From bdubrovsky at redhat.com Thu Jul 1 15:42:56 2010
From: bdubrovsky at redhat.com (Ben Dubrovsky)
Date: Thu, 1 Jul 2010 11:42:56 -0400
Subject: [Freeipa-devel] Current Skeletons in a PDF...
Message-ID:

Hi folks,

Here's a copy of the current page skeletons including all Identity sections except netgroups and services.

Ben

-------------- next part --------------
A non-text attachment was scrubbed...
Name: July 1 IPA skeletons.pdf
Type: application/pdf
Size: 522296 bytes
Desc: not available

From rcritten at redhat.com Tue Jul 6 18:35:21 2010
From: rcritten at redhat.com (Rob Crittenden)
Date: Tue, 06 Jul 2010 14:35:21 -0400
Subject: [Freeipa-devel] New web directory
In-Reply-To: <4C28C5BC.7030708@redhat.com>
References: <4C28C5BC.7030708@redhat.com>
Message-ID: <4C337769.4090703@redhat.com>

Adam Young wrote:
> I think we need a new web directory, something similar to /usr/share/ipa/html, but that shows up in the web url.
>
> The wsgi code chops off the file extension, so user.html becomes user. This will break the javascript. I'm assuming that was why we're currently putting the .js files into /var/lib/cache/assets.
>
> I think the simplest approach would be to create a directory in /var/www/html for static content. Then, the stuff that I have checked into freeipa/web (minus the sample data sub dir) would be deployed to there. Of course, the problem is that the /ipa URL path gets redirected to WSGI, but I think we can put an explicit exclude in for it.

Well, we made a conscious decision not to put data into /var/www/html, I believe mostly related to SELinux, and also to keep our stuff separate. This is also legacy from having TurboGears serving up the UI.

I'm ok with having multiple listeners on /ipa/*, we just want to be sure to keep everything under /ipa and not take over the whole root (well, we do that now but it is easily resolved by removing a couple of redirects).
> As I said before, one of my goals is to be able to do development completely offline, with no round trips to the server, to ease both development and to allow for automated testing of the javascript code.
>
> If people want to continue to put the static code into /usr/share/ipa/html then the current html directory should probably be renamed to 'errors' or something so the good name can be used for the main html.

Well, error and config both sort of share the same space right now. We need some controlled place to redirect users when kerberos authentication fails, as well as an area to store configuration files. I cheated a bit and used the same directory for both purposes. I don't really care what we end up calling this directory though.

rob

From rcritten at redhat.com Tue Jul 6 19:40:03 2010
From: rcritten at redhat.com (Rob Crittenden)
Date: Tue, 06 Jul 2010 15:40:03 -0400
Subject: [Freeipa-devel] [PATCH] 464 User-Private groups
In-Reply-To: <4C25180E.1050305@redhat.com>
References: <4C0EA6B2.2070904@redhat.com> <4C12AE2D.9030205@redhat.com> <4C162427.2060206@redhat.com> <4C1AB22B.7070905@redhat.com> <4C1B68DD.9030100@redhat.com> <4C250ED9.4050800@redhat.com> <4C25180E.1050305@redhat.com>
Message-ID: <4C338693.7040708@redhat.com>

Adam Young wrote:
> On 06/25/2010 04:17 PM, Rob Crittenden wrote:
>> Rob Crittenden wrote:
>>> Adam Young wrote:
>>>> On 06/14/2010 08:44 AM, Rob Crittenden wrote:
>>>>> Adam Young wrote:
>>>>>> When the patch was applied, and the packages were installed on a clean system, ipa-server-install kicked directly into the debugger after the line:
>>>>>>
>>>>>> [7/21]: configuring user private groups
>>>>>>
>>>>>> stack trace showed
>>>>>>
>>>>>> dsinstance.py(124)has_managed_entries()
>>>>>> ->try
>>>>>
>>>>> Looks like I left a debug statement in the patch. You can press 'c' here to continue (it'll prompt you again later). I can remove these statements before I push the patch if it is otherwise ok.
>>>>>
>>>>> rob
>>>>
>>>> OK, I think this is a legit problem: I have a version of the DS that has /usr/lib64/dirsrv/plugins/libmanagedentries-plugin.so
>>>>
>>>> [root at ipa patchedrpms]# rpmquery 389-ds-base
>>>> 389-ds-base-1.2.6-0.6.rc1.fc13.x86_64
>>>>
>>>> The following fails. I think the error message is either failing at I18N or has a typo in the URL, due to the u' in it.
>>>>
>>>> [root at ipa patchedrpms]# ipa user-add --first Count --last VonCount
>>>> User login [cvoncount]: count123ahahah
>>>> ipa: ERROR: cannot connect to u'https://ipa.ayoung.boston.devel.redhat.com/ipa/xml': Internal Server Error
>>>>
>>>
>>> There should be a backtrace in /var/log/httpd/error_log. Can you provide that?
>>>
>>> thanks
>>
>> I rebased the patch, should apply cleanly now.
>>
>> rob
>>
>
> ACK
>
> Tested out with review board, but the patch seems pretty straight forward. I should have added to the "testing" section that I applied it to a DS instance that did not support the plugin and it worked fine as well.

pushed to master

From rcritten at redhat.com Tue Jul 6 19:40:13 2010
From: rcritten at redhat.com (Rob Crittenden)
Date: Tue, 06 Jul 2010 15:40:13 -0400
Subject: [Freeipa-devel] [PATCH] 473 fix aci update summary
In-Reply-To: <1277911314.7788.7.camel@wolverine.englab.brq.redhat.com>
References: <4C23A121.1040203@redhat.com> <1277911314.7788.7.camel@wolverine.englab.brq.redhat.com>
Message-ID: <4C33869D.70908@redhat.com>

Martin Nagy wrote:
> On Thu, 2010-06-24 at 14:17 -0400, Rob Crittenden wrote:
>> Seems I changed the summary message for updating hosts which breaks a few of the aci tests. This should bring it back in line.
>>
>> rob
>
> Ack.
> Martin
>

pushed to master

From rcritten at redhat.com Tue Jul 6 19:40:22 2010
From: rcritten at redhat.com (Rob Crittenden)
Date: Tue, 06 Jul 2010 15:40:22 -0400
Subject: [Freeipa-devel] [PATCH] 472 cleanup imports of hbacsvc plugin
In-Reply-To: <1277911283.7788.6.camel@wolverine.englab.brq.redhat.com>
References: <4C237DBA.4040507@redhat.com> <1277911283.7788.6.camel@wolverine.englab.brq.redhat.com>
Message-ID: <4C3386A6.90105@redhat.com>

Martin Nagy wrote:
> On Thu, 2010-06-24 at 11:46 -0400, Rob Crittenden wrote:
>> I ran pylint against the hbacsvc plugin and identified a slew of unused imports. I removed them and pulled only the classes we need out of baseldap.
>>
>> rob
>
> Ack
>
> Martin
>

pushed to master

From ayoung at redhat.com Wed Jul 7 13:41:18 2010
From: ayoung at redhat.com (Adam Young)
Date: Wed, 07 Jul 2010 09:41:18 -0400
Subject: [Freeipa-devel] New web directory
In-Reply-To: <4C337769.4090703@redhat.com>
References: <4C28C5BC.7030708@redhat.com> <4C337769.4090703@redhat.com>
Message-ID: <4C3483FE.4030304@redhat.com>

On 07/06/2010 02:35 PM, Rob Crittenden wrote:
> Adam Young wrote:
>> I think we need a new web directory, something similar to /usr/share/ipa/html, but that shows up in the web url.
>>
>> The wsgi code chops off the file extension, so user.html becomes user. This will break the javascript. I'm assuming that was why we're currently putting the .js files into /var/lib/cache/assets.
>>
>> I think the simplest approach would be to create a directory in /var/www/html for static content. Then, the stuff that I have checked into freeipa/web (minus the sample data sub dir) would be deployed to there. Of course, the problem is that the /ipa URL path gets redirected to WSGI, but I think we can put an explicit exclude in for it.
>
> Well, we made a conscious decision not to put data into /var/www/html, I believe mostly related to SELinux, and also to keep our stuff separate.
> This is also legacy from having TurboGears serving up the UI.
>
> I'm ok with having multiple listeners on /ipa/*, we just want to be sure to keep everything under /ipa and not take over the whole root (well, we do that now but it is easily resolved by removing a couple of redirects).

We already moved forward with putting things into /usr/share/ipa/static. Right now this maps to /ipa/static in the URLs.

Not thrilled with the current naming scheme. I'd like to put all of our web content under one dir, perhaps /usr/share/ipa/html, with images, config, and error as subdirs. We can turn on auth for all, and turn it off for error and config.

I'm not sure that the wsgi code should go under share, as the rest of the dynamic python code is under the /usr/lib/python directory.

>
>> As I said before, one of my goals is to be able to do development completely offline, with no round trips to the server, to ease both development and to allow for automated testing of the javascript code.
>>
>> If people want to continue to put the static code into /usr/share/ipa/html then the current html directory should probably be renamed to 'errors' or something so the good name can be used for the main html.
>
> Well, error and config both sort of share the same space right now. We need some controlled place to redirect users when kerberos authentication fails, as well as an area to store configuration files. I cheated a bit and used the same directory for both purposes. I don't really care what we end up calling this directory though.
>
> rob

From rcritten at redhat.com Wed Jul 7 13:46:09 2010
From: rcritten at redhat.com (Rob Crittenden)
Date: Wed, 07 Jul 2010 09:46:09 -0400
Subject: [Freeipa-devel] New web directory
In-Reply-To: <4C3483FE.4030304@redhat.com>
References: <4C28C5BC.7030708@redhat.com> <4C337769.4090703@redhat.com> <4C3483FE.4030304@redhat.com>
Message-ID: <4C348521.4090404@redhat.com>

Adam Young wrote:
> On 07/06/2010 02:35 PM, Rob Crittenden wrote:
>> Adam Young wrote:
>>> I think we need a new web directory, something similar to /usr/share/ipa/html, but that shows up in the web url.
>>>
>>> The wsgi code chops off the file extension, so user.html becomes user. This will break the javascript. I'm assuming that was why we're currently putting the .js files into /var/lib/cache/assets.
>>>
>>> I think the simplest approach would be to create a directory in /var/www/html for static content. Then, the stuff that I have checked into freeipa/web (minus the sample data sub dir) would be deployed to there. Of course, the problem is that the /ipa URL path gets redirected to WSGI, but I think we can put an explicit exclude in for it.
>>
>> Well, we made a conscious decision not to put data into /var/www/html, I believe mostly related to SELinux, and also to keep our stuff separate. This is also legacy from having TurboGears serving up the UI.
>>
>> I'm ok with having multiple listeners on /ipa/*, we just want to be sure to keep everything under /ipa and not take over the whole root (well, we do that now but it is easily resolved by removing a couple of redirects).
>
> We already moved forward with putting things into /usr/share/ipa/static. Right now this maps to /ipa/static in the URLs.
>
> Not thrilled with the current naming scheme. I'd like to put all of our web content under one dir, perhaps /usr/share/ipa/html, with images, config, and error as subdirs. We can turn on auth for all, and turn it off for error and config.
Don't feel bound by legacy, just understand the reasons so we don't have regressions or relive history. If you want to change things go ahead and we'll argue about it in the patches.

>
> I'm not sure that the wsgi code should go under share, as the rest of the dynamic python code is under the /usr/lib/python directory.

Well, not really. /usr/lib[64]/python* is really for python libraries. The wsgi code is really standalone used just by Apache. If you want to stick it in another subdirectory I'm fine with that, but it doesn't belong alongside the python libraries IMHO.

rob

From ayoung at redhat.com Thu Jul 8 18:41:51 2010
From: ayoung at redhat.com (Adam Young)
Date: Thu, 08 Jul 2010 14:41:51 -0400
Subject: [Freeipa-devel] Git devel approach
Message-ID: <4C361BEF.8030004@redhat.com>

I have a blog that I use as my programmer's notebook. I recently wrote up the approach I am using for working with git in our distributed development. Please take a look, and tell me if this matches what other people are doing, or if there are any obvious errors.

http://adam.younglogic.com/?p=885

From rcritten at redhat.com Thu Jul 8 18:57:11 2010
From: rcritten at redhat.com (Rob Crittenden)
Date: Thu, 08 Jul 2010 14:57:11 -0400
Subject: [Freeipa-devel] [PATCH] 479 add service-disable command
Message-ID: <4C361F87.9030704@redhat.com>

Add API to delete a service principal key, service-disable. This is so an admin can essentially revoke a service principal without deleting it.

I have to do some pretty low-level LDAP work to achieve this. Since we can't read the key, our modlist generator won't work and lots of tricks would be needed to use the LDAPUpdate object in any case. The alternative is to add a function to the ldap2 backend that achieves this, or something similar like 'delete_attrs'. I just didn't see a general case for it.

I pulled usercertificate out of the global params and put into each appropriate function because it makes no sense for service-disable.
I added tests to verify that the certificate we issue is found in the service. This also double-checks that the service commands actually return certificate data.

rob

-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-479-service.patch
Type: application/mbox
Size: 7050 bytes
Desc: not available

From ayoung at redhat.com Thu Jul 8 22:55:49 2010
From: ayoung at redhat.com (Adam Young)
Date: Thu, 08 Jul 2010 18:55:49 -0400
Subject: [Freeipa-devel] [PATCH] 479 add service-disable command
In-Reply-To: <4C361F87.9030704@redhat.com>
References: <4C361F87.9030704@redhat.com>
Message-ID: <4C365775.8070303@redhat.com>

On 07/08/2010 02:57 PM, Rob Crittenden wrote:
> Add API to delete a service principal key, service-disable. This is so an admin can essentially revoke a service principal without deleting it.
>
> I have to do some pretty low-level LDAP work to achieve this. Since we can't read the key, our modlist generator won't work and lots of tricks would be needed to use the LDAPUpdate object in any case. The alternative is to add a function to the ldap2 backend that achieves this, or something similar like 'delete_attrs'. I just didn't see a general case for it.
>
> I pulled usercertificate out of the global params and put into each appropriate function because it makes no sense for service-disable.
>
> I added tests to verify that the certificate we issue is found in the service. This also double-checks that the service commands actually return certificate data.
>
> rob
>
> _______________________________________________
> Freeipa-devel mailing list
> Freeipa-devel at redhat.com
> https://www.redhat.com/mailman/listinfo/freeipa-devel

Well, it builds and deploys. How do I test?

-------------- next part --------------
An HTML attachment was scrubbed...
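The patch description for service-disable says the usual modlist generator cannot be used because the key is not readable. The block below is an added illustration of that point, not FreeIPA's code and not the patch itself: it simulates a directory that hides the key attribute from searches, shows a read-diff-write modlist generator producing no change at all, and contrasts it with the unconditional MOD_DELETE that removes the key without the client ever seeing it. The attribute name krbprincipalkey, the sample entry, the hidden-attribute rule and the MOD_* numbering (assumed to follow python-ldap's) are assumptions made for the example.

```python
# Added illustration, not FreeIPA's code: why a read-diff-write modlist
# generator cannot remove an attribute the caller is not allowed to read,
# and the explicit delete that works instead.  Attribute names, entry
# contents and the hidden-attribute rule are assumptions for this example.

MOD_ADD, MOD_DELETE, MOD_REPLACE = 0, 1, 2   # assumed to follow python-ldap's numbering

# Constructed sample service entry as the directory stores it.  The key
# value is a placeholder; real Kerberos keys are opaque binary blobs.
STORED_ENTRY = {
    "krbprincipalname": [b"HTTP/www.example.test@EXAMPLE.TEST"],
    "objectclass": [b"ipaservice", b"krbprincipal", b"krbprincipalaux"],
    "usercertificate": [b"<certificate-bytes>"],
    "krbprincipalkey": [b"<opaque-key-blob>"],
}

# Attributes that access control hides from searches (assumption: the key
# may be written by an admin but never read back).
UNREADABLE = {"krbprincipalkey"}


def read_entry(stored, unreadable=UNREADABLE):
    """Simulate an LDAP search result: hidden attributes are simply absent."""
    return {k: list(v) for k, v in stored.items() if k not in unreadable}


def diff_modlist(old, new):
    """Generic read-diff-write modlist: compares what was read with the
    desired state.  It can only act on attributes the reader has seen."""
    mods = []
    for attr in sorted(set(old) | set(new)):
        if attr not in new:
            mods.append((MOD_DELETE, attr, None))
        elif attr not in old:
            mods.append((MOD_ADD, attr, list(new[attr])))
        elif sorted(old[attr]) != sorted(new[attr]):
            mods.append((MOD_REPLACE, attr, list(new[attr])))
    return mods


def disable_via_diff(stored):
    """Try to revoke the key the generic way: read, drop the key, diff.
    Because the read never contained the key, the diff comes out empty."""
    old = read_entry(stored)
    wanted = {k: v for k, v in old.items() if k != "krbprincipalkey"}
    return diff_modlist(old, wanted)


def disable_modlist(attr="krbprincipalkey"):
    """Unconditional delete: MOD_DELETE with no values removes every value
    of the attribute without the client having to know what they are."""
    return [(MOD_DELETE, attr, None)]


def apply_modlist(stored, mods):
    """Minimal server-side application of a modlist, enough for the demo."""
    entry = {k: list(v) for k, v in stored.items()}
    for op, attr, values in mods:
        if op == MOD_DELETE and values is None:
            entry.pop(attr, None)
        elif op == MOD_DELETE:
            entry[attr] = [v for v in entry.get(attr, []) if v not in values]
            if not entry[attr]:
                del entry[attr]
        elif op == MOD_ADD:
            entry.setdefault(attr, []).extend(values)
        elif op == MOD_REPLACE:
            entry[attr] = list(values)
    return entry


def has_key(stored):
    """The 'disabled' state: the entry still exists but holds no key."""
    return "krbprincipalkey" in stored


if __name__ == "__main__":
    print(disable_via_diff(STORED_ENTRY))          # [] -> nothing would change
    after = apply_modlist(STORED_ENTRY, disable_modlist())
    print(has_key(STORED_ENTRY), has_key(after))    # True False
    print(sorted(after))                            # key gone, everything else intact
```

The security property worth noting is that this is a soft revocation: the principal's entry, its certificate and its memberships survive, so nothing that references the service breaks, but with no key stored the KDC cannot issue tickets for it until a new key is provisioned. The `has_key` check is the same information a UI status line such as "Enrolled, Kerberos Key Present" would report.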

From rcritten at redhat.com Fri Jul 9 12:55:00 2010
From: rcritten at redhat.com (Rob Crittenden)
Date: Fri, 09 Jul 2010 08:55:00 -0400
Subject: [Freeipa-devel] [PATCH] 479 add service-disable command
In-Reply-To: <4C365775.8070303@redhat.com>
References: <4C361F87.9030704@redhat.com> <4C365775.8070303@redhat.com>
Message-ID: <4C371C24.1060900@redhat.com>

Adam Young wrote:
> On 07/08/2010 02:57 PM, Rob Crittenden wrote:
>> Add API to delete a service principal key, service-disable. This is so an admin can essentially revoke a service principal without deleting it.
>>
>> I have to do some pretty low-level LDAP work to achieve this. Since we can't read the key, our modlist generator won't work and lots of tricks would be needed to use the LDAPUpdate object in any case. The alternative is to add a function to the ldap2 backend that achieves this, or something similar like 'delete_attrs'. I just didn't see a general case for it.
>>
>> I pulled usercertificate out of the global params and put into each appropriate function because it makes no sense for service-disable.
>>
>> I added tests to verify that the certificate we issue is found in the service. This also double-checks that the service commands actually return certificate data.
>>
>> rob
>>
> Well, it builds and deploys. How do I test?

I added test information to ticket https://fedorahosted.org/freeipa/ticket/52

From ssorce at redhat.com Fri Jul 9 14:27:32 2010
From: ssorce at redhat.com (Simo Sorce)
Date: Fri, 9 Jul 2010 10:27:32 -0400
Subject: [Freeipa-devel] Git devel approach
In-Reply-To: <4C361BEF.8030004@redhat.com>
References: <4C361BEF.8030004@redhat.com>
Message-ID: <20100709102732.5b8bc887@willson.li.ssimo.org>

On Thu, 08 Jul 2010 14:41:51 -0400
Adam Young wrote:
> I have a blog that I use as my programmer's notebook. I recently wrote up the approach I am using for working with git in our distributed development. Please take a look, and tell me if this matches what other people are doing, or if there are any obvious errors.
>
> http://adam.younglogic.com/?p=885

This is more or less what I do daily for SSSD and Samba and used to do with the FreeIPA stuff when I was a bit more active.

Simo.

--
Simo Sorce * Red Hat, Inc * New York

From rcritten at redhat.com Fri Jul 9 14:41:41 2010
From: rcritten at redhat.com (Rob Crittenden)
Date: Fri, 09 Jul 2010 10:41:41 -0400
Subject: [Freeipa-devel] [PATCH] 479 add service-disable command
In-Reply-To: <4C361F87.9030704@redhat.com>
References: <4C361F87.9030704@redhat.com>
Message-ID: <4C373525.5070504@redhat.com>

Rob Crittenden wrote:
> Add API to delete a service principal key, service-disable. This is so an admin can essentially revoke a service principal without deleting it.
>
> I have to do some pretty low-level LDAP work to achieve this. Since we can't read the key, our modlist generator won't work and lots of tricks would be needed to use the LDAPUpdate object in any case. The alternative is to add a function to the ldap2 backend that achieves this, or something similar like 'delete_attrs'. I just didn't see a general case for it.
>
> I pulled usercertificate out of the global params and put into each appropriate function because it makes no sense for service-disable.
>
> I added tests to verify that the certificate we issue is found in the service. This also double-checks that the service commands actually return certificate data.
>
> rob
>

We need a similar functionality for hosts so I'm going to pull back this patch and do both at once. I'm going to move the magic that does the key deletion into ldap2 to make for a very simple call within the plugins.

rob

From bdubrovsky at redhat.com Fri Jul 9 16:55:15 2010
From: bdubrovsky at redhat.com (Ben Dubrovsky)
Date: Fri, 9 Jul 2010 12:55:15 -0400
Subject: [Freeipa-devel] A question of terminology for the User Experience....
Message-ID:

Hi,

I am convinced that one of the most critical possible points of user confusion has to do with the difference between the concept of an object (user, group, netgroup, etc) as a *container* holding other objects and the concept of an object being *contained* by another group.

To design against this confusion, I would like to see us put in as many points of disambiguation as possible. These include differentiation in icons, perhaps colors, and, most important, in language.

In particular - it is important that the term referring to "containing others" and the term referring to "contained by others" be linguistically different from each other. The terms "Member" and "Membership", for instance, are too similar to provide much disambiguation. In the July 7 set of skeletons, I introduced a consistent terminology in which these terms were linguistically different. Dmitry pointed out to me yet another cause of confusion that my terms added. After some discussion, we came up with a different set of terms, that I would like to get some feedback on.

First, the terms I introduced:

From the point of view of any given object:
The objects it contains are *Members*
The relationships to objects that contain it are *Enrollments*

The actions related to them:
Contained objects are *added* and *removed* -- i.e. Members
Objects are *enrolled in* and *withdrawn from* containing objects -- i.e. Enrollments

Objects:
To create an object, use *New*
To delete an object, use *Delete*

These terms form the basis of the grammar I used in the July 7 skeletons, and commands, help strings, labels, and titles are derived from these. There are several other clues that are designed in as well:
* The general action paradigm is to:
  1) find one object out of many;
  2) navigate to the proper element of that object;
  3) either add to or delete from the list of objects stored in that element
* For adding Members, I title the screen in the form:
  "Add object(s) to thisObject itsName" (e.g. "Add Host Group(s) to Netgroup foo")
* For adding Enrollments, I title the screen in a similar, but (hopefully) disambiguated way:
  "Enroll thisObject itsName in object(s)" (e.g. "Enroll User foo in Netgroup(s)")
* Just because it seems extra weird to enroll an object in its own kind of object, I add the word "other" in this case:
  "Enroll Netgroup Foo in other Netgroup(s)"
* The navigation tabs to the separate elements in an object are also based on this formula, and disambiguated by whether the tab represents objects "contained" in this one, or pointers to other "containing" object.
* For objects "contained" in this one, I use the form:
  "Member objects" (e.g. "Member Hosts" or "Member Groups")
* For pointers to objects "containing" this, I use the form:
  "Enrollment in objects" (e.g. "Enrollment in Host Groups" or "Enrollment in Groups")
* I also use the word other when the relationship is for the same kind of object:
  "Enrollment in other Netgroups"
* For elements that do not present the ambiguity of contained vs. containing, I just use the word: e.g. Details, or Roles.
* At the head of the list of tabs, I use the type of the current object with a colon, suggesting a phrase completion.
* For instance, on the element pages for the Group object, the word "Group:" is at the head of the tabs.
Possible completions (with the tab names) are:
Group: Member Users
Group: Member Groups
Group: Enrollment in other Groups
Group: Enrollment in Netgroups
Group: Details

So here's the challenge: The term "enroll" is overloaded. There are others that the thesaurus has that are workable: Enlistment, Association and Membership

We also have to choose words that fit in the various parts of speech in which the word is used in the UI. For instance, "Join" is great as a verb, but there is no noun to describe it (Joinment?).

(As a reference, I've put the list of all phrases that use these related terms at the end of this note.)

If we choose "Membership", then we need to change the notion of "Member". Not that it's wrong -- but I want to use another term that is clearly linguistically different than Membership -- to disambiguate. Possible words are: affiliate, associate, and constituent.

So: (*whew!!*)

Do we use:
Member(s) and Enrollment (my first attempt, but conflicts with other meanings of Enroll)
Member(s) and Enlistment
Member(s) and Association

Associate(s) and Membership
Affiliate(s) and Membership
Constituent(s) and Membership

What do you think?

Ben

PS: The list of phrases that the words need to work within are below. This includes an example of why Enroll doesn't work -- see if you can find it!

Enroll Group Foo in Netgroup(s)
Enroll Group Foo in other Group(s)
Enroll Host Group Foo in Netgroup(s)
Enroll Host Group Foo in other Host Group(s)
Enroll Netgroup Foo in other Netgroup(s)

Enroll Host Foo in Host Group(s)
Enroll Host Foo in Netgroup(s)
Enroll User Pat D. Bunny in Group(s)
Enroll User Pat D. Bunny in Netgroup(s)

Enroll Host
Enroll Host Group
Enroll User
Enroll Group
Enroll Netgroup

Enroll in Host Group(s)
Enroll in other Host Group(s)
Enroll in Group(s)
Enroll in other Group(s)
Enroll in Netgroup(s)
Enroll in other Netgroup(s)

Enrollment in Groups
Enrollment in other Groups
Enrollment in Host Groups
Enrollment in other Host Groups
Enrollment in Netgroups
Enrollment in other Netgroups

Prospective Group Enrollment(s)
Prospective Host Group Enrollment(s)
Prospective Netgroup Enrollment(s)

Status: Enrolled, Kerberos Key Present
Enroll via One-Time-Password:
Enrolled By:
Enrolled?
Delete Key, Unenroll

Add Group(s) to Group Foo
Add Group(s) to Netgroup Foo
Add Host Group(s) to Host Group Foo
Add Host Group(s) to Netgroup Foo
Add Host(s) to Host Group Foo
Add Host(s) to Netgroup Foo
Add Role(s) to User Pat D. Bunny
Add User(s) to Group Foo
Add User(s) to Netgroup Foo
Add Role(s) to User Pat D. Bunny
Add Netgroup(s) to Netgroup Foo

Add User(s)
Add Group(s)
Add Host(s)
Add Host Group(s)
Add Role(s)

Remove User(s)
Remove Group(s)
Remove Role(s)
Remove Host Group(s)
Remove Host(s)

Member Groups
Member Host Groups
Member Hosts
Member Netgroups
Member Users

Withdraw from Host Group(s)
Withdraw from Netgroup(s)
Withdraw from Group(s)

New User
New Group
New Service
New Netgroup
New Host Group
New Host
New Certificate

Delete User(s)
Delete Group(s)
Delete Service(s)
Delete Netgroup(s)
Delete Host Group(s)
Delete Host(s)
Delete Key, Unenroll
Delete Key, Unprovision

User Details
Group Details
Netgroup Details
Host Group Details
Host Details
Service Details

Issue New Certificate for Host foo
Issue New Certificate for Service foo

From dpal at redhat.com Fri Jul 9 17:19:42 2010
From: dpal at redhat.com (Dmitri Pal)
Date: Fri, 09 Jul 2010 13:19:42 -0400
Subject: [Freeipa-devel] A question of terminology for the User Experience....
In-Reply-To:
References:
Message-ID: <4C375A2E.8030602@redhat.com>

Ben Dubrovsky wrote:
> Hi,
>
> I am convinced that one of the most critical possible points of user confusion has to do with the difference between the concept of an object (user, group, netgroup, etc) as a *container* holding other objects and the concept of an object being *contained* by another group.
>
> To design against this confusion, I would like to see us put in as many points of disambiguation as possible. These include differentiation in icons, perhaps colors, and, most important, in language.
>
> In particular - it is important that the term referring to "containing others" and the term referring to "contained by others" be linguistically different from each other. The terms "Member" and "Membership", for instance, are too similar to provide much disambiguation. In the July 7 set of skeletons, I introduced a consistent terminology in which these terms were linguistically different. Dmitry pointed out to me yet another cause of confusion that my terms added. After some discussion, we came up with a different set of terms, that I would like to get some feedback on.
>
> First, the terms I introduced:
>
> From the point of view of any given object:
> The objects it contains are *Members*
> The relationships to objects that contain it are *Enrollments*
>
> The actions related to them:
> Contained objects are *added* and *removed* -- i.e. Members
> Objects are *enrolled in* and *withdrawn from* containing objects -- i.e. Enrollments
>
> Objects:
> To create an object, use *New*
> To delete an object, use *Delete*
>
> These terms form the basis of the grammar I used in the July 7 skeletons, and commands, help strings, labels, and titles are derived from these.
> There are several other clues that are designed in as well:
> * The general action paradigm is to:
>   1) find one object out of many;
>   2) navigate to the proper element of that object;
>   3) either add to or delete from the list of objects stored in that element
> * For adding Members, I title the screen in the form:
>   "Add object(s) to thisObject itsName" (e.g. "Add Host Group(s) to Netgroup foo")
> * For adding Enrollments, I title the screen in a similar, but (hopefully) disambiguated way:
>   "Enroll thisObject itsName in object(s)" (e.g. "Enroll User foo in Netgroup(s)")
> * Just because it seems extra weird to enroll an object in its own kind of object, I add the word "other" in this case:
>   "Enroll Netgroup Foo in other Netgroup(s)"
> * The navigation tabs to the separate elements in an object are also based on this formula, and disambiguated by whether the tab represents objects "contained" in this one, or pointers to other "containing" object.
> * For objects "contained" in this one, I use the form:
>   "Member objects" (e.g. "Member Hosts" or "Member Groups")
> * For pointers to objects "containing" this, I use the form:
>   "Enrollment in objects" (e.g. "Enrollment in Host Groups" or "Enrollment in Groups")
> * I also use the word other when the relationship is for the same kind of object:
>   "Enrollment in other Netgroups"
> * For elements that do not present the ambiguity of contained vs. containing, I just use the word: e.g. Details, or Roles.
> * At the head of the list of tabs, I use the type of the current object with a colon, suggesting a phrase completion.
> * For instance, on the element pages for the Group object, the word "Group:" is at the head of the tabs. Possible completions (with the tab names) are:
> Group: Member Users
> Group: Member Groups
> Group: Enrollment in other Groups
> Group: Enrollment in Netgroups
> Group: Details
>
> So here's the challenge: The term "enroll" is overloaded.
> There are others that the thesaurus has that are workable: Enlistment, Association and Membership
>
> We also have to choose words that fit in the various parts of speech in which the word is used in the UI. For instance, "Join" is great as a verb, but there is no noun to describe it (Joinment?).
>
> (As a reference, I've put the list of all phrases that use these related terms at the end of this note.)
>
> If we choose "Membership", then we need to change the notion of "Member". Not that it's wrong -- but I want to use another term that is clearly linguistically different than Membership -- to disambiguate. Possible words are: affiliate, associate, and constituent.
>
> So: (*whew!!*)
>
> Do we use:
> Member(s) and Enrollment (my first attempt, but conflicts with other meanings of Enroll)
> Member(s) and Enlistment
> Member(s) and Association
>
> Associate(s) and Membership
> Affiliate(s) and Membership
> Constituent(s) and Membership
>
> What do you think?
>
> Ben
>
> PS: The list of phrases that the words need to work within are below. This includes an example of why Enroll doesn't work -- see if you can find it!
>
> Enroll Group Foo in Netgroup(s)
> Enroll Group Foo in other Group(s)
> Enroll Host Group Foo in Netgroup(s)
> Enroll Host Group Foo in other Host Group(s)
> Enroll Netgroup Foo in other Netgroup(s)
>
> Enroll Host Foo in Host Group(s)
> Enroll Host Foo in Netgroup(s)
> Enroll User Pat D. Bunny in Group(s)
> Enroll User Pat D. Bunny in Netgroup(s)
>
> Enroll Host
> Enroll Host Group
> Enroll User
> Enroll Group
> Enroll Netgroup
>
> Enroll in Host Group(s)
> Enroll in other Host Group(s)
> Enroll in Group(s)
> Enroll in other Group(s)
> Enroll in Netgroup(s)
> Enroll in other Netgroup(s)
>
> Enrollment in Groups
> Enrollment in other Groups
> Enrollment in Host Groups
> Enrollment in other Host Groups
> Enrollment in Netgroups
> Enrollment in other Netgroups
>
> Prospective Group Enrollment(s)
> Prospective Host Group Enrollment(s)
> Prospective Netgroup Enrollment(s)
>
> Status: Enrolled, Kerberos Key Present
> Enroll via One-Time-Password:
> Enrolled By:
> Enrolled?
> Delete Key, Unenroll
>
> Add Group(s) to Group Foo
> Add Group(s) to Netgroup Foo
> Add Host Group(s) to Host Group Foo
> Add Host Group(s) to Netgroup Foo
> Add Host(s) to Host Group Foo
> Add Host(s) to Netgroup Foo
> Add Role(s) to User Pat D. Bunny
> Add User(s) to Group Foo
> Add User(s) to Netgroup Foo
> Add Role(s) to User Pat D. Bunny
> Add Netgroup(s) to Netgroup Foo
>
> Add User(s)
> Add Group(s)
> Add Host(s)
> Add Host Group(s)
> Add Role(s)
>
> Remove User(s)
> Remove Group(s)
> Remove Role(s)
> Remove Host Group(s)
> Remove Host(s)
>
> Member Groups
> Member Host Groups
> Member Hosts
> Member Netgroups
> Member Users
>
> Withdraw from Host Group(s)
> Withdraw from Netgroup(s)
> Withdraw from Group(s)
>
> New User
> New Group
> New Service
> New Netgroup
> New Host Group
> New Host
> New Certificate
>
> Delete User(s)
> Delete Group(s)
> Delete Service(s)
> Delete Netgroup(s)
> Delete Host Group(s)
> Delete Host(s)
> Delete Key, Unenroll
> Delete Key, Unprovision
>
> User Details
> Group Details
> Netgroup Details
> Host Group Details
> Host Details
> Service Details
>
> Issue New Certificate for Host foo
> Issue New Certificate for Service foo
>

IMO we should use Member as described above and replace the "Enroll" & "Enrollment in" verb/noun pair with "Join" and "Associate of":

Associate of Groups
Associate of other Groups
Associate of Host Groups
Associate of other Host Groups
Associate of Netgroups
Associate of other Netgroups

Join Host Group(s)
Join other Host Group(s)
Join Group(s)
Join other Group(s)
Join Netgroup(s)
Join other Netgroup(s)

I would keep the Enroll term on the Host screen though since it is a proper use of the term enroll there.

2c

--
Thank you,
Dmitri Pal

Engineering Manager IPA project,
Red Hat Inc.

-------------------------------
Looking to carve out IT costs?
www.redhat.com/carveoutcosts/

From ayoung at redhat.com Fri Jul 9 20:50:12 2010
From: ayoung at redhat.com (Adam Young)
Date: Fri, 09 Jul 2010 16:50:12 -0400
Subject: [Freeipa-devel] [PATCH] 478 better startup error handling
In-Reply-To: <4C24ECF4.8030707@redhat.com>
References: <4C24ECF4.8030707@redhat.com>
Message-ID: <4C378B84.3050308@redhat.com>

On 06/25/2010 01:52 PM, Rob Crittenden wrote:
> This patch will limit the amount of output in the Apache error log by default. It should suppress the traceback and just display the exception. This is mostly to handle LDAP connection issues during startup where we retrieve the schema but it could have other implications as well.
>
> I've added a new config file directive, startup_traceback, defaulting to False. If you want the full traceback you can add this to /etc/ipa/default.conf (or ~/.ipa/default.conf) and get full tracebacks.
>
> In lite-server.py this defaults to True.
>
> I was looking for a way to cause Apache startup to fail if something blew up in IPA but I couldn't find anything in mod_wsgi to support that.
>
> rob

Ack

-------------- next part --------------
An HTML attachment was scrubbed...
URL:

From rcritten at redhat.com Mon Jul 12 13:32:52 2010
From: rcritten at redhat.com (Rob Crittenden)
Date: Mon, 12 Jul 2010 09:32:52 -0400
Subject: [Freeipa-devel] [PATCH] 478 better startup error handling
In-Reply-To: <4C378B84.3050308@redhat.com>
References: <4C24ECF4.8030707@redhat.com> <4C378B84.3050308@redhat.com>
Message-ID: <4C3B1984.7070602@redhat.com>

Adam Young wrote:
> On 06/25/2010 01:52 PM, Rob Crittenden wrote:
>> This patch will limit the amount of output in the Apache error log by default. It should suppress the traceback and just display the exception. This is mostly to handle LDAP connection issues during startup where we retrieve the schema but it could have other implications as well.
>>
>> I've added a new config file directive, startup_traceback, defaulting to False. If you want the full traceback you can add this to /etc/ipa/default.conf (or ~/.ipa/default.conf) and get full tracebacks.
>>
>> In lite-server.py this defaults to True.
>>
>> I was looking for a way to cause Apache startup to fail if something blew up in IPA but I couldn't find anything in mod_wsgi to support that.
>>
>> rob
>
> Ack

pushed to master

From pzuna at redhat.com Mon Jul 12 14:00:13 2010
From: pzuna at redhat.com (Pavel Zuna)
Date: Mon, 12 Jul 2010 16:00:13 +0200
Subject: [Freeipa-devel] [PATCH] 476 fix bad API call in selfsign
In-Reply-To: <4C24B334.9040503@redhat.com>
References: <4C24B334.9040503@redhat.com>
Message-ID: <4C3B1FED.2090401@redhat.com>

On 06/25/2010 03:46 PM, Rob Crittenden wrote:
> Use newer API in selfsign plugin. Fix missing import when running in the in-tree lite-server.
>
> rob

Maybe we should remove the comment as well, if it's not valid anymore.

Other than that: ACK.

Pavel

From rcritten at redhat.com Mon Jul 12 18:21:27 2010
From: rcritten at redhat.com (Rob Crittenden)
Date: Mon, 12 Jul 2010 14:21:27 -0400
Subject: [Freeipa-devel] [PATCH] 480 new search attribute
Message-ID: <4C3B5D27.1090409@redhat.com>

Add a new optional class variable to store the attributes to search on. They might differ from the default attributes you want to display.

Also link in any search attributes defined in cn=ipaconfig. These are a comma-separated list of attributes. We only have user and group defined currently.

rob

-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-480-search.patch
Type: application/mbox
Size: 3150 bytes
Desc: not available
URL:

From rcritten at redhat.com Mon Jul 12 20:47:43 2010
From: rcritten at redhat.com (Rob Crittenden)
Date: Mon, 12 Jul 2010 16:47:43 -0400
Subject: [Freeipa-devel] [PATCH] 481 add has_output_params support to Method class
Message-ID: <4C3B7F6F.8070502@redhat.com>

When figuring out what to display has_output_params was being ignored by descendants of the Method class.

rob

-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-481-params.patch
Type: application/mbox
Size: 757 bytes
Desc: not available
URL:

From rcritten at redhat.com Mon Jul 12 21:44:08 2010
From: rcritten at redhat.com (Rob Crittenden)
Date: Mon, 12 Jul 2010 17:44:08 -0400
Subject: [Freeipa-devel] [PATCH] 482 test cert storage
Message-ID: <4C3B8CA8.20101@redhat.com>

Verify that we're storing the same certificate that is being issued. Doesn't hurt to be a little extra paranoid.

rob

-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-482-cert.patch
Type: application/mbox
Size: 2270 bytes
Desc: not available
URL:

From rcritten at redhat.com Mon Jul 12 21:48:02 2010
From: rcritten at redhat.com (Rob Crittenden)
Date: Mon, 12 Jul 2010 17:48:02 -0400
Subject: [Freeipa-devel] [PATCH] 483 disable service/host
Message-ID: <4C3B8D92.9010804@redhat.com>

This patch supersedes patch 479 which is now defunct. It relies on patch 481.

Add API to delete a service principal key, service-disable and host-disable. This is so an admin can essentially revoke a service principal without deleting it (a host stores its own host service principal).

I pulled usercertificate out of the global params and put into each appropriate function because it makes no sense for service-disable.

This also adds a new output parameter, has_keytab. It is a boolean that indicates whether the entry has a kerberos principal key (or at least our best guess at it).

rob

-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-483-disable.patch
Type: application/mbox
Size: 11224 bytes
Desc: not available
URL:

From rcritten at redhat.com Mon Jul 12 21:51:15 2010
From: rcritten at redhat.com (Rob Crittenden)
Date: Mon, 12 Jul 2010 17:51:15 -0400
Subject: [Freeipa-devel] [PATCH] 484 add framework for testing other cmdlines
Message-ID: <4C3B8E53.9040804@redhat.com>

In order to test service-disable I needed a way to get a keytab. For this we need to run ipa-getkeytab so I added some framework to be able to run the non-ipa command-line utilities. Right now I'm just testing the very basics of ipa-getkeytab but it's a start.

rob

-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-484-tests.patch
Type: application/mbox
Size: 8119 bytes
Desc: not available
URL:

From pzuna at redhat.com Tue Jul 13 12:10:01 2010
From: pzuna at redhat.com (Pavel Zuna)
Date: Tue, 13 Jul 2010 14:10:01 +0200
Subject: [Freeipa-devel] [PATCH] 480 new search attribute
In-Reply-To: <4C3B5D27.1090409@redhat.com>
References: <4C3B5D27.1090409@redhat.com>
Message-ID: <4C3C5799.3070803@redhat.com>

On 07/12/2010 08:21 PM, Rob Crittenden wrote:
> Add a new optional class variable to store the attributes to search on. They might differ from the default attributes you want to display.
>
> Also link in any search attributes defined in cn=ipaconfig. These are a comma-separated list of attributes. We only have user and group defined currently.
>
> rob

ACK.
Pavel

From pzuna at redhat.com Tue Jul 13 12:38:14 2010
From: pzuna at redhat.com (Pavel Zuna)
Date: Tue, 13 Jul 2010 14:38:14 +0200
Subject: [Freeipa-devel] [PATCH] 481 add has_output_params support to Method class
In-Reply-To: <4C3B7F6F.8070502@redhat.com>
References: <4C3B7F6F.8070502@redhat.com>
Message-ID: <4C3C5E36.9060503@redhat.com>

On 07/12/2010 10:47 PM, Rob Crittenden wrote:
> When figuring out what to display has_output_params was being ignored by descendants of the Method class.
>
> rob

ACK.

Pavel

From pzuna at redhat.com Tue Jul 13 12:38:55 2010
From: pzuna at redhat.com (Pavel Zuna)
Date: Tue, 13 Jul 2010 14:38:55 +0200
Subject: [Freeipa-devel] [PATCH] 482 test cert storage
In-Reply-To: <4C3B8CA8.20101@redhat.com>
References: <4C3B8CA8.20101@redhat.com>
Message-ID: <4C3C5E5F.5010702@redhat.com>

On 07/12/2010 11:44 PM, Rob Crittenden wrote:
> Verify that we're storing the same certificate that is being issued. Doesn't hurt to be a little extra paranoid.
>
> rob

ACK.

Pavel

From pzuna at redhat.com Tue Jul 13 12:40:35 2010
From: pzuna at redhat.com (Pavel Zuna)
Date: Tue, 13 Jul 2010 14:40:35 +0200
Subject: [Freeipa-devel] [PATCH] 483 disable service/host
In-Reply-To: <4C3B8D92.9010804@redhat.com>
References: <4C3B8D92.9010804@redhat.com>
Message-ID: <4C3C5EC3.4080808@redhat.com>

On 07/12/2010 11:48 PM, Rob Crittenden wrote:
> This patch supersedes patch 479 which is now defunct. It relies on patch 481.
>
> Add API to delete a service principal key, service-disable and host-disable. This is so an admin can essentially revoke a service principal without deleting it (a host stores its own host service principal).
>
> I pulled usercertificate out of the global params and put into each appropriate function because it makes no sense for service-disable.
>
> This also adds a new output parameter, has_keytab. It is a boolean that indicates whether the entry has a kerberos principal key (or at least our best guess at it).
>
> rob

ACK.

Pavel

From rcritten at redhat.com Tue Jul 13 13:29:38 2010
From: rcritten at redhat.com (Rob Crittenden)
Date: Tue, 13 Jul 2010 09:29:38 -0400
Subject: [Freeipa-devel] [PATCH] 480 new search attribute
In-Reply-To: <4C3C5799.3070803@redhat.com>
References: <4C3B5D27.1090409@redhat.com> <4C3C5799.3070803@redhat.com>
Message-ID: <4C3C6A42.6080603@redhat.com>

Pavel Zuna wrote:
> On 07/12/2010 08:21 PM, Rob Crittenden wrote:
>> Add a new optional class variable to store the attributes to search on. They might differ from the default attributes you want to display.
>>
>> Also link in any search attributes defined in cn=ipaconfig. These are a comma-separated list of attributes. We only have user and group defined currently.
>>
>> rob
>
> ACK.
>
> Pavel

pushed to master

From rcritten at redhat.com Tue Jul 13 13:29:41 2010
From: rcritten at redhat.com (Rob Crittenden)
Date: Tue, 13 Jul 2010 09:29:41 -0400
Subject: [Freeipa-devel] [PATCH] 481 add has_output_params support to Method class
In-Reply-To: <4C3C5E36.9060503@redhat.com>
References: <4C3B7F6F.8070502@redhat.com> <4C3C5E36.9060503@redhat.com>
Message-ID: <4C3C6A45.9020908@redhat.com>

Pavel Zuna wrote:
> On 07/12/2010 10:47 PM, Rob Crittenden wrote:
>> When figuring out what to display has_output_params was being ignored by descendants of the Method class.
>>
>> rob
>
> ACK.
>
> Pavel

pushed to master

From rcritten at redhat.com Tue Jul 13 13:29:44 2010
From: rcritten at redhat.com (Rob Crittenden)
Date: Tue, 13 Jul 2010 09:29:44 -0400
Subject: [Freeipa-devel] [PATCH] 482 test cert storage
In-Reply-To: <4C3C5E5F.5010702@redhat.com>
References: <4C3B8CA8.20101@redhat.com> <4C3C5E5F.5010702@redhat.com>
Message-ID: <4C3C6A48.7070307@redhat.com>

Pavel Zuna wrote:
> On 07/12/2010 11:44 PM, Rob Crittenden wrote:
>> Verify that we're storing the same certificate that is being issued. Doesn't hurt to be a little extra paranoid.
>>
>> rob
>
> ACK.
>
> Pavel

pushed to master

From rcritten at redhat.com Tue Jul 13 13:29:47 2010
From: rcritten at redhat.com (Rob Crittenden)
Date: Tue, 13 Jul 2010 09:29:47 -0400
Subject: [Freeipa-devel] [PATCH] 483 disable service/host
In-Reply-To: <4C3C5EC3.4080808@redhat.com>
References: <4C3B8D92.9010804@redhat.com> <4C3C5EC3.4080808@redhat.com>
Message-ID: <4C3C6A4B.9060006@redhat.com>

Pavel Zuna wrote:
> On 07/12/2010 11:48 PM, Rob Crittenden wrote:
>> This patch supersedes patch 479 which is now defunct. It relies on patch 481.
>>
>> Add API to delete a service principal key, service-disable and host-disable. This is so an admin can essentially revoke a service principal without deleting it (a host stores its own host service principal).
>>
>> I pulled usercertificate out of the global params and put into each appropriate function because it makes no sense for service-disable.
>>
>> This also adds a new output parameter, has_keytab. It is a boolean that indicates whether the entry has a kerberos principal key (or at least our best guess at it).
>>
>> rob
>
> ACK.
>
> Pavel

pushed to master

From dpal at redhat.com Wed Jul 14 16:01:24 2010
From: dpal at redhat.com (Dmitri Pal)
Date: Wed, 14 Jul 2010 12:01:24 -0400
Subject: [Freeipa-devel] [PATCH] Schema adjustment
Message-ID: <4C3DDF54.4050803@redhat.com>

The ipaAssociation is the core of different association objects. It seems that the service is an exception rather than a rule. So it is moved into the object where it belongs.

-- 
Thank you,
Dmitri Pal

Engineering Manager IPA project,
Red Hat Inc.

-------------------------------
Looking to carve out IT costs?
www.redhat.com/carveoutcosts/

-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0001--SCHEMA-Moving-services-from-ipaAssociation-to-HBAC.patch
Type: text/x-patch
Size: 4117 bytes
Desc: not available
URL:

From rcritten at redhat.com Wed Jul 14 19:40:04 2010
From: rcritten at redhat.com (Rob Crittenden)
Date: Wed, 14 Jul 2010 15:40:04 -0400
Subject: [Freeipa-devel] [PATCH] 485 fix ipa-compat-manage and ipa-nis-manage
Message-ID: <4C3E1294.1000308@redhat.com>

The commands ipa-compat-manage and ipa-nis-manage didn't really work properly. I think some backend changes caused at least some of the problems. I fixed a few errors causing backtraces as well as some corner cases.

Enabling nis added a new compat location. So disabling compat would fail because it wasn't handling this new nis location.

I also ran pylint against both and fixed a few problems/warnings it raised.

rob

-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-485-compat.patch
Type: application/mbox
Size: 11601 bytes
Desc: not available
URL:

From ayoung at redhat.com Wed Jul 14 19:40:50 2010
From: ayoung at redhat.com (Adam Young)
Date: Wed, 14 Jul 2010 15:40:50 -0400
Subject: [Freeipa-devel] [PATCH] 471
Message-ID: <4C3E12C2.1040508@redhat.com>

Ack

From rcritten at redhat.com Wed Jul 14 19:41:30 2010
From: rcritten at redhat.com (Rob Crittenden)
Date: Wed, 14 Jul 2010 15:41:30 -0400
Subject: [Freeipa-devel] [PATCH] 486 fix nis netgroups map
Message-ID: <4C3E12EA.3070306@redhat.com>

The netgroups map was being served out of the compat subtree. This wasn't working and it is better for the nis plugin to generate its data itself, so I added the rule there as well.

rob

-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-486-nis.patch
Type: application/mbox
Size: 2198 bytes
Desc: not available
URL:

From rcritten at redhat.com Wed Jul 14 19:43:14 2010
From: rcritten at redhat.com (Rob Crittenden)
Date: Wed, 14 Jul 2010 15:43:14 -0400
Subject: [Freeipa-devel] [PATCH] 487 fix netgroup plugin
Message-ID: <4C3E1352.10609@redhat.com>

The netgroup plugin was using the wrong attribute for memberships. It needs to use memberuser for users and groups and memberhost for hosts and hostgroups. I fixed this up and corrected the tests as well.

rob

-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-487-netgroup.patch
Type: application/mbox
Size: 19443 bytes
Desc: not available
URL:

From ayoung at redhat.com Wed Jul 14 20:40:41 2010
From: ayoung at redhat.com (Adam Young)
Date: Wed, 14 Jul 2010 16:40:41 -0400
Subject: [Freeipa-devel] [PATCH] 485 fix ipa-compat-manage and ipa-nis-manage
In-Reply-To: <4C3E1294.1000308@redhat.com>
References: <4C3E1294.1000308@redhat.com>
Message-ID: <4C3E20C9.3060601@redhat.com>

On 07/14/2010 03:40 PM, Rob Crittenden wrote:
> The commands ipa-compat-manage and ipa-nis-manage didn't really work properly. I think some backend changes caused at least some of the problems. I fixed a few errors causing backtraces as well as some corner cases.
>
> Enabling nis added a new compat location. So disabling compat would fail because it wasn't handling this new nis location.
>
> I also ran pylint against both and fixed a few problems/warnings it raised.
>
> rob

NACK:

[root at ipa ~]# ipa-compat-manage enable
Directory Manager password:

Enabling plugin
This setting will not take effect until you restart Directory Server.

[root at ipa ~]# ipa-nis-manage enable
Directory Manager password:

Enabling plugin
Traceback (most recent call last):
  File "/usr/sbin/ipa-nis-manage", line 201, in
    sys.exit(main())
  File "/usr/sbin/ipa-nis-manage", line 150, in main
    conn.update_entry(nis_config_dn, mod, normalize=False)
  File "/usr/lib/python2.6/site-packages/ipalib/encoder.py", line 188, in new_f
    return f(*new_args, **kwargs)
  File "/usr/lib/python2.6/site-packages/ipaserver/plugins/ldap2.py", line 687, in update_entry
    raise errors.EmptyModlist()
ipalib.errors.EmptyModlist: no modifications to be performed

-------------- next part --------------
An HTML attachment was scrubbed...
URL:

From rcritten at redhat.com Wed Jul 14 21:44:05 2010
From: rcritten at redhat.com (Rob Crittenden)
Date: Wed, 14 Jul 2010 17:44:05 -0400
Subject: [Freeipa-devel] [PATCH] 485 fix ipa-compat-manage and ipa-nis-manage
In-Reply-To: <4C3E20C9.3060601@redhat.com>
References: <4C3E1294.1000308@redhat.com> <4C3E20C9.3060601@redhat.com>
Message-ID: <4C3E2FA5.6070307@redhat.com>

Adam Young wrote:
> On 07/14/2010 03:40 PM, Rob Crittenden wrote:
>> The commands ipa-compat-manage and ipa-nis-manage didn't really work properly. I think some backend changes caused at least some of the problems. I fixed a few errors causing backtraces as well as some corner cases.
>>
>> Enabling nis added a new compat location. So disabling compat would fail because it wasn't handling this new nis location.
>>
>> I also ran pylint against both and fixed a few problems/warnings it raised.
>>
>> rob
>
> NACK:
>
> [root at ipa ~]# ipa-compat-manage enable
> Directory Manager password:
>
> Enabling plugin
> This setting will not take effect until you restart Directory Server.
>
> [root at ipa ~]# ipa-nis-manage enable
> Directory Manager password:
>
> Enabling plugin
> Traceback (most recent call last):
>   File "/usr/sbin/ipa-nis-manage", line 201, in
>     sys.exit(main())
>   File "/usr/sbin/ipa-nis-manage", line 150, in main
>     conn.update_entry(nis_config_dn, mod, normalize=False)
>   File "/usr/lib/python2.6/site-packages/ipalib/encoder.py", line 188, in new_f
>     return f(*new_args, **kwargs)
>   File "/usr/lib/python2.6/site-packages/ipaserver/plugins/ldap2.py", line 687, in update_entry
>     raise errors.EmptyModlist()
> ipalib.errors.EmptyModlist: no modifications to be performed

The problem was we ship with the plugin enabled and we were trying to do an LDAP mod to enable it, so literally nothing to do.

I also made ipa-nis-manage require that the schema compat plugin already be enabled.

rob

-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-485-2-compat.patch
Type: application/mbox
Size: 12423 bytes
Desc: not available
URL:

From ayoung at redhat.com Wed Jul 14 22:03:46 2010
From: ayoung at redhat.com (Adam Young)
Date: Wed, 14 Jul 2010 18:03:46 -0400
Subject: [Freeipa-devel] [PATCH] 486 fix nis netgroups map
In-Reply-To: <4C3E12EA.3070306@redhat.com>
References: <4C3E12EA.3070306@redhat.com>
Message-ID: <4C3E3442.3070404@redhat.com>

On 07/14/2010 03:41 PM, Rob Crittenden wrote:
> The netgroups map was being served out of the compat subtree. This wasn't working and it is better for the nis plugin to generate its data itself, so I added the rule there as well.
>
> rob

ACK

-------------- next part --------------
An HTML attachment was scrubbed...
URL:

From ayoung at redhat.com Wed Jul 14 22:21:57 2010
From: ayoung at redhat.com (Adam Young)
Date: Wed, 14 Jul 2010 18:21:57 -0400
Subject: [Freeipa-devel] [PATCH] 485 fix ipa-compat-manage and ipa-nis-manage
In-Reply-To: <4C3E2FA5.6070307@redhat.com>
References: <4C3E1294.1000308@redhat.com> <4C3E20C9.3060601@redhat.com> <4C3E2FA5.6070307@redhat.com>
Message-ID: <4C3E3885.4020001@redhat.com>

On 07/14/2010 05:44 PM, Rob Crittenden wrote:
> Adam Young wrote:
>> On 07/14/2010 03:40 PM, Rob Crittenden wrote:
>>> The commands ipa-compat-manage and ipa-nis-manage didn't really work properly. I think some backend changes caused at least some of the problems. I fixed a few errors causing backtraces as well as some corner cases.
>>>
>>> Enabling nis added a new compat location. So disabling compat would fail because it wasn't handling this new nis location.
>>>
>>> I also ran pylint against both and fixed a few problems/warnings it raised.
>>>
>>> rob
>>
>> NACK:
>>
>> [root at ipa ~]# ipa-compat-manage enable
>> Directory Manager password:
>>
>> Enabling plugin
>> This setting will not take effect until you restart Directory Server.
>>
>> [root at ipa ~]# ipa-nis-manage enable
>> Directory Manager password:
>>
>> Enabling plugin
>> Traceback (most recent call last):
>>   File "/usr/sbin/ipa-nis-manage", line 201, in
>>     sys.exit(main())
>>   File "/usr/sbin/ipa-nis-manage", line 150, in main
>>     conn.update_entry(nis_config_dn, mod, normalize=False)
>>   File "/usr/lib/python2.6/site-packages/ipalib/encoder.py", line 188, in new_f
>>     return f(*new_args, **kwargs)
>>   File "/usr/lib/python2.6/site-packages/ipaserver/plugins/ldap2.py", line 687, in update_entry
>>     raise errors.EmptyModlist()
>> ipalib.errors.EmptyModlist: no modifications to be performed
>
> The problem was we ship with the plugin enabled and we were trying to do an LDAP mod to enable it, so literally nothing to do.
>
> I also made ipa-nis-manage require that the schema compat plugin already be enabled.
>
> rob

ACK

From ayoung at redhat.com Wed Jul 14 22:39:37 2010
From: ayoung at redhat.com (Adam Young)
Date: Wed, 14 Jul 2010 18:39:37 -0400
Subject: [Freeipa-devel] [PATCH] 487 fix netgroup plugin
In-Reply-To: <4C3E1352.10609@redhat.com>
References: <4C3E1352.10609@redhat.com>
Message-ID: <4C3E3CA9.6050809@redhat.com>

On 07/14/2010 03:43 PM, Rob Crittenden wrote:
> The netgroup plugin was using the wrong attribute for memberships. It needs to use memberuser for users and groups and memberhost for hosts and hostgroups. I fixed this up and corrected the tests as well.
>
> rob

Got it installed and running. Unclear how to test.

-------------- next part --------------
An HTML attachment was scrubbed...
URL: From dpal at redhat.com Wed Jul 14 23:52:35 2010 From: dpal at redhat.com (Dmitri Pal) Date: Wed, 14 Jul 2010 19:52:35 -0400 Subject: [Freeipa-devel] [PATCH] 487 fix netgroup plugin In-Reply-To: <4C3E3CA9.6050809@redhat.com> References: <4C3E1352.10609@redhat.com> <4C3E3CA9.6050809@redhat.com> Message-ID: <4C3E4DC3.8000103@redhat.com> Adam Young wrote: > On 07/14/2010 03:43 PM, Rob Crittenden wrote: >> The netgroup plugin was using the wrong attribute for memberships. It >> needs to use memberuser for users and groups and memberhost for hosts >> and hostgroups. I fixed this up and corrected the tests as well. >> >> rob >> >> >> _______________________________________________ >> Freeipa-devel mailing list >> Freeipa-devel at redhat.com >> https://www.redhat.com/mailman/listinfo/freeipa-devel > > > > Got it installed and running. Unclear how to test. Create a user group with 3 users U1 U2 U3. Create a host group with the two hosts H 1 H2 Create a netgroup that includes this user group and this host group Configure client to use your IPA server as a source of the netgroups Lits the netgoups - should get your netgroup List the contents of the netgroup. You should get triplets: user, host, domain The order of the users and hosts in triplets does not matter. What matters is that each host and each user are listed in some triplet and generally present in the netgroup not more than once. > ------------------------------------------------------------------------ > > _______________________________________________ > Freeipa-devel mailing list > Freeipa-devel at redhat.com > https://www.redhat.com/mailman/listinfo/freeipa-devel -- Thank you, Dmitri Pal Engineering Manager IPA project, Red Hat Inc. ------------------------------- Looking to carve out IT costs? 
www.redhat.com/carveoutcosts/ From ayoung at redhat.com Thu Jul 15 02:25:24 2010 From: ayoung at redhat.com (Adam Young) Date: Wed, 14 Jul 2010 22:25:24 -0400 Subject: [Freeipa-devel] [PATCH] 487 fix netgroup plugin In-Reply-To: <4C3E4DC3.8000103@redhat.com> References: <4C3E1352.10609@redhat.com> <4C3E3CA9.6050809@redhat.com> <4C3E4DC3.8000103@redhat.com> Message-ID: <4C3E7194.4000609@redhat.com> On 07/14/2010 07:52 PM, Dmitri Pal wrote: > Adam Young wrote: > >> On 07/14/2010 03:43 PM, Rob Crittenden wrote: >> >>> The netgroup plugin was using the wrong attribute for memberships. It >>> needs to use memberuser for users and groups and memberhost for hosts >>> and hostgroups. I fixed this up and corrected the tests as well. >>> >>> rob >>> >>> >>> _______________________________________________ >>> Freeipa-devel mailing list >>> Freeipa-devel at redhat.com >>> https://www.redhat.com/mailman/listinfo/freeipa-devel >>> >> >> >> Got it installed and running. Unclear how to test. >> > > Create a user group with 3 users U1 U2 U3. Create a host group with the > two hosts H 1 H2 > Create a netgroup that includes this user group and this host group > Configure client to use your IPA server as a source of the netgroups > Lits the netgoups - should get your netgroup > List the contents of the netgroup. You should get triplets: user, host, > domain > The order of the users and hosts in triplets does not matter. What > matters is that each host and each user are listed in some triplet and > generally present in the netgroup not more than once. > > > >> ------------------------------------------------------------------------ >> >> _______________________________________________ >> Freeipa-devel mailing list >> Freeipa-devel at redhat.com >> https://www.redhat.com/mailman/listinfo/freeipa-devel >> > > Here's my script. ypcat stopped working with No such map netgroup. 
Reason: Can't communicate with portmapper Too tired to debug tonight/ ipa user-add --first=Kermit --last=Frog kfrog ipa user-add --first=Count --last=VonCount count123 ipa user-add --first=Oscar --last=Grouch scram ipa user-add --first=Elmo --last=Gonzales elmo ipa user-add --first=Zoe --last=MacPhearson zoe ipa user-add --first=Prairie --last=Dawn pdawn ipa group-add --desc="Monsters on Sesame Street" monsters ipa group-add --desc="Muppets moonlighting for CTW" muppets ipa group-add-member --users=kfrog,scram,pdawn muppets ipa group-add-member --users=count123,elmo,zoe monsters ipa netgroup-add --desc="staging servers" net-stage ipa netgroup-add --desc="live servers" net-live ipa hostgroup-add --desc "Live servers" host-live ipa hostgroup-add --desc "Staging servers" stage-live ipa hostgroup-add-member --hosts live3.pbs.org,live2.pbs.org,live1.pbs.org host-live ipa hostgroup-add-member --hosts stage3.pbs.org,stage2.pbs.org,stage1.pbs.org host-stage ipa netgroup-add-member --groups=muppets --hostgroups=host-live net-live ipa netgroup-add-member --groups=muppets --hostgroups=host-stage net-stage ypcat -d ipa.ayoung.boston.devel.redhat.com -h ipa.ayoung.boston.devel.redhat.com netgroup From rcritten at redhat.com Thu Jul 15 13:15:09 2010 From: rcritten at redhat.com (Rob Crittenden) Date: Thu, 15 Jul 2010 09:15:09 -0400 Subject: [Freeipa-devel] [PATCH] 487 fix netgroup plugin In-Reply-To: <4C3E7194.4000609@redhat.com> References: <4C3E1352.10609@redhat.com> <4C3E3CA9.6050809@redhat.com> <4C3E4DC3.8000103@redhat.com> <4C3E7194.4000609@redhat.com> Message-ID: <4C3F09DD.5030106@redhat.com> Adam Young wrote: > On 07/14/2010 07:52 PM, Dmitri Pal wrote: >> Adam Young wrote: >>> On 07/14/2010 03:43 PM, Rob Crittenden wrote: >>>> The netgroup plugin was using the wrong attribute for memberships. It >>>> needs to use memberuser for users and groups and memberhost for hosts >>>> and hostgroups. I fixed this up and corrected the tests as well. 
>>>> >>>> rob >>>> >>>> >>>> _______________________________________________ >>>> Freeipa-devel mailing list >>>> Freeipa-devel at redhat.com >>>> https://www.redhat.com/mailman/listinfo/freeipa-devel >>> >>> >>> Got it installed and running. Unclear how to test. >> >> Create a user group with 3 users U1 U2 U3. Create a host group with the >> two hosts H 1 H2 >> Create a netgroup that includes this user group and this host group >> Configure client to use your IPA server as a source of the netgroups >> Lits the netgoups - should get your netgroup >> List the contents of the netgroup. You should get triplets: user, host, >> domain >> The order of the users and hosts in triplets does not matter. What >> matters is that each host and each user are listed in some triplet and >> generally present in the netgroup not more than once. >> >> >>> ------------------------------------------------------------------------ >>> >>> _______________________________________________ >>> Freeipa-devel mailing list >>> Freeipa-devel at redhat.com >>> https://www.redhat.com/mailman/listinfo/freeipa-devel >> > > > > Here's my script. ypcat stopped working with > > No such map netgroup. 
Reason: Can't communicate with portmapper > > Too tired to debug tonight/ > > ipa user-add --first=Kermit --last=Frog kfrog > ipa user-add --first=Count --last=VonCount count123 > ipa user-add --first=Oscar --last=Grouch scram > > ipa user-add --first=Elmo --last=Gonzales elmo > ipa user-add --first=Zoe --last=MacPhearson zoe > ipa user-add --first=Prairie --last=Dawn pdawn > > > ipa group-add --desc="Monsters on Sesame Street" monsters > ipa group-add --desc="Muppets moonlighting for CTW" muppets > > ipa group-add-member --users=kfrog,scram,pdawn muppets > ipa group-add-member --users=count123,elmo,zoe monsters > > ipa netgroup-add --desc="staging servers" net-stage > ipa netgroup-add --desc="live servers" net-live > > ipa hostgroup-add --desc "Live servers" host-live > ipa hostgroup-add --desc "Staging servers" stage-live > > > ipa hostgroup-add-member --hosts > live3.pbs.org,live2.pbs.org,live1.pbs.org host-live > ipa hostgroup-add-member --hosts > stage3.pbs.org,stage2.pbs.org,stage1.pbs.org host-stage > > > ipa netgroup-add-member --groups=muppets --hostgroups=host-live net-live > ipa netgroup-add-member --groups=muppets --hostgroups=host-stage net-stage > > > > ypcat -d ipa.ayoung.boston.devel.redhat.com -h > ipa.ayoung.boston.devel.redhat.com netgroup > Ok, kudos on the big test group but your knowledge of Sesame Street characters last names is a bit disturbing ;-) Your ypcat command is wrong. The -d is your NIS domain (same as your IPA domain) and the -h is the host to connect to. I get the following output with this data set: (-,kfrog,example.com) (-,scram,example.com) (-,pdawn,example.com) (-,kfrog,example.com) (-,scram,example.com) (-,pdawn,example.com) Based on my limited understanding of netgroups this looks correct. You have defined two netgroups, both of which have the same user group as a member. 
The first netgroup has no hosts or hostgroups associated with it, the
second has an empty hostgroup (because you added non-existent hosts, or
at least hosts not on my box).

I added a host to host-live and now I get:

(-,kfrog,example.com) (-,scram,example.com) (-,pdawn,example.com)
(lion.example.com,kfrog,example.com) (-,scram,example.com) (-,pdawn,example.com)

rob

From ayoung at redhat.com Thu Jul 15 13:49:00 2010
From: ayoung at redhat.com (Adam Young)
Date: Thu, 15 Jul 2010 09:49:00 -0400
Subject: [Freeipa-devel] [PATCH] 487 fix netgroup plugin
In-Reply-To: <4C3F09DD.5030106@redhat.com>
References: <4C3E1352.10609@redhat.com> <4C3E3CA9.6050809@redhat.com> <4C3E4DC3.8000103@redhat.com> <4C3E7194.4000609@redhat.com> <4C3F09DD.5030106@redhat.com>
Message-ID: <4C3F11CC.2060608@redhat.com>

On 07/15/2010 09:15 AM, Rob Crittenden wrote:
> Adam Young wrote:
>> On 07/14/2010 07:52 PM, Dmitri Pal wrote:
>>> Adam Young wrote:
>>>> On 07/14/2010 03:43 PM, Rob Crittenden wrote:
>>>>> The netgroup plugin was using the wrong attribute for memberships. It
>>>>> needs to use memberuser for users and groups and memberhost for hosts
>>>>> and hostgroups. I fixed this up and corrected the tests as well.
>>>>>
>>>>> rob
>>>>>
>>>>> _______________________________________________
>>>>> Freeipa-devel mailing list
>>>>> Freeipa-devel at redhat.com
>>>>> https://www.redhat.com/mailman/listinfo/freeipa-devel
>>>>
>>>> Got it installed and running. Unclear how to test.
>>>
>>> Create a user group with 3 users U1 U2 U3. Create a host group with the
>>> two hosts H1 H2
>>> Create a netgroup that includes this user group and this host group
>>> Configure client to use your IPA server as a source of the netgroups
>>> List the netgroups - should get your netgroup
>>> List the contents of the netgroup. You should get triplets: user, host,
>>> domain
>>> The order of the users and hosts in triplets does not matter.
What >>> matters is that each host and each user are listed in some triplet and >>> generally present in the netgroup not more than once. >>> >>> >>>> ------------------------------------------------------------------------ >>>> >>>> >>>> _______________________________________________ >>>> Freeipa-devel mailing list >>>> Freeipa-devel at redhat.com >>>> https://www.redhat.com/mailman/listinfo/freeipa-devel >>> >> >> >> >> Here's my script. ypcat stopped working with >> >> No such map netgroup. Reason: Can't communicate with portmapper >> >> Too tired to debug tonight/ >> >> ipa user-add --first=Kermit --last=Frog kfrog >> ipa user-add --first=Count --last=VonCount count123 >> ipa user-add --first=Oscar --last=Grouch scram >> >> ipa user-add --first=Elmo --last=Gonzales elmo >> ipa user-add --first=Zoe --last=MacPhearson zoe >> ipa user-add --first=Prairie --last=Dawn pdawn >> >> >> ipa group-add --desc="Monsters on Sesame Street" monsters >> ipa group-add --desc="Muppets moonlighting for CTW" muppets >> >> ipa group-add-member --users=kfrog,scram,pdawn muppets >> ipa group-add-member --users=count123,elmo,zoe monsters >> >> ipa netgroup-add --desc="staging servers" net-stage >> ipa netgroup-add --desc="live servers" net-live >> >> ipa hostgroup-add --desc "Live servers" host-live >> ipa hostgroup-add --desc "Staging servers" stage-live >> >> >> ipa hostgroup-add-member --hosts >> live3.pbs.org,live2.pbs.org,live1.pbs.org host-live >> ipa hostgroup-add-member --hosts >> stage3.pbs.org,stage2.pbs.org,stage1.pbs.org host-stage >> >> >> ipa netgroup-add-member --groups=muppets --hostgroups=host-live net-live >> ipa netgroup-add-member --groups=muppets --hostgroups=host-stage >> net-stage >> >> >> >> ypcat -d ipa.ayoung.boston.devel.redhat.com -h >> ipa.ayoung.boston.devel.redhat.com netgroup >> > > Ok, kudos on the big test group but your knowledge of Sesame Street > characters last names is a bit disturbing ;-) > > Your ypcat command is wrong. 
The -d is your NIS domain (same as your > IPA domain) and the -h is the host to connect to. > > I get the following output with this data set: > > (-,kfrog,example.com) (-,scram,example.com) (-,pdawn,example.com) > (-,kfrog,example.com) (-,scram,example.com) (-,pdawn,example.com) > > Based on my limited understanding of netgroups this looks correct. You > have defined two netgroups, both of which have the same user group as > a member. The first netgroup has no hosts or hostgroups associated > with it, the second has an empty hostgroup (because you added > non-existent hosts, or at least hosts not on my box). > > I added a host to host-live and now I get: > > (-,kfrog,example.com) (-,scram,example.com) (-,pdawn,example.com) > (lion.example.com,kfrog,example.com) (-,scram,example.com) > (-,pdawn,example.com) > > rob ACK From rcritten at redhat.com Thu Jul 15 15:19:35 2010 From: rcritten at redhat.com (Rob Crittenden) Date: Thu, 15 Jul 2010 11:19:35 -0400 Subject: [Freeipa-devel] [PATCH] 471 crypto cleanup In-Reply-To: <4C237D8C.4040608@redhat.com> References: <4C237D8C.4040608@redhat.com> Message-ID: <4C3F2707.5050008@redhat.com> Rob Crittenden wrote: > Drop our x509v3 asn.1 parser and use the new capabilities of python-nss. > Include a lot more information when returning a certificate. > > I'm including an API change here too. I'm renaming cert-get to cert-show > to be more consistent with other plugins. I don't know of any external > apps that use cert-get so we should be ok there. 
> > rob > Adam acked this in another thread, pushed to master From rcritten at redhat.com Thu Jul 15 15:21:04 2010 From: rcritten at redhat.com (Rob Crittenden) Date: Thu, 15 Jul 2010 11:21:04 -0400 Subject: [Freeipa-devel] [PATCH] 476 fix bad API call in selfsign In-Reply-To: <4C3B1FED.2090401@redhat.com> References: <4C24B334.9040503@redhat.com> <4C3B1FED.2090401@redhat.com> Message-ID: <4C3F2760.5030306@redhat.com> Pavel Zuna wrote: > On 06/25/2010 03:46 PM, Rob Crittenden wrote: >> Use newer API in selfsign plugin. Fix missing import when running in the >> in-tree lite-server. >> >> rob >> > Maybe we should remove the comment as well, if it's not valid anymore. > Other than that: > > ACK. > > Pavel I forgot to remove the comment before pushing, I'll do that in a future patch. pushed to master From rcritten at redhat.com Thu Jul 15 15:21:22 2010 From: rcritten at redhat.com (Rob Crittenden) Date: Thu, 15 Jul 2010 11:21:22 -0400 Subject: [Freeipa-devel] [PATCH] 485 fix ipa-compat-manage and ipa-nis-manage In-Reply-To: <4C3E3885.4020001@redhat.com> References: <4C3E1294.1000308@redhat.com> <4C3E20C9.3060601@redhat.com> <4C3E2FA5.6070307@redhat.com> <4C3E3885.4020001@redhat.com> Message-ID: <4C3F2772.6000109@redhat.com> Adam Young wrote: > On 07/14/2010 05:44 PM, Rob Crittenden wrote: >> Adam Young wrote: >>> On 07/14/2010 03:40 PM, Rob Crittenden wrote: >>>> The commands ipa-compat-manage and ipa-nis-manage didn't really work >>>> properly. I think some backend changes caused at least some of the >>>> problems. I fixed a few errors causing backtraces as well as some >>>> corner cases. >>>> >>>> Enabling nis added a new compat location. So disabling compat would >>>> fail because it wasn't handling this new nis location. >>>> >>>> I also ran pylint against both and fixed a few problems/warnings it >>>> raised. 
>>>> >>>> rob >>>> >>>> >>>> _______________________________________________ >>>> Freeipa-devel mailing list >>>> Freeipa-devel at redhat.com >>>> https://www.redhat.com/mailman/listinfo/freeipa-devel >>> NACK: >>> >>> [root at ipa ~]# ipa-compat-manage enable >>> Directory Manager password: >>> >>> Enabling plugin >>> This setting will not take effect until you restart Directory Server. >>> >>> [root at ipa ~]# ipa-nis-manage enable >>> Directory Manager password: >>> >>> Enabling plugin >>> Traceback (most recent call last): >>> File "/usr/sbin/ipa-nis-manage", line 201, in >>> sys.exit(main()) >>> File "/usr/sbin/ipa-nis-manage", line 150, in main >>> conn.update_entry(nis_config_dn, mod, normalize=False) >>> File "/usr/lib/python2.6/site-packages/ipalib/encoder.py", line >>> 188, in new_f >>> return f(*new_args, **kwargs) >>> File "/usr/lib/python2.6/site-packages/ipaserver/plugins/ldap2.py", >>> line 687, in update_entry >>> raise errors.EmptyModlist() >>> ipalib.errors.EmptyModlist: no modifications to be performed >> >> The problem was we ship with the plugin enabled and we were trying to >> do an LDAP mod to enable it, so literally nothing to do. >> >> I also made ipa-nis-manage require that the schema compat plugin >> already be enabled. >> >> rob > > > ACK pushed to master From rcritten at redhat.com Thu Jul 15 15:21:33 2010 From: rcritten at redhat.com (Rob Crittenden) Date: Thu, 15 Jul 2010 11:21:33 -0400 Subject: [Freeipa-devel] [PATCH] 486 fix nis netgroups map In-Reply-To: <4C3E3442.3070404@redhat.com> References: <4C3E12EA.3070306@redhat.com> <4C3E3442.3070404@redhat.com> Message-ID: <4C3F277D.1000305@redhat.com> Adam Young wrote: > On 07/14/2010 03:41 PM, Rob Crittenden wrote: >> The netgroups map was being served out of the compat subtree. This >> wasn't working and it is better for the nis plugin to generate its >> data itself, so I added the rule there as well. 
>> >> rob >> >> >> _______________________________________________ >> Freeipa-devel mailing list >> Freeipa-devel at redhat.com >> https://www.redhat.com/mailman/listinfo/freeipa-devel > ACK pushed to master From rcritten at redhat.com Thu Jul 15 15:21:43 2010 From: rcritten at redhat.com (Rob Crittenden) Date: Thu, 15 Jul 2010 11:21:43 -0400 Subject: [Freeipa-devel] [PATCH] 487 fix netgroup plugin In-Reply-To: <4C3F11CC.2060608@redhat.com> References: <4C3E1352.10609@redhat.com> <4C3E3CA9.6050809@redhat.com> <4C3E4DC3.8000103@redhat.com> <4C3E7194.4000609@redhat.com> <4C3F09DD.5030106@redhat.com> <4C3F11CC.2060608@redhat.com> Message-ID: <4C3F2787.3040509@redhat.com> Adam Young wrote: > On 07/15/2010 09:15 AM, Rob Crittenden wrote: >> Adam Young wrote: >>> On 07/14/2010 07:52 PM, Dmitri Pal wrote: >>>> Adam Young wrote: >>>>> On 07/14/2010 03:43 PM, Rob Crittenden wrote: >>>>>> The netgroup plugin was using the wrong attribute for memberships. It >>>>>> needs to use memberuser for users and groups and memberhost for hosts >>>>>> and hostgroups. I fixed this up and corrected the tests as well. >>>>>> >>>>>> rob >>>>>> >>>>>> >>>>>> _______________________________________________ >>>>>> Freeipa-devel mailing list >>>>>> Freeipa-devel at redhat.com >>>>>> https://www.redhat.com/mailman/listinfo/freeipa-devel >>>>> >>>>> >>>>> Got it installed and running. Unclear how to test. >>>> >>>> Create a user group with 3 users U1 U2 U3. Create a host group with the >>>> two hosts H 1 H2 >>>> Create a netgroup that includes this user group and this host group >>>> Configure client to use your IPA server as a source of the netgroups >>>> Lits the netgoups - should get your netgroup >>>> List the contents of the netgroup. You should get triplets: user, host, >>>> domain >>>> The order of the users and hosts in triplets does not matter. What >>>> matters is that each host and each user are listed in some triplet and >>>> generally present in the netgroup not more than once. 
>>>> >>>> >>>>> ------------------------------------------------------------------------ >>>>> >>>>> >>>>> _______________________________________________ >>>>> Freeipa-devel mailing list >>>>> Freeipa-devel at redhat.com >>>>> https://www.redhat.com/mailman/listinfo/freeipa-devel >>>> >>> >>> >>> >>> Here's my script. ypcat stopped working with >>> >>> No such map netgroup. Reason: Can't communicate with portmapper >>> >>> Too tired to debug tonight/ >>> >>> ipa user-add --first=Kermit --last=Frog kfrog >>> ipa user-add --first=Count --last=VonCount count123 >>> ipa user-add --first=Oscar --last=Grouch scram >>> >>> ipa user-add --first=Elmo --last=Gonzales elmo >>> ipa user-add --first=Zoe --last=MacPhearson zoe >>> ipa user-add --first=Prairie --last=Dawn pdawn >>> >>> >>> ipa group-add --desc="Monsters on Sesame Street" monsters >>> ipa group-add --desc="Muppets moonlighting for CTW" muppets >>> >>> ipa group-add-member --users=kfrog,scram,pdawn muppets >>> ipa group-add-member --users=count123,elmo,zoe monsters >>> >>> ipa netgroup-add --desc="staging servers" net-stage >>> ipa netgroup-add --desc="live servers" net-live >>> >>> ipa hostgroup-add --desc "Live servers" host-live >>> ipa hostgroup-add --desc "Staging servers" stage-live >>> >>> >>> ipa hostgroup-add-member --hosts >>> live3.pbs.org,live2.pbs.org,live1.pbs.org host-live >>> ipa hostgroup-add-member --hosts >>> stage3.pbs.org,stage2.pbs.org,stage1.pbs.org host-stage >>> >>> >>> ipa netgroup-add-member --groups=muppets --hostgroups=host-live net-live >>> ipa netgroup-add-member --groups=muppets --hostgroups=host-stage >>> net-stage >>> >>> >>> >>> ypcat -d ipa.ayoung.boston.devel.redhat.com -h >>> ipa.ayoung.boston.devel.redhat.com netgroup >>> >> >> Ok, kudos on the big test group but your knowledge of Sesame Street >> characters last names is a bit disturbing ;-) >> >> Your ypcat command is wrong. The -d is your NIS domain (same as your >> IPA domain) and the -h is the host to connect to. 
>> >> I get the following output with this data set: >> >> (-,kfrog,example.com) (-,scram,example.com) (-,pdawn,example.com) >> (-,kfrog,example.com) (-,scram,example.com) (-,pdawn,example.com) >> >> Based on my limited understanding of netgroups this looks correct. You >> have defined two netgroups, both of which have the same user group as >> a member. The first netgroup has no hosts or hostgroups associated >> with it, the second has an empty hostgroup (because you added >> non-existent hosts, or at least hosts not on my box). >> >> I added a host to host-live and now I get: >> >> (-,kfrog,example.com) (-,scram,example.com) (-,pdawn,example.com) >> (lion.example.com,kfrog,example.com) (-,scram,example.com) >> (-,pdawn,example.com) >> >> rob > ACK pushed to master From rcritten at redhat.com Thu Jul 15 19:53:21 2010 From: rcritten at redhat.com (Rob Crittenden) Date: Thu, 15 Jul 2010 15:53:21 -0400 Subject: [Freeipa-devel] Announcing FreeIPA v2 Server Alpha 4 Release Message-ID: <4C3F6731.6000000@redhat.com> To all freeipa-interest, freeipa-users and freeipa-devel list members, The FreeIPA project team is pleased to announce the availability of the Alpha 4 release of freeIPA 2.0 server [1]. Binaries are available for F-12 and F-13. This alpha is mostly a bug fix release over the previous alpha. We have started the process of polishing so things should generally work more smoothly and look better. There are no improvements in the UI, those should appear in the next release. Please do not hesitate to share feedback, criticism or bugs with us on our mailing list: freeipa-users at redhat.com The changes in this release are: - Moved our dogtag SELinux to be installed with the rpm instead of during configuration. - Fedora 13 moved to gpg2 and dropped gpg. Fix our invocation so we work with either (this was preventing replica installations). - Query remote server during replica installation to see if the replica already exists. 
This prevents lots of really strange errors during replica installation.
- Fixed SSL error in client enrollment.
- Changed the way services are handled in HBAC. There is now a separate service and servicegroup object that you associate with HBAC rules. sssd is already using this new mechanism.
- First pass at per-command documentation. It still needs a lot of work.
- Fix aci-mod command. It wasn't really working well in almost all cases.
- Add replication version checking. This is one step in better control during updates.
- Don't try to convert a host's password into a keytab with bulk enrollment (this was causing krbPasswordExpiration to be set).
- Add support for User-Private Groups.
- Worked on error handling in mod_wsgi. Now hopefully a shorter and less scary backtrace will be thrown when things go bump in the night.
- Add new api to disable service and host principals.
- Significant cleanup of crypto code. Using python-nss for a lot more (and more to come).
- Fixed some errors in and made ipa-compat-manage and ipa-nis-manage more bullet-proof.
- Fixed netgroups plugin, it was generating the wrong attributes.
- Other minor polish and bug fixes.

Known issues:
- The CA must be installed in the en_US locale (#588375)

rob

[1] http://www.freeipa.org/page/Downloads

From dpal at redhat.com Mon Jul 19 13:44:17 2010
From: dpal at redhat.com (Dmitri Pal)
Date: Mon, 19 Jul 2010 09:44:17 -0400
Subject: [Freeipa-devel] [PATCH] 1. Schema Cleanup
In-Reply-To: <4C3DDF54.4050803@redhat.com>
References: <4C3DDF54.4050803@redhat.com>
Message-ID: <4C4456B1.5070506@redhat.com>

Dmitri Pal wrote:
> The ipaAssociation is the core of different association objects.
> It seems that the service is an exception rather than a rule.
> So it is moved into the object where it belongs.
>

I am withdrawing this patch. A new one is attached. In addition to the original changes it also fixes things mentioned in the ticket #89.
https://fedorahosted.org/freeipa/ticket/89 > ------------------------------------------------------------------------ > > _______________________________________________ > Freeipa-devel mailing list > Freeipa-devel at redhat.com > https://www.redhat.com/mailman/listinfo/freeipa-devel -- Thank you, Dmitri Pal Engineering Manager IPA project, Red Hat Inc. ------------------------------- Looking to carve out IT costs? www.redhat.com/carveoutcosts/ -------------- next part -------------- A non-text attachment was scrubbed... Name: 0001--SCHEMA-1.-Schema-cleanup.patch Type: text/x-patch Size: 9111 bytes Desc: not available URL: From rcritten at redhat.com Tue Jul 20 18:12:02 2010 From: rcritten at redhat.com (Rob Crittenden) Date: Tue, 20 Jul 2010 14:12:02 -0400 Subject: [Freeipa-devel] [PATCH] 488 use the python-nss CertificateRequest object Message-ID: <4C45E6F2.7020203@redhat.com> This drops our own PKCS#10 parser and uses the one from python-nss. I had to bump up the minimum required version of python-nss to pick up some new API for this. This introduces some new challenges for us. NSS needs to be initialized for you to do any sort of operations otherwise you get ugly segfaults. So I added in some catch-all no_db inits to try to prevent this. I also had to add in some code when making SSL requests so that the right database is opened. AFAIK NSS still lacks the ability to operate on multiple databases concurrently. Once that is available this code becomes lots better. Despite this, using the NSS parser is still safer. My PKCS#10 parser seemed ok but getting the extension requests out was a nightmare. It is much easier with python-nss. rob -------------- next part -------------- A non-text attachment was scrubbed... 
Name: freeipa-488-csr.patch Type: application/mbox Size: 38319 bytes Desc: not available URL: From rmeggins at redhat.com Tue Jul 20 18:21:41 2010 From: rmeggins at redhat.com (Rich Megginson) Date: Tue, 20 Jul 2010 12:21:41 -0600 Subject: [Freeipa-devel] [PATCH] 488 use the python-nss CertificateRequest object In-Reply-To: <4C45E6F2.7020203@redhat.com> References: <4C45E6F2.7020203@redhat.com> Message-ID: <4C45E935.5020503@redhat.com> Rob Crittenden wrote: > This drops our own PKCS#10 parser and uses the one from python-nss. I > had to bump up the minimum required version of python-nss to pick up > some new API for this. > > This introduces some new challenges for us. NSS needs to be > initialized for you to do any sort of operations otherwise you get > ugly segfaults. So I added in some catch-all no_db inits to try to > prevent this. I also had to add in some code when making SSL requests > so that the right database is opened. AFAIK NSS still lacks the > ability to operate on multiple databases concurrently. Once that is > available this code becomes lots better. > > Despite this, using the NSS parser is still safer. My PKCS#10 parser > seemed ok but getting the extension requests out was a nightmare. It > is much easier with python-nss. Does python-nss expose the NSS_InitContext api? > > rob > ------------------------------------------------------------------------ > > _______________________________________________ > Freeipa-devel mailing list > Freeipa-devel at redhat.com > https://www.redhat.com/mailman/listinfo/freeipa-devel From rcritten at redhat.com Tue Jul 20 19:37:57 2010 From: rcritten at redhat.com (Rob Crittenden) Date: Tue, 20 Jul 2010 15:37:57 -0400 Subject: [Freeipa-devel] [PATCH] 1. 
Schema Cleanup In-Reply-To: <4C4456B1.5070506@redhat.com> References: <4C3DDF54.4050803@redhat.com> <4C4456B1.5070506@redhat.com> Message-ID: <4C45FB15.6030000@redhat.com> Dmitri Pal wrote: > Dmitri Pal wrote: >> The ipaAssociation is the core of different association objects. >> It seems that the service is an exception rather then a rule. >> So it is moved into the object where it belongs. >> >> > > I am withdrawing this patch. > A new one is attached. In addition to the original changes it also fixes > things mentioned in the ticket #89. > https://fedorahosted.org/freeipa/ticket/89 > You reference a separate attribute here that we don't currently have defined, enrollmentPwd. We use the userPassword attribute so we can do an LDAP simple bind. rob From dpal at redhat.com Tue Jul 20 22:12:23 2010 From: dpal at redhat.com (Dmitri Pal) Date: Tue, 20 Jul 2010 18:12:23 -0400 Subject: [Freeipa-devel] [PATCH] 1. Schema Cleanup In-Reply-To: <4C45FB15.6030000@redhat.com> References: <4C3DDF54.4050803@redhat.com> <4C4456B1.5070506@redhat.com> <4C45FB15.6030000@redhat.com> Message-ID: <4C461F47.9020105@redhat.com> Rob Crittenden wrote: > Dmitri Pal wrote: >> Dmitri Pal wrote: >>> The ipaAssociation is the core of different association objects. >>> It seems that the service is an exception rather then a rule. >>> So it is moved into the object where it belongs. >>> >>> >> >> I am withdrawing this patch. >> A new one is attached. In addition to the original changes it also fixes >> things mentioned in the ticket #89. >> https://fedorahosted.org/freeipa/ticket/89 >> > > You reference a separate attribute here that we don't currently have > defined, enrollmentPwd. We use the userPassword attribute so we can do > an LDAP simple bind. > Removed and changed OID numbers. New patch attached. 
> rob > > _______________________________________________ > Freeipa-devel mailing list > Freeipa-devel at redhat.com > https://www.redhat.com/mailman/listinfo/freeipa-devel > > -- Thank you, Dmitri Pal Engineering Manager IPA project, Red Hat Inc. ------------------------------- Looking to carve out IT costs? www.redhat.com/carveoutcosts/ -------------- next part -------------- A non-text attachment was scrubbed... Name: 0001--SCHEMA-1.-Schema-cleanup.patch Type: text/x-patch Size: 10524 bytes Desc: not available URL: From rcritten at redhat.com Wed Jul 21 15:40:41 2010 From: rcritten at redhat.com (Rob Crittenden) Date: Wed, 21 Jul 2010 11:40:41 -0400 Subject: [Freeipa-devel] [PATCH] 1. Schema Cleanup In-Reply-To: <4C461F47.9020105@redhat.com> References: <4C3DDF54.4050803@redhat.com> <4C4456B1.5070506@redhat.com> <4C45FB15.6030000@redhat.com> <4C461F47.9020105@redhat.com> Message-ID: <4C4714F9.40004@redhat.com> Dmitri Pal wrote: > Rob Crittenden wrote: >> Dmitri Pal wrote: >>> Dmitri Pal wrote: >>>> The ipaAssociation is the core of different association objects. >>>> It seems that the service is an exception rather then a rule. >>>> So it is moved into the object where it belongs. >>>> >>>> >>> I am withdrawing this patch. >>> A new one is attached. In addition to the original changes it also fixes >>> things mentioned in the ticket #89. >>> https://fedorahosted.org/freeipa/ticket/89 >>> >> You reference a separate attribute here that we don't currently have >> defined, enrollmentPwd. We use the userPassword attribute so we can do >> an LDAP simple bind. >> > Removed and changed OID numbers. New patch attached. 
> >> rob >> >> _______________________________________________ >> Freeipa-devel mailing list >> Freeipa-devel at redhat.com >> https://www.redhat.com/mailman/listinfo/freeipa-devel >> >> > > ack, pushed to master From rcritten at redhat.com Wed Jul 21 19:27:17 2010 From: rcritten at redhat.com (Rob Crittenden) Date: Wed, 21 Jul 2010 15:27:17 -0400 Subject: [Freeipa-devel] [PATCH] 488 use the python-nss CertificateRequest object In-Reply-To: <4C45E935.5020503@redhat.com> References: <4C45E6F2.7020203@redhat.com> <4C45E935.5020503@redhat.com> Message-ID: <4C474A15.5060506@redhat.com> Rich Megginson wrote: > Rob Crittenden wrote: >> This drops our own PKCS#10 parser and uses the one from python-nss. I >> had to bump up the minimum required version of python-nss to pick up >> some new API for this. >> >> This introduces some new challenges for us. NSS needs to be >> initialized for you to do any sort of operations otherwise you get >> ugly segfaults. So I added in some catch-all no_db inits to try to >> prevent this. I also had to add in some code when making SSL requests >> so that the right database is opened. AFAIK NSS still lacks the >> ability to operate on multiple databases concurrently. Once that is >> available this code becomes lots better. >> >> Despite this, using the NSS parser is still safer. My PKCS#10 parser >> seemed ok but getting the extension requests out was a nightmare. It >> is much easier with python-nss. > Does python-nss expose the NSS_InitContext api? No, I'm not familiar with it either. Is it fully baked? 
rob From rmeggins at redhat.com Wed Jul 21 19:32:36 2010 From: rmeggins at redhat.com (Rich Megginson) Date: Wed, 21 Jul 2010 13:32:36 -0600 Subject: [Freeipa-devel] [PATCH] 488 use the python-nss CertificateRequest object In-Reply-To: <4C474A15.5060506@redhat.com> References: <4C45E6F2.7020203@redhat.com> <4C45E935.5020503@redhat.com> <4C474A15.5060506@redhat.com> Message-ID: <4C474B54.20408@redhat.com> Rob Crittenden wrote: > Rich Megginson wrote: >> Rob Crittenden wrote: >>> This drops our own PKCS#10 parser and uses the one from python-nss. >>> I had to bump up the minimum required version of python-nss to pick >>> up some new API for this. >>> >>> This introduces some new challenges for us. NSS needs to be >>> initialized for you to do any sort of operations otherwise you get >>> ugly segfaults. So I added in some catch-all no_db inits to try to >>> prevent this. I also had to add in some code when making SSL >>> requests so that the right database is opened. AFAIK NSS still lacks >>> the ability to operate on multiple databases concurrently. Once that >>> is available this code becomes lots better. >>> >>> Despite this, using the NSS parser is still safer. My PKCS#10 parser >>> seemed ok but getting the extension requests out was a nightmare. It >>> is much easier with python-nss. >> Does python-nss expose the NSS_InitContext api? > > No, I'm not familiar with it either. Is it fully baked? OpenLDAP uses it pretty heavily. Has been working fine with NSS 3.12.6 > > rob From rcritten at redhat.com Wed Jul 21 19:47:56 2010 From: rcritten at redhat.com (Rob Crittenden) Date: Wed, 21 Jul 2010 15:47:56 -0400 Subject: [Freeipa-devel] [PATCH] 489 initial entitlement support Message-ID: <4C474EEC.3020207@redhat.com> This adds the container and initial ACIs to store and management entitlements. A management plugin will come later. rob -------------- next part -------------- A non-text attachment was scrubbed... 
Name: freeipa-489-entitlement.patch Type: application/mbox Size: 3547 bytes Desc: not available URL:

From ayoung at redhat.com Wed Jul 21 20:13:12 2010
From: ayoung at redhat.com (Adam Young)
Date: Wed, 21 Jul 2010 16:13:12 -0400
Subject: [Freeipa-devel] Communicating with FreeIPA via curl
Message-ID: <4C4754D8.1030108@redhat.com>

The web UI uses JSON RPC to talk to the server. As I look at implementing
more and more functionality, I find I want to see the JSON messages much
the same way that the ipa command line can show the XML-RPC messages. A
little trial and error and I got it working:

curl -v \
  -H "Content-Type:application/json" \
  -H "Accept:application/json" \
  --negotiate -u : \
  --cacert /etc/ipa/ca.crt \
  -d "{\"method\":\"user_find\",\"params\":[[\"\"],{}],\"id\":0}" \
  -X POST https://`hostname`/ipa/json

Here's the explanation if you want it.

http://adam.younglogic.com/?p=897

From ssorce at redhat.com Thu Jul 22 12:16:16 2010
From: ssorce at redhat.com (Simo Sorce)
Date: Thu, 22 Jul 2010 08:16:16 -0400
Subject: [Freeipa-devel] Communicating with FreeIPA via curl
In-Reply-To: <4C4754D8.1030108@redhat.com>
References: <4C4754D8.1030108@redhat.com>
Message-ID: <20100722081616.645ac68a@willson.li.ssimo.org>

On Wed, 21 Jul 2010 16:13:12 -0400
Adam Young wrote:

> The web UI uses JSON RPC to talk to the server. As I look at
> implementing more and more functionality, I find I want to see the JSON
> messages much the same way that the ipa command line can show the
> XML-RPC messages. A little trial and error and I got it working:
>
> curl -v \
>   -H "Content-Type:application/json" \
>   -H "Accept:application/json" \
>   --negotiate -u : \
>   --cacert /etc/ipa/ca.crt \
>   -d "{\"method\":\"user_find\",\"params\":[[\"\"],{}],\"id\":0}" \
>   -X POST https://`hostname`/ipa/json

You can avoid escaping every single quote with single quotes:
'{"method":"user_find","params":[[""],{}],"id":0}'

Also the ca.crt is available via HTTP IIRC, you just have to download it once.
> Here's the explanation if you want it. > > http://adam.younglogic.com/?p=897 Nice post. Simo. -- Simo Sorce * Red Hat, Inc * New York From rcritten at redhat.com Thu Jul 22 13:04:17 2010 From: rcritten at redhat.com (Rob Crittenden) Date: Thu, 22 Jul 2010 09:04:17 -0400 Subject: [Freeipa-devel] Communicating with FreeIPA via curl In-Reply-To: <20100722081616.645ac68a@willson.li.ssimo.org> References: <4C4754D8.1030108@redhat.com> <20100722081616.645ac68a@willson.li.ssimo.org> Message-ID: <4C4841D1.2070307@redhat.com> Simo Sorce wrote: > On Wed, 21 Jul 2010 16:13:12 -0400 > Adam Young wrote: > >> The web UI uses JSON RPC to talk to the server. As I look at >> implement more and more functionality, I find I want to see the JSON >> messages much the same way that the ipa command line can show the >> XML-RPC messages. A little trial and error and I got it working: >> >> >> curl -v \ >> -H "Content-Type:application/json" \ >> -H "Accept:applicaton/json"\ >> --negotiate -u : \ >> --cacert /etc/ipa/ca.crt \ >> -d >> "{\"method\":\"user_find\",\"params\":[[\"\"],{}],\"id\":0}" \ -X >> POST https://`hostname`/ipa/json > > You can avoid escaping every single quote with single quotes: > '{"method":"user_find","params":[[""],{}],"id":0}' > > Also the ca.crt is available via HTTP iIrc, you just have to download > it once. This doesn't download it, it points curl to the existing CA cert on the filesystem. rob From rcritten at redhat.com Thu Jul 22 18:25:48 2010 From: rcritten at redhat.com (Rob Crittenden) Date: Thu, 22 Jul 2010 14:25:48 -0400 Subject: [Freeipa-devel] [PATCH] 490 add DNS lookup to new hosts/services Message-ID: <4C488D2C.2060505@redhat.com> Make sure that the host behind new host and service records is actually a resolvable DNS A record. There is a --force flag if you know what you are doing (or just feel like charging ahead anyway). We use a lot of made-up names in the self-tests, had to add the force flag to all of them. 
rob -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-490-dns.patch Type: application/mbox Size: 15241 bytes Desc: not available URL: From ayoung at redhat.com Thu Jul 22 18:43:57 2010 From: ayoung at redhat.com (Adam Young) Date: Thu, 22 Jul 2010 14:43:57 -0400 Subject: [Freeipa-devel] Communicating with FreeIPA via curl In-Reply-To: <20100722081616.645ac68a@willson.li.ssimo.org> References: <4C4754D8.1030108@redhat.com> <20100722081616.645ac68a@willson.li.ssimo.org> Message-ID: <4C48916D.6030306@redhat.com> On 07/22/2010 08:16 AM, Simo Sorce wrote: > On Wed, 21 Jul 2010 16:13:12 -0400 > Adam Young wrote: > > >> The web UI uses JSON RPC to talk to the server. As I look at >> implement more and more functionality, I find I want to see the JSON >> messages much the same way that the ipa command line can show the >> XML-RPC messages. A little trial and error and I got it working: >> >> >> curl -v \ >> -H "Content-Type:application/json" \ >> -H "Accept:applicaton/json"\ >> --negotiate -u : \ >> --cacert /etc/ipa/ca.crt \ >> -d >> "{\"method\":\"user_find\",\"params\":[[\"\"],{}],\"id\":0}" \ -X >> POST https://`hostname`/ipa/json >> > You can avoid escaping every single quote with single quotes: > '{"method":"user_find","params":[[""],{}],"id":0}' > Thanks for the clue-bat. I should have done that in the first place. > Also the ca.crt is available via HTTP iIrc, you just have to download > it once. > > >> Here's the explanation if you want it. >> >> http://adam.younglogic.com/?p=897 >> > Nice post. > > Simo. > > From rcritten at redhat.com Thu Jul 22 20:12:02 2010 From: rcritten at redhat.com (Rob Crittenden) Date: Thu, 22 Jul 2010 16:12:02 -0400 Subject: [Freeipa-devel] [PATCH] 491 Fix replacing a certificate in a service. 
Message-ID: <4C48A612.5070409@redhat.com> When a service has a certificate and the CA backend doesn't support revocation (like selfsign) then we simply drop the old certificate in preparation for adding a new one. We weren't setting the usercertificate attribute to None so there was nothing to do in ldap_update(). Added a test case for this situation to ensure that re-issuing a certificate works. rob -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-491-service.patch Type: application/mbox Size: 4687 bytes Desc: not available URL: From rcritten at redhat.com Thu Jul 22 20:14:44 2010 From: rcritten at redhat.com (Rob Crittenden) Date: Thu, 22 Jul 2010 16:14:44 -0400 Subject: [Freeipa-devel] [PATCH] 491 Fix replacing a certificate in a service. In-Reply-To: <4C48A612.5070409@redhat.com> References: <4C48A612.5070409@redhat.com> Message-ID: <4C48A6B4.9070101@redhat.com> Rob Crittenden wrote: > When a service has a certificate and the CA backend doesn't support > revocation (like selfsign) then we simply drop the old certificate in > preparation for adding a new one. We weren't setting the usercertificate > attribute to None so there was nothing to do in ldap_update(). > > Added a test case for this situation to ensure that re-issuing a > certificate works. > This patch relies on patch 490 to apply. rob From dpal at redhat.com Thu Jul 22 23:04:59 2010 From: dpal at redhat.com (Dmitri Pal) Date: Thu, 22 Jul 2010 19:04:59 -0400 Subject: [Freeipa-devel] Support of SUDO in IPA Message-ID: <4C48CE9B.1070601@redhat.com> Hello, Once again after some delay we are taking a look at implementing centrally managed SUDOERS in IPA. First effort was based on the policy engine approach and since the whole policy part got deferred it got postponed too. However it became apparent that there is a need to support central management SUDO sooner rather than later. So we are taking the second look at it. 
Please review the following page to see our plans:

http://www.freeipa.org/page/SUDO_integration_plans

We are looking for feedback regarding this effort. Help is welcome! Also it is very important to do it right.

Please find the first cut at the design of the server side here:

http://www.freeipa.org/page/SUDO_Schema_Design

Please help us find the right answers to the questions asked at the bottom of the page.

-- 
Thank you,
Dmitri Pal

Engineering Manager IPA project,
Red Hat Inc.

-------------------------------
Looking to carve out IT costs?
www.redhat.com/carveoutcosts/

From Greg_Swift at aotx.uscourts.gov Fri Jul 23 19:45:28 2010
From: Greg_Swift at aotx.uscourts.gov (Greg_Swift at aotx.uscourts.gov)
Date: Fri, 23 Jul 2010 14:45:28 -0500
Subject: [Freeipa-devel] packaging of freeipa
Message-ID: 

Hi. I was looking to get freeipa installed in our office environment which is rhel 5 based. There seems to be fairly little information that I can discover about any packages being available and I was curious if there was anyone working on this and if they needed any assistance? If so I'd be interested, as I am going to be playing with the packaging to try and get something going here anyways. I am aware that v2 won't run on rhel5 as a server.

-greg

From jdennis at redhat.com Fri Jul 23 21:05:49 2010
From: jdennis at redhat.com (John Dennis)
Date: Fri, 23 Jul 2010 17:05:49 -0400
Subject: [Freeipa-devel] [PATCH] 488 use the python-nss CertificateRequest object
In-Reply-To: <4C45E935.5020503@redhat.com>
References: <4C45E6F2.7020203@redhat.com> <4C45E935.5020503@redhat.com>
Message-ID: <4C4A042D.5040602@redhat.com>

On 07/20/2010 02:21 PM, Rich Megginson wrote:
> Does python-nss expose the NSS_InitContext api?

Not at the moment but if you ask nicely I'll add it :-)

I've got my hands full at the moment working on Certificate Server but I'll try to sneak in some time to add this.

-- 
John Dennis

Looking to carve out IT costs?
www.redhat.com/carveoutcosts/

From rmeggins at redhat.com Fri Jul 23 21:09:30 2010
From: rmeggins at redhat.com (Rich Megginson)
Date: Fri, 23 Jul 2010 15:09:30 -0600
Subject: [Freeipa-devel] [PATCH] 488 use the python-nss CertificateRequest object
In-Reply-To: <4C4A042D.5040602@redhat.com>
References: <4C45E6F2.7020203@redhat.com> <4C45E935.5020503@redhat.com> <4C4A042D.5040602@redhat.com>
Message-ID: <4C4A050A.2000202@redhat.com>

John Dennis wrote:
> On 07/20/2010 02:21 PM, Rich Megginson wrote:
>
>> Does python-nss expose the NSS_InitContext api?
>
> Not at the moment but if you ask nicely I'll add it :-)
>
> I've got my hands full at the moment working on Certificate Server but
> I'll try to sneak in some time to add this.
>
Where should I file a bug/ticket for this?

From jdennis at redhat.com Fri Jul 23 21:31:02 2010
From: jdennis at redhat.com (John Dennis)
Date: Fri, 23 Jul 2010 17:31:02 -0400
Subject: [Freeipa-devel] [PATCH] 488 use the python-nss CertificateRequest object
In-Reply-To: <4C4A050A.2000202@redhat.com>
References: <4C45E6F2.7020203@redhat.com> <4C45E935.5020503@redhat.com> <4C4A042D.5040602@redhat.com> <4C4A050A.2000202@redhat.com>
Message-ID: <4C4A0A16.8000608@redhat.com>

On 07/23/2010 05:09 PM, Rich Megginson wrote:
> John Dennis wrote:
>> On 07/20/2010 02:21 PM, Rich Megginson wrote:
>>
>>> Does python-nss expose the NSS_InitContext api?
>>
>> Not at the moment but if you ask nicely I'll add it :-)
>>
>> I've got my hands full at the moment working on Certificate Server but
>> I'll try to sneak in some time to add this.
>>
> Where should I file a bug/ticket for this?

bugzilla.redhat.com product == fedora component == python-nss

[ Note, it should really be done via mozilla security along with all the other NSS stuff because that's where python-nss repository is but we never completed the work to get python-nss fully integrated into the NSS administrative framework :-( maybe some day ]

-- 
John Dennis

Looking to carve out IT costs?
www.redhat.com/carveoutcosts/ From ayoung at redhat.com Mon Jul 26 15:43:54 2010 From: ayoung at redhat.com (Adam Young) Date: Mon, 26 Jul 2010 11:43:54 -0400 Subject: [Freeipa-devel] Remove the assets and wehjits code Message-ID: <4C4DAD3A.4070102@redhat.com> This patch removes the existing UI functionality, as a prep for adding the Javascript based ui. -------------- next part -------------- An embedded and charset-unspecified text was scrubbed... Name: remove-assets.patch URL: From ayoung at redhat.com Mon Jul 26 15:57:55 2010 From: ayoung at redhat.com (Adam Young) Date: Mon, 26 Jul 2010 11:57:55 -0400 Subject: [Freeipa-devel] [PATCH] Remove the assets and wehjits code In-Reply-To: <4C4DAD3A.4070102@redhat.com> References: <4C4DAD3A.4070102@redhat.com> Message-ID: <4C4DB083.9050308@redhat.com> This patch removes the existing UI functionality, as a prep for adding the Javascript based ui. -------------- next part -------------- An embedded and charset-unspecified text was scrubbed... Name: remove-assets.patch URL: From rcritten at redhat.com Mon Jul 26 22:00:34 2010 From: rcritten at redhat.com (Rob Crittenden) Date: Mon, 26 Jul 2010 18:00:34 -0400 Subject: [Freeipa-devel] [PATCH] 492 fix env plugin Message-ID: <4C4E0582.2030800@redhat.com> The env plugin was displaying just the number of entries in the environment, not the values. Add an --all flag to print those, on by default. rob -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-492-env.patch Type: application/mbox Size: 1197 bytes Desc: not available URL: From rcritten at redhat.com Mon Jul 26 22:01:35 2010 From: rcritten at redhat.com (Rob Crittenden) Date: Mon, 26 Jul 2010 18:01:35 -0400 Subject: [Freeipa-devel] [PATCH] 493 skip lang test if not built Message-ID: <4C4E05BF.2090205@redhat.com> The i18n tests were failing if the language wasn't built. Skip it in this case and inform the user what to run to get the test to execute. 
rob -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-493-lang.patch Type: application/mbox Size: 1268 bytes Desc: not available URL: From rcritten at redhat.com Mon Jul 26 22:02:39 2010 From: rcritten at redhat.com (Rob Crittenden) Date: Mon, 26 Jul 2010 18:02:39 -0400 Subject: [Freeipa-devel] [PATCH] 494 ipa command failover Message-ID: <4C4E05FF.8040400@redhat.com> Add failover to the ipa command. If the server defined in /etc/ipa/default.conf is not available then each ldap SRV record in DNS is tried until either one is found that works or none of the available servers are responding. ticket #15 rob -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-494-failover.patch Type: application/mbox Size: 15474 bytes Desc: not available URL: From rcritten at redhat.com Tue Jul 27 20:38:28 2010 From: rcritten at redhat.com (Rob Crittenden) Date: Tue, 27 Jul 2010 16:38:28 -0400 Subject: [Freeipa-devel] [PATCH] 495 user/group name validation Message-ID: <4C4F43C4.4010201@redhat.com> Add optional error message to pattern validator and enforces valid user/group names. The pattern validator by default displays the pattern that is being matched against. This isn't helpful, particularly for very hairy patterns. This adds a new parameter, pattern_errmsg, that is displayed on errors if set. ticket #11 rob -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-495-validate.patch Type: application/mbox Size: 6593 bytes Desc: not available URL: From rcritten at redhat.com Tue Jul 27 20:40:03 2010 From: rcritten at redhat.com (Rob Crittenden) Date: Tue, 27 Jul 2010 16:40:03 -0400 Subject: [Freeipa-devel] [PATCH] 496 fix RPC tests Message-ID: <4C4F4423.4020008@redhat.com> Fix the RPC tests. The method name comes back as a unicode from xmlrpclib.loads(). With this and a fix in patch 495 all tests should now pass. 
rob
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-496-tests.patch
Type: application/mbox
Size: 1121 bytes
Desc: not available
URL: 

From dpal at redhat.com Wed Jul 28 17:10:08 2010
From: dpal at redhat.com (Dmitri Pal)
Date: Wed, 28 Jul 2010 13:10:08 -0400
Subject: [Freeipa-devel] Special HBAC rules
Message-ID: <4C506470.9080901@redhat.com>

Hello,

On a discussion about the UI for HBAC rules it occurred to me that there is a use case that we currently do not support with IPA<->SSSD. I do not think it will be an issue for IPAv2 and SSSD 1.5 but down the road probably yes. So I want to put together a good description of the feature into a trac ticket. But I need to ask questions first, thus this email.

The HBAC is good for the cases when a group of admins has access to the group of the machines. But those rules are not that good for the laptop use case. Effectively the access to any laptop will usually be controlled by the two logical rules:

* Allow a group of admins to access a group of the laptops - this is handled well with HBAC rules.
* Allow the owner of the laptop to access the laptop locally and remotely.

Hm... But how to express this without creating individual rules for every user-laptop pair?

Here is what comes to mind. In the HBAC rule we have the concept of the hostCategory. Currently we support only "All". But we can easily support the category "Laptop" or "Personal Computer" to be more generic and add a special string attribute "hostPattern" that will contain a pattern that will allow matching the host name and the user name. By placing users and groups into such a rule we will effectively allow laptop users access to their own machines.

Here is the example: my login name is dpal (short one) and dpal at redhat.com is the long one. My host name is dpal.laptop

So if I create an HBAC rule:

dn: ipaUniqueID=49af8430-cbed-11dd-ad8b-0800200c9a66, cn=hbac,...
objectClass: top
objectClass: ipaAssociation
objectClass: ipaHBACRule
ipaUniqueID: 49af8430-cbed-11dd-ad8b-0800200c9a66
accessRuleType: allow
memberUser: cn=dpal,cn=users,cn=accounts,...
memberUser: cn=sgallagh,cn=users,cn=accounts,...
memberUser: cn=ssorce,cn=users,cn=accounts,...
memberUser: cn=ssbose,cn=users,cn=accounts,...
memberUser: cn=Brnodev,cn=groups,cn=accounts,...
memberService: cn=ssh,cn=hbacservices,cn=accounts,...
hostCategory: laptop
hostPattern: %short%.laptop
...

This rule grants the individual users listed above and Brno developers access to the machines whose name starts with the short name of the user and has the suffix ".laptop". The only drawback is that the admins would have to use some kind of pattern for the personal machine names derived from the user name. IMO this is a reasonable suggestion for those who want to start to control access via HBAC rules. Potentially we can support several patterns in one HBAC rule if there are different naming conventions due to acquisitions and other historical reasons.

Thoughts?

-- 
Thank you,
Dmitri Pal

Engineering Manager IPA project,
Red Hat Inc.

-------------------------------
Looking to carve out IT costs?
www.redhat.com/carveoutcosts/

From ayoung at redhat.com Wed Jul 28 20:16:41 2010
From: ayoung at redhat.com (Adam Young)
Date: Wed, 28 Jul 2010 16:16:41 -0400
Subject: [Freeipa-devel] [PATCH] 477 add tests for ipalib/x509
In-Reply-To: <4C24B381.4040405@redhat.com>
References: <4C24B381.4040405@redhat.com>
Message-ID: <4C509029.5000501@redhat.com>

On 06/25/2010 09:47 AM, Rob Crittenden wrote:
> Add some basic tests for loading certs and retrieving the data we use.
>
> rob
>
>
> _______________________________________________
> Freeipa-devel mailing list
> Freeipa-devel at redhat.com
> https://www.redhat.com/mailman/listinfo/freeipa-devel

I'll give it a provisional ack. I just ran the tests with 488 applied and they ran fine. So this one lives and dies with 488.
-------------- next part -------------- An HTML attachment was scrubbed... URL: From ayoung at redhat.com Wed Jul 28 20:32:48 2010 From: ayoung at redhat.com (Adam Young) Date: Wed, 28 Jul 2010 16:32:48 -0400 Subject: [Freeipa-devel] [PATCH] 488 use the python-nss CertificateRequest object In-Reply-To: <4C45E6F2.7020203@redhat.com> References: <4C45E6F2.7020203@redhat.com> Message-ID: <4C5093F0.1020109@redhat.com> On 07/20/2010 02:12 PM, Rob Crittenden wrote: > This drops our own PKCS#10 parser and uses the one from python-nss. I > had to bump up the minimum required version of python-nss to pick up > some new API for this. > > This introduces some new challenges for us. NSS needs to be > initialized for you to do any sort of operations otherwise you get > ugly segfaults. So I added in some catch-all no_db inits to try to > prevent this. I also had to add in some code when making SSL requests > so that the right database is opened. AFAIK NSS still lacks the > ability to operate on multiple databases concurrently. Once that is > available this code becomes lots better. > > Despite this, using the NSS parser is still safer. My PKCS#10 parser > seemed ok but getting the extension requests out was a nightmare. It > is much easier with python-nss. > > rob > > > _______________________________________________ > Freeipa-devel mailing list > Freeipa-devel at redhat.com > https://www.redhat.com/mailman/listinfo/freeipa-devel ACK -------------- next part -------------- An HTML attachment was scrubbed... URL: From ayoung at redhat.com Wed Jul 28 20:51:40 2010 From: ayoung at redhat.com (Adam Young) Date: Wed, 28 Jul 2010 16:51:40 -0400 Subject: [Freeipa-devel] [PATCH] 489 initial entitlement support In-Reply-To: <4C474EEC.3020207@redhat.com> References: <4C474EEC.3020207@redhat.com> Message-ID: <4C50985C.8050108@redhat.com> On 07/21/2010 03:47 PM, Rob Crittenden wrote: > This adds the container and initial ACIs to store and management > entitlements. 
A management plugin will come later. > > rob > > > _______________________________________________ > Freeipa-devel mailing list > Freeipa-devel at redhat.com > https://www.redhat.com/mailman/listinfo/freeipa-devel ACK -------------- next part -------------- An HTML attachment was scrubbed... URL: From rcritten at redhat.com Thu Jul 29 14:51:02 2010 From: rcritten at redhat.com (Rob Crittenden) Date: Thu, 29 Jul 2010 10:51:02 -0400 Subject: [Freeipa-devel] [PATCH] Remove the assets and wehjits code In-Reply-To: <4C4DB083.9050308@redhat.com> References: <4C4DAD3A.4070102@redhat.com> <4C4DB083.9050308@redhat.com> Message-ID: <4C519556.3030704@redhat.com> Adam Young wrote: > This patch removes the existing UI functionality, as a prep for adding > the Javascript based ui. > > ACK, pushed to master. rob From rcritten at redhat.com Thu Jul 29 14:51:15 2010 From: rcritten at redhat.com (Rob Crittenden) Date: Thu, 29 Jul 2010 10:51:15 -0400 Subject: [Freeipa-devel] [PATCH] 477 add tests for ipalib/x509 In-Reply-To: <4C509029.5000501@redhat.com> References: <4C24B381.4040405@redhat.com> <4C509029.5000501@redhat.com> Message-ID: <4C519563.5060102@redhat.com> Adam Young wrote: > On 06/25/2010 09:47 AM, Rob Crittenden wrote: >> Add some basic tests for loading certs and retrieving the data we use. >> >> rob >> >> >> _______________________________________________ >> Freeipa-devel mailing list >> Freeipa-devel at redhat.com >> https://www.redhat.com/mailman/listinfo/freeipa-devel > I'll give it a provisional ack. I just ran the tests with 488 applied > and they ran fine. So this one lives and dies with 488. 
Pushed to master From rcritten at redhat.com Thu Jul 29 14:51:25 2010 From: rcritten at redhat.com (Rob Crittenden) Date: Thu, 29 Jul 2010 10:51:25 -0400 Subject: [Freeipa-devel] [PATCH] 488 use the python-nss CertificateRequest object In-Reply-To: <4C5093F0.1020109@redhat.com> References: <4C45E6F2.7020203@redhat.com> <4C5093F0.1020109@redhat.com> Message-ID: <4C51956D.6060604@redhat.com> Adam Young wrote: > On 07/20/2010 02:12 PM, Rob Crittenden wrote: >> This drops our own PKCS#10 parser and uses the one from python-nss. I >> had to bump up the minimum required version of python-nss to pick up >> some new API for this. >> >> This introduces some new challenges for us. NSS needs to be >> initialized for you to do any sort of operations otherwise you get >> ugly segfaults. So I added in some catch-all no_db inits to try to >> prevent this. I also had to add in some code when making SSL requests >> so that the right database is opened. AFAIK NSS still lacks the >> ability to operate on multiple databases concurrently. Once that is >> available this code becomes lots better. >> >> Despite this, using the NSS parser is still safer. My PKCS#10 parser >> seemed ok but getting the extension requests out was a nightmare. It >> is much easier with python-nss. >> >> rob >> >> >> _______________________________________________ >> Freeipa-devel mailing list >> Freeipa-devel at redhat.com >> https://www.redhat.com/mailman/listinfo/freeipa-devel > ACK Pushed to master From rcritten at redhat.com Thu Jul 29 14:51:33 2010 From: rcritten at redhat.com (Rob Crittenden) Date: Thu, 29 Jul 2010 10:51:33 -0400 Subject: [Freeipa-devel] [PATCH] 489 initial entitlement support In-Reply-To: <4C50985C.8050108@redhat.com> References: <4C474EEC.3020207@redhat.com> <4C50985C.8050108@redhat.com> Message-ID: <4C519575.6050300@redhat.com> Adam Young wrote: > On 07/21/2010 03:47 PM, Rob Crittenden wrote: >> This adds the container and initial ACIs to store and management >> entitlements. 
>> A management plugin will come later.
>>
>> rob
>>
>>
>> _______________________________________________
>> Freeipa-devel mailing list
>> Freeipa-devel at redhat.com
>> https://www.redhat.com/mailman/listinfo/freeipa-devel
> ACK

Pushed to master

From rcritten at redhat.com Thu Jul 29 14:55:42 2010
From: rcritten at redhat.com (Rob Crittenden)
Date: Thu, 29 Jul 2010 10:55:42 -0400
Subject: [Freeipa-devel] [PATCH] 497 check for command existence in tests
Message-ID: <4C51966E.1060105@redhat.com>

The command tests rely on the in-tree version of the command. If you haven't done a 'make' in the tree the command won't exist so isn't testable. This adds a test for command existence and raises a specific error. It was previously failing with some pretty unhelpful error messages.

rob
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-497-tests.patch
Type: application/mbox
Size: 2733 bytes
Desc: not available
URL: 

From rcritten at redhat.com Thu Jul 29 15:26:40 2010
From: rcritten at redhat.com (Rob Crittenden)
Date: Thu, 29 Jul 2010 11:26:40 -0400
Subject: [Freeipa-devel] [PATCH] 498 enforce 389-ds header existence
Message-ID: <4C519DB0.8010009@redhat.com>

We were checking for 389-ds headers but not enforcing their existence. I've also added a check for the new repl-session-plugin.h header.

rob
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-498-headers.patch
Type: application/mbox
Size: 1094 bytes
Desc: not available
URL: 

From ayoung at redhat.com Fri Jul 30 02:20:40 2010
From: ayoung at redhat.com (Adam Young)
Date: Thu, 29 Jul 2010 22:20:40 -0400
Subject: [Freeipa-devel] WebUI Code review
Message-ID: <4C5236F8.7060603@redhat.com>

Once more, here is the web UI for code review. It is not complete, but this should be sufficient to give people a sense of where the UI is going.
https://fedorahosted.org/reviewboard/r/75/

To test it, once the ipa server is set up, and kinit has been run, browse to

https://hostname/ipa/static

From ayoung at redhat.com Fri Jul 30 02:34:44 2010
From: ayoung at redhat.com (Adam Young)
Date: Thu, 29 Jul 2010 22:34:44 -0400
Subject: [Freeipa-devel] WebUI Code review
In-Reply-To: <4C5236F8.7060603@redhat.com>
References: <4C5236F8.7060603@redhat.com>
Message-ID: <4C523A44.5020809@redhat.com>

On 07/29/2010 10:20 PM, Adam Young wrote:
> Once more, here is the web UI for code review. It is not complete,
> but this should be sufficient to give people a sense of where the UI
> is going.
>
> https://fedorahosted.org/reviewboard/r/75/
>
>
> To test it, once the ipa server is set up, and kinit has been run,
> browse to
>
> https://hostname/ipa/static
>
> _______________________________________________
> Freeipa-devel mailing list
> Freeipa-devel at redhat.com
> https://www.redhat.com/mailman/listinfo/freeipa-devel

Note that the patch is:
A) attached to the diff
B) Huge, due to all the binary image files

From ayoung at redhat.com Fri Jul 30 17:18:08 2010
From: ayoung at redhat.com (Adam Young)
Date: Fri, 30 Jul 2010 13:18:08 -0400
Subject: [Freeipa-devel] Leap of faith: Merging in the new web UI
Message-ID: <4C530950.3000604@redhat.com>

Rob commented earlier this week that the new Web UI code would require a leap of faith for merging into the mainline. I've decided to make that leap, and merged and pushed the code to master.

With the small exception of the whoami plugin, this code does not make any changes to the CLI, and should have small to non-existent effects on any CLI code. We had already stripped out the old web UI in a different patch, so this change doesn't conflict with that, either.

If you are working with development builds of FreeIPA, please take the time to look at it and evaluate.
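Returning to Dmitri Pal's "Special HBAC rules" message earlier in this digest: the hostPattern idea reduces to expanding a pattern per user into a literal host name and then running the usual user/host/service match. The Python below is an added example written for this page, not FreeIPA or SSSD code. It keeps the attribute names from the proposal's LDIF (accessRuleType, memberUser, memberService, hostCategory, hostPattern) and the %short%.laptop pattern; the %long% placeholder, the expansion of group members, deny-over-allow precedence, and every user, group, host and rule in the sample data are constructed assumptions for the illustration.

```python
"""Toy evaluator for the proposed "laptop" hostCategory with hostPattern.

Added illustration only; not FreeIPA or SSSD code.  Attribute names and the
%short%.laptop pattern follow the proposal; %long%, group expansion, deny
precedence and all sample users/groups/hosts/rules are constructed here.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class User:
    login: str                      # the "short" name, e.g. dpal
    realm: str                      # realm used for the "long" name (assumption)
    groups: frozenset = frozenset()

    @property
    def long_name(self) -> str:
        return f"{self.login}@{self.realm}"


@dataclass(frozen=True)
class HbacRule:
    name: str
    access_rule_type: str = "allow"           # accessRuleType: allow | deny
    member_users: frozenset = frozenset()     # memberUser entries that are users
    member_groups: frozenset = frozenset()    # memberUser entries that are groups
    member_services: frozenset = frozenset()  # memberService names
    host_category: str = ""                   # "" (explicit hosts), "all", "laptop"
    member_hosts: frozenset = frozenset()     # explicit hosts when host_category == ""
    host_patterns: tuple = ()                 # hostPattern values (proposed attribute)


_PLACEHOLDER = re.compile(r"%(short|long)%")


def expand_pattern(pattern: str, user: User) -> str:
    """Replace %short%/%long% with the user's names.  The result is compared
    to the host name as a literal string, never used as a regex or glob, so a
    crafted login name cannot widen the set of hosts it matches."""
    def repl(m):
        return user.login if m.group(1) == "short" else user.long_name
    return _PLACEHOLDER.sub(repl, pattern).lower()


def user_matches(rule: HbacRule, user: User) -> bool:
    return user.login in rule.member_users or bool(user.groups & rule.member_groups)


def host_matches(rule: HbacRule, user: User, host: str) -> bool:
    host = host.lower()                      # DNS names are case-insensitive
    if rule.host_category == "all":
        return True
    if rule.host_category == "laptop":       # proposed category: per-user expansion
        return any(expand_pattern(p, user) == host for p in rule.host_patterns)
    return host in rule.member_hosts


def rule_applies(rule: HbacRule, user: User, host: str, service: str) -> bool:
    return (user_matches(rule, user)
            and host_matches(rule, user, host)
            and service in rule.member_services)


def access_allowed(rules, user: User, host: str, service: str) -> bool:
    """Default deny; a matching deny rule wins over any matching allow rule
    (that precedence is an assumption of this example)."""
    matching = [r for r in rules if rule_applies(r, user, host, service)]
    if any(r.access_rule_type == "deny" for r in matching):
        return False
    return any(r.access_rule_type == "allow" for r in matching)


# --- constructed sample data ----------------------------------------------
REALM = "EXAMPLE.COM"
USERS = {
    "dpal": User("dpal", REALM),
    "sgallagh": User("sgallagh", REALM),
    "bdev1": User("bdev1", REALM, frozenset({"Brnodev"})),
    "admin1": User("admin1", REALM, frozenset({"laptop-admins"})),
}

LAPTOP_OWNERS = HbacRule(            # the rule from the proposal, in this toy model
    name="laptop-owners",
    member_users=frozenset({"dpal", "sgallagh", "ssorce", "ssbose"}),
    member_groups=frozenset({"Brnodev"}),
    member_services=frozenset({"ssh"}),
    host_category="laptop",
    host_patterns=("%short%.laptop",),
)
LAPTOP_ADMINS = HbacRule(            # "group of admins -> group of laptops"
    name="laptop-admins",
    member_groups=frozenset({"laptop-admins"}),
    member_services=frozenset({"ssh", "login"}),
    member_hosts=frozenset({"dpal.laptop", "sgallagh.laptop", "bdev1.laptop"}),
)
RULES = (LAPTOP_OWNERS, LAPTOP_ADMINS)


def demo() -> dict:
    """Evaluate a few (login, host, service) triples against RULES."""
    cases = [
        ("dpal", "dpal.laptop", "ssh"),        # owner on own laptop
        ("dpal", "DPAL.LAPTOP", "ssh"),        # same host, different case
        ("dpal", "sgallagh.laptop", "ssh"),    # owner on someone else's laptop
        ("bdev1", "bdev1.laptop", "ssh"),      # owner matched via the Brnodev group
        ("dpal", "dpal.laptop", "ftp"),        # service granted by no rule
        ("admin1", "sgallagh.laptop", "ssh"),  # admin via the explicit host list
    ]
    return {c: access_allowed(RULES, USERS[c[0]], c[1], c[2]) for c in cases}


if __name__ == "__main__":
    for (login, host, service), ok in demo().items():
        print(f"{login:8} {service:5} {host:16} -> {'allow' if ok else 'deny'}")
```

Two points worth keeping if something like this lands in SSSD: the expanded pattern must be compared as a literal, because the login name is attacker-influenced input and must never be interpolated into a regex or glob; and a hostPattern with no placeholder at all would grant every member of the rule the same single host, so the server-side validator should probably reject patterns that do not reference the user.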
From nkinder at redhat.com Fri Jul 30 18:26:07 2010 From: nkinder at redhat.com (Nathan Kinder) Date: Fri, 30 Jul 2010 11:26:07 -0700 Subject: [Freeipa-devel] [PATCH] 498 enforce 389-ds header existence In-Reply-To: <4C519DB0.8010009@redhat.com> References: <4C519DB0.8010009@redhat.com> Message-ID: <4C53193F.9090906@redhat.com> On 07/29/2010 08:26 AM, Rob Crittenden wrote: > We were checking for 389-ds headers but not enforcing their existence. > I've also added a check for the new repl-session-plugin.h header. ack > > rob > > > _______________________________________________ > Freeipa-devel mailing list > Freeipa-devel at redhat.com > https://www.redhat.com/mailman/listinfo/freeipa-devel -------------- next part -------------- An HTML attachment was scrubbed... URL: From ayoung at redhat.com Fri Jul 30 20:02:41 2010 From: ayoung at redhat.com (Adam Young) Date: Fri, 30 Jul 2010 16:02:41 -0400 Subject: [Freeipa-devel] [PATCH] 490 add DNS lookup to new hosts/services In-Reply-To: <4C488D2C.2060505@redhat.com> References: <4C488D2C.2060505@redhat.com> Message-ID: <4C532FE1.4040907@redhat.com> On 07/22/2010 02:25 PM, Rob Crittenden wrote: > Make sure that the host behind new host and service records is > actually a resolvable DNS A record. There is a --force flag if you > know what you are doing (or just feel like charging ahead anyway). > > We use a lot of made-up names in the self-tests, had to add the force > flag to all of them. > > rob > > > _______________________________________________ > Freeipa-devel mailing list > Freeipa-devel at redhat.com > https://www.redhat.com/mailman/listinfo/freeipa-devel I can't get this patch to apply: [ayoung at ayoung freeipa]$ git apply ~/Documents/IPA/freeipa-490-dns.patch error: patch failed: ipalib/util.py:28 error: ipalib/util.py: patch does not apply I've tried it both with and without patch 484 -------------- next part -------------- An HTML attachment was scrubbed... 
URL: 

From ayoung at redhat.com Fri Jul 30 20:27:25 2010
From: ayoung at redhat.com (Adam Young)
Date: Fri, 30 Jul 2010 16:27:25 -0400
Subject: [Freeipa-devel] [PATCH] 451 fix i18n test
In-Reply-To: <4C077CD6.3060406@redhat.com>
References: <4BF6FC9A.4010307@redhat.com> <4BFE81B2.80604@redhat.com> <4C06AAA0.7070502@redhat.com> <4C077CD6.3060406@redhat.com>
Message-ID: <4C5335AD.4080208@redhat.com>

On 06/03/2010 05:58 AM, Pavel Zůna wrote:
> On 2010-06-02 21:01, Rob Crittenden wrote:
>> Pavel Zuna wrote:
>>> On 05/21/2010 11:35 PM, Rob Crittenden wrote:
>>>> Fix this test to work from source tree root
>>>>
>>>> It would work if you ran the test from its location in
>>>> tests/test_ipalib
>>>> but this isn't the most common method. If you want to run it
>>>> individually
>>>> you can do:
>>>>
>>>> $ ./make-test tests/test_ipalib/test_text.py
>>>>
>>>> rob
>>>>
>>> Maybe I'm doing something wrong, but I'm still getting this one error:
>>>
>>> ======================================================================
>>> ERROR: Test gettext translation
>>> ----------------------------------------------------------------------
>>> Traceback (most recent call last):
>>> File "/usr/lib/python2.6/site-packages/nose/case.py", line 183, in runTest
>>> self.test(*self.arg)
>>> File "/root/freeipa/tests/test_ipalib/test_text.py", line 89, in test_gettext
>>> msgid = get_msgid(test_file)
>>> File "/root/freeipa/tests/test_ipalib/test_text.py", line 43, in get_msgid
>>> f = open(po_file)
>>> IOError: [Errno 2] No such file or directory: 'install/po/test.po'
>>>
>>>
>>> Pavel
>>
>> I finally got around to figuring this out. The problem is that your test
>> language hasn't been built yet.
>>
>> Try this:
>>
>> $ make -C install/po test_lang
>> $ ./make-test tests/test_ipalib/test_text.py

I think there is some other dependency that needs to run first. I have done make rpms, but not make, and it doesn't run. I just decided to try to do a straight up make to see what happens.
After that, the above works. So, dumb lesson learned: run make before running ./make-test >> >> Normally one executes this via 'make test' which will ensure that this >> dependency exists, I was using the 'run one test' option to demonstrate >> that it works. >> >> rob > ack. > > Pavel > > _______________________________________________ > Freeipa-devel mailing list > Freeipa-devel at redhat.com > https://www.redhat.com/mailman/listinfo/freeipa-devel