message-ID: <4D024832.9000308@redhat.com> On 12/10/2010 10:13 AM, Kyle Baker wrote: > ACK. This is good to push. > ----- "Adam Young" wrote: > > >> On 12/09/2010 05:22 PM, Kyle Baker wrote: >> >>> NACK. This has many problems. >>> ----- "Adam Young" wrote: >>> >>> >>> >>>> This is the proper patch. Majority of the work was done by Kyle >>>> Baker. >>>> >>>> _______________________________________________ >>>> Freeipa-devel mailing list >>>> Freeipa-devel at redhat.com >>>> https://www.redhat.com/mailman/listinfo/freeipa-devel >>>> >>>> >> Updated with style differences, images, and fonts >> Pushed to master From rcritten at redhat.com Fri Dec 10 15:56:02 2010 From: rcritten at redhat.com (Rob Crittenden) Date: Fri, 10 Dec 2010 10:56:02 -0500 Subject: [Freeipa-devel] [PATCH] 640 save certs to files Message-ID: <4D024D92.5050001@redhat.com> Add --out option to service, host and cert-show to save the cert to a file. Override forward() to grab the result and if a certificate is in the entry and the file is writable then dump the certificate in PEM format. ticket 473 rob -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-rcrit-640-cert.patch Type: text/x-patch Size: 8500 bytes Desc: not available URL: From jhrozek at redhat.com Fri Dec 10 16:30:34 2010 From: jhrozek at redhat.com (Jakub Hrozek) Date: Fri, 10 Dec 2010 17:30:34 +0100 Subject: [Freeipa-devel] [PATCH] 0025 Restructure startup code for IPA servers In-Reply-To: <20101210095943.7f82d66b@willson.li.ssimo.org> References: <20101207115345.1a2a9ca6@willson.li.ssimo.org> <4D00E0F5.2060301@redhat.com> <20101209095424.388b8f10@willson.li.ssimo.org> <4D02127F.7020302@redhat.com> <20101210095943.7f82d66b@willson.li.ssimo.org> Message-ID: <4D0255AA.8060802@redhat.com> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 On 12/10/2010 03:59 PM, Simo Sorce wrote: > New patch attached. > > Simo. Ack -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.11 (GNU/Linux) Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org/ iEYEARECAAYFAk0CVaoACgkQHsardTLnvCVxxwCgjRIwZXhzdvIjKo78G/kI6OdS /PcAnREAm6z6HyvPzu1yRm76IQZO2fvS =kDNz -----END PGP SIGNATURE----- From jhrozek at redhat.com Fri Dec 10 16:30:44 2010 From: jhrozek at redhat.com (Jakub Hrozek) Date: Fri, 10 Dec 2010 17:30:44 +0100 Subject: [Freeipa-devel] [PATCH] 0026 Split replica installation in dsinstance In-Reply-To: <20101210100012.2bc6f552@willson.li.ssimo.org> References: <20101207202239.52f71195@willson.li.ssimo.org> <201012080825.26030.jzeleny@redhat.com> <20101208075944.48796495@willson.li.ssimo.org> <4D02250C.3030203@redhat.com> <20101210100012.2bc6f552@willson.li.ssimo.org> Message-ID: <4D0255B4.3070406@redhat.com> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 On 12/10/2010 04:00 PM, Simo Sorce wrote: > New patch attached. > > Simo. Ack -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.11 (GNU/Linux) Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org/ iEYEARECAAYFAk0CVbQACgkQHsardTLnvCXxdQCfedgBLOdrEW38dzFbc3wRyJg/ 2r4An3Z90RfPbGganiWaJtwGw1r7cp6Z =flF+ -----END PGP SIGNATURE----- From ssorce at redhat.com Fri Dec 10 17:29:10 2010 From: ssorce at redhat.com (Simo Sorce) Date: Fri, 10 Dec 2010 12:29:10 -0500 Subject: [Freeipa-devel] [PATCH] 0025 Restructure startup code for IPA servers In-Reply-To: <4D0255AA.8060802@redhat.com> References: <20101207115345.1a2a9ca6@willson.li.ssimo.org> <4D00E0F5.2060301@redhat.com> <20101209095424.388b8f10@willson.li.ssimo.org> <4D02127F.7020302@redhat.com> <20101210095943.7f82d66b@willson.li.ssimo.org> <4D0255AA.8060802@redhat.com> Message-ID: <20101210122910.4a97b395@willson.li.ssimo.org> On Fri, 10 Dec 2010 17:30:34 +0100 Jakub Hrozek wrote: > On 12/10/2010 03:59 PM, Simo Sorce wrote: > > New patch attached. > > > > Simo. > > Ack Thanks, pushed to master. Simo. -- Simo Sorce * Red Hat, Inc * New York From ssorce at redhat.com Fri Dec 10 17:30:17 2010 From: ssorce at redhat.com (Simo Sorce) Date: Fri, 10 Dec 2010 12:30:17 -0500 Subject: [Freeipa-devel] [PATCH/0028] Make selfsign CA creation an independent step In-Reply-To: <4D022FF0.4050000@redhat.com> References: <20101208185213.0a99e2f8@willson.li.ssimo.org> <4D022FF0.4050000@redhat.com> Message-ID: <20101210123017.6b146fde@willson.li.ssimo.org> On Fri, 10 Dec 2010 14:49:36 +0100 Jakub Hrozek wrote: > On 12/09/2010 12:52 AM, Simo Sorce wrote: > > > > When we are creating a selfsign file based CA, do it at the same > > time we would do the dogtag CA creation instead of doing it within > > the dsinstance. > > > > Also move around or changes some other related minor details to > > clean-up a bit the code. > > > > Automatically publishes the CA cert to /etc/ipa/ca.crt, this fixes > > #544 as now the code gets the cert from there and the cert is put > > there at CA creation time before any instance has been invoked. > > > > Simo. > > > > > > Looks good to me and seems to work OK. > > Ack although I believe patches 25,26 need to be pushed first. Thank you, pushed to master after 25/26 Simo. -- Simo Sorce * Red Hat, Inc * New York From ssorce at redhat.com Fri Dec 10 17:29:24 2010 From: ssorce at redhat.com (Simo Sorce) Date: Fri, 10 Dec 2010 12:29:24 -0500 Subject: [Freeipa-devel] [PATCH] 0026 Split replica installation in dsinstance In-Reply-To: <4D0255B4.3070406@redhat.com> References: <20101207202239.52f71195@willson.li.ssimo.org> <201012080825.26030.jzeleny@redhat.com> <20101208075944.48796495@willson.li.ssimo.org> <4D02250C.3030203@redhat.com> <20101210100012.2bc6f552@willson.li.ssimo.org> <4D0255B4.3070406@redhat.com> Message-ID: <20101210122924.4bd6a2d1@willson.li.ssimo.org> On Fri, 10 Dec 2010 17:30:44 +0100 Jakub Hrozek wrote: > On 12/10/2010 04:00 PM, Simo Sorce wrote: > > New patch attached. > > > > Simo. > > Ack Thanks, pushed to master. Simo. -- Simo Sorce * Red Hat, Inc * New York From jzeleny at redhat.com Fri Dec 10 18:23:33 2010 From: jzeleny at redhat.com (Jan Zeleny) Date: Fri, 10 Dec 2010 19:23:33 +0100 Subject: [Freeipa-devel] [PATCH] Refactoring of baseldap callback invokation In-Reply-To: <201012101433.11490.jzeleny@redhat.com> References: <201011291128.11090.jzeleny@redhat.com> <4CF57DB0.4020104@redhat.com> <201012101433.11490.jzeleny@redhat.com> Message-ID: <201012101923.33876.jzeleny@redhat.com> Jan Zeleny wrote: > Adam Young wrote: > > On 11/29/2010 05:28 AM, Jan Zelen? wrote: > > > This patch modifies how PRE, POST and EXC callbacks are invoked in > > > baseldap module. It provides method invoke_callbacks which can be used > > > in all classes derived from baseldap classes as well. > > > > > > Pavel, since you originally wrote the baseldap module, I'd be grateful > > > if you could review the patch, since you know the best if it covers > > > all callback processing possibilities. > > > > Pavel, can you take a look at this one. I want to ACK, but after the > > last one I looked at like this had unintended consequences, I'm a little > > wary. > > Pavel, > after our discussion I send a patch rebased against current master with > your patch 42 applied. > > Jan Solving another ticket, I found out that this patch caused some regressions. I'm sending corrected one. Jan -------------- next part -------------- A non-text attachment was scrubbed... Name: jzeleny-freeipa-0010-03-Refactoring-of-baseldap-callback-invokation.patch Type: text/x-patch Size: 21102 bytes Desc: not available URL: From jzeleny at redhat.com Fri Dec 10 18:24:40 2010 From: jzeleny at redhat.com (Jan Zeleny) Date: Fri, 10 Dec 2010 19:24:40 +0100 Subject: [Freeipa-devel] [PATCH] Print expected error message in hbac-mod Message-ID: <201012101924.40963.jzeleny@redhat.com> This patch catches NotFound exception and calls handling function which then sends exception with unified error message. https://fedorahosted.org/freeipa/ticket/487 -- Jan -------------- next part -------------- A non-text attachment was scrubbed... Name: jzeleny-freeipa-0016-Print-expected-error-message-in-hbac-mod.patch Type: text/x-patch Size: 1268 bytes Desc: not available URL: From rcritten at redhat.com Fri Dec 10 18:36:23 2010 From: rcritten at redhat.com (Rob Crittenden) Date: Fri, 10 Dec 2010 13:36:23 -0500 Subject: [Freeipa-devel] [PATCH] 637 group to group delegation In-Reply-To: <4D010441.1000609@redhat.com> References: <4CFFFEA8.6000609@redhat.com> <4D010441.1000609@redhat.com> Message-ID: <4D027327.9050203@redhat.com> Rob Crittenden wrote: > Rob Crittenden wrote: >> Round out our trio of access control plugins. This adds group to group >> delegation where you can grant group A the ability to write a set of >> attributes of group B (v1-style delegation). >> >> rob > > I'm withdrawing this patch, needs more work. > > rob Here is the replacement patch along with some testing instructions: $ kinit admin $ ipa delegation-add --attrs=street --membergroup=admins --group=editors 'editors edit admins street' $ ipa user-add --first=tim --last=user tuser1 --password $ ipa group-add --users=tuser1 editors $ ipa user-add --first=jim --last=admin jadmin $ ipa group-add-member --users=jadmin admins $ kinit tuser1 $ ipa user-mod --street='123 main' jadmin (should succeed) $ ipa user-mod --first=Jimmy jadmin (should fail) So basically we create a couple of users. One we add to editors and the other to admins. We create an aci that grants users in editors to manage the street address of users in admins, then we try it out -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-rcrit-637-2-delegation.patch Type: text/x-patch Size: 17699 bytes Desc: not available URL: From rcritten at redhat.com Fri Dec 10 18:41:54 2010 From: rcritten at redhat.com (Rob Crittenden) Date: Fri, 10 Dec 2010 13:41:54 -0500 Subject: [Freeipa-devel] [PATCH] 624 clear up config-show --all In-Reply-To: <4D023397.5070602@redhat.com> References: <4CF6D1F1.1000707@redhat.com> <4D023397.5070602@redhat.com> Message-ID: <4D027472.6050502@redhat.com> Jakub Hrozek wrote: > -----BEGIN PGP SIGNED MESSAGE----- > Hash: SHA1 > > On 12/01/2010 11:53 PM, Rob Crittenden wrote: >> There were some missing labels in config-show --all, I've added them. >> >> I also moved the aci one level higher so it doesn't show (it was >> confusing). >> >> I've made the cert subject base read-only. This isn't something >> trivially changed. >> >> I'm leaving cn without a label, there isn't anything clever to add for it. >> >> rob >> > > Ack, there is just one typo in the config help message - should it say > users instead of user's? If so, this can be fixed when pushing.. Good catch. Fixed and pushed to master. rob From rcritten at redhat.com Fri Dec 10 18:44:46 2010 From: rcritten at redhat.com (Rob Crittenden) Date: Fri, 10 Dec 2010 13:44:46 -0500 Subject: [Freeipa-devel] [PATCH] 636 Properly handle multi-valued attributes when using setattr/addattr In-Reply-To: <201012100804.15028.jzeleny@redhat.com> References: <4CFFCEF5.4090804@redhat.com> <201012091020.18425.jzeleny@redhat.com> <4D00F798.3070003@redhat.com> <201012100804.15028.jzeleny@redhat.com> Message-ID: <4D02751E.7020203@redhat.com> Jan Zeleny wrote: > Rob Crittenden wrote: >> Jan Zelen? wrote: >>> Rob Crittenden wrote: >>>> The problem was that the normalizer was returning each value as a tuple >>>> which we were then appending to a list, so it looked like [(u'value1',), >>>> (u'value2',),...]. If there was a single value we could end up adding a >>>> tuple to a list which would fail. Additionally python-ldap doesn't like >>>> lists of lists so it was failing later in the process as well. >>>> >>>> I've added some simple tests for setattr and addattr. >>>> >>>> ticket 565 >>> >>> One question? Why are you removing radiusprofile string in chunk #3? >>> Other than that the patch is fine. >> >> I had removed it from the default user objectclasses in another patch >> and hadn't removed it here. I'm removing it now so the tests I added pass. >> >> rob > > Ok, Ack. > pushed to master From rcritten at redhat.com Fri Dec 10 18:52:26 2010 From: rcritten at redhat.com (Rob Crittenden) Date: Fri, 10 Dec 2010 13:52:26 -0500 Subject: [Freeipa-devel] [PATCH] Print expected error message in hbac-mod In-Reply-To: <201012101924.40963.jzeleny@redhat.com> References: <201012101924.40963.jzeleny@redhat.com> Message-ID: <4D0276EA.8080501@redhat.com> Jan Zeleny wrote: > This patch catches NotFound exception and calls handling function > which then sends exception with unified error message. > > https://fedorahosted.org/freeipa/ticket/487 > > -- > Jan ack, pushed to master rob From dpal at redhat.com Fri Dec 10 19:01:46 2010 From: dpal at redhat.com (Dmitri Pal) Date: Fri, 10 Dec 2010 14:01:46 -0500 Subject: [Freeipa-devel] UI seems to be completely broken Message-ID: <4D02791A.4090601@redhat.com> Hi, I installed today build. I can get to the static frame with green line and rigt user name which indicates that I actually connected and authenticated but for admin the rest of the screen was balnk. When I added myself as an ordinary user and restarted FF I got the same but now it showed dpal as logged in user and there were two links "identity" and "Users" both not clickable. -- Thank you, Dmitri Pal Sr. Engineering Manager IPA project, Red Hat Inc. ------------------------------- Looking to carve out IT costs? www.redhat.com/carveoutcosts/ From JR.Aquino at citrix.com Fri Dec 10 19:23:22 2010 From: JR.Aquino at citrix.com (JR Aquino) Date: Fri, 10 Dec 2010 19:23:22 +0000 Subject: [Freeipa-devel] [PATCH 5] managed entry hostgroup netgroup support In-Reply-To: Message-ID: Adjustment: I've consolidated both patches into 1 and corrected a bug in the previous patches. There was a line missing from the ipa.spec.in file that was responsible for sbin containing ipa-host-net-manage Please utilize this patch in reference to (https://fedorahosted.org/freeipa/ticket/543) Thank you. On 12/9/10 4:11 PM, "JR Aquino" wrote: >These 2 patches address all of the items within >(https://fedorahosted.org/freeipa/ticket/543) > >Included are: > >* ldif for the hostgroup -to- netgroup Managed Entry Plugin >* dsinstance modifications to correctly install the ldif >* management script (ipa-host-net-manage) >* man page for documentation >* Makefile mods for installation of management script and man page >* ipa.spec.in and ipa.1 to reflect inclusion > >Please review. > >_______________________________________________ >Freeipa-devel mailing list >Freeipa-devel at redhat.com >https://www.redhat.com/mailman/listinfo/freeipa-devel -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-jaquino-0007-managed-entry-hostgroup-netgroup-support.patch Type: application/octet-stream Size: 16095 bytes Desc: freeipa-jaquino-0007-managed-entry-hostgroup-netgroup-support.patch URL: From ayoung at redhat.com Fri Dec 10 19:30:17 2010 From: ayoung at redhat.com (Adam Young) Date: Fri, 10 Dec 2010 14:30:17 -0500 Subject: [Freeipa-devel] UI seems to be completely broken In-Reply-To: <4D02791A.4090601@redhat.com> References: <4D02791A.4090601@redhat.com> Message-ID: <4D027FC9.3040406@redhat.com> On 12/10/2010 02:01 PM, Dmitri Pal wrote: > Hi, > > I installed today build. I can get to the static frame with green line > and rigt user name which indicates that I actually connected and > authenticated but for admin the rest of the screen was balnk. > When I added myself as an ordinary user and restarted FF I got the same > but now it showed dpal as logged in user and there were two links > "identity" and "Users" both not clickable. > > OK, I'll take a look From dpal at redhat.com Fri Dec 10 19:38:26 2010 From: dpal at redhat.com (Dmitri Pal) Date: Fri, 10 Dec 2010 14:38:26 -0500 Subject: [Freeipa-devel] [Fwd: Re: [freeipa] #417: host-add --ipaddr shouldn't fail if reverse zone isn't available] Message-ID: <4D0281B2.3010806@redhat.com> Rob, Simo, what is your opinion? -------- Original Message -------- Subject: Re: [freeipa] #417: host-add --ipaddr shouldn't fail if reverse zone isn't available Date: Fri, 10 Dec 2010 18:33:32 -0000 From: freeipa Reply-To: nobody at fedoraproject.org To: undisclosed-recipients:; References: <038.10d90051ac3878a7ee016c4e626393ba at fedorahosted.org> #417: host-add --ipaddr shouldn't fail if reverse zone isn't available ------------------------+--------------------------------------------------- Reporter: rcritten | Owner: jzeleny Type: defect | Status: assigned Priority: major | Milestone: 0.7 iteration - December FC Component: IPA | Version: Resolution: | Keywords: Tests: 0 | Testsupdated: 0 Affects_cli: 0 | Candidate_to_defer: 0 Affects_doc: 0 | Estimate: ------------------------+--------------------------------------------------- Comment (by jzeleny): How about using --force option to override missing reverse zone? It is already used as an override for situation when host is not in DNS, so I'm not sure if it's convenient to extend its usage this way. -- Ticket URL: freeipa FreeIPA -- Thank you, Dmitri Pal Sr. Engineering Manager IPA project, Red Hat Inc. ------------------------------- Looking to carve out IT costs? www.redhat.com/carveoutcosts/ From rcritten at redhat.com Fri Dec 10 20:49:45 2010 From: rcritten at redhat.com (Rob Crittenden) Date: Fri, 10 Dec 2010 15:49:45 -0500 Subject: [Freeipa-devel] [PATCH 5] managed entry hostgroup netgroup support In-Reply-To: References: Message-ID: <4D029269.7030502@redhat.com> JR Aquino wrote: > Adjustment: > > I've consolidated both patches into 1 and corrected a bug in the previous > patches. > > There was a line missing from the ipa.spec.in file that was responsible > for sbin containing ipa-host-net-manage > > Please utilize this patch in reference to > (https://fedorahosted.org/freeipa/ticket/543) > > Thank you. nack, found a couple of minor issues: - The patch doesn't apply against the master branch (probably from Simo's recent changes there) - looks like you copied the man page from ipa-ldap-updater, needs a few more updates (though kudos for including one at all!) - IIRC this depends on some fixes in 389-ds-base. You need to set the minimum version that this will work in. - host_nis_groups.ldif isn't installed I'm not entirely sure how to test that this is doing the right thing. rob > > On 12/9/10 4:11 PM, "JR Aquino" wrote: > >> These 2 patches address all of the items within >> (https://fedorahosted.org/freeipa/ticket/543) >> >> Included are: >> >> * ldif for the hostgroup -to- netgroup Managed Entry Plugin >> * dsinstance modifications to correctly install the ldif >> * management script (ipa-host-net-manage) >> * man page for documentation >> * Makefile mods for installation of management script and man page >> * ipa.spec.in and ipa.1 to reflect inclusion >> >> Please review. >> >> _______________________________________________ >> Freeipa-devel mailing list >> Freeipa-devel at redhat.com >> https://www.redhat.com/mailman/listinfo/freeipa-devel > From rcritten at redhat.com Fri Dec 10 21:42:13 2010 From: rcritten at redhat.com (Rob Crittenden) Date: Fri, 10 Dec 2010 16:42:13 -0500 Subject: [Freeipa-devel] [PATCH] 641 Check for existence of the group when adding a user. Message-ID: <4D029EB5.2040202@redhat.com> The Managed Entries plugin will allow a user to be added even if a group of the same name exists. This would leave the user without a private group. We need to check for both the user and the group so we can do 1 of 3 things: - throw an error that the group exists (but not the user) - throw an error that the user exists (and the group) - allow the uesr to be added ticket 567 rob -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-rcrit-641-user.patch Type: text/x-patch Size: 4614 bytes Desc: not available URL: From rcritten at redhat.com Fri Dec 10 22:03:35 2010 From: rcritten at redhat.com (Rob Crittenden) Date: Fri, 10 Dec 2010 17:03:35 -0500 Subject: [Freeipa-devel] [PATCH] 642 don't import from ipaserver in clients Message-ID: <4D02A3B7.2050007@redhat.com> Don't import from ipaserver when not in a server context (bad things happen). Easy enough to test. Install on a client with just ipa-client, ipa-python and ipa-admintools. The ipa tool should actually work and not blow up. ticket 579 -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-rcrit-642-import.patch Type: text/x-patch Size: 864 bytes Desc: not available URL: From JR.Aquino at citrix.com Fri Dec 10 23:47:36 2010 From: JR.Aquino at citrix.com (JR Aquino) Date: Fri, 10 Dec 2010 23:47:36 +0000 Subject: [Freeipa-devel] [PATCH] managed entry hostgroup netgroup support In-Reply-To: <4D029269.7030502@redhat.com> Message-ID: On 12/10/10 12:49 PM, "Rob Crittenden" wrote: >nack, found a couple of minor issues: > >- The patch doesn't apply against the master branch (probably from >Simo's recent changes there) >- looks like you copied the man page from ipa-ldap-updater, needs a few >more updates (though kudos for including one at all!) >- IIRC this depends on some fixes in 389-ds-base. You need to set the >minimum version that this will work in. >- host_nis_groups.ldif isn't installed > >I'm not entirely sure how to test that this is doing the right thing. > >Rob Thanks Rob! Ok, I have adjusted the patch to correct for the errors (and the trailing whitespace). Fixed the man page (will send in a 1 liner fix for ipa-compat-manage's man page) It now installs host_nis_groups.ldif It now cleanly applies and builds, and functions against the master. It references the 389-ds-base 1.2.7.4. To test: (Hopefully this is pretty obvious and straight forward) (1 # ipa-host-net-manage status Plugin Enabled (2 # ipa-host-net-manage disable Disabling Plugin (3 # ipa-host-net-manage enable Enabling Plugin (4 ipa hostgroup-add testing ipa hostgroup-add-member --host=servername.com testing ipa hostgroup-show testing (5 ldapsearch -x -b 'cn=testing,cn=ng,cn=alt,$SUFFIX' -x -D 'cn=Directory Manager' -W # testing, ng, alt, $SUFFIX dn: cn=testing,cn=ng,cn=alt,$SUFFIX objectClass: ipanisnetgroup objectClass: mepManagedEntry objectClass: ipaAssociation objectClass: top cn: testing memberHost: cn=testing,cn=hostgroups,cn=accounts,$SUFFIX description: ipaNetgroup testing mepManagedBy: cn=testing,cn=hostgroups,cn=accounts,$SUFFIX ipaUniqueID: 9d0039ca-04b4-11e0-9494-8a3d259cb0b9 (6 ipa hostgroup-del testing ---------------------------- Deleted hostgroup "testing" ---------------------------- (7 ldapsearch -x -b 'cn=testing,cn=ng,cn=alt,$SUFFIX' -x -D 'cn=Directory Manager' -W # search result search: 2 result: 32 No such object matchedDN: cn=ng,cn=alt,$SUFFIX -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-jraquino-0007-2-managed-entry-hostgroup-netgroup-support.patch Type: application/octet-stream Size: 17094 bytes Desc: freeipa-jraquino-0007-2-managed-entry-hostgroup-netgroup-support.patch URL: From ssorce at redhat.com Sat Dec 11 02:52:16 2010 From: ssorce at redhat.com (Simo Sorce) Date: Fri, 10 Dec 2010 21:52:16 -0500 Subject: [Freeipa-devel] [PATCH] 0029 Fix non selfsigned install Message-ID: <20101210215216.607ec60c@willson.li.ssimo.org> Unfortunately my last patch was not properly tested with a dogtag installation and quite a few spots needed minor adjustments. This patch passed my install tests with dogtag. Simo. -- Simo Sorce * Red Hat, Inc * New York -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-simo-0029-Fix-Install-using-dogtag.patch Type: text/x-patch Size: 6411 bytes Desc: not available URL: From ssorce at redhat.com Sat Dec 11 02:55:38 2010 From: ssorce at redhat.com (Simo Sorce) Date: Fri, 10 Dec 2010 21:55:38 -0500 Subject: [Freeipa-devel] [PATCH] 0030 Fix ipactl script Message-ID: <20101210215538.2fc3201a@willson.li.ssimo.org> The ipactl script didn't work properly in some cases. This patch adds a few more error checks and fixes dirsrv restarts which require an instance name to be passed in to work properly. Simo. -- Simo Sorce * Red Hat, Inc * New York -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-simo-0030-Fixes-for-ipactl-script.patch Type: text/x-patch Size: 5442 bytes Desc: not available URL: From rcritten at redhat.com Sat Dec 11 03:56:10 2010 From: rcritten at redhat.com (Rob Crittenden) Date: Fri, 10 Dec 2010 22:56:10 -0500 Subject: [Freeipa-devel] [PATCH] 643 Better handle permission updates Message-ID: <4D02F65A.9020801@redhat.com> permissions are a real group pointed to by an aci, managed by the same plugin. Any given update can update one or both or neither. Do a better job at determining what it is that needs to be updated and handle the case where only the ACI is updated so that EmptyModList is not thrown. ticket 603 rob -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-rcrit-643-permission.patch Type: text/x-patch Size: 2413 bytes Desc: not available URL: From rcritten at redhat.com Sat Dec 11 04:10:53 2010 From: rcritten at redhat.com (Rob Crittenden) Date: Fri, 10 Dec 2010 23:10:53 -0500 Subject: [Freeipa-devel] [PATCH] 0029 Fix non selfsigned install In-Reply-To: <20101210215216.607ec60c@willson.li.ssimo.org> References: <20101210215216.607ec60c@willson.li.ssimo.org> Message-ID: <4D02F9CD.9080602@redhat.com> Simo Sorce wrote: > > Unfortunately my last patch was not properly tested with a dogtag > installation and quite a few spots needed minor adjustments. > > This patch passed my install tests with dogtag. > > Simo. > ack, pushed to master rob From rcritten at redhat.com Sat Dec 11 04:11:02 2010 From: rcritten at redhat.com (Rob Crittenden) Date: Fri, 10 Dec 2010 23:11:02 -0500 Subject: [Freeipa-devel] [PATCH] 0030 Fix ipactl script In-Reply-To: <20101210215538.2fc3201a@willson.li.ssimo.org> References: <20101210215538.2fc3201a@willson.li.ssimo.org> Message-ID: <4D02F9D6.3010803@redhat.com> Simo Sorce wrote: > > The ipactl script didn't work properly in some cases. > > This patch adds a few more error checks and fixes dirsrv restarts which > require an instance name to be passed in to work properly. > > Simo. ack, pushed to master From ayoung at redhat.com Sat Dec 11 04:29:28 2010 From: ayoung at redhat.com (Adam Young) Date: Fri, 10 Dec 2010 23:29:28 -0500 Subject: [Freeipa-devel] UI seems to be completely broken In-Reply-To: <4D02791A.4090601@redhat.com> References: <4D02791A.4090601@redhat.com> Message-ID: <4D02FE28.4050005@redhat.com> On 12/10/2010 02:01 PM, Dmitri Pal wrote: > Hi, > > I installed today build. I can get to the static frame with green line > and rigt user name which indicates that I actually connected and > authenticated but for admin the rest of the screen was balnk. > When I added myself as an ordinary user and restarted FF I got the same > but now it showed dpal as logged in user and there were two links > "identity" and "Users" both not clickable. > > OK, I don't get that, it worksfor me. Was this a live server or the lite server? I seem to be having some problems with the lite server. From ayoung at redhat.com Sat Dec 11 04:33:30 2010 From: ayoung at redhat.com (Adam Young) Date: Fri, 10 Dec 2010 23:33:30 -0500 Subject: [Freeipa-devel] [PATCH] admiyo-0116-aci-ui Message-ID: <4D02FF1A.5010202@redhat.com> ONly the first ACI section, not self sign or groups, yet. -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-admiyo-0116-aci-ui.patch Type: text/x-patch Size: 115132 bytes Desc: not available URL: From rcritten at redhat.com Sat Dec 11 05:47:25 2010 From: rcritten at redhat.com (Rob Crittenden) Date: Sat, 11 Dec 2010 00:47:25 -0500 Subject: [Freeipa-devel] [PATCH] 644 Pass the DM password when trying to delete a replica. Message-ID: <4D03106D.60302@redhat.com> If the ticket is expired or otherwise unusable it should fall back to the DM password. It was prompted for correctly but wasn't being passed on. Note that there is a problem with the access controls that prevents management, I opened ticket 617 for that. ticket 549 rob -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-rcrit-644-replica.patch Type: text/x-patch Size: 1157 bytes Desc: not available URL: From rcritten at redhat.com Sat Dec 11 05:50:23 2010 From: rcritten at redhat.com (Rob Crittenden) Date: Sat, 11 Dec 2010 00:50:23 -0500 Subject: [Freeipa-devel] [PATCH] fix exception catch Message-ID: <4D03111F.9040806@redhat.com> I pushed this under the 1-liner rule. Save the exception to a variable so it can be pushed along. diff --git a/ipaserver/install/service.py b/ipaserver/install/service.py index 281981d..80a9a51 100644 --- a/ipaserver/install/service.py +++ b/ipaserver/install/service.py @@ -297,7 +297,7 @@ class Service: try: conn.add_s(entry) - except ldap.ALREADY_EXISTS: + except ldap.ALREADY_EXISTS, e: logging.critical("failed to add %s Service startup entry" % name) raise e From rcritten at redhat.com Sat Dec 11 06:08:59 2010 From: rcritten at redhat.com (Rob Crittenden) Date: Sat, 11 Dec 2010 01:08:59 -0500 Subject: [Freeipa-devel] [PATCH] 645 remove principal as an option when updating a user Message-ID: <4D03157B.6070908@redhat.com> We don't want people willy-nilly changing principal names. The proper way to do this is to rename the user entry, so remove the option. rob -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-rcrit-645-user.patch Type: text/x-patch Size: 779 bytes Desc: not available URL: From dpal at redhat.com Sat Dec 11 15:41:56 2010 From: dpal at redhat.com (Dmitri Pal) Date: Sat, 11 Dec 2010 10:41:56 -0500 Subject: [Freeipa-devel] UI seems to be completely broken In-Reply-To: <4D02FE28.4050005@redhat.com> References: <4D02791A.4090601@redhat.com> <4D02FE28.4050005@redhat.com> Message-ID: <4D039BC4.6010608@redhat.com> Adam Young wrote: > On 12/10/2010 02:01 PM, Dmitri Pal wrote: >> Hi, >> >> I installed today build. I can get to the static frame with green line >> and rigt user name which indicates that I actually connected and >> authenticated but for admin the rest of the screen was balnk. >> When I added myself as an ordinary user and restarted FF I got the same >> but now it showed dpal as logged in user and there were two links >> "identity" and "Users" both not clickable. >> >> > > > OK, I don't get that, it worksfor me. Was this a live server or the > lite server? > I seem to be having some problems with the lite server. > It was a problem with the standard UI. Install on a machine Run kinit Start FF Do cert magic (cleanup and accept) Point to UI on the localhost Expected: Get the functioning UI Actual: Got a skeleton of the first page. I will retry tomorrow if have time. > _______________________________________________ > Freeipa-devel mailing list > Freeipa-devel at redhat.com > https://www.redhat.com/mailman/listinfo/freeipa-devel > > -- Thank you, Dmitri Pal Sr. Engineering Manager IPA project, Red Hat Inc. ------------------------------- Looking to carve out IT costs? www.redhat.com/carveoutcosts/ From ssorce at redhat.com Sat Dec 11 15:44:40 2010 From: ssorce at redhat.com (Simo Sorce) Date: Sat, 11 Dec 2010 10:44:40 -0500 Subject: [Freeipa-devel] [PATCH] 644 Pass the DM password when trying to delete a replica. In-Reply-To: <4D03106D.60302@redhat.com> References: <4D03106D.60302@redhat.com> Message-ID: <20101211104440.48245b55@willson.li.ssimo.org> On Sat, 11 Dec 2010 00:47:25 -0500 Rob Crittenden wrote: > If the ticket is expired or otherwise unusable it should fall back to > the DM password. It was prompted for correctly but wasn't being > passed on. > > Note that there is a problem with the access controls that prevents > management, I opened ticket 617 for that. > > ticket 549 > > rob Ack and pushed to master. Simo. -- Simo Sorce * Red Hat, Inc * New York From ssorce at redhat.com Sat Dec 11 17:51:27 2010 From: ssorce at redhat.com (Simo Sorce) Date: Sat, 11 Dec 2010 12:51:27 -0500 Subject: [Freeipa-devel] [PATCH] 642 don't import from ipaserver in clients In-Reply-To: <4D02A3B7.2050007@redhat.com> References: <4D02A3B7.2050007@redhat.com> Message-ID: <20101211125127.2b4d7c95@willson.li.ssimo.org> On Fri, 10 Dec 2010 17:03:35 -0500 Rob Crittenden wrote: > Don't import from ipaserver when not in a server context (bad things > happen). > > Easy enough to test. Install on a client with just ipa-client, > ipa-python and ipa-admintools. The ipa tool should actually work and > not blow up. > > ticket 579 ack and pushed to master Simo. -- Simo Sorce * Red Hat, Inc * New York From ayoung at redhat.com Sat Dec 11 19:25:33 2010 From: ayoung at redhat.com (Adam Young) Date: Sat, 11 Dec 2010 14:25:33 -0500 Subject: [Freeipa-devel] [PATCH] 645 remove principal as an option when updating a user In-Reply-To: <4D03157B.6070908@redhat.com> References: <4D03157B.6070908@redhat.com> Message-ID: <4D03D02D.4070904@redhat.com> On 12/11/2010 01:08 AM, Rob Crittenden wrote: > We don't want people willy-nilly changing principal names. The proper > way to do this is to rename the user entry, so remove the option. > > rob > > > _______________________________________________ > Freeipa-devel mailing list > Freeipa-devel at redhat.com > https://www.redhat.com/mailman/listinfo/freeipa-devel ACK -------------- next part -------------- An HTML attachment was scrubbed... URL: From ayoung at redhat.com Sat Dec 11 19:27:32 2010 From: ayoung at redhat.com (Adam Young) Date: Sat, 11 Dec 2010 14:27:32 -0500 Subject: [Freeipa-devel] UI seems to be completely broken In-Reply-To: <4D039BC4.6010608@redhat.com> References: <4D02791A.4090601@redhat.com> <4D02FE28.4050005@redhat.com> <4D039BC4.6010608@redhat.com> Message-ID: <4D03D0A4.2010400@redhat.com> On 12/11/2010 10:41 AM, Dmitri Pal wrote: > Adam Young wrote: > >> On 12/10/2010 02:01 PM, Dmitri Pal wrote: >> >>> Hi, >>> >>> I installed today build. I can get to the static frame with green line >>> and rigt user name which indicates that I actually connected and >>> authenticated but for admin the rest of the screen was balnk. >>> When I added myself as an ordinary user and restarted FF I got the same >>> but now it showed dpal as logged in user and there were two links >>> "identity" and "Users" both not clickable. >>> >>> >>> >> >> OK, I don't get that, it worksfor me. Was this a live server or the >> lite server? >> I seem to be having some problems with the lite server. >> >> > It was a problem with the standard UI. > Install on a machine > Run kinit > Start FF > Do cert magic (cleanup and accept) > Point to UI on the localhost > > Expected: > Get the functioning UI > > Actual: > Got a skeleton of the first page. > > > I will retry tomorrow if have time. > >> _______________________________________________ >> Freeipa-devel mailing list >> Freeipa-devel at redhat.com >> https://www.redhat.com/mailman/listinfo/freeipa-devel >> >> >> > > Is this on a machine that I can connect to? Can you provide the URL and login info? From ayoung at redhat.com Sat Dec 11 19:49:47 2010 From: ayoung at redhat.com (Adam Young) Date: Sat, 11 Dec 2010 14:49:47 -0500 Subject: [Freeipa-devel] ACI permissions UI up for review Message-ID: <4D03D5DB.5050605@redhat.com> Dmitri, While I don't expect you to do the review of the patch, I would appreciate at least a visual inspection of the completed UI. Since there seems to be something wrong with the install/UI right now, I've posed the lates on my Fedora People page. You should be able to see it from here: http://admiyo.fedorapeople.org/ipa/static/#navigation=2&role-entity=permission&ipaserver=0&permission-facet=details&permission-pkey=modifygroupmembership Please let me know if you can or cannot see it. If you can, I'd like to point out a couple things: Selecting the object type radio button displays the attribute list in a multi column form. Selecting one of the others hides it. Ben and I decided to move it to the bottom, so that none of the other page elements move. The values are from LDAP, and may be non-intuitive for someone coming to IPA from outside of that realm. The set of values displayed is from the sample data, which might need to be updated. The live site on my machine has a smaller set. It made the arbitrary decision to put 40 attributes per column, which is easy to change. Biggest thing that was getting lost was the filter. So, we moved that to the top, and added a checkbox for using/not using it. Since the Filter can apply to any of the other types, v it was removed from the radio button set. The radio button et needs a 'none' option, but that requires that the filter checkbox be set. This will require a touch more work. THe Add button off the list page uses the same code as the details. The attributes table here pushes all of the buttons way down the page, but I want to leave it that way until I confirm the the updates work. Once Updates are fixed (Rob has a patch up for review already) We can remove the attributes from this page. This means that creating a permission that requires attribute values will happen in two stages: add, with permissions and the object, then details page, where the user will select the attributes. I can either leave the filter on, or remove it from the add page as well. I think we need the rest of the info that is on there in order to successfully get through the permission-add rpc. I added another option to the radio button set: targetgroup. This is showing up ion the ACIs that come up from permission-find. I am currently populating the select with the values from doing a group-find RPC. i've added a filter field, as we once again have the possibility of having more than 100 groups, and needing to find a group outside that set. CUrrently, the query re-exectes on click of the radio button, but that is not ideal. Ben suggested that we could resend the query with each keystroke, and re-populate the select box, but that might generate a slew of network traffic, and slow down the UI. I won't know unless I implement, and I've lower hanging fruit to pick first. According to Rob, the set of permissions can be a mix of object level (add and delete) and attribute (write) although this is odd. Thus, the set of permissions is done via checkboxes. This does mean that the user can select none, and will get an error back on submit. With Endi on PTO, Pavel is really the only one that can review this code, and even he will have to take some time to learn the changes that Endi and I have made since he was heads down in it. From davido at redhat.com Mon Dec 13 04:13:03 2010 From: davido at redhat.com (David O'Brien) Date: Mon, 13 Dec 2010 14:13:03 +1000 Subject: [Freeipa-devel] [PATCH] 0024 - Better random ranges In-Reply-To: <20101207083654.5cd7e00b@willson.li.ssimo.org> References: <20101206185154.0f7d2614@willson.li.ssimo.org> <4CFE2B44.9090001@redhat.com> <20101207081315.0774d0b4@willson.li.ssimo.org> <4CFE34D0.206@redhat.com> <20101207083654.5cd7e00b@willson.li.ssimo.org> Message-ID: <4D059D4F.9000307@redhat.com> Simo Sorce wrote: > On Tue, 07 Dec 2010 08:21:20 -0500 > Stephen Gallagher wrote: > >>>> Something we used to do at my old job was base it on the IPv4 >>>> address of the primary network adapter in the machine. Basically, >>>> we could take the integer representation of the IP address, take >>>> the modulus 10000 of it, and choose the range from that. >>> That's not needed, if you want to force a specific range you can >>> simply pass an option to the installer. >>> >>>> This would also provide a guarantee that replicas on the same >>>> network would get unique ranges (instead of a 1 in 10,000 chance >>>> of doubling up). >>> Replicas take a cut of the range from the first master, sharing the >>> assigned initial range between them (see the DNA plugin[1] Shared >>> config to understand how it works) >>> >>>> These are just suggestions. The patch as it exists right now looks >>>> fine to me (though I haven't tested it). >>> I have tested it :) >>> >>> Simo. >>> >>> [1] http://directory.fedoraproject.org/wiki/DNA_Plugin >>> >> >> In that case: ack. > > Pushed to master. > > Simo. > Did this make it into a man page or other doc anywhere, or is there a ticket to do so? Also, s/arent't/aren't/ ;-) -- David O'Brien Red Hat Asia Pacific Pty Ltd +61 7 3514 8189 "He who asks is a fool for five minutes, but he who does not ask remains a fool forever." ~ Chinese proverb From davido at redhat.com Mon Dec 13 04:31:50 2010 From: davido at redhat.com (David O'Brien) Date: Mon, 13 Dec 2010 14:31:50 +1000 Subject: [Freeipa-devel] Updated SUDO spec In-Reply-To: <4CFE9EAD.9000607@redhat.com> References: <4CFE93F8.2060406@redhat.com> <4CFE9EAD.9000607@redhat.com> Message-ID: <4D05A1B6.6070604@redhat.com> Dmitri Pal wrote: > Dmitri Pal wrote: >> Changes were made to the command section of the details screen. >> >> > > And now with the file > > > > ------------------------------------------------------------------------ > > This body part will be downloaded on demand. I'm still strongly of the opinion that we should be replacing (e.g.) User(s) with Users, and Command(s) with Commands, etc. If we maintain this format, why do we not also use "Sudo Rule(s)" and "Sudo Command(s)", etc? I don't see the benefit of indicating the availability of multiple objects by (s). What happens when you encounter more complex examples? Identity(ies)? That's just messy. In ECS our policy is "If it can be plural, write in plural; if it can only be singular, write in singular." Is this not possible in the UI? -- David O'Brien Red Hat Asia Pacific Pty Ltd +61 7 3514 8189 "He who asks is a fool for five minutes, but he who does not ask remains a fool forever." ~ Chinese proverb From davido at redhat.com Mon Dec 13 05:12:00 2010 From: davido at redhat.com (David O'Brien) Date: Mon, 13 Dec 2010 15:12:00 +1000 Subject: [Freeipa-devel] [PATCH] 632 add migration cmd docs In-Reply-To: <4D01369A.2010309@redhat.com> References: <4CFE65E2.8060601@redhat.com> <4CFF6F2F.2060902@redhat.com> <4D01369A.2010309@redhat.com> Message-ID: <4D05AB20.8080706@redhat.com> Rob Crittenden wrote: > Jakub Hrozek wrote: >> -----BEGIN PGP SIGNED MESSAGE----- >> Hash: SHA1 >> >> On 12/07/2010 05:50 PM, Rob Crittenden wrote: >>> Add some documentation to the migrate-ds command. >>> >>> rob >>> >> >> Ack > > pushed to master > Apologies for the late review; I've been off sick for a week. If you get the opportunity you might like to fix this: "+ The simplest migration, acceptinging all defaults:" -- David O'Brien Red Hat Asia Pacific Pty Ltd +61 7 3514 8189 "He who asks is a fool for five minutes, but he who does not ask remains a fool forever." ~ Chinese proverb From davido at redhat.com Mon Dec 13 05:53:20 2010 From: davido at redhat.com (David O'Brien) Date: Mon, 13 Dec 2010 15:53:20 +1000 Subject: [Freeipa-devel] UI seems to be completely broken In-Reply-To: <4D03D0A4.2010400@redhat.com> References: <4D02791A.4090601@redhat.com> <4D02FE28.4050005@redhat.com> <4D039BC4.6010608@redhat.com> <4D03D0A4.2010400@redhat.com> Message-ID: <4D05B4D0.7020805@redhat.com> Adam Young wrote: > On 12/11/2010 10:41 AM, Dmitri Pal wrote: >> Adam Young wrote: >> >>> On 12/10/2010 02:01 PM, Dmitri Pal wrote: >>> >>>> Hi, >>>> >>>> I installed today build. I can get to the static frame with green line >>>> and rigt user name which indicates that I actually connected and >>>> authenticated but for admin the rest of the screen was balnk. >>>> When I added myself as an ordinary user and restarted FF I got the same >>>> but now it showed dpal as logged in user and there were two links >>>> "identity" and "Users" both not clickable. >>>> >>>> >>>> >>> >>> OK, I don't get that, it worksfor me. Was this a live server or the >>> lite server? >>> I seem to be having some problems with the lite server. >>> >>> >> It was a problem with the standard UI. >> Install on a machine >> Run kinit >> Start FF >> Do cert magic (cleanup and accept) >> Point to UI on the localhost >> >> Expected: >> Get the functioning UI >> >> Actual: >> Got a skeleton of the first page. >> >> >> I will retry tomorrow if have time. >> > > Is this on a machine that I can connect to? Can you provide the URL and > login info? > I've just installed ipa-server (ipa-1.91-0.2010121117gitbe3c8e8.fc13) on a VM (after ipa-server-install --uninstall), I'm using --no-host-dns, I ran kinit admin and opened up FF and got what appears to be the "normal" webUI. I'm using jdennis' repo. Links are clickable and all seems to be working. I don't know what the "lite" server is; first I've heard of it. Anyway, WFM. -- David O'Brien Red Hat Asia Pacific Pty Ltd +61 7 3514 8189 "He who asks is a fool for five minutes, but he who does not ask remains a fool forever." ~ Chinese proverb From jzeleny at redhat.com Mon Dec 13 09:48:07 2010 From: jzeleny at redhat.com (Jan =?iso-8859-15?q?Zelen=FD?=) Date: Mon, 13 Dec 2010 10:48:07 +0100 Subject: [Freeipa-devel] [PATCH] 641 Check for existence of the group when adding a user. In-Reply-To: <4D029EB5.2040202@redhat.com> References: <4D029EB5.2040202@redhat.com> Message-ID: <201012131048.07457.jzeleny@redhat.com> Rob Crittenden wrote: > The Managed Entries plugin will allow a user to be added even if a group > of the same name exists. This would leave the user without a private group. > > We need to check for both the user and the group so we can do 1 of 3 > things: - throw an error that the group exists (but not the user) > - throw an error that the user exists (and the group) > - allow the uesr to be added > > ticket 567 > > rob ack Jan From jzeleny at redhat.com Mon Dec 13 09:51:19 2010 From: jzeleny at redhat.com (Jan =?iso-8859-15?q?Zelen=FD?=) Date: Mon, 13 Dec 2010 10:51:19 +0100 Subject: [Freeipa-devel] [PATCH] 643 Better handle permission updates In-Reply-To: <4D02F65A.9020801@redhat.com> References: <4D02F65A.9020801@redhat.com> Message-ID: <201012131051.19607.jzeleny@redhat.com> Rob Crittenden wrote: > permissions are a real group pointed to by an aci, managed by the same > plugin. Any given update can update one or both or neither. Do a better > job at determining what it is that needs to be updated and handle the > case where only the ACI is updated so that EmptyModList is not thrown. > > ticket 603 > > rob ack Jan From jzeleny at redhat.com Mon Dec 13 10:25:33 2010 From: jzeleny at redhat.com (Jan =?iso-8859-15?q?Zelen=FD?=) Date: Mon, 13 Dec 2010 11:25:33 +0100 Subject: [Freeipa-devel] [PATCH] 640 save certs to files In-Reply-To: <4D024D92.5050001@redhat.com> References: <4D024D92.5050001@redhat.com> Message-ID: <201012131125.33899.jzeleny@redhat.com> Rob Crittenden wrote: > Add --out option to service, host and cert-show to save the cert to a file. > > Override forward() to grab the result and if a certificate is in the > entry and the file is writable then dump the certificate in PEM format. > > ticket 473 > > rob ack Jan From rcritten at redhat.com Mon Dec 13 14:48:58 2010 From: rcritten at redhat.com (Rob Crittenden) Date: Mon, 13 Dec 2010 09:48:58 -0500 Subject: [Freeipa-devel] [PATCH] 632 add migration cmd docs In-Reply-To: <4D05AB20.8080706@redhat.com> References: <4CFE65E2.8060601@redhat.com> <4CFF6F2F.2060902@redhat.com> <4D01369A.2010309@redhat.com> <4D05AB20.8080706@redhat.com> Message-ID: <4D06325A.8050100@redhat.com> David O'Brien wrote: > Rob Crittenden wrote: >> Jakub Hrozek wrote: >>> -----BEGIN PGP SIGNED MESSAGE----- >>> Hash: SHA1 >>> >>> On 12/07/2010 05:50 PM, Rob Crittenden wrote: >>>> Add some documentation to the migrate-ds command. >>>> >>>> rob >>>> >>> >>> Ack >> >> pushed to master >> > Apologies for the late review; I've been off sick for a week. > > If you get the opportunity you might like to fix this: > > "+ The simplest migration, acceptinging all defaults:" > Fixed as a 1-liner. rob From rcritten at redhat.com Mon Dec 13 14:54:34 2010 From: rcritten at redhat.com (Rob Crittenden) Date: Mon, 13 Dec 2010 09:54:34 -0500 Subject: [Freeipa-devel] [PATCH] 641 Check for existence of the group when adding a user. In-Reply-To: <201012131048.07457.jzeleny@redhat.com> References: <4D029EB5.2040202@redhat.com> <201012131048.07457.jzeleny@redhat.com> Message-ID: <4D0633AA.2020805@redhat.com> Jan Zelen? wrote: > Rob Crittenden wrote: >> The Managed Entries plugin will allow a user to be added even if a group >> of the same name exists. This would leave the user without a private group. >> >> We need to check for both the user and the group so we can do 1 of 3 >> things: - throw an error that the group exists (but not the user) >> - throw an error that the user exists (and the group) >> - allow the uesr to be added >> >> ticket 567 >> >> rob > > ack > > Jan Rebased and pushed to master From rcritten at redhat.com Mon Dec 13 14:56:15 2010 From: rcritten at redhat.com (Rob Crittenden) Date: Mon, 13 Dec 2010 09:56:15 -0500 Subject: [Freeipa-devel] [PATCH] 643 Better handle permission updates In-Reply-To: <201012131051.19607.jzeleny@redhat.com> References: <4D02F65A.9020801@redhat.com> <201012131051.19607.jzeleny@redhat.com> Message-ID: <4D06340F.7090407@redhat.com> Jan Zelen? wrote: > Rob Crittenden wrote: >> permissions are a real group pointed to by an aci, managed by the same >> plugin. Any given update can update one or both or neither. Do a better >> job at determining what it is that needs to be updated and handle the >> case where only the ACI is updated so that EmptyModList is not thrown. >> >> ticket 603 >> >> rob > > ack > > Jan pushed to master From rcritten at redhat.com Mon Dec 13 14:59:50 2010 From: rcritten at redhat.com (Rob Crittenden) Date: Mon, 13 Dec 2010 09:59:50 -0500 Subject: [Freeipa-devel] [PATCH] 640 save certs to files In-Reply-To: <201012131125.33899.jzeleny@redhat.com> References: <4D024D92.5050001@redhat.com> <201012131125.33899.jzeleny@redhat.com> Message-ID: <4D0634E6.4090609@redhat.com> Jan Zelen? wrote: > Rob Crittenden wrote: >> Add --out option to service, host and cert-show to save the cert to a file. >> >> Override forward() to grab the result and if a certificate is in the >> entry and the file is writable then dump the certificate in PEM format. >> >> ticket 473 >> >> rob > > ack > pushed to master From dpal at redhat.com Mon Dec 13 16:05:29 2010 From: dpal at redhat.com (Dmitri Pal) Date: Mon, 13 Dec 2010 11:05:29 -0500 Subject: [Freeipa-devel] ACI permissions UI up for review In-Reply-To: <4D03D5DB.5050605@redhat.com> References: <4D03D5DB.5050605@redhat.com> Message-ID: <4D064449.9040903@redhat.com> Adam Young wrote: > Dmitri, > > While I don't expect you to do the review of the patch, I would > appreciate at least a visual inspection of the completed UI. Since > there seems to be something wrong with the install/UI right now, I've > posed the lates on my Fedora People page. You should be able to see > it from here: > > > > http://admiyo.fedorapeople.org/ipa/static/#navigation=2&role-entity=permission&ipaserver=0&permission-facet=details&permission-pkey=modifygroupmembership > > I can see it. > > > Please let me know if you can or cannot see it. If you can, I'd like > to point out a couple things: > > Selecting the object type radio button displays the attribute list in > a multi column form. Selecting one of the others hides it. Ben and I > decided to move it to the bottom, so that none of the other page > elements move. The values are from LDAP, and may be non-intuitive > for someone coming to IPA from outside of that realm. The set of > values displayed is from the sample data, which might need to be > updated. The live site on my machine has a smaller set. It made the > arbitrary decision to put 40 attributes per column, which is easy to > change. This part is fine. > > Biggest thing that was getting lost was the filter. So, we moved that > to the top, and added a checkbox for using/not using it. Since the > Filter can apply to any of the other types, v it was removed from the > radio button set. The radio button et needs a 'none' option, but that > requires that the filter checkbox be set. This will require a touch > more work. The screen stopped making any sense to me. I do not understand the structure now. Filter? What filter? Where it comes from? Why checkbox? I am really confused by the current layout. > > THe Add button off the list page uses the same code as the details. > The attributes table here pushes all of the buttons way down the page, > but I want to leave it that way until I confirm the the updates work. > Once Updates are fixed (Rob has a patch up for review already) We can > remove the attributes from this page. This means that creating a > permission that requires attribute values will happen in two stages: > add, with permissions and the object, then details page, where the > user will select the attributes. I can either leave the filter on, or > remove it from the add page as well. I think we need the rest of the > info that is on there in order to successfully get through the > permission-add rpc. I have mixed feeling about this approach. What is the implication of having half baked rule? Is it just meaningless until the attributes are defined or it can potentially have a negative impact and open a security hole? > > I added another option to the radio button set: targetgroup. I do not understand it. > This is showing up ion the ACIs that come up from permission-find. I > am currently populating the select with the values from doing a > group-find RPC. i've added a filter field, as we once again have the > possibility of having more than 100 groups, and needing to find a > group outside that set. CUrrently, the query re-exectes on click of > the radio button, but that is not ideal. Ben suggested that we could > resend the query with each keystroke, and re-populate the select box, > but that might generate a slew of network traffic, and slow down the > UI. I won't know unless I implement, and I've lower hanging fruit to > pick first. Sorry this whole part just does not make sense to me. What is the target group? Where it came from? > > According to Rob, the set of permissions can be a mix of object level > (add and delete) and attribute (write) although this is odd. Thus, > the set of permissions is done via checkboxes. This does mean that > the user can select none, and will get an error back on submit. I was hoping that we would be able to help to not mix things together. If you specify add or delete you should not be able to drill down to the attribute level forcing people to create explicit "write" riles targeting attributes. > > With Endi on PTO, Pavel is really the only one that can review this > code, and even he will have to take some time to learn the changes > that Endi and I have made since he was heads down in it. > In addition to the issues I explain above here is what I also noticed: 1) As we mentioned there is no "Description" in ACI. The description and name is the same field for ACI. 2) There is a label it is the name of the task group the ACI is associated with - it is missing 3) Rest of the screen does not make much sense at all but the attribute part seems fine. 4) I do not like some of the levels on the left in the menu. It is all mixed up. 5) The Privileges, Permissions and Role Groups are jumping and changing places depending on your selection - this is wrong. They should just expand. 