From mnagy at redhat.com Sat May 1 19:23:57 2010
From: mnagy at redhat.com (Martin Nagy)
Date: Sat, 01 May 2010 21:23:57 +0200
Subject: [Freeipa-devel] [PATCH] named.conf: Add trailing dot to the fake_mname
Message-ID: <4BDC7FCD.7040708@redhat.com>

Hi,
Yet another trailing dot issue, but this one was kept hidden because
only the latest bind-dyndb-ldap package uses the fake_mname option.

Thanks to Stephen for finding this one.

Martin
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0001-named.conf-Add-trailing-dot-to-the-fake_mname.patch
Type: text/x-patch
Size: 961 bytes
Desc: not available
URL:

From sgallagh at redhat.com Sat May 1 19:26:47 2010
From: sgallagh at redhat.com (Stephen Gallagher)
Date: Sat, 01 May 2010 15:26:47 -0400
Subject: [Freeipa-devel] [PATCH] named.conf: Add trailing dot to the fake_mname
In-Reply-To: <4BDC7FCD.7040708@redhat.com>
References: <4BDC7FCD.7040708@redhat.com>
Message-ID: <4BDC8077.20402@redhat.com>

On 05/01/2010 03:23 PM, Martin Nagy wrote:
> Hi,
> Yet another trailing dot issue, but this one was kept hidden because
> only the latest bind-dyndb-ldap package uses the fake_mname option.
>
> Thanks to Stephen for finding this one.
>
> Martin
>

Ack.

--
Stephen Gallagher
RHCE 804006346421761

Delivering value year after year.
Red Hat ranks #1 in value among software vendors.
http://www.redhat.com/promo/vendor/

From admin at transifex.net Mon May 3 03:06:30 2010
From: admin at transifex.net (admin at transifex.net)
Date: Mon, 03 May 2010 03:06:30 -0000
Subject: [Freeipa-devel] [www.transifex.net] Team Creation Requested: Chinese (Taiwan)
Message-ID: <20100503030630.24974.19759@web1.transifex.net>

Hello freeipa, this is Transifex at http://www.transifex.net.

A translation team for 'Chinese (Taiwan)' has been required to the 'FreeIPA' project.

Please, visit Transifex at http://www.transifex.net/projects/p/freeipa/teams/ in order to manage the teams of the project.

Always at your service.
-- Transifex -- Open Translation Platform

To change your notification settings, please visit your profile page at http://www.transifex.net/notices/.

From admin at transifex.net Mon May 3 13:43:35 2010
From: admin at transifex.net (admin at transifex.net)
Date: Mon, 03 May 2010 13:43:35 -0000
Subject: [Freeipa-devel] [www.transifex.net] New Team Added: Chinese (Taiwan)
Message-ID: <20100503134335.10108.6653@web1.transifex.net>

Hello freeipa, this is Transifex at http://www.transifex.net.

A new translation team called 'Chinese (Taiwan)' has been added to the 'FreeIPA' project.

Please, visit Transifex at http://www.transifex.net/projects/p/freeipa/team/zh_TW/ in order to see this new team.

Always at your service.

-- Transifex -- Open Translation Platform

To change your notification settings, please visit your profile page at http://www.transifex.net/notices/.

From jderose at redhat.com Mon May 3 20:03:01 2010
From: jderose at redhat.com (Jason Gerard DeRose)
Date: Mon, 03 May 2010 14:03:01 -0600
Subject: [Freeipa-devel] [PATCH] 422 reorder some things in client installer
In-Reply-To: <4BC8D920.5060303@redhat.com>
References: <4BC8D920.5060303@redhat.com>
Message-ID: <1272916981.2656.0.camel@jgd-dsk>

On Fri, 2010-04-16 at 17:39 -0400, Rob Crittenden wrote:
> Reorder some things in the client installer
>
> - Fetch the CA cert before running certmonger
> - Delete entries from the keytab before removing /etc/krb5.conf
> - Add and remove the IPA CA to /etc/pki/nssdb
>
> rob

ack. pushed to master.

From jderose at redhat.com Mon May 3 20:03:14 2010
From: jderose at redhat.com (Jason Gerard DeRose)
Date: Mon, 03 May 2010 14:03:14 -0600
Subject: [Freeipa-devel] [PATCH] 425 client installer fixes
In-Reply-To: <4BD5EF50.3090201@redhat.com>
References: <4BD5EF50.3090201@redhat.com>
Message-ID: <1272916995.2656.1.camel@jgd-dsk>

On Mon, 2010-04-26 at 15:53 -0400, Rob Crittenden wrote:
> This addresses a couple of minor client issues I discovered:
>
> - Don't run nscd with sssd.
> nscd conflicts with the sssd caching
> - Set the minimum version of sssd to 1.1.1 to pick up a needed hbac fix.
> I did some basic hbac testing and it seems to work ok.
> - Don't try to read the IPA configuration if the server is passed on the
> command-line. Chances are this file doesn't exist so an error will be
> displayed. So no need to confuse things if we already have the data we
> need to enroll.
>
> rob

ack. pushed to master.

From jderose at redhat.com Mon May 3 20:03:26 2010
From: jderose at redhat.com (Jason Gerard DeRose)
Date: Mon, 03 May 2010 14:03:26 -0600
Subject: [Freeipa-devel] [PATCH] 426 fix output
In-Reply-To: <4BD608E5.2020708@redhat.com>
References: <4BD608E5.2020708@redhat.com>
Message-ID: <1272917006.2656.2.camel@jgd-dsk>

On Mon, 2010-04-26 at 17:43 -0400, Rob Crittenden wrote:
> Summaries were printing as "Gettext(...)".
>
> Embedded dictionaries were just a dump because we weren't passing in the
> list of labels.
>
> Now things like -add-member look right again.
>
> rob

ack. pushed to master.

From jderose at redhat.com Mon May 3 20:03:52 2010
From: jderose at redhat.com (Jason Gerard DeRose)
Date: Mon, 03 May 2010 14:03:52 -0600
Subject: [Freeipa-devel] [PATCH] 428 set socket reuse
In-Reply-To: <4BD9FC4A.7080808@redhat.com>
References: <4BD9FC4A.7080808@redhat.com>
Message-ID: <1272917032.2656.3.camel@jgd-dsk>

On Thu, 2010-04-29 at 17:38 -0400, Rob Crittenden wrote:
> Set SO_REUSEADDR when determining socket availability
>
> The old perl DS code for detection didn't set this so was often confused
> about port availability. We had to match their behavior so the
> installation didn't blow up. They fixed this a while ago, this catches
> us up.
>
> rob

ack. pushed to master.
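
Added example, not part of the archived messages or of the FreeIPA patch: a Python sketch of the port-availability probe that patch 428 describes, showing how the probe's answer changes once SO_REUSEADDR is set. The function names and the loopback test setup are assumptions, and the behaviour shown is that of Linux TCP sockets.

```python
import socket

LOOPBACK = "127.0.0.1"


def port_available(port, host=LOOPBACK, reuse=True):
    """Return True if a TCP listener could bind host:port right now.

    With reuse=False the probe also trips over sockets that are only
    lingering after a close (FIN_WAIT/TIME_WAIT), so a port that a server
    setting SO_REUSEADDR could bind is reported as busy.
    """
    probe = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    try:
        if reuse:
            probe.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        probe.bind((host, port))
        return True
    except OSError:
        return False
    finally:
        probe.close()


def leave_lingering_connection():
    """Simulate a just-stopped server (constructed test setup).

    A listener that set SO_REUSEADDR accepts one loopback connection and
    closes its side first, which leaves a closed-but-lingering socket on
    the server port. Returns that port number.
    """
    server = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    server.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    server.bind((LOOPBACK, 0))          # kernel picks a free port
    server.listen(1)
    port = server.getsockname()[1]

    client = socket.create_connection((LOOPBACK, port), timeout=5)
    conn, _ = server.accept()
    conn.close()                        # server side closes first
    client.recv(1)                      # returns b"" once the FIN arrives
    client.close()
    server.close()                      # no listener remains on the port
    return port


if __name__ == "__main__":
    port = leave_lingering_connection()
    print("port", port)
    print("probe without SO_REUSEADDR:", port_available(port, reuse=False))
    print("probe with SO_REUSEADDR:   ", port_available(port, reuse=True))
```

A port with an active listener is still reported as unavailable by both probes; only the lingering-connection case differs.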
From jderose at redhat.com Mon May 3 20:04:07 2010
From: jderose at redhat.com (Jason Gerard DeRose)
Date: Mon, 03 May 2010 14:04:07 -0600
Subject: [Freeipa-devel] [PATCH] 429 enhance installer/uninstaller
In-Reply-To: <4BD9FC70.5040603@redhat.com>
References: <4BD9FC70.5040603@redhat.com>
Message-ID: <1272917047.2656.4.camel@jgd-dsk>

On Thu, 2010-04-29 at 17:38 -0400, Rob Crittenden wrote:
> We have had a state file for quite some time that is used to return the
> system to its pre-install state. We can use that to determine what has
> been configured.
>
> This patch:
> - uses the state file to determine if dogtag was installed
> - prevents someone from trying to re-install an installed server
> - displays some output when uninstalling
> - re-arranges the ipa_kpasswd installation so the state is properly saved
> - removes pkiuser if it was added by the installer
> - fetches and installs the CA on both masters and clients
>
> rob

ack. pushed to master.

From jderose at redhat.com Mon May 3 20:23:48 2010
From: jderose at redhat.com (Jason Gerard DeRose)
Date: Mon, 03 May 2010 14:23:48 -0600
Subject: [Freeipa-devel] [PATCH] 430 AccessTime tests
In-Reply-To: <4BDAFF93.8040101@redhat.com>
References: <4BDAFF93.8040101@redhat.com>
Message-ID: <1272918228.2656.5.camel@jgd-dsk>

On Fri, 2010-04-30 at 12:04 -0400, Rob Crittenden wrote:
> I added some tests for the AccessTime parameter type. During test
> development I fixed a few bugs in the parameter and hopefully added some
> improved error messages to nudge the user in the right direction. The
> time syntax is quite difficult to understand.
>
> I noticed that the 'weekly' periodic type wasn't implemented. I'm not
> sure if this was an oversight or not.
>
> rob

ack. pushed to master.
From rcritten at redhat.com Mon May 3 21:41:48 2010
From: rcritten at redhat.com (Rob Crittenden)
Date: Mon, 03 May 2010 17:41:48 -0400
Subject: [Freeipa-devel] [PATCH] 431 better CSR header handling
Message-ID: <4BDF431C.2070406@redhat.com>

Properly handle CSRs whether they have NEW in the header block or not.
The code was looking for headers without NEW in it but in that case
would cut the first 4 characters of the request off, causing decoding to
fail.

I also consolidate some duplicate code.

rob
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-431-csr.patch
Type: application/mbox
Size: 4055 bytes
Desc: not available
URL:

From jderose at redhat.com Tue May 4 09:24:08 2010
From: jderose at redhat.com (Jason Gerard DeRose)
Date: Tue, 04 May 2010 03:24:08 -0600
Subject: [Freeipa-devel] [PATCH] 431 better CSR header handling
In-Reply-To: <4BDF431C.2070406@redhat.com>
References: <4BDF431C.2070406@redhat.com>
Message-ID: <1272965048.2656.6.camel@jgd-dsk>

On Mon, 2010-05-03 at 17:41 -0400, Rob Crittenden wrote:
> Properly handle CSRs whether they have NEW in the header block or not.
> The code was looking for headers without NEW in it but in that case
> would cut the first 4 characters of the request off, causing decoding to
> fail.
>
> I also consolidate some duplicate code.
>
> rob

ack. pushed to master.

From pzuna at redhat.com Tue May 4 17:35:01 2010
From: pzuna at redhat.com (Pavel Zuna)
Date: Tue, 04 May 2010 19:35:01 +0200
Subject: [Freeipa-devel] [PATCH] Add weekly periodic schedule to AccessTime param type.
Message-ID: <4BE05AC5.9090603@redhat.com>

Fix bug #588414.

I'm going to submit improved validation error messages for AccessTime in
a separate patch. This one just fixes the bug.

Pavel
-------------- next part --------------
A non-text attachment was scrubbed...
Name: pzuna-freeipa-0002-accesstime.patch
Type: application/mbox
Size: 2151 bytes
Desc: not available
URL:

From rcritten at redhat.com Tue May 4 17:40:34 2010
From: rcritten at redhat.com (Rob Crittenden)
Date: Tue, 04 May 2010 13:40:34 -0400
Subject: [Freeipa-devel] [PATCH] Add weekly periodic schedule to AccessTime param type.
In-Reply-To: <4BE05AC5.9090603@redhat.com>
References: <4BE05AC5.9090603@redhat.com>
Message-ID: <4BE05C12.6040909@redhat.com>

Pavel Zuna wrote:
> Fix bug #588414.
>
> I'm going to submit improved validation error messages for AccessTime in
> a separate patch. This one just fixes the bug.
>
> Pavel

ack, pushed to master

From pzuna at redhat.com Tue May 4 17:40:40 2010
From: pzuna at redhat.com (Pavel Zuna)
Date: Tue, 04 May 2010 19:40:40 +0200
Subject: [Freeipa-devel] [PATCH] Add new pwpolicy plugin based on baseldap classes
In-Reply-To: <4BD73FE7.6050508@redhat.com>
References: <4BC8A55E.1010204@redhat.com> <4BD73FE7.6050508@redhat.com>
Message-ID: <4BE05C18.9040702@redhat.com>

On 04/27/2010 09:49 PM, Rob Crittenden wrote:
> Pavel Zůna wrote:
>> Don't mind the numbering. This is a completely independent patch.
>>
>> It adds a new pwpolicy plugin based on baseldap.py classes. It has the
>> same functionality as the current pwpolicy plugin, but a more clean
>> and consistent interface, fine grained search capabilities, etc.
>>
>> This is actually an updated version of a patch I released some time
>> ago, but it never got fully reviewed.
>>
>> Pavel
>
> The original pwpolicy module took group policy via the --group option,
> yours takes group as the first argument (if any). My thought on this was
> that at some point someone would want per-user password policy so we
> could add a --user option. If this isn't foreseen as needed then using
> the first argument for group is probably easier to grok.
>
> Had a failure:
> $ ./ipa pwpolicy2-mod g1 --priority=2
> ipa: ERROR: an internal error has occurred
>
> File "/home/rcrit/redhat/freeipa-ca/ipalib/plugins/pwpolicy2.py", line
> 99, in pre_callback
> del entry_attrs['cn']
> KeyError: 'cn'
>
> rob

Fixed.

I also noticed another minor bug. When only priority is modified by
pwpolicy2-mod, the EmptyModlist exception is raised. This is because
priority is stored in a different entry that is managed by cosentry_*
commands and there's nothing left to be changed for the policy entry.
The command does its job, but reports an error and there is no way to
catch it without ugly hacks. I'm going to implement a new callback type
for baseldap.py classes for the purpose of error handling/exception
catching.

Pavel
-------------- next part --------------
A non-text attachment was scrubbed...
Name: pzuna-freeipa-0003-pwpolicy2.patch
Type: application/mbox
Size: 18949 bytes
Desc: not available
URL:

From rcritten at redhat.com Tue May 4 19:30:48 2010
From: rcritten at redhat.com (Rob Crittenden)
Date: Tue, 04 May 2010 15:30:48 -0400
Subject: [Freeipa-devel] [PATCH] 432 add default open HBAC on install
Message-ID: <4BE075E8.30000@redhat.com>

Create an HBAC that allows all users to access all hosts from any host.
This should make initial installation and testing easier. It is expected
that this rule (allow_all) will be removed before deployment.

In case you know you don't want this you can pass --no_hbac_allow to
ipa-server-install and the rule won't be added.

rob
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-432-hbac.patch
Type: application/mbox
Size: 6132 bytes
Desc: not available
URL:

From rcritten at redhat.com Tue May 4 19:31:31 2010
From: rcritten at redhat.com (Rob Crittenden)
Date: Tue, 04 May 2010 15:31:31 -0400
Subject: [Freeipa-devel] [PATCH] 433 improve hbac output
Message-ID: <4BE07613.50506@redhat.com>

This patch adds more attributes to the default output and fixes up some
labels.

rob
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-433-hbac.patch
Type: application/mbox
Size: 1537 bytes
Desc: not available
URL:

From rcritten at redhat.com Wed May 5 15:14:59 2010
From: rcritten at redhat.com (Rob Crittenden)
Date: Wed, 05 May 2010 11:14:59 -0400
Subject: [Freeipa-devel] [PATCH] 434 fix ipa-join segfault
Message-ID: <4BE18B73.7040705@redhat.com>

I set MALLOC_PERTURB_ and ipa-join generated a segfault. This was caused
by some uninitialized XML-RPC structures. This patch should fix it up.

I also re-arrange some code around determining the server. I got a bit
overzealous in my previous attempt to not spew bogus error messages when
we don't need to read /etc/ipa/default.conf.

rob
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-434-join.patch
Type: application/mbox
Size: 2982 bytes
Desc: not available
URL:

From pzuna at redhat.com Wed May 5 15:36:00 2010
From: pzuna at redhat.com (Pavel Zůna)
Date: Wed, 05 May 2010 17:36:00 +0200
Subject: [Freeipa-devel] [PATCH] 432 add default open HBAC on install
In-Reply-To: <4BE075E8.30000@redhat.com>
References: <4BE075E8.30000@redhat.com>
Message-ID: <4BE19060.9010701@redhat.com>

On 2010-05-04 21:30, Rob Crittenden wrote:
> Create an HBAC that allows all users to access all hosts from any host.
> This should make initial installation and testing easier. It is expected
> that this rule (allow_all) will be removed before deployment.
>
> In case you know you don't want this you can pass --no_hbac_allow to
> ipa-server-install and the rule won't be added.
>
> rob
>

ack.

Pavel

From pzuna at redhat.com Wed May 5 15:36:22 2010
From: pzuna at redhat.com (Pavel Zůna)
Date: Wed, 05 May 2010 17:36:22 +0200
Subject: [Freeipa-devel] [PATCH] 433 improve hbac output
In-Reply-To: <4BE07613.50506@redhat.com>
References: <4BE07613.50506@redhat.com>
Message-ID: <4BE19076.9020203@redhat.com>

On 2010-05-04 21:31, Rob Crittenden wrote:
> This patch adds more attributes to the default output and fixes up some
> labels.
>
> rob

ack.

Pavel

From rcritten at redhat.com Wed May 5 18:57:41 2010
From: rcritten at redhat.com (Rob Crittenden)
Date: Wed, 05 May 2010 14:57:41 -0400
Subject: [Freeipa-devel] [PATCH] 435 more client install/uninstall fixes
Message-ID: <4BE1BFA5.4050705@redhat.com>

Lots of small fixes in the client installer/uninstaller to make it work
nicer (or at all):

- Move the ipa-getcert request to after we set up /etc/krb5.conf
- Don't try removing certificates that don't exist
- Don't tell certmonger to stop tracking a cert that doesn't exist
- Allow --password/-w to be the kerberos password
- Print an error if prompting for a password would happen in unattended mode
- Still support echoing a password in when in unattended mode

rob
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-435-client.patch
Type: application/mbox
Size: 7760 bytes
Desc: not available
URL:

From rcritten at redhat.com Wed May 5 18:58:19 2010
From: rcritten at redhat.com (Rob Crittenden)
Date: Wed, 05 May 2010 14:58:19 -0400
Subject: [Freeipa-devel] [PATCH] 432 add default open HBAC on install
In-Reply-To: <4BE19060.9010701@redhat.com>
References: <4BE075E8.30000@redhat.com> <4BE19060.9010701@redhat.com>
Message-ID: <4BE1BFCB.2000206@redhat.com>

Pavel Zůna wrote:
> On 2010-05-04 21:30, Rob Crittenden wrote:
>> Create an HBAC that allows all users to access all hosts from any host.
>> This should make initial installation and testing easier. It is expected
>> that this rule (allow_all) will be removed before deployment.
>>
>> In case you know you don't want this you can pass --no_hbac_allow to
>> ipa-server-install and the rule won't be added.
>>
>> rob
>>
> ack.
>
> Pavel

pushed to master

From rcritten at redhat.com Wed May 5 18:58:27 2010
From: rcritten at redhat.com (Rob Crittenden)
Date: Wed, 05 May 2010 14:58:27 -0400
Subject: [Freeipa-devel] [PATCH] 433 improve hbac output
In-Reply-To: <4BE19076.9020203@redhat.com>
References: <4BE07613.50506@redhat.com> <4BE19076.9020203@redhat.com>
Message-ID: <4BE1BFD3.5020508@redhat.com>

Pavel Zůna wrote:
> On 2010-05-04 21:31, Rob Crittenden wrote:
>> This patch adds more attributes to the default output and fixes up some
>> labels.
>>
>> rob
> ack.
>
> Pavel

pushed to master

From rcritten at redhat.com Wed May 5 19:01:06 2010
From: rcritten at redhat.com (Rob Crittenden)
Date: Wed, 05 May 2010 15:01:06 -0400
Subject: [Freeipa-devel] [PATCH] Add new pwpolicy plugin based on baseldap classes
In-Reply-To: <4BE05C18.9040702@redhat.com>
References: <4BC8A55E.1010204@redhat.com> <4BD73FE7.6050508@redhat.com> <4BE05C18.9040702@redhat.com>
Message-ID: <4BE1C072.80708@redhat.com>

Pavel Zuna wrote:
> On 04/27/2010 09:49 PM, Rob Crittenden wrote:
>> Pavel Zůna wrote:
>>> Don't mind the numbering.
>>> This is a completely independent patch.
>>>
>>> It adds a new pwpolicy plugin based on baseldap.py classes. It has the
>>> same functionality as the current pwpolicy plugin, but a more clean
>>> and consistent interface, fine grained search capabilities, etc.
>>>
>>> This is actually an updated version of a patch I released some time
>>> ago, but it never got fully reviewed.
>>>
>>> Pavel
>>
>> The original pwpolicy module took group policy via the --group option,
>> yours takes group as the first argument (if any). My thought on this was
>> that at some point someone would want per-user password policy so we
>> could add a --user option. If this isn't foreseen as needed then using
>> the first argument for group is probably easier to grok.
>>
>> Had a failure:
>> $ ./ipa pwpolicy2-mod g1 --priority=2
>> ipa: ERROR: an internal error has occurred
>>
>> File "/home/rcrit/redhat/freeipa-ca/ipalib/plugins/pwpolicy2.py", line
>> 99, in pre_callback
>> del entry_attrs['cn']
>> KeyError: 'cn'
>>
>> rob
> Fixed.
>
> I also noticed another minor bug. When only priority is modified by
> pwpolicy2-mod, the EmptyModlist exception is raised. This is because
> priority is stored in a different entry that is managed by cosentry_*
> commands and there's nothing left to be changed for the policy entry.
> The command does its job, but reports an error and there is no way to
> catch it without ugly hacks. I'm going to implement a new callback type
> for baseldap.py classes for the purpose of error handling/exception
> catching.
>
> Pavel

I was going to hold off pushing this until the error handling fix could
be made but since this is currently riding alongside the original
pwpolicy plugin I'm going to go ahead and push this to make future
merges easier.

Once we get the error handling done we'll drop the old pwpolicy plugin
and rename this one.
rob

From rcritten at redhat.com Thu May 6 14:27:51 2010
From: rcritten at redhat.com (Rob Crittenden)
Date: Thu, 06 May 2010 10:27:51 -0400
Subject: [Freeipa-devel] [PATCH] named.conf: Add trailing dot to the fake_mname
In-Reply-To: <4BDC8077.20402@redhat.com>
References: <4BDC7FCD.7040708@redhat.com> <4BDC8077.20402@redhat.com>
Message-ID: <4BE2D1E7.70300@redhat.com>

Stephen Gallagher wrote:
> On 05/01/2010 03:23 PM, Martin Nagy wrote:
>> Hi,
>> Yet another trailing dot issue, but this one was kept hidden because
>> only the latest bind-dyndb-ldap package uses the fake_mname option.
>>
>> Thanks to Stephen for finding this one.
>>
>> Martin
>>
>
> Ack.
>

pushed to master

From jderose at redhat.com Thu May 6 15:28:44 2010
From: jderose at redhat.com (Jason Gerard DeRose)
Date: Thu, 06 May 2010 09:28:44 -0600
Subject: [Freeipa-devel] [PATCH] 434 fix ipa-join segfault
In-Reply-To: <4BE18B73.7040705@redhat.com>
References: <4BE18B73.7040705@redhat.com>
Message-ID: <1273159724.20163.0.camel@jgd-dsk>

On Wed, 2010-05-05 at 11:14 -0400, Rob Crittenden wrote:
> I set MALLOC_PERTURB_ and ipa-join generated a segfault. This was caused
> by some uninitialized XML-RPC structures. This patch should fix it up.
>
> I also re-arrange some code around determining the server. I got a bit
> overzealous in my previous attempt to not spew bogus error messages when
> we don't need to read /etc/ipa/default.conf.
>
> rob

ack. pushed to master.
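
Added example, not code from the thread or from FreeIPA: a Python sketch of the CSR header handling discussed in the "[PATCH] 431 better CSR header handling" messages earlier in this archive. `decode_fixed_offset` is a hypothetical reconstruction of the described failure (always skipping the length of the NEW header), and the sample request body is constructed filler bytes, not a real PKCS#10 request.

```python
import base64
import binascii
import re
import textwrap

NEW_HDR = "-----BEGIN NEW CERTIFICATE REQUEST-----"
OLD_HDR = "-----BEGIN CERTIFICATE REQUEST-----"

# Constructed sample: a DER SEQUENCE tag and length followed by filler.
SAMPLE_DER = bytes([0x30, 0x3D]) + bytes(range(61))

_ARMOR = re.compile(
    r"-----BEGIN (NEW )?CERTIFICATE REQUEST-----"
    r"(.*?)"
    r"-----END (NEW )?CERTIFICATE REQUEST-----",
    re.DOTALL,
)


def make_pem(der, new):
    """Armor DER bytes with either header spelling (helper for the demo)."""
    word = "NEW " if new else ""
    body = "\n".join(textwrap.wrap(base64.b64encode(der).decode("ascii"), 64))
    return (f"-----BEGIN {word}CERTIFICATE REQUEST-----\n{body}\n"
            f"-----END {word}CERTIFICATE REQUEST-----\n")


def decode_fixed_offset(pem):
    """Hypothetical buggy version: finds either header but always skips
    len(NEW_HDR) characters, so the short header loses 4 body characters."""
    start = pem.find(NEW_HDR)
    if start == -1:
        start = pem.find(OLD_HDR)
    end = pem.find("-----END")
    return base64.b64decode(pem[start + len(NEW_HDR):end])


def csr_to_der(pem):
    """Decode an armored CSR, accepting the header with or without NEW."""
    match = _ARMOR.search(pem)
    if match is None:
        raise ValueError("no certificate request armor found")
    if match.group(1) != match.group(3):
        raise ValueError("BEGIN and END lines do not match")
    body = "".join(match.group(2).split())      # drop line breaks
    return base64.b64decode(body, validate=True)


def try_decode(decoder, pem):
    """Return the decoded bytes, or None if decoding fails."""
    try:
        return decoder(pem)
    except (binascii.Error, ValueError):
        return None


if __name__ == "__main__":
    for new in (True, False):
        pem = make_pem(SAMPLE_DER, new)
        label = "with NEW" if new else "without NEW"
        print(label, "fixed offset ok:",
              try_decode(decode_fixed_offset, pem) == SAMPLE_DER)
        print(label, "header-aware ok:",
              try_decode(csr_to_der, pem) == SAMPLE_DER)
```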
From jderose at redhat.com Thu May 6 15:29:08 2010
From: jderose at redhat.com (Jason Gerard DeRose)
Date: Thu, 06 May 2010 09:29:08 -0600
Subject: [Freeipa-devel] [PATCH] 435 more client install/uninstall fixes
In-Reply-To: <4BE1BFA5.4050705@redhat.com>
References: <4BE1BFA5.4050705@redhat.com>
Message-ID: <1273159748.20163.1.camel@jgd-dsk>

On Wed, 2010-05-05 at 14:57 -0400, Rob Crittenden wrote:
> Lots of small fixes in the client installer/uninstaller to make it work
> nicer (or at all):
>
> - Move the ipa-getcert request to after we set up /etc/krb5.conf
> - Don't try removing certificates that don't exist
> - Don't tell certmonger to stop tracking a cert that doesn't exist
> - Allow --password/-w to be the kerberos password
> - Print an error if prompting for a password would happen in unattended mode
> - Still support echoing a password in when in unattended mode
>
> rob

ack. pushed to master.

From rcritten at redhat.com Thu May 6 19:39:54 2010
From: rcritten at redhat.com (Rob Crittenden)
Date: Thu, 06 May 2010 15:39:54 -0400
Subject: [Freeipa-devel] [PATCH] 436 make service/chkconfig more fault tolerant
Message-ID: <4BE31B0A.309@redhat.com>

If we try to use service/chkconfig in the client installer on a service
that doesn't exist then it would throw lots of bogus errors. This is an
attempt to be a little smarter about it.

rob
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-436-client.patch
Type: application/mbox
Size: 4816 bytes
Desc: not available
URL:

From rcritten at redhat.com Thu May 6 20:51:55 2010
From: rcritten at redhat.com (Rob Crittenden)
Date: Thu, 06 May 2010 16:51:55 -0400
Subject: [Freeipa-devel] [PATCH] 437 detect client installation
Message-ID: <4BE32BEB.9020800@redhat.com>

Detect if the IPA client is already configured and bail if it is.
This should help prevent problems, particularly with certmonger.
It will refuse to generate a new CSR for a certificate it is already
tracking (and this is a good thing). So if you configure the client, then
configure the client again bad things could happen, don't allow it.

If things ever got out-of-sync a user could always remove
/var/lib/ipa-client/sysrestore/* to be able to install again.

rob
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-437-client.patch
Type: application/mbox
Size: 1909 bytes
Desc: not available
URL:

From jderose at redhat.com Thu May 6 21:42:19 2010
From: jderose at redhat.com (Jason Gerard DeRose)
Date: Thu, 06 May 2010 15:42:19 -0600
Subject: [Freeipa-devel] [PATCH] 436 make service/chkconfig more fault tolerant
In-Reply-To: <4BE31B0A.309@redhat.com>
References: <4BE31B0A.309@redhat.com>
Message-ID: <1273182139.20163.8.camel@jgd-dsk>

On Thu, 2010-05-06 at 15:39 -0400, Rob Crittenden wrote:
> If we try to use service/chkconfig in the client installer on a service
> that doesn't exist then it would throw lots of bogus errors. This is an
> attempt to be a little smarter about it.
>
> rob

ack. pushed to master.

From jderose at redhat.com Thu May 6 21:42:30 2010
From: jderose at redhat.com (Jason Gerard DeRose)
Date: Thu, 06 May 2010 15:42:30 -0600
Subject: [Freeipa-devel] [PATCH] 437 detect client installation
In-Reply-To: <4BE32BEB.9020800@redhat.com>
References: <4BE32BEB.9020800@redhat.com>
Message-ID: <1273182150.20163.9.camel@jgd-dsk>

On Thu, 2010-05-06 at 16:51 -0400, Rob Crittenden wrote:
> Detect if the IPA client is already configured and bail if it is. This
> should help prevent problems, particularly with certmonger. It will
> refuse to generate a new CSR for a certificate it is already tracking
> (and this is a good thing). So if you configure the client, then
> configure the client again bad things could happen, don't allow it.
>
> If things ever got out-of-sync a user could always remove
> /var/lib/ipa-client/sysrestore/* to be able to install again.
>
> rob

ack. pushed to master.

From rcritten at redhat.com Fri May 7 02:15:49 2010
From: rcritten at redhat.com (Rob Crittenden)
Date: Thu, 06 May 2010 22:15:49 -0400
Subject: [Freeipa-devel] [PATCH] 438 client uninstaller work
Message-ID: <4BE377D5.4020702@redhat.com>

Check to see if we are installed before doing an uninstall. Uses the
same mechanism as is used to see if we are already installed.

I also changed this so the --force flag will override on install and
uninstall.

rob
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-438-client.patch
Type: application/mbox
Size: 1203 bytes
Desc: not available
URL:

From sgallagh at redhat.com Fri May 7 11:28:09 2010
From: sgallagh at redhat.com (Stephen Gallagher)
Date: Fri, 07 May 2010 07:28:09 -0400
Subject: [Freeipa-devel] [PATCH] 438 client uninstaller work
In-Reply-To: <4BE377D5.4020702@redhat.com>
References: <4BE377D5.4020702@redhat.com>
Message-ID: <4BE3F949.9010807@redhat.com>

On 05/06/2010 10:15 PM, Rob Crittenden wrote:
> Check to see if we are installed before doing an uninstall. Uses the
> same mechanism as is used to see if we are already installed.
>
> I also changed this so the --force flag will override on install and
> uninstall.
>
> rob
>

Ack.

--
Stephen Gallagher
RHCE 804006346421761

Delivering value year after year.
Red Hat ranks #1 in value among software vendors.
http://www.redhat.com/promo/vendor/

From rcritten at redhat.com Fri May 7 16:02:33 2010
From: rcritten at redhat.com (Rob Crittenden)
Date: Fri, 07 May 2010 12:02:33 -0400
Subject: [Freeipa-devel] [PATCH] 438 client uninstaller work
In-Reply-To: <4BE3F949.9010807@redhat.com>
References: <4BE377D5.4020702@redhat.com> <4BE3F949.9010807@redhat.com>
Message-ID: <4BE43999.7000202@redhat.com>

Stephen Gallagher wrote:
> On 05/06/2010 10:15 PM, Rob Crittenden wrote:
>> Check to see if we are installed before doing an uninstall. Uses the
>> same mechanism as is used to see if we are already installed.
>>
>> I also changed this so the --force flag will override on install and
>> uninstall.
>>
>> rob
>>
>
> Ack.
>
>

pushed to master

From rcritten at redhat.com Fri May 7 19:56:19 2010
From: rcritten at redhat.com (Rob Crittenden)
Date: Fri, 07 May 2010 15:56:19 -0400
Subject: [Freeipa-devel] Announcing FreeIPA v2 Server Alpha 3 Release
Message-ID: <4BE47063.4030901@redhat.com>

To all freeipa-interest, freeipa-users and freeipa-devel list members,

The FreeIPA project team is pleased to announce the availability of the
Alpha 3 release of freeIPA 2.0 server [1]. Binaries are available for
F-12 and F-13.

This alpha is mostly a bug fix release over the previous alpha. We have
started the process of polishing so things should generally work more
smoothly and look better. There are few visual improvements in the UI,
those should appear in the next release.

Please do not hesitate to share feedback, criticism or bugs with us on
our mailing list: freeipa-users at redhat.com

The big changes in this release are:
- better i18n support including a few translations
- the XML-RPC API changed so it is not compatible with previous releases
- use mod_wsgi instead of mod_python
- the CA is a required component and is now configured by default.
Pass --selfsign to the installer to use the old self-signed CA
- man page for the ipa command
- A default Host-Based Access Control (HBAC) rule is created that
grants all users the ability to log into any host from any host. This
was done to simplify initial testing, it is expected this rule,
allow_all, will be removed before you deploy.
- We no longer enable nscd, sssd handles caching now

Known issues:
- The CA must be installed in the en_US locale (#588375)

A more complete, semi-high-level list of changes since the last alpha are:
- Fix memory crash-bug in ipa-join
- Add pwpolicy2 plugin, future replacement for pwpolicy
- CSRs that don't include NEW in the header/footer blocks should work now
- Lots of clean-ups in ipa-client-install
- ipa-server-install and ipa-client-install now use backed-up files and
state in /var/lib/ipa and /var/lib/ipa-client to determine whether they
are already configured or not
- Fixed bug in some DNS entries that were missing a trailing dot (.)
- Fix bug in password plugin that prevented ldappasswd from working on
non-kerberized users
- In the client installer we will have certmonger issue certificate
requests using the subject base that IPA is configured with. This will
make certmonger play nicer with the selfsign CA.
- IPA works when using external CA option again
- Stop using LDAPv2-style escaped DNs where possible
- Updated MITM integration with dogtag
- Anonymous VLV is enabled when the compat plugin is enabled making
Solaris 10 clients happy
- Add a CRL URI to certificates that are issued by dogtag
- Added an ipa man page
- XML-RPC signature change. This will affect older alphas command-line
utilities trying to talk to a new server
- Fixed bug in host plugin where deleting a non-qualified hostname would
delete just the host, not the service entries associated with that host.
- ipa-replica-manage now uses kerberos to delete and list servers.
Add still requires the DM password
- Provide feedback if a -mod command is executed and no changes are
performed
- Don't log passwords into files during installation
- Add option to enable pam_mkhomedirs in the IPA client installer
- Fixed a number of bugs in the pwpolicy plugin
- More detailed error messages when entries are not found
- Viewing binary in the UI shouldn't cause it to fail
- dogtag is a required component and now configured by default
- Run the XML-RPC server under mod_wsgi instead of mod_python
- Fix the --all and --raw options
- 8 translations:
  - Bengali India
  - Indonesian
  - Ukrainian
  - Kannada
  - Polish
  - Russian
  - Spanish
  - Chinese Simplified
- Other minor polish and bug fixes

rob

[1] http://www.freeipa.org/page/Downloads

From o.burtchen at gmx.de Sat May 8 03:37:27 2010
From: o.burtchen at gmx.de (Oliver Burtchen)
Date: Sat, 8 May 2010 05:37:27 +0200
Subject: [Freeipa-devel] [Freeipa-users] Announcing FreeIPA v2 Server Alpha 3 Release
In-Reply-To: <4BE47063.4030901@redhat.com>
References: <4BE47063.4030901@redhat.com>
Message-ID: <201005080537.27529.o.burtchen@gmx.de>

Hi @all,

as long year Fedora and formerly Red Hat Linux user and interested tester
of freeipa v2 lately, I want just congratulate for the next (alpha)
release of freeipa.

Thanks to the developers and Red Hat at all for the ongoing work,
friendly support in the mailing lists and contributions to the open
source community!

Best regards,
Oli

On Friday, 7 May 2010 21:56:19, Rob Crittenden wrote:
> To all freeipa-interest, freeipa-users and freeipa-devel list members,
>
> The FreeIPA project team is pleased to announce the availability of the
> Alpha 3 release of freeIPA 2.0 server [1]. Binaries are available for
> F-12 and F-13.
>
> This alpha is mostly a bug fix release over the previous alpha. We have
> started the process of polishing so things should generally work more
> smoothly and look better.
> There are few visual improvements in the UI,
> those should appear in the next release.
>
> Please do not hesitate to share feedback, criticism or bugs with us on
> our mailing list: freeipa-users at redhat.com
>
> The big changes in this release are:
> - better i18n support including a few translations
> - the XML-RPC API changed so it is not compatible with previous releases
> - use mod_wsgi instead of mod_python
> - the CA is a required component and is now configured by default.
> Pass --selfsign to the installer to use the old self-signed CA
> - man page for the ipa command
> - A default Host-Based Access Control (HBAC) rule is created that
> grants all users the ability to log into any host from any host. This
> was done to simplify initial testing, it is expected this rule,
> allow_all, will be removed before you deploy.
> - We no longer enable nscd, sssd handles caching now
>
> Known issues:
> - The CA must be installed in the en_US locale (#588375)
>
> A more complete, semi-high-level list of changes since the last alpha are:
> - Fix memory crash-bug in ipa-join
> - Add pwpolicy2 plugin, future replacement for pwpolicy
> - CSRs that don't include NEW in the header/footer blocks should work now
> - Lots of clean-ups in ipa-client-install
> - ipa-server-install and ipa-client-install now use backed-up files and
> state in /var/lib/ipa and /var/lib/ipa-client to determine whether they
> are already configured or not
> - Fixed bug in some DNS entries that were missing a trailing dot (.)
> - Fix bug in password plugin that prevented ldappasswd from working on
> non-kerberized users
> - In the client installer we will have certmonger issue certificate
> requests using the subject base that IPA is configured with. This will
> make certmonger play nicer with the selfsign CA.
> - IPA works when using external CA option again
> - Stop using LDAPv2-style escaped DNs where possible
> - Updated MITM integration with dogtag
> - Anonymous VLV is enabled when the compat plugin is enabled making
> Solaris 10 clients happy
> - Add a CRL URI to certificates that are issued by dogtag
> - Added an ipa man page
> - XML-RPC signature change. This will affect older alphas command-line
> utilities trying to talk to a new server
> - Fixed bug in host plugin where deleting a non-qualified hostname would
> delete just the host, not the service entries associated with that host.
> - ipa-replica-manage now uses kerberos to delete and list servers. Add
> still requires the DM password
> - Provide feedback if a -mod command is executed and no changes are
> performed
> - Don't log passwords into files during installation
> - Add option to enable pam_mkhomedirs in the IPA client installer
> - Fixed a number of bugs in the pwpolicy plugin
> - More detailed error messages when entries are not found
> - Viewing binary in the UI shouldn't cause it to fail
> - dogtag is a required component and now configured by default
> - Run the XML-RPC server under mod_wsgi instead of mod_python
> - Fix the --all and --raw options
> - 8 translations:
>   - Bengali India
>   - Indonesian
>   - Ukrainian
>   - Kannada
>   - Polish
>   - Russian
>   - Spanish
>   - Chinese Simplified
> - Other minor polish and bug fixes
>
> rob
>
> [1] http://www.freeipa.org/page/Downloads
>
> _______________________________________________
> Freeipa-users mailing list
> Freeipa-users at redhat.com
> https://www.redhat.com/mailman/listinfo/freeipa-users
>

--
Oliver Burtchen, Berlin

From pzuna at redhat.com Mon May 10 13:41:46 2010
From: pzuna at redhat.com (Pavel Zuna)
Date: Mon, 10 May 2010 15:41:46 +0200
Subject: [Freeipa-devel] [PATCH] Add exception callback (exc_callback) to baseldap.py classes.
Message-ID: <4BE80D1A.1050803@redhat.com>

The new callback enables plugin authors to supply their own handler for
ExecutionError exceptions generated by calls to ldap2 made from the
execute method of baseldap.py classes that extend CallbackInterface.

Pavel
-------------- next part --------------
A non-text attachment was scrubbed...
Name: pzuna-freeipa-0004-exc_callback.patch
Type: application/mbox
Size: 12079 bytes
Desc: not available
URL:

From pzuna at redhat.com Mon May 10 13:44:19 2010
From: pzuna at redhat.com (Pavel Zuna)
Date: Mon, 10 May 2010 15:44:19 +0200
Subject: [Freeipa-devel] [PATCH] Correctly handle EmptyModlist exception in pwpolicy2-mod.
Message-ID: <4BE80DB3.1070602@redhat.com>

EmptyModlist exception was generated by pwpolicy2-mod when modifying
policy priority only. It was because the priority attribute is stored
outside of the policy entry (in a CoS entry) and there was nothing left
to be changed in the policy entry.

This patch uses the new exception callbacks in baseldap.py classes
(introduced in my recent patch no. 0004) to catch the EmptyModlist
exception and checks if there was really nothing to be modified before
reraising the exception.

Pavel
-------------- next part --------------
A non-text attachment was scrubbed...
Name: pzuna-freeipa-0005-pwpolicy2.patch
Type: application/mbox
Size: 1804 bytes
Desc: not available
URL:

From rcritten at redhat.com Mon May 10 18:11:48 2010
From: rcritten at redhat.com (Rob Crittenden)
Date: Mon, 10 May 2010 14:11:48 -0400
Subject: [Freeipa-devel] [PATCH] 439 spec file cleanups
Message-ID: <4BE84C64.4090205@redhat.com>

Remove references to Fedora < 10 and add some tests for RHEL 6.

rob
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-439-spec.patch
Type: application/mbox
Size: 2688 bytes
Desc: not available
URL:

From rcritten at redhat.com Mon May 10 18:38:22 2010
From: rcritten at redhat.com (Rob Crittenden)
Date: Mon, 10 May 2010 14:38:22 -0400
Subject: [Freeipa-devel] [PATCH] Add exception callback (exc_callback) to baseldap.py classes.
In-Reply-To: <4BE80D1A.1050803@redhat.com>
References: <4BE80D1A.1050803@redhat.com>
Message-ID: <4BE8529E.5070804@redhat.com>

Pavel Zuna wrote:
> The new callback enables plugin authors to supply their own handler for
> ExecutionError exceptions generated by calls to ldap2 made from the
> execute method of baseldap.py classes that extend CallbackInterface.
>
> Pavel

I don't see any reference to EXC_CALLBACKS other than in registration.
It looks like this provides a registration system then just calls the
top exc_callback call.

I see the default exc_callback() is just a raise. I think this should
always be called last to raise the exception if things get that far.
This way the plugin author doesn't have to remember to raise themselves
if whatever condition they're looking for isn't met (which your second
patch doesn't do).

I like where this is going, just needs a little more work.

rob

From admin at transifex.net Tue May 11 14:34:30 2010
From: admin at transifex.net (admin at transifex.net)
Date: Tue, 11 May 2010 14:34:30 -0000
Subject: [Freeipa-devel] [Transifex] File submitted via email to FreeIPA | master
Message-ID: <20100511143430.16719.50121@web1.transifex.net>

Hello freeipa, this is Transifex at http://www.transifex.net.

The following attached files were submitted to FreeIPA | master by
gundachandru

Please, visit Transifex at
http://www.transifex.net/projects/p/freeipa/c/master/ in order to see
the component page.

Thank you,
Transifex
-------------- next part --------------
# Kannada translations for ipa-server package.
# Copyright (C) 2010 Red Hat
# This file is distributed under the same license as the PACKAGE package.
#: ../../ipalib/plugins/dns.py:472 #: ../../ipalib/plugins/dns.py:587 #: ../../ipalib/plugins/dns.py:678 msgid "Record type" msgstr "?????? ???" #: ../../ipalib/plugins/dns.py:476 #: ../../ipalib/plugins/dns.py:591 msgid "Data" msgstr "???????" #: ../../ipalib/plugins/dns.py:477 #: ../../ipalib/plugins/dns.py:592 msgid "Type-specific data" msgstr "?????-?????? ???????" #: ../../ipalib/plugins/dns.py:484 msgid "Time to live" msgstr "??????????? ???" #: ../../ipalib/plugins/dns.py:489 msgid "Class" msgstr "????" #: ../../ipalib/plugins/dns.py:582 #: ../../ipalib/plugins/dns.py:674 #: ../../ipalib/plugins/dns.py:791 msgid "Resource name" msgstr "???????? ?????" #: ../../ipalib/plugins/dns.py:667 msgid "Search criteria" msgstr "?????? criteria" #: ../../ipalib/plugins/dns.py:682 msgid "type-specific data" msgstr "?????-?????? ???????" #: ../../ipalib/plugins/automount.py:108 msgid "Automount location name" msgstr "???????? ???? ?????" #: ../../ipalib/plugins/automount.py:224 msgid "Map" msgstr "?????" #: ../../ipalib/plugins/automount.py:225 msgid "Automount map name" msgstr "???????? ???????? ?????" #: ../../ipalib/plugins/automount.py:234 msgid "Automount Maps" msgstr "????????? ????????" #: ../../ipalib/plugins/automount.py:306 msgid "Key" msgstr "??" #: ../../ipalib/plugins/automount.py:307 msgid "Automount key name" msgstr "???????? ?? ?????" #: ../../ipalib/plugins/automount.py:312 msgid "Mount information" msgstr "????? ??????" #: ../../ipalib/plugins/automount.py:316 msgid "description" msgstr "??????" #: ../../ipalib/plugins/automount.py:320 msgid "Automount Keys" msgstr "???? ????????" #: ../../ipalib/plugins/automount.py:340 msgid "Mount point" msgstr "????? ??????" 
#: ../../ipalib/plugins/automount.py:344 msgid "Parent map" msgstr "Parent map" #: ../../ipalib/plugins/automount.py:345 msgid "Name of parent automount map (default: auto.master)" msgstr "Name of parent automount map (default: auto.master)" #: ../../ipalib/plugins/netgroup.py:47 msgid "Net Groups" msgstr "???? ????????" #: ../../ipalib/plugins/netgroup.py:52 msgid "Netgroup name" msgstr "??????????? ?????" #: ../../ipalib/plugins/netgroup.py:59 msgid "Netgroup description" msgstr "??????????? ??????" #: ../../ipalib/plugins/netgroup.py:63 msgid "NIS domain name" msgstr "NIS ?????? ?????" #: ../../ipalib/plugins/netgroup.py:80 msgid "Member host" msgstr "????? ??????" #: ../../ipalib/plugins/netgroup.py:88 msgid "External host" msgstr "?????? ??????" #: ../../ipalib/plugins/misc.py:37 #, python-format msgid "%(count)d variables" msgstr "%(count)d ?????????????" #: ../../ipalib/plugins/misc.py:96 #, python-format msgid "%(count)d plugin loaded" msgid_plural "%(count)d plugins loaded" msgstr[0] "%(count)d ??????? ???? ?????" msgstr[1] "%(count)d ??????????? ???? ????? " #: ../../ipalib/plugins/user.py:53 msgid "User login" msgstr "???????? ??????" #: ../../ipalib/plugins/user.py:60 msgid "First name" msgstr "???? ?????" #: ../../ipalib/plugins/user.py:64 msgid "Last name" msgstr "????? ?????" #: ../../ipalib/plugins/user.py:72 msgid "GECOS field" msgstr "GECOS ???????" #: ../../ipalib/plugins/user.py:78 msgid "Login shell" msgstr "?????? ????" #: ../../ipalib/plugins/user.py:83 msgid "Kerberos principal" msgstr "Kerberos principal" #: ../../ipalib/plugins/user.py:89 msgid "Email address" msgstr "????? ?????" #: ../../ipalib/plugins/user.py:93 msgid "Password" msgstr "???????" #: ../../ipalib/plugins/user.py:94 msgid "Set the user password" msgstr "???????? ??????? ???? ????" #: ../../ipalib/plugins/user.py:101 msgid "UID" msgstr "UID" #: ../../ipalib/plugins/user.py:102 msgid "UID (use this option to set it manually)" msgstr "UID (?????? ??????????? ??? ???? ????? ? 
?????????? ????)" #: ../../ipalib/plugins/user.py:106 msgid "Street address" msgstr "???? ?????" #: ../../ipalib/plugins/user.py:113 msgid "Netgroups" msgstr "???????????????" #: ../../ipalib/plugins/user.py:117 msgid "Rolegroups" msgstr "???????????????" #: ../../ipalib/plugins/user.py:121 msgid "Taskgroups" msgstr "?????????????????" #: ../../ipalib/plugins/user.py:134 #, python-format msgid "Added user \"%(value)s\"" msgstr "\"%(value)s\" ???????????? ???????????" #: ../../ipalib/plugins/user.py:179 #, python-format msgid "Deleted user \"%(value)s\"" msgstr "\"%(value)s\" ???????????? ??????????" #: ../../ipalib/plugins/user.py:198 #, python-format msgid "Modified user \"%(value)s\"" msgstr "\"%(value)s\" ???????????? ?????????????" #: ../../ipalib/plugins/user.py:209 #, python-format msgid "%(count)d user matched" msgid_plural "%(count)d users matched" msgstr[0] "%(count)d ??????? ??????????????????" msgstr[1] "%(count)d ????????? ??????????????????" #: ../../ipalib/plugins/user.py:229 #, python-format msgid "Locked user \"%(value)s\"" msgstr "???? ?????? ??????? \"%(value)s\"" #: ../../ipalib/plugins/user.py:255 #, python-format msgid "Unlocked user \"%(value)s\"" msgstr "???????? ?????? ??????? \"%(value)s\"" #: ../../ipalib/plugins/taskgroup.py:43 msgid "Task Groups" msgstr "????(??????)? ????????" #: ../../ipalib/plugins/taskgroup.py:48 msgid "Task-group name" msgstr "??????-?????? ?????" #: ../../ipalib/plugins/taskgroup.py:55 msgid "Task-group description" msgstr "??????-?????? ??????" #: ../../ipalib/plugins/taskgroup.py:66 msgid "Member role-groups" msgstr "????? ????-??????????" #: ../../ipalib/plugins/taskgroup.py:79 #, python-format msgid "Added taskgroup \"%(value)s\"" msgstr "\"%(value)s\" ???????????????? ???????????" #: ../../ipalib/plugins/taskgroup.py:89 #, python-format msgid "Deleted taskgroup \"%(value)s\"" msgstr "\"%(value)s\" ???????????????? ??????????" 
#: ../../ipalib/plugins/taskgroup.py:99 #, python-format msgid "Modified taskgroup \"%(value)s\"" msgstr "\"%(value)s\" ???????????????? ?????????????" #: ../../ipalib/plugins/taskgroup.py:110 #, python-format msgid "%(count)d taskgroup matched" msgid_plural "%(count)d taskgroups matched" msgstr[0] "%(count)d ?????????????? ??????????????" msgstr[1] "%(count)d ????????????????? ??????????????" #: ../../ipalib/plugins/hostgroup.py:43 msgid "Host Groups" msgstr "?????? ????????" #: ../../ipalib/plugins/hostgroup.py:48 msgid "Host-group" msgstr "??????-?????" #: ../../ipalib/plugins/hostgroup.py:49 msgid "Name of host-group" msgstr "??????-?????? ?????" #: ../../ipalib/plugins/hostgroup.py:56 msgid "A description of this host-group" msgstr "? ??????-???????? ??????" #: ../../ipalib/plugins/hostgroup.py:59 msgid "Member hosts" msgstr "????? ??????????" #: ../../ipalib/plugins/hostgroup.py:63 msgid "Member host-groups" msgstr "????? ??????-??????????" #: ../../ipalib/plugins/hostgroup.py:80 #, python-format msgid "Added hostgroup \"%(value)s\"" msgstr "\"%(value)s\" ???????????????? ???????????" #: ../../ipalib/plugins/hostgroup.py:90 #, python-format msgid "Deleted hostgroup \"%(value)s\"" msgstr "\"%(value)s\" ???????????????? ??????????" #: ../../ipalib/plugins/hostgroup.py:100 #, python-format msgid "Modified hostgroup \"%(value)s\"" msgstr "\"%(value)s\" ???????????????? ?????????????" #: ../../ipalib/plugins/hostgroup.py:111 #, python-format msgid "%(count)d hostgroup matched" msgid_plural "%(count)d hostgroups matched" msgstr[0] "%(count)d ?????????????? ??????????????" msgstr[1] "%(count)d ????????????????? ??????????????" #: ../../ipalib/plugins/pwpolicy.py:121 #: ../../ipalib/plugins/pwpolicy.py:173 #: ../../ipalib/plugins/pwpolicy.py:225 #: ../../ipalib/plugins/pwpolicy.py:321 msgid "Group" msgstr "?????" #: ../../ipalib/plugins/pwpolicy.py:126 msgid "Max lifetime (days)" msgstr "?????? ????????? 
(??????)" #: ../../ipalib/plugins/pwpolicy.py:127 msgid "Maximum password lifetime (in days)" msgstr "???????? ?????? ????????? (?????????)" #: ../../ipalib/plugins/pwpolicy.py:133 msgid "Min lifetime (hours)" msgstr "?????? ????????? (???????)" #: ../../ipalib/plugins/pwpolicy.py:134 msgid "Minimum password lifetime (in hours)" msgstr "???????? ?????? ????????? (??????????)" #: ../../ipalib/plugins/pwpolicy.py:140 msgid "History size" msgstr "??????? ?????" #: ../../ipalib/plugins/pwpolicy.py:141 msgid "Password history size" msgstr "??????? ??????? ?????" #: ../../ipalib/plugins/pwpolicy.py:147 msgid "Character classes" msgstr "??????????? ??????????" #: ../../ipalib/plugins/pwpolicy.py:148 msgid "Minimum number of character classes" msgstr "?????? ??????? ?????????? ??????????" #: ../../ipalib/plugins/pwpolicy.py:154 msgid "Min length" msgstr "?????? ????" #: ../../ipalib/plugins/pwpolicy.py:155 msgid "Minimum length of password" msgstr "???????? ?????? ????" #: ../../ipalib/plugins/pwpolicy.py:169 #, python-format msgid "Added policy for group \"%(value)s\"" msgstr "????? \"%(value)s\" ?? ??????????? ???????????" #: ../../ipalib/plugins/pwpolicy.py:174 #: ../../ipalib/plugins/pwpolicy.py:226 msgid "Group to set policy for" msgstr "Group to set policy for" #: ../../ipalib/plugins/pwpolicy.py:179 #: ../../ipalib/plugins/pwpolicy.py:230 msgid "Priority" msgstr "??????" #: ../../ipalib/plugins/pwpolicy.py:180 #: ../../ipalib/plugins/pwpolicy.py:231 msgid "Priority of the policy (higher number equals lower priority)" msgstr "??????? ?????? (?????? ?????? ?????? ???????? ?????????????)" #: ../../ipalib/plugins/pwpolicy.py:222 #, python-format msgid "Modified policy for group \"%(value)s\"" msgstr "????? \"%(value)s\" ?? ??????????? ?????????????" #: ../../ipalib/plugins/pwpolicy.py:244 msgid "priority cannot be set on global policy" msgstr "??????? ??????????? ??????????? ???? ??????????????" 
#: ../../ipalib/plugins/pwpolicy.py:277 #, python-format msgid "Deleted policy for group \"%(value)s\"" msgstr "????? \"%(value)s\" ?? ??????????? ??????????" #: ../../ipalib/plugins/pwpolicy.py:322 msgid "Group to display policy" msgstr "?????? ??????????????? ?????" #: ../../ipalib/plugins/pwpolicy.py:325 msgid "User" msgstr "???????" #: ../../ipalib/plugins/pwpolicy.py:326 msgid "Display policy applied to a given user" msgstr "???? ??????????? ??????????? ?????? ??????" #: ../../ipaserver/install/certs.py:576 #: ../../ipaserver/plugins/dogtag.py:1313 #: ../../ipaserver/plugins/dogtag.py:1398 #: ../../ipaserver/plugins/dogtag.py:1463 #: ../../ipaserver/plugins/dogtag.py:1543 #: ../../ipaserver/plugins/dogtag.py:1602 #, python-format msgid "Unable to communicate with CMS (%s)" msgstr "CMS (%s) ???? ?????????? ????????????????" #: ../../ipaserver/plugins/selfsign.py:102 #, python-format msgid "Request subject \"%(request_subject)s\" does not match the form \"%(subject_base)s\"" msgstr "?????? ???? \"%(request_subject)s\" ?????? \"%(subject_base)s\" ???? ??????????????????" #: ../../ipaserver/plugins/selfsign.py:107 #, python-format msgid "unable to decode csr: %s" msgstr "csr ????? ?????? ????? ????????????????: %s" #: ../../ipaserver/plugins/selfsign.py:128 #: ../../ipaserver/plugins/selfsign.py:143 msgid "file operation" msgstr "???? ??????????" #: ../../ipaserver/plugins/selfsign.py:157 msgid "cannot obtain next serial number" msgstr "?????? ??????? ????? ????? ?????? ??????????" #: ../../ipaserver/plugins/selfsign.py:192 msgid "certutil failure" msgstr "certutil ??????" From jdennis at redhat.com Tue May 11 15:37:03 2010 From: jdennis at redhat.com (John Dennis) Date: Tue, 11 May 2010 11:37:03 -0400 Subject: [Freeipa-devel] [PATCH 15/15] Update Kannada translations Message-ID: <201005111537.o4BFb3uv013472@int-mx01.intmail.prod.int.phx2.redhat.com> -- John Dennis Looking to carve out IT costs? 
www.redhat.com/carveoutcosts/ -------------- next part -------------- A non-text attachment was scrubbed... Name: 0015-Update-Kannada-translations.patch Type: text/x-patch Size: 47029 bytes Desc: not available URL: From rcritten at redhat.com Tue May 11 18:23:26 2010 From: rcritten at redhat.com (Rob Crittenden) Date: Tue, 11 May 2010 14:23:26 -0400 Subject: [Freeipa-devel] [PATCH 15/15] Update Kannada translations In-Reply-To: <201005111537.o4BFb3uv013472@int-mx01.intmail.prod.int.phx2.redhat.com> References: <201005111537.o4BFb3uv013472@int-mx01.intmail.prod.int.phx2.redhat.com> Message-ID: <4BE9A09E.5010707@redhat.com> John Dennis wrote: > > > ------------------------------------------------------------------------ > > _______________________________________________ > Freeipa-devel mailing list > Freeipa-devel at redhat.com > https://www.redhat.com/mailman/listinfo/freeipa-devel pushed to master From pzuna at redhat.com Wed May 12 17:19:42 2010 From: pzuna at redhat.com (=?UTF-8?B?UGF2ZWwgWsWvbmE=?=) Date: Wed, 12 May 2010 19:19:42 +0200 Subject: [Freeipa-devel] [PATCH] Add exception callback (exc_callback) to baseldap.py classes. In-Reply-To: <4BE8529E.5070804@redhat.com> References: <4BE80D1A.1050803@redhat.com> <4BE8529E.5070804@redhat.com> Message-ID: <4BEAE32E.7010006@redhat.com> On 2010-05-10 20:38, Rob Crittenden wrote: > Pavel Zuna wrote: >> The new callback enables plugin authors to supply their own handler >> for ExecutionError exceptions generated by calls to ldap2 made from >> the execute method of baseldap.py classes that extend CallbackInterface. >> >> Pavel > > I don't see any reference to EXC_CALLBACKS other than in registration. > It looks like this provides a registration system then just calls the > top exc_callback call. My mistake, fixed patch attached. > I see the default exc_callback() is just a raise. I think this should > always be called last to raise the exception if things get that far. 
> This way the plugin author doesn't have to remember to raise themselves > if whatever condition they're looking for isn't met (which your second > patch doesn't do). We can't always call the default callback last, because all registered callbacks are called in a row and therefore the exception would always be raised. We want to be able to suppress exceptions. Just to make things a little more clear: The default callbacks (the {pre,post,exc}_callback methods) are there to be overridden by plugin authors. Registering new callbacks is a way to extend existing plugins. I also modified the way we call exception callbacks in this version of the patch, so that we can simulate that nothing went wrong even for ldap2 calls that return values. Also if a callback raises an ExecutionError, the callbacks called next have a chance to handle it. > I like where this is going, just needs a little more work. > > rob Pavel -------------- next part -------------- An embedded and charset-unspecified text was scrubbed... Name: pzuna-freeipa-0004-exc_callback.patch URL: From pzuna at redhat.com Wed May 12 17:22:18 2010 From: pzuna at redhat.com (=?UTF-8?B?UGF2ZWwgWsWvbmE=?=) Date: Wed, 12 May 2010 19:22:18 +0200 Subject: [Freeipa-devel] [PATCH] Correctly handle EmptyModlist exception in pwpolicy2-mod. In-Reply-To: <4BE80DB3.1070602@redhat.com> References: <4BE80DB3.1070602@redhat.com> Message-ID: <4BEAE3CA.4030606@redhat.com> On 2010-05-10 15:44, Pavel Zuna wrote: > EmptyModlist exception was generated by pwpolicy2-mod when modifying > policy priority only. It was because the priority attribute is stored > outside of the policy entry (in a CoS entry) and there was nothing left > to be changed in the policy entry. > > This patch uses the new exception callbacks in baseldap.py classes > (introduced in my recent patch no. 0004) to catch the EmptyModlist > exception and checks if there was really nothing to be modified before > reraising the exception. 
> > Pavel > Improved version attached: - there was a bug that Rob pointed out in another thread - exceptions other than EmptyModlist were suppressed unintentionally - the GLOBAL password policy was always displayed in searches using pwpolicy2-find, now it's only displayed if searching without criteria Pavel -------------- next part -------------- An embedded and charset-unspecified text was scrubbed... Name: pzuna-freeipa-0005-pwpolicy2.patch URL: From rcritten at redhat.com Fri May 14 13:40:53 2010 From: rcritten at redhat.com (Rob Crittenden) Date: Fri, 14 May 2010 09:40:53 -0400 Subject: [Freeipa-devel] [PATCH] 440 add groups of services to hbac Message-ID: <4BED52E5.1070208@redhat.com> Replace serviceName with memberService so we can assign individual services or groups of services to an HBAC rule. rob -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-440-hbac.patch Type: application/mbox Size: 17807 bytes Desc: not available URL: From pzuna at redhat.com Fri May 14 14:09:38 2010 From: pzuna at redhat.com (Pavel Zuna) Date: Fri, 14 May 2010 16:09:38 +0200 Subject: [Freeipa-devel] [PATCH] Add exception callback (exc_callback) to baseldap.py classes. In-Reply-To: <4BEAE32E.7010006@redhat.com> References: <4BE80D1A.1050803@redhat.com> <4BE8529E.5070804@redhat.com> <4BEAE32E.7010006@redhat.com> Message-ID: <4BED59A2.3060803@redhat.com> Improved version attached. If a callback raised a new exception, callbacks next in row would still get the original exception. Now they should get the new one as intended. Thanks to Rob for pointing this out. Pavel -------------- next part -------------- A non-text attachment was scrubbed...
Name: pzuna-freeipa-0004-exc_callback.patch Type: application/mbox Size: 13432 bytes Desc: not available URL: From rcritten at redhat.com Fri May 14 15:07:31 2010 From: rcritten at redhat.com (Rob Crittenden) Date: Fri, 14 May 2010 11:07:31 -0400 Subject: [Freeipa-devel] [PATCH] Add exception callback (exc_callback) to baseldap.py classes. In-Reply-To: <4BED59A2.3060803@redhat.com> References: <4BE80D1A.1050803@redhat.com> <4BE8529E.5070804@redhat.com> <4BEAE32E.7010006@redhat.com> <4BED59A2.3060803@redhat.com> Message-ID: <4BED6733.8010409@redhat.com> Pavel Zuna wrote: > Improved version attached. > > If a callback raised a new exception, callbacks next in row would still > get the original exception. Now they should get the new one as intended. > > Thanks to Rob for pointing this out. > > Pavel Ack, pushed to master From rcritten at redhat.com Fri May 14 15:07:53 2010 From: rcritten at redhat.com (Rob Crittenden) Date: Fri, 14 May 2010 11:07:53 -0400 Subject: [Freeipa-devel] [PATCH] Correctly handle EmptyModlist exception in pwpolicy2-mod. In-Reply-To: <4BEAE3CA.4030606@redhat.com> References: <4BE80DB3.1070602@redhat.com> <4BEAE3CA.4030606@redhat.com> Message-ID: <4BED6749.7060105@redhat.com> Pavel Zůna wrote: > On 2010-05-10 15:44, Pavel Zuna wrote: >> EmptyModlist exception was generated by pwpolicy2-mod when modifying >> policy priority only. It was because the priority attribute is stored >> outside of the policy entry (in a CoS entry) and there was nothing left >> to be changed in the policy entry. >> >> This patch uses the new exception callbacks in baseldap.py classes >> (introduced in my recent patch no. 0004) to catch the EmptyModlist >> exception and checks if there was really nothing to be modified before >> reraising the exception.
>> >> Pavel >> > Improved version attached: > - there was a bug that Rob pointed out in another thread - exceptions other > than EmptyModlist were suppressed unintentionally > - the GLOBAL password policy was always displayed in searches using > pwpolicy2-find, now it's only displayed if searching without criteria > > Pavel > Yup, working nicely. Ack, pushed to master. rob From rcritten at redhat.com Fri May 14 20:02:57 2010 From: rcritten at redhat.com (Rob Crittenden) Date: Fri, 14 May 2010 16:02:57 -0400 Subject: [Freeipa-devel] [PATCH] 441 complete switch to new pwpolicy plugin Message-ID: <4BEDAC71.9000203@redhat.com> This completes the switch to the new pwpolicy plugin. I generated the patch with -M but it still created a huge diff. The changes are relatively minor, mostly dropping '2' from a bunch of calls and fixing removal of the pwpolicy when deleting a group. rob -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-441-tests.patch Type: application/mbox Size: 51488 bytes Desc: not available URL: From rcritten at redhat.com Fri May 14 21:30:16 2010 From: rcritten at redhat.com (Rob Crittenden) Date: Fri, 14 May 2010 17:30:16 -0400 Subject: [Freeipa-devel] [PATCH] 442 update hbac tests Message-ID: <4BEDC0E8.1010008@redhat.com> Update HBAC test to drop serviceName for groups of services. This relies on patch 440 rob -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-442-hbac.patch Type: application/mbox Size: 4228 bytes Desc: not available URL: From rcritten at redhat.com Fri May 14 21:32:40 2010 From: rcritten at redhat.com (Rob Crittenden) Date: Fri, 14 May 2010 17:32:40 -0400 Subject: [Freeipa-devel] [PATCH] 443 password policy lifetimes Message-ID: <4BEDC178.1020508@redhat.com> Enforce that the max lifetime is > min lifetime. This was a regression from IPA v1. This relies on the pwpolicy switcheroo, patch 441.
rob -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-443-pwpolicy.patch Type: application/mbox Size: 3560 bytes Desc: not available URL: From rcritten at redhat.com Fri May 14 21:54:19 2010 From: rcritten at redhat.com (Rob Crittenden) Date: Fri, 14 May 2010 17:54:19 -0400 Subject: [Freeipa-devel] [PATCH] 444 try to clarify uid Message-ID: <4BEDC68B.1040707@redhat.com> The uid option to the user plugin is the uidnumber, not the login name. Try to clarify that in the cmd line doc. rob -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-444-user.patch Type: application/mbox Size: 816 bytes Desc: not available URL: From pzuna at redhat.com Mon May 17 12:12:15 2010 From: pzuna at redhat.com (Pavel Zuna) Date: Mon, 17 May 2010 14:12:15 +0200 Subject: [Freeipa-devel] [PATCH] 440 add groups of services to hbac In-Reply-To: <4BED52E5.1070208@redhat.com> References: <4BED52E5.1070208@redhat.com> Message-ID: <4BF1329F.80101@redhat.com> On 05/14/2010 03:40 PM, Rob Crittenden wrote: > Replace serviceName with memberService so we can assign individual > services or groups of services to an HBAC rule. > > rob > Why is there a custom get_dn() in hbacsvcgroup? If the primary_key (cn) is part of the object DN, there is no need to override it. But that's just a detail - it doesn't hurt anything. ACK. Pavel From pzuna at redhat.com Mon May 17 12:12:46 2010 From: pzuna at redhat.com (Pavel Zuna) Date: Mon, 17 May 2010 14:12:46 +0200 Subject: [Freeipa-devel] [PATCH] 441 complete switch to new pwpolicy plugin In-Reply-To: <4BEDAC71.9000203@redhat.com> References: <4BEDAC71.9000203@redhat.com> Message-ID: <4BF132BE.4030206@redhat.com> On 05/14/2010 10:02 PM, Rob Crittenden wrote: > This completes the switch to the new pwpolicy plugin. I generated the > patch with -M but it still created a huge diff.
The changes are > relatively minor, mostly dropping '2' from a bunch of calls and fixing > removal of the pwpolicy when deleting a group. > > rob > ack. Pavel From pzuna at redhat.com Mon May 17 12:12:59 2010 From: pzuna at redhat.com (Pavel Zuna) Date: Mon, 17 May 2010 14:12:59 +0200 Subject: [Freeipa-devel] [PATCH] 442 update hbac tests In-Reply-To: <4BEDC0E8.1010008@redhat.com> References: <4BEDC0E8.1010008@redhat.com> Message-ID: <4BF132CB.9090503@redhat.com> On 05/14/2010 11:30 PM, Rob Crittenden wrote: > Update HBAC test to drop serviceName for groups of services. > > This relies on patch 440 > rob > ack. Pavel From pzuna at redhat.com Mon May 17 12:13:14 2010 From: pzuna at redhat.com (Pavel Zuna) Date: Mon, 17 May 2010 14:13:14 +0200 Subject: [Freeipa-devel] [PATCH] 443 password policy lifetimes In-Reply-To: <4BEDC178.1020508@redhat.com> References: <4BEDC178.1020508@redhat.com> Message-ID: <4BF132DA.80408@redhat.com> On 05/14/2010 11:32 PM, Rob Crittenden wrote: > Enforce that the max lifetime is > min lifetime. This was a regression > from IPA v1. > > This relies on the pwpolicy switcheroo, patch 441. > > rob > ack. Pavel From pzuna at redhat.com Mon May 17 12:13:36 2010 From: pzuna at redhat.com (Pavel Zuna) Date: Mon, 17 May 2010 14:13:36 +0200 Subject: [Freeipa-devel] [PATCH] 444 try to clarify uid In-Reply-To: <4BEDC68B.1040707@redhat.com> References: <4BEDC68B.1040707@redhat.com> Message-ID: <4BF132F0.6000804@redhat.com> On 05/14/2010 11:54 PM, Rob Crittenden wrote: > The uid option to the user plugin is the uidnumber, not the login name. > Try to clarify that in the cmd line doc. > > rob > ack. 
Pavel From rcritten at redhat.com Mon May 17 17:39:59 2010 From: rcritten at redhat.com (Rob Crittenden) Date: Mon, 17 May 2010 13:39:59 -0400 Subject: [Freeipa-devel] [PATCH] 445 fix up hbacsvcplugin and add tests Message-ID: <4BF17F6F.5070609@redhat.com> Remove the unnecessary get_dn() and get_primary_key_from_dn() from hbacsvcgroup plugin and add some basic tests for it. rob -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-445-hbac.patch Type: application/mbox Size: 10874 bytes Desc: not available URL: From rcritten at redhat.com Mon May 17 17:47:44 2010 From: rcritten at redhat.com (Rob Crittenden) Date: Mon, 17 May 2010 13:47:44 -0400 Subject: [Freeipa-devel] [PATCH] 440 add groups of services to hbac In-Reply-To: <4BF1329F.80101@redhat.com> References: <4BED52E5.1070208@redhat.com> <4BF1329F.80101@redhat.com> Message-ID: <4BF18140.8020208@redhat.com> Pavel Zuna wrote: > On 05/14/2010 03:40 PM, Rob Crittenden wrote: >> Replace serviceName with memberService so we can assign individual >> services or groups of services to an HBAC rule. >> >> rob >> > > Why is there a custom get_dn() in hbacsvcgroup? If the primary_key (cn) > is part of the object DN, there is no need to override it. But that's > just a detail - it doesn't hurt anything. > > ACK. > > Pavel Good catch, I meant to remove that. I'm going to push the patch as-is and submit a fix for this later this morning. pushed to master rob From rcritten at redhat.com Mon May 17 17:48:32 2010 From: rcritten at redhat.com (Rob Crittenden) Date: Mon, 17 May 2010 13:48:32 -0400 Subject: [Freeipa-devel] [PATCH] 441 complete switch to new pwpolicy plugin In-Reply-To: <4BF132BE.4030206@redhat.com> References: <4BEDAC71.9000203@redhat.com> <4BF132BE.4030206@redhat.com> Message-ID: <4BF18170.8080805@redhat.com> Pavel Zuna wrote: > On 05/14/2010 10:02 PM, Rob Crittenden wrote: >> This completes the switch to the new pwpolicy plugin.
I generated the >> patch with -M but it still created a huge diff. The changes are >> relatively minor, mostly dropping '2' from a bunch of calls and fixing >> removal of the pwpolicy when deleting a group. >> >> rob >> > ack. > > Pavel Pushed to master From rcritten at redhat.com Mon May 17 17:48:55 2010 From: rcritten at redhat.com (Rob Crittenden) Date: Mon, 17 May 2010 13:48:55 -0400 Subject: [Freeipa-devel] [PATCH] 442 update hbac tests In-Reply-To: <4BF132CB.9090503@redhat.com> References: <4BEDC0E8.1010008@redhat.com> <4BF132CB.9090503@redhat.com> Message-ID: <4BF18187.2040401@redhat.com> Pavel Zuna wrote: > On 05/14/2010 11:30 PM, Rob Crittenden wrote: >> Update HBAC test to drop serviceName for groups of services. >> >> This relies on patch 440 >> rob >> > ack. > > Pavel pushed to master From rcritten at redhat.com Mon May 17 17:49:35 2010 From: rcritten at redhat.com (Rob Crittenden) Date: Mon, 17 May 2010 13:49:35 -0400 Subject: [Freeipa-devel] [PATCH] 443 password policy lifetimes In-Reply-To: <4BF132DA.80408@redhat.com> References: <4BEDC178.1020508@redhat.com> <4BF132DA.80408@redhat.com> Message-ID: <4BF181AF.2030608@redhat.com> Pavel Zuna wrote: > On 05/14/2010 11:32 PM, Rob Crittenden wrote: >> Enforce that the max lifetime is > min lifetime. This was a regression >> from IPA v1. >> >> This relies on the pwpolicy switcheroo, patch 441. >> >> rob >> > ack. > > Pavel pushed to master From rcritten at redhat.com Mon May 17 17:50:01 2010 From: rcritten at redhat.com (Rob Crittenden) Date: Mon, 17 May 2010 13:50:01 -0400 Subject: [Freeipa-devel] [PATCH] 444 try to clarify uid In-Reply-To: <4BF132F0.6000804@redhat.com> References: <4BEDC68B.1040707@redhat.com> <4BF132F0.6000804@redhat.com> Message-ID: <4BF181C9.40905@redhat.com> Pavel Zuna wrote: > On 05/14/2010 11:54 PM, Rob Crittenden wrote: >> The uid option to the user plugin is the uidnumber, not the login name. >> Try to clarify that in the cmd line doc. >> >> rob >> > ack. 
>
> Pavel

pushed to master

From pzuna at redhat.com Tue May 18 13:08:50 2010
From: pzuna at redhat.com (Pavel Zuna)
Date: Tue, 18 May 2010 15:08:50 +0200
Subject: [Freeipa-devel] [PATCH] 445 fix up hbacsvcplugin and add tests
In-Reply-To: <4BF17F6F.5070609@redhat.com>
References: <4BF17F6F.5070609@redhat.com>
Message-ID: <4BF29162.6030001@redhat.com>

On 05/17/2010 07:39 PM, Rob Crittenden wrote:
> Remove the unnecessary get_dn() and get_primary_key_from_dn() from
> hbacsvcgroup plugin and add some basic tests for it.
>
> rob
>

ack.

Pavel

From rcritten at redhat.com Wed May 19 17:28:14 2010
From: rcritten at redhat.com (Rob Crittenden)
Date: Wed, 19 May 2010 13:28:14 -0400
Subject: [Freeipa-devel] [PATCH] 446 fix clone from a clone
Message-ID: <4BF41FAE.2020103@redhat.com>

Include -clone_uri argument to pkisilent setting the clone URI.

This makes creating a clone from a clone work as expected.

Note that this depends on some fixes in the pki-ca, pki-common and
pki-silent packages. I tested this against pre-release versions.

This means you can do something like this:

Install IPA on server A
Prepare a replica file on server A for server B
Install the IPA replica on server B
Prepare a replica file for server C on server B
Install the IPA replica on server C

The replication topology looks like: A <-> B <-> C

This isn't really recommended but it at least frees us from having a
single point of failure regarding the CA. The CAs are now independent,
though they replicate over a different channel than IPA user data.

rob
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-446-clone.patch
Type: application/mbox
Size: 1005 bytes
Desc: not available
URL:

From rcritten at redhat.com Thu May 20 15:56:46 2010
From: rcritten at redhat.com (Rob Crittenden)
Date: Thu, 20 May 2010 11:56:46 -0400
Subject: [Freeipa-devel] [PATCH] 447 load dogtag selinux rules in spec
Message-ID: <4BF55BBE.8080704@redhat.com>

Move the dogtag SELinux rules loading into the spec file

I couldn't put the dogtag rules into the spec file until we required
dogtag as a component. If it wasn't pre-loaded then the rules loading
would fail because types would be missing.

rob
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-447-selinux.patch
Type: application/mbox
Size: 5281 bytes
Desc: not available
URL:

From rcritten at redhat.com Thu May 20 17:53:21 2010
From: rcritten at redhat.com (Rob Crittenden)
Date: Thu, 20 May 2010 13:53:21 -0400
Subject: [Freeipa-devel] [PATCH] 445 fix up hbacsvcplugin and add tests
In-Reply-To: <4BF29162.6030001@redhat.com>
References: <4BF17F6F.5070609@redhat.com> <4BF29162.6030001@redhat.com>
Message-ID: <4BF57711.1000609@redhat.com>

Pavel Zuna wrote:
> On 05/17/2010 07:39 PM, Rob Crittenden wrote:
>> Remove the unnecessary get_dn() and get_primary_key_from_dn() from
>> hbacsvcgroup plugin and add some basic tests for it.
>>
>> rob
>>
> ack.
>
> Pavel

pushed to master

From rcritten at redhat.com Thu May 20 17:54:25 2010
From: rcritten at redhat.com (Rob Crittenden)
Date: Thu, 20 May 2010 13:54:25 -0400
Subject: [Freeipa-devel] [PATCH] 448 fix default hbac rule, add default services
Message-ID: <4BF57751.604@redhat.com>

Add the 'all' serviceCategory to the default allow_all HBAC rule and add
some standard services: ftp, login, sshd, su, sudo.

rob
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-448-hbac.patch
Type: application/mbox
Size: 1452 bytes
Desc: not available
URL:

From sgallagh at redhat.com Thu May 20 18:18:27 2010
From: sgallagh at redhat.com (Stephen Gallagher)
Date: Thu, 20 May 2010 14:18:27 -0400
Subject: [Freeipa-devel] [PATCH] 448 fix default hbac rule, add default services
In-Reply-To: <4BF57751.604@redhat.com>
References: <4BF57751.604@redhat.com>
Message-ID: <4BF57CF3.4000906@redhat.com>

On 05/20/2010 01:54 PM, Rob Crittenden wrote:
> Add the 'all' serviceCategory to the default allow_all HBAC rule and add
> some standard services: ftp, login, sshd, su, sudo.
>
> rob

Please add 'su-l' as well

--
Stephen Gallagher
RHCE 804006346421761

Delivering value year after year.
Red Hat ranks #1 in value among software vendors.
http://www.redhat.com/promo/vendor/

From rcritten at redhat.com Thu May 20 21:05:07 2010
From: rcritten at redhat.com (Rob Crittenden)
Date: Thu, 20 May 2010 17:05:07 -0400
Subject: [Freeipa-devel] [PATCH] 449 renumber IPA schema OIDs
Message-ID: <4BF5A403.60701@redhat.com>

Use correct OID base for ipaVolumeKey (it's an objectClass, not an
attribute).

Re-number to use contiguous values. There were some pretty big gaps.

rob
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-449-schema.patch
Type: application/mbox
Size: 21180 bytes
Desc: not available
URL:

From dpal at redhat.com Fri May 21 15:45:38 2010
From: dpal at redhat.com (Dmitri Pal)
Date: Fri, 21 May 2010 11:45:38 -0400
Subject: [Freeipa-devel] [PATCH] 449 renumber IPA schema OIDs
In-Reply-To: <4BF5A403.60701@redhat.com>
References: <4BF5A403.60701@redhat.com>
Message-ID: <4BF6AAA2.3080202@redhat.com>

Rob Crittenden wrote:
> Use correct OID base for ipaVolumeKey (it's an objectClass, not an
> attribute).
>
> Re-number to use contiguous values. There were some pretty big gaps.
>
> rob
> ------------------------------------------------------------------------
>
> _______________________________________________
> Freeipa-devel mailing list
> Freeipa-devel at redhat.com
> https://www.redhat.com/mailman/listinfo/freeipa-devel

Nack

Here are a couple suggestions:
* Let us not add schema that we do not use and do not need. The policy
schema though well designed has not been implemented. There is a risk
that it would require some changes if ever implemented. I suggest we
keep it in the tree but not include in the install.
* The volume key management schema is not used either. I would suggest
we extract it and save in a file aside but do not add into the main
schema. As things stand not this schema will not be used.
* For v2 we should use only 3,4,5,6. 1 and are reserved for v1

So the things would look like in the attached files.
I have not had a chance to make sure they load but I hope I did not miss
anything.

--
Thank you,
Dmitri Pal

Engineering Manager IPA project,
Red Hat Inc.

-------------------------------
Looking to carve out IT costs?
www.redhat.com/carveoutcosts/

-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: 60basev2.ldif
URL:
-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: 60policyv2.ldif
URL:
-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: key_escrow_schema.txt
URL:
-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: 60ipaconfig.ldif
URL:

From rcritten at redhat.com Fri May 21 19:17:28 2010
From: rcritten at redhat.com (Rob Crittenden)
Date: Fri, 21 May 2010 15:17:28 -0400
Subject: [Freeipa-devel] [PATCH] 449 renumber IPA schema OIDs
In-Reply-To: <4BF6AAA2.3080202@redhat.com>
References: <4BF5A403.60701@redhat.com> <4BF6AAA2.3080202@redhat.com>
Message-ID: <4BF6DC48.2030909@redhat.com>

Dmitri Pal wrote:
> Rob Crittenden wrote:
>> Use correct OID base for ipaVolumeKey (it's an objectClass, not an
>> attribute).
>>
>> Re-number to use contiguous values. There were some pretty big gaps.
>>
>> rob
>> ------------------------------------------------------------------------
>>
>> _______________________________________________
>> Freeipa-devel mailing list
>> Freeipa-devel at redhat.com
>> https://www.redhat.com/mailman/listinfo/freeipa-devel
> Nack
>
> Here are a couple suggestions:
> * Let us not add schema that we do not use and do not need. The policy
> schema though well designed has not been implemented. There is a risk
> that it would require some changes if ever implemented. I suggest we
> keep it in the tree but not include in the install.
> * The volume key management schema is not used either. I would suggest
> we extract it and save in a file aside but do not add into the main
> schema. As things stand not this schema will not be used.
> * For v2 we should use only 3,4,5,6. 1 and are reserved for v1
>
>
> So the things would look like in the attached files.
> I have not had a chance to make sure they load but I hope I did not miss
> anything.

I made a few slight modifications but this is basically the set of files
you provided. Updated patch attached.

rob
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-449-2-schema.patch
Type: application/mbox
Size: 28918 bytes
Desc: not available
URL:

From dpal at redhat.com Fri May 21 19:32:03 2010
From: dpal at redhat.com (Dmitri Pal)
Date: Fri, 21 May 2010 15:32:03 -0400
Subject: [Freeipa-devel] [PATCH] 449 renumber IPA schema OIDs
In-Reply-To: <4BF6DC48.2030909@redhat.com>
References: <4BF5A403.60701@redhat.com> <4BF6AAA2.3080202@redhat.com> <4BF6DC48.2030909@redhat.com>
Message-ID: <4BF6DFB3.7030903@redhat.com>

Rob Crittenden wrote:
> Dmitri Pal wrote:
>> Rob Crittenden wrote:
>>> Use correct OID base for ipaVolumeKey (it's an objectClass, not an
>>> attribute).
>>>
>>> Re-number to use contiguous values. There were some pretty big gaps.
>>>
>>> rob
>>> ------------------------------------------------------------------------
>>>
>>>
>>> _______________________________________________
>>> Freeipa-devel mailing list
>>> Freeipa-devel at redhat.com
>>> https://www.redhat.com/mailman/listinfo/freeipa-devel
>> Nack
>>
>> Here are a couple suggestions:
>> * Let us not add schema that we do not use and do not need. The policy
>> schema though well designed has not been implemented. There is a risk
>> that it would require some changes if ever implemented. I suggest we
>> keep it in the tree but not include in the install.
>> * The volume key management schema is not used either. I would suggest
>> we extract it and save in a file aside but do not add into the main
>> schema. As things stand not this schema will not be used.
>> * For v2 we should use only 3,4,5,6. 1 and are reserved for v1
>>
>>
>> So the things would look like in the attached files.
>> I have not had a chance to make sure they load but I hope I did not miss
>> anything.
>
> I made a few slight modifications but this is basically the set of
> files you provided. Updated patch attached.
>
> rob

Visual ack.

--
Thank you,
Dmitri Pal

Engineering Manager IPA project,
Red Hat Inc.

-------------------------------
Looking to carve out IT costs?
www.redhat.com/carveoutcosts/

From rcritten at redhat.com Fri May 21 20:30:12 2010
From: rcritten at redhat.com (Rob Crittenden)
Date: Fri, 21 May 2010 16:30:12 -0400
Subject: [Freeipa-devel] [PATCH] 450 fixes for HBAC services
Message-ID: <4BF6ED54.1060607@redhat.com>

Add the ipqUniqueID object to HBAC services and make sure that they get
the memberOf attribute if they are members of service groups.

rob
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-450-hbac.patch
Type: application/mbox
Size: 6203 bytes
Desc: not available
URL:

From rcritten at redhat.com Fri May 21 21:35:22 2010
From: rcritten at redhat.com (Rob Crittenden)
Date: Fri, 21 May 2010 17:35:22 -0400
Subject: [Freeipa-devel] [PATCH] 451 fix i18n test
Message-ID: <4BF6FC9A.4010307@redhat.com>

Fix this test to work from source tree root

It would work if you ran the test from its location in tests/test_ipalib
but this isn't the most common method. If you want to run it individually
you can do:

$ ./make-test tests/test_ipalib/test_text.py

rob
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-451-test.patch
Type: application/mbox
Size: 1118 bytes
Desc: not available
URL:

From sbose at redhat.com Wed May 26 10:15:48 2010
From: sbose at redhat.com (Sumit Bose)
Date: Wed, 26 May 2010 12:15:48 +0200
Subject: [Freeipa-devel] [PATCH] 450 fixes for HBAC services
In-Reply-To: <4BF6ED54.1060607@redhat.com>
References: <4BF6ED54.1060607@redhat.com>
Message-ID: <20100526101548.GD16394@localhost.localdomain>

On Fri, May 21, 2010 at 04:30:12PM -0400, Rob Crittenden wrote:
> Add the ipqUniqueID object to HBAC services and make sure that they
> get the memberOf attribute if they are members of service groups.
>
> rob

I think 30-hbacsvc.update is missing.

bye,
Sumit

> _______________________________________________
> Freeipa-devel mailing list
> Freeipa-devel at redhat.com
> https://www.redhat.com/mailman/listinfo/freeipa-devel

From rcritten at redhat.com Wed May 26 13:50:21 2010
From: rcritten at redhat.com (Rob Crittenden)
Date: Wed, 26 May 2010 09:50:21 -0400
Subject: [Freeipa-devel] [PATCH] 452 add missing hbac update file
Message-ID: <4BFD271D.7040800@redhat.com>

I moved these contents into an update so that each entry could get its
own UUID. The templater for ldif files is a little less robust and can
only assign a single UUID per file. If this is ever an issue we can
address it then but it isn't a problem for now.

This is needed for patch 450 to work properly.

rob
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-452-hbac.patch
Type: application/mbox
Size: 1569 bytes
Desc: not available
URL:

From rcritten at redhat.com Wed May 26 13:51:21 2010
From: rcritten at redhat.com (Rob Crittenden)
Date: Wed, 26 May 2010 09:51:21 -0400
Subject: [Freeipa-devel] [PATCH] 450 fixes for HBAC services
In-Reply-To: <20100526101548.GD16394@localhost.localdomain>
References: <4BF6ED54.1060607@redhat.com> <20100526101548.GD16394@localhost.localdomain>
Message-ID: <4BFD2759.7030700@redhat.com>

Sumit Bose wrote:
> On Fri, May 21, 2010 at 04:30:12PM -0400, Rob Crittenden wrote:
>> Add the ipqUniqueID object to HBAC services and make sure that they
>> get the memberOf attribute if they are members of service groups.
>>
>> rob
>
> I think 30-hbacsvc.update is missing.
>
> bye,
> Sumit

I'd have sworn I added that file...

Anyway, I made a new patch, 452, to add this file in.

thanks

rob

From rcritten at redhat.com Wed May 26 19:24:53 2010
From: rcritten at redhat.com (Rob Crittenden)
Date: Wed, 26 May 2010 15:24:53 -0400
Subject: [Freeipa-devel] [PATCH] 453 fix gpg2 usage
Message-ID: <4BFD7585.6090207@redhat.com>

Replica preparation and installation is not working in F-13 because of gpg2.
It now requires the --batch argument when using the --passphrase*
options.

This patch is for ipa-1.2.2 but the same principle applies to master as
well. Note that this fixes some whitespace issues as well.

rob
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-453-gpg.patch
Type: application/mbox
Size: 3963 bytes
Desc: not available
URL:

From sgallagh at redhat.com Wed May 26 19:32:17 2010
From: sgallagh at redhat.com (Stephen Gallagher)
Date: Wed, 26 May 2010 15:32:17 -0400
Subject: [Freeipa-devel] [PATCH] 453 fix gpg2 usage
In-Reply-To: <4BFD7585.6090207@redhat.com>
References: <4BFD7585.6090207@redhat.com>
Message-ID: <4BFD7741.7090507@redhat.com>

On 05/26/2010 03:24 PM, Rob Crittenden wrote:
> Replica preparation and installation is not working in F-13 because of
> gpg2. It now requires the --batch argument when using the --passphrase*
> options.
>
> This patch is for ipa-1.2.2 but the same principle applies to master as
> well. Note that this fixes some whitespace issues as well.
>
> rob

Ack.

--
Stephen Gallagher
RHCE 804006346421761

Delivering value year after year.
Red Hat ranks #1 in value among software vendors.
http://www.redhat.com/promo/vendor/

From sbose at redhat.com Thu May 27 12:56:39 2010
From: sbose at redhat.com (Sumit Bose)
Date: Thu, 27 May 2010 14:56:39 +0200
Subject: [Freeipa-devel] [PATCH] 450 fixes for HBAC services
In-Reply-To: <4BFD2759.7030700@redhat.com>
References: <4BF6ED54.1060607@redhat.com> <20100526101548.GD16394@localhost.localdomain> <4BFD2759.7030700@redhat.com>
Message-ID: <20100527125639.GF16394@localhost.localdomain>

On Wed, May 26, 2010 at 09:51:21AM -0400, Rob Crittenden wrote:
> Sumit Bose wrote:
> >On Fri, May 21, 2010 at 04:30:12PM -0400, Rob Crittenden wrote:
> >>Add the ipqUniqueID object to HBAC services and make sure that they
> >>get the memberOf attribute if they are members of service groups.
> >>
> >>rob
> >
> >I think 30-hbacsvc.update is missing.
> >
> >bye,
> >Sumit
>
> I'd have sworn I added that file...
>
> Anyway, I made a new patch, 452, to add this file in.
>

ok, with this patch everything works as expected. Thanks.

bye,
Sumit

> thanks
>
> rob

From pzuna at redhat.com Thu May 27 14:09:44 2010
From: pzuna at redhat.com (Pavel Zuna)
Date: Thu, 27 May 2010 16:09:44 +0200
Subject: [Freeipa-devel] [PATCH] 446 fix clone from a clone
In-Reply-To: <4BF41FAE.2020103@redhat.com>
References: <4BF41FAE.2020103@redhat.com>
Message-ID: <4BFE7D28.3080707@redhat.com>

On 05/19/2010 07:28 PM, Rob Crittenden wrote:
> Include -clone_uri argument to pkisilent setting the clone URI.
>
> This makes creating a clone from a clone work as expected.
>
> Note that this depends on some fixes in the pki-ca, pki-common and
> pki-silent packages. I tested this against pre-release versions.
>
> This means you can do something like this:
>
> Install IPA on server A
> Prepare a replica file on server A for server B
> Install the IPA replica on server B
> Prepare a replica file for server C on server B
> Install the IPA replica on server C
>
> The replication topology looks like: A <-> B <-> C
>
> This isn't really recommended but it at least frees us from having a
> single point of failure regarding the CA. The CAs are now independent,
> though they replicate over a different channel than IPA user data.
>
> rob
>

ack.

Pavel

From pzuna at redhat.com Thu May 27 14:16:53 2010
From: pzuna at redhat.com (Pavel Zuna)
Date: Thu, 27 May 2010 16:16:53 +0200
Subject: [Freeipa-devel] [PATCH] 447 load dogtag selinux rules in spec
In-Reply-To: <4BF55BBE.8080704@redhat.com>
References: <4BF55BBE.8080704@redhat.com>
Message-ID: <4BFE7ED5.9040602@redhat.com>

On 05/20/2010 05:56 PM, Rob Crittenden wrote:
> Move the dogtag SELinux rules loading into the spec file
>
> I couldn't put the dogtag rules into the spec file until we required
> dogtag as a component. If it wasn't pre-loaded then the rules loading
> would fail because types would be missing.
>
> rob
>

This doesn't apply after your 446 patch, because it includes it. So either
drop 446 or remove the CAInstance part from 447 and apply both.

Pavel

From pzuna at redhat.com Thu May 27 14:21:31 2010
From: pzuna at redhat.com (Pavel Zuna)
Date: Thu, 27 May 2010 16:21:31 +0200
Subject: [Freeipa-devel] [PATCH] 448 fix default hbac rule, add default services
In-Reply-To: <4BF57751.604@redhat.com>
References: <4BF57751.604@redhat.com>
Message-ID: <4BFE7FEB.9030107@redhat.com>

On 05/20/2010 07:54 PM, Rob Crittenden wrote:
> Add the 'all' serviceCategory to the default allow_all HBAC rule and add
> some standard services: ftp, login, sshd, su, sudo.
>
> rob
>

ack.

Pavel

From pzuna at redhat.com Thu May 27 14:29:06 2010
From: pzuna at redhat.com (Pavel Zuna)
Date: Thu, 27 May 2010 16:29:06 +0200
Subject: [Freeipa-devel] [PATCH] 451 fix i18n test
In-Reply-To: <4BF6FC9A.4010307@redhat.com>
References: <4BF6FC9A.4010307@redhat.com>
Message-ID: <4BFE81B2.80604@redhat.com>

On 05/21/2010 11:35 PM, Rob Crittenden wrote:
> Fix this test to work from source tree root
>
> It would work if you ran the test from its location in tests/test_ipalib
> but this isn't the most common method.
> If you want to run it individually
> you can do:
>
> $ ./make-test tests/test_ipalib/test_text.py
>
> rob
>

Maybe I'm doing something wrong, but I'm still getting this one error:

======================================================================
ERROR: Test gettext translation
----------------------------------------------------------------------
Traceback (most recent call last):
  File "/usr/lib/python2.6/site-packages/nose/case.py", line 183, in runTest
    self.test(*self.arg)
  File "/root/freeipa/tests/test_ipalib/test_text.py", line 89, in test_gettext
    msgid = get_msgid(test_file)
  File "/root/freeipa/tests/test_ipalib/test_text.py", line 43, in get_msgid
    f = open(po_file)
IOError: [Errno 2] No such file or directory: 'install/po/test.po'

Pavel

From pzuna at redhat.com Thu May 27 14:31:11 2010
From: pzuna at redhat.com (Pavel Zuna)
Date: Thu, 27 May 2010 16:31:11 +0200
Subject: [Freeipa-devel] [PATCH] 452 add missing hbac update file
In-Reply-To: <4BFD271D.7040800@redhat.com>
References: <4BFD271D.7040800@redhat.com>
Message-ID: <4BFE822F.3080801@redhat.com>

On 05/26/2010 03:50 PM, Rob Crittenden wrote:
> I moved these contents into an update so that each entry could get its
> own UUID. The templater for ldif files is a little less robust and can
> only assign a single UUID per file. If this is ever an issue we can
> address it then but it isn't a problem for now.
>
> This is needed for patch 450 to work properly.
>
> rob
>

ack.

Pavel

From pzuna at redhat.com Thu May 27 14:31:47 2010
From: pzuna at redhat.com (Pavel Zuna)
Date: Thu, 27 May 2010 16:31:47 +0200
Subject: [Freeipa-devel] [PATCH] 450 fixes for HBAC services
In-Reply-To: <4BF6ED54.1060607@redhat.com>
References: <4BF6ED54.1060607@redhat.com>
Message-ID: <4BFE8253.2020509@redhat.com>

On 05/21/2010 10:30 PM, Rob Crittenden wrote:
> Add the ipqUniqueID object to HBAC services and make sure that they get
> the memberOf attribute if they are members of service groups.
>
> rob
>

ack.

Pavel

From rcritten at redhat.com Thu May 27 14:52:07 2010
From: rcritten at redhat.com (Rob Crittenden)
Date: Thu, 27 May 2010 10:52:07 -0400
Subject: [Freeipa-devel] [PATCH] 446 fix clone from a clone
In-Reply-To: <4BFE7D28.3080707@redhat.com>
References: <4BF41FAE.2020103@redhat.com> <4BFE7D28.3080707@redhat.com>
Message-ID: <4BFE8717.3080107@redhat.com>

Pavel Zuna wrote:
> On 05/19/2010 07:28 PM, Rob Crittenden wrote:
>> Include -clone_uri argument to pkisilent setting the clone URI.
>>
>> This makes creating a clone from a clone work as expected.
>>
>> Note that this depends on some fixes in the pki-ca, pki-common and
>> pki-silent packages. I tested this against pre-release versions.
>>
>> This means you can do something like this:
>>
>> Install IPA on server A
>> Prepare a replica file on server A for server B
>> Install the IPA replica on server B
>> Prepare a replica file for server C on server B
>> Install the IPA replica on server C
>>
>> The replication topology looks like: A <-> B <-> C
>>
>> This isn't really recommended but it at least frees us from having a
>> single point of failure regarding the CA. The CAs are now independent,
>> though they replicate over a different channel than IPA user data.
>>
>> rob
>>
> ack.
>
> Pavel

pushed to master

From rcritten at redhat.com Thu May 27 14:52:39 2010
From: rcritten at redhat.com (Rob Crittenden)
Date: Thu, 27 May 2010 10:52:39 -0400
Subject: [Freeipa-devel] [PATCH] 447 load dogtag selinux rules in spec
In-Reply-To: <4BFE7ED5.9040602@redhat.com>
References: <4BF55BBE.8080704@redhat.com> <4BFE7ED5.9040602@redhat.com>
Message-ID: <4BFE8737.5080404@redhat.com>

Pavel Zuna wrote:
> On 05/20/2010 05:56 PM, Rob Crittenden wrote:
>> Move the dogtag SELinux rules loading into the spec file
>>
>> I couldn't put the dogtag rules into the spec file until we required
>> dogtag as a component. If it wasn't pre-loaded then the rules loading
>> would fail because types would be missing.
>>
>> rob
>>
> This doesn't apply after your 446 patch, because it includes it. So
> either drop 446 or remove the CAInstance part from 447 and apply both.
>
> Pavel

I'm not sure how I managed that one but I removed the duplicate section
from 447.

pushed to master

From rcritten at redhat.com Thu May 27 14:53:53 2010
From: rcritten at redhat.com (Rob Crittenden)
Date: Thu, 27 May 2010 10:53:53 -0400
Subject: [Freeipa-devel] [PATCH] 448 fix default hbac rule, add default services
In-Reply-To: <4BFE7FEB.9030107@redhat.com>
References: <4BF57751.604@redhat.com> <4BFE7FEB.9030107@redhat.com>
Message-ID: <4BFE8781.6000605@redhat.com>

Pavel Zuna wrote:
> On 05/20/2010 07:54 PM, Rob Crittenden wrote:
>> Add the 'all' serviceCategory to the default allow_all HBAC rule and add
>> some standard services: ftp, login, sshd, su, sudo.
>>
>> rob
>>
> ack.
>
> Pavel

pushed to master.

I'm going to submit a separate patch for su-l as requested by Steve.

rob

From rcritten at redhat.com Thu May 27 14:55:07 2010
From: rcritten at redhat.com (Rob Crittenden)
Date: Thu, 27 May 2010 10:55:07 -0400
Subject: [Freeipa-devel] [PATCH] 449 renumber IPA schema OIDs
In-Reply-To: <4BF6DFB3.7030903@redhat.com>
References: <4BF5A403.60701@redhat.com> <4BF6AAA2.3080202@redhat.com> <4BF6DC48.2030909@redhat.com> <4BF6DFB3.7030903@redhat.com>
Message-ID: <4BFE87CB.2070002@redhat.com>

Dmitri Pal wrote:
> Rob Crittenden wrote:
>> Dmitri Pal wrote:
>>> Rob Crittenden wrote:
>>>> Use correct OID base for ipaVolumeKey (it's an objectClass, not an
>>>> attribute).
>>>>
>>>> Re-number to use contiguous values. There were some pretty big gaps.
>>>>
>>>> rob
>>>> ------------------------------------------------------------------------
>>>>
>>>>
>>>> _______________________________________________
>>>> Freeipa-devel mailing list
>>>> Freeipa-devel at redhat.com
>>>> https://www.redhat.com/mailman/listinfo/freeipa-devel
>>> Nack
>>>
>>> Here are a couple suggestions:
>>> * Let us not add schema that we do not use and do not need. The policy
>>> schema though well designed has not been implemented. There is a risk
>>> that it would require some changes if ever implemented. I suggest we
>>> keep it in the tree but not include in the install.
>>> * The volume key management schema is not used either. I would suggest
>>> we extract it and save in a file aside but do not add into the main
>>> schema. As things stand not this schema will not be used.
>>> * For v2 we should use only 3,4,5,6. 1 and are reserved for v1
>>>
>>>
>>> So the things would look like in the attached files.
>>> I have not had a chance to make sure they load but I hope I did not miss
>>> anything.
>> I made a few slight modifications but this is basically the set of
>> files you provided. Updated patch attached.
>>
>> rob
> Visual ack.
>

Ok, pushed to master.

rob

From rcritten at redhat.com Thu May 27 14:55:38 2010
From: rcritten at redhat.com (Rob Crittenden)
Date: Thu, 27 May 2010 10:55:38 -0400
Subject: [Freeipa-devel] [PATCH] 450 fixes for HBAC services
In-Reply-To: <20100527125639.GF16394@localhost.localdomain>
References: <4BF6ED54.1060607@redhat.com> <20100526101548.GD16394@localhost.localdomain> <4BFD2759.7030700@redhat.com> <20100527125639.GF16394@localhost.localdomain>
Message-ID: <4BFE87EA.3030303@redhat.com>

Sumit Bose wrote:
> On Wed, May 26, 2010 at 09:51:21AM -0400, Rob Crittenden wrote:
>> Sumit Bose wrote:
>>> On Fri, May 21, 2010 at 04:30:12PM -0400, Rob Crittenden wrote:
>>>> Add the ipqUniqueID object to HBAC services and make sure that they
>>>> get the memberOf attribute if they are members of service groups.
>>>>
>>>> rob
>>> I think 30-hbacsvc.update is missing.
>>>
>>> bye,
>>> Sumit
>> I'd have sworn I added that file...
>>
>> Anyway, I made a new patch, 452, to add this file in.
>>
>
> ok, with this patch everything works as expected. Thanks.
>

Great, pushed to master

From rcritten at redhat.com Thu May 27 14:55:50 2010
From: rcritten at redhat.com (Rob Crittenden)
Date: Thu, 27 May 2010 10:55:50 -0400
Subject: [Freeipa-devel] [PATCH] 452 add missing hbac update file
In-Reply-To: <4BFE822F.3080801@redhat.com>
References: <4BFD271D.7040800@redhat.com> <4BFE822F.3080801@redhat.com>
Message-ID: <4BFE87F6.7050003@redhat.com>

Pavel Zuna wrote:
> On 05/26/2010 03:50 PM, Rob Crittenden wrote:
>> I moved these contents into an update so that each entry could get its
>> own UUID. The templater for ldif files is a little less robust and can
>> only assign a single UUID per file. If this is ever an issue we can
>> address it then but it isn't a problem for now.
>>
>> This is needed for patch 450 to work properly.
>>
>> rob
>>
> ack.
>
> Pavel

pushed to master

From rcritten at redhat.com Thu May 27 14:59:33 2010
From: rcritten at redhat.com (Rob Crittenden)
Date: Thu, 27 May 2010 10:59:33 -0400
Subject: [Freeipa-devel] [PATCH] 454 add su-l hbac service
Message-ID: <4BFE88D5.9000600@redhat.com>

Add another default hbac service, su-l.

rob
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-454-hbac.patch
Type: application/mbox
Size: 827 bytes
Desc: not available
URL:

From rcritten at redhat.com Thu May 27 15:02:56 2010
From: rcritten at redhat.com (Rob Crittenden)
Date: Thu, 27 May 2010 11:02:56 -0400
Subject: [Freeipa-devel] [PATCH] 453 fix gpg2 usage
In-Reply-To: <4BFD7741.7090507@redhat.com>
References: <4BFD7585.6090207@redhat.com> <4BFD7741.7090507@redhat.com>
Message-ID: <4BFE89A0.5010503@redhat.com>

Stephen Gallagher wrote:
> On 05/26/2010 03:24 PM, Rob Crittenden wrote:
>> Replica preparation and installation is not working in F-13 because of
>> gpg2. It now requires the --batch argument when using the --passphrase*
>> options.
>>
>> This patch is for ipa-1.2.2 but the same principle applies to master as
>> well. Note that this fixes some whitespace issues as well.
>>
>> rob
>
>
> Ack.
>

pushed to ipa-1-2 and master

From sgallagh at redhat.com Thu May 27 15:09:59 2010
From: sgallagh at redhat.com (Stephen Gallagher)
Date: Thu, 27 May 2010 11:09:59 -0400
Subject: [Freeipa-devel] [PATCH] 454 add su-l hbac service
In-Reply-To: <4BFE88D5.9000600@redhat.com>
References: <4BFE88D5.9000600@redhat.com>
Message-ID: <4BFE8B47.50901@redhat.com>

On 05/27/2010 10:59 AM, Rob Crittenden wrote:
> Add another default hbac service, su-l.
>
> rob
>

Ack

--
Stephen Gallagher
RHCE 804006346421761

Delivering value year after year.
Red Hat ranks #1 in value among software vendors.
http://www.redhat.com/promo/vendor/

From rcritten at redhat.com Thu May 27 17:04:35 2010
From: rcritten at redhat.com (Rob Crittenden)
Date: Thu, 27 May 2010 13:04:35 -0400
Subject: [Freeipa-devel] [PATCH] 455 upgrade over ldapi
Message-ID: <4BFEA623.4010807@redhat.com>

For v2 upgrades we want the LDAP server to be quiet so we will shut it down, disable its TCP listeners and bring it back up to update over ldapi.

This also enables autobind so we can bind as root and perform operations as Directory Manager and not require a password.

To use this mode run ipa-ldap-updater --upgrade.

rob
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-455-upgrade.patch
Type: application/mbox
Size: 15080 bytes
Desc: not available
URL:

From rcritten at redhat.com Thu May 27 21:51:32 2010
From: rcritten at redhat.com (Rob Crittenden)
Date: Thu, 27 May 2010 17:51:32 -0400
Subject: [Freeipa-devel] [PATCH] 456 replica creation
Message-ID: <4BFEE964.4040507@redhat.com>

If a host is already enrolled (either as a client or a former replica) then ipa-replica-install will fail spectacularly with an error about a missing keytab. This is because some entries already exist and it totally confuses things. We need to start this host from scratch, so catch this condition and give the admin some hints on how to fix it.

rob
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-456-replica.patch
Type: application/mbox
Size: 2807 bytes
Desc: not available
URL:

From rcritten at redhat.com Thu May 27 21:52:50 2010
From: rcritten at redhat.com (Rob Crittenden)
Date: Thu, 27 May 2010 17:52:50 -0400
Subject: [Freeipa-devel] [PATCH] 457 fall back to DM password in ipa-replica-manage
Message-ID: <4BFEE9B2.9070906@redhat.com>

ipa-replica-manage can use the current kerberos credentials for some commands now. To make it a bit nicer to use fall back to prompt for the DM password if there are no credentials. I've found it handy to have this in development.

I also fix up the errors when deleting a replica too (my test case for the fallback). The error message was a bit mis-formatted.

rob
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-457-replica.patch Type: application/mbox Size: 3537 bytes Desc: not available URL: From rcritten at redhat.com Fri May 28 15:22:23 2010 From: rcritten at redhat.com (Rob Crittenden) Date: Fri, 28 May 2010 11:22:23 -0400 Subject: [Freeipa-devel] [PATCH] 458 catch no CA preop.pin Message-ID: <4BFFDFAF.70001@redhat.com> The preop.pin is used to authenticate the admin when doing CA enrollment. We were assuming it would be available and things blow up badly if not (we end up passing None as an argument to exec). If there isn't a preop pin there is no need to do anything, so raise an error. rob -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-458-dogtag.patch Type: application/mbox Size: 977 bytes Desc: not available URL: From ayoung at redhat.com Sat May 29 01:32:52 2010 From: ayoung at redhat.com (Adam Young) Date: Fri, 28 May 2010 21:32:52 -0400 Subject: [Freeipa-devel] Building V2 vs V1 In-Reply-To: <4BFFDFAF.70001@redhat.com> References: <4BFFDFAF.70001@redhat.com> Message-ID: <4C006EC4.6070508@redhat.com> Is there any need to modify the VERSION file in order to build the V2 tree? From the build page, it looks like the only difference between V1 and V2 is: make local-dist for V1, and make rpms for V2. However, the RPMS in the dist/rpms directory are all tagged as Version 1.9. I'm assuming this is intentional. Anything that I am missing? From rcritten at redhat.com Sat May 29 02:43:15 2010 From: rcritten at redhat.com (Rob Crittenden) Date: Fri, 28 May 2010 22:43:15 -0400 Subject: [Freeipa-devel] Building V2 vs V1 In-Reply-To: <4C006EC4.6070508@redhat.com> References: <4BFFDFAF.70001@redhat.com> <4C006EC4.6070508@redhat.com> Message-ID: <4C007F43.8060505@redhat.com> Adam Young wrote: > Is there any need to modify the VERSION file in order to build the V2 > tree? From the build page, it looks like the only difference between V1 > and V2 is: > > make local-dist > > for V1, and > > make rpms > > for V2.
However, the RPMS in the dist/rpms directory are all tagged > as Version 1.9. I'm assuming this is intentional. > > Anything that I am missing? Just not ready to quite call it v2 yet so we're going with 1.9 right now. rob