From ayoung at redhat.com Mon Nov 1 14:28:38 2010
From: ayoung at redhat.com (Adam Young)
Date: Mon, 01 Nov 2010 10:28:38 -0400
Subject: [Freeipa-devel] [PATCH] freeipa-admiyo-freeipa-0072-rights-check.patch
In-Reply-To: <4CCB7575.8050409@redhat.com>
References: <4CCB256B.109@redhat.com> <4CCB7575.8050409@redhat.com>
Message-ID: <4CCECE96.8070006@redhat.com>

On 10/29/2010 09:31 PM, Endi Sukma Dewata wrote:
> On 10/29/2010 2:50 PM, Adam Young wrote:
>> Check effective rights. If the right is not explicitly allowed, show the
>> field as read only.
>
> It seems to be working, but I think it has to wait until the
> attributelevelrights is returned in the JSON response because without
> it the UI would become unusable because all fields would be disabled.
>

That is part of the patch. attributelevelrights has been added as a flag to the JSON request. The change to baseldap.py will only apply on top of the change made to return the rights.

I suspect that what you are seeing is that there are some holes in the coverage of the attribute level rights, and I made the decision to default to "don't allow changes". Thus, this code needs to go in before we can identify places where the rights are not being properly reported; otherwise, we just won't know.

From dpal at redhat.com Mon Nov 1 15:08:57 2010
From: dpal at redhat.com (Dmitri Pal)
Date: Mon, 01 Nov 2010 11:08:57 -0400
Subject: [Freeipa-devel] Autofs schema
Message-ID: <4CCED809.1080109@redhat.com>

Are we using the right one?
https://bugzilla.redhat.com/show_bug.cgi?id=643045

-- 
Thank you,
Dmitri Pal

Sr. Engineering Manager IPA project,
Red Hat Inc.

-------------------------------
Looking to carve out IT costs?
www.redhat.com/carveoutcosts/

From rcritten at redhat.com Mon Nov 1 16:08:36 2010
From: rcritten at redhat.com (Rob Crittenden) Date: Mon, 01 Nov 2010 12:08:36 -0400 Subject: [Freeipa-devel] [PATCH] 593 fix group objectclasses on detach Message-ID: <4CCEE604.6090700@redhat.com> Make sure a detached group has the default list of objectclasses. ipaUniqueId is handled by the new uuid plugin. https://fedorahosted.org/freeipa/ticket/250 rob -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-rcrit-593-group.patch Type: text/x-patch Size: 5720 bytes Desc: not available URL: From rmeggins at redhat.com Mon Nov 1 16:12:07 2010 From: rmeggins at redhat.com (Rich Megginson) Date: Mon, 01 Nov 2010 10:12:07 -0600 Subject: [Freeipa-devel] Autofs schema In-Reply-To: <4CCED809.1080109@redhat.com> References: <4CCED809.1080109@redhat.com> Message-ID: <4CCEE6D7.1070807@redhat.com> Dmitri Pal wrote: > Are we using the right one? > https://bugzilla.redhat.com/show_bug.cgi?id=643045 > > The 60autofs.ldif schema in 389 is from the latest draft-howard-rfc2307bis From rcritten at redhat.com Mon Nov 1 17:08:27 2010 From: rcritten at redhat.com (Rob Crittenden) Date: Mon, 01 Nov 2010 13:08:27 -0400 Subject: [Freeipa-devel] Autofs schema In-Reply-To: <4CCED809.1080109@redhat.com> References: <4CCED809.1080109@redhat.com> Message-ID: <4CCEF40B.9010909@redhat.com> Dmitri Pal wrote: > Are we using the right one? > https://bugzilla.redhat.com/show_bug.cgi?id=643045 > We use the schema from RFC 2307bis. rob From ayoung at redhat.com Mon Nov 1 17:35:46 2010 
From: ayoung at redhat.com (Adam Young)
Date: Mon, 01 Nov 2010 13:35:46 -0400
Subject: [Freeipa-devel] [PATCH] HBAC Details Page
In-Reply-To: <4CCB5CC9.7030800@redhat.com>
References: <4CCB5CC9.7030800@redhat.com>
Message-ID: <4CCEFA72.9060906@redhat.com>

On 10/29/2010 07:46 PM, Endi Sukma Dewata wrote:
> Hi,
>
> Please review the attached patch. Thanks!
>
> https://fedorahosted.org/reviewboard/r/99/
>
> The ipa_details_section class has been enhanced to support HTML
> templates. This way the layout can be changed without modifying
> the code. The ipa_details_field is used to set up the fields in
> the template, also used to load and save the values.
>
> If no template is specified, it will go back to the original
> behavior: the section will be rendered using the dl/dt/dd tags.
>
> Some fields have been added to support standard HTML widgets:
> - ipa_details_text: text field
> - ipa_details_radio: radio button
> - ipa_details_textarea: textarea
> - ipa_details_button: button
>
> The HBAC details page has been implemented using this enhancement.
> It uses the templates stored in hbac-details-*.html. It also uses
> HBAC-specific widgets which are defined in these classes:
> - ipa_hbac_details_table: table for member enrollment
> - ipa_hbac_details_accesstime: table for access time
>
> The buttons for adding and removing members are still not working.
> There is no hint or undo functionality yet. They will be added in
> subsequent patches.
>
> The ipa_make_button() has been converted into ipa_button class which
> can be used to replace the standard HTML button. The search-container
> CSS class has been renamed to entity-container and used for all facets.
>
> The unit test and test data have been updated accordingly.
>
>
> _______________________________________________
> Freeipa-devel mailing list
> Freeipa-devel at redhat.com
> https://www.redhat.com/mailman/listinfo/freeipa-devel

NACK, based on the templating issues we discussed on the phone.
To lay out the issues for other people reading: we previously had a framework like what Endi is proposing here. We found that importing HTML fragments didn't provide much benefit, and led to duplicated code. When Pavel did a major rework of the code in August, we removed the templating mechanism.

We are going to add it back in as part of this patch, but with a note that it is purely for rapid prototyping purposes. For HBAC, Endi is going to make the Table code into a component that works without templating. Instead, we are going to generate the table code using JavaScript, the same way that we do in the search code. This is the start of the work specified in

https://fedorahosted.org/freeipa/ticket/419

When we are done, we hope to have a reusable component that supports the search, associations, record level attributes (like phone number) and the HBAC use cases. We'll produce a design document as we get better clarity.

-------------- next part --------------
An HTML attachment was scrubbed...
URL: 

From ayoung at redhat.com Mon Nov 1 17:58:00 2010
From: ayoung at redhat.com (Adam Young)
Date: Mon, 01 Nov 2010 13:58:00 -0400
Subject: [Freeipa-devel] [PATCH] freeipa-admiyo-freeipa-0073-Clear-fields-after-add.patch
Message-ID: <4CCEFFA8.1080804@redhat.com>

For the 'add and add again' usage.

-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-admiyo-freeipa-0073-Clear-fields-after-add.patch
Type: text/x-patch
Size: 1847 bytes
Desc: not available
URL: 

From ayoung at redhat.com Mon Nov 1 19:28:49 2010
From: ayoung at redhat.com (Adam Young) Date: Mon, 01 Nov 2010 15:28:49 -0400 Subject: [Freeipa-devel] [PATCH] 586 kerberos password policy In-Reply-To: <4CCB30FC.2060109@redhat.com> References: <4CC5FF3A.4010509@redhat.com> <20101028170948.02cb245f@willson.li.ssimo.org> <4CCB30FC.2060109@redhat.com> Message-ID: <4CCF14F1.6080904@redhat.com> On 10/29/2010 04:39 PM, Rob Crittenden wrote: > Simo Sorce wrote: >> On Mon, 25 Oct 2010 18:05:46 -0400 >> Rob Crittenden wrote: >> >>> Use kerberos password policy. >>> >>> This lets the KDC count password failures and can lock out accounts >>> for a period of time. This only works for KDC>= 1.8. >>> >>> There currently is no way to unlock a locked account across a >>> replica. MIT Kerberos 1.9 is adding support for doing so. Once that >>> is available unlock will be added. >>> >>> The concept of a "global" password policy has changed. When we were >>> managing the policy using the IPA password plugin it was smart enough >>> to search up the tree looking for a policy. The KDC is not so smart >>> and relies on the krbpwdpolicyreference to find the policy. For this >>> reason every user entry requires this attribute. I've created a new >>> global_policy entry to store the default password policy. All users >>> point at this now. The group policy works the same and can override >>> this setting. >>> rob >> >> Almost but have to NACK because ipa pwpolicy-show --user=user1 returns >> the wrong group name (always GLOBAL apparently). >> >> Everything else works fine. >> >> Simo. >> > > Fixed. I dropped the special renaming of GLOBAL. We now show the > actual entry name, global_policy. > > rob > > > _______________________________________________ > Freeipa-devel mailing list > Freeipa-devel at redhat.com > https://www.redhat.com/mailman/listinfo/freeipa-devel ACK and pushed to master -------------- next part -------------- An HTML attachment was scrubbed... URL: From jhrozek at redhat.com Mon Nov 1 19:38:39 2010 
From: jhrozek at redhat.com (Jakub Hrozek) Date: Mon, 01 Nov 2010 20:38:39 +0100 Subject: [Freeipa-devel] [PATCH] 004 Log script options to logfile Message-ID: <4CCF173F.8080204@redhat.com> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Uses a new subclass IPAOptionParser in scripts instead of OptionParser from the standard python library. IPAOptionParser uses its own IPAOption class to store options, which adds a new 'sensitive' attribute. https://fedorahosted.org/freeipa/ticket/393 -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.11 (GNU/Linux) Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org/ iEYEARECAAYFAkzPFocACgkQHsardTLnvCXxagCg1tuQv+lSo+i2f02WSYncQrRi zZoAoKHoB/6qO5atlxUdw8G9X4nUf/TL =oZDX -----END PGP SIGNATURE----- -------------- next part -------------- A non-text attachment was scrubbed... Name: jhrozek-freeipa-0004-Log-script-options-to-logfile.patch Type: text/x-patch Size: 16798 bytes Desc: not available URL: -------------- next part -------------- A non-text attachment was scrubbed... Name: jhrozek-freeipa-0004-Log-script-options-to-logfile.patch.sig Type: application/pgp-signature Size: 72 bytes Desc: not available URL: From JR.Aquino at citrix.com Mon Nov 1 23:33:41 2010 
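The option-logging change Jakub describes above (an IPAOptionParser whose IPAOption objects carry a 'sensitive' attribute), sketched as an added example. This is not the patch itself and not FreeIPA's own code: only the two class names and the 'sensitive' attribute come from the message; the option names, the mask string, the get_safe_opts/safe_option_line helpers and the 0600 log file are assumptions made for the example. The point it shows is that the script keeps the real password for its own use while every rendering of the options for the logfile is masked, including options that live in an option group.

```python
import optparse
import os
import sys
import tempfile

MASK = 'XXXXXXXX'  # assumed placeholder: what is logged instead of a secret


class IPAOption(optparse.Option):
    """optparse Option with one extra attribute, 'sensitive'.

    Options created with sensitive=True (passwords, passphrases) keep their
    real value for the script to use, but are masked whenever the parsed
    options are rendered for the log file.  Class name and attribute are
    from the patch description; the rest of this file is an assumed sketch.
    """
    ATTRS = optparse.Option.ATTRS + ['sensitive']


class IPAOptionParser(optparse.OptionParser):
    """OptionParser that builds IPAOption objects and can render the parsed
    values with sensitive ones masked."""

    def __init__(self, *args, **kwargs):
        kwargs.setdefault('option_class', IPAOption)
        optparse.OptionParser.__init__(self, *args, **kwargs)

    def _all_options(self):
        # Top-level options plus every option group: option_list alone would
        # silently skip grouped options, and an unmasked password in a group
        # is exactly the leak this is meant to prevent.
        for option in self.option_list:
            yield option
        for group in self.option_groups:
            for option in group.option_list:
                yield option

    def get_safe_opts(self, opts):
        """Return {dest: value} with sensitive values replaced by MASK.

        Unset sensitive options stay None, so the log still records that the
        option was not given without leaking anything.
        """
        safe = {}
        for option in self._all_options():
            if option.dest is None:          # e.g. the built-in --help
                continue
            value = getattr(opts, option.dest, None)
            if getattr(option, 'sensitive', False) and value is not None:
                value = MASK
            safe[option.dest] = value
        return safe


def build_parser():
    """Parser for a hypothetical install-style script (option names assumed)."""
    parser = IPAOptionParser(usage="%prog [options]")
    parser.add_option("-u", "--uid", dest="uid", help="user to create")
    parser.add_option("-p", "--password", dest="password", sensitive=True,
                      help="user password (never logged)")
    parser.add_option("--dm-password", dest="dm_password", sensitive=True,
                      help="Directory Manager password (never logged)")
    parser.add_option("-d", "--debug", dest="debug", action="store_true",
                      default=False, help="verbose output")
    return parser


def safe_option_line(parser, opts):
    """One log line describing the invocation, safe to write to disk."""
    safe = parser.get_safe_opts(opts)
    return ' '.join('%s=%r' % (k, safe[k]) for k in sorted(safe))


def write_log_line(path, line):
    """Append to the log file, creating it mode 0600: the secrets are masked,
    but the rest of the command line need not be world-readable either."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_APPEND, 0o600)
    with os.fdopen(fd, 'a') as log:
        log.write(line + '\n')


if __name__ == '__main__':
    parser = build_parser()
    opts, args = parser.parse_args(sys.argv[1:])
    line = safe_option_line(parser, opts)
    write_log_line(os.path.join(tempfile.gettempdir(), 'ipa-options-example.log'), line)
    # with "-u alice -p s3cret --dm-password dm1" this prints:
    # debug=False dm_password='XXXXXXXX' password='XXXXXXXX' uid='alice'
    print(line)
```

Run it as `python script.py -u alice -p s3cret --dm-password dm1` and compare the printed line with `opts.password` inside the script: the value is intact for the code path that needs it and absent from everything written to disk. Masking at the point where the options are rendered, rather than at the point where they are logged, is what makes it hard to forget a call site.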
From: JR.Aquino at citrix.com (JR Aquino) Date: Mon, 1 Nov 2010 23:33:41 +0000 Subject: [Freeipa-devel] [ PATCH ] lite-server.py failing due to cli.py dependency: import default_encoding_utf8 Message-ID: <5B17AFF8-6961-4667-A042-E560D83449B3@citrixonline.com> ./lite-server.py -d ipa: DEBUG: importing all plugin modules in '/usr/src/freeipa/ipalib/plugins'... ipa: DEBUG: importing plugin module '/usr/src/freeipa/ipalib/plugins/aci.py' ipa: DEBUG: importing plugin module '/usr/src/freeipa/ipalib/plugins/automount.py' ipa: ERROR: could not load plugin module '/usr/src/freeipa/ipalib/plugins/automount.py' Traceback (most recent call last): File "/usr/src/freeipa/ipalib/plugable.py", line 538, in import_plugins __import__(fullname) File "/usr/src/freeipa/ipalib/plugins/automount.py", line 172, in from ipalib.plugins.baseldap import * File "/usr/src/freeipa/ipalib/plugins/baseldap.py", line 30, in from ipalib.cli import to_cli, from_cli File "/usr/src/freeipa/ipalib/cli.py", line 35, in import default_encoding_utf8 ImportError: No module named default_encoding_utf8 Patch is a 1 liner that changes: import default_encoding_utf8 To from policycoreutils import default_encoding_utf8 -------------- next part -------------- A non-text attachment was scrubbed... Name: cli_policycoreutils.patch Type: application/octet-stream Size: 630 bytes Desc: cli_policycoreutils.patch URL: -------------- next part -------------- An HTML attachment was scrubbed... URL: From rcritten at redhat.com Tue Nov 2 03:24:40 2010 
From: rcritten at redhat.com (Rob Crittenden)
Date: Mon, 01 Nov 2010 23:24:40 -0400
Subject: [Freeipa-devel] [PATCH] 0002 Rewrite the migration page using WSGI
In-Reply-To: <4CCAE292.6020602@redhat.com>
References: <4CCAE292.6020602@redhat.com>
Message-ID: <4CCF8478.3030807@redhat.com>

Jakub Hrozek wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> https://fedorahosted.org/freeipa/ticket/154
>
> The second patch removes the /ipatest section that has been commented
> out in ipa.conf anyway..plus, we don't ship /usr/share/ipatest anymore :-)

Migration doesn't seem to be working. The migration page itself comes up fine and prompts for data but when I enter the password of a migrated user I don't seem to be getting valid Kerberos keys. kinit doesn't work in any case. It could also be that I'm tired. Does a migrated account work for you?

This could be related to redoing the 389-ds password plugin as I did all previous testing before we did the file split.

>
> I also have two questions:
> 1) how should exceptions be handled? In the patch, I only explicitly
> handle exceptions that could happen very easily (like, password being
> wrong, or the LDAP server down..). Anything else would just trigger 500
> Server Error..

I think that's ok as long as we provide enough logging to point the admin in the right direction.

>
> 2) When playing with the migration command line plugin, I noticed that
> it can only handle RFC2307bis groups (member: dn) and has the
> objectclass for groups hardcoded to
> "(|(objectclass=groupOfNames)(objectclass=groupOfUniqueNames))". I think
> it would be worthwhile (and easy, too!) to modify the plugin to accept
> also RFC2307 schema and allow specifying a different objectclass
> (posixGroup might come handy..). Thoughts?

Yes, that sounds like a good enhancement. Great idea.

rob

From rcritten at redhat.com Tue Nov 2 03:44:14 2010
From: rcritten at redhat.com (Rob Crittenden) Date: Mon, 01 Nov 2010 23:44:14 -0400 Subject: [Freeipa-devel] [ PATCH ] lite-server.py failing due to cli.py dependency: import default_encoding_utf8 In-Reply-To: References: Message-ID: <4CCF890E.9060104@redhat.com> JR Aquino wrote: > ./lite-server.py -d > ipa: DEBUG: importing all plugin modules in '/usr/src/freeipa/ipalib/plugins'... > ipa: DEBUG: importing plugin module '/usr/src/freeipa/ipalib/plugins/aci.py' > ipa: DEBUG: importing plugin module '/usr/src/freeipa/ipalib/plugins/automount.py' > ipa: ERROR: could not load plugin module '/usr/src/freeipa/ipalib/plugins/automount.py' > Traceback (most recent call last): > File "/usr/src/freeipa/ipalib/plugable.py", line 538, in import_plugins > __import__(fullname) > File "/usr/src/freeipa/ipalib/plugins/automount.py", line 172, in > from ipalib.plugins.baseldap import * > File "/usr/src/freeipa/ipalib/plugins/baseldap.py", line 30, in > from ipalib.cli import to_cli, from_cli > File "/usr/src/freeipa/ipalib/cli.py", line 35, in > import default_encoding_utf8 > ImportError: No module named default_encoding_utf8 > > Patch is a 1 liner that changes: > > import default_encoding_utf8 > > To > > from policycoreutils import default_encoding_utf8 We provide a module of the same name. You probably just need to update your base install on your IPA server. This is very interesting though. I'll check with those guys, maybe we can drop our local copy if they're doing the same thing. So NACK for now until we can figure this out. rob From jhrozek at redhat.com Tue Nov 2 14:58:16 2010 
From: jhrozek at redhat.com (Jakub Hrozek) Date: Tue, 02 Nov 2010 15:58:16 +0100 Subject: [Freeipa-devel] [PATCH] 0002 Rewrite the migration page using WSGI In-Reply-To: <4CCF8478.3030807@redhat.com> References: <4CCAE292.6020602@redhat.com> <4CCF8478.3030807@redhat.com> Message-ID: <4CD02708.60304@redhat.com> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 (resending to the list, I accidentally replied to Rob only before..) On 11/02/2010 04:24 AM, Rob Crittenden wrote: > Jakub Hrozek wrote: >> -----BEGIN PGP SIGNED MESSAGE----- >> Hash: SHA1 >> >> https://fedorahosted.org/freeipa/ticket/154 >> >> The second patch removes the /ipatest section that has been commented >> out in ipa.conf anyway..plus, we don't ship /usr/share/ipatest anymore >> :-) > > Migration doesn't seem to be working. The migration page itself comes up > fine and prompts for data but when I enter the password of a migrated > user I don't seem to be getting valid kerberos keys. kinit doesn't work > in any case. It could also be that I'm tired. Does a migrated account > work for you? > It does for me -- or at least I think it's working. This is how I tested: 1) migrate users from LDAP using the migrate-ds plugin. 2) try kinit - preauth will fail 3) go to the migration page, enter username/password This redirects me to the ui page if the credentials are correct. 4) kinit for the user works now This is on the current master + the two patches under review, on a F13 host migrating from 389 DS on another F13 machine. > This could be related to redoing the 389-ds password plugin as I did all > previous testing before we did the file split. > >> >> I also have two questions: >> 1) how should exceptions be handled? In the patch, I only explicitly >> handle exceptions that could happen very easily (like, password being >> wrong, or the LDAP server down..). Anything else would just trigger 500 >> Server Error.. 
>
> I think that's ok as long as we provide enough logging to point the
> admin in the right direction.
>
>>
>> 2) When playing with the migration command line plugin, I noticed that
>> it can only handle RFC2307bis groups (member: dn) and has the
>> objectclass for groups hardcoded to
>> "(|(objectclass=groupOfNames)(objectclass=groupOfUniqueNames))". I think
>> it would be worthwhile (and easy, too!) to modify the plugin to accept
>> also RFC2307 schema and allow specifying a different objectclass
>> (posixGroup might come handy..). Thoughts?
>
> Yes, that sounds like a good enhancement. Great idea.
>

OK: https://fedorahosted.org/freeipa/ticket/429 (taken, since I was already poking at the plugin anyway)

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (GNU/Linux)
Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org/

iEYEARECAAYFAkzQJwgACgkQHsardTLnvCXu+ACgvMTxMPP8YpmwwzvCiMKpPp35
RQgAnA0CTuBxDI0hZzfZDDu50wunYRqP
=++oI
-----END PGP SIGNATURE-----

From jzeleny at redhat.com Tue Nov 2 15:17:20 2010
From: jzeleny at redhat.com (Jan Zelený)
Date: Tue, 2 Nov 2010 16:17:20 +0100
Subject: [Freeipa-devel] [PATCH] 0001 Ensure that Apache is running in Prefork mode
Message-ID: <201011021617.20977.jzeleny@redhat.com>

I tried one other solution, but this approach was recommended to me by Pavel. It seems to be working fine. If you don't agree with the concept (detection per request), I can present you the original one.

https://fedorahosted.org/freeipa/ticket/252

Jan

-------------- next part --------------
A non-text attachment was scrubbed...
Name: jzeleny-freeipa-0001-Ensure-that-Apache-is-running-with-MPM-Prefork.patch
Type: text/x-patch
Size: 863 bytes
Desc: not available
URL: 

From jhrozek at redhat.com Tue Nov 2 15:28:34 2010
From: jhrozek at redhat.com (Jakub Hrozek)
Date: Tue, 02 Nov 2010 16:28:34 +0100
Subject: [Freeipa-devel] [PATCH] 001 Clarify the description of --raw and -all
In-Reply-To: <4CCB163D.8020709@redhat.com>
References: <4CCAE263.1000809@redhat.com> <4CCB163D.8020709@redhat.com>
Message-ID: <4CD02E22.4060909@redhat.com>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 10/29/2010 08:45 PM, Rob Crittenden wrote:
> Jakub Hrozek wrote:
> https://fedorahosted.org/freeipa/ticket/244
>
> If I understand the code correctly, --all is not really a parameter that
> affects only output, it also causes all attributes to be retrieved from
> the server, so I have adjusted the description just a little.
>
> --raw now mentions it only affects output.
>
>> nack, --all only affects output as well.
>

When I said that it doesn't only affect output, I was referring to this part of baseldap.py:

    if options.get('all', False):
        attrs_list = ['*']
    else:
        attrs_list = list(self.obj.default_attributes)

I don't have a strong feeling about this, but what I wanted to make clear in the help message was that it /can/ have performance impact as the ldap query is different. We can for instance have an object in LDAP that has attribute containing user avatar binary blob or something like that..in which case, --all would fetch it from the server, right?

But I agree that for user, this is 'behind the scenes', so I'm not opposed to changing the string..new patch attached..

Jakub
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (GNU/Linux)
Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org/

iEYEARECAAYFAkzQLiIACgkQHsardTLnvCVdUwCgmpvYvvqs3D6/+vpo/PIhjK1Y
jisAniMyZdwrqWRblqdfTfgEaYdvIpw0
=zREK
-----END PGP SIGNATURE-----

-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: jhrozek-freeipa-0001-02-Clarify-the-description-of-raw-and-all.patc
URL: 

-------------- next part --------------
A non-text attachment was scrubbed...
Name: jhrozek-freeipa-0001-02-Clarify-the-description-of-raw-and-all.patc.sig
Type: application/pgp-signature
Size: 72 bytes
Desc: not available
URL: 

From JR.Aquino at citrix.com Tue Nov 2 16:05:56 2010
From: JR.Aquino at citrix.com (JR Aquino)
Date: Tue, 2 Nov 2010 16:05:56 +0000
Subject: [Freeipa-devel] [ Patch ] sudo plugins updated to reflect sudocmd attribute change
Message-ID: 

Patches for sudocmd attribute change and support for sudorule cmdCategory.

-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0001-Added-fixes-to-adjust-for-sudocmd-attribute-for-sudo.patch
Type: application/octet-stream
Size: 6882 bytes
Desc: 0001-Added-fixes-to-adjust-for-sudocmd-attribute-for-sudo.patch
URL: 

From jzeleny at redhat.com Tue Nov 2 17:32:41 2010
From: jzeleny at redhat.com (Jan Zelený)
Date: Tue, 2 Nov 2010 18:32:41 +0100
Subject: [Freeipa-devel] [PATCH] 0002 Add SEE ALSO section to man pages
Message-ID: <201011021832.41758.jzeleny@redhat.com>

All ipa-* commands except for ipa-fix-CVE-2008-3274 were added to SEE ALSO section of ipa(1).

https://fedorahosted.org/freeipa/ticket/329

Jan

-------------- next part --------------
A non-text attachment was scrubbed...
Name: jzeleny-freeipa-0002-Add-SEE-ALSO-section-to-ipa-man-page.patch
Type: text/x-patch
Size: 1006 bytes
Desc: not available
URL: 

From jzeleny at redhat.com Tue Nov 2 17:38:38 2010
From: jzeleny at redhat.com (Jan Zelený)
Date: Tue, 2 Nov 2010 18:38:38 +0100
Subject: [Freeipa-devel] [PATCH] 0003 Remove reference to ipa_webgui from ipa-server-install man page
Message-ID: <201011021838.38787.jzeleny@redhat.com>

There was a single reference, so I removed it and rephrased the sentence a little.

https://fedorahosted.org/freeipa/ticket/330

Jan

-------------- next part --------------
A non-text attachment was scrubbed...
Name: jzeleny-freeipa-0003-Remove-reference-to-ipa_webgui.patch
Type: text/x-patch
Size: 1428 bytes
Desc: not available
URL: 

From ayoung at redhat.com Tue Nov 2 18:57:05 2010
From: ayoung at redhat.com (Adam Young)
Date: Tue, 02 Nov 2010 14:57:05 -0400
Subject: [Freeipa-devel] [PATCH] 0003 Remove reference to ipa_webgui from ipa-server-install man page
In-Reply-To: <201011021838.38787.jzeleny@redhat.com>
References: <201011021838.38787.jzeleny@redhat.com>
Message-ID: <4CD05F01.5070709@redhat.com>

On 11/02/2010 01:38 PM, Jan Zelený wrote:
> There was a single reference, so I removed it and rephrased the sentence a
> little.
>
> https://fedorahosted.org/freeipa/ticket/330
>
> Jan
>
>
>
> _______________________________________________
> Freeipa-devel mailing list
> Freeipa-devel at redhat.com
> https://www.redhat.com/mailman/listinfo/freeipa-devel

ACK

-------------- next part --------------
An HTML attachment was scrubbed...
URL: 

From ayoung at redhat.com Tue Nov 2 19:33:48 2010
From: ayoung at redhat.com (Adam Young)
Date: Tue, 02 Nov 2010 15:33:48 -0400
Subject: [Freeipa-devel] [PATCH] 0074 jslint cleanup
Message-ID: <4CD0679C.9080505@redhat.com>

While this doesn't fix all of the jslint complaints for ipa.js, it fixes the worst offenders.

-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-admiyo-freeipa-0074-jslint-cleanup.patch
Type: text/x-patch
Size: 9905 bytes
Desc: not available
URL: 

From ayoung at redhat.com Tue Nov 2 19:35:05 2010
From: ayoung at redhat.com (Adam Young) Date: Tue, 02 Nov 2010 15:35:05 -0400 Subject: [Freeipa-devel] [PATCH] freeipa-admiyo-freeipa-0075-Ticket-Expiration.patch Message-ID: <4CD067E9.1080902@redhat.com> Ticket Expiration This patch handles Kerberos ticket expiration in the UI. Additionally it removes the mod_auth_kerb authorization for elements in the static directory, cutting down on the number of round trips -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-admiyo-freeipa-0075-Ticket-Expiration.patch Type: text/x-patch Size: 4786 bytes Desc: not available URL: From ayoung at redhat.com Tue Nov 2 20:00:00 2010 From: ayoung at redhat.com (Adam Young) Date: Tue, 02 Nov 2010 16:00:00 -0400 Subject: [Freeipa-devel] patches needing review Message-ID: <4CD06DC0.6050007@redhat.com> freeipa-admiyo-freeipa-0070-delete-associations.patch freeipa-admiyo-freeipa-0071-group_remove_memeber.json.patch freeipa-admiyo-freeipa-0072-rights-check.patch freeipa-admiyo-freeipa-0073-Clear-fields-after-add.patch freeipa-admiyo-freeipa-0074-jslint-cleanup.patch freeipa-admiyo-freeipa-0075-Ticket-Expiration.patch jzeleny-freeipa-0001-Ensure-that-Apache-is-running-with-MPM-Prefork.patch jhrozek-freeipa-0004-Log-script-options-to-logfile.patch freeipa-rcrit-593-group.patch I may have missed earlier rcrit patches. From ayoung at redhat.com Tue Nov 2 23:29:01 2010 
From: ayoung at redhat.com (Adam Young)
Date: Tue, 02 Nov 2010 19:29:01 -0400
Subject: [Freeipa-devel] [PATCH] Bulk
Message-ID: <4CD09EBD.5030201@redhat.com>

Joint effort between me and Rob in getting this to work.

I've tested it with the following data:

[ayoung at ipa freeipa]$ cat ../bulk_request.json
{"method":"bulk","params":[[
  {"method":"json_metadata","params":[[],{}]},
  {"method":"user_find","params":[[],{"whoami":"true","all":"true"}]},
  {"method":"user_show","params":[["admin"],{"all":true}],"id":4}
],{}],"id":1}

Called this way:

curl -H "Content-Type:application/json" -H "Accept:application/json" -H "Accept-Language:en" --negotiate -u : --cacert /etc/ipa/ca.crt -d @../bulk_request.json -X POST http://localhost:8888/ipa/json

This needs a test, but that will be a follow-on patch.

-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-admiyo-freeipa-0076-bulk.patch
Type: text/x-patch
Size: 2265 bytes
Desc: not available
URL: 

From davido at redhat.com Tue Nov 2 23:32:01 2010
From: davido at redhat.com (David O'Brien)
Date: Wed, 03 Nov 2010 09:32:01 +1000
Subject: [Freeipa-devel] [PATCH] 0003 Remove reference to ipa_webgui from ipa-server-install man page
In-Reply-To: <201011021838.38787.jzeleny@redhat.com>
References: <201011021838.38787.jzeleny@redhat.com>
Message-ID: <4CD09F71.2050903@redhat.com>

Jan Zelený wrote:
> There was a single reference, so I removed it and rephrased the sentence a
> little.
>
> https://fedorahosted.org/freeipa/ticket/330
>
> Jan
>

nack

"...and starting IPA\-provided service ipa_kpasswd." is grammatically incorrect (missing article). I also propose a minor rephrase:

"... and starting the ipa_kpasswd service provided by IPA."

-- 
David O'Brien
Red Hat Asia Pacific Pty Ltd
+61 7 3514 8189

He who asks is a fool for five minutes, but he who does not ask remains a fool forever." ~ Chinese proverb

From jzeleny at redhat.com Wed Nov 3 08:27:09 2010
From: jzeleny at redhat.com (Jan Zelený)
Date: Wed, 3 Nov 2010 09:27:09 +0100
Subject: [Freeipa-devel] [PATCH] 0003 Remove reference to ipa_webgui from ipa-server-install man page
In-Reply-To: <4CD09F71.2050903@redhat.com>
References: <201011021838.38787.jzeleny@redhat.com> <4CD09F71.2050903@redhat.com>
Message-ID: <201011030927.09954.jzeleny@redhat.com>

"David O'Brien" wrote:
> Jan Zelený wrote:
> > There was a single reference, so I removed it and rephrased the sentence
> > a little.
> >
> > https://fedorahosted.org/freeipa/ticket/330
> >
> > Jan
>
> nack
>
> "...and starting IPA\-provided service ipa_kpasswd." is grammatically
> incorrect (missing article). I also propose a minor rephrase:
>
> "... and starting the ipa_kpasswd service provided by IPA."

Corrected patch is in the attachment.

Jan

-------------- next part --------------
A non-text attachment was scrubbed...
Name: jzeleny-freeipa-0003-02-Remove-reference-to-ipa_webgui.patch
Type: text/x-patch
Size: 1434 bytes
Desc: not available
URL: 

From JR.Aquino at citrix.com Mon Nov 1 22:13:52 2010
From: JR.Aquino at citrix.com (JR Aquino) Date: Mon, 1 Nov 2010 22:13:52 +0000 Subject: [Freeipa-devel] [ PATCH ] lite-server.py failing due to cli.py dependency: import default_encoding_utf8 Message-ID: ./lite-server.py -d ipa: DEBUG: importing all plugin modules in '/usr/src/freeipa/ipalib/plugins'... ipa: DEBUG: importing plugin module '/usr/src/freeipa/ipalib/plugins/aci.py' ipa: DEBUG: importing plugin module '/usr/src/freeipa/ipalib/plugins/automount.py' ipa: ERROR: could not load plugin module '/usr/src/freeipa/ipalib/plugins/automount.py' Traceback (most recent call last): File "/usr/src/freeipa/ipalib/plugable.py", line 538, in import_plugins __import__(fullname) File "/usr/src/freeipa/ipalib/plugins/automount.py", line 172, in from ipalib.plugins.baseldap import * File "/usr/src/freeipa/ipalib/plugins/baseldap.py", line 30, in from ipalib.cli import to_cli, from_cli File "/usr/src/freeipa/ipalib/cli.py", line 35, in import default_encoding_utf8 ImportError: No module named default_encoding_utf8 Patch is a 1 liner that changes: import default_encoding_utf8 To from policycoreutils import default_encoding_utf8 -------------- next part -------------- A non-text attachment was scrubbed... Name: cli_policycoreutils.patch Type: application/octet-stream Size: 630 bytes Desc: cli_policycoreutils.patch URL: From edewata at redhat.com Wed Nov 3 12:30:55 2010 
From: edewata at redhat.com (Endi Sukma Dewata)
Date: Wed, 03 Nov 2010 07:30:55 -0500
Subject: [Freeipa-devel] [PATCH] HBAC Details Page
In-Reply-To: <4CCEFA72.9060906@redhat.com>
References: <4CCB5CC9.7030800@redhat.com> <4CCEFA72.9060906@redhat.com>
Message-ID: <4CD155FF.7080907@redhat.com>

On 11/1/2010 12:35 PM, Adam Young wrote:
> NACK, based on the templating issues we discussed on the phone.
>
> To lay out the issues for other people reading: we previously had a
> framework like what Endi is proposing here. We found that importing HTML
> fragments didn't provide much benefit, and led to duplicated code. When
> Pavel did a major rework of the code in August, we removed the
> templating mechanism.
>
> We are going to add it back in as part of this patch, but with a note
> that it is purely for rapid prototyping purposes. For HBAC, Endi is
> going to make the Table code into a component that works without
> templating. Instead, we are going to generate the table code using
> JavaScript, the same way that we do in the search code. This is the
> start of the work specified in
>
> https://fedorahosted.org/freeipa/ticket/419
>
> When we are done, we hope to have a reusable component that supports the
> search, associations, record level attributes (like phone number) and the
> HBAC use cases. We'll produce a design document as we get better clarity.

Please take a look at the new patch. Thanks!

https://fedorahosted.org/reviewboard/r/99/

The UI framework has been extended to include a collection of widgets:
- ipa_widget: base class
- ipa_text_widget: text field
- ipa_radio_widget: radio button
- ipa_textarea_widget: textarea
- ipa_button_widget: button
- ipa_column_widget: column for table
- ipa_table_widget: table

These widgets can be used to create input controls. They can also be extended to create custom controls.

The framework has also been enhanced to support themes. Themes can be used to change the look of the application without changing the code.
This would be useful to customize IPA deployments. Initially this is only available in details section.

A theme is a collection of HTML templates. Each template is a complete and valid HTML file which can be viewed using a browser. The template will be loaded and initialized by the code, then filled with the data from the server. The themes are located in install/static/themes folder.

By default, if no templates are used, the fields in the details page are rendered vertically using dl/dt/dd tags. For pages that require different layout, a custom UI needs to be developed. There are two ways to do that:
- write a custom widget to generate the UI dynamically
- create an HTML template and write the initialization code

For components that are quite complex or used frequently, it might be better to use the first method. For simple pages that are used only in one location or need to support customization, the second method might be preferable.

Other benefits of templates:
- cleaner code and UI separation
- more flexibility in customization
- new pages can be developed quickly and require less coding
- multiple templates can be used with the same initialization code
- easier to maintain

The HBAC details page has been implemented using both methods. By default it will use custom widgets to generate the page. To use the theme, add the following parameter to the URL, then reload the page:

  &theme=

Currently the only available theme is 'default' which produces the same layout as the custom widgets.

The HBAC details page is usable, but it still needs additional work. The access time is not working yet. There is no undo button, hint, or validation yet.

The table in the association facet has also been changed to use ipa_association_widget which is derived from ipa_table_widget.

The Makefile has been updated to include the themes. The unit tests also have been updated.

-- 
Endi S. Dewata

-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-edewata-0025-2-HBAC-Details-Page.patch Type: text/x-patch Size: 139365 bytes Desc: not available URL: From edewata at redhat.com Wed Nov 3 12:31:35 2010 From: edewata at redhat.com (Endi Sukma Dewata) Date: Wed, 03 Nov 2010 07:31:35 -0500 Subject: [Freeipa-devel] [PATCH] HBAC test data Message-ID: <4CD15627.2060007@redhat.com> Hi, Please review the attached patch. It can be installed independently from my patch #25-2 (HBAC Details Page). Thanks! https://fedorahosted.org/reviewboard/r/100/ -- Endi S. Dewata -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-edewata-0026-HBAC-test-data.patch Type: text/x-patch Size: 24803 bytes Desc: not available URL: From edewata at redhat.com Wed Nov 3 12:32:13 2010 
From: edewata at redhat.com (Endi Sukma Dewata) Date: Wed, 03 Nov 2010 07:32:13 -0500 Subject: [Freeipa-devel] [PATCH] freeipa-admiyo-freeipa-0072-rights-check.patch In-Reply-To: <4CCECE96.8070006@redhat.com> References: <4CCB256B.109@redhat.com> <4CCB7575.8050409@redhat.com> <4CCECE96.8070006@redhat.com> Message-ID: <4CD1564D.4070109@redhat.com>

On 11/1/2010 9:28 AM, Adam Young wrote:
>>> Check effective rights. If the right is not explicitly allowed, show the field as read only.
>> It seems to be working, but I think it has to wait until the attributelevelrights is returned in the JSON response because without it the UI would become unusable because all fields would be disabled.
> That is part of the patch. attributelevelrights has been added as a flag to the JSON request. The change to baseldap.py will only apply on top of the change made to return the rights.
>
> I suspect that what you are seeing is that there are some holes in the coverage of the attribute level rights, and I made the decision to default to "don't allow changes". Thus, this code needs to go in before we can identify places where the rights are not being properly reported, otherwise, we just won't know.

Still NACK. I have tested this again. It looks like the UI does not send the --rights parameter which is required to get the attributelevelrights. With this patch even the admin can't edit anything.

-- Endi S. Dewata

From edewata at redhat.com Wed Nov 3 12:33:02 2010
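As an added example (not code from the rights-check patch or from FreeIPA), here is the fail-closed check the thread describes: send the rights flag with the `show` call, treat any attribute that is not explicitly writable as read-only, and list the coverage holes. The "rscwo" letter format of the rights strings is an assumption, taken from 389 Directory Server's effective-rights output; the sample entry is constructed.

```javascript
// Added example, not code from the FreeIPA patch under review: deciding
// which details-page fields are editable from the attributelevelrights
// that a `show` call returns when the rights flag is sent.
//
// Assumption (not stated in the thread): each attribute maps to a string
// of 389 Directory Server effective-rights letters such as "rscwo", and
// the letter 'w' is the one that grants write access.

// Options for ipa_cmd('show', ...). Without the rights flag the server
// omits attributelevelrights, and a UI that defaults to read-only then
// disables every field, which is the symptom reported in the thread.
function show_options(want_rights) {
    var options = { all: true };
    if (want_rights) {
        options.rights = true;
    }
    return options;
}

// True only when write access is explicitly granted for attr. A missing
// map, a missing attribute, or a rights string without 'w' all mean
// read-only: the fail-closed default chosen in the thread.
function attribute_writable(rights, attr) {
    if (!rights || typeof rights !== 'object') {
        return false;
    }
    var value = rights[attr];
    if (typeof value !== 'string') {
        return false;
    }
    return value.indexOf('w') !== -1;
}

// Map each field name on a details page to an "editable" flag, reading
// the rights from the show result's attributelevelrights member.
function field_edit_flags(show_result, field_names) {
    var rights = show_result ? show_result.attributelevelrights : null;
    var flags = {};
    for (var i = 0; i < field_names.length; ++i) {
        var name = field_names[i];
        flags[name] = attribute_writable(rights, name);
    }
    return flags;
}

// Report attributes present in the entry but absent from the rights map.
// These are the "holes in the coverage" that would wrongly render as
// read-only; listing them is what a developer wants to see reported.
function rights_coverage_holes(show_result) {
    var holes = [];
    if (!show_result) {
        return holes;
    }
    var rights = show_result.attributelevelrights || {};
    for (var attr in show_result) {
        if (!show_result.hasOwnProperty(attr)) continue;
        if (attr === 'attributelevelrights' || attr === 'dn') continue;
        if (!rights.hasOwnProperty(attr)) {
            holes.push(attr);
        }
    }
    return holes;
}

// Constructed sample result (not captured from a server): the admin entry
// as a `show` with rights might return it; 'telephonenumber' is present
// in the entry but missing from the rights map, a coverage hole.
var sample_show_result = {
    dn: 'uid=admin,cn=users,cn=accounts,dc=example,dc=com',
    uid: ['admin'],
    cn: ['Administrator'],
    telephonenumber: ['555-0100'],
    attributelevelrights: {
        uid: 'rsc',
        cn: 'rscwo'
    }
};
```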
From: edewata at redhat.com (Endi Sukma Dewata) Date: Wed, 03 Nov 2010 07:33:02 -0500 Subject: [Freeipa-devel] [PATCH] freeipa-admiyo-freeipa-0073-Clear-fields-after-add.patch In-Reply-To: <4CCEFFA8.1080804@redhat.com> References: <4CCEFFA8.1080804@redhat.com> Message-ID: <4CD1567E.1000001@redhat.com>

On 11/1/2010 12:58 PM, Adam Young wrote:
> For the 'add and add again' usage.

NACK. The following for-loop shouldn't be moved into add_win() because it breaks the service add dialog.

- for (var i = 0; i < that.fields.length; ++i) { - var field = that.fields[i]; - if (field.setup) { - var value = field.setup(dialog, IPA_ADD_UPDATE); - if (value != null) { - if (field.name == pkey_name) - pkey = [value]; - else + for (var i = 0; i < that.fields.length; ++i) { + var field = that.fields[i]; + if (field.setup) { + var value = field.setup(dialog, IPA_ADD_UPDATE); + if (value != null) { + if (field.name == pkey_name) + pkey = [value]; + } else { options[field.name] = value; + } } }

-- Endi S. Dewata

From edewata at redhat.com Wed Nov 3 12:33:47 2010

From: edewata at redhat.com (Endi Sukma Dewata) Date: Wed, 03 Nov 2010 07:33:47 -0500 Subject: [Freeipa-devel] [PATCH] 0074 jslint cleanup In-Reply-To: <4CD0679C.9080505@redhat.com> References: <4CD0679C.9080505@redhat.com> Message-ID: <4CD156AB.2050403@redhat.com>

On 11/2/2010 2:33 PM, Adam Young wrote:
> While this doesn't fix all of the jslint complaints for ipa.js, it fixes the worst offenders.

Nearly ACKed... is there such thing? :)

The IPA and ipa_cmd are defined twice.

+var IPA; +var ipa_cmd; +var IPA = ( function () { function ipa_cmd(name, args, options, win_callback, fail_callback, objname)

-- Endi S. Dewata

From edewata at redhat.com Wed Nov 3 12:35:03 2010
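Review bot: the brace placement in the `+` lines of the for-loop fragment changes the logic, not just the location: `+ } else {` now closes `if (value != null)`, so the unchanged `options[field.name] = value;` runs only when the value is null, and a non-null value for any field other than the primary key is no longer stored in `options` (in the removed lines the `else` belonged to `if (field.name == pkey_name)`). Suggest keeping `if (field.name == pkey_name) pkey = [value]; else options[field.name] = value;` inside the `value != null` block, wherever the loop ends up living.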
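Review bot: in the jslint fragment, beyond the duplicate `var IPA`, the top-level `var ipa_cmd;` is never assigned: as quoted, `function ipa_cmd(...)` is declared inside the `var IPA = ( function () {` closure, so code outside it sees `ipa_cmd === undefined` unless the closure assigns it (`ipa_cmd = function ...` without `var`, or an explicit export on `IPA`). Drop the second `var` on `IPA` and make the export of `ipa_cmd` explicit.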
From: edewata at redhat.com (Endi Sukma Dewata) Date: Wed, 03 Nov 2010 07:35:03 -0500 Subject: [Freeipa-devel] patches needing review In-Reply-To: <4CD06DC0.6050007@redhat.com> References: <4CD06DC0.6050007@redhat.com> Message-ID: <4CD156F7.10204@redhat.com>

These were acked and pushed last week:
> freeipa-admiyo-freeipa-0070-delete-associations.patch
> freeipa-admiyo-freeipa-0071-group_remove_memeber.json.patch

These still have problems:
> freeipa-admiyo-freeipa-0072-rights-check.patch
> freeipa-admiyo-freeipa-0073-Clear-fields-after-add.patch
> freeipa-admiyo-freeipa-0074-jslint-cleanup.patch

-- Endi S. Dewata

From davido at redhat.com Wed Nov 3 12:37:06 2010

From: davido at redhat.com (David O'Brien) Date: Wed, 03 Nov 2010 22:37:06 +1000 Subject: [Freeipa-devel] [PATCH] 0003 Remove reference to ipa_webgui from ipa-server-install man page In-Reply-To: <201011030927.09954.jzeleny@redhat.com> References: <201011021838.38787.jzeleny@redhat.com> <4CD09F71.2050903@redhat.com> <201011030927.09954.jzeleny@redhat.com> Message-ID: <4CD15772.2010404@redhat.com>

Jan Zelený wrote:
> "David O'Brien" wrote:
>> Jan Zelený wrote:
>>> There was a single reference, so I removed it and rephrased the sentence a little.
>>>
>>> https://fedorahosted.org/freeipa/ticket/330
>>>
>>> Jan
>> nack
>>
>> "...and starting IPA\-provided service ipa_kpasswd." is grammatically incorrect (missing article). I also propose a minor rephrase:
>>
>> "... and starting the ipa_kpasswd service provided by IPA."
>
> Corrected patch is in the attachment.
>
> Jan
>

ACK

-- David O'Brien Red Hat Asia Pacific Pty Ltd +61 7 3514 8189 "He who asks is a fool for five minutes, but he who does not ask remains a fool forever." ~ Chinese proverb

From ayoung at redhat.com Wed Nov 3 13:53:37 2010
From: ayoung at redhat.com (Adam Young) Date: Wed, 03 Nov 2010 09:53:37 -0400 Subject: [Freeipa-devel] [PATCH] freeipa-admiyo-freeipa-0072-rights-check.patch In-Reply-To: <4CD1564D.4070109@redhat.com> References: <4CCB256B.109@redhat.com> <4CCB7575.8050409@redhat.com> <4CCECE96.8070006@redhat.com> <4CD1564D.4070109@redhat.com> Message-ID: <4CD16961.5040109@redhat.com>

On 11/03/2010 08:32 AM, Endi Sukma Dewata wrote:
> On 11/1/2010 9:28 AM, Adam Young wrote:
>>>> Check effective rights. If the right is not explicitly allowed, show the field as read only.
>
>>> It seems to be working, but I think it has to wait until the attributelevelrights is returned in the JSON response because without it the UI would become unusable because all fields would be disabled.
>
>> That is part of the patch. attributelevelrights has been added as a flag to the JSON request. The change to baseldap.py will only apply on top of the change made to return the rights.
>>
>> I suspect that what you are seeing is that there are some holes in the coverage of the attribute level rights, and I made the decision to default to "don't allow changes". Thus, this code needs to go in before we can identify places where the rights are not being properly reported, otherwise, we just won't know.
>
> Still NACK. I have tested this again. It looks like the UI does not send the --rights parameter which is required to get the attributelevelrights. With this patch even the admin can't edit anything.
>

Ah...that was because I did it as two commits, and only made a patch out of one. Here is the missing part:

[ayoung at ayoung freeipa]$ git show HEAD~1 commit d3b146090cbf74f1fe0978fcae23e0632be01a77 Author: adam Date: Fri Oct 29 14:09:15 2010 -0400 add rights to show call diff --git a/install/static/details.js b/install/static/details.js index e4cbec7..4bc1791 100644 --- a/install/static/details.js +++ b/install/static/details.js
@@ -344,7 +344,7 @@ function ipa_details_load(container, pkey, on_win, on_fail) params = []; } ipa_cmd( - 'show', params, {all: true}, load_on_win, load_on_fail, obj_name + 'show', params, {all: true, rights: 1 }, load_on_win, load_on_fail, ob ); } function ipa_details_update(container, pkey, on_win, on_fail)

From ayoung at redhat.com Wed Nov 3 13:55:31 2010

From: ayoung at redhat.com (Adam Young) Date: Wed, 03 Nov 2010 09:55:31 -0400 Subject: [Freeipa-devel] [PATCH] freeipa-admiyo-freeipa-0073-Clear-fields-after-add.patch In-Reply-To: <4CD1567E.1000001@redhat.com> References: <4CCEFFA8.1080804@redhat.com> <4CD1567E.1000001@redhat.com> Message-ID: <4CD169D3.4040009@redhat.com>

On 11/03/2010 08:33 AM, Endi Sukma Dewata wrote:
> On 11/1/2010 12:58 PM, Adam Young wrote:
>> For the 'add and add again' usage.
>
> NACK. The following for-loop shouldn't be moved into add_win() because it breaks the service add dialog.
>
> - for (var i = 0; i < that.fields.length; ++i) { > - var field = that.fields[i]; > - if (field.setup) { > - var value = field.setup(dialog, IPA_ADD_UPDATE); > - if (value != null) { > - if (field.name == pkey_name) > - pkey = [value]; > - else > + for (var i = 0; i < that.fields.length; ++i) { > + var field = that.fields[i]; > + if (field.setup) { > + var value = field.setup(dialog, IPA_ADD_UPDATE); > + if (value != null) { > + if (field.name == pkey_name) > + pkey = [value]; > + } else { > options[field.name] = value; > + } > } > }
>

I suspect then that the service add dialog is wrong. This behaviour has been spec'ed and working for a long time. What does it break?

From ayoung at redhat.com Wed Nov 3 14:10:55 2010
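Review bot: in the `ipa_details_load` hunk of the rights patch above, the `+` line ends in `ob` where the `-` line had `obj_name`; if that is the committed content rather than a paste truncation, the `show` call passes an undeclared identifier and throws before any request is sent, so please confirm the line really ends in `obj_name`. A smaller point in the same line: `rights: 1` next to `all: true` mixes styles; `rights: true` reads the same way as the flag beside it.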
From: ayoung at redhat.com (Adam Young) Date: Wed, 03 Nov 2010 10:10:55 -0400 Subject: [Freeipa-devel] [PATCH] 0074 jslint cleanup In-Reply-To: <4CD156AB.2050403@redhat.com> References: <4CD0679C.9080505@redhat.com> <4CD156AB.2050403@redhat.com> Message-ID: <4CD16D6F.8010305@redhat.com> On 11/03/2010 08:33 AM, Endi Sukma Dewata wrote: > On 11/2/2010 2:33 PM, Adam Young wrote: >> While this doesn't fix all of the jslint complaints for ipa.js, it fixes >> the worst offenders. > > Nearly ACKed... is there such thing? :) > > The IPA and ipa_cmd are defined twice. > > +var IPA; > +var ipa_cmd; > > +var IPA = ( function () { > function ipa_cmd(name, args, options, win_callback, fail_callback, > objname) > Fixed -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-admiyo-freeipa-0074-2-jslint-cleanup.patch Type: text/x-patch Size: 9740 bytes Desc: not available URL: From rcritten at redhat.com Wed Nov 3 14:23:57 2010 From: rcritten at redhat.com (Rob Crittenden) Date: Wed, 03 Nov 2010 10:23:57 -0400 Subject: [Freeipa-devel] [ Patch ] sudo plugins updated to reflect sudocmd attribute change In-Reply-To: References: Message-ID: <4CD1707D.3060106@redhat.com> JR Aquino wrote: > Patches for sudocmd attribute change and support for sudorule cmdCategory. ack, pushed to master From ayoung at redhat.com Wed Nov 3 14:26:45 2010 
From: ayoung at redhat.com (Adam Young) Date: Wed, 03 Nov 2010 10:26:45 -0400 Subject: [Freeipa-devel] [PATCH] HBAC test data In-Reply-To: <4CD15627.2060007@redhat.com> References: <4CD15627.2060007@redhat.com> Message-ID: <4CD17125.6060707@redhat.com>

On 11/03/2010 08:31 AM, Endi Sukma Dewata wrote:
> Hi,
>
> Please review the attached patch. It can be installed independently from my patch #25-2 (HBAC Details Page). Thanks!
>
> https://fedorahosted.org/reviewboard/r/100/
>
>
> _______________________________________________
> Freeipa-devel mailing list
> Freeipa-devel at redhat.com
> https://www.redhat.com/mailman/listinfo/freeipa-devel

ACK, pushed to master

-------------- next part -------------- An HTML attachment was scrubbed... URL:

From rcritten at redhat.com Wed Nov 3 14:25:18 2010

From: rcritten at redhat.com (Rob Crittenden) Date: Wed, 03 Nov 2010 10:25:18 -0400 Subject: [Freeipa-devel] [PATCH] 0003 Remove reference to ipa_webgui from ipa-server-install man page In-Reply-To: <4CD15772.2010404@redhat.com> References: <201011021838.38787.jzeleny@redhat.com> <4CD09F71.2050903@redhat.com> <201011030927.09954.jzeleny@redhat.com> <4CD15772.2010404@redhat.com> Message-ID: <4CD170CE.4040208@redhat.com>

David O'Brien wrote:
> Jan Zelený wrote:
>> "David O'Brien" wrote:
>>> Jan Zelený wrote:
>>>> There was a single reference, so I removed it and rephrased the sentence a little.
>>>>
>>>> https://fedorahosted.org/freeipa/ticket/330
>>>>
>>>> Jan
>>> nack
>>>
>>> "...and starting IPA\-provided service ipa_kpasswd." is grammatically incorrect (missing article). I also propose a minor rephrase:
>>>
>>> "... and starting the ipa_kpasswd service provided by IPA."
>>
>> Corrected patch is in the attachment.
>>
>> Jan
>>
>
> ACK
>

pushed to master

From rcritten at redhat.com Wed Nov 3 14:26:14 2010

From: rcritten at redhat.com (Rob Crittenden) Date: Wed, 03 Nov 2010 10:26:14 -0400 Subject: [Freeipa-devel] [PATCH] 0002 Add SEE ALSO section to man pages In-Reply-To: <201011021832.41758.jzeleny@redhat.com> References: <201011021832.41758.jzeleny@redhat.com> Message-ID: <4CD17106.2040309@redhat.com>

Jan Zelený wrote:
> All ipa-* commands except for ipa-fix-CVE-2008-3274 were added to SEE ALSO section of ipa(1).
>
> https://fedorahosted.org/freeipa/ticket/329
>
> Jan

ack, pushed to master

From rcritten at redhat.com Wed Nov 3 14:28:15 2010

From: rcritten at redhat.com (Rob Crittenden) Date: Wed, 03 Nov 2010 10:28:15 -0400 Subject: [Freeipa-devel] [PATCH] 0001 Ensure that Apache is running in Prefork mode In-Reply-To: <201011021617.20977.jzeleny@redhat.com> References: <201011021617.20977.jzeleny@redhat.com> Message-ID: <4CD1717F.4020003@redhat.com>

Jan Zelený wrote:
> I tried one other solution, but this approach was recommended to me by Pavel. It seems to be working fine. If you don't agree with the concept (detection per request), I can present you the original one.
>
> https://fedorahosted.org/freeipa/ticket/252
>
> Jan
>

nack. I think we need some logging to say "IPA does not work with the threaded MPM, use the pre-fork MPM" or something like that. Otherwise it is going to silently fail and users will have no idea why.

rob

From rcritten at redhat.com Wed Nov 3 14:35:31 2010
From: rcritten at redhat.com (Rob Crittenden) Date: Wed, 03 Nov 2010 10:35:31 -0400 Subject: [Freeipa-devel] [PATCH] Bulk In-Reply-To: <4CD09EBD.5030201@redhat.com> References: <4CD09EBD.5030201@redhat.com> Message-ID: <4CD17333.4060100@redhat.com> Adam Young wrote: > Joint effort between me and Rob in getting this to work. > > I've tested it with the following data: > > [ayoung at ipa freeipa]$ cat ../bulk_request.json > {"method":"bulk","params":[[ > {"method":"json_metadata","params":[[],{}]}, > {"method":"user_find","params":[[],{"whoami":" true","all":"true"}]}, > {"method":"user_show","params":[["admin"],{"all":true}],"id":4} > ],{}],"id":1} > > > Called this way: > > curl -H "Content-Type:application/json" -H "Accept:applicaton/json" -H > "Accept-Language:en" --negotiate -u : --cacert /etc/ipa/ca.crt -d > @../bulk_request.json -X POST http://localhost:8888/ipa/json > > > > This needs a test, but that will be a follow on patch. nack, I think this needs a bit more work before we push it. There are no doc strings for the arguments, no documentation at all really. At a minimum the example you have in this e-mail would be handy to have in the plugin. Do we want to expose this to the command-line or keep it for json only? I can see admins wanting to use this for the cli but I have no clue how we'd pass in the arguments :-) This includes some apparently unrelated changes to internal.py The List argument is actually a comma-separated list, not a python list. It works, I suppose, but I'm not sure it is the right thing. In fact, I'm not sure what the right param type is in this case. I know I'm the one that suggested setting an empty error on success, I wonder if that is really needed. Adam, would you use this to determine if you have an actual response or not? This code bothered me when I wrote it last night but I was in "make it work" mode. There has to be a more elegant way. 
The incoming dict keys are unicode, we need them to be strings: + newkw = {} + for k in kw: + newkw[str(k)] = kw[k] rob From ayoung at redhat.com Wed Nov 3 14:48:58 2010 
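Review bot: `str(k)` raises `UnicodeEncodeError` for any key containing non-ASCII characters, and `kw` comes straight from the client's JSON, so a malformed request turns into a traceback instead of a clean RPC error; validate the keys first (they become Python keyword names, so ASCII identifiers are the only legitimate values) and reject the rest before the conversion. The copy itself collapses to `newkw = dict((str(k), v) for k, v in kw.iteritems())`.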
From: ayoung at redhat.com (Adam Young) Date: Wed, 03 Nov 2010 10:48:58 -0400 Subject: [Freeipa-devel] [PATCH] HBAC Details Page In-Reply-To: <4CD155FF.7080907@redhat.com> References: <4CCB5CC9.7030800@redhat.com> <4CCEFA72.9060906@redhat.com> <4CD155FF.7080907@redhat.com> Message-ID: <4CD1765A.80003@redhat.com>

On 11/03/2010 08:30 AM, Endi Sukma Dewata wrote:
> On 11/1/2010 12:35 PM, Adam Young wrote:
>> NACK, based on the templating issues we discussed on the phone.
>>
>> To lay out the issues for other people reading: we previously had a framework like what Endi is proposing here. We found that importing HTML fragments didn't provide much benefit, and led to duplicated code. When Pavel did a major rework of the code in August, we removed the templating mechanism.
>>
>> We are going to add it back in as part of this patch, but with a note that it is purely for rapid prototyping purposes. For HBAC, Endi is going to make the Table code into a component that works without templating. Instead, we are going to generate the table code using Javascript, the same way that we do in the search code. This is the start of the work specified in
>>
>> https://fedorahosted.org/freeipa/ticket/419
>>
>> When we are done, we hope to have a reusable component that supports the search, associations, record level attributes (like phone number) and the HBAC use cases. We'll produce a design document as we get better clarity.
>
> Please take a look at the new patch. Thanks!
>
> https://fedorahosted.org/reviewboard/r/99/
>
> The UI framework has been extended to include a collection of widgets:
> - ipa_widget: base class
> - ipa_text_widget: text field
> - ipa_radio_widget: radio button
> - ipa_textarea_widget: textarea
> - ipa_button_widget: button
> - ipa_column_widget: column for table
> - ipa_table_widget: table
>
> These widgets can be used to create input controls. They can also be extended to create custom controls.
>
> The framework has also been enhanced to support themes. Themes can be used to change the look of the application without changing the code. This would be useful to customize IPA deployments. Initially this is only available in the details section.
>
> A theme is a collection of HTML templates. Each template is a complete and valid HTML file which can be viewed using a browser. The template will be loaded and initialized by the code, then filled with the data from the server. The themes are located in the install/static/themes folder.
>
> By default, if no templates are used, the fields in the details page are rendered vertically using dd/dt/dd tags. For pages that require a different layout, a custom UI needs to be developed. There are two ways to do that:
> - write a custom widget to generate the UI dynamically
> - create an HTML template and write the initialization code
>
> For components that are quite complex or used frequently, it might be better to use the first method. For simple pages that are used only in one location or need to support customization, the second method might be preferable. Other benefits of templates:
> - cleaner code and UI separation
> - more flexibility in customization
> - new pages can be developed quickly and require less coding
> - multiple templates can be used with the same initialization code
> - easier to maintain
>
> The HBAC details page has been implemented using both methods. By default it will use custom widgets to generate the page. To use the theme, add the following parameter to the URL, then reload the page:
>
> &theme=
>
> Currently the only available theme is 'default' which produces the same layout as the custom widgets.
>
> The HBAC details page is usable, but it still needs additional work. The access time is not working yet. There is no undo button, hint, or validation yet.
>
> The table in the association facet has also been changed to use ipa_association_widget which is derived from ipa_table_widget.
>
> The Makefile has been updated to include the themes. The unit tests also have been updated.
>

A few questions (and tweaks). Note that I have just given the code a read through, not applied the patch yet.

Are you sure we want to implement our own Theme code? I'd rather try to keep theme stuff as part of JQUery.UI. At a minimum, we risk name clash and confusion over the term 'theme'.

add.js line 34: Do we really need an accessor like this? There is nothing wrong with modifying the member directly. I see the code at line 62 that delegates it down the tree...I think there is a more javascript-y way to do this. Look up Javascript accessors.

If you are going to change a function header like on associate line 133, go ahead and remove the camel_casing as well (manyObjPKey), as you seem to be doing variable cleanup elsewhere.

Line 297, executor takes 7 params, that are all member variables of "that". Since that.execute is invoked as a method, you can remove these parameters and instead, internal to executor, refer to them via this.

Typo line 344: that.member_attrribute

From ayoung at redhat.com Wed Nov 3 15:09:01 2010
From: ayoung at redhat.com (Adam Young) Date: Wed, 03 Nov 2010 11:09:01 -0400 Subject: [Freeipa-devel] [PATCH] HBAC Details Page In-Reply-To: <4CD1765A.80003@redhat.com> References: <4CCB5CC9.7030800@redhat.com> <4CCEFA72.9060906@redhat.com> <4CD155FF.7080907@redhat.com> <4CD1765A.80003@redhat.com> Message-ID: <4CD17B0D.5070409@redhat.com>

On 11/03/2010 10:48 AM, Adam Young wrote:
> On 11/03/2010 08:30 AM, Endi Sukma Dewata wrote:
>> On 11/1/2010 12:35 PM, Adam Young wrote:
>>> NACK, based on the templating issues we discussed on the phone.
>>>
>>> To lay out the issues for other people reading: we previously had a framework like what Endi is proposing here. We found that importing HTML fragments didn't provide much benefit, and led to duplicated code. When Pavel did a major rework of the code in August, we removed the templating mechanism.
>>>
>>> We are going to add it back in as part of this patch, but with a note that it is purely for rapid prototyping purposes. For HBAC, Endi is going to make the Table code into a component that works without templating. Instead, we are going to generate the table code using Javascript, the same way that we do in the search code. This is the start of the work specified in
>>>
>>> https://fedorahosted.org/freeipa/ticket/419
>>>
>>> When we are done, we hope to have a reusable component that supports the search, associations, record level attributes (like phone number) and the HBAC use cases. We'll produce a design document as we get better clarity.
>>
>> Please take a look at the new patch. Thanks!
>>
>> https://fedorahosted.org/reviewboard/r/99/
>>
>> The UI framework has been extended to include a collection of widgets:
>> - ipa_widget: base class
>> - ipa_text_widget: text field
>> - ipa_radio_widget: radio button
>> - ipa_textarea_widget: textarea
>> - ipa_button_widget: button
>> - ipa_column_widget: column for table
>> - ipa_table_widget: table
>>
>> These widgets can be used to create input controls. They can also be extended to create custom controls.
>>
>> The framework has also been enhanced to support themes. Themes can be used to change the look of the application without changing the code. This would be useful to customize IPA deployments. Initially this is only available in the details section.
>>
>> A theme is a collection of HTML templates. Each template is a complete and valid HTML file which can be viewed using a browser. The template will be loaded and initialized by the code, then filled with the data from the server. The themes are located in the install/static/themes folder.
>>
>> By default, if no templates are used, the fields in the details page are rendered vertically using dd/dt/dd tags. For pages that require a different layout, a custom UI needs to be developed. There are two ways to do that:
>> - write a custom widget to generate the UI dynamically
>> - create an HTML template and write the initialization code
>>
>> For components that are quite complex or used frequently, it might be better to use the first method. For simple pages that are used only in one location or need to support customization, the second method might be preferable. Other benefits of templates:
>> - cleaner code and UI separation
>> - more flexibility in customization
>> - new pages can be developed quickly and require less coding
>> - multiple templates can be used with the same initialization code
>> - easier to maintain
>>
>> The HBAC details page has been implemented using both methods. By default it will use custom widgets to generate the page. To use the theme, add the following parameter to the URL, then reload the page:
>>
>> &theme=
>>
>> Currently the only available theme is 'default' which produces the same layout as the custom widgets.
>>
>> The HBAC details page is usable, but it still needs additional work. The access time is not working yet. There is no undo button, hint, or validation yet.
>>
>> The table in the association facet has also been changed to use ipa_association_widget which is derived from ipa_table_widget.
>>
>> The Makefile has been updated to include the themes. The unit tests also have been updated.
>>
>
> A few questions (and tweaks). Note that I have just given the code a read through, not applied the patch yet.
>
>
> Are you sure we want to implement our own Theme code? I'd rather try to keep theme stuff as part of JQUery.UI. At a minimum, we risk name clash and confusion over the term 'theme'.
>
> add.js line 34: Do we really need an accessor like this? There is nothing wrong with modifying the member directly. I see the code at line 62 that delegates it down the tree...I think there is a more javascript-y way to do this. Look up Javascript accessors.
>
>
> If you are going to change a function header like on associate line 133, go ahead and remove the camel_casing as well (manyObjPKey), as you seem to be doing variable cleanup elsewhere.
>
> Line 297, executor takes 7 params, that are all member variables of "that". Since that.execute is invoked as a method, you can remove these parameters and instead, internal to executor, refer to them via this.
>
>
> Typo line 344: that.member_attrribute
>
>
> _______________________________________________
> Freeipa-devel mailing list
> Freeipa-devel at redhat.com
> https://www.redhat.com/mailman/listinfo/freeipa-devel

Also: remove the buttons for features that we are not going to implement this time around from the top of the page: Troubleshoot, Cull Disabled Rules, and the Test Rule link under quick links. You can leave Login SVC and Login Svc Groups, those are coming next, correct?

Add rule has a rule type field, but no guidance what to fill it in with. I suspect this should be a select. Without knowing what to put in here, you can't add a rule. At a minimum, let's put in text 'allow or deny'.

Note that this failure case doesn't fail very cleanly. There is an error that shows up in Firebug. Ignore it for now, as I believe my patch for handling ticket time out fixes this as a side effect.

Add access time seems to be broken. I get 'that.add is not a function'

From dpal at redhat.com Wed Nov 3 15:20:00 2010
From: dpal at redhat.com (Dmitri Pal) Date: Wed, 03 Nov 2010 11:20:00 -0400 Subject: [Freeipa-devel] patches needing review In-Reply-To: <4CD06DC0.6050007@redhat.com> References: <4CD06DC0.6050007@redhat.com> Message-ID: <4CD17DA0.2010103@redhat.com> Adam Young wrote: > freeipa-admiyo-freeipa-0070-delete-associations.patch > freeipa-admiyo-freeipa-0071-group_remove_memeber.json.patch > freeipa-admiyo-freeipa-0072-rights-check.patch > freeipa-admiyo-freeipa-0073-Clear-fields-after-add.patch > freeipa-admiyo-freeipa-0074-jslint-cleanup.patch > freeipa-admiyo-freeipa-0075-Ticket-Expiration.patch > > > jzeleny-freeipa-0001-Ensure-that-Apache-is-running-with-MPM-Prefork.patch > > jhrozek-freeipa-0004-Log-script-options-to-logfile.patch > > freeipa-rcrit-593-group.patch > > There is also a patch from JR re SUDO, please review. > > I may have missed earlier rcrit patches. > > _______________________________________________ > Freeipa-devel mailing list > Freeipa-devel at redhat.com > https://www.redhat.com/mailman/listinfo/freeipa-devel > > -- Thank you, Dmitri Pal Sr. Engineering Manager IPA project, Red Hat Inc. ------------------------------- Looking to carve out IT costs? www.redhat.com/carveoutcosts/ From ayoung at redhat.com Wed Nov 3 15:22:20 2010 
From: ayoung at redhat.com (Adam Young) Date: Wed, 03 Nov 2010 11:22:20 -0400 Subject: [Freeipa-devel] [PATCH] Bulk In-Reply-To: <4CD17333.4060100@redhat.com> References: <4CD09EBD.5030201@redhat.com> <4CD17333.4060100@redhat.com> Message-ID: <4CD17E2C.9050506@redhat.com>

On 11/03/2010 10:35 AM, Rob Crittenden wrote:
> Adam Young wrote:
>> Joint effort between me and Rob in getting this to work.
>>
>> I've tested it with the following data:
>>
>> [ayoung at ipa freeipa]$ cat ../bulk_request.json
>> {"method":"bulk","params":[[
>> {"method":"json_metadata","params":[[],{}]},
>> {"method":"user_find","params":[[],{"whoami":" true","all":"true"}]},
>> {"method":"user_show","params":[["admin"],{"all":true}],"id":4}
>> ],{}],"id":1}
>>
>>
>> Called this way:
>>
>> curl -H "Content-Type:application/json" -H "Accept:applicaton/json" -H "Accept-Language:en" --negotiate -u : --cacert /etc/ipa/ca.crt -d @../bulk_request.json -X POST http://localhost:8888/ipa/json
>>
>>
>>
>> This needs a test, but that will be a follow on patch.
>
> nack, I think this needs a bit more work before we push it. There are no doc strings for the arguments, no documentation at all really. At a minimum the example you have in this e-mail would be handy to have in the plugin.

Good idea. I'd also like to have one of the commands you used that had keywords in it.

>
> Do we want to expose this to the command-line or keep it for json only? I can see admins wanting to use this for the cli but I have no clue how we'd pass in the arguments :-)

I think we want it for both, but we shouldn't hold up getting this in waiting for the CLI. We'll have to make changes on the webUI to make use of it, too.

>
> This includes some apparently unrelated changes to internal.py

Yeah. I originally had it in internal.py, and then pulled it out into its own function. The internal.py changes will go away prior to push.

>
> The List argument is actually a comma-separated list, not a python list. It works, I suppose, but I'm not sure it is the right thing. In fact, I'm not sure what the right param type is in this case.

I think this is a problem with the JSON marshalling. JSON has a perfectly valid Array type, not sure why we are forced to go with the 'v1,'v2,v3' approach when it should be ['v1','v2','v3']

>
> I know I'm the one that suggested setting an empty error on success, I wonder if that is really needed. Adam, would you use this to determine if you have an actual response or not?

This is correct, I think. We check for the presence of an error field to indicate an error. An actual RPC error gets reported by the HTTP return code, so it goes down a different code path for that.

>
> This code bothered me when I wrote it last night but I was in "make it work" mode. There has to be a more elegant way. The incoming dict keys are unicode, we need them to be strings:
>
> + newkw = {} > + for k in kw: > + newkw[str(k)] = kw[k]

I'm OK with this code as it is. If you get a better idea later on, we can always clean it up, but this looks like as straightforward a translation as we are going to get.

>
> rob

From dpal at redhat.com Wed Nov 3 15:31:54 2010
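As an added example, not code from the bulk patch or from FreeIPA: a client-side builder for the bulk request shape shown in the thread (sub-commands as `{"method", "params": [args, options]}` wrapped in a `bulk` call) and an unpacker that judges each sub-command by its own `error` field while leaving transport failures to the HTTP status, as the reply above describes. The reply shape, the error object contents and the ids are assumptions; the sample reply is constructed.

```javascript
// Added example, not code from the bulk patch under review: building a
// bulk request in the shape shown in the thread and unpacking the answer.
//
// Assumption (not in the thread): the server replies with
// {result: [sub-response, ...], error: null, id: <request id>} where each
// sub-response is {result, error, id} and error is null on success.

var next_request_id = 1;

// A sub-command in the page's shape: {"method": ..., "params": [args, options]}.
// List-valued options are passed as JSON arrays, not comma-joined strings.
function bulk_command(method, args, options, id) {
    var cmd = { method: method, params: [args || [], options || {}] };
    if (id !== undefined) {
        cmd.id = id;
    }
    return cmd;
}

// Reject malformed sub-commands before they are sent: a non-string method
// or params that are not [array, object] would reach the server's keyword
// handling as garbage. Returns null when the command is well formed.
function validate_command(cmd) {
    if (!cmd || typeof cmd.method !== 'string' || cmd.method === '') {
        return 'method must be a non-empty string';
    }
    if (!Array.isArray(cmd.params) || cmd.params.length !== 2) {
        return 'params must be [args, options]';
    }
    if (!Array.isArray(cmd.params[0])) {
        return 'args must be an array';
    }
    var options = cmd.params[1];
    if (options === null || typeof options !== 'object' || Array.isArray(options)) {
        return 'options must be an object';
    }
    for (var key in options) {
        if (!options.hasOwnProperty(key)) continue;
        // Option names become Python keyword arguments on the server, so
        // only identifier-like ASCII names are allowed through.
        if (!/^[A-Za-z_][A-Za-z0-9_]*$/.test(key)) {
            return 'bad option name: ' + key;
        }
    }
    return null;
}

// Wrap validated sub-commands in the outer {"method":"bulk"} envelope.
function bulk_request(commands) {
    for (var i = 0; i < commands.length; ++i) {
        var problem = validate_command(commands[i]);
        if (problem !== null) {
            throw new Error('command ' + i + ': ' + problem);
        }
    }
    return { method: 'bulk', params: [commands, {}], id: next_request_id++ };
}

// Unpack a bulk reply. A transport or RPC-level failure arrives as a non-2xx
// HTTP status and is raised here; within a 2xx reply each item is judged by
// its own error field, so one failed command does not hide the others.
function unpack_bulk_response(http_status, body, commands) {
    if (http_status < 200 || http_status >= 300) {
        throw new Error('RPC transport error: HTTP ' + http_status);
    }
    if (!body || !Array.isArray(body.result) || body.result.length !== commands.length) {
        throw new Error('malformed bulk response');
    }
    var out = [];
    for (var i = 0; i < commands.length; ++i) {
        var item = body.result[i] || {};
        var failed = item.error !== null && item.error !== undefined;
        out.push({
            method: commands[i].method,
            ok: !failed,
            result: failed ? null : item.result,
            error: failed ? item.error : null
        });
    }
    return out;
}

// Constructed sample (not captured from a server): the three commands from
// the thread and a reply in which the user_find call fails.
var sample_commands = [
    bulk_command('json_metadata', [], {}),
    bulk_command('user_find', [], { whoami: true, all: true }),
    bulk_command('user_show', ['admin'], { all: true }, 4)
];
var sample_reply = {
    result: [
        { result: { objects: {} }, error: null, id: null },
        { result: null, error: { code: 4001, message: 'constructed error' }, id: null },
        { result: { uid: ['admin'] }, error: null, id: 4 }
    ],
    error: null,
    id: 1
};
```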
From: dpal at redhat.com (Dmitri Pal) Date: Wed, 03 Nov 2010 11:31:54 -0400 Subject: [Freeipa-devel] patches needing review In-Reply-To: <4CD17DA0.2010103@redhat.com> References: <4CD06DC0.6050007@redhat.com> <4CD17DA0.2010103@redhat.com> Message-ID: <4CD1806A.20803@redhat.com> Dmitri Pal wrote: > Adam Young wrote: > >> freeipa-admiyo-freeipa-0070-delete-associations.patch >> freeipa-admiyo-freeipa-0071-group_remove_memeber.json.patch >> freeipa-admiyo-freeipa-0072-rights-check.patch >> freeipa-admiyo-freeipa-0073-Clear-fields-after-add.patch >> freeipa-admiyo-freeipa-0074-jslint-cleanup.patch >> freeipa-admiyo-freeipa-0075-Ticket-Expiration.patch >> >> >> jzeleny-freeipa-0001-Ensure-that-Apache-is-running-with-MPM-Prefork.patch >> >> jhrozek-freeipa-0004-Log-script-options-to-logfile.patch >> >> freeipa-rcrit-593-group.patch >> >> >> > > There is also a patch from JR re SUDO, please review. > I see it was pushed. > >> I may have missed earlier rcrit patches. >> >> _______________________________________________ >> Freeipa-devel mailing list >> Freeipa-devel at redhat.com >> https://www.redhat.com/mailman/listinfo/freeipa-devel >> >> >> > > > -- Thank you, Dmitri Pal Sr. Engineering Manager IPA project, Red Hat Inc. ------------------------------- Looking to carve out IT costs? www.redhat.com/carveoutcosts/ From rcritten at redhat.com Wed Nov 3 15:32:55 2010 From: rcritten at redhat.com (Rob Crittenden) Date: Wed, 03 Nov 2010 11:32:55 -0400 Subject: [Freeipa-devel] [PATCH] 594 display aci components separately Message-ID: <4CD180A7.9090500@redhat.com> Break out an ACI into components so it is easier to see what it does. This will be needed for UI support. I also filled more supported types and made the List parameter perform validation. rob -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-rcrit-594-aci.patch Type: text/x-patch Size: 19874 bytes Desc: not available URL: From dpal at redhat.com Wed Nov 3 15:33:02 2010 
From: dpal at redhat.com (Dmitri Pal) Date: Wed, 03 Nov 2010 11:33:02 -0400 Subject: [Freeipa-devel] [ PATCH ] lite-server.py failing due to cli.py dependency: import default_encoding_utf8 In-Reply-To: References: Message-ID: <4CD180AE.2030701@redhat.com> JR Aquino wrote: > ./lite-server.py -d > ipa: DEBUG: importing all plugin modules in '/usr/src/freeipa/ipalib/plugins'... > ipa: DEBUG: importing plugin module '/usr/src/freeipa/ipalib/plugins/aci.py' > ipa: DEBUG: importing plugin module '/usr/src/freeipa/ipalib/plugins/automount.py' > ipa: ERROR: could not load plugin module '/usr/src/freeipa/ipalib/plugins/automount.py' > Traceback (most recent call last): > File "/usr/src/freeipa/ipalib/plugable.py", line 538, in import_plugins > __import__(fullname) > File "/usr/src/freeipa/ipalib/plugins/automount.py", line 172, in > from ipalib.plugins.baseldap import * > File "/usr/src/freeipa/ipalib/plugins/baseldap.py", line 30, in > from ipalib.cli import to_cli, from_cli > File "/usr/src/freeipa/ipalib/cli.py", line 35, in > import default_encoding_utf8 > ImportError: No module named default_encoding_utf8 > > Patch is a 1 liner that changes: > > import default_encoding_utf8 > > To > > from policycoreutils import default_encoding_utf8 > > But this one was not reviewed yet, right? > ------------------------------------------------------------------------ > > _______________________________________________ > Freeipa-devel mailing list > Freeipa-devel at redhat.com > https://www.redhat.com/mailman/listinfo/freeipa-devel -- Thank you, Dmitri Pal Sr. Engineering Manager IPA project, Red Hat Inc. ------------------------------- Looking to carve out IT costs? www.redhat.com/carveoutcosts/ From JR.Aquino at citrix.com Wed Nov 3 15:36:01 2010 
From: JR.Aquino at citrix.com (JR Aquino) Date: Wed, 3 Nov 2010 15:36:01 +0000 Subject: [Freeipa-devel] [ PATCH ] lite-server.py failing due to cli.py dependency: import default_encoding_utf8 In-Reply-To: <4CD180AE.2030701@redhat.com> Message-ID: This issue is resolved. A full uninstall and reinstall properly fixed the dependency issue. On 11/3/10 8:33 AM, "Dmitri Pal" wrote: >JR Aquino wrote: >> ./lite-server.py -d >> ipa: DEBUG: importing all plugin modules in >>'/usr/src/freeipa/ipalib/plugins'... >> ipa: DEBUG: importing plugin module >>'/usr/src/freeipa/ipalib/plugins/aci.py' >> ipa: DEBUG: importing plugin module >>'/usr/src/freeipa/ipalib/plugins/automount.py' >> ipa: ERROR: could not load plugin module >>'/usr/src/freeipa/ipalib/plugins/automount.py' >> Traceback (most recent call last): >> File "/usr/src/freeipa/ipalib/plugable.py", line 538, in >>import_plugins >> __import__(fullname) >> File "/usr/src/freeipa/ipalib/plugins/automount.py", line 172, in >> >> from ipalib.plugins.baseldap import * >> File "/usr/src/freeipa/ipalib/plugins/baseldap.py", line 30, in >> >> from ipalib.cli import to_cli, from_cli >> File "/usr/src/freeipa/ipalib/cli.py", line 35, in >> import default_encoding_utf8 >> ImportError: No module named default_encoding_utf8 >> >> Patch is a 1 liner that changes: >> >> import default_encoding_utf8 >> >> To >> >> from policycoreutils import default_encoding_utf8 >> >> > >But this one was not reviewed yet, right? > >> ------------------------------------------------------------------------ >> >> _______________________________________________ >> Freeipa-devel mailing list >> Freeipa-devel at redhat.com >> https://www.redhat.com/mailman/listinfo/freeipa-devel > > >-- >Thank you, >Dmitri Pal > >Sr. Engineering Manager IPA project, >Red Hat Inc. > > >------------------------------- >Looking to carve out IT costs? >www.redhat.com/carveoutcosts/ > From rcritten at redhat.com Wed Nov 3 15:37:02 2010 
From: rcritten at redhat.com (Rob Crittenden) Date: Wed, 03 Nov 2010 11:37:02 -0400 Subject: [Freeipa-devel] [ PATCH ] lite-server.py failing due to cli.py dependency: import default_encoding_utf8 In-Reply-To: <4CD180AE.2030701@redhat.com> References: <4CD180AE.2030701@redhat.com> Message-ID: <4CD1819E.1030105@redhat.com> Dmitri Pal wrote: > JR Aquino wrote: >> ./lite-server.py -d >> ipa: DEBUG: importing all plugin modules in '/usr/src/freeipa/ipalib/plugins'... >> ipa: DEBUG: importing plugin module '/usr/src/freeipa/ipalib/plugins/aci.py' >> ipa: DEBUG: importing plugin module '/usr/src/freeipa/ipalib/plugins/automount.py' >> ipa: ERROR: could not load plugin module '/usr/src/freeipa/ipalib/plugins/automount.py' >> Traceback (most recent call last): >> File "/usr/src/freeipa/ipalib/plugable.py", line 538, in import_plugins >> __import__(fullname) >> File "/usr/src/freeipa/ipalib/plugins/automount.py", line 172, in >> from ipalib.plugins.baseldap import * >> File "/usr/src/freeipa/ipalib/plugins/baseldap.py", line 30, in >> from ipalib.cli import to_cli, from_cli >> File "/usr/src/freeipa/ipalib/cli.py", line 35, in >> import default_encoding_utf8 >> ImportError: No module named default_encoding_utf8 >> >> Patch is a 1 liner that changes: >> >> import default_encoding_utf8 >> >> To >> >> from policycoreutils import default_encoding_utf8 >> >> > > But this one was not reviewed yet, right? It was, I'm trying to decide what to do with it. It would seem that the SELinux policycoreutils python package has an identically named shared library that seems to do the same thing. I'm checking with them to see if that is true, then we can decide if we want to use theirs or ours. rob From rcritten at redhat.com Wed Nov 3 15:52:27 2010 
From: rcritten at redhat.com (Rob Crittenden) Date: Wed, 03 Nov 2010 11:52:27 -0400 Subject: [Freeipa-devel] [PATCH] 595 add additional hbac services Message-ID: <4CD1853B.7030807@redhat.com> Add gdm, gdm-password and kdm as default hbac services. ticket https://fedorahosted.org/freeipa/ticket/307 rob -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-rcrit-595-hbac.patch Type: text/x-patch Size: 1396 bytes Desc: not available URL: From jdennis at redhat.com Wed Nov 3 15:59:33 2010 
From: jdennis at redhat.com (John Dennis) Date: Wed, 03 Nov 2010 11:59:33 -0400 Subject: [Freeipa-devel] [ PATCH ] lite-server.py failing due to cli.py dependency: import default_encoding_utf8 In-Reply-To: <4CD1819E.1030105@redhat.com> References: <4CD180AE.2030701@redhat.com> <4CD1819E.1030105@redhat.com> Message-ID: <4CD186E5.4040908@redhat.com> On 11/03/2010 11:37 AM, Rob Crittenden wrote: >>> Patch is a 1 liner that changes: >>> >>> import default_encoding_utf8 >>> >>> To >>> >>> from policycoreutils import default_encoding_utf8 >>> >>> >> >> But this one was not reviewed yet, right? > > It was, I'm trying to decide what to do with it. > > It would seem that the SELinux policycoreutils python package has an > identically named shared library that seems to do the same thing. I'm > checking with them to see if that is true, then we can decide if we want > to use theirs or ours. It is most likely identical as I provided the source code to both Dan (SELinux) and Rob (IPA). But I'm not sure I see the problem, we should be importing from our own package area, it's fine if there are two (identical for the moment) modules because they are in their own name space. Bottom line, we should be importing default_encoding_utf8 from *our* ipa package space, not from some other random area where there just happens to be an identically named module by coincidence. -- John Dennis Looking to carve out IT costs? www.redhat.com/carveoutcosts/ From ayoung at redhat.com Wed Nov 3 16:17:00 2010 
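John's point is that a bare `import default_encoding_utf8` is resolved by walking sys.path, so whichever same-named module appears first wins, while a package-qualified import is pinned to our own tree. The following added demonstration is not FreeIPA or policycoreutils code: the package name demo_ipa, the two generated helper modules and the directory layout are constructed in a temporary directory purely to show which copy each import form picks up.

```python
import importlib
import os
import sys
import tempfile

# Hypothetical names for the demonstration (constructed; not the real
# ipalib or policycoreutils layout).
HELPER = "default_encoding_utf8"
OUR_PKG = "demo_ipa"


def build_tree(root):
    """Write two same-named helper modules: one inside our package and one
    stray top-level copy in an unrelated directory."""
    ours_dir = os.path.join(root, "ours")
    stray_dir = os.path.join(root, "other")
    pkg_dir = os.path.join(ours_dir, OUR_PKG)
    os.makedirs(pkg_dir)
    os.makedirs(stray_dir)
    with open(os.path.join(pkg_dir, "__init__.py"), "w") as fh:
        fh.write("")
    with open(os.path.join(pkg_dir, HELPER + ".py"), "w") as fh:
        fh.write('ORIGIN = "ours"\n')
    with open(os.path.join(stray_dir, HELPER + ".py"), "w") as fh:
        fh.write('ORIGIN = "stray"\n')
    return ours_dir, stray_dir


def resolve(name):
    """Import `name` from scratch and report which copy was loaded."""
    top = name.partition(".")[0]
    for cached in (name, top):
        sys.modules.pop(cached, None)
    importlib.invalidate_caches()
    return importlib.import_module(name).ORIGIN


def demo():
    """Return (what the bare import picks, what the qualified import picks)."""
    root = tempfile.mkdtemp(prefix="import-demo-")
    ours_dir, stray_dir = build_tree(root)
    # The unrelated directory is placed ahead of ours on sys.path, as a
    # foreign package's directory easily can be.
    sys.path[:0] = [stray_dir, ours_dir]
    try:
        bare = resolve(HELPER)                      # walks sys.path: stray wins
        qualified = resolve(OUR_PKG + "." + HELPER)  # pinned to our package
    finally:
        sys.path.remove(stray_dir)
        sys.path.remove(ours_dir)
    return bare, qualified


if __name__ == "__main__":
    bare, qualified = demo()
    print("bare import ->", bare, "; qualified import ->", qualified)
```

The bare form silently takes whatever is first on the path, so a coincidentally named module from another package, or a planted one, replaces ours; the qualified form only ever loads the copy under our own package, which is the behaviour John is asking for.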
From: ayoung at redhat.com (Adam Young) Date: Wed, 03 Nov 2010 12:17:00 -0400 Subject: [Freeipa-devel] [PATCH] 594 display aci components separately In-Reply-To: <4CD180A7.9090500@redhat.com> References: <4CD180A7.9090500@redhat.com> Message-ID: <4CD18AFC.2000801@redhat.com> On 11/03/2010 11:32 AM, Rob Crittenden wrote: > Break out an ACI into components so it is easier to see what it does. > This will be needed for UI support. > > I also filled more supported types and made the List parameter perform > validation. > > rob > > > _______________________________________________ > Freeipa-devel mailing list > Freeipa-devel at redhat.com > https://www.redhat.com/mailman/listinfo/freeipa-devel NACK. Doesn't run. With a full install: [ayoung at ipa freeipa]$ ipa aci-find ipa: ERROR: no such entry And on the lite server: [ayoung at ipa freeipa]$ ipa aci-find ipa: ERROR: non-public: ValueError: aci_find.validate_output(): missing keys ['truncated'] in {'count': 53, 'result': (u'(targetattr != "userPassword || krbPrincipalKey || sambaLMPassword || sambaNTPassword || passwordHistory || krbMKey")(version 3.0;acl "Enable Anonymous access";allow (read,search,compare) userdn = "ldap:///anyone";)', u'(targetattr != "userPassword || krbPrincipalKey || sambaLMPassword || sambaNTPassword || passwordHistory || krbMKey || ipaUniqueId || memberOf || serverHostName || enrolledBy")(version 3.0;acl "Admin can manage any entry";allow (all) groupdn = "ldap:///cn=admins,cn=groups,cn=accounts,dc=ayoung,dc=boston,dc=devel,dc=redhat,dc=com";)', u'(targetattr = "userPassword || krbPrincipalKey || sambaLMPassword || sambaNTPassword")(version 3.0;acl "Self can write own password";allow (write) userdn = "ldap:///self";)', u'(targetattr = "userPassword || krbPrincipalKey || sambaLMPassword || sambaNTPassword || passwordHistory")(version 3.0;acl "Admins can write passwords";allow (add,delete,write) groupdn = "ldap:///cn=admins,cn=groups,cn=accounts,dc=ayoung,dc=boston,dc=devel,dc=redhat,dc=com";)', 
u'(targetattr = "userPassword || krbPrincipalKey || sambaLMPassword || sambaNTPassword || passwordHistory")(version 3.0;acl "Password change service can read/write passwords";allow (read,write) userdn = "ldap:///krbprincipalname=kadmin/changepw at AYOUNG.BOSTON.DEVEL.REDHAT.COM,cn=AYOUNG.BOSTON.DEVEL.REDHAT.COM,cn=kerberos,dc=ayoung,dc=boston,dc=devel,dc=redhat,dc=com";)', u'(targetattr = "userPassword || krbPrincipalKey || krbPasswordExpiration || sambaLMPassword || sambaNTPassword || passwordHistory")(version 3.0;acl "KDC System Account can access passwords";allow (all) userdn = "ldap:///uid=kdc,cn=sysaccounts,cn=etc,dc=ayoung,dc=boston,dc=devel,dc=redhat,dc=com";)', u'(targetattr = "krbLastSuccessfulAuth || krbLastFailedAuth || krbLoginFailedCount")(version 3.0;acl "KDC System Account can update some fields";allow (write) userdn = "ldap:///uid=kdc,cn=sysaccounts,cn=etc,dc=ayoung,dc=boston,dc=devel,dc=redhat,dc=com";)', u'(targetattr = "krbPrincipalName || krbCanonicalName || krbUPEnabled || krbMKey || krbTicketPolicyReference || krbPrincipalExpiration || krbPasswordExpiration || krbPwdPolicyReference || krbPrincipalType || krbPwdHistory || krbLastPwdChange || krbPrincipalAliases || krbExtraData || krbLastSuccessfulAuth || krbLastFailedAuth || krbLoginFailedCount")(version 3.0;acl "Only the KDC System Account has access to kerberos material";allow (read,search,compare) userdn = "ldap:///uid=kdc,cn=sysaccounts,cn=etc,dc=ayoung,dc=boston,dc=devel,dc=redhat,dc=com";)', u'(targetattr = "krbMaxPwdLife || krbMinPwdLife || krbPwdMinDiffChars || krbPwdMinLength || krbPwdHistoryLength")(targetfilter = "(objectClass=krbPwdPolicy)")(version 3.0;acl "Admins can write password policies";allow (read,search,compare,write) groupdn = "ldap:///cn=admins,cn=groups,cn=accounts,dc=ayoung,dc=boston,dc=devel,dc=redhat,dc=com";)', u'(targetattr = "givenName || sn || cn || displayName || title || initials || loginShell || gecos || homePhone || mobile || pager || facsimileTelephoneNumber 
|| telephoneNumber || street || roomNumber || l || st || postalCode || manager || secretary || description || carLicense || labeledURI || inetUserHTTPURL || seeAlso || employeeType || businessCategory || ou")(version 3.0;acl "Self service";allow (write) userdn = "ldap:///self";)', u'(targetattr = "objectClass")(target = "ldap:///cn=certificate status,cn=virtual operations,dc=ayoung,dc=boston,dc=devel,dc=redhat,dc=com")(version 3.0;acl "Get Certificates status from the CA";allow (write) groupdn = "ldap:///cn=certificate_status,cn=taskgroups,cn=accounts,dc=ayoung,dc=boston,dc=devel,dc=redhat,dc=com";)', u'(target = "ldap:///uid=*,cn=users,cn=accounts,dc=ayoung,dc=boston,dc=devel,dc=redhat,dc=com")(version 3.0;acl "Remove Users";allow (delete) groupdn = "ldap:///cn=removeusers,cn=taskgroups,cn=accounts,dc=ayoung,dc=boston,dc=devel,dc=redhat,dc=com";)', u'(targetattr = "member")(target = "ldap:///cn=*,cn=groups,cn=accounts,dc=ayoung,dc=boston,dc=devel,dc=redhat,dc=com")(version 3.0;acl "Modify group membership";allow (write) groupdn = "ldap:///cn=modifygroupmembership,cn=taskgroups,cn=accounts,dc=ayoung,dc=boston,dc=devel,dc=redhat,dc=com";)', u'(target = "ldap:///krbprincipalname=*,cn=services,cn=accounts,dc=ayoung,dc=boston,dc=devel,dc=redhat,dc=com")(version 3.0;acl "Add Services";allow (add) groupdn = "ldap:///cn=addservices,cn=taskgroups,cn=accounts,dc=ayoung,dc=boston,dc=devel,dc=redhat,dc=com";)', u'(targetattr = "userPassword || krbPrincipalKey || sambaLMPassword || sambaNTPassword || passwordHistory")(version 3.0;acl "change_password";allow (write) groupdn = "ldap:///cn=change_password,cn=taskgroups,cn=accounts,dc=ayoung,dc=boston,dc=devel,dc=redhat,dc=com";)', u'(target = "ldap:///cn=*,cn=groups,cn=accounts,dc=ayoung,dc=boston,dc=devel,dc=redhat,dc=com")(version 3.0;acl "Add Groups";allow (add) groupdn = "ldap:///cn=addgroups,cn=taskgroups,cn=accounts,dc=ayoung,dc=boston,dc=devel,dc=redhat,dc=com";)', u'(targetattr = "cn || description")(target = 
"ldap:///cn=*,cn=hostgroups,cn=accounts,dc=ayoung,dc=boston,dc=devel,dc=redhat,dc=com")(version 3.0;acl "Modify Hostgroups";allow (write) groupdn = "ldap:///cn=modifyhostgroups,cn=taskgroups,cn=accounts,dc=ayoung,dc=boston,dc=devel,dc=redhat,dc=com";)', u'(targetattr = "cn || description")(target = "ldap:///cn=*,cn=rolegroups,cn=accounts,dc=ayoung,dc=boston,dc=devel,dc=redhat,dc=com")(version 3.0;acl "Modify Roles";allow (write) groupdn = "ldap:///cn=modifyroles,cn=taskgroups,cn=accounts,dc=ayoung,dc=boston,dc=devel,dc=redhat,dc=com";)', u'(targetattr = "memberhost || externalhost || memberuser || member")(target = "ldap:///ipauniqueid=*,cn=ng,cn=alt,dc=ayoung,dc=boston,dc=devel,dc=redhat,dc=com")(version 3.0;acl "Modify netgroup membership";allow (write) groupdn = "ldap:///cn=modifynetgroupmembership,cn=taskgroups,cn=accounts,dc=ayoung,dc=boston,dc=devel,dc=redhat,dc=com";)', u'(targetattr = "userCertificate")(target = "ldap:///krbprincipalname=*,cn=services,cn=accounts,dc=ayoung,dc=boston,dc=devel,dc=redhat,dc=com")(version 3.0;acl "Modify Services";allow (write) groupdn = "ldap:///cn=modifyservices,cn=taskgroups,cn=accounts,dc=ayoung,dc=boston,dc=devel,dc=redhat,dc=com";)', u'(target = "ldap:///cn=*,cn=hostgroups,cn=accounts,dc=ayoung,dc=boston,dc=devel,dc=redhat,dc=com")(version 3.0;acl "Add Hostgroups";allow (add) groupdn = "ldap:///cn=addhostgroups,cn=taskgroups,cn=accounts,dc=ayoung,dc=boston,dc=devel,dc=redhat,dc=com";)', u'(target = "ldap:///automountmapname=*,cn=automount,dc=ayoung,dc=boston,dc=devel,dc=redhat,dc=com")(version 3.0;acl "Remove automount maps";allow (delete) groupdn = "ldap:///cn=removeautomount,cn=taskgroups,cn=accounts,dc=ayoung,dc=boston,dc=devel,dc=redhat,dc=com";)', u'(target = "ldap:///automountkey=*,automountmapname=*,cn=automount,dc=ayoung,dc=boston,dc=devel,dc=redhat,dc=com")(version 3.0;acl "Remove automount keys";allow (delete) groupdn = 
"ldap:///cn=removeautomount,cn=taskgroups,cn=accounts,dc=ayoung,dc=boston,dc=devel,dc=redhat,dc=com";)', u'(target = "ldap:///krbprincipalname=*,cn=services,cn=accounts,dc=ayoung,dc=boston,dc=devel,dc=redhat,dc=com")(version 3.0;acl "Remove Services";allow (delete) groupdn = "ldap:///cn=removeservices,cn=taskgroups,cn=accounts,dc=ayoung,dc=boston,dc=devel,dc=redhat,dc=com";)', u'(target = "ldap:///uid=*,cn=users,cn=accounts,dc=ayoung,dc=boston,dc=devel,dc=redhat,dc=com")(version 3.0;acl "Add Users";allow (add) groupdn = "ldap:///cn=addusers,cn=taskgroups,cn=accounts,dc=ayoung,dc=boston,dc=devel,dc=redhat,dc=com";)', u'(targetattr = "cn || description || l || location || nshardwareplatform || nsosversion")(target = "ldap:///fqdn=*,cn=computers,cn=accounts,dc=ayoung,dc=boston,dc=devel,dc=redhat,dc=com")(version 3.0;acl "Modify Hosts";allow (write) groupdn = "ldap:///cn=modifyhosts,cn=taskgroups,cn=accounts,dc=ayoung,dc=boston,dc=devel,dc=redhat,dc=com";)', u'(targetattr = "member")(target = "ldap:///cn=ipausers,cn=groups,cn=accounts,dc=ayoung,dc=boston,dc=devel,dc=redhat,dc=com")(version 3.0;acl "Add user to default group";allow (write) groupdn = "ldap:///cn=add_user_to_default_group,cn=taskgroups,cn=accounts,dc=ayoung,dc=boston,dc=devel,dc=redhat,dc=com";)', u'(target = "ldap:///cn=*,cn=hostgroups,cn=accounts,dc=ayoung,dc=boston,dc=devel,dc=redhat,dc=com")(version 3.0;acl "Remove Hostgroups";allow (delete) groupdn = "ldap:///cn=removehostgroups,cn=taskgroups,cn=accounts,dc=ayoung,dc=boston,dc=devel,dc=redhat,dc=com";)', u'(target = "ldap:///ipauniqueid=*,cn=entitlements,cn=etc,dc=greyoak,dc=com")(version 3.0;acl "Remove entitlement entries";allow (delete) groupdn = "ldap:///cn=removeentitlements,cn=taskgroups,cn=accounts,dc=greyoak,dc=com";)', u'(targetattr = "krbPrincipalName || enrolledBy || objectClass")(target = "ldap:///fqdn=*,cn=computers,cn=accounts,dc=ayoung,dc=boston,dc=devel,dc=redhat,dc=com")(version 3.0;acl "Enroll a host";allow (write) groupdn = 
"ldap:///cn=enroll_host,cn=taskgroups, cn=accounts,dc=ayoung,dc=boston,dc=devel,dc=redhat,dc=com";)', u'(target = "ldap:///fqdn=*,cn=computers,cn=accounts,dc=ayoung,dc=boston,dc=devel,dc=redhat,dc=com")(version 3.0;acl "Add Hosts";allow (add) groupdn = "ldap:///cn=addhosts,cn=taskgroups,cn=accounts,dc=ayoung,dc=boston,dc=devel,dc=redhat,dc=com";)', u'(target = "ldap:///ipauniqueid=*,cn=ng,cn=alt,dc=ayoung,dc=boston,dc=devel,dc=redhat,dc=com")(version 3.0;acl "Remove netgroups";allow (delete) groupdn = "ldap:///cn=removenetgroups,cn=taskgroups,cn=accounts,dc=ayoung,dc=boston,dc=devel,dc=redhat,dc=com";)', u'(targetattr = "description")(target = "ldap:///ipauniqueid=*,cn=ng,cn=alt,dc=ayoung,dc=boston,dc=devel,dc=redhat,dc=com")(version 3.0;acl "Modify netgroups";allow (write) groupdn = "ldap:///cn=modifynetgroups,cn=taskgroups,cn=accounts,dc=ayoung,dc=boston,dc=devel,dc=redhat,dc=com";)', u'(targetattr = "member")(target = "ldap:///cn=*,cn=rolegroups,cn=accounts,dc=ayoung,dc=boston,dc=devel,dc=redhat,dc=com")(version 3.0;acl "Modify role group membership";allow (write) groupdn = "ldap:///cn=modifyrolegroupmembership,cn=taskgroups,cn=accounts,dc=ayoung,dc=boston,dc=devel,dc=redhat,dc=com";)', u'(targetattr = "objectClass")(target = "ldap:///cn=request certificate,cn=virtual operations,dc=ayoung,dc=boston,dc=devel,dc=redhat,dc=com")(version 3.0;acl "Request Certificates from the CA";allow (write) groupdn = "ldap:///cn=request_certs,cn=taskgroups,cn=accounts,dc=ayoung,dc=boston,dc=devel,dc=redhat,dc=com";)', u'(targetattr = "userCertificate")(target = "ldap:///ipauniqueid=*,cn=entitlements,cn=etc,dc=greyoak,dc=com")(version 3.0;acl "Modify entitlements";allow (write) groupdn = "ldap:///cn=modifyentitlements,cn=taskgroups,cn=accounts,dc=greyoak,dc=com";)', u'(targetattr = "member")(target = "ldap:///cn=*,cn=taskgroups,cn=accounts,dc=ayoung,dc=boston,dc=devel,dc=redhat,dc=com")(version 3.0;acl "Modify task group membership";allow (write) groupdn = 
"ldap:///cn=modifytaskgroupmembership,cn=taskgroups,cn=accounts,dc=ayoung,dc=boston,dc=devel,dc=redhat,dc=com";)', u'(target = "ldap:///cn=*,cn=rolegroups,cn=accounts,dc=ayoung,dc=boston,dc=devel,dc=redhat,dc=com")(version 3.0;acl "Add Roles";allow (add) groupdn = "ldap:///cn=addroles,cn=taskgroups,cn=accounts,dc=ayoung,dc=boston,dc=devel,dc=redhat,dc=com";)', u'(targetattr = "objectClass")(target = "ldap:///cn=certificate remove hold,cn=virtual operations,dc=ayoung,dc=boston,dc=devel,dc=redhat,dc=com")(version 3.0;acl "Certificate Remove Hold";allow (write) groupdn = "ldap:///cn=certificate_remove_hold,cn=taskgroups,cn=accounts,dc=ayoung,dc=boston,dc=devel,dc=redhat,dc=com";)', u'(target = "ldap:///cn=*,cn=rolegroups,cn=accounts,dc=ayoung,dc=boston,dc=devel,dc=redhat,dc=com")(version 3.0;acl "Remove Roles";allow (delete) groupdn = "ldap:///cn=removeroles,cn=taskgroups,cn=accounts,dc=ayoung,dc=boston,dc=devel,dc=redhat,dc=com";)', u'(target = "ldap:///automountmapname=*,cn=automount,dc=ayoung,dc=boston,dc=devel,dc=redhat,dc=com")(version 3.0;acl "Add automount maps";allow (add) groupdn = "ldap:///cn=addautomount,cn=taskgroups,cn=accounts,dc=ayoung,dc=boston,dc=devel,dc=redhat,dc=com";)', u'(targetattr = "givenName || sn || cn || displayName || title || initials || loginShell || gecos || homePhone || mobile || pager || facsimileTelephoneNumber || telephoneNumber || street || roomNumber || l || st || postalCode || manager || secretary || description || carLicense || labeledURI || inetUserHTTPURL || seeAlso || employeeType || businessCategory || ou || mepManagedEntry || objectclass")(target = "ldap:///uid=*,cn=users,cn=accounts,dc=ayoung,dc=boston,dc=devel,dc=redhat,dc=com")(version 3.0;acl "Modify Users";allow (write) groupdn = "ldap:///cn=modifyusers,cn=taskgroups,cn=accounts,dc=ayoung,dc=boston,dc=devel,dc=redhat,dc=com";)', u'(target = "ldap:///ipauniqueid=*,cn=ng,cn=alt,dc=ayoung,dc=boston,dc=devel,dc=redhat,dc=com")(version 3.0;acl "Add netgroups";allow (add) 
groupdn = "ldap:///cn=addnetgroups,cn=taskgroups,cn=accounts,dc=ayoung,dc=boston,dc=devel,dc=redhat,dc=com";)', u'(target = "ldap:///fqdn=*,cn=computers,cn=accounts,dc=ayoung,dc=boston,dc=devel,dc=redhat,dc=com")(version 3.0;acl "Remove Hosts";allow (delete) groupdn = "ldap:///cn=removehosts,cn=taskgroups,cn=accounts,dc=ayoung,dc=boston,dc=devel,dc=redhat,dc=com";)', u'(target = "ldap:///ipauniqueid=*,cn=entitlements,cn=etc,dc=greyoak,dc=com")(version 3.0;acl "Add entitlements";allow (add) groupdn = "ldap:///cn=addentitlements,cn=taskgroups,cn=accounts,dc=greyoak,dc=com";)', u'(target = "ldap:///automountkey=*,automountmapname=*,cn=automount,dc=ayoung,dc=boston,dc=devel,dc=redhat,dc=com")(version 3.0;acl "Add automount keys";allow (add) groupdn = "ldap:///cn=addautomount,cn=taskgroups,cn=accounts,dc=ayoung,dc=boston,dc=devel,dc=redhat,dc=com";)', u'(target = "ldap:///cn=*,cn=groups,cn=accounts,dc=ayoung,dc=boston,dc=devel,dc=redhat,dc=com")(version 3.0;acl "Remove Groups";allow (delete) groupdn = "ldap:///cn=removegroups,cn=taskgroups,cn=accounts,dc=ayoung,dc=boston,dc=devel,dc=redhat,dc=com";)', u'(targetattr = "objectClass")(target = "ldap:///cn=retrieve certificate,cn=virtual operations,dc=ayoung,dc=boston,dc=devel,dc=redhat,dc=com")(version 3.0;acl "Retrieve Certificates from the CA";allow (write) groupdn = "ldap:///cn=retrieve_certs,cn=taskgroups,cn=accounts,dc=ayoung,dc=boston,dc=devel,dc=redhat,dc=com";)', u'(targetattr = "objectClass")(target = "ldap:///cn=revoke certificate,cn=virtual operations,dc=ayoung,dc=boston,dc=devel,dc=redhat,dc=com")(version 3.0;acl "Revoke Certificate";allow (write) groupdn = "ldap:///cn=revoke_certificate,cn=taskgroups,cn=accounts,dc=ayoung,dc=boston,dc=devel,dc=redhat,dc=com";)', u'(targetattr = "krbPrincipalKey || krbLastPwdChange")(target = "ldap:///fqdn=*,cn=computers,cn=accounts,dc=ayoung,dc=boston,dc=devel,dc=redhat,dc=com")(version 3.0;acl "Manage host keytab";allow (write) groupdn = 
"ldap:///cn=manage_host_keytab,cn=taskgroups, cn=accounts,dc=ayoung,dc=boston,dc=devel,dc=redhat,dc=com";)', u'(targetattr = "cn || description || gidnumber || objectclass || mepManagedBy")(target = "ldap:///cn=*,cn=groups,cn=accounts,dc=ayoung,dc=boston,dc=devel,dc=redhat,dc=com")(version 3.0;acl "Modify Groups";allow (write) groupdn = "ldap:///cn=modifygroups,cn=taskgroups,cn=accounts,dc=ayoung,dc=boston,dc=devel,dc=redhat,dc=com";)', u'(targetattr = "member")(target = "ldap:///cn=*,cn=hostgroups,cn=accounts,dc=ayoung,dc=boston,dc=devel,dc=redhat,dc=com")(version 3.0;acl "Modify host group membership";allow (write) groupdn = "ldap:///cn=modifyhostgroupmembership,cn=taskgroups,cn=accounts,dc=ayoung,dc=boston,dc=devel,dc=redhat,dc=com";)', u'(targetattr = "objectClass")(target = "ldap:///cn=request certificate different host,cn=virtual operations,dc=ayoung,dc=boston,dc=devel,dc=redhat,dc=com")(version 3.0;acl "Request Certificates from a different host";allow (write) groupdn = "ldap:///cn=request_cert_different_host,cn=taskgroups,cn=accounts,dc=ayoung,dc=boston,dc=devel,dc=redhat,dc=com";)'), 'summary': u'53 ACIs matched'} Traceback (most recent call last): File "/usr/lib/python2.6/site-packages/ipalib/backend.py", line 125, in execute result = self.Command[_name](*args, **options) File "/usr/lib/python2.6/site-packages/ipalib/frontend.py", line 428, in __call__ self.validate_output(ret) File "/usr/lib/python2.6/site-packages/ipalib/frontend.py", line 837, in validate_output nice, missing, output) ValueError: aci_find.validate_output(): missing keys ['truncated'] in {'count': 53, 'result': (u'(targetattr != "userPassword || krbPrincipalKey || sambaLMPassword || sambaNTPassword || passwordHistory || krbMKey")(version 3.0;acl "Enable Anonymous access";allow (read,search,compare) userdn = "ldap:///anyone";)', u'(targetattr != "userPassword || krbPrincipalKey || sambaLMPassword || sambaNTPassword || passwordHistory || krbMKey || ipaUniqueId || memberOf || 
serverHostName || enrolledBy")(version 3.0;acl "Admin can manage any entry";allow (all) groupdn = "ldap:///cn=admins,cn=groups,cn=accounts,dc=ayoung,dc=boston,dc=devel,dc=redhat,dc=com";)', u'(targetattr = "userPassword || krbPrincipalKey || sambaLMPassword || sambaNTPassword")(version 3.0;acl "Self can write own password";allow (write) userdn = "ldap:///self";)', u'(targetattr = "userPassword || krbPrincipalKey || sambaLMPassword || sambaNTPassword || passwordHistory")(version 3.0;acl "Admins can write passwords";allow (add,delete,write) groupdn = "ldap:///cn=admins,cn=groups,cn=accounts,dc=ayoung,dc=boston,dc=devel,dc=redhat,dc=com";)', u'(targetattr = "userPassword || krbPrincipalKey || sambaLMPassword || sambaNTPassword || passwordHistory")(version 3.0;acl "Password change service can read/write passwords";allow (read,write) userdn = "ldap:///krbprincipalname=kadmin/changepw at AYOUNG.BOSTON.DEVEL.REDHAT.COM,cn=AYOUNG.BOSTON.DEVEL.REDHAT.COM,cn=kerberos,dc=ayoung,dc=boston,dc=devel,dc=redhat,dc=com";)', u'(targetattr = "userPassword || krbPrincipalKey || krbPasswordExpiration || sambaLMPassword || sambaNTPassword || passwordHistory")(version 3.0;acl "KDC System Account can access passwords";allow (all) userdn = "ldap:///uid=kdc,cn=sysaccounts,cn=etc,dc=ayoung,dc=boston,dc=devel,dc=redhat,dc=com";)', u'(targetattr = "krbLastSuccessfulAuth || krbLastFailedAuth || krbLoginFailedCount")(version 3.0;acl "KDC System Account can update some fields";allow (write) userdn = "ldap:///uid=kdc,cn=sysaccounts,cn=etc,dc=ayoung,dc=boston,dc=devel,dc=redhat,dc=com";)', u'(targetattr = "krbPrincipalName || krbCanonicalName || krbUPEnabled || krbMKey || krbTicketPolicyReference || krbPrincipalExpiration || krbPasswordExpiration || krbPwdPolicyReference || krbPrincipalType || krbPwdHistory || krbLastPwdChange || krbPrincipalAliases || krbExtraData || krbLastSuccessfulAuth || krbLastFailedAuth || krbLoginFailedCount")(version 3.0;acl "Only the KDC System Account has access to 
kerberos material";allow (read,search,compare) userdn = "ldap:///uid=kdc,cn=sysaccounts,cn=etc,dc=ayoung,dc=boston,dc=devel,dc=redhat,dc=com";)', u'(targetattr = "krbMaxPwdLife || krbMinPwdLife || krbPwdMinDiffChars || krbPwdMinLength || krbPwdHistoryLength")(targetfilter = "(objectClass=krbPwdPolicy)")(version 3.0;acl "Admins can write password policies";allow (read,search,compare,write) groupdn = "ldap:///cn=admins,cn=groups,cn=accounts,dc=ayoung,dc=boston,dc=devel,dc=redhat,dc=com";)', u'(targetattr = "givenName || sn || cn || displayName || title || initials || loginShell || gecos || homePhone || mobile || pager || facsimileTelephoneNumber || telephoneNumber || street || roomNumber || l || st || postalCode || manager || secretary || description || carLicense || labeledURI || inetUserHTTPURL || seeAlso || employeeType || businessCategory || ou")(version 3.0;acl "Self service";allow (write) userdn = "ldap:///self";)', u'(targetattr = "objectClass")(target = "ldap:///cn=certificate status,cn=virtual operations,dc=ayoung,dc=boston,dc=devel,dc=redhat,dc=com")(version 3.0;acl "Get Certificates status from the CA";allow (write) groupdn = "ldap:///cn=certificate_status,cn=taskgroups,cn=accounts,dc=ayoung,dc=boston,dc=devel,dc=redhat,dc=com";)', u'(target = "ldap:///uid=*,cn=users,cn=accounts,dc=ayoung,dc=boston,dc=devel,dc=redhat,dc=com")(version 3.0;acl "Remove Users";allow (delete) groupdn = "ldap:///cn=removeusers,cn=taskgroups,cn=accounts,dc=ayoung,dc=boston,dc=devel,dc=redhat,dc=com";)', u'(targetattr = "member")(target = "ldap:///cn=*,cn=groups,cn=accounts,dc=ayoung,dc=boston,dc=devel,dc=redhat,dc=com")(version 3.0;acl "Modify group membership";allow (write) groupdn = "ldap:///cn=modifygroupmembership,cn=taskgroups,cn=accounts,dc=ayoung,dc=boston,dc=devel,dc=redhat,dc=com";)', u'(target = "ldap:///krbprincipalname=*,cn=services,cn=accounts,dc=ayoung,dc=boston,dc=devel,dc=redhat,dc=com")(version 3.0;acl "Add Services";allow (add) groupdn = 
"ldap:///cn=addservices,cn=taskgroups,cn=accounts,dc=ayoung,dc=boston,dc=devel,dc=redhat,dc=com";)', u'(targetattr = "userPassword || krbPrincipalKey || sambaLMPassword || sambaNTPassword || passwordHistory")(version 3.0;acl "change_password";allow (write) groupdn = "ldap:///cn=change_password,cn=taskgroups,cn=accounts,dc=ayoung,dc=boston,dc=devel,dc=redhat,dc=com";)', u'(target = "ldap:///cn=*,cn=groups,cn=accounts,dc=ayoung,dc=boston,dc=devel,dc=redhat,dc=com")(version 3.0;acl "Add Groups";allow (add) groupdn = "ldap:///cn=addgroups,cn=taskgroups,cn=accounts,dc=ayoung,dc=boston,dc=devel,dc=redhat,dc=com";)', u'(targetattr = "cn || description")(target = "ldap:///cn=*,cn=hostgroups,cn=accounts,dc=ayoung,dc=boston,dc=devel,dc=redhat,dc=com")(version 3.0;acl "Modify Hostgroups";allow (write) groupdn = "ldap:///cn=modifyhostgroups,cn=taskgroups,cn=accounts,dc=ayoung,dc=boston,dc=devel,dc=redhat,dc=com";)', u'(targetattr = "cn || description")(target = "ldap:///cn=*,cn=rolegroups,cn=accounts,dc=ayoung,dc=boston,dc=devel,dc=redhat,dc=com")(version 3.0;acl "Modify Roles";allow (write) groupdn = "ldap:///cn=modifyroles,cn=taskgroups,cn=accounts,dc=ayoung,dc=boston,dc=devel,dc=redhat,dc=com";)', u'(targetattr = "memberhost || externalhost || memberuser || member")(target = "ldap:///ipauniqueid=*,cn=ng,cn=alt,dc=ayoung,dc=boston,dc=devel,dc=redhat,dc=com")(version 3.0;acl "Modify netgroup membership";allow (write) groupdn = "ldap:///cn=modifynetgroupmembership,cn=taskgroups,cn=accounts,dc=ayoung,dc=boston,dc=devel,dc=redhat,dc=com";)', u'(targetattr = "userCertificate")(target = "ldap:///krbprincipalname=*,cn=services,cn=accounts,dc=ayoung,dc=boston,dc=devel,dc=redhat,dc=com")(version 3.0;acl "Modify Services";allow (write) groupdn = "ldap:///cn=modifyservices,cn=taskgroups,cn=accounts,dc=ayoung,dc=boston,dc=devel,dc=redhat,dc=com";)', u'(target = "ldap:///cn=*,cn=hostgroups,cn=accounts,dc=ayoung,dc=boston,dc=devel,dc=redhat,dc=com")(version 3.0;acl "Add Hostgroups";allow 
(add) groupdn = "ldap:///cn=addhostgroups,cn=taskgroups,cn=accounts,dc=ayoung,dc=boston,dc=devel,dc=redhat,dc=com";)', u'(target = "ldap:///automountmapname=*,cn=automount,dc=ayoung,dc=boston,dc=devel,dc=redhat,dc=com")(version 3.0;acl "Remove automount maps";allow (delete) groupdn = "ldap:///cn=removeautomount,cn=taskgroups,cn=accounts,dc=ayoung,dc=boston,dc=devel,dc=redhat,dc=com";)', u'(target = "ldap:///automountkey=*,automountmapname=*,cn=automount,dc=ayoung,dc=boston,dc=devel,dc=redhat,dc=com")(version 3.0;acl "Remove automount keys";allow (delete) groupdn = "ldap:///cn=removeautomount,cn=taskgroups,cn=accounts,dc=ayoung,dc=boston,dc=devel,dc=redhat,dc=com";)', u'(target = "ldap:///krbprincipalname=*,cn=services,cn=accounts,dc=ayoung,dc=boston,dc=devel,dc=redhat,dc=com")(version 3.0;acl "Remove Services";allow (delete) groupdn = "ldap:///cn=removeservices,cn=taskgroups,cn=accounts,dc=ayoung,dc=boston,dc=devel,dc=redhat,dc=com";)', u'(target = "ldap:///uid=*,cn=users,cn=accounts,dc=ayoung,dc=boston,dc=devel,dc=redhat,dc=com")(version 3.0;acl "Add Users";allow (add) groupdn = "ldap:///cn=addusers,cn=taskgroups,cn=accounts,dc=ayoung,dc=boston,dc=devel,dc=redhat,dc=com";)', u'(targetattr = "cn || description || l || location || nshardwareplatform || nsosversion")(target = "ldap:///fqdn=*,cn=computers,cn=accounts,dc=ayoung,dc=boston,dc=devel,dc=redhat,dc=com")(version 3.0;acl "Modify Hosts";allow (write) groupdn = "ldap:///cn=modifyhosts,cn=taskgroups,cn=accounts,dc=ayoung,dc=boston,dc=devel,dc=redhat,dc=com";)', u'(targetattr = "member")(target = "ldap:///cn=ipausers,cn=groups,cn=accounts,dc=ayoung,dc=boston,dc=devel,dc=redhat,dc=com")(version 3.0;acl "Add user to default group";allow (write) groupdn = "ldap:///cn=add_user_to_default_group,cn=taskgroups,cn=accounts,dc=ayoung,dc=boston,dc=devel,dc=redhat,dc=com";)', u'(target = "ldap:///cn=*,cn=hostgroups,cn=accounts,dc=ayoung,dc=boston,dc=devel,dc=redhat,dc=com")(version 3.0;acl "Remove Hostgroups";allow (delete) 
groupdn = "ldap:///cn=removehostgroups,cn=taskgroups,cn=accounts,dc=ayoung,dc=boston,dc=devel,dc=redhat,dc=com";)', u'(target = "ldap:///ipauniqueid=*,cn=entitlements,cn=etc,dc=greyoak,dc=com")(version 3.0;acl "Remove entitlement entries";allow (delete) groupdn = "ldap:///cn=removeentitlements,cn=taskgroups,cn=accounts,dc=greyoak,dc=com";)', u'(targetattr = "krbPrincipalName || enrolledBy || objectClass")(target = "ldap:///fqdn=*,cn=computers,cn=accounts,dc=ayoung,dc=boston,dc=devel,dc=redhat,dc=com")(version 3.0;acl "Enroll a host";allow (write) groupdn = "ldap:///cn=enroll_host,cn=taskgroups, cn=accounts,dc=ayoung,dc=boston,dc=devel,dc=redhat,dc=com";)', u'(target = "ldap:///fqdn=*,cn=computers,cn=accounts,dc=ayoung,dc=boston,dc=devel,dc=redhat,dc=com")(version 3.0;acl "Add Hosts";allow (add) groupdn = "ldap:///cn=addhosts,cn=taskgroups,cn=accounts,dc=ayoung,dc=boston,dc=devel,dc=redhat,dc=com";)', u'(target = "ldap:///ipauniqueid=*,cn=ng,cn=alt,dc=ayoung,dc=boston,dc=devel,dc=redhat,dc=com")(version 3.0;acl "Remove netgroups";allow (delete) groupdn = "ldap:///cn=removenetgroups,cn=taskgroups,cn=accounts,dc=ayoung,dc=boston,dc=devel,dc=redhat,dc=com";)', u'(targetattr = "description")(target = "ldap:///ipauniqueid=*,cn=ng,cn=alt,dc=ayoung,dc=boston,dc=devel,dc=redhat,dc=com")(version 3.0;acl "Modify netgroups";allow (write) groupdn = "ldap:///cn=modifynetgroups,cn=taskgroups,cn=accounts,dc=ayoung,dc=boston,dc=devel,dc=redhat,dc=com";)', u'(targetattr = "member")(target = "ldap:///cn=*,cn=rolegroups,cn=accounts,dc=ayoung,dc=boston,dc=devel,dc=redhat,dc=com")(version 3.0;acl "Modify role group membership";allow (write) groupdn = "ldap:///cn=modifyrolegroupmembership,cn=taskgroups,cn=accounts,dc=ayoung,dc=boston,dc=devel,dc=redhat,dc=com";)', u'(targetattr = "objectClass")(target = "ldap:///cn=request certificate,cn=virtual operations,dc=ayoung,dc=boston,dc=devel,dc=redhat,dc=com")(version 3.0;acl "Request Certificates from the CA";allow (write) groupdn = 
"ldap:///cn=request_certs,cn=taskgroups,cn=accounts,dc=ayoung,dc=boston,dc=devel,dc=redhat,dc=com";)', u'(targetattr = "userCertificate")(target = "ldap:///ipauniqueid=*,cn=entitlements,cn=etc,dc=greyoak,dc=com")(version 3.0;acl "Modify entitlements";allow (write) groupdn = "ldap:///cn=modifyentitlements,cn=taskgroups,cn=accounts,dc=greyoak,dc=com";)', u'(targetattr = "member")(target = "ldap:///cn=*,cn=taskgroups,cn=accounts,dc=ayoung,dc=boston,dc=devel,dc=redhat,dc=com")(version 3.0;acl "Modify task group membership";allow (write) groupdn = "ldap:///cn=modifytaskgroupmembership,cn=taskgroups,cn=accounts,dc=ayoung,dc=boston,dc=devel,dc=redhat,dc=com";)', u'(target = "ldap:///cn=*,cn=rolegroups,cn=accounts,dc=ayoung,dc=boston,dc=devel,dc=redhat,dc=com")(version 3.0;acl "Add Roles";allow (add) groupdn = "ldap:///cn=addroles,cn=taskgroups,cn=accounts,dc=ayoung,dc=boston,dc=devel,dc=redhat,dc=com";)', u'(targetattr = "objectClass")(target = "ldap:///cn=certificate remove hold,cn=virtual operations,dc=ayoung,dc=boston,dc=devel,dc=redhat,dc=com")(version 3.0;acl "Certificate Remove Hold";allow (write) groupdn = "ldap:///cn=certificate_remove_hold,cn=taskgroups,cn=accounts,dc=ayoung,dc=boston,dc=devel,dc=redhat,dc=com";)', u'(target = "ldap:///cn=*,cn=rolegroups,cn=accounts,dc=ayoung,dc=boston,dc=devel,dc=redhat,dc=com")(version 3.0;acl "Remove Roles";allow (delete) groupdn = "ldap:///cn=removeroles,cn=taskgroups,cn=accounts,dc=ayoung,dc=boston,dc=devel,dc=redhat,dc=com";)', u'(target = "ldap:///automountmapname=*,cn=automount,dc=ayoung,dc=boston,dc=devel,dc=redhat,dc=com")(version 3.0;acl "Add automount maps";allow (add) groupdn = "ldap:///cn=addautomount,cn=taskgroups,cn=accounts,dc=ayoung,dc=boston,dc=devel,dc=redhat,dc=com";)', u'(targetattr = "givenName || sn || cn || displayName || title || initials || loginShell || gecos || homePhone || mobile || pager || facsimileTelephoneNumber || telephoneNumber || street || roomNumber || l || st || postalCode || manager || 
secretary || description || carLicense || labeledURI || inetUserHTTPURL || seeAlso || employeeType || businessCategory || ou || mepManagedEntry || objectclass")(target = "ldap:///uid=*,cn=users,cn=accounts,dc=ayoung,dc=boston,dc=devel,dc=redhat,dc=com")(version 3.0;acl "Modify Users";allow (write) groupdn = "ldap:///cn=modifyusers,cn=taskgroups,cn=accounts,dc=ayoung,dc=boston,dc=devel,dc=redhat,dc=com";)', u'(target = "ldap:///ipauniqueid=*,cn=ng,cn=alt,dc=ayoung,dc=boston,dc=devel,dc=redhat,dc=com")(version 3.0;acl "Add netgroups";allow (add) groupdn = "ldap:///cn=addnetgroups,cn=taskgroups,cn=accounts,dc=ayoung,dc=boston,dc=devel,dc=redhat,dc=com";)', u'(target = "ldap:///fqdn=*,cn=computers,cn=accounts,dc=ayoung,dc=boston,dc=devel,dc=redhat,dc=com")(version 3.0;acl "Remove Hosts";allow (delete) groupdn = "ldap:///cn=removehosts,cn=taskgroups,cn=accounts,dc=ayoung,dc=boston,dc=devel,dc=redhat,dc=com";)', u'(target = "ldap:///ipauniqueid=*,cn=entitlements,cn=etc,dc=greyoak,dc=com")(version 3.0;acl "Add entitlements";allow (add) groupdn = "ldap:///cn=addentitlements,cn=taskgroups,cn=accounts,dc=greyoak,dc=com";)', u'(target = "ldap:///automountkey=*,automountmapname=*,cn=automount,dc=ayoung,dc=boston,dc=devel,dc=redhat,dc=com")(version 3.0;acl "Add automount keys";allow (add) groupdn = "ldap:///cn=addautomount,cn=taskgroups,cn=accounts,dc=ayoung,dc=boston,dc=devel,dc=redhat,dc=com";)', u'(target = "ldap:///cn=*,cn=groups,cn=accounts,dc=ayoung,dc=boston,dc=devel,dc=redhat,dc=com")(version 3.0;acl "Remove Groups";allow (delete) groupdn = "ldap:///cn=removegroups,cn=taskgroups,cn=accounts,dc=ayoung,dc=boston,dc=devel,dc=redhat,dc=com";)', u'(targetattr = "objectClass")(target = "ldap:///cn=retrieve certificate,cn=virtual operations,dc=ayoung,dc=boston,dc=devel,dc=redhat,dc=com")(version 3.0;acl "Retrieve Certificates from the CA";allow (write) groupdn = "ldap:///cn=retrieve_certs,cn=taskgroups,cn=accounts,dc=ayoung,dc=boston,dc=devel,dc=redhat,dc=com";)', 
u'(targetattr = "objectClass")(target = "ldap:///cn=revoke certificate,cn=virtual operations,dc=ayoung,dc=boston,dc=devel,dc=redhat,dc=com")(version 3.0;acl "Revoke Certificate";allow (write) groupdn = "ldap:///cn=revoke_certificate,cn=taskgroups,cn=accounts,dc=ayoung,dc=boston,dc=devel,dc=redhat,dc=com";)', u'(targetattr = "krbPrincipalKey || krbLastPwdChange")(target = "ldap:///fqdn=*,cn=computers,cn=accounts,dc=ayoung,dc=boston,dc=devel,dc=redhat,dc=com")(version 3.0;acl "Manage host keytab";allow (write) groupdn = "ldap:///cn=manage_host_keytab,cn=taskgroups, cn=accounts,dc=ayoung,dc=boston,dc=devel,dc=redhat,dc=com";)', u'(targetattr = "cn || description || gidnumber || objectclass || mepManagedBy")(target = "ldap:///cn=*,cn=groups,cn=accounts,dc=ayoung,dc=boston,dc=devel,dc=redhat,dc=com")(version 3.0;acl "Modify Groups";allow (write) groupdn = "ldap:///cn=modifygroups,cn=taskgroups,cn=accounts,dc=ayoung,dc=boston,dc=devel,dc=redhat,dc=com";)', u'(targetattr = "member")(target = "ldap:///cn=*,cn=hostgroups,cn=accounts,dc=ayoung,dc=boston,dc=devel,dc=redhat,dc=com")(version 3.0;acl "Modify host group membership";allow (write) groupdn = "ldap:///cn=modifyhostgroupmembership,cn=taskgroups,cn=accounts,dc=ayoung,dc=boston,dc=devel,dc=redhat,dc=com";)', u'(targetattr = "objectClass")(target = "ldap:///cn=request certificate different host,cn=virtual operations,dc=ayoung,dc=boston,dc=devel,dc=redhat,dc=com")(version 3.0;acl "Request Certificates from a different host";allow (write) groupdn = "ldap:///cn=request_cert_different_host,cn=taskgroups,cn=accounts,dc=ayoung,dc=boston,dc=devel,dc=redhat,dc=com";)'), 'summary': u'53 ACIs matched'} ipa: ERROR: an internal error has occurred -------------- next part -------------- An HTML attachment was scrubbed... URL: From edewata at redhat.com Wed Nov 3 16:55:58 2010 
From: edewata at redhat.com (Endi Sukma Dewata) Date: Wed, 03 Nov 2010 11:55:58 -0500 Subject: [Freeipa-devel] [PATCH] freeipa-admiyo-freeipa-0072-rights-check.patch In-Reply-To: <4CD16961.5040109@redhat.com> References: <4CCB256B.109@redhat.com> <4CCB7575.8050409@redhat.com> <4CCECE96.8070006@redhat.com> <4CD1564D.4070109@redhat.com> <4CD16961.5040109@redhat.com> Message-ID: <4CD1941E.3090701@redhat.com> On 11/3/2010 8:53 AM, Adam Young wrote: >> Still NACK. I have tested this again. It looks like the UI does not >> send the --rights parameter which is required to get the >> attributelevelrights. With this patch even the admin can't edit anything. > > Ah...that was because I did it as two commits, and only made a patch out > of one. Still too many disabled inputs. If you login as admin and open admin's details page, the only editable fields are last name and full name. (State is also editable but I suspect it's because this field doesn't support rights yet.) According to attributelevelrights I should be able to edit a number of attributes including uidNumber, gidNumber, telephoneNumber, but that's not the case. Do you see a different behavior when you test it? Am I missing some other patches? Btw, in your patch I think rights should be set to 'true' instead of 1. 
"attributelevelrights": { "aci": "rscwo", "cn": "rscwo", "description": "rscwo", "gecos": "rscwo", "gidNumber": "rscwo", "homeDirectory": "rscwo", "inetUserHttpURL": "rscwo", "inetUserStatus": "rscwo", "ipaUniqueID": "rsc", "krbCanonicalName": "rscwo", "krbExtraData": "rscwo", "krbLastFailedAuth": "rscwo", "krbLastPwdChange": "rscwo", "krbLastSuccessfulAuth": "rscwo", "krbLoginFailedCount": "rscwo", "krbMaxRenewableAge": "rscwo", "krbMaxTicketLife": "rscwo", "krbPasswordExpiration": "rscwo", "krbPrincipalAliases": "rscwo", "krbPrincipalExpiration": "rscwo", "krbPrincipalKey": "wo", "krbPrincipalName": "rscwo", "krbPrincipalType": "rscwo", "krbPwdHistory": "rscwo", "krbPwdPolicyReference": "rscwo", "krbTicketFlags": "rscwo", "krbTicketPolicyReference": "rscwo", "krbUPEnabled": "rscwo", "loginShell": "rscwo", "memberOf": "rsc", "mepManagedEntry": "rscwo", "nsAccountLock": "rscwo", "objectClass": "rscwo", "seeAlso": "rscwo", "sn": "rscwo", "telephoneNumber": "rscwo", "uid": "rscwo", "uidNumber": "rscwo", "userPassword": "wo" }, -- Endi S. Dewata From edewata at redhat.com Wed Nov 3 17:03:55 2010 From: edewata at redhat.com (Endi Sukma Dewata) Date: Wed, 03 Nov 2010 12:03:55 -0500 Subject: [Freeipa-devel] [PATCH] freeipa-admiyo-freeipa-0073-Clear-fields-after-add.patch In-Reply-To: <4CD169D3.4040009@redhat.com> References: <4CCEFFA8.1080804@redhat.com> <4CD1567E.1000001@redhat.com> <4CD169D3.4040009@redhat.com> Message-ID: <4CD195FB.6020300@redhat.com> On 11/3/2010 8:55 AM, Adam Young wrote: > I suspect then that the service add dialog is wrong. This behaviour has > been spec'ed and working for a long time. What does it break? The field.setup(dialog, IPA_ADD_UPDATE) should be called before the add operation to allow constructing krbprincipalname from service name and hostname. It wouldn't make any sense to call this function after the add operation is successfully completed. -- Endi S. Dewata From edewata at redhat.com Wed Nov 3 17:15:40 2010 
From: edewata at redhat.com (Endi Sukma Dewata) Date: Wed, 03 Nov 2010 12:15:40 -0500 Subject: [Freeipa-devel] [PATCH] 0074 jslint cleanup In-Reply-To: <4CD16D6F.8010305@redhat.com> References: <4CD0679C.9080505@redhat.com> <4CD156AB.2050403@redhat.com> <4CD16D6F.8010305@redhat.com> Message-ID: <4CD198BC.5010207@redhat.com> On 11/3/2010 9:10 AM, Adam Young wrote: >> The IPA and ipa_cmd are defined twice. >> >> +var IPA; >> +var ipa_cmd; >> >> +var IPA = ( function () { >> function ipa_cmd(name, args, options, win_callback, fail_callback, >> objname) > Fixed The duplicate IPA declaration is fixed, but the ipa_cmd is still declared twice: var ipa_cmd; function ipa_cmd( ... ) { ... } Is var ipa_cmd really necessary? We could also do this if we have to: var ipa_cmd; ipa_cmd = function( ... ) { ... }; But is there anything wrong with just the plain function declaration? -- Endi S. Dewata From rcritten at redhat.com Wed Nov 3 17:42:33 2010 From: rcritten at redhat.com (Rob Crittenden) Date: Wed, 03 Nov 2010 13:42:33 -0400 Subject: [Freeipa-devel] [PATCH] 594 display aci components separately In-Reply-To: <4CD18AFC.2000801@redhat.com> References: <4CD180A7.9090500@redhat.com> <4CD18AFC.2000801@redhat.com> Message-ID: <4CD19F09.1090107@redhat.com> Adam Young wrote: > On 11/03/2010 11:32 AM, Rob Crittenden wrote: >> Break out an ACI into components so it is easier to see what it does. >> This will be needed for UI support. >> >> I also filled more supported types and made the List parameter perform >> validation. >> >> rob >> >> >> _______________________________________________ >> Freeipa-devel mailing list >> Freeipa-devel at redhat.com >> https://www.redhat.com/mailman/listinfo/freeipa-devel > NACK. Doesn't run. > > With a full install: > > [ayoung at ipa freeipa]$ ipa aci-find > ipa: ERROR: no such entry > Is this a full install from a fresh pull? I applied this to the HEAD and built rpms and it works fine. rob From rcritten at redhat.com Wed Nov 3 17:52:36 2010 
From: rcritten at redhat.com (Rob Crittenden) Date: Wed, 03 Nov 2010 13:52:36 -0400 Subject: [Freeipa-devel] [PATCH] 596 remove ipa-fix-CVE-2008-3274 Message-ID: <4CD1A164.70601@redhat.com> This tool was designed to fix CVE-2008-3274. This configuration is the default now in V2 so this isn't needed now. https://fedorahosted.org/freeipa/ticket/331 rob -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-rcrit-596-cve.patch Type: text/x-patch Size: 20548 bytes Desc: not available URL: From ayoung at redhat.com Wed Nov 3 18:18:30 2010 From: ayoung at redhat.com (Adam Young) Date: Wed, 03 Nov 2010 14:18:30 -0400 Subject: [Freeipa-devel] [PATCH] 594 display aci components separately In-Reply-To: <4CD19F09.1090107@redhat.com> References: <4CD180A7.9090500@redhat.com> <4CD18AFC.2000801@redhat.com> <4CD19F09.1090107@redhat.com> Message-ID: <4CD1A776.9060702@redhat.com> On 11/03/2010 01:42 PM, Rob Crittenden wrote: > Adam Young wrote: >> On 11/03/2010 11:32 AM, Rob Crittenden wrote: >>> Break out an ACI into components so it is easier to see what it does. >>> This will be needed for UI support. >>> >>> I also filled more supported types and made the List parameter perform >>> validation. >>> >>> rob >>> >>> >>> _______________________________________________ >>> Freeipa-devel mailing list >>> Freeipa-devel at redhat.com >>> https://www.redhat.com/mailman/listinfo/freeipa-devel >> NACK. Doesn't run. >> >> With a full install: >> >> [ayoung at ipa freeipa]$ ipa aci-find >> ipa: ERROR: no such entry >> > > Is this a full install from a fresh pull? I applied this to the HEAD > and built rpms and it works fine. > > rob Yes it is. git checkout master git checkout -b patch-594 git clean -fdx\ git am ... make rpms and so on From ayoung at redhat.com Wed Nov 3 18:20:04 2010 
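Patch 594 above breaks an ACI into components so it is easier to see what it does. The following is an added example, not FreeIPA's own code: a small JavaScript parser for the one-clause ACI shape that the aci-find dump earlier in this digest prints, plus an audit helper that reports which attributes an ACI does not reach. The two sample ACIs are copied from that dump; the function names (parse_aci, aci_covers_attr, uncovered_attrs) are hypothetical.

```javascript
// Added example (not FreeIPA code): split an ACI string into its components
// so a reviewer or the UI can see which attributes, entries and permissions
// it covers. Sample ACIs are copied from the aci-find output quoted in this
// thread; all function names here are hypothetical.

var SAMPLE_MODIFY_HOSTS = '(targetattr = "cn || description || l || location || nshardwareplatform || nsosversion")' +
    '(target = "ldap:///fqdn=*,cn=computers,cn=accounts,dc=ayoung,dc=boston,dc=devel,dc=redhat,dc=com")' +
    '(version 3.0;acl "Modify Hosts";allow (write) groupdn = ' +
    '"ldap:///cn=modifyhosts,cn=taskgroups,cn=accounts,dc=ayoung,dc=boston,dc=devel,dc=redhat,dc=com";)';

var SAMPLE_ADD_HOSTS = '(target = "ldap:///fqdn=*,cn=computers,cn=accounts,dc=ayoung,dc=boston,dc=devel,dc=redhat,dc=com")' +
    '(version 3.0;acl "Add Hosts";allow (add) groupdn = ' +
    '"ldap:///cn=addhosts,cn=taskgroups,cn=accounts,dc=ayoung,dc=boston,dc=devel,dc=redhat,dc=com";)';

function trim(s) { return s.replace(/^\s+|\s+$/g, ''); }

// Returns { name, targetattr: [...], target, action, permissions: [...],
// bindrule: { keyword, value } }. Only the single-clause shape used by the
// delegation ACIs above is handled; anything else throws.
function parse_aci(aci) {
    var result = { name: null, targetattr: [], target: null, action: null, permissions: [], bindrule: null };

    // Leading (targetattr = "...") and (target = "...") clauses, each optional.
    var re_clause = /\((targetattr|target)\s*=\s*"([^"]*)"\)/g;
    var m;
    while ((m = re_clause.exec(aci)) !== null) {
        if (m[1] === 'targetattr') {
            result.targetattr = m[2].split('||').map(trim);
        } else {
            result.target = m[2];
        }
    }

    // The body: version, ACI name, allow/deny, permission list, one bind rule.
    var re_body = /\(version 3\.0;\s*acl\s+"([^"]*)";\s*(allow|deny)\s*\(([^)]*)\)\s*(\w+)\s*=\s*"([^"]*)"\s*;\s*\)/;
    m = re_body.exec(aci);
    if (m === null) {
        throw new Error('unrecognised ACI body: ' + aci);
    }
    result.name = m[1];
    result.action = m[2];
    result.permissions = m[3].split(',').map(trim);
    result.bindrule = { keyword: m[4], value: m[5] };
    return result;
}

// True when the ACI's targetattr clause reaches the given attribute. LDAP
// attribute names are case-insensitive, and an ACI with no targetattr clause
// applies to the entry as a whole (the add/delete ACIs are written that way).
function aci_covers_attr(parsed, attr) {
    if (parsed.targetattr.length === 0) {
        return true;
    }
    var wanted = attr.toLowerCase();
    return parsed.targetattr.some(function (a) { return a.toLowerCase() === wanted; });
}

// Audit helper: which of the attributes a plugin writes are NOT reachable
// through this ACI. Run over "Modify Hosts" with nshostlocation in the list,
// it reports the attribute-name mismatch that the one-liner fix in this
// digest corrects.
function uncovered_attrs(parsed, attrs) {
    return attrs.filter(function (a) { return !aci_covers_attr(parsed, a); });
}
```

Running uncovered_attrs over every ACI returned by aci-find, with the attribute list each plugin actually writes, is a cheap way to spot a targetattr that grants write on a name no entry carries while the real attribute stays unwritable.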
From: ayoung at redhat.com (Adam Young) Date: Wed, 03 Nov 2010 14:20:04 -0400 Subject: [Freeipa-devel] [PATCH] 0074 jslint cleanup In-Reply-To: <4CD198BC.5010207@redhat.com> References: <4CD0679C.9080505@redhat.com> <4CD156AB.2050403@redhat.com> <4CD16D6F.8010305@redhat.com> <4CD198BC.5010207@redhat.com> Message-ID: <4CD1A7D4.3080004@redhat.com> On 11/03/2010 01:15 PM, Endi Sukma Dewata wrote: > On 11/3/2010 9:10 AM, Adam Young wrote: >>> The IPA and ipa_cmd are defined twice. >>> >>> +var IPA; >>> +var ipa_cmd; >>> >>> +var IPA = ( function () { >>> function ipa_cmd(name, args, options, win_callback, fail_callback, >>> objname) > >> Fixed > > The duplicate IPA declaration is fixed, but the ipa_cmd is still > declared twice: > > var ipa_cmd; > > function ipa_cmd( ... ) { ... } > > Is var ipa_cmd really necessary? We could also do this if we have to: > > var ipa_cmd; > > ipa_cmd = function( ... ) { ... }; > > But is there anything wrong with just the plain function declaration? > Note the comment about "Forward declared" jslint complains if there is no forward declaration. I've postponed moving ipa_cmd into the IPA namespace in this patch, as that will cause a ripple effect through the rest of the .js files. From edewata at redhat.com Wed Nov 3 18:43:36 2010 
From: edewata at redhat.com (Endi Sukma Dewata) Date: Wed, 03 Nov 2010 13:43:36 -0500 Subject: [Freeipa-devel] [PATCH] HBAC Details Page In-Reply-To: <4CD17B0D.5070409@redhat.com> References: <4CCB5CC9.7030800@redhat.com> <4CCEFA72.9060906@redhat.com> <4CD155FF.7080907@redhat.com> <4CD1765A.80003@redhat.com> <4CD17B0D.5070409@redhat.com> Message-ID: <4CD1AD58.3030005@redhat.com> On 11/3/2010 10:09 AM, Adam Young wrote: >> A few questions (and tweaks). Note that I have just given the code a >> read through, not applied the patch yet. >> >> Are you sure we want to implement our own Theme code? I'd rather try >> to keep theme stuff as part of jQuery.UI. At a minimum, we risk name >> clash and confusion over the term 'theme'. I think they will complement each other. The jQuery UI theme is limited to CSS. The IPA theme I'm creating is for the layout. Although CSS can do layout too, it is limited to the elements and classes that are already defined in the HTML page. If you need to change the elements in the HTML page you'd have to change the JavaScript code because it's generated dynamically. For example, it's not possible to change this layout: First Name: Adam Last Name: Young into this layout Last Name: Young First Name: Adam using CSS alone unless you specify different ID's or assign different CSS classes for each HTML element. And changing the JavaScript code to support this specific layout would be either too difficult or not very useful for anything else. With the IPA theme you could create 2 different templates:
First Name:
Last Name:
or
Last Name: First Name:
and not change a single line of code. The jQuery UI theme can still be applied on top of this. >> add.js line 34: Do we really need accessor like this? There is nothing >> wrong with modifying the member directly. I see the code at line >> 62 that delegates it down the tree...I think there is a more >> javascript-y way to do this. Look up Javascript accessors. You mean like this? http://offthelip.org/?p=101 Yes, we can do that. Regardless, the accessor is necessary because a widget may contain a set of other widgets and we want to let the widget figure out how to pass the value to the other widgets. Ideally I prefer if we can get rid of the entity_name from widgets, but we can do that another time. >> If you are going to change a function header like on associate line >> 133, go ahead and remove the camel_casing as well. (manyObjPKey) as >> you seem to be doing variable cleanup elsewhere. OK, I can fix that too. I had to draw the line somewhere, otherwise the patch will be too big (it's already bigger than I wanted). >> Line 297, executor takes 7 params, that are all member variables of >> "that". Since that.execute is invoked as a method, you can remove >> these parameters and instead, internal to executor, refer to them via >> this. Not sure that would be a good idea. "that" in this code refers to the dialog box. The executor is one of the serial/bulk associator. Associator is not a dialog box, so referring to the parameters using this might work but will be confusing. This code is actually calling the associator's constructor and executing it too. I was planning to create a base class for the associators, but that's for next time. >> Typo line 344: that.member_attrribute OK, I'll fix it. That was from a copy & paste. 
> Also: remove the buttons for features that we are not going to implement > this time around > > from the top of the page: Troubleshoot, Cull Disabled Rules, And the > Test Rule link under quick links > You can leave Login SVC and Login Svc Groups, those are coming next, > correct? Let me remove all of them for now and add them back as I implement them. That way we can cut a release anytime without having a broken button. > Add rule has a rule type field, but no guidance what to fill it in with. > I suspect this should be a select. Without knowing what to put in here, > you can't add a rule. At a minimum, let's put in text 'allow or deny' OK, I'll add that text. I was planning to do that in a later patch because we have the same issue with the service name. > Note that this failure case doesn't fail very cleanly. There is an error > that shows up in Firebug. Ignore it for now, as I believe my patch for > handling ticket time out fixes this as a side effect. > > Add access time seems to be broken. I get 'that.add is not a function' Yes, I mentioned that in the patch description. That will be done in a follow up. -- Endi S. Dewata From ayoung at redhat.com Wed Nov 3 18:59:54 2010 From: ayoung at redhat.com (Adam Young) Date: Wed, 03 Nov 2010 14:59:54 -0400 Subject: [Freeipa-devel] [PATCH] HBAC Details Page In-Reply-To: <4CD1AD58.3030005@redhat.com> References: <4CCB5CC9.7030800@redhat.com> <4CCEFA72.9060906@redhat.com> <4CD155FF.7080907@redhat.com> <4CD1765A.80003@redhat.com> <4CD17B0D.5070409@redhat.com> <4CD1AD58.3030005@redhat.com> Message-ID: <4CD1B12A.80302@redhat.com> On 11/03/2010 02:43 PM, Endi Sukma Dewata wrote: > On 11/3/2010 10:09 AM, Adam Young wrote: >>> A few questions (and tweaks). Note that I have just given the code a >>> read through, not applied the patch yet. >>> >>> Are you sure we want to implement our own Theme code? I'd rather try >>> to keep theme stuff as part of jQuery.UI. 
At a minimum, we risk name >>> clash and confusion over the term 'theme'. > > I think they will complement each other. The jQuery UI theme is > limited to CSS. The IPA theme I'm creating is for the layout. Although > CSS can do layout too, it is limited to the elements and classes that > are already defined in the HTML page. If you need to change the > elements in the HTML page you'd have to change the JavaScript code > because it's generated dynamically. For example, it's not possible to > change this layout: > > First Name: Adam > Last Name: Young > > into this layout > > Last Name: Young First Name: Adam > > using CSS alone unless you specify different ID's or assign different > CSS classes for each HTML element. And changing the JavaScript code to > support this specific layout would be either too difficult or not very > useful for anything else. > > With the IPA theme you could create 2 different templates: > >
> First Name:
> Last Name:
>
> or
>
> Last Name: First Name:
> > and not change a single line of code. The jQuery UI theme can still be applied > on top of this. Very cool, but suggest we change the term. Would layout perhaps be better? > >>> add.js line 34: Do we really need accessor like this? There is nothing >>> wrong with modifying the member directly. I see the code at line >>> 62 that delegates it down the tree...I think there is a more >>> javascript-y way to do this. Look up Javascript accessors. > > You mean like this? http://offthelip.org/?p=101 > Yes, we can do that. Regardless, the accessor is necessary because a > widget may contain a set of other widgets and we want to let the > widget figure out how to pass the value to the other widgets. Ideally > I prefer if we can get rid of the entity_name from widgets, but we can > do that another time. Yeah, like that. I'd rather not use a naming convention that is different from what the language supports. > >>> If you are going to change a function header like on associate line >>> 133, go ahead and remove the camel_casing as well. (manyObjPKey) as >>> you seem to be doing variable cleanup elsewhere. > > OK, I can fix that too. I had to draw the line somewhere, otherwise > the patch will be too big (it's already bigger than I wanted). > >>> Line 297, executor takes 7 params, that are all member variables of >>> "that". Since that.execute is invoked as a method, you can remove >>> these parameters and instead, internal to executor, refer to them via >>> this. > > Not sure that would be a good idea. "that" in this code refers to the > dialog box. The executor is one of the serial/bulk associator. > Associator is not a dialog box, so referring to the parameters using > this might work but will be confusing. This code is actually calling > the associator's constructor and executing it too. I was planning to > create a base class for the associators, but that's for next time. Yeah. 
Plus, with the Bulk plugin, we'll want to change the name of the bulk associator to something more correct, like single_call versus bulk_call, and change the serial associator to use the bulk plugin. > >>> Typo line 344: that.member_attrribute > > OK, I'll fix it. That was from a copy & paste. > >> Also: remove the buttons for features that we are not going to implement >> this time around >> >> from the top of the page: Troubleshoot, Cull Disabled Rules, And the >> Test Rule link under quick links >> You can leave Login SVC and Login Svc Groups, those are coming next, >> correct? > > Let me remove all of them for now and add them back as I implement them. > That way we can cut a release anytime > without having a broken button. Agreed > >> Add rule has a rule type field, but no guidance what to fill it in with. >> I suspect this should be a select. Without knowing what to put in here, >> you can't add a rule. At a minimum, let's put in text 'allow or deny' > > OK, I'll add that text. I was planning to do that in a later patch > because we have the same issue with the service name. Yeah, let's do it now. I had to go to the CLI to figure out what values to put in here to get it to work. Add a ticket for replacing it with a select, too. > >> Note that this failure case doesn't fail very cleanly. There is an error >> that shows up in Firebug. Ignore it for now, as I believe my patch for >> handling ticket time out fixes this as a side effect. >> >> Add access time seems to be broken. I get 'that.add is not a function' > > Yes, I mentioned that in the patch description. That will be done in a > follow up. > From edewata at redhat.com Wed Nov 3 19:13:52 2010 
From: edewata at redhat.com (Endi Sukma Dewata) Date: Wed, 03 Nov 2010 14:13:52 -0500 Subject: [Freeipa-devel] [PATCH] 0074 jslint cleanup In-Reply-To: <4CD1A7D4.3080004@redhat.com> References: <4CD0679C.9080505@redhat.com> <4CD156AB.2050403@redhat.com> <4CD16D6F.8010305@redhat.com> <4CD198BC.5010207@redhat.com> <4CD1A7D4.3080004@redhat.com> Message-ID: <4CD1B470.4060003@redhat.com>

On 11/3/2010 1:20 PM, Adam Young wrote:
> Note the comment about "Forward declared"
> jslint complains if there is no forward declaration. I've postponed
> moving ipa_cmd into the IPA namespace in this patch, as that will cause
> a ripple effect through the rest of the .js files.

I've seen several ways to define class methods:

1. Global function: this seems to be good for large methods.

function class_name() {
    var that = {};
    that.method = class_name_method;
    return that;
}

function class_name_method() {
}

2. Anonymous function: this seems to be good for simple methods.

function class_name() {
    var that = {};
    that.method = function() {
    };
    return that;
}

3. Local function: this seems to be needed for passing a method to a super class.

function class_name(spec) {
    spec.method1 = method1;
    var that = super_class_name(spec);
    that.method2 = spec.method2 || method2;
    function method1() {
    }
    function method2() {
    }
    return that;
}

Any comments/suggestions?

-- Endi S. Dewata

From rcritten at redhat.com Wed Nov 3 19:34:44 2010 
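The three styles listed in the message above, put to work together: an added example, not FreeIPA's own code, showing a base "class" and a sub "class" in the object-literal ("var that = {}") style the UI uses, where the sub class hands a local function to the super class through spec. All names here (ipa_widget, ipa_text_widget, widget_describe) are hypothetical.

```javascript
// Added example, not FreeIPA code: the three method-definition styles from
// the thread, used together. Names are hypothetical.

// 1. Global function. One shared function object; good for large methods.
//    It reaches its instance through "this", so it must be invoked as
//    that.describe(), never passed around detached.
function widget_describe() {
    return this.entity_name + '.' + this.name + ' (' + this.kind + ')';
}

// Base "class": a factory returning an object literal, no "new", no prototype.
function ipa_widget(spec) {
    spec = spec || {};
    var that = {};

    that.name = spec.name;
    that.entity_name = spec.entity_name;
    that.kind = spec.kind || 'widget';

    // Style 1: reference to the global function above.
    that.describe = widget_describe;

    // 2. Anonymous function. Closes over "that" and "spec", so "this" is not
    //    needed; good for short one-off methods.
    that.get_label = function () {
        return spec.label || that.name;
    };

    // Extension point: a sub class may hand in its own implementation through
    // spec, otherwise the base default applies.
    that.validate = spec.validate || function (value) {
        return value !== undefined && value !== null;
    };

    return that;
}

// 3. Local function. Declared inside the constructor, so it is hoisted and
//    can be placed in spec before the super constructor runs, yet it still
//    sees "that" once that has been assigned.
function ipa_text_widget(spec) {
    spec = spec || {};
    spec.kind = 'text';
    spec.validate = validate;

    var that = ipa_widget(spec);
    that.max_length = spec.max_length || 64;

    function validate(value) {
        return typeof value === 'string' && value.length <= that.max_length;
    }

    return that;
}
```

Style 3 is the one that lets the base constructor install the override in the right place (for instance as part of a validation chain) rather than the sub class patching the finished object afterwards; the cost is that the local function must not be called before the super constructor returns, because "that" is still undefined at that point.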
From: rcritten at redhat.com (Rob Crittenden) Date: Wed, 03 Nov 2010 15:34:44 -0400 Subject: [Freeipa-devel] [PATCH] 597 user-enable/disable improvements Message-ID: <4CD1B954.9040106@redhat.com> Always display the account enable/disable status. Don't ignore the exceptions when a user is already enabled or disabled. Fix the exception error messages to use the right terminology. In baseldap when retrieving all attributes include the default attributes in case they include some operational attributes. ticket 392 rob -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-rcrit-597-status.patch Type: text/x-patch Size: 11397 bytes Desc: not available URL: From ayoung at redhat.com Wed Nov 3 19:50:01 2010 
From: ayoung at redhat.com (Adam Young) Date: Wed, 03 Nov 2010 15:50:01 -0400 Subject: [Freeipa-devel] [PATCH] freeipa-admiyo-freeipa-0072-rights-check.patch In-Reply-To: <4CD1941E.3090701@redhat.com> References: <4CCB256B.109@redhat.com> <4CCB7575.8050409@redhat.com> <4CCECE96.8070006@redhat.com> <4CD1564D.4070109@redhat.com> <4CD16961.5040109@redhat.com> <4CD1941E.3090701@redhat.com> Message-ID: <4CD1BCE9.6060408@redhat.com> On 11/03/2010 12:55 PM, Endi Sukma Dewata wrote: > On 11/3/2010 8:53 AM, Adam Young wrote: >>> Still NACK. I have tested this again. It looks like the UI does not >>> send the --rights parameter which is required to get the >>> attributelevelrights. With this patch even the admin can't edit >>> anything. >> >> Ah...that was because I did it as two commits, and only made a patch out >> of one. > > Still too many disabled inputs. If you login as admin and open admin's > details page, the only editable fields are last name and full name. > (State is also editable but I suspect it's because this field doesn't > support rights yet.) According to attributelevelrights I should be able > to edit a number of attributes including uidNumber, gidNumber, > telephoneNumber, but that's not the case. Do you see a different > behavior when you test it? Am I missing some other patches? Btw, in > your patch I think rights should be set to 'true' instead of 1. 
> > "attributelevelrights": { > "aci": "rscwo", > "cn": "rscwo", > "description": "rscwo", > "gecos": "rscwo", > "gidNumber": "rscwo", > "homeDirectory": "rscwo", > "inetUserHttpURL": "rscwo", > "inetUserStatus": "rscwo", > "ipaUniqueID": "rsc", > "krbCanonicalName": "rscwo", > "krbExtraData": "rscwo", > "krbLastFailedAuth": "rscwo", > "krbLastPwdChange": "rscwo", > "krbLastSuccessfulAuth": "rscwo", > "krbLoginFailedCount": "rscwo", > "krbMaxRenewableAge": "rscwo", > "krbMaxTicketLife": "rscwo", > "krbPasswordExpiration": "rscwo", > "krbPrincipalAliases": "rscwo", > "krbPrincipalExpiration": "rscwo", > "krbPrincipalKey": "wo", > "krbPrincipalName": "rscwo", > "krbPrincipalType": "rscwo", > "krbPwdHistory": "rscwo", > "krbPwdPolicyReference": "rscwo", > "krbTicketFlags": "rscwo", > "krbTicketPolicyReference": "rscwo", > "krbUPEnabled": "rscwo", > "loginShell": "rscwo", > "memberOf": "rsc", > "mepManagedEntry": "rscwo", > "nsAccountLock": "rscwo", > "objectClass": "rscwo", > "seeAlso": "rscwo", > "sn": "rscwo", > "telephoneNumber": "rscwo", > "uid": "rscwo", > "uidNumber": "rscwo", > "userPassword": "wo" > }, > Now defaulting to rscwo, which means that some fields will show up editable even if the user can't change them, due to effectiverights not being returned on all fields. -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-admiyo-freeipa-0072-2-rights-check.patch Type: text/x-patch Size: 7840 bytes Desc: not available URL: From ayoung at redhat.com Wed Nov 3 19:51:20 2010 
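The two defaults discussed in this thread (read-only when no right is reported, versus assuming rscwo) are the only real design decision in the rights check, and the difference between them is invisible unless the gaps in attributelevelrights coverage are listed. The following is an added example, not the patch's code: a per-field editability function driven by the attributelevelrights map the server returns when the request carries rights: true, with the missing-field policy made explicit, and a helper that lists the fields a page shows that the map says nothing about. The sample map is a subset of the response quoted above; the function names are hypothetical.

```javascript
// Added example, not the patch's code: per-field editability derived from
// the attributelevelrights map. SAMPLE_RIGHTS is a subset of the response
// quoted in this thread; function names are hypothetical.

var SAMPLE_RIGHTS = {
    "cn": "rscwo",
    "ipaUniqueID": "rsc",
    "memberOf": "rsc",
    "uidNumber": "rscwo",
    "userPassword": "wo"
};

// Rights string letters: r read, s search, c compare, w write (add values),
// o obliterate (delete values). Anything that is not a string yields no rights.
function parse_rights(str) {
    var flags = { read: false, search: false, compare: false, write: false, obliterate: false };
    if (typeof str !== 'string') {
        return flags;
    }
    for (var i = 0; i < str.length; i++) {
        switch (str.charAt(i)) {
        case 'r': flags.read = true; break;
        case 's': flags.search = true; break;
        case 'c': flags.compare = true; break;
        case 'w': flags.write = true; break;
        case 'o': flags.obliterate = true; break;
        }
    }
    return flags;
}

// LDAP attribute names are case-insensitive; the map uses the server's casing,
// the UI's field definitions may not.
function find_rights_key(rights, attr) {
    var wanted = attr.toLowerCase();
    for (var key in rights) {
        if (Object.prototype.hasOwnProperty.call(rights, key) && key.toLowerCase() === wanted) {
            return key;
        }
    }
    return null;
}

// missing_policy selects what to do for a field the map says nothing about:
// 'readonly' fails closed (the first version of the patch), 'rscwo' assumes
// full rights (the second version). Returns 'editable', 'writeonly' (may be
// set but not read, as userPassword is) or 'readonly'.
function field_mode(rights, attr, missing_policy) {
    var key = find_rights_key(rights || {}, attr);
    if (key === null) {
        return missing_policy === 'rscwo' ? 'editable' : 'readonly';
    }
    var r = parse_rights(rights[key]);
    if (!r.write) {
        return 'readonly';
    }
    return r.read ? 'editable' : 'writeonly';
}

// Coverage check: the fields a details page shows that have no entry in the
// map. Logging this list in the UI is how the holes that either default
// papers over get found.
function missing_rights(rights, fields) {
    return fields.filter(function (f) { return find_rights_key(rights || {}, f) === null; });
}
```

Whichever default the UI ships with, field_mode is only a presentation decision; the server's ACIs still decide whether a write succeeds, so an "editable" field for an attribute the user cannot write produces a server error rather than a change, while a "readonly" field for an attribute the user can write hides a capability the user actually has.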
From: ayoung at redhat.com (Adam Young) Date: Wed, 03 Nov 2010 15:51:20 -0400 Subject: [Freeipa-devel] [PATCH] 0074 jslint cleanup In-Reply-To: <4CD1A7D4.3080004@redhat.com> References: <4CD0679C.9080505@redhat.com> <4CD156AB.2050403@redhat.com> <4CD16D6F.8010305@redhat.com> <4CD198BC.5010207@redhat.com> <4CD1A7D4.3080004@redhat.com> Message-ID: <4CD1BD38.3060500@redhat.com> On 11/03/2010 02:20 PM, Adam Young wrote: > On 11/03/2010 01:15 PM, Endi Sukma Dewata wrote: >> On 11/3/2010 9:10 AM, Adam Young wrote: >>>> The IPA and ipa_cmd are defined twice. >>>> >>>> +var IPA; >>>> +var ipa_cmd; >>>> >>>> +var IPA = ( function () { >>>> function ipa_cmd(name, args, options, win_callback, fail_callback, >>>> objname) >> >>> Fixed >> >> The duplicate IPA declaration is fixed, but the ipa_cmd is still >> declared twice: >> >> var ipa_cmd; >> >> function ipa_cmd( ... ) { ... } >> >> Is var ipa_cmd really necessary? We could also do this if we have to: >> >> var ipa_cmd; >> >> ipa_cmd = function( ... ) { ... }; >> >> But is there anything wrong with just the plain function declaration? >> > > Note the comment about "Forward declared" > jslint complains if there is no forward declaration. I've postponed > moving ipa_cmd into the IPA namespace in this patch, as that will > cause a ripple effect through the rest of the .js files. > > _______________________________________________ > Freeipa-devel mailing list > Freeipa-devel at redhat.com > https://www.redhat.com/mailman/listinfo/freeipa-devel ACKed in IRC. Pushed to master From rcritten at redhat.com Wed Nov 3 21:38:47 2010 From: rcritten at redhat.com (Rob Crittenden) Date: Wed, 03 Nov 2010 17:38:47 -0400 Subject: [Freeipa-devel] [PATCH] one-liner fix pushed Message-ID: <4CD1D667.6040905@redhat.com> Pushed this fix under the 1-liner rule. We had the wrong attribute in an aci. diff --git a/install/updates/40-delegation.update b/install/updates/40-delegation.update index da17358..d51e213 100644 
--- a/install/updates/40-delegation.update +++ b/install/updates/40-delegation.update @@ -241,7 +241,7 @@ add:aci: '(target = "ldap:///fqdn=*,cn=computers,cn=accounts,$SUFFIX")(version add:aci: '(target = "ldap:///fqdn=*,cn=computers,cn=accounts,$SUFFIX")(version 3.0;acl "Remove Hosts";allow (delete) groupdn = "ldap:///cn=removehosts,cn= taskgroups,cn=accounts,$SUFFIX";)' -add:aci: '(targetattr = "cn || description || l || location || +add:aci: '(targetattr = "cn || description || l || nshostlocation || nshardwareplatform || nsosversion") (target = "ldap:///fqdn=*,cn=computers,cn=accounts,$SUFFIX")(version 3.0; acl "Modify Hosts";allow (write) groupdn = "ldap:///cn=modifyhosts, -- 1.6.2.5 From edewata at redhat.com Wed Nov 3 22:20:43 2010 From: edewata at redhat.com (Endi Sukma Dewata) Date: Wed, 03 Nov 2010 17:20:43 -0500 Subject: [Freeipa-devel] [PATCH] freeipa-admiyo-freeipa-0072-rights-check.patch In-Reply-To: <4CD1BCE9.6060408@redhat.com> References: <4CCB256B.109@redhat.com> <4CCB7575.8050409@redhat.com> <4CCECE96.8070006@redhat.com> <4CD1564D.4070109@redhat.com> <4CD16961.5040109@redhat.com> <4CD1941E.3090701@redhat.com> <4CD1BCE9.6060408@redhat.com> Message-ID: <4CD1E03B.5000305@redhat.com> On 11/3/2010 2:50 PM, Adam Young wrote: > Now defaulting to rscwo, which means that some fields will show up > editable even if the user can't change them, due to effectiverights not > being returned on all fields. Could you rebase it against the latest in master? The patch cannot be applied. Thanks. -- Endi S. Dewata From nalin at redhat.com Wed Nov 3 22:59:08 2010 
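Review bot: on an already-installed server this hunk adds the corrected 'Modify Hosts' aci next to the stale one rather than replacing it: the directive is `add:aci:`, so the previously installed value with `targetattr = "cn || description || l || location || ...` stays in the entry unless the update also removes it. Suggest pairing the new `add:aci:` with a removal of the old value (or whatever replace directive the updater supports); otherwise the attribute-name fix only takes effect on fresh installs.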
From: nalin at redhat.com (Nalin Dahyabhai) Date: Wed, 3 Nov 2010 18:59:08 -0400 Subject: [Freeipa-devel] [PATCH] nis and schema-compat: heed userCategory and hostCategory in netgroups Message-ID: <20101103225908.GB22214@redhat.com> It looks like we missed the userCategory and hostCategory stuff when we did the original pass at configuring the nis server and schema compat plugins for netgroups. Here's a proposed change which should empty the right fields when we have one or the other set to "ALL". Nalin -------------- next part -------------- commit 7a76e7b25026ebd1596040892bc95e1deda777eb Author: Nalin Dahyabhai Date: Wed Nov 3 18:57:33 2010 -0400 - add support for hostCategory and userCategory diff --git a/install/share/nis.uldif b/install/share/nis.uldif index d6a3644..f23b49e 100644 --- a/install/share/nis.uldif +++ b/install/share/nis.uldif 
@@ -80,5 +80,5 @@ default:nis-map: netgroup default:nis-base: cn=ng, cn=alt, $SUFFIX default:nis-filter: (objectClass=ipanisNetgroup) default:nis-key-format: %{cn} -default:nis-value-format: %merge(" ","%{memberNisNetgroup}","(%link(\"%collect(\\\"%{externalHost}\\\",\\\"%deref(\\\\\\\"memberHost\\\\\\\",\\\\\\\"fqdn\\\\\\\")\\\",\\\"%deref_r(\\\\\\\"member\\\\\\\",\\\\\\\"fqdn\\\\\\\")\\\",\\\"%deref_r(\\\\\\\"memberHost\\\\\\\",\\\\\\\"member\\\\\\\",\\\\\\\"fqdn\\\\\\\")\\\")\",\"-\",\",\",\"%collect(\\\"%deref(\\\\\\\"memberUser\\\\\\\",\\\\\\\"uid\\\\\\\")\\\",\\\"%deref_r(\\\\\\\"member\\\\\\\",\\\\\\\"uid\\\\\\\")\\\",\\\"%deref_r(\\\\\\\"memberUser\\\\\\\",\\\\\\\"member\\\\\\\",\\\\\\\"uid\\\\\\\")\\\")\",\"-\"),%{nisDomainName:-})") +default:nis-value-format: %merge(" ","%{memberNisNetgroup}","(%link(\"%ifeq(\\\"hostCategory\\\",\\\"all\\\",\\\"\\\",\\\"%collect(\\\\\\\"%{externalHost}\\\\\\\",\\\\\\\"%deref(\\\\\\\\\\\\\\\"memberHost\\\\\\\\\\\\\\\",\\\\\\\\\\\\\\\"fqdn\\\\\\\\\\\\\\\")\\\\\\\",\\\\\\\"%deref_r(\\\\\\\\\\\\\\\"member\\\\\\\\\\\\\\\",\\\\\\\\\\\\\\\"fqdn\\\\\\\\\\\\\\\")\\\\\\\",\\\\\\\"%deref_r(\\\\\\\\\\\\\\\"memberHost\\\\\\\\\\\\\\\",\\\\\\\\\\\\\\\"member\\\\\\\\\\\\\\\",\\\\\\\\\\\\\\\"fqdn\\\\\\\\\\\\\\\")\\\\\\\")\\\")\",\"-\",\",\",\"%ifeq(\\\"userCategory\\\",\\\"all\\\",\\\"\\\",\\\"%collect(\\\"%deref(\\\\\\\"memberUser\\\\\\\",\\\\\\\"uid\\\\\\\")\\\",\\\"%deref_r(\\\\\\\"member\\\\\\\",\\\\\\\"uid\\\\\\\")\\\",\\\"%deref_r(\\\\\\\"memberUser\\\\\\\",\\\\\\\"member\\\\\\\",\\\\\\\"uid\\\\\\\")\\\")\\\")\",\"-\"),%{nisDomainName:-})") default:nis-secure: no diff --git a/install/share/schema_compat.uldif b/install/share/schema_compat.uldif index 15ac2a2..22e3141 100644 --- a/install/share/schema_compat.uldif +++ b/install/share/schema_compat.uldif 
@@ -62,7 +62,7 @@ add:schema-compat-entry-rdn: cn=%{cn} add:schema-compat-entry-attribute: objectclass=nisNetgroup add:schema-compat-entry-attribute: 'memberNisNetgroup=%deref_r("member","cn")' add:schema-compat-entry-attribute: 'memberNisNetgroup=%referred_r("cn=ng","memberOf","cn")' -add:schema-compat-entry-attribute: 'nisNetgroupTriple=(%link("%collect(\"%{externalHost}\",\"%deref(\\\"memberHost\\\",\\\"fqdn\\\")\",\"%deref_r(\\\"member\\\",\\\"fqdn\\\")\",\"%deref_r(\\\"memberHost\\\",\\\"member\\\",\\\"fqdn\\\")\")","-",",","%collect(\"%deref(\\\"memberUser\\\",\\\"uid\\\")\",\"%deref_r(\\\"member\\\",\\\"uid\\\")\",\"%deref_r(\\\"memberUser\\\",\\\"member\\\",\\\"uid\\\")\")","-"),%{nisDomainName:-})' +add:schema-compat-entry-attribute: nisNetgroupTriple=(%link("%ifeq(\"hostCategory\",\"all\",\"\",\"%collect(\\\"%{externalHost}\\\",\\\"%deref(\\\\\\\"memberHost\\\\\\\",\\\\\\\"fqdn\\\\\\\")\\\",\\\"%deref_r(\\\\\\\"member\\\\\\\",\\\\\\\"fqdn\\\\\\\")\\\",\\\"%deref_r(\\\\\\\"memberHost\\\\\\\",\\\\\\\"member\\\\\\\",\\\\\\\"fqdn\\\\\\\")\\\")\")","-",",","%ifeq(\"userCategory\",\"all\",\"\",\"%collect(\\\"%deref(\\\\\\\"memberUser\\\\\\\",\\\\\\\"uid\\\\\\\")\\\",\\\"%deref_r(\\\\\\\"member\\\\\\\",\\\\\\\"uid\\\\\\\")\\\",\\\"%deref_r(\\\\\\\"memberUser\\\\\\\",\\\\\\\"member\\\\\\\",\\\\\\\"uid\\\\\\\")\\\")\")","-"),%{nisDomainName:-}) # Enable anonymous VLV browsing for Solaris dn: oid=2.16.840.1.113730.3.4.9,cn=features,cn=config From rcritten at redhat.com Thu Nov 4 14:47:27 2010 
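Review bot: in the nis.uldif hunk the two halves of the new nis-value-format line are escaped to different depths: the host half wraps %collect's arguments in `\\\\\\\"` and its inner %deref arguments in `\\\\\\\\\\\\\\\"`, while the user half, which sits at the same nesting level inside its own %ifeq, wraps %collect's arguments in only `\\\"` and %deref's in `\\\\\\\"`, the depth the removed line used before the extra %ifeq layer was added (the schema_compat hunk, by contrast, escapes both halves identically). One of the two halves is off by one quoting level; please verify the generated map against a netgroup that has both memberHost and memberUser before pushing. Also, the cover message describes the category as being set to "ALL" while `%ifeq(\\\"hostCategory\\\",\\\"all\\\",...)` compares with lower-case "all", so confirm that %ifeq compares case-insensitively or normalise the stored value.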
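Review bot: the replacement nisNetgroupTriple line drops the single quotes that wrapped the removed line's value, while the neighbouring `add:schema-compat-entry-attribute: 'memberNisNetgroup=...'` context lines keep theirs. Either the updater treats the quotes as optional, in which case the inconsistency is only cosmetic, or the commas and embedded `\"` sequences in the unquoted value will be parsed differently from the quoted form; please restore the quotes unless the unquoted form was deliberate, and say so in the commit message if it was.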
From: rcritten at redhat.com (Rob Crittenden) Date: Thu, 04 Nov 2010 10:47:27 -0400 Subject: [Freeipa-devel] [PATCH] 598 add rights to LDAPUpdate base class Message-ID: <4CD2C77F.3020205@redhat.com> This makes --rights available to all _mod commands. https://fedorahosted.org/freeipa/ticket/437 rob -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-rcrit-598-rights.patch Type: text/x-patch Size: 2782 bytes Desc: not available URL: From rcritten at redhat.com Thu Nov 4 15:07:44 2010 
From: rcritten at redhat.com (Rob Crittenden) Date: Thu, 04 Nov 2010 11:07:44 -0400 Subject: [Freeipa-devel] [PATCH] freeipa-admiyo-freeipa-0072-rights-check.patch In-Reply-To: <4CD1BCE9.6060408@redhat.com> References: <4CCB256B.109@redhat.com> <4CCB7575.8050409@redhat.com> <4CCECE96.8070006@redhat.com> <4CD1564D.4070109@redhat.com> <4CD16961.5040109@redhat.com> <4CD1941E.3090701@redhat.com> <4CD1BCE9.6060408@redhat.com> Message-ID: <4CD2CC40.2070900@redhat.com> Adam Young wrote: > On 11/03/2010 12:55 PM, Endi Sukma Dewata wrote: >> On 11/3/2010 8:53 AM, Adam Young wrote: >>>> Still NACK. I have tested this again. It looks like the UI does not >>>> send the --rights parameter which is required to get the >>>> attributelevelrights. With this patch even the admin can't edit >>>> anything. >>> >>> Ah...that was because I did it as two commits, and only made a patch out >>> of one. >> >> Still too many disabled inputs. If you login as admin and open admin's >> details page, the only editable fields are last name and full name. >> (State is also editable but I suspect it's because this field doesn't >> support rights yet.) According to attributelevelrights I should be able >> to edit a number of attributes including uidNumber, gidNumber, >> telephoneNumber, but that's not the case. Do you see a different >> behavior when you test it? Am I missing some other patches? Btw, in >> your patch I think rights should be set to 'true' instead of 1. 
>> >> "attributelevelrights": { >> "aci": "rscwo", >> "cn": "rscwo", >> "description": "rscwo", >> "gecos": "rscwo", >> "gidNumber": "rscwo", >> "homeDirectory": "rscwo", >> "inetUserHttpURL": "rscwo", >> "inetUserStatus": "rscwo", >> "ipaUniqueID": "rsc", >> "krbCanonicalName": "rscwo", >> "krbExtraData": "rscwo", >> "krbLastFailedAuth": "rscwo", >> "krbLastPwdChange": "rscwo", >> "krbLastSuccessfulAuth": "rscwo", >> "krbLoginFailedCount": "rscwo", >> "krbMaxRenewableAge": "rscwo", >> "krbMaxTicketLife": "rscwo", >> "krbPasswordExpiration": "rscwo", >> "krbPrincipalAliases": "rscwo", >> "krbPrincipalExpiration": "rscwo", >> "krbPrincipalKey": "wo", >> "krbPrincipalName": "rscwo", >> "krbPrincipalType": "rscwo", >> "krbPwdHistory": "rscwo", >> "krbPwdPolicyReference": "rscwo", >> "krbTicketFlags": "rscwo", >> "krbTicketPolicyReference": "rscwo", >> "krbUPEnabled": "rscwo", >> "loginShell": "rscwo", >> "memberOf": "rsc", >> "mepManagedEntry": "rscwo", >> "nsAccountLock": "rscwo", >> "objectClass": "rscwo", >> "seeAlso": "rscwo", >> "sn": "rscwo", >> "telephoneNumber": "rscwo", >> "uid": "rscwo", >> "uidNumber": "rscwo", >> "userPassword": "wo" >> }, >> > Now defaulting to rscwo, which means that some fields will show up > editable even if the user can't change them, due to effectiverights not > being returned on all fields. The problem is that the effective rights is not returned properly, the account in question (admin) doesn't have those attributes at all. I don't think this is an appropriate fix. rob From edewata at redhat.com Thu Nov 4 15:42:03 2010 
From: edewata at redhat.com (Endi Sukma Dewata) Date: Thu, 04 Nov 2010 10:42:03 -0500 Subject: [Freeipa-devel] [PATCH] HBAC Details Page In-Reply-To: <4CD1B12A.80302@redhat.com> References: <4CCB5CC9.7030800@redhat.com> <4CCEFA72.9060906@redhat.com> <4CD155FF.7080907@redhat.com> <4CD1765A.80003@redhat.com> <4CD17B0D.5070409@redhat.com> <4CD1AD58.3030005@redhat.com> <4CD1B12A.80302@redhat.com> Message-ID: <4CD2D44B.8010903@redhat.com> Hi, Please take a look at the new patch (also attached): https://fedorahosted.org/reviewboard/r/99/ On 11/3/2010 1:59 PM, Adam Young wrote: > Very cool, but suggest we change the term. Would layout perhaps be better? Renamed that to layout. >>>> add.js line 34: Do we really need accesor like this? There is nothing >>>> wrong with doing modifying the member directly. I see the code at line >>>> 62 that delegates it down the tree...I think there is a more >>>> javascript-y way to do this. Look up Javascript accessors. Now it's using setter/getter for entity_name. >>>> If you are going to change a function header like on associate line >>>> 133, go ahead and remove the camel_casing as well. (manyObjPKey) as >>>> you seem to be doing variable cleanup elsewhere. >>>> Line 297, executor takes 7 params, that are all member variables of >>>> "that". Since that.execute is invoked as a method, you can remove >>>> these parameters and instead, internal to executor, refer to them via >>>> this. > Yeah. PLus, with the Bulk plugin, we'll want to change the name of the > bulk associator to something more correct, like single_call versus > bulk_call, and change the serial associator to use the bulk plugin. I cleaned up the associators. I added a base class, I also combined the adder & deleter (both for serial & bulk) because once the parameters are cleaned up they are actually exactly the same code. We can rename these classes again later if necessary. >>>> Typo line 344: that.member_attrribute Fixed. 
>>> Also: remove the buttons for features that we are not going to implement >>> this time around >>> from the top of the page: Troubleshoot, Cull Disabled Rules, And the >>> TEst Rule link under quick links >>> You can leave Login SVC and Login Svc Groups , those are coming next, >>> correct? They are commented out for now, will be added back as we implement them. >>> Add rule has a rule type field, but no guidance what to fill it in with. >>> I suspect this should be a select. Without knowing what to put in here, >>> you can't add a rule. At a minimum, lets put in text 'allow or deny' Fixed. Will open a new ticket for the drop down list. Thanks! -- Endi S. Dewata -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-edewata-0025-3-HBAC-Details-Page.patch Type: text/x-patch Size: 144967 bytes Desc: not available URL: From ayoung at redhat.com Thu Nov 4 16:49:54 2010 
From: ayoung at redhat.com (Adam Young) Date: Thu, 04 Nov 2010 12:49:54 -0400 Subject: [Freeipa-devel] [PATCH] 594 display aci components separately In-Reply-To: <4CD1A776.9060702@redhat.com> References: <4CD180A7.9090500@redhat.com> <4CD18AFC.2000801@redhat.com> <4CD19F09.1090107@redhat.com> <4CD1A776.9060702@redhat.com> Message-ID: <4CD2E432.8080901@redhat.com> On 11/03/2010 02:18 PM, Adam Young wrote: > On 11/03/2010 01:42 PM, Rob Crittenden wrote: >> Adam Young wrote: >>> On 11/03/2010 11:32 AM, Rob Crittenden wrote: >>>> Break out an ACI into components so it is easier to see what it does. >>>> This will be needed for UI support. >>>> >>>> I also filled more supported types and made the List parameter perform >>>> validation. >>>> >>>> rob >>>> >>>> >>>> _______________________________________________ >>>> Freeipa-devel mailing list >>>> Freeipa-devel at redhat.com >>>> https://www.redhat.com/mailman/listinfo/freeipa-devel >>> NACK. Doesn't run. >>> >>> WIth a full install: >>> >>> [ayoung at ipa freeipa]$ ipa aci-find >>> ipa: ERROR: no such entry >>> >> >> Is this a full install from a fresh pull? I applied this to the HEAD >> and built rpms and it works fine. >> >> rob > Yes it is. > > git checkout master > git checkout -b patch-594 > git clean -fdx\ > git am ... > make rpms > and so on > > _______________________________________________ > Freeipa-devel mailing list > Freeipa-devel at redhat.com > https://www.redhat.com/mailman/listinfo/freeipa-devel ACK pushed to master From ayoung at redhat.com Thu Nov 4 16:50:29 2010 
From: ayoung at redhat.com (Adam Young) Date: Thu, 04 Nov 2010 12:50:29 -0400 Subject: [Freeipa-devel] [PATCH] 597 user-enable/disable improvements In-Reply-To: <4CD1B954.9040106@redhat.com> References: <4CD1B954.9040106@redhat.com> Message-ID: <4CD2E455.4060808@redhat.com> On 11/03/2010 03:34 PM, Rob Crittenden wrote: > Always display the account enable/disable status. > > Don't ignore the exceptions when a user is already enabled or disabled. > > Fix the exception error messages to use the right terminology. > > In baseldap when retrieving all attributes include the default > attributes in case they include some operational attributes. > > ticket 392 > > rob > > > _______________________________________________ > Freeipa-devel mailing list > Freeipa-devel at redhat.com > https://www.redhat.com/mailman/listinfo/freeipa-devel ACK pushed to master -------------- next part -------------- An HTML attachment was scrubbed... URL: From rcritten at redhat.com Thu Nov 4 17:57:04 2010 From: rcritten at redhat.com (Rob Crittenden) Date: Thu, 04 Nov 2010 13:57:04 -0400 Subject: [Freeipa-devel] [PATCH] one-liner fix Message-ID: <4CD2F3F0.5080409@redhat.com> Pushed this under the one-liner rule. My domain was hardcoded in a couple of acis. rob diff --git a/install/updates/40-delegation.update b/install/updates/40-delegation.update index d51e213..085cd1f 100644 --- a/install/updates/40-delegation.update +++ b/install/updates/40-delegation.update 
@@ -723,10 +723,10 @@ add:description: Modify Entitlements add:member:'cn=entitlementadmin,cn=rolegroups,cn=accounts,$SUFFIX' dn: $SUFFIX -add: aci: '(target = "ldap:///ipauniqueid=*,cn=entitlements,cn=etc,dc=greyoak,dc=com")(version 3.0;acl "Add entitlements";allow (add) groupdn = "ldap:///cn=addentitlements,cn=taskgroups,cn=accounts,dc=greyoak,dc=com";)' +add: aci: '(target = "ldap:///ipauniqueid=*,cn=entitlements,cn=etc,$SUFFIX")(version 3.0;acl "Add entitlements";allow (add) groupdn = "ldap:///cn=addentitlements,cn=taskgroups,cn=accounts,$SUFFIX";)' dn: $SUFFIX -add: aci: '(targetattr = "userCertificate")(target = "ldap:///ipauniqueid=*,cn=entitlements,cn=etc,dc=greyoak,dc=com")(version 3.0;acl "Modify entitlements";allow (write) groupdn = "ldap:///cn=modifyentitlements,cn=taskgroups,cn=accounts,dc=greyoak,dc=com";)' +add: aci: '(targetattr = "userCertificate")(target = "ldap:///ipauniqueid=*,cn=entitlements,cn=etc,$SUFFIX")(version 3.0;acl "Modify entitlements";allow (write) groupdn = "ldap:///cn=modifyentitlements,cn=taskgroups,cn=accounts,$SUFFIX";)' dn: $SUFFIX -add: aci: '(target = "ldap:///ipauniqueid=*,cn=entitlements,cn=etc,dc=greyoak,dc=com")(version 3.0;acl "Remove entitlement entries";allow (delete) groupdn = "ldap:///cn=removeentitlements,cn=taskgroups,cn=accounts,dc=greyoak,dc=com";)' +add: aci: '(target = "ldap:///ipauniqueid=*,cn=entitlements,cn=etc,$SUFFIX")(version 3.0;acl "Remove entitlement entries";allow (delete) groupdn = "ldap:///cn=removeentitlements,cn=taskgroups,cn=accounts,$SUFFIX";)' -- 1.6.2.5 From ayoung at redhat.com Thu Nov 4 18:39:18 2010 
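Review bot: the three corrected aci values are `add:`-ed, so installations that already received the `dc=greyoak,dc=com` versions keep those stale entries alongside the new `$SUFFIX` ones unless they are removed as well; consider a matching removal for each. A simple check that no literal `dc=` component other than the `$SUFFIX` expansion appears in the update files would catch this class of mistake before a push under the one-liner rule.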
From: ayoung at redhat.com (Adam Young) Date: Thu, 04 Nov 2010 14:39:18 -0400 Subject: [Freeipa-devel] [PATCH] HBAC Details Page In-Reply-To: <4CD2D44B.8010903@redhat.com> References: <4CCB5CC9.7030800@redhat.com> <4CCEFA72.9060906@redhat.com> <4CD155FF.7080907@redhat.com> <4CD1765A.80003@redhat.com> <4CD17B0D.5070409@redhat.com> <4CD1AD58.3030005@redhat.com> <4CD1B12A.80302@redhat.com> <4CD2D44B.8010903@redhat.com> Message-ID: <4CD2FDD6.4000707@redhat.com> On 11/04/2010 11:42 AM, Endi Sukma Dewata wrote: > Hi, > > Please take a look at the new patch (also attached): > > https://fedorahosted.org/reviewboard/r/99/ > > On 11/3/2010 1:59 PM, Adam Young wrote: >> Very cool, but suggest we change the term. Would layout perhaps be >> better? > > Renamed that to layout. > >>>>> add.js line 34: Do we really need accesor like this? There is nothing >>>>> wrong with doing modifying the member directly. I see the code at >>>>> line >>>>> 62 that delegates it down the tree...I think there is a more >>>>> javascript-y way to do this. Look up Javascript accessors. > > Now it's using setter/getter for entity_name. > >>>>> If you are going to change a function header like on associate line >>>>> 133, go ahead and remove the camel_casing as well. (manyObjPKey) as >>>>> you seem to be doing variable cleanup elsewhere. > >>>>> Line 297, executor takes 7 params, that are all member variables of >>>>> "that". Since that.execute is invoked as a method, you can remove >>>>> these parameters and instead, internal to executor, refer to them via >>>>> this. > >> Yeah. PLus, with the Bulk plugin, we'll want to change the name of the >> bulk associator to something more correct, like single_call versus >> bulk_call, and change the serial associator to use the bulk plugin. > > I cleaned up the associators. I added a base class, I also combined > the adder & deleter (both for serial & bulk) because once the > parameters are cleaned up they are actually exactly the same code. 
We > can rename these classes again later if necessary. > >>>>> Typo line 344: that.member_attrribute > > Fixed. > >>>> Also: remove the buttons for features that we are not going to >>>> implement >>>> this time around >>>> from the top of the page: Troubleshoot, Cull Disabled Rules, And the >>>> TEst Rule link under quick links >>>> You can leave Login SVC and Login Svc Groups , those are coming next, >>>> correct? > > They are commented out for now, will be added back as we implement them. > >>>> Add rule has a rule type field, but no guidance what to fill it in >>>> with. >>>> I suspect this should be a select. Without knowing what to put in >>>> here, >>>> you can't add a rule. At a minimum, lets put in text 'allow or deny' > > Fixed. Will open a new ticket for the drop down list. > > Thanks! > ACK and pushed to master From rcritten at redhat.com Thu Nov 4 19:14:48 2010 From: rcritten at redhat.com (Rob Crittenden) Date: Thu, 04 Nov 2010 15:14:48 -0400 Subject: [Freeipa-devel] [PATCH] nis and schema-compat: heed userCategory and hostCategory in netgroups In-Reply-To: <20101103225908.GB22214@redhat.com> References: <20101103225908.GB22214@redhat.com> Message-ID: <4CD30628.10209@redhat.com> Nalin Dahyabhai wrote: > It looks like we missed the userCategory and hostCategory stuff when we > did the original pass at configuring the nis server and schema compat > plugins for netgroups. Here's a proposed change which should empty the > right fields when we have one or the other set to "ALL". Works for me. I missed this too and netgroups don't currently allow setting user or hostcategory. Created ticket 443 to track this. This patch works for me, ack, pushed to master. rob From rcritten at redhat.com Thu Nov 4 19:21:06 2010 
From: rcritten at redhat.com (Rob Crittenden) Date: Thu, 04 Nov 2010 15:21:06 -0400 Subject: [Freeipa-devel] [PATCH] 599 add usercat and hostcat to netgroups Message-ID: <4CD307A2.20207@redhat.com> The netgroup plugin was missing the usercategory and hostcategory associations. This adds them and fixes displaying membership in netgroup_show. rob -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-rcrit-599-netgroup.patch Type: text/x-patch Size: 2714 bytes Desc: not available URL: From rcritten at redhat.com Thu Nov 4 19:28:44 2010 From: rcritten at redhat.com (Rob Crittenden) Date: Thu, 04 Nov 2010 15:28:44 -0400 Subject: [Freeipa-devel] [PATCH] 600 fix ipa-nis-manage Message-ID: <4CD3096C.4040302@redhat.com> ipa-nis-manage was broken because of a signature change to ldap2.getentry(). Two new arguments were added before normalize and a call to this in ipa-nis-manage was relying on positional arguments. This caused ldap2 to add the basedn to what we were trying to get, which was something in cn=config, so it failed. ticket https://fedorahosted.org/freeipa/ticket/414 rob -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-rcrit-600-nis.patch Type: text/x-patch Size: 2259 bytes Desc: not available URL: From rcritten at redhat.com Thu Nov 4 19:56:21 2010 From: rcritten at redhat.com (Rob Crittenden) Date: Thu, 04 Nov 2010 15:56:21 -0400 Subject: [Freeipa-devel] [PATCH] 601 rename 60sudo.ldif Message-ID: <4CD30FE5.7090401@redhat.com> Rename 60sudo.ldif to 60ipasudo.ldif. We are overwriting a file of the same name from the default 389-ds schema. rob -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-rcrit-601-sudo.patch Type: text/x-patch Size: 12365 bytes Desc: not available URL: From ayoung at redhat.com Thu Nov 4 20:53:17 2010 
From: ayoung at redhat.com (Adam Young) Date: Thu, 04 Nov 2010 16:53:17 -0400 Subject: [Freeipa-devel] [PATCH] Bulk In-Reply-To: <4CD17E2C.9050506@redhat.com> References: <4CD09EBD.5030201@redhat.com> <4CD17333.4060100@redhat.com> <4CD17E2C.9050506@redhat.com> Message-ID: <4CD31D3D.3040209@redhat.com> Renamed the plugin to 'batch' which is a better name than bulk. Added the example to the docs, put a header on it, and removed the changes to internal.py -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-admiyo-freeipa-0076-2-batch.patch Type: text/x-patch Size: 3453 bytes Desc: not available URL: From rcritten at redhat.com Thu Nov 4 21:00:00 2010 From: rcritten at redhat.com (Rob Crittenden) Date: Thu, 04 Nov 2010 17:00:00 -0400 Subject: [Freeipa-devel] [PATCH] 602 verify --ip-address option during installation Message-ID: <4CD31ED0.5030403@redhat.com> There was a corner case where the value of --ip-address was never verified if you were also setting up DNS. Added this bit of information to the man page too. ticket 399 rob -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-rcrit-602-dns.patch Type: text/x-patch Size: 1788 bytes Desc: not available URL: From rcritten at redhat.com Thu Nov 4 21:38:23 2010 From: rcritten at redhat.com (Rob Crittenden) Date: Thu, 04 Nov 2010 17:38:23 -0400 Subject: [Freeipa-devel] [PATCH] 603 add examples to ipa-replica-install man page Message-ID: <4CD327CF.6040802@redhat.com> Add a couple of examples in ipa-replica-install.1 in an effort to clarify where one does a re-init. rob -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-rcrit-603-man.patch Type: text/x-patch Size: 4604 bytes Desc: not available URL: From rcritten at redhat.com Fri Nov 5 15:15:10 2010 
From: rcritten at redhat.com (Rob Crittenden) Date: Fri, 05 Nov 2010 11:15:10 -0400 Subject: [Freeipa-devel] [PATCH] Bulk In-Reply-To: <4CD31D3D.3040209@redhat.com> References: <4CD09EBD.5030201@redhat.com> <4CD17333.4060100@redhat.com> <4CD17E2C.9050506@redhat.com> <4CD31D3D.3040209@redhat.com> Message-ID: <4CD41F7E.4020009@redhat.com> Adam Young wrote: > Renamed the plugin to 'batch' which is a better name than bulk. Added > the example to the docs, put a header on it, and removed the changes to > internal.py This will blow up if args ends up being empty so we'll need to address that at some point. This particular error I think will blow everything up before it gets very far so it is probably fine for now. Just fix the spelling of my last name and this is ACK :-) rob From ayoung at redhat.com Fri Nov 5 15:22:10 2010 From: ayoung at redhat.com (Adam Young) Date: Fri, 05 Nov 2010 11:22:10 -0400 Subject: [Freeipa-devel] [PATCH] Bulk In-Reply-To: <4CD41F7E.4020009@redhat.com> References: <4CD09EBD.5030201@redhat.com> <4CD17333.4060100@redhat.com> <4CD17E2C.9050506@redhat.com> <4CD31D3D.3040209@redhat.com> <4CD41F7E.4020009@redhat.com> Message-ID: <4CD42122.4020708@redhat.com> On 11/05/2010 11:15 AM, Rob Crittenden wrote: > Adam Young wrote: >> Renamed the plugin to 'batch' which is a better name than bulk. Added >> the example to the docs, put a header on it, and removed the changes to >> internal.py > > This will blow up if args ends up being empty so we'll need to address > that at some point. This particular error I think will blow everything > up before it gets very far so it is probably fine for now. > > Just fix the spelling of my last name and this is ACK :-) > > rob Fixed, Pushed to master From ayoung at redhat.com Fri Nov 5 18:29:25 2010 
From: ayoung at redhat.com (Adam Young) Date: Fri, 05 Nov 2010 14:29:25 -0400 Subject: [Freeipa-devel] [PATCH] freeipa-admiyo-0072-3-rights-check.patch In-Reply-To: <4CD2CC40.2070900@redhat.com> References: <4CCB256B.109@redhat.com> <4CCB7575.8050409@redhat.com> <4CCECE96.8070006@redhat.com> <4CD1564D.4070109@redhat.com> <4CD16961.5040109@redhat.com> <4CD1941E.3090701@redhat.com> <4CD1BCE9.6060408@redhat.com> <4CD2CC40.2070900@redhat.com> Message-ID: <4CD44D05.2040507@redhat.com> Rebased, got the links for add and remove checked as well, and set default to 'rsc' -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-admiyo-0072-3-rights-check.patch Type: text/x-patch Size: 10851 bytes Desc: not available URL: From ayoung at redhat.com Fri Nov 5 19:01:35 2010 From: ayoung at redhat.com (Adam Young) Date: Fri, 05 Nov 2010 15:01:35 -0400 Subject: [Freeipa-devel] [PATCH] freeipa-admiyo-0072-3-rights-check.patch In-Reply-To: <4CD44D05.2040507@redhat.com> References: <4CCB256B.109@redhat.com> <4CCB7575.8050409@redhat.com> <4CCECE96.8070006@redhat.com> <4CD1564D.4070109@redhat.com> <4CD16961.5040109@redhat.com> <4CD1941E.3090701@redhat.com> <4CD1BCE9.6060408@redhat.com> <4CD2CC40.2070900@redhat.com> <4CD44D05.2040507@redhat.com> Message-ID: <4CD4548F.60304@redhat.com> On 11/05/2010 02:29 PM, Adam Young wrote: > Rebased, got the links for add and remove checked as well, and set > default to 'rsc' > > > _______________________________________________ > Freeipa-devel mailing list > Freeipa-devel at redhat.com > https://www.redhat.com/mailman/listinfo/freeipa-devel A couple of notes: because _mod does not return rights (even though this code asks for them) the details page is effectively read-only after an update. Password Policy and DNS do not return rights, and are therefore broken by this patch. -------------- next part -------------- An HTML attachment was scrubbed... URL: From rcritten at redhat.com Fri Nov 5 19:14:59 2010
From: rcritten at redhat.com (Rob Crittenden) Date: Fri, 05 Nov 2010 15:14:59 -0400 Subject: [Freeipa-devel] [PATCH] freeipa-admiyo-0072-3-rights-check.patch In-Reply-To: <4CD44D05.2040507@redhat.com> References: <4CCB256B.109@redhat.com> <4CCB7575.8050409@redhat.com> <4CCECE96.8070006@redhat.com> <4CD1564D.4070109@redhat.com> <4CD16961.5040109@redhat.com> <4CD1941E.3090701@redhat.com> <4CD1BCE9.6060408@redhat.com> <4CD2CC40.2070900@redhat.com> <4CD44D05.2040507@redhat.com> Message-ID: <4CD457B3.9030403@redhat.com> Adam Young wrote: > Rebased, got the links for add and remove checked as well, and set > default to 'rsc' ack From rcritten at redhat.com Fri Nov 5 19:16:22 2010
From: rcritten at redhat.com (Rob Crittenden) Date: Fri, 05 Nov 2010 15:16:22 -0400 Subject: [Freeipa-devel] [PATCH] freeipa-admiyo-0072-3-rights-check.patch In-Reply-To: <4CD4548F.60304@redhat.com> References: <4CCB256B.109@redhat.com> <4CCB7575.8050409@redhat.com> <4CCECE96.8070006@redhat.com> <4CD1564D.4070109@redhat.com> <4CD16961.5040109@redhat.com> <4CD1941E.3090701@redhat.com> <4CD1BCE9.6060408@redhat.com> <4CD2CC40.2070900@redhat.com> <4CD44D05.2040507@redhat.com> <4CD4548F.60304@redhat.com> Message-ID: <4CD45806.7000101@redhat.com> Adam Young wrote: > On 11/05/2010 02:29 PM, Adam Young wrote: >> Rebased, got the links for add and remove checked as well, and set >> default to 'rsc' >> >> >> _______________________________________________ >> Freeipa-devel mailing list >> Freeipa-devel at redhat.com >> https://www.redhat.com/mailman/listinfo/freeipa-devel > A couple of notes: > > because _mod does not return rights (even though this code asks for > them) the details page is effectively read-only after an update. > > Password Policy and DNS do not return rights, and are therefore broken > by this patch. There is a patch for _mod (598). Can you open separate tickets for pwpolicy and DNS? Pavel is hopefully nearly done with the dns rewrite so it may just magically appear. rob From rcritten at redhat.com Fri Nov 5 19:20:27 2010
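An added example, not code from the FreeIPA patches discussed in this thread, of the fail-closed rights check the thread describes: a field is editable only when the attributelevelrights map returned for a request made with rights=true contains 'w' for that attribute, and anything the server did not report, such as a _mod reply before patch 598, falls back to 'rsc'. The function names, the sample replies and the 'hidden'/'write-only' classification are assumptions.

```javascript
// Decide how a details-page field should be rendered from the
// "attributelevelrights" map that the IPA JSON-RPC layer returns when a
// command is invoked with rights=true.  Each value is a string of 389-ds
// effective-rights letters: r=read, s=search, c=compare, w=write,
// o=obliterate (delete).  Names below are assumptions, not FreeIPA's API.

// Fail closed: if the server says nothing, treat the field as read-only.
var DEFAULT_RIGHTS = 'rsc';

// Rights string for one attribute, or DEFAULT_RIGHTS when the reply has
// no attributelevelrights at all (a _mod reply not asked for rights) or
// simply does not list this attribute.
function attribute_rights(result, attr) {
    var rights = result && result.attributelevelrights;
    if (!rights || !Object.prototype.hasOwnProperty.call(rights, attr)) {
        return DEFAULT_RIGHTS;
    }
    return rights[attr];
}

function is_writable(result, attr) {
    return attribute_rights(result, attr).indexOf('w') !== -1;
}

function is_readable(result, attr) {
    return attribute_rights(result, attr).indexOf('r') !== -1;
}

// Classify every field a page shows so the UI can render it as an
// editable input, a read-only value, a write-only input (userPassword,
// krbPrincipalKey are "wo" in the quoted reply) or not at all.
function classify_fields(result, attrs) {
    var out = {};
    for (var i = 0; i < attrs.length; i++) {
        var a = attrs[i];
        var readable = is_readable(result, a);
        var writable = is_writable(result, a);
        if (readable) {
            out[a] = writable ? 'editable' : 'read-only';
        } else {
            out[a] = writable ? 'write-only' : 'hidden';
        }
    }
    return out;
}

// Constructed sample shaped like the user_show reply quoted in the thread
// (only a few of its attributes are reproduced here).
var SAMPLE_SHOW_RESULT = {
    uid: ['admin'],
    attributelevelrights: {
        uid: 'rscwo', uidNumber: 'rscwo', ipaUniqueID: 'rsc',
        memberOf: 'rsc', userPassword: 'wo', krbPrincipalKey: 'wo'
    }
};

// Constructed reply with no rights at all, as _mod returned before 598.
var SAMPLE_MOD_RESULT = { uid: ['admin'] };
```

With SAMPLE_MOD_RESULT every field classifies as 'read-only', which is exactly the "details page is effectively read only after an update" symptom reported above.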
From: rcritten at redhat.com (Rob Crittenden) Date: Fri, 05 Nov 2010 15:20:27 -0400 Subject: [Freeipa-devel] [PATCH] 604 revoke certs when disabling and deleting hosts Message-ID: <4CD458FB.2010507@redhat.com> When a host is deleted we revoke its certificate, if any. When a host keytab is disabled we disable all the keytabs and revoke the certificates of its services. I've also tried to make it more universal to display certificate details when viewing a record with a certificate in it. rob -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-rcrit-604-host.patch Type: text/x-patch Size: 24635 bytes Desc: not available URL: From ayoung at redhat.com Fri Nov 5 20:39:10 2010 From: ayoung at redhat.com (Adam Young) Date: Fri, 05 Nov 2010 16:39:10 -0400 Subject: [Freeipa-devel] [PATCH] 598 add rights to LDAPUpdate base class In-Reply-To: <4CD2C77F.3020205@redhat.com> References: <4CD2C77F.3020205@redhat.com> Message-ID: <4CD46B6E.1070902@redhat.com> On 11/04/2010 10:47 AM, Rob Crittenden wrote: > This makes --rights available to all _mod commands. > > https://fedorahosted.org/freeipa/ticket/437 > > rob > > > _______________________________________________ > Freeipa-devel mailing list > Freeipa-devel at redhat.com > https://www.redhat.com/mailman/listinfo/freeipa-devel ACK pushed to master -------------- next part -------------- An HTML attachment was scrubbed... URL: From ayoung at redhat.com Fri Nov 5 20:42:15 2010 
From: ayoung at redhat.com (Adam Young) Date: Fri, 05 Nov 2010 16:42:15 -0400 Subject: [Freeipa-devel] [PATCH] freeipa-admiyo-0072-3-rights-check.patch In-Reply-To: <4CD45806.7000101@redhat.com> References: <4CCB256B.109@redhat.com> <4CCB7575.8050409@redhat.com> <4CCECE96.8070006@redhat.com> <4CD1564D.4070109@redhat.com> <4CD16961.5040109@redhat.com> <4CD1941E.3090701@redhat.com> <4CD1BCE9.6060408@redhat.com> <4CD2CC40.2070900@redhat.com> <4CD44D05.2040507@redhat.com> <4CD4548F.60304@redhat.com> <4CD45806.7000101@redhat.com> Message-ID: <4CD46C27.6050107@redhat.com> On 11/05/2010 03:16 PM, Rob Crittenden wrote: > Adam Young wrote: >> On 11/05/2010 02:29 PM, Adam Young wrote: >>> Rebased, got the links for add and remove checked as well, and set >>> default to 'rsc' >>> >>> >>> _______________________________________________ >>> Freeipa-devel mailing list >>> Freeipa-devel at redhat.com >>> https://www.redhat.com/mailman/listinfo/freeipa-devel >> A couple of notes: >> >> because _mod does not return rights (even though this code asks for >> them) the details page is effectively read-only after an update. >> >> Password Policy and DNS do not return rights, and are therefore broken >> by this patch. > > There is a patch for _mod (598). Can you open separate tickets for > pwpolicy and DNS? Pavel is hopefully nearly done with the dns rewrite > so it may just magically appear. > > rob Rebased on top of 598 -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-admiyo-0072-4-rights-check.patch Type: text/x-patch Size: 10289 bytes Desc: not available URL: From ayoung at redhat.com Fri Nov 5 20:47:06 2010
From: ayoung at redhat.com (Adam Young)
Date: Fri, 05 Nov 2010 16:47:06 -0400
Subject: [Freeipa-devel] [PATCH] freeipa-admiyo-0072-3-rights-check.patch
In-Reply-To: <4CD46C27.6050107@redhat.com>
References: <4CCB256B.109@redhat.com> <4CCB7575.8050409@redhat.com> <4CCECE96.8070006@redhat.com> <4CD1564D.4070109@redhat.com> <4CD16961.5040109@redhat.com> <4CD1941E.3090701@redhat.com> <4CD1BCE9.6060408@redhat.com> <4CD2CC40.2070900@redhat.com> <4CD44D05.2040507@redhat.com> <4CD4548F.60304@redhat.com> <4CD45806.7000101@redhat.com> <4CD46C27.6050107@redhat.com>
Message-ID: <4CD46D4A.8030401@redhat.com>

On 11/05/2010 04:42 PM, Adam Young wrote:
> On 11/05/2010 03:16 PM, Rob Crittenden wrote:
>> Adam Young wrote:
>>> On 11/05/2010 02:29 PM, Adam Young wrote:
>>>> Rebased, got the links for add and removed checked as well, and set
>>>> default to 'rsc'
>>>
>>> A couple notes:
>>>
>>> because _mod does not return rights (even though this code asks for
>>> them) the details page is effectively read only after an update.
>>>
>>> Password Policy and DNS do not return rights, and are therefore broken
>>> by this patch
>>
>> There is a patch for _mod (598). Can you open separate tickets for
>> pwpolicy and DNS? Pavel is hopefully nearly done with the dns rewrite
>> so it may just magically appear.
>>
>> rob
>
> Rebased on top of 598

Pushed to master
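The default-deny rule discussed in this thread, as an added example that is not code from the patch or from FreeIPA: a field is rendered editable only when the server's attributelevelrights explicitly grants 'w' for that attribute, and an attribute with no reported rights falls back to 'rsc' (read-only). The result shape, helper names and sample entries are assumptions constructed for the illustration.

```javascript
// Added example, not code from the patch or from FreeIPA: the fail-closed
// rights check the thread describes. The result shape, the helper names and
// the sample data are assumptions constructed for this illustration.

// LDAP effective-rights letters: r=read, s=search, c=compare, w=write, o=obliterate.
// 'rsc' is what the UI falls back to when the server reports nothing for an attribute.
var DEFAULT_RIGHTS = 'rsc';

// Rights string for one attribute, defaulting to read-only when absent.
function attribute_rights(rights, attr) {
    if (rights && Object.prototype.hasOwnProperty.call(rights, attr)) {
        return rights[attr];
    }
    return DEFAULT_RIGHTS;
}

// A field may be edited only when write ('w') is explicitly granted.
function is_writable(rights, attr) {
    return attribute_rights(rights, attr).indexOf('w') !== -1;
}

// Decide, for each displayed field, whether to render it editable or read-only.
// 'result' is the entry of a command response; attributelevelrights may be
// missing entirely (the _mod case raised in the thread), which disables every field.
function plan_fields(result, field_names) {
    var rights = result.attributelevelrights;
    var plan = {};
    for (var i = 0; i < field_names.length; i++) {
        plan[field_names[i]] = is_writable(rights, field_names[i]) ? 'editable' : 'readonly';
    }
    return plan;
}

// Diagnostic: attributes present in the entry for which the server reported no
// rights. A non-empty list points at a command that is not returning rights fully.
function attributes_without_rights(result) {
    var rights = result.attributelevelrights || {};
    var missing = [];
    for (var attr in result) {
        if (!Object.prototype.hasOwnProperty.call(result, attr)) { continue; }
        if (attr === 'attributelevelrights' || attr === 'dn') { continue; }
        if (!Object.prototype.hasOwnProperty.call(rights, attr)) {
            missing.push(attr);
        }
    }
    return missing;
}

// Constructed sample: a *_show style entry that carries rights for some attributes.
var SAMPLE_SHOW = {
    dn: 'uid=jdoe,cn=users,cn=accounts,dc=example,dc=test',
    uid: ['jdoe'],
    givenname: ['John'],
    title: ['Engineer'],
    attributelevelrights: { givenname: 'rscwo', sn: 'rscwo', uid: 'rsc' }
};

// Constructed sample: a *_mod style entry that returns no rights at all.
var SAMPLE_MOD = {
    dn: 'uid=jdoe,cn=users,cn=accounts,dc=example,dc=test',
    uid: ['jdoe'],
    givenname: ['John']
};
```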
From: ayoung at redhat.com (Adam Young)
Date: Fri, 05 Nov 2010 17:00:39 -0400
Subject: [Freeipa-devel] Patches needing review
Message-ID: <4CD47077.5040809@redhat.com>

Rob's patches: 593 595 599 600 601 602 603 604
Adam's 0073 (Clear fields upon add)
Jakub's patch 004

Have I missed any?

From: ayoung at redhat.com (Adam Young)
Date: Fri, 05 Nov 2010 17:03:55 -0400
Subject: [Freeipa-devel] [PATCH] freeipa-admiyo-freeipa-0075-Ticket-Expiration.patch
In-Reply-To: <4CD067E9.1080902@redhat.com>
References: <4CD067E9.1080902@redhat.com>
Message-ID: <4CD4713B.8050806@redhat.com>

On 11/02/2010 03:35 PM, Adam Young wrote:
> Ticket Expiration
> This patch handles Kerberos ticket expiration in the UI.
> Additionally it removes the mod_auth_kerb authorization for elements
> in the static directory, cutting down on the number of round trips

Rebased

-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-admiyo-0075-2-Ticket-Expiration.patch
Type: text/x-patch
Size: 10289 bytes
From: edewata at redhat.com (Endi Sukma Dewata)
Date: Fri, 05 Nov 2010 16:25:51 -0500
Subject: [Freeipa-devel] [PATCH] freeipa-admiyo-freeipa-0073-Clear-fields-after-add.patch
In-Reply-To: <4CD195FB.6020300@redhat.com>
References: <4CCEFFA8.1080804@redhat.com> <4CD1567E.1000001@redhat.com> <4CD169D3.4040009@redhat.com> <4CD195FB.6020300@redhat.com>
Message-ID: <4CD4765F.4070109@redhat.com>

On 11/3/2010 12:03 PM, Endi Sukma Dewata wrote:
> On 11/3/2010 8:55 AM, Adam Young wrote:
>> I suspect then that the service add dialog is wrong. This behaviour has
>> been spec'ed and working for a long time. What does it break?
>
> The field.setup(dialog, IPA_ADD_UPDATE) should be called before the add
> operation to allow constructing krbprincipalname from service name and
> hostname. It wouldn't make any sense to call this function after the add
> operation is successfully completed.

Do you have an update for this patch? The problem I mentioned above is still valid. You can test it by adding a new service on a live server. Thanks.

--
Endi S. Dewata

From: edewata at redhat.com (Endi Sukma Dewata)
Date: Fri, 05 Nov 2010 16:26:14 -0500
Subject: [Freeipa-devel] [PATCH] freeipa-admiyo-freeipa-0075-Ticket-Expiration.patch
In-Reply-To: <4CD4713B.8050806@redhat.com>
References: <4CD067E9.1080902@redhat.com> <4CD4713B.8050806@redhat.com>
Message-ID: <4CD47676.7060506@redhat.com>

On 11/5/2010 4:03 PM, Adam Young wrote:
>> Ticket Expiration
>> This patch handles Kerberos ticket expiration in the UI.
>> Additionally it removes the mod_auth_kerb authorization for elements
>> in the static directory, cutting down on the number of round trips
>
> Rebased

It still doesn't apply. Could you double-check? Maybe it's based on some uncommitted patches. Thanks.

--
Endi S. Dewata
From: ayoung at redhat.com (Adam Young)
Date: Fri, 05 Nov 2010 19:52:53 -0400
Subject: [Freeipa-devel] [PATCH] freeipa-admiyo-freeipa-0075-Ticket-Expiration.patch
In-Reply-To: <4CD47676.7060506@redhat.com>
References: <4CD067E9.1080902@redhat.com> <4CD4713B.8050806@redhat.com> <4CD47676.7060506@redhat.com>
Message-ID: <4CD498D5.1040806@redhat.com>

On 11/05/2010 05:26 PM, Endi Sukma Dewata wrote:
> On 11/5/2010 4:03 PM, Adam Young wrote:
>>> Ticket Expiration
>>> This patch handles Kerberos ticket expiration in the UI.
>>> Additionally it removes the mod_auth_kerb authorization for elements
>>> in the static directory, cutting down on the number of round trips
>>
>> Rebased
>
> It still doesn't apply. Could you double-check? Maybe it's based on
> some uncommitted patches. Thanks.

Here it is.

-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-admiyo-0075-3-Ticket-Expiration.patch
Type: text/x-patch
Size: 4698 bytes
From: edewata at redhat.com (Endi Sukma Dewata)
Date: Fri, 05 Nov 2010 23:45:35 -0500
Subject: [Freeipa-devel] [PATCH] freeipa-admiyo-freeipa-0075-Ticket-Expiration.patch
In-Reply-To: <4CD498D5.1040806@redhat.com>
References: <4CD067E9.1080902@redhat.com> <4CD4713B.8050806@redhat.com> <4CD47676.7060506@redhat.com> <4CD498D5.1040806@redhat.com>
Message-ID: <4CD4DD6F.1050508@redhat.com>

On 11/5/2010 6:52 PM, Adam Young wrote:
> Here it is.

ACK-ish.. :)

The error handling on ticket expiration works, but there are some minor issues:

1. The IPA variable is declared twice.

+var IPA;
 var IPA = ( function () {

2. IPA_DEFAULT_JSON_URL should be deleted.

 var IPA_DEFAULT_JSON_URL = '/ipa/json';
+    var default_json_url = '/ipa/json';

3. Is it necessary to call hasOwnProperty() in this loop?
Variable "a" is obtained from attribute_members, so
I think the hasOwnProperty() will always return true.

     for (var a in attribute_members) {
+        if (attribute_members.hasOwnProperty(a)){

If you could fix this before pushing that would be great. Thanks!

--
Endi S. Dewata
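On the third review point, the guard only ever matters when something has added an enumerable property to Object.prototype, which a for-in loop will then visit. The following is an added example, not code from the patch under review; attribute_members is a constructed stand-in for the UI's object and the helper names are assumptions.

```javascript
// Added example (not from the patch under review): when does the
// hasOwnProperty() guard in a for-in loop actually change the result?
// attribute_members below is a constructed stand-in for the UI's object.

// Every key a plain for-in loop visits, with no guard.
function forin_keys(obj) {
    var keys = [];
    for (var a in obj) {
        keys.push(a);
    }
    return keys;
}

// The same loop with the guard JSLint asks for. Calling the check through
// Object.prototype means an object that carries its own 'hasOwnProperty'
// key cannot defeat it.
function own_keys(obj) {
    var keys = [];
    for (var a in obj) {
        if (Object.prototype.hasOwnProperty.call(obj, a)) {
            keys.push(a);
        }
    }
    return keys;
}

// Run fn while Object.prototype carries an extra enumerable property, then
// clean up. This simulates another script on the same page extending
// Object.prototype, which is the only way the guard can fail for a literal.
function with_polluted_prototype(fn) {
    Object.prototype.injected = 'from-another-script';
    try {
        return fn();
    } finally {
        delete Object.prototype.injected;
    }
}

// Constructed sample in the shape the review discusses.
var attribute_members = {
    memberof: ['group', 'netgroup'],
    member: ['user', 'group']
};

// Compare both loops on a clean and on a polluted prototype.
function demo() {
    return {
        clean_forin: forin_keys(attribute_members),
        clean_own: own_keys(attribute_members),
        polluted_forin: with_polluted_prototype(function () { return forin_keys(attribute_members); }),
        polluted_own: with_polluted_prototype(function () { return own_keys(attribute_members); })
    };
}
```

With an untouched Object.prototype both loops agree, which is the reviewer's observation; the guard is what keeps the result stable once some other script has extended the prototype.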
From: edewata at redhat.com (Endi Sukma Dewata)
Date: Fri, 05 Nov 2010 23:53:08 -0500
Subject: [Freeipa-devel] [PATCH] HBAC Access Time
Message-ID: <4CD4DF34.7090901@redhat.com>

Hi,

Please review the attached patch. Thanks!

https://fedorahosted.org/reviewboard/r/102/

IPA commands now can be defined in these classes:
- ipa_command: a single IPA command
- ipa_batch_command: a batch command for executing multiple commands on the server side using the new batch plugin

The dialog boxes for adding and removing entries have been refactored:
- ipa_dialog: base class for dialog boxes
- ipa_adder_dialog: generic adder dialog box
- ipa_deleter_dialog: generic deleter dialog box
- ipa_association_adder_dialog: adding entity association
- ipa_association_deleter_dialog: removing entity association

Dialog boxes for adding/deleting HBAC users, hosts, services, and sourcehosts are implemented using the association dialog boxes.

The dialog box for adding access time is implemented using ipa_dialog and currently contains only a text field. This will be replaced with a custom dialog box in a separate patch.

The dialog box for removing access time is implemented using the generic deleter class because it's not an association. Removing multiple access times is implemented using batch operations.

New test data files for access times have been added.

--
Endi S. Dewata

-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-edewata-0027-HBAC-Access-Time.patch
Type: text/x-patch
Size: 32484 bytes
From: ayoung at redhat.com (Adam Young)
Date: Sat, 06 Nov 2010 20:23:07 -0400
Subject: [Freeipa-devel] [PATCH] HBAC Access Time
In-Reply-To: <4CD4DF34.7090901@redhat.com>
References: <4CD4DF34.7090901@redhat.com>
Message-ID: <4CD5F16B.1010501@redhat.com>

On 11/06/2010 12:53 AM, Endi Sukma Dewata wrote:
> Hi,
>
> Please review the attached patch. Thanks!
>
> https://fedorahosted.org/reviewboard/r/102/
>
> IPA commands now can be defined in these classes:
> - ipa_command: a single IPA command
> - ipa_batch_command: a batch command for executing multiple commands
> on the server side using the new batch plugin
>
> The dialog boxes for adding and removing entries have been refactored:
> - ipa_dialog: base class for dialog boxes
> - ipa_adder_dialog: generic adder dialog box
> - ipa_deleter_dialog: generic deleter dialog box
> - ipa_association_adder_dialog: adding entity association
> - ipa_association_deleter_dialog: removing entity association
>
> Dialog boxes for adding/deleting HBAC users, hosts, services, and
> sourcehosts are implemented using the association dialog boxes.
>
> The dialog box for adding access time is implemented using ipa_dialog
> and currently contains only a text field. This will be replaced with a
> custom dialog box in a separate patch.
>
> The dialog box for removing access time is implemented using the
> generic deleter class because it's not an association. Removing multiple
> access times is implemented using batch operations.
>
> New test data files for access times have been added.

The Time Dialog needs a format. I couldn't guess a value that it would accept. The retry/cancel message is really confusing, too. Tried 1200, 12:00 and 1200-1300.

1. Put in text showing the format.
2. Validate using a regex
3. Don't use the standard error handling, show the error inside the dialog box that has the time in it.
From: ayoung at redhat.com (Adam Young)
Date: Sun, 07 Nov 2010 20:13:54 -0500
Subject: [Freeipa-devel] [PATCH] HBAC Access Time
In-Reply-To: <4CD5F16B.1010501@redhat.com>
References: <4CD4DF34.7090901@redhat.com> <4CD5F16B.1010501@redhat.com>
Message-ID: <4CD74ED2.9010805@redhat.com>

On 11/06/2010 08:23 PM, Adam Young wrote:
> On 11/06/2010 12:53 AM, Endi Sukma Dewata wrote:
>> Hi,
>>
>> Please review the attached patch. Thanks!
>>
>> https://fedorahosted.org/reviewboard/r/102/
>>
>> IPA commands now can be defined in these classes:
>> - ipa_command: a single IPA command
>> - ipa_batch_command: a batch command for executing multiple commands
>> on the server side using the new batch plugin
>>
>> The dialog boxes for adding and removing entries have been refactored:
>> - ipa_dialog: base class for dialog boxes
>> - ipa_adder_dialog: generic adder dialog box
>> - ipa_deleter_dialog: generic deleter dialog box
>> - ipa_association_adder_dialog: adding entity association
>> - ipa_association_deleter_dialog: removing entity association
>>
>> Dialog boxes for adding/deleting HBAC users, hosts, services, and
>> sourcehosts are implemented using the association dialog boxes.
>>
>> The dialog box for adding access time is implemented using ipa_dialog
>> and currently contains only a text field. This will be replaced with a
>> custom dialog box in a separate patch.
>>
>> The dialog box for removing access time is implemented using the
>> generic deleter class because it's not an association. Removing multiple
>> access times is implemented using batch operations.
>>
>> New test data files for access times have been added.
>
> The Time Dialog needs a format. I couldn't guess a value that it
> would accept. The retry/cancel message is really confusing, too.
> Tried 1200, 12:00 and 1200-1300.
>
> 1. Put in text showing the format.
> 2. Validate using a regex
> 3. Don't use the standard error handling, show the error inside the
> dialog box that has the time in it.

The rest of the patch looks good. I think we can get away with just a comment on the time format for this, get it checked in, and do the follow on work in another patch.

From: jzeleny at redhat.com (Jan Zelený)
Date: Mon, 8 Nov 2010 09:26:12 +0100
Subject: [Freeipa-devel] [PATCH] Modified ipa help behavior
Message-ID: <201011080926.12248.jzeleny@redhat.com>

Now each plugin can define its topic as a 2-tuple, where the first item is the name of topic it belongs to and the second item is a description of such topic. Topic descriptions must be the same for all modules belonging to the topic.

By using these topics, it is possible to group plugins as we see fit. When asking for help for a particular topic, help for all modules in given topic is written.

ipa help - show all topics (until now it showed all plugins)
ipa help - show details to given topic

https://fedorahosted.org/freeipa/ticket/410

--
Thank you
Jan Zeleny
Red Hat Software Engineer
Brno, Czech Republic

-------------- next part --------------
A non-text attachment was scrubbed...
Name: jzeleny-freeipa-0001-Modified-ipa-help.patch
Type: text/x-patch
Size: 15775 bytes
From: jzeleny at redhat.com (Jan Zelený)
Date: Mon, 8 Nov 2010 10:54:00 +0100
Subject: [Freeipa-devel] [PATCH] Modified ipa help behavior
In-Reply-To: <201011080926.12248.jzeleny@redhat.com>
References: <201011080926.12248.jzeleny@redhat.com>
Message-ID: <201011081054.00482.jzeleny@redhat.com>

Jan Zelený wrote:
> Now each plugin can define its topic as a 2-tuple, where the first
> item is the name of topic it belongs to and the second item is
> a description of such topic. Topic descriptions must be the same
> for all modules belonging to the topic.
>
> By using these topics, it is possible to group plugins as we see fit.
> When asking for help for a particular topic, help for all modules
> in given topic is written.
>
> ipa help - show all topics (until now it showed all plugins)
> ipa help - show details to given topic
>
> https://fedorahosted.org/freeipa/ticket/410

Sorry for the wrong sequence number, sending the correct one now.

--
Thank you
Jan Zeleny
Red Hat Software Engineer
Brno, Czech Republic

-------------- next part --------------
A non-text attachment was scrubbed...
Name: jzeleny-freeipa-0004-Modified-ipa-help.patch
Type: text/x-patch
Size: 15775 bytes
From: jzeleny at redhat.com (Jan Zelený)
Date: Mon, 8 Nov 2010 11:07:21 +0100
Subject: [Freeipa-devel] [PATCH] 0001 Ensure that Apache is running in Prefork mode
In-Reply-To: <4CD1717F.4020003@redhat.com>
References: <201011021617.20977.jzeleny@redhat.com> <4CD1717F.4020003@redhat.com>
Message-ID: <201011081107.21728.jzeleny@redhat.com>

Rob Crittenden wrote:
> Jan Zelený wrote:
> > I tried one other solution, but this approach was recommended to me by
> > Pavel. It seems to be working fine. If you don't agree with the concept
> > (detection per request), I can present you the original one.
> >
> > https://fedorahosted.org/freeipa/ticket/252
> >
> > Jan
>
> nack. I think we need some logging to say "IPA does not work with the
> threaded MPM, use the pre-fork MPM" or something like that.
>
> Otherwise it is going to silently fail and users will have no idea why.

I added logging as you requested. I'm still not quite sure how the logging works exactly, but as I understand it, this way it should be ok.

Jan

-------------- next part --------------
A non-text attachment was scrubbed...
Name: jzeleny-freeipa-0001-02-Ensure-that-Apache-is-running-with-MPM-Prefork.patch
Type: text/x-patch
Size: 1004 bytes
From: jhrozek at redhat.com (Jakub Hrozek)
Date: Mon, 08 Nov 2010 13:06:41 +0100
Subject: [Freeipa-devel] [PATCH] 596 remove ipa-fix-CVE-2008-3274
In-Reply-To: <4CD1A164.70601@redhat.com>
References: <4CD1A164.70601@redhat.com>
Message-ID: <4CD7E7D1.9030303@redhat.com>

On 11/03/2010 06:52 PM, Rob Crittenden wrote:
> This tool was designed to fix CVE-2008-3274. This configuration is
> default now in V2 so this isn't needed now.
>
> https://fedorahosted.org/freeipa/ticket/331
>
> rob

Ack

From: jhrozek at redhat.com (Jakub Hrozek)
Date: Mon, 08 Nov 2010 15:53:03 +0100
Subject: [Freeipa-devel] [PATCH] 595 add additional hbac services
In-Reply-To: <4CD1853B.7030807@redhat.com>
References: <4CD1853B.7030807@redhat.com>
Message-ID: <4CD80ECF.70405@redhat.com>

On 11/03/2010 04:52 PM, Rob Crittenden wrote:
> Add gdm, gdm-password and kdm as default hbac services.
>
> ticket https://fedorahosted.org/freeipa/ticket/307
>
> rob

Ack
From: ayoung at redhat.com (Adam Young)
Date: Mon, 08 Nov 2010 10:13:11 -0500
Subject: [Freeipa-devel] [PATCH] freeipa-admiyo-freeipa-0073-Clear-fields-after-add.patch
In-Reply-To: <4CD4765F.4070109@redhat.com>
References: <4CCEFFA8.1080804@redhat.com> <4CD1567E.1000001@redhat.com> <4CD169D3.4040009@redhat.com> <4CD195FB.6020300@redhat.com> <4CD4765F.4070109@redhat.com>
Message-ID: <4CD81387.1070203@redhat.com>

On 11/05/2010 05:25 PM, Endi Sukma Dewata wrote:
> On 11/3/2010 12:03 PM, Endi Sukma Dewata wrote:
>> On 11/3/2010 8:55 AM, Adam Young wrote:
>>> I suspect then that the service add dialog is wrong. This behaviour has
>>> been spec'ed and working for a long time. What does it break?
>>
>> The field.setup(dialog, IPA_ADD_UPDATE) should be called before the add
>> operation to allow constructing krbprincipalname from service name and
>> hostname. It wouldn't make any sense to call this function after the add
>> operation is successfully completed.
>
> Do you have an update for this patch? The problem I mentioned above is
> still valid. You can test it by adding a new service on a live server.
> Thanks.

I now see what I broke: I had mismatched the brackets.

-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-admiyo-0073-2-Clear-fields-after-add.patch
Type: text/x-patch
Size: 1603 bytes
From: rcritten at redhat.com (Rob Crittenden)
Date: Mon, 08 Nov 2010 11:10:06 -0500
Subject: [Freeipa-devel] [PATCH] 605 use diff user for dogtag DS instance
Message-ID: <4CD820DE.9030800@redhat.com>

Use a different user for the dogtag DS instance. This prevents an error during uninstall of trying to remove the dirsrv user when the dogtag DS instance is removed.

I also added a ipactl stop to the beginning of the uninstall process. We will try to stop each service individually during uninstall but stopping them all first is cleaner. It's how I've been uninstalling anything for months now (ipactl stop && ipa-server-install --uninstall -U).

ticket https://fedorahosted.org/freeipa/ticket/349

rob

-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-rcrit-605-uninstal.patch
Type: text/x-patch
Size: 1547 bytes
From: edewata at redhat.com (Endi Sukma Dewata)
Date: Mon, 08 Nov 2010 10:20:41 -0600
Subject: [Freeipa-devel] [PATCH] freeipa-admiyo-freeipa-0073-Clear-fields-after-add.patch
In-Reply-To: <4CD81387.1070203@redhat.com>
References: <4CCEFFA8.1080804@redhat.com> <4CD1567E.1000001@redhat.com> <4CD169D3.4040009@redhat.com> <4CD195FB.6020300@redhat.com> <4CD4765F.4070109@redhat.com> <4CD81387.1070203@redhat.com>
Message-ID: <4CD82359.5010806@redhat.com>

On 11/8/2010 9:13 AM, Adam Young wrote:
> On 11/05/2010 05:25 PM, Endi Sukma Dewata wrote:
>> On 11/3/2010 12:03 PM, Endi Sukma Dewata wrote:
>>> On 11/3/2010 8:55 AM, Adam Young wrote:
>>>> I suspect then that the service add dialog is wrong. This behaviour has
>>>> been spec'ed and working for a long time. What does it break?
>>>
>>> The field.setup(dialog, IPA_ADD_UPDATE) should be called before the add
>>> operation to allow constructing krbprincipalname from service name and
>>> hostname. It wouldn't make any sense to call this function after the add
>>> operation is successfully completed.
>>
>> Do you have an update for this patch? The problem I mentioned above is
>> still valid. You can test it by adding a new service on a live server.
>> Thanks.
>
> I now see what I broke: I had mismatched the brackets.

ACKed and pushed to master.

--
Endi S. Dewata

From: dpal at redhat.com (Dmitri Pal)
Date: Mon, 08 Nov 2010 12:31:23 -0500
Subject: [Freeipa-devel] Fields in the tickets
Message-ID: <4CD833EB.8060802@redhat.com>

Hi,

Please do not forget to check the "Affects CLI" and newly added "Affects DOC" checkboxes when closing tickets when the work done changes the signature or output of the CLI or needs to be documented.

--
Thank you,
Dmitri Pal

Sr. Engineering Manager IPA project,
Red Hat Inc.

-------------------------------
Looking to carve out IT costs?
www.redhat.com/carveoutcosts/
From: jhrozek at redhat.com (Jakub Hrozek)
Date: Mon, 08 Nov 2010 18:05:06 +0100
Subject: [Freeipa-devel] [PATCH] 599 add usercat and hostcat to netgroups
In-Reply-To: <4CD307A2.20207@redhat.com>
References: <4CD307A2.20207@redhat.com>
Message-ID: <4CD82DC2.5000205@redhat.com>

On 11/04/2010 08:21 PM, Rob Crittenden wrote:
> The netgroup plugin was missing the usercategory and hostcategory
> associations. This adds them and fixes displaying membership in
> netgroup_show.
>
> rob

The code looks OK and works, but why use enum when there's only one allowed value? A bool switch would be more intuitive, I think..

From: ayoung at redhat.com (Adam Young)
Date: Mon, 08 Nov 2010 13:01:47 -0500
Subject: [Freeipa-devel] [PATCH] admiyo-0077-Disable-Enable-user
Message-ID: <4CD83B0B.9030109@redhat.com>

-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-admiyo-0077-Disable-Enable-user.patch
Type: text/x-patch
Size: 6804 bytes

From: ayoung at redhat.com (Adam Young)
Date: Mon, 08 Nov 2010 13:30:22 -0500
Subject: [Freeipa-devel] [PATCH] admiyo-0078-link-indications
Message-ID: <4CD841BE.303@redhat.com>

-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-admiyo-0078-link-indications.patch
Type: text/x-patch
Size: 1047 bytes
From: rcritten at redhat.com (Rob Crittenden)
Date: Mon, 08 Nov 2010 13:52:34 -0500
Subject: [Freeipa-devel] [PATCH] 599 add usercat and hostcat to netgroups
In-Reply-To: <4CD82DC2.5000205@redhat.com>
References: <4CD307A2.20207@redhat.com> <4CD82DC2.5000205@redhat.com>
Message-ID: <4CD846F2.4020302@redhat.com>

Jakub Hrozek wrote:
> On 11/04/2010 08:21 PM, Rob Crittenden wrote:
>> The netgroup plugin was missing the usercategory and hostcategory
>> associations. This adds them and fixes displaying membership in
>> netgroup_show.
>>
>> rob
>
> The code looks OK and works, but why use enum when there's only one
> allowed value? A bool switch would be more intuitive, I think..

So we don't have to change the type later. It is expected that at some point these will have additional values.

rob

From: rcritten at redhat.com (Rob Crittenden)
Date: Mon, 08 Nov 2010 14:13:48 -0500
Subject: [Freeipa-devel] [PATCH] 606 IPA v1.2.2 binary location fix
Message-ID: <4CD84BEC.7040309@redhat.com>

Fix for IPA v1.2.2 bug https://bugzilla.redhat.com/show_bug.cgi?id=650725

The problem is in Fedora 14 the kerberos binaries were moved so our tools all fail. This makes the run() call more generic by using PATH to find binaries.

rob

-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-rcrit-606-env.patch
Type: text/x-patch
Size: 6926 bytes
From: ayoung at redhat.com (Adam Young)
Date: Mon, 08 Nov 2010 14:19:09 -0500
Subject: [Freeipa-devel] [PATCH] freeipa-admiyo-freeipa-0075-Ticket-Expiration.patch
In-Reply-To: <4CD4DD6F.1050508@redhat.com>
References: <4CD067E9.1080902@redhat.com> <4CD4713B.8050806@redhat.com> <4CD47676.7060506@redhat.com> <4CD498D5.1040806@redhat.com> <4CD4DD6F.1050508@redhat.com>
Message-ID: <4CD84D2D.3080909@redhat.com>

On 11/06/2010 12:45 AM, Endi Sukma Dewata wrote:
> On 11/5/2010 6:52 PM, Adam Young wrote:
>> Here it is.
>
> ACK-ish.. :)
>
> The error handling on ticket expiration works, but there are some
> minor issues:
>
> 1. The IPA variable is declared twice.
>
> +var IPA;
>  var IPA = ( function () {
>
> 2. IPA_DEFAULT_JSON_URL should be deleted.
>
>  var IPA_DEFAULT_JSON_URL = '/ipa/json';
> +    var default_json_url = '/ipa/json';
>
> 3. Is it necessary to call hasOwnProperty() in this loop?
> Variable "a" is obtained from attribute_members, so
> I think the hasOwnProperty() will always return true.
>
>      for (var a in attribute_members) {
> +        if (attribute_members.hasOwnProperty(a)){
>
> If you could fix this before pushing that would be great. Thanks!

Fixed and pushed to master. The hasOwnProperty check was for JSLint, but I think that it is actually wrong in this situation, and I removed it.

From: rcritten at redhat.com (Rob Crittenden)
Date: Mon, 08 Nov 2010 14:23:16 -0500
Subject: [Freeipa-devel] [PATCH] 595 add additional hbac services
In-Reply-To: <4CD80ECF.70405@redhat.com>
References: <4CD1853B.7030807@redhat.com> <4CD80ECF.70405@redhat.com>
Message-ID: <4CD84E24.7060105@redhat.com>

Jakub Hrozek wrote:
> On 11/03/2010 04:52 PM, Rob Crittenden wrote:
>> Add gdm, gdm-password and kdm as default hbac services.
>>
>> ticket https://fedorahosted.org/freeipa/ticket/307
>>
>> rob
>
> Ack

pushed to master
From: rcritten at redhat.com (Rob Crittenden)
Date: Mon, 08 Nov 2010 14:23:42 -0500
Subject: [Freeipa-devel] [PATCH] 596 remove ipa-fix-CVE-2008-3274
In-Reply-To: <4CD7E7D1.9030303@redhat.com>
References: <4CD1A164.70601@redhat.com> <4CD7E7D1.9030303@redhat.com>
Message-ID: <4CD84E3E.1060903@redhat.com>

Jakub Hrozek wrote:
> On 11/03/2010 06:52 PM, Rob Crittenden wrote:
>> This tool was designed to fix CVE-2008-3274. This configuration is
>> default now in V2 so this isn't needed now.
>>
>> https://fedorahosted.org/freeipa/ticket/331
>>
>> rob
>
> Ack

pushed to master

From: rcritten at redhat.com (Rob Crittenden)
Date: Mon, 08 Nov 2010 15:00:30 -0500
Subject: [Freeipa-devel] [PATCH] 004 Log script options to logfile
In-Reply-To: <4CCF173F.8080204@redhat.com>
References: <4CCF173F.8080204@redhat.com>
Message-ID: <4CD856DE.5090406@redhat.com>

Jakub Hrozek wrote:
> Uses a new subclass IPAOptionParser in scripts instead of OptionParser
> from the standard python library. IPAOptionParser uses its own IPAOption
> class to store options, which adds a new 'sensitive' attribute.
>
> https://fedorahosted.org/freeipa/ticket/393

This is a good start and does what I requested, I just wasn't clear enough in the request.

I think we should log the interactive data as well.

This patch is fine as-is so I'll give you a choice:

1. You can update this patch and log those things that will be queried if not provided on the CLI.
2. I can ACK and push this and we can open a new ticket for additional enhancements.

rob
From: jhrozek at redhat.com (Jakub Hrozek)
Date: Mon, 08 Nov 2010 21:12:23 +0100
Subject: [Freeipa-devel] [PATCH] 004 Log script options to logfile
In-Reply-To: <4CD856DE.5090406@redhat.com>
References: <4CCF173F.8080204@redhat.com> <4CD856DE.5090406@redhat.com>
Message-ID: <4CD859A7.4030604@redhat.com>

On 11/08/2010 09:00 PM, Rob Crittenden wrote:
> Jakub Hrozek wrote:
>> Uses a new subclass IPAOptionParser in scripts instead of OptionParser
>> from the standard python library. IPAOptionParser uses its own IPAOption
>> class to store options, which adds a new 'sensitive' attribute.
>>
>> https://fedorahosted.org/freeipa/ticket/393
>
> This is a good start and does what I requested, I just wasn't clear
> enough in the request.
>
> I think we should log the interactive data as well.

Oh, right..

> This patch is fine as-is so I'll give you a choice:
>
> 1. You can update this patch and log those things that will be queried
> if not provided on the CLI.

I'd prefer this option. The patch really is incomplete.
From: jhrozek at redhat.com (Jakub Hrozek)
Date: Mon, 08 Nov 2010 21:13:51 +0100
Subject: [Freeipa-devel] [PATCH] 599 add usercat and hostcat to netgroups
In-Reply-To: <4CD846F2.4020302@redhat.com>
References: <4CD307A2.20207@redhat.com> <4CD82DC2.5000205@redhat.com> <4CD846F2.4020302@redhat.com>
Message-ID: <4CD859FF.7020300@redhat.com>

On 11/08/2010 07:52 PM, Rob Crittenden wrote:
> So we don't have to change the type later. It is expected that at some
> point these will have additional values.
>
> rob

OK, that's what I thought, but I wanted to have this confirmed before giving an ack..

Ack now. Thanks for the explanation.
From: rcritten at redhat.com (Rob Crittenden)
Date: Mon, 08 Nov 2010 15:23:21 -0500
Subject: [Freeipa-devel] [PATCH] 001 Clarify the description of --raw and -all
In-Reply-To: <4CD02E22.4060909@redhat.com>
References: <4CCAE263.1000809@redhat.com> <4CCB163D.8020709@redhat.com> <4CD02E22.4060909@redhat.com>
Message-ID: <4CD85C39.4010107@redhat.com>

Jakub Hrozek wrote:
> On 10/29/2010 08:45 PM, Rob Crittenden wrote:
>> Jakub Hrozek wrote:
>>> https://fedorahosted.org/freeipa/ticket/244
>>>
>>> If I understand the code correctly, --all is not really a parameter that
>>> affects only output, it also causes all attributes to be retrieved from
>>> the server, so I have adjusted the description just a little.
>>>
>>> --raw now mentions it only affects output.
>>
>> nack, --all only affects output as well.
>
> When I said that it doesn't only affect output, I was referring to this
> part of baseldap.py:
>
>     if options.get('all', False):
>         attrs_list = ['*']
>     else:
>         attrs_list = list(self.obj.default_attributes)
>
> I don't have strong feeling about this, but what I wanted to make clear
> in the help message was that it /can/ have performance impact as the
> ldap query is different. We can for instance have an object in LDAP that
> has attribute containing user avatar binary blob or something like
> that..in which case, --all would fetch it from the server, right?
>
> But I agree that for user, this is 'behind the scenes', so I'm not
> opposed to changing the string..new patch attached..

ack, pushed to master

rob

From rcritten at redhat.com Mon Nov 8 20:23:56 2010
From: rcritten at redhat.com (Rob Crittenden)
Date: Mon, 08 Nov 2010 15:23:56 -0500
Subject: [Freeipa-devel] [PATCH] 599 add usercat and hostcat to netgroups
In-Reply-To: <4CD859FF.7020300@redhat.com>
References: <4CD307A2.20207@redhat.com> <4CD82DC2.5000205@redhat.com> <4CD846F2.4020302@redhat.com> <4CD859FF.7020300@redhat.com>
Message-ID: <4CD85C5C.506@redhat.com>

Jakub Hrozek wrote:
> On 11/08/2010 07:52 PM, Rob Crittenden wrote:
>> So we don't have to change the type later. It is expected that at some
>> point these will have additional values.
>>
>> rob
>
> OK, that's what I thought, but I wanted to have this confirmed before
> giving an ack..
>
> Ack now. Thanks for the explanation.

thanks, pushed to master

From rcritten at redhat.com Mon Nov 8 20:55:35 2010
From: rcritten at redhat.com (Rob Crittenden)
Date: Mon, 08 Nov 2010 15:55:35 -0500
Subject: [Freeipa-devel] [PATCH] 0002 Rewrite the migration page using WSGI
In-Reply-To: <4CD02708.60304@redhat.com>
References: <4CCAE292.6020602@redhat.com> <4CCF8478.3030807@redhat.com> <4CD02708.60304@redhat.com>
Message-ID: <4CD863C7.1060806@redhat.com>

Jakub Hrozek wrote:
> (resending to the list, I accidentally replied to Rob only before..)
>
> On 11/02/2010 04:24 AM, Rob Crittenden wrote:
>> Jakub Hrozek wrote:
>>> https://fedorahosted.org/freeipa/ticket/154
>>>
>>> The second patch removes the /ipatest section that has been commented
>>> out in ipa.conf anyway..plus, we don't ship /usr/share/ipatest anymore
>>> :-)
>>
>> Migration doesn't seem to be working. The migration page itself comes up
>> fine and prompts for data but when I enter the password of a migrated
>> user I don't seem to be getting valid kerberos keys. kinit doesn't work
>> in any case. It could also be that I'm tired. Does a migrated account
>> work for you?
>>
>
> It does for me -- or at least I think it's working. This is how I tested:
> 1) migrate users from LDAP using the migrate-ds plugin.
> 2) try kinit - preauth will fail
> 3) go to the migration page, enter username/password. This redirects me
> to the ui page if the credentials are correct.
> 4) kinit for the user works now
>
> This is on the current master + the two patches under review, on a F13
> host migrating from 389 DS on another F13 machine.

I still can't get this to work on my F12 machine. The LDAP password is ok,
I confirmed that with ldapsearch. My process is as yours. I get redirected
to the UI page which fails because I haven't done a kinit yet. I go do the
kinit and that fails.

The KDC is logging:

Nov 08 15:48:48 panther.example.com krb5kdc[23964](info): AS_REQ (7 etypes {18 17 16 23 1 3 2}) 192.168.166.34: NEEDED_PREAUTH: tuser2 at EXAMPLE.COM for krbtgt/EXAMPLE.COM at EXAMPLE.COM, Additional pre-authentication required
Nov 08 15:48:50 panther.example.com krb5kdc[23964](info): preauth (timestamp) verify failure: Decrypt integrity check failed
Nov 08 15:48:50 panther.example.com krb5kdc[23964](info): AS_REQ (7 etypes {18 17 16 23 1 3 2}) 192.168.166.34: PREAUTH_FAILED: tuser2 at EXAMPLE.COM for krbtgt/EXAMPLE.COM at EXAMPLE.COM, Decrypt integrity check failed

I think the timestamp part is bogus, I think this just means the password
is bad.

I noticed that krbPrincipalKey is getting migrated as well. If I delete
this before trying the migration the password works.

I find it unlikely that this is related to your mod_wsgi conversion so I'm
going to open a separate ticket on that and ack your changes.

ACK

rob

>
>> This could be related to redoing the 389-ds password plugin as I did all
>> previous testing before we did the file split.
>>
>>> I also have two questions:
>>> 1) how should exceptions be handled? In the patch, I only explicitly
>>> handle exceptions that could happen very easily (like, password being
>>> wrong, or the LDAP server down..). Anything else would just trigger 500
>>> Server Error..
>>
>> I think that's ok as long as we provide enough logging to point the
>> admin in the right direction.
>>
>>> 2) When playing with the migration command line plugin, I noticed that
>>> it can only handle RFC2307bis groups (member: dn) and has the
>>> objectclass for groups hardcoded to
>>> "(|(objectclass=groupOfNames)(objectclass=groupOfUniqueNames))". I think
>>> it would be worthwhile (and easy, too!) to modify the plugin to accept
>>> also RFC2307 schema and allow specifying a different objectclass
>>> (posixGroup might come handy..). Thoughts?
>>
>> Yes, that sounds like a good enhancement. Great idea.
>>
>
> OK:
> https://fedorahosted.org/freeipa/ticket/429
>
> (taken, since I was already poking at the plugin anyway)
>

From jhrozek at redhat.com Mon Nov 8 21:14:18 2010
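An added example, not from the thread: a small Python parser for the krb5kdc log format Rob quotes above, run over constructed sample lines, that counts AS_REQ outcomes per client and flags principals that keep hitting PREAUTH_FAILED. Repeated "Decrypt integrity check failed" answers for one principal are what both a wrong password and a stale migrated krbPrincipalKey look like from the KDC side, so this is the view an operator would check before blaming the web front end. The sample log is constructed (the archive prints '@' as ' at '; real KDC output and the sample use '@'); the ISSUE line format and all function names are assumptions.

```python
"""Parse krb5kdc log lines and flag clients that keep failing pre-authentication."""
import re
from collections import Counter, defaultdict

# Constructed sample in the format quoted above (not a real capture).
SAMPLE_KDC_LOG = """\
Nov 08 15:48:48 panther.example.com krb5kdc[23964](info): AS_REQ (7 etypes {18 17 16 23 1 3 2}) 192.168.166.34: NEEDED_PREAUTH: tuser2@EXAMPLE.COM for krbtgt/EXAMPLE.COM@EXAMPLE.COM, Additional pre-authentication required
Nov 08 15:48:50 panther.example.com krb5kdc[23964](info): preauth (timestamp) verify failure: Decrypt integrity check failed
Nov 08 15:48:50 panther.example.com krb5kdc[23964](info): AS_REQ (7 etypes {18 17 16 23 1 3 2}) 192.168.166.34: PREAUTH_FAILED: tuser2@EXAMPLE.COM for krbtgt/EXAMPLE.COM@EXAMPLE.COM, Decrypt integrity check failed
Nov 08 15:49:02 panther.example.com krb5kdc[23964](info): AS_REQ (7 etypes {18 17 16 23 1 3 2}) 192.168.166.34: NEEDED_PREAUTH: tuser2@EXAMPLE.COM for krbtgt/EXAMPLE.COM@EXAMPLE.COM, Additional pre-authentication required
Nov 08 15:49:03 panther.example.com krb5kdc[23964](info): preauth (timestamp) verify failure: Decrypt integrity check failed
Nov 08 15:49:03 panther.example.com krb5kdc[23964](info): AS_REQ (7 etypes {18 17 16 23 1 3 2}) 192.168.166.34: PREAUTH_FAILED: tuser2@EXAMPLE.COM for krbtgt/EXAMPLE.COM@EXAMPLE.COM, Decrypt integrity check failed
Nov 08 15:50:10 panther.example.com krb5kdc[23964](info): AS_REQ (7 etypes {18 17 16 23 1 3 2}) 192.168.166.40: NEEDED_PREAUTH: admin@EXAMPLE.COM for krbtgt/EXAMPLE.COM@EXAMPLE.COM, Additional pre-authentication required
Nov 08 15:50:11 panther.example.com krb5kdc[23964](info): AS_REQ (7 etypes {18 17 16 23 1 3 2}) 192.168.166.40: ISSUE: authtime 1289249411, etypes {rep=18 tkt=18 ses=18}, admin@EXAMPLE.COM for krbtgt/EXAMPLE.COM@EXAMPLE.COM
"""

# "Mon DD HH:MM:SS host krb5kdc[pid](level): message"
LINE_RE = re.compile(
    r'^(?P<ts>[A-Z][a-z]{2} \d{2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) '
    r'krb5kdc\[(?P<pid>\d+)\]\((?P<level>\w+)\): (?P<msg>.*)$')
# "AS_REQ (<etypes>) <client ip>: <STATUS>: <rest>"
AS_REQ_RE = re.compile(
    r'^AS_REQ \((?P<etypes>[^)]*)\) (?P<client_ip>\S+): '
    r'(?P<status>[A-Z_]+): (?P<rest>.*)$')
# "<client principal> for <server principal>" somewhere in <rest>
PRINCIPALS_RE = re.compile(
    r'(?P<client>[^\s,]+@[^\s,]+) for (?P<server>[^\s,]+@[^\s,]+)')
PREAUTH_RE = re.compile(r'^preauth \((?P<mech>\w+)\) verify failure: (?P<detail>.*)$')


def parse_kdc_log(text):
    """Return one dict per recognised log line; unparsable lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ev = {'ts': m.group('ts'), 'host': m.group('host'),
              'pid': int(m.group('pid')), 'level': m.group('level'),
              'kind': 'other', 'msg': m.group('msg')}
        a = AS_REQ_RE.match(ev['msg'])
        if a:
            ev['kind'] = 'AS_REQ'
            ev['client_ip'] = a.group('client_ip')
            ev['status'] = a.group('status')
            p = PRINCIPALS_RE.search(a.group('rest'))
            ev['client'] = p.group('client') if p else None
            ev['server'] = p.group('server') if p else None
            # Whatever follows the principals is the KDC's reason string.
            ev['detail'] = a.group('rest')[p.end():].lstrip(', ') if p else a.group('rest')
        else:
            pa = PREAUTH_RE.match(ev['msg'])
            if pa:
                ev['kind'] = 'preauth_failure'
                ev['mech'] = pa.group('mech')
                ev['detail'] = pa.group('detail')
        events.append(ev)
    return events


def outcomes_by_client(events):
    """Count AS_REQ statuses per (client principal, client IP)."""
    counts = defaultdict(Counter)
    for ev in events:
        if ev['kind'] == 'AS_REQ' and ev['client']:
            counts[(ev['client'], ev['client_ip'])][ev['status']] += 1
    return dict(counts)


def flag_preauth_failures(events, threshold=3):
    """(client, ip, failed, issued) for clients with >= threshold PREAUTH_FAILED.

    A high failed count with zero ISSUE is consistent with a key that never
    matches the password offered (stale krbPrincipalKey after migration) as
    much as with password guessing; the count alone does not say which.
    """
    hits = []
    for (client, ip), c in outcomes_by_client(events).items():
        if c['PREAUTH_FAILED'] >= threshold:
            hits.append((client, ip, c['PREAUTH_FAILED'], c['ISSUE']))
    return sorted(hits, key=lambda h: (-h[2], h[0], h[1]))


if __name__ == '__main__':
    for hit in flag_preauth_failures(parse_kdc_log(SAMPLE_KDC_LOG), threshold=2):
        print('%s from %s: %d preauth failures, %d tickets issued' % hit)
```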
From: jhrozek at redhat.com (Jakub Hrozek)
Date: Mon, 08 Nov 2010 22:14:18 +0100
Subject: [Freeipa-devel] [PATCH] Fix a couple of problems in C code
Message-ID: <4CD8682A.40805@redhat.com>

[PATCH 1/6] Common include file for SLAPI plugin logging

Consolidate the common logging macros into common/util.h and use them in
SLAPI plugins instead of calling slapi_log_error() directly.

https://fedorahosted.org/freeipa/ticket/408

[PATCH 2/6] Stricter compilation flags

Use a little stricter compilation flags, in particular -Wall and treat
implicit function declarations as errors.

[PATCH 3/6] Use internal implementation of internal Kerberos functions

Don't use KRB5_PRIVATE. The patch implements and uses the following krb5
functions that are otherwise private in recent MIT Kerberos releases:
  * krb5_principal2salt_norealm
  * krb5_free_ktypes

[PATCH 4/6] Don't use deprecated ldap_bind_s

ldap_bind_s is marked as deprecated in new libldap releases.

[PATCH 5/6] Silence compilation warnings in SLAPI plugins

The most important part of the patch is exporting hexbuf() in ipapwd.h

Also uses strcasecmp() instead of PL_strcasecmp() since we were not
including nspr headers and linking against it - I hope this is OK, we can
revert if we need to be portable to platforms with no strcasecmp().

The rest are cosmetic fixes.

[PATCH 6/6] ipa-client code cleanup

Fixes errors about implicit function declaration and moves duplicated
gettext code into a common module. Also silences some warnings.

Patches 3 - 6 fix https://fedorahosted.org/freeipa/ticket/454

-------------- next part --------------
A non-text attachment was scrubbed... Name: jhrozek-freeipa-0005-Common-include-file-for-SLAPI-plugin-logging.patch Type: text/x-patch Size: 81063 bytes
-------------- next part --------------
A non-text attachment was scrubbed... Name: jhrozek-freeipa-0006-Stricter-compilation-flags.patch Type: text/x-patch Size: 6305 bytes
-------------- next part --------------
A non-text attachment was scrubbed... Name: jhrozek-freeipa-0007-Use-internal-implementation-of-internal-Kerberos-fun.patch Type: text/x-patch Size: 5561 bytes
-------------- next part --------------
A non-text attachment was scrubbed... Name: jhrozek-freeipa-0008-Don-t-use-deprecated-ldap_bind_s.patch Type: text/x-patch Size: 1356 bytes
-------------- next part --------------
A non-text attachment was scrubbed... Name: jhrozek-freeipa-0009-Silence-compilation-warnings-in-SLAPI-plugins.patch Type: text/x-patch Size: 18020 bytes
-------------- next part --------------
A non-text attachment was scrubbed... Name: jhrozek-freeipa-0010-ipa-client-code-cleanup.patch Type: text/x-patch Size: 9125 bytes

From ssorce at redhat.com Mon Nov 8 21:24:08 2010
From: ssorce at redhat.com (Simo Sorce)
Date: Mon, 8 Nov 2010 16:24:08 -0500
Subject: [Freeipa-devel] [PATCH] Use strongest enctype for master key
Message-ID: <20101108162408.28c6dcfd@willson.li.ssimo.org>

This patch configures IPA to use the currently strongest available enctype
for the master key.

Fixes #456

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York

-------------- next part --------------
A non-text attachment was scrubbed... Name: freeipa-simo-0002-Use-strongest-keytype-for-master-key.patch Type: text/x-patch Size: 910 bytes

From edewata at redhat.com Mon Nov 8 22:01:52 2010
From: edewata at redhat.com (Endi Sukma Dewata)
Date: Mon, 08 Nov 2010 16:01:52 -0600
Subject: [Freeipa-devel] [PATCH] HBAC Access Time
In-Reply-To: <4CD74ED2.9010805@redhat.com>
References: <4CD4DF34.7090901@redhat.com> <4CD5F16B.1010501@redhat.com> <4CD74ED2.9010805@redhat.com>
Message-ID: <4CD87350.50907@redhat.com>

On 11/7/2010 7:13 PM, Adam Young wrote:
>> The Time Dialog needs a format. I couldn't guess a value that it would
>> accept. The retry/cancel message is really confusing, too. Tried 1200,
>> 12:00 and 1200-1300.
>>
>> 1. Put in text showing the format.
>> 2. Validate using a regex
>> 3. Don't use the standard error handling, show the error inside the
>> dialog box that has the time in it.
> The rest of the patch looks good.
>
> I think we can get away with just a comment on the time format for
> this, get it checked in, and do the follow on work in another patch.

Please take a look at the updated patch. I've added the same example
provided by the CLI for now. We will eventually replace this dialog with a
custom widget. Thanks!

-- 
Endi S. Dewata

-------------- next part --------------
A non-text attachment was scrubbed... Name: freeipa-edewata-0027-2-HBAC-Access-Time.patch Type: text/x-patch Size: 33257 bytes

From edewata at redhat.com Mon Nov 8 23:44:29 2010
From: edewata at redhat.com (Endi Sukma Dewata)
Date: Mon, 08 Nov 2010 17:44:29 -0600
Subject: [Freeipa-devel] [PATCH] admiyo-0077-Disable-Enable-user
In-Reply-To: <4CD83B0B.9030109@redhat.com>
References: <4CD83B0B.9030109@redhat.com>
Message-ID: <4CD88B5D.5070806@redhat.com>

On 11/8/2010 12:01 PM, Adam Young wrote:
>

The functionality works, but there are some issues:

1. The JSON files contain some trailing whitespaces.

2. The server seems to be using "true" and "False" for nsaccountlock
value. So it might be safer to use case-insensitive comparison or
normalize the value using toLowerCase().

3. The title & text variables are declared twice:

    var title = "Active";
    var text = "Active: Click to Deactivate";
    if (locked) {
        var title = "Inactive"; // remove var
        var text = "Inactive: Click to Activate"; // remove var
    }

4. As you described on IRC, after enabling/disabling the user the browser
goes back to the search page immediately because of several reasons: the
update and enable/disable operations aren't likely to be used together,
and the server doesn't return the new account status in JSON response. I
don't have any objection to this, but the behavior might be unexpected by
users. I'd like to see how others think about this.

-- 
Endi S. Dewata

From ssorce at redhat.com Tue Nov 9 00:34:12 2010
From: ssorce at redhat.com (Simo Sorce)
Date: Mon, 8 Nov 2010 19:34:12 -0500
Subject: [Freeipa-devel] [PATCHES] add (initial) anonymous pkinit support
Message-ID: <20101108193412.43d82687@willson.li.ssimo.org>

This set of patches implements the first part of ticket #55
The patchset only adds the ability to install pkinit with the selfsigned CA
(or with externally provided certs).

If you need to use/test dogtag you can pass the --no-pkinit option for the
time being as setting up pkinit is performed by default.

Patch 0003: change the install tools to use a subject base based on the
realm name and not O=IPA for all installs.

Patch 0004: Add basic certification creation for selfsigned CA and KDC
configuration. openssl had to be used because the NSS tools cannot deal
with the special subjectaltName needed for the KDC certificate.

Patch 0005: Always set pkinit_anchors so that all clients are preconfigured
to do anonymous pkinit including master. Even if the client does not
support pkinit adding the option does not cause any harm so it is a safe
default.

Patch 0006: Add the wellknown principal needed to perform anonymous pkinit
AS requests. This principal is *DISABLED* by default.

Patch 0007: Add a new plugin that allows to enable the wellknown account,
effectively allowing to get pkinit anonymous tickets. (as a bonus
implements disable too :)

Patch 0008: Add support for configuring pkinit certs on replicas too.

What is still missing is dogtag integration and certmonger tracking.
Couldn't work on the dogtag part yet because it won't work on f14 which is
the only fedora version that has a kerberos version recent enough to
support asking for anonymous pkinit tickets.
Certmonger will need some thinking too as the KDC ticket requires a
different code path to be renewed (different commands in selfsign CA and
different profile with dogtag).

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York

-------------- next part --------------
A non-text attachment was scrubbed... Name: freeipa-simo-0003-Use-Realm-as-certs-subject-base-name.patch Type: text/x-patch Size: 19012 bytes
-------------- next part --------------
A non-text attachment was scrubbed... Name: freeipa-simo-0004-Add-support-for-configuring-KDC-certs-for-PKINIT.patch Type: text/x-patch Size: 15953 bytes
-------------- next part --------------
A non-text attachment was scrubbed... Name: freeipa-simo-0005-pkinit-always-configure-pkinit_anchors-in-krb5.conf.patch Type: text/x-patch Size: 741 bytes
-------------- next part --------------
A non-text attachment was scrubbed... Name: freeipa-simo-0006-anon-pkinit-add-well-known-principal.patch Type: text/x-patch Size: 2132 bytes
-------------- next part --------------
A non-text attachment was scrubbed... Name: freeipa-simo-0007-add-plugin-to-enable-disable-anonymous-pkinit.patch Type: text/x-patch Size: 3380 bytes
-------------- next part --------------
A non-text attachment was scrubbed... Name: freeipa-simo-0008-pkinit-replica-create-certificates-for-replicas-too.patch Type: text/x-patch Size: 13974 bytes

From ayoung at redhat.com Tue Nov 9 01:30:55 2010
From: ayoung at redhat.com (Adam Young)
Date: Mon, 08 Nov 2010 20:30:55 -0500
Subject: [Freeipa-devel] [PATCH] HBAC Access Time
In-Reply-To: <4CD87350.50907@redhat.com>
References: <4CD4DF34.7090901@redhat.com> <4CD5F16B.1010501@redhat.com> <4CD74ED2.9010805@redhat.com> <4CD87350.50907@redhat.com>
Message-ID: <4CD8A44F.6080005@redhat.com>

On 11/08/2010 05:01 PM, Endi Sukma Dewata wrote:
> On 11/7/2010 7:13 PM, Adam Young wrote:
>>> The Time Dialog needs a format. I couldn't guess a value that it would
>>> accept. The retry/cancel message is really confusing, too. Tried 1200,
>>> 12:00 and 1200-1300.
>>>
>>> 1. Put in text showing the format.
>>> 2. Validate using a regex
>>> 3. Don't use the standard error handling, show the error inside the
>>> dialog box that has the time in it.
>
>> The rest of the patch looks good.
>>
>> I think we can get away with just a comment on the time format for
>> this, get it checked in, and do the follow on work in another patch.
>
> Please take a look at the updated patch. I've added the same example
> provided by the CLI for now. We will eventually replace this dialog
> with a custom widget. Thanks!
>

ACK and pushed to master.

From ayoung at redhat.com Tue Nov 9 01:41:14 2010
From: ayoung at redhat.com (Adam Young)
Date: Mon, 08 Nov 2010 20:41:14 -0500
Subject: [Freeipa-devel] [PATCH] admiyo-0079-delete-to-remove
Message-ID: <4CD8A6BA.3080309@redhat.com>

-------------- next part --------------
A non-text attachment was scrubbed... Name: freeipa-admiyo-0079-delete-to-remove.patch Type: text/x-patch Size: 3364 bytes

From ayoung at redhat.com Tue Nov 9 01:59:32 2010
From: ayoung at redhat.com (Adam Young)
Date: Mon, 08 Nov 2010 20:59:32 -0500
Subject: [Freeipa-devel] [PATCH] admiyo-0077-Disable-Enable-user
In-Reply-To: <4CD88B5D.5070806@redhat.com>
References: <4CD83B0B.9030109@redhat.com> <4CD88B5D.5070806@redhat.com>
Message-ID: <4CD8AB04.3040306@redhat.com>

On 11/08/2010 06:44 PM, Endi Sukma Dewata wrote:
> On 11/8/2010 12:01 PM, Adam Young wrote:
>>
>
> The functionality works, but there are some issues:
>
> 1. The JSON files contain some trailing whitespaces.
>
> 2. The server seems to be using "true" and "False" for nsaccountlock
> value. So it might be safer to use case-insensitive comparison or
> normalize the value using toLowerCase().
>
> 3. The title & text variables are declared twice:
>
>     var title = "Active";
>     var text = "Active: Click to Deactivate";
>     if (locked) {
>         var title = "Inactive"; // remove var
>         var text = "Inactive: Click to Activate"; // remove var
>     }
>
> 4. As you described on IRC, after enabling/disabling the user the
> browser goes back to the search page immediately because of several
> reasons: the update and enable/disable operations aren't likely to be
> used together, and the server doesn't return the new account status in
> JSON response. I don't have any objection to this, but the behavior
> might be unexpected by users. I'd like to see how others think about
> this.
>

Fixed issues 1-3.

-------------- next part --------------
A non-text attachment was scrubbed... Name: freeipa-admiyo-0077-2-Disable-Enable-user.patch Type: text/x-patch Size: 6717 bytes

From edewata at redhat.com Tue Nov 9 02:04:58 2010
From: edewata at redhat.com (Endi Sukma Dewata)
Date: Mon, 08 Nov 2010 20:04:58 -0600
Subject: [Freeipa-devel] [PATCH] admiyo-0077-Disable-Enable-user
In-Reply-To: <4CD88B5D.5070806@redhat.com>
References: <4CD83B0B.9030109@redhat.com> <4CD88B5D.5070806@redhat.com>
Message-ID: <4CD8AC4A.6080408@redhat.com>

On 11/8/2010 5:44 PM, Endi Sukma Dewata wrote:
> The functionality works, but there are some issues:
>
> 1. The JSON files contain some trailing whitespaces.
>
> 2. The server seems to be using "true" and "False" for nsaccountlock
> value. So it might be safer to use case-insensitive comparison or
> normalize the value using toLowerCase().
>
> 3. The title & text variables are declared twice:
>
>     var title = "Active";
>     var text = "Active: Click to Deactivate";
>     if (locked) {
>         var title = "Inactive"; // remove var
>         var text = "Inactive: Click to Activate"; // remove var
>     }
>
> 4. As you described on IRC, after enabling/disabling the user the
> browser goes back to the search page immediately because of several
> reasons: the update and enable/disable operations aren't likely to be
> used together, and the server doesn't return the new account status in
> JSON response. I don't have any objection to this, but the behavior
> might be unexpected by users. I'd like to see how others think about this.

As discussed over IRC, we'll ACK this now and address the issues in follow
up as they are not blocking anything.

-- 
Endi S. Dewata

From ayoung at redhat.com Tue Nov 9 02:08:39 2010
From: ayoung at redhat.com (Adam Young)
Date: Mon, 08 Nov 2010 21:08:39 -0500
Subject: [Freeipa-devel] [PATCH] admiyo-0077-Disable-Enable-user
In-Reply-To: <4CD8AC4A.6080408@redhat.com>
References: <4CD83B0B.9030109@redhat.com> <4CD88B5D.5070806@redhat.com> <4CD8AC4A.6080408@redhat.com>
Message-ID: <4CD8AD27.2010407@redhat.com>

On 11/08/2010 09:04 PM, Endi Sukma Dewata wrote:
> On 11/8/2010 5:44 PM, Endi Sukma Dewata wrote:
>
>> The functionality works, but there are some issues:
>>
>> 1. The JSON files contain some trailing whitespaces.
>>
>> 2. The server seems to be using "true" and "False" for nsaccountlock
>> value. So it might be safer to use case-insensitive comparison or
>> normalize the value using toLowerCase().
>>
>> 3. The title & text variables are declared twice:
>>
>>     var title = "Active";
>>     var text = "Active: Click to Deactivate";
>>     if (locked) {
>>         var title = "Inactive"; // remove var
>>         var text = "Inactive: Click to Activate"; // remove var
>>     }
>>
>> 4. As you described on IRC, after enabling/disabling the user the
>> browser goes back to the search page immediately because of several
>> reasons: the update and enable/disable operations aren't likely to be
>> used together, and the server doesn't return the new account status in
>> JSON response. I don't have any objection to this, but the behavior
>> might be unexpected by users. I'd like to see how others think about
>> this.
>
> As discussed over IRC, we'll ACK this now and address the issues in
> follow up as they are not blocking anything.
>

Pushed to master

From edewata at redhat.com Tue Nov 9 03:01:30 2010
From: edewata at redhat.com (Endi Sukma Dewata)
Date: Mon, 08 Nov 2010 21:01:30 -0600
Subject: [Freeipa-devel] [PATCH] admiyo-0078-link-indications
In-Reply-To: <4CD841BE.303@redhat.com>
References: <4CD841BE.303@redhat.com>
Message-ID: <4CD8B98A.6090907@redhat.com>

On 11/8/2010 12:30 PM, Adam Young wrote:
>

ACK and pushed to master.

-- 
Endi S. Dewata

From edewata at redhat.com Tue Nov 9 03:36:25 2010
From: edewata at redhat.com (Endi Sukma Dewata)
Date: Mon, 08 Nov 2010 21:36:25 -0600
Subject: [Freeipa-devel] [PATCH] admiyo-0079-delete-to-remove
In-Reply-To: <4CD8A6BA.3080309@redhat.com>
References: <4CD8A6BA.3080309@redhat.com>
Message-ID: <4CD8C1B9.20903@redhat.com>

On 11/8/2010 7:41 PM, Adam Young wrote:
>

ACK and pushed to master. I also fixed 2 issues and pushed them using
1-liner rule.

1. Renamed button.deletes to button.remove in widget.js.
2. Renamed button.delete to button.remove in json_metadata.json.

-- 
Endi S. Dewata

From pzuna at redhat.com Tue Nov 9 03:55:50 2010
From: pzuna at redhat.com (Pavel Zůna)
Date: Tue, 09 Nov 2010 04:55:50 +0100
Subject: [Freeipa-devel] [PATCH] Rename parent LDAPObject pkeys in child LDAPObject methods.
Message-ID: <4CD8C646.6020104@redhat.com>

If the parent and child entries have the same attribute as primary key
(such as in the DNS schema), we need to rename the parent key to prevent a
param name conflict.

It has no side effects, because the primary key name is always taken from
the LDAPObject params, never from the method params.

Pavel

-------------- next part --------------
A non-text attachment was scrubbed... Name: pzuna-freeipa-0035-parentkey.patch Type: text/x-patch Size: 1394 bytes

From pzuna at redhat.com Tue Nov 9 04:07:05 2010
From: pzuna at redhat.com (Pavel Zůna)
Date: Tue, 09 Nov 2010 05:07:05 +0100
Subject: [Freeipa-devel] [PATCH] Add new version of DNS plugin: complete rework with baseldap + unit tests.
Message-ID: <4CD8C8E9.1000809@redhat.com>

Finally, there it is. :)

I redesigned the whole thing to fit the baseldap model.

Here's some example on how it's used:

# create zone 'example.com'
# ipa dnszone-add example.com --name=ns.example.com --admin=admin at example.com

# create a resource in zone 'example.com' named 'machine1'
# (machine1.example.com) with A record 10.10.0.1
# ipa dnsres-add example.com machine1 --a-rec=10.10.0.1

# Add another A record to 'machine1' in 'example.com'
# ipa dnsres-add-record example.com machine1 --a-rec=10.10.0.2

# Remove one of the A records from 'machine1' in 'example.com'
# ipa dnsres-remove-record example.com machine1 --a-rec=10.10.0.1

The plugin is pretty complex and requires my patch number 35 to work.
There is a bunch of unit tests, so hopefully it won't be too much pain to
review.

You can use both dns and dns2 at the same time.

When dns2 is tested enough, it should replace the original dns plugin.

docstring (ipa help dns2) documentation will follow soon in a separate
patch.

Pavel

-------------- next part --------------
A non-text attachment was scrubbed... Name: pzuna-freeipa-0036-dns2.patch Type: text/x-patch Size: 28776 bytes

From pzuna at redhat.com Tue Nov 9 04:08:47 2010
From: pzuna at redhat.com (Pavel Zůna)
Date: Tue, 09 Nov 2010 05:08:47 +0100
Subject: [Freeipa-devel] [PATCH] Replace 'Locking' in `ipa help user` with 'Disabling'.
Message-ID: <4CD8C94F.8030900@redhat.com>

Ticket #452

Pavel

-------------- next part --------------
A non-text attachment was scrubbed... Name: pzuna-freeipa-0037-userhelp.patch Type: text/x-patch Size: 789 bytes

From pzuna at redhat.com Tue Nov 9 04:12:56 2010
From: pzuna at redhat.com (Pavel Zůna)
Date: Tue, 09 Nov 2010 05:12:56 +0100
Subject: [Freeipa-devel] [PATCH] Add new version of DNS plugin: complete rework with baseldap + unit tests.
In-Reply-To: <4CD8C8E9.1000809@redhat.com>
References: <4CD8C8E9.1000809@redhat.com>
Message-ID: <4CD8CA48.2040207@redhat.com>

On 2010-11-09 05:07, Pavel Zůna wrote:
> Finally, there it is. :)
>
> I redesigned the whole thing to fit the baseldap model.
>
> Here's some example on how it's used:
>
> # create zone 'example.com'
> # ipa dnszone-add example.com --name=ns.example.com
> --admin=admin at example.com
>
> # create a resource in zone 'example.com' named 'machine1'
> # (machine1.example.com) with A record 10.10.0.1
> # ipa dnsres-add example.com machine1 --a-rec=10.10.0.1
>
> # Add another A record to 'machine1' in 'example.com'
> # ipa dnsres-add-record example.com machine1 --a-rec=10.10.0.2
>
> # Remove one of the A records from 'machine1' in 'example.com'
> # ipa dnsres-remove-record example.com machine1 --a-rec=10.10.0.1
>
> The plugin is pretty complex and requires my patch number 35 to work.
> There is a bunch of unit tests, so hopefully it won't be too much pain
> to review.
>
> You can use both dns and dns2 at the same time.
>
> When dns2 is tested enough, it should replace the original dns plugin.
>
> docstring (ipa help dns2) documentation will follow soon in a separate
> patch.
>
> Pavel
>

Forgot to mention that this solves:

Ticket #36
Ticket #450

Pavel

From jhrozek at redhat.com Tue Nov 9 10:22:26 2010
From: jhrozek at redhat.com (Jakub Hrozek)
Date: Tue, 09 Nov 2010 11:22:26 +0100
Subject: [Freeipa-devel] [PATCH] 601 rename 60sudo.ldif
In-Reply-To: <4CD30FE5.7090401@redhat.com>
References: <4CD30FE5.7090401@redhat.com>
Message-ID: <4CD920E2.9080009@redhat.com>

On 11/04/2010 08:56 PM, Rob Crittenden wrote:
> Rename 60sudo.ldif to 60ipasudo.ldif. We are overwriting a file of the
> same name from the default 389-ds schema.
>
> rob
>

Ack

From jhrozek at redhat.com Tue Nov 9 10:28:46 2010
From: jhrozek at redhat.com (Jakub Hrozek)
Date: Tue, 09 Nov 2010 11:28:46 +0100
Subject: [Freeipa-devel] [PATCH] 603 add examples to ipa-replica-install man page
In-Reply-To: <4CD327CF.6040802@redhat.com>
References: <4CD327CF.6040802@redhat.com>
Message-ID: <4CD9225E.8060003@redhat.com>

On 11/04/2010 10:38 PM, Rob Crittenden wrote:
> Add a couple of examples in ipa-replica-install.1 in an effort to
> clarify where one does a re-init.
>
> rob
>

Ack

From jhrozek at redhat.com Tue Nov 9 10:44:53 2010
From: jhrozek at redhat.com (Jakub Hrozek)
Date: Tue, 09 Nov 2010 11:44:53 +0100
Subject: [Freeipa-devel] [PATCH] 602 verify --ip-address option during installation
In-Reply-To: <4CD31ED0.5030403@redhat.com>
References: <4CD31ED0.5030403@redhat.com>
Message-ID: <4CD92625.3090300@redhat.com>

On 11/04/2010 10:00 PM, Rob Crittenden wrote:
> There was a corner case where the value of --ip-address was never
> verified if you were also setting up DNS.
>
> Added this bit of information to the man page too.
>
> ticket 399
>
> rob
>

Two questions:
1) is it intended to quit without printing an error message if
verify_ip() fails?
2) I don't quite understand the manpage part - it says "and --setup-dns
is *not* selected" - but the code checks for "if options.setup_dns:"

From jhrozek at redhat.com Tue Nov 9 13:32:28 2010
From: jhrozek at redhat.com (Jakub Hrozek)
Date: Tue, 09 Nov 2010 14:32:28 +0100
Subject: [Freeipa-devel] [PATCH] 600 fix ipa-nis-manage
In-Reply-To: <4CD3096C.4040302@redhat.com>
References: <4CD3096C.4040302@redhat.com>
Message-ID: <4CD94D6C.7020908@redhat.com>

On 11/04/2010 08:28 PM, Rob Crittenden wrote:
> ipa-nis-manage was broken because of a signature change to
> ldap2.getentry(). Two new arguments were added before normalize and a
> call to this in ipa-nis-manage was relying on positional arguments. This
> caused ldap2 to add the basedn to what we were trying to get, which was
> something in cn=config, so it failed.
>
> ticket https://fedorahosted.org/freeipa/ticket/414
>
> rob
>

ipa-nis-manage does not throw an exception with this patch anymore -> Ack

From ssorce at redhat.com Tue Nov 9 13:56:47 2010
From: ssorce at redhat.com (Simo Sorce)
Date: Tue, 9 Nov 2010 08:56:47 -0500
Subject: [Freeipa-devel] [PATCHES] add (initial) anonymous pkinit support
In-Reply-To: <20101108193412.43d82687@willson.li.ssimo.org>
References: <20101108193412.43d82687@willson.li.ssimo.org>
Message-ID: <20101109085647.571f0fed@willson.li.ssimo.org>

On Mon, 8 Nov 2010 19:34:12 -0500
Simo Sorce wrote:

>
> This set of patches implement the first part of ticket #55
> The patchset only adds the ability to install pkinit with the
> selfsigned CA (or with externally provided certs).
>
> If you need to use/test dogtag you can pass the --no-pkinit option for
> the time being as setting up pkinit is performed by default.
>
> Patch 0003: change the install tools to use a subject base based on
> the realm name and not O=IPA for all installs.

I realized this patch ^^ should probably have been posted separately,
although it is a dependency for all others.

It fixes #427

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York

From jhrozek at redhat.com Tue Nov 9 14:42:33 2010
From: jhrozek at redhat.com (Jakub Hrozek)
Date: Tue, 09 Nov 2010 15:42:33 +0100
Subject: [Freeipa-devel] [PATCH] 004 Log script options to logfile
In-Reply-To: <4CD859A7.4030604@redhat.com>
References: <4CCF173F.8080204@redhat.com> <4CD856DE.5090406@redhat.com> <4CD859A7.4030604@redhat.com>
Message-ID: <4CD95DD9.7030500@redhat.com>

On 11/08/2010 09:12 PM, Jakub Hrozek wrote:
>>> This patch is fine as-is so I'll give you a choice:
>>>
>>> 1. You can update this patch and log those things that will be queried
>>> if not provided on the CLI.
> I'd prefer this option. The patch really is incomplete.

New patch attached.

-------------- next part --------------
A non-text attachment was scrubbed...
Name: jhrozek-freeipa-0004-02-Log-script-options-to-logfile.patch
Type: text/x-patch
Size: 21165 bytes

From rcritten at redhat.com Tue Nov 9 14:50:32 2010
From: rcritten at redhat.com (Rob Crittenden)
Date: Tue, 09 Nov 2010 09:50:32 -0500
Subject: [Freeipa-devel] [PATCH] 602 verify --ip-address option during installation
In-Reply-To: <4CD92625.3090300@redhat.com>
References: <4CD31ED0.5030403@redhat.com> <4CD92625.3090300@redhat.com>
Message-ID: <4CD95FB8.70604@redhat.com>

Jakub Hrozek wrote:
> On 11/04/2010 10:00 PM, Rob Crittenden wrote:
>> There was a corner case where the value of --ip-address was never
>> verified if you were also setting up DNS.
>>
>> Added this bit of information to the man page too.
>>
>> ticket 399
>>
>> rob
>>
>
> Two questions:
> 1) is it intended to quit without printing an error message if
> verify_ip() fails?

verify_ip_address() prints the message.

> 2) I don't quite understand the manpage part - it says "and --setup-dns
> is *not* selected" - but the code checks for "if options.setup_dns:"

You can only override the public IP address setting if you are setting up
your own DNS server. Perhaps I should make the text say that...

rob

From jhrozek at redhat.com Tue Nov 9 15:34:58 2010
From: jhrozek at redhat.com (Jakub Hrozek)
Date: Tue, 09 Nov 2010 16:34:58 +0100
Subject: [Freeipa-devel] [PATCH] 011 Use sys.exit to quit scripts
Message-ID: <4CD96A22.9050105@redhat.com>

Instead of print and return, use sys.exit() to quit scripts with an
error message and a non-zero return code.

https://fedorahosted.org/freeipa/ticket/425

-------------- next part --------------
A non-text attachment was scrubbed...
Name: jhrozek-freeipa-0011-Use-sys.exit-to-quit-scripts.patch
Type: text/x-patch
Size: 15737 bytes

From rcritten at redhat.com Tue Nov 9 18:26:08 2010
From: rcritten at redhat.com (Rob Crittenden)
Date: Tue, 09 Nov 2010 13:26:08 -0500
Subject: [Freeipa-devel] [PATCH] 0002 Rewrite the migration page using WSGI
In-Reply-To: <4CD863C7.1060806@redhat.com>
References: <4CCAE292.6020602@redhat.com> <4CCF8478.3030807@redhat.com> <4CD02708.60304@redhat.com> <4CD863C7.1060806@redhat.com>
Message-ID: <4CD99240.9060605@redhat.com>

Rob Crittenden wrote:
> Jakub Hrozek wrote:
>> (resending to the list, I accidentally replied to Rob only before..)
>>
>> On 11/02/2010 04:24 AM, Rob Crittenden wrote:
>>> Jakub Hrozek wrote:
>>>> https://fedorahosted.org/freeipa/ticket/154
>>>>
>>>> The second patch removes the /ipatest section that has been commented
>>>> out in ipa.conf anyway..plus, we don't ship /usr/share/ipatest anymore
>>>> :-)
>>>
>>> Migration doesn't seem to be working. The migration page itself comes up
>>> fine and prompts for data but when I enter the password of a migrated
>>> user I don't seem to be getting valid kerberos keys. kinit doesn't work
>>> in any case. It could also be that I'm tired. Does a migrated account
>>> work for you?
>>>
>>
>> It does for me -- or at least I think it's working. This is how I tested:
>> 1) migrate users from LDAP using the migrate-ds plugin.
>> 2) try kinit - preauth will fail
>> 3) go to the migration page, enter username/password. This redirects me
>> to the ui page if the credentials are correct.
>> 4) kinit for the user works now
>>
>> This is on the current master + the two patches under review, on a F13
>> host migrating from 389 DS on another F13 machine.
>
> I still can't get this to work on my F12 machine. The LDAP password is
> ok, I confirmed that with ldapsearch.
>
> My process is as yours. I get redirected to the UI page which fails
> because I haven't done a kinit yet. I go do the kinit and that fails.
>
> The KDC is logging:
>
> Nov 08 15:48:48 panther.example.com krb5kdc[23964](info): AS_REQ (7
> etypes {18 17 16 23 1 3 2}) 192.168.166.34: NEEDED_PREAUTH:
> tuser2@EXAMPLE.COM for krbtgt/EXAMPLE.COM@EXAMPLE.COM, Additional
> pre-authentication required
> Nov 08 15:48:50 panther.example.com krb5kdc[23964](info): preauth
> (timestamp) verify failure: Decrypt integrity check failed
> Nov 08 15:48:50 panther.example.com krb5kdc[23964](info): AS_REQ (7
> etypes {18 17 16 23 1 3 2}) 192.168.166.34: PREAUTH_FAILED:
> tuser2@EXAMPLE.COM for krbtgt/EXAMPLE.COM@EXAMPLE.COM, Decrypt integrity
> check failed
>
> I think the timestamp part is bogus, I think this just means the
> password is bad.
>
> I noticed that krbPrincipalKey is getting migrated as well. If I delete
> this before trying the migration the password works.
>
> I find it unlikely that this is related to your mod_wsgi conversion so
> I'm going to open a separate ticket on that and ack your changes.
>
> ACK
>
> rob

pushed to master

From rcritten at redhat.com Tue Nov 9 18:28:34 2010
From: rcritten at redhat.com (Rob Crittenden)
Date: Tue, 09 Nov 2010 13:28:34 -0500
Subject: [Freeipa-devel] [PATCH] 004 Log script options to logfile
In-Reply-To: <4CD95DD9.7030500@redhat.com>
References: <4CCF173F.8080204@redhat.com> <4CD856DE.5090406@redhat.com> <4CD859A7.4030604@redhat.com> <4CD95DD9.7030500@redhat.com>
Message-ID: <4CD992D2.2040106@redhat.com>

Jakub Hrozek wrote:
> On 11/08/2010 09:12 PM, Jakub Hrozek wrote:
>>>> This patch is fine as-is so I'll give you a choice:
>>>>
>>>> 1. You can update this patch and log those things that will be queried
>>>> if not provided on the CLI.
>> I'd prefer this option. The patch really is incomplete.
>
> New patch attached.

Ack, pushed to master

rob

From rcritten at redhat.com Tue Nov 9 18:31:58 2010
From: rcritten at redhat.com (Rob Crittenden)
Date: Tue, 09 Nov 2010 13:31:58 -0500
Subject: [Freeipa-devel] [PATCH] 601 rename 60sudo.ldif
In-Reply-To: <4CD920E2.9080009@redhat.com>
References: <4CD30FE5.7090401@redhat.com> <4CD920E2.9080009@redhat.com>
Message-ID: <4CD9939E.7000908@redhat.com>

Jakub Hrozek wrote:
> On 11/04/2010 08:56 PM, Rob Crittenden wrote:
>> Rename 60sudo.ldif to 60ipasudo.ldif. We are overwriting a file of the
>> same name from the default 389-ds schema.
>>
>> rob
>>
>
> Ack

pushed to master

From rcritten at redhat.com Tue Nov 9 18:32:26 2010
From: rcritten at redhat.com (Rob Crittenden)
Date: Tue, 09 Nov 2010 13:32:26 -0500
Subject: [Freeipa-devel] [PATCH] 603 add examples to ipa-replica-install man page
In-Reply-To: <4CD9225E.8060003@redhat.com>
References: <4CD327CF.6040802@redhat.com> <4CD9225E.8060003@redhat.com>
Message-ID: <4CD993BA.1000204@redhat.com>

Jakub Hrozek wrote:
> On 11/04/2010 10:38 PM, Rob Crittenden wrote:
>> Add a couple of examples in ipa-replica-install.1 in an effort to
>> clarify where one does a re-init.
>>
>> rob
>>
>
> Ack

pushed to master

From rcritten at redhat.com Tue Nov 9 18:33:19 2010
From: rcritten at redhat.com (Rob Crittenden)
Date: Tue, 09 Nov 2010 13:33:19 -0500
Subject: [Freeipa-devel] [PATCH] 600 fix ipa-nis-manage
In-Reply-To: <4CD94D6C.7020908@redhat.com>
References: <4CD3096C.4040302@redhat.com> <4CD94D6C.7020908@redhat.com>
Message-ID: <4CD993EF.7010202@redhat.com>

Jakub Hrozek wrote:
> On 11/04/2010 08:28 PM, Rob Crittenden wrote:
>> ipa-nis-manage was broken because of a signature change to
>> ldap2.getentry(). Two new arguments were added before normalize and a
>> call to this in ipa-nis-manage was relying on positional arguments. This
>> caused ldap2 to add the basedn to what we were trying to get, which was
>> something in cn=config, so it failed.
>>
>> ticket https://fedorahosted.org/freeipa/ticket/414
>>
>> rob
>>
>
> ipa-nis-manage does not throw an exception with this patch anymore
>
> -> Ack

pushed to master

From rcritten at redhat.com Tue Nov 9 19:00:00 2010
From: rcritten at redhat.com (Rob Crittenden)
Date: Tue, 09 Nov 2010 14:00:00 -0500
Subject: [Freeipa-devel] [PATCH] 607 add managedby to hosts
Message-ID: <4CD99A30.2030705@redhat.com>

This will let one host do things on behalf of another host (request a
keytab, certificate, etc).

ticket https://fedorahosted.org/freeipa/ticket/280

rob

-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-rcrit-607-host.patch
Type: text/x-patch
Size: 13949 bytes

From rcritten at redhat.com Tue Nov 9 19:01:26 2010
From: rcritten at redhat.com (Rob Crittenden)
Date: Tue, 09 Nov 2010 14:01:26 -0500
Subject: [Freeipa-devel] [PATCH] 011 Use sys.exit to quit scripts
In-Reply-To: <4CD96A22.9050105@redhat.com>
References: <4CD96A22.9050105@redhat.com>
Message-ID: <4CD99A86.3020202@redhat.com>

Jakub Hrozek wrote:
> Instead of print and return, use sys.exit() to quit scripts with an
> error message and a non-zero return code.
>
> https://fedorahosted.org/freeipa/ticket/425
>

This isn't applying for me. Can you try to rebase it?

thanks

rob

From rcritten at redhat.com Tue Nov 9 19:03:28 2010
From: rcritten at redhat.com (Rob Crittenden)
Date: Tue, 09 Nov 2010 14:03:28 -0500
Subject: [Freeipa-devel] [PATCH] Replace 'Locking' in `ipa help user` with 'Disabling'.
In-Reply-To: <4CD8C94F.8030900@redhat.com>
References: <4CD8C94F.8030900@redhat.com>
Message-ID: <4CD99B00.6040205@redhat.com>

Pavel Zůna wrote:
> Ticket #452
>
> Pavel

ack, pushed to master

From ayoung at redhat.com Tue Nov 9 19:15:58 2010
From: ayoung at redhat.com (Adam Young)
Date: Tue, 09 Nov 2010 14:15:58 -0500
Subject: [Freeipa-devel] [PATCH] admiyo-0080-Label-cleanup
Message-ID: <4CD99DEE.8080602@redhat.com>

-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-admiyo-0080-Label-cleanup.patch
Type: text/x-patch
Size: 2596 bytes

From rcritten at redhat.com Tue Nov 9 19:49:27 2010
From: rcritten at redhat.com (Rob Crittenden)
Date: Tue, 09 Nov 2010 14:49:27 -0500
Subject: [Freeipa-devel] [PATCH] Use strongest enctype for master key
In-Reply-To: <20101108162408.28c6dcfd@willson.li.ssimo.org>
References: <20101108162408.28c6dcfd@willson.li.ssimo.org>
Message-ID: <4CD9A5C7.1000702@redhat.com>

Simo Sorce wrote:
>
> This patch configures IPA to use the currently strongest available
> enctype for the master key.
>
> Fixes #456
>
> Simo.

ack

From ssorce at redhat.com Tue Nov 9 19:50:39 2010
From: ssorce at redhat.com (Simo Sorce)
Date: Tue, 9 Nov 2010 14:50:39 -0500
Subject: [Freeipa-devel] [PATCH] 607 add managedby to hosts
In-Reply-To: <4CD99A30.2030705@redhat.com>
References: <4CD99A30.2030705@redhat.com>
Message-ID: <20101109145039.2b315e95@willson.li.ssimo.org>

On Tue, 09 Nov 2010 14:00:00 -0500
Rob Crittenden wrote:

> +
> + Add a host that can manage this host's keytab and certificate:
> + ipa host-add-host --hosts=test2 test
> """
>

I do not want to nack, but looking at this command in isolation I am
quite confused at what it is supposed to do (think about seeing it in
a log file and wondering what it means w/o further context).

What does it mean to add a host into a host (host-add-host) ?
And which one is added to the other one ? test in test2 or test2 in
test?

I do not know if we can change names/syntax to make this more
immediately understandable, but if we can I'd like to do that.
Obscure/confusing syntaxes generally make it easier to make mistakes,
which are bad in a tool used to manage security.

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York

From rcritten at redhat.com Tue Nov 9 20:02:02 2010
From: rcritten at redhat.com (Rob Crittenden)
Date: Tue, 09 Nov 2010 15:02:02 -0500
Subject: [Freeipa-devel] [PATCH] Use strongest enctype for master key
In-Reply-To: <4CD9A5C7.1000702@redhat.com>
References: <20101108162408.28c6dcfd@willson.li.ssimo.org> <4CD9A5C7.1000702@redhat.com>
Message-ID: <4CD9A8BA.6040108@redhat.com>

Rob Crittenden wrote:
> Simo Sorce wrote:
>>
>> This patch configures IPA to use the currently strongest available
>> enctype for the master key.
>>
>> Fixes #456
>>
>> Simo.
>
> ack

pushed to master

From ssorce at redhat.com Tue Nov 9 20:12:25 2010
From: ssorce at redhat.com (Simo Sorce)
Date: Tue, 9 Nov 2010 15:12:25 -0500
Subject: [Freeipa-devel] [PATCHES] add (initial) anonymous pkinit support
In-Reply-To: <20101108193412.43d82687@willson.li.ssimo.org>
References: <20101108193412.43d82687@willson.li.ssimo.org>
Message-ID: <20101109151225.182aa986@willson.li.ssimo.org>

On Mon, 8 Nov 2010 19:34:12 -0500
Simo Sorce wrote:

> Patch 0004: Add basic certification creation for selfsigned CA and KDC
> configuration. openssl had to be used because the NSS tools cannot
> deal with the special subjectaltName needed for the KDC certificate.

Rebased this one on top of master (there was a conflict after latest
pushes).

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York

-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-simo-0004-2-Add-support-for-configuring-KDC-certs-for-PKINIT.patch
Type: text/x-patch
Size: 15981 bytes

From jhrozek at redhat.com Tue Nov 9 20:13:09 2010
From: jhrozek at redhat.com (Jakub Hrozek)
Date: Tue, 09 Nov 2010 21:13:09 +0100
Subject: [Freeipa-devel] [PATCH] 004 Log script options to logfile
In-Reply-To: <4CD992D2.2040106@redhat.com>
References: <4CCF173F.8080204@redhat.com> <4CD856DE.5090406@redhat.com> <4CD859A7.4030604@redhat.com> <4CD95DD9.7030500@redhat.com> <4CD992D2.2040106@redhat.com>
Message-ID: <4CD9AB55.6030903@redhat.com>

On 11/09/2010 07:28 PM, Rob Crittenden wrote:
> Jakub Hrozek wrote:
>> On 11/08/2010 09:12 PM, Jakub Hrozek wrote:
>>>>> This patch is fine as-is so I'll give you a choice:
>>>>>
>>>>> 1. You can update this patch and log those things that will be queried
>>>>> if not provided on the CLI.
>>> I'd prefer this option. The patch really is incomplete.
>>
>> New patch attached.
>
> Ack, pushed to master
>
> rob

Are you sure you pushed the second patch (-02)? Looking at what's in
master, it looks like the first version..

Jakub

From jhrozek at redhat.com Tue Nov 9 20:14:38 2010
From: jhrozek at redhat.com (Jakub Hrozek)
Date: Tue, 09 Nov 2010 21:14:38 +0100
Subject: [Freeipa-devel] [PATCH] 0002 Rewrite the migration page using WSGI
In-Reply-To: <4CD99240.9060605@redhat.com>
References: <4CCAE292.6020602@redhat.com> <4CCF8478.3030807@redhat.com> <4CD02708.60304@redhat.com> <4CD863C7.1060806@redhat.com> <4CD99240.9060605@redhat.com>
Message-ID: <4CD9ABAE.5000409@redhat.com>

On 11/09/2010 07:26 PM, Rob Crittenden wrote:
> Rob Crittenden wrote:
>> Jakub Hrozek wrote:
>>> (resending to the list, I accidentally replied to Rob only before..)
>>>
>>> On 11/02/2010 04:24 AM, Rob Crittenden wrote:
>>>> Jakub Hrozek wrote:
>>>>> https://fedorahosted.org/freeipa/ticket/154
>>>>>
>>>>> The second patch removes the /ipatest section that has been commented
>>>>> out in ipa.conf anyway..plus, we don't ship /usr/share/ipatest anymore
>>>>> :-)
>>>>
>>>> Migration doesn't seem to be working. The migration page itself
>>>> comes up
>>>> fine and prompts for data but when I enter the password of a migrated
>>>> user I don't seem to be getting valid kerberos keys. kinit doesn't work
>>>> in any case. It could also be that I'm tired. Does a migrated account
>>>> work for you?
>>>>
>>>
>>> It does for me -- or at least I think it's working. This is how I
>>> tested:
>>> 1) migrate users from LDAP using the migrate-ds plugin.
>>> 2) try kinit - preauth will fail
>>> 3) go to the migration page, enter username/password. This redirects me
>>> to the ui page if the credentials are correct.
>>> 4) kinit for the user works now
>>>
>>> This is on the current master + the two patches under review, on a F13
>>> host migrating from 389 DS on another F13 machine.
>>
>> I still can't get this to work on my F12 machine. The LDAP password is
>> ok, I confirmed that with ldapsearch.
>>
>> My process is as yours. I get redirected to the UI page which fails
>> because I haven't done a kinit yet. I go do the kinit and that fails.
>>
>> The KDC is logging:
>>
>> Nov 08 15:48:48 panther.example.com krb5kdc[23964](info): AS_REQ (7
>> etypes {18 17 16 23 1 3 2}) 192.168.166.34: NEEDED_PREAUTH:
>> tuser2@EXAMPLE.COM for krbtgt/EXAMPLE.COM@EXAMPLE.COM, Additional
>> pre-authentication required
>> Nov 08 15:48:50 panther.example.com krb5kdc[23964](info): preauth
>> (timestamp) verify failure: Decrypt integrity check failed
>> Nov 08 15:48:50 panther.example.com krb5kdc[23964](info): AS_REQ (7
>> etypes {18 17 16 23 1 3 2}) 192.168.166.34: PREAUTH_FAILED:
>> tuser2@EXAMPLE.COM for krbtgt/EXAMPLE.COM@EXAMPLE.COM, Decrypt integrity
>> check failed
>>
>> I think the timestamp part is bogus, I think this just means the
>> password is bad.
>>
>> I noticed that krbPrincipalKey is getting migrated as well. If I delete
>> this before trying the migration the password works.
>>
>> I find it unlikely that this is related to your mod_wsgi conversion so
>> I'm going to open a separate ticket on that and ack your changes.
>>
>> ACK
>>
>> rob
>
> pushed to master

Thanks!

Do you think it makes sense to also review and potentially push the
second patch in the original thread?
(jhrozek-freeipa-0003-Remove-some-more-mod_python-references.patch)

Jakub

From rcritten at redhat.com Tue Nov 9 21:11:56 2010
From: rcritten at redhat.com (Rob Crittenden)
Date: Tue, 09 Nov 2010 16:11:56 -0500
Subject: [Freeipa-devel] [PATCH] 608 fix rights with pwpolicy plugin
Message-ID: <4CD9B91C.6070101@redhat.com>

The pwpolicy plugin wasn't returning effective rights. I fixed that and
it will also return the rights for cospriority if showing a group.

rob

-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-rcrit-608-rights.patch
Type: text/x-patch
Size: 2046 bytes

From ayoung at redhat.com Tue Nov 9 21:31:19 2010
From: ayoung at redhat.com (Adam Young)
Date: Tue, 09 Nov 2010 16:31:19 -0500
Subject: [Freeipa-devel] [PATCH] Add new version of DNS plugin: complete rework with baseldap + unit tests.
In-Reply-To: <4CD8C8E9.1000809@redhat.com>
References: <4CD8C8E9.1000809@redhat.com>
Message-ID: <4CD9BDA7.4020104@redhat.com>

On 11/08/2010 11:07 PM, Pavel Zůna wrote:
> Finally, there it is. :)
>
> I redesigned the whole thing to fit the baseldap model.
>
> Here's some example on how it's used:
>
> # create zone 'example.com'
> # ipa dnszone-add example.com --name=ns.example.com
> --admin=admin@example.com
>
> # create a resource in zone 'example.com' named 'machine1'
> # (machine1.example.com) with A record 10.10.0.1
> # ipa dnsres-add example.com machine1 --a-rec=10.10.0.1
>
> # Add another A record to 'machine1' in 'example.com'
> # ipa dnsres-add-record example.com machine1 --a-rec=10.10.0.2
>
> # Remove one of the A records from 'machine1' in 'example.com'
> # ipa dnsres-remove-record example.com machine1 --a-rec=10.10.0.1
>
>
>
> The plugin is pretty complex and requires my patch number 35 to work.
> There is a bunch of unit tests, so hopefully it won't be too much pain
> to review.
>
> You can use both dns and dns2 at the same time.
>
> When dns2 is tested enough, it should replace the original dns plugin.
>
> docstring (ipa help dns2) documentation will follow soon in a separate
> patch.
>
> Pavel
>
>
> _______________________________________________
> Freeipa-devel mailing list
> Freeipa-devel at redhat.com
> https://www.redhat.com/mailman/listinfo/freeipa-devel

Note that it has the patch format issue where Thunderbird prepends a >
keeping git am from applying. Also, patch name is reversed: we had
standardized on freeipa_

The lite server doesn't seem to want to respond to the new commands.
ipa help dns2 brings up the right subset of helpstrings, but:

[ayoung at ipa freeipa]$ ./ipa dnszone-find
ipa: ERROR: unknown command u'dnszone_find'

[ayoung at ipa freeipa]$ ./ipa dnsres-find ayoung.boston.devel.redhat.com
ipa: ERROR: unknown command u'dnsres_find'

From pzuna at redhat.com Wed Nov 10 16:06:11 2010
From: pzuna at redhat.com (Pavel Zuna)
Date: Wed, 10 Nov 2010 17:06:11 +0100
Subject: [Freeipa-devel] [PATCH] Add new version of DNS plugin: complete rework with baseldap + unit tests.
In-Reply-To: <4CD9BDA7.4020104@redhat.com>
References: <4CD8C8E9.1000809@redhat.com> <4CD9BDA7.4020104@redhat.com>
Message-ID: <4CDAC2F3.2010309@redhat.com>

On 11/09/2010 10:31 PM, Adam Young wrote:
> On 11/08/2010 11:07 PM, Pavel Zůna wrote:
>> Finally, there it is. :)
>>
>> I redesigned the whole thing to fit the baseldap model.
>>
>> Here's some example on how it's used:
>>
>> # create zone 'example.com'
>> # ipa dnszone-add example.com --name=ns.example.com
>> --admin=admin@example.com
>>
>> # create a resource in zone 'example.com' named 'machine1'
>> # (machine1.example.com) with A record 10.10.0.1
>> # ipa dnsres-add example.com machine1 --a-rec=10.10.0.1
>>
>> # Add another A record to 'machine1' in 'example.com'
>> # ipa dnsres-add-record example.com machine1 --a-rec=10.10.0.2
>>
>> # Remove one of the A records from 'machine1' in 'example.com'
>> # ipa dnsres-remove-record example.com machine1 --a-rec=10.10.0.1
>>
>>
>>
>> The plugin is pretty complex and requires my patch number 35 to work.
>> There is a bunch of unit tests, so hopefully it won't be too much pain
>> to review.
>>
>> You can use both dns and dns2 at the same time.
>>
>> When dns2 is tested enough, it should replace the original dns plugin.
>>
>> docstring (ipa help dns2) documentation will follow soon in a separate
>> patch.
>>
>> Pavel
>>
>>
>> _______________________________________________
>> Freeipa-devel mailing list
>> Freeipa-devel at redhat.com
>> https://www.redhat.com/mailman/listinfo/freeipa-devel
>
> Note that it has the patch format issue where Thunderbird prepends a >
> keeping git am from applying. Also, patch name is reversed: we had
> standardized on freeipa_

Sorry about that, I'll make sure to use this convention for my future
patches.

>
> The lite server doesn't seem to want to respond to the new commands. ipa
> help dns2 brings up the right subset of helpstrings, but:
>
>
> [ayoung at ipa freeipa]$ ./ipa dnszone-find
> ipa: ERROR: unknown command u'dnszone_find'
>
> [ayoung at ipa freeipa]$ ./ipa dnsres-find ayoung.boston.devel.redhat.com
> ipa: ERROR: unknown command u'dnsres_find'
>

Just tested it on a clean clone of master and it works.

Check your configuration:

./ipa env | grep xmlrpc_uri

It should read: https://localhost:8888/ipa/xml

Otherwise you're not connecting to the lite-server, but to the installed
server.

Pavel

From edewata at redhat.com Wed Nov 10 17:28:41 2010
From: edewata at redhat.com (Endi Sukma Dewata)
Date: Wed, 10 Nov 2010 11:28:41 -0600
Subject: [Freeipa-devel] [PATCH] admiyo-0080-Label-cleanup
In-Reply-To: <4CD99DEE.8080602@redhat.com>
References: <4CD99DEE.8080602@redhat.com>
Message-ID: <4CDAD649.80101@redhat.com>

On 11/9/2010 1:15 PM, Adam Young wrote:
>

ACK and pushed to master.

-- 
Endi S. Dewata

From jhrozek at redhat.com Wed Nov 10 17:47:43 2010
From: jhrozek at redhat.com (Jakub Hrozek)
Date: Wed, 10 Nov 2010 18:47:43 +0100
Subject: [Freeipa-devel] [PATCH] Set CACERTDIR during install to work around openldap bug
Message-ID: <4CDADABF.4040906@redhat.com>

Please see attachment. The right fix would be to fix this in openldap,
but I think we should have a workaround, at least for the time being.
Much of the credit goes to Jan who helped me debug the issue.

-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-jhrozek-012-Set-CACERTDIR-during-install-to-work-around-openldap.patch
Type: text/x-patch
Size: 1350 bytes

From jhrozek at redhat.com Wed Nov 10 18:11:46 2010
From: jhrozek at redhat.com (Jakub Hrozek)
Date: Wed, 10 Nov 2010 19:11:46 +0100
Subject: [Freeipa-devel] [PATCH] Set CACERTDIR during install to work around openldap bug
In-Reply-To: <4CDADABF.4040906@redhat.com>
References: <4CDADABF.4040906@redhat.com>
Message-ID: <4CDAE062.1050900@redhat.com>

On 11/10/2010 06:47 PM, Jakub Hrozek wrote:
> Please see attachment. The right fix would be to fix this in openldap,
> but I think we should have a workaround, at least for the time being.
> Much of the credit goes to Jan who helped me debug the issue.

Sorry, the first patch had a small bug. New one attached.

-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-jhrozek-012-Set-CACERTDIR-during-install-to-work-around-openldap.patch
Type: text/x-patch
Size: 1354 bytes

From ssorce at redhat.com Wed Nov 10 20:22:40 2010
From: ssorce at redhat.com (Simo Sorce)
Date: Wed, 10 Nov 2010 15:22:40 -0500 (EST)
Subject: [Freeipa-devel] [PATCH] 0009 uuid fixes for replication
In-Reply-To: <1845947112.1905311289420484631.JavaMail.root@zmail05.collab.prod.int.phx2.redhat.com>
Message-ID: <1312455402.1905511289420560479.JavaMail.root@zmail05.collab.prod.int.phx2.redhat.com>

The uuid plugin was misbehaving in the replication case returning access
denied on replication operations. This patch makes the plugin ignore
replication for all operations but changes in the configuration of the
plugin itself.

Fixes bug #468

Simo.

-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-simo-0009-uuid-plugin-Fix-control-access-bug-on-replication.patch
Type: text/x-patch
Size: 1897 bytes

From rcritten at redhat.com Wed Nov 10 20:35:12 2010
From: rcritten at redhat.com (Rob Crittenden)
Date: Wed, 10 Nov 2010 15:35:12 -0500
Subject: [Freeipa-devel] [PATCH] 0009 uuid fixes for replication
In-Reply-To: <1312455402.1905511289420560479.JavaMail.root@zmail05.collab.prod.int.phx2.redhat.com>
References: <1312455402.1905511289420560479.JavaMail.root@zmail05.collab.prod.int.phx2.redhat.com>
Message-ID: <4CDB0200.9040604@redhat.com>

Simo Sorce wrote:
>
> The uuid plugin was misbehaving in the replication case returning access
> denied on replication operations. This patch makes the plugin ignore
> replication for all operations but changes in the configuration of the
> plugin itself.
>
> Fixes bug #468
>
> Simo.

ack, pushed to master

From rcritten at redhat.com Wed Nov 10 21:25:18 2010
From: rcritten at redhat.com (Rob Crittenden)
Date: Wed, 10 Nov 2010 16:25:18 -0500
Subject: [Freeipa-devel] [PATCH] 609 Reduce the number of attributes a host is allowed to write.
Message-ID: <4CDB0DBE.4020803@redhat.com>

The list of attributes that a host bound as itself could write was
overly broad. A host can now only update its description, information
about itself such as OS release, etc, its certificate, password and
keytab.

https://fedorahosted.org/freeipa/ticket/416

rob

-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-rcrit-609-aci.patch
Type: text/x-patch
Size: 6425 bytes

From rcritten at redhat.com Wed Nov 10 21:48:30 2010
From: rcritten at redhat.com (Rob Crittenden)
Date: Wed, 10 Nov 2010 16:48:30 -0500
Subject: [Freeipa-devel] [PATCH] 607 add managedby to hosts
In-Reply-To: <20101109145039.2b315e95@willson.li.ssimo.org>
References: <4CD99A30.2030705@redhat.com> <20101109145039.2b315e95@willson.li.ssimo.org>
Message-ID: <4CDB132E.7060008@redhat.com>

Simo Sorce wrote:
> On Tue, 09 Nov 2010 14:00:00 -0500
> Rob Crittenden wrote:
>
>> +
>> + Add a host that can manage this host's keytab and certificate:
>> + ipa host-add-host --hosts=test2 test
>> """
>>
>
> I do not want to nack, but looking at this command in isolation I am
> quite confused at what it is supposed to do (think about seeing it in
> a log file and wondering what it means w/o further context).
>
> What does it mean to add a host into a host (host-add-host) ?
> And which one is added to the other one ? test in test2 or test2 in
> test?
>
> I do not know if we can change names/syntax to make this more
> immediately understandable, but if we can I'd like to do that.
> Obscure/confusing syntaxes generally make it easier to make mistakes,
> which are bad in a tool used to manage security.
>
> Simo.
>

Switched to host-add-managedby and host-remove-managedby.

rob

-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-rcrit-607-2-host.patch
Type: text/x-patch
Size: 14810 bytes

From rcritten at redhat.com Wed Nov 10 21:53:02 2010
From: rcritten at redhat.com (Rob Crittenden)
Date: Wed, 10 Nov 2010 16:53:02 -0500
Subject: [Freeipa-devel] [PATCH] 610 don't include internal commands in help
Message-ID: <4CDB143E.3030304@redhat.com>

Don't include internal commands in `ipa help commands` output.

https://fedorahosted.org/freeipa/ticket/463

rob

-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-rcrit-610-help.patch
Type: text/x-patch
Size: 834 bytes

From rcritten at redhat.com Wed Nov 10 22:33:31 2010
From: rcritten at redhat.com (Rob Crittenden) Date: Wed, 10 Nov 2010 17:33:31 -0500 Subject: [Freeipa-devel] [PATCH] 611 increase default username len Message-ID: <4CDB1DBB.1060805@redhat.com> Increase default username length to 32 and max for users and groups to 255. rob -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-rcrit-611-len.patch Type: text/x-patch Size: 2205 bytes Desc: not available URL: From rcritten at redhat.com Wed Nov 10 22:38:47 2010 
From: rcritten at redhat.com (Rob Crittenden) Date: Wed, 10 Nov 2010 17:38:47 -0500 Subject: [Freeipa-devel] [PATCH] 0002 Rewrite the migration page using WSGI In-Reply-To: <4CD9ABAE.5000409@redhat.com> References: <4CCAE292.6020602@redhat.com> <4CCF8478.3030807@redhat.com> <4CD02708.60304@redhat.com> <4CD863C7.1060806@redhat.com> <4CD99240.9060605@redhat.com> <4CD9ABAE.5000409@redhat.com> Message-ID: <4CDB1EF7.8040206@redhat.com> Jakub Hrozek wrote: > -----BEGIN PGP SIGNED MESSAGE----- > Hash: SHA1 > > On 11/09/2010 07:26 PM, Rob Crittenden wrote: >> Rob Crittenden wrote: >>> Jakub Hrozek wrote: >>>> -----BEGIN PGP SIGNED MESSAGE----- >>>> Hash: SHA1 >>>> >>>> (resending to the list, I accidentally replied to Rob only before..) >>>> >>>> On 11/02/2010 04:24 AM, Rob Crittenden wrote: >>>>> Jakub Hrozek wrote: >>>>>> -----BEGIN PGP SIGNED MESSAGE----- >>>>>> Hash: SHA1 >>>>>> >>>>>> https://fedorahosted.org/freeipa/ticket/154 >>>>>> >>>>>> The second patch removes the /ipatest section that has been commented >>>>>> out in ipa.conf anyway..plus, we don't ship /usr/share/ipatest anymore >>>>>> :-) >>>>> >>>>> Migration doesn't seem to be working. The migration page itself >>>>> comes up >>>>> fine and prompts for data but when I enter the password of a migrated >>>>> user I don't seem to be getting valid kerberos keys. kinit doesn't work >>>>> in any case. It could also be that I'm tired. Does a migrated account >>>>> work for you? >>>>> >>>> >>>> It does for me -- or at least I think it's working. This is how I >>>> tested: >>>> 1) migrate users from LDAP using the migrate-ds plugin. >>>> 2) try kinit - preauth will fail >>>> 3) go to the migration page, enter username/password This redirects me >>>> to the ui page if the credentials are correct. >>>> 4) kinit for the user works now >>>> >>>> This is on the current master + the two patches under review, on a F13 >>>> host migrating from 389 DS on another F13 machine. 
>>> >>> I still can't get this to work on my F12 machine. The LDAP password is >>> ok, I confirmed that with ldapsearch. >>> >>> My process is as yours. I get redirected to the UI page which fails >>> because I haven't done a kinit yet. I go do the kinit and that fails. >>> >>> The KDC is logging: >>> >>> Nov 08 15:48:48 panther.example.com krb5kdc[23964](info): AS_REQ (7 >>> etypes {18 17 16 23 1 3 2}) 192.168.166.34: NEEDED_PREAUTH: >>> tuser2 at EXAMPLE.COM for krbtgt/EXAMPLE.COM at EXAMPLE.COM, Additional >>> pre-authentication required >>> Nov 08 15:48:50 panther.example.com krb5kdc[23964](info): preauth >>> (timestamp) verify failure: Decrypt integrity check failed >>> Nov 08 15:48:50 panther.example.com krb5kdc[23964](info): AS_REQ (7 >>> etypes {18 17 16 23 1 3 2}) 192.168.166.34: PREAUTH_FAILED: >>> tuser2 at EXAMPLE.COM for krbtgt/EXAMPLE.COM at EXAMPLE.COM, Decrypt integrity >>> check failed >>> >>> I think the timestamp part is bogus, I think this just means the >>> password is bad. >>> >>> I noticed that krbPrincipalKey is getting migrated as well. If I delete >>> this before trying the migration the password works. >>> >>> I find it unlikely that this is related to your mod_wsgi conversion so >>> I'm going to open a separate ticket on that and ack your changes. >>> >>> ACK >>> >>> rob >> >> pushed to master > > Thanks! Do you think it makes sense to also review and potentially push > the second patch in the original thread? > (jhrozek-freeipa-0003-Remove-some-more-mod_python-references.patch) Sorry, I knew it was there, missed it when I was pushing. ack and pushed to master From rcritten at redhat.com Wed Nov 10 23:12:49 2010 
From: rcritten at redhat.com (Rob Crittenden) Date: Wed, 10 Nov 2010 18:12:49 -0500 Subject: [Freeipa-devel] [PATCH] 0001 Ensure that Apache is running in Prefork mode In-Reply-To: <201011081107.21728.jzeleny@redhat.com> References: <201011021617.20977.jzeleny@redhat.com> <4CD1717F.4020003@redhat.com> <201011081107.21728.jzeleny@redhat.com> Message-ID: <4CDB26F1.1040905@redhat.com> Jan Zelený wrote: > Rob Crittenden wrote: >> Jan Zelený wrote: >>> I tried one other solution, but this approach was recommended to me by >>> Pavel. It seems to be working fine. If you don't agree with the concept >>> (detection per request), I can present you the original one. >>> >>> https://fedorahosted.org/freeipa/ticket/252 >>> >>> Jan >> >> nack. I think we need some logging to say "IPA does not work with the >> threaded MPM, use the pre-fork MPM" or something like that. >> >> Otherwise it is going to silently fail and users will have no idea why. > > I added logging as you requested. I'm still not quite sure how the > logging works exactly, but as I understand it, this way it should be ok. > > Jan nack, I can still run httpd.worker and serve IPA requests. We do things to the environment so we need to be sure that each request is isolated from all others which is why we want to run in multi-process mode. rob From edewata at redhat.com Wed Nov 10 23:20:04 2010
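One way to make a threaded MPM fail loudly rather than silently, added as an example and not the patch under review nor FreeIPA code: PEP 3333 requires every WSGI server to set `wsgi.multithread`, and under mod_wsgi it is True whenever the process handles requests on more than one thread, as it does with the worker and event MPMs in embedded mode, and False under prefork. The guard below logs the reason Rob asked for and answers 503 instead of running the application. The logger name, the stand-in application and the environments it is driven with are constructed for the example; it is a per-request backstop of the kind the thread discusses, not a substitute for checking the MPM at install time.

```python
"""Refuse to serve when the WSGI server is threaded.

Added example; not FreeIPA code and not the patch under review. Relies on the
wsgi.multithread flag PEP 3333 requires servers to set; the logger name, the
sample application and the constructed environs are assumptions.
"""
import logging

log = logging.getLogger("ipa.mpm_check")  # assumed logger name


class RequireSingleThreaded(object):
    """WSGI middleware: log and answer 503 instead of running the wrapped
    application when the server handles requests on threads."""

    def __init__(self, app):
        self.app = app

    def __call__(self, environ, start_response):
        if environ.get("wsgi.multithread"):
            log.error("threaded MPM detected (wsgi.multithread=True); "
                      "run httpd with the prefork MPM")
            body = (b"Service unavailable: this application requires "
                    b"a single-threaded (prefork) MPM\n")
            start_response("503 Service Unavailable",
                           [("Content-Type", "text/plain"),
                            ("Content-Length", str(len(body)))])
            return [body]
        return self.app(environ, start_response)


def hello_app(environ, start_response):
    """Stand-in for the real application; constructed for the example."""
    body = b"ok\n"
    start_response("200 OK", [("Content-Type", "text/plain"),
                              ("Content-Length", str(len(body)))])
    return [body]


def run_once(app, multithread):
    """Drive a WSGI callable with a minimal constructed environ and return
    (status, body) so the behaviour can be checked without httpd."""
    captured = {}

    def start_response(status, headers, exc_info=None):
        captured["status"] = status
        captured["headers"] = headers
        return lambda data: None

    environ = {
        "REQUEST_METHOD": "GET",
        "PATH_INFO": "/ipa/ui",
        "wsgi.multithread": multithread,
        "wsgi.multiprocess": not multithread,
        "wsgi.run_once": False,
    }
    body = b"".join(app(environ, start_response))
    return captured["status"], body


application = RequireSingleThreaded(hello_app)

if __name__ == "__main__":
    logging.basicConfig(level=logging.ERROR)
    print(run_once(application, multithread=False))  # prefork-like server
    print(run_once(application, multithread=True))   # worker/event-like server
```

The check reads a server-reported flag, so it only helps if the server reports honestly; a process that manipulates per-request state (environment variables, the Kerberos credential cache) still needs the install-time check, because by the time the first threaded request arrives the shared state may already have been touched.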
From: edewata at redhat.com (Endi Sukma Dewata) Date: Wed, 10 Nov 2010 17:20:04 -0600 Subject: [Freeipa-devel] [PATCH] HBAC Services Message-ID: <4CDB28A4.90206@redhat.com> Hi, Please review the attached patch. Thanks! https://fedorahosted.org/reviewboard/r/104/ The HBAC Service search and details pages have been added under the HBAC tab. This requires some changes to the framework. Currently the navigation framework doesn't support multiple entities under one tab. As a temporary solution, an 'entity' URL parameter is used to determine the entity to be displayed. This parameter is now only used by the HBAC tab, but its use might be expanded later. The navigation framework needs to be redesigned to provide more flexibility. The search page in all entities except DNS records has been changed to use the ipa_search_widget. The Select/Unselect All checkbox and Delete button now work correctly and consistently. The Add dialog has been enhanced to render and work in a more consistent way while still supporting custom widgets & layouts. For the search page, the Add button will refresh the search results and clear the fields in the dialog box. The framework now provides some extension points which can be overridden by the subclasses: - init(): for initialization and configuration - create(): for creating the layout dynamically or from template - setup(): for setting the look and feel - load(): for loading the data Entity and facet initialization is now done after IPA.init(). This is to ensure the metadata is loaded first so the entities and facets can use localized messages/labels/titles. The group entity has been partially converted to use the new framework. The unit tests have been updated accordingly. -- Endi S. Dewata -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-edewata-0028-HBAC-Services.patch Type: text/x-patch Size: 113609 bytes Desc: not available URL: From edewata at redhat.com Wed Nov 10 23:23:40 2010
From: edewata at redhat.com (Endi Sukma Dewata) Date: Wed, 10 Nov 2010 17:23:40 -0600 Subject: [Freeipa-devel] HBAC Service & Service Group test data Message-ID: <4CDB297C.6010109@redhat.com> Hi, Please review the attached patch. This can be installed independently from my patch #28 (HBAC Services). Thanks! https://fedorahosted.org/reviewboard/r/105/ -- Endi S. Dewata -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-edewata-0029-HBAC-Service-Service-Group-test-data.patch Type: text/x-patch Size: 6814 bytes Desc: not available URL: From ayoung at redhat.com Thu Nov 11 01:18:31 2010 From: ayoung at redhat.com (Adam Young) Date: Wed, 10 Nov 2010 20:18:31 -0500 Subject: [Freeipa-devel] HBAC Service & Service Group test data In-Reply-To: <4CDB297C.6010109@redhat.com> References: <4CDB297C.6010109@redhat.com> Message-ID: <4CDB4467.4010506@redhat.com> On 11/10/2010 06:23 PM, Endi Sukma Dewata wrote: > Hi, > > Please review the attached patch. This can be installed independently > from my patch #28 (HBAC Services). Thanks! > > https://fedorahosted.org/reviewboard/r/105/ > > > _______________________________________________ > Freeipa-devel mailing list > Freeipa-devel at redhat.com > https://www.redhat.com/mailman/listinfo/freeipa-devel You want to make sure the hbac_show.json was built with the --rights param, otherwise you don't get the effective rights in the results. -------------- next part -------------- An HTML attachment was scrubbed... URL: From edewata at redhat.com Thu Nov 11 01:46:43 2010 
From: edewata at redhat.com (Endi Sukma Dewata) Date: Wed, 10 Nov 2010 19:46:43 -0600 Subject: [Freeipa-devel] [PATCH] HBAC Service Groups Message-ID: <4CDB4B03.5080005@redhat.com> Hi, Please review the attached patch. This patch requires my patch #28 (HBAC Services). Thanks! The HBAC Service Groups search, details, and association pages have been added under the HBAC tab. New test data files for HBAC Service Groups have been added. The sample metadata has been updated as well. -- Endi S. Dewata -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-edewata-0030-HBAC-Service-Groups.patch Type: text/x-patch Size: 16065 bytes Desc: not available URL: From rcritten at redhat.com Thu Nov 11 03:01:52 2010 
From: rcritten at redhat.com (Rob Crittenden) Date: Wed, 10 Nov 2010 22:01:52 -0500 Subject: [Freeipa-devel] [PATCH] Modified ipa help behavior In-Reply-To: <201011081054.00482.jzeleny@redhat.com> References: <201011080926.12248.jzeleny@redhat.com> <201011081054.00482.jzeleny@redhat.com> Message-ID: <4CDB5CA0.9020906@redhat.com> Jan Zelený wrote: > Jan Zelený wrote: >> Now each plugin can define its topic as a 2-tuple, where the first >> item is the name of topic it belongs to and the second item is >> a description of such topic. Topic descriptions must be the same >> for all modules belonging to the topic. >> >> By using these topics, it is possible to group plugins as we see fit. >> When asking for help for a particular topic, help for all modules >> in given topic is written. >> >> ipa help - show all topics (until now it showed all plugins) >> ipa help - show details to given topic >> >> https://fedorahosted.org/freeipa/ticket/410 > > Sorry for the wrong sequence number, sending the correct one now. I think this is a good start but I find the output hard to read, both with a single topic (like user) or multiple (like sudo). The dashed lines and the extra spaces make my eyes cross a bit. What I don't have is any good suggestion to change it up. I realize you are jamming together discrete things that may or may not look nice together. I suppose a few suggestions might be: - a SEEALSO-like where you print the topics at the bottom so it is obvious that multiple things are jammed together - A single dashed-line all the way across (more or less) with a single space before and after might be a less jarring separator. IIRC we have some output code that should handle screen sizes for you. - I'm not sure if combining all the commands into a single list is the right thing or not. It may not be necessary with the SEEALSO. So nack for now but this is headed in the right direction. rob From jhrozek at redhat.com Thu Nov 11 06:36:22 2010
From: jhrozek at redhat.com (Jakub Hrozek) Date: Thu, 11 Nov 2010 07:36:22 +0100 Subject: [Freeipa-devel] [PATCH] 011 Use sys.exit to quit scripts In-Reply-To: <4CD99A86.3020202@redhat.com> References: <4CD96A22.9050105@redhat.com> <4CD99A86.3020202@redhat.com> Message-ID: <4CDB8EE6.4030704@redhat.com> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 On 11/09/2010 08:01 PM, Rob Crittenden wrote: > Jakub Hrozek wrote: >> -----BEGIN PGP SIGNED MESSAGE----- >> Hash: SHA1 >> >> Instead of print and return, use sys.exit() to quit scripts with an >> error message and a non zero return code. >> >> https://fedorahosted.org/freeipa/ticket/425 >> > > This isn't applying for me. Can you try to rebase it? > > thanks > > rob It should apply cleanly once the remaining diff of the patch that logs install script options is pushed. Sorry, I did not mention there was a dependency earlier. Jakub -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.11 (GNU/Linux) Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org/ iEYEARECAAYFAkzbjuIACgkQHsardTLnvCVD4QCgiOaLttJDLTSyOn8jDjhhQmZI 9EwAoN71+rR585sDcWVIow5mLaiLEXBl =rV70 -----END PGP SIGNATURE----- From jhrozek at redhat.com Thu Nov 11 11:30:16 2010 From: jhrozek at redhat.com (Jakub Hrozek) Date: Thu, 11 Nov 2010 12:30:16 +0100 Subject: [Freeipa-devel] [PATCH] 610 don't include internal commands in help In-Reply-To: <4CDB143E.3030304@redhat.com> References: <4CDB143E.3030304@redhat.com> Message-ID: <20101111113016.GA2596@zeppelin.brq.redhat.com> On Wed, Nov 10, 2010 at 04:53:02PM -0500, Rob Crittenden wrote: > Don't include internal commands in `ipa help commands` output. > > https://fedorahosted.org/freeipa/ticket/463 > > rob With this patch, commands like "cos*" or "batch" don't show up with "ipa help commands" -> ACK Jakub From jhrozek at redhat.com Thu Nov 11 12:35:59 2010 
From: jhrozek at redhat.com (Jakub Hrozek) Date: Thu, 11 Nov 2010 13:35:59 +0100 Subject: [Freeipa-devel] [PATCH] 611 increase default username len In-Reply-To: <4CDB1DBB.1060805@redhat.com> References: <4CDB1DBB.1060805@redhat.com> Message-ID: <20101111123559.GA3397@zeppelin.brq.redhat.com> On Wed, Nov 10, 2010 at 05:33:31PM -0500, Rob Crittenden wrote: > Increase default username length to 32 and max for users and groups to 255. > > rob Adding users with usernames longer than 8 characters works OK until the limit of 32 at which point I got: ipa: ERROR: invalid 'uid': can be at most 32 characters ->ACK Jakub From jhrozek at redhat.com Thu Nov 11 12:48:49 2010 From: jhrozek at redhat.com (Jakub Hrozek) Date: Thu, 11 Nov 2010 13:48:49 +0100 Subject: [Freeipa-devel] [PATCH] 605 use diff user for dogtag DS instance In-Reply-To: <4CD820DE.9030800@redhat.com> References: <4CD820DE.9030800@redhat.com> Message-ID: <20101111124848.GA24073@zeppelin.brq.redhat.com> On Mon, Nov 08, 2010 at 11:10:06AM -0500, Rob Crittenden wrote: > Use a different user for the dogtag DS instance. This prevents an > error during uninstall of trying to remove the dirsrv user when the > dogtag DS instance is removed. > > I also added an ipactl stop to the beginning of the uninstall > process. We will try to stop each service individually during > uninstall but stopping them all first is cleaner. It's how I've been > uninstalling anything for months now (ipactl stop && > ipa-server-install --uninstall -U). > > ticket https://fedorahosted.org/freeipa/ticket/349 > > rob I tested this only on F13, as installing CA on F14 currently doesn't work, but seems to work OK there.. Ack Jakub From ssorce at redhat.com Thu Nov 11 13:10:33 2010
From: ssorce at redhat.com (Simo Sorce) Date: Thu, 11 Nov 2010 08:10:33 -0500 Subject: [Freeipa-devel] [PATCH] Set CACERTDIR during install to work around openldap bug In-Reply-To: <4CDAE062.1050900@redhat.com> References: <4CDADABF.4040906@redhat.com> <4CDAE062.1050900@redhat.com> Message-ID: <20101111081033.1e6580d3@willson.li.ssimo.org> On Wed, 10 Nov 2010 19:11:46 +0100 Jakub Hrozek wrote: > -----BEGIN PGP SIGNED MESSAGE----- > Hash: SHA1 > > On 11/10/2010 06:47 PM, Jakub Hrozek wrote: > > Please see attachment. The right fix would be to fix this in > > openldap, but I think we should have a workaround, at least for the > > time being. Much of the credit goes to Jan who helped me debug the > > issue. > > Sorry, the first patch had a small bug. New one attached. Jakub, I am surprised, I have the current code working on F14 w/o issues, why do you need to set also the CACERTDIR ? Simo. -- Simo Sorce * Red Hat, Inc * New York From jhrozek at redhat.com Thu Nov 11 13:37:35 2010 
From: jhrozek at redhat.com (Jakub Hrozek) Date: Thu, 11 Nov 2010 14:37:35 +0100 Subject: [Freeipa-devel] [PATCH] Set CACERTDIR during install to work around openldap bug In-Reply-To: <20101111081033.1e6580d3@willson.li.ssimo.org> References: <4CDADABF.4040906@redhat.com> <4CDAE062.1050900@redhat.com> <20101111081033.1e6580d3@willson.li.ssimo.org> Message-ID: <20101111133735.GA12653@zeppelin.brq.redhat.com> On Thu, Nov 11, 2010 at 08:10:33AM -0500, Simo Sorce wrote: > On Wed, 10 Nov 2010 19:11:46 +0100 > Jakub Hrozek wrote: > > > -----BEGIN PGP SIGNED MESSAGE----- > > Hash: SHA1 > > > > On 11/10/2010 06:47 PM, Jakub Hrozek wrote: > > > Please see attachment. The right fix would be to fix this in > > > openldap, but I think we should have a workaround, at least for the > > > time being. Much of the credit goes to Jan who helped me debug the > > > issue. > > > > Sorry, the first patch had a small bug. New one attached. > > Jakub, I am surprised, I have the current code working on F14 w/o > issues, why do you need to set also the CACERTDIR ? > > Simo. How does your /etc/openldap/ldap.conf look like? On both of my test machines (one of them F13, the other one F14) it contains: --- URI ldap://127.0.0.1/ BASE dc=example,dc=com TLS_CACERTDIR /etc/openldap/cacerts --- I don't recall setting it manually, though..I suspect some package scriptlet or authconfig..dunno yet. With the above setting, installation on F14 fails for me during the very last step: --- Unable to set admin password Command '/usr/bin/ldappasswd -h vm-061.idm.lab.bos.redhat.com -ZZ -x -D cn=Directory Manager -y /var/lib/ipa/tmpWn1lsN -T /var/lib/ipa/tmp_7938z uid=admin,cn=users,cn=accounts,dc=idm,dc=lab,dc=bos,dc=redhat,dc=com' returned non-zero exit status 1 --- When I ran ldappasswd with "-d -1", I could see TLS errors and ldappasswd opened only /etc/openldap/cacerts. 
Seeing the ldappasswd invocation working on F13 and not F14, I suspect that CACERTDIR erroneously takes precedence over CACERT (maybe something to do with the switch to NSS?). Putting CACERTDIR into the environment fixed the issue for me.. Jakub From ssorce at redhat.com Thu Nov 11 13:43:05 2010
From: ssorce at redhat.com (Simo Sorce) Date: Thu, 11 Nov 2010 08:43:05 -0500 Subject: [Freeipa-devel] [PATCH] Set CACERTDIR during install to work around openldap bug In-Reply-To: <20101111133735.GA12653@zeppelin.brq.redhat.com> References: <4CDADABF.4040906@redhat.com> <4CDAE062.1050900@redhat.com> <20101111081033.1e6580d3@willson.li.ssimo.org> <20101111133735.GA12653@zeppelin.brq.redhat.com> Message-ID: <20101111084305.1b99ff24@willson.li.ssimo.org> On Thu, 11 Nov 2010 14:37:35 +0100 Jakub Hrozek wrote: > On Thu, Nov 11, 2010 at 08:10:33AM -0500, Simo Sorce wrote: > > On Wed, 10 Nov 2010 19:11:46 +0100 > > Jakub Hrozek wrote: > > > > > -----BEGIN PGP SIGNED MESSAGE----- > > > Hash: SHA1 > > > > > > On 11/10/2010 06:47 PM, Jakub Hrozek wrote: > > > > Please see attachment. The right fix would be to fix this in > > > > openldap, but I think we should have a workaround, at least for > > > > the time being. Much of the credit goes to Jan who helped me > > > > debug the issue. > > > > > > Sorry, the first patch had a small bug. New one attached. > > > > Jakub, I am surprised, I have the current code working on F14 w/o > > issues, why do you need to set also the CACERTDIR ? > > > > Simo. > > How does your /etc/openldap/ldap.conf look like? On both of my test > machines (one of them F13, the other one F14) it contains: > > --- > URI ldap://127.0.0.1/ > BASE dc=example,dc=com > TLS_CACERTDIR /etc/openldap/cacerts > --- > > I don't recall setting it manually, though..I suspect some package > scriptlet or authconfig..dunno yet. I have both a F13 and a F14 machine and neither have TLS_CACERTDIR set. 
> With the above setting, installation on F14 fails for me during the > very last step: > > --- > Unable to set admin password Command '/usr/bin/ldappasswd -h > vm-061.idm.lab.bos.redhat.com -ZZ -x -D cn=Directory Manager -y > /var/lib/ipa/tmpWn1lsN -T /var/lib/ipa/tmp_7938z > uid=admin,cn=users,cn=accounts,dc=idm,dc=lab,dc=bos,dc=redhat,dc=com' > returned non-zero exit status 1 > --- > > When I ran ldappasswd with "-d -1", I could see TLS errors and > ldappasswd opened only /etc/openldap/cacerts. > > Seeing the ldappasswd invocation working on F13 and not F14, I > suspect that CACERTDIR erroneously takes precedence over CACERT > (maybe something to do with the switch to NSS?). Putting CACERTDIR > into the environment fixed the issue for me.. Ok, thanks for the summary, this explains why I don't see it. Ah, and ACK. Simo. -- Simo Sorce * Red Hat, Inc * New York From ayoung at redhat.com Thu Nov 11 13:54:09 2010
From: ayoung at redhat.com (Adam Young) Date: Thu, 11 Nov 2010 08:54:09 -0500 Subject: [Freeipa-devel] [PATCH] Set CACERTDIR during install to work around openldap bug In-Reply-To: <20101111084305.1b99ff24@willson.li.ssimo.org> References: <4CDADABF.4040906@redhat.com> <4CDAE062.1050900@redhat.com> <20101111081033.1e6580d3@willson.li.ssimo.org> <20101111133735.GA12653@zeppelin.brq.redhat.com> <20101111084305.1b99ff24@willson.li.ssimo.org> Message-ID: <4CDBF581.30202@redhat.com> On 11/11/2010 08:43 AM, Simo Sorce wrote: > On Thu, 11 Nov 2010 14:37:35 +0100 > Jakub Hrozek wrote: > > >> On Thu, Nov 11, 2010 at 08:10:33AM -0500, Simo Sorce wrote: >> >>> On Wed, 10 Nov 2010 19:11:46 +0100 >>> Jakub Hrozek wrote: >>> >>> >>>> -----BEGIN PGP SIGNED MESSAGE----- >>>> Hash: SHA1 >>>> >>>> On 11/10/2010 06:47 PM, Jakub Hrozek wrote: >>>> >>>>> Please see attachment. The right fix would be to fix this in >>>>> openldap, but I think we should have a workaround, at least for >>>>> the time being. Much of the credit goes to Jan who helped me >>>>> debug the issue. >>>>> >>>> Sorry, the first patch had a small bug. New one attached. >>>> >>> Jakub, I am surprised, I have the current code working on F14 w/o >>> issues, why do you need to set also the CACERTDIR ? >>> >>> Simo. >>> >> How does your /etc/openldap/ldap.conf look like? On both of my test >> machines (one of them F13, the other one F14) it contains: >> >> --- >> URI ldap://127.0.0.1/ >> BASE dc=example,dc=com >> TLS_CACERTDIR /etc/openldap/cacerts >> --- >> >> I don't recall setting it manually, though..I suspect some package >> scriptlet or authconfig..dunno yet. >> > I have both a F13 and a F14 machine and neither have TLS_CACERTDIR set. 
> > >> With the above setting, installation on F14 fails for me during the >> very last step: >> >> --- >> Unable to set admin password Command '/usr/bin/ldappasswd -h >> vm-061.idm.lab.bos.redhat.com -ZZ -x -D cn=Directory Manager -y >> /var/lib/ipa/tmpWn1lsN -T /var/lib/ipa/tmp_7938z >> uid=admin,cn=users,cn=accounts,dc=idm,dc=lab,dc=bos,dc=redhat,dc=com' >> returned non-zero exit status 1 >> --- >> >> When I ran ldappasswd with "-d -1", I could see TLS errors and >> ldappasswd opened only /etc/openldap/cacerts. >> >> Seeing the ldappasswd invocation working on F13 and not F14, I >> suspect that CACERTDIR erroneously takes precedence over CACERT >> (maybe something to do with the switch to NSS?). Putting CACERTDIR >> into the environment fixed the issue for me.. >> > Ok, thanks for the summary, this explains why I don't see it. > > Ah, and ACK. > > Simo. > > pushed to master From ssorce at redhat.com Thu Nov 11 15:21:15 2010 From: ssorce at redhat.com (Simo Sorce) Date: Thu, 11 Nov 2010 10:21:15 -0500 Subject: [Freeipa-devel] [PATCH] 0010 change uuid plugin to use libuuid Message-ID: <20101111102115.7543fc91@willson.li.ssimo.org> Directory Server guys decided not to expose internal uuid functions so change the ipa uuid plugin to use libuuid. This changes the string format of the UUID records once again unfortunately ... Simo. -- Simo Sorce * Red Hat, Inc * New York -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-simo-0010-uuid-plugin-convert-the-plugin-to-use-the-libuuid-li.patch Type: text/x-patch Size: 4897 bytes Desc: not available URL: From edewata at redhat.com Thu Nov 11 17:22:00 2010
From: edewata at redhat.com (Endi Sukma Dewata) Date: Thu, 11 Nov 2010 11:22:00 -0600 Subject: [Freeipa-devel] HBAC Service & Service Group test data In-Reply-To: <4CDB4467.4010506@redhat.com> References: <4CDB297C.6010109@redhat.com> <4CDB4467.4010506@redhat.com> Message-ID: <4CDC2638.7040601@redhat.com> On 11/10/2010 7:18 PM, Adam Young wrote: >> Please review the attached patch. This can be installed independently >> from my patch #28 (HBAC Services). Thanks! >> >> https://fedorahosted.org/reviewboard/r/105/ > You want to make sure the hbac_show.json was built with the --rights > param, otherwise you don't get the effective rights in the results. Attached is the new patch. I regenerated the show and mod files with --all and --rights. Thanks! -- Endi S. Dewata -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-edewata-0029-2-HBAC-Service-Service-Group-test-data.patch Type: text/x-patch Size: 9520 bytes Desc: not available URL: From ayoung at redhat.com Thu Nov 11 17:23:55 2010 
From: ayoung at redhat.com (Adam Young) Date: Thu, 11 Nov 2010 12:23:55 -0500 Subject: [Freeipa-devel] [PATCH] HBAC Services In-Reply-To: <4CDB28A4.90206@redhat.com> References: <4CDB28A4.90206@redhat.com> Message-ID: <4CDC26AB.1030605@redhat.com> On 11/10/2010 06:20 PM, Endi Sukma Dewata wrote: > Hi, > > Please review the attached patch. Thanks! > > https://fedorahosted.org/reviewboard/r/104/ > > The HBAC Service search and details pages have been added under the > HBAC tab. This requires some changes to the framework. > > Currently the navigation framework doesn't support multiple entities > under one tab. As a temporary solution, an 'entity' URL parameter is > used to determine the entity to be displayed. This parameter is now > only used by the HBAC tab, but its use might be expanded later. The > navigation framework needs to be redesigned to provide more flexibility. > > The search page in all entities except DNS records has been changed > to use the ipa_search_widget. The Select/Unselect All checkbox and > Delete button now work correctly and consistently. > > The Add dialog has been enhanced to render and work in a more > consistent way while still supporting custom widgets & layouts. For > the search page, the Add button will refresh the search results and > clear the fields in the dialog box. > > The framework now provides some extension points which can be > overridden by the subclasses: > - init(): for initialization and configuration > - create(): for creating the layout dynamically or from template > - setup(): for setting the look and feel > - load(): for loading the data > > Entity and facet initialization is now done after IPA.init(). This is > to ensure the metadata is loaded first so the entities and facets can > use localized messages/labels/titles. > > The group entity has been partially converted to use the new framework. > > The unit tests have been updated accordingly.
ACK, pushed to master -------------- next part -------------- An HTML attachment was scrubbed... URL: From ayoung at redhat.com Thu Nov 11 17:24:17 2010 From: ayoung at redhat.com (Adam Young) Date: Thu, 11 Nov 2010 12:24:17 -0500 Subject: [Freeipa-devel] [PATCH] HBAC Service Groups In-Reply-To: <4CDB4B03.5080005@redhat.com> References: <4CDB4B03.5080005@redhat.com> Message-ID: <4CDC26C1.8020607@redhat.com> On 11/10/2010 08:46 PM, Endi Sukma Dewata wrote: > Hi, > > Please review the attached patch. This patch requires my patch #28 > (HBAC Services). Thanks! > > The HBAC Service Groups search, details, and association pages have > been added under the HBAC tab. > > New test data files for HBAC Service Groups have been added. The sample > metadata has been updated as well. ACK, pushed to master -------------- next part -------------- An HTML attachment was scrubbed... URL: From ayoung at redhat.com Thu Nov 11 17:32:53 2010
From: ayoung at redhat.com (Adam Young) Date: Thu, 11 Nov 2010 12:32:53 -0500 Subject: [Freeipa-devel] HBAC Service & Service Group test data In-Reply-To: <4CDC2638.7040601@redhat.com> References: <4CDB297C.6010109@redhat.com> <4CDB4467.4010506@redhat.com> <4CDC2638.7040601@redhat.com> Message-ID: <4CDC28C5.1040509@redhat.com> On 11/11/2010 12:22 PM, Endi Sukma Dewata wrote: > On 11/10/2010 7:18 PM, Adam Young wrote: >>> Please review the attached patch. This can be installed independently >>> from my patch #28 (HBAC Services). Thanks! >>> >>> https://fedorahosted.org/reviewboard/r/105/ > >> You want to make sure the hbac_show.json was built with the --rights >> param, otherwise you don't get the effective rights in the results. > > Attached is the new patch. I regenerated the show and mod files with > --all and --rights. Thanks! > Applied the diff on top of the old metadata patch and pushed. From rcritten at redhat.com Thu Nov 11 17:52:04 2010 
From: rcritten at redhat.com (Rob Crittenden) Date: Thu, 11 Nov 2010 12:52:04 -0500 Subject: [Freeipa-devel] Announcing FreeIPA v2 Server Alpha 5 Release Message-ID: <4CDC2D44.1010602@redhat.com> To all freeipa-interest, freeipa-users and freeipa-devel list members, The FreeIPA project team is pleased to announce the availability of the Alpha 5 release of freeIPA 2.0 server [1]. Binaries are available for F-12, F-13 and F-14. This alpha is a bug fix release over the previous alpha and includes a completely re-written UI. Please do not hesitate to share feedback, criticism or bugs with us on our mailing list: freeipa-users at redhat.com The changes in this release include:
- Dropped our PKCS#10 parser to use the one provided by python-nss
- Started enforcing that hosts must be resolvable before adding them (use --force if you really want to add them).
- Provide a reason when adding members to a group fails.
- Allow de-coupling of user private groups (group-detach).
- Support for ipa tool failover.
- Hosts are allowed to retrieve keytabs for their services.
- More configurable logging, see http://freeipa.org/page/IPAv2_config_files
- Add support for ldap:///self aci rules
- Use global time and size limit values when searching.
- Don't include passwords in log files.
- Work on F-14
- Make ipactl a lot smarter and add a man page for it.
- Have certmonger track the IPA service certificates.
- Initial support for SUDO. You can create the objects but the client-side is not done yet.
- The delete commands now take multiple arguments: ipa user-del user1 user2 user3 ... usern
- Remove reliance on 'admin' as a special user. All access control now granted via groups.
- Groups are now created as POSIX by default.
- Add options to control NTLM hashes. By default LM hash is disabled.
- Remove the correct password from the history. We were mistakenly removing the latest password from the history instead of the oldest.
- Rename user-lock and user-unlock to user-enable and user-disable.
- The ipa command should return non-zero when something fails.
- Add gettext support for the C utilities.
- Add capability to import automount files.
- Add basic support for user and group renames (more work is needed). For now use ipa user-mod --setattr uid=newuser olduser
- Add flag to group-find to only search on private groups.
- Set default python encoding to utf-8. This should resolve a number of i18n problems.
- Show indirect members (of groups, hostgroups, netgroups, etc).
- Remove group nesting from the HBAC service groups.
- Implement nested netgroups.
- Add basic support for Kerberos lockout policy. You can control how many failed attempts are allowed before lockout. What is missing is a way to unlock a user. This depends on fixes from MIT Kerberos 1.9.
- Correct handling of userCategory and hostCategory in netgroups.
- Updated a lot of man pages.
Known issues:
- dogtag does not work out-of-the-box on Fedora 14. To fix it for the time being run: # ln -s /usr/share/java/xalan-j2-serializer.jar /usr/share/tomcat5/common/lib/xalan-j2-serializer.jar
rob [1] http://www.freeipa.org/page/Downloads From dpal at redhat.com Thu Nov 11 22:21:54 2010
From: dpal at redhat.com (Dmitri Pal) Date: Thu, 11 Nov 2010 17:21:54 -0500 Subject: [Freeipa-devel] [PATCH] Set CACERTDIR during install to work around openldap bug In-Reply-To: <20101111133735.GA12653@zeppelin.brq.redhat.com> References: <4CDADABF.4040906@redhat.com> <4CDAE062.1050900@redhat.com> <20101111081033.1e6580d3@willson.li.ssimo.org> <20101111133735.GA12653@zeppelin.brq.redhat.com> Message-ID: <4CDC6C82.9070906@redhat.com> Jakub Hrozek wrote: > On Thu, Nov 11, 2010 at 08:10:33AM -0500, Simo Sorce wrote: > >> On Wed, 10 Nov 2010 19:11:46 +0100 >> Jakub Hrozek wrote: >> >> >>> -----BEGIN PGP SIGNED MESSAGE----- >>> Hash: SHA1 >>> >>> On 11/10/2010 06:47 PM, Jakub Hrozek wrote: >>> >>>> Please see attachment. The right fix would be to fix this in >>>> openldap, but I think we should have a workaround, at least for the >>>> time being. Much of the credit goes to Jan who helped me debug the >>>> issue. >>>> >>> Sorry, the first patch had a small bug. New one attached. >>> >> Jakub, I am surprised, I have the current code working on F14 w/o >> issues, why do you need to set also the CACERTDIR ? >> >> Simo. >> > > What does your /etc/openldap/ldap.conf look like? On both of my test machines > (one of them F13, the other one F14) it contains: > > --- > URI ldap://127.0.0.1/ > BASE dc=example,dc=com > TLS_CACERTDIR /etc/openldap/cacerts > --- > > I don't recall setting it manually, though... I suspect some package > scriptlet or authconfig... dunno yet. > > With the above setting, installation on F14 fails for me during the very > last step: > > --- > Unable to set admin password Command '/usr/bin/ldappasswd -h > vm-061.idm.lab.bos.redhat.com -ZZ -x -D cn=Directory Manager -y > /var/lib/ipa/tmpWn1lsN -T /var/lib/ipa/tmp_7938z > uid=admin,cn=users,cn=accounts,dc=idm,dc=lab,dc=bos,dc=redhat,dc=com' > returned non-zero exit status 1 > --- > > When I ran ldappasswd with "-d -1", I could see TLS errors and > ldappasswd opened only /etc/openldap/cacerts. 
> > Seeing the ldappasswd invocation working on F13 and not F14, I suspect that > CACERTDIR erroneously takes precedence over CACERT (maybe something to > do with the switch to NSS?). Putting CACERTDIR into the environment > fixed the issue for me.. > > > Jakub > > _______________________________________________ > Freeipa-devel mailing list > Freeipa-devel at redhat.com > https://www.redhat.com/mailman/listinfo/freeipa-devel > > > Can it be that Jakub has it because of the Fedora test date for the openLDAP? -- Thank you, Dmitri Pal Sr. Engineering Manager IPA project, Red Hat Inc. ------------------------------- Looking to carve out IT costs? www.redhat.com/carveoutcosts/ From ssorce at redhat.com Fri Nov 12 00:51:23 2010 From: ssorce at redhat.com (Simo Sorce) Date: Thu, 11 Nov 2010 19:51:23 -0500 Subject: [Freeipa-devel] [PATCH] 0011 Change DNA configuration to use shared configuration Message-ID: <20101111195123.517010ad@willson.li.ssimo.org> With this patch 2 changes are introduced.
1. idranges are unified, the --uidstart and --gidstart options are removed and instead --idstart and --idmax are provided at install time. This is a prerequisite to simplify configuration for the next change.
2. DNA is configured to share range configurations among multiple masters now. When replicas are installed an invalid range is configured so that they are forced to contact another peer as soon as someone tries to create a user/group on that master. The replica will get a part of the available range from the peer for its use.
Simo. -- Simo Sorce * Red Hat, Inc * New York -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-simo-0011-id-ranges-change-DNA-configuration.patch Type: text/x-patch Size: 15049 bytes Desc: not available URL: From ayoung at redhat.com Fri Nov 12 01:30:06 2010 
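To make the range hand-off Simo describes concrete, here is an added toy model written for this page; it is not FreeIPA or 389-ds DNA plugin code. Two masters share one ID range; a replica starts with no valid range at all and, on its first allocation, takes part of a peer's unused range. The hand-over policy (the donor keeps the lower half of what it has left and gives away the upper half), the refusal when a single ID remains, and the class and method names are assumptions of the illustration, not the plugin's real protocol.

```python
class RangeExhausted(Exception):
    """No master in the topology has IDs left to hand out."""


class Master:
    """A toy DNA master holding one contiguous block of the shared ID range.

    A freshly installed replica is created with no block at all (the
    "invalid range" in the description above), so its first allocation is
    forced to go and ask a peer for IDs.
    """

    def __init__(self, name, low=None, high=None):
        self.name = name
        self.low = low          # first ID of this master's block (None = invalid range)
        self.high = high        # last ID of this master's block, inclusive
        self.next_id = low      # next unused ID inside the block

    def available(self):
        """How many IDs this master can still allocate from its own block."""
        if self.low is None:
            return 0
        return self.high - self.next_id + 1

    def transfer_to(self, requester):
        """Give the upper half of the unused IDs to a peer that ran out.

        Assumed policy for the illustration: keep the lower half, hand over
        the upper half, and refuse if only one ID is left so the donor is
        not emptied by the request.
        """
        avail = self.available()
        if avail < 2:
            return False
        give = avail // 2
        requester.low = self.high - give + 1
        requester.high = self.high
        requester.next_id = requester.low
        self.high = self.high - give
        return True

    def allocate(self, peers):
        """Return the next unique ID, fetching a block from a peer if needed."""
        if self.available() == 0:
            for peer in peers:
                if peer.transfer_to(self):
                    break
            else:
                raise RangeExhausted("%s: no peer has IDs to share" % self.name)
        value = self.next_id
        self.next_id += 1
        return value


def demo():
    """Two masters: 'first' owns 1000-1019, 'replica' starts with no range."""
    first = Master("first", 1000, 1019)
    replica = Master("replica")
    order = []
    # Creating the first user on the replica triggers the hand-off.
    order.append(("replica", replica.allocate([first])))
    order.append(("first", first.allocate([replica])))
    return first, replica, order


if __name__ == "__main__":
    first, replica, order = demo()
    print("first   owns %d-%d" % (first.low, first.high))
    print("replica owns %d-%d" % (replica.low, replica.high))
    print(order)
```

Run it and the replica's first request splits the donor's block in two (1000-1009 stays with the first master, 1010-1019 moves to the replica); allocations then proceed on each master independently until both blocks are used up, at which point a further request fails rather than reusing an ID.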
From: ayoung at redhat.com (Adam Young) Date: Thu, 11 Nov 2010 20:30:06 -0500 Subject: [Freeipa-devel] [PATCH] admiyo-0081-layout Message-ID: <4CDC989E.4050005@redhat.com> Incremental stylesheet and layout changes. -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-admiyo-0081-layout.patch Type: text/x-patch Size: 12099 bytes Desc: not available URL: From jhrozek at redhat.com Fri Nov 12 08:56:02 2010 From: jhrozek at redhat.com (Jakub Hrozek) Date: Fri, 12 Nov 2010 09:56:02 +0100 Subject: [Freeipa-devel] [PATCH] Set CACERTDIR during install to work around openldap bug In-Reply-To: <4CDC6C82.9070906@redhat.com> References: <4CDADABF.4040906@redhat.com> <4CDAE062.1050900@redhat.com> <20101111081033.1e6580d3@willson.li.ssimo.org> <20101111133735.GA12653@zeppelin.brq.redhat.com> <4CDC6C82.9070906@redhat.com> Message-ID: <20101112085601.GA30214@zeppelin.brq.redhat.com> On Thu, Nov 11, 2010 at 05:21:54PM -0500, Dmitri Pal wrote: > Can it be that Jakub has it because of the Fedora test date for the > openLDAP? Jan and I hit the issue independently on two separate clean installs of an F14 VM. The only reason Adam and Simo did not see the issue was because whatever changed our /etc/openldap/ldap.conf did not run on their system. FWIW, I filed the two issues here: https://bugzilla.redhat.com/show_bug.cgi?id=652304 https://bugzilla.redhat.com/show_bug.cgi?id=652315 Jakub From jzeleny at redhat.com Fri Nov 12 13:10:06 2010 
From: jzeleny at redhat.com (Jan Zeleny) Date: Fri, 12 Nov 2010 14:10:06 +0100 Subject: [Freeipa-devel] [PATCH] 0001 Ensure that Apache is running in Prefork mode In-Reply-To: <4CDB26F1.1040905@redhat.com> References: <201011021617.20977.jzeleny@redhat.com> <201011081107.21728.jzeleny@redhat.com> <4CDB26F1.1040905@redhat.com> Message-ID: <201011121410.06832.jzeleny@redhat.com> Rob Crittenden wrote: > Jan Zelený wrote: > > Rob Crittenden wrote: > >> Jan Zelený wrote: > >>> I tried one other solution, but this approach was recommended to me by > >>> Pavel. It seems to be working fine. If you don't agree with the concept > >>> (detection per request), I can present you the original one. > >>> > >>> https://fedorahosted.org/freeipa/ticket/252 > >>> > >>> Jan > >> > >> nack. I think we need some logging to say "IPA does not work with the > >> threaded MPM, use the pre-fork MPM" or something like that. > >> > >> Otherwise it is going to silently fail and users will have no idea why. > > > > I added logging as you requested. I'm still not quite sure how the > > logging works exactly, but as I understand it, this way it should be ok. > > > > Jan > > nack, I can still run httpd.worker and serve IPA requests. > > We do things to the environment so we need to be sure that each request > is isolated from all others which is why we want to run in multi-process > mode. > > rob I based that patch on the WSGI specification, which says: "This value should evaluate true if the application object may be simultaneously invoked by another thread in the same process, and should evaluate false otherwise." I didn't realize that this condition may be evaluated as false even when running multiple threads. That means I have to abandon this approach and try the original one. I'm going to sync the patch I have prepared with the current HEAD and I'll send it ASAP. Jan From ssorce at redhat.com Fri Nov 12 17:06:06 2010 
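As an added illustration of the point Rob makes in the exchange above (this is example code written for this page, not the patch under review or FreeIPA code): `wsgi.multithread` only reports what the WSGI container was configured to do, so an application that mutates process-wide state should also verify the process it is actually running in. The middleware below combines the WSGI flag with the process's real thread count read from /proc (a Linux assumption), treats a missing flag as unsafe, and refuses the request with the log message Rob asked for instead of silently serving it from a threaded worker. The function names, the /proc path and the "exactly one thread" threshold are assumptions of the example.

```python
import os
import threading


def process_thread_count(task_dir="/proc/self/task"):
    """Number of kernel threads in this process.

    On Linux every thread of the process has a directory under
    /proc/self/task. Where /proc is unavailable, fall back to Python's own
    count, which only knows about threads started through `threading`.
    """
    try:
        return len(os.listdir(task_dir))
    except OSError:
        return threading.active_count()


def request_is_isolated(environ, thread_count=None):
    """True only if no other request can share this process with us.

    Two independent conditions must hold: the container must not advertise
    threading through wsgi.multithread (a missing key is treated as
    threaded, i.e. fail closed), and the process must really consist of a
    single thread, which is what a prefork httpd child looks like.
    """
    if environ.get("wsgi.multithread", True):
        return False
    if thread_count is None:
        thread_count = process_thread_count()
    return thread_count == 1


def require_prefork(app, log=None):
    """WSGI middleware that refuses to run `app` from a threaded process.

    `log` is any callable accepting a message (for example a
    logging.Logger's .error); it is called before the request is rejected
    so the failure is visible to the administrator instead of silent.
    """
    message = ("IPA does not work with the threaded MPM; "
               "run httpd with the prefork MPM")

    def wrapper(environ, start_response):
        if not request_is_isolated(environ):
            if log is not None:
                log(message)
            start_response("500 Internal Server Error",
                           [("Content-Type", "text/plain")])
            return [message.encode("utf-8")]
        return app(environ, start_response)

    return wrapper
```

Wrap the real application once at import time, `application = require_prefork(application, log=logger.error)`; a request served from a process with more than one thread then returns a 500 with an explicit message rather than proceeding with shared environment state.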
From: ssorce at redhat.com (Simo Sorce) Date: Fri, 12 Nov 2010 12:06:06 -0500 Subject: [Freeipa-devel] [PATCH] 0012 Fix #401 test.po creation fails in make test Message-ID: <20101112120606.60990bef@willson.li.ssimo.org> This patch fixes the errors caused by the creation of test.po in make test_lang under /install/po. It seems make test has regressed though because as a whole it fails later on with various errors. So this patch strictly fixes only bug #401. Simo. -- Simo Sorce * Red Hat, Inc * New York -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-simo-0012-Fix-test.po-errors-in-make-test.patch Type: text/x-patch Size: 983 bytes Desc: not available URL: From rcritten at redhat.com Fri Nov 12 22:25:25 2010 From: rcritten at redhat.com (Rob Crittenden) Date: Fri, 12 Nov 2010 17:25:25 -0500 Subject: [Freeipa-devel] [PATCH] 610 don't include internal commands in help In-Reply-To: <20101111113016.GA2596@zeppelin.brq.redhat.com> References: <4CDB143E.3030304@redhat.com> <20101111113016.GA2596@zeppelin.brq.redhat.com> Message-ID: <4CDDBED5.8070204@redhat.com> Jakub Hrozek wrote: > On Wed, Nov 10, 2010 at 04:53:02PM -0500, Rob Crittenden wrote: >> Don't include internal commands in `ipa help commands` output. >> >> https://fedorahosted.org/freeipa/ticket/463 >> >> rob > > With this patch, commands like "cos*" or "batch" don't show up with "ipa > help commands" > > -> ACK This was pushed to master rob From rcritten at redhat.com Fri Nov 12 22:26:28 2010 
From: rcritten at redhat.com (Rob Crittenden) Date: Fri, 12 Nov 2010 17:26:28 -0500 Subject: [Freeipa-devel] [PATCH] 611 increase default username len In-Reply-To: <20101111123559.GA3397@zeppelin.brq.redhat.com> References: <4CDB1DBB.1060805@redhat.com> <20101111123559.GA3397@zeppelin.brq.redhat.com> Message-ID: <4CDDBF14.5030509@redhat.com> Jakub Hrozek wrote: > On Wed, Nov 10, 2010 at 05:33:31PM -0500, Rob Crittenden wrote: >> Increase default username length to 32 and max for users and groups to 255. >> >> rob > > Adding users with usernames longer than 8 characters works OK until the > limit of 32 at which point I got: > > ipa: ERROR: invalid 'uid': can be at most 32 characters > > ->ACK pushed to master From rcritten at redhat.com Fri Nov 12 22:27:01 2010 From: rcritten at redhat.com (Rob Crittenden) Date: Fri, 12 Nov 2010 17:27:01 -0500 Subject: [Freeipa-devel] [PATCH] 605 use diff user for dogtag DS instance In-Reply-To: <20101111124848.GA24073@zeppelin.brq.redhat.com> References: <4CD820DE.9030800@redhat.com> <20101111124848.GA24073@zeppelin.brq.redhat.com> Message-ID: <4CDDBF35.4030307@redhat.com> Jakub Hrozek wrote: > On Mon, Nov 08, 2010 at 11:10:06AM -0500, Rob Crittenden wrote: >> Use a different user for the dogtag DS instance. This prevents an >> error during uninstall of trying to remove the dirsrv user when the >> dogtag DS instance is removed. >> >> I also added an ipactl stop to the beginning of the uninstall >> process. We will try to stop each service individually during >> uninstall but stopping them all first is cleaner. It's how I've been >> uninstalling for months now anything (ipactl stop && >> ipa-server-install --uninstall -U). >> >> ticket https://fedorahosted.org/freeipa/ticket/349 >> >> rob > > I tested this only on F13, as installing the CA on F14 currently doesn't > work, but seems to work OK there. > > Ack pushed to master From ayoung at redhat.com Sun Nov 14 02:02:12 2010 
From: ayoung at redhat.com (Adam Young) Date: Sat, 13 Nov 2010 21:02:12 -0500 Subject: [Freeipa-devel] [PATCH] admiyo-0082-more-css-cleanup Message-ID: <4CDF4324.2000501@redhat.com> -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-admiyo-0082-more-css-cleanup.patch Type: text/x-patch Size: 13035 bytes Desc: not available URL: From ayoung at redhat.com Sun Nov 14 02:03:07 2010 From: ayoung at redhat.com (Adam Young) Date: Sat, 13 Nov 2010 21:03:07 -0500 Subject: [Freeipa-devel] admiyo-0083-super-to-superior Message-ID: <4CDF435B.2070203@redhat.com> super is a keyword in JavaScript. This removes a syntax error that shows up on some browsers. -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-admiyo-0083-super-to-superior.patch Type: text/x-patch Size: 22847 bytes Desc: not available URL: From ayoung at redhat.com Sun Nov 14 02:35:14 2010 From: ayoung at redhat.com (Adam Young) Date: Sat, 13 Nov 2010 21:35:14 -0500 Subject: [Freeipa-devel] admiyo-0084-buttons-to-action-panel Message-ID: <4CDF4AE2.8010005@redhat.com> -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-admiyo-0084-buttons-to-action-panel.patch Type: text/x-patch Size: 5595 bytes Desc: not available URL: From ayoung at redhat.com Sun Nov 14 02:39:03 2010 
From: ayoung at redhat.com (Adam Young) Date: Sat, 13 Nov 2010 21:39:03 -0500 Subject: [Freeipa-devel] admiyo-0084-buttons-to-action-panel In-Reply-To: <4CDF4AE2.8010005@redhat.com> References: <4CDF4AE2.8010005@redhat.com> Message-ID: <4CDF4BC7.9080002@redhat.com> On 11/13/2010 09:35 PM, Adam Young wrote: > > > _______________________________________________ > Freeipa-devel mailing list > Freeipa-devel at redhat.com > https://www.redhat.com/mailman/listinfo/freeipa-devel As soon as I posted this, I saw an error. This version fixes the broken 'add' button. -------------- next part -------------- An HTML attachment was scrubbed... URL: -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-admiyo-0084-2-buttons-to-action-panel.patch Type: text/x-patch Size: 5286 bytes Desc: not available URL: From edewata at redhat.com Sun Nov 14 03:09:19 2010 From: edewata at redhat.com (Endi Sukma Dewata) Date: Sat, 13 Nov 2010 21:09:19 -0600 Subject: [Freeipa-devel] admiyo-0084-buttons-to-action-panel In-Reply-To: <4CDF4BC7.9080002@redhat.com> References: <4CDF4AE2.8010005@redhat.com> <4CDF4BC7.9080002@redhat.com> Message-ID: <4CDF52DF.5070303@redhat.com> On 11/13/2010 8:39 PM, Adam Young wrote: >> > As soon as I posted this, I saw an error. This version fixes the broken > 'add' button. ACK and pushed 81, 82, 83, and 84-2 to master. -- Endi S. Dewata From edewata at redhat.com Sun Nov 14 04:14:05 2010 
From: edewata at redhat.com (Endi Sukma Dewata) Date: Sat, 13 Nov 2010 22:14:05 -0600 Subject: [Freeipa-devel] [PATCH] HBAC details page enhancement Message-ID: <4CDF620D.8010901@redhat.com> Hi, Please review the attached patch. Thanks! https://fedorahosted.org/reviewboard/r/107/ The HBAC details page has been enhanced to support Undo and Reset operations. The functionality is implemented in the base widget class so the behavior will be more consistent across widgets. A tag is now used to define the field boundary in the HTML doc. The tag contains the visual representation of the field, which includes the input tag and optionally the undo link. The Update method on the HBAC details page has been modified so that it executes several operations using a batch command. The operations being executed depend on the changes made to the fields. These operations may include:
- removing access time if access time is changed to any time
- removing memberships if member category is changed to all
- modifying rule attributes if description or rule type is changed
- enabling/disabling the rule if rule status is changed
The behavior of the Add & Remove buttons has also been changed such that it adjusts the category attribute properly in addition to adding the memberships using a batch command. For example, if category is initially set to all, adding a new member will also change the category to empty. The ipa_command has been modified to store the on_success and on_error handlers as properties. When the command is executed as part of a batch operation, the result of each command will be passed to the appropriate handler. The unit tests and test data have been updated as well. -- Endi S. Dewata -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-edewata-0031-HBAC-details-page-enhancement.patch Type: text/x-patch Size: 119285 bytes Desc: not available URL: From jzeleny at redhat.com Mon Nov 15 10:21:11 2010 
From: jzeleny at redhat.com (Jan Zelený) Date: Mon, 15 Nov 2010 11:21:11 +0100 Subject: [Freeipa-devel] [PATCH] 0001 Ensure that Apache is running in Prefork mode In-Reply-To: <201011121410.06832.jzeleny@redhat.com> References: <201011021617.20977.jzeleny@redhat.com> <4CDB26F1.1040905@redhat.com> <201011121410.06832.jzeleny@redhat.com> Message-ID: <201011151121.12250.jzeleny@redhat.com> Jan Zeleny wrote: > Rob Crittenden wrote: > > Jan Zelený wrote: > > > Rob Crittenden wrote: > > >> Jan Zelený wrote: > > >>> I tried one other solution, but this approach was recommended to me > > >>> by Pavel. It seems to be working fine. If you don't agree with the > > >>> concept (detection per request), I can present you the original one. > > >>> > > >>> https://fedorahosted.org/freeipa/ticket/252 > > >>> > > >>> Jan > > >> > > >> nack. I think we need some logging to say "IPA does not work with the > > >> threaded MPM, use the pre-fork MPM" or something like that. > > >> > > >> Otherwise it is going to silently fail and users will have no idea > > >> why. > > > > > > I added logging as you requested. I'm still not quite sure how the > > > logging works exactly, but as I understand it, this way it should be ok. > > > > > > Jan > > > > nack, I can still run httpd.worker and serve IPA requests. > > > > We do things to the environment so we need to be sure that each request > > is isolated from all others which is why we want to run in multi-process > > mode. > > > > rob > > I based that patch on the WSGI specification, which says: > > "This value should evaluate true if the application object may be > simultaneously invoked by another thread in the same process, and should > evaluate false otherwise." > > I didn't realize that this condition may be evaluated as false even when > running multiple threads. > > That means I have to abandon this approach and try the original one. 
I'm > going to sync the patch I have prepared with the current HEAD and I'll > send it ASAP. Ok, so I've hit a small complication and I had to update the patch, so the detection is as robust as possible. This patch is working in Fedora environment, where the packaging of httpd is ... well ... strange at least. The only situation it isn't handling 100% well is the case when 2 different Apache servers are running. But since that's not common case and I can't think of a way to detect which instance is running current WSGI script, the script just doesn't allow such situation. Jan -------------- next part -------------- A non-text attachment was scrubbed... Name: jzeleny-freeipa-0001-03-Ensure-that-Apache-is-running-with-MPM-Prefork.patch Type: text/x-patch Size: 2127 bytes Desc: not available URL: From jhrozek at redhat.com Mon Nov 15 11:53:22 2010 From: jhrozek at redhat.com (Jakub Hrozek) Date: Mon, 15 Nov 2010 12:53:22 +0100 Subject: [Freeipa-devel] [PATCH] Do not create reverse zone by default Message-ID: <20101115115320.GA19666@zeppelin.brq.redhat.com> Prompt for creation of reverse zone, with the default for unattended installations being False. https://fedorahosted.org/freeipa/ticket/418 -- Jakub Hrozek Red Hat -------------- next part -------------- >From 2e54c194bd40d59e7bf2625dd2beb6cb42cbd4bd Mon Sep 17 00:00:00 2001 From: Jakub Hrozek Date: Thu, 11 Nov 2010 19:27:27 +0100 Subject: [PATCH] Do not create reverse zone by default Prompt for creation of reverse zone, with the default for unattended installations being False. https://fedorahosted.org/freeipa/ticket/418 --- install/tools/ipa-dns-install | 3 ++- install/tools/ipa-replica-install | 3 ++- install/tools/ipa-server-install | 3 ++- ipaserver/install/bindinstance.py | 12 ++++++++++-- 4 files changed, 16 insertions(+), 5 deletions(-) diff --git a/install/tools/ipa-dns-install b/install/tools/ipa-dns-install index 5604931..bf6679e 100755 --- a/install/tools/ipa-dns-install 
+++ b/install/tools/ipa-dns-install @@ -161,7 +161,8 @@ def main(): # Create a BIND instance bind = bindinstance.BindInstance(fstore, dm_password) - bind.setup(api.env.host, ip_address, api.env.realm, api.env.domain, dns_forwarders, conf_ntp, zonemgr=options.zonemgr) + create_reverse = bindinstance.create_reverse(options.unattended) + bind.setup(api.env.host, ip_address, api.env.realm, api.env.domain, dns_forwarders, conf_ntp, create_reverse, zonemgr=options.zonemgr) api.Backend.ldap2.connect(bind_dn="cn=Directory Manager", bind_pw=dm_password) bind.create_instance() diff --git a/install/tools/ipa-replica-install b/install/tools/ipa-replica-install index e4aae4a..2fee483 100755 --- a/install/tools/ipa-replica-install +++ b/install/tools/ipa-replica-install @@ -223,8 +223,9 @@ def install_bind(config, options): forwarders = () bind = bindinstance.BindInstance(dm_password=config.dirman_password) ip_address = resolve_host(config.host_name) + create_reverse = bindinstance.create_reverse(options.unattended) bind.setup(config.host_name, ip_address, config.realm_name, - config.domain_name, forwarders, options.conf_ntp) + config.domain_name, forwarders, options.conf_ntp, create_reverse) bind.create_instance() def check_dirsrv(): diff --git a/install/tools/ipa-server-install b/install/tools/ipa-server-install index f0c7a17..a709e18 100755 --- a/install/tools/ipa-server-install +++ b/install/tools/ipa-server-install @@ -763,7 +763,8 @@ def main(): # Create a BIND instance bind = bindinstance.BindInstance(fstore, dm_password) - bind.setup(host_name, ip_address, realm_name, domain_name, dns_forwarders, options.conf_ntp, zonemgr=options.zonemgr) + create_reverse = bindinstance.create_reverse(options.unattended) + bind.setup(host_name, ip_address, realm_name, domain_name, dns_forwarders, options.conf_ntp, create_reverse, zonemgr=options.zonemgr) if options.setup_dns: api.Backend.ldap2.connect(bind_dn="cn=Directory Manager", bind_pw=dm_password) 
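Review bot: in the ipa-server-install hunk the reverse-zone question is asked before the `if options.setup_dns:` check that immediately follows it, so an interactive install that is not setting up DNS at all is still prompted with "Do you want to configure the reverse zone?". Move `create_reverse = bindinstance.create_reverse(options.unattended)` under the setup_dns condition, or pass False when DNS is not being installed, so the prompt only appears when a BIND instance will actually be created.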
diff --git a/ipaserver/install/bindinstance.py b/ipaserver/install/bindinstance.py index 4e63e7e..ec74564 100644 --- a/ipaserver/install/bindinstance.py +++ b/ipaserver/install/bindinstance.py @@ -58,6 +58,11 @@ def check_inst(unattended): return True +def create_reverse(unattended): + if unattended: + return False + return ipautil.user_input("Do you want to configure the reverse zone?", False) + def dns_container_exists(fqdn, realm): """ Test whether the dns container exists. @@ -200,13 +205,14 @@ class BindInstance(service.Service): self.realm = None self.forwarders = None self.sub_dict = None + self.create_reverse = False if fstore: self.fstore = fstore else: self.fstore = sysrestore.FileStore('/var/lib/ipa/sysrestore') - def setup(self, fqdn, ip_address, realm_name, domain_name, forwarders, ntp, named_user="named", zonemgr=None): + def setup(self, fqdn, ip_address, realm_name, domain_name, forwarders, ntp, create_reverse, named_user="named", zonemgr=None): self.named_user = named_user self.fqdn = fqdn self.ip_address = ip_address @@ -216,6 +222,7 @@ class BindInstance(service.Service): self.host = fqdn.split(".")[0] self.suffix = util.realm_to_suffix(self.realm) self.ntp = ntp + self.create_reverse = create_reverse if zonemgr: self.zonemgr = zonemgr.replace('@','.') @@ -247,7 +254,8 @@ class BindInstance(service.Service): if not dns_container_exists(self.fqdn, self.suffix): self.step("adding DNS container", self.__setup_dns_container) self.step("setting up our zone", self.__setup_zone) - self.step("setting up reverse zone", self.__setup_reverse_zone) + if self.create_reverse: + self.step("setting up reverse zone", self.__setup_reverse_zone) self.step("setting up kerberos principal", self.__setup_principal) self.step("setting up named.conf", self.__setup_named_conf) -- 1.7.3.2 From jhrozek at redhat.com Mon Nov 15 11:56:58 2010 
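Review bot: `create_reverse(unattended)` returns False for every unattended run and no option is added to ask for a reverse zone, so scripted installs (ipa-server-install -U, ipa-replica-install -U, ipa-dns-install -U) silently lose the reverse zone they used to get, with no way to request it. Add a pair of flags such as --reverse-zone/--no-reverse-zone (names are a suggestion), consult them first, and only fall back to `ipautil.user_input(...)` when neither is given and the install is interactive.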
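Review bot: in the `setup()` hunk, `create_reverse` is inserted as a required positional parameter ahead of `named_user` and `zonemgr`. Any caller this patch does not touch that passes `named_user` positionally will now have that string land in `create_reverse`, where `if self.create_reverse:` treats it as true, with no error raised. Safer is to append it as a keyword parameter, `create_reverse=False`, after the existing ones and have the three updated call sites pass it by name.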
From: jhrozek at redhat.com (Jakub Hrozek) Date: Mon, 15 Nov 2010 12:56:58 +0100 Subject: [Freeipa-devel] [PATCH] Make the migration plugin more configurable Message-ID: <20101115115657.GB19666@zeppelin.brq.redhat.com> This patch adds new options to the migration plugin: * the option to fine-tune the objectclass of users or groups being * imported * the option to select the LDAP schema (RFC2307 or RFC2307bis) https://fedorahosted.org/freeipa/ticket/429 -------------- next part -------------- >From 88165ff6ea2d889150e8bdc882a7b6bec1ab0519 Mon Sep 17 00:00:00 2001 From: Jakub Hrozek Date: Tue, 26 Oct 2010 16:10:42 -0400 Subject: [PATCH] Make the migration plugin more configurable This patch adds new options to the migration plugin: * the option to fine-tune the objectclass of users or groups being imported * the option to select the LDAP schema (RFC2307 or RFC2307bis) https://fedorahosted.org/freeipa/ticket/429 --- ipalib/plugins/migration.py | 86 ++++++++++++++++++++++++++++++++++--------- 1 files changed, 68 insertions(+), 18 deletions(-) diff --git a/ipalib/plugins/migration.py b/ipalib/plugins/migration.py index 6dc9934..81e35e2 100644 --- a/ipalib/plugins/migration.py +++ b/ipalib/plugins/migration.py @@ -28,7 +28,7 @@ import logging import re from ipalib import api, errors, output -from ipalib import Command, List, Password, Str, Flag +from ipalib import Command, List, Password, Str, Flag, StrEnum from ipalib.cli import to_cli if api.env.in_server and api.env.context in ['lite', 'server']: try: 
@@ -44,8 +44,10 @@ from ipalib.text import Gettext # FIXME: remove once the other Gettext FIXME is _krb_err_msg = _('Kerberos principal %s already exists. Use \'ipa user-mod\' to set it manually.') _grp_err_msg = _('Failed to add user to the default group. Use \'ipa group-add-member\' to add manually.') +_supported_schemas = (u'RFC2307bis', u'RFC2307') -def _pre_migrate_user(ldap, pkey, dn, entry_attrs, failed, config, ctx): + +def _pre_migrate_user(ldap, pkey, dn, entry_attrs, failed, config, ctx, **kwargs): # get default primary group for new users if 'def_group_dn' not in ctx: def_group = config.get('ipadefaultprimarygroup') @@ -90,8 +92,8 @@ def _post_migrate_user(ldap, pkey, dn, entry_attrs, failed, config, ctx): # GROUP MIGRATION CALLBACKS AND VARS -def _pre_migrate_group(ldap, pkey, dn, entry_attrs, failed, config, ctx): - def convert_members(member_attr, overwrite=False): +def _pre_migrate_group(ldap, pkey, dn, entry_attrs, failed, config, ctx, **kwargs): + def convert_members_rfc2307bis(member_attr, overwrite=False): """ Convert DNs in member attributes to work in IPA. """ 
@@ -112,15 +114,36 @@ def _pre_migrate_group(ldap, pkey, dn, entry_attrs, failed, config, ctx): entry_attrs['member'] = [] entry_attrs['member'] += new_members + def convert_members_rfc2307(member_attr): + """ + Convert usernames in member attributes to work in IPA. + """ + new_members = [] + entry_attrs.setdefault(member_attr, []) + for m in entry_attrs[member_attr]: + memberdn = 'uid=%s,%s' % (m, api.env.container_user) + new_members.append(ldap.normalize_dn(memberdn)) + entry_attrs['member'] = new_members + + schema = kwargs.get('schema', None) entry_attrs['ipauniqueid'] = 'autogenerate' - convert_members('member', overwrite=True) - convert_members('uniquemember') + if schema == 'RFC2307bis': + convert_members_rfc2307bis('member', overwrite=True) + convert_members_rfc2307bis('uniquemember') + elif schema == 'RFC2307': + convert_members_rfc2307('memberuid') + else: + raise ValueError('Schema %s not supported' % schema) return dn # DS MIGRATION PLUGIN +def construct_filter(template, oc_list): + oc_subfilter = ''.join([ '(objectclass=%s)' % oc for oc in oc_list]) + return template % oc_subfilter + def validate_ldapuri(ugettext, ldapuri): m = re.match('^ldaps?://[-\w\.]+(:\d+)?$', ldapuri) if not m: @@ -152,14 +175,18 @@ class migrate_ds(Command): # # If pre_callback return value evaluates to False, migration # of the current object is aborted. - 'user': ( - '(&(objectClass=person)(uid=*))', - _pre_migrate_user, _post_migrate_user - ), - 'group': ( - '(&(|(objectClass=groupOfUniqueNames)(objectClass=groupOfNames))(cn=*))', - _pre_migrate_group, None - ), + 'user': { + 'filter_template' : '(&(|%s)(uid=*))', + 'oc_option' : 'userobjectclass', + 'pre_callback' : _pre_migrate_user, + 'post_callback' : _post_migrate_user + }, + 'group': { + 'filter_template' : '(&(|%s)(cn=*))', + 'oc_option' : 'groupobjectclass', + 'pre_callback' : _pre_migrate_group, + 'post_callback' : None + }, } migrate_order = ('user', 'group') 
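Review bot: in `convert_members_rfc2307`, the memberUid value `m` comes straight from the foreign directory and is interpolated unescaped into `'uid=%s,%s'`; a value containing `,`, `+` or `\` yields a DN that names a different entry than intended, so escape it per RFC 4514 before building the DN. Compare also with the search base built in the -276 hunk as `'%s,%s' % (container, ds_base_dn)`: the member DN here is built from `api.env.container_user` alone, so check that the IPA base DN is appended, otherwise the new member values will not resolve. The same escaping point applies to `construct_filter` in this hunk, where each `oc` taken from the new userobjectclass/groupobjectclass options goes into `(objectclass=%s)` without RFC 4515 filter escaping.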
@@ -196,6 +223,28 @@ class migrate_ds(Command): default=u'ou=groups', autofill=True, ), + List('userobjectclass?', + cli_name='user_objectclass', + label=_('User object class'), + doc=_('Comma-separated list of objectclasses used to search for user entries in DS'), + default=(u'person',), + autofill=True, + ), + List('groupobjectclass?', + cli_name='group_objectclass', + label=_('Group object class'), + doc=_('Comma-separated list of objectclasses used to search for group entries in DS'), + default=(u'groupOfUniqueNames', u'groupOfNames'), + autofill=True, + ), + StrEnum('schema?', + cli_name='schema', + label=_('LDAP schema'), + doc=_('The schema used on the LDAP server. Supported values are RFC2307 and RFC2307bis. The default is RFC2307bis'), + values=_supported_schemas, + default=_supported_schemas[0], + autofill=True, + ), Flag('continue?', doc=_('Continous operation mode. Errors are reported but the process continues'), default=False, @@ -276,7 +325,8 @@ can use their Kerberos accounts.''') for ldap_obj_name in self.migrate_order: ldap_obj = self.api.Object[ldap_obj_name] - search_filter = self.migrate_objects[ldap_obj_name][0] + search_filter = construct_filter(self.migrate_objects[ldap_obj_name]['filter_template'], + options[to_cli(self.migrate_objects[ldap_obj_name]['oc_option'])]) search_base = '%s,%s' % ( options['%scontainer' % to_cli(ldap_obj_name)], ds_base_dn ) @@ -319,11 +369,11 @@ can use their Kerberos accounts.''') ) ) - callback = self.migrate_objects[ldap_obj_name][1] + callback = self.migrate_objects[ldap_obj_name]['pre_callback'] if callable(callback): dn = callback( ldap, pkey, dn, entry_attrs, failed[ldap_obj_name], - config, context + config, context, schema = options['schema'] ) if not dn: continue 
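Review bot: in the -276 hunk, `options[to_cli(self.migrate_objects[ldap_obj_name]['oc_option'])]` indexes the options dict, which is keyed by parameter name, through `to_cli()`; it only works because 'userobjectclass' and 'groupobjectclass' contain no underscore. Index with the parameter name directly, `options[self.migrate_objects[ldap_obj_name]['oc_option']]`. In the -196 hunk the doc string for `schema?` hard-codes "The default is RFC2307bis" while the default is taken from `_supported_schemas[0]`; derive the text from the tuple or drop the sentence so the two cannot drift apart.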
@@ -335,7 +385,7 @@ can use their Kerberos accounts.''') else: migrated[ldap_obj_name].append(pkey) - callback = self.migrate_objects[ldap_obj_name][2] + callback = self.migrate_objects[ldap_obj_name]['post_callback'] if callable(callback): callback( ldap, pkey, dn, entry_attrs, failed[ldap_obj_name], -- 1.7.3.2 From jhrozek at redhat.com Mon Nov 15 12:04:54 2010 From: jhrozek at redhat.com (Jakub Hrozek) Date: Mon, 15 Nov 2010 13:04:54 +0100 Subject: [Freeipa-devel] [PATCH] 0012 Fix #401 test.po creation fails in make test In-Reply-To: <20101112120606.60990bef@willson.li.ssimo.org> References: <20101112120606.60990bef@willson.li.ssimo.org> Message-ID: <20101115120453.GC19666@zeppelin.brq.redhat.com> On Fri, Nov 12, 2010 at 12:06:06PM -0500, Simo Sorce wrote: > > This patch fixes the errors caused by the creation of test.po in make > test_lang under /install/po > > It seems make test has regressed though because as a whole it fails > later on with various errors. > > So this patch strictly fixes only bug #401. > > Simo. > This patch gets rid of error messages like: test.po:2636: `msgid' and `msgstr' entries do not both end with '\n' -> ACK From jhrozek at redhat.com Mon Nov 15 12:48:51 2010 
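Added example for Jakub's migration plugin patch earlier in this thread (illustrative code written for this page, not the plugin's own): the two member conversions the patch distinguishes, RFC 2307 (usernames in memberUid) and RFC 2307bis (DNs in member/uniqueMember), plus the objectclass filter construction, with every value that originates in the foreign directory or on the command line escaped per RFC 4514 (DN values) or RFC 4515 (filter values) before it is interpolated. The container and base DN strings, the sample entries and the function names are constructed for the illustration; the RFC 2307bis branch assumes the member DNs name users, as the patch does.

```python
# RFC 4515: characters that must be hex-escaped inside a filter assertion value.
_FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}
# RFC 4514: characters that must be backslash-escaped anywhere in an RDN value.
_DN_SPECIAL = set('"+,;<>\\')


def escape_filter_value(value):
    """Escape a value for use inside an LDAP search filter (RFC 4515)."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def escape_dn_value(value):
    """Escape an attribute value for use in a DN (RFC 4514)."""
    out = []
    last = len(value) - 1
    for i, ch in enumerate(value):
        if ch in _DN_SPECIAL:
            out.append("\\" + ch)
        elif ch == "\0":
            out.append("\\00")
        elif ch == " " and i in (0, last):
            out.append("\\ ")          # leading or trailing space
        elif ch == "#" and i == 0:
            out.append("\\#")          # leading hash
        else:
            out.append(ch)
    return "".join(out)


def construct_filter(template, oc_list):
    """Build the user/group search filter from a list of objectclass names."""
    sub = "".join("(objectclass=%s)" % escape_filter_value(oc) for oc in oc_list)
    return template % sub


def first_rdn(dn):
    """Return the first RDN of a DN, honouring backslash escapes."""
    out = []
    i = 0
    while i < len(dn):
        ch = dn[i]
        if ch == "\\" and i + 1 < len(dn):
            out.append(dn[i:i + 2])    # keep the escaped character as-is
            i += 2
            continue
        if ch == ",":
            break
        out.append(ch)
        i += 1
    return "".join(out)


def member_dn_to_ipa(foreign_dn, container, basedn):
    """RFC 2307bis: re-parent a member DN under the IPA user container."""
    return "%s,%s,%s" % (first_rdn(foreign_dn), container, basedn)


def memberuid_to_ipa(uid, container, basedn):
    """RFC 2307: turn a memberUid username into an IPA user DN."""
    return "uid=%s,%s,%s" % (escape_dn_value(uid), container, basedn)


def convert_members(entry_attrs, schema, container_user, basedn):
    """Populate entry_attrs['member'] from the schema-specific attributes."""
    if schema == "RFC2307bis":
        source = entry_attrs.get("member", []) + entry_attrs.get("uniquemember", [])
        members = [member_dn_to_ipa(dn, container_user, basedn) for dn in source]
    elif schema == "RFC2307":
        members = [memberuid_to_ipa(uid, container_user, basedn)
                   for uid in entry_attrs.get("memberuid", [])]
    else:
        raise ValueError("Schema %s not supported" % schema)
    entry_attrs["member"] = members
    return members


if __name__ == "__main__":
    # Constructed sample: a memberUid containing a comma and a filter
    # objectclass containing filter metacharacters.
    print(construct_filter("(&(|%s)(cn=*))", ["groupOfNames", "x)(uid=*"]))
    group = {"memberuid": ["alice", "b,ob"]}
    print(convert_members(group, "RFC2307", "cn=users,cn=accounts", "dc=example,dc=com"))
```

The point of the escaping is visible in the constructed sample: without it, the objectclass `x)(uid=*` would close the `(objectclass=...)` assertion and smuggle a second one into the search, and the username `b,ob` would become an RDN plus a bogus `ob` component instead of a single `uid` value.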
From: jhrozek at redhat.com (Jakub Hrozek) Date: Mon, 15 Nov 2010 13:48:51 +0100 Subject: [Freeipa-devel] [PATCH] 0010 change uuid plugin to use libuuid In-Reply-To: <20101111102115.7543fc91@willson.li.ssimo.org> References: <20101111102115.7543fc91@willson.li.ssimo.org> Message-ID: <20101115124850.GD19666@zeppelin.brq.redhat.com> On Thu, Nov 11, 2010 at 10:21:15AM -0500, Simo Sorce wrote: > > Directory Server guys decided not to expose internal uuid functions so > change the ipa uuid plugin to use libuuid. > The code looks OK and seems to work fine. > This changes the string format of the UUID records once again > unfortunately ... > I was about to ACK the patch, but I'm wondering, should I check some other parts of the server to see whether the new format does not break anything? I tested just with adding a user and checking the ipauniqueid: attribute looks good. Jakub From jhrozek at redhat.com Mon Nov 15 13:03:54 2010 From: jhrozek at redhat.com (Jakub Hrozek) Date: Mon, 15 Nov 2010 14:03:54 +0100 Subject: [Freeipa-devel] [PATCH] 609 Reduce the number of attributes a host is allowed to write. In-Reply-To: <4CDB0DBE.4020803@redhat.com> References: <4CDB0DBE.4020803@redhat.com> Message-ID: <20101115130352.GE19666@zeppelin.brq.redhat.com> On Wed, Nov 10, 2010 at 04:25:18PM -0500, Rob Crittenden wrote: > The list of attributes that a host bound as itself could write was > overly broad. > > A host can now only update its description, information about itself > such as OS release, etc, its certificate, password and keytab. > > https://fedorahosted.org/freeipa/ticket/416 > > rob Some of the changes in install/share/default-aci.ldif seem to not apply cleanly on top of the current master. Does this patch depend on another one? Jakub From jhrozek at redhat.com Mon Nov 15 13:17:28 2010 
From: jhrozek at redhat.com (Jakub Hrozek) Date: Mon, 15 Nov 2010 14:17:28 +0100 Subject: [Freeipa-devel] [PATCH] 602 verify --ip-address option during installation In-Reply-To: <4CD95FB8.70604@redhat.com> References: <4CD31ED0.5030403@redhat.com> <4CD92625.3090300@redhat.com> <4CD95FB8.70604@redhat.com> Message-ID: <20101115131725.GF19666@zeppelin.brq.redhat.com> On Tue, Nov 09, 2010 at 09:50:32AM -0500, Rob Crittenden wrote: > Jakub Hrozek wrote: > >-----BEGIN PGP SIGNED MESSAGE----- > >Hash: SHA1 > > > >On 11/04/2010 10:00 PM, Rob Crittenden wrote: > >>There was a corner case where the value of --ip-address was never > >>verified if you were also setting up DNS. > >> > >>Added this bit of information to the man page too. > >> > >>ticket 399 > >> > >>rob > >> > > > >Two questions: > >1) is it intended to quit without printing an error message if > >verify_ip() fails? > > verify_ip_address() prints the message. Ah, sorry. I didn't see that. > > >2) I don't quite understand the manpage part - it says "and --setup-dns > >is *not* selected" - but the code checks for "if options.setup_dns:" > > You can only override the public IP address setting if you are > setting up your own DNS server. Perhaps I should make the text say > that... I don't have any very strong feeling about it, but maybe it would be clearer. I can ack both patches :-) Jakub From jzeleny at redhat.com Mon Nov 15 13:24:13 2010 
From: jzeleny at redhat.com (Jan Zelený) Date: Mon, 15 Nov 2010 14:24:13 +0100 Subject: [Freeipa-devel] [PATCH] Modified ipa help behavior In-Reply-To: <4CDB5CA0.9020906@redhat.com> References: <201011080926.12248.jzeleny@redhat.com> <201011081054.00482.jzeleny@redhat.com> <4CDB5CA0.9020906@redhat.com> Message-ID: <201011151424.13468.jzeleny@redhat.com> Rob Crittenden wrote: > Jan Zelený wrote: > > Jan Zelený wrote: > >> Now each plugin can define its topic as a 2-tuple, where the first > >> item is the name of topic it belongs to and the second item is > >> a description of such topic. Topic descriptions must be the same > >> for all modules belonging to the topic. > >> > >> By using these topics, it is possible to group plugins as we see fit. > >> When asking for help for a particular topic, help for all modules > >> in given topic is written. > >> > >> ipa help - show all topics (until now it showed all plugins) > >> ipa help - show details to given topic > >> > >> https://fedorahosted.org/freeipa/ticket/410 > > > > Sorry for the wrong sequence number, sending the correct one now. > > I think this is a good start but I find the output hard to read, both > with a single topic (like user) or multiple (like sudo). The dashed > lines and the extra spaces make my eyes cross a bit > > What I don't have is any good suggestion to change it up. I realize you > are jamming together discrete things that may or may not look nice > together. > > I suppose a few suggestions might be: > > - a SEEALSO-like where you print the topics at the bottom so it is > obvious that multiple things are jammed together > - A single dashed-line all the way across (more or less) with a single > space before and after might be a less jarring separator. IIRC we have > some output code that should handle screen sizes for you. > - I'm not sure if combining all the commands into a single list is the > right thing or not. It may not be necessary with the SEEALSO. 
> > So nack for now but this is headed in the right direction. > > rob I gave this some thought: Output for each single-module topic is given by module's doc string. How good readability it has is not up to help function, but rather up to the developer of that particular module. The only thing I can do is not to display the separator. And as for multiple topics - I can change the concept to support two-level topics. That way when asking for the first level, it would display either entire single-module topic with its commands or it will only display a brief description of the topic and a list of its subtopics (this is based on your suggestion with SEEALSO section). Asking for one of these subtopics will output the same help as it would for single-module topic. I'm not sure about usability of this though. Personally I'd probably be asking who invented a help, which needs 4 shell commands to get to a help of IPA command: ipa help ipa help sudo ipa help sudocmd ipa help sudocmd-add I tried your other suggestions and the result doesn't look significantly better than the current one. What do you think is the best way to proceed? Jan From ssorce at redhat.com Mon Nov 15 13:24:59 2010 
From: ssorce at redhat.com (Simo Sorce) Date: Mon, 15 Nov 2010 08:24:59 -0500 Subject: [Freeipa-devel] [PATCH] 0010 change uuid plugin to use libuuid In-Reply-To: <20101115124850.GD19666@zeppelin.brq.redhat.com> References: <20101111102115.7543fc91@willson.li.ssimo.org> <20101115124850.GD19666@zeppelin.brq.redhat.com> Message-ID: <20101115082459.08c0610e@willson.li.ssimo.org> On Mon, 15 Nov 2010 13:48:51 +0100 Jakub Hrozek wrote: > On Thu, Nov 11, 2010 at 10:21:15AM -0500, Simo Sorce wrote: > > > > Directory Server guys decided not to expose internal uuid functions > > so change the ipa uuid plugin to use libuuid. > > > > The code looks OK and seems to work fine. > > > This changes the string format of the UUID records once again > > unfortunately ... > > > > I was about to ACK the patch, but I'm wondering, should I check some > other parts of the server to see whether the new format does not break > anything? I tested just with adding a user and checking the > ipauniqueid: attribute looks good. No I don't think anything more is required, except the attached patch I forgot to send, which reverts the format being tested in the xmlrpc unit tests. If you can ack both together it would be nice. Simo. -- Simo Sorce * Red Hat, Inc * New York -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-simo-0013-Revert-tests-code-to-use-the-old-uuid-format.patch Type: text/x-patch Size: 1147 bytes Desc: not available URL: From jhrozek at redhat.com Mon Nov 15 13:45:18 2010 
From: jhrozek at redhat.com (Jakub Hrozek) Date: Mon, 15 Nov 2010 14:45:18 +0100 Subject: [Freeipa-devel] [PATCH] 0010 change uuid plugin to use libuuid In-Reply-To: <20101115082459.08c0610e@willson.li.ssimo.org> References: <20101111102115.7543fc91@willson.li.ssimo.org> <20101115124850.GD19666@zeppelin.brq.redhat.com> <20101115082459.08c0610e@willson.li.ssimo.org> Message-ID: <20101115134518.GG19666@zeppelin.brq.redhat.com> On Mon, Nov 15, 2010 at 08:24:59AM -0500, Simo Sorce wrote: > On Mon, 15 Nov 2010 13:48:51 +0100 > Jakub Hrozek wrote: > > > On Thu, Nov 11, 2010 at 10:21:15AM -0500, Simo Sorce wrote: > > > > > > Directory Server guys decided not to expose internal uuid functions > > > so change the ipa uuid plugin to use libuuid. > > > > > > > The code looks OK and seems to work fine. > > > > > This changes the string format of the UUID records once again > > > unfortunately ... > > > > > > > I was about to ACK the patch, but I'm wondering, should I check some > > other parts of the server to see whether the new format does not break > > anything? I tested just with adding a user and checking the > > ipauniqueid: attribute looks good. > > No I don't think anything more is required, except the attached patch I > forgot to send, which reverts the format being tested in the xmlrpc > unit tests. > > If you can ack both together it would be nice. > > Simo. > Ack to both. From jhrozek at redhat.com Mon Nov 15 14:52:30 2010 From: jhrozek at redhat.com (Jakub Hrozek) Date: Mon, 15 Nov 2010 15:52:30 +0100 Subject: [Freeipa-devel] [PATCH] Improve the documentation of setattr/addattr Message-ID: <20101115145229.GH19666@zeppelin.brq.redhat.com> https://fedorahosted.org/freeipa/ticket/245 -------------- next part -------------- >From fc18a26b2af2addd21edad6066fc3c1faa9583e5 Mon Sep 17 00:00:00 2001 
From: Jakub Hrozek Date: Mon, 15 Nov 2010 15:37:40 +0100 Subject: [PATCH] Improve the documentation of setattr/addattr https://fedorahosted.org/freeipa/ticket/245 --- ipalib/plugins/baseldap.py | 5 +++-- 1 files changed, 3 insertions(+), 2 deletions(-) diff --git a/ipalib/plugins/baseldap.py b/ipalib/plugins/baseldap.py index 6bf9b3b..d3c5604 100644 --- a/ipalib/plugins/baseldap.py +++ b/ipalib/plugins/baseldap.py @@ -279,12 +279,13 @@ class LDAPObject(Object): _attr_options = ( Str('addattr*', validate_add_attribute, cli_name='addattr', - doc=_('Add an attribute/value pair. Format is attr=value'), + doc=_('Add an attribute/value pair. Format is attr=value. The attribute must be part of the schema.'), exclude='webui', ), Str('setattr*', validate_set_attribute, cli_name='setattr', - doc=_('Set an attribute to an name/value pair. Format is attr=value'), + doc=_("""Set an attribute to an name/value pair. Format is attr=value. +For multivalued attributes, the command replaces the values already present."""), exclude='webui', ), ) -- 1.7.3.2 From ayoung at redhat.com Mon Nov 15 15:48:22 2010 From: ayoung at redhat.com (Adam Young) Date: Mon, 15 Nov 2010 10:48:22 -0500 Subject: [Freeipa-devel] [PATCH] association buttons to action panel Message-ID: <4CE15646.5020405@redhat.com> Pushed under the one line rule: -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-admiyo-0085-Push-associate-buttons-to-the-action-panel.patch Type: text/x-patch Size: 1101 bytes Desc: not available URL: From ayoung at redhat.com Mon Nov 15 15:58:28 2010 
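Review bot: in the setattr hunk of the doc patch above, the rewritten string still carries the grammar slip 'Set an attribute to an name/value pair' (it should read 'a name/value pair'); since the line is being touched, fix it here. Two further points: the triple-quoted string embeds a literal newline, so 'For multivalued attributes, the command replaces the values already present.' will render as a separate line in `ipa help` output while the addattr doc is a single long line, so keep both options to the same layout (join with a space, or wrap both); and the addattr text now says the attribute must be part of the schema while the setattr text says nothing about it, so if the same restriction applies to setattr, state it in both places.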
From: ayoung at redhat.com (Adam Young) Date: Mon, 15 Nov 2010 10:58:28 -0500 Subject: [Freeipa-devel] [PATCH] HBAC details page enhancement In-Reply-To: <4CDF620D.8010901@redhat.com> References: <4CDF620D.8010901@redhat.com> Message-ID: <4CE158A4.4030107@redhat.com> On 11/13/2010 11:14 PM, Endi Sukma Dewata wrote: > Hi, > > Please review the attached patch. Thanks! > > https://fedorahosted.org/reviewboard/r/107/ > > The HBAC details page has been enhanced to support Undo and Reset > operations. The functionality is implemented in the base widget class > so the behavior will be more consistent across widgets. A tag > is now used to define the field boundary in the HTML doc. The tag > contains the visual representation of the field which includes the > input tag and optionally the undo link. > > The Update method on HBAC details page has been modified so that it > executes several operations using a batch command. The operations > being executed depend on the changes made to the fields. These > operations may include: > - removing access time if access time is changed to any time This didn't seem to work. The rest of it was fine, but I still see the access time I added > - removing memberships if member category is changed to all > - modifying rule attributes if description or rule type is changed > - enabling/disabling the rule if rule status is changed > > The behavior of the Add & Remove buttons also has been changed such > that it adjusts the category attribute properly in addition to adding the > memberships using batch command. For example, if category is initially > set to all, adding a new member will also change the category to empty. > > The ipa_command has been modified to store the on_success and > on_error handlers as properties. When the command is executed as a > part of batch operation, the result of each command will be passed to > the appropriate handler. > > The unit tests and test data have been updated as well. 
> > > _______________________________________________ > Freeipa-devel mailing list > Freeipa-devel at redhat.com > https://www.redhat.com/mailman/listinfo/freeipa-devel -------------- next part -------------- An HTML attachment was scrubbed... URL: From ayoung at redhat.com Mon Nov 15 16:00:46 2010 
From: ayoung at redhat.com (Adam Young) Date: Mon, 15 Nov 2010 11:00:46 -0500 Subject: [Freeipa-devel] [PATCH] HBAC details page enhancement In-Reply-To: <4CE158A4.4030107@redhat.com> References: <4CDF620D.8010901@redhat.com> <4CE158A4.4030107@redhat.com> Message-ID: <4CE1592E.3070006@redhat.com> On 11/15/2010 10:58 AM, Adam Young wrote: > On 11/13/2010 11:14 PM, Endi Sukma Dewata wrote: >> Hi, >> >> Please review the attached patch. Thanks! >> >> https://fedorahosted.org/reviewboard/r/107/ >> >> The HBAC details page has been enhanced to support Undo and Reset >> operations. The functionality is implemented in the base widget class >> so the behavior will be more consistent across widgets. A tag >> is now used to define the field boundary in the HTML doc. The tag >> contains the visual representation of the field which includes the >> input tag and optionally the undo link. >> >> The Update method on HBAC details page has been modified so that it >> executes several operations using a batch command. The operations >> being executed depend on the changes made to the fields. These >> operations may include: >> - removing access time if access time is changed to any time > > This didn't seem to work. The rest of it was fine, but I still see > the access time I added > >> - removing memberships if member category is changed to all >> - modifying rule attributes if description or rule type is changed >> - enabling/disabling the rule if rule status is changed >> >> The behavior of the Add & Remove buttons also has been changed such >> that it adjusts the category attribute properly in addition to adding the >> memberships using batch command. For example, if category is >> initially set to all, adding a new member will also change the >> category to empty. >> >> The ipa_command has been modified to store the on_success and >> on_error handlers as properties. 
When the command is executed as a >> part of batch operation, the result of each command will be passed to >> the appropriate handler. >> >> The unit tests and test data have been updated as well. >> >> >> _______________________________________________ >> Freeipa-devel mailing list >> Freeipa-devel at redhat.com >> https://www.redhat.com/mailman/listinfo/freeipa-devel > > > _______________________________________________ > Freeipa-devel mailing list > Freeipa-devel at redhat.com > https://www.redhat.com/mailman/listinfo/freeipa-devel BTW, I rebased and merged on top of my one line fix. Here's the updated. -------------- next part -------------- An HTML attachment was scrubbed... URL: -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-edewata-0031-2-HBAC-details-page-enhancement.patch Type: text/x-patch Size: 116698 bytes Desc: not available URL: From rcritten at redhat.com Mon Nov 15 16:00:26 2010 From: rcritten at redhat.com (Rob Crittenden) Date: Mon, 15 Nov 2010 11:00:26 -0500 Subject: [Freeipa-devel] [PATCH] 609 Reduce the number of attributes a host is allowed to write. In-Reply-To: <20101115130352.GE19666@zeppelin.brq.redhat.com> References: <4CDB0DBE.4020803@redhat.com> <20101115130352.GE19666@zeppelin.brq.redhat.com> Message-ID: <4CE1591A.5030703@redhat.com> Jakub Hrozek wrote: > On Wed, Nov 10, 2010 at 04:25:18PM -0500, Rob Crittenden wrote: >> The list of attributes that a host bound as itself could write was >> overly broad. >> >> A host can now only update its description, information about itself >> such as OS release, etc, its certificate, password and keytab. >> >> https://fedorahosted.org/freeipa/ticket/416 >> >> rob > > Some of the changes in install/share/default-aci.ldif seem to not apply > cleanly on top of the current master. Does this patch depend on another > one? Maybe unreviewed patch 593 fix group objectclasses on detach rob From ayoung at redhat.com Mon Nov 15 17:47:09 2010 
From: ayoung at redhat.com (Adam Young) Date: Mon, 15 Nov 2010 12:47:09 -0500 Subject: [Freeipa-devel] [PATCH] HBAC details page enhancement In-Reply-To: <4CE1592E.3070006@redhat.com> References: <4CDF620D.8010901@redhat.com> <4CE158A4.4030107@redhat.com> <4CE1592E.3070006@redhat.com> Message-ID: <4CE1721D.2050701@redhat.com> On 11/15/2010 11:00 AM, Adam Young wrote: > On 11/15/2010 10:58 AM, Adam Young wrote: >> On 11/13/2010 11:14 PM, Endi Sukma Dewata wrote: >>> Hi, >>> >>> Please review the attached patch. Thanks! >>> >>> https://fedorahosted.org/reviewboard/r/107/ >>> >>> The HBAC details page has been enhanced to support Undo and Reset >>> operations. The functionality is implemented in the base widget >>> class so the behavior will be more consistent across widgets. A >>> tag is now used to define the field boundary in the HTML doc. >>> The tag contains the visual representation of the field which >>> includes the input tag and optionally the undo link. >>> >>> The Update method on HBAC details page has been modified so that it >>> executes several operations using a batch command. The operations >>> being executed depend on the changes made to the fields. These >>> operations may include: >>> - removing access time if access time is changed to any time >> >> This didn't seem to work. The rest of it was fine, but I still see >> the access time I added >> >>> - removing memberships if member category is changed to all >>> - modifying rule attributes if description or rule type is changed >>> - enabling/disabling the rule if rule status is changed >>> >>> The behavior of the Add & Remove buttons also has been changed such >>> that it adjusts the category attribute properly in addition to adding >>> the >>> memberships using batch command. For example, if category is >>> initially set to all, adding a new member will also change the >>> category to empty. >>> >>> The ipa_command has been modified to store the on_success and >>> on_error handlers as properties. 
When the command is executed as a >>> part of batch operation, the result of each command will be passed >>> to the appropriate handler. >>> >>> The unit tests and test data have been updated as well. >>> >>> >>> _______________________________________________ >>> Freeipa-devel mailing list >>> Freeipa-devel at redhat.com >>> https://www.redhat.com/mailman/listinfo/freeipa-devel >> >> >> _______________________________________________ >> Freeipa-devel mailing list >> Freeipa-devel at redhat.com >> https://www.redhat.com/mailman/listinfo/freeipa-devel > BTW, I rebased and merged on top of my one line fix. Here's the updated. > > > _______________________________________________ > Freeipa-devel mailing list > Freeipa-devel at redhat.com > https://www.redhat.com/mailman/listinfo/freeipa-devel ACK -------------- next part -------------- An HTML attachment was scrubbed... URL: From edewata at redhat.com Mon Nov 15 17:52:52 2010 From: edewata at redhat.com (Endi Sukma Dewata) Date: Mon, 15 Nov 2010 11:52:52 -0600 Subject: [Freeipa-devel] [PATCH] HBAC details page enhancement In-Reply-To: <4CE1721D.2050701@redhat.com> References: <4CDF620D.8010901@redhat.com> <4CE158A4.4030107@redhat.com> <4CE1592E.3070006@redhat.com> <4CE1721D.2050701@redhat.com> Message-ID: <4CE17374.2000902@redhat.com> On 11/15/2010 11:47 AM, Adam Young wrote: > ACK Thanks. Pushed a new rebase to master. -- Endi S. Dewata From ayoung at redhat.com Mon Nov 15 18:22:15 2010 From: ayoung at redhat.com (Adam Young) Date: Mon, 15 Nov 2010 13:22:15 -0500 Subject: [Freeipa-devel] [PATCH] admiyo-0087-demo-deploy Message-ID: <4CE17A57.7030605@redhat.com> -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-admiyo-0087-demo-deploy.patch Type: text/x-patch Size: 1339 bytes Desc: not available URL: From ayoung at redhat.com Mon Nov 15 18:44:29 2010 
From: ayoung at redhat.com (Adam Young) Date: Mon, 15 Nov 2010 13:44:29 -0500 Subject: [Freeipa-devel] [PATCH] dmiyo-0088-HBAC-css-cleanup. Message-ID: <4CE17F8D.5090704@redhat.com> -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-admiyo-0088-HBAC-css-cleanup.patch Type: text/x-patch Size: 3780 bytes Desc: not available URL: From ssorce at redhat.com Mon Nov 15 19:53:22 2010 
From: ssorce at redhat.com (Simo Sorce) Date: Mon, 15 Nov 2010 14:53:22 -0500 Subject: [Freeipa-devel] [PATCH] 0010 change uuid plugin to use libuuid In-Reply-To: <20101115134518.GG19666@zeppelin.brq.redhat.com> References: <20101111102115.7543fc91@willson.li.ssimo.org> <20101115124850.GD19666@zeppelin.brq.redhat.com> <20101115082459.08c0610e@willson.li.ssimo.org> <20101115134518.GG19666@zeppelin.brq.redhat.com> Message-ID: <20101115145322.3a8e5d4c@willson.li.ssimo.org> On Mon, 15 Nov 2010 14:45:18 +0100 Jakub Hrozek wrote: > On Mon, Nov 15, 2010 at 08:24:59AM -0500, Simo Sorce wrote: > > On Mon, 15 Nov 2010 13:48:51 +0100 > > Jakub Hrozek wrote: > > > > > On Thu, Nov 11, 2010 at 10:21:15AM -0500, Simo Sorce wrote: > > > > > > > > Directory Server guys decided not to expose internal uuid > > > > functions so change the ipa uuid plugin to use libuuid. > > > > > > > > > > The code looks OK and seems to work fine. > > > > > > > This changes the string format of the UUID records once again > > > > unfortunately ... > > > > > > > > > > I was about to ACK the patch, but I'm wondering, should I check > > > some other parts of the server to see whether the new format does > > > not break anything? I tested just with adding a user and checking > > > the ipauniqueid: attribute looks good. > > > > No I don't think anything more is required, except the attached > > patch I forgot to send, which reverts the format being tested in > > the xmlrpc unit tests. > > > > If you can ack both together it would be nice. > > > > Simo. > > > > Ack to both. Pushed to master. Simo. From ssorce at redhat.com Mon Nov 15 19:53:47 2010 
From: ssorce at redhat.com (Simo Sorce) Date: Mon, 15 Nov 2010 14:53:47 -0500 Subject: [Freeipa-devel] [PATCH] 0012 Fix #401 test.po creation fails in make test In-Reply-To: <20101115120453.GC19666@zeppelin.brq.redhat.com> References: <20101112120606.60990bef@willson.li.ssimo.org> <20101115120453.GC19666@zeppelin.brq.redhat.com> Message-ID: <20101115145347.590ecfac@willson.li.ssimo.org> On Mon, 15 Nov 2010 13:04:54 +0100 Jakub Hrozek wrote: > On Fri, Nov 12, 2010 at 12:06:06PM -0500, Simo Sorce wrote: > > > > This patch fixes the errors caused by the creation of test.po in > > make test_lang under /install/po > > > > It seems make test has regressed though because as a whole it fails > > later on with various errors. > > > > So this patch strictly fixes only bug #401. > > > > Simo. > > > > This patch gets rid of error messages like: > test.po:2636: `msgid' and `msgstr' entries do not both end with '\n' > > > -> ACK Pushed to master Simo. From ayoung at redhat.com Mon Nov 15 20:07:52 2010 From: ayoung at redhat.com (Adam Young) Date: Mon, 15 Nov 2010 15:07:52 -0500 Subject: [Freeipa-devel] admiyo-0090-px-to-em Message-ID: <4CE19318.9010602@redhat.com> -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-admiyo-0090-px-to-em.patch Type: text/x-patch Size: 4948 bytes Desc: not available URL: From ayoung at redhat.com Mon Nov 15 20:12:11 2010 
From: ayoung at redhat.com (Adam Young) Date: Mon, 15 Nov 2010 15:12:11 -0500 Subject: [Freeipa-devel] [PATCH] admiyo-0087-demo-deploy In-Reply-To: <4CE17A57.7030605@redhat.com> References: <4CE17A57.7030605@redhat.com> Message-ID: <4CE1941B.2040302@redhat.com> On 11/15/2010 01:22 PM, Adam Young wrote: > > > _______________________________________________ > Freeipa-devel mailing list > Freeipa-devel at redhat.com > https://www.redhat.com/mailman/listinfo/freeipa-devel Rebased on top of current stack, to include my patch 0090. -------------- next part -------------- An HTML attachment was scrubbed... URL: -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-admiyo-0087-2-demo-deploy.patch Type: text/x-patch Size: 1170 bytes Desc: not available URL: From ayoung at redhat.com Mon Nov 15 20:17:20 2010 From: ayoung at redhat.com (Adam Young) Date: Mon, 15 Nov 2010 15:17:20 -0500 Subject: [Freeipa-devel] [PATCH] admiyo-0088-HBAC-css-cleanup. In-Reply-To: <4CE17F8D.5090704@redhat.com> References: <4CE17F8D.5090704@redhat.com> Message-ID: <4CE19550.8010803@redhat.com> On 11/15/2010 01:44 PM, Adam Young wrote: > > > _______________________________________________ > Freeipa-devel mailing list > Freeipa-devel at redhat.com > https://www.redhat.com/mailman/listinfo/freeipa-devel Rebased on top of 0877-2 -------------- next part -------------- An HTML attachment was scrubbed... URL: -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-admiyo-0088-2-HBAC-css-cleanup.patch Type: text/x-patch Size: 3399 bytes Desc: not available URL: From ayoung at redhat.com Mon Nov 15 21:00:02 2010 
From: ayoung at redhat.com (Adam Young) Date: Mon, 15 Nov 2010 16:00:02 -0500 Subject: [Freeipa-devel] [PATCH] admiyo-0091-buttons-to-action-panel Message-ID: <4CE19F52.9020705@redhat.com> -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-admiyo-0091-buttons-to-action-panel.patch Type: text/x-patch Size: 1493 bytes Desc: not available URL: From edewata at redhat.com Mon Nov 15 21:02:44 2010 From: edewata at redhat.com (Endi Sukma Dewata) Date: Mon, 15 Nov 2010 15:02:44 -0600 Subject: [Freeipa-devel] [PATCH] admiyo-0088-HBAC-css-cleanup. In-Reply-To: <4CE19550.8010803@redhat.com> References: <4CE17F8D.5090704@redhat.com> <4CE19550.8010803@redhat.com> Message-ID: <4CE19FF4.5030404@redhat.com> On 11/15/2010 2:17 PM, Adam Young wrote: ACK #90, #87-2, #88-2. Note: the font looks too big on my browser, but this can be addressed later. -- Endi S. Dewata From ssorce at redhat.com Tue Nov 16 02:03:09 2010 From: ssorce at redhat.com (Simo Sorce) Date: Mon, 15 Nov 2010 21:03:09 -0500 Subject: [Freeipa-devel] [PATCH] 0014 better version checking Message-ID: <20101115210309.0b71c283@willson.li.ssimo.org> The pwpolicy plugin was basically hardcoded to version 1.8 instead of checking for >= 1.8 This patch uses distutils.version to fix that. Simo. -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-simo-0014-Use-distutil.version-to-check-for-min-version.patch Type: text/x-patch Size: 1428 bytes Desc: not available URL: From ssorce at redhat.com Tue Nov 16 02:05:55 2010 
From: ssorce at redhat.com (Simo Sorce) Date: Mon, 15 Nov 2010 21:05:55 -0500 Subject: [Freeipa-devel] [PATCH] 0015 Configure KDC to use multiple workers Message-ID: <20101115210555.4a1ff6c2@willson.li.ssimo.org> Add code to detect the number of CPUs available at install time. If the kerberos version is >= 1.9 then the KDC supports multiple workers. If more than 1 CPU is available configure the KDC to start 1 worker per CPU to aid in scalability. Addresses ticket #222 Simo. -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-simo-0015-Configure-KDC-to-use-multiple-workers.patch Type: text/x-patch Size: 2646 bytes Desc: not available URL: From jzeleny at redhat.com Tue Nov 16 15:35:26 2010 From: jzeleny at redhat.com (Jan Zelený) Date: Tue, 16 Nov 2010 16:35:26 +0100 Subject: [Freeipa-devel] [PATCH] Use provided domain name during the installation Message-ID: <201011161635.26226.jzeleny@redhat.com> When installing IPA client, the install script used the detected domain name of the machine instead of that given by administrator (in case one was given). This is now fixed. https://fedorahosted.org/freeipa/ticket/363 -- Thank you Jan Zeleny Red Hat Software Engineer Brno, Czech Republic -------------- next part -------------- A non-text attachment was scrubbed... Name: jzeleny-freeipa-0005-Use-provided-domain-name-during-installation.patch Type: text/x-patch Size: 1257 bytes Desc: not available URL: From ssorce at redhat.com Tue Nov 16 15:56:39 2010 
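Two of Simo's patches above turn on the same thing: patch 0014 replaces an exact "1.8" test in the pwpolicy plugin with a ">= 1.8" test, and patch 0015 enables KDC workers only when the Kerberos version is >= 1.9 and more than one CPU is present. Both depend on a version comparison that knows "1.10" is newer than "1.9", which plain string comparison gets wrong. The following is an added example, not code from either patch and not FreeIPA code: it shows the lexical pitfall, the equality pitfall patch 0014 removes, a small numeric comparison (the patch used distutils.version, which is gone from Python 3.12, so the comparison here is hand-written), and the worker-count decision from patch 0015. The "-w N" krb5kdc argument is my assumption about how the workers are configured; the patch itself is not shown on the page.

```python
"""Added example (not FreeIPA's code, not the patches under review).

Version comparison done numerically, plus the two install-time decisions
from Simo's patches 0014 and 0015 expressed on top of it.  The '-w N'
krb5kdc argument is an assumption, not something the page shows.
"""
import os
import re


def parse_version(ver):
    """Turn '1.9.1-3' into (1, 9, 1, 3).  Only numeric components count;
    suffixes such as 'rc1' contribute their digits, which is good enough for
    minimum-version checks but is not a full pre-release ordering."""
    return tuple(int(part) for part in re.findall(r"\d+", ver))


def version_at_least(actual, minimum):
    """True when actual >= minimum, comparing component by component.
    Shorter tuples are zero-padded so '1.8' and '1.8.0' compare equal."""
    a, m = parse_version(actual), parse_version(minimum)
    width = max(len(a), len(m))
    a += (0,) * (width - len(a))
    m += (0,) * (width - len(m))
    return a >= m


def lexical_at_least(actual, minimum):
    """The wrong way: plain string comparison.  '1.10' >= '1.8' is False
    because the character '1' sorts before '8'.  Kept only to show the bug."""
    return actual >= minimum


def hardcoded_check(ver):
    """The pattern patch 0014 removes: an equality test that silently fails
    on every newer release."""
    return ver == "1.8"


def pwpolicy_feature_available(ver):
    """The corrected form of the same check: at least 1.8."""
    return version_at_least(ver, "1.8")


def kdc_worker_args(krb5_version, cpu_count=None):
    """Return the extra krb5kdc arguments to write at install time, or ''.
    Mirrors the rule in patch 0015: workers need Kerberos >= 1.9 and only
    help when there is more than one CPU.  '-w' is an assumed flag."""
    if cpu_count is None:
        cpu_count = os.cpu_count() or 1
    if cpu_count > 1 and version_at_least(krb5_version, "1.9"):
        return "-w %d" % cpu_count
    return ""


if __name__ == "__main__":
    for ver in ("1.8", "1.9", "1.10"):
        print(ver, "hardcoded:", hardcoded_check(ver),
              "lexical>=1.8:", lexical_at_least(ver, "1.8"),
              "numeric>=1.8:", pwpolicy_feature_available(ver))
    print("kdc args on 4 CPUs, krb5 1.9:", repr(kdc_worker_args("1.9", cpu_count=4)))
```

The "1.10" case is the one that bites in practice: the equality check fails as soon as 1.9 ships, and the lexical check fails again at 1.10, so a feature gate written either way silently turns itself off on the next release.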
From: ssorce at redhat.com (Simo Sorce) Date: Tue, 16 Nov 2010 10:56:39 -0500 Subject: [Freeipa-devel] [PATCH] Use provided domain name during the installation In-Reply-To: <201011161635.26226.jzeleny@redhat.com> References: <201011161635.26226.jzeleny@redhat.com> Message-ID: <20101116105639.3c263596@willson.li.ssimo.org> On Tue, 16 Nov 2010 16:35:26 +0100 Jan Zelený wrote: > When installing IPA client, the install script used the detected domain > name of the machine instead of that given by administrator (in case > one was given). This is now fixed. > > https://fedorahosted.org/freeipa/ticket/363 > ACK Simo. From edewata at redhat.com Tue Nov 16 16:21:42 2010 From: edewata at redhat.com (Endi Sukma Dewata) Date: Tue, 16 Nov 2010 10:21:42 -0600 Subject: [Freeipa-devel] [PATCH] admiyo-0088-HBAC-css-cleanup. In-Reply-To: <4CE19FF4.5030404@redhat.com> References: <4CE17F8D.5090704@redhat.com> <4CE19550.8010803@redhat.com> <4CE19FF4.5030404@redhat.com> Message-ID: <4CE2AF96.7020205@redhat.com> On 11/15/2010 3:02 PM, Endi Sukma Dewata wrote: > ACK #90, #87-2, #88-2. > > Note: the font looks too big on my browser, but this can be addressed > later. Pushed to master. -- Endi S. Dewata From edewata at redhat.com Tue Nov 16 16:22:36 2010 From: edewata at redhat.com (Endi Sukma Dewata) Date: Tue, 16 Nov 2010 10:22:36 -0600 Subject: [Freeipa-devel] [PATCH] admiyo-0091-buttons-to-action-panel In-Reply-To: <4CE19F52.9020705@redhat.com> References: <4CE19F52.9020705@redhat.com> Message-ID: <4CE2AFCC.7020801@redhat.com> On 11/15/2010 3:00 PM, Adam Young wrote: > ACK and pushed to master. -- Endi S. Dewata From ssorce at redhat.com Tue Nov 16 19:09:58 2010 
From: ssorce at redhat.com (Simo Sorce) Date: Tue, 16 Nov 2010 14:09:58 -0500 Subject: [Freeipa-devel] [PATCH] 0016 Tune directory server Message-ID: <20101116140958.39fa360c@willson.li.ssimo.org> This patch bumps up the default number of files allowed by default for directory server. This allows more clients and also reserves a bigger number of FDs (at least according to doc) for replication agreements and such things. Ticket 464. Simo. -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-simo-0016-Autotune-directory-server-to-use-a-greater-number-of.patch Type: text/x-patch Size: 4613 bytes Desc: not available URL: From ayoung at redhat.com Wed Nov 17 02:16:33 2010 From: ayoung at redhat.com (Adam Young) Date: Tue, 16 Nov 2010 21:16:33 -0500 Subject: [Freeipa-devel] Moving index page from xhtml to html Message-ID: <4CE33B01.9060405@redhat.com> Although we currently don't have a requirement to support IE, it seems that IE has trouble with xhtml. I guess there is no good reason to stay on xhtml: HTML5 will give us validation, and a file in valid html5 format will render in IE. So, in the not-too-distant future, I'll be moving the index page to index.html. If anyone has any objections, voice them now. From edewata at redhat.com Wed Nov 17 04:52:20 2010 From: edewata at redhat.com (Endi Sukma Dewata) Date: Tue, 16 Nov 2010 22:52:20 -0600 Subject: [Freeipa-devel] [PATCH] Service and Host Provisioning Message-ID: <4CE35F84.70304@redhat.com> Hi, Please review the attached patch. Thanks! https://fedorahosted.org/reviewboard/r/109/ The service and host details pages have been modified to display Kerberos key provisioning status and to provide a way to unprovision. The host enrollment via OTP has not been implemented yet. The ipa_details_field has been modified to remove any old
tags it created in the previous load operation. This is to support other widgets that need to perform load operation without removing
tags. The certificate_status_panel has been converted into a widget. The host entity has been rewritten using the new framework. The unit tests have been updated. -- Endi S. Dewata -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-edewata-0032-Service-and-Host-Provisioning.patch Type: text/x-patch Size: 52782 bytes Desc: not available URL: From ayoung at redhat.com Wed Nov 17 18:38:23 2010 From: ayoung at redhat.com (Adam Young) Date: Wed, 17 Nov 2010 13:38:23 -0500 Subject: [Freeipa-devel] [PATCH] admiyo-0092-action-select Message-ID: <4CE4211F.4030909@redhat.com> -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-admiyo-0092-action-select.patch Type: text/x-patch Size: 15180 bytes Desc: not available URL: From adam at younglogic.com Wed Nov 17 18:37:35 2010 From: adam at younglogic.com (Adam Young) Date: Wed, 17 Nov 2010 13:37:35 -0500 Subject: [Freeipa-devel] [PATCH] admiyo-0092-action-select Message-ID: <4CE420EF.9000302@younglogic.com> -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-admiyo-0092-action-select.patch Type: text/x-patch Size: 15180 bytes Desc: not available URL: From ayoung at redhat.com Wed Nov 17 19:54:29 2010 From: ayoung at redhat.com (Adam Young) Date: Wed, 17 Nov 2010 14:54:29 -0500 Subject: [Freeipa-devel] [PATCH] admiyo-0093-CSS-cleanup Message-ID: <4CE432F5.9060303@redhat.com> Depends on 0092. -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-admiyo-0093-CSS-cleanup.patch Type: text/x-patch Size: 7832 bytes Desc: not available URL: From ayoung at redhat.com Wed Nov 17 20:06:26 2010 
From: ayoung at redhat.com (Adam Young) Date: Wed, 17 Nov 2010 15:06:26 -0500 Subject: [Freeipa-devel] [PATCH]admiyo-0094-xhtml-to-html Message-ID: <4CE435C2.5090705@redhat.com> -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-admiyo-0094-xhtml-to-html.patch Type: text/x-patch Size: 1165 bytes Desc: not available URL: From rcritten at redhat.com Wed Nov 17 20:07:03 2010 From: rcritten at redhat.com (Rob Crittenden) Date: Wed, 17 Nov 2010 15:07:03 -0500 Subject: [Freeipa-devel] [PATCH] 609 Reduce the number of attributes a host is allowed to write. In-Reply-To: <4CE1591A.5030703@redhat.com> References: <4CDB0DBE.4020803@redhat.com> <20101115130352.GE19666@zeppelin.brq.redhat.com> <4CE1591A.5030703@redhat.com> Message-ID: <4CE435E7.5070203@redhat.com> Rob Crittenden wrote: > Jakub Hrozek wrote: >> On Wed, Nov 10, 2010 at 04:25:18PM -0500, Rob Crittenden wrote: >>> The list of attributes that a host bound as itself could write was >>> overly broad. >>> >>> A host can now only update its description, information about itself >>> such as OS release, etc, its certificate, password and keytab. >>> >>> https://fedorahosted.org/freeipa/ticket/416 >>> >>> rob >> >> Some of the changes in install/share/default-aci.ldif seem to not apply >> cleanly on top of the current master. Does this patch depend on another >> one? > > Maybe unreviewed patch 593 fix group objectclasses on detach > > rob Ok, yes, this relies on patch 593. I also re-based it to patch cleanly against the master. rob -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-rcrit-609-2-aci.patch Type: text/x-patch Size: 6334 bytes Desc: not available URL: From rcritten at redhat.com Wed Nov 17 20:18:54 2010 
From: rcritten at redhat.com (Rob Crittenden) Date: Wed, 17 Nov 2010 15:18:54 -0500 Subject: [Freeipa-devel] [PATCH] 606 IPA v1.2.2 binary location fix In-Reply-To: <4CD84BEC.7040309@redhat.com> References: <4CD84BEC.7040309@redhat.com> Message-ID: <4CE438AE.4050502@redhat.com> Rob Crittenden wrote: > Fix for IPA v1.2.2 bug https://bugzilla.redhat.com/show_bug.cgi?id=650725 > > The problem is in Fedora 14 the kerberos binaries were moved so our > tools all fail. This makes the run() call more generic by using PATH to > find binaries. > > rob Reviewed in bug, pushed to ipa-1-2 branch. From sgallagh at redhat.com Wed Nov 17 21:07:24 2010 
From: sgallagh at redhat.com (Stephen Gallagher) Date: Wed, 17 Nov 2010 16:07:24 -0500 Subject: [Freeipa-devel] Proposed changes to the HBAC grammar Message-ID: <4CE4440C.4030400@redhat.com> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 During a discussion today about how to represent the HBAC grammar in the FreeIPA GUI, it became apparent that there was a limitation in the grammar. Specifically, it's not possible to describe in a non-ambiguous way "The first Wednesday of the month". Right now, this would be described by: accessTime: periodic monthly week 1 day 3 0800-1700 However, this literally means "Wednesdays that appear as the first week on a wall calendar". Meaning that if the month began on a Thursday, this rule would not fire this month. Thus it's not behaving in a way that would be reasonably expected by a user. After extended discussion, Simo, Ben and I discussed replacing this week-of-the-month concept with a septet-of-the-month concept instead. This would be described by: accessTime: periodic monthly septet 1 day 3 0800-1700 and would literally translate as "The Wednesday that exists within the first septet of the month". The first septet being the range of day 1 through day 7, the second septet being day 8 through 14, and so forth. We all feel that this would map closer to a user's expectation when describing "the Nth Wednesday of the month", since it's a guarantee that Wednesday will appear only once within a septet. This will require two changes to the HBAC schema. First of all, we plan to drop the week-of-the-month concept entirely and replace it with septet-of-the-month. This is being done to eliminate the ambiguity entirely. Secondly, we will need to describe day-of-the-septet in the grammar (where the day of the septet describes the name of the weekday, and not its numerical position within the septet, as that would be a useless and complex duplication of the day-of-the-month concept). 
In a related note, we also discussed how to handle describing activity windows that cross the midnight boundary. It's my recommendation that we should handle examples like the following by breaking them into two separate accessTime attributes, one that describes the portion preceding midnight and describes the set of days wherein the block starts, and a second accessTime attribute that is offset by one day and describes the portion taking place after midnight. Second-shift (17:00-01:59, M-S*) *starts Monday, ends Saturday morning becomes accessTime: periodic weekly day 1-5 1700-2359 accessTime: periodic weekly day 2-6 0000-0159 - -- Stephen Gallagher RHCE 804006346421761 Delivering value year after year. Red Hat ranks #1 in value among software vendors. http://www.redhat.com/promo/vendor/ -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.11 (GNU/Linux) Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org/ iEYEARECAAYFAkzkRAwACgkQeiVVYja6o6NtHwCgi3Vk2Q2aZXKIRHM3fbWOsLHE X6UAn3zECofcDzG1+gJClyUlDVZvKnmS =+zfc -----END PGP SIGNATURE----- From dpal at redhat.com Wed Nov 17 21:21:18 2010 
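As an added example (not FreeIPA or SSSD code), here is a small Python evaluator for the subset of the proposed grammar used in the message above: `periodic weekly day D[-D] HHMM-HHMM` and `periodic monthly week|septet N day D HHMM-HHMM`. It makes the week-vs-septet difference concrete for a month that starts on a Thursday (July 2010, whose first Wednesday is the 7th) and evaluates the two-attribute second-shift rule. Everything beyond the grammar strings in the message is an assumption of the example: weekday numbers 1 = Monday through 7 = Sunday, wall-calendar weeks whose rows start on Monday, inclusive HHMM ranges that never cross midnight, timestamps already in the zone the rules were written for, and a fail-closed deny whenever a value cannot be parsed.

```python
"""Evaluator for a subset of the proposed HBAC accessTime grammar.

Added example; not FreeIPA or SSSD code.  Assumptions made here:
  * weekday numbers are 1 = Monday .. 7 = Sunday (Python's isoweekday()),
  * "week N" is the N-th wall-calendar row of the month, rows starting Monday,
  * "septet N" is days 1-7, 8-14, ... of the month,
  * HHMM-HHMM ranges are inclusive and never cross midnight,
  * timestamps are already in the zone the rules were written for,
  * a rule the client cannot parse makes the whole evaluation deny.
"""
import re
from datetime import datetime

_WEEKLY = re.compile(r"^periodic weekly day ([1-7])(?:-([1-7]))? (\d{4})-(\d{4})$")
_MONTHLY = re.compile(
    r"^periodic monthly (week|septet) ([1-6]) day ([1-7]) (\d{4})-(\d{4})$")


def _as_datetime(when):
    """Accept a datetime or a 'YYYY-MM-DD HH:MM' string."""
    if isinstance(when, datetime):
        return when
    return datetime.strptime(when, "%Y-%m-%d %H:%M")


def _in_window(when, start, end):
    hhmm = when.hour * 100 + when.minute
    return int(start) <= hhmm <= int(end)


def week_of_month(when):
    """Wall-calendar row (1-based) that contains `when`; rows start on Monday."""
    when = _as_datetime(when)
    first_weekday = when.replace(day=1).weekday()        # Monday == 0
    return (when.day - 1 + first_weekday) // 7 + 1


def septet_of_month(when):
    """1 for days 1-7, 2 for days 8-14, and so on."""
    return (_as_datetime(when).day - 1) // 7 + 1


def rule_matches(rule, when):
    """True if a single accessTime value covers the instant `when`."""
    when = _as_datetime(when)
    m = _WEEKLY.match(rule)
    if m:
        lo, hi, start, end = m.groups()
        return (int(lo) <= when.isoweekday() <= int(hi or lo)
                and _in_window(when, start, end))
    m = _MONTHLY.match(rule)
    if m:
        kind, n, day, start, end = m.groups()
        if when.isoweekday() != int(day) or not _in_window(when, start, end):
            return False
        bucket = week_of_month(when) if kind == "week" else septet_of_month(when)
        return bucket == int(n)
    raise ValueError("unknown accessTime syntax: %r" % rule)


def access_allowed(rules, when):
    """Allow if any rule matches.  Every rule is parsed first: a client that
    cannot interpret one value has no safe option but to deny (fail closed)."""
    try:
        verdicts = [rule_matches(rule, when) for rule in rules]
    except ValueError:
        return False
    return any(verdicts)


if __name__ == "__main__":
    # July 2010 began on a Thursday, so its first Wednesday (the 7th) sits in
    # wall-calendar week 2 but in septet 1.
    for rule in ("periodic monthly week 1 day 3 0800-1700",
                 "periodic monthly septet 1 day 3 0800-1700"):
        print(rule, "->", rule_matches(rule, "2010-07-07 09:00"))
    # Second shift expressed as two attributes, neither crossing midnight.
    shift = ["periodic weekly day 1-5 1700-2359",
             "periodic weekly day 2-6 0000-0159"]
    print("Tue 01:30 ->", access_allowed(shift, "2010-11-16 01:30"))
    print("Mon 01:30 ->", access_allowed(shift, "2010-11-15 01:30"))
```

The fail-closed branch in `access_allowed` is the behaviour a client is left with when it receives syntax it does not understand; parsing every value before answering is what keeps a matching first rule from masking an unparseable second one.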
From: dpal at redhat.com (Dmitri Pal) Date: Wed, 17 Nov 2010 16:21:18 -0500 Subject: [Freeipa-devel] [SSSD] Proposed changes to the HBAC grammar In-Reply-To: <4CE4440C.4030400@redhat.com> References: <4CE4440C.4030400@redhat.com> Message-ID: <4CE4474E.2040102@redhat.com> Stephen Gallagher wrote: > During a discussion today about how to represent the HBAC grammar in the > FreeIPA GUI, it became apparent that there was a limitation in the > grammar. Specifically, it's not possible to describe in a non-ambiguous > way "The first Wednesday of the month". > > Right now, this would be described by: > accessTime: periodic monthly week 1 day 3 0800-1700 > > However, this literally means "Wednesdays that appear as the first week > on a wall calendar". Meaning that if the month began on a Thursday, this > rule would not fire this month. Thus it's not behaving in a way that > would be reasonably expected by a user. > > After extended discussion, Simo, Ben and I discussed replacing this > week-of-the-month concept with a septet-of-the-month concept instead. > > This would be described by: > accessTime: periodic monthly septet 1 day 3 0800-1700 > > and would literally translate as "The wednesday that exists within the > first septet of the month". The first septet being the range of day 1 > through day 7, the second septet being day 8 through 14, and so forth. > > We all feel that this would map closer to a user's expectation when > describing "the Nth Wednesday of the month", since it's a guarantee that > Wednesday will appear only once within a septet. > > This will require two changes to the HBAC schema. First of all, we plan > to drop the week-of-the-month concept entirely and replace it with > septet-of-the-month. This is being done to eliminate the ambiguity > entirely. 
Secondly, we will need to describe day-of-the-septet in the > grammar (where the day of the septet describes the name of the weekday, > and not its numerical position within the septet, as that would be a > useless and complex duplication of the day-of-the-month concept). > > > In a related note, we also discussed how to handle describing activity > windows that cross the midnight boundary. It's my recommendation that we > should handle examples like the following by breaking them into two > separate accessTime attributes, one that describes the portion preceding > midnight and describes the set of days wherein the block starts, and a > second accessTime attribute that is offset by one day and describes the > portion taking place after midnight. > > Second-shift (17:00-01:59, M-S*) *starts Monday, ends Saturday morning > becomes > accessTime: periodic weekly day 1-5 1700-2359 > accessTime: periodic weekly day 2-6 0000-0159 > I agree with the proposal; the only issue I see is the time zone of the user. When the user schedules the window it should be clear what time zone he is using. If in v2 we use UTC for all, I am fine, but if we allow the user to enter the window in the local time of his machine and then rely on the client UI/CLI to convert it to UTC, we can face a problem of the local time window not crossing midnight while the UTC window will cross the boundary. We need to define how this case will be handled and how we interpret the input. Please add the clarification about this. _______________________________________________ sssd-devel mailing list sssd-devel at lists.fedorahosted.org https://fedorahosted.org/mailman/listinfo/sssd-devel -- Thank you, Dmitri Pal Sr. Engineering Manager IPA project, Red Hat Inc. ------------------------------- Looking to carve out IT costs? www.redhat.com/carveoutcosts/ From ssorce at redhat.com Wed Nov 17 21:26:17 2010
From: ssorce at redhat.com (Simo Sorce) Date: Wed, 17 Nov 2010 16:26:17 -0500 Subject: [Freeipa-devel] [PATCH] 0016 Tune directory server In-Reply-To: <20101116140958.39fa360c@willson.li.ssimo.org> References: <20101116140958.39fa360c@willson.li.ssimo.org> Message-ID: <20101117162617.34313713@willson.li.ssimo.org> On Tue, 16 Nov 2010 14:09:58 -0500 Simo Sorce wrote: > > This patch bumps up the default number of files allowed by default for > directory server. This allows more clients and also reserves a bigger > number of FDs (at least according to doc) for replication agreements > and such things. > > Ticket 464. Changed the patch to restore files on uninstall. Now 0016-2 depends on 0017 attached here too. Simo. -- Simo Sorce * Red Hat, Inc * New York -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-simo-0016-2-Autotune-directory-server-to-use-a-greater-number-of.patch Type: text/x-patch Size: 5305 bytes Desc: not available URL: -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-simo-0017-Save-and-restore-on-uninstall-ds-related-config-file.patch Type: text/x-patch Size: 2760 bytes Desc: not available URL: From ssorce at redhat.com Wed Nov 17 21:27:11 2010 From: ssorce at redhat.com (Simo Sorce) Date: Wed, 17 Nov 2010 16:27:11 -0500 Subject: [Freeipa-devel] [PATCH] 0018 filter lockout attributes from replication Message-ID: <20101117162711.2682bfd9@willson.li.ssimo.org> Fixes #440 Simo. -- Simo Sorce * Red Hat, Inc * New York -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-simo-0018-Exclude-Krb-lockout-attributes-from-replication.patch Type: text/x-patch Size: 1797 bytes Desc: not available URL: From ssorce at redhat.com Wed Nov 17 21:31:14 2010 
From: ssorce at redhat.com (Simo Sorce) Date: Wed, 17 Nov 2010 16:31:14 -0500 Subject: [Freeipa-devel] Proposed changes to the HBAC grammar In-Reply-To: <4CE4440C.4030400@redhat.com> References: <4CE4440C.4030400@redhat.com> Message-ID: <20101117163114.13724d40@willson.li.ssimo.org> On Wed, 17 Nov 2010 16:07:24 -0500 Stephen Gallagher wrote: > This will require two changes to the HBAC schema. First of all, we > plan to drop the week-of-the-month concept entirely and replace it > with septet-of-the-month. This is being done to eliminate the > ambiguity entirely. Secondly, we will need to describe > day-of-the-septet in the grammar (where the day of the septet > describes the name of the weekday, and not its numerical position > within the septet, as that would be a useless and complex duplication > of the day-of-the-month concept). > I think we can keep using 1-7 in the septet with the understanding that 1 is always Monday, 2 is always Tuesday and so on. Simo. -- Simo Sorce * Red Hat, Inc * New York From ayoung at redhat.com Wed Nov 17 21:51:12 2010 
From: ayoung at redhat.com (Adam Young) Date: Wed, 17 Nov 2010 16:51:12 -0500 Subject: [Freeipa-devel] Proposed changes to the HBAC grammar In-Reply-To: <20101117163114.13724d40@willson.li.ssimo.org> References: <4CE4440C.4030400@redhat.com> <20101117163114.13724d40@willson.li.ssimo.org> Message-ID: <4CE44E50.1020300@redhat.com> On 11/17/2010 04:31 PM, Simo Sorce wrote: > On Wed, 17 Nov 2010 16:07:24 -0500 > Stephen Gallagher wrote: > > >> This will require two changes to the HBAC schema. First of all, we >> plan to drop the week-of-the-month concept entirely and replace it >> with septet-of-the-month. This is being done to eliminate the >> ambiguity entirely. Secondly, we will need to describe >> day-of-the-septet in the grammar (where the day of the septet >> describes the name of the weekday, and not its numerical position >> within the septet, as that would be a useless and complex duplication >> of the day-of-the-month concept). >> >> > I think we can keep using 1-7 in the septet with the > understanding that 1 is always Monday, 2 is always Tuesday and so on. > > Simo. > > I'd like to propose that we have a goal to be as close to the Cron grammar as practicable. So we should allow 0 or 7 for Sunday. This is in keeping with your proposal. Here are the examples from the crontab 5 manpage:
# run five minutes after midnight, every day
5 0 * * * $HOME/bin/daily.job >> $HOME/tmp/out 2>&1
# run at 2:15pm on the first of every month -- output mailed to paul
15 14 1 * * $HOME/bin/monthly
# run at 10 pm on weekdays, annoy Joe
0 22 * * 1-5 mail -s "It's 10pm" joe%Joe,%%Where are your kids?%
23 0-23/2 * * * echo "run 23 minutes after midn, 2am, 4am ..., everyday"
5 4 * * sun echo "run at 5 after 4 every sunday"
I'm not sure that 'First Wednesday of the month' is possible with this grammar, either. Yet, somehow, it has survived many years. 
Since we are so close to deadline on this, I suspect we should go with something as straightforward as this, and expand it post release. From edewata at redhat.com Wed Nov 17 22:01:34 2010
From: edewata at redhat.com (Endi Sukma Dewata) Date: Wed, 17 Nov 2010 16:01:34 -0600 Subject: [Freeipa-devel] [PATCH] admiyo-0092-action-select In-Reply-To: <4CE4211F.4030909@redhat.com> References: <4CE4211F.4030909@redhat.com> Message-ID: <4CE450BE.4070400@redhat.com> On 11/17/2010 12:38 PM, Adam Young wrote: > ACK and pushed to master. -- Endi S. Dewata From ssorce at redhat.com Wed Nov 17 22:06:16 2010 From: ssorce at redhat.com (Simo Sorce) Date: Wed, 17 Nov 2010 17:06:16 -0500 Subject: [Freeipa-devel] Proposed changes to the HBAC grammar In-Reply-To: <4CE44E50.1020300@redhat.com> References: <4CE4440C.4030400@redhat.com> <20101117163114.13724d40@willson.li.ssimo.org> <4CE44E50.1020300@redhat.com> Message-ID: <20101117170616.55c38b91@willson.li.ssimo.org> On Wed, 17 Nov 2010 16:51:12 -0500 Adam Young wrote: > Since we are so close to deadline on this, I suspect we should go > with something as straightforward as this, and expand it post release. Expanding post release would be an ABI change, not feasible. Remember that *clients* need to interpret this, that's why we defined the grammar so much in advance. Once released it is basically unchangeable. So incremental doesn't work here, unless you have a way to tell how clients should behave when they do not understand what they are receiving, and the only answer I see in that case is that they will behave *badly* (ie the only option they have is to deny always). Simo. -- Simo Sorce * Red Hat, Inc * New York From edewata at redhat.com Wed Nov 17 22:16:55 2010 
From: edewata at redhat.com (Endi Sukma Dewata) Date: Wed, 17 Nov 2010 16:16:55 -0600 Subject: [Freeipa-devel] [PATCH] admiyo-0093-CSS-cleanup In-Reply-To: <4CE432F5.9060303@redhat.com> References: <4CE432F5.9060303@redhat.com> Message-ID: <4CE45457.2000101@redhat.com> On 11/17/2010 1:54 PM, Adam Young wrote: > Depends on 0092. ACK and pushed to master. Note: 1. The 2nd level navigation is too wide, it wraps to the next line. 2. Just noticed the unselect all checkbox is broken, but not because of this patch though. -- Endi S. Dewata From edewata at redhat.com Wed Nov 17 22:20:39 2010 From: edewata at redhat.com (Endi Sukma Dewata) Date: Wed, 17 Nov 2010 16:20:39 -0600 Subject: [Freeipa-devel] [PATCH]admiyo-0094-xhtml-to-html In-Reply-To: <4CE435C2.5090705@redhat.com> References: <4CE435C2.5090705@redhat.com> Message-ID: <4CE45537.2080300@redhat.com> On 11/17/2010 2:06 PM, Adam Young wrote: > This patch doesn't apply, the index.html is already created in patch #92. -- Endi S. Dewata From edewata at redhat.com Wed Nov 17 23:24:33 2010 
From: edewata at redhat.com (Endi Sukma Dewata) Date: Wed, 17 Nov 2010 17:24:33 -0600 Subject: [Freeipa-devel] [SSSD] Proposed changes to the HBAC grammar In-Reply-To: <4CE4474E.2040102@redhat.com> References: <4CE4440C.4030400@redhat.com> <4CE4474E.2040102@redhat.com> Message-ID: <4CE46431.2090907@redhat.com> On 11/17/2010 3:21 PM, Dmitri Pal wrote: >> In a related note, we also discussed how to handle describing activity >> windows that cross the midnight boundary. It's my recommendation that we >> should handle examples like the following by breaking them into two >> separate accessTime attributes, one that describes the portion preceding >> midnight and describes the set of days wherein the block starts, and a >> second accessTime attribute that is offset by one day and describes the >> portion taking place after midnight. >> >> Second-shift (17:00-01:59, M-S*) *starts Monday, ends Saturday morning >> becomes >> accessTime: periodic weekly day 1-5 1700-2359 >> accessTime: periodic weekly day 2-6 0000-0159 > > I agree with the proposal the only issue I see is the issue of the time > zone of the user. When the user schedules the window it should be clear > what time zone he is using. If we in v2 use UTC for all I am fine but if > we allow user to enter window in the local time to his machine and then > rely on the client UI/CLI to convert it to UTC we can face a problem of > the local time window not crossing midnight while the UTC window will > cross the boundary. We need to define how this case will be handled and > how we interpret the input. Will the user need to be aware of this issue? In other words, will the UI force the user to split a schedule that crosses midnight manually? If yes, there are some issues: 1. Some schedules that have to be split because of local time zone can actually be merged in UTC. In that case do we want to merge it or keep them separate? 
For example: - Original: 2100-0159 local (UTC-3) - Entered in UI: 2100-2359 and 0000-0159 local - Stored on server: a) keep the split schedules: 0000-0259 and 0300-0459 UTC b) merge it: 0000-0359 UTC 2. Some schedules that have to be split because of local time zone may need to be split differently in UTC. Will this confuse users? For example: - Original: 2100-0159 local (UTC-2) - Entered in UI: 2100-2359 and 0000-0159 local - Stored on server: a) split the first part: 2300-2359, 0000-0159, and 0200-0359 UTC b) merge if possible: 2300-2359 and 0000-0359 UTC Alternatively, the splitting issue can be hidden by the UI, but UI and CLI will be inconsistent. -- Endi S. Dewata From edewata at redhat.com Wed Nov 17 23:37:45 2010 
From: edewata at redhat.com (Endi Sukma Dewata) Date: Wed, 17 Nov 2010 17:37:45 -0600 Subject: [Freeipa-devel] [SSSD] Proposed changes to the HBAC grammar In-Reply-To: <4CE46431.2090907@redhat.com> References: <4CE4440C.4030400@redhat.com> <4CE4474E.2040102@redhat.com> <4CE46431.2090907@redhat.com> Message-ID: <4CE46749.3080807@redhat.com> On 11/17/2010 5:24 PM, Endi Sukma Dewata wrote: > Will the user need to be aware of this issue? In other words, will the > UI enforce the user to split a schedule that crosses midnight manually? > > If yes, there are some issues: > > 1. Some schedules that have to be split because of local time zone can > actually be merged in UTC. In that case do we want to merge it or keep > them separate? For example: > - Original: 2100-0159 local (UTC-3) > - Entered in UI: 2100-2359 and 0000-0159 local > - Stored on server: > a) keep the split schedules: 0000-0259 and 0300-0459 UTC > b) merge it: 0000-0359 UTC > > 2. Some schedules that have to be split because of local time zone may > need to be split differently in UTC. Will this confuse users? For example: > - Original: 2100-0159 local (UTC-2) > - Entered in UI: 2100-2359 and 0000-0159 local > - Stored on server: > a) split the first part: 2300-2359, 0000-0159, and 0200-0359 UTC > b) merge if possible: 2300-2359 and 0000-0359 UTC > > Alternatively, the splitting issue can be hidden by the UI, but UI and > CLI will be inconsistent. > Also, when viewing an existing schedule, the UTC schedule may not fit the UI for the local time zone, requiring a split too. -- Endi S. Dewata From ayoung at redhat.com Thu Nov 18 01:58:43 2010 
From: ayoung at redhat.com (Adam Young) Date: Wed, 17 Nov 2010 20:58:43 -0500 Subject: [Freeipa-devel] [PATCH]admiyo-0094-xhtml-to-html In-Reply-To: <4CE45537.2080300@redhat.com> References: <4CE435C2.5090705@redhat.com> <4CE45537.2080300@redhat.com> Message-ID: <4CE48853.4040607@redhat.com> On 11/17/2010 05:20 PM, Endi Sukma Dewata wrote: > On 11/17/2010 2:06 PM, Adam Young wrote: >> > > This patch doesn't apply, the index.html is already created in patch #92. > OK. Didn't realize I had done that; thought it was in another branch. The index.html file is in the right form, though, so all that really needs to happen is removing the xhtml file. -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-admiyo-0095-removed-index.xhtml.patch Type: text/x-patch Size: 3684 bytes Desc: not available URL: From ayoung at redhat.com Thu Nov 18 03:17:29 2010 From: ayoung at redhat.com (Adam Young) Date: Wed, 17 Nov 2010 22:17:29 -0500 Subject: [Freeipa-devel] Plugin to list plugins? Message-ID: <4CE49AC9.9020005@redhat.com> Is there a server side plugin I can call to list the plugins, or is this logic completely contained on the client side now? From ayoung at redhat.com Thu Nov 18 03:34:34 2010 From: ayoung at redhat.com (Adam Young) Date: Wed, 17 Nov 2010 22:34:34 -0500 Subject: [Freeipa-devel] admiyo-0097-batch-init Message-ID: <4CE49ECA.4020308@redhat.com> -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-admiyo-0097-batch-init.patch Type: text/x-patch Size: 257450 bytes Desc: not available URL: From sgallagh at redhat.com Thu Nov 18 12:09:47 2010
From: sgallagh at redhat.com (Stephen Gallagher) Date: Thu, 18 Nov 2010 07:09:47 -0500 Subject: [Freeipa-devel] Proposed changes to the HBAC grammar In-Reply-To: <4CE44E50.1020300@redhat.com> References: <4CE4440C.4030400@redhat.com> <20101117163114.13724d40@willson.li.ssimo.org> <4CE44E50.1020300@redhat.com> Message-ID: <4CE5178B.4050402@redhat.com> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 On 11/17/2010 04:51 PM, Adam Young wrote: > On 11/17/2010 04:31 PM, Simo Sorce wrote: >> On Wed, 17 Nov 2010 16:07:24 -0500 >> Stephen Gallagher wrote: >> >> >>> This will require two changes to the HBAC schema. First of all, we >>> plan to drop the week-of-the-month concept entirely and replace it >>> with septet-of-the-month. This is being done to eliminate the >>> ambiguity entirely. Secondly, we will need to describe >>> day-of-the-septet in the grammar (where the day of the septet >>> describes the name of the weekday, and not its numerical position >>> within the septet, as that would be a useless and complex duplication >>> of the day-of-the-month concept). >>> >>> >> I think we can keep using 1-7 in the septet with the >> understanding that 1 is always Monday, 2 is always Tuesday and so on. >> >> Simo. >> >> > I'd like to propose that we have a goal to be as close to the Cron > grammar as practicable. So we should allow 0 or 7 for Sunday. This is in > keeping with your proposal. > > > > Here are the examples from the crontab 5 manpage; > > # run five minutes after midnight, every day > 5 0 * * * $HOME/bin/daily.job >> $HOME/tmp/out 2>&1 > # run at 2:15pm on the first of every month -- output mailed to paul > 15 14 1 * * $HOME/bin/monthly > # run at 10 pm on weekdays, annoy Joe > 0 22 * * 1-5 mail -s "It's 10pm" joe%Joe,%%Where are your kids?% > 23 0-23/2 * * * echo "run 23 minutes after midn, 2am, 4am ..., everyday" > 5 4 * * sun echo "run at 5 after 4 every sunday" > > > > I'm not sure that 'First Wednesday of the month' is possible with this > grammar, either. 
Yet, somehow, it has survived many years. > 0 8 1-7 * 3 (read, 08:00 on the Wednesday that falls between the 1st and 7th day of the 6th month) - -- Stephen Gallagher RHCE 804006346421761 Delivering value year after year. Red Hat ranks #1 in value among software vendors. http://www.redhat.com/promo/vendor/ -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.11 (GNU/Linux) Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org/ iEYEARECAAYFAkzlF4UACgkQeiVVYja6o6NTtwCfRBeGkTqDMHYj+SPMydCfFila wCYAn1Z8gbd0qlaWSEchzqbTe86jWDXM =r9zs -----END PGP SIGNATURE----- From sgallagh at redhat.com Thu Nov 18 12:12:21 2010 
From: sgallagh at redhat.com (Stephen Gallagher) Date: Thu, 18 Nov 2010 07:12:21 -0500 Subject: [Freeipa-devel] [SSSD] Proposed changes to the HBAC grammar In-Reply-To: <4CE46749.3080807@redhat.com> References: <4CE4440C.4030400@redhat.com> <4CE4474E.2040102@redhat.com> <4CE46431.2090907@redhat.com> <4CE46749.3080807@redhat.com> Message-ID: <4CE51825.2060907@redhat.com> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 On 11/17/2010 06:37 PM, Endi Sukma Dewata wrote: > On 11/17/2010 5:24 PM, Endi Sukma Dewata wrote: >> Will the user need to be aware of this issue? In other words, will the >> UI enforce the user to split a schedule that crosses midnight manually? >> >> If yes, there are some issues: >> >> 1. Some schedules that have to be split because of local time zone can >> actually be merged in UTC. In that case do we want to merge it or keep >> them separate? For example: >> - Original: 2100-0159 local (UTC-3) >> - Entered in UI: 2100-2359 and 0000-0159 local >> - Stored on server: >> a) keep the split schedules: 0000-0259 and 0300-0459 UTC >> b) merge it: 0000-0359 UTC >> >> 2. Some schedules that have to be split because of local time zone may >> need to be split differently in UTC. Will this confuse users? For >> example: >> - Original: 2100-0159 local (UTC-2) >> - Entered in UI: 2100-2359 and 0000-0159 local >> - Stored on server: >> a) split the first part: 2300-2359, 0000-0159, and 0200-0359 UTC >> b) merge if possible: 2300-2359 and 0000-0359 UTC >> >> Alternatively, the splitting issue can be hidden by the UI, but UI and >> CLI will be inconsistent. >> > > Also, when viewing an existing schedule, the UTC schedule may not fit > the UI for the local time zone, requiring a split too. > The intent from a user interface perspective (Web UI or CLI) was that we would allow the user to specify the start time, a duration and a repetition, and that internally we would convert that into the format described above. Of course, the UI->accessTime conversion is easy. 
It might be tricky to do the reverse when reading it back to the user. I'm open to suggestions on how to handle this. - -- Stephen Gallagher RHCE 804006346421761 Delivering value year after year. Red Hat ranks #1 in value among software vendors. http://www.redhat.com/promo/vendor/ -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.11 (GNU/Linux) Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org/ iEYEARECAAYFAkzlGCUACgkQeiVVYja6o6OIiwCfdIhgFv5YYEfYyW2cea7oFZNP GywAnizSgA1FKzSAcKZqN9hnzNhuMm+a =tSss -----END PGP SIGNATURE----- From sgallagh at redhat.com Thu Nov 18 12:21:04 2010 
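An added example (not FreeIPA or SSSD code) of the UI-to-accessTime direction described in this reply, run over the local-time windows from Endi's two messages above: it takes each local window as (start weekdays, start time, duration), shifts it into UTC, splits any piece that crosses UTC midnight, merges pieces that abut on the same UTC day, and collapses identical windows on consecutive days into one `day LO-HI` range, so both the "merge in UTC" and the "split differently in UTC" cases fall out of the same routine. Assumptions of the example: weekday numbers 1 = Monday through 7 = Sunday, inclusive HHMM ranges, the zone given as an hour offset from UTC, and durations of at most 24 hours.

```python
"""Convert local-time HBAC windows into UTC accessTime values that never
cross midnight.

Added example; not FreeIPA or SSSD code.  Assumptions made here:
  * a window is (start weekdays, start 'HHMM', duration in minutes), i.e.
    the start time / duration / repetition shape described in the thread,
  * weekday numbers are 1 = Monday .. 7 = Sunday,
  * utc_offset_hours is the local zone's offset from UTC (UTC-3 -> -3),
  * HHMM ranges are inclusive; a duration is at most 24 hours,
  * pieces that abut on the same UTC day are merged, and identical windows
    on consecutive days are collapsed into one 'day LO-HI' range.
"""
from collections import defaultdict

MIN_PER_DAY = 24 * 60


def _hhmm(minutes):
    return "%02d%02d" % divmod(minutes, 60)


def _utc_pieces(start_days, start_hhmm, duration_min, utc_offset_hours):
    """Yield (utc_weekday, first_minute, last_minute); none crosses midnight."""
    if not 1 <= duration_min <= MIN_PER_DAY:
        raise ValueError("duration must be between 1 minute and 24 hours")
    local_start = int(start_hhmm[:2]) * 60 + int(start_hhmm[2:])
    # Local = UTC + offset, so UTC = local - offset; divmod gives the day carry.
    day_shift, utc_start = divmod(local_start - int(utc_offset_hours * 60),
                                  MIN_PER_DAY)
    utc_end = utc_start + duration_min - 1                # inclusive last minute
    for day in start_days:
        utc_day = (day - 1 + day_shift) % 7 + 1
        if utc_end < MIN_PER_DAY:
            yield (utc_day, utc_start, utc_end)
        else:                                             # crosses UTC midnight
            yield (utc_day, utc_start, MIN_PER_DAY - 1)
            yield (utc_day % 7 + 1, 0, utc_end - MIN_PER_DAY)


def _merge_same_day(pieces):
    """Join pieces on the same UTC day that touch or overlap."""
    by_day = defaultdict(list)
    for day, start, end in pieces:
        by_day[day].append((start, end))
    merged = []
    for day, spans in by_day.items():
        spans.sort()
        cur_start, cur_end = spans[0]
        for start, end in spans[1:]:
            if start <= cur_end + 1:
                cur_end = max(cur_end, end)
            else:
                merged.append((day, cur_start, cur_end))
                cur_start, cur_end = start, end
        merged.append((day, cur_start, cur_end))
    return merged


def to_access_time(windows, utc_offset_hours):
    """Return sorted 'periodic weekly day D[-D] HHMM-HHMM' strings in UTC."""
    pieces = []
    for start_days, start_hhmm, duration_min in windows:
        pieces.extend(_utc_pieces(start_days, start_hhmm, duration_min,
                                  utc_offset_hours))
    by_window = defaultdict(set)
    for day, start, end in _merge_same_day(pieces):
        by_window[(start, end)].add(day)
    runs = []                                   # (lo_day, hi_day, start, end)
    for (start, end), days in by_window.items():
        days = sorted(days)
        lo = prev = days[0]
        for day in days[1:]:
            if day != prev + 1:
                runs.append((lo, prev, start, end))
                lo = day
            prev = day
        runs.append((lo, prev, start, end))
    return ["periodic weekly day %s %s-%s"
            % (str(lo) if lo == hi else "%d-%d" % (lo, hi), _hhmm(s), _hhmm(e))
            for lo, hi, s, e in sorted(runs)]


if __name__ == "__main__":
    # Second shift, Mon-Fri 17:00 for nine hours, entered in UTC.
    print(to_access_time([([1, 2, 3, 4, 5], "1700", 540)], 0))
    # 2100-0159 local, entered as two pieces, first in UTC-3 and then in UTC-2.
    split = [([1], "2100", 180), ([2], "0000", 120)]
    print(to_access_time(split, -3))
    print(to_access_time(split, -2))
```

Feeding the two locally split pieces through in UTC-3 yields a single merged UTC window, while in UTC-2 the first piece itself straddles UTC midnight and is re-split, which is the ambiguity Endi raises; the reverse direction (rebuilding the user's local start and duration from stored UTC values) is not attempted here.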
From: sgallagh at redhat.com (Stephen Gallagher) Date: Thu, 18 Nov 2010 07:21:04 -0500 Subject: [Freeipa-devel] [SSSD] Proposed changes to the HBAC grammar In-Reply-To: <20101117214815.GK2973@localhost.localdomain> References: <4CE4440C.4030400@redhat.com> <20101117214815.GK2973@localhost.localdomain> Message-ID: <4CE51A30.1040702@redhat.com> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 On 11/17/2010 04:48 PM, Sumit Bose wrote: > On Wed, Nov 17, 2010 at 04:07:24PM -0500, Stephen Gallagher wrote: > After extended discussion, Simo, Ben and I discussed replacing this > week-of-the-month concept with a septet-of-the-month concept instead. > > This would be described by: > accessTime: periodic monthly septet 1 day 3 0800-1700 > > and would literally translate as "The wednesday that exists within the > first septet of the month". The first septet being the range of day 1 > through day 7, the second septet being day 8 through 14, and so forth. > >> I would like to suggest to allow negative numbers to cover 'the last >> Wednesdays of the month'. > Doing the forward septets is easy (1*x..7*x), but the reverse septets are more complicated (since they would be (y-1*x..y-7*x), where y is the total number of days in the month (which also has to account for leap years). I think it might be a nice enhancement, but I recommend that we not include it right now, given the tight release schedule for FreeIPA v2. - -- Stephen Gallagher RHCE 804006346421761 Delivering value year after year. Red Hat ranks #1 in value among software vendors. http://www.redhat.com/promo/vendor/ -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.11 (GNU/Linux) Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org/ iEYEARECAAYFAkzlGjAACgkQeiVVYja6o6PLxQCfW4OakzaQH+OPtlD4kOsyh7BN voMAn1G+dMWRTx5jwxL1yu5lkbuWX+Qz =ZDmw -----END PGP SIGNATURE----- From ssorce at redhat.com Thu Nov 18 13:24:47 2010 
From: ssorce at redhat.com (Simo Sorce) Date: Thu, 18 Nov 2010 08:24:47 -0500 Subject: [Freeipa-devel] [SSSD] Proposed changes to the HBAC grammar In-Reply-To: <4CE51A30.1040702@redhat.com> References: <4CE4440C.4030400@redhat.com> <20101117214815.GK2973@localhost.localdomain> <4CE51A30.1040702@redhat.com> Message-ID: <20101118082447.23f6052f@willson.li.ssimo.org> On Thu, 18 Nov 2010 07:21:04 -0500 Stephen Gallagher wrote: > Doing the forward septets is easy (1*x..7*x), but the reverse septets > are more complicated (since they would be (y-1*x..y-7*x), where y is > the total number of days in the month (which also has to account for > leap years). > > I think it might be a nice enhancement, but I recommend that we not > include it right now, given the tight release schedule for FreeIPA v2. As I said before it is a now or never condition. If you do not put it in now, then when you put it in, old clients will not understand the rule. And they will have only one option, always deny access, because they have no way to understand when it is ok to allow/deny it. Simo. -- Simo Sorce * Red Hat, Inc * New York From dpal at redhat.com Thu Nov 18 13:29:55 2010 
From: dpal at redhat.com (Dmitri Pal)
Date: Thu, 18 Nov 2010 08:29:55 -0500
Subject: [Freeipa-devel] [SSSD] Proposed changes to the HBAC grammar
In-Reply-To: <4CE46431.2090907@redhat.com>
References: <4CE4440C.4030400@redhat.com> <4CE4474E.2040102@redhat.com> <4CE46431.2090907@redhat.com>
Message-ID: <4CE52A53.4010602@redhat.com>

Endi Sukma Dewata wrote:
> On 11/17/2010 3:21 PM, Dmitri Pal wrote:
>>> In a related note, we also discussed how to handle describing activity
>>> windows that cross the midnight boundary. It's my recommendation that we
>>> should handle examples like the following by breaking them into two
>>> separate accessTime attributes, one that describes the portion preceding
>>> midnight and describes the set of days wherein the block starts, and a
>>> second accessTime attribute that is offset by one day and describes the
>>> portion taking place after midnight.
>>>
>>> Second-shift (17:00-01:59, M-S*) *starts Monday, ends Saturday morning
>>> becomes
>>> accessTime: periodic weekly day 1-5 1700-2359
>>> accessTime: periodic weekly day 2-6 0000-0159
>>
>> I agree with the proposal the only issue I see is the issue of the time
>> zone of the user. When the user schedules the window it should be clear
>> what time zone he is using. If we in v2 use UTC for all I am fine but if
>> we allow user to enter window in the local time to his machine and then
>> rely on the client UI/CLI to convert it to UTC we can face a problem of
>> the local time window not crossing midnight while the UTC window will
>> cross the boundary. We need to define how this case will be handled and
>> how we interpret the input.
>
> Will the user need to be aware of this issue? In other words, will the
> UI enforce the user to split a schedule that crosses midnight manually?
>
> If yes, there are some issues:
>
> 1. Some schedules that have to be split because of local time zone can
> actually be merged in UTC. In that case do we want to merge it or keep
> them separate? For example:
> - Original: 2100-0159 local (UTC-3)
> - Entered in UI: 2100-2359 and 0000-0159 local
> - Stored on server:
>   a) keep the split schedules: 0000-0259 and 0300-0459 UTC
>   b) merge it: 0000-0359 UTC
>
> 2. Some schedules that have to be split because of local time zone may
> need to be split differently in UTC. Will this confuse users? For
> example:
> - Original: 2100-0159 local (UTC-2)
> - Entered in UI: 2100-2359 and 0000-0159 local
> - Stored on server:
>   a) split the first part: 2300-2359, 0000-0159, and 0200-0359 UTC
>   b) merge if possible: 2300-2359 and 0000-0359 UTC
>
> Alternatively, the splitting issue can be hidden by the UI, but UI and
> CLI will be inconsistent.
>
Yes. This is exactly the problem I am concerned about.

--
Thank you,
Dmitri Pal

Sr. Engineering Manager IPA project,
Red Hat Inc.

-------------------------------
Looking to carve out IT costs?
www.redhat.com/carveoutcosts/

From adam at younglogic.com Thu Nov 18 02:15:10 2010
From: adam at younglogic.com (Adam Young)
Date: Wed, 17 Nov 2010 21:15:10 -0500
Subject: [Freeipa-devel] admiyo-0096-add-button
Message-ID: <4CE48C2E.9080704@younglogic.com>

https://fedorahosted.org/freeipa/ticket/471
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-admiyo-0096-add-button.patch
Type: text/x-patch
Size: 1350 bytes
Desc: not available
URL:

From dpal at redhat.com Thu Nov 18 13:37:32 2010
From: dpal at redhat.com (Dmitri Pal)
Date: Thu, 18 Nov 2010 08:37:32 -0500
Subject: [Freeipa-devel] [SSSD] Proposed changes to the HBAC grammar
In-Reply-To: <20101118082447.23f6052f@willson.li.ssimo.org>
References: <4CE4440C.4030400@redhat.com> <20101117214815.GK2973@localhost.localdomain> <4CE51A30.1040702@redhat.com> <20101118082447.23f6052f@willson.li.ssimo.org>
Message-ID: <4CE52C1C.7030808@redhat.com>

Simo Sorce wrote:
> On Thu, 18 Nov 2010 07:21:04 -0500
> Stephen Gallagher wrote:
>
>> Doing the forward septets is easy (1*x..7*x), but the reverse septets
>> are more complicated (since they would be (y-1*x..y-7*x), where y is
>> the total number of days in the month (which also has to account for
>> leap years).
>>
>> I think it might be a nice enhancement, but I recommend that we not
>> include it right now, given the tight release schedule for FreeIPA v2.
>
> As I said before it is a now or never condition.
> If you do not put it in now, then when you put it in, old clients will
> not understand the rule. And they will have only one option, always
> deny access, because they have no way to understand when it is ok to
> allow/deny it.
>
> Simo.
>
What about just using the cron spec then with the addition of the
duration? And completely abandon our grammar for the periodic part (I
know it is a lot of work and start over again but if we have one shot
wouldn't it be best to use something existing?)
Will that work?

--
Thank you,
Dmitri Pal

Sr. Engineering Manager IPA project,
Red Hat Inc.

From ssorce at redhat.com Thu Nov 18 14:06:30 2010
From: ssorce at redhat.com (Simo Sorce)
Date: Thu, 18 Nov 2010 09:06:30 -0500
Subject: [Freeipa-devel] [SSSD] Proposed changes to the HBAC grammar
In-Reply-To: <4CE52A53.4010602@redhat.com>
References: <4CE4440C.4030400@redhat.com> <4CE4474E.2040102@redhat.com> <4CE46431.2090907@redhat.com> <4CE52A53.4010602@redhat.com>
Message-ID: <20101118090630.087ad6b1@willson.li.ssimo.org>

On Thu, 18 Nov 2010 08:29:55 -0500
Dmitri Pal wrote:

> Endi Sukma Dewata wrote:
> > On 11/17/2010 3:21 PM, Dmitri Pal wrote:
> >>> In a related note, we also discussed how to handle describing
> >>> activity windows that cross the midnight boundary. It's my
> >>> recommendation that we should handle examples like the following
> >>> by breaking them into two separate accessTime attributes, one that
> >>> describes the portion preceding midnight and describes the set of
> >>> days wherein the block starts, and a second accessTime attribute
> >>> that is offset by one day and describes the portion taking place
> >>> after midnight.
> >>>
> >>> Second-shift (17:00-01:59, M-S*) *starts Monday, ends Saturday
> >>> morning becomes
> >>> accessTime: periodic weekly day 1-5 1700-2359
> >>> accessTime: periodic weekly day 2-6 0000-0159
> >>
> >> I agree with the proposal the only issue I see is the issue of the
> >> time zone of the user. When the user schedules the window it
> >> should be clear what time zone he is using. If we in v2 use UTC
> >> for all I am fine but if we allow user to enter window in the
> >> local time to his machine and then rely on the client UI/CLI to
> >> convert it to UTC we can face a problem of the local time window
> >> not crossing midnight while the UTC window will cross the
> >> boundary. We need to define how this case will be handled and how
> >> we interpret the input.
> >
> > Will the user need to be aware of this issue? In other words, will
> > the UI enforce the user to split a schedule that crosses midnight
> > manually?
> >
> > If yes, there are some issues:
> >
> > 1. Some schedules that have to be split because of local time zone
> > can actually be merged in UTC. In that case do we want to merge it
> > or keep them separate? For example:
> > - Original: 2100-0159 local (UTC-3)
> > - Entered in UI: 2100-2359 and 0000-0159 local
> > - Stored on server:
> >   a) keep the split schedules: 0000-0259 and 0300-0459 UTC
> >   b) merge it: 0000-0359 UTC
> >
> > 2. Some schedules that have to be split because of local time zone
> > may need to be split differently in UTC. Will this confuse users?
> > For example:
> > - Original: 2100-0159 local (UTC-2)
> > - Entered in UI: 2100-2359 and 0000-0159 local
> > - Stored on server:
> >   a) split the first part: 2300-2359, 0000-0159, and 0200-0359 UTC
> >   b) merge if possible: 2300-2359 and 0000-0359 UTC
> >
> > Alternatively, the splitting issue can be hidden by the UI, but UI
> > and CLI will be inconsistent.
> >
> Yes. This is exactly the problem I am concerned about.
>

Ok there is an easy way to solve this.
Instead of defining the interval as start-stop time we can define it as
start-duration. This will remove any problem with crossing the midnight
and will allow to make a 23:59 hours interval starting at any time of
the day.

Simo.

--
Simo Sorce * Red Hat, Inc * New York

From ssorce at redhat.com Thu Nov 18 14:08:08 2010
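The two spellings discussed in this thread, Stephen's midnight split into two accessTime values and Simo's start-duration proposal, as an added example that is not FreeIPA or SSSD code: a small evaluator that parses both forms, checks whether a given time falls inside a window, and carries a start-duration rule into UTC without splitting it. The `HHMM+HHMM` spelling of the start-duration form is my assumption; the thread proposes the idea but names no syntax for it.

```python
# Added example, not FreeIPA or SSSD code: evaluates the 'periodic weekly'
# accessTime forms from this thread. Day numbers follow the thread's
# examples, day 1 = Monday ... day 7 = Sunday (Python's isoweekday()).
# The start-duration form is spelled "HHMM+HHMM" here; that spelling is an
# assumption, the thread only proposes the idea.
from datetime import datetime, timedelta

MINUTES_PER_DAY = 24 * 60

# Stephen's second-shift example, split at midnight as he recommends.
SECOND_SHIFT = ["periodic weekly day 1-5 1700-2359",
                "periodic weekly day 2-6 0000-0159"]


def _hhmm(text):
    """'1700' -> 1020 minutes since midnight; rejects anything else."""
    if len(text) != 4 or not text.isdigit():
        raise ValueError("bad HHMM field: %r" % text)
    hours, minutes = int(text[:2]), int(text[2:])
    if hours > 23 or minutes > 59:
        raise ValueError("bad HHMM field: %r" % text)
    return hours * 60 + minutes


def _days(text):
    """'1-5' -> {1, 2, 3, 4, 5}; '3' -> {3}."""
    lo, _, hi = text.partition("-")
    lo = int(lo)
    hi = int(hi) if hi else lo
    if not 1 <= lo <= hi <= 7:
        raise ValueError("bad day range: %r" % text)
    return set(range(lo, hi + 1))


def parse_access_time(line):
    """'periodic weekly day <days> <window>' -> (days, start, duration).

    <window> is 'HHMM-HHMM' (start-stop, stop minute inclusive, as in the
    thread's '1700-2359') or 'HHMM+HHMM' (start plus duration, assumed
    spelling). A start-stop window that crosses midnight is rejected: that
    is the case the thread says must be split into two accessTime values.
    """
    words = line.split()
    if len(words) != 5 or words[:3] != ["periodic", "weekly", "day"]:
        raise ValueError("unsupported accessTime: %r" % line)
    days, window = _days(words[3]), words[4]
    if "+" in window:
        start, length = window.split("+", 1)
        return days, _hhmm(start), _hhmm(length)
    start, stop = (_hhmm(part) for part in window.split("-", 1))
    if stop < start:
        raise ValueError("window crosses midnight, split it: %r" % line)
    return days, start, stop - start + 1


def _match(rule, when):
    """True if naive datetime `when` lies inside one occurrence of `rule`."""
    days, start, duration = rule
    # A window that opened today or yesterday may still be running.
    for back in (0, 1):
        day = (when - timedelta(days=back)).date()
        if day.isoweekday() not in days:
            continue
        opens = datetime.combine(day, datetime.min.time()) + timedelta(minutes=start)
        if opens <= when < opens + timedelta(minutes=duration):
            return True
    return False


def allowed(lines, when):
    """True if any accessTime value in `lines` covers `when` (datetime or ISO string)."""
    if isinstance(when, str):
        when = datetime.fromisoformat(when)
    return any(_match(parse_access_time(line), when) for line in lines)


def shift_to_utc(rule, utc_offset_minutes):
    """Move a (days, start, duration) rule from local time into UTC.

    utc_offset_minutes is local minus UTC, so UTC-3 is -180. With
    start+duration only the start minute (and maybe the weekday) moves;
    the window never needs splitting, which is Simo's point.
    """
    days, start, duration = rule
    day_shift, start_utc = divmod(start - utc_offset_minutes, MINUTES_PER_DAY)
    return {(d - 1 + day_shift) % 7 + 1 for d in days}, start_utc, duration


def format_rule(rule):
    """Render a rule in the assumed 'HHMM+HHMM' spelling."""
    days, start, duration = rule
    lo, hi = min(days), max(days)
    if days != set(range(lo, hi + 1)):
        # e.g. day 5-7 shifted forward a day becomes {6, 7, 1}; a single
        # 'day lo-hi' range cannot express that, so two values are needed.
        raise ValueError("day set wraps the week, use two values: %r" % sorted(days))
    if duration >= MINUTES_PER_DAY:
        raise ValueError("duration must be at most 23:59")
    return "periodic weekly day %s %02d%02d+%02d%02d" % (
        "%d" % lo if lo == hi else "%d-%d" % (lo, hi),
        start // 60, start % 60, duration // 60, duration % 60)


if __name__ == "__main__":
    print(allowed(SECOND_SHIFT, "2010-11-18 01:30"))  # Thursday 01:30 -> True
    local = parse_access_time("periodic weekly day 1-5 2100+0500")  # Endi's case
    print(format_rule(shift_to_utc(local, -180)))  # UTC-3 -> day 2-6 0000+0500
```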
From: ssorce at redhat.com (Simo Sorce)
Date: Thu, 18 Nov 2010 09:08:08 -0500
Subject: [Freeipa-devel] [SSSD] Proposed changes to the HBAC grammar
In-Reply-To: <4CE52C1C.7030808@redhat.com>
References: <4CE4440C.4030400@redhat.com> <20101117214815.GK2973@localhost.localdomain> <4CE51A30.1040702@redhat.com> <20101118082447.23f6052f@willson.li.ssimo.org> <4CE52C1C.7030808@redhat.com>
Message-ID: <20101118090808.5cbdceaf@willson.li.ssimo.org>

On Thu, 18 Nov 2010 08:37:32 -0500
Dmitri Pal wrote:

> Simo Sorce wrote:
> > On Thu, 18 Nov 2010 07:21:04 -0500
> > Stephen Gallagher wrote:
> >
> >> Doing the forward septets is easy (1*x..7*x), but the reverse
> >> septets are more complicated (since they would be (y-1*x..y-7*x),
> >> where y is the total number of days in the month (which also has
> >> to account for leap years).
> >>
> >> I think it might be a nice enhancement, but I recommend that we not
> >> include it right now, given the tight release schedule for FreeIPA
> >> v2.
> >
> > As I said before it is a now or never condition.
> > If you do not put it in now, then when you put it in, old clients
> > will not understand the rule. And they will have only one option,
> > always deny access, because they have no way to understand when it
> > is ok to allow/deny it.
> >
> > Simo.
> >
> What about just using the cron spec then with the addition of the
> duration? And completely abandon our grammar for the periodic part (I
> know it is a lot of work and start over again but if we have one shot
> wouldn't it be best to use something existing?)
> Will that work?

The Cron grammar is very ugly and can't do many of the things we need
anyway. The problems we have with the current grammar are minor, and
can be easily solved. We have done 98% of the work, I wouldn't throw it
all away just because we need to fix the remaining 2%

Simo.

--
Simo Sorce * Red Hat, Inc * New York

From jhrozek at redhat.com Thu Nov 18 14:16:49 2010
From: jhrozek at redhat.com (Jakub Hrozek)
Date: Thu, 18 Nov 2010 15:16:49 +0100
Subject: [Freeipa-devel] [PATCH] Fix a couple of problems in C code
In-Reply-To: <4CD8682A.40805@redhat.com>
References: <4CD8682A.40805@redhat.com>
Message-ID: <20101118141646.GA4133@zeppelin.brq.redhat.com>

On Mon, Nov 08, 2010 at 10:14:18PM +0100, Jakub Hrozek wrote:
> [PATCH 1/6] Common include file for SLAPI plugin logging
> Consolidate the common logging macros into common/util.h and use them
> in SLAPI plugins instead of calling slapi_log_error() directly.
>
> https://fedorahosted.org/freeipa/ticket/408
>
> [PATCH 2/6] Stricter compilation flags
> Use a little stricter compilation flags, in particular -Wall and treat
> implicit function declarations as errors.
>
> [PATCH 3/6] Use internal implementation of internal Kerberos functions
> Don't use KRB5_PRIVATE.
>
> The patch implements and uses the following krb5 functions that are
> otherwise private in recent MIT Kerberos releases:
> * krb5_principal2salt_norealm
> * krb5_free_ktypes
>
> [PATCH 4/6] Don't use deprecated ldap_bind_s
> ldap_bind_s is marked as deprecated in new libldap releases.
>
> [PATCH 5/6] Silence compilation warnings in SLAPI plugins
> The most important part of the patch is exporting hexbuf() in ipapwd.h
> Also uses strcasecmp() instead of PL_strcasecmp() since we were not
> including nspr headers and linking against it - I hope this is OK, we
> can revert if we need to be portable to platforms with no strcasecmp().
> The rest are cosmetic fixes.
>
> [PATCH 6/6] ipa-client code cleanup
> Fixes errors about implicit function declaration and moves duplicated
> gettext code into a common module. Also silences some warnings.
>
> Patches 3 - 6 fix https://fedorahosted.org/freeipa/ticket/454

Attached are patches rebased on top of current master, esp. the UUID patch.

-------------- next part --------------
>From a89642497c219c93da7f94913364c73a7ab70a7f Mon Sep 17 00:00:00 2001
From: Jakub Hrozek Date: Wed, 3 Nov 2010 14:44:44 +0100 Subject: [PATCH 1/6] Common include file for SLAPI plugin logging Consolidate the common logging macros into common/util.h and use them in SLAPI plugins instead of calling slapi_log_error() directly. https://fedorahosted.org/freeipa/ticket/408 --- daemons/ipa-slapi-plugins/common/util.h | 40 +++ .../ipa-slapi-plugins/ipa-enrollment/Makefile.am | 3 + .../ipa-enrollment/ipa_enrollment.c | 78 ++--- daemons/ipa-slapi-plugins/ipa-modrdn/Makefile.am | 3 + daemons/ipa-slapi-plugins/ipa-modrdn/ipa_modrdn.c | 41 +-- .../ipa-slapi-plugins/ipa-pwd-extop/Makefile.am | 3 + .../ipa-pwd-extop/ipa_pwd_extop.c | 1 + daemons/ipa-slapi-plugins/ipa-pwd-extop/ipapwd.h | 21 +-- .../ipa-pwd-extop/ipapwd_common.c | 1 + .../ipa-pwd-extop/ipapwd_encoding.c | 1 + .../ipa-pwd-extop/ipapwd_prepost.c | 1 + daemons/ipa-slapi-plugins/ipa-uuid/Makefile.am | 3 + daemons/ipa-slapi-plugins/ipa-uuid/ipa_uuid.c | 85 ++--- daemons/ipa-slapi-plugins/ipa-version/Makefile.am | 3 + .../ipa-version/ipa_repl_version.c | 51 ++-- daemons/ipa-slapi-plugins/ipa-winsync/Makefile.am | 3 + .../ipa-winsync/ipa-winsync-config.c | 90 +++--- .../ipa-slapi-plugins/ipa-winsync/ipa-winsync.c | 350 ++++++++------------ .../ipa-slapi-plugins/ipa-winsync/ipa-winsync.h | 4 +- 19 files changed, 335 insertions(+), 447 deletions(-) create mode 100644 daemons/ipa-slapi-plugins/common/util.h diff --git a/daemons/ipa-slapi-plugins/common/util.h b/daemons/ipa-slapi-plugins/common/util.h new file mode 100644 index 0000000..8a7d518 --- /dev/null +++ b/daemons/ipa-slapi-plugins/common/util.h 
@@ -0,0 +1,40 @@ +#ifndef _SLAPI_PLUGINS_UTIL_H +#define _SLAPI_PLUGINS_UTIL_H + +#define EOK 0 +#define EFAIL -1 + +#ifndef discard_const +#define discard_const(ptr) ((void *)((uintptr_t)(ptr))) +#endif + +#define log_func discard_const(__func__) + +#define LOG_PLUGIN_NAME(NAME, fmt, ...) \ + slapi_log_error(SLAPI_LOG_PLUGIN, \ + NAME, \ + fmt, ##__VA_ARGS__) + +#define LOG(fmt, ...) \ + LOG_PLUGIN_NAME(IPA_PLUGIN_NAME, fmt, ##__VA_ARGS__) + +#define LOG_CONFIG_NAME(NAME, fmt, ...) \ + slapi_log_error(SLAPI_LOG_CONFIG, \ + NAME, \ + fmt, ##__VA_ARGS__) + +#define LOG_CONFIG(fmt, ...) \ + LOG_CONFIG_NAME(IPA_PLUGIN_NAME, fmt, ##__VA_ARGS__) + +#define LOG_FATAL(fmt, ...) \ + slapi_log_error(SLAPI_LOG_FATAL, log_func, \ + "[file %s, line %d]: " fmt, \ + __FILE__, __LINE__, ##__VA_ARGS__) + +#define LOG_TRACE(fmt, ...) \ + slapi_log_error(SLAPI_LOG_TRACE, log_func, fmt, ##__VA_ARGS__) + +#define LOG_OOM() LOG_FATAL("Out of Memory!\n") + +#endif /* _SLAPI_PLUGINS_UTIL_H */ + diff --git a/daemons/ipa-slapi-plugins/ipa-enrollment/Makefile.am b/daemons/ipa-slapi-plugins/ipa-enrollment/Makefile.am index 8a4ba09..fc3c55c 100644 --- a/daemons/ipa-slapi-plugins/ipa-enrollment/Makefile.am +++ b/daemons/ipa-slapi-plugins/ipa-enrollment/Makefile.am @@ -1,8 +1,11 @@ NULL = +PLUGIN_COMMON_DIR=../common + INCLUDES = \ -I. \ -I$(srcdir) \ + -I$(PLUGIN_COMMON_DIR) \ -DPREFIX=\""$(prefix)"\" \ -DBINDIR=\""$(bindir)"\" \ -DLIBDIR=\""$(libdir)"\" \ diff --git a/daemons/ipa-slapi-plugins/ipa-enrollment/ipa_enrollment.c b/daemons/ipa-slapi-plugins/ipa-enrollment/ipa_enrollment.c index 8a9906a..bc5551e 100644 --- a/daemons/ipa-slapi-plugins/ipa-enrollment/ipa_enrollment.c +++ b/daemons/ipa-slapi-plugins/ipa-enrollment/ipa_enrollment.c 
@@ -49,11 +49,15 @@ #include #include +#include "util.h" + +#define IPA_PLUGIN_NAME "ipa-enrollment" + /* OID of the extended operation handled by this plug-in */ #define JOIN_OID "2.16.840.1.113730.3.8.3.53" Slapi_PluginDesc pdesc = { - "ipa-enrollment", + IPA_PLUGIN_NAME, "IPA Project", "IPA/2.0", "IPA Enrollment Extended Operation plugin" @@ -80,21 +84,19 @@ ipaenrollement_secure(Slapi_PBlock *pb, char **errMesg) int sasl_ssf, is_ssl; int rc = LDAP_SUCCESS; - slapi_log_error(SLAPI_LOG_TRACE, "ipa_enrollment", "=> ipaenrollment_secure\n"); + LOG_TRACE("=> ipaenrollment_secure\n"); /* Allow enrollment only for SSL/TLS established connections and * connections using SASL privacy layers */ if (slapi_pblock_get(pb, SLAPI_CONN_SASL_SSF, &sasl_ssf) != 0) { - slapi_log_error(SLAPI_LOG_TRACE, "ipa_pwd_extop", - "Could not get SASL SSF from connection\n"); + LOG_TRACE("Could not get SASL SSF from connection\n"); *errMesg = "Operation requires a secure connection.\n"; rc = LDAP_OPERATIONS_ERROR; goto done; } if (slapi_pblock_get(pb, SLAPI_CONN_IS_SSL_SESSION, &is_ssl) != 0) { - slapi_log_error(SLAPI_LOG_TRACE, "ipa_pwd_extop", - "Could not get IS SSL from connection\n"); + LOG_TRACE("Could not get IS SSL from connection\n"); *errMesg = "Operation requires a secure connection.\n"; rc = LDAP_OPERATIONS_ERROR; goto done; @@ -107,7 +109,7 @@ ipaenrollement_secure(Slapi_PBlock *pb, char **errMesg) } done: - slapi_log_error(SLAPI_LOG_TRACE, "ipa_enrollment", "<= ipaenrollment_secure\n"); + LOG_TRACE("<= ipaenrollment_secure\n"); return rc; } @@ -175,9 +177,7 @@ ipa_join(Slapi_PBlock *pb) ret = slapi_search_internal_pb(pbte); slapi_pblock_get(pbte, SLAPI_PLUGIN_INTOP_RESULT, &res); if (ret == -1 || res != LDAP_SUCCESS) { - slapi_log_error(SLAPI_LOG_TRACE, "ipaenrollment_extop", - "Search for host failed, err (%d)\n", - res?res:ret); + LOG_TRACE("Search for host failed, err (%d)\n", res?res:ret); errMesg = "Host not found.\n"; rc = LDAP_NO_SUCH_OBJECT; goto free_and_return; 
@@ -186,7 +186,7 @@ ipa_join(Slapi_PBlock *pb) /* get entries */ slapi_pblock_get(pbte, SLAPI_PLUGIN_INTOP_SEARCH_ENTRIES, &es); if (!es) { - slapi_log_error(SLAPI_LOG_TRACE, "ipa_pwd_extop", "No entries ?!"); + LOG_TRACE("No entries ?!"); errMesg = "Host not found.\n"; rc = LDAP_NO_SUCH_OBJECT; goto free_and_return; @@ -197,8 +197,7 @@ ipa_join(Slapi_PBlock *pb) /* if there is none or more than one, freak out */ if (i != 1) { - slapi_log_error(SLAPI_LOG_TRACE, "ipaenrollment_extop", - "Too many entries, or entry no found (%d)", i); + LOG_TRACE("Too many entries, or entry no found (%d)", i); errMesg = "Host not found.\n"; rc = LDAP_NO_SUCH_OBJECT; goto free_and_return; @@ -208,8 +207,7 @@ ipa_join(Slapi_PBlock *pb) /* Is this host already enrolled? */ krbLastPwdChange = slapi_entry_attr_get_charptr(targetEntry, "krbLastPwdChange"); if (NULL != krbLastPwdChange) { - slapi_log_error(SLAPI_LOG_TRACE, "ipaenrollment_extop", - "Host already enrolled"); + LOG_TRACE("Host already enrolled"); errMesg = "Host already enrolled.\n"; rc = LDAP_OPERATIONS_ERROR; goto free_and_return; @@ -266,19 +264,16 @@ ipa_join(Slapi_PBlock *pb) rc = slapi_modify_internal_pb (pbtm); if (rc) { - slapi_log_error(SLAPI_LOG_TRACE, "ipaenrollment_extop", - "WARNING: modify error %d on entry '%s'\n", - rc, slapi_entry_get_dn_const(targetEntry)); + LOG_TRACE("WARNING: modify error %d on entry '%s'\n", + rc, slapi_entry_get_dn_const(targetEntry)); } else { slapi_pblock_get(pb, SLAPI_PLUGIN_INTOP_RESULT, &rc); if (rc != LDAP_SUCCESS){ - slapi_log_error(SLAPI_LOG_TRACE, "ipaenrollment_extop", - "WARNING: modify error %d on entry '%s'\n", - rc, slapi_entry_get_dn_const(targetEntry)); + LOG_TRACE("WARNING: modify error %d on entry '%s'\n", + rc, slapi_entry_get_dn_const(targetEntry)); } else { - slapi_log_error(SLAPI_LOG_TRACE, "ipaenrollment_extop", - "<= apply mods: Successful\n"); + LOG_TRACE("<= apply mods: Successful\n"); } } 
@@ -291,8 +286,7 @@ done: if (!ret) ret = slapi_pblock_set(pb, SLAPI_EXT_OP_RET_VALUE, &retbval); if (ret) { errMesg = "Could not set return values"; - slapi_log_error(SLAPI_LOG_PLUGIN, "ipaenrollmenti_extop", "%s\n", - errMesg); + LOG("%s\n", errMesg); rc = SLAPI_PLUGIN_EXTENDED_SENT_RESULT; } @@ -309,7 +303,7 @@ free_and_return: if (krbLastPwdChange) slapi_ch_free_string(&krbLastPwdChange); - slapi_log_error(SLAPI_LOG_PLUGIN, "ipaenrollment_extop", errMesg ? errMesg : "success\n"); + LOG(errMesg ? errMesg : "success\n"); slapi_send_ldap_result(pb, rc, NULL, errMesg, 0, NULL); free(principal); @@ -325,7 +319,7 @@ ipaenrollment_extop(Slapi_PBlock *pb) char *errMesg = NULL; int rc, ret; - slapi_log_error(SLAPI_LOG_TRACE, "ipa_enrollment", "=> ipaenrollment_extop\n"); + LOG_TRACE("=> ipaenrollment_extop\n"); rc = ipaenrollement_secure(pb, &errMesg); if (rc) { @@ -336,7 +330,7 @@ ipaenrollment_extop(Slapi_PBlock *pb) if (slapi_pblock_get(pb, SLAPI_EXT_OP_REQ_OID, &oid ) != 0) { errMesg = "Could not get OID and value from request.\n"; rc = LDAP_OPERATIONS_ERROR; - slapi_log_error(SLAPI_LOG_PLUGIN, "ipa_pwd_extop", errMesg); + LOG(errMesg); goto free_and_return; } @@ -349,7 +343,7 @@ ipaenrollment_extop(Slapi_PBlock *pb) rc = LDAP_OPERATIONS_ERROR; free_and_return: - slapi_log_error(SLAPI_LOG_PLUGIN, "ipa_enrollment", errMesg); + LOG(errMesg); slapi_send_ldap_result(pb, rc, NULL, errMesg, 0, NULL); return SLAPI_PLUGIN_EXTENDED_SENT_RESULT; 
@@ -369,35 +363,32 @@ ipaenrollment_start(Slapi_PBlock *pb) krberr = krb5_init_context(&krbctx); if (krberr) { - slapi_log_error(SLAPI_LOG_FATAL, "ipaenrollment_init", - "krb5_init_context failed\n"); + LOG_FATAL("krb5_init_context failed\n"); return LDAP_OPERATIONS_ERROR; } ret = krb5_get_default_realm(krbctx, &realm); if (ret) { - slapi_log_error(SLAPI_LOG_FATAL, "ipaenrollment_init", - "Failed to get default realm?!\n"); + LOG_FATAL("Failed to get default realm?!\n"); ret = LDAP_OPERATIONS_ERROR; } if (slapi_pblock_get(pb, SLAPI_TARGET_DN, &config_dn) != 0) { - slapi_log_error( SLAPI_LOG_FATAL, "ipaenrollment_start", "No config DN?\n"); + LOG_FATAL("No config DN?\n"); ret = LDAP_OPERATIONS_ERROR; goto done; } sdn = slapi_sdn_new_dn_byref(config_dn); if ((rc = slapi_search_internal_get_entry(sdn, NULL, &config_entry, ipaenrollment_plugin_id)) != LDAP_SUCCESS ){ - slapi_log_error(SLAPI_LOG_TRACE, "ipaenrollment_extop", - "ipaenrollment_start: No such entry-(%s), err (%d)\n", - config_dn, rc); + LOG_TRACE("ipaenrollment_start: No such entry-(%s), err (%d)\n", + config_dn, rc); } slapi_sdn_free(&sdn); partition_dn = slapi_entry_attr_get_charptr(config_entry, "nsslapd-realmtree"); if (!partition_dn) { - slapi_log_error( SLAPI_LOG_FATAL, "ipapwd_start", "Missing partition configuration entry (nsslapd-realmTree)!\n"); + LOG_FATAL("Missing partition configuration entry (nsslapd-realmTree)!\n"); ret = LDAP_OPERATIONS_ERROR; goto done; } @@ -405,7 +396,7 @@ ipaenrollment_start(Slapi_PBlock *pb) ipa_realm_dn = slapi_ch_smprintf("cn=computers,cn=accounts,%s", partition_dn); slapi_ch_free_string(&partition_dn); if (!ipa_realm_dn) { - slapi_log_error( SLAPI_LOG_FATAL, "ipapwd_start", "Out of memory ?\n"); + LOG_FATAL("Out of memory ?\n"); ret = LDAP_OPERATIONS_ERROR; goto done; } 
@@ -430,13 +421,11 @@ ipaenrollment_init(Slapi_PBlock *pb) ret = slapi_pblock_get(pb, SLAPI_PLUGIN_IDENTITY, &ipaenrollment_plugin_id); if ((ret != 0) || (NULL == ipaenrollment_plugin_id)) { - slapi_log_error(SLAPI_LOG_PLUGIN, - "ipaenrollment_init", "Could not get identity or identity was NULL\n"); + LOG("Could not get identity or identity was NULL\n"); return -1; } - slapi_log_error(SLAPI_LOG_PLUGIN, "ipaenrollment_init", - "Registering plug-in for extended op.\n"); + LOG("Registering plug-in for extended op.\n"); /* Register the plug-in function as an extended operation plug-in function. */ @@ -448,8 +437,7 @@ ipaenrollment_init(Slapi_PBlock *pb) if (!ret) slapi_pblock_set(pb, SLAPI_PLUGIN_EXT_OP_FN, (void *)ipaenrollment_extop); if (ret) { - slapi_log_error(SLAPI_LOG_PLUGIN, "ipaenrollment_init", - "Failed to set plug-in version, function, and OID.\n"); + LOG("Failed to set plug-in version, function, and OID.\n"); return -1; } diff --git a/daemons/ipa-slapi-plugins/ipa-modrdn/Makefile.am b/daemons/ipa-slapi-plugins/ipa-modrdn/Makefile.am index 5770624..3b0ff62 100644 --- a/daemons/ipa-slapi-plugins/ipa-modrdn/Makefile.am +++ b/daemons/ipa-slapi-plugins/ipa-modrdn/Makefile.am @@ -1,8 +1,11 @@ NULL = +PLUGIN_COMMON_DIR=../common + INCLUDES = \ -I. \ -I$(srcdir) \ + -I$(PLUGIN_COMMON_DIR) \ -I/usr/include/dirsrv \ -DPREFIX=\""$(prefix)"\" \ -DBINDIR=\""$(bindir)"\" \ diff --git a/daemons/ipa-slapi-plugins/ipa-modrdn/ipa_modrdn.c b/daemons/ipa-slapi-plugins/ipa-modrdn/ipa_modrdn.c index 72e16e9..1e094f1 100644 --- a/daemons/ipa-slapi-plugins/ipa-modrdn/ipa_modrdn.c +++ b/daemons/ipa-slapi-plugins/ipa-modrdn/ipa_modrdn.c 
@@ -44,40 +44,13 @@ #include "nspr.h" #include "prclist.h" -#define IPAMODRDN_PLUGIN_NAME "ipa-modrdn-plugin" +#include "util.h" + +#define IPA_PLUGIN_NAME "ipa-modrdn-plugin" #define IPAMODRDN_PLUGIN_VERSION 0x00010000 #define IPAMODRDN_DN "cn=IPA MODRDN,cn=plugins,cn=config" /* temporary */ -#define EOK 0 -#define EFAIL -1 - -#ifndef discard_const -#define discard_const(ptr) ((void *)((uintptr_t)(ptr))) -#endif - -#define log_func discard_const(__func__) - -#define LOG(fmt, ...) \ - slapi_log_error(SLAPI_LOG_PLUGIN, \ - IPAMODRDN_PLUGIN_NAME, \ - fmt, ##__VA_ARGS__) - -#define LOG_CONFIG(fmt, ...) \ - slapi_log_error(SLAPI_LOG_CONFIG, \ - IPAMODRDN_PLUGIN_NAME, \ - fmt, ##__VA_ARGS__) - -#define LOG_FATAL(fmt, ...) \ - slapi_log_error(SLAPI_LOG_FATAL, log_func, \ - "[file %s, line %d]: " fmt, \ - __FILE__, __LINE__, ##__VA_ARGS__) - -#define LOG_TRACE(fmt, ...) \ - slapi_log_error(SLAPI_LOG_TRACE, log_func, fmt, ##__VA_ARGS__) - -#define LOG_OOM() LOG_FATAL("Out of Memory!\n") - /** * IPA MODRDN config types */ @@ -701,7 +674,7 @@ ipamodrdn_change_attr(struct configEntry *cfgentry, mods[0] = &mod; mods[1] = 0; - LOG("Setting %s to %s in entry (%s)\n", cfgentry->tattr, targetdn); + LOG("Setting %s to %s in entry (%s)\n", cfgentry->tattr, value, targetdn); /* Perform the modify operation. */ slapi_modify_internal_set_pb(mod_pb, targetdn, mods, @@ -785,12 +758,12 @@ static int ipamodrdn_post_op(Slapi_PBlock *pb) } if (slapi_entry_attr_find(e, cfgentry->sattr, &sattr) != 0) { - LOG_TRACE("Source attr %s not found for %d\n", + LOG_TRACE("Source attr %s not found for %s\n", cfgentry->sattr, dn); continue; } if (slapi_entry_attr_find(e, cfgentry->tattr, &tattr) != 0) { - LOG_TRACE("Target attr %s not found for %d\n", + LOG_TRACE("Target attr %s not found for %s\n", cfgentry->tattr, dn); } else { Slapi_Value *val; 
@@ -805,7 +778,7 @@ static int ipamodrdn_post_op(Slapi_PBlock *pb) ret = ipamodrdn_change_attr(cfgentry, dn, strval); if (ret != EOK) { - LOG_FATAL("Failed to set target attr %s for %d\n", + LOG_FATAL("Failed to set target attr %s for %s\n", cfgentry->tattr, dn); } } diff --git a/daemons/ipa-slapi-plugins/ipa-pwd-extop/Makefile.am b/daemons/ipa-slapi-plugins/ipa-pwd-extop/Makefile.am index 6358ece..3577e48 100644 --- a/daemons/ipa-slapi-plugins/ipa-pwd-extop/Makefile.am +++ b/daemons/ipa-slapi-plugins/ipa-pwd-extop/Makefile.am @@ -1,8 +1,11 @@ NULL = +PLUGIN_COMMON_DIR=../common + INCLUDES = \ -I. \ -I$(srcdir) \ + -I$(PLUGIN_COMMON_DIR) \ -DPREFIX=\""$(prefix)"\" \ -DBINDIR=\""$(bindir)"\" \ -DLIBDIR=\""$(libdir)"\" \ diff --git a/daemons/ipa-slapi-plugins/ipa-pwd-extop/ipa_pwd_extop.c b/daemons/ipa-slapi-plugins/ipa-pwd-extop/ipa_pwd_extop.c index ed9637a..8df766e 100644 --- a/daemons/ipa-slapi-plugins/ipa-pwd-extop/ipa_pwd_extop.c +++ b/daemons/ipa-slapi-plugins/ipa-pwd-extop/ipa_pwd_extop.c @@ -38,6 +38,7 @@ * END COPYRIGHT BLOCK **/ #include "ipapwd.h" +#include "util.h" /* * Password Modify - LDAP Extended Operation. diff --git a/daemons/ipa-slapi-plugins/ipa-pwd-extop/ipapwd.h b/daemons/ipa-slapi-plugins/ipa-pwd-extop/ipapwd.h index 5b15622..523934c 100644 --- a/daemons/ipa-slapi-plugins/ipa-pwd-extop/ipapwd.h +++ b/daemons/ipa-slapi-plugins/ipa-pwd-extop/ipapwd.h 
@@ -64,26 +64,7 @@ #define IPAPWD_FEATURE_DESC "IPA Password Manager" #define IPAPWD_PLUGIN_DESC "IPA Password Extended Operation plugin" -#ifndef discard_const -#define discard_const(ptr) ((void *)((uintptr_t)(ptr))) -#endif - -#define log_func discard_const(__func__) - -#define LOG(fmt, ...) \ - slapi_log_error(SLAPI_LOG_PLUGIN, \ - IPAPWD_PLUGIN_NAME, \ - fmt, ##__VA_ARGS__) - -#define LOG_FATAL(fmt, ...) \ - slapi_log_error(SLAPI_LOG_FATAL, log_func, \ - "[file %s, line %d]: " fmt, \ - __FILE__, __LINE__, ##__VA_ARGS__) - -#define LOG_TRACE(fmt, ...) \ - slapi_log_error(SLAPI_LOG_TRACE, log_func, fmt, ##__VA_ARGS__) - -#define LOG_OOM() LOG_FATAL("Out of Memory!\n") +#define IPA_PLUGIN_NAME IPAPWD_PLUGIN_NAME #define IPAPWD_CHECK_CONN_SECURE 0x00000001 #define IPAPWD_CHECK_DN 0x00000002 diff --git a/daemons/ipa-slapi-plugins/ipa-pwd-extop/ipapwd_common.c b/daemons/ipa-slapi-plugins/ipa-pwd-extop/ipapwd_common.c index 514274e..92c388a 100644 --- a/daemons/ipa-slapi-plugins/ipa-pwd-extop/ipapwd_common.c +++ b/daemons/ipa-slapi-plugins/ipa-pwd-extop/ipapwd_common.c @@ -38,6 +38,7 @@ * END COPYRIGHT BLOCK **/ #include "ipapwd.h" +#include "util.h" /* Type of connection for this operation;*/ #define LDAP_EXTOP_PASSMOD_CONN_SECURE diff --git a/daemons/ipa-slapi-plugins/ipa-pwd-extop/ipapwd_encoding.c b/daemons/ipa-slapi-plugins/ipa-pwd-extop/ipapwd_encoding.c index 527e178..4513501 100644 --- a/daemons/ipa-slapi-plugins/ipa-pwd-extop/ipapwd_encoding.c +++ b/daemons/ipa-slapi-plugins/ipa-pwd-extop/ipapwd_encoding.c @@ -53,6 +53,7 @@ #include #include "ipapwd.h" +#include "util.h" /* krbTicketFlags */ #define KTF_DISALLOW_POSTDATED 0x00000001 diff --git a/daemons/ipa-slapi-plugins/ipa-pwd-extop/ipapwd_prepost.c b/daemons/ipa-slapi-plugins/ipa-pwd-extop/ipapwd_prepost.c index 6636d61..44b280b 100644 --- a/daemons/ipa-slapi-plugins/ipa-pwd-extop/ipapwd_prepost.c +++ b/daemons/ipa-slapi-plugins/ipa-pwd-extop/ipapwd_prepost.c 
@@ -53,6 +53,7 @@ #include #include "ipapwd.h" +#include "util.h" #define IPAPWD_OP_NULL 0 #define IPAPWD_OP_ADD 1 diff --git a/daemons/ipa-slapi-plugins/ipa-uuid/Makefile.am b/daemons/ipa-slapi-plugins/ipa-uuid/Makefile.am index 167a196..1e5d979 100644 --- a/daemons/ipa-slapi-plugins/ipa-uuid/Makefile.am +++ b/daemons/ipa-slapi-plugins/ipa-uuid/Makefile.am @@ -1,8 +1,11 @@ NULL = +PLUGIN_COMMON_DIR=../common + INCLUDES = \ -I. \ -I$(srcdir) \ + -I$(PLUGIN_COMMON_DIR) \ -I/usr/include/dirsrv \ -DPREFIX=\""$(prefix)"\" \ -DBINDIR=\""$(bindir)"\" \ diff --git a/daemons/ipa-slapi-plugins/ipa-uuid/ipa_uuid.c b/daemons/ipa-slapi-plugins/ipa-uuid/ipa_uuid.c index 919abc8..58ef6e6 100644 --- a/daemons/ipa-slapi-plugins/ipa-uuid/ipa_uuid.c +++ b/daemons/ipa-slapi-plugins/ipa-uuid/ipa_uuid.c 
@@ -45,41 +45,20 @@ #include "prclist.h" #include "uuid/uuid.h" -#define IPAUUID_PLUGIN_NAME "ipa-uuid-plugin" -#define IPAUUID_PLUGIN_VERSION 0x00010000 - -#define IPAUUID_DN "cn=IPA UUID,cn=plugins,cn=config" /* temporary */ - -#define IPAUUID_SUCCESS 0 -#define IPAUUID_FAILURE -1 +#include "util.h" #define IPAUUID_STR_SIZE 36 -#ifndef discard_const -#define discard_const(ptr) ((void *)((uintptr_t)(ptr))) +#ifndef TEMP_TEMP_GET_A_DEFINE_FROM_389DS_TEAM +int slapi_uniqueIDGenerateString(char **uId); #endif -#define log_func discard_const(__func__) - -#define LOG(fmt, ...) \ - slapi_log_error(SLAPI_LOG_PLUGIN, \ - IPAUUID_PLUGIN_NAME, \ - fmt, ##__VA_ARGS__) - -#define LOG_CONFIG(fmt, ...) \ - slapi_log_error(SLAPI_LOG_CONFIG, \ - IPAUUID_PLUGIN_NAME, \ - fmt, ##__VA_ARGS__) - -#define LOG_FATAL(fmt, ...) \ - slapi_log_error(SLAPI_LOG_FATAL, log_func, \ - "[file %s, line %d]: " fmt, \ - __FILE__, __LINE__, ##__VA_ARGS__) +#define IPAUUID_PLUGIN_NAME "ipa-uuid-plugin" +#define IPAUUID_PLUGIN_VERSION 0x00010000 -#define LOG_TRACE(fmt, ...) \ - slapi_log_error(SLAPI_LOG_TRACE, log_func, fmt, ##__VA_ARGS__) +#define IPAUUID_DN "cn=IPA UUID,cn=plugins,cn=config" /* temporary */ -#define LOG_OOM() LOG_FATAL("Out of Memory!\n") +#define IPA_PLUGIN_NAME IPAUUID_PLUGIN_NAME /** * IPA UUID config types @@ -235,7 +214,7 @@ char *getPluginDN() int ipauuid_init(Slapi_PBlock *pb) { - int status = IPAUUID_SUCCESS; + int status = EOK; char *plugin_identity = NULL; LOG_TRACE("--in-->\n"); @@ -281,7 +260,7 @@ ipauuid_init(Slapi_PBlock *pb) ) ) { LOG_FATAL("failed to register plugin\n"); - status = IPAUUID_FAILURE; + status = EFAIL; } LOG_TRACE("<--out--\n"); @@ -291,7 +270,7 @@ ipauuid_init(Slapi_PBlock *pb) static int ipauuid_internal_preop_init(Slapi_PBlock *pb) { - int status = IPAUUID_SUCCESS; + int status = EOK; if (slapi_pblock_set(pb, SLAPI_PLUGIN_VERSION, SLAPI_PLUGIN_VERSION_01) != 0 || 
@@ -301,7 +280,7 @@ ipauuid_internal_preop_init(Slapi_PBlock *pb) (void *) ipauuid_mod_pre_op) != 0 || slapi_pblock_set(pb, SLAPI_PLUGIN_INTERNAL_PRE_ADD_FN, (void *) ipauuid_add_pre_op) != 0) { - status = IPAUUID_FAILURE; + status = EFAIL; } return status; @@ -310,7 +289,7 @@ ipauuid_internal_preop_init(Slapi_PBlock *pb) static int ipauuid_postop_init(Slapi_PBlock *pb) { - int status = IPAUUID_SUCCESS; + int status = EOK; if (slapi_pblock_set(pb, SLAPI_PLUGIN_VERSION, SLAPI_PLUGIN_VERSION_01) != 0 || @@ -325,7 +304,7 @@ ipauuid_postop_init(Slapi_PBlock *pb) slapi_pblock_set(pb, SLAPI_PLUGIN_POST_MODIFY_FN, (void *) ipauuid_config_check_post_op) != 0) { LOG_FATAL("failed to register plugin\n"); - status = IPAUUID_FAILURE; + status = EFAIL; } return status; @@ -355,7 +334,7 @@ ipauuid_start(Slapi_PBlock * pb) if (!g_ipauuid_cache_lock) { LOG_FATAL("lock creation failed\n"); - return IPAUUID_FAILURE; + return EFAIL; } /** @@ -381,9 +360,9 @@ ipauuid_start(Slapi_PBlock * pb) slapi_ch_calloc(1, sizeof(struct configEntry)); PR_INIT_CLIST(ipauuid_global_config); - if (ipauuid_load_plugin_config() != IPAUUID_SUCCESS) { + if (ipauuid_load_plugin_config() != EOK) { LOG_FATAL("unable to load plug-in configuration\n"); - return IPAUUID_FAILURE; + return EFAIL; } g_plugin_started = 1; @@ -391,7 +370,7 @@ ipauuid_start(Slapi_PBlock * pb) LOG_TRACE("<--out--\n"); done: - return IPAUUID_SUCCESS; + return EOK; } /* @@ -410,7 +389,7 @@ ipauuid_close(Slapi_PBlock * pb) LOG_TRACE("<--out--\n"); - return IPAUUID_SUCCESS; + return EOK; } /* @@ -426,7 +405,7 @@ ipauuid_close(Slapi_PBlock * pb) static int ipauuid_load_plugin_config() { - int status = IPAUUID_SUCCESS; + int status = EOK; int result; int i; time_t now; 
@@ -447,14 +426,14 @@ ipauuid_load_plugin_config() slapi_pblock_get(search_pb, SLAPI_PLUGIN_INTOP_RESULT, &result); if (LDAP_SUCCESS != result) { - status = IPAUUID_FAILURE; + status = EFAIL; goto cleanup; } slapi_pblock_get(search_pb, SLAPI_PLUGIN_INTOP_SEARCH_ENTRIES, &entries); if (NULL == entries || NULL == entries[0]) { - status = IPAUUID_SUCCESS; + status = EOK; goto cleanup; } @@ -482,7 +461,7 @@ ipauuid_load_plugin_config() * validate config without making any changes by setting apply * to 0. * - * Returns IPAUUID_SUCCESS if the entry is valid and IPAUUID_FAILURE + * Returns EOK if the entry is valid and EFAIL * if it is invalid. */ static int @@ -494,20 +473,20 @@ ipauuid_parse_config_entry(Slapi_Entry * e, bool apply) PRCList *list; int entry_added = 0; int i = 0; - int ret = IPAUUID_SUCCESS; + int ret = EOK; LOG_TRACE("--in-->\n"); /* If this is the main UUID plug-in config entry, just bail. */ if (strcasecmp(getPluginDN(), slapi_entry_get_ndn(e)) == 0) { - ret = IPAUUID_FAILURE; + ret = EFAIL; goto bail; } entry = (struct configEntry *) slapi_ch_calloc(1, sizeof(struct configEntry)); if (NULL == entry) { - ret = IPAUUID_FAILURE; + ret = EFAIL; goto bail; } @@ -521,7 +500,7 @@ ipauuid_parse_config_entry(Slapi_Entry * e, bool apply) if (!entry->attr) { LOG_FATAL("The %s config setting is required for %s.\n", IPAUUID_ATTR, entry->dn); - ret = IPAUUID_FAILURE; + ret = EFAIL; goto bail; } LOG_CONFIG("----------> %s [%s]\n", IPAUUID_ATTR, entry->attr); @@ -544,13 +523,13 @@ ipauuid_parse_config_entry(Slapi_Entry * e, bool apply) if (NULL == (entry->slapi_filter = slapi_str2filter(value))) { LOG_FATAL("Error: Invalid search filter in entry [%s]: [%s]\n", entry->dn, value); - ret = IPAUUID_FAILURE; + ret = EFAIL; goto bail; } } else { LOG_FATAL("The %s config setting is required for %s.\n", IPAUUID_FILTER, entry->dn); - ret = IPAUUID_FAILURE; + ret = EFAIL; goto bail; } LOG_CONFIG("----------> %s [%s]\n", IPAUUID_FILTER, value); 
@@ -561,7 +540,7 @@ ipauuid_parse_config_entry(Slapi_Entry * e, bool apply) } else { LOG_FATAL("The %s config config setting is required for %s.\n", IPAUUID_SCOPE, entry->dn); - ret = IPAUUID_FAILURE; + ret = EFAIL; goto bail; } LOG_CONFIG("----------> %s [%s]\n", IPAUUID_SCOPE, entry->scope); @@ -622,7 +601,7 @@ bail: } ipauuid_free_config_entry(&entry); } else { - ret = IPAUUID_SUCCESS; + ret = EOK; } LOG_TRACE("<--out--\n"); @@ -886,7 +865,7 @@ static int ipauuid_pre_op(Slapi_PBlock *pb, int modtype) test_e = resulting_e; } - if (ipauuid_parse_config_entry(test_e, false) != IPAUUID_SUCCESS) { + if (ipauuid_parse_config_entry(test_e, false) != EOK) { /* Refuse the operation if config parsing failed. */ ret = LDAP_UNWILLING_TO_PERFORM; if (LDAP_CHANGETYPE_ADD == modtype) { @@ -1201,7 +1180,7 @@ done: LOG("operation failure [%d]\n", ret); slapi_send_ldap_result(pb, ret, NULL, errstr, 0, NULL); slapi_ch_free((void **)&errstr); - ret = IPAUUID_FAILURE; + ret = EFAIL; } LOG_TRACE("<--out--\n"); diff --git a/daemons/ipa-slapi-plugins/ipa-version/Makefile.am b/daemons/ipa-slapi-plugins/ipa-version/Makefile.am index 331ce7f..f90543e 100644 --- a/daemons/ipa-slapi-plugins/ipa-version/Makefile.am +++ b/daemons/ipa-slapi-plugins/ipa-version/Makefile.am @@ -1,9 +1,12 @@ NULL = +PLUGIN_COMMON_DIR=../common + INCLUDES = \ -I. \ -I../../ \ -I$(srcdir) \ + -I$(PLUGIN_COMMON_DIR) \ -I/usr/include/dirsrv \ -DPREFIX=\""$(prefix)"\" \ -DBINDIR=\""$(bindir)"\" \ diff --git a/daemons/ipa-slapi-plugins/ipa-version/ipa_repl_version.c b/daemons/ipa-slapi-plugins/ipa-version/ipa_repl_version.c index a938001..e8c633b 100644 --- a/daemons/ipa-slapi-plugins/ipa-version/ipa_repl_version.c +++ b/daemons/ipa-slapi-plugins/ipa-version/ipa_repl_version.c 
@@ -38,12 +38,13 @@ #include "slapi-plugin.h" #include "repl-session-plugin.h" #include "ipa-version.h" +#include "util.h" #include /* Identify the type of data we're sending, an unsigned int in this case */ #define REPL_VERSION_DATA_GUID "2D562D8B-2F30-4447-AF76-2B721D1D5F6A" -static char *repl_version_plugin_name = "ipa_replication_version"; +#define IPA_PLUGIN_NAME "ipa_replication_version" static char *data_version = NULL; /* @@ -74,8 +75,7 @@ static int repl_version_plugin_pre_acquire_cb(void *cookie, const Slapi_DN *repl_subtree, int is_total, char **data_guid, struct berval **data) { - slapi_log_error(SLAPI_LOG_PLUGIN, repl_version_plugin_name, - "repl_version_plugin_pre_acquire_cb() called for suffix \"%s\", " + LOG("repl_version_plugin_pre_acquire_cb() called for suffix \"%s\", " "is_total: \"%s\".\n", slapi_sdn_get_ndn(repl_subtree), is_total ? "TRUE" : "FALSE"); @@ -85,9 +85,8 @@ repl_version_plugin_pre_acquire_cb(void *cookie, const Slapi_DN *repl_subtree, (*data)->bv_val = slapi_ch_smprintf("%s", data_version); (*data)->bv_len = strlen((*data)->bv_val) + 1; - slapi_log_error(SLAPI_LOG_PLUGIN, repl_version_plugin_name, - "repl_version_plugin_pre_acquire_cb() sending data: guid: \"%s\" data: \"%s\".\n", - *data_guid, (*data)->bv_val); + LOG("repl_version_plugin_pre_acquire_cb() sending data: guid: \"%s\" data: \"%s\".\n", + *data_guid, (*data)->bv_val); return 0; } 
@@ -108,18 +107,17 @@ static int repl_version_plugin_recv_acquire_cb(const char *repl_subtree, int is_total, const char *data_guid, const struct berval *data) { - slapi_log_error(SLAPI_LOG_PLUGIN, repl_version_plugin_name, - "test_repl_session_plugin_recv_acquire_cb() called for suffix \"%s\", is_total: \"%s\".\n", + LOG("test_repl_session_plugin_recv_acquire_cb() called for suffix \"%s\", is_total: \"%s\".\n", repl_subtree, is_total ? "TRUE" : "FALSE"); /* compare our data version to the master data version */ if (data_guid && data && (strcmp(data_guid, REPL_VERSION_DATA_GUID) == 0)) { - slapi_log_error(SLAPI_LOG_PLUGIN, repl_version_plugin_name, - "repl_version_plugin_recv_acquire_cb() received data: guid: \"%s\" data: \"%s\".\n", + LOG("repl_version_plugin_recv_acquire_cb() received data: guid: \"%s\" data: \"%s\".\n", data_guid, data->bv_val); if (!(strcmp(data_version, data->bv_val) == 0)) { - slapi_log_error(SLAPI_LOG_FATAL, repl_version_plugin_name, - "Incompatible IPA versions, pausing replication. This server: \"%s\" remote server: \"%s\".\n", data_version, data->bv_val); + LOG_FATAL("Incompatible IPA versions, pausing replication. " + "This server: \"%s\" remote server: \"%s\".\n", + data_version, data->bv_val); return 1; } } 
@@ -146,35 +144,30 @@ static void *repl_version_api[] = { static int repl_version_plugin_start(Slapi_PBlock *pb) { - slapi_log_error(SLAPI_LOG_PLUGIN, repl_version_plugin_name, - "--> repl_version_plugin_start -- begin\n"); + LOG("--> repl_version_plugin_start -- begin\n"); - data_version = slapi_ch_smprintf("%llu", DATA_VERSION); + data_version = slapi_ch_smprintf("%llu", (unsigned long long) DATA_VERSION); - slapi_log_error(SLAPI_LOG_PLUGIN, repl_version_plugin_name, - "<-- repl_version_plugin_start -- end\n"); + LOG("<-- repl_version_plugin_start -- end\n"); return 0; } static int repl_version_plugin_close(Slapi_PBlock *pb) { - slapi_log_error(SLAPI_LOG_PLUGIN, repl_version_plugin_name, - "--> repl_version_plugin_close -- begin\n"); + LOG("--> repl_version_plugin_close -- begin\n"); slapi_apib_unregister(REPL_SESSION_v1_0_GUID); slapi_ch_free_string(&data_version); - slapi_log_error(SLAPI_LOG_PLUGIN, repl_version_plugin_name, - "<-- repl_version_plugin_close -- end\n"); + LOG("<-- repl_version_plugin_close -- end\n"); return 0; } int repl_version_plugin_init(Slapi_PBlock *pb) { - slapi_log_error(SLAPI_LOG_PLUGIN, repl_version_plugin_name, - "--> repl_version_plugin_init -- begin\n"); + LOG("--> repl_version_plugin_init -- begin\n"); if ( slapi_pblock_set( pb, SLAPI_PLUGIN_VERSION, SLAPI_PLUGIN_VERSION_01 ) != 0 || 
@@ -185,14 +178,12 @@ int repl_version_plugin_init(Slapi_PBlock *pb) slapi_pblock_set( pb, SLAPI_PLUGIN_DESCRIPTION, (void *)&repl_version_pdesc ) != 0 ) { - slapi_log_error( SLAPI_LOG_FATAL, repl_version_plugin_name, - "<-- repl_version_plugin_init -- failed to register plugin -- end\n"); + LOG_FATAL("<-- repl_version_plugin_init -- failed to register plugin -- end\n"); return -1; } if( slapi_apib_register(REPL_SESSION_v1_0_GUID, repl_version_api) ) { - slapi_log_error( SLAPI_LOG_FATAL, repl_version_plugin_name, - "<-- repl_version_plugin_start -- failed to register repl_version api -- end\n"); + LOG_FATAL("<-- repl_version_plugin_start -- failed to register repl_version api -- end\n"); return -1; } @@ -200,12 +191,10 @@ int repl_version_plugin_init(Slapi_PBlock *pb) /* Retrieve and save the plugin identity to later pass to internal operations */ if (slapi_pblock_get(pb, SLAPI_PLUGIN_IDENTITY, &repl_version_plugin_id) != 0) { - slapi_log_error(SLAPI_LOG_FATAL, repl_version_plugin_name, - "<-- repl_version_plugin_init -- failed to retrieve plugin identity -- end\n"); + LOG_FATAL("<-- repl_version_plugin_init -- failed to retrieve plugin identity -- end\n"); return -1; } - slapi_log_error( SLAPI_LOG_PLUGIN, repl_version_plugin_name, - "<-- repl_version_plugin_init -- end\n"); + LOG("<-- repl_version_plugin_init -- end\n"); return 0; } diff --git a/daemons/ipa-slapi-plugins/ipa-winsync/Makefile.am b/daemons/ipa-slapi-plugins/ipa-winsync/Makefile.am index 94bc2dc..79c37be 100644 --- a/daemons/ipa-slapi-plugins/ipa-winsync/Makefile.am +++ b/daemons/ipa-slapi-plugins/ipa-winsync/Makefile.am @@ -1,8 +1,11 @@ NULL = +PLUGIN_COMMON_DIR=../common + INCLUDES = \ -I. \ -I$(srcdir) \ + -I$(PLUGIN_COMMON_DIR) \ -DPREFIX=\""$(prefix)"\" \ -DBINDIR=\""$(bindir)"\" \ -DLIBDIR=\""$(libdir)"\" \ diff --git a/daemons/ipa-slapi-plugins/ipa-winsync/ipa-winsync-config.c b/daemons/ipa-slapi-plugins/ipa-winsync/ipa-winsync-config.c index 45efa6d..5e762bc 100644 
--- a/daemons/ipa-slapi-plugins/ipa-winsync/ipa-winsync-config.c +++ b/daemons/ipa-slapi-plugins/ipa-winsync/ipa-winsync-config.c @@ -109,10 +109,9 @@ ipa_winsync_config(Slapi_Entry *config_e) char returntext[SLAPI_DSE_RETURNTEXT_SIZE]; if ( inited ) { - slapi_log_error( SLAPI_LOG_FATAL, IPA_WINSYNC_PLUGIN_NAME, - "Error: IPA WinSync plug-in already configured. " - "Please remove the plugin config entry [%s]\n", - slapi_entry_get_dn_const(config_e)); + LOG_FATAL("Error: IPA WinSync plug-in already configured. " + "Please remove the plugin config entry [%s]\n", + slapi_entry_get_dn_const(config_e)); return( LDAP_PARAM_ERROR ); } @@ -150,8 +149,7 @@ ipa_winsync_config(Slapi_Entry *config_e) inited = 1; if (returncode != LDAP_SUCCESS) { - slapi_log_error(SLAPI_LOG_FATAL, IPA_WINSYNC_PLUGIN_NAME, - "Error %d: %s\n", returncode, returntext); + LOG_FATAL("Error %d: %s\n", returncode, returntext); } return returncode; @@ -264,9 +262,8 @@ ipa_winsync_validate_config (Slapi_PBlock *pb, Slapi_Entry* entryBefore, Slapi_E /* get new_user_oc_attr */ if (!(attrsvals = slapi_entry_attr_get_charray( e, IPA_WINSYNC_NEW_USER_ATTRS_VALS))) { - slapi_log_error(SLAPI_LOG_PLUGIN, IPA_WINSYNC_PLUGIN_NAME, - "Info: no default attributes and values given in [%s]\n", - IPA_WINSYNC_NEW_USER_ATTRS_VALS); + LOG("Info: no default attributes and values given in [%s]\n", + IPA_WINSYNC_NEW_USER_ATTRS_VALS); } /* format of *attrsvals is "attrname value" */ @@ -461,9 +458,8 @@ ipa_winsync_apply_config (Slapi_PBlock *pb, Slapi_Entry* entryBefore, /* get new_user_oc_attr */ if (!(attrsvals = slapi_entry_attr_get_charray( e, IPA_WINSYNC_NEW_USER_ATTRS_VALS))) { - slapi_log_error(SLAPI_LOG_PLUGIN, IPA_WINSYNC_PLUGIN_NAME, - "Info: no default attributes and values given in [%s]\n", - IPA_WINSYNC_NEW_USER_ATTRS_VALS); + LOG("Info: no default attributes and values given in [%s]\n", + IPA_WINSYNC_NEW_USER_ATTRS_VALS); } /* get acct disable sync value */ 
@@ -688,20 +684,18 @@ internal_find_entry_get_attr_val(const Slapi_DN *basedn, int scope, */ slapi_pblock_get(pb, SLAPI_PLUGIN_INTOP_RESULT, &ret); if (ret != LDAP_SUCCESS) { - slapi_log_error(SLAPI_LOG_FATAL, IPA_WINSYNC_PLUGIN_NAME, - "Error [%d:%s] searching for base [%s] filter [%s]" - " attr [%s]\n", ret, ldap_err2string(ret), - search_basedn, filter, attrs[0]); + LOG_FATAL("Error [%d:%s] searching for base [%s] filter [%s]" + " attr [%s]\n", ret, ldap_err2string(ret), + search_basedn, filter, attrs[0]); goto out1; } slapi_pblock_get(pb, SLAPI_PLUGIN_INTOP_SEARCH_ENTRIES, &entries); if (entries && entries[0] && entries[1]) { /* error - should never be more than one matching entry */ - slapi_log_error(SLAPI_LOG_FATAL, IPA_WINSYNC_PLUGIN_NAME, - "Error: more than one entry matches search for " - "base [%s] filter [%s] attr [%s]\n", - search_basedn, filter, attrs[0]); + LOG_FATAL("Error: more than one entry matches search for " + "base [%s] filter [%s] attr [%s]\n", + search_basedn, filter, attrs[0]); ret = LDAP_UNWILLING_TO_PERFORM; goto out1; } @@ -724,10 +718,9 @@ internal_find_entry_get_attr_val(const Slapi_DN *basedn, int scope, } } else { ret = LDAP_NO_SUCH_OBJECT; - slapi_log_error(SLAPI_LOG_PLUGIN, IPA_WINSYNC_PLUGIN_NAME, - "Did not find an entry for search " - "base [%s] filter [%s] attr [%s]\n", - search_basedn, filter, attrs[0]); + LOG("Did not find an entry for search " + "base [%s] filter [%s] attr [%s]\n", + search_basedn, filter, attrs[0]); } out1: 
@@ -814,10 +807,9 @@ ipa_winsync_config_refresh_domain( if (!iwdc->realm_name) { /* error - could not find the IPA config entry with the realm name */ - slapi_log_error(SLAPI_LOG_FATAL, IPA_WINSYNC_PLUGIN_NAME, - "Error: could not find the entry containing the realm name for " - "ds subtree [%s] filter [%s] attr [%s]\n", - slapi_sdn_get_dn(ds_subtree), realm_filter, realm_attr); + LOG_FATAL("Error: could not find the entry containing the realm name for " + "ds subtree [%s] filter [%s] attr [%s]\n", + slapi_sdn_get_dn(ds_subtree), realm_filter, realm_attr); goto out; } @@ -828,10 +820,9 @@ ipa_winsync_config_refresh_domain( &new_user_objclasses, NULL); if (!new_user_objclasses) { /* error - could not find the entry containing list of objectclasses */ - slapi_log_error(SLAPI_LOG_FATAL, IPA_WINSYNC_PLUGIN_NAME, - "Error: could not find the entry containing the new user objectclass list for " - "ds subtree [%s] filter [%s] attr [%s]\n", - slapi_sdn_get_dn(ds_subtree), new_entry_filter, new_user_oc_attr); + LOG_FATAL("Error: could not find the entry containing the new user objectclass list for " + "ds subtree [%s] filter [%s] attr [%s]\n", + slapi_sdn_get_dn(ds_subtree), new_entry_filter, new_user_oc_attr); goto out; } @@ -844,10 +835,9 @@ ipa_winsync_config_refresh_domain( NULL, &iwdc->homedir_prefix); if (!iwdc->homedir_prefix) { /* error - could not find the home dir prefix */ - slapi_log_error(SLAPI_LOG_FATAL, IPA_WINSYNC_PLUGIN_NAME, - "Error: could not find the entry containing the home directory prefix for " - "ds subtree [%s] filter [%s] attr [%s]\n", - slapi_sdn_get_dn(ds_subtree), new_entry_filter, homedir_prefix_attr); + LOG_FATAL("Error: could not find the entry containing the home directory prefix for " + "ds subtree [%s] filter [%s] attr [%s]\n", + slapi_sdn_get_dn(ds_subtree), new_entry_filter, homedir_prefix_attr); goto out; } 
@@ -860,10 +850,9 @@ ipa_winsync_config_refresh_domain( NULL, &default_group_name); if (!default_group_name) { /* error - could not find the default group name */ - slapi_log_error(SLAPI_LOG_FATAL, IPA_WINSYNC_PLUGIN_NAME, - "Error: could not find the entry containing the default group name for " - "ds subtree [%s] filter [%s] attr [%s]\n", - slapi_sdn_get_dn(ds_subtree), new_entry_filter, default_group_attr); + LOG_FATAL("Error: could not find the entry containing the default group name for " + "ds subtree [%s] filter [%s] attr [%s]\n", + slapi_sdn_get_dn(ds_subtree), new_entry_filter, default_group_attr); goto out; } @@ -877,10 +866,9 @@ ipa_winsync_config_refresh_domain( NULL, &default_gid); if (!default_gid) { /* error - could not find the default gidNumber */ - slapi_log_error(SLAPI_LOG_FATAL, IPA_WINSYNC_PLUGIN_NAME, - "Error: could not find the entry containing the default gidNumber " - "ds subtree [%s] filter [%s] attr [%s]\n", - slapi_sdn_get_dn(ds_subtree), new_entry_filter, "gidNumber"); + LOG_FATAL("Error: could not find the entry containing the default gidNumber " + "ds subtree [%s] filter [%s] attr [%s]\n", + slapi_sdn_get_dn(ds_subtree), new_entry_filter, "gidNumber"); goto out; } @@ -897,10 +885,9 @@ ipa_winsync_config_refresh_domain( NULL, &inactivated_group_dn); if (!inactivated_group_dn) { /* error - could not find the inactivated group dn */ - slapi_log_error(SLAPI_LOG_FATAL, IPA_WINSYNC_PLUGIN_NAME, - "Error: could not find the DN of the inactivated users group " - "ds subtree [%s] filter [%s]\n", - slapi_sdn_get_dn(ds_subtree), inactivated_filter); + LOG_FATAL("Error: could not find the DN of the inactivated users group " + "ds subtree [%s] filter [%s]\n", + slapi_sdn_get_dn(ds_subtree), inactivated_filter); goto out; } ret = internal_find_entry_get_attr_val(config_dn, search_scope, 
@@ -908,10 +895,9 @@ ipa_winsync_config_refresh_domain( NULL, &activated_group_dn); if (!activated_group_dn) { /* error - could not find the activated group dn */ - slapi_log_error(SLAPI_LOG_FATAL, IPA_WINSYNC_PLUGIN_NAME, - "Error: could not find the DN of the activated users group " - "ds subtree [%s] filter [%s]\n", - slapi_sdn_get_dn(ds_subtree), activated_filter); + LOG_FATAL("Error: could not find the DN of the activated users group " + "ds subtree [%s] filter [%s]\n", + slapi_sdn_get_dn(ds_subtree), activated_filter); goto out; } } diff --git a/daemons/ipa-slapi-plugins/ipa-winsync/ipa-winsync.c b/daemons/ipa-slapi-plugins/ipa-winsync/ipa-winsync.c index 9ee8805..4e2d534 100644 --- a/daemons/ipa-slapi-plugins/ipa-winsync/ipa-winsync.c +++ b/daemons/ipa-slapi-plugins/ipa-winsync/ipa-winsync.c @@ -59,8 +59,6 @@ #endif #include "ipa-winsync.h" -static char *ipa_winsync_plugin_name = IPA_WINSYNC_PLUGIN_NAME; - static void sync_acct_disable( void *cbdata, /* the usual domain config data */ @@ -87,16 +85,14 @@ static void * ipa_winsync_agmt_init(const Slapi_DN *ds_subtree, const Slapi_DN *ad_subtree) { void *cbdata = NULL; - slapi_log_error(SLAPI_LOG_PLUGIN, ipa_winsync_plugin_name, - "--> ipa_winsync_agmt_init [%s] [%s] -- begin\n", - slapi_sdn_get_dn(ds_subtree), - slapi_sdn_get_dn(ad_subtree)); + LOG("--> ipa_winsync_agmt_init [%s] [%s] -- begin\n", + slapi_sdn_get_dn(ds_subtree), + slapi_sdn_get_dn(ad_subtree)); /* do the domain specific configuration based on the ds subtree */ cbdata = ipa_winsync_config_new_domain(ds_subtree, ad_subtree); - slapi_log_error(SLAPI_LOG_PLUGIN, ipa_winsync_plugin_name, - "<-- ipa_winsync_agmt_init -- end\n"); + LOG("<-- ipa_winsync_agmt_init -- end\n"); return cbdata; } 
@@ -106,11 +102,9 @@ ipa_winsync_dirsync_search_params_cb(void *cbdata, const char *agmt_dn, char **base, int *scope, char **filter, char ***attrs, LDAPControl ***serverctrls) { - slapi_log_error(SLAPI_LOG_PLUGIN, ipa_winsync_plugin_name, - "--> ipa_winsync_dirsync_search_params_cb -- begin\n"); + LOG("--> ipa_winsync_dirsync_search_params_cb -- begin\n"); - slapi_log_error(SLAPI_LOG_PLUGIN, ipa_winsync_plugin_name, - "<-- ipa_winsync_dirsync_search_params_cb -- end\n"); + LOG("<-- ipa_winsync_dirsync_search_params_cb -- end\n"); return; } @@ -121,11 +115,9 @@ ipa_winsync_pre_ad_search_cb(void *cbdata, const char *agmt_dn, char **base, int *scope, char **filter, char ***attrs, LDAPControl ***serverctrls) { - slapi_log_error(SLAPI_LOG_PLUGIN, ipa_winsync_plugin_name, - "--> ipa_winsync_pre_ad_search_cb -- begin\n"); + LOG("--> ipa_winsync_pre_ad_search_cb -- begin\n"); - slapi_log_error(SLAPI_LOG_PLUGIN, ipa_winsync_plugin_name, - "<-- ipa_winsync_pre_ad_search_cb -- end\n"); + LOG("<-- ipa_winsync_pre_ad_search_cb -- end\n"); return; } @@ -136,16 +128,13 @@ ipa_winsync_pre_ds_search_entry_cb(void *cbdata, const char *agmt_dn, char **base, int *scope, char **filter, char ***attrs, LDAPControl ***serverctrls) { - slapi_log_error(SLAPI_LOG_PLUGIN, ipa_winsync_plugin_name, - "--> ipa_winsync_pre_ds_search_cb -- begin\n"); + LOG("--> ipa_winsync_pre_ds_search_cb -- begin\n"); - slapi_log_error(SLAPI_LOG_PLUGIN, ipa_winsync_plugin_name, - "-- ipa_winsync_pre_ds_search_cb - base [%s] " - "scope [%d] filter [%s]\n", - *base, *scope, *filter); + LOG("-- ipa_winsync_pre_ds_search_cb - base [%s] " + "scope [%d] filter [%s]\n", + *base, *scope, *filter); - slapi_log_error(SLAPI_LOG_PLUGIN, ipa_winsync_plugin_name, - "<-- ipa_winsync_pre_ds_search_cb -- end\n"); + LOG("<-- ipa_winsync_pre_ds_search_cb -- end\n"); return; } 
@@ -156,9 +145,8 @@ ipa_winsync_pre_ds_search_all_cb(void *cbdata, const char *agmt_dn, char **base, int *scope, char **filter, char ***attrs, LDAPControl ***serverctrls) { - slapi_log_error(SLAPI_LOG_PLUGIN, ipa_winsync_plugin_name, - "--> ipa_winsync_pre_ds_search_all_cb -- orig filter [%s] -- begin\n", - ((filter && *filter) ? *filter : "NULL")); + LOG("--> ipa_winsync_pre_ds_search_all_cb -- orig filter [%s] -- begin\n", + ((filter && *filter) ? *filter : "NULL")); /* We only want to grab users from the ds side - no groups */ slapi_ch_free_string(filter); @@ -167,8 +155,7 @@ ipa_winsync_pre_ds_search_all_cb(void *cbdata, const char *agmt_dn, indexed for equality only - need to add presence? */ *filter = slapi_ch_strdup("(&(objectclass=ntuser)(ntUserDomainId=*))"); - slapi_log_error(SLAPI_LOG_PLUGIN, ipa_winsync_plugin_name, - "<-- ipa_winsync_pre_ds_search_all_cb -- end\n"); + LOG("<-- ipa_winsync_pre_ds_search_all_cb -- end\n"); return; } @@ -178,14 +165,12 @@ ipa_winsync_pre_ad_mod_user_cb(void *cbdata, const Slapi_Entry *rawentry, Slapi_Entry *ad_entry, Slapi_Entry *ds_entry, Slapi_Mods *smods, int *do_modify) { - slapi_log_error(SLAPI_LOG_PLUGIN, ipa_winsync_plugin_name, - "--> ipa_winsync_pre_ad_mod_user_cb -- begin\n"); + LOG("--> ipa_winsync_pre_ad_mod_user_cb -- begin\n"); sync_acct_disable(cbdata, rawentry, ds_entry, ACCT_DISABLE_TO_AD, NULL, smods, do_modify); - slapi_log_error(SLAPI_LOG_PLUGIN, ipa_winsync_plugin_name, - "<-- ipa_winsync_pre_ad_mod_user_cb -- end\n"); + LOG("<-- ipa_winsync_pre_ad_mod_user_cb -- end\n"); return; } 
@@ -195,11 +180,9 @@ ipa_winsync_pre_ad_mod_group_cb(void *cbdata, const Slapi_Entry *rawentry, Slapi_Entry *ad_entry, Slapi_Entry *ds_entry, Slapi_Mods *smods, int *do_modify) { - slapi_log_error(SLAPI_LOG_PLUGIN, ipa_winsync_plugin_name, - "--> ipa_winsync_pre_ad_mod_group_cb -- begin\n"); + LOG("--> ipa_winsync_pre_ad_mod_group_cb -- begin\n"); - slapi_log_error(SLAPI_LOG_PLUGIN, ipa_winsync_plugin_name, - "<-- ipa_winsync_pre_ad_mod_group_cb -- end\n"); + LOG("<-- ipa_winsync_pre_ad_mod_group_cb -- end\n"); return; } @@ -209,16 +192,14 @@ ipa_winsync_pre_ds_mod_user_cb(void *cbdata, const Slapi_Entry *rawentry, Slapi_Entry *ad_entry, Slapi_Entry *ds_entry, Slapi_Mods *smods, int *do_modify) { - slapi_log_error(SLAPI_LOG_PLUGIN, ipa_winsync_plugin_name, - "--> ipa_winsync_pre_ds_mod_user_cb -- begin\n"); + LOG("--> ipa_winsync_pre_ds_mod_user_cb -- begin\n"); sync_acct_disable(cbdata, rawentry, ds_entry, ACCT_DISABLE_TO_DS, NULL, smods, do_modify); do_force_sync(rawentry, ds_entry, smods, do_modify); - slapi_log_error(SLAPI_LOG_PLUGIN, ipa_winsync_plugin_name, - "<-- ipa_winsync_pre_ds_mod_user_cb -- end\n"); + LOG("<-- ipa_winsync_pre_ds_mod_user_cb -- end\n"); return; } @@ -228,11 +209,9 @@ ipa_winsync_pre_ds_mod_group_cb(void *cbdata, const Slapi_Entry *rawentry, Slapi_Entry *ad_entry, Slapi_Entry *ds_entry, Slapi_Mods *smods, int *do_modify) { - slapi_log_error(SLAPI_LOG_PLUGIN, ipa_winsync_plugin_name, - "--> ipa_winsync_pre_ds_mod_group_cb -- begin\n"); + LOG("--> ipa_winsync_pre_ds_mod_group_cb -- begin\n"); - slapi_log_error(SLAPI_LOG_PLUGIN, ipa_winsync_plugin_name, - "<-- ipa_winsync_pre_ds_mod_group_cb -- end\n"); + LOG("<-- ipa_winsync_pre_ds_mod_group_cb -- end\n"); return; } 
@@ -247,16 +226,14 @@ ipa_winsync_pre_ds_add_user_cb(void *cbdata, const Slapi_Entry *rawentry, char *type = NULL; IPA_WinSync_Config *global_ipaconfig = ipa_winsync_get_config(); - slapi_log_error(SLAPI_LOG_PLUGIN, ipa_winsync_plugin_name, - "--> ipa_winsync_pre_ds_add_user_cb -- begin\n"); + LOG("--> ipa_winsync_pre_ds_add_user_cb -- begin\n"); if (!ipaconfig || !ipaconfig->domain_e || !ipaconfig->realm_name || !ipaconfig->homedir_prefix) { - slapi_log_error(SLAPI_LOG_FATAL, ipa_winsync_plugin_name, - "Error: configuration failure: cannot map Windows " - "entry dn [%s], DS entry dn [%s]\n", - slapi_entry_get_dn_const(ad_entry), - slapi_entry_get_dn_const(ds_entry)); + LOG_FATAL("Error: configuration failure: cannot map Windows " + "entry dn [%s], DS entry dn [%s]\n", + slapi_entry_get_dn_const(ad_entry), + slapi_entry_get_dn_const(ds_entry)); return; } @@ -278,10 +255,9 @@ ipa_winsync_pre_ds_add_user_cb(void *cbdata, const Slapi_Entry *rawentry, { if (!slapi_entry_attr_has_syntax_value(ds_entry, type, sv)) { /* attr-value sv not found in ds_entry; add it */ - slapi_log_error(SLAPI_LOG_PLUGIN, ipa_winsync_plugin_name, - "--> ipa_winsync_pre_ds_add_user_cb -- " - "adding val for [%s] to new entry [%s]\n", - type, slapi_entry_get_dn_const(ds_entry)); + LOG("--> ipa_winsync_pre_ds_add_user_cb -- " + "adding val for [%s] to new entry [%s]\n", + type, slapi_entry_get_dn_const(ds_entry)); slapi_entry_add_value(ds_entry, type, sv); } 
@@ -310,13 +286,12 @@ ipa_winsync_pre_ds_add_user_cb(void *cbdata, const Slapi_Entry *rawentry, upn = slapi_ch_smprintf("%s@%s", samAccountName, ipaconfig->realm_name); slapi_ch_free_string(&samAccountName); } else { /* fatal error - nothing to use for krbPrincipalName */ - slapi_log_error(SLAPI_LOG_FATAL, ipa_winsync_plugin_name, - "Error creating %s for realm [%s] for Windows " - "entry dn [%s], DS entry dn [%s] - Windows entry " - "has no samAccountName, and DS entry has no uid.\n", - type, ipaconfig->realm_name, - slapi_entry_get_dn_const(ad_entry), - slapi_entry_get_dn_const(ds_entry)); + LOG_FATAL("Error creating %s for realm [%s] for Windows " + "entry dn [%s], DS entry dn [%s] - Windows entry " + "has no samAccountName, and DS entry has no uid.\n", + type, ipaconfig->realm_name, + slapi_entry_get_dn_const(ad_entry), + slapi_entry_get_dn_const(ds_entry)); } if (upn) { @@ -341,13 +316,12 @@ ipa_winsync_pre_ds_add_user_cb(void *cbdata, const Slapi_Entry *rawentry, samAccountName); slapi_ch_free_string(&samAccountName); } else { /* fatal error - nothing to use for homeDirectory */ - slapi_log_error(SLAPI_LOG_FATAL, ipa_winsync_plugin_name, - "Error creating %s for realm [%s] for Windows " - "entry dn [%s], DS entry dn [%s] - Windows entry " - "has no samAccountName, and DS entry has no uid.\n", - type, ipaconfig->realm_name, - slapi_entry_get_dn_const(ad_entry), - slapi_entry_get_dn_const(ds_entry)); + LOG_FATAL("Error creating %s for realm [%s] for Windows " + "entry dn [%s], DS entry dn [%s] - Windows entry " + "has no samAccountName, and DS entry has no uid.\n", + type, ipaconfig->realm_name, + slapi_entry_get_dn_const(ad_entry), + slapi_entry_get_dn_const(ds_entry)); } if (homeDir) { 
@@ -375,8 +349,7 @@ ipa_winsync_pre_ds_add_user_cb(void *cbdata, const Slapi_Entry *rawentry, sync_acct_disable(cbdata, rawentry, ds_entry, ACCT_DISABLE_TO_DS, ds_entry, NULL, NULL); - slapi_log_error(SLAPI_LOG_PLUGIN, ipa_winsync_plugin_name, - "<-- ipa_winsync_pre_ds_add_user_cb -- end\n"); + LOG("<-- ipa_winsync_pre_ds_add_user_cb -- end\n"); return; } @@ -385,11 +358,9 @@ static void ipa_winsync_pre_ds_add_group_cb(void *cbdata, const Slapi_Entry *rawentry, Slapi_Entry *ad_entry, Slapi_Entry *ds_entry) { - slapi_log_error(SLAPI_LOG_PLUGIN, ipa_winsync_plugin_name, - "--> ipa_winsync_pre_ds_add_group_cb -- begin\n"); + LOG("--> ipa_winsync_pre_ds_add_group_cb -- begin\n"); - slapi_log_error(SLAPI_LOG_PLUGIN, ipa_winsync_plugin_name, - "<-- ipa_winsync_pre_ds_add_group_cb -- end\n"); + LOG("<-- ipa_winsync_pre_ds_add_group_cb -- end\n"); return; } @@ -403,8 +374,7 @@ ipa_winsync_get_new_ds_user_dn_cb(void *cbdata, const Slapi_Entry *rawentry, PRBool flatten = PR_TRUE; IPA_WinSync_Config *ipaconfig = ipa_winsync_get_config(); - slapi_log_error(SLAPI_LOG_PLUGIN, ipa_winsync_plugin_name, - "--> ipa_winsync_get_new_ds_user_dn_cb -- old dn [%s] -- begin\n", + LOG("--> ipa_winsync_get_new_ds_user_dn_cb -- old dn [%s] -- begin\n", *new_dn_string); slapi_lock_mutex(ipaconfig->lock); @@ -425,8 +395,7 @@ ipa_winsync_get_new_ds_user_dn_cb(void *cbdata, const Slapi_Entry *rawentry, *new_dn_string = slapi_ch_smprintf("%s,%s", rdns[0], slapi_sdn_get_dn(ds_suffix)); ldap_value_free(rdns); - slapi_log_error(SLAPI_LOG_PLUGIN, ipa_winsync_plugin_name, - "<-- ipa_winsync_get_new_ds_user_dn_cb -- new dn [%s] -- end\n", + LOG("<-- ipa_winsync_get_new_ds_user_dn_cb -- new dn [%s] -- end\n", *new_dn_string); return; 
@@ -437,11 +406,9 @@ ipa_winsync_get_new_ds_group_dn_cb(void *cbdata, const Slapi_Entry *rawentry, Slapi_Entry *ad_entry, char **new_dn_string, const Slapi_DN *ds_suffix, const Slapi_DN *ad_suffix) { - slapi_log_error(SLAPI_LOG_PLUGIN, ipa_winsync_plugin_name, - "--> ipa_winsync_get_new_ds_group_dn_cb -- begin\n"); + LOG("--> ipa_winsync_get_new_ds_group_dn_cb -- begin\n"); - slapi_log_error(SLAPI_LOG_PLUGIN, ipa_winsync_plugin_name, - "<-- ipa_winsync_get_new_ds_group_dn_cb -- end\n"); + LOG("<-- ipa_winsync_get_new_ds_group_dn_cb -- end\n"); return; } @@ -455,8 +422,7 @@ ipa_winsync_pre_ad_mod_user_mods_cb(void *cbdata, const Slapi_Entry *rawentry, { Slapi_Mods *smods; - slapi_log_error(SLAPI_LOG_PLUGIN, ipa_winsync_plugin_name, - "--> ipa_winsync_pre_ad_mod_user_mods_cb -- begin\n"); + LOG("--> ipa_winsync_pre_ad_mod_user_mods_cb -- begin\n"); /* wrap the modstosend in a Slapi_Mods for convenience */ smods = slapi_mods_new(); @@ -467,8 +433,7 @@ ipa_winsync_pre_ad_mod_user_mods_cb(void *cbdata, const Slapi_Entry *rawentry, /* convert back to LDAPMod ** and clean up */ *modstosend = slapi_mods_get_ldapmods_passout(smods); slapi_mods_free(&smods); - slapi_log_error(SLAPI_LOG_PLUGIN, ipa_winsync_plugin_name, - "<-- ipa_winsync_pre_ad_mod_user_mods_cb -- end\n"); + LOG("<-- ipa_winsync_pre_ad_mod_user_mods_cb -- end\n"); return; } @@ -480,11 +445,9 @@ ipa_winsync_pre_ad_mod_group_mods_cb(void *cbdata, const Slapi_Entry *rawentry, LDAPMod * const *origmods, Slapi_DN *remote_dn, LDAPMod ***modstosend) { - slapi_log_error(SLAPI_LOG_PLUGIN, ipa_winsync_plugin_name, - "--> ipa_winsync_pre_ad_mod_group_mods_cb -- begin\n"); + LOG("--> ipa_winsync_pre_ad_mod_group_mods_cb -- begin\n"); - slapi_log_error(SLAPI_LOG_PLUGIN, ipa_winsync_plugin_name, - "<-- ipa_winsync_pre_ad_mod_group_mods_cb -- end\n"); + LOG("<-- ipa_winsync_pre_ad_mod_group_mods_cb -- end\n"); return; } 
@@ -493,11 +456,9 @@ static int ipa_winsync_can_add_entry_to_ad_cb(void *cbdata, const Slapi_Entry *local_entry, const Slapi_DN *remote_dn) { - slapi_log_error(SLAPI_LOG_PLUGIN, ipa_winsync_plugin_name, - "--> ipa_winsync_can_add_entry_to_ad_cb -- begin\n"); + LOG("--> ipa_winsync_can_add_entry_to_ad_cb -- begin\n"); - slapi_log_error(SLAPI_LOG_PLUGIN, ipa_winsync_plugin_name, - "<-- ipa_winsync_can_add_entry_to_ad_cb -- end\n"); + LOG("<-- ipa_winsync_can_add_entry_to_ad_cb -- end\n"); return 0; /* false - do not allow entries to be added to ad */ } @@ -506,13 +467,11 @@ static void ipa_winsync_begin_update_cb(void *cbdata, const Slapi_DN *ds_subtree, const Slapi_DN *ad_subtree, int is_total) { - slapi_log_error(SLAPI_LOG_PLUGIN, ipa_winsync_plugin_name, - "--> ipa_winsync_begin_update_cb -- begin\n"); + LOG("--> ipa_winsync_begin_update_cb -- begin\n"); ipa_winsync_config_refresh_domain(cbdata, ds_subtree, ad_subtree); - slapi_log_error(SLAPI_LOG_PLUGIN, ipa_winsync_plugin_name, - "<-- ipa_winsync_begin_update_cb -- end\n"); + LOG("<-- ipa_winsync_begin_update_cb -- end\n"); return; } @@ -521,11 +480,9 @@ static void ipa_winsync_end_update_cb(void *cbdata, const Slapi_DN *ds_subtree, const Slapi_DN *ad_subtree, int is_total) { - slapi_log_error(SLAPI_LOG_PLUGIN, ipa_winsync_plugin_name, - "--> ipa_winsync_end_update_cb -- begin\n"); + LOG("--> ipa_winsync_end_update_cb -- begin\n"); - slapi_log_error(SLAPI_LOG_PLUGIN, ipa_winsync_plugin_name, - "<-- ipa_winsync_end_update_cb -- end\n"); + LOG("<-- ipa_winsync_end_update_cb -- end\n"); return; } 
@@ -534,13 +491,11 @@ static void ipa_winsync_destroy_agmt_cb(void *cbdata, const Slapi_DN *ds_subtree, const Slapi_DN *ad_subtree) { - slapi_log_error(SLAPI_LOG_PLUGIN, ipa_winsync_plugin_name, - "--> ipa_winsync_destroy_agmt_cb -- begin\n"); + LOG("--> ipa_winsync_destroy_agmt_cb -- begin\n"); ipa_winsync_config_destroy_domain(cbdata, ds_subtree, ad_subtree); - slapi_log_error(SLAPI_LOG_PLUGIN, ipa_winsync_plugin_name, - "<-- ipa_winsync_destroy_agmt_cb -- end\n"); + LOG("<-- ipa_winsync_destroy_agmt_cb -- end\n"); return; } 
@@ -600,42 +555,35 @@ ipa_winsync_plugin_start(Slapi_PBlock *pb) int rc; Slapi_Entry *config_e = NULL; /* entry containing plugin config */ - slapi_log_error(SLAPI_LOG_PLUGIN, ipa_winsync_plugin_name, - "--> ipa_winsync_plugin_start -- begin\n"); + LOG("--> ipa_winsync_plugin_start -- begin\n"); if( slapi_apib_register(WINSYNC_v1_0_GUID, ipa_winsync_api) ) { - slapi_log_error( SLAPI_LOG_FATAL, ipa_winsync_plugin_name, - "<-- ipa_winsync_plugin_start -- failed to register winsync api -- end\n"); - return -1; + LOG_FATAL("<-- ipa_winsync_plugin_start -- failed to register winsync api -- end\n"); + return -1; } if ( slapi_pblock_get( pb, SLAPI_ADD_ENTRY, &config_e ) != 0 ) { - slapi_log_error( SLAPI_LOG_FATAL, ipa_winsync_plugin_name, - "missing config entry\n" ); - return( -1 ); + LOG_FATAL("missing config entry\n" ); + return( -1 ); } if (( rc = ipa_winsync_config( config_e )) != LDAP_SUCCESS ) { - slapi_log_error( SLAPI_LOG_FATAL, ipa_winsync_plugin_name, - "configuration failed (%s)\n", ldap_err2string( rc )); - return( -1 ); + LOG_FATAL("configuration failed (%s)\n", ldap_err2string( rc )); + return( -1 ); } - slapi_log_error(SLAPI_LOG_PLUGIN, ipa_winsync_plugin_name, - "<-- ipa_winsync_plugin_start -- end\n"); - return 0; + LOG("<-- ipa_winsync_plugin_start -- end\n"); + return 0; } static int ipa_winsync_plugin_close(Slapi_PBlock *pb) { - slapi_log_error(SLAPI_LOG_PLUGIN, ipa_winsync_plugin_name, - "--> ipa_winsync_plugin_close -- begin\n"); + LOG("--> ipa_winsync_plugin_close -- begin\n"); slapi_apib_unregister(WINSYNC_v1_0_GUID); - slapi_log_error(SLAPI_LOG_PLUGIN, ipa_winsync_plugin_name, - "<-- ipa_winsync_plugin_close -- end\n"); + LOG("<-- ipa_winsync_plugin_close -- end\n"); return 0; } 
@@ -646,8 +594,7 @@ int ipa_winsync_plugin_init(Slapi_PBlock *pb) { void *plugin_id = NULL; - slapi_log_error(SLAPI_LOG_PLUGIN, ipa_winsync_plugin_name, - "--> ipa_winsync_plugin_init -- begin\n"); + LOG("--> ipa_winsync_plugin_init -- begin\n"); if ( slapi_pblock_set( pb, SLAPI_PLUGIN_VERSION, SLAPI_PLUGIN_VERSION_01 ) != 0 || @@ -658,23 +605,20 @@ int ipa_winsync_plugin_init(Slapi_PBlock *pb) slapi_pblock_set( pb, SLAPI_PLUGIN_DESCRIPTION, (void *)&ipa_winsync_pdesc ) != 0 ) { - slapi_log_error( SLAPI_LOG_FATAL, ipa_winsync_plugin_name, - "<-- ipa_winsync_plugin_init -- failed to register plugin -- end\n"); + LOG_FATAL("<-- ipa_winsync_plugin_init -- failed to register plugin -- end\n"); return -1; } /* Retrieve and save the plugin identity to later pass to internal operations */ if (slapi_pblock_get(pb, SLAPI_PLUGIN_IDENTITY, &plugin_id) != 0) { - slapi_log_error(SLAPI_LOG_FATAL, ipa_winsync_plugin_name, - "<-- ipa_winsync_plugin_init -- failed to retrieve plugin identity -- end\n"); + LOG_FATAL("<-- ipa_winsync_plugin_init -- failed to retrieve plugin identity -- end\n"); return -1; } ipa_winsync_set_plugin_identity(plugin_id); - slapi_log_error( SLAPI_LOG_PLUGIN, ipa_winsync_plugin_name, - "<-- ipa_winsync_plugin_init -- end\n"); + LOG("<-- ipa_winsync_plugin_init -- end\n"); return 0; } @@ -704,11 +648,10 @@ ipa_check_account_lock(Slapi_Entry *ds_entry, int *isvirt) rc = 0; /* account is disabled */ } slapi_ch_free_string(&strval); - slapi_log_error(SLAPI_LOG_PLUGIN, ipa_winsync_plugin_name, - "<-- ipa_check_account_lock - entry [%s] has real " - "attribute nsAccountLock and entry %s locked\n", - slapi_entry_get_dn_const(ds_entry), - rc ? "is not" : "is"); + LOG("<-- ipa_check_account_lock - entry [%s] has real " + "attribute nsAccountLock and entry %s locked\n", + slapi_entry_get_dn_const(ds_entry), + rc ? "is not" : "is"); return rc; } 
@@ -734,18 +677,16 @@ ipa_check_account_lock(Slapi_Entry *ds_entry, int *isvirt) if (values != NULL) { slapi_vattr_values_free(&values, &actual_type_name, attr_free_flags); } - slapi_log_error(SLAPI_LOG_PLUGIN, ipa_winsync_plugin_name, - "<-- ipa_check_account_lock - entry [%s] has virtual " - "attribute nsAccountLock and entry %s locked\n", - slapi_entry_get_dn_const(ds_entry), - rc ? "is not" : "is"); + LOG("<-- ipa_check_account_lock - entry [%s] has virtual " + "attribute nsAccountLock and entry %s locked\n", + slapi_entry_get_dn_const(ds_entry), + rc ? "is not" : "is"); } else { rc = 1; /* no attr == entry is enabled */ - slapi_log_error(SLAPI_LOG_PLUGIN, ipa_winsync_plugin_name, - "<-- ipa_check_account_lock - entry [%s] does not " - "have attribute nsAccountLock - entry %s locked\n", - slapi_entry_get_dn_const(ds_entry), - rc ? "is not" : "is"); + LOG("<-- ipa_check_account_lock - entry [%s] does not " + "have attribute nsAccountLock - entry %s locked\n", + slapi_entry_get_dn_const(ds_entry), + rc ? "is not" : "is"); } return rc; @@ -784,12 +725,11 @@ do_group_modify(const char *dn, const char *modtype, int modop, const char *modv slapi_pblock_destroy(mod_pb); - slapi_log_error(SLAPI_LOG_PLUGIN, ipa_winsync_plugin_name, - "<-- do_group_modify - %s value [%s] in attribute [%s] " - "in entry [%s] - result (%d: %s)\n", - (modop & LDAP_MOD_ADD) ? "added" : "deleted", - modval, modtype, dn, - rc, ldap_err2string(rc)); + LOG("<-- do_group_modify - %s value [%s] in attribute [%s] " + "in entry [%s] - result (%d: %s)\n", + (modop & LDAP_MOD_ADD) ? "added" : "deleted", + modval, modtype, dn, + rc, ldap_err2string(rc)); return rc; } 
@@ -863,12 +803,11 @@ sync_acct_disable( adval |= mask; /* set the 0x2 disable bit */ } slapi_entry_attr_set_ulong(update_entry, "userAccountControl", adval); - slapi_log_error(SLAPI_LOG_PLUGIN, ipa_winsync_plugin_name, - "<-- sync_acct_disable - %s AD account [%s] - " - "new value is [%ld]\n", - (ds_is_enabled) ? "enabled" : "disabled", - slapi_entry_get_dn_const(update_entry), - adval); + LOG("<-- sync_acct_disable - %s AD account [%s] - " + "new value is [%ld]\n", + (ds_is_enabled) ? "enabled" : "disabled", + slapi_entry_get_dn_const(update_entry), + adval); } else { /* iterate through the mods - if there is already a mod for userAccountControl, change it - otherwise, add it */ @@ -924,12 +863,11 @@ sync_acct_disable( mod_bval->bv_val = slapi_ch_strdup(acctvalstr); mod_bval->bv_len = strlen(acctvalstr); } - slapi_log_error(SLAPI_LOG_PLUGIN, ipa_winsync_plugin_name, - "<-- sync_acct_disable - %s AD account [%s] - " - "new value is [%ld]\n", - (ds_is_enabled) ? "enabled" : "disabled", - slapi_entry_get_dn_const(ad_entry), - adval); + LOG("<-- sync_acct_disable - %s AD account [%s] - " + "new value is [%ld]\n", + (ds_is_enabled) ? "enabled" : "disabled", + slapi_entry_get_dn_const(ad_entry), + adval); } } @@ -946,10 +884,9 @@ sync_acct_disable( if (update_entry) { slapi_entry_attr_set_charptr(update_entry, attrtype, attrval); - slapi_log_error(SLAPI_LOG_PLUGIN, ipa_winsync_plugin_name, - "<-- sync_acct_disable - %s DS account [%s]\n", - (ad_is_enabled) ? "enabled" : "disabled", - slapi_entry_get_dn_const(ds_entry)); + LOG("<-- sync_acct_disable - %s DS account [%s]\n", + (ad_is_enabled) ? "enabled" : "disabled", + slapi_entry_get_dn_const(ds_entry)); } else { /* do mod */ struct berval tmpbval = {0, NULL}; Slapi_Mod *smod = slapi_mod_new(); 
@@ -964,10 +901,9 @@ sync_acct_disable( slapi_mods_add_ldapmod(smods, slapi_mod_get_ldapmod_passout(smod)); slapi_mod_free(&smod); - slapi_log_error(SLAPI_LOG_PLUGIN, ipa_winsync_plugin_name, - "<-- sync_acct_disable - %s DS account [%s]\n", - (ad_is_enabled) ? "enabled" : "disabled", - slapi_entry_get_dn_const(ds_entry)); + LOG("<-- sync_acct_disable - %s DS account [%s]\n", + (ad_is_enabled) ? "enabled" : "disabled", + slapi_entry_get_dn_const(ds_entry)); if (do_modify) { *do_modify = 1; /* added mods */ } 
@@ -993,27 +929,24 @@ sync_acct_disable( } dsdn = slapi_entry_get_dn_const(ds_entry); - slapi_log_error(SLAPI_LOG_PLUGIN, ipa_winsync_plugin_name, - "<-- sync_acct_disable - %s DS account [%s] - " - "deldn [%s] adddn [%s]\n", - (ad_is_enabled) ? "enabling" : "disabling", - slapi_entry_get_dn_const(ds_entry), - deldn, adddn); + LOG("<-- sync_acct_disable - %s DS account [%s] - " + "deldn [%s] adddn [%s]\n", + (ad_is_enabled) ? "enabling" : "disabling", + slapi_entry_get_dn_const(ds_entry), + deldn, adddn); /* first, delete the user from the deldn group - ignore (but log) value not found errors - means the user wasn't there yet */ rc = do_group_modify(deldn, "member", LDAP_MOD_DELETE, dsdn); if (rc == LDAP_NO_SUCH_ATTRIBUTE) { /* either the value of the attribute doesn't exist */ - slapi_log_error(SLAPI_LOG_PLUGIN, ipa_winsync_plugin_name, - "Could not delete user [%s] from the [%s] group: " - "either the user was not in the group already, " - "or the group had no members\n", - dsdn, deldn); + LOG("Could not delete user [%s] from the [%s] group: " + "either the user was not in the group already, " + "or the group had no members\n", + dsdn, deldn); } else if (rc != LDAP_SUCCESS) { - slapi_log_error(SLAPI_LOG_FATAL, ipa_winsync_plugin_name, - "Error deleting user [%s] from the [%s] group: " - "(%d - %s)\n", dsdn, deldn, rc, - ldap_err2string(rc)); + LOG_FATAL("Error deleting user [%s] from the [%s] group: " + "(%d - %s)\n", dsdn, deldn, rc, + ldap_err2string(rc)); } /* next, add the user to the adddn group - ignore (but log) if the user is already in that group */ 
@@ -1024,15 +957,13 @@ sync_acct_disable( } if (rc == LDAP_TYPE_OR_VALUE_EXISTS) { /* user already in that group */ - slapi_log_error(SLAPI_LOG_PLUGIN, ipa_winsync_plugin_name, - "Could not add user [%s] to the [%s] group: " - "user is already in that group\n", - dsdn, adddn); + LOG("Could not add user [%s] to the [%s] group: " + "user is already in that group\n", + dsdn, adddn); } else if (rc != LDAP_SUCCESS) { - slapi_log_error(SLAPI_LOG_FATAL, ipa_winsync_plugin_name, - "Error adding user [%s] to the [%s] group: " - "(%d - %s)\n", dsdn, adddn, rc, - ldap_err2string(rc)); + LOG_FATAL("Error adding user [%s] to the [%s] group: " + "(%d - %s)\n", dsdn, adddn, rc, + ldap_err2string(rc)); } #ifndef MEMBEROF_WORKS_FOR_INTERNAL_OPS /* memberOf doesn't currently listen for internal operations @@ -1074,10 +1005,9 @@ sync_acct_disable( slapi_value_free(&sv); } #endif /* MEMBEROF_WORKS_FOR_INTERNAL_OPS */ - slapi_log_error(SLAPI_LOG_PLUGIN, ipa_winsync_plugin_name, - "<-- sync_acct_disable - %s DS account [%s]\n", - (ad_is_enabled) ? "enabled" : "disabled", - slapi_entry_get_dn_const(ds_entry)); + LOG("<-- sync_acct_disable - %s DS account [%s]\n", + (ad_is_enabled) ? "enabled" : "disabled", + slapi_entry_get_dn_const(ds_entry)); } } @@ -1125,10 +1055,9 @@ find_and_add_mod(Slapi_Entry *ent, Slapi_Mods *smods, const char *type, if (do_modify) { *do_modify = 1; /* added a mod */ } - slapi_log_error(SLAPI_LOG_PLUGIN, ipa_winsync_plugin_name, - "<-- find_and_add_mod - added value [%s] " - "to attribute [%s] in entry [%s]\n", - val, type, slapi_entry_get_dn_const(ent)); + LOG("<-- find_and_add_mod - added value [%s] " + "to attribute [%s] in entry [%s]\n", + val, type, slapi_entry_get_dn_const(ent)); } slapi_value_free(&sv); 
@@ -1165,11 +1094,10 @@ do_force_sync( return; /* not supported */ } - slapi_log_error(SLAPI_LOG_PLUGIN, ipa_winsync_plugin_name, - "do_force_sync - forcing sync of AD entry [%s] " - "with DS entry [%s]\n", - slapi_entry_get_dn_const(ad_entry), - slapi_entry_get_dn_const(ds_entry)); + LOG("do_force_sync - forcing sync of AD entry [%s] " + "with DS entry [%s]\n", + slapi_entry_get_dn_const(ad_entry), + slapi_entry_get_dn_const(ds_entry)); find_and_add_mod(ds_entry, smods, "objectClass", "ntUser", (size_t)6, do_modify); diff --git a/daemons/ipa-slapi-plugins/ipa-winsync/ipa-winsync.h b/daemons/ipa-slapi-plugins/ipa-winsync/ipa-winsync.h index 58a9a6c..338e67c 100644 --- a/daemons/ipa-slapi-plugins/ipa-winsync/ipa-winsync.h +++ b/daemons/ipa-slapi-plugins/ipa-winsync/ipa-winsync.h @@ -52,7 +52,9 @@ #include #endif /* WINSYNC_TEST_IPA */ -#define IPA_WINSYNC_PLUGIN_NAME "ipa-winsync" +#include "util.h" + +#define IPA_PLUGIN_NAME "ipa-winsync" typedef struct ipa_winsync_config_struct { Slapi_Mutex *lock; /* for config access */ -- 1.7.3.2 -------------- next part -------------- >From bb01c43fa062e2ab5785aae741dafe92765996d9 Mon Sep 17 00:00:00 2001 From: Jakub Hrozek Date: Thu, 4 Nov 2010 17:08:26 +0100 Subject: [PATCH 2/6] Stricter compilation flags Use a little stricter compilation flags, in particular -Wall and treat implicit function declarations as errors. --- daemons/Makefile.am | 8 ++++++++ daemons/configure.ac | 2 ++ daemons/ipa-kpasswd/Makefile.am | 1 + .../ipa-slapi-plugins/ipa-enrollment/Makefile.am | 1 + daemons/ipa-slapi-plugins/ipa-modrdn/Makefile.am | 1 + .../ipa-slapi-plugins/ipa-pwd-extop/Makefile.am | 1 + daemons/ipa-slapi-plugins/ipa-uuid/Makefile.am | 1 + daemons/ipa-slapi-plugins/ipa-version/Makefile.am | 1 + daemons/ipa-slapi-plugins/ipa-winsync/Makefile.am | 1 + ipa-client/Makefile.am | 9 +++++++++ ipa-client/configure.ac | 2 ++ 11 files changed, 28 insertions(+), 0 deletions(-) 
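Review bot: the trace at the end of the do_group_modify hunk (`(modop & LDAP_MOD_ADD) ? "added" : "deleted"`) always prints "deleted", because LDAP_MOD_ADD is 0x00 in both the OpenLDAP and Mozilla LDAP headers and a bitwise AND with zero is never true. Since this patch already rewrites that line, change the test to `((modop & LDAP_MOD_OP) == LDAP_MOD_ADD) ? "added" : "deleted"` so the log record of which group a user was put into is correct; this message is the only audit trail for the enabled/disabled group changes below.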
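Review bot: in the ipa_winsync_plugin_start hunk, the two LOG_FATAL early returns that follow a successful slapi_apib_register ("missing config entry" and "configuration failed") leave the winsync API registered under WINSYNC_v1_0_GUID even though the plugin reports failure; add slapi_apib_unregister(WINSYNC_v1_0_GUID) before each `return( -1 );`. While these lines are being touched, settle on one of `return -1;` and `return( -1 );`, which the hunk now mixes.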
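Review bot: in the sync_acct_disable group-membership hunk, a failure to remove the user from the deldn group that is anything other than LDAP_NO_SUCH_ATTRIBUTE is logged with LOG_FATAL, but, as far as the visible context shows, execution then falls through to "next, add the user to the adddn group", so an account being disabled can end up a member of both the enabled and the disabled group. Because enablement is derived from this membership, skip the add (or return and let the next sync retry) when rc is neither LDAP_SUCCESS nor LDAP_NO_SUCH_ATTRIBUTE.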
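Review bot: in the ipa-winsync.h hunk, `#include "util.h"` is placed before `#define IPA_PLUGIN_NAME "ipa-winsync"`; if the shared header's LOG/LOG_FATAL macros refer to IPA_PLUGIN_NAME, defining the name first is the order a reader of util.h will expect and avoids depending on lazy macro expansion. Also, IPA_WINSYNC_PLUGIN_NAME is removed rather than kept as an alias, so check ipa-winsync-config.c and the other winsync sources for remaining references before merging.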
diff --git a/daemons/Makefile.am b/daemons/Makefile.am index 9960789..7b2b997 100644 --- a/daemons/Makefile.am +++ b/daemons/Makefile.am @@ -4,6 +4,14 @@ AUTOMAKE_OPTIONS = 1.7 NULL = +AM_CFLAGS = $(NULL) +if HAVE_GCC + AM_CFLAGS += -Wall -Wshadow -Wstrict-prototypes -Wpointer-arith \ + -Wcast-align -Werror-implicit-function-declaration \ + $(NULL) +endif +export AM_CFLAGS + SUBDIRS = \ ipa-kpasswd \ ipa-slapi-plugins \ diff --git a/daemons/configure.ac b/daemons/configure.ac index 53806f5..da86557 100644 --- a/daemons/configure.ac +++ b/daemons/configure.ac @@ -16,6 +16,8 @@ AC_PROG_LIBTOOL AC_HEADER_STDC +AM_CONDITIONAL([HAVE_GCC], [test "$ac_cv_prog_gcc" = yes]) + AC_SUBST(VERSION) dnl --------------------------------------------------------------------------- diff --git a/daemons/ipa-kpasswd/Makefile.am b/daemons/ipa-kpasswd/Makefile.am index ce241ca..40e8c58 100644 --- a/daemons/ipa-kpasswd/Makefile.am +++ b/daemons/ipa-kpasswd/Makefile.am @@ -8,6 +8,7 @@ INCLUDES = \ -DLIBDIR=\""$(libdir)"\" \ -DLIBEXECDIR=\""$(libexecdir)"\" \ -DDATADIR=\""$(datadir)"\" \ + $(AM_CFLAGS) \ $(OPENLDAP_CFLAGS) \ $(KRB5_CFLAGS) \ $(WARN_CFLAGS) \ diff --git a/daemons/ipa-slapi-plugins/ipa-enrollment/Makefile.am b/daemons/ipa-slapi-plugins/ipa-enrollment/Makefile.am index fc3c55c..d041815 100644 --- a/daemons/ipa-slapi-plugins/ipa-enrollment/Makefile.am +++ b/daemons/ipa-slapi-plugins/ipa-enrollment/Makefile.am @@ -11,6 +11,7 @@ INCLUDES = \ -DLIBDIR=\""$(libdir)"\" \ -DLIBEXECDIR=\""$(libexecdir)"\" \ -DDATADIR=\""$(datadir)"\" \ + $(AM_CFLAGS) \ $(MOZLDAP_CFLAGS) \ $(KRB5_CFLAGS) \ $(WARN_CFLAGS) \ diff --git a/daemons/ipa-slapi-plugins/ipa-modrdn/Makefile.am b/daemons/ipa-slapi-plugins/ipa-modrdn/Makefile.am index 3b0ff62..b798687 100644 --- a/daemons/ipa-slapi-plugins/ipa-modrdn/Makefile.am +++ b/daemons/ipa-slapi-plugins/ipa-modrdn/Makefile.am 
@@ -12,6 +12,7 @@ INCLUDES = \ -DLIBDIR=\""$(libdir)"\" \ -DLIBEXECDIR=\""$(libexecdir)"\" \ -DDATADIR=\""$(datadir)"\" \ + $(AM_CFLAGS) \ $(MOZLDAP_CFLAGS) \ $(WARN_CFLAGS) \ $(NULL) diff --git a/daemons/ipa-slapi-plugins/ipa-pwd-extop/Makefile.am b/daemons/ipa-slapi-plugins/ipa-pwd-extop/Makefile.am index 3577e48..6f6092d 100644 --- a/daemons/ipa-slapi-plugins/ipa-pwd-extop/Makefile.am +++ b/daemons/ipa-slapi-plugins/ipa-pwd-extop/Makefile.am @@ -11,6 +11,7 @@ INCLUDES = \ -DLIBDIR=\""$(libdir)"\" \ -DLIBEXECDIR=\""$(libexecdir)"\" \ -DDATADIR=\""$(datadir)"\" \ + $(AM_CFLAGS) \ $(MOZLDAP_CFLAGS) \ $(KRB5_CFLAGS) \ $(SSL_CFLAGS) \ diff --git a/daemons/ipa-slapi-plugins/ipa-uuid/Makefile.am b/daemons/ipa-slapi-plugins/ipa-uuid/Makefile.am index 1e5d979..7c3709b 100644 --- a/daemons/ipa-slapi-plugins/ipa-uuid/Makefile.am +++ b/daemons/ipa-slapi-plugins/ipa-uuid/Makefile.am @@ -12,6 +12,7 @@ INCLUDES = \ -DLIBDIR=\""$(libdir)"\" \ -DLIBEXECDIR=\""$(libexecdir)"\" \ -DDATADIR=\""$(datadir)"\" \ + $(AM_CFLAGS) \ $(MOZLDAP_CFLAGS) \ $(WARN_CFLAGS) \ $(NULL) diff --git a/daemons/ipa-slapi-plugins/ipa-version/Makefile.am b/daemons/ipa-slapi-plugins/ipa-version/Makefile.am index f90543e..d26a7d2 100644 --- a/daemons/ipa-slapi-plugins/ipa-version/Makefile.am +++ b/daemons/ipa-slapi-plugins/ipa-version/Makefile.am @@ -13,6 +13,7 @@ INCLUDES = \ -DLIBDIR=\""$(libdir)"\" \ -DLIBEXECDIR=\""$(libexecdir)"\" \ -DDATADIR=\""$(datadir)"\" \ + $(AM_CFLAGS) \ $(MOZLDAP_CFLAGS) \ $(KRB5_CFLAGS) \ $(WARN_CFLAGS) \ diff --git a/daemons/ipa-slapi-plugins/ipa-winsync/Makefile.am b/daemons/ipa-slapi-plugins/ipa-winsync/Makefile.am index 79c37be..82a934a 100644 --- a/daemons/ipa-slapi-plugins/ipa-winsync/Makefile.am +++ b/daemons/ipa-slapi-plugins/ipa-winsync/Makefile.am @@ -11,6 +11,7 @@ INCLUDES = \ -DLIBDIR=\""$(libdir)"\" \ -DLIBEXECDIR=\""$(libexecdir)"\" \ -DDATADIR=\""$(datadir)"\" \ + $(AM_CFLAGS) \ $(MOZLDAP_CFLAGS) \ $(WARN_CFLAGS) \ $(NULL) 
diff --git a/ipa-client/Makefile.am b/ipa-client/Makefile.am index 2fc45be..655a686 100644 --- a/ipa-client/Makefile.am +++ b/ipa-client/Makefile.am @@ -4,6 +4,14 @@ AUTOMAKE_OPTIONS = 1.7 NULL = +AM_CFLAGS = $(NULL) +if HAVE_GCC + AM_CFLAGS += -Wall -Wshadow -Wstrict-prototypes -Wpointer-arith \ + -Wcast-align -Werror-implicit-function-declaration \ + $(NULL) +endif +export AM_CFLAGS + INCLUDES = \ -I. \ -I$(srcdir) \ @@ -13,6 +21,7 @@ INCLUDES = \ -DLIBEXECDIR=\""$(libexecdir)"\" \ -DDATADIR=\""$(datadir)"\" \ -DLOCALEDIR=\""$(localedir)"\" \ + $(AM_CFLAGS) \ $(KRB5_CFLAGS) \ $(OPENLDAP_CFLAGS) \ $(MOZLDAP_CFLAGS) \ diff --git a/ipa-client/configure.ac b/ipa-client/configure.ac index bfa77ce..95becd3 100644 --- a/ipa-client/configure.ac +++ b/ipa-client/configure.ac @@ -19,6 +19,8 @@ AC_DISABLE_STATIC AC_HEADER_STDC +AM_CONDITIONAL([HAVE_GCC], [test "$ac_cv_prog_gcc" = yes]) + AC_SUBST(VERSION) dnl --------------------------------------------------------------------------- -- 1.7.3.2 -------------- next part -------------- >From 60c03071911b474cb49dc4a7bbb88a0085c6a5df Mon Sep 17 00:00:00 2001 From: Jakub Hrozek Date: Thu, 4 Nov 2010 19:29:01 +0100 Subject: [PATCH 3/6] Use internal implementation of internal Kerberos functions Don't use KRB5_PRIVATE. The patch implements and uses the following krb5 functions that are otherwise private in recent MIT Kerberos releases: * krb5_principal2salt_norealm * krb5_free_ktypes --- .../ipa-slapi-plugins/ipa-pwd-extop/Makefile.am | 4 ++ daemons/ipa-slapi-plugins/ipa-pwd-extop/ipapwd.h | 1 - .../ipa-pwd-extop/ipapwd_encoding.c | 1 + ipa-client/Makefile.am | 5 ++ ipa-client/ipa-getkeytab.c | 4 +- util/ipa_krb5.c | 46 ++++++++++++++++++++ util/ipa_krb5.h | 12 +++++ 7 files changed, 71 insertions(+), 2 deletions(-) create mode 100644 util/ipa_krb5.c create mode 100644 util/ipa_krb5.h diff --git a/daemons/ipa-slapi-plugins/ipa-pwd-extop/Makefile.am b/daemons/ipa-slapi-plugins/ipa-pwd-extop/Makefile.am index 6f6092d..41d9f23 100644 
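Review bot: in the daemons/Makefile.am hunk, propagating the warning flags with `export AM_CFLAGS` and then adding `$(AM_CFLAGS)` to every plugin's INCLUDES has two problems: automake's compile rule already expands $(AM_CFLAGS), so each flag appears twice on the command line, and the export only reaches sub-makes started from the top level, so running `make` directly inside e.g. daemons/ipa-uuid sees an empty AM_CFLAGS and silently builds without the warnings. Every INCLUDES list touched by this patch already carries $(WARN_CFLAGS); set that variable from configure.ac with AC_SUBST instead and drop both the export and the INCLUDES additions. INCLUDES is also the preprocessor-flag variable, so -W options do not belong there in the first place.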
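Review bot: in both configure.ac hunks, `test "$ac_cv_prog_gcc" = yes` keys off an internal cache-variable name that newer autoconf only keeps for backward compatibility; AC_PROG_CC documents `$GCC` (set to "yes" for GNU C) for exactly this purpose, so `AM_CONDITIONAL([HAVE_GCC], [test "x$GCC" = xyes])` is the supported spelling.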
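Review bot: in the ipa-client/Makefile.am hunk, -Werror-implicit-function-declaration is a good addition (an implicitly declared function is assumed to return int, which truncates pointer return values on 64-bit builds), but the list should also include -Wformat-security, or -Wformat=2, in both Makefile.am files: the LOG() macro conversion earlier in this series routes all plugin logging through printf-style format strings, and this flag catches a non-literal format passed to LOG() or fprintf() at compile time.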
--- a/daemons/ipa-slapi-plugins/ipa-pwd-extop/Makefile.am +++ b/daemons/ipa-slapi-plugins/ipa-pwd-extop/Makefile.am @@ -1,11 +1,14 @@ NULL = PLUGIN_COMMON_DIR=../common +KRB5_UTIL_DIR= ../../../util +KRB5_UTIL_SRCS=$(KRB5_UTIL_DIR)/ipa_krb5.c INCLUDES = \ -I. \ -I$(srcdir) \ -I$(PLUGIN_COMMON_DIR) \ + -I$(KRB5_UTIL_DIR) \ -DPREFIX=\""$(prefix)"\" \ -DBINDIR=\""$(bindir)"\" \ -DLIBDIR=\""$(libdir)"\" \ @@ -28,6 +31,7 @@ libipa_pwd_extop_la_SOURCES = \ ipapwd_encoding.c \ ipapwd_prepost.c \ ipa_pwd_extop.c \ + $(KRB5_UTIL_SRCS) \ $(NULL) libipa_pwd_extop_la_LDFLAGS = -avoid-version diff --git a/daemons/ipa-slapi-plugins/ipa-pwd-extop/ipapwd.h b/daemons/ipa-slapi-plugins/ipa-pwd-extop/ipapwd.h index 523934c..bc52107 100644 --- a/daemons/ipa-slapi-plugins/ipa-pwd-extop/ipapwd.h +++ b/daemons/ipa-slapi-plugins/ipa-pwd-extop/ipapwd.h @@ -52,7 +52,6 @@ #include #include #include -#define KRB5_PRIVATE 1 #include #include #include diff --git a/daemons/ipa-slapi-plugins/ipa-pwd-extop/ipapwd_encoding.c b/daemons/ipa-slapi-plugins/ipa-pwd-extop/ipapwd_encoding.c index 4513501..37002d3 100644 --- a/daemons/ipa-slapi-plugins/ipa-pwd-extop/ipapwd_encoding.c +++ b/daemons/ipa-slapi-plugins/ipa-pwd-extop/ipapwd_encoding.c @@ -54,6 +54,7 @@ #include "ipapwd.h" #include "util.h" +#include "ipa_krb5.h" /* krbTicketFlags */ #define KTF_DISALLOW_POSTDATED 0x00000001 diff --git a/ipa-client/Makefile.am b/ipa-client/Makefile.am index 655a686..ebb9a83 100644 --- a/ipa-client/Makefile.am +++ b/ipa-client/Makefile.am @@ -12,9 +12,13 @@ if HAVE_GCC endif export AM_CFLAGS +KRB5_UTIL_DIR=../util +KRB5_UTIL_SRCS=$(KRB5_UTIL_DIR)/ipa_krb5.c + INCLUDES = \ -I. \ -I$(srcdir) \ + -I$(KRB5_UTIL_DIR) \ -DPREFIX=\""$(prefix)"\" \ -DBINDIR=\""$(bindir)"\" \ -DLIBDIR=\""$(libdir)"\" \ @@ -38,6 +42,7 @@ sbin_PROGRAMS = \ ipa_getkeytab_SOURCES = \ ipa-getkeytab.c \ + $(KRB5_UTIL_SRCS) \ $(NULL) ipa_getkeytab_LDADD = \ 
diff --git a/ipa-client/ipa-getkeytab.c b/ipa-client/ipa-getkeytab.c index a54c57c..8bdc6b6 100644 --- a/ipa-client/ipa-getkeytab.c +++ b/ipa-client/ipa-getkeytab.c @@ -27,10 +27,10 @@ #include #include #include +#include #include #include #include -#define KRB5_PRIVATE 1 #include #ifdef WITH_MOZLDAP #include @@ -44,6 +44,8 @@ #include #define _(STRING) gettext(STRING) +#include "ipa_krb5.h" + /* Salt types */ #define NO_SALT -1 #define KRB5_KDB_SALTTYPE_NORMAL 0 diff --git a/util/ipa_krb5.c b/util/ipa_krb5.c new file mode 100644 index 0000000..4311705 --- /dev/null +++ b/util/ipa_krb5.c @@ -0,0 +1,46 @@ +#include +#include +#include + +#include "ipa_krb5.h" + +void +krb5_free_ktypes(krb5_context context, krb5_enctype *val) +{ + free(val); +} + +/* + * Convert a krb5_principal into the default salt for that principal. + */ +krb5_error_code +krb5_principal2salt_norealm(krb5_context context, krb5_const_principal pr, krb5_data *ret) +{ + unsigned int size = 0, offset=0; + krb5_int32 nelem; + register int i; + + if (pr == 0) { + ret->length = 0; + ret->data = 0; + return 0; + } + + nelem = krb5_princ_size(context, pr); + + for (i = 0; i < (int) nelem; i++) + size += krb5_princ_component(context, pr, i)->length; + + ret->length = size; + if (!(ret->data = malloc (size))) + return ENOMEM; + + for (i = 0; i < (int) nelem; i++) { + memcpy(&ret->data[offset], krb5_princ_component(context, pr, i)->data, + krb5_princ_component(context, pr, i)->length); + offset += krb5_princ_component(context, pr, i)->length; + } + return 0; +} + + diff --git a/util/ipa_krb5.h b/util/ipa_krb5.h new file mode 100644 index 0000000..7f00889 --- /dev/null +++ b/util/ipa_krb5.h 
@@ -0,0 +1,12 @@ +#ifndef __IPA_KRB5_H_ +#define __IPA_KRB5_H_ + +#include + +void +krb5_free_ktypes(krb5_context context, krb5_enctype *val); + +krb5_error_code +krb5_principal2salt_norealm(krb5_context context, krb5_const_principal pr, krb5_data *ret); + +#endif /* __IPA_KRB5_H_ */ -- 1.7.3.2 -------------- next part -------------- >From 1254aba9d610c040202342f2191c00cc5e0d29e8 Mon Sep 17 00:00:00 2001 From: Jakub Hrozek Date: Thu, 4 Nov 2010 19:41:12 +0100 Subject: [PATCH 4/6] Don't use deprecated ldap_bind_s ldap_bind_s is marked as deprecated in new libldap releases. --- ipa-client/ipa-getkeytab.c | 12 +++++++++++- 1 files changed, 11 insertions(+), 1 deletions(-) diff --git a/ipa-client/ipa-getkeytab.c b/ipa-client/ipa-getkeytab.c index 8bdc6b6..daf6f20 100644 --- a/ipa-client/ipa-getkeytab.c +++ b/ipa-client/ipa-getkeytab.c @@ -58,6 +58,10 @@ #define KEYTAB_SET_OID "2.16.840.1.113730.3.8.3.1" #define KEYTAB_RET_OID "2.16.840.1.113730.3.8.3.2" +#ifndef discard_const +#define discard_const(ptr) ((void *)((uintptr_t)(ptr))) +#endif + struct krb_key_salt { krb5_enctype enctype; krb5_int32 salttype; @@ -576,7 +580,13 @@ static int ldap_set_keytab(krb5_context krbctx, } if (binddn) { - ret = ldap_bind_s(ld, binddn, bindpw, LDAP_AUTH_SIMPLE); + struct berval bv; + + bv.bv_val = discard_const(bindpw); + bv.bv_len = strlen(bindpw); + + ret = ldap_sasl_bind_s(ld, binddn, LDAP_SASL_SIMPLE, &bv, + NULL, NULL, NULL); if (ret != LDAP_SUCCESS) { fprintf(stderr, _("Simple bind failed\n")); goto error_out; -- 1.7.3.2 -------------- next part -------------- >From 252743820f6e3f9179a88d4ecdadf1beed7625cd Mon Sep 17 00:00:00 2001 
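Review bot: in util/ipa_krb5.c, the replacement functions keep the names krb5_principal2salt_norealm and krb5_free_ktypes, which are libkrb5's own (now private) symbols; libipa_pwd_extop is loaded into ns-slapd alongside libkrb5 and ipa-getkeytab links libkrb5 too, so on a krb5 build that still exports those names there are two definitions and symbol binding order decides which one runs. Give them an ipa_ prefix (ipa_krb5_principal2salt_norealm, ipa_krb5_free_ktypes) and update the callers. Also, for a principal whose components sum to zero bytes, `malloc(0)` may legitimately return NULL and the function reports ENOMEM after having already set ret->length; handle size == 0 explicitly, or set ret->length only once the allocation has succeeded.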
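Review bot: in util/ipa_krb5.h, the include guard `__IPA_KRB5_H_` begins with a double underscore, an identifier form C reserves for the implementation; use IPA_KRB5_H, and pick the same style for any further headers added under util/.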
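Review bot: in the ldap_set_keytab hunk of patch 4, `bv.bv_len = strlen(bindpw);` is reached whenever binddn is set, so a NULL bindpw now dereferences NULL where ldap_bind_s used to accept it; and a bind DN with an empty credential is an LDAP unauthenticated bind, which, depending on server configuration (389-ds' nsslapd-allow-unauthenticated-binds), is either rejected or treated as anonymous, after which the keytab-set extended operation would run with no identity. Check `bindpw != NULL && *bindpw != '\0'` before building the berval and fail with a clear message otherwise. The discard_const() cast itself is fine: ldap_sasl_bind_s takes a non-const `struct berval *`.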
From: Jakub Hrozek Date: Wed, 3 Nov 2010 16:54:44 +0100 Subject: [PATCH 5/6] Silence compilation warnings in SLAPI plugins --- daemons/ipa-slapi-plugins/ipa-modrdn/ipa_modrdn.c | 27 ++++++++----------- .../ipa-pwd-extop/ipa_pwd_extop.c | 2 +- daemons/ipa-slapi-plugins/ipa-pwd-extop/ipapwd.h | 1 + .../ipa-pwd-extop/ipapwd_common.c | 18 ++++++------- .../ipa-pwd-extop/ipapwd_prepost.c | 3 +- daemons/ipa-slapi-plugins/ipa-uuid/ipa_uuid.c | 21 ++++++--------- .../ipa-winsync/ipa-winsync-config.c | 11 +++----- .../ipa-slapi-plugins/ipa-winsync/ipa-winsync.c | 18 +++++++------ .../ipa-slapi-plugins/ipa-winsync/ipa-winsync.h | 5 +++- 9 files changed, 50 insertions(+), 56 deletions(-) diff --git a/daemons/ipa-slapi-plugins/ipa-modrdn/ipa_modrdn.c b/daemons/ipa-slapi-plugins/ipa-modrdn/ipa_modrdn.c index 1e094f1..5a0cef5 100644 --- a/daemons/ipa-slapi-plugins/ipa-modrdn/ipa_modrdn.c +++ b/daemons/ipa-slapi-plugins/ipa-modrdn/ipa_modrdn.c @@ -111,9 +111,9 @@ static int ipamodrdn_close(Slapi_PBlock * pb); * Local operation functions * */ -static int ipamodrdn_load_plugin_config(); +static int ipamodrdn_load_plugin_config(void); static int ipamodrdn_parse_config_entry(Slapi_Entry * e, bool apply); -static void ipamodrdn_delete_config(); +static void ipamodrdn_delete_config(void); static void ipamodrdn_free_config_entry(struct configEntry ** entry); /** @@ -135,7 +135,7 @@ static int ipamodrdn_post_op(Slapi_PBlock * pb); /** * debug functions - global, for the debugger */ -void ipamodrdn_dump_config(); +void ipamodrdn_dump_config(void); void ipamodrdn_dump_config_entry(struct configEntry *); /** 
@@ -143,17 +143,17 @@ void ipamodrdn_dump_config_entry(struct configEntry *); * Deal with cache locking * */ -void ipamodrdn_read_lock() +void ipamodrdn_read_lock(void) { PR_RWLock_Rlock(g_ipamodrdn_cache_lock); } -void ipamodrdn_write_lock() +void ipamodrdn_write_lock(void) { PR_RWLock_Wlock(g_ipamodrdn_cache_lock); } -void ipamodrdn_unlock() +void ipamodrdn_unlock(void) { PR_RWLock_Unlock(g_ipamodrdn_cache_lock); } @@ -163,7 +163,7 @@ void ipamodrdn_unlock() * Get the plug-in version * */ -int ipamodrdn_version() +int ipamodrdn_version(void) { return IPAMODRDN_PLUGIN_VERSION; } @@ -176,7 +176,7 @@ void setPluginID(void *pluginID) _PluginID = pluginID; } -void *getPluginID() +void *getPluginID(void) { return _PluginID; } @@ -186,7 +186,7 @@ void setPluginDN(char *pluginDN) _PluginDN = pluginDN; } -char *getPluginDN() +char *getPluginDN(void) { return _PluginDN; } @@ -330,12 +330,11 @@ ipamodrdn_close(Slapi_PBlock * pb) * ------ cn=etc etc */ static int -ipamodrdn_load_plugin_config() +ipamodrdn_load_plugin_config(void) { int status = EOK; int result; int i; - time_t now; Slapi_PBlock *search_pb; Slapi_Entry **entries = NULL; @@ -399,7 +398,6 @@ ipamodrdn_parse_config_entry(Slapi_Entry * e, bool apply) struct configEntry *config_entry; PRCList *list; int entry_added = 0; - int i = 0; int ret = EOK; LOG_TRACE("--in-->\n"); @@ -512,7 +510,6 @@ ipamodrdn_parse_config_entry(Slapi_Entry * e, bool apply) break; } - next: list = PR_NEXT_LINK(list); if (ipamodrdn_global_config == list) { @@ -594,7 +591,7 @@ ipamodrdn_delete_configEntry(PRCList *entry) } static void -ipamodrdn_delete_config() +ipamodrdn_delete_config(void) { PRCList *list; @@ -710,8 +707,6 @@ static int ipamodrdn_post_op(Slapi_PBlock *pb) struct slapi_entry *e = NULL; Slapi_Attr *sattr = NULL; Slapi_Attr *tattr = NULL; - char *value = NULL; - char *errstr = NULL; int ret = LDAP_SUCCESS; LOG_TRACE("--in-->\n"); 
diff --git a/daemons/ipa-slapi-plugins/ipa-pwd-extop/ipa_pwd_extop.c b/daemons/ipa-slapi-plugins/ipa-pwd-extop/ipa_pwd_extop.c index 8df766e..f347eef 100644 --- a/daemons/ipa-slapi-plugins/ipa-pwd-extop/ipa_pwd_extop.c +++ b/daemons/ipa-slapi-plugins/ipa-pwd-extop/ipa_pwd_extop.c @@ -916,7 +916,7 @@ static int ipapwd_setkeytab(Slapi_PBlock *pb, struct ipapwd_krbcfg *krbcfg) if (ret != -1) { struct berval *bvp; - LDAPControl new_ctrl = {0}; + LDAPControl new_ctrl; ret = ber_flatten(ber, &bvp); if (ret == -1) { diff --git a/daemons/ipa-slapi-plugins/ipa-pwd-extop/ipapwd.h b/daemons/ipa-slapi-plugins/ipa-pwd-extop/ipapwd.h index bc52107..b9ad01f 100644 --- a/daemons/ipa-slapi-plugins/ipa-pwd-extop/ipapwd.h +++ b/daemons/ipa-slapi-plugins/ipa-pwd-extop/ipapwd.h @@ -131,6 +131,7 @@ Slapi_Value **ipapwd_setPasswordHistory(Slapi_Mods *smods, int ipapwd_apply_mods(const char *dn, Slapi_Mods *mods); void ipapwd_free_slapi_value_array(Slapi_Value ***svals); void free_ipapwd_krbcfg(struct ipapwd_krbcfg **cfg); +void hexbuf(char *out, const uint8_t *in); /* from ipapwd_encoding.c */ struct ipapwd_krbkeydata { diff --git a/daemons/ipa-slapi-plugins/ipa-pwd-extop/ipapwd_common.c b/daemons/ipa-slapi-plugins/ipa-pwd-extop/ipapwd_common.c index 92c388a..0e7f2aa 100644 --- a/daemons/ipa-slapi-plugins/ipa-pwd-extop/ipapwd_common.c +++ b/daemons/ipa-slapi-plugins/ipa-pwd-extop/ipapwd_common.c @@ -564,7 +564,7 @@ static int ipapwd_sv_pw_cmp(const void *pv1, const void *pv2) int ipapwd_entry_checks(Slapi_PBlock *pb, struct slapi_entry *e, int *is_root, int *is_krb, int *is_smb, - char *attr, int access) + char *attr, int acc) { Slapi_Value *sval; int rc; 
@@ -574,7 +574,7 @@ int ipapwd_entry_checks(Slapi_PBlock *pb, struct slapi_entry *e, if (!*is_root) { /* verify this user is allowed to write a user password */ - rc = slapi_access_allowed(pb, e, attr, NULL, access); + rc = slapi_access_allowed(pb, e, attr, NULL, acc); if (rc != LDAP_SUCCESS) { /* we have no business here, the operation will be denied anyway */ rc = LDAP_SUCCESS; @@ -932,14 +932,14 @@ int ipapwd_CheckPolicy(struct ipapwd_data *data) ret = slapi_entry_attr_find(data->target, "passwordHistory", &passwordHistory); if (ret == 0) { - int ret, hint, count, i, j; + int err, hint, count, i, j; const char *pwstr; Slapi_Value **pH; Slapi_Value *pw; hint = 0; count = 0; - ret = slapi_attr_get_numvalues(passwordHistory, &count); + err = slapi_attr_get_numvalues(passwordHistory, &count); /* check history only if we have one */ if (count > 0 && data->pwHistoryLen > 0) { pH = calloc(count + 2, sizeof(Slapi_Value *)); @@ -982,7 +982,7 @@ int ipapwd_CheckPolicy(struct ipapwd_data *data) return LDAP_OPERATIONS_ERROR; } - ret = slapi_pw_find_sv(pH, pw); + err = slapi_pw_find_sv(pH, pw); for (j = 0; pH[j]; j++) { slapi_value_free(&pH[j]); @@ -990,7 +990,7 @@ int ipapwd_CheckPolicy(struct ipapwd_data *data) slapi_value_free(&pw); free(pH); - if (ret == 0) { + if (err == 0) { LOG_TRACE("Password in history\n"); slapi_entry_free(policy); return IPAPWD_POLICY_ERROR | LDAP_PWPOLICY_PWDINHISTORY; @@ -1111,8 +1111,6 @@ int ipapwd_SetPassword(struct ipapwd_krbcfg *krbcfg, Slapi_Value **pwvals = NULL; struct tm utctime; char timestr[GENERALIZED_TIME_LENGTH+1]; - krb5_context krbctx; - krb5_error_code krberr; char *lm = NULL; char *nt = NULL; int is_smb = 0; 
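Review bot: in the ipapwd_setkeytab hunk, replacing `LDAPControl new_ctrl = {0};` with an uninitialized `LDAPControl new_ctrl;` trades a compiler warning for possibly uninitialized ldctl_oid, ldctl_value or ldctl_iscritical fields if any assignment is missed before the control is handed back to the client; keep zero initialization with `memset(&new_ctrl, 0, sizeof(new_ctrl));` or spell out the initializer `{ NULL, { 0, NULL }, 0 }` that matches the struct's members.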
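Review bot: the new `void hexbuf(char *out, const uint8_t *in);` prototype in ipapwd.h uses uint8_t, so ipapwd.h needs its own `#include <stdint.h>` rather than relying on whatever the including .c file pulled in first. A prototype with no length for either buffer also deserves a one-line comment stating the expected sizes, since a caller cannot tell from the signature how many bytes are written to `out`.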
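Review bot: in the two passwordHistory hunks in ipapwd_common.c, renaming the inner `ret` to `err` fixes the -Wshadow warning, but `err = slapi_attr_get_numvalues(passwordHistory, &count);` is still never examined, so the variable is only ever written at that point; either test `err` and bail out of the history check, or drop the assignment and call the function for its effect on count. The `access` to `acc` rename in ipapwd_entry_checks is correct (the parameter was shadowing access(2)).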
@@ -1259,13 +1257,13 @@ Slapi_Value **ipapwd_setPasswordHistory(Slapi_Mods *smods, ret = slapi_entry_attr_find(data->target, "passwordHistory", &passwordHistory); if (ret == 0) { - int ret, hint, count, i, j; + int err, hint, count, i, j; const char *pwstr; Slapi_Value *pw; hint = 0; count = 0; - ret = slapi_attr_get_numvalues(passwordHistory, &count); + err = slapi_attr_get_numvalues(passwordHistory, &count); /* if we have one */ if (count > 0 && data->pwHistoryLen > 0) { pH = calloc(count + 2, sizeof(Slapi_Value *)); diff --git a/daemons/ipa-slapi-plugins/ipa-pwd-extop/ipapwd_prepost.c b/daemons/ipa-slapi-plugins/ipa-pwd-extop/ipapwd_prepost.c index 44b280b..281522f 100644 --- a/daemons/ipa-slapi-plugins/ipa-pwd-extop/ipapwd_prepost.c +++ b/daemons/ipa-slapi-plugins/ipa-pwd-extop/ipapwd_prepost.c @@ -41,8 +41,10 @@ # include #endif +#define _XOPEN_SOURCE /* strptime needs this */ #include #include +#include #include #include #include @@ -880,7 +882,6 @@ static int ipapwd_pre_bind(Slapi_PBlock *pb) Slapi_Value *value = NULL; Slapi_Attr *attr = NULL; struct tm expire_tm; - time_t expire_time; char *errMesg = "Internal operations error\n"; /* error message */ char *expire = NULL; /* passwordExpirationTime attribute value */ char *dn = NULL; /* bind DN */ diff --git a/daemons/ipa-slapi-plugins/ipa-uuid/ipa_uuid.c b/daemons/ipa-slapi-plugins/ipa-uuid/ipa_uuid.c index 58ef6e6..b202806 100644 --- a/daemons/ipa-slapi-plugins/ipa-uuid/ipa_uuid.c +++ b/daemons/ipa-slapi-plugins/ipa-uuid/ipa_uuid.c @@ -123,9 +123,9 @@ static int ipauuid_postop_init(Slapi_PBlock * pb); * Local operation functions * */ -static int ipauuid_load_plugin_config(); +static int ipauuid_load_plugin_config(void); static int ipauuid_parse_config_entry(Slapi_Entry * e, bool apply); -static void ipauuid_delete_config(); +static void ipauuid_delete_config(void); static void ipauuid_free_config_entry(struct configEntry ** entry); /** 
@@ -150,7 +150,7 @@ static int ipauuid_add_pre_op(Slapi_PBlock * pb); /** * debug functions - global, for the debugger */ -void ipauuid_dump_config(); +void ipauuid_dump_config(void); void ipauuid_dump_config_entry(struct configEntry *); /** @@ -158,17 +158,17 @@ void ipauuid_dump_config_entry(struct configEntry *); * Deal with cache locking * */ -void ipauuid_read_lock() +void ipauuid_read_lock(void) { PR_RWLock_Rlock(g_ipauuid_cache_lock); } -void ipauuid_write_lock() +void ipauuid_write_lock(void) { PR_RWLock_Wlock(g_ipauuid_cache_lock); } -void ipauuid_unlock() +void ipauuid_unlock(void) { PR_RWLock_Unlock(g_ipauuid_cache_lock); } @@ -178,7 +178,7 @@ void ipauuid_unlock() * Get the plug-in version * */ -int ipauuid_version() +int ipauuid_version(void) { return IPAUUID_PLUGIN_VERSION; } @@ -191,7 +191,7 @@ void setPluginID(void *pluginID) _PluginID = pluginID; } -void *getPluginID() +void *getPluginID(void) { return _PluginID; } @@ -201,7 +201,7 @@ void setPluginDN(char *pluginDN) _PluginDN = pluginDN; } -char *getPluginDN() +char *getPluginDN(void) { return _PluginDN; } @@ -408,7 +408,6 @@ ipauuid_load_plugin_config() int status = EOK; int result; int i; - time_t now; Slapi_PBlock *search_pb; Slapi_Entry **entries = NULL; @@ -472,7 +471,6 @@ ipauuid_parse_config_entry(Slapi_Entry * e, bool apply) struct configEntry *config_entry; PRCList *list; int entry_added = 0; - int i = 0; int ret = EOK; LOG_TRACE("--in-->\n"); @@ -575,7 +573,6 @@ ipauuid_parse_config_entry(Slapi_Entry * e, bool apply) break; } - next: list = PR_NEXT_LINK(list); if (ipauuid_global_config == list) { diff --git a/daemons/ipa-slapi-plugins/ipa-winsync/ipa-winsync-config.c b/daemons/ipa-slapi-plugins/ipa-winsync/ipa-winsync-config.c index 5e762bc..b5b1a4d 100644 --- a/daemons/ipa-slapi-plugins/ipa-winsync/ipa-winsync-config.c +++ b/daemons/ipa-slapi-plugins/ipa-winsync/ipa-winsync-config.c 
@@ -59,8 +59,6 @@ #endif #include "ipa-winsync.h" -#include - #define IPA_WINSYNC_CONFIG_FILTER "(objectclass=*)" /* @@ -162,13 +160,13 @@ parse_acct_disable(const char *theval) if (!theval || !*theval) { return retval; } - if (!PL_strcasecmp(theval, IPA_WINSYNC_ACCT_DISABLE_NONE)) { + if (!strcasecmp(theval, IPA_WINSYNC_ACCT_DISABLE_NONE)) { retval = ACCT_DISABLE_NONE; - } else if (!PL_strcasecmp(theval, IPA_WINSYNC_ACCT_DISABLE_TO_AD)) { + } else if (!strcasecmp(theval, IPA_WINSYNC_ACCT_DISABLE_TO_AD)) { retval = ACCT_DISABLE_TO_AD; - } else if (!PL_strcasecmp(theval, IPA_WINSYNC_ACCT_DISABLE_TO_DS)) { + } else if (!strcasecmp(theval, IPA_WINSYNC_ACCT_DISABLE_TO_DS)) { retval = ACCT_DISABLE_TO_DS; - } else if (!PL_strcasecmp(theval, IPA_WINSYNC_ACCT_DISABLE_BOTH)) { + } else if (!strcasecmp(theval, IPA_WINSYNC_ACCT_DISABLE_BOTH)) { retval = ACCT_DISABLE_BOTH; } @@ -542,7 +540,6 @@ ipa_winsync_apply_config (Slapi_PBlock *pb, Slapi_Entry* entryBefore, PR_snprintf(returntext, SLAPI_DSE_RETURNTEXT_SIZE, "Error: could not add value [%s] for attribute name " "[%s] - ldap error [%d: %s]", val, attrsvals[ii], - attrsvals[ii], IPA_WINSYNC_NEW_USER_ATTRS_VALS, rc, ldap_err2string(rc)); slapi_entry_free(theConfig.config_e); theConfig.config_e = NULL; diff --git a/daemons/ipa-slapi-plugins/ipa-winsync/ipa-winsync.c b/daemons/ipa-slapi-plugins/ipa-winsync/ipa-winsync.c index 4e2d534..b16fb1e 100644 --- a/daemons/ipa-slapi-plugins/ipa-winsync/ipa-winsync.c +++ b/daemons/ipa-slapi-plugins/ipa-winsync/ipa-winsync.c @@ -59,6 +59,9 @@ #endif #include "ipa-winsync.h" +#include +#include + static void sync_acct_disable( void *cbdata, /* the usual domain config data */ @@ -224,7 +227,6 @@ ipa_winsync_pre_ds_add_user_cb(void *cbdata, const Slapi_Entry *rawentry, Slapi_Attr *attr = NULL; Slapi_Attr *e_attr = NULL; char *type = NULL; - IPA_WinSync_Config *global_ipaconfig = ipa_winsync_get_config(); LOG("--> ipa_winsync_pre_ds_add_user_cb -- begin\n"); 
@@ -544,7 +546,7 @@ void ipa_winsync_set_plugin_identity(void * identity) ipa_winsync_plugin_id=identity; } -void * ipa_winsync_get_plugin_identity() +void * ipa_winsync_get_plugin_identity(void) { return ipa_winsync_plugin_id; } @@ -644,7 +646,7 @@ ipa_check_account_lock(Slapi_Entry *ds_entry, int *isvirt) if (strval) { /* value is real */ *isvirt = 0; /* value is real */ rc = 1; /* default to enabled */ - if (PL_strncasecmp(strval, "true", 4) == 0) { + if (strncasecmp(strval, "true", 4) == 0) { rc = 0; /* account is disabled */ } slapi_ch_free_string(&strval); @@ -668,7 +670,7 @@ ipa_check_account_lock(Slapi_Entry *ds_entry, int *isvirt) *isvirt = 1; /* value is virtual */ if ((slapi_valueset_first_value(values, &v) != -1) && (bvp = slapi_value_get_berval(v)) != NULL) { - if ( (bvp != NULL) && (PL_strncasecmp(bvp->bv_val, "true", 4) == 0) ) { + if ( (bvp != NULL) && (strncasecmp(bvp->bv_val, "true", 4) == 0) ) { slapi_vattr_values_free(&values, &actual_type_name, attr_free_flags); rc = 0; /* account is disabled */ } @@ -816,7 +818,7 @@ sync_acct_disable( struct berval *mod_bval = NULL; for (mod = slapi_mods_get_first_mod(smods); mod; mod = slapi_mods_get_next_mod(smods)) { - if (!PL_strcasecmp(mod->mod_type, "userAccountControl") && + if (!strcasecmp(mod->mod_type, "userAccountControl") && mod->mod_bvalues && mod->mod_bvalues[0]) { mod_bval = mod->mod_bvalues[0]; /* mod_bval points directly to value inside mod list */ @@ -1033,7 +1035,7 @@ find_and_add_mod(Slapi_Entry *ent, Slapi_Mods *smods, const char *type, !found && mod; mod = slapi_mods_get_next_mod(smods)) { int ii; - if (PL_strcasecmp(mod->mod_type, type)) { + if (strcasecmp(mod->mod_type, type)) { continue; /* skip - not a mod of this type */ } if (!(mod->mod_op & (LDAP_MOD_ADD|LDAP_MOD_REPLACE))) { 
@@ -1044,8 +1046,8 @@ find_and_add_mod(Slapi_Entry *ent, Slapi_Mods *smods, const char *type, !found && mod->mod_bvalues && mod->mod_bvalues[ii]; ++ii) { if (mod->mod_bvalues[ii]->bv_val) { - found = !PL_strncasecmp(mod->mod_bvalues[ii]->bv_val, - val, vallen); + found = !strncasecmp(mod->mod_bvalues[ii]->bv_val, + val, vallen); } } } diff --git a/daemons/ipa-slapi-plugins/ipa-winsync/ipa-winsync.h b/daemons/ipa-slapi-plugins/ipa-winsync/ipa-winsync.h index 338e67c..735f656 100644 --- a/daemons/ipa-slapi-plugins/ipa-winsync/ipa-winsync.h +++ b/daemons/ipa-slapi-plugins/ipa-winsync/ipa-winsync.h @@ -52,6 +52,9 @@ #include #endif /* WINSYNC_TEST_IPA */ +#include +#include + #include "util.h" #define IPA_PLUGIN_NAME "ipa-winsync" @@ -86,7 +89,7 @@ typedef struct ipa_winsync_domain_config { } IPA_WinSync_Domain_Config; void ipa_winsync_set_plugin_identity(void * identity); -void * ipa_winsync_get_plugin_identity(); +void * ipa_winsync_get_plugin_identity(void); int ipa_winsync_config( Slapi_Entry *config_e ); IPA_WinSync_Config *ipa_winsync_get_config( void ); -- 1.7.3.2 -------------- next part -------------- >From 4431b3255d8abcc8d1eefffeb0ff4a12372c6677 Mon Sep 17 00:00:00 2001 From: Jakub Hrozek Date: Fri, 5 Nov 2010 09:36:00 +0100 Subject: [PATCH 6/6] ipa-client code cleanup Fixes errors about implicit function declaration and moves duplicated gettext code into a common module. Also silences some warnings. --- ipa-client/Makefile.am | 3 ++ ipa-client/config.c | 30 ++---------------------- ipa-client/ipa-client-common.c | 48 ++++++++++++++++++++++++++++++++++++++++ ipa-client/ipa-client-common.h | 9 +++++++ ipa-client/ipa-getkeytab.c | 36 ++++------------------------- ipa-client/ipa-join.c | 13 +--------- ipa-client/ipa-rmkeytab.c | 32 ++------------------------ 7 files changed, 73 insertions(+), 98 deletions(-) create mode 100644 ipa-client/ipa-client-common.c create mode 100644 ipa-client/ipa-client-common.h 
diff --git a/ipa-client/Makefile.am b/ipa-client/Makefile.am index ebb9a83..7d152fb 100644 --- a/ipa-client/Makefile.am +++ b/ipa-client/Makefile.am @@ -42,6 +42,7 @@ sbin_PROGRAMS = \ ipa_getkeytab_SOURCES = \ ipa-getkeytab.c \ + ipa-client-common.c \ $(KRB5_UTIL_SRCS) \ $(NULL) @@ -55,6 +56,7 @@ ipa_getkeytab_LDADD = \ ipa_rmkeytab_SOURCES = \ ipa-rmkeytab.c \ + ipa-client-common.c \ $(NULL) ipa_rmkeytab_LDADD = \ @@ -64,6 +66,7 @@ ipa_rmkeytab_LDADD = \ ipa_join_SOURCES = \ config.c \ + ipa-client-common.c \ ipa-join.c \ $(NULL) diff --git a/ipa-client/config.c b/ipa-client/config.c index 69bd9cb..31060e3 100644 --- a/ipa-client/config.c +++ b/ipa-client/config.c @@ -39,8 +39,8 @@ #include #include "config.h" -#include -#define _(STRING) gettext(STRING) + +#include "ipa-client-common.h" char * read_config_file(const char *filename) @@ -88,7 +88,7 @@ read_config_file(const char *filename) char * get_config_entry(char * in_data, const char *section, const char *key) { - char *ptr, *p, *tmp; + char *ptr = NULL, *p, *tmp; char *line; int in_section = 0; char * data; @@ -164,27 +164,3 @@ get_config_entry(char * in_data, const char *section, const char *key) free(data); return NULL; } - -int init_gettext(void) -{ - char *c; - - c = setlocale(LC_ALL, ""); - if (!c) { - return EIO; - } - - errno = 0; - c = bindtextdomain(PACKAGE, LOCALEDIR); - if (c == NULL) { - return errno; - } - - errno = 0; - c = textdomain(PACKAGE); - if (c == NULL) { - return errno; - } - - return 0; -} diff --git a/ipa-client/ipa-client-common.c b/ipa-client/ipa-client-common.c new file mode 100644 index 0000000..d7b6230 --- /dev/null +++ b/ipa-client/ipa-client-common.c 
@@ -0,0 +1,48 @@ +/* Authors: Jakub Hrozek + * + * Copyright (C) 2010 Red Hat + * see file 'COPYING' for use and warranty information + * + * This program is free software; you can redistribute it and/or + * modify it under the terms of the GNU General Public License as + * published by the Free Software Foundation; version 2 only + * + * This program is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU General Public License for more details. + * + * You should have received a copy of the GNU General Public License + * along with this program; if not, write to the Free Software + * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA + */ + +#include +#include +#include + +#include "config.h" + +int init_gettext(void) +{ + char *c; + + c = setlocale(LC_ALL, ""); + if (!c) { + return EIO; + } + + errno = 0; + c = bindtextdomain(PACKAGE, LOCALEDIR); + if (c == NULL) { + return errno; + } + + errno = 0; + c = textdomain(PACKAGE); + if (c == NULL) { + return errno; + } + + return 0; +} diff --git a/ipa-client/ipa-client-common.h b/ipa-client/ipa-client-common.h new file mode 100644 index 0000000..dbf474d --- /dev/null +++ b/ipa-client/ipa-client-common.h @@ -0,0 +1,9 @@ +#ifndef __IPA_CLIENT_COMMON_H +#define __IPA_CLIENT_COMMON_H + +#include +#define _(STRING) gettext(STRING) + +int init_gettext(void); + +#endif /* __IPA_CLIENT_COMMON_H */ diff --git a/ipa-client/ipa-getkeytab.c b/ipa-client/ipa-getkeytab.c index daf6f20..b396ab8 100644 --- a/ipa-client/ipa-getkeytab.c +++ b/ipa-client/ipa-getkeytab.c @@ -41,10 +41,9 @@ #include #include "config.h" -#include -#define _(STRING) gettext(STRING) #include "ipa_krb5.h" +#include "ipa-client-common.h" /* Salt types */ #define NO_SALT -1 
@@ -229,7 +228,7 @@ static int prep_ksdata(krb5_context krbctx, const char *str, * MIT code do anyway */ for (i = 0, n = 0; i < nkeys; i++ ) { - int similar = 0; + krb5_boolean similar = 0; for (j = 0; j < i; j++) { krberr = krb5_c_enctype_compare(krbctx, @@ -275,7 +274,7 @@ static int create_keys(krb5_context krbctx, krb5_error_code krberr; krb5_data key_password; krb5_data *realm; - int i, j, nkeys; + int i, nkeys; int ret; ret = prep_ksdata(krbctx, enctypes_string, keys); @@ -751,31 +750,7 @@ static char *ask_password(krb5_context krbctx) return password; } -int init_gettext(void) -{ - char *c; - - c = setlocale(LC_ALL, ""); - if (!c) { - return EIO; - } - - errno = 0; - c = bindtextdomain(PACKAGE, LOCALEDIR); - if (c == NULL) { - return errno; - } - - errno = 0; - c = textdomain(PACKAGE); - if (c == NULL) { - return errno; - } - - return 0; -} - -int main(int argc, char *argv[]) +int main(int argc, const char *argv[]) { static const char *server = NULL; static const char *principal = NULL; @@ -805,7 +780,7 @@ int main(int argc, char *argv[]) _("Show the list of permitted encryption types and exit"), _("Permitted Encryption Types") }, { "password", 'P', POPT_ARG_NONE, &askpass, 0, - _("Asks for a non-random password to use for the principal") }, + _("Asks for a non-random password to use for the principal"), NULL }, { "binddn", 'D', POPT_ARG_STRING, &binddn, 0, _("LDAP DN"), _("DN to bind as if not using kerberos") }, { "bindpw", 'w', POPT_ARG_STRING, &bindpw, 0, @@ -821,7 +796,6 @@ int main(int argc, char *argv[]) krb5_principal uprinc; krb5_principal sprinc; krb5_error_code krberr; - ber_int_t *enctypes; struct keys_container keys; krb5_keytab kt; int kvno; diff --git a/ipa-client/ipa-join.c b/ipa-client/ipa-join.c index e67f29b..01afa1a 100644 --- a/ipa-client/ipa-join.c +++ b/ipa-client/ipa-join.c 
@@ -38,8 +38,7 @@ #include "xmlrpc-c/base.h" #include "xmlrpc-c/client.h" -#include -#define _(STRING) gettext(STRING) +#include "ipa-client-common.h" #define NAME "ipa-join" #define VERSION "1.0" @@ -82,14 +81,6 @@ getIPAserver(char * data) { return get_config_entry(data, "global", "server"); } -/* Get the IPA realm from the configuration file. - * The caller is responsible for freeing this value - */ -static char * -getIPArealm(char * data) { - return get_config_entry(data, "global", "realm"); -} - /* Make sure that the keytab is writable before doing anything */ static int check_perms(const char *keytab) { @@ -951,7 +942,7 @@ cleanup: * unique (host already added). */ int -main(int argc, char **argv) { +main(int argc, const char **argv) { static const char *hostname = NULL; static const char *server = NULL; static const char *keytab = NULL; diff --git a/ipa-client/ipa-rmkeytab.c b/ipa-client/ipa-rmkeytab.c index c46bb8b..1ccf673 100644 --- a/ipa-client/ipa-rmkeytab.c +++ b/ipa-client/ipa-rmkeytab.c @@ -25,10 +25,8 @@ #include #include +#include "ipa-client-common.h" #include "config.h" -#include -#define _(STRING) gettext(STRING) - int remove_principal(krb5_context context, krb5_keytab ktid, const char *principal, int debug) @@ -143,32 +141,8 @@ done: return rval; } -int init_gettext(void) -{ - char *c; - - c = setlocale(LC_ALL, ""); - if (!c) { - return EIO; - } - - errno = 0; - c = bindtextdomain(PACKAGE, LOCALEDIR); - if (c == NULL) { - return errno; - } - - errno = 0; - c = textdomain(PACKAGE); - if (c == NULL) { - return errno; - } - - return 0; -} - int -main(int argc, char **argv) +main(int argc, const char **argv) { krb5_context context; krb5_error_code krberr; 
@@ -180,7 +154,7 @@ main(int argc, char **argv) static const char *principal = NULL; static const char *realm = NULL; int debug = 0; - int ret, rval; + int ret, rval = 0; struct poptOption options[] = { { "debug", 'd', POPT_ARG_NONE, &debug, 0, _("Print debugging information"), _("Debugging output") }, -- 1.7.3.2 From ayoung at redhat.com Thu Nov 18 14:31:42 2010 
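Review bot: in the ipa_pwd_extop.c hunk, dropping the `= {0}` initializer leaves `new_ctrl` with indeterminate contents, so unless every member (ldctl_oid, ldctl_value and ldctl_iscritical) is assigned before the control is handed to slapi, the change trades a missing-braces warning for an uninitialized read. If the initializer was removed only to silence that warning, a `memset(&new_ctrl, 0, sizeof(new_ctrl));` keeps the zeroing without it.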
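Review bot: in the ipapwd.h hunk, the new `hexbuf(char *out, const uint8_t *in)` prototype carries neither an input length nor an output size, so every caller has to know the fixed length hexbuf assumes; state that length in a comment at the declaration (or add a length parameter) so a later caller cannot hand it a shorter buffer. The header should also include `<stdint.h>` itself for uint8_t rather than relying on include order.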
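Review bot: in the ipapwd_CheckPolicy hunk of ipapwd_common.c, renaming the inner `ret` to `err` removes the shadowing of the outer `ret`, but the result of `err = slapi_attr_get_numvalues(passwordHistory, &count)` is still never examined; because `count` stays 0 on failure the history check is simply skipped, which is the safe direction, but either test `err` or cast the call to void so the next warning pass does not flag an unused assignment. The identical hunk in ipapwd_setPasswordHistory has the same issue.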
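Review bot: in the ipapwd_prepost.c include hunk, `#define _XOPEN_SOURCE` is added after the `#endif` of an earlier include block, and a feature-test macro only takes effect if it is defined before the first system header is pulled in; move it to the top of the file (or into AM_CPPFLAGS) so strptime is declared consistently and the earlier headers do not see a different feature set. Give it a value as well (`#define _XOPEN_SOURCE 500` or later), since a bare definition selects the old XPG4 level and can hide other declarations the file uses.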
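Review bot: in the ipa-winsync.c and ipa-winsync-config.c hunks, replacing PL_strcasecmp/PL_strncasecmp with strcasecmp/strncasecmp requires `<strings.h>` to be in scope (the header names in the added `#include` lines did not survive the archive, so please confirm that is one of them). Note too that the NSPR variants compare locale-independently while strcasecmp is only specified for the POSIX locale; for the attribute names and the "true" literal compared here that is fine, but it is worth a comment if non-ASCII values ever reach these comparisons.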
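Review bot: in the ipa-getkeytab.c, ipa-join.c and ipa-rmkeytab.c hunks, changing to `int main(int argc, const char **argv)` matches poptGetContext's `const char **argv` parameter, but it is not one of the signatures the C standard defines for main and GCC warns about it under -pedantic; the conventional fix is to keep `char **argv` and cast at the call, `poptGetContext(NULL, argc, (const char **)argv, options, 0)`.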
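Review bot: in the new ipa-client-common.c, "config.h" is included after the three system headers; autoconf's config.h is meant to come first because it can define feature-test macros (and PACKAGE/LOCALEDIR, which init_gettext uses) that must be visible before the system headers are read. In ipa-client-common.h the guard `__IPA_CLIENT_COMMON_H` starts with a double underscore, which the C standard reserves for the implementation; `IPA_CLIENT_COMMON_H` avoids the collision risk.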
From: ayoung at redhat.com (Adam Young) Date: Thu, 18 Nov 2010 09:31:42 -0500 Subject: [Freeipa-devel] Proposed changes to the HBAC grammar In-Reply-To: <4CE5178B.4050402@redhat.com> References: <4CE4440C.4030400@redhat.com> <20101117163114.13724d40@willson.li.ssimo.org> <4CE44E50.1020300@redhat.com> <4CE5178B.4050402@redhat.com> Message-ID: <4CE538CE.10009@redhat.com> On 11/18/2010 07:09 AM, Stephen Gallagher wrote: > -----BEGIN PGP SIGNED MESSAGE----- > Hash: SHA1 > > On 11/17/2010 04:51 PM, Adam Young wrote: > >> On 11/17/2010 04:31 PM, Simo Sorce wrote: >> >>> On Wed, 17 Nov 2010 16:07:24 -0500 >>> Stephen Gallagher wrote: >>> >>> >>> >>>> This will require two changes to the HBAC schema. First of all, we >>>> plan to drop the week-of-the-month concept entirely and replace it >>>> with septet-of-the-month. This is being done to eliminate the >>>> ambiguity entirely. Secondly, we will need to describe >>>> day-of-the-septet in the grammar (where the day of the septet >>>> describes the name of the weekday, and not its numerical position >>>> within the septet, as that would be a useless and complex duplication >>>> of the day-of-the-month concept). >>>> >>>> >>>> >>> I think we can keep using 1-7 in the septet with the >>> understanding that 1 is always Monday, 2 is always Tuesday and so on. >>> >>> Simo. >>> >>> >>> >> I'd like to propose that we have a goal to be as close to the Cron >> grammar as practicable. So we should allow 0 or 7 for Sunday. This is in >> keeping with your proposal. 
>> Here are the examples from the crontab 5 manpage;
>>
>> # run five minutes after midnight, every day
>> 5 0 * * * $HOME/bin/daily.job>> $HOME/tmp/out 2>&1
>> # run at 2:15pm on the first of every month -- output mailed to paul
>> 15 14 1 * * $HOME/bin/monthly
>> # run at 10 pm on weekdays, annoy Joe
>> 0 22 * * 1-5 mail -s "It's 10pm" joe%Joe,%%Where are your kids?%
>> 23 0-23/2 * * * echo "run 23 minutes after midn, 2am, 4am ..., everyday"
>> 5 4 * * sun echo "run at 5 after 4 every sunday"
>>
>> I'm not sure that 'First Wednesday of the month' is possible with this
>> grammar, either. Yet, somehow, it has survived many years.
>>
> 0 8 1-7 * 3 (read, 08:00 on the Wednesday that falls between the 1st
> and 7th day of the 6th month)

Yep: except you meant every month.

field          allowed values
-----          --------------
minute         0-59
hour           0-23
day of month   1-31
month          1-12 (or names, see below)
day of week    0-7 (0 or 7 is Sun, or use names)

OK. So we add a duration to this grammar, declare victory and go home.

I propose adding a hyphen and then duration in days:hours:minutes

0 8 1-7 * 3 : 0:0:30 #from 8 - 8:30
0 8 1-7 * 3 : 0:2:0 #from 8 - 10:
0 8 1-7 * 3 : 2:0:0 #For 48 hours

> - --
> Stephen Gallagher
> RHCE 804006346421761
>
> Delivering value year after year.
> Red Hat ranks #1 in value among software vendors.
> http://www.redhat.com/promo/vendor/
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.4.11 (GNU/Linux)
> Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org/
>
> iEYEARECAAYFAkzlF4UACgkQeiVVYja6o6NTtwCfRBeGkTqDMHYj+SPMydCfFila
> wCYAn1Z8gbd0qlaWSEchzqbTe86jWDXM
> =r9zs
> -----END PGP SIGNATURE-----
>
> _______________________________________________
> Freeipa-devel mailing list
> Freeipa-devel at redhat.com
> https://www.redhat.com/mailman/listinfo/freeipa-devel

From sgallagh at redhat.com Thu Nov 18 14:34:03 2010
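The cron-plus-duration rule form proposed above, worked through as an added example in Python (not FreeIPA or SSSD code, and not the existing time-rules parser Stephen refers to): it expands the five crontab(5) fields, accepts 0 or 7 for Sunday and the usual names, and decides whether a given minute falls inside a window [start, start + days:hours:minutes). One caveat any such grammar has to settle: crontab(5) treats a restricted day-of-month and a restricted day-of-week as alternatives, so `0 8 1-7 * 3` fires on every Wednesday and on every 1st to 7th, whereas the example defaults to the intersection (first Wednesday) the thread intends and exposes cron's reading through the `cron_day_semantics` flag; the rule syntax, the sample rules and the dates are all constructed for this example.

```python
"""Evaluate HBAC time rules in the cron-plus-duration form proposed in the thread:
    MINUTE HOUR DAY-OF-MONTH MONTH DAY-OF-WEEK : DAYS:HOURS:MINUTES
Access is permitted from every minute matching the five cron fields until
DAYS:HOURS:MINUTES later (half-open window).  Constructed example, not project code.
"""
import calendar
from datetime import datetime, timedelta

# Names accepted in place of numbers, as in crontab(5); Sunday is 0 or 7.
MONTHS = {name.lower(): i for i, name in enumerate(calendar.month_abbr) if name}
WEEKDAYS = {"sun": 0, "mon": 1, "tue": 2, "wed": 3, "thu": 4, "fri": 5, "sat": 6}

# (field name, lowest value, highest value, symbolic names) for the five cron fields.
FIELDS = (
    ("minute", 0, 59, {}),
    ("hour", 0, 23, {}),
    ("day_of_month", 1, 31, {}),
    ("month", 1, 12, MONTHS),
    ("day_of_week", 0, 7, WEEKDAYS),
)


def _atom(token, names):
    """Turn one number or symbolic name into an int."""
    token = token.lower()
    if token in names:
        return names[token]
    if token.isdigit():
        return int(token)
    raise ValueError("unrecognised value %r" % token)


def parse_field(text, low, high, names):
    """Expand a cron field ('*', '1-5', '0-23/2', 'sun', 'mon,fri') into a set of ints.
    Out-of-range values are rejected rather than silently wrapped."""
    values = set()
    for item in text.split(","):
        rng, _, step = item.partition("/")
        step = int(step) if step else 1
        if rng == "*":
            start, end = low, high
        elif "-" in rng:
            first, last = rng.split("-", 1)
            start, end = _atom(first, names), _atom(last, names)
        else:
            start = end = _atom(rng, names)
        if step < 1 or not (low <= start <= end <= high):
            raise ValueError("field %r outside %d-%d" % (text, low, high))
        values.update(range(start, end + 1, step))
    return values


def parse_rule(rule):
    """Split 'MIN HOUR DOM MON DOW : D:H:M' into the expanded fields and a timedelta."""
    spec, sep, dur = rule.partition(":")  # the cron part never contains ':'
    if not sep:
        raise ValueError("rule lacks the ': days:hours:minutes' duration")
    tokens = spec.split()
    if len(tokens) != 5:
        raise ValueError("expected 5 cron fields, got %d" % len(tokens))
    fields = {name: parse_field(tok, low, high, names)
              for (name, low, high, names), tok in zip(FIELDS, tokens)}
    fields["day_of_week"] = {d % 7 for d in fields["day_of_week"]}  # 7 -> Sunday
    # Remember whether the two day fields were restricted (needed for cron's OR rule).
    fields["dom_restricted"] = tokens[2] != "*"
    fields["dow_restricted"] = tokens[4] != "*"
    days, hours, minutes = (int(x) for x in dur.split(":"))
    duration = timedelta(days=days, hours=hours, minutes=minutes)
    if duration <= timedelta(0):
        raise ValueError("duration must be positive")
    return fields, duration


def starts_at(fields, t, cron_day_semantics=False):
    """True if minute t is a start time.  With cron_day_semantics=False the two day
    fields are ANDed ('1-7 * 3' = first Wednesday); with True, crontab(5) behaviour:
    either restricted day field matching is enough."""
    dom_ok = t.day in fields["day_of_month"]
    dow_ok = (t.weekday() + 1) % 7 in fields["day_of_week"]  # Python Mon=0 -> cron Sun=0
    if cron_day_semantics and fields["dom_restricted"] and fields["dow_restricted"]:
        day_ok = dom_ok or dow_ok
    else:
        day_ok = dom_ok and dow_ok
    return (day_ok and t.minute in fields["minute"] and t.hour in fields["hour"]
            and t.month in fields["month"])


def allowed(rule, when, cron_day_semantics=False):
    """Is access permitted at `when` ('YYYY-MM-DD HH:MM' or datetime) under `rule`?"""
    fields, duration = parse_rule(rule)
    if isinstance(when, str):
        when = datetime.strptime(when, "%Y-%m-%d %H:%M")
    when = when.replace(second=0, microsecond=0)
    # `when` lies in some window [start, start + duration) iff one of the
    # `duration` minutes ending at `when` is a start time; scan them.
    for back in range(int(duration.total_seconds() // 60)):
        if starts_at(fields, when - timedelta(minutes=back), cron_day_semantics):
            return True
    return False
```

In November 2010 the 1st is a Monday, so `allowed("0 8 1-7 * 3 : 0:0:30", "2010-11-03 08:15")` is true and the same rule is false on the 10th unless `cron_day_semantics=True`.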
From: sgallagh at redhat.com (Stephen Gallagher) Date: Thu, 18 Nov 2010 09:34:03 -0500 Subject: [Freeipa-devel] Proposed changes to the HBAC grammar In-Reply-To: <4CE538CE.10009@redhat.com> References: <4CE4440C.4030400@redhat.com> <20101117163114.13724d40@willson.li.ssimo.org> <4CE44E50.1020300@redhat.com> <4CE5178B.4050402@redhat.com> <4CE538CE.10009@redhat.com> Message-ID: <4CE5395B.7050803@redhat.com> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 On 11/18/2010 09:31 AM, Adam Young wrote: > On 11/18/2010 07:09 AM, Stephen Gallagher wrote: > On 11/17/2010 04:51 PM, Adam Young wrote: > >>>> On 11/17/2010 04:31 PM, Simo Sorce wrote: >>>> >>>>> On Wed, 17 Nov 2010 16:07:24 -0500 >>>>> Stephen Gallagher wrote: >>>>> >>>>> >>>>> >>>>>> This will require two changes to the HBAC schema. First of all, we >>>>>> plan to drop the week-of-the-month concept entirely and replace it >>>>>> with septet-of-the-month. This is being done to eliminate the >>>>>> ambiguity entirely. Secondly, we will need to describe >>>>>> day-of-the-septet in the grammar (where the day of the septet >>>>>> describes the name of the weekday, and not its numerical position >>>>>> within the septet, as that would be a useless and complex duplication >>>>>> of the day-of-the-month concept). >>>>>> >>>>>> >>>>>> >>>>> I think we can keep using 1-7 in the septet with the >>>>> understanding that 1 is always Monday, 2 is always Tuesday and so on. >>>>> >>>>> Simo. >>>>> >>>>> >>>>> >>>> I'd like to propose that we have a goal to be as close to the Cron >>>> grammar as practicable. So we should allow 0 or 7 for Sunday. This is in >>>> keeping with your proposal. 
>>>> >>>> >>>> >>>> Here are the examples from the crontab 5 manpage; >>>> >>>> # run five minutes after midnight, every day >>>> 5 0 * * * $HOME/bin/daily.job>> $HOME/tmp/out 2>&1 >>>> # run at 2:15pm on the first of every month -- output mailed to paul >>>> 15 14 1 * * $HOME/bin/monthly >>>> # run at 10 pm on weekdays, annoy Joe >>>> 0 22 * * 1-5 mail -s "Its 10pm" joe%Joe,%%Where are your kids?% >>>> 23 0-23/2 * * * echo "run 23 minutes after midn, 2am, 4am ..., everyday" >>>> 5 4 * * sun echo "run at 5 after 4 every sunday" >>>> >>>> >>>> >>>> I'm not sure that 'First Wednesday of the month' is possible with this >>>> grammar, either. Yet, somehow, it has survived many years. >>>> >>>> > > 0 8 1-7 * 3 (read, 08:00 on the Wednesday that falls between the 1st > and 7th day of the 6th month) > >> Yep: except you meant every month. > Whoops. I had that example written down earlier from some theoretical constructs I was working on, and just changed that to * but forgot to change the comment. > >> OK. So we add a duration to this grammar, declare victory and go home. > >> I propose adding a hyphen and then duration in days:hours:minutes > >> 0 8 1-7 * 3 : 0:0:30 #from 8 - 8:30 > >> 0 8 1-7 * 3 : 0:2:0 #from 8 - 10: > >> 0 8 1-7 * 3 : 2:0:0 #For 48 hours > I'm not sure we want to do that. I still think we want to try to use our existing representation internally, as long as we can map them bi-directionally in a reasonable way. Mostly because rewriting the time rules parser is a big job that I'd like to see us avoid if possible. - -- Stephen Gallagher RHCE 804006346421761 Delivering value year after year. Red Hat ranks #1 in value among software vendors. 
http://www.redhat.com/promo/vendor/ -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.11 (GNU/Linux) Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org/ iEYEARECAAYFAkzlOVsACgkQeiVVYja6o6NN7wCdEu+kb5vWoi3k0KW9WJpbi8l9 fP4AoKcpR5XUzeKmHTWeUxo4VzTWJDRv =Hvbm -----END PGP SIGNATURE----- From dpal at redhat.com Thu Nov 18 14:55:49 2010 
From: dpal at redhat.com (Dmitri Pal) Date: Thu, 18 Nov 2010 09:55:49 -0500 Subject: [Freeipa-devel] Proposed changes to the HBAC grammar In-Reply-To: <4CE5395B.7050803@redhat.com> References: <4CE4440C.4030400@redhat.com> <20101117163114.13724d40@willson.li.ssimo.org> <4CE44E50.1020300@redhat.com> <4CE5178B.4050402@redhat.com> <4CE538CE.10009@redhat.com> <4CE5395B.7050803@redhat.com> Message-ID: <4CE53E75.8000500@redhat.com> Stephen Gallagher wrote: > On 11/18/2010 09:31 AM, Adam Young wrote: > > On 11/18/2010 07:09 AM, Stephen Gallagher wrote: > > On 11/17/2010 04:51 PM, Adam Young wrote: > > >>>> On 11/17/2010 04:31 PM, Simo Sorce wrote: > >>>> > >>>>> On Wed, 17 Nov 2010 16:07:24 -0500 > >>>>> Stephen Gallagher wrote: > >>>>> > >>>>> > >>>>> > >>>>>> This will require two changes to the HBAC schema. First of all, we > >>>>>> plan to drop the week-of-the-month concept entirely and replace it > >>>>>> with septet-of-the-month. This is being done to eliminate the > >>>>>> ambiguity entirely. Secondly, we will need to describe > >>>>>> day-of-the-septet in the grammar (where the day of the septet > >>>>>> describes the name of the weekday, and not its numerical position > >>>>>> within the septet, as that would be a useless and complex > duplication > >>>>>> of the day-of-the-month concept). > >>>>>> > >>>>>> > >>>>>> > >>>>> I think we can keep using 1-7 in the septet with the > >>>>> understanding that 1 is always Monday, 2 is always Tuesday and > so on. > >>>>> > >>>>> Simo. > >>>>> > >>>>> > >>>>> > >>>> I'd like to propose that we have a goal to be as close to the Cron > >>>> grammar as practicable. So we should allow 0 or 7 for Sunday. > This is in > >>>> keeping with your proposal. 
> >>>> > >>>> > >>>> > >>>> Here are the examples from the crontab 5 manpage; > >>>> > >>>> # run five minutes after midnight, every day > >>>> 5 0 * * * $HOME/bin/daily.job>> $HOME/tmp/out 2>&1 > >>>> # run at 2:15pm on the first of every month -- output mailed to paul > >>>> 15 14 1 * * $HOME/bin/monthly > >>>> # run at 10 pm on weekdays, annoy Joe > >>>> 0 22 * * 1-5 mail -s "Its 10pm" joe%Joe,%%Where are your kids?% > >>>> 23 0-23/2 * * * echo "run 23 minutes after midn, 2am, 4am ..., > everyday" > >>>> 5 4 * * sun echo "run at 5 after 4 every sunday" > >>>> > >>>> > >>>> > >>>> I'm not sure that 'First Wednesday of the month' is possible with > this > >>>> grammar, either. Yet, somehow, it has survived many years. > >>>> > >>>> > > 0 8 1-7 * 3 (read, 08:00 on the Wednesday that falls between the 1st > > and 7th day of the 6th month) > > >> Yep: except you meant every month. > > Whoops. I had that example written down earlier from some theoretical > constructs I was working on, and just changed that to * but forgot to > change the comment. > > > >> OK. So we add a duration to this grammar, declare victory and go > home. > >> I propose adding a hyphen and then duration in days:hours:minutes > >> 0 8 1-7 * 3 : 0:0:30 #from 8 - 8:30 > >> 0 8 1-7 * 3 : 0:2:0 #from 8 - 10: > >> 0 8 1-7 * 3 : 2:0:0 #For 48 hours > > I'm not sure we want to do that. I still think we want to try to use our > existing representation internally, as long as we can map them > bi-directionally in a reasonable way. > > Mostly because rewriting the time rules parser is a big job that I'd > like to see us avoid if possible. > Steve can you summarize where we are and what we agreed to, please, and identify the questions that we need to answer. _______________________________________________ Freeipa-devel mailing list Freeipa-devel at redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel -- Thank you, Dmitri Pal Sr. Engineering Manager IPA project, Red Hat Inc. 
------------------------------- Looking to carve out IT costs? www.redhat.com/carveoutcosts/ From jhrozek at redhat.com Thu Nov 18 15:23:38 2010 From: jhrozek at redhat.com (Jakub Hrozek) Date: Thu, 18 Nov 2010 16:23:38 +0100 Subject: [Freeipa-devel] [SSSD] Proposed changes to the HBAC grammar In-Reply-To: <20101118082447.23f6052f@willson.li.ssimo.org> References: <4CE4440C.4030400@redhat.com> <20101117214815.GK2973@localhost.localdomain> <4CE51A30.1040702@redhat.com> <20101118082447.23f6052f@willson.li.ssimo.org> Message-ID: <4CE544FA.3060000@redhat.com> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 On 11/18/2010 02:24 PM, Simo Sorce wrote: > On Thu, 18 Nov 2010 07:21:04 -0500 > Stephen Gallagher wrote: > >> Doing the forward septets is easy (1*x..7*x), but the reverse septets >> are more complicated (since they would be (y-1*x..y-7*x), where y is >> the total number of days in the month (which also has to account for >> leap years). >> >> I think it might be a nice enhancement, but I recommend that we not >> include it right now, given the tight release schedule for FreeIPA v2. > > As I said before it is a now or never condition. > If you do not put it in now, then when you put it in, old clients will > not understand the rule. And they will have only one option, always > deny access, because they have no way to understand when it is ok to > allow/deny it. > > Simo. > In that case, should we have some version identifier, too? In case we identify some flaw later on and need to change the format once again. Jakub -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.11 (GNU/Linux) Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org/ iEYEARECAAYFAkzlRPkACgkQHsardTLnvCVfqgCeK1eNnHgf3mKoZthvQE6B6Ji0 js8Anj0NvU+AH8PDsRgV59+Sm2gNdaqh =3A8g -----END PGP SIGNATURE----- From ayoung at redhat.com Thu Nov 18 15:51:57 2010 
From: ayoung at redhat.com (Adam Young) Date: Thu, 18 Nov 2010 10:51:57 -0500 Subject: [Freeipa-devel] [PATCH] Service and Host Provisioning In-Reply-To: <4CE35F84.70304@redhat.com> References: <4CE35F84.70304@redhat.com> Message-ID: <4CE54B9D.7070507@redhat.com> On 11/16/2010 11:52 PM, Endi Sukma Dewata wrote: > Hi, > > Please review the attached patch. Thanks! > > https://fedorahosted.org/reviewboard/r/109/ > > The service and host details pages have been modified to display > Kerberos key provisioning status and to provide a way to unprovision. > The host enrollment via OTP has not been implemented yet. > > The ipa_details_field has been modified to remove any old
tags it > created in the previous load operation. This is to support other widgets > that need to perform load operation without removing
tags. > > The certificate_status_panel has been converted into a widget. The host > entity has been rewritten using the new framework. > > The unit tests has been updated. > > > _______________________________________________ > Freeipa-devel mailing list > Freeipa-devel at redhat.com > https://www.redhat.com/mailman/listinfo/freeipa-devel ACK and pushed to master -------------- next part -------------- An HTML attachment was scrubbed... URL: From jhrozek at redhat.com Thu Nov 18 16:00:58 2010 From: jhrozek at redhat.com (Jakub Hrozek) Date: Thu, 18 Nov 2010 17:00:58 +0100 Subject: [Freeipa-devel] [PATCH] 593 fix group objectclasses on detach In-Reply-To: <4CCEE604.6090700@redhat.com> References: <4CCEE604.6090700@redhat.com> Message-ID: <20101118160058.GA26817@zeppelin.brq.redhat.com> On Mon, Nov 01, 2010 at 12:08:36PM -0400, Rob Crittenden wrote: > Make sure a detached group has the default list of objectclasses. > ipaUniqueId is handled by the new uuid plugin. > > https://fedorahosted.org/freeipa/ticket/250 > > rob I haven't fully tested the patch yet, but this caught my attention: > + (group_dn, group_attrs) = ldap.get_entry(group_dn) > + is_managed = self.obj.has_objectclass(group_attrs['objectclass'], '') I think that is_managed is guaranteed to be False in this case, since has_objectclass would do: return '' in group_attrs['objectclass'] Jakub From ssorce at redhat.com Thu Nov 18 16:14:39 2010 
From: ssorce at redhat.com (Simo Sorce) Date: Thu, 18 Nov 2010 11:14:39 -0500 Subject: [Freeipa-devel] [PATCHES] add (initial) anonymous pkinit support In-Reply-To: <20101109151225.182aa986@willson.li.ssimo.org> References: <20101108193412.43d82687@willson.li.ssimo.org> <20101109151225.182aa986@willson.li.ssimo.org> Message-ID: <20101118111439.3fb00fe9@willson.li.ssimo.org>

On Tue, 9 Nov 2010 15:12:25 -0500 Simo Sorce wrote:
> On Mon, 8 Nov 2010 19:34:12 -0500
> Simo Sorce wrote:
>
> > Patch 0004: Add basic certificate creation for selfsigned CA and
> > KDC configuration. openssl had to be used because the NSS tools
> > cannot deal with the special subjectaltName needed for the KDC
> > certificate.
>
> Rebased this one on top of master (there was a conflict after latest
> pushes).
>
> Simo.
>

This is a rebase of all the patches in this thread on top of current master.

-- Simo Sorce * Red Hat, Inc * New York

Attachments (text/x-patch):
freeipa-simo-0003-2-Use-Realm-as-certs-subject-base-name.patch (19020 bytes)
freeipa-simo-0004-3-Add-support-for-configuring-KDC-certs-for-PKINIT.patch (15987 bytes)
freeipa-simo-0005-2-pkinit-always-configure-pkinit_anchors-in-krb5.conf.patch (743 bytes)
freeipa-simo-0006-2-anon-pkinit-add-well-known-principal.patch (2134 bytes)
freeipa-simo-0007-2-add-plugin-to-enable-disable-anonymous-pkinit.patch (3382 bytes)
freeipa-simo-0008-2-pkinit-replica-create-certificates-for-replicas-too.patch (14038 bytes)

From rcritten at redhat.com Thu Nov 18 16:22:26 2010
From: rcritten at redhat.com (Rob Crittenden) Date: Thu, 18 Nov 2010 11:22:26 -0500 Subject: [Freeipa-devel] [PATCH] 608 Fix returning effective rights for password policy Message-ID: <4CE552C2.2030609@redhat.com>

Password policy needs to update the class of service priority in another entry. Include the CoS attribute when reporting rights.

rob

Attachment: freeipa-rcrit-608-rights.patch (text/x-patch, 2046 bytes)

From JR.Aquino at citrix.com Thu Nov 18 16:35:17 2010
From: JR.Aquino at citrix.com (JR Aquino) Date: Thu, 18 Nov 2010 16:35:17 +0000 Subject: [Freeipa-devel] Where we are with SUDO? In-Reply-To: <20101118161606.GD2734@redhat.com> Message-ID:

On 11/18/10 8:16 AM, "Nalin Dahyabhai" wrote:
>
>> ToDo's:
>>
>> * Get sudo compat to translate usergroup/posix group's such that it can
>> prepend a %groupname <- notice that it is not fully qualified dn.
>
> If memberUser can point to either a user or a group, and we read a
> memberUser entry's "cn" attribute, we don't currently have a way to
> avoid throwing the "cn" values from user entries into the mix. I
> could've sworn we were using memberGroup and memberNetgroup for those
> cases to avoid this, but it appears I was mistaken.

The IPA SudoRule Structure has largely been based off of what we are doing today with HBAC.

HBAC does not distinguish between memberGroup or memberNetgroup... It's simply memberHost and memberUser for both HBAC and IPASudoRules.

Also, when HBAC or IPASudoRules add a member, there is no resulting 'memberOf' or (hbacMemberOf/sudoMemberOf) inserted into the usergroup, hostgroup, command group, etc... Whereas, if you add a host to a hostgroup, the host ends up with a pointer referring back to the hostgroup. I believe this was done to provide referential integrity.

We will definitely need to modify the schema under the hood if it is necessary to make these shifts, but I am not sure if that sort of change will be affected by the way the backend treats these sorts of objects.

>
>> * Get sudo compat to translate the 'hostgroups' into whatever their
>> respective nisnetgroups should be and refer to them as +nisnetgroupname
>> <- again, can't be fully qualified in the translation.
>
> That won't work -- a hostgroup isn't a netgroup, so the name of a
> hostgroup won't mean anything to a client if we provide it there.

From the start of this project, we have faced this challenge, and need to have an answer for it.
Sudo does not support hostgroups, it only knows about nisnetgroups. As such, either we need the backend code to translate this information automatically for us, or we need to go down the path of procedurally solving this issue.

For example:
* Create a user + usergroup
* Create a command + commandgroup
* Create a host + hostgroup
* Create a nisNetgroup with the same name as the ipaHostgroup, and add the hostgroup into the nisNetgroup...
* Allow translation to occur and point everything with 1-to-1 except for:
  - sudocmdgroups are unknown to sudo, so the individual commands need to be broken out and listed individually in the translation.
  - sudoHost will need to point to a (shared name) that represents both an ipaHostgroup and an ipaNisNetgroup.

We have discussed this challenge at length, and everyone agrees that nisNetgroups are a thing of the past, that is best forgotten. However, it is necessary to support them in the interim because sudo currently does not support anything else.

It is an ideal to strive toward getting sudo to support hostgroups, and also to support sssd, but we have a long way to go to get there.

-JR

From rcritten at redhat.com Thu Nov 18 16:45:30 2010
From: rcritten at redhat.com (Rob Crittenden) Date: Thu, 18 Nov 2010 11:45:30 -0500 Subject: [Freeipa-devel] [PATCH] 0014 better version checking In-Reply-To: <20101115210309.0b71c283@willson.li.ssimo.org> References: <20101115210309.0b71c283@willson.li.ssimo.org> Message-ID: <4CE5582A.6010206@redhat.com>

Simo Sorce wrote:
>
> The pwpolicy plugin was basically hardcoded to version 1.8 instead of
> checking for >= 1.8
>
> This patch uses distutils.version to fix that.
>
> Simo.

ack

From ayoung at redhat.com Thu Nov 18 17:01:47 2010
From: ayoung at redhat.com (Adam Young) Date: Thu, 18 Nov 2010 12:01:47 -0500 Subject: [Freeipa-devel] WebUI status Message-ID: <4CE55BFB.8000402@redhat.com>

To sum up where we are overall, and the dependencies.

We have three Entities not yet implemented:

Permissions (ACIs) - Spec'ed, but waiting on Backend implementation.
SUDO - Not spec'ed, but we can get started based on the HBAC work. Joint effort between edewata and JR Aquino
Automount -- Recommend that we do not do this for 2.0

Broken Entities:

DNS. Right now DNS is unusable, since we don't get effective rights. That is awaiting Pavel's work on the DNS plugin.
Certificates: Do not work without Dogtag. To get this to work, we need to be able to identify if Dogtag is enabled or not.
Associations: Need multi column support. Nothing blocking this work.
Server side filtering: eg. don't show the groups that a user is already enrolled in. baseldap needs a flag that will state entity & pkey to exclude.

There is a wide array of small detail cleanup work through the site as well. UXD has provided a punch list for a series of clean up work in the WebUI.

From ssorce at redhat.com Thu Nov 18 17:22:01 2010
From: ssorce at redhat.com (Simo Sorce) Date: Thu, 18 Nov 2010 12:22:01 -0500 Subject: [Freeipa-devel] [PATCH] 604 revoke certs when disabling and deleting hosts In-Reply-To: <4CD458FB.2010507@redhat.com> References: <4CD458FB.2010507@redhat.com> Message-ID: <20101118122201.6c20a699@willson.li.ssimo.org>

On Fri, 05 Nov 2010 15:20:27 -0400 Rob Crittenden wrote:
> When a host is deleted we revoke its certificate, if any.
>
> When a host keytab is disabled we disable all the keytabs and revoke
> the certificates of its services.
>
> I've also tried to make it more universal to display certificate
> details when viewing a record with a certificate in it.
>
> rob

a. needs rebase (I did a rebase on my own, hopefully the next point was not because of that)

b. after some fiddling and testing ipa host-disable seems to return a bogus error of:
ipa: ERROR: no modifications to be performed
and if tried again:
ipa: ERROR: This entry is already disabled

Possibly the first error was returned because the service I took a cert for (to test the cert was removed on disabling, which it was) didn't have a keytab associated.

So NACK on this error, but the general approach looks good.

Simo.

-- Simo Sorce * Red Hat, Inc * New York

From rcritten at redhat.com Thu Nov 18 17:27:57 2010
From: rcritten at redhat.com (Rob Crittenden) Date: Thu, 18 Nov 2010 12:27:57 -0500 Subject: [Freeipa-devel] [PATCHES] add (initial) anonymous pkinit support In-Reply-To: <20101118111439.3fb00fe9@willson.li.ssimo.org> References: <20101108193412.43d82687@willson.li.ssimo.org> <20101109151225.182aa986@willson.li.ssimo.org> <20101118111439.3fb00fe9@willson.li.ssimo.org> Message-ID: <4CE5621D.90806@redhat.com>

Simo Sorce wrote:
> On Tue, 9 Nov 2010 15:12:25 -0500
> Simo Sorce wrote:
>
>> On Mon, 8 Nov 2010 19:34:12 -0500
>> Simo Sorce wrote:
>>
>>> Patch 0004: Add basic certificate creation for selfsigned CA and
>>> KDC configuration. openssl had to be used because the NSS tools
>>> cannot deal with the special subjectaltName needed for the KDC
>>> certificate.
>>
>> Rebased this one on top of master (there was a conflict after latest
>> pushes).
>>
>> Simo.
>>
>
> This is a rebase of all the patches in this thread on top of current
> master.

acks all around

rob

From rcritten at redhat.com Thu Nov 18 17:30:17 2010
From: rcritten at redhat.com (Rob Crittenden) Date: Thu, 18 Nov 2010 12:30:17 -0500 Subject: [Freeipa-devel] [PATCH] 593 fix group objectclasses on detach In-Reply-To: <20101118160058.GA26817@zeppelin.brq.redhat.com> References: <4CCEE604.6090700@redhat.com> <20101118160058.GA26817@zeppelin.brq.redhat.com> Message-ID: <4CE562A9.7010700@redhat.com> Jakub Hrozek wrote: > On Mon, Nov 01, 2010 at 12:08:36PM -0400, Rob Crittenden wrote: >> Make sure a detached group has the default list of objectclasses. >> ipaUniqueId is handled by the new uuid plugin. >> >> https://fedorahosted.org/freeipa/ticket/250 >> >> rob > > I haven't fully tested the patch yet, but this caught my attention: > >> + (group_dn, group_attrs) = ldap.get_entry(group_dn) >> + is_managed = self.obj.has_objectclass(group_attrs['objectclass'], '') > > I think that is_managed is guaranteed to be False in this case, since > has_objectclass would do: > > return '' in group_attrs['objectclass'] Gah! Good catch, that should be mepManagedBy. Can you fix this and continue testing? rob From edewata at redhat.com Thu Nov 18 20:04:31 2010 From: edewata at redhat.com (Endi Sukma Dewata) Date: Thu, 18 Nov 2010 14:04:31 -0600 Subject: [Freeipa-devel] admiyo-0097-batch-init In-Reply-To: <4CE49ECA.4020308@redhat.com> References: <4CE49ECA.4020308@redhat.com> Message-ID: <4CE586CF.5090102@redhat.com> On 11/17/2010 9:34 PM, Adam Young wrote: > ACK and pushed to master. -- Endi S. Dewata From ssorce at redhat.com Thu Nov 18 20:10:33 2010 
From: ssorce at redhat.com (Simo Sorce) Date: Thu, 18 Nov 2010 15:10:33 -0500 Subject: [Freeipa-devel] [PATCHES] add (initial) anonymous pkinit support In-Reply-To: <4CE5621D.90806@redhat.com> References: <20101108193412.43d82687@willson.li.ssimo.org> <20101109151225.182aa986@willson.li.ssimo.org> <20101118111439.3fb00fe9@willson.li.ssimo.org> <4CE5621D.90806@redhat.com> Message-ID: <20101118151033.2af6ff2d@willson.li.ssimo.org>

On Thu, 18 Nov 2010 12:27:57 -0500 Rob Crittenden wrote:
> Simo Sorce wrote:
> > On Tue, 9 Nov 2010 15:12:25 -0500
> > Simo Sorce wrote:
> >
> >> On Mon, 8 Nov 2010 19:34:12 -0500
> >> Simo Sorce wrote:
> >>
> >>> Patch 0004: Add basic certificate creation for selfsigned CA and
> >>> KDC configuration. openssl had to be used because the NSS tools
> >>> cannot deal with the special subjectaltName needed for the KDC
> >>> certificate.
> >>
> >> Rebased this one on top of master (there was a conflict after
> >> latest pushes).
> >>
> >> Simo.
> >>
> >
> > This is a rebase of all the patches in this thread on top of current
> > master.
>
> acks all around

Pushed all to master.

Simo.

-- Simo Sorce * Red Hat, Inc * New York

From ssorce at redhat.com Thu Nov 18 20:13:39 2010
From: ssorce at redhat.com (Simo Sorce) Date: Thu, 18 Nov 2010 15:13:39 -0500 Subject: [Freeipa-devel] [PATCH] 0014 better version checking In-Reply-To: <4CE5582A.6010206@redhat.com> References: <20101115210309.0b71c283@willson.li.ssimo.org> <4CE5582A.6010206@redhat.com> Message-ID: <20101118151339.21fb6635@willson.li.ssimo.org>

On Thu, 18 Nov 2010 11:45:30 -0500 Rob Crittenden wrote:
> Simo Sorce wrote:
> >
> > The pwpolicy plugin was basically hardcoded to version 1.8 instead
> > of checking for >= 1.8
> >
> > This patch uses distutils.version to fix that.
> >
> > Simo.
>
> ack

pushed to master

Simo.

-- Simo Sorce * Red Hat, Inc * New York

From ssorce at redhat.com Thu Nov 18 20:17:02 2010
From: ssorce at redhat.com (Simo Sorce) Date: Thu, 18 Nov 2010 15:17:02 -0500 Subject: [Freeipa-devel] [SSSD] Proposed changes to the HBAC grammar In-Reply-To: <4CE544FA.3060000@redhat.com> References: <4CE4440C.4030400@redhat.com> <20101117214815.GK2973@localhost.localdomain> <4CE51A30.1040702@redhat.com> <20101118082447.23f6052f@willson.li.ssimo.org> <4CE544FA.3060000@redhat.com> Message-ID: <20101118151702.7e9dc216@willson.li.ssimo.org>

On Thu, 18 Nov 2010 16:23:38 +0100 Jakub Hrozek wrote:
> On 11/18/2010 02:24 PM, Simo Sorce wrote:
> > On Thu, 18 Nov 2010 07:21:04 -0500
> > Stephen Gallagher wrote:
> >
> >> Doing the forward septets is easy (1*x..7*x), but the reverse
> >> septets are more complicated (since they would be (y-1*x..y-7*x),
> >> where y is the total number of days in the month (which also has
> >> to account for leap years).
> >>
> >> I think it might be a nice enhancement, but I recommend that we not
> >> include it right now, given the tight release schedule for FreeIPA
> >> v2.
> >
> > As I said before it is a now or never condition.
> > If you do not put it in now, then when you put it in, old clients
> > will not understand the rule. And they will have only one option,
> > always deny access, because they have no way to understand when it
> > is ok to allow/deny it.
> >
> > Simo.
> >
>
> In that case, should we have some version identifier, too? In case we
> identify some flaw later on and need to change the format once again.

And what should a client do when it finds a version it does not understand?

Simo.

-- Simo Sorce * Red Hat, Inc * New York

From ayoung at redhat.com Thu Nov 18 20:36:00 2010
From: ayoung at redhat.com (Adam Young) Date: Thu, 18 Nov 2010 15:36:00 -0500 Subject: [Freeipa-devel] admiyo-0083-super-to-superior In-Reply-To: <4CDF435B.2070203@redhat.com> References: <4CDF435B.2070203@redhat.com> Message-ID: <4CE58E30.8080007@redhat.com>

On 11/13/2010 09:03 PM, Adam Young wrote:
> super is a keyword in Javascript. This removes a syntax error that
> shows up on some browsers.

ACKed and pushed by edewata

From ayoung at redhat.com Thu Nov 18 20:36:16 2010
From: ayoung at redhat.com (Adam Young) Date: Thu, 18 Nov 2010 15:36:16 -0500 Subject: [Freeipa-devel] [PATCH] admiyo-0082-more-css-cleanup In-Reply-To: <4CDF4324.2000501@redhat.com> References: <4CDF4324.2000501@redhat.com> Message-ID: <4CE58E40.6090903@redhat.com>

On 11/13/2010 09:02 PM, Adam Young wrote:
>

ACKed and pushed by edewata

From sgallagh at redhat.com Thu Nov 18 21:02:11 2010
From: sgallagh at redhat.com (Stephen Gallagher) Date: Thu, 18 Nov 2010 16:02:11 -0500 Subject: [Freeipa-devel] Proposed changes to the HBAC grammar In-Reply-To: <4CE53E75.8000500@redhat.com> References: <4CE4440C.4030400@redhat.com> <20101117163114.13724d40@willson.li.ssimo.org> <4CE44E50.1020300@redhat.com> <4CE5178B.4050402@redhat.com> <4CE538CE.10009@redhat.com> <4CE5395B.7050803@redhat.com> <4CE53E75.8000500@redhat.com> Message-ID: <4CE59453.6020103@redhat.com> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 On 11/18/2010 09:55 AM, Dmitri Pal wrote: > Steve can you summarize where we are and what we agreed to, please, and > identify the questions that we need to answer. Simo, Adam and I had a long discussion on IRC regarding the time rules today (complete log attached). The short version is that we're going to continue (mostly) with the current grammar for the time rules, with a few changes. 1) We need to replace week-of-the-month with day-of-the-septet. This day should not be a range or multi-valued to eliminate confusion 2) We need to replace the time range with a duration 3) We should add startDate and endDate as attributes on the HBAC object (separate from the accessTime). I propose these should be in LDAP generalizedTime so that it's possible to construct filters around them. This effectively sets the beginning and end of a periodic schedule. I've drawn up a new grammar definition and published it to the SSSD wiki (not currently linked from anywhere): https://fedorahosted.org/sssd/wiki/HBAC_Grammar Please review and give feedback. - -- Stephen Gallagher RHCE 804006346421761 Delivering value year after year. Red Hat ranks #1 in value among software vendors. 
http://www.redhat.com/promo/vendor/ -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.11 (GNU/Linux) Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org/ iEYEARECAAYFAkzllFMACgkQeiVVYja6o6PNIwCfQeLMCrWS0dW3t+pD8raTJ7d5 /7oAmwUAFMY1XAb289ysIGzSq3sPMjJF =a0mt -----END PGP SIGNATURE-----

Attachments: hbac_timerules_discussion.txt (text, charset unspecified), hbac_timerules_discussion.txt.sig (application/pgp-signature, 72 bytes)

From ayoung at redhat.com Thu Nov 18 21:13:05 2010
From: ayoung at redhat.com (Adam Young) Date: Thu, 18 Nov 2010 16:13:05 -0500 Subject: [Freeipa-devel] Proposed changes to the HBAC grammar In-Reply-To: <4CE59453.6020103@redhat.com> References: <4CE4440C.4030400@redhat.com> <20101117163114.13724d40@willson.li.ssimo.org> <4CE44E50.1020300@redhat.com> <4CE5178B.4050402@redhat.com> <4CE538CE.10009@redhat.com> <4CE5395B.7050803@redhat.com> <4CE53E75.8000500@redhat.com> <4CE59453.6020103@redhat.com> Message-ID: <4CE596E1.8020007@redhat.com>

On 11/18/2010 04:02 PM, Stephen Gallagher wrote:
> On 11/18/2010 09:55 AM, Dmitri Pal wrote:
>
>> Steve can you summarize where we are and what we agreed to, please, and
>> identify the questions that we need to answer.
>>
>
> Simo, Adam and I had a long discussion on IRC regarding the time rules
> today (complete log attached).
>
> The short version is that we're going to continue (mostly) with the
> current grammar for the time rules, with a few changes.
>
> 1) We need to replace week-of-the-month with day-of-the-septet. This day
> should not be a range or multi-valued to eliminate confusion
> 2) We need to replace the time range with a duration
> 3) We should add startDate and endDate as attributes on the HBAC object
> (separate from the accessTime). I propose these should be in LDAP
> generalizedTime so that it's possible to construct filters around them.
> This effectively sets the beginning and end of a periodic schedule.
>

OK, just please stop calling it septet. I think Drums, Bass, Piano, 2 Saxes, Trumpet, Trombone Jazz combo when I hear that. It is like octet versus byte....it means the same thing, and just annoys people.

What you really want is to call it week-of-the-month as opposed to week. I realize that is more verbose, but we don't sound like smarty-pants.
>
> I've drawn up a new grammar definition and published it to the SSSD wiki
> (not currently linked from anywhere):
> https://fedorahosted.org/sssd/wiki/HBAC_Grammar
>
> Please review and give feedback.
>
> --
> Stephen Gallagher

From rcritten at redhat.com Thu Nov 18 22:04:28 2010
From: rcritten at redhat.com (Rob Crittenden) Date: Thu, 18 Nov 2010 17:04:28 -0500 Subject: [Freeipa-devel] [PATCH] 604 revoke certs when disabling and deleting hosts In-Reply-To: <20101118122201.6c20a699@willson.li.ssimo.org> References: <4CD458FB.2010507@redhat.com> <20101118122201.6c20a699@willson.li.ssimo.org> Message-ID: <4CE5A2EC.7030709@redhat.com>

Simo Sorce wrote:
> On Fri, 05 Nov 2010 15:20:27 -0400
> Rob Crittenden wrote:
>
>> When a host is deleted we revoke its certificate, if any.
>>
>> When a host keytab is disabled we disable all the keytabs and revoke
>> the certificates of its services.
>>
>> I've also tried to make it more universal to display certificate
>> details when viewing a record with a certificate in it.
>>
>> rob
>
> a. needs rebase (I did a rebase on my own, hopefully the next point was
> not because of that)
>
> b. after some fiddling and testing ipa host-disable seems to return a
> bogus error of: ipa: ERROR: no modifications to be performed
> and if tried again: ipa: ERROR: This entry is already disabled
>
> Possibly the first error was returned because the service I took a cert
> for (to test the cert was removed on disabling, which it was) didn't
> have a keytab associated.
>
> So NACK on this error, but the general approach looks good.
>
> Simo.
>

Updated patch attached. Here is how to test it. My IPA server is on host slinky.example.com. I'm doing these commands from there.
# mkdir /etc/nsstmp
# certutil -N -d /etc/nsstmp (for simplicity do not set a password)
# ipa host-add puma.example.com
# ipa-getkeytab -s slinky -k /tmp/test.kt host/puma.example.com
# ipa-getcert request -d /etc/nss -n Server-Cert -N "cn=puma.example.com,O=EXAMPLE.COM" -K host/puma.example.com@EXAMPLE.COM

Now run this until the cert is in the state MONITORING

# ipa-getcert list

Just to double check, look at the host, it should have a keytab and a cert:

# ipa host-show puma
  Host name: puma.example.com
  Certificate: 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
  Principal name: host/puma.example.com@EXAMPLE.COM
  Keytab: True
  Managed by: puma.example.com
  Subject: CN=puma.example.com,O=EXAMPLE.COM
  Serial Number: 1029
  Issuer: CN=EXAMPLE.COM Certificate Authority
  Not Before: Thu Nov 18 20:41:16 2010 UTC
  Not After: Wed Nov 18 20:41:16 2015 UTC
  Fingerprint (MD5): 2a:f5:47:88:62:93:7f:87:2e:c5:d6:9a:11:df:b3:9d
  Fingerprint (SHA1): a0:4a:b2:2a:fc:f9:0f:cc:e7:18:30:29:7e:f6:63:75:8a:8d:45:12

Finally we're ready to test if disabling the host revokes/removes the cert too:

# ipa host-disable puma
---------------------------------------------------------
Removed kerberos key and disabled all services for "puma"
---------------------------------------------------------

Verify that the host is disabled and its cert is gone:

# ipa host-show puma
  Host name: puma.example.com
  Principal name: host/puma.example.com@EXAMPLE.COM
  Keytab: False
  Managed by: puma.example.com

Note that I'm allowing admin to write enrolledBy again. I need to find a better way to handle the attribute but lets clear it without errors for now.

rob

Attachment: freeipa-rcrit-604-2-host.patch (text/x-patch, 26450 bytes)

From rcritten at redhat.com Thu Nov 18 22:05:01 2010
From: rcritten at redhat.com (Rob Crittenden) Date: Thu, 18 Nov 2010 17:05:01 -0500 Subject: [Freeipa-devel] [PATCH] 607 add managedby to hosts In-Reply-To: <4CDB132E.7060008@redhat.com> References: <4CD99A30.2030705@redhat.com> <20101109145039.2b315e95@willson.li.ssimo.org> <4CDB132E.7060008@redhat.com> Message-ID: <4CE5A30D.5050602@redhat.com>

Rob Crittenden wrote:
> Simo Sorce wrote:
>> On Tue, 09 Nov 2010 14:00:00 -0500
>> Rob Crittenden wrote:
>>
>>> +
>>> + Add a host that can manage this host's keytab and certificate:
>>> + ipa host-add-host --hosts=test2 test
>>> """
>>>
>>
>> I do not want to nack, but looking at this command in isolation I am
>> quite confused at what it is supposed to do (think about seeing it in
>> a log file and wondering what it means w/o further context).
>>
>> What does it mean to add a host into a host (host-add-host)?
>> And which one is added to the other one? test in test2 or test2 in
>> test?
>>
>> I do not know if we can change names/syntax to make this more
>> immediately understandable, but if we can I'd like to do that.
>> Obscure/confusing syntaxes generally make it easier to make mistakes,
>> which are bad in a tool used to manage security.
>>
>> Simo.
>>
>
> Switched to host-add-managedby and host-remove-managedby.
>

Re-based against tip.

rob

Attachment: freeipa-rcrit-607-3-host.patch (text/x-patch, 15953 bytes)

From ayoung at redhat.com Thu Nov 18 22:08:46 2010
From: ayoung at redhat.com (Adam Young) Date: Thu, 18 Nov 2010 17:08:46 -0500 Subject: [Freeipa-devel] admiyo-0098-env-init Message-ID: <4CE5A3EE.6020400@redhat.com>

Example: to find the cert server used, you would do:

IPA.env.ra_plugin

Attachment: freeipa-admiyo-0098-env-init.patch (text/x-patch, 12321 bytes)

From ayoung at redhat.com Thu Nov 18 22:27:19 2010
From: ayoung at redhat.com (Adam Young) Date: Thu, 18 Nov 2010 17:27:19 -0500 Subject: [Freeipa-devel] [PATCH] admiyo-0092-action-select In-Reply-To: <4CE420EF.9000302@younglogic.com> References: <4CE420EF.9000302@younglogic.com> Message-ID: <4CE5A847.5030608@redhat.com>

On 11/17/2010 01:37 PM, Adam Young wrote:
>

ACKed and pushed to master by edewata

From dpal at redhat.com Thu Nov 18 22:27:13 2010
From: dpal at redhat.com (Dmitri Pal) Date: Thu, 18 Nov 2010 17:27:13 -0500 Subject: [Freeipa-devel] Proposed changes to the HBAC grammar In-Reply-To: <4CE596E1.8020007@redhat.com> References: <4CE4440C.4030400@redhat.com> <20101117163114.13724d40@willson.li.ssimo.org> <4CE44E50.1020300@redhat.com> <4CE5178B.4050402@redhat.com> <4CE538CE.10009@redhat.com> <4CE5395B.7050803@redhat.com> <4CE53E75.8000500@redhat.com> <4CE59453.6020103@redhat.com> <4CE596E1.8020007@redhat.com> Message-ID: <4CE5A841.7000509@redhat.com>

Adam Young wrote:
> On 11/18/2010 04:02 PM, Stephen Gallagher wrote:
>> On 11/18/2010 09:55 AM, Dmitri Pal wrote:
>>
>>> Steve can you summarize where we are and what we agreed to,
>>> please, and identify the questions that we need to answer.
>>>
>>
>> Simo, Adam and I had a long discussion on IRC regarding the time rules
>> today (complete log attached).
>>
>> The short version is that we're going to continue (mostly) with the
>> current grammar for the time rules, with a few changes.
>>
>> 1) We need to replace week-of-the-month with day-of-the-septet. This day
>> should not be a range or multi-valued to eliminate confusion
>> 2) We need to replace the time range with a duration
>> 3) We should add startDate and endDate as attributes on the HBAC object
>> (separate from the accessTime). I propose these should be in LDAP
>> generalizedTime so that it's possible to construct filters around them.
>> This effectively sets the beginning and end of a periodic schedule.
>>
>
> OK, just please stop calling it septet. I think Drums, Bass, Piano,
> 2 Saxes, Trumpet, Trombone Jazz combo when I hear that. It is like
> octet versus byte....it means the same thing, and just annoys people.
>
> What you really want is to call it week-of-the-month as opposed to
> week. I realize that is more verbose, but we don't sound like
> smarty-pants.
>
>> I've drawn up a new grammar definition and published it to the SSSD wiki
>> (not currently linked from anywhere):
>> https://fedorahosted.org/sssd/wiki/HBAC_Grammar
>>
>> Please review and give feedback.
>>

I thought that first septet is the first seven days of the month based on earlier mails from Steven. Is this a true statement?

The whole issue started with ambiguity of the notion of the "N-th week" of the month. What is the week-of-the-month? Is it the first seven days regardless of what day of the week is the first day of the month (this is what I thought a septet is), or the first full week from Monday to Sunday or from Sunday to Saturday, or is it the first, usually partial, week? This is the ambiguity that we want to avoid!

If the septet is what I think it is then we can't name it the week-of-the-month and IMO septet is a good term here. However then there is a bug in grammar as septet can be only 1-5 not 1-6.

-- Thank you, Dmitri Pal Sr. Engineering Manager IPA project, Red Hat Inc. ------------------------------- Looking to carve out IT costs? www.redhat.com/carveoutcosts/

From adam at younglogic.com Thu Nov 18 22:00:21 2010
From: adam at younglogic.com (Adam Young) Date: Thu, 18 Nov 2010 17:00:21 -0500 Subject: [Freeipa-devel] [PATCH] admiyo-0098-env-init Message-ID: <4CE5A1F5.3040902@younglogic.com>

Attachment: freeipa-admiyo-0098-env-init.patch (text/x-patch, 7950 bytes)

From rcritten at redhat.com Thu Nov 18 22:37:52 2010
From: rcritten at redhat.com (Rob Crittenden) Date: Thu, 18 Nov 2010 17:37:52 -0500 Subject: [Freeipa-devel] [PATCH] 593 fix group objectclasses on detach In-Reply-To: <4CE562A9.7010700@redhat.com> References: <4CCEE604.6090700@redhat.com> <20101118160058.GA26817@zeppelin.brq.redhat.com> <4CE562A9.7010700@redhat.com> Message-ID: <4CE5AAC0.3010802@redhat.com>

Rob Crittenden wrote:
> Jakub Hrozek wrote:
>> On Mon, Nov 01, 2010 at 12:08:36PM -0400, Rob Crittenden wrote:
>>> Make sure a detached group has the default list of objectclasses.
>>> ipaUniqueId is handled by the new uuid plugin.
>>>
>>> https://fedorahosted.org/freeipa/ticket/250
>>>
>>> rob
>>
>> I haven't fully tested the patch yet, but this caught my attention:
>>
>>> + (group_dn, group_attrs) = ldap.get_entry(group_dn)
>>> + is_managed = self.obj.has_objectclass(group_attrs['objectclass'], '')
>>
>> I think that is_managed is guaranteed to be False in this case, since
>> has_objectclass would do:
>>
>> return '' in group_attrs['objectclass']
>
> Gah! Good catch, that should be mepManagedBy. Can you fix this and
> continue testing?
>
> rob

I rebased this and fixed this error (I rebased it with patches 604 and 607 on my tree in case that makes a difference).

To test this do:

# ipa user-add --first=Tim --last=User tuser
# ipa group-show tuser --all
[ note the objectclasses ]
# ipa group-detach tuser
# ipa group-show --all tuser

It should now be a full POSIX group with an ipaUniqueId and a full set of objectclasses. You should be able to add a user to it.

# ipa group-add-member --users=tuser tuser

rob

Attachment: freeipa-rcrit-593-2-group.patch (text/x-patch, 5718 bytes)

From ayoung at redhat.com Thu Nov 18 22:42:19 2010
From: ayoung at redhat.com (Adam Young) Date: Thu, 18 Nov 2010 17:42:19 -0500 Subject: [Freeipa-devel] Proposed changes to the HBAC grammar In-Reply-To: <4CE5A841.7000509@redhat.com> References: <4CE4440C.4030400@redhat.com> <20101117163114.13724d40@willson.li.ssimo.org> <4CE44E50.1020300@redhat.com> <4CE5178B.4050402@redhat.com> <4CE538CE.10009@redhat.com> <4CE5395B.7050803@redhat.com> <4CE53E75.8000500@redhat.com> <4CE59453.6020103@redhat.com> <4CE596E1.8020007@redhat.com> <4CE5A841.7000509@redhat.com> Message-ID: <4CE5ABCB.6070807@redhat.com>

On 11/18/2010 05:27 PM, Dmitri Pal wrote:
> Adam Young wrote:
>> On 11/18/2010 04:02 PM, Stephen Gallagher wrote:
>>> On 11/18/2010 09:55 AM, Dmitri Pal wrote:
>>>
>>>> Steve can you summarize where we are and what we agreed to,
>>>> please, and identify the questions that we need to answer.
>>>>
>>>
>>> Simo, Adam and I had a long discussion on IRC regarding the time rules
>>> today (complete log attached).
>>>
>>> The short version is that we're going to continue (mostly) with the
>>> current grammar for the time rules, with a few changes.
>>>
>>> 1) We need to replace week-of-the-month with day-of-the-septet. This day
>>> should not be a range or multi-valued to eliminate confusion
>>> 2) We need to replace the time range with a duration
>>> 3) We should add startDate and endDate as attributes on the HBAC object
>>> (separate from the accessTime). I propose these should be in LDAP
>>> generalizedTime so that it's possible to construct filters around them.
>>> This effectively sets the beginning and end of a periodic schedule.
>>>
>>
>> OK, just please stop calling it septet. I think Drums, Bass, Piano,
>> 2 Saxes, Trumpet, Trombone Jazz combo when I hear that. It is like
>> octet versus byte....it means the same thing, and just annoys people.
>>
>> What you really want is to call it week-of-the-month as opposed to
>> week. I realize that is more verbose, but we don't sound like
>> smarty-pants.
>>
>>
>> I've drawn up a new grammar definition and published it to the SSSD wiki
>> (not currently linked from anywhere):
>> https://fedorahosted.org/sssd/wiki/HBAC_Grammar
>>
>> Please review and give feedback.
>>
> I thought that first septet is the first seven days of the month based
> on earlier mails from Steven. Is this a true statement?
> The whole issue started with ambiguity of the notion of the "N-th week"
> of the month.
> What is it the week-of-the-month? Is it first seven day regardless what
> day of the week is the first day of the month (this is what I thought a
> septet is) or first full week from Monday to Sunday or from Sunday to
> Saturday, or it is the first usually partial week? This is the ambiguity
> that we want to avoid!
>
> If the septet is what I think it is then we can't name it the
> week-of-the-month and IMO septet is a good term here. However then there
> is a bug in grammar as septet can be only 1-5 not 1-6.
>

OK, if this is really what is driving the grammar, I'm going to have to NACK.

Let's make something that is intelligible. We don't want to be inventing concepts like Septet. Or Septave, since 8 days is already called an octave.

Here's the Cron line that Steve posted before. It represents the first Wednesday of the month.

0 8 1-7 * 3

Let's keep the concept of week, starting on Sunday, add in the concept of day of the month, and mix the two together.

Does the current grammar (pre-septet) support that? Something like:

accessTime: periodic monthly between day 1-7 wednesday

From dpal at redhat.com Thu Nov 18 23:11:26 2010
From: dpal at redhat.com (Dmitri Pal)
Date: Thu, 18 Nov 2010 18:11:26 -0500
Subject: [Freeipa-devel] Where we are with SUDO?
In-Reply-To:
References:
Message-ID: <4CE5B29E.2020702@redhat.com>

JR Aquino wrote:
> On 11/18/10 8:16 AM, "Nalin Dahyabhai" wrote:
>
>>> ToDo's:
>>>
>>> * Get sudo compat to translate usergroup/posix group's such that it can
>>> prepend a %groupname <- notice that it is not fully qualified dn.
>>>
>> If memberUser can point to either a user or a group, and we read a
>> memberUser entry's "cn" attribute, we don't currently have a way to
>> avoid throwing the "cn" values from user entries into the mix. I
>> could've sworn we were using memberGroup and memberNetgroup for those
>> cases to avoid this, but it appears I was mistaken.
>>
>
> The IPA SudoRule Structure has largely been based off of what we are doing
> today with HBAC.
>
> HBAC does not distinguish between memberGroup or memberNetgroup... It's
> simply memberHost and memberUser for both HBAC and IPASudoRules.
>
> Also, when HBAC or IPASudoRules add a member, there is no resulting
> 'memberOf' or (hbacMemberOf/sudoMemberOf) inserted into the usergroup,
> hostgroup, command group, etc... Whereas, if you add a host to a
> hostgroup, the host ends up with a pointer referring back to the
> hostgroup. I believe this was done to provide referential integrity.
>
> We will definitely need to modify the schema under the hood if it is
> necessary to make these shifts, but I am not sure if that sort of change
> will be affected by the way the backend treats these sorts of objects.
>

Nalin is working on a solution to this. We do not need to modify schema. Instead he is adding code to make checks on the object type and have a way to transform the value in different ways based on this check.
>>> * Get sudo compat to translate the 'hostgroups' into whatever their
>>> respective nisnetgroups should be and refer to them as +nisnetgroupname
>>> <- again, can't be fully qualified in the translation.
>>>
>> That won't work -- a hostgroup isn't a netgroup, so the name of a
>> hostgroup won't mean anything to a client if we provide it there.
>>
>
> From the start of this project, we have faced this challenge, and need to
> have an answer for it.
>
> Sudo, does not support hostgroups, it only knows about nisnetgroups.
>
> As such, either we need the backend code to translate this information
> automatically for us.
>
> Or
>
> We need to go down the path of procedurally solving this issue.
>
> For example:
>
> * Create a user + usergroup
> * Create a command + commandgroup
> * Create a host + hostgroup
> * Create a nisNetgroup with the same name as the ipaHostgroup, and add the
>   hostgroup into the nisNetgroup...
> * Allow translation to occur and point everything with 1-to-1 except for:
>   - sudocmdgroups are unknown to sudo, so the individual commands need to be
>     broken out and listed individually in the translation.
>   - sudoHost will need to point to a (shared name) that represents both an
>     ipaHostgroup and an ipaNisNetgroup.
>
> We have discussed this challenge at length, and everyone agrees that
> nisNetgroups are a thing of the past, that is best forgotten. However, it
> is necessary to support them in the interim because sudo currently does
> not support anything else. It is an ideal to strive toward getting sudo
> to support hostgroups, and also to support sssd, but we have a long way to
> go to get there.
>

I was assuming that this is a procedurally solvable solution during migration.

In your case when you move to IPA you would need to transfer data from the original data source.

1) All the netgroups that store the hosts and are used in SUDO and other places need to be migrated into the IPA back end schema.
As you prepare data for migration the following reshuffling needs to be done with the original data, and the resulting LDIF should have:

a) all the hosts created as host entries
b) all hosts added to a host group, probably with the same name as the name of the netgroup in the original data set
c) a netgroup entry with the same name as in the source data set, pointing to this host group
d) the memberHost attribute of the SUDO rule pointing to the netgroup DN

This solves the issue of migrating data from the old model to the new model. It would be nice to have some scripts in the project that would help people take the 2307 + SUDO schema and move to IPA. We do not have cycles to do it ourselves and hope that something like this will eventually be developed and contributed by the community.

2) The other question is management of SUDO data on an ongoing basis. Until SUDO supports host groups via a policy plugin, the IPA admins would have to wrap host groups into netgroups. A special wrapper can be created for the CLI to create a netgroup out of the hostgroup, or maybe it can be a flag to hostgroup-add to automatically create a netgroup with the same name. Something similar to what we do with host-add and DNS.

An alternative is to have a managed entry plugin automatically create a netgroup for every hostgroup in the system. This might be even simpler.

I am open to suggestions here but hope that, since this is an optimization and we are in a bit of a ramp up to the release, this functionality can be contributed soon or can be added later.

Thank you,
Dmitri

> -JR
>

-- 
Thank you,
Dmitri Pal

Sr. Engineering Manager IPA project,
Red Hat Inc.

-------------------------------
Looking to carve out IT costs?
www.redhat.com/carveoutcosts/

From dpal at redhat.com Thu Nov 18 23:16:49 2010
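The migration reshuffle in steps a) to d) of Dmitri's message above, as an added example script (not FreeIPA code and not something from the thread): it takes 2307-style nisNetgroup triples plus sudoers-LDAP rules whose sudoHost values are "+netgroup" references, and emits one LDIF with host entries, a host group per netgroup, a wrapping netgroup of the same name, and sudo rules whose memberHost points at the netgroup DN. The suffix, container DNs and objectclasses are assumptions modelled on the FreeIPA v2 tree and must be checked against the target server; the sample netgroups and rule are constructed input. ipaUniqueId is deliberately not emitted, since the uuid plugin discussed elsewhere in this digest generates it.

```python
"""Reshuffle 2307-style netgroup and sudo data into IPA-style LDIF.

Added example for migration steps a)-d); not FreeIPA code.  Container DNs
and objectclasses are assumptions modelled on the FreeIPA v2 tree.
"""
import re

SUFFIX = "dc=example,dc=com"                        # assumption: target suffix
HOSTS_DN = "cn=computers,cn=accounts," + SUFFIX     # assumption: host container
HOSTGROUPS_DN = "cn=hostgroups,cn=accounts," + SUFFIX
NETGROUPS_DN = "cn=ng,cn=alt," + SUFFIX
SUDORULES_DN = "cn=sudorules,cn=sudo," + SUFFIX

# nisNetgroupTriple is "(host,user,domain)"; any field may be empty or "-".
TRIPLE_RE = re.compile(r"^\(\s*([^,()]*?)\s*,\s*([^,()]*?)\s*,\s*([^()]*?)\s*\)$")

# Constructed sample input: two source netgroups (www1 is in both) and one
# sudoers-LDAP rule mixing "+netgroup" references with a plain host name.
SOURCE_NETGROUPS = {
    "webservers": ["(www1.example.com,-,)", "(www2.example.com,-,)"],
    "dbservers": ["(db1.example.com,,example.com)", "(www1.example.com,-,)"],
}
SOURCE_SUDO_RULES = {
    "restart_httpd": {"sudoHost": ["+webservers", "+dbservers", "bastion.example.com"]},
}


def host_dn(fqdn):
    return "fqdn=%s,%s" % (fqdn, HOSTS_DN)


def hostgroup_dn(name):
    return "cn=%s,%s" % (name, HOSTGROUPS_DN)


def netgroup_dn(name):
    return "cn=%s,%s" % (name, NETGROUPS_DN)


def sudorule_dn(name):
    return "cn=%s,%s" % (name, SUDORULES_DN)


def hosts_from_triples(triples):
    """Extract the host field of each triple, skipping wildcard/empty hosts."""
    hosts = []
    for triple in triples:
        match = TRIPLE_RE.match(triple.strip())
        if not match:
            raise ValueError("malformed nisNetgroupTriple: %r" % triple)
        host = match.group(1)
        if host and host != "-":
            hosts.append(host.lower())
    return hosts


def build_entries(netgroups, sudo_rules):
    """Return [(dn, [(attr, value), ...]), ...] implementing steps a)-d)."""
    entries = []
    seen_hosts = set()

    def ensure_host(fqdn):
        # a) one host entry per distinct fqdn; ipaUniqueId left to the uuid plugin
        if fqdn not in seen_hosts:
            seen_hosts.add(fqdn)
            entries.append((host_dn(fqdn), [("objectClass", "ipaobject"),
                                            ("objectClass", "ipahost"),
                                            ("fqdn", fqdn)]))

    for name, triples in netgroups.items():
        hosts = hosts_from_triples(triples)
        for fqdn in hosts:
            ensure_host(fqdn)
        # b) a host group named after the source netgroup, holding its hosts
        entries.append((hostgroup_dn(name), [
            ("objectClass", "ipaobject"), ("objectClass", "ipahostgroup"),
            ("objectClass", "groupOfNames"), ("objectClass", "nestedGroup"),
            ("cn", name)] + [("member", host_dn(h)) for h in hosts]))
        # c) a netgroup with the same name that wraps the host group
        entries.append((netgroup_dn(name), [
            ("objectClass", "ipaobject"), ("objectClass", "ipaassociation"),
            ("objectClass", "ipanisnetgroup"), ("cn", name),
            ("memberHost", hostgroup_dn(name))]))
    # d) the sudo rule's memberHost points at the netgroup DN
    for name, attrs in sudo_rules.items():
        member_hosts = []
        for value in attrs.get("sudoHost", []):
            if value.startswith("+"):
                if value[1:] not in netgroups:
                    raise KeyError("sudoHost references unknown netgroup %r" % value[1:])
                member_hosts.append(netgroup_dn(value[1:]))
            else:                      # plain host: make sure it exists, point at it
                ensure_host(value.lower())
                member_hosts.append(host_dn(value.lower()))
        entries.append((sudorule_dn(name), [
            ("objectClass", "ipaassociation"), ("objectClass", "ipasudorule"),
            ("cn", name)] + [("memberHost", dn) for dn in member_hosts]))
    return entries


def to_ldif(entries):
    lines = []
    for dn, attrs in entries:
        lines.append("dn: " + dn)
        lines.extend("%s: %s" % (attr, value) for attr, value in attrs)
        lines.append("")
    return "\n".join(lines)


if __name__ == "__main__":
    print(to_ldif(build_entries(SOURCE_NETGROUPS, SOURCE_SUDO_RULES)))
```

Nested netgroups (memberNisNetgroup) are not handled; a real migration would flatten them first. The ordering of the output matters when loading: hosts come before the host group that references them, and the netgroup before the sudo rule.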
From: dpal at redhat.com (Dmitri Pal) Date: Thu, 18 Nov 2010 18:16:49 -0500 Subject: [Freeipa-devel] Proposed changes to the HBAC grammar In-Reply-To: <4CE5ABCB.6070807@redhat.com> References: <4CE4440C.4030400@redhat.com> <20101117163114.13724d40@willson.li.ssimo.org> <4CE44E50.1020300@redhat.com> <4CE5178B.4050402@redhat.com> <4CE538CE.10009@redhat.com> <4CE5395B.7050803@redhat.com> <4CE53E75.8000500@redhat.com> <4CE59453.6020103@redhat.com> <4CE596E1.8020007@redhat.com> <4CE5A841.7000509@redhat.com> <4CE5ABCB.6070807@redhat.com> Message-ID: <4CE5B3E1.7040100@redhat.com> Adam Young wrote: > On 11/18/2010 05:27 PM, Dmitri Pal wrote: >> Adam Young wrote: >> >>> On 11/18/2010 04:02 PM, Stephen Gallagher wrote: >>> On 11/18/2010 09:55 AM, Dmitri Pal wrote: >>> >>> >>>>>> Steve can you summarize where we are and what we agreed to, >>>>>> >>> please, and >>> >>>>>> identify the questions that we need to answer. >>>>>> >>>>>> >>> Simo, Adam and I had a long discussion on IRC regarding the time rules >>> today (complete log attached). >>> >>> The short version is that we're going to continue (mostly) with the >>> current grammar for the time rules, with a few changes. >>> >>> 1) We need to replace week-of-the-month with day-of-the-septet. This >>> day >>> should not be a range or multi-valued to eliminate confusion >>> 2) We need to replace the time range with a duration >>> 3) We should add startDate and endDate as attributes on the HBAC object >>> (separate from the accessTime). I propose these should be in LDAP >>> generalizedTime so that it's possible to construct filters around them. >>> This effectively sets the beginning and end of a periodic schedule. >>> >>> >>> >>>> OK, just please stop calling it septet. I think Drums, Bass, Piano, >>>> >>> 2 Saxes, Trumpet, Trombone Jazz combo when I hear that. It isl ike >>> octet versus byte....it means the same thing, and just annoys people. 
>>> >>> >>>> What you really want is to call it week-of-the-month as opposed to >>>> >>> week. I realize that is more verbose, but we don't sound like >>> smarty-pants. >>> >>> >>> >>> >>> I've drawn up a new grammar definition and published it to the SSSD >>> wiki >>> (not currently linked from anywhere): >>> https://fedorahosted.org/sssd/wiki/HBAC_Grammar >>> >>> Please review and give feedback. >>> >>> >>> >> I thought that first septet is the first seven days of the month based >> on earlier mails from Steven. Is this a true statement? >> The whole issue started with ambiguity of the notion of the "N-th week" >> of the month. >> What is it the week-of-the-month? Is it first seven day regardless what >> day of the week is the first day of the month (this is what I thought a >> septet is) or fist full week from Monday to Sunday or from Sunday to >> Saturday, or it is the first usually partial week? This is the ambiguity >> that we want to avoid! >> >> If the septet is what I think it is then we can't name it the >> week-of-the-month and IMO septet is a good term here. However then there >> is a bug in grammar as septet can be only 1-5 not 1-6. >> > > OK, if this is really what is driving the grammar, I'm going to have > to NACK. > > Lets make something that is intelligible. We don't want to be > inventing concepts like Septet. Or Septave, since 8 days is already > called an octave. > > Here's the Cron line that Steve posted before. It represents THe > first wednesday of the month. > > 0 8 1-7 * 3 > > > Lets keep the concept of week, starting on Sunday, add in the concept > of day of the month, and mix the two together. > > Does the current grammar (pre-septet) support that? Something like: > > accessTime: periodic monthly between day 1-7 wednesday > > It does not support this. 
It requires specifying either a week of the month after "monthly" and then a day within the week (as numbers or the letter day names), or a set of numbers representing days or ranges of days within the month. You can't, with the existing schema, unambiguously define "first Wednesday of the month" without the proposed "septet" changes.

-- 
Thank you,
Dmitri Pal

Sr. Engineering Manager IPA project,
Red Hat Inc.

-------------------------------
Looking to carve out IT costs?
www.redhat.com/carveoutcosts/

From edewata at redhat.com Thu Nov 18 23:46:25 2010
From: edewata at redhat.com (Endi Sukma Dewata)
Date: Thu, 18 Nov 2010 17:46:25 -0600
Subject: [Freeipa-devel] admiyo-0098-env-init
In-Reply-To: <4CE5A3EE.6020400@redhat.com>
References: <4CE5A3EE.6020400@redhat.com>
Message-ID: <4CE5BAD1.3060409@redhat.com>

On 11/18/2010 4:08 PM, Adam Young wrote:
> Example: to find the cert server used, you would do:
>
> IPA.env.ra_plugin

ACK and pushed to master.

-- 
Endi S. Dewata

From ayoung at redhat.com Fri Nov 19 01:13:10 2010
From: ayoung at redhat.com (Adam Young)
Date: Thu, 18 Nov 2010 20:13:10 -0500
Subject: [Freeipa-devel] [PATCH] admiyo-0095-removed-index.
Message-ID: <4CE5CF26.9040307@redhat.com>

-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-admiyo-0095-removed-index.xhtml.patch
Type: text/x-patch
Size: 3684 bytes
Desc: not available
URL:
From ayoung at redhat.com Fri Nov 19 01:34:18 2010
From: ayoung at redhat.com (Adam Young)
Date: Thu, 18 Nov 2010 20:34:18 -0500
Subject: [Freeipa-devel] [PATCH] 608 Fix returning effective rights for password policy
In-Reply-To: <4CE552C2.2030609@redhat.com>
References: <4CE552C2.2030609@redhat.com>
Message-ID: <4CE5D41A.4080807@redhat.com>

On 11/18/2010 11:22 AM, Rob Crittenden wrote:
> Password policy needs to update the class of service priority in
> another entry. Include the CoS attribute when reporting rights.
>
> rob

Can't seem to get it to work. Running in the lite server, I have confirmed that the patch is applied and run:

curl -H "Content-Type:application/json" -H "Accept:applicaton/json" --negotiate -u : --cacert /etc/ipa/ca.crt -d '{"method":"pwpolicy_show","params":[["global_policy"],{"rights":1, "all":1}]}' -X POST http://localhost:8888/ipa/json | less

as well as

./ipa pwpolicy-show global_policy --rights

and

./ipa pwpolicy-show global_policy --rights --all

But do not see rights. Which returns:

ipa: ERROR: global_policy: entry not found

Considering that I run

./ipa pwpolicy-find global_policy --rights --all

and get

ipa: error: no such option: --rights

I am pretty sure that the patch is applied.

-------------- next part --------------
An HTML attachment was scrubbed...
URL:
From ayoung at redhat.com Fri Nov 19 01:40:02 2010
From: ayoung at redhat.com (Adam Young)
Date: Thu, 18 Nov 2010 20:40:02 -0500
Subject: [Freeipa-devel] [PATCH] 0016 Tune directory server
In-Reply-To: <20101117162617.34313713@willson.li.ssimo.org>
References: <20101116140958.39fa360c@willson.li.ssimo.org> <20101117162617.34313713@willson.li.ssimo.org>
Message-ID: <4CE5D572.7080306@redhat.com>

On 11/17/2010 04:26 PM, Simo Sorce wrote:
> On Tue, 16 Nov 2010 14:09:58 -0500
> Simo Sorce wrote:
>
>> This patch bumps up the default number of files allowed by default for
>> directory server. This allows more clients and also reserves a bigger
>> number of FDs (at least according to doc) for replication agreements
>> and such things.
>>
>> Ticket 464.
>>
> Changed the patch to restore files on uninstall. Now 0016-2 depends on
> 0017 attached here too.
>
> Simo.

Patch 17 failed to apply. Ran using git am as well as patch -p1. Here's the rej:

--- ipaserver/install/dsinstance.py +++ ipaserver/install/dsinstance.py @@ -185,6 +186,12 @@ else: self.suffix = None + if fstore: + self.fstore = fstore + else: + self.fstore = sysrestore.FileStore('/var/lib/ipa/sysrestore') + + def create_instance(self, ds_user, realm_name, fqdn, domain_name, dm_password, pkcs12_info=None, self_signed_ca=False, idstart=1100, idmax=999999, subject_base=None,

Tried patch 16-2 and it failed, too. Here's the rej:

--- ipaserver/install/dsinstance.py +++ ipaserver/install/dsinstance.py @@ -185,10 +185,7 @@ else: self.suffix = None - if fstore: - self.fstore = fstore - else: - self.fstore = sysrestore.FileStore('/var/lib/ipa/sysrestore') + self.fstore = sysrestore.FileStore('/var/lib/ipa/sysrestore') def create_instance(self, ds_user, realm_name, fqdn, domain_name,
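Review bot: the `@@ -185,10 +185,7 @@` hunk from the 0016-2 rej expects the `if fstore: self.fstore = fstore` / `else: self.fstore = sysrestore.FileStore('/var/lib/ipa/sysrestore')` lines that the 0017 hunk directly above it adds, so once 0017 fails to apply this hunk cannot apply either; the second rej is a consequence of the first rather than a separate conflict, and the tree both patches were generated against should be identified before either is resolved by hand. Beyond the ordering, this hunk replaces the injectable `fstore` with an unconditional `sysrestore.FileStore('/var/lib/ipa/sysrestore')`, so any caller that passes its own FileStore to share backup state between install and uninstall silently loses that; suggest keeping the parameter, or stating in the commit message why it is dropped.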
@@ -533,6 +531,7 @@ self.stop() try: + self.fstore.restore_file("/etc/security/limits.conf") self.fstore.restore_file("/etc/sysconfig/dirsrv") except ValueError, error: logging.debug(error)

-------------- next part --------------
An HTML attachment was scrubbed...
URL:
From ayoung at redhat.com Fri Nov 19 01:54:11 2010
From: ayoung at redhat.com (Adam Young)
Date: Thu, 18 Nov 2010 20:54:11 -0500
Subject: [Freeipa-devel] [PATCH] 0018 filter lockout attributes from replication
In-Reply-To: <20101117162711.2682bfd9@willson.li.ssimo.org>
References: <20101117162711.2682bfd9@willson.li.ssimo.org>
Message-ID: <4CE5D8C3.4010204@redhat.com>

On 11/17/2010 04:27 PM, Simo Sorce wrote:
> Fixes #440
>
> Simo.

ACK and pushed to master

-------------- next part --------------
An HTML attachment was scrubbed...
URL:
From ayoung at redhat.com Fri Nov 19 02:03:07 2010
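Review bot: in the `@@ -533,6 +531,7 @@` dsinstance.py hunk of the 0016-2 rej in the "0016 Tune directory server" message above, the added `self.fstore.restore_file("/etc/security/limits.conf")` sits inside the same `try` as `self.fstore.restore_file("/etc/sysconfig/dirsrv")`, so a `ValueError` from the limits.conf restore (the very case the `except ValueError, error: logging.debug(error)` branch exists for) skips the dirsrv sysconfig restore and leaves the raised file-descriptor settings in place after uninstall; suggest giving each `restore_file` call its own try/except so one missing backup does not block the other restore.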
From: ayoung at redhat.com (Adam Young)
Date: Thu, 18 Nov 2010 21:03:07 -0500
Subject: [Freeipa-devel] [PATCH] 607 add managedby to hosts
In-Reply-To: <4CE5A30D.5050602@redhat.com>
References: <4CD99A30.2030705@redhat.com> <20101109145039.2b315e95@willson.li.ssimo.org> <4CDB132E.7060008@redhat.com> <4CE5A30D.5050602@redhat.com>
Message-ID: <4CE5DADB.8070906@redhat.com>

On 11/18/2010 05:05 PM, Rob Crittenden wrote:
> Rob Crittenden wrote:
>> Simo Sorce wrote:
>>> On Tue, 09 Nov 2010 14:00:00 -0500
>>> Rob Crittenden wrote:
>>>
>>>> +
>>>> + Add a host that can manage this host's keytab and certificate:
>>>> + ipa host-add-host --hosts=test2 test
>>>> """
>>>>
>>>
>>> I do not want to nack, but looking at this command in isolation I am
>>> quite confused at what it is supposed to do (think about seeing it in
>>> a log file and wondering what it means w/o further context).
>>>
>>> What does it mean to add a host into a host (host-add-host) ?
>>> And which one is added to the other one ? test in test2 or test2 in
>>> test?
>>>
>>> I do not know if we can change names/syntax to make this more
>>> immediately understandable, but if we can I'd like to do that.
>>> Obscure/confusing syntaxes generally make it easier to make mistakes,
>>> which are bad in a tool used to manage security.
>>>
>>> Simo.
>>>
>>
>> Switched to host-add-managedby and host-remove-managedby.
>>
>
> Re-based against tip.
>
> rob

Just tried to apply to master. am failed, and patch -p provided the following rej:

--- ipalib/plugins/host.py +++ ipalib/plugins/host.py @@ -101,6 +104,9 @@ Flag('has_keytab', label=_('Keytab'), ), + Str('managedby_host', + label='Managed by', + ), Str('subject', label=_('Subject'), ),
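Review bot: in the `@@ -101,6 +104,9 @@` host.py hunk, `Str('managedby_host', label='Managed by', )` passes a bare string where the neighbouring `Flag('has_keytab', label=_('Keytab'))` and `Str('subject', label=_('Subject'))` wrap the label in `_()`, so this label is the only one in the block that will not be translated; suggest `label=_('Managed by')`. The leading whitespace was lost when the rej was pasted, so the indentation of the new lines cannot be checked from here.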
@@ -453,6 +463,7 @@ Display information about a host. """ has_output_params = LDAPRetrieve.has_output_params + host_output_params + member_attributes = ['managedby'] def post_callback(self, ldap, dn, entry_attrs, *keys, **options): if 'krblastpwdchange' in entry_attrs:

As well as

--- tests/test_xmlrpc/test_host_plugin.py +++ tests/test_xmlrpc/test_host_plugin.py @@ -221,6 +228,7 @@ fqdn=[fqdn1], l=[u'Undisclosed location 1'], krbprincipalname=[u'host/%s@%s' % (fqdn1, api.env.realm)], + managedby_host=[u'%s' % fqdn1], usercertificate=[base64.b64decode(servercert)], valid_not_before=u'Mon Aug 09 15:02:27 2010 UTC', valid_not_after=u'Sun Aug 09 15:02:27 2020 UTC', @@ -247,6 +255,7 @@ l=[u'Undisclosed location 1'], krbprincipalname=[u'host/%s@%s' % (fqdn1, api.env.realm)], has_keytab=False, + managedby_host=[u'%s' % fqdn1], usercertificate=[base64.b64decode(servercert)], valid_not_before=u'Mon Aug 09 15:02:27 2010 UTC', valid_not_after=u'Sun Aug 09 15:02:27 2020 UTC',
tests/test_xmlrpc/test_host_plugin.py.rej (END)

-------------- next part --------------
An HTML attachment was scrubbed...
URL:
From edewata at redhat.com Fri Nov 19 02:28:15 2010
From: edewata at redhat.com (Endi Sukma Dewata)
Date: Thu, 18 Nov 2010 20:28:15 -0600
Subject: [Freeipa-devel] [PATCH] admiyo-0095-removed-index.
In-Reply-To: <4CE5CF26.9040307@redhat.com>
References: <4CE5CF26.9040307@redhat.com>
Message-ID: <4CE5E0BF.5030308@redhat.com>

On 11/18/2010 7:13 PM, Adam Young wrote:
>

ACK and pushed to master.

-- 
Endi S. Dewata

From edewata at redhat.com Fri Nov 19 02:32:44 2010
From: edewata at redhat.com (Endi Sukma Dewata)
Date: Thu, 18 Nov 2010 20:32:44 -0600
Subject: [Freeipa-devel] admiyo-0096-add-button
In-Reply-To: <4CE48C2E.9080704@younglogic.com>
References: <4CE48C2E.9080704@younglogic.com>
Message-ID: <4CE5E1CC.8080507@redhat.com>

On 11/17/2010 8:15 PM, Adam Young wrote:
> https://fedorahosted.org/freeipa/ticket/471

ACK and pushed to master.

-- 
Endi S. Dewata

From edewata at redhat.com Fri Nov 19 02:33:58 2010
From: edewata at redhat.com (Endi Sukma Dewata)
Date: Thu, 18 Nov 2010 20:33:58 -0600
Subject: [Freeipa-devel] [PATCH] SUDO Rule Search and Details Pages
Message-ID: <4CE5E216.6000109@redhat.com>

Hi,

Please review the attached patch. Thanks!

The search and details pages for SUDO Rule have been added. Code that is shared with HBAC has been moved to rule.js.

The following methods were renamed for consistency:
- ipa_details_load() -> ipa_details_refresh()
- ipa_details_display() -> ipa_details_load()

The ipa_details_cache has been removed because the cache is now stored in each widget.

The index.xhtml has been removed. All references to it have been changed to index.html.

The Unselect All checkbox has been fixed. The unnecessary parameter 'container' has been removed.

The unit test has been updated and new test data has been added.

-- 
Endi S. Dewata
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-edewata-0033-SUDO-Rule-Search-and-Details-Pages.patch
Type: text/x-patch
Size: 95892 bytes
Desc: not available
URL:
From rcritten at redhat.com Fri Nov 19 03:04:26 2010
From: rcritten at redhat.com (Rob Crittenden)
Date: Thu, 18 Nov 2010 22:04:26 -0500
Subject: [Freeipa-devel] [PATCH] 608 Fix returning effective rights for password policy
In-Reply-To: <4CE5D41A.4080807@redhat.com>
References: <4CE552C2.2030609@redhat.com> <4CE5D41A.4080807@redhat.com>
Message-ID: <4CE5E93A.90403@redhat.com>

Adam Young wrote:
> On 11/18/2010 11:22 AM, Rob Crittenden wrote:
>> Password policy needs to update the class of service priority in
>> another entry. Include the CoS attribute when reporting rights.
>>
>> rob
>
> Can't seem to get it to work. Running in the lite server, I have
> confirmed that the patch is applied and run:
>
> curl -H "Content-Type:application/json" -H "Accept:applicaton/json"
> --negotiate -u : --cacert /etc/ipa/ca.crt -d
> '{"method":"pwpolicy_show","params":[["global_policy"],{"rights":1,
> "all":1}]}' -X POST http://localhost:8888/ipa/json | less
>
> as well as
>
> ./ipa pwpolicy-show global_policy --rights
>
> and
> ./ipa pwpolicy-show global_policy --rights --all
>
> But do not see rights.
>
> Which returns:
> ipa: ERROR: global_policy: entry not found
>
> Considering that I run
> ./ipa pwpolicy-find global_policy --rights --all
>
> and get
> ipa: error: no such option: --rights
>
> I am pretty sure that the patch is applied.

Looks like global_policy is still a bit of a special case. It has no priority because it is the default. Try with a regular group or without global_policy.

I didn't know you wanted rights with find. I can either add the special case in with a resubmission or push this and create a new task to fix that.

rob

From rcritten at redhat.com Fri Nov 19 03:06:27 2010
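The rights exchange in the two messages above (Adam's pwpolicy_show call with `"rights":1, "all":1` and Rob's reply) is about what a client does with the effective rights once the server reports them. The following is an added example, not FreeIPA code: it builds the JSON-RPC body in the shape of the curl command quoted above and then decides, field by field, whether a UI may offer an attribute for editing. It assumes the response's result carries an `attributelevelrights` dict mapping attribute name to the 389-ds effective-rights letters (r read, s search, c compare, w write, o obliterate); the sample response, including a `cospriority` value standing in for the CoS attribute Rob mentions, is constructed rather than captured. The deny-by-default choice (a field is editable only when `w` is explicitly present, and everything is read-only when the rights are missing) is the example's design decision.

```python
"""Decide UI editability from IPA's attributelevelrights (added example).

Not FreeIPA code.  Assumes the JSON-RPC request/response shape shown in
the thread; the sample response below is constructed, not captured.
"""
import json

# Constructed sample: what a pwpolicy_show with rights might return.
SAMPLE_RESPONSE = json.dumps({
    "result": {
        "result": {
            "cn": ["global_policy"],
            "krbminpwdlife": ["1"],
            "krbmaxpwdlife": ["90"],
            "cospriority": ["10"],          # CoS priority, constructed value
            "attributelevelrights": {
                "cn": "rsc",                # readable, not writable
                "krbminpwdlife": "rscwo",
                "krbmaxpwdlife": "rscwo",
                "cospriority": "rsc",       # lives in another entry; no write here
            },
        },
    },
    "error": None,
})

# Constructed: a response with no rights reported at all.
NO_RIGHTS_RESPONSE = json.dumps({"result": {"result": {"cn": ["x"]}}, "error": None})

# Constructed: the error shape for the "entry not found" case in the thread.
ERROR_RESPONSE = json.dumps({"result": None,
                             "error": {"code": 4001, "message": "global_policy: entry not found"}})


def build_request(method, args, rights=True, include_all=True):
    """JSON-RPC body in the shape the thread's curl command posts to /ipa/json."""
    options = {}
    if rights:
        options["rights"] = 1
    if include_all:
        options["all"] = 1
    return json.dumps({"method": method, "params": [list(args), options]})


def attribute_rights(response_text):
    """Return {attribute: rights-letters}; {} when the server reported none."""
    doc = json.loads(response_text)
    if doc.get("error"):
        raise RuntimeError("server error: %r" % doc["error"])
    result = (doc.get("result") or {}).get("result") or {}
    rights = result.get("attributelevelrights") or {}
    normalised = {}
    for attr, letters in rights.items():
        if isinstance(letters, list):       # tolerate list-wrapped values
            letters = "".join(letters)
        normalised[attr.lower()] = letters
    return normalised


def editable_fields(response_text, fields):
    """True only when 'w' is explicitly granted; unknown or missing => read-only."""
    rights = attribute_rights(response_text)
    return {field: "w" in rights.get(field.lower(), "") for field in fields}


def readable_fields(response_text, fields):
    """True when 'r' is granted; used to hide attributes rather than grey them out."""
    rights = attribute_rights(response_text)
    return {field: "r" in rights.get(field.lower(), "") for field in fields}
```

With this policy a server that omits `attributelevelrights` for an entry (Rob's global_policy special case, or an older server that ignores the `rights` option) produces an all-read-only form rather than one that lets the user attempt writes the server will reject.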
From: rcritten at redhat.com (Rob Crittenden) Date: Thu, 18 Nov 2010 22:06:27 -0500 Subject: [Freeipa-devel] [PATCH] 607 add managedby to hosts In-Reply-To: <4CE5DADB.8070906@redhat.com> References: <4CD99A30.2030705@redhat.com> <20101109145039.2b315e95@willson.li.ssimo.org> <4CDB132E.7060008@redhat.com> <4CE5A30D.5050602@redhat.com> <4CE5DADB.8070906@redhat.com> Message-ID: <4CE5E9B3.60003@redhat.com> Adam Young wrote: > On 11/18/2010 05:05 PM, Rob Crittenden wrote: >> Rob Crittenden wrote: >>> Simo Sorce wrote: >>>> On Tue, 09 Nov 2010 14:00:00 -0500 >>>> Rob Crittenden wrote: >>>> >>>>> + >>>>> + Add a host that can manage this host's keytab and certificate: >>>>> + ipa host-add-host --hosts=test2 test >>>>> """ >>>>> >>>> >>>> I do not want to nack, but looking at this command in isolation I am >>>> quite confused at what it is supposed to do (think ab out seeing it in >>>> a log file and wondering what it means w/o further context). >>>> >>>> What does it mean to add a host into a host (host-add-host) ? >>>> And which one is added to the other one ? test in test2 or test2 in >>>> test? >>>> >>>> I do not know if we can change names/syntax to make this more >>>> immediately understandable, but if we can I'd like to do that. >>>> Obscure/confusing syntaxes generally makes it easier to do mistakes, >>>> which are bad in a tool used to manage security. >>>> >>>> Simo. >>>> >>> >>> Switched to host-add-managedby and host-remove-managedby. >>> >> >> Re-based against tip. >> >> rob >> >> >> _______________________________________________ >> Freeipa-devel mailing list >> Freeipa-devel at redhat.com >> https://www.redhat.com/mailman/listinfo/freeipa-devel > Just tried to apply to master. am failed, and patch -p provided the > following rej: > > --- ipalib/plugins/host.py > +++ ipalib/plugins/host.py > @@ -101,6 +104,9 @@ > Flag('has_keytab', > label=_('Keytab'), > ), > + Str('managedby_host', > + label='Managed by', > + ), > Str('subject', > label=_('Subject'), > ), 
> @@ -453,6 +463,7 @@ > Display information about a host. > """ > has_output_params = LDAPRetrieve.has_output_params + host_output_params > + member_attributes = ['managedby'] > > def post_callback(self, ldap, dn, entry_attrs, *keys, **options): > if 'krblastpwdchange' in entry_attrs: > > > > > As well as > > --- tests/test_xmlrpc/test_host_plugin.py > +++ tests/test_xmlrpc/test_host_plugin.py > @@ -221,6 +228,7 @@ > fqdn=[fqdn1], > l=[u'Undisclosed location 1'], > krbprincipalname=[u'host/%s@%s' % (fqdn1, api.env.realm)], > + managedby_host=[u'%s' % fqdn1], > usercertificate=[base64.b64decode(servercert)], > valid_not_before=u'Mon Aug 09 15:02:27 2010 UTC', > valid_not_after=u'Sun Aug 09 15:02:27 2020 UTC', > @@ -247,6 +255,7 @@ > l=[u'Undisclosed location 1'], > krbprincipalname=[u'host/%s@%s' % (fqdn1, api.env.realm)], > has_keytab=False, > + managedby_host=[u'%s' % fqdn1], > usercertificate=[base64.b64decode(servercert)], > valid_not_before=u'Mon Aug 09 15:02:27 2010 UTC', > valid_not_after=u'Sun Aug 09 15:02:27 2020 UTC', > tests/test_xmlrpc/test_host_plugin.py.rej (END) > Can you try with patch 604 applied? rob From rcritten at redhat.com Fri Nov 19 04:11:51 2010 
From: rcritten at redhat.com (Rob Crittenden)
Date: Thu, 18 Nov 2010 23:11:51 -0500
Subject: [Freeipa-devel] [PATCH] 612 re-implimit permissions
Message-ID: <4CE5F907.1030607@redhat.com>

Re-implement access control using an updated model.

The new model is based on permissions, privileges and roles. Most importantly it corrects the reverse membership that caused problems in the previous implementation. You add permissions to privileges and privileges to roles, not the other way around (even though it works that way behind the scenes).

A permission object is a combination of a simple group and an aci. The linkage between the aci and the permission is the description of the permission. This shows as the name/description of the aci.

ldap:///self and groups granting groups (v1-style) are not supported by this model (it will be provided separately).

ticket 445

WARNING. The patch is humongous and changes a whole slew of stuff. It patches cleanly against the master right now but it is quite delicate, so the sooner this is reviewed (without pushing anything else) the better.

The self-tests all pass for me as well as some spot checking.

Also note that I currently define a single role and it has no privileges. We will need to fill that in soon.

rob
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-rcrit-612-permission.patch
Type: text/x-patch
Size: 223307 bytes
Desc: not available
URL:
From edewata at redhat.com Fri Nov 19 04:50:55 2010
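Rob's message above describes the model in three sentences; the following added example (not FreeIPA code, and not the content of the attached patch) makes them concrete. It models a permission as a group DN plus an ACI whose `acl` name is the permission's description, stores membership in the reversed direction the message says happens "behind the scenes" (adding a permission to a privilege records the privilege as a `member` of the permission group, adding a privilege to a role records the role as a member of the privilege), and then derives a user's effective ACIs by walking that nesting. The suffix, container DNs, ACI syntax and the in-memory directory are assumptions made for the example, as are the sample permissions, privilege, role and users.

```python
"""Permission -> privilege -> role layering (added example, not FreeIPA code).

DN layout, ACI syntax and the in-memory directory are assumptions.
"""
import re
from collections import defaultdict

SUFFIX = "dc=example,dc=com"            # assumption: directory suffix


def permission_dn(name):
    return "cn=%s,cn=permissions,cn=pbac,%s" % (name, SUFFIX)


def privilege_dn(name):
    return "cn=%s,cn=privileges,cn=pbac,%s" % (name, SUFFIX)


def role_dn(name):
    return "cn=%s,cn=roles,cn=accounts,%s" % (name, SUFFIX)


ACL_NAME_RE = re.compile(r'acl\s+"([^"]+)"')


class Permission:
    """A simple group (its DN) bound to one ACI through its description."""

    def __init__(self, name, description, rights, targetattrs):
        self.name = name
        self.description = description
        self.rights = tuple(rights)
        self.targetattrs = tuple(targetattrs)
        self.dn = permission_dn(name)

    def aci(self):
        # The acl name IS the permission description: that is the whole linkage.
        return ('(targetattr = "%s")(version 3.0; acl "%s"; allow (%s) '
                'groupdn = "ldap:///%s";)' % (" || ".join(self.targetattrs),
                                               self.description,
                                               ",".join(self.rights), self.dn))


class PbacStore:
    """Stand-in for the directory: a 'member' list per group DN."""

    def __init__(self):
        self.member = defaultdict(set)
        self.permissions = {}           # description -> Permission

    def add_permission(self, perm):
        self.permissions[perm.description] = perm

    # API direction "add permission to privilege"; stored on the permission group.
    def privilege_add_permission(self, privilege, permission_name):
        self.member[permission_dn(permission_name)].add(privilege_dn(privilege))

    # API direction "add privilege to role"; stored on the privilege group.
    def role_add_privilege(self, role, privilege):
        self.member[privilege_dn(privilege)].add(role_dn(role))

    def role_add_member(self, role, user_dn):
        self.member[role_dn(role)].add(user_dn)

    def groups_of(self, dn):
        """Transitive memberOf: every group whose member chain reaches dn."""
        found, stack = set(), [dn]
        while stack:
            current = stack.pop()
            for group, members in self.member.items():
                if current in members and group not in found:
                    found.add(group)
                    stack.append(group)
        return found

    def effective_acis(self, user_dn):
        """ACIs that apply to user_dn because a permission group contains it."""
        groups = self.groups_of(user_dn)
        return sorted(p.aci() for p in self.permissions.values() if p.dn in groups)

    def permission_for_aci(self, aci_text):
        """Resolve an ACI back to its permission via the acl name (description)."""
        match = ACL_NAME_RE.search(aci_text)
        return self.permissions.get(match.group(1)) if match else None


def demo_store():
    """Constructed sample: one role, one privilege, two permissions, two users."""
    store = PbacStore()
    store.add_permission(Permission("modify_users", "Modify Users", ["write"],
                                    ["givenname", "sn", "mail"]))
    store.add_permission(Permission("unlock_users", "Unlock Users", ["write"],
                                    ["nsaccountlock"]))
    store.privilege_add_permission("User Administrators", "modify_users")
    store.privilege_add_permission("User Administrators", "unlock_users")
    store.role_add_privilege("User Administrator", "User Administrators")
    store.role_add_member("User Administrator", "uid=alice,cn=users,cn=accounts," + SUFFIX)
    return store
```

Because the ACI's `groupdn` names the permission group and the role chain ends up nested inside it, removing a privilege from a role (deleting one `member` value) withdraws every ACI reachable through it in one step; the lookup through `permission_for_aci` is what an audit tool would use to map an ACI found on the server back to the permission object that owns it.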
From: edewata at redhat.com (Endi Sukma Dewata)
Date: Thu, 18 Nov 2010 22:50:55 -0600
Subject: [Freeipa-devel] [PATCH] Host Enrollment via OTP
Message-ID: <4CE6022F.2010508@redhat.com>

Hi,

Please review the attached patch. Thanks!

Support for host enrollment via one-time password has been added. When submitted, the OTP will be used to set the host's userpassword.

Previously each IPA command could only have one JSON test data file. The ipa_cmd() has been modified to accept an optional command name. When used with static files, it will pull the test data whose name is the same as the command name.

The batch.json has been renamed to ipa_init.json for UI initialization. Some test data have been added for operations against specific hosts.

-- 
Endi S. Dewata
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-edewata-0034-Host-Enrollment-via-OTP.patch
Type: text/x-patch
Size: 27268 bytes
Desc: not available
URL:
From edewata at redhat.com Fri Nov 19 05:35:54 2010
From: edewata at redhat.com (Endi Sukma Dewata)
Date: Thu, 18 Nov 2010 23:35:54 -0600
Subject: [Freeipa-devel] [PATCH] Sample data for service provisioning
Message-ID: <4CE60CBA.4090309@redhat.com>

Hi,

Please review the attached patch. Thanks!

-- 
Endi S. Dewata
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-edewata-0035-Sample-data-for-service-provisioning.patch
Type: text/x-patch
Size: 3463 bytes
Desc: not available
URL:
From edewata at redhat.com Fri Nov 19 06:00:07 2010
From: edewata at redhat.com (Endi Sukma Dewata)
Date: Fri, 19 Nov 2010 00:00:07 -0600
Subject: [Freeipa-devel] [PATCH] Use radio buttons for HBAC rule type
Message-ID: <4CE61267.8090501@redhat.com>

Hi,

Please review the attached patch. Thanks!

To be consistent with the details page, the rule type in the HBAC add dialog box has been converted into radio buttons.

-- 
Endi S. Dewata
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-edewata-0036-Use-radio-buttons-for-HBAC-rule-type.patch
Type: text/x-patch
Size: 2615 bytes
Desc: not available
URL:
From sgallagh at redhat.com Fri Nov 19 11:33:40 2010
From: sgallagh at redhat.com (Stephen Gallagher) Date: Fri, 19 Nov 2010 06:33:40 -0500 Subject: [Freeipa-devel] Proposed changes to the HBAC grammar In-Reply-To: <4CE5B3E1.7040100@redhat.com> References: <4CE4440C.4030400@redhat.com> <20101117163114.13724d40@willson.li.ssimo.org> <4CE44E50.1020300@redhat.com> <4CE5178B.4050402@redhat.com> <4CE538CE.10009@redhat.com> <4CE5395B.7050803@redhat.com> <4CE53E75.8000500@redhat.com> <4CE59453.6020103@redhat.com> <4CE596E1.8020007@redhat.com> <4CE5A841.7000509@redhat.com> <4CE5ABCB.6070807@redhat.com> <4CE5B3E1.7040100@redhat.com> Message-ID: <4CE66094.4020505@redhat.com> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 On 11/18/2010 06:16 PM, Dmitri Pal wrote: > Adam Young wrote: >> On 11/18/2010 05:27 PM, Dmitri Pal wrote: >>> Adam Young wrote: >>> >>>> On 11/18/2010 04:02 PM, Stephen Gallagher wrote: >>>> On 11/18/2010 09:55 AM, Dmitri Pal wrote: >>>> >>>> >>>>>>> Steve can you summarize where we are and what we agreed to, >>>>>>> >>>> please, and >>>> >>>>>>> identify the questions that we need to answer. >>>>>>> >>>>>>> >>>> Simo, Adam and I had a long discussion on IRC regarding the time rules >>>> today (complete log attached). >>>> >>>> The short version is that we're going to continue (mostly) with the >>>> current grammar for the time rules, with a few changes. >>>> >>>> 1) We need to replace week-of-the-month with day-of-the-septet. This >>>> day >>>> should not be a range or multi-valued to eliminate confusion >>>> 2) We need to replace the time range with a duration >>>> 3) We should add startDate and endDate as attributes on the HBAC object >>>> (separate from the accessTime). I propose these should be in LDAP >>>> generalizedTime so that it's possible to construct filters around them. >>>> This effectively sets the beginning and end of a periodic schedule. >>>> >>>> >>>> >>>>> OK, just please stop calling it septet. I think Drums, Bass, Piano, >>>>> >>>> 2 Saxes, Trumpet, Trombone Jazz combo when I hear that. 
It is like >>>> octet versus byte....it means the same thing, and just annoys people. >>>> >>>> >>>>> What you really want is to call it week-of-the-month as opposed to >>>>> >>>> week. I realize that is more verbose, but we don't sound like >>>> smarty-pants. >>>> >>>> >>>> >>>> >>>> I've drawn up a new grammar definition and published it to the SSSD >>>> wiki >>>> (not currently linked from anywhere): >>>> https://fedorahosted.org/sssd/wiki/HBAC_Grammar >>>> >>>> Please review and give feedback. >>>> >>>> >>>> >>> I thought that first septet is the first seven days of the month based >>> on earlier mails from Steven. Is this a true statement? >>> The whole issue started with ambiguity of the notion of the "N-th week" >>> of the month. >>> What is it the week-of-the-month? Is it the first seven days regardless of what >>> day of the week is the first day of the month (this is what I thought a >>> septet is) or the first full week from Monday to Sunday or from Sunday to >>> Saturday, or is it the first, usually partial, week? This is the ambiguity >>> that we want to avoid! >>> >>> If the septet is what I think it is then we can't name it the >>> week-of-the-month and IMO septet is a good term here. However then there >>> is a bug in grammar as septet can be only 1-5 not 1-6. >>> >> >> OK, if this is really what is driving the grammar, I'm going to have >> to NACK. >> >> Let's make something that is intelligible. We don't want to be >> inventing concepts like Septet. Or Septave, since 8 days is already >> called an octave. >> >> Here's the Cron line that Steve posted before. It represents the >> first Wednesday of the month. >> >> 0 8 1-7 * 3 >> >> >> Let's keep the concept of week, starting on Sunday, add in the concept >> of day of the month, and mix the two together. >> >> Does the current grammar (pre-septet) support that? Something like: >> >> accessTime: periodic monthly between day 1-7 wednesday >> No, it does not.
That's the specific reason for introducing septet, to add this support. However, you make an interesting point. Perhaps we could introduce a more generic term than septet to allow the above. Though I think user comprehension would be made easier if we turned the construct into something closer to: accessTime: periodic monthly Wed between day 1-7 Though for the parser, I think it would be best to have a delimiter between Monthly and Wed. I'm open to suggestions for what makes sense, though. "encompass"? "inclusive"? "position"? >> > > It does not support this. > It requires specifying either a week of the month after "monthly" and > then a day within a week (as numbers or the letter day names) or a set of > numbers representing days or ranges of days within the month. > You can't with the existing schema unambiguously define "first Wednesday of > the month" without the proposed "septet" changes. > - -- Stephen Gallagher RHCE 804006346421761 Delivering value year after year. Red Hat ranks #1 in value among software vendors. http://www.redhat.com/promo/vendor/ -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.11 (GNU/Linux) Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org/ iEYEARECAAYFAkzmYI8ACgkQeiVVYja6o6N6nACfeoqLtaVfLQo8P9V+HeUgObfp dr4AnjK5+NlPAFFFW5JiP74HFEzZ/gGK =s+6m -----END PGP SIGNATURE----- From jhrozek at redhat.com Fri Nov 19 12:41:09 2010
From: jhrozek at redhat.com (Jakub Hrozek) Date: Fri, 19 Nov 2010 13:41:09 +0100 Subject: [Freeipa-devel] [SSSD] Proposed changes to the HBAC grammar In-Reply-To: <20101118151702.7e9dc216@willson.li.ssimo.org> References: <4CE4440C.4030400@redhat.com> <20101117214815.GK2973@localhost.localdomain> <4CE51A30.1040702@redhat.com> <20101118082447.23f6052f@willson.li.ssimo.org> <4CE544FA.3060000@redhat.com> <20101118151702.7e9dc216@willson.li.ssimo.org> Message-ID: <20101119124108.GC5619@zeppelin.brq.redhat.com> On Thu, Nov 18, 2010 at 03:17:02PM -0500, Simo Sorce wrote: > On Thu, 18 Nov 2010 16:23:38 +0100 > Jakub Hrozek wrote: > > > -----BEGIN PGP SIGNED MESSAGE----- > > Hash: SHA1 > > > > On 11/18/2010 02:24 PM, Simo Sorce wrote: > > > On Thu, 18 Nov 2010 07:21:04 -0500 > > > Stephen Gallagher wrote: > > > > > >> Doing the forward septets is easy (1*x..7*x), but the reverse > > >> septets are more complicated (since they would be (y-1*x..y-7*x), > > >> where y is the total number of days in the month (which also has > > >> to account for leap years). > > >> > > >> I think it might be a nice enhancement, but I recommend that we not > > >> include it right now, given the tight release schedule for FreeIPA > > >> v2. > > > > > > As I said before it is a now or never condition. > > > If you do not put it in now, then when you put it in, old clients > > > will not understand the rule. And they will have only one option, > > > always deny access, because they have no way to understand when it > > > is ok to allow/deny it. > > > > > > Simo. > > > > > > > In that case, should we have some version identifier, too? In case we > > identify some flaw later on and need to change the format once again. > > And what should a client do when it finds a version it does not > understand ? > > Simo. > At least log it. 
If the client finds a HBAC rule it does not understand it would just error out (which is the better case, what if the syntax in the new version was the same but semantics not?) From sbose at redhat.com Fri Nov 19 12:49:24 2010 
From: sbose at redhat.com (Sumit Bose) Date: Fri, 19 Nov 2010 13:49:24 +0100 Subject: [Freeipa-devel] Proposed changes to the HBAC grammar In-Reply-To: <4CE5A841.7000509@redhat.com> References: <4CE4440C.4030400@redhat.com> <20101117163114.13724d40@willson.li.ssimo.org> <4CE44E50.1020300@redhat.com> <4CE5178B.4050402@redhat.com> <4CE538CE.10009@redhat.com> <4CE5395B.7050803@redhat.com> <4CE53E75.8000500@redhat.com> <4CE59453.6020103@redhat.com> <4CE596E1.8020007@redhat.com> <4CE5A841.7000509@redhat.com> Message-ID: <20101119124924.GT2973@localhost.localdomain> On Thu, Nov 18, 2010 at 05:27:13PM -0500, Dmitri Pal wrote: > Adam Young wrote: > > On 11/18/2010 04:02 PM, Stephen Gallagher wrote: > > On 11/18/2010 09:55 AM, Dmitri Pal wrote: > > > > >>> Steve can you summarize where we are and what we agreed to, > > please, and > > >>> identify the questions that we need to answer. > > >>> > > > > Simo, Adam and I had a long discussion on IRC regarding the time rules > > today (complete log attached). > > > > The short version is that we're going to continue (mostly) with the > > current grammar for the time rules, with a few changes. > > > > 1) We need to replace week-of-the-month with day-of-the-septet. This day > > should not be a range or multi-valued to eliminate confusion > > 2) We need to replace the time range with a duration > > 3) We should add startDate and endDate as attributes on the HBAC object > > (separate from the accessTime). I propose these should be in LDAP > > generalizedTime so that it's possible to construct filters around them. > > This effectively sets the beginning and end of a periodic schedule. > > > > > > > OK, just please stop calling it septet. I think Drums, Bass, Piano, > > 2 Saxes, Trumpet, Trombone Jazz combo when I hear that. It is like > > octet versus byte....it means the same thing, and just annoys people. > > > > > What you really want is to call it week-of-the-month as opposed to > > week.
I realize that is more verbose, but we don't sound like > > smarty-pants. > > > > > > > > > > I've drawn up a new grammar definition and published it to the SSSD wiki > > (not currently linked from anywhere): > > https://fedorahosted.org/sssd/wiki/HBAC_Grammar > > > > Please review and give feedback. > > > > > I thought that first septet is the first seven days of the month based > on earlier mails from Steven. Is this a true statement? > The whole issue started with ambiguity of the notion of the "N-th week" > of the month. > What is it the week-of-the-month? Is it the first seven days regardless of what > day of the week is the first day of the month (this is what I thought a > septet is) or the first full week from Monday to Sunday or from Sunday to > Saturday, or is it the first, usually partial, week? This is the ambiguity > that we want to avoid! > > If the septet is what I think it is then we can't name it the > week-of-the-month and IMO septet is a good term here. However then there > is a bug in grammar as septet can be only 1-5 not 1-6. > if I understand the septets correctly the 5th septet will cover days 29-35. When will you need the 6th? bye, Sumit > > >> > >> > _______________________________________________ > Freeipa-devel mailing list > Freeipa-devel at redhat.com > https://www.redhat.com/mailman/listinfo/freeipa-devel > > > > ------------------------- > > > _______________________________________________ > > Freeipa-devel mailing list > > Freeipa-devel at redhat.com > > https://www.redhat.com/mailman/listinfo/freeipa-devel > > > -- > Thank you, > Dmitri Pal > > Sr. Engineering Manager IPA project, > Red Hat Inc. > > > ------------------------------- > Looking to carve out IT costs? > www.redhat.com/carveoutcosts/ > > _______________________________________________ > Freeipa-devel mailing list > Freeipa-devel at redhat.com > https://www.redhat.com/mailman/listinfo/freeipa-devel From sgallagh at redhat.com Fri Nov 19 13:10:13 2010
From: sgallagh at redhat.com (Stephen Gallagher) Date: Fri, 19 Nov 2010 08:10:13 -0500 Subject: [Freeipa-devel] Proposed changes to the HBAC grammar In-Reply-To: <20101119124924.GT2973@localhost.localdomain> References: <4CE4440C.4030400@redhat.com> <20101117163114.13724d40@willson.li.ssimo.org> <4CE44E50.1020300@redhat.com> <4CE5178B.4050402@redhat.com> <4CE538CE.10009@redhat.com> <4CE5395B.7050803@redhat.com> <4CE53E75.8000500@redhat.com> <4CE59453.6020103@redhat.com> <4CE596E1.8020007@redhat.com> <4CE5A841.7000509@redhat.com> <20101119124924.GT2973@localhost.localdomain> Message-ID: <4CE67735.6060302@redhat.com> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 On 11/19/2010 07:49 AM, Sumit Bose wrote: > On Thu, Nov 18, 2010 at 05:27:13PM -0500, Dmitri Pal wrote: >> Adam Young wrote: >>> On 11/18/2010 04:02 PM, Stephen Gallagher wrote: >>> On 11/18/2010 09:55 AM, Dmitri Pal wrote: >>> >>>>>> Steve can you summarize where we are and what we agreed to, >>> please, and >>>>>> identify the questions that we need to answer. >>>>>> >>> >>> Simo, Adam and I had a long discussion on IRC regarding the time rules >>> today (complete log attached). >>> >>> The short version is that we're going to continue (mostly) with the >>> current grammar for the time rules, with a few changes. >>> >>> 1) We need to replace week-of-the-month with day-of-the-septet. This day >>> should not be a range or multi-valued to eliminate confusion >>> 2) We need to replace the time range with a duration >>> 3) We should add startDate and endDate as attributes on the HBAC object >>> (separate from the accessTime). I propose these should be in LDAP >>> generalizedTime so that it's possible to construct filters around them. >>> This effectively sets the beginning and end of a periodic schedule. >>> >>> >>>> OK, just please stop calling it septet. I think Drums, Bass, Piano, >>> 2 Saxes, Trumpet, Trombone Jazz combo when I hear that. 
It is like >>> octet versus byte....it means the same thing, and just annoys people. >>> >>>> What you really want is to call it week-of-the-month as opposed to >>> week. I realize that is more verbose, but we don't sound like >>> smarty-pants. >>> >>> >>> >>> >>> I've drawn up a new grammar definition and published it to the SSSD wiki >>> (not currently linked from anywhere): >>> https://fedorahosted.org/sssd/wiki/HBAC_Grammar >>> >>> Please review and give feedback. >>> >>> >> I thought that first septet is the first seven days of the month based >> on earlier mails from Steven. Is this a true statement? >> The whole issue started with ambiguity of the notion of the "N-th week" >> of the month. >> What is it the week-of-the-month? Is it the first seven days regardless of what >> day of the week is the first day of the month (this is what I thought a >> septet is) or the first full week from Monday to Sunday or from Sunday to >> Saturday, or is it the first, usually partial, week? This is the ambiguity >> that we want to avoid! >> >> If the septet is what I think it is then we can't name it the >> week-of-the-month and IMO septet is a good term here. However then there >> is a bug in grammar as septet can be only 1-5 not 1-6. >> > > if I understand the septets correctly the 5th septet will cover days > 29-35. When will you need the 6th? > Dmitri is correct. That was a typo on my part. I've fixed that on the wiki page now. - -- Stephen Gallagher RHCE 804006346421761 Delivering value year after year. Red Hat ranks #1 in value among software vendors. http://www.redhat.com/promo/vendor/ -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.11 (GNU/Linux) Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org/ iEYEARECAAYFAkzmdzUACgkQeiVVYja6o6MxKwCgll4QvAq9TlQoDmEkjvGwWpsm 5tQAoJK1iPMj+QuTD2GJVQETbyqpuQpO =HFwW -----END PGP SIGNATURE----- From ssorce at redhat.com Fri Nov 19 14:11:08 2010
From: ssorce at redhat.com (Simo Sorce) Date: Fri, 19 Nov 2010 09:11:08 -0500 Subject: [Freeipa-devel] [SSSD] Proposed changes to the HBAC grammar In-Reply-To: <20101119124108.GC5619@zeppelin.brq.redhat.com> References: <4CE4440C.4030400@redhat.com> <20101117214815.GK2973@localhost.localdomain> <4CE51A30.1040702@redhat.com> <20101118082447.23f6052f@willson.li.ssimo.org> <4CE544FA.3060000@redhat.com> <20101118151702.7e9dc216@willson.li.ssimo.org> <20101119124108.GC5619@zeppelin.brq.redhat.com> Message-ID: <20101119091108.64c69123@willson.li.ssimo.org> On Fri, 19 Nov 2010 13:41:09 +0100 Jakub Hrozek wrote: > On Thu, Nov 18, 2010 at 03:17:02PM -0500, Simo Sorce wrote: > > On Thu, 18 Nov 2010 16:23:38 +0100 > > Jakub Hrozek wrote: > > > > > -----BEGIN PGP SIGNED MESSAGE----- > > > Hash: SHA1 > > > > > > On 11/18/2010 02:24 PM, Simo Sorce wrote: > > > > On Thu, 18 Nov 2010 07:21:04 -0500 > > > > Stephen Gallagher wrote: > > > > > > > >> Doing the forward septets is easy (1*x..7*x), but the reverse > > > >> septets are more complicated (since they would be > > > >> (y-1*x..y-7*x), where y is the total number of days in the > > > >> month (which also has to account for leap years). > > > >> > > > >> I think it might be a nice enhancement, but I recommend that > > > >> we not include it right now, given the tight release schedule > > > >> for FreeIPA v2. > > > > > > > > As I said before it is a now or never condition. > > > > If you do not put it in now, then when you put it in, old > > > > clients will not understand the rule. And they will have only > > > > one option, always deny access, because they have no way to > > > > understand when it is ok to allow/deny it. > > > > > > > > Simo. > > > > > > > > > > In that case, should we have some version identifier, too? In > > > case we identify some flaw later on and need to change the format > > > once again. > > > > And what should a client do when it finds a version it does not > > understand ? > > > > Simo. 
> > > > At least log it. If the client finds a HBAC rule it does not > understand it would just error out (which is the better case, what if > the syntax in the new version was the same but semantics not?) Exactly. So as soon as you store a new rule all machines with the older client will start refusing every access ... not a good idea imo. Simo. -- Simo Sorce * Red Hat, Inc * New York From ayoung at redhat.com Fri Nov 19 14:15:15 2010 
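The month-position rules argued over in the messages above (septets, the cron line for "first Wednesday of the month", reverse septets that need the month length, and Simo's point that a client must deny rather than guess when it meets a rule it does not understand) can be made concrete. The block below is an added example written for this page; it is not FreeIPA or SSSD code. The small rule syntax it parses ("v1 monthly septet 1 wed", "v1 monthly rseptet 1 fri") is invented here to carry the thread's ideas and is not the grammar published on the SSSD wiki, and the November 2010 dates are constructed test data. It also records a cron caveat the thread does not mention: POSIX cron ORs the day-of-month and day-of-week fields when both are restricted, so the literal line `0 8 1-7 * 3` fires more often than "first Wednesday".

```python
"""Month-position time rules: septets versus 'week of the month'.

Added example, not FreeIPA or SSSD code. The rule syntax evaluated here
("v1 monthly septet 1 wed", "v1 monthly rseptet 1 fri") is invented for
this example to illustrate the thread's ideas; it is NOT the grammar
published on the SSSD wiki.
"""
import calendar
import datetime as dt
import re

# Monday=0 ... Sunday=6, the same numbering as datetime.date.weekday()
WEEKDAYS = {"mon": 0, "tue": 1, "wed": 2, "thu": 3, "fri": 4, "sat": 5, "sun": 6}

RULE_RE = re.compile(
    r"v(?P<version>\d+)\s+monthly\s+(?P<kind>septet|rseptet)\s+"
    r"(?P<n>\d)\s+(?P<wd>mon|tue|wed|thu|fri|sat|sun)"
)


def septet_of(day_of_month):
    """1-based septet of a day: 1-7 -> 1, 8-14 -> 2, ..., 29-31 -> 5.

    A septet is a fixed block of seven days counted from the 1st, so it does
    not depend on the weekday the month starts on, and five blocks always
    cover a month (which is why the grammar needs 1-5, not 1-6).
    """
    return (day_of_month - 1) // 7 + 1


def reverse_septet_of(date):
    """1-based septet counted back from the last day of the month.

    Unlike the forward case this needs the month length (28/29/30/31, leap
    years included), the extra complexity the thread mentions.
    """
    month_len = calendar.monthrange(date.year, date.month)[1]
    return (month_len - date.day) // 7 + 1


def week_of_month_sunday_start(date):
    """'Week of the month' with Sunday-start weeks and a partial first week.

    Included only to expose the ambiguity: this numbering disagrees with
    septet_of() whenever the 1st is not a Sunday.
    """
    first_offset = (dt.date(date.year, date.month, 1).weekday() + 1) % 7  # Sun=0..Sat=6
    return (date.day + first_offset - 1) // 7 + 1


def in_day_range_and_weekday(date, lo, hi, weekday):
    """Day-of-month range AND weekday; (1, 7, WEEKDAYS['wed']) is 'first Wednesday'.

    This is the conjunction the cron line '0 8 1-7 * 3' in the thread was
    meant to express. Caveat: POSIX cron ORs day-of-month and day-of-week
    when both are restricted, so that literal crontab entry also fires on
    every Wednesday of the month.
    """
    return lo <= date.day <= hi and date.weekday() == weekday


def rule_allows(rule, date):
    """Evaluate one rule string against a date, failing closed.

    Anything the evaluator cannot parse, including a grammar version it does
    not know, denies access: an older client must never guess what a newer
    rule means.
    """
    m = RULE_RE.fullmatch(rule.strip().lower())
    if m is None:
        return False  # unparseable rule -> deny
    if m.group("version") != "1":
        return False  # unknown grammar version -> deny
    n = int(m.group("n"))
    if not 1 <= n <= 5:
        return False  # septets are numbered 1-5 only
    if date.weekday() != WEEKDAYS[m.group("wd")]:
        return False
    if m.group("kind") == "septet":
        return septet_of(date.day) == n
    return reverse_septet_of(date) == n


if __name__ == "__main__":
    # Constructed dates: November 2010 starts on a Monday.
    print(rule_allows("v1 monthly septet 1 wed", dt.date(2010, 11, 3)))    # True
    print(rule_allows("v1 monthly septet 1 wed", dt.date(2010, 11, 10)))   # False
    print(rule_allows("v1 monthly rseptet 1 fri", dt.date(2010, 11, 26)))  # True (last Friday)
    print(rule_allows("v2 monthly septet 1 wed", dt.date(2010, 11, 3)))    # False (unknown version)
    # 7 Nov 2010 is a Sunday: septet 1, but week 2 under Sunday-start counting.
    print(septet_of(7), week_of_month_sunday_start(dt.date(2010, 11, 7)))  # 1 2
```

rule_allows() returns False for anything it cannot parse and for any version it does not know, which is the fail-closed behaviour the thread settles on for older clients; week_of_month_sunday_start() exists only to show the ambiguity Dmitri describes, since 7 November 2010 is in septet 1 but counts as "week 2" once weeks start on Sunday and the partial first week is week 1.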
From: ayoung at redhat.com (Adam Young) Date: Fri, 19 Nov 2010 09:15:15 -0500 Subject: [Freeipa-devel] [PATCH] 608 Fix returning effective rights for password policy In-Reply-To: <4CE5E93A.90403@redhat.com> References: <4CE552C2.2030609@redhat.com> <4CE5D41A.4080807@redhat.com> <4CE5E93A.90403@redhat.com> Message-ID: <4CE68673.1020900@redhat.com> On 11/18/2010 10:04 PM, Rob Crittenden wrote: > Adam Young wrote: >> On 11/18/2010 11:22 AM, Rob Crittenden wrote: >>> Password policy needs to update the class of service priority in >>> another entry. Include the CoS attribute when reporting rights. >>> >>> rob >>> >>> >>> _______________________________________________ >>> Freeipa-devel mailing list >>> Freeipa-devel at redhat.com >>> https://www.redhat.com/mailman/listinfo/freeipa-devel >> Can't seem to get it to work. Running in the lite server, I have >> confirmed that the patch is applied and run: >> >> curl -H "Content-Type:application/json" -H "Accept:application/json" >> --negotiate -u : --cacert /etc/ipa/ca.crt -d >> '{"method":"pwpolicy_show","params":[["global_policy"],{"rights":1, >> "all":1}]}' -X POST http://localhost:8888/ipa/json | less >> >> >> as well as >> >> ./ipa pwpolicy-show global_policy --rights >> >> and >> ./ipa pwpolicy-show global_policy --rights --all >> >> But do not see rights. >> >> Which returns: >> ipa: ERROR: global_policy: entry not found >> >> >> >> Considering that I run >> ./ipa pwpolicy-find global_policy --rights --all >> >> and get >> ipa: error: no such option: --rights >> >> >> I am pretty sure that the patch is applied. > > Looks like global_policy is still a bit of a special case. It has no > priority because it is the default. Try with a regular group or > without global_policy. It needs to be there for all groups. If it doesn't work with global_policy, the webUI will be broken. > > I didn't know you wanted rights with find. I don't. It was just making sure I was testing the right thing.
> > I can either add the special case in with a resubmission or push this > and create a new task to fix that. > > rob From rcritten at redhat.com Fri Nov 19 14:37:50 2010 From: rcritten at redhat.com (Rob Crittenden) Date: Fri, 19 Nov 2010 09:37:50 -0500 Subject: [Freeipa-devel] [PATCH] 613 fix build errors Message-ID: <4CE68BBE.1040802@redhat.com> The rename of index.xhtml to index.html was causing a build failure. I've pushed the attached patch to fix it. rob -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-rcrit-613-build.patch Type: text/x-patch Size: 1163 bytes Desc: not available URL: From jhrozek at redhat.com Fri Nov 19 15:21:14 2010 
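The pwpolicy_show exchange above turns on whether attributelevelrights comes back for every attribute the web UI lets an administrator edit. As an added example (not FreeIPA code), the block below builds the same JSON-RPC request Adam posted, evaluates a constructed reply, and applies a default-deny rule: an attribute is editable only when the server explicitly reports write permission for it, so a hole in rights reporting shows up as a disabled field rather than as a permission. Assumptions: the rights letters follow the 389-ds effective-rights convention (only 'w', write, is relied on), `cospriority` stands in for the CoS priority attribute the patch adds, and the sample reply is made up.

```python
"""Field writability from attributelevelrights, failing closed.

Added example, not FreeIPA code. Builds the JSON-RPC request from the
thread (pwpolicy_show with "rights": 1, "all": 1) and evaluates a
CONSTRUCTED reply. Assumes the 389-ds effective-rights letters, of which
only 'w' (write) is relied on here; 'cospriority' is assumed to be the
CoS priority attribute the patch adds to the reported rights.
"""
import json


def build_rights_request(method, primary_key):
    """JSON-RPC body that asks the server to include attributelevelrights."""
    return json.dumps({"method": method,
                       "params": [[primary_key], {"rights": 1, "all": 1}]})


# Constructed reply: the server reported rights for two attributes but
# not for cn or cospriority, the kind of coverage hole the thread is after.
SAMPLE_RESPONSE = json.loads("""{
  "result": {"result": {
    "cn": ["global_policy"],
    "krbminpwdlife": ["1"],
    "krbmaxpwdlife": ["90"],
    "cospriority": ["0"],
    "attributelevelrights": {
      "krbminpwdlife": "rscwo",
      "krbmaxpwdlife": "rsc"
    }
  }},
  "error": null
}""")


def field_is_writable(entry, attr):
    """True only when the server explicitly grants 'w' on attr.

    No attributelevelrights at all, no entry for attr, or rights without
    'w' all yield read-only. Defaulting to 'editable' would let a gap in
    rights reporting pose as a permission.
    """
    rights = entry.get("attributelevelrights")
    if not isinstance(rights, dict):
        return False
    return "w" in rights.get(attr, "")


def attributes_without_rights(entry):
    """Attributes the reply carries but reports no rights for.

    These are the fields a rights-driven UI will show read-only; listing
    them is how the missing coverage gets found and fixed server-side.
    """
    rights = entry.get("attributelevelrights") or {}
    return sorted(a for a in entry if a != "attributelevelrights" and a not in rights)


if __name__ == "__main__":
    print(build_rights_request("pwpolicy_show", "global_policy"))
    entry = SAMPLE_RESPONSE["result"]["result"]
    for attr in ("krbminpwdlife", "krbmaxpwdlife", "cospriority"):
        print(attr, "writable" if field_is_writable(entry, attr) else "read-only")
    print("no rights reported for:", attributes_without_rights(entry))
```

attributes_without_rights() is the diagnostic the thread asks for: with default-deny in place, the attributes it lists are exactly the ones that will be wrongly read-only in the UI until the server reports rights for them.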
From: jhrozek at redhat.com (Jakub Hrozek) Date: Fri, 19 Nov 2010 16:21:14 +0100 Subject: [Freeipa-devel] [PATCH] 593 fix group objectclasses on detach In-Reply-To: <4CE5AAC0.3010802@redhat.com> References: <4CCEE604.6090700@redhat.com> <20101118160058.GA26817@zeppelin.brq.redhat.com> <4CE562A9.7010700@redhat.com> <4CE5AAC0.3010802@redhat.com> Message-ID: <20101119152113.GA25987@zeppelin.brq.redhat.com> On Thu, Nov 18, 2010 at 05:37:52PM -0500, Rob Crittenden wrote: > Rob Crittenden wrote: > >Jakub Hrozek wrote: > >>On Mon, Nov 01, 2010 at 12:08:36PM -0400, Rob Crittenden wrote: > >>>Make sure a detached group has the default list of objectclasses. > >>>ipaUniqueId is handled by the new uuid plugin. > >>> > >>>https://fedorahosted.org/freeipa/ticket/250 > >>> > >>>rob > >> > >>I haven't fully tested the patch yet, but this caught my attention: > >> > >>>+ (group_dn, group_attrs) = ldap.get_entry(group_dn) > >>>+ is_managed = self.obj.has_objectclass(group_attrs['objectclass'], '') > >> > >>I think that is_managed is guaranteed to be False in this case, since > >>has_objectclass would do: > >> > >>return '' in group_attrs['objectclass'] > > > >Gah! Good catch, that should be mepManagedBy. Can you fix this and > >continue testing? > > > >rob > > I rebased this and fixed this error (I rebased it with patches 604 and > 607 on my tree in case that makes a difference). > > To test this do: > > # ipa user-add --first=Tim --last=User tuser > # ipa group-show tuser --all > [ note the objectclasses ] > # ipa group-detach tuser > # ipa group-show --all tuser > > It should now be a full POSIX group with an ipaUniqueId and a full > set of objectclass. You should be able to add a user to it. > > # ipa group-add-member --users=tuser tuser > > rob Ack (before applying and pushing please note that as Rob notes above, this must be applied on top of his patches 604 and 607) Jakub From jhrozek at redhat.com Fri Nov 19 15:23:52 2010
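Jakub's catch in the review above, that `has_objectclass(group_attrs['objectclass'], '')` can only ever return False, is the kind of sentinel bug that silently turns a security-relevant branch into dead code: a managed group would never be recognised as managed, so the detach path would never run its cleanup. The block below is an added example, not FreeIPA's group plugin. It shows a case-insensitive objectclass test that refuses an empty name, and a detach step that drops the managed-entry linkage and fills in a default objectclass list without duplicates. Assumptions: the 389-ds managed entries plugin marks a managed group with the `mepManagedEntry` objectclass, which carries the `mepManagedBy` attribute the thread names; DEFAULT_GROUP_OBJECTCLASSES is this example's own list, not FreeIPA's; the DN in the sample entry is made up.

```python
"""Managed-group detection and detach, after the patch-593 review.

Added example, not FreeIPA's group plugin. Assumes the 389-ds managed
entries plugin marks a managed group with objectclass mepManagedEntry and
the attribute mepManagedBy; the default objectclass list below is this
example's own.
"""

# This example's assumption of what a 'full POSIX group' should carry.
DEFAULT_GROUP_OBJECTCLASSES = [
    "top", "groupofnames", "nestedgroup", "ipausergroup", "ipaobject", "posixgroup",
]

MANAGED_OBJECTCLASS = "mepManagedEntry"
MANAGED_LINK_ATTR = "mepManagedBy"


def has_objectclass(objectclasses, name):
    """Case-insensitive objectClass membership test.

    LDAP objectClass values compare case-insensitively, so 'groupOfNames'
    and 'groupofnames' must match. An empty name is rejected outright: the
    review caught a call passing '' which made the check always False.
    """
    if not name:
        raise ValueError("objectclass name must not be empty")
    wanted = name.lower()
    return any(oc.lower() == wanted for oc in objectclasses)


def is_managed(group_attrs):
    """A group is managed when it carries the managed-entry objectclass."""
    return has_objectclass(group_attrs.get("objectclass", []), MANAGED_OBJECTCLASS)


def detach(group_attrs):
    """Return a new attribute dict for the detached group.

    Drops the managed-entry objectclass and its link attribute, then adds
    any default objectclass that is missing (compared case-insensitively,
    so nothing is duplicated). ipaUniqueId is left to the server-side uuid
    plugin, as the thread says.
    """
    if not is_managed(group_attrs):
        raise ValueError("group is not a managed entry; nothing to detach")
    ocs = [oc for oc in group_attrs["objectclass"]
           if oc.lower() != MANAGED_OBJECTCLASS.lower()]
    present = {oc.lower() for oc in ocs}
    ocs += [oc for oc in DEFAULT_GROUP_OBJECTCLASSES if oc.lower() not in present]
    detached = dict(group_attrs)
    detached["objectclass"] = ocs
    detached.pop(MANAGED_LINK_ATTR, None)
    return detached


if __name__ == "__main__":
    # Constructed entry for a user-private group managed from a user entry.
    tuser_group = {
        "cn": ["tuser"],
        "objectclass": ["top", "groupOfNames", "mepManagedEntry"],
        "mepManagedBy": ["uid=tuser,cn=users,cn=accounts,dc=example,dc=com"],
    }
    print(is_managed(tuser_group))                 # True
    print(sorted(detach(tuser_group)["objectclass"], key=str.lower))
```

The input dict is never mutated; detach() returns the attributes to write back, so a caller can diff them against the original to build the LDAP modify operation and can still decide to refuse if anything unexpected changed.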
From: jhrozek at redhat.com (Jakub Hrozek) Date: Fri, 19 Nov 2010 16:23:52 +0100 Subject: [Freeipa-devel] [PATCH] Rename parent LDAPObject pkeys in child LDAPObject methods. In-Reply-To: <4CD8C646.6020104@redhat.com> References: <4CD8C646.6020104@redhat.com> Message-ID: <20101119152351.GB25987@zeppelin.brq.redhat.com> On Tue, Nov 09, 2010 at 04:55:50AM +0100, Pavel Zůna wrote: > If the parent and child entries have the same attribute as primary > key (such as in the DNS schema), we need to rename the parent key > to prevent a param name conflict. It has no side effects, because > the primary key name is always taken from the LDAPObject params, > never from the method params. > > Pavel Would you mind rebasing the patch on top of Rob's 593 which is already acked (not pushed yet as of now). Jakub From ayoung at redhat.com Fri Nov 19 16:07:50 2010
From: ayoung at redhat.com (Adam Young) Date: Fri, 19 Nov 2010 11:07:50 -0500 Subject: [Freeipa-devel] [PATCH] 607 add managedby to hosts In-Reply-To: <4CE5E9B3.60003@redhat.com> References: <4CD99A30.2030705@redhat.com> <20101109145039.2b315e95@willson.li.ssimo.org> <4CDB132E.7060008@redhat.com> <4CE5A30D.5050602@redhat.com> <4CE5DADB.8070906@redhat.com> <4CE5E9B3.60003@redhat.com> Message-ID: <4CE6A0D6.9040400@redhat.com> On 11/18/2010 10:06 PM, Rob Crittenden wrote: > Adam Young wrote: >> On 11/18/2010 05:05 PM, Rob Crittenden wrote: >>> Rob Crittenden wrote: >>>> Simo Sorce wrote: >>>>> On Tue, 09 Nov 2010 14:00:00 -0500 >>>>> Rob Crittenden wrote: >>>>> >>>>>> + >>>>>> + Add a host that can manage this host's keytab and certificate: >>>>>> + ipa host-add-host --hosts=test2 test >>>>>> """ >>>>>> >>>>> >>>>> I do not want to nack, but looking at this command in isolation I am >>>>> quite confused at what it is supposed to do (think about seeing >>>>> it in >>>>> a log file and wondering what it means w/o further context). >>>>> >>>>> What does it mean to add a host into a host (host-add-host) ? >>>>> And which one is added to the other one ? test in test2 or test2 in >>>>> test? >>>>> >>>>> I do not know if we can change names/syntax to make this more >>>>> immediately understandable, but if we can I'd like to do that. >>>>> Obscure/confusing syntaxes generally make it easier to make mistakes, >>>>> which are bad in a tool used to manage security. >>>>> >>>>> Simo. >>>>> >>>> >>>> Switched to host-add-managedby and host-remove-managedby. >>>> >>> >>> Re-based against tip. >>> >>> rob >>> >>> >>> _______________________________________________ >>> Freeipa-devel mailing list >>> Freeipa-devel at redhat.com >>> https://www.redhat.com/mailman/listinfo/freeipa-devel >> Just tried to apply to master. am failed, and patch -p provided the >> following rej: >> >> --- ipalib/plugins/host.py >> +++ ipalib/plugins/host.py
>> @@ -101,6 +104,9 @@ >> Flag('has_keytab', >> label=_('Keytab'), >> ), >> + Str('managedby_host', >> + label='Managed by', >> + ), >> Str('subject', >> label=_('Subject'), >> ), >> @@ -453,6 +463,7 @@ >> Display information about a host. >> """ >> has_output_params = LDAPRetrieve.has_output_params + host_output_params >> + member_attributes = ['managedby'] >> >> def post_callback(self, ldap, dn, entry_attrs, *keys, **options): >> if 'krblastpwdchange' in entry_attrs: >> >> >> >> >> As well as >> >> --- tests/test_xmlrpc/test_host_plugin.py >> +++ tests/test_xmlrpc/test_host_plugin.py >> @@ -221,6 +228,7 @@ >> fqdn=[fqdn1], >> l=[u'Undisclosed location 1'], >> krbprincipalname=[u'host/%s@%s' % (fqdn1, api.env.realm)], >> + managedby_host=[u'%s' % fqdn1], >> usercertificate=[base64.b64decode(servercert)], >> valid_not_before=u'Mon Aug 09 15:02:27 2010 UTC', >> valid_not_after=u'Sun Aug 09 15:02:27 2020 UTC', >> @@ -247,6 +255,7 @@ >> l=[u'Undisclosed location 1'], >> krbprincipalname=[u'host/%s@%s' % (fqdn1, api.env.realm)], >> has_keytab=False, >> + managedby_host=[u'%s' % fqdn1], >> usercertificate=[base64.b64decode(servercert)], >> valid_not_before=u'Mon Aug 09 15:02:27 2010 UTC', >> valid_not_after=u'Sun Aug 09 15:02:27 2020 UTC', >> tests/test_xmlrpc/test_host_plugin.py.rej (END) >> > > Can you try with patch 604 applied? > > rob ACK pushed to master From ayoung at redhat.com Fri Nov 19 16:08:12 2010 
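Review bot: in the ipalib/plugins/host.py hunk, the new `Str('managedby_host', label='Managed by')` leaves its label outside `_()`, unlike the neighbouring `label=_('Keytab')` and `label=_('Subject')`, so the string will never reach the translation catalog; wrap it as `label=_('Managed by'),` to match the other output params.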
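Review bot: in the tests/test_xmlrpc/test_host_plugin.py hunk, `managedby_host=[u'%s' % fqdn1]` re-formats a value that the same expected dict already uses directly as `fqdn=[fqdn1]`; `managedby_host=[fqdn1]` states the same expectation without the redundant formatting, in both places the hunk adds it.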
From: ayoung at redhat.com (Adam Young) Date: Fri, 19 Nov 2010 11:08:12 -0500 Subject: [Freeipa-devel] [PATCH] 607 add managedby to hosts In-Reply-To: <4CE5E9B3.60003@redhat.com> References: <4CD99A30.2030705@redhat.com> <20101109145039.2b315e95@willson.li.ssimo.org> <4CDB132E.7060008@redhat.com> <4CE5A30D.5050602@redhat.com> <4CE5DADB.8070906@redhat.com> <4CE5E9B3.60003@redhat.com> Message-ID: <4CE6A0EC.906@redhat.com> On 11/18/2010 10:06 PM, Rob Crittenden wrote: > Adam Young wrote: >> On 11/18/2010 05:05 PM, Rob Crittenden wrote: >>> Rob Crittenden wrote: >>>> Simo Sorce wrote: >>>>> On Tue, 09 Nov 2010 14:00:00 -0500 >>>>> Rob Crittenden wrote: >>>>> >>>>>> + >>>>>> + Add a host that can manage this host's keytab and certificate: >>>>>> + ipa host-add-host --hosts=test2 test >>>>>> """ >>>>>> >>>>> >>>>> I do not want to nack, but looking at this command in isolation I am >>>>> quite confused at what it is supposed to do (think about seeing >>>>> it in >>>>> a log file and wondering what it means w/o further context). >>>>> >>>>> What does it mean to add a host into a host (host-add-host) ? >>>>> And which one is added to the other one ? test in test2 or test2 in >>>>> test? >>>>> >>>>> I do not know if we can change names/syntax to make this more >>>>> immediately understandable, but if we can I'd like to do that. >>>>> Obscure/confusing syntaxes generally make it easier to make mistakes, >>>>> which are bad in a tool used to manage security. >>>>> >>>>> Simo. >>>>> >>>> >>>> Switched to host-add-managedby and host-remove-managedby. >>>> >>> >>> Re-based against tip. >>> >>> rob >>> >>> >>> _______________________________________________ >>> Freeipa-devel mailing list >>> Freeipa-devel at redhat.com >>> https://www.redhat.com/mailman/listinfo/freeipa-devel >> Just tried to apply to master. am failed, and patch -p provided the >> following rej: >> >> --- ipalib/plugins/host.py >> +++ ipalib/plugins/host.py
>> @@ -101,6 +104,9 @@ >> Flag('has_keytab', >> label=_('Keytab'), >> ), >> + Str('managedby_host', >> + label='Managed by', >> + ), >> Str('subject', >> label=_('Subject'), >> ), >> @@ -453,6 +463,7 @@ >> Display information about a host. >> """ >> has_output_params = LDAPRetrieve.has_output_params + host_output_params >> + member_attributes = ['managedby'] >> >> def post_callback(self, ldap, dn, entry_attrs, *keys, **options): >> if 'krblastpwdchange' in entry_attrs: >> >> >> >> >> As well as >> >> --- tests/test_xmlrpc/test_host_plugin.py >> +++ tests/test_xmlrpc/test_host_plugin.py >> @@ -221,6 +228,7 @@ >> fqdn=[fqdn1], >> l=[u'Undisclosed location 1'], >> krbprincipalname=[u'host/%s@%s' % (fqdn1, api.env.realm)], >> + managedby_host=[u'%s' % fqdn1], >> usercertificate=[base64.b64decode(servercert)], >> valid_not_before=u'Mon Aug 09 15:02:27 2010 UTC', >> valid_not_after=u'Sun Aug 09 15:02:27 2020 UTC', >> @@ -247,6 +255,7 @@ >> l=[u'Undisclosed location 1'], >> krbprincipalname=[u'host/%s@%s' % (fqdn1, api.env.realm)], >> has_keytab=False, >> + managedby_host=[u'%s' % fqdn1], >> usercertificate=[base64.b64decode(servercert)], >> valid_not_before=u'Mon Aug 09 15:02:27 2010 UTC', >> valid_not_after=u'Sun Aug 09 15:02:27 2020 UTC', >> tests/test_xmlrpc/test_host_plugin.py.rej (END) >> > > Can you try with patch 604 applied? > > rob ACK and pushed to master From ayoung at redhat.com Fri Nov 19 16:10:11 2010 
From: ayoung at redhat.com (Adam Young) Date: Fri, 19 Nov 2010 11:10:11 -0500 Subject: [Freeipa-devel] [PATCH] 604 revoke certs when disabling and deleting hosts In-Reply-To: <4CE5A2EC.7030709@redhat.com> References: <4CD458FB.2010507@redhat.com> <20101118122201.6c20a699@willson.li.ssimo.org> <4CE5A2EC.7030709@redhat.com> Message-ID: <4CE6A163.1080806@redhat.com> On 11/18/2010 05:04 PM, Rob Crittenden wrote: > Simo Sorce wrote: >> On Fri, 05 Nov 2010 15:20:27 -0400 >> Rob Crittenden wrote: >> >>> When a host is deleted we revoke its certificate, if any. >>> >>> When a host keytab is disabled we disable all the keytabs and revoke >>> the certificates of its services. >>> >>> I've also tried to make it more universal to display certificate >>> details when viewing a record with a certificate in it. >>> >>> rob >> >> a. needs rebase (I did a rebase on my own, hopefully the next point was >> not because of that) >> >> b. after some fiddling and testing ipa host-disable seems to return a >> bogus error of: ipa: ERROR: no modifications to be performed >> and if tried again: ipa: ERROR: This entry is already disabled >> >> Possibly the first error was returned because the service I took a cert >> for (to test the cert was removed on disabling, which it was) didn't >> have a keytab associated. >> >> So NACK on this error, but the general approach looks good. >> >> Simo. >> > > Updated patch attached. Here is how to test it. > > My IPA server is on host slinky.example.com. I'm doing these commands > from there.
> > # mkdir /etc/nsstmp > # certutil -N -d /etc/nsstmp (for simplicity do not set a password) > # ipa host-add puma.example.com > # ipa-getkeytab -s slinky -k /tmp/test.kt host/puma.example.com > # ipa-getcert request -d /etc/nss -n Server-Cert -N > "cn=puma.example.com,O=EXAMPLE.COM" -K host/puma.example.com at EXAMPLE.COM > > Now run this until the cert is in the state MONITORING > # ipa-getcert list > > Just to double check, look at the host, it should have a keytab and a > cert: > > # ipa host-show puma > Host name: puma.example.com > Certificate: [base64 certificate omitted] > > Principal name: host/puma.example.com at EXAMPLE.COM > Keytab: True > Managed by: puma.example.com > Subject: CN=puma.example.com,O=EXAMPLE.COM > Serial Number: 1029 > Issuer: CN=EXAMPLE.COM Certificate Authority > Not Before: Thu Nov 18 20:41:16 2010 UTC > Not After: Wed Nov 18 20:41:16 2015 UTC > Fingerprint (MD5): 2a:f5:47:88:62:93:7f:87:2e:c5:d6:9a:11:df:b3:9d > Fingerprint (SHA1): > a0:4a:b2:2a:fc:f9:0f:cc:e7:18:30:29:7e:f6:63:75:8a:8d:45:12 > > Finally we're ready to test if disabling the host revokes/removes the > cert too: > > # ipa host-disable puma > --------------------------------------------------------- > Removed kerberos key and disabled all services for "puma" > --------------------------------------------------------- > > Verify that the host is disabled and its cert is gone: > > # ipa host-show puma > Host name: puma.example.com > Principal name: host/puma.example.com at EXAMPLE.COM > Keytab: False > Managed by: puma.example.com > > Note that I'm allowing admin to write enrolledBy again. I need to find > a better way to handle the attribute but let's clear it without errors > for now.
> > rob > > > _______________________________________________ > Freeipa-devel mailing list > Freeipa-devel at redhat.com > https://www.redhat.com/mailman/listinfo/freeipa-devel ACK and pushed to master -------------- next part -------------- An HTML attachment was scrubbed... URL: From rcritten at redhat.com Fri Nov 19 16:20:05 2010 From: rcritten at redhat.com (Rob Crittenden) Date: Fri, 19 Nov 2010 11:20:05 -0500 Subject: [Freeipa-devel] [PATCH] 614 Display user and host membership in netgroups. Message-ID: <4CE6A3B5.8060606@redhat.com> This uses an enhanced memberof plugin that allows multiple attributes to be configured to create memberOf attributes. This patch requires a new 389-ds-base, 1.2.7. This is currently only available in updates-testing. tickets 109 and 110 To validate: # ipa user-add --first=Jim --last=User juser # ipa netgroup-add --desc=netgroup net1 # ipa netgroup-add-member --users=juser --hosts=`hostname` net1 # ipa netgroup-show net1 (should have the host and user as members) # ipa user-show juser (should have Member of netgroups) # ipa host-show `hostname` (should have Member of netgroups) rob -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-rcrit-614-memberof.patch Type: text/x-patch Size: 2527 bytes Desc: not available URL: From ayoung at redhat.com Fri Nov 19 16:22:35 2010 
From: ayoung at redhat.com (Adam Young)
Date: Fri, 19 Nov 2010 11:22:35 -0500
Subject: [Freeipa-devel] [PATCH] SUDO Rule Search and Details Pages
In-Reply-To: <4CE5E216.6000109@redhat.com>
References: <4CE5E216.6000109@redhat.com>
Message-ID: <4CE6A44B.2030903@redhat.com>

On 11/18/2010 09:33 PM, Endi Sukma Dewata wrote:
> Hi,
>
> Please review the attached patch. Thanks!
>
> The search and details pages for SUDO Rule have been added. Code
> that is shared with HBAC has been moved to rule.js.
>
> The following methods were renamed for consistency:
> - ipa_details_load() -> ipa_details_refresh()
> - ipa_details_display() -> ipa_details_load()
>
> The ipa_details_cache has been removed because the cache is now
> stored in each widget.
>
> The index.xhtml has been removed. All references to it have been
> changed to index.html.
>
> The Unselect All checkbox has been fixed. Unnecessary parameter
> 'container' has been removed.
>
> The unit test has been updated and new test data has been added.

ACK. However, you will need to rebase, as Rob already made the
index.html addition to ipa.spec.in

From ayoung at redhat.com Fri Nov 19 16:42:26 2010
From: ayoung at redhat.com (Adam Young)
Date: Fri, 19 Nov 2010 11:42:26 -0500
Subject: [Freeipa-devel] [PATCH] admiyo-0099-tab-width
Message-ID: <4CE6A8F2.2070205@redhat.com>

-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-admiyo-0099-tab-width.patch
Type: text/x-patch
Size: 1456 bytes
Desc: not available
URL:

From edewata at redhat.com Fri Nov 19 16:55:51 2010
From: edewata at redhat.com (Endi Sukma Dewata)
Date: Fri, 19 Nov 2010 10:55:51 -0600
Subject: [Freeipa-devel] [PATCH] SUDO Rule Search and Details Pages
In-Reply-To: <4CE6A44B.2030903@redhat.com>
References: <4CE5E216.6000109@redhat.com> <4CE6A44B.2030903@redhat.com>
Message-ID: <4CE6AC17.3090807@redhat.com>

On 11/19/2010 10:22 AM, Adam Young wrote:
> ACK. However, you will need to rebase, as Rob already made the
> index.html addition to ipa.spec.in

Thanks. Rebased and pushed to master.

--
Endi S. Dewata

From edewata at redhat.com Fri Nov 19 17:01:01 2010
From: edewata at redhat.com (Endi Sukma Dewata)
Date: Fri, 19 Nov 2010 11:01:01 -0600
Subject: [Freeipa-devel] [PATCH] admiyo-0099-tab-width
In-Reply-To: <4CE6A8F2.2070205@redhat.com>
References: <4CE6A8F2.2070205@redhat.com>
Message-ID: <4CE6AD4D.5030807@redhat.com>

On 11/19/2010 10:42 AM, Adam Young wrote:
>

ACK and pushed to master.

--
Endi S. Dewata

From ayoung at redhat.com Fri Nov 19 17:18:35 2010
From: ayoung at redhat.com (Adam Young)
Date: Fri, 19 Nov 2010 12:18:35 -0500
Subject: [Freeipa-devel] [PATCH] Sample data for service provisioning
In-Reply-To: <4CE60CBA.4090309@redhat.com>
References: <4CE60CBA.4090309@redhat.com>
Message-ID: <4CE6B16B.5030406@redhat.com>

On 11/19/2010 12:35 AM, Endi Sukma Dewata wrote:
> Hi,
>
> Please review the attached patch. Thanks!

ACK and pushed to master

From dpal at redhat.com Fri Nov 19 17:18:01 2010
From: dpal at redhat.com (Dmitri Pal)
Date: Fri, 19 Nov 2010 12:18:01 -0500
Subject: [Freeipa-devel] [PATCH] SUDO Rule Search and Details Pages
In-Reply-To: <4CE6AC17.3090807@redhat.com>
References: <4CE5E216.6000109@redhat.com> <4CE6A44B.2030903@redhat.com> <4CE6AC17.3090807@redhat.com>
Message-ID: <4CE6B149.1020705@redhat.com>

Endi Sukma Dewata wrote:
> On 11/19/2010 10:22 AM, Adam Young wrote:
>> ACK. However, you will need to rebase, as Rob already made the
>> index.html addition to ipa.spec.in
>
> Thanks. Rebased and pushed to master.
>

I suspect it is the first pass at those since the UXD spec is underway
for the SUDO pages.

--
Thank you,
Dmitri Pal

Sr. Engineering Manager IPA project,
Red Hat Inc.

From edewata at redhat.com Fri Nov 19 17:21:13 2010
From: edewata at redhat.com (Endi Sukma Dewata)
Date: Fri, 19 Nov 2010 11:21:13 -0600
Subject: [Freeipa-devel] [PATCH] SUDO Rule Search and Details Pages
In-Reply-To: <4CE6B149.1020705@redhat.com>
References: <4CE5E216.6000109@redhat.com> <4CE6A44B.2030903@redhat.com> <4CE6AC17.3090807@redhat.com> <4CE6B149.1020705@redhat.com>
Message-ID: <4CE6B209.2080705@redhat.com>

On 11/19/2010 11:18 AM, Dmitri Pal wrote:
> Endi Sukma Dewata wrote:
>> On 11/19/2010 10:22 AM, Adam Young wrote:
>>> ACK. However, you will need to rebase, as Rob already made the
>>> index.html addition to ipa.spec.in
>>
>> Thanks. Rebased and pushed to master.
>>
> I suspect it is the first pass at those since the UXD spec is underway
> for the SUDO pages.

Yes, this is based on HBAC. At least the functionality works. We can
revise the page again when the spec becomes available.

--
Endi S. Dewata

From ayoung at redhat.com Fri Nov 19 17:37:25 2010
From: ayoung at redhat.com (Adam Young)
Date: Fri, 19 Nov 2010 12:37:25 -0500
Subject: [Freeipa-devel] [PATCH] 608 Fix returning effective rights for password policy
In-Reply-To: <4CE68673.1020900@redhat.com>
References: <4CE552C2.2030609@redhat.com> <4CE5D41A.4080807@redhat.com> <4CE5E93A.90403@redhat.com> <4CE68673.1020900@redhat.com>
Message-ID: <4CE6B5D5.4000407@redhat.com>

On 11/19/2010 09:15 AM, Adam Young wrote:
> On 11/18/2010 10:04 PM, Rob Crittenden wrote:
>> Adam Young wrote:
>>> On 11/18/2010 11:22 AM, Rob Crittenden wrote:
>>>> Password policy needs to update the class of service priority in
>>>> another entry. Include the CoS attribute when reporting rights.
>>>>
>>>> rob
>>>>
>>> Can't seem to get it to work. Running in the lite server, I have
>>> confirmed that the patch is applied and run:
>>>
>>> curl -H "Content-Type:application/json" -H "Accept:application/json"
>>> --negotiate -u : --cacert /etc/ipa/ca.crt -d
>>> '{"method":"pwpolicy_show","params":[["global_policy"],{"rights":1,
>>> "all":1}]}' -X POST http://localhost:8888/ipa/json | less
>>>
>>> as well as
>>>
>>> ./ipa pwpolicy-show global_policy --rights
>>>
>>> and
>>> ./ipa pwpolicy-show global_policy --rights --all
>>>
>>> But do not see rights.
>>>
>>> Which returns:
>>> ipa: ERROR: global_policy: entry not found
>>>
>>> Considering that I run
>>> ./ipa pwpolicy-find global_policy --rights --all
>>>
>>> and get
>>> ipa: error: no such option: --rights
>>>
>>> I am pretty sure that the patch is applied.
>>
>> Looks like global_policy is still a bit of a special case. It has no
>> priority because it is the default. Try with a regular group or
>> without global_policy.
>
> It needs to be there for all groups. If it doesn't work with
> global_policy, the webUI will be broken.
>
>> I didn't know you wanted rights with find.
>
> I don't. It was just making sure I was testing the right thing.
>
>> I can either add the special case in with a resubmission or push this
>> and create a new task to fix that.
>>
>> rob

ACK and pushed to master.

From ssorce at redhat.com Fri Nov 19 17:41:49 2010
From: ssorce at redhat.com (Simo Sorce)
Date: Fri, 19 Nov 2010 12:41:49 -0500
Subject: [Freeipa-devel] [PATCH] fix default install with dogtag
Message-ID: <20101119124149.50848549@willson.li.ssimo.org>

This patch automatically disables pkinit when installing with dogtag
until dogtag support is added to the pkinit install bits.

Simo.

--
Simo Sorce * Red Hat, Inc * New York

-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-simo-0019-Automatically-diable-pkinit-when-not-supported.patch
Type: text/x-patch
Size: 1028 bytes
Desc: not available
URL:

From ayoung at redhat.com Fri Nov 19 17:53:05 2010
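The curl call quoted in the 608 thread above asks the JSON-RPC endpoint for effective rights (`"rights":1`), and the rights-check UI patch discussed at the top of this archive makes a field read-only unless the returned attributelevelrights explicitly allow writing, defaulting to "don't allow changes" where the server reports nothing. The following is an added example, not FreeIPA's own code, of building that request body and applying the fail-closed rule to a response. The response fragment is constructed: its nesting and the `rscwo` rights letters (389-ds effective-rights notation, where `w` is write) are assumptions, and the pwpolicy attribute names are sample values chosen for the illustration.

```python
"""Build a rights-requesting JSON-RPC call and derive per-field
writability from attributelevelrights, failing closed. Added example;
not FreeIPA code, and the response layout is an assumption."""
import json


def build_rights_request(method, args, **options):
    """The body the quoted curl command posts to /ipa/json: positional
    args, then an options dict with rights=1 (and all=1) set."""
    options.setdefault("rights", 1)
    options.setdefault("all", 1)
    return {"method": method, "params": [list(args), options]}


def encode_request(request):
    """Serialise for the wire (Content-Type: application/json)."""
    return json.dumps(request)


# Constructed response fragment. attributelevelrights maps attribute
# name to an effective-rights string; 'w' present means the bound user
# may write that attribute. krbpwdhistorylength is deliberately
# read-only, and cospriority is deliberately absent to model the
# "holes" in rights coverage the thread mentions.
SAMPLE_RESPONSE = json.dumps({
    "error": None,
    "result": {
        "result": {
            "cn": ["global_policy"],
            "krbmaxpwdlife": ["90"],
            "krbminpwdlife": ["1"],
            "krbpwdhistorylength": ["0"],
            "attributelevelrights": {
                "krbmaxpwdlife": "rscwo",
                "krbminpwdlife": "rscwo",
                "krbpwdhistorylength": "rsc",
            },
        },
    },
})


def writable_fields(response_text, fields):
    """Fail closed: a field is editable only when the server explicitly
    reports the 'w' right for it. A field missing from
    attributelevelrights, or a response with no rights at all, comes back
    read-only rather than silently editable."""
    payload = json.loads(response_text)
    if payload.get("error") is not None:
        return {f: False for f in fields}
    rights = payload.get("result", {}).get("result", {}).get("attributelevelrights", {})
    return {f: "w" in rights.get(f, "") for f in fields}


if __name__ == "__main__":
    print(encode_request(build_rights_request("pwpolicy_show", ["global_policy"])))
    print(writable_fields(SAMPLE_RESPONSE, ["krbmaxpwdlife", "krbpwdhistorylength", "cospriority"]))
```

The fail-closed default is what makes the earlier observation in this archive true: a server that omits attributelevelrights renders every field read-only, which is the symptom that exposes missing rights coverage rather than a UI that quietly lets users edit what the server would then reject.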
From: ayoung at redhat.com (Adam Young)
Date: Fri, 19 Nov 2010 12:53:05 -0500
Subject: [Freeipa-devel] [PATCH] Host Enrollment via OTP
In-Reply-To: <4CE6022F.2010508@redhat.com>
References: <4CE6022F.2010508@redhat.com>
Message-ID: <4CE6B981.80303@redhat.com>

On 11/18/2010 11:50 PM, Endi Sukma Dewata wrote:
> Hi,
>
> Please review the attached patch. Thanks!
>
> The support for host enrollment via one-time-password has been added.
> When submitted, the OTP will be used to set the host's userpassword.
>
> Previously each IPA command could only have one JSON test data file.
> The ipa_cmd() has been modified to accept an optional command name.
> When used with static files, it will pull the test data whose name
> is the same as the command name.
>
> The batch.json has been renamed to ipa_init.json for UI initialization.
> Some test data have been added for operations against specific hosts.

ACK and pushed to master

From ayoung at redhat.com Fri Nov 19 17:54:44 2010
From: ayoung at redhat.com (Adam Young)
Date: Fri, 19 Nov 2010 12:54:44 -0500
Subject: [Freeipa-devel] [PATCH] Use radio buttons for HBAC rule type
In-Reply-To: <4CE61267.8090501@redhat.com>
References: <4CE61267.8090501@redhat.com>
Message-ID: <4CE6B9E4.9010803@redhat.com>

On 11/19/2010 01:00 AM, Endi Sukma Dewata wrote:
> Hi,
>
> Please review the attached patch. Thanks!
>
> To be consistent with the details page, the rule type in the HBAC
> add dialog box has been converted into radio buttons.

ACK and pushed to master

From ayoung at redhat.com Fri Nov 19 17:57:07 2010
From: ayoung at redhat.com (Adam Young)
Date: Fri, 19 Nov 2010 12:57:07 -0500
Subject: [Freeipa-devel] Proposed changes to the HBAC grammar
In-Reply-To: <4CE66094.4020505@redhat.com>
References: <4CE4440C.4030400@redhat.com> <20101117163114.13724d40@willson.li.ssimo.org> <4CE44E50.1020300@redhat.com> <4CE5178B.4050402@redhat.com> <4CE538CE.10009@redhat.com> <4CE5395B.7050803@redhat.com> <4CE53E75.8000500@redhat.com> <4CE59453.6020103@redhat.com> <4CE596E1.8020007@redhat.com> <4CE5A841.7000509@redhat.com> <4CE5ABCB.6070807@redhat.com> <4CE5B3E1.7040100@redhat.com> <4CE66094.4020505@redhat.com>
Message-ID: <4CE6BA73.2010201@redhat.com>

On 11/19/2010 06:33 AM, Stephen Gallagher wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> On 11/18/2010 06:16 PM, Dmitri Pal wrote:
>> Adam Young wrote:
>>> On 11/18/2010 05:27 PM, Dmitri Pal wrote:
>>>> Adam Young wrote:
>>>>> On 11/18/2010 04:02 PM, Stephen Gallagher wrote:
>>>>>> On 11/18/2010 09:55 AM, Dmitri Pal wrote:
>>>>>>> Steve can you summarize where we are and what we agreed to,
>>>>>>> please, and identify the questions that we need to answer.
>>>>>>
>>>>>> Simo, Adam and I had a long discussion on IRC regarding the time rules
>>>>>> today (complete log attached).
>>>>>>
>>>>>> The short version is that we're going to continue (mostly) with the
>>>>>> current grammar for the time rules, with a few changes.
>>>>>>
>>>>>> 1) We need to replace week-of-the-month with day-of-the-septet. This day
>>>>>> should not be a range or multi-valued to eliminate confusion
>>>>>> 2) We need to replace the time range with a duration
>>>>>> 3) We should add startDate and endDate as attributes on the HBAC object
>>>>>> (separate from the accessTime). I propose these should be in LDAP
>>>>>> generalizedTime so that it's possible to construct filters around them.
>>>>>> This effectively sets the beginning and end of a periodic schedule.
>>>>>
>>>>> OK, just please stop calling it septet. I think Drums, Bass, Piano,
>>>>> 2 Saxes, Trumpet, Trombone Jazz combo when I hear that. It is like
>>>>> octet versus byte....it means the same thing, and just annoys people.
>>>>>
>>>>> What you really want is to call it week-of-the-month as opposed to
>>>>> week. I realize that is more verbose, but we don't sound like
>>>>> smarty-pants.
>>>>>
>>>>>> I've drawn up a new grammar definition and published it to the SSSD
>>>>>> wiki (not currently linked from anywhere):
>>>>>> https://fedorahosted.org/sssd/wiki/HBAC_Grammar
>>>>>>
>>>>>> Please review and give feedback.
>>>>>>
>>>> I thought that first septet is the first seven days of the month based
>>>> on earlier mails from Steven. Is this a true statement?
>>>> The whole issue started with ambiguity of the notion of the "N-th week"
>>>> of the month.
>>>> What is the week-of-the-month? Is it the first seven days regardless of
>>>> what day of the week is the first day of the month (this is what I
>>>> thought a septet is) or the first full week from Monday to Sunday or from
>>>> Sunday to Saturday, or is it the first, usually partial, week? This is
>>>> the ambiguity that we want to avoid!
>>>>
>>>> If the septet is what I think it is then we can't name it the
>>>> week-of-the-month and IMO septet is a good term here. However then there
>>>> is a bug in the grammar as septet can be only 1-5 not 1-6.
>>>>
>>> OK, if this is really what is driving the grammar, I'm going to have
>>> to NACK.
>>>
>>> Let's make something that is intelligible. We don't want to be
>>> inventing concepts like Septet. Or Septave, since 8 days is already
>>> called an octave.
>>>
>>> Here's the Cron line that Steve posted before. It represents the
>>> first Wednesday of the month.
>>>
>>> 0 8 1-7 * 3
>>>
>>> Let's keep the concept of week, starting on Sunday, add in the concept
>>> of day of the month, and mix the two together.
>>>
>>> Does the current grammar (pre-septet) support that? Something like:
>>>
>>> accessTime: periodic monthly between day 1-7 wednesday
>>>
> No, it does not. That's the specific reason for introducing septet, to
> add this support. However, you make an interesting point. Perhaps we
> could introduce a more generic term than septet to allow the above.
>
> Though I think user comprehension would be made easier if we turned the
> construct into something closer to:
>
> accessTime: periodic monthly Wed between day 1-7
>
> Though for the parser, I think it would be best to have a delimiter
> between Monthly and Wed. I'm open to suggestions for what makes sense,
> though. "encompass"? "inclusive"? "position"?
> 'on'?
>
>> It does not support this.
>> It requires you to specify either a week of the month after "monthly" and
>> then a day within the week (as numbers or the letter day names) or a set
>> of numbers representing days or ranges of days within the month.
>> You can't with the existing schema unambiguously define "first Wednesday
>> of the month" without the proposed "septet" changes.
>>
> - --
> Stephen Gallagher
> RHCE 804006346421761
>
> Delivering value year after year.
> Red Hat ranks #1 in value among software vendors.
> http://www.redhat.com/promo/vendor/
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.4.11 (GNU/Linux)
> Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org/
>
> iEYEARECAAYFAkzmYI8ACgkQeiVVYja6o6N6nACfeoqLtaVfLQo8P9V+HeUgObfp
> dr4AnjK5+NlPAFFFW5JiP74HFEzZ/gGK
> =s+6m
> -----END PGP SIGNATURE-----

From rcritten at redhat.com Fri Nov 19 18:16:06 2010
From: rcritten at redhat.com (Rob Crittenden)
Date: Fri, 19 Nov 2010 13:16:06 -0500
Subject: [Freeipa-devel] [PATCH] 608 Fix returning effective rights for password policy
In-Reply-To: <4CE6B5D5.4000407@redhat.com>
References: <4CE552C2.2030609@redhat.com> <4CE5D41A.4080807@redhat.com> <4CE5E93A.90403@redhat.com> <4CE68673.1020900@redhat.com> <4CE6B5D5.4000407@redhat.com>
Message-ID: <4CE6BEE6.2040600@redhat.com>

Adam Young wrote:
> On 11/19/2010 09:15 AM, Adam Young wrote:
>> On 11/18/2010 10:04 PM, Rob Crittenden wrote:
>>> Adam Young wrote:
>>>> On 11/18/2010 11:22 AM, Rob Crittenden wrote:
>>>>> Password policy needs to update the class of service priority in
>>>>> another entry. Include the CoS attribute when reporting rights.
>>>>>
>>>>> rob
>>>>>
>>>> Can't seem to get it to work. Running in the lite server, I have
>>>> confirmed that the patch is applied and run:
>>>>
>>>> curl -H "Content-Type:application/json" -H "Accept:application/json"
>>>> --negotiate -u : --cacert /etc/ipa/ca.crt -d
>>>> '{"method":"pwpolicy_show","params":[["global_policy"],{"rights":1,
>>>> "all":1}]}' -X POST http://localhost:8888/ipa/json | less
>>>>
>>>> as well as
>>>>
>>>> ./ipa pwpolicy-show global_policy --rights
>>>>
>>>> and
>>>> ./ipa pwpolicy-show global_policy --rights --all
>>>>
>>>> But do not see rights.
>>>>
>>>> Which returns:
>>>> ipa: ERROR: global_policy: entry not found
>>>>
>>>> Considering that I run
>>>> ./ipa pwpolicy-find global_policy --rights --all
>>>>
>>>> and get
>>>> ipa: error: no such option: --rights
>>>>
>>>> I am pretty sure that the patch is applied.
>>>
>>> Looks like global_policy is still a bit of a special case. It has no
>>> priority because it is the default. Try with a regular group or
>>> without global_policy.
>>
>> It needs to be there for all groups. If it doesn't work with
>> global_policy, the webUI will be broken.
>>
>>> I didn't know you wanted rights with find.
>>
>> I don't. It was just making sure I was testing the right thing.
>>
>>> I can either add the special case in with a resubmission or push this
>>> and create a new task to fix that.
>>>
>>> rob
>
> ACK and pushed to master.
>

I filed https://fedorahosted.org/freeipa/ticket/523 to track the special
handling for global_policy.

rob

From rcritten at redhat.com Fri Nov 19 18:45:11 2010
From: rcritten at redhat.com (Rob Crittenden)
Date: Fri, 19 Nov 2010 13:45:11 -0500
Subject: [Freeipa-devel] [PATCH] fix default install with dogtag
In-Reply-To: <20101119124149.50848549@willson.li.ssimo.org>
References: <20101119124149.50848549@willson.li.ssimo.org>
Message-ID: <4CE6C5B7.8000302@redhat.com>

Simo Sorce wrote:
>
> This patch automatically disables pkinit when installing with
> dogtag until dogtag support is added to the pkinit install bits.
>
> Simo.
>

nack

I think this should be just: if not options.selfsign: ...

external_cert_file and external_ca_file are used when you are setting up
dogtag as a subordinate of another CA. But it is still just setting up
dogtag.

rob

From rcritten at redhat.com Fri Nov 19 18:50:14 2010
From: rcritten at redhat.com (Rob Crittenden)
Date: Fri, 19 Nov 2010 13:50:14 -0500
Subject: [Freeipa-devel] [PATCH] 593 fix group objectclasses on detach
In-Reply-To: <20101119152113.GA25987@zeppelin.brq.redhat.com>
References: <4CCEE604.6090700@redhat.com> <20101118160058.GA26817@zeppelin.brq.redhat.com> <4CE562A9.7010700@redhat.com> <4CE5AAC0.3010802@redhat.com> <20101119152113.GA25987@zeppelin.brq.redhat.com>
Message-ID: <4CE6C6E6.7090907@redhat.com>

Jakub Hrozek wrote:
> On Thu, Nov 18, 2010 at 05:37:52PM -0500, Rob Crittenden wrote:
>> Rob Crittenden wrote:
>>> Jakub Hrozek wrote:
>>>> On Mon, Nov 01, 2010 at 12:08:36PM -0400, Rob Crittenden wrote:
>>>>> Make sure a detached group has the default list of objectclasses.
>>>>> ipaUniqueId is handled by the new uuid plugin.
>>>>>
>>>>> https://fedorahosted.org/freeipa/ticket/250
>>>>>
>>>>> rob
>>>>
>>>> I haven't fully tested the patch yet, but this caught my attention:
>>>>
>>>>> + (group_dn, group_attrs) = ldap.get_entry(group_dn)
>>>>> + is_managed = self.obj.has_objectclass(group_attrs['objectclass'], '')
>>>>
>>>> I think that is_managed is guaranteed to be False in this case, since
>>>> has_objectclass would do:
>>>>
>>>> return '' in group_attrs['objectclass']
>>>
>>> Gah! Good catch, that should be mepManagedBy. Can you fix this and
>>> continue testing?
>>>
>>> rob
>>
>> I rebased this and fixed this error (I rebased it with patches 604 and
>> 607 on my tree in case that makes a difference).
>>
>> To test this do:
>>
>> # ipa user-add --first=Tim --last=User tuser
>> # ipa group-show tuser --all
>> [ note the objectclasses ]
>> # ipa group-detach tuser
>> # ipa group-show --all tuser
>>
>> It should now be a full POSIX group with an ipaUniqueId and a full
>> set of objectclasses. You should be able to add a user to it.
>>
>> # ipa group-add-member --users=tuser tuser
>>
>> rob
>
> Ack (before applying and pushing please note that as Rob notes above,
> this must be applied on top of his patches 604 and 607)
>
> Jakub
>

pushed to master

From rcritten at redhat.com Fri Nov 19 18:57:26 2010
From: rcritten at redhat.com (Rob Crittenden)
Date: Fri, 19 Nov 2010 13:57:26 -0500
Subject: [Freeipa-devel] [PATCH] Improve the documentation of setattr/addattr
In-Reply-To: <20101115145229.GH19666@zeppelin.brq.redhat.com>
References: <20101115145229.GH19666@zeppelin.brq.redhat.com>
Message-ID: <4CE6C896.6080304@redhat.com>

Jakub Hrozek wrote:
> https://fedorahosted.org/freeipa/ticket/245
>

ack, pushed to master

From ssorce at redhat.com Fri Nov 19 18:55:29 2010
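Review bot: in the hunk quoted in the group-detach thread above, `is_managed = self.obj.has_objectclass(group_attrs['objectclass'], '')` tests for an empty-string objectclass, so is_managed can never be true and the managed-group path of detach is dead code; the real objectclass name has to be passed (the follow-up replies name mepManagedBy), and because the corrected version was only verified by hand with group-show, a unit test that detaches a managed group and asserts on the resulting objectclass list and ipaUniqueId would stop the same regression slipping back in.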
From: ssorce at redhat.com (Simo Sorce)
Date: Fri, 19 Nov 2010 13:55:29 -0500
Subject: [Freeipa-devel] [PATCH] fix default install with dogtag
In-Reply-To: <4CE6C5B7.8000302@redhat.com>
References: <20101119124149.50848549@willson.li.ssimo.org> <4CE6C5B7.8000302@redhat.com>
Message-ID: <20101119135529.11d23fae@willson.li.ssimo.org>

On Fri, 19 Nov 2010 13:45:11 -0500
Rob Crittenden wrote:

> Simo Sorce wrote:
>>
>> This patch automatically disables pkinit when installing with
>> dogtag until dogtag support is added to the pkinit install bits.
>>
>> Simo.
>>
>
> nack
>
> I think this should be just: if not options.selfsign: ...
>
> external_cert_file and external_ca_file are used when you are setting
> up dogtag as a subordinate of another CA. But it is still just
> setting up dogtag.

I took the wrong option, I meant to not disable pkinit if you pass in
explicitly a pkinit certificate when external certs are used.

Attached new patch.

Simo.

--
Simo Sorce * Red Hat, Inc * New York

-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-simo-0019-2-Automatically-diable-pkinit-when-not-supported.patch
Type: text/x-patch
Size: 993 bytes
Desc: not available
URL:

From rcritten at redhat.com Fri Nov 19 19:17:35 2010
From: rcritten at redhat.com (Rob Crittenden)
Date: Fri, 19 Nov 2010 14:17:35 -0500
Subject: [Freeipa-devel] [PATCH] Make the migration plugin more configurable
In-Reply-To: <20101115115657.GB19666@zeppelin.brq.redhat.com>
References: <20101115115657.GB19666@zeppelin.brq.redhat.com>
Message-ID: <4CE6CD4F.3090101@redhat.com>

Jakub Hrozek wrote:
> This patch adds new options to the migration plugin:
> * the option to fine-tune the objectclass of users or groups being
>   imported
> * the option to select the LDAP schema (RFC2307 or RFC2307bis)
>
> https://fedorahosted.org/freeipa/ticket/429

I don't see where the RFC 2307bis case handles nested groups. This
should be supported, right?

rob

From rcritten at redhat.com Fri Nov 19 19:18:36 2010
From: rcritten at redhat.com (Rob Crittenden)
Date: Fri, 19 Nov 2010 14:18:36 -0500
Subject: [Freeipa-devel] [PATCH] fix default install with dogtag
In-Reply-To: <20101119135529.11d23fae@willson.li.ssimo.org>
References: <20101119124149.50848549@willson.li.ssimo.org> <4CE6C5B7.8000302@redhat.com> <20101119135529.11d23fae@willson.li.ssimo.org>
Message-ID: <4CE6CD8C.9050407@redhat.com>

Simo Sorce wrote:
> On Fri, 19 Nov 2010 13:45:11 -0500
> Rob Crittenden wrote:
>
>> Simo Sorce wrote:
>>>
>>> This patch automatically disables pkinit when installing with
>>> dogtag until dogtag support is added to the pkinit install bits.
>>>
>>> Simo.
>>>
>>
>> nack
>>
>> I think this should be just: if not options.selfsign: ...
>>
>> external_cert_file and external_ca_file are used when you are setting
>> up dogtag as a subordinate of another CA. But it is still just
>> setting up dogtag.
>
> I took the wrong option, I meant to not disable pkinit if you pass in
> explicitly a pkinit certificate when external certs are used.
>
> Attached new patch.
>
> Simo.
>

ack

From dpal at redhat.com Fri Nov 19 19:25:42 2010
From: dpal at redhat.com (Dmitri Pal)
Date: Fri, 19 Nov 2010 14:25:42 -0500
Subject: [Freeipa-devel] [PATCH] Make the migration plugin more configurable
In-Reply-To: <4CE6CD4F.3090101@redhat.com>
References: <20101115115657.GB19666@zeppelin.brq.redhat.com> <4CE6CD4F.3090101@redhat.com>
Message-ID: <4CE6CF36.4020101@redhat.com>

Rob Crittenden wrote:
> Jakub Hrozek wrote:
>> This patch adds new options to the migration plugin:
>> * the option to fine-tune the objectclass of users or groups being
>>   imported
>> * the option to select the LDAP schema (RFC2307 or RFC2307bis)
>>
>> https://fedorahosted.org/freeipa/ticket/429
>
> I don't see where the RFC 2307bis case handles nested groups. This
> should be supported, right?
>

I think Jakub refers to memberUid vs. member attribute.

> rob
>

--
Thank you,
Dmitri Pal

Sr. Engineering Manager IPA project,
Red Hat Inc.

From ssorce at redhat.com Fri Nov 19 19:42:32 2010
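The schema choice the migration patch adds, and the nested-group question Rob raises about it, come down to how the two schemas express membership: RFC 2307 groups list members by login name in memberUid, while RFC 2307bis groups list member DNs in member, and a member DN can itself be a group. The following is an added example, not code from the migration plugin or from FreeIPA, that resolves a group's members under either schema over a small constructed directory. The RFC 2307bis resolver walks nested groups and tolerates a membership cycle and a dangling DN, both of which a migration run over real data has to survive; the directory, DNs and function names are my own.

```python
"""Resolve group membership under RFC 2307 (memberUid) and RFC 2307bis
(member DNs, possibly nested). Added example; not FreeIPA code."""

# Constructed sample directory, keyed by DN. Attribute values are lists,
# as an LDAP client would return them.
DIRECTORY = {
    "uid=alice,ou=people,dc=example,dc=com": {
        "objectclass": ["posixAccount"], "uid": ["alice"]},
    "uid=bob,ou=people,dc=example,dc=com": {
        "objectclass": ["posixAccount"], "uid": ["bob"]},
    "uid=carol,ou=people,dc=example,dc=com": {
        "objectclass": ["posixAccount"], "uid": ["carol"]},
    # RFC 2307: flat group, members named by uid.
    "cn=legacy,ou=groups,dc=example,dc=com": {
        "objectclass": ["posixGroup"], "memberUid": ["alice", "bob"]},
    # RFC 2307bis: members by DN. admins contains ops, ops contains
    # admins again (a deliberate cycle) plus a DN that does not exist.
    "cn=admins,ou=groups,dc=example,dc=com": {
        "objectclass": ["posixGroup", "groupOfNames"],
        "member": ["uid=carol,ou=people,dc=example,dc=com",
                   "cn=ops,ou=groups,dc=example,dc=com"]},
    "cn=ops,ou=groups,dc=example,dc=com": {
        "objectclass": ["posixGroup", "groupOfNames"],
        "member": ["uid=bob,ou=people,dc=example,dc=com",
                   "cn=admins,ou=groups,dc=example,dc=com",
                   "uid=gone,ou=people,dc=example,dc=com"]},
}


def is_group(entry):
    """Objectclass names are case-insensitive in LDAP."""
    ocs = {oc.lower() for oc in entry.get("objectclass", [])}
    return "posixgroup" in ocs or "groupofnames" in ocs


def members_rfc2307(directory, group_dn):
    """RFC 2307: membership is the memberUid list, nothing to resolve."""
    return sorted(directory[group_dn].get("memberUid", []))


def members_rfc2307bis(directory, group_dn):
    """RFC 2307bis: follow member DNs, descend into nested groups, and
    return the flattened set of user uids. `seen` guards against cycles;
    unknown DNs are skipped rather than aborting the whole migration."""
    seen, uids = set(), set()
    stack = [group_dn]
    while stack:
        dn = stack.pop()
        if dn in seen:
            continue
        seen.add(dn)
        entry = directory.get(dn)
        if entry is None:
            continue
        for member_dn in entry.get("member", []):
            member = directory.get(member_dn)
            if member is None:
                continue          # dangling reference
            if is_group(member):
                stack.append(member_dn)
            else:
                uids.update(member.get("uid", []))
    return sorted(uids)


def group_members(directory, group_dn, schema):
    """Dispatch on the schema option the migration plugin exposes."""
    if schema == "RFC2307":
        return members_rfc2307(directory, group_dn)
    if schema == "RFC2307bis":
        return members_rfc2307bis(directory, group_dn)
    raise ValueError("unknown schema: %r" % (schema,))


if __name__ == "__main__":
    for dn, schema in (("cn=legacy,ou=groups,dc=example,dc=com", "RFC2307"),
                       ("cn=admins,ou=groups,dc=example,dc=com", "RFC2307bis")):
        print(dn, schema, group_members(DIRECTORY, dn, schema))
```

Flattening matters for authorization: a migration that copied only the direct member DNs of `cn=admins` would drop bob, who is an admin through ops, and the access he had in the source directory would silently disappear (or, with the reverse mistake, never be reviewed).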
From: ssorce at redhat.com (Simo Sorce)
Date: Fri, 19 Nov 2010 14:42:32 -0500
Subject: [Freeipa-devel] [PATCH] Use provided domain name during the installation
In-Reply-To: <20101116105639.3c263596@willson.li.ssimo.org>
References: <201011161635.26226.jzeleny@redhat.com> <20101116105639.3c263596@willson.li.ssimo.org>
Message-ID: <20101119144232.23685e62@willson.li.ssimo.org>

On Tue, 16 Nov 2010 10:56:39 -0500
Simo Sorce wrote:

> On Tue, 16 Nov 2010 16:35:26 +0100
> Jan Zelený wrote:
>
>> When installing an IPA client, the install script used the detected
>> domain name of the machine instead of the one given by the administrator
>> (in case one was given). This is now fixed.
>>
>> https://fedorahosted.org/freeipa/ticket/363
>>
>
> ACK

Pushed to master.

Simo.

--
Simo Sorce * Red Hat, Inc * New York

From rcritten at redhat.com Fri Nov 19 20:01:51 2010
From: rcritten at redhat.com (Rob Crittenden)
Date: Fri, 19 Nov 2010 15:01:51 -0500
Subject: [Freeipa-devel] [PATCH] 615 handle empty members
Message-ID: <4CE6D7AF.6080902@redhat.com>

If an empty member list was passed in we would crap out because we were
trying to iterate over None. Add a test for this.

ticket 486

rob

-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-rcrit-615-member.patch
Type: text/x-patch
Size: 1240 bytes
Desc: not available
URL:

From ssorce at redhat.com Fri Nov 19 20:03:25 2010
From: ssorce at redhat.com (Simo Sorce)
Date: Fri, 19 Nov 2010 15:03:25 -0500
Subject: [Freeipa-devel] [PATCH] fix default install with dogtag
In-Reply-To: <4CE6CD8C.9050407@redhat.com>
References: <20101119124149.50848549@willson.li.ssimo.org> <4CE6C5B7.8000302@redhat.com> <20101119135529.11d23fae@willson.li.ssimo.org> <4CE6CD8C.9050407@redhat.com>
Message-ID: <20101119150325.2eff82e4@willson.li.ssimo.org>

On Fri, 19 Nov 2010 14:18:36 -0500
Rob Crittenden wrote:

> Simo Sorce wrote:
>> On Fri, 19 Nov 2010 13:45:11 -0500
>> Rob Crittenden wrote:
>>
>>> Simo Sorce wrote:
>>>>
>>>> This patch automatically disables pkinit when installing with
>>>> dogtag until dogtag support is added to the pkinit install bits.
>>>>
>>>> Simo.
>>>>
>>>
>>> nack
>>>
>>> I think this should be just: if not options.selfsign: ...
>>>
>>> external_cert_file and external_ca_file are used when you are
>>> setting up dogtag as a subordinate of another CA. But it is still
>>> just setting up dogtag.
>>
>> I took the wrong option, I meant to not disable pkinit if you pass
>> in explicitly a pkinit certificate when external certs are used.
>>
>> Attached new patch.
>>
>> Simo.
>>
>
> ack

rebased and pushed.

Simo.

--
Simo Sorce * Red Hat, Inc * New York

From ssorce at redhat.com Fri Nov 19 20:08:22 2010
From: ssorce at redhat.com (Simo Sorce)
Date: Fri, 19 Nov 2010 15:08:22 -0500
Subject: [Freeipa-devel] [PATCH] 0011 Change DNA configuration to use shared configuration
In-Reply-To: <20101111195123.517010ad@willson.li.ssimo.org>
References: <20101111195123.517010ad@willson.li.ssimo.org>
Message-ID: <20101119150822.2c0196e6@willson.li.ssimo.org>

On Thu, 11 Nov 2010 19:51:23 -0500
Simo Sorce wrote:

>
> With this patch 2 changes are introduced.
>
> 1. idranges are unified, the --uidstart and --gidstart options are
> removed and instead --idstart and --idmax are provided at install
> time. This is a prerequisite to simplify configuration for the next
> change.
>
> 2. DNA is configured to share range configurations among multiple
> masters now. When replicas are installed an invalid range is
> configured so that they are forced to contact another peer as soon as
> someone tries to create a user/group on that master. The replica will
> get a part of the available range from the peer for its use.
>
> Simo.
>

Rebased on top of current master, or it would fail to apply.

Simo.

--
Simo Sorce * Red Hat, Inc * New York

-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-simo-0011-2-id-ranges-change-DNA-configuration.patch
Type: text/x-patch
Size: 15144 bytes
Desc: not available
URL:

From sgallagh at redhat.com Fri Nov 19 20:31:30 2010
From: sgallagh at redhat.com (Stephen Gallagher)
Date: Fri, 19 Nov 2010 15:31:30 -0500
Subject: [Freeipa-devel] Proposed changes to the HBAC grammar
Message-ID: <4CE6DEA2.2010904@redhat.com>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Breaking the thread intentionally to bring back focus.

With Adam's recent input, I've modified the grammar to what I hope will
be its final form.

The complete grammar is available at
https://fedorahosted.org/sssd/wiki/HBAC_Grammar

The differences from my previous proposal (involving septets) are here:
https://fedorahosted.org/sssd/wiki/HBAC_Grammar?action=diff&version=3

The primary change is that instead of introducing the septet concept, we
will specify "day within a range". So the first Friday of the month
would be:

accessTime = periodic monthly on Fri between 1-7

Tuesdays for the second half of the month would be:

accessTime = periodic monthly on Tue between 15-31

I don't anticipate that last being very common, but it's now possible.

Please chime in if you have any further comments about the grammar, or
we will declare this final and move to adjusting the implementation next
week.

- --
Stephen Gallagher
RHCE 804006346421761

Delivering value year after year.
Red Hat ranks #1 in value among software vendors.
http://www.redhat.com/promo/vendor/
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (GNU/Linux)
Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org/

iEYEARECAAYFAkzm3qIACgkQeiVVYja6o6OgkgCeLQiHkFJCfgIPRAtmHdcN/iar
mZEAn0+RuUCV9/8EepbqW/zdpQZqXD+z
=+wsh
-----END PGP SIGNATURE-----

From ssorce at redhat.com Fri Nov 19 20:55:10 2010
From: ssorce at redhat.com (Simo Sorce)
Date: Fri, 19 Nov 2010 15:55:10 -0500
Subject: [Freeipa-devel] Proposed changes to the HBAC grammar
In-Reply-To: <4CE6DEA2.2010904@redhat.com>
References: <4CE6DEA2.2010904@redhat.com>
Message-ID: <20101119155510.44d12526@willson.li.ssimo.org>

On Fri, 19 Nov 2010 15:31:30 -0500
Stephen Gallagher wrote:

> Breaking the thread intentionally to bring back focus.
>
> With Adam's recent input, I've modified the grammar to what I hope
> will be its final form.
>
> The complete grammar is available at
> https://fedorahosted.org/sssd/wiki/HBAC_Grammar
>
> The differences from my previous proposal (involving septets) are here:
> https://fedorahosted.org/sssd/wiki/HBAC_Grammar?action=diff&version=3
>
> The primary change is that instead of introducing the septet concept,
> we will specify "day within a range". So the first Friday of the month
> would be:
>
> accessTime = periodic monthly on Fri between 1-7
>
> Tuesdays for the second half of the month would be:
> accessTime = periodic monthly on Tue between 15-31
>
> I don't anticipate that last being very common, but it's now possible.
>
> Please chime in if you have any further comments about the grammar, or
> we will declare this final and move to adjusting the implementation
> next week.

So we lose the possibility of saying: the last Friday of the month?

Simo.

--
Simo Sorce * Red Hat, Inc * New York

From sgallagh at redhat.com Fri Nov 19 20:56:55 2010
From: sgallagh at redhat.com (Stephen Gallagher)
Date: Fri, 19 Nov 2010 15:56:55 -0500
Subject: [Freeipa-devel] Proposed changes to the HBAC grammar
In-Reply-To: <20101119155510.44d12526@willson.li.ssimo.org>
References: <4CE6DEA2.2010904@redhat.com> <20101119155510.44d12526@willson.li.ssimo.org>
Message-ID: <4CE6E497.2090407@redhat.com>

On 11/19/2010 03:55 PM, Simo Sorce wrote:
> On Fri, 19 Nov 2010 15:31:30 -0500
> Stephen Gallagher wrote:
>
>> Breaking the thread intentionally to bring back focus.
>>
>> With Adam's recent input, I've modified the grammar to what I hope
>> will be its final form.
>>
>> The complete grammar is available at
>> https://fedorahosted.org/sssd/wiki/HBAC_Grammar
>>
>> The differences from my previous proposal (involving septets) are here:
>> https://fedorahosted.org/sssd/wiki/HBAC_Grammar?action=diff&version=3
>>
>> The primary change is that instead of introducing the septet concept,
>> we will specify "day within a range". So the first Friday of the month
>> would be:
>>
>> accessTime = periodic monthly on Fri between 1-7
>>
>> Tuesdays for the second half of the month would be:
>> accessTime = periodic monthly on Tue between 15-31
>>
>> I don't anticipate that last being very common, but it's now possible.
>>
>> Please chime in if you have any further comments about the grammar, or
>> we will declare this final and move to adjusting the implementation
>> next week.
>
> So we lose the possibility of saying: the last Friday of the month?

It's not impossible, it can still be done with this schema, though it's somewhat more complicated.

You'd need to set it up as separate rules for each particular month.

--
Stephen Gallagher
RHCE 804006346421761

From dpal at redhat.com Fri Nov 19 21:09:31 2010
From: dpal at redhat.com (Dmitri Pal)
Date: Fri, 19 Nov 2010 16:09:31 -0500
Subject: [Freeipa-devel] Proposed changes to the HBAC grammar
In-Reply-To: <4CE6DEA2.2010904@redhat.com>
References: <4CE6DEA2.2010904@redhat.com>
Message-ID: <4CE6E78B.9090406@redhat.com>

Stephen Gallagher wrote:
> Breaking the thread intentionally to bring back focus.
>
> With Adam's recent input, I've modified the grammar to what I hope will
> be its final form.
>
> The complete grammar is available at
> https://fedorahosted.org/sssd/wiki/HBAC_Grammar
>
> The differences from my previous proposal (involving septets) are here:
> https://fedorahosted.org/sssd/wiki/HBAC_Grammar?action=diff&version=3
>
> The primary change is that instead of introducing the septet concept, we
> will specify "day within a range". So the first Friday of the month
> would be:
>
> accessTime = periodic monthly on Fri between 1-7
>
> Tuesdays for the second half of the month would be:
> accessTime = periodic monthly on Tue between 15-31
>
> I don't anticipate that last being very common, but it's now possible.
>
> Please chime in if you have any further comments about the grammar, or
> we will declare this final and move to adjusting the implementation next
> week.
>

Why are you making it singular?
Why can't it be:

accessTime = periodic monthly on Tue, Thu between 15-31
or
accessTime = periodic monthly on Mon-Wed between 15-31
or
accessTime = periodic monthly on 1,2,3 between 15-31 <- meaning same as above

It seems that "singular" in this case is an artificial limitation.
However I would also treat the last portion of the rule differently.
Instead of:

M-on = "on" WSP day-of-the-week-singular WSP "between" WSP day-of-the-month-range
and
day-of-the-month-range = range 1-31

M-on = "on" WSP day-of-the-week WSP "during-7-day-set" WSP day-set
day-set = day-set-list / day-set-range
day-set-list = "1-7","8-14","15-21","22-28","29+"
or alternatively
day-set-list = "1","2","3","4","5" <- meaning first seven days, second seven days etc.

if we use this version then day-set-range can be just:
day-set-range = 1-5
otherwise it might be a bit more ugly.

If we now combine day set-list and day set range into one list range in the same way as we allow in interval for days we would be able to express

accessTime = periodic monthly on Tue, Thu between 15-31

it will look like:

accessTime = periodic monthly on Tue, Thu during-7-day-set 2-3
or
accessTime = periodic monthly on Tue, Thu during-7-day-set 2,3

as well as

accessTime = periodic monthly on Tue, Thu during-7-day-set 1 <--- meaning first Tue and Thu of the month

or

accessTime = periodic monthly on Tue, Thu during-7-day-set 1-5 <--- meaning all Tue and Thu of the month

I would actually argue that we would be able to reuse the interval logic from the month for this so it should not be more work than what has been proposed.

_______________________________________________
Freeipa-devel mailing list
Freeipa-devel at redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel

--
Thank you,
Dmitri Pal

Sr. Engineering Manager IPA project,
Red Hat Inc.

From edewata at redhat.com Fri Nov 19 21:09:45 2010
From: edewata at redhat.com (Endi Sukma Dewata) Date: Fri, 19 Nov 2010 15:09:45 -0600 Subject: [Freeipa-devel] Proposed changes to the HBAC grammar In-Reply-To: <4CE6E497.2090407@redhat.com> References: <4CE6DEA2.2010904@redhat.com> <20101119155510.44d12526@willson.li.ssimo.org> <4CE6E497.2090407@redhat.com> Message-ID: <4CE6E799.10200@redhat.com> On 11/19/2010 2:56 PM, Stephen Gallagher wrote: >> So we loose the possibility of saying: the last friday of the month ? > > It's not impossible, it can still be done with this schema, though it's > somewhat more complicated. > > You'd need to set it up as separate rules for each particular month. How about this? accessTime = periodic monthly on Friday between (last_day_of_month-6) to last_day_of_month -- Endi S. Dewata From dpal at redhat.com Fri Nov 19 21:13:09 2010 
From: dpal at redhat.com (Dmitri Pal)
Date: Fri, 19 Nov 2010 16:13:09 -0500
Subject: [Freeipa-devel] Proposed changes to the HBAC grammar
In-Reply-To: <4CE6E78B.9090406@redhat.com>
References: <4CE6DEA2.2010904@redhat.com> <4CE6E78B.9090406@redhat.com>
Message-ID: <4CE6E865.5060502@redhat.com>

Dmitri Pal wrote:
> Stephen Gallagher wrote:
>
>> Breaking the thread intentionally to bring back focus.
>>
>> With Adam's recent input, I've modified the grammar to what I hope will
>> be its final form.
>>
>> The complete grammar is available at
>> https://fedorahosted.org/sssd/wiki/HBAC_Grammar
>>
>> The differences from my previous proposal (involving septets) are here:
>> https://fedorahosted.org/sssd/wiki/HBAC_Grammar?action=diff&version=3
>>
>> The primary change is that instead of introducing the septet concept, we
>> will specify "day within a range". So the first Friday of the month
>> would be:
>>
>> accessTime = periodic monthly on Fri between 1-7
>>
>> Tuesdays for the second half of the month would be:
>> accessTime = periodic monthly on Tue between 15-31
>>
>> I don't anticipate that last being very common, but it's now possible.
>>
>> Please chime in if you have any further comments about the grammar, or
>> we will declare this final and move to adjusting the implementation next
>> week.
>>
>
> Why are you making it singular?
> Why can't it be:
> accessTime = periodic monthly on Tue, Thu between 15-31
> or
> accessTime = periodic monthly on Mon-Wed between 15-31
> or
> accessTime = periodic monthly on 1,2,3 between 15-31 <- meaning same as
> above
>
> It seems that "singular" in this case is an artificial limitation.
> However I would also treat the last portion of the rule differently.
> Instead of:
>
> M-on = "on" WSP day-of-the-week-singular WSP "between" WSP day-of-the-month-range
> and
> day-of-the-month-range = range 1-31
>
> M-on = "on" WSP day-of-the-week WSP "during-7-day-set" WSP day-set
> day-set = day-set-list / day-set-range
> day-set-list = "1-7","8-14","15-21","22-28","29+"
> or alternatively
> day-set-list = "1","2","3","4","5" <- meaning first seven days, second seven days etc.
> if we use this version then day-set-range can be just:
> day-set-range = 1-5
> otherwise it might be a bit more ugly.
> If we now combine day set-list and day set range into one list range in the same way as we allow in interval for days we would be able to express
>
> accessTime = periodic monthly on Tue, Thu between 15-31
>
> it will look like:
>
> accessTime = periodic monthly on Tue, Thu during-7-day-set 2-3
> or
> accessTime = periodic monthly on Tue, Thu during-7-day-set 2,3
>
> as well as
> accessTime = periodic monthly on Tue, Thu during-7-day-set 1 <--- meaning first Tue and Thu of the month
>
> or
>
> accessTime = periodic monthly on Tue, Thu during-7-day-set 1-5 <--- meaning all Tue and Thu of the month
>
>
> I would actually argue that we would be able to reuse the interval logic from the month for this so it should not be more work than what has been proposed.
>

This does not accommodate the "last X of the month" so it can be modified like this:

day-set-range 1-5 / "last"

--
Thank you,
Dmitri Pal

Sr. Engineering Manager IPA project,
Red Hat Inc.

From edewata at redhat.com Fri Nov 19 21:33:30 2010
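As an added illustration of the semantics debated in this thread (example code, not from SSSD, FreeIPA or any poster), the Python below evaluates Stephen's `periodic monthly on <day> between <lo>-<hi>` form against calendar dates, accepts the comma-separated day list Dmitri asks for, and shows how Endi's `(last_day_of_month-6) .. last_day_of_month` window turns "the last Friday of the month" into the per-month fixed-range rule Stephen describes. The function names and the 2010 sample dates are this example's own assumptions.

```python
import calendar
import re
from datetime import date

# Weekday abbreviations as written in the thread; datetime.weekday() counts Mon=0.
DAY_NAMES = {"Mon": 0, "Tue": 1, "Wed": 2, "Thu": 3, "Fri": 4, "Sat": 5, "Sun": 6}

# Stephen's 'between' form, extended with the comma-separated day list from
# Dmitri's reply. RULE_RE and the helpers below are names of this example,
# not of the SSSD grammar or its parser.
RULE_RE = re.compile(
    r"^periodic\s+monthly\s+on\s+(?P<days>[A-Za-z]{3}(?:\s*,\s*[A-Za-z]{3})*)"
    r"\s+between\s+(?P<lo>\d{1,2})-(?P<hi>\d{1,2})$"
)


def parse_rule(text):
    """Return (set of weekday numbers, lo, hi) for one accessTime value.

    Anything outside the 'between lo-hi' form, an unknown day name, or a
    range violating 1 <= lo <= hi <= 31 raises, so a malformed access rule
    fails closed rather than silently matching nothing or everything."""
    m = RULE_RE.match(text.strip())
    if not m:
        raise ValueError("unsupported accessTime rule: %r" % text)
    days = set()
    for name in m.group("days").split(","):
        name = name.strip()
        if name not in DAY_NAMES:
            raise ValueError("unknown day name %r" % name)
        days.add(DAY_NAMES[name])
    lo, hi = int(m.group("lo")), int(m.group("hi"))
    if not 1 <= lo <= hi <= 31:
        raise ValueError("day-of-month range must satisfy 1 <= lo <= hi <= 31")
    return days, lo, hi


def rule_matches(text, when):
    """True if `when` falls on one of the named weekdays and its day of the
    month lies inside the range."""
    days, lo, hi = parse_rule(text)
    return when.weekday() in days and lo <= when.day <= hi


def last_week_range(year, month):
    """Endi's proposal: the seven days ending on the last day of the month.
    Every weekday occurs exactly once in that window, so the window plus a
    weekday name selects the 'last <weekday> of the month'."""
    last = calendar.monthrange(year, month)[1]
    return last - 6, last


def last_weekday_rule(day_name, year, month):
    """Expand 'last <day> of the month' for one specific month into the
    fixed-range form, i.e. one of the per-month rules Stephen describes."""
    lo, hi = last_week_range(year, month)
    return "periodic monthly on %s between %d-%d" % (day_name, lo, hi)


def is_last_weekday(day_name, when):
    return rule_matches(last_weekday_rule(day_name, when.year, when.month), when)


if __name__ == "__main__":
    # Constructed sample dates: November 2010 starts on a Monday, so its
    # Fridays are the 5th, 12th, 19th and 26th.
    first_fri = "periodic monthly on Fri between 1-7"
    print(first_fri, date(2010, 11, 5), rule_matches(first_fri, date(2010, 11, 5)))
    # September 2010 ends on a Thursday, so its last Friday is the 24th: a
    # fixed 'between 25-31' misses it while the relative window catches it.
    print(last_weekday_rule("Fri", 2010, 9), is_last_weekday("Fri", date(2010, 9, 24)))
```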
From: edewata at redhat.com (Endi Sukma Dewata) Date: Fri, 19 Nov 2010 15:33:30 -0600 Subject: [Freeipa-devel] [PATCH] Fixed action panel queries Message-ID: <4CE6ED2A.8070804@redhat.com> Hi, Please review the attached patch. Thanks! Previously the queries for action panel were done globally. Since each entity container has its own action panel, the queries will return multiple results. This is fixed by qualifying the query to run within the entity container. The query has also been moved into ipa_facet.get_action_panel(). Entities that do not have their own entity container (e.g. HBAC services and service groups) will need to override this method to get the action panel from the right entity container (e.g. HBAC rules). The facet.setup_views() has been renamed to facet.create_action_panel(). New test data for SUDO rules have been added. -- Endi S. Dewata -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-edewata-0037-Fixed-action-panel-queries.patch Type: text/x-patch Size: 24642 bytes Desc: not available URL: From ayoung at redhat.com Fri Nov 19 22:09:30 2010 From: ayoung at redhat.com (Adam Young) Date: Fri, 19 Nov 2010 17:09:30 -0500 Subject: [Freeipa-devel] [PATCH] 0100-top-nav-index Message-ID: <4CE6F59A.4060507@redhat.com> -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-admiyo-0100-top-nav-index.patch Type: text/x-patch Size: 4886 bytes Desc: not available URL: From rcritten at redhat.com Fri Nov 19 23:00:18 2010 
From: rcritten at redhat.com (Rob Crittenden)
Date: Fri, 19 Nov 2010 18:00:18 -0500
Subject: [Freeipa-devel] [PATCH] 583 update DNS when adding/removing host
In-Reply-To: <20101028162914.13f6dbf8@willson.li.ssimo.org>
References: <4CBEFC00.7020303@redhat.com> <20101028162914.13f6dbf8@willson.li.ssimo.org>
Message-ID: <4CE70182.8020205@redhat.com>

Simo Sorce wrote:
> On Wed, 20 Oct 2010 10:26:08 -0400
> Rob Crittenden wrote:
>
>> Add ability to add/remove DNS records when adding/removing a host
>> entry.
>>
>> A host in DNS must have an IP address so a valid IP address is
>> required when adding a host. The --force flag will be needed too
>> since you are adding a host that isn't in DNS.
>>
>> For IPv4 it will create an A and a PTR DNS record.
>>
>> IPv6 isn't quite supported yet. Some basic work in the DNS installer
>> is needed to get this working. Once the get_reverse_zone() returns
>> the right value then this should start working and create an AAAA
>> record and the appropriate reverse entry.
>>
>> When deleting a host with the --updatedns flag it will try to remove
>> all records it can find in the zone for this host.
>>
>> ticket 238
>>
>> rob
>
> NACK, this patch introduces a bug when trying to add the same host
> multiple times with different ip address.
> The second time the ipa host-add will correctly return an error that the
> host already exists yet the A record with the new address is added in
> DNS. Adding records to the DNS should happen only after the host has
> been successfully created.
>
> Simo.
>

Ok, moved the dns_add into the post operation. It still does some amount of validation in the preop.

I added a failsafe so that if the host add is successful but the dns add fails it raises an error to that effect, it doesn't roll back all the changes.

rob

-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-583-2-host.patch Type: text/x-patch Size: 11095 bytes Desc: not available URL: From edewata at redhat.com Fri Nov 19 23:53:03 2010 From: edewata at redhat.com (Endi Sukma Dewata) Date: Fri, 19 Nov 2010 17:53:03 -0600 Subject: [Freeipa-devel] [PATCH] 0100-top-nav-index In-Reply-To: <4CE6F59A.4060507@redhat.com> References: <4CE6F59A.4060507@redhat.com> Message-ID: <4CE70DDF.1040205@redhat.com> On 11/19/2010 4:09 PM, Adam Young wrote: > This will not work with entities that do not have associated tabs, e.g. hbacsvc, hbacsvcgroups, sudocmd, sudocmdgroups. For these entities the IPA.tab_state() will return undefined, so the ipa_column_widget.setup() will fail. To reproduce this problem, try clicking the search results in hbacsvc or hbacsvcgroups. For some reason it will bring you to the user search page. We need to figure out the proper way to handle these entities. It probably requires framework modification. -- Endi S. Dewata From edewata at redhat.com Sat Nov 20 00:10:03 2010 From: edewata at redhat.com (Endi Sukma Dewata) Date: Fri, 19 Nov 2010 18:10:03 -0600 Subject: [Freeipa-devel] [PATCH] SUDO Commands and Command Groups Message-ID: <4CE711DB.802@redhat.com> Hi, Please review the attached patch. It requires patch #37 (Fixed action panel queries). Thanks! The SUDO Commands and Command Groups pages have been added under SUDO Rules tab. Similar to HBAC navigation issue, these entities do not have their own tab, so an exception has been added to the navigation code to read sudo-entity parameter to determine the entity being viewed. Fixing this issue will require framework changes. New test data for these operations have been added. -- Endi S. Dewata -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-edewata-0038-SUDO-Commands-and-Command-Groups.patch Type: text/x-patch Size: 33334 bytes Desc: not available URL: From edewata at redhat.com Sat Nov 20 02:35:43 2010 
From: edewata at redhat.com (Endi Sukma Dewata) Date: Fri, 19 Nov 2010 20:35:43 -0600 Subject: [Freeipa-devel] [PATCH] Multivalued email address Message-ID: <4CE733FF.8000001@redhat.com> Pushed under three-liner rule. ;) -- Endi S. Dewata -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-edewata-0039-Multivalued-email-address.patch Type: text/x-patch Size: 2313 bytes Desc: not available URL: From rcritten at redhat.com Sat Nov 20 04:20:23 2010 From: rcritten at redhat.com (Rob Crittenden) Date: Fri, 19 Nov 2010 23:20:23 -0500 Subject: [Freeipa-devel] [PATCH] 616 handle client-install wget failure Message-ID: <4CE74C87.3050101@redhat.com> In the client installer we fetch the CA from the IPA server. Wrap this to catch any failures that might occur (like there is an iptables rule denying access to the IPA server). I tested this by shutting down the httpd service on the IPA server and running ipa-client-install on a client. rob -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-rcrit-616-client.patch Type: text/x-patch Size: 1112 bytes Desc: not available URL: From jhrozek at redhat.com Mon Nov 22 12:01:38 2010 
From: jhrozek at redhat.com (Jakub Hrozek) Date: Mon, 22 Nov 2010 13:01:38 +0100 Subject: [Freeipa-devel] [PATCH] 011 Use sys.exit to quit scripts In-Reply-To: <4CDB8EE6.4030704@redhat.com> References: <4CD96A22.9050105@redhat.com> <4CD99A86.3020202@redhat.com> <4CDB8EE6.4030704@redhat.com> Message-ID: <20101122120137.GA18205@zeppelin.brq.redhat.com> On Thu, Nov 11, 2010 at 07:36:22AM +0100, Jakub Hrozek wrote: > -----BEGIN PGP SIGNED MESSAGE----- > Hash: SHA1 > > On 11/09/2010 08:01 PM, Rob Crittenden wrote: > > Jakub Hrozek wrote: > >> -----BEGIN PGP SIGNED MESSAGE----- > >> Hash: SHA1 > >> > >> Instead of print and return, use sys.exit() to quit scripts with an > >> error message and a non zero return code. > >> > >> https://fedorahosted.org/freeipa/ticket/425 > >> > > > > This isn't applying for me. Can you try to rebase it? > > > > thanks > > > > rob > > It should apply cleanly once the remaining diff of the patch that logs > install script options is pushed. Sorry, I did not mention there was a > dependency earlier. > Attached patch rebased on top of the current master Jakub -------------- next part -------------- >From 84a3b6335bf2b7082469bc9b048245e5605a5f55 Mon Sep 17 00:00:00 2001 From: Jakub Hrozek Date: Mon, 8 Nov 2010 23:13:48 +0100 Subject: [PATCH] Use sys.exit to quit scripts Instead of print and return, use sys.exit() to quit scripts with an error message and a non zero return code. https://fedorahosted.org/freeipa/ticket/425 --- install/tools/ipa-compat-manage | 16 ++++------- install/tools/ipa-dns-install | 9 ++---- install/tools/ipa-nis-manage | 13 +++------ install/tools/ipa-server-certinstall | 5 +-- install/tools/ipa-server-install | 32 ++++++++------------- ipa-client/ipa-install/ipa-client-install | 43 ++++++++++++----------------- 6 files changed, 45 insertions(+), 73 deletions(-) diff --git a/install/tools/ipa-compat-manage b/install/tools/ipa-compat-manage index ded587d..508efd8 100755 --- a/install/tools/ipa-compat-manage 
+++ b/install/tools/ipa-compat-manage @@ -74,11 +74,9 @@ def main(): loglevel = logging.DEBUG if len(args) != 1: - print "You must specify one action, either enable or disable" - sys.exit(1) + sys.exit("You must specify one action, either enable or disable") elif args[0] != "enable" and args[0] != "disable" and args[0] != "status": - print "Unrecognized action [" + args[0] + "]" - sys.exit(1) + sys.exit("Unrecognized action [" + args[0] + "]") logging.basicConfig(level=loglevel, format='%(levelname)s %(message)s') @@ -102,9 +100,7 @@ def main(): bind_dn='cn=directory manager', bind_pw=dirman_password ) except errors.LDAPError, lde: - print "An error occurred while connecting to the server." - print lde - return 1 + sys.exit("An error occurred while connecting to the server.\n%s\n" % str(lde)) if args[0] == "status": try: @@ -142,9 +138,9 @@ def main(): # We can't disable schema compat if the NIS plugin is enabled try: conn.get_entry(netgroup_compat_dn, normalize=False) - print "The NIS plugin is configured, cannot disable compatibility." - print "Run 'ipa-nis-manage disable' first." - return 2 + print >>sys.stderr, "The NIS plugin is configured, cannot disable compatibility." + print >>sys.stderr, "Run 'ipa-nis-manage disable' first." + sys.exit(2) except errors.NotFound: pass # Make a quick hack for now, directly delete the entries by name, diff --git a/install/tools/ipa-dns-install b/install/tools/ipa-dns-install index b7db1be..5604931 100755 --- a/install/tools/ipa-dns-install +++ b/install/tools/ipa-dns-install @@ -80,8 +80,7 @@ def main(): safe_options, options = parse_options() if os.getegid() != 0: - print "Must be root to setup server" - return 1 + sys.exit("Must be root to setup server") standard_logging_setup("/var/log/ipaserver-install.log", options.debug, filemode='a') print "\nThe log file for this installation can be found in /var/log/ipaserver-install.log" 
@@ -103,8 +102,7 @@ def main(): # Check bind packages are installed if not bindinstance.check_inst(options.unattended): - print "Aborting installation" - return 1 + sys.exit("Aborting installation") # Initialize the ipalib api cfg = dict( @@ -124,8 +122,7 @@ def main(): ip_address = resolve_host(api.env.host) if not ip_address or not verify_ip_address(ip_address): if options.unattended: - print "Unable to resolve IP address for host name" - return 1 + sys.exit("Unable to resolve IP address for host name") else: ip_address = read_ip_address(api.env.host, fstore) logging.debug("will use ip_address: %s\n", ip_address) diff --git a/install/tools/ipa-nis-manage b/install/tools/ipa-nis-manage index 6448d17..9151886 100755 --- a/install/tools/ipa-nis-manage +++ b/install/tools/ipa-nis-manage @@ -88,11 +88,9 @@ def main(): loglevel = logging.DEBUG if len(args) != 1: - print "You must specify one action, either enable or disable" - sys.exit(1) + sys.exit("You must specify one action, either enable or disable") elif args[0] != "enable" and args[0] != "disable": - print "Unrecognized action [" + args[0] + "]" - sys.exit(1) + sys.exit("Unrecognized action [" + args[0] + "]") logging.basicConfig(level=loglevel, format='%(levelname)s %(message)s') @@ -118,15 +116,12 @@ def main(): except errors.ACIError: sys.exit("Incorrect password") except errors.LDAPError, lde: - print "An error occurred while connecting to the server." - print lde - return 1 + sys.exit("An error occurred while connecting to the server: %s" % str(lde)) if args[0] == "enable": compat = get_entry(compat_dn, conn) if compat is None: - print "The compat plugin needs to be enabled: ipa-compat-manage enable" - return 1 + sys.exit("The compat plugin needs to be enabled: ipa-compat-manage enable") entry = None try: entry = get_entry(nis_config_dn, conn) diff --git a/install/tools/ipa-server-certinstall b/install/tools/ipa-server-certinstall index 9d69853..4b46053 100755 --- a/install/tools/ipa-server-certinstall 
+++ b/install/tools/ipa-server-certinstall @@ -156,9 +156,8 @@ def main(): os.chown(dirname + "/secmod.db", 0, pent.pw_gid ) except Exception, e: - print "an unexpected error occurred: %s" % str(e) - traceback.print_exc() - return 1 + traceback.print_exc(file=sys.stderr) + sys.exit("an unexpected error occurred: %s" % str(e)) return 0 diff --git a/install/tools/ipa-server-install b/install/tools/ipa-server-install index aeb1cb7..b3e724e 100755 --- a/install/tools/ipa-server-install +++ b/install/tools/ipa-server-install @@ -455,8 +455,7 @@ def main(): safe_options, options = parse_options() if os.getegid() != 0: - print "Must be root to set up server" - return 1 + sys.exit("Must be root to set up server") signal.signal(signal.SIGTERM, signal_handler) signal.signal(signal.SIGINT, signal_handler) @@ -539,14 +538,12 @@ def main(): # check bind packages are installed if options.setup_dns: if not bindinstance.check_inst(options.unattended): - print "Aborting installation" - return 1 + sys.exit("Aborting installation") # check the pkinit plugin is installed if options.setup_pkinit: if not krbinstance.check_pkinit_plugin(): - print "Aborting installation" - return 1 + sys.exit("Aborting installation") # check the hostname is correctly configured, it must be as the kldap # utilities just use the hostname as returned by gethostbyname to set @@ -562,8 +559,7 @@ def main(): try: verify_fqdn(host_default,options.no_host_dns) except RuntimeError, e: - logging.error(str(e) + "\n") - return 1 + sys.exit(str(e) + "\n") host_name = host_default else: 
@@ -586,27 +582,25 @@ def main(): if options.ip_address: ip = options.ip_address if ip is None and options.unattended: - print "Unable to resolve IP address for host name" - return 1 + sys.exit("Unable to resolve IP address for host name") if not verify_ip_address(ip): ip = "" if options.unattended: - return 1 + sys.exit(1) if options.ip_address and options.ip_address != ip: if options.setup_dns: ip = options.ip_address else: - print "Error: the hostname resolves to an IP address that is different" - print "from the one provided on the command line. Please fix your DNS" - print "or /etc/hosts file and restart the installation." + print >>sys.stderr, "Error: the hostname resolves to an IP address that is different" + print >>sys.stderr, "from the one provided on the command line. Please fix your DNS" + print >>sys.stderr, "or /etc/hosts file and restart the installation." return 1 if options.unattended: if not ip: - print "Unable to resolve IP address" - return 1 + sys.exit("Unable to resolve IP address") if not ip: ip = read_ip_address(host_name, fstore) @@ -622,7 +616,7 @@ def main(): if not options.ds_user: ds_user = read_ds_user() if ds_user == "": - return 1 + sys.exit(1) logging.debug("read ds_user: %s\n" % ds_user) else: ds_user = options.ds_user @@ -830,9 +824,7 @@ def main(): try: run(["/usr/sbin/ipa-client-install", "--on-master", "--unattended", "--domain", domain_name, "--server", host_name, "--realm", realm_name]) except Exception, e: - print "Configuration of client side components failed!" - print "ipa-client-install returned: " + str(e) - return 1 + sys.exit("Configuration of client side components failed!\nipa-client-install returned: " + str(e)) print "==============================================================================" print "Setup complete" diff --git a/ipa-client/ipa-install/ipa-client-install b/ipa-client/ipa-install/ipa-client-install index cc27ff7..df3b4b5 100755 --- a/ipa-client/ipa-install/ipa-client-install 
+++ b/ipa-client/ipa-install/ipa-client-install @@ -515,8 +515,7 @@ def main(): return uninstall(options, env) if fstore.has_files() and not options.force: - print "IPA client is already configured on this system." - return 1 + sys.exit("IPA client is already configured on this system.") cli_domain = None cli_server = None @@ -525,8 +524,7 @@ def main(): subject_base = None if options.unattended and (options.password is None and options.principal is None and options.prompt_password is False) and not options.on_master: - print "One of password and principal are required." - return 1 + sys.exit("One of password and principal are required.") # Create the discovery instance ds = ipaclient.ipadiscovery.IPADiscovery() @@ -536,8 +534,8 @@ def main(): else: ret = ds.search() if ret == -10: - print "Can't get the fully qualified name of this host" - print "Please check that the client is properly configured" + print >>sys.stderr, "Can't get the fully qualified name of this host" + print >>sys.stderr, "Please check that the client is properly configured" return ret if ret == -1 or not ds.getDomainName(): logging.debug("Domain not found") @@ -577,9 +575,9 @@ def main(): logging.debug("will use server: %s\n", cli_server) if ret != 0: - print "Failed to verify that "+cli_server+" is an IPA Server." - print "This may mean that the remote server is not up or is not reachable" - print "due to network or firewall settings." + print >>sys.stderr, "Failed to verify that "+cli_server+" is an IPA Server." + print >>sys.stderr, "This may mean that the remote server is not up or is not reachable" + print >>sys.stderr, "due to network or firewall settings." return ret if dnsok: 
@@ -596,7 +594,7 @@ def main(): if options.realm_name and options.realm_name != ds.getRealmName(): if not options.unattended: - print "ERROR: The provided realm name: ["+options.realm_name+"] does not match with the discovered one: ["+ds.getRealmName()+"]\n" + print >>sys.stderr, "ERROR: The provided realm name: ["+options.realm_name+"] does not match with the discovered one: ["+ds.getRealmName()+"]\n" return -3 cli_realm = ds.getRealmName() @@ -634,8 +632,7 @@ def main(): (krb_fd, krb_name) = tempfile.mkstemp() os.close(krb_fd) if configure_krb5_conf(fstore, cli_basedn, cli_realm, cli_domain, cli_server, dnsok, options, krb_name): - print "Test kerberos configuration failed" - return 1 + sys.exit("Test kerberos configuration failed") env['KRB5_CONFIG'] = krb_name join_args = ["/usr/sbin/ipa-join", "-s", cli_server] if options.debug: @@ -653,23 +650,20 @@ def main(): sys.stdout.flush() else: if sys.stdin.isatty(): - print "Password must be provided in non-interactive mode" - return 1 + sys.exit("Password must be provided in non-interactive mode") else: stdin = sys.stdin.readline() (stderr, stdout, returncode) = run(["kinit", principal], raiseonerr=False, stdin=stdin, env=env) print "" if returncode != 0: - print stdout - return 1 + sys.exit(stdout) elif options.password: join_args.append("-w") join_args.append(options.password) elif options.prompt_password: if options.unattended: - print "Password must be provided in non-interactive mode" - return 1 + sys.exit("Password must be provided in non-interactive mode") password = getpass.getpass("Password: ") join_args.append("-w") join_args.append(password) @@ -678,7 +672,7 @@ def main(): (stdout, stderr, returncode) = run(join_args, raiseonerr=False, env=env) if returncode != 0: - print "Joining realm failed: %s" % stderr, + print >>sys.stderr, "Joining realm failed: %s" % stderr, if not options.force: return 1 print " Use ipa-getkeytab to obtain a host principal for this server." 
@@ -763,8 +757,7 @@ def main(): try: hardcode_ldap_server(cli_server) except Exception, e: - print "Adding hardcoded server name to /etc/ldap.conf failed: " + str(e) - return 1 + sys.exit("Adding hardcoded server name to /etc/ldap.conf failed: " + str(e)) #Modify pam to add pam_krb5 run(["/usr/sbin/authconfig", "--enablekrb5", "--update", "--nostart"]) @@ -789,16 +782,16 @@ def main(): try: service('nscd', nscd_action) except: - print "Failed to %s the NSCD daemon" % nscd_action + print >>sys.stderr, "Failed to %s the NSCD daemon" % nscd_action if not options.sssd: - print "Caching of users/groups will not be available" + print >>sys.stderr, "Caching of users/groups will not be available" try: chkconfig('nscd', nscd_status) except: - print "Failed to configure automatic startup of the NSCD daemon" + print >>sys.stderr, "Failed to configure automatic startup of the NSCD daemon" if not options.sssd: - print "Caching of users/groups will not be available after reboot" + print >>sys.stderr, "Caching of users/groups will not be available after reboot" print "Client configuration complete." -- 1.7.3.2 From jhrozek at redhat.com Mon Nov 22 12:58:40 2010 
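Review bot: in the ipa-compat-manage hunk at @@ -102,9 +100,7 @@ the new message `sys.exit("An error occurred while connecting to the server.\n%s\n" % str(lde))` ends in "\n", so together with the newline sys.exit adds it leaves a blank trailing line on stderr, while the same branch in ipa-nis-manage (@@ -118,15 +116,12 @@) uses a different shape, `"...server: %s" % str(lde)`. Pick one format for both tools and drop the trailing newline.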
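Review bot: the ipa-server-install hunk at @@ -562,8 +559,7 @@ replaces `logging.error(str(e) + "\n")` with `sys.exit(str(e) + "\n")`, so a verify_fqdn failure no longer passes through the logging handlers and only reaches stderr; keep the logging.error call and exit after it, and drop the trailing "\n" that sys.exit already supplies.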
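Review bot: in the ipa-server-install hunk at @@ -586,27 +582,25 @@ two paths still fall short of the commit message's goal of exiting non-zero with an error message: the `verify_ip_address` failure under `options.unattended` becomes a bare `sys.exit(1)` that tells the user nothing, and the "the hostname resolves to an IP address that is different" branch keeps `return 1` while every neighbouring exit was converted. Give the first a message, and unless the caller passes main()'s result to sys.exit, convert the second as well.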
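Review bot: the ipa-client-install hunk at @@ -536,8 +534,8 @@ moves the "Can't get the fully qualified name of this host" text to stderr but still does `return ret` with ret == -10; if main()'s return value ends up as the process exit status, a negative value is taken modulo 256 (246 here), so an explicit positive code via sys.exit would be more predictable. The `return -3` in the realm-name mismatch hunk (@@ -596,7 +594,7 @@) has the same issue.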
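Review bot: in the ipa-client-install hunk at @@ -653,23 +650,20 @@ the kinit failure becomes `sys.exit(stdout)`, but run()'s result is unpacked there as `(stderr, stdout, returncode)` and a few lines later, in the ipa-join hunk, as `(stdout, stderr, returncode)`; one of the two orders is wrong, and if it is this one the user is shown kinit's (normally empty) stdout instead of its error text. Confirm run()'s return order and name the variables accordingly before making the exit message depend on it.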
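Review bot: in the ipa-client-install hunk at @@ -678,7 +672,7 @@ the converted line `print >>sys.stderr, "Joining realm failed: %s" % stderr,` keeps its trailing comma, so no newline is written, while the continuation `print " Use ipa-getkeytab to obtain a host principal for this server."` that runs under --force still goes to stdout; the two halves of one message now land on different streams. Send the continuation to stderr too and drop the trailing comma.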
From: jhrozek at redhat.com (Jakub Hrozek) Date: Mon, 22 Nov 2010 13:58:40 +0100 Subject: [Freeipa-devel] [PATCH] 0015 Configure KDC to use multiple workers In-Reply-To: <20101115210555.4a1ff6c2@willson.li.ssimo.org> References: <20101115210555.4a1ff6c2@willson.li.ssimo.org> Message-ID: <20101122125839.GA21959@zeppelin.brq.redhat.com> On Mon, Nov 15, 2010 at 09:05:55PM -0500, Simo Sorce wrote: > > Add code to detect the number of CPUs available at install time. > If the kerberos version is >= 1.9 then the KDC supports multiple > workers. > If more than 1 CPU is available configure the KDC to start 1 worker per > CPU to aid in scalability. > > Addresses ticket #222 > > Simo. As I don't have Kerberos 1.9 (does not seem to be even in F15..) I only tested that the patch modifies the /etc/sysconfig/krb5kdc file. The code looks good and seems to work fine. I have two suggestions: 1) we should test if the open() calls succeed 2) I think that we should log that we are about to modify a file A more general thought (although it's certainly not a task for 2.0), maybe we should consider using Augeas, either via its Python API or just calling augtool to modify config files. The benefits would be safer modifications (augeas knows the file structure) and most probably even cleaner code. Jakub From jhrozek at redhat.com Mon Nov 22 13:27:21 2010 
From: jhrozek at redhat.com (Jakub Hrozek) Date: Mon, 22 Nov 2010 14:27:21 +0100 Subject: [Freeipa-devel] [PATCH] 616 handle client-install wget failure In-Reply-To: <4CE74C87.3050101@redhat.com> References: <4CE74C87.3050101@redhat.com> Message-ID: <20101122132720.GB21959@zeppelin.brq.redhat.com> On Fri, Nov 19, 2010 at 11:20:23PM -0500, Rob Crittenden wrote: > In the client installer we fetch the CA from the IPA server. Wrap > this to catch any failures that might occur (like there is an > iptables rule denying access to the IPA server). > > I tested this by shutting down the httpd service on the IPA server > and running ipa-client-install on a client. > > rob ACK From ssorce at redhat.com Mon Nov 22 13:36:49 2010 
From: ssorce at redhat.com (Simo Sorce) Date: Mon, 22 Nov 2010 08:36:49 -0500 Subject: [Freeipa-devel] [PATCH] 0015 Configure KDC to use multiple workers In-Reply-To: <20101122125839.GA21959@zeppelin.brq.redhat.com> References: <20101115210555.4a1ff6c2@willson.li.ssimo.org> <20101122125839.GA21959@zeppelin.brq.redhat.com> Message-ID: <20101122083649.12611953@willson.li.ssimo.org> On Mon, 22 Nov 2010 13:58:40 +0100 Jakub Hrozek wrote: > On Mon, Nov 15, 2010 at 09:05:55PM -0500, Simo Sorce wrote: > > > > Add code to detect the number of CPUs available at install time. > > If the kerberos version is >= 1.9 then the KDC supports multiple > > workers. > > If more than 1 CPU is available configure the KDC to start 1 worker > > per CPU to aid in scalability. > > > > Addresses ticket #222 > > > > Simo. > > As I don't have Kerberos 1.9 (does not seem to be even in F15..) I > only tested that the patch modifies the /etc/sysconfig/krb5kdc file. > > The code looks good and seems to work fine. I have two suggestions: > > 1) we should test if the open() calls succeed In what case it can fail ? > 2) I think that we should log that we are about to modify a file We don't do that for any of the many files we modify, why should we ? > A more general thought (although it's certainly not a task for 2.0), > maybe we should consider using Augeas, either via its Python API or > just calling augtool to modify config files. The benefits would be > safer modifications (augeas knows the file structure) and most > probably even cleaner code. This is a good idea, can you open an enhancement ticket ? Simo. -- Simo Sorce * Red Hat, Inc * New York From jhrozek at redhat.com Mon Nov 22 14:12:17 2010 
From: jhrozek at redhat.com (Jakub Hrozek) Date: Mon, 22 Nov 2010 15:12:17 +0100 Subject: [Freeipa-devel] [PATCH] 0015 Configure KDC to use multiple workers In-Reply-To: <20101122083649.12611953@willson.li.ssimo.org> References: <20101115210555.4a1ff6c2@willson.li.ssimo.org> <20101122125839.GA21959@zeppelin.brq.redhat.com> <20101122083649.12611953@willson.li.ssimo.org> Message-ID: <4CEA7A41.6040300@redhat.com> On 11/22/2010 02:36 PM, Simo Sorce wrote: > On Mon, 22 Nov 2010 13:58:40 +0100 > Jakub Hrozek wrote: > >> On Mon, Nov 15, 2010 at 09:05:55PM -0500, Simo Sorce wrote: >>> >>> Add code to detect the number of CPUs available at install time. >>> If the kerberos version is >= 1.9 then the KDC supports multiple >>> workers. >>> If more than 1 CPU is available configure the KDC to start 1 worker >>> per CPU to aid in scalability. >>> >>> Addresses ticket #222 >>> >>> Simo. >> >> As I don't have Kerberos 1.9 (does not seem to be even in F15..) I >> only tested that the patch modifies the /etc/sysconfig/krb5kdc file. >> >> The code looks good and seems to work fine. I have two suggestions: >> >> 1) we should test if the open() calls succeed > > In what case it can fail ? For instance if the file was not present, if its SELinux label was wrong. I just think it's good defensive behaviour. Although it is true that the scripts would catch the exception and print a more meaningful error message than just an ugly traceback, which was basically my point. So this might actually be fine. > >> 2) I think that we should log that we are about to modify a file > > We don't do that for any of the many files we modify, why should we ? OK, if we don't do that already, it makes no sense to do it for this single occurrence. FWIW, I was thinking that as an admin I would probably like to see when config on my system changes - at least when the log level is set to debug. 
> >> A more general thought (although it's certainly not a task for 2.0), >> maybe we should consider using Augeas, either via its Python API or >> just calling augtool to modify config files. The benefits would be >> safer modifications (augeas knows the file structure) and most >> probably even cleaner code. > > This is a good idea, can you open an enhancement ticket ? > https://fedorahosted.org/freeipa/ticket/525 From jzeleny at redhat.com Mon Nov 22 14:25:44 2010 From: jzeleny at redhat.com (Jan Zelený) Date: Mon, 22 Nov 2010 15:25:44 +0100 Subject: [Freeipa-devel] [PATCH] Added some fields to user object Message-ID: <201011221525.44652.jzeleny@redhat.com> Some fields were missing from user object, this change adds them along with their l10n https://fedorahosted.org/freeipa/ticket/305 -- Thank you Jan Zeleny Red Hat Software Engineer Brno, Czech Republic -------------- next part -------------- A non-text attachment was scrubbed... Name: jzeleny-freeipa-0006-Added-some-fields-to-user-object.patch Type: text/x-patch Size: 2919 bytes Desc: not available URL: From ayoung at redhat.com Mon Nov 22 14:37:18 2010 
From: ayoung at redhat.com (Adam Young) Date: Mon, 22 Nov 2010 09:37:18 -0500 Subject: [Freeipa-devel] [PATCH] Added some fields to user object In-Reply-To: <201011221525.44652.jzeleny@redhat.com> References: <201011221525.44652.jzeleny@redhat.com> Message-ID: <4CEA801E.2020908@redhat.com> On 11/22/2010 09:25 AM, Jan Zelený wrote: > Some fields were missing from user object, this change adds them > along with their l10n > > https://fedorahosted.org/freeipa/ticket/305 > > > > > _______________________________________________ > Freeipa-devel mailing list > Freeipa-devel at redhat.com > https://www.redhat.com/mailman/listinfo/freeipa-devel NACK Did a user-show and got this stack trace:
Traceback (most recent call last):
  File "/home/ayoung/devel/freeipa/ipalib/plugable.py", line 538, in import_plugins
    __import__(fullname)
  File "/home/ayoung/devel/freeipa/ipalib/plugins/user.py", line 57, in <module>
    class user(LDAPObject):
  File "/home/ayoung/devel/freeipa/ipalib/plugins/user.py", line 185, in user
    label=_('Org. Unit'),
  File "/home/ayoung/devel/freeipa/ipalib/parameters.py", line 1232, in __init__
    super(Str, self).__init__(name, *rules, **kw)
  File "/home/ayoung/devel/freeipa/ipalib/parameters.py", line 1111, in __init__
    super(Data, self).__init__(name, *rules, **kw)
  File "/home/ayoung/devel/freeipa/ipalib/parameters.py", line 404, in __init__
    check_name(self.cli_name)
  File "/home/ayoung/devel/freeipa/ipalib/base.py", line 244, in check_name
    NAME_ERROR % (NAME_REGEX, name)
ValueError: name must match '^[a-z][_a-z0-9]*[a-z0-9]$|^[a-z]$'; got 'org-unit'
Traceback (most recent call last):
  File "./lite-server.py", line 121, in <module>
    api.finalize()
  File "/home/ayoung/devel/freeipa/ipalib/plugable.py", line 557, in finalize
    self.__do_if_not_done('load_plugins')
  File "/home/ayoung/devel/freeipa/ipalib/plugable.py", line 371, in __do_if_not_done
    getattr(self, name)()
  File "/home/ayoung/devel/freeipa/ipalib/plugable.py", line 509, in load_plugins
    self.import_plugins('ipalib')
  File "/home/ayoung/devel/freeipa/ipalib/plugable.py", line 547, in import_plugins
    raise e
ValueError: name must match '^[a-z][_a-z0-9]*[a-z0-9]$|^[a-z]$'; got 'org-unit'
-------------- next part -------------- An HTML attachment was scrubbed... URL: From ayoung at redhat.com Mon Nov 22 14:41:06 2010 
From: ayoung at redhat.com (Adam Young) Date: Mon, 22 Nov 2010 09:41:06 -0500 Subject: [Freeipa-devel] [PATCH] 616 handle client-install wget failure In-Reply-To: <20101122132720.GB21959@zeppelin.brq.redhat.com> References: <4CE74C87.3050101@redhat.com> <20101122132720.GB21959@zeppelin.brq.redhat.com> Message-ID: <4CEA8102.2070500@redhat.com> On 11/22/2010 08:27 AM, Jakub Hrozek wrote: > On Fri, Nov 19, 2010 at 11:20:23PM -0500, Rob Crittenden wrote: > >> In the client installer we fetch the CA from the IPA server. Wrap >> this to catch any failures that might occur (like there is an >> iptables rule denying access to the IPA server). >> >> I tested this by shutting down the httpd service on the IPA server >> and running ipa-client-install on a client. >> >> rob >> > ACK > > _______________________________________________ > Freeipa-devel mailing list > Freeipa-devel at redhat.com > https://www.redhat.com/mailman/listinfo/freeipa-devel > Pushed to master From jhrozek at redhat.com Mon Nov 22 15:04:51 2010 
From: jhrozek at redhat.com (Jakub Hrozek) Date: Mon, 22 Nov 2010 16:04:51 +0100 Subject: [Freeipa-devel] [PATCH] 0015 Configure KDC to use multiple workers In-Reply-To: <4CEA7A41.6040300@redhat.com> References: <20101115210555.4a1ff6c2@willson.li.ssimo.org> <20101122125839.GA21959@zeppelin.brq.redhat.com> <20101122083649.12611953@willson.li.ssimo.org> <4CEA7A41.6040300@redhat.com> Message-ID: <4CEA8693.5070305@redhat.com> On 11/22/2010 03:12 PM, Jakub Hrozek wrote: >> In what case it can fail ? > For instance if the file was not present, if its SELinux label was > wrong. I just think it's good defensive behaviour. > > Although it is true that the scripts would catch the exception and print > a more meaningful error message than just an ugly traceback, which was > basically my point. So this might actually be fine. > >> > >>> >> 2) I think that we should log that we are about to modify a file >> > >> > We don't do that for any of the many files we modify, why should we ? > OK, if we don't do that already, it makes no sense to do it for this > single occurrence. FWIW, I was thinking that as an admin I would > probably like to see when config on my system changes - at least when > the log level is set to debug. > This could have been shortened to Ack :-) From sgallagh at redhat.com Mon Nov 22 15:05:53 2010 
From: sgallagh at redhat.com (Stephen Gallagher) Date: Mon, 22 Nov 2010 10:05:53 -0500 Subject: [Freeipa-devel] Proposed changes to the HBAC grammar In-Reply-To: <4CE6E799.10200@redhat.com> References: <4CE6DEA2.2010904@redhat.com> <20101119155510.44d12526@willson.li.ssimo.org> <4CE6E497.2090407@redhat.com> <4CE6E799.10200@redhat.com> Message-ID: <4CEA86D1.5000700@redhat.com> On 11/19/2010 04:09 PM, Endi Sukma Dewata wrote: > On 11/19/2010 2:56 PM, Stephen Gallagher wrote: >>> So we lose the possibility of saying: the last friday of the month ? >> >> It's not impossible, it can still be done with this schema, though it's >> somewhat more complicated. >> >> You'd need to set it up as separate rules for each particular month. > > How about this? > accessTime = periodic monthly on Friday between (last_day_of_month-6) to > last_day_of_month > Actually, I think this would be easier to handle: accessTime = periodic monthly on Friday between -7 - -1 So we define negative day-of-the-month numbers as number of days from the end of the month, with -1 being the last day of the month. -- Stephen Gallagher RHCE 804006346421761 Delivering value year after year. Red Hat ranks #1 in value among software vendors. http://www.redhat.com/promo/vendor/ From sgallagh at redhat.com Mon Nov 22 15:13:59 2010 
From: sgallagh at redhat.com (Stephen Gallagher) Date: Mon, 22 Nov 2010 10:13:59 -0500 Subject: [Freeipa-devel] Proposed changes to the HBAC grammar In-Reply-To: <4CE6E78B.9090406@redhat.com> References: <4CE6DEA2.2010904@redhat.com> <4CE6E78B.9090406@redhat.com> Message-ID: <4CEA88B7.7080503@redhat.com> On 11/19/2010 04:09 PM, Dmitri Pal wrote: > Stephen Gallagher wrote: >> Breaking the thread intentionally to bring back focus. >> >> With Adam's recent input, I've modified the grammar to what I hope will >> be its final form. >> >> The complete grammar is available at >> https://fedorahosted.org/sssd/wiki/HBAC_Grammar >> >> The differences from my previous proposal (involving septets) are here: >> https://fedorahosted.org/sssd/wiki/HBAC_Grammar?action=diff&version=3 >> >> >> The primary change is that instead of introducing the septet concept, we >> will specify "day within a range". So the first Friday of the month >> would be: >> >> accessTime = periodic monthly on Fri between 1-7 >> >> Tuesdays for the second half of the month would be: >> accessTime = periodic monthly on Tue between 15-31 >> >> >> I don't anticipate that last being very common, but it's now possible. >> >> Please chime in if you have any further comments about the grammar, or >> we will declare this final and move to adjusting the implementation next >> week. >> > Why are you making it singular? > Why can't it be: > accessTime = periodic monthly on Tue, Thu between 15-31 > or > accessTime = periodic monthly on Mon-Wed between 15-31 > or > accessTime = periodic monthly on 1,2,3 between 15-31 <- meaning same as > above > > It seems that "singular" in this case is an artificial limitation. I'll agree with this. We can remove the "singular" limitation. > However I would also treat the last portion of the rule differently. 
> Instead of: > > M-on = "on" WSP day-of-the-week-singular WSP "between" WSP day-of-the-month-range > and > day-of-the-month-range = range 1-31 > > M-on = "on" WSP day-of-the-week WSP "during-7-day-set" WSP day-set > day-set = day-set-list / day-set-range > day-set-list = "1-7","8-14","15-21","22-28","29+" > or alternatively > day-set-list = "1","2","3","4","5" <- meaning first seven days, second seven days etc. > if we use this version then day-set-range can be just: > day-set-range = 1-5 > otherwise it might be a bit more ugly. > If we now combine day set-list and day set range into one list range in the same way as we allow in interval for days we would be able to express > > accessTime = periodic monthly on Tue, Thu between 15-31 > > it will look like: > > accessTime = periodic monthly on Tue, Thu during-7-day-set 2-3 > or > accessTime = periodic monthly on Tue, Thu during-7-day-set 2,3 > > as well as > accessTime = periodic monthly on Tue, Thu during-7-day-set 1 <--- meaning first Tue and Thu of the month > > or > > accessTime = periodic monthly on Tue, Thu during-7-day-set 1-5 <--- meaning all Tue and Thu of the month > > > I would actually argue that we would be able to reuse the interval logic from the month for this so it should not be more work than what has been proposed. > I am opposed to this completely. It's both unreadable and incomprehensible to most users. I think the language we've described between eliminating the "singular" limitation and adding negative numbers to describe the numbers back from the end of the month will provide all the versatility we need. Adding "7-day-set" is no different from the "septet" we discussed previously and shot down. 
Examples with my current proposal:
The first Tuesday and Thursday of the month:
accessTime = periodic monthly on Tue,Thu between 1 - 7
All Tuesdays and Thursdays in the month:
accessTime = periodic monthly on Tue,Thu between 1 - 31
The last Tuesday and Thursday of the month:
accessTime = periodic monthly on Tue,Thu between -7 - -1
I'm questioning whether for readability (especially with negative values in play) we should switch to:
accessTime = periodic monthly on Tue,Thu between -7 and -1
Using "and" in place of the range hyphen. Thoughts? -- Stephen Gallagher RHCE 804006346421761 Delivering value year after year. Red Hat ranks #1 in value among software vendors. http://www.redhat.com/promo/vendor/ From jhrozek at redhat.com Mon Nov 22 15:16:35 2010 
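As an added example (not SSSD's or FreeIPA's code), a small Python evaluator for the monthly form of the grammar as written in the message above: it implements the negative day-of-month semantics (-1 is the last day, -7 the seventh from the end), accepts both the "between 1 - 7" and the "between -7 and -1" spellings, and clamps positive numbers to the month's length so "between 15 and 31" still covers February. The regex, function names and the constructed sample rules are my own.

```python
import calendar
import datetime
import re

# Day abbreviations from the proposed grammar, mapped to datetime.weekday()
# numbering (Monday == 0).  Longer spellings are matched on their first
# three letters, so "Thursday" and "Thu" both work.
DAY_NAMES = {"mon": 0, "tue": 1, "wed": 2, "thu": 3, "fri": 4, "sat": 5, "sun": 6}

# Hypothetical regex covering only the monthly form.  It accepts both range
# spellings seen in the thread, "between 1 - 7" and "between -7 and -1"; the
# hyphen form is ambiguous once negative numbers appear ("1 -7"), which is
# the readability problem the "and" spelling solves.
MONTHLY_RE = re.compile(
    r"^periodic\s+monthly\s+on\s+(?P<days>[A-Za-z]+(?:\s*,\s*[A-Za-z]+)*)"
    r"\s+between\s+(?P<lo>-?\d+)\s*(?:and|-)\s*(?P<hi>-?\d+)$",
    re.IGNORECASE,
)


def parse_monthly_rule(text):
    """Parse 'periodic monthly on DAY[,DAY...] between N and M' into a
    (weekdays, lo, hi) tuple.  Day numbers must be 1..31 or -1..-31."""
    m = MONTHLY_RE.match(text.strip())
    if m is None:
        raise ValueError("not a monthly accessTime rule: %r" % text)
    weekdays = set()
    for name in m.group("days").split(","):
        key = name.strip().lower()[:3]
        if key not in DAY_NAMES:
            raise ValueError("unknown day name: %r" % name.strip())
        weekdays.add(DAY_NAMES[key])
    lo, hi = int(m.group("lo")), int(m.group("hi"))
    for n in (lo, hi):
        if n == 0 or abs(n) > 31:
            raise ValueError("day-of-month out of range: %d" % n)
    return frozenset(weekdays), lo, hi


def resolve_day(n, year, month):
    """Map a grammar day number onto a real day of year/month.  Positive
    numbers count from the 1st and are clamped to the month's length, so
    'between 15 and 31' still means 'second half' in February; negative
    numbers count back from the end, -1 being the last day, and are
    clamped at the 1st."""
    ndays = calendar.monthrange(year, month)[1]
    if n > 0:
        return min(n, ndays)
    return max(1, ndays + 1 + n)


def rule_matches(rule, date):
    """True if date falls on one of the rule's weekdays and inside the
    resolved day window.  A window whose start resolves after its end
    matches nothing rather than wrapping around the month."""
    weekdays, lo, hi = rule
    if date.weekday() not in weekdays:
        return False
    start = resolve_day(lo, date.year, date.month)
    end = resolve_day(hi, date.year, date.month)
    return start <= date.day <= end


def matching_days(rule_text, year, month):
    """All days of year/month on which rule_text grants access; handy for
    checking what a rule really means before deploying it."""
    rule = parse_monthly_rule(rule_text)
    ndays = calendar.monthrange(year, month)[1]
    return [d for d in range(1, ndays + 1)
            if rule_matches(rule, datetime.date(year, month, d))]


if __name__ == "__main__":
    # The examples from the message above, evaluated for November 2010.
    for rule in ("periodic monthly on Tue,Thu between 1 - 7",
                 "periodic monthly on Tue,Thu between -7 and -1",
                 "periodic monthly on Fri between -7 and -1"):
        print("%-48s -> %s" % (rule, matching_days(rule, 2010, 11)))
```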
From: jhrozek at redhat.com (Jakub Hrozek) Date: Mon, 22 Nov 2010 16:16:35 +0100 Subject: [Freeipa-devel] [PATCH] Make the migration plugin more configurable In-Reply-To: <4CE6CD4F.3090101@redhat.com> References: <20101115115657.GB19666@zeppelin.brq.redhat.com> <4CE6CD4F.3090101@redhat.com> Message-ID: <4CEA8953.4030507@redhat.com> On 11/19/2010 08:17 PM, Rob Crittenden wrote: > Jakub Hrozek wrote: >> This patch adds new options to the migration plugin: >> * the option to fine-tune the objectclass of users or groups being >> * imported >> * the option to select the LDAP schema (RFC2307 or RFC2307bis) >> >> https://fedorahosted.org/freeipa/ticket/429 > > I don't see where the RFC 2307bis case handles nested groups. This > should be supported, right? > > rob > The code handles it (I just ran a quick test with --schema=RFC2307bis). It just iterates through all members of a group -- be it user member or group member, it's just a DN for the plugin. Jakub From jhrozek at redhat.com Mon Nov 22 15:21:47 2010 
From: jhrozek at redhat.com (Jakub Hrozek) Date: Mon, 22 Nov 2010 16:21:47 +0100 Subject: [Freeipa-devel] [PATCH] Make the migration plugin more configurable In-Reply-To: <4CEA8953.4030507@redhat.com> References: <20101115115657.GB19666@zeppelin.brq.redhat.com> <4CE6CD4F.3090101@redhat.com> <4CEA8953.4030507@redhat.com> Message-ID: <4CEA8A8B.3000901@redhat.com> On 11/22/2010 04:16 PM, Jakub Hrozek wrote: > The code handles it (I just ran a quick test with --schema=RFC2307bis). > > It just iterates through all members of a group -- be it user member or > group member, it's just a DN for the plugin. > > Jakub Sorry, I found another bug in the plugin. I'll send a new patch shortly, so please don't waste time reviewing this one. From sgallagh at redhat.com Mon Nov 22 15:27:58 2010 
From: sgallagh at redhat.com (Stephen Gallagher) Date: Mon, 22 Nov 2010 10:27:58 -0500 Subject: [Freeipa-devel] [SSSD] Proposed changes to the HBAC grammar In-Reply-To: <4CEA88B7.7080503@redhat.com> References: <4CE6DEA2.2010904@redhat.com> <4CE6E78B.9090406@redhat.com> <4CEA88B7.7080503@redhat.com> Message-ID: <4CEA8BFE.6020806@redhat.com> I have updated the grammar page at https://fedorahosted.org/sssd/wiki/HBAC_Grammar again. The main changes made are these: * Eliminate the arbitrary "singular" from monthly repetitions * Add negative numbers for days of the month for counting from the end * For readability, replaced "-" with "and" for "between DAY and DAY" * For readability, added delimiter "at" before the range-specifier Please reread the page for more detail. -- Stephen Gallagher RHCE 804006346421761 Delivering value year after year. Red Hat ranks #1 in value among software vendors. http://www.redhat.com/promo/vendor/ From rcritten at redhat.com Mon Nov 22 15:40:45 2010 
From: rcritten at redhat.com (Rob Crittenden) Date: Mon, 22 Nov 2010 10:40:45 -0500 Subject: [Freeipa-devel] [PATCH] 617 catch CA retrieval errors Message-ID: <4CEA8EFD.20807@redhat.com> Catch when retrieving the CA chain from dogtag fails and report a friendlier error. Also don't try to free the XML document unless it has been created. To test this do an installation on F14 with a dogtag backend without fixing the symbolic link from /usr/share/java/xalan-j2-serializer.jar to /usr/share/tomcat5/common/lib/xalan-j2-serializer.jar rob -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-rcrit-617-dogtag.patch Type: text/x-patch Size: 1270 bytes Desc: not available URL: From ayoung at redhat.com Mon Nov 22 15:47:42 2010 
From: ayoung at redhat.com (Adam Young) Date: Mon, 22 Nov 2010 10:47:42 -0500 Subject: [Freeipa-devel] [PATCH] 011 Use sys.exit to quit scripts In-Reply-To: <20101122120137.GA18205@zeppelin.brq.redhat.com> References: <4CD96A22.9050105@redhat.com> <4CD99A86.3020202@redhat.com> <4CDB8EE6.4030704@redhat.com> <20101122120137.GA18205@zeppelin.brq.redhat.com> Message-ID: <4CEA909E.6020501@redhat.com> On 11/22/2010 07:01 AM, Jakub Hrozek wrote: > On Thu, Nov 11, 2010 at 07:36:22AM +0100, Jakub Hrozek wrote: > >> -----BEGIN PGP SIGNED MESSAGE----- >> Hash: SHA1 >> >> On 11/09/2010 08:01 PM, Rob Crittenden wrote: >> >>> Jakub Hrozek wrote: >>> >>>> -----BEGIN PGP SIGNED MESSAGE----- >>>> Hash: SHA1 >>>> >>>> Instead of print and return, use sys.exit() to quit scripts with an >>>> error message and a non zero return code. >>>> >>>> https://fedorahosted.org/freeipa/ticket/425 >>>> >>>> >>> This isn't applying for me. Can you try to rebase it? >>> >>> thanks >>> >>> rob >>> >> It should apply cleanly once the remaining diff of the patch that logs >> install script options is pushed. Sorry, I did not mention there was a >> dependency earlier. >> >> > Attached patch rebased on top of the current master > > Jakub > > > > _______________________________________________ > Freeipa-devel mailing list > Freeipa-devel at redhat.com > https://www.redhat.com/mailman/listinfo/freeipa-devel ACK and pushed to master -------------- next part -------------- An HTML attachment was scrubbed... URL: From rcritten at redhat.com Mon Nov 22 16:33:19 2010 
From: rcritten at redhat.com (Rob Crittenden) Date: Mon, 22 Nov 2010 11:33:19 -0500 Subject: [Freeipa-devel] [PATCH] Modified ipa help behavior In-Reply-To: <201011151424.13468.jzeleny@redhat.com> References: <201011080926.12248.jzeleny@redhat.com> <201011081054.00482.jzeleny@redhat.com> <4CDB5CA0.9020906@redhat.com> <201011151424.13468.jzeleny@redhat.com> Message-ID: <4CEA9B4F.80400@redhat.com> Jan Zelený wrote: > Rob Crittenden wrote: >> Jan Zelený wrote: >>> Jan Zelený wrote: >>>> Now each plugin can define its topic as a 2-tuple, where the first >>>> item is the name of topic it belongs to and the second item is >>>> a description of such topic. Topic descriptions must be the same >>>> for all modules belonging to the topic. >>>> >>>> By using these topics, it is possible to group plugins as we see fit. >>>> When asking for help for a particular topic, help for all modules >>>> in given topic is written. >>>> >>>> ipa help - show all topics (until now it showed all plugins) >>>> ipa help <topic> - show details to given topic >>>> >>>> https://fedorahosted.org/freeipa/ticket/410 >>> >>> Sorry for the wrong sequence number, sending the correct one now. >> >> I think this is a good start but I find the output hard to read, both >> with a single topic (like user) or multiple (like sudo). The dashed >> lines and the extra spaces make my eyes cross a bit >> >> What I don't have is any good suggestion to change it up. I realize you >> are jamming together discrete things that may or may not look nice >> together. >> >> I suppose a few suggestions might be: >> >> - a SEEALSO-like where you print the topics at the bottom so it is >> obvious that multiple things are jammed together >> - A single dashed-line all the way across (more or less) with a single >> space before and after might be a less jarring separator. IIRC we have >> some output code that should handle screen sizes for you. 
>> - I'm not sure if combining all the commands into a single list is the >> right thing or not. It may not be necessary with the SEEALSO. >> >> So nack for now but this is headed in the right direction. >> >> rob > > I gave this some thought: > > Output for each single-module topic is given by module's doc string. How good > readability it has is not up to help function, but rather up to the developer > of that particular module. The only thing I can do is not to display the > separator. > > And as for multiple topics - I can change the concept to support two-level > topics. That way when asking for the first level, it would display either > entire single-module topic with its commands or it will only display a brief > description of the topic and a list of its subtopics (this is based on your > suggestion with SEEALSO section). Asking for one of these subtopics will > output the same help as it would for single-module topic. I'm not sure about > usability of this though. Personally I'd probably be asking who invented a > help, which needs 4 shell commands to get to a help of IPA command: > ipa help > ipa help sudo > ipa help sudocmd > ipa help sudocmd-add > > I tried your other suggestions and the result doesn't look significantly better > than the current one. > > What do you think is the best way to proceed? > > Jan The multiple commands for a given logical topic weren't really a consideration when the framework was created. At that time we were only considering very high-level topics like user, group and host. To expand on your comment about the per-module documentation, that seems to be key. We have a separate ticket open against hbac-add to include per-command documentation on access time format. So I'm wondering if we need to re-think how we're documenting things. Right now we have on the order of 178 commands. That is a LOT of man pages even if we used some sort of automated XML system. We just need to do the right thing before GA. 
Rather than combining the help from all the similar commands just show the top-level and include a SEEALSO? So for example for: ipa help hbac We would just show the hbac top-level help and include a SEEALSO for hbacsvc and hbacsvcgroup rather than including those top-level help as well? Similarly for sudo. rob From ayoung at redhat.com Mon Nov 22 16:41:01 2010 
From: ayoung at redhat.com (Adam Young) Date: Mon, 22 Nov 2010 11:41:01 -0500 Subject: [Freeipa-devel] [PATCH] 0100-top-nav-index In-Reply-To: <4CE70DDF.1040205@redhat.com> References: <4CE6F59A.4060507@redhat.com> <4CE70DDF.1040205@redhat.com> Message-ID: <4CEA9D1D.1010204@redhat.com> On 11/19/2010 06:53 PM, Endi Sukma Dewata wrote: > On 11/19/2010 4:09 PM, Adam Young wrote: >> > > This will not work with entities that do not have associated tabs, > e.g. hbacsvc, hbacsvcgroups, sudocmd, sudocmdgroups. For these > entities the IPA.tab_state() will return undefined, so the > ipa_column_widget.setup() will fail. > > To reproduce this problem, try clicking the search results in hbacsvc > or hbacsvcgroups. For some reason it will bring you to the user search > page. > > We need to figure out the proper way to handle these entities. It > probably requires framework modification. > Been pondering this during the weekend. I am not a huge fan of burying things like HBAC and Sudo entities so deep. There is little reason to force a user to search for these things, and so I suspect, over time we will adjust the UI to let them "float" up higher in the navigation structure. Without reordering things now, I propose we allow for a three level structure in the tab_set. Top level will not be an entity. Second level will be an entity. Third level will be a nested entity. Nested entities are not related in any way to the entity that they are nested under except by convention. Thus, sudocmd and sudocmdgrps may get nested under sudorules, but they could easily be placed as peers. Contrast these with DNS records, that require the DNS Zone value. For 3 level deep nesting, we will need a naming scheme to make these work, something like #subtab=sudorule&entity=sudocmd Contrast this with #entity=sudorule Thus, the entity value always points to the object, not necessarily at the leaf node of the navigation tree. From ssorce at redhat.com Mon Nov 22 16:55:21 2010 
From: ssorce at redhat.com (Simo Sorce) Date: Mon, 22 Nov 2010 11:55:21 -0500 Subject: [Freeipa-devel] [PATCH] Fix a couple of problems in C code In-Reply-To: <20101118141646.GA4133@zeppelin.brq.redhat.com> References: <4CD8682A.40805@redhat.com> <20101118141646.GA4133@zeppelin.brq.redhat.com> Message-ID: <20101122115521.2d6ee79d@willson.li.ssimo.org> On Thu, 18 Nov 2010 15:16:49 +0100 Jakub Hrozek wrote: > On Mon, Nov 08, 2010 at 10:14:18PM +0100, Jakub Hrozek wrote: > > [PATCH 1/6] Common include file for SLAPI plugin logging > > Consolidate the common logging macros into common/util.h and use > > them in SLAPI plugins instead of calling slapi_log_error() directly. > > > > https://fedorahosted.org/freeipa/ticket/408 NACK, reintroduces a define of a function that was private to 389ds that we stopped using. Everything else looks fine. > > [PATCH 2/6] Stricter compilation flags > > Use a little stricter compilation flags, in particular -Wall and > > treat implicit function declarations as errors. ACK > > [PATCH 3/6] Use internal implementation of internal Kerberos > > functions Don't use KRB5_PRIVATE. > > > > The patch implements and uses the following krb5 functions that are > > otherwise private in recent MIT Kerberos releases: > > * krb5_principal2salt_norealm > > * krb5_free_ktypes NACK, if we re-implement functions we should use our own namespace or we risk conflicts with the real functions in the library. > > [PATCH 4/6] Don't use deprecated ldap_bind_s > > ldap_bind_s is marked as deprecated in new libldap releases. ACK > > [PATCH 5/6] Silence compilation warnings in SLAPI plugins > > The most important part of the patch is exporting hexbuf() in > > ipapwd.h Also uses strcasecmp() instead of PL_strcasecmp() since we > > were not including nspr headers and linking against it - I hope > > this is OK, we can revert if we need to be portable to platforms > > with no strcasecmp(). The rest are cosmetic fixes. 
It seems to me that hexbuf() is used only in ipapwd_encoding.c, what about moving it there and making it static instead? Adding the header would make fewer changes than replacing PL_strcasecmp everywhere. Any reason why replacing is easier than just adding the proper header? > > [PATCH 6/6] ipa-client code cleanup > > Fixes errors about implicit function declaration and moves > > duplicated gettext code into a common module. Also silences some > > warnings. ACK > > Patches 3 - 6 fix https://fedorahosted.org/freeipa/ticket/454 > > Attached are patches rebased on top of current master, esp. the UUID > patch. Only needs minor changes, mostly a very good set, thanks! Simo. -- Simo Sorce * Red Hat, Inc * New York From ssorce at redhat.com Mon Nov 22 17:00:04 2010 From: ssorce at redhat.com (Simo Sorce) Date: Mon, 22 Nov 2010 12:00:04 -0500 Subject: [Freeipa-devel] [PATCH] 0015 Configure KDC to use multiple workers In-Reply-To: <4CEA8693.5070305@redhat.com> References: <20101115210555.4a1ff6c2@willson.li.ssimo.org> <20101122125839.GA21959@zeppelin.brq.redhat.com> <20101122083649.12611953@willson.li.ssimo.org> <4CEA7A41.6040300@redhat.com> <4CEA8693.5070305@redhat.com> Message-ID: <20101122120004.6e25c811@willson.li.ssimo.org> On Mon, 22 Nov 2010 16:04:51 +0100 Jakub Hrozek wrote: > This could have been shortened to Ack :-) Pushed to master. Simo. -- Simo Sorce * Red Hat, Inc * New York From dpal at redhat.com Mon Nov 22 17:22:32 2010
From: dpal at redhat.com (Dmitri Pal) Date: Mon, 22 Nov 2010 12:22:32 -0500 Subject: [Freeipa-devel] [SSSD] Proposed changes to the HBAC grammar In-Reply-To: <4CEA8BFE.6020806@redhat.com> References: <4CE6DEA2.2010904@redhat.com> <4CE6E78B.9090406@redhat.com> <4CEA88B7.7080503@redhat.com> <4CEA8BFE.6020806@redhat.com> Message-ID: <4CEAA6D8.3020809@redhat.com> Stephen Gallagher wrote: > I have updated the grammar page at > https://fedorahosted.org/sssd/wiki/HBAC_Grammar again. > > The main changes made are these: > > * Eliminate the arbitrary "singular" from monthly repetitions > * Add negative numbers for days of the month for counting from the end > * For readability, replaced "-" with "and" for "between DAY and DAY" > * For readability, added delimiter "at" before the range-specifier > > Please reread the page for more detail. > I have to comment on many things with the current state of the grammar, so for easier reference I copied it here and commented inline >timerange = Absolute / Periodic > >Absolute = "absolute" WSP generalizedTime WSP "~" WSP generalizedTime > >generalizedTime as defined in RFC 4517 section 3.3.13 but without time zone at the end. > >Periodic = "periodic" WSP Yearly / Monthly / Weekly / Daily > >Yearly = "yearly" WSP Y-specifier WSP range-specified > >Monthly = "monthly" WSP M-specifier WSP range-specifier > >Weekly = "weekly" WSP W-specifier WSP range-specifier > >Daily = "daily" WSP range-specifier > >Y-specifier = Y-month / Y-week / Y-day > >Y-month = "month" WSP month-number WSP M-specifier > >Y-week = "week" WSP week-of-the-year WSP W-specifier > >Y-day = "day" WSP day-of-the-year > >M-specifier = M-on / M-day If we read the grammar so far we will end up with the following uses of the M-specifier periodic monthly periodic yearly month 1,4,7 So far so good. 
Now we have two variants of the M-specifier M-on and M-day >M-on = "on" WSP day-of-the-week WSP day-of-the-month-range The intent of this one was to be able to specify the weekday within a month >M-day = "day" WSP day-of-the-month-interval This one for calendar days within a month >W-specifier = "day" WSP day-of-the-week > >month-number = interval 1-12 > >week-of-the-year = interval 1-52 > >septet-of-the-month = interval 1-5 The septet is not used any more and should be removed, right? >day-of-the-month-interval = interval day-of-the-month This should be a plain interval from 1-31 with no negatives since it is used in the M-day rule I would argue that M-day can be just replaced with M-day = "day" WSP interval 1-31 Keep in mind that the definition of the interval here is as described below: interval XX-YY = a comma-separated list of items from XX to YY, or dash-separated ranges. For example, (interval 1-31) 3-7,10,12,15,25-31 with no spaces inside. So the definition of the day-of-the-month-interval can then be removed. >day-of-the-month-range = "between" WSP day-of-the-month WSP "and" WSP day-of-the-month > >day-of-the-month = "-31" to "31" This notion allows me to enter "between -31 and 3" which does not make any sense. Also the current grammar does not allow me to use ranges which I want to use here. I want to be able to express "Wednesday" of the first and third week of the month. Capability to do so is completely lost. We abandoned the term "septet" not because of the bad idea but because this is a confusing word. But we can live without it as long as I can use complex intervals. After more thinking I would like to reject the idea of the negative numbers. 
Instead we can do the following: M-on = "on" WSP day-of-the-week WSP "during" WSP day-of-the-month-range day-of-the-month-range = interval 1-31 / last-days last-days = "last" WSP sequential-days sequential-days = single number from the 1-31 range So if we want to say "Wednesday" of the first and third week of the month I will use: periodic monthly on Wed during 1-7,15-21 if I want to say Wednesday during the last two weeks of the month I will say: periodic monthly on Wed during last 14 IMO it is cleaner and simpler and allows us to express all the notions we want to express. >day-of-the-week = interval 1-7 (or Mon-Sun) > >range-specifier = "at" WSP HHMM WSP "+" WSP duration-specifier What is the value and significance of the "+" here? Is it just for readability? Then I would suggest that we replace it with the word "for". >duration-specifier = DDHHMM > >DD = "00" to "31" > >HH = "00" to "23" > >MM = "00" to "59" > > >interval XX-YY = a comma-separated list of items from XX to YY, or dash-separated ranges. >range = dash-separated range This definition seems incomplete but I do not know how to make it better... >For example, (interval 1-31) 3-7,10,12,15,25-31 with no spaces inside. Thank you, Dmitri Pal Sr. Engineering Manager IPA project, Red Hat Inc. ------------------------------- Looking to carve out IT costs? www.redhat.com/carveoutcosts/ From dpal at redhat.com Mon Nov 22 17:27:56 2010
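The grammar discussion above is easier to judge against a concrete evaluator. The following Python is an added illustration written for this archive, not SSSD or FreeIPA code: it validates the "interval XX-YY" notation exactly as defined in the quoted grammar (comma-separated items or dash-separated ranges, no spaces, no negatives), implements the two M-on forms Dmitri proposes ("during <interval>" and "during last N") plus the plain M-day form, and accepts both the wiki's "+" and his suggested "for" in the range specifier. The function names, the half-open window [start, start+duration) and the handling of windows that cross midnight are this example's own choices, and the sample dates in the usage block are constructed (November 2010, the month of the thread).

```python
"""Evaluator for the 'periodic monthly' forms of the proposed HBAC time-range
grammar. Added illustration only, not SSSD or FreeIPA code."""
import calendar
import datetime
import re

# day-of-the-week may be written as "interval 1-7" or as weekday names (Mon-Sun)
WEEKDAYS = {"mon": 1, "tue": 2, "wed": 3, "thu": 4, "fri": 5, "sat": 6, "sun": 7}


def parse_interval(text, lo, hi):
    """interval lo-hi: comma-separated items or dash-separated ranges, no spaces.
    Returns the covered integers; spaces, reversed ranges, negatives and the
    'between ... and' wording are all rejected with ValueError."""
    if not re.fullmatch(r"\d+(?:-\d+)?(?:,\d+(?:-\d+)?)*", text):
        raise ValueError(f"malformed interval {text!r}")
    covered = set()
    for item in text.split(","):
        first, _, last = item.partition("-")
        start, end = int(first), int(last or first)
        if not lo <= start <= end <= hi:
            raise ValueError(f"{item!r} is not within {lo}-{hi}")
        covered.update(range(start, end + 1))
    return covered


def parse_weekdays(text):
    """day-of-the-week = interval 1-7 (or Mon-Sun) -> set of ISO weekday numbers."""
    names = text.lower().split(",")
    if all(name in WEEKDAYS for name in names):
        return {WEEKDAYS[name] for name in names}
    return parse_interval(text, 1, 7)


def parse_range_specifier(tokens):
    """range-specifier = "at" HHMM ("for" / "+") DDHHMM -> (start time, duration)."""
    if len(tokens) != 4 or tokens[0] != "at" or tokens[2] not in ("for", "+"):
        raise ValueError(f"bad range specifier {' '.join(tokens)!r}")
    if not re.fullmatch(r"\d{4}", tokens[1]) or not re.fullmatch(r"\d{6}", tokens[3]):
        raise ValueError("HHMM and DDHHMM must be exactly 4 and 6 digits")
    start = datetime.time(int(tokens[1][:2]), int(tokens[1][2:]))  # rejects HH>23, MM>59
    dd, hh, mm = int(tokens[3][:2]), int(tokens[3][2:4]), int(tokens[3][4:])
    if dd > 31 or hh > 23 or mm > 59:
        raise ValueError("duration fields out of range")
    return start, datetime.timedelta(days=dd, hours=hh, minutes=mm)


def parse_monthly(rule):
    """'periodic monthly <M-specifier> at ...' -> (day predicate, start, duration)."""
    tokens = rule.split()
    if tokens[:2] != ["periodic", "monthly"] or "at" not in tokens:
        raise ValueError("expected 'periodic monthly <M-specifier> at HHMM for DDHHMM'")
    cut = tokens.index("at")
    spec = tokens[2:cut]
    start, duration = parse_range_specifier(tokens[cut:])

    if len(spec) == 2 and spec[0] == "day":                               # M-day
        days = parse_interval(spec[1], 1, 31)

        def day_ok(d):
            return d.day in days
    elif len(spec) == 4 and spec[0] == "on" and spec[2] == "during":       # M-on, interval
        dows, days = parse_weekdays(spec[1]), parse_interval(spec[3], 1, 31)

        def day_ok(d):
            return d.isoweekday() in dows and d.day in days
    elif len(spec) == 5 and spec[:1] + spec[2:4] == ["on", "during", "last"]:  # M-on, last N
        dows, n = parse_weekdays(spec[1]), int(spec[4])
        if not 1 <= n <= 31:
            raise ValueError("'last' takes a single number from 1-31")

        def day_ok(d):  # the last n calendar days of d's month, whatever its length
            month_len = calendar.monthrange(d.year, d.month)[1]
            return d.isoweekday() in dows and d.day > month_len - n
    else:
        raise ValueError(f"unrecognised M-specifier {' '.join(spec)!r}")
    return day_ok, start, duration


def matches(rule, when):
    """True if `when` (datetime or ISO 8601 string) lies inside a window the rule
    opens: [start, start + duration) on a matching day. A window can run past
    midnight, so start days up to duration+1 days back are checked as well."""
    if isinstance(when, str):
        when = datetime.datetime.fromisoformat(when)
    day_ok, start, duration = parse_monthly(rule)
    for back in range(duration.days + 2):
        day = when.date() - datetime.timedelta(days=back)
        opens = datetime.datetime.combine(day, start)
        if day_ok(day) and opens <= when < opens + duration:
            return True
    return False


if __name__ == "__main__":
    # The two examples from the thread, evaluated on constructed dates
    # (2010-11-17 is a Wednesday in the third week of the month).
    print(matches("periodic monthly on Wed during 1-7,15-21 at 0900 for 000800", "2010-11-17T10:00"))
    print(matches("periodic monthly on Wed during last 14 at 2200 for 000400", "2010-11-18T01:30"))
```

The second example shows why the evaluator looks back across midnight: a rule that opens at 22:00 for four hours on a Wednesday is still active at 01:30 on Thursday, although Thursday itself matches neither the weekday nor the "last 14" test.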
From: dpal at redhat.com (Dmitri Pal) Date: Mon, 22 Nov 2010 12:27:56 -0500 Subject: [Freeipa-devel] [PATCH] 0100-top-nav-index In-Reply-To: <4CEA9D1D.1010204@redhat.com> References: <4CE6F59A.4060507@redhat.com> <4CE70DDF.1040205@redhat.com> <4CEA9D1D.1010204@redhat.com> Message-ID: <4CEAA81C.6020705@redhat.com> Adam Young wrote: > On 11/19/2010 06:53 PM, Endi Sukma Dewata wrote: >> On 11/19/2010 4:09 PM, Adam Young wrote: >>> >> >> This will not work with entities that do not have associated tabs, >> e.g. hbacsvc, hbacsvcgroups, sudocmd, sudocmdgroups. For these >> entities the IPA.tab_state() will return undefined, so the >> ipa_column_widget.setup() will fail. >> >> To reproduce this problem, try clicking the search results in hbacsvc >> or hbacsvcgroups. For some reason it will bring you to the user >> search page. >> >> We need to figure out the proper way to handle these entities. It >> probably requires framework modification. >> > Been pondering this during the weekend. > > I am not a huge fan of burying things like HBAC and Sudo entities so > deep. There is little reason to force a use to search for these > things, and so I suspect, over time we will adjust the UI to let them > "float" up higher in the navigation structure. > > > Without reordering things now, I propose we allow for a three level > structure in the tab_set. Top level will not be an entity. Second > level will be an entity. third level will be a nested entity. > > Nested entities are not related in any way to the entity that they are > nested under except by convention. Thus, sudocmd and sudocmdgrps may > get nested under sudorules, but they could easily be placed as peers. > Contrast these with DNS records, that require the the DNS Zone value. > > For 3 level deep nesting, we will need a naming scheme to make these > work. 
something like > #subtab=sudorule&entity=sudocmd > > contrast this with > > #entity=sudorule > > Thus, the entity value always points to the object, not necessarily at > the leaf node of the navigation tree. > > _______________________________________________ > Freeipa-devel mailing list > Freeipa-devel at redhat.com > https://www.redhat.com/mailman/listinfo/freeipa-devel > > Do I read you right that instead of using actions menu you want to as another row of the tabs at the top? I am not sure I agree with this. -- Thank you, Dmitri Pal Sr. Engineering Manager IPA project, Red Hat Inc. ------------------------------- Looking to carve out IT costs? www.redhat.com/carveoutcosts/ From dpal at redhat.com Mon Nov 22 17:31:11 2010 
From: dpal at redhat.com (Dmitri Pal) Date: Mon, 22 Nov 2010 12:31:11 -0500 Subject: [Freeipa-devel] [PATCH] 0100-top-nav-index In-Reply-To: <4CEAA81C.6020705@redhat.com> References: <4CE6F59A.4060507@redhat.com> <4CE70DDF.1040205@redhat.com> <4CEA9D1D.1010204@redhat.com> <4CEAA81C.6020705@redhat.com> Message-ID: <4CEAA8DF.2090504@redhat.com> Dmitri Pal wrote: > Adam Young wrote: > >> On 11/19/2010 06:53 PM, Endi Sukma Dewata wrote: >> >>> On 11/19/2010 4:09 PM, Adam Young wrote: >>> >>> This will not work with entities that do not have associated tabs, >>> e.g. hbacsvc, hbacsvcgroups, sudocmd, sudocmdgroups. For these >>> entities the IPA.tab_state() will return undefined, so the >>> ipa_column_widget.setup() will fail. >>> >>> To reproduce this problem, try clicking the search results in hbacsvc >>> or hbacsvcgroups. For some reason it will bring you to the user >>> search page. >>> >>> We need to figure out the proper way to handle these entities. It >>> probably requires framework modification. >>> >>> >> Been pondering this during the weekend. >> >> I am not a huge fan of burying things like HBAC and Sudo entities so >> deep. There is little reason to force a use to search for these >> things, and so I suspect, over time we will adjust the UI to let them >> "float" up higher in the navigation structure. >> >> >> Without reordering things now, I propose we allow for a three level >> structure in the tab_set. Top level will not be an entity. Second >> level will be an entity. third level will be a nested entity. >> >> Nested entities are not related in any way to the entity that they are >> nested under except by convention. Thus, sudocmd and sudocmdgrps may >> get nested under sudorules, but they could easily be placed as peers. >> Contrast these with DNS records, that require the the DNS Zone value. >> >> For 3 level deep nesting, we will need a naming scheme to make these >> work. 
something like >> #subtab=sudorule&entity=sudocmd >> >> contrast this with >> >> #entity=sudorule >> >> Thus, the entity value always points to the object, not necessarily at >> the leaf node of the navigation tree. >> >> _______________________________________________ >> Freeipa-devel mailing list >> Freeipa-devel at redhat.com >> https://www.redhat.com/mailman/listinfo/freeipa-devel >> >> >> > Do I read you right that instead of using actions menu you want to as > use > another row of the tabs at the top? > I am not sure I agree with this. > > -- Thank you, Dmitri Pal Sr. Engineering Manager IPA project, Red Hat Inc. ------------------------------- Looking to carve out IT costs? www.redhat.com/carveoutcosts/ From ayoung at redhat.com Mon Nov 22 17:34:25 2010 
From: ayoung at redhat.com (Adam Young) Date: Mon, 22 Nov 2010 12:34:25 -0500 Subject: [Freeipa-devel] [PATCH] 0100-top-nav-index In-Reply-To: <4CEAA81C.6020705@redhat.com> References: <4CE6F59A.4060507@redhat.com> <4CE70DDF.1040205@redhat.com> <4CEA9D1D.1010204@redhat.com> <4CEAA81C.6020705@redhat.com> Message-ID: <4CEAA9A1.3090502@redhat.com> On 11/22/2010 12:27 PM, Dmitri Pal wrote: > Adam Young wrote: > >> On 11/19/2010 06:53 PM, Endi Sukma Dewata wrote: >> >>> On 11/19/2010 4:09 PM, Adam Young wrote: >>> >>>> >>> This will not work with entities that do not have associated tabs, >>> e.g. hbacsvc, hbacsvcgroups, sudocmd, sudocmdgroups. For these >>> entities the IPA.tab_state() will return undefined, so the >>> ipa_column_widget.setup() will fail. >>> >>> To reproduce this problem, try clicking the search results in hbacsvc >>> or hbacsvcgroups. For some reason it will bring you to the user >>> search page. >>> >>> We need to figure out the proper way to handle these entities. It >>> probably requires framework modification. >>> >>> >> Been pondering this during the weekend. >> >> I am not a huge fan of burying things like HBAC and Sudo entities so >> deep. There is little reason to force a use to search for these >> things, and so I suspect, over time we will adjust the UI to let them >> "float" up higher in the navigation structure. >> >> >> Without reordering things now, I propose we allow for a three level >> structure in the tab_set. Top level will not be an entity. Second >> level will be an entity. third level will be a nested entity. >> >> Nested entities are not related in any way to the entity that they are >> nested under except by convention. Thus, sudocmd and sudocmdgrps may >> get nested under sudorules, but they could easily be placed as peers. >> Contrast these with DNS records, that require the the DNS Zone value. >> >> For 3 level deep nesting, we will need a naming scheme to make these >> work. 
something like >> #subtab=sudorule&entity=sudocmd >> >> contrast this with >> >> #entity=sudorule >> >> Thus, the entity value always points to the object, not necessarily at >> the leaf node of the navigation tree. >> >> _______________________________________________ >> Freeipa-devel mailing list >> Freeipa-devel at redhat.com >> https://www.redhat.com/mailman/listinfo/freeipa-devel >> >> >> > Do I read you right that instead of using actions menu you want to as > another row of the tabs at the top? > I am not sure I agree with this. > > No, I am not suggesting that. I am saying that we use the tree of entities that is used for the tabs to generate the actions on the left nav as well. The look and feel will be the same as now, just the implementation will be changed. From ayoung at redhat.com Mon Nov 22 17:42:45 2010 
From: ayoung at redhat.com (Adam Young) Date: Mon, 22 Nov 2010 12:42:45 -0500 Subject: [Freeipa-devel] [PATCH] 0001 Ensure that Apache is running in Prefork mode In-Reply-To: <201011151121.12250.jzeleny@redhat.com> References: <201011021617.20977.jzeleny@redhat.com> <4CDB26F1.1040905@redhat.com> <201011121410.06832.jzeleny@redhat.com> <201011151121.12250.jzeleny@redhat.com> Message-ID: <4CEAAB95.8090304@redhat.com> On 11/15/2010 05:21 AM, Jan Zelen? wrote: > Jan Zeleny wrote: > >> Rob Crittenden wrote: >> >>> Jan Zelen? wrote: >>> >>>> Rob Crittenden wrote: >>>> >>>>> Jan Zelen? wrote: >>>>> >>>>>> I tried one other solution, but this approach was recommended to me >>>>>> by Pavel. It seems to be working fine. If you don't agree with the >>>>>> concept (detection per request), I can present you the original one. >>>>>> >>>>>> https://fedorahosted.org/freeipa/ticket/252 >>>>>> >>>>>> Jan >>>>>> >>>>> nack. I think we need some logging to say "IPA does not work with the >>>>> threaded MPM, use the pre-fork MPM" or something like that. >>>>> >>>>> Otherwise it is going to silently fail and users will have no idea >>>>> why. >>>>> >>>> I added logging as you requested. I'm still not quite sure how does the >>>> logging work exactly, but as I understand it, this way it should be ok. >>>> >>>> Jan >>>> >>> nack, I can still run httpd.worker and serve IPA requests. >>> >>> We do things to the environment so we need to be sure that each request >>> is isolated from all others which is why we want to run in multi-process >>> mode. >>> >>> rob >>> >> I based that patch on WSGI specification, which says: >> >> "This value should evaluate true if the application object may be >> simultaneously invoked by another thread in the same process, and should >> evaluate false otherwise." >> >> I didn't realize that this condition may be evaluated as false even when >> running multiple threads. >> >> That means I have to abandon this approach and try the original one. 
I'm >> going to sync the patch I have prepared with the current HEAD and I'll >> send it ASAP. >> > Ok, so I've hit a small complication and I had to update the patch, so the > detection is as robust as possible. This patch is working in Fedora > environment, where the packaging of httpd is ... well ... strange at least. > > The only situation it isn't handling 100% well is the case when 2 different > Apache servers are running. But since that's not common case and I can't think > of a way to detect which instance is running current WSGI script, the script > just doesn't allow such situation. > > Jan > > > > _______________________________________________ > Freeipa-devel mailing list > Freeipa-devel at redhat.com > https://www.redhat.com/mailman/listinfo/freeipa-devel ACK and pushed to master -------------- next part -------------- An HTML attachment was scrubbed... URL: From jhrozek at redhat.com Mon Nov 22 18:00:52 2010 
From: jhrozek at redhat.com (Jakub Hrozek) Date: Mon, 22 Nov 2010 19:00:52 +0100 Subject: [Freeipa-devel] [PATCH] Fix a couple of problems in C code In-Reply-To: <20101122115521.2d6ee79d@willson.li.ssimo.org> References: <4CD8682A.40805@redhat.com> <20101118141646.GA4133@zeppelin.brq.redhat.com> <20101122115521.2d6ee79d@willson.li.ssimo.org> Message-ID: <20101122180049.GA15220@zeppelin.brq.redhat.com> On Mon, Nov 22, 2010 at 11:55:21AM -0500, Simo Sorce wrote: > On Thu, 18 Nov 2010 15:16:49 +0100 > Jakub Hrozek wrote: > > > On Mon, Nov 08, 2010 at 10:14:18PM +0100, Jakub Hrozek wrote: > > > [PATCH 1/6] Common include file for SLAPI plugin logging > > > Consolidate the common logging macros into common/util.h and use > > > them in SLAPI plugins instead of calling slapi_log_error() directly. > > > > > > https://fedorahosted.org/freeipa/ticket/408 > > NACK, reintroduces a define of a function that was private to 389ds > that we stoppped using. > Everything else look fine > Fixed. > > > [PATCH 2/6] Stricter compilation flags > > > Use a little stricter compilation flags, in particular -Wall and > > > treat implicit function declarations as errors. > > ACK > > > > [PATCH 3/6] Use internal implementation of internal Kerberos > > > functions Don't use KRB5_PRIVATE. > > > > > > The patch implements and uses the following krb5 functions that are > > > otherwise private in recent MIT Kerberos releases: > > > * krb5_principal2salt_norealm > > > * krb5_free_ktypes > > NACK, i we re-implement functions we should use our own namespace or we > risk conflicts with the real functions in the library. > Thanks, fixed. Also changed pointer initialization from ptr=0 (which libkrb5 uses) to ptr=NULL as discussed on IRC. > > > [PATCH 4/6] Don't use deprecated ldap_bind_s > > > ldap_bind_s is marked as deprecated in new libldap releases. 
> > ACK > > > > [PATCH 5/6] Silence compilation warnings in SLAPI plugins > > > The most important part of the patch is exporting hexbuf() in > > > ipapwd.h Also uses strcasecmp() instead of PL_strcasecmp() since we > > > were not including nspr headers and linking against it - I hope > > > this is OK, we can revert if we need to be portable to platforms > > > with no strcasecmp(). The rest are cosmetic fixes. > > It seems to me that hexbuf() is used only in ipapwd_encoding.c, what > about moving it there and making it static instead ? It was already in ipapwd_util.c and seemed like it could be potentially useful elsewhere in ipapwd. But moving it is OK, too. > > Adding the header would make less changes than replacing PL_strcasecmp > everywhere. Any reason why replacing is easier than just adding the > proper header ? > Initially, I was thinking that by not using any nspr functions we could lose a dependency, but given the tight coupling between 389-ds, nss and nspr, this is not realistic. So I reverted the PL_str* calls and added a #include directive instead. > > > [PATCH 6/6] ipa-client code cleanup > > > Fixes errors about implicit function declaration and moves > > > duplicated gettext code into a common module. Also silences some > > > warnings. > > ACK > > > > Patches 3 - 6 fix https://fedorahosted.org/freeipa/ticket/454 > > > > Attached are patches rebased on top of current master, esp. the UUID > > patch. > > Only needs minor changes, mostly a very good set, thanks! > > Simo. > Thanks for the review! New patches are attached. If you're going to use interdiff or something similar, please note that these patches were generated with different flags passed to git format-patch, as suggested on IRC. -------------- next part -------------- From 4c34f472d847dcd5382a41a363bb92fa98682268 Mon Sep 17 00:00:00 2001
From: Jakub Hrozek Date: Wed, 3 Nov 2010 14:44:44 +0100 Subject: [PATCH 1/6] Common include file for SLAPI plugin logging Consolidate the common logging macros into common/util.h and use them in SLAPI plugins instead of calling slapi_log_error() directly. https://fedorahosted.org/freeipa/ticket/408 --- daemons/ipa-slapi-plugins/common/util.h | 40 +++ .../ipa-slapi-plugins/ipa-enrollment/Makefile.am | 3 + .../ipa-enrollment/ipa_enrollment.c | 78 ++--- daemons/ipa-slapi-plugins/ipa-modrdn/Makefile.am | 3 + daemons/ipa-slapi-plugins/ipa-modrdn/ipa_modrdn.c | 41 +-- .../ipa-slapi-plugins/ipa-pwd-extop/Makefile.am | 3 + .../ipa-pwd-extop/ipa_pwd_extop.c | 1 + daemons/ipa-slapi-plugins/ipa-pwd-extop/ipapwd.h | 21 +-- .../ipa-pwd-extop/ipapwd_common.c | 1 + .../ipa-pwd-extop/ipapwd_encoding.c | 1 + .../ipa-pwd-extop/ipapwd_prepost.c | 1 + daemons/ipa-slapi-plugins/ipa-uuid/Makefile.am | 3 + daemons/ipa-slapi-plugins/ipa-uuid/ipa_uuid.c | 85 ++--- daemons/ipa-slapi-plugins/ipa-version/Makefile.am | 3 + .../ipa-version/ipa_repl_version.c | 51 ++-- daemons/ipa-slapi-plugins/ipa-winsync/Makefile.am | 3 + .../ipa-winsync/ipa-winsync-config.c | 90 +++--- .../ipa-slapi-plugins/ipa-winsync/ipa-winsync.c | 350 ++++++++------------ .../ipa-slapi-plugins/ipa-winsync/ipa-winsync.h | 4 +- 19 files changed, 333 insertions(+), 449 deletions(-) create mode 100644 daemons/ipa-slapi-plugins/common/util.h diff --git a/daemons/ipa-slapi-plugins/common/util.h b/daemons/ipa-slapi-plugins/common/util.h new file mode 100644 index 0000000000000000000000000000000000000000..8a7d51870b1483b183da9654c4cc2c35118002fb --- /dev/null +++ b/daemons/ipa-slapi-plugins/common/util.h 
@@ -0,0 +1,40 @@ +#ifndef _SLAPI_PLUGINS_UTIL_H +#define _SLAPI_PLUGINS_UTIL_H + +#define EOK 0 +#define EFAIL -1 + +#ifndef discard_const +#define discard_const(ptr) ((void *)((uintptr_t)(ptr))) +#endif + +#define log_func discard_const(__func__) + +#define LOG_PLUGIN_NAME(NAME, fmt, ...) \ + slapi_log_error(SLAPI_LOG_PLUGIN, \ + NAME, \ + fmt, ##__VA_ARGS__) + +#define LOG(fmt, ...) \ + LOG_PLUGIN_NAME(IPA_PLUGIN_NAME, fmt, ##__VA_ARGS__) + +#define LOG_CONFIG_NAME(NAME, fmt, ...) \ + slapi_log_error(SLAPI_LOG_CONFIG, \ + NAME, \ + fmt, ##__VA_ARGS__) + +#define LOG_CONFIG(fmt, ...) \ + LOG_CONFIG_NAME(IPA_PLUGIN_NAME, fmt, ##__VA_ARGS__) + +#define LOG_FATAL(fmt, ...) \ + slapi_log_error(SLAPI_LOG_FATAL, log_func, \ + "[file %s, line %d]: " fmt, \ + __FILE__, __LINE__, ##__VA_ARGS__) + +#define LOG_TRACE(fmt, ...) \ + slapi_log_error(SLAPI_LOG_TRACE, log_func, fmt, ##__VA_ARGS__) + +#define LOG_OOM() LOG_FATAL("Out of Memory!\n") + +#endif /* _SLAPI_PLUGINS_UTIL_H */ + diff --git a/daemons/ipa-slapi-plugins/ipa-enrollment/Makefile.am b/daemons/ipa-slapi-plugins/ipa-enrollment/Makefile.am index 8a4ba09c7e8658b2132d6722fe929a71a6f0fdf1..fc3c55cca95c3aba0abf20a6f4c4e63ba80a5c4e 100644 --- a/daemons/ipa-slapi-plugins/ipa-enrollment/Makefile.am +++ b/daemons/ipa-slapi-plugins/ipa-enrollment/Makefile.am @@ -1,8 +1,11 @@ NULL = +PLUGIN_COMMON_DIR=../common + INCLUDES = \ -I. \ -I$(srcdir) \ + -I$(PLUGIN_COMMON_DIR) \ -DPREFIX=\""$(prefix)"\" \ -DBINDIR=\""$(bindir)"\" \ -DLIBDIR=\""$(libdir)"\" \ diff --git a/daemons/ipa-slapi-plugins/ipa-enrollment/ipa_enrollment.c b/daemons/ipa-slapi-plugins/ipa-enrollment/ipa_enrollment.c index 8a9906aab5fabd5643fc6a03e9b48b2c5a26216f..bc5551eda29d11c2f4e75a1e1ef8cf4130b8f955 100644 --- a/daemons/ipa-slapi-plugins/ipa-enrollment/ipa_enrollment.c +++ b/daemons/ipa-slapi-plugins/ipa-enrollment/ipa_enrollment.c 
@@ -49,11 +49,15 @@ #include #include +#include "util.h" + +#define IPA_PLUGIN_NAME "ipa-enrollment" + /* OID of the extended operation handled by this plug-in */ #define JOIN_OID "2.16.840.1.113730.3.8.3.53" Slapi_PluginDesc pdesc = { - "ipa-enrollment", + IPA_PLUGIN_NAME, "IPA Project", "IPA/2.0", "IPA Enrollment Extended Operation plugin" @@ -80,21 +84,19 @@ ipaenrollement_secure(Slapi_PBlock *pb, char **errMesg) int sasl_ssf, is_ssl; int rc = LDAP_SUCCESS; - slapi_log_error(SLAPI_LOG_TRACE, "ipa_enrollment", "=> ipaenrollment_secure\n"); + LOG_TRACE("=> ipaenrollment_secure\n"); /* Allow enrollment only for SSL/TLS established connections and * connections using SASL privacy layers */ if (slapi_pblock_get(pb, SLAPI_CONN_SASL_SSF, &sasl_ssf) != 0) { - slapi_log_error(SLAPI_LOG_TRACE, "ipa_pwd_extop", - "Could not get SASL SSF from connection\n"); + LOG_TRACE("Could not get SASL SSF from connection\n"); *errMesg = "Operation requires a secure connection.\n"; rc = LDAP_OPERATIONS_ERROR; goto done; } if (slapi_pblock_get(pb, SLAPI_CONN_IS_SSL_SESSION, &is_ssl) != 0) { - slapi_log_error(SLAPI_LOG_TRACE, "ipa_pwd_extop", - "Could not get IS SSL from connection\n"); + LOG_TRACE("Could not get IS SSL from connection\n"); *errMesg = "Operation requires a secure connection.\n"; rc = LDAP_OPERATIONS_ERROR; goto done; @@ -107,7 +109,7 @@ ipaenrollement_secure(Slapi_PBlock *pb, char **errMesg) } done: - slapi_log_error(SLAPI_LOG_TRACE, "ipa_enrollment", "<= ipaenrollment_secure\n"); + LOG_TRACE("<= ipaenrollment_secure\n"); return rc; } @@ -175,9 +177,7 @@ ipa_join(Slapi_PBlock *pb) ret = slapi_search_internal_pb(pbte); slapi_pblock_get(pbte, SLAPI_PLUGIN_INTOP_RESULT, &res); if (ret == -1 || res != LDAP_SUCCESS) { - slapi_log_error(SLAPI_LOG_TRACE, "ipaenrollment_extop", - "Search for host failed, err (%d)\n", - res?res:ret); + LOG_TRACE("Search for host failed, err (%d)\n", res?res:ret); errMesg = "Host not found.\n"; rc = LDAP_NO_SUCH_OBJECT; goto free_and_return; 
@@ -186,7 +186,7 @@ ipa_join(Slapi_PBlock *pb) /* get entries */ slapi_pblock_get(pbte, SLAPI_PLUGIN_INTOP_SEARCH_ENTRIES, &es); if (!es) { - slapi_log_error(SLAPI_LOG_TRACE, "ipa_pwd_extop", "No entries ?!"); + LOG_TRACE("No entries ?!"); errMesg = "Host not found.\n"; rc = LDAP_NO_SUCH_OBJECT; goto free_and_return; @@ -197,8 +197,7 @@ ipa_join(Slapi_PBlock *pb) /* if there is none or more than one, freak out */ if (i != 1) { - slapi_log_error(SLAPI_LOG_TRACE, "ipaenrollment_extop", - "Too many entries, or entry no found (%d)", i); + LOG_TRACE("Too many entries, or entry no found (%d)", i); errMesg = "Host not found.\n"; rc = LDAP_NO_SUCH_OBJECT; goto free_and_return; @@ -208,8 +207,7 @@ ipa_join(Slapi_PBlock *pb) /* Is this host already enrolled? */ krbLastPwdChange = slapi_entry_attr_get_charptr(targetEntry, "krbLastPwdChange"); if (NULL != krbLastPwdChange) { - slapi_log_error(SLAPI_LOG_TRACE, "ipaenrollment_extop", - "Host already enrolled"); + LOG_TRACE("Host already enrolled"); errMesg = "Host already enrolled.\n"; rc = LDAP_OPERATIONS_ERROR; goto free_and_return; @@ -266,19 +264,16 @@ ipa_join(Slapi_PBlock *pb) rc = slapi_modify_internal_pb (pbtm); if (rc) { - slapi_log_error(SLAPI_LOG_TRACE, "ipaenrollment_extop", - "WARNING: modify error %d on entry '%s'\n", - rc, slapi_entry_get_dn_const(targetEntry)); + LOG_TRACE("WARNING: modify error %d on entry '%s'\n", + rc, slapi_entry_get_dn_const(targetEntry)); } else { slapi_pblock_get(pb, SLAPI_PLUGIN_INTOP_RESULT, &rc); if (rc != LDAP_SUCCESS){ - slapi_log_error(SLAPI_LOG_TRACE, "ipaenrollment_extop", - "WARNING: modify error %d on entry '%s'\n", - rc, slapi_entry_get_dn_const(targetEntry)); + LOG_TRACE("WARNING: modify error %d on entry '%s'\n", + rc, slapi_entry_get_dn_const(targetEntry)); } else { - slapi_log_error(SLAPI_LOG_TRACE, "ipaenrollment_extop", - "<= apply mods: Successful\n"); + LOG_TRACE("<= apply mods: Successful\n"); } } 
@@ -291,8 +286,7 @@ done: if (!ret) ret = slapi_pblock_set(pb, SLAPI_EXT_OP_RET_VALUE, &retbval); if (ret) { errMesg = "Could not set return values"; - slapi_log_error(SLAPI_LOG_PLUGIN, "ipaenrollmenti_extop", "%s\n", - errMesg); + LOG("%s\n", errMesg); rc = SLAPI_PLUGIN_EXTENDED_SENT_RESULT; } @@ -309,7 +303,7 @@ free_and_return: if (krbLastPwdChange) slapi_ch_free_string(&krbLastPwdChange); - slapi_log_error(SLAPI_LOG_PLUGIN, "ipaenrollment_extop", errMesg ? errMesg : "success\n"); + LOG(errMesg ? errMesg : "success\n"); slapi_send_ldap_result(pb, rc, NULL, errMesg, 0, NULL); free(principal); @@ -325,7 +319,7 @@ ipaenrollment_extop(Slapi_PBlock *pb) char *errMesg = NULL; int rc, ret; - slapi_log_error(SLAPI_LOG_TRACE, "ipa_enrollment", "=> ipaenrollment_extop\n"); + LOG_TRACE("=> ipaenrollment_extop\n"); rc = ipaenrollement_secure(pb, &errMesg); if (rc) { @@ -336,7 +330,7 @@ ipaenrollment_extop(Slapi_PBlock *pb) if (slapi_pblock_get(pb, SLAPI_EXT_OP_REQ_OID, &oid ) != 0) { errMesg = "Could not get OID and value from request.\n"; rc = LDAP_OPERATIONS_ERROR; - slapi_log_error(SLAPI_LOG_PLUGIN, "ipa_pwd_extop", errMesg); + LOG(errMesg); goto free_and_return; } @@ -349,7 +343,7 @@ ipaenrollment_extop(Slapi_PBlock *pb) rc = LDAP_OPERATIONS_ERROR; free_and_return: - slapi_log_error(SLAPI_LOG_PLUGIN, "ipa_enrollment", errMesg); + LOG(errMesg); slapi_send_ldap_result(pb, rc, NULL, errMesg, 0, NULL); return SLAPI_PLUGIN_EXTENDED_SENT_RESULT; 
@@ -369,35 +363,32 @@ ipaenrollment_start(Slapi_PBlock *pb) krberr = krb5_init_context(&krbctx); if (krberr) { - slapi_log_error(SLAPI_LOG_FATAL, "ipaenrollment_init", - "krb5_init_context failed\n"); + LOG_FATAL("krb5_init_context failed\n"); return LDAP_OPERATIONS_ERROR; } ret = krb5_get_default_realm(krbctx, &realm); if (ret) { - slapi_log_error(SLAPI_LOG_FATAL, "ipaenrollment_init", - "Failed to get default realm?!\n"); + LOG_FATAL("Failed to get default realm?!\n"); ret = LDAP_OPERATIONS_ERROR; } if (slapi_pblock_get(pb, SLAPI_TARGET_DN, &config_dn) != 0) { - slapi_log_error( SLAPI_LOG_FATAL, "ipaenrollment_start", "No config DN?\n"); + LOG_FATAL("No config DN?\n"); ret = LDAP_OPERATIONS_ERROR; goto done; } sdn = slapi_sdn_new_dn_byref(config_dn); if ((rc = slapi_search_internal_get_entry(sdn, NULL, &config_entry, ipaenrollment_plugin_id)) != LDAP_SUCCESS ){ - slapi_log_error(SLAPI_LOG_TRACE, "ipaenrollment_extop", - "ipaenrollment_start: No such entry-(%s), err (%d)\n", - config_dn, rc); + LOG_TRACE("ipaenrollment_start: No such entry-(%s), err (%d)\n", + config_dn, rc); } slapi_sdn_free(&sdn); partition_dn = slapi_entry_attr_get_charptr(config_entry, "nsslapd-realmtree"); if (!partition_dn) { - slapi_log_error( SLAPI_LOG_FATAL, "ipapwd_start", "Missing partition configuration entry (nsslapd-realmTree)!\n"); + LOG_FATAL("Missing partition configuration entry (nsslapd-realmTree)!\n"); ret = LDAP_OPERATIONS_ERROR; goto done; } @@ -405,7 +396,7 @@ ipaenrollment_start(Slapi_PBlock *pb) ipa_realm_dn = slapi_ch_smprintf("cn=computers,cn=accounts,%s", partition_dn); slapi_ch_free_string(&partition_dn); if (!ipa_realm_dn) { - slapi_log_error( SLAPI_LOG_FATAL, "ipapwd_start", "Out of memory ?\n"); + LOG_FATAL("Out of memory ?\n"); ret = LDAP_OPERATIONS_ERROR; goto done; } 
@@ -430,13 +421,11 @@ ipaenrollment_init(Slapi_PBlock *pb) ret = slapi_pblock_get(pb, SLAPI_PLUGIN_IDENTITY, &ipaenrollment_plugin_id); if ((ret != 0) || (NULL == ipaenrollment_plugin_id)) { - slapi_log_error(SLAPI_LOG_PLUGIN, - "ipaenrollment_init", "Could not get identity or identity was NULL\n"); + LOG("Could not get identity or identity was NULL\n"); return -1; } - slapi_log_error(SLAPI_LOG_PLUGIN, "ipaenrollment_init", - "Registering plug-in for extended op.\n"); + LOG("Registering plug-in for extended op.\n"); /* Register the plug-in function as an extended operation plug-in function. */ @@ -448,8 +437,7 @@ ipaenrollment_init(Slapi_PBlock *pb) if (!ret) slapi_pblock_set(pb, SLAPI_PLUGIN_EXT_OP_FN, (void *)ipaenrollment_extop); if (ret) { - slapi_log_error(SLAPI_LOG_PLUGIN, "ipaenrollment_init", - "Failed to set plug-in version, function, and OID.\n"); + LOG("Failed to set plug-in version, function, and OID.\n"); return -1; } diff --git a/daemons/ipa-slapi-plugins/ipa-modrdn/Makefile.am b/daemons/ipa-slapi-plugins/ipa-modrdn/Makefile.am index 57706246416c5bb309cf0403fe499f32536f5058..3b0ff629730e49244433dd85f9ca6fdb6211d838 100644 --- a/daemons/ipa-slapi-plugins/ipa-modrdn/Makefile.am +++ b/daemons/ipa-slapi-plugins/ipa-modrdn/Makefile.am @@ -1,8 +1,11 @@ NULL = +PLUGIN_COMMON_DIR=../common + INCLUDES = \ -I. \ -I$(srcdir) \ + -I$(PLUGIN_COMMON_DIR) \ -I/usr/include/dirsrv \ -DPREFIX=\""$(prefix)"\" \ -DBINDIR=\""$(bindir)"\" \ diff --git a/daemons/ipa-slapi-plugins/ipa-modrdn/ipa_modrdn.c b/daemons/ipa-slapi-plugins/ipa-modrdn/ipa_modrdn.c index 72e16e90c2f41f3601ece714bbcf781538a163f4..1e094f1d0eebb258bd9cd72450eefb09294f8598 100644 --- a/daemons/ipa-slapi-plugins/ipa-modrdn/ipa_modrdn.c +++ b/daemons/ipa-slapi-plugins/ipa-modrdn/ipa_modrdn.c 
@@ -44,40 +44,13 @@ #include "nspr.h" #include "prclist.h" -#define IPAMODRDN_PLUGIN_NAME "ipa-modrdn-plugin" +#include "util.h" + +#define IPA_PLUGIN_NAME "ipa-modrdn-plugin" #define IPAMODRDN_PLUGIN_VERSION 0x00010000 #define IPAMODRDN_DN "cn=IPA MODRDN,cn=plugins,cn=config" /* temporary */ -#define EOK 0 -#define EFAIL -1 - -#ifndef discard_const -#define discard_const(ptr) ((void *)((uintptr_t)(ptr))) -#endif - -#define log_func discard_const(__func__) - -#define LOG(fmt, ...) \ - slapi_log_error(SLAPI_LOG_PLUGIN, \ - IPAMODRDN_PLUGIN_NAME, \ - fmt, ##__VA_ARGS__) - -#define LOG_CONFIG(fmt, ...) \ - slapi_log_error(SLAPI_LOG_CONFIG, \ - IPAMODRDN_PLUGIN_NAME, \ - fmt, ##__VA_ARGS__) - -#define LOG_FATAL(fmt, ...) \ - slapi_log_error(SLAPI_LOG_FATAL, log_func, \ - "[file %s, line %d]: " fmt, \ - __FILE__, __LINE__, ##__VA_ARGS__) - -#define LOG_TRACE(fmt, ...) \ - slapi_log_error(SLAPI_LOG_TRACE, log_func, fmt, ##__VA_ARGS__) - -#define LOG_OOM() LOG_FATAL("Out of Memory!\n") - /** * IPA MODRDN config types */ @@ -701,7 +674,7 @@ ipamodrdn_change_attr(struct configEntry *cfgentry, mods[0] = &mod; mods[1] = 0; - LOG("Setting %s to %s in entry (%s)\n", cfgentry->tattr, targetdn); + LOG("Setting %s to %s in entry (%s)\n", cfgentry->tattr, value, targetdn); /* Perform the modify operation. */ slapi_modify_internal_set_pb(mod_pb, targetdn, mods, @@ -785,12 +758,12 @@ static int ipamodrdn_post_op(Slapi_PBlock *pb) } if (slapi_entry_attr_find(e, cfgentry->sattr, &sattr) != 0) { - LOG_TRACE("Source attr %s not found for %d\n", + LOG_TRACE("Source attr %s not found for %s\n", cfgentry->sattr, dn); continue; } if (slapi_entry_attr_find(e, cfgentry->tattr, &tattr) != 0) { - LOG_TRACE("Target attr %s not found for %d\n", + LOG_TRACE("Target attr %s not found for %s\n", cfgentry->tattr, dn); } else { Slapi_Value *val; 
@@ -805,7 +778,7 @@ static int ipamodrdn_post_op(Slapi_PBlock *pb) ret = ipamodrdn_change_attr(cfgentry, dn, strval); if (ret != EOK) { - LOG_FATAL("Failed to set target attr %s for %d\n", + LOG_FATAL("Failed to set target attr %s for %s\n", cfgentry->tattr, dn); } } diff --git a/daemons/ipa-slapi-plugins/ipa-pwd-extop/Makefile.am b/daemons/ipa-slapi-plugins/ipa-pwd-extop/Makefile.am index 6358eceb2db8d576a6efbfa7ffc7dd32b3060bc7..3577e48cc050a5d96987886b466f3b1ead71a646 100644 --- a/daemons/ipa-slapi-plugins/ipa-pwd-extop/Makefile.am +++ b/daemons/ipa-slapi-plugins/ipa-pwd-extop/Makefile.am @@ -1,8 +1,11 @@ NULL = +PLUGIN_COMMON_DIR=../common + INCLUDES = \ -I. \ -I$(srcdir) \ + -I$(PLUGIN_COMMON_DIR) \ -DPREFIX=\""$(prefix)"\" \ -DBINDIR=\""$(bindir)"\" \ -DLIBDIR=\""$(libdir)"\" \ diff --git a/daemons/ipa-slapi-plugins/ipa-pwd-extop/ipa_pwd_extop.c b/daemons/ipa-slapi-plugins/ipa-pwd-extop/ipa_pwd_extop.c index ed9637a00d2ced89b619076b3ce29d48d9d0398c..8df766e03b0613805f6bba1cb5b4ca24dc94b471 100644 --- a/daemons/ipa-slapi-plugins/ipa-pwd-extop/ipa_pwd_extop.c +++ b/daemons/ipa-slapi-plugins/ipa-pwd-extop/ipa_pwd_extop.c @@ -38,6 +38,7 @@ * END COPYRIGHT BLOCK **/ #include "ipapwd.h" +#include "util.h" /* * Password Modify - LDAP Extended Operation. diff --git a/daemons/ipa-slapi-plugins/ipa-pwd-extop/ipapwd.h b/daemons/ipa-slapi-plugins/ipa-pwd-extop/ipapwd.h index 5b15622fa999dfa48c79442794dc488fdaa273d9..523934ccdc46217b92b64b0f9ee57ef044b21a7c 100644 --- a/daemons/ipa-slapi-plugins/ipa-pwd-extop/ipapwd.h +++ b/daemons/ipa-slapi-plugins/ipa-pwd-extop/ipapwd.h 
@@ -64,26 +64,7 @@ #define IPAPWD_FEATURE_DESC "IPA Password Manager" #define IPAPWD_PLUGIN_DESC "IPA Password Extended Operation plugin" -#ifndef discard_const -#define discard_const(ptr) ((void *)((uintptr_t)(ptr))) -#endif - -#define log_func discard_const(__func__) - -#define LOG(fmt, ...) \ - slapi_log_error(SLAPI_LOG_PLUGIN, \ - IPAPWD_PLUGIN_NAME, \ - fmt, ##__VA_ARGS__) - -#define LOG_FATAL(fmt, ...) \ - slapi_log_error(SLAPI_LOG_FATAL, log_func, \ - "[file %s, line %d]: " fmt, \ - __FILE__, __LINE__, ##__VA_ARGS__) - -#define LOG_TRACE(fmt, ...) \ - slapi_log_error(SLAPI_LOG_TRACE, log_func, fmt, ##__VA_ARGS__) - -#define LOG_OOM() LOG_FATAL("Out of Memory!\n") +#define IPA_PLUGIN_NAME IPAPWD_PLUGIN_NAME #define IPAPWD_CHECK_CONN_SECURE 0x00000001 #define IPAPWD_CHECK_DN 0x00000002 diff --git a/daemons/ipa-slapi-plugins/ipa-pwd-extop/ipapwd_common.c b/daemons/ipa-slapi-plugins/ipa-pwd-extop/ipapwd_common.c index 514274e77308d4f8a850b5b1b71502517695e090..92c388a259c1caaa80779bbf005063b0fe1b48e0 100644 --- a/daemons/ipa-slapi-plugins/ipa-pwd-extop/ipapwd_common.c +++ b/daemons/ipa-slapi-plugins/ipa-pwd-extop/ipapwd_common.c @@ -38,6 +38,7 @@ * END COPYRIGHT BLOCK **/ #include "ipapwd.h" +#include "util.h" /* Type of connection for this operation;*/ #define LDAP_EXTOP_PASSMOD_CONN_SECURE diff --git a/daemons/ipa-slapi-plugins/ipa-pwd-extop/ipapwd_encoding.c b/daemons/ipa-slapi-plugins/ipa-pwd-extop/ipapwd_encoding.c index 527e178fe01b9f775fb0522f81eeedfcbde0ee50..451350163fe820d5a9ed6ff2494461ece3e7e1d8 100644 --- a/daemons/ipa-slapi-plugins/ipa-pwd-extop/ipapwd_encoding.c +++ b/daemons/ipa-slapi-plugins/ipa-pwd-extop/ipapwd_encoding.c @@ -53,6 +53,7 @@ #include #include "ipapwd.h" +#include "util.h" /* krbTicketFlags */ #define KTF_DISALLOW_POSTDATED 0x00000001 
diff --git a/daemons/ipa-slapi-plugins/ipa-pwd-extop/ipapwd_prepost.c b/daemons/ipa-slapi-plugins/ipa-pwd-extop/ipapwd_prepost.c index 6636d611a2facca5ead4d5d474f1494ea9675e41..44b280bfd61f685ccf0a2e720648bc5b0e7d7372 100644 --- a/daemons/ipa-slapi-plugins/ipa-pwd-extop/ipapwd_prepost.c +++ b/daemons/ipa-slapi-plugins/ipa-pwd-extop/ipapwd_prepost.c @@ -53,6 +53,7 @@ #include #include "ipapwd.h" +#include "util.h" #define IPAPWD_OP_NULL 0 #define IPAPWD_OP_ADD 1 diff --git a/daemons/ipa-slapi-plugins/ipa-uuid/Makefile.am b/daemons/ipa-slapi-plugins/ipa-uuid/Makefile.am index 167a196314bd4e7fa0b23827730c5dfed570c67f..1e5d9793779a43c0d23f34ae1dc69824af1a1c9e 100644 --- a/daemons/ipa-slapi-plugins/ipa-uuid/Makefile.am +++ b/daemons/ipa-slapi-plugins/ipa-uuid/Makefile.am @@ -1,8 +1,11 @@ NULL = +PLUGIN_COMMON_DIR=../common + INCLUDES = \ -I. \ -I$(srcdir) \ + -I$(PLUGIN_COMMON_DIR) \ -I/usr/include/dirsrv \ -DPREFIX=\""$(prefix)"\" \ -DBINDIR=\""$(bindir)"\" \ diff --git a/daemons/ipa-slapi-plugins/ipa-uuid/ipa_uuid.c b/daemons/ipa-slapi-plugins/ipa-uuid/ipa_uuid.c index 919abc821e290b74623deb7121f71d46118f71a5..1f6e5d30a53b35a21506b6fc1fc8aacf42827484 100644 --- a/daemons/ipa-slapi-plugins/ipa-uuid/ipa_uuid.c +++ b/daemons/ipa-slapi-plugins/ipa-uuid/ipa_uuid.c 
@@ -45,41 +45,16 @@ #include "prclist.h" #include "uuid/uuid.h" +#include "util.h" + +#define IPAUUID_STR_SIZE 36 + #define IPAUUID_PLUGIN_NAME "ipa-uuid-plugin" #define IPAUUID_PLUGIN_VERSION 0x00010000 #define IPAUUID_DN "cn=IPA UUID,cn=plugins,cn=config" /* temporary */ -#define IPAUUID_SUCCESS 0 -#define IPAUUID_FAILURE -1 - -#define IPAUUID_STR_SIZE 36 - -#ifndef discard_const -#define discard_const(ptr) ((void *)((uintptr_t)(ptr))) -#endif - -#define log_func discard_const(__func__) - -#define LOG(fmt, ...) \ - slapi_log_error(SLAPI_LOG_PLUGIN, \ - IPAUUID_PLUGIN_NAME, \ - fmt, ##__VA_ARGS__) - -#define LOG_CONFIG(fmt, ...) \ - slapi_log_error(SLAPI_LOG_CONFIG, \ - IPAUUID_PLUGIN_NAME, \ - fmt, ##__VA_ARGS__) - -#define LOG_FATAL(fmt, ...) \ - slapi_log_error(SLAPI_LOG_FATAL, log_func, \ - "[file %s, line %d]: " fmt, \ - __FILE__, __LINE__, ##__VA_ARGS__) - -#define LOG_TRACE(fmt, ...) \ - slapi_log_error(SLAPI_LOG_TRACE, log_func, fmt, ##__VA_ARGS__) - -#define LOG_OOM() LOG_FATAL("Out of Memory!\n") +#define IPA_PLUGIN_NAME IPAUUID_PLUGIN_NAME /** * IPA UUID config types @@ -235,7 +210,7 @@ char *getPluginDN() int ipauuid_init(Slapi_PBlock *pb) { - int status = IPAUUID_SUCCESS; + int status = EOK; char *plugin_identity = NULL; LOG_TRACE("--in-->\n"); @@ -281,7 +256,7 @@ ipauuid_init(Slapi_PBlock *pb) ) ) { LOG_FATAL("failed to register plugin\n"); - status = IPAUUID_FAILURE; + status = EFAIL; } LOG_TRACE("<--out--\n"); @@ -291,7 +266,7 @@ ipauuid_init(Slapi_PBlock *pb) static int ipauuid_internal_preop_init(Slapi_PBlock *pb) { - int status = IPAUUID_SUCCESS; + int status = EOK; if (slapi_pblock_set(pb, SLAPI_PLUGIN_VERSION, SLAPI_PLUGIN_VERSION_01) != 0 || @@ -301,7 +276,7 @@ ipauuid_internal_preop_init(Slapi_PBlock *pb) (void *) ipauuid_mod_pre_op) != 0 || slapi_pblock_set(pb, SLAPI_PLUGIN_INTERNAL_PRE_ADD_FN, (void *) ipauuid_add_pre_op) != 0) { - status = IPAUUID_FAILURE; + status = EFAIL; } return status; 
@@ -310,7 +285,7 @@ ipauuid_internal_preop_init(Slapi_PBlock *pb) static int ipauuid_postop_init(Slapi_PBlock *pb) { - int status = IPAUUID_SUCCESS; + int status = EOK; if (slapi_pblock_set(pb, SLAPI_PLUGIN_VERSION, SLAPI_PLUGIN_VERSION_01) != 0 || @@ -325,7 +300,7 @@ ipauuid_postop_init(Slapi_PBlock *pb) slapi_pblock_set(pb, SLAPI_PLUGIN_POST_MODIFY_FN, (void *) ipauuid_config_check_post_op) != 0) { LOG_FATAL("failed to register plugin\n"); - status = IPAUUID_FAILURE; + status = EFAIL; } return status; @@ -355,7 +330,7 @@ ipauuid_start(Slapi_PBlock * pb) if (!g_ipauuid_cache_lock) { LOG_FATAL("lock creation failed\n"); - return IPAUUID_FAILURE; + return EFAIL; } /** @@ -381,9 +356,9 @@ ipauuid_start(Slapi_PBlock * pb) slapi_ch_calloc(1, sizeof(struct configEntry)); PR_INIT_CLIST(ipauuid_global_config); - if (ipauuid_load_plugin_config() != IPAUUID_SUCCESS) { + if (ipauuid_load_plugin_config() != EOK) { LOG_FATAL("unable to load plug-in configuration\n"); - return IPAUUID_FAILURE; + return EFAIL; } g_plugin_started = 1; @@ -391,7 +366,7 @@ ipauuid_start(Slapi_PBlock * pb) LOG_TRACE("<--out--\n"); done: - return IPAUUID_SUCCESS; + return EOK; } /* @@ -410,7 +385,7 @@ ipauuid_close(Slapi_PBlock * pb) LOG_TRACE("<--out--\n"); - return IPAUUID_SUCCESS; + return EOK; } /* @@ -426,7 +401,7 @@ ipauuid_close(Slapi_PBlock * pb) static int ipauuid_load_plugin_config() { - int status = IPAUUID_SUCCESS; + int status = EOK; int result; int i; time_t now; @@ -447,14 +422,14 @@ ipauuid_load_plugin_config() slapi_pblock_get(search_pb, SLAPI_PLUGIN_INTOP_RESULT, &result); if (LDAP_SUCCESS != result) { - status = IPAUUID_FAILURE; + status = EFAIL; goto cleanup; } slapi_pblock_get(search_pb, SLAPI_PLUGIN_INTOP_SEARCH_ENTRIES, &entries); if (NULL == entries || NULL == entries[0]) { - status = IPAUUID_SUCCESS; + status = EOK; goto cleanup; } 
@@ -482,7 +457,7 @@ ipauuid_load_plugin_config() * validate config without making any changes by setting apply * to 0. * - * Returns IPAUUID_SUCCESS if the entry is valid and IPAUUID_FAILURE + * Returns EOK if the entry is valid and EFAIL * if it is invalid. */ static int @@ -494,20 +469,20 @@ ipauuid_parse_config_entry(Slapi_Entry * e, bool apply) PRCList *list; int entry_added = 0; int i = 0; - int ret = IPAUUID_SUCCESS; + int ret = EOK; LOG_TRACE("--in-->\n"); /* If this is the main UUID plug-in config entry, just bail. */ if (strcasecmp(getPluginDN(), slapi_entry_get_ndn(e)) == 0) { - ret = IPAUUID_FAILURE; + ret = EFAIL; goto bail; } entry = (struct configEntry *) slapi_ch_calloc(1, sizeof(struct configEntry)); if (NULL == entry) { - ret = IPAUUID_FAILURE; + ret = EFAIL; goto bail; } @@ -521,7 +496,7 @@ ipauuid_parse_config_entry(Slapi_Entry * e, bool apply) if (!entry->attr) { LOG_FATAL("The %s config setting is required for %s.\n", IPAUUID_ATTR, entry->dn); - ret = IPAUUID_FAILURE; + ret = EFAIL; goto bail; } LOG_CONFIG("----------> %s [%s]\n", IPAUUID_ATTR, entry->attr); @@ -544,13 +519,13 @@ ipauuid_parse_config_entry(Slapi_Entry * e, bool apply) if (NULL == (entry->slapi_filter = slapi_str2filter(value))) { LOG_FATAL("Error: Invalid search filter in entry [%s]: [%s]\n", entry->dn, value); - ret = IPAUUID_FAILURE; + ret = EFAIL; goto bail; } } else { LOG_FATAL("The %s config setting is required for %s.\n", IPAUUID_FILTER, entry->dn); - ret = IPAUUID_FAILURE; + ret = EFAIL; goto bail; } LOG_CONFIG("----------> %s [%s]\n", IPAUUID_FILTER, value); @@ -561,7 +536,7 @@ ipauuid_parse_config_entry(Slapi_Entry * e, bool apply) } else { LOG_FATAL("The %s config config setting is required for %s.\n", IPAUUID_SCOPE, entry->dn); - ret = IPAUUID_FAILURE; + ret = EFAIL; goto bail; } LOG_CONFIG("----------> %s [%s]\n", IPAUUID_SCOPE, entry->scope); 
@@ -622,7 +597,7 @@ bail: } ipauuid_free_config_entry(&entry); } else { - ret = IPAUUID_SUCCESS; + ret = EOK; } LOG_TRACE("<--out--\n"); @@ -886,7 +861,7 @@ static int ipauuid_pre_op(Slapi_PBlock *pb, int modtype) test_e = resulting_e; } - if (ipauuid_parse_config_entry(test_e, false) != IPAUUID_SUCCESS) { + if (ipauuid_parse_config_entry(test_e, false) != EOK) { /* Refuse the operation if config parsing failed. */ ret = LDAP_UNWILLING_TO_PERFORM; if (LDAP_CHANGETYPE_ADD == modtype) { @@ -1201,7 +1176,7 @@ done: LOG("operation failure [%d]\n", ret); slapi_send_ldap_result(pb, ret, NULL, errstr, 0, NULL); slapi_ch_free((void **)&errstr); - ret = IPAUUID_FAILURE; + ret = EFAIL; } LOG_TRACE("<--out--\n"); diff --git a/daemons/ipa-slapi-plugins/ipa-version/Makefile.am b/daemons/ipa-slapi-plugins/ipa-version/Makefile.am index 331ce7f1bcf7e24e499a38760683c81415a29b27..f90543ee426438820356541041c2480a5808ea95 100644 --- a/daemons/ipa-slapi-plugins/ipa-version/Makefile.am +++ b/daemons/ipa-slapi-plugins/ipa-version/Makefile.am @@ -1,9 +1,12 @@ NULL = +PLUGIN_COMMON_DIR=../common + INCLUDES = \ -I. \ -I../../ \ -I$(srcdir) \ + -I$(PLUGIN_COMMON_DIR) \ -I/usr/include/dirsrv \ -DPREFIX=\""$(prefix)"\" \ -DBINDIR=\""$(bindir)"\" \ diff --git a/daemons/ipa-slapi-plugins/ipa-version/ipa_repl_version.c b/daemons/ipa-slapi-plugins/ipa-version/ipa_repl_version.c index a93800134b42c310c0d5f064e5892768c1c4823d..e8c633be6dd13a35d0a05d233b542b846a4f8560 100644 --- a/daemons/ipa-slapi-plugins/ipa-version/ipa_repl_version.c +++ b/daemons/ipa-slapi-plugins/ipa-version/ipa_repl_version.c 
@@ -38,12 +38,13 @@ #include "slapi-plugin.h" #include "repl-session-plugin.h" #include "ipa-version.h" +#include "util.h" #include /* Identify the type of data we're sending, an unsigned int in this case */ #define REPL_VERSION_DATA_GUID "2D562D8B-2F30-4447-AF76-2B721D1D5F6A" -static char *repl_version_plugin_name = "ipa_replication_version"; +#define IPA_PLUGIN_NAME "ipa_replication_version" static char *data_version = NULL; /* @@ -74,8 +75,7 @@ static int repl_version_plugin_pre_acquire_cb(void *cookie, const Slapi_DN *repl_subtree, int is_total, char **data_guid, struct berval **data) { - slapi_log_error(SLAPI_LOG_PLUGIN, repl_version_plugin_name, - "repl_version_plugin_pre_acquire_cb() called for suffix \"%s\", " + LOG("repl_version_plugin_pre_acquire_cb() called for suffix \"%s\", " "is_total: \"%s\".\n", slapi_sdn_get_ndn(repl_subtree), is_total ? "TRUE" : "FALSE"); @@ -85,9 +85,8 @@ repl_version_plugin_pre_acquire_cb(void *cookie, const Slapi_DN *repl_subtree, (*data)->bv_val = slapi_ch_smprintf("%s", data_version); (*data)->bv_len = strlen((*data)->bv_val) + 1; - slapi_log_error(SLAPI_LOG_PLUGIN, repl_version_plugin_name, - "repl_version_plugin_pre_acquire_cb() sending data: guid: \"%s\" data: \"%s\".\n", - *data_guid, (*data)->bv_val); + LOG("repl_version_plugin_pre_acquire_cb() sending data: guid: \"%s\" data: \"%s\".\n", + *data_guid, (*data)->bv_val); return 0; } 
@@ -108,18 +107,17 @@ static int repl_version_plugin_recv_acquire_cb(const char *repl_subtree, int is_total, const char *data_guid, const struct berval *data) { - slapi_log_error(SLAPI_LOG_PLUGIN, repl_version_plugin_name, - "test_repl_session_plugin_recv_acquire_cb() called for suffix \"%s\", is_total: \"%s\".\n", + LOG("test_repl_session_plugin_recv_acquire_cb() called for suffix \"%s\", is_total: \"%s\".\n", repl_subtree, is_total ? "TRUE" : "FALSE"); /* compare our data version to the master data version */ if (data_guid && data && (strcmp(data_guid, REPL_VERSION_DATA_GUID) == 0)) { - slapi_log_error(SLAPI_LOG_PLUGIN, repl_version_plugin_name, - "repl_version_plugin_recv_acquire_cb() received data: guid: \"%s\" data: \"%s\".\n", + LOG("repl_version_plugin_recv_acquire_cb() received data: guid: \"%s\" data: \"%s\".\n", data_guid, data->bv_val); if (!(strcmp(data_version, data->bv_val) == 0)) { - slapi_log_error(SLAPI_LOG_FATAL, repl_version_plugin_name, - "Incompatible IPA versions, pausing replication. This server: \"%s\" remote server: \"%s\".\n", data_version, data->bv_val); + LOG_FATAL("Incompatible IPA versions, pausing replication. " + "This server: \"%s\" remote server: \"%s\".\n", + data_version, data->bv_val); return 1; } } 
@@ -146,35 +144,30 @@ static void *repl_version_api[] = { static int repl_version_plugin_start(Slapi_PBlock *pb) { - slapi_log_error(SLAPI_LOG_PLUGIN, repl_version_plugin_name, - "--> repl_version_plugin_start -- begin\n"); + LOG("--> repl_version_plugin_start -- begin\n"); - data_version = slapi_ch_smprintf("%llu", DATA_VERSION); + data_version = slapi_ch_smprintf("%llu", (unsigned long long) DATA_VERSION); - slapi_log_error(SLAPI_LOG_PLUGIN, repl_version_plugin_name, - "<-- repl_version_plugin_start -- end\n"); + LOG("<-- repl_version_plugin_start -- end\n"); return 0; } static int repl_version_plugin_close(Slapi_PBlock *pb) { - slapi_log_error(SLAPI_LOG_PLUGIN, repl_version_plugin_name, - "--> repl_version_plugin_close -- begin\n"); + LOG("--> repl_version_plugin_close -- begin\n"); slapi_apib_unregister(REPL_SESSION_v1_0_GUID); slapi_ch_free_string(&data_version); - slapi_log_error(SLAPI_LOG_PLUGIN, repl_version_plugin_name, - "<-- repl_version_plugin_close -- end\n"); + LOG("<-- repl_version_plugin_close -- end\n"); return 0; } int repl_version_plugin_init(Slapi_PBlock *pb) { - slapi_log_error(SLAPI_LOG_PLUGIN, repl_version_plugin_name, - "--> repl_version_plugin_init -- begin\n"); + LOG("--> repl_version_plugin_init -- begin\n"); if ( slapi_pblock_set( pb, SLAPI_PLUGIN_VERSION, SLAPI_PLUGIN_VERSION_01 ) != 0 || 
@@ -185,14 +178,12 @@ int repl_version_plugin_init(Slapi_PBlock *pb) slapi_pblock_set( pb, SLAPI_PLUGIN_DESCRIPTION, (void *)&repl_version_pdesc ) != 0 ) { - slapi_log_error( SLAPI_LOG_FATAL, repl_version_plugin_name, - "<-- repl_version_plugin_init -- failed to register plugin -- end\n"); + LOG_FATAL("<-- repl_version_plugin_init -- failed to register plugin -- end\n"); return -1; } if( slapi_apib_register(REPL_SESSION_v1_0_GUID, repl_version_api) ) { - slapi_log_error( SLAPI_LOG_FATAL, repl_version_plugin_name, - "<-- repl_version_plugin_start -- failed to register repl_version api -- end\n"); + LOG_FATAL("<-- repl_version_plugin_start -- failed to register repl_version api -- end\n"); return -1; } @@ -200,12 +191,10 @@ int repl_version_plugin_init(Slapi_PBlock *pb) /* Retrieve and save the plugin identity to later pass to internal operations */ if (slapi_pblock_get(pb, SLAPI_PLUGIN_IDENTITY, &repl_version_plugin_id) != 0) { - slapi_log_error(SLAPI_LOG_FATAL, repl_version_plugin_name, - "<-- repl_version_plugin_init -- failed to retrieve plugin identity -- end\n"); + LOG_FATAL("<-- repl_version_plugin_init -- failed to retrieve plugin identity -- end\n"); return -1; } - slapi_log_error( SLAPI_LOG_PLUGIN, repl_version_plugin_name, - "<-- repl_version_plugin_init -- end\n"); + LOG("<-- repl_version_plugin_init -- end\n"); return 0; } diff --git a/daemons/ipa-slapi-plugins/ipa-winsync/Makefile.am b/daemons/ipa-slapi-plugins/ipa-winsync/Makefile.am index 94bc2dc68af33c59d91116b5c54739e4ec94e90b..79c37becb4bf8e62e91ce87c5333623de5421d31 100644 --- a/daemons/ipa-slapi-plugins/ipa-winsync/Makefile.am +++ b/daemons/ipa-slapi-plugins/ipa-winsync/Makefile.am @@ -1,8 +1,11 @@ NULL = +PLUGIN_COMMON_DIR=../common + INCLUDES = \ -I. \ -I$(srcdir) \ + -I$(PLUGIN_COMMON_DIR) \ -DPREFIX=\""$(prefix)"\" \ -DBINDIR=\""$(bindir)"\" \ -DLIBDIR=\""$(libdir)"\" \ 
diff --git a/daemons/ipa-slapi-plugins/ipa-winsync/ipa-winsync-config.c b/daemons/ipa-slapi-plugins/ipa-winsync/ipa-winsync-config.c index 45efa6df09fdce93ae1c60dcbbdf71122d1d0fc3..5e762bc426b46993606661a6fdd267fca38013cc 100644 --- a/daemons/ipa-slapi-plugins/ipa-winsync/ipa-winsync-config.c +++ b/daemons/ipa-slapi-plugins/ipa-winsync/ipa-winsync-config.c @@ -109,10 +109,9 @@ ipa_winsync_config(Slapi_Entry *config_e) char returntext[SLAPI_DSE_RETURNTEXT_SIZE]; if ( inited ) { - slapi_log_error( SLAPI_LOG_FATAL, IPA_WINSYNC_PLUGIN_NAME, - "Error: IPA WinSync plug-in already configured. " - "Please remove the plugin config entry [%s]\n", - slapi_entry_get_dn_const(config_e)); + LOG_FATAL("Error: IPA WinSync plug-in already configured. " + "Please remove the plugin config entry [%s]\n", + slapi_entry_get_dn_const(config_e)); return( LDAP_PARAM_ERROR ); } @@ -150,8 +149,7 @@ ipa_winsync_config(Slapi_Entry *config_e) inited = 1; if (returncode != LDAP_SUCCESS) { - slapi_log_error(SLAPI_LOG_FATAL, IPA_WINSYNC_PLUGIN_NAME, - "Error %d: %s\n", returncode, returntext); + LOG_FATAL("Error %d: %s\n", returncode, returntext); } return returncode; @@ -264,9 +262,8 @@ ipa_winsync_validate_config (Slapi_PBlock *pb, Slapi_Entry* entryBefore, Slapi_E /* get new_user_oc_attr */ if (!(attrsvals = slapi_entry_attr_get_charray( e, IPA_WINSYNC_NEW_USER_ATTRS_VALS))) { - slapi_log_error(SLAPI_LOG_PLUGIN, IPA_WINSYNC_PLUGIN_NAME, - "Info: no default attributes and values given in [%s]\n", - IPA_WINSYNC_NEW_USER_ATTRS_VALS); + LOG("Info: no default attributes and values given in [%s]\n", + IPA_WINSYNC_NEW_USER_ATTRS_VALS); } /* format of *attrsvals is "attrname value" */ 
@@ -461,9 +458,8 @@ ipa_winsync_apply_config (Slapi_PBlock *pb, Slapi_Entry* entryBefore, /* get new_user_oc_attr */ if (!(attrsvals = slapi_entry_attr_get_charray( e, IPA_WINSYNC_NEW_USER_ATTRS_VALS))) { - slapi_log_error(SLAPI_LOG_PLUGIN, IPA_WINSYNC_PLUGIN_NAME, - "Info: no default attributes and values given in [%s]\n", - IPA_WINSYNC_NEW_USER_ATTRS_VALS); + LOG("Info: no default attributes and values given in [%s]\n", + IPA_WINSYNC_NEW_USER_ATTRS_VALS); } /* get acct disable sync value */ @@ -688,20 +684,18 @@ internal_find_entry_get_attr_val(const Slapi_DN *basedn, int scope, */ slapi_pblock_get(pb, SLAPI_PLUGIN_INTOP_RESULT, &ret); if (ret != LDAP_SUCCESS) { - slapi_log_error(SLAPI_LOG_FATAL, IPA_WINSYNC_PLUGIN_NAME, - "Error [%d:%s] searching for base [%s] filter [%s]" - " attr [%s]\n", ret, ldap_err2string(ret), - search_basedn, filter, attrs[0]); + LOG_FATAL("Error [%d:%s] searching for base [%s] filter [%s]" + " attr [%s]\n", ret, ldap_err2string(ret), + search_basedn, filter, attrs[0]); goto out1; } slapi_pblock_get(pb, SLAPI_PLUGIN_INTOP_SEARCH_ENTRIES, &entries); if (entries && entries[0] && entries[1]) { /* error - should never be more than one matching entry */ - slapi_log_error(SLAPI_LOG_FATAL, IPA_WINSYNC_PLUGIN_NAME, - "Error: more than one entry matches search for " - "base [%s] filter [%s] attr [%s]\n", - search_basedn, filter, attrs[0]); + LOG_FATAL("Error: more than one entry matches search for " + "base [%s] filter [%s] attr [%s]\n", + search_basedn, filter, attrs[0]); ret = LDAP_UNWILLING_TO_PERFORM; goto out1; } @@ -724,10 +718,9 @@ internal_find_entry_get_attr_val(const Slapi_DN *basedn, int scope, } } else { ret = LDAP_NO_SUCH_OBJECT; - slapi_log_error(SLAPI_LOG_PLUGIN, IPA_WINSYNC_PLUGIN_NAME, - "Did not find an entry for search " - "base [%s] filter [%s] attr [%s]\n", - search_basedn, filter, attrs[0]); + LOG("Did not find an entry for search " + "base [%s] filter [%s] attr [%s]\n", + search_basedn, filter, attrs[0]); } out1: 
@@ -814,10 +807,9 @@ ipa_winsync_config_refresh_domain( if (!iwdc->realm_name) { /* error - could not find the IPA config entry with the realm name */ - slapi_log_error(SLAPI_LOG_FATAL, IPA_WINSYNC_PLUGIN_NAME, - "Error: could not find the entry containing the realm name for " - "ds subtree [%s] filter [%s] attr [%s]\n", - slapi_sdn_get_dn(ds_subtree), realm_filter, realm_attr); + LOG_FATAL("Error: could not find the entry containing the realm name for " + "ds subtree [%s] filter [%s] attr [%s]\n", + slapi_sdn_get_dn(ds_subtree), realm_filter, realm_attr); goto out; } @@ -828,10 +820,9 @@ ipa_winsync_config_refresh_domain( &new_user_objclasses, NULL); if (!new_user_objclasses) { /* error - could not find the entry containing list of objectclasses */ - slapi_log_error(SLAPI_LOG_FATAL, IPA_WINSYNC_PLUGIN_NAME, - "Error: could not find the entry containing the new user objectclass list for " - "ds subtree [%s] filter [%s] attr [%s]\n", - slapi_sdn_get_dn(ds_subtree), new_entry_filter, new_user_oc_attr); + LOG_FATAL("Error: could not find the entry containing the new user objectclass list for " + "ds subtree [%s] filter [%s] attr [%s]\n", + slapi_sdn_get_dn(ds_subtree), new_entry_filter, new_user_oc_attr); goto out; } @@ -844,10 +835,9 @@ ipa_winsync_config_refresh_domain( NULL, &iwdc->homedir_prefix); if (!iwdc->homedir_prefix) { /* error - could not find the home dir prefix */ - slapi_log_error(SLAPI_LOG_FATAL, IPA_WINSYNC_PLUGIN_NAME, - "Error: could not find the entry containing the home directory prefix for " - "ds subtree [%s] filter [%s] attr [%s]\n", - slapi_sdn_get_dn(ds_subtree), new_entry_filter, homedir_prefix_attr); + LOG_FATAL("Error: could not find the entry containing the home directory prefix for " + "ds subtree [%s] filter [%s] attr [%s]\n", + slapi_sdn_get_dn(ds_subtree), new_entry_filter, homedir_prefix_attr); goto out; } 
@@ -860,10 +850,9 @@ ipa_winsync_config_refresh_domain( NULL, &default_group_name); if (!default_group_name) { /* error - could not find the default group name */ - slapi_log_error(SLAPI_LOG_FATAL, IPA_WINSYNC_PLUGIN_NAME, - "Error: could not find the entry containing the default group name for " - "ds subtree [%s] filter [%s] attr [%s]\n", - slapi_sdn_get_dn(ds_subtree), new_entry_filter, default_group_attr); + LOG_FATAL("Error: could not find the entry containing the default group name for " + "ds subtree [%s] filter [%s] attr [%s]\n", + slapi_sdn_get_dn(ds_subtree), new_entry_filter, default_group_attr); goto out; } @@ -877,10 +866,9 @@ ipa_winsync_config_refresh_domain( NULL, &default_gid); if (!default_gid) { /* error - could not find the default gidNumber */ - slapi_log_error(SLAPI_LOG_FATAL, IPA_WINSYNC_PLUGIN_NAME, - "Error: could not find the entry containing the default gidNumber " - "ds subtree [%s] filter [%s] attr [%s]\n", - slapi_sdn_get_dn(ds_subtree), new_entry_filter, "gidNumber"); + LOG_FATAL("Error: could not find the entry containing the default gidNumber " + "ds subtree [%s] filter [%s] attr [%s]\n", + slapi_sdn_get_dn(ds_subtree), new_entry_filter, "gidNumber"); goto out; } @@ -897,10 +885,9 @@ ipa_winsync_config_refresh_domain( NULL, &inactivated_group_dn); if (!inactivated_group_dn) { /* error - could not find the inactivated group dn */ - slapi_log_error(SLAPI_LOG_FATAL, IPA_WINSYNC_PLUGIN_NAME, - "Error: could not find the DN of the inactivated users group " - "ds subtree [%s] filter [%s]\n", - slapi_sdn_get_dn(ds_subtree), inactivated_filter); + LOG_FATAL("Error: could not find the DN of the inactivated users group " + "ds subtree [%s] filter [%s]\n", + slapi_sdn_get_dn(ds_subtree), inactivated_filter); goto out; } ret = internal_find_entry_get_attr_val(config_dn, search_scope, 
@@ -908,10 +895,9 @@ ipa_winsync_config_refresh_domain( NULL, &activated_group_dn); if (!activated_group_dn) { /* error - could not find the activated group dn */ - slapi_log_error(SLAPI_LOG_FATAL, IPA_WINSYNC_PLUGIN_NAME, - "Error: could not find the DN of the activated users group " - "ds subtree [%s] filter [%s]\n", - slapi_sdn_get_dn(ds_subtree), activated_filter); + LOG_FATAL("Error: could not find the DN of the activated users group " + "ds subtree [%s] filter [%s]\n", + slapi_sdn_get_dn(ds_subtree), activated_filter); goto out; } } diff --git a/daemons/ipa-slapi-plugins/ipa-winsync/ipa-winsync.c b/daemons/ipa-slapi-plugins/ipa-winsync/ipa-winsync.c index 9ee8805bb1bf9683a194d82f16e6e6ea7d5f5141..4e2d534fc174657e02be1c0692de01f8745d4ba8 100644 --- a/daemons/ipa-slapi-plugins/ipa-winsync/ipa-winsync.c +++ b/daemons/ipa-slapi-plugins/ipa-winsync/ipa-winsync.c @@ -59,8 +59,6 @@ #endif #include "ipa-winsync.h" -static char *ipa_winsync_plugin_name = IPA_WINSYNC_PLUGIN_NAME; - static void sync_acct_disable( void *cbdata, /* the usual domain config data */ @@ -87,16 +85,14 @@ static void * ipa_winsync_agmt_init(const Slapi_DN *ds_subtree, const Slapi_DN *ad_subtree) { void *cbdata = NULL; - slapi_log_error(SLAPI_LOG_PLUGIN, ipa_winsync_plugin_name, - "--> ipa_winsync_agmt_init [%s] [%s] -- begin\n", - slapi_sdn_get_dn(ds_subtree), - slapi_sdn_get_dn(ad_subtree)); + LOG("--> ipa_winsync_agmt_init [%s] [%s] -- begin\n", + slapi_sdn_get_dn(ds_subtree), + slapi_sdn_get_dn(ad_subtree)); /* do the domain specific configuration based on the ds subtree */ cbdata = ipa_winsync_config_new_domain(ds_subtree, ad_subtree); - slapi_log_error(SLAPI_LOG_PLUGIN, ipa_winsync_plugin_name, - "<-- ipa_winsync_agmt_init -- end\n"); + LOG("<-- ipa_winsync_agmt_init -- end\n"); return cbdata; } 
@@ -106,11 +102,9 @@ ipa_winsync_dirsync_search_params_cb(void *cbdata, const char *agmt_dn, char **base, int *scope, char **filter, char ***attrs, LDAPControl ***serverctrls) { - slapi_log_error(SLAPI_LOG_PLUGIN, ipa_winsync_plugin_name, - "--> ipa_winsync_dirsync_search_params_cb -- begin\n"); + LOG("--> ipa_winsync_dirsync_search_params_cb -- begin\n"); - slapi_log_error(SLAPI_LOG_PLUGIN, ipa_winsync_plugin_name, - "<-- ipa_winsync_dirsync_search_params_cb -- end\n"); + LOG("<-- ipa_winsync_dirsync_search_params_cb -- end\n"); return; } @@ -121,11 +115,9 @@ ipa_winsync_pre_ad_search_cb(void *cbdata, const char *agmt_dn, char **base, int *scope, char **filter, char ***attrs, LDAPControl ***serverctrls) { - slapi_log_error(SLAPI_LOG_PLUGIN, ipa_winsync_plugin_name, - "--> ipa_winsync_pre_ad_search_cb -- begin\n"); + LOG("--> ipa_winsync_pre_ad_search_cb -- begin\n"); - slapi_log_error(SLAPI_LOG_PLUGIN, ipa_winsync_plugin_name, - "<-- ipa_winsync_pre_ad_search_cb -- end\n"); + LOG("<-- ipa_winsync_pre_ad_search_cb -- end\n"); return; } @@ -136,16 +128,13 @@ ipa_winsync_pre_ds_search_entry_cb(void *cbdata, const char *agmt_dn, char **base, int *scope, char **filter, char ***attrs, LDAPControl ***serverctrls) { - slapi_log_error(SLAPI_LOG_PLUGIN, ipa_winsync_plugin_name, - "--> ipa_winsync_pre_ds_search_cb -- begin\n"); + LOG("--> ipa_winsync_pre_ds_search_cb -- begin\n"); - slapi_log_error(SLAPI_LOG_PLUGIN, ipa_winsync_plugin_name, - "-- ipa_winsync_pre_ds_search_cb - base [%s] " - "scope [%d] filter [%s]\n", - *base, *scope, *filter); + LOG("-- ipa_winsync_pre_ds_search_cb - base [%s] " + "scope [%d] filter [%s]\n", + *base, *scope, *filter); - slapi_log_error(SLAPI_LOG_PLUGIN, ipa_winsync_plugin_name, - "<-- ipa_winsync_pre_ds_search_cb -- end\n"); + LOG("<-- ipa_winsync_pre_ds_search_cb -- end\n"); return; } 
@@ -156,9 +145,8 @@ ipa_winsync_pre_ds_search_all_cb(void *cbdata, const char *agmt_dn, char **base, int *scope, char **filter, char ***attrs, LDAPControl ***serverctrls) { - slapi_log_error(SLAPI_LOG_PLUGIN, ipa_winsync_plugin_name, - "--> ipa_winsync_pre_ds_search_all_cb -- orig filter [%s] -- begin\n", - ((filter && *filter) ? *filter : "NULL")); + LOG("--> ipa_winsync_pre_ds_search_all_cb -- orig filter [%s] -- begin\n", + ((filter && *filter) ? *filter : "NULL")); /* We only want to grab users from the ds side - no groups */ slapi_ch_free_string(filter); @@ -167,8 +155,7 @@ ipa_winsync_pre_ds_search_all_cb(void *cbdata, const char *agmt_dn, indexed for equality only - need to add presence? */ *filter = slapi_ch_strdup("(&(objectclass=ntuser)(ntUserDomainId=*))"); - slapi_log_error(SLAPI_LOG_PLUGIN, ipa_winsync_plugin_name, - "<-- ipa_winsync_pre_ds_search_all_cb -- end\n"); + LOG("<-- ipa_winsync_pre_ds_search_all_cb -- end\n"); return; } @@ -178,14 +165,12 @@ ipa_winsync_pre_ad_mod_user_cb(void *cbdata, const Slapi_Entry *rawentry, Slapi_Entry *ad_entry, Slapi_Entry *ds_entry, Slapi_Mods *smods, int *do_modify) { - slapi_log_error(SLAPI_LOG_PLUGIN, ipa_winsync_plugin_name, - "--> ipa_winsync_pre_ad_mod_user_cb -- begin\n"); + LOG("--> ipa_winsync_pre_ad_mod_user_cb -- begin\n"); sync_acct_disable(cbdata, rawentry, ds_entry, ACCT_DISABLE_TO_AD, NULL, smods, do_modify); - slapi_log_error(SLAPI_LOG_PLUGIN, ipa_winsync_plugin_name, - "<-- ipa_winsync_pre_ad_mod_user_cb -- end\n"); + LOG("<-- ipa_winsync_pre_ad_mod_user_cb -- end\n"); return; } 
@@ -195,11 +180,9 @@ ipa_winsync_pre_ad_mod_group_cb(void *cbdata, const Slapi_Entry *rawentry, Slapi_Entry *ad_entry, Slapi_Entry *ds_entry, Slapi_Mods *smods, int *do_modify) { - slapi_log_error(SLAPI_LOG_PLUGIN, ipa_winsync_plugin_name, - "--> ipa_winsync_pre_ad_mod_group_cb -- begin\n"); + LOG("--> ipa_winsync_pre_ad_mod_group_cb -- begin\n"); - slapi_log_error(SLAPI_LOG_PLUGIN, ipa_winsync_plugin_name, - "<-- ipa_winsync_pre_ad_mod_group_cb -- end\n"); + LOG("<-- ipa_winsync_pre_ad_mod_group_cb -- end\n"); return; } @@ -209,16 +192,14 @@ ipa_winsync_pre_ds_mod_user_cb(void *cbdata, const Slapi_Entry *rawentry, Slapi_Entry *ad_entry, Slapi_Entry *ds_entry, Slapi_Mods *smods, int *do_modify) { - slapi_log_error(SLAPI_LOG_PLUGIN, ipa_winsync_plugin_name, - "--> ipa_winsync_pre_ds_mod_user_cb -- begin\n"); + LOG("--> ipa_winsync_pre_ds_mod_user_cb -- begin\n"); sync_acct_disable(cbdata, rawentry, ds_entry, ACCT_DISABLE_TO_DS, NULL, smods, do_modify); do_force_sync(rawentry, ds_entry, smods, do_modify); - slapi_log_error(SLAPI_LOG_PLUGIN, ipa_winsync_plugin_name, - "<-- ipa_winsync_pre_ds_mod_user_cb -- end\n"); + LOG("<-- ipa_winsync_pre_ds_mod_user_cb -- end\n"); return; } @@ -228,11 +209,9 @@ ipa_winsync_pre_ds_mod_group_cb(void *cbdata, const Slapi_Entry *rawentry, Slapi_Entry *ad_entry, Slapi_Entry *ds_entry, Slapi_Mods *smods, int *do_modify) { - slapi_log_error(SLAPI_LOG_PLUGIN, ipa_winsync_plugin_name, - "--> ipa_winsync_pre_ds_mod_group_cb -- begin\n"); + LOG("--> ipa_winsync_pre_ds_mod_group_cb -- begin\n"); - slapi_log_error(SLAPI_LOG_PLUGIN, ipa_winsync_plugin_name, - "<-- ipa_winsync_pre_ds_mod_group_cb -- end\n"); + LOG("<-- ipa_winsync_pre_ds_mod_group_cb -- end\n"); return; } 
@@ -247,16 +226,14 @@ ipa_winsync_pre_ds_add_user_cb(void *cbdata, const Slapi_Entry *rawentry, char *type = NULL; IPA_WinSync_Config *global_ipaconfig = ipa_winsync_get_config(); - slapi_log_error(SLAPI_LOG_PLUGIN, ipa_winsync_plugin_name, - "--> ipa_winsync_pre_ds_add_user_cb -- begin\n"); + LOG("--> ipa_winsync_pre_ds_add_user_cb -- begin\n"); if (!ipaconfig || !ipaconfig->domain_e || !ipaconfig->realm_name || !ipaconfig->homedir_prefix) { - slapi_log_error(SLAPI_LOG_FATAL, ipa_winsync_plugin_name, - "Error: configuration failure: cannot map Windows " - "entry dn [%s], DS entry dn [%s]\n", - slapi_entry_get_dn_const(ad_entry), - slapi_entry_get_dn_const(ds_entry)); + LOG_FATAL("Error: configuration failure: cannot map Windows " + "entry dn [%s], DS entry dn [%s]\n", + slapi_entry_get_dn_const(ad_entry), + slapi_entry_get_dn_const(ds_entry)); return; } @@ -278,10 +255,9 @@ ipa_winsync_pre_ds_add_user_cb(void *cbdata, const Slapi_Entry *rawentry, { if (!slapi_entry_attr_has_syntax_value(ds_entry, type, sv)) { /* attr-value sv not found in ds_entry; add it */ - slapi_log_error(SLAPI_LOG_PLUGIN, ipa_winsync_plugin_name, - "--> ipa_winsync_pre_ds_add_user_cb -- " - "adding val for [%s] to new entry [%s]\n", - type, slapi_entry_get_dn_const(ds_entry)); + LOG("--> ipa_winsync_pre_ds_add_user_cb -- " + "adding val for [%s] to new entry [%s]\n", + type, slapi_entry_get_dn_const(ds_entry)); slapi_entry_add_value(ds_entry, type, sv); } 
@@ -310,13 +286,12 @@ ipa_winsync_pre_ds_add_user_cb(void *cbdata, const Slapi_Entry *rawentry, upn = slapi_ch_smprintf("%s@%s", samAccountName, ipaconfig->realm_name); slapi_ch_free_string(&samAccountName); } else { /* fatal error - nothing to use for krbPrincipalName */ - slapi_log_error(SLAPI_LOG_FATAL, ipa_winsync_plugin_name, - "Error creating %s for realm [%s] for Windows " - "entry dn [%s], DS entry dn [%s] - Windows entry " - "has no samAccountName, and DS entry has no uid.\n", - type, ipaconfig->realm_name, - slapi_entry_get_dn_const(ad_entry), - slapi_entry_get_dn_const(ds_entry)); + LOG_FATAL("Error creating %s for realm [%s] for Windows " + "entry dn [%s], DS entry dn [%s] - Windows entry " + "has no samAccountName, and DS entry has no uid.\n", + type, ipaconfig->realm_name, + slapi_entry_get_dn_const(ad_entry), + slapi_entry_get_dn_const(ds_entry)); } if (upn) { @@ -341,13 +316,12 @@ ipa_winsync_pre_ds_add_user_cb(void *cbdata, const Slapi_Entry *rawentry, samAccountName); slapi_ch_free_string(&samAccountName); } else { /* fatal error - nothing to use for homeDirectory */ - slapi_log_error(SLAPI_LOG_FATAL, ipa_winsync_plugin_name, - "Error creating %s for realm [%s] for Windows " - "entry dn [%s], DS entry dn [%s] - Windows entry " - "has no samAccountName, and DS entry has no uid.\n", - type, ipaconfig->realm_name, - slapi_entry_get_dn_const(ad_entry), - slapi_entry_get_dn_const(ds_entry)); + LOG_FATAL("Error creating %s for realm [%s] for Windows " + "entry dn [%s], DS entry dn [%s] - Windows entry " + "has no samAccountName, and DS entry has no uid.\n", + type, ipaconfig->realm_name, + slapi_entry_get_dn_const(ad_entry), + slapi_entry_get_dn_const(ds_entry)); } if (homeDir) { 
@@ -375,8 +349,7 @@ ipa_winsync_pre_ds_add_user_cb(void *cbdata, const Slapi_Entry *rawentry, sync_acct_disable(cbdata, rawentry, ds_entry, ACCT_DISABLE_TO_DS, ds_entry, NULL, NULL); - slapi_log_error(SLAPI_LOG_PLUGIN, ipa_winsync_plugin_name, - "<-- ipa_winsync_pre_ds_add_user_cb -- end\n"); + LOG("<-- ipa_winsync_pre_ds_add_user_cb -- end\n"); return; } @@ -385,11 +358,9 @@ static void ipa_winsync_pre_ds_add_group_cb(void *cbdata, const Slapi_Entry *rawentry, Slapi_Entry *ad_entry, Slapi_Entry *ds_entry) { - slapi_log_error(SLAPI_LOG_PLUGIN, ipa_winsync_plugin_name, - "--> ipa_winsync_pre_ds_add_group_cb -- begin\n"); + LOG("--> ipa_winsync_pre_ds_add_group_cb -- begin\n"); - slapi_log_error(SLAPI_LOG_PLUGIN, ipa_winsync_plugin_name, - "<-- ipa_winsync_pre_ds_add_group_cb -- end\n"); + LOG("<-- ipa_winsync_pre_ds_add_group_cb -- end\n"); return; } @@ -403,8 +374,7 @@ ipa_winsync_get_new_ds_user_dn_cb(void *cbdata, const Slapi_Entry *rawentry, PRBool flatten = PR_TRUE; IPA_WinSync_Config *ipaconfig = ipa_winsync_get_config(); - slapi_log_error(SLAPI_LOG_PLUGIN, ipa_winsync_plugin_name, - "--> ipa_winsync_get_new_ds_user_dn_cb -- old dn [%s] -- begin\n", + LOG("--> ipa_winsync_get_new_ds_user_dn_cb -- old dn [%s] -- begin\n", *new_dn_string); slapi_lock_mutex(ipaconfig->lock); @@ -425,8 +395,7 @@ ipa_winsync_get_new_ds_user_dn_cb(void *cbdata, const Slapi_Entry *rawentry, *new_dn_string = slapi_ch_smprintf("%s,%s", rdns[0], slapi_sdn_get_dn(ds_suffix)); ldap_value_free(rdns); - slapi_log_error(SLAPI_LOG_PLUGIN, ipa_winsync_plugin_name, - "<-- ipa_winsync_get_new_ds_user_dn_cb -- new dn [%s] -- end\n", + LOG("<-- ipa_winsync_get_new_ds_user_dn_cb -- new dn [%s] -- end\n", *new_dn_string); return; 
@@ -437,11 +406,9 @@ ipa_winsync_get_new_ds_group_dn_cb(void *cbdata, const Slapi_Entry *rawentry, Slapi_Entry *ad_entry, char **new_dn_string, const Slapi_DN *ds_suffix, const Slapi_DN *ad_suffix) { - slapi_log_error(SLAPI_LOG_PLUGIN, ipa_winsync_plugin_name, - "--> ipa_winsync_get_new_ds_group_dn_cb -- begin\n"); + LOG("--> ipa_winsync_get_new_ds_group_dn_cb -- begin\n"); - slapi_log_error(SLAPI_LOG_PLUGIN, ipa_winsync_plugin_name, - "<-- ipa_winsync_get_new_ds_group_dn_cb -- end\n"); + LOG("<-- ipa_winsync_get_new_ds_group_dn_cb -- end\n"); return; } @@ -455,8 +422,7 @@ ipa_winsync_pre_ad_mod_user_mods_cb(void *cbdata, const Slapi_Entry *rawentry, { Slapi_Mods *smods; - slapi_log_error(SLAPI_LOG_PLUGIN, ipa_winsync_plugin_name, - "--> ipa_winsync_pre_ad_mod_user_mods_cb -- begin\n"); + LOG("--> ipa_winsync_pre_ad_mod_user_mods_cb -- begin\n"); /* wrap the modstosend in a Slapi_Mods for convenience */ smods = slapi_mods_new(); @@ -467,8 +433,7 @@ ipa_winsync_pre_ad_mod_user_mods_cb(void *cbdata, const Slapi_Entry *rawentry, /* convert back to LDAPMod ** and clean up */ *modstosend = slapi_mods_get_ldapmods_passout(smods); slapi_mods_free(&smods); - slapi_log_error(SLAPI_LOG_PLUGIN, ipa_winsync_plugin_name, - "<-- ipa_winsync_pre_ad_mod_user_mods_cb -- end\n"); + LOG("<-- ipa_winsync_pre_ad_mod_user_mods_cb -- end\n"); return; } @@ -480,11 +445,9 @@ ipa_winsync_pre_ad_mod_group_mods_cb(void *cbdata, const Slapi_Entry *rawentry, LDAPMod * const *origmods, Slapi_DN *remote_dn, LDAPMod ***modstosend) { - slapi_log_error(SLAPI_LOG_PLUGIN, ipa_winsync_plugin_name, - "--> ipa_winsync_pre_ad_mod_group_mods_cb -- begin\n"); + LOG("--> ipa_winsync_pre_ad_mod_group_mods_cb -- begin\n"); - slapi_log_error(SLAPI_LOG_PLUGIN, ipa_winsync_plugin_name, - "<-- ipa_winsync_pre_ad_mod_group_mods_cb -- end\n"); + LOG("<-- ipa_winsync_pre_ad_mod_group_mods_cb -- end\n"); return; } 
@@ -493,11 +456,9 @@ static int ipa_winsync_can_add_entry_to_ad_cb(void *cbdata, const Slapi_Entry *local_entry, const Slapi_DN *remote_dn) { - slapi_log_error(SLAPI_LOG_PLUGIN, ipa_winsync_plugin_name, - "--> ipa_winsync_can_add_entry_to_ad_cb -- begin\n"); + LOG("--> ipa_winsync_can_add_entry_to_ad_cb -- begin\n"); - slapi_log_error(SLAPI_LOG_PLUGIN, ipa_winsync_plugin_name, - "<-- ipa_winsync_can_add_entry_to_ad_cb -- end\n"); + LOG("<-- ipa_winsync_can_add_entry_to_ad_cb -- end\n"); return 0; /* false - do not allow entries to be added to ad */ } @@ -506,13 +467,11 @@ static void ipa_winsync_begin_update_cb(void *cbdata, const Slapi_DN *ds_subtree, const Slapi_DN *ad_subtree, int is_total) { - slapi_log_error(SLAPI_LOG_PLUGIN, ipa_winsync_plugin_name, - "--> ipa_winsync_begin_update_cb -- begin\n"); + LOG("--> ipa_winsync_begin_update_cb -- begin\n"); ipa_winsync_config_refresh_domain(cbdata, ds_subtree, ad_subtree); - slapi_log_error(SLAPI_LOG_PLUGIN, ipa_winsync_plugin_name, - "<-- ipa_winsync_begin_update_cb -- end\n"); + LOG("<-- ipa_winsync_begin_update_cb -- end\n"); return; } @@ -521,11 +480,9 @@ static void ipa_winsync_end_update_cb(void *cbdata, const Slapi_DN *ds_subtree, const Slapi_DN *ad_subtree, int is_total) { - slapi_log_error(SLAPI_LOG_PLUGIN, ipa_winsync_plugin_name, - "--> ipa_winsync_end_update_cb -- begin\n"); + LOG("--> ipa_winsync_end_update_cb -- begin\n"); - slapi_log_error(SLAPI_LOG_PLUGIN, ipa_winsync_plugin_name, - "<-- ipa_winsync_end_update_cb -- end\n"); + LOG("<-- ipa_winsync_end_update_cb -- end\n"); return; } 
@@ -534,13 +491,11 @@ static void ipa_winsync_destroy_agmt_cb(void *cbdata, const Slapi_DN *ds_subtree, const Slapi_DN *ad_subtree) { - slapi_log_error(SLAPI_LOG_PLUGIN, ipa_winsync_plugin_name, - "--> ipa_winsync_destroy_agmt_cb -- begin\n"); + LOG("--> ipa_winsync_destroy_agmt_cb -- begin\n"); ipa_winsync_config_destroy_domain(cbdata, ds_subtree, ad_subtree); - slapi_log_error(SLAPI_LOG_PLUGIN, ipa_winsync_plugin_name, - "<-- ipa_winsync_destroy_agmt_cb -- end\n"); + LOG("<-- ipa_winsync_destroy_agmt_cb -- end\n"); return; } 
@@ -600,42 +555,35 @@ ipa_winsync_plugin_start(Slapi_PBlock *pb) int rc; Slapi_Entry *config_e = NULL; /* entry containing plugin config */ - slapi_log_error(SLAPI_LOG_PLUGIN, ipa_winsync_plugin_name, - "--> ipa_winsync_plugin_start -- begin\n"); + LOG("--> ipa_winsync_plugin_start -- begin\n"); if( slapi_apib_register(WINSYNC_v1_0_GUID, ipa_winsync_api) ) { - slapi_log_error( SLAPI_LOG_FATAL, ipa_winsync_plugin_name, - "<-- ipa_winsync_plugin_start -- failed to register winsync api -- end\n"); - return -1; + LOG_FATAL("<-- ipa_winsync_plugin_start -- failed to register winsync api -- end\n"); + return -1; } if ( slapi_pblock_get( pb, SLAPI_ADD_ENTRY, &config_e ) != 0 ) { - slapi_log_error( SLAPI_LOG_FATAL, ipa_winsync_plugin_name, - "missing config entry\n" ); - return( -1 ); + LOG_FATAL("missing config entry\n" ); + return( -1 ); } if (( rc = ipa_winsync_config( config_e )) != LDAP_SUCCESS ) { - slapi_log_error( SLAPI_LOG_FATAL, ipa_winsync_plugin_name, - "configuration failed (%s)\n", ldap_err2string( rc )); - return( -1 ); + LOG_FATAL("configuration failed (%s)\n", ldap_err2string( rc )); + return( -1 ); } - slapi_log_error(SLAPI_LOG_PLUGIN, ipa_winsync_plugin_name, - "<-- ipa_winsync_plugin_start -- end\n"); - return 0; + LOG("<-- ipa_winsync_plugin_start -- end\n"); + return 0; } static int ipa_winsync_plugin_close(Slapi_PBlock *pb) { - slapi_log_error(SLAPI_LOG_PLUGIN, ipa_winsync_plugin_name, - "--> ipa_winsync_plugin_close -- begin\n"); + LOG("--> ipa_winsync_plugin_close -- begin\n"); slapi_apib_unregister(WINSYNC_v1_0_GUID); - slapi_log_error(SLAPI_LOG_PLUGIN, ipa_winsync_plugin_name, - "<-- ipa_winsync_plugin_close -- end\n"); + LOG("<-- ipa_winsync_plugin_close -- end\n"); return 0; } 
@@ -646,8 +594,7 @@ int ipa_winsync_plugin_init(Slapi_PBlock *pb) { void *plugin_id = NULL; - slapi_log_error(SLAPI_LOG_PLUGIN, ipa_winsync_plugin_name, - "--> ipa_winsync_plugin_init -- begin\n"); + LOG("--> ipa_winsync_plugin_init -- begin\n"); if ( slapi_pblock_set( pb, SLAPI_PLUGIN_VERSION, SLAPI_PLUGIN_VERSION_01 ) != 0 || @@ -658,23 +605,20 @@ int ipa_winsync_plugin_init(Slapi_PBlock *pb) slapi_pblock_set( pb, SLAPI_PLUGIN_DESCRIPTION, (void *)&ipa_winsync_pdesc ) != 0 ) { - slapi_log_error( SLAPI_LOG_FATAL, ipa_winsync_plugin_name, - "<-- ipa_winsync_plugin_init -- failed to register plugin -- end\n"); + LOG_FATAL("<-- ipa_winsync_plugin_init -- failed to register plugin -- end\n"); return -1; } /* Retrieve and save the plugin identity to later pass to internal operations */ if (slapi_pblock_get(pb, SLAPI_PLUGIN_IDENTITY, &plugin_id) != 0) { - slapi_log_error(SLAPI_LOG_FATAL, ipa_winsync_plugin_name, - "<-- ipa_winsync_plugin_init -- failed to retrieve plugin identity -- end\n"); + LOG_FATAL("<-- ipa_winsync_plugin_init -- failed to retrieve plugin identity -- end\n"); return -1; } ipa_winsync_set_plugin_identity(plugin_id); - slapi_log_error( SLAPI_LOG_PLUGIN, ipa_winsync_plugin_name, - "<-- ipa_winsync_plugin_init -- end\n"); + LOG("<-- ipa_winsync_plugin_init -- end\n"); return 0; } @@ -704,11 +648,10 @@ ipa_check_account_lock(Slapi_Entry *ds_entry, int *isvirt) rc = 0; /* account is disabled */ } slapi_ch_free_string(&strval); - slapi_log_error(SLAPI_LOG_PLUGIN, ipa_winsync_plugin_name, - "<-- ipa_check_account_lock - entry [%s] has real " - "attribute nsAccountLock and entry %s locked\n", - slapi_entry_get_dn_const(ds_entry), - rc ? "is not" : "is"); + LOG("<-- ipa_check_account_lock - entry [%s] has real " + "attribute nsAccountLock and entry %s locked\n", + slapi_entry_get_dn_const(ds_entry), + rc ? "is not" : "is"); return rc; } 
@@ -734,18 +677,16 @@ ipa_check_account_lock(Slapi_Entry *ds_entry, int *isvirt) if (values != NULL) { slapi_vattr_values_free(&values, &actual_type_name, attr_free_flags); } - slapi_log_error(SLAPI_LOG_PLUGIN, ipa_winsync_plugin_name, - "<-- ipa_check_account_lock - entry [%s] has virtual " - "attribute nsAccountLock and entry %s locked\n", - slapi_entry_get_dn_const(ds_entry), - rc ? "is not" : "is"); + LOG("<-- ipa_check_account_lock - entry [%s] has virtual " + "attribute nsAccountLock and entry %s locked\n", + slapi_entry_get_dn_const(ds_entry), + rc ? "is not" : "is"); } else { rc = 1; /* no attr == entry is enabled */ - slapi_log_error(SLAPI_LOG_PLUGIN, ipa_winsync_plugin_name, - "<-- ipa_check_account_lock - entry [%s] does not " - "have attribute nsAccountLock - entry %s locked\n", - slapi_entry_get_dn_const(ds_entry), - rc ? "is not" : "is"); + LOG("<-- ipa_check_account_lock - entry [%s] does not " + "have attribute nsAccountLock - entry %s locked\n", + slapi_entry_get_dn_const(ds_entry), + rc ? "is not" : "is"); } return rc; @@ -784,12 +725,11 @@ do_group_modify(const char *dn, const char *modtype, int modop, const char *modv slapi_pblock_destroy(mod_pb); - slapi_log_error(SLAPI_LOG_PLUGIN, ipa_winsync_plugin_name, - "<-- do_group_modify - %s value [%s] in attribute [%s] " - "in entry [%s] - result (%d: %s)\n", - (modop & LDAP_MOD_ADD) ? "added" : "deleted", - modval, modtype, dn, - rc, ldap_err2string(rc)); + LOG("<-- do_group_modify - %s value [%s] in attribute [%s] " + "in entry [%s] - result (%d: %s)\n", + (modop & LDAP_MOD_ADD) ? "added" : "deleted", + modval, modtype, dn, + rc, ldap_err2string(rc)); return rc; } 
@@ -863,12 +803,11 @@ sync_acct_disable( adval |= mask; /* set the 0x2 disable bit */ } slapi_entry_attr_set_ulong(update_entry, "userAccountControl", adval); - slapi_log_error(SLAPI_LOG_PLUGIN, ipa_winsync_plugin_name, - "<-- sync_acct_disable - %s AD account [%s] - " - "new value is [%ld]\n", - (ds_is_enabled) ? "enabled" : "disabled", - slapi_entry_get_dn_const(update_entry), - adval); + LOG("<-- sync_acct_disable - %s AD account [%s] - " + "new value is [%ld]\n", + (ds_is_enabled) ? "enabled" : "disabled", + slapi_entry_get_dn_const(update_entry), + adval); } else { /* iterate through the mods - if there is already a mod for userAccountControl, change it - otherwise, add it */ @@ -924,12 +863,11 @@ sync_acct_disable( mod_bval->bv_val = slapi_ch_strdup(acctvalstr); mod_bval->bv_len = strlen(acctvalstr); } - slapi_log_error(SLAPI_LOG_PLUGIN, ipa_winsync_plugin_name, - "<-- sync_acct_disable - %s AD account [%s] - " - "new value is [%ld]\n", - (ds_is_enabled) ? "enabled" : "disabled", - slapi_entry_get_dn_const(ad_entry), - adval); + LOG("<-- sync_acct_disable - %s AD account [%s] - " + "new value is [%ld]\n", + (ds_is_enabled) ? "enabled" : "disabled", + slapi_entry_get_dn_const(ad_entry), + adval); } } @@ -946,10 +884,9 @@ sync_acct_disable( if (update_entry) { slapi_entry_attr_set_charptr(update_entry, attrtype, attrval); - slapi_log_error(SLAPI_LOG_PLUGIN, ipa_winsync_plugin_name, - "<-- sync_acct_disable - %s DS account [%s]\n", - (ad_is_enabled) ? "enabled" : "disabled", - slapi_entry_get_dn_const(ds_entry)); + LOG("<-- sync_acct_disable - %s DS account [%s]\n", + (ad_is_enabled) ? "enabled" : "disabled", + slapi_entry_get_dn_const(ds_entry)); } else { /* do mod */ struct berval tmpbval = {0, NULL}; Slapi_Mod *smod = slapi_mod_new(); 
@@ -964,10 +901,9 @@ sync_acct_disable( slapi_mods_add_ldapmod(smods, slapi_mod_get_ldapmod_passout(smod)); slapi_mod_free(&smod); - slapi_log_error(SLAPI_LOG_PLUGIN, ipa_winsync_plugin_name, - "<-- sync_acct_disable - %s DS account [%s]\n", - (ad_is_enabled) ? "enabled" : "disabled", - slapi_entry_get_dn_const(ds_entry)); + LOG("<-- sync_acct_disable - %s DS account [%s]\n", + (ad_is_enabled) ? "enabled" : "disabled", + slapi_entry_get_dn_const(ds_entry)); if (do_modify) { *do_modify = 1; /* added mods */ } 
@@ -993,27 +929,24 @@ sync_acct_disable( } dsdn = slapi_entry_get_dn_const(ds_entry); - slapi_log_error(SLAPI_LOG_PLUGIN, ipa_winsync_plugin_name, - "<-- sync_acct_disable - %s DS account [%s] - " - "deldn [%s] adddn [%s]\n", - (ad_is_enabled) ? "enabling" : "disabling", - slapi_entry_get_dn_const(ds_entry), - deldn, adddn); + LOG("<-- sync_acct_disable - %s DS account [%s] - " + "deldn [%s] adddn [%s]\n", + (ad_is_enabled) ? "enabling" : "disabling", + slapi_entry_get_dn_const(ds_entry), + deldn, adddn); /* first, delete the user from the deldn group - ignore (but log) value not found errors - means the user wasn't there yet */ rc = do_group_modify(deldn, "member", LDAP_MOD_DELETE, dsdn); if (rc == LDAP_NO_SUCH_ATTRIBUTE) { /* either the value of the attribute doesn't exist */ - slapi_log_error(SLAPI_LOG_PLUGIN, ipa_winsync_plugin_name, - "Could not delete user [%s] from the [%s] group: " - "either the user was not in the group already, " - "or the group had no members\n", - dsdn, deldn); + LOG("Could not delete user [%s] from the [%s] group: " + "either the user was not in the group already, " + "or the group had no members\n", + dsdn, deldn); } else if (rc != LDAP_SUCCESS) { - slapi_log_error(SLAPI_LOG_FATAL, ipa_winsync_plugin_name, - "Error deleting user [%s] from the [%s] group: " - "(%d - %s)\n", dsdn, deldn, rc, - ldap_err2string(rc)); + LOG_FATAL("Error deleting user [%s] from the [%s] group: " + "(%d - %s)\n", dsdn, deldn, rc, + ldap_err2string(rc)); } /* next, add the user to the adddn group - ignore (but log) if the user is already in that group */ 
@@ -1024,15 +957,13 @@ sync_acct_disable( } if (rc == LDAP_TYPE_OR_VALUE_EXISTS) { /* user already in that group */ - slapi_log_error(SLAPI_LOG_PLUGIN, ipa_winsync_plugin_name, - "Could not add user [%s] to the [%s] group: " - "user is already in that group\n", - dsdn, adddn); + LOG("Could not add user [%s] to the [%s] group: " + "user is already in that group\n", + dsdn, adddn); } else if (rc != LDAP_SUCCESS) { - slapi_log_error(SLAPI_LOG_FATAL, ipa_winsync_plugin_name, - "Error adding user [%s] to the [%s] group: " - "(%d - %s)\n", dsdn, adddn, rc, - ldap_err2string(rc)); + LOG_FATAL("Error adding user [%s] to the [%s] group: " + "(%d - %s)\n", dsdn, adddn, rc, + ldap_err2string(rc)); } #ifndef MEMBEROF_WORKS_FOR_INTERNAL_OPS /* memberOf doesn't currently listen for internal operations @@ -1074,10 +1005,9 @@ sync_acct_disable( slapi_value_free(&sv); } #endif /* MEMBEROF_WORKS_FOR_INTERNAL_OPS */ - slapi_log_error(SLAPI_LOG_PLUGIN, ipa_winsync_plugin_name, - "<-- sync_acct_disable - %s DS account [%s]\n", - (ad_is_enabled) ? "enabled" : "disabled", - slapi_entry_get_dn_const(ds_entry)); + LOG("<-- sync_acct_disable - %s DS account [%s]\n", + (ad_is_enabled) ? "enabled" : "disabled", + slapi_entry_get_dn_const(ds_entry)); } } @@ -1125,10 +1055,9 @@ find_and_add_mod(Slapi_Entry *ent, Slapi_Mods *smods, const char *type, if (do_modify) { *do_modify = 1; /* added a mod */ } - slapi_log_error(SLAPI_LOG_PLUGIN, ipa_winsync_plugin_name, - "<-- find_and_add_mod - added value [%s] " - "to attribute [%s] in entry [%s]\n", - val, type, slapi_entry_get_dn_const(ent)); + LOG("<-- find_and_add_mod - added value [%s] " + "to attribute [%s] in entry [%s]\n", + val, type, slapi_entry_get_dn_const(ent)); } slapi_value_free(&sv); 
@@ -1165,11 +1094,10 @@ do_force_sync( return; /* not supported */ } - slapi_log_error(SLAPI_LOG_PLUGIN, ipa_winsync_plugin_name, - "do_force_sync - forcing sync of AD entry [%s] " - "with DS entry [%s]\n", - slapi_entry_get_dn_const(ad_entry), - slapi_entry_get_dn_const(ds_entry)); + LOG("do_force_sync - forcing sync of AD entry [%s] " + "with DS entry [%s]\n", + slapi_entry_get_dn_const(ad_entry), + slapi_entry_get_dn_const(ds_entry)); find_and_add_mod(ds_entry, smods, "objectClass", "ntUser", (size_t)6, do_modify); diff --git a/daemons/ipa-slapi-plugins/ipa-winsync/ipa-winsync.h b/daemons/ipa-slapi-plugins/ipa-winsync/ipa-winsync.h index 58a9a6c40e67d6be3cd92219432340d13f3ec59e..338e67cfb310e791f629c213c152553b666c1455 100644 --- a/daemons/ipa-slapi-plugins/ipa-winsync/ipa-winsync.h +++ b/daemons/ipa-slapi-plugins/ipa-winsync/ipa-winsync.h @@ -52,7 +52,9 @@ #include #endif /* WINSYNC_TEST_IPA */ -#define IPA_WINSYNC_PLUGIN_NAME "ipa-winsync" +#include "util.h" + +#define IPA_PLUGIN_NAME "ipa-winsync" typedef struct ipa_winsync_config_struct { Slapi_Mutex *lock; /* for config access */ -- 1.7.3.2 -------------- next part -------------- >From e0fc8221ed25ab9269f2263bedba5a0bd42f8a55 Mon Sep 17 00:00:00 2001 From: Jakub Hrozek Date: Thu, 4 Nov 2010 17:08:26 +0100 Subject: [PATCH 2/6] Stricter compilation flags Use a little stricter compilation flags, in particular -Wall and treat implicit function declarations as errors. --- daemons/Makefile.am | 8 ++++++++ daemons/configure.ac | 2 ++ daemons/ipa-kpasswd/Makefile.am | 1 + .../ipa-slapi-plugins/ipa-enrollment/Makefile.am | 1 + daemons/ipa-slapi-plugins/ipa-modrdn/Makefile.am | 1 + .../ipa-slapi-plugins/ipa-pwd-extop/Makefile.am | 1 + daemons/ipa-slapi-plugins/ipa-uuid/Makefile.am | 1 + daemons/ipa-slapi-plugins/ipa-version/Makefile.am | 1 + daemons/ipa-slapi-plugins/ipa-winsync/Makefile.am | 1 + ipa-client/Makefile.am | 9 +++++++++ ipa-client/configure.ac | 2 ++ 11 files changed, 28 insertions(+), 0 deletions(-) 
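Review bot: the ipa-winsync.h hunk of patch 1/6 renames IPA_WINSYNC_PLUGIN_NAME to IPA_PLUGIN_NAME and adds #include "util.h", but nothing in the patch shows where ipa_winsync_plugin_name (the identifier every removed slapi_log_error call passed) is defined, or whether any other file still uses the old macro name; please confirm the rest of the plugin still builds after the rename, and that util.h defines LOG in terms of SLAPI_LOG_PLUGIN and LOG_FATAL in terms of SLAPI_LOG_FATAL, since the whole conversion assumes that mapping and a mismatch would silently change the level of messages such as "missing config entry" and "configuration failed (%s)" in ipa_winsync_plugin_start.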
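Review bot: in the ipa_winsync_pre_ds_search_all_cb hunk of patch 1/6 the new LOG line keeps the ((filter && *filter) ? *filter : "NULL") guard, yet the unchanged lines directly below it call slapi_ch_free_string(filter) and assign *filter = slapi_ch_strdup(...) with no check at all; either filter can be NULL here, in which case those two lines crash, or it cannot and the guard is dead code. This predates the patch, but since the line is being rewritten anyway it is the right moment to make the two agree (return early when filter is NULL).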
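Review bot: the ipa_winsync_plugin_start hunk of patch 1/6 re-indents the return -1; and return( -1 ); statements next to the converted log calls, so the diff carries whitespace-only changes the commit message does not mention; keep those out of a mechanical macro conversion or call them out. While looking at this function, note (pre-existing, not introduced here) that the two error returns after a successful slapi_apib_register(WINSYNC_v1_0_GUID, ipa_winsync_api) leave the API registered, whereas ipa_winsync_plugin_close does call slapi_apib_unregister; the failure paths should unregister as well.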
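Review bot: in the ipa_winsync_get_new_ds_user_dn_cb hunk of patch 1/6 the continuation argument *new_dn_string); is left at the indentation of the old two-line slapi_log_error call in both the "begin" and "end" messages, unlike the other hunks, which re-indent the arguments under LOG(; align them for consistency.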
diff --git a/daemons/Makefile.am b/daemons/Makefile.am index 9960789a4cef414371f9b90cc78ce8e2aa59723b..7b2b9974647246cfbe02c85fd7def6776394614e 100644 --- a/daemons/Makefile.am +++ b/daemons/Makefile.am @@ -4,6 +4,14 @@ AUTOMAKE_OPTIONS = 1.7 NULL = +AM_CFLAGS = $(NULL) +if HAVE_GCC + AM_CFLAGS += -Wall -Wshadow -Wstrict-prototypes -Wpointer-arith \ + -Wcast-align -Werror-implicit-function-declaration \ + $(NULL) +endif +export AM_CFLAGS + SUBDIRS = \ ipa-kpasswd \ ipa-slapi-plugins \ diff --git a/daemons/configure.ac b/daemons/configure.ac index 53806f52d499bcb9f692d42994eebcc30a5f0955..da86557d28b2c6e1035ab85a21408f9bb0a6724f 100644 --- a/daemons/configure.ac +++ b/daemons/configure.ac @@ -16,6 +16,8 @@ AC_PROG_LIBTOOL AC_HEADER_STDC +AM_CONDITIONAL([HAVE_GCC], [test "$ac_cv_prog_gcc" = yes]) + AC_SUBST(VERSION) dnl --------------------------------------------------------------------------- diff --git a/daemons/ipa-kpasswd/Makefile.am b/daemons/ipa-kpasswd/Makefile.am index ce241ca06a67f36500309c46a3ef75b8fb39e6b2..40e8c58f06fdb3a1e86284e5e13a2deef9359a29 100644 --- a/daemons/ipa-kpasswd/Makefile.am +++ b/daemons/ipa-kpasswd/Makefile.am @@ -8,6 +8,7 @@ INCLUDES = \ -DLIBDIR=\""$(libdir)"\" \ -DLIBEXECDIR=\""$(libexecdir)"\" \ -DDATADIR=\""$(datadir)"\" \ + $(AM_CFLAGS) \ $(OPENLDAP_CFLAGS) \ $(KRB5_CFLAGS) \ $(WARN_CFLAGS) \ diff --git a/daemons/ipa-slapi-plugins/ipa-enrollment/Makefile.am b/daemons/ipa-slapi-plugins/ipa-enrollment/Makefile.am index fc3c55cca95c3aba0abf20a6f4c4e63ba80a5c4e..d041815a2693a990431e2f42d22d0ae6ad5024fa 100644 --- a/daemons/ipa-slapi-plugins/ipa-enrollment/Makefile.am +++ b/daemons/ipa-slapi-plugins/ipa-enrollment/Makefile.am @@ -11,6 +11,7 @@ INCLUDES = \ -DLIBDIR=\""$(libdir)"\" \ -DLIBEXECDIR=\""$(libexecdir)"\" \ -DDATADIR=\""$(datadir)"\" \ + $(AM_CFLAGS) \ $(MOZLDAP_CFLAGS) \ $(KRB5_CFLAGS) \ $(WARN_CFLAGS) \ 
diff --git a/daemons/ipa-slapi-plugins/ipa-modrdn/Makefile.am b/daemons/ipa-slapi-plugins/ipa-modrdn/Makefile.am index 3b0ff629730e49244433dd85f9ca6fdb6211d838..b7986874822690422f015b1d39454c2ed9995340 100644 --- a/daemons/ipa-slapi-plugins/ipa-modrdn/Makefile.am +++ b/daemons/ipa-slapi-plugins/ipa-modrdn/Makefile.am @@ -12,6 +12,7 @@ INCLUDES = \ -DLIBDIR=\""$(libdir)"\" \ -DLIBEXECDIR=\""$(libexecdir)"\" \ -DDATADIR=\""$(datadir)"\" \ + $(AM_CFLAGS) \ $(MOZLDAP_CFLAGS) \ $(WARN_CFLAGS) \ $(NULL) diff --git a/daemons/ipa-slapi-plugins/ipa-pwd-extop/Makefile.am b/daemons/ipa-slapi-plugins/ipa-pwd-extop/Makefile.am index 3577e48cc050a5d96987886b466f3b1ead71a646..6f6092d2080e97e7b2985b524145a360576f1d5c 100644 --- a/daemons/ipa-slapi-plugins/ipa-pwd-extop/Makefile.am +++ b/daemons/ipa-slapi-plugins/ipa-pwd-extop/Makefile.am @@ -11,6 +11,7 @@ INCLUDES = \ -DLIBDIR=\""$(libdir)"\" \ -DLIBEXECDIR=\""$(libexecdir)"\" \ -DDATADIR=\""$(datadir)"\" \ + $(AM_CFLAGS) \ $(MOZLDAP_CFLAGS) \ $(KRB5_CFLAGS) \ $(SSL_CFLAGS) \ diff --git a/daemons/ipa-slapi-plugins/ipa-uuid/Makefile.am b/daemons/ipa-slapi-plugins/ipa-uuid/Makefile.am index 1e5d9793779a43c0d23f34ae1dc69824af1a1c9e..7c3709b5a4d88f48e46aa67cfc054aa01e1a5599 100644 --- a/daemons/ipa-slapi-plugins/ipa-uuid/Makefile.am +++ b/daemons/ipa-slapi-plugins/ipa-uuid/Makefile.am @@ -12,6 +12,7 @@ INCLUDES = \ -DLIBDIR=\""$(libdir)"\" \ -DLIBEXECDIR=\""$(libexecdir)"\" \ -DDATADIR=\""$(datadir)"\" \ + $(AM_CFLAGS) \ $(MOZLDAP_CFLAGS) \ $(WARN_CFLAGS) \ $(NULL) diff --git a/daemons/ipa-slapi-plugins/ipa-version/Makefile.am b/daemons/ipa-slapi-plugins/ipa-version/Makefile.am index f90543ee426438820356541041c2480a5808ea95..d26a7d24eca5f4ca6de6e7906e462d165b657d14 100644 --- a/daemons/ipa-slapi-plugins/ipa-version/Makefile.am +++ b/daemons/ipa-slapi-plugins/ipa-version/Makefile.am 
@@ -13,6 +13,7 @@ INCLUDES = \ -DLIBDIR=\""$(libdir)"\" \ -DLIBEXECDIR=\""$(libexecdir)"\" \ -DDATADIR=\""$(datadir)"\" \ + $(AM_CFLAGS) \ $(MOZLDAP_CFLAGS) \ $(KRB5_CFLAGS) \ $(WARN_CFLAGS) \ diff --git a/daemons/ipa-slapi-plugins/ipa-winsync/Makefile.am b/daemons/ipa-slapi-plugins/ipa-winsync/Makefile.am index 79c37becb4bf8e62e91ce87c5333623de5421d31..82a934a220598399569e6cb9ad80c5b9e751b365 100644 --- a/daemons/ipa-slapi-plugins/ipa-winsync/Makefile.am +++ b/daemons/ipa-slapi-plugins/ipa-winsync/Makefile.am @@ -11,6 +11,7 @@ INCLUDES = \ -DLIBDIR=\""$(libdir)"\" \ -DLIBEXECDIR=\""$(libexecdir)"\" \ -DDATADIR=\""$(datadir)"\" \ + $(AM_CFLAGS) \ $(MOZLDAP_CFLAGS) \ $(WARN_CFLAGS) \ $(NULL) diff --git a/ipa-client/Makefile.am b/ipa-client/Makefile.am index 2fc45be259bc9e9793dd71c7cbe43fabb7868ad4..655a686649ae169af4bd174f21569be564d9c4ad 100644 --- a/ipa-client/Makefile.am +++ b/ipa-client/Makefile.am @@ -4,6 +4,14 @@ AUTOMAKE_OPTIONS = 1.7 NULL = +AM_CFLAGS = $(NULL) +if HAVE_GCC + AM_CFLAGS += -Wall -Wshadow -Wstrict-prototypes -Wpointer-arith \ + -Wcast-align -Werror-implicit-function-declaration \ + $(NULL) +endif +export AM_CFLAGS + INCLUDES = \ -I. \ -I$(srcdir) \ @@ -13,6 +21,7 @@ INCLUDES = \ -DLIBEXECDIR=\""$(libexecdir)"\" \ -DDATADIR=\""$(datadir)"\" \ -DLOCALEDIR=\""$(localedir)"\" \ + $(AM_CFLAGS) \ $(KRB5_CFLAGS) \ $(OPENLDAP_CFLAGS) \ $(MOZLDAP_CFLAGS) \ diff --git a/ipa-client/configure.ac b/ipa-client/configure.ac index bfa77cefafac78b66c33f159a302cf03dbe1f577..95becd352f54c4b33dd0d3e007cccadb363be52d 100644 --- a/ipa-client/configure.ac +++ b/ipa-client/configure.ac @@ -19,6 +19,8 @@ AC_DISABLE_STATIC AC_HEADER_STDC +AM_CONDITIONAL([HAVE_GCC], [test "$ac_cv_prog_gcc" = yes]) + AC_SUBST(VERSION) dnl --------------------------------------------------------------------------- -- 1.7.3.2 -------------- next part -------------- >From 6bb0c68aae485275b6acdf1dbbb8054fc1004c1d Mon Sep 17 00:00:00 2001 
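Review bot: both configure.ac hunks of patch 2/6 test "$ac_cv_prog_gcc" = yes, which is the autoconf 2.13 cache name; with autoconf 2.5x AC_PROG_CC records the result in ac_cv_c_compiler_gnu and sets the shell variable GCC, so the documented test is test "x$GCC" = xyes. If the cache variable is unset, HAVE_GCC is silently false and none of the new -Wall ... -Werror-implicit-function-declaration flags are ever applied, which defeats the patch; please verify with a configure run that the flags actually appear on the compile lines.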
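Review bot: the Makefile.am hunks of patch 2/6 add $(AM_CFLAGS) to INCLUDES in every plugin directory and in ipa-client, while the top-level Makefile.am both defines and exports AM_CFLAGS. INCLUDES is the preprocessor-flag variable (its modern name is AM_CPPFLAGS) and automake already places $(AM_CFLAGS) on every compile line, so with the export in place the warning flags are passed twice; either drop them from INCLUDES and rely on the exported AM_CFLAGS, or define AM_CFLAGS per directory instead of pushing it through the environment. Independently, -Werror-implicit-function-declaration is the flag that matters most here: an implicitly declared function is assumed to return int, which on 64-bit builds truncates pointer return values (malloc, strdup and friends) whenever a header is missing; the newer spelling -Werror=implicit-function-declaration is equivalent.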
From: Jakub Hrozek Date: Thu, 4 Nov 2010 19:29:01 +0100 Subject: [PATCH 3/6] Use internal implementation of internal Kerberos functions Don't use KRB5_PRIVATE. The patch implements and uses the following krb5 functions that are otherwise private in recent MIT Kerberos releases: * krb5_principal2salt_norealm * krb5_free_ktypes --- .../ipa-slapi-plugins/ipa-pwd-extop/Makefile.am | 4 ++ daemons/ipa-slapi-plugins/ipa-pwd-extop/ipapwd.h | 1 - .../ipa-pwd-extop/ipapwd_encoding.c | 3 +- ipa-client/Makefile.am | 5 ++ ipa-client/ipa-getkeytab.c | 10 +++-- util/ipa_krb5.c | 46 ++++++++++++++++++++ util/ipa_krb5.h | 12 +++++ 7 files changed, 75 insertions(+), 6 deletions(-) create mode 100644 util/ipa_krb5.c create mode 100644 util/ipa_krb5.h diff --git a/daemons/ipa-slapi-plugins/ipa-pwd-extop/Makefile.am b/daemons/ipa-slapi-plugins/ipa-pwd-extop/Makefile.am index 6f6092d2080e97e7b2985b524145a360576f1d5c..41d9f237850a485371a60722d8ad54e4dab133ef 100644 --- a/daemons/ipa-slapi-plugins/ipa-pwd-extop/Makefile.am +++ b/daemons/ipa-slapi-plugins/ipa-pwd-extop/Makefile.am @@ -1,11 +1,14 @@ NULL = PLUGIN_COMMON_DIR=../common +KRB5_UTIL_DIR= ../../../util +KRB5_UTIL_SRCS=$(KRB5_UTIL_DIR)/ipa_krb5.c INCLUDES = \ -I. \ -I$(srcdir) \ -I$(PLUGIN_COMMON_DIR) \ + -I$(KRB5_UTIL_DIR) \ -DPREFIX=\""$(prefix)"\" \ -DBINDIR=\""$(bindir)"\" \ -DLIBDIR=\""$(libdir)"\" \ @@ -28,6 +31,7 @@ libipa_pwd_extop_la_SOURCES = \ ipapwd_encoding.c \ ipapwd_prepost.c \ ipa_pwd_extop.c \ + $(KRB5_UTIL_SRCS) \ $(NULL) libipa_pwd_extop_la_LDFLAGS = -avoid-version diff --git a/daemons/ipa-slapi-plugins/ipa-pwd-extop/ipapwd.h b/daemons/ipa-slapi-plugins/ipa-pwd-extop/ipapwd.h index 523934ccdc46217b92b64b0f9ee57ef044b21a7c..bc521071e908cbc4f4288fcb3542372ca79e26ba 100644 --- a/daemons/ipa-slapi-plugins/ipa-pwd-extop/ipapwd.h +++ b/daemons/ipa-slapi-plugins/ipa-pwd-extop/ipapwd.h @@ -52,7 +52,6 @@ #include #include #include -#define KRB5_PRIVATE 1 #include #include #include 
diff --git a/daemons/ipa-slapi-plugins/ipa-pwd-extop/ipapwd_encoding.c b/daemons/ipa-slapi-plugins/ipa-pwd-extop/ipapwd_encoding.c index 451350163fe820d5a9ed6ff2494461ece3e7e1d8..bba6367730821900fd6dbca43b48dfa013627eac 100644 --- a/daemons/ipa-slapi-plugins/ipa-pwd-extop/ipapwd_encoding.c +++ b/daemons/ipa-slapi-plugins/ipa-pwd-extop/ipapwd_encoding.c @@ -54,6 +54,7 @@ #include "ipapwd.h" #include "util.h" +#include "ipa_krb5.h" /* krbTicketFlags */ #define KTF_DISALLOW_POSTDATED 0x00000001 @@ -341,7 +342,7 @@ static Slapi_Value **encrypt_encode_key(struct ipapwd_krbcfg *krbcfg, case KRB5_KDB_SALTTYPE_NOREALM: - krberr = krb5_principal2salt_norealm(krbctx, princ, &salt); + krberr = ipa_krb5_principal2salt_norealm(krbctx, princ, &salt); if (krberr) { LOG_FATAL("krb5_principal2salt failed [%s]\n", krb5_get_error_message(krbctx, krberr)); diff --git a/ipa-client/Makefile.am b/ipa-client/Makefile.am index 655a686649ae169af4bd174f21569be564d9c4ad..ebb9a8392585985cbf4b232e388bca575a3e1c66 100644 --- a/ipa-client/Makefile.am +++ b/ipa-client/Makefile.am @@ -12,9 +12,13 @@ if HAVE_GCC endif export AM_CFLAGS +KRB5_UTIL_DIR=../util +KRB5_UTIL_SRCS=$(KRB5_UTIL_DIR)/ipa_krb5.c + INCLUDES = \ -I. \ -I$(srcdir) \ + -I$(KRB5_UTIL_DIR) \ -DPREFIX=\""$(prefix)"\" \ -DBINDIR=\""$(bindir)"\" \ -DLIBDIR=\""$(libdir)"\" \ @@ -38,6 +42,7 @@ sbin_PROGRAMS = \ ipa_getkeytab_SOURCES = \ ipa-getkeytab.c \ + $(KRB5_UTIL_SRCS) \ $(NULL) ipa_getkeytab_LDADD = \ diff --git a/ipa-client/ipa-getkeytab.c b/ipa-client/ipa-getkeytab.c index a54c57c7e662cb558c02d9527e7214f17783423f..8588652691d54cef34259d7377c9d79750373e52 100644 --- a/ipa-client/ipa-getkeytab.c +++ b/ipa-client/ipa-getkeytab.c @@ -27,10 +27,10 @@ #include #include #include +#include #include #include #include -#define KRB5_PRIVATE 1 #include #ifdef WITH_MOZLDAP #include @@ -44,6 +44,8 @@ #include #define _(STRING) gettext(STRING) +#include "ipa_krb5.h" + /* Salt types */ #define NO_SALT -1 #define KRB5_KDB_SALTTYPE_NORMAL 0 
@@ -152,7 +154,7 @@ static int prep_ksdata(krb5_context krbctx, const char *str, ksdata[i].salttype = KRB5_KDB_SALTTYPE_NORMAL; } - krb5_free_ktypes(krbctx, ktypes); + ipa_krb5_free_ktypes(krbctx, ktypes); nkeys = i; @@ -322,7 +324,7 @@ static int create_keys(krb5_context krbctx, break; case KRB5_KDB_SALTTYPE_NOREALM: - krberr = krb5_principal2salt_norealm(krbctx, princ, &ksdata[i].salt); + krberr = ipa_krb5_principal2salt_norealm(krbctx, princ, &ksdata[i].salt); if (krberr) { fprintf(stderr, _("Failed to create key!\n")); return 0; @@ -848,7 +850,7 @@ int main(int argc, char *argv[]) } fprintf(stdout, "%s\n", enc); } - krb5_free_ktypes(krbctx, ktypes); + ipa_krb5_free_ktypes(krbctx, ktypes); exit (0); } diff --git a/util/ipa_krb5.c b/util/ipa_krb5.c new file mode 100644 index 0000000000000000000000000000000000000000..e2cf201b54f74297ed312bd166418b7049c8a8db --- /dev/null +++ b/util/ipa_krb5.c @@ -0,0 +1,46 @@ +#include +#include +#include + +#include "ipa_krb5.h" + +void +ipa_krb5_free_ktypes(krb5_context context, krb5_enctype *val) +{ + free(val); +} + +/* + * Convert a krb5_principal into the default salt for that principal. + */ +krb5_error_code +ipa_krb5_principal2salt_norealm(krb5_context context, krb5_const_principal pr, krb5_data *ret) +{ + unsigned int size = 0, offset=0; + krb5_int32 nelem; + register int i; + + if (pr == NULL) { + ret->length = 0; + ret->data = NULL; + return 0; + } + + nelem = krb5_princ_size(context, pr); + + for (i = 0; i < (int) nelem; i++) + size += krb5_princ_component(context, pr, i)->length; + + ret->length = size; + if (!(ret->data = malloc (size))) + return ENOMEM; + + for (i = 0; i < (int) nelem; i++) { + memcpy(&ret->data[offset], krb5_princ_component(context, pr, i)->data, + krb5_princ_component(context, pr, i)->length); + offset += krb5_princ_component(context, pr, i)->length; + } + return 0; +} + + 
diff --git a/util/ipa_krb5.h b/util/ipa_krb5.h new file mode 100644 index 0000000000000000000000000000000000000000..09f492ea13ec76f44e3aad5b012e3847bc9a9420 --- /dev/null +++ b/util/ipa_krb5.h @@ -0,0 +1,12 @@ +#ifndef __IPA_KRB5_H_ +#define __IPA_KRB5_H_ + +#include + +void +ipa_krb5_free_ktypes(krb5_context context, krb5_enctype *val); + +krb5_error_code +ipa_krb5_principal2salt_norealm(krb5_context context, krb5_const_principal pr, krb5_data *ret); + +#endif /* __IPA_KRB5_H_ */ -- 1.7.3.2 -------------- next part -------------- >From 91eed393b0e0313f6d03c82e6ebb9c19fd1afd86 Mon Sep 17 00:00:00 2001 From: Jakub Hrozek Date: Thu, 4 Nov 2010 19:41:12 +0100 Subject: [PATCH 4/6] Don't use deprecated ldap_bind_s ldap_bind_s is marked as deprecated in new libldap releases. --- ipa-client/ipa-getkeytab.c | 12 +++++++++++- 1 files changed, 11 insertions(+), 1 deletions(-) diff --git a/ipa-client/ipa-getkeytab.c b/ipa-client/ipa-getkeytab.c index 8588652691d54cef34259d7377c9d79750373e52..19f8b21d663de5c28bec19e282985f70fcc6197a 100644 --- a/ipa-client/ipa-getkeytab.c +++ b/ipa-client/ipa-getkeytab.c @@ -58,6 +58,10 @@ #define KEYTAB_SET_OID "2.16.840.1.113730.3.8.3.1" #define KEYTAB_RET_OID "2.16.840.1.113730.3.8.3.2" +#ifndef discard_const +#define discard_const(ptr) ((void *)((uintptr_t)(ptr))) +#endif + struct krb_key_salt { krb5_enctype enctype; krb5_int32 salttype; @@ -576,7 +580,13 @@ static int ldap_set_keytab(krb5_context krbctx, } if (binddn) { - ret = ldap_bind_s(ld, binddn, bindpw, LDAP_AUTH_SIMPLE); + struct berval bv; + + bv.bv_val = discard_const(bindpw); + bv.bv_len = strlen(bindpw); + + ret = ldap_sasl_bind_s(ld, binddn, LDAP_SASL_SIMPLE, &bv, + NULL, NULL, NULL); if (ret != LDAP_SUCCESS) { fprintf(stderr, _("Simple bind failed\n")); goto error_out; -- 1.7.3.2 -------------- next part -------------- >From 57ae09159e803cc7ae3e53755a17abbc9139d46e Mon Sep 17 00:00:00 2001 
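Review bot: in the new util/ipa_krb5.c hunk, ipa_krb5_principal2salt_norealm treats a NULL result from `malloc (size)` as ENOMEM even when `size` is 0 (a principal whose components are all empty), and malloc(0) is allowed to return NULL, so such a principal fails with a spurious out-of-memory error; handle `size == 0` the same way the `pr == NULL` branch does (`ret->length = 0; ret->data = NULL; return 0;`) before calling malloc. Minor: `register int i;` is obsolete and can be a plain `int i;`.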
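Review bot: the include guard `__IPA_KRB5_H_` in the new util/ipa_krb5.h starts with two underscores, and identifiers beginning with a double underscore are reserved for the implementation in C; `IPA_KRB5_H_` avoids a possible clash with system headers.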
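Review bot: in the ipapwd_encoding.c hunk the LOG_FATAL message still says `krb5_principal2salt failed` although the call is now ipa_krb5_principal2salt_norealm; update the string so the log line names the function that actually failed.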
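Review bot: the ldap_sasl_bind_s replacement in ldap_set_keytab (patch 4/6) dereferences `bindpw` unconditionally via `bv.bv_len = strlen(bindpw);`, whereas the removed `ldap_bind_s(ld, binddn, bindpw, LDAP_AUTH_SIMPLE)` tolerated a NULL password; since `binddn` and `bindpw` are separate popt options in this file, a `-D` without `-w` now crashes instead of failing the bind, so reject a missing bindpw with an error before the bind (or pass an empty berval). Two smaller points: `discard_const` relies on `uintptr_t`, so confirm `<stdint.h>` is among the headers included (the earlier ipa-getkeytab.c hunk adds an include whose name is not readable here), and a simple bind sends bindpw in the clear unless `ld` was already protected with TLS earlier in the function, which is outside the shown lines and worth checking.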
From: Jakub Hrozek Date: Wed, 3 Nov 2010 16:54:44 +0100 Subject: [PATCH 5/6] Silence compilation warnings in SLAPI plugins --- daemons/ipa-slapi-plugins/ipa-modrdn/ipa_modrdn.c | 27 +++++++---------- .../ipa-pwd-extop/ipa_pwd_extop.c | 2 +- .../ipa-pwd-extop/ipapwd_common.c | 32 +++++--------------- .../ipa-pwd-extop/ipapwd_encoding.c | 14 ++++++++ .../ipa-pwd-extop/ipapwd_prepost.c | 3 +- daemons/ipa-slapi-plugins/ipa-uuid/ipa_uuid.c | 21 +++++------- .../ipa-winsync/ipa-winsync-config.c | 3 +- .../ipa-slapi-plugins/ipa-winsync/ipa-winsync.c | 6 ++- .../ipa-slapi-plugins/ipa-winsync/ipa-winsync.h | 5 ++- 9 files changed, 54 insertions(+), 59 deletions(-) diff --git a/daemons/ipa-slapi-plugins/ipa-modrdn/ipa_modrdn.c b/daemons/ipa-slapi-plugins/ipa-modrdn/ipa_modrdn.c index 1e094f1d0eebb258bd9cd72450eefb09294f8598..5a0cef57311cb0b5da53315a8554d0876a2ca5f8 100644 --- a/daemons/ipa-slapi-plugins/ipa-modrdn/ipa_modrdn.c +++ b/daemons/ipa-slapi-plugins/ipa-modrdn/ipa_modrdn.c @@ -111,9 +111,9 @@ static int ipamodrdn_close(Slapi_PBlock * pb); * Local operation functions * */ -static int ipamodrdn_load_plugin_config(); +static int ipamodrdn_load_plugin_config(void); static int ipamodrdn_parse_config_entry(Slapi_Entry * e, bool apply); -static void ipamodrdn_delete_config(); +static void ipamodrdn_delete_config(void); static void ipamodrdn_free_config_entry(struct configEntry ** entry); /** @@ -135,7 +135,7 @@ static int ipamodrdn_post_op(Slapi_PBlock * pb); /** * debug functions - global, for the debugger */ -void ipamodrdn_dump_config(); +void ipamodrdn_dump_config(void); void ipamodrdn_dump_config_entry(struct configEntry *); /** 
@@ -143,17 +143,17 @@ void ipamodrdn_dump_config_entry(struct configEntry *); * Deal with cache locking * */ -void ipamodrdn_read_lock() +void ipamodrdn_read_lock(void) { PR_RWLock_Rlock(g_ipamodrdn_cache_lock); } -void ipamodrdn_write_lock() +void ipamodrdn_write_lock(void) { PR_RWLock_Wlock(g_ipamodrdn_cache_lock); } -void ipamodrdn_unlock() +void ipamodrdn_unlock(void) { PR_RWLock_Unlock(g_ipamodrdn_cache_lock); } @@ -163,7 +163,7 @@ void ipamodrdn_unlock() * Get the plug-in version * */ -int ipamodrdn_version() +int ipamodrdn_version(void) { return IPAMODRDN_PLUGIN_VERSION; } @@ -176,7 +176,7 @@ void setPluginID(void *pluginID) _PluginID = pluginID; } -void *getPluginID() +void *getPluginID(void) { return _PluginID; } @@ -186,7 +186,7 @@ void setPluginDN(char *pluginDN) _PluginDN = pluginDN; } -char *getPluginDN() +char *getPluginDN(void) { return _PluginDN; } @@ -330,12 +330,11 @@ ipamodrdn_close(Slapi_PBlock * pb) * ------ cn=etc etc */ static int -ipamodrdn_load_plugin_config() +ipamodrdn_load_plugin_config(void) { int status = EOK; int result; int i; - time_t now; Slapi_PBlock *search_pb; Slapi_Entry **entries = NULL; @@ -399,7 +398,6 @@ ipamodrdn_parse_config_entry(Slapi_Entry * e, bool apply) struct configEntry *config_entry; PRCList *list; int entry_added = 0; - int i = 0; int ret = EOK; LOG_TRACE("--in-->\n"); @@ -512,7 +510,6 @@ ipamodrdn_parse_config_entry(Slapi_Entry * e, bool apply) break; } - next: list = PR_NEXT_LINK(list); if (ipamodrdn_global_config == list) { @@ -594,7 +591,7 @@ ipamodrdn_delete_configEntry(PRCList *entry) } static void -ipamodrdn_delete_config() +ipamodrdn_delete_config(void) { PRCList *list; @@ -710,8 +707,6 @@ static int ipamodrdn_post_op(Slapi_PBlock *pb) struct slapi_entry *e = NULL; Slapi_Attr *sattr = NULL; Slapi_Attr *tattr = NULL; - char *value = NULL; - char *errstr = NULL; int ret = LDAP_SUCCESS; LOG_TRACE("--in-->\n"); 
diff --git a/daemons/ipa-slapi-plugins/ipa-pwd-extop/ipa_pwd_extop.c b/daemons/ipa-slapi-plugins/ipa-pwd-extop/ipa_pwd_extop.c index 8df766e03b0613805f6bba1cb5b4ca24dc94b471..f347eef2d11898b38274d3c76961c5d5720a4e0d 100644 --- a/daemons/ipa-slapi-plugins/ipa-pwd-extop/ipa_pwd_extop.c +++ b/daemons/ipa-slapi-plugins/ipa-pwd-extop/ipa_pwd_extop.c @@ -916,7 +916,7 @@ static int ipapwd_setkeytab(Slapi_PBlock *pb, struct ipapwd_krbcfg *krbcfg) if (ret != -1) { struct berval *bvp; - LDAPControl new_ctrl = {0}; + LDAPControl new_ctrl; ret = ber_flatten(ber, &bvp); if (ret == -1) { diff --git a/daemons/ipa-slapi-plugins/ipa-pwd-extop/ipapwd_common.c b/daemons/ipa-slapi-plugins/ipa-pwd-extop/ipapwd_common.c index 92c388a259c1caaa80779bbf005063b0fe1b48e0..99ade1211e49601bc1c977bf8d4ee4b18213d3db 100644 --- a/daemons/ipa-slapi-plugins/ipa-pwd-extop/ipapwd_common.c +++ b/daemons/ipa-slapi-plugins/ipa-pwd-extop/ipapwd_common.c @@ -535,20 +535,6 @@ static Slapi_Value *ipapwd_strip_pw_date(Slapi_Value *pw) return slapi_value_new_string(&pwstr[GENERALIZED_TIME_LENGTH]); } -/* ascii hex output of bytes in "in" - * out len is 32 (preallocated) - * in len is 16 */ -static const char hexchars[] = "0123456789ABCDEF"; -void hexbuf(char *out, const uint8_t *in) -{ - int i; - - for (i = 0; i < 16; i++) { - out[i*2] = hexchars[in[i] >> 4]; - out[i*2+1] = hexchars[in[i] & 0x0f]; - } -} - /* searches the directory and finds the policy closest to the DN */ /* return 0 on success, -1 on error or if no policy is found */ static int ipapwd_sv_pw_cmp(const void *pv1, const void *pv2) @@ -564,7 +550,7 @@ static int ipapwd_sv_pw_cmp(const void *pv1, const void *pv2) int ipapwd_entry_checks(Slapi_PBlock *pb, struct slapi_entry *e, int *is_root, int *is_krb, int *is_smb, - char *attr, int access) + char *attr, int acc) { Slapi_Value *sval; int rc; 
@@ -574,7 +560,7 @@ int ipapwd_entry_checks(Slapi_PBlock *pb, struct slapi_entry *e, if (!*is_root) { /* verify this user is allowed to write a user password */ - rc = slapi_access_allowed(pb, e, attr, NULL, access); + rc = slapi_access_allowed(pb, e, attr, NULL, acc); if (rc != LDAP_SUCCESS) { /* we have no business here, the operation will be denied anyway */ rc = LDAP_SUCCESS; @@ -932,14 +918,14 @@ int ipapwd_CheckPolicy(struct ipapwd_data *data) ret = slapi_entry_attr_find(data->target, "passwordHistory", &passwordHistory); if (ret == 0) { - int ret, hint, count, i, j; + int err, hint, count, i, j; const char *pwstr; Slapi_Value **pH; Slapi_Value *pw; hint = 0; count = 0; - ret = slapi_attr_get_numvalues(passwordHistory, &count); + err = slapi_attr_get_numvalues(passwordHistory, &count); /* check history only if we have one */ if (count > 0 && data->pwHistoryLen > 0) { pH = calloc(count + 2, sizeof(Slapi_Value *)); @@ -982,7 +968,7 @@ int ipapwd_CheckPolicy(struct ipapwd_data *data) return LDAP_OPERATIONS_ERROR; } - ret = slapi_pw_find_sv(pH, pw); + err = slapi_pw_find_sv(pH, pw); for (j = 0; pH[j]; j++) { slapi_value_free(&pH[j]); @@ -990,7 +976,7 @@ int ipapwd_CheckPolicy(struct ipapwd_data *data) slapi_value_free(&pw); free(pH); - if (ret == 0) { + if (err == 0) { LOG_TRACE("Password in history\n"); slapi_entry_free(policy); return IPAPWD_POLICY_ERROR | LDAP_PWPOLICY_PWDINHISTORY; @@ -1111,8 +1097,6 @@ int ipapwd_SetPassword(struct ipapwd_krbcfg *krbcfg, Slapi_Value **pwvals = NULL; struct tm utctime; char timestr[GENERALIZED_TIME_LENGTH+1]; - krb5_context krbctx; - krb5_error_code krberr; char *lm = NULL; char *nt = NULL; int is_smb = 0; 
@@ -1259,13 +1243,13 @@ Slapi_Value **ipapwd_setPasswordHistory(Slapi_Mods *smods, ret = slapi_entry_attr_find(data->target, "passwordHistory", &passwordHistory); if (ret == 0) { - int ret, hint, count, i, j; + int err, hint, count, i, j; const char *pwstr; Slapi_Value *pw; hint = 0; count = 0; - ret = slapi_attr_get_numvalues(passwordHistory, &count); + err = slapi_attr_get_numvalues(passwordHistory, &count); /* if we have one */ if (count > 0 && data->pwHistoryLen > 0) { pH = calloc(count + 2, sizeof(Slapi_Value *)); diff --git a/daemons/ipa-slapi-plugins/ipa-pwd-extop/ipapwd_encoding.c b/daemons/ipa-slapi-plugins/ipa-pwd-extop/ipapwd_encoding.c index bba6367730821900fd6dbca43b48dfa013627eac..6746d63b628a4d8d1169eb9202e77dc38b8be2b5 100644 --- a/daemons/ipa-slapi-plugins/ipa-pwd-extop/ipapwd_encoding.c +++ b/daemons/ipa-slapi-plugins/ipa-pwd-extop/ipapwd_encoding.c @@ -112,6 +112,20 @@ void krb5int_c_free_keyblock_contents(krb5_context context, */ +/* ascii hex output of bytes in "in" + * out len is 32 (preallocated) + * in len is 16 */ +static const char hexchars[] = "0123456789ABCDEF"; +static void hexbuf(char *out, const uint8_t *in) +{ + int i; + + for (i = 0; i < 16; i++) { + out[i*2] = hexchars[in[i] >> 4]; + out[i*2+1] = hexchars[in[i] & 0x0f]; + } +} + struct berval *encode_keys(struct ipapwd_keyset *kset) { BerElement *be = NULL; diff --git a/daemons/ipa-slapi-plugins/ipa-pwd-extop/ipapwd_prepost.c b/daemons/ipa-slapi-plugins/ipa-pwd-extop/ipapwd_prepost.c index 44b280bfd61f685ccf0a2e720648bc5b0e7d7372..281522f6a34415260278fc2377a5fd51a14d898f 100644 --- a/daemons/ipa-slapi-plugins/ipa-pwd-extop/ipapwd_prepost.c +++ b/daemons/ipa-slapi-plugins/ipa-pwd-extop/ipapwd_prepost.c @@ -41,8 +41,10 @@ # include #endif +#define _XOPEN_SOURCE /* strptime needs this */ #include #include +#include #include #include #include 
@@ -880,7 +882,6 @@ static int ipapwd_pre_bind(Slapi_PBlock *pb) Slapi_Value *value = NULL; Slapi_Attr *attr = NULL; struct tm expire_tm; - time_t expire_time; char *errMesg = "Internal operations error\n"; /* error message */ char *expire = NULL; /* passwordExpirationTime attribute value */ char *dn = NULL; /* bind DN */ diff --git a/daemons/ipa-slapi-plugins/ipa-uuid/ipa_uuid.c b/daemons/ipa-slapi-plugins/ipa-uuid/ipa_uuid.c index 1f6e5d30a53b35a21506b6fc1fc8aacf42827484..27e5e8e0786b99f0a9fbefca96f78ba77a041365 100644 --- a/daemons/ipa-slapi-plugins/ipa-uuid/ipa_uuid.c +++ b/daemons/ipa-slapi-plugins/ipa-uuid/ipa_uuid.c @@ -119,9 +119,9 @@ static int ipauuid_postop_init(Slapi_PBlock * pb); * Local operation functions * */ -static int ipauuid_load_plugin_config(); +static int ipauuid_load_plugin_config(void); static int ipauuid_parse_config_entry(Slapi_Entry * e, bool apply); -static void ipauuid_delete_config(); +static void ipauuid_delete_config(void); static void ipauuid_free_config_entry(struct configEntry ** entry); /** @@ -146,7 +146,7 @@ static int ipauuid_add_pre_op(Slapi_PBlock * pb); /** * debug functions - global, for the debugger */ -void ipauuid_dump_config(); +void ipauuid_dump_config(void); void ipauuid_dump_config_entry(struct configEntry *); /** @@ -154,17 +154,17 @@ void ipauuid_dump_config_entry(struct configEntry *); * Deal with cache locking * */ -void ipauuid_read_lock() +void ipauuid_read_lock(void) { PR_RWLock_Rlock(g_ipauuid_cache_lock); } -void ipauuid_write_lock() +void ipauuid_write_lock(void) { PR_RWLock_Wlock(g_ipauuid_cache_lock); } -void ipauuid_unlock() +void ipauuid_unlock(void) { PR_RWLock_Unlock(g_ipauuid_cache_lock); } @@ -174,7 +174,7 @@ void ipauuid_unlock() * Get the plug-in version * */ -int ipauuid_version() +int ipauuid_version(void) { return IPAUUID_PLUGIN_VERSION; } @@ -187,7 +187,7 @@ void setPluginID(void *pluginID) _PluginID = pluginID; } -void *getPluginID() +void *getPluginID(void) { return _PluginID; } 
@@ -197,7 +197,7 @@ void setPluginDN(char *pluginDN) _PluginDN = pluginDN; } -char *getPluginDN() +char *getPluginDN(void) { return _PluginDN; } @@ -404,7 +404,6 @@ ipauuid_load_plugin_config() int status = EOK; int result; int i; - time_t now; Slapi_PBlock *search_pb; Slapi_Entry **entries = NULL; @@ -468,7 +467,6 @@ ipauuid_parse_config_entry(Slapi_Entry * e, bool apply) struct configEntry *config_entry; PRCList *list; int entry_added = 0; - int i = 0; int ret = EOK; LOG_TRACE("--in-->\n"); @@ -571,7 +569,6 @@ ipauuid_parse_config_entry(Slapi_Entry * e, bool apply) break; } - next: list = PR_NEXT_LINK(list); if (ipauuid_global_config == list) { diff --git a/daemons/ipa-slapi-plugins/ipa-winsync/ipa-winsync-config.c b/daemons/ipa-slapi-plugins/ipa-winsync/ipa-winsync-config.c index 5e762bc426b46993606661a6fdd267fca38013cc..88f6df359834bf5b0e54bf029dbf4f82a584448e 100644 --- a/daemons/ipa-slapi-plugins/ipa-winsync/ipa-winsync-config.c +++ b/daemons/ipa-slapi-plugins/ipa-winsync/ipa-winsync-config.c @@ -59,7 +59,7 @@ #endif #include "ipa-winsync.h" -#include +#include "plstr.h" #define IPA_WINSYNC_CONFIG_FILTER "(objectclass=*)" @@ -542,7 +542,6 @@ ipa_winsync_apply_config (Slapi_PBlock *pb, Slapi_Entry* entryBefore, PR_snprintf(returntext, SLAPI_DSE_RETURNTEXT_SIZE, "Error: could not add value [%s] for attribute name " "[%s] - ldap error [%d: %s]", val, attrsvals[ii], - attrsvals[ii], IPA_WINSYNC_NEW_USER_ATTRS_VALS, rc, ldap_err2string(rc)); slapi_entry_free(theConfig.config_e); theConfig.config_e = NULL; diff --git a/daemons/ipa-slapi-plugins/ipa-winsync/ipa-winsync.c b/daemons/ipa-slapi-plugins/ipa-winsync/ipa-winsync.c index 4e2d534fc174657e02be1c0692de01f8745d4ba8..ecdda238f2fc1cd22be74845244e7eaecc19c43a 100644 --- a/daemons/ipa-slapi-plugins/ipa-winsync/ipa-winsync.c +++ b/daemons/ipa-slapi-plugins/ipa-winsync/ipa-winsync.c 
@@ -59,6 +59,9 @@ #endif #include "ipa-winsync.h" +#include +#include "plstr.h" + static void sync_acct_disable( void *cbdata, /* the usual domain config data */ @@ -224,7 +227,6 @@ ipa_winsync_pre_ds_add_user_cb(void *cbdata, const Slapi_Entry *rawentry, Slapi_Attr *attr = NULL; Slapi_Attr *e_attr = NULL; char *type = NULL; - IPA_WinSync_Config *global_ipaconfig = ipa_winsync_get_config(); LOG("--> ipa_winsync_pre_ds_add_user_cb -- begin\n"); @@ -544,7 +546,7 @@ void ipa_winsync_set_plugin_identity(void * identity) ipa_winsync_plugin_id=identity; } -void * ipa_winsync_get_plugin_identity() +void * ipa_winsync_get_plugin_identity(void) { return ipa_winsync_plugin_id; } diff --git a/daemons/ipa-slapi-plugins/ipa-winsync/ipa-winsync.h b/daemons/ipa-slapi-plugins/ipa-winsync/ipa-winsync.h index 338e67cfb310e791f629c213c152553b666c1455..735f65684d2f545d743cc02dc10e7eccb58f1b58 100644 --- a/daemons/ipa-slapi-plugins/ipa-winsync/ipa-winsync.h +++ b/daemons/ipa-slapi-plugins/ipa-winsync/ipa-winsync.h @@ -52,6 +52,9 @@ #include #endif /* WINSYNC_TEST_IPA */ +#include +#include + #include "util.h" #define IPA_PLUGIN_NAME "ipa-winsync" @@ -86,7 +89,7 @@ typedef struct ipa_winsync_domain_config { } IPA_WinSync_Domain_Config; void ipa_winsync_set_plugin_identity(void * identity); -void * ipa_winsync_get_plugin_identity(); +void * ipa_winsync_get_plugin_identity(void); int ipa_winsync_config( Slapi_Entry *config_e ); IPA_WinSync_Config *ipa_winsync_get_config( void ); -- 1.7.3.2 -------------- next part -------------- >From 277ee471abeb953d160098219e89894d54491ed7 Mon Sep 17 00:00:00 2001 
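Review bot: changing `LDAPControl new_ctrl = {0};` to `LDAPControl new_ctrl;` in ipapwd_setkeytab (ipa_pwd_extop.c) silences the missing-initializer warning by dropping the zero-initialisation, so any member the following code does not assign (ldctl_oid, ldctl_value, ldctl_iscritical) is now indeterminate when the control is sent; keep the zeroing with `memset(&new_ctrl, 0, sizeof(new_ctrl));` or an explicit `LDAPControl new_ctrl = { NULL, { 0, NULL }, 0 };`.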
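Review bot: `#define _XOPEN_SOURCE /* strptime needs this */` in the ipapwd_prepost.c hunk sits after an `#ifdef ... # include ... #endif` block, and feature-test macros only take effect when defined before the first system header is included, so as placed it may not expose strptime at all; it is also defined bare, which on glibc selects an old XPG level and hides later POSIX and GNU declarations. Move it to the very top of the file (before any #include) or set it through AM_CPPFLAGS, and give it a value such as 600.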
From: Jakub Hrozek Date: Fri, 5 Nov 2010 09:36:00 +0100 Subject: [PATCH 6/6] ipa-client code cleanup Fixes errors about implicit function declaration and moves duplicated gettext code into a common module. Also silences some warnings. --- ipa-client/Makefile.am | 3 ++ ipa-client/config.c | 30 ++---------------------- ipa-client/ipa-client-common.c | 48 ++++++++++++++++++++++++++++++++++++++++ ipa-client/ipa-client-common.h | 9 +++++++ ipa-client/ipa-getkeytab.c | 36 ++++------------------------- ipa-client/ipa-join.c | 13 +--------- ipa-client/ipa-rmkeytab.c | 32 ++------------------------ 7 files changed, 73 insertions(+), 98 deletions(-) create mode 100644 ipa-client/ipa-client-common.c create mode 100644 ipa-client/ipa-client-common.h diff --git a/ipa-client/Makefile.am b/ipa-client/Makefile.am index ebb9a8392585985cbf4b232e388bca575a3e1c66..7d152fbfd38391a6ab6feb2f549086f19acf8d2a 100644 --- a/ipa-client/Makefile.am +++ b/ipa-client/Makefile.am @@ -42,6 +42,7 @@ sbin_PROGRAMS = \ ipa_getkeytab_SOURCES = \ ipa-getkeytab.c \ + ipa-client-common.c \ $(KRB5_UTIL_SRCS) \ $(NULL) @@ -55,6 +56,7 @@ ipa_getkeytab_LDADD = \ ipa_rmkeytab_SOURCES = \ ipa-rmkeytab.c \ + ipa-client-common.c \ $(NULL) ipa_rmkeytab_LDADD = \ @@ -64,6 +66,7 @@ ipa_rmkeytab_LDADD = \ ipa_join_SOURCES = \ config.c \ + ipa-client-common.c \ ipa-join.c \ $(NULL) diff --git a/ipa-client/config.c b/ipa-client/config.c index 69bd9cb3398bea013928bfabc1810d21abd93524..31060e39f031b4d2586c521a9bdb167fac71fcce 100644 --- a/ipa-client/config.c +++ b/ipa-client/config.c @@ -39,8 +39,8 @@ #include #include "config.h" -#include -#define _(STRING) gettext(STRING) + +#include "ipa-client-common.h" char * read_config_file(const char *filename) @@ -88,7 +88,7 @@ read_config_file(const char *filename) char * get_config_entry(char * in_data, const char *section, const char *key) { - char *ptr, *p, *tmp; + char *ptr = NULL, *p, *tmp; char *line; int in_section = 0; char * data; 
@@ -164,27 +164,3 @@ get_config_entry(char * in_data, const char *section, const char *key) free(data); return NULL; } - -int init_gettext(void) -{ - char *c; - - c = setlocale(LC_ALL, ""); - if (!c) { - return EIO; - } - - errno = 0; - c = bindtextdomain(PACKAGE, LOCALEDIR); - if (c == NULL) { - return errno; - } - - errno = 0; - c = textdomain(PACKAGE); - if (c == NULL) { - return errno; - } - - return 0; -} diff --git a/ipa-client/ipa-client-common.c b/ipa-client/ipa-client-common.c new file mode 100644 index 0000000000000000000000000000000000000000..d7b62307840eed3d7cb30421be316bd0de7af53f --- /dev/null +++ b/ipa-client/ipa-client-common.c @@ -0,0 +1,48 @@ +/* Authors: Jakub Hrozek + * + * Copyright (C) 2010 Red Hat + * see file 'COPYING' for use and warranty information + * + * This program is free software; you can redistribute it and/or + * modify it under the terms of the GNU General Public License as + * published by the Free Software Foundation; version 2 only + * + * This program is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU General Public License for more details. + * + * You should have received a copy of the GNU General Public License + * along with this program; if not, write to the Free Software + * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA + */ + +#include +#include +#include + +#include "config.h" + +int init_gettext(void) +{ + char *c; + + c = setlocale(LC_ALL, ""); + if (!c) { + return EIO; + } + + errno = 0; + c = bindtextdomain(PACKAGE, LOCALEDIR); + if (c == NULL) { + return errno; + } + + errno = 0; + c = textdomain(PACKAGE); + if (c == NULL) { + return errno; + } + + return 0; +} diff --git a/ipa-client/ipa-client-common.h b/ipa-client/ipa-client-common.h new file mode 100644 index 0000000000000000000000000000000000000000..dbf474d526c161c9be0ae48d43a52659dc7e9f11 
--- /dev/null +++ b/ipa-client/ipa-client-common.h @@ -0,0 +1,9 @@ +#ifndef __IPA_CLIENT_COMMON_H +#define __IPA_CLIENT_COMMON_H + +#include +#define _(STRING) gettext(STRING) + +int init_gettext(void); + +#endif /* __IPA_CLIENT_COMMON_H */ diff --git a/ipa-client/ipa-getkeytab.c b/ipa-client/ipa-getkeytab.c index 19f8b21d663de5c28bec19e282985f70fcc6197a..2f9d09bf8167aa4157f3873fd15627d5b836798b 100644 --- a/ipa-client/ipa-getkeytab.c +++ b/ipa-client/ipa-getkeytab.c @@ -41,10 +41,9 @@ #include #include "config.h" -#include -#define _(STRING) gettext(STRING) #include "ipa_krb5.h" +#include "ipa-client-common.h" /* Salt types */ #define NO_SALT -1 @@ -229,7 +228,7 @@ static int prep_ksdata(krb5_context krbctx, const char *str, * MIT code do anyway */ for (i = 0, n = 0; i < nkeys; i++ ) { - int similar = 0; + krb5_boolean similar = 0; for (j = 0; j < i; j++) { krberr = krb5_c_enctype_compare(krbctx, @@ -275,7 +274,7 @@ static int create_keys(krb5_context krbctx, krb5_error_code krberr; krb5_data key_password; krb5_data *realm; - int i, j, nkeys; + int i, nkeys; int ret; ret = prep_ksdata(krbctx, enctypes_string, keys); @@ -751,31 +750,7 @@ static char *ask_password(krb5_context krbctx) return password; } -int init_gettext(void) -{ - char *c; - - c = setlocale(LC_ALL, ""); - if (!c) { - return EIO; - } - - errno = 0; - c = bindtextdomain(PACKAGE, LOCALEDIR); - if (c == NULL) { - return errno; - } - - errno = 0; - c = textdomain(PACKAGE); - if (c == NULL) { - return errno; - } - - return 0; -} - -int main(int argc, char *argv[]) +int main(int argc, const char *argv[]) { static const char *server = NULL; static const char *principal = NULL; 
@@ -805,7 +780,7 @@ int main(int argc, char *argv[]) _("Show the list of permitted encryption types and exit"), _("Permitted Encryption Types") }, { "password", 'P', POPT_ARG_NONE, &askpass, 0, - _("Asks for a non-random password to use for the principal") }, + _("Asks for a non-random password to use for the principal"), NULL }, { "binddn", 'D', POPT_ARG_STRING, &binddn, 0, _("LDAP DN"), _("DN to bind as if not using kerberos") }, { "bindpw", 'w', POPT_ARG_STRING, &bindpw, 0, @@ -821,7 +796,6 @@ int main(int argc, char *argv[]) krb5_principal uprinc; krb5_principal sprinc; krb5_error_code krberr; - ber_int_t *enctypes; struct keys_container keys; krb5_keytab kt; int kvno; diff --git a/ipa-client/ipa-join.c b/ipa-client/ipa-join.c index e67f29b810a09116519b9ef740f58ee4621cafed..01afa1ad03ab437f06bf5c0d6d9d19b32d2cca3f 100644 --- a/ipa-client/ipa-join.c +++ b/ipa-client/ipa-join.c @@ -38,8 +38,7 @@ #include "xmlrpc-c/base.h" #include "xmlrpc-c/client.h" -#include -#define _(STRING) gettext(STRING) +#include "ipa-client-common.h" #define NAME "ipa-join" #define VERSION "1.0" @@ -82,14 +81,6 @@ getIPAserver(char * data) { return get_config_entry(data, "global", "server"); } -/* Get the IPA realm from the configuration file. - * The caller is responsible for freeing this value - */ -static char * -getIPArealm(char * data) { - return get_config_entry(data, "global", "realm"); -} - /* Make sure that the keytab is writable before doing anything */ static int check_perms(const char *keytab) { @@ -951,7 +942,7 @@ cleanup: * unique (host already added). */ int -main(int argc, char **argv) { +main(int argc, const char **argv) { static const char *hostname = NULL; static const char *server = NULL; static const char *keytab = NULL; diff --git a/ipa-client/ipa-rmkeytab.c b/ipa-client/ipa-rmkeytab.c index c46bb8b6ceb9b4618122666701fff93258f1d55f..1ccf673272e254f22dd95401225db3efdb559a9f 100644 --- a/ipa-client/ipa-rmkeytab.c +++ b/ipa-client/ipa-rmkeytab.c 
@@ -25,10 +25,8 @@ #include #include +#include "ipa-client-common.h" #include "config.h" -#include -#define _(STRING) gettext(STRING) - int remove_principal(krb5_context context, krb5_keytab ktid, const char *principal, int debug) @@ -143,32 +141,8 @@ done: return rval; } -int init_gettext(void) -{ - char *c; - - c = setlocale(LC_ALL, ""); - if (!c) { - return EIO; - } - - errno = 0; - c = bindtextdomain(PACKAGE, LOCALEDIR); - if (c == NULL) { - return errno; - } - - errno = 0; - c = textdomain(PACKAGE); - if (c == NULL) { - return errno; - } - - return 0; -} - int -main(int argc, char **argv) +main(int argc, const char **argv) { krb5_context context; krb5_error_code krberr; @@ -180,7 +154,7 @@ main(int argc, char **argv) static const char *principal = NULL; static const char *realm = NULL; int debug = 0; - int ret, rval; + int ret, rval = 0; struct poptOption options[] = { { "debug", 'd', POPT_ARG_NONE, &debug, 0, _("Print debugging information"), _("Debugging output") }, -- 1.7.3.2 From jzeleny at redhat.com Mon Nov 22 18:10:20 2010 
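Review bot: init_gettext, now in ipa-client-common.c, returns `errno` when bindtextdomain or textdomain return NULL after `errno = 0`; if either returns NULL without setting errno, the function reports 0 (success) to its callers, so fall back to a fixed error such as EIO (as the setlocale branch already does) when errno is still 0.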
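Review bot: `int main(int argc, const char *argv[])` in ipa-getkeytab.c, ipa-join.c and ipa-rmkeytab.c is not one of the signatures the C standard defines for main (argv is `char *[]`); presumably it is changed to match popt's `const char **` argv, which gcc accepts, but a one-line comment saying so would stop the next warning cleanup from reverting it, or keep the standard signature and cast at the popt call.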
From: jzeleny at redhat.com (Jan =?iso-8859-15?q?Zelen=FD?=) Date: Mon, 22 Nov 2010 19:10:20 +0100 Subject: [Freeipa-devel] [PATCH] Added some fields to user object In-Reply-To: <4CEA801E.2020908@redhat.com> References: <201011221525.44652.jzeleny@redhat.com> <4CEA801E.2020908@redhat.com> Message-ID: <201011221910.21059.jzeleny@redhat.com> Adam Young wrote: > On 11/22/2010 09:25 AM, Jan Zelen? wrote: > > Some fields were missing from user object, this change adds them > > along with their l10n > > > > https://fedorahosted.org/freeipa/ticket/305 > > NACK > > Did a user-show and got this stack trace Sorry for that, left a dash there. This should be better. -- Thank you Jan Zeleny Red Hat Software Engineer Brno, Czech Republic -------------- next part -------------- A non-text attachment was scrubbed... Name: jzeleny-freeipa-0006-02-Added-some-fields-to-user-object.patch Type: text/x-patch Size: 2918 bytes Desc: not available URL: From ayoung at redhat.com Mon Nov 22 18:23:45 2010 
From: ayoung at redhat.com (Adam Young) Date: Mon, 22 Nov 2010 13:23:45 -0500 Subject: [Freeipa-devel] [PATCH] 0016 Tune directory server In-Reply-To: <4CE5D572.7080306@redhat.com> References: <20101116140958.39fa360c@willson.li.ssimo.org> <20101117162617.34313713@willson.li.ssimo.org> <4CE5D572.7080306@redhat.com> Message-ID: <4CEAB531.1010007@redhat.com> On 11/18/2010 08:40 PM, Adam Young wrote: > On 11/17/2010 04:26 PM, Simo Sorce wrote: >> On Tue, 16 Nov 2010 14:09:58 -0500 >> Simo Sorce wrote: >> >> >>> This patch bumps up the default number of files allowed by default for >>> directory server. This allows more clients and also reserves a bigger >>> number of FDs (at least according to doc) for replication agreements >>> and such things. >>> >>> Ticket 464. >>> >> Changed the patch to restore files on uninstall. Now 0016-2 depends on >> 0017 attached here too. >> >> >> Simo. >> >> >> >> >> _______________________________________________ >> Freeipa-devel mailing list >> Freeipa-devel at redhat.com >> https://www.redhat.com/mailman/listinfo/freeipa-devel > Patched 17 failed to apply. Ran using git am as well as patch -p1 > > > Here's the rej > > > > --- ipaserver/install/dsinstance.py > +++ ipaserver/install/dsinstance.py > @@ -185,6 +186,12 @@ > else: > self.suffix = None > > + if fstore: > + self.fstore = fstore > + else: > + self.fstore = sysrestore.FileStore('/var/lib/ipa/sysrestore') > + > + > def create_instance(self, ds_user, realm_name, fqdn, domain_name, > dm_password, pkcs12_info=None, > self_signed_ca=False, > idstart=1100, idmax=999999, subject_base=None, > > > > > Tried patch 16-2 and it failed, too. Here's the rej > > --- ipaserver/install/dsinstance.py > +++ ipaserver/install/dsinstance.py 
> @@ -185,10 +185,7 @@ > else: > self.suffix = None > > - if fstore: > - self.fstore = fstore > - else: > - self.fstore = sysrestore.FileStore('/var/lib/ipa/sysrestore') > + self.fstore = sysrestore.FileStore('/var/lib/ipa/sysrestore') > > > def create_instance(self, ds_user, realm_name, fqdn, domain_name, > @@ -533,6 +531,7 @@ > self.stop() > > try: > + self.fstore.restore_file("/etc/security/limits.conf") > self.fstore.restore_file("/etc/sysconfig/dirsrv") > except ValueError, error: > logging.debug(error) > > > > > > > > > _______________________________________________ > Freeipa-devel mailing list > Freeipa-devel at redhat.com > https://www.redhat.com/mailman/listinfo/freeipa-devel ACK and pushed to master -------------- next part -------------- An HTML attachment was scrubbed... URL: From ayoung at redhat.com Mon Nov 22 18:32:39 2010 
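Review bot: the two quoted .rej fragments disagree about the fstore handling in dsinstance.py: the 0017 rejection adds the `if fstore: self.fstore = fstore else: self.fstore = sysrestore.FileStore('/var/lib/ipa/sysrestore')` fallback, while the 0016-2 rejection removes that same conditional and hard-codes `self.fstore = sysrestore.FileStore('/var/lib/ipa/sysrestore')`, which would drop the injectable fstore that 0016-2 is said to depend on, so the order the two patches were generated in is worth checking. Separately, the added `self.fstore.restore_file("/etc/security/limits.conf")` in the uninstall path needs a matching backup of limits.conf at install time, which is not in the shown hunk; without it the restore fails (the surrounding `except ValueError` only logs it at debug level) and the tuned limits stay in place after uninstall.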
From: ayoung at redhat.com (Adam Young) Date: Mon, 22 Nov 2010 13:32:39 -0500 Subject: [Freeipa-devel] [PATCH] 0011 Change DNA configuration to use shared configuration In-Reply-To: <20101119150822.2c0196e6@willson.li.ssimo.org> References: <20101111195123.517010ad@willson.li.ssimo.org> <20101119150822.2c0196e6@willson.li.ssimo.org> Message-ID: <4CEAB747.9010509@redhat.com> On 11/19/2010 03:08 PM, Simo Sorce wrote: > On Thu, 11 Nov 2010 19:51:23 -0500 > Simo Sorce wrote: > > >> With this patch 2 changes are introduced. >> >> 1. idranges are unified, the --uidstart and --gidstart options are >> removed and instead --idstart and --idmax are provided at install >> time. This is a prerequisite to simplify configuration for the next >> change. >> >> 2. DNA is configured to share range configurations among multiple >> masters now. When replicas are installed an invalid range is >> configured so that they are forced to contact another peer as soon as >> someone tries to create a user/group on that master. The replica will >> get a part of the available range from the peer for its use. >> >> Simo. >> >> > Rebased on top of current master, or it would fail to apply. > > Simo. > > > > > _______________________________________________ > Freeipa-devel mailing list > Freeipa-devel at redhat.com > https://www.redhat.com/mailman/listinfo/freeipa-devel ACK and pushed to master. Note that I've just applied and built it, but did not run the code it changes. -------------- next part -------------- An HTML attachment was scrubbed... URL: From ssorce at redhat.com Mon Nov 22 18:34:57 2010
From: ssorce at redhat.com (Simo Sorce) Date: Mon, 22 Nov 2010 13:34:57 -0500 Subject: [Freeipa-devel] [PATCH] 0020 Make pkinit optional in ipa-replica-prepare Message-ID: <20101122133457.124d41d0@willson.li.ssimo.org> Fixes #527 Simo. -- Simo Sorce * Red Hat, Inc * New York -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-simo-0020-Make-pkinit-setup-optional-in-ipa-replica-prepare-to.patch Type: text/x-patch Size: 1041 bytes Desc: not available URL: From rcritten at redhat.com Mon Nov 22 18:40:40 2010 From: rcritten at redhat.com (Rob Crittenden) Date: Mon, 22 Nov 2010 13:40:40 -0500 Subject: [Freeipa-devel] [PATCH] 0020 Make pkinit optional in ipa-replica-prepare In-Reply-To: <20101122133457.124d41d0@willson.li.ssimo.org> References: <20101122133457.124d41d0@willson.li.ssimo.org> Message-ID: <4CEAB928.8030706@redhat.com> Simo Sorce wrote: > > Fixes #527 > > Simo. There is no selfsign option in ipa-replica-prepare. At best you can detect whether it is selfsigned by calling certs.ipa_self_signed() rob From sgallagh at redhat.com Mon Nov 22 19:02:15 2010 
From: sgallagh at redhat.com (Stephen Gallagher) Date: Mon, 22 Nov 2010 14:02:15 -0500 Subject: [Freeipa-devel] [SSSD] Proposed changes to the HBAC grammar In-Reply-To: <4CEAA6D8.3020809@redhat.com> References: <4CE6DEA2.2010904@redhat.com> <4CE6E78B.9090406@redhat.com> <4CEA88B7.7080503@redhat.com> <4CEA8BFE.6020806@redhat.com> <4CEAA6D8.3020809@redhat.com> Message-ID: <4CEABE37.9070902@redhat.com> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 On 11/22/2010 12:22 PM, Dmitri Pal wrote >> >> septet-of-the-month = interval 1-5 > > The septet is not used any more and should be removed, right? Yeah, I missed removing that. I've deleted it from the page now. > >> day-of-the-month-interval = interval day-of-the-month > > This should be a plain interval from 1-31 with no negatives since it is used in the M-day rule > I would argue that M-day can be just replaced with > > M-day = "day" WSP interval 1-31 > I disagree. With this construction, we can say: accessTime = periodic monthly day -1 at 0900 + 000800 (Read: on the last day of the month from 09:00 to 17:00) This would be useful for e.g. a regularly-scheduled backup task. > Keep in mind that definition of the interval here is as described below: > interval XX-YY = a comma-separated list of items from XX to YY, or dash-separated ranges. > For example, (interval 1-31) 3-7,10,12,15,25-31 with no spaces inside. > > So definition of the day-of-the-month-interval can be then removed. > Agreed. I've simplified the display of this. >> day-of-the-month-range = "between" WSP day-of-the-month WSP "and" WSP day-of-the-month >> >> day-of-the-month = "-31" to "31" > > > This notion allows me to enter "between -31 and 3" which does not make any sense. I'll clarify with "-31" to "-1" OR "0" to "31". > Also current grammar does not allow me to use ranges which I want to use here. Please explain what range you want here. I'm specifically avoiding "intervals" here because it's too complex to understand. 
Describing events with arbitrary intervals like this would be better done with the M-day approach. > I want to be able to express "Wednesday" of the first and third week of the month. Capability to do so it completely lost. Wrong. accessTime is multivalued. You just create two entries, one for the first week, one for the third week. They are additive. > We abandoned the term "septet" not because of the bad idea but because this is a confusing word. But we can leave without it as long as I can use complex intervals. > After more thinking I would like to reject idea of the negative numbers. > Instead we can do the following: > > > M-on = "on" WSP day-of-the-week WSP "during" WSP day-of-the-month-range > day-of-the-month-range = interval 1-31 / last-days > last-days = "last" WSP sequential-days > sequential-days = single number from the 1-31 range > > So if we want to say "Wednesday" of the first and third week of the month I will use: > > periodic monthly on Wed during 1-7,15-21 > > if I want to say Wednesday during last two weeks of the month I will say: > > periodic monthly on Wed during last 14 > > IMO it is cleaner and simpler and allows to express all the notions we want to express. > See above. I really don't want intervals in the M-on grammar, since it makes it extremely difficult to comprehend by mere mortals. > > >> day-of-the-week = interval 1-7 (or Mon-Sun) >> >> range-specifier = "at" WSP HHMM WSP "+" WSP duration-specifier > > What is the value and significance of the "+" here? Is it just for readability? Then I would suggest that we replace it with the word "for". > Sure, "for" is fine. >> duration-specifier = DDHHMM >> >> DD = "00" to "31" >> >> HH = "00" to "23" >> >> MM = "00" to "59" >> >> >> interval XX-YY = a comma-separated list of items from XX to YY, or dash-separated ranges. >> range = dash-separated range > > This definition seems incomplete but I do not know how to make it better... 
> >> For example, (interval 1-31) 3-7,10,12,15,25-31 with no spaces inside. > > > Thank you, > Dmitri Pal > > Sr. Engineering Manager IPA project, > Red Hat Inc. > > > ------------------------------- > Looking to carve out IT costs? > www.redhat.com/carveoutcosts/ > > _______________________________________________ > Freeipa-devel mailing list > Freeipa-devel at redhat.com > https://www.redhat.com/mailman/listinfo/freeipa-devel - -- Stephen Gallagher RHCE 804006346421761 Delivering value year after year. Red Hat ranks #1 in value among software vendors. http://www.redhat.com/promo/vendor/ -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.11 (GNU/Linux) Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org/ iEYEARECAAYFAkzqvi4ACgkQeiVVYja6o6ODqQCgm5eK3onDby9Of4arf53p8oNM GV8AoIhFQUXZNF8EiJ4d6S/BAujAHnAy =PCv6 -----END PGP SIGNATURE----- From JR.Aquino at citrix.com Mon Nov 22 19:18:42 2010 
From: JR.Aquino at citrix.com (JR Aquino) Date: Mon, 22 Nov 2010 19:18:42 +0000 Subject: [Freeipa-devel] Where we are with SUDO? In-Reply-To: <4CE5B29E.2020702@redhat.com> Message-ID: On 11/18/10 3:11 PM, "Dmitri Pal" wrote: >JR Aquino wrote: >> >> The IPA SudoRule Structure has largely been based off of what we are >>doing >> today with HBAC. >> >> HBAC does not distinguish between memberGroup or memberNetgroup... Its >> simply, memberHost and memberUser for both HBAC and IPASudoRules. >> >> Also, when HBAC or IPASudoRules add a member, there is no resulting >> 'memberOf' or (hbacMemberOf/sudoMemberOf) inserted into the usergroup, >> hostgroup, command group, etc... Whereas, if you add a host to a >> hostgroup, the host ends up with a pointer referring back to the >> hostgroup. I believe this was done to provide referential integrity. >> >> We will definitely need to modify the schema under the hood if it is >> necessary to make these shifts, but I am not sure if that sort of change >> will be effected by the way the backend treats these sorts of objects. >> >> > >Nalin is working on a solution to this. We do not need to modify schema. >Instead he is adding code to make checks on the object type and have a >way to transform the value in different ways based on this check. Excellent! I'll retest as soon as the new patch is available! >>Sudo, does not support hostgroups, it only knows about nisnetgroups. >> >> As such, either we need the backend code to translate this information >> automatically for us. >> >> Or >> >> We need to go down the path of procedurally solving this issue. >> >> For example: >> >> * Create a user + usergroup >> * Create a command + commandgroup >> * Create a host + hostgroup >> * Create a nisNetgroup with the same name as the ipaHostgroup, and add >>the >> hostgroup into the nisNetgroup... 
>> * Allow translation to occur and point everything with 1-to-1 except >>for: >> -sudocmdgroups are unknown to sudo, so the individual commands need to >>be >> broken out and listed individually in the translation. >> -sudoHost will need to point to a (shared name) that represents both an >> ipaHostgroup and an ipaNisNetgroup. >> >> We have discussed this challenge at length, and everyone agrees that >> nisNetgroups are a thing of the past, that is best forgotten. However, >>it >> is necessary to support them in the interim because sudo currently does >> not support anything else. It is an ideal to strive toward getting sudo >> to support hostgroups, and also to support sssd, but we have a long way >>to >> go to get there. >> >> >> >I was assuming that this is a procedurally solvable solution during >migration. In your case when you move to IPA you would need to transfer >data from the original data source. >1) All the netgroups that store the hosts and used in SUDO and other >places need to be migrated into IPA back end schema. As you prepare >data for migration the following reshuffling needs to be done with the >original data and the resulting LDIF should have: > a) all the hosts should be created as host entries > b) all hosts should be added to a host group - probably with the >same name as the name of the netgroup in the original data set > c) a netgroup entry with the same name is in the source data set >should be created pointing to this host group > d) memberHost attribute of the SUDO rule should then point to the >netgroup DN The Sudo Plugin currently points to the HostGroup DN. Since we must solve this issue procedurally by using the same name for the Hostgroup and nisNetgroup, I would prefer to continue to point to the HostGroup DN. This allows for the future of the plugin to remain sane after sudo natively support sssd/FreeIPA... 
I'm concerned that if we force the Sudo Piece to only look at the nisNetgroup, that it will encourage siloing to occur; the goal is to facilitate and encourage the usage of hostgroup objects throughout the framework. >This solves the issue of migrating data from the old model to the new >model. Would be nice to have some scripts in the project that would help >people to take the 2307 + SUDO schema and move to IPA. We do not have >cycles to do it ourselves and hope that something like this would be >eventually developed and contributed by the community. >2) The other question is management of SUDO data on the ongoing basis. >Until SUDO does not support host groups via a policy plugin the IPA >admins would have to wrap host groups into netgroups. Depending on size, this can be daunting... >A special wrapper >can be created for the CLI to create a netgroup out of the hostgroup or >may be it can be a flag to the hostgroup-add to automatically create a >netgroup with the same name. Something similar to what we do with >host-add and DNS. That sounds VERY promising! I wasn't aware that we had a plugin that could have triggered adds! >An alternative is to have a managed entry plugin to >automatically create a netgroup for every hostgroup in the system. This >might be even simpler. I'm not sure how I would go about coding this option... >I am open to suggestions here but hope that since this is an >optimization and we are in a bit of ramp up to the release this >functionality can be contributed soon or can be added later. I agree. We are very very close to functional and it makes sense to get over the hump while bookmarking 'optimizations' that can be revisited after the major release. -JR From ssorce at redhat.com Mon Nov 22 19:19:44 2010 
From: ssorce at redhat.com (Simo Sorce) Date: Mon, 22 Nov 2010 14:19:44 -0500 Subject: [Freeipa-devel] [PATCH] 0020 Make pkinit optional in ipa-replica-prepare In-Reply-To: <20101122133457.124d41d0@willson.li.ssimo.org> References: <20101122133457.124d41d0@willson.li.ssimo.org> Message-ID: <20101122141944.63c998ad@willson.li.ssimo.org> On Mon, 22 Nov 2010 13:34:57 -0500 Simo Sorce wrote: > > Fixes #527 > > Simo. > A copy&paste from ipa-server-install was a bit too optimistic. Attached a new patch that actually works (tested). Simo. -- Simo Sorce * Red Hat, Inc * New York -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-simo-0020-2x-Make-pkinit-setup-optional-in-ipa-replica-prepare-to.patch Type: text/x-patch Size: 1168 bytes Desc: not available URL: From rcritten at redhat.com Mon Nov 22 19:42:39 2010 
From: rcritten at redhat.com (Rob Crittenden) Date: Mon, 22 Nov 2010 14:42:39 -0500 Subject: [Freeipa-devel] [PATCH] 0011 Change DNA configuration to use shared configuration In-Reply-To: <4CEAB747.9010509@redhat.com> References: <20101111195123.517010ad@willson.li.ssimo.org> <20101119150822.2c0196e6@willson.li.ssimo.org> <4CEAB747.9010509@redhat.com> Message-ID: <4CEAC7AF.10203@redhat.com> Adam Young wrote: > On 11/19/2010 03:08 PM, Simo Sorce wrote: >> On Thu, 11 Nov 2010 19:51:23 -0500 >> Simo Sorce wrote: >> >> >>> With this patch 2 changes are introduced. >>> >>> 1. idranges are unified, the --uidstart and --gistart options are >>> removed and instead --idtsrat and --idmax are provided at install >>> time. This is a prerequisite to simplify configuration for the next >>> change. >>> >>> 2. DNA is configured to share range configurations among multiple >>> masters now. When replicas are installed an invalid range is >>> configured so that they are forced to contact another peer as soon as >>> someone tries to create a user/group on that master. The replica will >>> get a part of the available range from the peer for its use. >>> >>> Simo. >>> >>> >> Rebased on top of current master, or it would fail to apply. >> >> Simo. >> >> >> >> >> _______________________________________________ >> Freeipa-devel mailing list >> Freeipa-devel at redhat.com >> https://www.redhat.com/mailman/listinfo/freeipa-devel > ACK and pushed to master. Note that I've just applied and built it, but > did not run the code it changes. It is testing out ok for me. I installed with idstart=5000 and my first user was added with uid=5003. I created a replica and the first user there had uid=505500 rob From rcritten at redhat.com Mon Nov 22 19:47:50 2010 
From: rcritten at redhat.com (Rob Crittenden) Date: Mon, 22 Nov 2010 14:47:50 -0500 Subject: [Freeipa-devel] [PATCH] 616 handle client-install wget failure In-Reply-To: <4CEA8102.2070500@redhat.com> References: <4CE74C87.3050101@redhat.com> <20101122132720.GB21959@zeppelin.brq.redhat.com> <4CEA8102.2070500@redhat.com> Message-ID: <4CEAC8E6.4000109@redhat.com> Adam Young wrote: > On 11/22/2010 08:27 AM, Jakub Hrozek wrote: >> On Fri, Nov 19, 2010 at 11:20:23PM -0500, Rob Crittenden wrote: >>> In the client installer we fetch the CA from the IPA server. Wrap >>> this to catch any failures that might occur (like there is an >>> iptables rule denying access to the IPA server). >>> >>> I tested this by shutting down the httpd service on the IPA server >>> and running ipa-client-install on a client. >>> >>> rob >> ACK >> >> _______________________________________________ >> Freeipa-devel mailing list >> Freeipa-devel at redhat.com >> https://www.redhat.com/mailman/listinfo/freeipa-devel > Pushed to master > > _______________________________________________ > Freeipa-devel mailing list > Freeipa-devel at redhat.com > https://www.redhat.com/mailman/listinfo/freeipa-devel really pushed to master :-) rob From rcritten at redhat.com Mon Nov 22 19:55:08 2010 From: rcritten at redhat.com (Rob Crittenden) Date: Mon, 22 Nov 2010 14:55:08 -0500 Subject: [Freeipa-devel] [PATCH] don't use kerberos path Message-ID: <4CEACA9C.80602@redhat.com> I pushed this under the 1-liner rule. Don't use full pathnames for kerberos binaries, let PATH find them. Kerberos binaries may be in /usr/kerberos/*bin or /usr/*bin, let PATH sort it out. diff --git a/ipaserver/install/krbinstance.py b/ipaserver/install/krbinstance.py index 41c6878..8c22e6f 100644 --- a/ipaserver/install/krbinstance.py +++ b/ipaserver/install/krbinstance.py 
@@ -367,7 +367,7 @@ class KrbInstance(service.Service): MIN_KRB5KDC_WITH_WORKERS = "1.9" cpus = os.sysconf('SC_NPROCESSORS_ONLN') workers = False - (stdout, stderr, rc) = ipautil.run(['/usr/bin/klist', '-V'], raiseonerr=False) + (stdout, stderr, rc) = ipautil.run(['klist', '-V'], raiseonerr=False) if rc == 0: verstr = stdout.split()[-1] ver = version.LooseVersion(verstr) From ayoung at redhat.com Mon Nov 22 20:53:53 2010 From: ayoung at redhat.com (Adam Young) Date: Mon, 22 Nov 2010 15:53:53 -0500 Subject: [Freeipa-devel] [PATCH] SUDO Commands and Command Groups In-Reply-To: <4CE711DB.802@redhat.com> References: <4CE711DB.802@redhat.com> Message-ID: <4CEAD861.5020601@redhat.com> On 11/19/2010 07:10 PM, Endi Sukma Dewata wrote: > Hi, > > Please review the attached patch. It requires patch #37 (Fixed action > panel queries). Thanks! > > The SUDO Commands and Command Groups pages have been added under > SUDO Rules tab. > > Similar to HBAC navigation issue, these entities do not have their > own tab, so an exception has been added to the navigation code > to read sudo-entity parameter to determine the entity being viewed. > Fixing this issue will require framework changes. > > New test data for these operations have been added. > > > _______________________________________________ > Freeipa-devel mailing list > Freeipa-devel at redhat.com > https://www.redhat.com/mailman/listinfo/freeipa-devel ACK and pushed to master -------------- next part -------------- An HTML attachment was scrubbed... URL: From ayoung at redhat.com Mon Nov 22 20:54:40 2010 
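Review bot: replacing `'/usr/bin/klist'` with `'klist'` makes the version probe depend on whatever PATH the installer inherits from the caller; since this code runs as root during install, set a fixed PATH (or resolve the binary once against the directories the commit message itself names, /usr/kerberos/*bin and /usr/*bin) rather than trusting the environment. Also, the surrounding `if rc == 0:` means a klist that is not found at all now looks exactly like an old klist, so `workers` silently stays False; a `logging.debug` of `stderr` on the non-zero branch would make that fallback visible.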
From: ayoung at redhat.com (Adam Young) Date: Mon, 22 Nov 2010 15:54:40 -0500 Subject: [Freeipa-devel] [PATCH] Fixed action panel queries In-Reply-To: <4CE6ED2A.8070804@redhat.com> References: <4CE6ED2A.8070804@redhat.com> Message-ID: <4CEAD890.6000206@redhat.com> On 11/19/2010 04:33 PM, Endi Sukma Dewata wrote: > Hi, > > Please review the attached patch. Thanks! > > Previously the queries for action panel were done globally. Since each > entity container has its own action panel, the queries will return > multiple results. This is fixed by qualifying the query to run within > the entity container. > > The query has also been moved into ipa_facet.get_action_panel(). > Entities that do not have their own entity container (e.g. HBAC > services and service groups) will need to override this method to get > the action panel from the right entity container (e.g. HBAC rules). > > The facet.setup_views() has been renamed to facet.create_action_panel(). > New test data for SUDO rules have been added. > > > _______________________________________________ > Freeipa-devel mailing list > Freeipa-devel at redhat.com > https://www.redhat.com/mailman/listinfo/freeipa-devel ACK and pushed to master -------------- next part -------------- An HTML attachment was scrubbed... URL: From ssorce at redhat.com Mon Nov 22 20:54:53 2010 
From: ssorce at redhat.com (Simo Sorce) Date: Mon, 22 Nov 2010 15:54:53 -0500 Subject: [Freeipa-devel] [PATCH] 0020 Make pkinit optional in ipa-replica-prepare In-Reply-To: <20101122141944.63c998ad@willson.li.ssimo.org> References: <20101122133457.124d41d0@willson.li.ssimo.org> <20101122141944.63c998ad@willson.li.ssimo.org> Message-ID: <20101122155453.4b352eb0@willson.li.ssimo.org> On Mon, 22 Nov 2010 14:19:44 -0500 Simo Sorce wrote: > A copy&paste from ipa-server-install was a bit too optimistic. > Attached a new patch that actually works (tested). After some more testing I find out that ipa-replica-install was broken too. Attaching revised patch that addresses all replica installation issues I found so far related to the pkinit change. Simo. -- Simo Sorce * Red Hat, Inc * New York -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-simo-0020-3-Make-pkinit-setup-optional-in-ipa-replica-prepare-to.patch Type: text/x-patch Size: 2865 bytes Desc: not available URL: From ssorce at redhat.com Mon Nov 22 20:55:52 2010 From: ssorce at redhat.com (Simo Sorce) Date: Mon, 22 Nov 2010 15:55:52 -0500 Subject: [Freeipa-devel] [PATCH] Fix crash in modrdn plugin Message-ID: <20101122155552.03d18722@willson.li.ssimo.org> I was stupidly assigning a const string to a variable that would be freed later. Fixes bug #529 Simo. -- Simo Sorce * Red Hat, Inc * New York -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-simo-0021-Fix-modrdn-plugin-crash-bug.patch Type: text/x-patch Size: 2638 bytes Desc: not available URL: From ssorce at redhat.com Mon Nov 22 21:02:31 2010 
From: ssorce at redhat.com (Simo Sorce) Date: Mon, 22 Nov 2010 16:02:31 -0500 Subject: [Freeipa-devel] [PATCH] Fix a couple of problems in C code In-Reply-To: <20101122180049.GA15220@zeppelin.brq.redhat.com> References: <4CD8682A.40805@redhat.com> <20101118141646.GA4133@zeppelin.brq.redhat.com> <20101122115521.2d6ee79d@willson.li.ssimo.org> <20101122180049.GA15220@zeppelin.brq.redhat.com> Message-ID: <20101122160231.4f99deb3@willson.li.ssimo.org> On Mon, 22 Nov 2010 19:00:52 +0100 Jakub Hrozek wrote: > Thanks for the review! New patches are attached. > > If you're going to use interdiff or something similar, please note > that these patches were generated with different flags passed to git > format-patch, as suggested on IRC. Pushed them all to master. Simo. -- Simo Sorce * Red Hat, Inc * New York From ayoung at redhat.com Mon Nov 22 21:12:37 2010 From: ayoung at redhat.com (Adam Young) Date: Mon, 22 Nov 2010 16:12:37 -0500 Subject: [Freeipa-devel] [PATCH] SUDO Rule Search and Details Pages In-Reply-To: <4CE6B209.2080705@redhat.com> References: <4CE5E216.6000109@redhat.com> <4CE6A44B.2030903@redhat.com> <4CE6AC17.3090807@redhat.com> <4CE6B149.1020705@redhat.com> <4CE6B209.2080705@redhat.com> Message-ID: <4CEADCC5.4060003@redhat.com> On 11/19/2010 12:21 PM, Endi Sukma Dewata wrote: > On 11/19/2010 11:18 AM, Dmitri Pal wrote: >> Endi Sukma Dewata wrote: >>> On 11/19/2010 10:22 AM, Adam Young wrote: >>>> ACK. However, you will need to rebase, as Rob already made the >>>> index.html addition to ipa.spec.in >>> >>> Thanks. Rebased and pushed to master. >>> >> I suspect it is the first pass at those since the UXD spec is underway >> for the SUDO pages. > > Yes, this is based on HBAC. At least the functionality works. We can > revise the page again when the spec becomes available. > ACK and pushed to master From ssorce at redhat.com Mon Nov 22 21:14:03 2010 
From: ssorce at redhat.com (Simo Sorce) Date: Mon, 22 Nov 2010 16:14:03 -0500 Subject: [Freeipa-devel] [PATCH] Modified ipa help behavior In-Reply-To: <4CEA9B4F.80400@redhat.com> References: <201011080926.12248.jzeleny@redhat.com> <201011081054.00482.jzeleny@redhat.com> <4CDB5CA0.9020906@redhat.com> <201011151424.13468.jzeleny@redhat.com> <4CEA9B4F.80400@redhat.com> Message-ID: <20101122161403.356501ff@willson.li.ssimo.org> On Mon, 22 Nov 2010 11:33:19 -0500 Rob Crittenden wrote: > So I'm wondering if we need to re-think how we'd documenting things. > > Right now we have on the order of 178 commands. That is a LOT of man > pages even if we used some sort of automated XML system. We just need > to do the right thing before GA. > > Rather than combining the help from all the similar commands just > show the top-level and include a SEEALSO? > > So for example for: ipa help hbac > > We would just show the hbac top-level help and include a SEEALSO for > hbacsvc and hbacsvcgroup rather than including those top-level help > as well? > > Similarly for sudo. Not saying we should follow example but git seem to just fetch and popup the man page when you run a --help request. So it seem that git upstream decided to document stuff only in the manpages instead of providing contextual help. It seem an interesting option, worth discussing imo. Simo. -- Simo Sorce * Red Hat, Inc * New York From dpal at redhat.com Mon Nov 22 21:35:56 2010 
From: dpal at redhat.com (Dmitri Pal) Date: Mon, 22 Nov 2010 16:35:56 -0500 Subject: [Freeipa-devel] [SSSD] Proposed changes to the HBAC grammar In-Reply-To: <4CEABE37.9070902@redhat.com> References: <4CE6DEA2.2010904@redhat.com> <4CE6E78B.9090406@redhat.com> <4CEA88B7.7080503@redhat.com> <4CEA8BFE.6020806@redhat.com> <4CEAA6D8.3020809@redhat.com> <4CEABE37.9070902@redhat.com> Message-ID: <4CEAE23C.5070509@redhat.com> Stephen Gallagher wrote: > On 11/22/2010 12:22 PM, Dmitri Pal wrote > >> septet-of-the-month = interval 1-5 > > The septet is not used any more and should be removed, right? > > Yeah, I missed removing that. I've deleted it from the page now. > > >> day-of-the-month-interval = interval day-of-the-month > > This should be a plain interval from 1-31 with no negatives since it > is used in the M-day rule > > I would argue that M-day can be just replaced with > > > M-day = "day" WSP interval 1-31 > > > I disagree. With this construction, we can say: > > accessTime = periodic monthly day -1 at 0900 + 000800 > > (Read: on the last day of the month from 09:00 to 17:00) > > This would be useful for e.g. a regularly-scheduled backup task. > I think negative numbers are confusing and it is hard to decipher. Why we cant say "last"? it will be much cleaner. > > Keep in mind that definition of the interval here is as described > below: > > interval XX-YY = a comma-separated list of items from XX to YY, or > dash-separated ranges. > > For example, (interval 1-31) 3-7,10,12,15,25-31 with no spaces inside. > > > So definition of the day-of-the-month-interval can be then removed. > > > Agreed. I've simplified the display of this. > > >> day-of-the-month-range = "between" WSP day-of-the-month WSP "and" > WSP day-of-the-month > >> > >> day-of-the-month = "-31" to "31" > > > This notion allows me to enter "between -31 and 3" which does not > make any sense. > > I'll clarify with "-31" to "-1" OR "0" to "31". 
> > > Also current grammar does not allow me to use ranges which I want to > use here. > > Please explain what range you want here. I'm specifically avoiding > "intervals" here because it's too complex to understand. I think it is very simple: a) I want to use explicit days by number I use this: periodic monthly day 1,3,5,10-15,22 b) I want to use week days during an interval I use this: periodic monthly day on Wed, Sun during 1,3,5,10-15,22 I want to use same interval definition in both cases. > > Describing events with arbitrary intervals like this would be better > done with the M-day approach. > > > > I want to be able to express "Wednesday" of the first and third week > of the month. Capability to do so it completely lost. > > Wrong. accessTime is multivalued. You just create two entries, one for > the first week, one for the third week. They are additive. Yes you can but I think it is not an acceptable solution. I should be able to express it in one rule. > > > We abandoned the term "septet" not because of the bad idea but > because this is a confusing word. But we can leave without it as long > as I can use complex intervals. > > After more thinking I would like to reject idea of the negative numbers. > > Instead we can do the following: > > > > M-on = "on" WSP day-of-the-week WSP "during" WSP day-of-the-month-range > > day-of-the-month-range = interval 1-31 / last-days > > last-days = "last" WSP sequential-days > > sequential-days = single number from the 1-31 range > > > So if we want to say "Wednesday" of the first and third week of the > month I will use: > > > periodic monthly on Wed during 1-7,15-21 > > > if I want to say Wednesday during last two weeks of the month I will > say: > > > periodic monthly on Wed during last 14 > > > IMO it is cleaner and simpler and allows to express all the notions > we want to express. > > > See above. 
I really don't want intervals in the M-on grammar, since it > makes it extremely difficult to comprehend by mere mortals. And I really want them there. > > > >> day-of-the-week = interval 1-7 (or Mon-Sun) > >> > >> range-specifier = "at" WSP HHMM WSP "+" WSP duration-specifier > > What is the value and significance of the "+" here? Is it just for > readability? Then I would suggest that we replace it with the word "for". > > > Sure, "for" is fine. > > >> duration-specifier = DDHHMM > >> > >> DD = "00" to "31" > >> > >> HH = "00" to "23" > >> > >> MM = "00" to "59" > >> > >> > >> interval XX-YY = a comma-separated list of items from XX to YY, or > dash-separated ranges. > >> range = dash-separated range > > This definition seems incomplete but I do not know how to make it > better... > > >> For example, (interval 1-31) 3-7,10,12,15,25-31 with no spaces inside. > > > Thank you, > > Dmitri Pal > > > Sr. Engineering Manager IPA project, > > Red Hat Inc. > > > > ------------------------------- > > Looking to carve out IT costs? > > www.redhat.com/carveoutcosts/ > > > _______________________________________________ > > Freeipa-devel mailing list > > Freeipa-devel at redhat.com > > https://www.redhat.com/mailman/listinfo/freeipa-devel > > _______________________________________________ sssd-devel mailing list sssd-devel at lists.fedorahosted.org https://fedorahosted.org/mailman/listinfo/sssd-devel -- Thank you, Dmitri Pal Sr. Engineering Manager IPA project, Red Hat Inc. ------------------------------- Looking to carve out IT costs? www.redhat.com/carveoutcosts/ From jeffschroeder at computer.org Mon Nov 22 21:49:22 2010 
From: jeffschroeder at computer.org (Jeff Schroeder)
Date: Mon, 22 Nov 2010 13:49:22 -0800
Subject: [Freeipa-devel] [SSSD] Proposed changes to the HBAC grammar
In-Reply-To: <4CEAE23C.5070509@redhat.com>
References: <4CE6DEA2.2010904@redhat.com> <4CE6E78B.9090406@redhat.com> <4CEA88B7.7080503@redhat.com> <4CEA8BFE.6020806@redhat.com> <4CEAA6D8.3020809@redhat.com> <4CEABE37.9070902@redhat.com> <4CEAE23C.5070509@redhat.com>
Message-ID:

On Mon, Nov 22, 2010 at 1:35 PM, Dmitri Pal wrote:
> Stephen Gallagher wrote:
>> On 11/22/2010 12:22 PM, Dmitri Pal wrote
>>
>>>> septet-of-the-month = interval 1-5
>>> The septet is not used any more and should be removed, right?
>>
>> Yeah, I missed removing that. I've deleted it from the page now.
>>
>>>> day-of-the-month-interval = interval day-of-the-month
>>> This should be a plain interval from 1-31 with no negatives since it
>>> is used in the M-day rule
>>> I would argue that M-day can be just replaced with
>>>
>>> M-day = "day" WSP interval 1-31
>>
>> I disagree. With this construction, we can say:
>>
>> accessTime = periodic monthly day -1 at 0900 + 000800
>>
>> (Read: on the last day of the month from 09:00 to 17:00)
>>
>> This would be useful for e.g. a regularly-scheduled backup task.
>
> I think negative numbers are confusing and it is hard to decipher.
> Why can't we say "last"? It will be much cleaner.

As a user, I disagree. While a "last" statement makes sense, a negative
number makes perfect sense as well. In fact, a negative number is easier
to feed to various scripts and whatnot. I'd actually prefer -1 to denote
the last day of the month or whatnot over last.

>>> Keep in mind that definition of the interval here is as described
>>> below:
>>> interval XX-YY = a comma-separated list of items from XX to YY, or
>>> dash-separated ranges.
>>> For example, (interval 1-31) 3-7,10,12,15,25-31 with no spaces inside.
>>>
>>> So definition of the day-of-the-month-interval can be then removed.
>>
>> Agreed. I've simplified the display of this.
>>
>>>> day-of-the-month-range = "between" WSP day-of-the-month WSP "and"
>>>> WSP day-of-the-month
>>>>
>>>> day-of-the-month = "-31" to "31"
>>> This notion allows me to enter "between -31 and 3" which does not
>>> make any sense.
>>
>> I'll clarify with "-31" to "-1" OR "0" to "31".
>>
>>> Also current grammar does not allow me to use ranges which I want to
>>> use here.
>>
>> Please explain what range you want here. I'm specifically avoiding
>> "intervals" here because it's too complex to understand.
>
> I think it is very simple:
>
> a) I want to use explicit days by number I use this:
> periodic monthly day 1,3,5,10-15,22
> b) I want to use week days during an interval I use this:
> periodic monthly day on Wed, Sun during 1,3,5,10-15,22
>
> I want to use same interval definition in both cases.
>
>> Describing events with arbitrary intervals like this would be better
>> done with the M-day approach.
>>
>>> I want to be able to express "Wednesday" of the first and third week
>>> of the month. Capability to do so is completely lost.
>>
>> Wrong. accessTime is multivalued. You just create two entries, one for
>> the first week, one for the third week. They are additive.
>
> Yes you can but I think it is not an acceptable solution. I should be
> able to express it in one rule.

While this would be nice, does it really matter? Smaller rules are easier
to understand. Keep in mind that the more chances you give admins to
misconfigure things through really hairy rules, the more they will
misconfigure things.

>>> We abandoned the term "septet" not because of the bad idea but
>>> because this is a confusing word. But we can live without it as long
>>> as I can use complex intervals.
>>> After more thinking I would like to reject the idea of negative numbers.
>>> Instead we can do the following:
>>>
>>> M-on = "on" WSP day-of-the-week WSP "during" WSP day-of-the-month-range
>>> day-of-the-month-range = interval 1-31 / last-days
>>> last-days = "last" WSP sequential-days
>>> sequential-days = single number from the 1-31 range
>>>
>>> So if we want to say "Wednesday" of the first and third week of the
>>> month I will use:
>>>
>>> periodic monthly on Wed during 1-7,15-21
>>>
>>> if I want to say Wednesday during last two weeks of the month I will
>>> say:
>>>
>>> periodic monthly on Wed during last 14
>>>
>>> IMO it is cleaner and simpler and allows us to express all the notions
>>> we want to express.
>>
>> See above. I really don't want intervals in the M-on grammar, since it
>> makes it extremely difficult to comprehend by mere mortals.
>
> And I really want them there.

Why? What technical argument necessitates this? I'm inclined to agree with
Stephen here. He has a good point.

>>>> day-of-the-week = interval 1-7 (or Mon-Sun)
>>>>
>>>> range-specifier = "at" WSP HHMM WSP "+" WSP duration-specifier
>>> What is the value and significance of the "+" here? Is it just for
>>> readability? Then I would suggest that we replace it with the word "for".
>>
>> Sure, "for" is fine.
>>
>>>> duration-specifier = DDHHMM
>>>>
>>>> DD = "00" to "31"
>>>>
>>>> HH = "00" to "23"
>>>>
>>>> MM = "00" to "59"
>>>>
>>>> interval XX-YY = a comma-separated list of items from XX to YY, or
>>>> dash-separated ranges.
>>>> range = dash-separated range
>>> This definition seems incomplete but I do not know how to make it
>>> better...
>>>
>>>> For example, (interval 1-31) 3-7,10,12,15,25-31 with no spaces inside.
>>>
>>> Thank you,
>>> Dmitri Pal
>>>
>>> Sr. Engineering Manager IPA project,
>>> Red Hat Inc.
>>>
>>> _______________________________________________
>>> Freeipa-devel mailing list
>>> Freeipa-devel at redhat.com
>>> https://www.redhat.com/mailman/listinfo/freeipa-devel
>
> _______________________________________________
> sssd-devel mailing list
> sssd-devel at lists.fedorahosted.org
> https://fedorahosted.org/mailman/listinfo/sssd-devel
>
> --
> Thank you,
> Dmitri Pal
>
> Sr. Engineering Manager IPA project,
> Red Hat Inc.

--
Jeff Schroeder

Don't drink and derive, alcohol and analysis don't mix.
http://www.digitalprognosis.com

From dpal at redhat.com Mon Nov 22 22:01:37 2010
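The interval notation and the M-day / M-on rule forms argued over in this thread, as an added example (not code from the SSSD or FreeIPA projects): a small Python parser and evaluator that expands `interval XX-YY` lists, rejects spaces and negative numbers as the thread's final position requires, and decides whether a given instant falls inside a `periodic monthly ... at HHMM for DDHHMM` window, including windows that cross a month boundary. The exact rule shape (with "for" in place of "+") and all function names are assumptions, since the grammar was still unsettled when the thread was written.

```python
import calendar
import datetime as dt
import re

# Weekday names the grammar accepts (day-of-the-week = interval 1-7 or Mon-Sun).
DOW = {"Mon": 1, "Tue": 2, "Wed": 3, "Thu": 4, "Fri": 5, "Sat": 6, "Sun": 7}

# Assumed rule shape: the M-day and M-on forms from the thread, with "for"
# (as agreed there) instead of "+" in front of the DDHHMM duration.
RULE = re.compile(
    r"periodic monthly (?:day (?P<days>\S+)|on (?P<dow>\S+) during "
    r"(?:(?P<range>[\d,-]+)|last (?P<last>\d+))) at (?P<hhmm>\d{4}) for (?P<dur>\d{6})"
)


def parse_interval(text, lo, hi):
    """Expand 'interval lo-hi' (e.g. 3-7,10,12,15,25-31) into a set of ints."""
    # Items or dash ranges only: no spaces, no negatives, nothing outside lo-hi.
    if not re.fullmatch(r"\d+(?:-\d+)?(?:,\d+(?:-\d+)?)*", text):
        raise ValueError("malformed interval: %r" % text)
    values = set()
    for item in text.split(","):
        first, _, last = item.partition("-")
        a, b = int(first), int(last or first)
        if not lo <= a <= b <= hi:
            raise ValueError("%r is outside %d-%d" % (item, lo, hi))
        values.update(range(a, b + 1))
    return values


def rejects(text, lo=1, hi=31):
    """True if parse_interval refuses `text`; exercises the validation paths."""
    try:
        parse_interval(text, lo, hi)
    except ValueError:
        return True
    return False


def parse_rule(rule):
    """Turn one accessTime value into a dict of validated components."""
    m = RULE.fullmatch(rule.strip())
    if not m:
        raise ValueError("unparseable rule: %r" % rule)
    g, spec = m.groupdict(), {}
    if g["days"] is not None:  # M-day form: explicit days of the month
        spec["days"] = parse_interval(g["days"], 1, 31)
    else:  # M-on form: weekdays during a day range or the last N days
        names = g["dow"].split(",")
        if all(n in DOW for n in names):
            spec["dow"] = {DOW[n] for n in names}
        else:
            spec["dow"] = parse_interval(g["dow"], 1, 7)
        if g["last"] is not None:
            spec["last"] = int(g["last"])
            if not 1 <= spec["last"] <= 31:
                raise ValueError("last-days must be a single number 1-31")
        else:
            spec["range"] = parse_interval(g["range"], 1, 31)
    hh, mm = int(g["hhmm"][:2]), int(g["hhmm"][2:])
    dd, dh, dm = int(g["dur"][:2]), int(g["dur"][2:4]), int(g["dur"][4:])
    if hh > 23 or mm > 59 or dh > 23 or dm > 59:
        raise ValueError("HH must be 00-23 and MM 00-59")
    spec["start"] = dt.time(hh, mm)
    spec["duration"] = dt.timedelta(days=dd, hours=dh, minutes=dm)
    return spec


def start_days(spec, year, month):
    """Days of the given month on which a window of `spec` begins."""
    ndays = calendar.monthrange(year, month)[1]
    days = set()
    for day in range(1, ndays + 1):
        if "days" in spec:
            ok = day in spec["days"]
        elif dt.date(year, month, day).isoweekday() not in spec["dow"]:
            ok = False  # isoweekday: Mon=1 .. Sun=7, same numbering as the grammar
        elif "last" in spec:
            ok = day > ndays - spec["last"]  # "last 14" = the final 14 days
        else:
            ok = day in spec["range"]
        if ok:
            days.add(day)
    return days


def matches(rule, when):
    """True if `when` (naive datetime or ISO string) lies inside a window of `rule`."""
    spec = parse_rule(rule)
    if isinstance(when, str):
        when = dt.datetime.fromisoformat(when)
    # A DDHHMM window may cross a month boundary: check last month's starts too.
    prev = when.replace(day=1) - dt.timedelta(days=1)
    for year, month in ((prev.year, prev.month), (when.year, when.month)):
        for day in start_days(spec, year, month):
            start = dt.datetime.combine(dt.date(year, month, day), spec["start"])
            if start <= when < start + spec["duration"]:
                return True
    return False
```

Calling `matches("periodic monthly on Wed during 1-7,15-21 at 0900 for 000800", "2010-11-17T10:00")` returns True (17 Nov 2010 was a Wednesday in the 15-21 range), while the same instant at 17:00 is outside the eight-hour window and returns False.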
From: dpal at redhat.com (Dmitri Pal)
Date: Mon, 22 Nov 2010 17:01:37 -0500
Subject: [Freeipa-devel] [SSSD] Proposed changes to the HBAC grammar
In-Reply-To:
References: <4CE6DEA2.2010904@redhat.com> <4CE6E78B.9090406@redhat.com> <4CEA88B7.7080503@redhat.com> <4CEA8BFE.6020806@redhat.com> <4CEAA6D8.3020809@redhat.com> <4CEABE37.9070902@redhat.com> <4CEAE23C.5070509@redhat.com>
Message-ID: <4CEAE841.9090504@redhat.com>

>>>> periodic monthly on Wed during last 14
>>>>
>>>> IMO it is cleaner and simpler and allows us to express all the notions
>>>> we want to express.
>>>
>>> See above. I really don't want intervals in the M-on grammar, since it
>>> makes it extremely difficult to comprehend by mere mortals.
>>>
>> And I really want them there.
>
> Why? What technical argument necessitates this? I'm inclined to agree
> with Stephen here. He has a good point.

Consistency, same pattern, same construct so less code... Those are pretty
significant arguments for me. There are a couple of other things that came
from a discussion with UXD which I will describe in a different thread.

--
Thank you,
Dmitri Pal

Sr. Engineering Manager IPA project,
Red Hat Inc.

From dpal at redhat.com Tue Nov 23 03:54:35 2010
From: dpal at redhat.com (Dmitri Pal)
Date: Mon, 22 Nov 2010 22:54:35 -0500
Subject: [Freeipa-devel] Other issues with HBAC calendar
Message-ID: <4CEB3AFB.7000605@redhat.com>

Hi,

During the conversation with Ben and Kyle today over the calendar screen two things came up:
1) Time zone
2) Duration

Time zone

It makes perfect sense to allow the admin to enter the rule and specify the time zone that the admin used to enter the time. Internally it will be converted to UTC, but for the purpose of easier rule creation specifying the time zone is helpful. Our grammar right now does not allow saving the zone since we plan to convert time to UTC; however, when the value is fetched from the LDAP and presented for editing it is unclear which time zone it was entered in.

Also there are two approaches to dealing with time zone information in general. Imagine you have a drop down with time zones. Imagine you entered a time and then change the selected time zone in the drop down. Should the time you entered be automatically adjusted? The first approach says "yes", but that means that we will have to implement a complex time recalculator since in corner cases the time difference between the time zones will affect the starting. The second option is to say: the time zone is just a specifier for the whole time rule indicating that the time values were entered in the given time zone. Then when you change the value of the time zone you do not recalculate anything. With the right UI structure this can be made more obvious. However, when the value is fetched from the LDAP and displayed it might be useful to recalculate, so I see two options for how we can deal with the time zones.

a) Do not save the time zone but recalculate the time (and date ???) when you change the time zone in the drop down, both in add and edit cases. When you fetch and display, always use UTC but allow the admin to change the "timezone view" at his will.
b) Save the time zone in the rule. As Simo pointed out, time zone definitions change from time to time, so it makes sense to actually save the offset and the time zone as an additional hint. This way we can easily convert the time stamp into the specified time zone and back at save and retrieval with no need to implement complex logic in the UI.

IMO the second option is simpler but requires yet another change to the grammar. I suggest we add offset and time zone as optional fields somewhere at the end of the rule or after the start time.

Duration

The new grammar allows DDHHMM for the duration. UI proposes to limit the duration to less than 24 hours since windows of more than 24 hours can start overlapping, and thus allowing duration days to be entered was confusing to the users who tried the UI. We need to reconcile this a bit between what can be stored and what can be displayed. IMO it makes sense to allow windows of more than 24 hours (a regular service window over the weekend, for example). But on the other hand I see how having a separate field for the number of duration days in the UI might be confusing. I would vote for not having days in the UI at all but allowing any numeric value to be entered into the hours field. This however raises the question whether we want to have the duration be in DDHHMM format in the grammar or in just NMM format where N is any numeric value that represents an unlimited number of hours.

Thoughts?

--
Thank you,
Dmitri Pal

Sr. Engineering Manager IPA project,
Red Hat Inc.

From jhrozek at redhat.com Tue Nov 23 11:35:02 2010
From: jhrozek at redhat.com (Jakub Hrozek)
Date: Tue, 23 Nov 2010 12:35:02 +0100
Subject: [Freeipa-devel] [PATCH] Fix crash in modrdn plugin
In-Reply-To: <20101122155552.03d18722@willson.li.ssimo.org>
References: <20101122155552.03d18722@willson.li.ssimo.org>
Message-ID: <20101123113501.GA18888@zeppelin.brq.redhat.com>

On Mon, Nov 22, 2010 at 03:55:52PM -0500, Simo Sorce wrote:
>
> I was stupidly assigning a const string to a variable that would be
> freed later.
> Fixes bug #529
>
> Simo.
>
> --
> Simo Sorce * Red Hat, Inc * New York

This patch is obviously correct and gets rid of the segfault (also fixes one
other potential double-free crasher), so I'd like to ACK this one.

I still wasn't able to install a replica, but that seems to be another bug..

Jakub

From jhrozek at redhat.com Tue Nov 23 12:36:36 2010
From: jhrozek at redhat.com (Jakub Hrozek)
Date: Tue, 23 Nov 2010 13:36:36 +0100
Subject: [Freeipa-devel] [PATCH] Modified ipa help behavior
In-Reply-To: <20101122161403.356501ff@willson.li.ssimo.org>
References: <201011080926.12248.jzeleny@redhat.com> <201011081054.00482.jzeleny@redhat.com> <4CDB5CA0.9020906@redhat.com> <201011151424.13468.jzeleny@redhat.com> <4CEA9B4F.80400@redhat.com> <20101122161403.356501ff@willson.li.ssimo.org>
Message-ID: <20101123123636.GB18888@zeppelin.brq.redhat.com>

On Mon, Nov 22, 2010 at 04:14:03PM -0500, Simo Sorce wrote:
> On Mon, 22 Nov 2010 11:33:19 -0500
> Rob Crittenden wrote:
>
>> So I'm wondering if we need to re-think how we're documenting things.
>>
>> Right now we have on the order of 178 commands. That is a LOT of man
>> pages even if we used some sort of automated XML system. We just need
>> to do the right thing before GA.
>>
>> Rather than combining the help from all the similar commands just
>> show the top-level and include a SEEALSO?
>>
>> So for example for: ipa help hbac
>>
>> We would just show the hbac top-level help and include a SEEALSO for
>> hbacsvc and hbacsvcgroup rather than including those top-level help
>> as well?
>>
>> Similarly for sudo.
>
> Not saying we should follow the example but git seems to just fetch and
> pop up the man page when you run a --help request.
>
> So it seems that git upstream decided to document stuff only in the
> manpages instead of providing contextual help.
>
> It seems an interesting option, worth discussing imo.
>
> Simo.

Depends on how verbose the manpage is, I guess. I often run --help just to
check the exact syntax of switches -- stuff like does ipa group-add-member
take --groups or --group?

From pzuna at redhat.com Tue Nov 23 14:29:45 2010
From: pzuna at redhat.com (Pavel Zuna)
Date: Tue, 23 Nov 2010 15:29:45 +0100
Subject: [Freeipa-devel] [PATCH] Change signature of LDAPSearch.pre_callback.
Message-ID: <4CEBCFD9.9080400@redhat.com>

Add the opportunity to change base DN and scope in the callback.

This makes the callback a lot more powerful, because it enables the plugin author to broaden or completely change the search location.

Pavel

-------------- next part --------------
A non-text attachment was scrubbed...
Name: pzuna-freeipa-0038-searchprecall.patch
Type: text/x-patch
Size: 7160 bytes
Desc: not available
URL:

From pzuna at redhat.com Tue Nov 23 14:37:17 2010
From: pzuna at redhat.com (Pavel Zuna)
Date: Tue, 23 Nov 2010 15:37:17 +0100
Subject: [Freeipa-devel] [PATCH] Add new version of DNS plugin: complete rework with baseldap + unit tests.
Message-ID: <4CEBD19D.9050707@redhat.com>

Finally managed to rewrite the DNS plugin again. Sorry it took so long, we had training in the office and I also had a nasty bug in baseldap.py I couldn't find.

Anyway, this version has it all:
- changes we agreed on at the meeting: the "resource" abstraction is gone and we now only have zones and records = adding a new record automatically updates an existing entry or creates it if it wasn't there, and deleting the last record deletes the whole entry - all of it transparent to the user
- unit tests
- ipa help documentation

Fixes tickets: #36 #450

I also closed bug #654412.

It has a new patch sequence number, because it depends on another patch with a higher number and I didn't want to create forward dependencies.

Depends on my patches number:
35 (will repost if needed)
38 (posted a while ago on freeipa-devel)

Pavel

-------------- next part --------------
A non-text attachment was scrubbed...
Name: pzuna-freeipa-0039-dns2.patch
Type: text/x-patch
Size: 30996 bytes
Desc: not available
URL:

From pzuna at redhat.com Tue Nov 23 14:39:29 2010
From: pzuna at redhat.com (Pavel Zuna)
Date: Tue, 23 Nov 2010 15:39:29 +0100
Subject: [Freeipa-devel] [PATCH] Generate better DuplicateEntry error message in LDAPCreate.
Message-ID: <4CEBD221.4020405@redhat.com>

DuplicateEntry error messages generated by LDAPCreate are now detailed like this:

ipa: ERROR: user with name "testuser" already exists

Solves ticket #530. It works for everything, not just the objects described in this ticket.

Pavel

-------------- next part --------------
A non-text attachment was scrubbed...
Name: pzuna-freeipa-0040-duplicateerror.patch
Type: text/x-patch
Size: 2046 bytes
Desc: not available
URL:

From pzuna at redhat.com Tue Nov 23 14:41:42 2010
From: pzuna at redhat.com (Pavel Zuna)
Date: Tue, 23 Nov 2010 15:41:42 +0100
Subject: [Freeipa-devel] [PATCH] Change signature of LDAPSearch.pre_callback.
In-Reply-To: <4CEBCFD9.9080400@redhat.com>
References: <4CEBCFD9.9080400@redhat.com>
Message-ID: <4CEBD2A6.5000704@redhat.com>

On 11/23/2010 03:29 PM, Pavel Zuna wrote:
> Add the opportunity to change base DN and scope in the callback.
>
> This makes the callback a lot more powerful, because it enables the
> plugin author to broaden or completely change the search location.
>
> Pavel
>

Just noticed that this patch also fixes the "ipa plugins" command. Meant to be in a separate patch, but it ended up here by accident.

Pavel

From sgallagh at redhat.com Tue Nov 23 15:44:45 2010
From: sgallagh at redhat.com (Stephen Gallagher)
Date: Tue, 23 Nov 2010 10:44:45 -0500
Subject: [Freeipa-devel] Other issues with HBAC calendar
In-Reply-To: <4CEB3AFB.7000605@redhat.com>
References: <4CEB3AFB.7000605@redhat.com>
Message-ID: <4CEBE16D.5060804@redhat.com>

On 11/22/2010 10:54 PM, Dmitri Pal wrote:
> Hi,
>
> During the conversation with Ben and Kyle today over the calendar screen
> two things came up:
> 1) Time zone
> 2) Duration
>
> Time zone
>

Time zone should always be entered relative to the server, not the user entering it. This should be clearly identified in the UI. Then there's no ambiguity upon reading it back out, as it is ALWAYS relative to the server.

>
> Duration
>
> The new grammar allows DDHHMM for the duration. UI proposes to limit the
> duration to less than 24 hours since windows of more than 24 hours can
> start overlapping, and thus allowing duration days to be entered was
> confusing to the users who tried the UI. We need to reconcile this a bit
> between what can be stored and what can be displayed. IMO it makes sense
> to allow windows of more than 24 hours (a regular service window over the
> weekend, for example). But on the other hand I see how having a separate
> field for the number of duration days in the UI might be confusing. I
> would vote for not having days in the UI at all but allowing any numeric
> value to be entered into the hours field. This however raises the
> question whether we want to have the duration be in DDHHMM format in the
> grammar or in just NMM format where N is any numeric value that
> represents an unlimited number of hours. Thoughts?
>

I agree that we don't want to have > 24 hours in the UI.

DDHHMM is easier to parse, and I can't come up with an example where a window of longer than 99 days makes sense. Instead, it should be a recurring event.

--
Stephen Gallagher
RHCE 804006346421761

Delivering value year after year.
Red Hat ranks #1 in value among software vendors.
http://www.redhat.com/promo/vendor/

From ssorce at redhat.com Tue Nov 23 16:42:46 2010
From: ssorce at redhat.com (Simo Sorce)
Date: Tue, 23 Nov 2010 11:42:46 -0500
Subject: [Freeipa-devel] [PATCH] Fix crash in modrdn plugin
In-Reply-To: <20101123113501.GA18888@zeppelin.brq.redhat.com>
References: <20101122155552.03d18722@willson.li.ssimo.org> <20101123113501.GA18888@zeppelin.brq.redhat.com>
Message-ID: <20101123114246.334387d8@willson.li.ssimo.org>

On Tue, 23 Nov 2010 12:35:02 +0100
Jakub Hrozek wrote:

> On Mon, Nov 22, 2010 at 03:55:52PM -0500, Simo Sorce wrote:
>>
>> I was stupidly assigning a const string to a variable that would be
>> freed later.
>> Fixes bug #529
>>
>> Simo.
>>
>> --
>> Simo Sorce * Red Hat, Inc * New York
>
> This patch is obviously correct and gets rid of the segfault (also
> fixes one other potential double-free crasher), so I'd like to ACK
> this one.
>
> I still wasn't able to install a replica, but that seems to be another
> bug..

Ok, pushed to master.

Simo.

--
Simo Sorce * Red Hat, Inc * New York

From edewata at redhat.com Tue Nov 23 19:15:29 2010
From: edewata at redhat.com (Endi Sukma Dewata)
Date: Tue, 23 Nov 2010 13:15:29 -0600
Subject: [Freeipa-devel] [PATCH] 0100-top-nav-index
In-Reply-To: <4CEA9D1D.1010204@redhat.com>
References: <4CE6F59A.4060507@redhat.com> <4CE70DDF.1040205@redhat.com> <4CEA9D1D.1010204@redhat.com>
Message-ID: <4CEC12D1.6080208@redhat.com>

On 11/22/2010 10:41 AM, Adam Young wrote:
> Without reordering things now, I propose we allow for a three level
> structure in the tab_set. Top level will not be an entity. Second level
> will be an entity. Third level will be a nested entity.
> Nested entities are not related in any way to the entity that they are
> nested under except by convention. Thus, sudocmd and sudocmdgrps may get
> nested under sudorules, but they could easily be placed as peers.
> Contrast these with DNS records, which require the DNS Zone value.
> For 3 level deep nesting, we will need a naming scheme to make these
> work. Something like
> #subtab=sudorule&entity=sudocmd
>
> contrast this with
>
> #entity=sudorule
>
> Thus, the entity value always points to the object, not necessarily at
> the leaf node of the navigation tree.

I agree that the navigation should be decoupled from the entity to make it more flexible. This is a more detailed proposal; I don't know if we can fully implement this within the schedule, but at least we can go toward this direction.

Currently the navigation tree always points to entities. This should be replaced by pages (you're calling it subtab). We can pick another name if this is confusing, but for now let's use these terms: the first level tabs are sections, the second level tabs are pages.

A page defines anything you see below the tabs, including client area and action panel. Each page can have one entity (e.g. users), multiple entities (e.g. hbac), or special cases (e.g. krbtpolicy, config).

We can have a base class (e.g. ipa_page) that defines the basic layout where the UI components are located (e.g. the action panel, client area, title, buttons); this way all pages will be consistent. Then we can create subclasses that will customize each component depending on the entity, facet, or entry being selected. Each page is responsible for reading the parameters it needs from the URL.

We might also need a tree-like navigation for the action panel, but that's for another discussion.

--
Endi S. Dewata

From ayoung at redhat.com Tue Nov 23 19:57:47 2010
From: ayoung at redhat.com (Adam Young)
Date: Tue, 23 Nov 2010 14:57:47 -0500
Subject: [Freeipa-devel] [PATCH] 0100-top-nav-index
In-Reply-To: <4CEC12D1.6080208@redhat.com>
References: <4CE6F59A.4060507@redhat.com> <4CE70DDF.1040205@redhat.com> <4CEA9D1D.1010204@redhat.com> <4CEC12D1.6080208@redhat.com>
Message-ID: <4CEC1CBB.9080507@redhat.com>

On 11/23/2010 02:15 PM, Endi Sukma Dewata wrote:
> On 11/22/2010 10:41 AM, Adam Young wrote:
>> Without reordering things now, I propose we allow for a three level
>> structure in the tab_set. Top level will not be an entity. Second level
>> will be an entity. Third level will be a nested entity.
>
>> Nested entities are not related in any way to the entity that they are
>> nested under except by convention. Thus, sudocmd and sudocmdgrps may get
>> nested under sudorules, but they could easily be placed as peers.
>> Contrast these with DNS records, which require the DNS Zone value.
>
>> For 3 level deep nesting, we will need a naming scheme to make these
>> work. Something like
>> #subtab=sudorule&entity=sudocmd
>>
>> contrast this with
>>
>> #entity=sudorule
>>
>> Thus, the entity value always points to the object, not necessarily at
>> the leaf node of the navigation tree.
>
> I agree that the navigation should be decoupled from the entity to make
> it more flexible. This is a more detailed proposal; I don't know if we
> can fully implement this within the schedule, but at least we can go
> toward this direction.
>
> Currently the navigation tree always points to entities. This should
> be replaced by pages (you're calling it subtab). We can pick another
> name if this is confusing, but for now let's use these terms: the
> first level tabs are sections, the second level tabs are pages.
>
> A page defines anything you see below the tabs, including client area
> and action panel. Each page can have one entity (e.g. users), multiple
> entities (e.g. hbac), or special cases (e.g. krbtpolicy, config).
>
> We can have a base class (e.g. ipa_page) that defines the basic layout
> where the UI components are located (e.g. the action panel, client
> area, title, buttons); this way all pages will be consistent. Then we
> can create subclasses that will customize each component depending on
> the entity, facet, or entry being selected. Each page is responsible
> for reading the parameters it needs from the URL.
>
> We might also need a tree-like navigation for the action panel, but
> that's for another discussion.
>

If I understand this correctly, it is pretty much in line with what I am thinking. For a first round, and to get this patch submitted, I think I am going to add entries to the tab set under HBAC and sudo that will be used for navigating to those entities, even though it won't be used for populating the action panel. The action panel work can follow on. For now, and through this release, we will only have one layout, what you are calling ipa_page.

From rcritten at redhat.com Tue Nov 23 20:14:27 2010
From: rcritten at redhat.com (Rob Crittenden)
Date: Tue, 23 Nov 2010 15:14:27 -0500
Subject: [Freeipa-devel] [PATCH] 618 handle membership better
Message-ID: <4CEC20A3.4070609@redhat.com>

Use better description for group names in help and always prompt for members

When running -[add|remove]-member completely interactively it didn't prompt for managing membership, it just reported that 0 members were handled which was rather confusing.

This will work via a shell if you want to echo too:

$ echo "" | ipa group-add-member g1

This returns 0 members because nothing is read for users or group members.

$ echo -e "g1\nadmin\n" | ipa group-add-member

This adds the user admin to the group g1. It adds it as a user because user membership is prompted for first.

ticket 415

rob

-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-rcrit-618-members.patch
Type: text/x-patch
Size: 5091 bytes
Desc: not available
URL:

From rcritten at redhat.com Tue Nov 23 21:07:47 2010
From: rcritten at redhat.com (Rob Crittenden)
Date: Tue, 23 Nov 2010 16:07:47 -0500
Subject: [Freeipa-devel] Other issues with HBAC calendar
In-Reply-To: <4CEBE16D.5060804@redhat.com>
References: <4CEB3AFB.7000605@redhat.com> <4CEBE16D.5060804@redhat.com>
Message-ID: <4CEC2D23.6050804@redhat.com>

Stephen Gallagher wrote:
> On 11/22/2010 10:54 PM, Dmitri Pal wrote:
>> Hi,
>>
>> During the conversation with Ben and Kyle today over the calendar screen
>> two things came up:
>> 1) Time zone
>> 2) Duration
>>
>> Time zone
>>
>
> Time zone should always be entered relative to the server, not the user
> entering it. This should be clearly identified in the UI. Then there's
> no ambiguity upon reading it back out, as it is ALWAYS relative to the
> server.

I don't want to throw a wrench in, but what if you have multiple replicas in various distant locations, WHICH server is the time relative to?

rob

>
>> Duration
>>
>> The new grammar allows DDHHMM for the duration. UI proposes to limit the
>> duration to less than 24 hours since windows of more than 24 hours can
>> start overlapping, and thus allowing duration days to be entered was
>> confusing to the users who tried the UI. We need to reconcile this a bit
>> between what can be stored and what can be displayed. IMO it makes sense
>> to allow windows of more than 24 hours (a regular service window over the
>> weekend, for example). But on the other hand I see how having a separate
>> field for the number of duration days in the UI might be confusing. I
>> would vote for not having days in the UI at all but allowing any numeric
>> value to be entered into the hours field. This however raises the
>> question whether we want to have the duration be in DDHHMM format in the
>> grammar or in just NMM format where N is any numeric value that
>> represents an unlimited number of hours. Thoughts?
>>
>
> I agree that we don't want to have > 24 hours in the UI.
>
> DDHHMM is easier to parse, and I can't come up with an example where a
> window of longer than 99 days makes sense. Instead, it should be a
> recurring event.
>
> --
> Stephen Gallagher
> RHCE 804006346421761

From nalin at redhat.com Tue Nov 23 21:10:15 2010
From: nalin at redhat.com (Nalin Dahyabhai)
Date: Tue, 23 Nov 2010 16:10:15 -0500
Subject: [Freeipa-devel] Where we are with SUDO?
In-Reply-To:
References: <4CE5B29E.2020702@redhat.com>
Message-ID: <20101123211015.GA13884@redhat.com>

On Mon, Nov 22, 2010 at 07:18:42PM +0000, JR Aquino wrote:
> On 11/18/10 3:11 PM, "Dmitri Pal" wrote:
>> JR Aquino wrote:
>>> The IPA SudoRule Structure has largely been based off of what we are
>>> doing today with HBAC.
>>>
>>> HBAC does not distinguish between memberGroup or memberNetgroup... It's
>>> simply, memberHost and memberUser for both HBAC and IPASudoRules.
>>>
>>> Also, when HBAC or IPASudoRules add a member, there is no resulting
>>> 'memberOf' or (hbacMemberOf/sudoMemberOf) inserted into the usergroup,
>>> hostgroup, command group, etc... Whereas, if you add a host to a
>>> hostgroup, the host ends up with a pointer referring back to the
>>> hostgroup. I believe this was done to provide referential integrity.

No problem. References to memberOf were there before mainly to try to cover unusual cases, but they can be dropped so long as people aren't going to go around adding memberOf values just for kicks.

>> Nalin is working on a solution to this. We do not need to modify schema.
>> Instead he is adding code to make checks on the object type and have a
>> way to transform the value in different ways based on this check.
>
> Excellent!
>
> I'll retest as soon as the new patch is available!

Attached. You'll need the current snapshot of slapi-nis in order to get functionality that the new configuration patch depends on.

Cheers,

Nalin

-------------- next part --------------
>From 96e6467b20c69051147ed1dc9d7023169cce7c7e Mon Sep 17 00:00:00 2001
From: Nalin Dahyabhai Date: Tue, 23 Nov 2010 15:38:40 -0500 Subject: [PATCH] - fix quoting of netgroup entries - use newer slapi-nis functionality to produce cn=sudoers - drop the real cn=sudoers container --- install/share/bootstrap-template.ldif | 6 ----- install/share/schema_compat.uldif | 35 ++++++++++++++++++++++++++++++-- ipa.spec.in | 2 +- 3 files changed, 33 insertions(+), 10 deletions(-) diff --git a/install/share/bootstrap-template.ldif b/install/share/bootstrap-template.ldif index 7946526..283d226 100644 --- a/install/share/bootstrap-template.ldif +++ b/install/share/bootstrap-template.ldif @@ -64,12 +64,6 @@ objectClass: top objectClass: nsContainer cn: sudorules -dn: cn=SUDOers,$SUFFIX -changetype: add -objectClass: nsContainer -objectClass: top -cn: SUDOers - dn: cn=etc,$SUFFIX changetype: add objectClass: nsContainer diff --git a/install/share/schema_compat.uldif b/install/share/schema_compat.uldif index 22e3141..d74a9c0 100644 --- a/install/share/schema_compat.uldif +++ b/install/share/schema_compat.uldif 
@@ -56,14 +56,43 @@ add:cn: ng add:schema-compat-container-group: 'cn=compat, $SUFFIX' add:schema-compat-container-rdn: cn=ng add:schema-compat-check-access: yes -add:schema-compat-search-base: 'cn=ng,cn=alt,$SUFFIX' -add:schema-compat-search-filter: !(cn=ng) +add:schema-compat-search-base: 'cn=ng, cn=alt, $SUFFIX' +add:schema-compat-search-filter: (objectclass=ipaNisNetgroup) add:schema-compat-entry-rdn: cn=%{cn} add:schema-compat-entry-attribute: objectclass=nisNetgroup add:schema-compat-entry-attribute: 'memberNisNetgroup=%deref_r("member","cn")' add:schema-compat-entry-attribute: 'memberNisNetgroup=%referred_r("cn=ng","memberOf","cn")' -add:schema-compat-entry-attribute: nisNetgroupTriple=(%link("%ifeq(\"hostCategory\",\"all\",\"\",\"%collect(\\\"%{externalHost}\\\",\\\"%deref(\\\\\\\"memberHost\\\\\\\",\\\\\\\"fqdn\\\\\\\")\\\",\\\"%deref_r(\\\\\\\"member\\\\\\\",\\\\\\\"fqdn\\\\\\\")\\\",\\\"%deref_r(\\\\\\\"memberHost\\\\\\\",\\\\\\\"member\\\\\\\",\\\\\\\"fqdn\\\\\\\")\\\")\")","-",",","%ifeq(\"userCategory\",\"all\",\"\",\"%collect(\\\"%deref(\\\\\\\"memberUser\\\\\\\",\\\\\\\"uid\\\\\\\")\\\",\\\"%deref_r(\\\\\\\"member\\\\\\\",\\\\\\\"uid\\\\\\\")\\\",\\\"%deref_r(\\\\\\\"memberUser\\\\\\\",\\\\\\\"member\\\\\\\",\\\\\\\"uid\\\\\\\")\\\")\")","-"),%{nisDomainName:-}) +add:schema-compat-entry-attribute: 'nisNetgroupTriple=(%link("%ifeq(\"hostCategory\",\"all\",\"\",\"%collect(\\\"%{externalHost}\\\",\\\"%deref(\\\\\\\"memberHost\\\\\\\",\\\\\\\"fqdn\\\\\\\")\\\",\\\"%deref_r(\\\\\\\"member\\\\\\\",\\\\\\\"fqdn\\\\\\\")\\\",\\\"%deref_r(\\\\\\\"memberHost\\\\\\\",\\\\\\\"member\\\\\\\",\\\\\\\"fqdn\\\\\\\")\\\")\")","-",",","%ifeq(\"userCategory\",\"all\",\"\",\"%collect(\\\"%deref(\\\\\\\"memberUser\\\\\\\",\\\\\\\"uid\\\\\\\")\\\",\\\"%deref_r(\\\\\\\"member\\\\\\\",\\\\\\\"uid\\\\\\\")\\\",\\\"%deref_r(\\\\\\\"memberUser\\\\\\\",\\\\\\\"member\\\\\\\",\\\\\\\"uid\\\\\\\")\\\")\")","-"),%{nisDomainName:-})' + +dn: cn=sudoers,cn=Schema 
Compatibility,cn=plugins,cn=config +add:objectClass: top +add:objectClass: extensibleObject +add:cn: sudoers +add:schema-compat-container-group: 'cn=sudoers, $SUFFIX' +add:schema-compat-search-base: 'cn=sudorules, $SUFFIX' +add:schema-compat-search-filter: (&(objectclass=ipaSudoRule)(!(compatVisible=FALSE))(!(ipaEnabledFlag=FALSE))) +add:schema-compat-entry-rdn: cn=%{cn} +add:schema-compat-entry-attribute: objectclass=sudoRole +add:schema-compat-entry-attribute: 'sudoUser=%ifeq("userCategory","all","ALL","%{externalUser}")' +add:schema-compat-entry-attribute: 'sudoUser=%ifeq("userCategory","all","ALL","%deref_f(\"memberUser\",\"(objectclass=posixAccount)\",\"uid\")")' +add:schema-compat-entry-attribute: 'sudoUser=%ifeq("userCategory","all","ALL","%deref_rf(\"memberUser\",\"(&(objectclass=ipaUserGroup)(!(objectclass=posixGroup)))\",\"member\",\"(|(objectclass=ipaUserGroup)(objectclass=posixAccount))\",\"uid\")")' +add:schema-compat-entry-attribute: 'sudoUser=%ifeq("userCategory","all","ALL","%%%deref_rf(\"memberUser\",\"(objectclass=posixGroup)\",\"cn\")")' +add:schema-compat-entry-attribute: 'sudoUser=%ifeq("userCategory","all","ALL","+%deref_f(\"memberUser\",\"(objectclass=ipaNisNetgroup)\",\"cn\")")' +add:schema-compat-entry-attribute: 'sudoHost=%ifeq("hostCategory","all","ALL","%{externalHost}")' +add:schema-compat-entry-attribute: 'sudoHost=%ifeq("hostCategory","all","ALL","%deref_f(\"memberHost\",\"(objectclass=ipaHost)\",\"fqdn\")")' +add:schema-compat-entry-attribute: 'sudoHost=%ifeq("hostCategory","all","ALL","%deref_rf(\"memberHost\",\"(objectclass=ipaHostGroup)\",\"member\",\"(|(objectclass=ipaHostGroup)(objectclass=ipaHost))\",\"fqdn\")")' +add:schema-compat-entry-attribute: 'sudoHost=%ifeq("hostCategory","all","ALL","+%deref_f(\"memberHost\",\"(objectclass=ipaNisNetgroup)\",\"cn\")")' +add:schema-compat-entry-attribute: 'sudoCommand=%ifeq("cmdCategory","all","ALL","%deref(\"memberAllowCmd\",\"sudoCmd\")")' +add:schema-compat-entry-attribute: 
'sudoCommand=%ifeq("cmdCategory","all","ALL","%deref_r(\"memberAllowCmd\",\"member\",\"sudoCmd\")")' +add:schema-compat-entry-attribute: 'sudoCommand=%ifeq("cmdCategory","all","ALL","!%deref(\"memberDenyCmd\",\"sudoCmd\")")' +add:schema-compat-entry-attribute: 'sudoCommand=%ifeq("cmdCategory","all","ALL","!%deref_r(\"memberDenyCmd\",\"member\",\"sudoCmd\")")' +add:schema-compat-entry-attribute: 'sudoRunAsUser=%{ipaSudoRunAsExtUser}' +add:schema-compat-entry-attribute: 'sudoRunAsUser=%deref("ipaSudoRunAs","uid")' +add:schema-compat-entry-attribute: 'sudoRunAsGroup=%{ipaSudoRunAsExtGroup}' +add:schema-compat-entry-attribute: 'sudoRunAsGroup=%deref("ipaSudoRunAs","cn")' +add:schema-compat-entry-attribute: 'sudoOption=%{ipaSudoOpt}' # Enable anonymous VLV browsing for Solaris dn: oid=2.16.840.1.113730.3.4.9,cn=features,cn=config only:aci: '(targetattr !="aci")(version 3.0; acl "VLV Request Control"; allow (read, search, compare, proxy) userdn = "ldap:///anyone"; )' + diff --git a/ipa.spec.in b/ipa.spec.in index 5a3ea2b..ab47535 100644 --- a/ipa.spec.in +++ b/ipa.spec.in @@ -91,7 +91,7 @@ Requires: libcap Requires: selinux-policy %endif Requires(post): selinux-policy-base -Requires: slapi-nis >= 0.15 +Requires: slapi-nis >= 0.21 Requires: pki-ca >= 1.3.6 Requires: pki-silent >= 1.3.4 -- 1.7.3.2 From ssorce at redhat.com Tue Nov 23 21:32:24 2010 
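Review bot: the new `cn=sudoers,cn=Schema Compatibility,cn=plugins,cn=config` entry does not set `schema-compat-check-access`, while the `cn=ng` container edited in the same hunk has `add:schema-compat-check-access: yes`. Without it the plugin answers searches under `cn=sudoers, $SUFFIX` with the generated `sudoRole` entries (the `sudoUser`, `sudoHost`, `sudoCommand`, `sudoRunAsUser`/`sudoRunAsGroup` and `sudoOption` values derived from `cn=sudorules, $SUFFIX`) without checking the requester's access to the source `ipaSudoRule` entries; the `(!(compatVisible=FALSE))` filter controls which rules are mirrored, not who may read them. If the omission is deliberate, say so in the commit message and name the ACI that is meant to protect the compat subtree; otherwise add `+add:schema-compat-check-access: yes` next to `schema-compat-container-group`.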
From: ssorce at redhat.com (Simo Sorce)
Date: Tue, 23 Nov 2010 16:32:24 -0500
Subject: [Freeipa-devel] Other issues with HBAC calendar
In-Reply-To: <4CEC2D23.6050804@redhat.com>
References: <4CEB3AFB.7000605@redhat.com> <4CEBE16D.5060804@redhat.com> <4CEC2D23.6050804@redhat.com>
Message-ID: <20101123163224.3408cbb3@willson.li.ssimo.org>

On Tue, 23 Nov 2010 16:07:47 -0500
Rob Crittenden wrote:

> I don't want to throw a wrench in, but what if you have multiple
> replicas in various distant locations, WHICH server is the time
> relative to?

By server I think Steve meant the machine currently evaluating the
access control decision. "Host" would have been a happier term.

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York

From ssorce at redhat.com Tue Nov 23 22:24:33 2010
From: ssorce at redhat.com (Simo Sorce)
Date: Tue, 23 Nov 2010 17:24:33 -0500
Subject: [Freeipa-devel] [PATCH] 0022 Enable EntryUSN plugin by default
Message-ID: <20101123172433.7261d1f2@willson.li.ssimo.org>

This patch enables the entryUSN plugin by default at install time.

EntryUSN numbers are useful for clients that want to track the newest
objects w/o having to care about timestamps dated in the past and
replicated by other masters.

EntryUSN numbers are valid only in the context of a single server, as
each master in the domain keeps its own entryUSN numbers.

Fixes 526

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York

-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-simo-0022-Enable-EntryUSN-plugin-by-default-with-global-scope.patch
Type: text/x-patch
Size: 3346 bytes

From rcritten at redhat.com Tue Nov 23 22:48:29 2010
From: rcritten at redhat.com (Rob Crittenden)
Date: Tue, 23 Nov 2010 17:48:29 -0500
Subject: [Freeipa-devel] [PATCH] 583 update DNS when adding/removing host
In-Reply-To: <4CE70182.8020205@redhat.com>
References: <4CBEFC00.7020303@redhat.com> <20101028162914.13f6dbf8@willson.li.ssimo.org> <4CE70182.8020205@redhat.com>
Message-ID: <4CEC44BD.1060103@redhat.com>

Rob Crittenden wrote:
> Simo Sorce wrote:
>> On Wed, 20 Oct 2010 10:26:08 -0400
>> Rob Crittenden wrote:
>>
>>> Add ability to add/remove DNS records when adding/removing a host
>>> entry.
>>>
>>> A host in DNS must have an IP address so a valid IP address is
>>> required when adding a host. The --force flag will be needed too
>>> since you are adding a host that isn't in DNS.
>>>
>>> For IPv4 it will create an A and a PTR DNS record.
>>>
>>> IPv6 isn't quite supported yet. Some basic work in the DNS installer
>>> is needed to get this working. Once the get_reverse_zone() returns
>>> the right value then this should start working and create an AAAA
>>> record and the appropriate reverse entry.
>>>
>>> When deleting a host with the --updatedns flag it will try to remove
>>> all records it can find in the zone for this host.
>>>
>>> ticket 238
>>>
>>> rob
>>
>> NACK, this patch introduces a bug when trying to add the same host
>> multiple times with different ip addresses.
>> The second time the ipa host-add will correctly return an error that the
>> host already exists, yet the A record with the new address is added in
>> DNS. Adding records to the DNS should happen only after the host has
>> been successfully created.
>>
>> Simo.
>>
>
> Ok, moved the dns_add into the post operation. It still does some amount
> of validation in the preop.
>
> I added a failsafe so that if the host add is successful but the dns add
> fails it raises an error to that effect, it doesn't roll back all the
> changes.
>
> rob
>

Re-based patch.

rob

-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-583-3-host.patch
Type: text/x-patch
Size: 11271 bytes

From ssorce at redhat.com Tue Nov 23 23:24:02 2010
From: ssorce at redhat.com (Simo Sorce)
Date: Tue, 23 Nov 2010 18:24:02 -0500
Subject: [Freeipa-devel] [PATCH] 583 update DNS when adding/removing host
In-Reply-To: <4CEC44BD.1060103@redhat.com>
References: <4CBEFC00.7020303@redhat.com> <20101028162914.13f6dbf8@willson.li.ssimo.org> <4CE70182.8020205@redhat.com> <4CEC44BD.1060103@redhat.com>
Message-ID: <20101123182402.57983607@willson.li.ssimo.org>

On Tue, 23 Nov 2010 17:48:29 -0500
Rob Crittenden wrote:

> Rob Crittenden wrote:
> > Simo Sorce wrote:
> >> On Wed, 20 Oct 2010 10:26:08 -0400
> >> Rob Crittenden wrote:
> >>
> >>> Add ability to add/remove DNS records when adding/removing a host
> >>> entry.
> >>>
> >>> A host in DNS must have an IP address so a valid IP address is
> >>> required when adding a host. The --force flag will be needed too
> >>> since you are adding a host that isn't in DNS.
> >>>
> >>> For IPv4 it will create an A and a PTR DNS record.
> >>>
> >>> IPv6 isn't quite supported yet. Some basic work in the DNS
> >>> installer is needed to get this working. Once the
> >>> get_reverse_zone() returns the right value then this should start
> >>> working and create an AAAA record and the appropriate reverse
> >>> entry.
> >>>
> >>> When deleting a host with the --updatedns flag it will try to
> >>> remove all records it can find in the zone for this host.
> >>>
> >>> ticket 238
> >>>
> >>> rob
> >>
> >> NACK, this patch introduces a bug when trying to add the same host
> >> multiple times with different ip addresses.
> >> The second time the ipa host-add will correctly return an error
> >> that the host already exists, yet the A record with the new address
> >> is added in DNS. Adding records to the DNS should happen only
> >> after the host has been successfully created.
> >>
> >> Simo.
> >>
> >
> > Ok, moved the dns_add into the post operation. It still does some
> > amount of validation in the preop.
> >
> > I added a failsafe so that if the host add is successful but the
> > dns add fails it raises an error to that effect, it doesn't roll
> > back all the changes.
> >
> > rob
> >
>
> Re-based patch.
>
> rob

ACK, and pushed to master.

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York

From ayoung at redhat.com Wed Nov 24 02:26:28 2010
From: ayoung at redhat.com (Adam Young)
Date: Tue, 23 Nov 2010 21:26:28 -0500
Subject: [Freeipa-devel] [PATCH] Add new version of DNS plugin: complete rework with baseldap + unit tests.
In-Reply-To: <4CEBD19D.9050707@redhat.com>
References: <4CEBD19D.9050707@redhat.com>
Message-ID: <4CEC77D4.8030208@redhat.com>

On 11/23/2010 09:37 AM, Pavel Zuna wrote:
> Finally managed to rewrite the DNS plugin again. Sorry, it took so
> long, we had training in the office and I also had a nasty bug in
> baseldap.py I couldn't find.
>
> Anyway, this version has it all:
> - changes we agreed on at the meeting: the "resource" abstraction is gone and
> we now only have zones and records = adding a new record automatically
> updates an existing entry or creates it if it wasn't there and
> deleting the last record deletes the whole entry - all of it
> transparent to the user
> - unit tests
> - ipa help documentation
>
> Fixes tickets:
> #36
> #450
>
> I also closed bug #654412.
>
> It has a new patch sequence number, because it depends on another
> patch with a higher number and I didn't want to create forward
> dependencies.
>
> Depends on my patches number:
> 35 (will repost if needed)
> 38 (posted a while ago on freeipa-devel)
>
> Pavel
>
> _______________________________________________
> Freeipa-devel mailing list
> Freeipa-devel at redhat.com
> https://www.redhat.com/mailman/listinfo/freeipa-devel

I keep getting an error when doing simple things like install and ipa help:

[ayoung at ipa freeipa]$ ./ipa help dns2
ipa: ERROR: AttributeError: cannot override NameSpace.idnsname value Str('idnsname', cli_name='name', doc=Gettext('Zone name (FQDN)', domain='ipa', localedir=None), label=Gettext('Zone name', domain='ipa', localedir=None), multivalue=False, normalizer=, primary_key=True, query=True, required=True) with Str('idnsname', attribute=True, cli_name='name', doc=Gettext('Record name', domain='ipa', localedir=None), label=Gettext('Record name', domain='ipa', localedir=None), multivalue=False, primary_key=True, query=True, required=True)
Traceback (most recent call last):
  File "/home/ayoung/devel/freeipa/ipalib/cli.py", line 962, in run
    api.finalize()
  File "/home/ayoung/devel/freeipa/ipalib/plugable.py", line 615, in finalize
    p.instance.finalize()
  File "/home/ayoung/devel/freeipa/ipalib/frontend.py", line 724, in finalize
    self._create_param_namespace('args')
  File "/home/ayoung/devel/freeipa/ipalib/frontend.py", line 350, in _create_param_namespace
    sort=False
  File "/home/ayoung/devel/freeipa/ipalib/base.py", line 407, in __init__
    (self.__class__.__name__, name, self.__map[name], member)
AttributeError: cannot override NameSpace.idnsname value Str('idnsname', cli_name='name', doc=Gettext('Zone name (FQDN)', domain='ipa', localedir=None), label=Gettext('Zone name', domain='ipa', localedir=None), multivalue=False, normalizer=, primary_key=True, query=True, required=True) with Str('idnsname', attribute=True, cli_name='name', doc=Gettext('Record name', domain='ipa', localedir=None), label=Gettext('Record name', domain='ipa', localedir=None), multivalue=False, primary_key=True, query=True, required=True)
ipa: ERROR: an internal error has occurred

From ayoung at redhat.com Wed Nov 24 02:45:53 2010
From: ayoung at redhat.com (Adam Young)
Date: Tue, 23 Nov 2010 21:45:53 -0500
Subject: [Freeipa-devel] [PATCH] Change signature of LDAPSearch.pre_callback.
In-Reply-To: <4CEBD2A6.5000704@redhat.com>
References: <4CEBCFD9.9080400@redhat.com> <4CEBD2A6.5000704@redhat.com>
Message-ID: <4CEC7C61.5070401@redhat.com>

On 11/23/2010 09:41 AM, Pavel Zuna wrote:
> On 11/23/2010 03:29 PM, Pavel Zuna wrote:
>> Add the opportunity to change base DN and scope in the callback.
>>
>> This makes the callback a lot more powerful, because it enables the
>> plugin author to broaden or completely change the search location.
>>
>> Pavel
>>
>
> Just noticed that this patch also fixes the "ipa plugins" command.
> Meant to be in a separate patch, but it ended up here by accident.
>
> Pavel

Ack and pushed to master

From ayoung at redhat.com Wed Nov 24 02:46:09 2010
From: ayoung at redhat.com (Adam Young)
Date: Tue, 23 Nov 2010 21:46:09 -0500
Subject: [Freeipa-devel] [PATCH] Generate better DuplicateEntry error message in LDAPCreate.
In-Reply-To: <4CEBD221.4020405@redhat.com>
References: <4CEBD221.4020405@redhat.com>
Message-ID: <4CEC7C71.4000005@redhat.com>

On 11/23/2010 09:39 AM, Pavel Zuna wrote:
> DuplicateEntry error messages generated by LDAPCreate are now detailed
> like this:
> ipa: ERROR: user with name "testuser" already exists
>
> Solves ticket #530.
>
> It works for everything, not just the objects described in this ticket.
>
> Pavel

ACK and pushed to master

From rcritten at redhat.com Wed Nov 24 03:22:37 2010
From: rcritten at redhat.com (Rob Crittenden)
Date: Tue, 23 Nov 2010 22:22:37 -0500
Subject: [Freeipa-devel] [PATCH] Change signature of LDAPSearch.pre_callback.
In-Reply-To: <4CEBCFD9.9080400@redhat.com>
References: <4CEBCFD9.9080400@redhat.com>
Message-ID: <4CEC84FD.1090304@redhat.com>

Pavel Zuna wrote:
> Add the opportunity to change base DN and scope in the callback.
>
> This makes the callback a lot more powerful, because it enables the
> plugin author to broaden or completely change the search location.
>
> Pavel
>

Ack.

From rcritten at redhat.com Wed Nov 24 03:23:12 2010
From: rcritten at redhat.com (Rob Crittenden)
Date: Tue, 23 Nov 2010 22:23:12 -0500
Subject: [Freeipa-devel] [PATCH] Generate better DuplicateEntry error message in LDAPCreate.
In-Reply-To: <4CEBD221.4020405@redhat.com>
References: <4CEBD221.4020405@redhat.com>
Message-ID: <4CEC8520.3020900@redhat.com>

Pavel Zuna wrote:
> DuplicateEntry error messages generated by LDAPCreate are now detailed
> like this:
> ipa: ERROR: user with name "testuser" already exists
>
> Solves ticket #530.
>
> It works for everything, not just the objects described in this ticket.
>
> Pavel

ack

From jzeleny at redhat.com Wed Nov 24 07:49:36 2010
From: jzeleny at redhat.com (Jan Zelený)
Date: Wed, 24 Nov 2010 08:49:36 +0100
Subject: [Freeipa-devel] [PATCH] 615 handle empty members
In-Reply-To: <4CE6D7AF.6080902@redhat.com>
References: <4CE6D7AF.6080902@redhat.com>
Message-ID: <201011240849.37181.jzeleny@redhat.com>

Rob Crittenden wrote:
> If an empty member list was passed in we would crap out because we were
> trying to iterate over None. Add a test for this.
>
> ticket 486
>
> rob

ACK

-- 
Thank you
Jan Zeleny

Red Hat Software Engineer
Brno, Czech Republic

From jzeleny at redhat.com Wed Nov 24 07:51:23 2010
From: jzeleny at redhat.com (Jan Zelený)
Date: Wed, 24 Nov 2010 08:51:23 +0100
Subject: [Freeipa-devel] [PATCH] 617 catch CA retrieval errors
In-Reply-To: <4CEA8EFD.20807@redhat.com>
References: <4CEA8EFD.20807@redhat.com>
Message-ID: <201011240851.23546.jzeleny@redhat.com>

Rob Crittenden wrote:
> Catch when retrieving the CA chain from dogtag fails and report a
> friendlier error. Also don't try to free the XML document unless it has
> been created.
>
> To test this do an installation on F14 with a dogtag backend without
> fixing the symbolic link from /usr/share/java/xalan-j2-serializer.jar to
> /usr/share/tomcat5/common/lib/xalan-j2-serializer.jar
>
> rob

ACK

-- 
Thank you
Jan Zeleny

Red Hat Software Engineer
Brno, Czech Republic

From jzeleny at redhat.com Wed Nov 24 08:00:24 2010
From: jzeleny at redhat.com (Jan Zelený)
Date: Wed, 24 Nov 2010 09:00:24 +0100
Subject: [Freeipa-devel] [PATCH] 614 Display user and host membership in netgroups.
In-Reply-To: <4CE6A3B5.8060606@redhat.com>
References: <4CE6A3B5.8060606@redhat.com>
Message-ID: <201011240900.25066.jzeleny@redhat.com>

Rob Crittenden wrote:
> This uses an enhanced memberof plugin that allows multiple attributes
> to be configured to create memberOf attributes.
>
> This patch requires a new 389-ds-base, 1.2.7. This is currently only
> available in updates-testing.
>
> tickets 109 and 110
>
> To validate:
>
> # ipa user-add --first=Jim --last=User juser
> # ipa netgroup-add --desc=netgroup net1
> # ipa netgroup-add-member --users=juser --hosts=`hostname` net1
> # ipa netgroup-show net1 (should have the host and user as members)
> # ipa user-show juser (should have Member of netgroups)
> # ipa host-show `hostname` (should have Member of netgroups)
>
> rob

ACK

-- 
Thank you
Jan Zeleny

Red Hat Software Engineer
Brno, Czech Republic

From pzuna at redhat.com Wed Nov 24 08:46:00 2010
From: pzuna at redhat.com (Pavel Zuna)
Date: Wed, 24 Nov 2010 09:46:00 +0100
Subject: [Freeipa-devel] [PATCH] Add new version of DNS plugin: complete rework with baseldap + unit tests.
In-Reply-To: <4CEC77D4.8030208@redhat.com>
References: <4CEBD19D.9050707@redhat.com> <4CEC77D4.8030208@redhat.com>
Message-ID: <4CECD0C8.3030009@redhat.com>

On 11/24/2010 03:26 AM, Adam Young wrote:
> On 11/23/2010 09:37 AM, Pavel Zuna wrote:
>> Finally managed to rewrite the DNS plugin again. Sorry, it took so
>> long, we had training in the office and I also had a nasty bug in
>> baseldap.py I couldn't find.
>>
>> Anyway, this version has it all:
>> - changes we agreed on at the meeting: the "resource" abstraction is gone and
>> we now only have zones and records = adding a new record automatically
>> updates an existing entry or creates it if it wasn't there and
>> deleting the last record deletes the whole entry - all of it
>> transparent to the user
>> - unit tests
>> - ipa help documentation
>>
>> Fixes tickets:
>> #36
>> #450
>>
>> I also closed bug #654412.
>>
>> It has a new patch sequence number, because it depends on another
>> patch with a higher number and I didn't want to create forward
>> dependencies.
>>
>> Depends on my patches number:
>> 35 (will repost if needed)
>> 38 (posted a while ago on freeipa-devel)
>>
>> Pavel
>>
>
> I keep getting an error when doing simple things like install and ipa help:
> [ayoung at ipa freeipa]$ ./ipa help dns2
> ipa: ERROR: AttributeError: cannot override NameSpace.idnsname value
> Str('idnsname', cli_name='name', doc=Gettext('Zone name (FQDN)',
> domain='ipa', localedir=None), label=Gettext('Zone name', domain='ipa',
> localedir=None), multivalue=False, normalizer=,
> primary_key=True, query=True, required=True) with Str('idnsname',
> attribute=True, cli_name='name', doc=Gettext('Record name',
> domain='ipa', localedir=None), label=Gettext('Record name',
> domain='ipa', localedir=None), multivalue=False, primary_key=True,
> query=True, required=True)
> Traceback (most recent call last):
> File "/home/ayoung/devel/freeipa/ipalib/cli.py", line 962, in run
> api.finalize()
> File "/home/ayoung/devel/freeipa/ipalib/plugable.py", line 615, in finalize
> p.instance.finalize()
> File "/home/ayoung/devel/freeipa/ipalib/frontend.py", line 724, in finalize
> self._create_param_namespace('args')
> File "/home/ayoung/devel/freeipa/ipalib/frontend.py", line 350, in
> _create_param_namespace
> sort=False
> File "/home/ayoung/devel/freeipa/ipalib/base.py", line 407, in __init__
> (self.__class__.__name__, name, self.__map[name], member)
> AttributeError: cannot override NameSpace.idnsname value Str('idnsname',
> cli_name='name', doc=Gettext('Zone name (FQDN)', domain='ipa',
> localedir=None), label=Gettext('Zone name', domain='ipa',
> localedir=None), multivalue=False, normalizer=,
> primary_key=True, query=True, required=True) with Str('idnsname',
> attribute=True, cli_name='name', doc=Gettext('Record name',
> domain='ipa', localedir=None), label=Gettext('Record name',
> domain='ipa', localedir=None), multivalue=False, primary_key=True,
> query=True, required=True)
> ipa: ERROR: an internal error has occurred
>

That's because you need my patch number 35 for it to work...

Pavel

From pzuna at redhat.com Wed Nov 24 08:48:01 2010
From: pzuna at redhat.com (Pavel Zuna)
Date: Wed, 24 Nov 2010 09:48:01 +0100
Subject: [Freeipa-devel] [PATCH] Rename parent LDAPObject pkeys in child LDAPObject methods.
In-Reply-To: <20101119152351.GB25987@zeppelin.brq.redhat.com>
References: <4CD8C646.6020104@redhat.com> <20101119152351.GB25987@zeppelin.brq.redhat.com>
Message-ID: <4CECD141.8020306@redhat.com>

On 11/19/2010 04:23 PM, Jakub Hrozek wrote:
> On Tue, Nov 09, 2010 at 04:55:50AM +0100, Pavel Zůna wrote:
>> If the parent and child entries have the same attribute as primary
>> key (such as in the DNS schema), we need to rename the parent key
>> to prevent a param name conflict. It has no side effects, because
>> the primary key name is always taken from the LDAPObject params,
>> never from the method params.
>>
>> Pavel
>
> Would you mind rebasing the patch on top of Rob's 593 which is already
> acked (not pushed yet as of now).
>
> Jakub
>

Rebased patch number 35 attached - required by the new DNS plugin.

Pavel

-------------- next part --------------
A non-text attachment was scrubbed...
Name: pzuna-freeipa-0035-parentkey.patch
Type: text/x-patch
Size: 1382 bytes

From pzuna at redhat.com Wed Nov 24 13:06:15 2010
From: pzuna at redhat.com (Pavel Zuna)
Date: Wed, 24 Nov 2010 14:06:15 +0100
Subject: [Freeipa-devel] [PATCH] Prompt correctly for required Password params.
Message-ID: <4CED0DC7.8030806@redhat.com>

Required Password params were prompted for like any other non-Password
params, resulting in the password being displayed on the command line
and there was no confirmation.

Ticket #361

Pavel

-------------- next part --------------
A non-text attachment was scrubbed...
Name: pzuna-freeipa-0041-password.patch
Type: text/x-patch
Size: 2468 bytes

From ssorce at redhat.com Wed Nov 24 13:40:30 2010
From: ssorce at redhat.com (Simo Sorce)
Date: Wed, 24 Nov 2010 08:40:30 -0500
Subject: [Freeipa-devel] [PATCH] 614 Display user and host membership in netgroups.
In-Reply-To: <201011240900.25066.jzeleny@redhat.com>
References: <4CE6A3B5.8060606@redhat.com> <201011240900.25066.jzeleny@redhat.com>
Message-ID: <20101124084030.22b3226f@willson.li.ssimo.org>

On Wed, 24 Nov 2010 09:00:24 +0100
Jan Zelený wrote:

> Rob Crittenden wrote:
> > This uses an enhanced memberof plugin that allows multiple
> > attributes to be configured to create memberOf attributes.
> >
> > This patch requires a new 389-ds-base, 1.2.7. This is currently only
> > available in updates-testing.
> >
> > tickets 109 and 110
> >
> > To validate:
> >
> > # ipa user-add --first=Jim --last=User juser
> > # ipa netgroup-add --desc=netgroup net1
> > # ipa netgroup-add-member --users=juser --hosts=`hostname` net1
> > # ipa netgroup-show net1 (should have the host and user as members)
> > # ipa user-show juser (should have Member of netgroups)
> > # ipa host-show `hostname` (should have Member of netgroups)
> >
> > rob
>
> ACK
>

Ok pushed to master after rebasing the patch.
Rob please check as one chunk had to be removed. I believe the change is
correct but I prefer you to double-check.

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York

From ssorce at redhat.com Wed Nov 24 13:40:45 2010
From: ssorce at redhat.com (Simo Sorce)
Date: Wed, 24 Nov 2010 08:40:45 -0500
Subject: [Freeipa-devel] [PATCH] 615 handle empty members
In-Reply-To: <201011240849.37181.jzeleny@redhat.com>
References: <4CE6D7AF.6080902@redhat.com> <201011240849.37181.jzeleny@redhat.com>
Message-ID: <20101124084045.0c34a96f@willson.li.ssimo.org>

On Wed, 24 Nov 2010 08:49:36 +0100
Jan Zelený wrote:

> Rob Crittenden wrote:
> > If an empty member list was passed in we would crap out because we
> > were trying to iterate over None. Add a test for this.
> >
> > ticket 486
> >
> > rob
>
> ACK
>

Pushed to master.

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York

From ssorce at redhat.com Wed Nov 24 13:40:58 2010
From: ssorce at redhat.com (Simo Sorce)
Date: Wed, 24 Nov 2010 08:40:58 -0500
Subject: [Freeipa-devel] [PATCH] 617 catch CA retrieval errors
In-Reply-To: <201011240851.23546.jzeleny@redhat.com>
References: <4CEA8EFD.20807@redhat.com> <201011240851.23546.jzeleny@redhat.com>
Message-ID: <20101124084058.4d6a308d@willson.li.ssimo.org>

On Wed, 24 Nov 2010 08:51:23 +0100
Jan Zelený wrote:

> Rob Crittenden wrote:
> > Catch when retrieving the CA chain from dogtag fails and report a
> > friendlier error. Also don't try to free the XML document unless it
> > has been created.
> >
> > To test this do an installation on F14 with a dogtag backend without
> > fixing the symbolic link
> > from /usr/share/java/xalan-j2-serializer.jar
> > to /usr/share/tomcat5/common/lib/xalan-j2-serializer.jar
> >
> > rob
> ACK
>

Pushed to master.

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York

From ssorce at redhat.com Wed Nov 24 14:19:32 2010
From: ssorce at redhat.com (Simo Sorce)
Date: Wed, 24 Nov 2010 09:19:32 -0500
Subject: [Freeipa-devel] [PATCH] 602 verify --ip-address option during installation
In-Reply-To: <4CD95FB8.70604@redhat.com>
References: <4CD31ED0.5030403@redhat.com> <4CD92625.3090300@redhat.com> <4CD95FB8.70604@redhat.com>
Message-ID: <20101124091932.238ae94f@willson.li.ssimo.org>

On Tue, 09 Nov 2010 09:50:32 -0500
Rob Crittenden wrote:

> Jakub Hrozek wrote:
> > On 11/04/2010 10:00 PM, Rob Crittenden wrote:
> >> There was a corner case where the value of --ip-address was never
> >> verified if you were also setting up DNS.
> >>
> >> Added this bit of information to the man page too.
> >>
> >> ticket 399
> >>
> >> rob
> >>
> >
> > Two questions:
> > 1) is it intended to quit without printing an error message if
> > verify_ip() fails?
>
> verify_ip_address() prints the message.
>
> > 2) I don't quite understand the manpage part - it says "and
> > --setup-dns is *not* selected" - but the code checks for "if
> > options.setup_dns:"
>
> You can only override the public IP address setting if you are
> setting up your own DNS server. Perhaps I should make the text say
> that...

Ack and pushed to master.

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York

From ssorce at redhat.com Wed Nov 24 14:36:14 2010
From: ssorce at redhat.com (Simo Sorce)
Date: Wed, 24 Nov 2010 09:36:14 -0500
Subject: [Freeipa-devel] [PATCH] 612 re-implimit permissions
In-Reply-To: <4CE5F907.1030607@redhat.com>
References: <4CE5F907.1030607@redhat.com>
Message-ID: <20101124093614.2e8efd30@willson.li.ssimo.org>

On Thu, 18 Nov 2010 23:11:51 -0500
Rob Crittenden wrote:

> Re-implement access control using an updated model.
>
> The new model is based on permissions, privileges and roles. Most
> importantly it corrects the reverse membership that caused problems
> in the previous implementation. You add permission to privileges and
> privileges to roles, not the other way around (even though it works
> that way behind the scenes).
>
> A permission object is a combination of a simple group and an aci.
> The linkage between the aci and the permission is the description of
> the permission. This shows as the name/description of the aci.
>
> ldap:///self and groups granting groups (v1-style) are not supported
> by this model (it will be provided separately).
>
> ticket 445
>
> WARNING. The patch is humongous and changes a whole slew of stuff. It
> patches cleanly against the master right now but it is quite delicate
> so the sooner this is reviewed (without pushing anything else) the
> better.
>
> The self-tests all pass for me as well as some spot checking.
>
> Also note that I currently define a single role and it has no
> privileges. We will need to fill that in soon.

Sorry Rob, but before I can ACK a change of this proportion in the
Security model I want a wiki page with the model explained clearly and
in detail.

I am vetoing this patch until we have that.

Note, I am *not* saying the patch is wrong, only that reviewing it w/o a
reference model is basically impossible and it touches sensitive
security stuff so I can't just let it pass hoping we got everything
right.

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York

From ssorce at redhat.com Wed Nov 24 14:37:49 2010
From: ssorce at redhat.com (Simo Sorce)
Date: Wed, 24 Nov 2010 09:37:49 -0500
Subject: [Freeipa-devel] [PATCH] 609 Reduce the number of attributes a host is allowed to write.
In-Reply-To: <4CE435E7.5070203@redhat.com>
References: <4CDB0DBE.4020803@redhat.com> <20101115130352.GE19666@zeppelin.brq.redhat.com> <4CE1591A.5030703@redhat.com> <4CE435E7.5070203@redhat.com>
Message-ID: <20101124093749.651b16be@willson.li.ssimo.org>

On Wed, 17 Nov 2010 15:07:03 -0500
Rob Crittenden wrote:

> aci: (targetattr != "userPassword || krbPrincipalKey ||
> sambaLMPassword || sambaNTPassword || passwordHistory ||
> krbMKey")(version 3.0; acl "Enable Anonymous access"; allow (read,
> search, compare) userdn = "ldap:///anyone";) -aci: (targetattr !=
> "userPassword || krbPrincipalKey || sambaLMPassword ||
> sambaNTPassword || passwordHistory || krbMKey || memberOf ||
> serverHostName || enrolledBy")(version 3.0; acl "Admin can manage any
> entry"; allow (all) groupdn =
> "ldap:///cn=admins,cn=groups,cn=accounts,$SUFFIX";) +aci:
> (targetattr != "userPassword || krbPrincipalKey || sambaLMPassword ||
> sambaNTPassword || passwordHistory || krbMKey || krbPrincipalName ||
> krbCanonicalName || krbUPEnabled || krbMKey ||
> krbTicketPolicyReference || krbPrincipalExpiration ||
> krbPasswordExpiration || krbPwdPolicyReference || krbPrincipalType ||
> krbPwdHistory || krbLastPwdChange || krbPrincipalAliases ||
> krbExtraData || krbLastSuccessfulAuth || krbLastFailedAuth ||
> krbLoginFailedCount || krbTicketFlags || ipaUniqueId || memberOf ||
> serverHostName || enrolledBy")(versi

Nack.

Some attributes are repeated multiple times in this chunk. (krbMKey for
example).

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York

From rcritten at redhat.com Wed Nov 24 14:44:13 2010
From: rcritten at redhat.com (Rob Crittenden)
Date: Wed, 24 Nov 2010 09:44:13 -0500
Subject: [Freeipa-devel] [PATCH] 609 Reduce the number of attributes a host is allowed to write.
In-Reply-To: <20101124093749.651b16be@willson.li.ssimo.org>
References: <4CDB0DBE.4020803@redhat.com> <20101115130352.GE19666@zeppelin.brq.redhat.com> <4CE1591A.5030703@redhat.com> <4CE435E7.5070203@redhat.com> <20101124093749.651b16be@willson.li.ssimo.org>
Message-ID: <4CED24BD.9000404@redhat.com>

Simo Sorce wrote:
> On Wed, 17 Nov 2010 15:07:03 -0500
> Rob Crittenden wrote:
>
>> aci: (targetattr != "userPassword || krbPrincipalKey ||
>> sambaLMPassword || sambaNTPassword || passwordHistory ||
>> krbMKey")(version 3.0; acl "Enable Anonymous access"; allow (read,
>> search, compare) userdn = "ldap:///anyone";) -aci: (targetattr !=
>> "userPassword || krbPrincipalKey || sambaLMPassword ||
>> sambaNTPassword || passwordHistory || krbMKey || memberOf ||
>> serverHostName || enrolledBy")(version 3.0; acl "Admin can manage any
>> entry"; allow (all) groupdn =
>> "ldap:///cn=admins,cn=groups,cn=accounts,$SUFFIX";) +aci:
>> (targetattr != "userPassword || krbPrincipalKey || sambaLMPassword ||
>> sambaNTPassword || passwordHistory || krbMKey || krbPrincipalName ||
>> krbCanonicalName || krbUPEnabled || krbMKey ||
>> krbTicketPolicyReference || krbPrincipalExpiration ||
>> krbPasswordExpiration || krbPwdPolicyReference || krbPrincipalType ||
>> krbPwdHistory || krbLastPwdChange || krbPrincipalAliases ||
>> krbExtraData || krbLastSuccessfulAuth || krbLastFailedAuth ||
>> krbLoginFailedCount || krbTicketFlags || ipaUniqueId || memberOf ||
>> serverHostName || enrolledBy")(versi
>
> Nack.
>
> Some attributes are repeated multiple times in this chunk. (krbMKey for
> example).
>
> Simo.
>

Gah, ok. What I did here was run GER on the various objects and wonder
"Gee, should those be writable?" I guess I did a poor job de-duping.
I'll take another look.

rob

From ssorce at redhat.com Wed Nov 24 14:45:28 2010
From: ssorce at redhat.com (Simo Sorce)
Date: Wed, 24 Nov 2010 09:45:28 -0500
Subject: [Freeipa-devel] [PATCH] 609 Reduce the number of attributes a host is allowed to write.
In-Reply-To: <4CE435E7.5070203@redhat.com>
References: <4CDB0DBE.4020803@redhat.com> <20101115130352.GE19666@zeppelin.brq.redhat.com> <4CE1591A.5030703@redhat.com> <4CE435E7.5070203@redhat.com>
Message-ID: <20101124094528.72f40f83@willson.li.ssimo.org>

On Wed, 17 Nov 2010 15:07:03 -0500
Rob Crittenden wrote:

> +aci: (targetattr != "userPassword || krbPrincipalKey ||
> sambaLMPassword || sambaNTPassword || passwordHistory || krbMKey ||
> krbPrincipalName || krbCanonicalName || krbUPEnabled || krbMKey ||
> krbTicketPolicyReference || krbPrincipalExpiration ||
> krbPasswordExpiration || krbPwdPolicyReference || krbPrincipalType ||
> krbPwdHistory || krbLastPwdChange || krbPrincipalAliases ||
> krbExtraData || krbLastSuccessfulAuth || krbLastFailedAuth ||
> krbLoginFailedCount || krbTicketFlags || ipaUniqueId || memberOf ||
> serverHostName || enrolledBy")(version 3.0; acl "Admin can manage any
> entry"; allow (all) groupdn =
> "ldap:///cn=admins,cn=groups,cn=accounts,$SUFFIX";)

Ah also forgot to say that I am not sure we want admin to be able to
change krbPwdHistory and krbLastPwdChange.
Also not sure about krbLastSuccessfulAuth and krbLastFailedAuth, while
we might let admin write krbLoginFailedCount in order to unlock an
automatically locked account that failed preauth too many times.

We also probably do not want admin to be able to change ipaUniqueId.

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York

From sgallagh at redhat.com Wed Nov 24 14:48:10 2010
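The two review points in the 609 thread above, attributes listed twice in a `targetattr` exclusion list and which attributes the "Admin can manage any entry" ACI actually leaves writable, can both be checked mechanically before pushing. The following is an added example, not FreeIPA or 389-ds code: a small Python checker run over the ACI text quoted in this thread (with `$SUFFIX` left unexpanded as in the update file). It assumes only the one-line ACI shape used in FreeIPA's update files; `REVIEW_WATCHLIST` is the set of attributes Simo named, and `is_writable` evaluates a single ACI in isolation, ignoring any other allow or deny ACIs in the tree.

```python
"""Static checks on one 389-ds ACI in the shape FreeIPA's update files use.

Added example (not FreeIPA or 389-ds code).  It parses an ACI's targetattr
list, rights and bind rule, then answers the two questions raised in the
review above: which attributes are listed more than once, and whether a
given attribute is left writable for the subject the ACI grants rights to.
"""
import re

# (targetattr OP "a || b || c")(version 3.0; acl "name"; allow (rights) bindrule;)
# A leading "aci: " LDIF prefix, or the +/- of a diff, is skipped by search().
ACI_RE = re.compile(
    r'\(targetattr\s*(?P<op>!=|=)\s*"(?P<attrs>[^"]*)"\)'
    r'\s*\(version\s*3\.0;\s*acl\s*"(?P<name>[^"]*)";'
    r'\s*allow\s*\((?P<rights>[^)]*)\)\s*(?P<bind>.*?);\s*\)',
    re.DOTALL,
)

# Rights that let the subject change attribute values ("all" includes write).
WRITE_RIGHTS = {"all", "write"}

# The "Admin can manage any entry" ACI exactly as quoted in the thread above.
ADMIN_ACI = (
    'aci: (targetattr != "userPassword || krbPrincipalKey || sambaLMPassword || '
    'sambaNTPassword || passwordHistory || krbMKey || krbPrincipalName || '
    'krbCanonicalName || krbUPEnabled || krbMKey || krbTicketPolicyReference || '
    'krbPrincipalExpiration || krbPasswordExpiration || krbPwdPolicyReference || '
    'krbPrincipalType || krbPwdHistory || krbLastPwdChange || krbPrincipalAliases || '
    'krbExtraData || krbLastSuccessfulAuth || krbLastFailedAuth || '
    'krbLoginFailedCount || krbTicketFlags || ipaUniqueId || memberOf || '
    'serverHostName || enrolledBy")(version 3.0; acl "Admin can manage any entry"; '
    'allow (all) groupdn = "ldap:///cn=admins,cn=groups,cn=accounts,$SUFFIX";)'
)

# The anonymous-read ACI from the same hunk: it grants no write right at all.
ANON_ACI = (
    'aci: (targetattr != "userPassword || krbPrincipalKey || sambaLMPassword || '
    'sambaNTPassword || passwordHistory || krbMKey")(version 3.0; '
    'acl "Enable Anonymous access"; allow (read, search, compare) '
    'userdn = "ldap:///anyone";)'
)

# Attributes the review singled out as sensitive to hand out for write.
REVIEW_WATCHLIST = ["krbPwdHistory", "krbLastPwdChange", "krbLastSuccessfulAuth",
                    "krbLastFailedAuth", "krbLoginFailedCount", "ipaUniqueId"]


def parse_aci(aci):
    """Split one ACI into its parts; attribute order is preserved."""
    m = ACI_RE.search(aci)
    if m is None:
        raise ValueError("ACI not in the expected shape: %r" % aci[:60])
    attrs = [a.strip() for a in m.group("attrs").split("||") if a.strip()]
    rights = {r.strip().lower() for r in m.group("rights").split(",") if r.strip()}
    return {"op": m.group("op"), "attrs": attrs, "name": m.group("name"),
            "rights": rights, "bind": m.group("bind").strip()}


def duplicate_attrs(aci):
    """Attributes listed more than once.  LDAP attribute names are
    case-insensitive, so the comparison is too; the first spelling is kept."""
    seen, dups = set(), []
    for attr in parse_aci(aci)["attrs"]:
        key = attr.lower()
        if key in seen and key not in {d.lower() for d in dups}:
            dups.append(attr)
        seen.add(key)
    return dups


def is_writable(aci, attr):
    """Whether this ACI, taken on its own, lets its subject modify `attr`.

    With targetattr != "list" every attribute *not* listed is targeted, so
    an attribute is writable when it is absent from the list; with
    targetattr = "list" the listed ones are.  Either way nothing is
    writable unless the granted rights include write (or all).  Other ACIs
    in the tree, allow or deny, are not considered here.
    """
    p = parse_aci(aci)
    if not (p["rights"] & WRITE_RIGHTS):
        return False
    listed = attr.lower() in {a.lower() for a in p["attrs"]}
    return (not listed) if p["op"] == "!=" else listed


def review(aci, watchlist=REVIEW_WATCHLIST):
    """Summary a reviewer wants: duplicates plus the writable/protected
    split of the watched attributes under this ACI."""
    writable = [a for a in watchlist if is_writable(aci, a)]
    return {"name": parse_aci(aci)["name"],
            "duplicates": duplicate_attrs(aci),
            "writable": writable,
            "protected": [a for a in watchlist if a not in writable]}


if __name__ == "__main__":
    for aci in (ADMIN_ACI, ANON_ACI):
        r = review(aci)
        print("%s: duplicates=%s writable=%s protected=%s"
              % (r["name"], r["duplicates"], r["writable"], r["protected"]))
```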
From: sgallagh at redhat.com (Stephen Gallagher)
Date: Wed, 24 Nov 2010 09:48:10 -0500
Subject: [Freeipa-devel] Other issues with HBAC calendar
In-Reply-To: <20101123163224.3408cbb3@willson.li.ssimo.org>
References: <4CEB3AFB.7000605@redhat.com> <4CEBE16D.5060804@redhat.com> <4CEC2D23.6050804@redhat.com> <20101123163224.3408cbb3@willson.li.ssimo.org>
Message-ID: <4CED25AA.7000609@redhat.com>

On 11/23/2010 04:32 PM, Simo Sorce wrote:
> On Tue, 23 Nov 2010 16:07:47 -0500
> Rob Crittenden wrote:
>
>> I don't want to throw a wrench in, but what if you have multiple replicas in various distant locations, WHICH server is the time relative to?
>
> By server I think Steve meant the machine currently evaluating the access control decision. "Host" would have been a happier term.

No, I was actually talking about the FreeIPA server in this situation, but Rob is right that there is no guarantee in a multi-master situation that the servers themselves are in the same timezone.

Given this, I think the only sane thing to do here is to always use UTC (and state clearly that this is what is happening)

-- 
Stephen Gallagher
RHCE 804006346421761

Delivering value year after year.
Red Hat ranks #1 in value among software vendors.
http://www.redhat.com/promo/vendor/

From ayoung at redhat.com Wed Nov 24 14:51:51 2010
From: ayoung at redhat.com (Adam Young)
Date: Wed, 24 Nov 2010 09:51:51 -0500
Subject: [Freeipa-devel] Patches and Thunderbird
Message-ID: <4CED2687.8040202@redhat.com>

Thunderbird formatting of patches:

Thunderbird has a nasty habit of prepending a '>' character to the patch, messing up the format. While it is trivial to edit the patch by hand to remove it, the patch sender can help out by configuring Thunderbird this way:

* In Thunderbird Preferences,
* go to the Advanced->General tab.
* Select "Config Editor"
* Search for mail.file_attach_binary and
* set this value to true

I've added this to the patch format page.
https://fedorahosted.org/freeipa/wiki/PatchFormat

I'm making an effort to keep track of the different patches that are out there and their status, so the more consistent we are, the easier it is to do. Please make sure at least the patch number is in the title of the email you send out. There are so many patches that when someone refers to their patch 86 it makes it much faster to go and find that patch.

From ayoung at redhat.com Wed Nov 24 14:54:23 2010
From: ayoung at redhat.com (Adam Young)
Date: Wed, 24 Nov 2010 09:54:23 -0500
Subject: [Freeipa-devel] [PATCH] Rename parent LDAPObject pkeys in child LDAPObject methods.
In-Reply-To: <4CECD141.8020306@redhat.com>
References: <4CD8C646.6020104@redhat.com> <20101119152351.GB25987@zeppelin.brq.redhat.com> <4CECD141.8020306@redhat.com>
Message-ID: <4CED271F.2070203@redhat.com>

On 11/24/2010 03:48 AM, Pavel Zuna wrote:
> On 11/19/2010 04:23 PM, Jakub Hrozek wrote:
>> On Tue, Nov 09, 2010 at 04:55:50AM +0100, Pavel Zůna wrote:
>>> If the parent and child entries have the same attribute as primary key (such as in the DNS schema), we need to rename the parent key to prevent a param name conflict. It has no side effects, because the primary key name is always taken from the LDAPObject params, never from the method params.
>>>
>>> Pavel
>>
>> Would you mind rebasing the patch on top of Rob's 593 which is already acked (not pushed yet as of now).
>>
>> Jakub
>>
>
> Rebased patch number 35 attached - required by the new DNS plugin.
>
> Pavel
>
> _______________________________________________
> Freeipa-devel mailing list
> Freeipa-devel at redhat.com
> https://www.redhat.com/mailman/listinfo/freeipa-devel

ACK and pushed to master

From rcritten at redhat.com Wed Nov 24 14:53:09 2010
From: rcritten at redhat.com (Rob Crittenden)
Date: Wed, 24 Nov 2010 09:53:09 -0500
Subject: [Freeipa-devel] [PATCH] 609 Reduce the number of attributes a host is allowed to write.
In-Reply-To: <20101124094528.72f40f83@willson.li.ssimo.org>
References: <4CDB0DBE.4020803@redhat.com> <20101115130352.GE19666@zeppelin.brq.redhat.com> <4CE1591A.5030703@redhat.com> <4CE435E7.5070203@redhat.com> <20101124094528.72f40f83@willson.li.ssimo.org>
Message-ID: <4CED26D5.20008@redhat.com>

Simo Sorce wrote:
> On Wed, 17 Nov 2010 15:07:03 -0500
> Rob Crittenden wrote:
>
>> +aci: (targetattr != "userPassword || krbPrincipalKey ||
>> sambaLMPassword || sambaNTPassword || passwordHistory || krbMKey ||
>> krbPrincipalName || krbCanonicalName || krbUPEnabled || krbMKey ||
>> krbTicketPolicyReference || krbPrincipalExpiration ||
>> krbPasswordExpiration || krbPwdPolicyReference || krbPrincipalType ||
>> krbPwdHistory || krbLastPwdChange || krbPrincipalAliases ||
>> krbExtraData || krbLastSuccessfulAuth || krbLastFailedAuth ||
>> krbLoginFailedCount || krbTicketFlags || ipaUniqueId || memberOf ||
>> serverHostName || enrolledBy")(version 3.0; acl "Admin can manage any
>> entry"; allow (all) groupdn =
>> "ldap:///cn=admins,cn=groups,cn=accounts,$SUFFIX";)
>
> Ah also forgot to say that I am not sure we want admin to be able to change krbPwdHistory and krbLastPwdChange.
> Also not sure about krbLastSuccessfulAuth and krbLastFailedAuth, while we might let admin write krbLoginFailedCount in order to unlock an automatically locked account that failed preauth too many times.
>
> We also probably do not want admin to be able to change ipaUniqueId.
>
> Simo.

I was going to tackle krbLoginFailedCount when we finally got a way to unlock users across replicas.

You're right on the other two, we want admins to reset passwords :-)

ipaUniqueId needs to be writable so a UPG group can be detached. The write is "autogenerate", the plugin handles the rest of the access control.
rob

From jhrozek at redhat.com Wed Nov 24 15:14:03 2010
From: jhrozek at redhat.com (Jakub Hrozek)
Date: Wed, 24 Nov 2010 16:14:03 +0100
Subject: [Freeipa-devel] [PATCH] Make the migration plugin more configurable
In-Reply-To: <4CEA8A8B.3000901@redhat.com>
References: <20101115115657.GB19666@zeppelin.brq.redhat.com> <4CE6CD4F.3090101@redhat.com> <4CEA8953.4030507@redhat.com> <4CEA8A8B.3000901@redhat.com>
Message-ID: <4CED2BBB.8090902@redhat.com>

On 11/22/2010 04:21 PM, Jakub Hrozek wrote:
> On 11/22/2010 04:16 PM, Jakub Hrozek wrote:
>> The code handles it (I just ran a quick test with --schema=RFC2307bis).
>
>> It just iterates through all members of a group -- be it user member or group member, it's just a DN for the plugin.
>
>> Jakub
>
> Sorry, I found another bug in the plugin. I'll send a new patch shortly, so please don't waste time reviewing this one.

New patch is attached. It fixes two more bugs of the original plugin - determines whether a group member is a user or a nested group by checking the DN, not just the RDN attribute name, and does not hardcode primary keys.

-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-jhrozek-015-02-Make-the-migration-plugin-more-configurable.patch
Type: text/x-patch
Size: 10767 bytes
Desc: not available
URL:
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-jhrozek-015-02-Make-the-migration-plugin-more-configurable.patch.sig
Type: application/pgp-signature
Size: 72 bytes
Desc: not available
URL:

From ayoung at redhat.com Wed Nov 24 15:21:56 2010
From: ayoung at redhat.com (Adam Young)
Date: Wed, 24 Nov 2010 10:21:56 -0500
Subject: [Freeipa-devel] [PATCH] Add new version of DNS plugin: complete rework with baseldap + unit tests.
In-Reply-To: <4CECD0C8.3030009@redhat.com>
References: <4CEBD19D.9050707@redhat.com> <4CEC77D4.8030208@redhat.com> <4CECD0C8.3030009@redhat.com>
Message-ID: <4CED2D94.9020506@redhat.com>

On 11/24/2010 03:46 AM, Pavel Zuna wrote:
> On 11/24/2010 03:26 AM, Adam Young wrote:
>> On 11/23/2010 09:37 AM, Pavel Zuna wrote:
>>> Finally managed to rewrite the DNS plugin again. Sorry, it took so long, we had training in the office and I also had a nasty bug in baseldap.py I couldn't find.
>>>
>>> Anyway, this version has it all:
>>> - changes we agreed on at the meeting, the "resource" abstraction is gone and we now only have zones and records = adding a new record automatically updates an existing entry or creates it if it wasn't there and deleting the last record deletes the whole entry - all of it transparent to the user
>>> - unit tests
>>> - ipa help documentation
>>>
>>> Fixes tickets:
>>> #36
>>> #450
>>>
>>> I also closed bug #654412.
>>>
>>> It has a new patch sequence number, because it depends on another patch with a higher number and I didn't want to create forward dependencies.
>>>
>>> Depends on my patches number:
>>> 35 (will repost if needed)
>>> 38 (posted a while ago on freeipa-devel)
>>>
>>> Pavel
>>
>> I keep getting an error when doing simple things like install and ipa help:
>> [ayoung at ipa freeipa]$ ./ipa help dns2
>> ipa: ERROR: AttributeError: cannot override NameSpace.idnsname value Str('idnsname', cli_name='name', doc=Gettext('Zone name (FQDN)', domain='ipa', localedir=None), label=Gettext('Zone name', domain='ipa', localedir=None), multivalue=False, normalizer=, primary_key=True, query=True, required=True) with Str('idnsname', attribute=True, cli_name='name', doc=Gettext('Record name', domain='ipa', localedir=None), label=Gettext('Record name', domain='ipa', localedir=None), multivalue=False, primary_key=True, query=True, required=True)
>> Traceback (most recent call last):
>>   File "/home/ayoung/devel/freeipa/ipalib/cli.py", line 962, in run
>>     api.finalize()
>>   File "/home/ayoung/devel/freeipa/ipalib/plugable.py", line 615, in finalize
>>     p.instance.finalize()
>>   File "/home/ayoung/devel/freeipa/ipalib/frontend.py", line 724, in finalize
>>     self._create_param_namespace('args')
>>   File "/home/ayoung/devel/freeipa/ipalib/frontend.py", line 350, in _create_param_namespace
>>     sort=False
>>   File "/home/ayoung/devel/freeipa/ipalib/base.py", line 407, in __init__
>>     (self.__class__.__name__, name, self.__map[name], member)
>> AttributeError: cannot override NameSpace.idnsname value Str('idnsname', cli_name='name', doc=Gettext('Zone name (FQDN)', domain='ipa', localedir=None), label=Gettext('Zone name', domain='ipa', localedir=None), multivalue=False, normalizer=, primary_key=True, query=True, required=True) with Str('idnsname', attribute=True, cli_name='name', doc=Gettext('Record name', domain='ipa', localedir=None), label=Gettext('Record name', domain='ipa', localedir=None), multivalue=False, primary_key=True, query=True, required=True)
>> ipa: ERROR: an internal error has occurred
>>
>
> That's because you need my patch number 35 for it to work...
>
> Pavel

OK, with that change, the patch applies and works.

I've tested:
creating a zone
Creating an A record
Adding an A record entry to an existing entry (calling ipa dnsrecord-add a second time with just a different ip address)
Adding an AAAA record.
Deleting one and multiple AAAA records

One thing that is a little counter intuitive is that you have to specify which records to delete: just running
ipa dnsrecord-del ayoung.test.ipa.redhat.com hiphop
doesn't delete all records with the A name of hiphop. I think this is the right behavior, but it should be better documented.

Have to hold off on pushing it due to F14: python-netaddr isn't in F14, so we are adding a new python package with this plugin, too.

From dpal at redhat.com Wed Nov 24 16:15:17 2010
From: dpal at redhat.com (Dmitri Pal)
Date: Wed, 24 Nov 2010 11:15:17 -0500
Subject: [Freeipa-devel] Other issues with HBAC calendar
In-Reply-To: <4CED25AA.7000609@redhat.com>
References: <4CEB3AFB.7000605@redhat.com> <4CEBE16D.5060804@redhat.com> <4CEC2D23.6050804@redhat.com> <20101123163224.3408cbb3@willson.li.ssimo.org> <4CED25AA.7000609@redhat.com>
Message-ID: <4CED3A15.0@redhat.com>

Stephen Gallagher wrote:
> On 11/23/2010 04:32 PM, Simo Sorce wrote:
>> On Tue, 23 Nov 2010 16:07:47 -0500
>> Rob Crittenden wrote:
>>
>>> I don't want to throw a wrench in, but what if you have multiple replicas in various distant locations, WHICH server is the time relative to?
>>
>> By server I think Steve meant the machine currently evaluating the access control decision. "Host" would have been a happier term.
>
> No, I was actually talking about the FreeIPA server in this situation, but Rob is right that there is no guarantee in a multi-master situation that the servers themselves are in the same timezone.
>
> Given this, I think the only sane thing to do here is to always use UTC (and state clearly that this is what is happening)

I was always saying that the time should be in UTC only when it is evaluated on the server. I do not think that "local" is a good solution.
But I think the whole idea with the timezones has been misinterpreted so let me try to explain one more time.
Here is the workflow that I have in mind:

1) Admin creates a rule with time definition using UI and CLI
2) Rule is saved in the LDAP attribute
3) Rule gets replicated between IPA servers
4) SSSD fetches the rule from an IPA server
5) SSSD validates the rule

Let us say that the rule is entered, saved, transferred and interpreted on the client as UTC. Sounds reasonable and not that complex from the implementation POV. Good!
The only issue I see is that the admin during step 1 does not think in terms of UTC as Ben pointed out. He thinks in user time or server time i.e. tries to relate the rule to some reasonable time markers (start of a shift, end of a working day, midnight at a special location etc.)
So I was suggesting the following:

1) Allow admin to specify in what time zone he entered the time
2) Pass the time definition together with the time zone he selected to the server
3) Before saving the rule the server would convert the rule into UTC and stick the TZ info hint into the rule
4) When SSSD retrieves the attribute it will know that time is in UTC and will ignore any TZ hints stored in the rule
5) The TZ hint is only needed for UI/CLI when admin fetches the rule and looks at it. In this case the server will take the attribute which is in UTC, extract a TZ hint from the rule and use that TZ to convert the UTC value it has to the value in the specified TZ. This is what is sent to the client and displayed in the UI/CLI.

So TZ is needed only for the administrative purposes and not for SSSD. I hope it is clear now.
I was also suggesting to save the offset together with the TZ hint but I guess this can be dropped.
Can we agree to keep the TZ as a hint for the management purposes in the rule?

-- 
Thank you,
Dmitri Pal

Sr. Engineering Manager IPA project,
Red Hat Inc.

-------------------------------
Looking to carve out IT costs?
www.redhat.com/carveoutcosts/

From ayoung at redhat.com Wed Nov 24 16:17:21 2010
From: ayoung at redhat.com (Adam Young)
Date: Wed, 24 Nov 2010 11:17:21 -0500
Subject: [Freeipa-devel] [PATCH] Add new version of DNS plugin: complete rework with baseldap + unit tests.
In-Reply-To: <4CED2D94.9020506@redhat.com>
References: <4CEBD19D.9050707@redhat.com> <4CEC77D4.8030208@redhat.com> <4CECD0C8.3030009@redhat.com> <4CED2D94.9020506@redhat.com>
Message-ID: <4CED3A91.5060601@redhat.com>

On 11/24/2010 10:21 AM, Adam Young wrote:
> On 11/24/2010 03:46 AM, Pavel Zuna wrote:
>> On 11/24/2010 03:26 AM, Adam Young wrote:
>>> On 11/23/2010 09:37 AM, Pavel Zuna wrote:
>>>> Finally managed to rewrite the DNS plugin again. Sorry, it took so long, we had training in the office and I also had a nasty bug in baseldap.py I couldn't find.
>>>>
>>>> Anyway, this version has it all:
>>>> - changes we agreed on at the meeting, the "resource" abstraction is gone and we now only have zones and records = adding a new record automatically updates an existing entry or creates it if it wasn't there and deleting the last record deletes the whole entry - all of it transparent to the user
>>>> - unit tests
>>>> - ipa help documentation
>>>>
>>>> Fixes tickets:
>>>> #36
>>>> #450
>>>>
>>>> I also closed bug #654412.
>>>>
>>>> It has a new patch sequence number, because it depends on another patch with a higher number and I didn't want to create forward dependencies.
>>>>
>>>> Depends on my patches number:
>>>> 35 (will repost if needed)
>>>> 38 (posted a while ago on freeipa-devel)
>>>>
>>>> Pavel
>>>
>>> I keep getting an error when doing simple things like install and ipa help:
>>> [ayoung at ipa freeipa]$ ./ipa help dns2
>>> ipa: ERROR: AttributeError: cannot override NameSpace.idnsname value Str('idnsname', cli_name='name', doc=Gettext('Zone name (FQDN)', domain='ipa', localedir=None), label=Gettext('Zone name', domain='ipa', localedir=None), multivalue=False, normalizer=, primary_key=True, query=True, required=True) with Str('idnsname', attribute=True, cli_name='name', doc=Gettext('Record name', domain='ipa', localedir=None), label=Gettext('Record name', domain='ipa', localedir=None), multivalue=False, primary_key=True, query=True, required=True)
>>> Traceback (most recent call last):
>>>   File "/home/ayoung/devel/freeipa/ipalib/cli.py", line 962, in run
>>>     api.finalize()
>>>   File "/home/ayoung/devel/freeipa/ipalib/plugable.py", line 615, in finalize
>>>     p.instance.finalize()
>>>   File "/home/ayoung/devel/freeipa/ipalib/frontend.py", line 724, in finalize
>>>     self._create_param_namespace('args')
>>>   File "/home/ayoung/devel/freeipa/ipalib/frontend.py", line 350, in _create_param_namespace
>>>     sort=False
>>>   File "/home/ayoung/devel/freeipa/ipalib/base.py", line 407, in __init__
>>>     (self.__class__.__name__, name, self.__map[name], member)
>>> AttributeError: cannot override NameSpace.idnsname value Str('idnsname', cli_name='name', doc=Gettext('Zone name (FQDN)', domain='ipa', localedir=None), label=Gettext('Zone name', domain='ipa', localedir=None), multivalue=False, normalizer=, primary_key=True, query=True, required=True) with Str('idnsname', attribute=True, cli_name='name', doc=Gettext('Record name', domain='ipa', localedir=None), label=Gettext('Record name', domain='ipa', localedir=None), multivalue=False, primary_key=True, query=True, required=True)
>>> ipa: ERROR: an internal error has occurred
>>>
>>
>> That's because you need my patch number 35 for it to work...
>>
>> Pavel
>
> OK, with that change, the patch applies and works.
>
> I've tested:
> creating a zone
> Creating an A record
> Adding an A record entry to an existing entry (calling ipa dnsrecord-add a second time with just a different ip address)
> Adding an AAAA record.
> Deleting one and multiple AAAA records
>
> One thing that is a little counter intuitive is that you have to specify which records to delete: just running
> ipa dnsrecord-del ayoung.test.ipa.redhat.com hiphop
> doesn't delete all records with the A name of hiphop. I think this is the right behavior, but it should be better documented.
>
> Have to hold off on pushing it due to F14: python-netaddr isn't in F14, so we are adding a new python package with this plugin, too.

Correction: due to RHEL6. Unwise to take on a new dependency this close to ship.

From dpal at redhat.com Wed Nov 24 16:26:05 2010
From: dpal at redhat.com (Dmitri Pal)
Date: Wed, 24 Nov 2010 11:26:05 -0500
Subject: [Freeipa-devel] Other issues with HBAC calendar
In-Reply-To: <4CEBE16D.5060804@redhat.com>
References: <4CEB3AFB.7000605@redhat.com> <4CEBE16D.5060804@redhat.com>
Message-ID: <4CED3C9D.9070202@redhat.com>

>>> Duration
>>>
>>> New grammar allows DDHHMM for the duration. UI proposes to limit the duration to less than 24 hours since more than 24 hour windows can start overlapping and thus allowing to enter duration days was confusing to the users who tried the UI. We need to reconcile this a bit between what can be stored and what can be displayed. IMO it makes sense to allow windows more than 24 hours (regular service window over weekend for example). But on the other hand I see how having a separate field for number of duration days in the UI might be confusing. I would vote for not having days in the UI at all but allowing any numeric value to be entered into the hours field. This however raises a question whether we want to have the duration be in DDHHMM format in grammar or in just NMM format where N is any numeric value that represents unlimited number of hours. Thoughts?
>>
>> I agree that we don't want to have > 24 hours in the UI.
>>
>> DDHHMM is easier to parse, and I can't come up with an example where a window of longer than 99 days makes sense. Instead, it should be a recurring event.
>>

Steven, please think about the case when the rule needs to be edited in UI and it has some value for DD - say 1.
What do you display in the UI then? If you do not allow to enter days and you do not allow more than 24 hours in the hour field you will fail to translate the rule to the proposed UI.
The only option would be to show the raw rule in this case. IMO this does not seem like the best option to me.
I think the DD is redundant and other means should be used to schedule windows bigger than 2 days however the HH should IMO allow 1-48 hours to allow specifying a weekend outage like:
from 1AM Sat to 11PM Sun. If it is more than 2 days it is reasonable to ask to split the rule into several slices.

-- 
Thank you,
Dmitri Pal

Sr. Engineering Manager IPA project,
Red Hat Inc.

-------------------------------
Looking to carve out IT costs?
www.redhat.com/carveoutcosts/

From ayoung at redhat.com Wed Nov 24 16:51:32 2010
From: ayoung at redhat.com (Adam Young)
Date: Wed, 24 Nov 2010 11:51:32 -0500
Subject: [Freeipa-devel] [PATCH] admiyo-0102-action-panel-formatting
Message-ID: <4CED4294.1000007@redhat.com>

-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-admiyo-0102-action-panel-formatting.patch
Type: text/x-patch
Size: 7681 bytes
Desc: not available
URL:

From sgallagh at redhat.com Wed Nov 24 16:54:57 2010
From: sgallagh at redhat.com (Stephen Gallagher)
Date: Wed, 24 Nov 2010 11:54:57 -0500
Subject: [Freeipa-devel] Other issues with HBAC calendar
In-Reply-To: <4CED3C9D.9070202@redhat.com>
References: <4CEB3AFB.7000605@redhat.com> <4CEBE16D.5060804@redhat.com> <4CED3C9D.9070202@redhat.com>
Message-ID: <4CED4361.3050405@redhat.com>

On 11/24/2010 11:26 AM, Dmitri Pal wrote:
>>>> Duration
>>>>
>>>> New grammar allows DDHHMM for the duration. UI proposes to limit the duration to less than 24 hours since more than 24 hour windows can start overlapping and thus allowing to enter duration days was confusing to the users who tried the UI. We need to reconcile this a bit between what can be stored and what can be displayed. IMO it makes sense to allow windows more than 24 hours (regular service window over weekend for example). But on the other hand I see how having a separate field for number of duration days in the UI might be confusing. I would vote for not having days in the UI at all but allowing any numeric value to be entered into the hours field. This however raises a question whether we want to have the duration be in DDHHMM format in grammar or in just NMM format where N is any numeric value that represents unlimited number of hours. Thoughts?
>>>
>>> I agree that we don't want to have > 24 hours in the UI.
>>>
>>> DDHHMM is easier to parse, and I can't come up with an example where a window of longer than 99 days makes sense. Instead, it should be a recurring event.
>>>
>
> Steven, please think about the case when the rule needs to be edited in UI and it has some value for DD - say 1.
> What do you display in the UI then? If you do not allow to enter days and you do not allow more than 24 hours in the hour field you will fail to translate the rule to the proposed UI.
> The only option would be to show the raw rule in this case. IMO this does not seem like the best option to me.
> I think the DD is redundant and other means should be used to schedule windows bigger than 2 days however the HH should IMO allow 1-48 hours to allow specifying a weekend outage like:
> from 1AM Sat to 11PM Sun. If it is more than 2 days it is reasonable to ask to split the rule into several slices.

I don't want the internal representation to have arbitrary limitations set by the WebUI. It's trivial for the WebUI to be designed to convert hours to days and reverse. So we can store it in DDHHMM format and display it in the WebUI as hours if we really want to.

To someone writing a rule by hand, the DDHHMM representation is going to be far more useful.

-- 
Stephen Gallagher
RHCE 804006346421761

Delivering value year after year.
Red Hat ranks #1 in value among software vendors.
http://www.redhat.com/promo/vendor/

From sgallagh at redhat.com Wed Nov 24 17:03:53 2010
From: sgallagh at redhat.com (Stephen Gallagher)
Date: Wed, 24 Nov 2010 12:03:53 -0500
Subject: [Freeipa-devel] Other issues with HBAC calendar
In-Reply-To: <4CED3A15.0@redhat.com>
References: <4CEB3AFB.7000605@redhat.com> <4CEBE16D.5060804@redhat.com> <4CEC2D23.6050804@redhat.com> <20101123163224.3408cbb3@willson.li.ssimo.org> <4CED25AA.7000609@redhat.com> <4CED3A15.0@redhat.com>
Message-ID: <4CED4579.9090203@redhat.com>

On 11/24/2010 11:15 AM, Dmitri Pal wrote:
> Stephen Gallagher wrote:
>> On 11/23/2010 04:32 PM, Simo Sorce wrote:
>>> On Tue, 23 Nov 2010 16:07:47 -0500
>>> Rob Crittenden wrote:
>>
>>>> I don't want to throw a wrench in, but what if you have multiple replicas in various distant locations, WHICH server is the time relative to?
>>> By server I think Steve meant the machine currently evaluating the access control decision. "Host" would have been a happier term.
>>
>> No, I was actually talking about the FreeIPA server in this situation, but Rob is right that there is no guarantee in a multi-master situation that the servers themselves are in the same timezone.
>>
>> Given this, I think the only sane thing to do here is to always use UTC (and state clearly that this is what is happening)
>>
>
> I was always saying that the time should be in UTC only when it is evaluated on the server. I do not think that "local" is a good solution.
> But I think the whole idea with the timezones has been misinterpreted so let me try to explain one more time.
> Here is the workflow that I have in mind:
>
> 1) Admin creates a rule with time definition using UI and CLI
> 2) Rule is saved in the LDAP attribute
> 3) Rule gets replicated between IPA servers
> 4) SSSD fetches the rule from an IPA server
> 5) SSSD validates the rule
>
> Let us say that the rule is entered, saved, transferred and interpreted on the client as UTC. Sounds reasonable and not that complex from the implementation POV. Good!
> The only issue I see is that the admin during step 1 does not think in terms of UTC as Ben pointed out. He thinks in user time or server time i.e. tries to relate the rule to some reasonable time markers (start of a shift, end of a working day, midnight at a special location etc.)
> So I was suggesting the following:
> 1) Allow admin to specify in what time zone he entered the time
> 2) Pass the time definition together with the time zone he selected to the server
> 3) Before saving the rule the server would convert the rule into UTC and stick the TZ info hint into the rule
> 4) When SSSD retrieves the attribute it will know that time is in UTC and will ignore any TZ hints stored in the rule
> 5) The TZ hint is only needed for UI/CLI when admin fetches the rule and looks at it. In this case the server will take the attribute which is in UTC, extract a TZ hint from the rule and use that TZ to convert the UTC value it has to the value in the specified TZ. This is what is sent to the client and displayed in the UI/CLI.
>
> So TZ is needed only for the administrative purposes and not for SSSD. I hope it is clear now.
> I was also suggesting to save the offset together with the TZ hint but I guess this can be dropped.
> Can we agree to keep the TZ as a hint for the management purposes in the rule?

Dmitri, this simply cannot work, because time zones are not static. You can't tell the administrator he is defining something in the Eastern time zone from 09:00-17:00 EST and then store that value as UTC. Because when DST happens, suddenly this will be equivalent to 08:00-16:00 EDT. And the meaning of the rule is lost.

So if you want to define a timezone for a rule, it MUST be stored as local time plus timezone identifier, so that when it is evaluated it will use the appropriate offset for that moment in history. You can't just send a UTC value down to SSSD.

After lunch, I'm going to write up the completely new proposal that Adam and I are suggesting to avoid the future upgrade issue for SSSD as well. It will account for the problem you're trying to solve here.

-- 
Stephen Gallagher
RHCE 804006346421761

Delivering value year after year.
Red Hat ranks #1 in value among software vendors.
http://www.redhat.com/promo/vendor/

From dpal at redhat.com Wed Nov 24 17:19:13 2010
From: dpal at redhat.com (Dmitri Pal) Date: Wed, 24 Nov 2010 12:19:13 -0500 Subject: [Freeipa-devel] Other issues with HBAC calendar In-Reply-To: <4CED4361.3050405@redhat.com> References: <4CEB3AFB.7000605@redhat.com> <4CEBE16D.5060804@redhat.com> <4CED3C9D.9070202@redhat.com> <4CED4361.3050405@redhat.com> Message-ID: <4CED4911.6090109@redhat.com> Stephen Gallagher wrote: > On 11/24/2010 11:26 AM, Dmitri Pal wrote: > >>> Duration > >>> New grammar allows DDHHMM for the duration. UI proposes to limit the > >>> duration to less than 24 hours since more than 24 hour windows can > start > >>> overlapping and thus allowing to enter duration days was confusing to > >>> the users who tried the UI. We need to reconcile this a bit between > >>> what can be stored and what can be displayed. IMO it makes sense to > >>> allow windows more than 24 hours (regular service window over weekend > >>> for example). But on the other hand I see how having a separate field > >>> for number of duration days in the UI might be confusing. I would vote > >>> for not having days in the UI at all but allowing any numeric value to > >>> be entered into the hours field. This however rises a question whether > >>> we want to have the duration be in DDHHMM format in grammar or in just > >>> NMM format where N is any numeric value that represents unlimited > number > >>> of hours. Thoughts? > >> > >> I agree that we don't want to have > 24 hours in the UI. > >> > >> DDHHMM is easier to parse, and I can't come up with an example where a > >> window of longer than 99 days makes sense. Instead, it should be a > >> recurring event. > >> > >> > > Steven, please think about the case when the rule needs to be edited in > > UI and it has some value for DD - say 1. > > What you display in UI then? If you do not allow to enter days and you > > not allow more than 24 hours in the hour field you will fail to > > translate the rule to the proposed UI. 
>> The only option would be to show the raw rule in this case. IMO this does not seem like the best option to me.
>> I think the DD is redundant and other means should be used to schedule windows bigger than 2 days however the HH should IMO allow 1-48 hours to allow specifying a weekend outage like: from 1AM Sat to 11PM Sun. If it is more than 2 days it is reasonable to ask to split the rule into several slices.
>>
> I don't want the internal representation to have arbitrary limitations set by the WebUI. It's trivial for the WebUI to be designed to convert hours to days and reverse. So we can store it in DDHHMM format and display it in the WebUI as hours if we really want to.

Sorry but you are completely wrong here. First this is not an arbitrary limitation but a usability one. Second it is not trivial to design a web UI, especially a usable one.

Current version of the proposed UI (I hope you have seen it) says:
a) No day field
b) Hours field can't accept more than 24 hours

You agreed in the first email that these are reasonable UI limitations. So IMO it is completely unreasonable to store something that we can't ever represent in the UI (not because we do not have time, but because the internal grammar contradicts the suggested UI).

I see three outcomes in current situation:
1) Allow schema to have DDHHMM as you proposed and have UI as Ben proposed and close eyes to all the ugliness it creates. IMO it is just wrong and will backfire in future.
2) Adjust UI to match proposed schema - this means we should either add a day field in the UI or allow the time field to store more than 24 hours
3) Adjust the schema to match the UI - IMO this is the path of least resistance and most reasonable thing to do.

So to summarize I disagree and stick to my point. Please get together with Ben on Monday and come to consensus on 2) or 3). I do not care. 1) Is not an option.
> To someone writing a rule by hand, the DDHHMM representation is going to be far more useful.

-- 
Thank you,
Dmitri Pal

Sr. Engineering Manager IPA project,
Red Hat Inc.

-------------------------------
Looking to carve out IT costs?
www.redhat.com/carveoutcosts/

From dpal at redhat.com Wed Nov 24 17:24:13 2010
From: dpal at redhat.com (Dmitri Pal)
Date: Wed, 24 Nov 2010 12:24:13 -0500
Subject: [Freeipa-devel] Other issues with HBAC calendar
In-Reply-To: <4CED4579.9090203@redhat.com>
References: <4CEB3AFB.7000605@redhat.com> <4CEBE16D.5060804@redhat.com> <4CEC2D23.6050804@redhat.com> <20101123163224.3408cbb3@willson.li.ssimo.org> <4CED25AA.7000609@redhat.com> <4CED3A15.0@redhat.com> <4CED4579.9090203@redhat.com>
Message-ID: <4CED4A3D.90802@redhat.com>

Stephen Gallagher wrote:
> On 11/24/2010 11:15 AM, Dmitri Pal wrote:
>> Stephen Gallagher wrote:
>>> On 11/23/2010 04:32 PM, Simo Sorce wrote:
>>>> On Tue, 23 Nov 2010 16:07:47 -0500 Rob Crittenden wrote:
>>>>> I don't want to throw a wrench in, but what if you have multiple replicas in various distant locations, WHICH server is the time relative to?
>>>> By server I think Steve meant the machine currently evaluating the access control decision. "Host" would have been a happier term.
>>>
>>> No, I was actually talking about the FreeIPA server in this situation, but Rob is right that there is no guarantee in a multi-master situation that the servers themselves are in the same timezone.
>>>
>>> Given this, I think the only sane thing to do here is to always use UTC (and state clearly that this is what is happening)
>>>
>> I was always saying that the time should be in the UTC only when it is evaluated on the server. I do not think that "local" is a good solution.
>> But I think the whole idea with the timezones has been misinterpreted so let me try to explain one more time.
>> Here is the workflow that I have in mind:
>>
>> 1) Admin creates a rule with time definition using UI and CLI
>> 2) Rule is saved in the LDAP attribute
>> 3) Rule gets replicated between IPA servers
>> 4) SSSD fetches the rule from an IPA server
>> 5) SSSD validates the rule
>>
>> Let us say that the rule is entered, saved, transferred and interpreted on the client as UTC.
>> Sounds reasonable and not that complex from the implementation POV. Good!
>> The only issue I see is that the admin during step 1 does not think in terms of UTC as Ben pointed out. He thinks in user time or server time i.e. tries to relate the rule to some reasonable time markers (start of a shift, end of a working day, midnight at a special location etc.)
>> So I was suggesting the following:
>> 1) Allow admin to specify in what time zone he entered the time
>> 2) Pass the time definition together with the time zone he selected to the server
>> 3) Before saving the rule the server would convert the rule into UTC and stick the TZ info hint into the rule
>> 4) When SSSD retrieves the attribute it will know that time is in UTC and will ignore any TZ hints stored in the rule
>> 5) The TZ hint is only needed for UI/CLI when admin fetches the rule and looks at it. In this case the server will take attribute which is in UTC, extract a TZ hint from the rule and use that TZ to convert UTC value it has to the value in the specified TZ. This is what is sent to the client and displayed in the UI/CLI.
>>
>> So TZ is needed only for the administrative purposes and not for SSSD. I hope it is clear now.
>> I was also suggesting to save offset together with the TZ hint but I guess this can be dropped.
>> Can we agree to keep the TZ as hint for the management purposes in the rule?
>>
> Dmitri, this simply cannot work, because time zones are not static. You can't tell the administrator he is defining something in the Eastern time zone from 09:00-17:00 EST and then store that value as UTC. Because when DST happens, suddenly this will be equivalent to 08:00-16:00 EDT. And the meaning of the rule is lost.

Then maybe we should store both the UTC and the time how it was entered by the user in the same rule.
> So if you want to define a timezone for a rule, it MUST be stored as local time plus timezone identifier, so that when it is evaluated it will use the appropriate offset for that moment in history.
>
> You can't just send a UTC value down to SSSD.

Yes you can. This is what we all agree is the safest option.

> After lunch, I'm going to write up the completely new proposal that Adam and I are suggesting to avoid the future upgrade issue for SSSD as well. It will account for the problem you're trying to solve here.
>

I am all ears.

-- 
Thank you,
Dmitri Pal

Sr. Engineering Manager IPA project,
Red Hat Inc.

-------------------------------
Looking to carve out IT costs?
www.redhat.com/carveoutcosts/

From JR.Aquino at citrix.com Wed Nov 24 17:32:21 2010
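The DST drift argued about in the HBAC calendar thread above, as an added example (not FreeIPA or SSSD code): a constructed rule "allow 09:00-17:00 America/New_York" is saved as a fixed UTC window on the day the admin enters it, then evaluated on a day on the other side of a DST change, and compared with evaluating the wall-clock rule plus zone identifier at decision time. The rule, zone, dates and function names are all constructed for the example; it needs Python 3.9+ for zoneinfo.

```python
"""Added example (not FreeIPA code): a wall-clock HBAC time window stored as a
fixed UTC window drifts by one hour across a DST change, so an access rule
silently allows and denies at the wrong times.

Constructed rule: allow 09:00-17:00 America/New_York. Windows crossing
midnight are out of scope for this example.
"""
from datetime import date, datetime, time, timezone
from zoneinfo import ZoneInfo

RULE_TZ = ZoneInfo("America/New_York")  # constructed example zone
RULE_START = time(9, 0)                  # constructed window start
RULE_END = time(17, 0)                   # constructed window end (exclusive)


def snapshot_window(entered_on: str) -> tuple[str, str]:
    """UTC times of day a server would store if it converted the local window
    once, on the ISO date the rule was entered. This is the lossy step."""
    day = date.fromisoformat(entered_on)
    start = datetime.combine(day, RULE_START, tzinfo=RULE_TZ).astimezone(timezone.utc)
    end = datetime.combine(day, RULE_END, tzinfo=RULE_TZ).astimezone(timezone.utc)
    return start.strftime("%H:%M"), end.strftime("%H:%M")


def snapshot_in_local(entered_on: str, evaluated_on: str) -> tuple[str, str]:
    """Wall-clock meaning of the stored UTC window on a later day. It differs
    from RULE_START-RULE_END whenever the two days straddle a DST change."""
    day = date.fromisoformat(evaluated_on)
    local = []
    for hhmm in snapshot_window(entered_on):
        instant = datetime.combine(day, time.fromisoformat(hhmm), tzinfo=timezone.utc)
        local.append(instant.astimezone(RULE_TZ).strftime("%H:%M"))
    return local[0], local[1]


def allowed_by_local_rule(login: datetime) -> bool:
    """Evaluate the way a zone-aware client would: convert the login instant
    into the rule's zone and compare wall-clock time."""
    t = login.astimezone(RULE_TZ).time()
    return RULE_START <= t < RULE_END


def allowed_by_utc_snapshot(login: datetime, entered_on: str) -> bool:
    """Evaluate against the fixed UTC window captured when the rule was saved."""
    utc_start, utc_end = (time.fromisoformat(s) for s in snapshot_window(entered_on))
    t = login.astimezone(timezone.utc).time()
    return utc_start <= t < utc_end


def evaluate(login_local: str, entered_on: str) -> tuple[bool, bool]:
    """Decide one login attempt (ISO local datetime in RULE_TZ) both ways.
    Returns (local_rule_decision, utc_snapshot_decision)."""
    login = datetime.fromisoformat(login_local).replace(tzinfo=RULE_TZ)
    return allowed_by_local_rule(login), allowed_by_utc_snapshot(login, entered_on)


if __name__ == "__main__":
    for entered, evaluated in (("2010-01-15", "2010-07-15"), ("2010-07-15", "2010-12-15")):
        print(entered, "-> stored as", snapshot_window(entered), "UTC; on", evaluated,
              "that means", snapshot_in_local(entered, evaluated), "local")
    # Rule saved in January, login at 17:30 on a July afternoon: the wall-clock
    # rule denies, the UTC snapshot still allows (window drifted to 10:00-18:00).
    print(evaluate("2010-07-15T17:30", "2010-01-15"))
```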
From: JR.Aquino at citrix.com (JR Aquino)
Date: Wed, 24 Nov 2010 17:32:21 +0000
Subject: [Freeipa-devel] Where we are with SUDO?
In-Reply-To: <20101123211015.GA13884@redhat.com>
Message-ID:

Progress!

Ok, here is the latest data from the lab.

The compat translation is almost there!!!

* The sudoers container has correctly been moved out to the top of the tree. I think it only needs 1 small final edit, the sudo ldap default is to look for: ou=sudoers, rather than what is currently "cn=sudoers"
* sudoUser correctly translates to a %
* sudoCommand: correctly translates to the individual members of the ipaSudoCmdGroup
* sudoHost: is incorrectly enumerating the individual members of the ipaHostgroup

This is similar to how sudoCommand is being populated.

It wants to be like how sudoUser is being populated.

sudoHost: +prod

Here is the ldapsearch for the pieces that need adjustment.

# prod, hostgroups, accounts, example.com
dn: cn=prod,cn=hostgroups,cn=accounts,dc=example,dc=com
objectClass: ipaobject
objectClass: ipahostgroup
objectClass: nestedGroup
objectClass: groupOfNames
objectClass: top
cn: prod
description: prod
ipaUniqueID: 15261e98-f7ee-11df-968e-8a3d259cb0b9
member: fqdn=auth3.ops.example.com,cn=computers,cn=accounts,dc=example,dc=com

# sudoers, example.com
dn: cn=sudoers, dc=example,dc=com
objectClass: extensibleObject
cn: sudoers

# operations, sudoers, example.com
dn: cn=operations,cn=sudoers,dc=example,dc=com
objectClass: sudoRole
sudoUser: %ops
sudoHost: auth3.ops.example.com
sudoCommand: /usr/bin/less
cn: operations

Thank you very much for your help Nalin!

From ssorce at redhat.com Wed Nov 24 17:42:42 2010
From: ssorce at redhat.com (Simo Sorce)
Date: Wed, 24 Nov 2010 12:42:42 -0500
Subject: [Freeipa-devel] Other issues with HBAC calendar
In-Reply-To: <4CED3C9D.9070202@redhat.com>
References: <4CEB3AFB.7000605@redhat.com> <4CEBE16D.5060804@redhat.com> <4CED3C9D.9070202@redhat.com>
Message-ID: <20101124124242.5b3e8c0a@willson.li.ssimo.org>

On Wed, 24 Nov 2010 11:26:05 -0500 Dmitri Pal wrote:
> Steven, please think about the case when the rule needs to be edited in UI and it has some value for DD - say 1.
> What do you display in UI then? If you do not allow to enter days and you do not allow more than 24 hours in the hour field you will fail to translate the rule to the proposed UI.
> The only option would be to show the raw rule in this case. IMO this does not seem like the best option to me.

May not be the best but it is perfectly reasonable.

> I think the DD is redundant and other means should be used to schedule windows bigger than 2 days however the HH should IMO allow 1-48 hours to allow specifying a weekend outage like: from 1AM Sat to 11PM Sun. If it is more than 2 days it is reasonable to ask to split the rule into several slices.

I think this is not reasonable at all, it is an arbitrary limit due to the "current" thinking around the UI, if you change your mind about the UI tomorrow, you will be left with the constraint in the grammar. This is just backwards.

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York

From dpal at redhat.com Wed Nov 24 18:12:02 2010
From: dpal at redhat.com (Dmitri Pal)
Date: Wed, 24 Nov 2010 13:12:02 -0500
Subject: [Freeipa-devel] Other issues with HBAC calendar
In-Reply-To: <20101124124242.5b3e8c0a@willson.li.ssimo.org>
References: <4CEB3AFB.7000605@redhat.com> <4CEBE16D.5060804@redhat.com> <4CED3C9D.9070202@redhat.com> <20101124124242.5b3e8c0a@willson.li.ssimo.org>
Message-ID: <4CED5572.5000704@redhat.com>

Simo Sorce wrote:
> On Wed, 24 Nov 2010 11:26:05 -0500 Dmitri Pal wrote:
>
>> Steven, please think about the case when the rule needs to be edited in UI and it has some value for DD - say 1.
>> What do you display in UI then? If you do not allow to enter days and you do not allow more than 24 hours in the hour field you will fail to translate the rule to the proposed UI.
>> The only option would be to show the raw rule in this case. IMO this does not seem like the best option to me.
>>
>
> May not be the best but it is perfectly reasonable.
>
>> I think the DD is redundant and other means should be used to schedule windows bigger than 2 days however the HH should IMO allow 1-48 hours to allow specifying a weekend outage like: from 1AM Sat to 11PM Sun. If it is more than 2 days it is reasonable to ask to split the rule into several slices.
>>
>
> I think this is not reasonable at all, it is an arbitrary limit due to the "current" thinking around the UI, if you change your mind about the UI tomorrow, you will be left with the constraint in the grammar.
> This is just backwards.
>
> Simo.
>

Keeping in mind that we have just one shot at it, it is unreasonable to think that the limitations that the UI imposes will ever go away.

Effectively what you and Steven say is that the grammar should dictate the UI. It is the wrong approach. As well as the vice versa. The UI should not dictate the grammar. However the grammar also should not have constructs that would never be expressed in UI because they are already identified as unusable.
In other words the UI can be a subset of what the grammar supports but all the options that the grammar supports should be potentially implementable in UI and usable. If they can never be implemented in UI in a usable way they should not be in the grammar.

-- 
Thank you,
Dmitri Pal

Sr. Engineering Manager IPA project,
Red Hat Inc.

-------------------------------
Looking to carve out IT costs?
www.redhat.com/carveoutcosts/

From dpal at redhat.com Wed Nov 24 18:22:41 2010
From: dpal at redhat.com (Dmitri Pal)
Date: Wed, 24 Nov 2010 13:22:41 -0500
Subject: [Freeipa-devel] Where we are with SUDO?
In-Reply-To:
References:
Message-ID: <4CED57F1.7060209@redhat.com>

JR Aquino wrote:
> Progress!
>
> Ok, here is the latest data from the lab.
>
> The compat translation is almost there!!!
>
> * The sudoers container has correctly been moved out to the top of the tree. I think it only needs 1 small final edit, the sudo ldap default is to look for: ou=sudoers, rather than what is currently "cn=sudoers"
>

Does this matter because the SUDO clients in your deployment look for "ou" rather than "cn", or is it a general convention?

> * sudoUser correctly translates to a %
> * sudoCommand: correctly translates to the individual members of the ipaSudoCmdGroup
> * sudoHost: is incorrectly enumerating the individual members of the ipaHostgroup
>
> This is similar to how sudoCommand is being populated.
>
> It wants to be like how sudoUser is being populated.
>
> sudoHost: +prod
>
> Here is the ldapsearch for the pieces that need adjustment.
>
> # prod, hostgroups, accounts, example.com
> dn: cn=prod,cn=hostgroups,cn=accounts,dc=example,dc=com
> objectClass: ipaobject
> objectClass: ipahostgroup
> objectClass: nestedGroup
> objectClass: groupOfNames
> objectClass: top
> cn: prod
> description: prod
> ipaUniqueID: 15261e98-f7ee-11df-968e-8a3d259cb0b9
> member: fqdn=auth3.ops.example.com,cn=computers,cn=accounts,dc=example,dc=com
>
> # sudoers, example.com
> dn: cn=sudoers, dc=example,dc=com
> objectClass: extensibleObject
> cn: sudoers
>
> # operations, sudoers, example.com
> dn: cn=operations,cn=sudoers,dc=example,dc=com
> objectClass: sudoRole
> sudoUser: %ops
> sudoHost: auth3.ops.example.com
> sudoCommand: /usr/bin/less
> cn: operations
>

Currently it functions as originally specified, i.e. it expands the hosts when a host group is referenced directly. Please create a nis netgroup and add a host group into it manually.
Point the sudo rule you created to the netgroup rather than to the host group directly. In this case you should get what you are currently looking for, i.e. +prod (if that would be the name of the netgroup). If that works the sudo part will be done and we would need to focus on one of the variants of keeping the netgroups and host groups in sync as was proposed in the other thread.

> Thank you very much for your help Nalin!
>

-- 
Thank you,
Dmitri Pal

Sr. Engineering Manager IPA project,
Red Hat Inc.

-------------------------------
Looking to carve out IT costs?
www.redhat.com/carveoutcosts/

From ayoung at redhat.com Wed Nov 24 19:02:33 2010
From: ayoung at redhat.com (Adam Young)
Date: Wed, 24 Nov 2010 14:02:33 -0500
Subject: [Freeipa-devel] [PATCH] admiyo-0103-navigation-format
Message-ID: <4CED6149.6000101@redhat.com>

-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-admiyo-0103-navigation-format.patch
Type: text/x-patch
Size: 23878 bytes
Desc: not available
URL:

From ssorce at redhat.com Wed Nov 24 19:16:42 2010
From: ssorce at redhat.com (Simo Sorce)
Date: Wed, 24 Nov 2010 14:16:42 -0500
Subject: [Freeipa-devel] Other issues with HBAC calendar
In-Reply-To: <4CED5572.5000704@redhat.com>
References: <4CEB3AFB.7000605@redhat.com> <4CEBE16D.5060804@redhat.com> <4CED3C9D.9070202@redhat.com> <20101124124242.5b3e8c0a@willson.li.ssimo.org> <4CED5572.5000704@redhat.com>
Message-ID: <20101124141642.11964da2@willson.li.ssimo.org>

On Wed, 24 Nov 2010 13:12:02 -0500 Dmitri Pal wrote:
> Simo Sorce wrote:
>> On Wed, 24 Nov 2010 11:26:05 -0500 Dmitri Pal wrote:
>>
>>> Steven, please think about the case when the rule needs to be edited in UI and it has some value for DD - say 1.
>>> What do you display in UI then? If you do not allow to enter days and you do not allow more than 24 hours in the hour field you will fail to translate the rule to the proposed UI.
>>> The only option would be to show the raw rule in this case. IMO this does not seem like the best option to me.
>>>
>>
>> May not be the best but it is perfectly reasonable.
>>
>>> I think the DD is redundant and other means should be used to schedule windows bigger than 2 days however the HH should IMO allow 1-48 hours to allow specifying a weekend outage like: from 1AM Sat to 11PM Sun. If it is more than 2 days it is reasonable to ask to split the rule into several slices.
>>>
>>
>> I think this is not reasonable at all, it is an arbitrary limit due to the "current" thinking around the UI, if you change your mind about the UI tomorrow, you will be left with the constraint in the grammar. This is just backwards.
>>
>> Simo.
>>
>
> Keeping in mind that we have just one shot at it, it is unreasonable to think that the limitations that the UI imposes will ever go away.

They changed many times since we started and will keep changing in time, I have no doubt about that.

> Effectively what you and Steven say is that the grammar should dictate the UI.
> It is the wrong approach. As well as the vice versa. The UI should not dictate the grammar.

No, what we say is that the UI is the flexible actor in this drama, the grammar is not flexible. The worst case for the UI is that it may have to display an ugly rule in raw grammar. The worst case for the grammar is that you cannot express a rule, and have to change it.

> However the grammar also should not have constructs that would never be expressed in UI because they are already identified as unusable.

The grammar needs to be flexible in what can be represented, the UI then can choose to allow only a subset to be set. The UI drives the game, the cases where an admin will try to change something at a low level via direct ldap calls is going to be rare, and in those cases the UI can very well degrade to a less than ideal mode and show raw rules, with the option to wipe them out and let the admin replace them with UI-friendly rules.

> In other words the UI can be a subset of what the grammar supports but all the options that the grammar supports should be potentially implementable in UI and usable.

Everything is potentially implementable.

> If they can never be implemented in UI in a usable way they should not be in the grammar.

Given that in the worst case you show a rule by simply describing it in pseudo-natural language I think the UI has no real limits except the limits set forth by the specific implementation.

That said I am starting to think that having a grammar that is powerful enough to express all possible combinations an admin can think of is not possible to get done right w/o making it extremely complicated.

I need to think a bit more but I think we may want to radically simplify the grammar instead by splitting single rules (as seen in the UI) in multiple values. And use additional attributes to aid the UI, like having a displayTZ attribute that tells the UI what is the preferred timezone to look at a rule.

Simo.
-- 
Simo Sorce * Red Hat, Inc * New York

From dpal at redhat.com Wed Nov 24 19:19:02 2010
From: dpal at redhat.com (Dmitri Pal)
Date: Wed, 24 Nov 2010 14:19:02 -0500
Subject: [Freeipa-devel] Host groups and netgroups
Message-ID: <4CED6526.1060702@redhat.com>

Hello,

It is well known that with IPA we want to try to move people from the netgroups to host groups but many companies currently use netgroups as hostgroups.

To simplify migration I suggest that we by default always create a managed "nisnetgroup" entry that would map 1-1 to the host group using the managed entry plugin.

The logic would work the following way:
1) When the host group is created the netgroup also will be created with the same name and memberHost attribute pointing to the DN of the newly created host group
2) The deletion of the host group will automatically remove the managed netgroup
3) The rename of the host group (if allowed) should cause the managed group to be renamed too.

In the UI/CLI we will filter out managed netgroups in all cases related to the identity part of the server (list of netgroups, users members of the netgroup, hosts members of netgroup, etc.). The netgroups will be available only in the special cases like SUDO plugin.

The work will consist of:
1) Defining the managed entry plugin config for this case
2) Adding this configuration to the installation sequence
3) Updating netgroup searches to filter out managed entries
4) Allow all netgroups in SUDO plugin (I think this is already the case).

If this proposal looks reasonable I will open a ticket.
JR will you be able to provide a patch that does all of this since this is not exactly what we originally planned?

-- 
Thank you,
Dmitri Pal

Sr. Engineering Manager IPA project,
Red Hat Inc.

-------------------------------
Looking to carve out IT costs?
www.redhat.com/carveoutcosts/

From adam at younglogic.com Wed Nov 24 18:46:54 2010
From: adam at younglogic.com (Adam Young) Date: Wed, 24 Nov 2010 13:46:54 -0500 Subject: [Freeipa-devel] [PATCH]admiyo-0103-navigation-format Message-ID: <4CED5D9E.30808@younglogic.com> -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-admiyo-0103-navigation-format.patch Type: text/x-patch Size: 23878 bytes Desc: not available URL: From ssorce at redhat.com Wed Nov 24 19:24:43 2010 
From: ssorce at redhat.com (Simo Sorce)
Date: Wed, 24 Nov 2010 14:24:43 -0500
Subject: [Freeipa-devel] Patches and Thunderbird
In-Reply-To: <4CED2687.8040202@redhat.com>
References: <4CED2687.8040202@redhat.com>
Message-ID: <20101124142443.617d446a@willson.li.ssimo.org>

On Wed, 24 Nov 2010 09:51:51 -0500 Adam Young wrote:
> Thunderbird formatting of patches:
>
> Thunderbird has a nasty habit of prepending a '>' character to the patch, messing up the format. While it is trivial to edit the patch by hand to remove it, the patch sender can help out by configuring Thunderbird this way:
>
> * In Thunderbird Preferences,
> * go to the Advanced->General tab.
> * Select "Config Editor"
> * Search for mail.file_attach_binary and
> * set this value to true
>
> I've added this to the patch format page.
>
> https://fedorahosted.org/freeipa/wiki/PatchFormat
>
> I'm making an effort to keep track of the different patches that are out there and their status, so the more consistent we are, the easier it is to do.
>
> Please make sure at least the patch number is in the title of the email you send out. There are so many patches, that when someone refers to their patch 86 it makes it much faster to go and find that patch.

FWIW it seems like thunderbird is not at fault here, but something in between (probably mailman). We will try to get it fixed so that people do not have to care about this at all and we do not have to provide instructions for the gazillion MUAs around there.

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York

From pzuna at redhat.com Wed Nov 24 19:28:14 2010
From: pzuna at redhat.com (Pavel Zůna)
Date: Wed, 24 Nov 2010 20:28:14 +0100
Subject: [Freeipa-devel] [PATCH] Add new version of DNS plugin: complete rework with baseldap + unit tests.
In-Reply-To: <4CED2D94.9020506@redhat.com>
References: <4CEBD19D.9050707@redhat.com> <4CEC77D4.8030208@redhat.com> <4CECD0C8.3030009@redhat.com> <4CED2D94.9020506@redhat.com>
Message-ID: <4CED674E.30703@redhat.com>

On 2010-11-24 16:21, Adam Young wrote:
> On 11/24/2010 03:46 AM, Pavel Zuna wrote:
>> On 11/24/2010 03:26 AM, Adam Young wrote:
>>> On 11/23/2010 09:37 AM, Pavel Zuna wrote:
>>>> Finally managed to rewrite the DNS plugin again. Sorry, it took so long, we had training in the office and I also had a nasty bug in baseldap.py I couldn't find.
>>>>
>>>> Anyway, this version has it all:
>>>> - changes we agreed on meeting, the "resource" abstraction is gone and we now only have zones and records = adding a new record automatically updates an existing entry or creates it if it wasn't there and deleting the last record deletes the whole entry - all of it transparent to the user
>>>> - unit tests
>>>> - ipa help documentation
>>>>
>>>> Fixes tickets:
>>>> #36
>>>> #450
>>>>
>>>> I also closed bug #654412.
>>>>
>>>> It has a new patch sequence number, because it depends on another patch with a higher number and I didn't want to create forward dependencies.
>>>> >>>> Depends on my patches number: >>>> 35 (will repost if needed) >>>> 38 (posted a while ago on freeipa-devel) >>>> >>>> Pavel >>>> >>>> >>>> _______________________________________________ >>>> Freeipa-devel mailing list >>>> Freeipa-devel at redhat.com >>>> https://www.redhat.com/mailman/listinfo/freeipa-devel >>> >>> I keep getting an error when doing simple things like install and ipa >>> help: >>> [ayoung at ipa freeipa]$ ./ipa help dns2 >>> ipa: ERROR: AttributeError: cannot override NameSpace.idnsname value >>> Str('idnsname', cli_name='name', doc=Gettext('Zone name (FQDN)', >>> domain='ipa', localedir=None), label=Gettext('Zone name', domain='ipa', >>> localedir=None), multivalue=False, normalizer=, >>> primary_key=True, query=True, required=True) with Str('idnsname', >>> attribute=True, cli_name='name', doc=Gettext('Record name', >>> domain='ipa', localedir=None), label=Gettext('Record name', >>> domain='ipa', localedir=None), multivalue=False, primary_key=True, >>> query=True, required=True) >>> Traceback (most recent call last): >>> File "/home/ayoung/devel/freeipa/ipalib/cli.py", line 962, in run >>> api.finalize() >>> File "/home/ayoung/devel/freeipa/ipalib/plugable.py", line 615, in >>> finalize >>> p.instance.finalize() >>> File "/home/ayoung/devel/freeipa/ipalib/frontend.py", line 724, in >>> finalize >>> self._create_param_namespace('args') >>> File "/home/ayoung/devel/freeipa/ipalib/frontend.py", line 350, in >>> _create_param_namespace >>> sort=False >>> File "/home/ayoung/devel/freeipa/ipalib/base.py", line 407, in __init__ >>> (self.__class__.__name__, name, self.__map[name], member) >>> AttributeError: cannot override NameSpace.idnsname value Str('idnsname', >>> cli_name='name', doc=Gettext('Zone name (FQDN)', domain='ipa', >>> localedir=None), label=Gettext('Zone name', domain='ipa', >>> localedir=None), multivalue=False, normalizer=, >>> primary_key=True, query=True, required=True) with Str('idnsname', >>> attribute=True, 
cli_name='name', doc=Gettext('Record name', >>> domain='ipa', localedir=None), label=Gettext('Record name', >>> domain='ipa', localedir=None), multivalue=False, primary_key=True, >>> query=True, required=True) >>> ipa: ERROR: an internal error has occurred >>> >> >> That's because you need my patch number 35 for it to work... >> >> Pavel > > OK, with that change, the patch applies and works. > > I've tested: creating a zone > Creating an a record > Adding an a record entry to an existing entry (calling ipa dnsrecord-add > a second time with just a different ip address) > Adding an aaaa record. > Deleting one and multiple aaaa records > > > One thing that is a little counter intuitive is that you have to specify > which records to delete: just running > ipa dnsrecord-del ayoung.test.ipa.redhat.com hiphop doesn't delete all > records with the A name of hiphop. I think this is the right behavior, > but it should be better documented. Ok, I'm going to add a few lines about it in the docstring (ipa help). Maybe we should have an option to delete all records associated with a resource name. For example when someone is deleting a host from DNS and wants all of its records gone. > > Have to hold off on pushing it due to F14: python-netaddr Isn't in F14, > so we are adding a new python package with this plugin, too. > > Pavel From dpal at redhat.com Wed Nov 24 19:32:08 2010 
From: dpal at redhat.com (Dmitri Pal)
Date: Wed, 24 Nov 2010 14:32:08 -0500
Subject: [Freeipa-devel] Other issues with HBAC calendar
In-Reply-To: <20101124141642.11964da2@willson.li.ssimo.org>
References: <4CEB3AFB.7000605@redhat.com> <4CEBE16D.5060804@redhat.com> <4CED3C9D.9070202@redhat.com> <20101124124242.5b3e8c0a@willson.li.ssimo.org> <4CED5572.5000704@redhat.com> <20101124141642.11964da2@willson.li.ssimo.org>
Message-ID: <4CED6838.5090303@redhat.com>

> I need to think a bit more but I think we may want to radically simplify the grammar instead by splitting single rules (as seen in the UI) in multiple values. And use additional attributes to aid the UI, like having a displayTZ attribute that tells the UI what is the preferred timezone to look at a rule.
>
> Simo.
>

It seems that maybe we really took a wrong approach here. Let us see what Steve and Adam would come up with.

-- 
Thank you,
Dmitri Pal

Sr. Engineering Manager IPA project,
Red Hat Inc.

-------------------------------
Looking to carve out IT costs?
www.redhat.com/carveoutcosts/

From JR.Aquino at citrix.com Wed Nov 24 19:35:16 2010
From: JR.Aquino at citrix.com (JR Aquino)
Date: Wed, 24 Nov 2010 19:35:16 +0000
Subject: [Freeipa-devel] Host groups and netgroups
In-Reply-To: <4CED6526.1060702@redhat.com>
Message-ID:

> If this proposal looks reasonable I will open a ticket.
> JR will you be able to provide a patch that does all of this since this is not exactly what we originally planned?

Your premise makes a lot of sense. This is very promising news Dmitri.

Let me consider how I would accommodate the patch, and get back to you early next week with an official answer on commitment.

-- 
Thanks!
-JR

From jdennis at redhat.com Wed Nov 24 19:35:46 2010
From: jdennis at redhat.com (John Dennis)
Date: Wed, 24 Nov 2010 14:35:46 -0500
Subject: [Freeipa-devel] Other issues with HBAC calendar
In-Reply-To: <20101124141642.11964da2@willson.li.ssimo.org>
References: <4CEB3AFB.7000605@redhat.com> <4CEBE16D.5060804@redhat.com> <4CED3C9D.9070202@redhat.com> <20101124124242.5b3e8c0a@willson.li.ssimo.org> <4CED5572.5000704@redhat.com> <20101124141642.11964da2@willson.li.ssimo.org>
Message-ID: <4CED6912.9090306@redhat.com>

On 11/24/2010 02:16 PM, Simo Sorce wrote:
> That said I am starting to think that having a grammar that is powerful enough to express all possible combinations an admin can think of is not possible to get done right w/o making it extremely complicated.

When the HBAC rules first came up over a year ago I pointed out how similar the issue was to the recurrence rules in ical and caldav. I also pointed out how the committees involved struggled to get this right and not fall victim to excessive complexity. The truth is, it's a hard problem, it's no surprise we discover we're struggling with it too.

I haven't been following the whole discussion here so maybe I'm off base but I continue to wonder why we aren't looking at open standards that address many of the issues raised here with respect to localized time recurrence and which also happen to have open source implementations for evaluating the rules expressed in the grammar.

-- 
John Dennis

Looking to carve out IT costs?
www.redhat.com/carveoutcosts/

From ayoung at redhat.com Wed Nov 24 19:45:14 2010
From: ayoung at redhat.com (Adam Young)
Date: Wed, 24 Nov 2010 14:45:14 -0500
Subject: [Freeipa-devel] [PATCH]admiyo-0094-xhtml-to-html
In-Reply-To: <4CE48853.4040607@redhat.com>
References: <4CE435C2.5090705@redhat.com> <4CE45537.2080300@redhat.com> <4CE48853.4040607@redhat.com>
Message-ID: <4CED6B4A.6050808@redhat.com>

On 11/17/2010 08:58 PM, Adam Young wrote:
> On 11/17/2010 05:20 PM, Endi Sukma Dewata wrote:
>> On 11/17/2010 2:06 PM, Adam Young wrote:
>>>
>>
>> This patch doesn't apply, the index.html is already created in patch #92.
>>
> OK. Didn't realize I had done that, though it was in another branch. The index.html file is in the right form, though, so all that really needs to happen is removing the xhtml file
>

0094 withdrawn
0095 ACKed and pushed

From dpal at redhat.com Wed Nov 24 19:44:15 2010
From: dpal at redhat.com (Dmitri Pal)
Date: Wed, 24 Nov 2010 14:44:15 -0500
Subject: [Freeipa-devel] Other issues with HBAC calendar
In-Reply-To: <4CED6912.9090306@redhat.com>
References: <4CEB3AFB.7000605@redhat.com> <4CEBE16D.5060804@redhat.com> <4CED3C9D.9070202@redhat.com> <20101124124242.5b3e8c0a@willson.li.ssimo.org> <4CED5572.5000704@redhat.com> <20101124141642.11964da2@willson.li.ssimo.org> <4CED6912.9090306@redhat.com>
Message-ID: <4CED6B0F.8000005@redhat.com>

John Dennis wrote:
> On 11/24/2010 02:16 PM, Simo Sorce wrote:
>> That said I am starting to think that having a grammar that is powerful
>> enough to express all possible combinations an admin can think of is
>> not possible to get done right w/o making it extremely complicated.
>
> When the HBAC rules first came up over a year ago I pointed out how
> similar the issue was to the recurrence rules in ical and caldav. I
> also pointed out how the committees involved struggled to get this
> right and not fall victim to excessive complexity. The truth is, it's
> a hard problem, it's no surprise we discover we're struggling with it
> too.
>
> I haven't been following the whole discussion here so maybe I'm off
> base but I continue to wonder why we aren't looking at open standards
> that address many of the issues raised here with respect to localized
> time recurrence and which also happen to have open source
> implementations for evaluating the rules expressed in the grammar.

We looked at ical and caldav but the grammar for those looked excessively complex. We hoped that we could reduce it to just the part we need, to actually reduce the amount of work and potential errors.

--
Thank you,
Dmitri Pal

Sr. Engineering Manager IPA project,
Red Hat Inc.

-------------------------------
Looking to carve out IT costs?
www.redhat.com/carveoutcosts/

From rcritten at redhat.com Wed Nov 24 19:54:07 2010
From: rcritten at redhat.com (Rob Crittenden)
Date: Wed, 24 Nov 2010 14:54:07 -0500
Subject: [Freeipa-devel] [PATCH] 619 more aci target docs
Message-ID: <4CED6D5F.3050507@redhat.com>

I added some more documentation and examples to the aci plugin on targets.

ticket 310

rob

-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-rcrit-619-aci.patch
Type: text/x-patch
Size: 2928 bytes
Desc: not available
URL:

From edewata at redhat.com Wed Nov 24 20:33:21 2010
From: edewata at redhat.com (Endi Sukma Dewata)
Date: Wed, 24 Nov 2010 14:33:21 -0600
Subject: [Freeipa-devel] [PATCH] admiyo-0102-action-panel-formatting
In-Reply-To: <4CED4294.1000007@redhat.com>
References: <4CED4294.1000007@redhat.com>
Message-ID: <4CED7691.1040802@redhat.com>

On 11/24/2010 10:51 AM, Adam Young wrote:
>

ACK and pushed to master.

--
Endi S. Dewata

From edewata at redhat.com Wed Nov 24 20:34:07 2010
From: edewata at redhat.com (Endi Sukma Dewata)
Date: Wed, 24 Nov 2010 14:34:07 -0600
Subject: [Freeipa-devel] [PATCH] admiyo-0103-navigation-format
In-Reply-To: <4CED6149.6000101@redhat.com>
References: <4CED6149.6000101@redhat.com>
Message-ID: <4CED76BF.3040609@redhat.com>

On 11/24/2010 1:02 PM, Adam Young wrote:
>

ACK and pushed to master.

--
Endi S. Dewata

From ayoung at redhat.com Wed Nov 24 21:49:34 2010
From: ayoung at redhat.com (Adam Young)
Date: Wed, 24 Nov 2010 16:49:34 -0500
Subject: [Freeipa-devel] PATCH for whoami
Message-ID: <4CED886E.80005@redhat.com>

Pushed under the 1 liner rule

-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-admiyo-0104-whoami-fix.patch
Type: text/x-patch
Size: 1140 bytes
Desc: not available
URL:

From rcritten at redhat.com Wed Nov 24 21:54:19 2010
From: rcritten at redhat.com (Rob Crittenden)
Date: Wed, 24 Nov 2010 16:54:19 -0500
Subject: [Freeipa-devel] [PATCH] Make the migration plugin more configurable
In-Reply-To: <4CED2BBB.8090902@redhat.com>
References: <20101115115657.GB19666@zeppelin.brq.redhat.com> <4CE6CD4F.3090101@redhat.com> <4CEA8953.4030507@redhat.com> <4CEA8A8B.3000901@redhat.com> <4CED2BBB.8090902@redhat.com>
Message-ID: <4CED898B.8000205@redhat.com>

Jakub Hrozek wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> On 11/22/2010 04:21 PM, Jakub Hrozek wrote:
>> On 11/22/2010 04:16 PM, Jakub Hrozek wrote:
>>> The code handles it (I just ran a quick test with --schema=RFC2307bis).
>>
>>> It just iterates through all members of a group -- be it user member or
>>> group member, it's just a DN for the plugin.
>>
>>> Jakub
>>
>> Sorry, I found another bug in the plugin. I'll send a new patch shortly,
>> so please don't waste time reviewing this one.
>
> New patch is attached. It fixes two more bugs of the original plugin -
> determines whether a group member is a user or a nested group by
> checking the DN, not just the RDN attribute name and does not hardcode
> primary keys.

Will this blow up in convert_members_rfc2307bis() if a member isn't contained in the users and groups containers? Should there be a failsafe to skip over things that don't match (along with appropriate reporting)? Or if one of users or groups search bases isn't provided?

It definitely doesn't like this:

# ipa migrate-ds --user-container='' --group-container='cn=groups,cn=accounts' ldap://ds.example.com:389

When passed the right set of options it does seem to do the right thing.

rob

From nalin at redhat.com Wed Nov 24 22:46:18 2010
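The failsafe Rob asks about above, as an added example that is not FreeIPA's migrate-ds code: members are classified by where their DN sits (user container, group container, or neither) rather than by RDN attribute, anything that matches neither container is skipped and reported instead of aborting the run, and an empty container option is rejected up front with a clear error. All helper names and sample DNs are constructed for this example.

```python
"""Classify group members during an RFC 2307bis-style migration.

Added example, not FreeIPA's migrate-ds plugin. A member DN that lives
under neither the user nor the group container is skipped and reported
rather than aborting the migration, and an empty container option is
rejected up front. Helper names and sample DNs are constructed.
"""
from dataclasses import dataclass, field


def normalize_dn(dn):
    """Canonicalise a DN for comparison: lower-case, no space after commas.

    Simplified on purpose: escaped commas inside RDN values are not
    handled, which is enough for the plain container DNs used here.
    """
    return ",".join(part.strip().lower() for part in dn.split(","))


def is_under(dn, container):
    """True if dn is a proper descendant of container."""
    dn_n, cont_n = normalize_dn(dn), normalize_dn(container)
    return dn_n != cont_n and dn_n.endswith("," + cont_n)


def containers_ok(user_container, group_container):
    """Both search bases must be non-empty (so --user-container='' is refused)."""
    return bool(user_container and user_container.strip()) and \
        bool(group_container and group_container.strip())


@dataclass
class MemberSplit:
    users: list = field(default_factory=list)
    groups: list = field(default_factory=list)
    skipped: list = field(default_factory=list)  # (dn, reason) pairs for reporting


def split_members(member_dns, user_container, group_container):
    """Decide, by DN placement rather than RDN attribute, what each member is."""
    if not containers_ok(user_container, group_container):
        raise ValueError("user and group containers must both be given")
    result = MemberSplit()
    for dn in member_dns:
        if is_under(dn, user_container):
            result.users.append(dn)
        elif is_under(dn, group_container):
            result.groups.append(dn)
        else:
            # Failsafe: neither container matched; keep going and report it.
            result.skipped.append((dn, "not under the user or group container"))
    return result


if __name__ == "__main__":
    # Constructed sample: two valid members plus one DN from elsewhere.
    members = [
        "uid=admin,cn=users,cn=accounts,dc=example,dc=com",
        "cn=editors,cn=groups,cn=accounts,dc=example,dc=com",
        "cn=printers,ou=devices,dc=example,dc=com",
    ]
    split = split_members(members,
                          "cn=users,cn=accounts,dc=example,dc=com",
                          "cn=groups,cn=accounts,dc=example,dc=com")
    for dn, why in split.skipped:
        print("skipped %s: %s" % (dn, why))
```

The skipped list is what the "appropriate reporting" would be built from; a real plugin would log it and include the count in the command's summary rather than only printing it.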
From: nalin at redhat.com (Nalin Dahyabhai) Date: Wed, 24 Nov 2010 17:46:18 -0500 Subject: [Freeipa-devel] [PATCH] build tweaks Message-ID: <20101124224618.GA12484@redhat.com> The attached patch modifies autogen.sh so that it runs autoreconf with the -f flag, too, so that a source rpm package built on an F14 system will successfully build on a system which has older autotools versions. It also tells automake to run in its 'foreign' mode and dispenses with some workarounds for when we were running it in 'gnu' mode. Nalin -------------- next part -------------- >From 5bb5c58a0ac713069fbd44cb8b7906485648de13 Mon Sep 17 00:00:00 2001 From: Nalin Dahyabhai Date: Wed, 24 Nov 2010 17:39:46 -0500 Subject: [PATCH] build tweaks - use automake's foreign mode, avoid creating empty files to satisfy gnu mode - run autoreconf -f to ensure that everything matches --- autogen.sh | 13 +------------ contrib/RHEL4/configure.ac | 2 +- daemons/configure.ac | 2 +- install/configure.ac | 2 +- ipa-client/configure.ac | 2 +- ipa.spec.in | 4 ---- 6 files changed, 5 insertions(+), 20 deletions(-) diff --git a/autogen.sh b/autogen.sh index 99b4805..5eab4a4 100755 --- a/autogen.sh +++ b/autogen.sh @@ -1,14 +1,3 @@ #!/bin/sh - -# automake demands these files exist when run in gnu mode which is the default, -# automake can be run in foreign mode to avoid failing on the absence of these -# files, but unfortunately there is no way to pass the --foreign flag to -# automake when run from autoreconf. -for f in NEWS README AUTHORS ChangeLog; do - if [ ! -e $f ]; then - touch $f - fi -done - -autoreconf -i +autoreconf -i -f ./configure ${1+"$@"} diff --git a/contrib/RHEL4/configure.ac b/contrib/RHEL4/configure.ac index 83676a3..1fd3fd2 100644 --- a/contrib/RHEL4/configure.ac +++ b/contrib/RHEL4/configure.ac @@ -3,7 +3,7 @@ AC_INIT([ipa-client], [0.99.0], [http://www.freeipa.org/]) -AM_INIT_AUTOMAKE +AM_INIT_AUTOMAKE([foreign]) AC_SUBST(VERSION) 
diff --git a/daemons/configure.ac b/daemons/configure.ac index da86557..d959f98 100644 --- a/daemons/configure.ac +++ b/daemons/configure.ac @@ -6,7 +6,7 @@ AC_INIT([ipa-server], AC_CONFIG_HEADERS([config.h]) -AM_INIT_AUTOMAKE +AM_INIT_AUTOMAKE([foreign]) AM_MAINTAINER_MODE AC_PROG_CC diff --git a/install/configure.ac b/install/configure.ac index 5cdfb79..2424ef2 100644 --- a/install/configure.ac +++ b/install/configure.ac @@ -7,7 +7,7 @@ AC_INIT([ipa-server], #AC_CONFIG_SRCDIR([ipaserver/ipaldap.py]) AC_CONFIG_HEADERS([config.h]) -AM_INIT_AUTOMAKE +AM_INIT_AUTOMAKE([foreign]) AM_MAINTAINER_MODE #AC_PROG_CC diff --git a/ipa-client/configure.ac b/ipa-client/configure.ac index 95becd3..75544ae 100644 --- a/ipa-client/configure.ac +++ b/ipa-client/configure.ac @@ -9,7 +9,7 @@ AC_PROG_LIBTOOL AC_CONFIG_SRCDIR([ipaclient/__init__.py]) AC_CONFIG_HEADERS([config.h]) -AM_INIT_AUTOMAKE +AM_INIT_AUTOMAKE([foreign]) AM_MAINTAINER_MODE diff --git a/ipa.spec.in b/ipa.spec.in index b43aa8e..775c52e 100644 --- a/ipa.spec.in +++ b/ipa.spec.in @@ -223,10 +223,6 @@ administering radius authentication settings in IPA. export CFLAGS="$CFLAGS %{optflags}" export CPPFLAGS="$CPPFLAGS %{optflags}" make version-update -%if ! %{ONLY_CLIENT} -touch daemons/NEWS daemons/README daemons/AUTHORS daemons/ChangeLog -touch install/NEWS install/README install/AUTHORS install/ChangeLog -%endif cd ipa-client; ../autogen.sh --prefix=%{_usr} --sysconfdir=%{_sysconfdir} --localstatedir=%{_localstatedir} --libdir=%{_libdir} --mandir=%{_mandir}; cd .. %if ! %{ONLY_CLIENT} cd daemons; ../autogen.sh --prefix=%{_usr} --sysconfdir=%{_sysconfdir} --localstatedir=%{_localstatedir} --libdir=%{_libdir} --mandir=%{_mandir}; cd .. -- 1.7.3.2 From jzeleny at redhat.com Thu Nov 25 09:15:58 2010 
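Review bot: the autogen.sh hunk removes the comment that explained the NEWS/README/AUTHORS/ChangeLog workaround but leaves the new `autoreconf -i -f` line without any explanation of why `-f` is needed; add a one-line comment above it (for example `# -f: regenerate everything so an srpm built with newer autotools rebuilds on older ones`) so the flag is not dropped later as redundant. Worth stating in that comment too that `-f` overwrites any locally edited generated files (configure, Makefile.in, aclocal.m4) on every run, which is the intent here.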
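Review bot: the `AM_INIT_AUTOMAKE([foreign])` change in contrib/RHEL4/configure.ac (and the identical hunks in daemons, install and ipa-client) is the right way to get foreign mode when automake is driven by autoreconf, since it only relaxes the GNU-standards file checks and changes nothing else; the one thing to double-check is that all four directories really are built through autogen.sh, because any that is still run with a bare `automake` in gnu mode would now fail on the missing files that the spec no longer creates.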
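Review bot: in the ipa.spec.in hunk the `touch daemons/... install/...` lines are removed on the strength of the configure.ac changes, but the four files can also be referenced from the Makefile.am files themselves; please confirm that no Makefile.am under daemons/ or install/ lists NEWS, README, AUTHORS or ChangeLog in EXTRA_DIST or a doc install variable, otherwise `make dist` and the srpm build will fail looking for files that are no longer created.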
From: jzeleny at redhat.com (Jan Zelený)
Date: Thu, 25 Nov 2010 10:15:58 +0100
Subject: [Freeipa-devel] [PATCH] Some fixes in HBAC module
Message-ID: <201011251015.59118.jzeleny@redhat.com>

I'm posting two patches fixing some issues with the HBAC plugin:

https://fedorahosted.org/freeipa/ticket/487
https://fedorahosted.org/freeipa/ticket/494
https://fedorahosted.org/freeipa/ticket/495

--
Thank you
Jan Zeleny

Red Hat Software Engineer
Brno, Czech Republic

-------------- next part --------------
A non-text attachment was scrubbed...
Name: jzeleny-freeipa-0008-Unify-HBAC-error-messages.patch
Type: text/x-patch
Size: 2445 bytes
Desc: not available
URL:
-------------- next part --------------
A non-text attachment was scrubbed...
Name: jzeleny-freeipa-0007-Updated-output-when-calling-hbac-show.patch
Type: text/x-patch
Size: 1593 bytes
Desc: not available
URL:

From jzeleny at redhat.com Thu Nov 25 14:15:05 2010
From: jzeleny at redhat.com (Jan Zelený)
Date: Thu, 25 Nov 2010 15:15:05 +0100
Subject: [Freeipa-devel] [PATCH] Some fixes in HBAC module
In-Reply-To: <201011251015.59118.jzeleny@redhat.com>
References: <201011251015.59118.jzeleny@redhat.com>
Message-ID: <201011251515.05803.jzeleny@redhat.com>

Jan Zelený wrote:
> I'm posting two patches fixing some issues with the HBAC plugin:
>
> https://fedorahosted.org/freeipa/ticket/487
> https://fedorahosted.org/freeipa/ticket/494
> https://fedorahosted.org/freeipa/ticket/495

Self-nack on the 0008, since there is a much better way to handle one of the cases. Also there are some cases of potential NotFound errors, which the patch doesn't catch.

--
Thank you
Jan Zeleny

Red Hat Software Engineer
Brno, Czech Republic

From ayoung at redhat.com Fri Nov 26 02:24:21 2010
From: ayoung at redhat.com (Adam Young)
Date: Thu, 25 Nov 2010 21:24:21 -0500
Subject: [Freeipa-devel] [PATCH] 0100-top-nav-index
In-Reply-To: <4CEC1CBB.9080507@redhat.com>
References: <4CE6F59A.4060507@redhat.com> <4CE70DDF.1040205@redhat.com> <4CEA9D1D.1010204@redhat.com> <4CEC12D1.6080208@redhat.com> <4CEC1CBB.9080507@redhat.com>
Message-ID: <4CEF1A55.5080907@redhat.com>

Updated version that doesn't break SUDO or HBAC. The third level nesting in the tabs set is only used for this kind of navigation now, but should be used for Action panel shortly.

-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-admiyo-0100-top-nav-index.patch
Type: text/x-patch
Size: 4886 bytes
Desc: not available
URL:

From davido at redhat.com Fri Nov 26 04:18:22 2010
From: davido at redhat.com (David O'Brien)
Date: Fri, 26 Nov 2010 14:18:22 +1000
Subject: [Freeipa-devel] [PATCH] 611 increase default username len
In-Reply-To: <4CDB1DBB.1060805@redhat.com>
References: <4CDB1DBB.1060805@redhat.com>
Message-ID: <4CEF350E.7010504@redhat.com>

Rob Crittenden wrote:
> Increase default username length to 32 and max for users and groups to 255.
>
> rob
>

There doesn't appear to be a default max groupname length like there is for usernames. Does that mean it defaults to 255?

/dob

From jhrozek at redhat.com Fri Nov 26 12:59:10 2010
From: jhrozek at redhat.com (Jakub Hrozek)
Date: Fri, 26 Nov 2010 13:59:10 +0100
Subject: [Freeipa-devel] [PATCH] 017 Init smods to prevent crash if encode_keys fails
Message-ID: <4CEFAF1E.8090005@redhat.com>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

If encode_keys() failed, we would free the variable smods which is uninitialized at the time.

btw I've seen encode_keys() fail on me during ber-encoding of the octet part of the key..which is how I found this bug. I'm not able to reproduce it ATM and I've been upgrading to 389-ds 1.2.7 just before that, so maybe it was related to the upgrade..should I just file a bug or check if I can reproduce it again?

Jakub
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (GNU/Linux)
Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org/

iEYEARECAAYFAkzvrx4ACgkQHsardTLnvCUT2gCgtdl5/Q6tt3doF4lB48KyWwVa
oqcAn20dPr2vL3Te8YMV65m7DjRm/Su2
=Xb4I
-----END PGP SIGNATURE-----

-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-jhrozek-017-Init-smods-to-prevent-crash-if-encode_keys-fails.patch
Type: text/x-patch
Size: 931 bytes
Desc: not available
URL:
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-jhrozek-017-Init-smods-to-prevent-crash-if-encode_keys-fails.patch.sig
Type: application/pgp-signature
Size: 72 bytes
Desc: not available
URL:

From pzuna at redhat.com Mon Nov 29 06:54:32 2010
From: pzuna at redhat.com (Pavel Zůna)
Date: Mon, 29 Nov 2010 07:54:32 +0100
Subject: [Freeipa-devel] [PATCH] Enable filtering search results by member attributes.
Message-ID: <4CF34E28.2040209@redhat.com>

LDAPSearch base class has now the ability to generate additional options for objects with member attributes. These options are used to filter search results - search only for objects without the specified members.

Any class that extends LDAPSearch can benefit from this functionality. This patch enables it for the following objects: group, netgroup, rolegroup, hostgroup, taskgroup

Example:
ipa group-find --no-users=admin

Only direct members are taken into account, but if we need indirect members as well - it's not a problem.

Ticket #288

Pavel

-------------- next part --------------
A non-text attachment was scrubbed...
Name: pzuna-freeipa-0042-filterenroll.patch
Type: application/mbox
Size: 5467 bytes
Desc: not available
URL:

From jzeleny at redhat.com Mon Nov 29 10:20:37 2010
From: jzeleny at redhat.com (Jan Zelený)
Date: Mon, 29 Nov 2010 11:20:37 +0100
Subject: [Freeipa-devel] [PATCH] Error message handling in HBAC module
Message-ID: <201011291120.37878.jzeleny@redhat.com>

This patch contains a part of my original 0008 patch. The rest of it is solved differently (see my patch 0010).

--
Thank you
Jan Zeleny

Red Hat Software Engineer
Brno, Czech Republic

-------------- next part --------------
A non-text attachment was scrubbed...
Name: jzeleny-freeipa-0009-Handle-error-messages-during-various-HBAC-operations.patch
Type: text/x-patch
Size: 1914 bytes
Desc: not available
URL:

From jzeleny at redhat.com Mon Nov 29 10:28:10 2010
From: jzeleny at redhat.com (Jan Zelený)
Date: Mon, 29 Nov 2010 11:28:10 +0100
Subject: [Freeipa-devel] [PATCH] Refactoring of baseldap callback invokation
Message-ID: <201011291128.11090.jzeleny@redhat.com>

This patch modifies how PRE, POST and EXC callbacks are invoked in baseldap module. It provides method invoke_callbacks which can be used in all classes derived from baseldap classes as well.

Pavel, since you originally wrote the baseldap module, I'd be grateful if you could review the patch, since you know the best if it covers all callback processing possibilities.

--
Thank you
Jan Zeleny

Red Hat Software Engineer
Brno, Czech Republic

-------------- next part --------------
A non-text attachment was scrubbed...
Name: jzeleny-freeipa-0010-Refactoring-of-baseldap-callback-invokation.patch
Type: text/x-patch
Size: 20721 bytes
Desc: not available
URL:

From pzuna at redhat.com Mon Nov 29 14:19:48 2010
From: pzuna at redhat.com (Pavel Zuna)
Date: Mon, 29 Nov 2010 15:19:48 +0100
Subject: [Freeipa-devel] [PATCH] Error message handling in HBAC module
In-Reply-To: <201011291120.37878.jzeleny@redhat.com>
References: <201011291120.37878.jzeleny@redhat.com>
Message-ID: <4CF3B684.4000003@redhat.com>

On 11/29/2010 11:20 AM, Jan Zelený wrote:
> This patch contains a part of my original 0008 patch. The rest of it is solved
> differently (see my patch 0010).
>
>

ACK.

Pavel

From rcritten at redhat.com Mon Nov 29 14:29:56 2010
From: rcritten at redhat.com (Rob Crittenden)
Date: Mon, 29 Nov 2010 09:29:56 -0500
Subject: [Freeipa-devel] [PATCH] 611 increase default username len
In-Reply-To: <4CEF350E.7010504@redhat.com>
References: <4CDB1DBB.1060805@redhat.com> <4CEF350E.7010504@redhat.com>
Message-ID: <4CF3B8E4.9030205@redhat.com>

David O'Brien wrote:
> Rob Crittenden wrote:
>> Increase default username length to 32 and max for users and groups to
>> 255.
>>
>> rob
>>
>
> There doesn't appear to be a default max groupname length like there is
> for usernames. Does that mean it defaults to 255?
>
> /dob

It just isn't configurable like usernames are. The max is also 255.

rob

From rcritten at redhat.com Mon Nov 29 16:40:04 2010
From: rcritten at redhat.com (Rob Crittenden)
Date: Mon, 29 Nov 2010 11:40:04 -0500
Subject: [Freeipa-devel] [PATCH] build tweaks
In-Reply-To: <20101124224618.GA12484@redhat.com>
References: <20101124224618.GA12484@redhat.com>
Message-ID: <4CF3D764.1010509@redhat.com>

Nalin Dahyabhai wrote:
> The attached patch modifies autogen.sh so that it runs autoreconf with
> the -f flag, too, so that a source rpm package built on an F14 system
> will successfully build on a system which has older autotools versions.
>
> It also tells automake to run in its 'foreign' mode and dispenses with
> some workarounds for when we were running it in 'gnu' mode.
>
> Nalin

Works for me. I built in F-12, shipped the srpm to F-14, built that, then sent the srpm from F-14 back to F-12 and rebuilt again and all is well.

Pushed to master.

rob

From edewata at redhat.com Mon Nov 29 18:08:19 2010
From: edewata at redhat.com (Endi Sukma Dewata)
Date: Mon, 29 Nov 2010 12:08:19 -0600
Subject: [Freeipa-devel] [PATCH] 0100-top-nav-index
In-Reply-To: <4CEF1A55.5080907@redhat.com>
References: <4CE6F59A.4060507@redhat.com> <4CE70DDF.1040205@redhat.com> <4CEA9D1D.1010204@redhat.com> <4CEC12D1.6080208@redhat.com> <4CEC1CBB.9080507@redhat.com> <4CEF1A55.5080907@redhat.com>
Message-ID: <4CF3EC13.7000803@redhat.com>

On 11/25/2010 8:24 PM, Adam Young wrote:
> Updated version that doesn't break SUDO or HBAC. The third level nesting
> in the tabs set is only used for this kind of navigation now, but should
> be used for Action panel shortly.

Conditional ACK... :)

There are some additional changes that need to be done to get SUDO navigation working properly. Please take a look at the attached patch. If this is OK we can commit both patches together.

--
Endi S. Dewata

-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-edewata-0040-Fixed-navigation-problem-with-nested-entities.patch
Type: text/x-patch
Size: 5013 bytes
Desc: not available
URL:

From edewata at redhat.com Mon Nov 29 21:17:59 2010
From: edewata at redhat.com (Endi Sukma Dewata)
Date: Mon, 29 Nov 2010 15:17:59 -0600
Subject: [Freeipa-devel] [PATCH] 0100-top-nav-index
In-Reply-To: <4CF3EC13.7000803@redhat.com>
References: <4CE6F59A.4060507@redhat.com> <4CE70DDF.1040205@redhat.com> <4CEA9D1D.1010204@redhat.com> <4CEC12D1.6080208@redhat.com> <4CEC1CBB.9080507@redhat.com> <4CEF1A55.5080907@redhat.com> <4CF3EC13.7000803@redhat.com>
Message-ID: <4CF41887.2000900@redhat.com>

On 11/29/2010 12:08 PM, Endi Sukma Dewata wrote:
> On 11/25/2010 8:24 PM, Adam Young wrote:
>> Updated version that doesn't break SUDO or HBAC. The third level nesting
>> in the tabs set is only used for this kind of navigation now, but should
>> be used for Action panel shortly.
>
> Conditional ACK... :)
>
> There are some additional changes that need to be done to get SUDO
> navigation working properly. Please take a look at the attached patch.
> If this is OK we can commit both patches together.

ACKed on IRC. Pushed both patches to master.

--
Endi S. Dewata

From rcritten at redhat.com Mon Nov 29 22:12:41 2010
From: rcritten at redhat.com (Rob Crittenden)
Date: Mon, 29 Nov 2010 17:12:41 -0500
Subject: [Freeipa-devel] [PATCH] 620 add ipaUniqueId to UPGs
Message-ID: <4CF42559.3040306@redhat.com>

Add ipaUniqueId to user private groups. If we didn't then when the group is detached we need to add it and this makes the acis more problematic.

I had to move where we load the UPG ldif until after the restart so the schema is available.

rob

-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-rcrit-620-upg.patch
Type: text/x-patch
Size: 2976 bytes
Desc: not available
URL:

From rcritten at redhat.com Mon Nov 29 22:19:55 2010
From: rcritten at redhat.com (Rob Crittenden)
Date: Mon, 29 Nov 2010 17:19:55 -0500
Subject: [Freeipa-devel] [PATCH] Error message handling in HBAC module
In-Reply-To: <4CF3B684.4000003@redhat.com>
References: <201011291120.37878.jzeleny@redhat.com> <4CF3B684.4000003@redhat.com>
Message-ID: <4CF4270B.4020107@redhat.com>

Pavel Zuna wrote:
> On 11/29/2010 11:20 AM, Jan Zelený wrote:
>> This patch contains a part of my original 0008 patch. The rest of it
>> is solved
>> differently (see my patch 0010).
>>
>>
>
> ACK.
>
> Pavel

Pushed to master

From rcritten at redhat.com Mon Nov 29 22:21:54 2010
From: rcritten at redhat.com (Rob Crittenden)
Date: Mon, 29 Nov 2010 17:21:54 -0500
Subject: [Freeipa-devel] [PATCH] 017 Init smods to prevent crash if encode_keys fails
In-Reply-To: <4CEFAF1E.8090005@redhat.com>
References: <4CEFAF1E.8090005@redhat.com>
Message-ID: <4CF42782.2040906@redhat.com>

Jakub Hrozek wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> If encode_keys() failed, we would free the variable smods which is
> uninitialized at the time.

Ok, seems simple enough. Ack, pushed to master.

>
> btw I've seen encode_keys() fail on me during ber-encoding of the octet
> part of the key..which is how I found this bug. I'm not able to
> reproduce it ATM and I've been upgrading to 389-ds 1.2.7 just before
> that, so maybe it was related to the upgrade..should I just file a bug
> or check if I can reproduce it again?

Yes, if you can find a reproducer please file a bug.

rob

From JR.Aquino at citrix.com Mon Nov 29 22:47:37 2010
From: JR.Aquino at citrix.com (JR Aquino)
Date: Mon, 29 Nov 2010 22:47:37 +0000
Subject: [Freeipa-devel] Host groups and netgroups
In-Reply-To: <4CED6526.1060702@redhat.com>
Message-ID:

On 11/24/10 11:19 AM, "Dmitri Pal" wrote:

>Hello,
>
>It is well known that with IPA we want to try to move people from the
>netgroups to host groups but many companies currently use netgroups as
>hostgroups. To simplify migration I suggest that we by default always
>create a managed "nisnetgroup" entry that would map 1-1 to the host
>group using managed entry plugin. The logic would work the following way:
>
>1) When the host group is created the netgroup also will be created with
>the same name and memberHost attribute pointing to the DN of the newly
>created host group
>2) The deletion of the host group will automatically remove managed
>netgroup
>3) The rename of the host group (if allowed) should cause the managed
>group to be renamed too.
>
>In the UI/CLI we will filter out managed netgroups in all cases related
>to identity part of the server (list of netgroups, users members of the
>netgroup, hosts members of netgroup, etc.). The netgroups will be
>available only in the special cases like SUDO plugin.
>
>The work will consist of:
>1) Defining the managed entry plugin config for this case
>2) Adding this configuration to the installation sequence
>3) Updating netgroup searches to filter out managed entries
>4) Allow all netgroups in SUDO plugin (I think this is already the case).
>
>If this proposal looks reasonable I will open a ticket.
>JR will you be able to provide a patch that does all of this since this
>is not exactly what we originally planned?

This proposal looks reasonable.

I will be working this week to explore handling this in either the 'Managed Entries' or 'Plugin' Route to see which is the most appropriate.

From rcritten at redhat.com Tue Nov 30 03:06:00 2010
From: rcritten at redhat.com (Rob Crittenden)
Date: Mon, 29 Nov 2010 22:06:00 -0500
Subject: [Freeipa-devel] [PATCH] Enable filtering search results by member attributes.
In-Reply-To: <4CF34E28.2040209@redhat.com>
References: <4CF34E28.2040209@redhat.com>
Message-ID: <4CF46A18.3020906@redhat.com>

Pavel Zůna wrote:
> LDAPSearch base class has now the ability to generate additional
> options for objects with member attributes. These options are
> used to filter search results - search only for objects without
> the specified members.
>
> Any class that extends LDAPSearch can benefit from this functionality.
> This patch enables it for the following objects:
> group, netgroup, rolegroup, hostgroup, taskgroup
>
> Example:
> ipa group-find --no-users=admin
>
> Only direct members are taken into account, but if we need indirect
> members as well - it's not a problem.
>
> Ticket #288
>
> Pavel

This works as advertised but I wonder what would happen if a huge list of members was passed in to ignore. Is there a limit on the search filter size (remember that the member will be translated into a full dn so will quickly grow in size). Should we impose a configurable limit on the # of members to be excluded? Is there a max search filter size and should we check that we haven't exceeded that before doing a search?

rob

From dpal at redhat.com Tue Nov 30 13:26:38 2010
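The filter construction behind `--no-users=admin` from Pavel's patch description, together with the size caps Rob asks about in this reply, as an added example that is not the LDAPSearch code from the patch: each member name is turned into a full DN under its container (which is why the filter grows quickly), assertion values are escaped per RFC 4515, and both the number of excluded members and the final filter length are checked against hypothetical configurable limits before any search is issued. The limit values, the objectclass in the sample and the DNs are constructed for this example.

```python
"""Exclusion filters for "find objects without these members" searches.

Added example; not the LDAPSearch code from the patch under review.
Assumes the member attribute stores full DNs, so a name given on the
command line is first expanded into a DN under its container. Values
are escaped per RFC 4515 and the number of excluded members and the
filter length are capped by hypothetical configurable limits.
"""

MAX_EXCLUDED_MEMBERS = 100     # hypothetical default; make it configurable
MAX_FILTER_LENGTH = 8192       # hypothetical cap; servers differ, so check it


def escape_filter_value(value):
    """Escape the characters RFC 4515 reserves in an assertion value."""
    out = []
    for ch in value:
        if ch in "*()\\\x00":
            out.append("\\%02x" % ord(ch))
        else:
            out.append(ch)
    return "".join(out)


def member_dn(name, rdn_attr, container):
    """Build the DN of a named member, e.g. uid=admin under the users container.

    The name is used verbatim in the RDN; DN-level escaping of commas and
    the like (RFC 4514) is a separate concern not covered here.
    """
    return "%s=%s,%s" % (rdn_attr, name, container)


def build_exclusion_filter(base_filter, member_attr, excluded_dns,
                           max_excluded=MAX_EXCLUDED_MEMBERS,
                           max_length=MAX_FILTER_LENGTH):
    """Return (&base(!(member=dn1))(!(member=dn2))...), or raise if too big."""
    if len(excluded_dns) > max_excluded:
        raise ValueError("%d members to exclude, limit is %d"
                         % (len(excluded_dns), max_excluded))
    clauses = "".join("(!(%s=%s))" % (member_attr, escape_filter_value(dn))
                      for dn in excluded_dns)
    search_filter = "(&%s%s)" % (base_filter, clauses)
    if len(search_filter) > max_length:
        raise ValueError("filter is %d bytes, limit is %d"
                         % (len(search_filter), max_length))
    return search_filter


if __name__ == "__main__":
    # Constructed sample mirroring `ipa group-find --no-users=admin`.
    users_base = "cn=users,cn=accounts,dc=example,dc=com"
    excluded = [member_dn("admin", "uid", users_base)]
    print(build_exclusion_filter("(objectclass=ipausergroup)", "member", excluded))
```

Rejecting an oversized request before the search, rather than letting the directory server refuse or truncate it, is what makes the limit a useful check: the caller gets a clear error naming the configured bound instead of a generic LDAP failure.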
From: dpal at redhat.com (Dmitri Pal)
Date: Tue, 30 Nov 2010 08:26:38 -0500
Subject: [Freeipa-devel] Host groups and netgroups
In-Reply-To:
References:
Message-ID: <4CF4FB8E.4090600@redhat.com>

JR Aquino wrote:
> On 11/24/10 11:19 AM, "Dmitri Pal" wrote:
>
>
>> Hello,
>>
>> It is well known that with IPA we want to try to move people from the
>> netgroups to host groups but many companies currently use netgroups as
>> hostgroups. To simplify migration I suggest that we by default always
>> create a managed "nisnetgroup" entry that would map 1-1 to the host
>> group using managed entry plugin. The logic would work the following way:
>>
>> 1) When the host group is created the netgroup also will be created with
>> the same name and memberHost attribute pointing to the DN of the newly
>> created host group
>> 2) The deletion of the host group will automatically remove managed
>> netgroup
>> 3) The rename of the host group (if allowed) should cause the managed
>> group to be renamed too.
>>
>> In the UI/CLI we will filter out managed netgroups in all cases related
>> to identity part of the server (list of netgroups, users members of the
>> netgroup, hosts members of netgroup, etc.). The netgroups will be
>> available only in the special cases like SUDO plugin.
>>
>> The work will consist of:
>> 1) Defining the managed entry plugin config for this case
>> 2) Adding this configuration to the installation sequence
>> 3) Updating netgroup searches to filter out managed entries
>> 4) Allow all netgroups in SUDO plugin (I think this is already the case).
>>
>> If this proposal looks reasonable I will open a ticket.
>> JR will you be able to provide a patch that does all of this since this
>> is not exactly what we originally planned?
>>
>
> This proposal looks reasonable.
>
> I will be working this week to explore handling this in either the
> 'Managed Entries' or 'Plugin' Route to see which is the most appropriate.
>
>

I opened a ticket https://fedorahosted.org/freeipa/ticket/543

JR do you have a Fedora account?

--
Thank you,
Dmitri Pal

Sr. Engineering Manager IPA project,
Red Hat Inc.

-------------------------------
Looking to carve out IT costs?
www.redhat.com/carveoutcosts/

From ssorce at redhat.com Tue Nov 30 14:42:41 2010
From: ssorce at redhat.com (Simo Sorce)
Date: Tue, 30 Nov 2010 09:42:41 -0500
Subject: [Freeipa-devel] [PATCH] 620 add ipaUniqueId to UPGs
In-Reply-To: <4CF42559.3040306@redhat.com>
References: <4CF42559.3040306@redhat.com>
Message-ID: <20101130094241.42566527@willson.li.ssimo.org>

On Mon, 29 Nov 2010 17:12:41 -0500
Rob Crittenden wrote:

> Add ipaUniqueId to user private groups. If we didn't then when the
> group is detached we need to add it and this makes the acis more
> problematic.
>
> I had to move where we load the UPG ldif until after the restart so
> the schema is available.
>
> rob

ACK.

Simo.

--
Simo Sorce * Red Hat, Inc * New York

From rcritten at redhat.com Tue Nov 30 14:52:17 2010
From: rcritten at redhat.com (Rob Crittenden)
Date: Tue, 30 Nov 2010 09:52:17 -0500
Subject: [Freeipa-devel] [PATCH] 620 add ipaUniqueId to UPGs
In-Reply-To: <20101130094241.42566527@willson.li.ssimo.org>
References: <4CF42559.3040306@redhat.com> <20101130094241.42566527@willson.li.ssimo.org>
Message-ID: <4CF50FA1.7000107@redhat.com>

Simo Sorce wrote:
> On Mon, 29 Nov 2010 17:12:41 -0500
> Rob Crittenden wrote:
>
>> Add ipaUniqueId to user private groups. If we didn't then when the
>> group is detached we need to add it and this makes the acis more
>> problematic.
>>
>> I had to move where we load the UPG ldif until after the restart so
>> the schema is available.
>>
>> rob
>
> ACK.
>
> Simo.
>

pushed to master

From rcritten at redhat.com Tue Nov 30 15:28:41 2010
From: rcritten at redhat.com (Rob Crittenden)
Date: Tue, 30 Nov 2010 10:28:41 -0500
Subject: [Freeipa-devel] [PATCH] 609 Reduce the number of attributes a host is allowed to write.
In-Reply-To: <20101124094528.72f40f83@willson.li.ssimo.org>
References: <4CDB0DBE.4020803@redhat.com> <20101115130352.GE19666@zeppelin.brq.redhat.com> <4CE1591A.5030703@redhat.com> <4CE435E7.5070203@redhat.com> <20101124094528.72f40f83@willson.li.ssimo.org>
Message-ID: <4CF51829.8080700@redhat.com>

Simo Sorce wrote:
> On Wed, 17 Nov 2010 15:07:03 -0500
> Rob Crittenden wrote:
>
>> +aci: (targetattr != "userPassword || krbPrincipalKey ||
>> sambaLMPassword || sambaNTPassword || passwordHistory || krbMKey ||
>> krbPrincipalName || krbCanonicalName || krbUPEnabled || krbMKey ||
>> krbTicketPolicyReference || krbPrincipalExpiration ||
>> krbPasswordExpiration || krbPwdPolicyReference || krbPrincipalType ||
>> krbPwdHistory || krbLastPwdChange || krbPrincipalAliases ||
>> krbExtraData || krbLastSuccessfulAuth || krbLastFailedAuth ||
>> krbLoginFailedCount || krbTicketFlags || ipaUniqueId || memberOf ||
>> serverHostName || enrolledBy")(version 3.0; acl "Admin can manage any
>> entry"; allow (all) groupdn =
>> "ldap:///cn=admins,cn=groups,cn=accounts,$SUFFIX";)
>
> Ah also forgot to say that I am not sure we want admin to be able to
> change krbPwdHistory and krbLastPwdChange.
> Also not sure about krbLastSuccessfulAuth and krbLastFailedAuth, while
> we might let admin write krbLoginFailedCount in order to unlock an
> automatically locked account that failed preauth too many times.
>
> We also probably do not want admin to be able to change ipaUniqueId.
>
> Simo.
>

These are already attributes that the admin cannot write. Can I just remove the duplicate krbMKey?

rob

From rcritten at redhat.com Tue Nov 30 15:46:28 2010
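A small lint for the `targetattr` exclusion list of an ACI like the one quoted above, as an added example that is neither FreeIPA's aci plugin nor part of this thread: it parses the `(targetattr != "a || b || ...")` clause, reports names listed twice (the duplicate `krbMKey` Rob asks about), rewrites the ACI with each name listed once, and checks that attributes which must stay protected are still in the exclusion. The sample ACI is the one from the thread, with the page's own `$SUFFIX` placeholder; the function names are constructed for this example.

```python
"""Lint the targetattr list of a 389-ds ACI.

Added example, not FreeIPA's aci plugin. Parses the (targetattr != "...")
clause, finds duplicate attribute names, removes them preserving order,
and verifies that required exclusions are still present. SAMPLE_ACI is
the ACI quoted in the thread; $SUFFIX is the page's own placeholder.
"""
import re

TARGETATTR_RE = re.compile(r'\(targetattr\s*(!?=)\s*"([^"]*)"\)', re.IGNORECASE)

SAMPLE_ACI = (
    '(targetattr != "userPassword || krbPrincipalKey || sambaLMPassword || '
    'sambaNTPassword || passwordHistory || krbMKey || krbPrincipalName || '
    'krbCanonicalName || krbUPEnabled || krbMKey || krbTicketPolicyReference || '
    'krbPrincipalExpiration || krbPasswordExpiration || krbPwdPolicyReference || '
    'krbPrincipalType || krbPwdHistory || krbLastPwdChange || krbPrincipalAliases || '
    'krbExtraData || krbLastSuccessfulAuth || krbLastFailedAuth || '
    'krbLoginFailedCount || krbTicketFlags || ipaUniqueId || memberOf || '
    'serverHostName || enrolledBy")(version 3.0; acl "Admin can manage any entry"; '
    'allow (all) groupdn = "ldap:///cn=admins,cn=groups,cn=accounts,$SUFFIX";)'
)


def parse_targetattr(aci):
    """Return (operator, [attribute names]) from the targetattr clause."""
    match = TARGETATTR_RE.search(aci)
    if match is None:
        raise ValueError("ACI has no targetattr clause")
    operator, body = match.group(1), match.group(2)
    attrs = [a.strip() for a in body.split("||") if a.strip()]
    return operator, attrs


def find_duplicates(attrs):
    """Names seen more than once, lower-cased (LDAP attribute names are case-insensitive)."""
    seen, dups = set(), []
    for name in attrs:
        key = name.lower()
        if key in seen:
            if key not in dups:
                dups.append(key)
        else:
            seen.add(key)
    return dups


def dedupe_targetattr(aci):
    """Rewrite the ACI with each targetattr name listed once; first occurrence wins."""
    operator, attrs = parse_targetattr(aci)
    seen, kept = set(), []
    for name in attrs:
        if name.lower() not in seen:
            seen.add(name.lower())
            kept.append(name)
    replacement = '(targetattr %s "%s")' % (operator, " || ".join(kept))
    # A callable replacement avoids backslash processing of the new text.
    return TARGETATTR_RE.sub(lambda m: replacement, aci, count=1)


def unprotected(aci, must_exclude):
    """Names from must_exclude that a 'targetattr !=' ACI fails to exclude."""
    operator, attrs = parse_targetattr(aci)
    if operator != "!=":
        raise ValueError("expected an exclusion list (targetattr !=)")
    present = {a.lower() for a in attrs}
    return [name for name in must_exclude if name.lower() not in present]


if __name__ == "__main__":
    print("duplicates:", find_duplicates(parse_targetattr(SAMPLE_ACI)[1]))
    print("still writable:", unprotected(SAMPLE_ACI, ["userPassword", "ipaUniqueId", "krbMKey"]))
```

The duplicate is harmless to the server (a name listed twice is still excluded), so the point of the `unprotected` check is the opposite failure: an attribute that should be in the exclusion list and is missing, which a plain diff of a long `||` list is easy to overlook.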
From: rcritten at redhat.com (Rob Crittenden)
Date: Tue, 30 Nov 2010 10:46:28 -0500
Subject: [Freeipa-devel] [PATCH] 614 Display user and host membership in netgroups.
In-Reply-To: <20101124084030.22b3226f@willson.li.ssimo.org>
References: <4CE6A3B5.8060606@redhat.com> <201011240900.25066.jzeleny@redhat.com> <20101124084030.22b3226f@willson.li.ssimo.org>
Message-ID: <4CF51C54.3090505@redhat.com>

Simo Sorce wrote:
> On Wed, 24 Nov 2010 09:00:24 +0100
> Jan Zelený wrote:
>
>> Rob Crittenden wrote:
>>> This uses an enhanced memberof plugin that allows multiple
>>> attributes to be configured to create memberOf attributes.
>>>
>>> This patch requires a new 389-ds-base, 1.2.7. This is currently only
>>> available in updates-testing.
>>>
>>> tickets 109 and 110
>>>
>>> To validate:
>>>
>>> # ipa user-add --first=Jim --last=User juser
>>> # ipa netgroup-add --desc=netgroup net1
>>> # ipa netgroup-add-member --users=juser --hosts=`hostname` net1
>>> # ipa netgroup-show net1 (should have the host and user as members)
>>> # ipa user-show juser (should have Member of netgroups)
>>> # ipa host-show `hostname` (should have Member of netgroups)
>>>
>>> rob
>>
>> ACK
>>
>
> Ok pushed to master after rebasing the patch.
> Rob please check as one chunk had to be removed. I believe the change
> is correct but I prefer you to double-check.
>
> Simo.
>
>

Just to close the loop on this, yes your rebase is fine. Thanks.

rob

From ssorce at redhat.com Tue Nov 30 15:47:38 2010
From: ssorce at redhat.com (Simo Sorce)
Date: Tue, 30 Nov 2010 10:47:38 -0500
Subject: [Freeipa-devel] [PATCH] 609 Reduce the number of attributes a host is allowed to write.
In-Reply-To: <4CF51829.8080700@redhat.com>
References: <4CDB0DBE.4020803@redhat.com> <20101115130352.GE19666@zeppelin.brq.redhat.com> <4CE1591A.5030703@redhat.com> <4CE435E7.5070203@redhat.com> <20101124094528.72f40f83@willson.li.ssimo.org> <4CF51829.8080700@redhat.com>
Message-ID: <20101130104738.16bdcec9@willson.li.ssimo.org>

On Tue, 30 Nov 2010 10:28:41 -0500
Rob Crittenden wrote:

> Simo Sorce wrote:
> > On Wed, 17 Nov 2010 15:07:03 -0500
> > Rob Crittenden wrote:
> >
> >> +aci: (targetattr != "userPassword || krbPrincipalKey ||
> >> sambaLMPassword || sambaNTPassword || passwordHistory || krbMKey ||
> >> krbPrincipalName || krbCanonicalName || krbUPEnabled || krbMKey ||
> >> krbTicketPolicyReference || krbPrincipalExpiration ||
> >> krbPasswordExpiration || krbPwdPolicyReference || krbPrincipalType
> >> || krbPwdHistory || krbLastPwdChange || krbPrincipalAliases ||
> >> krbExtraData || krbLastSuccessfulAuth || krbLastFailedAuth ||
> >> krbLoginFailedCount || krbTicketFlags || ipaUniqueId || memberOf ||
> >> serverHostName || enrolledBy")(version 3.0; acl "Admin can manage
> >> any entry"; allow (all) groupdn =
> >> "ldap:///cn=admins,cn=groups,cn=accounts,$SUFFIX";)
> >
> > Ah also forgot to say that I am not sure we want admin to be able to
> > change krbPwdHistory and krbLastPwdChange.
> > Also not sure about krbLastSuccessfulAuth and krbLastFailedAuth,
> > while we might let admin write krbLoginFailedCount in order to
> > unlock an automatically locked account that failed preauth too many
> > times.
> >
> > We also probably do not want admin to be able to change ipaUniqueId.
> >
> > Simo.
> >
>
> These are already attributes that the admin cannot write. Can I just
> remove the duplicate krbMKey?

I guess so.

Simo.
-- 
Simo Sorce * Red Hat, Inc * New York

From rcritten at redhat.com Tue Nov 30 19:02:00 2010
From: rcritten at redhat.com (Rob Crittenden)
Date: Tue, 30 Nov 2010 14:02:00 -0500
Subject: [Freeipa-devel] [PATCH] 621 drop install/tools/README
Message-ID: <4CF54A28.9060101@redhat.com>

The README in install/tools is really for v1 and contains almost nothing useful for v2, so I'm proposing to drop it altogether.

I'm also adding a link to the QuickStart guide on the trac wiki. The guide itself needs a lot of work, but it's a start.

rob

-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-rcrit-621-readme.patch
Type: text/x-patch
Size: 2583 bytes
Desc: not available
URL:

From edewata at redhat.com Tue Nov 30 19:21:01 2010
From: edewata at redhat.com (Endi Sukma Dewata)
Date: Tue, 30 Nov 2010 13:21:01 -0600
Subject: [Freeipa-devel] [PATCH] Multicolumn association facet
Message-ID: <4CF54E9D.6050808@redhat.com>

Hi,

Please review the attached patch. Thanks!

https://fedorahosted.org/reviewboard/r/111/

The association facet has been modified to support multiple columns. By default the facet will have one column which is the primary key of the associated object (e.g. username of a group member), so the existing code will work like before. Other fields (e.g. user's full name) can be added by subclassing the ipa_association_facet class and specifying the additional columns to display. These additional fields will be retrieved using a batch operation.

Previously a single association facet instance was used for all associations in an entity. Now each association will have its own association facet. This way each association facet can be customized differently as needed. The -enroll URL parameter has been removed because it's no longer needed.

The ipa_entity.create_association_facets() is provided to generate the default association facets with one column for the primary key.

The column click handler has been moved out of ipa_column to provide more flexibility for customization.

The get_action_panel() and get_client_area() have been modified to search within the entity's container.

The group entity has been fully converted to use the new UI framework.

Association facets that have been modified to use multiple columns are:
- User Group's member_user
- HBAC Service Group's member_hbacsvc
- SUDO Command Group's member_sudocmd
- Service's managedby_host

New test data files have been added. Unit tests have been updated.

-- 
Endi S. Dewata

-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-edewata-0041-Multicolumn-association-facet.patch
Type: text/x-patch
Size: 72484 bytes
Desc: not available
URL:

From rcritten at redhat.com Tue Nov 30 19:31:37 2010
From: rcritten at redhat.com (Rob Crittenden)
Date: Tue, 30 Nov 2010 14:31:37 -0500
Subject: [Freeipa-devel] [PATCH] 609 Reduce the number of attributes a host is allowed to write.
In-Reply-To: <20101130104738.16bdcec9@willson.li.ssimo.org>
References: <4CDB0DBE.4020803@redhat.com> <20101115130352.GE19666@zeppelin.brq.redhat.com> <4CE1591A.5030703@redhat.com> <4CE435E7.5070203@redhat.com> <20101124094528.72f40f83@willson.li.ssimo.org> <4CF51829.8080700@redhat.com> <20101130104738.16bdcec9@willson.li.ssimo.org>
Message-ID: <4CF55119.3050007@redhat.com>

Simo Sorce wrote:
> I guess so.

Ok, removed the duplicate krbMKey and pushed to master

rob

From ayoung at redhat.com Tue Nov 30 20:10:53 2010
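A small lint for the "Admin can manage any entry" ACI discussed in the 609 thread above, added here as an example rather than FreeIPA code: it parses the targetattr list, finds the duplicate krbMKey, and shows which attributes a `!=` list leaves writable. The ACI text is copied from the thread ($SUFFIX kept as the template placeholder); the helper names, the SENSITIVE list and the name constructedSecretAttr are this example's own assumptions.

```python
"""Lint the targetattr clause of a 389-ds ACI (the 609-thread ACI).

Added example, not FreeIPA code. ACI is copied from the thread; the helpers
and the SENSITIVE list are this example's own.
"""
import re

ACI = (
    '(targetattr != "userPassword || krbPrincipalKey || sambaLMPassword || '
    'sambaNTPassword || passwordHistory || krbMKey || krbPrincipalName || '
    'krbCanonicalName || krbUPEnabled || krbMKey || krbTicketPolicyReference || '
    'krbPrincipalExpiration || krbPasswordExpiration || krbPwdPolicyReference || '
    'krbPrincipalType || krbPwdHistory || krbLastPwdChange || krbPrincipalAliases || '
    'krbExtraData || krbLastSuccessfulAuth || krbLastFailedAuth || '
    'krbLoginFailedCount || krbTicketFlags || ipaUniqueId || memberOf || '
    'serverHostName || enrolledBy")(version 3.0; acl "Admin can manage any entry"; '
    'allow (all) groupdn = "ldap:///cn=admins,cn=groups,cn=accounts,$SUFFIX";)'
)

# Attributes a reviewer wants protected. The first four were raised in the
# thread; the last is a constructed name deliberately absent from the ACI.
SENSITIVE = ["krbPwdHistory", "krbLastPwdChange", "ipaUniqueId",
             "krbLoginFailedCount", "constructedSecretAttr"]

_TARGETATTR = re.compile(r'\(\s*targetattr\s*(!?=)\s*"([^"]*)"\s*\)', re.IGNORECASE)
_ACL_NAME = re.compile(r'\bacl\s+"([^"]*)"')


def parse_targetattr(aci):
    """Return (operator, attributes) from the targetattr clause.

    '=' means the ACI applies only to the listed attributes; '!=' means it
    applies to every attribute except the listed ones.
    """
    m = _TARGETATTR.search(aci)
    if m is None:
        raise ValueError("no targetattr clause found")
    attrs = [a.strip() for a in m.group(2).split("||") if a.strip()]
    return m.group(1), attrs


def duplicate_attrs(attrs):
    """Names listed more than once (LDAP attribute names are case-insensitive)."""
    seen, dups = set(), []
    for a in attrs:
        key = a.lower()
        if key in seen and key not in [d.lower() for d in dups]:
            dups.append(a)
        seen.add(key)
    return dups


def aci_covers(aci, attr):
    """True if the ACI grants its rights on attr.

    With a '!=' list the default is 'covered': any attribute that is not
    named, including one added by a later schema change, is writable.
    """
    op, attrs = parse_targetattr(aci)
    listed = attr.lower() in {a.lower() for a in attrs}
    return listed if op == "=" else not listed


def lint(aci, sensitive=SENSITIVE):
    """Report duplicates and which sensitive attributes the ACI still covers."""
    op, attrs = parse_targetattr(aci)
    name = _ACL_NAME.search(aci)
    return {
        "acl": name.group(1) if name else None,
        "operator": op,
        "attributes": len(attrs),
        "duplicates": duplicate_attrs(attrs),
        "unprotected": [a for a in sensitive if aci_covers(aci, a)],
    }


if __name__ == "__main__":
    for key, value in lint(ACI).items():
        print("%-12s %s" % (key, value))
```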
From: ayoung at redhat.com (Adam Young)
Date: Tue, 30 Nov 2010 15:10:53 -0500
Subject: [Freeipa-devel] [PATCH] Multicolumn association facet
In-Reply-To: <4CF54E9D.6050808@redhat.com>
References: <4CF54E9D.6050808@redhat.com>
Message-ID: <4CF55A4D.6040209@redhat.com>

On 11/30/2010 02:21 PM, Endi Sukma Dewata wrote:
> Hi,
>
> Please review the attached patch. Thanks!
>
> https://fedorahosted.org/reviewboard/r/111/
>
> The association facet has been modified to support multiple columns.
> By default the facet will have one column which is the primary key of
> the associated object (e.g. username of a group member), so the
> existing code will work like before. Other fields (e.g. user's full
> name) can be added by subclassing the ipa_association_facet class and
> specifying the additional columns to display. These additional fields
> will be retrieved using a batch operation.
>
> Previously a single association facet instance was used for all
> associations in an entity. Now each association will have its own
> association facet. This way each association facet can be customized
> differently as needed. The -enroll URL parameter has been
> removed because it's no longer needed.
>
> The ipa_entity.create_association_facets() is provided to generate
> the default association facets with one column for the primary key.
>
> The column click handler has been moved out of ipa_column to provide
> more flexibility for customization.
>
> The get_action_panel() and get_client_area() have been modified to
> search within the entity's container.
>
> The group entity has been fully converted to use the new UI framework.
>
> Association facets that have been modified to use multiple columns are:
> - User Group's member_user
> - HBAC Service Group's member_hbacsvc
> - SUDO Command Group's member_sudocmd
> - Service's managedby_host
>
> New test data files have been added. Unit tests have been updated.
>
> _______________________________________________
> Freeipa-devel mailing list
> Freeipa-devel at redhat.com
> https://www.redhat.com/mailman/listinfo/freeipa-devel

ACK. Pushed to master

-------------- next part --------------
An HTML attachment was scrubbed...
URL:

From rcritten at redhat.com Tue Nov 30 20:13:15 2010
From: rcritten at redhat.com (Rob Crittenden)
Date: Tue, 30 Nov 2010 15:13:15 -0500
Subject: [Freeipa-devel] [PATCH] 622 fix passwd output
Message-ID: <4CF55ADB.5010101@redhat.com>

A couple of Password attributes had no label so prompting looked bad.

When printing exceptions we need to convert the label and error to unicode so translations work.

Use standard output routines instead of output_for_cli() in passwd plugin.

ticket 352

rob

-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-rcrit-622-passwd.patch
Type: text/x-patch
Size: 3800 bytes
Desc: not available
URL:

From rcritten at redhat.com Tue Nov 30 20:14:48 2010
From: rcritten at redhat.com (Rob Crittenden)
Date: Tue, 30 Nov 2010 15:14:48 -0500
Subject: [Freeipa-devel] [PATCH] Prompt correctly for required Password params.
In-Reply-To: <4CED0DC7.8030806@redhat.com>
References: <4CED0DC7.8030806@redhat.com>
Message-ID: <4CF55B38.1000307@redhat.com>

Pavel Zuna wrote:
> Required Password params were prompted for like any other non-Password
> params, resulting in the password being displayed on the command line
> and there was no confirmation.
>
> Ticket #361
>
> Pavel

Ack, pushed to master

rob

From pzuna at redhat.com Tue Nov 30 22:27:15 2010
From: pzuna at redhat.com (Pavel Zůna)
Date: Tue, 30 Nov 2010 23:27:15 +0100
Subject: [Freeipa-devel] [PATCH] Enable filtering search results by member attributes.
In-Reply-To: <4CF46A18.3020906@redhat.com>
References: <4CF34E28.2040209@redhat.com> <4CF46A18.3020906@redhat.com>
Message-ID: <4CF57A43.8090006@redhat.com>

On 2010-11-30 04:06, Rob Crittenden wrote:
> Pavel Zůna wrote:
>> LDAPSearch base class has now the ability to generate additional
>> options for objects with member attributes. These options are
>> used to filter search results - search only for objects without
>> the specified members.
>>
>> Any class that extends LDAPSearch can benefit from this functionality.
>> This patch enables it for the following objects:
>> group, netgroup, rolegroup, hostgroup, taskgroup
>>
>> Example:
>> ipa group-find --no-users=admin
>>
>> Only direct members are taken into account, but if we need indirect
>> members as well - it's not a problem.
>>
>> Ticket #288
>>
>> Pavel
>
> This works as advertised but I wonder what would happen if a huge list
> of members was passed in to ignore. Is there a limit on the search
> filter size (remember that the member will be translated into a full dn
> so will quickly grow in size).
>
> Should we impose a configurable limit on the # of members to be excluded?
>
> Is there a max search filter size and should we check that we haven't
> exceeded that before doing a search?
>
> rob

I tried it out with more than 1000 users and was getting an unwilling to perform error (search filter nested too deep). After a little bit of investigation, I figured the filter was being generated like this:

(&(&(!(a=v))(!(a2=v2))))

We were going deeper with each additional DN!

I updated the patch to generate the filter like this instead:

(!(|(a=v)(a2=v2)))

Tried it again with more than 1000 users (~55Kb) - it worked and wasn't even slow.

Updated patch attached.
I also had to fix a bug in the ldap2 filter generator; as a result, this patch depends on my patch number 43.

Pavel

-------------- next part --------------
A non-text attachment was scrubbed...
Name: pzuna-freeipa-0042-2-filterenroll.patch
Type: text/x-patch
Size: 5487 bytes
Desc: not available
URL:

From pzuna at redhat.com Tue Nov 30 22:28:28 2010
From: pzuna at redhat.com (Pavel Zůna)
Date: Tue, 30 Nov 2010 23:28:28 +0100
Subject: [Freeipa-devel] [PATCH] Fix search filter generator in ldap2 for NOT operator.
Message-ID: <4CF57A8C.9050707@redhat.com>

Search filters generated from attributes with multiple values were incorrect when the NOT operator was used (ldap.MATCH_NONE).

Pavel

-------------- next part --------------
A non-text attachment was scrubbed...
Name: pzuna-freeipa-0043-notfilter.patch
Type: text/x-patch
Size: 1193 bytes
Desc: not available
URL:

From ayoung at redhat.com Tue Nov 30 22:39:33 2010
From: ayoung at redhat.com (Adam Young)
Date: Tue, 30 Nov 2010 17:39:33 -0500
Subject: [Freeipa-devel] [PATCH] admiyo-0105-action-panel-sibling
Message-ID: <4CF57D25.1000306@redhat.com>

A note on this patch: I changed the labels on a couple of the entities for consistency's sake, including:

Added 'HBAC' to the label for HBAC services
Capitalized SUDO
Removed the word Rule from the SUDO label

Not sure if these will have any effect on the CLI. I suspect not, and that the QW team isn't writing tests for SUDO yet that make use of the Label field.

-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-admiyo-0105-action-panel-sibling.patch
Type: text/x-patch
Size: 31256 bytes
Desc: not available
URL:

From rcritten at redhat.com Tue Nov 30 22:38:53 2010
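The flat exclusion filter Pavel describes in the search-filter thread above (`(!(|(a=v)(a2=v2)))` instead of an AND nested one level deeper per DN), as an added example that is not the ldap2 code from his patch. SUFFIX and the member DNs are constructed, the function names are this example's own, and value escaping follows RFC 4515; `filter_depth` measures the nesting that 389-ds rejected as "nested too deep".

```python
"""Flat vs. nested LDAP exclusion filters, after the fix described above.

Added example, not the ldap2 code from the patch. SUFFIX and the member DNs
are constructed; value escaping follows RFC 4515.
"""

SUFFIX = "dc=example,dc=com"  # constructed


def user_dn(uid):
    """DN of a user entry under the constructed suffix."""
    return "uid=%s,cn=users,cn=accounts,%s" % (uid, SUFFIX)


def escape_filter_value(value):
    """Escape the characters RFC 4515 reserves inside an assertion value."""
    out = []
    for ch in value:
        if ch in "\\*()\x00":
            out.append("\\%02x" % ord(ch))
        else:
            out.append(ch)
    return "".join(out)


def nested_exclusion_filter(attr, values):
    """The shape the old generator produced: another AND wraps the filter for
    every extra value, so it gets one level deeper per excluded DN."""
    filt = None
    for v in values:
        term = "(!(%s=%s))" % (attr, escape_filter_value(v))
        filt = term if filt is None else "(&%s%s)" % (filt, term)
    return filt


def flat_exclusion_filter(attr, values):
    """The fixed shape: one NOT over one OR, depth 3 however many values.

    Returns None for an empty list (nothing to exclude).
    """
    if not values:
        return None
    terms = "".join("(%s=%s)" % (attr, escape_filter_value(v)) for v in values)
    return "(!%s)" % terms if len(values) == 1 else "(!(|%s))" % terms


def search_filter(base, attr, values):
    """Combine an object-class filter with the exclusion, as group-find would."""
    excl = flat_exclusion_filter(attr, values)
    return base if excl is None else "(&%s%s)" % (base, excl)


def filter_depth(filt):
    """Maximum parenthesis nesting of a filter string."""
    depth = deepest = 0
    i = 0
    while i < len(filt):
        ch = filt[i]
        if ch == "\\":          # escaped byte such as \28: not a real parenthesis
            i += 3
            continue
        if ch == "(":
            depth += 1
            deepest = max(deepest, depth)
        elif ch == ")":
            depth -= 1
        i += 1
    return deepest


if __name__ == "__main__":
    members = [user_dn("user%d" % n) for n in range(1000)]
    print("nested depth:", filter_depth(nested_exclusion_filter("member", members)))
    print("flat depth:  ", filter_depth(flat_exclusion_filter("member", members)))
    print(search_filter("(objectclass=ipaUserGroup)", "member", [user_dn("admin")]))
```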
From: rcritten at redhat.com (Rob Crittenden)
Date: Tue, 30 Nov 2010 17:38:53 -0500
Subject: [Freeipa-devel] [PATCH] 623 quote passwords, don't log 'em
Message-ID: <4CF57CFD.6030904@redhat.com>

Properly quote passwords sent to pkisilent so special characters work.

Also check for url-encoded passwords before logging them.

ticket 324

rob

-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-rcrit-623-password.patch
Type: text/x-patch
Size: 4674 bytes
Desc: not available
URL:

From ayoung at redhat.com Tue Nov 30 22:41:52 2010
From: ayoung at redhat.com (Adam Young)
Date: Tue, 30 Nov 2010 17:41:52 -0500
Subject: [Freeipa-devel] [PATCH] Refactoring of baseldap callback invocation
In-Reply-To: <201011291128.11090.jzeleny@redhat.com>
References: <201011291128.11090.jzeleny@redhat.com>
Message-ID: <4CF57DB0.4020104@redhat.com>

On 11/29/2010 05:28 AM, Jan Zelený wrote:
> This patch modifies how PRE, POST and EXC callbacks are invoked in baseldap
> module. It provides method invoke_callbacks which can be used in all classes
> derived from baseldap classes as well.
>
> Pavel, since you originally wrote the baseldap module, I'd be grateful if you
> could review the patch, since you know the best if it covers all callback
> processing possibilities.

Pavel, can you take a look at this one? I want to ACK, but after the last one I looked at like this had unintended consequences, I'm a little wary.

-------------- next part --------------
An HTML attachment was scrubbed...
URL:

From rcritten at redhat.com Tue Nov 30 23:14:03 2010
From: rcritten at redhat.com (Rob Crittenden)
Date: Tue, 30 Nov 2010 18:14:03 -0500
Subject: [Freeipa-devel] [PATCH] 0022 Enable EntryUSN plugin by default
In-Reply-To: <20101123172433.7261d1f2@willson.li.ssimo.org>
References: <20101123172433.7261d1f2@willson.li.ssimo.org>
Message-ID: <4CF5853B.3050608@redhat.com>

Simo Sorce wrote:
>
> This patch enables the entryUSN plugin by default at install time.
>
> EntryUSN numbers are useful for clients that want to track newest
> objects w/o having to care about timestamps dated in the past and
> replicated by other masters.
> EntryUSN numbers are valid only in the context of a single server, as
> each master in the domain keeps its own entryUSN numbers.
>
> Fixes 526
>
> Simo.

ack

From ssorce at redhat.com Tue Nov 30 23:27:13 2010
From: ssorce at redhat.com (Simo Sorce)
Date: Tue, 30 Nov 2010 18:27:13 -0500
Subject: [Freeipa-devel] [PATCH] 0022 Enable EntryUSN plugin by default
In-Reply-To: <4CF5853B.3050608@redhat.com>
References: <20101123172433.7261d1f2@willson.li.ssimo.org> <4CF5853B.3050608@redhat.com>
Message-ID: <20101130182713.34bdfcef@willson.li.ssimo.org>

On Tue, 30 Nov 2010 18:14:03 -0500
Rob Crittenden wrote:

> Simo Sorce wrote:
> >
> > This patch enables the entryUSN plugin by default at install time.
> >
> > EntryUSN numbers are useful for clients that want to track newest
> > objects w/o having to care about timestamps dated in the past and
> > replicated by other masters.
> > EntryUSN numbers are valid only in the context of a single server, as
> > each master in the domain keeps its own entryUSN numbers.
> >
> > Fixes 526
> >
> > Simo.
>
> ack

pushed to master.

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York

From nalin at redhat.com Tue Nov 30 23:38:44 2010
From: nalin at redhat.com (Nalin Dahyabhai) Date: Tue, 30 Nov 2010 18:38:44 -0500 Subject: [Freeipa-devel] [PATCH] sudo and netgroup schema compat updates Message-ID: <20101130233844.GF5731@redhat.com> This is what I've got now; I think it's correct. - fix quoting in the netgroup compat configuration entry - don't bother looking for members of netgroups by looking for entries which list "memberOf: $netgroup" -- the netgroup should list them as "member" or "memberUser" or "memberHost" values - use newer slapi-nis functionality to produce cn=sudoers - drop the real cn=sudoers container to make room for the compat container Feel free to adjust the "schema-compat-container-group" for the "cn=sudoers,cn=Schema Compatibility,cn=plugins,cn=config" entry -- the location of the compat sudo entries is of no concern to me. Cheers, Nalin -------------- next part -------------- >From 9baefea23f5b944d244eed4bef3f85df3203ae45 Mon Sep 17 00:00:00 2001 From: Nalin Dahyabhai Date: Tue, 30 Nov 2010 18:25:33 -0500 Subject: [PATCH] sudo and netgroup schema compat updates - fix quoting in the netgroup compat configuration entry - don't bother looking for members of netgroups by looking for entries which list "memberOf: $netgroup" -- the netgroup should list them as "member" or "memberUser" or "memberHost" values - use newer slapi-nis functionality to produce cn=sudoers - drop the real cn=sudoers container to make room for the compat container --- install/share/bootstrap-template.ldif | 6 ----- install/share/schema_compat.uldif | 37 ++++++++++++++++++++++++++++---- ipa.spec.in | 2 +- 3 files changed, 33 insertions(+), 12 deletions(-) diff --git a/install/share/bootstrap-template.ldif b/install/share/bootstrap-template.ldif index 7946526..283d226 100644 --- a/install/share/bootstrap-template.ldif +++ b/install/share/bootstrap-template.ldif 
@@ -64,12 +64,6 @@ objectClass: top objectClass: nsContainer cn: sudorules -dn: cn=SUDOers,$SUFFIX -changetype: add -objectClass: nsContainer -objectClass: top -cn: SUDOers - dn: cn=etc,$SUFFIX changetype: add objectClass: nsContainer diff --git a/install/share/schema_compat.uldif b/install/share/schema_compat.uldif index 22e3141..52c8d5a 100644 --- a/install/share/schema_compat.uldif +++ b/install/share/schema_compat.uldif @@ -47,7 +47,6 @@ default:schema-compat-entry-attribute: objectclass=posixGroup default:schema-compat-entry-attribute: gidNumber=%{gidNumber} default:schema-compat-entry-attribute: memberUid=%{memberUid} default:schema-compat-entry-attribute: memberUid=%deref("member","uid") -default:schema-compat-entry-attribute: memberUid=%referred("cn=users","memberOf","uid") dn: cn=ng,cn=Schema Compatibility,cn=plugins,cn=config add:objectClass: top 
@@ -56,14 +55,42 @@ add:cn: ng add:schema-compat-container-group: 'cn=compat, $SUFFIX' add:schema-compat-container-rdn: cn=ng add:schema-compat-check-access: yes -add:schema-compat-search-base: 'cn=ng,cn=alt,$SUFFIX' -add:schema-compat-search-filter: !(cn=ng) +add:schema-compat-search-base: 'cn=ng, cn=alt, $SUFFIX' +add:schema-compat-search-filter: (objectclass=ipaNisNetgroup) add:schema-compat-entry-rdn: cn=%{cn} add:schema-compat-entry-attribute: objectclass=nisNetgroup add:schema-compat-entry-attribute: 'memberNisNetgroup=%deref_r("member","cn")' -add:schema-compat-entry-attribute: 'memberNisNetgroup=%referred_r("cn=ng","memberOf","cn")' -add:schema-compat-entry-attribute: nisNetgroupTriple=(%link("%ifeq(\"hostCategory\",\"all\",\"\",\"%collect(\\\"%{externalHost}\\\",\\\"%deref(\\\\\\\"memberHost\\\\\\\",\\\\\\\"fqdn\\\\\\\")\\\",\\\"%deref_r(\\\\\\\"member\\\\\\\",\\\\\\\"fqdn\\\\\\\")\\\",\\\"%deref_r(\\\\\\\"memberHost\\\\\\\",\\\\\\\"member\\\\\\\",\\\\\\\"fqdn\\\\\\\")\\\")\")","-",",","%ifeq(\"userCategory\",\"all\",\"\",\"%collect(\\\"%deref(\\\\\\\"memberUser\\\\\\\",\\\\\\\"uid\\\\\\\")\\\",\\\"%deref_r(\\\\\\\"member\\\\\\\",\\\\\\\"uid\\\\\\\")\\\",\\\"%deref_r(\\\\\\\"memberUser\\\\\\\",\\\\\\\"member\\\\\\\",\\\\\\\"uid\\\\\\\")\\\")\")","-"),%{nisDomainName:-}) +add:schema-compat-entry-attribute: 'nisNetgroupTriple=(%link("%ifeq(\"hostCategory\",\"all\",\"\",\"%collect(\\\"%{externalHost}\\\",\\\"%deref(\\\\\\\"memberHost\\\\\\\",\\\\\\\"fqdn\\\\\\\")\\\",\\\"%deref_r(\\\\\\\"member\\\\\\\",\\\\\\\"fqdn\\\\\\\")\\\",\\\"%deref_r(\\\\\\\"memberHost\\\\\\\",\\\\\\\"member\\\\\\\",\\\\\\\"fqdn\\\\\\\")\\\")\")","-",",","%ifeq(\"userCategory\",\"all\",\"\",\"%collect(\\\"%deref(\\\\\\\"memberUser\\\\\\\",\\\\\\\"uid\\\\\\\")\\\",\\\"%deref_r(\\\\\\\"member\\\\\\\",\\\\\\\"uid\\\\\\\")\\\",\\\"%deref_r(\\\\\\\"memberUser\\\\\\\",\\\\\\\"member\\\\\\\",\\\\\\\"uid\\\\\\\")\\\")\")","-"),%{nisDomainName:-})' + +dn: cn=sudoers,cn=Schema 
Compatibility,cn=plugins,cn=config +add:objectClass: top +add:objectClass: extensibleObject +add:cn: sudoers +add:schema-compat-container-group: 'cn=SUDOers, $SUFFIX' +add:schema-compat-search-base: 'cn=sudorules, $SUFFIX' +add:schema-compat-search-filter: (&(objectclass=ipaSudoRule)(!(compatVisible=FALSE))(!(ipaEnabledFlag=FALSE))) +add:schema-compat-entry-rdn: cn=%{cn} +add:schema-compat-entry-attribute: objectclass=sudoRole +add:schema-compat-entry-attribute: 'sudoUser=%ifeq("userCategory","all","ALL","%{externalUser}")' +add:schema-compat-entry-attribute: 'sudoUser=%ifeq("userCategory","all","ALL","%deref_f(\"memberUser\",\"(objectclass=posixAccount)\",\"uid\")")' +add:schema-compat-entry-attribute: 'sudoUser=%ifeq("userCategory","all","ALL","%deref_rf(\"memberUser\",\"(&(objectclass=ipaUserGroup)(!(objectclass=posixGroup)))\",\"member\",\"(|(objectclass=ipaUserGroup)(objectclass=posixAccount))\",\"uid\")")' +add:schema-compat-entry-attribute: 'sudoUser=%ifeq("userCategory","all","ALL","%%%deref_f(\"memberUser\",\"(objectclass=posixGroup)\",\"cn\")")' +add:schema-compat-entry-attribute: 'sudoUser=%ifeq("userCategory","all","ALL","+%deref_f(\"memberUser\",\"(objectclass=ipaNisNetgroup)\",\"cn\")")' +add:schema-compat-entry-attribute: 'sudoHost=%ifeq("hostCategory","all","ALL","%{externalHost}")' +add:schema-compat-entry-attribute: 'sudoHost=%ifeq("hostCategory","all","ALL","%deref_f(\"memberHost\",\"(objectclass=ipaHost)\",\"fqdn\")")' +add:schema-compat-entry-attribute: 'sudoHost=%ifeq("hostCategory","all","ALL","%deref_rf(\"memberHost\",\"(objectclass=ipaHostGroup)\",\"member\",\"(|(objectclass=ipaHostGroup)(objectclass=ipaHost))\",\"fqdn\")")' +add:schema-compat-entry-attribute: 'sudoHost=%ifeq("hostCategory","all","ALL","+%deref_f(\"memberHost\",\"(objectclass=ipaNisNetgroup)\",\"cn\")")' +add:schema-compat-entry-attribute: 'sudoCommand=%ifeq("cmdCategory","all","ALL","%deref(\"memberAllowCmd\",\"sudoCmd\")")' +add:schema-compat-entry-attribute: 
'sudoCommand=%ifeq("cmdCategory","all","ALL","%deref_r(\"memberAllowCmd\",\"member\",\"sudoCmd\")")' +add:schema-compat-entry-attribute: 'sudoCommand=%ifeq("cmdCategory","all","ALL","!%deref(\"memberDenyCmd\",\"sudoCmd\")")' +add:schema-compat-entry-attribute: 'sudoCommand=%ifeq("cmdCategory","all","ALL","!%deref_r(\"memberDenyCmd\",\"member\",\"sudoCmd\")")' +add:schema-compat-entry-attribute: 'sudoRunAsUser=%{ipaSudoRunAsExtUser}' +add:schema-compat-entry-attribute: 'sudoRunAsUser=%deref("ipaSudoRunAs","uid")' +add:schema-compat-entry-attribute: 'sudoRunAsGroup=%{ipaSudoRunAsExtGroup}' +add:schema-compat-entry-attribute: 'sudoRunAsGroup=%deref("ipaSudoRunAs","cn")' +add:schema-compat-entry-attribute: 'sudoOption=%{ipaSudoOpt}' # Enable anonymous VLV browsing for Solaris dn: oid=2.16.840.1.113730.3.4.9,cn=features,cn=config only:aci: '(targetattr !="aci")(version 3.0; acl "VLV Request Control"; allow (read, search, compare, proxy) userdn = "ldap:///anyone"; )' + diff --git a/ipa.spec.in b/ipa.spec.in index 775c52e..389dd08 100644 --- a/ipa.spec.in +++ b/ipa.spec.in @@ -91,7 +91,7 @@ Requires: libcap Requires: selinux-policy %endif Requires(post): selinux-policy-base -Requires: slapi-nis >= 0.15 +Requires: slapi-nis >= 0.21 Requires: pki-ca >= 1.3.6 Requires: pki-silent >= 1.3.4 -- 1.7.3.2
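Review bot: the bootstrap-template.ldif hunk only stops creating `cn=SUDOers,$SUFFIX` on fresh installs. A server installed before this change already has that real container, and the new compat entry's `schema-compat-container-group: 'cn=SUDOers, $SUFFIX'` would then have to coexist with it; either an upgrade step that removes the existing container is missing, or the commit message should state that this is install-time only.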
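Review bot: the first schema_compat.uldif hunk removes the `memberUid=%referred("cn=users","memberOf","uid")` line from the default group entry, but the commit message explains the memberOf removal only for netgroups; please confirm in the message that group membership is always carried on `member` (so no memberUid values disappear from cn=compat) or restore the line.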
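Review bot: the new `cn=sudoers,cn=Schema Compatibility,cn=plugins,cn=config` entry sets no `schema-compat-check-access`, while the `cn=ng` entry in the same file has `add:schema-compat-check-access: yes`. If leaving it out is deliberate (clients without read rights on cn=sudorules still need the compat sudoers tree), say so in the commit message; otherwise add the line, since the generated sudoRole entries expose rule membership, commands and run-as users to whoever can read cn=SUDOers. The same hunk also adds a whitespace-only line (the lone `+` after the VLV aci entry) that should be dropped.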