6) The hierarchy is broken for permissions 7) When editing privileges there is unclear what the enroll button would do. Options no include: * Permissions Members * Role Groups Members * Membership in Permissions Doe not make much sense. It is really confusing if the meaning of the enroll button is going to change depending upon the selection made. But currently it does not and it completely does not make sense. There are more things like that related to the action panel. In general though I like the style and where we are going with navigation. -- Thank you, Dmitri Pal Sr. Engineering Manager IPA project, Red Hat Inc. ------------------------------- Looking to carve out IT costs? www.redhat.com/carveoutcosts/ From rcritten at redhat.com Mon Dec 13 16:11:55 2010 From: rcritten at redhat.com (Rob Crittenden) Date: Mon, 13 Dec 2010 11:11:55 -0500 Subject: [Freeipa-devel] [PATCH] 635 wait for memberof plugin when doing reverse members In-Reply-To: <201012100819.17570.jzeleny@redhat.com> References: <4CFF0848.3030903@redhat.com> <201012090938.38310.jzeleny@redhat.com> <4D00F76E.8020800@redhat.com> <201012100819.17570.jzeleny@redhat.com> Message-ID: <4D0645CB.7020903@redhat.com> Jan Zeleny wrote: > Rob Crittenden wrote: >> Jan Zelen? wrote: >>> Rob Crittenden wrote: >>>> Give the memberof plugin time to work when adding/removing reverse >>>> members. >>>> >>>> When we add/remove reverse members it looks like we're operating on >>>> group A but we're really operating on group B. This adds/removes the >>>> member attribute on group B and the memberof plugin adds the memberof >>>> attribute into group A. >>>> >>>> We need to give the memberof plugin a chance to do its work so loop a >>>> few times, reading the entry to see if the number of memberof is more or >>>> less what we expect. Bail out if it is taking too long. >>>> >>>> ticket 560 >>>> >>>> rob >>> >>> About that FIXME you got there: I'm not sure if it wouldn't be better to >>> handle the possible exception right in the wait_for_memberof method (I >>> guess it depends on what exception are we expecting and what are we >>> going to do with it?). If you want the exception to reach the calling >>> function, I'd like to see some kind of exception handling in that >>> function - either to let the user know that the error occurred during >>> this waiting or maybe to disregard the exception and continue normal >>> operation. >> >> The types of exceptions could run the gambit but I was wondering what >> would happen if we were looping and some other user deleted the role. >> The next search for it would fail with NotFound. Granted this isn't a >> very friendly message to return to someone after adding a member to the >> group but it does sort of make sense (someone deleted it concurrently). >> It seemed best to just let this filter up to the caller. > > Yes, I understand that. But my point was that it would be more user friendy to > catch this exception in the calling function and adjust the error message to > the situation. Otherwise user can get completely out-of-context error message, > like "user not found" when working with groups or something like that. > >> >>> Some nitpicking: I'm confused - in the doc string you state that "this >>> will loop for 6+ seconds" and a couple lines below, you have a comment >>> "Don't sleep for more that 6 seconds" - is there a mistake ar are these >>> two statements unrelated? >> >> Yeah, I was afraid that might be confusing. I'll wait .3 seconds 20 >> times so 6 seconds. There are a few LDAP calls which take a bit of time >> as well, so it will be 6+ seconds if it goes the whole time. > > Ok, thanks for explanation > > Jan Ok, I added a catch-all in case something goes horribly wrong. rob -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-rcrit-635-2-memberof.patch Type: text/x-patch Size: 6284 bytes Desc: not available URL: From dpal at redhat.com Mon Dec 13 16:12:18 2010 From: dpal at redhat.com (Dmitri Pal) Date: Mon, 13 Dec 2010 11:12:18 -0500 Subject: [Freeipa-devel] UI seems to be completely broken In-Reply-To: <4D05B4D0.7020805@redhat.com> References: <4D02791A.4090601@redhat.com> <4D02FE28.4050005@redhat.com> <4D039BC4.6010608@redhat.com> <4D03D0A4.2010400@redhat.com> <4D05B4D0.7020805@redhat.com> Message-ID: <4D0645E2.4050204@redhat.com> David O'Brien wrote: > Adam Young wrote: >> On 12/11/2010 10:41 AM, Dmitri Pal wrote: >>> Adam Young wrote: >>> >>>> On 12/10/2010 02:01 PM, Dmitri Pal wrote: >>>> >>>>> Hi, >>>>> >>>>> I installed today build. I can get to the static frame with green >>>>> line >>>>> and rigt user name which indicates that I actually connected and >>>>> authenticated but for admin the rest of the screen was balnk. >>>>> When I added myself as an ordinary user and restarted FF I got the >>>>> same >>>>> but now it showed dpal as logged in user and there were two links >>>>> "identity" and "Users" both not clickable. >>>>> >>>>> >>>>> >>>> >>>> OK, I don't get that, it worksfor me. Was this a live server or the >>>> lite server? >>>> I seem to be having some problems with the lite server. >>>> >>>> >>> It was a problem with the standard UI. >>> Install on a machine >>> Run kinit >>> Start FF >>> Do cert magic (cleanup and accept) >>> Point to UI on the localhost >>> >>> Expected: >>> Get the functioning UI >>> >>> Actual: >>> Got a skeleton of the first page. >>> >>> >>> I will retry tomorrow if have time. >>> >> >> Is this on a machine that I can connect to? Can you provide the URL >> and login info? >> > I've just installed ipa-server (ipa-1.91-0.2010121117gitbe3c8e8.fc13) > on a VM (after ipa-server-install --uninstall), I'm using > --no-host-dns, I ran kinit admin and opened up FF and got what appears > to be the "normal" webUI. I'm using jdennis' repo. > > Links are clickable and all seems to be working. I don't know what the > "lite" server is; first I've heard of it. > > Anyway, WFM. I did not have a chance to test it yesterday. The earliest time I would be able to is Wednesday. -- Thank you, Dmitri Pal Sr. Engineering Manager IPA project, Red Hat Inc. ------------------------------- Looking to carve out IT costs? www.redhat.com/carveoutcosts/ From jzeleny at redhat.com Mon Dec 13 16:19:51 2010 From: jzeleny at redhat.com (Jan =?iso-8859-15?q?Zelen=FD?=) Date: Mon, 13 Dec 2010 17:19:51 +0100 Subject: [Freeipa-devel] [PATCH] 635 wait for memberof plugin when doing reverse members In-Reply-To: <4D0645CB.7020903@redhat.com> References: <4CFF0848.3030903@redhat.com> <201012100819.17570.jzeleny@redhat.com> <4D0645CB.7020903@redhat.com> Message-ID: <201012131719.51958.jzeleny@redhat.com> Rob Crittenden wrote: > Jan Zeleny wrote: > > Rob Crittenden wrote: > >> Jan Zelen? wrote: > >>> Rob Crittenden wrote: > >>>> Give the memberof plugin time to work when adding/removing reverse > >>>> members. > >>>> > >>>> When we add/remove reverse members it looks like we're operating on > >>>> group A but we're really operating on group B. This adds/removes the > >>>> member attribute on group B and the memberof plugin adds the memberof > >>>> attribute into group A. > >>>> > >>>> We need to give the memberof plugin a chance to do its work so loop a > >>>> few times, reading the entry to see if the number of memberof is more > >>>> or less what we expect. Bail out if it is taking too long. > >>>> > >>>> ticket 560 > >>>> > >>>> rob > >>> > >>> About that FIXME you got there: I'm not sure if it wouldn't be better > >>> to handle the possible exception right in the wait_for_memberof method > >>> (I guess it depends on what exception are we expecting and what are we > >>> going to do with it?). If you want the exception to reach the calling > >>> function, I'd like to see some kind of exception handling in that > >>> function - either to let the user know that the error occurred during > >>> this waiting or maybe to disregard the exception and continue normal > >>> operation. > >> > >> The types of exceptions could run the gambit but I was wondering what > >> would happen if we were looping and some other user deleted the role. > >> The next search for it would fail with NotFound. Granted this isn't a > >> very friendly message to return to someone after adding a member to the > >> group but it does sort of make sense (someone deleted it concurrently). > >> It seemed best to just let this filter up to the caller. > > > > Yes, I understand that. But my point was that it would be more user > > friendy to catch this exception in the calling function and adjust the > > error message to the situation. Otherwise user can get completely > > out-of-context error message, like "user not found" when working with > > groups or something like that. > > > >>> Some nitpicking: I'm confused - in the doc string you state that "this > >>> will loop for 6+ seconds" and a couple lines below, you have a comment > >>> "Don't sleep for more that 6 seconds" - is there a mistake ar are these > >>> two statements unrelated? > >> > >> Yeah, I was afraid that might be confusing. I'll wait .3 seconds 20 > >> times so 6 seconds. There are a few LDAP calls which take a bit of time > >> as well, so it will be 6+ seconds if it goes the whole time. > > > > Ok, thanks for explanation > > > > Jan > > Ok, I added a catch-all in case something goes horribly wrong. > > rob ack Jan From dpal at redhat.com Mon Dec 13 16:27:04 2010 From: dpal at redhat.com (Dmitri Pal) Date: Mon, 13 Dec 2010 11:27:04 -0500 Subject: [Freeipa-devel] ACI permissions UI up for review In-Reply-To: <4D064449.9040903@redhat.com> References: <4D03D5DB.5050605@redhat.com> <4D064449.9040903@redhat.com> Message-ID: <4D064958.7010203@redhat.com> Dmitri Pal wrote: > Adam Young wrote: > >> Dmitri, >> >> While I don't expect you to do the review of the patch, I would >> appreciate at least a visual inspection of the completed UI. Since >> there seems to be something wrong with the install/UI right now, I've >> posed the lates on my Fedora People page. You should be able to see >> it from here: >> >> >> >> http://admiyo.fedorapeople.org/ipa/static/#navigation=2&role-entity=permission&ipaserver=0&permission-facet=details&permission-pkey=modifygroupmembership >> >> >> > I can see it. > > >> Please let me know if you can or cannot see it. If you can, I'd like >> to point out a couple things: >> >> Selecting the object type radio button displays the attribute list in >> a multi column form. Selecting one of the others hides it. Ben and I >> decided to move it to the bottom, so that none of the other page >> elements move. The values are from LDAP, and may be non-intuitive >> for someone coming to IPA from outside of that realm. The set of >> values displayed is from the sample data, which might need to be >> updated. The live site on my machine has a smaller set. It made the >> arbitrary decision to put 40 attributes per column, which is easy to >> change. >> > > This part is fine. > > >> Biggest thing that was getting lost was the filter. So, we moved that >> to the top, and added a checkbox for using/not using it. Since the >> Filter can apply to any of the other types, v it was removed from the >> radio button set. The radio button et needs a 'none' option, but that >> requires that the filter checkbox be set. This will require a touch >> more work. >> > > The screen stopped making any sense to me. I do not understand the > structure now. Filter? What filter? Where it comes from? Why checkbox? I > am really confused by the current layout. > > >> THe Add button off the list page uses the same code as the details. >> The attributes table here pushes all of the buttons way down the page, >> but I want to leave it that way until I confirm the the updates work. >> Once Updates are fixed (Rob has a patch up for review already) We can >> remove the attributes from this page. This means that creating a >> permission that requires attribute values will happen in two stages: >> add, with permissions and the object, then details page, where the >> user will select the attributes. I can either leave the filter on, or >> remove it from the add page as well. I think we need the rest of the >> info that is on there in order to successfully get through the >> permission-add rpc. >> > I have mixed feeling about this approach. What is the implication of > having half baked rule? Is it just meaningless until the attributes are > defined or it can potentially have a negative impact and open a security > hole? > > > >> I added another option to the radio button set: targetgroup. >> > > I do not understand it. > > >> This is showing up ion the ACIs that come up from permission-find. I >> am currently populating the select with the values from doing a >> group-find RPC. i've added a filter field, as we once again have the >> possibility of having more than 100 groups, and needing to find a >> group outside that set. CUrrently, the query re-exectes on click of >> the radio button, but that is not ideal. Ben suggested that we could >> resend the query with each keystroke, and re-populate the select box, >> but that might generate a slew of network traffic, and slow down the >> UI. I won't know unless I implement, and I've lower hanging fruit to >> pick first. >> > > Sorry this whole part just does not make sense to me. What is the target > group? Where it came from? > > > >> According to Rob, the set of permissions can be a mix of object level >> (add and delete) and attribute (write) although this is odd. Thus, >> the set of permissions is done via checkboxes. This does mean that >> the user can select none, and will get an error back on submit. >> > > I was hoping that we would be able to help to not mix things together. > If you specify add or delete you should not be able to drill down to the > attribute level forcing people to create explicit "write" riles > targeting attributes. > > >> With Endi on PTO, Pavel is really the only one that can review this >> code, and even he will have to take some time to learn the changes >> that Endi and I have made since he was heads down in it. >> >> > In addition to the issues I explain above here is what I also noticed: > 1) As we mentioned there is no "Description" in ACI. The description and > name is the same field for ACI. > 2) There is a label it is the name of the task group the ACI is > associated with - it is missing > 3) Rest of the screen does not make much sense at all but the attribute > part seems fine. > 4) I do not like some of the levels on the left in the menu. It is all > mixed up. > 5) The Privileges, Permissions and Role Groups are jumping and changing > places depending on your selection - this is wrong. They should just expand. > 6) The hierarchy is broken for permissions > 7) When editing privileges there is unclear what the enroll button would > do. > Options no include: > > * Permissions Members > * Role Groups Members > * Membership in Permissions > > Doe not make much sense. It is really confusing if the meaning of the > enroll button is going to change depending upon the selection made. But > currently it does not and it completely does not make sense. > There are more things like that related to the action panel. > > In general though I like the style and where we are going with navigation. > > One other thing that I noticed. Can we have some kind of differentiation between the static part of the label and dynamic part. Right now the whole label: role(s) enrolled in privilege useradmin looks like one static text label. I suggest we have some kind of stylistic difference between the static label and the inserted value so that one can easily grasp the object currently viewed. In this case it is "useradmin". I will leave it to Ben & Kyle to decide how to make it distinct but it should definitely be. And as Devid mentioned we should not do "(s)" - it is really ugly. I hope that for this particular example the whole text will be different. First we use "role groups" term (though I do not like it - I would prefer just roles) secnderily the word "enrolled" is misleading here. I see the label being: Role groups that include privilege "useradmin" or Role groups that contain privilege "useradmin" -- Thank you, Dmitri Pal Sr. Engineering Manager IPA project, Red Hat Inc. ------------------------------- Looking to carve out IT costs? www.redhat.com/carveoutcosts/ From ayoung at redhat.com Mon Dec 13 17:52:20 2010 From: ayoung at redhat.com (Adam Young) Date: Mon, 13 Dec 2010 12:52:20 -0500 Subject: [Freeipa-devel] ACI permissions UI up for review In-Reply-To: <4D064449.9040903@redhat.com> References: <4D03D5DB.5050605@redhat.com> <4D064449.9040903@redhat.com> Message-ID: <4D065D54.8040707@redhat.com> Lets walk through it tomorrow when I am in the office. On 12/13/2010 11:05 AM, Dmitri Pal wrote: > Adam Young wrote: > >> Dmitri, >> >> While I don't expect you to do the review of the patch, I would >> appreciate at least a visual inspection of the completed UI. Since >> there seems to be something wrong with the install/UI right now, I've >> posed the lates on my Fedora People page. You should be able to see >> it from here: >> >> >> >> http://admiyo.fedorapeople.org/ipa/static/#navigation=2&role-entity=permission&ipaserver=0&permission-facet=details&permission-pkey=modifygroupmembership >> >> >> > I can see it. > > >> >> Please let me know if you can or cannot see it. If you can, I'd like >> to point out a couple things: >> >> Selecting the object type radio button displays the attribute list in >> a multi column form. Selecting one of the others hides it. Ben and I >> decided to move it to the bottom, so that none of the other page >> elements move. The values are from LDAP, and may be non-intuitive >> for someone coming to IPA from outside of that realm. The set of >> values displayed is from the sample data, which might need to be >> updated. The live site on my machine has a smaller set. It made the >> arbitrary decision to put 40 attributes per column, which is easy to >> change. >> > This part is fine. > > >> Biggest thing that was getting lost was the filter. So, we moved that >> to the top, and added a checkbox for using/not using it. Since the >> Filter can apply to any of the other types, v it was removed from the >> radio button set. The radio button et needs a 'none' option, but that >> requires that the filter checkbox be set. This will require a touch >> more work. >> > The screen stopped making any sense to me. I do not understand the > structure now. Filter? What filter? Where it comes from? Why checkbox? I > am really confused by the current layout. > > >> THe Add button off the list page uses the same code as the details. >> The attributes table here pushes all of the buttons way down the page, >> but I want to leave it that way until I confirm the the updates work. >> Once Updates are fixed (Rob has a patch up for review already) We can >> remove the attributes from this page. This means that creating a >> permission that requires attribute values will happen in two stages: >> add, with permissions and the object, then details page, where the >> user will select the attributes. I can either leave the filter on, or >> remove it from the add page as well. I think we need the rest of the >> info that is on there in order to successfully get through the >> permission-add rpc. >> > I have mixed feeling about this approach. What is the implication of > having half baked rule? Is it just meaningless until the attributes are > defined or it can potentially have a negative impact and open a security > hole? > > > >> I added another option to the radio button set: targetgroup. >> > I do not understand it. > > >> This is showing up ion the ACIs that come up from permission-find. I >> am currently populating the select with the values from doing a >> group-find RPC. i've added a filter field, as we once again have the >> possibility of having more than 100 groups, and needing to find a >> group outside that set. CUrrently, the query re-exectes on click of >> the radio button, but that is not ideal. Ben suggested that we could >> resend the query with each keystroke, and re-populate the select box, >> but that might generate a slew of network traffic, and slow down the >> UI. I won't know unless I implement, and I've lower hanging fruit to >> pick first. >> > Sorry this whole part just does not make sense to me. What is the target > group? Where it came from? > > > >> According to Rob, the set of permissions can be a mix of object level >> (add and delete) and attribute (write) although this is odd. Thus, >> the set of permissions is done via checkboxes. This does mean that >> the user can select none, and will get an error back on submit. >> > I was hoping that we would be able to help to not mix things together. > If you specify add or delete you should not be able to drill down to the > attribute level forcing people to create explicit "write" riles > targeting attributes. > > >> With Endi on PTO, Pavel is really the only one that can review this >> code, and even he will have to take some time to learn the changes >> that Endi and I have made since he was heads down in it. >> >> > In addition to the issues I explain above here is what I also noticed: > 1) As we mentioned there is no "Description" in ACI. The description and > name is the same field for ACI. > 2) There is a label it is the name of the task group the ACI is > associated with - it is missing > 3) Rest of the screen does not make much sense at all but the attribute > part seems fine. > 4) I do not like some of the levels on the left in the menu. It is all > mixed up. > 5) The Privileges, Permissions and Role Groups are jumping and changing > places depending on your selection - this is wrong. They should just expand. > 6) The hierarchy is broken for permissions > 7) When editing privileges there is unclear what the enroll button would > do. > Options no include: > > * Permissions Members > * Role Groups Members > * Membership in Permissions > > Doe not make much sense. It is really confusing if the meaning of the > enroll button is going to change depending upon the selection made. But > currently it does not and it completely does not make sense. > There are more things like that related to the action panel. > > In general though I like the style and where we are going with navigation. > > From ayoung at redhat.com Mon Dec 13 17:54:39 2010 From: ayoung at redhat.com (Adam Young) Date: Mon, 13 Dec 2010 12:54:39 -0500 Subject: [Freeipa-devel] [PATCH] admiyo-0117-aci-unit-tests Message-ID: <4D065DDF.7010905@redhat.com> This depends on my patch 0116. Something not mentioned in the commit message is that this also fixes the 'filter only' options. -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-admiyo-0117-aci-unit-tests.patch Type: text/x-patch Size: 13439 bytes Desc: not available URL: From JR.Aquino at citrix.com Mon Dec 13 18:05:16 2010 From: JR.Aquino at citrix.com (JR Aquino) Date: Mon, 13 Dec 2010 18:05:16 +0000 Subject: [Freeipa-devel] [Patch] sudo run as user or group AND tests Message-ID: Attached are patches to address: (https://fedorahosted.org/freeipa/ticket/570) 5) -The UI needs separate run-as-user and run-as-group categories for the "As Whom" section. The UI also needs a way to manage the list of users/groups for the run-as-user, and the list of groups for the run-as-group. The CLI doesn't have these attributes or operations. First patch is for the sudo plugin to address the bug. Second patch is the corresponding updates to the sudorule tests suite to ease the review process. ;) -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-jraquino-0008-2-tests-for-sudo-run-as-user-or-group.patch Type: application/octet-stream Size: 4488 bytes Desc: freeipa-jraquino-0008-2-tests-for-sudo-run-as-user-or-group.patch URL: -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-jraquino-0008-sudo-run-as-user-or-group.patch Type: application/octet-stream Size: 3340 bytes Desc: freeipa-jraquino-0008-sudo-run-as-user-or-group.patch URL: From ayoung at redhat.com Mon Dec 13 18:17:11 2010 From: ayoung at redhat.com (Adam Young) Date: Mon, 13 Dec 2010 13:17:11 -0500 Subject: [Freeipa-devel] ACI permissions UI up for review In-Reply-To: <4D064449.9040903@redhat.com> References: <4D03D5DB.5050605@redhat.com> <4D064449.9040903@redhat.com> Message-ID: <4D066327.2080909@redhat.com> On 12/13/2010 11:05 AM, Dmitri Pal wrote: > Adam Young wrote: > >> Dmitri, >> >> While I don't expect you to do the review of the patch, I would >> appreciate at least a visual inspection of the completed UI. Since >> there seems to be something wrong with the install/UI right now, I've >> posed the lates on my Fedora People page. You should be able to see >> it from here: >> >> >> >> http://admiyo.fedorapeople.org/ipa/static/#navigation=2&role-entity=permission&ipaserver=0&permission-facet=details&permission-pkey=modifygroupmembership >> >> >> > I can see it. > > >> >> Please let me know if you can or cannot see it. If you can, I'd like >> to point out a couple things: >> >> Selecting the object type radio button displays the attribute list in >> a multi column form. Selecting one of the others hides it. Ben and I >> decided to move it to the bottom, so that none of the other page >> elements move. The values are from LDAP, and may be non-intuitive >> for someone coming to IPA from outside of that realm. The set of >> values displayed is from the sample data, which might need to be >> updated. The live site on my machine has a smaller set. It made the >> arbitrary decision to put 40 attributes per column, which is easy to >> change. >> > This part is fine. > > >> Biggest thing that was getting lost was the filter. So, we moved that >> to the top, and added a checkbox for using/not using it. Since the >> Filter can apply to any of the other types, v it was removed from the >> radio button set. The radio button et needs a 'none' option, but that >> requires that the filter checkbox be set. This will require a touch >> more work. >> > The screen stopped making any sense to me. I do not understand the > structure now. Filter? What filter? Where it comes from? Why checkbox? I > am really confused by the current layout. > > >> THe Add button off the list page uses the same code as the details. >> The attributes table here pushes all of the buttons way down the page, >> but I want to leave it that way until I confirm the the updates work. >> Once Updates are fixed (Rob has a patch up for review already) We can >> remove the attributes from this page. This means that creating a >> permission that requires attribute values will happen in two stages: >> add, with permissions and the object, then details page, where the >> user will select the attributes. I can either leave the filter on, or >> remove it from the add page as well. I think we need the rest of the >> info that is on there in order to successfully get through the >> permission-add rpc. >> > I have mixed feeling about this approach. What is the implication of > having half baked rule? Is it just meaningless until the attributes are > defined or it can potentially have a negative impact and open a security > hole? > There should be no hole. Just the oppoosite, the rule should be useless, as 'write' without attributes means nothing. But I agree, I don't really like it either. > > >> I added another option to the radio button set: targetgroup. >> > I do not understand it. > > >> This is showing up ion the ACIs that come up from permission-find. I >> am currently populating the select with the values from doing a >> group-find RPC. i've added a filter field, as we once again have the >> possibility of having more than 100 groups, and needing to find a >> group outside that set. CUrrently, the query re-exectes on click of >> the radio button, but that is not ideal. Ben suggested that we could >> resend the query with each keystroke, and re-populate the select box, >> but that might generate a slew of network traffic, and slow down the >> UI. I won't know unless I implement, and I've lower hanging fruit to >> pick first. >> > Sorry this whole part just does not make sense to me. What is the target > group? Where it came from? > I'm wondering if this is from the groups ACI that slipped in. Rob? > > >> According to Rob, the set of permissions can be a mix of object level >> (add and delete) and attribute (write) although this is odd. Thus, >> the set of permissions is done via checkboxes. This does mean that >> the user can select none, and will get an error back on submit. >> > I was hoping that we would be able to help to not mix things together. > If you specify add or delete you should not be able to drill down to the > attribute level forcing people to create explicit "write" riles > targeting attributes. > This was my understanding, and how I think it should be as well: mixing the two is probably a mistake. We'll need to fixz the undering lying enforcement before changing it at the web layer, though, or the UI could potentially receive a rule that it could not display completely. > >> With Endi on PTO, Pavel is really the only one that can review this >> code, and even he will have to take some time to learn the changes >> that Endi and I have made since he was heads down in it. >> >> > In addition to the issues I explain above here is what I also noticed: > 1) As we mentioned there is no "Description" in ACI. The description and > name is the same field for ACI. > Description is in the Meta data, and gets returned with ipa permission_show, role_show, and privilege_show > 2) There is a label it is the name of the task group the ACI is > associated with - it is missing > It is not in the metadata. > 3) Rest of the screen does not make much sense at all but the attribute > part seems fine. > 4) I do not like some of the levels on the left in the menu. It is all > mixed up. > 5) The Privileges, Permissions and Role Groups are jumping and changing > places depending on your selection - this is wrong. They should just expand. > They do "just expand" and contract, but we don't have any animation in there. The order stays the same, but the are under each one either shows or hides the controls. > 6) The hierarchy is broken for permissions > What hierarchy? > 7) When editing privileges there is unclear what the enroll button would > do. > These are auto-generated associations. We need to filter some of them out, but I need to make sure we get the right subset. > Options no include: > > * Permissions Members > * Role Groups Members > * Membership in Permissions > > Doe not make much sense. It is really confusing if the meaning of the > enroll button is going to change depending upon the selection made. But > currently it does not and it completely does not make sense. > There are more things like that related to the action panel. > Yeah, we need to clean up the terms used on multiple associations pages, especially this one. > In general though I like the style and where we are going with navigation. > > From rcritten at redhat.com Mon Dec 13 18:25:34 2010 From: rcritten at redhat.com (Rob Crittenden) Date: Mon, 13 Dec 2010 13:25:34 -0500 Subject: [Freeipa-devel] [PATCH] 646 move updates to bootstrap Message-ID: <4D06651E.6000707@redhat.com> Move a bunch of objects created by the updater into the bootstrap ldif. It is cleaner to do it this way (and probably a bit faster too). rob -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-rcrit-646-bootstrap.patch Type: text/x-patch Size: 9311 bytes Desc: not available URL: From dpal at redhat.com Mon Dec 13 18:28:07 2010 From: dpal at redhat.com (Dmitri Pal) Date: Mon, 13 Dec 2010 13:28:07 -0500 Subject: [Freeipa-devel] ACI permissions UI up for review In-Reply-To: <4D066327.2080909@redhat.com> References: <4D03D5DB.5050605@redhat.com> <4D064449.9040903@redhat.com> <4D066327.2080909@redhat.com> Message-ID: <4D0665B7.90901@redhat.com> >> In addition to the issues I explain above here is what I also noticed: >> 1) As we mentioned there is no "Description" in ACI. The description and >> name is the same field for ACI. >> > > Description is in the Meta data, and gets returned with ipa > permission_show, role_show, and privilege_show May be but I was under impression that the name and description is really the same. > >> 2) There is a label it is the name of the task group the ACI is >> associated with - it is missing >> > > > It is not in the metadata. Then it should be unless we can always name it the same way as name, but as far as I understand this is not the case right now. Rob? > >> 3) Rest of the screen does not make much sense at all but the attribute >> part seems fine. >> 4) I do not like some of the levels on the left in the menu. It is all >> mixed up. >> 5) The Privileges, Permissions and Role Groups are jumping and changing >> places depending on your selection - this is wrong. They should just >> expand. >> > They do "just expand" and contract, but we don't have any animation in > there. The order stays the same, but the are under each one either > shows or hides the controls. > No, the one you click bubbles to the top at least for me. > >> 6) The hierarchy is broken for permissions >> > What hierarchy? The LIST PERMISSIONS is now on the same level as Permissions - this is wrong. -- Thank you, Dmitri Pal Sr. Engineering Manager IPA project, Red Hat Inc. ------------------------------- Looking to carve out IT costs? www.redhat.com/carveoutcosts/ From ayoung at redhat.com Mon Dec 13 19:01:03 2010 From: ayoung at redhat.com (Adam Young) Date: Mon, 13 Dec 2010 14:01:03 -0500 Subject: [Freeipa-devel] ACI permissions UI up for review In-Reply-To: <4D0665B7.90901@redhat.com> References: <4D03D5DB.5050605@redhat.com> <4D064449.9040903@redhat.com> <4D066327.2080909@redhat.com> <4D0665B7.90901@redhat.com> Message-ID: <4D066D6F.1080301@redhat.com> On 12/13/2010 01:28 PM, Dmitri Pal wrote: > >>> In addition to the issues I explain above here is what I also noticed: >>> 1) As we mentioned there is no "Description" in ACI. The description and >>> name is the same field for ACI. >>> >>> >> Description is in the Meta data, and gets returned with ipa >> permission_show, role_show, and privilege_show >> > May be but I was under impression that the name and description is > really the same. > > >> >>> 2) There is a label it is the name of the task group the ACI is >>> associated with - it is missing >>> >>> >> >> It is not in the metadata. >> > Then it should be unless we can always name it the same way as name, but > as far as I understand this is not the case right now. > Rob? > > >> >>> 3) Rest of the screen does not make much sense at all but the attribute >>> part seems fine. >>> 4) I do not like some of the levels on the left in the menu. It is all >>> mixed up. >>> 5) The Privileges, Permissions and Role Groups are jumping and changing >>> places depending on your selection - this is wrong. They should just >>> expand. >>> >>> >> They do "just expand" and contract, but we don't have any animation in >> there. The order stays the same, but the are under each one either >> shows or hides the controls. >> >> > No, the one you click bubbles to the top at least for me. > > >> >>> 6) The hierarchy is broken for permissions >>> >>> >> What hierarchy? >> > The LIST PERMISSIONS is now on the same level as Permissions - this is > wrong. > > > No, the term 'list' gets appended, as per UXD. They still have some more styling to do there, but the label change has been there for a while. Look at SUDO and HBAC and they do the same thing. > > From rcritten at redhat.com Mon Dec 13 19:30:19 2010 From: rcritten at redhat.com (Rob Crittenden) Date: Mon, 13 Dec 2010 14:30:19 -0500 Subject: [Freeipa-devel] [PATCH] 647 check for 389-ds replication plugin Message-ID: <4D06744B.2090102@redhat.com> Ensure that the replication plugin exists before creeating or installing a replica. ticket 502 rob -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-rcrit-647-replica.patch Type: text/x-patch Size: 3329 bytes Desc: not available URL: From rcritten at redhat.com Mon Dec 13 19:48:53 2010 From: rcritten at redhat.com (Rob Crittenden) Date: Mon, 13 Dec 2010 14:48:53 -0500 Subject: [Freeipa-devel] [PATCH] 648 Add krb5-pkinit-openssl as a Requires Message-ID: <4D0678A5.7050400@redhat.com> krb5-pkinit-openssl is used for PKINIT support. Make it a required package. ticket 599 rob -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-rcrit-648-pkinit.patch Type: text/x-patch Size: 3578 bytes Desc: not available URL: From ayoung at redhat.com Mon Dec 13 19:57:00 2010 From: ayoung at redhat.com (Adam Young) Date: Mon, 13 Dec 2010 14:57:00 -0500 Subject: [Freeipa-devel] ACI permissions UI up for review In-Reply-To: <4D064958.7010203@redhat.com> References: <4D03D5DB.5050605@redhat.com> <4D064449.9040903@redhat.com> <4D064958.7010203@redhat.com> Message-ID: <4D067A8C.5020308@redhat.com> On 12/13/2010 11:27 AM, Dmitri Pal wrote: > > > > Sorry this whole part just does not make sense to me. What is the target > > group? Where it came from? > > > One ACI that uses this is 'add_user_to_default_group. This is used in the permission 'useradmin'. The json response for permission-show looks like this: |{ || "error": null, || "id": 2, || "result": { || "result": { || "attributelevelrights": { || "aci": "rscwo", || "businesscategory": "rscwo", || "cn": "rscwo", || "description": "rscwo", || "member": "rscwo", || "nsaccountlock": "rscwo", || "o": "rscwo", || "objectclass": "rscwo", || "ou": "rscwo", || "owner": "rscwo", || "seealso": "rscwo" || }, || "attrs": [ || "member" || ], || "cn": [ || "add_user_to_default_group" || ], || "description": [ || "Add user to default group" || ], || "dn": "cn=add_user_to_default_group,cn=permissions,cn=accounts,dc=ayoung,dc=boston,dc=devel||,dc=redhat,dc=com", || "member_privilege": [ || "useradmin" || ], || "objectclass": [ || "top", || "groupofnames" || ], || "permissions": [ || "write" || ], || "targetgroup": "ldap:///cn=ipausers,cn=groups,cn=accounts,dc=ayoung,dc=boston,dc=devel,dc||=redhat,dc=com" || }, || "summary": null, || "value": "add_user_to_default_group" || } ||}| -------------- next part -------------- An HTML attachment was scrubbed... URL: From dpal at redhat.com Mon Dec 13 20:12:43 2010 From: dpal at redhat.com (Dmitri Pal) Date: Mon, 13 Dec 2010 15:12:43 -0500 Subject: [Freeipa-devel] ACI permissions UI up for review In-Reply-To: <4D067A8C.5020308@redhat.com> References: <4D03D5DB.5050605@redhat.com> <4D064449.9040903@redhat.com> <4D064958.7010203@redhat.com> <4D067A8C.5020308@redhat.com> Message-ID: <4D067E3B.5060909@redhat.com> Adam Young wrote: > On 12/13/2010 11:27 AM, Dmitri Pal wrote: >> > >> > Sorry this whole part just does not make sense to me. What is the target >> > group? Where it came from? >> > >> > One ACI that uses this is 'add_user_to_default_group. This is used in > the permission 'useradmin'. > > > The json response for permission-show looks like this: > |{ > || "error": null, > || "id": 2, > || "result": { > || "result": { > || "attributelevelrights": { > || "aci": "rscwo", > || "businesscategory": "rscwo", > || "cn": "rscwo", > || "description": "rscwo", > || "member": "rscwo", > || "nsaccountlock": "rscwo", > || "o": "rscwo", > || "objectclass": "rscwo", > || "ou": "rscwo", > || "owner": "rscwo", > || "seealso": "rscwo" > || }, > || "attrs": [ > || "member" > || ], > || "cn": [ > || "add_user_to_default_group" > || ], > || "description": [ > || "Add user to default group" > || ], > || "dn": "cn=add_user_to_default_group,cn=permissions,cn=accounts,dc=ayoung,dc=boston,dc=devel||,dc=redhat,dc=com", > || "member_privilege": [ > || "useradmin" > || ], > || "objectclass": [ > || "top", > || "groupofnames" > || ], > || "permissions": [ > || "write" > || ], > || "targetgroup": "ldap:///cn=ipausers,cn=groups,cn=accounts,dc=ayoung,dc=boston,dc=devel,dc||=redhat,dc=com" > || }, > || "summary": null, > || "value": "add_user_to_default_group" > || } > ||}| > IMO this is a special case and should end up in the generic LDAP filter. Rob it seems this case is unclear and we need to sort it out. -- Thank you, Dmitri Pal Sr. Engineering Manager IPA project, Red Hat Inc. ------------------------------- Looking to carve out IT costs? www.redhat.com/carveoutcosts/ From rcritten at redhat.com Mon Dec 13 22:56:31 2010 From: rcritten at redhat.com (Rob Crittenden) Date: Mon, 13 Dec 2010 17:56:31 -0500 Subject: [Freeipa-devel] [PATCH] managed entry hostgroup netgroup support In-Reply-To: References: Message-ID: <4D06A49F.2030809@redhat.com> JR Aquino wrote: > On 12/10/10 12:49 PM, "Rob Crittenden" wrote: >> nack, found a couple of minor issues: >> >> - The patch doesn't apply against the master branch (probably from >> Simo's recent changes there) >> - looks like you copied the man page from ipa-ldap-updater, needs a few >> more updates (though kudos for including one at all!) >> - IIRC this depends on some fixes in 389-ds-base. You need to set the >> minimum version that this will work in. >> - host_nis_groups.ldif isn't installed >> >> I'm not entirely sure how to test that this is doing the right thing. >> >> Rob > > Thanks Rob! > > Ok, I have adjusted the patch to correct for the errors (and the trailing > whitespace). > > Fixed the man page (will send in a 1 liner fix for ipa-compat-manage's man > page) > It now installs host_nis_groups.ldif > It now cleanly applies and builds, and functions against the master. > It references the 389-ds-base 1.2.7.4. > > To test: > (Hopefully this is pretty obvious and straight forward) > > (1 > # ipa-host-net-manage status > > Plugin Enabled > > > (2 > # ipa-host-net-manage disable > > Disabling Plugin > > (3 > # ipa-host-net-manage enable > > Enabling Plugin > > (4 > ipa hostgroup-add testing > ipa hostgroup-add-member --host=servername.com testing > ipa hostgroup-show testing > > > (5 > ldapsearch -x -b 'cn=testing,cn=ng,cn=alt,$SUFFIX' -x -D 'cn=Directory > Manager' -W > > > # testing, ng, alt, $SUFFIX > dn: cn=testing,cn=ng,cn=alt,$SUFFIX > objectClass: ipanisnetgroup > objectClass: mepManagedEntry > objectClass: ipaAssociation > objectClass: top > cn: testing > memberHost: cn=testing,cn=hostgroups,cn=accounts,$SUFFIX > description: ipaNetgroup testing > mepManagedBy: cn=testing,cn=hostgroups,cn=accounts,$SUFFIX > ipaUniqueID: 9d0039ca-04b4-11e0-9494-8a3d259cb0b9 > > > (6 > ipa hostgroup-del testing > > > ---------------------------- > Deleted hostgroup "testing" > ---------------------------- > > > (7 > ldapsearch -x -b 'cn=testing,cn=ng,cn=alt,$SUFFIX' -x -D 'cn=Directory > Manager' -W > > # search result > search: 2 > result: 32 No such object > matchedDN: cn=ng,cn=alt,$SUFFIX > Nice. Can you update the task with these tests as well? I'd suggest trying a netgroup-del testing to confirm that the managed entry can't be deleted. ack, pushed to master. From rcritten at redhat.com Mon Dec 13 22:56:36 2010 From: rcritten at redhat.com (Rob Crittenden) Date: Mon, 13 Dec 2010 17:56:36 -0500 Subject: [Freeipa-devel] [Patch] sudo run as user or group AND tests In-Reply-To: References: Message-ID: <4D06A4A4.8060502@redhat.com> JR Aquino wrote: > Attached are patches to address: > (https://fedorahosted.org/freeipa/ticket/570) > 5) -The UI needs separate run-as-user and run-as-group categories for > the "As Whom" section. The UI also needs a way to manage the list of > users/groups for the run-as-user, and the list of groups for the > run-as-group. The CLI doesn't have these attributes or operations. > > First patch is for the sudo plugin to address the bug. > > Second patch is the corresponding updates to the sudorule tests suite to > ease the review process. ;) > ack, pushed to master rob From rcritten at redhat.com Mon Dec 13 22:58:57 2010 From: rcritten at redhat.com (Rob Crittenden) Date: Mon, 13 Dec 2010 17:58:57 -0500 Subject: [Freeipa-devel] [PATCH] 635 wait for memberof plugin when doing reverse members In-Reply-To: <201012131719.51958.jzeleny@redhat.com> References: <4CFF0848.3030903@redhat.com> <201012100819.17570.jzeleny@redhat.com> <4D0645CB.7020903@redhat.com> <201012131719.51958.jzeleny@redhat.com> Message-ID: <4D06A531.2070407@redhat.com> Jan Zelen? wrote: > Rob Crittenden wrote: >> Jan Zeleny wrote: >>> Rob Crittenden wrote: >>>> Jan Zelen? wrote: >>>>> Rob Crittenden wrote: >>>>>> Give the memberof plugin time to work when adding/removing reverse >>>>>> members. >>>>>> >>>>>> When we add/remove reverse members it looks like we're operating on >>>>>> group A but we're really operating on group B. This adds/removes the >>>>>> member attribute on group B and the memberof plugin adds the memberof >>>>>> attribute into group A. >>>>>> >>>>>> We need to give the memberof plugin a chance to do its work so loop a >>>>>> few times, reading the entry to see if the number of memberof is more >>>>>> or less what we expect. Bail out if it is taking too long. >>>>>> >>>>>> ticket 560 >>>>>> >>>>>> rob >>>>> >>>>> About that FIXME you got there: I'm not sure if it wouldn't be better >>>>> to handle the possible exception right in the wait_for_memberof method >>>>> (I guess it depends on what exception are we expecting and what are we >>>>> going to do with it?). If you want the exception to reach the calling >>>>> function, I'd like to see some kind of exception handling in that >>>>> function - either to let the user know that the error occurred during >>>>> this waiting or maybe to disregard the exception and continue normal >>>>> operation. >>>> >>>> The types of exceptions could run the gambit but I was wondering what >>>> would happen if we were looping and some other user deleted the role. >>>> The next search for it would fail with NotFound. Granted this isn't a >>>> very friendly message to return to someone after adding a member to the >>>> group but it does sort of make sense (someone deleted it concurrently). >>>> It seemed best to just let this filter up to the caller. >>> >>> Yes, I understand that. But my point was that it would be more user >>> friendy to catch this exception in the calling function and adjust the >>> error message to the situation. Otherwise user can get completely >>> out-of-context error message, like "user not found" when working with >>> groups or something like that. >>> >>>>> Some nitpicking: I'm confused - in the doc string you state that "this >>>>> will loop for 6+ seconds" and a couple lines below, you have a comment >>>>> "Don't sleep for more that 6 seconds" - is there a mistake ar are these >>>>> two statements unrelated? >>>> >>>> Yeah, I was afraid that might be confusing. I'll wait .3 seconds 20 >>>> times so 6 seconds. There are a few LDAP calls which take a bit of time >>>> as well, so it will be 6+ seconds if it goes the whole time. >>> >>> Ok, thanks for explanation >>> >>> Jan >> >> Ok, I added a catch-all in case something goes horribly wrong. >> >> rob > > ack > > Jan pushed to master From ayoung at redhat.com Tue Dec 14 01:18:41 2010 From: ayoung at redhat.com (Adam Young) Date: Mon, 13 Dec 2010 20:18:41 -0500 Subject: [Freeipa-devel] [PATCH] 637 group to group delegation In-Reply-To: <4D027327.9050203@redhat.com> References: <4CFFFEA8.6000609@redhat.com> <4D010441.1000609@redhat.com> <4D027327.9050203@redhat.com> Message-ID: <4D06C5F1.1020704@redhat.com> On 12/10/2010 01:36 PM, Rob Crittenden wrote: > Rob Crittenden wrote: >> Rob Crittenden wrote: >>> Round out our trio of access control plugins. This adds group to group >>> delegation where you can grant group A the ability to write a set of >>> attributes of group B (v1-style delegation). >>> >>> rob >> >> I'm withdrawing this patch, needs more work. >> >> rob > > Here is the replacement patch along with some testing instructions: > > $ kinit admin > $ ipa delegation-add --attrs=street --membergroup=admins > --group=editors 'editors edit admins street' > $ ipa user-add --first=tim --last=user tuser1 --password > $ ipa group-add --users=tuser1 editors > $ ipa user-add --first=jim --last=admin jadmin > $ ipa group-add-member --users=jadmin admins > $ kinit tuser1 > $ ipa user-mod --street='123 main' jadmin (should succeed) > $ ipa user-mod --first=Jimmy jadmin (should fail) ACK. pushed to master Tested this out, and a few other options and they work OK. This doesn't have the metadata, just like the self-service plugin. > > So basically we create a couple of users. One we add to editors and > the other to admins. > > We create an aci that grants users in editors to manage the street > address of users in admins, then we try it out > > > _______________________________________________ > Freeipa-devel mailing list > Freeipa-devel at redhat.com > https://www.redhat.com/mailman/listinfo/freeipa-devel -------------- next part -------------- An HTML attachment was scrubbed... URL: From rcritten at redhat.com Tue Dec 14 04:15:09 2010 From: rcritten at redhat.com (Rob Crittenden) Date: Mon, 13 Dec 2010 23:15:09 -0500 Subject: [Freeipa-devel] [PATCH] 649 metadata for delegation and selfservice Message-ID: <4D06EF4D.4010400@redhat.com> This is metadata for the UI. Adam, I took a guess at the things you need, not everything is defined since these aren't using the baseldap class (doesn't really make sense to since there isn't an object backing them). Let me know if I missed something. rob -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-rcrit-649-metadata.patch Type: text/x-patch Size: 2158 bytes Desc: not available URL: From jhrozek at redhat.com Tue Dec 14 10:32:34 2010 From: jhrozek at redhat.com (Jakub Hrozek) Date: Tue, 14 Dec 2010 11:32:34 +0100 Subject: [Freeipa-devel] [PATCH] 021 Make the IPA installer IPv6 friendly Message-ID: <4D0747C2.4030007@redhat.com> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 This is a first patch towards IPv6 support. Currently it only touches the installer only as other changes will be fully testable only when python-nss is IPv6 ready. Changes include: * parse AAAA records in dnsclient * also ask for AAAA records when verifying FQDN * do not use functions that are not IPv6 aware - notably socket.gethostbyname(). The complete list of functions was taken from http://www.akkadia.org/drepper/userapi-ipv6.html section "Interface Checklist" -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.11 (GNU/Linux) Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org/ iEYEARECAAYFAk0HR8IACgkQHsardTLnvCU/jQCePrBXG+2NTDmfq1y3BgQIaHMl eH8AnAivy5jA3YQP1JXznBg/IubD3lLG =m52C -----END PGP SIGNATURE----- -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-jhrozek-021-Make-the-IPA-installer-IPv6-friendly.patch Type: text/x-patch Size: 13260 bytes Desc: not available URL: -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-jhrozek-021-Make-the-IPA-installer-IPv6-friendly.patch.sig Type: application/pgp-signature Size: 72 bytes Desc: not available URL: From jhrozek at redhat.com Tue Dec 14 10:32:43 2010 From: jhrozek at redhat.com (Jakub Hrozek) Date: Tue, 14 Dec 2010 11:32:43 +0100 Subject: [Freeipa-devel] [PATCH] 022 Check the number of fields when importing automount maps Message-ID: <4D0747CB.90300@redhat.com> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 https://fedorahosted.org/freeipa/ticket/359 Sending this separately from the other automount changes since those are more intrusive and may be under review for a while. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.11 (GNU/Linux) Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org/ iEYEARECAAYFAk0HR8sACgkQHsardTLnvCUbOwCgzgiTsGH9dEcaUqwIxnyFqPPO 6WMAnjuetAFyQ00ynjsHw1gxd7llsM6U =5Feo -----END PGP SIGNATURE----- -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-jhrozek-022-Check-the-number-of-fields-when-importing-automount-.patch Type: text/x-patch Size: 888 bytes Desc: not available URL: -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-jhrozek-022-Check-the-number-of-fields-when-importing-automount-.patch.sig Type: application/pgp-signature Size: 72 bytes Desc: not available URL: From jhrozek at redhat.com Tue Dec 14 10:32:49 2010 From: jhrozek at redhat.com (Jakub Hrozek) Date: Tue, 14 Dec 2010 11:32:49 +0100 Subject: [Freeipa-devel] [PATCH] 023 Clarify ipa-replica-install error message Message-ID: <4D0747D1.1060901@redhat.com> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Just a cosmetic fix to the replica installation error message, there's no ticket for this. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.11 (GNU/Linux) Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org/ iEYEARECAAYFAk0HR9EACgkQHsardTLnvCUYBgCeObN9/PWMNKGf8/TWXKglJd/i /awAn1Opj+qq5uk7yHnuNyT33nVo8eRi =MXfi -----END PGP SIGNATURE----- -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-jhrozek-023-Clarify-ipa-replica-install-error-message.patch Type: text/x-patch Size: 1262 bytes Desc: not available URL: -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-jhrozek-023-Clarify-ipa-replica-install-error-message.patch.sig Type: application/pgp-signature Size: 72 bytes Desc: not available URL: From jzeleny at redhat.com Tue Dec 14 14:56:56 2010 From: jzeleny at redhat.com (Jan =?iso-8859-15?q?Zelen=FD?=) Date: Tue, 14 Dec 2010 15:56:56 +0100 Subject: [Freeipa-devel] [PATCH] Refactoring of baseldap callback invokation In-Reply-To: <201012101923.33876.jzeleny@redhat.com> References: <201011291128.11090.jzeleny@redhat.com> <201012101433.11490.jzeleny@redhat.com> <201012101923.33876.jzeleny@redhat.com> Message-ID: <201012141556.56657.jzeleny@redhat.com> Jan Zeleny wrote: > Jan Zeleny wrote: > > Adam Young wrote: > > > On 11/29/2010 05:28 AM, Jan Zelen? wrote: > > > > This patch modifies how PRE, POST and EXC callbacks are invoked in > > > > baseldap module. It provides method invoke_callbacks which can be > > > > used in all classes derived from baseldap classes as well. > > > > > > > > Pavel, since you originally wrote the baseldap module, I'd be > > > > grateful if you could review the patch, since you know the best if > > > > it covers all callback processing possibilities. > > > > > > Pavel, can you take a look at this one. I want to ACK, but after the > > > last one I looked at like this had unintended consequences, I'm a > > > little wary. > > > > Pavel, > > after our discussion I send a patch rebased against current master with > > your patch 42 applied. > > > > Jan > > Solving another ticket, I found out that this patch caused some > regressions. I'm sending corrected one. Another correction - the patch now covers some new callback invokation cases. Also some more regressions are fixed. Jan -------------- next part -------------- A non-text attachment was scrubbed... Name: jzeleny-freeipa-0010-04-Refactoring-of-baseldap-callback-invokation.patch Type: text/x-patch Size: 19830 bytes Desc: not available URL: From rcritten at redhat.com Tue Dec 14 15:12:23 2010 From: rcritten at redhat.com (Rob Crittenden) Date: Tue, 14 Dec 2010 10:12:23 -0500 Subject: [Freeipa-devel] ACI permissions UI up for review In-Reply-To: <4D0665B7.90901@redhat.com> References: <4D03D5DB.5050605@redhat.com> <4D064449.9040903@redhat.com> <4D066327.2080909@redhat.com> <4D0665B7.90901@redhat.com> Message-ID: <4D078957.7030803@redhat.com> Dmitri Pal wrote: > >>> In addition to the issues I explain above here is what I also noticed: >>> 1) As we mentioned there is no "Description" in ACI. The description and >>> name is the same field for ACI. >>> >> >> Description is in the Meta data, and gets returned with ipa >> permission_show, role_show, and privilege_show > > May be but I was under impression that the name and description is > really the same. name is the name of the permission. description is the name/description part of the ACI. > >> >>> 2) There is a label it is the name of the task group the ACI is >>> associated with - it is missing >>> >> >> >> It is not in the metadata. > > Then it should be unless we can always name it the same way as name, but > as far as I understand this is not the case right now. > Rob? I need more context. Also we need to be sure to use the current terms, there is no task group any more. >> >>> 3) Rest of the screen does not make much sense at all but the attribute >>> part seems fine. >>> 4) I do not like some of the levels on the left in the menu. It is all >>> mixed up. >>> 5) The Privileges, Permissions and Role Groups are jumping and changing >>> places depending on your selection - this is wrong. They should just >>> expand. >>> >> They do "just expand" and contract, but we don't have any animation in >> there. The order stays the same, but the are under each one either >> shows or hides the controls. >> > > No, the one you click bubbles to the top at least for me. > >> >>> 6) The hierarchy is broken for permissions >>> >> What hierarchy? > The LIST PERMISSIONS is now on the same level as Permissions - this is > wrong. > > > > From rcritten at redhat.com Tue Dec 14 15:15:25 2010 From: rcritten at redhat.com (Rob Crittenden) Date: Tue, 14 Dec 2010 10:15:25 -0500 Subject: [Freeipa-devel] ACI permissions UI up for review In-Reply-To: <4D067E3B.5060909@redhat.com> References: <4D03D5DB.5050605@redhat.com> <4D064449.9040903@redhat.com> <4D064958.7010203@redhat.com> <4D067A8C.5020308@redhat.com> <4D067E3B.5060909@redhat.com> Message-ID: <4D078A0D.5090208@redhat.com> Dmitri Pal wrote: > Adam Young wrote: >> On 12/13/2010 11:27 AM, Dmitri Pal wrote: >>>> >>>> Sorry this whole part just does not make sense to me. What is the target >>>> group? Where it came from? >>>> >>> >> One ACI that uses this is 'add_user_to_default_group. This is used in >> the permission 'useradmin'. >> >> >> The json response for permission-show looks like this: >> |{ >> || "error": null, >> || "id": 2, >> || "result": { >> || "result": { >> || "attributelevelrights": { >> || "aci": "rscwo", >> || "businesscategory": "rscwo", >> || "cn": "rscwo", >> || "description": "rscwo", >> || "member": "rscwo", >> || "nsaccountlock": "rscwo", >> || "o": "rscwo", >> || "objectclass": "rscwo", >> || "ou": "rscwo", >> || "owner": "rscwo", >> || "seealso": "rscwo" >> || }, >> || "attrs": [ >> || "member" >> || ], >> || "cn": [ >> || "add_user_to_default_group" >> || ], >> || "description": [ >> || "Add user to default group" >> || ], >> || "dn": "cn=add_user_to_default_group,cn=permissions,cn=accounts,dc=ayoung,dc=boston,dc=devel||,dc=redhat,dc=com", >> || "member_privilege": [ >> || "useradmin" >> || ], >> || "objectclass": [ >> || "top", >> || "groupofnames" >> || ], >> || "permissions": [ >> || "write" >> || ], >> || "targetgroup": "ldap:///cn=ipausers,cn=groups,cn=accounts,dc=ayoung,dc=boston,dc=devel,dc||=redhat,dc=com" >> || }, >> || "summary": null, >> || "value": "add_user_to_default_group" >> || } >> ||}| >> > IMO this is a special case and should end up in the generic LDAP filter. > Rob it seems this case is unclear and we need to sort it out. > A targetgroup lets you manage a specific group. In this case it grants permission to manage the membership of the ipausers group. rob From ssorce at redhat.com Tue Dec 14 15:33:32 2010 From: ssorce at redhat.com (Simo Sorce) Date: Tue, 14 Dec 2010 10:33:32 -0500 Subject: [Freeipa-devel] [PATCH] 0031 Add ACI to all replicas Message-ID: <20101214103332.15879c57@willson.li.ssimo.org> This patch adds ACI on cn=config to replicas too. Fixes: #617 Simo. -- Simo Sorce * Red Hat, Inc * New York -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-simo-0031-Add-replicatoin-related-acis-to-all-replicas.patch Type: text/x-patch Size: 4552 bytes Desc: not available URL: From ayoung at redhat.com Tue Dec 14 16:10:33 2010 From: ayoung at redhat.com (Adam Young) Date: Tue, 14 Dec 2010 11:10:33 -0500 Subject: [Freeipa-devel] [PATCH] 649 metadata for delegation and selfservice In-Reply-To: <4D06EF4D.4010400@redhat.com> References: <4D06EF4D.4010400@redhat.com> Message-ID: <4D0796F9.3030303@redhat.com> On 12/13/2010 11:15 PM, Rob Crittenden wrote: > This is metadata for the UI. Adam, I took a guess at the things you > need, not everything is defined since these aren't using the baseldap > class (doesn't really make sense to since there isn't an object > backing them). > > Let me know if I missed something. > > rob > > > _______________________________________________ > Freeipa-devel mailing list > Freeipa-devel at redhat.com > https://www.redhat.com/mailman/listinfo/freeipa-devel ACK, pushed to master. I think this coveres everything, but if not, I can add it in. Thanks -------------- next part -------------- An HTML attachment was scrubbed... URL: From jzeleny at redhat.com Tue Dec 14 18:05:44 2010 From: jzeleny at redhat.com (Jan =?iso-8859-1?q?Zelen=FD?=) Date: Tue, 14 Dec 2010 19:05:44 +0100 Subject: [Freeipa-devel] [PATCH] Added option --no-reverse to add-host Message-ID: <201012141905.44949.jzeleny@redhat.com> When adding a host with specific IP address, the operation would fail in case we don't own the reverse DNS. This new option overrides the check for reverse DNS zone and falls back to different IP address existence check. https://fedorahosted.org/freeipa/ticket/417 I was considering deleting the reverse zone detection entirely and check the IP address directly by querying for A records containing it, but I think this way it is more efficient. -- Thank you Jan Zeleny Red Hat Software Engineer Brno, Czech Republic -------------- next part -------------- A non-text attachment was scrubbed... Name: jzeleny-freeipa-0017-Added-option-no-reverse-to-add-host.patch Type: text/x-patch Size: 3249 bytes Desc: not available URL: From sgallagh at redhat.com Tue Dec 14 18:57:17 2010 From: sgallagh at redhat.com (Stephen Gallagher) Date: Tue, 14 Dec 2010 13:57:17 -0500 Subject: [Freeipa-devel] Plans for bind-dyndb-ldap Message-ID: <4D07BE0D.9020506@redhat.com> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 FreeIPA v2 DNS integration relies on a BIND plugin to store the DNS data in LDAP, which was written by Martin Nagy. Martin, who left the FreeIPA development team some time ago was the only person with commit access to this repository, leaving it both unmaintained and uneditable. We need to discuss how to proceed with this dependency on FreeIPA. Originally, Martin's plan was to campaign for this plugin's acceptance into the BIND upstream, and to terminate the separate bind-dyndb-ldap project. I think that this is a valuable long-term goal, but we need to discuss shorter-term needs. As we work to finalize FreeIPA v2, it's very likely that we will discover one or more bugs in bind-dyndb-ldap. If this happens, we will have to provide patches and get them included in Fedora. However, Fedora has a strong policy against shipping patches that aren't upstream, and we have no way currently of pushing them upstream. So I figure that we have the following options to consider: 1) Petition the Fedora Infrastructure team to turn over ownership of this upstream project. This is likely to meet with resistance without the input of the current owner (who is more or less unreachable at this point). The bind-dyndb-ldap project was initiated with FreeIPA as its primary patron, but I'm not certain this would be sufficient argument to the admins to annex the project. 2) Open dialog with the BIND upstream and push very hard to merge this code into their mainline, then involve ourselves with their process to push patches. This is probably our best long-term approach, but currently we have no control over when the ldap plugin would be merged, and how soon afterwards that it would be pushed into Fedora. 3) Fork bind-dyndb-ldap into a new project that we maintain and include in Fedora. This is the least controversial approach, as it will involve no difficult political maneuvering to include. However, it also requires an additional effort in setting up a new project and getting packages approved in Fedora. - -- Stephen Gallagher RHCE 804006346421761 Delivering value year after year. Red Hat ranks #1 in value among software vendors. http://www.redhat.com/promo/vendor/ -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.11 (GNU/Linux) Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org/ iEYEARECAAYFAk0Hvg0ACgkQeiVVYja6o6M7VgCeIje+BcvlS5k8C0KgHC3tqhrI s8IAniYxCMx2MqG0idk82RhFXxCgtO48 =m7Ry -----END PGP SIGNATURE----- From sgallagh at redhat.com Tue Dec 14 19:38:01 2010 From: sgallagh at redhat.com (Stephen Gallagher) Date: Tue, 14 Dec 2010 14:38:01 -0500 Subject: [Freeipa-devel] Plans for bind-dyndb-ldap In-Reply-To: <4D07BE0D.9020506@redhat.com> References: <4D07BE0D.9020506@redhat.com> Message-ID: <4D07C799.9010102@redhat.com> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 On 12/14/2010 01:57 PM, Stephen Gallagher wrote: > 1) Petition the Fedora Infrastructure team to turn over ownership of > this upstream project. This is likely to meet with resistance without > the input of the current owner (who is more or less unreachable at this > point). The bind-dyndb-ldap project was initiated with FreeIPA as its > primary patron, but I'm not certain this would be sufficient argument to > the admins to annex the project. Apparently, this was indeed sufficient to take over the project. I've been made the project sponsor, and I've granted Simo commit privilege as well. So we should be alright to make fixes as needed from now on. - -- Stephen Gallagher RHCE 804006346421761 Delivering value year after year. Red Hat ranks #1 in value among software vendors. http://www.redhat.com/promo/vendor/ -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.11 (GNU/Linux) Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org/ iEYEARECAAYFAk0Hx5kACgkQeiVVYja6o6P1ogCfZriFVstvBJGW8sFQZTqqchCb GggAoKEB+LAurg6vJ+aMiGz16Uazm5Ip =JrKB -----END PGP SIGNATURE----- From ayoung at redhat.com Tue Dec 14 21:50:12 2010 From: ayoung at redhat.com (Adam Young) Date: Tue, 14 Dec 2010 16:50:12 -0500 Subject: [Freeipa-devel] [PATCH] Account activation adjustment In-Reply-To: <4D0151F1.101@redhat.com> References: <4D014782.5010704@redhat.com> <4D0151F1.101@redhat.com> Message-ID: <4D07E694.7080102@redhat.com> On 12/09/2010 05:02 PM, Endi Sukma Dewata wrote: > On 12/9/2010 3:17 PM, Endi Sukma Dewata wrote: >> Please review the attached patch. This should fix this bug: >> >> https://fedorahosted.org/freeipa/ticket/462 >> >> The user details facet has been modified such that when the account >> is activated/deactivated the page will be reloaded. >> >> Some methods in the framework have been changed: >> - The ipa_widget.clear() has been removed because it can be replaced >> by existing reset(). >> - The ipa_widget.set_values() has been renamed into update(). > > Forgot to include the latest changes. Attached is a new patch. Thanks! > > > _______________________________________________ > Freeipa-devel mailing list > Freeipa-devel at redhat.com > https://www.redhat.com/mailman/listinfo/freeipa-devel ACK. Pushed to master -------------- next part -------------- An HTML attachment was scrubbed... URL: From jzeleny at redhat.com Wed Dec 15 08:36:41 2010 From: jzeleny at redhat.com (Jan =?iso-8859-15?q?Zelen=FD?=) Date: Wed, 15 Dec 2010 09:36:41 +0100 Subject: [Freeipa-devel] [PATCH] 647 check for 389-ds replication plugin In-Reply-To: <4D06744B.2090102@redhat.com> References: <4D06744B.2090102@redhat.com> Message-ID: <201012150936.41305.jzeleny@redhat.com> Rob Crittenden wrote: > Ensure that the replication plugin exists before creeating or installing > a replica. > > ticket 502 > > rob ack, but I'm not a big fan of hardcoding the path of plugins in the code. It may be good for Fedora/RHEL, but how about other distributions? Do we have any policy about this kind of things? Jan From jzeleny at redhat.com Wed Dec 15 08:47:00 2010 From: jzeleny at redhat.com (Jan =?iso-8859-15?q?Zelen=FD?=) Date: Wed, 15 Dec 2010 09:47:00 +0100 Subject: [Freeipa-devel] [PATCH] 648 Add krb5-pkinit-openssl as a Requires In-Reply-To: <4D0678A5.7050400@redhat.com> References: <4D0678A5.7050400@redhat.com> Message-ID: <201012150947.00765.jzeleny@redhat.com> Rob Crittenden wrote: > krb5-pkinit-openssl is used for PKINIT support. Make it a required package. > > ticket 599 > > rob As was my question/concern with your 647 patch - the patch is ok for Fedora, but wouldn't be wise to keep the check_pkinit code for other distributions (or for manual IPA installation if we are going to support it)? Other than that the patch is ok. Jan From jhrozek at redhat.com Wed Dec 15 09:53:10 2010 From: jhrozek at redhat.com (Jakub Hrozek) Date: Wed, 15 Dec 2010 10:53:10 +0100 Subject: [Freeipa-devel] Plans for bind-dyndb-ldap In-Reply-To: <4D07C799.9010102@redhat.com> References: <4D07BE0D.9020506@redhat.com> <4D07C799.9010102@redhat.com> Message-ID: <4D089006.2000005@redhat.com> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 On 12/14/2010 08:38 PM, Stephen Gallagher wrote: > On 12/14/2010 01:57 PM, Stephen Gallagher wrote: >> 1) Petition the Fedora Infrastructure team to turn over ownership of >> this upstream project. This is likely to meet with resistance without >> the input of the current owner (who is more or less unreachable at this >> point). The bind-dyndb-ldap project was initiated with FreeIPA as its >> primary patron, but I'm not certain this would be sufficient argument to >> the admins to annex the project. > > > Apparently, this was indeed sufficient to take over the project. I've > been made the project sponsor, and I've granted Simo commit privilege as > well. So we should be alright to make fixes as needed from now on. > > Why don't we simply ask Martin to give us commit rights or transfer the project to us? -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.11 (GNU/Linux) Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org/ iEYEARECAAYFAk0IkAYACgkQHsardTLnvCUv3QCgiNhs7kIBbymikcoph8cKVLBW Z8IAn1R1IaAfvwtWit9T1u9fIM8y0xmr =cOxn -----END PGP SIGNATURE----- From jzeleny at redhat.com Wed Dec 15 09:55:52 2010 From: jzeleny at redhat.com (Jan =?iso-8859-15?q?Zelen=FD?=) Date: Wed, 15 Dec 2010 10:55:52 +0100 Subject: [Freeipa-devel] [PATCH] 021 Make the IPA installer IPv6 friendly In-Reply-To: <4D0747C2.4030007@redhat.com> References: <4D0747C2.4030007@redhat.com> Message-ID: <201012151055.52258.jzeleny@redhat.com> Jakub Hrozek wrote: > This is a first patch towards IPv6 support. Currently it only touches > the installer only as other changes will be fully testable only when > python-nss is IPv6 ready. > > Changes include: > * parse AAAA records in dnsclient > * also ask for AAAA records when verifying FQDN > * do not use functions that are not IPv6 aware - notably > socket.gethostbyname(). The complete list of functions was taken > from http://www.akkadia.org/drepper/userapi-ipv6.html > section "Interface Checklist" Nack, the patch doesn't handle situations when host cannot be resolved. Jan From jzeleny at redhat.com Wed Dec 15 09:59:33 2010 From: jzeleny at redhat.com (Jan =?iso-8859-15?q?Zelen=FD?=) Date: Wed, 15 Dec 2010 10:59:33 +0100 Subject: [Freeipa-devel] [PATCH] 022 Check the number of fields when importing automount maps In-Reply-To: <4D0747CB.90300@redhat.com> References: <4D0747CB.90300@redhat.com> Message-ID: <201012151059.33691.jzeleny@redhat.com> Jakub Hrozek wrote: > https://fedorahosted.org/freeipa/ticket/359 > > Sending this separately from the other automount changes since those are > more intrusive and may be under review for a while. ack Jan From jzeleny at redhat.com Wed Dec 15 10:00:35 2010 From: jzeleny at redhat.com (Jan =?iso-8859-15?q?Zelen=FD?=) Date: Wed, 15 Dec 2010 11:00:35 +0100 Subject: [Freeipa-devel] [PATCH] 023 Clarify ipa-replica-install error message In-Reply-To: <4D0747D1.1060901@redhat.com> References: <4D0747D1.1060901@redhat.com> Message-ID: <201012151100.35889.jzeleny@redhat.com> Jakub Hrozek wrote: > Just a cosmetic fix to the replica installation error message, there's > no ticket for this. ack Jan From jhrozek at redhat.com Wed Dec 15 10:03:15 2010 From: jhrozek at redhat.com (Jakub Hrozek) Date: Wed, 15 Dec 2010 11:03:15 +0100 Subject: [Freeipa-devel] Plans for bind-dyndb-ldap In-Reply-To: <4D089006.2000005@redhat.com> References: <4D07BE0D.9020506@redhat.com> <4D07C799.9010102@redhat.com> <4D089006.2000005@redhat.com> Message-ID: <4D089263.9060709@redhat.com> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 On 12/15/2010 10:53 AM, Jakub Hrozek wrote: >> Apparently, this was indeed sufficient to take over the project. I've >> > been made the project sponsor, and I've granted Simo commit privilege as >> > well. So we should be alright to make fixes as needed from now on. >> > >> > > Why don't we simply ask Martin to give us commit rights or transfer the > project to us? > Sorry, I should have read more carefully, I see we already own the project. Sorry for the noise. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.11 (GNU/Linux) Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org/ iEYEARECAAYFAk0IkmMACgkQHsardTLnvCWI/QCeIRgMCghuNSjfW+L8SkdmDfxi c1QAoLRCOtVZufHJBQdFFbgopNzryYmS =C2Pj -----END PGP SIGNATURE----- From ayoung at redhat.com Wed Dec 15 15:39:50 2010 From: ayoung at redhat.com (Adam Young) Date: Wed, 15 Dec 2010 10:39:50 -0500 Subject: [Freeipa-devel] [PATCH] admiyo-0117-aci-unit-tests In-Reply-To: <4D065DDF.7010905@redhat.com> References: <4D065DDF.7010905@redhat.com> Message-ID: <4D08E146.5020704@redhat.com> On 12/13/2010 12:54 PM, Adam Young wrote: > This depends on my patch 0116. > > Something not mentioned in the commit message is that this also fixes > the 'filter only' options. > > > _______________________________________________ > Freeipa-devel mailing list > Freeipa-devel at redhat.com > https://www.redhat.com/mailman/listinfo/freeipa-devel I'm going to pull this patch, and merge it with the other ACI changes into one mega patch. -------------- next part -------------- An HTML attachment was scrubbed... URL: From ayoung at redhat.com Wed Dec 15 15:40:14 2010 From: ayoung at redhat.com (Adam Young) Date: Wed, 15 Dec 2010 10:40:14 -0500 Subject: [Freeipa-devel] [PATCH] admiyo-0116-aci-ui In-Reply-To: <4D02FF1A.5010202@redhat.com> References: <4D02FF1A.5010202@redhat.com> Message-ID: <4D08E15E.9060309@redhat.com> On 12/10/2010 11:33 PM, Adam Young wrote: > ONly the first ACI section, not self sign or groups, yet. > > > _______________________________________________ > Freeipa-devel mailing list > Freeipa-devel at redhat.com > https://www.redhat.com/mailman/listinfo/freeipa-devel I'm going to pull this patch and merge it with the other ACI patches into one mega patch. -------------- next part -------------- An HTML attachment was scrubbed... URL: From ssorce at redhat.com Wed Dec 15 15:59:28 2010 From: ssorce at redhat.com (Simo Sorce) Date: Wed, 15 Dec 2010 10:59:28 -0500 Subject: [Freeipa-devel] [PATCH] do not use extensibleObject if not needed Message-ID: <20101215105928.361d7de2@willson.li.ssimo.org> I pushed the attached patch under the one-liner rule. Simo. -- Simo Sorce * Red Hat, Inc * New York -------------- next part -------------- A non-text attachment was scrubbed... Name: 0001-Use-nsContainer-and-not-extensibleObject-for-masters.patch Type: text/x-patch Size: 754 bytes Desc: not available URL: From rmeggins at redhat.com Wed Dec 15 16:05:38 2010 From: rmeggins at redhat.com (Rich Megginson) Date: Wed, 15 Dec 2010 09:05:38 -0700 Subject: [Freeipa-devel] [PATCH] 647 check for 389-ds replication plugin In-Reply-To: <201012150936.41305.jzeleny@redhat.com> References: <4D06744B.2090102@redhat.com> <201012150936.41305.jzeleny@redhat.com> Message-ID: <4D08E752.7070207@redhat.com> On 12/15/2010 01:36 AM, Jan Zelen? wrote: > Rob Crittenden wrote: >> Ensure that the replication plugin exists before creeating or installing >> a replica. >> >> ticket 502 >> >> rob > ack, but I'm not a big fan of hardcoding the path of plugins in the code. It > may be good for Fedora/RHEL, but how about other distributions? Do we have any > policy about this kind of things? We have a bug open to add more information to the 389-ds-base-devel package: https://bugzilla.redhat.com/show_bug.cgi?id=252249 Seems like this sort of information could be provided by a pkgconfig file or a pkg info script (389-ds-base-config - like icu-config, krb-config, etc.) e.g. pkg-config --variable=plugindir 389-ds-base > Jan > > _______________________________________________ > Freeipa-devel mailing list > Freeipa-devel at redhat.com > https://www.redhat.com/mailman/listinfo/freeipa-devel From atkac at redhat.com Wed Dec 15 17:21:20 2010 From: atkac at redhat.com (Adam Tkac) Date: Wed, 15 Dec 2010 18:21:20 +0100 Subject: [Freeipa-devel] [PATCH] Bugfixes for bind-dyndb-ldap Message-ID: <20101215172120.GA21932@evileye.atkac.brq.redhat.com> Hello, those four patches for bind-dyndb-ldap fix following issues: 0001-Bugfix-Improve-LDAP-schema-to-be-loadable-by-OpenLDA.patch: - Current schema is not loadable by OpenLDAP - https://bugzilla.redhat.com/show_bug.cgi?id=622604 0002-Change-bug-reporting-address-to-freeipa-devel-redhat.patch - fix bug reporting address 0003-Fail-and-emit-error-when-BIND9-or-OpenLDAP-devel-fil.patch - ./configure should fail if bind-devel or openldap-devel is not installed 0004-Bugfix-Fix-loading-of-child-zones-from-LDAP.patch - child zones aren't currently loaded well - https://bugzilla.redhat.com/show_bug.cgi?id=622617 If noone has objections I will push patches till end of the week. Regards, Adam -- Adam Tkac, Red Hat, Inc. -------------- next part -------------- >From d7a0d0544385376fb31d9f59860dc80b3c61e244 Mon Sep 17 00:00:00 2001 From: Adam Tkac Date: Wed, 15 Dec 2010 14:59:16 +0100 Subject: [PATCH 1/4] [Bugfix] Improve LDAP schema to be loadable by OpenLDAP. OpenLDAP's slapd daemon doesn't like entry's closing parenthesis on the new line. It has to be on the end of the last line of the entry. Signed-off-by: Adam Tkac --- doc/schema | 105 ++++++++++++++++++++---------------------------------------- 1 files changed, 35 insertions(+), 70 deletions(-) diff --git a/doc/schema b/doc/schema index ef18952..a5dacb4 100644 --- a/doc/schema +++ b/doc/schema @@ -2,175 +2,153 @@ attributetype ( 1.3.6.1.4.1.2428.20.0.0 NAME 'dNSTTL' DESC 'An integer denoting time to live' EQUALITY integerMatch - SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 -) + SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 ) attributetype ( 1.3.6.1.4.1.2428.20.0.1 NAME 'dNSClass' DESC 'The class of a resource record' EQUALITY caseIgnoreIA5Match - SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 -) + SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 ) attributetype ( 1.3.6.1.4.1.2428.20.1.12 NAME 'pTRRecord' DESC 'domain name pointer, RFC 1035' EQUALITY caseIgnoreIA5Match SUBSTR caseIgnoreIA5SubstringsMatch - SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 -) + SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 ) attributetype ( 1.3.6.1.4.1.2428.20.1.13 NAME 'hInfoRecord' DESC 'host information, RFC 1035' EQUALITY caseIgnoreIA5Match SUBSTR caseIgnoreIA5SubstringsMatch - SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 -) + SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 ) attributetype ( 1.3.6.1.4.1.2428.20.1.14 NAME 'mInfoRecord' DESC 'mailbox or mail list information, RFC 1035' EQUALITY caseIgnoreIA5Match SUBSTR caseIgnoreIA5SubstringsMatch - SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 -) + SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 ) attributetype ( 1.3.6.1.4.1.2428.20.1.16 NAME 'tXTRecord' DESC 'text string, RFC 1035' EQUALITY caseIgnoreIA5Match SUBSTR caseIgnoreIA5SubstringsMatch - SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 -) + SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 ) attributetype ( 1.3.6.1.4.1.2428.20.1.18 NAME 'aFSDBRecord' DESC 'for AFS Data Base location, RFC 1183' EQUALITY caseIgnoreIA5Match SUBSTR caseIgnoreIA5SubstringsMatch - SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 -) + SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 ) attributetype ( 1.3.6.1.4.1.2428.20.1.24 NAME 'SigRecord' DESC 'Signature, RFC 2535' EQUALITY caseIgnoreIA5Match SUBSTR caseIgnoreIA5SubstringsMatch - SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 -) + SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 ) attributetype ( 1.3.6.1.4.1.2428.20.1.25 NAME 'KeyRecord' DESC 'Key, RFC 2535' EQUALITY caseIgnoreIA5Match SUBSTR caseIgnoreIA5SubstringsMatch - SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 -) + SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 ) attributetype ( 1.3.6.1.4.1.2428.20.1.28 NAME 'aAAARecord' DESC 'IPv6 address, RFC 1886' EQUALITY caseIgnoreIA5Match SUBSTR caseIgnoreIA5SubstringsMatch - SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 -) + SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 ) attributetype ( 1.3.6.1.4.1.2428.20.1.29 NAME 'LocRecord' DESC 'Location, RFC 1876' EQUALITY caseIgnoreIA5Match SUBSTR caseIgnoreIA5SubstringsMatch - SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 -) + SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 ) attributetype ( 1.3.6.1.4.1.2428.20.1.30 NAME 'nXTRecord' DESC 'non-existant, RFC 2535' EQUALITY caseIgnoreIA5Match SUBSTR caseIgnoreIA5SubstringsMatch - SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 -) + SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 ) attributetype ( 1.3.6.1.4.1.2428.20.1.33 NAME 'sRVRecord' DESC 'service location, RFC 2782' EQUALITY caseIgnoreIA5Match SUBSTR caseIgnoreIA5SubstringsMatch - SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 -) + SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 ) attributetype ( 1.3.6.1.4.1.2428.20.1.35 NAME 'nAPTRRecord' DESC 'Naming Authority Pointer, RFC 2915' EQUALITY caseIgnoreIA5Match SUBSTR caseIgnoreIA5SubstringsMatch - SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 -) + SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 ) attributetype ( 1.3.6.1.4.1.2428.20.1.36 NAME 'kXRecord' DESC 'Key Exchange Delegation, RFC 2230' EQUALITY caseIgnoreIA5Match SUBSTR caseIgnoreIA5SubstringsMatch - SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 -) + SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 ) attributetype ( 1.3.6.1.4.1.2428.20.1.37 NAME 'certRecord' DESC 'certificate, RFC 2538' EQUALITY caseIgnoreIA5Match SUBSTR caseIgnoreIA5SubstringsMatch - SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 -) + SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 ) attributetype ( 1.3.6.1.4.1.2428.20.1.38 NAME 'a6Record' DESC 'A6 Record Type, RFC 2874' EQUALITY caseIgnoreIA5Match SUBSTR caseIgnoreIA5SubstringsMatch - SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 -) + SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 ) attributetype ( 1.3.6.1.4.1.2428.20.1.39 NAME 'dNameRecord' DESC 'Non-Terminal DNS Name Redirection, RFC 2672' EQUALITY caseIgnoreIA5Match SUBSTR caseIgnoreIA5SubstringsMatch - SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 -) + SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 ) attributetype ( 1.3.6.1.4.1.2428.20.1.43 NAME 'dSRecord' DESC 'Delegation Signer, RFC 3658' EQUALITY caseIgnoreIA5Match SUBSTR caseIgnoreIA5SubstringsMatch - SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 -) + SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 ) attributetype ( 1.3.6.1.4.1.2428.20.1.44 NAME 'sSHFPRecord' DESC 'SSH Key Fingerprint, draft-ietf-secsh-dns-05.txt' EQUALITY caseIgnoreIA5Match SUBSTR caseIgnoreIA5SubstringsMatch - SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 -) + SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 ) attributetype ( 1.3.6.1.4.1.2428.20.1.46 NAME 'rRSIGRecord' DESC 'RRSIG, RFC 3755' EQUALITY caseIgnoreIA5Match SUBSTR caseIgnoreIA5SubstringsMatch - SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 -) + SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 ) attributetype ( 1.3.6.1.4.1.2428.20.1.47 NAME 'nSECRecord' DESC 'NSEC, RFC 3755' EQUALITY caseIgnoreIA5Match SUBSTR caseIgnoreIA5SubstringsMatch - SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 -) + SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 ) attributetype ( 2.16.840.1.113730.3.8.5.0 NAME 'idnsName' @@ -178,24 +156,21 @@ attributetype ( 2.16.840.1.113730.3.8.5.0 EQUALITY caseIgnoreIA5Match SUBSTR caseIgnoreIA5SubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 - SINGLE-VALUE -) + SINGLE-VALUE ) attributetype ( 2.16.840.1.113730.3.8.5.1 NAME 'idnsAllowDynUpdate' DESC 'permit dynamic updates on this zone' EQUALITY booleanMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.7 - SINGLE-VALUE -) + SINGLE-VALUE ) attributetype ( 2.16.840.1.113730.3.8.5.2 NAME 'idnsZoneActive' DESC 'define if the zone is considered in use' EQUALITY booleanMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.7 - SINGLE-VALUE -) + SINGLE-VALUE ) attributetype ( 2.16.840.1.113730.3.8.5.3 NAME 'idnsSOAmName' @@ -203,8 +178,7 @@ attributetype ( 2.16.840.1.113730.3.8.5.3 EQUALITY caseIgnoreIA5Match SUBSTR caseIgnoreIA5SubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 - SINGLE-VALUE -) + SINGLE-VALUE ) attributetype ( 2.16.840.1.113730.3.8.5.4 NAME 'idnsSOArName' @@ -212,48 +186,42 @@ attributetype ( 2.16.840.1.113730.3.8.5.4 EQUALITY caseIgnoreIA5Match SUBSTR caseIgnoreIA5SubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 - SINGLE-VALUE -) + SINGLE-VALUE ) attributetype ( 2.16.840.1.113730.3.8.5.5 NAME 'idnsSOAserial' DESC 'SOA serial number' EQUALITY numericStringMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.36 - SINGLE-VALUE -) + SINGLE-VALUE ) attributetype ( 2.16.840.1.113730.3.8.5.6 NAME 'idnsSOArefresh' DESC 'SOA refresh value' EQUALITY numericStringMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.36 - SINGLE-VALUE -) + SINGLE-VALUE ) attributetype ( 2.16.840.1.113730.3.8.5.7 NAME 'idnsSOAretry' DESC 'SOA retry value' EQUALITY numericStringMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.36 - SINGLE-VALUE -) + SINGLE-VALUE ) attributetype ( 2.16.840.1.113730.3.8.5.8 NAME 'idnsSOAexpire' DESC 'SOA expire value' EQUALITY numericStringMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.36 - SINGLE-VALUE -) + SINGLE-VALUE ) attributetype ( 2.16.840.1.113730.3.8.5.9 NAME 'idnsSOAminimum' DESC 'SOA minimum value' EQUALITY numericStringMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.36 - SINGLE-VALUE -) + SINGLE-VALUE ) attributetype ( 2.16.840.1.113730.3.8.5.10 NAME 'idnsUpdatePolicy' @@ -261,8 +229,7 @@ attributetype ( 2.16.840.1.113730.3.8.5.10 EQUALITY caseIgnoreIA5Match SUBSTR caseIgnoreIA5SubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 - SINGLE-VALUE -) + SINGLE-VALUE ) objectclass ( 2.16.840.1.113730.3.8.6.0 NAME 'idnsRecord' @@ -276,8 +243,7 @@ objectclass ( 2.16.840.1.113730.3.8.6.0 MINFORecord $ AFSDBRecord $ SIGRecord $ KEYRecord $ LOCRecord $ NXTRecord $ NAPTRRecord $ KXRecord $ CERTRecord $ DNAMERecord $ DSRecord $ SSHFPRecord $ RRSIGRecord $ NSECRecord - ) -) + ) ) objectclass ( 2.16.840.1.113730.3.8.6.1 NAME 'idnsZone' @@ -288,5 +254,4 @@ objectclass ( 2.16.840.1.113730.3.8.6.1 idnsSOAserial $ idnsSOArefresh $ idnsSOAretry $ idnsSOAexpire $ idnsSOAminimum ) - MAY idnsUpdatePolicy -) + MAY idnsUpdatePolicy ) -- 1.7.3.3 -------------- next part -------------- >From 13cbf1b8197def2cabcd7bd952906abf409671b2 Mon Sep 17 00:00:00 2001 From: Adam Tkac Date: Wed, 15 Dec 2010 16:36:01 +0100 Subject: [PATCH 2/4] Change bug reporting address to freeipa-devel at redhat.com. Signed-off-by: Adam Tkac --- configure.ac | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) diff --git a/configure.ac b/configure.ac index e373530..0370096 100644 --- a/configure.ac +++ b/configure.ac @@ -1,5 +1,5 @@ AC_PREREQ([2.59]) -AC_INIT([bind-dyndb-ldap], [0.1.0b], [mnagy at redhat.com]) +AC_INIT([bind-dyndb-ldap], [0.1.0b], [freeipa-devel at redhat.com]) AM_INIT_AUTOMAKE([-Wall foreign dist-bzip2]) -- 1.7.3.3 -------------- next part -------------- >From 41f45c9527ba9cf1f110f419847bc13736877f28 Mon Sep 17 00:00:00 2001 From: Adam Tkac Date: Wed, 15 Dec 2010 16:40:01 +0100 Subject: [PATCH 3/4] Fail and emit error when BIND9 or OpenLDAP devel files are not installed. Signed-off-by: Adam Tkac --- configure.ac | 6 ++++-- 1 files changed, 4 insertions(+), 2 deletions(-) diff --git a/configure.ac b/configure.ac index 0370096..d80d297 100644 --- a/configure.ac +++ b/configure.ac @@ -14,8 +14,10 @@ AC_PROG_CC AC_PROG_LIBTOOL # Checks for libraries. -AC_CHECK_LIB([dns], [dns_name_init]) -AC_CHECK_LIB([ldap], [ldap_initialize]) +AC_CHECK_LIB([dns], [dns_name_init], [], + AC_MSG_ERROR([Install BIND9 development files])) +AC_CHECK_LIB([ldap], [ldap_initialize], [], + AC_MSG_ERROR([Install OpenLDAP development files])) # Checks for header files. AC_CHECK_HEADERS([stddef.h stdlib.h string.h strings.h]) -- 1.7.3.3 -------------- next part -------------- >From d3057f37d4dc163af58b63424a835f95fa74141d Mon Sep 17 00:00:00 2001 From: Adam Tkac Date: Wed, 15 Dec 2010 17:49:15 +0100 Subject: [PATCH 4/4] [Bugfix] Fix loading of child zones from LDAP. This commit fixes https://bugzilla.redhat.com/show_bug.cgi?id=622617. Signed-off-by: Adam Tkac --- src/zone_register.c | 7 +++++-- 1 files changed, 5 insertions(+), 2 deletions(-) diff --git a/src/zone_register.c b/src/zone_register.c index 7fb9924..ca51875 100644 --- a/src/zone_register.c +++ b/src/zone_register.c @@ -180,9 +180,12 @@ zr_add_zone(zone_register_t *zr, dns_zone_t *zone, const char *dn) RWLOCK(&zr->rwlock, isc_rwlocktype_write); - /* First make sure the node doesn't exist. */ + /* + * First make sure the node doesn't exist. Partial matches mean + * there are also child zones in the LDAP database which is allowed. + */ result = dns_rbt_findname(zr->rbt, name, 0, NULL, &dummy); - if (result != ISC_R_NOTFOUND) { + if (result != ISC_R_NOTFOUND && result != DNS_R_PARTIALMATCH) { if (result == ISC_R_SUCCESS) result = ISC_R_EXISTS; log_error_r("failed to add zone to the zone register"); -- 1.7.3.3 From ssorce at redhat.com Wed Dec 15 17:29:01 2010 From: ssorce at redhat.com (Simo Sorce) Date: Wed, 15 Dec 2010 12:29:01 -0500 Subject: [Freeipa-devel] [PATCH] Bugfixes for bind-dyndb-ldap In-Reply-To: <20101215172120.GA21932@evileye.atkac.brq.redhat.com> References: <20101215172120.GA21932@evileye.atkac.brq.redhat.com> Message-ID: <20101215122901.0bab3d5d@willson.li.ssimo.org> On Wed, 15 Dec 2010 18:21:20 +0100 Adam Tkac wrote: > Hello, > > those four patches for bind-dyndb-ldap fix following issues: > > 0001-Bugfix-Improve-LDAP-schema-to-be-loadable-by-OpenLDA.patch: > - Current schema is not loadable by OpenLDAP > - https://bugzilla.redhat.com/show_bug.cgi?id=622604 > > 0002-Change-bug-reporting-address-to-freeipa-devel-redhat.patch > - fix bug reporting address > > 0003-Fail-and-emit-error-when-BIND9-or-OpenLDAP-devel-fil.patch > - ./configure should fail if bind-devel or openldap-devel is not > installed > > 0004-Bugfix-Fix-loading-of-child-zones-from-LDAP.patch > - child zones aren't currently loaded well > - https://bugzilla.redhat.com/show_bug.cgi?id=622617 > > If noone has objections I will push patches till end of the week. ACK to all four. Simo. -- Simo Sorce * Red Hat, Inc * New York From jhrozek at redhat.com Wed Dec 15 17:32:36 2010 From: jhrozek at redhat.com (Jakub Hrozek) Date: Wed, 15 Dec 2010 18:32:36 +0100 Subject: [Freeipa-devel] [PATCH] 024 Change FreeIPA license to GPLv3+ Message-ID: <4D08FBB4.9040302@redhat.com> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Hi, attached is a patch that replaces all GPLv2 license blobs with GPLv3+ blobs. The new blobs also tell users to see a website for the complete license text (the old ones advised to write to a snail mail address..). The SLAPI plugins use a different wording as they need the GPL exception. When this patch is pushed, I think we should send a note at least to freeipa-devel but probably even -users and -interest. Also, I'll keep an eye on all patches that people are sending..those that add some new files will need to include the new blobs. The patch is compressed, as the original had 480 kB.. Jakub -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.11 (GNU/Linux) Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org/ iEYEARECAAYFAk0I+7QACgkQHsardTLnvCW7AwCfa2G4XAuHm6zD48t79UGPsCsT ulgAoOk2SYnLjdAs6hGgoGTBoVxzbiAp =GrNq -----END PGP SIGNATURE----- -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-jhrozek-024-Change-FreeIPA-license-to-GPLv3.patch.tar.gz Type: application/x-gzip Size: 39494 bytes Desc: not available URL: -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-jhrozek-024-Change-FreeIPA-license-to-GPLv3.patch.tar.gz.sig Type: application/pgp-signature Size: 72 bytes Desc: not available URL: From JR.Aquino at citrix.com Wed Dec 15 19:28:52 2010 From: JR.Aquino at citrix.com (JR Aquino) Date: Wed, 15 Dec 2010 19:28:52 +0000 Subject: [Freeipa-devel] [PATCH] SUDO plugin support for external hosts and users Message-ID: Attached is the patch to provide cli support for external hosts and users. This is accomplished similarly to the netgroup plugin. If the plugin is input with a hostname/user that does not exist in the directory, the plugin will then assume that the User had intended for these objects to be inserted as 'external' entities. It accomplishes this in a post_callback. Just like the netgroup plugin, this introduces a possible caveat where someone could mistype a user/host and have it inserted as an external entry, but the CLI attempts to reflect this in its output clearly stating that an External User or External Host has been added. Please review. Here is a sample sudorule containing external entries: *Contained herein are, externaluser, externalhost, as well as sudorunas and sudorunasgroup* dn: ipaUniqueID=8a9103b8-06cc-11e0-b481-8a3d259cb0b9,cn=sudorules,dc=example,dc=com objectClass: ipaassociation objectClass: ipasudorule ipaEnabledFlag: TRUE cn: tester ipaUniqueID: 8a9103b8-06cc-11e0-b481-8a3d259cb0b9 ipaSudoRunAs: uid=admin,cn=users,cn=accounts,dc=example,dc=com ipaSudoRunAsGroup: cn=admins,cn=groups,cn=accounts,dc=example,dc=com externalUser: testuser externalHost: host1.example.com -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-jraquino-0009-SUDO-plugin-support-for-external-hosts-and-users.patch Type: application/octet-stream Size: 11637 bytes Desc: freeipa-jraquino-0009-SUDO-plugin-support-for-external-hosts-and-users.patch URL: From JR.Aquino at citrix.com Wed Dec 15 21:29:53 2010 From: JR.Aquino at citrix.com (JR Aquino) Date: Wed, 15 Dec 2010 21:29:53 +0000 Subject: [Freeipa-devel] [PATCH] sudo and netgroup schema compat updates In-Reply-To: <20101209203452.GF28006@redhat.com> Message-ID: Thank you very much Nalin, at first glance these patches appear to solve what we are after. However, it looks like the master has drifted a little and these don't apply correctly. Could I ask you to do a quick spot-check and verify that we can apply these against the current master? I'd like to give an ACK to these this week before the break and I believe we are 99.9% there. Thanks! On 12/9/10 12:34 PM, "Nalin Dahyabhai" wrote: >On Thu, Dec 09, 2010 at 02:59:55PM -0500, Dmitri Pal wrote: >> 1) Adjust the compat plugin as described above > >Attached for testing. Patch 0001 we've seen before; 0002's new. > >Nalin From JR.Aquino at citrix.com Wed Dec 15 21:37:46 2010 From: JR.Aquino at citrix.com (JR Aquino) Date: Wed, 15 Dec 2010 21:37:46 +0000 Subject: [Freeipa-devel] [PATCH] Fix to man page for ipa-compat-manage (one liner) Message-ID: There was a typo for the manpage, this is a one liner to fix. -.\" A man page for ipa-ldap-updater +.\" A man page for ipa-compat-manage -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-jraquino-0010-Fix-to-man-page-for-ipa-compat-manage.patch Type: application/octet-stream Size: 806 bytes Desc: freeipa-jraquino-0010-Fix-to-man-page-for-ipa-compat-manage.patch URL: From nalin at redhat.com Wed Dec 15 22:49:56 2010 From: nalin at redhat.com (Nalin Dahyabhai) Date: Wed, 15 Dec 2010 17:49:56 -0500 Subject: [Freeipa-devel] [PATCH] sudo and netgroup schema compat updates In-Reply-To: References: <20101209203452.GF28006@redhat.com> Message-ID: <20101215224956.GB478@redhat.com> On Wed, Dec 15, 2010 at 09:29:53PM +0000, JR Aquino wrote: > Thank you very much Nalin, at first glance these patches appear to solve > what we are after. > > However, it looks like the master has drifted a little and these don't > apply correctly. > > Could I ask you to do a quick spot-check and verify that we can apply > these against the current master? Looks fine from here. Attached are rebased versions, just in case. Nalin -------------- next part -------------- >From 4e74df79e41209296a81401f243d9f312f01dbc3 Mon Sep 17 00:00:00 2001 From: Nalin Dahyabhai Date: Tue, 30 Nov 2010 18:25:33 -0500 Subject: [PATCH 1/2] sudo and netgroup schema compat updates - fix quoting of netgroup entries - don't bother looking for members of netgroups by looking for entries which list "memberOf: $netgroup" -- the netgroup should list them as "member" values - use newer slapi-nis functionality to produce cn=sudoers - drop the real cn=sudoers container to make room for the compat container --- install/share/bootstrap-template.ldif | 6 ----- install/share/schema_compat.uldif | 37 ++++++++++++++++++++++++++++---- ipa.spec.in | 2 +- 3 files changed, 33 insertions(+), 12 deletions(-) diff --git a/install/share/bootstrap-template.ldif b/install/share/bootstrap-template.ldif index 4f10f07..81eb5d6 100644 --- a/install/share/bootstrap-template.ldif +++ b/install/share/bootstrap-template.ldif @@ -64,12 +64,6 @@ objectClass: top objectClass: nsContainer cn: sudorules -dn: cn=SUDOers,$SUFFIX -changetype: add -objectClass: nsContainer -objectClass: top -cn: SUDOers - dn: cn=etc,$SUFFIX changetype: add objectClass: nsContainer diff --git a/install/share/schema_compat.uldif b/install/share/schema_compat.uldif index 22e3141..52c8d5a 100644 --- a/install/share/schema_compat.uldif +++ b/install/share/schema_compat.uldif @@ -47,7 +47,6 @@ default:schema-compat-entry-attribute: objectclass=posixGroup default:schema-compat-entry-attribute: gidNumber=%{gidNumber} default:schema-compat-entry-attribute: memberUid=%{memberUid} default:schema-compat-entry-attribute: memberUid=%deref("member","uid") -default:schema-compat-entry-attribute: memberUid=%referred("cn=users","memberOf","uid") dn: cn=ng,cn=Schema Compatibility,cn=plugins,cn=config add:objectClass: top @@ -56,14 +55,42 @@ add:cn: ng add:schema-compat-container-group: 'cn=compat, $SUFFIX' add:schema-compat-container-rdn: cn=ng add:schema-compat-check-access: yes -add:schema-compat-search-base: 'cn=ng,cn=alt,$SUFFIX' -add:schema-compat-search-filter: !(cn=ng) +add:schema-compat-search-base: 'cn=ng, cn=alt, $SUFFIX' +add:schema-compat-search-filter: (objectclass=ipaNisNetgroup) add:schema-compat-entry-rdn: cn=%{cn} add:schema-compat-entry-attribute: objectclass=nisNetgroup add:schema-compat-entry-attribute: 'memberNisNetgroup=%deref_r("member","cn")' -add:schema-compat-entry-attribute: 'memberNisNetgroup=%referred_r("cn=ng","memberOf","cn")' -add:schema-compat-entry-attribute: nisNetgroupTriple=(%link("%ifeq(\"hostCategory\",\"all\",\"\",\"%collect(\\\"%{externalHost}\\\",\\\"%deref(\\\\\\\"memberHost\\\\\\\",\\\\\\\"fqdn\\\\\\\")\\\",\\\"%deref_r(\\\\\\\"member\\\\\\\",\\\\\\\"fqdn\\\\\\\")\\\",\\\"%deref_r(\\\\\\\"memberHost\\\\\\\",\\\\\\\"member\\\\\\\",\\\\\\\"fqdn\\\\\\\")\\\")\")","-",",","%ifeq(\"userCategory\",\"all\",\"\",\"%collect(\\\"%deref(\\\\\\\"memberUser\\\\\\\",\\\\\\\"uid\\\\\\\")\\\",\\\"%deref_r(\\\\\\\"member\\\\\\\",\\\\\\\"uid\\\\\\\")\\\",\\\"%deref_r(\\\\\\\"memberUser\\\\\\\",\\\\\\\"member\\\\\\\",\\\\\\\"uid\\\\\\\")\\\")\")","-"),%{nisDomainName:-}) +add:schema-compat-entry-attribute: 'nisNetgroupTriple=(%link("%ifeq(\"hostCategory\",\"all\",\"\",\"%collect(\\\"%{externalHost}\\\",\\\"%deref(\\\\\\\"memberHost\\\\\\\",\\\\\\\"fqdn\\\\\\\")\\\",\\\"%deref_r(\\\\\\\"member\\\\\\\",\\\\\\\"fqdn\\\\\\\")\\\",\\\"%deref_r(\\\\\\\"memberHost\\\\\\\",\\\\\\\"member\\\\\\\",\\\\\\\"fqdn\\\\\\\")\\\")\")","-",",","%ifeq(\"userCategory\",\"all\",\"\",\"%collect(\\\"%deref(\\\\\\\"memberUser\\\\\\\",\\\\\\\"uid\\\\\\\")\\\",\\\"%deref_r(\\\\\\\"member\\\\\\\",\\\\\\\"uid\\\\\\\")\\\",\\\"%deref_r(\\\\\\\"memberUser\\\\\\\",\\\\\\\"member\\\\\\\",\\\\\\\"uid\\\\\\\")\\\")\")","-"),%{nisDomainName:-})' + +dn: cn=sudoers,cn=Schema Compatibility,cn=plugins,cn=config +add:objectClass: top +add:objectClass: extensibleObject +add:cn: sudoers +add:schema-compat-container-group: 'cn=SUDOers, $SUFFIX' +add:schema-compat-search-base: 'cn=sudorules, $SUFFIX' +add:schema-compat-search-filter: (&(objectclass=ipaSudoRule)(!(compatVisible=FALSE))(!(ipaEnabledFlag=FALSE))) +add:schema-compat-entry-rdn: cn=%{cn} +add:schema-compat-entry-attribute: objectclass=sudoRole +add:schema-compat-entry-attribute: 'sudoUser=%ifeq("userCategory","all","ALL","%{externalUser}")' +add:schema-compat-entry-attribute: 'sudoUser=%ifeq("userCategory","all","ALL","%deref_f(\"memberUser\",\"(objectclass=posixAccount)\",\"uid\")")' +add:schema-compat-entry-attribute: 'sudoUser=%ifeq("userCategory","all","ALL","%deref_rf(\"memberUser\",\"(&(objectclass=ipaUserGroup)(!(objectclass=posixGroup)))\",\"member\",\"(|(objectclass=ipaUserGroup)(objectclass=posixAccount))\",\"uid\")")' +add:schema-compat-entry-attribute: 'sudoUser=%ifeq("userCategory","all","ALL","%%%deref_f(\"memberUser\",\"(objectclass=posixGroup)\",\"cn\")")' +add:schema-compat-entry-attribute: 'sudoUser=%ifeq("userCategory","all","ALL","+%deref_f(\"memberUser\",\"(objectclass=ipaNisNetgroup)\",\"cn\")")' +add:schema-compat-entry-attribute: 'sudoHost=%ifeq("hostCategory","all","ALL","%{externalHost}")' +add:schema-compat-entry-attribute: 'sudoHost=%ifeq("hostCategory","all","ALL","%deref_f(\"memberHost\",\"(objectclass=ipaHost)\",\"fqdn\")")' +add:schema-compat-entry-attribute: 'sudoHost=%ifeq("hostCategory","all","ALL","%deref_rf(\"memberHost\",\"(objectclass=ipaHostGroup)\",\"member\",\"(|(objectclass=ipaHostGroup)(objectclass=ipaHost))\",\"fqdn\")")' +add:schema-compat-entry-attribute: 'sudoHost=%ifeq("hostCategory","all","ALL","+%deref_f(\"memberHost\",\"(objectclass=ipaNisNetgroup)\",\"cn\")")' +add:schema-compat-entry-attribute: 'sudoCommand=%ifeq("cmdCategory","all","ALL","%deref(\"memberAllowCmd\",\"sudoCmd\")")' +add:schema-compat-entry-attribute: 'sudoCommand=%ifeq("cmdCategory","all","ALL","%deref_r(\"memberAllowCmd\",\"member\",\"sudoCmd\")")' +add:schema-compat-entry-attribute: 'sudoCommand=%ifeq("cmdCategory","all","ALL","!%deref(\"memberDenyCmd\",\"sudoCmd\")")' +add:schema-compat-entry-attribute: 'sudoCommand=%ifeq("cmdCategory","all","ALL","!%deref_r(\"memberDenyCmd\",\"member\",\"sudoCmd\")")' +add:schema-compat-entry-attribute: 'sudoRunAsUser=%{ipaSudoRunAsExtUser}' +add:schema-compat-entry-attribute: 'sudoRunAsUser=%deref("ipaSudoRunAs","uid")' +add:schema-compat-entry-attribute: 'sudoRunAsGroup=%{ipaSudoRunAsExtGroup}' +add:schema-compat-entry-attribute: 'sudoRunAsGroup=%deref("ipaSudoRunAs","cn")' +add:schema-compat-entry-attribute: 'sudoOption=%{ipaSudoOpt}' # Enable anonymous VLV browsing for Solaris dn: oid=2.16.840.1.113730.3.4.9,cn=features,cn=config only:aci: '(targetattr !="aci")(version 3.0; acl "VLV Request Control"; allow (read, search, compare, proxy) userdn = "ldap:///anyone"; )' + diff --git a/ipa.spec.in b/ipa.spec.in index 95f6e10..764688f 100644 --- a/ipa.spec.in +++ b/ipa.spec.in @@ -91,7 +91,7 @@ Requires: libcap Requires: selinux-policy %endif Requires(post): selinux-policy-base -Requires: slapi-nis >= 0.15 +Requires: slapi-nis >= 0.21 Requires: pki-ca >= 1.3.6 Requires: pki-silent >= 1.3.4 Requires(preun): python initscripts chkconfig -- 1.7.3.3 -------------- next part -------------- >From c1e668bf3655bc2e6cbc3c2683e2ec2c057f4fb1 Mon Sep 17 00:00:00 2001 From: Nalin Dahyabhai Date: Thu, 9 Dec 2010 15:31:13 -0500 Subject: [PATCH 2/2] sudo: treat mepOriginEntry hostgroups differently - if a hostgroup named by the memberHost attribute is not also a mepOriginEntry, proceed as before - if a hostgroup named by the memberHost attribute is also a mepOriginEntry, read its "cn" attribute, prepend a "+" to it, and call it done --- install/share/schema_compat.uldif | 3 ++- 1 files changed, 2 insertions(+), 1 deletions(-) diff --git a/install/share/schema_compat.uldif b/install/share/schema_compat.uldif index 52c8d5a..fcd993a 100644 --- a/install/share/schema_compat.uldif +++ b/install/share/schema_compat.uldif @@ -78,7 +78,8 @@ add:schema-compat-entry-attribute: 'sudoUser=%ifeq("userCategory","all","ALL","% add:schema-compat-entry-attribute: 'sudoUser=%ifeq("userCategory","all","ALL","+%deref_f(\"memberUser\",\"(objectclass=ipaNisNetgroup)\",\"cn\")")' add:schema-compat-entry-attribute: 'sudoHost=%ifeq("hostCategory","all","ALL","%{externalHost}")' add:schema-compat-entry-attribute: 'sudoHost=%ifeq("hostCategory","all","ALL","%deref_f(\"memberHost\",\"(objectclass=ipaHost)\",\"fqdn\")")' -add:schema-compat-entry-attribute: 'sudoHost=%ifeq("hostCategory","all","ALL","%deref_rf(\"memberHost\",\"(objectclass=ipaHostGroup)\",\"member\",\"(|(objectclass=ipaHostGroup)(objectclass=ipaHost))\",\"fqdn\")")' +add:schema-compat-entry-attribute: 'sudoHost=%ifeq("hostCategory","all","ALL","%deref_rf(\"memberHost\",\"(&(objectclass=ipaHostGroup)(!(objectclass=mepOriginEntry)))\",\"member\",\"(|(objectclass=ipaHostGroup)(objectclass=ipaHost))\",\"fqdn\")")' +add:schema-compat-entry-attribute: 'sudoHost=%ifeq("hostCategory","all","ALL","+%deref_f(\"memberHost\",\"(&(objectclass=ipaHostGroup)(objectclass=mepOriginEntry))\",\"cn\")")' add:schema-compat-entry-attribute: 'sudoHost=%ifeq("hostCategory","all","ALL","+%deref_f(\"memberHost\",\"(objectclass=ipaNisNetgroup)\",\"cn\")")' add:schema-compat-entry-attribute: 'sudoCommand=%ifeq("cmdCategory","all","ALL","%deref(\"memberAllowCmd\",\"sudoCmd\")")' add:schema-compat-entry-attribute: 'sudoCommand=%ifeq("cmdCategory","all","ALL","%deref_r(\"memberAllowCmd\",\"member\",\"sudoCmd\")")' -- 1.7.3.3 From JR.Aquino at citrix.com Wed Dec 15 23:07:32 2010 From: JR.Aquino at citrix.com (JR Aquino) Date: Wed, 15 Dec 2010 23:07:32 +0000 Subject: [Freeipa-devel] [PATCH] sudo and netgroup schema compat updates In-Reply-To: <20101215224956.GB478@redhat.com> Message-ID: Thanks! Testing now. On 12/15/10 2:49 PM, "Nalin Dahyabhai" wrote: >On Wed, Dec 15, 2010 at 09:29:53PM +0000, JR Aquino wrote: >> Thank you very much Nalin, at first glance these patches appear to solve >> what we are after. >> >> However, it looks like the master has drifted a little and these don't >> apply correctly. >> >> Could I ask you to do a quick spot-check and verify that we can apply >> these against the current master? > >Looks fine from here. Attached are rebased versions, just in case. > >Nalin From ssorce at redhat.com Thu Dec 16 01:01:10 2010 From: ssorce at redhat.com (Simo Sorce) Date: Wed, 15 Dec 2010 20:01:10 -0500 Subject: [Freeipa-devel] [PATCH] 0032 Cleanup when deleting a replica Message-ID: <20101215200110.54c16661@willson.li.ssimo.org> Clean up records related to the master being deleted in the shared tree. This also avoid issues later on if you want to rejoin the server as a master. It is also needed in order to give back valid information for patch 0035 Simo. -- Simo Sorce * Red Hat, Inc * New York -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-simo-0032-Remove-common-entries-when-deleting-a-master.patch Type: text/x-patch Size: 11176 bytes Desc: not available URL: From ssorce at redhat.com Thu Dec 16 01:02:58 2010 From: ssorce at redhat.com (Simo Sorce) Date: Wed, 15 Dec 2010 20:02:58 -0500 Subject: [Freeipa-devel] [PATCH] 0033 Add disconnect command to change topology Message-ID: <20101215200258.1c118346@willson.li.ssimo.org> This command will delete a replication agreement unless it is the last one on either server. It is used to change replication topology without actually removing any single master for the domain (the del command must be used if that the intent). Simo. -- Simo Sorce * Red Hat, Inc * New York -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-simo-0033-Add-disconnect-command-to-ipa-replica-manage.patch Type: text/x-patch Size: 6389 bytes Desc: not available URL: From ssorce at redhat.com Thu Dec 16 01:06:05 2010 From: ssorce at redhat.com (Simo Sorce) Date: Wed, 15 Dec 2010 20:06:05 -0500 Subject: [Freeipa-devel] [PATCH] 0034 REname command for consistency Message-ID: <20101215200605.4272d995@willson.li.ssimo.org> Rename the "add" command to "connect", this makes it evident it is the opposite of disconnect. "add" was also ambiguos, one could think it could be used to add a new replica, while it can only add agreements between existing replicas thus "connecting" them. This patch also enhances a bit the parsing of arguments by ipa-replica-manage Simo. -- Simo Sorce * Red Hat, Inc * New York -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-simo-0034-Rename-add-command-to-connect-in-ipa-replica-manage.patch Type: text/x-patch Size: 7615 bytes Desc: not available URL: From ssorce at redhat.com Thu Dec 16 01:09:08 2010 From: ssorce at redhat.com (Simo Sorce) Date: Wed, 15 Dec 2010 20:09:08 -0500 Subject: [Freeipa-devel] [PATCH] 0035 Improve ipa-replica-manage list Message-ID: <20101215200908.6fc2c069@willson.li.ssimo.org> With the previous incarnation it wasn't possible to get a list of all replicas, only of the replicas directly connected to the one on which the command was run. This new version will return all known replicas (as per entries under cn=master,cn=ipa,cn=etc,$SUFFIX). If a server name is passed as an argument then the specific replica is queried to get the list of servers it is directly connected to. This is so that topology can be easily discovered from a single machine. Simo. -- Simo Sorce * Red Hat, Inc * New York -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-simo-0035-Make-ipa-replica-manage-list-return-all-known-master.patch Type: text/x-patch Size: 5915 bytes Desc: not available URL: From JR.Aquino at citrix.com Thu Dec 16 04:16:36 2010 From: JR.Aquino at citrix.com (JR Aquino) Date: Thu, 16 Dec 2010 04:16:36 +0000 Subject: [Freeipa-devel] [PATCH] sudo and netgroup schema compat updates In-Reply-To: <20101215224956.GB478@redhat.com> Message-ID: Perfect! All tests check out clean! One final piece I think needs a quick one liner: From: http://www.gratisoft.us/sudo/sudoers.ldap.man.html --The sudoers configuration is contained in the ou=SUDOers LDAP container.-- Currently the plugin creates 'cn=sudoers' as opposed to 'ou=sudoers'. After that change I believe we've nailed it 100%! Thank you very much Nalin ACK From rcritten at redhat.com Thu Dec 16 14:29:08 2010 From: rcritten at redhat.com (Rob Crittenden) Date: Thu, 16 Dec 2010 09:29:08 -0500 Subject: [Freeipa-devel] [PATCH] 647 check for 389-ds replication plugin In-Reply-To: <4D08E752.7070207@redhat.com> References: <4D06744B.2090102@redhat.com> <201012150936.41305.jzeleny@redhat.com> <4D08E752.7070207@redhat.com> Message-ID: <4D0A2234.4020407@redhat.com> Rich Megginson wrote: > On 12/15/2010 01:36 AM, Jan Zelen? wrote: >> Rob Crittenden wrote: >>> Ensure that the replication plugin exists before creeating or installing >>> a replica. >>> >>> ticket 502 >>> >>> rob >> ack, but I'm not a big fan of hardcoding the path of plugins in the >> code. It >> may be good for Fedora/RHEL, but how about other distributions? Do we >> have any >> policy about this kind of things? > We have a bug open to add more information to the 389-ds-base-devel > package: > https://bugzilla.redhat.com/show_bug.cgi?id=252249 > > Seems like this sort of information could be provided by a pkgconfig > file or a pkg info script (389-ds-base-config - like icu-config, > krb-config, etc.) e.g. > pkg-config --variable=plugindir 389-ds-base Yeah, that sounds cool. Can we piggy back onto this bug? rob From rcritten at redhat.com Thu Dec 16 14:34:13 2010 From: rcritten at redhat.com (Rob Crittenden) Date: Thu, 16 Dec 2010 09:34:13 -0500 Subject: [Freeipa-devel] [PATCH] 648 Add krb5-pkinit-openssl as a Requires In-Reply-To: <201012150947.00765.jzeleny@redhat.com> References: <4D0678A5.7050400@redhat.com> <201012150947.00765.jzeleny@redhat.com> Message-ID: <4D0A2365.5070406@redhat.com> Jan Zelen? wrote: > Rob Crittenden wrote: >> krb5-pkinit-openssl is used for PKINIT support. Make it a required package. >> >> ticket 599 >> >> rob > > As was my question/concern with your 647 patch - the patch is ok for Fedora, > but wouldn't be wise to keep the check_pkinit code for other distributions (or > for manual IPA installation if we are going to support it)? Other packaging systems will add their own Requires equivalent. > Other than that the patch is ok. Rebased and pushed to master rob From rcritten at redhat.com Thu Dec 16 14:34:19 2010 From: rcritten at redhat.com (Rob Crittenden) Date: Thu, 16 Dec 2010 09:34:19 -0500 Subject: [Freeipa-devel] [PATCH] 648 Add krb5-pkinit-openssl as a Requires In-Reply-To: <201012150947.00765.jzeleny@redhat.com> References: <4D0678A5.7050400@redhat.com> <201012150947.00765.jzeleny@redhat.com> Message-ID: <4D0A236B.3060407@redhat.com> Jan Zelen? wrote: > Rob Crittenden wrote: >> krb5-pkinit-openssl is used for PKINIT support. Make it a required package. >> >> ticket 599 >> >> rob > > As was my question/concern with your 647 patch - the patch is ok for Fedora, > but wouldn't be wise to keep the check_pkinit code for other distributions (or > for manual IPA installation if we are going to support it)? Other packaging systems will add their own Requires equivalent. > Other than that the patch is ok. Rebased and pushed to master rob From rmeggins at redhat.com Thu Dec 16 15:13:40 2010 From: rmeggins at redhat.com (Rich Megginson) Date: Thu, 16 Dec 2010 08:13:40 -0700 Subject: [Freeipa-devel] [PATCH] 647 check for 389-ds replication plugin In-Reply-To: <4D0A2234.4020407@redhat.com> References: <4D06744B.2090102@redhat.com> <201012150936.41305.jzeleny@redhat.com> <4D08E752.7070207@redhat.com> <4D0A2234.4020407@redhat.com> Message-ID: <4D0A2CA4.4030206@redhat.com> On 12/16/2010 07:29 AM, Rob Crittenden wrote: > Rich Megginson wrote: >> On 12/15/2010 01:36 AM, Jan Zelen? wrote: >>> Rob Crittenden wrote: >>>> Ensure that the replication plugin exists before creeating or >>>> installing >>>> a replica. >>>> >>>> ticket 502 >>>> >>>> rob >>> ack, but I'm not a big fan of hardcoding the path of plugins in the >>> code. It >>> may be good for Fedora/RHEL, but how about other distributions? Do we >>> have any >>> policy about this kind of things? >> We have a bug open to add more information to the 389-ds-base-devel >> package: >> https://bugzilla.redhat.com/show_bug.cgi?id=252249 >> >> Seems like this sort of information could be provided by a pkgconfig >> file or a pkg info script (389-ds-base-config - like icu-config, >> krb-config, etc.) e.g. >> pkg-config --variable=plugindir 389-ds-base > > Yeah, that sounds cool. Can we piggy back onto this bug? Yes - and add anything else related - any information that you need from 389. > > rob From JR.Aquino at citrix.com Thu Dec 16 15:32:27 2010 From: JR.Aquino at citrix.com (JR Aquino) Date: Thu, 16 Dec 2010 15:32:27 +0000 Subject: [Freeipa-devel] [PATCH] sudo and netgroup schema compat updates In-Reply-To: Message-ID: Attached are both patches with one modification to 0001: -add:schema-compat-container-group: 'cn=SUDOers, $SUFFIX' +add:schema-compat-container-group: 'ou=SUDOers, $SUFFIX' Please ack and push to master. On 12/15/10 8:16 PM, "JR Aquino" wrote: >Perfect! > >All tests check out clean! > >One final piece I think needs a quick one liner: > >From: http://www.gratisoft.us/sudo/sudoers.ldap.man.html > --The sudoers configuration is contained in the ou=SUDOers LDAP >container.-- > >Currently the plugin creates 'cn=sudoers' as opposed to 'ou=sudoers'. > >After that change I believe we've nailed it 100%! > >Thank you very much Nalin > >ACK > > >_______________________________________________ >Freeipa-devel mailing list >Freeipa-devel at redhat.com >https://www.redhat.com/mailman/listinfo/freeipa-devel -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-nalin-0001-sudo-and-netgroup-schema-compat-updates.patch Type: application/octet-stream Size: 7222 bytes Desc: freeipa-nalin-0001-sudo-and-netgroup-schema-compat-updates.patch URL: -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-nalin-0002-sudo-treat-mepOriginEntry-hostgroups-differently.patch Type: application/octet-stream Size: 2320 bytes Desc: freeipa-nalin-0002-sudo-treat-mepOriginEntry-hostgroups-differently.patch URL: From jhrozek at redhat.com Thu Dec 16 16:23:16 2010 From: jhrozek at redhat.com (Jakub Hrozek) Date: Thu, 16 Dec 2010 17:23:16 +0100 Subject: [Freeipa-devel] [PATCH] 025 Allow RDN changes from CLI Message-ID: <4D0A3CF4.4090608@redhat.com> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Adds a new parameter 'rename' to all objects with 'rdnattr' attribute. This parameter is a clone of the rdnattr attribute, except for name and docs, so normalizer, default_from and also the type are the same as the original attribute. https://fedorahosted.org/freeipa/ticket/397 -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.11 (GNU/Linux) Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org/ iEYEARECAAYFAk0KPPQACgkQHsardTLnvCXQIgCfYFMPsMow5X4jXBQIPkik1Ink 5oQAoLf/TxwTIEBiGNEpHj+O/sS78yvX =eWE1 -----END PGP SIGNATURE----- -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-jhrozek-025-Allow-RDN-changes-from-CLI.patch Type: text/x-patch Size: 3821 bytes Desc: not available URL: -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-jhrozek-025-Allow-RDN-changes-from-CLI.patch.sig Type: application/pgp-signature Size: 72 bytes Desc: not available URL: From jhrozek at redhat.com Thu Dec 16 16:57:17 2010 From: jhrozek at redhat.com (Jakub Hrozek) Date: Thu, 16 Dec 2010 17:57:17 +0100 Subject: [Freeipa-devel] [PATCH] 021 Make the IPA installer IPv6 friendly In-Reply-To: <201012151055.52258.jzeleny@redhat.com> References: <4D0747C2.4030007@redhat.com> <201012151055.52258.jzeleny@redhat.com> Message-ID: <4D0A44ED.7060501@redhat.com> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 On 12/15/2010 10:55 AM, Jan Zelen? wrote: > Jakub Hrozek wrote: >> This is a first patch towards IPv6 support. Currently it only touches >> the installer only as other changes will be fully testable only when >> python-nss is IPv6 ready. >> >> Changes include: >> * parse AAAA records in dnsclient >> * also ask for AAAA records when verifying FQDN >> * do not use functions that are not IPv6 aware - notably >> socket.gethostbyname(). The complete list of functions was taken >> from http://www.akkadia.org/drepper/userapi-ipv6.html >> section "Interface Checklist" > > Nack, the patch doesn't handle situations when host cannot be resolved. > > Jan > Thanks, it didn't handle the case in ipa-replica-install, now it should catch the exception and return None (and the caller would react upon getting None for the IP address). In krbinstance.py it would still raise an exception, but I think that is OK during instance creation (we surely don't want to print anything). The user would see the error string, anyway.. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.11 (GNU/Linux) Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org/ iEYEARECAAYFAk0KRO0ACgkQHsardTLnvCXAcQCfZgtSWyGo/gCOLPF0Imz0Ogu0 SnEAoOKsG5WTN38lRBr6mYIvDxXC8Vy4 =2QvT -----END PGP SIGNATURE----- -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-jhrozek-021-02-Make-the-IPA-installer-IPv6-friendly.patch Type: text/x-patch Size: 13842 bytes Desc: not available URL: -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-jhrozek-021-02-Make-the-IPA-installer-IPv6-friendly.patch.sig Type: application/pgp-signature Size: 72 bytes Desc: not available URL: From zpericic at inet.hr Thu Dec 16 18:39:38 2010 From: zpericic at inet.hr (Zoran Pericic) Date: Thu, 16 Dec 2010 19:39:38 +0100 Subject: [Freeipa-devel] [PATCH] bynd-dyndb-ldap: Fix keytab checking Message-ID: <4D0A5CEA.1000801@inet.hr> diff -ur bind-dyndb-ldap-0.1.0b.org/src/krb5_helper.c bind-dyndb-ldap-0.1.0b.keytab/src/krb5_helper.c --- bind-dyndb-ldap-0.1.0b.org/src/krb5_helper.c 2009-09-06 22:50:14.000000000 +0200 +++ bind-dyndb-ldap-0.1.0b.keytab/src/krb5_helper.c 2010-12-16 19:30:18.281267020 +0100 @@ -111,7 +111,7 @@ DEFAULT_KEYTAB); keyfile = DEFAULT_KEYTAB; } else { - if (strcmp(keyfile, "FILE:") != 0) { + if (strncmp(keyfile, "FILE:", 5) != 0) { log_error("Unknown keytab file name format, " "missing leading 'FILE:' prefix"); return ISC_R_FAILURE; From zpericic at inet.hr Thu Dec 16 18:47:41 2010 From: zpericic at inet.hr (Zoran Pericic) Date: Thu, 16 Dec 2010 19:47:41 +0100 Subject: [Freeipa-devel] [PATCH] bynd-dyndb-ldap: Add separate keytab principal option Message-ID: <4D0A5ECD.5050409@inet.hr> This patch separate sasl_user from keytab. For some reason OpenLDAP refuse login if I use sasl_user. OpenLDAP try to do proxy login which always fail. openldap clients (ldapsearch) sends empty sasl_user for GSSAPI login. To send empty sasl_user we need separate option for krb5 principal so we could init principal from keytab. Here is sample config: dynamic-db "ldapdns" { llibrary "ldap.so"; arg "connections 2"; arg "uri ldap://myhost"; arg "base ou=DNS,dc=mybase"; arg "cache_ttl 300"; arg "auth_method sasl"; arg "krb5_keytab FILE:/etc/named/named.keytab"; arg "krb5_principal dns/myhost"; arg "sasl_mech GSSAPI"; } Best regards, Zoran Pericic --- diff -urN bind-dyndb-ldap-0.1.0b.org/src/ldap_helper.c bind-dyndb-ldap-0.1.0b.krb5_principal/src/ldap_helper.c --- bind-dyndb-ldap-0.1.0b.org/src/ldap_helper.c 2010-03-24 11:55:30.000000000 +0100 +++ bind-dyndb-ldap-0.1.0b.krb5_principal/src/ldap_helper.c 2010-11-18 00:17:57.503920016 +0100 @@ -128,6 +128,7 @@ ldap_auth_t auth_method; ld_string_t *bind_dn; ld_string_t *password; + ld_string_t *krb5_principal; ld_string_t *sasl_mech; ld_string_t *sasl_user; ld_string_t *sasl_auth_name; @@ -293,6 +294,7 @@ { "auth_method", default_string("none") }, { "bind_dn", default_string("") }, { "password", default_string("") }, + { "krb5_principal", default_string("") }, { "sasl_mech", default_string("GSSAPI") }, { "sasl_user", default_string("") }, { "sasl_auth_name", default_string("") }, @@ -330,6 +332,7 @@ CHECK(str_new(mctx, &ldap_inst->base)); CHECK(str_new(mctx, &ldap_inst->bind_dn)); CHECK(str_new(mctx, &ldap_inst->password)); + CHECK(str_new(mctx, &ldap_inst->krb5_principal)); CHECK(str_new(mctx, &ldap_inst->sasl_mech)); CHECK(str_new(mctx, &ldap_inst->sasl_user)); CHECK(str_new(mctx, &ldap_inst->sasl_auth_name)); @@ -346,6 +349,7 @@ ldap_settings[i++].target = auth_method_str; ldap_settings[i++].target = ldap_inst->bind_dn; ldap_settings[i++].target = ldap_inst->password; + ldap_settings[i++].target = ldap_inst->krb5_principal; ldap_settings[i++].target = ldap_inst->sasl_mech; ldap_settings[i++].target = ldap_inst->sasl_user; ldap_settings[i++].target = ldap_inst->sasl_auth_name; @@ -380,13 +384,24 @@ } /* check we have the right data when SASL/GSSAPI is selected */ - if ((ldap_inst->auth_method == AUTH_SASL) && - (str_casecmp_char(ldap_inst->sasl_mech, "GSSAPI") == 0)) { - if ((ldap_inst->sasl_user == NULL) || - (str_len(ldap_inst->sasl_user) == 0)) { - log_error("Sasl mech GSSAPI defined but sasl_user is empty"); - result = ISC_R_FAILURE; - goto cleanup; + if((ldap_inst->auth_method == AUTH_SASL) && + (str_casecmp_char(ldap_inst->sasl_mech, "GSSAPI") == 0)) { + if((ldap_inst->krb5_principal == NULL) && + (str_len(ldap_inst->krb5_principal) == 0)) { + if((ldap_inst->sasl_user == NULL) && + (str_len(ldap_inst->sasl_user) == 0)) { + char hostname[255]; + if(gethostname(hostname, 255) != 0) { + log_error("SASL mech GSSAPI defined but krb5_principal and sasl_user are empty. Could not get hostname"); + result = ISC_R_FAILURE; + goto cleanup; + } else { + str_sprintf(ldap_inst->krb5_principal, "dns/%s", hostname); + log_debug(2, "SASL mech GSSAPI defined but krb5_principal and sasl_user are empty, using default %s", str_buf(ldap_inst->krb5_principal)); + } + } else { + str_copy(ldap_inst->krb5_principal, ldap_inst->sasl_user); + } } } @@ -447,6 +462,7 @@ str_destroy(&ldap_inst->base); str_destroy(&ldap_inst->bind_dn); str_destroy(&ldap_inst->password); + str_destroy(&ldap_inst->krb5_principal); str_destroy(&ldap_inst->sasl_mech); str_destroy(&ldap_inst->sasl_user); str_destroy(&ldap_inst->sasl_auth_name); @@ -1618,7 +1634,7 @@ isc_result_t result; LOCK(&ldap_inst->kinit_lock); result = get_krb5_tgt(ldap_inst->mctx, - str_buf(ldap_inst->sasl_user), + str_buf(ldap_inst->krb5_principal), str_buf(ldap_inst->krb5_keytab)); UNLOCK(&ldap_inst->kinit_lock); if (result != ISC_R_SUCCESS) From ssorce at redhat.com Thu Dec 16 19:06:17 2010 From: ssorce at redhat.com (Simo Sorce) Date: Thu, 16 Dec 2010 14:06:17 -0500 Subject: [Freeipa-devel] [PATCH] bynd-dyndb-ldap: Add separate keytab principal option In-Reply-To: <4D0A5ECD.5050409@inet.hr> References: <4D0A5ECD.5050409@inet.hr> Message-ID: <20101216140617.0d6f7124@willson.li.ssimo.org> On Thu, 16 Dec 2010 19:47:41 +0100 Zoran Pericic wrote: > This patch separate sasl_user from keytab. Any chance you can send the patch in git format using the following flags: -M -C --patience --full-index Will comment on the patches themselves separately. Simo. -- Simo Sorce * Red Hat, Inc * New York From ssorce at redhat.com Thu Dec 16 19:06:59 2010 From: ssorce at redhat.com (Simo Sorce) Date: Thu, 16 Dec 2010 14:06:59 -0500 Subject: [Freeipa-devel] [PATCH] bynd-dyndb-ldap: Fix keytab checking In-Reply-To: <4D0A5CEA.1000801@inet.hr> References: <4D0A5CEA.1000801@inet.hr> Message-ID: <20101216140659.1d2fc027@willson.li.ssimo.org> On Thu, 16 Dec 2010 19:39:38 +0100 Zoran Pericic wrote: > > diff -ur bind-dyndb-ldap-0.1.0b.org/src/krb5_helper.c > bind-dyndb-ldap-0.1.0b.keytab/src/krb5_helper.c > --- bind-dyndb-ldap-0.1.0b.org/src/krb5_helper.c 2009-09-06 > 22:50:14.000000000 +0200 > +++ bind-dyndb-ldap-0.1.0b.keytab/src/krb5_helper.c 2010-12-16 > 19:30:18.281267020 +0100 > @@ -111,7 +111,7 @@ > DEFAULT_KEYTAB); > keyfile = DEFAULT_KEYTAB; > } else { > - if (strcmp(keyfile, "FILE:") != 0) { > + if (strncmp(keyfile, "FILE:", 5) != 0) { > log_error("Unknown keytab file name format, " > "missing leading 'FILE:' prefix"); > return ISC_R_FAILURE; Obvious ACK, I will put the change in myself unless you can send me a git formatted patch I can git am into my tree. Simo. -- Simo Sorce * Red Hat, Inc * New York From sgallagh at redhat.com Thu Dec 16 19:11:36 2010 From: sgallagh at redhat.com (Stephen Gallagher) Date: Thu, 16 Dec 2010 14:11:36 -0500 Subject: [Freeipa-devel] [PATCHES] Three patches for bind-dyndb-ldap Message-ID: <4D0A6468.5010201@redhat.com> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 These three patches were submitted to me directly. Just forwarding them to the freeipa-devel list so they can be properly reviewed. - -------- Original Message -------- Subject: Re: bind-dyndb-ldap Date: Wed, 15 Dec 2010 19:49:49 +0100 From: Zoran Pericic To: Stephen Gallagher On 12/14/2010 08:26 PM, Stephen Gallagher wrote: > In the past, you have each requested commit privilege to the > bind-dyndb-ldap project. This project was mostly abandoned, and I have > taken it over in a sustaining capacity. If you have patches and similar > that you would like to have considered for inclusion, please let me know. I have submited 3 ticket to https://fedorahosted.org/bind-dyndb-ldap/ , ticket #27, #28, #29. This should be included. I am using dyndb-ldap so I will try to fix any bugs I find but I'am not planing to be full time maintainer so commit right is not necessery but would be nice to know where could I contribute to this project (buzilla?, https://fedorahosted.org/bind-dyndb-ldap?). Best regards, Zoran Pericic -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.11 (GNU/Linux) Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org/ iEYEARECAAYFAk0KZGgACgkQeiVVYja6o6NV9gCgsAg8y7W2WctmwHzgqhRmurbS MYQAn0PoHNZmutTV6K7S4NkqSA1209eC =qHRN -----END PGP SIGNATURE----- -------------- next part -------------- A non-text attachment was scrubbed... Name: bind-dyndb-ldap-0.1.0b-add_zone.patch Type: text/x-patch Size: 640 bytes Desc: not available URL: -------------- next part -------------- A non-text attachment was scrubbed... Name: bind-dyndb-ldap-0.1.0b-keytab.patch Type: text/x-patch Size: 778 bytes Desc: not available URL: -------------- next part -------------- A non-text attachment was scrubbed... Name: bind-dyndb-ldap-0.1.0b-krb5_principal.patch Type: text/x-patch Size: 3450 bytes Desc: not available URL: -------------- next part -------------- A non-text attachment was scrubbed... Name: bind-dyndb-ldap-0.1.0b-add_zone.patch.sig Type: application/pgp-signature Size: 72 bytes Desc: not available URL: -------------- next part -------------- A non-text attachment was scrubbed... Name: bind-dyndb-ldap-0.1.0b-keytab.patch.sig Type: application/pgp-signature Size: 72 bytes Desc: not available URL: -------------- next part -------------- A non-text attachment was scrubbed... Name: bind-dyndb-ldap-0.1.0b-krb5_principal.patch.sig Type: application/pgp-signature Size: 72 bytes Desc: not available URL: From ssorce at redhat.com Thu Dec 16 19:25:47 2010 From: ssorce at redhat.com (Simo Sorce) Date: Thu, 16 Dec 2010 14:25:47 -0500 Subject: [Freeipa-devel] [PATCH] bynd-dyndb-ldap: Add separate keytab principal option In-Reply-To: <4D0A5ECD.5050409@inet.hr> References: <4D0A5ECD.5050409@inet.hr> Message-ID: <20101216142547.26cd39c0@willson.li.ssimo.org> On Thu, 16 Dec 2010 19:47:41 +0100 Zoran Pericic wrote: > This patch separate sasl_user from keytab. > > For some reason OpenLDAP refuse login if I use sasl_user. OpenLDAP > try to do proxy login which always fail. openldap clients > (ldapsearch) sends empty sasl_user for GSSAPI login. To send empty > sasl_user we need separate option for krb5 principal so we could init > principal from keytab. > > Here is sample config: > > dynamic-db "ldapdns" { > llibrary "ldap.so"; > arg "connections 2"; > arg "uri ldap://myhost"; > arg "base ou=DNS,dc=mybase"; > arg "cache_ttl 300"; > arg "auth_method sasl"; > arg "krb5_keytab FILE:/etc/named/named.keytab"; > arg "krb5_principal dns/myhost"; > arg "sasl_mech GSSAPI"; > } > > > Best regards, > Zoran Pericic > > > --- > > diff -urN bind-dyndb-ldap-0.1.0b.org/src/ldap_helper.c > bind-dyndb-ldap-0.1.0b.krb5_principal/src/ldap_helper.c > --- bind-dyndb-ldap-0.1.0b.org/src/ldap_helper.c 2010-03-24 > 11:55:30.000000000 +0100 > +++ bind-dyndb-ldap-0.1.0b.krb5_principal/src/ldap_helper.c > 2010-11-18 00:17:57.503920016 +0100 > @@ -128,6 +128,7 @@ > ldap_auth_t auth_method; > ld_string_t *bind_dn; > ld_string_t *password; > + ld_string_t *krb5_principal; are you using spaces instead of tabs ? although we prefer 4 spaces indentations in general in the Freeipa project it appears that the bind-dyndb-ldap plugin uses tabs for indentation, so this patch should do the same. > ld_string_t *sasl_mech; > ld_string_t *sasl_user; > ld_string_t *sasl_auth_name; > @@ -293,6 +294,7 @@ > { "auth_method", default_string("none") }, > { "bind_dn", default_string("") }, > { "password", default_string("") }, > + { "krb5_principal", default_string("") }, ^^ tab > { "sasl_mech", default_string("GSSAPI") }, > { "sasl_user", default_string("") }, > { "sasl_auth_name", default_string("") }, > @@ -330,6 +332,7 @@ > CHECK(str_new(mctx, &ldap_inst->base)); > CHECK(str_new(mctx, &ldap_inst->bind_dn)); > CHECK(str_new(mctx, &ldap_inst->password)); > + CHECK(str_new(mctx, &ldap_inst->krb5_principal)); ^^ tab > CHECK(str_new(mctx, &ldap_inst->sasl_mech)); > CHECK(str_new(mctx, &ldap_inst->sasl_user)); > CHECK(str_new(mctx, &ldap_inst->sasl_auth_name)); > @@ -346,6 +349,7 @@ > ldap_settings[i++].target = auth_method_str; > ldap_settings[i++].target = ldap_inst->bind_dn; > ldap_settings[i++].target = ldap_inst->password; > + ldap_settings[i++].target = ldap_inst->krb5_principal; ^^ tab > ldap_settings[i++].target = ldap_inst->sasl_mech; > ldap_settings[i++].target = ldap_inst->sasl_user; > ldap_settings[i++].target = ldap_inst->sasl_auth_name; > @@ -380,13 +384,24 @@ > } > > /* check we have the right data when SASL/GSSAPI is selected */ > - if ((ldap_inst->auth_method == AUTH_SASL) && > - (str_casecmp_char(ldap_inst->sasl_mech, "GSSAPI") == 0)) { > - if ((ldap_inst->sasl_user == NULL) || > - (str_len(ldap_inst->sasl_user) == 0)) { > - log_error("Sasl mech GSSAPI defined but sasl_user is > empty"); > - result = ISC_R_FAILURE; > - goto cleanup; > + if((ldap_inst->auth_method == AUTH_SASL) && please keep using 'if (' and not 'if(' as the rest of the code. > + (str_casecmp_char(ldap_inst->sasl_mech, "GSSAPI") == 0)) { > + if((ldap_inst->krb5_principal == NULL) && > + (str_len(ldap_inst->krb5_principal) == 0)) { > + if((ldap_inst->sasl_user == NULL) && > + (str_len(ldap_inst->sasl_user) == 0)) { the above 2 statements seem wrong to me, the original one had: if ((cond 1) || (cond 2)) { while you changed it into: if ((cond 1) && (cond 2)) { This fails to do the check that is intended. > + char hostname[255]; > + if(gethostname(hostname, 255) != 0) { > + log_error("SASL mech GSSAPI defined but > krb5_principal and sasl_user are empty. Could not get hostname"); > + result = ISC_R_FAILURE; > + goto cleanup; > + } else { > + str_sprintf(ldap_inst->krb5_principal, "dns/%s", > hostname); This should probably be "DNS/%s", Kerberos is generally case sensitive and t5he default for bind is to use the service name part in all caps. > + log_debug(2, "SASL mech GSSAPI defined but > krb5_principal and sasl_user are empty, using default %s", > str_buf(ldap_inst->krb5_principal)); It would be preferable, but not necessary, to split long lines so that they stay within 80 columns limits and avoid wrapping. > + } > + } else { > + str_copy(ldap_inst->krb5_principal, > ldap_inst->sasl_user); > + } > } > } > > @@ -447,6 +462,7 @@ > str_destroy(&ldap_inst->base); > str_destroy(&ldap_inst->bind_dn); > str_destroy(&ldap_inst->password); > + str_destroy(&ldap_inst->krb5_principal); > str_destroy(&ldap_inst->sasl_mech); > str_destroy(&ldap_inst->sasl_user); > str_destroy(&ldap_inst->sasl_auth_name); > @@ -1618,7 +1634,7 @@ > isc_result_t result; > LOCK(&ldap_inst->kinit_lock); > result = get_krb5_tgt(ldap_inst->mctx, > - str_buf(ldap_inst->sasl_user), > + str_buf(ldap_inst->krb5_principal), > str_buf(ldap_inst->krb5_keytab)); > UNLOCK(&ldap_inst->kinit_lock); > if (result != ISC_R_SUCCESS) Generally the direction looks ok, if you fix the above issues it will get an ack. Simo. -- Simo Sorce * Red Hat, Inc * New York From ssorce at redhat.com Thu Dec 16 19:28:44 2010 From: ssorce at redhat.com (Simo Sorce) Date: Thu, 16 Dec 2010 14:28:44 -0500 Subject: [Freeipa-devel] [PATCHES] Three patches for bind-dyndb-ldap In-Reply-To: <4D0A6468.5010201@redhat.com> References: <4D0A6468.5010201@redhat.com> Message-ID: <20101216142844.44e04eb6@willson.li.ssimo.org> On Thu, 16 Dec 2010 14:11:36 -0500 Stephen Gallagher wrote: > -----BEGIN PGP SIGNED MESSAGE----- > Hash: SHA1 > > These three patches were submitted to me directly. Just forwarding > them to the freeipa-devel list so they can be properly reviewed. The first issue has been already addressed by Adam with a similar patch. The other 2 have landed on the list and received comments. Thanks for forwarding though. Simo. > - -------- Original Message -------- > Subject: Re: bind-dyndb-ldap > Date: Wed, 15 Dec 2010 19:49:49 +0100 > From: Zoran Pericic > To: Stephen Gallagher > > On 12/14/2010 08:26 PM, Stephen Gallagher wrote: > > In the past, you have each requested commit privilege to the > > bind-dyndb-ldap project. This project was mostly abandoned, and I > > have taken it over in a sustaining capacity. If you have patches > > and similar that you would like to have considered for inclusion, > > please let me know. > > I have submited 3 ticket to > https://fedorahosted.org/bind-dyndb-ldap/ , ticket #27, #28, #29. > This should be included. > > I am using dyndb-ldap so I will try to fix any bugs I find but I'am > not planing to be full time maintainer so commit right is not > necessery but would be nice to know where could I contribute to this > project (buzilla?, https://fedorahosted.org/bind-dyndb-ldap?). > > Best regards, > Zoran Pericic > > > -----BEGIN PGP SIGNATURE----- > Version: GnuPG v1.4.11 (GNU/Linux) > Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org/ > > iEYEARECAAYFAk0KZGgACgkQeiVVYja6o6NV9gCgsAg8y7W2WctmwHzgqhRmurbS > MYQAn0PoHNZmutTV6K7S4NkqSA1209eC > =qHRN > -----END PGP SIGNATURE----- -- Simo Sorce * Red Hat, Inc * New York From JR.Aquino at citrix.com Fri Dec 17 16:37:14 2010 From: JR.Aquino at citrix.com (JR Aquino) Date: Fri, 17 Dec 2010 16:37:14 +0000 Subject: [Freeipa-devel] [PATCH] SUDO plugin support for IpaSudoOptions, external hosts, and external users In-Reply-To: Message-ID: Here is the final patch for sudorule external host and user support. This patch also adds support for adding/removing IpaSudoOpt values. (We some how missed this till the last hour) This addresses item #6 in ticket 570: (https://fedorahosted.org/freeipa/ticket/570) (This ticket is remarked as critical and has a note: This blocks https://fedorahosted.org/freeipa/ticket/534.) I have included modifications to the sudoplugin.py xmlrpc test to simplify review. Please review and push. On 12/15/10 11:28 AM, "JR Aquino" wrote: >Attached is the patch to provide cli support for external hosts and users. > >This is accomplished similarly to the netgroup plugin. > >If the plugin is input with a hostname/user that does not exist in the >directory, the plugin will then assume that the User had intended for >these objects to be inserted as 'external' entities. It accomplishes >this in a post_callback. > >Just like the netgroup plugin, this introduces a possible caveat where >someone could mistype a user/host and have it inserted as an external >entry, but the CLI attempts to reflect this in its output clearly stating >that an External User or External Host has been added. > >Please review. > >Here is a sample sudorule containing external entries: >*Contained herein are, externaluser, externalhost, as well as sudorunas >and sudorunasgroup* > >dn: >ipaUniqueID=8a9103b8-06cc-11e0-b481-8a3d259cb0b9,cn=sudorules,dc=example,d >c=com >objectClass: ipaassociation >objectClass: ipasudorule >ipaEnabledFlag: TRUE >cn: tester >ipaUniqueID: 8a9103b8-06cc-11e0-b481-8a3d259cb0b9 >ipaSudoRunAs: uid=admin,cn=users,cn=accounts,dc=example,dc=com >ipaSudoRunAsGroup: cn=admins,cn=groups,cn=accounts,dc=example,dc=com >externalUser: testuser >externalHost: host1.example.com > >_______________________________________________ >Freeipa-devel mailing list >Freeipa-devel at redhat.com >https://www.redhat.com/mailman/listinfo/freeipa-devel -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-jraquino-0009-2-SUDO-plugin-support-for-external-hosts-and-users.patch Type: application/octet-stream Size: 14863 bytes Desc: freeipa-jraquino-0009-2-SUDO-plugin-support-for-external-hosts-and-users.patch URL: From zpericic at inet.hr Fri Dec 17 16:47:39 2010 From: zpericic at inet.hr (Zoran Pericic) Date: Fri, 17 Dec 2010 17:47:39 +0100 Subject: [Freeipa-devel] [PATCH] bynd-dyndb-ldap: Fix keytab checking In-Reply-To: <20101216140659.1d2fc027@willson.li.ssimo.org> References: <4D0A5CEA.1000801@inet.hr> <20101216140659.1d2fc027@willson.li.ssimo.org> Message-ID: <4D0B942B.1040908@inet.hr> On 12/16/2010 08:06 PM, Simo Sorce wrote: > Obvious ACK, > I will put the change in myself unless you can send me a git formatted > patch I can git am into my tree. Thunerbird converted tabs to spaces. I hope this is ok. Best regards, Zoran Pericic diff --git a/src/krb5_helper.c b/src/krb5_helper.c index a52b412f10551dfb4079ef5add37d0ebe000d310..571f511c71a4a0d547e0e74f5b5109a0bd5498b1 100644 --- a/src/krb5_helper.c +++ b/src/krb5_helper.c @@ -111,7 +111,7 @@ get_krb5_tgt(isc_mem_t *mctx, const char *principal, const char *keyfile) DEFAULT_KEYTAB); keyfile = DEFAULT_KEYTAB; } else { - if (strcmp(keyfile, "FILE:") != 0) { + if (strncmp(keyfile, "FILE:", 5) != 0) { log_error("Unknown keytab file name format, " "missing leading 'FILE:' prefix"); return ISC_R_FAILURE; From ayoung at redhat.com Fri Dec 17 17:03:53 2010 From: ayoung at redhat.com (Adam Young) Date: Fri, 17 Dec 2010 12:03:53 -0500 Subject: [Freeipa-devel] [PATCH] admiyo-0118-aci-ui Message-ID: <4D0B97F9.8050505@redhat.com> -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-admiyo-0118-aci-ui.patch Type: text/x-patch Size: 188030 bytes Desc: not available URL: From sgallagh at redhat.com Fri Dec 17 17:06:50 2010 From: sgallagh at redhat.com (Stephen Gallagher) Date: Fri, 17 Dec 2010 12:06:50 -0500 Subject: [Freeipa-devel] [PATCH] bynd-dyndb-ldap: Fix keytab checking In-Reply-To: <4D0B942B.1040908@inet.hr> References: <4D0A5CEA.1000801@inet.hr> <20101216140659.1d2fc027@willson.li.ssimo.org> <4D0B942B.1040908@inet.hr> Message-ID: <4D0B98AA.5010508@redhat.com> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 On 12/17/2010 11:47 AM, Zoran Pericic wrote: > On 12/16/2010 08:06 PM, Simo Sorce wrote: > >> Obvious ACK, >> I will put the change in myself unless you can send me a git formatted >> patch I can git am into my tree. > > Thunerbird converted tabs to spaces. I hope this is ok. > Zoran, it is generally preferred to create the patch with the command: git format-patch -M -C --patience --full-index -1 Then attach the file to the email, rather than copying it in. If you have more than one patch in your tree that you want to send, change "-1" to "-2", "-3", etc. - -- Stephen Gallagher RHCE 804006346421761 Delivering value year after year. Red Hat ranks #1 in value among software vendors. http://www.redhat.com/promo/vendor/ -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.11 (GNU/Linux) Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org/ iEYEARECAAYFAk0LmKoACgkQeiVVYja6o6MOdQCgrNMqGqpd57oX6dY75SU50Oqw TakAoK+Ez7RNR/piaP1eutba2dRU8cYn =+K+j -----END PGP SIGNATURE----- From zpericic at inet.hr Fri Dec 17 17:15:22 2010 From: zpericic at inet.hr (Zoran Pericic) Date: Fri, 17 Dec 2010 18:15:22 +0100 Subject: [Freeipa-devel] [PATCH] bynd-dyndb-ldap: Add separate keytab principal option In-Reply-To: <20101216142547.26cd39c0@willson.li.ssimo.org> References: <4D0A5ECD.5050409@inet.hr> <20101216142547.26cd39c0@willson.li.ssimo.org> Message-ID: <4D0B9AAA.4040805@inet.hr> On 12/16/2010 08:25 PM, Simo Sorce wrote: >> + (str_casecmp_char(ldap_inst->sasl_mech, "GSSAPI") == 0)) { >> + if((ldap_inst->krb5_principal == NULL)&& >> + (str_len(ldap_inst->krb5_principal) == 0)) { >> + if((ldap_inst->sasl_user == NULL)&& >> + (str_len(ldap_inst->sasl_user) == 0)) { > the above 2 statements seem wrong to me, the original one had: > if ((cond 1) || (cond 2)) { > while you changed it into: > if ((cond 1)&& (cond 2)) { > This fails to do the check that is intended. You are right. This is bug. >> + char hostname[255]; >> + if(gethostname(hostname, 255) != 0) { >> + log_error("SASL mech GSSAPI defined but >> krb5_principal and sasl_user are empty. Could not get hostname"); >> + result = ISC_R_FAILURE; >> + goto cleanup; >> + } else { >> + str_sprintf(ldap_inst->krb5_principal, "dns/%s", >> hostname); > This should probably be "DNS/%s", Kerberos is generally case sensitive > and t5he default for bind is to use the service name part in all caps. ACK. Best regards, Zoran Pericic --- diff --git a/src/ldap_helper.c b/src/ldap_helper.c index 5eed8afba7a275a6ebb3a28c707639516ba9af41..d767571daa8e747833d598876541996280544916 100644 --- a/src/ldap_helper.c +++ b/src/ldap_helper.c @@ -128,6 +128,7 @@ struct ldap_instance { ldap_auth_t auth_method; ld_string_t *bind_dn; ld_string_t *password; + ld_string_t *krb5_principal; ld_string_t *sasl_mech; ld_string_t *sasl_user; ld_string_t *sasl_auth_name; @@ -293,6 +294,7 @@ new_ldap_instance(isc_mem_t *mctx, const char *db_name, { "auth_method", default_string("none") }, { "bind_dn", default_string("") }, { "password", default_string("") }, + { "krb5_principal", default_string("") }, { "sasl_mech", default_string("GSSAPI") }, { "sasl_user", default_string("") }, { "sasl_auth_name", default_string("") }, @@ -330,6 +332,7 @@ new_ldap_instance(isc_mem_t *mctx, const char *db_name, CHECK(str_new(mctx,&ldap_inst->base)); CHECK(str_new(mctx,&ldap_inst->bind_dn)); CHECK(str_new(mctx,&ldap_inst->password)); + CHECK(str_new(mctx,&ldap_inst->krb5_principal)); CHECK(str_new(mctx,&ldap_inst->sasl_mech)); CHECK(str_new(mctx,&ldap_inst->sasl_user)); CHECK(str_new(mctx,&ldap_inst->sasl_auth_name)); @@ -346,6 +349,7 @@ new_ldap_instance(isc_mem_t *mctx, const char *db_name, ldap_settings[i++].target = auth_method_str; ldap_settings[i++].target = ldap_inst->bind_dn; ldap_settings[i++].target = ldap_inst->password; + ldap_settings[i++].target = ldap_inst->krb5_principal; ldap_settings[i++].target = ldap_inst->sasl_mech; ldap_settings[i++].target = ldap_inst->sasl_user; ldap_settings[i++].target = ldap_inst->sasl_auth_name; @@ -381,12 +385,26 @@ new_ldap_instance(isc_mem_t *mctx, const char *db_name, /* check we have the right data when SASL/GSSAPI is selected */ if ((ldap_inst->auth_method == AUTH_SASL)&& - (str_casecmp_char(ldap_inst->sasl_mech, "GSSAPI") == 0)) { - if ((ldap_inst->sasl_user == NULL) || - (str_len(ldap_inst->sasl_user) == 0)) { - log_error("Sasl mech GSSAPI defined but sasl_user is empty"); - result = ISC_R_FAILURE; - goto cleanup; + (str_casecmp_char(ldap_inst->sasl_mech, "GSSAPI") == 0)) { + if ((ldap_inst->krb5_principal == NULL) || + (str_len(ldap_inst->krb5_principal) == 0)) { + if ((ldap_inst->sasl_user == NULL) || + (str_len(ldap_inst->sasl_user) == 0)) { + char hostname[255]; + if (gethostname(hostname, 255) != 0) { + log_error("SASL mech GSSAPI defined but krb5_principal" + "and sasl_user are empty. Could not get hostname"); + result = ISC_R_FAILURE; + goto cleanup; + } else { + str_sprintf(ldap_inst->krb5_principal, "DNS/%s", hostname); + log_debug(2, "SASL mech GSSAPI defined but krb5_principal" + "and sasl_user are empty, using default %s", + str_buf(ldap_inst->krb5_principal)); + } + } else { + str_copy(ldap_inst->krb5_principal, ldap_inst->sasl_user); + } } } @@ -447,6 +465,7 @@ destroy_ldap_instance(ldap_instance_t **ldap_instp) str_destroy(&ldap_inst->base); str_destroy(&ldap_inst->bind_dn); str_destroy(&ldap_inst->password); + str_destroy(&ldap_inst->krb5_principal); str_destroy(&ldap_inst->sasl_mech); str_destroy(&ldap_inst->sasl_user); str_destroy(&ldap_inst->sasl_auth_name); @@ -1618,7 +1637,7 @@ ldap_reconnect(ldap_connection_t *ldap_conn) isc_result_t result; LOCK(&ldap_inst->kinit_lock); result = get_krb5_tgt(ldap_inst->mctx, - str_buf(ldap_inst->sasl_user), + str_buf(ldap_inst->krb5_principal), str_buf(ldap_inst->krb5_keytab)); UNLOCK(&ldap_inst->kinit_lock); if (result != ISC_R_SUCCESS) From jhrozek at redhat.com Fri Dec 17 17:20:18 2010 From: jhrozek at redhat.com (Jakub Hrozek) Date: Fri, 17 Dec 2010 18:20:18 +0100 Subject: [Freeipa-devel] [PATCH] 646 move updates to bootstrap In-Reply-To: <4D06651E.6000707@redhat.com> References: <4D06651E.6000707@redhat.com> Message-ID: <4D0B9BD2.4070501@redhat.com> On 12/13/2010 07:25 PM, Rob Crittenden wrote: > Move a bunch of objects created by the updater into the bootstrap ldif. > It is cleaner to do it this way (and probably a bit faster too). > > rob > Ack. with the patch applied on top of origin/master, the tree builds, installs and the entries are added (I tested a couple, not all of them). From zpericic at inet.hr Fri Dec 17 17:40:05 2010 From: zpericic at inet.hr (Zoran Pericic) Date: Fri, 17 Dec 2010 18:40:05 +0100 Subject: [Freeipa-devel] [PATCH] bynd-dyndb-ldap: Fix keytab checking In-Reply-To: <4D0B98AA.5010508@redhat.com> References: <4D0A5CEA.1000801@inet.hr> <20101216140659.1d2fc027@willson.li.ssimo.org> <4D0B942B.1040908@inet.hr> <4D0B98AA.5010508@redhat.com> Message-ID: <4D0BA075.4020602@inet.hr> On 12/17/2010 06:06 PM, Stephen Gallagher wrote: > Zoran, it is generally preferred to create the patch with the command: > git format-patch -M -C --patience --full-index -1 > > Then attach the file to the email, rather than copying it in. If you > have more than one patch in your tree that you want to send, change "-1" > to "-2", "-3", etc. > Thanks. Will look at git documentation. Best regard, Zoran Pericic From grajaiya at redhat.com Fri Dec 17 19:43:08 2010 From: grajaiya at redhat.com (Gowrishankar Rajaiyan) Date: Sat, 18 Dec 2010 01:13:08 +0530 Subject: [Freeipa-devel] [PATCH] Fixed typos in man page of ipa-getkeytab. Message-ID: <4D0BBD4C.5070504@redhat.com> Hi All, Fixed typos in the man page of ipa-getkeytab and corrected my name in Contributors.txt. Regards /Shanks -------------- next part -------------- An embedded and charset-unspecified text was scrubbed... Name: 0001-Fixing-typos-in-man-page-of-ipa-getkeytab.patch URL: -------------- next part -------------- An embedded and charset-unspecified text was scrubbed... Name: 0002-Correcting-my-name-in-Contributors-file.patch URL: From rcritten at redhat.com Fri Dec 17 20:39:48 2010 From: rcritten at redhat.com (Rob Crittenden) Date: Fri, 17 Dec 2010 15:39:48 -0500 Subject: [Freeipa-devel] [PATCH] 649 fix a couple of broken permissions Message-ID: <4D0BCA94.7010805@redhat.com> The change_password permission was too broad, limit it to users. The DNS access controls rolled everything into a single ACI. I broke it out into separate ACIs for add, delete and add. I also added a new dns type for the permission plugin. ticket 628 rob -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-rcrit-650-aci.patch Type: text/x-patch Size: 7033 bytes Desc: not available URL: From rcritten at redhat.com Fri Dec 17 20:40:27 2010 From: rcritten at redhat.com (Rob Crittenden) Date: Fri, 17 Dec 2010 15:40:27 -0500 Subject: [Freeipa-devel] [PATCH] 651 handle errors better Message-ID: <4D0BCABB.5040602@redhat.com> We create the aci with the --test flag to test its validity but it doesn't do the same level of tests that actually adding an aci to LDAP does. Catch any syntax errors that get thrown and clean up as best we can. ticket 621 rob -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-rcrit-651-permission.patch Type: text/x-patch Size: 2448 bytes Desc: not available URL: From rcritten at redhat.com Fri Dec 17 21:37:13 2010 From: rcritten at redhat.com (Rob Crittenden) Date: Fri, 17 Dec 2010 16:37:13 -0500 Subject: [Freeipa-devel] [PATCH] 652 fix doctests Message-ID: <4D0BD809.5000603@redhat.com> A couple of the doctests were failing because of minor bad formatting. rob -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-rcrit-652-doctest.patch Type: text/x-patch Size: 2635 bytes Desc: not available URL: From ayoung at redhat.com Fri Dec 17 21:43:05 2010 From: ayoung at redhat.com (Adam Young) Date: Fri, 17 Dec 2010 16:43:05 -0500 Subject: [Freeipa-devel] A handful of one liners Message-ID: <4D0BD969.6060002@redhat.com> Saw three things that I fixed with one line patches: 1. When browsing page unauthorized.html from firefox4, It showed a blank screen, but with what looked like valid source. turns out, the title open tag was closed with an h2, which didn't match. Rendered fine on firefox3, but not on 4. 2. The link for kerberos time out was the generic "hoiw to configure the browser" page as opposed to the file unauthorized.html which actually performs the configuration. 3. The text for the kinit timeout message read 'run KInit' but the command is kinit. Fixed the capitalization. From ayoung at redhat.com Fri Dec 17 21:53:00 2010 From: ayoung at redhat.com (Adam Young) Date: Fri, 17 Dec 2010 16:53:00 -0500 Subject: [Freeipa-devel] A handful of one liners In-Reply-To: <4D0BD969.6060002@redhat.com> References: <4D0BD969.6060002@redhat.com> Message-ID: <4D0BDBBC.9010406@redhat.com> On 12/17/2010 04:43 PM, Adam Young wrote: > Saw three things that I fixed with one line patches: > > > 1. When browsing page unauthorized.html from firefox4, It showed a > blank screen, but with what looked like valid source. turns out, the > title open tag was closed with an h2, which didn't match. Rendered > fine on firefox3, but not on 4. > > 2. The link for kerberos time out was the generic "hoiw to configure > the browser" page as opposed to the file unauthorized.html which > actually performs the configuration. > > 3. The text for the kinit timeout message read 'run KInit' but the > command is kinit. Fixed the capitalization. > > _______________________________________________ > Freeipa-devel mailing list > Freeipa-devel at redhat.com > https://www.redhat.com/mailman/listinfo/freeipa-devel -------------- next part -------------- A non-text attachment was scrubbed... Name: 0001-type-prevented-rendering-on-firefox4.patch Type: text/x-patch Size: 665 bytes Desc: not available URL: -------------- next part -------------- A non-text attachment was scrubbed... Name: 0002-error-link.patch Type: text/x-patch Size: 1169 bytes Desc: not available URL: -------------- next part -------------- A non-text attachment was scrubbed... Name: 0003-kinit-typo.patch Type: text/x-patch Size: 1041 bytes Desc: not available URL: From ssorce at redhat.com Fri Dec 17 21:50:45 2010 From: ssorce at redhat.com (Simo Sorce) Date: Fri, 17 Dec 2010 16:50:45 -0500 Subject: [Freeipa-devel] [PATCH] 623 quote passwords, don't log 'em In-Reply-To: <4CF57CFD.6030904@redhat.com> References: <4CF57CFD.6030904@redhat.com> Message-ID: <20101217165045.01272184@willson.li.ssimo.org> On Tue, 30 Nov 2010 17:38:53 -0500 Rob Crittenden wrote: > Properly quote passwords sent to pkisilent so special characters work. > > Also check for url-encoded passwords before logging them. > > ticket 324 ACK and pushed to master. Simo. -- Simo Sorce * Red Hat, Inc * New York From ssorce at redhat.com Fri Dec 17 21:53:46 2010 From: ssorce at redhat.com (Simo Sorce) Date: Fri, 17 Dec 2010 16:53:46 -0500 Subject: [Freeipa-devel] [PATCH] 628 use KDC schema file In-Reply-To: <20101209191943.GE28006@redhat.com> References: <4CF9663A.9090609@redhat.com> <20101203222159.GB25845@redhat.com> <4CFD12B8.1050802@redhat.com> <20101209191943.GE28006@redhat.com> Message-ID: <20101217165346.41bfea47@willson.li.ssimo.org> On Thu, 9 Dec 2010 14:19:43 -0500 Nalin Dahyabhai wrote: > On Mon, Dec 06, 2010 at 11:43:36AM -0500, Rob Crittenden wrote: > > What if we do both? Use the one provided by the KDC if it exists > > otherwise fall back to our own? > > Then you're basically depending on me getting the generated LDIF right > every time. I haven't previously done much validation of the result, > and it turns out that I missed a couple of syntax problems during the > initial import for Fedora's branch for 1.9. > > If we can spot any problems in that LDIF quickly enough when the krb5 > package gets updated, then we'll probably be fine, otherwise I'd be > worried about unintentionally breaking IPA. > > Up to you, I guess. This patch has been dropped. Simo. -- Simo Sorce * Red Hat, Inc * New York From ssorce at redhat.com Fri Dec 17 21:59:24 2010 From: ssorce at redhat.com (Simo Sorce) Date: Fri, 17 Dec 2010 16:59:24 -0500 Subject: [Freeipa-devel] [PATCH] 631 Add IA5String type In-Reply-To: <201012071642.08965.jzeleny@redhat.com> References: <4CFD4390.2070603@redhat.com> <201012071339.53533.jzeleny@redhat.com> <4CFE5414.7010104@redhat.com> <201012071642.08965.jzeleny@redhat.com> Message-ID: <20101217165924.3b9c331d@willson.li.ssimo.org> On Tue, 7 Dec 2010 16:42:08 +0100 Jan Zelen? wrote: > Rob Crittenden wrote: > > Jan Zelen? wrote: > > > Rob Crittenden wrote: > > >> Some attributes we use are IA5Strings which have a very limited > > >> character set. Add a parameter type for that so we can catch the > > >> bad type up front and give a more reasonable error message than > > >> "syntax error". > > >> > > >> ticket 496 > > >> > > >> rob > > > > > > I noticed that you only switched ipaHomesRootDir attribute to > > > IA5String type. Are there no other candidates for this? Other > > > thing which I don't fully understand is changing > > > ipausersearchfields, ipagroupsearchfields, automountinformation > > > and automountkey to IA5String. Other than that the patch is ok. > > > > > > Jan > > > > No, I did switch the others, exactly the ones you mention. > > > > rob > > Oh, sorry for that, I was just expecting them to be changed in some > LDIF file, like ipaHomesRootDir. ACK. This patch has been pushed a while back. Simo. -- Simo Sorce * Red Hat, Inc * New York From rcritten at redhat.com Fri Dec 17 22:03:06 2010 From: rcritten at redhat.com (Rob Crittenden) Date: Fri, 17 Dec 2010 17:03:06 -0500 Subject: [Freeipa-devel] [PATCH] 653 don't use camel-case, drop an aci Message-ID: <4D0BDE1A.3060705@redhat.com> Don't use camel-case LDAP attributes in ACI and don't clear enrolledBy We keep LDAP attributes lower-case elsewhere in the API we should do the same with all access controls. There were two ACIs pointing at the manage_host_keytab permission. This isn't allowed in general and we have decided separately to not clear out enrolledBy when a host is unenrolled so dropping it is the obvious thing to do. ticket 597 rob -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-rcrit-653-aci.patch Type: text/x-patch Size: 24549 bytes Desc: not available URL: From ssorce at redhat.com Fri Dec 17 22:05:38 2010 From: ssorce at redhat.com (Simo Sorce) Date: Fri, 17 Dec 2010 17:05:38 -0500 Subject: [Freeipa-devel] [PATCH] 639 Fix a slew of tests. In-Reply-To: <4D01354C.6000008@redhat.com> References: <4D01354C.6000008@redhat.com> Message-ID: <20101217170538.064d4b98@willson.li.ssimo.org> On Thu, 09 Dec 2010 15:00:12 -0500 Rob Crittenden wrote: > - Skip the DNS tests if DNS isn't configured > - Add new attributes to user entries (displayname, cn and initials) > - Make the nsaccountlock value consistent > - Fix the cert subject for cert tests > > All but 2 tests pass for me now, both related to renaming objects. > There is already a ticket for that. > > This relies on the objectclass fix in patch 636. ACK, and pushed to master. Simo. -- Simo Sorce * Red Hat, Inc * New York From ssorce at redhat.com Fri Dec 17 22:08:36 2010 From: ssorce at redhat.com (Simo Sorce) Date: Fri, 17 Dec 2010 17:08:36 -0500 Subject: [Freeipa-devel] [PATCH] 645 remove principal as an option when updating a user In-Reply-To: <4D03D02D.4070904@redhat.com> References: <4D03157B.6070908@redhat.com> <4D03D02D.4070904@redhat.com> Message-ID: <20101217170836.7f120da0@willson.li.ssimo.org> On Sat, 11 Dec 2010 14:25:33 -0500 Adam Young wrote: > On 12/11/2010 01:08 AM, Rob Crittenden wrote: > > We don't want people willy-nilly changing principal names. The > > proper way to do this is to rename the user entry, so remove the > > option. > > > > rob > ACK Pushed to master Simo. -- Simo Sorce * Red Hat, Inc * New York From ayoung at redhat.com Fri Dec 17 22:18:14 2010 From: ayoung at redhat.com (Adam Young) Date: Fri, 17 Dec 2010 17:18:14 -0500 Subject: [Freeipa-devel] [PATCH] 649 fix a couple of broken permissions In-Reply-To: <4D0BCA94.7010805@redhat.com> References: <4D0BCA94.7010805@redhat.com> Message-ID: <4D0BE1A6.5090005@redhat.com> On 12/17/2010 03:39 PM, Rob Crittenden wrote: > The change_password permission was too broad, limit it to users. > > The DNS access controls rolled everything into a single ACI. I broke > it out into separate ACIs for add, delete and add. I also added a new > dns type for the permission plugin. > > ticket 628 > > rob > > > _______________________________________________ > Freeipa-devel mailing list > Freeipa-devel at redhat.com > https://www.redhat.com/mailman/listinfo/freeipa-devel ACK. pushed to master -------------- next part -------------- An HTML attachment was scrubbed... URL: From ssorce at redhat.com Fri Dec 17 22:41:11 2010 From: ssorce at redhat.com (Simo Sorce) Date: Fri, 17 Dec 2010 17:41:11 -0500 Subject: [Freeipa-devel] [PATCH] 646 move updates to bootstrap In-Reply-To: <4D0B9BD2.4070501@redhat.com> References: <4D06651E.6000707@redhat.com> <4D0B9BD2.4070501@redhat.com> Message-ID: <20101217174111.79933677@willson.li.ssimo.org> On Fri, 17 Dec 2010 18:20:18 +0100 Jakub Hrozek wrote: > On 12/13/2010 07:25 PM, Rob Crittenden wrote: > > Move a bunch of objects created by the updater into the bootstrap > > ldif. It is cleaner to do it this way (and probably a bit faster > > too). > > > > rob > > > > Ack. > > with the patch applied on top of origin/master, the tree builds, > installs and the entries are added (I tested a couple, not all of > them). Pushed to master. Simo. -- Simo Sorce * Red Hat, Inc * New York From ssorce at redhat.com Fri Dec 17 22:41:34 2010 From: ssorce at redhat.com (Simo Sorce) Date: Fri, 17 Dec 2010 17:41:34 -0500 Subject: [Freeipa-devel] [PATCH] 647 check for 389-ds replication plugin In-Reply-To: <201012150936.41305.jzeleny@redhat.com> References: <4D06744B.2090102@redhat.com> <201012150936.41305.jzeleny@redhat.com> Message-ID: <20101217174134.5b8e1a46@willson.li.ssimo.org> On Wed, 15 Dec 2010 09:36:41 +0100 Jan Zelen? wrote: > Rob Crittenden wrote: > > Ensure that the replication plugin exists before creeating or > > installing a replica. > > > > ticket 502 > > > > rob > > ack, but I'm not a big fan of hardcoding the path of plugins in the > code. It may be good for Fedora/RHEL, but how about other > distributions? Do we have any policy about this kind of things? Have same feeling but it is good enough for now. Pushed to master. Simo. -- Simo Sorce * Red Hat, Inc * New York From ssorce at redhat.com Fri Dec 17 23:07:33 2010 From: ssorce at redhat.com (Simo Sorce) Date: Fri, 17 Dec 2010 18:07:33 -0500 Subject: [Freeipa-devel] [PATCH] 651 handle errors better In-Reply-To: <4D0BCABB.5040602@redhat.com> References: <4D0BCABB.5040602@redhat.com> Message-ID: <20101217180733.403a2a91@willson.li.ssimo.org> On Fri, 17 Dec 2010 15:40:27 -0500 Rob Crittenden wrote: > We create the aci with the --test flag to test its validity but it > doesn't do the same level of tests that actually adding an aci to > LDAP does. Catch any syntax errors that get thrown and clean up as > best we can. > > ticket 621 ACK, pushed to master. Simo. -- Simo Sorce * Red Hat, Inc * New York From ssorce at redhat.com Fri Dec 17 23:07:49 2010 From: ssorce at redhat.com (Simo Sorce) Date: Fri, 17 Dec 2010 18:07:49 -0500 Subject: [Freeipa-devel] [PATCH] 652 fix doctests In-Reply-To: <4D0BD809.5000603@redhat.com> References: <4D0BD809.5000603@redhat.com> Message-ID: <20101217180749.42d629df@willson.li.ssimo.org> On Fri, 17 Dec 2010 16:37:13 -0500 Rob Crittenden wrote: > A couple of the doctests were failing because of minor bad formatting. ACK and pushed to master. Simo. -- Simo Sorce * Red Hat, Inc * New York From ssorce at redhat.com Fri Dec 17 23:08:07 2010 From: ssorce at redhat.com (Simo Sorce) Date: Fri, 17 Dec 2010 18:08:07 -0500 Subject: [Freeipa-devel] [PATCH] 653 don't use camel-case, drop an aci In-Reply-To: <4D0BDE1A.3060705@redhat.com> References: <4D0BDE1A.3060705@redhat.com> Message-ID: <20101217180807.7f81cb52@willson.li.ssimo.org> On Fri, 17 Dec 2010 17:03:06 -0500 Rob Crittenden wrote: > Don't use camel-case LDAP attributes in ACI and don't clear enrolledBy > > We keep LDAP attributes lower-case elsewhere in the API we should do > the same with all access controls. > > There were two ACIs pointing at the manage_host_keytab permission. > This isn't allowed in general and we have decided separately to not > clear out enrolledBy when a host is unenrolled so dropping it is the > obvious thing to do. > > ticket 597 ack and pushed to master. simo. -- Simo Sorce * Red Hat, Inc * New York From dpal at redhat.com Sun Dec 19 21:17:25 2010 From: dpal at redhat.com (Dmitri Pal) Date: Sun, 19 Dec 2010 16:17:25 -0500 Subject: [Freeipa-devel] Migrating netgroups Message-ID: <4D0E7665.2010705@redhat.com> David, I put together a doc that outlines how administrators should look at the migration of netgroups from external source to IPA. I think it should be a chapter in the migration guide. -- Thank you, Dmitri Pal Sr. Engineering Manager IPA project, Red Hat Inc. ------------------------------- Looking to carve out IT costs? www.redhat.com/carveoutcosts/ -------------- next part -------------- A non-text attachment was scrubbed... Name: Netgroup migration.odt Type: application/vnd.oasis.opendocument.text Size: 17823 bytes Desc: not available URL: From davido at redhat.com Sun Dec 19 23:26:28 2010 From: davido at redhat.com (David O'Brien) Date: Mon, 20 Dec 2010 09:26:28 +1000 Subject: [Freeipa-devel] [PATCH] Fixed typos in man page of ipa-getkeytab. In-Reply-To: <4D0BBD4C.5070504@redhat.com> References: <4D0BBD4C.5070504@redhat.com> Message-ID: <4D0E94A4.7030207@redhat.com> Gowrishankar Rajaiyan wrote: > > Hi All, > > Fixed typos in the man page of ipa-getkeytab and corrected my name in > Contributors.txt. > > Regards > /Shanks > ACK -- David O'Brien Red Hat Asia Pacific Pty Ltd +61 7 3514 8189 "He who asks is a fool for five minutes, but he who does not ask remains a fool forever." ~ Chinese proverb From jzeleny at redhat.com Mon Dec 20 08:12:26 2010 From: jzeleny at redhat.com (Jan =?iso-8859-15?q?Zelen=FD?=) Date: Mon, 20 Dec 2010 09:12:26 +0100 Subject: [Freeipa-devel] [PATCH] 021 Make the IPA installer IPv6 friendly In-Reply-To: <4D0A44ED.7060501@redhat.com> References: <4D0747C2.4030007@redhat.com> <201012151055.52258.jzeleny@redhat.com> <4D0A44ED.7060501@redhat.com> Message-ID: <201012200912.26675.jzeleny@redhat.com> Jakub Hrozek wrote: > On 12/15/2010 10:55 AM, Jan Zelen? wrote: > > Jakub Hrozek wrote: > >> This is a first patch towards IPv6 support. Currently it only touches > >> the installer only as other changes will be fully testable only when > >> python-nss is IPv6 ready. > >> > >> Changes include: > >> * parse AAAA records in dnsclient > >> * also ask for AAAA records when verifying FQDN > >> * do not use functions that are not IPv6 aware - notably > >> > >> socket.gethostbyname(). The complete list of functions was taken > >> from http://www.akkadia.org/drepper/userapi-ipv6.html > >> section "Interface Checklist" > > > > Nack, the patch doesn't handle situations when host cannot be resolved. > > > > Jan > > Thanks, it didn't handle the case in ipa-replica-install, now it should > catch the exception and return None (and the caller would react upon > getting None for the IP address). > > In krbinstance.py it would still raise an exception, but I think that is > OK during instance creation (we surely don't want to print anything). > The user would see the error string, anyway.. ack Jan From jzeleny at redhat.com Mon Dec 20 08:26:10 2010 From: jzeleny at redhat.com (Jan =?iso-8859-15?q?Zelen=FD?=) Date: Mon, 20 Dec 2010 09:26:10 +0100 Subject: [Freeipa-devel] [PATCH] 025 Allow RDN changes from CLI In-Reply-To: <4D0A3CF4.4090608@redhat.com> References: <4D0A3CF4.4090608@redhat.com> Message-ID: <201012200926.11011.jzeleny@redhat.com> Jakub Hrozek wrote: > Adds a new parameter 'rename' to all objects with 'rdnattr' attribute. > This parameter is a clone of the rdnattr attribute, except for name and > docs, so normalizer, default_from and also the type are the same as the > original attribute. > > https://fedorahosted.org/freeipa/ticket/397 ack Jan From jhrozek at redhat.com Mon Dec 20 08:48:41 2010 From: jhrozek at redhat.com (Jakub Hrozek) Date: Mon, 20 Dec 2010 09:48:41 +0100 Subject: [Freeipa-devel] [PATCH] import NSPRError in host.py Message-ID: <4D0F1869.4020701@redhat.com> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 The host plugin references NSPRError on couple of places but never imports it. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.11 (GNU/Linux) Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org/ iEYEARECAAYFAk0PGGkACgkQHsardTLnvCW6rACg6LetC6RilUSTpvRWBs1CDFJd H40AoJC7KWGNIYMyHvh9Kmd8EGZ0ZUyH =2U5v -----END PGP SIGNATURE----- -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-jhrozek-026-import-NSPRError-in-host.py.patch Type: text/x-patch Size: 623 bytes Desc: not available URL: -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-jhrozek-026-import-NSPRError-in-host.py.patch.sig Type: application/pgp-signature Size: 72 bytes Desc: not available URL: From jzeleny at redhat.com Mon Dec 20 08:52:48 2010 From: jzeleny at redhat.com (Jan =?iso-8859-15?q?Zelen=FD?=) Date: Mon, 20 Dec 2010 09:52:48 +0100 Subject: [Freeipa-devel] [PATCH] import NSPRError in host.py In-Reply-To: <4D0F1869.4020701@redhat.com> References: <4D0F1869.4020701@redhat.com> Message-ID: <201012200952.48566.jzeleny@redhat.com> Jakub Hrozek wrote: > The host plugin references NSPRError on couple of places but never > imports it. Obviously ack Jan From jhrozek at redhat.com Mon Dec 20 10:12:31 2010 From: jhrozek at redhat.com (Jakub Hrozek) Date: Mon, 20 Dec 2010 11:12:31 +0100 Subject: [Freeipa-devel] [PATCH] Modified ipa help behavior In-Reply-To: <201012090954.57062.jzeleny@redhat.com> References: <201011080926.12248.jzeleny@redhat.com> <201012081637.39615.jzeleny@redhat.com> <201012090954.57062.jzeleny@redhat.com> Message-ID: <4D0F2C0F.1030500@redhat.com> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 On 12/09/2010 09:54 AM, Jan Zelen? wrote: > Jan Zelen? wrote: >> Jan Zelen? wrote: >>> Now each plugin can define its topic as a 2-tuple, where the first >>> item is the name of topic it belongs to and the second item is >>> a description of such topic. Topic descriptions must be the same >>> for all modules belonging to the topic. >>> >>> By using this topics, it is possible to group plugins as we see fit. >>> When asking for help for a particular topic, help for all modules >>> in given topic is written. >>> >>> ipa help - show all topics (until now it showed all plugins) >>> ipa help - show details to given topic >>> >>> https://fedorahosted.org/freeipa/ticket/410 >> >> So here it is: I'm sending couple patches which resolve the ticket and >> implement grouping the way we previously discussed. Please feel free to >> send me any recommendations if anything should be modified. > > Here's updated version of 0014 (changed type detection from type(var) is > type({}) to type(var) is dict) > > Jan The first patch in the series does not apply cleanly anymore, can you rebase? Also, ipa help gives me a traceback now: ipa: ERROR: UnboundLocalError: local variable 'mod_name' referenced before assignment Traceback (most recent call last): File "/usr/lib/python2.7/site-packages/ipalib/cli.py", line 1049, in run api.finalize() File "/usr/lib/python2.7/site-packages/ipalib/plugable.py", line 615, in finalize p.instance.finalize() File "/usr/lib/python2.7/site-packages/ipalib/cli.py", line 662, in finalize self._count_topic_mcl(topic_name, mod_name) UnboundLocalError: local variable 'mod_name' referenced before assignment ipa: ERROR: an internal error has occurred -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.11 (GNU/Linux) Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org/ iEYEARECAAYFAk0PLA8ACgkQHsardTLnvCWgIwCeIlMoGGZhbmr0t9aD19L4pBHP rf4AoNrX+TkHlSDfT0BmR3J1MEz7bU5+ =XzUE -----END PGP SIGNATURE----- From jhrozek at redhat.com Mon Dec 20 10:38:33 2010 From: jhrozek at redhat.com (Jakub Hrozek) Date: Mon, 20 Dec 2010 11:38:33 +0100 Subject: [Freeipa-devel] [PATCH] Added option --no-reverse to add-host In-Reply-To: <201012141905.44949.jzeleny@redhat.com> References: <201012141905.44949.jzeleny@redhat.com> Message-ID: <4D0F3229.4040104@redhat.com> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 On 12/14/2010 07:05 PM, Jan Zelen? wrote: > When adding a host with specific IP address, the operation would fail in > case we don't own the reverse DNS. This new option overrides the > check for reverse DNS zone and falls back to different IP address > existence check. > > https://fedorahosted.org/freeipa/ticket/417 > > I was considering deleting the reverse zone detection entirely and check the > IP address directly by querying for A records containing it, but I think this > way it is more efficient. > Ack -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.11 (GNU/Linux) Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org/ iEYEARECAAYFAk0PMikACgkQHsardTLnvCW8kACeIiYZGg1s32dXU0lvErxcpbro KRQAoNGHYok29j+xj6MeOiLqYJ2DnisA =YW3x -----END PGP SIGNATURE----- From jhrozek at redhat.com Mon Dec 20 12:15:24 2010 From: jhrozek at redhat.com (Jakub Hrozek) Date: Mon, 20 Dec 2010 13:15:24 +0100 Subject: [Freeipa-devel] [PATCH] Allow renaming of object that have a parent Message-ID: <4D0F48DC.2000506@redhat.com> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 When performing an RDN change, we would construct the new DN from the RDN attribute only. This doesn't work when the object needs has a parent. There's currently no testcase, I hit that when working on automount - so this patch will be testable with the automount patch and also a dependency for it. But I think the code is pretty clear.. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.11 (GNU/Linux) Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org/ iEYEARECAAYFAk0PSNwACgkQHsardTLnvCWVNwCg2R+eiK2KoM6GlIuSrsYJZKzw zOcAnihrRg63h72zzhCzjg4WjPeuguP/ =SNXO -----END PGP SIGNATURE----- -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-jhrozek-027-rename-with-parent.patch Type: text/x-patch Size: 1073 bytes Desc: not available URL: -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-jhrozek-027-rename-with-parent.patch.sig Type: application/pgp-signature Size: 72 bytes Desc: not available URL: From jhrozek at redhat.com Mon Dec 20 12:15:36 2010 From: jhrozek at redhat.com (Jakub Hrozek) Date: Mon, 20 Dec 2010 13:15:36 +0100 Subject: [Freeipa-devel] [PATCH] Make pkey always iterable when deleting Message-ID: <4D0F48E8.5030004@redhat.com> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 When deleting multiple objects, the code tries to enforce that the primary key is always iterable by doing: keys = keys[:-1] + (keys[-1], ) But this doesn't work, the line only concatenates two tuples effectively returning the original one. See the attached patch for a fix. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.11 (GNU/Linux) Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org/ iEYEARECAAYFAk0PSOgACgkQHsardTLnvCWaYwCgxLGN09ZAjApMevLaQqlSM0hZ NnIAoLFkL2o2eBbQhDyEEJ7URz9NkFvo =Z2cP -----END PGP SIGNATURE----- -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-jhrozek-028-pkey-iterable.patch Type: text/x-patch Size: 1354 bytes Desc: not available URL: -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-jhrozek-028-pkey-iterable.patch.sig Type: application/pgp-signature Size: 72 bytes Desc: not available URL: From jhrozek at redhat.com Mon Dec 20 13:49:12 2010 From: jhrozek at redhat.com (Jakub Hrozek) Date: Mon, 20 Dec 2010 14:49:12 +0100 Subject: [Freeipa-devel] [PATCH] 029 Enforce uniqueness on (key, info) pairs in automount keys Message-ID: <4D0F5ED8.5000403@redhat.com> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Attached is a patch that changes the uniqueness constraint of automount keys from (key) to (key,info) pairs. The patch is not really standard baseldap style. The reason is that during development, I found that baseldap is really dependent on having a single primary key and also during many operations accessing it as keys[-1]. Please note that the ipa automountkey-* commands used to have three args, now its two args and two required options (that compose the tuple that is primary key). I know next to nothing about UI, but I assume this has consequences as the JSON marshalled call needs to be different now. Can someone point me to the place in code that I need to fix now? Fixes: https://fedorahosted.org/freeipa/ticket/293 -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.11 (GNU/Linux) Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org/ iEYEARECAAYFAk0PXtgACgkQHsardTLnvCUSkACfS010sMTUgl2Oi7x2eKvL9cVV DtUAoNuqMZFwV9MypFvJ4Oe8VTBVVqx0 =ChvW -----END PGP SIGNATURE----- -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-jhrozek-029-automount-keys-uniqueness.patch Type: text/x-patch Size: 19001 bytes Desc: not available URL: -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-jhrozek-029-automount-keys-uniqueness.patch.sig Type: application/pgp-signature Size: 72 bytes Desc: not available URL: From jzeleny at redhat.com Mon Dec 20 14:00:52 2010 From: jzeleny at redhat.com (Jan =?iso-8859-15?q?Zelen=FD?=) Date: Mon, 20 Dec 2010 15:00:52 +0100 Subject: [Freeipa-devel] [PATCH] Allow renaming of object that have a parent In-Reply-To: <4D0F48DC.2000506@redhat.com> References: <4D0F48DC.2000506@redhat.com> Message-ID: <201012201500.52649.jzeleny@redhat.com> Jakub Hrozek wrote: > When performing an RDN change, we would construct the new DN from the > RDN attribute only. This doesn't work when the object needs has a parent. > > There's currently no testcase, I hit that when working on automount - so > this patch will be testable with the automount patch and also a > dependency for it. But I think the code is pretty clear.. ack Jan From jzeleny at redhat.com Mon Dec 20 14:07:49 2010 From: jzeleny at redhat.com (Jan =?iso-8859-15?q?Zelen=FD?=) Date: Mon, 20 Dec 2010 15:07:49 +0100 Subject: [Freeipa-devel] [PATCH] Make pkey always iterable when deleting In-Reply-To: <4D0F48E8.5030004@redhat.com> References: <4D0F48E8.5030004@redhat.com> Message-ID: <201012201507.49718.jzeleny@redhat.com> Jakub Hrozek wrote: > When deleting multiple objects, the code tries to enforce that the > primary key is always iterable by doing: > > keys = keys[:-1] + (keys[-1], ) > > But this doesn't work, the line only concatenates two tuples effectively > returning the original one. See the attached patch for a fix. nack: you have the condition in chunk #2 wrong - pkeyiter will be never None Jan From jhrozek at redhat.com Mon Dec 20 14:28:39 2010 From: jhrozek at redhat.com (Jakub Hrozek) Date: Mon, 20 Dec 2010 15:28:39 +0100 Subject: [Freeipa-devel] [PATCH] Make pkey always iterable when deleting In-Reply-To: <201012201507.49718.jzeleny@redhat.com> References: <4D0F48E8.5030004@redhat.com> <201012201507.49718.jzeleny@redhat.com> Message-ID: <4D0F6817.3030101@redhat.com> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 On 12/20/2010 03:07 PM, Jan Zelen? wrote: > Jakub Hrozek wrote: >> When deleting multiple objects, the code tries to enforce that the >> primary key is always iterable by doing: >> >> keys = keys[:-1] + (keys[-1], ) >> >> But this doesn't work, the line only concatenates two tuples effectively >> returning the original one. See the attached patch for a fix. > > nack: you have the condition in chunk #2 wrong - pkeyiter will be never None > > Jan > Thanks, attached is a new patch. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.11 (GNU/Linux) Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org/ iEYEARECAAYFAk0PaBYACgkQHsardTLnvCVszQCeJLpRnhTlTE4sfXEsOGYHxTuM XNMAoOPT5ha6jlNRFlcg86GLAcElsRI8 =P15o -----END PGP SIGNATURE----- -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-jhrozek-028-02-pkey-iterable.patch Type: text/x-patch Size: 1357 bytes Desc: not available URL: -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-jhrozek-028-02-pkey-iterable.patch.sig Type: application/pgp-signature Size: 72 bytes Desc: not available URL: From jhrozek at redhat.com Mon Dec 20 14:33:45 2010 From: jhrozek at redhat.com (Jakub Hrozek) Date: Mon, 20 Dec 2010 15:33:45 +0100 Subject: [Freeipa-devel] [PATCH] 029 Enforce uniqueness on (key, info) pairs in automount keys In-Reply-To: <4D0F5ED8.5000403@redhat.com> References: <4D0F5ED8.5000403@redhat.com> Message-ID: <4D0F6949.4020504@redhat.com> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 On 12/20/2010 02:49 PM, Jakub Hrozek wrote: > Attached is a patch that changes the uniqueness constraint of automount > keys from (key) to (key,info) pairs. The patch is not really standard > baseldap style. The reason is that during development, I found that > baseldap is really dependent on having a single primary key and also > during many operations accessing it as keys[-1]. > > Please note that the ipa automountkey-* commands used to have three > args, now its two args and two required options (that compose the tuple > that is primary key). I know next to nothing about UI, but I assume this > has consequences as the JSON marshalled call needs to be different now. > Can someone point me to the place in code that I need to fix now? > > Fixes: > https://fedorahosted.org/freeipa/ticket/293 Sorry, I left some debugging statements in. Attached is a new patch. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.11 (GNU/Linux) Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org/ iEYEARECAAYFAk0PaUkACgkQHsardTLnvCXYsgCePRyuu2yz6yQ+Pw1dhf3P61eW VFUAoL9RDDDOSolHA0dg35lSwitp/mNE =tsL7 -----END PGP SIGNATURE----- -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-jhrozek-029-02-automount-keys-uniqueness.patch Type: text/x-patch Size: 18893 bytes Desc: not available URL: -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-jhrozek-029-02-automount-keys-uniqueness.patch.sig Type: application/pgp-signature Size: 72 bytes Desc: not available URL: From jzeleny at redhat.com Mon Dec 20 14:46:27 2010 From: jzeleny at redhat.com (Jan =?iso-8859-15?q?Zelen=FD?=) Date: Mon, 20 Dec 2010 15:46:27 +0100 Subject: [Freeipa-devel] [PATCH] Make pkey always iterable when deleting In-Reply-To: <4D0F6817.3030101@redhat.com> References: <4D0F48E8.5030004@redhat.com> <201012201507.49718.jzeleny@redhat.com> <4D0F6817.3030101@redhat.com> Message-ID: <201012201546.27204.jzeleny@redhat.com> Jakub Hrozek wrote: > On 12/20/2010 03:07 PM, Jan Zelen? wrote: > > Jakub Hrozek wrote: > >> When deleting multiple objects, the code tries to enforce that the > >> primary key is always iterable by doing: > >> > >> keys = keys[:-1] + (keys[-1], ) > >> > >> But this doesn't work, the line only concatenates two tuples effectively > >> returning the original one. See the attached patch for a fix. > > > > nack: you have the condition in chunk #2 wrong - pkeyiter will be never > > None > > > > Jan > > Thanks, attached is a new patch. ack Jan From jzeleny at redhat.com Mon Dec 20 14:48:28 2010 From: jzeleny at redhat.com (Jan =?iso-8859-15?q?Zelen=FD?=) Date: Mon, 20 Dec 2010 15:48:28 +0100 Subject: [Freeipa-devel] [PATCH] Modified ipa help behavior In-Reply-To: <4D0F2C0F.1030500@redhat.com> References: <201011080926.12248.jzeleny@redhat.com> <201012090954.57062.jzeleny@redhat.com> <4D0F2C0F.1030500@redhat.com> Message-ID: <201012201548.28171.jzeleny@redhat.com> Jakub Hrozek wrote: > On 12/09/2010 09:54 AM, Jan Zelen? wrote: > > Jan Zelen? wrote: > >> Jan Zelen? wrote: > >>> Now each plugin can define its topic as a 2-tuple, where the first > >>> item is the name of topic it belongs to and the second item is > >>> a description of such topic. Topic descriptions must be the same > >>> for all modules belonging to the topic. > >>> > >>> By using this topics, it is possible to group plugins as we see fit. > >>> When asking for help for a particular topic, help for all modules > >>> in given topic is written. > >>> > >>> ipa help - show all topics (until now it showed all plugins) > >>> ipa help - show details to given topic > >>> > >>> https://fedorahosted.org/freeipa/ticket/410 > >> > >> So here it is: I'm sending couple patches which resolve the ticket and > >> implement grouping the way we previously discussed. Please feel free to > >> send me any recommendations if anything should be modified. > > > > Here's updated version of 0014 (changed type detection from type(var) is > > type({}) to type(var) is dict) > > > > Jan > > The first patch in the series does not apply cleanly anymore, can you > rebase? > > Also, ipa help gives me a traceback now: Both patches are in the attachment Jan -------------- next part -------------- A non-text attachment was scrubbed... Name: jzeleny-freeipa-0014-03-Changed-concept-of-ipa-help.patch Type: text/x-patch Size: 8424 bytes Desc: not available URL: -------------- next part -------------- A non-text attachment was scrubbed... Name: jzeleny-freeipa-0013-02-Rename-hbac-module-to-hbacrule.patch Type: text/x-patch Size: 8821 bytes Desc: not available URL: From jhrozek at redhat.com Mon Dec 20 14:52:36 2010 From: jhrozek at redhat.com (Jakub Hrozek) Date: Mon, 20 Dec 2010 15:52:36 +0100 Subject: [Freeipa-devel] [PATCH] 030 Fix delegation.ldif Message-ID: <4D0F6DB4.30207@redhat.com> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 There was a typo in the delagation LDIF file that caused the LDIF to fail to load during installation. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.11 (GNU/Linux) Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org/ iEYEARECAAYFAk0PbbQACgkQHsardTLnvCXGpgCg5dHyih4G+btRmMdc9OU84Q8p qjQAoNwwGuatbAP7vNkIzOYFch+CSbMQ =iQII -----END PGP SIGNATURE----- -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-jhrozek-030-delegation-typo.patch Type: text/x-patch Size: 1289 bytes Desc: not available URL: -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-jhrozek-030-delegation-typo.patch.sig Type: application/pgp-signature Size: 72 bytes Desc: not available URL: From jzeleny at redhat.com Mon Dec 20 15:16:15 2010 From: jzeleny at redhat.com (Jan =?iso-8859-15?q?Zelen=FD?=) Date: Mon, 20 Dec 2010 16:16:15 +0100 Subject: [Freeipa-devel] [PATCH] Modified ipa help behavior In-Reply-To: <201012201548.28171.jzeleny@redhat.com> References: <201011080926.12248.jzeleny@redhat.com> <4D0F2C0F.1030500@redhat.com> <201012201548.28171.jzeleny@redhat.com> Message-ID: <201012201616.15519.jzeleny@redhat.com> Jan Zelen? wrote: > Jakub Hrozek wrote: > > On 12/09/2010 09:54 AM, Jan Zelen? wrote: > > > Jan Zelen? wrote: > > >> Jan Zelen? wrote: > > >>> Now each plugin can define its topic as a 2-tuple, where the first > > >>> item is the name of topic it belongs to and the second item is > > >>> a description of such topic. Topic descriptions must be the same > > >>> for all modules belonging to the topic. > > >>> > > >>> By using this topics, it is possible to group plugins as we see fit. > > >>> When asking for help for a particular topic, help for all modules > > >>> in given topic is written. > > >>> > > >>> ipa help - show all topics (until now it showed all plugins) > > >>> ipa help - show details to given topic > > >>> > > >>> https://fedorahosted.org/freeipa/ticket/410 > > >> > > >> So here it is: I'm sending couple patches which resolve the ticket and > > >> implement grouping the way we previously discussed. Please feel free > > >> to send me any recommendations if anything should be modified. > > > > > > Here's updated version of 0014 (changed type detection from type(var) > > > is type({}) to type(var) is dict) > > > > > > Jan > > > > The first patch in the series does not apply cleanly anymore, can you > > rebase? > > > Also, ipa help gives me a traceback now: > Both patches are in the attachment > > Jan One more change to the renaming of hbac to hbacrule. I'm sending all patches for better lucidity. Jan -------------- next part -------------- A non-text attachment was scrubbed... Name: jzeleny-freeipa-0013-03-Rename-hbac-module-to-hbacrule.patch Type: text/x-patch Size: 8987 bytes Desc: not available URL: -------------- next part -------------- A non-text attachment was scrubbed... Name: jzeleny-freeipa-0014-03-Changed-concept-of-ipa-help.patch Type: text/x-patch Size: 8424 bytes Desc: not available URL: -------------- next part -------------- A non-text attachment was scrubbed... Name: jzeleny-freeipa-0015-Initial-grouping-of-ipalib-plugins-for-ipa-help.patch Type: text/x-patch Size: 3070 bytes Desc: not available URL: From rcritten at redhat.com Mon Dec 20 15:41:48 2010 From: rcritten at redhat.com (Rob Crittenden) Date: Mon, 20 Dec 2010 10:41:48 -0500 Subject: [Freeipa-devel] [PATCH] 030 Fix delegation.ldif In-Reply-To: <4D0F6DB4.30207@redhat.com> References: <4D0F6DB4.30207@redhat.com> Message-ID: <4D0F793C.4000207@redhat.com> Jakub Hrozek wrote: > -----BEGIN PGP SIGNED MESSAGE----- > Hash: SHA1 > > There was a typo in the delagation LDIF file that caused the LDIF to > fail to load during installation. ack, pushed to master rob From rcritten at redhat.com Mon Dec 20 15:43:20 2010 From: rcritten at redhat.com (Rob Crittenden) Date: Mon, 20 Dec 2010 10:43:20 -0500 Subject: [Freeipa-devel] [PATCH] Make pkey always iterable when deleting In-Reply-To: <4D0F6817.3030101@redhat.com> References: <4D0F48E8.5030004@redhat.com> <201012201507.49718.jzeleny@redhat.com> <4D0F6817.3030101@redhat.com> Message-ID: <4D0F7998.2050505@redhat.com> Jakub Hrozek wrote: > -----BEGIN PGP SIGNED MESSAGE----- > Hash: SHA1 > > On 12/20/2010 03:07 PM, Jan Zelen? wrote: >> Jakub Hrozek wrote: >>> When deleting multiple objects, the code tries to enforce that the >>> primary key is always iterable by doing: >>> >>> keys = keys[:-1] + (keys[-1], ) >>> >>> But this doesn't work, the line only concatenates two tuples effectively >>> returning the original one. See the attached patch for a fix. >> >> nack: you have the condition in chunk #2 wrong - pkeyiter will be never None >> >> Jan >> > > Thanks, attached is a new patch. pushed to master From ssorce at redhat.com Mon Dec 20 15:43:30 2010 From: ssorce at redhat.com (Simo Sorce) Date: Mon, 20 Dec 2010 10:43:30 -0500 Subject: [Freeipa-devel] [PATCH] 030 Fix delegation.ldif In-Reply-To: <4D0F6DB4.30207@redhat.com> References: <4D0F6DB4.30207@redhat.com> Message-ID: <20101220104330.0e884497@willson.li.ssimo.org> On Mon, 20 Dec 2010 15:52:36 +0100 Jakub Hrozek wrote: > There was a typo in the delagation LDIF file that caused the LDIF to > fail to load during installation. Obviously correct, ACK and pushed to master. Simo. -- Simo Sorce * Red Hat, Inc * New York From rcritten at redhat.com Mon Dec 20 15:44:34 2010 From: rcritten at redhat.com (Rob Crittenden) Date: Mon, 20 Dec 2010 10:44:34 -0500 Subject: [Freeipa-devel] [PATCH] Allow renaming of object that have a parent In-Reply-To: <201012201500.52649.jzeleny@redhat.com> References: <4D0F48DC.2000506@redhat.com> <201012201500.52649.jzeleny@redhat.com> Message-ID: <4D0F79E2.7060601@redhat.com> Jan Zelen? wrote: > Jakub Hrozek wrote: >> When performing an RDN change, we would construct the new DN from the >> RDN attribute only. This doesn't work when the object needs has a parent. >> >> There's currently no testcase, I hit that when working on automount - so >> this patch will be testable with the automount patch and also a >> dependency for it. But I think the code is pretty clear.. > > ack pushed to master From rcritten at redhat.com Mon Dec 20 15:45:42 2010 From: rcritten at redhat.com (Rob Crittenden) Date: Mon, 20 Dec 2010 10:45:42 -0500 Subject: [Freeipa-devel] [PATCH] Added option --no-reverse to add-host In-Reply-To: <4D0F3229.4040104@redhat.com> References: <201012141905.44949.jzeleny@redhat.com> <4D0F3229.4040104@redhat.com> Message-ID: <4D0F7A26.7080203@redhat.com> Jakub Hrozek wrote: > -----BEGIN PGP SIGNED MESSAGE----- > Hash: SHA1 > > On 12/14/2010 07:05 PM, Jan Zelen? wrote: >> When adding a host with specific IP address, the operation would fail in >> case we don't own the reverse DNS. This new option overrides the >> check for reverse DNS zone and falls back to different IP address >> existence check. >> >> https://fedorahosted.org/freeipa/ticket/417 >> >> I was considering deleting the reverse zone detection entirely and check the >> IP address directly by querying for A records containing it, but I think this >> way it is more efficient. >> > > Ack pushed to master From rcritten at redhat.com Mon Dec 20 15:46:51 2010 From: rcritten at redhat.com (Rob Crittenden) Date: Mon, 20 Dec 2010 10:46:51 -0500 Subject: [Freeipa-devel] [PATCH] import NSPRError in host.py In-Reply-To: <201012200952.48566.jzeleny@redhat.com> References: <4D0F1869.4020701@redhat.com> <201012200952.48566.jzeleny@redhat.com> Message-ID: <4D0F7A6B.1040200@redhat.com> Jan Zelen? wrote: > Jakub Hrozek wrote: >> The host plugin references NSPRError on couple of places but never >> imports it. > > Obviously ack pushed to master From rcritten at redhat.com Mon Dec 20 15:56:49 2010 From: rcritten at redhat.com (Rob Crittenden) Date: Mon, 20 Dec 2010 10:56:49 -0500 Subject: [Freeipa-devel] [PATCH] Fixed typos in man page of ipa-getkeytab. In-Reply-To: <4D0E94A4.7030207@redhat.com> References: <4D0BBD4C.5070504@redhat.com> <4D0E94A4.7030207@redhat.com> Message-ID: <4D0F7CC1.7060505@redhat.com> David O'Brien wrote: > Gowrishankar Rajaiyan wrote: >> >> Hi All, >> >> Fixed typos in the man page of ipa-getkeytab and corrected my name in >> Contributors.txt. >> >> Regards >> /Shanks >> > > ACK > pushed to master From jzeleny at redhat.com Mon Dec 20 16:20:40 2010 From: jzeleny at redhat.com (Jan =?utf-8?q?Zelen=C3=BD?=) Date: Mon, 20 Dec 2010 17:20:40 +0100 Subject: [Freeipa-devel] [PATCH] Enable filtering search results by member attributes. In-Reply-To: <4D00CE67.4010208@redhat.com> References: <4CF34E28.2040209@redhat.com> <4CFFDCBB.9080505@redhat.com> <4D00CE67.4010208@redhat.com> Message-ID: <201012201720.40133.jzeleny@redhat.com> Pavel Zuna wrote: > On 12/08/2010 08:30 PM, Rob Crittenden wrote: > > Pavel Z?na wrote: > >> On 2010-11-30 04:06, Rob Crittenden wrote: > >>> Pavel Z?na wrote: > >>>> LDAPSearch base class has now the ability to generate additional > >>>> options for objects with member attributes. These options are > >>>> used to filter search results - search only for objects without > >>>> the specified members. > >>>> > >>>> Any class that extends LDAPSearch can benefit from this functionality. > >>>> This patch enables it for the following objects: > >>>> group, netgroup, rolegroup, hostgroup, taskgroup > >>>> > >>>> Example: > >>>> ipa group-find --no-users=admin > >>>> > >>>> Only direct members are taken into account, but if we need indirect > >>>> members as well - it's not a problem. > >>>> > >>>> Ticket #288 > >>>> > >>>> Pavel > >>> > >>> This works as advertised but I wonder what would happen if a huge list > >>> of members was passed in to ignore. Is there a limit on the search > >>> filter size (remember that the member will be translated into a full dn > >>> so will quickly grow in size). > >>> > >>> Should we impose a cofigurable limit on the # of members to be > >>> excluded? > >>> > >>> Is there a max search filter size and should we check that we haven't > >>> exceeded that before doing a search? > >>> > >>> rob > >> > >> I tried it out with more than a 1000 users and was getting an unwilling > >> to perform error (search filter nested too deep). > >> > >> After a little bit of investigation, I figured the filter was being > >> generated like this: > >> > >> (&(&(!(a=v))(!(a2=v2)))) > >> > >> We were going deeper with each additional DN! > >> > >> I updated the patch to generate the filter like this instead: > >> > >> (!(|(a=v)(a2=v2))) > >> > >> Tried it again with more than 1000 users (~55Kb) - it worked and wasn't > >> even slow. > >> > >> Updated patch attached. > >> > >> I also had to fix a bug in ldap2 filter generator, as a result this > >> patch depends on my patch number 43. > >> > >> Pavel > > > > You'll need to rebase this against master but otherwise ACK. > > > > It might be a small optimization to de-dupe the no-users list but it > > isn't a priority. > > > > rob > > Re-based patch attached. > > Pavel This hasn't been already pushed and the patch still applies against master. Can someone push it so the ticket can be closed? Jan From rcritten at redhat.com Mon Dec 20 16:28:00 2010 From: rcritten at redhat.com (Rob Crittenden) Date: Mon, 20 Dec 2010 11:28:00 -0500 Subject: [Freeipa-devel] [PATCH] 023 Clarify ipa-replica-install error message In-Reply-To: <201012151100.35889.jzeleny@redhat.com> References: <4D0747D1.1060901@redhat.com> <201012151100.35889.jzeleny@redhat.com> Message-ID: <4D0F8410.3010502@redhat.com> Jan Zelen? wrote: > Jakub Hrozek wrote: >> Just a cosmetic fix to the replica installation error message, there's >> no ticket for this. > > ack > > Jan pushed to master From rcritten at redhat.com Mon Dec 20 16:28:14 2010 From: rcritten at redhat.com (Rob Crittenden) Date: Mon, 20 Dec 2010 11:28:14 -0500 Subject: [Freeipa-devel] [PATCH] 025 Allow RDN changes from CLI In-Reply-To: <201012200926.11011.jzeleny@redhat.com> References: <4D0A3CF4.4090608@redhat.com> <201012200926.11011.jzeleny@redhat.com> Message-ID: <4D0F841E.3010002@redhat.com> Jan Zelen? wrote: > Jakub Hrozek wrote: >> Adds a new parameter 'rename' to all objects with 'rdnattr' attribute. >> This parameter is a clone of the rdnattr attribute, except for name and >> docs, so normalizer, default_from and also the type are the same as the >> original attribute. >> >> https://fedorahosted.org/freeipa/ticket/397 > > ack > > Jan pushed to master From rcritten at redhat.com Mon Dec 20 16:28:28 2010 From: rcritten at redhat.com (Rob Crittenden) Date: Mon, 20 Dec 2010 11:28:28 -0500 Subject: [Freeipa-devel] [PATCH] 022 Check the number of fields when importing automount maps In-Reply-To: <201012151059.33691.jzeleny@redhat.com> References: <4D0747CB.90300@redhat.com> <201012151059.33691.jzeleny@redhat.com> Message-ID: <4D0F842C.8060206@redhat.com> Jan Zelen? wrote: > Jakub Hrozek wrote: >> https://fedorahosted.org/freeipa/ticket/359 >> >> Sending this separately from the other automount changes since those are >> more intrusive and may be under review for a while. > > ack > > Jan pushed to master From rcritten at redhat.com Mon Dec 20 16:28:43 2010 From: rcritten at redhat.com (Rob Crittenden) Date: Mon, 20 Dec 2010 11:28:43 -0500 Subject: [Freeipa-devel] [PATCH] 021 Make the IPA installer IPv6 friendly In-Reply-To: <201012200912.26675.jzeleny@redhat.com> References: <4D0747C2.4030007@redhat.com> <201012151055.52258.jzeleny@redhat.com> <4D0A44ED.7060501@redhat.com> <201012200912.26675.jzeleny@redhat.com> Message-ID: <4D0F843B.4000706@redhat.com> Jan Zelen? wrote: > Jakub Hrozek wrote: >> On 12/15/2010 10:55 AM, Jan Zelen? wrote: >>> Jakub Hrozek wrote: >>>> This is a first patch towards IPv6 support. Currently it only touches >>>> the installer only as other changes will be fully testable only when >>>> python-nss is IPv6 ready. >>>> >>>> Changes include: >>>> * parse AAAA records in dnsclient >>>> * also ask for AAAA records when verifying FQDN >>>> * do not use functions that are not IPv6 aware - notably >>>> >>>> socket.gethostbyname(). The complete list of functions was taken >>>> from http://www.akkadia.org/drepper/userapi-ipv6.html >>>> section "Interface Checklist" >>> >>> Nack, the patch doesn't handle situations when host cannot be resolved. >>> >>> Jan >> >> Thanks, it didn't handle the case in ipa-replica-install, now it should >> catch the exception and return None (and the caller would react upon >> getting None for the IP address). >> >> In krbinstance.py it would still raise an exception, but I think that is >> OK during instance creation (we surely don't want to print anything). >> The user would see the error string, anyway.. > > ack > > Jan pushed to master From jhrozek at redhat.com Mon Dec 20 17:02:02 2010 From: jhrozek at redhat.com (Jakub Hrozek) Date: Mon, 20 Dec 2010 18:02:02 +0100 Subject: [Freeipa-devel] [PATCH] 0032 Cleanup when deleting a replica In-Reply-To: <20101215200110.54c16661@willson.li.ssimo.org> References: <20101215200110.54c16661@willson.li.ssimo.org> Message-ID: <20101220170201.GA10690@zeppelin.brq.redhat.com> On Wed, Dec 15, 2010 at 08:01:10PM -0500, Simo Sorce wrote: > > Clean up records related to the master being deleted in the shared tree. > > This also avoid issues later on if you want to rejoin the server as a > master. It is also needed in order to give back valid information for > patch 0035 > > Simo. > > -- > Simo Sorce * Red Hat, Inc * New York > def del_master(replman, hostname, force=False): > + has_repl_agreement = True > try: > t = replman.get_agreement_type(hostname) > except ldap.NO_SUCH_OBJECT: > print "No replication agreement found for '%s'" % hostname > - return > + if force: > + has_repl_agreement = False > + else: > + return > except errors.NotFound: > print "No replication agreement found for '%s'" % hostname > - return > + if force: > + has_repl_agreement = False > + else: > + return This is just a nitpick but the above except: blocks are exactly the same. One could remove the redundancy by just using: except (errors.NotFound, ldap.NO_SUCH_OBJECT): > + > + def replica_cleanup(self, replica, realm, force=False): > + > + err = None > + > + if replica == self.hostname: > + raise RuntimeError("Can't cleanup self") > + > + if not self.suffix or self.suffix == "": > + self.suffix = util.realm_to_suffix(realm) > + self.suffix = ipaldap.IPAdmin.normalizeDN(self.suffix) This looks suspicious. Should one of these be in else: perhaps? The rest of the code looks OK, but I'm currently not able to test as the deletion fails with "Insufficient access". In my setup, vm-061 is the master and vm-038 is the replica: [root at vm-061 ~]# ipa-replica-manage list vm-061.idm.lab.bos.redhat.com vm-038.idm.lab.bos.redhat.com [root at vm-061 ~]# ipa-replica-manage del vm-038.idm.lab.bos.redhat.com Unable to remove agreement on vm-038.idm.lab.bos.redhat.com: Insufficient access: From jhrozek at redhat.com Mon Dec 20 17:22:48 2010 From: jhrozek at redhat.com (Jakub Hrozek) Date: Mon, 20 Dec 2010 18:22:48 +0100 Subject: [Freeipa-devel] [PATCH] 0033 Add disconnect command to change topology In-Reply-To: <20101215200258.1c118346@willson.li.ssimo.org> References: <20101215200258.1c118346@willson.li.ssimo.org> Message-ID: <4D0F90E8.4030705@redhat.com> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 On 12/16/2010 02:02 AM, Simo Sorce wrote: > > This command will delete a replication agreement unless it is the last > one on either server. It is used to change replication topology without > actually removing any single master for the domain (the del command > must be used if that the intent). > > Simo. > Please document the new action in the manpage. As the actions are not printed when one specifies --help, there's no way to discover it short of reading the code. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.11 (GNU/Linux) Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org/ iEYEARECAAYFAk0PkOgACgkQHsardTLnvCXuDQCeMHTn6ezhtHQmxq7FVx0NATBn iNIAoKsWq/2DgHljH2VVc/gK1S+C8bVD =/Lcz -----END PGP SIGNATURE----- From ayoung at redhat.com Mon Dec 20 17:29:55 2010 From: ayoung at redhat.com (Adam Young) Date: Mon, 20 Dec 2010 12:29:55 -0500 Subject: [Freeipa-devel] [PATCH] Enable filtering search results by member attributes. In-Reply-To: <201012201720.40133.jzeleny@redhat.com> References: <4CF34E28.2040209@redhat.com> <4CFFDCBB.9080505@redhat.com> <4D00CE67.4010208@redhat.com> <201012201720.40133.jzeleny@redhat.com> Message-ID: <4D0F9293.4080303@redhat.com> On 12/20/2010 11:20 AM, Jan Zelen? wrote: > Pavel Zuna wrote: > >> On 12/08/2010 08:30 PM, Rob Crittenden wrote: >> >>> Pavel Z?na wrote: >>> >>>> On 2010-11-30 04:06, Rob Crittenden wrote: >>>> >>>>> Pavel Z?na wrote: >>>>> >>>>>> LDAPSearch base class has now the ability to generate additional >>>>>> options for objects with member attributes. These options are >>>>>> used to filter search results - search only for objects without >>>>>> the specified members. >>>>>> >>>>>> Any class that extends LDAPSearch can benefit from this functionality. >>>>>> This patch enables it for the following objects: >>>>>> group, netgroup, rolegroup, hostgroup, taskgroup >>>>>> >>>>>> Example: >>>>>> ipa group-find --no-users=admin >>>>>> >>>>>> Only direct members are taken into account, but if we need indirect >>>>>> members as well - it's not a problem. >>>>>> >>>>>> Ticket #288 >>>>>> >>>>>> Pavel >>>>>> >>>>> This works as advertised but I wonder what would happen if a huge list >>>>> of members was passed in to ignore. Is there a limit on the search >>>>> filter size (remember that the member will be translated into a full dn >>>>> so will quickly grow in size). >>>>> >>>>> Should we impose a cofigurable limit on the # of members to be >>>>> excluded? >>>>> >>>>> Is there a max search filter size and should we check that we haven't >>>>> exceeded that before doing a search? >>>>> >>>>> rob >>>>> >>>> I tried it out with more than a 1000 users and was getting an unwilling >>>> to perform error (search filter nested too deep). >>>> >>>> After a little bit of investigation, I figured the filter was being >>>> generated like this: >>>> >>>> (&(&(!(a=v))(!(a2=v2)))) >>>> >>>> We were going deeper with each additional DN! >>>> >>>> I updated the patch to generate the filter like this instead: >>>> >>>> (!(|(a=v)(a2=v2))) >>>> >>>> Tried it again with more than 1000 users (~55Kb) - it worked and wasn't >>>> even slow. >>>> >>>> Updated patch attached. >>>> >>>> I also had to fix a bug in ldap2 filter generator, as a result this >>>> patch depends on my patch number 43. >>>> >>>> Pavel >>>> >>> You'll need to rebase this against master but otherwise ACK. >>> >>> It might be a small optimization to de-dupe the no-users list but it >>> isn't a priority. >>> >>> rob >>> >> Re-based patch attached. >> >> Pavel >> > > This hasn't been already pushed and the patch still applies against master. > Can someone push it so the ticket can be closed? > > Jan > > _______________________________________________ > Freeipa-devel mailing list > Freeipa-devel at redhat.com > https://www.redhat.com/mailman/listinfo/freeipa-devel ACK, pushed to master From rcritten at redhat.com Mon Dec 20 19:06:06 2010 From: rcritten at redhat.com (Rob Crittenden) Date: Mon, 20 Dec 2010 14:06:06 -0500 Subject: [Freeipa-devel] [PATCH] 655 translation delegation group dns to names Message-ID: <4D0FA91E.2060605@redhat.com> Translate the membergroup dn into a group name. Drop filter from the output, it is superfluous. ticket 634 -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-rcrit-655-delegation.patch Type: text/x-patch Size: 6920 bytes Desc: not available URL: From ayoung at redhat.com Mon Dec 20 19:13:27 2010 From: ayoung at redhat.com (Adam Young) Date: Mon, 20 Dec 2010 14:13:27 -0500 Subject: [Freeipa-devel] [PATCH] Added option --no-reverse to add-host In-Reply-To: <4D0F7A26.7080203@redhat.com> References: <201012141905.44949.jzeleny@redhat.com> <4D0F3229.4040104@redhat.com> <4D0F7A26.7080203@redhat.com> Message-ID: <4D0FAAD7.6070502@redhat.com> On 12/20/2010 10:45 AM, Rob Crittenden wrote: > Jakub Hrozek wrote: >> -----BEGIN PGP SIGNED MESSAGE----- >> Hash: SHA1 >> >> On 12/14/2010 07:05 PM, Jan Zelen? wrote: >>> When adding a host with specific IP address, the operation would >>> fail in >>> case we don't own the reverse DNS. This new option overrides the >>> check for reverse DNS zone and falls back to different IP address >>> existence check. >>> >>> https://fedorahosted.org/freeipa/ticket/417 >>> >>> I was considering deleting the reverse zone detection entirely and >>> check the >>> IP address directly by querying for A records containing it, but I >>> think this >>> way it is more efficient. >>> >> >> Ack > > pushed to master > > _______________________________________________ > Freeipa-devel mailing list > Freeipa-devel at redhat.com > https://www.redhat.com/mailman/listinfo/freeipa-devel I think that this is going to make the CLI capable of doing something that the CLI can't. Do we need a UI field to add in this flag? From ssorce at redhat.com Mon Dec 20 20:00:17 2010 From: ssorce at redhat.com (Simo Sorce) Date: Mon, 20 Dec 2010 15:00:17 -0500 Subject: [Freeipa-devel] [PATCH] Bugfixes for bind-dyndb-ldap In-Reply-To: <20101215122901.0bab3d5d@willson.li.ssimo.org> References: <20101215172120.GA21932@evileye.atkac.brq.redhat.com> <20101215122901.0bab3d5d@willson.li.ssimo.org> Message-ID: <20101220150017.4a1ffd37@willson.li.ssimo.org> On Wed, 15 Dec 2010 12:29:01 -0500 Simo Sorce wrote: > On Wed, 15 Dec 2010 18:21:20 +0100 > Adam Tkac wrote: > > > Hello, > > > > those four patches for bind-dyndb-ldap fix following issues: > > > > 0001-Bugfix-Improve-LDAP-schema-to-be-loadable-by-OpenLDA.patch: > > - Current schema is not loadable by OpenLDAP > > - https://bugzilla.redhat.com/show_bug.cgi?id=622604 > > > > 0002-Change-bug-reporting-address-to-freeipa-devel-redhat.patch > > - fix bug reporting address > > > > 0003-Fail-and-emit-error-when-BIND9-or-OpenLDAP-devel-fil.patch > > - ./configure should fail if bind-devel or openldap-devel is not > > installed > > > > 0004-Bugfix-Fix-loading-of-child-zones-from-LDAP.patch > > - child zones aren't currently loaded well > > - https://bugzilla.redhat.com/show_bug.cgi?id=622617 > > > > If noone has objections I will push patches till end of the week. > > ACK to all four. These have been pushed. Simo. -- Simo Sorce * Red Hat, Inc * New York From ssorce at redhat.com Mon Dec 20 20:02:42 2010 From: ssorce at redhat.com (Simo Sorce) Date: Mon, 20 Dec 2010 15:02:42 -0500 Subject: [Freeipa-devel] [PATCH] 0032 Cleanup when deleting a replica In-Reply-To: <20101220170201.GA10690@zeppelin.brq.redhat.com> References: <20101215200110.54c16661@willson.li.ssimo.org> <20101220170201.GA10690@zeppelin.brq.redhat.com> Message-ID: <20101220150242.79d9a383@willson.li.ssimo.org> On Mon, 20 Dec 2010 18:02:02 +0100 Jakub Hrozek wrote: > On Wed, Dec 15, 2010 at 08:01:10PM -0500, Simo Sorce wrote: > > > > Clean up records related to the master being deleted in the shared > > tree. > > > > This also avoid issues later on if you want to rejoin the server as > > a master. It is also needed in order to give back valid information > > for patch 0035 > > > > Simo. > > > > -- > > Simo Sorce * Red Hat, Inc * New York > > > def del_master(replman, hostname, force=False): > > + has_repl_agreement = True > > try: > > t = replman.get_agreement_type(hostname) > > except ldap.NO_SUCH_OBJECT: > > print "No replication agreement found for '%s'" % hostname > > - return > > + if force: > > + has_repl_agreement = False > > + else: > > + return > > except errors.NotFound: > > print "No replication agreement found for '%s'" % hostname > > - return > > + if force: > > + has_repl_agreement = False > > + else: > > + return > > This is just a nitpick but the above except: blocks are exactly the > same. One could remove the redundancy by just using: > > except (errors.NotFound, ldap.NO_SUCH_OBJECT): > > > + > > + def replica_cleanup(self, replica, realm, force=False): > > + > > + err = None > > + > > + if replica == self.hostname: > > + raise RuntimeError("Can't cleanup self") > > + > > + if not self.suffix or self.suffix == "": > > + self.suffix = util.realm_to_suffix(realm) > > + self.suffix = ipaldap.IPAdmin.normalizeDN(self.suffix) > > This looks suspicious. Should one of these be in else: perhaps? No, I just reused the same var to keep a temporary value, instead of having a long line. not pretty but it is correct. I can use a temp var if you think it makes for more readable code though. > The rest of the code looks OK, but I'm currently not able to test as > the deletion fails with "Insufficient access". In my setup, vm-061 is > the master and vm-038 is the replica: > > [root at vm-061 ~]# ipa-replica-manage list vm-061.idm.lab.bos.redhat.com > vm-038.idm.lab.bos.redhat.com > [root at vm-061 ~]# ipa-replica-manage del vm-038.idm.lab.bos.redhat.com > Unable to remove agreement on vm-038.idm.lab.bos.redhat.com: > Insufficient access: Do you have a ticket as admin when you try this ? Simo. -- Simo Sorce * Red Hat, Inc * New York From ssorce at redhat.com Mon Dec 20 20:04:42 2010 From: ssorce at redhat.com (Simo Sorce) Date: Mon, 20 Dec 2010 15:04:42 -0500 Subject: [Freeipa-devel] [PATCH] 0033 Add disconnect command to change topology In-Reply-To: <4D0F90E8.4030705@redhat.com> References: <20101215200258.1c118346@willson.li.ssimo.org> <4D0F90E8.4030705@redhat.com> Message-ID: <20101220150442.23ad4dda@willson.li.ssimo.org> On Mon, 20 Dec 2010 18:22:48 +0100 Jakub Hrozek wrote: > -----BEGIN PGP SIGNED MESSAGE----- > Hash: SHA1 > > On 12/16/2010 02:02 AM, Simo Sorce wrote: > > > > This command will delete a replication agreement unless it is the > > last one on either server. It is used to change replication > > topology without actually removing any single master for the domain > > (the del command must be used if that the intent). > > > > Simo. > > > > Please document the new action in the manpage. As the actions are not > printed when one specifies --help, there's no way to discover it short > of reading the code. I have a separate ticket to add all the changes to the man page. It requires some deep review and I preferred to split it from the rest of the changes. Simo. -- Simo Sorce * Red Hat, Inc * New York From ssorce at redhat.com Mon Dec 20 20:10:01 2010 From: ssorce at redhat.com (Simo Sorce) Date: Mon, 20 Dec 2010 15:10:01 -0500 Subject: [Freeipa-devel] [PATCH] Remove referrals to removed replicas/links Message-ID: <20101220151001.6c10d421@willson.li.ssimo.org> When a replication agreement is removed also make sure to remove referrals to the replicas to avoid dangling referrals. This patch also fixes acis related to replica as the fix is also required to be able to change the referrals attributes. Simo. -- Simo Sorce * Red Hat, Inc * New York -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-simo-0036-Remove-referrals-when-removing-agreements.patch Type: text/x-patch Size: 5963 bytes Desc: not available URL: From ayoung at redhat.com Mon Dec 20 20:36:07 2010 From: ayoung at redhat.com (Adam Young) Date: Mon, 20 Dec 2010 15:36:07 -0500 Subject: [Freeipa-devel] [PATCH] 655 translation delegation group dns to names In-Reply-To: <4D0FA91E.2060605@redhat.com> References: <4D0FA91E.2060605@redhat.com> Message-ID: <4D0FBE37.5030809@redhat.com> On 12/20/2010 02:06 PM, Rob Crittenden wrote: > Translate the membergroup dn into a group name. > > Drop filter from the output, it is superfluous. > > ticket 634 > > > _______________________________________________ > Freeipa-devel mailing list > Freeipa-devel at redhat.com > https://www.redhat.com/mailman/listinfo/freeipa-devel ACK. Pushed to master -------------- next part -------------- An HTML attachment was scrubbed... URL: From rcritten at redhat.com Mon Dec 20 20:56:09 2010 From: rcritten at redhat.com (Rob Crittenden) Date: Mon, 20 Dec 2010 15:56:09 -0500 Subject: [Freeipa-devel] [PATCH] 656 move permissions and privileges Message-ID: <4D0FC2E9.8020402@redhat.com> Move permissions and privileges to their own container. They don't really belong in cn=accounts any more. This leaves just roles there. ticket 638 rob -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-rcrit-656-pbac.patch Type: text/x-patch Size: 53191 bytes Desc: not available URL: From rcritten at redhat.com Mon Dec 20 21:39:12 2010 From: rcritten at redhat.com (Rob Crittenden) Date: Mon, 20 Dec 2010 16:39:12 -0500 Subject: [Freeipa-devel] [PATCH] Added option --no-reverse to add-host In-Reply-To: <4D0FAAD7.6070502@redhat.com> References: <201012141905.44949.jzeleny@redhat.com> <4D0F3229.4040104@redhat.com> <4D0F7A26.7080203@redhat.com> <4D0FAAD7.6070502@redhat.com> Message-ID: <4D0FCD00.4090800@redhat.com> Adam Young wrote: > On 12/20/2010 10:45 AM, Rob Crittenden wrote: >> Jakub Hrozek wrote: >>> -----BEGIN PGP SIGNED MESSAGE----- >>> Hash: SHA1 >>> >>> On 12/14/2010 07:05 PM, Jan Zelen? wrote: >>>> When adding a host with specific IP address, the operation would >>>> fail in >>>> case we don't own the reverse DNS. This new option overrides the >>>> check for reverse DNS zone and falls back to different IP address >>>> existence check. >>>> >>>> https://fedorahosted.org/freeipa/ticket/417 >>>> >>>> I was considering deleting the reverse zone detection entirely and >>>> check the >>>> IP address directly by querying for A records containing it, but I >>>> think this >>>> way it is more efficient. >>>> >>> >>> Ack >> >> pushed to master >> >> _______________________________________________ >> Freeipa-devel mailing list >> Freeipa-devel at redhat.com >> https://www.redhat.com/mailman/listinfo/freeipa-devel > > I think that this is going to make the CLI capable of doing something > that the CLI can't. Do we need a UI field to add in this flag? Yes, I think we'd need a check-box or equivalent for it. rob From jhrozek at redhat.com Mon Dec 20 21:40:50 2010 From: jhrozek at redhat.com (Jakub Hrozek) Date: Mon, 20 Dec 2010 22:40:50 +0100 Subject: [Freeipa-devel] [PATCH] 0032 Cleanup when deleting a replica In-Reply-To: <20101220150242.79d9a383@willson.li.ssimo.org> References: <20101215200110.54c16661@willson.li.ssimo.org> <20101220170201.GA10690@zeppelin.brq.redhat.com> <20101220150242.79d9a383@willson.li.ssimo.org> Message-ID: <4D0FCD62.9020403@redhat.com> On 12/20/2010 09:02 PM, Simo Sorce wrote: > On Mon, 20 Dec 2010 18:02:02 +0100 > Jakub Hrozek wrote: > >> On Wed, Dec 15, 2010 at 08:01:10PM -0500, Simo Sorce wrote: >>> >>> Clean up records related to the master being deleted in the shared >>> tree. >>> >>> This also avoid issues later on if you want to rejoin the server as >>> a master. It is also needed in order to give back valid information >>> for patch 0035 >>> >>> Simo. >>> >>> -- >>> Simo Sorce * Red Hat, Inc * New York >> >>> def del_master(replman, hostname, force=False): >>> + has_repl_agreement = True >>> try: >>> t = replman.get_agreement_type(hostname) >>> except ldap.NO_SUCH_OBJECT: >>> print "No replication agreement found for '%s'" % hostname >>> - return >>> + if force: >>> + has_repl_agreement = False >>> + else: >>> + return >>> except errors.NotFound: >>> print "No replication agreement found for '%s'" % hostname >>> - return >>> + if force: >>> + has_repl_agreement = False >>> + else: >>> + return >> >> This is just a nitpick but the above except: blocks are exactly the >> same. One could remove the redundancy by just using: >> >> except (errors.NotFound, ldap.NO_SUCH_OBJECT): >> >>> + >>> + def replica_cleanup(self, replica, realm, force=False): >>> + >>> + err = None >>> + >>> + if replica == self.hostname: >>> + raise RuntimeError("Can't cleanup self") >>> + >>> + if not self.suffix or self.suffix == "": >>> + self.suffix = util.realm_to_suffix(realm) >>> + self.suffix = ipaldap.IPAdmin.normalizeDN(self.suffix) >> >> This looks suspicious. Should one of these be in else: perhaps? > > No, I just reused the same var to keep a temporary value, instead of > having a long line. not pretty but it is correct. > I can use a temp var if you think it makes for more readable code > though. > Oh, that's OK, I was just too lazy to read the methods before. It makes sense now, thanks. >> The rest of the code looks OK, but I'm currently not able to test as >> the deletion fails with "Insufficient access". In my setup, vm-061 is >> the master and vm-038 is the replica: >> >> [root at vm-061 ~]# ipa-replica-manage list vm-061.idm.lab.bos.redhat.com >> vm-038.idm.lab.bos.redhat.com >> [root at vm-061 ~]# ipa-replica-manage del vm-038.idm.lab.bos.redhat.com >> Unable to remove agreement on vm-038.idm.lab.bos.redhat.com: >> Insufficient access: > > Do you have a ticket as admin when you try this ? > > Simo. > I do. The traceback looks like this (I inserted and extra traceback.print_exc() call to get it): ---- Traceback (most recent call last): File "/usr/sbin/ipa-replica-manage", line 269, in del_master other_replman.delete_agreement(replman.conn.host) File "/usr/lib/python2.7/site-packages/ipaserver/install/replication.py", line 408, in delete_agreement return self.conn.deleteEntry(dn) File "/usr/lib/python2.7/site-packages/ipaserver/ipaldap.py", line 563, in deleteEntry self.__handle_errors(e, **kw) File "/usr/lib/python2.7/site-packages/ipaserver/ipaldap.py", line 316, in __handle_errors raise errors.ACIError(info=info) ACIError: Insufficient access: ---- So this seems to be an ACI problem. I have your 4 patches applied on top of the current origin/master and was calling "ipa-replica-manage del ". From ayoung at redhat.com Mon Dec 20 21:57:19 2010 From: ayoung at redhat.com (Adam Young) Date: Mon, 20 Dec 2010 16:57:19 -0500 Subject: [Freeipa-devel] [PATCH]admiyo-0119-cusor-pointer-for-undo-link Message-ID: <4D0FD13F.1020605@redhat.com> -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-admiyo-0119-cusor-pointer-for-undo-link.patch Type: text/x-patch Size: 1290 bytes Desc: not available URL: From ayoung at redhat.com Mon Dec 20 21:58:49 2010 From: ayoung at redhat.com (Adam Young) Date: Mon, 20 Dec 2010 16:58:49 -0500 Subject: [Freeipa-devel] [PATCH]admiyo-0119-cusor-pointer-for-undo-link In-Reply-To: <4D0FD13F.1020605@redhat.com> References: <4D0FD13F.1020605@redhat.com> Message-ID: <4D0FD199.1050805@redhat.com> On 12/20/2010 04:57 PM, Adam Young wrote: > > > _______________________________________________ > Freeipa-devel mailing list > Freeipa-devel at redhat.com > https://www.redhat.com/mailman/listinfo/freeipa-devel Graphical diff is here: https://fedorahosted.org/freeipa/attachment/ticket/489/freeipa-admiyo-0119-cusor-pointer-for-undo-link.patch -------------- next part -------------- An HTML attachment was scrubbed... URL: From ssorce at redhat.com Mon Dec 20 22:05:20 2010 From: ssorce at redhat.com (Simo Sorce) Date: Mon, 20 Dec 2010 17:05:20 -0500 Subject: [Freeipa-devel] [PATCH] 0032 Cleanup when deleting a replica In-Reply-To: <4D0FCD62.9020403@redhat.com> References: <20101215200110.54c16661@willson.li.ssimo.org> <20101220170201.GA10690@zeppelin.brq.redhat.com> <20101220150242.79d9a383@willson.li.ssimo.org> <4D0FCD62.9020403@redhat.com> Message-ID: <20101220170520.3fde6d05@willson.li.ssimo.org> On Mon, 20 Dec 2010 22:40:50 +0100 Jakub Hrozek wrote: > >> The rest of the code looks OK, but I'm currently not able to test > >> as the deletion fails with "Insufficient access". In my setup, > >> vm-061 is the master and vm-038 is the replica: > >> > >> [root at vm-061 ~]# ipa-replica-manage list > >> vm-061.idm.lab.bos.redhat.com vm-038.idm.lab.bos.redhat.com > >> [root at vm-061 ~]# ipa-replica-manage del > >> vm-038.idm.lab.bos.redhat.com Unable to remove agreement on > >> vm-038.idm.lab.bos.redhat.com: Insufficient access: > > > > Do you have a ticket as admin when you try this ? > > > > Simo. > > > > I do. The traceback looks like this (I inserted and extra > traceback.print_exc() call to get it): > > ---- > Traceback (most recent call last): > File "/usr/sbin/ipa-replica-manage", line 269, in del_master > other_replman.delete_agreement(replman.conn.host) > File > "/usr/lib/python2.7/site-packages/ipaserver/install/replication.py", > line 408, in delete_agreement > return self.conn.deleteEntry(dn) > File "/usr/lib/python2.7/site-packages/ipaserver/ipaldap.py", line > 563, in deleteEntry > self.__handle_errors(e, **kw) > File "/usr/lib/python2.7/site-packages/ipaserver/ipaldap.py", line > 316, in __handle_errors > raise errors.ACIError(info=info) > ACIError: Insufficient access: > ---- > > So this seems to be an ACI problem. I have your 4 patches applied on > top of the current origin/master and was calling "ipa-replica-manage > del ". > I guess it work properly if you kdestroy and use the DM password ? Simo. -- Simo Sorce * Red Hat, Inc * New York From rcritten at redhat.com Mon Dec 20 22:21:11 2010 From: rcritten at redhat.com (Rob Crittenden) Date: Mon, 20 Dec 2010 17:21:11 -0500 Subject: [Freeipa-devel] [PATCH] 024 Change FreeIPA license to GPLv3+ In-Reply-To: <4D08FBB4.9040302@redhat.com> References: <4D08FBB4.9040302@redhat.com> Message-ID: <4D0FD6D7.3000604@redhat.com> Jakub Hrozek wrote: > -----BEGIN PGP SIGNED MESSAGE----- > Hash: SHA1 > > Hi, > attached is a patch that replaces all GPLv2 license blobs with GPLv3+ > blobs. The new blobs also tell users to see a website for the complete > license text (the old ones advised to write to a snail mail address..). > > The SLAPI plugins use a different wording as they need the GPL exception. > > When this patch is pushed, I think we should send a note at least to > freeipa-devel but probably even -users and -interest. Also, I'll keep an > eye on all patches that people are sending..those that add some new > files will need to include the new blobs. > > The patch is compressed, as the original had 480 kB.. > double-ack from me and Simo. pushed to master From ssorce at redhat.com Tue Dec 21 01:47:12 2010 From: ssorce at redhat.com (Simo Sorce) Date: Mon, 20 Dec 2010 20:47:12 -0500 Subject: [Freeipa-devel] [PATCH]admiyo-0119-cusor-pointer-for-undo-link In-Reply-To: <4D0FD199.1050805@redhat.com> References: <4D0FD13F.1020605@redhat.com> <4D0FD199.1050805@redhat.com> Message-ID: <20101220204712.468b735e@willson.li.ssimo.org> On Mon, 20 Dec 2010 16:58:49 -0500 Adam Young wrote: > On 12/20/2010 04:57 PM, Adam Young wrote: > > > > > > _______________________________________________ > > Freeipa-devel mailing list > > Freeipa-devel at redhat.com > > https://www.redhat.com/mailman/listinfo/freeipa-devel > > Graphical diff is here: > > https://fedorahosted.org/freeipa/attachment/ticket/489/freeipa-admiyo-0119-cusor-pointer-for-undo-link.patch ACK Simo. -- Simo Sorce * Red Hat, Inc * New York From ssorce at redhat.com Tue Dec 21 02:23:54 2010 From: ssorce at redhat.com (Simo Sorce) Date: Mon, 20 Dec 2010 21:23:54 -0500 Subject: [Freeipa-devel] [PATCH] 0037 Fix race condition in install Message-ID: <20101220212354.2099cdd7@willson.li.ssimo.org> This seem to fix a long-standing bug that was mitigated by a workaround, but was still present after all. Simo. -- Simo Sorce * Red Hat, Inc * New York -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-simo-0037-Fix-race-condition-in-installation-due-to-use-of-asy.patch Type: text/x-patch Size: 2589 bytes Desc: not available URL: From ayoung at redhat.com Tue Dec 21 03:58:47 2010 From: ayoung at redhat.com (Adam Young) Date: Mon, 20 Dec 2010 22:58:47 -0500 Subject: [Freeipa-devel] [PATCH]admiyo-0119-cusor-pointer-for-undo-link In-Reply-To: <20101220204712.468b735e@willson.li.ssimo.org> References: <4D0FD13F.1020605@redhat.com> <4D0FD199.1050805@redhat.com> <20101220204712.468b735e@willson.li.ssimo.org> Message-ID: <4D1025F7.8040703@redhat.com> On 12/20/2010 08:47 PM, Simo Sorce wrote: > On Mon, 20 Dec 2010 16:58:49 -0500 > Adam Young wrote: > > >> On 12/20/2010 04:57 PM, Adam Young wrote: >> >>> >>> _______________________________________________ >>> Freeipa-devel mailing list >>> Freeipa-devel at redhat.com >>> https://www.redhat.com/mailman/listinfo/freeipa-devel >>> >> Graphical diff is here: >> >> https://fedorahosted.org/freeipa/attachment/ticket/489/freeipa-admiyo-0119-cusor-pointer-for-undo-link.patch >> > ACK > Simo. > > pushed to master From rcritten at redhat.com Tue Dec 21 04:23:50 2010 From: rcritten at redhat.com (Rob Crittenden) Date: Mon, 20 Dec 2010 23:23:50 -0500 Subject: [Freeipa-devel] [PATCH] admiyo-0118-aci-ui In-Reply-To: <4D0B97F9.8050505@redhat.com> References: <4D0B97F9.8050505@redhat.com> Message-ID: <4D102BD6.80104@redhat.com> Adam Young wrote: > > > > _______________________________________________ > Freeipa-devel mailing list > Freeipa-devel at redhat.com > https://www.redhat.com/mailman/listinfo/freeipa-devel ack. Adam, I'm going to let you push this. There were a couple of trivial merge errors but I figure you're best to work them out. I will have a follow-on patch shortly to fix a few problems on my end I discovered while poking around with this. rob From ayoung at redhat.com Tue Dec 21 04:31:39 2010 From: ayoung at redhat.com (Adam Young) Date: Mon, 20 Dec 2010 23:31:39 -0500 Subject: [Freeipa-devel] [PATCH] 0037 Fix race condition in install In-Reply-To: <20101220212354.2099cdd7@willson.li.ssimo.org> References: <20101220212354.2099cdd7@willson.li.ssimo.org> Message-ID: <4D102DAB.9000003@redhat.com> On 12/20/2010 09:23 PM, Simo Sorce wrote: > This seem to fix a long-standing bug that was mitigated by a > workaround, but was still present after all. > > Simo. > > > > > _______________________________________________ > Freeipa-devel mailing list > Freeipa-devel at redhat.com > https://www.redhat.com/mailman/listinfo/freeipa-devel Applied and ran the install successfully. ACK -------------- next part -------------- An HTML attachment was scrubbed... URL: From rcritten at redhat.com Tue Dec 21 04:30:39 2010 From: rcritten at redhat.com (Rob Crittenden) Date: Mon, 20 Dec 2010 23:30:39 -0500 Subject: [Freeipa-devel] [PATCH] 657 fix a few ACI problems found Message-ID: <4D102D6F.5050207@redhat.com> This depends on Adam's patch 0118. In meta data make ACI attributes lower-case, sorted. Add possible attributes. The metadata contains a list of possible attributes that an ACI for that object might need. Add a new variable to hold possible objectclasses for optional elements (like posixGroup for groups). To make the list easier to handle sort it and make it all lower-case. Fix a couple of missed camel-case attributes in the default ACI list. ticket 641 rob -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-rcrit-657-aci.patch Type: text/x-patch Size: 6534 bytes Desc: not available URL: From ayoung at redhat.com Tue Dec 21 04:38:24 2010 From: ayoung at redhat.com (Adam Young) Date: Mon, 20 Dec 2010 23:38:24 -0500 Subject: [Freeipa-devel] [PATCH] admiyo-0118-aci-ui In-Reply-To: <4D102BD6.80104@redhat.com> References: <4D0B97F9.8050505@redhat.com> <4D102BD6.80104@redhat.com> Message-ID: <4D102F40.2090500@redhat.com> On 12/20/2010 11:23 PM, Rob Crittenden wrote: > Adam Young wrote: >> >> >> >> _______________________________________________ >> Freeipa-devel mailing list >> Freeipa-devel at redhat.com >> https://www.redhat.com/mailman/listinfo/freeipa-devel > > ack. > > Adam, I'm going to let you push this. There were a couple of trivial > merge errors but I figure you're best to work them out. > > I will have a follow-on patch shortly to fix a few problems on my end > I discovered while poking around with this. > > rob rebased and pushed to master. From ayoung at redhat.com Tue Dec 21 05:20:33 2010 From: ayoung at redhat.com (Adam Young) Date: Tue, 21 Dec 2010 00:20:33 -0500 Subject: [Freeipa-devel] Issues with ACI UI Message-ID: <4D103921.5040008@redhat.com> 1. Can't add an ACI. Before, I was able to get away with a blank filter, but that doesn't seem to work anymore. 2. Delegation-add : the group-find for the combo boxes isn't getting executed. 3. Some edits are broken for Permissions: For certain, update dns entries 4. adding self service permission, attrs is required, even if the user just wants to do an 'add' permission. 5. Modifying the self service permission just added gives an internal error. I removed the 'delete' and 'write' permission ( which I did not set in the add dialog) as well as the 'audio' permission. Log is below: [Tue Dec 21 00:18:03 2010] [error] File "/usr/lib/python2.6/site-packages/ipaserver/rpcserver.py", line 211, in wsgi_execute [Tue Dec 21 00:18:03 2010] [error] result = self.Command[name](*args, **options) [Tue Dec 21 00:18:03 2010] [error] File "/usr/lib/python2.6/site-packages/ipalib/frontend.py", line 417, in __call__ [Tue Dec 21 00:18:03 2010] [error] ret = self.run(*args, **options) [Tue Dec 21 00:18:03 2010] [error] File "/usr/lib/python2.6/site-packages/ipalib/frontend.py", line 696, in run [Tue Dec 21 00:18:03 2010] [error] return self.execute(*args, **options) [Tue Dec 21 00:18:03 2010] [error] File "/usr/lib/python2.6/site-packages/ipalib/plugins/selfservice.py", line 160, in execute [Tue Dec 21 00:18:03 2010] [error] result = api.Command['aci_mod'](aciname, **kw)['result'] [Tue Dec 21 00:18:03 2010] [error] File "/usr/lib/python2.6/site-packages/ipalib/frontend.py", line 417, in __call__ [Tue Dec 21 00:18:03 2010] [error] ret = self.run(*args, **options) [Tue Dec 21 00:18:03 2010] [error] File "/usr/lib/python2.6/site-packages/ipalib/frontend.py", line 696, in run [Tue Dec 21 00:18:03 2010] [error] return self.execute(*args, **options) [Tue Dec 21 00:18:03 2010] [error] File "/usr/lib/python2.6/site-packages/ipalib/plugins/aci.py", line 550, in execute [Tue Dec 21 00:18:03 2010] [error] result = self.api.Command['aci_add'](aciname, **newkw)['result'] [Tue Dec 21 00:18:03 2010] [error] File "/usr/lib/python2.6/site-packages/ipalib/frontend.py", line 417, in __call__ [Tue Dec 21 00:18:03 2010] [error] ret = self.run(*args, **options) [Tue Dec 21 00:18:03 2010] [error] File "/usr/lib/python2.6/site-packages/ipalib/frontend.py", line 696, in run [Tue Dec 21 00:18:03 2010] [error] return self.execute(*args, **options) [Tue Dec 21 00:18:03 2010] [error] File "/usr/lib/python2.6/site-packages/ipalib/plugins/aci.py", line 450, in execute [Tue Dec 21 00:18:03 2010] [error] newaci_str = unicode(newaci) [Tue Dec 21 00:18:03 2010] [error] File "/usr/lib/python2.6/site-packages/ipalib/aci.py", line 68, in __repr__ [Tue Dec 21 00:18:03 2010] [error] return self.export_to_string() [Tue Dec 21 00:18:03 2010] [error] File "/usr/lib/python2.6/site-packages/ipalib/aci.py", line 79, in export_to_string [Tue Dec 21 00:18:03 2010] [error] target = target + l + " || " [Tue Dec 21 00:18:03 2010] [error] TypeError: cannot concatenate 'str' and 'NoneType' objects Some of these are on the UI side, and some are on the server side. We'll need to sort out which is which. From ayoung at redhat.com Tue Dec 21 05:23:37 2010 From: ayoung at redhat.com (Adam Young) Date: Tue, 21 Dec 2010 00:23:37 -0500 Subject: [Freeipa-devel] [PATCH] 0037 Fix race condition in install In-Reply-To: <4D102DAB.9000003@redhat.com> References: <20101220212354.2099cdd7@willson.li.ssimo.org> <4D102DAB.9000003@redhat.com> Message-ID: <4D1039D9.5050500@redhat.com> On 12/20/2010 11:31 PM, Adam Young wrote: > On 12/20/2010 09:23 PM, Simo Sorce wrote: >> This seem to fix a long-standing bug that was mitigated by a >> workaround, but was still present after all. >> >> Simo. >> >> >> >> >> _______________________________________________ >> Freeipa-devel mailing list >> Freeipa-devel at redhat.com >> https://www.redhat.com/mailman/listinfo/freeipa-devel > Applied and ran the install successfully. > ACK > > > _______________________________________________ > Freeipa-devel mailing list > Freeipa-devel at redhat.com > https://www.redhat.com/mailman/listinfo/freeipa-devel Pushed to master -------------- next part -------------- An HTML attachment was scrubbed... URL: From ssorce at redhat.com Tue Dec 21 07:14:14 2010 From: ssorce at redhat.com (Simo Sorce) Date: Tue, 21 Dec 2010 02:14:14 -0500 Subject: [Freeipa-devel] [PATCH] 0038 Rework init and sync commands of ipa-replica-prepare Message-ID: <20101221021414.541d6226@willson.li.ssimo.org> These commands had a very confusing syntax as well as issues (init was running the memberof task on the wrong server). The commands has been renamed to make it clearer what they do. init -> re-initialize synch -> force-sync both commands now require a --from as the server they get their data from and can only be run on the replica that needs to be re-initialized or re-synced. This is to make it was confusing to understand what server was used so now the server you are operating on is the one you are sitting on. As a bonus the whole thing now works with just admin credentials (or any kerb credentials of a user with the managereplica permission). The init command also does not return until the re-initialization is done (giving out the status once a second) and properly runs the memberof task only once all the entries have been received. The only thing that I am a bit unconfortable with is the new aci on the cn=tasks,cn=config object. I tried to add the task on the cn=memberof task,cn=tasks,cn=config object to restrict pwer only on that task, but DS refused to allow me to set an aci on that entry for some reason. Fixes: #626 Simo. -- Simo Sorce * Red Hat, Inc * New York -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-simo-0038-Rework-old-init-and-synch-commands-and-use-better-na.patch Type: text/x-patch Size: 9251 bytes Desc: not available URL: From jzeleny at redhat.com Tue Dec 21 09:10:24 2010 From: jzeleny at redhat.com (Jan =?iso-8859-15?q?Zelen=FD?=) Date: Tue, 21 Dec 2010 10:10:24 +0100 Subject: [Freeipa-devel] [PATCH] 656 move permissions and privileges In-Reply-To: <4D0FC2E9.8020402@redhat.com> References: <4D0FC2E9.8020402@redhat.com> Message-ID: <201012211010.24423.jzeleny@redhat.com> Rob Crittenden wrote: > Move permissions and privileges to their own container. They don't > really belong in cn=accounts any more. This leaves just roles there. > > ticket 638 > > rob Ack, but I'd be nice to also apply changes to following files, just to prevent confusion in the future: ./install/static/test/data/permission_add.json ./install/static/test/data/permission_show.json ./install/static/test/data/permission_find.json ./install/static/test/data/privilege_show.json ./install/static/test/data/privilege_find.json Jan From jzeleny at redhat.com Tue Dec 21 09:42:57 2010 From: jzeleny at redhat.com (Jan =?iso-8859-15?q?Zelen=FD?=) Date: Tue, 21 Dec 2010 10:42:57 +0100 Subject: [Freeipa-devel] [PATCH] 657 fix a few ACI problems found In-Reply-To: <4D102D6F.5050207@redhat.com> References: <4D102D6F.5050207@redhat.com> Message-ID: <201012211042.57512.jzeleny@redhat.com> Rob Crittenden wrote: > This depends on Adam's patch 0118. > > In meta data make ACI attributes lower-case, sorted. Add possible > attributes. > > The metadata contains a list of possible attributes that an ACI for that > object might need. Add a new variable to hold possible objectclasses for > optional elements (like posixGroup for groups). > > To make the list easier to handle sort it and make it all lower-case. > > Fix a couple of missed camel-case attributes in the default ACI list. > > ticket 641 > > rob ack Jan From jzeleny at redhat.com Tue Dec 21 11:27:37 2010 From: jzeleny at redhat.com (Jan =?iso-8859-1?q?Zelen=FD?=) Date: Tue, 21 Dec 2010 12:27:37 +0100 Subject: [Freeipa-devel] [PATCH] Added some fields to DNS2 plugin Message-ID: <201012211227.37943.jzeleny@redhat.com> Field idnszoneactive is marked as optional with no_create and no_update, because it is set to true by default (see class dnszone_add, I'm not sure this is the right approach though) and for enabling and disabling the zone there are special operations dnszone_enable and dnszone_disable. https://fedorahosted.org/freeipa/ticket/601 -- Thank you Jan Zeleny Red Hat Software Engineer Brno, Czech Republic -------------- next part -------------- A non-text attachment was scrubbed... Name: jzeleny-freeipa-0018-Added-some-fields-to-DNS2-plugin.patch Type: text/x-patch Size: 2351 bytes Desc: not available URL: From jhrozek at redhat.com Tue Dec 21 11:28:17 2010 From: jhrozek at redhat.com (Jakub Hrozek) Date: Tue, 21 Dec 2010 12:28:17 +0100 Subject: [Freeipa-devel] Heads up: FreeIPA license has changed to GPLv3+ Message-ID: <4D108F51.8090202@redhat.com> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Hi, with a recent patch, the license of FreeIPA has changed from GPLv2 only to GPLv3 or later. This mail is just a reminder to change the license blob in any new files or perhaps skeletons for new files in your editor to include the new license blob. Thank you, Jakub -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.11 (GNU/Linux) Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org/ iEYEARECAAYFAk0Qj1EACgkQHsardTLnvCVDbgCgh8IK9yfnCBB/qldIMLXUGFuQ zfIAnjxwwoxAnCkRKbAWEnWMYmSfZAQt =LUnk -----END PGP SIGNATURE----- From jhrozek at redhat.com Tue Dec 21 11:59:50 2010 From: jhrozek at redhat.com (Jakub Hrozek) Date: Tue, 21 Dec 2010 12:59:50 +0100 Subject: [Freeipa-devel] [PATCH] Modified ipa help behavior In-Reply-To: <201012201616.15519.jzeleny@redhat.com> References: <201011080926.12248.jzeleny@redhat.com> <4D0F2C0F.1030500@redhat.com> <201012201548.28171.jzeleny@redhat.com> <201012201616.15519.jzeleny@redhat.com> Message-ID: <4D1096B6.7020703@redhat.com> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 On 12/20/2010 04:16 PM, Jan Zelen? wrote: > Jan Zelen? wrote: >> Jakub Hrozek wrote: >>> On 12/09/2010 09:54 AM, Jan Zelen? wrote: >>>> Jan Zelen? wrote: >>>>> Jan Zelen? wrote: >>>>>> Now each plugin can define its topic as a 2-tuple, where the first >>>>>> item is the name of topic it belongs to and the second item is >>>>>> a description of such topic. Topic descriptions must be the same >>>>>> for all modules belonging to the topic. >>>>>> >>>>>> By using this topics, it is possible to group plugins as we see fit. >>>>>> When asking for help for a particular topic, help for all modules >>>>>> in given topic is written. >>>>>> >>>>>> ipa help - show all topics (until now it showed all plugins) >>>>>> ipa help - show details to given topic >>>>>> >>>>>> https://fedorahosted.org/freeipa/ticket/410 >>>>> >>>>> So here it is: I'm sending couple patches which resolve the ticket and >>>>> implement grouping the way we previously discussed. Please feel free >>>>> to send me any recommendations if anything should be modified. >>>> >>>> Here's updated version of 0014 (changed type detection from type(var) >>>> is type({}) to type(var) is dict) >>>> >>>> Jan >>> >>> The first patch in the series does not apply cleanly anymore, can you >>> rebase? >> >>> Also, ipa help gives me a traceback now: >> Both patches are in the attachment >> >> Jan > > One more change to the renaming of hbac to hbacrule. I'm sending all patches > for better lucidity. > > Jan > Nack, the hbac->hbacrule rename is still not complete. There is still "from ipalib.plugins.hbac import is_all" in ipalib/plugins/netgroup.py and "api.register(hbac)" in ipalib/plugins/hbacrule.py and also "ret = self.failsafe_add(api.Object.hbac," in tests/test_xmlrpc/test_hbac_plugin.py Jakub -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.11 (GNU/Linux) Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org/ iEYEARECAAYFAk0QlrYACgkQHsardTLnvCVW6ACeKTVGIizY9AfoZzVA4zA2yf1H focAni0NUUZwkoPxjZnUveOMOlUAtDeM =XEKr -----END PGP SIGNATURE----- From jhrozek at redhat.com Tue Dec 21 12:22:22 2010 From: jhrozek at redhat.com (Jakub Hrozek) Date: Tue, 21 Dec 2010 13:22:22 +0100 Subject: [Freeipa-devel] [PATCH] Added some fields to DNS2 plugin In-Reply-To: <201012211227.37943.jzeleny@redhat.com> References: <201012211227.37943.jzeleny@redhat.com> Message-ID: <4D109BFE.90907@redhat.com> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 On 12/21/2010 12:27 PM, Jan Zelen? wrote: > Field idnszoneactive is marked as optional with no_create and no_update, > because it is set to true by default (see class dnszone_add, I'm not sure this > is the right approach though) and for enabling and disabling the zone there > are special operations dnszone_enable and dnszone_disable. > > https://fedorahosted.org/freeipa/ticket/601 > Ack -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.11 (GNU/Linux) Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org/ iEYEARECAAYFAk0Qm/4ACgkQHsardTLnvCVAtgCg1U5lvRpPCeWvlJadmZrIzpNu aMMAoOkp4HWxnO8xm5iV8pTZ9qGB8saE =FMwZ -----END PGP SIGNATURE----- From jhrozek at redhat.com Tue Dec 21 13:17:16 2010 From: jhrozek at redhat.com (Jakub Hrozek) Date: Tue, 21 Dec 2010 14:17:16 +0100 Subject: [Freeipa-devel] [PATCH] 0032 Cleanup when deleting a replica In-Reply-To: <20101220170520.3fde6d05@willson.li.ssimo.org> References: <20101215200110.54c16661@willson.li.ssimo.org> <20101220170201.GA10690@zeppelin.brq.redhat.com> <20101220150242.79d9a383@willson.li.ssimo.org> <4D0FCD62.9020403@redhat.com> <20101220170520.3fde6d05@willson.li.ssimo.org> Message-ID: <4D10A8DC.2050507@redhat.com> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 On 12/20/2010 11:05 PM, Simo Sorce wrote: > I guess it work properly if you kdestroy and use the DM password ? > > Simo. > Yes is does. ipa-replica-manage del works, plus I inspected the directory contents before adding and after removing a replica - the only difference is nsDS5ReplicaId: attrbute which is expected. I filed a separate ticket about the ACI problem and ACK to this patch. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.11 (GNU/Linux) Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org/ iEYEARECAAYFAk0QqNwACgkQHsardTLnvCVSBgCeMZsW2m1UnUxiFTfavAuFCxig YJEAn0o4dWqMufHscJFpBtBj+pKShq0Z =90+a -----END PGP SIGNATURE----- From ayoung at redhat.com Tue Dec 21 13:57:50 2010 From: ayoung at redhat.com (Adam Young) Date: Tue, 21 Dec 2010 08:57:50 -0500 Subject: [Freeipa-devel] Issues with ACI UI In-Reply-To: <4D103921.5040008@redhat.com> References: <4D103921.5040008@redhat.com> Message-ID: <4D10B25E.4030908@redhat.com> On 12/21/2010 12:20 AM, Adam Young wrote: > 1. Can't add an ACI. Before, I was able to get away with a blank > filter, but that doesn't seem to work anymore. As a short term work around, I can do the object type as the default, and have the user switch it on edit, but that seems pretty counter-intuitive. My original thought was to have something equivalent to a null filter that gets populated by default, without the user seeing it, and then, when they go to the edit page, they can either change the filter or change the overall type. I need a syntactically valid null filter. > 2. Delegation-add : the group-find for the combo boxes isn't getting > executed. Note that if you clicked 'filter' and then start typing, the combo box does get executed, just not on initial form load. We don't currently have an event that signifies 'show form' which means that I have to populate them on initial creation. This should be a two line fix. > 3. Some edits are broken for Permissions: For certain, update dns > entries The error I am getting here is that the aciattrs is missing. Since this permission is for the whole object, this makes sense. I can shortcircuit the check there, which should be a one line fix. > 4. adding self service permission, attrs is required, even if the > user just wants to do an 'add' permission. > 5. Modifying the self service permission just added gives an internal > error. I removed the 'delete' and 'write' permission ( which I did > not set in the add dialog) as well as the 'audio' permission. Log is > below: > [Tue Dec 21 00:18:03 2010] [error] File > "/usr/lib/python2.6/site-packages/ipaserver/rpcserver.py", line 211, > in wsgi_execute > [Tue Dec 21 00:18:03 2010] [error] result = > self.Command[name](*args, **options) > [Tue Dec 21 00:18:03 2010] [error] File > "/usr/lib/python2.6/site-packages/ipalib/frontend.py", line 417, in > __call__ > [Tue Dec 21 00:18:03 2010] [error] ret = self.run(*args, **options) > [Tue Dec 21 00:18:03 2010] [error] File > "/usr/lib/python2.6/site-packages/ipalib/frontend.py", line 696, in run > [Tue Dec 21 00:18:03 2010] [error] return self.execute(*args, > **options) > [Tue Dec 21 00:18:03 2010] [error] File > "/usr/lib/python2.6/site-packages/ipalib/plugins/selfservice.py", line > 160, in execute > [Tue Dec 21 00:18:03 2010] [error] result = > api.Command['aci_mod'](aciname, **kw)['result'] > [Tue Dec 21 00:18:03 2010] [error] File > "/usr/lib/python2.6/site-packages/ipalib/frontend.py", line 417, in > __call__ > [Tue Dec 21 00:18:03 2010] [error] ret = self.run(*args, **options) > [Tue Dec 21 00:18:03 2010] [error] File > "/usr/lib/python2.6/site-packages/ipalib/frontend.py", line 696, in run > [Tue Dec 21 00:18:03 2010] [error] return self.execute(*args, > **options) > [Tue Dec 21 00:18:03 2010] [error] File > "/usr/lib/python2.6/site-packages/ipalib/plugins/aci.py", line 550, in > execute > [Tue Dec 21 00:18:03 2010] [error] result = > self.api.Command['aci_add'](aciname, **newkw)['result'] > [Tue Dec 21 00:18:03 2010] [error] File > "/usr/lib/python2.6/site-packages/ipalib/frontend.py", line 417, in > __call__ > [Tue Dec 21 00:18:03 2010] [error] ret = self.run(*args, **options) > [Tue Dec 21 00:18:03 2010] [error] File > "/usr/lib/python2.6/site-packages/ipalib/frontend.py", line 696, in run > [Tue Dec 21 00:18:03 2010] [error] return self.execute(*args, > **options) > [Tue Dec 21 00:18:03 2010] [error] File > "/usr/lib/python2.6/site-packages/ipalib/plugins/aci.py", line 450, in > execute > [Tue Dec 21 00:18:03 2010] [error] newaci_str = unicode(newaci) > [Tue Dec 21 00:18:03 2010] [error] File > "/usr/lib/python2.6/site-packages/ipalib/aci.py", line 68, in __repr__ > [Tue Dec 21 00:18:03 2010] [error] return self.export_to_string() > [Tue Dec 21 00:18:03 2010] [error] File > "/usr/lib/python2.6/site-packages/ipalib/aci.py", line 79, in > export_to_string > [Tue Dec 21 00:18:03 2010] [error] target = target + l + " || " > [Tue Dec 21 00:18:03 2010] [error] TypeError: cannot concatenate 'str' > and 'NoneType' objects > > > Some of these are on the UI side, and some are on the server side. > We'll need to sort out which is which. Pretty sure these last two are server side issues. > > _______________________________________________ > Freeipa-devel mailing list > Freeipa-devel at redhat.com > https://www.redhat.com/mailman/listinfo/freeipa-devel From jhrozek at redhat.com Tue Dec 21 13:58:56 2010 From: jhrozek at redhat.com (Jakub Hrozek) Date: Tue, 21 Dec 2010 14:58:56 +0100 Subject: [Freeipa-devel] [PATCH] 0031 Add ACI to all replicas In-Reply-To: <20101214103332.15879c57@willson.li.ssimo.org> References: <20101214103332.15879c57@willson.li.ssimo.org> Message-ID: <4D10B2A0.4020609@redhat.com> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 On 12/14/2010 04:33 PM, Simo Sorce wrote: > > This patch adds ACI on cn=config to replicas too. > Fixes: #617 > > Simo. > Does not apply cleanly on master anymore, but did apply with git am -3 and the code is OK. So ACK, but please rebase before pushing. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.11 (GNU/Linux) Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org/ iEYEARECAAYFAk0QsqAACgkQHsardTLnvCUw5gCghjrvMf1XlVyBgAFPmeNs3GvF W+YAniyIv/FduY+416Bt0rhF3s/6kq7L =XZVG -----END PGP SIGNATURE----- From jhrozek at redhat.com Tue Dec 21 14:10:36 2010 From: jhrozek at redhat.com (Jakub Hrozek) Date: Tue, 21 Dec 2010 15:10:36 +0100 Subject: [Freeipa-devel] [PATCH] 0033 Add disconnect command to change topology In-Reply-To: <20101220150442.23ad4dda@willson.li.ssimo.org> References: <20101215200258.1c118346@willson.li.ssimo.org> <4D0F90E8.4030705@redhat.com> <20101220150442.23ad4dda@willson.li.ssimo.org> Message-ID: <4D10B55C.2040604@redhat.com> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 On 12/20/2010 09:04 PM, Simo Sorce wrote: > On Mon, 20 Dec 2010 18:22:48 +0100 > Jakub Hrozek wrote: > >> -----BEGIN PGP SIGNED MESSAGE----- >> Hash: SHA1 >> >> On 12/16/2010 02:02 AM, Simo Sorce wrote: >>> >>> This command will delete a replication agreement unless it is the >>> last one on either server. It is used to change replication >>> topology without actually removing any single master for the domain >>> (the del command must be used if that the intent). >>> >>> Simo. >>> >> >> Please document the new action in the manpage. As the actions are not >> printed when one specifies --help, there's no way to discover it short >> of reading the code. > > I have a separate ticket to add all the changes to the man page. > It requires some deep review and I preferred to split it from the rest > of the changes. > > Simo. > OK, as long as it is tracked I'm fine :-) Ack -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.11 (GNU/Linux) Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org/ iEYEARECAAYFAk0QtVwACgkQHsardTLnvCUJ4gCg3vMDIqF45HgViCnuyiZ565iB 1sMAn14o9WRdwVswbuXSUOA26AWdwCKL =V6mC -----END PGP SIGNATURE----- From jhrozek at redhat.com Tue Dec 21 14:10:40 2010 From: jhrozek at redhat.com (Jakub Hrozek) Date: Tue, 21 Dec 2010 15:10:40 +0100 Subject: [Freeipa-devel] [PATCH] 0034 REname command for consistency In-Reply-To: <20101215200605.4272d995@willson.li.ssimo.org> References: <20101215200605.4272d995@willson.li.ssimo.org> Message-ID: <4D10B560.9000704@redhat.com> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 On 12/16/2010 02:06 AM, Simo Sorce wrote: > > Rename the "add" command to "connect", this makes it evident it is the > opposite of disconnect. "add" was also ambiguos, one could think it > could be used to add a new replica, while it can only add agreements > between existing replicas thus "connecting" them. > > This patch also enhances a bit the parsing of arguments by > ipa-replica-manage > > Simo. > Ack -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.11 (GNU/Linux) Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org/ iEYEARECAAYFAk0QtWAACgkQHsardTLnvCVDugCfUwK4q7POqQlu6XBLa5evBRmz iXQAn2nMJEDIqSBEB6nqRJuqR5ww2TKK =q+YP -----END PGP SIGNATURE----- From jhrozek at redhat.com Tue Dec 21 14:48:40 2010 From: jhrozek at redhat.com (Jakub Hrozek) Date: Tue, 21 Dec 2010 15:48:40 +0100 Subject: [Freeipa-devel] [PATCH] 0035 Improve ipa-replica-manage list In-Reply-To: <20101215200908.6fc2c069@willson.li.ssimo.org> References: <20101215200908.6fc2c069@willson.li.ssimo.org> Message-ID: <4D10BE48.6000706@redhat.com> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 On 12/16/2010 02:09 AM, Simo Sorce wrote: > > With the previous incarnation it wasn't possible to get a list of all > replicas, only of the replicas directly connected to the one on which > the command was run. > This new version will return all known replicas (as per entries under > cn=master,cn=ipa,cn=etc,$SUFFIX). > If a server name is passed as an argument then the specific replica is > queried to get the list of servers it is directly connected to. > This is so that topology can be easily discovered from a single > machine. > > Simo. > Ack, but only if you squash in the attached one-liner which actually makes ipa-replica-manage list work with --verbose. Right now it would fail with "unexpected error: utcoffset() takes exactly 1 argument (2 given)" -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.11 (GNU/Linux) Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org/ iEYEARECAAYFAk0QvkgACgkQHsardTLnvCW71ACghNc+Kox+wNjJRjH3S9kkKt9A nUsAoJ5hmrGk9luTDV9HKa6bGZceUmNU =E4Nk -----END PGP SIGNATURE----- -------------- next part -------------- A non-text attachment was scrubbed... Name: 0001-fix-GeneralizedTimeZone.utcoffset.patch Type: text/x-patch Size: 737 bytes Desc: not available URL: -------------- next part -------------- A non-text attachment was scrubbed... Name: 0001-fix-GeneralizedTimeZone.utcoffset.patch.sig Type: application/pgp-signature Size: 72 bytes Desc: not available URL: From rcritten at redhat.com Tue Dec 21 14:57:27 2010 From: rcritten at redhat.com (Rob Crittenden) Date: Tue, 21 Dec 2010 09:57:27 -0500 Subject: [Freeipa-devel] [PATCH] 656 move permissions and privileges In-Reply-To: <201012211010.24423.jzeleny@redhat.com> References: <4D0FC2E9.8020402@redhat.com> <201012211010.24423.jzeleny@redhat.com> Message-ID: <4D10C057.8060101@redhat.com> Jan Zelen? wrote: > Rob Crittenden wrote: >> Move permissions and privileges to their own container. They don't >> really belong in cn=accounts any more. This leaves just roles there. >> >> ticket 638 >> >> rob > > Ack, but I'd be nice to also apply changes to following files, just to prevent > confusion in the future: > > ./install/static/test/data/permission_add.json > ./install/static/test/data/permission_show.json > ./install/static/test/data/permission_find.json > ./install/static/test/data/privilege_show.json > ./install/static/test/data/privilege_find.json > > Jan There were added with Adam's recent ACI UI patch. I fixed this as well and re-based. rob -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-rcrit-656-2-pbac.patch Type: text/x-patch Size: 76648 bytes Desc: not available URL: From jhrozek at redhat.com Tue Dec 21 15:29:23 2010 From: jhrozek at redhat.com (Jakub Hrozek) Date: Tue, 21 Dec 2010 16:29:23 +0100 Subject: [Freeipa-devel] [PATCH] 031 Do not require DNS record, just warn if one is missing Message-ID: <4D10C7D3.6060309@redhat.com> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 The way I changed the installer with the IPv6 fix, it would require a record in DNS for the machine hostname and fail if there was none. The previous (and correct) behaviour is to work even if there is only record in /etc/hosts and only warn if there are no DNS records for the given hostname. The attached patch reverts to the original behaviour. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.11 (GNU/Linux) Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org/ iEYEARECAAYFAk0Qx9MACgkQHsardTLnvCUgLwCffxWV+dFR99zvE6Op62dm+V5f skUAn0iO/48bDd6fLXOqEkCY2zCmAHM5 =EfTy -----END PGP SIGNATURE----- -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-jhrozek-031-dont-require-IP.patch Type: text/x-patch Size: 1826 bytes Desc: not available URL: -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-jhrozek-031-dont-require-IP.patch.sig Type: application/pgp-signature Size: 72 bytes Desc: not available URL: From pzuna at redhat.com Tue Dec 21 15:42:03 2010 From: pzuna at redhat.com (Pavel Zuna) Date: Tue, 21 Dec 2010 16:42:03 +0100 Subject: [Freeipa-devel] [PATCH] Fix the mod operations. Message-ID: <4D10CACB.3030508@redhat.com> *-mod operations were not functioning properly after the recent 'rename' patch. Pavel -------------- next part -------------- A non-text attachment was scrubbed... Name: pzuna-freeipa-0046-fixmod.patch Type: text/x-patch Size: 854 bytes Desc: not available URL: From ssorce at redhat.com Tue Dec 21 15:53:35 2010 From: ssorce at redhat.com (Simo Sorce) Date: Tue, 21 Dec 2010 10:53:35 -0500 Subject: [Freeipa-devel] [PATCH] 031 Do not require DNS record, just warn if one is missing In-Reply-To: <4D10C7D3.6060309@redhat.com> References: <4D10C7D3.6060309@redhat.com> Message-ID: <20101221105335.43ec2d45@willson.li.ssimo.org> On Tue, 21 Dec 2010 16:29:23 +0100 Jakub Hrozek wrote: > The way I changed the installer with the IPv6 fix, it would require a > record in DNS for the machine hostname and fail if there was none. > > The previous (and correct) behaviour is to work even if there is only > record in /etc/hosts and only warn if there are no DNS records for the > given hostname. The attached patch reverts to the original behaviour. ACK Simo. -- Simo Sorce * Red Hat, Inc * New York From ssorce at redhat.com Tue Dec 21 15:54:10 2010 From: ssorce at redhat.com (Simo Sorce) Date: Tue, 21 Dec 2010 10:54:10 -0500 Subject: [Freeipa-devel] [PATCH] Fix the mod operations. In-Reply-To: <4D10CACB.3030508@redhat.com> References: <4D10CACB.3030508@redhat.com> Message-ID: <20101221105410.7f1f380a@willson.li.ssimo.org> On Tue, 21 Dec 2010 16:42:03 +0100 Pavel Zuna wrote: > *-mod operations were not functioning properly after the recent > 'rename' patch. ACK Simo. -- Simo Sorce * Red Hat, Inc * New York From pzuna at redhat.com Tue Dec 21 17:13:25 2010 From: pzuna at redhat.com (Pavel Zuna) Date: Tue, 21 Dec 2010 18:13:25 +0100 Subject: [Freeipa-devel] [PATCH] Fix reporting of errors when validating parameters. Message-ID: <4D10E035.8060200@redhat.com> Print the attribute CLI name instead of its 'real' name. The real name is usually the name of the corresponding LDAP attribute, which is confusing to the user. This way we get: Invalid 'login': blablabla instead of: Invalid 'uid': blablabla Another example: Invalid 'hostname': blablabla instead of: Invalid 'fqdn': blablabla Ticket #435 Pavel -------------- next part -------------- A non-text attachment was scrubbed... Name: pzuna-freeipa-0047-validerrors.patch Type: text/x-patch Size: 2406 bytes Desc: not available URL: From pzuna at redhat.com Tue Dec 21 17:14:50 2010 From: pzuna at redhat.com (Pavel Zuna) Date: Tue, 21 Dec 2010 18:14:50 +0100 Subject: [Freeipa-devel] [PATCH] Update built-in help for user (ipa help user) with info about username format. Message-ID: <4D10E08A.2040305@redhat.com> General talk about username format including username length and how to change it in ipa config. Ticket #436 Pavel -------------- next part -------------- A non-text attachment was scrubbed... Name: pzuna-freeipa-0048-helpuser.patch Type: text/x-patch Size: 1101 bytes Desc: not available URL: From rcritten at redhat.com Tue Dec 21 17:31:57 2010 From: rcritten at redhat.com (Rob Crittenden) Date: Tue, 21 Dec 2010 12:31:57 -0500 Subject: [Freeipa-devel] [PATCH] sudo and netgroup schema compat updates In-Reply-To: References: Message-ID: <4D10E48D.8070809@redhat.com> JR Aquino wrote: > Attached are both patches with one modification to 0001: > > -add:schema-compat-container-group: 'cn=SUDOers, $SUFFIX' > +add:schema-compat-container-group: 'ou=SUDOers, $SUFFIX' > > > > Please ack and push to master. ack, pushed to master > > On 12/15/10 8:16 PM, "JR Aquino" wrote: > >> Perfect! >> >> All tests check out clean! >> >> One final piece I think needs a quick one liner: >> >> From: http://www.gratisoft.us/sudo/sudoers.ldap.man.html >> --The sudoers configuration is contained in the ou=SUDOers LDAP >> container.-- >> >> Currently the plugin creates 'cn=sudoers' as opposed to 'ou=sudoers'. >> >> After that change I believe we've nailed it 100%! >> >> Thank you very much Nalin >> >> ACK >> >> >> _______________________________________________ >> Freeipa-devel mailing list >> Freeipa-devel at redhat.com >> https://www.redhat.com/mailman/listinfo/freeipa-devel > From rcritten at redhat.com Tue Dec 21 17:32:26 2010 From: rcritten at redhat.com (Rob Crittenden) Date: Tue, 21 Dec 2010 12:32:26 -0500 Subject: [Freeipa-devel] [PATCH] SUDO plugin support for IpaSudoOptions, external hosts, and external users In-Reply-To: References: Message-ID: <4D10E4AA.6080708@redhat.com> JR Aquino wrote: > Here is the final patch for sudorule external host and user support. > This patch also adds support for adding/removing IpaSudoOpt values. (We > some how missed this till the last hour) > > This addresses item #6 in ticket 570: > (https://fedorahosted.org/freeipa/ticket/570) > (This ticket is remarked as critical and has a note: This blocks > https://fedorahosted.org/freeipa/ticket/534.) > > I have included modifications to the sudoplugin.py xmlrpc test to simplify > review. > > Please review and push. ack, pushed to master rob > > On 12/15/10 11:28 AM, "JR Aquino" wrote: > >> Attached is the patch to provide cli support for external hosts and users. >> >> This is accomplished similarly to the netgroup plugin. >> >> If the plugin is input with a hostname/user that does not exist in the >> directory, the plugin will then assume that the User had intended for >> these objects to be inserted as 'external' entities. It accomplishes >> this in a post_callback. >> >> Just like the netgroup plugin, this introduces a possible caveat where >> someone could mistype a user/host and have it inserted as an external >> entry, but the CLI attempts to reflect this in its output clearly stating >> that an External User or External Host has been added. >> >> Please review. >> >> Here is a sample sudorule containing external entries: >> *Contained herein are, externaluser, externalhost, as well as sudorunas >> and sudorunasgroup* >> >> dn: >> ipaUniqueID=8a9103b8-06cc-11e0-b481-8a3d259cb0b9,cn=sudorules,dc=example,d >> c=com >> objectClass: ipaassociation >> objectClass: ipasudorule >> ipaEnabledFlag: TRUE >> cn: tester >> ipaUniqueID: 8a9103b8-06cc-11e0-b481-8a3d259cb0b9 >> ipaSudoRunAs: uid=admin,cn=users,cn=accounts,dc=example,dc=com >> ipaSudoRunAsGroup: cn=admins,cn=groups,cn=accounts,dc=example,dc=com >> externalUser: testuser >> externalHost: host1.example.com >> >> _______________________________________________ >> Freeipa-devel mailing list >> Freeipa-devel at redhat.com >> https://www.redhat.com/mailman/listinfo/freeipa-devel > > > > _______________________________________________ > Freeipa-devel mailing list > Freeipa-devel at redhat.com > https://www.redhat.com/mailman/listinfo/freeipa-devel From rcritten at redhat.com Tue Dec 21 17:34:19 2010 From: rcritten at redhat.com (Rob Crittenden) Date: Tue, 21 Dec 2010 12:34:19 -0500 Subject: [Freeipa-devel] [PATCH] Fix the mod operations. In-Reply-To: <20101221105410.7f1f380a@willson.li.ssimo.org> References: <4D10CACB.3030508@redhat.com> <20101221105410.7f1f380a@willson.li.ssimo.org> Message-ID: <4D10E51B.70306@redhat.com> Simo Sorce wrote: > On Tue, 21 Dec 2010 16:42:03 +0100 > Pavel Zuna wrote: > >> *-mod operations were not functioning properly after the recent >> 'rename' patch. > > ACK > Simo. > pushed to master From rcritten at redhat.com Tue Dec 21 17:37:27 2010 From: rcritten at redhat.com (Rob Crittenden) Date: Tue, 21 Dec 2010 12:37:27 -0500 Subject: [Freeipa-devel] [PATCH] Added some fields to DNS2 plugin In-Reply-To: <4D109BFE.90907@redhat.com> References: <201012211227.37943.jzeleny@redhat.com> <4D109BFE.90907@redhat.com> Message-ID: <4D10E5D7.7090306@redhat.com> Jakub Hrozek wrote: > -----BEGIN PGP SIGNED MESSAGE----- > Hash: SHA1 > > On 12/21/2010 12:27 PM, Jan Zelen? wrote: >> Field idnszoneactive is marked as optional with no_create and no_update, >> because it is set to true by default (see class dnszone_add, I'm not sure this >> is the right approach though) and for enabling and disabling the zone there >> are special operations dnszone_enable and dnszone_disable. >> >> https://fedorahosted.org/freeipa/ticket/601 >> > > Ack pushed to master From jhrozek at redhat.com Tue Dec 21 17:47:36 2010 From: jhrozek at redhat.com (Jakub Hrozek) Date: Tue, 21 Dec 2010 18:47:36 +0100 Subject: [Freeipa-devel] [PATCH] 0033 Add disconnect command to change topology In-Reply-To: <4D10B55C.2040604@redhat.com> References: <20101215200258.1c118346@willson.li.ssimo.org> <4D0F90E8.4030705@redhat.com> <20101220150442.23ad4dda@willson.li.ssimo.org> <4D10B55C.2040604@redhat.com> Message-ID: <4D10E838.8090603@redhat.com> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 On 12/21/2010 03:10 PM, Jakub Hrozek wrote: > On 12/20/2010 09:04 PM, Simo Sorce wrote: >> On Mon, 20 Dec 2010 18:22:48 +0100 >> Jakub Hrozek wrote: > >>> -----BEGIN PGP SIGNED MESSAGE----- >>> Hash: SHA1 >>> >>> On 12/16/2010 02:02 AM, Simo Sorce wrote: >>>> >>>> This command will delete a replication agreement unless it is the >>>> last one on either server. It is used to change replication >>>> topology without actually removing any single master for the domain >>>> (the del command must be used if that the intent). >>>> >>>> Simo. >>>> >>> >>> Please document the new action in the manpage. As the actions are not >>> printed when one specifies --help, there's no way to discover it short >>> of reading the code. > >> I have a separate ticket to add all the changes to the man page. >> It requires some deep review and I preferred to split it from the rest >> of the changes. > >> Simo. > > > OK, as long as it is tracked I'm fine :-) > > Ack Actually, sorry, one more thing I noticed. In del_link(), you assign "type2 = repl2.get_agreement_type(replica1)" but never use type2 again. Should the next if say "if repl2 and type2 == replication.IPA_REPLICA:" perhaps? _______________________________________________ Freeipa-devel mailing list Freeipa-devel at redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.11 (GNU/Linux) Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org/ iEYEARECAAYFAk0Q6DgACgkQHsardTLnvCWScACg2StFWJ0Qy6qvjHagyJyR1g1h Pg0AoMIKX0xpvoYWU8aAtsoPp5+a4/E7 =31Fc -----END PGP SIGNATURE----- From rcritten at redhat.com Tue Dec 21 17:57:59 2010 From: rcritten at redhat.com (Rob Crittenden) Date: Tue, 21 Dec 2010 12:57:59 -0500 Subject: [Freeipa-devel] [PATCH] Fix reporting of errors when validating parameters. In-Reply-To: <4D10E035.8060200@redhat.com> References: <4D10E035.8060200@redhat.com> Message-ID: <4D10EAA7.7040103@redhat.com> Pavel Zuna wrote: > Print the attribute CLI name instead of its 'real' name. The real name > is usually the name of the corresponding LDAP attribute, which is > confusing to the user. > > This way we get: > > Invalid 'login': blablabla > > instead of: > > Invalid 'uid': blablabla > > > Another example: > > Invalid 'hostname': blablabla > > instead of: > > Invalid 'fqdn': blablabla > > > Ticket #435 > > Pavel ack, pushed to master From atkac at redhat.com Tue Dec 21 17:58:49 2010 From: atkac at redhat.com (Adam Tkac) Date: Tue, 21 Dec 2010 18:58:49 +0100 Subject: [Freeipa-devel] [PATCH] Fix handling of ANY queries in bind-dyndb-ldap Message-ID: <20101221175849.GA7420@traged.englab.brq.redhat.com> Hello all, attached patches fix handling of ANY queries in bind-dyndb-ldap backend. The first patch implements dns_rdatasetiter interface which is needed by allrdatasets() DB method (implemented in the second patch). The allrdatasets() database method is used by the named daemon to handle ANY queries. The third patch fixes the find() DB method to correctly return the complete database node for a certain DNS name. Details are below. If there are no objections I will push the patches. Details: Consider following resource records stored in the LDAP: idns2.example.com. IN A 1.1.1.1 idns2.example.com. IN AAAA ::1 Currently the response for the ANY question looks: --- $ dig @127.0.0.1 idns2.example.com ANY ;; QUESTION SECTION: ;idns2.example.com. IN ANY ;; AUTHORITY SECTION: example.com. 86400 IN SOA idns.example.com. root.example.com. 2009083006 10800 900 604800 86400 --- which is obviously incorrect. With this patch series output looks fine: $ dig @127.0.0.1 idns2.example.com ANY --- ;; QUESTION SECTION: ;idns2.example.com. IN ANY ;; ANSWER SECTION: idns2.example.com. 86400 IN A 1.1.1.1 idns2.example.com. 86400 IN AAAA ::1 ;; AUTHORITY SECTION: example.com. 86400 IN NS idns2.example.com. example.com. 86400 IN NS idns.example.com. example.com. 86400 IN NS ns.example.com. ;; ADDITIONAL SECTION: ns.example.com. 86400 IN A 172.29.255.254 idns.example.com. 86400 IN A 172.30.0.32 --- Regards, Adam -- Adam Tkac, Red Hat, Inc. -------------- next part -------------- >From 1d7f44970bca635b4ed5a9ccd8521a3da6ae31fc Mon Sep 17 00:00:00 2001 From: Adam Tkac Date: Tue, 21 Dec 2010 18:21:29 +0100 Subject: [PATCH 1/3] Implement dns_rdatasetiter interface. Signed-off-by: Adam Tkac --- src/ldap_driver.c | 60 +++++++++++++++++++++++++++++++++++++++++++++++++++++ 1 files changed, 60 insertions(+), 0 deletions(-) diff --git a/src/ldap_driver.c b/src/ldap_driver.c index 925ae20..0b584a5 100644 --- a/src/ldap_driver.c +++ b/src/ldap_driver.c @@ -36,6 +36,7 @@ #include #include #include +#include #include #include #include @@ -75,12 +76,71 @@ typedef struct { ldapdb_rdatalist_t rdatalist; } ldapdbnode_t; +typedef struct { + dns_rdatasetiter_t common; + dns_rdatalist_t *current; +} ldapdb_rdatasetiter_t; + static int dummy; static void *ldapdb_version = &dummy; static void free_ldapdb(ldapdb_t *ldapdb); static void detachnode(dns_db_t *db, dns_dbnode_t **targetp); static unsigned int rdatalist_length(const dns_rdatalist_t *rdlist); +static isc_result_t clone_rdatalist_to_rdataset(isc_mem_t *mctx, + dns_rdatalist_t *rdlist, + dns_rdataset_t *rdataset); + +/* ldapdb_rdatasetiter_t methods */ +static void +rdatasetiter_destroy(dns_rdatasetiter_t **iterp) +{ + ldapdb_rdatasetiter_t *ldapdbiter = (ldapdb_rdatasetiter_t *)(*iterp); + + detachnode(ldapdbiter->common.db, &ldapdbiter->common.node); + SAFE_MEM_PUT_PTR(ldapdbiter->common.db->mctx, ldapdbiter); + *iterp = NULL; +} + +static isc_result_t +rdatasetiter_first(dns_rdatasetiter_t *iter) +{ + ldapdb_rdatasetiter_t *ldapdbiter = (ldapdb_rdatasetiter_t *)iter; + ldapdbnode_t *node = (ldapdbnode_t *)iter->node; + + if (EMPTY(node->rdatalist)) + return ISC_R_NOMORE; + + ldapdbiter->current = HEAD(node->rdatalist); + return ISC_R_SUCCESS; +} + +static isc_result_t +rdatasetiter_next(dns_rdatasetiter_t *iter) +{ + ldapdb_rdatasetiter_t *ldapdbiter = (ldapdb_rdatasetiter_t *)iter; + + ldapdbiter->current = NEXT(ldapdbiter->current, link); + return (ldapdbiter->current == NULL) ? ISC_R_NOMORE : ISC_R_SUCCESS; +} + +static void +rdatasetiter_current(dns_rdatasetiter_t *iter, dns_rdataset_t *rdataset) +{ + ldapdb_rdatasetiter_t *ldapdbiter = (ldapdb_rdatasetiter_t *)iter; + isc_result_t result; + + result = clone_rdatalist_to_rdataset(ldapdbiter->common.db->mctx, + ldapdbiter->current, rdataset); + INSIST(result == ISC_R_SUCCESS); +} + +static dns_rdatasetitermethods_t rdatasetiter_methods = { + rdatasetiter_destroy, + rdatasetiter_first, + rdatasetiter_next, + rdatasetiter_current +}; /* ldapdbnode_t functions */ static isc_result_t -- 1.7.3.4 -------------- next part -------------- >From 2f750c435ab9af81ec88658a685d17f76d7dc2a7 Mon Sep 17 00:00:00 2001 From: Adam Tkac Date: Tue, 21 Dec 2010 18:26:31 +0100 Subject: [PATCH 2/3] Implement allrdatasets() DB method. Signed-off-by: Adam Tkac --- src/ldap_driver.c | 25 +++++++++++++++++++------ 1 files changed, 19 insertions(+), 6 deletions(-) diff --git a/src/ldap_driver.c b/src/ldap_driver.c index 0b584a5..5787d6f 100644 --- a/src/ldap_driver.c +++ b/src/ldap_driver.c @@ -606,13 +606,26 @@ static isc_result_t allrdatasets(dns_db_t *db, dns_dbnode_t *node, dns_dbversion_t *version, isc_stdtime_t now, dns_rdatasetiter_t **iteratorp) { - UNUSED(db); - UNUSED(node); - UNUSED(version); - UNUSED(now); - UNUSED(iteratorp); + ldapdb_rdatasetiter_t *iter; + isc_result_t result; - return ISC_R_NOTIMPLEMENTED; + REQUIRE(version == NULL || version == &dummy); + + CHECKED_MEM_GET_PTR(db->mctx, iter); + iter->common.magic = DNS_RDATASETITER_MAGIC; + iter->common.methods = &rdatasetiter_methods; + iter->common.db = db; + iter->common.node = NULL; + attachnode(db, node, &iter->common.node); + iter->common.version = version; + iter->common.now = now; + + *iteratorp = (dns_rdatasetiter_t *)iter; + + return ISC_R_SUCCESS; + +cleanup: + return result; } /* -- 1.7.3.4 -------------- next part -------------- >From 6aebf7e1162654dc3d15741de5fbfc35a27a44ee Mon Sep 17 00:00:00 2001 From: Adam Tkac Date: Tue, 21 Dec 2010 18:43:25 +0100 Subject: [PATCH 3/3] Fix ticket #2 - handling of DNS ANY questions. Signed-off-by: Adam Tkac --- src/ldap_driver.c | 8 ++++++++ 1 files changed, 8 insertions(+), 0 deletions(-) diff --git a/src/ldap_driver.c b/src/ldap_driver.c index 5787d6f..965877c 100644 --- a/src/ldap_driver.c +++ b/src/ldap_driver.c @@ -435,6 +435,13 @@ find(dns_db_t *db, dns_name_t *name, dns_dbversion_t *version, if (result != ISC_R_SUCCESS && result != DNS_R_PARTIALMATCH) return (result == ISC_R_NOTFOUND) ? DNS_R_NXDOMAIN : result; + /* + * ANY pseudotype indicates the whole node, skip routines + * which attempts to find the exact RR type. + */ + if (type == dns_rdatatype_any) + goto anyfound; + result = ldapdb_rdatalist_findrdatatype(&rdatalist, type, &rdlist); if (result != ISC_R_SUCCESS) { /* No exact rdtype match. Check CNAME */ @@ -455,6 +462,7 @@ find(dns_db_t *db, dns_name_t *name, dns_dbversion_t *version, goto cleanup; } +anyfound: /* XXX currently we implemented only exact authoritative matches */ CHECK(dns_name_copy(name, foundname, NULL)); -- 1.7.3.4 From rcritten at redhat.com Tue Dec 21 18:00:28 2010 From: rcritten at redhat.com (Rob Crittenden) Date: Tue, 21 Dec 2010 13:00:28 -0500 Subject: [Freeipa-devel] [PATCH] 657 fix a few ACI problems found In-Reply-To: <201012211042.57512.jzeleny@redhat.com> References: <4D102D6F.5050207@redhat.com> <201012211042.57512.jzeleny@redhat.com> Message-ID: <4D10EB3C.5040103@redhat.com> Jan Zelen? wrote: > Rob Crittenden wrote: >> This depends on Adam's patch 0118. >> >> In meta data make ACI attributes lower-case, sorted. Add possible >> attributes. >> >> The metadata contains a list of possible attributes that an ACI for that >> object might need. Add a new variable to hold possible objectclasses for >> optional elements (like posixGroup for groups). >> >> To make the list easier to handle sort it and make it all lower-case. >> >> Fix a couple of missed camel-case attributes in the default ACI list. >> >> ticket 641 >> >> rob > > ack > > Jan pushed to master From jhrozek at redhat.com Tue Dec 21 18:09:46 2010 From: jhrozek at redhat.com (Jakub Hrozek) Date: Tue, 21 Dec 2010 19:09:46 +0100 Subject: [Freeipa-devel] [PATCH] 0038 Rework init and sync commands of ipa-replica-prepare In-Reply-To: <20101221021414.541d6226@willson.li.ssimo.org> References: <20101221021414.541d6226@willson.li.ssimo.org> Message-ID: <4D10ED6A.2010607@redhat.com> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 On 12/21/2010 08:14 AM, Simo Sorce wrote: > > These commands had a very confusing syntax as well as issues (init was > running the memberof task on the wrong server). > > The commands has been renamed to make it clearer what they do. > init -> re-initialize > synch -> force-sync > > both commands now require a --from as the server they get > their data from and can only be run on the replica that needs to be > re-initialized or re-synced. This is to make it was confusing to > understand what server was used so now the server you are operating on > is the one you are sitting on. > > As a bonus the whole thing now works with just admin credentials (or > any kerb credentials of a user with the managereplica permission). > > The init command also does not return until the re-initialization is > done (giving out the status once a second) and properly runs the > memberof task only once all the entries have been received. > > The only thing that I am a bit unconfortable with is the new aci on the > cn=tasks,cn=config object. I tried to add the task on the cn=memberof > task,cn=tasks,cn=config object to restrict pwer only on that task, but > DS refused to allow me to set an aci on that entry for some reason. > > Fixes: #626 > > Simo. > The patch looks good to me, but the hunk in ipaserver/install/service.py seems to be completely unrelated. Did you run git commit -am by accident? -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.11 (GNU/Linux) Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org/ iEYEARECAAYFAk0Q7WoACgkQHsardTLnvCX9qwCgoOvWEijDCVR5HdkwTmUy3k1G 10cAoOUf3Ku9jtsVTT1Wt0iTmX5uKuoP =GMK7 -----END PGP SIGNATURE----- From ayoung at redhat.com Tue Dec 21 18:39:24 2010 From: ayoung at redhat.com (Adam Young) Date: Tue, 21 Dec 2010 13:39:24 -0500 Subject: [Freeipa-devel] [PATCH] populate the group select upon initial creation Message-ID: <4D10F45C.4000207@redhat.com> commit 2cb53ec8d0271c8db0f09203fdc60878a66cbdb6 Author: Adam Young Date: Tue Dec 21 13:37:23 2010 -0500 populate the group select upon initial creation Fixes the delegation add dialog diff --git a/install/static/aci.js b/install/static/aci.js index d536e34..f31449f 100644 --- a/install/static/aci.js +++ b/install/static/aci.js @@ -179,7 +179,7 @@ IPA.entity_select_widget = function(spec){ return false; } }).appendTo(dd); - + populate_select(); } var value = ''; that.reset = function(){ Pushed under the one liner rule. From ssorce at redhat.com Tue Dec 21 18:43:30 2010 From: ssorce at redhat.com (Simo Sorce) Date: Tue, 21 Dec 2010 13:43:30 -0500 Subject: [Freeipa-devel] [PATCH] 0038 Rework init and sync commands of ipa-replica-prepare In-Reply-To: <4D10ED6A.2010607@redhat.com> References: <20101221021414.541d6226@willson.li.ssimo.org> <4D10ED6A.2010607@redhat.com> Message-ID: <20101221134330.75ef38ea@willson.li.ssimo.org> On Tue, 21 Dec 2010 19:09:46 +0100 Jakub Hrozek wrote: > The patch looks good to me, but the hunk in > ipaserver/install/service.py seems to be completely unrelated. Did > you run git commit -am by accident? As discussed on IRC this is necessary to make things work when we are using SASL/GSSAPI instead of simple binds with passwords. Simo. -- Simo Sorce * Red Hat, Inc * New York From ssorce at redhat.com Tue Dec 21 18:48:58 2010 From: ssorce at redhat.com (Simo Sorce) Date: Tue, 21 Dec 2010 13:48:58 -0500 Subject: [Freeipa-devel] [PATCH] 0033 Add disconnect command to change topology In-Reply-To: <4D10E838.8090603@redhat.com> References: <20101215200258.1c118346@willson.li.ssimo.org> <4D0F90E8.4030705@redhat.com> <20101220150442.23ad4dda@willson.li.ssimo.org> <4D10B55C.2040604@redhat.com> <4D10E838.8090603@redhat.com> Message-ID: <20101221134858.4b3a41de@willson.li.ssimo.org> On Tue, 21 Dec 2010 18:47:36 +0100 Jakub Hrozek wrote: > -----BEGIN PGP SIGNED MESSAGE----- > Hash: SHA1 > > On 12/21/2010 03:10 PM, Jakub Hrozek wrote: > > On 12/20/2010 09:04 PM, Simo Sorce wrote: > >> On Mon, 20 Dec 2010 18:22:48 +0100 > >> Jakub Hrozek wrote: > > > >>> -----BEGIN PGP SIGNED MESSAGE----- > >>> Hash: SHA1 > >>> > >>> On 12/16/2010 02:02 AM, Simo Sorce wrote: > >>>> > >>>> This command will delete a replication agreement unless it is the > >>>> last one on either server. It is used to change replication > >>>> topology without actually removing any single master for the > >>>> domain (the del command must be used if that the intent). > >>>> > >>>> Simo. > >>>> > >>> > >>> Please document the new action in the manpage. As the actions are > >>> not printed when one specifies --help, there's no way to discover > >>> it short of reading the code. > > > >> I have a separate ticket to add all the changes to the man page. > >> It requires some deep review and I preferred to split it from the > >> rest of the changes. > > > >> Simo. > > > > > > OK, as long as it is tracked I'm fine :-) > > > > Ack > > Actually, sorry, one more thing I noticed. In del_link(), you assign > "type2 = repl2.get_agreement_type(replica1)" but never use type2 > again. Should the next if say "if repl2 and type2 == > replication.IPA_REPLICA:" perhaps? Initially that was the aim, but then I realized that you wouldn't be able to delete replication agreements with Windows domains (winsync), if you enforced that so I just removed the check about type2 and type2 was left unused. I can remove that line before pushing if needed. Simo. -- Simo Sorce * Red Hat, Inc * New York From ayoung at redhat.com Tue Dec 21 19:04:19 2010 From: ayoung at redhat.com (Adam Young) Date: Tue, 21 Dec 2010 14:04:19 -0500 Subject: [Freeipa-devel] Issues with ACI UI In-Reply-To: <4D10B25E.4030908@redhat.com> References: <4D103921.5040008@redhat.com> <4D10B25E.4030908@redhat.com> Message-ID: <4D10FA33.2030404@redhat.com> On 12/21/2010 08:57 AM, Adam Young wrote: > On 12/21/2010 12:20 AM, Adam Young wrote: >> 1. Can't add an ACI. Before, I was able to get away with a blank >> filter, but that doesn't seem to work anymore. > As a short term work around, I can do the object type as the default, > and have the user switch it on edit, but that seems pretty > counter-intuitive. My original thought was to have something > equivalent to a null filter that gets populated by default, without > the user seeing it, and then, when they go to the edit page, they can > either change the filter or change the overall type. I need a > syntactically valid null filter. OK, I can use something like objectClass=thisclassdoesnotexist However, if I do that, whenever I call permission-mod I now get "rename is required" > > > >> 2. Delegation-add : the group-find for the combo boxes isn't >> getting executed. > Note that if you clicked 'filter' and then start typing, the combo box > does get executed, just not on initial form load. We don't currently > have an event that signifies 'show form' which means that I have to > populate them on initial creation. This should be a two line fix. Got it in one > > > >> 3. Some edits are broken for Permissions: For certain, update dns >> entries > The error I am getting here is that the aciattrs is missing. Since > this permission is for the whole object, this makes sense. I can > shortcircuit the check there, which should be a one line fix. I was wrong about the cuase. THe problem is that the dns entities are not showing up in the meta-data aciattrs list. > >> 4. adding self service permission, attrs is required, even if the >> user just wants to do an 'add' permission. >> 5. Modifying the self service permission just added gives an >> internal error. I removed the 'delete' and 'write' permission ( >> which I did not set in the add dialog) as well as the 'audio' >> permission. Log is below: >> [Tue Dec 21 00:18:03 2010] [error] File >> "/usr/lib/python2.6/site-packages/ipaserver/rpcserver.py", line 211, >> in wsgi_execute >> [Tue Dec 21 00:18:03 2010] [error] result = >> self.Command[name](*args, **options) >> [Tue Dec 21 00:18:03 2010] [error] File >> "/usr/lib/python2.6/site-packages/ipalib/frontend.py", line 417, in >> __call__ >> [Tue Dec 21 00:18:03 2010] [error] ret = self.run(*args, **options) >> [Tue Dec 21 00:18:03 2010] [error] File >> "/usr/lib/python2.6/site-packages/ipalib/frontend.py", line 696, in run >> [Tue Dec 21 00:18:03 2010] [error] return self.execute(*args, >> **options) >> [Tue Dec 21 00:18:03 2010] [error] File >> "/usr/lib/python2.6/site-packages/ipalib/plugins/selfservice.py", >> line 160, in execute >> [Tue Dec 21 00:18:03 2010] [error] result = >> api.Command['aci_mod'](aciname, **kw)['result'] >> [Tue Dec 21 00:18:03 2010] [error] File >> "/usr/lib/python2.6/site-packages/ipalib/frontend.py", line 417, in >> __call__ >> [Tue Dec 21 00:18:03 2010] [error] ret = self.run(*args, **options) >> [Tue Dec 21 00:18:03 2010] [error] File >> "/usr/lib/python2.6/site-packages/ipalib/frontend.py", line 696, in run >> [Tue Dec 21 00:18:03 2010] [error] return self.execute(*args, >> **options) >> [Tue Dec 21 00:18:03 2010] [error] File >> "/usr/lib/python2.6/site-packages/ipalib/plugins/aci.py", line 550, >> in execute >> [Tue Dec 21 00:18:03 2010] [error] result = >> self.api.Command['aci_add'](aciname, **newkw)['result'] >> [Tue Dec 21 00:18:03 2010] [error] File >> "/usr/lib/python2.6/site-packages/ipalib/frontend.py", line 417, in >> __call__ >> [Tue Dec 21 00:18:03 2010] [error] ret = self.run(*args, **options) >> [Tue Dec 21 00:18:03 2010] [error] File >> "/usr/lib/python2.6/site-packages/ipalib/frontend.py", line 696, in run >> [Tue Dec 21 00:18:03 2010] [error] return self.execute(*args, >> **options) >> [Tue Dec 21 00:18:03 2010] [error] File >> "/usr/lib/python2.6/site-packages/ipalib/plugins/aci.py", line 450, >> in execute >> [Tue Dec 21 00:18:03 2010] [error] newaci_str = unicode(newaci) >> [Tue Dec 21 00:18:03 2010] [error] File >> "/usr/lib/python2.6/site-packages/ipalib/aci.py", line 68, in __repr__ >> [Tue Dec 21 00:18:03 2010] [error] return self.export_to_string() >> [Tue Dec 21 00:18:03 2010] [error] File >> "/usr/lib/python2.6/site-packages/ipalib/aci.py", line 79, in >> export_to_string >> [Tue Dec 21 00:18:03 2010] [error] target = target + l + " || " >> [Tue Dec 21 00:18:03 2010] [error] TypeError: cannot concatenate >> 'str' and 'NoneType' objects >> >> >> Some of these are on the UI side, and some are on the server side. >> We'll need to sort out which is which. > > Pretty sure these last two are server side issues. >> >> _______________________________________________ >> Freeipa-devel mailing list >> Freeipa-devel at redhat.com >> https://www.redhat.com/mailman/listinfo/freeipa-devel > > _______________________________________________ > Freeipa-devel mailing list > Freeipa-devel at redhat.com > https://www.redhat.com/mailman/listinfo/freeipa-devel From jhrozek at redhat.com Tue Dec 21 20:57:29 2010 From: jhrozek at redhat.com (Jakub Hrozek) Date: Tue, 21 Dec 2010 21:57:29 +0100 Subject: [Freeipa-devel] [PATCH] 0033 Add disconnect command to change topology In-Reply-To: <20101221134858.4b3a41de@willson.li.ssimo.org> References: <20101215200258.1c118346@willson.li.ssimo.org> <4D0F90E8.4030705@redhat.com> <20101220150442.23ad4dda@willson.li.ssimo.org> <4D10B55C.2040604@redhat.com> <4D10E838.8090603@redhat.com> <20101221134858.4b3a41de@willson.li.ssimo.org> Message-ID: <4D1114B9.3000606@redhat.com> On 12/21/2010 07:48 PM, Simo Sorce wrote: > On Tue, 21 Dec 2010 18:47:36 +0100 > Jakub Hrozek wrote: > >> -----BEGIN PGP SIGNED MESSAGE----- >> Hash: SHA1 >> >> On 12/21/2010 03:10 PM, Jakub Hrozek wrote: >>> On 12/20/2010 09:04 PM, Simo Sorce wrote: >>>> On Mon, 20 Dec 2010 18:22:48 +0100 >>>> Jakub Hrozek wrote: >>> >>>>> -----BEGIN PGP SIGNED MESSAGE----- >>>>> Hash: SHA1 >>>>> >>>>> On 12/16/2010 02:02 AM, Simo Sorce wrote: >>>>>> >>>>>> This command will delete a replication agreement unless it is the >>>>>> last one on either server. It is used to change replication >>>>>> topology without actually removing any single master for the >>>>>> domain (the del command must be used if that the intent). >>>>>> >>>>>> Simo. >>>>>> >>>>> >>>>> Please document the new action in the manpage. As the actions are >>>>> not printed when one specifies --help, there's no way to discover >>>>> it short of reading the code. >>> >>>> I have a separate ticket to add all the changes to the man page. >>>> It requires some deep review and I preferred to split it from the >>>> rest of the changes. >>> >>>> Simo. >>> >>> >>> OK, as long as it is tracked I'm fine :-) >>> >>> Ack >> >> Actually, sorry, one more thing I noticed. In del_link(), you assign >> "type2 = repl2.get_agreement_type(replica1)" but never use type2 >> again. Should the next if say "if repl2 and type2 == >> replication.IPA_REPLICA:" perhaps? > > Initially that was the aim, but then I realized that you wouldn't be > able to delete replication agreements with Windows domains (winsync), > if you enforced that so I just removed the check about type2 and type2 > was left unused. > > I can remove that line before pushing if needed. > > Simo. > Yes, I think that would be nice. Ack again and thanks for explaining! From jhrozek at redhat.com Tue Dec 21 21:04:12 2010 From: jhrozek at redhat.com (Jakub Hrozek) Date: Tue, 21 Dec 2010 22:04:12 +0100 Subject: [Freeipa-devel] [PATCH] 0038 Rework init and sync commands of ipa-replica-prepare In-Reply-To: <20101221134330.75ef38ea@willson.li.ssimo.org> References: <20101221021414.541d6226@willson.li.ssimo.org> <4D10ED6A.2010607@redhat.com> <20101221134330.75ef38ea@willson.li.ssimo.org> Message-ID: <4D11164C.9040706@redhat.com> On 12/21/2010 07:43 PM, Simo Sorce wrote: > On Tue, 21 Dec 2010 19:09:46 +0100 > Jakub Hrozek wrote: > >> The patch looks good to me, but the hunk in >> ipaserver/install/service.py seems to be completely unrelated. Did >> you run git commit -am by accident? > > As discussed on IRC this is necessary to make things work when we are > using SASL/GSSAPI instead of simple binds with passwords. > > Simo. > Thank you for explanation. Ack. From jhrozek at redhat.com Tue Dec 21 22:17:53 2010 From: jhrozek at redhat.com (Jakub Hrozek) Date: Tue, 21 Dec 2010 23:17:53 +0100 Subject: [Freeipa-devel] [PATCH] Remove referrals to removed replicas/links In-Reply-To: <20101220151001.6c10d421@willson.li.ssimo.org> References: <20101220151001.6c10d421@willson.li.ssimo.org> Message-ID: <4D112791.4010705@redhat.com> On 12/20/2010 09:10 PM, Simo Sorce wrote: > When a replication agreement is removed also make sure to remove > referrals to the replicas to avoid dangling referrals. > > This patch also fixes acis related to replica as the fix is also > required to be able to change the referrals attributes. > > Simo. > Ack. As discussed with Simo on IRC, calling del_link() when performing ipa-replica-manage del would be handled in a follow-up patch. From ssorce at redhat.com Tue Dec 21 22:21:55 2010 From: ssorce at redhat.com (Simo Sorce) Date: Tue, 21 Dec 2010 17:21:55 -0500 Subject: [Freeipa-devel] [PATCH] 0039 Fix ipa-replica-manage del command to remove all agreements Message-ID: <20101221172155.268aba4f@willson.li.ssimo.org> With this patch all agreements to the replica being deleted are properly removed even when we have to force the replica removal because it is not available anymore. As a bonus this command too now works with just Kerberos credentials of a user that have enough privileges. Simo. -- Simo Sorce * Red Hat, Inc * New York -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-simo-0039-Make-ipa-replica-manage-del-actually-remove-all-repl.patch Type: text/x-patch Size: 7703 bytes Desc: not available URL: From ssorce at redhat.com Tue Dec 21 22:23:33 2010 From: ssorce at redhat.com (Simo Sorce) Date: Tue, 21 Dec 2010 17:23:33 -0500 Subject: [Freeipa-devel] [PATCH] 0040 Temporary fix for ipa-replica-manage connect Message-ID: <20101221172333.4a71746f@willson.li.ssimo.org> There are some issues deep down the replication instance that prevent us from successfully add new connections between replicas using SASL/GSSAPI credentials. Force the request for the DM password for now so that the command can work. Simo. -- Simo Sorce * Red Hat, Inc * New York -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-simo-0040-Temporary-fix-for-connect-operations.patch Type: text/x-patch Size: 1175 bytes Desc: not available URL: From ssorce at redhat.com Tue Dec 21 22:30:21 2010 From: ssorce at redhat.com (Simo Sorce) Date: Tue, 21 Dec 2010 17:30:21 -0500 Subject: [Freeipa-devel] [PATCH] 0031 Add ACI to all replicas In-Reply-To: <4D10B2A0.4020609@redhat.com> References: <20101214103332.15879c57@willson.li.ssimo.org> <4D10B2A0.4020609@redhat.com> Message-ID: <20101221173021.6ae2aa10@willson.li.ssimo.org> On Tue, 21 Dec 2010 14:58:56 +0100 Jakub Hrozek wrote: > -----BEGIN PGP SIGNED MESSAGE----- > Hash: SHA1 > > On 12/14/2010 04:33 PM, Simo Sorce wrote: > > > > This patch adds ACI on cn=config to replicas too. > > Fixes: #617 > > > > Simo. > > > > Does not apply cleanly on master anymore, but did apply with git am -3 > and the code is OK. > > So ACK, but please rebase before pushing. Rebased and pushed. Simo. -- Simo Sorce * Red Hat, Inc * New York From ssorce at redhat.com Tue Dec 21 22:31:50 2010 From: ssorce at redhat.com (Simo Sorce) Date: Tue, 21 Dec 2010 17:31:50 -0500 Subject: [Freeipa-devel] [PATCH] 0033 Add disconnect command to change topology In-Reply-To: <4D1114B9.3000606@redhat.com> References: <20101215200258.1c118346@willson.li.ssimo.org> <4D0F90E8.4030705@redhat.com> <20101220150442.23ad4dda@willson.li.ssimo.org> <4D10B55C.2040604@redhat.com> <4D10E838.8090603@redhat.com> <20101221134858.4b3a41de@willson.li.ssimo.org> <4D1114B9.3000606@redhat.com> Message-ID: <20101221173150.2eb42fa1@willson.li.ssimo.org> On Tue, 21 Dec 2010 21:57:29 +0100 Jakub Hrozek wrote: > On 12/21/2010 07:48 PM, Simo Sorce wrote: > > On Tue, 21 Dec 2010 18:47:36 +0100 > > Jakub Hrozek wrote: > > > >> -----BEGIN PGP SIGNED MESSAGE----- > >> Hash: SHA1 > >> > >> On 12/21/2010 03:10 PM, Jakub Hrozek wrote: > >>> On 12/20/2010 09:04 PM, Simo Sorce wrote: > >>>> On Mon, 20 Dec 2010 18:22:48 +0100 > >>>> Jakub Hrozek wrote: > >>> > >>>>> -----BEGIN PGP SIGNED MESSAGE----- > >>>>> Hash: SHA1 > >>>>> > >>>>> On 12/16/2010 02:02 AM, Simo Sorce wrote: > >>>>>> > >>>>>> This command will delete a replication agreement unless it is > >>>>>> the last one on either server. It is used to change replication > >>>>>> topology without actually removing any single master for the > >>>>>> domain (the del command must be used if that the intent). > >>>>>> > >>>>>> Simo. > >>>>>> > >>>>> > >>>>> Please document the new action in the manpage. As the actions > >>>>> are not printed when one specifies --help, there's no way to > >>>>> discover it short of reading the code. > >>> > >>>> I have a separate ticket to add all the changes to the man page. > >>>> It requires some deep review and I preferred to split it from the > >>>> rest of the changes. > >>> > >>>> Simo. > >>> > >>> > >>> OK, as long as it is tracked I'm fine :-) > >>> > >>> Ack > >> > >> Actually, sorry, one more thing I noticed. In del_link(), you > >> assign "type2 = repl2.get_agreement_type(replica1)" but never use > >> type2 again. Should the next if say "if repl2 and type2 == > >> replication.IPA_REPLICA:" perhaps? > > > > Initially that was the aim, but then I realized that you wouldn't be > > able to delete replication agreements with Windows domains > > (winsync), if you enforced that so I just removed the check about > > type2 and type2 was left unused. > > > > I can remove that line before pushing if needed. > > > > Simo. > > > > Yes, I think that would be nice. > > Ack again and thanks for explaining! removed the type2 line and also added a repl2 = None on top (it was causing errors in a later patch). Pushed to master. Simo. -- Simo Sorce * Red Hat, Inc * New York From ssorce at redhat.com Tue Dec 21 22:32:08 2010 From: ssorce at redhat.com (Simo Sorce) Date: Tue, 21 Dec 2010 17:32:08 -0500 Subject: [Freeipa-devel] [PATCH] 0034 REname command for consistency In-Reply-To: <4D10B560.9000704@redhat.com> References: <20101215200605.4272d995@willson.li.ssimo.org> <4D10B560.9000704@redhat.com> Message-ID: <20101221173208.3b140d69@willson.li.ssimo.org> On Tue, 21 Dec 2010 15:10:40 +0100 Jakub Hrozek wrote: > -----BEGIN PGP SIGNED MESSAGE----- > Hash: SHA1 > > On 12/16/2010 02:06 AM, Simo Sorce wrote: > > > > Rename the "add" command to "connect", this makes it evident it is > > the opposite of disconnect. "add" was also ambiguos, one could > > think it could be used to add a new replica, while it can only add > > agreements between existing replicas thus "connecting" them. > > > > This patch also enhances a bit the parsing of arguments by > > ipa-replica-manage > > > > Simo. > > > > Ack Pushed to master. Simo. -- Simo Sorce * Red Hat, Inc * New York From ssorce at redhat.com Tue Dec 21 22:32:40 2010 From: ssorce at redhat.com (Simo Sorce) Date: Tue, 21 Dec 2010 17:32:40 -0500 Subject: [Freeipa-devel] [PATCH] 0035 Improve ipa-replica-manage list In-Reply-To: <4D10BE48.6000706@redhat.com> References: <20101215200908.6fc2c069@willson.li.ssimo.org> <4D10BE48.6000706@redhat.com> Message-ID: <20101221173240.2409f7c5@willson.li.ssimo.org> On Tue, 21 Dec 2010 15:48:40 +0100 Jakub Hrozek wrote: > Ack, but only if you squash in the attached one-liner which actually > makes ipa-replica-manage list work with --verbose. Right now it would > fail with "unexpected error: utcoffset() takes exactly 1 argument (2 > given)" > Thanks, I had noticed and then forgotten this error. I squashed in your fix and pushed to master. Simo. -- Simo Sorce * Red Hat, Inc * New York From ssorce at redhat.com Tue Dec 21 22:33:22 2010 From: ssorce at redhat.com (Simo Sorce) Date: Tue, 21 Dec 2010 17:33:22 -0500 Subject: [Freeipa-devel] [PATCH] Remove referrals to removed replicas/links In-Reply-To: <4D112791.4010705@redhat.com> References: <20101220151001.6c10d421@willson.li.ssimo.org> <4D112791.4010705@redhat.com> Message-ID: <20101221173322.3c5f6a3c@willson.li.ssimo.org> On Tue, 21 Dec 2010 23:17:53 +0100 Jakub Hrozek wrote: > Ack. Pushed to master. > As discussed with Simo on IRC, calling del_link() when performing > ipa-replica-manage del would be handled in a follow-up patch. Patch 0039 does this and I have sent it to the list. Thanks, Simo. -- Simo Sorce * Red Hat, Inc * New York From ssorce at redhat.com Tue Dec 21 22:33:54 2010 From: ssorce at redhat.com (Simo Sorce) Date: Tue, 21 Dec 2010 17:33:54 -0500 Subject: [Freeipa-devel] [PATCH] 0038 Rework init and sync commands of ipa-replica-prepare In-Reply-To: <4D11164C.9040706@redhat.com> References: <20101221021414.541d6226@willson.li.ssimo.org> <4D10ED6A.2010607@redhat.com> <20101221134330.75ef38ea@willson.li.ssimo.org> <4D11164C.9040706@redhat.com> Message-ID: <20101221173354.4efe3f94@willson.li.ssimo.org> On Tue, 21 Dec 2010 22:04:12 +0100 Jakub Hrozek wrote: > On 12/21/2010 07:43 PM, Simo Sorce wrote: > > On Tue, 21 Dec 2010 19:09:46 +0100 > > Jakub Hrozek wrote: > > > >> The patch looks good to me, but the hunk in > >> ipaserver/install/service.py seems to be completely unrelated. Did > >> you run git commit -am by accident? > > > > As discussed on IRC this is necessary to make things work when we > > are using SASL/GSSAPI instead of simple binds with passwords. > > > > Simo. > > > > Thank you for explanation. Ack. Thanks, pushed to master. Simo. -- Simo Sorce * Red Hat, Inc * New York From ssorce at redhat.com Tue Dec 21 22:48:11 2010 From: ssorce at redhat.com (Simo Sorce) Date: Tue, 21 Dec 2010 17:48:11 -0500 Subject: [Freeipa-devel] [PATCH] Fix handling of ANY queries in bind-dyndb-ldap In-Reply-To: <20101221175849.GA7420@traged.englab.brq.redhat.com> References: <20101221175849.GA7420@traged.englab.brq.redhat.com> Message-ID: <20101221174811.6eadc1a0@willson.li.ssimo.org> On Tue, 21 Dec 2010 18:58:49 +0100 Adam Tkac wrote: > attached patches fix handling of ANY queries in bind-dyndb-ldap > backend. > > The first patch implements dns_rdatasetiter interface which is needed > by allrdatasets() DB method (implemented in the second patch). > The allrdatasets() database method is used by the named daemon to > handle ANY queries. > > The third patch fixes the find() DB method to correctly return the > complete database node for a certain DNS name. Details are below. > > If there are no objections I will push the patches. Patches look good. But I haven't had a chance to test them. Do you happen to have a scratch build handy ? Simo. -- Simo Sorce * Red Hat, Inc * New York From ssorce at redhat.com Tue Dec 21 22:52:11 2010 From: ssorce at redhat.com (Simo Sorce) Date: Tue, 21 Dec 2010 17:52:11 -0500 Subject: [Freeipa-devel] [PATCH] Fix to man page for ipa-compat-manage (one liner) In-Reply-To: References: Message-ID: <20101221175211.18e098a4@willson.li.ssimo.org> On Wed, 15 Dec 2010 21:37:46 +0000 JR Aquino wrote: > There was a typo for the manpage, this is a one liner to fix. > > -.\" A man page for ipa-ldap-updater > +.\" A man page for ipa-compat-manage > Ack, pushed to master. Simo. -- Simo Sorce * Red Hat, Inc * New York From ssorce at redhat.com Tue Dec 21 22:53:24 2010 From: ssorce at redhat.com (Simo Sorce) Date: Tue, 21 Dec 2010 17:53:24 -0500 Subject: [Freeipa-devel] [PATCH] 656 move permissions and privileges In-Reply-To: <4D10C057.8060101@redhat.com> References: <4D0FC2E9.8020402@redhat.com> <201012211010.24423.jzeleny@redhat.com> <4D10C057.8060101@redhat.com> Message-ID: <20101221175324.292cfd62@willson.li.ssimo.org> On Tue, 21 Dec 2010 09:57:27 -0500 Rob Crittenden wrote: > Jan Zelen? wrote: > > Rob Crittenden wrote: > >> Move permissions and privileges to their own container. They don't > >> really belong in cn=accounts any more. This leaves just roles > >> there. > >> > >> ticket 638 > >> > >> rob > > > > Ack, but I'd be nice to also apply changes to following files, just > > to prevent confusion in the future: > > > > ./install/static/test/data/permission_add.json > > ./install/static/test/data/permission_show.json > > ./install/static/test/data/permission_find.json > > ./install/static/test/data/privilege_show.json > > ./install/static/test/data/privilege_find.json > > > > Jan > > There were added with Adam's recent ACI UI patch. I fixed this as > well and re-based. ACk, but it will need another minor rebase to address changes I had to make to replica management permissions both in delegation.ldif and replica-acis.ldif Simo. -- Simo Sorce * Red Hat, Inc * New York From ssorce at redhat.com Tue Dec 21 22:55:06 2010 From: ssorce at redhat.com (Simo Sorce) Date: Tue, 21 Dec 2010 17:55:06 -0500 Subject: [Freeipa-devel] [PATCH] 031 Do not require DNS record, just warn if one is missing In-Reply-To: <20101221105335.43ec2d45@willson.li.ssimo.org> References: <4D10C7D3.6060309@redhat.com> <20101221105335.43ec2d45@willson.li.ssimo.org> Message-ID: <20101221175506.4205dec3@willson.li.ssimo.org> On Tue, 21 Dec 2010 10:53:35 -0500 Simo Sorce wrote: > On Tue, 21 Dec 2010 16:29:23 +0100 > Jakub Hrozek wrote: > > > The way I changed the installer with the IPv6 fix, it would require > > a record in DNS for the machine hostname and fail if there was none. > > > > The previous (and correct) behaviour is to work even if there is > > only record in /etc/hosts and only warn if there are no DNS records > > for the given hostname. The attached patch reverts to the original > > behaviour. > > ACK > Simo. > Pusehd to master. Simo. -- Simo Sorce * Red Hat, Inc * New York From ayoung at redhat.com Wed Dec 22 00:04:20 2010 From: ayoung at redhat.com (Adam Young) Date: Tue, 21 Dec 2010 19:04:20 -0500 Subject: [Freeipa-devel] [PATCh] admiyo-0120-hidden-filter. Message-ID: <4D114084.4060208@redhat.com> This handles the ACI creation problem. -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-admiyo-0120-hidden-filter.patch Type: text/x-patch Size: 3025 bytes Desc: not available URL: From ssorce at redhat.com Wed Dec 22 00:42:47 2010 From: ssorce at redhat.com (Simo Sorce) Date: Tue, 21 Dec 2010 19:42:47 -0500 Subject: [Freeipa-devel] [PATCH] 0041 Fix ipa-replica-manage man page Message-ID: <20101221194247.7b3f77ea@willson.li.ssimo.org> Mam page fixes after all the changes I made to the ipa-replica-manage command. Simo. -- Simo Sorce * Red Hat, Inc * New York -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-simo-0041-Fix-ipa-replica-manage-man-page-to-reflect-current-s.patch Type: text/x-patch Size: 4105 bytes Desc: not available URL: From ssorce at redhat.com Wed Dec 22 01:17:36 2010 From: ssorce at redhat.com (Simo Sorce) Date: Tue, 21 Dec 2010 20:17:36 -0500 Subject: [Freeipa-devel] [PATCH] bynd-dyndb-ldap: Fix keytab checking In-Reply-To: <4D0B942B.1040908@inet.hr> References: <4D0A5CEA.1000801@inet.hr> <20101216140659.1d2fc027@willson.li.ssimo.org> <4D0B942B.1040908@inet.hr> Message-ID: <20101221201736.773f5e08@willson.li.ssimo.org> On Fri, 17 Dec 2010 17:47:39 +0100 Zoran Pericic wrote: > On 12/16/2010 08:06 PM, Simo Sorce wrote: > > > Obvious ACK, > > I will put the change in myself unless you can send me a git > > formatted patch I can git am into my tree. > > Thunerbird converted tabs to spaces. I hope this is ok. > > Best regards, > Zoran Pericic > > diff --git a/src/krb5_helper.c b/src/krb5_helper.c > index > a52b412f10551dfb4079ef5add37d0ebe000d310..571f511c71a4a0d547e0e74f5b5109a0bd5498b1 > 100644 --- a/src/krb5_helper.c +++ b/src/krb5_helper.c > @@ -111,7 +111,7 @@ get_krb5_tgt(isc_mem_t *mctx, const char > *principal, const char *keyfile) DEFAULT_KEYTAB); > keyfile = DEFAULT_KEYTAB; > } else { > - if (strcmp(keyfile, "FILE:") != 0) { > + if (strncmp(keyfile, "FILE:", 5) != 0) { > log_error("Unknown keytab file name format, > " "missing leading 'FILE:' prefix"); > return ISC_R_FAILURE; This patch was pushed by Adam. Simo. -- Simo Sorce * Red Hat, Inc * New York From ssorce at redhat.com Wed Dec 22 01:36:17 2010 From: ssorce at redhat.com (Simo Sorce) Date: Tue, 21 Dec 2010 20:36:17 -0500 Subject: [Freeipa-devel] [PATCH] bynd-dyndb-ldap: Add separate keytab principal option In-Reply-To: <4D0B9AAA.4040805@inet.hr> References: <4D0A5ECD.5050409@inet.hr> <20101216142547.26cd39c0@willson.li.ssimo.org> <4D0B9AAA.4040805@inet.hr> Message-ID: <20101221203617.43921218@willson.li.ssimo.org> Attached find a patch in the proper git format. Adam can you push it if you think it is ok ? Thanks, Simo. On Fri, 17 Dec 2010 18:15:22 +0100 Zoran Pericic wrote: > On 12/16/2010 08:25 PM, Simo Sorce wrote: > > >> + (str_casecmp_char(ldap_inst->sasl_mech, "GSSAPI") == 0)) { > >> + if((ldap_inst->krb5_principal == NULL)&& > >> + (str_len(ldap_inst->krb5_principal) == 0)) { > >> + if((ldap_inst->sasl_user == NULL)&& > >> + (str_len(ldap_inst->sasl_user) == 0)) { > > the above 2 statements seem wrong to me, the original one had: > > if ((cond 1) || (cond 2)) { > > while you changed it into: > > if ((cond 1)&& (cond 2)) { > > This fails to do the check that is intended. > You are right. This is bug. > > >> + char hostname[255]; > >> + if(gethostname(hostname, 255) != 0) { > >> + log_error("SASL mech GSSAPI defined but > >> krb5_principal and sasl_user are empty. Could not get hostname"); > >> + result = ISC_R_FAILURE; > >> + goto cleanup; > >> + } else { > >> + str_sprintf(ldap_inst->krb5_principal, > >> "dns/%s", hostname); > > This should probably be "DNS/%s", Kerberos is generally case > > sensitive and t5he default for bind is to use the service name part > > in all caps. > ACK. > > Best regards, > > Zoran Pericic > > --- > diff --git a/src/ldap_helper.c b/src/ldap_helper.c > index > 5eed8afba7a275a6ebb3a28c707639516ba9af41..d767571daa8e747833d598876541996280544916 > 100644 --- a/src/ldap_helper.c +++ b/src/ldap_helper.c > @@ -128,6 +128,7 @@ struct ldap_instance { > ldap_auth_t auth_method; > ld_string_t *bind_dn; > ld_string_t *password; > + ld_string_t *krb5_principal; > ld_string_t *sasl_mech; > ld_string_t *sasl_user; > ld_string_t *sasl_auth_name; > @@ -293,6 +294,7 @@ new_ldap_instance(isc_mem_t *mctx, const char > *db_name, { "auth_method", default_string("none") }, > { "bind_dn", > default_string("") }, { "password", > default_string("") }, > + { "krb5_principal", > default_string("") }, { "sasl_mech", > default_string("GSSAPI") }, { "sasl_user", > default_string("") }, { "sasl_auth_name", > default_string("") }, @@ -330,6 +332,7 @@ > new_ldap_instance(isc_mem_t *mctx, const char *db_name, > CHECK(str_new(mctx,&ldap_inst->base)); > CHECK(str_new(mctx,&ldap_inst->bind_dn)); > CHECK(str_new(mctx,&ldap_inst->password)); > + CHECK(str_new(mctx,&ldap_inst->krb5_principal)); > CHECK(str_new(mctx,&ldap_inst->sasl_mech)); > CHECK(str_new(mctx,&ldap_inst->sasl_user)); > CHECK(str_new(mctx,&ldap_inst->sasl_auth_name)); > @@ -346,6 +349,7 @@ new_ldap_instance(isc_mem_t *mctx, const char > *db_name, ldap_settings[i++].target = auth_method_str; > ldap_settings[i++].target = ldap_inst->bind_dn; > ldap_settings[i++].target = ldap_inst->password; > + ldap_settings[i++].target = ldap_inst->krb5_principal; > ldap_settings[i++].target = ldap_inst->sasl_mech; > ldap_settings[i++].target = ldap_inst->sasl_user; > ldap_settings[i++].target = ldap_inst->sasl_auth_name; > @@ -381,12 +385,26 @@ new_ldap_instance(isc_mem_t *mctx, const char > *db_name, > > /* check we have the right data when SASL/GSSAPI is > selected */ if ((ldap_inst->auth_method == AUTH_SASL)&& > - (str_casecmp_char(ldap_inst->sasl_mech, "GSSAPI") == > 0)) { > - if ((ldap_inst->sasl_user == NULL) || > - (str_len(ldap_inst->sasl_user) == 0)) { > - log_error("Sasl mech GSSAPI defined but > sasl_user is empty"); > - result = ISC_R_FAILURE; > - goto cleanup; > + (str_casecmp_char(ldap_inst->sasl_mech, "GSSAPI") == > 0)) { > + if ((ldap_inst->krb5_principal == NULL) || > + (str_len(ldap_inst->krb5_principal) == 0)) { > + if ((ldap_inst->sasl_user == NULL) || > + (str_len(ldap_inst->sasl_user) == > 0)) { > + char hostname[255]; > + if (gethostname(hostname, 255) != 0) > { > + log_error("SASL mech GSSAPI > defined but krb5_principal" > + "and sasl_user are > empty. Could not get hostname"); > + result = ISC_R_FAILURE; > + goto cleanup; > + } else { > + > str_sprintf(ldap_inst->krb5_principal, "DNS/%s", hostname); > + log_debug(2, "SASL mech > GSSAPI defined but krb5_principal" > + "and sasl_user are > empty, using default %s", > + > str_buf(ldap_inst->krb5_principal)); > + } > + } else { > + str_copy(ldap_inst->krb5_principal, > ldap_inst->sasl_user); > + } > } > } > > @@ -447,6 +465,7 @@ destroy_ldap_instance(ldap_instance_t > **ldap_instp) str_destroy(&ldap_inst->base); > str_destroy(&ldap_inst->bind_dn); > str_destroy(&ldap_inst->password); > + str_destroy(&ldap_inst->krb5_principal); > str_destroy(&ldap_inst->sasl_mech); > str_destroy(&ldap_inst->sasl_user); > str_destroy(&ldap_inst->sasl_auth_name); > @@ -1618,7 +1637,7 @@ ldap_reconnect(ldap_connection_t *ldap_conn) > isc_result_t result; > LOCK(&ldap_inst->kinit_lock); > result = get_krb5_tgt(ldap_inst->mctx, > - > str_buf(ldap_inst->sasl_user), > + > str_buf(ldap_inst->krb5_principal), str_buf(ldap_inst->krb5_keytab)); > UNLOCK(&ldap_inst->kinit_lock); > if (result != ISC_R_SUCCESS) -- Simo Sorce * Red Hat, Inc * New York -------------- next part -------------- A non-text attachment was scrubbed... Name: 0001-Use-separate-variables-for-sasl_user-and-krb5_princi.patch Type: text/x-patch Size: 3961 bytes Desc: not available URL: From rcritten at redhat.com Wed Dec 22 03:42:44 2010 From: rcritten at redhat.com (Rob Crittenden) Date: Tue, 21 Dec 2010 22:42:44 -0500 Subject: [Freeipa-devel] [PATCH] 658 don't allow attrs=None Message-ID: <4D1173B4.1000504@redhat.com> Setting an empty set of target attributes should raise an exception. It is possible to create an ACI with attributes and then try to set that to None via a mod command later. We need to catch this and raise an exception. ticket 647 rob -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-rcrit-658-aci.patch Type: text/x-patch Size: 5155 bytes Desc: not available URL: From davido at redhat.com Wed Dec 22 04:23:34 2010 From: davido at redhat.com (David O'Brien) Date: Wed, 22 Dec 2010 14:23:34 +1000 Subject: [Freeipa-devel] [PATCH] 0041 Fix ipa-replica-manage man page In-Reply-To: <20101221194247.7b3f77ea@willson.li.ssimo.org> References: <20101221194247.7b3f77ea@willson.li.ssimo.org> Message-ID: <4D117D46.9010009@redhat.com> Simo Sorce wrote: > Mam page fixes after all the changes I made to the ipa-replica-manage > command. > > Simo. > > NACK I'd like to change these: 1. Forces a full re-initialization of the IPA server pulling data from a server specified with the --from option to: Forces a full re-initialization of the IPA server, retrieving data from the server specified with the --from option 2. This will re\-initialize the data on the server you execute the command, pulling the data from the srv2.example.com replica to: This will re\-initialize the data on the server where you execute the command, retrieving the data from the srv2.example.com replica I realise "pull" is a commonplace verb in this context, so I'm not especially fussed about that, but I'd like to see the other changes. -- David O'Brien Red Hat Asia Pacific Pty Ltd +61 7 3514 8189 "He who asks is a fool for five minutes, but he who does not ask remains a fool forever." ~ Chinese proverb From jhrozek at redhat.com Wed Dec 22 13:32:43 2010 From: jhrozek at redhat.com (Jakub Hrozek) Date: Wed, 22 Dec 2010 14:32:43 +0100 Subject: [Freeipa-devel] [PATCH] 032 Ask for reverse zone creation only when --setup-bind is specified Message-ID: <4D11FDFB.7010806@redhat.com> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 The installer asked for reverse zone creation even if --setup-bind was not specified -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.11 (GNU/Linux) Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org/ iEYEARECAAYFAk0R/fsACgkQHsardTLnvCVoSQCfYHaR7PvhpB+/P2QTCzCZSOlz VTUAnjQR5OTEtPFC+50cmQ7BH8zKaAIB =YMAM -----END PGP SIGNATURE----- -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-jhrozek-032-reverse-zone.patch Type: text/x-patch Size: 1287 bytes Desc: not available URL: -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-jhrozek-032-reverse-zone.patch.sig Type: application/pgp-signature Size: 72 bytes Desc: not available URL: From jhrozek at redhat.com Wed Dec 22 14:03:05 2010 From: jhrozek at redhat.com (Jakub Hrozek) Date: Wed, 22 Dec 2010 15:03:05 +0100 Subject: [Freeipa-devel] [PATCH] 0039 Fix ipa-replica-manage del command to remove all agreements In-Reply-To: <20101221172155.268aba4f@willson.li.ssimo.org> References: <20101221172155.268aba4f@willson.li.ssimo.org> Message-ID: <4D120519.10901@redhat.com> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 On 12/21/2010 11:21 PM, Simo Sorce wrote: > > With this patch all agreements to the replica being deleted are > properly removed even when we have to force the replica removal because > it is not available anymore. > > As a bonus this command too now works with just Kerberos credentials of > a user that have enough privileges. > > Simo. > Ack -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.11 (GNU/Linux) Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org/ iEYEARECAAYFAk0SBRcACgkQHsardTLnvCVX/ACfVcgeyRWcC9IM1BgAZ060a/Ez zv8An1+vWKgdBCHpGJCbZdeTDsqmbPsq =bbba -----END PGP SIGNATURE----- From jhrozek at redhat.com Wed Dec 22 14:04:57 2010 From: jhrozek at redhat.com (Jakub Hrozek) Date: Wed, 22 Dec 2010 15:04:57 +0100 Subject: [Freeipa-devel] [PATCH] 0041 Fix ipa-replica-manage man page In-Reply-To: <4D117D46.9010009@redhat.com> References: <20101221194247.7b3f77ea@willson.li.ssimo.org> <4D117D46.9010009@redhat.com> Message-ID: <4D120589.1010505@redhat.com> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 On 12/22/2010 05:23 AM, David O'Brien wrote: > Simo Sorce wrote: >> Mam page fixes after all the changes I made to the ipa-replica-manage >> command. >> >> Simo. >> >> > NACK > > I'd like to change these: > > 1. Forces a full re-initialization of the IPA server pulling data from a > server specified with the --from option > > to: > > Forces a full re-initialization of the IPA server, retrieving data from > the server specified with the --from option > > > 2. This will re\-initialize the data on the server you execute the > command, pulling the data from the srv2.example.com replica > > to: > > This will re\-initialize the data on the server where you execute the > command, retrieving the data from the srv2.example.com replica > > I realise "pull" is a commonplace verb in this context, so I'm not > especially fussed about that, but I'd like to see the other changes. I won't argue with David about English wording but from a technical standpoint, I'd like to ack the patch. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.11 (GNU/Linux) Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org/ iEYEARECAAYFAk0SBYgACgkQHsardTLnvCWI5QCgwZ8+nscMNaG9MMrwQ9d7kv8f mbYAnAkFJsGutoMlFig7M9NsYdL4IiW6 =wUWl -----END PGP SIGNATURE----- From jhrozek at redhat.com Wed Dec 22 14:09:04 2010 From: jhrozek at redhat.com (Jakub Hrozek) Date: Wed, 22 Dec 2010 15:09:04 +0100 Subject: [Freeipa-devel] [PATCH] 0040 Temporary fix for ipa-replica-manage connect In-Reply-To: <20101221172333.4a71746f@willson.li.ssimo.org> References: <20101221172333.4a71746f@willson.li.ssimo.org> Message-ID: <4D120680.7090108@redhat.com> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 On 12/21/2010 11:23 PM, Simo Sorce wrote: > > There are some issues deep down the replication instance that prevent > us from successfully add new connections between replicas using > SASL/GSSAPI credentials. > Force the request for the DM password for now so that the command can > work. > > Simo. > Ack (sorry, the first one went directly to Simo only) -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.11 (GNU/Linux) Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org/ iEYEARECAAYFAk0SBoAACgkQHsardTLnvCVKOwCg6IOdNjo2yWmRK86btCkJ9DeQ c8IAnifArApTgGW6lAnT9EeWi20h21sc =9RhK -----END PGP SIGNATURE----- From rcritten at redhat.com Wed Dec 22 14:57:02 2010 From: rcritten at redhat.com (Rob Crittenden) Date: Wed, 22 Dec 2010 09:57:02 -0500 Subject: [Freeipa-devel] [PATCH] 658 don't allow attrs=None In-Reply-To: <4D1173B4.1000504@redhat.com> References: <4D1173B4.1000504@redhat.com> Message-ID: <4D1211BE.20401@redhat.com> Rob Crittenden wrote: > Setting an empty set of target attributes should raise an exception. > > It is possible to create an ACI with attributes and then try to set that > to None via a mod command later. We need to catch this and raise an > exception. > > ticket 647 > > rob I'm going to withdraw this patch to work on it some more. There needs to be some mechanism to completely remove attributes from an aci (in ipalib/aci.py). rob From rcritten at redhat.com Wed Dec 22 15:22:12 2010 From: rcritten at redhat.com (Rob Crittenden) Date: Wed, 22 Dec 2010 10:22:12 -0500 Subject: [Freeipa-devel] [PATCH] 658 don't allow attrs=None In-Reply-To: <4D1211BE.20401@redhat.com> References: <4D1173B4.1000504@redhat.com> <4D1211BE.20401@redhat.com> Message-ID: <4D1217A4.7070403@redhat.com> Rob Crittenden wrote: > Rob Crittenden wrote: >> Setting an empty set of target attributes should raise an exception. >> >> It is possible to create an ACI with attributes and then try to set that >> to None via a mod command later. We need to catch this and raise an >> exception. >> >> ticket 647 >> >> rob > > I'm going to withdraw this patch to work on it some more. There needs to > be some mechanism to completely remove attributes from an aci (in > ipalib/aci.py). > > rob > Updated patch attached. If None is set as the list of attributes then the target is dropped. Note that no attributes is never legal for a delegation plugin. rob -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-rcrit-658-2-aci.patch Type: text/x-patch Size: 5440 bytes Desc: not available URL: From pzuna at redhat.com Wed Dec 22 15:25:42 2010 From: pzuna at redhat.com (Pavel Zuna) Date: Wed, 22 Dec 2010 16:25:42 +0100 Subject: [Freeipa-devel] [PATCH] Fix webUI command parameters error on Fedora 14. Message-ID: <4D121876.5070800@redhat.com> Fixes the webUI on Fedora 14. Pavel -------------- next part -------------- A non-text attachment was scrubbed... Name: pzuna-freeipa-0049-webuiunicodef14.patch Type: text/x-patch Size: 1304 bytes Desc: not available URL: From ssorce at redhat.com Wed Dec 22 15:27:44 2010 From: ssorce at redhat.com (Simo Sorce) Date: Wed, 22 Dec 2010 10:27:44 -0500 Subject: [Freeipa-devel] [PATCH] 0039 Fix ipa-replica-manage del command to remove all agreements In-Reply-To: <4D120519.10901@redhat.com> References: <20101221172155.268aba4f@willson.li.ssimo.org> <4D120519.10901@redhat.com> Message-ID: <20101222102744.653f5d84@willson.li.ssimo.org> On Wed, 22 Dec 2010 15:03:05 +0100 Jakub Hrozek wrote: > On 12/21/2010 11:21 PM, Simo Sorce wrote: > > > > With this patch all agreements to the replica being deleted are > > properly removed even when we have to force the replica removal > > because it is not available anymore. > > > > As a bonus this command too now works with just Kerberos > > credentials of a user that have enough privileges. > > > > Simo. > > > > Ack Thanks, pushed to master. Simo. -- Simo Sorce * Red Hat, Inc * New York From ssorce at redhat.com Wed Dec 22 15:28:23 2010 From: ssorce at redhat.com (Simo Sorce) Date: Wed, 22 Dec 2010 10:28:23 -0500 Subject: [Freeipa-devel] [PATCH] 0041 Fix ipa-replica-manage man page In-Reply-To: <4D120589.1010505@redhat.com> References: <20101221194247.7b3f77ea@willson.li.ssimo.org> <4D117D46.9010009@redhat.com> <4D120589.1010505@redhat.com> Message-ID: <20101222102823.11fd66d0@willson.li.ssimo.org> On Wed, 22 Dec 2010 15:04:57 +0100 Jakub Hrozek wrote: > -----BEGIN PGP SIGNED MESSAGE----- > Hash: SHA1 > > On 12/22/2010 05:23 AM, David O'Brien wrote: > > Simo Sorce wrote: > >> Mam page fixes after all the changes I made to the > >> ipa-replica-manage command. > >> > >> Simo. > >> > >> > > NACK > > > > I'd like to change these: > > > > 1. Forces a full re-initialization of the IPA server pulling data > > from a server specified with the --from option > > > > to: > > > > Forces a full re-initialization of the IPA server, retrieving data > > from the server specified with the --from option > > > > > > 2. This will re\-initialize the data on the server you execute the > > command, pulling the data from the srv2.example.com replica > > > > to: > > > > This will re\-initialize the data on the server where you execute > > the command, retrieving the data from the srv2.example.com replica > > > > I realise "pull" is a commonplace verb in this context, so I'm not > > especially fussed about that, but I'd like to see the other changes. > > I won't argue with David about English wording but from a technical > standpoint, I'd like to ack the patch. Included changes from David and pushed to master. Simo. -- Simo Sorce * Red Hat, Inc * New York From ssorce at redhat.com Wed Dec 22 15:28:36 2010 From: ssorce at redhat.com (Simo Sorce) Date: Wed, 22 Dec 2010 10:28:36 -0500 Subject: [Freeipa-devel] [PATCH] 0040 Temporary fix for ipa-replica-manage connect In-Reply-To: <4D120680.7090108@redhat.com> References: <20101221172333.4a71746f@willson.li.ssimo.org> <4D120680.7090108@redhat.com> Message-ID: <20101222102836.5e9118d3@willson.li.ssimo.org> On Wed, 22 Dec 2010 15:09:04 +0100 Jakub Hrozek wrote: > On 12/21/2010 11:23 PM, Simo Sorce wrote: > > > > There are some issues deep down the replication instance that > > prevent us from successfully add new connections between replicas > > using SASL/GSSAPI credentials. > > Force the request for the DM password for now so that the command > > can work. > > > > Simo. > > > > Ack (sorry, the first one went directly to Simo only) Pushed to master, Simo. -- Simo Sorce * Red Hat, Inc * New York From jhrozek at redhat.com Wed Dec 22 15:35:11 2010 From: jhrozek at redhat.com (Jakub Hrozek) Date: Wed, 22 Dec 2010 16:35:11 +0100 Subject: [Freeipa-devel] [PATCH] Fix webUI command parameters error on Fedora 14. In-Reply-To: <4D121876.5070800@redhat.com> References: <4D121876.5070800@redhat.com> Message-ID: <4D121AAF.1050906@redhat.com> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 On 12/22/2010 04:25 PM, Pavel Zuna wrote: > Fixes the webUI on Fedora 14. > > Pavel > No more unicode decode errors with the patch. Ack! -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.11 (GNU/Linux) Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org/ iEYEARECAAYFAk0SGq8ACgkQHsardTLnvCX0fACgvMWaVOFnL3+SYWz8QG+PDZ76 oCcAoN4BXk13pi2EjdB4BDoj3NXg2xIp =VRix -----END PGP SIGNATURE----- From ayoung at redhat.com Wed Dec 22 16:00:55 2010 From: ayoung at redhat.com (Adam Young) Date: Wed, 22 Dec 2010 11:00:55 -0500 Subject: [Freeipa-devel] [PATCH] Fix webUI command parameters error on Fedora 14. In-Reply-To: <4D121AAF.1050906@redhat.com> References: <4D121876.5070800@redhat.com> <4D121AAF.1050906@redhat.com> Message-ID: <4D1220B7.8000608@redhat.com> On 12/22/2010 10:35 AM, Jakub Hrozek wrote: > -----BEGIN PGP SIGNED MESSAGE----- > Hash: SHA1 > > On 12/22/2010 04:25 PM, Pavel Zuna wrote: > >> Fixes the webUI on Fedora 14. >> >> Pavel >> >> > No more unicode decode errors with the patch. > > Ack! > -----BEGIN PGP SIGNATURE----- > Version: GnuPG v1.4.11 (GNU/Linux) > Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org/ > > iEYEARECAAYFAk0SGq8ACgkQHsardTLnvCX0fACgvMWaVOFnL3+SYWz8QG+PDZ76 > oCcAoN4BXk13pi2EjdB4BDoj3NXg2xIp > =VRix > -----END PGP SIGNATURE----- > > _______________________________________________ > Freeipa-devel mailing list > Freeipa-devel at redhat.com > https://www.redhat.com/mailman/listinfo/freeipa-devel > pushed to master From ssorce at redhat.com Wed Dec 22 16:05:53 2010 From: ssorce at redhat.com (Simo Sorce) Date: Wed, 22 Dec 2010 11:05:53 -0500 Subject: [Freeipa-devel] [PATCH 4] dbe instead of lde (ipa-compat-manage/ipa-nis-manage) In-Reply-To: <201012091033.05281.jzeleny@redhat.com> References: <201012091033.05281.jzeleny@redhat.com> Message-ID: <20101222110553.0b15481a@willson.li.ssimo.org> On Thu, 9 Dec 2010 10:33:05 +0100 Jan Zelen? wrote: > JR Aquino wrote: > > The error handling refers to lde as a typo... When the exception > > occurs due to a database error, it gets captured as: dbe. > > > > This is a One line bug fix for compat and nis tools > > ACK Pushed to master. Simo. -- Simo Sorce * Red Hat, Inc * New York From rcritten at redhat.com Wed Dec 22 16:15:49 2010 From: rcritten at redhat.com (Rob Crittenden) Date: Wed, 22 Dec 2010 11:15:49 -0500 Subject: [Freeipa-devel] Issues with ACI UI In-Reply-To: <4D103921.5040008@redhat.com> References: <4D103921.5040008@redhat.com> Message-ID: <4D122435.9060104@redhat.com> Adam Young wrote: > 1. Can't add an ACI. Before, I was able to get away with a blank > filter, but that doesn't seem to work anymore. Do you know when things changed? You probably shouldn't set values that aren't used. > 2. Delegation-add : the group-find for the combo boxes isn't getting > executed. > 3. Some edits are broken for Permissions: For certain, update dns entries I updated the ticket with info on this. I think you're using the wrong key to the metadata (dns vs dnszone). > 4. adding self service permission, attrs is required, even if the user > just wants to do an 'add' permission. There should be no 'add' on selfservice, only read/write. This is only granting access to attributes which is why they are required. > 5. Modifying the self service permission just added gives an internal > error. I removed the 'delete' and 'write' permission ( which I did not > set in the add dialog) as well as the 'audio' permission. Log is below: Patch 658 should fix this. > > > Some of these are on the UI side, and some are on the server side. We'll > need to sort out which is which. From rcritten at redhat.com Wed Dec 22 16:27:08 2010 From: rcritten at redhat.com (Rob Crittenden) Date: Wed, 22 Dec 2010 11:27:08 -0500 Subject: [Freeipa-devel] [PATCH] 656 move permissions and privileges In-Reply-To: <20101221175324.292cfd62@willson.li.ssimo.org> References: <4D0FC2E9.8020402@redhat.com> <201012211010.24423.jzeleny@redhat.com> <4D10C057.8060101@redhat.com> <20101221175324.292cfd62@willson.li.ssimo.org> Message-ID: <4D1226DC.2020907@redhat.com> Simo Sorce wrote: > On Tue, 21 Dec 2010 09:57:27 -0500 > Rob Crittenden wrote: > >> Jan Zelen? wrote: >>> Rob Crittenden wrote: >>>> Move permissions and privileges to their own container. They don't >>>> really belong in cn=accounts any more. This leaves just roles >>>> there. >>>> >>>> ticket 638 >>>> >>>> rob >>> >>> Ack, but I'd be nice to also apply changes to following files, just >>> to prevent confusion in the future: >>> >>> ./install/static/test/data/permission_add.json >>> ./install/static/test/data/permission_show.json >>> ./install/static/test/data/permission_find.json >>> ./install/static/test/data/privilege_show.json >>> ./install/static/test/data/privilege_find.json >>> >>> Jan >> >> There were added with Adam's recent ACI UI patch. I fixed this as >> well and re-based. > > ACk, but it will need another minor rebase to address changes I had to > make to replica management permissions both in delegation.ldif and > replica-acis.ldif Done and pushed to master From rcritten at redhat.com Wed Dec 22 16:34:26 2010 From: rcritten at redhat.com (Rob Crittenden) Date: Wed, 22 Dec 2010 11:34:26 -0500 Subject: [Freeipa-devel] [PATCH] Update built-in help for user (ipa help user) with info about username format. In-Reply-To: <4D10E08A.2040305@redhat.com> References: <4D10E08A.2040305@redhat.com> Message-ID: <4D122892.2000500@redhat.com> Pavel Zuna wrote: > General talk about username format including username length and how to > change it in ipa config. > > Ticket #436 > > Pavel ack, pushed to master rob From ssorce at redhat.com Wed Dec 22 16:39:03 2010 From: ssorce at redhat.com (Simo Sorce) Date: Wed, 22 Dec 2010 11:39:03 -0500 Subject: [Freeipa-devel] [PATCH] 032 Ask for reverse zone creation only when --setup-bind is specified In-Reply-To: <4D11FDFB.7010806@redhat.com> References: <4D11FDFB.7010806@redhat.com> Message-ID: <20101222113903.5842253b@willson.li.ssimo.org> On Wed, 22 Dec 2010 14:32:43 +0100 Jakub Hrozek wrote: > The installer asked for reverse zone creation even if --setup-bind was > not specified Ack, pushed to master. I have a related question though. Why create_reverse is always False when the installation is unattended ? Should we have a new option so that unattended installs can specify they actually want a reverse zone be created ? Simo. -- Simo Sorce * Red Hat, Inc * New York From rcritten at redhat.com Wed Dec 22 17:06:12 2010 From: rcritten at redhat.com (Rob Crittenden) Date: Wed, 22 Dec 2010 12:06:12 -0500 Subject: [Freeipa-devel] [PATCh] admiyo-0120-hidden-filter. In-Reply-To: <4D114084.4060208@redhat.com> References: <4D114084.4060208@redhat.com> Message-ID: <4D123004.3080706@redhat.com> Adam Young wrote: > This handles the ACI creation problem. nack. The change to widget.js causes the first two labels to not be displayed in the Add ACI modal dialog. It otherwise looks ok. rob From ayoung at redhat.com Wed Dec 22 17:27:10 2010 From: ayoung at redhat.com (Adam Young) Date: Wed, 22 Dec 2010 12:27:10 -0500 Subject: [Freeipa-devel] [PATCh] admiyo-0120-hidden-filter. In-Reply-To: <4D123004.3080706@redhat.com> References: <4D114084.4060208@redhat.com> <4D123004.3080706@redhat.com> Message-ID: <4D1234EE.9070103@redhat.com> On 12/22/2010 12:06 PM, Rob Crittenden wrote: > Adam Young wrote: >> This handles the ACI creation problem. > > nack. The change to widget.js causes the first two labels to not be > displayed in the Add ACI modal dialog. > > It otherwise looks ok. > > rob Ah...should have looked for 'undefined' -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-admiyo-0120-2-hidden-filter.patch Type: text/x-patch Size: 3084 bytes Desc: not available URL: From rcritten at redhat.com Wed Dec 22 17:48:39 2010 From: rcritten at redhat.com (Rob Crittenden) Date: Wed, 22 Dec 2010 12:48:39 -0500 Subject: [Freeipa-devel] [PATCh] admiyo-0120-hidden-filter. In-Reply-To: <4D1234EE.9070103@redhat.com> References: <4D114084.4060208@redhat.com> <4D123004.3080706@redhat.com> <4D1234EE.9070103@redhat.com> Message-ID: <4D1239F7.3030001@redhat.com> Adam Young wrote: > On 12/22/2010 12:06 PM, Rob Crittenden wrote: >> Adam Young wrote: >>> This handles the ACI creation problem. >> >> nack. The change to widget.js causes the first two labels to not be >> displayed in the Add ACI modal dialog. >> >> It otherwise looks ok. >> >> rob > Ah...should have looked for 'undefined' ack, pushed to master From jhrozek at redhat.com Wed Dec 22 18:36:19 2010 From: jhrozek at redhat.com (Jakub Hrozek) Date: Wed, 22 Dec 2010 19:36:19 +0100 Subject: [Freeipa-devel] [PATCH] 032 Ask for reverse zone creation only when --setup-bind is specified In-Reply-To: <20101222113903.5842253b@willson.li.ssimo.org> References: <4D11FDFB.7010806@redhat.com> <20101222113903.5842253b@willson.li.ssimo.org> Message-ID: <4D124523.9050209@redhat.com> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 On 12/22/2010 05:39 PM, Simo Sorce wrote: > On Wed, 22 Dec 2010 14:32:43 +0100 > Jakub Hrozek wrote: > >> The installer asked for reverse zone creation even if --setup-bind was >> not specified > > Ack, pushed to master. > > I have a related question though. > Why create_reverse is always False when the installation is unattended ? > Should we have a new option so that unattended installs can specify > they actually want a reverse zone be created ? > > Simo. > Probably yes, good suggestion. I will file a ticket. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.11 (GNU/Linux) Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org/ iEYEARECAAYFAk0SRSMACgkQHsardTLnvCXMqACg4vXYSoyuo4K8Ylpb/u+Utlte EmcAn0zLQKc6V44NCtBTGF7KSHVyQSVm =iYLr -----END PGP SIGNATURE----- From newsletter at transifex.net Wed Dec 22 19:38:09 2010 From: newsletter at transifex.net (Transifex Newsletter) Date: Wed, 22 Dec 2010 14:38:09 -0500 Subject: [Freeipa-devel] [Transifex] Upgraded to 1.0, Woohoo! Message-ID: <14154d471be565eb94c9e3e0012ff591a5d.20101222193708@mcsv73.net> Upgrade to Transifex 1.0, woohoo! A fresh road leading to increased stability and awesome future plans. Please fasten seat belts and remain calm for takeoff. Dear fellow Transifexian, We've just finished upgrading, testing, bugfixing and polishing a super major upgrade of Transifex.net. We're psyched with the new features and the scalability the release brings, as well as the control and options added to everyone's workflow. We've went on and re-written the core Transifex Translation Storage Engine from scratch. If you were wondering what have we been cooking in the last 6 months, since the last newsletter was sent, well, this is it. Transifex is gradually becoming "git for translations". We now have a solid foundation on top of which we can continue making Transifex available to a bigger audience and continue innovating on the service. The new engine can handle way more fine-grained precision than before, since it is now working on the very strings inside your translation files. _Major changes_ The new version [9]brings some big changes to the traditional workflow used by project maintainers. In particular: 1. Translations are now _stored inside Transifex_ instead of being auto-committed to the versioning systems. Project maintainers will now have to use a _command-line client_ to export the translation files from Transifex, e.g. right before a software release. The command-line client is continuously enriched with new functionality, and will eventually become something like 'a vcs for translations'. 2. Instead of cloning the whole VCS repository, Transifex can now _monitor a source language file_ using a public HTTP link to it, such as your GitHub "raw" URL link to the English PO file. The command-line client can also be used to push the source language files, such as after a string freeze. 3. Support for more translation sources, such as _QT's .ts_ file format were added. We're already testing _Joomla .ini_ files and others. Links: 9. http://help.transifex.net/user-guide/one-dot-zero.html?utm_source=Transifex+Newsletter&utm_campaign=98eb4f1481-Transifex+1.0+Upgrade&utm_medium=email#migrating-your-project Moar featurez: * Translation file metadata auto-updating (PO headers) * Clone a language (useful for en-GB, fr-CA, etc.) * Non-English Source Languages for resources * Web Editor: Translate from Multiple Source Languages, Translation suggestions, Keyboard Shortcuts * Basic support for Translation Memory * AJAX support in many places, including the web editor and common screens * 100 new languages, now reaching 261 * [10]Application Programmable Interface * New [11]Transifex.net Help Section Links: 10. http://help.transifex.net/technical/api/api.html?utm_source=Transifex+Newsletter&utm_campaign=98eb4f1481-Transifex+1.0+Upgrade&utm_medium=email 11. http://help.transifex.net?utm_source=Transifex+Newsletter&utm_campaign=98eb4f1481-Transifex+1.0+Upgrade&utm_medium=email _Migrating your project_ If you?re a translator, the only differences you will notice are the UI improvements we made. More AJAX, nicer controls on your files, incremental saves in the web editor. If you?re a developer, please refer to the section [12]Migrating Your Project to make sure your code and workflow are migrated. Basically you?ll need to start using a command-line tool, similarly to how you interact with your own versioning system. Then, you can run a couple of commands on your local workstation to pull fresh files from Transifex whenever is needed -- e.g. before you release your software. To make this process automated, Makefile rules are our friends. We understand that this might require some extra work, but we really think it's worth it in the long term! This was a very big step for our small team and large codebase, so please bear with us while we're learning and getting more experienced with smooth upgrades. If you have any questions, take a look at the [13]FAQ, or contact us directly at support at indifex.com. If you need assistance over the telephone or Skype, just let us know straight away. For live, community-based IRC support, you may find us on #transifex on Freenode. Links: 12. http://help.transifex.net/user-guide/one-dot-zero.html?utm_source=Transifex+Newsletter&utm_campaign=98eb4f1481-Transifex+1.0+Upgrade&utm_medium=email#migrating-your-project 13. http://help.transifex.net/user-guide/one-dot-zero.html?utm_source=Transifex+Newsletter&utm_campaign=98eb4f1481-Transifex+1.0+Upgrade&utm_medium=email#frequently-asked-questions-faqs Let a thousand languages bloom! About Transifex [14]Transifex is a one-stop, batteries-included Localization Hub, helping developers reach out to an international user-base. Transifex supports translations over standard formats, straight from the development repository. More than 2.000 projects and companies are using Transifex to an international audience of many millions. Links: 14. http://www.transifex.net?utm_source=Transifex+Newsletter&utm_campaign=98eb4f1481-Transifex+1.0+Upgrade&utm_medium=email Transifex is being developed by [15]Indifex, a fresh company based in sunny Greece. We work closely with large corporations as well as a large number of small-to-medium enterprises. Learn more about our work and our services at www.indifex.com. Do you think we can help your company with its Localization needs? [17]Get in touch with us. Links: 15. http://www.indifex.com?utm_source=Transifex+Newsletter&utm_campaign=98eb4f1481-Transifex+1.0+Upgrade&utm_medium=email 17. http://www.indifex.com/contact?utm_source=Transifex+Newsletter&utm_campaign=98eb4f1481-Transifex+1.0+Upgrade&utm_medium=email ============================================== Unsubscribe freeipa-devel at redhat.com from this list: http://transifex.us1.list-manage.com/unsubscribe?u=14154d471be565eb94c9e3e00&id=0a2ad6b02a&e=12ff591a5d&c=98eb4f1481 -------------- next part -------------- An HTML attachment was scrubbed... URL: From JR.Aquino at citrix.com Wed Dec 22 23:18:06 2010 From: JR.Aquino at citrix.com (JR Aquino) Date: Wed, 22 Dec 2010 23:18:06 +0000 Subject: [Freeipa-devel] [PATCH] netgroups created by hostgroups lacked info Message-ID: Fix for ticket #653 https://fedorahosted.org/freeipa/ticket/653 The managed netgroup was missing the ipaObject objectclass and the nisDomain attribute when created from a hostgroup. Please review and ack. -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-jraquino-0011-netgroups-created-by-hostgroups-lacked-info.patch Type: application/octet-stream Size: 891 bytes Desc: freeipa-jraquino-0011-netgroups-created-by-hostgroups-lacked-info.patch URL: From dpal at redhat.com Thu Dec 23 08:06:58 2010 From: dpal at redhat.com (Dmitri Pal) Date: Thu, 23 Dec 2010 03:06:58 -0500 Subject: [Freeipa-devel] Announcing FreeIPA v2 Server Beta 1 Release Message-ID: <4D130322.9070900@redhat.com> To all freeipa-interest, freeipa-users and freeipa-devel list members, The FreeIPA project team is pleased to announce the availability of the Beta 1 release of freeIPA 2.0 server [1]. - Binaries are available for F-13 and F-14. - With this beta freeIPA is feature complete. - Please do not hesitate to share feedback, criticism or bugs with us on our mailing list: freeipa-users at redhat.com Main Highlights of the Beta - This beta is the first attempt to show all planned capabilities of the upcoming release. - For the first time the new UI is mostly operational and can be used to perform management of the system. - Some areas are still very rough and we will appreciate your help with those. Focus of the Beta Testing - Please take a moment and look at the new Web UI. Any feedback about the general approaches, work flows, and usability is appreciated. It is still very rough but one can hopefully get a good understanding of how we plan the final UI to function and look like. - Replication management was significantly improved. Testing of multi replica configurations should be easier. - We are looking for a feedback about the DNS integration and networking issues you find in your environment configuring and using IPA with the embedded DNS enabled. Significant Changes Since Alpha 5 - FreeIPA has changed its license to GPLv3+ - Having IPA manage the reverse zone is optional. - The access control subsystem was re-written to be more understandable. For details see [2] - Support for SUDO rules - There is now a distinction between replicas and their replication agreements in the ipa-replica-manage command. It is now much easier to manage the replication topology. - Renaming entries is easier with the --rename option of the mod commands. - Fix special character handling in passwords, ensure that passwords are not logged. - Certificates can be saved as PEM files in service-show and host-show commands. - All IPA services are now started/stopped using the ipactl command. This gives us better control over the start/stop order during reboot/shutdown. - Set up ntpd first so the time is sane. - Better multi-valued value handle with --setattr and --addattr. - Add support for both RFC2307 and RFC2307bis to migration. - UID ranges were reduced by default from 1M to 200k. - Add ability to add/remove DNS records when adding/removing a host entry. - A number of i18n issues have been addressed. - Updated a lot of man pages. What is not Complete - We are still using older version of the Dogtag. New version of the Dogtag Certificate System will be based on tomcat6 and is forthcoming. - We plan to take advantage of Kerberos 1.9 that was released today but we have not finished the integration effort yet. Known Issues - IPV6 works in the installer but not the server itself - Make sure you machine can properly resolve its name before installing the server. Edit /etc/hosts to remove host name from the localhost and localhost6 lines if needed. - The UI is still rough in places
Use the following query [3] to see the tickets currently open against UI. - Dogtag does not work out-of-the-box on Fedora 14. To fix it for for the time being run: # ln -s /usr/share/java/xalan-j2-serializer.jar /usr/share/tomcat5/common/lib/xalan-j2-serializer.jar - Instead of Dogtag on F14 you can also try the self-signed CA which is similar to the CA that was provided in IPA v1. This was designed for testing and development and not recommended for deployment. - Make sure you enable updates-testing repository on your fedora machine. Thank you, FreeIPA development team [1] http://www.freeipa.org/page/Downloads [2] http://freeipa.org/page/Permissions [3] https://fedorahosted.org/freeipa/report/12 From amrossi at linux.it Thu Dec 23 08:47:14 2010 From: amrossi at linux.it (Andrea Modesto Rossi) Date: Thu, 23 Dec 2010 09:47:14 +0100 (CET) Subject: [Freeipa-devel] [Freeipa-interest] Announcing FreeIPA v2 Server Beta 1 Release In-Reply-To: <4D130322.9070900@redhat.com> References: <4D130322.9070900@redhat.com> Message-ID: On Gio, 23 Dicembre 2010 9:06 am, Dmitri Pal wrote: > To all freeipa-interest, freeipa-users and freeipa-devel list members, > > The FreeIPA project team is pleased to announce the availability of the > Beta 1 release of freeIPA 2.0 server [1]. > - Binaries are available for F-13 and F-14. > - With this beta freeIPA is feature complete. > - Please do not hesitate to share feedback, criticism or bugs with us on > our mailing list: freeipa-users at redhat.com This is a great gift for Christmas! Thank you very much. -- Andrea Modesto Rossi Fedora Ambassador From jgalipea at redhat.com Thu Dec 23 17:43:46 2010 From: jgalipea at redhat.com (Jenny Galipeau) Date: Thu, 23 Dec 2010 12:43:46 -0500 Subject: [Freeipa-devel] Announcing FreeIPA v2 Server Beta 1 Release In-Reply-To: <4D130322.9070900@redhat.com> References: <4D130322.9070900@redhat.com> Message-ID: <4D138A52.8080800@redhat.com> Dmitri Pal wrote: > To all freeipa-interest, freeipa-users and freeipa-devel list members, > > The FreeIPA project team is pleased to announce the availability of the > Beta 1 release of freeIPA 2.0 server [1]. > - Binaries are available for F-13 and F-14. > - With this beta freeIPA is feature complete. > - Please do not hesitate to share feedback, criticism or bugs with us on > our mailing list: freeipa-users at redhat.com > > Main Highlights of the Beta > - This beta is the first attempt to show all planned capabilities of the > upcoming release. > - For the first time the new UI is mostly operational and can be used to > perform management of the system. > - Some areas are still very rough and we will appreciate your help with > those. > > Focus of the Beta Testing > - Please take a moment and look at the new Web UI. Any feedback about > the general approaches, work flows, and usability is appreciated. It is > still very rough but one can hopefully get a good understanding of how > we plan the final UI to function and look like. > - Replication management was significantly improved. Testing of multi > replica configurations should be easier. > - We are looking for a feedback about the DNS integration and networking > issues you find in your environment configuring and using IPA with the > embedded DNS enabled. > It would also be beneficial if Delegated Administration (ACIs, task groups and role groups) were an area of focus too. This area has had major changes. Thanks!! > Significant Changes Since Alpha 5 > - FreeIPA has changed its license to GPLv3+ > - Having IPA manage the reverse zone is optional. > - The access control subsystem was re-written to be more understandable. > For details see [2] > - Support for SUDO rules > - There is now a distinction between replicas and their replication > agreements in the ipa-replica-manage command. It is now much easier to > manage the replication topology. > - Renaming entries is easier with the --rename option of the mod commands. > - Fix special character handling in passwords, ensure that passwords are > not logged. > - Certificates can be saved as PEM files in service-show and host-show > commands. > - All IPA services are now started/stopped using the ipactl command. > This gives us better control over the start/stop order during > reboot/shutdown. > - Set up ntpd first so the time is sane. > - Better multi-valued value handle with --setattr and --addattr. > - Add support for both RFC2307 and RFC2307bis to migration. > - UID ranges were reduced by default from 1M to 200k. > - Add ability to add/remove DNS records when adding/removing a host entry. > - A number of i18n issues have been addressed. > - Updated a lot of man pages. > > What is not Complete > - We are still using older version of the Dogtag. New version of the > Dogtag Certificate System will be based on tomcat6 and is forthcoming. > - We plan to take advantage of Kerberos 1.9 that was released today but > we have not finished the integration effort yet. > > Known Issues > - IPV6 works in the installer but not the server itself > - Make sure you machine can properly resolve its name before installing > the server. Edit /etc/hosts to remove host name from the localhost and > localhost6 lines if needed. > - The UI is still rough in places
Use the following query [3] to see > the tickets currently open against UI. > - Dogtag does not work out-of-the-box on Fedora 14. To fix it for for > the time being run: > # ln -s /usr/share/java/xalan-j2-serializer.jar > /usr/share/tomcat5/common/lib/xalan-j2-serializer.jar > - Instead of Dogtag on F14 you can also try the self-signed CA which is > similar to the CA that was provided in IPA v1. This was designed for > testing and development and not recommended for deployment. > - Make sure you enable updates-testing repository on your fedora machine. > > Thank you, > FreeIPA development team > > [1] http://www.freeipa.org/page/Downloads > [2] http://freeipa.org/page/Permissions > [3] https://fedorahosted.org/freeipa/report/12 > > _______________________________________________ > Freeipa-devel mailing list > Freeipa-devel at redhat.com > https://www.redhat.com/mailman/listinfo/freeipa-devel > > -- Jenny Galipeau Principal Software QA Engineer Red Hat, Inc. Security Engineering Delivering value year after year. Red Hat ranks #1 in value among software vendors. http://www.redhat.com/promo/vendor/ From ayoung at redhat.com Thu Dec 23 19:15:58 2010 From: ayoung at redhat.com (Adam Young) Date: Thu, 23 Dec 2010 14:15:58 -0500 Subject: [Freeipa-devel] [PATCH] fix reset password Message-ID: <4D139FEE.7000608@redhat.com> One liner pushed to master [ayoung at ayoung static]$ git show HEAD commit 247e2a263b3fedfa8b3e2ef3e006c64083677c91 Author: Adam Young Date: Thu Dec 23 14:12:33 2010 -0500 fix reset passwrod The way we store the user object returned from user-find --whoami changed, and this code diff --git a/install/static/user.js b/install/static/user.js index cb4c005..1a2ab44 100644 --- a/install/static/user.js +++ b/install/static/user.js @@ -194,7 +194,7 @@ function resetpwd_on_click(){ var user_pkey = $.bbq.getState('user-pkey'); var pw_pkey; - if (user_pkey === ipa_whoami_pkey){ + if (user_pkey === IPA.whoami.uid[0]){ pw_pkey = []; }else{ pw_pkey = [user_pkey]; From ayoung at redhat.com Thu Dec 23 19:27:41 2010 From: ayoung at redhat.com (Adam Young) Date: Thu, 23 Dec 2010 14:27:41 -0500 Subject: [Freeipa-devel] [PATCH] admiyo-0121-posix-checked Message-ID: <4D13A2AD.8010902@redhat.com> fixes https://fedorahosted.org/freeipa/ticket/661 -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-admiyo-0121-posix-checked.patch Type: text/x-patch Size: 1944 bytes Desc: not available URL: From ayoung at redhat.com Thu Dec 23 19:36:41 2010 From: ayoung at redhat.com (Adam Young) Date: Thu, 23 Dec 2010 14:36:41 -0500 Subject: [Freeipa-devel] [PATCH] admiyo-0122-cancel-on-failure Message-ID: <4D13A4C9.1070705@redhat.com> -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-admiyo-0122-cancel-on-failure.patch Type: text/x-patch Size: 1005 bytes Desc: not available URL: From ayoung at redhat.com Thu Dec 23 19:57:10 2010 From: ayoung at redhat.com (Adam Young) Date: Thu, 23 Dec 2010 14:57:10 -0500 Subject: [Freeipa-devel] [PATCH] admiyo-0123-Remove-description-field-from-config Message-ID: <4D13A996.1030803@redhat.com> -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-admiyo-0123-Remove-description-field-from-config.patch Type: text/x-patch Size: 1003 bytes Desc: not available URL: From ayoung at redhat.com Thu Dec 23 19:58:29 2010 From: ayoung at redhat.com (Adam Young) Date: Thu, 23 Dec 2010 14:58:29 -0500 Subject: [Freeipa-devel] [PATCH] admiyo-0123-Remove-description-field-from-config In-Reply-To: <4D13A996.1030803@redhat.com> References: <4D13A996.1030803@redhat.com> Message-ID: <4D13A9E5.4050409@redhat.com> On 12/23/2010 02:57 PM, Adam Young wrote: > > > _______________________________________________ > Freeipa-devel mailing list > Freeipa-devel at redhat.com > https://www.redhat.com/mailman/listinfo/freeipa-devel One Liner. Pushed to master -------------- next part -------------- An HTML attachment was scrubbed... URL: From ayoung at redhat.com Thu Dec 23 21:11:31 2010 From: ayoung at redhat.com (Adam Young) Date: Thu, 23 Dec 2010 16:11:31 -0500 Subject: [Freeipa-devel] [PATCH] Introduce new env variable, enable_dns=True, if IPA is managing DNS. In-Reply-To: <1982415185.475451291919658489.JavaMail.root@zmail05.collab.prod.int.phx2.redhat.com> References: <1982415185.475451291919658489.JavaMail.root@zmail05.collab.prod.int.phx2.redhat.com> Message-ID: <4D13BB03.3090007@redhat.com> On 12/09/2010 01:34 PM, Simo Sorce wrote: > ----- "Pavel Zuna" wrote: > >> if api.env.enable_dns: >> print "DNS is managed by IPA" >> >> ==== >> >> ipa env | grep "enable_dns: True"> /devnull&& echo "DNS is managed >> by IPA" >> >> ==== >> >> Ticket #600 > > Nack, sorry the approach is completely wrong. > > As discussed on IRC you should search the LDAP server and see if the DNS service is enabled for at least one master under cn=masters,cn=ipa,cn=etc,$SUFFIX > > This new data is only available after my patch 0025 is pushed. > > Simo. > > _______________________________________________ > Freeipa-devel mailing list > Freeipa-devel at redhat.com > https://www.redhat.com/mailman/listinfo/freeipa-devel Now that 0025 is in, what more needs to be done? From zpericic at inet.hr Sun Dec 26 20:09:34 2010 From: zpericic at inet.hr (Zoran Pericic) Date: Sun, 26 Dec 2010 21:09:34 +0100 Subject: [Freeipa-devel] [krb5kdc] LDAP handle unavailable: Can't contact LDAP server on kinit Message-ID: <4D17A0FE.60307@inet.hr> Hi, I have strange problem with krb5 krb5-server-ldap and FC14. Tried to resolve it my self, but i'am stuck. Stangest thing is that all of this work perfectly with fc13 so it's no config issue. I could not find any major difference in krb5 from fc13 to fc14. Only thing is that libldap from openldap-clients is compiled with mozilla nss (fc14) instead of OpenSSL (fc13) but krb5kdc is connected to ldap servers which I confirmed in ldap server logs, so it should not be TLS related problem. krb5kdc bind for first time and get realm related stuff. But when I run kinit it returns "kinit: Generic error (see e-text) while getting initial credentials". Strangest this is that all works perfectly if I manually run krb5kdc "/usr/sbin/krb5kdc -r ST -P /var/run/krb5kdc.pid" instead of using initscripts. Attached krb5.conf, patch to enhance krb5kdc debugging and log file created with this patch included. This may not be right list but I think that freeipa should have same bug. Feel free to ask for more debugging or probing new patches. Best regards, Zoran Pericic -------------- next part -------------- A non-text attachment was scrubbed... Name: krb5-1.8.2-debug.patch Type: text/x-patch Size: 5646 bytes Desc: not available URL: -------------- next part -------------- An embedded and charset-unspecified text was scrubbed... Name: krb5.conf URL: -------------- next part -------------- A non-text attachment was scrubbed... Name: krb5kdc.log Type: text/x-log Size: 3974 bytes Desc: not available URL: From jdennis at redhat.com Wed Dec 29 14:55:31 2010 From: jdennis at redhat.com (John Dennis) Date: Wed, 29 Dec 2010 09:55:31 -0500 Subject: [Freeipa-devel] [PATCH 21/21] fixes CA install problem in trac ticket 682 Message-ID: <201012291455.oBTEtVZt020993@int-mx01.intmail.prod.int.phx2.redhat.com> Do not call status after pkisilent, it will return non-zero. Instead restart server after pkisilent so configuration changes take effect, the check the status. -- John Dennis Looking to carve out IT costs? www.redhat.com/carveoutcosts/ -------------- next part -------------- A non-text attachment was scrubbed... Name: 0021-fixes-CA-install-problem-in-trac-ticket-682.patch Type: text/x-patch Size: 3733 bytes Desc: not available URL: From pzuna at redhat.com Thu Dec 30 09:26:02 2010 From: pzuna at redhat.com (=?UTF-8?B?UGF2ZWwgWsWvbmE=?=) Date: Thu, 30 Dec 2010 10:26:02 +0100 Subject: [Freeipa-devel] [PATCH] Enable custom list of attributes to retrieve effective rights. Message-ID: <4D1C502A.8050409@redhat.com> LDAPObject sub-classes can define a custom list of attributes for effective rights retrieval. Fix #677 Pavel -------------- next part -------------- A non-text attachment was scrubbed... Name: pzuna-freeipa-50-customrights.patch Type: text/x-patch Size: 4089 bytes Desc: not available URL: From pzuna at redhat.com Thu Dec 30 09:29:02 2010 From: pzuna at redhat.com (=?UTF-8?B?UGF2ZWwgWsWvbmE=?=) Date: Thu, 30 Dec 2010 10:29:02 +0100 Subject: [Freeipa-devel] [PATCH] Translate IA5Str paramaters the editable text fields in the webUI. Message-ID: <4D1C50DE.6050705@redhat.com> Fix #684 Pavel -------------- next part -------------- A non-text attachment was scrubbed... Name: pzuna-freeipa-51-editia5str.patch Type: text/x-patch Size: 1181 bytes Desc: not available URL: From pzuna at redhat.com Thu Dec 30 09:29:43 2010 From: pzuna at redhat.com (=?UTF-8?B?UGF2ZWwgWsWvbmE=?=) Date: Thu, 30 Dec 2010 10:29:43 +0100 Subject: [Freeipa-devel] [PATCH] Fix 'ipa help permissions'; add 'dns' in allowed types. Message-ID: <4D1C5107.7050404@redhat.com> Pavel -------------- next part -------------- A non-text attachment was scrubbed... Name: pzuna-freeipa-52-permissionhelp.patch Type: text/x-patch Size: 966 bytes Desc: not available URL: From pzuna at redhat.com Thu Dec 30 16:27:32 2010 From: pzuna at redhat.com (=?UTF-8?B?UGF2ZWwgWsWvbmE=?=) Date: Thu, 30 Dec 2010 17:27:32 +0100 Subject: [Freeipa-devel] [PATCH] Translate IA5Str paramaters the editable text fields in the webUI. In-Reply-To: <4D1C50DE.6050705@redhat.com> References: <4D1C50DE.6050705@redhat.com> Message-ID: <4D1CB2F4.9090704@redhat.com> On 2010-12-30 10:29, Pavel Z?na wrote: > Fix #684 > > Pavel > Left some debugging output in the original patch. Fixed version attached. Pavel -------------- next part -------------- A non-text attachment was scrubbed... Name: pzuna-freeipa-51-2-editia5str.patch Type: text/x-patch Size: 865 bytes Desc: not available URL: From pzuna at redhat.com Thu Dec 30 16:44:33 2010 From: pzuna at redhat.com (=?UTF-8?B?UGF2ZWwgWsWvbmE=?=) Date: Thu, 30 Dec 2010 17:44:33 +0100 Subject: [Freeipa-devel] [PATCH] Disable action panel links when the selected entry is deleted. Message-ID: <4D1CB6F1.1050208@redhat.com> Fix #685 Pavel -------------- next part -------------- A non-text attachment was scrubbed... Name: pzuna-freeipa-53-actionpanel.patch Type: text/x-patch Size: 1209 bytes Desc: not available URL: