From pzuna at redhat.com Fri Oct 1 12:47:56 2010
From: pzuna at redhat.com (Pavel Zuna)
Date: Fri, 01 Oct 2010 14:47:56 +0200
Subject: [Freeipa-devel] [PATCH] Add flag to group-find to only search on private groups.
Message-ID: <4CA5D87C.5010104@redhat.com>

Ticket #251

Pavel
-------------- next part --------------
A non-text attachment was scrubbed...
Name: pzuna-freeipa-0024-searchprvgroup.patch
Type: text/x-patch
Size: 1468 bytes
Desc: not available
URL:

From pzuna at redhat.com Fri Oct 1 12:49:21 2010
From: pzuna at redhat.com (Pavel Zuna)
Date: Fri, 01 Oct 2010 14:49:21 +0200
Subject: [Freeipa-devel] [PATCH] Add LDAPMultiQuery base class and make it the base of LDAPDelete
Message-ID: <4CA5D8D1.6070007@redhat.com>

In other words: make *-del commands accept 1 or more primary keys of entries to be deleted. We can now delete more entries at a time with a single command.

Ticket #20

Pavel
-------------- next part --------------
A non-text attachment was scrubbed...
Name: pzuna-freeipa-0025-massdelete.patch
Type: text/x-patch
Size: 5527 bytes
Desc: not available
URL:

From pzuna at redhat.com Fri Oct 1 12:50:54 2010
From: pzuna at redhat.com (Pavel Zuna)
Date: Fri, 01 Oct 2010 14:50:54 +0200
Subject: [Freeipa-devel] [PATCH] Add Delete capabilities to Search facet in the WebUI.
Message-ID: <4CA5D92E.90903@redhat.com>

This depends on my patch number 25! It should apply without it, but deleting entries won't work properly.

Ticket #206

Pavel
-------------- next part --------------
A non-text attachment was scrubbed...
Name: pzuna-freeipa-0026-webuidelete.patch
Type: text/x-patch
Size: 6239 bytes
Desc: not available
URL:

From admin at transifex.net Fri Oct 1 12:55:09 2010
From: admin at transifex.net (admin at transifex.net)
Date: Fri, 01 Oct 2010 12:55:09 -0000
Subject: [Freeipa-devel] [Transifex] File submitted via email to FreeIPA | master
Message-ID: <20101001125509.28895.62228@web1.transifex.net>

Hello freeipa, this is Transifex at http://www.transifex.net.

The following attached files were submitted to FreeIPA | master by raven

Please, visit Transifex at http://www.transifex.net/projects/p/freeipa/c/master/ in order to see the component page.

Thank you,
Transifex
-------------- next part --------------
# translation of pl.po to Polish
# Piotr Drąg , 2010.
#
msgid ""
msgstr ""
"Project-Id-Version: pl\n"
"Report-Msgid-Bugs-To: https://hosted.fedoraproject.org/projects/freeipa/newticket\n"
"POT-Creation-Date: 2010-09-27 10:25-0400\n"
"PO-Revision-Date: 2010-10-01 14:54+0200\n"
"Last-Translator: Piotr Drąg \n"
"Language-Team: Polish \n"
"Language: pl\n"
"MIME-Version: 1.0\n"
"Content-Type: text/plain; charset=UTF-8\n"
"Content-Transfer-Encoding: 8bit\n"
"Plural-Forms: nplurals=3; plural=(n==1 ? 0 : n%10>=2 && n%10<=4 && (n%100<10 "
"|| n%100>=20) ? 1 : 2);\n"

#: ../../ipalib/parameters.py:295
msgid "incorrect type"
msgstr "niepoprawny typ"

#: ../../ipalib/parameters.py:298
msgid "Only one value is allowed"
msgstr "Dozwolona jest tylko jedna wartość"

#: ../../ipalib/parameters.py:877
msgid "must be True or False"
msgstr "musi być prawdą lub fałszem"

#: ../../ipalib/parameters.py:978
msgid "must be an integer"
msgstr "musi być liczba całkowitą"

#: ../../ipalib/parameters.py:1029
#, python-format
msgid "must be at least %(minvalue)d"
msgstr "musi wynosić co najmniej %(minvalue)d"

#: ../../ipalib/parameters.py:1039
#, python-format
msgid "can be at most %(maxvalue)d"
msgstr "może wynosić co najwyżej %(maxvalue)d"

#: ../../ipalib/parameters.py:1049
msgid "must be a decimal number"
msgstr "musi być liczbą dziesiętną"

#: ../../ipalib/parameters.py:1071
#, python-format
msgid "must be at least %(minvalue)f"
msgstr "musi wynosić co najmniej %(minvalue)f"

#: ../../ipalib/parameters.py:1081
#, python-format
msgid "can be at most %(maxvalue)f"
msgstr "może wynosić co najwyżej %(maxvalue)f"

#: ../../ipalib/parameters.py:1145
#, python-format
msgid "must match pattern \"%(pattern)s\""
msgstr "musi pasować do wzorca \"%(pattern)s\""

#: ../../ipalib/parameters.py:1163
msgid "must be binary data"
msgstr "musi być danymi binarnymi"

#: ../../ipalib/parameters.py:1179
#, python-format
msgid "must be at least %(minlength)d bytes"
msgstr "musi wynosić co najmniej %(minlength)d bajtów"

#: ../../ipalib/parameters.py:1189
#, python-format
msgid "can be at most %(maxlength)d bytes"
msgstr "może wynosić co najwyżej %(maxlength)d bajtów"

#: ../../ipalib/parameters.py:1199
#, python-format
msgid "must be exactly %(length)d bytes"
msgstr "musi wynosić dokładnie %(length)d bajtów"

#: ../../ipalib/parameters.py:1217
msgid "must be Unicode text"
msgstr "musi być tekstem w unikodzie"

#: ../../ipalib/parameters.py:1248
#, python-format
msgid "must be at least %(minlength)d characters"
msgstr "musi wynosić co najmniej %(minlength)d znaków"

#: ../../ipalib/parameters.py:1258
#, python-format
msgid "can be at most %(maxlength)d characters"
msgstr "może wynosić co najwyżej %(maxlength)d znaków"

#: ../../ipalib/parameters.py:1268
#, python-format
msgid "must be exactly %(length)d characters"
msgstr "musi wynosić dokładnie %(length)d znaków"

#: ../../ipalib/parameters.py:1307
#, python-format
msgid "must be one of %(values)r"
msgstr "musi być jednym z %(values)r"

#: ../../ipalib/output.py:92
msgid "A dictionary representing an LDAP entry"
msgstr "Słownik reprezentujący wpis LDAP"

#: ../../ipalib/output.py:100
msgid "A list of LDAP entries"
msgstr "Lista wpisów LDAP"

#: ../../ipalib/output.py:111
msgid "All commands should at least have a result"
msgstr "Wszystkie polecenia powinny powiadać przynajmniej wynik"

#: ../../ipalib/cli.py:507
#, python-format
msgid "Enter %(label)s again to verify: "
msgstr "Proszę podać %(label)s ponownie, aby sprawdzić: "

#: ../../ipalib/cli.py:511
msgid "Passwords do not match!"
msgstr "Hasła się nie zgadzają."

#: ../../ipalib/cli.py:516
msgid "Cancelled."
msgstr "Anulowano."

#: ../../ipalib/frontend.py:380
msgid "Results are truncated, try a more specific search"
msgstr ""
"Wyniki zostały obcięte, proszę spróbować bardziej konkretnego wyszukiwania"

#: ../../ipalib/frontend.py:797 ../../ipalib/plugins/misc.py:47
msgid "retrieve all attributes"
msgstr "odbiór wszystkich atrybutów"

#: ../../ipalib/frontend.py:803
msgid "print entries as stored on the server"
msgstr "wyświetlenie wpisów przechowywanych w serwerze"

#: ../../ipalib/frontend.py:914
msgid "Forward to server instead of running locally"
msgstr "Przekazanie do serwera zamiast uruchamiania lokalnie"

#: ../../ipalib/errors.py:297
#, python-format
msgid "%(cver)s client incompatible with %(sver)s server at %(server)r"
msgstr ""
"klient w wersji %(cver)s nie jest zgodny z serwerem w wersji %(sver)s na "
"%(server)r"

#: ../../ipalib/errors.py:315
#, python-format
msgid "unknown error %(code)d from %(server)s: %(error)s"
msgstr "nieznany błąd %(code)d z %(server)s: %(error)s"

#: ../../ipalib/errors.py:331
msgid "an internal error has occurred"
msgstr "wystąpił wewnętrzny błąd"

#: ../../ipalib/errors.py:353
#, python-format
msgid "an internal error has occurred on server at %(server)r"
msgstr "wystąpił wewnętrzny błąd w serwerze na %(server)r"

#: ../../ipalib/errors.py:369
#, python-format
msgid "unknown command %(name)r"
msgstr "nieznane polecenie %(name)r"

#: ../../ipalib/errors.py:386 ../../ipalib/errors.py:411
#, python-format
msgid "error on server %(server)r: %(error)s"
msgstr "błąd w serwerze %(server)r: %(error)s"

#: ../../ipalib/errors.py:402
#, python-format
msgid "cannot connect to %(uri)r: %(error)s"
msgstr "nie można połączyć się z %(uri)r: %(error)s"

#: ../../ipalib/errors.py:420
#, python-format
msgid "Invalid JSON-RPC request: %(error)s"
msgstr "Nieprawidłowe żądanie JSON-RPC: %(error)s"

#: ../../ipalib/errors.py:448
#, python-format
msgid "Kerberos error: %(major)s/%(minor)s"
msgstr "Błąd Kerberosa: %(major)s/%(minor)s"

#: ../../ipalib/errors.py:465
msgid "did not receive Kerberos credentials"
msgstr "nie otrzymano danych uwierzytelniających Kerberosa"

#: ../../ipalib/errors.py:481
#, python-format
msgid "Service %(service)r not found in Kerberos database"
msgstr "Nie odnaleziono usługi %(service)r w bazie danych Kerberosa"

#: ../../ipalib/errors.py:497
msgid "No credentials cache found"
msgstr "Nie odnaleziono pamięci podręcznej danych uwierzytelniających"

#: ../../ipalib/errors.py:513
msgid "Ticket expired"
msgstr "Zgłoszenie wygasło"

#: ../../ipalib/errors.py:529
msgid "Credentials cache permissions incorrect"
msgstr ""
"Uprawnienia pamięci podręcznej danych uwierzytelniających są niepoprawne"

#: ../../ipalib/errors.py:545
msgid "Bad format in credentials cache"
msgstr "Błędny format w pamięci podręcznej danych uwierzytelniających"

#: ../../ipalib/errors.py:561
msgid "Cannot resolve KDC for requested realm"
msgstr "Nie można rozwiązać KDC dla żądanego obszaru"

#: ../../ipalib/errors.py:580
#, python-format
msgid "Insufficient access: %(info)s"
msgstr "Niewystarczający dostęp: %(info)s"

#: ../../ipalib/errors.py:624
#, python-format
msgid "command %(name)r takes no arguments"
msgstr "polecenie %(name)r nie przyjmuje parametrów"

#: ../../ipalib/errors.py:644
#, python-format
msgid "command %(name)r takes at most %(count)d argument"
msgid_plural "command %(name)r takes at most %(count)d arguments"
msgstr[0] "polecenie %(name)r przyjmuje co najwyżej %(count)d parametr"
msgstr[1] "polecenie %(name)r przyjmuje co najwyżej %(count)d parametry"
msgstr[2] "polecenie %(name)r przyjmuje co najwyżej %(count)d parametrów"

#: ../../ipalib/errors.py:674
#, python-format
msgid "overlapping arguments and options: %(names)r"
msgstr "pokrywanie parametrów i opcji: %(names)r"

#: ../../ipalib/errors.py:690
#, python-format
msgid "%(name)r is required"
msgstr "%(name)r jest wymagane"

#: ../../ipalib/errors.py:706 ../../ipalib/errors.py:722
#, python-format
msgid "invalid %(name)r: %(error)s"
msgstr "nieprawidłowe %(name)r: %(error)s"

#: ../../ipalib/errors.py:738
#, python-format
msgid "api has no such namespace: %(name)r"
msgstr "API nie posiada takiej przestrzeni nazw: %(name)r"

#: ../../ipalib/errors.py:747
msgid "Passwords do not match"
msgstr "Hasła się nie zgadzają"

#: ../../ipalib/errors.py:755
msgid "Command not implemented"
msgstr "Polecenie nie jest zaimplementowane"

#: ../../ipalib/errors.py:783 ../../ipalib/errors.py:1023
#, python-format
msgid "%(reason)s"
msgstr "%(reason)s"

#: ../../ipalib/errors.py:799
msgid "This entry already exists"
msgstr "Ten wpis już istnieje"

#: ../../ipalib/errors.py:815
msgid "You must enroll a host in order to create a host service"
msgstr "Należy zapisać się do komputera, aby utworzyć jego usługę"

#: ../../ipalib/errors.py:831
#, python-format
msgid ""
"Service principal is not of the form: service/fully-qualified host name: "
"%(reason)s"
msgstr ""
"Naczelnik usługi nie jest w formacie: usługa/w pełni kwalifikowana nazwa "
"komputera: %(reason)s"

#: ../../ipalib/errors.py:847
msgid ""
"The realm for the principal does not match the realm for this IPA server"
msgstr "Obszar naczelnika nie zgadza się z obszarem dla tego serwera IPA"

#: ../../ipalib/errors.py:863
msgid "This command requires root access"
msgstr "Te polecenie wymaga dostępu roota"

#: ../../ipalib/errors.py:879
msgid "This is already a posix group"
msgstr "To jest już grupa POSIX"

#: ../../ipalib/errors.py:895
#, python-format
msgid "Principal is not of the form user at REALM: %(principal)r"
msgstr "Naczelnik nie jest w formacie użytkownik at OBSZAR: %(principal)r"

#: ../../ipalib/errors.py:911
msgid "This entry is already unlocked"
msgstr "Ten wpis jest już odblokowany"

#: ../../ipalib/errors.py:927
msgid "This entry is already locked"
msgstr "Ten wpis jest już zablokowany"

#: ../../ipalib/errors.py:943
msgid "This entry has nsAccountLock set, it cannot be locked or unlocked"
msgstr ""
"Ten wpis posiada ustawione nsAccountLock, nie może być zablokowany lub "
"niezablokowany"

#: ../../ipalib/errors.py:959
msgid "This entry is not a member of the group"
msgstr "Ten wpis nie jest elementem grupy"

#: ../../ipalib/errors.py:975
msgid "A group may not be a member of itself"
msgstr "Grupa nie może być własnym elementem"

#: ../../ipalib/errors.py:991
msgid "This entry is already a member of the group"
msgstr "Ten wpis jest już elementem grupy"

#: ../../ipalib/errors.py:1007
#, python-format
msgid "Base64 decoding failed: %(reason)s"
msgstr "Dekodowanie base64 nie powiodło się: %(reason)s"

#: ../../ipalib/errors.py:1039
msgid "A group may not be added as a member of itself"
msgstr "Nie można dodać grupy jako elementu jej samej"

#: ../../ipalib/errors.py:1055
msgid "The default users group cannot be removed"
msgstr "Nie można usunąć domyślnej grupy użytkowników"

#: ../../ipalib/errors.py:1071
msgid "Host does not have corresponding DNS A record"
msgstr "Komputer nie posiada pasującego wpisu DNS A"

#: ../../ipalib/errors.py:1086
msgid "Deleting a managed group is not allowed. It must be detached first."
msgstr ""
"Usuwanie zarządzanej grupy nie jest dozwolone. Musi zostać najpierw "
"odłączona."

#: ../../ipalib/errors.py:1109
#, python-format
msgid "no command nor help topic %(topic)r"
msgstr "nie ma takiego polecenia lub tematu pomocy %(topic)r"

#: ../../ipalib/errors.py:1133
msgid "change collided with another change"
msgstr "zmiana koliduje z inną zmianą"

#: ../../ipalib/errors.py:1149
msgid "no modifications to be performed"
msgstr "żadne modyfikacje nie zostaną wykonane"

#: ../../ipalib/errors.py:1165
#, python-format
msgid "%(desc)s:%(info)s"
msgstr "%(desc)s:%(info)s"

#: ../../ipalib/errors.py:1181
msgid "limits exceeded for this query"
msgstr "przekroczono ograniczenia dla tego zapytania"

#: ../../ipalib/errors.py:1196
#, python-format
msgid "%(info)s"
msgstr "%(info)s"

#: ../../ipalib/errors.py:1221
#, python-format
msgid "Certificate operation cannot be completed: %(error)s"
msgstr "Nie można ukończyć działania na certyfikacie: %(error)s"

#: ../../ipalib/plugins/config.py:73
msgid "Configuration"
msgstr "Konfiguracja"

#: ../../ipalib/plugins/config.py:78
msgid "Max username length"
msgstr "Maksymalna długość nazwy użytkownika"

#: ../../ipalib/plugins/config.py:83
msgid "Home directory base"
msgstr "Podstawa katalogu domowego"

#: ../../ipalib/plugins/config.py:84
msgid "Default location of home directories"
msgstr "Domyślne położenie katalogów domowych"

#: ../../ipalib/plugins/config.py:88
msgid "Default shell"
msgstr "Domyślna powłoka"

#: ../../ipalib/plugins/config.py:89
msgid "Default shell for new users"
msgstr "Domyślna powłoka dla nowych użytkowników"

#: ../../ipalib/plugins/config.py:93
msgid "Default users group"
msgstr "Domyślna grupa użytkowników"

#: ../../ipalib/plugins/config.py:94
msgid "Default group for new users"
msgstr "Domyślna grupa dla nowych użytkowników"

#: ../../ipalib/plugins/config.py:98
msgid "Default e-mail domain"
msgstr "Domyślna domena e-mail"

#: ../../ipalib/plugins/config.py:99
msgid "Default e-mail domain new users"
msgstr "Domyślna domena e-mail dla nowych użytkowników"

#: ../../ipalib/plugins/config.py:103
msgid "Search time limit"
msgstr "Ograniczenie czasu wyszukiwania"

#: ../../ipalib/plugins/config.py:104
msgid "Max. amount of time (sec.) for a search (-1 is unlimited)"
msgstr ""
"Maksymalny czas (w sekundach) wyszukiwania (-1 oznacza brak ograniczenia)"

#: ../../ipalib/plugins/config.py:109
msgid "Search size limit"
msgstr "Ograniczenie rozmiaru wyszukiwania"

#: ../../ipalib/plugins/config.py:110
msgid "Max. number of records to search (-1 is unlimited)"
msgstr ""
"Maksymalna liczba wpisów do wyszukiwania (-1 oznacza brak ograniczenia)"

#: ../../ipalib/plugins/config.py:115
msgid "User search fields"
msgstr "Pola wyszukiwania użytkowników"

#: ../../ipalib/plugins/config.py:116
msgid "A comma-separated list of fields to search when searching for users"
msgstr ""
"Lista pól oddzielonych przecinkami do przeszukania podczas wyszukiwania "
"użytkowników"

#: ../../ipalib/plugins/config.py:121
msgid "A comma-separated list of fields to search when searching for groups"
msgstr ""
"Lista pól oddzielonych przecinkami do przeszukania podczas wyszukiwania grup"

#: ../../ipalib/plugins/config.py:125
msgid "Migration mode"
msgstr "Tryb migracji"

#: ../../ipalib/plugins/config.py:126
msgid "Enable migration mode"
msgstr "Włączenie trybu migracji"

#: ../../ipalib/plugins/config.py:130
msgid "Certificate Subject base"
msgstr "Podstawa tematu certyfikatu"

#: ../../ipalib/plugins/config.py:131
msgid "Base for certificate subjects (OU=Test,O=Example)"
msgstr "Podstawa dla tematów certyfikatów (OU=Test,O=Przykład)"

#: ../../ipalib/plugins/rolegroup.py:79
msgid "Role Groups"
msgstr "Grupy rol"

#: ../../ipalib/plugins/rolegroup.py:84
msgid "Role-group name"
msgstr "Nazwa grupy rol"

#: ../../ipalib/plugins/rolegroup.py:90 ../../ipalib/plugins/host.py:124
#: ../../ipalib/plugins/group.py:108 ../../ipalib/plugins/hbac.py:151
#: ../../ipalib/plugins/automount.py:230 ../../ipalib/plugins/netgroup.py:96
#: ../../ipalib/plugins/taskgroup.py:62 ../../ipalib/plugins/hostgroup.py:81
msgid "Description"
msgstr "Opis"

#: ../../ipalib/plugins/rolegroup.py:91
msgid "A description of this role-group"
msgstr "Opis tej grupy rol"

#: ../../ipalib/plugins/rolegroup.py:94 ../../ipalib/plugins/group.py:117
#: ../../ipalib/plugins/taskgroup.py:66
msgid "Member groups"
msgstr "Elementy grupy"

#: ../../ipalib/plugins/rolegroup.py:98 ../../ipalib/plugins/group.py:121
#: ../../ipalib/plugins/taskgroup.py:70
msgid "Member users"
msgstr "Elementy użytkowników"

#: ../../ipalib/plugins/rolegroup.py:102
msgid "Member of task-groups"
msgstr "Element grupy zadaniowej"

#: ../../ipalib/plugins/rolegroup.py:115
#, python-format
msgid "Added rolegroup \"%(value)s\""
msgstr "Dodano grupę roli \"%(value)s\""

#: ../../ipalib/plugins/rolegroup.py:125
#, python-format
msgid "Deleted rolegroup \"%(value)s\""
msgstr "Usunięto grupę roli \"%(value)s\""

#: ../../ipalib/plugins/rolegroup.py:135
#, python-format
msgid "Modified rolegroup \"%(value)s\""
msgstr "Zmodyfikowano grupę roli \"%(value)s\""

#: ../../ipalib/plugins/rolegroup.py:146
#, python-format
msgid "%(count)d rolegroup matched"
msgid_plural "%(count)d rolegroups matched"
msgstr[0] "Pasuje %(count)d grupa roli"
msgstr[1] "Pasują %(count)d grupy roli"
msgstr[2] "Pasuje %(count)d grup roli"

#: ../../ipalib/plugins/host.py:86
msgid "Fully-qualified hostname required"
msgstr "Wymagana jest w pełni kwalifikowana nazwa komputera"

#: ../../ipalib/plugins/host.py:113 ../../ipalib/plugins/hbac.py:162
msgid "Hosts"
msgstr "Komputery"

#: ../../ipalib/plugins/host.py:118
msgid "Host name"
msgstr "Nazwa komputera"

#: ../../ipalib/plugins/host.py:125
msgid "A description of this host"
msgstr "Opis tego komputera"

#: ../../ipalib/plugins/host.py:129
msgid "Locality"
msgstr "Lokalizacja"

#: ../../ipalib/plugins/host.py:130
msgid "Host locality (e.g. \"Baltimore, MD\")"
msgstr "Lokalizacja komputera (np. \"Baltimore, MD\")"

#: ../../ipalib/plugins/host.py:134 ../../ipalib/plugins/automount.py:107
msgid "Location"
msgstr "Położenie"

#: ../../ipalib/plugins/host.py:135
msgid "Host location (e.g. \"Lab 2\")"
msgstr "Położenie komputera (np. \"Laboratorium nr 2\")"

#: ../../ipalib/plugins/host.py:139
msgid "Platform"
msgstr "Platforma"

#: ../../ipalib/plugins/host.py:140
msgid "Host hardware platform (e.g. \"Lenovo T61\")"
msgstr "Platforma sprzętowa komputera (np. \"Lenovo T61\")"

#: ../../ipalib/plugins/host.py:144
msgid "Operating system"
msgstr "System operacyjny"

#: ../../ipalib/plugins/host.py:145
msgid "Host operating system and version (e.g. \"Fedora 9\")"
msgstr "System operacyjny komputera i jego wersja (np. \"Fedora 9\")"

#: ../../ipalib/plugins/host.py:149
msgid "User password"
msgstr "Hasło użytkownika"

#: ../../ipalib/plugins/host.py:150
msgid "Password used in bulk enrollment"
msgstr "Hasło używane w zapisywaniu większej części"

#: ../../ipalib/plugins/host.py:154 ../../ipalib/plugins/service.py:185
#: ../../ipalib/plugins/service.py:265 ../../ipalib/plugins/service.py:304
#: ../../ipalib/plugins/service.py:343 ../../ipalib/plugins/cert.py:187
#: ../../ipalib/plugins/cert.py:392
msgid "Certificate"
msgstr "Certyfikat"

#: ../../ipalib/plugins/host.py:155 ../../ipalib/plugins/service.py:186
#: ../../ipalib/plugins/service.py:266 ../../ipalib/plugins/service.py:305
#: ../../ipalib/plugins/service.py:344
msgid "Base-64 encoded server certificate"
msgstr "Certyfikat serwera zakodowany za pomocą Base-64"

#: ../../ipalib/plugins/host.py:158 ../../ipalib/plugins/host.py:274
msgid "Principal name"
msgstr "Nazwa naczelnika"

#: ../../ipalib/plugins/host.py:162 ../../ipalib/plugins/hostgroup.py:93
msgid "Member of host-groups"
msgstr "Element grupy komputerów"

#: ../../ipalib/plugins/host.py:166
msgid "Member of net-groups"
msgstr "Element grupy sieci"

#: ../../ipalib/plugins/host.py:170
msgid "Member of role-groups"
msgstr "Element grupy roli"

#: ../../ipalib/plugins/host.py:199
#, python-format
msgid "Added host \"%(value)s\""
msgstr "Dodano komputer \"%(value)s\""

#: ../../ipalib/plugins/host.py:202
msgid "force host name even if not in DNS"
msgstr "wymuszenie nazwy komputera nawet, jeśli nie w DNS"

#: ../../ipalib/plugins/host.py:235
#, python-format
msgid "Deleted host \"%(value)s\""
msgstr "Usunięto komputer \"%(value)s\""

#: ../../ipalib/plugins/host.py:269
#, python-format
msgid "Modified host \"%(value)s\""
msgstr "Zmodyfikowano komputer \"%(value)s\""

#: ../../ipalib/plugins/host.py:275
msgid "Kerberos principal name for this host"
msgstr "Nazwa naczelnika Kerberosa dla tego komputera"

#: ../../ipalib/plugins/host.py:319
#, python-format
msgid "%(count)d host matched"
msgid_plural "%(count)d hosts matched"
msgstr[0] "Pasuje %(count)d komputer"
msgstr[1] "Pasuje %(count)d komputery"
msgstr[2] "Pasuje %(count)d komputerów"

#: ../../ipalib/plugins/host.py:337 ../../ipalib/plugins/service.py:83
msgid "Keytab"
msgstr "Tabela kluczy"

#: ../../ipalib/plugins/host.py:359 ../../ipalib/plugins/service.py:386
#, python-format
msgid "Removed kerberos key from \"%(value)s\""
msgstr "Usunięto klucz Kerberosa z \"%(value)s\""

#: ../../ipalib/plugins/host.py:368
msgid "Host principal has no kerberos key"
msgstr "Naczelnik komputera nie posiada klucza Kerberosa"

#: ../../ipalib/plugins/group.py:94
msgid "User Groups"
msgstr "Grupy użytkowników"

#: ../../ipalib/plugins/group.py:102
msgid "Group name"
msgstr "Nazwa grupy"

#: ../../ipalib/plugins/group.py:109
msgid "Group description"
msgstr "Opis grupy"

#: ../../ipalib/plugins/group.py:113
msgid "GID"
msgstr "GID"

#: ../../ipalib/plugins/group.py:114
msgid "GID (use this option to set it manually)"
msgstr "GID (ta opcja umożliwia jego ręczne ustawienie)"

#: ../../ipalib/plugins/group.py:134
#, python-format
msgid "Added group \"%(value)s\""
msgstr "Dodano grupę \"%(value)s\""

#: ../../ipalib/plugins/group.py:139
msgid "Create as posix group?"
msgstr "Utworzyć jako grupę POSIX?"

#: ../../ipalib/plugins/group.py:159
#, python-format
msgid "Deleted group \"%(value)s\""
msgstr "Usunięto grupę \"%(value)s\""

#: ../../ipalib/plugins/group.py:188
#, python-format
msgid "Modified group \"%(value)s\""
msgstr "Zmodyfikowano grupę \"%(value)s\""

#: ../../ipalib/plugins/group.py:193
msgid "change to posix group"
msgstr "zmiana na grupę POSIX"

#: ../../ipalib/plugins/group.py:219
#, python-format
msgid "%(count)d group matched"
msgid_plural "%(count)d groups matched"
msgstr[0] "Pasuje %(count)d grupa"
msgstr[1] "Pasują %(count)d grupy"
msgstr[2] "Pasuje %(count)d grup"

#: ../../ipalib/plugins/group.py:254
#, python-format
msgid "Detached group \"%(value)s\" from user \"%(value)s\""
msgstr "Odłączono grupę \"%(value)s\" od użytkownika \"%(value)s\""

#: ../../ipalib/plugins/group.py:270
msgid "not allowed to modify user entries"
msgstr "modyfikowanie wpisów użytkowników nie jest dozwolone"

#: ../../ipalib/plugins/group.py:274
msgid "not allowed to modify group entries"
msgstr "modyfikowanie wpisów grup nie jest dozwolone"

#: ../../ipalib/plugins/group.py:281 ../../ipalib/plugins/group.py:292
msgid "Not a managed group"
msgstr "Nie jest zarządzaną grupą"

#: ../../ipalib/plugins/migration.py:44
#, python-format
msgid ""
"Kerberos principal %s already exists. Use 'ipa user-mod' to set it manually."
msgstr ""
"Naczelnik Kerberosa %s już istnieje. Należy użyć polecenia \"ipa user-mod\", "
"aby ustawić go ręcznie."

#: ../../ipalib/plugins/migration.py:45
msgid ""
"Failed to add user to the default group. Use 'ipa group-add-member' to add "
"manually."
msgstr ""
"Dodanie użytkownika do domyślnej grupy nie powiodło się. Należy użyć "
"polecenia \"ipa group-add-member\", aby dodać go ręcznie."

#: ../../ipalib/plugins/migration.py:169
msgid "LDAP URI"
msgstr "Adres URI LDAP"

#: ../../ipalib/plugins/migration.py:170
msgid "LDAP URI of DS server to migrate from"
msgstr "Adres URI LDAP serwera DS, z którego migrować"

#: ../../ipalib/plugins/migration.py:174
msgid "bind password"
msgstr "hasło Bind"

#: ../../ipalib/plugins/migration.py:181
msgid "Bind DN"
msgstr "DN dowiązania"

#: ../../ipalib/plugins/migration.py:187
msgid "User container"
msgstr "Kontener użytkownika"

#: ../../ipalib/plugins/migration.py:188
msgid "RDN of container for users in DS"
msgstr "RDN kontenera dla użytkowników w DS"

#: ../../ipalib/plugins/migration.py:194
msgid "Group container"
msgstr "Kontener grupy"

#: ../../ipalib/plugins/migration.py:195
msgid "RDN of container for groups in DS"
msgstr "RDN kontenera dla grup w DS"

#: ../../ipalib/plugins/migration.py:204
msgid "Lists of objects migrated; categorized by type."
msgstr "Lista migrowanych obiektów, ułożonych w kategorie według typu."

#: ../../ipalib/plugins/migration.py:208
msgid "Lists of objects that could not be migrated; categorized by type."
msgstr ""
"Lista obiektów, które nie mogły zostać migrowane, ułożonych w kategorie "
"według typu."

#: ../../ipalib/plugins/migration.py:212
msgid "False if migration mode was disabled."
msgstr "Fałsz, jeśli wyłączono tryb migracji"

#: ../../ipalib/plugins/migration.py:216
#, python-format
msgid "comma-separated list of %s to exclude from migration"
msgstr "lista %s oddzielonych przecinkami do wykluczenia z migracji"

#: ../../ipalib/plugins/migration.py:218
msgid ""
"search results for objects to be migrated\n"
"have been truncated by the server;\n"
"migration process might be uncomplete\n"
msgstr ""
"wyniki wyszukiwania obiektów do migrowania\n"
"zostały skrócone przez serwer. Proces\n"
"migracji mógł nie zostać ukończony\n"

#: ../../ipalib/plugins/migration.py:223
msgid "Migration mode is disabled. Use 'ipa config-mod' to enable it."
msgstr ""
"Tryb migracji jest wyłączony. Należy użyć polecenia \"ipa config-mod\", aby "
"go włączyć."

#: ../../ipalib/plugins/migration.py:226
msgid ""
"Passwords have been migrated in pre-hashed format.\n"
"IPA is unable to generate Kerberos keys unless provided\n"
"with clear text passwords. All migrated users need to\n"
"login at https://your.domain/ipa/migration/ before they\n"
"can use their Kerberos accounts."
msgstr ""
"Hasła zostały migrowane w formacie sprzed mieszania.\n"
"Program IPA nie może utworzyć kluczy Kerberosa, chyba\n"
"że zostały podane z hasłami w zwykłym tekście. Wszyscy\n"
"migrowani użytkownicy muszą zalogować się na stronie\n"
"https://twoja.domena/ipa/migration/, zanim będą mogli\n"
"używać swoich kont Kerberosa."

#: ../../ipalib/plugins/service.py:157 ../../ipalib/plugins/hbac.py:174
msgid "Services"
msgstr "Usługi"

#: ../../ipalib/plugins/service.py:162 ../../ipalib/plugins/cert.py:171
msgid "Principal"
msgstr "Naczelnik"

#: ../../ipalib/plugins/service.py:163
msgid "Service principal"
msgstr "Naczelnik usługi"

#: ../../ipalib/plugins/service.py:176
#, python-format
msgid "Added service \"%(value)s\""
msgstr "Dodano usługę \"%(value)s\""

#: ../../ipalib/plugins/service.py:181
msgid "force principal name even if not in DNS"
msgstr "wymuszenie nazwy naczelnika nawet, jeśli nie w DNS"

#: ../../ipalib/plugins/service.py:224
#, python-format
msgid "Deleted service \"%(value)s\""
msgstr "Usunięto usługę \"%(value)s\""

#: ../../ipalib/plugins/service.py:261
#, python-format
msgid "Modified service \"%(value)s\""
msgstr "Zmodyfikowano usługę \"%(value)s\""

#: ../../ipalib/plugins/service.py:298
#, python-format
msgid "%(count)d service matched"
msgid_plural "%(count)d services matched"
msgstr[0] "Pasuje %(count)d usługa"
msgstr[1] "Pasuje %(count)d usługi"
msgstr[2] "Pasuje %(count)d usług"

#: ../../ipalib/plugins/service.py:396
msgid "Service principal has no kerberos key"
msgstr "Naczelnik usługi nie posiada klucza Kerberosa"

#: ../../ipalib/plugins/passwd.py:52 ../../ipalib/plugins/krbtpolicy.py:62
msgid "User name"
msgstr "Nazwa użytkownika"

#: ../../ipalib/plugins/hbac.py:106
msgid "HBAC"
msgstr "HBAC"

#: ../../ipalib/plugins/hbac.py:111
msgid "Rule name"
msgstr "Nazwa reguły"

#: ../../ipalib/plugins/hbac.py:116
msgid "Rule type (allow or deny)"
msgstr "Typ reguły (zezwalanie lub zabranianie)"

#: ../../ipalib/plugins/hbac.py:117
msgid "Rule type"
msgstr "Typ reguły"

#: ../../ipalib/plugins/hbac.py:123
msgid "User category"
msgstr "Kategoria użytkowników"

#: ../../ipalib/plugins/hbac.py:124
msgid "User category the rule applies to"
msgstr "Kategoria użytkowników, do których zastosowywana jest reguła"

#: ../../ipalib/plugins/hbac.py:129
msgid "Host category"
msgstr "Kategoria komputerów"

#: ../../ipalib/plugins/hbac.py:130
msgid "Host category the rule applies to"
msgstr "Kategoria komputerów, do których zastosowywana jest reguła"

#: ../../ipalib/plugins/hbac.py:135
msgid "Source host category"
msgstr "Kategoria komputerów źródłowych"

#: ../../ipalib/plugins/hbac.py:136
msgid "Source host category the rule applies to"
msgstr "Kategoria komputerów źródłowych, do których zastosowywana jest reguła"

#: ../../ipalib/plugins/hbac.py:141
msgid "Service category"
msgstr "Kategoria usług"

#: ../../ipalib/plugins/hbac.py:142
msgid "Service category the rule applies to"
msgstr "Kategoria usług, do których zastosowywana jest reguła"

#: ../../ipalib/plugins/hbac.py:147 ../../ipalib/plugins/hbac.py:309
#: ../../ipalib/plugins/hbac.py:347
msgid "Access time"
msgstr "Czas dostępu"

#: ../../ipalib/plugins/hbac.py:154
msgid "Enabled"
msgstr "Włączone"

#: ../../ipalib/plugins/hbac.py:158 ../../ipalib/plugins/user.py:76
msgid "Users"
msgstr "Użytkownicy"

#: ../../ipalib/plugins/hbac.py:166 ../../ipalib/plugins/hostgroup.py:69
msgid "Host Groups"
msgstr "Grupy komputerów"

#: ../../ipalib/plugins/hbac.py:170
msgid "Source hosts"
msgstr "Komputery źródłowe"

#: ../../ipalib/plugins/hbac.py:178
msgid "Service Groups"
msgstr "Grupy usług"

#: ../../ipalib/plugins/cert.py:93
msgid "Failure decoding Certificate Signing Request:"
msgstr "Dekodowanie żądania podpisywania certyfikatu nie powiodło się:"

#: ../../ipalib/plugins/cert.py:106 ../../ipalib/plugins/cert.py:118
msgid "Failure decoding Certificate Signing Request"
msgstr "Dekodowanie żądania podpisywania certyfikatu nie powiodło się"

#: ../../ipalib/plugins/cert.py:120
#, python-format
msgid "Failure decoding Certificate Signing Request: %s"
msgstr "Dekodowanie żądania podpisywania certyfikatu nie powiodło się: %s"

#: ../../ipalib/plugins/cert.py:172
msgid "Service principal for this certificate (e.g. HTTP/test.example.com)"
msgstr "Naczelnik usługi dla tego certyfikatu (np. HTTP/test.przykład.pl)"

#: ../../ipalib/plugins/cert.py:179
msgid "automatically add the principal if it doesn't exist"
msgstr "automatycznie dodaj naczelnika, jeśli nie istnieje"

#: ../../ipalib/plugins/cert.py:191 ../../ipalib/plugins/cert.py:395
msgid "Subject"
msgstr "Temat"

#: ../../ipalib/plugins/cert.py:195 ../../ipalib/plugins/cert.py:398
msgid "Issuer"
msgstr "Wydawca"

#: ../../ipalib/plugins/cert.py:199 ../../ipalib/plugins/cert.py:401
msgid "Not Before"
msgstr "Nie wcześniej"

#: ../../ipalib/plugins/cert.py:203 ../../ipalib/plugins/cert.py:404
msgid "Not After"
msgstr "Nie po"

#: ../../ipalib/plugins/cert.py:207 ../../ipalib/plugins/cert.py:407
msgid "Fingerprint (MD5)"
msgstr "Odcisk (MD5)"

#: ../../ipalib/plugins/cert.py:211 ../../ipalib/plugins/cert.py:410
msgid "Fingerprint (SHA1)"
msgstr "Odcisk (SHA1)"

#: ../../ipalib/plugins/cert.py:215 ../../ipalib/plugins/cert.py:379
msgid "Serial number"
msgstr "Numer seryjny"

#: ../../ipalib/plugins/cert.py:223 ../../ipalib/plugins/misc.py:57
msgid "Dictionary mapping variable name to value"
msgstr "Nazwa zmiennej mapowania słownika do ustawienia jako wartość"

#: ../../ipalib/plugins/cert.py:357 msgid "Request id" msgstr "Identyfikator ??dania" #: ../../ipalib/plugins/cert.py:363 msgid "Request status" msgstr "Stan ??dania" #: ../../ipalib/plugins/cert.py:380 msgid "Serial number in decimal or if prefixed with 0x in hexadecimal" msgstr "" "Numer seryjny w formie dziesi?tnej lub szesnastkowej, je?li poprzedzone 0x" #: ../../ipalib/plugins/cert.py:413 msgid "Revocation reason" msgstr "Przyczyna uniewa?nienia" #: ../../ipalib/plugins/cert.py:458 msgid "Revoked" msgstr "Uniewa?niono" #: ../../ipalib/plugins/cert.py:466 msgid "Reason" msgstr "Przyczyna" #: ../../ipalib/plugins/cert.py:467 msgid "Reason for revoking the certificate (0-10)" msgstr "Przyczyna uniewa?nienia certyfikatu (0-10)" #: ../../ipalib/plugins/cert.py:502 msgid "Unrevoked" msgstr "Cofni?to uniewa?nienie" #: ../../ipalib/plugins/cert.py:505 msgid "Error" msgstr "B??d" #: ../../ipalib/plugins/baseldap.py:79 #, python-format msgid "container entry (%(container)s) not found" msgstr "nie odnaleziono wpisu kontenera (%(container)s)" #: ../../ipalib/plugins/baseldap.py:80 #, python-format msgid "%(parent)s: %(oname)s not found" msgstr "%(parent)s: nie odnaleziono %(oname)s" #: ../../ipalib/plugins/baseldap.py:81 #, python-format msgid "%(pkey)s: %(oname)s not found" msgstr "%(pkey)s: nie odnaleziono %(oname)s" #: ../../ipalib/plugins/baseldap.py:150 msgid "Add an attribute/value pair. Format is attr=value" msgstr "Dodaj par? atrybut/warto??. Format to atrybut=warto??" #: ../../ipalib/plugins/baseldap.py:155 msgid "Set an attribute to an name/value pair. Format is attr=value" msgstr "Ustaw atrybut dla pary nazwa/warto??. Format to atrybut=warto??" #: ../../ipalib/plugins/baseldap.py:491 msgid "the entry was deleted while being modified" msgstr "wpis zosta? usuni?ty podczas modyfikowania" #: ../../ipalib/plugins/baseldap.py:627 msgid "Members that could not be added" msgstr "Elementy, kt?re nie mog?y zosta? 
dodane" #: ../../ipalib/plugins/baseldap.py:631 msgid "Number of members added" msgstr "Liczba dodanych element?w" #: ../../ipalib/plugins/baseldap.py:637 ../../ipalib/plugins/baseldap.py:742 msgid "Failed members" msgstr "Elementy, kt?re si? nie powiod?y" #: ../../ipalib/plugins/baseldap.py:732 msgid "Members that could not be removed" msgstr "Liczba element?w, kt?re nie mog?y zosta? usuni?te" #: ../../ipalib/plugins/baseldap.py:736 msgid "Number of members removed" msgstr "Liczba usuni?tych element?w" #: ../../ipalib/plugins/baseldap.py:833 msgid "Time Limit" msgstr "Ograniczenie czasu" #: ../../ipalib/plugins/baseldap.py:834 msgid "Time limit of search in seconds" msgstr "Ograniczenie czasu wyszukiwania w sekundach" #: ../../ipalib/plugins/baseldap.py:840 msgid "Size Limit" msgstr "Ograniczenie rozmiaru" #: ../../ipalib/plugins/baseldap.py:841 msgid "Maximum number of entries returned" msgstr "Maksymalna liczba zwr?conych wpis?w" #: ../../ipalib/plugins/aci.py:111 msgid "A list of ACI values" msgstr "Lista warto?ci ACI" #: ../../ipalib/plugins/aci.py:142 msgid "type, filter, subtree and targetgroup are mutually exclusive" msgstr "" "warto?ci \"type\", \"filter\", \"subtree\" i \"targetgroup\" s? wzajemnie " "wy??czne" #: ../../ipalib/plugins/aci.py:145 msgid "" "at least one of: type, filter, subtree, targetgroup, attrs or memberof are " "required" msgstr "" "co najmniej jedna z warto?ci: \"type\", \"filter\", \"subtree\", " "\"targetgroup\", \"attrs\" lub \"memberof\" jest wymagana" #: ../../ipalib/plugins/aci.py:151 msgid "group, taskgroup and self are mutually exclusive" msgstr "warto?ci \"group\", \"taskgroup\" i \"self\" s? wzajemnie wy??czne" #: ../../ipalib/plugins/aci.py:153 msgid "One of group, taskgroup or self is required" msgstr "Wymagana jest warto?? 
\"group\", \"taskgroup\" lub \"self\"" #: ../../ipalib/plugins/aci.py:172 #, python-format msgid "Group '%s' does not exist" msgstr "Grupa \"%s\" nie istnieje" #: ../../ipalib/plugins/aci.py:269 #, python-format msgid "ACI with name \"%s\" not found" msgstr "Nie odnaleziono ACI o nazwie \"%s\"" #: ../../ipalib/plugins/aci.py:286 msgid "ACIs" msgstr "ACI" #: ../../ipalib/plugins/aci.py:291 msgid "ACI name" msgstr "Nazwa ACI" #: ../../ipalib/plugins/aci.py:296 msgid "Taskgroup" msgstr "Grupa zadaniowa" #: ../../ipalib/plugins/aci.py:297 msgid "Taskgroup ACI grants access to" msgstr "Grupa zadaniowa, do kt?rej ACI zapewnia dost?p" #: ../../ipalib/plugins/aci.py:301 msgid "User group" msgstr "Grupa u?ytkownik?w" #: ../../ipalib/plugins/aci.py:302 msgid "User group ACI grants access to" msgstr "Grupa u?ytkownik?w, do kt?rej ACI zapewnia dost?p" #: ../../ipalib/plugins/aci.py:306 msgid "Permissions" msgstr "Uprawnienia" #: ../../ipalib/plugins/aci.py:307 msgid "" "comma-separated list of permissions to grant(read, write, add, delete, all)" msgstr "" "lista uprawnie? oddzielonych przecinkami do udzielenia (odczyt, zapis, " "dodanie, usuni?cie, wszystkie)" #: ../../ipalib/plugins/aci.py:313 msgid "Attributes" msgstr "Atrybuty" #: ../../ipalib/plugins/aci.py:314 msgid "Comma-separated list of attributes" msgstr "Lista atrybut?w oddzielonych przecinkami" #: ../../ipalib/plugins/aci.py:318 msgid "Type" msgstr "Typ" #: ../../ipalib/plugins/aci.py:319 msgid "type of IPA object (user, group, host)" msgstr "typ obiektu IPA (u?ytkownik, grupa, komputer)" #: ../../ipalib/plugins/aci.py:324 msgid "Member of" msgstr "Element" #: ../../ipalib/plugins/aci.py:325 msgid "Member of a group" msgstr "Element grupy" #: ../../ipalib/plugins/aci.py:329 msgid "Filter" msgstr "Filtr" #: ../../ipalib/plugins/aci.py:330 msgid "Legal LDAP filter (e.g. ou=Engineering)" msgstr "Dozwolony filtr LDAP (np. 
ou=In?ynieria)" #: ../../ipalib/plugins/aci.py:334 msgid "Subtree" msgstr "Poddrzewo" #: ../../ipalib/plugins/aci.py:335 msgid "Subtree to apply ACI to" msgstr "Poddrzewo, do kt?rego zastosowa? ACI" #: ../../ipalib/plugins/aci.py:339 msgid "Target group" msgstr "Grupa docelowa" #: ../../ipalib/plugins/aci.py:340 msgid "Group to apply ACI to" msgstr "Grupa, do kt?rej zastosowa? ACI" #: ../../ipalib/plugins/aci.py:344 msgid "Target your own entry (self)" msgstr "Cel w?asnego wpisu (\"self\")" #: ../../ipalib/plugins/aci.py:345 msgid "Apply ACI to your own entry (self)" msgstr "Zastosowanie ACI do w?asnego wpisu (\"self\")" #: ../../ipalib/plugins/aci.py:357 #, python-format msgid "Created ACI \"%(value)s\"" msgstr "Utworzono ACI \"%(value)s\"" #: ../../ipalib/plugins/aci.py:407 #, python-format msgid "Deleted ACI \"%(value)s\"" msgstr "Usuni?to ACI \"%(value)s\"" #: ../../ipalib/plugins/aci.py:447 #, python-format msgid "Modified ACI \"%(value)s\"" msgstr "Zmodyfikowano ACI \"%(value)s\"" #: ../../ipalib/plugins/aci.py:519 #, python-format msgid "%(count)d ACI matched" msgid_plural "%(count)d ACIs matched" msgstr[0] "Pasuje %(count)d ACI" msgstr[1] "Pasuj? %(count)d ACI" msgstr[2] "Pasuje %(count)d ACI" #: ../../ipalib/plugins/krbtpolicy.py:63 msgid "Manage ticket policy for specific user" msgstr "Zarz?dzanie polityk? zg?osze? 
dla podanego u?ytkownika" #: ../../ipalib/plugins/krbtpolicy.py:68 msgid "Max life" msgstr "Maksymalny czas ?ycia" #: ../../ipalib/plugins/krbtpolicy.py:69 msgid "Maximum ticket life (seconds)" msgstr "Minimalny czas ?ycia zg?oszenia (sekundy)" #: ../../ipalib/plugins/krbtpolicy.py:73 msgid "Max renew" msgstr "Maksymalne odnowienie" #: ../../ipalib/plugins/krbtpolicy.py:74 msgid "Maximum renewable age (seconds)" msgstr "Maksymalny czas, w kt?rym mo?liwe jest odnowienie (sekundy)" #: ../../ipalib/plugins/dns.py:131 msgid "DNS" msgstr "DNS" #: ../../ipalib/plugins/dns.py:136 msgid "Zone" msgstr "Strefa" #: ../../ipalib/plugins/dns.py:137 msgid "Zone name (FQDN)" msgstr "Nazwa strefy (FQDN)" #: ../../ipalib/plugins/dns.py:143 msgid "Authoritative name server" msgstr "Autorytatywny serwer nazwa" #: ../../ipalib/plugins/dns.py:147 msgid "administrator e-mail address" msgstr "adres e-mail administratora" #: ../../ipalib/plugins/dns.py:153 msgid "SOA serial" msgstr "Numer seryjny SOA" #: ../../ipalib/plugins/dns.py:157 msgid "SOA refresh" msgstr "Od?wie?enie SOA" #: ../../ipalib/plugins/dns.py:161 msgid "SOA retry" msgstr "Ponowienie SOA" #: ../../ipalib/plugins/dns.py:165 msgid "SOA expire" msgstr "Wygaszenie SOA" #: ../../ipalib/plugins/dns.py:169 msgid "SOA minimum" msgstr "Minimalne SOA" #: ../../ipalib/plugins/dns.py:173 msgid "SOA time to live" msgstr "Czas ?ycia SOA" #: ../../ipalib/plugins/dns.py:177 msgid "SOA class" msgstr "Klasa SOA" #: ../../ipalib/plugins/dns.py:182 msgid "allow dynamic update?" msgstr "zezwoli? na dynamiczne aktualizacje?" 
#: ../../ipalib/plugins/dns.py:186 msgid "BIND update policy" msgstr "Polityka aktualizacji BIND" #: ../../ipalib/plugins/dns.py:411 ../../ipalib/plugins/dns.py:445 #: ../../ipalib/plugins/dns.py:480 ../../ipalib/plugins/dns.py:595 #: ../../ipalib/plugins/dns.py:680 ../../ipalib/plugins/dns.py:804 msgid "Zone name" msgstr "Nazwa strefy" #: ../../ipalib/plugins/dns.py:485 msgid "resource name" msgstr "nazwa zasobu" #: ../../ipalib/plugins/dns.py:490 ../../ipalib/plugins/dns.py:605 #: ../../ipalib/plugins/dns.py:696 msgid "Record type" msgstr "Typ wpisu" #: ../../ipalib/plugins/dns.py:494 ../../ipalib/plugins/dns.py:609 msgid "Data" msgstr "Dane" #: ../../ipalib/plugins/dns.py:495 ../../ipalib/plugins/dns.py:610 msgid "Type-specific data" msgstr "Dane specyficzne dla typu" #: ../../ipalib/plugins/dns.py:502 msgid "Time to live" msgstr "Czas ?ycia" #: ../../ipalib/plugins/dns.py:507 msgid "Class" msgstr "Klasa" #: ../../ipalib/plugins/dns.py:600 ../../ipalib/plugins/dns.py:692 #: ../../ipalib/plugins/dns.py:809 msgid "Resource name" msgstr "Nazwa zasobu" #: ../../ipalib/plugins/dns.py:685 msgid "Search criteria" msgstr "Kryterium wyszukiwania" #: ../../ipalib/plugins/dns.py:700 msgid "type-specific data" msgstr "dane specyficzne dla typu" #: ../../ipalib/plugins/dns.py:850 #, python-format msgid "Found '%(value)s'" msgstr "Odnaleziono \"%(value)s\"" #: ../../ipalib/plugins/dns.py:854 msgid "Hostname" msgstr "Nazwa komputera" #: ../../ipalib/plugins/dns.py:867 #, python-format msgid "Host '%(host)s' not found" msgstr "Nie odnaleziono komputera \"%(host)s\"" #: ../../ipalib/plugins/automount.py:108 msgid "Automount location name" msgstr "Automatyczne montowanie nazwy po?o?enia" #: ../../ipalib/plugins/automount.py:224 msgid "Map" msgstr "Mapa" #: ../../ipalib/plugins/automount.py:225 msgid "Automount map name" msgstr "Automatyczne montowanie nazwy mapy" #: ../../ipalib/plugins/automount.py:234 msgid "Automount Maps" msgstr "Automatyczne montowanie map" #: 
../../ipalib/plugins/automount.py:306 msgid "Key" msgstr "Klucz" #: ../../ipalib/plugins/automount.py:307 msgid "Automount key name" msgstr "Automatyczne montowanie nazw kluczy" #: ../../ipalib/plugins/automount.py:312 msgid "Mount information" msgstr "Informacje o montowaniu" #: ../../ipalib/plugins/automount.py:316 msgid "description" msgstr "opis" #: ../../ipalib/plugins/automount.py:320 msgid "Automount Keys" msgstr "Automatyczne montowanie kluczy" #: ../../ipalib/plugins/automount.py:340 msgid "Mount point" msgstr "Punkt montowania" #: ../../ipalib/plugins/automount.py:344 msgid "Parent map" msgstr "Mapa nadrz?dna" #: ../../ipalib/plugins/automount.py:345 msgid "Name of parent automount map (default: auto.master)" msgstr "" "Nazwa nadrz?dnej mapy automatycznego montowania (domy?lnie: auto.master)" #: ../../ipalib/plugins/netgroup.py:57 msgid "Member Host" msgstr "Komputer elementu" #: ../../ipalib/plugins/netgroup.py:63 msgid "External host" msgstr "Zewn?trzny komputer" #: ../../ipalib/plugins/netgroup.py:85 msgid "Net Groups" msgstr "Grupy sieciowe" #: ../../ipalib/plugins/netgroup.py:90 msgid "Netgroup name" msgstr "Nazwa grupy sieciowej" #: ../../ipalib/plugins/netgroup.py:97 msgid "Netgroup description" msgstr "Opis grupy sieciowej" #: ../../ipalib/plugins/netgroup.py:101 msgid "NIS domain name" msgstr "Nazwa domeny NIS" #: ../../ipalib/plugins/netgroup.py:106 msgid "IPA unique ID" msgstr "Unikalny identyfikator IPA" #: ../../ipalib/plugins/misc.py:38 #, python-format msgid "%(count)d variables" msgstr "%(count)d zmiennych" #: ../../ipalib/plugins/misc.py:61 msgid "Total number of variables env (>= count)" msgstr "Ca?kowita liczba zmiennych ?rodowiskowych (>= licznik)" #: ../../ipalib/plugins/misc.py:66 msgid "Number of variables returned (<= total)" msgstr "Liczba zwr?conych zmiennych (<= razem)" #: ../../ipalib/plugins/misc.py:109 #, python-format msgid "%(count)d plugin loaded" msgid_plural "%(count)d plugins loaded" msgstr[0] "Wczytano %(count)d 
wtyczk?" msgstr[1] "Wczytano %(count)d wtyczki" msgstr[2] "Wczytano %(count)d wtyczek" #: ../../ipalib/plugins/misc.py:116 msgid "Number of plugins loaded" msgstr "Liczba wczytanych wtyczek" #: ../../ipalib/plugins/user.py:84 msgid "User login" msgstr "Login u?ytkownika" #: ../../ipalib/plugins/user.py:91 msgid "First name" msgstr "Imi?" #: ../../ipalib/plugins/user.py:95 msgid "Last name" msgstr "Nazwisko" #: ../../ipalib/plugins/user.py:103 msgid "GECOS field" msgstr "Pole GECOS" #: ../../ipalib/plugins/user.py:109 msgid "Login shell" msgstr "Pow?oka logowania" #: ../../ipalib/plugins/user.py:114 msgid "Kerberos principal" msgstr "Naczelnik Kerberosa" #: ../../ipalib/plugins/user.py:120 msgid "Email address" msgstr "Adres e-mail" #: ../../ipalib/plugins/user.py:124 msgid "Password" msgstr "Has?o" #: ../../ipalib/plugins/user.py:125 msgid "Set the user password" msgstr "Ustaw has?o u?ytkownika" #: ../../ipalib/plugins/user.py:132 msgid "UID" msgstr "UID" #: ../../ipalib/plugins/user.py:133 msgid "User ID Number (system will assign one if not provided)" msgstr "" "Numer identyfikacyjny u?ytkownika (system go przydzieli, je?li nie zostanie " "podany)" #: ../../ipalib/plugins/user.py:139 msgid "Street address" msgstr "Adres zamieszkania" #: ../../ipalib/plugins/user.py:142 msgid "Groups" msgstr "Grupy" #: ../../ipalib/plugins/user.py:146 msgid "Netgroups" msgstr "Grupy sieciowe" #: ../../ipalib/plugins/user.py:150 msgid "Rolegroups" msgstr "Grupy rol" #: ../../ipalib/plugins/user.py:154 msgid "Taskgroups" msgstr "Grupy zadaniowe" #: ../../ipalib/plugins/user.py:167 #, python-format msgid "Added user \"%(value)s\"" msgstr "Dodano u?ytkownika \"%(value)s\"" #: ../../ipalib/plugins/user.py:216 #, python-format msgid "Deleted user \"%(value)s\"" msgstr "Usuni?to u?ytkownika \"%(value)s\"" #: ../../ipalib/plugins/user.py:235 #, python-format msgid "Modified user \"%(value)s\"" msgstr "Zmodyfikowano u?ytkownika \"%(value)s\"" #: ../../ipalib/plugins/user.py:247 msgid 
"Self" msgstr "W?asny" #: ../../ipalib/plugins/user.py:248 msgid "Display user record for current Kerberos principal" msgstr "Wy?wietlenie wpisu u?ytkownika dla bie??cego naczelnika Kerberosa" #: ../../ipalib/plugins/user.py:258 #, python-format msgid "%(count)d user matched" msgid_plural "%(count)d users matched" msgstr[0] "Pasuje %(count)d u?ytkownik" msgstr[1] "Pasuje %(count)d u?ytkownik?w" msgstr[2] "Pasuje %(count)d u?ytkownik?w" #: ../../ipalib/plugins/user.py:278 #, python-format msgid "Locked user \"%(value)s\"" msgstr "Zablokowany u?ytkownik \"%(value)s\"" #: ../../ipalib/plugins/user.py:304 #, python-format msgid "Unlocked user \"%(value)s\"" msgstr "Odblokowany u?ytkownik \"%(value)s\"" #: ../../ipalib/plugins/taskgroup.py:51 msgid "Task Groups" msgstr "Grupy zadaniowe" #: ../../ipalib/plugins/taskgroup.py:56 msgid "Task-group name" msgstr "Nazwa grupy zadaniowej" #: ../../ipalib/plugins/taskgroup.py:63 msgid "Task-group description" msgstr "Opis grupy zadaniowej" #: ../../ipalib/plugins/taskgroup.py:74 msgid "Member role-groups" msgstr "Element grupy zadaniowej" #: ../../ipalib/plugins/taskgroup.py:87 #, python-format msgid "Added taskgroup \"%(value)s\"" msgstr "Dodano grup? zadaniow? \"%(value)s\"" #: ../../ipalib/plugins/taskgroup.py:97 #, python-format msgid "Deleted taskgroup \"%(value)s\"" msgstr "Usuni?to grup? zadaniow? \"%(value)s\"" #: ../../ipalib/plugins/taskgroup.py:107 #, python-format msgid "Modified taskgroup \"%(value)s\"" msgstr "Zmodyfikowano grup? zadaniow? \"%(value)s\"" #: ../../ipalib/plugins/taskgroup.py:118 #, python-format msgid "%(count)d taskgroup matched" msgid_plural "%(count)d taskgroups matched" msgstr[0] "Pasuje %(count)d grupa zadaniowa" msgstr[1] "Pasuj? 
%(count)d grupy zadaniowe" msgstr[2] "Pasuje %(count)d grup zadaniowych" #: ../../ipalib/plugins/hostgroup.py:74 msgid "Host-group" msgstr "Grupa komputer?w" #: ../../ipalib/plugins/hostgroup.py:75 msgid "Name of host-group" msgstr "Nazwa grupy komputer?w" #: ../../ipalib/plugins/hostgroup.py:82 msgid "A description of this host-group" msgstr "Opis tej grupy komputer?w" #: ../../ipalib/plugins/hostgroup.py:85 msgid "Member hosts" msgstr "Element komputer?w" #: ../../ipalib/plugins/hostgroup.py:89 msgid "Member host-groups" msgstr "Element grupy komputer?w" #: ../../ipalib/plugins/hostgroup.py:106 #, python-format msgid "Added hostgroup \"%(value)s\"" msgstr "Dodano grup? komputer?w \"%(value)s\"" #: ../../ipalib/plugins/hostgroup.py:116 #, python-format msgid "Deleted hostgroup \"%(value)s\"" msgstr "Usuni?to grup? komputer?w \"%(value)s\"" #: ../../ipalib/plugins/hostgroup.py:126 #, python-format msgid "Modified hostgroup \"%(value)s\"" msgstr "Zmodyfikowano grup? komputer?w \"%(value)s\"" #: ../../ipalib/plugins/hostgroup.py:137 #, python-format msgid "%(count)d hostgroup matched" msgid_plural "%(count)d hostgroups matched" msgstr[0] "Pasuje %(count)d grupa komputer?w" msgstr[1] "Pasuj? %(count)d grupy komputer?w" msgstr[2] "Pasuje %(count)d grup komputer?w" #: ../../ipalib/plugins/pwpolicy.py:84 #, python-format msgid "priority must be a unique value (%(prio)d already used by %(gname)s)" msgstr "" "priorytet musi by? unikaln? warto?ci? (%(prio)d jest ju? u?ywane przez " "%(gname)s)" #: ../../ipalib/plugins/pwpolicy.py:173 msgid "Group" msgstr "Grupa" #: ../../ipalib/plugins/pwpolicy.py:174 msgid "Manage password policy for specific group" msgstr "Zarz?dzanie polityk? hase? 
dla podanej grupy" #: ../../ipalib/plugins/pwpolicy.py:179 msgid "Max lifetime (days)" msgstr "Maksymalny czas ?ycia (w dniach)" #: ../../ipalib/plugins/pwpolicy.py:180 msgid "Maximum password lifetime (in days)" msgstr "Maksymalny czas ?ycia has?a (w dniach)" #: ../../ipalib/plugins/pwpolicy.py:185 msgid "Min lifetime (hours)" msgstr "Minimalny czas ?ycia (w godzinach)" #: ../../ipalib/plugins/pwpolicy.py:186 msgid "Minimum password lifetime (in hours)" msgstr "Minimalny czas ?ycia has?a (w godzinach)" #: ../../ipalib/plugins/pwpolicy.py:191 msgid "History size" msgstr "Rozmiar historii" #: ../../ipalib/plugins/pwpolicy.py:192 msgid "Password history size" msgstr "Rozmiar historii hase?" #: ../../ipalib/plugins/pwpolicy.py:197 msgid "Character classes" msgstr "Klasy znak?w" #: ../../ipalib/plugins/pwpolicy.py:198 msgid "Minimum number of character classes" msgstr "Minimalna liczba klas znak?w" #: ../../ipalib/plugins/pwpolicy.py:204 msgid "Min length" msgstr "Minimalna d?ugo??" #: ../../ipalib/plugins/pwpolicy.py:205 msgid "Minimum length of password" msgstr "Minimalna d?ugo?? has?a" #: ../../ipalib/plugins/pwpolicy.py:210 msgid "Priority" msgstr "Priorytet" #: ../../ipalib/plugins/pwpolicy.py:211 msgid "Priority of the policy (higher number means lower priority" msgstr "Priorytet polityki (wy?szy numer r?wna si? ni?szemu priorytetowi" #: ../../ipalib/plugins/pwpolicy.py:263 msgid "Maximum password life must be greater than minimum." msgstr "Maksymalny czas ?ycia has?a musi by? wy?szy ni? minimalny." #: ../../ipalib/plugins/pwpolicy.py:326 msgid "priority cannot be set on global policy" msgstr "nie mo?na ustawia? 
priorytetu dla globalnej polityki" #: ../../ipalib/plugins/pwpolicy.py:365 msgid "User" msgstr "U?ytkownik" #: ../../ipalib/plugins/pwpolicy.py:366 msgid "Display effective policy for a specific user" msgstr "Wy?wietlanie aktywnej polityki dla podanego u?ytkownika" #: ../../ipalib/plugins/internal.py:39 msgid "Logged In As" msgstr "Zalogowano jako" #: ../../ipalib/plugins/internal.py:41 msgid "Add" msgstr "Dodaj" #: ../../ipalib/plugins/internal.py:42 msgid "Find" msgstr "Znajd?" #: ../../ipalib/plugins/internal.py:43 msgid "Reset" msgstr "Przywr??" #: ../../ipalib/plugins/internal.py:44 msgid "Update" msgstr "Zaktualizuj" #: ../../ipalib/plugins/internal.py:45 msgid "Enroll" msgstr "Zapisz si?" #: ../../ipalib/plugins/internal.py:48 msgid "Quick Links" msgstr "Szybkie odno?niki" #: ../../ipalib/plugins/internal.py:51 msgid "Identity Details" msgstr "Informacje o to?samo?ci" #: ../../ipalib/plugins/internal.py:52 msgid "Account Details" msgstr "Informacje o koncie" #: ../../ipalib/plugins/internal.py:53 msgid "Contact Details" msgstr "Informacje o kontakcie" #: ../../ipalib/plugins/internal.py:54 msgid "Mailing Address" msgstr "Adres pocztowy" #: ../../ipalib/plugins/internal.py:55 msgid " Employee Information" msgstr "Informacje o pracowniku" #: ../../ipalib/plugins/internal.py:56 msgid "Misc. Information" msgstr "R??ne informacje" #: ../../ipalib/plugins/internal.py:57 msgid "Back to Top" msgstr "Wr?? na g?r?" 
#: ../../ipalib/plugins/internal.py:62 msgid "Name of object to export" msgstr "Nazwa obiektu do wyeksportowania" #: ../../ipalib/plugins/internal.py:67 msgid "Dict of JSON encoded IPA Objects" msgstr "S?ownik obiekt?w IPA zakodowanych w formacie JSON" #: ../../ipalib/plugins/internal.py:68 msgid "Dict of I18N messages" msgstr "S?ownik komunikat?w umi?dzynaradawiania" #: ../../ipaserver/install/certs.py:603 ../../ipaserver/plugins/dogtag.py:1313 #: ../../ipaserver/plugins/dogtag.py:1398 #: ../../ipaserver/plugins/dogtag.py:1463 #: ../../ipaserver/plugins/dogtag.py:1543 #: ../../ipaserver/plugins/dogtag.py:1602 #, python-format msgid "Unable to communicate with CMS (%s)" msgstr "Nie mo?na komunikowa? si? z CMS (%s)" #: ../../ipaserver/plugins/selfsign.py:97 #, python-format msgid "" "Request subject \"%(request_subject)s\" does not match the form " "\"%(subject_base)s\"" msgstr "" "Temat ??dania \"%(request_subject)s\" nie pasuje do formatu " "\"%(subject_base)s\"" #: ../../ipaserver/plugins/selfsign.py:102 #, python-format msgid "unable to decode csr: %s" msgstr "nie mo?na dekodowa? csr: %s" #: ../../ipaserver/plugins/selfsign.py:123 #: ../../ipaserver/plugins/selfsign.py:138 msgid "file operation" msgstr "dzia?anie na pliku" #: ../../ipaserver/plugins/selfsign.py:152 msgid "cannot obtain next serial number" msgstr "nie mo?na uzyska? nast?pnego numeru szeregowego" #: ../../ipaserver/plugins/selfsign.py:187 msgid "certutil failure" msgstr "narz?dzie certyfikat?w nie powiod?o si?" #: ../../ipaserver/plugins/join.py:54 msgid "The hostname to register as" msgstr "Nazwa komputera, pod jak? zarejestrowa?" #: ../../ipaserver/plugins/join.py:62 msgid "The IPA realm" msgstr "Obszar IPA" #: ../../ipaserver/plugins/join.py:68 msgid "Hardware platform of the host (e.g. Lenovo T61)" msgstr "Platforma sprz?towa komputera (np. Lenovo T61)" #: ../../ipaserver/plugins/join.py:72 msgid "Operating System and version of the host (e.g. 
Fedora 9)" msgstr "System operacyjny komputera i jego wersja (np. Fedora 9)"

From ayoung at redhat.com Fri Oct 1 13:05:27 2010
From: ayoung at redhat.com (Adam Young)
Date: Fri, 01 Oct 2010 09:05:27 -0400
Subject: [Freeipa-devel] [PATCH] Add flag to group-find to only search on private groups.
In-Reply-To: <4CA5D87C.5010104@redhat.com>
References: <4CA5D87C.5010104@redhat.com>
Message-ID: <4CA5DC97.5050403@redhat.com>

On 10/01/2010 08:47 AM, Pavel Zuna wrote:
> Ticket #251
>
> Pavel
>
>
> _______________________________________________
> Freeipa-devel mailing list
> Freeipa-devel at redhat.com
> https://www.redhat.com/mailman/listinfo/freeipa-devel

ACK

From ayoung at redhat.com Fri Oct 1 14:02:43 2010
From: ayoung at redhat.com (Adam Young)
Date: Fri, 01 Oct 2010 10:02:43 -0400
Subject: [Freeipa-devel] [PATCH] Refactoring navigation.js.
In-Reply-To: <1516477347.826831285883328571.JavaMail.root@zmail05.collab.prod.int.phx2.redhat.com>
References: <1516477347.826831285883328571.JavaMail.root@zmail05.collab.prod.int.phx2.redhat.com>
Message-ID: <4CA5EA03.4040707@redhat.com>

On 09/30/2010 05:48 PM, Endi Sukma Dewata wrote:
> Hi,
>
> Please review the attached patch. Thanks!
>
> The navigation.js has been modified to make it more abstract, i.e.
> unaware of entity facets. The nav_update_tabs() has been modified
> such that it activates and updates the tabs based on the current
> state stored in the URL.
>
> The facets are now handled in entity.js. The ipa_entity_setup() has
> been modified to update the facets based on the current state and
> cached state.
>
> The navigation.js also has been modified to be more class-like. The
> nav_create() has been modified to store the tab configuration and
> the tab container in internal variables nav_tabs_lists and
> nav_container. The nav_update_tabs() now can be called without any
> parameters.
>
> Functions nav_push_state(), nav_get_state(), and nav_remove_state()
> have been added to wrap BBQ API. This is to allow unit tests to
> replace them with mockup functions to remove dependency on BBQ.
>
> --
> Endi S. Dewata

ACK: Pushed to master

From ayoung at redhat.com Fri Oct 1 14:02:56 2010
From: ayoung at redhat.com (Adam Young)
Date: Fri, 01 Oct 2010 10:02:56 -0400
Subject: [Freeipa-devel] [PATCH] Add LDAPMultiQuery base class and make it the base of LDAPDelete
In-Reply-To: <4CA5D8D1.6070007@redhat.com>
References: <4CA5D8D1.6070007@redhat.com>
Message-ID: <4CA5EA10.1050800@redhat.com>

On 10/01/2010 08:49 AM, Pavel Zuna wrote:
> In other words: make *-del commands accept 1 or more primary keys of
> entries to be deleted. We can now delete more entries at a time with a
> single command.
>
> Ticket #20
>
> Pavel

ACK. Pushed to master

From ayoung at redhat.com Fri Oct 1 14:03:05 2010
From: ayoung at redhat.com (Adam Young)
Date: Fri, 01 Oct 2010 10:03:05 -0400
Subject: [Freeipa-devel] [PATCH] Add Delete capabilities to Search facet in the WebUI.
In-Reply-To: <4CA5D92E.90903@redhat.com>
References: <4CA5D92E.90903@redhat.com>
Message-ID: <4CA5EA19.4060400@redhat.com>

On 10/01/2010 08:50 AM, Pavel Zuna wrote:
> This depends on my patch number 25! It should apply without it, but
> deleting entries won't work properly.
>
> Ticket #206
>
> Pavel

ACK pushed to master

From rcritten at redhat.com Fri Oct 1 14:02:02 2010
From: rcritten at redhat.com (Rob Crittenden)
Date: Fri, 01 Oct 2010 10:02:02 -0400
Subject: [Freeipa-devel] [PATCH] Add LDAPMultiQuery base class and make it the base of LDAPDelete
In-Reply-To: <4CA5D8D1.6070007@redhat.com>
References: <4CA5D8D1.6070007@redhat.com>
Message-ID: <4CA5E9DA.2030001@redhat.com>

Pavel Zuna wrote:
> In other words: make *-del commands accept 1 or more primary keys of
> entries to be deleted. We can now delete more entries at a time with a
> single command.
>
> Ticket #20

The code looks ok but I have to nack the patch because I'm assuming this is going to break existing unit tests (returns different values now) and should have its own unit tests for doing multiple deletes.

rob

From ayoung at redhat.com Fri Oct 1 14:14:44 2010
From: ayoung at redhat.com (Adam Young)
Date: Fri, 01 Oct 2010 10:14:44 -0400
Subject: [Freeipa-devel] [PATCH] admiyo-freeipa-0046-Corrected-Language-Codes.patch
In-Reply-To: <1849646725.617771285716656419.JavaMail.root@zmail05.collab.prod.int.phx2.redhat.com>
References: <1849646725.617771285716656419.JavaMail.root@zmail05.collab.prod.int.phx2.redhat.com>
Message-ID: <4CA5ECD4.5060601@redhat.com>

On 09/28/2010 07:30 PM, Endi Sukma Dewata wrote:
> ----- "Adam Young" wrote:
>
>
>> Corrected Language Codes
>> The Gnu document incorrectly listed Japanese as jp and Hebrew as iw.
>> That was why the Plurals line passed through directly from the template.
>>
> ACK, one trailing whitespace on line 47.
>
> --
> Endi S. Dewata
>

Pushed to master

From ayoung at redhat.com Fri Oct 1 14:20:55 2010
From: ayoung at redhat.com (Adam Young)
Date: Fri, 01 Oct 2010 10:20:55 -0400
Subject: [Freeipa-devel] [PATCH] Add LDAPMultiQuery base class and make it the base of LDAPDelete
In-Reply-To: <4CA5E9DA.2030001@redhat.com>
References: <4CA5D8D1.6070007@redhat.com> <4CA5E9DA.2030001@redhat.com>
Message-ID: <4CA5EE47.3070004@redhat.com>

On 10/01/2010 10:02 AM, Rob Crittenden wrote:
> Pavel Zuna wrote:
>> In other words: make *-del commands accept 1 or more primary keys of
>> entries to be deleted. We can now delete more entries at a time with a
>> single command.
>>
>> Ticket #20
>
> The code looks ok but I have to nack the patch because I'm assuming
> this is going to break existing unit tests (returns different values
> now) and should have its own unit tests for doing multiple deletes.
>
> rob

Should I revert?

From ssorce at redhat.com Fri Oct 1 14:40:34 2010
From: ssorce at redhat.com (Simo Sorce)
Date: Fri, 1 Oct 2010 10:40:34 -0400
Subject: [Freeipa-devel] [PATCH] split password extop plugin in multiple files
In-Reply-To: <20100929180015.7d2fd044@willson.li.ssimo.org>
References: <20100929180015.7d2fd044@willson.li.ssimo.org>
Message-ID: <20101001104034.23f5537e@willson.li.ssimo.org>

On Wed, 29 Sep 2010 18:00:15 -0400
Simo Sorce wrote:
>
> I was looking into a few bugs to fix in the plugin and realized it was
> so big and messy that it would greatly help readability if we split
> it up.
>
> This is a first pass (compiles, but not tested).
> Only one function needed some minor refactoring (ipapwd_SetPassword).
>
> Tomorrow I should be able to test it, meanwhile I'd like a generic
> ack/nack on the approach.

Ok updated patch, this one has been tested and seems to work properly.

Simo.

--
Simo Sorce * Red Hat, Inc * New York

-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0001-Split-ipa_pwd_extop-plugin-in-multiple-files.patch
Type: text/x-patch
Size: 223609 bytes
Desc: not available
URL:

From rcritten at redhat.com Fri Oct 1 15:16:10 2010
From: rcritten at redhat.com (Rob Crittenden)
Date: Fri, 01 Oct 2010 11:16:10 -0400
Subject: [Freeipa-devel] [PATCH] split password extop plugin in multiple files
In-Reply-To: <20101001104034.23f5537e@willson.li.ssimo.org>
References: <20100929180015.7d2fd044@willson.li.ssimo.org> <20101001104034.23f5537e@willson.li.ssimo.org>
Message-ID: <4CA5FB3A.4030204@redhat.com>

Simo Sorce wrote:
> On Wed, 29 Sep 2010 18:00:15 -0400
> Simo Sorce wrote:
>
>>
>> I was looking into a few bugs to fix in the plugin and realized it was
>> so big and messy that it would greatly help readability if we split
>> it up.
>>
>> This is a first pass (compiles, but not tested).
>> Only one function needed some minor refactoring (ipapwd_SetPassword).
>>
>> Tomorrow I should be able to test it, meanwhile I'd like a generic
>> ack/nack on the approach.
>
> Ok updated patch, this one has been tested and seems to work properly.
>
> Simo.

ack

rob

From ssorce at redhat.com Fri Oct 1 15:18:37 2010
From: ssorce at redhat.com (Simo Sorce)
Date: Fri, 1 Oct 2010 11:18:37 -0400
Subject: [Freeipa-devel] [PATCH] split password extop plugin in multiple files
In-Reply-To: <20101001104034.23f5537e@willson.li.ssimo.org>
References: <20100929180015.7d2fd044@willson.li.ssimo.org> <20101001104034.23f5537e@willson.li.ssimo.org>
Message-ID: <20101001111837.53321776@willson.li.ssimo.org>

On Fri, 1 Oct 2010 10:40:34 -0400
Simo Sorce wrote:
> On Wed, 29 Sep 2010 18:00:15 -0400
> Simo Sorce wrote:
>
> >
> > I was looking into a few bugs to fix in the plugin and realized it
> > was so big and messy that it would greatly help readability if we
> > split it up.
> >
> > This is a first pass (compiles, but not tested).
> > Only one function needed some minor refactoring
> > (ipapwd_SetPassword).
> >
> > Tomorrow I should be able to test it, meanwhile I'd like a generic
> > ack/nack on the approach.
>
> Ok updated patch, this one has been tested and seems to work properly.
>
> Simo.
>

Rob Acked on IRC.
Pushed to master.

Simo.

--
Simo Sorce * Red Hat, Inc * New York

From rcritten at redhat.com Fri Oct 1 17:35:17 2010
From: rcritten at redhat.com (Rob Crittenden)
Date: Fri, 01 Oct 2010 13:35:17 -0400
Subject: [Freeipa-devel] [PATCH] 555 Create groups as POSIX by default
Message-ID: <4CA61BD5.7070403@redhat.com>

Groups are now created as POSIX by default.

ticket 241

rob

-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-555-posix.patch
Type: application/mbox
Size: 7295 bytes
Desc: not available
URL:

From rcritten at redhat.com Fri Oct 1 17:37:47 2010
From: rcritten at redhat.com (Rob Crittenden)
Date: Fri, 01 Oct 2010 13:37:47 -0400
Subject: [Freeipa-devel] [PATCH] 548 use consistent CA nickname
In-Reply-To: <4CA34691.40802@redhat.com>
References: <4CA2AE4A.1070107@redhat.com> <4CA34691.40802@redhat.com>
Message-ID: <4CA61C6B.1060706@redhat.com>

Adam Young wrote:
> On 09/28/2010 11:11 PM, Rob Crittenden wrote:
>> Use consistent, specific nickname for the IPA CA certificate.
>>
>> Also fix some imports for sha. We have a compat module for it, use it.
>>
>> rob
>>
>>
>> _______________________________________________
>> Freeipa-devel mailing list
>> Freeipa-devel at redhat.com
>> https://www.redhat.com/mailman/listinfo/freeipa-devel
> ACK

pushed to master

From rcritten at redhat.com Fri Oct 1 17:41:22 2010
From: rcritten at redhat.com (Rob Crittenden)
Date: Fri, 01 Oct 2010 13:41:22 -0400
Subject: [Freeipa-devel] [PATCH] 549 remove reliance on admin user
In-Reply-To: <4CA39078.7010102@redhat.com>
References: <4CA37D87.2060907@redhat.com> <4CA39078.7010102@redhat.com>
Message-ID: <4CA61D42.4050102@redhat.com>

Adam Young wrote:
> On 09/29/2010 01:55 PM, Rob Crittenden wrote:
>> Change the finals aci so that the login admin is no longer special.
>> The group admins is now controls the "super-user" group.
>>
>> rob
>>
> Do I read it right that now you can delete an admin user? What if there
> is only one Admin user, and you delete that?

Yes, you can now delete the admin user. If you delete it and have no
more admins you will have to use the Directory Manager account to
create a new admin, or if you have a user in the group management role
they can add a new admins user.

rob

From rcritten at redhat.com Fri Oct 1 17:42:19 2010
From: rcritten at redhat.com (Rob Crittenden)
Date: Fri, 01 Oct 2010 13:42:19 -0400
Subject: [Freeipa-devel] [PATCH] 553 quote passwords to pkisilent
In-Reply-To: <4CA4E324.3080806@redhat.com>
References: <4CA4DCDD.9080500@redhat.com> <4CA4E324.3080806@redhat.com>
Message-ID: <4CA61D7B.7040406@redhat.com>

Adam Young wrote:
> On 09/30/2010 02:54 PM, Rob Crittenden wrote:
>> Quote passwords before sending them to pkisilent. This lets you use
>> characters in the password the shell would otherwise interpret.
>>
>> rob
>>
> ACK

pushed to master

From rcritten at redhat.com Fri Oct 1 17:42:44 2010
From: rcritten at redhat.com (Rob Crittenden)
Date: Fri, 01 Oct 2010 13:42:44 -0400
Subject: [Freeipa-devel] [PATCH] 554 fix failing test case
In-Reply-To: <4CA52154.5060408@redhat.com>
References: <4CA5064A.3090009@redhat.com> <4CA52154.5060408@redhat.com>
Message-ID: <4CA61D94.804@redhat.com>

Adam Young wrote:
> On 09/30/2010 05:51 PM, Rob Crittenden wrote:
>> Fix failing test case for LDAP client test. This should bring our pass
>> rate back up to 100%.
>>
>> rob
>>
> ACK

pushed to master

From edewata at redhat.com Fri Oct 1 18:10:30 2010
From: edewata at redhat.com (Endi Sukma Dewata)
Date: Fri, 1 Oct 2010 14:10:30 -0400 (EDT)
Subject: [Freeipa-devel] [PATCH] Autogenerating Quick Links.
In-Reply-To: <1868765601.904481285956607299.JavaMail.root@zmail05.collab.prod.int.phx2.redhat.com>
Message-ID: <628599377.904501285956630004.JavaMail.root@zmail05.collab.prod.int.phx2.redhat.com>

Hi,

Please review the attached patch. Thanks!

ipa_entity_quick_links() has been added to generate quick links
automatically from object's attribute_members, the same logic used
for generating facet list. The search definition for each entity
has been updated to use the new function. A unit test has been
added for this function.

--
Endi S. Dewata
-------------- next part --------------
A non-text attachment was scrubbed...
Name: edewata-freeipa-0014-Autogenerating-Quick-Links.patch
Type: text/x-patch
Size: 17844 bytes
Desc: not available
URL:

From ayoung at redhat.com Fri Oct 1 18:14:28 2010
From: ayoung at redhat.com (Adam Young)
Date: Fri, 01 Oct 2010 14:14:28 -0400
Subject: [Freeipa-devel] [PATCH] 555 Create groups as POSIX by default
In-Reply-To: <4CA61BD5.7070403@redhat.com>
References: <4CA61BD5.7070403@redhat.com>
Message-ID: <4CA62504.20507@redhat.com>

On 10/01/2010 01:35 PM, Rob Crittenden wrote:
> Groups are now created as POSIX by default.
>
> ticket 241
>
> rob
>

ACK

From ayoung at redhat.com Fri Oct 1 18:15:31 2010
From: ayoung at redhat.com (Adam Young)
Date: Fri, 01 Oct 2010 14:15:31 -0400
Subject: [Freeipa-devel] [PATCH] 549 remove reliance on admin user
In-Reply-To: <4CA61D42.4050102@redhat.com>
References: <4CA37D87.2060907@redhat.com> <4CA39078.7010102@redhat.com> <4CA61D42.4050102@redhat.com>
Message-ID: <4CA62543.5000804@redhat.com>

On 10/01/2010 01:41 PM, Rob Crittenden wrote:
> Adam Young wrote:
>> On 09/29/2010 01:55 PM, Rob Crittenden wrote:
>>> Change the finals aci so that the login admin is no longer special.
>>> The group admins is now controls the "super-user" group.
>>>
>>> rob
>>>
>> Do I read it right that now you can delete an admin user? What if there
>> is only one Admin user, and you delete that?
>
> Yes, you can now delete the admin user. If you delete it and have no
> more admins you will have to use the Directory Manager account to
> create a new admin, or if you have a user in the group management role
> they can add a new admins user.
>
> rob

ACK,
please make sure the above info makes it into the docs.

From ayoung at redhat.com Fri Oct 1 18:17:14 2010
From: ayoung at redhat.com (Adam Young)
Date: Fri, 01 Oct 2010 14:17:14 -0400
Subject: [Freeipa-devel] [PATCH] 555 Create groups as POSIX by default
In-Reply-To: <4CA62504.20507@redhat.com>
References: <4CA61BD5.7070403@redhat.com> <4CA62504.20507@redhat.com>
Message-ID: <4CA625AA.3010602@redhat.com>

On 10/01/2010 02:14 PM, Adam Young wrote:
> On 10/01/2010 01:35 PM, Rob Crittenden wrote:
>> Groups are now created as POSIX by default.
>>
>> ticket 241
>>
>> rob
>>
> ACK
>

Pushed to master

From ayoung at redhat.com Fri Oct 1 18:21:16 2010
From: ayoung at redhat.com (Adam Young)
Date: Fri, 01 Oct 2010 14:21:16 -0400
Subject: [Freeipa-devel] [PATCH] Autogenerating Quick Links.
In-Reply-To: <628599377.904501285956630004.JavaMail.root@zmail05.collab.prod.int.phx2.redhat.com>
References: <628599377.904501285956630004.JavaMail.root@zmail05.collab.prod.int.phx2.redhat.com>
Message-ID: <4CA6269C.1020004@redhat.com>

On 10/01/2010 02:10 PM, Endi Sukma Dewata wrote:
> Hi,
>
> Please review the attached patch. Thanks!
>
> ipa_entity_quick_links() has been added to generate quick links
> automatically from object's attribute_members, the same logic used
> for generating facet list. The search definition for each entity
> has been updated to use the new function. A unit test has been
> added for this function.
>
> --
> Endi S. Dewata
>

NACK. Something seems to be off with Hostgroups: I get three links
for enroll.

From rcritten at redhat.com Fri Oct 1 18:51:07 2010
From: rcritten at redhat.com (Rob Crittenden)
Date: Fri, 01 Oct 2010 14:51:07 -0400
Subject: [Freeipa-devel] [PATCH] 556 fix couple of tests
Message-ID: <4CA62D9B.9020207@redhat.com>

I missed a couple of files in the POSIX-by-default patch. This should
fix role and taskgroups.

rob
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-556-test.patch
Type: application/mbox
Size: 1714 bytes
Desc: not available
URL:

From rcritten at redhat.com Fri Oct 1 18:57:23 2010
From: rcritten at redhat.com (Rob Crittenden)
Date: Fri, 01 Oct 2010 14:57:23 -0400
Subject: [Freeipa-devel] [PATCH] 557 return non-zero on membership failure
Message-ID: <4CA62F13.7030400@redhat.com>

Return non-zero when group membership change fails.

There is no point (and it is confusing) to print an empty list when
modifying group membership fails, so suppress it.

tickets 271, 273, 274
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-557-failed.patch
Type: application/mbox
Size: 2541 bytes
Desc: not available
URL:

From dpal at redhat.com Fri Oct 1 19:30:46 2010
From: dpal at redhat.com (Dmitri Pal)
Date: Fri, 01 Oct 2010 15:30:46 -0400
Subject: [Freeipa-devel] [PATCH] 549 remove reliance on admin user
In-Reply-To: <4CA62543.5000804@redhat.com>
References: <4CA37D87.2060907@redhat.com> <4CA39078.7010102@redhat.com> <4CA61D42.4050102@redhat.com> <4CA62543.5000804@redhat.com>
Message-ID: <4CA636E6.3010901@redhat.com>

Adam Young wrote:
> On 10/01/2010 01:41 PM, Rob Crittenden wrote:
>> Adam Young wrote:
>>> On 09/29/2010 01:55 PM, Rob Crittenden wrote:
>>>> Change the finals aci so that the login admin is no longer special.
>>>> The group admins is now controls the "super-user" group.
>>>>
>>>> rob
>>>>
>>> Do I read it right that now you can delete an admin user? What if there
>>> is only one Admin user, and you delete that?
>>
>> Yes, you can now delete the admin user. If you delete it and have no
>> more admins you will have to use the Directory Manager account to
>> create a new admin, or if you have a user in the group management
>> role they can add a new admins user.
>>
>> rob
> ACK,
> please make sure the above info makes it into the docs.

I will open a BZ

--
Thank you,
Dmitri Pal

Engineering Manager IPA project,
Red Hat Inc.

From ayoung at redhat.com Fri Oct 1 20:03:45 2010
From: ayoung at redhat.com (Adam Young)
Date: Fri, 01 Oct 2010 16:03:45 -0400
Subject: [Freeipa-devel] [PATCH] 556 fix couple of tests
In-Reply-To: <4CA62D9B.9020207@redhat.com>
References: <4CA62D9B.9020207@redhat.com>
Message-ID: <4CA63EA1.6090102@redhat.com>

On 10/01/2010 02:51 PM, Rob Crittenden wrote:
> I missed a couple of files in the POSIX-by-default patch. This should
> fix role and taskgroups.
>
> rob
>

ACK

From ayoung at redhat.com Fri Oct 1 20:05:53 2010
From: ayoung at redhat.com (Adam Young)
Date: Fri, 01 Oct 2010 16:05:53 -0400
Subject: [Freeipa-devel] admiyo-freeipa-0050-phonenumbers.patch
In-Reply-To: <4CA4D022.5090001@redhat.com>
References: <4CA4D022.5090001@redhat.com>
Message-ID: <4CA63F21.8030505@redhat.com>

On 09/30/2010 02:00 PM, Adam Young wrote:
> Added in params for phone number types: mobile, pager, fax, phone
>

ACKed in IRC by edewate. Pushed to master

From ayoung at redhat.com Fri Oct 1 20:21:47 2010
From: ayoung at redhat.com (Adam Young)
Date: Fri, 01 Oct 2010 16:21:47 -0400
Subject: [Freeipa-devel] [PATCH] Autogenerating Quick Links.
In-Reply-To: <4CA6269C.1020004@redhat.com>
References: <628599377.904501285956630004.JavaMail.root@zmail05.collab.prod.int.phx2.redhat.com> <4CA6269C.1020004@redhat.com>
Message-ID: <4CA642DB.2090503@redhat.com>

On 10/01/2010 02:21 PM, Adam Young wrote:
> On 10/01/2010 02:10 PM, Endi Sukma Dewata wrote:
>> Hi,
>>
>> Please review the attached patch. Thanks!
>>
>> ipa_entity_quick_links() has been added to generate quick links
>> automatically from object's attribute_members, the same logic used
>> for generating facet list. The search definition for each entity
>> has been updated to use the new function. A unit test has been
>> added for this function.
>>
>> --
>> Endi S. Dewata
>>
> NACK. Something seems to be off with Hostgroups: I get three links
> for enroll.
>

OK, on closer review, this patch is OK. ACK

From rcritten at redhat.com Fri Oct 1 20:27:26 2010
From: rcritten at redhat.com (Rob Crittenden)
Date: Fri, 01 Oct 2010 16:27:26 -0400
Subject: [Freeipa-devel] [PATCH] 549 remove reliance on admin user
In-Reply-To: <4CA62543.5000804@redhat.com>
References: <4CA37D87.2060907@redhat.com> <4CA39078.7010102@redhat.com> <4CA61D42.4050102@redhat.com> <4CA62543.5000804@redhat.com>
Message-ID: <4CA6442E.1060608@redhat.com>

Adam Young wrote:
> On 10/01/2010 01:41 PM, Rob Crittenden wrote:
>> Adam Young wrote:
>>> On 09/29/2010 01:55 PM, Rob Crittenden wrote:
>>>> Change the finals aci so that the login admin is no longer special.
>>>> The group admins is now controls the "super-user" group.
>>>>
>>>> rob
>>>>
>>> Do I read it right that now you can delete an admin user? What if there
>>> is only one Admin user, and you delete that?
>>
>> Yes, you can now delete the admin user. If you delete it and have no
>> more admins you will have to use the Directory Manager account to
>> create a new admin, or if you have a user in the group management role
>> they can add a new admins user.
>>
>> rob
> ACK,
> please make sure the above info makes it into the docs.

pushed to master

From rcritten at redhat.com Fri Oct 1 20:27:29 2010
From: rcritten at redhat.com (Rob Crittenden)
Date: Fri, 01 Oct 2010 16:27:29 -0400
Subject: [Freeipa-devel] [PATCH] 556 fix couple of tests
In-Reply-To: <4CA63EA1.6090102@redhat.com>
References: <4CA62D9B.9020207@redhat.com> <4CA63EA1.6090102@redhat.com>
Message-ID: <4CA64431.4090601@redhat.com>

Adam Young wrote:
> On 10/01/2010 02:51 PM, Rob Crittenden wrote:
>> I missed a couple of files in the POSIX-by-default patch. This should
>> fix role and taskgroups.
>>
>> rob
>>
> ACK

pushed to master

From admin at transifex.net Fri Oct 1 21:29:06 2010
From: admin at transifex.net (admin at transifex.net) Date: Fri, 01 Oct 2010 21:29:06 -0000 Subject: [Freeipa-devel] [Transifex] File submitted via email to FreeIPA | master Message-ID: <20101001212906.12848.30513@web1.transifex.net> Hello freeipa, this is Transifex at http://www.transifex.net. The following attached files were submitted to FreeIPA | master by logan Please, visit Transifex at http://www.transifex.net/projects/p/freeipa/c/master/ in order to see the component page. Thank you, Transifex -------------- next part -------------- # Fedora Spanish translation of freeipa.master.ipa. # This file is distributed under the same license as the freeipa.master.ipa package. # # Domingo Becker , 2010. # H?ctor Daniel Cabrera , 2010. # msgid "" msgstr "" "Project-Id-Version: freeipa.master.ipa\n" "Report-Msgid-Bugs-To: https://hosted.fedoraproject.org/projects/freeipa/newticket\n" "POT-Creation-Date: 2010-09-27 10:25-0400\n" "PO-Revision-Date: \n" "Last-Translator: H?ctor Daniel Cabrera \n" "Language-Team: Fedora Spanisg \n" "Language: \n" "MIME-Version: 1.0\n" "Content-Type: text/plain; charset=UTF-8\n" "Content-Transfer-Encoding: 8bit\n" "X-Poedit-Language: Spanish\n" "X-Poedit-Country: ARGENTINA\n" "Plural-Forms: nplurals=2; plural=(n != 1);\n" #: ../../ipalib/parameters.py:295 msgid "incorrect type" msgstr "tipo incorrecto" #: ../../ipalib/parameters.py:298 msgid "Only one value is allowed" msgstr "S?lo se permite un valor" #: ../../ipalib/parameters.py:877 msgid "must be True or False" msgstr "debe ser True o False" #: ../../ipalib/parameters.py:978 msgid "must be an integer" msgstr "debe ser un entero" #: ../../ipalib/parameters.py:1029 #, python-format msgid "must be at least %(minvalue)d" msgstr "debe ser como m?nimo %(minvalue)d" #: ../../ipalib/parameters.py:1039 #, python-format msgid "can be at most %(maxvalue)d" msgstr "puede ser como m?ximo %(maxvalue)d" #: ../../ipalib/parameters.py:1049 msgid "must be a decimal number" msgstr "debe ser un n?mero 
decimal" #: ../../ipalib/parameters.py:1071 #, python-format msgid "must be at least %(minvalue)f" msgstr "debe ser como m?nimo %(minvalue)f" #: ../../ipalib/parameters.py:1081 #, python-format msgid "can be at most %(maxvalue)f" msgstr "puede ser como m?ximo %(maxvalue)f" #: ../../ipalib/parameters.py:1145 #, python-format msgid "must match pattern \"%(pattern)s\"" msgstr "debe coincidir con el modelo \"%(pattern)s" #: ../../ipalib/parameters.py:1163 msgid "must be binary data" msgstr "debe ser un dato binario" #: ../../ipalib/parameters.py:1179 #, python-format msgid "must be at least %(minlength)d bytes" msgstr "debe ser como m?nimo de %(minlength)d bytes" #: ../../ipalib/parameters.py:1189 #, python-format msgid "can be at most %(maxlength)d bytes" msgstr "puede ser a lo sumo de %(maxlength)d bytes" #: ../../ipalib/parameters.py:1199 #, python-format msgid "must be exactly %(length)d bytes" msgstr "debe ser exactamente de %(length)d bytes" #: ../../ipalib/parameters.py:1217 msgid "must be Unicode text" msgstr "debe ser texto Unicode" #: ../../ipalib/parameters.py:1248 #, python-format msgid "must be at least %(minlength)d characters" msgstr "debe tener como m?nimo %(minlength)d caracteres" #: ../../ipalib/parameters.py:1258 #, python-format msgid "can be at most %(maxlength)d characters" msgstr "puede tener a lo sumo %(maxlength)d caracteres" #: ../../ipalib/parameters.py:1268 #, python-format msgid "must be exactly %(length)d characters" msgstr "debe tener exactamente %(length)d caracteres" #: ../../ipalib/parameters.py:1307 #, python-format msgid "must be one of %(values)r" msgstr "debe ser uno de %(values)r" #: ../../ipalib/output.py:92 msgid "A dictionary representing an LDAP entry" msgstr "Un diccionario representando una entrada LDAP" #: ../../ipalib/output.py:100 msgid "A list of LDAP entries" msgstr "Una lista de entradas LDAP" #: ../../ipalib/output.py:111 msgid "All commands should at least have a result" msgstr "Todos los comandos deber?an por lo 
menos tener un resultado" #: ../../ipalib/cli.py:507 #, python-format msgid "Enter %(label)s again to verify: " msgstr "ngrese %(label)s nuevamente para su verificaci?n: " #: ../../ipalib/cli.py:511 msgid "Passwords do not match!" msgstr "?Las contrase?as no coinciden!" #: ../../ipalib/cli.py:516 msgid "Cancelled." msgstr "Cancelado." #: ../../ipalib/frontend.py:380 msgid "Results are truncated, try a more specific search" msgstr "Los resultados se encuentran truncados, intente realizar una b?squeda m?s espec?fica" #: ../../ipalib/frontend.py:797 #: ../../ipalib/plugins/misc.py:47 msgid "retrieve all attributes" msgstr "recuperar todos los atributos" #: ../../ipalib/frontend.py:803 msgid "print entries as stored on the server" msgstr "imprime las entradas como se encuentran almacenadas en el servidor" #: ../../ipalib/frontend.py:914 msgid "Forward to server instead of running locally" msgstr "Reenv?a al servidor en lugar de ejecutarse localmente" #: ../../ipalib/errors.py:297 #, python-format msgid "%(cver)s client incompatible with %(sver)s server at %(server)r" msgstr "el cliente %(cver)s no es compatible con el servidor %(sver)s en %(server)r" #: ../../ipalib/errors.py:315 #, python-format msgid "unknown error %(code)d from %(server)s: %(error)s" msgstr "error %(code)d desconocido de %(server)s: %(error)s" #: ../../ipalib/errors.py:331 msgid "an internal error has occurred" msgstr "ha ocurrido un error interno" #: ../../ipalib/errors.py:353 #, python-format msgid "an internal error has occurred on server at %(server)r" msgstr "ha ocurrido un error interno en el servidor en %(server)r" #: ../../ipalib/errors.py:369 #, python-format msgid "unknown command %(name)r" msgstr "comando desconocido %(name)r" #: ../../ipalib/errors.py:386 #: ../../ipalib/errors.py:411 #, python-format msgid "error on server %(server)r: %(error)s" msgstr "error en el servidor %(server)r: %(error)s" #: ../../ipalib/errors.py:402 #, python-format msgid "cannot connect to %(uri)r: %(error)s" 
msgstr "no es posible conectar con %(uri)r: %(error)s" #: ../../ipalib/errors.py:420 #, python-format msgid "Invalid JSON-RPC request: %(error)s" msgstr "Petici?n JSON-RPC no v?lida: %(error)s" #: ../../ipalib/errors.py:448 #, python-format msgid "Kerberos error: %(major)s/%(minor)s" msgstr "Error de kerberos: %(major)s/%(minor)s" #: ../../ipalib/errors.py:465 msgid "did not receive Kerberos credentials" msgstr "no se ha recibido ninguna credencial Kerberos" #: ../../ipalib/errors.py:481 #, python-format msgid "Service %(service)r not found in Kerberos database" msgstr "El servicio %(service)r no se ha encontrado en la base de datos Kerberos" #: ../../ipalib/errors.py:497 msgid "No credentials cache found" msgstr "No se han encontrado credenciales de cach?" #: ../../ipalib/errors.py:513 msgid "Ticket expired" msgstr "El ticket ha expirado" #: ../../ipalib/errors.py:529 msgid "Credentials cache permissions incorrect" msgstr "Los permisos de credenciales de cach? son incorrectos" #: ../../ipalib/errors.py:545 msgid "Bad format in credentials cache" msgstr "Las credenciales de cach? 
est?n mal formadas" #: ../../ipalib/errors.py:561 msgid "Cannot resolve KDC for requested realm" msgstr "No es posible resolver KDC para el reinado solicitado" #: ../../ipalib/errors.py:580 #, python-format msgid "Insufficient access: %(info)s" msgstr "Acceso insuficiente: %(info)s" #: ../../ipalib/errors.py:624 #, python-format msgid "command %(name)r takes no arguments" msgstr "el comando %(name)r no tiene argumentos" #: ../../ipalib/errors.py:644 #, python-format msgid "command %(name)r takes at most %(count)d argument" msgid_plural "command %(name)r takes at most %(count)d arguments" msgstr[0] "el comando %(name)r lleva al menos %(count)d argumento" msgstr[1] "el comando %(name)r lleva al menos %(count)d argumentos" #: ../../ipalib/errors.py:674 #, python-format msgid "overlapping arguments and options: %(names)r" msgstr "superponiendo argumentos y opciones: %(names)r" #: ../../ipalib/errors.py:690 #, python-format msgid "%(name)r is required" msgstr "%(name)r es necesario" #: ../../ipalib/errors.py:706 #: ../../ipalib/errors.py:722 #, python-format msgid "invalid %(name)r: %(error)s" msgstr "%(name)r inv?lido: %(error)s" #: ../../ipalib/errors.py:738 #, python-format msgid "api has no such namespace: %(name)r" msgstr "api no posee tal nombre de espacio: %(name)r" #: ../../ipalib/errors.py:747 msgid "Passwords do not match" msgstr "Las contrase?as no coinciden" #: ../../ipalib/errors.py:755 msgid "Command not implemented" msgstr "El comando no se ha implementado" #: ../../ipalib/errors.py:783 #: ../../ipalib/errors.py:1023 #, python-format msgid "%(reason)s" msgstr "%(reason)s" #: ../../ipalib/errors.py:799 msgid "This entry already exists" msgstr "Esta entrada ya existe" #: ../../ipalib/errors.py:815 msgid "You must enroll a host in order to create a host service" msgstr "Debe registrar un equipo para poder generar un servicio de equipo" #: ../../ipalib/errors.py:831 #, python-format msgid "Service principal is not of the form: service/fully-qualified host 
name: %(reason)s" msgstr "El servicio principal no tiene la forma de servicio/nombre de equipo totalmente calificado: %(reason)s" #: ../../ipalib/errors.py:847 msgid "The realm for the principal does not match the realm for this IPA server" msgstr "El reinado para el principal no coincide con el reinado para este servidor IPA" #: ../../ipalib/errors.py:863 msgid "This command requires root access" msgstr "Este comando necesita acceso de usuario root" #: ../../ipalib/errors.py:879 msgid "This is already a posix group" msgstr "Este ya es un grupo posix" #: ../../ipalib/errors.py:895 #, python-format msgid "Principal is not of the form user at REALM: %(principal)r" msgstr "El principal no tiene la forma usuario at REINADO: %(principal)r" #: ../../ipalib/errors.py:911 msgid "This entry is already unlocked" msgstr "Esta entrada ya se encuentra desbloqueada" #: ../../ipalib/errors.py:927 msgid "This entry is already locked" msgstr "Esta entrada ya se encuentra bloqueada" #: ../../ipalib/errors.py:943 msgid "This entry has nsAccountLock set, it cannot be locked or unlocked" msgstr "Esta entrada posee definido nsAccountLock, no puede ser bloqueada ni desbloqueada" #: ../../ipalib/errors.py:959 msgid "This entry is not a member of the group" msgstr "Esta entrada no es miembro del grupo" #: ../../ipalib/errors.py:975 msgid "A group may not be a member of itself" msgstr "Un grupo no puede ser miembro de s? mismo" #: ../../ipalib/errors.py:991 msgid "This entry is already a member of the group" msgstr "Esta entrada ya es miembro del grupo" #: ../../ipalib/errors.py:1007 #, python-format msgid "Base64 decoding failed: %(reason)s" msgstr "Fall? la decodificaci?n base64: %(reason)s" #: ../../ipalib/errors.py:1039 msgid "A group may not be added as a member of itself" msgstr "Un grupo no puede ser agregado como miembro de s? 
mismo" #: ../../ipalib/errors.py:1055 msgid "The default users group cannot be removed" msgstr "El grupo de usuarios predeterminado no puede ser eliminado" #: ../../ipalib/errors.py:1071 msgid "Host does not have corresponding DNS A record" msgstr "El equipo no posee un registro DNS A con el que se corresponda " #: ../../ipalib/errors.py:1086 msgid "Deleting a managed group is not allowed. It must be detached first." msgstr "No se permite eliminar un grupo administrado. Primero debe ser desasociado. " #: ../../ipalib/errors.py:1109 #, python-format msgid "no command nor help topic %(topic)r" msgstr "no existe un comando para el t?pico de ayuda %(topic)r" #: ../../ipalib/errors.py:1133 msgid "change collided with another change" msgstr "la modificaci?n choca con otra modificaci?n diferente" #: ../../ipalib/errors.py:1149 msgid "no modifications to be performed" msgstr "no existen modificaciones a ser realizadas" #: ../../ipalib/errors.py:1165 #, python-format msgid "%(desc)s:%(info)s" msgstr "%(desc)s:%(info)s" #: ../../ipalib/errors.py:1181 msgid "limits exceeded for this query" msgstr "han sido excedidos los l?mites para esta consulta" #: ../../ipalib/errors.py:1196 #, python-format msgid "%(info)s" msgstr "%(info)s" #: ../../ipalib/errors.py:1221 #, python-format msgid "Certificate operation cannot be completed: %(error)s" msgstr "La operaci?n certificada no puede ser completada: %(error)s" #: ../../ipalib/plugins/config.py:73 msgid "Configuration" msgstr "Configuraci?n" #: ../../ipalib/plugins/config.py:78 msgid "Max username length" msgstr "Longitud m?xima de nombre de usuario" #: ../../ipalib/plugins/config.py:83 msgid "Home directory base" msgstr "Base del directorio principal" #: ../../ipalib/plugins/config.py:84 msgid "Default location of home directories" msgstr "Ubicaci?n predeterminada de los directorios principales" #: ../../ipalib/plugins/config.py:88 msgid "Default shell" msgstr "Shell predeterminada" #: ../../ipalib/plugins/config.py:89 msgid 
"Default shell for new users" msgstr "Shell predeterminada para nuevos usuarios" #: ../../ipalib/plugins/config.py:93 msgid "Default users group" msgstr "Grupo de usuarios predeterminado" #: ../../ipalib/plugins/config.py:94 msgid "Default group for new users" msgstr "Grupo predeterminado para nuevos usuarios" #: ../../ipalib/plugins/config.py:98 msgid "Default e-mail domain" msgstr "Dominio predeterminado de correo electr?nico" #: ../../ipalib/plugins/config.py:99 msgid "Default e-mail domain new users" msgstr "Dominio predeterminado de correo electr?nico para nuevos usuarios" #: ../../ipalib/plugins/config.py:103 msgid "Search time limit" msgstr "Buscar l?mite de tiempo" #: ../../ipalib/plugins/config.py:104 msgid "Max. amount of time (sec.) for a search (-1 is unlimited)" msgstr "Cantidad m?xima de tiempo (en segundos) para realizar una b?squeda (-1 es ilimitado)" #: ../../ipalib/plugins/config.py:109 msgid "Search size limit" msgstr "L?mite del tama?o de la b?squeda" #: ../../ipalib/plugins/config.py:110 msgid "Max. 
number of records to search (-1 is unlimited)"
msgstr "cantidad máxima de registros que buscar (-1 es ilimitado)"

#: ../../ipalib/plugins/config.py:115
msgid "User search fields"
msgstr "Campos de búsqueda de usuario"

#: ../../ipalib/plugins/config.py:116
msgid "A comma-separated list of fields to search when searching for users"
msgstr "Una lista separada por comas de campos a buscar, cuando se realice una búsqueda de usuarios"

#: ../../ipalib/plugins/config.py:121
msgid "A comma-separated list of fields to search when searching for groups"
msgstr "Una lista separada por comas de campos a buscar, cuando se realice una búsqueda de grupos"

#: ../../ipalib/plugins/config.py:125
msgid "Migration mode"
msgstr "Modo de migración"

#: ../../ipalib/plugins/config.py:126
msgid "Enable migration mode"
msgstr "Habilita el modo de migración"

#: ../../ipalib/plugins/config.py:130
msgid "Certificate Subject base"
msgstr "Base de certificado de asunto"

#: ../../ipalib/plugins/config.py:131
msgid "Base for certificate subjects (OU=Test,O=Example)"
msgstr "Base para certificar asuntos (OU=Prueba,O=Ejemplo)"

#: ../../ipalib/plugins/rolegroup.py:79
msgid "Role Groups"
msgstr "Grupos de funciones"

#: ../../ipalib/plugins/rolegroup.py:84
msgid "Role-group name"
msgstr "Nombre del grupo de función"

#: ../../ipalib/plugins/rolegroup.py:90
#: ../../ipalib/plugins/host.py:124
#: ../../ipalib/plugins/group.py:108
#: ../../ipalib/plugins/hbac.py:151
#: ../../ipalib/plugins/automount.py:230
#: ../../ipalib/plugins/netgroup.py:96
#: ../../ipalib/plugins/taskgroup.py:62
#: ../../ipalib/plugins/hostgroup.py:81
msgid "Description"
msgstr "Descripción"

#: ../../ipalib/plugins/rolegroup.py:91
msgid "A description of this role-group"
msgstr "Una descripción de este grupo de funciones"

#: ../../ipalib/plugins/rolegroup.py:94
#: ../../ipalib/plugins/group.py:117
#: ../../ipalib/plugins/taskgroup.py:66
msgid "Member groups"
msgstr "Grupos de miembros"

#: ../../ipalib/plugins/rolegroup.py:98
#: ../../ipalib/plugins/group.py:121
#: ../../ipalib/plugins/taskgroup.py:70
msgid "Member users"
msgstr "Usuarios miembros"

#: ../../ipalib/plugins/rolegroup.py:102
msgid "Member of task-groups"
msgstr "Miembros de los grupos de tareas"

#: ../../ipalib/plugins/rolegroup.py:115
#, python-format
msgid "Added rolegroup \"%(value)s\""
msgstr "Ha sido agregado el grupo de funciones \"%(value)s\""

#: ../../ipalib/plugins/rolegroup.py:125
#, python-format
msgid "Deleted rolegroup \"%(value)s\""
msgstr "Ha sido eliminado el grupo de funciones \"%(value)s\""

#: ../../ipalib/plugins/rolegroup.py:135
#, python-format
msgid "Modified rolegroup \"%(value)s\""
msgstr "Ha sido modificado el grupo de funciones \"%(value)s\""

#: ../../ipalib/plugins/rolegroup.py:146
#, python-format
msgid "%(count)d rolegroup matched"
msgid_plural "%(count)d rolegroups matched"
msgstr[0] "%(count)d grupo de roles coincidente"
msgstr[1] "%(count)d grupo de roles coincidentes"

#: ../../ipalib/plugins/host.py:86
msgid "Fully-qualified hostname required"
msgstr "Es necesario un nombre de equipo totalmente certificado"

#: ../../ipalib/plugins/host.py:113
#: ../../ipalib/plugins/hbac.py:162
msgid "Hosts"
msgstr "Equipos"

#: ../../ipalib/plugins/host.py:118
msgid "Host name"
msgstr "Nombre del equipo"

#: ../../ipalib/plugins/host.py:125
msgid "A description of this host"
msgstr "Una descripción de este equipo"

#: ../../ipalib/plugins/host.py:129
msgid "Locality"
msgstr "Localidad"

#: ../../ipalib/plugins/host.py:130
msgid "Host locality (e.g. \"Baltimore, MD\")"
msgstr "Localidad del equipo (p.ej. \"Barrio latino, París\") "

#: ../../ipalib/plugins/host.py:134
#: ../../ipalib/plugins/automount.py:107
msgid "Location"
msgstr "Ubicación"

#: ../../ipalib/plugins/host.py:135
msgid "Host location (e.g. \"Lab 2\")"
msgstr "Ubicación del equipo (p. ej. \"Laboratorio\")"

#: ../../ipalib/plugins/host.py:139
msgid "Platform"
msgstr "Plataforma"

#: ../../ipalib/plugins/host.py:140
msgid "Host hardware platform (e.g. \"Lenovo T61\")"
msgstr "Plataforma de hardware del equipo (p. ej. \"Lenovo T61\")"

#: ../../ipalib/plugins/host.py:144
msgid "Operating system"
msgstr "Sistema operativo"

#: ../../ipalib/plugins/host.py:145
msgid "Host operating system and version (e.g. \"Fedora 9\")"
msgstr "Sistema operativo que utiliza el equipo y versión (p.ej. \"Fedora 11\")"

#: ../../ipalib/plugins/host.py:149
msgid "User password"
msgstr "Contraseña de usuario"

#: ../../ipalib/plugins/host.py:150
msgid "Password used in bulk enrollment"
msgstr "Contraseña utilizada en el registro bruto"

#: ../../ipalib/plugins/host.py:154
#: ../../ipalib/plugins/service.py:185
#: ../../ipalib/plugins/service.py:265
#: ../../ipalib/plugins/service.py:304
#: ../../ipalib/plugins/service.py:343
#: ../../ipalib/plugins/cert.py:187
#: ../../ipalib/plugins/cert.py:392
msgid "Certificate"
msgstr "Certificado"

#: ../../ipalib/plugins/host.py:155
#: ../../ipalib/plugins/service.py:186
#: ../../ipalib/plugins/service.py:266
#: ../../ipalib/plugins/service.py:305
#: ../../ipalib/plugins/service.py:344
msgid "Base-64 encoded server certificate"
msgstr "Certificado del servidor codificado con base-64"

#: ../../ipalib/plugins/host.py:158
#: ../../ipalib/plugins/host.py:274
msgid "Principal name"
msgstr "Nombre principal"

#: ../../ipalib/plugins/host.py:162
#: ../../ipalib/plugins/hostgroup.py:93
msgid "Member of host-groups"
msgstr "Miembro de los grupos de equipo"

#: ../../ipalib/plugins/host.py:166
msgid "Member of net-groups"
msgstr "Miembro de los grupos de red"

#: ../../ipalib/plugins/host.py:170
msgid "Member of role-groups"
msgstr "Miembro de los grupos de función"

#: ../../ipalib/plugins/host.py:199
#, python-format
msgid "Added host \"%(value)s\""
msgstr "Ha sido agregado el equipo \"%(value)s\""

#: ../../ipalib/plugins/host.py:202
msgid "force host name even if not in DNS"
msgstr "fuerza el nombre del equipo anfitrión, incluso si no se encuentra en DNS"

#: ../../ipalib/plugins/host.py:235
#, python-format
msgid "Deleted host \"%(value)s\""
msgstr "Ha sido eliminado el equipo \"%(value)s\""

#: ../../ipalib/plugins/host.py:269
#, python-format
msgid "Modified host \"%(value)s\""
msgstr "Ha sido modificado el equipo \"%(value)s\""

#: ../../ipalib/plugins/host.py:275
msgid "Kerberos principal name for this host"
msgstr "Nombre del prinicpal de Kerberos para este equipo"

#: ../../ipalib/plugins/host.py:319
#, python-format
msgid "%(count)d host matched"
msgid_plural "%(count)d hosts matched"
msgstr[0] "%(count)d equipo coincidente"
msgstr[1] "%(count)d equipos coincidentes"

#: ../../ipalib/plugins/host.py:337
#: ../../ipalib/plugins/service.py:83
msgid "Keytab"
msgstr "Keytab"

#: ../../ipalib/plugins/host.py:359
#: ../../ipalib/plugins/service.py:386
#, python-format
msgid "Removed kerberos key from \"%(value)s\""
msgstr "Se ha eliminado la llave kerberos de \"%(value)s\""

#: ../../ipalib/plugins/host.py:368
msgid "Host principal has no kerberos key"
msgstr "El principal del equipo anfitrión no posee una llave kerberos "

#: ../../ipalib/plugins/group.py:94
msgid "User Groups"
msgstr "Grupos de usuarios"

#: ../../ipalib/plugins/group.py:102
msgid "Group name"
msgstr "Nombre del grupo"

#: ../../ipalib/plugins/group.py:109
msgid "Group description"
msgstr "Descripción del grupo"

#: ../../ipalib/plugins/group.py:113
msgid "GID"
msgstr "GID"

#: ../../ipalib/plugins/group.py:114
msgid "GID (use this option to set it manually)"
msgstr "GID (utilice esta opción para definirlo manualmente)"

#: ../../ipalib/plugins/group.py:134
#, python-format
msgid "Added group \"%(value)s\""
msgstr "Ha sido agregado el grupo \"%(value)s\""

#: ../../ipalib/plugins/group.py:139
msgid "Create as posix group?"
msgstr "¿Crear como un grupo posix?"

#: ../../ipalib/plugins/group.py:159
#, python-format
msgid "Deleted group \"%(value)s\""
msgstr "Ha sido eliminado el grupo \"%(value)s\""

#: ../../ipalib/plugins/group.py:188
#, python-format
msgid "Modified group \"%(value)s\""
msgstr "Ha sido modificado el grupo \"%(value)s\""

#: ../../ipalib/plugins/group.py:193
msgid "change to posix group"
msgstr "trasladarse al grupo posix"

#: ../../ipalib/plugins/group.py:219
#, python-format
msgid "%(count)d group matched"
msgid_plural "%(count)d groups matched"
msgstr[0] "%(count)d grupo coincidente"
msgstr[1] "%(count)d grupos coincidentes"

#: ../../ipalib/plugins/group.py:254
#, python-format
msgid "Detached group \"%(value)s\" from user \"%(value)s\""
msgstr "Ha sido desasociado el grupo \"%(value)s\" del usuario \"%(value)s\""

#: ../../ipalib/plugins/group.py:270
msgid "not allowed to modify user entries"
msgstr "no se permite modificar las entradas de los usuarios"

#: ../../ipalib/plugins/group.py:274
msgid "not allowed to modify group entries"
msgstr "no se permite modificar las entradas de los grupos"

#: ../../ipalib/plugins/group.py:281
#: ../../ipalib/plugins/group.py:292
msgid "Not a managed group"
msgstr "No es un grupo administrado"

#: ../../ipalib/plugins/migration.py:44
#, python-format
msgid "Kerberos principal %s already exists. Use 'ipa user-mod' to set it manually."
msgstr "El principal %s de Kerberos ya existe. Utilice 'ipa user-mod' para definirlo manualmente."

#: ../../ipalib/plugins/migration.py:45
msgid "Failed to add user to the default group. Use 'ipa group-add-member' to add manually."
msgstr "Falló al intenatar agregar al usuario al grupo predeterminado. Utilice 'ipa group-add-member' para agregarlo manualmente. "

#: ../../ipalib/plugins/migration.py:169
msgid "LDAP URI"
msgstr "LDAP URI"

#: ../../ipalib/plugins/migration.py:170
msgid "LDAP URI of DS server to migrate from"
msgstr "LDAP URI del servidor DS desde donde realizar la migración"

#: ../../ipalib/plugins/migration.py:174
msgid "bind password"
msgstr "asociar contraseña"

#: ../../ipalib/plugins/migration.py:181
msgid "Bind DN"
msgstr "Asociar DN"

#: ../../ipalib/plugins/migration.py:187
msgid "User container"
msgstr "Contenedor de usuario"

#: ../../ipalib/plugins/migration.py:188
msgid "RDN of container for users in DS"
msgstr "RDN de contenedor para los usuarios en DS"

#: ../../ipalib/plugins/migration.py:194
msgid "Group container"
msgstr "Contenedor de grupoi"

#: ../../ipalib/plugins/migration.py:195
msgid "RDN of container for groups in DS"
msgstr "RDN del contenedor para grups en DS"

#: ../../ipalib/plugins/migration.py:204
msgid "Lists of objects migrated; categorized by type."
msgstr "Lista de objetos migrados; categorizados por tipo."

#: ../../ipalib/plugins/migration.py:208
msgid "Lists of objects that could not be migrated; categorized by type."
msgstr "Lista de objetos que no pueden ser migrados; categorizados por tipo."

#: ../../ipalib/plugins/migration.py:212
msgid "False if migration mode was disabled."
msgstr "\"False\", si el modo de migración fue deshabilitado."

#: ../../ipalib/plugins/migration.py:216
#, python-format
msgid "comma-separated list of %s to exclude from migration"
msgstr "lista de %s separada por comas a ser excluida de la migración"

#: ../../ipalib/plugins/migration.py:218
msgid ""
"search results for objects to be migrated\n"
"have been truncated by the server;\n"
"migration process might be uncomplete\n"
msgstr ""
"los resultados de la búsqueda de objetos a ser migrados\n"
"ha sido truncada por el servidor;\n"
"el proceso de migración podría estar incompleto\n"

#: ../../ipalib/plugins/migration.py:223
msgid "Migration mode is disabled. Use 'ipa config-mod' to enable it."
msgstr "El modo de migración se encuentra deshabilitado. Utilice 'ipa config-mod' para habilitarlo."

#: ../../ipalib/plugins/migration.py:226
msgid ""
"Passwords have been migrated in pre-hashed format.\n"
"IPA is unable to generate Kerberos keys unless provided\n"
"with clear text passwords. All migrated users need to\n"
"login at https://your.domain/ipa/migration/ before they\n"
"can use their Kerberos accounts."
msgstr ""
"Las contraseñas han sido migradas en formato pre-hasheado.\n"
"IPA es incapaz de generar llaves Kerberos a menos que le sean\n"
"provistas contraseñas de texto claras. Todos los usuarios migrados\n"
"necesitan registrarse en https://su.dominio/ipa/migration/ antes de\n"
"poder utilizar sus respectivas cuentas Kerberos."

#: ../../ipalib/plugins/service.py:157
#: ../../ipalib/plugins/hbac.py:174
msgid "Services"
msgstr "Servicios"

#: ../../ipalib/plugins/service.py:162
#: ../../ipalib/plugins/cert.py:171
msgid "Principal"
msgstr "Principal"

#: ../../ipalib/plugins/service.py:163
msgid "Service principal"
msgstr "Servicio principal"

#: ../../ipalib/plugins/service.py:176
#, python-format
msgid "Added service \"%(value)s\""
msgstr "Ha sido agregado el servicio \"%(value)s\""

#: ../../ipalib/plugins/service.py:181
msgid "force principal name even if not in DNS"
msgstr "fuerza el nombre del prinicpal, aún si no se encuentra en DNS"

#: ../../ipalib/plugins/service.py:224
#, python-format
msgid "Deleted service \"%(value)s\""
msgstr "Ha sido eliminado el servicio \"%(value)s\""

#: ../../ipalib/plugins/service.py:261
#, python-format
msgid "Modified service \"%(value)s\""
msgstr "Ha sido modificado el servicio \"%(value)s\""

#: ../../ipalib/plugins/service.py:298
#, python-format
msgid "%(count)d service matched"
msgid_plural "%(count)d services matched"
msgstr[0] "%(count)d servicio coincidente"
msgstr[1] "%(count)d servicios coincidentes "

#: ../../ipalib/plugins/service.py:396
msgid "Service principal has no kerberos key"
msgstr "El servicio principal no posee una llave kerberos"

#: ../../ipalib/plugins/passwd.py:52
#: ../../ipalib/plugins/krbtpolicy.py:62
msgid "User name"
msgstr "Nombre de usuario"

#: ../../ipalib/plugins/hbac.py:106
msgid "HBAC"
msgstr "HBAC"

#: ../../ipalib/plugins/hbac.py:111
msgid "Rule name"
msgstr "Nombre de la regla"

#: ../../ipalib/plugins/hbac.py:116
msgid "Rule type (allow or deny)"
msgstr "Tipo de regla (permitir o negar)"

#: ../../ipalib/plugins/hbac.py:117
msgid "Rule type"
msgstr "Tipo de regla"

#: ../../ipalib/plugins/hbac.py:123
msgid "User category"
msgstr "Categoría de usuario"

#: ../../ipalib/plugins/hbac.py:124
msgid "User category the rule applies to"
msgstr "Categoría de usuario al que se aplica la regla"

#: ../../ipalib/plugins/hbac.py:129
msgid "Host category"
msgstr "Categoría del equipo"

#: ../../ipalib/plugins/hbac.py:130
msgid "Host category the rule applies to"
msgstr "Categoría del equipo al que se aplica la regla"

#: ../../ipalib/plugins/hbac.py:135
msgid "Source host category"
msgstr "Categoría del equipo de origen"

#: ../../ipalib/plugins/hbac.py:136
msgid "Source host category the rule applies to"
msgstr "Categoría del equipo de origen al que se aplica la regla"

#: ../../ipalib/plugins/hbac.py:141
msgid "Service category"
msgstr "Categoría de servicio"

#: ../../ipalib/plugins/hbac.py:142
msgid "Service category the rule applies to"
msgstr "Categoría de servicio a la que se aplica la regla"

#: ../../ipalib/plugins/hbac.py:147
#: ../../ipalib/plugins/hbac.py:309
#: ../../ipalib/plugins/hbac.py:347
msgid "Access time"
msgstr "Hora de acceso"

#: ../../ipalib/plugins/hbac.py:154
msgid "Enabled"
msgstr "Habilitado"

#: ../../ipalib/plugins/hbac.py:158
#: ../../ipalib/plugins/user.py:76
msgid "Users"
msgstr "Usuarios"

#: ../../ipalib/plugins/hbac.py:166
#: ../../ipalib/plugins/hostgroup.py:69
msgid "Host Groups"
msgstr "Grupos de equipo"

#: ../../ipalib/plugins/hbac.py:170
msgid "Source hosts"
msgstr "Equipos fuente"

#: ../../ipalib/plugins/hbac.py:178
msgid "Service Groups"
msgstr "Grupos de servicio"

#: ../../ipalib/plugins/cert.py:93
msgid "Failure decoding Certificate Signing Request:"
msgstr "Falla al intentar decodificar la petición de identificación de certificado"

#: ../../ipalib/plugins/cert.py:106
#: ../../ipalib/plugins/cert.py:118
msgid "Failure decoding Certificate Signing Request"
msgstr "Falla al intentar decodificar la petición de identificación de certificado"

#: ../../ipalib/plugins/cert.py:120
#, python-format
msgid "Failure decoding Certificate Signing Request: %s"
msgstr "Falla al intentar decodificar la petición de identificación de certificado: %s"

#: ../../ipalib/plugins/cert.py:172
msgid "Service principal for this certificate (e.g. HTTP/test.example.com)"
msgstr "Principal del servicio para este certificado (p.ej. HTTP/prueba.ejemplo.com)"

#: ../../ipalib/plugins/cert.py:179
msgid "automatically add the principal if it doesn't exist"
msgstr "si no existe, agregar automáticamente el principal"

#: ../../ipalib/plugins/cert.py:191
#: ../../ipalib/plugins/cert.py:395
msgid "Subject"
msgstr "Asunto"

#: ../../ipalib/plugins/cert.py:195
#: ../../ipalib/plugins/cert.py:398
msgid "Issuer"
msgstr "Emisor"

#: ../../ipalib/plugins/cert.py:199
#: ../../ipalib/plugins/cert.py:401
msgid "Not Before"
msgstr "No antes de"

#: ../../ipalib/plugins/cert.py:203
#: ../../ipalib/plugins/cert.py:404
msgid "Not After"
msgstr "No luego de"

#: ../../ipalib/plugins/cert.py:207
#: ../../ipalib/plugins/cert.py:407
msgid "Fingerprint (MD5)"
msgstr "Huella digital (MD5)"

#: ../../ipalib/plugins/cert.py:211
#: ../../ipalib/plugins/cert.py:410
msgid "Fingerprint (SHA1)"
msgstr "Huella digital (SHA1)"

#: ../../ipalib/plugins/cert.py:215
#: ../../ipalib/plugins/cert.py:379
msgid "Serial number"
msgstr "Número de serie"

#: ../../ipalib/plugins/cert.py:223
#: ../../ipalib/plugins/misc.py:57
msgid "Dictionary mapping variable name to value"
msgstr "Nombre de la variable de mapeo de dicionario a valorizar "

#: ../../ipalib/plugins/cert.py:357
msgid "Request id"
msgstr "Id de la petición"

#: ../../ipalib/plugins/cert.py:363
msgid "Request status"
msgstr "Estado de la petición"

#: ../../ipalib/plugins/cert.py:380
msgid "Serial number in decimal or if prefixed with 0x in hexadecimal"
msgstr "Número de serie en decimales, o hexadecimales, si tiene un prefijo 0x"

#: ../../ipalib/plugins/cert.py:413
msgid "Revocation reason"
msgstr "Motivo de la revocación"

#: ../../ipalib/plugins/cert.py:458
msgid "Revoked"
msgstr "Revocado"

#: ../../ipalib/plugins/cert.py:466
msgid "Reason"
msgstr "Motivo"

#: ../../ipalib/plugins/cert.py:467
msgid "Reason for revoking the certificate (0-10)"
msgstr "Motivo por el cual el certificado ha sido revocado (0-10)"

#: ../../ipalib/plugins/cert.py:502
msgid "Unrevoked"
msgstr "No revocado"

#: ../../ipalib/plugins/cert.py:505
msgid "Error"
msgstr "Error"

#: ../../ipalib/plugins/baseldap.py:79
#, python-format
msgid "container entry (%(container)s) not found"
msgstr "no se encuentra la entrada (%(container)s) de contenedor"

#: ../../ipalib/plugins/baseldap.py:80
#, python-format
msgid "%(parent)s: %(oname)s not found"
msgstr "%(parent)s: no se encuentra %(oname)s"

#: ../../ipalib/plugins/baseldap.py:81
#, python-format
msgid "%(pkey)s: %(oname)s not found"
msgstr "%(pkey)s: no se encuentra %(oname)s"

#: ../../ipalib/plugins/baseldap.py:150
msgid "Add an attribute/value pair. Format is attr=value"
msgstr "Agregar un par de atributo/valor. El formato es attr=value"

#: ../../ipalib/plugins/baseldap.py:155
msgid "Set an attribute to an name/value pair. Format is attr=value"
msgstr "Define un atributo a un par nombre/valor. El formato es attr=value"

#: ../../ipalib/plugins/baseldap.py:491
msgid "the entry was deleted while being modified"
msgstr "la entrada fue eliminada mientras estaba siendo modificada"

#: ../../ipalib/plugins/baseldap.py:627
msgid "Members that could not be added"
msgstr "Miembros que no han podido ser añadidos"

#: ../../ipalib/plugins/baseldap.py:631
msgid "Number of members added"
msgstr "Cantidad de miembros añadidos"

#: ../../ipalib/plugins/baseldap.py:637
#: ../../ipalib/plugins/baseldap.py:742
msgid "Failed members"
msgstr "Miembros fallidos"

#: ../../ipalib/plugins/baseldap.py:732
msgid "Members that could not be removed"
msgstr "Miembros que no han podido ser eliminados"

#: ../../ipalib/plugins/baseldap.py:736
msgid "Number of members removed"
msgstr "Cantidad de miembros eliminados"

#: ../../ipalib/plugins/baseldap.py:833
msgid "Time Limit"
msgstr "Tiempo límite"

#: ../../ipalib/plugins/baseldap.py:834
msgid "Time limit of search in seconds"
msgstr "Tiempo máximo de búsqueda en segundos"

#: ../../ipalib/plugins/baseldap.py:840
msgid "Size Limit"
msgstr "Tamaño límite"

#: ../../ipalib/plugins/baseldap.py:841
msgid "Maximum number of entries returned"
msgstr "Cantidad máxima de entradas obtenidas"

#: ../../ipalib/plugins/aci.py:111
msgid "A list of ACI values"
msgstr "Una lista de valores ACI"

#: ../../ipalib/plugins/aci.py:142
msgid "type, filter, subtree and targetgroup are mutually exclusive"
msgstr "tipo, filtro, subárbol y grupo de destino, se excluyen mutuamente"

#: ../../ipalib/plugins/aci.py:145
msgid "at least one of: type, filter, subtree, targetgroup, attrs or memberof are required"
msgstr "es necesario como mínimo alguno de: tipo, filtro, subárbol, grupo de destino, atributos, o miembro de "

#: ../../ipalib/plugins/aci.py:151
msgid "group, taskgroup and self are mutually exclusive"
msgstr "grupo, función del grupo y self se excluyen mutuamente"

#: ../../ipalib/plugins/aci.py:153
msgid "One of group, taskgroup or self is required"
msgstr "Es necesario o grupo o función del grupo o self"

#: ../../ipalib/plugins/aci.py:172
#, python-format
msgid "Group '%s' does not exist"
msgstr "El grupo '%s' no existe"

#: ../../ipalib/plugins/aci.py:269
#, python-format
msgid "ACI with name \"%s\" not found"
msgstr "No se encuentra un ACI cuyo nombre sea \"%s\""

#: ../../ipalib/plugins/aci.py:286
msgid "ACIs"
msgstr "ACIs"

#: ../../ipalib/plugins/aci.py:291
msgid "ACI name"
msgstr "Nombre de ACI"

#: ../../ipalib/plugins/aci.py:296
msgid "Taskgroup"
msgstr "Grupo de tareas"

#: ../../ipalib/plugins/aci.py:297
msgid "Taskgroup ACI grants access to"
msgstr "El grupo de tareas ACI permite el acceso a "

#: ../../ipalib/plugins/aci.py:301
msgid "User group"
msgstr "Grupo de usuarios"

#: ../../ipalib/plugins/aci.py:302
msgid "User group ACI grants access to"
msgstr "El grupo de usuarios ACI permite el acceso a"

#: ../../ipalib/plugins/aci.py:306
msgid "Permissions"
msgstr "Permisos"

#: ../../ipalib/plugins/aci.py:307
msgid "comma-separated list of permissions to grant(read, write, add, delete, all)"
msgstr "lista separada por comas de la concesión de permisos (leer, escribir, agregar, eliminar, todos) "

#: ../../ipalib/plugins/aci.py:313
msgid "Attributes"
msgstr "Atributos"

#: ../../ipalib/plugins/aci.py:314
msgid "Comma-separated list of attributes"
msgstr "Lista de atributos separada por comas"

#: ../../ipalib/plugins/aci.py:318
msgid "Type"
msgstr "Tipo"

#: ../../ipalib/plugins/aci.py:319
msgid "type of IPA object (user, group, host)"
msgstr "tipo de objeto IPA (usuario, grupo, equipo)"

#: ../../ipalib/plugins/aci.py:324
msgid "Member of"
msgstr "Miembro de"

#: ../../ipalib/plugins/aci.py:325
msgid "Member of a group"
msgstr "Miembro de un grupo"

#: ../../ipalib/plugins/aci.py:329
msgid "Filter"
msgstr "Filtro"

#: ../../ipalib/plugins/aci.py:330
msgid "Legal LDAP filter (e.g. ou=Engineering)"
msgstr "Filtro legal LDAP (p.ej. ou=Ingeniería)"

#: ../../ipalib/plugins/aci.py:334
msgid "Subtree"
msgstr "Subárbol"

#: ../../ipalib/plugins/aci.py:335
msgid "Subtree to apply ACI to"
msgstr "Subárbol al que aplicar ACI"

#: ../../ipalib/plugins/aci.py:339
msgid "Target group"
msgstr "Grupo elegido"

#: ../../ipalib/plugins/aci.py:340
msgid "Group to apply ACI to"
msgstr "Grupo al que aplicar API"

#: ../../ipalib/plugins/aci.py:344
msgid "Target your own entry (self)"
msgstr "Dirija su propia entrada (usted)"

#: ../../ipalib/plugins/aci.py:345
msgid "Apply ACI to your own entry (self)"
msgstr "Aplique ACI a su propia entrada (usted)"

#: ../../ipalib/plugins/aci.py:357
#, python-format
msgid "Created ACI \"%(value)s\""
msgstr "Ha sido creado ACI \"%(value)s\""

#: ../../ipalib/plugins/aci.py:407
#, python-format
msgid "Deleted ACI \"%(value)s\""
msgstr "Ha sido eliminado ACI \"%(value)s\""

#: ../../ipalib/plugins/aci.py:447
#, python-format
msgid "Modified ACI \"%(value)s\""
msgstr "Ha sido modificado ACI \"%(value)s\""

#: ../../ipalib/plugins/aci.py:519
#, python-format
msgid "%(count)d ACI matched"
msgid_plural "%(count)d ACIs matched"
msgstr[0] "%(count)d ACI coincidente"
msgstr[1] "%(count)d ACIs coincidentes"

#: ../../ipalib/plugins/krbtpolicy.py:63
msgid "Manage ticket policy for specific user"
msgstr "Administra política de ticket para un usuario específico"

#: ../../ipalib/plugins/krbtpolicy.py:68
msgid "Max life"
msgstr "Vida máxima"

#: ../../ipalib/plugins/krbtpolicy.py:69
msgid "Maximum ticket life (seconds)"
msgstr "Duración máxima del ticket (en segundos)"

#: ../../ipalib/plugins/krbtpolicy.py:73
msgid "Max renew"
msgstr "Renovación máxima"

#: ../../ipalib/plugins/krbtpolicy.py:74
msgid "Maximum renewable age (seconds)"
msgstr "Duración máxima renovable (en segundos)"

#: ../../ipalib/plugins/dns.py:131
msgid "DNS"
msgstr "DNS"

#: ../../ipalib/plugins/dns.py:136
msgid "Zone"
msgstr "Zona"

#: ../../ipalib/plugins/dns.py:137
msgid "Zone name (FQDN)"
msgstr "Nombre de la zona (FQDN)"

#: ../../ipalib/plugins/dns.py:143
msgid "Authoritative name server"
msgstr "Servidor de nombres de autoridad"

#: ../../ipalib/plugins/dns.py:147
msgid "administrator e-mail address"
msgstr "dirección de correo electrónico del administrador"

#: ../../ipalib/plugins/dns.py:153
msgid "SOA serial"
msgstr "Serie SOA"

#: ../../ipalib/plugins/dns.py:157
msgid "SOA refresh"
msgstr "Actualizar SOA"

#: ../../ipalib/plugins/dns.py:161
msgid "SOA retry"
msgstr "Reintentar SOA"

#: ../../ipalib/plugins/dns.py:165
msgid "SOA expire"
msgstr "Expirar SOA"

#: ../../ipalib/plugins/dns.py:169
msgid "SOA minimum"
msgstr "Mínimo SOA"

#: ../../ipalib/plugins/dns.py:173
msgid "SOA time to live"
msgstr "Tiempo para abandonar SOA"

#: ../../ipalib/plugins/dns.py:177
msgid "SOA class"
msgstr "Clase SOA"

#: ../../ipalib/plugins/dns.py:182
msgid "allow dynamic update?"
msgstr "¿permitir actualización dinámica?"

#: ../../ipalib/plugins/dns.py:186
msgid "BIND update policy"
msgstr "Política de actualización de BIND"

#: ../../ipalib/plugins/dns.py:411
#: ../../ipalib/plugins/dns.py:445
#: ../../ipalib/plugins/dns.py:480
#: ../../ipalib/plugins/dns.py:595
#: ../../ipalib/plugins/dns.py:680
#: ../../ipalib/plugins/dns.py:804
msgid "Zone name"
msgstr "Nombre de la zona"

#: ../../ipalib/plugins/dns.py:485
msgid "resource name"
msgstr "nombre del recurso"

#: ../../ipalib/plugins/dns.py:490
#: ../../ipalib/plugins/dns.py:605
#: ../../ipalib/plugins/dns.py:696
msgid "Record type"
msgstr "Tipo de registro"

#: ../../ipalib/plugins/dns.py:494
#: ../../ipalib/plugins/dns.py:609
msgid "Data"
msgstr "Datos"

#: ../../ipalib/plugins/dns.py:495
#: ../../ipalib/plugins/dns.py:610
msgid "Type-specific data"
msgstr "Datos de tipo específico"

#: ../../ipalib/plugins/dns.py:502
msgid "Time to live"
msgstr "Tiempo para abandonar"

#: ../../ipalib/plugins/dns.py:507
msgid "Class"
msgstr "Clase"

#: ../../ipalib/plugins/dns.py:600
#: ../../ipalib/plugins/dns.py:692
#: ../../ipalib/plugins/dns.py:809
msgid "Resource name"
msgstr "Nombre del recurso"

#: ../../ipalib/plugins/dns.py:685
msgid "Search criteria"
msgstr "Criterio de búsqueda"

#: ../../ipalib/plugins/dns.py:700
msgid "type-specific data"
msgstr "datos de tipo específico"

#: ../../ipalib/plugins/dns.py:850
#, python-format
msgid "Found '%(value)s'"
msgstr "Ha sido encontrado '%(value)s'"

#: ../../ipalib/plugins/dns.py:854
msgid "Hostname"
msgstr "Nombre del equipo anfitrión"

#: ../../ipalib/plugins/dns.py:867
#, python-format
msgid "Host '%(host)s' not found"
msgstr "No ha sido encontrado el equipo anfitrión '%(host)s' "

#: ../../ipalib/plugins/automount.py:108
msgid "Automount location name"
msgstr "Nombre de la ubicación de automontaje"

#: ../../ipalib/plugins/automount.py:224
msgid "Map"
msgstr "Mapeo"

#: ../../ipalib/plugins/automount.py:225
msgid "Automount map name"
msgstr "Nombre de mapeo de automontaje"

#: ../../ipalib/plugins/automount.py:234
msgid "Automount Maps"
msgstr "Mapeos de automontaje"

#: ../../ipalib/plugins/automount.py:306
msgid "Key"
msgstr "Llave"

#: ../../ipalib/plugins/automount.py:307
msgid "Automount key name"
msgstr "Nombre de llave de automontaje"

#: ../../ipalib/plugins/automount.py:312
msgid "Mount information"
msgstr "Información de montaje"

#: ../../ipalib/plugins/automount.py:316
msgid "description"
msgstr "descripción"

#: ../../ipalib/plugins/automount.py:320
msgid "Automount Keys"
msgstr "Llaves de automontaje"

#: ../../ipalib/plugins/automount.py:340
msgid "Mount point"
msgstr "Punto de montaje"

#: ../../ipalib/plugins/automount.py:344
msgid "Parent map"
msgstr "Mapeo del padre"

#: ../../ipalib/plugins/automount.py:345
msgid "Name of parent automount map (default: auto.master)"
msgstr "Nombre del mapeo del automontaje padre (predeterminado: auto.master)"

#: ../../ipalib/plugins/netgroup.py:57
msgid "Member Host"
msgstr "Miembro del equipo anfitrión"

#: ../../ipalib/plugins/netgroup.py:63
msgid "External host"
msgstr "Equipo externo"

#: ../../ipalib/plugins/netgroup.py:85
msgid "Net Groups"
msgstr "Grupos de red"

#: ../../ipalib/plugins/netgroup.py:90
msgid "Netgroup name"
msgstr "Nombre de grupo de red"

#: ../../ipalib/plugins/netgroup.py:97
msgid "Netgroup description"
msgstr "Descripción del grupo de red"

#: ../../ipalib/plugins/netgroup.py:101
msgid "NIS domain name"
msgstr "Nombre del dominio NIS"

#: ../../ipalib/plugins/netgroup.py:106
msgid "IPA unique ID"
msgstr "ID unico de IPA"

#: ../../ipalib/plugins/misc.py:38
#, python-format
msgid "%(count)d variables"
msgstr "%(count)d variables"

#: ../../ipalib/plugins/misc.py:61
msgid "Total number of variables env (>= count)"
msgstr "Cantidad total de variables env (>= count)"

#: ../../ipalib/plugins/misc.py:66
msgid "Number of variables returned (<= total)"
msgstr "Cantidad de variables devueltas (<= total)"

#: ../../ipalib/plugins/misc.py:109
#, python-format
msgid "%(count)d plugin loaded"
msgid_plural "%(count)d plugins loaded"
msgstr[0] "%(count)d complemento cargado"
msgstr[1] "%(count)d complementos cargados"

#: ../../ipalib/plugins/misc.py:116
msgid "Number of plugins loaded"
msgstr "Cantidad de complementos cargados"

#: ../../ipalib/plugins/user.py:84
msgid "User login"
msgstr "Ingreso de usuario"

#: ../../ipalib/plugins/user.py:91
msgid "First name"
msgstr "Nombre"

#: ../../ipalib/plugins/user.py:95
msgid "Last name"
msgstr "Apellido"

#: ../../ipalib/plugins/user.py:103
msgid "GECOS field"
msgstr "Campo GECOS"

#: ../../ipalib/plugins/user.py:109
msgid "Login shell"
msgstr "Shel de ingreso"

#: ../../ipalib/plugins/user.py:114
msgid "Kerberos principal"
msgstr "Principal kerberos"

#: ../../ipalib/plugins/user.py:120
msgid "Email address"
msgstr "Dirección de correo electrónico"

#: ../../ipalib/plugins/user.py:124
msgid "Password"
msgstr "Contraseña"

#: ../../ipalib/plugins/user.py:125
msgid "Set the user password"
msgstr "Definir la contraseña de usuario"

#: ../../ipalib/plugins/user.py:132
msgid "UID"
msgstr "UID"

#: ../../ipalib/plugins/user.py:133
msgid "User ID Number (system will assign one if not provided)"
msgstr "Número de ID de usuario (el sistema le asignará uno si no se indica ninguno)"

#: ../../ipalib/plugins/user.py:139
msgid "Street address"
msgstr "Dirección postal"

#: ../../ipalib/plugins/user.py:142
msgid "Groups"
msgstr "Grupos"

#: ../../ipalib/plugins/user.py:146
msgid "Netgroups"
msgstr "Grupos de red"

#: ../../ipalib/plugins/user.py:150
msgid "Rolegroups"
msgstr "Grupos de funciones"

#: ../../ipalib/plugins/user.py:154
msgid "Taskgroups"
msgstr "Grupos de tareas"

#: ../../ipalib/plugins/user.py:167
#, python-format
msgid "Added user \"%(value)s\""
msgstr "Ha sido agregado el usuario \"%(value)s\""

#: ../../ipalib/plugins/user.py:216
#, python-format
msgid "Deleted user \"%(value)s\""
msgstr "Ha sido eliminado el usuario \"%(value)s\""

#: ../../ipalib/plugins/user.py:235
#, python-format
msgid "Modified user \"%(value)s\""
msgstr "Ha sido modificado el usuario \"%(value)s\""

#: ../../ipalib/plugins/user.py:247
msgid "Self"
msgstr "Self"

#: ../../ipalib/plugins/user.py:248
msgid "Display user record for current Kerberos principal"
msgstr "Muestra el registro del usuario para el principal de Kerberos actual"

#: ../../ipalib/plugins/user.py:258
#, python-format
msgid "%(count)d user matched"
msgid_plural "%(count)d users matched"
msgstr[0] "%(count)d usuario coincidente"
msgstr[1] "%(count)d usuarios coincidentes"

#: ../../ipalib/plugins/user.py:278
#, python-format
msgid "Locked user \"%(value)s\""
msgstr "Ha sido bloqueado el usuario \"%(value)s\""

#: ../../ipalib/plugins/user.py:304
#, python-format
msgid "Unlocked user \"%(value)s\""
msgstr "Ha sido desbloqueado el usuario \"%(value)s\""

#: ../../ipalib/plugins/taskgroup.py:51
msgid "Task Groups"
msgstr "Grupos de tareas"

#: ../../ipalib/plugins/taskgroup.py:56
msgid "Task-group name"
msgstr "Nombre de grupos de tareas"

#: ../../ipalib/plugins/taskgroup.py:63
msgid "Task-group description"
msgstr "Descrición del grupo de tareas"

#: ../../ipalib/plugins/taskgroup.py:74
msgid "Member role-groups"
msgstr "Grupos de función miembro"

#: ../../ipalib/plugins/taskgroup.py:87
#, python-format
msgid "Added taskgroup \"%(value)s\""
msgstr "Ha sido agregado el grupo de tareas \"%(value)s\""

#: ../../ipalib/plugins/taskgroup.py:97
#, python-format
msgid "Deleted taskgroup \"%(value)s\""
msgstr "Ha sido eliminado el grupo de tareas \"%(value)s\""

#: ../../ipalib/plugins/taskgroup.py:107
#, python-format
msgid "Modified taskgroup \"%(value)s\""
msgstr "Ha sido modificado el grupo de tareas \"%(value)s\""

#: ../../ipalib/plugins/taskgroup.py:118
#, python-format
msgid "%(count)d taskgroup matched"
msgid_plural "%(count)d taskgroups matched"
msgstr[0] "%(count)d grupo de tarea coincidente"
msgstr[1] "%(count)d grupos de tarea coincidentes"

#: ../../ipalib/plugins/hostgroup.py:74
msgid "Host-group"
msgstr "Grupo de equipo"

#: ../../ipalib/plugins/hostgroup.py:75
msgid "Name of host-group"
msgstr "Nombre del grupo de equipo"

#: ../../ipalib/plugins/hostgroup.py:82
msgid "A description of this host-group"
msgstr "Una descripción de este grupo de equipo"

#: ../../ipalib/plugins/hostgroup.py:85
msgid "Member hosts"
msgstr "Equipos miembro"

#: ../../ipalib/plugins/hostgroup.py:89
msgid "Member host-groups"
msgstr "Grupos de equipo miembro"

#: ../../ipalib/plugins/hostgroup.py:106
#, python-format
msgid "Added hostgroup \"%(value)s\""
msgstr "Ha sido agregado el grupo de equipo \"%(value)s\""

#: ../../ipalib/plugins/hostgroup.py:116
#, python-format
msgid "Deleted hostgroup \"%(value)s\""
msgstr "Ha sido eliminado el grupo de equipo \"%(value)s\""

#: ../../ipalib/plugins/hostgroup.py:126
#, python-format
msgid "Modified hostgroup \"%(value)s\""
msgstr "Ha sido modificado el grupo de equipo \"%(value)s\""

#: ../../ipalib/plugins/hostgroup.py:137
#, python-format
msgid "%(count)d hostgroup matched"
msgid_plural "%(count)d hostgroups matched"
msgstr[0] "%(count)d grupo de equipos coincidente"
msgstr[1] "%(count)d grupos de equipos coincidentes"

#: ../../ipalib/plugins/pwpolicy.py:84
#, python-format
msgid "priority must be a unique value (%(prio)d already used by %(gname)s)"
msgstr "la prioridad debe ser un valor único (%(prio)d que ya está siendo utilizado por %(gname)s)"

#: ../../ipalib/plugins/pwpolicy.py:173
msgid "Group"
msgstr "Grupo"

#: ../../ipalib/plugins/pwpolicy.py:174
msgid "Manage password policy for specific group"
msgstr "Administra la política de contraseña de un grupo específico"

#: ../../ipalib/plugins/pwpolicy.py:179
msgid "Max lifetime (days)"
msgstr "Vida máxima (días)"

#: ../../ipalib/plugins/pwpolicy.py:180
msgid "Maximum password lifetime (in days)"
msgstr "Vida máxima de la contraseña (días)"

#: ../../ipalib/plugins/pwpolicy.py:185
msgid "Min lifetime (hours)"
msgstr "Vida mínima (horas)"

#: ../../ipalib/plugins/pwpolicy.py:186
msgid "Minimum password lifetime (in hours)"
msgstr "Vida mínima de la contraseña (en horas)"

#: ../../ipalib/plugins/pwpolicy.py:191
msgid "History size"
msgstr "Tamaño del historial"

#: ../../ipalib/plugins/pwpolicy.py:192
msgid "Password history size"
msgstr "Tamaño del historial de la contraseña"

#: ../../ipalib/plugins/pwpolicy.py:197
msgid "Character classes"
msgstr "Clases de caracteres"

#: ../../ipalib/plugins/pwpolicy.py:198
msgid "Minimum number of character classes"
msgstr "Cantidad mínima de clases de caracteres"

#: ../../ipalib/plugins/pwpolicy.py:204
msgid "Min length"
msgstr "Longitud mínima"

#: ../../ipalib/plugins/pwpolicy.py:205
msgid "Minimum length of password"
msgstr "Longitud mínima de la contraseña"

#: ../../ipalib/plugins/pwpolicy.py:210
msgid "Priority"
msgstr "Prioridad"

#: ../../ipalib/plugins/pwpolicy.py:211
msgid "Priority of the policy (higher number means lower priority"
msgstr "Prioridad de la política (a mayor número corresponde una política menor)"

#: ../../ipalib/plugins/pwpolicy.py:263
msgid "Maximum password life must be greater than minimum."
msgstr "La duración máxima de la contraseña debe ser mayor que la mínima."

#: ../../ipalib/plugins/pwpolicy.py:326 msgid "priority cannot be set on global policy" msgstr "la prioridad no puede ser definida en una pl?tica global" #: ../../ipalib/plugins/pwpolicy.py:365 msgid "User" msgstr "Usuario" #: ../../ipalib/plugins/pwpolicy.py:366 msgid "Display effective policy for a specific user" msgstr "Ofrece la pol?tica efectiva para un determinado usuario" #: ../../ipalib/plugins/internal.py:39 msgid "Logged In As" msgstr "Registrado como" #: ../../ipalib/plugins/internal.py:41 msgid "Add" msgstr "Agregar" #: ../../ipalib/plugins/internal.py:42 msgid "Find" msgstr "Buscar" #: ../../ipalib/plugins/internal.py:43 msgid "Reset" msgstr "Resetear" #: ../../ipalib/plugins/internal.py:44 msgid "Update" msgstr "Actualizar" #: ../../ipalib/plugins/internal.py:45 msgid "Enroll" msgstr "Registro" #: ../../ipalib/plugins/internal.py:48 msgid "Quick Links" msgstr "Enlaces r?pidos" #: ../../ipalib/plugins/internal.py:51 msgid "Identity Details" msgstr "Detalles de la identidad" #: ../../ipalib/plugins/internal.py:52 msgid "Account Details" msgstr "Detalles de la cuenta" #: ../../ipalib/plugins/internal.py:53 msgid "Contact Details" msgstr "Detalles del contacto" #: ../../ipalib/plugins/internal.py:54 msgid "Mailing Address" msgstr "Direcci?n de correo" #: ../../ipalib/plugins/internal.py:55 msgid " Employee Information" msgstr " Datos del empleador" #: ../../ipalib/plugins/internal.py:56 msgid "Misc. 
Information" msgstr "Informaci?n diversa" #: ../../ipalib/plugins/internal.py:57 msgid "Back to Top" msgstr "Volver al comienzo" #: ../../ipalib/plugins/internal.py:62 msgid "Name of object to export" msgstr "Nombre del objeto a exportar" #: ../../ipalib/plugins/internal.py:67 msgid "Dict of JSON encoded IPA Objects" msgstr "El dict de JSON ha codificado objetos IPA" #: ../../ipalib/plugins/internal.py:68 msgid "Dict of I18N messages" msgstr "Dictado de los mensajes regionales" #: ../../ipaserver/install/certs.py:603 #: ../../ipaserver/plugins/dogtag.py:1313 #: ../../ipaserver/plugins/dogtag.py:1398 #: ../../ipaserver/plugins/dogtag.py:1463 #: ../../ipaserver/plugins/dogtag.py:1543 #: ../../ipaserver/plugins/dogtag.py:1602 #, python-format msgid "Unable to communicate with CMS (%s)" msgstr "No es posible comunicarse con CMS (%s)" #: ../../ipaserver/plugins/selfsign.py:97 #, python-format msgid "Request subject \"%(request_subject)s\" does not match the form \"%(subject_base)s\"" msgstr "El asunto solicitado \"%(request_subject)s\" no coincide con la forma \"%(subject_base)s\"" #: ../../ipaserver/plugins/selfsign.py:102 #, python-format msgid "unable to decode csr: %s" msgstr "no es posible decodificar csr: %s" #: ../../ipaserver/plugins/selfsign.py:123 #: ../../ipaserver/plugins/selfsign.py:138 msgid "file operation" msgstr "operaci?n de archivo" #: ../../ipaserver/plugins/selfsign.py:152 msgid "cannot obtain next serial number" msgstr "no es posible obtener el pr?ximo n?mero de serie" #: ../../ipaserver/plugins/selfsign.py:187 msgid "certutil failure" msgstr "falla de certutil" #: ../../ipaserver/plugins/join.py:54 msgid "The hostname to register as" msgstr "El nombre del equipo a ser registrado como" #: ../../ipaserver/plugins/join.py:62 msgid "The IPA realm" msgstr "El reinado IPA" #: ../../ipaserver/plugins/join.py:68 msgid "Hardware platform of the host (e.g. Lenovo T61)" msgstr "Plataforma de hardware del equipo (p. ej. 
Lenovo T61)" #: ../../ipaserver/plugins/join.py:72 msgid "Operating System and version of the host (e.g. Fedora 9)" msgstr "Sistema operativo que utiliza el equipo y versi?n (p.ej. Fedora 9)" #~ msgid "Service name" #~ msgstr "Nombre del servicio" #~ msgid "Name of service the rule applies to (e.g. ssh)" #~ msgstr "Nombre del servicio al que se aplica la regla (p.ej. ssh)" #~ msgid "Unable to decode certificate in entry" #~ msgstr "No es posible decodificar el certificado en la entrada" #~ msgid "UID (use this option to set it manually)" #~ msgstr "UID (utilice esta opci?n para definir manualmente)" #~ msgid "Added policy for group \"%(value)s\"" #~ msgstr "Ha sido agregada pol?tica para el grupo \"%(value)s\"" #~ msgid "Group to set policy for" #~ msgstr "Grupo al que definir la pol?tica" #~ msgid "Modified policy for group \"%(value)s\"" #~ msgstr "Ha sido modificada la pol?tica para grupo \"%(value)s\"" #~ msgid "Deleted policy for group \"%(value)s\"" #~ msgstr "Ha sido eliminada la pol?tica para el grupo \"%(value)s\"" #~ msgid "Group to remove policy from" #~ msgstr "Grupo desde donde eliminar la pol?tica" #~ msgid "Group to display policy" #~ msgstr "Grupo al que mostrar la pol?tica" #~ msgid "Display policy applied to a given user" #~ msgstr "Mostrar la pol?tica aplicada a un usuario determinado" From edewata at redhat.com Sat Oct 2 03:31:27 2010 
From: edewata at redhat.com (Endi Sukma Dewata)
Date: Fri, 1 Oct 2010 23:31:27 -0400 (EDT)
Subject: [Freeipa-devel] [PATCH] Entity association configuration.
In-Reply-To: <644008411.929631285990221065.JavaMail.root@zmail05.collab.prod.int.phx2.redhat.com>
Message-ID: <1265749950.929651285990287972.JavaMail.root@zmail05.collab.prod.int.phx2.redhat.com>

Hi,

Please review the attached patch. Thanks!

The ipa_entity_set_association_definition() has been added to configure
the association between 2 entities. By default the associator is
BulkAssociator and the method is add_member. The entities have been
updated to use the right configurations.

The ipa_cmd() has been modified to detect IPA errors and invoke the
error handler.

A bug in refresh_on_success() has been fixed as well.

--
Endi S. Dewata
-------------- next part --------------
A non-text attachment was scrubbed...
Name: edewata-freeipa-0015-Entity-association-configuration.patch
Type: text/x-patch
Size: 11643 bytes
Desc: not available
URL:

From ayoung at redhat.com Sat Oct 2 22:49:27 2010
From: ayoung at redhat.com (Adam Young)
Date: Sat, 02 Oct 2010 18:49:27 -0400
Subject: [Freeipa-devel] [PATCH] Entity association configuration.
In-Reply-To: <1265749950.929651285990287972.JavaMail.root@zmail05.collab.prod.int.phx2.redhat.com>
References: <1265749950.929651285990287972.JavaMail.root@zmail05.collab.prod.int.phx2.redhat.com>
Message-ID: <4CA7B6F7.10304@redhat.com>

On 10/01/2010 11:31 PM, Endi Sukma Dewata wrote:
> Hi,
>
> Please review the attached patch. Thanks!
>
> The ipa_entity_set_association_definition() has been added to configure
> the association between 2 entities. By default the associator is
> BulkAssociator and the method is add_member. The entities have been
> updated to use the right configurations.
>
> The ipa_cmd() has been modified to detect IPA errors and invoke the
> error handler.
>
> A bug in refresh_on_success() has been fixed as well.
>
> --
> Endi S. Dewata

ACK

From ayoung at redhat.com Sat Oct 2 22:50:08 2010
From: ayoung at redhat.com (Adam Young)
Date: Sat, 02 Oct 2010 18:50:08 -0400
Subject: [Freeipa-devel] [PATCH] Entity association configuration.
In-Reply-To: <1265749950.929651285990287972.JavaMail.root@zmail05.collab.prod.int.phx2.redhat.com>
References: <1265749950.929651285990287972.JavaMail.root@zmail05.collab.prod.int.phx2.redhat.com>
Message-ID: <4CA7B720.6000507@redhat.com>

On 10/01/2010 11:31 PM, Endi Sukma Dewata wrote:
> Hi,
>
> Please review the attached patch. Thanks!
>
> The ipa_entity_set_association_definition() has been added to configure
> the association between 2 entities. By default the associator is
> BulkAssociator and the method is add_member. The entities have been
> updated to use the right configurations.
>
> The ipa_cmd() has been modified to detect IPA errors and invoke the
> error handler.
>
> A bug in refresh_on_success() has been fixed as well.
>
> --
> Endi S. Dewata

Pushed to master

From dpal at redhat.com Sun Oct 3 17:13:00 2010
From: dpal at redhat.com (Dmitri Pal)
Date: Sun, 03 Oct 2010 13:13:00 -0400
Subject: [Freeipa-devel] Sudo Schema Bug/Feature
In-Reply-To: <4CA50E87.409@redhat.com>
References: <416EC0FB-8D70-4A5D-8A5C-FBBEA54C91B1@citrixonline.com> <20100930163731.GS3002@localhost.localdomain> <421210A9-CAD8-430A-885A-546F467F0DE7@citrixonline.com> <4CA50E87.409@redhat.com>
Message-ID: <4CA8B99C.6000501@redhat.com>

Dmitri Pal wrote:
>> How do we adjust FreeIPA such that it ensures Deny-IPASudoRules precede any Allow-IPASudoRules?
>>
> So it looks like current schema would not fly well with SUDO due to SUDO
> bug/feature. SUDO will match just any first rule that satisfies the
> user-host-command combination but we can't guarantee that rules come in
> the same order. So there is a possibility that allow rule will come
> before deny rule in our case and will be matched.
> It is unfortunate and should be fixed by SUDO. In the meantime we need to
> alter the schema to be able to express allowed and not allowed commands
> in one rule.
> It will be up to the admin to know the limitations of SUDO based on the
> documentation we provide and construct the rules in a non contradicting
> way. We might be able to add some nice checks in future.
>
> So here is current schema:
>
> objectClasses: (2.16.840.1.113730.3.8.8.TBD
>   NAME 'ipaSudoRule'
>   SUP ipaAssociation
>   STRUCTURAL
>   MUST accessRuleType
>   MAY ( externalUser $
>   externalHost $ hostMask $
>   memberCmd $ cmdCategory $
>   ipaSudoOpt $
>   ipaSudoRunAs $ ipaSudoRunAsExtUser $ ipaSudoRunAsUserCategory $
>   ipaSudoRunAsGroup $ ipaSudoRunAsExtGroup $ ipaSudoRunAsGroupCategory )
>   X-ORIGIN 'IPA v2' )
>
> We will:
> * Remove accessRuleType
> * Add memberNotCmd same as memberCmd
>
> attributeTypes: (2.16.840.1.113730.3.8.7.TBD
>   NAME 'memberNotCmd'
>   DESC 'Reference to a command or group of the commands that is not allowed.'
>   SUP distinguishedName
>   EQUALITY distinguishedNameMatch
>   ORDERING distinguishedNameMatch
>   SUBSTR distinguishedNameMatch
>   SYNTAX 1.3.6.1.4.1.1466.115.121.1.12
>   X-ORIGIN 'IPA v2' )
>
> The logic then will be:
> * If no memberCmd, memberNotCmd or cmdCategory attribute is specified -
>   no command is allowed
> * If cmdCategory is specified (only value is "all") all other attributes
>   are ignored and all commands are allowed
> * If cmdCategory is not specified
>     * If memberCmd is specified it defines commands or groups of the
>       commands that are allowed
>     * If memberNotCmd is specified it defines commands or groups of the
>       commands that are not allowed
>   Both attributes are allowed at the same time defining allowed and
>   not allowed commands within the same rule.
>
> This does not solve the problem fully but at least gets us into the same
> boat as current SUDO schema.
>
> Comments welcome!
> If there are no objections by end of Friday I will craft a patch over
> the weekend.
>
> Thanks
> Dmitri
>

I updated the wiki and implemented the change. Patch is attached.

--
Thank you,
Dmitri Pal

Engineering Manager IPA project,
Red Hat Inc.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0001--SUDO-Allow-and-deny-commands-in-one-rule.patch
Type: text/x-patch
Size: 8626 bytes
Desc: not available
URL:

From ayoung at redhat.com Mon Oct 4 01:53:08 2010
From: ayoung at redhat.com (Adam Young)
Date: Sun, 03 Oct 2010 21:53:08 -0400
Subject: [Freeipa-devel] Updated DNS Prototype
Message-ID: <4CA93384.50802@redhat.com>

Based on my discussion with Ben last week, and lots of reflection, I've
redone a fragment of the DNS prototype:

http://admiyo.fedorapeople.org/ipa/jquery.ui/

A couple points:

We are going to have a lot of Records in the normal case. Records really
need their own page. Unlike Phone numbers, records have their own API
call, and shoehorning it into the details infrastructure leads to a
weird disconnect. When someone changes a record or records, that stands
alone from the zone details. Phone numbers are a portion of the user
details. The commits happen at a different time for DNS, whereas the
commit happens at the same time for the user case.

It is unlikely that someone will want to move records from say a type A
to type AAAA, but not impossible. The ui to do that is a little clunky,
so I figured I'd include it if only to make sure we discussed it.

There are many types of records that we support but that are not likely
to be used in a live situation. Ben suggested that we have a show/hide
mechanism, and the types that are unused would just be hidden. I haven't
wired this up in the prototype, but the screen controls are there. Also,
at the top of the page, the non hidden types would act as a way to jump
directly to the record type. This kind of hypertext navigation is what
Tabs is supposed to support and make easy. Perhaps it would make more
sense to have one tab per supported record type.

Last of all, I've put both PTR and A records on the page. This is an
unnatural match: they would normally be in different zones. I'm not sure
if there is an implicit relationship between the forward and reverse
zones that we would somehow want to represent...For now I will assume
'no' but let's make that an explicit decision.

From ayoung at redhat.com Mon Oct 4 02:03:31 2010
From: ayoung at redhat.com (Adam Young)
Date: Sun, 03 Oct 2010 22:03:31 -0400
Subject: [Freeipa-devel] Icon Development
Message-ID: <4CA935F3.9030503@redhat.com>

I got tripped up recently on the similarity between the singular and
plural versions of the icons: I saw hosts and host groups side by side
and thought I was looking at duplicates. I thought I'd take a stab at
revising our visual language in reference to singular, plural, and
nesting of objects. I've posted my design here. I couldn't find the
original images that Kyle used, so please don't laugh too hard at my
hand drawn version here. They are not intended to be final cuts, but
rather just demos.

http://admiyo.fedorapeople.org/ipa/svg-icons/

Singular is basically unchanged. We use the same icon for user as we
did before

Plural (Group, host group) is the singular arranged in a circle. Note
that netgroups incorporates both user and hosts i

Enrollment of a singular into a plural is shown by an arrow moving into
the circle

Nesting of one plural inside another plural can be shown in one of three
alternatives:

Two circles coming together. I've drawn it both with and without the
user that would appear at the intersection of the two groups. I think
that with the user is clearer

I've done a version which is just a simple box around the outside edge
of the icon. While more abstract, this motif will hopefully jump out
more to the eye.

At the bottom of the page I've included some of the svg files that I
used to draw these. I'm sure we can come up with better than this, but
to make the discussion collaborative, we'll need to use assets that we
can share.

From pere at hungry.com Mon Oct 4 11:38:44 2010
From: pere at hungry.com (Petter Reinholdtsen)
Date: Mon, 04 Oct 2010 13:38:44 +0200
Subject: [Freeipa-devel] Handling nested netgroups (looking for recommendations)
References: <4CA23122.7050908@redhat.com>
Message-ID: <2fl1v86xk57.fsf@login1.uio.no>

[Jeff Schroeder]
> Not for the sake of being argumentative, but for the sake of
> completeness, why do you want to change the semantics of what an
> admin would expect? Especially when most people using sssd are
> former pam_ldap users and expect things like netgroups to work a
> certain way? While not disagreeing, I'm just curious as to the
> reasoning.

We use netgroups in NIS and LDAP here at the University of Oslo, and we
expect netgroups to behave as they always have, no matter the supplier
(nis, ldap or sss :). I use netgroups in /etc/netgroups when I need to
debug stuff, to be able to quickly change their values before pushing
the final version into our admin too (which is used to populate NIS and
LDAP).

So to me, it would be a surprise if /etc/nsswitch.conf was ignored when
it comes to netgroup sources and glibc was not the one in charge of
expanding recursive netgroups.

If I did not want to consult local files, I would list 'netgroup: sss'
instead of 'netgroup files sss' in nsswitch.conf. :)

Happy hacking,
--
Petter Reinholdtsen

From edewata at redhat.com Mon Oct 4 18:02:44 2010
From: edewata at redhat.com (Endi Sukma Dewata)
Date: Mon, 4 Oct 2010 14:02:44 -0400 (EDT)
Subject: [Freeipa-devel] [PATCH] Tooltips for quick links.
In-Reply-To: <374372701.1033821286215336287.JavaMail.root@zmail05.collab.prod.int.phx2.redhat.com>
Message-ID: <1722508816.1033891286215364490.JavaMail.root@zmail05.collab.prod.int.phx2.redhat.com>

Hi,

Please review the attached patch. Thanks!

The ipa_entity_quick_links() has been modified to show tooltips when
hovering on quick links.

--
Endi S. Dewata
-------------- next part --------------
A non-text attachment was scrubbed...
Name: edewata-freeipa-0016-Tooltips-for-quick-links.patch
Type: text/x-patch
Size: 1283 bytes
Desc: not available
URL:

From ayoung at redhat.com Mon Oct 4 18:16:04 2010
From: ayoung at redhat.com (Adam Young)
Date: Mon, 04 Oct 2010 14:16:04 -0400
Subject: [Freeipa-devel] [PATCH] Tooltips for quick links.
In-Reply-To: <1722508816.1033891286215364490.JavaMail.root@zmail05.collab.prod.int.phx2.redhat.com>
References: <1722508816.1033891286215364490.JavaMail.root@zmail05.collab.prod.int.phx2.redhat.com>
Message-ID: <4CAA19E4.4030208@redhat.com>

On 10/04/2010 02:02 PM, Endi Sukma Dewata wrote:
> Hi,
>
> Please review the attached patch. Thanks!
>
> The ipa_entity_quick_links() has been modified to show tooltips when
> hovering on quick links.
>
> --
> Endi S. Dewata

ACK

From edewata at redhat.com Mon Oct 4 18:53:37 2010
From: edewata at redhat.com (Endi Sukma Dewata)
Date: Mon, 4 Oct 2010 14:53:37 -0400 (EDT)
Subject: [Freeipa-devel] [PATCH] Tooltips for quick links.
In-Reply-To: <4CAA19E4.4030208@redhat.com>
Message-ID: <774800078.1040971286218417046.JavaMail.root@zmail05.collab.prod.int.phx2.redhat.com>

----- "Adam Young" wrote:
> ACK

Thanks. Pushed to master.

--
Endi S. Dewata

From ssorce at redhat.com Mon Oct 4 20:07:04 2010
From: ssorce at redhat.com (Simo Sorce)
Date: Mon, 4 Oct 2010 16:07:04 -0400
Subject: [Freeipa-devel] [PATCH] Fix 14 char limit with NT hash
Message-ID: <20101004160704.7a8b985d@willson.li.ssimo.org>

This patch fixes bz#475051/trac#223

Simo.

--
Simo Sorce * Red Hat, Inc * New York
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0001-pwd-plugin-Remove-14-chars-limitation-from-the-NT-ha.patch
Type: text/x-patch
Size: 979 bytes
Desc: not available
URL:

From ssorce at redhat.com Mon Oct 4 20:08:29 2010
From: ssorce at redhat.com (Simo Sorce)
Date: Mon, 4 Oct 2010 16:08:29 -0400
Subject: [Freeipa-devel] [PATCH] Cosmetic fixes
Message-ID: <20101004160829.538f92ae@willson.li.ssimo.org>

Cosmetic changes to fix code style and LDAP attribute descriptions.

--
Simo Sorce * Red Hat, Inc * New York
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0002-pwd-plugin-format-style-changes.patch
Type: text/x-patch
Size: 8336 bytes
Desc: not available
URL:
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0003-Fix-descriptions.patch
Type: text/x-patch
Size: 3767 bytes
Desc: not available
URL:

From ssorce at redhat.com Mon Oct 4 20:10:10 2010
From: ssorce at redhat.com (Simo Sorce)
Date: Mon, 4 Oct 2010 16:10:10 -0400
Subject: [Freeipa-devel] [PATCH] Improve NTLM hash generation configuration
Message-ID: <20101004161010.513f06d5@willson.li.ssimo.org>

Long overdue, fix TODOs in the code.

With this patch it is now possible to configure the password plugin so
that only certain types of NTLM hashes are created for Samba objects.

Simo.

--
Simo Sorce * Red Hat, Inc * New York
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0004-Add-Generic-config-class.patch
Type: text/x-patch
Size: 2255 bytes
Desc: not available
URL:
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0005-Add-options-to-control-NTLM-hashes.patch
Type: text/x-patch
Size: 7708 bytes
Desc: not available
URL:

From ssorce at redhat.com Mon Oct 4 20:10:50 2010
From: ssorce at redhat.com (Simo Sorce)
Date: Mon, 4 Oct 2010 16:10:50 -0400
Subject: [Freeipa-devel] [PATCH] more style fixes
Message-ID: <20101004161050.42f555e0@willson.li.ssimo.org>

fix style in some more code. purely cosmetic again.

Simo.

--
Simo Sorce * Red Hat, Inc * New York
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0006-Fix-ipapwd_start-style.patch
Type: text/x-patch
Size: 5349 bytes
Desc: not available
URL:

From ayoung at redhat.com Mon Oct 4 20:23:01 2010
From: ayoung at redhat.com (Adam Young)
Date: Mon, 04 Oct 2010 16:23:01 -0400
Subject: [Freeipa-devel] [PATCH] Fix 14 char limit with NT hash
In-Reply-To: <20101004160704.7a8b985d@willson.li.ssimo.org>
References: <20101004160704.7a8b985d@willson.li.ssimo.org>
Message-ID: <4CAA37A5.3020706@redhat.com>

On 10/04/2010 04:07 PM, Simo Sorce wrote:
> This patch fixes bz#475051/trac#223
>
> Simo.

ACK

From dpal at redhat.com Mon Oct 4 20:47:03 2010
From: dpal at redhat.com (Dmitri Pal)
Date: Mon, 04 Oct 2010 16:47:03 -0400
Subject: [Freeipa-devel] Sudo Schema Bug/Feature
In-Reply-To: <4CA8B99C.6000501@redhat.com>
References: <416EC0FB-8D70-4A5D-8A5C-FBBEA54C91B1@citrixonline.com> <20100930163731.GS3002@localhost.localdomain> <421210A9-CAD8-430A-885A-546F467F0DE7@citrixonline.com> <4CA50E87.409@redhat.com> <4CA8B99C.6000501@redhat.com>
Message-ID: <4CAA3D47.6050604@redhat.com>

Dmitri Pal wrote:
> Dmitri Pal wrote:
>
>>> How do we adjust FreeIPA such that it ensures Deny-IPASudoRules precede any Allow-IPASudoRules?
>>>
>> So it looks like current schema would not fly well with SUDO due to SUDO
>> bug/feature. SUDO will match just any first rule that satisfies the
>> user-host-command combination but we can't guarantee that rules come in
>> the same order. So there is a possibility that allow rule will come
>> before deny rule in our case and will be matched.
>> It is unfortunate and should be fixed by SUDO. In the meantime we need to
>> alter the schema to be able to express allowed and not allowed commands
>> in one rule.
>> It will be up to the admin to know the limitations of SUDO based on the
>> documentation we provide and construct the rules in a non contradicting
>> way. We might be able to add some nice checks in future.
>>
>> So here is current schema:
>>
>> objectClasses: (2.16.840.1.113730.3.8.8.TBD
>>   NAME 'ipaSudoRule'
>>   SUP ipaAssociation
>>   STRUCTURAL
>>   MUST accessRuleType
>>   MAY ( externalUser $
>>   externalHost $ hostMask $
>>   memberCmd $ cmdCategory $
>>   ipaSudoOpt $
>>   ipaSudoRunAs $ ipaSudoRunAsExtUser $ ipaSudoRunAsUserCategory $
>>   ipaSudoRunAsGroup $ ipaSudoRunAsExtGroup $ ipaSudoRunAsGroupCategory )
>>   X-ORIGIN 'IPA v2' )
>>
>> We will:
>> * Remove accessRuleType
>> * Add memberNotCmd same as memberCmd
>>
>> attributeTypes: (2.16.840.1.113730.3.8.7.TBD
>>   NAME 'memberNotCmd'
>>   DESC 'Reference to a command or group of the commands that is not allowed.'
>>   SUP distinguishedName
>>   EQUALITY distinguishedNameMatch
>>   ORDERING distinguishedNameMatch
>>   SUBSTR distinguishedNameMatch
>>   SYNTAX 1.3.6.1.4.1.1466.115.121.1.12
>>   X-ORIGIN 'IPA v2' )
>>
>> The logic then will be:
>> * If no memberCmd, memberNotCmd or cmdCategory attribute is specified -
>>   no command is allowed
>> * If cmdCategory is specified (only value is "all") all other attributes
>>   are ignored and all commands are allowed
>> * If cmdCategory is not specified
>>     * If memberCmd is specified it defines commands or groups of the
>>       commands that are allowed
>>     * If memberNotCmd is specified it defines commands or groups of the
>>       commands that are not allowed
>>   Both attributes are allowed at the same time defining allowed and
>>   not allowed commands within the same rule.
>>
>> This does not solve the problem fully but at least gets us into the same
>> boat as current SUDO schema.
>>
>> Comments welcome!
>> If there are no objections by end of Friday I will craft a patch over
>> the weekend.
>>
>> Thanks
>> Dmitri
>>
>
> I updated the wiki and implemented the change.
> Patch is attached.
>

Rebased patch attached.

--
Thank you,
Dmitri Pal

Engineering Manager IPA project,
Red Hat Inc.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0001--SUDO-Allow-and-deny-commands-in-one-rule.patch
Type: text/x-patch
Size: 8053 bytes
Desc: not available
URL:

From rcritten at redhat.com Mon Oct 4 21:02:27 2010
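Added example, not part of the thread or of the FreeIPA patch: a Python model of the ordering problem and of the per-rule logic listed in the message above. It assumes memberCmd and memberNotCmd are already expanded to command paths, and that a command present in both is denied, which the thread does not specify; all rule names and paths are constructed.

```python
from dataclasses import dataclass
from itertools import permutations
from typing import FrozenSet, Iterable, List, Optional, Set


@dataclass(frozen=True)
class OldRule:
    """Old schema: a rule is allow or deny as a whole (accessRuleType)."""
    name: str
    access_rule_type: str              # "allow" or "deny"
    member_cmd: FrozenSet[str]


@dataclass(frozen=True)
class SudoRule:
    """Proposed schema: allowed and denied commands live in one rule."""
    name: str
    cmd_category: Optional[str] = None  # only defined value is "all"
    member_cmd: FrozenSet[str] = frozenset()
    member_not_cmd: FrozenSet[str] = frozenset()


def first_match(rules: Iterable[OldRule], cmd: str) -> bool:
    """First rule listing the command decides; no matching rule means denied."""
    for rule in rules:
        if cmd in rule.member_cmd:
            return rule.access_rule_type == "allow"
    return False


def outcomes_over_orderings(rules: Iterable[OldRule], cmd: str) -> Set[bool]:
    """Every decision reachable when the directory returns rules in any order."""
    return {first_match(order, cmd) for order in permutations(tuple(rules))}


def rule_allows(rule: SudoRule, cmd: str) -> bool:
    """Evaluate one rule with the logic listed in the message."""
    if rule.cmd_category is None and not rule.member_cmd and not rule.member_not_cmd:
        return False                    # nothing specified: no command allowed
    if rule.cmd_category == "all":
        return True                     # all other attributes are ignored
    if cmd in rule.member_not_cmd:
        return False                    # assumption: deny wins over allow
    return cmd in rule.member_cmd


def lint(rule: SudoRule) -> List[str]:
    """Flag attribute combinations that silently do nothing."""
    findings = []
    if rule.cmd_category == "all" and (rule.member_cmd or rule.member_not_cmd):
        findings.append("cmdCategory=all: memberCmd/memberNotCmd are ignored")
    elif rule.member_not_cmd and not rule.member_cmd:
        findings.append("memberNotCmd without memberCmd: rule allows nothing")
    elif rule.member_cmd and rule.member_cmd <= rule.member_not_cmd:
        findings.append("every memberCmd entry is also in memberNotCmd")
    return findings


# Constructed sample data.
BASH, LESS = "/bin/bash", "/usr/bin/less"
OLD_RULES = (
    OldRule("deny-shell", "deny", frozenset({BASH})),
    OldRule("allow-tools", "allow", frozenset({BASH, LESS})),
)
COMBINED = SudoRule("tools", member_cmd=frozenset({BASH, LESS}),
                    member_not_cmd=frozenset({BASH}))
ALL_WITH_DENY = SudoRule("everything", cmd_category="all",
                         member_not_cmd=frozenset({BASH}))

if __name__ == "__main__":
    print("old schema, bash:", outcomes_over_orderings(OLD_RULES, BASH))
    print("combined rule, bash:", rule_allows(COMBINED, BASH))
    print("combined rule, less:", rule_allows(COMBINED, LESS))
    print("lint:", lint(ALL_WITH_DENY))
```

With separate allow and deny rules the decision for `/bin/bash` depends on the order in which the rules arrive; the single combined rule gives one answer regardless of order.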
From: rcritten at redhat.com (Rob Crittenden)
Date: Mon, 04 Oct 2010 17:02:27 -0400
Subject: [Freeipa-devel] Sudo Schema Bug/Feature
In-Reply-To: <4CAA3D47.6050604@redhat.com>
References: <416EC0FB-8D70-4A5D-8A5C-FBBEA54C91B1@citrixonline.com> <20100930163731.GS3002@localhost.localdomain> <421210A9-CAD8-430A-885A-546F467F0DE7@citrixonline.com> <4CA50E87.409@redhat.com> <4CA8B99C.6000501@redhat.com> <4CAA3D47.6050604@redhat.com>
Message-ID: <4CAA40E3.1030102@redhat.com>

Dmitri Pal wrote:
> Dmitri Pal wrote:
>> Dmitri Pal wrote:
>>
>>>> How do we adjust FreeIPA such that it ensures Deny-IPASudoRules precede any Allow-IPASudoRules?
>>>>
>>> So it looks like current schema would not fly well with SUDO due to SUDO
>>> bug/feature. SUDO will match just any first rule that satisfies the
>>> user-host-command combination but we can't guarantee that rules come in
>>> the same order. So there is a possibility that allow rule will come
>>> before deny rule in our case and will be matched.
>>> It is unfortunate and should be fixed by SUDO. In the meantime we need to
>>> alter the schema to be able to express allowed and not allowed commands
>>> in one rule.
>>> It will be up to the admin to know the limitations of SUDO based on the
>>> documentation we provide and construct the rules in a non contradicting
>>> way. We might be able to add some nice checks in future.
>>>
>>> So here is current schema:
>>>
>>> objectClasses: (2.16.840.1.113730.3.8.8.TBD
>>>   NAME 'ipaSudoRule'
>>>   SUP ipaAssociation
>>>   STRUCTURAL
>>>   MUST accessRuleType
>>>   MAY ( externalUser $
>>>   externalHost $ hostMask $
>>>   memberCmd $ cmdCategory $
>>>   ipaSudoOpt $
>>>   ipaSudoRunAs $ ipaSudoRunAsExtUser $ ipaSudoRunAsUserCategory $
>>>   ipaSudoRunAsGroup $ ipaSudoRunAsExtGroup $ ipaSudoRunAsGroupCategory )
>>>   X-ORIGIN 'IPA v2' )
>>>
>>> We will:
>>> * Remove accessRuleType
>>> * Add memberNotCmd same as memberCmd
>>>
>>> attributeTypes: (2.16.840.1.113730.3.8.7.TBD
>>>   NAME 'memberNotCmd'
>>>   DESC 'Reference to a command or group of the commands that is not allowed.'
>>>   SUP distinguishedName
>>>   EQUALITY distinguishedNameMatch
>>>   ORDERING distinguishedNameMatch
>>>   SUBSTR distinguishedNameMatch
>>>   SYNTAX 1.3.6.1.4.1.1466.115.121.1.12
>>>   X-ORIGIN 'IPA v2' )
>>>
>>> The logic then will be:
>>> * If no memberCmd, memberNotCmd or cmdCategory attribute is specified -
>>>   no command is allowed
>>> * If cmdCategory is specified (only value is "all") all other attributes
>>>   are ignored and all commands are allowed
>>> * If cmdCategory is not specified
>>>     * If memberCmd is specified it defines commands or groups of the
>>>       commands that are allowed
>>>     * If memberNotCmd is specified it defines commands or groups of the
>>>       commands that are not allowed
>>>   Both attributes are allowed at the same time defining allowed and
>>>   not allowed commands within the same rule.
>>>
>>> This does not solve the problem fully but at least gets us into the same
>>> boat as current SUDO schema.
>>>
>>> Comments welcome!
>>> If there are no objections by end of Friday I will craft a patch over
>>> the weekend.
>>>
>>> Thanks
>>> Dmitri
>>>
>>
>> I updated the wiki and implemented the change.
>> Patch is attached.
>>
>
> Rebased patch attached.

ack, pushed to master.

JR, can you fix up the sudo plugins to match this new schema?

thanks

rob

From ssorce at redhat.com Mon Oct 4 21:03:57 2010
From: ssorce at redhat.com (Simo Sorce)
Date: Mon, 4 Oct 2010 17:03:57 -0400
Subject: [Freeipa-devel] [PATCH] Fix password history rotation
Message-ID: <20101004170357.768866e3@willson.li.ssimo.org>

This patch properly rotates the password history so the oldest entry is
pushed out when we reach the max entries limit.

Fixes bz#527879/trac#256

Simo.

--
Simo Sorce * Red Hat, Inc * New York
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0001-pwd-plugin-Remove-the-correct-password-from-the-hist.patch
Type: text/x-patch
Size: 1613 bytes
Desc: not available
URL:

From JR.Aquino at citrixonline.com Mon Oct 4 21:04:14 2010
From: JR.Aquino at citrixonline.com (JR Aquino) Date: Mon, 4 Oct 2010 14:04:14 -0700 Subject: [Freeipa-devel] Sudo Schema Bug/Feature In-Reply-To: <4CAA40E3.1030102@redhat.com> References: <416EC0FB-8D70-4A5D-8A5C-FBBEA54C91B1@citrixonline.com> <20100930163731.GS3002@localhost.localdomain> <421210A9-CAD8-430A-885A-546F467F0DE7@citrixonline.com> <4CA50E87.409@redhat.com> <4CA8B99C.6000501@redhat.com> <4CAA3D47.6050604@redhat.com> <4CAA40E3.1030102@redhat.com> Message-ID: <3128A03F-F624-4BD7-8907-6113D0107C6C@citrixonline.com> On Oct 4, 2010, at 2:02 PM, Rob Crittenden wrote: > Dmitri Pal wrote: >> Dmitri Pal wrote: >>> Dmitri Pal wrote: >>> >>>>> How do we adjust FreeIPA such that it ensures Deny-IPASudoRules precede any Allow-IPASudoRules ? >>>>> >>>>> >>>>> >>>> So it looks like current schema would not fly well with SUDO due to SUDO >>>> bug/feature. SUDO will match just any first rule that satisfies the >>>> user-host-command combination but we can't guarantee that rules come in >>>> the same order. So there is a possibility that allow rule will come >>>> before deny rule in our case and will be matched. >>>> It is unfortunate and should be fixed by SUDO. In the meantime we need to >>>> alter the schema to be able to express allowed and not allowed commands >>>> in one rule. >>>> It will be up to the admin to know the limitations of SUDO based on the >>>> documentation we provide and construct the rules in a non contradicting >>>> way. We might be able to add some nice checks in future. 
>>>> >>>> So here is current schema: >>>> >>>> objectClasses: (2.16.840.1.113730.3.8.8.TBD >>>> NAME 'ipaSudoRule' >>>> SUP ipaAssociation >>>> STRUCTURAL >>>> MUST accessRuleType >>>> MAY ( externalUser $ >>>> externalHost $ hostMask $ >>>> memberCmd $ cmdCategory $ >>>> ipaSudoOpt $ >>>> ipaSudoRunAs $ ipaSudoRunAsExtUser $ ipaSudoRunAsUserCategory $ >>>> ipaSudoRunAsGroup $ ipaSudoRunAsExtGroup $ ipaSudoRunAsGroupCategory ) >>>> X-ORIGIN 'IPA v2' ) >>>> >>>> >>>> We will : >>>> * Remove accessRuleType >>>> * Add memberNotCmd same as memberCmd >>>> >>>> attributeTypes: (2.16.840.1.113730.3.8.7.TBD >>>> NAME 'memberNotCmd' >>>> DESC 'Reference to a command or group of the commands that is not allowed.' >>>> SUP distinguishedName >>>> EQUALITY distinguishedNameMatch >>>> ORDERING distinguishedNameMatch >>>> SUBSTR distinguishedNameMatch >>>> SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 >>>> X-ORIGIN 'IPA v2' ) >>>> >>>> >>>> The logic then will be: >>>> * If no memberCmd, memberNotCmd or cmdCategory attribute is specified - >>>> no command is allowed >>>> * If cmdCategory is specified (only value is "all") all other attributes >>>> are ignored and all commands are allowed >>>> * If cmdCategory is not specified >>>> * If memberCmd is specified it defines commands or groups of the >>>> commands that are allowed >>>> * If memberNotCmd is specified it defines commands or groups of the >>>> commands that are not allowed >>>> Both attributes are allowed at the same time defining allowed and >>>> not allowed commands within the same rule. >>>> >>>> This does not solve the problem fully but at least gets us into the same >>>> boat as current SUDO schema. >>>> >>>> Comments welcome! >>>> If there are no objections by end of Friday I will craft a patch over >>>> the weekend. >>>> >>>> Thanks >>>> Dmitri >>>> >>>> >>>> >>>> >>> >>> I updated the wiki and implemented the change. >>> Patch is attached. >>> >>> >>> >>> >> >> Rebased patch attached. > > ack, pushed to master. 
> > JR, can you fix up the sudo plugins to match this new schema? > > thanks > > rob Will get right on it. Try to have it done early tomorrow if not by end of day today. -JR From rcritten at redhat.com Mon Oct 4 21:51:32 2010 From: rcritten at redhat.com (Rob Crittenden) Date: Mon, 04 Oct 2010 17:51:32 -0400 Subject: [Freeipa-devel] [PATCH] 558 display indirect members Message-ID: <4CAA4C64.1020001@redhat.com> Populate indirect members when showing a group object. This is done by creating a new attribute, memberindirect, to hold this indirect membership. The new function get_members() can return all members or just indirect or direct. We are only using it to retrieve indirect members currently. This also: * Moves all member display attributes into baseldap.py to reduce duplication * Adds netgroup nesting * Use a unique object name in hbacsvc and hbacsvcgroup ticket 296 rob -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-558-indirect.patch Type: application/mbox Size: 37929 bytes Desc: not available URL: From JR.Aquino at citrixonline.com Mon Oct 4 23:02:20 2010 
From: JR.Aquino at citrixonline.com (JR Aquino) Date: Mon, 4 Oct 2010 16:02:20 -0700 Subject: [Freeipa-devel] Sudo Schema Bug/Feature In-Reply-To: <4CAA40E3.1030102@redhat.com> References: <416EC0FB-8D70-4A5D-8A5C-FBBEA54C91B1@citrixonline.com> <20100930163731.GS3002@localhost.localdomain> <421210A9-CAD8-430A-885A-546F467F0DE7@citrixonline.com> <4CA50E87.409@redhat.com> <4CA8B99C.6000501@redhat.com> <4CAA3D47.6050604@redhat.com> <4CAA40E3.1030102@redhat.com> Message-ID: <13EEC62F-49E3-4806-A992-47CE110D415F@citrixonline.com> On Oct 4, 2010, at 2:02 PM, Rob Crittenden wrote: > Dmitri Pal wrote: >> Dmitri Pal wrote: >>> Dmitri Pal wrote: >>> >>>>> How do we adjust FreeIPA such that it ensures Deny-IPASudoRules precede any Allow-IPASudoRules ? >>>>> >>>>> >>>>> >>>> So it looks like current schema would not fly well with SUDO due to SUDO >>>> bug/feature. SUDO will match just any first rule that satisfies the >>>> user-host-command combination but we can't guarantee that rules come in >>>> the same order. So there is a possibility that allow rule will come >>>> before deny rule in our case and will be matched. >>>> It is unfortunate and should be fixed by SUDO. In the meantime we need to >>>> alter the schema to be able to express allowed and not allowed commands >>>> in one rule. >>>> It will be up to the admin to know the limitations of SUDO based on the >>>> documentation we provide and construct the rules in a non contradicting >>>> way. We might be able to add some nice checks in future. 
>>>> >>>> So here is current schema: >>>> >>>> objectClasses: (2.16.840.1.113730.3.8.8.TBD >>>> NAME 'ipaSudoRule' >>>> SUP ipaAssociation >>>> STRUCTURAL >>>> MUST accessRuleType >>>> MAY ( externalUser $ >>>> externalHost $ hostMask $ >>>> memberCmd $ cmdCategory $ >>>> ipaSudoOpt $ >>>> ipaSudoRunAs $ ipaSudoRunAsExtUser $ ipaSudoRunAsUserCategory $ >>>> ipaSudoRunAsGroup $ ipaSudoRunAsExtGroup $ ipaSudoRunAsGroupCategory ) >>>> X-ORIGIN 'IPA v2' ) >>>> >>>> >>>> We will : >>>> * Remove accessRuleType >>>> * Add memberNotCmd same as memberCmd >>>> >>>> attributeTypes: (2.16.840.1.113730.3.8.7.TBD >>>> NAME 'memberNotCmd' >>>> DESC 'Reference to a command or group of the commands that is not allowed.' >>>> SUP distinguishedName >>>> EQUALITY distinguishedNameMatch >>>> ORDERING distinguishedNameMatch >>>> SUBSTR distinguishedNameMatch >>>> SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 >>>> X-ORIGIN 'IPA v2' ) >>>> >>>> >>>> The logic then will be: >>>> * If no memberCmd, memberNotCmd or cmdCategory attribute is specified - >>>> no command is allowed >>>> * If cmdCategory is specified (only value is "all") all other attributes >>>> are ignored and all commands are allowed >>>> * If cmdCategory is not specified >>>> * If memberCmd is specified it defines commands or groups of the >>>> commands that are allowed >>>> * If memberNotCmd is specified it defines commands or groups of the >>>> commands that are not allowed >>>> Both attributes are allowed at the same time defining allowed and >>>> not allowed commands within the same rule. >>>> >>>> This does not solve the problem fully but at least gets us into the same >>>> boat as current SUDO schema. >>>> >>>> Comments welcome! >>>> If there are no objections by end of Friday I will craft a patch over >>>> the weekend. >>>> >>>> Thanks >>>> Dmitri >>>> >>>> >>>> >>>> >>> >>> I updated the wiki and implemented the change. >>> Patch is attached. >>> >>> >>> >>> >> >> Rebased patch attached. > > ack, pushed to master. 
> > JR, can you fix up the sudo plugins to match this new schema? > > thanks > > rob Attached is the patch for modifications to sudorule and its test suite to accommodate the schema redesign. We now create allow rules or deny rules and no longer reference accessruletype. -------------- next part -------------- A non-text attachment was scrubbed... Name: 0001-sudorule-mods-for-schema-update.patch Type: application/octet-stream Size: 13142 bytes Desc: 0001-sudorule-mods-for-schema-update.patch URL: From rcritten at redhat.com Tue Oct 5 02:38:31 2010 From: rcritten at redhat.com (Rob Crittenden) Date: Mon, 04 Oct 2010 22:38:31 -0400 Subject: [Freeipa-devel] [PATCH] Cosmetic fixes In-Reply-To: <20101004160829.538f92ae@willson.li.ssimo.org> References: <20101004160829.538f92ae@willson.li.ssimo.org> Message-ID: <4CAA8FA7.60105@redhat.com> Simo Sorce wrote: > > Cosmetic changes to fix code style and LDAP attribute descriptions. ACK x2 rob From rcritten at redhat.com Tue Oct 5 02:40:25 2010 From: rcritten at redhat.com (Rob Crittenden) Date: Mon, 04 Oct 2010 22:40:25 -0400 Subject: [Freeipa-devel] [PATCH] Improve NTLM hash generation configuration In-Reply-To: <20101004161010.513f06d5@willson.li.ssimo.org> References: <20101004161010.513f06d5@willson.li.ssimo.org> Message-ID: <4CAA9019.50504@redhat.com> Simo Sorce wrote: > > Long overdue, fix TODOs in the code. > With this patch it is now possible to configure the password plugin so > that only certain types of NTLM hashes are created for Samba objects. > > Simo. ACK x2 rob From rcritten at redhat.com Tue Oct 5 02:42:02 2010 
From: rcritten at redhat.com (Rob Crittenden) Date: Mon, 04 Oct 2010 22:42:02 -0400 Subject: [Freeipa-devel] [PATCH] more style fixes In-Reply-To: <20101004161050.42f555e0@willson.li.ssimo.org> References: <20101004161050.42f555e0@willson.li.ssimo.org> Message-ID: <4CAA907A.6030902@redhat.com> Simo Sorce wrote: > > fix style in some more code. > purely cosmetic again. > > Simo. > Shouldn't this contain the __func__ fix as well? rob From rcritten at redhat.com Tue Oct 5 03:02:18 2010 From: rcritten at redhat.com (Rob Crittenden) Date: Mon, 04 Oct 2010 23:02:18 -0400 Subject: [Freeipa-devel] [PATCH] Fix password history rotation In-Reply-To: <20101004170357.768866e3@willson.li.ssimo.org> References: <20101004170357.768866e3@willson.li.ssimo.org> Message-ID: <4CAA953A.10401@redhat.com> Simo Sorce wrote: > > This patch properly rotates the password history so the oldest entry is > pushed out when we reach the max entries limit. > > Fixes bz#527879/trac#256 > > Simo. This was a little confusing because pH and j are counting from 0 and i, and data->pwHistoryLen are counting from 1 but it does seem to work ok. ack rob From ssorce at redhat.com Tue Oct 5 11:51:27 2010 
From: ssorce at redhat.com (Simo Sorce) Date: Tue, 5 Oct 2010 07:51:27 -0400 Subject: [Freeipa-devel] [PATCH] more style fixes In-Reply-To: <4CAA907A.6030902@redhat.com> References: <20101004161050.42f555e0@willson.li.ssimo.org> <4CAA907A.6030902@redhat.com> Message-ID: <20101005075127.1933d911@willson.li.ssimo.org> On Mon, 04 Oct 2010 22:42:02 -0400 Rob Crittenden wrote: > Simo Sorce wrote: > > > > fix style in some more code. > > purely cosmetic again. > > > > Simo. > > > > Shouldn't this contain the __func__ fix as well? I stopped adding __func__ for now as it introduces a lot of warnings. The reason is that __func__ is const char * but the logging function takes a simple char * I need to think a bit what is the best solution, I may add a macro later on that basically replaces the logging function with a version that discards the const. But it is not critical, so I decided to just wait a bit. Simo. -- Simo Sorce * Red Hat, Inc * New York From rcritten at redhat.com Tue Oct 5 12:40:03 2010 
From: rcritten at redhat.com (Rob Crittenden) Date: Tue, 05 Oct 2010 08:40:03 -0400 Subject: [Freeipa-devel] [PATCH] more style fixes In-Reply-To: <20101005075127.1933d911@willson.li.ssimo.org> References: <20101004161050.42f555e0@willson.li.ssimo.org> <4CAA907A.6030902@redhat.com> <20101005075127.1933d911@willson.li.ssimo.org> Message-ID: <4CAB1CA3.2050005@redhat.com> Simo Sorce wrote: > On Mon, 04 Oct 2010 22:42:02 -0400 > Rob Crittenden wrote: > >> Simo Sorce wrote: >>> >>> fix style in some more code. >>> purely cosmetic again. >>> >>> Simo. >>> >> >> Shouldn't this contain the __func__ fix as well? > > I stopped adding __func__ for now as it introduces a lot of warnings. > The reason is that __func__ is const char * but the logging function > takes a simple char * > > I need to think a bit what is the best solution, I may add a macro > later on that basically replaces the logging function with a version > that discards the const. > > But it is not critical, so I decided to just wait a bit. > > Simo. > Ok, ack rob From ssorce at redhat.com Tue Oct 5 13:03:09 2010 From: ssorce at redhat.com (Simo Sorce) Date: Tue, 5 Oct 2010 09:03:09 -0400 Subject: [Freeipa-devel] [PATCH] Fix 14 char limit with NT hash In-Reply-To: <4CAA37A5.3020706@redhat.com> References: <20101004160704.7a8b985d@willson.li.ssimo.org> <4CAA37A5.3020706@redhat.com> Message-ID: <20101005090309.4c1e82ce@willson.li.ssimo.org> On Mon, 04 Oct 2010 16:23:01 -0400 Adam Young wrote: > On 10/04/2010 04:07 PM, Simo Sorce wrote: > > This patch fixes bz#475051/trac#223 > > > ACK pushed to master -- Simo Sorce * Red Hat, Inc * New York From pzuna at redhat.com Tue Oct 5 14:43:56 2010 
From: pzuna at redhat.com (Pavel Zuna) Date: Tue, 05 Oct 2010 16:43:56 +0200 Subject: [Freeipa-devel] [PATCH] Generate additional positional arguments for baseldap commands from takes_args. Message-ID: <4CAB39AC.8050408@redhat.com> takes_args defined in a baseldap subclass is now transformed into positional arguments that go after primary keys. Before this patch, takes_args in crud subclasses were ignored. example: --- snip --- class user_something(LDAPRetrieve): takes_args = ( Str('randomarg'), ) --- snip --- # ipa help something Usage: ipa [global-options] user-something LOGIN RANDOMARG Pavel -------------- next part -------------- A non-text attachment was scrubbed... Name: pzuna-freeipa-0027-takesargs.patch Type: text/x-patch Size: 1838 bytes Desc: not available URL: From ssorce at redhat.com Tue Oct 5 14:44:41 2010 From: ssorce at redhat.com (Simo Sorce) Date: Tue, 5 Oct 2010 10:44:41 -0400 Subject: [Freeipa-devel] [PATCH] Cosmetic fixes In-Reply-To: <4CAA8FA7.60105@redhat.com> References: <20101004160829.538f92ae@willson.li.ssimo.org> <4CAA8FA7.60105@redhat.com> Message-ID: <20101005104441.65e75f80@willson.li.ssimo.org> On Mon, 04 Oct 2010 22:38:31 -0400 Rob Crittenden wrote: > Simo Sorce wrote: > > > > Cosmetic changes to fix code style and LDAP attribute descriptions. > > ACK x2 pushed to master Simo. -- Simo Sorce * Red Hat, Inc * New York From ssorce at redhat.com Tue Oct 5 14:45:03 2010 
From: ssorce at redhat.com (Simo Sorce) Date: Tue, 5 Oct 2010 10:45:03 -0400 Subject: [Freeipa-devel] [PATCH] Improve NTLM hash generation configuration In-Reply-To: <4CAA9019.50504@redhat.com> References: <20101004161010.513f06d5@willson.li.ssimo.org> <4CAA9019.50504@redhat.com> Message-ID: <20101005104503.0b8a571e@willson.li.ssimo.org> On Mon, 04 Oct 2010 22:40:25 -0400 Rob Crittenden wrote: > Simo Sorce wrote: > > > > Long overdue, fix TODOs in the code. > > With this patch it is now possible to configure the password plugin > > so that only certain types of NTLM hashes are created for Samba > > objects. > > > > Simo. > > ACK x2 pushed to master Simo. -- Simo Sorce * Red Hat, Inc * New York From ssorce at redhat.com Tue Oct 5 14:45:18 2010 
From: ssorce at redhat.com (Simo Sorce) Date: Tue, 5 Oct 2010 10:45:18 -0400 Subject: [Freeipa-devel] [PATCH] more style fixes In-Reply-To: <4CAB1CA3.2050005@redhat.com> References: <20101004161050.42f555e0@willson.li.ssimo.org> <4CAA907A.6030902@redhat.com> <20101005075127.1933d911@willson.li.ssimo.org> <4CAB1CA3.2050005@redhat.com> Message-ID: <20101005104518.5282d864@willson.li.ssimo.org> On Tue, 05 Oct 2010 08:40:03 -0400 Rob Crittenden wrote: > Simo Sorce wrote: > > On Mon, 04 Oct 2010 22:42:02 -0400 > > Rob Crittenden wrote: > > > >> Simo Sorce wrote: > >>> > >>> fix style in some more code. > >>> purely cosmetic again. > >>> > >>> Simo. > >>> > >> > >> Shouldn't this contain the __func__ fix as well? > > > > I stopped adding __func__ for now as it introduces a lot of > > warnings. The reason is that __func__ is const char * but the > > logging function takes a simple char * > > > > I need to think a bit what is the best solution, I may add a macro > > later on that basically replaces the logging function with a version > > that discards the const. > > > > But it is not critical, so I decided to just wait a bit. > > > > Simo. > > > > Ok, ack pushed to master Simo. -- Simo Sorce * Red Hat, Inc * New York From ssorce at redhat.com Tue Oct 5 14:45:29 2010 
From: ssorce at redhat.com (Simo Sorce) Date: Tue, 5 Oct 2010 10:45:29 -0400 Subject: [Freeipa-devel] [PATCH] Fix password history rotation In-Reply-To: <4CAA953A.10401@redhat.com> References: <20101004170357.768866e3@willson.li.ssimo.org> <4CAA953A.10401@redhat.com> Message-ID: <20101005104529.6f955a58@willson.li.ssimo.org> On Mon, 04 Oct 2010 23:02:18 -0400 Rob Crittenden wrote: > Simo Sorce wrote: > > > > This patch properly rotates the password history so the oldest > > entry is pushed out when we reach the max entries limit. > > > > Fixes bz#527879/trac#256 > > > > Simo. > > This was a little confusing because pH and j are counting from 0 and > i, and data->pwHistoryLen are counting from 1 but it does seem to > work ok. > > ack pushed to master Simo. -- Simo Sorce * Red Hat, Inc * New York From pzuna at redhat.com Tue Oct 5 14:47:19 2010 From: pzuna at redhat.com (Pavel Zuna) Date: Tue, 05 Oct 2010 16:47:19 +0200 Subject: [Freeipa-devel] [PATCH] Add 'continuous' mode to LDAPDelete. Fix *-del unit tests. Message-ID: <4CAB3A77.70901@redhat.com> All LDAPMultiQuery sub-classes (currently only LDAPDelete) now have the --continuous flag (off by default). The flag should indicate that the command shouldn't stop on errors and continue operation with the next primary key on the arguments lists. This effectively fixes *-del unit tests, because continuous mode is off by default. (It was on before this patch and there was no option to turn it off.) Ticket #321 Pavel -------------- next part -------------- A non-text attachment was scrubbed... Name: pzuna-freeipa-0028-fixdeltests.patch Type: text/x-patch Size: 1302 bytes Desc: not available URL: From pzuna at redhat.com Tue Oct 5 15:49:22 2010 
From: pzuna at redhat.com (Pavel Zuna) Date: Tue, 05 Oct 2010 17:49:22 +0200 Subject: [Freeipa-devel] [PATCH] Rename user-lock and user-unlock to user-enable user-disable. Message-ID: <4CAB4902.4010506@redhat.com> Also fixes related unit tests and therefore depends on my patch number 28. Ticket #165 Pavel -------------- next part -------------- A non-text attachment was scrubbed... Name: pzuna-freeipa-0029-userlock.patch Type: text/x-patch Size: 2834 bytes Desc: not available URL: From pzuna at redhat.com Tue Oct 5 15:52:28 2010 From: pzuna at redhat.com (Pavel Zuna) Date: Tue, 05 Oct 2010 17:52:28 +0200 Subject: [Freeipa-devel] [PATCH] Add 'continuous' mode to LDAPDelete. Fix *-del unit tests. In-Reply-To: <4CAB3A77.70901@redhat.com> References: <4CAB3A77.70901@redhat.com> Message-ID: <4CAB49BC.5070209@redhat.com> On 10/05/2010 04:47 PM, Pavel Zuna wrote: > All LDAPMultiQuery sub-classes (currently only LDAPDelete) now have the > --continuous flag (off by default). The flag should indicate that the > command shouldn't stop on errors and continue operation with the next > primary key on the arguments lists. > > This effectively fixes *-del unit tests, because continuous mode is off > by default. (It was on before this patch and there was no option to turn > it off.) > > Ticket #321 > > Pavel I forgot to mention that this depends on my patch number 27, because they modify the same file (baseldap.py). Pavel From rcritten at redhat.com Tue Oct 5 16:07:32 2010 
From: rcritten at redhat.com (Rob Crittenden) Date: Tue, 05 Oct 2010 12:07:32 -0400 Subject: [Freeipa-devel] [PATCH] Rename user-lock and user-unlock to user-enable user-disable. In-Reply-To: <4CAB4902.4010506@redhat.com> References: <4CAB4902.4010506@redhat.com> Message-ID: <4CAB4D44.6050002@redhat.com> Pavel Zuna wrote: > Also fixes related unit tests and therefore depends on my patch number 28. > > Ticket #165 > > Pavel This looks ok but you need to update the examples in the top help block too: Lock a user account: ipa user-lock tuser1 Unlock a user account: ipa user-unlock tuser1 Fix those and you have an ack. rob From rob.townley at gmail.com Tue Oct 5 17:25:30 2010 From: rob.townley at gmail.com (Rob Townley) Date: Tue, 5 Oct 2010 12:25:30 -0500 Subject: [Freeipa-devel] Multicast SSL for Server Broadcast Message-ID: i was just wondering if multicast ssl (or multicast over a vpn such as IPsec) has been considered as a way to efficiently replicate information from one server to all other servers. i was specifically thinking of multicasting tracking bad password attempts from one server to all the other servers. i don't know anything about multicast ssl except that IBM worked on it in the late 1990's and it was supposed to support reliable transport. It may simplify things if all the servers had the same certificate... From ayoung at redhat.com Tue Oct 5 17:57:13 2010 
From: ayoung at redhat.com (Adam Young) Date: Tue, 05 Oct 2010 13:57:13 -0400 Subject: [Freeipa-devel] [PATCH] Generate additional positional arguments for baseldap commands from takes_args. In-Reply-To: <4CAB39AC.8050408@redhat.com> References: <4CAB39AC.8050408@redhat.com> Message-ID: <4CAB66F9.90402@redhat.com> On 10/05/2010 10:43 AM, Pavel Zuna wrote: > takes_args defined in a baseldap subclass is now transformed into > positional arguments that go after primary keys. Before this patch, > takes_args in crud subclasses were ignored. > > example: > > --- snip --- > > class user_something(LDAPRetrieve): > takes_args = ( > Str('randomarg'), > ) > > --- snip --- > > # ipa help something > Usage: ipa [global-options] user-something LOGIN RANDOMARG > > > Pavel > > > _______________________________________________ > Freeipa-devel mailing list > Freeipa-devel at redhat.com > https://www.redhat.com/mailman/listinfo/freeipa-devel I'll take reviewing this and Pavel's follow on patches. -------------- next part -------------- An HTML attachment was scrubbed... URL: From ayoung at redhat.com Tue Oct 5 18:39:26 2010 
From: ayoung at redhat.com (Adam Young) Date: Tue, 05 Oct 2010 14:39:26 -0400 Subject: [Freeipa-devel] [PATCH] Add 'continuous' mode to LDAPDelete. Fix *-del unit tests. In-Reply-To: <4CAB49BC.5070209@redhat.com> References: <4CAB3A77.70901@redhat.com> <4CAB49BC.5070209@redhat.com> Message-ID: <4CAB70DE.6040202@redhat.com> On 10/05/2010 11:52 AM, Pavel Zuna wrote: > On 10/05/2010 04:47 PM, Pavel Zuna wrote: >> All LDAPMultiQuery sub-classes (currently only LDAPDelete) now have the >> --continuous flag (off by default). The flag should indicate that the >> command shouldn't stop on errors and continue operation with the next >> primary key on the arguments lists. >> >> This effectively fixes *-del unit tests, because continuous mode is off >> by default. (It was on before this patch and there was no option to turn >> it off.) >> >> Ticket #321 >> >> Pavel > > I forgot to mention that this depends on my patch number 27, because > they modify the same file (baseldap.py). > > Pavel > > _______________________________________________ > Freeipa-devel mailing list > Freeipa-devel at redhat.com > https://www.redhat.com/mailman/listinfo/freeipa-devel I still get a slew of test failures. Again, this may be from my setup, but I suspect not. test_group[2]: group_del: Try to delete non-existent u'testgroup1' ... FAIL test_group[13]: group_del: Try to delete non-existent u'testgroup2' ... FAIL test_group[26]: group_del: Try to delete non-existent u'testgroup1' ... FAIL test_group[30]: group_del: Try to delete non-existent u'testgroup2' ... FAIL test_group[37]: group_del: Try to delete a managed group u'tuser1' ... FAIL test_hbacsvcgroup[2]: hbacsvcgroup_del: Try to delete non-existent u'testhbacsvcgroup1' ... FAIL test_host[2]: host_del: Try to delete non-existent u'testhost1.ayoung.boston.devel.redhat.com' ... FAIL test_host[14]: host_del: Try to delete non-existent u'testhost1.ayoung.boston.devel.redhat.com' ... 
FAIL test_hostgroup[2]: hostgroup_del: Try to delete non-existent u'testhostgroup1' ... FAIL test_rolegroup[2]: rolegroup_del: Try to delete non-existent u'test-rolegroup-1' ... FAIL test_rolegroup[20]: rolegroup_del: Try to delete non-existent u'test-rolegroup-1' ... FAIL test_host[2]: service_del: Try to delete non-existent u'HTTP/testhost1.ayoung.boston.devel.redhat.com at AYOUNG.BOSTON.DEVEL.REDHAT.COM' ... FAIL test_host[16]: service_del: Try to delete non-existent u'HTTP/testhost1.ayoung.boston.devel.redhat.com at AYOUNG.BOSTON.DEVEL.REDHAT.COM' ... FAIL test_sudocmd[2]: sudocmd_del: Try to delete non-existent u'/usr/bin/sudotestcmd1' ... FAIL test_sudocmd[12]: sudocmd_del: Try to delete non-existent u'/usr/bin/sudotestcmd1' ... FAIL test_sudocmdgroup[4]: sudocmdgroup_del: Try to delete non-existent u'testsudocmdgroup1' ... FAIL test_sudocmdgroup[13]: sudocmdgroup_del: Try to delete non-existent u'testsudocmdgroup2' ... FAIL test_sudocmdgroup[26]: sudocmdgroup_del: Try to delete non-existent u'testsudocmdgroup1' ... FAIL test_sudocmdgroup[30]: sudocmdgroup_del: Try to delete non-existent u'testsudocmdgroup2' ... FAIL test_taskgroup[2]: taskgroup_del: Try to delete non-existent u'test-taskgroup-1' ... FAIL test_taskgroup[19]: taskgroup_del: Try to delete non-existent u'test-taskgroup-1' ... FAIL test_user[2]: user_del: Try to delete non-existent u'tuser1' ... FAIL test_user[15]: user_del: Try to delete non-existent u'tuser1' ... 
FAIL FAIL: test_group[2]: group_del: Try to delete non-existent u'testgroup1' FAIL: test_group[13]: group_del: Try to delete non-existent u'testgroup2' FAIL: test_group[26]: group_del: Try to delete non-existent u'testgroup1' FAIL: test_group[30]: group_del: Try to delete non-existent u'testgroup2' FAIL: test_group[37]: group_del: Try to delete a managed group u'tuser1' FAIL: test_hbacsvcgroup[2]: hbacsvcgroup_del: Try to delete non-existent u'testhbacsvcgroup1' FAIL: test_host[2]: host_del: Try to delete non-existent u'testhost1.ayoung.boston.devel.redhat.com' FAIL: test_host[14]: host_del: Try to delete non-existent u'testhost1.ayoung.boston.devel.redhat.com' FAIL: test_hostgroup[2]: hostgroup_del: Try to delete non-existent u'testhostgroup1' FAIL: test_rolegroup[2]: rolegroup_del: Try to delete non-existent u'test-rolegroup-1' FAIL: test_rolegroup[20]: rolegroup_del: Try to delete non-existent u'test-rolegroup-1' FAIL: test_host[2]: service_del: Try to delete non-existent u'HTTP/testhost1.ayoung.boston.devel.redhat.com at AYOUNG.BOSTON.DEVEL.REDHAT.COM' FAIL: test_host[16]: service_del: Try to delete non-existent u'HTTP/testhost1.ayoung.boston.devel.redhat.com at AYOUNG.BOSTON.DEVEL.REDHAT.COM' FAIL: test_sudocmd[2]: sudocmd_del: Try to delete non-existent u'/usr/bin/sudotestcmd1' FAIL: test_sudocmd[12]: sudocmd_del: Try to delete non-existent u'/usr/bin/sudotestcmd1' FAIL: test_sudocmdgroup[4]: sudocmdgroup_del: Try to delete non-existent u'testsudocmdgroup1' FAIL: test_sudocmdgroup[13]: sudocmdgroup_del: Try to delete non-existent u'testsudocmdgroup2' FAIL: test_sudocmdgroup[26]: sudocmdgroup_del: Try to delete non-existent u'testsudocmdgroup1' FAIL: test_sudocmdgroup[30]: sudocmdgroup_del: Try to delete non-existent u'testsudocmdgroup2' FAIL: test_taskgroup[2]: taskgroup_del: Try to delete non-existent u'test-taskgroup-1' FAIL: test_taskgroup[19]: taskgroup_del: Try to delete non-existent u'test-taskgroup-1' FAIL: test_user[2]: user_del: Try to delete 
non-existent u'tuser1' FAIL: test_user[15]: user_del: Try to delete non-existent u'tuser1' From ayoung at redhat.com Tue Oct 5 18:48:18 2010 From: ayoung at redhat.com (Adam Young) Date: Tue, 05 Oct 2010 14:48:18 -0400 Subject: [Freeipa-devel] [PATCH] Generate additional positional arguments for baseldap commands from takes_args. In-Reply-To: <4CAB39AC.8050408@redhat.com> References: <4CAB39AC.8050408@redhat.com> Message-ID: <4CAB72F2.6010601@redhat.com> On 10/05/2010 10:43 AM, Pavel Zuna wrote: > takes_args defined in a baseldap subclass is now transformed into > positional arguments that go after primary keys. Before this patch, > takes_args in crud subclasses were ignored. > > example: > > --- snip --- > > class user_something(LDAPRetrieve): > takes_args = ( > Str('randomarg'), > ) > > --- snip --- > > # ipa help something > Usage: ipa [global-options] user-something LOGIN RANDOMARG > > > Pavel > > > _______________________________________________ > Freeipa-devel mailing list > Freeipa-devel at redhat.com > https://www.redhat.com/mailman/listinfo/freeipa-devel ACK -------------- next part -------------- An HTML attachment was scrubbed... URL: From rcritten at redhat.com Tue Oct 5 20:19:27 2010 From: rcritten at redhat.com (Rob Crittenden) Date: Tue, 05 Oct 2010 16:19:27 -0400 Subject: [Freeipa-devel] [PATCH] 559 update ipa-getkeytab man page Message-ID: <4CAB884F.4000400@redhat.com> Add some missing options to the ipa-getkeytab man page. rob -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-559-man.patch Type: application/mbox Size: 2990 bytes Desc: not available URL: From edewata at redhat.com Tue Oct 5 20:39:26 2010 
From: edewata at redhat.com (Endi Sukma Dewata) Date: Tue, 5 Oct 2010 16:39:26 -0400 (EDT) Subject: [Freeipa-devel] UI Unit Tests Docs Message-ID: <1141565350.85371286311166081.JavaMail.root@zmail05.collab.prod.int.phx2.redhat.com> Hi, Here are the docs for the UI Unit Tests: http://www.freeipa.org/page/UI_Unit_Tests Any comments are welcome. Thanks! -- Endi S. Dewata From ayoung at redhat.com Tue Oct 5 20:46:21 2010 From: ayoung at redhat.com (Adam Young) Date: Tue, 05 Oct 2010 16:46:21 -0400 Subject: [Freeipa-devel] UI Unit Tests Docs In-Reply-To: <1141565350.85371286311166081.JavaMail.root@zmail05.collab.prod.int.phx2.redhat.com> References: <1141565350.85371286311166081.JavaMail.root@zmail05.collab.prod.int.phx2.redhat.com> Message-ID: <4CAB8E9D.3090107@redhat.com> On 10/05/2010 04:39 PM, Endi Sukma Dewata wrote: > Hi, > > Here are the docs for the UI Unit Tests: > http://www.freeipa.org/page/UI_Unit_Tests > > Any comments are welcome. Thanks! > > -- > Endi S. Dewata > > _______________________________________________ > Freeipa-devel mailing list > Freeipa-devel at redhat.com > https://www.redhat.com/mailman/listinfo/freeipa-devel > Nice! Well done. From rcritten at redhat.com Tue Oct 5 20:45:44 2010 From: rcritten at redhat.com (Rob Crittenden) Date: Tue, 05 Oct 2010 16:45:44 -0400 Subject: [Freeipa-devel] UI Unit Tests Docs In-Reply-To: <1141565350.85371286311166081.JavaMail.root@zmail05.collab.prod.int.phx2.redhat.com> References: <1141565350.85371286311166081.JavaMail.root@zmail05.collab.prod.int.phx2.redhat.com> Message-ID: <4CAB8E78.7070204@redhat.com> Endi Sukma Dewata wrote: > Hi, > > Here are the docs for the UI Unit Tests: > http://www.freeipa.org/page/UI_Unit_Tests > > Any comments are welcome. Thanks! Looks good to me. Can you add a link from the Testing page here? rob From edewata at redhat.com Tue Oct 5 20:52:13 2010 
From: edewata at redhat.com (Endi Sukma Dewata) Date: Tue, 5 Oct 2010 16:52:13 -0400 (EDT) Subject: [Freeipa-devel] UI Unit Tests Docs In-Reply-To: <534602466.87131286311889126.JavaMail.root@zmail05.collab.prod.int.phx2.redhat.com> Message-ID: <877893892.87201286311933874.JavaMail.root@zmail05.collab.prod.int.phx2.redhat.com> ----- "Rob Crittenden" wrote: > Endi Sukma Dewata wrote: > > Hi, > > > > Here are the docs for the UI Unit Tests: > > http://www.freeipa.org/page/UI_Unit_Tests > > > > Any comments are welcome. Thanks! > > Looks good to me. Can you add a link from the Testing page here? > > rob You mean the index.html in install/static/test, right? OK, I will do that after this. Do we need to store the source of this wiki page in git too (e.g. README.txt)? The wiki page is already keeping the history. https://fedorahosted.org/freeipa/ticket/295 -- Endi S. Dewata From rcritten at redhat.com Tue Oct 5 20:56:56 2010 From: rcritten at redhat.com (Rob Crittenden) Date: Tue, 05 Oct 2010 16:56:56 -0400 Subject: [Freeipa-devel] UI Unit Tests Docs In-Reply-To: <877893892.87201286311933874.JavaMail.root@zmail05.collab.prod.int.phx2.redhat.com> References: <877893892.87201286311933874.JavaMail.root@zmail05.collab.prod.int.phx2.redhat.com> Message-ID: <4CAB9118.80209@redhat.com> Endi Sukma Dewata wrote: > ----- "Rob Crittenden" wrote: > >> Endi Sukma Dewata wrote: >>> Hi, >>> >>> Here are the docs for the UI Unit Tests: >>> http://www.freeipa.org/page/UI_Unit_Tests >>> >>> Any comments are welcome. Thanks! >> >> Looks good to me. Can you add a link from the Testing page here? >> >> rob > > You mean the index.html in install/static/test, right? > OK, I will do that after this. Do we need to store the > source of this wiki page in git too (e.g. README.txt)? > The wiki page is already keeping the history. > > https://fedorahosted.org/freeipa/ticket/295 Heh, no I mean http://freeipa.org/page/Testing rob From edewata at redhat.com Tue Oct 5 21:25:30 2010 
From: edewata at redhat.com (Endi Sukma Dewata)
Date: Tue, 5 Oct 2010 17:25:30 -0400 (EDT)
Subject: [Freeipa-devel] UI Unit Tests Docs
In-Reply-To: <1125951299.91201286313919074.JavaMail.root@zmail05.collab.prod.int.phx2.redhat.com>
Message-ID: <299879746.91221286313930013.JavaMail.root@zmail05.collab.prod.int.phx2.redhat.com>

----- "Rob Crittenden" wrote:

> >>> http://www.freeipa.org/page/UI_Unit_Tests
> >>
> >> Looks good to me. Can you add a link from the Testing page here?
> >
> > You mean the index.html in install/static/test, right?
> > OK, I will do that after this. Do we need to store the
> > source of this wiki page in git too (e.g. README.txt)?
> > The wiki page is already keeping the history.
> >
> > https://fedorahosted.org/freeipa/ticket/295
>
> Heh, no I mean http://freeipa.org/page/Testing

OK, the Testing page has been updated. I also added some references to Adam's wiki page.

As we discussed over IRC, I added a README file into git pointing to this wiki page. I pushed it to master under One Liner rule. The ticket is now closed. Thanks!

--
Endi S. Dewata

From ssorce at redhat.com Tue Oct 5 21:25:36 2010
From: ssorce at redhat.com (Simo Sorce)
Date: Tue, 5 Oct 2010 17:25:36 -0400
Subject: [Freeipa-devel] Multicast SSL for Server Broadcast
In-Reply-To:
References:
Message-ID: <20101005172536.67cdf915@willson.li.ssimo.org>

On Tue, 5 Oct 2010 12:25:30 -0500
Rob Townley wrote:

> i was just wondering if multicast ssl (or multicast over a vpn such as
> IPsec) has been considered as a way to efficiently replicate
> information from one server to all other servers. i was specifically
> thinking of multicasting tracking bad password attempts from one
> server to all the other servers.
>
> i don't know anything about multicast ssl except that IBM worked on it
> in the late 1990's and it was supposed to support reliable transport.
> It may simplify things if all the servers had the same certificate...

Hi Rob,
I didn't know you could do reliable multicasting, do you have any
reference to an RFC or other document?

Anyway the main problem would be changing quite drastically the
replication engine. It would also have impact over the replication
topology. Something we should think about, but it's going to be a very
long term thing. The amount of changes required to do something like
that looks quite big.

Simo.

--
Simo Sorce * Red Hat, Inc * New York

From ssorce at redhat.com Tue Oct 5 21:45:37 2010
From: ssorce at redhat.com (Simo Sorce)
Date: Tue, 5 Oct 2010 17:45:37 -0400
Subject: [Freeipa-devel] [PATCH] properly check for ldap headers
Message-ID: <20101005174537.56be4776@willson.li.ssimo.org>

We need to always use mozldap ldap headers for slapi plugins, until
389 ds moves to openldap libs.
But at the same time we want to move to openldap libs for anything else.

Fix configure/makefile to always check for openldap libs and always use
them in anything but slapi plugins.

(fixes bz#464564/trac#221)

Simo.

--
Simo Sorce * Red Hat, Inc * New York
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0001-Always-detect-openldap-and-mozldap-at-the-same-time.patch
Type: text/x-patch
Size: 5808 bytes
Desc: not available
URL:

From ssorce at redhat.com Tue Oct 5 23:25:07 2010
From: ssorce at redhat.com (Simo Sorce)
Date: Tue, 5 Oct 2010 19:25:07 -0400
Subject: [Freeipa-devel] [PATCH] set attribute when changing passwords
Message-ID: <20101005192507.45e541c2@willson.li.ssimo.org>

Set the sambaPwdLastSet when changing password for a user that has the
sambaSamAccount objectclass, so that samba is kept in sync with the
status of the user account wrt whether the user needs to change the
password or not.

fixes trac#313

Simo.

--
Simo Sorce * Red Hat, Inc * New York
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0001-When-dealing-with-samba-password-set-also-the-sambaP.patch
Type: text/x-patch
Size: 4943 bytes
Desc: not available
URL:

From rob.townley at gmail.com Wed Oct 6 00:13:37 2010
From: rob.townley at gmail.com (Rob Townley)
Date: Tue, 5 Oct 2010 19:13:37 -0500
Subject: [Freeipa-devel] Multicast SSL for Server Broadcast
In-Reply-To: <20101005172536.67cdf915@willson.li.ssimo.org>
References: <20101005172536.67cdf915@willson.li.ssimo.org>
Message-ID:

On Tue, Oct 5, 2010 at 4:25 PM, Simo Sorce wrote:
> On Tue, 5 Oct 2010 12:25:30 -0500
> Rob Townley wrote:
>
>> i was just wondering if multicast ssl (or multicast over a vpn such as
>> IPsec) has been considered as a way to efficiently replicate
>> information from one server to all other servers. i was specifically
>> thinking of multicasting tracking bad password attempts from one
>> server to all the other servers.
>>
>> i don't know anything about multicast ssl except that IBM worked on it
>> in the late 1990's and it was supposed to support reliable transport.
>> It may simplify things if all the servers had the same certificate...
>
> Hi Rob,
> I didn't know you could do reliable multicasting, do you have any
> reference to an RFC or other document?
>
> Anyway the main problem would be changing quite drastically the
> replication engine. It would also have impact over the replication
> topology. Something we should think about, but it's going to be a very
> long term thing. The amount of changes required to do something like
> that looks quite big.
>
> Simo.
>
> --
> Simo Sorce * Red Hat, Inc * New York
>

Yes, when i think of multicast, i think udp, therefore unreliable.
i do not know a thing about securing multicast communications. But one example is GSAKMP or Group Secure Association Key Management Protocol from the msec group. msec = Multicast Security is a group with a list of rfcs for security as recent as 2010.
http://datatracker.ietf.org/wg/msec/charter/
http://tools.ietf.org/html/rfc4535

SecureMulticast.org was the first result of googling "multicast ssl" and a search at the IETF returned some results, all of which expired around ten years ago.
At http://datatracker.ietf.org/doc/search/ , enter the terms secure multicast, but many of these expired around 10 years ago.

i am sure there are other secure multicast methods and of course just doing multicast over a VPN or IPsec.

From davido at redhat.com Wed Oct 6 00:55:27 2010
From: davido at redhat.com (David O'Brien)
Date: Wed, 06 Oct 2010 10:55:27 +1000
Subject: [Freeipa-devel] [PATCH] 559 update ipa-getkeytab man page
In-Reply-To: <4CAB884F.4000400@redhat.com>
References: <4CAB884F.4000400@redhat.com>
Message-ID: <4CABC8FF.9080005@redhat.com>

Rob Crittenden wrote:
> Add some missing options to the ipa-getkeytab man page.
>
> rob
>
>
Can you be consistent with "Kerberos" instead of adding "kerberos" to
the mix as well (unless necessary, of course)?

If my understanding is correct, I'd update the following:
"The LDAP password when not binding with Kerberos." to include
"...password to use when not..."

cheers

--
David O'Brien
Red Hat APAC Pty Ltd

"We couldn't care less about comfort. We make you feel good."
Federico Minoli CEO Ducati Motor S.p.A.

From rcritten at redhat.com Wed Oct 6 01:35:33 2010
From: rcritten at redhat.com (Rob Crittenden)
Date: Tue, 05 Oct 2010 21:35:33 -0400
Subject: [Freeipa-devel] [PATCH] Generate additional positional arguments for baseldap commands from takes_args.
In-Reply-To: <4CAB39AC.8050408@redhat.com>
References: <4CAB39AC.8050408@redhat.com>
Message-ID: <4CABD265.6050900@redhat.com>

Pavel Zuna wrote:
> takes_args defined in a baseldap subclass is now transformed into
> positional arguments that go after primary keys. Before this patch,
> takes_args in crud subclasses were ignored.
>
> example:
>
> --- snip ---
>
> class user_something(LDAPRetrieve):
>     takes_args = (
>         Str('randomarg'),
>     )
>
> --- snip ---
>
> # ipa help something
> Usage: ipa [global-options] user-something LOGIN RANDOMARG
>
>
> Pavel

Nack, this breaks the pwpolicy plugin tests (though I'm not 100% sure
why). pwpolicy-del defines its own get_args(). I'm guessing it is
failing because the local get_args returns a string and the multivalue
stuff is expecting a list so pulling the string apart one character at a
time. If you run pwpolicy-del testpolicy it will fail with a not found
on 't' policy.

I think simply removing the get_args() from pwpolicy will fix it:

rob

From rcritten at redhat.com Wed Oct 6 01:37:35 2010
From: rcritten at redhat.com (Rob Crittenden)
Date: Tue, 05 Oct 2010 21:37:35 -0400
Subject: [Freeipa-devel] [PATCH] Add 'continuous' mode to LDAPDelete. Fix *-del unit tests.
In-Reply-To: <4CAB3A77.70901@redhat.com>
References: <4CAB3A77.70901@redhat.com>
Message-ID: <4CABD2DF.8030306@redhat.com>

Pavel Zuna wrote:
> All LDAPMultiQuery sub-classes (currently only LDAPDelete) now have the
> --continuous flag (off by default). The flag should indicate that the
> command shouldn't stop on errors and continue operation with the next
> primary key on the arguments lists.
>
> This effectively fixes *-del unit tests, because continuous mode is off
> by default. (It was on before this patch and there was no option to turn
> it off.)
>
> Ticket #321
>
> Pavel

The migration plugin and pending automount plugin patch already define
an attribute for continuous operation though it is named continue
instead. We should pick one and be consistent. I like continue because
it's easier to type.

rob

From rcritten at redhat.com Wed Oct 6 01:39:00 2010
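The two review messages above (the takes_args nack and the continuous-mode reply) both concern a delete command that walks a list of primary keys. The following sketch is an added example, not code from the thread or from FreeIPA: `delete_many`, `normalize_keys`, `continue_on_error` and the dict used as a directory are hypothetical stand-ins. It shows the failure Rob guesses at, a bare string being iterated character by character, and the stop-on-error versus continue behaviour Pavel describes.

```python
"""Constructed sketch of a multi-key delete; not FreeIPA's baseldap code."""


class NotFound(Exception):
    """Raised when no entry exists for a primary key."""


def sample_store():
    """Constructed sample data standing in for the LDAP directory."""
    return {"testpolicy": {}, "a-policy": {}, "b-policy": {}}


def normalize_keys(keys):
    """Return the primary keys as a tuple, treating a bare string as ONE key.

    Iterating a str yields single characters, so 'testpolicy' handed to a
    loop that expects a list is processed as 't', 'e', 's', ...
    """
    if isinstance(keys, str):
        return (keys,)
    return tuple(keys)


def delete_many(store, keys, continue_on_error=False, normalize=True):
    """Delete each key from store and return (deleted, failed).

    continue_on_error=False models the default described in the thread:
    the first missing key raises NotFound and later keys are not touched.
    Keys deleted before the error stay deleted; nothing is rolled back.
    continue_on_error=True collects the failures and keeps going.
    normalize=False reproduces the string-iteration failure mode.
    """
    if normalize:
        keys = normalize_keys(keys)
    deleted, failed = [], []
    for key in keys:
        if key not in store:
            if not continue_on_error:
                raise NotFound("%s: policy not found" % key)
            failed.append(key)
            continue
        del store[key]
        deleted.append(key)
    return deleted, failed


if __name__ == "__main__":
    try:
        delete_many(sample_store(), "testpolicy", normalize=False)
    except NotFound as exc:
        print("string iterated per character:", exc)
    print("normalized:", delete_many(sample_store(), "testpolicy"))
    print("continue mode:", delete_many(
        sample_store(), ["a-policy", "missing", "b-policy"],
        continue_on_error=True))
```

In the default mode a caller that catches the error cannot assume the directory is unchanged, which is why the return value in continue mode reports deleted and failed keys separately.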
From: rcritten at redhat.com (Rob Crittenden)
Date: Tue, 05 Oct 2010 21:39:00 -0400
Subject: [Freeipa-devel] Sudo Schema Bug/Feature
In-Reply-To: <13EEC62F-49E3-4806-A992-47CE110D415F@citrixonline.com>
References: <416EC0FB-8D70-4A5D-8A5C-FBBEA54C91B1@citrixonline.com> <20100930163731.GS3002@localhost.localdomain> <421210A9-CAD8-430A-885A-546F467F0DE7@citrixonline.com> <4CA50E87.409@redhat.com> <4CA8B99C.6000501@redhat.com> <4CAA3D47.6050604@redhat.com> <4CAA40E3.1030102@redhat.com> <13EEC62F-49E3-4806-A992-47CE110D415F@citrixonline.com>
Message-ID: <4CABD334.40705@redhat.com>

JR Aquino wrote:
> On Oct 4, 2010, at 2:02 PM, Rob Crittenden wrote:
>
>> Dmitri Pal wrote:
>>> Dmitri Pal wrote:
>>>> Dmitri Pal wrote:
>>>>
>>>>>> How do we adjust FreeIPA such that it ensures Deny-IPASudoRules precede any Allow-IPASudoRules?
>>>>>>
>>>>>>
>>>>>>
>>>>> So it looks like current schema would not fly well with SUDO due to SUDO
>>>>> bug/feature. SUDO will match just any first rule that satisfies the
>>>>> user-host-command combination but we can't guarantee that rules come in
>>>>> the same order. So there is a possibility that allow rule will come
>>>>> before deny rule in our case and will be matched.
>>>>> It is unfortunate and should be fixed by SUDO. In the meantime we need to
>>>>> alter the schema to be able to express allowed and not allowed commands
>>>>> in one rule.
>>>>> It will be up to the admin to know the limitations of SUDO based on the
>>>>> documentation we provide and construct the rules in a non contradicting
>>>>> way. We might be able to add some nice checks in future.
>>>>>
>>>>> So here is current schema:
>>>>>
>>>>> objectClasses: (2.16.840.1.113730.3.8.8.TBD
>>>>> NAME 'ipaSudoRule'
>>>>> SUP ipaAssociation
>>>>> STRUCTURAL
>>>>> MUST accessRuleType
>>>>> MAY ( externalUser $
>>>>> externalHost $ hostMask $
>>>>> memberCmd $ cmdCategory $
>>>>> ipaSudoOpt $
>>>>> ipaSudoRunAs $ ipaSudoRunAsExtUser $ ipaSudoRunAsUserCategory $
>>>>> ipaSudoRunAsGroup $ ipaSudoRunAsExtGroup $ ipaSudoRunAsGroupCategory )
>>>>> X-ORIGIN 'IPA v2' )
>>>>>
>>>>>
>>>>> We will :
>>>>> * Remove accessRuleType
>>>>> * Add memberNotCmd same as memberCmd
>>>>>
>>>>> attributeTypes: (2.16.840.1.113730.3.8.7.TBD
>>>>> NAME 'memberNotCmd'
>>>>> DESC 'Reference to a command or group of the commands that is not allowed.'
>>>>> SUP distinguishedName
>>>>> EQUALITY distinguishedNameMatch
>>>>> ORDERING distinguishedNameMatch
>>>>> SUBSTR distinguishedNameMatch
>>>>> SYNTAX 1.3.6.1.4.1.1466.115.121.1.12
>>>>> X-ORIGIN 'IPA v2' )
>>>>>
>>>>>
>>>>> The logic then will be:
>>>>> * If no memberCmd, memberNotCmd or cmdCategory attribute is specified -
>>>>>   no command is allowed
>>>>> * If cmdCategory is specified (only value is "all") all other attributes
>>>>>   are ignored and all commands are allowed
>>>>> * If cmdCategory is not specified
>>>>>   * If memberCmd is specified it defines commands or groups of the
>>>>>     commands that are allowed
>>>>>   * If memberNotCmd is specified it defines commands or groups of the
>>>>>     commands that are not allowed
>>>>>   Both attributes are allowed at the same time defining allowed and
>>>>>   not allowed commands within the same rule.
>>>>>
>>>>> This does not solve the problem fully but at least gets us into the same
>>>>> boat as current SUDO schema.
>>>>>
>>>>> Comments welcome!
>>>>> If there are no objections by end of Friday I will craft a patch over
>>>>> the weekend.
>>>>>
>>>>> Thanks
>>>>> Dmitri
>
>>>>>
>>>>>
>>>>>
>>>>>
>>>>
>>>> I updated the wiki and implemented the change.
>>>> Patch is attached.
>>>>
>>>>
>>>>
>>>>
>>>
>>> Rebased patch attached.
>>
>> ack, pushed to master.
>>
>> JR, can you fix up the sudo plugins to match this new schema?
>>
>> thanks
>>
>> rob
>
>
> Attached is the patch for modifications to sudorule and its test suite to accommodate the schema redesign.
>
> We now create allow rules or deny rules and no longer reference accessruletype.
>

ack, pushed to master.

The -del tests are still failing but I confirmed that with Pavel's patches these tests pass. Those patches just need a little more work.

rob

From pzuna at redhat.com Wed Oct 6 10:11:52 2010
From: pzuna at redhat.com (Pavel Zuna)
Date: Wed, 06 Oct 2010 12:11:52 +0200
Subject: [Freeipa-devel] [PATCH] Rename user-lock and user-unlock to user-enable user-disable.
In-Reply-To: <4CAB4D44.6050002@redhat.com>
References: <4CAB4902.4010506@redhat.com> <4CAB4D44.6050002@redhat.com>
Message-ID: <4CAC4B68.2070402@redhat.com>

On 10/05/2010 06:07 PM, Rob Crittenden wrote:
> Pavel Zuna wrote:
>> Also fixes related unit tests and therefore depends on my patch number
>> 28.
>>
>> Ticket #165
>>
>> Pavel
>
> This looks ok but you need to update the examples in the top help block
> too:
>
> Lock a user account:
> ipa user-lock tuser1
>
> Unlock a user account:
> ipa user-unlock tuser1
>
> Fix those and you have an ack.
>
> rob

Fixed version attached.

Pavel
-------------- next part --------------
A non-text attachment was scrubbed...
Name: pzuna-freeipa-0029-2-userlock.patch
Type: text/x-patch
Size: 3206 bytes
Desc: not available
URL:

From pzuna at redhat.com Wed Oct 6 10:13:04 2010
From: pzuna at redhat.com (Pavel Zuna)
Date: Wed, 06 Oct 2010 12:13:04 +0200
Subject: [Freeipa-devel] [PATCH] Generate additional positional arguments for baseldap commands from takes_args.
In-Reply-To: <4CABD265.6050900@redhat.com>
References: <4CAB39AC.8050408@redhat.com> <4CABD265.6050900@redhat.com>
Message-ID: <4CAC4BB0.50204@redhat.com>

On 10/06/2010 03:35 AM, Rob Crittenden wrote:
> Pavel Zuna wrote:
>> takes_args defined in a baseldap subclass is now transformed into
>> positional arguments that go after primary keys. Before this patch,
>> takes_args in crud subclasses were ignored.
>>
>> example:
>>
>> --- snip ---
>>
>> class user_something(LDAPRetrieve):
>>     takes_args = (
>>         Str('randomarg'),
>>     )
>>
>> --- snip ---
>>
>> # ipa help something
>> Usage: ipa [global-options] user-something LOGIN RANDOMARG
>>
>>
>> Pavel
>
> Nack, this breaks the pwpolicy plugin tests (though I'm not 100% sure
> why). pwpolicy-del defines its own get_args(). I'm guessing it is
> failing because the local get_args returns a string and the multivalue
> stuff is expecting a list so pulling the string apart one character at a
> time. If you run pwpolicy-del testpolicy it will fail with a not found
> on 't' policy.
>
> I think simply removing the get_args() from pwpolicy will fix it:
>
> rob

Fixed version attached.

Pavel
-------------- next part --------------
A non-text attachment was scrubbed...
Name: pzuna-freeipa-0027-2-takesargs.patch
Type: text/x-patch
Size: 2428 bytes
Desc: not available
URL:

From pzuna at redhat.com Wed Oct 6 10:13:57 2010
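The command-matching logic quoted in the "Sudo Schema Bug/Feature" message earlier in this archive, worked through as an added example (not code from the thread or from FreeIPA). It models first-match evaluation over separate allow and deny rules as that message describes it, then the single-rule evaluation with memberCmd and memberNotCmd. Assumptions not stated in the thread: a command listed in both attributes is denied, a rule with only memberNotCmd grants nothing, and the rule dicts, group names and function names are constructed for illustration.

```python
"""Constructed model of the sudo rule matching discussed in the thread."""
from itertools import permutations

# Constructed sample data. A memberCmd/memberNotCmd value may reference
# either a single command or a group of commands.
CMD_GROUPS = {
    "shells": {"/bin/sh", "/bin/bash"},
    "fileutils": {"/bin/ls", "/bin/cat", "/bin/sh"},
}


def expand(members, groups=CMD_GROUPS):
    """Resolve command names and group names to a flat set of commands."""
    commands = set()
    for member in members:
        commands |= groups.get(member, {member})
    return commands


def first_match_allows(rules, command):
    """Old schema, as the thread describes the consumer: the first rule
    whose commands match decides, so the result depends on rule order."""
    for rule in rules:
        if command in expand(rule.get("memberCmd", ())):
            return rule["accessRuleType"] == "allow"
    return False


def outcomes_over_orderings(rules, command):
    """Set of decisions reachable when the rule order is not guaranteed."""
    return {first_match_allows(order, command) for order in permutations(rules)}


def rule_allows(rule, command):
    """New schema: allowed and not-allowed commands live in one rule."""
    if rule.get("cmdCategory") == "all":
        return True  # all other attributes are ignored
    if command in expand(rule.get("memberNotCmd", ())):
        return False  # ASSUMPTION: a command in both lists is denied
    # No memberCmd (or no attributes at all) means no command is allowed.
    return command in expand(rule.get("memberCmd", ()))


# Constructed rules: /bin/sh is reachable through the allowed group
# "fileutils" and is also a member of the denied group "shells".
OLD_RULES = [
    {"accessRuleType": "allow", "memberCmd": ["fileutils"]},
    {"accessRuleType": "deny", "memberCmd": ["shells"]},
]
NEW_RULE = {"memberCmd": ["fileutils"], "memberNotCmd": ["shells"]}

if __name__ == "__main__":
    for cmd in ("/bin/ls", "/bin/sh"):
        print(cmd, "old schema outcomes:", outcomes_over_orderings(OLD_RULES, cmd),
              "new schema:", rule_allows(NEW_RULE, cmd))
```

A command whose outcome set contains both True and False is one where the deny rule can be bypassed purely by retrieval order, which is the condition worth checking for when auditing rules written against the old schema.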
From: pzuna at redhat.com (Pavel Zuna)
Date: Wed, 06 Oct 2010 12:13:57 +0200
Subject: [Freeipa-devel] [PATCH] Add 'continuous' mode to LDAPDelete. Fix *-del unit tests.
In-Reply-To: <4CABD2DF.8030306@redhat.com>
References: <4CAB3A77.70901@redhat.com> <4CABD2DF.8030306@redhat.com>
Message-ID: <4CAC4BE5.2050601@redhat.com>

On 10/06/2010 03:37 AM, Rob Crittenden wrote:
> Pavel Zuna wrote:
>> All LDAPMultiQuery sub-classes (currently only LDAPDelete) now have the
>> --continuous flag (off by default). The flag should indicate that the
>> command shouldn't stop on errors and continue operation with the next
>> primary key on the arguments lists.
>>
>> This effectively fixes *-del unit tests, because continuous mode is off
>> by default. (It was on before this patch and there was no option to turn
>> it off.)
>>
>> Ticket #321
>>
>> Pavel
>
> The migration plugin and pending automount plugin patch already define
> an attribute for continuous operation though it is named continue
> instead. We should pick one and be consistent. I like continue because
> it's easier to type.
>
> rob

Fixed version attached.

Pavel
-------------- next part --------------
A non-text attachment was scrubbed...
Name: pzuna-freeipa-0028-2-fixdeltests.patch
Type: text/x-patch
Size: 1298 bytes
Desc: not available
URL:

From pzuna at redhat.com Wed Oct 6 12:05:07 2010
From: pzuna at redhat.com (Pavel Zuna)
Date: Wed, 06 Oct 2010 14:05:07 +0200
Subject: [Freeipa-devel] [PATCH] Fix attribute callbacks on details pages in the webUI.
Message-ID: <4CAC65F3.30604@redhat.com>

Fixes bug reported by Adam in internal discussion.

Ticket #326

Pavel
-------------- next part --------------
A non-text attachment was scrubbed...
Name: pzuna-freeipa-0030-detailscallbacks.patch
Type: text/x-patch
Size: 1498 bytes
Desc: not available
URL:

From rcritten at redhat.com Wed Oct 6 13:20:58 2010
From: rcritten at redhat.com (Rob Crittenden)
Date: Wed, 06 Oct 2010 09:20:58 -0400
Subject: [Freeipa-devel] [PATCH] Rename user-lock and user-unlock to user-enable user-disable.
In-Reply-To: <4CAC4B68.2070402@redhat.com>
References: <4CAB4902.4010506@redhat.com> <4CAB4D44.6050002@redhat.com> <4CAC4B68.2070402@redhat.com>
Message-ID: <4CAC77BA.6030909@redhat.com>

Pavel Zuna wrote:
> On 10/05/2010 06:07 PM, Rob Crittenden wrote:
>> Pavel Zuna wrote:
>>> Also fixes related unit tests and therefore depends on my patch number
>>> 28.
>>>
>>> Ticket #165
>>>
>>> Pavel
>>
>> This looks ok but you need to update the examples in the top help block
>> too:
>>
>> Lock a user account:
>> ipa user-lock tuser1
>>
>> Unlock a user account:
>> ipa user-unlock tuser1
>>
>> Fix those and you have an ack.
>>
>> rob
>
> Fixed version attached.
>
> Pavel

ack, pushed to master

From rcritten at redhat.com Wed Oct 6 13:21:06 2010
From: rcritten at redhat.com (Rob Crittenden)
Date: Wed, 06 Oct 2010 09:21:06 -0400
Subject: [Freeipa-devel] [PATCH] Generate additional positional arguments for baseldap commands from takes_args.
In-Reply-To: <4CAC4BB0.50204@redhat.com>
References: <4CAB39AC.8050408@redhat.com> <4CABD265.6050900@redhat.com> <4CAC4BB0.50204@redhat.com>
Message-ID: <4CAC77C2.1060501@redhat.com>

Pavel Zuna wrote:
> On 10/06/2010 03:35 AM, Rob Crittenden wrote:
>> Pavel Zuna wrote:
>>> takes_args defined in a baseldap subclass is now transformed into
>>> positional arguments that go after primary keys. Before this patch,
>>> takes_args in crud subclasses were ignored.
>>>
>>> example:
>>>
>>> --- snip ---
>>>
>>> class user_something(LDAPRetrieve):
>>>     takes_args = (
>>>         Str('randomarg'),
>>>     )
>>>
>>> --- snip ---
>>>
>>> # ipa help something
>>> Usage: ipa [global-options] user-something LOGIN RANDOMARG
>>>
>>>
>>> Pavel
>>
>> Nack, this breaks the pwpolicy plugin tests (though I'm not 100% sure
>> why). pwpolicy-del defines its own get_args(). I'm guessing it is
>> failing because the local get_args returns a string and the multivalue
>> stuff is expecting a list so pulling the string apart one character at a
>> time. If you run pwpolicy-del testpolicy it will fail with a not found
>> on 't' policy.
>>
>> I think simply removing the get_args() from pwpolicy will fix it:
>>
>> rob
>
> Fixed version attached.
>
> Pavel

ack, pushed to master

From rcritten at redhat.com Wed Oct 6 13:21:14 2010
From: rcritten at redhat.com (Rob Crittenden)
Date: Wed, 06 Oct 2010 09:21:14 -0400
Subject: [Freeipa-devel] [PATCH] Add 'continuous' mode to LDAPDelete. Fix *-del unit tests.
In-Reply-To: <4CAC4BE5.2050601@redhat.com>
References: <4CAB3A77.70901@redhat.com> <4CABD2DF.8030306@redhat.com> <4CAC4BE5.2050601@redhat.com>
Message-ID: <4CAC77CA.1050007@redhat.com>

Pavel Zuna wrote:
> On 10/06/2010 03:37 AM, Rob Crittenden wrote:
>> Pavel Zuna wrote:
>>> All LDAPMultiQuery sub-classes (currently only LDAPDelete) now have the
>>> --continuous flag (off by default). The flag should indicate that the
>>> command shouldn't stop on errors and continue operation with the next
>>> primary key on the arguments lists.
>>>
>>> This effectively fixes *-del unit tests, because continuous mode is off
>>> by default. (It was on before this patch and there was no option to turn
>>> it off.)
>>>
>>> Ticket #321
>>>
>>> Pavel
>>
>> The migration plugin and pending automount plugin patch already define
>> an attribute for continuous operation though it is named continue
>> instead. We should pick one and be consistent. I like continue because
>> it's easier to type.
>>
>> rob
>
> Fixed version attached.
>
> Pavel

ack, pushed to master

From rcritten at redhat.com Wed Oct 6 13:24:32 2010
From: rcritten at redhat.com (Rob Crittenden)
Date: Wed, 06 Oct 2010 09:24:32 -0400
Subject: [Freeipa-devel] [PATCH] 559 update ipa-getkeytab man page
In-Reply-To: <4CABC8FF.9080005@redhat.com>
References: <4CAB884F.4000400@redhat.com> <4CABC8FF.9080005@redhat.com>
Message-ID: <4CAC7890.7080708@redhat.com>

David O'Brien wrote:
> Rob Crittenden wrote:
>> Add some missing options to the ipa-getkeytab man page.
>>
>> rob
>>
>>
> Can you be consistent with "Kerberos" instead of adding "kerberos" to
> the mix as well (unless necessary, of course)?
>
> If my understanding is correct, I'd update the following:
> "The LDAP password when not binding with Kerberos." to include
> "...password to use when not..."
>
> cheers

Updated patch attached.

rob
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-559-2-man.patch
Type: application/mbox
Size: 4109 bytes
Desc: not available
URL:

From pzuna at redhat.com Wed Oct 6 13:51:20 2010
From: pzuna at redhat.com (Pavel Zuna)
Date: Wed, 06 Oct 2010 15:51:20 +0200
Subject: [Freeipa-devel] [PATCH] Fix inconsistent error message when deleting groups that don't exist.
Message-ID: <4CAC7ED8.4020200@redhat.com>

The pre_callback in group_del was using a direct ldap2 call with no
exception handling.

Ticket #292

Pavel
-------------- next part --------------
A non-text attachment was scrubbed...
Name: pzuna-freeipa-0031-groupdelerr.patch
Type: text/x-patch
Size: 992 bytes
Desc: not available
URL:

From rcritten at redhat.com Wed Oct 6 14:02:23 2010
From: rcritten at redhat.com (Rob Crittenden)
Date: Wed, 06 Oct 2010 10:02:23 -0400
Subject: [Freeipa-devel] [PATCH] Fix inconsistent error message when deleting groups that don't exist.
In-Reply-To: <4CAC7ED8.4020200@redhat.com>
References: <4CAC7ED8.4020200@redhat.com>
Message-ID: <4CAC816F.6090005@redhat.com>

Pavel Zuna wrote:
> The pre_callback in group_del was using a direct ldap2 call with no
> exception handling.
>
> Ticket #292
>
> Pavel

ack, pushed to master

From ssorce at redhat.com Wed Oct 6 15:41:34 2010
From: ssorce at redhat.com (Simo Sorce)
Date: Wed, 6 Oct 2010 11:41:34 -0400
Subject: [Freeipa-devel] [PATCH] fix uninstall with bind
Message-ID: <20101006114134.3c2bd3c3@willson.li.ssimo.org>

During uninstall we were asking useless questions about removing SRV
and NS records from LDAP.
An uninstall implies the LDAP repository will be wiped out anyway.
Avoid asking these questions and just let the dirsrv uninstall code
remove all contents.

Simo.

--
Simo Sorce * Red Hat, Inc * New York
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0001-install-script-Do-not-ask-to-remove-DNS-data.patch
Type: text/x-patch
Size: 2980 bytes
Desc: not available
URL:

From edewata at redhat.com Wed Oct 6 17:03:08 2010
From: edewata at redhat.com (Endi Sukma Dewata)
Date: Wed, 6 Oct 2010 13:03:08 -0400 (EDT)
Subject: [Freeipa-devel] [PATCH] Fix attribute callbacks on details pages in the webUI.
In-Reply-To: <4CAC65F3.30604@redhat.com>
Message-ID: <1432561489.58031286384588359.JavaMail.root@zmail05.collab.prod.int.phx2.redhat.com>

----- "Pavel Zuna" wrote:

> Fixes bug reported by Adam in internal discussion.
>
> Ticket #326
>
> Pavel

ACK'd and pushed to master.

--
Endi S. Dewata

From rcritten at redhat.com Wed Oct 6 17:51:22 2010
From: rcritten at redhat.com (Rob Crittenden)
Date: Wed, 06 Oct 2010 13:51:22 -0400
Subject: [Freeipa-devel] [PATCH] 561 set default python encoding to utf-8
Message-ID: <4CACB71A.90103@redhat.com>

Add a module that we will load that will set the default encoding to utf-8 instead of ascii.

$ python
>>> import sys
>>> sys.getdefaultencoding()
'ascii'
>>> import default_encoding_utf8
>>> sys.getdefaultencoding()
'utf-8'

This will be linked into IPA in a future patch.

The code was written by John, I'm just packaging it, so he gets all the credit :-)

Since I was messing with the spec file I also removed glob that was pulling in a slew of duplicate files for the UI.

rob
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-561-encoding.patch
Type: application/mbox
Size: 7683 bytes
Desc: not available
URL:

From rcritten at redhat.com Wed Oct 6 17:59:49 2010
From: rcritten at redhat.com (Rob Crittenden)
Date: Wed, 06 Oct 2010 13:59:49 -0400
Subject: [Freeipa-devel] [PATCH] fix uninstall with bind
In-Reply-To: <20101006114134.3c2bd3c3@willson.li.ssimo.org>
References: <20101006114134.3c2bd3c3@willson.li.ssimo.org>
Message-ID: <4CACB915.3060403@redhat.com>

Simo Sorce wrote:
>
> During uninstall we were asking useless questions about removing SRV
> and NS records from LDAP.
> An uninstall implies the LDAP repository will be wiped out anyway.
> Avoid asking these questions and just let the dirsrv uninstall code
> remove all contents.
>
> Simo.

The addition of 'pass' is unnecessary, otherwise ack.

rob

From rcritten at redhat.com Wed Oct 6 18:12:40 2010
From: rcritten at redhat.com (Rob Crittenden)
Date: Wed, 06 Oct 2010 14:12:40 -0400
Subject: [Freeipa-devel] [PATCH] 562 set default encoding, print as unicode
Message-ID: <4CACBC18.2010005@redhat.com>

Set default encoding to utf-8, use unicode when printing output.

The Gettext() object only does the lookup when you print it as a unicode.

ticket 308

This patch indirectly relies on patch 561 which provides the encoding plugin that this loads.

rob
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-562-encoding.patch
Type: application/mbox
Size: 1946 bytes
Desc: not available
URL:

From rcritten at redhat.com Wed Oct 6 20:51:30 2010
From: rcritten at redhat.com (Rob Crittenden)
Date: Wed, 06 Oct 2010 16:51:30 -0400
Subject: [Freeipa-devel] [PATCH] 563 use unique names for acis
Message-ID: <4CACE152.9010303@redhat.com>

Copy/paste error where I didn't replace Hosts with Hostgroups in aci name.

rob
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-563-unique.patch
Type: application/mbox
Size: 1626 bytes
Desc: not available
URL:

From rcritten at redhat.com Wed Oct 6 20:54:42 2010
From: rcritten at redhat.com (Rob Crittenden)
Date: Wed, 06 Oct 2010 16:54:42 -0400
Subject: [Freeipa-devel] [PATCH] 564 fix some aci typos
Message-ID: <4CACE212.6050604@redhat.com>

I mis-spelled the admins group with an extra s which was causing some
things to not work as admin.

I also noticed a couple of spurious 'aci' in some descriptions, remove
those as well.

rob
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-564-aci.patch
Type: application/mbox
Size: 3166 bytes
Desc: not available
URL:

From rcritten at redhat.com Wed Oct 6 20:56:21 2010
From: rcritten at redhat.com (Rob Crittenden)
Date: Wed, 06 Oct 2010 16:56:21 -0400
Subject: [Freeipa-devel] [PATCH] properly check for ldap headers
In-Reply-To: <20101005174537.56be4776@willson.li.ssimo.org>
References: <20101005174537.56be4776@willson.li.ssimo.org>
Message-ID: <4CACE275.4050202@redhat.com>

Simo Sorce wrote:
>
> We need to always use mozldap ldap headers for slapi plugins, until
> 389 ds moves to openldap libs.
> But at the same time we want to move to openldap libs for anything else.
>
> Fix configure/makefile to always check for openldap libs and always use
> them in anything but slapi plugins.
>
> (fixes bz#464564/trac#221)
>
> Simo.

ack

From rcritten at redhat.com Wed Oct 6 20:56:31 2010
From: rcritten at redhat.com (Rob Crittenden)
Date: Wed, 06 Oct 2010 16:56:31 -0400
Subject: [Freeipa-devel] [PATCH] set attribute when changing passwords
In-Reply-To: <20101005192507.45e541c2@willson.li.ssimo.org>
References: <20101005192507.45e541c2@willson.li.ssimo.org>
Message-ID: <4CACE27F.2030204@redhat.com>

Simo Sorce wrote:
>
> Set the sambaPwdLastSet when changing password for a user that has the
> sambaSamAccount objectclass, so that samba is kept in sync with the
> status of the user account wrt whether the user needs to change the
> password or not.
>
> fixes trac#313
>
> Simo.

ack

From edewata at redhat.com Wed Oct 6 21:00:46 2010
From: edewata at redhat.com (Endi Sukma Dewata)
Date: Wed, 6 Oct 2010 17:00:46 -0400 (EDT)
Subject: [Freeipa-devel] [PATCH] Displaying AJAX URL in error message.
In-Reply-To: <450109907.85031286398817662.JavaMail.root@zmail05.collab.prod.int.phx2.redhat.com>
Message-ID: <44900627.85101286398846521.JavaMail.root@zmail05.collab.prod.int.phx2.redhat.com>

Hi,

Please review the attached patch. Thanks!

The ipa_error_handler() has been modified to display the AJAX URL
that is having a problem. The ipa_cmd() error handler is now invoked
using call() to pass 'this' object which contains the URL.

--
Endi S. Dewata
-------------- next part --------------
A non-text attachment was scrubbed...
Name: edewata-freeipa-0018-Displaying-AJAX-URL-in-error-message.patch
Type: text/x-patch
Size: 4830 bytes
Desc: not available
URL:

From rcritten at redhat.com Wed Oct 6 21:01:20 2010
From: rcritten at redhat.com (Rob Crittenden)
Date: Wed, 06 Oct 2010 17:01:20 -0400
Subject: [Freeipa-devel] [PATCH] 560 server generates random password for host
Message-ID: <4CACE3A0.9020803@redhat.com>

For bulk host enrollment let the server generate a random password when creating a host.

rob
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-560-host.patch
Type: application/mbox
Size: 4238 bytes
Desc: not available
URL:

From ayoung at redhat.com Wed Oct 6 21:21:40 2010
From: ayoung at redhat.com (Adam Young)
Date: Wed, 06 Oct 2010 17:21:40 -0400
Subject: [Freeipa-devel] [PATCH] Displaying AJAX URL in error message.
In-Reply-To: <44900627.85101286398846521.JavaMail.root@zmail05.collab.prod.int.phx2.redhat.com>
References: <44900627.85101286398846521.JavaMail.root@zmail05.collab.prod.int.phx2.redhat.com>
Message-ID: <4CACE864.1080608@redhat.com>

On 10/06/2010 05:00 PM, Endi Sukma Dewata wrote:
> Hi,
>
> Please review the attached patch. Thanks!
>
> The ipa_error_handler() has been modified to display the AJAX URL
> that is having a problem. The ipa_cmd() error handler is now invoked
> using call() to pass 'this' object which contains the URL.
>
> --
> Endi S. Dewata
>
>
>
> _______________________________________________
> Freeipa-devel mailing list
> Freeipa-devel at redhat.com
> https://www.redhat.com/mailman/listinfo/freeipa-devel

ACK
-------------- next part --------------
An HTML attachment was scrubbed...
URL:

From ayoung at redhat.com Wed Oct 6 21:30:10 2010
From: ayoung at redhat.com (Adam Young)
Date: Wed, 06 Oct 2010 17:30:10 -0400
Subject: [Freeipa-devel] [PATCH] admiyo-freeipa-0052-policy-and-config.patch
Message-ID: <4CACEA62.8010808@redhat.com>

Population of the policy and entities tabs.
DNS and ACI are broken due to Plugin issues
Fix for entities without search
Added new files to Makefile.am
used rolegroup.js file as the start point, renamed to serverconfig.js
-------------- next part --------------
A non-text attachment was scrubbed...
Name: admiyo-freeipa-0052-policy-and-config.patch
Type: text/x-patch
Size: 17635 bytes
Desc: not available
URL:

From edewata at redhat.com Wed Oct 6 21:29:34 2010
From: edewata at redhat.com (Endi Sukma Dewata)
Date: Wed, 6 Oct 2010 17:29:34 -0400 (EDT)
Subject: [Freeipa-devel] [PATCH] 564 fix some aci typos
In-Reply-To: <4CACE212.6050604@redhat.com>
Message-ID: <908685722.88591286400574781.JavaMail.root@zmail05.collab.prod.int.phx2.redhat.com>

----- "Rob Crittenden" wrote:

> I mis-spelled the admins group with an extra s which was causing some
> things to not work as admin.
>
> I also noticed a couple of spurious 'aci' in some descriptions, remove
> those as well.
>
> rob

NACK. The spurious 'aci' should have been 'acl' according to DS docs.

--
Endi S. Dewata

From ayoung at redhat.com Wed Oct 6 21:31:13 2010
From: ayoung at redhat.com (Adam Young)
Date: Wed, 06 Oct 2010 17:31:13 -0400
Subject: [Freeipa-devel] [PATCH] admiyo-freeipa-0053-policy-and-config-sample-data.patch
Message-ID: <4CACEAA1.1080600@redhat.com>

Sample data for config and policy entities.

From edewata at redhat.com Wed Oct 6 21:32:53 2010
From: edewata at redhat.com (Endi Sukma Dewata)
Date: Wed, 6 Oct 2010 17:32:53 -0400 (EDT)
Subject: [Freeipa-devel] [PATCH] Displaying AJAX URL in error message.
In-Reply-To: <4CACE864.1080608@redhat.com>
Message-ID: <523963836.88971286400773267.JavaMail.root@zmail05.collab.prod.int.phx2.redhat.com>

----- "Adam Young" wrote:

> On 10/06/2010 05:00 PM, Endi Sukma Dewata wrote:
>
> The ipa_error_handler() has been modified to display the AJAX URL
> that is having a problem. The ipa_cmd() error handler is now invoked
> using call() to pass 'this' object which contains the URL.
>
> --
> Endi S. Dewata
> ACK

Thanks. Pushed to master.

--
Endi S. Dewata

From rcritten at redhat.com Wed Oct 6 21:33:49 2010
From: rcritten at redhat.com (Rob Crittenden)
Date: Wed, 06 Oct 2010 17:33:49 -0400
Subject: [Freeipa-devel] [PATCH] 564 fix some aci typos
In-Reply-To: <908685722.88591286400574781.JavaMail.root@zmail05.collab.prod.int.phx2.redhat.com>
References: <908685722.88591286400574781.JavaMail.root@zmail05.collab.prod.int.phx2.redhat.com>
Message-ID: <4CACEB3D.7050302@redhat.com>

Endi Sukma Dewata wrote:
> ----- "Rob Crittenden" wrote:
>
>> I mis-spelled the admins group with an extra s which was causing some
>> things to not work as admin.
>>
>> I also noticed a couple of spurious 'aci' in some descriptions, remove
>> those as well.
>>
>> rob
>
> NACK. The spurious 'aci' should have been 'acl' according to DS docs.
>
> --
> Endi S. Dewata

Updated patch attached.

rob
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-564-2-aci.patch
Type: application/mbox
Size: 3174 bytes
Desc: not available
URL:

From ayoung at redhat.com Wed Oct 6 21:43:02 2010
From: ayoung at redhat.com (Adam Young)
Date: Wed, 06 Oct 2010 17:43:02 -0400
Subject: [Freeipa-devel] [PATCH] admiyo-freeipa-0053-policy-and-config-sample-data.patch
In-Reply-To: <4CACEAA1.1080600@redhat.com>
References: <4CACEAA1.1080600@redhat.com>
Message-ID: <4CACED66.1070203@redhat.com>

On 10/06/2010 05:31 PM, Adam Young wrote:
> Sample data for config and policy entities.
>
> _______________________________________________
> Freeipa-devel mailing list
> Freeipa-devel at redhat.com
> https://www.redhat.com/mailman/listinfo/freeipa-devel

Now with whitespace cleanup.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: admiyo-freeipa-0053-2-policy-and-config-sample-data.patch
Type: text/x-patch
Size: 54006 bytes
Desc: not available
URL:

From ayoung at redhat.com Wed Oct 6 21:44:07 2010
From: ayoung at redhat.com (Adam Young)
Date: Wed, 06 Oct 2010 17:44:07 -0400
Subject: [Freeipa-devel] [PATCH] 563 use unique names for acis
In-Reply-To: <4CACE152.9010303@redhat.com>
References: <4CACE152.9010303@redhat.com>
Message-ID: <4CACEDA7.5060505@redhat.com>

On 10/06/2010 04:51 PM, Rob Crittenden wrote:
> Copy/paste error where I didn't replace Hosts with Hostgroups in aci
> name.
>
> rob
>
>
> _______________________________________________
> Freeipa-devel mailing list
> Freeipa-devel at redhat.com
> https://www.redhat.com/mailman/listinfo/freeipa-devel

ACK
-------------- next part --------------
An HTML attachment was scrubbed...
URL:

From edewata at redhat.com Wed Oct 6 21:53:14 2010
From: edewata at redhat.com (Endi Sukma Dewata)
Date: Wed, 6 Oct 2010 17:53:14 -0400 (EDT)
Subject: [Freeipa-devel] [PATCH] 564 fix some aci typos
In-Reply-To: <762149432.90211286401876621.JavaMail.root@zmail05.collab.prod.int.phx2.redhat.com>
Message-ID: <1709479676.90281286401994099.JavaMail.root@zmail05.collab.prod.int.phx2.redhat.com>

----- "Rob Crittenden" wrote:

> >> I mis-spelled the admins group with an extra s which was causing some
> >> things to not work as admin.
> >>
> >> I also noticed a couple of spurious 'aci' in some descriptions, remove
> >> those as well.
> >
> > NACK. The spurious 'aci' should have been 'acl' according to DS docs.
>
> Updated patch attached.

ACK and pushed to master.

--
Endi S. Dewata

From edewata at redhat.com Wed Oct 6 21:53:49 2010
From: edewata at redhat.com (Endi Sukma Dewata)
Date: Wed, 6 Oct 2010 17:53:49 -0400 (EDT)
Subject: [Freeipa-devel] [PATCH] 563 use unique names for acis
In-Reply-To: <4CACEDA7.5060505@redhat.com>
Message-ID: <2142979257.90331286402029198.JavaMail.root@zmail05.collab.prod.int.phx2.redhat.com>

----- "Adam Young" wrote:

> Copy/paste error where I didn't replace Hosts with Hostgroups in aci
> name.
> ACK

Pushed to master.

--
Endi S. Dewata

From ayoung at redhat.com Wed Oct 6 21:57:57 2010
From: ayoung at redhat.com (Adam Young)
Date: Wed, 06 Oct 2010 17:57:57 -0400
Subject: [Freeipa-devel] [PATCH] admiyo-freeipa-0053-policy-and-config-sample-data.patch
In-Reply-To: <4CACED66.1070203@redhat.com>
References: <4CACEAA1.1080600@redhat.com> <4CACED66.1070203@redhat.com>
Message-ID: <4CACF0E5.2030805@redhat.com>

On 10/06/2010 05:43 PM, Adam Young wrote:
> On 10/06/2010 05:31 PM, Adam Young wrote:
>> Sample data for config and policy entities.
>>
>> _______________________________________________
>> Freeipa-devel mailing list
>> Freeipa-devel at redhat.com
>> https://www.redhat.com/mailman/listinfo/freeipa-devel
> Now with whitespace cleanup.
>
>
> _______________________________________________
> Freeipa-devel mailing list
> Freeipa-devel at redhat.com
> https://www.redhat.com/mailman/listinfo/freeipa-devel

No, I mean *this* time with whitespace cleanup.
-------------- next part --------------
An HTML attachment was scrubbed...
URL:
-------------- next part --------------
A non-text attachment was scrubbed...
Name: admiyo-freeipa-0053-3-policy-and-config-sample-data.patch
Type: text/x-patch
Size: 53727 bytes
Desc: not available
URL:

From edewata at redhat.com Wed Oct 6 22:13:09 2010
From: edewata at redhat.com (Endi Sukma Dewata)
Date: Wed, 6 Oct 2010 18:13:09 -0400 (EDT)
Subject: [Freeipa-devel] [PATCH] admiyo-freeipa-0053-policy-and-config-sample-data.patch
In-Reply-To: <4CACF0E5.2030805@redhat.com>
Message-ID: <2122415733.91801286403189288.JavaMail.root@zmail05.collab.prod.int.phx2.redhat.com>

----- "Adam Young" wrote:

> Sample data for config and policy entities.

ACK with note: Rob fixed ACI duplicates in his patch #564 so the
aci_find.json will need to be fixed later.

--
Endi S. Dewata

From ayoung at redhat.com Wed Oct 6 23:06:56 2010
From: ayoung at redhat.com (Adam Young)
Date: Wed, 06 Oct 2010 19:06:56 -0400
Subject: [Freeipa-devel] [PATCH] admiyo-freeipa-0054-dns-metadata.patch
Message-ID: <4CAD0110.4060209@redhat.com>

In order to generate the metadata, the dns plugin needs to have a
__json__ method. Long term, this should be rewritten as a baseldap
extension.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: admiyo-freeipa-0054-dns-metadata.patch
Type: text/x-patch
Size: 2466 bytes
Desc: not available
URL:

From ayoung at redhat.com Wed Oct 6 23:30:07 2010
From: ayoung at redhat.com (Adam Young)
Date: Wed, 06 Oct 2010 19:30:07 -0400
Subject: [Freeipa-devel] [PATCH] admiyo-freeipa-0052-policy-and-config.patch
In-Reply-To: <4CACEA62.8010808@redhat.com>
References: <4CACEA62.8010808@redhat.com>
Message-ID: <4CAD067F.7080700@redhat.com>

On 10/06/2010 05:30 PM, Adam Young wrote:
> Population of the policy and entities tabs.
> DNS and ACI are broken due to Plugin issues
> Fix for entities without search
> Added new files to Makefile.am
> used rolegroup.js file as the start point, renamed to
> serverconfig.js
>
>
> _______________________________________________
> Freeipa-devel mailing list
> Freeipa-devel at redhat.com
> https://www.redhat.com/mailman/listinfo/freeipa-devel

Missed the Makefile.am additions necessary to pick up the .js files
-------------- next part --------------
An HTML attachment was scrubbed...
URL:
-------------- next part --------------
A non-text attachment was scrubbed...
Name: admiyo-freeipa-0052-2-policy-and-config.patch
Type: text/x-patch
Size: 18064 bytes
Desc: not available
URL:

From jdennis at redhat.com Wed Oct 6 23:31:59 2010
From: jdennis at redhat.com (John Dennis)
Date: Wed, 06 Oct 2010 19:31:59 -0400
Subject: [Freeipa-devel] [PATCH 17/17] Add new translations for es (Spanish) and pl (Polish)
Message-ID: <4CAD06EF.1030600@redhat.com>

> ipa.pot has 414 messages. There are 17 po translation files.
> bn_IN: 24/414 5.8% 390 po untranslated, 0 missing, 390 untranslated
> de: 0/414 0.0% 414 po untranslated, 0 missing, 414 untranslated
> es: 414/414 100.0% 0 po untranslated, 0 missing, 0 untranslated
> fr: 0/414 0.0% 414 po untranslated, 0 missing, 414 untranslated
> id: 121/414 29.2% 293 po untranslated, 0 missing, 293 untranslated
> he: 0/414 0.0% 414 po untranslated, 0 missing, 414 untranslated
> it: 0/414 0.0% 414 po untranslated, 0 missing, 414 untranslated
> ja: 0/414 0.0% 414 po untranslated, 0 missing, 414 untranslated
> kn: 348/414 84.1% 66 po untranslated, 0 missing, 66 untranslated
> ko: 0/414 0.0% 414 po untranslated, 0 missing, 414 untranslated
> pl: 414/414 100.0% 0 po untranslated, 0 missing, 0 untranslated
> pt: 0/414 0.0% 414 po untranslated, 0 missing, 414 untranslated
> pt_BR: 0/414 0.0% 414 po untranslated, 0 missing, 414 untranslated
> ru: 135/414 32.6% 279 po untranslated, 0 missing, 279 untranslated
> uk: 414/414 100.0% 0 po untranslated, 0 missing, 0 untranslated
> zh_CN: 185/414 44.7% 229 po untranslated, 0 missing, 229 untranslated
> zh_TW: 0/414 0.0% 414 po untranslated, 0 missing, 414 untranslated

--
John Dennis

Looking to carve out IT costs?
www.redhat.com/carveoutcosts/
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0017-Add-new-translations-for-es-Spanish-and-pl-Polish.patch
Type: text/x-patch
Size: 50945 bytes
Desc: not available
URL:

From mgregg at redhat.com Wed Oct 6 23:56:27 2010
From: mgregg at redhat.com (Michael Gregg)
Date: Wed, 06 Oct 2010 16:56:27 -0700
Subject: [Freeipa-devel] netgroup help
Message-ID: <4CAD0CAB.7020804@redhat.com>

I'm trying to add groups and users to a netgroup, I'm doing things
like the following:

[root at ipaqa64vmb ~]# ipa netgroup-add-member --groups=group1 n1
Netgroup name: n1
Description: aa
NIS domain name: testdomain
-------------------------
Number of members added 0
-------------------------

Number of members added 0?
group1 exists, and netgroup n1 exists.
Am I doing this right? Is this a bug?

Michael-

From ayoung at redhat.com Wed Oct 6 23:58:20 2010
From: ayoung at redhat.com (Adam Young)
Date: Wed, 06 Oct 2010 19:58:20 -0400
Subject: [Freeipa-devel] [PATCH] admiyo-freeipa-0052-policy-and-config.patch
In-Reply-To: <4CAD067F.7080700@redhat.com>
References: <4CACEA62.8010808@redhat.com> <4CAD067F.7080700@redhat.com>
Message-ID: <4CAD0D1C.9040800@redhat.com>

On 10/06/2010 07:30 PM, Adam Young wrote:
> On 10/06/2010 05:30 PM, Adam Young wrote:
>> Population of the policy and entities tabs.
>> DNS and ACI are broken due to Plugin issues
>> Fix for entities without search
>> Added new files to Makefile.am
>> used rolegroup.js file as the start point, renamed to
>> serverconfig.js
>>
>>
>> _______________________________________________
>> Freeipa-devel mailing list
>> Freeipa-devel at redhat.com
>> https://www.redhat.com/mailman/listinfo/freeipa-devel
> Missed the Makefile.am additions necessary to pick up the .js files
>
>
> _______________________________________________
> Freeipa-devel mailing list
> Freeipa-devel at redhat.com
> https://www.redhat.com/mailman/listinfo/freeipa-devel

Fixes an issue with missing pkey for the config page.
-------------- next part --------------
An HTML attachment was scrubbed...
URL:
-------------- next part --------------
A non-text attachment was scrubbed...
Name: admiyo-freeipa-0052-3-policy-and-config.patch
Type: text/x-patch
Size: 18817 bytes
Desc: not available
URL:

From ayoung at redhat.com Thu Oct 7 00:19:22 2010
From: ayoung at redhat.com (Adam Young)
Date: Wed, 06 Oct 2010 20:19:22 -0400
Subject: [Freeipa-devel] netgroup help
In-Reply-To: <4CAD0CAB.7020804@redhat.com>
References: <4CAD0CAB.7020804@redhat.com>
Message-ID: <4CAD120A.9040507@redhat.com>

On 10/06/2010 07:56 PM, Michael Gregg wrote:
> I'm trying to add groups and users to a netgroup, I'm doing things
> like the following:
>
> [root at ipaqa64vmb ~]# ipa netgroup-add-member --groups=group1 n1
> Netgroup name: n1
> Description: aa
> NIS domain name: testdomain
> -------------------------
> Number of members added 0
> -------------------------

It looks right to me. Here's my output:

ipa netgroup-add-member --groups=muppets --hostgroups=host-live net-live
Netgroup name: net-live
Description: live servers
NIS domain name: ayoung.boston.devel.redhat.com
Member Group: muppets
Member Hostgroup: host-live
-------------------------
Number of members added 2
-------------------------
[ayoung at ipa freeipa]$ ipa netgroup-show net-live
Netgroup name: net-live
Description: live servers
NIS domain name: ayoung.boston.devel.redhat.com
Member Group: muppets
Member Hostgroup: host-live

So something else must be going wrong. I assume that both group1 and
netgroup n1 already exist in your system? Or maybe they have already
been added to the netgroup? If you try to add the same entities more
than once, the call succeeds, but the container remains unchanged.

>
>
> Number of members added 0?
> group1 exists, and netgroup n1 exists.
> Am I doing this right? Is this a bug?
>
> Michael-
>
> _______________________________________________
> Freeipa-devel mailing list
> Freeipa-devel at redhat.com
> https://www.redhat.com/mailman/listinfo/freeipa-devel

From davido at redhat.com Thu Oct 7 01:07:37 2010
From: davido at redhat.com (David O'Brien)
Date: Thu, 07 Oct 2010 11:07:37 +1000
Subject: [Freeipa-devel] [PATCH] 559 update ipa-getkeytab man page
In-Reply-To: <4CAC7890.7080708@redhat.com>
References: <4CAB884F.4000400@redhat.com> <4CABC8FF.9080005@redhat.com> <4CAC7890.7080708@redhat.com>
Message-ID: <4CAD1D59.5010305@redhat.com>

Rob Crittenden wrote:
> David O'Brien wrote:
>> Rob Crittenden wrote:
>>> Add some missing options to the ipa-getkeytab man page.
>>>
>>> rob
>>>
>>>
>> Can you be consistent with "Kerberos" instead of adding "kerberos" to
>> the mix as well (unless necessary, of course)?
>>
>> If my understanding is correct, I'd update the following:
>> "The LDAP password when not binding with Kerberos." to include
>> "...password to use when not..."
>>
>> cheers
>
> Updated patch attached.
>
> rob

No more complaints from me.
(I'm purposely not using "nack" or "ack" because I don't write man
pages, and haven't tried to apply this patch. I'm just checking a bit
of English.)

--
David O'Brien
Red Hat APAC Pty Ltd

"We couldn't care less about comfort. We make you feel good."
Federico Minoli CEO Ducati Motor S.p.A.

From ssorce at redhat.com Thu Oct 7 11:55:02 2010
From: ssorce at redhat.com (Simo Sorce)
Date: Thu, 7 Oct 2010 07:55:02 -0400
Subject: [Freeipa-devel] [PATCH] fix uninstall with bind
In-Reply-To: <4CACB915.3060403@redhat.com>
References: <20101006114134.3c2bd3c3@willson.li.ssimo.org> <4CACB915.3060403@redhat.com>
Message-ID: <20101007075502.16199bb0@willson.li.ssimo.org>

On Wed, 06 Oct 2010 13:59:49 -0400 Rob Crittenden wrote:

> Simo Sorce wrote:
> >
> > During uninstall we were asking useless questions about removing SRV
> > and NS records from LDAP.
> > An uninstall implies the LDAP repository will be wiped out anyway.
> > Avoid asking these questions and just let the dirsrv uninstall code
> > remove all contents.
> >
> > Simo.
>
> The addition of 'pass' is unnecessary, otherwise ack.
>
> rob

ok, removed pass and pushed to master

Simo.

--
Simo Sorce * Red Hat, Inc * New York

From ssorce at redhat.com Thu Oct 7 11:55:17 2010
From: ssorce at redhat.com (Simo Sorce)
Date: Thu, 7 Oct 2010 07:55:17 -0400
Subject: [Freeipa-devel] [PATCH] set attribute when changing passwords
In-Reply-To: <4CACE27F.2030204@redhat.com>
References: <20101005192507.45e541c2@willson.li.ssimo.org> <4CACE27F.2030204@redhat.com>
Message-ID: <20101007075517.3a66f515@willson.li.ssimo.org>

On Wed, 06 Oct 2010 16:56:31 -0400 Rob Crittenden wrote:

> Simo Sorce wrote:
> >
> > Set the sambaPwdLastSet when changing password for a user that has
> > the sambaSamAccount objectclass, so that samba is kept in sync with
> > the status of the user account wrt whether the user needs to change
> > the password or not.
> >
> > fixes trac#313
> >
> > Simo.
>
> ack

pushed to master

Simo.

--
Simo Sorce * Red Hat, Inc * New York

From ssorce at redhat.com Thu Oct 7 11:55:30 2010
From: ssorce at redhat.com (Simo Sorce)
Date: Thu, 7 Oct 2010 07:55:30 -0400
Subject: [Freeipa-devel] [PATCH] properly check for ldap headers
In-Reply-To: <4CACE275.4050202@redhat.com>
References: <20101005174537.56be4776@willson.li.ssimo.org> <4CACE275.4050202@redhat.com>
Message-ID: <20101007075530.3d0ea087@willson.li.ssimo.org>

On Wed, 06 Oct 2010 16:56:21 -0400 Rob Crittenden wrote:

> Simo Sorce wrote:
> >
> > We need to always use mozldap ldap headers for slapi plugins, until
> > 389 ds moves to openldap libs.
> > But at the same time we want to move to openldap libs for anything
> > else.
> >
> > Fix configure/makefile to always check for openldap libs and always
> > use them in anything but slapi plugins.
> >
> > (fixes bz#464564/trac#221)
> >
> > Simo.
>
> ack

pushed to master.

Simo.

--
Simo Sorce * Red Hat, Inc * New York

From ssorce at redhat.com Thu Oct 7 14:36:41 2010
From: ssorce at redhat.com (Simo Sorce)
Date: Thu, 7 Oct 2010 10:36:41 -0400
Subject: [Freeipa-devel] [PATCH] Improve logging for pwd plugin
Message-ID: <20101007103641.51a08c57@willson.li.ssimo.org>

This patch changes all the logging done through slapi_log_error() to go
through macros. It simplifies calling the log function and adds
information in an automated way to help debugging in case of fatal
exceptions.

Simo.

--
Simo Sorce * Red Hat, Inc * New York
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0001-Improve-logging-facilities.patch
Type: text/x-patch
Size: 76080 bytes
Desc: not available
URL:

From rcritten at redhat.com Thu Oct 7 15:01:01 2010
From: rcritten at redhat.com (Rob Crittenden)
Date: Thu, 07 Oct 2010 11:01:01 -0400
Subject: [Freeipa-devel] [PATCH] Improve logging for pwd plugin
In-Reply-To: <20101007103641.51a08c57@willson.li.ssimo.org>
References: <20101007103641.51a08c57@willson.li.ssimo.org>
Message-ID: <4CADE0AD.4030007@redhat.com>

Simo Sorce wrote:
> This patch changes all the logging done through slapi_log_error() to go
> through macros. It simplifies calling the log function and adds
> information in an automated way to help debugging in case of fatal
> exceptions.
>
> Simo.

ack

From ssorce at redhat.com Thu Oct 7 15:20:55 2010
From: ssorce at redhat.com (Simo Sorce)
Date: Thu, 7 Oct 2010 11:20:55 -0400
Subject: [Freeipa-devel] [PATCH] fix segfault in pwd plugin
Message-ID: <20101007112055.24d473a7@willson.li.ssimo.org>

I thought I tested ipa-getkeytab but I was wrong as we do not use it
during the install.

Turns out my patch to split the pwd plugin in multiple files had still
one error that showed up only when using the ipa-getkeytab client.

Patch attached.

Simo.

--
Simo Sorce * Red Hat, Inc * New York
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0001-pwd-plugin-Fix-unresolve-symbol.patch
Type: text/x-patch
Size: 1504 bytes
Desc: not available
URL:

From rcritten at redhat.com Thu Oct 7 15:25:50 2010
From: rcritten at redhat.com (Rob Crittenden)
Date: Thu, 07 Oct 2010 11:25:50 -0400
Subject: [Freeipa-devel] [PATCH] fix segfault in pwd plugin
In-Reply-To: <20101007112055.24d473a7@willson.li.ssimo.org>
References: <20101007112055.24d473a7@willson.li.ssimo.org>
Message-ID: <4CADE67E.6090809@redhat.com>

Simo Sorce wrote:
>
> I thought I tested ipa-getkeytab but I was wrong as we do not use it
> during the install.
>
> Turns out my patch to split the pwd plugin in multiple files had still
> one error that showed up only when using the ipa-getkeytab client.
>
> Patch attached.
>
> Simo.

ack

From ssorce at redhat.com Thu Oct 7 15:33:04 2010
From: ssorce at redhat.com (Simo Sorce)
Date: Thu, 7 Oct 2010 11:33:04 -0400
Subject: [Freeipa-devel] [PATCH] fix segfault in pwd plugin
In-Reply-To: <4CADE67E.6090809@redhat.com>
References: <20101007112055.24d473a7@willson.li.ssimo.org> <4CADE67E.6090809@redhat.com>
Message-ID: <20101007113304.743df8af@willson.li.ssimo.org>

On Thu, 07 Oct 2010 11:25:50 -0400 Rob Crittenden wrote:

> Simo Sorce wrote:
> >
> > I thought I tested ipa-getkeytab but I was wrong as we do not use it
> > during the install.
> >
> > Turns out my patch to split the pwd plugin in multiple files had
> > still one error that showed up only when using the ipa-getkeytab
> > client.
> >
> > Patch attached.
> >
> > Simo.
>
> ack

pushed to master

Simo.

--
Simo Sorce * Red Hat, Inc * New York

From ssorce at redhat.com Thu Oct 7 15:33:50 2010
From: ssorce at redhat.com (Simo Sorce)
Date: Thu, 7 Oct 2010 11:33:50 -0400
Subject: [Freeipa-devel] [PATCH] Improve logging for pwd plugin
In-Reply-To: <4CADE0AD.4030007@redhat.com>
References: <20101007103641.51a08c57@willson.li.ssimo.org> <4CADE0AD.4030007@redhat.com>
Message-ID: <20101007113350.5dffec90@willson.li.ssimo.org>

On Thu, 07 Oct 2010 11:01:01 -0400 Rob Crittenden wrote:

> Simo Sorce wrote:
> > This patch changes all the logging done through slapi_log_error()
> > to go through macros. It simplifies calling the log function and
> > adds information in an automated way to help debugging in case of
> > fatal exceptions.
> >
> > Simo.
>
> ack

pushed after changing 3 log messages as requested on IRC.

Simo.

--
Simo Sorce * Red Hat, Inc * New York

From edewata at redhat.com Thu Oct 7 15:54:15 2010
From: edewata at redhat.com (Endi Sukma Dewata)
Date: Thu, 7 Oct 2010 11:54:15 -0400 (EDT)
Subject: [Freeipa-devel] [PATCH] admiyo-freeipa-0052-policy-and-config.patch
In-Reply-To: <1754005460.158011286466790723.JavaMail.root@zmail05.collab.prod.int.phx2.redhat.com>
Message-ID: <1360827042.158271286466855385.JavaMail.root@zmail05.collab.prod.int.phx2.redhat.com>

----- "Adam Young" wrote:

> Population of the policy and entities tabs.
> DNS and ACI are broken due to Plugin issues
> Fix for entities without search
> Added new files to Makefile.am
> used rolegroup.js file as the start point, renamed to serverconfig.js
>
> Missed the Makefile.am additions necessary to pick up the .js files
>
> Fixes an issue with missing pkey for the config page.

I have some comments/questions:

1. The labels of the first level tabs in admin_tab_set are removed.
   Are they being replaced by translated texts from metadata?

2. In _ipa_entity_setup() the 'unspecified' facet will be displayed
   only if it equals 'details'.

   function _ipa_entity_setup(jobj,unspecified) {
       if (facet == 'details') {
           setup_details_facet(unspecified);
       }
   }

   Also, maybe a more appropriate name is 'default_facet'?

3. In policy.js the 'dialog-add-dns' and 'Add New Location'
   are used by automount and pwpolicy:

   ipa_entity_set_add_definition('automountlocation', [
       'dialog-add-dns', 'Add New Location', [

   ipa_entity_set_add_definition('pwpolicy', [
       'dialog-add-dns', 'Add New Location', [

   The krbtpolicy doesn't need an add page:

   ipa_entity_set_add_definition('krbtpolicy', [
       'dialog-add-dns', 'Add New Location', [

4. Password policy details is not working, it returns
   this message:

   GLOBAL: password policy not found

5. Kerberos Ticket Policy & Configuration each has a link to the
   search page (which is not searchable) and the details page
   (which is unnecessary because it's the only page), we need to
   figure out a way not to show them.

6. The HBAC associations don't work, we need to define the
   association using ipa_entity_set_association_definition().

7. DNS & ACI don't work as you already mentioned. The automount
   currently is limited to location.

Should any of these issues be fixed before ACK-ing this patch?
Thanks!

--
Endi S. Dewata

From ayoung at redhat.com Thu Oct 7 16:45:37 2010
From: ayoung at redhat.com (Adam Young)
Date: Thu, 07 Oct 2010 12:45:37 -0400
Subject: [Freeipa-devel] [PATCH] admiyo-freeipa-0052-policy-and-config.patch
In-Reply-To: <1360827042.158271286466855385.JavaMail.root@zmail05.collab.prod.int.phx2.redhat.com>
References: <1360827042.158271286466855385.JavaMail.root@zmail05.collab.prod.int.phx2.redhat.com>
Message-ID: <4CADF931.6040007@redhat.com>

On 10/07/2010 11:54 AM, Endi Sukma Dewata wrote:
> ----- "Adam Young" wrote:
>
>
>> Population of the policy and entities tabs.
>> DNS and ACI are broken due to Plugin issues
>> Fix for entities without search
>> Added new files to Makefile.am
>> used rolegroup.js file as the start point, renamed to serverconfig.js
>>
>> Missed the Makefile.am additions necessary to pick up the .js files
>>
>> Fixes an issue with missing pkey for the config page.
>>
> I have some comments/questions:
>
> 1. The labels of the first level tabs in admin_tab_set are removed.
> Are they being replaced by translated texts from metadata?
>

Yes, that is correct. The others will need values in internal.py as
well.

> 2. In _ipa_entity_setup() the 'unspecified' facet will be displayed
> only if it equals 'details'.
>
> function _ipa_entity_setup(jobj,unspecified) {
> if (facet == 'details') {
> setup_details_facet(unspecified);
> }
> }
>
> Also, maybe a more appropriate name is 'default_facet'?
>

I came up with unspecified when I discovered that 'default' was a key
word in Javascript. I thought unspecified did a good job of explaining
that this was the facet to use if it is not specified in the URL params.

> 3. In policy.js the 'dialog-add-dns' and 'Add New Location'
> are used by automount and pwpolicy:
>

Cut and paste error. I'll fix that.

> ipa_entity_set_add_definition('automountlocation', [
> 'dialog-add-dns', 'Add New Location', [
>
> ipa_entity_set_add_definition('pwpolicy', [
> 'dialog-add-dns', 'Add New Location', [
>
> The krbtpolicy doesn't need an add page:
>
> ipa_entity_set_add_definition('krbtpolicy', [
> 'dialog-add-dns', 'Add New Location', [
>
> 4. Password policy details is not working, it returns
> this message:
>
> GLOBAL: password policy not found
>

Hmmm.. Not for me. GLOBAL is the default one, and also should be in the
sample data. I'll investigate.

> 5. Kerberos Ticket Policy & Configuration each has a link to the
> search page (which is not searchable) and the details page
> (which is unnecessary because it's the only page), we need to
> figure out a way not to show them.
>

Agreed.

> 6. The HBAC associations don't work, we need to define the
> association using ipa_entity_set_association_definition().
>

Not surprised. I wasn't attempting to complete all of the tabs, just to
get the main level entries in for the policy and config tab sets. There
is more work to do on several of the entities.

> 7. DNS & ACI don't work as you already mentioned. The automount
> currently is limited to location.
>

Yes. I have a fix in for DNS, and we'll need something comparable for
ACI. automount and dns have subordinate entities, something we haven't
dealt with elsewhere on the site yet.

> Should any of these issues be fixed before ACK-ing this patch?
> Thanks!
>

3 and 4 will be fixed before ACK.

> --
> Endi S. Dewata
>

From ayoung at redhat.com Thu Oct 7 17:05:00 2010
From: ayoung at redhat.com (Adam Young)
Date: Thu, 07 Oct 2010 13:05:00 -0400
Subject: [Freeipa-devel] [PATCH] 559 update ipa-getkeytab man page
In-Reply-To: <4CAD1D59.5010305@redhat.com>
References: <4CAB884F.4000400@redhat.com> <4CABC8FF.9080005@redhat.com> <4CAC7890.7080708@redhat.com> <4CAD1D59.5010305@redhat.com>
Message-ID: <4CADFDBC.6010205@redhat.com>

On 10/06/2010 09:07 PM, David O'Brien wrote:
> Rob Crittenden wrote:
>> David O'Brien wrote:
>>> Rob Crittenden wrote:
>>>> Add some missing options to the ipa-getkeytab man page.
>>>>
>>>> rob
>>>>
>>>>
>>> Can you be consistent with "Kerberos" instead of adding "kerberos" to
>>> the mix as well (unless necessary, of course)?
>>>
>>> If my understanding is correct, I'd update the following:
>>> "The LDAP password when not binding with Kerberos." to include
>>> "...password to use when not..."
>>>
>>> cheers
>>
>> Updated patch attached.
>>
>> rob
> No more complaints from me.
> (I'm purposely not using "nack" or "ack" because I don't write man
> pages, and haven't tried to apply this patch. I'm just checking a bit
> of English.)
>

David, it is certainly OK for you to ACK/NACK something like this.
We'll know if it "Breaks the build" pretty quickly, so we're not worried
about computer language syntax errors, just natural language syntax
errors.

From ayoung at redhat.com Thu Oct 7 18:53:41 2010
From: ayoung at redhat.com (Adam Young)
Date: Thu, 07 Oct 2010 14:53:41 -0400
Subject: [Freeipa-devel] [PATCH] admiyo-freeipa-0052-policy-and-config.patch
In-Reply-To: <4CADF931.6040007@redhat.com>
References: <1360827042.158271286466855385.JavaMail.root@zmail05.collab.prod.int.phx2.redhat.com> <4CADF931.6040007@redhat.com>
Message-ID: <4CAE1735.6060505@redhat.com>

On 10/07/2010 12:45 PM, Adam Young wrote:
> On 10/07/2010 11:54 AM, Endi Sukma Dewata wrote:
>> ----- "Adam Young" wrote:
>>
>>> Population of the policy and entities tabs.
>>> DNS and ACI are broken due to Plugin issues
>>> Fix for entities without search
>>> Added new files to Makefile.am
>>> used rolegroup.js file as the start point, renamed to serverconfig.js
>>>
>>> Missed the Makefile.am additions necessary to pick up the .js files
>>>
>>> Fixes an issue with missing pkey for the config page.
>> I have some comments/questions:
>>
>> 1. The labels of the first level tabs in admin_tab_set are removed.
>> Are they being replaced by translated texts from metadata?
> Yes, that is correct. The others will need values in internal.py as
> well.
>
>> 2. In _ipa_entity_setup() the 'unspecified' facet will be displayed
>> only if it equals 'details'.
>>
>> function _ipa_entity_setup(jobj,unspecified) {
>> if (facet == 'details') {
>> setup_details_facet(unspecified);
>> }
>> }
>>
>> Also, maybe a more appropriate name is 'default_facet'?
> I came up with unspecified when I discovered that 'default' was a key
> word in Javascript. I thought unspecified did a good job of
> explaining that this was the facet to use if it is not specified in
> the URL params.
>
>> 3. In policy.js the 'dialog-add-dns' and 'Add New Location'
>> are used by automount and pwpolicy:
>
> Cut and paste error. I'll fix that.
>> ipa_entity_set_add_definition('automountlocation', [
>> 'dialog-add-dns', 'Add New Location', [
>>
>> ipa_entity_set_add_definition('pwpolicy', [
>> 'dialog-add-dns', 'Add New Location', [
>>
>> The krbtpolicy doesn't need an add page:
>>
>> ipa_entity_set_add_definition('krbtpolicy', [
>> 'dialog-add-dns', 'Add New Location', [
>>
>> 4. Password policy details is not working, it returns
>> this message:
>>
>> GLOBAL: password policy not found
>
> Hmmm.. Not for me. GLOBAL is the default one, and also should be in
> the sample data. I'll investigate.
>> 5. Kerberos Ticket Policy & Configuration each has a link to the
>> search page (which is not searchable) and the details page
>> (which is unnecessary because it's the only page), we need to
>> figure out a way not to show them.
> Agreed.
>
>> 6. The HBAC associations don't work, we need to define the
>> association using ipa_entity_set_association_definition().
> Not surprised. I wasn't attempting to complete all of the tabs, just
> to get the main level entries in for the policy and config tab sets.
> There is more work to do on several of the entities.
>
>> 7. DNS & ACI don't work as you already mentioned. The automount
>> currently is limited to location.
>
> Yes. I have a fix in for DNS, and we'll need something comparable for
> ACI. automount and dns have subordinate entities, something we haven't
> dealt with elsewhere on the site yet.
>> Should any of these issues be fixed before ACK-ing this patch?
>> Thanks!
> 3 and 4 will be fixed before ACK.
>
>> --
>> Endi S. Dewata
>
> _______________________________________________
> Freeipa-devel mailing list
> Freeipa-devel at redhat.com
> https://www.redhat.com/mailman/listinfo/freeipa-devel

Fixed and pushed to master

From ayoung at redhat.com Thu Oct 7 18:57:20 2010
From: ayoung at redhat.com (Adam Young)
Date: Thu, 07 Oct 2010 14:57:20 -0400
Subject: [Freeipa-devel] [PATCH] admiyo-freeipa-0049-default-search.patch
Message-ID: <4CAE1810.1010806@redhat.com>

Resend
-------------- next part --------------
A non-text attachment was scrubbed...
Name: admiyo-freeipa-0049-default-search.patch
Type: text/x-patch
Size: 1244 bytes
Desc: not available
URL:

From ayoung at redhat.com Thu Oct 7 19:11:51 2010
From: ayoung at redhat.com (Adam Young)
Date: Thu, 07 Oct 2010 15:11:51 -0400
Subject: [Freeipa-devel] admiyo-freeipa-0049-default-search.patch
In-Reply-To: <4CA3E160.5030409@redhat.com>
References: <4CA3E160.5030409@redhat.com>
Message-ID: <4CAE1B77.3070905@redhat.com>

On 09/29/2010 09:01 PM, Adam Young wrote:
> default search
> Populate the entity search pages with the results of a search with
> a blank filter even if no filter has been specified
>

ACked in IRC and pushed to master
-------------- next part --------------
An HTML attachment was scrubbed...
URL:

From mgregg at redhat.com Thu Oct 7 19:12:41 2010
From: mgregg at redhat.com (Michael Gregg)
Date: Thu, 07 Oct 2010 12:12:41 -0700
Subject: [Freeipa-devel] netgroup help
In-Reply-To: <4CAD120A.9040507@redhat.com>
References: <4CAD0CAB.7020804@redhat.com> <4CAD120A.9040507@redhat.com>
Message-ID: <4CAE1BA9.4090907@redhat.com>

I'm still getting a problem. I am able to add groups today, but not
netgroups, see my new output. I am unable to add the specified netgroup
group2 to group1.

What version are you running?
I'm running ipa-admintools-1.91-0.2010100715git016f889.fc13.x86_64

[root at ipaqa64vmb install]# ipa netgroup-add-member --groups=muppets --hostgroups=group2 group1
  Netgroup name: group1
  Description: group1
  NIS domain name: testdomain
  Member Group: muppets
  Member Host: ipaqa64vmb.idm.lab.bos.redhat.com
-------------------------
Number of members added 1
-------------------------
[root at ipaqa64vmb install]# ipa netgroup-show group1
  Netgroup name: group1
  Description: group1
  NIS domain name: testdomain
  Member Group: muppets
  Member Host: ipaqa64vmb.idm.lab.bos.redhat.com

Adam Young wrote:
> On 10/06/2010 07:56 PM, Michael Gregg wrote:
>> I'm trying to add groups and users to a netgroup, I'm doing things
>> like the following:
>>
>> [root at ipaqa64vmb ~]# ipa netgroup-add-member --groups=group1 n1
>> Netgroup name: n1
>> Description: aa
>> NIS domain name: testdomain
>> -------------------------
>> Number of members added 0
>> -------------------------
>
>
> It looks right to me.
> Here's my output:
>
> ipa netgroup-add-member --groups=muppets --hostgroups=host-live net-live
> Netgroup name: net-live
> Description: live servers
> NIS domain name: ayoung.boston.devel.redhat.com
> Member Group: muppets
> Member Hostgroup: host-live
> -------------------------
> Number of members added 2
> -------------------------
> [ayoung at ipa freeipa]$ ipa netgroup-show net-live
> Netgroup name: net-live
> Description: live servers
> NIS domain name: ayoung.boston.devel.redhat.com
> Member Group: muppets
> Member Hostgroup: host-live
>
>
> So something else must be going wrong. I assume that both group1 and
> netgroup n1 already exist in your system? Or maybe they have already
> been added to the netgroup? If you try to add the same entities more
> than once, the call succeeds, but the container remains unchanged.
>
>>
>>
>> Number of members added 0?
>> group1 exists, and netgroup n1 exists.
>> Am I doing this right? Is this a bug?
>>
>> Michael-
>>

From ayoung at redhat.com Thu Oct 7 19:36:55 2010
From: ayoung at redhat.com (Adam Young)
Date: Thu, 07 Oct 2010 15:36:55 -0400
Subject: [Freeipa-devel] [PATCH]admiyo-freeipa-0055-record-limit.patch
Message-ID: <4CAE2157.6000105@redhat.com>

This patch hard codes the record limit for the UI to 100. Next step is
to make it configurable. This patch is necessary, as without it, some
customers with large records will have problems with default queries.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: admiyo-freeipa-0055-record-limit.patch
Type: text/x-patch
Size: 1530 bytes
Desc: not available
URL:

From ssorce at redhat.com Thu Oct 7 20:20:14 2010
From: ssorce at redhat.com (Simo Sorce)
Date: Thu, 7 Oct 2010 16:20:14 -0400
Subject: [Freeipa-devel] [PATCH] Initial gettext support for C tools
Message-ID: <20101007162014.1bbcdcf4@willson.li.ssimo.org>

This is some very basic initial localization work for the C tools.
I do not have any translation yet, and creation and merging of .po
and binary files is not yet done. But the clients.pot file is regularly
updated when make is run in the main dir (or make gettext in the
ipa-clients dir).

Fixes trac#186

Simo.

--
Simo Sorce * Red Hat, Inc * New York
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0001-Initial-gettext-support-for-C-utils.patch
Type: text/x-patch
Size: 60164 bytes
Desc: not available
URL:

From ssorce at redhat.com Thu Oct 7 21:03:26 2010
From: ssorce at redhat.com (Simo Sorce)
Date: Thu, 7 Oct 2010 17:03:26 -0400
Subject: [Freeipa-devel] [PATCH] 528 make some hbac options mutually exclusive
In-Reply-To: <4C90C917.60604@redhat.com>
References: <4C8FF6D0.8000906@redhat.com> <4C901663.8010603@redhat.com> <4C90C917.60604@redhat.com>
Message-ID: <20101007170326.26ef58ca@willson.li.ssimo.org>

On Wed, 15 Sep 2010 09:24:39 -0400
Rob Crittenden wrote:

> Using our tools the only available option is lower-case 'all':
>
> $ ipa hbac-add test --usercat=ALL --type=allow
> ipa: ERROR: invalid 'usercategory': must be one of (u'all',)
>
> In any case, better to be robust. Updated patch attached.

ack.

Simo.

--
Simo Sorce * Red Hat, Inc * New York

From ssorce at redhat.com Thu Oct 7 21:06:14 2010
From: ssorce at redhat.com (Simo Sorce)
Date: Thu, 7 Oct 2010 17:06:14 -0400
Subject: [Freeipa-devel] [PATCH] 550 estimated install times
In-Reply-To: <4CA37E4F.8030903@redhat.com>
References: <4CA37E4F.8030903@redhat.com>
Message-ID: <20101007170614.0a54c1f2@willson.li.ssimo.org>

On Wed, 29 Sep 2010 13:58:39 -0400
Rob Crittenden wrote:

> Add estimated install times to the installation. I also log a
> duration for each step in /var/log/ipaserver-install.log if anyone
> wants to compare their times to mine.
>
> ticket 139

simple but useful

ack

Simo.

--
Simo Sorce * Red Hat, Inc * New York

From ssorce at redhat.com Thu Oct 7 21:07:09 2010
From: ssorce at redhat.com (Simo Sorce)
Date: Thu, 7 Oct 2010 17:07:09 -0400
Subject: [Freeipa-devel] [PATCH] 551 ipa-dns-install updates
In-Reply-To: <4CA38B4D.1030400@redhat.com>
References: <4CA38B4D.1030400@redhat.com>
Message-ID: <20101007170709.4c93eefa@willson.li.ssimo.org>

On Wed, 29 Sep 2010 14:54:05 -0400
Rob Crittenden wrote:

> Detect if DNS is already configured in IPA, or if IPA is not yet
> installed.
>
> ipa-dns-manage could fail in very odd ways depending on the current
> configuration of the server. Handle things a bit better.
>
> ticket 210

ack

Simo.

--
Simo Sorce * Red Hat, Inc * New York

From ssorce at redhat.com Thu Oct 7 21:09:28 2010
From: ssorce at redhat.com (Simo Sorce)
Date: Thu, 7 Oct 2010 17:09:28 -0400
Subject: [Freeipa-devel] [PATCH] 557 return non-zero on membership failure
In-Reply-To: <4CA62F13.7030400@redhat.com>
References: <4CA62F13.7030400@redhat.com>
Message-ID: <20101007170928.1c7d02ab@willson.li.ssimo.org>

On Fri, 01 Oct 2010 14:57:23 -0400
Rob Crittenden wrote:

> Return non-zero when group membership change fails.
>
> There is no point (and it is confusing) to print an empty list when
> modifying group membership fails, so suppress it.
>
> tickets 271, 273, 274

ack

Simo.

--
Simo Sorce * Red Hat, Inc * New York

From mgregg at redhat.com Thu Oct 7 22:57:04 2010
From: mgregg at redhat.com (Michael Gregg)
Date: Thu, 07 Oct 2010 15:57:04 -0700
Subject: [Freeipa-devel] add custom attribute to netgroup question
Message-ID: <4CAE5040.6060009@redhat.com>

What attributes are allowed?

[root at ipaqa64vmb install]# ipa netgroup-add --setattr="testattr=yes" tg1
Description: qq
ipa: ERROR: attribute "testattr" not allowed
[root at ipaqa64vmb install]# ipa netgroup-add --addattr=testattr=yes tg1
Description: yy
ipa: ERROR: attribute "testattr" not allowed
[root at ipaqa64vmb install]# ipa netgroup-add --addattr=testaty tg1
Description: ll
ipa: ERROR: invalid 'addattr': Invalid format. Should be name=value
[root at ipaqa64vmb install]# ipa netgroup-add --addattr=t=yes tg1
Description: ll
ipa: ERROR: attribute "t" not allowed

From davido at redhat.com Fri Oct 8 03:29:04 2010
From: davido at redhat.com (David O'Brien)
Date: Fri, 08 Oct 2010 13:29:04 +1000
Subject: [Freeipa-devel] [PATCH] 559 update ipa-getkeytab man page
In-Reply-To: <4CADFDBC.6010205@redhat.com>
References: <4CAB884F.4000400@redhat.com> <4CABC8FF.9080005@redhat.com> <4CAC7890.7080708@redhat.com> <4CAD1D59.5010305@redhat.com> <4CADFDBC.6010205@redhat.com>
Message-ID: <4CAE9000.9020800@redhat.com>

Adam Young wrote:
> On 10/06/2010 09:07 PM, David O'Brien wrote:
>> Rob Crittenden wrote:
>>> David O'Brien wrote:
>>>> Rob Crittenden wrote:
>>>>> Add some missing options to the ipa-getkeytab man page.
>>>>>
>>>>> rob
>>>>>
>>>>>
>>>> Can you be consistent with "Kerberos" instead of adding "kerberos" to
>>>> the mix as well (unless necessary, of course)?
>>>>
>>>> If my understanding is correct, I'd update the following:
>>>> "The LDAP password when not binding with Kerberos." to include
>>>> "...password to use when not..."
>>>>
>>>> cheers
>>>
>>> Updated patch attached.
>>>
>>> rob
>> No more complaints from me.
>> (I'm purposely not using "nack" or "ack" because I don't write man
>> pages, and haven't tried to apply this patch. I'm just checking a bit
>> of English.)
>>
> David, it is certainly OK for you to ACK/NACK something like this.
> We'll know if it "Breaks the build" pretty quickly, so we're not worried
> about computer language syntax errors, just natural language syntax errors.
>

ok, thanks for that. Will bear that in mind for similar patches in the
future.

--
David

From rcritten at redhat.com Fri Oct 8 03:42:14 2010
From: rcritten at redhat.com (Rob Crittenden)
Date: Thu, 07 Oct 2010 23:42:14 -0400
Subject: [Freeipa-devel] add custom attribute to netgroup question
In-Reply-To: <4CAE5040.6060009@redhat.com>
References: <4CAE5040.6060009@redhat.com>
Message-ID: <4CAE9316.4080603@redhat.com>

Michael Gregg wrote:
>
> What attributes are allowed?
>
> [root at ipaqa64vmb install]# ipa netgroup-add --setattr="testattr=yes" tg1
> Description: qq
> ipa: ERROR: attribute "testattr" not allowed
> [root at ipaqa64vmb install]# ipa netgroup-add --addattr=testattr=yes tg1
> Description: yy
> ipa: ERROR: attribute "testattr" not allowed
> [root at ipaqa64vmb install]# ipa netgroup-add --addattr=testaty tg1
> Description: ll
> ipa: ERROR: invalid 'addattr': Invalid format. Should be name=value
> [root at ipaqa64vmb install]# ipa netgroup-add --addattr=t=yes tg1
> Description: ll
> ipa: ERROR: attribute "t" not allowed

For a custom attribute you'd need to add a new objectclass to the
netgroup. --setattr and --addattr still must adhere to the available
attributes.

The available attributes include (not exhaustive): externalHost,
nisDomainName, description, memberUser, userCategory, memberHost,
hostCategory and ipaEnabledFlag (doesn't make sense in this context).

rob

From rcritten at redhat.com Fri Oct 8 13:34:48 2010
From: rcritten at redhat.com (Rob Crittenden)
Date: Fri, 08 Oct 2010 09:34:48 -0400
Subject: [Freeipa-devel] [PATCH] 565 handle both DER and base64 encoded certs in service plugin
Message-ID: <4CAF1DF8.4080900@redhat.com>

Accept an incoming certificate as either DER or base64 in the service
plugin.

The plugin required a base64-encoded certificate and always decoded it
before processing. This doesn't work with the UI because the json module
decodes binary values already.

Try to detect if the incoming value is base64-encoded and decode if
necessary. Finally, try to pull the cert apart to validate it. This will
tell us for sure that the data is a certificate, regardless of the
format it came in as.

ticket 348

rob
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-565-service.patch
Type: application/mbox
Size: 10259 bytes
Desc: not available
URL:

From rcritten at redhat.com Fri Oct 8 14:02:49 2010
From: rcritten at redhat.com (Rob Crittenden)
Date: Fri, 08 Oct 2010 10:02:49 -0400
Subject: [Freeipa-devel] [PATCH]admiyo-freeipa-0055-record-limit.patch
In-Reply-To: <4CAE2157.6000105@redhat.com>
References: <4CAE2157.6000105@redhat.com>
Message-ID: <4CAF2489.1050708@redhat.com>

Adam Young wrote:
> This patch hard codes the record limit for the UI to 100. Next step is
> to make it configurable. This patch is necessary, as without it, some
> customers with large records will have problems with default queries.

ack

From rcritten at redhat.com Fri Oct 8 14:12:25 2010
From: rcritten at redhat.com (Rob Crittenden)
Date: Fri, 08 Oct 2010 10:12:25 -0400
Subject: [Freeipa-devel] [PATCH] 528 make some hbac options mutually exclusive
In-Reply-To: <20101007170326.26ef58ca@willson.li.ssimo.org>
References: <4C8FF6D0.8000906@redhat.com> <4C901663.8010603@redhat.com> <4C90C917.60604@redhat.com> <20101007170326.26ef58ca@willson.li.ssimo.org>
Message-ID: <4CAF26C9.4080702@redhat.com>

Simo Sorce wrote:
> On Wed, 15 Sep 2010 09:24:39 -0400
> Rob Crittenden wrote:
>
>> Using our tools the only available option is lower-case 'all':
>>
>> $ ipa hbac-add test --usercat=ALL --type=allow
>> ipa: ERROR: invalid 'usercategory': must be one of (u'all',)
>>
>> In any case, better to be robust. Updated patch attached.
>
> ack.
>
> Simo.
>

pushed to master

From rcritten at redhat.com Fri Oct 8 14:12:31 2010
From: rcritten at redhat.com (Rob Crittenden)
Date: Fri, 08 Oct 2010 10:12:31 -0400
Subject: [Freeipa-devel] [PATCH] 550 estimated install times
In-Reply-To: <20101007170614.0a54c1f2@willson.li.ssimo.org>
References: <4CA37E4F.8030903@redhat.com> <20101007170614.0a54c1f2@willson.li.ssimo.org>
Message-ID: <4CAF26CF.4080107@redhat.com>

Simo Sorce wrote:
> On Wed, 29 Sep 2010 13:58:39 -0400
> Rob Crittenden wrote:
>
>> Add estimated install times to the installation. I also log a
>> duration for each step in /var/log/ipaserver-install.log if anyone
>> wants to compare their times to mine.
>>
>> ticket 139
>
> simple but useful
>
> ack
>
> Simo.
>

pushed to master

From rcritten at redhat.com Fri Oct 8 14:12:37 2010
From: rcritten at redhat.com (Rob Crittenden)
Date: Fri, 08 Oct 2010 10:12:37 -0400
Subject: [Freeipa-devel] [PATCH] 551 ipa-dns-install updates
In-Reply-To: <20101007170709.4c93eefa@willson.li.ssimo.org>
References: <4CA38B4D.1030400@redhat.com> <20101007170709.4c93eefa@willson.li.ssimo.org>
Message-ID: <4CAF26D5.80300@redhat.com>

Simo Sorce wrote:
> On Wed, 29 Sep 2010 14:54:05 -0400
> Rob Crittenden wrote:
>
>> Detect if DNS is already configured in IPA, or if IPA is not yet
>> installed.
>>
>> ipa-dns-manage could fail in very odd ways depending on the current
>> configuration of the server. Handle things a bit better.
>>
>> ticket 210
>
> ack
>
> Simo.
>

pushed to master

From rcritten at redhat.com Fri Oct 8 14:12:45 2010
From: rcritten at redhat.com (Rob Crittenden)
Date: Fri, 08 Oct 2010 10:12:45 -0400
Subject: [Freeipa-devel] [PATCH] 557 return non-zero on membership failure
In-Reply-To: <20101007170928.1c7d02ab@willson.li.ssimo.org>
References: <4CA62F13.7030400@redhat.com> <20101007170928.1c7d02ab@willson.li.ssimo.org>
Message-ID: <4CAF26DD.30502@redhat.com>

Simo Sorce wrote:
> On Fri, 01 Oct 2010 14:57:23 -0400
> Rob Crittenden wrote:
>
>> Return non-zero when group membership change fails.
>>
>> There is no point (and it is confusing) to print an empty list when
>> modifying group membership fails, so suppress it.
>>
>> tickets 271, 273, 274
>
> ack
>
> Simo.
>

pushed to master

From rcritten at redhat.com Fri Oct 8 14:22:02 2010
From: rcritten at redhat.com (Rob Crittenden)
Date: Fri, 08 Oct 2010 10:22:02 -0400
Subject: [Freeipa-devel] [PATCH] 559 update ipa-getkeytab man page
In-Reply-To: <4CAE9000.9020800@redhat.com>
References: <4CAB884F.4000400@redhat.com> <4CABC8FF.9080005@redhat.com> <4CAC7890.7080708@redhat.com> <4CAD1D59.5010305@redhat.com> <4CADFDBC.6010205@redhat.com> <4CAE9000.9020800@redhat.com>
Message-ID: <4CAF290A.4090703@redhat.com>

David O'Brien wrote:
> Adam Young wrote:
>> On 10/06/2010 09:07 PM, David O'Brien wrote:
>>> Rob Crittenden wrote:
>>>> David O'Brien wrote:
>>>>> Rob Crittenden wrote:
>>>>>> Add some missing options to the ipa-getkeytab man page.
>>>>>>
>>>>>> rob
>>>>>>
>>>>>>
>>>>> Can you be consistent with "Kerberos" instead of adding "kerberos" to
>>>>> the mix as well (unless necessary, of course)?
>>>>>
>>>>> If my understanding is correct, I'd update the following:
>>>>> "The LDAP password when not binding with Kerberos." to include
>>>>> "...password to use when not..."
>>>>>
>>>>> cheers
>>>>
>>>> Updated patch attached.
>>>>
>>>> rob
>>> No more complaints from me.
>>> (I'm purposely not using "nack" or "ack" because I don't write man
>>> pages, and haven't tried to apply this patch. I'm just checking a bit
>>> of English.)
>>>
>> David, it is certainly OK for you to ACK/NACK something like this.
>> We'll know if it "Breaks the build" pretty quickly, so we're not
>> worried about computer language syntax errors, just natural language
>> syntax errors.
>>
>
> ok, thanks for that. Will bear that in mind for similar patches in the
> future.
>

So is that an ack? ;-)

rob

From rcritten at redhat.com Fri Oct 8 14:26:18 2010
From: rcritten at redhat.com (Rob Crittenden)
Date: Fri, 08 Oct 2010 10:26:18 -0400
Subject: [Freeipa-devel] [PATCH] Initial gettext support for C tools
In-Reply-To: <20101007162014.1bbcdcf4@willson.li.ssimo.org>
References: <20101007162014.1bbcdcf4@willson.li.ssimo.org>
Message-ID: <4CAF2A0A.1060608@redhat.com>

Simo Sorce wrote:
>
>
> This is some very basic initial localization work for the C tools.
> I do not have any translation yet, and creation and merging of .po
> and binary files is not yet done. But the clients.pot file is regularly
> updated when make is run in the main dir (or make gettext in the
> ipa-clients dir).
>
> Fixes trac#186
>
> Simo.

Nack. As discussed in IRC we are going to use a single po file for all
translations.

rob

From edewata at redhat.com Fri Oct 8 16:44:33 2010
From: edewata at redhat.com (Endi Sukma Dewata)
Date: Fri, 8 Oct 2010 12:44:33 -0400 (EDT)
Subject: [Freeipa-devel] [PATCH] 565 handle both DER and base64 encoded certs in service plugin
In-Reply-To: <4CAF1DF8.4080900@redhat.com>
Message-ID: <286366947.291891286556273715.JavaMail.root@zmail05.collab.prod.int.phx2.redhat.com>

----- "Rob Crittenden" wrote:

> Accept an incoming certificate as either DER or base64 in the service
> plugin.
>
> The plugin required a base64-encoded certificate and always decoded it
> before processing. This doesn't work with the UI because the json module
> decodes binary values already.
>
> Try to detect if the incoming value is base64-encoded and decode if
> necessary. Finally, try to pull the cert apart to validate it. This will
> tell us for sure that the data is a certificate, regardless of the
> format it came in as.
>
> ticket 348
>
> rob

ACK, but it needs a rebase against the latest.

--
Endi S. Dewata

From edewata at redhat.com Fri Oct 8 16:59:57 2010
From: edewata at redhat.com (Endi Sukma Dewata)
Date: Fri, 8 Oct 2010 12:59:57 -0400 (EDT)
Subject: [Freeipa-devel] [PATCH]admiyo-freeipa-0055-record-limit.patch
In-Reply-To: <4CAF2489.1050708@redhat.com>
Message-ID: <1363170413.293371286557197327.JavaMail.root@zmail05.collab.prod.int.phx2.redhat.com>

----- "Rob Crittenden" wrote:

> Adam Young wrote:
> > This patch hard codes the record limit for the UI to 100. Next step is
> > to make it configurable. This patch is necessary, as without it, some
> > customers with large records will have problems with default queries.
>
> ack

Pushed to master.

--
Endi S. Dewata

From rcritten at redhat.com Fri Oct 8 17:15:32 2010
From: rcritten at redhat.com (Rob Crittenden)
Date: Fri, 08 Oct 2010 13:15:32 -0400
Subject: [Freeipa-devel] [PATCH] 565 handle both DER and base64 encoded certs in service plugin
In-Reply-To: <286366947.291891286556273715.JavaMail.root@zmail05.collab.prod.int.phx2.redhat.com>
References: <286366947.291891286556273715.JavaMail.root@zmail05.collab.prod.int.phx2.redhat.com>
Message-ID: <4CAF51B4.20608@redhat.com>

Endi Sukma Dewata wrote:
> ----- "Rob Crittenden" wrote:
>
>> Accept an incoming certificate as either DER or base64 in the service
>> plugin.
>>
>> The plugin required a base64-encoded certificate and always decoded it
>> before processing. This doesn't work with the UI because the json module
>> decodes binary values already.
>>
>> Try to detect if the incoming value is base64-encoded and decode if
>> necessary. Finally, try to pull the cert apart to validate it. This will
>> tell us for sure that the data is a certificate, regardless of the
>> format it came in as.
>>
>> ticket 348
>>
>> rob
>
> ACK, but it needs a rebase against the latest.
>
> --
> Endi S. Dewata

re-based and pushed to master

rob

From rcritten at redhat.com Fri Oct 8 19:03:56 2010
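The approach described in the patch 565 thread above (accept DER or base64, then pull the value apart to be sure it is a certificate), sketched as an added example that is not the patch's own code. The function and class names are hypothetical, the sample bytes are a constructed certificate-shaped skeleton rather than a real certificate, and the structural check stands in for the full parse a crypto library would perform.

```python
import base64
import binascii
import re


class CertificateFormatError(ValueError):
    """Input is neither DER nor base64/PEM text of certificate-shaped DER."""


def _read_tlv(buf, offset):
    """Return (tag, value_start, value_end) of the DER element at offset."""
    if offset + 2 > len(buf):
        raise CertificateFormatError("truncated element header")
    tag, first = buf[offset], buf[offset + 1]
    pos = offset + 2
    if first < 0x80:                      # short form: one length byte
        length = first
    else:                                 # long form: next n bytes hold the length
        n = first & 0x7F
        if n == 0 or n > 4 or pos + n > len(buf):
            raise CertificateFormatError("bad or truncated length field")
        length = int.from_bytes(buf[pos:pos + n], "big")
        if length < 0x80 or buf[pos] == 0:
            raise CertificateFormatError("length is not minimally encoded")
        pos += n
    if pos + length > len(buf):
        raise CertificateFormatError("element runs past end of input")
    return tag, pos, pos + length


def check_certificate_shape(der):
    """Check the outer X.509 layout and return der unchanged.

    Certificate ::= SEQUENCE { tbsCertificate     SEQUENCE,
                               signatureAlgorithm SEQUENCE,
                               signatureValue     BIT STRING }
    """
    tag, start, end = _read_tlv(der, 0)
    if tag != 0x30:
        raise CertificateFormatError("outer element is not a SEQUENCE")
    if end != len(der):
        raise CertificateFormatError("trailing bytes after the certificate")
    child_tags = []
    pos = start
    while pos < end:
        child_tag, _, pos = _read_tlv(der, pos)
        child_tags.append(child_tag)
    if child_tags != [0x30, 0x30, 0x03]:
        raise CertificateFormatError("not a three-part certificate structure")
    return der


_PEM_RE = re.compile(
    rb"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.DOTALL)


def normalize_certificate(value):
    """Return DER bytes for a certificate given as DER, base64 or PEM."""
    if isinstance(value, str):
        try:
            value = value.encode("ascii")
        except UnicodeEncodeError as exc:
            raise CertificateFormatError("text input is not ASCII") from exc
    # 1. Already binary DER (what a JSON layer hands over after decoding)?
    try:
        return check_certificate_shape(value)
    except CertificateFormatError:
        pass
    # 2. Otherwise treat it as base64, with or without PEM armor.
    match = _PEM_RE.search(value)
    body = b"".join((match.group(1) if match else value).split())
    try:
        # validate=True rejects non-alphabet bytes instead of silently
        # discarding them, so binary junk cannot "decode" into something.
        der = base64.b64decode(body, validate=True)
    except binascii.Error as exc:
        raise CertificateFormatError("not DER and not valid base64") from exc
    # 3. Whatever the encoding was, the result must parse as a certificate.
    return check_certificate_shape(der)


def _tlv(tag, value):
    """Encode one short-form DER element (used for the sample data only)."""
    return bytes([tag, len(value)]) + value


# Constructed sample: certificate-shaped skeleton, NOT a real certificate.
SAMPLE_DER = _tlv(0x30,
                  _tlv(0x30, _tlv(0x02, b"\x01")) +        # tbsCertificate stub
                  _tlv(0x30, _tlv(0x06, b"\x2a\x03")) +    # algorithm stub
                  _tlv(0x03, b"\x00\xaa\xbb"))             # signature stub
SAMPLE_B64 = base64.b64encode(SAMPLE_DER)
SAMPLE_PEM = ("-----BEGIN CERTIFICATE-----\n" + SAMPLE_B64.decode("ascii") +
              "\n-----END CERTIFICATE-----\n")
```

Trying DER first matters: the value is only base64-decoded when it does not already parse, so a certificate that arrives pre-decoded is never decoded a second time.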
From: rcritten at redhat.com (Rob Crittenden)
Date: Fri, 08 Oct 2010 15:03:56 -0400
Subject: [Freeipa-devel] [PATCH] 566 disallow writes on some attributes
Message-ID: <4CAF6B1C.3080704@redhat.com>

Disallow writes on serverHostName, enrolledBy and memberOf

Regular users already can't write these, it just affects admins.

serverHostName because this is tied to the FQDN so should only be
changed on a host rename (which we don't do).

enrolledBy because this should reflect reality.

memberOf because the plugin should do this. Directly managing this
attribute would be pretty dangerous and confusing.

Also remove a redundant aci granting the admins group write access to
users and groups. They have it through the "admins can modify any
entry" aci.

tickets 300, 302, 304

rob
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-566-write.patch
Type: application/mbox
Size: 4752 bytes
Desc: not available
URL:

From rcritten at redhat.com Fri Oct 8 19:07:53 2010
From: rcritten at redhat.com (Rob Crittenden)
Date: Fri, 08 Oct 2010 15:07:53 -0400
Subject: [Freeipa-devel] [PATCH] 566 disallow writes on some attributes
In-Reply-To: <4CAF6B1C.3080704@redhat.com>
References: <4CAF6B1C.3080704@redhat.com>
Message-ID: <4CAF6C09.70001@redhat.com>

Rob Crittenden wrote:
> Disallow writes on serverHostName, enrolledBy and memberOf
>
> Regular users already can't write these, it just affects admins.
>
> serverHostName because this is tied to the FQDN so should only be
> changed on a host rename (which we don't do).
>
> enrolledBy because this should reflect reality.
>
> memberOf because the plugin should do this. Directly managing this
> attribute would be pretty dangerous and confusing.
>
> Also remove a redundant aci granting the admins group write access to
> users and groups. They have it through the "admins can modify any
> entry" aci.
>
> tickets 300, 302, 304
>
> rob

Updated patch. We need to allow writing enrolledBy so we can actually
enroll a host! I'll have to prevent writes to this by other means or
through a more specific aci.

rob
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-566-write.patch
Type: application/mbox
Size: 4685 bytes
Desc: not available
URL:

From dpal at redhat.com Fri Oct 8 19:53:49 2010
From: dpal at redhat.com (Dmitri Pal)
Date: Fri, 08 Oct 2010 15:53:49 -0400
Subject: [Freeipa-devel] Proposal about ACI management in IPA v2
Message-ID: <4CAF76CD.1040103@redhat.com>

Hello,

For some background see: http://www.freeipa.com/page/Access_Control

I took a look at the ACIs in DS. An ACI consists of 6 parts:
1) Name
2) Users and Groups that the permission is granted to
3) The right (read, write, add, delete etc)
4) Target - an object against which the operation is performed
effectively an LDAP filter
5) Host - to have different rules for different clients (not interesting
for now)
6) Time when the rule is active (we will assume all).

Our goal is to provide an easy way to specify and manage ACIs via UI
and CLI.
To accomplish this goal we need to provide a much simpler abstraction
that can be reused for CLI and UI.
But first let us limit the ACI itself and leave only the parts that are
really needed.
We really need Name, User/Group, Right and Target. We will not do
anything about Host and Time.
The right can be limited to:
write, add, delete.
Assume that any authenticated user can read, search and compare. We
should also assume that every user can manage a predefined subset of the
attributes in his entry. So we are actually talking about three rights here:
add, delete and modify. For the sake of IPA v2 I am willing to go even
further in simplifying ACIs and say that there are three kinds of rights:
* full control which translates into add an object, delete an object and
modify any attribute (this is a superuser mode)
* operational control which translates into add an object, delete an
object and modify a predefined subset of the attributes
* tuneup control which translates into add an object, delete an object
and modify a predefined subset of the attributes

Target is the most complex one; it consists of the attributes and
filters. This is where an abstraction will be really helpful.
For this I suggest we create an ACI helper object class.
The object class will consist of the following attributes
name - a unique name of the helper like: User - full control, User -
standard management, User - limited access, etc
filter - single value string attribute that denotes a filter that allows
to identify the object the helper applies to
right - a multi value attribute that specifies rights, in our cases
based on the three operations above it will be either triplet add,
modify, delete or just modify
attributes - a multi value string attribute that stores the set of
attributes the ACI applies to
negation - a boolean flag that specifies how to interpret the attribute
list i.e. are those the attributes that the rule applies to or they are
the attributes excluded from the rule.

here is the example:

dn: cn=User - full control, cn=ipaconfig, dc=somewhere, dc=com
objectclass: ipaACIHelper
cn: User - full control
filter: ...
attributes: password
negation: true

This is just an example and we can sort out the right names so do not
pick on me if the attribute already exists and we should reuse it. It is
semantics at the moment.

Any ACI has a name. We need to allow advanced administrators (and
ourselves) to manage raw ACIs. On the other hand we need to allow
managing "simplified" ACIs in CLI and UI.
For this I suggest we use the following linking between the actual ACIs
and helper object:
The ACI name will store a DN of the helper object.

Let us look at the commands that associate ACIs with a "taskgroup":

ipa aci-add -aci='User - full control ' taskgroup

for this command the management plugin will look up helper object
and create an ACI based on the data stored in the helper object.

ipa aci-del -aci='User - full control' taskgroup

for this command the management plugin will find the aci that has the
name equal to the DN of the specified helper object.

ipa aci-find -aci='User - full control' taskgroup

will find the helper object by name, find an ACI by the DN of the helper
object.

ipa aci-list taskgroup

will list the ACIs for the taskgroup. If the ACI name is a DN of a
helper object the contents of the helper object will be displayed. If
the ACI does not map to the helper object then it will not be shown.

This way only the ACIs that are attached to helper objects will be
visible through the UI and CLI and custom CLIs created by IPA at the
installation or CLIs created manually by admins will be accessible via LDAP.

The helper object will be preloaded and predefined and thus not
replicated. This means that each new extension to IPA will need to add
its own helper entries. For SUDO for example it will be probably couple
entries. One to do everything and another to modify a subset of the
attributes in the rule.

What is good about this approach is that later we can add an interface
to create helper objects. Those are much better structured and would be
easier to manage. For example instead of actually typing filter we can
have a selectable list of the objects like "user", "group", "sudo",
"hbac rule" etc. (The mapping between name and actual filter might be
stored in another kind of the helper object - but we will get there
later). Yes that would mean that the admin would have to create a helper
object then to create ACI using this object, then combine the task into
role but it is manageable because the complex task is decomposed into
logical parts. I do not suggest that we do it in v2 but I think it is a
way to go in general in future.

Hope this approach does not have many flaws. Yes it will require some work
in the ACI space but I hope it is not a huge rework.

--
Thank you,
Dmitri Pal

Engineering Manager IPA project,
Red Hat Inc.

From rcritten at redhat.com Fri Oct 8 21:09:52 2010
From: rcritten at redhat.com (Rob Crittenden)
Date: Fri, 08 Oct 2010 17:09:52 -0400
Subject: [Freeipa-devel] Proposal about ACI management in IPA v2
In-Reply-To: <4CAF76CD.1040103@redhat.com>
References: <4CAF76CD.1040103@redhat.com>
Message-ID: <4CAF88A0.1050607@redhat.com>

Dmitri Pal wrote:
> Hello,
>
> For some background see: http://www.freeipa.com/page/Access_Control
>
> I took a look at the ACIs in DS. An ACI consists of 6 parts:
> 1) Name
> 2) Users and Groups that the permission is granted to
> 3) The right (read, write, add, delete etc)
> 4) Target - an object against which the operation is performed
> effectively an LDAP filter
> 5) Host - to have different rules for different clients (not interesting
> for now)
> 6) Time when the rule is active (we will assume all).

I don't agree with this simplification. I'll try to comment in-line.

An ACI has 3 parts: the target, the permissions and who are you granting
the rights to (the bind rule).

They affect more than just users and groups. They affect anything in the
system, or everything in the system. They can control any object in the
tree: users, groups, hosts, hostgroups, netgroups, services, hbac, sudo,
etc. or attributes in any object.

There is also the placement of the ACI which controls what it affects.
We currently place all ACIs in the basedn of the tree (a necessary
simplification for now).

> Our goal is to provide an easy way to specify and manage ACIs via UI
> and CLI.
> To accomplish this goal we need to provide a much simpler abstraction
> that can be reused for CLI and UI.
> But first let us limit the ACI itself and leave only the parts that are
> really needed.
> We really need Name, User/Group, Right and Target. We will not do
> anything about Host and Time.
> The right can be limited to:
> write, add, delete.
> Assume that any authenticated user can read, search and compare. We
> should also assume that every user can manage a predefined subset of the
> attributes in his entry.
> So we are actually talking about three rights here:
> add, delete and modify. For the sake of IPA v2 I am willing to go even
> further in simplifying ACIs and say that there are three kinds of rights:
> * full control which translates into add an object, delete an object and
> modify any attribute (this is a superuser mode)
> * operational control which translates into add an object, delete an
> object and modify a predefined subset of the attributes
> * tuneup control which translates into add an object, delete an object
> and modify a predefined subset of the attributes

Read is rather important, particularly for things like userPassword. But
yes, most acis will use either add, delete or write.

Don't assume that users can manage their own entries. This in itself is
an ACI that people will want to control.

I know we have to start somewhere with the rights abstractions but I
think these controls will be misunderstood and lead to problems.

>
> Target is the most complex one; it consists of the attributes and
> filters. This is where an abstraction will be really helpful.
> For this I suggest we create an ACI helper object class. The object
> class will consist of the following attributes
> name - a unique name of the helper like: User - full control, User -
> standard management, User - limited access, etc
> filter - single value string attribute that denotes a filter that allows
> to identify the object the helper applies to
> right - a multi value attribute that specifies rights, in our cases
> based on the three operations above it will be either triplet add,
> modify, delete or just modify
> attributes - a multi value string attribute that stores the set of
> attributes the ACI applies to
> negation - a boolean flag that specifies how to interpret the attribute
> list i.e. are those the attributes that the rule applies to or they are
> the attributes excluded from the rule.
> > here is the example: > > dn: cn=User - full control, cn=ipaconfig, dc=somewhere, dc=com > objectclass: ipaACIHelper > cn: User - full control > filter: ... > attributes: password > nagation: true I can see what you are trying to do but I am really, very strongly against this. We can manage this data internally just as easily. I think this is a recipe for getting the acis out of sync. We actually have most of this implemented today. What it lacks is a way to *output* an aci so it can be easily represented in a UI or on the command line. That is where our focus should be. I'm not sure I agree with the full/object/etc abstractions, I think they would be easily abused/misunderstood because the definitions of these aren't obvious (and don't actually grant what you might expect them to). You also have to understand how the tree is put together and how we use it. For example, to add a user you need 3 acis: - an aci to add a user to the tree - an aci granting permission to write the password - an aci granting permission to add a member to a group Also, the 389-ds team has very strong recommended against using deny ACIs in the past which is why I don't support them in the current plugin. > > This is just an example and we can sort out the right names so do not > pick me if the attribute already exists and we should reuse it. It is > semantics at the moment. > > Any ACI has a name. We need to allow advanced administrators (and > ourselves) to manage raw ACIs. On the other hand we need to allow > managing "simplified" ACIs in CLI and UI. > For this I suggest we use the following linking between the actual ACIs > and helper object: > The ACI name will store a DN of the helper object. > > Let us look at the commands that associate ACIs with a "taskgroup": > > ipa aci-add -aci='User - full control ' taskgroup > > for this command the management plugin will will lookup helper object > and create an ACI based on the data stored in the helper object. 
> > ipa aci-del -aci='User - full control' taskgroup > > for this command the management plugin will find the aci that has the > name equal to the DN of the specified helper object. > > ipa aci-find -aci='User - full control' taskgroup > > will find the helper object by name, find an ACI by the DN of the helper > object. > > ipa aci-list taskgroup > > will list the ACIs for the taskgroup. If the ACI name is a DN of a > helper object the contents of the helper object will be displayed. If > the ACI doe not map to the helper object then it will not be shown. > > This way only the ACIs that are attached to helper objects will be > visible through the UI and CLI and custom CLIs created by IPA at the > installation or CLIs created manually by admins will be accessible via LDAP. > > The helper object will be preloaded and predefined and thus not > replicated. This means that each new extension to IPA will need to add > its own helper entries. For SUDO for example it will be probably couple > entries. One to do everything and another to modify a subset of the > attributes in the rule. ACIs are ACIs. There is nothing a plugin would add except perhaps a part of the DIT. See the type enum currently in the plugin. > What is good about this approach is that later we can add an interface > to create helper objects. Those are much better structured and would be > easier to manage. For example instead of actually typing filter we can > have a selectable list of the objects like "user", "group", "sudo", > "hbac rule" etc. (The mapping between name and actual filter might be > stored in another kind of the helper object - but we will get there > later). Yes that would mean that the admin would have to create a helper > object then to create ACI using this object, then combine the task into > role but it is manageable because the complex task is decomposed into > logical parts. I do not suggest that we do it in v2 but I think it is a > way to go in general in future. 
We actually have these objects implemented in the current plugin. The following aci commands all work today: You can say "This taskgroup can add users": ipa aci-add 'Add Users' --type=user --taskgroup=add_users --permissions=add This creates the aci: (target = "ldap:///uid=*,cn=users,cn=accounts,dc=example,dc=com")(version 3.0;acl "Add Users";allow (add) groupdn = "ldap:///cn=add_users,cn=taskgroups,cn=accounts,dc=example,dc=com";) It will even create the taskgroup for you if it doesn't already exist. Right now I just have defined users, groups and hosts but it is trivial to add the others. I couldn't think of a reason the would want this since we supply pre-canned versions of add/delete/modify for those on install, but I can add them as options if desired. We also need to cover v1-style delegation: group A can write attributes of group B. Secretaries can write the mailing address of engineers: ipa aci-add --attrs=streetAddress,postalCode,c,l,st --memberof=engineering --group=secretaries --permissions=write "Secretaries can write engineering addresses" (targetattr = "streetAddress || postalCode || c || l || st")(targetfilter = "(memberOf=cn=secretaries,cn=groups,cn=accounts,dc=example,dc=com)")(version 3.0;acl "Secretaries can write engineering addresses";allow (write) groupdn = "ldap:///cn=secretaries,cn=groups,cn=accounts,dc=example,dc=com";) Or even simple things like "I want my engineers to be able to add hosts" ipa aci-add --type=host --permissions=write --group=engineering 'Engineers can add hosts' (target = "ldap:///fqdn=*,cn=computers,cn=accounts,dc=example,dc=com")(version 3.0;acl "Engineers can add hosts";allow (write) groupdn = "ldap:///cn=engineering,cn=groups,cn=accounts,dc=example,dc=com";) Ideally these would be mostly done through existing taskgroups instead: ipa taskgroup-add-member --groups=engineering addhosts Or even more preferably via rolegroups: ipa rolegroup-add-member --groups=engineering hostadmin The aci's here are actual output from the 
plugin. This is where we need the work. I already have an internal abstraction of the acis so I can operate on them. I merely need to display this instead of the aci string and I think we'll be good to go. Some way to manage the attribute list without requiring one to type the whole thing would be nice too. > > Hope this approach does not have much flaws. Yes it will require some > work in the ACI space but I hope it is not a huge rework. > This would represent a tremendous amount of work. I think we would be better served fixing the way that acis are output so the UI (and by extension cli) can better represent the data to users. The --raw option can display the raw aci. Working with acis is always going to be a bit of a nasty business because by definition you have to deal directly with LDAP attribute names, the DIT and how we create and manage objects in the framework. rob From rmeggins at redhat.com Fri Oct 8 21:20:23 2010 
From: rmeggins at redhat.com (Rich Megginson)
Date: Fri, 08 Oct 2010 15:20:23 -0600
Subject: [Freeipa-devel] Proposal about ACI management in IPA v2
In-Reply-To: <4CAF88A0.1050607@redhat.com>
References: <4CAF76CD.1040103@redhat.com> <4CAF88A0.1050607@redhat.com>
Message-ID: <4CAF8B17.5070709@redhat.com>

Rob Crittenden wrote:
> Dmitri Pal wrote:
>> Hello,
>>
>> For some background see: http://www.freeipa.com/page/Access_Control
>>
>> I took a look at the ACIs in DS. An ACI consists of 6 parts:
>> 1) Name
>> 2) Users and Groups that the permission is granted to
>> 3) The right (read, write, add, delete etc)
>> 4) Target - an object against which the operation is performed
>> effectively an LDAP filter
>> 5) Host - to have different rules for different clients (not interesting
>> for now)
>> 6) Time when the rule is active (we will assume all).
>
> I don't agree with this simplification. I'll try to comment in-line.
>
> An ACI has 3 parts: the target, the permissions and who are you
> granting the rights to (the bind rule). They affect more than just
> users and groups. They affect anything in the system, or everything in
> the system. They can control any object in the tree: users, groups,
> hosts, hostgroups, netgroups, services, hbac, sudo, etc. or attributes
> in any object.
>
> There is also the placement of the ACI which controls what it affects.
> We currently place all ACIs in the basedn of the tree (a necessary
> simplification for now).
>
>> Our goal is to provide an easy way to specify and manage ACIs via UI
>> and CLI.
>> To accomplish this goal we need to provide a much simpler abstraction
>> that can be reused for CLI and UI.
>> But first let us limit the ACI itself and leave only the parts that are
>> really needed.
>> We really need Name, User/Group, Right and Target. We will not do
>> anything about Host and Time.
>> The right can be limited to:
>> write, add, delete.
>> Assume that any authenticated user can read, search and compare. We
>> should also assume that every user can manage a predefined subset of the
>> attributes in his entry. So we are actually talking about three rights here:
>> add, delete and modify. For the sake of IPA v2 I am willing to go even
>> further in simplifying ACIs and say that there are three kinds of
>> rights:
>> * full control which translates into add an object, delete an object and
>> modify any attribute (this is a superuser mode)
>> * operational control which translates into add an object, delete an
>> object and modify a predefined subset of the attributes
>> * tuneup control which translates into add an object, delete an object
>> and modify a predefined subset of the attributes
>
> Read is rather important, particularly for things like userPassword.
> But yes, most acis will use either add, delete or write.
>
> Don't assume that users can manage their own entries. This in itself
> is an ACI that people will want to control.
>
> I know we have to start somewhere with the rights abstractions but I
> think these controls will be misunderstood and lead to problems.
>
>>
>> Target is the most complex one it consists from the attributes and
>> filters. This is where an abstraction will be really helpful.
>> For this I suggest we create an ACI helper object class. The object
>> class will consist of the following attributes
>> name - a unique name of the helper like: User - full control, User -
>> standard management, User - limited access, etc
>> filter - single value string attribute that denotes a filter that allows
>> to identify the object the helper applies to
>> right - a multi value attribute that specifies rights, in our cases
>> based on the three operations above it will be either triplet add,
>> modify, delete or just modify
>> attributes - a multi value string attribute that stores the set of
>> attributes the ACI applies to
>> negation - a boolean flag that specified how to interpret the attribute
>> list i.e. are those the attributes that the rule applies to or they are
>> the attributes excluded from the rule.
>>
>> here is the example:
>>
>> dn: cn=User - full control, cn=ipaconfig, dc=somewhere, dc=com
>> objectclass: ipaACIHelper
>> cn: User - full control
>> filter: ...
>> attributes: password
>> negation: true
>
> I can see what you are trying to do but I am really, very strongly
> against this. We can manage this data internally just as easily. I
> think this is a recipe for getting the acis out of sync.
>
> We actually have most of this implemented today. What it lacks is a
> way to *output* an aci so it can be easily represented in a UI or on
> the command line. That is where our focus should be.
>
> I'm not sure I agree with the full/object/etc abstractions, I think
> they would be easily abused/misunderstood because the definitions of
> these aren't obvious (and don't actually grant what you might expect
> them to).
>
> You also have to understand how the tree is put together and how we
> use it. For example, to add a user you need 3 acis:
> - an aci to add a user to the tree
> - an aci granting permission to write the password
> - an aci granting permission to add a member to a group
>
> Also, the 389-ds team has very strongly recommended against using deny
> ACIs in the past which is why I don't support them in the current plugin.
>
>>
>> This is just an example and we can sort out the right names so do not
>> pick me if the attribute already exists and we should reuse it. It is
>> semantics at the moment.
>>
>> Any ACI has a name. We need to allow advanced administrators (and
>> ourselves) to manage raw ACIs. On the other hand we need to allow
>> managing "simplified" ACIs in CLI and UI.
>> For this I suggest we use the following linking between the actual ACIs
>> and helper object:
>> The ACI name will store a DN of the helper object.
>>
>> Let us look at the commands that associate ACIs with a "taskgroup":
>>
>> ipa aci-add -aci='User - full control ' taskgroup
>>
>> for this command the management plugin will look up helper object
>> and create an ACI based on the data stored in the helper object.
>>
>> ipa aci-del -aci='User - full control' taskgroup
>>
>> for this command the management plugin will find the aci that has the
>> name equal to the DN of the specified helper object.
>>
>> ipa aci-find -aci='User - full control' taskgroup
>>
>> will find the helper object by name, find an ACI by the DN of the helper
>> object.
>>
>> ipa aci-list taskgroup
>
>>
>> will list the ACIs for the taskgroup. If the ACI name is a DN of a
>> helper object the contents of the helper object will be displayed. If
>> the ACI does not map to the helper object then it will not be shown.
>>
>> This way only the ACIs that are attached to helper objects will be
>> visible through the UI and CLI and custom CLIs created by IPA at the
>> installation or CLIs created manually by admins will be accessible
>> via LDAP.
>>
>> The helper object will be preloaded and predefined and thus not
>> replicated. This means that each new extension to IPA will need to add
>> its own helper entries. For SUDO for example it will be probably couple
>> entries. One to do everything and another to modify a subset of the
>> attributes in the rule.
>
> ACIs are ACIs. There is nothing a plugin would add except perhaps a
> part of the DIT. See the type enum currently in the plugin.
>
>> What is good about this approach is that later we can add an interface
>> to create helper objects. Those are much better structured and would be
>> easier to manage. For example instead of actually typing filter we can
>> have a selectable list of the objects like "user", "group", "sudo",
>> "hbac rule" etc. (The mapping between name and actual filter might be
>> stored in another kind of the helper object - but we will get there
>> later). Yes that would mean that the admin would have to create a helper
>> object then to create ACI using this object, then combine the task into
>> role but it is manageable because the complex task is decomposed into
>> logical parts. I do not suggest that we do it in v2 but I think it is a
>> way to go in general in future.
>
> We actually have these objects implemented in the current plugin. The
> following aci commands all work today:
>
> You can say "This taskgroup can add users":
>
> ipa aci-add 'Add Users' --type=user --taskgroup=add_users
> --permissions=add
>
> This creates the aci:
>
> (target =
> "ldap:///uid=*,cn=users,cn=accounts,dc=example,dc=com")(version
> 3.0;acl "Add Users";allow (add) groupdn =
> "ldap:///cn=add_users,cn=taskgroups,cn=accounts,dc=example,dc=com";)
>
> It will even create the taskgroup for you if it doesn't already exist.
>
> Right now I just have defined users, groups and hosts but it is
> trivial to add the others. I couldn't think of a reason the would want
> this since we supply pre-canned versions of add/delete/modify for
> those on install, but I can add them as options if desired.
>
> We also need to cover v1-style delegation: group A can write
> attributes of group B.
>
> Secretaries can write the mailing address of engineers:
>
> ipa aci-add --attrs=streetAddress,postalCode,c,l,st
> --memberof=engineering --group=secretaries --permissions=write
> "Secretaries can write engineering addresses"
>
> (targetattr = "streetAddress || postalCode || c || l ||
> st")(targetfilter =
> "(memberOf=cn=secretaries,cn=groups,cn=accounts,dc=example,dc=com)")(version
> 3.0;acl "Secretaries can write engineering addresses";allow (write)
> groupdn =
> "ldap:///cn=secretaries,cn=groups,cn=accounts,dc=example,dc=com";)
>
> Or even simple things like "I want my engineers to be able to add hosts"
>
> ipa aci-add --type=host --permissions=write --group=engineering
> 'Engineers can add hosts'
>
> (target =
> "ldap:///fqdn=*,cn=computers,cn=accounts,dc=example,dc=com")(version
> 3.0;acl "Engineers can add hosts";allow (write) groupdn =
> "ldap:///cn=engineering,cn=groups,cn=accounts,dc=example,dc=com";)
>
> Ideally these would be mostly done through existing taskgroups instead:
>
> ipa taskgroup-add-member --groups=engineering addhosts
>
> Or even more preferably via rolegroups:
>
> ipa rolegroup-add-member --groups=engineering hostadmin
>
> The aci's here are actual output from the plugin. This is where we
> need the work. I already have an internal abstraction of the acis so I
> can operate on them. I merely need to display this instead of the aci
> string and I think we'll be good to go. Some way to manage the
> attribute list without requiring one to type the whole thing would be
> nice too.
>
>>
>> Hope this approach does not have much flaws. Yes it will require some
>> work in the ACI space but I hope it is not a huge rework.
>>
>
> This would represent a tremendous amount of work. I think we would be
> better served fixing the way that acis are output so the UI (and by
> extension cli) can better represent the data to users. The --raw
> option can display the raw aci.
>
> Working with acis is always going to be a bit of a nasty business
> because by definition you have to deal directly with LDAP attribute
> names, the DIT and how we create and manage objects in the framework.

Might I suggest looking at the ACI editor in the 389-console - IMHO it
hides as much as it can - one big problem is the fact that we do not
have a client side ACI parser.

>
> rob
>

From rcritten at redhat.com Sat Oct 9 02:47:32 2010
From: rcritten at redhat.com (Rob Crittenden)
Date: Fri, 08 Oct 2010 22:47:32 -0400
Subject: [Freeipa-devel] [PATCH] 567 fix group deletion
Message-ID: <4CAFD7C4.5030407@redhat.com>

Group deletion was failing with an error about too many values.

rob
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-567-group.patch
Type: application/mbox
Size: 1025 bytes
Desc: not available
URL:

From edewata at redhat.com Sat Oct 9 04:23:44 2010
From: edewata at redhat.com (Endi Sukma Dewata)
Date: Sat, 9 Oct 2010 00:23:44 -0400 (EDT)
Subject: [Freeipa-devel] [PATCH] Certificate management for services.
In-Reply-To: <1262619961.1091286598145011.JavaMail.root@zmail05.collab.prod.int.phx2.redhat.com>
Message-ID: <1455026464.1111286598224759.JavaMail.root@zmail05.collab.prod.int.phx2.redhat.com>

Hi,

Please review the attached patch. Thanks!

This is an initial implementation of certificate management for
services. It addresses the mechanism required to view and update
certificates. The complete UI implementation will be addressed in
subsequent patches.

On the server side, the service.py has been modified to define
usercertificate in the service object's takes_params. This is needed
to generate the proper JSON metadata which is needed by the UI. It
also has been modified to accept null certificate for deletion.

On the client side, the service details page has been modified to
display the base64-encoded certificate in a text area. When the page
is saved, the action handler will store the base64-encoded certificate
in the proper JSON structure. Also the service name and service
hostname are now displayed in separate fields.

The details configuration has been modified to support displaying and
updating certificates. The structure is changed to use maps to define
sections and fields. A section contains name, label, and an array of
fields. A field contains name, label, setup function, load function,
and save function. This is used to implement custom interface and
behavior for certificates.

All other entities, test cases, and test data have been updated
accordingly. Some functions and variables have been renamed to improve
clarity and consistency.

--
Endi S. Dewata
-------------- next part --------------
A non-text attachment was scrubbed...
Name: edewata-freeipa-0019-Certificate-management-for-services.patch
Type: text/x-patch
Size: 54614 bytes
Desc: not available
URL:

From davido at redhat.com Mon Oct 11 00:10:31 2010
From: davido at redhat.com (David O'Brien)
Date: Mon, 11 Oct 2010 10:10:31 +1000
Subject: [Freeipa-devel] [PATCH] 559 update ipa-getkeytab man page
In-Reply-To: <4CAF290A.4090703@redhat.com>
References: <4CAB884F.4000400@redhat.com> <4CABC8FF.9080005@redhat.com> <4CAC7890.7080708@redhat.com> <4CAD1D59.5010305@redhat.com> <4CADFDBC.6010205@redhat.com> <4CAE9000.9020800@redhat.com> <4CAF290A.4090703@redhat.com>
Message-ID: <4CB255F7.2030806@redhat.com>

Rob Crittenden wrote:
> David O'Brien wrote:
>> Adam Young wrote:
>>> On 10/06/2010 09:07 PM, David O'Brien wrote:
>>>> Rob Crittenden wrote:
>>>>> David O'Brien wrote:
>>>>>> Rob Crittenden wrote:
>>>>>>> Add some missing options to the ipa-getkeytab man page.
>>>>>>>
>>>>>>> rob
>>>>>>>
>>>>>>>
>>>>>> Can you be consistent with "Kerberos" instead of adding "kerberos" to
>>>>>> the mix as well (unless necessary, of course)?
>>>>>>
>>>>>> If my understanding is correct, I'd update the following:
>>>>>> "The LDAP password when not binding with Kerberos." to include
>>>>>> "...password to use when not..."
>>>>>>
>>>>>> cheers
>>>>>
>>>>> Updated patch attached.
>>>>>
>>>>> rob
>>>> No more complaints from me.
>>>> (I'm purposely not using "nack" or "ack" because I don't write man
>>>> pages, and haven't tried to apply this patch. I'm just checking a bit
>>>> of English.)
>>>>
>>> David, it is certainly OK for you to ACK/NACK something like this.
>>> We'll know if it "Breaks the build" pretty quickly, so we're not
>>> worried about computer language syntax errors, just natural language
>>> syntax errors.
>>>
>>
>> ok, thanks for that. Will bear that in mind for similar patches in the
>> future.
>>
>
> So is that an ack? ;-)
>
> rob

Pedant :P

ACK

--
David O'Brien
Red Hat APAC Pty Ltd

"We couldn't care less about comfort. We make you feel good."
Federico Minoli CEO Ducati Motor S.p.A.

From dpal at redhat.com Mon Oct 11 03:27:33 2010
From: dpal at redhat.com (Dmitri Pal) Date: Sun, 10 Oct 2010 23:27:33 -0400 Subject: [Freeipa-devel] Proposal about ACI management in IPA v2 In-Reply-To: <4CAF8B17.5070709@redhat.com> References: <4CAF76CD.1040103@redhat.com> <4CAF88A0.1050607@redhat.com> <4CAF8B17.5070709@redhat.com> Message-ID: <4CB28425.60104@redhat.com> Rich Megginson wrote: > Rob Crittenden wrote: >> Dmitri Pal wrote: >>> Hello, >>> >>> For some background see: http://www.freeipa.com/page/Access_Control >>> >>> I took a look at the ACIs in DS. An ACI consists of 6 parts: >>> 1) Name >>> 2) Users and Groups that the permission is granted to >>> 3) The right (read, write, add, delete etc) >>> 4) Target - an object against which the operation is performed >>> effectively an LDAP filter >>> 5) Host - to have different rules for different clients (not >>> interesting >>> for now) >>> 6) Time when the rule is active (we will assume all). >> >> I don't agree with this simplification. I'll try to comment in-line. >> >> An ACI has 3 parts: the target, the permissions and who are you >> granting the rights to (the bind rule). They affect more than just >> users and groups. They affect anything in the system, or everything >> in the system. They can control any object in the tree: users, >> groups, hosts, hostgroups, netgroups, services, hbac, sudo, etc. or >> attributes in any object. >> >> There is also the placement of the ACI which controls what it >> affects. We currently place all ACIs in the basedn of the tree (a >> necessary simplification for now). >> >>> Our goal is to provide and easy to was to specify and manage ACIs vi UI >>> and CLI. >>> To accomplish this goal we need to provide a much simple abstraction >>> that can be reused for CLI and UI. >>> But first let us limit the ACI itself and leave only the parts that are >>> really needed. >>> We really need Name, User/Group, Right and Target. We will not do >>> anything about Host and Time. 
>>> The right can be limited to: >>> write, add, delete. >>> Assume that any authenticated user can read, search and compare. We >>> should also assume that every user can manage a predefined subset of >>> the >>> attributes in his entry. So we actually talking about three rights >>> here: >>> add, delete and modify. For the sake of IPA v2 I am willing to go even >>> further in simplifying ACIs and say that there are three kinds of >>> rights: >>> * full control which translates into add an object, delete an object >>> and >>> modify any attribute (this is a superuser mode) >>> * operational control which translates into add an object, delete an >>> object and modify a predefined subset of the attributes >>> * tuneup control which translates into add an object, delete an object >>> and modify a predefined subset of the attributes >> >> Read is rather important, particularly for things like userPassword. >> But yes, most acis will use either add, delete or write. >> >> Don't assume that users can manage their own entries. This in itself >> is an ACI that people will want to control. >> >> I know we have to start somewhere with the rights abstractions but I >> think these controls will be misunderstood and lead to problems. >> >>> >>> Target is the most complex one it consists from the attributes and >>> filters. This is where an abstraction will be really helpful. >>> For this I suggest we create an ACI helper object class. 
The object >>> class will consist of the following attributes >>> name - a unique name of the helper like: User - full control, User - >>> standard management, User - limited access, etc >>> filter - single value string attribute that denotes a filter that >>> allows >>> to identify the object the helper applies to >>> right - a multi value attribute that specifies rights, in out cases >>> based on the three operations above it will be either triplet add, >>> modify, delete or just modify >>> attributes - a multi value string attribute that stores the set of >>> attributes the ACI applies to >>> negation - a boolean flag that specified how to interpret the attribute >>> list i.e. are those the attributes that the rule applies to or they are >>> the attributes excluded from the rule. >>> >>> here is the example: >>> >>> dn: cn=User - full control, cn=ipaconfig, dc=somewhere, dc=com >>> objectclass: ipaACIHelper >>> cn: User - full control >>> filter: ... >>> attributes: password >>> nagation: true >> >> I can see what you are trying to do but I am really, very strongly >> against this. We can manage this data internally just as easily. I >> think this is a recipe for getting the acis out of sync. >> >> We actually have most of this implemented today. What it lacks is a >> way to *output* an aci so it can be easily represented in a UI or on >> the command line. That is where our focus should be. >> >> I'm not sure I agree with the full/object/etc abstractions, I think >> they would be easily abused/misunderstood because the definitions of >> these aren't obvious (and don't actually grant what you might expect >> them to). >> >> You also have to understand how the tree is put together and how we >> use it. 
For example, to add a user you need 3 acis: >> - an aci to add a user to the tree >> - an aci granting permission to write the password >> - an aci granting permission to add a member to a group >> >> Also, the 389-ds team has very strong recommended against using deny >> ACIs in the past which is why I don't support them in the current >> plugin. >> >>> >>> This is just an example and we can sort out the right names so do not >>> pick me if the attribute already exists and we should reuse it. It is >>> semantics at the moment. >>> >>> Any ACI has a name. We need to allow advanced administrators (and >>> ourselves) to manage raw ACIs. On the other hand we need to allow >>> managing "simplified" ACIs in CLI and UI. >>> For this I suggest we use the following linking between the actual ACIs >>> and helper object: >>> The ACI name will store a DN of the helper object. >>> >>> Let us look at the commands that associate ACIs with a "taskgroup": >>> >>> ipa aci-add -aci='User - full control ' taskgroup >>> >>> for this command the management plugin will will lookup helper object >>> and create an ACI based on the data stored in the helper object. >>> >>> ipa aci-del -aci='User - full control' taskgroup >>> >>> for this command the management plugin will find the aci that has the >>> name equal to the DN of the specified helper object. >>> >>> ipa aci-find -aci='User - full control' taskgroup >>> >>> will find the helper object by name, find an ACI by the DN of the >>> helper >>> object. >>> >>> ipa aci-list taskgroup >> >>> >>> will list the ACIs for the taskgroup. If the ACI name is a DN of a >>> helper object the contents of the helper object will be displayed. If >>> the ACI doe not map to the helper object then it will not be shown. >>> >>> This way only the ACIs that are attached to helper objects will be >>> visible through the UI and CLI and custom CLIs created by IPA at the >>> installation or CLIs created manually by admins will be accessible >>> via LDAP. 
>>> >>> The helper object will be preloaded and predefined and thus not >>> replicated. This means that each new extension to IPA will need to add >>> its own helper entries. For SUDO for example it will be probably couple >>> entries. One to do everything and another to modify a subset of the >>> attributes in the rule. >> >> ACIs are ACIs. There is nothing a plugin would add except perhaps a >> part of the DIT. See the type enum currently in the plugin. >> >>> What is good about this approach is that later we can add an interface >>> to create helper objects. Those are much better structured and would be >>> easier to manage. For example instead of actually typing filter we can >>> have a selectable list of the objects like "user", "group", "sudo", >>> "hbac rule" etc. (The mapping between name and actual filter might be >>> stored in another kind of the helper object - but we will get there >>> later). Yes that would mean that the admin would have to create a >>> helper >>> object then to create ACI using this object, then combine the task into >>> role but it is manageable because the complex task is decomposed into >>> logical parts. I do not suggest that we do it in v2 but I think it is a >>> way to go in general in future. >> >> We actually have these objects implemented in the current plugin. The >> following aci commands all work today: >> >> You can say "This taskgroup can add users": >> >> ipa aci-add 'Add Users' --type=user --taskgroup=add_users >> --permissions=add >> >> This creates the aci: >> >> (target = >> "ldap:///uid=*,cn=users,cn=accounts,dc=example,dc=com")(version >> 3.0;acl "Add Users";allow (add) groupdn = >> "ldap:///cn=add_users,cn=taskgroups,cn=accounts,dc=example,dc=com";) >> >> It will even create the taskgroup for you if it doesn't already exist. >> >> Right now I just have defined users, groups and hosts but it is >> trivial to add the others. 
I couldn't think of a reason the would >> want this since we supply pre-canned versions of add/delete/modify >> for those on install, but I can add them as options if desired. >> >> We also need to cover v1-style delegation: group A can write >> attributes of group B. >> >> Secretaries can write the mailing address of engineers: >> >> ipa aci-add --attrs=streetAddress,postalCode,c,l,st >> --memberof=engineering --group=secretaries --permissions=write >> "Secretaries can write engineering addresses" >> >> (targetattr = "streetAddress || postalCode || c || l || >> st")(targetfilter = >> "(memberOf=cn=secretaries,cn=groups,cn=accounts,dc=example,dc=com)")(version >> 3.0;acl "Secretaries can write engineering addresses";allow (write) >> groupdn = >> "ldap:///cn=secretaries,cn=groups,cn=accounts,dc=example,dc=com";) >> >> Or even simple things like "I want my engineers to be able to add hosts" >> >> ipa aci-add --type=host --permissions=write --group=engineering >> 'Engineers can add hosts' >> >> (target = >> "ldap:///fqdn=*,cn=computers,cn=accounts,dc=example,dc=com")(version >> 3.0;acl "Engineers can add hosts";allow (write) groupdn = >> "ldap:///cn=engineering,cn=groups,cn=accounts,dc=example,dc=com";) >> >> Ideally these would be mostly done through existing taskgroups instead: >> >> ipa taskgroup-add-member --groups=engineering addhosts >> >> Or even more preferably via rolegroups: >> >> ipa rolegroup-add-member --groups=engineering hostadmin >> >> The aci's here are actual output from the plugin. This is where we >> need the work. I already have an internal abstraction of the acis so >> I can operate on them. I merely need to display this instead of the >> aci string and I think we'll be good to go. Some way to manage the >> attribute list without requiring one to type the whole thing would be >> nice too. >> >>> >>> Hope this approach does not have much flaws. Yes it will require some >>> work in the ACI space but I hope it is not a huge rework. 
>>>
>>
>> This would represent a tremendous amount of work. I think we would be
>> better served fixing the way that acis are output so the UI (and by
>> extension cli) can better represent the data to users. The --raw
>> option can display the raw aci.
>>
>> Working with acis is always going to be a bit of a nasty business
>> because by definition you have to deal directly with LDAP attribute
>> names, the DIT and how we create and manage objects in the framework.
> Might I suggest looking at the ACI editor in the 389-console - IMHO it
> hides as much as it can - one big problem is the fact that we do not
> have a client side ACI parser.

Actually the whole thing was inspired by the ACI UI from the LDAP book
that is based on Netscape DS.
Rob you say "What it lacks is a way to *output* an aci so it can be
easily represented in a UI or on the command line. That is where our
focus should be." But I do not understand what the problem is. You
either have to display a raw ACI or some abstraction. But how you map
the abstraction that you need to show to the raw ACI you have in the
system? I was trying to solve exactly this problem. And I really do
not see a way to do it differently. Do you?

Thanks
Dmitri

From ssorce at redhat.com Mon Oct 11 12:01:46 2010
From: ssorce at redhat.com (Simo Sorce)
Date: Mon, 11 Oct 2010 08:01:46 -0400
Subject: [Freeipa-devel] Proposal about ACI management in IPA v2
In-Reply-To: <4CB28425.60104@redhat.com>
References: <4CAF76CD.1040103@redhat.com> <4CAF88A0.1050607@redhat.com> <4CAF8B17.5070709@redhat.com> <4CB28425.60104@redhat.com>
Message-ID: <20101011080146.65693100@willson.li.ssimo.org>

On Sun, 10 Oct 2010 23:27:33 -0400
Dmitri Pal wrote:

> Actually the whole thing was inspired by the ACI UI from the LDAP book
> that is based on Netscape DS.
> Rob you say "What it lacks is a way to *output* an aci so it can be
> easily represented in a UI or on the command line. That is where our
> focus should be." But I do not understand what the problem is. You
> either have to display a raw ACI or some abstraction. But how you map
> the abstraction that you need to show to the raw ACI you have in the
> system? I was trying to solve exactly this problem. And I really do
> not see a way to do it differently. Do you?

The strongest objection is against creating a new LDAP object to hold a
duplicate of the ACIs. And I fully agree with the objection we do not
need duplicates in the Directory. Especially since parsing the object
is already done in the code, so the "objectified" form is not an issue.

Rob, what about creating a hash table per ACI that has named attributes
for each component of the ACI ? Would that be easier to pass to the UI ?
Do we have a way to pass arrays of hash tables ? (each element of the
array is an ACI in hash table format).

Would this actually help at all? Or would it be too complex for the UI
to interpret ?

Simo.

--
Simo Sorce * Red Hat, Inc * New York

From dpal at redhat.com Mon Oct 11 13:10:58 2010
From: dpal at redhat.com (Dmitri Pal)
Date: Mon, 11 Oct 2010 09:10:58 -0400
Subject: [Freeipa-devel] Proposal about ACI management in IPA v2
In-Reply-To: <20101011080146.65693100@willson.li.ssimo.org>
References: <4CAF76CD.1040103@redhat.com> <4CAF88A0.1050607@redhat.com> <4CAF8B17.5070709@redhat.com> <4CB28425.60104@redhat.com> <20101011080146.65693100@willson.li.ssimo.org>
Message-ID: <4CB30CE2.3030105@redhat.com>

Simo Sorce wrote:
> On Sun, 10 Oct 2010 23:27:33 -0400
> Dmitri Pal wrote:
>
>
>> Actually the whole thing was inspired by the ACI UI from the LDAP book
>> that is based on Netscape DS.
>> Rob you say "What it lacks is a way to *output* an aci so it can be
>> easily represented in a UI or on the command line. That is where our
>> focus should be." But I do not understand what the problem is. You
>> either have to display a raw ACI or some abstraction. But how you map
>> the abstraction that you need to show to the raw ACI you have in the
>> system? I was trying to solve exactly this problem. And I really do
>> not see a way to do it differently. Do you?
>>
>
> The strongest objection is against creating a new LDAP object to hold a
> duplicate of the ACIs. And I fully agree with the objection we do not
> need duplicates in the Directory.

I do not see it as duplicate. It is a helper. And it is a loose coupling
so there is really no harm for parts to get out of sync. But this all
does not matter if this is not the problem we are trying to solve.

Simo you are talking about hash tables or sets of hash tables to
represent what?
The following rule does not decompose well to the set of hash tables:

(targetattr = "streetAddress || postalCode || c || l ||
st")(targetfilter =
"(memberOf=cn=secretaries,cn=groups,cn=accounts,dc=example,dc=com)")(version
3.0;acl "Secretaries can write engineering addresses";allow (write)
groupdn =
"ldap:///cn=secretaries,cn=groups,cn=accounts,dc=example,dc=com";)

It is really a:
1) Set of attributes (can be hash table, but rather just a list)
2) Filter - a string but I am not sure one can formalize it
3) Name - a string
4) Right
5) Bind DN - a string that is similar to a filter

It seems that the biggest problem is: with filter and Bind DN. Those
correspond to an object in the system. We can replace the "groupdn =
"ldap:///cn=secretaries,cn=groups,cn=accounts,dc=example,dc=com" with
more readable group=secretaries or user=someone or host=mycomputer etc.
Is this the abstraction that we are looking for? It is harder with the
target filter to do the similar simplification.
Can we simplify it to things like?:
a) A member of a group
b) An object of the class
c) Its attribute has a specific value
If we can parse it out to one of these three (or may be some other case
that I missed) we can replace it with a much more readable representation.
For example:
a) A member of a group will translate into: "a member of group
secretary", similarly with other groups "a member of hostgroup
lab-machines" etc
b) An object of the class will translate into: "a user" or "a group" or
"a host group"
c) Its attribute has a specific value "user.cn is 'blah' " or "host.fqdn
is 'host123' "

Is this the direction we want to go?

> Especially since parsing the object
> is already done in the code, so the "objectified" form is not an issue.
>
> Rob, what about creating a hash table per ACI that has named attributes
> for each component of the ACI ? Would that be easier to pass to the UI ?
> Do we have a way to pass arrays of hash tables ?
> (each element of the
> array is an ACI in hash table format).
>
> Would this actually help at all? Or would it be too complex for the UI
> to interpret ?
>
> Simo.
>
>

--
Thank you,
Dmitri Pal

Engineering Manager IPA project,
Red Hat Inc.

-------------------------------
Looking to carve out IT costs?
www.redhat.com/carveoutcosts/

From rcritten at redhat.com Mon Oct 11 13:58:45 2010
From: rcritten at redhat.com (Rob Crittenden)
Date: Mon, 11 Oct 2010 09:58:45 -0400
Subject: [Freeipa-devel] Proposal about ACI management in IPA v2
In-Reply-To: <4CB30CE2.3030105@redhat.com>
References: <4CAF76CD.1040103@redhat.com> <4CAF88A0.1050607@redhat.com> <4CAF8B17.5070709@redhat.com> <4CB28425.60104@redhat.com> <20101011080146.65693100@willson.li.ssimo.org> <4CB30CE2.3030105@redhat.com>
Message-ID: <4CB31815.5000501@redhat.com>

Dmitri Pal wrote:
> Simo Sorce wrote:
>> On Sun, 10 Oct 2010 23:27:33 -0400
>> Dmitri Pal wrote:
>>
>>
>>> Actually the whole thing was inspired by the ACI UI from the LDAP book
>>> that is based on Netscape DS.
>>> Rob you say "What it lacks is a way to *output* an aci so it can be
>>> easily represented in a UI or on the command line. That is where our
>>> focus should be." But I do not understand what the problem is. You
>>> either have to display a raw ACI or some abstraction. But how you map
>>> the abstraction that you need to show to the raw ACI you have in the
>>> system? I was trying to solve exactly this problem. And I really do
>>> not see a way to do it differently. Do you?
>>>
>>
>> The strongest objection is against creating a new LDAP object to hold a
>> duplicate of the ACIs. And I fully agree with the objection we do not
>> need duplicates in the Directory.
>
> I do not see it as duplicate. It is a helper. And it is a loose coupling
> so there is really no harm for parts to get out of sync. But this all
> does not matter if this is not the problem we are trying to solve.

It is, by definition, duplicate. You're storing exactly the same data in
two places in different formats.

>
> Simo you are talking about hash tables or sets of hash tables to
> represent what?
> The following rule does not decompose well to the set of hash tables:
>
> (targetattr = "streetAddress || postalCode || c || l ||
> st")(targetfilter =
> "(memberOf=cn=secretaries,cn=groups,cn=accounts,dc=example,dc=com)")(version
> 3.0;acl "Secretaries can write engineering addresses";allow (write)
> groupdn =
> "ldap:///cn=secretaries,cn=groups,cn=accounts,dc=example,dc=com";)
>
> It is really a:
> 1) Set of attributes (can be hash table, but rather just a list)
> 2) Filter - a string but I am not sure one can formalize it
> 3) Name - a string
> 4) Right
> 5) Bind DN - a string that is similar to a filter

As I said, this is already done. Internally I represent ACIs as:

name: string
action: string (one of an enumeration)
permissions: list
target: hash table
bindrule: hash table

A bindrule is a hash of: keyword, operator, expression, e.g. groupdn
!= ldap:///cn=admins,...

Targets are similar, with an operator and an expression, e.g.
targetattr != "foo || bar". The targets supported are targetfilter,
targetattr and target (e.g. a subtree).

My parser probably doesn't support every possible kind of ACI but it
does support those that are allowed in the aci plugin.

> It seems that the biggest problem is: with filter and Bind DN. Those
> correspond to an object in the system. We can replace the "groupdn =
> "ldap:///cn=secretaries,cn=groups,cn=accounts,dc=example,dc=com" with
> more readable group=secretaries or user=someone or host=mycomputer etc.
> Is this the abstraction that we are looking for? It is harder with the
> target filter to do the similar simplification.
> Can we simplify it to things like?:
> a) A member of a group
> b) An object of the class
> c) Its attribute has a specific value
> If we can parse it out to one of these three (or may be some other case
> that I missed) we can replace it with a much more readable representation.
> For example:
> a) A member of a group will translate into: "a member of group
> secretary", similarly with other groups "a member of hostgroup
> lab-machines" etc
> b) An object of the class will translate into: "a user" or "a group" or
> "a host group"
> c) Its attribute has a specific value "user.cn is 'blah' " or "host.fqdn
> is 'host123' "

Please take a look at the existing aci plugin. Most of this is already
covered. Remember that ideally acis will grant access to taskgroups
and not direct objects, so make them more generic. Granting access to
hostgroups isn't supported right now. In fact, there is no way to
grant access to hosts or hostgroups right now, just users and groups.

If the problem here is how we do this via the UI then as I said, I
need to enhance the output of the aci plugin to provide the data in a
format that the UI can handle.

rob

From rcritten at redhat.com Mon Oct 11 14:09:07 2010
From: rcritten at redhat.com (Rob Crittenden)
Date: Mon, 11 Oct 2010 10:09:07 -0400
Subject: [Freeipa-devel] [PATCH] 568 fix mutual exclusive comparison in hbac
Message-ID: <4CB31A83.5070802@redhat.com>

Do better error checking in mutual exclusivity check in hbac plugin.

This fixes the acceptance tests.

rob
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-568-hbac.patch
Type: application/mbox
Size: 2638 bytes
Desc: not available
URL:

From dpal at redhat.com Mon Oct 11 14:30:09 2010
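The decomposition Rob Crittenden describes in this thread (name, action, permissions, a target hash and a bindrule hash of keyword, operator and expression) is sketched below, together with the readable "group secretaries" style rendering Dmitri Pal asks about; input outside the supported subset raises an error instead of being shown in a simplified form. This is an added example, not the FreeIPA aci plugin's code. The regular expressions, the permission and bind keyword subsets, and the functions `parse_aci`, `subject` and `summarize` are assumptions; the two sample ACIs are the ones quoted in the thread with the e-mail line wraps removed.

```python
import re

# Constructed from ACIs quoted in the thread, with the e-mail line wraps removed.
ACI_ADD_USERS = (
    '(target = "ldap:///uid=*,cn=users,cn=accounts,dc=example,dc=com")'
    '(version 3.0;acl "Add Users";allow (add) groupdn = '
    '"ldap:///cn=add_users,cn=taskgroups,cn=accounts,dc=example,dc=com";)')
ACI_ADDRESSES = (
    '(targetattr = "streetAddress || postalCode || c || l || st")'
    '(targetfilter = "(memberOf=cn=secretaries,cn=groups,cn=accounts,dc=example,dc=com)")'
    '(version 3.0;acl "Secretaries can write engineering addresses";allow (write) '
    'groupdn = "ldap:///cn=secretaries,cn=groups,cn=accounts,dc=example,dc=com";)')

# Subset of the ACI syntax handled by this example (an assumption, not the plugin's grammar).
TARGET_RE = re.compile(
    r'\s*\(\s*(targetattr|targetfilter|target)\s*(!=|=)\s*"([^"]*)"\s*\)')
RULE_RE = re.compile(
    r'\s*\(\s*version\s+3\.0\s*;\s*acl\s+"([^"]*)"\s*;\s*(allow|deny)\s*'
    r'\(([^)]*)\)\s*(\w+)\s*(!=|=)\s*"([^"]*)"\s*;\s*\)\s*$')
PERMISSIONS = {"read", "write", "add", "delete", "search", "compare",
               "selfwrite", "proxy", "all"}
BIND_KEYWORDS = {"userdn", "groupdn"}
CONTAINER_LABELS = {"users": "user", "groups": "group", "taskgroups": "taskgroup"}


def parse_aci(text):
    """Split an ACI string into name/action/permissions/target/bindrule."""
    text = text.strip()
    pos, target = 0, {}
    while True:
        m = TARGET_RE.match(text, pos)
        if m is None:
            break
        keyword, operator, expression = m.groups()
        if keyword in target:
            raise ValueError("duplicate target keyword: %s" % keyword)
        if keyword == "targetattr":
            expression = [attr.strip() for attr in expression.split("||")]
        target[keyword] = {"operator": operator, "expression": expression}
        pos = m.end()
    m = RULE_RE.match(text, pos)
    if m is None:
        # Compound bind rules, several permission clauses and so on end up here:
        # refuse rather than display something the parser did not understand.
        raise ValueError("unsupported or malformed ACI at offset %d" % pos)
    name, action, perms, bind_kw, bind_op, bind_expr = m.groups()
    permissions = [p.strip() for p in perms.split(",")]
    unknown = [p for p in permissions if p not in PERMISSIONS]
    if unknown:
        raise ValueError("unknown permission(s): %r" % unknown)
    if bind_kw not in BIND_KEYWORDS:
        raise ValueError("unsupported bind keyword: %s" % bind_kw)
    return {"name": name, "action": action, "permissions": permissions,
            "target": target,
            "bindrule": {"keyword": bind_kw, "operator": bind_op,
                         "expression": bind_expr}}


def subject(bindrule):
    """Render a bind rule as e.g. 'group secretaries'; fall back to the raw rule."""
    raw = '%s %s "%s"' % (bindrule["keyword"], bindrule["operator"],
                          bindrule["expression"])
    dn = bindrule["expression"]
    if not dn.startswith("ldap:///") or "*" in dn:
        return raw
    # Naive DN split: escaped commas inside RDN values are not handled.
    rdns = [part.split("=", 1) for part in dn[len("ldap:///"):].split(",")]
    if len(rdns) < 2 or len(rdns[0]) != 2 or len(rdns[1]) != 2:
        return raw
    label = CONTAINER_LABELS.get(rdns[1][1].strip())
    if label is None:
        return raw
    prefix = "everyone except " if bindrule["operator"] == "!=" else ""
    return prefix + label + " " + rdns[0][1].strip()


def summarize(aci):
    """One-line description a UI or CLI could show next to the raw ACI."""
    parts, target = [], aci["target"]
    if "targetattr" in target:
        t = target["targetattr"]
        word = "attributes " if t["operator"] == "=" else "all attributes except "
        parts.append(word + ", ".join(t["expression"]))
    if "target" in target:
        t = target["target"]
        word = "entries at " if t["operator"] == "=" else "entries not at "
        parts.append(word + t["expression"])
    if "targetfilter" in target:
        t = target["targetfilter"]
        word = "entries matching " if t["operator"] == "=" else "entries not matching "
        parts.append(word + t["expression"])
    scope = "; ".join(parts) or "(no explicit target)"
    return "%s %s on %s for %s" % (aci["action"], "/".join(aci["permissions"]),
                                   scope, subject(aci["bindrule"]))


if __name__ == "__main__":
    for sample in (ACI_ADD_USERS, ACI_ADDRESSES):
        print(summarize(parse_aci(sample)))
```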
From: dpal at redhat.com (Dmitri Pal)
Date: Mon, 11 Oct 2010 10:30:09 -0400
Subject: [Freeipa-devel] Proposal about ACI management in IPA v2
In-Reply-To: <4CB31815.5000501@redhat.com>
References: <4CAF76CD.1040103@redhat.com> <4CAF88A0.1050607@redhat.com> <4CAF8B17.5070709@redhat.com> <4CB28425.60104@redhat.com> <20101011080146.65693100@willson.li.ssimo.org> <4CB30CE2.3030105@redhat.com> <4CB31815.5000501@redhat.com>
Message-ID: <4CB31F71.4080204@redhat.com>

Rob Crittenden wrote:
> Dmitri Pal wrote:
>> Simo Sorce wrote:
>>> On Sun, 10 Oct 2010 23:27:33 -0400
>>> Dmitri Pal wrote:
>>>
>>>
>>>> Actually the whole thing was inspired by the ACI UI from the LDAP book
>>>> that is based on Netscape DS.
>>>> Rob you say "What it lacks is a way to *output* an aci so it can be
>>>> easily represented in a UI or on the command line. That is where our
>>>> focus should be." But I do not understand what the problem is. You
>>>> either have to display a raw ACI or some abstraction. But how you map
>>>> the abstraction that you need to show to the raw ACI you have in the
>>>> system? I was trying to solve exactly this problem. And I really do
>>>> not see a way to do it differently. Do you?
>>>>
>>>
>>> The strongest objection is against creating a new LDAP object to hold a
>>> duplicate of the ACIs. And I fully agree with the objection we do not
>>> need duplicates in the Directory.
>>
>> I do not see it as duplicate. It is a helper. And it is a loose coupling
>> so there is really no harm for parts to get out of sync. But this all
>> does not matter if this is not the problem we are trying to solve.
>
> It is, by definition, duplicate. You're storing exactly the same data
> in two places in different formats.
>
>>
>> Simo you are talking about hash tables or sets of hash tables to
>> represent what?
>> The following rule does not decompose well to the set of hash tables:
>>
>> (targetattr = "streetAddress || postalCode || c || l ||
>> st")(targetfilter =
>> "(memberOf=cn=secretaries,cn=groups,cn=accounts,dc=example,dc=com)")(version
>>
>> 3.0;acl "Secretaries can write engineering addresses";allow (write)
>> groupdn =
>> "ldap:///cn=secretaries,cn=groups,cn=accounts,dc=example,dc=com";)
>>
>> It is really a:
>> 1) Set of attributes (can be hash table, but rather just a list)
>> 2) Filter - a string but I am not sure one can formalize it
>> 3) Name - a string
>> 4) Right
>> 5) Bind DN - a string that is similar to a filter
>
> As I said, this is already done. Internally I represent ACIs as:
>
> name: string
> action: string (one of an enumeration)
> permissions: list
> target: hash table
> bindrule: hash table
>
> A bindrule is a hash of: keyword, operator, expression, e.g. groupdn
> != ldap:///cn=admins,...
>
> Targets are similar, with an operator and an expression, e.g.
> targetattr != "foo || bar". The targets supported are targetfilter,
> targetattr and target (e.g. a subtree).
>
> My parser probably doesn't support every possible kind of ACI but it
> does support those that are allowed in the aci plugin.
>
>> It seems that the biggest problem is: with filter and Bind DN. Those
>> correspond to an object in the system. We can replace the "groupdn =
>> "ldap:///cn=secretaries,cn=groups,cn=accounts,dc=example,dc=com" with
>> more readable group=secretaries or user=someone or host=mycomputer etc.
>> Is this the abstraction that we are looking for? It is harder with the
>> target filter to do the similar simplification.
>> Can we simplify it to things like?:
>> a) A member of a group
>> b) An object of the class
>> c) Its attribute has a specific value
>> If we can parse it out to one of these three (or may be some other case
>> that I missed) we can replace it with a much more readable
>> representation.
>> For example:
>> a) A member of a group will translate into: "a member of group
>> secretary", similarly with other groups "a member of hostgroup
>> lab-machines" etc
>> b) An object of the class will translate into: "a user" or "a group" or
>> "a host group"
>> c) Its attribute has a specific value "user.cn is 'blah' " or "host.fqdn
>> is 'host123' "
>
> Please take a look at the existing aci plugin. Most of this is already
> covered. Remember that ideally acis will grant access to taskgroups
> and not direct objects, so make them more generic. Granting access to
> hostgroups isn't supported right now. In fact, there is no way to
> grant access to hosts or hostgroups right now, just users and groups.
>
> If the problem here is how we do this via the UI then as I said, I
> need to enhance the output of the aci plugin to provide the data in a
> format that the UI can handle.
>
> rob

I feel that there is a disconnect. But I do not understand where it is.
If all of this already works then what is the problem? Why not just fix
the plugin to output whatever is needed. Based on Adam's questions I was
under the assumption that there is a bit design gap. Does not seem to be
based on this thread. So what are we trying to accomplish here? Fix the
plugin to return hash tables? Seems like a simple task. Do we have a
ticket? Is it clear what needs to be done there? Or there is more and
something needs to be sorted out. Can someone please define the scope of
the problem?

--
Thank you,
Dmitri Pal

Engineering Manager IPA project,
Red Hat Inc.

-------------------------------
Looking to carve out IT costs?
www.redhat.com/carveoutcosts/

From rcritten at redhat.com Mon Oct 11 14:55:44 2010
From: rcritten at redhat.com (Rob Crittenden)
Date: Mon, 11 Oct 2010 10:55:44 -0400
Subject: [Freeipa-devel] [PATCH] 569 detect when DNS is not configured
Message-ID: <4CB32570.9060700@redhat.com>

Detect when DNS is not configured and return an error message when using
the command-line.

It would be nicer if we disabled the command altogether but this would
require checking the server to see every time the ipa command is
executed (which would be bad). We can't store this in a configuration
file because it is possible to add a DNS post-install (and it would
require adding this to every single client install).

ticket 147

rob
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-569-dns.patch
Type: application/mbox
Size: 4213 bytes
Desc: not available
URL:

From rcritten at redhat.com Mon Oct 11 15:19:12 2010
From: rcritten at redhat.com (Rob Crittenden)
Date: Mon, 11 Oct 2010 11:19:12 -0400
Subject: [Freeipa-devel] [PATCH] 570 enforce max username length
Message-ID: <4CB32AF0.40003@redhat.com>

Enforce the configurable max username length from cn=ipaconfig.

rob
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-570-length.patch
Type: application/mbox
Size: 1119 bytes
Desc: not available
URL:

From rcritten at redhat.com Mon Oct 11 16:58:38 2010
From: rcritten at redhat.com (Rob Crittenden)
Date: Mon, 11 Oct 2010 12:58:38 -0400
Subject: [Freeipa-devel] [PATCH] 571 return non-zero on *-find when nothing is found
Message-ID: <4CB3423E.8080903@redhat.com>

Return non-zero when the number of entries from *-find returned is zero.

ticket 325

rob
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-571-find.patch
Type: application/mbox
Size: 891 bytes
Desc: not available
URL:

From ssorce at redhat.com Mon Oct 11 17:01:07 2010
From: ssorce at redhat.com (Simo Sorce)
Date: Mon, 11 Oct 2010 13:01:07 -0400
Subject: [Freeipa-devel] [PATCH] Initial gettext support for C tools
In-Reply-To: <4CAF2A0A.1060608@redhat.com>
References: <20101007162014.1bbcdcf4@willson.li.ssimo.org> <4CAF2A0A.1060608@redhat.com>
Message-ID: <20101011130107.76193e6a@willson.li.ssimo.org>

On Fri, 08 Oct 2010 10:26:18 -0400
Rob Crittenden wrote:

> Simo Sorce wrote:
> >
> >
> > This is some very basic initial localization work for the C tools.
> > I do not have any translation yet, and creation and merging of .po
> > and binary files is not yet done. But the clients.pot file is
> > regularly updated when make is run in the main dir (or make gettext
> > in the ipa-clients dir).
> >
> > Fixes trac#186
> >
> > Simo.
>
> Nack. As discussed in IRC we are going to use a single po file for
> all translations.

Ok, here a revised patch that uses the existing install/po
infrastructure and generates a single .po file

I took the liberty of converting the Makefile in there to
automatically source .py, c and .h files, and also removed
install/po/Makefile as the Makefile.in is all we need in git I think.

Simo.

--
Simo Sorce * Red Hat, Inc * New York
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0001-Initial-gettext-support-for-C-utils.patch
Type: text/x-patch
Size: 151996 bytes
Desc: not available
URL:

From rcritten at redhat.com Mon Oct 11 17:07:35 2010
From: rcritten at redhat.com (Rob Crittenden)
Date: Mon, 11 Oct 2010 13:07:35 -0400
Subject: [Freeipa-devel] [PATCH] 572 fix usage help of ipa-replica-install
Message-ID: <4CB34457.5040703@redhat.com>

Include REPLICA_FILE in usage for ipa-replica-install

ticket 247

rob
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-572-replica.patch
Type: application/mbox
Size: 1026 bytes
Desc: not available
URL:

From jdennis at redhat.com Mon Oct 11 18:18:11 2010
From: jdennis at redhat.com (John Dennis)
Date: Mon, 11 Oct 2010 14:18:11 -0400
Subject: [Freeipa-devel] [PATCH] Initial gettext support for C tools
In-Reply-To: <20101011130107.76193e6a@willson.li.ssimo.org>
References: <20101007162014.1bbcdcf4@willson.li.ssimo.org> <4CAF2A0A.1060608@redhat.com> <20101011130107.76193e6a@willson.li.ssimo.org>
Message-ID: <4CB354E3.5030909@redhat.com>

On 10/11/2010 01:01 PM, Simo Sorce wrote:
> On Fri, 08 Oct 2010 10:26:18 -0400
> Rob Crittenden wrote:
>
>> Simo Sorce wrote:
>>>
>>>
>>> This is some very basic initial localization work for the C tools.
>>> I do not have any translation yet, and creation and merging of .po
>>> and binary files is not yet done. But the clients.pot file is
>>> regularly updated when make is run in the main dir (or make gettext
>>> in the ipa-clients dir).
>>>
>>> Fixes trac#186
>>>
>>> Simo.
>>
>> Nack. As discussed in IRC we are going to use a single po file for
>> all translations.
>
> Ok, here a revised patch that uses the existing install/po
> infrastructure and generates a single .po file
>
> I took the liberty of converting the Makefile in there to
> automatically source .py, c and .h files, and also removed
> install/po/Makefile as the Makefile.in is all we need in git I think.

NAK

There are several things I'd like to see you address:

1) Please keep the independent list of python and c files potfiles as
make variables. This is preferred because:

a) It allows the use of these as explicit make target and dependencies.

b) It permits knowing exactly what these files are and could be dumped
out via a trivial make target for debugging and information purposes.

c) It avoids bizarre magic. By letting xgettext find some files and have
others explicitly listed you've buried inside some cryptic shell
commands both implicit and explicit file lists, the implicit file list
being invisible. That's just very hard to maintain and understand.

2) By letting xgettext find the files you've exposed ourselves to
corruption. If you happen to have a .py or .c file hanging around in
your development tree which is not our git repo you'll embed that bogus
file into our pot file.

3) You can address both above issues by doing this. Use a shell command
to set the PYTHON_POTFILES & C_POTFILES. That shell command should
produce the intersection of the git file list and the language. I will
send you a Python script to do this.

--
John Dennis

Looking to carve out IT costs?
www.redhat.com/carveoutcosts/

From jdennis at redhat.com Mon Oct 11 18:36:49 2010
From: jdennis at redhat.com (John Dennis)
Date: Mon, 11 Oct 2010 14:36:49 -0400
Subject: [Freeipa-devel] [PATCH] Initial gettext support for C tools
In-Reply-To: <4CB354E3.5030909@redhat.com>
References: <20101007162014.1bbcdcf4@willson.li.ssimo.org> <4CAF2A0A.1060608@redhat.com> <20101011130107.76193e6a@willson.li.ssimo.org> <4CB354E3.5030909@redhat.com>
Message-ID: <4CB35941.9030300@redhat.com>

On 10/11/2010 02:18 PM, John Dennis wrote:
> On 10/11/2010 01:01 PM, Simo Sorce wrote:
>> On Fri, 08 Oct 2010 10:26:18 -0400
>> Rob Crittenden wrote:
>>
>>> Simo Sorce wrote:
>>>>
>>>>
>>>> This is some very basic initial localization work for the C tools.
>>>> I do not have any translation yet, and creation and merging of .po
>>>> and binary files is not yet done. But the clients.pot file is
>>>> regularly updated when make is run in the main dir (or make gettext
>>>> in the ipa-clients dir).
>>>>
>>>> Fixes trac#186
>>>>
>>>> Simo.
>>>
>>> Nack. As discussed in IRC we are going to use a single po file for
>>> all translations.
>>
>> Ok, here a revised patch that uses the existing install/po
>> infrastructure and generates a single .po file
>>
>> I took the liberty of converting the Makefile in there to
>> automatically source .py, c and .h files, and also removed
>> install/po/Makefile as the Makefile.in is all we need in git I think.
>
> NAK
>
> There are several things I'd like to see you address:
>
> 1) Please keep the independent list of python and c files potfiles as
> make variables. This is preferred because:
>
> a) It allows the use of these as explicit make target and dependencies.
>
> b) It permits knowing exactly what these files are and could be dumped
> out via a trivial make target for debugging and information purposes.
>
> c) It avoids bizarre magic. By letting xgettext find some files and have
> others explicitly listed you've buried inside some cryptic shell
> commands both implicit and explicit file lists, the implicit file list
> being invisible.
> That's just very hard to maintain and understand.

Oh and I forgot to add:

By demanding some files be manually added to the Makefile.in and
having others be automatically picked up you've created developer
confusion. When do I have to manually add a file? Why does this work
sometimes and not others? But it worked when I added foo.py but not
when I added the command do_foo, I don't get it.

It should be one way or the other for sanity and maintenance sake.
Either it's manual or it's automatic, not a mix of the two.

>
> 2) By letting xgettext find the files you've exposed ourselves to
> corruption. If you happen to have a .py or .c file hanging around in
> your development tree which is not our git repo you'll embed that bogus
> file into our pot file.
>
> 3) You can address both above issues by doing this. Use a shell command
> to set the PYTHON_POTFILES & C_POTFILES. That shell command should
> produce the intersection of the git file list and the language. I will
> send you a Python script to do this.
>
>

--
John Dennis

Looking to carve out IT costs?
www.redhat.com/carveoutcosts/

From ssorce at redhat.com Mon Oct 11 21:09:21 2010
From: ssorce at redhat.com (Simo Sorce)
Date: Mon, 11 Oct 2010 17:09:21 -0400
Subject: [Freeipa-devel] [PATCH] Initial gettext support for C tools
In-Reply-To: <4CB354E3.5030909@redhat.com>
References: <20101007162014.1bbcdcf4@willson.li.ssimo.org> <4CAF2A0A.1060608@redhat.com> <20101011130107.76193e6a@willson.li.ssimo.org> <4CB354E3.5030909@redhat.com>
Message-ID: <20101011170921.1833fa5c@willson.li.ssimo.org>

On Mon, 11 Oct 2010 14:18:11 -0400
John Dennis wrote:

> On 10/11/2010 01:01 PM, Simo Sorce wrote:
> > On Fri, 08 Oct 2010 10:26:18 -0400
> > Rob Crittenden wrote:
> >
> >> Simo Sorce wrote:
> >>>
> >>>
> >>> This is some very basic initial localization work for the C tools.
> >>> I do not have any translation yet, and creation and merging of .po
> >>> and binary files is not yet done. But the clients.pot file is
> >>> regularly updated when make is run in the main dir (or make
> >>> gettext in the ipa-clients dir).
> >>>
> >>> Fixes trac#186
> >>>
> >>> Simo.
> >>
> >> Nack. As discussed in IRC we are going to use a single po file for
> >> all translations.
> >
> > Ok, here a revised patch that uses the existing install/po
> > infrastructure and generates a single .po file
> >
> > I took the liberty of converting the Makefile in there to
> > automatically source .py, c and .h files, and also removed
> > install/po/Makefile as the Makefile.in is all we need in git I
> > think.
>
> NAK
>
> There are several things I'd like to see you address:
>
> 1) Please keep the independent list of python and c files potfiles as
> make variables. This is preferred because:

I don't think I have changed this, PYTHON_POTFILES and C_POTFILES are
make variables afaik ...

> a) It allows the use of these as explicit make target and
> dependencies.
>
> b) It permits knowing exactly what these files are and could be
> dumped out via a trivial make target for debugging and information
> purposes.
>
> c) It avoids bizarre magic.
> By letting xgettext find some files and
> have others explicitly listed you've buried inside some cryptic shell
> commands both implicit and explicit file lists, the implicit file
> list being invisible. That's just very hard to maintain and
> understand.

You also have access to the implicit file list through the PY_FILES
variable, so I am not sure what you are asking.
Do you want me to have a separate variable with the explicit python
files that is separate and only then merge the 2 lists into the single
PYTHON_POTFILES variable ?

Something like:
PY_EXPLICIT_FILES = yadda yadda
PYTHON_POTFILES = $(PY_FILES) $(PY_EXPLICIT_FILES)

perhaps ?

> 2) By letting xgettext find the files you've exposed ourselves to
> corruption. If you happen to have a .py or .c file hanging around in
> your development tree which is not our git repo you'll embed that
> bogus file into our pot file.

I didn't do that, xgettext does not find anything by itself it takes
the list from PY_FILES and C_FILES and H_FILES which are autogenerated
out of a git ls-files output. This guarantees only and all committed
files that match the extension are taken in consideration.

> 3) You can address both above issues by doing this. Use a shell
> command to set the PYTHON_POTFILES & C_POTFILES. That shell command
> should produce the intersection of the git file list and the
> language. I will send you a Python script to do this.

Have you actually read the right patch ??
Maybe you looked at the old version I posted before the weekend ?

Simo.

--
Simo Sorce * Red Hat, Inc * New York

From ssorce at redhat.com Mon Oct 11 21:10:50 2010
From: ssorce at redhat.com (Simo Sorce)
Date: Mon, 11 Oct 2010 17:10:50 -0400
Subject: [Freeipa-devel] [PATCH] Initial gettext support for C tools
In-Reply-To: <4CB35941.9030300@redhat.com>
References: <20101007162014.1bbcdcf4@willson.li.ssimo.org> <4CAF2A0A.1060608@redhat.com> <20101011130107.76193e6a@willson.li.ssimo.org> <4CB354E3.5030909@redhat.com> <4CB35941.9030300@redhat.com>
Message-ID: <20101011171050.558aaa55@willson.li.ssimo.org>

On Mon, 11 Oct 2010 14:36:49 -0400
John Dennis wrote:

> On 10/11/2010 02:18 PM, John Dennis wrote:
> > On 10/11/2010 01:01 PM, Simo Sorce wrote:
> >> On Fri, 08 Oct 2010 10:26:18 -0400
> >> Rob Crittenden wrote:
> >>
> >>> Simo Sorce wrote:
> >>>>
> >>>>
> >>>> This is some very basic initial localization work for the C
> >>>> tools. I do not have any translation yet, and creation and
> >>>> merging of .po and binary files is not yet done. But the
> >>>> clients.pot file is regularly updated when make is run in the
> >>>> main dir (or make gettext in the ipa-clients dir).
> >>>>
> >>>> Fixes trac#186
> >>>>
> >>>> Simo.
> >>>
> >>> Nack. As discussed in IRC we are going to use a single po file for
> >>> all translations.
> >>
> >> Ok, here a revised patch that uses the existing install/po
> >> infrastructure and generates a single .po file
> >>
> >> I took the liberty of converting the Makefile in there to
> >> automatically source .py, c and .h files, and also removed
> >> install/po/Makefile as the Makefile.in is all we need in git I
> >> think.
> >
> > NAK
> >
> > There are several things I'd like to see you address:
> >
> > 1) Please keep the independent list of python and c files potfiles
> > as make variables. This is preferred because:
> >
> > a) It allows the use of these as explicit make target and
> > dependencies.
> >
> > b) It permits knowing exactly what these files are and could be
> > dumped out via a trivial make target for debugging and information
> > purposes.
> >
> > c) It avoids bizarre magic.
By letting xgettext find some files and
> > have others explicitly listed you've buried inside some cryptic
> > shell commands both implicit and explicit file lists, the implicit
> > file list being invisible. That's just very hard to maintain and
> > understand.
>
> Oh and I forgot to add:
>
> By demanding some files be manually added to the Makefile.in and
> having others be automatically picked up you've created developer
> confusion. When do I have to manually add a file? Why does this work
> sometimes and not others? But it worked when I added foo.py but not
> when I added the command do_foo, I don't get it.

It is explained in the NOTE I added to the README file ...

> It should be one way or the other for sanity and maintenance sake.
> Either it's manual or it's automatic, not a mix of the two.

A mix looks ok, the rule is simple:
- for files that end in .py do nothing
- any other python file add to list

Simo.

--
Simo Sorce * Red Hat, Inc * New York

From jdennis at redhat.com Mon Oct 11 21:15:14 2010
From: jdennis at redhat.com (John Dennis)
Date: Mon, 11 Oct 2010 17:15:14 -0400
Subject: [Freeipa-devel] [PATCH] Initial gettext support for C tools
In-Reply-To: <4CB35941.9030300@redhat.com>
References: <20101007162014.1bbcdcf4@willson.li.ssimo.org> <4CAF2A0A.1060608@redhat.com> <20101011130107.76193e6a@willson.li.ssimo.org> <4CB354E3.5030909@redhat.com> <4CB35941.9030300@redhat.com>
Message-ID: <4CB37E62.2030004@redhat.com>

Attached is a python script which will list all the files tracked by git
in a particular language. Use -h or --help to get usage.

Its basic algorithm is this:

cd to specified dir
get all files tracked by git in that dir and below
exclude any files whose path matches any exclusion pattern
foreach path
    get extension from basename
    if extension is in list of valid extensions for language then
        output path
    else if file has shell interpreter as first line
        if interpreter in language then
            output path

WARNING!!! If you run this from the root of our tree it will pick up a
lot of files which do *not* belong in our pot file!!! WARNING!!!

Therefore if you decide to use this instead of explicitly listing the
files you're going to have to explicitly list what to exclude. Listing
exclusions might be more robust than listing files to include. Either
way there is an opportunity to produce the wrong file list.

If you do use this script it's easy to set PYTHON_POTFILES and
C_POTFILES to the output of this script, see the info page on gmake for
the proper syntax.

--
John Dennis

Looking to carve out IT costs?
www.redhat.com/carveoutcosts/
-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: find_git_source
URL:

From jdennis at redhat.com Mon Oct 11 21:27:27 2010
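The file-selection algorithm outlined in John Dennis's 17:15:14 message above, as an added Python example; it is not the scrubbed find_git_source attachment. The language tables, the list_sources/select_sources names, and the sample paths, first lines and exclusion patterns are assumptions constructed for illustration. Restricting input to `git ls-files` output is what keeps stray, uncommitted files in a working tree out of the generated pot file.

```python
import fnmatch
import os
import re
import subprocess

# Assumed language tables: the attached script is not in the archive,
# so these extensions and interpreter names are illustrative only.
LANGUAGES = {
    "python": {"extensions": {".py"}, "interpreters": {"python"}},
    "c": {"extensions": {".c", ".h"}, "interpreters": set()},
}


def git_tracked_files(directory):
    """Paths tracked by git in `directory` and below, relative to it."""
    out = subprocess.check_output(["git", "ls-files", "-z"], cwd=directory)
    return [p for p in out.decode("utf-8", "surrogateescape").split("\0") if p]


def shebang_interpreter(first_line):
    """Interpreter named by a '#!' line, version suffix removed, else None."""
    if not first_line.startswith("#!"):
        return None
    words = first_line[2:].split()
    if not words:
        return None
    prog = os.path.basename(words[0])
    if prog == "env":
        # '#!/usr/bin/env python': skip env's options and VAR=value words
        rest = [w for w in words[1:] if not w.startswith("-") and "=" not in w]
        if not rest:
            return None
        prog = os.path.basename(rest[0])
    return re.sub(r"[\d.]+$", "", prog) or None


def read_first_line(path):
    """First line of a file on disk, or '' if it cannot be read."""
    try:
        with open(path, "rb") as handle:
            return handle.readline(256).decode("utf-8", "replace")
    except OSError:
        return ""


def select_sources(paths, language, excludes=(), first_line=read_first_line):
    """Apply the exclusion, extension and interpreter checks, in that order."""
    spec = LANGUAGES[language]
    selected = []
    for path in paths:
        if any(fnmatch.fnmatchcase(path, pattern) for pattern in excludes):
            continue
        extension = os.path.splitext(os.path.basename(path))[1]
        if extension in spec["extensions"]:
            selected.append(path)
        elif shebang_interpreter(first_line(path)) in spec["interpreters"]:
            selected.append(path)
    return selected


def list_sources(directory, language, excludes=()):
    """Run the selection over a real checkout (needs git on PATH)."""
    return select_sources(
        git_tracked_files(directory), language, excludes,
        first_line=lambda p: read_first_line(os.path.join(directory, p)))


# Constructed sample standing in for `git ls-files` output and file contents.
SAMPLE_TRACKED = [
    "ipalib/plugins/ping.py",
    "doc/examples/examples.py",
    "ipa-radius-server/plugins/radiusinstance.py",
    "install/po/test_i18n.py",
    "daemons/ipa-slapi-plugins/ipa-version/ipa_repl_version.c",
    "tools/do_foo",
    "tools/do_bar",
    "README",
]
SAMPLE_FIRST_LINES = {
    "tools/do_foo": "#!/usr/bin/python -E\n",
    "tools/do_bar": "#!/bin/sh\n",
}
SAMPLE_EXCLUDES = ["doc/*", "ipa-radius-server/*", "*/test_i18n.py"]


def demo(language):
    """Select from the constructed sample without touching git or the disk."""
    return select_sources(
        SAMPLE_TRACKED, language, SAMPLE_EXCLUDES,
        first_line=lambda p: SAMPLE_FIRST_LINES.get(p, ""))


if __name__ == "__main__":
    for lang in ("python", "c"):
        print(lang, demo(lang))
```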
From: jdennis at redhat.com (John Dennis) Date: Mon, 11 Oct 2010 17:27:27 -0400 Subject: [Freeipa-devel] [PATCH] Initial gettext support for C tools In-Reply-To: <20101011170921.1833fa5c@willson.li.ssimo.org> References: <20101007162014.1bbcdcf4@willson.li.ssimo.org> <4CAF2A0A.1060608@redhat.com> <20101011130107.76193e6a@willson.li.ssimo.org> <4CB354E3.5030909@redhat.com> <20101011170921.1833fa5c@willson.li.ssimo.org> Message-ID: <4CB3813F.2080308@redhat.com> On 10/11/2010 05:09 PM, Simo Sorce wrote: > On Mon, 11 Oct 2010 14:18:11 -0400 > John Dennis wrote: > >> On 10/11/2010 01:01 PM, Simo Sorce wrote: >>> On Fri, 08 Oct 2010 10:26:18 -0400 >>> Rob Crittenden wrote: >>> >>>> Simo Sorce wrote: >>>>> >>>>> >>>>> This is some very basic initial localization work for the C tools. >>>>> I do not have any translation yet, and creation and merging of .po >>>>> and binary files is not yet done. But the clients.pot file is >>>>> regularly updated when make is run in the main dir (or make >>>>> gettext in the ipa-clients dir). >>>>> >>>>> Fixes trac#186 >>>>> >>>>> Simo. >>>> >>>> Nack. As discussed in IRC we are going to use a single po file for >>>> all translations. >>> >>> Ok, here a revised patch that uses the existing intall/po >>> infrastructure and generates a single .po file >>> >>> I took the liberty of converting the Makefile in there to >>> automatically source .py, c and .h files, and also removed >>> install/po/Makefile as the Makefile.in is all we need in git I >>> think. >> >> NAK >> >> There are several things I'd like to see you address: >> >> 1) Please keep the independent list of python and c files potfiles as >> make variables. This is preferred because: > > I don't think I have changed this, PYTHON_POTFILES and C_POTFILES are > make variables afaik ... > >> a) It allows the use of these as explicit make target and >> dependencies. 
>>
>> b) It permits knowing exactly what these files are and could be
>> dumped out via a trivial make target for debugging and information
>> purposes.
>>
>> c) It avoids bizarre magic. By letting xgettext find some files and
>> have others explicitly listed you've buried inside some cryptic shell
>> commands both implicit and explicit file lists, the implicit file
>> list being invisible. That's just very hard to maintain and
>> understand.
>
> You also have access to the implicit file list through the PY_FILES
> variable, so I am not sure what you are asking.
>
> Do you want me to have a separate variable with the explicit python
> files that is separate and only then merge the 2 lists into the single
> PYTHON_POTFILES variable ?
>
> Something like:
> PY_EXPLICIT_FILES = yadda yadda
> PYTHON_POTFILES = $(PY_FILES) $(PY_EXPLICIT_FILES)
> perhaps ?
>
>
>> 2) By letting xgettext find the files you've exposed ourselves to
>> corruption. If you happen to have a .py or .c file hanging around in
>> your development tree which is not our git repo you'll embed that
>> bogus file into our pot file.
>
> I didn't do that, xgettext does not find anything by itself it takes
> the list from PY_FILES and C_FILES and H_FILES which are autogenerated
> out of a git ls-files output. This guarantees only and all committed
> files that match the extension are taken in consideration.
>
>> 3) You can address both above issues by doing this. Use a shell
>> command to set the PYTHON_POTFILES & C_POTFILES. That shell command
>> should produce the intersection of the git file list and the
>> language. I will send you a Python script to do this.
>
> Have you actually read the right patch ?? Maybe you looked at the old
> version I posted before the weekend ?

My apologies, I missed the git ls-files manipulation.

However the list of files it generates still isn't correct.

FWIW I think it's easier to run the previously supplied script to get a
file list.
Then make sure you exclude everything which doesn't belong in the pot file. For instance po/test_i18n.py doesn't belong, I wouldn't be surprised if you found others. -- John Dennis Looking to carve out IT costs? www.redhat.com/carveoutcosts/ From ssorce at redhat.com Mon Oct 11 22:43:26 2010 
From: ssorce at redhat.com (Simo Sorce) Date: Mon, 11 Oct 2010 18:43:26 -0400 Subject: [Freeipa-devel] [PATCH] Initial gettext support for C tools In-Reply-To: <4CB3813F.2080308@redhat.com> References: <20101007162014.1bbcdcf4@willson.li.ssimo.org> <4CAF2A0A.1060608@redhat.com> <20101011130107.76193e6a@willson.li.ssimo.org> <4CB354E3.5030909@redhat.com> <20101011170921.1833fa5c@willson.li.ssimo.org> <4CB3813F.2080308@redhat.com> Message-ID: <20101011184326.19842899@willson.li.ssimo.org> On Mon, 11 Oct 2010 17:27:27 -0400 John Dennis wrote: > However the list of files it generates still isn't correct. > > FWIW I think it's easier to run the previously supplied script to get > a file list. > > Then make sure you exclude everything which doesn't belong in the pot > file. > > For instance po/test_i18n.py doesn't belong, I wouldn't be surprised > if you found others. Ok, I've filtered out a few other files/directories. I think the list now is correct, but whoever will end up reviewing this patchset *please* explicitly ack if you think the list is correct or not (you can run the new shiny "make debug" to get the new list of files :) I also decided to split the patch in 3 separate patches. 1. to delete the Makefile that I think was erroneously committed by Adam 2. to add C files and to fix install/po/Makefile.in 3. to update the .pot and .po files after the changes to the makefile The third patch is compressed (now approx 80KiB) as fully uncompressed it is something monstrous like 1.5MiB ... Simo. -- Simo Sorce * Red Hat, Inc * New York -------------- next part -------------- A non-text attachment was scrubbed... Name: 0001-Remove-Makefile-from-git-this-file-is-autogenerated.patch Type: text/x-patch Size: 11615 bytes Desc: not available URL: -------------- next part -------------- A non-text attachment was scrubbed... 
Name: 0002-Initial-gettext-support-for-C-utils.patch Type: text/x-patch Size: 56274 bytes Desc: not available URL: -------------- next part -------------- A non-text attachment was scrubbed... Name: 0003-Update-.po-t-files-after-adding-C-files-for-translat.patch.bz2 Type: application/x-bzip Size: 80089 bytes Desc: not available URL: From rcritten at redhat.com Tue Oct 12 02:31:49 2010 From: rcritten at redhat.com (Rob Crittenden) Date: Mon, 11 Oct 2010 22:31:49 -0400 Subject: [Freeipa-devel] [PATCH] 573 use context to determine RequirementsErrors attributes Message-ID: <4CB3C895.2060905@redhat.com> Use context to decide which name to return on RequirementsErrors When a Requirement fails we throw an exception including the name of the field that is missing. To make the command-line friendlier we have a cli_name defined which may or may not match the LDAP attribute. This can be confusing if you are using ipalib directly because the attribute name missing may not match what is actually required (desc vs description is a good example). If you use the context 'cli' then it will throw exceptions using cli_name. If you use any other context it will use the name of the attribute. ticket 187 rob -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-573-parameter.patch Type: application/mbox Size: 7727 bytes Desc: not available URL: From pzuna at redhat.com Tue Oct 12 12:32:06 2010 From: pzuna at redhat.com (Pavel Zuna) Date: Tue, 12 Oct 2010 14:32:06 +0200 Subject: [Freeipa-devel] [PATCH] 567 fix group deletion In-Reply-To: <4CAFD7C4.5030407@redhat.com> References: <4CAFD7C4.5030407@redhat.com> Message-ID: <4CB45546.8010001@redhat.com> On 10/09/2010 04:47 AM, Rob Crittenden wrote: > Group deletion was failing with an error about too many values. > > rob > > ACK. Pavel From pzuna at redhat.com Tue Oct 12 12:57:37 2010 
From: pzuna at redhat.com (Pavel Zuna) Date: Tue, 12 Oct 2010 14:57:37 +0200 Subject: [Freeipa-devel] [PATCH] Add flag to group-find to only search on private groups. In-Reply-To: <4CA5D87C.5010104@redhat.com> References: <4CA5D87C.5010104@redhat.com> Message-ID: <4CB45B41.8090100@redhat.com> On 10/01/2010 02:47 PM, Pavel Zuna wrote: > Ticket #251 > > Pavel > > New version of patch attached. This time it should work. :) I renamed the flag from --privateonly to --private. Normal searches do not return private groups at all, while searches with this flag only return private groups. Pavel -------------- next part -------------- A non-text attachment was scrubbed... Name: pzuna-freeipa-0024-2-searchprvgroup.patch Type: text/x-patch Size: 6095 bytes Desc: not available URL: From ayoung at redhat.com Tue Oct 12 13:49:21 2010 From: ayoung at redhat.com (Adam Young) Date: Tue, 12 Oct 2010 09:49:21 -0400 Subject: [Freeipa-devel] [PATCH] 568 fix mutual exclusive comparison in hbac In-Reply-To: <4CB31A83.5070802@redhat.com> References: <4CB31A83.5070802@redhat.com> Message-ID: <4CB46761.2080509@redhat.com> On 10/11/2010 10:09 AM, Rob Crittenden wrote: > Do better error checking in mutual exclusivity check in hbac plugin. > This fixes the acceptance tests. > > rob > > > _______________________________________________ > Freeipa-devel mailing list > Freeipa-devel at redhat.com > https://www.redhat.com/mailman/listinfo/freeipa-devel ACK -------------- next part -------------- An HTML attachment was scrubbed... URL: From jdennis at redhat.com Tue Oct 12 14:44:29 2010 
From: jdennis at redhat.com (John Dennis) Date: Tue, 12 Oct 2010 10:44:29 -0400 Subject: [Freeipa-devel] [PATCH] Initial gettext support for C tools In-Reply-To: <20101011184326.19842899@willson.li.ssimo.org> References: <20101007162014.1bbcdcf4@willson.li.ssimo.org> <4CAF2A0A.1060608@redhat.com> <20101011130107.76193e6a@willson.li.ssimo.org> <4CB354E3.5030909@redhat.com> <20101011170921.1833fa5c@willson.li.ssimo.org> <4CB3813F.2080308@redhat.com> <20101011184326.19842899@willson.li.ssimo.org> Message-ID: <4CB4744D.3090202@redhat.com> On 10/11/2010 06:43 PM, Simo Sorce wrote: > Ok, I've filtered out a few other files/directories. I think the list > now is correct, but whoever will end up reviewing this patchset > *please* explicitly ack if you think the list is correct or not (you > can run the new shiny "make debug" to get the new list of files :) > > I also decided to split the patch in 3 separate patches. > 1. to delete the Makefile that I think was erroneously committed by Adam > 2. to add C files and to fix install/po/Makefile.in > 3. to update the .pot and .po files after the changes to the makefile > > The third patch is compressed (now approx 80KiB) as fully uncompressed > it is something monstrous like 1.5MiB ... > > Simo. 
>

Patch 1:

ACK

Patch 2:

This is what I came up with as differences in the file list (all were
additions from the previous Makefile.in)

checks/check-ra.py
doc/examples/examples.py
doc/examples/python-api.py
install/share/wsgi.py
ipa-radius-server/plugins/__init__.py
ipa-radius-server/plugins/radiusinstance.py
ipalib/plugins/hbacsvc.py
ipalib/plugins/hbacsvcgroup.py
ipalib/plugins/ping.py
ipalib/plugins/sudocmd.py
ipalib/plugins/sudocmdgroup.py
ipalib/plugins/sudorule.py
ipalib/plugins/whoami.py
ipapython/certmonger.py
ipapython/radius_util.py
ipaserver/install/upgradeinstance.py
daemons/ipa-slapi-plugins/ipa-pwd-extop/ipapwd_common.c
daemons/ipa-slapi-plugins/ipa-pwd-extop/ipapwd_encoding.c
daemons/ipa-slapi-plugins/ipa-pwd-extop/ipapwd_prepost.c
daemons/ipa-slapi-plugins/ipa-version/ipa_repl_version.c
daemons/ipa-slapi-plugins/ipa-pwd-extop/ipapwd.h

The doc directory should be excluded.

We're not shipping radius support so radius files should be excluded too.

I think the other additions are O.K., others should review as well.

The doc and radius inclusions should be fixed to receive ACK, otherwise
patch looks fine.

Patch 3:

These are the msg stats prior to the patch:

> ipa.pot has 414 messages. There are 17 po translation files.
> bn_IN:  24/414   5.8%  390 po untranslated,   0 missing, 390 untranslated
> de:      0/414   0.0%  414 po untranslated,   0 missing, 414 untranslated
> es:    380/414  91.8%   34 po untranslated,   0 missing,  34 untranslated
> fr:      0/414   0.0%  414 po untranslated,   0 missing, 414 untranslated
> id:    121/414  29.2%  293 po untranslated,   0 missing, 293 untranslated
> he:      0/414   0.0%  414 po untranslated,   0 missing, 414 untranslated
> it:      0/414   0.0%  414 po untranslated,   0 missing, 414 untranslated
> ja:      0/414   0.0%  414 po untranslated,   0 missing, 414 untranslated
> kn:    348/414  84.1%   66 po untranslated,   0 missing,  66 untranslated
> ko:      0/414   0.0%  414 po untranslated,   0 missing, 414 untranslated
> pl:    377/414  91.1%   37 po untranslated,   0 missing,  37 untranslated
> pt:      0/414   0.0%  414 po untranslated,   0 missing, 414 untranslated
> pt_BR:   0/414   0.0%  414 po untranslated,   0 missing, 414 untranslated
> ru:    135/414  32.6%  279 po untranslated,   0 missing, 279 untranslated
> uk:    414/414 100.0%    0 po untranslated,   0 missing,   0 untranslated
> zh_CN: 185/414  44.7%  229 po untranslated,   0 missing, 229 untranslated
> zh_TW:   0/414   0.0%  414 po untranslated,   0 missing, 414 untranslated

These are the msg stats after the patch:

> ipa.pot has 577 messages. There are 17 po translation files.
> bn_IN:  38/577   6.6%  539 po untranslated,   0 missing, 539 untranslated
> de:      0/577   0.0%  577 po untranslated,   0 missing, 577 untranslated
> es:    425/577  73.7%  152 po untranslated,   0 missing, 152 untranslated
> fr:      0/577   0.0%  577 po untranslated,   0 missing, 577 untranslated
> id:    137/577  23.7%  440 po untranslated,   0 missing, 440 untranslated
> he:      0/577   0.0%  577 po untranslated,   0 missing, 577 untranslated
> it:      0/577   0.0%  410 po untranslated, 167 missing, 577 untranslated
> ja:      0/577   0.0%  577 po untranslated,   0 missing, 577 untranslated
> kn:    392/577  67.9%  185 po untranslated,   0 missing, 185 untranslated
> ko:      0/577   0.0%  577 po untranslated,   0 missing, 577 untranslated
> pl:    422/577  73.1%  155 po untranslated,   0 missing, 155 untranslated
> pt:      0/577   0.0%  577 po untranslated,   0 missing, 577 untranslated
> pt_BR:   0/577   0.0%  577 po untranslated,   0 missing, 577 untranslated
> ru:    153/577  26.5%  424 po untranslated,   0 missing, 424 untranslated
> uk:    459/577  79.5%  118 po untranslated,   0 missing, 118 untranslated
> zh_CN: 218/577  37.8%  359 po untranslated,   0 missing, 359 untranslated
> zh_TW:   0/577   0.0%  577 po untranslated,   0 missing, 577 untranslated

The most obvious thing is 167 missing msgid's from the it.po file. It
looks like it.po got corrupted somehow (probably wasn't merged from
ipa.pot). Could you please check what happened to it.po?

NAK

--
John Dennis

Looking to carve out IT costs?
www.redhat.com/carveoutcosts/

From ssorce at redhat.com Tue Oct 12 14:57:11 2010
From: ssorce at redhat.com (Simo Sorce) Date: Tue, 12 Oct 2010 10:57:11 -0400 Subject: [Freeipa-devel] [PATCH] Initial gettext support for C tools In-Reply-To: <4CB4744D.3090202@redhat.com> References: <20101007162014.1bbcdcf4@willson.li.ssimo.org> <4CAF2A0A.1060608@redhat.com> <20101011130107.76193e6a@willson.li.ssimo.org> <4CB354E3.5030909@redhat.com> <20101011170921.1833fa5c@willson.li.ssimo.org> <4CB3813F.2080308@redhat.com> <20101011184326.19842899@willson.li.ssimo.org> <4CB4744D.3090202@redhat.com> Message-ID: <20101012105711.6d6a1c1b@willson.li.ssimo.org> On Tue, 12 Oct 2010 10:44:29 -0400 John Dennis wrote: > On 10/11/2010 06:43 PM, Simo Sorce wrote: > > Ok, I've filtered out a few other files/directories. I think the > > list now is correct, but whoever will end up reviewing this patchset > > *please* explicitly ack if you think the list is correct or not (you > > can run the new shiny "make debug" to get the new list of files :) > > > > I also decided to split the patch in 3 separate patches. > > 1. to delete the Makefile that I think was erroneously committed by > > Adam 2. to add C files and to fix install/po/Makefile.in > > 3. to update the .pot and .po files after the changes to the > > makefile > > > > The third patch is compressed (now approx 80KiB) as fully > > uncompressed it is something monstrous like 1.5MiB ... > > > > Simo. 
> > > > Patch 1: > > ACK > > Patch 2: > > This is what I came up with as differences in the file list (all were > additions from the previous Makefile.in) > > checks/check-ra.py > doc/examples/examples.py > doc/examples/python-api.py > install/share/wsgi.py > ipa-radius-server/plugins/__init__.py > ipa-radius-server/plugins/radiusinstance.py > ipalib/plugins/hbacsvc.py > ipalib/plugins/hbacsvcgroup.py > ipalib/plugins/ping.py > ipalib/plugins/sudocmd.py > ipalib/plugins/sudocmdgroup.py > ipalib/plugins/sudorule.py > ipalib/plugins/whoami.py > ipapython/certmonger.py > ipapython/radius_util.py > ipaserver/install/upgradeinstance.py > daemons/ipa-slapi-plugins/ipa-pwd-extop/ipapwd_common.c > daemons/ipa-slapi-plugins/ipa-pwd-extop/ipapwd_encoding.c > daemons/ipa-slapi-plugins/ipa-pwd-extop/ipapwd_prepost.c > daemons/ipa-slapi-plugins/ipa-version/ipa_repl_version.c > daemons/ipa-slapi-plugins/ipa-pwd-extop/ipapwd.h > > The doc directory should be excluded. > > We're not shipping radius support so radius files should be excluded > too. > > I think the other additions are O.K., others should review as well. > > The doc and radius inclusions should be fixed to receive ACK, > otherwise patch looks fine. Ok, I'll add the 2 exclusions, although I wonder if we shouldn't just remove the radius code and readd it only once we support it again ? > Patch 3: > > These are the msg stats prior to the patch: > > > ipa.pot has 414 messages. There are 17 po translation files. 
> > bn_IN:  24/414   5.8%  390 po untranslated,   0 missing, 390 untranslated
> > de:      0/414   0.0%  414 po untranslated,   0 missing, 414 untranslated
> > es:    380/414  91.8%   34 po untranslated,   0 missing,  34 untranslated
> > fr:      0/414   0.0%  414 po untranslated,   0 missing, 414 untranslated
> > id:    121/414  29.2%  293 po untranslated,   0 missing, 293 untranslated
> > he:      0/414   0.0%  414 po untranslated,   0 missing, 414 untranslated
> > it:      0/414   0.0%  414 po untranslated,   0 missing, 414 untranslated
> > ja:      0/414   0.0%  414 po untranslated,   0 missing, 414 untranslated
> > kn:    348/414  84.1%   66 po untranslated,   0 missing,  66 untranslated
> > ko:      0/414   0.0%  414 po untranslated,   0 missing, 414 untranslated
> > pl:    377/414  91.1%   37 po untranslated,   0 missing,  37 untranslated
> > pt:      0/414   0.0%  414 po untranslated,   0 missing, 414 untranslated
> > pt_BR:   0/414   0.0%  414 po untranslated,   0 missing, 414 untranslated
> > ru:    135/414  32.6%  279 po untranslated,   0 missing, 279 untranslated
> > uk:    414/414 100.0%    0 po untranslated,   0 missing,   0 untranslated
> > zh_CN: 185/414  44.7%  229 po untranslated,   0 missing, 229 untranslated
> > zh_TW:   0/414   0.0%  414 po untranslated,   0 missing, 414 untranslated
>
> These are the msg stats after the patch:
>
> > ipa.pot has 577 messages. There are 17 po translation files.
> > bn_IN:  38/577   6.6%  539 po untranslated,   0 missing, 539 untranslated
> > de:      0/577   0.0%  577 po untranslated,   0 missing, 577 untranslated
> > es:    425/577  73.7%  152 po untranslated,   0 missing, 152 untranslated
> > fr:      0/577   0.0%  577 po untranslated,   0 missing, 577 untranslated
> > id:    137/577  23.7%  440 po untranslated,   0 missing, 440 untranslated
> > he:      0/577   0.0%  577 po untranslated,   0 missing, 577 untranslated
> > it:      0/577   0.0%  410 po untranslated, 167 missing, 577 untranslated
> > ja:      0/577   0.0%  577 po untranslated,   0 missing, 577 untranslated
> > kn:    392/577  67.9%  185 po untranslated,   0 missing, 185 untranslated
> > ko:      0/577   0.0%  577 po untranslated,   0 missing, 577 untranslated
> > pl:    422/577  73.1%  155 po untranslated,   0 missing, 155 untranslated
> > pt:      0/577   0.0%  577 po untranslated,   0 missing, 577 untranslated
> > pt_BR:   0/577   0.0%  577 po untranslated,   0 missing, 577 untranslated
> > ru:    153/577  26.5%  424 po untranslated,   0 missing, 424 untranslated
> > uk:    459/577  79.5%  118 po untranslated,   0 missing, 118 untranslated
> > zh_CN: 218/577  37.8%  359 po untranslated,   0 missing, 359 untranslated
> > zh_TW:   0/577   0.0%  577 po untranslated,   0 missing, 577 untranslated
>
> The most obvious thing is 167 missing msgid's from the it.po file. It
> looks like it.po got corrupted somehow (probably wasn't merged from
> ipa.pot). Could you please check what happened to it.po?

I may have inadvertently altered it while investigating the update-po
issue. I will make sure I run update-po in a clean tree to regenerate
the third patch.

Simo.

--
Simo Sorce * Red Hat, Inc * New York

From ssorce at redhat.com Tue Oct 12 16:01:39 2010
From: ssorce at redhat.com (Simo Sorce) Date: Tue, 12 Oct 2010 12:01:39 -0400 Subject: [Freeipa-devel] [PATCH] Initial gettext support for C tools In-Reply-To: <20101012105711.6d6a1c1b@willson.li.ssimo.org> References: <20101007162014.1bbcdcf4@willson.li.ssimo.org> <4CAF2A0A.1060608@redhat.com> <20101011130107.76193e6a@willson.li.ssimo.org> <4CB354E3.5030909@redhat.com> <20101011170921.1833fa5c@willson.li.ssimo.org> <4CB3813F.2080308@redhat.com> <20101011184326.19842899@willson.li.ssimo.org> <4CB4744D.3090202@redhat.com> <20101012105711.6d6a1c1b@willson.li.ssimo.org> Message-ID: <20101012120139.5c428e83@willson.li.ssimo.org> On Tue, 12 Oct 2010 10:57:11 -0400 Simo Sorce wrote: > I may have inadvertently altered it while investigating the update-po > issue. I will make sure I run update-po in a clean tree to regenerate > the third patch. Ok, new patches attached that should address all your requests. Simo. -- Simo Sorce * Red Hat, Inc * New York -------------- next part -------------- A non-text attachment was scrubbed... Name: 0001-Remove-Makefile-from-git-this-file-is-autogenerated.patch Type: text/x-patch Size: 11615 bytes Desc: not available URL: -------------- next part -------------- A non-text attachment was scrubbed... Name: 0002-Initial-gettext-support-for-C-utils.patch Type: text/x-patch Size: 56310 bytes Desc: not available URL: -------------- next part -------------- A non-text attachment was scrubbed... Name: 0003-Update-.po-t-files-after-adding-C-files-for-translat.patch Type: text/x-patch Size: 1710332 bytes Desc: not available URL: From ayoung at redhat.com Tue Oct 12 18:18:01 2010 
From: ayoung at redhat.com (Adam Young) Date: Tue, 12 Oct 2010 14:18:01 -0400 Subject: [Freeipa-devel] [PATCH] Certificate management for services. In-Reply-To: <1455026464.1111286598224759.JavaMail.root@zmail05.collab.prod.int.phx2.redhat.com> References: <1455026464.1111286598224759.JavaMail.root@zmail05.collab.prod.int.phx2.redhat.com> Message-ID: <4CB4A659.9060103@redhat.com> On 10/09/2010 12:23 AM, Endi Sukma Dewata wrote: > Hi, > > Please review the attached patch. Thanks! > > This is an initial implementation of certificate management for > services. It addresses the mechanism required to view and update > certificates. The complete UI implementation will be addressed in > subsequent patches. > > On the server side, the service.py has been modified to define > usercertificate in the service object's takes_params. This is > needed to generate the proper JSON metadata which is needed by > the UI. It also has been modified to accept null certificate for > deletion. > > On the client side, the service details page has been modified to > display the base64-encoded certificate in a text area. When the > page is saved, the action handler will store the base64-encoded > certificate in the proper JSON structure. Also the service name > and service hostname are now displayed in separate fields. > > The details configuration has been modified to support displaying > and updating certificates. The structure is changed to use maps > to define sections and fields. A section contains name, label, > and an array of fields. A field contains name, label, setup > function, load function, and save function. This is used to > implement custom interface and behavior for certificates. > > All other entities, test cases, and test data have been updated > accordingly. Some functions and variables have been renamed to > improve clarity and consistency. > > -- > Endi S. 
Dewata > > > > _______________________________________________ > Freeipa-devel mailing list > Freeipa-devel at redhat.com > https://www.redhat.com/mailman/listinfo/freeipa-devel ACK and pushed to master -------------- next part -------------- An HTML attachment was scrubbed... URL: From rcritten at redhat.com Tue Oct 12 18:20:42 2010 From: rcritten at redhat.com (Rob Crittenden) Date: Tue, 12 Oct 2010 14:20:42 -0400 Subject: [Freeipa-devel] [PATCH] 544 add import to automount In-Reply-To: <4C9CFB24.7070400@redhat.com> References: <4C9CFB24.7070400@redhat.com> Message-ID: <4CB4A6FA.2030809@redhat.com> Rob Crittenden wrote: > Add ability to import automount files from the command-line. > > Support is fairly basic right now and will only work on the CLI. All the > work is done on the client side. > > To continue past errors use the --continue option. > > Fixed a bug where direct mounts weren't always added properly. > > Added real user documentation to the plugin. > > rob Updated patch. The local get_args() isn't needed any more. rob -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-544-2-automount.patch Type: application/mbox Size: 12494 bytes Desc: not available URL: From jdennis at redhat.com Tue Oct 12 18:25:42 2010 
From: jdennis at redhat.com (John Dennis) Date: Tue, 12 Oct 2010 14:25:42 -0400 Subject: [Freeipa-devel] [PATCH] Initial gettext support for C tools In-Reply-To: <20101012120139.5c428e83@willson.li.ssimo.org> References: <20101007162014.1bbcdcf4@willson.li.ssimo.org> <4CAF2A0A.1060608@redhat.com> <20101011130107.76193e6a@willson.li.ssimo.org> <4CB354E3.5030909@redhat.com> <20101011170921.1833fa5c@willson.li.ssimo.org> <4CB3813F.2080308@redhat.com> <20101011184326.19842899@willson.li.ssimo.org> <4CB4744D.3090202@redhat.com> <20101012105711.6d6a1c1b@willson.li.ssimo.org> <20101012120139.5c428e83@willson.li.ssimo.org> Message-ID: <4CB4A826.2010103@redhat.com> On 10/12/2010 12:01 PM, Simo Sorce wrote: > On Tue, 12 Oct 2010 10:57:11 -0400 > Simo Sorce wrote: > >> I may have inadvertently altered it while investigating the update-po >> issue. I will make sure I run update-po in a clean tree to regenerate >> the third patch. > > Ok, new patches attached that should address all your requests. Thanks! ACK -- John Dennis Looking to carve out IT costs? www.redhat.com/carveoutcosts/ From ayoung at redhat.com Tue Oct 12 18:31:53 2010 From: ayoung at redhat.com (Adam Young) Date: Tue, 12 Oct 2010 14:31:53 -0400 Subject: [Freeipa-devel] [PATCH] admiyo-freeipa-0054-dns-metadata.patch In-Reply-To: <4CAD0110.4060209@redhat.com> References: <4CAD0110.4060209@redhat.com> Message-ID: <4CB4A999.90009@redhat.com> On 10/06/2010 07:06 PM, Adam Young wrote: > In order to generate the metadate, the dns plugin needs to have a > __json__ method. > > Long term, this should be rewritten as a baseldap extension. > > > _______________________________________________ > Freeipa-devel mailing list > Freeipa-devel at redhat.com > https://www.redhat.com/mailman/listinfo/freeipa-devel ACKed in IRC by edewata and pushed to master. -------------- next part -------------- An HTML attachment was scrubbed... URL: From ssorce at redhat.com Tue Oct 12 19:48:13 2010 
From: ssorce at redhat.com (Simo Sorce) Date: Tue, 12 Oct 2010 15:48:13 -0400 Subject: [Freeipa-devel] [PATCH] Initial gettext support for C tools In-Reply-To: <4CB4A826.2010103@redhat.com> References: <20101007162014.1bbcdcf4@willson.li.ssimo.org> <4CAF2A0A.1060608@redhat.com> <20101011130107.76193e6a@willson.li.ssimo.org> <4CB354E3.5030909@redhat.com> <20101011170921.1833fa5c@willson.li.ssimo.org> <4CB3813F.2080308@redhat.com> <20101011184326.19842899@willson.li.ssimo.org> <4CB4744D.3090202@redhat.com> <20101012105711.6d6a1c1b@willson.li.ssimo.org> <20101012120139.5c428e83@willson.li.ssimo.org> <4CB4A826.2010103@redhat.com> Message-ID: <20101012154813.15dba457@willson.li.ssimo.org> On Tue, 12 Oct 2010 14:25:42 -0400 John Dennis wrote: > On 10/12/2010 12:01 PM, Simo Sorce wrote: > > On Tue, 12 Oct 2010 10:57:11 -0400 > > Simo Sorce wrote: > > > >> I may have inadvertently altered it while investigating the > >> update-po issue. I will make sure I run update-po in a clean tree > >> to regenerate the third patch. > > > > Ok, new patches attached that should address all your requests. > > Thanks! > > ACK > ok, Pushed. -- Simo Sorce * Red Hat, Inc * New York From ayoung at redhat.com Tue Oct 12 21:44:24 2010 
From: ayoung at redhat.com (Adam Young)
Date: Tue, 12 Oct 2010 17:44:24 -0400
Subject: [Freeipa-devel] DNS use cases
Message-ID: <4CB4D6B8.1000903@redhat.com>

Here is what I have so far. Sorry so long. I'll work to get this
down to a more usable size, but would like feedback from any brave
soul willing to read through this wall of text.

DNS administration is like the story of the blind men and the
elephant. Many people who do a significant amount of DNS
administration only perform a subset of activities that map to their
company's business use of DNS. Usage patterns include:

A large organization that provides a hostname for each user's desktop
system.

An online service provider that maps subdomains from their clients to
a small number of servers providing customized content.

An ISP that hosts a large number of domains managed by the ISP's
clients, each on a virtual server that runs on a smaller number of
physical servers.

The clients of that ISP that need to create subdomains for specific
uses (CMS, web services etc).

Software development shops that create subdomains for a small subset
of users who need to routinely create and destroy large numbers of
host entries.

Typically, the usage falls into a small number of use cases:

1. View and edit all of the records associated with a single host
2. Create or edit a Zone based on a template or simple business rules

Of the record types we handle, it makes sense to look at their
expected cardinality:

A: Typically, an A Record is canonical, not just for a public name,
but for many CNAME records pointing to that host. It has the split
identity of being the name that everyone uses to refer to some
resources, but also acts as an insulation layer between a large number
of CNAME record aliases and an IP address that may change over time.

CNAME: Often these will refer to A records not even in the same
domain. While the recommended usage states that a CNAME should only
point to an A Record, in practice people can point one CNAME to
another CNAME record. This usage is common when the first CNAME is
managed by one organization, and the second is managed by the ISP for
the first.

SRV Records are rare, but require much more information than an A,
AAAA, CNAME, PTR etc. record. Like a CNAME or PTR, part of the SRC
record is a pointer to another host, and again, this should be a
Canonical target (A Record).

It probably makes sense for us to force A records to be HOST entries,
and to use those to populate the values for CNAME, SRC, PTR, SRV, etc
records.

Certain large organizations are going to take a Zone based approach
to DNS. For an ISP, each customer is likely to have a Domain name and
will need certain basic records. At a minimum, they need an A or
CNAME record for the main host that they manage, even if this host is
shared by other users. Management of those Zones may be delegated to
the customers. They are also likely to want an MX record for their
domain. This is likely to point to a centralized mail server for all
customers, where the mail will be sorted based on spam filtering
before delivery. Again, it should point to an A record. The RFC is
pretty clear on this point, so it is unclear whether people actually
have MX records which refer to CNAME records.

PTR records typically are used for Reverse DNS lookups. As such, DNS
should return only one record for a given hostname, although different
hostnames may all map to the same IP address. It may not make sense
to force this onto an IPA Host object, as it is likely that the end
user will want to move the IP address from one host to another, and
have all of the PTR records remain valid. However, without forcing
it onto a host object, we have no way to say "show me all of the
hostnames that map to this IP address."

Of the many forms of Key and certificate records, none of them seem to
point to other hosts, but are instead associated with a zone. For
example, DNSSEC uses the Key record. It is requested based on a
Hostname, and returns a key. The IPSEC record is an exception, but we
do not currently support that record type.

It is unlikely that we will need explicit records for NSEC* records,
as they basically say "The host you requested does not exist." Since
DNS provides a Canonical answer about existence, denying the existence
of a host that does exist tends to break things. Instead, I suspect
that these records are autogenerated based on the set of hostnames
that we *do* provide answers for.

SIG records do not refer to hosts. RRSIG records, which we support,
use this format. Instead, they sign a record set, or collection of
records of type RR. We don't seem to support type RR records, which
leaves me a little confused. An RR record does have a hostname in it.

SOA records are 1-to-1 with a zone. As such, the CLI methods dns-add,
dns-mod etc modify the SOA for a given zone. The MNAME is a server
that manages the records. In an ideal world, this would be a host in
IPA, so we can see all the zones managed by a given DNS server.

Really, there are two use cases for creating a zone:

1. I want the IPA server to manage the zone. It will be the MNAME
field for the DNS record.

2. I want IPA to act as the caching server for the zone, which is
managed by a remote server.

The two use cases are mutually exclusive. It seems that really, only
the first makes sense. The second case is really a degenerate case of
"act as a caching DNS server for remote server X" where all
unresolved queries get forwarded to server X, and the results cached
for future use.

From ayoung at redhat.com Tue Oct 12 22:04:24 2010
From: ayoung at redhat.com (Adam Young)
Date: Tue, 12 Oct 2010 18:04:24 -0400
Subject: [Freeipa-devel] [PATCH] 544 add import to automount
In-Reply-To: <4CB4A6FA.2030809@redhat.com>
References: <4C9CFB24.7070400@redhat.com> <4CB4A6FA.2030809@redhat.com>
Message-ID: <4CB4DB68.9050904@redhat.com>

On 10/12/2010 02:20 PM, Rob Crittenden wrote:
> Rob Crittenden wrote:
>> Add ability to import automount files from the command-line.
>>
>> Support is fairly basic right now and will only work on the CLI. All the
>> work is done on the client side.
>>
>> To continue past errors use the --continue option.
>>
>> Fixed a bug where direct mounts weren't always added properly.
>>
>> Added real user documentation to the plugin.
>>
>> rob
>
> Updated patch. The local get_args() isn't needed any more.
>
> rob
>
>
> _______________________________________________
> Freeipa-devel mailing list
> Freeipa-devel at redhat.com
> https://www.redhat.com/mailman/listinfo/freeipa-devel

ACK

This really should have a unit test. It doesn't fail too cleanly:

[ayoung at ipa freeipa]$ echo BLAH > /tmp/automount.garbage
[ayoung at ipa freeipa]$ ipa automountlocation-import /tmp/automount.garbage
Master file:
[ayoung at ipa freeipa]$ ipa automountlocation-import default /tmp/automount.garbage
ipa: ERROR: non-public: IndexError: list index out of range
Traceback (most recent call last):
  File "/usr/lib/python2.6/site-packages/ipalib/backend.py", line 125, in execute
    result = self.Command[_name](*args, **options)
  File "/usr/lib/python2.6/site-packages/ipalib/frontend.py", line 401, in __call__
    ret = self.run(*args, **options)
  File "/usr/lib/python2.6/site-packages/ipalib/frontend.py", line 675, in run
    return self.forward(*args, **options)
  File "/usr/lib/python2.6/site-packages/ipalib/plugins/automount.py", line 358, in forward
    if am[1].startswith('/'):
IndexError: list index out of range
ipa: ERROR: an internal error has occurred

-------------- next part --------------
An HTML attachment was scrubbed...
URL:

From ayoung at redhat.com Tue Oct 12 22:21:28 2010
From: ayoung at redhat.com (Adam Young)
Date: Tue, 12 Oct 2010 18:21:28 -0400
Subject: [Freeipa-devel] [PATCH] 544 add import to automount
In-Reply-To: <4CB4DB68.9050904@redhat.com>
References: <4C9CFB24.7070400@redhat.com> <4CB4A6FA.2030809@redhat.com>
    <4CB4DB68.9050904@redhat.com>
Message-ID: <4CB4DF68.5000406@redhat.com>

On 10/12/2010 06:04 PM, Adam Young wrote:
> On 10/12/2010 02:20 PM, Rob Crittenden wrote:
>> Rob Crittenden wrote:
>>> Add ability to import automount files from the command-line.
>>>
>>> Support is fairly basic right now and will only work on the CLI. All
>>> the
>>> work is done on the client side.
>>>
>>> To continue past errors use the --continue option.
>>>
>>> Fixed a bug where direct mounts weren't always added properly.
>>>
>>> Added real user documentation to the plugin.
>>>
>>> rob
>>
>> Updated patch. The local get_args() isn't needed any more.
>>
>> rob
>>
>>
>> _______________________________________________
>> Freeipa-devel mailing list
>> Freeipa-devel at redhat.com
>> https://www.redhat.com/mailman/listinfo/freeipa-devel
> ACK
>
>
> This really should have a unit test. It doesn't fail too cleanly:
>
> [ayoung at ipa freeipa]$ echo BLAH > /tmp/automount.garbage
> [ayoung at ipa freeipa]$ ipa automountlocation-import
> /tmp/automount.garbage
> Master file:
> [ayoung at ipa freeipa]$ ipa automountlocation-import default
> /tmp/automount.garbage
> ipa: ERROR: non-public: IndexError: list index out of range
> Traceback (most recent call last):
>   File "/usr/lib/python2.6/site-packages/ipalib/backend.py", line 125,
> in execute
>     result = self.Command[_name](*args, **options)
>   File "/usr/lib/python2.6/site-packages/ipalib/frontend.py", line
> 401, in __call__
>     ret = self.run(*args, **options)
>   File "/usr/lib/python2.6/site-packages/ipalib/frontend.py", line
> 675, in run
>     return self.forward(*args, **options)
>   File "/usr/lib/python2.6/site-packages/ipalib/plugins/automount.py",
> line 358, in forward
>     if am[1].startswith('/'):
> IndexError: list index out of range
> ipa: ERROR: an internal error has occurred
>
>
> _______________________________________________
> Freeipa-devel mailing list
> Freeipa-devel at redhat.com
> https://www.redhat.com/mailman/listinfo/freeipa-devel

Pushed to master

-------------- next part --------------
An HTML attachment was scrubbed...
URL:

From ayoung at redhat.com Wed Oct 13 02:07:28 2010
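
[Added example, not part of any message in this thread and not FreeIPA's automount plugin code.] The traceback in the automount thread above comes from indexing am[1] on a master-file line that has a single field. The Python below validates each line's field count before indexing and reports a line-numbered error instead of an internal one; parse_master, MasterEntry, MasterMapError and the sample input are hypothetical names and constructed data, and only lines starting with "#" are assumed to be comments.

```python
from dataclasses import dataclass


class MasterMapError(ValueError):
    """A master map line that cannot be imported (a public, reportable error)."""

    def __init__(self, lineno, line, reason):
        super().__init__("line %d: %s: %r" % (lineno, reason, line))
        self.lineno = lineno
        self.line = line
        self.reason = reason


@dataclass
class MasterEntry:
    mount_point: str   # e.g. "/home", or "/-" for a direct map
    map_name: str      # e.g. "auto.home" or "/etc/auto.direct"
    options: str       # remaining text on the line, possibly empty
    map_is_file: bool  # the map is given as an absolute path
    direct: bool       # the mount point is "/-"


def parse_master_line(lineno, raw):
    """Return a MasterEntry, None for a skipped line, or raise MasterMapError."""
    line = raw.strip()
    # Blank lines, comments and "+include" directives carry no entry.
    if not line or line.startswith("#") or line.startswith("+"):
        return None
    fields = line.split(None, 2)
    # The check the traceback shows missing: never touch fields[1]
    # before confirming the line has at least two fields.
    if len(fields) < 2:
        raise MasterMapError(lineno, raw,
                             "expected '<mount-point> <map> [options]'")
    mount_point, map_name = fields[0], fields[1]
    if not mount_point.startswith("/"):
        raise MasterMapError(lineno, raw,
                             "mount point is not an absolute path")
    options = fields[2] if len(fields) == 3 else ""
    return MasterEntry(mount_point, map_name, options,
                       map_name.startswith("/"), mount_point == "/-")


def parse_master(text, continue_on_error=False):
    """Parse master map text.

    With continue_on_error=False the first bad line raises MasterMapError.
    With continue_on_error=True bad lines are collected and parsing goes on,
    mirroring the --continue option described in the thread.
    """
    entries, errors = [], []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        try:
            entry = parse_master_line(lineno, raw)
        except MasterMapError as exc:
            if not continue_on_error:
                raise
            errors.append(exc)
            continue
        if entry is not None:
            entries.append(entry)
    return entries, errors


# Constructed sample input, not taken from the thread.
SAMPLE_MASTER = """\
# constructed sample master map
/home    auto.home   --timeout=60
/-       /etc/auto.direct
BLAH
+auto.master
home     auto.misc
"""

if __name__ == "__main__":
    parsed, problems = parse_master(SAMPLE_MASTER, continue_on_error=True)
    for item in parsed:
        print(item)
    for problem in problems:
        print("skipped:", problem)
```
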
From: ayoung at redhat.com (Adam Young)
Date: Tue, 12 Oct 2010 22:07:28 -0400
Subject: [Freeipa-devel] DNS use cases
In-Reply-To: <4CB4D6B8.1000903@redhat.com>
References: <4CB4D6B8.1000903@redhat.com>
Message-ID: <4CB51460.4090806@redhat.com>

Webmin is probably the oldest web based administrative platform. Here
is the Webmin documentation for BIND configuration.

http://doxfer.webmin.com/Webmin/BINDDNSServer

Some Highlights:

Creating a zone is pretty close to our concept, but without the
"Minimum info to create an entity" approach.

Creating a new Record is done with a new page, which for us would map
to a modal.

When creating an A record, there is an option to update the reverse
record.

When updating a reverse record, it has a link to "update forward"

Second "Apply changes" pushes out all changes in bulk. This then tells
the BIND server to reread its config. Doesn't map to our BIND
implementation approach.

Records are not listed by default. If you want to list the records,
you have to select the record type to show, or list all.

Other notable features:

Slave zone support

Partial Reverse Resolution.

Module Access Control: allowing delegation of who can manage a zone.

On 10/12/2010 05:44 PM, Adam Young wrote:
> Here is what I have so far. Sorry so long. I'll work to get this
> down to a more usable size, but would like feedback from any brave
> soul willing to read through this wall of text.
>
> DNS administration is like the story of the blind men and the
> elephant. Many people who do a significant amount of DNS
> administration only perform a subset of activities that map to their
> company's business use of DNS. Usage patterns include:
>
> A large organization that provides a hostname for each user's desktop
> system.
>
> An online service provider that maps subdomains from their clients to
> a small number of servers providing customized content.
>
> An ISP that hosts a large number of domains managed by the ISP's
> clients, each on a virtual server that runs on a smaller number of
> physical servers.
>
> The clients of that ISP that need to create subdomains for specific
> uses (CMS, web services etc).
>
> Software development shops that create subdomains for a small subset
> of users who need to routinely create and destroy large numbers of
> host entries.
>
> Typically, the usage falls into a small number of use cases:
>
> 1. View and edit all of the records associated with a single host
> 2. Create or edit a Zone based on a template or simple business rules
>
> Of the record types we handle, it makes sense to look at their
> expected cardinality:
>
> A: Typically, an A Record is canonical, not just for a public name,
> but for many CNAME records pointing to that host. It has the split
> identity of being the name that everyone uses to refer to some
> resources, but also acts as an insulation layer between a large number
> of CNAME record aliases and an IP address that may change over time.
>
> CNAME: Often these will refer to A records not even in the same
> domain. While the recommended usage states that a CNAME should only
> point to an A Record, in practice people can point one CNAME to
> another CNAME record. This usage is common when the first CNAME is
> managed by one organization, and the second is managed by the ISP for
> the first.
>
> SRV Records are rare, but require much more information than an A,
> AAAA, CNAME, PTR etc. record. Like a CNAME or PTR, part of the SRC
> record is a pointer to another host, and again, this should be a
> Canonical target (A Record).
>
> It probably makes sense for us to force A records to be HOST entries,
> and to use those to populate the values for CNAME, SRC, PTR, SRV, etc
> records.
>
> Certain large organizations are going to take a Zone based approach
> to DNS. For an ISP, each customer is likely to have a Domain name and
> will need certain basic records. At a minimum, they need an A or
> CNAME record for the main host that they manage, even if this host is
> shared by other users. Management of those Zones may be delegated to
> the customers. They are also likely to want an MX record for their
> domain. This is likely to point to a centralized mail server for all
> customers, where the mail will be sorted based on spam filtering
> before delivery. Again, it should point to an A record. The RFC is
> pretty clear on this point, so it is unclear whether people actually
> have MX records which refer to CNAME records.
>
> PTR records typically are used for Reverse DNS lookups. As such, DNS
> should return only one record for a given hostname, although different
> hostnames may all map to the same IP address. It may not make sense
> to force this onto an IPA Host object, as it is likely that the end
> user will want to move the IP address from one host to another, and
> have all of the PTR records remain valid. However, without forcing
> it onto a host object, we have no way to say "show me all of the
> hostnames that map to this IP address."
>
>
> Of the many forms of Key and certificate records, none of them seem to
> point to other hosts, but are instead associated with a zone. For
> example, DNSSEC uses the Key record. It is requested based on a
> Hostname, and returns a key. The IPSEC record is an exception, but we
> do not currently support that record type.
>
>
> It is unlikely that we will need explicit records for NSEC* records,
> as they basically say "The host you requested does not exist." Since
> DNS provides a Canonical answer about existence, denying the existence
> of a host that does exist tends to break things. Instead, I suspect
> that these records are autogenerated based on the set of hostnames
> that we *do* provide answers for.
>
> SIG records do not refer to hosts. RRSIG records, which we support,
> use this format. Instead, they sign a record set, or collection of
> records of type RR. We don't seem to support type RR records, which
> leaves me a little confused. An RR record does have a hostname in it.
>
>
> SOA records are 1-to-1 with a zone. As such, the CLI methods dns-add,
> dns-mod etc modify the SOA for a given zone. The MNAME is a server
> that manages the records. In an ideal world, this would be a host in
> IPA, so we can see all the zones managed by a given DNS server.
>
>
> Really, there are two use cases for creating a zone:
>
> 1. I want the IPA server to manage the zone. It will be the MNAME
> field for the DNS record.
>
> 2. I want IPA to act as the caching server for the zone, which is
> managed by a remote server.
>
> The two use cases are mutually exclusive. It seems that really, only
> the first makes sense. The second case is really a degenerate case of
> "act as a caching DNS server for remote server X" where all
> unresolved queries get forwarded to server X, and the results cached
> for future use.
>
> _______________________________________________
> Freeipa-devel mailing list
> Freeipa-devel at redhat.com
> https://www.redhat.com/mailman/listinfo/freeipa-devel

From pzuna at redhat.com Wed Oct 13 12:46:52 2010
From: pzuna at redhat.com (Pavel Zuna)
Date: Wed, 13 Oct 2010 14:46:52 +0200
Subject: [Freeipa-devel] [PATCH] Check if attribute is single-value before
    trying to add values to it.
Message-ID: <4CB5AA3C.3020301@redhat.com>

This patch adds a check in ldap2 for single-value attributes. DS doesn't
seem to care much about attributes being defined as SINGLE-VALUE except
for things like uidNumber and gidNumber (I suspect this is handled by
the DNA plugin).

Ticket #246

Pavel
-------------- next part --------------
A non-text attachment was scrubbed...
Name: pzuna-freeipa-0032-singlevalue.patch
Type: text/x-patch
Size: 2032 bytes
Desc: not available
URL:

From rcritten at redhat.com Wed Oct 13 13:31:08 2010
From: rcritten at redhat.com (Rob Crittenden)
Date: Wed, 13 Oct 2010 09:31:08 -0400
Subject: [Freeipa-devel] [PATCH] 575 compare resolver and dns reverse lookups
Message-ID: <4CB5B49C.1040500@redhat.com>

We check the resolver against the resolver and DNS against DNS but not
the resolver against DNS so if something is wrong in /etc/hosts we don't
catch it and nasty connection messages occur.

Also fix a problem where a bogus error message was being displayed
because we were trying to close an unconnected LDAP connection.

ticket 327

Review this one carefully. It tested out ok on my relatively closed
system but the implications are that you wouldn't be able to install at
all or would have to pass --no-host-dns for installation to continue.

I tested by setting my own host entry in /etc/hosts to a bogus IP addr.

rob
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-575-install.patch
Type: application/mbox
Size: 2458 bytes
Desc: not available
URL:

From pzuna at redhat.com Wed Oct 13 13:37:53 2010
From: pzuna at redhat.com (Pavel Zuna)
Date: Wed, 13 Oct 2010 15:37:53 +0200
Subject: [Freeipa-devel] [PATCH] 570 enforce max username length
In-Reply-To: <4CB32AF0.40003@redhat.com>
References: <4CB32AF0.40003@redhat.com>
Message-ID: <4CB5B631.6070705@redhat.com>

On 10/11/2010 05:19 PM, Rob Crittenden wrote:
> Enforce the configurable max username length from cn=ipaconfig.
>
> rob
>

This will raise an exception if the ipaMaxUsernameLength attribute isn't
present in the config entry. I know it's not very likely, but it would
be better to retrieve the attribute first and only do the length check
if it is set.

Pavel

From pzuna at redhat.com Wed Oct 13 13:44:55 2010
From: pzuna at redhat.com (Pavel Zuna)
Date: Wed, 13 Oct 2010 15:44:55 +0200
Subject: [Freeipa-devel] [PATCH] 569 detect when DNS is not configured
In-Reply-To: <4CB32570.9060700@redhat.com>
References: <4CB32570.9060700@redhat.com>
Message-ID: <4CB5B7D7.6060101@redhat.com>

On 10/11/2010 04:55 PM, Rob Crittenden wrote:
> Detect when DNS is not configured and return an error message when using
> the command-line.
>
> It would be nicer if we disabled the command altogether but this would
> require checking the server to see every time the ipa command is
> executed (which would be bad). We can't store this in a configuration
> file because it is possible to add a DNS post-install (and it would
> require adding this to every single client install).
>
> ticket 147
>
> rob
>

ACK.

Pavel

From pzuna at redhat.com Wed Oct 13 13:46:15 2010
From: pzuna at redhat.com (Pavel Zuna)
Date: Wed, 13 Oct 2010 15:46:15 +0200
Subject: [Freeipa-devel] [PATCH] 571 return non-zero on *-find when nothing
    is found
In-Reply-To: <4CB3423E.8080903@redhat.com>
References: <4CB3423E.8080903@redhat.com>
Message-ID: <4CB5B827.9050703@redhat.com>

On 10/11/2010 06:58 PM, Rob Crittenden wrote:
> Return non-zero when the number of entries from *-find returned is zero.
>
> ticket 325
>
> rob
>

ACK.

Pavel

From rcritten at redhat.com Wed Oct 13 13:46:25 2010
From: rcritten at redhat.com (Rob Crittenden)
Date: Wed, 13 Oct 2010 09:46:25 -0400
Subject: [Freeipa-devel] [PATCH] 570 enforce max username length
In-Reply-To: <4CB5B631.6070705@redhat.com>
References: <4CB32AF0.40003@redhat.com> <4CB5B631.6070705@redhat.com>
Message-ID: <4CB5B831.2040406@redhat.com>

Pavel Zuna wrote:
> On 10/11/2010 05:19 PM, Rob Crittenden wrote:
>> Enforce the configurable max username length from cn=ipaconfig.
>>
>> rob
>>
>
> This will raise an exception if the ipaMaxUsernameLength attribute isn't
> present in the config entry. I know it's not very likely, but it would
> be better to retrieve the attribute first and only do the length check
> if it is set.
>
> Pavel

Ok, new patch attached. get_ipa_config() always returns a dict (unless
things really go south in which case missing this attribute is the least
of our problems).

rob
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-570-2-length.patch
Type: application/mbox
Size: 1174 bytes
Desc: not available
URL:

From pzuna at redhat.com Wed Oct 13 13:47:12 2010
From: pzuna at redhat.com (Pavel Zuna)
Date: Wed, 13 Oct 2010 15:47:12 +0200
Subject: [Freeipa-devel] [PATCH] 572 fix usage help of ipa-replica-install
In-Reply-To: <4CB34457.5040703@redhat.com>
References: <4CB34457.5040703@redhat.com>
Message-ID: <4CB5B860.1030204@redhat.com>

On 10/11/2010 07:07 PM, Rob Crittenden wrote:
> Include REPLICA_FILE in usage for ipa-replica-install
>
> ticket 247
>
> rob
>

ACK.

Pavel

From pzuna at redhat.com Wed Oct 13 13:48:08 2010
From: pzuna at redhat.com (Pavel Zuna)
Date: Wed, 13 Oct 2010 15:48:08 +0200
Subject: [Freeipa-devel] [PATCH] 570 enforce max username length
In-Reply-To: <4CB5B831.2040406@redhat.com>
References: <4CB32AF0.40003@redhat.com> <4CB5B631.6070705@redhat.com>
    <4CB5B831.2040406@redhat.com>
Message-ID: <4CB5B898.70100@redhat.com>

On 10/13/2010 03:46 PM, Rob Crittenden wrote:
> Pavel Zuna wrote:
>> On 10/11/2010 05:19 PM, Rob Crittenden wrote:
>>> Enforce the configurable max username length from cn=ipaconfig.
>>>
>>> rob
>>>
>>
>> This will raise an exception if the ipaMaxUsernameLength attribute isn't
>> present in the config entry. I know it's not very likely, but it would
>> be better to retrieve the attribute first and only do the length check
>> if it is set.
>>
>> Pavel
>
> Ok, new patch attached. get_ipa_config() always returns a dict (unless
> things really go south in which case missing this attribute is the least
> of our problems).
>
> rob

ACK.

Pavel

From ssorce at redhat.com Wed Oct 13 14:38:32 2010
From: ssorce at redhat.com (Simo Sorce)
Date: Wed, 13 Oct 2010 10:38:32 -0400
Subject: [Freeipa-devel] DNS use cases
In-Reply-To: <4CB4D6B8.1000903@redhat.com>
References: <4CB4D6B8.1000903@redhat.com>
Message-ID: <20101013103832.362569e1@willson.li.ssimo.org>

On Tue, 12 Oct 2010 17:44:24 -0400
Adam Young wrote:

> Really, there are two use cases for creating a zone:
>
> 1. I want the IPA server to manage the zone. It will be the MNAME
> field for the DNS record.
>
> 2. I want IPA to act as the caching server for the zone, which is
> managed by a remote server.
>
> The two use cases are mutually exclusive. It seems that really, only
> the first makes sense. The second case is really a degenerate case
> of "act as a caching DNS server for remote server X" where all
> unresolved queries get forwarded to server X, and the results cached
> for future use.

Minor nitpick on zones and caching.

Being a secondary is technically not just caching. When you are a
secondary, you do zone transfers, and then are able to reply to any
request even those not seen before about a specific record in the zone.
Zones never expire, they just keep being used until the master updates
the zone serial record, at which point the zone is refreshed.

It also involves having the right to issue a zone transfer request.
Something normally not permitted to random clients.

Caching instead is done as part of the normal function of DNS servers
and is applied to all records regardless of where they come from.

Simo.

--
Simo Sorce * Red Hat, Inc * New York

From ayoung at redhat.com Wed Oct 13 15:42:55 2010
From: ayoung at redhat.com (Adam Young)
Date: Wed, 13 Oct 2010 11:42:55 -0400
Subject: [Freeipa-devel] DNS use cases
In-Reply-To: <20101013103832.362569e1@willson.li.ssimo.org>
References: <4CB4D6B8.1000903@redhat.com>
    <20101013103832.362569e1@willson.li.ssimo.org>
Message-ID: <4CB5D37F.4030802@redhat.com>

On 10/13/2010 10:38 AM, Simo Sorce wrote:
> On Tue, 12 Oct 2010 17:44:24 -0400
> Adam Young wrote:
>
>
>> Really, there are two use cases for creating a zone:
>>
>> 1. I want the IPA server to manage the zone. It will be the MNAME
>> field for the DNS record.
>>
>> 2. I want IPA to act as the caching server for the zone, which is
>> managed by a remote server.
>>
>> The two use cases are mutually exclusive. It seems that really, only
>> the first makes sense. The second case is really a degenerate case
>> of "act as a caching DNS server for remote server X" where all
>> unresolved queries get forwarded to server X, and the results cached
>> for future use.
>>
> Minor nitpick on zones and caching.
>
> Being a secondary is technically not just caching. When you are a
> secondary, you do zone transfers, and then are able to reply to any
> request even those not seen before about a specific record in the zone.
> Zones never expire, they just keep being used until the master updates
> the zone serial record, at which point the zone is refreshed.
>
> It also involves having the right to issue a zone transfer request.
> Something normally not permitted to random clients.
>
> Caching instead is done as part of the normal function of DNS servers
> and is applied to all records regardless of where they come from.
>

Good point. I don't think it changes the heart of my argument, but
since this mail is likely to morph into a document used to either
explain the design or help the end user, it helps to have it as correct
as possible.

So, a better version would be:

2. I want IPA to act as a secondary server for the zone, which is
managed by a remote server.

...

In the second case, the main decisions are made by the primary, and the
second server derives the information it needs to make a decision from
the primary.

> Simo.
>
>

From rcritten at redhat.com Wed Oct 13 17:00:40 2010
From: rcritten at redhat.com (Rob Crittenden)
Date: Wed, 13 Oct 2010 13:00:40 -0400
Subject: [Freeipa-devel] [PATCH] 569 detect when DNS is not configured
In-Reply-To: <4CB5B7D7.6060101@redhat.com>
References: <4CB32570.9060700@redhat.com> <4CB5B7D7.6060101@redhat.com>
Message-ID: <4CB5E5B8.2060904@redhat.com>

Pavel Zuna wrote:
> On 10/11/2010 04:55 PM, Rob Crittenden wrote:
>> Detect when DNS is not configured and return an error message when using
>> the command-line.
>>
>> It would be nicer if we disabled the command altogether but this would
>> require checking the server to see every time the ipa command is
>> executed (which would be bad). We can't store this in a configuration
>> file because it is possible to add a DNS post-install (and it would
>> require adding this to every single client install).
>>
>> ticket 147
>>
>> rob
>>
>
> ACK.
>
> Pavel

pushed to master

From rcritten at redhat.com Wed Oct 13 17:01:23 2010
From: rcritten at redhat.com (Rob Crittenden)
Date: Wed, 13 Oct 2010 13:01:23 -0400
Subject: [Freeipa-devel] [PATCH] 571 return non-zero on *-find when nothing
    is found
In-Reply-To: <4CB5B827.9050703@redhat.com>
References: <4CB3423E.8080903@redhat.com> <4CB5B827.9050703@redhat.com>
Message-ID: <4CB5E5E3.1040100@redhat.com>

Pavel Zuna wrote:
> On 10/11/2010 06:58 PM, Rob Crittenden wrote:
>> Return non-zero when the number of entries from *-find returned is zero.
>>
>> ticket 325
>>
>> rob
>>
>
> ACK.
>
> Pavel

pushed to master

From rcritten at redhat.com Wed Oct 13 17:01:34 2010
From: rcritten at redhat.com (Rob Crittenden)
Date: Wed, 13 Oct 2010 13:01:34 -0400
Subject: [Freeipa-devel] [PATCH] 572 fix usage help of ipa-replica-install
In-Reply-To: <4CB5B860.1030204@redhat.com>
References: <4CB34457.5040703@redhat.com> <4CB5B860.1030204@redhat.com>
Message-ID: <4CB5E5EE.9010705@redhat.com>

Pavel Zuna wrote:
> On 10/11/2010 07:07 PM, Rob Crittenden wrote:
>> Include REPLICA_FILE in usage for ipa-replica-install
>>
>> ticket 247
>>
>> rob
>>
>
> ACK.
>
> Pavel

pushed to master

From rcritten at redhat.com Wed Oct 13 17:01:43 2010
From: rcritten at redhat.com (Rob Crittenden)
Date: Wed, 13 Oct 2010 13:01:43 -0400
Subject: [Freeipa-devel] [PATCH] 570 enforce max username length
In-Reply-To: <4CB5B898.70100@redhat.com>
References: <4CB32AF0.40003@redhat.com> <4CB5B631.6070705@redhat.com>
    <4CB5B831.2040406@redhat.com> <4CB5B898.70100@redhat.com>
Message-ID: <4CB5E5F7.6080005@redhat.com>

Pavel Zuna wrote:
> On 10/13/2010 03:46 PM, Rob Crittenden wrote:
>> Pavel Zuna wrote:
>>> On 10/11/2010 05:19 PM, Rob Crittenden wrote:
>>>> Enforce the configurable max username length from cn=ipaconfig.
>>>>
>>>> rob
>>>>
>>>
>>> This will raise an exception if the ipaMaxUsernameLength attribute isn't
>>> present in the config entry. I know it's not very likely, but it would
>>> be better to retrieve the attribute first and only do the length check
>>> if it is set.
>>>
>>> Pavel
>>
>> Ok, new patch attached. get_ipa_config() always returns a dict (unless
>> things really go south in which case missing this attribute is the least
>> of our problems).
>>
>> rob
>
> ACK.
>
> Pavel

pushed to master

From rcritten at redhat.com Wed Oct 13 17:05:24 2010
From: rcritten at redhat.com (Rob Crittenden) Date: Wed, 13 Oct 2010 13:05:24 -0400 Subject: [Freeipa-devel] [PATCH 17/17] Add new translations for es (Spanish) and pl (Polish) In-Reply-To: <4CAD06EF.1030600@redhat.com> References: <4CAD06EF.1030600@redhat.com> Message-ID: <4CB5E6D4.2000805@redhat.com> John Dennis wrote: >> ipa.pot has 414 messages. There are 17 po translation files. >> bn_IN: 24/414 5.8% 390 po untranslated, 0 missing, 390 untranslated >> de: 0/414 0.0% 414 po untranslated, 0 missing, 414 untranslated >> es: 414/414 100.0% 0 po untranslated, 0 missing, 0 untranslated >> fr: 0/414 0.0% 414 po untranslated, 0 missing, 414 untranslated >> id: 121/414 29.2% 293 po untranslated, 0 missing, 293 untranslated >> he: 0/414 0.0% 414 po untranslated, 0 missing, 414 untranslated >> it: 0/414 0.0% 414 po untranslated, 0 missing, 414 untranslated >> ja: 0/414 0.0% 414 po untranslated, 0 missing, 414 untranslated >> kn: 348/414 84.1% 66 po untranslated, 0 missing, 66 untranslated >> ko: 0/414 0.0% 414 po untranslated, 0 missing, 414 untranslated >> pl: 414/414 100.0% 0 po untranslated, 0 missing, 0 untranslated >> pt: 0/414 0.0% 414 po untranslated, 0 missing, 414 untranslated >> pt_BR: 0/414 0.0% 414 po untranslated, 0 missing, 414 untranslated >> ru: 135/414 32.6% 279 po untranslated, 0 missing, 279 untranslated >> uk: 414/414 100.0% 0 po untranslated, 0 missing, 0 untranslated >> zh_CN: 185/414 44.7% 229 po untranslated, 0 missing, 229 untranslated >> zh_TW: 0/414 0.0% 414 po untranslated, 0 missing, 414 untranslated > This doesn't apply to the tip. I'm not sure if it is because of the C support that was added or not. rob From jdennis at redhat.com Wed Oct 13 17:19:30 2010 
From: jdennis at redhat.com (John Dennis) Date: Wed, 13 Oct 2010 13:19:30 -0400 Subject: [Freeipa-devel] [PATCH 17/17] Add new translations for es (Spanish) and pl (Polish) In-Reply-To: <4CB5E6D4.2000805@redhat.com> References: <4CAD06EF.1030600@redhat.com> <4CB5E6D4.2000805@redhat.com> Message-ID: <4CB5EA22.2050301@redhat.com> On 10/13/2010 01:05 PM, Rob Crittenden wrote: > John Dennis wrote: >>> ipa.pot has 414 messages. There are 17 po translation files. >>> bn_IN: 24/414 5.8% 390 po untranslated, 0 missing, 390 untranslated >>> de: 0/414 0.0% 414 po untranslated, 0 missing, 414 untranslated >>> es: 414/414 100.0% 0 po untranslated, 0 missing, 0 untranslated >>> fr: 0/414 0.0% 414 po untranslated, 0 missing, 414 untranslated >>> id: 121/414 29.2% 293 po untranslated, 0 missing, 293 untranslated >>> he: 0/414 0.0% 414 po untranslated, 0 missing, 414 untranslated >>> it: 0/414 0.0% 414 po untranslated, 0 missing, 414 untranslated >>> ja: 0/414 0.0% 414 po untranslated, 0 missing, 414 untranslated >>> kn: 348/414 84.1% 66 po untranslated, 0 missing, 66 untranslated >>> ko: 0/414 0.0% 414 po untranslated, 0 missing, 414 untranslated >>> pl: 414/414 100.0% 0 po untranslated, 0 missing, 0 untranslated >>> pt: 0/414 0.0% 414 po untranslated, 0 missing, 414 untranslated >>> pt_BR: 0/414 0.0% 414 po untranslated, 0 missing, 414 untranslated >>> ru: 135/414 32.6% 279 po untranslated, 0 missing, 279 untranslated >>> uk: 414/414 100.0% 0 po untranslated, 0 missing, 0 untranslated >>> zh_CN: 185/414 44.7% 229 po untranslated, 0 missing, 229 untranslated >>> zh_TW: 0/414 0.0% 414 po untranslated, 0 missing, 414 untranslated >> > > This doesn't apply to the tip. I'm not sure if it is because of the C > support that was added or not. Simo's 3rd patch has a dependency on this patch. Simo's 3rd patch should be reverted. This patch applied, and then Simo should regenerate his 3rd patch. 
By 3rd patch I mean the 3rd patch file in the patch submission which was
ACK'ed, in other words it's the patch which regenerated the pot file and
merged all the .po files.

--
John Dennis

Looking to carve out IT costs?
www.redhat.com/carveoutcosts/

From ssorce at redhat.com Wed Oct 13 17:32:36 2010
From: ssorce at redhat.com (Simo Sorce)
Date: Wed, 13 Oct 2010 13:32:36 -0400
Subject: [Freeipa-devel] [PATCH 17/17] Add new translations for es (Spanish) and pl (Polish)
In-Reply-To: <4CB5EA22.2050301@redhat.com>
References: <4CAD06EF.1030600@redhat.com> <4CB5E6D4.2000805@redhat.com> <4CB5EA22.2050301@redhat.com>
Message-ID: <20101013133236.752e546b@willson.li.ssimo.org>

On Wed, 13 Oct 2010 13:19:30 -0400
John Dennis wrote:

> Simo's 3rd patch has a dependency on this patch. Simo's 3rd patch
> should be reverted. This patch applied, and then Simo should
> regenerate his 3rd patch. By 3rd patch I mean the 3rd patch file in
> the patch submission which was ACK'ed, in other words it's the patch
> which regenerated the pot file and merged all the .po files.

I'll provide a patch that does not require us to do reverts.

Simo.

--
Simo Sorce * Red Hat, Inc * New York

From dpal at redhat.com Wed Oct 13 17:58:56 2010
From: dpal at redhat.com (Dmitri Pal)
Date: Wed, 13 Oct 2010 13:58:56 -0400
Subject: [Freeipa-devel] DNS use cases
In-Reply-To: <4CB4D6B8.1000903@redhat.com>
References: <4CB4D6B8.1000903@redhat.com>
Message-ID: <4CB5F360.6010001@redhat.com>

Adam Young wrote:
> Here is what I have so far. Sorry so long. I'll work to get this
> down to a more usable size, but would like feedback from any brave
> soul willing to read through this wall of text.
>
> DNS administration is like the story of the blind men and the
> elephant. Many people find that do a significant amount of DNS
> administration only perform a subset of activities that map to their
> companies business use of DNS. Usage patterns include:
>
> A Large organization that provides a hostname for each users desktop
> system.

This is the main use IPA case and we should focus on it.

>
> An online service provider that maps subdomains from their clients to
> small number servers providing customized content.

I do not think it is the use case where IPA will be used. A stand alone
DNS is better for such use case.

>
> A ISP that hosts a large number of domains managed by the ISPs
> clients, each on a virtual server that runs on a smaller number of
> physical servers

IMO same as above.

>
> The clients of that ISP that need to create subdomains for specific
> uses (CMS, web services etc).
>
> Software development shops that create subdomains for a small subset
> of users who need to routinely create and destroy large numbers of
> host entries.

How this is different from use case 1 with desktops?

What about cloud and VMs? I suspect that is also similar to use case 1
and this one.
So I would generalize it as IPA DNS as a primary name server for managed
and not managed VM/BM hosts (servers/desktops)

>
> Typically, the usage falls into a small number of use cases:
>
> 1. View and edit all of the records associated with a single host
> 2. Create or edit a Zone based on a template or simple business rules
>

Ack.

> Of the record types we handle, it makes sense to look at their
> expected cardinality:
>
> A: Typically, an A Record is canonical, not just for a public name,
> but for many CNAME records pointing to that host. It has the split
> identity of being the name that everyone uses to refer to some
> resources, but also acts as an insulation layer between a large number
> of CNAME record alias and a IPAddress that may change over time.
>
> CNAME: Often these will refer to A records not even in the same
> domain. While the recommended usage states that a CNAME should only
> point to an A Record, in practice people can point one CNAME to
> another CNAME record. This usage is common when the first CNAME is
> managed by one organization, and the second is managed by the ISP for
> the first.
>
> SRV Records are rare, but require much more information than an A,
> AAAA, CNAME, PTR etc record. Like a CNAME or PTR, part of the SRC
> record is a pointer to another host, and again, this should be a
> Canonical target (A Record).
>
> It probably makes sense for us to force A records to be HOST entries,
> and to use those to populate the values for CNAME, SRC, PTR, SRV, etc
> records.
>
> Certain large organizations are going to take a Zone based approach
> to DNS. For an ISP, each customer is likely to have a Domain name and
> will need certain basic records. At a minimum, they need an A or
> CNAME record for the main host that they manage, even if this host is
> shared by other users. Management of those Zones may be delegated to
> the customers. They are also likely to want MX record for their
> domain. This is likely to point to a centralized mail server for all
> customers, where the mail will be sorted based on spam filtering
> before delivery. Again, it should point to an A record. The RFC is
> pretty clear on this point, so it is unclear whether people actually
> have MX records which refer to CNAME records.

IMO not a use case to worry about at least now.

>
> PTR records typically are used for Reverse DNS lookups. As such, DNS
> should return only one record for a given hostname, although different
> hostnames may all map to the same IP address. It may not make sense
> to force this onto an IPA Host object, as it is likely that the end
> user will want to move the IP address from one host to another, and
> have all of the PTR records remain valid. However, without forcing
> it onto a host object, we have no way to say "show me all of the
> hostnames that map to this IP address."
>
>
> Of the many forms of Key and certificate records, none of them seem to
> point to other hosts, but are instead associated with a zone. For
> example, DNSSEC uses the Key record. It is requested based on a
> Hostname, and returns a key. The IPSEC record is an exception, but we
> do not currently support that record type.
>
>
> It is unlikely that we will need explicit records for NSEC* records,
> as they basically say "The host you requested does not exist." Since
> DNS provides a Canonical answer about existence, denying the existence
> of a host that does exist tends to break things. Instead, I suspect
> that these records are autogenerated based on the set of hostnames
> that we *do* provide answers for.
>
> SIG records do not refer to hosts. RRSIG records, which we support
> use this format. Instead, they sign a record set, or collection of
> records of type RR. We don't seem to support type RR records, which
> leaves me a little confused. An RR record does have a hostname in it.
>
>
> SOA records are 1-to-1 with a zone. As such, the CLI methods dns-add,
> dns-mod etc modify the SOA for a given zone. The MNAME is a server
> that manages the records. In an ideal world, this would be a host in
> IPA, so we can see all the zones managed by a given DNS server.
>
>
> Really, there are two use cases for creating a zone:
>
> 1. I want the IPA server to manage the zone. It will be the MNAME
> field for the DNS record.
>
> 2. I want IPA to act as the caching server for the zone, which is
> managed by a remote server.
>

Ack with the correction from Simo.

> The two use cases are mutually exclusive. It seems that really, only
> the first makes sense. The second case is really a degenerate case of
> "act as a caching DNS server for remote server X" where all
> unresolved queries get forwarded to server X, and the results cached
> for future use.
>
> _______________________________________________
> Freeipa-devel mailing list
> Freeipa-devel at redhat.com
> https://www.redhat.com/mailman/listinfo/freeipa-devel
>
>

--
Thank you,
Dmitri Pal

Engineering Manager IPA project,
Red Hat Inc.

-------------------------------
Looking to carve out IT costs?
www.redhat.com/carveoutcosts/

From edewata at redhat.com Wed Oct 13 18:07:25 2010
From: edewata at redhat.com (Endi Sukma Dewata)
Date: Wed, 13 Oct 2010 14:07:25 -0400 (EDT)
Subject: [Freeipa-devel] [PATCH] 567 fix group deletion
In-Reply-To: <1857139193.356121286993210000.JavaMail.root@zmail05.collab.prod.int.phx2.redhat.com>
Message-ID: <1080201013.356211286993245308.JavaMail.root@zmail05.collab.prod.int.phx2.redhat.com>

----- "Pavel Zuna" wrote:

> On 10/09/2010 04:47 AM, Rob Crittenden wrote:
> > Group deletion was failing with an error about too many values.
>
> ACK.

Pushed to master.

--
Endi S. Dewata

From ssorce at redhat.com Wed Oct 13 18:32:33 2010
From: ssorce at redhat.com (Simo Sorce)
Date: Wed, 13 Oct 2010 14:32:33 -0400
Subject: [Freeipa-devel] [PATCH 17/17] Add new translations for es (Spanish) and pl (Polish)
In-Reply-To: <20101013133236.752e546b@willson.li.ssimo.org>
References: <4CAD06EF.1030600@redhat.com> <4CB5E6D4.2000805@redhat.com> <4CB5EA22.2050301@redhat.com> <20101013133236.752e546b@willson.li.ssimo.org>
Message-ID: <20101013143233.44319c5f@willson.li.ssimo.org>

On Wed, 13 Oct 2010 13:32:36 -0400
Simo Sorce wrote:

> On Wed, 13 Oct 2010 13:19:30 -0400
> John Dennis wrote:
>
> > Simo's 3rd patch has a dependency on this patch. Simo's 3rd patch
> > should be reverted. This patch applied, and then Simo should
> > regenerate his 3rd patch. By 3rd patch I mean the 3rd patch file in
> > the patch submission which was ACK'ed, in other words it's the patch
> > which regenerated the pot file and merged all the .po files.
>
> I'll provide a patch that does not require us to do reverts.
>
> Simo.
>

Attached patch that updates .po/.pot files and applies the Spanish and
Polish translations.

Simo.

--
Simo Sorce * Red Hat, Inc * New York
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0001-Update-.po-.pot-files-and-add-Spanish-and-Polish-tra.patch
Type: text/x-patch
Size: 258866 bytes
Desc: not available
URL:

From rcritten at redhat.com Wed Oct 13 18:36:00 2010
From: rcritten at redhat.com (Rob Crittenden)
Date: Wed, 13 Oct 2010 14:36:00 -0400
Subject: [Freeipa-devel] [PATCH 17/17] Add new translations for es (Spanish) and pl (Polish)
In-Reply-To: <20101013143233.44319c5f@willson.li.ssimo.org>
References: <4CAD06EF.1030600@redhat.com> <4CB5E6D4.2000805@redhat.com> <4CB5EA22.2050301@redhat.com> <20101013133236.752e546b@willson.li.ssimo.org> <20101013143233.44319c5f@willson.li.ssimo.org>
Message-ID: <4CB5FC10.5040302@redhat.com>

Simo Sorce wrote:
> On Wed, 13 Oct 2010 13:32:36 -0400
> Simo Sorce wrote:
>
>> On Wed, 13 Oct 2010 13:19:30 -0400
>> John Dennis wrote:
>>
>>> Simo's 3rd patch has a dependency on this patch. Simo's 3rd patch
>>> should be reverted. This patch applied, and then Simo should
>>> regenerate his 3rd patch. By 3rd patch I mean the 3rd patch file in
>>> the patch submission which was ACK'ed, in other words it's the patch
>>> which regenerated the pot file and merged all the .po files.
>>
>> I'll provide a patch that does not require us to do reverts.
>>
>> Simo.
>>
>
> Attached patch that updates .po/.pot files and applies the Spanish and
> Polish translations.
>
> Simo.

ack, pushed to master

From ayoung at redhat.com Wed Oct 13 19:43:06 2010
From: ayoung at redhat.com (Adam Young)
Date: Wed, 13 Oct 2010 15:43:06 -0400
Subject: [Freeipa-devel] DNS use cases
In-Reply-To: <4CB5F360.6010001@redhat.com>
References: <4CB4D6B8.1000903@redhat.com> <4CB5F360.6010001@redhat.com>
Message-ID: <4CB60BCA.1070602@redhat.com>

What this says to me is that we should put less effort into the records
page as seen below the zone, and put more effort into a page that shows
the records associated with a specific host.

So: For the page dns->zone->records: we'll use a similar view as that
shown by search results, a modal "add", delete is done off the list, and
edit is done as a details type page, one per record. This is, I think,
the easiest result.

We will also want a way to link from the host tab to the DNS records
search result, with an option to create a DNS entry if there is not yet
one. The option should create an A (and eventually AAAA) record for the
host.

Of course, right now we don't seem to track IP addresses for hosts, so
the host -> A record mapping is going to be tricky. I'm guessing that,
long term, we will need to be able to couple the host to the A record,
and provide a DHCP tie in as well. We'll probably want to track a set of
MAC addresses for the host (one per NIC that can potentially DHCP), IPv4
address (again, per NIC) and IPv6 addresses. This is, of course, not
going to happen for January.

In the interim, there should be a link from host to DNS record fetched
from ipa dns-show-rr where zone is the Hostname minus the value up to
the first '.' and resource is the hostname up to the first '.'

On 10/13/2010 01:58 PM, Dmitri Pal wrote:
> Adam Young wrote:
>
>> Here is what I have so far. Sorry so long. I'll work to get this
>> down to a more usable size, but would like feedback from any brave
>> soul willing to read through this wall of text.
>>
>> DNS administration is like the story of the blind men and the
>> elephant.
>> Many people find that do a significant amount of DNS
>> administration only perform a subset of activities that map to their
>> companies business use of DNS. Usage patterns include:
>>
>> A Large organization that provides a hostname for each users desktop
>> system.
>>
> This is the main use IPA case and we should focus on it.
>
>
>> An online service provider that maps subdomains from their clients to
>> small number servers providing customized content.
>>
> I do not think it is the use case where IPA will be used. A stand alone
> DNS is better for such use case.
>
>
>> A ISP that hosts a large number of domains managed by the ISPs
>> clients, each on a virtual server that runs on a smaller number of
>> physical servers
>>
> IMO same as above.
>
>
>> The clients of that ISP that need to create subdomains for specific
>> uses (CMS, web services etc).
>>
>> Software development shops that create subdomains for a small subset
>> of users who need to routinely create and destroy large numbers of
>> host entries.
>>
> How this is different from use case 1 with desktops?
>
> What about cloud and VMs? I suspect that is also similar to use case 1
> and this one.
> So I would generalize it as IPA DNS as a primary name server for managed
> and not managed VM/BM hosts (servers/desktops)
>
>> Typically, the usage falls into a small number of use cases:
>>
>> 1. View and edit all of the records associated with a single host
>> 2. Create or edit a Zone based on a template or simple business rules
>>
>>
> Ack.
>
>
>> Of the record types we handle, it makes sense to look at their
>> expected cardinality:
>>
>> A: Typically, an A Record is canonical, not just for a public name,
>> but for many CNAME records pointing to that host. It has the split
>> identity of being the name that everyone uses to refer to some
>> resources, but also acts as an insulation layer between a large number
>> of CNAME record alias and a IPAddress that may change over time.
>>
>> CNAME: Often these will refer to A records not even in the same
>> domain. While the recommended usage states that a CNAME should only
>> point to an A Record, in practice people can point one CNAME to
>> another CNAME record. This usage is common when the first CNAME is
>> managed by one organization, and the second is managed by the ISP for
>> the first.
>>
>> SRV Records are rare, but require much more information than an A,
>> AAAA, CNAME, PTR etc record. Like a CNAME or PTR, part of the SRC
>> record is a pointer to another host, and again, this should be a
>> Canonical target (A Record).
>>
>> It probably makes sense for us to force A records to be HOST entries,
>> and to use those to populate the values for CNAME, SRC, PTR, SRV, etc
>> records.
>>
>> Certain large organizations are going to take a Zone based approach
>> to DNS. For an ISP, each customer is likely to have a Domain name and
>> will need certain basic records. At a minimum, they need an A or
>> CNAME record for the main host that they manage, even if this host is
>> shared by other users. Management of those Zones may be delegated to
>> the customers. They are also likely to want MX record for their
>> domain. This is likely to point to a centralized mail server for all
>> customers, where the mail will be sorted based on spam filtering
>> before delivery. Again, it should point to an A record. The RFC is
>> pretty clear on this point, so it is unclear whether people actually
>> have MX records which refer to CNAME records.
>>
> IMO not a use case to worry about at least now.
>
>
>> PTR records typically are used for Reverse DNS lookups. As such, DNS
>> should return only one record for a given hostname, although different
>> hostnames may all map to the same IP address. It may not make sense
>> to force this onto an IPA Host object, as it is likely that the end
>> user will want to move the IP address from one host to another, and
>> have all of the PTR records remain valid.
>> However, without forcing
>> it onto a host object, we have no way to say "show me all of the
>> hostnames that map to this IP address."
>>
>>
>> Of the many forms of Key and certificate records, none of them seem to
>> point to other hosts, but are instead associated with a zone. For
>> example, DNSSEC uses the Key record. It is requested based on a
>> Hostname, and returns a key. The IPSEC record is an exception, but we
>> do not currently support that record type.
>>
>>
>> It is unlikely that we will need explicit records for NSEC* records,
>> as they basically say "The host you requested does not exist." Since
>> DNS provides a Canonical answer about existence, denying the existence
>> of a host that does exist tends to break things. Instead, I suspect
>> that these records are autogenerated based on the set of hostnames
>> that we *do* provide answers for.
>>
>> SIG records do not refer to hosts. RRSIG records, which we support
>> use this format. Instead, they sign a record set, or collection of
>> records of type RR. We don't seem to support type RR records, which
>> leaves me a little confused. An RR record does have a hostname in it.
>>
>>
>> SOA records are 1-to-1 with a zone. As such, the CLI methods dns-add,
>> dns-mod etc modify the SOA for a given zone. The MNAME is a server
>> that manages the records. In an ideal world, this would be a host in
>> IPA, so we can see all the zones managed by a given DNS server.
>>
>>
>> Really, there are two use cases for creating a zone:
>>
>> 1. I want the IPA server to manage the zone. It will be the MNAME
>> field for the DNS record.
>>
>> 2. I want IPA to act as the caching server for the zone, which is
>> managed by a remote server.
>>
>>
> Ack with the correction from Simo.
>
>
>> The two use cases are mutually exclusive. It seems that really, only
>> the first makes sense.
>> The second case is really a degenerate case of
>> "act as a caching DNS server for remote server X" where all
>> unresolved queries get forwarded to server X, and the results cached
>> for future use.
>>
>> _______________________________________________
>> Freeipa-devel mailing list
>> Freeipa-devel at redhat.com
>> https://www.redhat.com/mailman/listinfo/freeipa-devel
>>
>>
>>
>
>

From ayoung at redhat.com Wed Oct 13 20:52:15 2010
From: ayoung at redhat.com (Adam Young)
Date: Wed, 13 Oct 2010 16:52:15 -0400
Subject: [Freeipa-devel] [PATCH] admiyo-freeipa-0056-multivalue-fixes.patch
Message-ID: <4CB61BFF.3090702@redhat.com>

Finally merged with changes from edewata: multivalue fixes.

includes:
metadata for phone numbers
test date for users
Undo works for multivalue
JQuery UI buttons have custom classes
inputs/fields are now managed inside of objects
-------------- next part --------------
A non-text attachment was scrubbed...
Name: admiyo-freeipa-0056-multivalue-fixes.patch
Type: text/x-patch
Size: 338786 bytes
Desc: not available
URL:

From dpal at redhat.com Wed Oct 13 21:10:19 2010
From: dpal at redhat.com (Dmitri Pal)
Date: Wed, 13 Oct 2010 17:10:19 -0400
Subject: [Freeipa-devel] Playing with UI
Message-ID: <4CB6203B.50405@redhat.com>

Hi,

I took the liberty of playing with UI a bit and trying different things.
Below are some comments on what I observed. Some are cosmetic but they
annoy me a bit so I will list them anyways. They probably belong to one
(maybe already existing) ticket

Self service case - logged as a newly created user:

a) I do not like the fonts on the tiles. The words "Identity" etc are
hard to see. They should be bigger font and bold.
b) The green tiles are ok in general but the gray line on them looks weird
c) Facets on the user details (and other pages) should be spread out.
Currently they are too close to each other
d) The mouse pointer does not turn into a hand or something usually
associated with clickability when I point to the identity tile, "User"
tile or on the undo marker or collapse section "-" sign on the details page
e) Tooltips on user details page show LDAP fields. Is this intended?
f) Password reset does not work on the user page
g) Account status toggle is confusing. It says "inactive" for a newly
created user. Toggle should be a link or button.
h) Multiple phones and emails are still not implemented
i) GID/UID are not "protected" fields on the details page
j) Search should be definitely removed from the facets (at least for the
self service use case)

Admin use case
a) Identity->Users page
* Columns are very strangely aligned. The checkbox column is too wide
* User login though a link by the behavior it does not look like a link
c) In the "User groups" facet
* "User groups" is ok as a title of the facet but not ok as the title of
  the list of the groups user is enrolled in. Suggest we change it to
  "Groups that the user is a member of" or something like this.
  We have a lot of space in the title to be less confusing
* The group names should be links in this list
* There is no way to remove user from a group
* There is no check box column on the a check box in the title. I think
  the whole list is broken.
* Should there be quick links?
d) Enrolling into a group
The filter finds even the group that the user is already a member of and
dialog allows to add them to the results list.
No warning is shown later indicating that user is already in the group.
e) Facets for a host are confusing. It has "users" there.
f) For services the Hosts facet should not be there I think. There
should be a link on the details page to jump to the host details page.
g) "Back to top" link at the bottom of the page brings you to the list
of users. This seems to be wrong.
h) Clicking on the "Global" password policy produces an error

Generally a lot of progress and a good foundation...
... but there is a lot of cleanup in front of us. I suggest as soon as
we agree on the design of the HBAC and DNS we start polishing the UI
section by section area by area.

--
Thank you,
Dmitri Pal

Engineering Manager IPA project,
Red Hat Inc.

-------------------------------
Looking to carve out IT costs?
www.redhat.com/carveoutcosts/

From ssorce at redhat.com Wed Oct 13 21:37:52 2010
From: ssorce at redhat.com (Simo Sorce)
Date: Wed, 13 Oct 2010 17:37:52 -0400
Subject: [Freeipa-devel] [PATCH] #318 Use openldap's ldappasswd
Message-ID: <20101013173752.3e2ff0e4@willson.li.ssimo.org>

The following patch makes the ldappasswd operation use the openldap's
ldappasswd command, as well as avoiding to put passwords in the command
line (visible through a ps) and instead using secure temporary files
that are deleted immediately after the operation.

Simo.

--
Simo Sorce * Red Hat, Inc * New York
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0001-dsinstance-avoid-exposing-passwords-when-invoking-ld.patch
Type: text/x-patch
Size: 3027 bytes
Desc: not available
URL:

From rcritten at redhat.com Wed Oct 13 22:01:06 2010
From: rcritten at redhat.com (Rob Crittenden)
Date: Wed, 13 Oct 2010 18:01:06 -0400
Subject: [Freeipa-devel] [PATCH] Check if attribute is single-value before trying to add values to it.
In-Reply-To: <4CB5AA3C.3020301@redhat.com>
References: <4CB5AA3C.3020301@redhat.com>
Message-ID: <4CB62C22.8060206@redhat.com>

Pavel Zuna wrote:
> This patch adds a check in ldap2 for single-value attributes. DS doesn't
> seem to care much about attributes being defined as SINGLE-VALUE except
> for things like uidNumber and gidNumber (I suspect this is handled by
> the DNA plugin).
>
> Ticket #246
>
> Pavel

This is similar to ticket 220 which I have a pending patch for (patch
552). I think both patches are valid but we should test them together to
be sure. Can you do that?

rob

From rcritten at redhat.com Wed Oct 13 22:05:52 2010
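A sketch of the approach described in Simo Sorce's "#318 Use openldap's ldappasswd" message above, added here as an illustration and not taken from the scrubbed patch: both passwords go into mode-0600 temporary files handed to ldappasswd with its -y and -T options instead of -w and -s, and the files are removed as soon as the command returns. The function names, DNs and URI are assumptions made for the example.

```python
import os
import subprocess
import tempfile
from contextlib import contextmanager


@contextmanager
def secret_file(secret):
    """Yield the path of a private temp file holding `secret`; remove it on exit."""
    # mkstemp() opens with O_EXCL and mode 0600, so another local user can
    # neither read the file nor plant one at the same path beforehand.
    fd, path = tempfile.mkstemp(prefix="ldappw-")
    try:
        with os.fdopen(fd, "w") as fh:
            # No trailing newline: ldappasswd -y and -T take the complete
            # file contents as the password.
            fh.write(secret)
        yield path
    finally:
        # Runs on success and on error, so the secret never outlives the call.
        os.unlink(path)


def argv_with_files(uri, bind_dn, user_dn, bind_pw_file, new_pw_file):
    """ldappasswd command line that names password files, never passwords."""
    return ["ldappasswd", "-x", "-H", uri, "-D", bind_dn,
            "-y", bind_pw_file, "-T", new_pw_file, user_dn]


def argv_with_secrets(uri, bind_dn, user_dn, bind_pw, new_pw):
    """The pattern being replaced: -w and -s put both passwords into argv."""
    return ["ldappasswd", "-x", "-H", uri, "-D", bind_dn,
            "-w", bind_pw, "-s", new_pw, user_dn]


def argv_leaks(argv, secrets):
    """True if any secret is visible in the argument vector (what ps shows)."""
    return any(secret in arg for arg in argv for secret in secrets)


def change_password(uri, bind_dn, user_dn, bind_pw, new_pw,
                    runner=subprocess.run):
    """Run ldappasswd with file-based secrets and return its exit status.

    `runner` is injectable so the flow can be exercised without a directory
    server; by default it is subprocess.run.
    """
    with secret_file(bind_pw) as bind_file, secret_file(new_pw) as new_file:
        argv = argv_with_files(uri, bind_dn, user_dn, bind_file, new_file)
        return runner(argv).returncode


if __name__ == "__main__":
    # Constructed values for a dry run; nothing is sent to a server.
    URI = "ldaps://ipa.example.test"
    BIND_DN = "cn=Directory Manager"
    USER_DN = "uid=admin,cn=users,cn=accounts,dc=example,dc=test"
    SECRETS = ["constructed-bind-pw", "constructed-new-pw"]

    def dry_run(argv):
        print("would run:", argv, "leaks:", argv_leaks(argv, SECRETS))
        return subprocess.CompletedProcess(argv, 0)

    unsafe = argv_with_secrets(URI, BIND_DN, USER_DN, *SECRETS)
    print("old style:", unsafe, "leaks:", argv_leaks(unsafe, SECRETS))
    change_password(URI, BIND_DN, USER_DN, *SECRETS, runner=dry_run)
```
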
From: rcritten at redhat.com (Rob Crittenden)
Date: Wed, 13 Oct 2010 18:05:52 -0400
Subject: [Freeipa-devel] [PATCH] 576 change password doc string
Message-ID: <4CB62D40.9050409@redhat.com>

Change the password doc string to indicate that the user will be
prompted for the password.

ticket 182

rob
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-576-password.patch
Type: application/mbox
Size: 857 bytes
Desc: not available
URL:

From ssorce at redhat.com Wed Oct 13 23:21:06 2010
From: ssorce at redhat.com (Simo Sorce)
Date: Wed, 13 Oct 2010 19:21:06 -0400
Subject: [Freeipa-devel] [PATCH] #316 Avoid installing files in /usr
Message-ID: <20101013192106.0a1b83e5@willson.li.ssimo.org>

The default setup-ds.pl configuration installs ds scripts in /usr

With this patch the customized scripts are kept in
/var/lib/dirsrv/scripts- instead of /usr/lib/dirsrv/slapd-

Simo.

--
Simo Sorce * Red Hat, Inc * New York
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0001-Avoid-writing-customized-perl-scripts-in-usr.patch
Type: text/x-patch
Size: 764 bytes
Desc: not available
URL:

From ayoung at redhat.com Thu Oct 14 00:38:45 2010
From: ayoung at redhat.com (Adam Young)
Date: Wed, 13 Oct 2010 20:38:45 -0400
Subject: [Freeipa-devel] Playing with UI
In-Reply-To: <4CB6203B.50405@redhat.com>
References: <4CB6203B.50405@redhat.com>
Message-ID: <4CB65115.3030708@redhat.com>

On 10/13/2010 05:10 PM, Dmitri Pal wrote:
> Hi,
>
> I took the liberty of playing with UI a bit and trying different things.
> Below are some comments on what I observed. Some are cosmetic but they
> annoy me a bit so I will list them anyways. They probably belong to one
> (maybe already existing) ticket
>

Most of these are not in tickets yet. Most of them are known issues. Much
of the layout has been modified from the JQuery.UI infrastructure, but
needs tweaks. We spent a lot of time on that, so I wanted to move on to
implementing functionality before headed back to scrub the UI. A lot of
these were going to get changed/fixed by other work, so I wasn't too
worried about them. I'll log most of them as individual tickets. They
should each be just a small amount of work, but it will keep the details
from getting lost. I've made some comments inline that should hopefully
give you some context.

>
> Self service case - logged as a newly created user:
>
> a) I do not like the fonts on the tiles. The words "Identity" etc are
> hard to see. They should be bigger font and bold.
>

We have to go through and standardize all the Fonts. I don't know if the
ones specified in the UXD document are implemented across the board, and
if they are, if they are the right size.

> b) The green tiles are ok in general but the gray line on them looks weird
>

The green line is an artifact of a mismatch between the background
images that we got from UXD and what JQuery UI requires. I think the
right solution is to make the images larger, basically the same size as
the JQuery.UI images, but I have not experimented with this yet.

> c) Facets on the user details (and other pages) should be spread out.
> Currently they are too close to each other
>

That shouldn't be too hard to do. Need to modify the CSS class for these.
Didn't want to spend too much time on them, since I thought we might
replace them with JQuery.UI Tabs, but it looks like the Facets are here
to stay.

> d) The mouse pointer does not turn into a hand or something usually
> associated with clickability when I point to the identity tile, "User"
> tile or on the undo marker or collapse section "-" sign on the details page
>

There is something strange going on with hyperlinks. You need to set the
href= to something other than null, but sometimes if you do, it messes up
the Javascript. Without it, the pointer goes away. Adding the pointer
can be done with additional Javascript, or with CSS. In fact the
JQuery.UI tabs should be doing it with CSS. We'll have to investigate.

> e) Tooltips on user details page show LDAP fields. Is this intended?
>

I think we are using the wrong attribute from the Metadata, it should be
the Doc field.

> f) Password reset does not work on the user page
>

I'm currently working on fixing that and the other controls that are not
automatically generated from the Metadata.

> g) Account status toggle is confusing. It says "inactive" for a newly
> created user. Toggle should be a link or button.
>

It is a link, but we've overridden the hyperlink CSS style to remove the
underline elsewhere, and it is inherited there. It will be one of the
JQuery UI controls when we are done.

> h) Multiple phones and emails are still not implemented
>

Fixed in the patch I sent out for review, modulo some weirdness when
adding and removing multiple times on one page.

> i) GID/UID are not "protected" fields on the details page
>

Noted.

> j) Search should be definitely removed from the facets (at least for the
> self service use case)
>

Already a Ticket

> Admin use case
> a) Identity->Users page
> * Columns are very strangely aligned. The checkbox column is too wide
>

Part of the CSS scrub.
I think it needs its own class.

> * User login though a link by the behavior it does not look like a link
>

Same Hyperlink issue as active/inactive

> c) In the "User groups" facet
> * "User groups" is ok as a title of the facet but not ok as the title of
> the list of the groups user is enrolled in. Suggest we change it to
> "Groups that the user is a member of" or something like this. We have a
> lot of space in the title to be less confusing
>

Noted. We can put whatever text we want there.

> * The group names should be links in this list
> * There is no way to remove user from a group
>

Ticket for this is 287: Deleting Enrollment
https://fedorahosted.org/freeipa/ticket/287

> * There is no check box column on the a check box in the title. I think
> the whole list is broken.
>

Checkbox will probably be put in as part of the delete enrollment ticket

> * Should there be quick links?
>

Not according to the UI doc.

> d) Enrolling into a group
> The filter finds even the group that the user is already a member of and
> dialog allows to add them to the results list.
> No warning is shown later indicating that user is already in the group.
>

Mimics the UI in that effect. We have no way of querying "All groups
but the one that the user is in" We obviously should remove the users
groups from the list, but then we have an interesting edge case: if the
user removes a group (without saving) and then reruns the search, we
need to put the group back in to the search results, or there will be no
way to recover from accidentally removing a group, short of cancelling
out, or removing it and then re-adding it.

> e) Facets for a host are confusing. It has "users" there.
>

Automatically generated. Not sure why there is any relation between
hosts and users.

> f) For services the Hosts facet should not be there I think. There
> should be a link on the details page to jump to the host details page.
>

Again, auto generated off the Metadata.
We have a relationship between hosts and services, as Rob explained on
Tuesday. This is the host that can manage the Service, not the host that
the service runs on.

> g) "Back to top" link at the bottom of the page brings you to the list
> of users. This seems to be wrong.
>

Yeah. We'll need custom code for those, as we've taken over the
hashchange event, which is what normally does jumps around on the page.

> h) Clicking on the "Global" password policy produces an error
>

Yeah, this is a one-off. There is no Group named GLOBAL, but we treat
the name as if it were a group. If the pkey is global, we need to remove
it, and make sure we pass no pkey in to the search.

>
> Generally a lot of progress and a good foundation...
> ... but there is a lot of cleanup in front of us. I suggest as soon as
> we agree on the design of the HBAC and DNS we start polishing the UI
> section by section area by area.
>

One other thing is that we need to go through all the fields and push
the I18N into the plugin. The Code is in place to pick it up, but we
are masking a lot of it in The Javascript code.

>
>
>
>

From pzuna at redhat.com Thu Oct 14 13:16:15 2010
From: pzuna at redhat.com (Pavel Zuna)
Date: Thu, 14 Oct 2010 15:16:15 +0200
Subject: [Freeipa-devel] [PATCH] 552 handle setattr/addattr better
In-Reply-To: <4CA3A9AD.7050006@redhat.com>
References: <4CA3A9AD.7050006@redhat.com>
Message-ID: <4CB7029F.1050207@redhat.com>

On 09/29/2010 11:03 PM, Rob Crittenden wrote:
> When doing an addattr check to see if we are creating a multi-value
> attribute and see if that is allowed by the Param and/or the attribute
> in the schema (SINGLE-VALUE).
>
> Pavel, check my fix in the exception callback. It was passing attrs_list
> but that isn't set until later. I decided to send an empty list instead.
>
> Also catch RDN update exceptions and return an error about primary keys
> (which this essentially means).
>
> ticket 230
>
> rob

NACK.

The patch isn't all bad, but the single-value check is in the wrong place. As a result, it only applies when someone tries to add a new value to attributes already present in the original entry. It won't fire when someone is trying to add more than one value if there was none before and it also won't fire when creating new entries.

I reworked your patch a bit and merged it with my patch number 32, because they overlap in functionality. See freeipa-devel thread:
[PATCH] Check if attribute is single-value before trying to add values to it.

Pavel

From pzuna at redhat.com Thu Oct 14 13:24:22 2010
From: pzuna at redhat.com (Pavel Zuna)
Date: Thu, 14 Oct 2010 15:24:22 +0200
Subject: [Freeipa-devel] [PATCH] Check if attribute is single-value before trying to add values to it.
In-Reply-To: <4CB62C22.8060206@redhat.com>
References: <4CB5AA3C.3020301@redhat.com> <4CB62C22.8060206@redhat.com>
Message-ID: <4CB70486.1010009@redhat.com>

On 10/14/2010 12:01 AM, Rob Crittenden wrote:
> Pavel Zuna wrote:
>> This patch adds a check in ldap2 for single-value attributes. DS doesn't
>> seem to care much about attributes being defined as SINGLE-VALUE except
>> for things like uidNumber and gidNumber (I suspect this is handled by
>> the DNA plugin).
>>
>> Ticket #246
>>
>> Pavel
>
> This is similar to ticket 220 which I have a pending patch for (patch
> 552). I think both patches are valid but we should test them together to
> be sure. Can you do that?
>
> rob

I had to NACK your patch number 552, because the check was in the wrong place.

Both patches overlap in functionality, so I decided to merge them into a new version of my original patch.

I split the single-value check into two parts:

First part is in baseldap classes (LDAPCreate, LDAPUpdate) and it checks if we're not trying to add more values to a Param defined attribute, that is not flagged as multivalue.

Second part is in the ldap2 backend. It checks if we're not trying to add more values to an attribute, that is defined as SINGLE-VALUE in the schema. Unfortunately, it seems that python-ldap isn't capable of reporting the SINGLE-VALUE flag reliably and DS doesn't enforce it at all. In other words, this check is a bit weak, but still better than nothing.

I hope you don't mind I merged both patches, but it seemed simpler and we can knock out 2 tickets in one commit. :)

Ticket #230
Ticket #246

Pavel
-------------- next part --------------
A non-text attachment was scrubbed...
Name: pzuna-freeipa-0032-2-singlevalue.patch
Type: text/x-patch
Size: 8022 bytes
Desc: not available
URL:

From pzuna at redhat.com Thu Oct 14 13:25:45 2010
From: pzuna at redhat.com (Pavel Zuna)
Date: Thu, 14 Oct 2010 15:25:45 +0200
Subject: [Freeipa-devel] [PATCH] Add fail-safe defaults to time and size limits in ldap2 searches.
Message-ID: <4CB704D9.1050606@redhat.com>

There was no default value set even though we were using config.get and it was throwing exceptions if someone deleted one of the related config values.

Pavel
-------------- next part --------------
A non-text attachment was scrubbed...
Name: pzuna-freeipa-0033-limitdefaults.patch
Type: text/x-patch
Size: 1154 bytes
Desc: not available
URL:

From rcritten at redhat.com Thu Oct 14 13:30:02 2010
From: rcritten at redhat.com (Rob Crittenden)
Date: Thu, 14 Oct 2010 09:30:02 -0400
Subject: [Freeipa-devel] [PATCH] Add fail-safe defaults to time and size limits in ldap2 searches.
In-Reply-To: <4CB704D9.1050606@redhat.com>
References: <4CB704D9.1050606@redhat.com>
Message-ID: <4CB705DA.60607@redhat.com>

Pavel Zuna wrote:
> There was no default value set even though we were using config.get and
> it was throwing exceptions if someone deleted one of the related config
> values.
>
> Pavel

Is this needed since get_ipa_config() will always return something for time and search limits?

rob

From ayoung at redhat.com Thu Oct 14 13:32:00 2010
From: ayoung at redhat.com (Adam Young)
Date: Thu, 14 Oct 2010 09:32:00 -0400
Subject: [Freeipa-devel] [PATCH] Add fail-safe defaults to time and size limits in ldap2 searches.
In-Reply-To: <4CB704D9.1050606@redhat.com>
References: <4CB704D9.1050606@redhat.com>
Message-ID: <4CB70650.50900@redhat.com>

On 10/14/2010 09:25 AM, Pavel Zuna wrote:
> There was no default value set even though we were using config.get
> and it was throwing exceptions if someone deleted one of the related
> config values.
>
> Pavel
>
>
> _______________________________________________
> Freeipa-devel mailing list
> Freeipa-devel at redhat.com
> https://www.redhat.com/mailman/listinfo/freeipa-devel

ACK
-------------- next part --------------
An HTML attachment was scrubbed...
URL:

From rmeggins at redhat.com Thu Oct 14 14:24:49 2010
From: rmeggins at redhat.com (Rich Megginson)
Date: Thu, 14 Oct 2010 08:24:49 -0600
Subject: [Freeipa-devel] [PATCH] Check if attribute is single-value before trying to add values to it.
In-Reply-To: <4CB70486.1010009@redhat.com>
References: <4CB5AA3C.3020301@redhat.com> <4CB62C22.8060206@redhat.com> <4CB70486.1010009@redhat.com>
Message-ID: <4CB712B1.2010402@redhat.com>

Pavel Zuna wrote:
> On 10/14/2010 12:01 AM, Rob Crittenden wrote:
>> Pavel Zuna wrote:
>>> This patch adds a check in ldap2 for single-value attributes. DS
>>> doesn't
>>> seem to care much about attributes being defined as SINGLE-VALUE except
>>> for things like uidNumber and gidNumber (I suspect this is handled by
>>> the DNA plugin).
>>>
>>> Ticket #246
>>>
>>> Pavel
>>
>> This is similar to ticket 220 which I have a pending patch for (patch
>> 552). I think both patches are valid but we should test them together to
>> be sure. Can you do that?
>>
>> rob
>
> I had to NACK your patch number 552, because the check was in the
> wrong place.
>
> Both patches overlap in functionality, so I decided to merge them into
> a new version of my original patch.
>
> I split the single-value check into two parts:
>
> First part is in baseldap classes (LDAPCreate, LDAPUpdate) and it
> checks if we're not trying to add more values to a Param defined
> attribute, that is not flagged as multivalue.
>
> Second part is in the ldap2 backend. It checks if we're not trying to
> add more values to an attribute, that is defined as SINGLE-VALUE in
> the schema. Unfortunately, it seems that python-ldap isn't capable of
> reporting the SINGLE-VALUE flag reliably and DS doesn't enforce it at
> all. In other words, this check is a bit weak, but still better than
> nothing.

Can you give me an example of an attribute definition that python-ldap doesn't parse correctly?

Can you give me an example of an ldapmodify command that adds multiple values to a single valued attribute in 389?

>
> I hope you don't mind I merged both patches, but it seemed simpler and
> we can knock out 2 tickets in one commit. :)
>
> Ticket #230
> Ticket #246
>
> Pavel
> ------------------------------------------------------------------------
>
> _______________________________________________
> Freeipa-devel mailing list
> Freeipa-devel at redhat.com
> https://www.redhat.com/mailman/listinfo/freeipa-devel

From rcritten at redhat.com Thu Oct 14 17:20:55 2010
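The two-part check Pavel describes in the thread above (a Param-level multivalue flag plus the schema's SINGLE-VALUE keyword), sketched as an added example; it is not the scrubbed patch and not FreeIPA code. The schema strings, the `params` mapping and every function name are constructed for illustration, and the parser reads RFC 4512 definitions directly instead of going through python-ldap. `check_existing_only` models only the gap named in the NACK of patch 552.

```python
import re

# Constructed sample attribute definitions (RFC 4512 AttributeTypeDescription
# syntax). The 1.3.6.1.4.1.99999 OID is a placeholder, not a real assignment.
SAMPLE_SCHEMA = [
    "( 1.3.6.1.1.1.1.0 NAME 'uidNumber' DESC 'numeric user id' "
    "EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )",
    "( 2.5.4.13 NAME 'description' EQUALITY caseIgnoreMatch "
    "SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{1024} )",
    "( 1.3.6.1.4.1.99999.1.1 NAME ( 'exampleNote' 'exNote' ) "
    "DESC 'free text, not SINGLE-VALUE' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )",
]

# Quoted strings are one token, so keywords inside a DESC are never mistaken
# for flags.
TOKEN_RE = re.compile(r"'([^']*)'|[()]|[^\s()']+")


def parse_attribute_type(definition):
    """Return (names, single_value) for one attribute type definition."""
    tokens = [("q", m.group(1)) if m.group(1) is not None else ("w", m.group(0))
              for m in TOKEN_RE.finditer(definition)]
    names, single = [], False
    i = 0
    while i < len(tokens):
        if tokens[i] == ("w", "NAME") and i + 1 < len(tokens):
            i += 1
            if tokens[i] == ("w", "("):            # NAME ( 'a' 'b' )
                i += 1
                while i < len(tokens) and tokens[i][0] == "q":
                    names.append(tokens[i][1])
                    i += 1
            else:                                  # NAME 'a'
                names.append(tokens[i][1])
        elif tokens[i] == ("w", "SINGLE-VALUE"):
            single = True
        i += 1
    return names, single


def load_schema(definitions):
    """Map lower-cased attribute name -> True if declared SINGLE-VALUE."""
    index = {}
    for definition in definitions:
        names, single = parse_attribute_type(definition)
        for name in names:
            index[name.lower()] = single
    return index


def _single_value_layers(attr, schema, params):
    """Name the layers that allow only one value for attr (lower-cased)."""
    layers = []
    if params.get(attr) is False:      # Param-defined and not multivalue
        layers.append("param")
    if schema.get(attr, False):        # schema says SINGLE-VALUE
        layers.append("schema")
    return layers


def check_result_count(schema, params, entry, adds):
    """Judge the number of values the entry would end up with.

    Covers adding to an existing value, adding several values where there
    were none, and creating a new entry (entry == {}).
    """
    current = {k.lower(): v for k, v in entry.items()}
    violations = []
    for attr, new_values in adds.items():
        key = attr.lower()
        if len(current.get(key, [])) + len(new_values) > 1:
            violations += [(attr, layer)
                           for layer in _single_value_layers(key, schema, params)]
    return violations


def check_existing_only(schema, params, entry, adds):
    """Model of the gap: only attributes already present are checked."""
    present = {k.lower() for k, v in entry.items() if v}
    narrowed = {a: v for a, v in adds.items() if a.lower() in present}
    return check_result_count(schema, params, entry, narrowed)


if __name__ == "__main__":
    schema = load_schema(SAMPLE_SCHEMA)
    params = {"loginshell": False, "description": True}   # constructed flags
    new_entry_adds = {"uidNumber": ["1000", "1001"]}
    print(check_existing_only(schema, params, {}, new_entry_adds))
    print(check_result_count(schema, params, {}, new_entry_adds))
```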
From: rcritten at redhat.com (Rob Crittenden)
Date: Thu, 14 Oct 2010 13:20:55 -0400
Subject: [Freeipa-devel] [PATCH] Check if attribute is single-value before trying to add values to it.
In-Reply-To: <4CB70486.1010009@redhat.com>
References: <4CB5AA3C.3020301@redhat.com> <4CB62C22.8060206@redhat.com> <4CB70486.1010009@redhat.com>
Message-ID: <4CB73BF7.9020703@redhat.com>

Pavel Zuna wrote:
> On 10/14/2010 12:01 AM, Rob Crittenden wrote:
>> Pavel Zuna wrote:
>>> This patch adds a check in ldap2 for single-value attributes. DS doesn't
>>> seem to care much about attributes being defined as SINGLE-VALUE except
>>> for things like uidNumber and gidNumber (I suspect this is handled by
>>> the DNA plugin).
>>>
>>> Ticket #246
>>>
>>> Pavel
>>
>> This is similar to ticket 220 which I have a pending patch for (patch
>> 552). I think both patches are valid but we should test them together to
>> be sure. Can you do that?
>>
>> rob
>
> I had to NACK your patch number 552, because the check was in the wrong
> place.
>
> Both patches overlap in functionality, so I decided to merge them into a
> new version of my original patch.
>
> I split the single-value check into two parts:
>
> First part is in baseldap classes (LDAPCreate, LDAPUpdate) and it checks
> if we're not trying to add more values to a Param defined attribute,
> that is not flagged as multivalue.
>
> Second part is in the ldap2 backend. It checks if we're not trying to
> add more values to an attribute, that is defined as SINGLE-VALUE in the
> schema. Unfortunately, it seems that python-ldap isn't capable of
> reporting the SINGLE-VALUE flag reliably and DS doesn't enforce it at
> all. In other words, this check is a bit weak, but still better than
> nothing.
>
> I hope you don't mind I merged both patches, but it seemed simpler and
> we can knock out 2 tickets in one commit. :)
>
> Ticket #230
> Ticket #246
>
> Pavel

Ack if you fix 2 things:

1. Change the error message of the exception to match the exception name, 'only one value allowed' instead of 'attribute is single-value'
2. You added a space between desc and info in the DatabaseError exception. The example fails because there is no space after the colon (at least for me, since my editor wipes out trailing white space automatically). Can we either drop the space or add something for info to the example?

rob

From rcritten at redhat.com Thu Oct 14 17:28:14 2010
From: rcritten at redhat.com (Rob Crittenden)
Date: Thu, 14 Oct 2010 13:28:14 -0400
Subject: [Freeipa-devel] [PATCH] #316 Avoid installing files in /usr
In-Reply-To: <20101013192106.0a1b83e5@willson.li.ssimo.org>
References: <20101013192106.0a1b83e5@willson.li.ssimo.org>
Message-ID: <4CB73DAE.5080201@redhat.com>

Simo Sorce wrote:
> The default setup-ds.pl configuration installs ds scripts in /usr
>
> With this patch the customized scripts are kept
> in /var/lib/dirsrv/scripts- instead of
> /usr/lib/dirsrv/slapd-
>
> Simo.

ack

From jgalipea at redhat.com Thu Oct 14 17:30:02 2010
From: jgalipea at redhat.com (Jenny Galipeau)
Date: Thu, 14 Oct 2010 13:30:02 -0400
Subject: [Freeipa-devel] [PATCH] Add fail-safe defaults to time and size limits in ldap2 searches.
In-Reply-To: <4CB70650.50900@redhat.com>
References: <4CB704D9.1050606@redhat.com> <4CB70650.50900@redhat.com>
Message-ID: <4CB73E1A.8090203@redhat.com>

I have noticed a change in behavior with this ...
BEFORE: --sizelimit=0 returned 0 entries
now, it is returning all the entries ... obviously 0 now assumes default ... what is the default ??

Thanks
Jenny

Adam Young wrote:
> On 10/14/2010 09:25 AM, Pavel Zuna wrote:
>> There was no default value set even though we were using config.get
>> and it was throwing exceptions if someone deleted one of the related
>> config values.
>>
>> Pavel
>>
>>
>> _______________________________________________
>> Freeipa-devel mailing list
>> Freeipa-devel at redhat.com
>> https://www.redhat.com/mailman/listinfo/freeipa-devel
> ACK
> ------------------------------------------------------------------------
>
> _______________________________________________
> Freeipa-devel mailing list
> Freeipa-devel at redhat.com
> https://www.redhat.com/mailman/listinfo/freeipa-devel

--
Jenny Galipeau
Principal Software QA Engineer
Red Hat, Inc. Security Engineering

Delivering value year after year.
Red Hat ranks #1 in value among software vendors.
http://www.redhat.com/promo/vendor/

From rcritten at redhat.com Thu Oct 14 17:30:33 2010
From: rcritten at redhat.com (Rob Crittenden)
Date: Thu, 14 Oct 2010 13:30:33 -0400
Subject: [Freeipa-devel] [PATCH] #318 Use openldap's ldappasswd
In-Reply-To: <20101013173752.3e2ff0e4@willson.li.ssimo.org>
References: <20101013173752.3e2ff0e4@willson.li.ssimo.org>
Message-ID: <4CB73E39.8040202@redhat.com>

Simo Sorce wrote:
>
> The following patch makes the ldappasswd operation use the openldap's
> ldappasswd command, as well as avoiding to put passwords in the command
> line (visible through a ps) and instead using secure temporary files
> that are deleted immediately after the operation.
>
> Simo.

ack

From admin at transifex.net Thu Oct 14 17:35:01 2010
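The approach described for patch #318 in the message above (passwords passed to ldappasswd through short-lived private files instead of the command line), as an added example; it is not the contents of that patch and not FreeIPA code. The function names, URI and DNs are hypothetical; `-y` (bind password file) and `-T` (new password file) are OpenLDAP `ldappasswd` options, and the `runner` parameter is an assumption that lets the example run without a directory server.

```python
import os
import subprocess
import tempfile
from contextlib import contextmanager


@contextmanager
def secret_file(secret, directory=None):
    """Write `secret` to a private temporary file and delete it on exit."""
    # mkstemp opens the file with O_EXCL and mode 0600, so another local
    # user can neither read it nor pre-create it at a guessed path.
    fd, path = tempfile.mkstemp(prefix="ipa-pw-", dir=directory)
    try:
        with os.fdopen(fd, "w") as handle:
            # No trailing newline: the tool uses the whole file content
            # as the password.
            handle.write(secret)
        yield path
    finally:
        try:
            os.remove(path)
        except FileNotFoundError:
            pass


def build_ldappasswd_argv(uri, bind_dn, bind_pw_file, user_dn, new_pw_file):
    """Build an argv that carries file paths, never the passwords."""
    return [
        "ldappasswd",
        "-x",                  # simple bind
        "-H", uri,
        "-D", bind_dn,
        "-y", bind_pw_file,    # bind password read from file
        "-T", new_pw_file,     # new password read from file
        user_dn,
    ]


def change_password(uri, bind_dn, bind_pw, user_dn, new_pw,
                    runner=subprocess.run):
    """Run ldappasswd with both secrets in files that exist only for the call.

    Returns (argv, runner_result). The files are removed even when the
    runner raises, so a failed call leaves no password on disk.
    """
    with secret_file(bind_pw) as bind_file, secret_file(new_pw) as new_file:
        argv = build_ldappasswd_argv(uri, bind_dn, bind_file, user_dn, new_file)
        result = runner(argv, stdout=subprocess.PIPE, stderr=subprocess.PIPE)
    return argv, result


if __name__ == "__main__":
    # Stub runner (constructed): shows what a process listing would expose.
    def show(argv, **kwargs):
        print(" ".join(argv))
        return 0

    change_password(
        "ldaps://ipa.example.test",                 # hypothetical server
        "cn=Directory Manager",
        "bind-secret",                              # constructed secrets
        "uid=jdoe,cn=users,cn=accounts,dc=example,dc=test",
        "new-secret",
        runner=show,
    )
```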
From: admin at transifex.net (admin at transifex.net)
Date: Thu, 14 Oct 2010 17:35:01 -0000
Subject: [Freeipa-devel] [Transifex] File submitted via email to FreeIPA | master
Message-ID: <20101014173501.21069.21217@web1.transifex.net>

Hello freeipa, this is Transifex at http://www.transifex.net.

The following attached files were submitted to FreeIPA | master by raven

Please, visit Transifex at http://www.transifex.net/projects/p/freeipa/c/master/ in order to see the component page.

Thank you,
Transifex
"Max. amount of time (sec.) for a search (-1 is unlimited)" msgstr "" "Maksymalny czas (w sekundach) wyszukiwania (-1 oznacza brak ograniczenia)" #: ipalib/plugins/config.py:109 msgid "Search size limit" msgstr "Ograniczenie rozmiaru wyszukiwania" #: ipalib/plugins/config.py:110 msgid "Max. number of records to search (-1 is unlimited)" msgstr "" "Maksymalna liczba wpis?w do wyszukiwania (-1 oznacza brak ograniczenia)" #: ipalib/plugins/config.py:115 msgid "User search fields" msgstr "Pola wyszukiwania u?ytkownik?w" #: ipalib/plugins/config.py:116 msgid "A comma-separated list of fields to search when searching for users" msgstr "" "Lista p?l oddzielonych przecinkami do przeszukania podczas wyszukiwania " "u?ytkownik?w" #: ipalib/plugins/config.py:121 msgid "A comma-separated list of fields to search when searching for groups" msgstr "" "Lista p?l oddzielonych przecinkami do przeszukania podczas wyszukiwania grup" #: ipalib/plugins/config.py:125 msgid "Migration mode" msgstr "Tryb migracji" #: ipalib/plugins/config.py:126 msgid "Enable migration mode" msgstr "W??czenie trybu migracji" #: ipalib/plugins/config.py:130 msgid "Certificate Subject base" msgstr "Podstawa tematu certyfikatu" #: ipalib/plugins/config.py:131 msgid "Base for certificate subjects (OU=Test,O=Example)" msgstr "Podstawa dla temat?w certyfikat?w (OU=Test,O=Przyk?ad)" #: ipalib/plugins/dns.py:131 msgid "DNS" msgstr "DNS" #: ipalib/plugins/dns.py:136 msgid "Zone" msgstr "Strefa" #: ipalib/plugins/dns.py:137 msgid "Zone name (FQDN)" msgstr "Nazwa strefy (FQDN)" #: ipalib/plugins/dns.py:143 msgid "Authoritative name server" msgstr "Autorytatywny serwer nazwa" #: ipalib/plugins/dns.py:147 msgid "administrator e-mail address" msgstr "adres e-mail administratora" #: ipalib/plugins/dns.py:153 msgid "SOA serial" msgstr "Numer seryjny SOA" #: ipalib/plugins/dns.py:157 msgid "SOA refresh" msgstr "Od?wie?enie SOA" #: ipalib/plugins/dns.py:161 msgid "SOA retry" msgstr "Ponowienie SOA" #: 
ipalib/plugins/dns.py:165 msgid "SOA expire" msgstr "Wygaszenie SOA" #: ipalib/plugins/dns.py:169 msgid "SOA minimum" msgstr "Minimalne SOA" #: ipalib/plugins/dns.py:173 msgid "SOA time to live" msgstr "Czas ?ycia SOA" #: ipalib/plugins/dns.py:177 msgid "SOA class" msgstr "Klasa SOA" #: ipalib/plugins/dns.py:182 msgid "allow dynamic update?" msgstr "zezwoli? na dynamiczne aktualizacje?" #: ipalib/plugins/dns.py:186 msgid "BIND update policy" msgstr "Polityka aktualizacji BIND" #: ipalib/plugins/dns.py:426 ipalib/plugins/dns.py:460 #: ipalib/plugins/dns.py:495 ipalib/plugins/dns.py:610 #: ipalib/plugins/dns.py:695 ipalib/plugins/dns.py:819 msgid "Zone name" msgstr "Nazwa strefy" #: ipalib/plugins/dns.py:500 msgid "resource name" msgstr "nazwa zasobu" #: ipalib/plugins/dns.py:505 ipalib/plugins/dns.py:620 #: ipalib/plugins/dns.py:711 msgid "Record type" msgstr "Typ wpisu" #: ipalib/plugins/dns.py:509 ipalib/plugins/dns.py:624 msgid "Data" msgstr "Dane" #: ipalib/plugins/dns.py:510 ipalib/plugins/dns.py:625 msgid "Type-specific data" msgstr "Dane specyficzne dla typu" #: ipalib/plugins/dns.py:517 msgid "Time to live" msgstr "Czas ?ycia" #: ipalib/plugins/dns.py:522 msgid "Class" msgstr "Klasa" #: ipalib/plugins/dns.py:615 ipalib/plugins/dns.py:707 #: ipalib/plugins/dns.py:824 msgid "Resource name" msgstr "Nazwa zasobu" #: ipalib/plugins/dns.py:700 msgid "Search criteria" msgstr "Kryterium wyszukiwania" #: ipalib/plugins/dns.py:715 msgid "type-specific data" msgstr "dane specyficzne dla typu" #: ipalib/plugins/dns.py:865 #, python-format msgid "Found '%(value)s'" msgstr "Odnaleziono \"%(value)s\"" #: ipalib/plugins/dns.py:869 msgid "Hostname" msgstr "Nazwa komputera" #: ipalib/plugins/dns.py:882 #, python-format msgid "Host '%(host)s' not found" msgstr "Nie odnaleziono komputera \"%(host)s\"" #: ipalib/plugins/group.py:94 msgid "User Groups" msgstr "Grupy u?ytkownik?w" #: ipalib/plugins/group.py:102 msgid "Group name" msgstr "Nazwa grupy" #: ipalib/plugins/group.py:109 
ipalib/plugins/sudocmdgroup.py:78 msgid "Group description" msgstr "Opis grupy" #: ipalib/plugins/group.py:113 msgid "GID" msgstr "GID" #: ipalib/plugins/group.py:114 msgid "GID (use this option to set it manually)" msgstr "GID (ta opcja umo?liwia jego r?czne ustawienie)" #: ipalib/plugins/group.py:117 ipalib/plugins/rolegroup.py:94 #: ipalib/plugins/taskgroup.py:66 msgid "Member groups" msgstr "Elementy grupy" #: ipalib/plugins/group.py:121 ipalib/plugins/rolegroup.py:98 #: ipalib/plugins/taskgroup.py:70 msgid "Member users" msgstr "Elementy u?ytkownik?w" #: ipalib/plugins/group.py:134 #, python-format msgid "Added group \"%(value)s\"" msgstr "Dodano grup? \"%(value)s\"" #: ipalib/plugins/group.py:139 msgid "Create as a non-POSIX group?" msgstr "Utworzy? jako grup? nie b?d?c? POSIX?" #: ipalib/plugins/group.py:160 #, python-format msgid "Deleted group \"%(value)s\"" msgstr "Usuni?to grup? \"%(value)s\"" #: ipalib/plugins/group.py:191 #, python-format msgid "Modified group \"%(value)s\"" msgstr "Zmodyfikowano grup? \"%(value)s\"" #: ipalib/plugins/group.py:196 msgid "change to a POSIX group" msgstr "zmiana na grup? POSIX" #: ipalib/plugins/group.py:222 ipalib/plugins/hbacsvcgroup.py:129 #, python-format msgid "%(count)d group matched" msgid_plural "%(count)d groups matched" msgstr[0] "Pasuje %(count)d grupa" msgstr[1] "Pasuj? %(count)d grupy" msgstr[2] "Pasuje %(count)d grup" #: ipalib/plugins/group.py:257 #, python-format msgid "Detached group \"%(value)s\" from user \"%(value)s\"" msgstr "Od??czono grup? \"%(value)s\" od u?ytkownika \"%(value)s\"" #: ipalib/plugins/group.py:273 msgid "not allowed to modify user entries" msgstr "modyfikowanie wpis?w u?ytkownik?w nie jest dozwolone" #: ipalib/plugins/group.py:277 msgid "not allowed to modify group entries" msgstr "modyfikowanie wpis?w grup nie jest dozwolone" #: ipalib/plugins/group.py:284 ipalib/plugins/group.py:295 msgid "Not a managed group" msgstr "Nie jest zarz?dzan? grup?" 
#: ipalib/plugins/hbac.py:106 msgid "HBAC" msgstr "HBAC" #: ipalib/plugins/hbac.py:111 ipalib/plugins/sudorule.py:53 msgid "Rule name" msgstr "Nazwa regu?y" #: ipalib/plugins/hbac.py:116 msgid "Rule type (allow or deny)" msgstr "Typ regu?y (zezwalanie lub zabranianie)" #: ipalib/plugins/hbac.py:117 msgid "Rule type" msgstr "Typ regu?y" #: ipalib/plugins/hbac.py:123 msgid "User category" msgstr "Kategoria u?ytkownik?w" #: ipalib/plugins/hbac.py:124 msgid "User category the rule applies to" msgstr "Kategoria u?ytkownik?w, do kt?rych zastosowywana jest regu?a" #: ipalib/plugins/hbac.py:129 msgid "Host category" msgstr "Kategoria komputer?w" #: ipalib/plugins/hbac.py:130 msgid "Host category the rule applies to" msgstr "Kategoria komputer?w, do kt?rych zastosowywana jest regu?a" #: ipalib/plugins/hbac.py:135 msgid "Source host category" msgstr "Kategoria komputer?w ?r?d?owych" #: ipalib/plugins/hbac.py:136 msgid "Source host category the rule applies to" msgstr "Kategoria komputer?w ?r?d?owych, do kt?rych zastosowywana jest regu?a" #: ipalib/plugins/hbac.py:141 msgid "Service category" msgstr "Kategoria us?ug" #: ipalib/plugins/hbac.py:142 msgid "Service category the rule applies to" msgstr "Kategoria us?ug, do kt?rych zastosowywana jest regu?a" #: ipalib/plugins/hbac.py:147 ipalib/plugins/hbac.py:325 #: ipalib/plugins/hbac.py:363 msgid "Access time" msgstr "Czas dost?pu" #: ipalib/plugins/hbac.py:154 msgid "Enabled" msgstr "W??czone" #: ipalib/plugins/hbac.py:158 ipalib/plugins/sudorule.py:61 #: ipalib/plugins/user.py:76 msgid "Users" msgstr "U?ytkownicy" #: ipalib/plugins/hbac.py:162 ipalib/plugins/host.py:113 #: ipalib/plugins/sudorule.py:65 msgid "Hosts" msgstr "Komputery" #: ipalib/plugins/hbac.py:166 ipalib/plugins/hostgroup.py:69 #: ipalib/plugins/sudorule.py:69 msgid "Host Groups" msgstr "Grupy komputer?w" #: ipalib/plugins/hbac.py:170 msgid "Source hosts" msgstr "Komputery ?r?d?owe" #: ipalib/plugins/hbac.py:174 ipalib/plugins/hbacsvc.py:60 #: 
ipalib/plugins/service.py:192 msgid "Services" msgstr "Us?ugi" #: ipalib/plugins/hbac.py:178 msgid "Service Groups" msgstr "Grupy us?ug" #: ipalib/plugins/hbacsvc.py:65 msgid "Service name" msgstr "Nazwa us?ugi" #: ipalib/plugins/hbacsvc.py:66 msgid "HBAC Service" msgstr "Us?uga HBAC" #: ipalib/plugins/hbacsvc.py:73 msgid "Description of service" msgstr "Opis us?ugi" #: ipalib/plugins/hbacsvc.py:84 ipalib/plugins/service.py:216 #, python-format msgid "Added service \"%(value)s\"" msgstr "Dodano us?ug? \"%(value)s\"" #: ipalib/plugins/hbacsvc.py:93 ipalib/plugins/service.py:255 #, python-format msgid "Deleted service \"%(value)s\"" msgstr "Usuni?to us?ug? \"%(value)s\"" #: ipalib/plugins/hbacsvcgroup.py:66 msgid "HBAC Service Groups" msgstr "Grupy us?ugi HBAC" #: ipalib/plugins/hbacsvcgroup.py:71 msgid "Service group name" msgstr "Nazwa grupy us?ugi" #: ipalib/plugins/hbacsvcgroup.py:78 msgid "HBAC service group description" msgstr "Opis grupy us?ugi HBAC" #: ipalib/plugins/hbacsvcgroup.py:81 msgid "Member services" msgstr "Us?ugi element?w" #: ipalib/plugins/hbacsvcgroup.py:85 msgid "Member service groups" msgstr "Grupy us?ugi element?w" #: ipalib/plugins/hbacsvcgroup.py:101 #, python-format msgid "Added HBAC Service group \"%(value)s\"" msgstr "Dodano grup? us?ugi HBAC \"%(value)s\"" #: ipalib/plugins/hbacsvcgroup.py:110 #, python-format msgid "Deleted HBAC Service group \"%(value)s\"" msgstr "Usuni?to grup? us?ugi HBAC \"%(value)s\"" #: ipalib/plugins/hbacsvcgroup.py:119 #, python-format msgid "Modified HBAC Service group \"%(value)s\"" msgstr "Zmodyfikowano grup? 
us?ugi HBAC \"%(value)s\"" #: ipalib/plugins/host.py:86 msgid "Fully-qualified hostname required" msgstr "Wymagana jest w pe?ni kwalifikowana nazwa komputera" #: ipalib/plugins/host.py:118 msgid "Host name" msgstr "Nazwa komputera" #: ipalib/plugins/host.py:125 msgid "A description of this host" msgstr "Opis tego komputera" #: ipalib/plugins/host.py:129 msgid "Locality" msgstr "Lokalizacja" #: ipalib/plugins/host.py:130 msgid "Host locality (e.g. \"Baltimore, MD\")" msgstr "Lokalizacja komputera (np. \"Baltimore, MD\")" #: ipalib/plugins/host.py:135 msgid "Host location (e.g. \"Lab 2\")" msgstr "Po?o?enie komputera (np. \"Laboratorium nr 2\")" #: ipalib/plugins/host.py:139 msgid "Platform" msgstr "Platforma" #: ipalib/plugins/host.py:140 msgid "Host hardware platform (e.g. \"Lenovo T61\")" msgstr "Platforma sprz?towa komputera (np. \"Lenovo T61\")" #: ipalib/plugins/host.py:144 msgid "Operating system" msgstr "System operacyjny" #: ipalib/plugins/host.py:145 msgid "Host operating system and version (e.g. \"Fedora 9\")" msgstr "System operacyjny komputera i jego wersja (np. \"Fedora 9\")" #: ipalib/plugins/host.py:149 msgid "User password" msgstr "Has?o u?ytkownika" #: ipalib/plugins/host.py:150 msgid "Password used in bulk enrollment" msgstr "Has?o u?ywane w zapisywaniu wi?kszej cz??ci" #: ipalib/plugins/host.py:155 ipalib/plugins/service.py:205 msgid "Base-64 encoded server certificate" msgstr "Certyfikat serwera zakodowany za pomoc? 
Base-64" #: ipalib/plugins/host.py:158 ipalib/plugins/host.py:274 msgid "Principal name" msgstr "Nazwa naczelnika" #: ipalib/plugins/host.py:162 ipalib/plugins/hostgroup.py:93 msgid "Member of host-groups" msgstr "Element grupy komputer?w" #: ipalib/plugins/host.py:166 msgid "Member of net-groups" msgstr "Element grupy sieci" #: ipalib/plugins/host.py:170 msgid "Member of role-groups" msgstr "Element grupy roli" #: ipalib/plugins/host.py:199 #, python-format msgid "Added host \"%(value)s\"" msgstr "Dodano komputer \"%(value)s\"" #: ipalib/plugins/host.py:202 msgid "force host name even if not in DNS" msgstr "wymuszenie nazwy komputera nawet, je?li nie w DNS" #: ipalib/plugins/host.py:235 #, python-format msgid "Deleted host \"%(value)s\"" msgstr "Usuni?to komputer \"%(value)s\"" #: ipalib/plugins/host.py:269 #, python-format msgid "Modified host \"%(value)s\"" msgstr "Zmodyfikowano komputer \"%(value)s\"" #: ipalib/plugins/host.py:275 msgid "Kerberos principal name for this host" msgstr "Nazwa naczelnika Kerberosa dla tego komputera" #: ipalib/plugins/host.py:319 #, python-format msgid "%(count)d host matched" msgid_plural "%(count)d hosts matched" msgstr[0] "Pasuje %(count)d komputer" msgstr[1] "Pasuje %(count)d komputery" msgstr[2] "Pasuje %(count)d komputer?w" #: ipalib/plugins/host.py:337 ipalib/plugins/service.py:84 msgid "Keytab" msgstr "Tabela kluczy" #: ipalib/plugins/host.py:359 ipalib/plugins/service.py:399 #, python-format msgid "Removed kerberos key from \"%(value)s\"" msgstr "Usuni?to klucz Kerberosa z \"%(value)s\"" #: ipalib/plugins/host.py:368 msgid "Host principal has no kerberos key" msgstr "Naczelnik komputera nie posiada klucza Kerberosa" #: ipalib/plugins/hostgroup.py:74 msgid "Host-group" msgstr "Grupa komputer?w" #: ipalib/plugins/hostgroup.py:75 msgid "Name of host-group" msgstr "Nazwa grupy komputer?w" #: ipalib/plugins/hostgroup.py:82 msgid "A description of this host-group" msgstr "Opis tej grupy komputer?w" #: 
ipalib/plugins/hostgroup.py:85 msgid "Member hosts" msgstr "Element komputer?w" #: ipalib/plugins/hostgroup.py:89 msgid "Member host-groups" msgstr "Element grupy komputer?w" #: ipalib/plugins/hostgroup.py:106 #, python-format msgid "Added hostgroup \"%(value)s\"" msgstr "Dodano grup? komputer?w \"%(value)s\"" #: ipalib/plugins/hostgroup.py:116 #, python-format msgid "Deleted hostgroup \"%(value)s\"" msgstr "Usuni?to grup? komputer?w \"%(value)s\"" #: ipalib/plugins/hostgroup.py:126 #, python-format msgid "Modified hostgroup \"%(value)s\"" msgstr "Zmodyfikowano grup? komputer?w \"%(value)s\"" #: ipalib/plugins/hostgroup.py:137 #, python-format msgid "%(count)d hostgroup matched" msgid_plural "%(count)d hostgroups matched" msgstr[0] "Pasuje %(count)d grupa komputer?w" msgstr[1] "Pasuj? %(count)d grupy komputer?w" msgstr[2] "Pasuje %(count)d grup komputer?w" #: ipalib/plugins/internal.py:39 msgid "Logged In As" msgstr "Zalogowano jako" #: ipalib/plugins/internal.py:41 msgid "Add" msgstr "Dodaj" #: ipalib/plugins/internal.py:42 msgid "Find" msgstr "Znajd?" #: ipalib/plugins/internal.py:43 msgid "Reset" msgstr "Przywr??" #: ipalib/plugins/internal.py:44 msgid "Update" msgstr "Zaktualizuj" #: ipalib/plugins/internal.py:45 msgid "Enroll" msgstr "Zapisz si?" #: ipalib/plugins/internal.py:46 msgid "Delete" msgstr "Usu?" #: ipalib/plugins/internal.py:49 msgid "Quick Links" msgstr "Szybkie odno?niki" #: ipalib/plugins/internal.py:50 msgid "Select All" msgstr "Zaznacz wszystko" #: ipalib/plugins/internal.py:51 msgid "Unselect All" msgstr "Odznacz wszystko" #: ipalib/plugins/internal.py:52 msgid "Do you really want to delete the selected entries?" msgstr "Na pewno usun?? zaznaczone wpisy?" 
#: ipalib/plugins/internal.py:55 msgid "Identity Details" msgstr "Informacje o to?samo?ci" #: ipalib/plugins/internal.py:56 msgid "Account Details" msgstr "Informacje o koncie" #: ipalib/plugins/internal.py:57 msgid "Contact Details" msgstr "Informacje o kontakcie" #: ipalib/plugins/internal.py:58 msgid "Mailing Address" msgstr "Adres pocztowy" #: ipalib/plugins/internal.py:59 msgid " Employee Information" msgstr "Informacje o pracowniku" #: ipalib/plugins/internal.py:60 msgid "Misc. Information" msgstr "R??ne informacje" #: ipalib/plugins/internal.py:61 msgid "Back to Top" msgstr "Wr?? na g?r?" #: ipalib/plugins/internal.py:66 msgid "Name of object to export" msgstr "Nazwa obiektu do wyeksportowania" #: ipalib/plugins/internal.py:71 msgid "Dict of JSON encoded IPA Objects" msgstr "S?ownik obiekt?w IPA zakodowanych w formacie JSON" #: ipalib/plugins/internal.py:72 msgid "Dict of I18N messages" msgstr "S?ownik komunikat?w umi?dzynaradawiania" #: ipalib/plugins/krbtpolicy.py:59 msgid "Kerberos Ticket Policy" msgstr "Polityka zg?osze? Kerberosa" #: ipalib/plugins/krbtpolicy.py:64 ipalib/plugins/passwd.py:52 msgid "User name" msgstr "Nazwa u?ytkownika" #: ipalib/plugins/krbtpolicy.py:65 msgid "Manage ticket policy for specific user" msgstr "Zarz?dzanie polityk? zg?osze? dla podanego u?ytkownika" #: ipalib/plugins/krbtpolicy.py:70 msgid "Max life" msgstr "Maksymalny czas ?ycia" #: ipalib/plugins/krbtpolicy.py:71 msgid "Maximum ticket life (seconds)" msgstr "Minimalny czas ?ycia zg?oszenia (sekundy)" #: ipalib/plugins/krbtpolicy.py:75 msgid "Max renew" msgstr "Maksymalne odnowienie" #: ipalib/plugins/krbtpolicy.py:76 msgid "Maximum renewable age (seconds)" msgstr "Maksymalny czas, w kt?rym mo?liwe jest odnowienie (sekundy)" #: ipalib/plugins/migration.py:44 #, python-format msgid "" "Kerberos principal %s already exists. Use 'ipa user-mod' to set it manually." msgstr "" "Naczelnik Kerberosa %s ju? istnieje. Nale?y u?y? polecenia \"ipa user-mod\", " "aby ustawi? 
go r?cznie." #: ipalib/plugins/migration.py:45 msgid "" "Failed to add user to the default group. Use 'ipa group-add-member' to add " "manually." msgstr "" "Dodanie u?ytkownika do domy?lnej grupy nie powiod?o si?. Nale?y u?y? " "polecenia \"ipa group-add-member\", aby doda? go r?cznie." #: ipalib/plugins/migration.py:169 msgid "LDAP URI" msgstr "Adres URI LDAP" #: ipalib/plugins/migration.py:170 msgid "LDAP URI of DS server to migrate from" msgstr "Adres URI LDAP serwera DS, z kt?rego migrowa?" #: ipalib/plugins/migration.py:174 msgid "bind password" msgstr "has?o Bind" #: ipalib/plugins/migration.py:181 msgid "Bind DN" msgstr "DN dowi?zania" #: ipalib/plugins/migration.py:187 msgid "User container" msgstr "Kontener u?ytkownika" #: ipalib/plugins/migration.py:188 msgid "RDN of container for users in DS" msgstr "RDN kontenera dla u?ytkownik?w w DS" #: ipalib/plugins/migration.py:194 msgid "Group container" msgstr "Kontener grupy" #: ipalib/plugins/migration.py:195 msgid "RDN of container for groups in DS" msgstr "RDN kontenera dla grup w DS" #: ipalib/plugins/migration.py:200 msgid "Continous operation mode. Errors are reported but the process continues" msgstr "" "Tryb dzia?ania ci?g?ego. B??dy s? zg?aszane, ale proces jest kontynuowany" #: ipalib/plugins/migration.py:208 msgid "Lists of objects migrated; categorized by type." msgstr "Lista migrowanych obiekt?w, u?o?onych w kategorie wed?ug typu." #: ipalib/plugins/migration.py:212 msgid "Lists of objects that could not be migrated; categorized by type." msgstr "" "Lista obiekt?w, kt?re nie mog?y zosta? migrowane, u?o?onych w kategorie " "wed?ug typu." #: ipalib/plugins/migration.py:216 msgid "False if migration mode was disabled." 
msgstr "Fa?sz, je?li wy??czono tryb migracji" #: ipalib/plugins/migration.py:220 #, python-format msgid "comma-separated list of %s to exclude from migration" msgstr "lista %s oddzielonych przecinkami do wykluczenia z migracji" #: ipalib/plugins/migration.py:222 msgid "" "search results for objects to be migrated\n" "have been truncated by the server;\n" "migration process might be uncomplete\n" msgstr "" "wyniki wyszukiwania obiekt?w do migrowania\n" "zosta?y skr?cone przez serwer. Proces\n" "migracji m?g? nie zosta? uko?czony\n" #: ipalib/plugins/migration.py:227 msgid "Migration mode is disabled. Use 'ipa config-mod' to enable it." msgstr "" "Tryb migracji jest wy??czony. Nale?y u?y? polecenia \"ipa config-mod\", aby " "go w??czy?." #: ipalib/plugins/migration.py:230 msgid "" "Passwords have been migrated in pre-hashed format.\n" "IPA is unable to generate Kerberos keys unless provided\n" "with clear text passwords. All migrated users need to\n" "login at https://your.domain/ipa/migration/ before they\n" "can use their Kerberos accounts." msgstr "" "Has?a zosta?y migrowane w formacie sprzed mieszania.\n" "Program IPA nie mo?e utworzy? kluczy Kerberosa, chyba\n" "?e zosta?y podane z has?ami w zwyk?ym tek?cie. Wszyscy\n" "migrowani u?ytkownicy musz? zalogowa? si? na stronie\n" "https://twoja.domena/ipa/migration/, zanim b?d? mogli\n" "u?ywa? swoich kont Kerberosa." 
#: ipalib/plugins/migration.py:297 #, python-format msgid "Container for %(container)s not found" msgstr "Nie odnaleziono kontenera dla %(container)s" #: ipalib/plugins/misc.py:38 #, python-format msgid "%(count)d variables" msgstr "%(count)d zmiennych" #: ipalib/plugins/misc.py:61 msgid "Total number of variables env (>= count)" msgstr "Ca?kowita liczba zmiennych ?rodowiskowych (>= licznik)" #: ipalib/plugins/misc.py:66 msgid "Number of variables returned (<= total)" msgstr "Liczba zwr?conych zmiennych (<= razem)" #: ipalib/plugins/misc.py:109 #, python-format msgid "%(count)d plugin loaded" msgid_plural "%(count)d plugins loaded" msgstr[0] "Wczytano %(count)d wtyczk?" msgstr[1] "Wczytano %(count)d wtyczki" msgstr[2] "Wczytano %(count)d wtyczek" #: ipalib/plugins/misc.py:116 msgid "Number of plugins loaded" msgstr "Liczba wczytanych wtyczek" #: ipalib/plugins/netgroup.py:57 msgid "Member Host" msgstr "Komputer elementu" #: ipalib/plugins/netgroup.py:63 msgid "External host" msgstr "Zewn?trzny komputer" #: ipalib/plugins/netgroup.py:85 msgid "Net Groups" msgstr "Grupy sieciowe" #: ipalib/plugins/netgroup.py:90 msgid "Netgroup name" msgstr "Nazwa grupy sieciowej" #: ipalib/plugins/netgroup.py:97 msgid "Netgroup description" msgstr "Opis grupy sieciowej" #: ipalib/plugins/netgroup.py:101 msgid "NIS domain name" msgstr "Nazwa domeny NIS" #: ipalib/plugins/netgroup.py:106 msgid "IPA unique ID" msgstr "Unikalny identyfikator IPA" #: ipalib/plugins/pwpolicy.py:84 #, python-format msgid "priority must be a unique value (%(prio)d already used by %(gname)s)" msgstr "" "priorytet musi by? unikaln? warto?ci? (%(prio)d jest ju? u?ywane przez " "%(gname)s)" #: ipalib/plugins/pwpolicy.py:170 msgid "Password Policy" msgstr "Polityka hase?" #: ipalib/plugins/pwpolicy.py:175 msgid "Group" msgstr "Grupa" #: ipalib/plugins/pwpolicy.py:176 msgid "Manage password policy for specific group" msgstr "Zarz?dzanie polityk? hase? 
dla podanej grupy" #: ipalib/plugins/pwpolicy.py:181 msgid "Max lifetime (days)" msgstr "Maksymalny czas ?ycia (w dniach)" #: ipalib/plugins/pwpolicy.py:182 msgid "Maximum password lifetime (in days)" msgstr "Maksymalny czas ?ycia has?a (w dniach)" #: ipalib/plugins/pwpolicy.py:187 msgid "Min lifetime (hours)" msgstr "Minimalny czas ?ycia (w godzinach)" #: ipalib/plugins/pwpolicy.py:188 msgid "Minimum password lifetime (in hours)" msgstr "Minimalny czas ?ycia has?a (w godzinach)" #: ipalib/plugins/pwpolicy.py:193 msgid "History size" msgstr "Rozmiar historii" #: ipalib/plugins/pwpolicy.py:194 msgid "Password history size" msgstr "Rozmiar historii hase?" #: ipalib/plugins/pwpolicy.py:199 msgid "Character classes" msgstr "Klasy znak?w" #: ipalib/plugins/pwpolicy.py:200 msgid "Minimum number of character classes" msgstr "Minimalna liczba klas znak?w" #: ipalib/plugins/pwpolicy.py:206 msgid "Min length" msgstr "Minimalna d?ugo??" #: ipalib/plugins/pwpolicy.py:207 msgid "Minimum length of password" msgstr "Minimalna d?ugo?? has?a" #: ipalib/plugins/pwpolicy.py:212 msgid "Priority" msgstr "Priorytet" #: ipalib/plugins/pwpolicy.py:213 msgid "Priority of the policy (higher number means lower priority" msgstr "Priorytet polityki (wy?szy numer r?wna si? ni?szemu priorytetowi" #: ipalib/plugins/pwpolicy.py:265 msgid "Maximum password life must be greater than minimum." msgstr "Maksymalny czas ?ycia has?a musi by? wy?szy ni? minimalny." #: ipalib/plugins/pwpolicy.py:330 msgid "priority cannot be set on global policy" msgstr "nie mo?na ustawia? 
priorytetu dla globalnej polityki" #: ipalib/plugins/pwpolicy.py:369 msgid "User" msgstr "U?ytkownik" #: ipalib/plugins/pwpolicy.py:370 msgid "Display effective policy for a specific user" msgstr "Wy?wietlanie aktywnej polityki dla podanego u?ytkownika" #: ipalib/plugins/rolegroup.py:79 msgid "Role Groups" msgstr "Grupy rol" #: ipalib/plugins/rolegroup.py:84 msgid "Role-group name" msgstr "Nazwa grupy rol" #: ipalib/plugins/rolegroup.py:91 msgid "A description of this role-group" msgstr "Opis tej grupy rol" #: ipalib/plugins/rolegroup.py:102 msgid "Member of task-groups" msgstr "Element grupy zadaniowej" #: ipalib/plugins/rolegroup.py:115 #, python-format msgid "Added rolegroup \"%(value)s\"" msgstr "Dodano grup? roli \"%(value)s\"" #: ipalib/plugins/rolegroup.py:125 #, python-format msgid "Deleted rolegroup \"%(value)s\"" msgstr "Usuni?to grup? roli \"%(value)s\"" #: ipalib/plugins/rolegroup.py:135 #, python-format msgid "Modified rolegroup \"%(value)s\"" msgstr "Zmodyfikowano grup? roli \"%(value)s\"" #: ipalib/plugins/rolegroup.py:146 #, python-format msgid "%(count)d rolegroup matched" msgid_plural "%(count)d rolegroups matched" msgstr[0] "Pasuje %(count)d grupa roli" msgstr[1] "Pasuj? %(count)d grupy roli" msgstr[2] "Pasuje %(count)d grup roli" #: ipalib/plugins/service.py:198 msgid "Service principal" msgstr "Naczelnik us?ugi" #: ipalib/plugins/service.py:221 msgid "force principal name even if not in DNS" msgstr "wymuszenie nazwy naczelnika nawet, je?li nie w DNS" #: ipalib/plugins/service.py:292 #, python-format msgid "Modified service \"%(value)s\"" msgstr "Zmodyfikowano us?ug? 
\"%(value)s\"" #: ipalib/plugins/service.py:323 #, python-format msgid "%(count)d service matched" msgid_plural "%(count)d services matched" msgstr[0] "Pasuje %(count)d us?uga" msgstr[1] "Pasuje %(count)d us?ugi" msgstr[2] "Pasuje %(count)d us?ug" #: ipalib/plugins/service.py:409 msgid "Service principal has no kerberos key" msgstr "Naczelnik us?ugi nie posiada klucza Kerberosa" #: ipalib/plugins/sudocmd.py:60 msgid "SudoCmds" msgstr "Polecenia sudo" #: ipalib/plugins/sudocmd.py:65 msgid "Sudo Command" msgstr "Polecenie sudo" #: ipalib/plugins/sudocmd.py:72 msgid "A description of this command" msgstr "Opis tego polecenia" #: ipalib/plugins/sudocmd.py:99 #, python-format msgid "Added sudo command \"%(value)s\"" msgstr "Dodano polecenie sudo \"%(value)s\"" #: ipalib/plugins/sudocmd.py:108 #, python-format msgid "Deleted sudo command \"%(value)s\"" msgstr "Usuni?to polecenie sudo \"%(value)s\"" #: ipalib/plugins/sudocmd.py:117 #, python-format msgid "Modified sudo command \"%(value)s\"" msgstr "Zmodyfikowano polecenie sudo \"%(value)s\"" #: ipalib/plugins/sudocmd.py:127 #, python-format msgid "%(count)d sudo command matched" msgid_plural "%(count)d sudo command matched" msgstr[0] "Pasuje %(count)d polecenie sudo" msgstr[1] "Pasuje %(count)d polecenia sudo" msgstr[2] "Pasuje %(count)d polece? sudo" #: ipalib/plugins/sudocmdgroup.py:66 ipalib/plugins/sudocmdgroup.py:85 #: ipalib/plugins/sudorule.py:81 ipalib/plugins/sudorule.py:85 msgid "Sudo Command Groups" msgstr "Grupy polecenia sudo" #: ipalib/plugins/sudocmdgroup.py:71 msgid "Sudo Command Group name" msgstr "Nazwa grupy polecenia sudo" #: ipalib/plugins/sudocmdgroup.py:81 msgid "Commands" msgstr "Polecenia" #: ipalib/plugins/sudocmdgroup.py:98 #, python-format msgid "Added sudo command group \"%(value)s\"" msgstr "Dodano grup? polecenia sudo \"%(value)s\"" #: ipalib/plugins/sudocmdgroup.py:108 #, python-format msgid "Deleted sudo command group \"%(value)s\"" msgstr "Usuni?to grup? 
polecenia sudo \"%(value)s\"" #: ipalib/plugins/sudocmdgroup.py:118 #, python-format msgid "Modified sudo command group \"%(value)s\"" msgstr "Zmodyfikowano grup? polecenia sudo \"%(value)s\"" #: ipalib/plugins/sudocmdgroup.py:129 #, python-format msgid "%(count)d sudo command group matched" msgid_plural "%(count)d sudo command groups matched" msgstr[0] "Pasuje %(count)d grupa polecenia sudo" msgstr[1] "Pasuj? %(count)d grupy polecenia sudo" msgstr[2] "Pasuje %(count)d grup polecenia sudo" #: ipalib/plugins/sudorule.py:48 msgid "SudoRule" msgstr "Regu?a sudo" #: ipalib/plugins/sudorule.py:73 msgid "Sudo Allow Commands" msgstr "Polecenia zezwolone sudo" #: ipalib/plugins/sudorule.py:77 msgid "Sudo Deny Commands" msgstr "Polecenia zabronione sudo" #: ipalib/plugins/sudorule.py:109 #, python-format msgid "Added sudo rule \"%(value)s\"" msgstr "Dodano regu?? sudo \"%(value)s\"" #: ipalib/plugins/taskgroup.py:51 msgid "Task Groups" msgstr "Grupy zadaniowe" #: ipalib/plugins/taskgroup.py:56 msgid "Task-group name" msgstr "Nazwa grupy zadaniowej" #: ipalib/plugins/taskgroup.py:63 msgid "Task-group description" msgstr "Opis grupy zadaniowej" #: ipalib/plugins/taskgroup.py:74 msgid "Member role-groups" msgstr "Element grupy zadaniowej" #: ipalib/plugins/taskgroup.py:87 #, python-format msgid "Added taskgroup \"%(value)s\"" msgstr "Dodano grup? zadaniow? \"%(value)s\"" #: ipalib/plugins/taskgroup.py:97 #, python-format msgid "Deleted taskgroup \"%(value)s\"" msgstr "Usuni?to grup? zadaniow? \"%(value)s\"" #: ipalib/plugins/taskgroup.py:107 #, python-format msgid "Modified taskgroup \"%(value)s\"" msgstr "Zmodyfikowano grup? zadaniow? \"%(value)s\"" #: ipalib/plugins/taskgroup.py:118 #, python-format msgid "%(count)d taskgroup matched" msgid_plural "%(count)d taskgroups matched" msgstr[0] "Pasuje %(count)d grupa zadaniowa" msgstr[1] "Pasuj? 
%(count)d grupy zadaniowe" msgstr[2] "Pasuje %(count)d grup zadaniowych" #: ipalib/plugins/user.py:84 msgid "User login" msgstr "Login u?ytkownika" #: ipalib/plugins/user.py:91 msgid "First name" msgstr "Imi?" #: ipalib/plugins/user.py:95 msgid "Last name" msgstr "Nazwisko" #: ipalib/plugins/user.py:103 msgid "GECOS field" msgstr "Pole GECOS" #: ipalib/plugins/user.py:109 msgid "Login shell" msgstr "Pow?oka logowania" #: ipalib/plugins/user.py:114 msgid "Kerberos principal" msgstr "Naczelnik Kerberosa" #: ipalib/plugins/user.py:120 msgid "Email address" msgstr "Adres e-mail" #: ipalib/plugins/user.py:124 msgid "Password" msgstr "Has?o" #: ipalib/plugins/user.py:125 msgid "Set the user password" msgstr "Ustaw has?o u?ytkownika" #: ipalib/plugins/user.py:132 msgid "UID" msgstr "UID" #: ipalib/plugins/user.py:133 msgid "User ID Number (system will assign one if not provided)" msgstr "" "Numer identyfikacyjny u?ytkownika (system go przydzieli, je?li nie zostanie " "podany)" #: ipalib/plugins/user.py:139 msgid "Street address" msgstr "Adres zamieszkania" #: ipalib/plugins/user.py:142 msgid "Groups" msgstr "Grupy" #: ipalib/plugins/user.py:146 msgid "Netgroups" msgstr "Grupy sieciowe" #: ipalib/plugins/user.py:150 msgid "Rolegroups" msgstr "Grupy rol" #: ipalib/plugins/user.py:154 msgid "Taskgroups" msgstr "Grupy zadaniowe" #: ipalib/plugins/user.py:159 msgid "Telephone Number" msgstr "Numer telefonu" #: ipalib/plugins/user.py:161 msgid "Mobile Telephone Number" msgstr "Numer telefonu kom?rkowego" #: ipalib/plugins/user.py:163 msgid "Pager Number" msgstr "Numer pagera" #: ipalib/plugins/user.py:166 msgid "Fax Number" msgstr "Numer faksu" #: ipalib/plugins/user.py:177 #, python-format msgid "Added user \"%(value)s\"" msgstr "Dodano u?ytkownika \"%(value)s\"" #: ipalib/plugins/user.py:226 #, python-format msgid "Deleted user \"%(value)s\"" msgstr "Usuni?to u?ytkownika \"%(value)s\"" #: ipalib/plugins/user.py:240 #, python-format msgid "Modified user \"%(value)s\"" msgstr 
"Zmodyfikowano u?ytkownika \"%(value)s\"" #: ipalib/plugins/user.py:252 msgid "Self" msgstr "W?asny" #: ipalib/plugins/user.py:253 msgid "Display user record for current Kerberos principal" msgstr "Wy?wietlenie wpisu u?ytkownika dla bie??cego naczelnika Kerberosa" #: ipalib/plugins/user.py:263 #, python-format msgid "%(count)d user matched" msgid_plural "%(count)d users matched" msgstr[0] "Pasuje %(count)d u?ytkownik" msgstr[1] "Pasuje %(count)d u?ytkownik?w" msgstr[2] "Pasuje %(count)d u?ytkownik?w" #: ipalib/plugins/user.py:283 #, python-format msgid "Disabled user account \"%(value)s\"" msgstr "Wy??czono konto u?ytkownika \"%(value)s\"" #: ipalib/plugins/user.py:309 #, python-format msgid "Enabled user account \"%(value)s\"" msgstr "W??czono konto u?ytkownika \"%(value)s\"" #: ipaserver/install/certs.py:599 ipaserver/plugins/dogtag.py:1313 #: ipaserver/plugins/dogtag.py:1398 ipaserver/plugins/dogtag.py:1463 #: ipaserver/plugins/dogtag.py:1543 ipaserver/plugins/dogtag.py:1602 #, python-format msgid "Unable to communicate with CMS (%s)" msgstr "Nie mo?na komunikowa? si? z CMS (%s)" #: ipaserver/plugins/join.py:54 msgid "The hostname to register as" msgstr "Nazwa komputera, pod jak? zarejestrowa?" #: ipaserver/plugins/join.py:62 msgid "The IPA realm" msgstr "Obszar IPA" #: ipaserver/plugins/join.py:68 msgid "Hardware platform of the host (e.g. Lenovo T61)" msgstr "Platforma sprz?towa komputera (np. Lenovo T61)" #: ipaserver/plugins/join.py:72 msgid "Operating System and version of the host (e.g. Fedora 9)" msgstr "System operacyjny komputera i jego wersja (np. Fedora 9)" #: ipaserver/plugins/selfsign.py:98 #, python-format msgid "" "Request subject \"%(request_subject)s\" does not match the form " "\"%(subject_base)s\"" msgstr "" "Temat ??dania \"%(request_subject)s\" nie pasuje do formatu " "\"%(subject_base)s\"" #: ipaserver/plugins/selfsign.py:103 #, python-format msgid "unable to decode csr: %s" msgstr "nie mo?na dekodowa? 
csr: %s" #: ipaserver/plugins/selfsign.py:124 ipaserver/plugins/selfsign.py:139 msgid "file operation" msgstr "dzia?anie na pliku" #: ipaserver/plugins/selfsign.py:153 msgid "cannot obtain next serial number" msgstr "nie mo?na uzyska? nast?pnego numeru szeregowego" #: ipaserver/plugins/selfsign.py:188 msgid "certutil failure" msgstr "narz?dzie certyfikat?w nie powiod?o si?" #: ipa-client/config.c:55 #, c-format msgid "cannot open configuration file %s\n" msgstr "nie mo?na otworzy? pliku konfiguracji %s\n" #: ipa-client/config.c:62 #, c-format msgid "cannot stat() configuration file %s\n" msgstr "nie mo?na wykona? stat() na pliku konfiguracji %s\n" #: ipa-client/config.c:75 #, c-format msgid "read error\n" msgstr "b??d odczytu\n" #: ipa-client/ipa-getkeytab.c:138 ipa-client/ipa-getkeytab.c:838 #, c-format msgid "No system preferred enctypes ?!\n" msgstr "Brak typ?w szyfrowania preferowanych przez system?\n" #: ipa-client/ipa-getkeytab.c:146 #, c-format msgid "Out of memory!?\n" msgstr "Brak pami?ci?\n" #: ipa-client/ipa-getkeytab.c:164 ipa-client/ipa-getkeytab.c:179 #, c-format msgid "Out of memory\n" msgstr "Brak pami?ci\n" #: ipa-client/ipa-getkeytab.c:194 #, c-format msgid "Warning unrecognized encryption type: [%s]\n" msgstr "Ostrze?enie o nierozpoznanym typie szyfrowania: [%s]\n" #: ipa-client/ipa-getkeytab.c:209 #, c-format msgid "Warning unrecognized salt type: [%s]\n" msgstr "Ostrze?enie o nierozpoznanym typie salt: [%s]\n" #: ipa-client/ipa-getkeytab.c:235 #, c-format msgid "Enctype comparison failed!\n" msgstr "Por?wnanie typ?w szyfrowania nie powiod?o si?.\n" #: ipa-client/ipa-getkeytab.c:297 #, c-format msgid "Failed to create random key!\n" msgstr "Utworzenie losowego klucza nie powiod?o si?.\n" #: ipa-client/ipa-getkeytab.c:310 ipa-client/ipa-getkeytab.c:327 #: ipa-client/ipa-getkeytab.c:335 ipa-client/ipa-getkeytab.c:372 #, c-format msgid "Failed to create key!\n" msgstr "Utworzenie klucza nie powiod?o si?.\n" #: ipa-client/ipa-getkeytab.c:317 
ipa-client/ipa-getkeytab.c:350 #, c-format msgid "Out of memory!\n" msgstr "Brak pami?ci.\n" #: ipa-client/ipa-getkeytab.c:361 #, c-format msgid "Bad or unsupported salt type (%d)!\n" msgstr "B??dny lub nieobs?ugiwany typ salt (%d).\n" #: ipa-client/ipa-getkeytab.c:481 #, c-format msgid "No keys accepted by KDC\n" msgstr "?adne klucze nie zosta?y zaakceptowane przez KDC\n" #: ipa-client/ipa-getkeytab.c:496 #, c-format msgid "Out of memory \n" msgstr "Brak pami?ci \n" #: ipa-client/ipa-getkeytab.c:534 #, c-format msgid "Out of Memory!\n" msgstr "Brak pami?ci.\n" #: ipa-client/ipa-getkeytab.c:541 #, c-format msgid "Failed to create control!\n" msgstr "Utworzenie kontroli nie powiod?o si?.\n" #: ipa-client/ipa-getkeytab.c:565 #, c-format msgid "Unable to initialize ldap library!\n" msgstr "Nie mo?na zainicjowa? biblioteki LDAP.\n" #: ipa-client/ipa-getkeytab.c:572 #, c-format msgid "Unable to set ldap options!\n" msgstr "Nie mo?na ustawi? opcji LDAP.\n" #: ipa-client/ipa-getkeytab.c:579 #, c-format msgid "Simple bind failed\n" msgstr "Proste dowi?zanie nie powiod?o si?\n" #: ipa-client/ipa-getkeytab.c:589 #, c-format msgid "SASL Bind failed!\n" msgstr "Dowi?zanie SASL nie powiod?o si?.\n" #: ipa-client/ipa-getkeytab.c:605 ipa-client/ipa-getkeytab.c:618 #: ipa-client/ipa-getkeytab.c:625 ipa-client/ipa-getkeytab.c:632 #, c-format msgid "Operation failed! %s\n" msgstr "Dzia?anie nie powiod?o si?. 
%s\n" #: ipa-client/ipa-getkeytab.c:638 ipa-client/ipa-getkeytab.c:648 #, c-format msgid "Missing reply control!\n" msgstr "Brak kontroli odpowiedzi.\n" #: ipa-client/ipa-getkeytab.c:655 #, c-format msgid "ber_init() failed, Invalid control ?!\n" msgstr "ber_init() nie powiod?o si?, nieprawid?owa kontrola?\n" #: ipa-client/ipa-getkeytab.c:674 #, c-format msgid "ber_scanf() failed, Invalid control ?!\n" msgstr "ber_scanf() nie powiod?o si?, nieprawid?owa kontrola?\n" #: ipa-client/ipa-getkeytab.c:715 msgid "New Principal Password" msgstr "Nowe has?o naczelnika" #: ipa-client/ipa-getkeytab.c:721 msgid "Verify Principal Password" msgstr "Sprawdzenie has?a naczelnika" #: ipa-client/ipa-getkeytab.c:779 ipa-client/ipa-join.c:965 msgid "Print as little as possible" msgstr "Wy?wietla tak ma?o, jak to mo?liwe" #: ipa-client/ipa-getkeytab.c:779 ipa-client/ipa-join.c:965 msgid "Output only on errors" msgstr "Wy?wietla tylko b??dy" #: ipa-client/ipa-getkeytab.c:781 msgid "Contact this specific KDC Server" msgstr "Kontaktuje si? z konkretnym serwerem KDC" #: ipa-client/ipa-getkeytab.c:782 msgid "Server Name" msgstr "Nazwa serwera" #: ipa-client/ipa-getkeytab.c:784 ipa-client/ipa-rmkeytab.c:188 msgid "The principal to get a keytab for (ex: ftp/ftp.example.com at EXAMPLE.COM)" msgstr "" "Naczelnik, dla kt?rego uzyska? tablic? kluczy (np.: ftp/ftp.przyk?ad.pl@" "PRZYK?AD.PL)" #: ipa-client/ipa-getkeytab.c:785 ipa-client/ipa-rmkeytab.c:189 msgid "Kerberos Service Principal Name" msgstr "Nazwa naczelnika us?ugi Kerberos" #: ipa-client/ipa-getkeytab.c:787 ipa-client/ipa-join.c:973 #: ipa-client/ipa-rmkeytab.c:191 msgid "File were to store the keytab information" msgstr "Plik, w kt?rym przechowywa? informacj? 
o tablicy kluczy" #: ipa-client/ipa-getkeytab.c:788 ipa-client/ipa-join.c:973 #: ipa-client/ipa-rmkeytab.c:191 msgid "Keytab File Name" msgstr "Nazwa pliku tablicy kluczy" #: ipa-client/ipa-getkeytab.c:790 msgid "Encryption types to request" msgstr "Typy szyfrowania do za??dania" #: ipa-client/ipa-getkeytab.c:791 msgid "Comma separated encryption types list" msgstr "Lista typ?w szyfrowania oddzielonych przecinkami" #: ipa-client/ipa-getkeytab.c:793 msgid "Show the list of permitted encryption types and exit" msgstr "Wy?wietla list? dozwolonych typ?w szyfrowania i ko?czy dzia?anie" #: ipa-client/ipa-getkeytab.c:794 msgid "Permitted Encryption Types" msgstr "Dozwolone typy szyfrowania" #: ipa-client/ipa-getkeytab.c:796 msgid "Asks for a non-random password to use for the principal" msgstr "Pyta o nielosowe has?o do u?ycia z naczelnikiem" #: ipa-client/ipa-getkeytab.c:798 msgid "LDAP DN" msgstr "DN LDAP" #: ipa-client/ipa-getkeytab.c:798 msgid "DN to bind as if not using kerberos" msgstr "DN do dowi?zania, je?li nie jest u?ywany Kerberos" #: ipa-client/ipa-getkeytab.c:800 ipa-client/ipa-join.c:975 msgid "LDAP password" msgstr "Has?o LDAP" #: ipa-client/ipa-getkeytab.c:800 ipa-client/ipa-join.c:975 msgid "password to use if not using kerberos" msgstr "has?o do u?ycia, je?li nie jest u?ywany Kerberos" #: ipa-client/ipa-getkeytab.c:825 ipa-client/ipa-rmkeytab.c:207 #, c-format msgid "Kerberos context initialization failed\n" msgstr "Zainicjowanie kontekstu Kerberosa nie powiod?o si?\n" #: ipa-client/ipa-getkeytab.c:841 #, c-format msgid "Supported encryption types:\n" msgstr "Obs?ugiwane typy szyfrowania:\n" #: ipa-client/ipa-getkeytab.c:845 #, c-format msgid "Warning: failed to convert type (#%d)\n" msgstr "Ostrze?enie: przekonwertowanie typu (#%d) nie powiod?o si?\n" #: ipa-client/ipa-getkeytab.c:864 #, c-format msgid "Bind password required when using a bind DN.\n" msgstr "Has?o dowi?zania jest wymagane podczas u?ywania dowi?zania DN.\n" #: 
ipa-client/ipa-getkeytab.c:877 #, c-format msgid "" "Warning: salt types are not honored with randomized passwords (see opt. -P)\n" msgstr "" "Ostrze?enie: typy salt nie s? uwzgl?dniane z losowymi has?ami (prosz? " "zobaczy? opcj? -P)\n" #: ipa-client/ipa-getkeytab.c:889 #, c-format msgid "Invalid Service Principal Name\n" msgstr "Nieprawid?owa nazwa naczelnika us?ugi\n" #: ipa-client/ipa-getkeytab.c:897 #, c-format msgid "Kerberos Credential Cache not found. Do you have a Kerberos Ticket?\n" msgstr "" "Nie odnaleziono pami?ci podr?cznej danych uwierzytelniaj?cych. Istnieje " "zg?oszenie Kerberosa?\n" #: ipa-client/ipa-getkeytab.c:905 #, c-format msgid "" "Kerberos User Principal not found. Do you have a valid Credential Cache?\n" msgstr "" "Nie odnaleziono naczelnika u?ytkownika Kerberosa. Istnieje prawid?owa pami?? " "podr?czna danych uwierzytelniaj?cych?\n" #: ipa-client/ipa-getkeytab.c:913 #, c-format msgid "Failed to open Keytab\n" msgstr "Otwarcie tablicy kluczy nie powiod?o si?\n" #: ipa-client/ipa-getkeytab.c:920 #, c-format msgid "Failed to create key material\n" msgstr "Utworzenie materia?u klucza nie powiod?o si?\n" #: ipa-client/ipa-getkeytab.c:939 #, c-format msgid "Failed to add key to the keytab\n" msgstr "Dodanie klucza do tablicy kluczy nie powiod?o si?\n" #: ipa-client/ipa-getkeytab.c:948 #, c-format msgid "Failed to close the keytab\n" msgstr "Zamkni?cie tablicy kluczy nie powiod?o si?\n" #: ipa-client/ipa-getkeytab.c:954 #, c-format msgid "Keytab successfully retrieved and stored in: %s\n" msgstr "Pomy?lnie pobrano tablic? kluczy i przechowano j? w: %s\n" #: ipa-client/ipa-join.c:67 #, c-format msgid "No permission to join this host to the IPA domain.\n" msgstr "Brak uprawnienia do do??czenia do tego komputera w domenie IPA.\n" #: ipa-client/ipa-join.c:104 ipa-client/ipa-join.c:116 #, c-format msgid "No write permissions on keytab file '%s'\n" msgstr "Brak uprawnie? 
do zapisu pliku tablicy kluczy \"%s\"\n" #: ipa-client/ipa-join.c:121 #, c-format msgid "access() on %s failed: errno = %d\n" msgstr "access() w %s nie powiod?o si?: errno = %d\n" #: ipa-client/ipa-join.c:200 #, c-format msgid "Unable to enable SSL in LDAP\n" msgstr "Nie mo?na w??czy? SSL w LDAP\n" #: ipa-client/ipa-join.c:206 #, c-format msgid "Unable to set LDAP version\n" msgstr "Nie mo?na ustawi? wersji LDAP\n" #: ipa-client/ipa-join.c:216 #, c-format msgid "Bind failed: %s\n" msgstr "Dowi?zanie nie powiod?o si?: %s\n" #: ipa-client/ipa-join.c:249 #, c-format msgid "Search for %s on rootdse failed with error %d" msgstr "Wyszukiwanie %s w rootdse nie powiod?o si? z b??dem %d" #: ipa-client/ipa-join.c:259 ipa-client/ipa-join.c:311 #, c-format msgid "No values for %s" msgstr "Brak warto?ci dla %s" #: ipa-client/ipa-join.c:302 #, c-format msgid "Search for ipaCertificateSubjectBase failed with error %d" msgstr "Wyszukiwanie ipaCertificateSubjectBase nie powiod?o si? z b??dem %d" #: ipa-client/ipa-join.c:368 #, c-format msgid "Unable to determine root DN of %s\n" msgstr "Nie mo?na ustali? g??wnego DN %s\n" #: ipa-client/ipa-join.c:377 #, c-format msgid "Unable to determine certificate subject of %s\n" msgstr "Nie mo?na ustali? tematu certyfikatu %s\n" #: ipa-client/ipa-join.c:385 #, c-format msgid "Unable to make an LDAP connection to %s\n" msgstr "Nie mo?na utworzy? po??czenia LDAP do %s\n" #: ipa-client/ipa-join.c:394 #, c-format msgid "Searching with %s in %s\n" msgstr "Wyszukiwanie %s w %s\n" #: ipa-client/ipa-join.c:400 #, c-format msgid "ldap_search_ext_s: %s\n" msgstr "ldap_search_ext_s: %s\n" #: ipa-client/ipa-join.c:408 #, c-format msgid "Unable to find host '%s'\n" msgstr "Nie mo?na odnale?? komputera \"%s\"\n" #: ipa-client/ipa-join.c:415 #, c-format msgid "Unable to get binddn for host '%s'\n" msgstr "Nie mo?na uzyska? 
binddn dla komputera \"%s\"\n" #: ipa-client/ipa-join.c:428 #, c-format msgid "Host already has principal, trying bind anyway\n" msgstr "Komputer posiada ju? naczelnika, pr?ba dowi?zania mimo to\n" #: ipa-client/ipa-join.c:442 ipa-client/ipa-join.c:579 #, c-format msgid "Host is already joined.\n" msgstr "Komputer jest ju? do??czony.\n" #: ipa-client/ipa-join.c:446 #, c-format msgid "Incorrect password.\n" msgstr "Niepoprawne has?o.\n" #: ipa-client/ipa-join.c:457 #, c-format msgid "principal not found in host entry\n" msgstr "nie odnaleziono naczelnika we wpisie komputera\n" #: ipa-client/ipa-join.c:564 #, c-format msgid "principal not found in XML-RPC response\n" msgstr "nie odnaleziono naczelnika w odpowiedzi XML-RPC\n" #: ipa-client/ipa-join.c:646 ipa-client/ipa-join.c:823 #, c-format msgid "Unable to determine IPA server from %s\n" msgstr "Nie mo?na ustali? serwera IPA z %s\n" #: ipa-client/ipa-join.c:662 ipa-client/ipa-join.c:838 #, c-format msgid "The hostname must be fully-qualified: %s\n" msgstr "Nazwa komputera musi by? w pe?ni kwalifikowana: %s\n" #: ipa-client/ipa-join.c:671 ipa-client/ipa-join.c:848 #, c-format msgid "Unable to join host: Kerberos context initialization failed\n" msgstr "" "Nie mo?na do??czy? do komputera: zainicjowanie kontekstu Kerberosa nie " "powiod?o si?\n" #: ipa-client/ipa-join.c:679 #, c-format msgid "Error resolving keytab: %s.\n" msgstr "B??d podczas rozwi?zywania tablicy kluczy: %s.\n" #: ipa-client/ipa-join.c:689 #, c-format msgid "Error parsing \"%s\": %s.\n" msgstr "B??d podczas przetwarzania \"%s\": %s.\n" #: ipa-client/ipa-join.c:707 #, c-format msgid "Error obtaining initial credentials: %s.\n" msgstr "" "B??d podczas uzyskiwania pocz?tkowych danych uwierzytelniaj?cych: %s.\n" #: ipa-client/ipa-join.c:718 #, c-format msgid "Unable to generate Kerberos Credential Cache\n" msgstr "" "Nie mo?na utworzy? 
pami?ci podr?cznej danych uwierzytelniaj?cych Kerberosa\n" #: ipa-client/ipa-join.c:726 #, c-format msgid "Error storing creds in credential cache: %s.\n" msgstr "" "B??d podczas przechowywania danych uwierzytelniaj?cych w pami?ci podr?cznej: " "%s.\n" #: ipa-client/ipa-join.c:769 #, c-format msgid "Unenrollment successful.\n" msgstr "Pomy?lnie wypisano.\n" #: ipa-client/ipa-join.c:772 #, c-format msgid "Unenrollment failed.\n" msgstr "Wypisanie nie powiod?o si?.\n" #: ipa-client/ipa-join.c:777 #, c-format msgid "result not found in XML-RPC response\n" msgstr "nie odnaleziono wyniku w odpowiedzi XML-RPC\n" #: ipa-client/ipa-join.c:855 #, c-format msgid "Unable to join host: Kerberos Credential Cache not found\n" msgstr "" "Nie mo?na do??czy? do komputera: nie odnaleziono pami?ci podr?cznej danych " "uwierzytelniaj?cych Kerberosa\n" #: ipa-client/ipa-join.c:863 #, c-format msgid "" "Unable to join host: Kerberos User Principal not found and host password not " "provided.\n" msgstr "" "Nie mo?na do??czy? do komputera: nie odnaleziono naczelnika u?ytkownika " "Kerberosa oraz nie podano has?a komputera.\n" #: ipa-client/ipa-join.c:877 #, c-format msgid "fork() failed\n" msgstr "fork() nie powiod?o si?\n" #: ipa-client/ipa-join.c:906 #, c-format msgid "ipa-getkeytab not found\n" msgstr "nie odnaleziono ipa-getkeytab\n" #: ipa-client/ipa-join.c:909 #, c-format msgid "ipa-getkeytab has bad permissions?\n" msgstr "ipa-getkeytab posiada b??dne uprawnienia?\n" #: ipa-client/ipa-join.c:912 #, c-format msgid "executing ipa-getkeytab failed, errno %d\n" msgstr "wykonanie ipa-getkeytab nie powiod?o si?, errno %d\n" #: ipa-client/ipa-join.c:924 #, c-format msgid "child exited with %d\n" msgstr "potomek zosta? 
zako?czony z %d\n" #: ipa-client/ipa-join.c:930 #, c-format msgid "Certificate subject base is: %s\n" msgstr "Podstawa tematu certyfikatu: %s\n" #: ipa-client/ipa-join.c:963 msgid "Print the raw XML-RPC output" msgstr "Wy?wietla surowe wyj?cie XML-RPC" #: ipa-client/ipa-join.c:963 msgid "XML-RPC debugging Output" msgstr "Wyj?cie debugowania XML-RPC" #: ipa-client/ipa-join.c:967 msgid "Unenroll this host" msgstr "Wypisuje ten komputer" #: ipa-client/ipa-join.c:967 msgid "Unenroll this host from IPA server" msgstr "Wypisuje ten komputer z serwera IPA" #: ipa-client/ipa-join.c:969 msgid "Use this hostname instead of the node name" msgstr "U?ywa tej nazwy komputera zamiast nazwy w?z?a" #: ipa-client/ipa-join.c:969 msgid "Host Name" msgstr "Nazwa komputera" #: ipa-client/ipa-join.c:971 msgid "IPA Server to use" msgstr "Serwer IPA do u?ycia" #: ipa-client/ipa-join.c:971 msgid "IPA Server Name" msgstr "Nazwa serwera IPA" #: ipa-client/ipa-rmkeytab.c:44 #, c-format msgid "Unable to parse principal name\n" msgstr "Nie mo?na przetworzy? nazwy naczelnika\n" #: ipa-client/ipa-rmkeytab.c:46 #, c-format msgid "krb5_parse_name %d: %s\n" msgstr "krb5_parse_name %d: %s\n" #: ipa-client/ipa-rmkeytab.c:56 #, c-format msgid "Removing principal %s\n" msgstr "Usuwanie naczelnika %s\n" #: ipa-client/ipa-rmkeytab.c:69 #, c-format msgid "Failed to open keytab\n" msgstr "Otwarcie tablicy kluczy nie powiod?o si?\n" #: ipa-client/ipa-rmkeytab.c:73 #, c-format msgid "principal not found\n" msgstr "nie odnaleziono naczelnika\n" #: ipa-client/ipa-rmkeytab.c:75 #, c-format msgid "krb5_kt_get_entry %d: %s\n" msgstr "krb5_kt_get_entry %d: %s\n" #: ipa-client/ipa-rmkeytab.c:83 #, c-format msgid "Unable to remove entry\n" msgstr "Nie mo?na usun?? 
wpisu\n" #: ipa-client/ipa-rmkeytab.c:85 #, c-format msgid "kvno %d\n" msgstr "kvno %d\n" #: ipa-client/ipa-rmkeytab.c:86 #, c-format msgid "krb5_kt_remove_entry %d: %s\n" msgstr "krb5_kt_remove_entry %d: %s\n" #: ipa-client/ipa-rmkeytab.c:119 #, c-format msgid "Unable to parse principal\n" msgstr "Nie mo?na przetworzy? naczelnika\n" #: ipa-client/ipa-rmkeytab.c:121 #, c-format msgid "krb5_unparse_name %d: %s\n" msgstr "krb5_unparse_name %d: %s\n" #: ipa-client/ipa-rmkeytab.c:186 msgid "Print debugging information" msgstr "Wy?wietlanie informacji o debugowaniu" #: ipa-client/ipa-rmkeytab.c:186 msgid "Debugging output" msgstr "Wyj?cie debugowania" #: ipa-client/ipa-rmkeytab.c:193 msgid "Remove all principals in this realm" msgstr "Usuwa wszystkich naczelnik?w w tym obszarze" #: ipa-client/ipa-rmkeytab.c:193 msgid "Realm name" msgstr "Nazwa obszaru" #: ipa-client/ipa-rmkeytab.c:241 #, c-format msgid "Failed to open keytab '%s'\n" msgstr "Otwarcie tablicy kluczy \"%s\" nie powiod?o si?\n" #: ipa-client/ipa-rmkeytab.c:255 #, c-format msgid "Closing keytab failed\n" msgstr "Zamkni?cie tablicy kluczy nie powiod?o si?\n" #: ipa-client/ipa-rmkeytab.c:257 #, c-format msgid "krb5_kt_close %d: %s\n" msgstr "krb5_kt_close %d: %s\n" From ssorce at redhat.com Thu Oct 14 18:11:33 2010 
From: ssorce at redhat.com (Simo Sorce)
Date: Thu, 14 Oct 2010 14:11:33 -0400
Subject: [Freeipa-devel] [PATCH] #318 Use openldap's ldappasswd
In-Reply-To: <4CB73E39.8040202@redhat.com>
References: <20101013173752.3e2ff0e4@willson.li.ssimo.org> <4CB73E39.8040202@redhat.com>
Message-ID: <20101014141133.5be94bc1@willson.li.ssimo.org>

On Thu, 14 Oct 2010 13:30:33 -0400 Rob Crittenden wrote:

> Simo Sorce wrote:
> >
> > The following patch makes the ldappasswd operation use the
> > openldap's ldappasswd command, as well as avoiding putting passwords
> > in the command line (visible through a ps) and instead using secure
> > temporary files that are deleted immediately after the operation.
> >
> > Simo.
>
> ack

thanks, pushed to master

Simo.

--
Simo Sorce * Red Hat, Inc * New York

From ssorce at redhat.com Thu Oct 14 18:11:50 2010
From: ssorce at redhat.com (Simo Sorce)
Date: Thu, 14 Oct 2010 14:11:50 -0400
Subject: [Freeipa-devel] [PATCH] #316 Avoid installing files in /usr
In-Reply-To: <4CB73DAE.5080201@redhat.com>
References: <20101013192106.0a1b83e5@willson.li.ssimo.org> <4CB73DAE.5080201@redhat.com>
Message-ID: <20101014141150.024bc195@willson.li.ssimo.org>

On Thu, 14 Oct 2010 13:28:14 -0400 Rob Crittenden wrote:

> Simo Sorce wrote:
> > The default setup-ds.pl configuration installs ds scripts in /usr
> >
> > With this patch the customized scripts are kept
> > in /var/lib/dirsrv/scripts- instead of
> > /usr/lib/dirsrv/slapd-
> >
> > Simo.
>
> ack

pushed to master

Simo.

--
Simo Sorce * Red Hat, Inc * New York

From ssorce at redhat.com Thu Oct 14 18:12:49 2010
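The technique described in the "#318 Use openldap's ldappasswd" message above (passwords kept off the command line and handed over in short-lived private files), shown as an added example that is not the FreeIPA patch itself. It assumes OpenLDAP's `ldappasswd` with its `-y` (bind password file) and `-T` (new password file) options; the function names, DNs, URI, passwords and the fake runner are constructed for illustration.

```python
import os
import stat
import subprocess
import tempfile
from contextlib import contextmanager

# Weak form, for comparison: `ldappasswd -w <bind pw> -s <new pw> ...` puts both
# secrets in argv, where any local user can read them from the process list.


@contextmanager
def secret_file(secret):
    """Yield the path of a private temp file holding `secret`, then remove it."""
    # mkstemp() opens the file with O_EXCL and mode 0600: only the calling
    # user can read it, and nobody can pre-create it under a guessed name.
    fd, path = tempfile.mkstemp(prefix="ldappw-")
    try:
        with os.fdopen(fd, "w") as handle:
            # No trailing newline: -y and -T take the file contents as the password.
            handle.write(secret)
        yield path
    finally:
        # Runs on success and on any exception, so the secret never outlives the call.
        if os.path.exists(path):
            os.unlink(path)


def build_argv(uri, bind_dn, bind_pw_file, new_pw_file, target_dn):
    """Build an ldappasswd command line that carries file paths, never secrets."""
    return ["ldappasswd", "-x", "-H", uri, "-D", bind_dn,
            "-y", bind_pw_file, "-T", new_pw_file, target_dn]


def change_password(uri, bind_dn, bind_pw, target_dn, new_pw, runner=subprocess.run):
    """Run ldappasswd with both passwords passed through temporary files."""
    with secret_file(bind_pw) as bind_file, secret_file(new_pw) as new_file:
        argv = build_argv(uri, bind_dn, bind_file, new_file, target_dn)
        result = runner(argv, capture_output=True, text=True)
    # Both files are already deleted here, whatever the command returned.
    return argv, result


def demo():
    """Exercise change_password() offline with a constructed stand-in for ldappasswd."""
    seen = {}

    def fake_runner(argv, **kwargs):
        bind_file = argv[argv.index("-y") + 1]
        new_file = argv[argv.index("-T") + 1]
        seen["argv"] = list(argv)
        seen["mode"] = stat.S_IMODE(os.stat(new_file).st_mode)
        with open(bind_file) as handle:
            seen["bind"] = handle.read()
        with open(new_file) as handle:
            seen["new"] = handle.read()
        seen["paths"] = (bind_file, new_file)
        return subprocess.CompletedProcess(argv, 0, stdout="", stderr="")

    _, result = change_password(
        "ldap://ldap.example.test",            # constructed URI
        "cn=admin,dc=example,dc=test",         # constructed bind DN
        "constructed-bind-pw",
        "uid=tuser,cn=users,dc=example,dc=test",
        "constructed-new-pw",
        runner=fake_runner,
    )
    seen["returncode"] = result.returncode
    seen["files_left"] = [p for p in seen["paths"] if os.path.exists(p)]
    return seen


if __name__ == "__main__":
    print(demo())
```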
From: ssorce at redhat.com (Simo Sorce)
Date: Thu, 14 Oct 2010 14:12:49 -0400
Subject: [Freeipa-devel] [PATCH] 576 change password doc string
In-Reply-To: <4CB62D40.9050409@redhat.com>
References: <4CB62D40.9050409@redhat.com>
Message-ID: <20101014141249.47df510a@willson.li.ssimo.org>

On Wed, 13 Oct 2010 18:05:52 -0400 Rob Crittenden wrote:

> Change the password doc string to indicate that the user will be
> prompted for the password.
>
> ticket 182
>
> rob

ACK (doesn't this fall under the oneline rule ?)

Simo.

--
Simo Sorce * Red Hat, Inc * New York

From ssorce at redhat.com Thu Oct 14 18:15:03 2010
From: ssorce at redhat.com (Simo Sorce)
Date: Thu, 14 Oct 2010 14:15:03 -0400
Subject: [Freeipa-devel] [PATCH] 575 compare resolver and dns reverse lookups
In-Reply-To: <4CB5B49C.1040500@redhat.com>
References: <4CB5B49C.1040500@redhat.com>
Message-ID: <20101014141503.6f10d0ab@willson.li.ssimo.org>

On Wed, 13 Oct 2010 09:31:08 -0400 Rob Crittenden wrote:

> We check the resolver against the resolver and DNS against DNS but
> not the resolver against DNS so if something is wrong in /etc/hosts
> we don't catch it and nasty connection messages occur.
>
> Also fix a problem where a bogus error message was being displayed
> because we were trying to close an unconnected LDAP connection.
>
> ticket 327
>
> Review this one carefully. It tested out ok on my relatively closed
> system but the implications are that you wouldn't be able to install
> at all or would have to pass --no-host-dns for installation to
> continue.
>
> I tested by setting my own host entry in /etc/host to a bogus IP addr.

ACK, looks good to me.

Simo.

--
Simo Sorce * Red Hat, Inc * New York

From rcritten at redhat.com Thu Oct 14 18:45:20 2010
From: rcritten at redhat.com (Rob Crittenden)
Date: Thu, 14 Oct 2010 14:45:20 -0400
Subject: [Freeipa-devel] [PATCH] 577 Grant /usr/sbin/ipa_kpasswd "name_bind" access.
Message-ID: <4CB74FC0.5000706@redhat.com>

Fix an SELinux problem by granting /usr/sbin/ipa_kpasswd "name_bind" access.

This requires selinux-policy-3.6.32-123 on F12 and I took an educated guess and set the minimum on F13 to selinux-policy-3.7.19-40.

ticket 73

rob
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-577-selinux.patch
Type: application/mbox
Size: 1393 bytes
Desc: not available
URL:

From rcritten at redhat.com Thu Oct 14 18:50:18 2010
From: rcritten at redhat.com (Rob Crittenden)
Date: Thu, 14 Oct 2010 14:50:18 -0400
Subject: [Freeipa-devel] [PATCH] 578 remove ldapi socket on uninstall
Message-ID: <4CB750EA.4090908@redhat.com>

Remove the directory server ldapi socket on uninstall.

ticket 350

rob
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-578-uninstall.patch
Type: application/mbox
Size: 864 bytes
Desc: not available
URL:

From ssorce at redhat.com Thu Oct 14 19:42:25 2010
From: ssorce at redhat.com (Simo Sorce)
Date: Thu, 14 Oct 2010 15:42:25 -0400
Subject: [Freeipa-devel] [PATCH] 578 remove ldapi socket on uninstall
In-Reply-To: <4CB750EA.4090908@redhat.com>
References: <4CB750EA.4090908@redhat.com>
Message-ID: <20101014154225.5bac0b36@willson.li.ssimo.org>

On Thu, 14 Oct 2010 14:50:18 -0400 Rob Crittenden wrote:

> Remove the directory server ldapi socket on uninstall.
>
> ticket 350
>

ACK

Simo.

--
Simo Sorce * Red Hat, Inc * New York

From ssorce at redhat.com Thu Oct 14 20:29:42 2010
From: ssorce at redhat.com (Simo Sorce)
Date: Thu, 14 Oct 2010 16:29:42 -0400
Subject: [Freeipa-devel] [PATCH] #319 better cope with ntp config files
Message-ID: <20101014162942.109933bd@willson.li.ssimo.org>

Instead of replacing the files altogether parse them and add only the options we care about.

For ntp.conf those are the server related options.
For sysconfig/ntpd we care about adding just -x and -g if missing

Simo.

--
Simo Sorce * Red Hat, Inc * New York
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0001-ntpdinstance-Do-not-replace-the-config-files-just-ad.patch
Type: text/x-patch
Size: 8228 bytes
Desc: not available
URL:

From rcritten at redhat.com Thu Oct 14 21:16:24 2010
From: rcritten at redhat.com (Rob Crittenden)
Date: Thu, 14 Oct 2010 17:16:24 -0400
Subject: [Freeipa-devel] [PATCH] Add flag to group-find to only search on private groups.
In-Reply-To: <4CB45B41.8090100@redhat.com>
References: <4CA5D87C.5010104@redhat.com> <4CB45B41.8090100@redhat.com>
Message-ID: <4CB77328.3040107@redhat.com>

Pavel Zuna wrote:
> On 10/01/2010 02:47 PM, Pavel Zuna wrote:
>> Ticket #251
>>
>> Pavel
>>
>>
>
> New version of patch attached. This time it should work. :) I renamed
> the flag from --privateonly to --private. Normal searches do not return
> private groups at all, while searches with this flag only return private
> groups.
>
> Pavel

This works a lot better than the last patch. The code itself is fine, I'd just ask that you add a test case for searching for private groups.

The test that is in this patch seems more geared for removing multiple users at once (which is a good thing) but doesn't actually work without this change:

--- a/tests/test_xmlrpc/test_user_plugin.py +++ b/tests/test_xmlrpc/test_user_plugin.py
@@ -358,7 +358,7 @@ class test_user(Declarative): loginshell=[u'/bin/sh'], objectclass=objectclasses.user, sn=[u'User2'], - uid=[user1], + uid=[user2], uidnumber=[fuzzy_digits], ipauniqueid=[fuzzy_uuid], dn=u'uid=tuser2,cn=users,cn=accounts,' + api.env.basedn, So NACK for now but its very close. rob From pzuna at redhat.com Thu Oct 14 21:19:33 2010 
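Review bot: in the expected entry of this hunk the changed line now reads `uid=[user2]`, but the unchanged dn line further down still spells the same login out by hand (`dn=u'uid=tuser2,cn=users,cn=accounts,' + api.env.basedn`). Building the dn from `user2` as well would keep the two fields tied together, so a copy-and-paste slip like the `uid=[user1]` this line replaces would show up as one wrong variable rather than as a mismatch inside a single expected record. This assumes `user2` holds `tuser2`, which the visible lines suggest but do not show.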
From: pzuna at redhat.com (Pavel Zůna)
Date: Thu, 14 Oct 2010 23:19:33 +0200
Subject: [Freeipa-devel] [PATCH] Check if attribute is single-value before trying to add values to it.
In-Reply-To: <4CB73BF7.9020703@redhat.com>
References: <4CB5AA3C.3020301@redhat.com> <4CB62C22.8060206@redhat.com> <4CB70486.1010009@redhat.com> <4CB73BF7.9020703@redhat.com>
Message-ID: <4CB773E5.9030808@redhat.com>

On 2010-10-14 19:20, Rob Crittenden wrote:
> Pavel Zuna wrote:
>> On 10/14/2010 12:01 AM, Rob Crittenden wrote:
>>> Pavel Zuna wrote:
>>>> This patch adds a check in ldap2 for single-value attributes. DS
>>>> doesn't
>>>> seem to care much about attributes being defined as SINGLE-VALUE except
>>>> for things like uidNumber and gidNumber (I suspect this is handled by
>>>> the DNA plugin).
>>>>
>>>> Ticket #246
>>>>
>>>> Pavel
>>>
>>> This is similar to ticket 220 which I have a pending patch for (patch
>>> 552). I think both patches are valid but we should test them together to
>>> be sure. Can you do that?
>>>
>>> rob
>>
>> I had to NACK your patch number 552, because the check was in the wrong
>> place.
>>
>> Both patches overlap in functionality, so I decided to merge them into a
>> new version of my original patch.
>>
>> I split the single-value check into two parts:
>>
>> First part is in baseldap classes (LDAPCreate, LDAPUpdate) and it checks
>> if we're not trying to add more values to a Param defined attribute,
>> that is not flagged as multivalue.
>>
>> Second part is in the ldap2 backend. It checks if we're not trying to
>> add more values to an attribute, that is defined as SINGLE-VALUE in the
>> schema. Unfortunately, it seems that python-ldap isn't capable of
>> reporting the SINGLE-VALUE flag reliably and DS doesn't enforce it at
>> all. In other words, this check is a bit weak, but still better than
>> nothing.
>>
>> I hope you don't mind I merged both patches, but it seemed simpler and
>> we can knock out 2 tickets in one commit. :)
>>
>> Ticket #230
>> Ticket #246
>>
>> Pavel
>
> Ack if you fix 2 things:
>
> 1. Change the error message of the exception to match the exception
> name, 'only one value allowed' instead of 'attribute is single-value'
Ok.

> 2. You added a space between desc and info in the DatabaseError
> exception. The example fails because there is no space after the colon
> (at least for me, since my editor wipes out trailing white space
> automatically). Can we either drop the space or add something for info
> to the example?
I choose to add something for info, because other exceptions make use of
a space after colon in their formats.

>
> rob

Version 3 attached.

Pavel
-------------- next part --------------
A non-text attachment was scrubbed...
Name: pzuna-freeipa-0032-3-singlevalue.patch
Type: text/x-patch
Size: 8362 bytes
Desc: not available
URL:

From rcritten at redhat.com Thu Oct 14 21:24:27 2010
From: rcritten at redhat.com (Rob Crittenden)
Date: Thu, 14 Oct 2010 17:24:27 -0400
Subject: [Freeipa-devel] [PATCH] 579 catch socket errors in client
Message-ID: <4CB7750B.2050705@redhat.com>

Catch socket errors in the client.

I ran into this playing around with the ipa command-line on an unconfigured machine.

ticket 382

rob
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-579-socket.patch
Type: application/mbox
Size: 1006 bytes
Desc: not available
URL:

From edewata at redhat.com Thu Oct 14 21:54:47 2010
From: edewata at redhat.com (Endi Sukma Dewata)
Date: Thu, 14 Oct 2010 17:54:47 -0400 (EDT)
Subject: [Freeipa-devel] [PATCH] Service certificate UI.
In-Reply-To: <790970098.488561287093245017.JavaMail.root@zmail05.collab.prod.int.phx2.redhat.com>
Message-ID: <898728645.488611287093287802.JavaMail.root@zmail05.collab.prod.int.phx2.redhat.com>

Hi,

Please review the following patch. It might still need to be rebased against Adam's Multivalue Fixes patch which is still being reviewed. Thanks!

https://fedorahosted.org/reviewboard/r/92/

The service.py has been modified to include certificate info in the service-show result if the service contains usercertificate.

A new file certificate.js has been added to store codes related to certificates (e.g. revocation reasons, dialog boxes). The service.js has been modified to provide the UI for certificate management. The certificate.js can also be used for host certificate management.

The Makefile.am and index.xhtml have been modified to include certificate.js. The test data files have been updated to include certificate info.

To test revoke and restore operations the server needs to be installed with dogtag CA instead of self-signed CA.

The certificate status and revocation reason in the details page will be implemented in subsequent patches. Unit tests and more test data will also be added in subsequent patches.

--
Endi S. Dewata
-------------- next part --------------
A non-text attachment was scrubbed...
Name: edewata-freeipa-0020-Service-certificate-UI.patch
Type: text/x-patch
Size: 33939 bytes
Desc: not available
URL:

From ayoung at redhat.com Fri Oct 15 01:42:07 2010
From: ayoung at redhat.com (Adam Young)
Date: Thu, 14 Oct 2010 21:42:07 -0400
Subject: [Freeipa-devel] [PATCH] admiyo-freeipa-0056-multivalue-fixes.patch
In-Reply-To: <4CB61BFF.3090702@redhat.com>
References: <4CB61BFF.3090702@redhat.com>
Message-ID: <4CB7B16F.2080709@redhat.com>

On 10/13/2010 04:52 PM, Adam Young wrote:
> Finally merged with changes from edewata:
>
> multivalue fixes. includes:
>
> metadata for phone numbers
> test date for users
> Undo works for multivalue
> JQuery UI buttons have custom classes
> inputs/fields are now managed inside of objects
>
>
> _______________________________________________
> Freeipa-devel mailing list
> Freeipa-devel at redhat.com
> https://www.redhat.com/mailman/listinfo/freeipa-devel

Phone numbers are less broken than before: they update and you can delete them, but there are still artifacts. I want to get this patch in to get past the integration conflicts. I'll fix the details on a follow on patch.
-------------- next part --------------
An HTML attachment was scrubbed...
URL:
-------------- next part --------------
A non-text attachment was scrubbed...
Name: admiyo-freeipa-0056-2-multivalue-fixes.patch
Type: text/x-patch
Size: 79139 bytes
Desc: not available
URL:

From rcritten at redhat.com Fri Oct 15 13:16:37 2010
From: rcritten at redhat.com (Rob Crittenden)
Date: Fri, 15 Oct 2010 09:16:37 -0400
Subject: [Freeipa-devel] [PATCH] Check if attribute is single-value before trying to add values to it.
In-Reply-To: <4CB773E5.9030808@redhat.com>
References: <4CB5AA3C.3020301@redhat.com> <4CB62C22.8060206@redhat.com> <4CB70486.1010009@redhat.com> <4CB73BF7.9020703@redhat.com> <4CB773E5.9030808@redhat.com>
Message-ID: <4CB85435.6060100@redhat.com>

Pavel Zůna wrote:
> On 2010-10-14 19:20, Rob Crittenden wrote:
>> Pavel Zuna wrote:
>>> On 10/14/2010 12:01 AM, Rob Crittenden wrote:
>>>> Pavel Zuna wrote:
>>>>> This patch adds a check in ldap2 for single-value attributes. DS
>>>>> doesn't
>>>>> seem to care much about attributes being defined as SINGLE-VALUE
>>>>> except
>>>>> for things like uidNumber and gidNumber (I suspect this is handled by
>>>>> the DNA plugin).
>>>>>
>>>>> Ticket #246
>>>>>
>>>>> Pavel
>>>>
>>>> This is similar to ticket 220 which I have a pending patch for (patch
>>>> 552). I think both patches are valid but we should test them
>>>> together to
>>>> be sure. Can you do that?
>>>>
>>>> rob
>>>
>>> I had to NACK your patch number 552, because the check was in the wrong
>>> place.
>>>
>>> Both patches overlap in functionality, so I decided to merge them into a
>>> new version of my original patch.
>>>
>>> I split the single-value check into two parts:
>>>
>>> First part is in baseldap classes (LDAPCreate, LDAPUpdate) and it checks
>>> if we're not trying to add more values to a Param defined attribute,
>>> that is not flagged as multivalue.
>>>
>>> Second part is in the ldap2 backend. It checks if we're not trying to
>>> add more values to an attribute, that is defined as SINGLE-VALUE in the
>>> schema. Unfortunately, it seems that python-ldap isn't capable of
>>> reporting the SINGLE-VALUE flag reliably and DS doesn't enforce it at
>>> all. In other words, this check is a bit weak, but still better than
>>> nothing.
>>>
>>> I hope you don't mind I merged both patches, but it seemed simpler and
>>> we can knock out 2 tickets in one commit. :)
>>>
>>> Ticket #230
>>> Ticket #246
>>>
>>> Pavel
>>
>> Ack if you fix 2 things:
>>
>> 1. Change the error message of the exception to match the exception
>> name, 'only one value allowed' instead of 'attribute is single-value'
> Ok.
>
>> 2. You added a space between desc and info in the DatabaseError
>> exception. The example fails because there is no space after the colon
>> (at least for me, since my editor wipes out trailing white space
>> automatically). Can we either drop the space or add something for info
>> to the example?
> I choose to add something for info, because other exceptions make use of
> a space after colon in their formats.
>
>>
>> rob
>
> Version 3 attached.
>
> Pavel

Ack, just fix the doctest case for OnlyOneValueAllowed() before pushing.
The doctest still has the old text for the exception.

rob

From rcritten at redhat.com Fri Oct 15 13:36:29 2010
From: rcritten at redhat.com (Rob Crittenden)
Date: Fri, 15 Oct 2010 09:36:29 -0400
Subject: [Freeipa-devel] [PATCH] 580 admintools requires ipa-client, requires config
Message-ID: <4CB858DD.7040802@redhat.com>

Add Requires on ipa-client to ipa-admintools, ensure ipa client is
configured. It makes little sense to install ipa-admintools without
ipa-client, require it.

Also see if the client has been configured. This is a bit tricky
since we have a full set of defaults. Add a new env option that gets
set if at least one configuration file is loaded.

ticket 213
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-580-client.patch
Type: application/mbox
Size: 3530 bytes
Desc: not available
URL:

From jdennis at redhat.com Fri Oct 15 14:03:09 2010
From: jdennis at redhat.com (John Dennis)
Date: Fri, 15 Oct 2010 10:03:09 -0400
Subject: [Freeipa-devel] [PATCH 18/18] Update Polish translation
Message-ID: <4CB85F1D.2050108@redhat.com>

--
John Dennis

Looking to carve out IT costs?
www.redhat.com/carveoutcosts/
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0018-Update-Polish-translation.patch
Type: text/x-patch
Size: 31568 bytes
Desc: not available
URL:

From rcritten at redhat.com Fri Oct 15 14:05:50 2010
From: rcritten at redhat.com (Rob Crittenden)
Date: Fri, 15 Oct 2010 10:05:50 -0400
Subject: [Freeipa-devel] [PATCH] #319 better cope with ntp config files
In-Reply-To: <20101014162942.109933bd@willson.li.ssimo.org>
References: <20101014162942.109933bd@willson.li.ssimo.org>
Message-ID: <4CB85FBE.10608@redhat.com>

Simo Sorce wrote:
>
> Instead of replacing the files altogether parse them and add only the
> options we care about.
>
> For ntp.conf those are the server related options.
> For sysconfig/ntpd we care of adding just -x and -g if missing
>
> Simo.
>

nack, I don't think this will work.

A few comments on the python. You use some C-like syntax with match = 0,
should probably be match = False (as you use elsewhere, with
file_changed).

You don't need the string module to use split, so instead of:

opt = string.split(line, " ")

You can do:

opt = line.split(" ")

But what you really want, I think is:

opt = line.split()

If you split on None it splits on white space, not a single space. The
difference is:

>>> line = 'server  127.127.1.0     # local clock'
>>> line.split()
['server', '127.127.1.0', '#', 'local', 'clock']
>>> line.split(' ')
['server', '', '127.127.1.0', '', '', '', '', '#', 'local', 'clock']

Note the extra space after server in the last entry. This would cause
your conditional to fail (if opt[1] == srv).

I'm not sure your loop for srv actually does the right thing. I wonder
if you wanted to set match = 0 within the for loop.

rob

From rcritten at redhat.com Fri Oct 15 14:07:15 2010
From: rcritten at redhat.com (Rob Crittenden)
Date: Fri, 15 Oct 2010 10:07:15 -0400
Subject: [Freeipa-devel] [PATCH 18/18] Update Polish translation
In-Reply-To: <4CB85F1D.2050108@redhat.com>
References: <4CB85F1D.2050108@redhat.com>
Message-ID: <4CB86013.3000709@redhat.com>

John Dennis wrote:
>
>
>
> _______________________________________________
> Freeipa-devel mailing list
> Freeipa-devel at redhat.com
> https://www.redhat.com/mailman/listinfo/freeipa-devel

ack, pushed to master

From ssorce at redhat.com Fri Oct 15 14:23:29 2010
From: ssorce at redhat.com (Simo Sorce)
Date: Fri, 15 Oct 2010 10:23:29 -0400
Subject: [Freeipa-devel] [PATCH] 580 admintools requires ipa-client, requires config
In-Reply-To: <4CB858DD.7040802@redhat.com>
References: <4CB858DD.7040802@redhat.com>
Message-ID: <20101015102329.6bea91af@willson.li.ssimo.org>

On Fri, 15 Oct 2010 09:36:29 -0400
Rob Crittenden wrote:

> Add Requires on ipa-client to ipa-admintools, ensure ipa client is
> configured. It makes little sense to install ipa-admintools without
> ipa-client, require it.
>
> Also see if the client has been configured. This is a bit tricky
> since we have a full set of defaults. Add a new env option that gets
> set if at least one configuration file is loaded.
>
> ticket 213

ACK.

Simo.

--
Simo Sorce * Red Hat, Inc * New York

From ssorce at redhat.com Fri Oct 15 14:24:26 2010
From: ssorce at redhat.com (Simo Sorce)
Date: Fri, 15 Oct 2010 10:24:26 -0400
Subject: [Freeipa-devel] [PATCH] 579 catch socket errors in client
In-Reply-To: <4CB7750B.2050705@redhat.com>
References: <4CB7750B.2050705@redhat.com>
Message-ID: <20101015102426.4b602e33@willson.li.ssimo.org>

On Thu, 14 Oct 2010 17:24:27 -0400
Rob Crittenden wrote:

> Catch socket errors in the client. I ran into this playing around
> with the ipa command-line on an unconfigured machine.
>
> ticket 382
>
> rob

ACK.

Simo.

--
Simo Sorce * Red Hat, Inc * New York

From ssorce at redhat.com Fri Oct 15 14:27:59 2010
From: ssorce at redhat.com (Simo Sorce)
Date: Fri, 15 Oct 2010 10:27:59 -0400
Subject: [Freeipa-devel] [PATCH] #319 better cope with ntp config files
In-Reply-To: <4CB85FBE.10608@redhat.com>
References: <20101014162942.109933bd@willson.li.ssimo.org> <4CB85FBE.10608@redhat.com>
Message-ID: <20101015102759.51ffb927@willson.li.ssimo.org>

On Fri, 15 Oct 2010 10:05:50 -0400
Rob Crittenden wrote:

> Simo Sorce wrote:
> >
> > Instead of replacing the files altogether parse them and add only
> > the options we care about.
> >
> > For ntp.conf those are the server related options.
> > For sysconfig/ntpd we care of adding just -x and -g if missing
> >
> > Simo.
> >
>
> nack, I don't think this will work.

my tests did work, but I haven't tried all possibilities indeed.

> A few comments on the python. You use some C-like syntax with match =
> 0, should probably be match = False (as you use elsewhere, with
> file_changed).
>
> You don't need the string module to use split, so instead of:
>
> opt = string.split(line, " ")
>
> You can do:
>
> opt = line.split(" ")
>
> But what you really want, I think is:
>
> opt = line.split()

ok, will change these.

> If you split on None it splits on white space, not a single space.
> The difference is:
>
> >>> line = 'server  127.127.1.0     # local clock'
> >>> line.split()
> ['server', '127.127.1.0', '#', 'local', 'clock']
> >>> line.split(' ')
> ['server', '', '127.127.1.0', '', '', '', '', '#', 'local', 'clock']
>
> Note the extra space after server in the last entry. This would cause
> your conditional to fail (if opt[1] == srv).

Right, thanks for catching this, my python got a bit rusty in the last
few months :)

> I'm not sure your loop for srv actually does the right thing. I
> wonder if you wanted to set match = 0 within the for loop.

Well, according to my testing it does.
But I'll re-check.

Simo.

--
Simo Sorce * Red Hat, Inc * New York

From ayoung at redhat.com Fri Oct 15 15:24:24 2010
From: ayoung at redhat.com (Adam Young)
Date: Fri, 15 Oct 2010 11:24:24 -0400
Subject: [Freeipa-devel] [PATCH] Service certificate UI.
In-Reply-To: <898728645.488611287093287802.JavaMail.root@zmail05.collab.prod.int.phx2.redhat.com>
References: <898728645.488611287093287802.JavaMail.root@zmail05.collab.prod.int.phx2.redhat.com>
Message-ID: <4CB87228.9000308@redhat.com>

On 10/14/2010 05:54 PM, Endi Sukma Dewata wrote:
> Hi,
>
> Please review the following patch. It might still need to be
> rebased against Adam's Multivalue Fixes patch which is still
> being reviewed. Thanks!
>
> https://fedorahosted.org/reviewboard/r/92/
>
> The service.py has been modified to include certificate info in
> the service-show result if the service contains usercertificate.
>
> A new file certificate.js has been added to store codes related
> to certificates (e.g. revocation reasons, dialog boxes). The
> service.js has been modified to provide the UI for certificate
> management. The certificate.js can also be used for host
> certificate management.
>
> The Makefile.am and index.xhtml have been modified to include
> certificate.js. The test data files have been updated to include
> certificate info.
>
> To test revoke and restore operations the server needs to be
> installed with dogtag CA instead of self-signed CA.
>
> The certificate status and revocation reason in the details page
> will be implemented in subsequent patches. Unit tests and more
> test data will also be added in subsequent patches.
>
> --
> Endi S. Dewata
>
>
>
> _______________________________________________
> Freeipa-devel mailing list
> Freeipa-devel at redhat.com
> https://www.redhat.com/mailman/listinfo/freeipa-devel

ACK, subject to a rebase on top of my pending patch for multivalues
-------------- next part --------------
An HTML attachment was scrubbed...
URL:

From ssorce at redhat.com Fri Oct 15 15:29:08 2010
From: ssorce at redhat.com (Simo Sorce)
Date: Fri, 15 Oct 2010 11:29:08 -0400
Subject: [Freeipa-devel] [PATCH] #319 better cope with ntp config files
In-Reply-To: <20101015102759.51ffb927@willson.li.ssimo.org>
References: <20101014162942.109933bd@willson.li.ssimo.org> <4CB85FBE.10608@redhat.com> <20101015102759.51ffb927@willson.li.ssimo.org>
Message-ID: <20101015112908.520a15cd@willson.li.ssimo.org>

On Fri, 15 Oct 2010 10:27:59 -0400
Simo Sorce wrote:

> Right, thanks for catching this, my python got a bit rusty in the last
> few months :)

Ok, changed the patch according to your guidelines, and retested.
Also caught a bug that didn't show up with the previous way I did
stripping.

> > I'm not sure your loop for srv actually does the right thing. I
> > wonder if you wanted to set match = 0 within the for loop.
>
> Well, according to my testing it does.
> But I'll re-check.

Re-checked, yes the way I use match is how I intended it, it is useful
only for the inner for loop.

Testing shows I can correctly match entries with arbitrary spacing now.

Simo.

--
Simo Sorce * Red Hat, Inc * New York
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0001-ntpdinstance-Do-not-replace-the-config-files-just-ad.patch
Type: text/x-patch
Size: 8161 bytes
Desc: not available
URL:

From ssorce at redhat.com Fri Oct 15 15:30:59 2010
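The whitespace-splitting point raised in the review above, together with the "add only the options that are missing" approach the thread describes, as an added example. This is not code from the patch (the attachment is not in the archive); the function names and the sample file contents are constructed for illustration.

```python
import re

# Constructed sample ntp.conf: repeated spaces, a tab, a commented-out server.
SAMPLE_NTP_CONF = (
    "# constructed sample ntp.conf\n"
    "restrict default kod nomodify\n"
    "server  127.127.1.0     # local clock\n"
    "server\t0.pool.example.test iburst\n"
    "#server 1.pool.example.test\n"
)

# Constructed sample /etc/sysconfig/ntpd with -g present and -x missing.
SAMPLE_SYSCONFIG = 'OPTIONS="-u ntp:ntp -p /var/run/ntpd.pid -g"\n'

OPTIONS_RE = re.compile(r"""^OPTIONS=(["']?)(.*?)\1\s*$""")


def has_server(conf_text, server):
    """True if an active 'server <name>' line exists, whatever the spacing."""
    for line in conf_text.splitlines():
        opt = line.split()  # no argument: split on any run of whitespace
        if len(opt) >= 2 and opt[0] == "server" and opt[1] == server:
            return True
    return False


def has_server_naive(conf_text, server):
    """Fragile variant: split(' ') yields empty fields on repeated spaces."""
    for line in conf_text.splitlines():
        opt = line.split(" ")
        if len(opt) >= 2 and opt[0] == "server" and opt[1] == server:
            return True
    return False


def ensure_servers(conf_text, servers):
    """Append only the missing server lines. Returns (new_text, changed)."""
    missing = [s for s in servers if not has_server(conf_text, s)]
    if not missing:
        return conf_text, False
    lines = conf_text.splitlines()
    lines.extend("server %s" % s for s in missing)
    return "\n".join(lines) + "\n", True


def ensure_ntpd_options(sysconfig_text, required=("-x", "-g")):
    """Add required flags to the OPTIONS line if absent.

    Assumption: flags are matched as separate tokens; a combined form
    such as '-gx' is not recognised by this sketch.
    """
    lines = sysconfig_text.splitlines()
    changed = False
    found = False
    for i, line in enumerate(lines):
        m = OPTIONS_RE.match(line.strip())
        if not m:
            continue
        found = True
        opts = m.group(2).split()
        missing = [f for f in required if f not in opts]
        if missing:
            lines[i] = 'OPTIONS="%s"' % " ".join(opts + missing)
            changed = True
    if not found:
        # No OPTIONS line at all: add one carrying just the required flags.
        lines.append('OPTIONS="%s"' % " ".join(required))
        changed = True
    return "\n".join(lines) + "\n", changed


if __name__ == "__main__":
    print(has_server(SAMPLE_NTP_CONF, "127.127.1.0"))
    print(has_server_naive(SAMPLE_NTP_CONF, "127.127.1.0"))
    print(ensure_servers(SAMPLE_NTP_CONF, ["127.127.1.0", "1.pool.example.test"])[0])
    print(ensure_ntpd_options(SAMPLE_SYSCONFIG)[0])
```

Both `ensure_*` functions return a changed flag so a caller can skip rewriting the file (and restarting the service) when nothing was added.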
From: ssorce at redhat.com (Simo Sorce)
Date: Fri, 15 Oct 2010 11:30:59 -0400
Subject: [Freeipa-devel] [PATCH] Remove unused plugin
Message-ID: <20101015113059.72ff02a2@willson.li.ssimo.org>

ipa-memberof is unused, now we use the memberof version embedded in 389
DS which has bugfixes not reflected in this code.
Therefore this patch removes the ipa-memberof code.

RIP

Simo.

--
Simo Sorce * Red Hat, Inc * New York
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0001-Remove-ipa-memberof-memberof-plugin-is-now-included-.patch
Type: text/x-patch
Size: 79414 bytes
Desc: not available
URL:

From dpal at redhat.com Fri Oct 15 15:36:50 2010
From: dpal at redhat.com (Dmitri Pal)
Date: Fri, 15 Oct 2010 11:36:50 -0400
Subject: [Freeipa-devel] Some thoughts about login services
Message-ID: <4CB87512.8080609@redhat.com>

Hello,

Currently HBAC login group is defined as:
objectClasses: (2.16.840.1.113730.3.8.4.11 NAME 'ipaHBACServiceGroup'
DESC 'IPA HBAC service group object class' SUP nestedGroup STRUCTURAL
X-ORIGIN 'IPA v2' )

Which means it can be nested.

In the recent discussion about SUDO and groups of SUDO commands we
settled down on the
objectClasses: (2.16.840.1.113730.3.8.8.3 NAME 'ipaSudoCmdGrp' DESC 'IPA
object class to store groups of SUDO commands' SUP groupOfNames MUST (
ipaUniqueID ) STRUCTURAL X-ORIGIN 'IPA v2' )

Which we decided should not support nesting.
Looking at the UI for the HBAC and complexity of the manipulation with
the HBAC object and related hbac services and groups of those it
occurred to me that one of the simplifications that we can have is
disallowing nesting of the HBAC login groups. It is expected that there
will be not many of those anyways. If we need it later we will change it
to support nesting. However the nesting is already implemented in CLI
and actually works. I tried and everything is documented and seems ok.

But group nesting in UI is a bit of nightmare. It is unclear whether the
nesting is actually a use case that we need to support here.

Thoughts?

--
Thank you,
Dmitri Pal

Engineering Manager IPA project,
Red Hat Inc.

-------------------------------
Looking to carve out IT costs?
www.redhat.com/carveoutcosts/

From ssorce at redhat.com Fri Oct 15 16:03:02 2010
From: ssorce at redhat.com (Simo Sorce)
Date: Fri, 15 Oct 2010 12:03:02 -0400
Subject: [Freeipa-devel] Some thoughts about login services
In-Reply-To: <4CB87512.8080609@redhat.com>
References: <4CB87512.8080609@redhat.com>
Message-ID: <20101015120302.7183fe25@willson.li.ssimo.org>

On Fri, 15 Oct 2010 11:36:50 -0400
Dmitri Pal wrote:

> Hello,
>
> Currently HBAC login group is defined as:
> objectClasses: (2.16.840.1.113730.3.8.4.11 NAME 'ipaHBACServiceGroup'
> DESC 'IPA HBAC service group object class' SUP nestedGroup STRUCTURAL
> X-ORIGIN 'IPA v2' )
>
> Which means it can be nested.
>
> In the recent discussion about SUDO and groups of SUDO commands we
> settled down on the
> objectClasses: (2.16.840.1.113730.3.8.8.3 NAME 'ipaSudoCmdGrp' DESC
> 'IPA object class to store groups of SUDO commands' SUP groupOfNames
> MUST ( ipaUniqueID ) STRUCTURAL X-ORIGIN 'IPA v2' )
>
> Which we decided should not support nesting.
> Looking at the UI for the HBAC and complexity of the manipulation with
> the HBAC object and related hbac services and groups of those it
> occurred to me that one of the simplifications that we can have is
> disallowing nesting of the HBAC login groups. It is expected that
> there will be not many of those anyways. If we need it later we will
> change it to support nesting. However the nesting is already
> implemented in CLI and actually works. I tried and everything is
> documented and seems ok.
>
> But group nesting in UI is a bit of nightmare. It is unclear whether
> the nesting is actually a use case that we need to support here.
>
> Thoughts?

Unless there is a good reason to prevent nesting then I don't think
it makes sense to undo what has already been done.
If complexity is perceived as problematic then what we can do is
provide guidelines on how/when it is or not appropriate to use nesting.

Simo.

--
Simo Sorce * Red Hat, Inc * New York

From ayoung at redhat.com Fri Oct 15 16:28:00 2010
From: ayoung at redhat.com (Adam Young)
Date: Fri, 15 Oct 2010 12:28:00 -0400
Subject: [Freeipa-devel] [PATCH] admiyo-freeipa-0056-multivalue-fixes.patch
In-Reply-To: <4CB7B16F.2080709@redhat.com>
References: <4CB61BFF.3090702@redhat.com> <4CB7B16F.2080709@redhat.com>
Message-ID: <4CB88110.4020109@redhat.com>

On 10/14/2010 09:42 PM, Adam Young wrote:
> On 10/13/2010 04:52 PM, Adam Young wrote:
>> Finally merged with changes from edewata:
>>
>> multivalue fixes. includes:
>>
>> metadata for phone numbers
>> test date for users
>> Undo works for multivalue
>> JQuery UI buttons have custom classes
>> inputs/fields are now managed inside of objects
>>
>>
>> _______________________________________________
>> Freeipa-devel mailing list
>> Freeipa-devel at redhat.com
>> https://www.redhat.com/mailman/listinfo/freeipa-devel
> Phone numbers are less broken than before: they update and you can
> delete them, but there are still artifacts. I want to get this patch
> in to get past the integration conflicts. I'll fix the details on a
> follow on patch.
>
>
> _______________________________________________
> Freeipa-devel mailing list
> Freeipa-devel at redhat.com
> https://www.redhat.com/mailman/listinfo/freeipa-devel
removed the use of .call. as it was confusing the issue of
mismatched parameter lists.
Fixed the parameter lists, too.
-------------- next part --------------
An HTML attachment was scrubbed...
URL:
-------------- next part --------------
A non-text attachment was scrubbed...
Name: admiyo-freeipa-0056-3-multivalue-fixes.patch
Type: text/x-patch
Size: 80392 bytes
Desc: not available
URL:

From ayoung at redhat.com Fri Oct 15 16:52:53 2010
From: ayoung at redhat.com (Adam Young)
Date: Fri, 15 Oct 2010 12:52:53 -0400
Subject: [Freeipa-devel] [PATCH] admiyo-freeipa-0056-multivalue-fixes.patch
In-Reply-To: <4CB88110.4020109@redhat.com>
References: <4CB61BFF.3090702@redhat.com> <4CB7B16F.2080709@redhat.com> <4CB88110.4020109@redhat.com>
Message-ID: <4CB886E5.2030101@redhat.com>

On 10/15/2010 12:28 PM, Adam Young wrote:
> On 10/14/2010 09:42 PM, Adam Young wrote:
>> On 10/13/2010 04:52 PM, Adam Young wrote:
>>> Finally merged with changes from edewata:
>>>
>>> multivalue fixes. includes:
>>>
>>> metadata for phone numbers
>>> test date for users
>>> Undo works for multivalue
>>> JQuery UI buttons have custom classes
>>> inputs/fields are now managed inside of objects
>>>
>>>
>>> _______________________________________________
>>> Freeipa-devel mailing list
>>> Freeipa-devel at redhat.com
>>> https://www.redhat.com/mailman/listinfo/freeipa-devel
>> Phone numbers are less broken than before: they update and you can
>> delete them, but there are still artifacts. I want to get this patch
>> in to get past the integration conflicts. I'll fix the details on a
>> follow on patch.
>>
>>
>> _______________________________________________
>> Freeipa-devel mailing list
>> Freeipa-devel at redhat.com
>> https://www.redhat.com/mailman/listinfo/freeipa-devel
> removed the use of .call. as it was confusing the issue of
> mismatched parameter lists.
> Fixed the parameter lists, too.
>
>
> _______________________________________________
> Freeipa-devel mailing list
> Freeipa-devel at redhat.com
> https://www.redhat.com/mailman/listinfo/freeipa-devel
ACKed in IRC and pushed to master
-------------- next part --------------
An HTML attachment was scrubbed...
URL:

From rcritten at redhat.com Fri Oct 15 17:07:43 2010
From: rcritten at redhat.com (Rob Crittenden)
Date: Fri, 15 Oct 2010 13:07:43 -0400
Subject: [Freeipa-devel] Some thoughts about login services
In-Reply-To: <4CB87512.8080609@redhat.com>
References: <4CB87512.8080609@redhat.com>
Message-ID: <4CB88A5F.5090808@redhat.com>

Dmitri Pal wrote:
> Hello,
>
> Currently HBAC login group is defined as:
> objectClasses: (2.16.840.1.113730.3.8.4.11 NAME 'ipaHBACServiceGroup'
> DESC 'IPA HBAC service group object class' SUP nestedGroup STRUCTURAL
> X-ORIGIN 'IPA v2' )
>
> Which means it can be nested.
>
> In the recent discussion about SUDO and groups of SUDO commands we
> settled down on the
> objectClasses: (2.16.840.1.113730.3.8.8.3 NAME 'ipaSudoCmdGrp' DESC 'IPA
> object class to store groups of SUDO commands' SUP groupOfNames MUST (
> ipaUniqueID ) STRUCTURAL X-ORIGIN 'IPA v2' )
>
> Which we decided should not support nesting.
> Looking at the UI for the HBAC and complexity of the manipulation with
> the HBAC object and related hbac services and groups of those it
> occurred to me that one of the simplifications that we can have is
> disallowing nesting of the HBAC login groups. It is expected that there
> will be not many of those anyways. If we need it later we will change it
> to support nesting. However the nesting is already implemented in CLI
> and actually works. I tried and everything is documented and seems ok.
>
> But group nesting in UI is a bit of nightmare. It is unclear whether the
> nesting is actually a use case that we need to support here.
>
> Thoughts?
>

It seems like there aren't that many services available for HBAC,
probably less than a dozen, so nested groups is probably overkill here.

rob

From ayoung at redhat.com Fri Oct 15 17:12:59 2010
From: ayoung at redhat.com (Adam Young)
Date: Fri, 15 Oct 2010 13:12:59 -0400
Subject: [Freeipa-devel] [PATCH] admiyo-freeipa-0056-removing-dead-files
Message-ID: <4CB88B9B.7070406@redhat.com>

Like the journey song, these should have been gone, long ago.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: admiyo-freeipa-0056-removing-dead-files.patch
Type: text/x-patch
Size: 5453 bytes
Desc: not available
URL:

From dpal at redhat.com Fri Oct 15 17:18:18 2010
From: dpal at redhat.com (Dmitri Pal)
Date: Fri, 15 Oct 2010 13:18:18 -0400
Subject: [Freeipa-devel] Some thoughts about login services
In-Reply-To: <20101015120302.7183fe25@willson.li.ssimo.org>
References: <4CB87512.8080609@redhat.com> <20101015120302.7183fe25@willson.li.ssimo.org>
Message-ID: <4CB88CDA.7000705@redhat.com>

Simo Sorce wrote:
> On Fri, 15 Oct 2010 11:36:50 -0400
> Dmitri Pal wrote:
>
>
>> Hello,
>>
>> Currently HBAC login group is defined as:
>> objectClasses: (2.16.840.1.113730.3.8.4.11 NAME 'ipaHBACServiceGroup'
>> DESC 'IPA HBAC service group object class' SUP nestedGroup STRUCTURAL
>> X-ORIGIN 'IPA v2' )
>>
>> Which means it can be nested.
>>
>> In the recent discussion about SUDO and groups of SUDO commands we
>> settled down on the
>> objectClasses: (2.16.840.1.113730.3.8.8.3 NAME 'ipaSudoCmdGrp' DESC
>> 'IPA object class to store groups of SUDO commands' SUP groupOfNames
>> MUST ( ipaUniqueID ) STRUCTURAL X-ORIGIN 'IPA v2' )
>>
>> Which we decided should not support nesting.
>> Looking at the UI for the HBAC and complexity of the manipulation with
>> the HBAC object and related hbac services and groups of those it
>> occurred to me that one of the simplifications that we can have is
>> disallowing nesting of the HBAC login groups. It is expected that
>> there will be not many of those anyways. If we need it later we will
>> change it to support nesting. However the nesting is already
>> implemented in CLI and actually works. I tried and everything is
>> documented and seems ok.
>>
>> But group nesting in UI is a bit of nightmare. It is unclear whether
>> the nesting is actually a use case that we need to support here.
>>
>> Thoughts?
>>
>
> Unless there is a good reason to prevent nesting then I don't think
> it makes sense to undo what has already been done.
> If complexity is perceived as problematic then what we can do is
> provide guidelines on how/when it is or not appropriate to use nesting.
>
> Simo.
>
>
The dilemma here is:
* Undo schema and CLI to simplify UI
Pros: less work in UI
Cons: reduces functionality and undoes what is already done (affects
help and CLI)
* Implement UI to handle nesting and do not touch schema and CLI
Pros: Does not undo anything and does not reduce functionality that
someone might want at some point
Con: Much more work in UI
* Leave CLI and schema as is but in UI not support nesting
Pros: Medium amount of work
Cons: Ugly

I do not know what is the best approach here.
IMO first option is less risky and less work.

--
Thank you,
Dmitri Pal

Engineering Manager IPA project,
Red Hat Inc.

-------------------------------
Looking to carve out IT costs?
www.redhat.com/carveoutcosts/

From ssorce at redhat.com Fri Oct 15 17:34:00 2010
From: ssorce at redhat.com (Simo Sorce)
Date: Fri, 15 Oct 2010 13:34:00 -0400
Subject: [Freeipa-devel] Some thoughts about login services
In-Reply-To: <4CB88CDA.7000705@redhat.com>
References: <4CB87512.8080609@redhat.com> <20101015120302.7183fe25@willson.li.ssimo.org> <4CB88CDA.7000705@redhat.com>
Message-ID: <20101015133400.7737fd90@willson.li.ssimo.org>

On Fri, 15 Oct 2010 13:18:18 -0400
Dmitri Pal wrote:

> Simo Sorce wrote:
> > On Fri, 15 Oct 2010 11:36:50 -0400
> > Dmitri Pal wrote:
> >
> >
> >> Hello,
> >>
> >> Currently HBAC login group is defined as:
> >> objectClasses: (2.16.840.1.113730.3.8.4.11 NAME
> >> 'ipaHBACServiceGroup' DESC 'IPA HBAC service group object class'
> >> SUP nestedGroup STRUCTURAL X-ORIGIN 'IPA v2' )
> >>
> >> Which means it can be nested.
> >>
> >> In the recent discussion about SUDO and groups of SUDO commands we
> >> settled down on the
> >> objectClasses: (2.16.840.1.113730.3.8.8.3 NAME 'ipaSudoCmdGrp' DESC
> >> 'IPA object class to store groups of SUDO commands' SUP
> >> groupOfNames MUST ( ipaUniqueID ) STRUCTURAL X-ORIGIN 'IPA v2' )
> >>
> >> Which we decided should not support nesting.
> >> Looking at the UI for the HBAC and complexity of the manipulation
> >> with the HBAC object and related hbac services and groups of those
> >> it occurred to me that one of the simplifications that we can have
> >> is disallowing nesting of the HBAC login groups. It is expected
> >> that there will be not many of those anyways. If we need it later
> >> we will change it to support nesting. However the nesting is
> >> already implemented in CLI and actually works. I tried and
> >> everything is documented and seems ok.
> >>
> >> But group nesting in UI is a bit of nightmare. It is unclear
> >> whether the nesting is actually a use case that we need to support
> >> here.
> >>
> >> Thoughts?
> >>
> >
> > Unless there is a good reason to prevent nesting then I don't think
> > it makes sense to undo what has already been done.
> > If complexity is perceived as problematic then what we can do is
> > provide guidelines on how/when it is or not appropriate to use
> > nesting.
> >
> > Simo.
> >
> >
> The dilemma here is:
> * Undo schema and CLI to simplify UI
> Pros: less work in UI
> Cons: reduces functionality and undoes what is already done (affects
> help and CLI)
> * Implement UI to handle nesting and do not touch schema and CLI
> Pros: Does not undo anything and does not reduce functionality that
> someone might want at some point
> Con: Much more work in UI
> * Leave CLI and schema as is but in UI not support nesting
> Pros: Medium amount of work
> Cons: Ugly
>
> I do not know what is the best approach here.
> IMO first option is less risky and less work.

I'd go for the last one, may be ugly, but does not undo anything that
already works and has the effect of simplifying the UI which is what
you are after right now. Of course that also means the UI will have to
cope (maybe disabling editing) with any entry that has been nested
through the CLI or over LDAP directly.

This is assuming the UI work would really be more complex. We have
nesting to support for other things already so I am not sure it would
really be substantially less work to do the same thing elsewhere, I bet
a lot of code could simply be reused.

Simo.

--
Simo Sorce * Red Hat, Inc * New York

From edewata at redhat.com Fri Oct 15 17:47:25 2010
From: edewata at redhat.com (Endi Sukma Dewata)
Date: Fri, 15 Oct 2010 13:47:25 -0400 (EDT)
Subject: [Freeipa-devel] [PATCH] Service certificate UI.
In-Reply-To: <1779034812.575111287164672077.JavaMail.root@zmail05.collab.prod.int.phx2.redhat.com>
Message-ID: <1612917312.575321287164845537.JavaMail.root@zmail05.collab.prod.int.phx2.redhat.com>

----- "Adam Young" wrote:

>> https://fedorahosted.org/reviewboard/r/92/

> ACK, subject to
> a rebase on top of my pending patch for multivalues

Rebased on top of your patch.
Added some test data files.

--
Endi S. Dewata
-------------- next part --------------
A non-text attachment was scrubbed...
Name: edewata-freeipa-0020-2-Service-certificate-UI.patch
Type: text/x-patch
Size: 37036 bytes
Desc: not available
URL:

From dpal at redhat.com Fri Oct 15 18:12:22 2010
From: dpal at redhat.com (Dmitri Pal)
Date: Fri, 15 Oct 2010 14:12:22 -0400
Subject: [Freeipa-devel] Some thoughts about login services
In-Reply-To: <20101015133400.7737fd90@willson.li.ssimo.org>
References: <4CB87512.8080609@redhat.com> <20101015120302.7183fe25@willson.li.ssimo.org> <4CB88CDA.7000705@redhat.com> <20101015133400.7737fd90@willson.li.ssimo.org>
Message-ID: <4CB89986.8060302@redhat.com>

Simo Sorce wrote:
> On Fri, 15 Oct 2010 13:18:18 -0400
> Dmitri Pal wrote:
>
>
>> Simo Sorce wrote:
>>
>>> On Fri, 15 Oct 2010 11:36:50 -0400
>>> Dmitri Pal wrote:
>>>
>>>
>>>
>>>> Hello,
>>>>
>>>> Currently HBAC login group is defined as:
>>>> objectClasses: (2.16.840.1.113730.3.8.4.11 NAME
>>>> 'ipaHBACServiceGroup' DESC 'IPA HBAC service group object class'
>>>> SUP nestedGroup STRUCTURAL X-ORIGIN 'IPA v2' )
>>>>
>>>> Which means it can be nested.
>>>>
>>>> In the recent discussion about SUDO and groups of SUDO commands we
>>>> settled down on the
>>>> objectClasses: (2.16.840.1.113730.3.8.8.3 NAME 'ipaSudoCmdGrp' DESC
>>>> 'IPA object class to store groups of SUDO commands' SUP
>>>> groupOfNames MUST ( ipaUniqueID ) STRUCTURAL X-ORIGIN 'IPA v2' )
>>>>
>>>> Which we decided should not support nesting.
>>>> Looking at the UI for the HBAC and complexity of the manipulation
>>>> with the HBAC object and related hbac services and groups of those
>>>> it occurred to me that one of the simplifications that we can have
>>>> is disallowing nesting of the HBAC login groups. It is expected
>>>> that there will be not many of those anyways. If we need it later
>>>> we will change it to support nesting. However the nesting is
>>>> already implemented in CLI and actually works. I tried and
>>>> everything is documented and seems ok.
>>>>
>>>> But group nesting in UI is a bit of nightmare. It is unclear
>>>> whether the nesting is actually a use case that we need to support
>>>> here.
>>>>
>>>> Thoughts?
>>>>
>>>>
>>> Unless there is a good reason to prevent nesting then I don't think
>>> it makes sense to undo what has already been done.
>>> If complexity is perceived as problematic then what we can do is
>>> provide guidelines on how/when it is or not appropriate to use
>>> nesting.
>>>
>>> Simo.
>>>
>>>
>>>
>> The dilemma here is:
>> * Undo schema and CLI to simplify UI
>> Pros: less work in UI
>> Cons: reduces functionality and undoes what is already done (affects
>> help and CLI)
>> * Implement UI to handle nesting and do not touch schema and CLI
>> Pros: Does not undo anything and does not reduce functionality that
>> someone might want at some point
>> Con: Much more work in UI
>> * Leave CLI and schema as is but in UI not support nesting
>> Pros: Medium amount of work
>> Cons: Ugly
>>
>> I do not know what is the best approach here.
>> IMO first option is less risky and less work.
>>
>
> I'd go for the last one, may be ugly, but does not undo anything that
> already works and has the effect of simplifying the UI which is what
> you are after right now. Of course that also means the UI will have to
> cope (maybe disabling editing) with any entry that has been nested
> through the CLI or over LDAP directly.
>

This is where ugliness comes to play.

> This is assuming the UI work would really be more complex. We have
> nesting to support for other things already so I am not sure it would
> really be substantially less work to do the same thing elsewhere, I bet
> a lot of code could simply be reused.
>
>

It is not that simple. All the membership is represented by concept
"facets" in the UI. Using the facets in the UI for the hbac groups does
not look good and intuitive. Ben and I were trying to find a different
approach and not use facets for HBAC and SUDO. Keep in mind that we plan
to reuse the same UI concepts for SUDO and HBAC since from the UI POW
the logic and work flow is very similar. But the underlying structure
is not due to the schema difference we have so we would have to
implement different UI approaches for them and design them conceptually
differently. I want to avoid that.

Also the hbac services and groups do not make much sense outside the
context of HBAC so for UI navigation it does not make sense to have them
on the second level menu in parallel to HBAC as it makes sense to have
users and group under identities. That suggests having a third level of
navigation this is where the complications come and both Ben and I do
not see so far a good way of solving it. Facets approach just does not
seem to work well in that case.

The problem is that CLI does not have navigation hierarchy but UI does
and things should be grouped logically and intuitively and not
necessarily in the same way as CLI would suggest.

> Simo.
>
>

--
Thank you,
Dmitri Pal

Engineering Manager IPA project,
Red Hat Inc.

-------------------------------
Looking to carve out IT costs?
www.redhat.com/carveoutcosts/

From ayoung at redhat.com Fri Oct 15 18:30:03 2010
From: ayoung at redhat.com (Adam Young)
Date: Fri, 15 Oct 2010 14:30:03 -0400
Subject: [Freeipa-devel] [PATCH] Service certificate UI.
In-Reply-To: <1612917312.575321287164845537.JavaMail.root@zmail05.collab.prod.int.phx2.redhat.com>
References: <1612917312.575321287164845537.JavaMail.root@zmail05.collab.prod.int.phx2.redhat.com>
Message-ID: <4CB89DAB.4060803@redhat.com>

On 10/15/2010 01:47 PM, Endi Sukma Dewata wrote:
> ----- "Adam Young" wrote:
>
>
>>> https://fedorahosted.org/reviewboard/r/92/
>>>
>
>> ACK, subject to
>> a rebase on top of my pending patch for multivalues
>>
> Rebased on top of your patch.
> Added some test data files.
>
> --
> Endi S. Dewata
>
ACK. Pushed to master

From edewata at redhat.com Fri Oct 15 18:32:18 2010
From: edewata at redhat.com (Endi Sukma Dewata) Date: Fri, 15 Oct 2010 14:32:18 -0400 (EDT) Subject: [Freeipa-devel] [PATCH] admiyo-freeipa-0056-removing-dead-files In-Reply-To: <4CB88B9B.7070406@redhat.com> Message-ID: <1384140617.581271287167538465.JavaMail.root@zmail05.collab.prod.int.phx2.redhat.com> ----- "Adam Young" wrote: > Like the journey song, these should have been gone, long ago. ACKed and pushed to master. -- Endi S. Dewata From ssorce at redhat.com Fri Oct 15 18:49:37 2010 
From: ssorce at redhat.com (Simo Sorce) Date: Fri, 15 Oct 2010 14:49:37 -0400 Subject: [Freeipa-devel] Some thoughts about login services In-Reply-To: <4CB89986.8060302@redhat.com> References: <4CB87512.8080609@redhat.com> <20101015120302.7183fe25@willson.li.ssimo.org> <4CB88CDA.7000705@redhat.com> <20101015133400.7737fd90@willson.li.ssimo.org> <4CB89986.8060302@redhat.com> Message-ID: <20101015144937.2f9d8580@willson.li.ssimo.org> On Fri, 15 Oct 2010 14:12:22 -0400 Dmitri Pal wrote: > Simo Sorce wrote: > > I'd go for the last one, may be ugly, but does not undo anything > > that already works and has the effect of simplifying the UI which > > is what you are after right now. Of course that also means the UI > > will have to cope (maybe disabling editing) with any entry that has > > been nested through the CLI or over LDAP directly. > > > > This is where ugliness comes to play. > > > This is assuming the UI work would really be more complex. We have > > nesting to support for other things already so I am not sure it > > would really be substantially less work to do the same thing > > elsewhere, I bet a lot of code could simply be reused. > > > > > > It is not that simple. [..] Ok, then I guess removing the possibility is simpler. Though reading the schema definition I wonder one thing. Why did you make these objectclasses derive from nestedGroup ? I would have expected them to be "SUP groupOfNames" and just have the clients add nestedGroup if they wished to enable them to be nested. Of course this means nestedGroup needs to be AUXILIARY and not STRUCTURAL. Is there any reason to make nestedGroup forcibly structural ? Having it auxiliary means we can later add it to objects not currently nestable, although this may also be seen as a liability. The problem is that if we do not then we are stuck with whatever we decide I think. Changing a fundamental objectclass once we reach 2.0 is one of things we tentatively forbid ourselves to do in the name of compatibility. 
Simo. -- Simo Sorce * Red Hat, Inc * New York From rcritten at redhat.com Fri Oct 15 18:58:11 2010 From: rcritten at redhat.com (Rob Crittenden) Date: Fri, 15 Oct 2010 14:58:11 -0400 Subject: [Freeipa-devel] [PATCH] 575 compare resolver and dns reverse lookups In-Reply-To: <20101014141503.6f10d0ab@willson.li.ssimo.org> References: <4CB5B49C.1040500@redhat.com> <20101014141503.6f10d0ab@willson.li.ssimo.org> Message-ID: <4CB8A443.9070604@redhat.com> Simo Sorce wrote: > On Wed, 13 Oct 2010 09:31:08 -0400 > Rob Crittenden wrote: > >> We check the resolver against the resolver and DNS against DNS but >> not the resolver against DNS so if something is wrong in /etc/hosts >> we don't catch it and nasty connection messages occur. >> >> Also fix a problem where a bogus error message was being displayed >> because we were trying to close an unconnected LDAP connection. >> >> ticket 327 >> >> Review this one carefully. It tested out ok on my relatively closed >> system but the implications are that you wouldn't be able to install >> at all or would have to pass --no-host-dns for installation to >> continue. >> >> I tested by setting my own host entry in /etc/host to a bogus IP addr. > > ACK, looks good to me. > > Simo. > pushed to master From rcritten at redhat.com Fri Oct 15 19:01:24 2010 
From: rcritten at redhat.com (Rob Crittenden) Date: Fri, 15 Oct 2010 15:01:24 -0400 Subject: [Freeipa-devel] [PATCH] 576 change password doc string In-Reply-To: <20101014141249.47df510a@willson.li.ssimo.org> References: <4CB62D40.9050409@redhat.com> <20101014141249.47df510a@willson.li.ssimo.org> Message-ID: <4CB8A504.6010703@redhat.com> Simo Sorce wrote: > On Wed, 13 Oct 2010 18:05:52 -0400 > Rob Crittenden wrote: > >> Change the password doc string to indicate that the user will be >> prompted for the password. >> >> ticket 182 >> >> rob > > ACK > > (doesn't this fall under the oneline rule ?) > Simo. > When it comes to strings I want consensus :-) pushed to master From rcritten at redhat.com Fri Oct 15 19:02:29 2010 From: rcritten at redhat.com (Rob Crittenden) Date: Fri, 15 Oct 2010 15:02:29 -0400 Subject: [Freeipa-devel] [PATCH] 579 catch socket errors in client In-Reply-To: <20101015102426.4b602e33@willson.li.ssimo.org> References: <4CB7750B.2050705@redhat.com> <20101015102426.4b602e33@willson.li.ssimo.org> Message-ID: <4CB8A545.1060004@redhat.com> Simo Sorce wrote: > On Thu, 14 Oct 2010 17:24:27 -0400 > Rob Crittenden wrote: > >> Catch socket errors in the client. I ran into this playing around >> with the ipa command-line on an unconfigured machine. >> >> ticket 382 >> >> rob > > ACK. > > Simo. > pushed to master From ayoung at redhat.com Fri Oct 15 19:05:30 2010 From: ayoung at redhat.com (Adam Young) Date: Fri, 15 Oct 2010 15:05:30 -0400 Subject: [Freeipa-devel] [PATCH] admiyo-freeipa-0058-password-dialog.patch Message-ID: <4CB8A5FA.40804@redhat.com> -------------- next part -------------- A non-text attachment was scrubbed... Name: admiyo-freeipa-0058-password-dialog.patch Type: text/x-patch Size: 3125 bytes Desc: not available URL: From rcritten at redhat.com Fri Oct 15 19:04:45 2010 
From: rcritten at redhat.com (Rob Crittenden) Date: Fri, 15 Oct 2010 15:04:45 -0400 Subject: [Freeipa-devel] [PATCH] Remove unused plugin In-Reply-To: <20101015113059.72ff02a2@willson.li.ssimo.org> References: <20101015113059.72ff02a2@willson.li.ssimo.org> Message-ID: <4CB8A5CD.90805@redhat.com> Simo Sorce wrote: > > ipa-memberof is unused, now we use the memberof version embedded in 389 > DS which has bugfixes not reflected in this code. > Therefore this patch removes the ipa-memberof code. > > RIP > > Simo. ack From ayoung at redhat.com Fri Oct 15 19:23:31 2010 From: ayoung at redhat.com (Adam Young) Date: Fri, 15 Oct 2010 15:23:31 -0400 Subject: [Freeipa-devel] [PATCH] admiyo-freeipa-0058-password-dialog.patch In-Reply-To: <4CB8A5FA.40804@redhat.com> References: <4CB8A5FA.40804@redhat.com> Message-ID: <4CB8AA33.6050000@redhat.com> On 10/15/2010 03:05 PM, Adam Young wrote: > > > _______________________________________________ > Freeipa-devel mailing list > Freeipa-devel at redhat.com > https://www.redhat.com/mailman/listinfo/freeipa-devel Just realized that there is a bug in here. If the admin runs this, he will change his own password. As written, it only works for self service. I'll update shortly. -------------- next part -------------- An HTML attachment was scrubbed... URL: From ayoung at redhat.com Fri Oct 15 19:47:58 2010 From: ayoung at redhat.com (Adam Young) Date: Fri, 15 Oct 2010 15:47:58 -0400 Subject: [Freeipa-devel] admiyo-freeipa-0059-sample-data-for-DNS.patch Message-ID: <4CB8AFEE.3090406@redhat.com> This fixes the file: URL for displaying DNS search page. -------------- next part -------------- A non-text attachment was scrubbed... Name: admiyo-freeipa-0059-sample-data-for-DNS.patch Type: text/x-patch Size: 28383 bytes Desc: not available URL: From dpal at redhat.com Fri Oct 15 20:31:50 2010 
From: dpal at redhat.com (Dmitri Pal) Date: Fri, 15 Oct 2010 16:31:50 -0400 Subject: [Freeipa-devel] Some thoughts about login services In-Reply-To: <20101015144937.2f9d8580@willson.li.ssimo.org> References: <4CB87512.8080609@redhat.com> <20101015120302.7183fe25@willson.li.ssimo.org> <4CB88CDA.7000705@redhat.com> <20101015133400.7737fd90@willson.li.ssimo.org> <4CB89986.8060302@redhat.com> <20101015144937.2f9d8580@willson.li.ssimo.org> Message-ID: <4CB8BA36.1050701@redhat.com> Simo Sorce wrote: > On Fri, 15 Oct 2010 14:12:22 -0400 > Dmitri Pal wrote: > >> Simo Sorce wrote: >> > > >>> I'd go for the last one, may be ugly, but does not undo anything >>> that already works and has the effect of simplifying the UI which >>> is what you are after right now. Of course that also means the UI >>> will have to cope (maybe disabling editing) with any entry that has >>> been nested through the CLI or over LDAP directly. >>> >>> >> This is where ugliness comes to play. >> >> >>> This is assuming the UI work would really be more complex. We have >>> nesting to support for other things already so I am not sure it >>> would really be substantially less work to do the same thing >>> elsewhere, I bet a lot of code could simply be reused. >>> >>> >>> >> It is not that simple. >> > [..] > > Ok, then I guess removing the possibility is simpler. > Though reading the schema definition I wonder one thing. Why did you > make these objectclasses derive from nestedGroup ? > I would have expected them to be "SUP groupOfNames" and just have the > clients add nestedGroup if they wished to enable them to be nested. > Of course this means nestedGroup needs to be AUXILIARY and not > STRUCTURAL. > Is there any reason to make nestedGroup forcibly structural ? > Having it auxiliary means we can later add it to objects not currently > nestable, although this may also be seen as a liability. > > The problem is that if we do not then we are stuck with whatever we > decide I think. 
Changing a fundamental objectclass once we reach 2.0 is > one of things we tentatively forbid ourselves to do in the name of > compatibility. > > I disagree. We can move from group of names to nested group at any moment in future by just doing schema change not even requiring full dump and load. We are not locked on it. Nested group is just an alias. Adding "MAY memberOf" will do a trick or we can change it to nestedGroup explicitly. I do not see us generally bound to this specific schema. We are bound to be able to migrate from this schema and not lose functionality. This is definitely the case here. > Simo. > > -- Thank you, Dmitri Pal Engineering Manager IPA project, Red Hat Inc. ------------------------------- Looking to carve out IT costs? www.redhat.com/carveoutcosts/ From rcritten at redhat.com Fri Oct 15 21:27:07 2010 From: rcritten at redhat.com (Rob Crittenden) Date: Fri, 15 Oct 2010 17:27:07 -0400 Subject: [Freeipa-devel] [PATCH] 581 remove enrolledBy when unenrolled Message-ID: <4CB8C72B.4090308@redhat.com> Remove the enrolledBy when a host is unenrolled (which is the same as disabling the host). ticket 301 rob -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-581-unenroll.patch Type: application/mbox Size: 3819 bytes Desc: not available URL: From ssorce at redhat.com Fri Oct 15 22:06:52 2010
From: ssorce at redhat.com (Simo Sorce) Date: Fri, 15 Oct 2010 18:06:52 -0400 Subject: [Freeipa-devel] [PATCH] Remove unused plugin In-Reply-To: <4CB8A5CD.90805@redhat.com> References: <20101015113059.72ff02a2@willson.li.ssimo.org> <4CB8A5CD.90805@redhat.com> Message-ID: <20101015180652.0eff9026@willson.li.ssimo.org> On Fri, 15 Oct 2010 15:04:45 -0400 Rob Crittenden wrote: > Simo Sorce wrote: > > > > ipa-memberof is unused, now we use the memberof version embedded in > > 389 DS which has bugfixes not reflected in this code. > > Therefore this patch removes the ipa-memberof code. > > > > RIP > > > > Simo. > > ack pushed to master Simo. -- Simo Sorce * Red Hat, Inc * New York From ssorce at redhat.com Fri Oct 15 22:15:58 2010 From: ssorce at redhat.com (Simo Sorce) Date: Fri, 15 Oct 2010 18:15:58 -0400 Subject: [Freeipa-devel] [PATCH] 581 remove enrolledBy when unenrolled In-Reply-To: <4CB8C72B.4090308@redhat.com> References: <4CB8C72B.4090308@redhat.com> Message-ID: <20101015181558.304fa2d2@willson.li.ssimo.org> On Fri, 15 Oct 2010 17:27:07 -0400 Rob Crittenden wrote: > Remove the enrolledBy when a host is unenrolled (which is the same as > disabling the host). > > ticket 301 > > rob nack, if host can write enrolledBy it can fake info Simo. -- Simo Sorce * Red Hat, Inc * New York From dpal at redhat.com Fri Oct 15 22:28:39 2010 
From: dpal at redhat.com (Dmitri Pal) Date: Fri, 15 Oct 2010 18:28:39 -0400 Subject: [Freeipa-devel] [PATCH] 581 remove enrolledBy when unenrolled In-Reply-To: <20101015181558.304fa2d2@willson.li.ssimo.org> References: <4CB8C72B.4090308@redhat.com> <20101015181558.304fa2d2@willson.li.ssimo.org> Message-ID: <4CB8D597.8040802@redhat.com> Simo Sorce wrote: > On Fri, 15 Oct 2010 17:27:07 -0400 > Rob Crittenden wrote: > > >> Remove the enrolledBy when a host is unenrolled (which is the same as >> disabling the host). >> >> ticket 301 >> >> rob >> > > nack, if host can write enrolledBy it can fake info > > Simo. > > I agree. I think it should be "delete" rather than "write". -- Thank you, Dmitri Pal Engineering Manager IPA project, Red Hat Inc. ------------------------------- Looking to carve out IT costs? www.redhat.com/carveoutcosts/ From ssorce at redhat.com Fri Oct 15 22:56:01 2010 From: ssorce at redhat.com (Simo Sorce) Date: Fri, 15 Oct 2010 18:56:01 -0400 Subject: [Freeipa-devel] [PATCH] admiyo-freeipa-0056-removing-dead-files In-Reply-To: <1384140617.581271287167538465.JavaMail.root@zmail05.collab.prod.int.phx2.redhat.com> References: <4CB88B9B.7070406@redhat.com> <1384140617.581271287167538465.JavaMail.root@zmail05.collab.prod.int.phx2.redhat.com> Message-ID: <20101015185601.4bc0d061@willson.li.ssimo.org> On Fri, 15 Oct 2010 14:32:18 -0400 (EDT) Endi Sukma Dewata wrote: > > ----- "Adam Young" wrote: > > > Like the journey song, these should have been gone, long ago. > > ACKed and pushed to master. This patch broke the build ... fix coming, but guys, please, verify stuff builds from scratch before pushing patches. Simo. -- Simo Sorce * Red Hat, Inc * New York From ssorce at redhat.com Fri Oct 15 23:09:45 2010 
From: ssorce at redhat.com (Simo Sorce) Date: Fri, 15 Oct 2010 19:09:45 -0400 Subject: [Freeipa-devel] [PATCH] Fix build Message-ID: <20101015190945.0e035dbd@willson.li.ssimo.org> patch to fix the build Simo. -- Simo Sorce * Red Hat, Inc * New York -------------- next part -------------- A non-text attachment was scrubbed... Name: 0001-Fix-build-after-file-was-removed-but-not-eliminated-.patch Type: text/x-patch Size: 702 bytes Desc: not available URL: From edewata at redhat.com Sat Oct 16 00:39:03 2010 From: edewata at redhat.com (Endi Sukma Dewata) Date: Fri, 15 Oct 2010 19:39:03 -0500 Subject: [Freeipa-devel] [PATCH] Service certificate status. Message-ID: <4CB8F427.7080307@redhat.com> Hi, Please review the attached patch. Thanks! The service details page has been modified to show certificate status using bullets. It will also show the revocation reason, and display the restore button only if the certificate is on hold. The buttons action handlers have been moved into service_usercertificate_load() so they can update the bullets. A test data file for cert-show operation has been added. Other test data files containing certificate info has been updated for consistency. The certificate_confirmation_dialog() has been removed because it's no longer used. --- Endi S. Dewata -------------- next part -------------- An embedded and charset-unspecified text was scrubbed... Name: edewata-freeipa-0021-Service-certificate-status.patch URL: From rcritten at redhat.com Mon Oct 18 13:32:25 2010 
From: rcritten at redhat.com (Rob Crittenden) Date: Mon, 18 Oct 2010 09:32:25 -0400 Subject: [Freeipa-devel] Some thoughts about login services In-Reply-To: <4CB8BA36.1050701@redhat.com> References: <4CB87512.8080609@redhat.com> <20101015120302.7183fe25@willson.li.ssimo.org> <4CB88CDA.7000705@redhat.com> <20101015133400.7737fd90@willson.li.ssimo.org> <4CB89986.8060302@redhat.com> <20101015144937.2f9d8580@willson.li.ssimo.org> <4CB8BA36.1050701@redhat.com> Message-ID: <4CBC4C69.5060105@redhat.com> Dmitri Pal wrote: > Simo Sorce wrote: >> On Fri, 15 Oct 2010 14:12:22 -0400 >> Dmitri Pal wrote: >> >>> Simo Sorce wrote: >>> >> >> >>>> I'd go for the last one, may be ugly, but does not undo anything >>>> that already works and has the effect of simplifying the UI which >>>> is what you are after right now. Of course that also means the UI >>>> will have to cope (maybe disabling editing) with any entry that has >>>> been nested through the CLI or over LDAP directly. >>>> >>>> >>> This is where ugliness comes to play. >>> >>> >>>> This is assuming the UI work would really be more complex. We have >>>> nesting to support for other things already so I am not sure it >>>> would really be substantially less work to do the same thing >>>> elsewhere, I bet a lot of code could simply be reused. >>>> >>>> >>>> >>> It is not that simple. >>> >> [..] >> >> Ok, then I guess removing the possibility is simpler. >> Though reading the schema definition I wonder one thing. Why did you >> make these objectclasses derive from nestedGroup ? >> I would have expected them to be "SUP groupOfNames" and just have the >> clients add nestedGroup if they wished to enable them to be nested. >> Of course this means nestedGroup needs to be AUXILIARY and not >> STRUCTURAL. >> Is there any reason to make nestedGroup forcibly structural ? >> Having it auxiliary means we can later add it to objects not currently >> nestable, although this may also be seen as a liability. 
>> >> The problem is that if we do not then we are stuck with whatever we >> decide I think. Changing a fundamental objectclass once we reach 2.0 is >> one of things we tentatively forbid ourselves to do in the name of >> compatibility. >> >> > > I disagree. We can move from group of names to nested group at any > moment in future by just doing schema change not even requiring full > dump and load. > We are not locked on it. Nested group is just an alias. Adding "MAY > memberOf" will do a trick or we can change it to nestedGroup explicitly. > > I do not see us generally bound to this specific schema. We are bound to > be able to migrate from this schema and not lose functionality. This is > definitely the case here. We use very specific filters to find the various types of objects in IPA so changing the objectclasses can affect that. Some amount of minor data migration may be required if the underlying objectclasses change. Adding new objectclasses generally won't be a problem, replacing one with another might be. rob From rcritten at redhat.com Mon Oct 18 13:40:56 2010
From: rcritten at redhat.com (Rob Crittenden) Date: Mon, 18 Oct 2010 09:40:56 -0400 Subject: [Freeipa-devel] [PATCH] 581 remove enrolledBy when unenrolled In-Reply-To: <4CB8D597.8040802@redhat.com> References: <4CB8C72B.4090308@redhat.com> <20101015181558.304fa2d2@willson.li.ssimo.org> <4CB8D597.8040802@redhat.com> Message-ID: <4CBC4E68.9060804@redhat.com> Dmitri Pal wrote: > Simo Sorce wrote: >> On Fri, 15 Oct 2010 17:27:07 -0400 >> Rob Crittenden wrote: >> >> >>> Remove the enrolledBy when a host is unenrolled (which is the same as >>> disabling the host). >>> >>> ticket 301 >>> >>> rob >>> >> >> nack, if host can write enrolledBy it can fake info >> >> Simo. >> >> > I agree. I think it should be "delete" rather than "write". > The delete permission is for entries, not for attributes. I'll need to ask the 389-ds guys about how to do this, though I think it may be via an attr value aci which will require some work in our aci plugin because it doesn't currently support them. rob From ayoung at redhat.com Mon Oct 18 14:38:15 2010 
From: ayoung at redhat.com (Adam Young) Date: Mon, 18 Oct 2010 10:38:15 -0400 Subject: [Freeipa-devel] [PATCH] admiyo-freeipa-0056-removing-dead-files In-Reply-To: <20101015185601.4bc0d061@willson.li.ssimo.org> References: <4CB88B9B.7070406@redhat.com> <1384140617.581271287167538465.JavaMail.root@zmail05.collab.prod.int.phx2.redhat.com> <20101015185601.4bc0d061@willson.li.ssimo.org> Message-ID: <4CBC5BD7.9010300@redhat.com> On 10/15/2010 06:56 PM, Simo Sorce wrote: > On Fri, 15 Oct 2010 14:32:18 -0400 (EDT) > Endi Sukma Dewata wrote: > > >> ----- "Adam Young" wrote: >> >> >>> Like the journey song, these should have been gone, long ago. >>> >> ACKed and pushed to master. >> > This patch broke the build ... > fix coming, but guys, please, verify stuff builds from scratch before > pushing patches. > > Simo. > > Simo, very sorry about this. I've removed this file at least once before, and I thought the change was long since out of the Makefile.am. Not sure how it keeps creeping back in. The problem was, of course, that make clean doesn't wipe out the Makefile.am....Dumb on my part. From ayoung at redhat.com Mon Oct 18 14:54:20 2010 From: ayoung at redhat.com (Adam Young) Date: Mon, 18 Oct 2010 10:54:20 -0400 Subject: [Freeipa-devel] [PATCH] Fix build In-Reply-To: <20101015190945.0e035dbd@willson.li.ssimo.org> References: <20101015190945.0e035dbd@willson.li.ssimo.org> Message-ID: <4CBC5F9C.3000501@redhat.com> On 10/15/2010 07:09 PM, Simo Sorce wrote: > patch to fix the build > > Simo. > > > > > _______________________________________________ > Freeipa-devel mailing list > Freeipa-devel at redhat.com > https://www.redhat.com/mailman/listinfo/freeipa-devel ACK, pushed to master -------------- next part -------------- An HTML attachment was scrubbed... URL: From edewata at redhat.com Mon Oct 18 15:04:31 2010 
From: edewata at redhat.com (Endi Sukma Dewata) Date: Mon, 18 Oct 2010 10:04:31 -0500 Subject: [Freeipa-devel] [PATCH] admiyo-freeipa-0056-removing-dead-files In-Reply-To: <4CBC5BD7.9010300@redhat.com> References: <4CB88B9B.7070406@redhat.com> <1384140617.581271287167538465.JavaMail.root@zmail05.collab.prod.int.phx2.redhat.com> <20101015185601.4bc0d061@willson.li.ssimo.org> <4CBC5BD7.9010300@redhat.com> Message-ID: <4CBC61FF.4050307@redhat.com> On 10/18/2010 9:38 AM, Adam Young wrote: > On 10/15/2010 06:56 PM, Simo Sorce wrote: >> Endi Sukma Dewata wrote: >>> ACKed and pushed to master. >> >> This patch broke the build ... >> fix coming, but guys, please, verify stuff builds from scratch before >> pushing patches. > > Simo, very sorry about this. I've removed this file at least once > before, and I thought the change was long since out of the Makefile.am. > Not sure how it keeps creeping back in. The problem was, of course, that > make clean doesn't wipe out the Makefile.am....Dumb on my part. Oops.. sorry. I thought it's a simple file removal. Lesson learned. -- Endi S. Dewata From ssorce at redhat.com Mon Oct 18 15:47:40 2010 From: ssorce at redhat.com (Simo Sorce) Date: Mon, 18 Oct 2010 11:47:40 -0400 Subject: [Freeipa-devel] [PATCH] #394 Fix ldappasswd on some OSs Message-ID: <20101018114740.2d652740@willson.li.ssimo.org> Apparently my f14 test environment didn't need the host name but in some cases w/o it the passwd change will fail because SSL verification fails. The attached patch should fix the issue. Simo. -- Simo Sorce * Red Hat, Inc * New York -------------- next part -------------- A non-text attachment was scrubbed... Name: 0001-dsinstance-Fix-ldappasswd-invocation-to-specify-the-.patch Type: text/x-patch Size: 1039 bytes Desc: not available URL: From ssorce at redhat.com Mon Oct 18 15:51:10 2010
From: ssorce at redhat.com (Simo Sorce) Date: Mon, 18 Oct 2010 11:51:10 -0400 Subject: [Freeipa-devel] [PATCH] fix pwd plugin logging Message-ID: <20101018115110.13b4425b@willson.li.ssimo.org> While reviewing the logging macros I realized that the log target was wrong for the LOG_TRACE and LOG_FATAL functions. I also took the liberty of simplifying the macros by removing unnecessary do {} while(0) loops given the final version didn't require more than one function invocation anyway. Simo. -- Simo Sorce * Red Hat, Inc * New York -------------- next part -------------- A non-text attachment was scrubbed... Name: 0001-pwd-plugin-fix-slapi-log-target-in-logging-functions.patch Type: text/x-patch Size: 1625 bytes Desc: not available URL: From ssorce at redhat.com Mon Oct 18 15:54:39 2010 From: ssorce at redhat.com (Simo Sorce) Date: Mon, 18 Oct 2010 11:54:39 -0400 Subject: [Freeipa-devel] [PATCH] beef up .gitignore Message-ID: <20101018115439.191f9a45@willson.li.ssimo.org> We are not ignoring enough stuff, every time you run make you get a ton of files in git status These changes returned to me a very clean git status at last :-) Simo. -- Simo Sorce * Red Hat, Inc * New York -------------- next part -------------- A non-text attachment was scrubbed... Name: 0001-Ignore-useless-stuff-by-default.patch Type: text/x-patch Size: 1786 bytes Desc: not available URL: From rcritten at redhat.com Mon Oct 18 15:56:10 2010
From: rcritten at redhat.com (Rob Crittenden) Date: Mon, 18 Oct 2010 11:56:10 -0400 Subject: [Freeipa-devel] [PATCH] #394 Fix ldappasswd on some OSs In-Reply-To: <20101018114740.2d652740@willson.li.ssimo.org> References: <20101018114740.2d652740@willson.li.ssimo.org> Message-ID: <4CBC6E1A.5050208@redhat.com> Simo Sorce wrote: > > Apparently my f14 test environment didn't need the host name but in > some cases w/o it the passwd change will fail because SSL verification > fails. > > The attached patch should fix the issue. > > Simo. ack From ssorce at redhat.com Mon Oct 18 16:05:44 2010 From: ssorce at redhat.com (Simo Sorce) Date: Mon, 18 Oct 2010 12:05:44 -0400 Subject: [Freeipa-devel] [PATCH] #394 Fix ldappasswd on some OSs In-Reply-To: <4CBC6E1A.5050208@redhat.com> References: <20101018114740.2d652740@willson.li.ssimo.org> <4CBC6E1A.5050208@redhat.com> Message-ID: <20101018120544.699da473@willson.li.ssimo.org> On Mon, 18 Oct 2010 11:56:10 -0400 Rob Crittenden wrote: > Simo Sorce wrote: > > > > Apparently my f14 test environment didn't need the host name but in > > some cases w/o it the passwd change will fail because SSL > > verification fails. > > > > The attached patch should fix the issue. > > > > Simo. > > ack pushed to master Simo. -- Simo Sorce * Red Hat, Inc * New York From ayoung at redhat.com Mon Oct 18 16:07:08 2010
From: ayoung at redhat.com (Adam Young) Date: Mon, 18 Oct 2010 12:07:08 -0400 Subject: [Freeipa-devel] [PATCH] beef up .gitignore In-Reply-To: <20101018115439.191f9a45@willson.li.ssimo.org> References: <20101018115439.191f9a45@willson.li.ssimo.org> Message-ID: <4CBC70AC.6000207@redhat.com> On 10/18/2010 11:54 AM, Simo Sorce wrote: > We are not ignoring enough stuff, every time you run make you get a ton > of files in git status > > These changes returned to me a very clean git status at last :-) > > Simo. > > > > > _______________________________________________ > Freeipa-devel mailing list > Freeipa-devel at redhat.com > https://www.redhat.com/mailman/listinfo/freeipa-devel ACK. Please add dist/ in there as well. -------------- next part -------------- An HTML attachment was scrubbed... URL: From ssorce at redhat.com Mon Oct 18 17:26:38 2010 From: ssorce at redhat.com (Simo Sorce) Date: Mon, 18 Oct 2010 13:26:38 -0400 Subject: [Freeipa-devel] [PATCH] beef up .gitignore In-Reply-To: <4CBC70AC.6000207@redhat.com> References: <20101018115439.191f9a45@willson.li.ssimo.org> <4CBC70AC.6000207@redhat.com> Message-ID: <20101018132638.1fc099cd@willson.li.ssimo.org> On Mon, 18 Oct 2010 12:07:08 -0400 Adam Young wrote: > On 10/18/2010 11:54 AM, Simo Sorce wrote: > > We are not ignoring enough stuff, every time you run make you get a > > ton of files in git status > > > > These changes returned to me a very clean git status at last :-) > > > ACK. Please add dist/ in there as well. Added dist/ and pushed to master Simo. -- Simo Sorce * Red Hat, Inc * New York From rcritten at redhat.com Mon Oct 18 17:42:13 2010 
From: rcritten at redhat.com (Rob Crittenden) Date: Mon, 18 Oct 2010 13:42:13 -0400 Subject: [Freeipa-devel] [PATCH] #319 better cope with ntp config files In-Reply-To: <20101015112908.520a15cd@willson.li.ssimo.org> References: <20101014162942.109933bd@willson.li.ssimo.org> <4CB85FBE.10608@redhat.com> <20101015102759.51ffb927@willson.li.ssimo.org> <20101015112908.520a15cd@willson.li.ssimo.org> Message-ID: <4CBC86F5.9020202@redhat.com> Simo Sorce wrote: > On Fri, 15 Oct 2010 10:27:59 -0400 > Simo Sorce wrote: > >> Right, thanks for catching this, my python got a bit rusty in the last >> few months :) > > Ok, changed the patch according to your guidelines, and retested. > Also caught a bug that didn't show up with the previous way I did > stripping. > >>> I'm not sure your loop for srv actually does the right thing. I >>> wonder if you wanted to set match = 0 within the for loop. >> >> Well, according to my testing it does. >> But I'll re-check. > > Re-checked, yes the way I use match is how I intended it, it is useful > only for the inner for loop. > > Testing shows I can correctly match entries with arbitrary spacing now. > > Simo. Works for me, ack. rob From ssorce at redhat.com Mon Oct 18 17:55:37 2010 From: ssorce at redhat.com (Simo Sorce) Date: Mon, 18 Oct 2010 13:55:37 -0400 Subject: [Freeipa-devel] [PATCH] #319 better cope with ntp config files In-Reply-To: <4CBC86F5.9020202@redhat.com> References: <20101014162942.109933bd@willson.li.ssimo.org> <4CB85FBE.10608@redhat.com> <20101015102759.51ffb927@willson.li.ssimo.org> <20101015112908.520a15cd@willson.li.ssimo.org> <4CBC86F5.9020202@redhat.com> Message-ID: <20101018135537.2f66f7b4@willson.li.ssimo.org> On Mon, 18 Oct 2010 13:42:13 -0400 Rob Crittenden wrote: > Works for me, ack. thanks, pushed to master Simo. -- Simo Sorce * Red Hat, Inc * New York From ayoung at redhat.com Mon Oct 18 17:58:08 2010 
From: ayoung at redhat.com (Adam Young) Date: Mon, 18 Oct 2010 13:58:08 -0400 Subject: [Freeipa-devel] [PATCH] Service certificate status. In-Reply-To: <4CB8F427.7080307@redhat.com> References: <4CB8F427.7080307@redhat.com> Message-ID: <4CBC8AB0.30005@redhat.com> On 10/15/2010 08:39 PM, Endi Sukma Dewata wrote: > Hi, > > Please review the attached patch. Thanks! > > The service details page has been modified to show certificate > status using bullets. It will also show the revocation reason, > and display the restore button only if the certificate is on > hold. The buttons action handlers have been moved into > service_usercertificate_load() so they can update the bullets. > > A test data file for cert-show operation has been added. Other > test data files containing certificate info has been updated for > consistency. > > The certificate_confirmation_dialog() has been removed because > it's no longer used. > > --- > Endi S. Dewata > > > _______________________________________________ > Freeipa-devel mailing list > Freeipa-devel at redhat.com > https://www.redhat.com/mailman/listinfo/freeipa-devel ACK. Please file a ticket for throwing the error message when installed without dogtag -------------- next part -------------- An HTML attachment was scrubbed... URL: From rcritten at redhat.com Mon Oct 18 18:45:02 2010 
From: rcritten at redhat.com (Rob Crittenden) Date: Mon, 18 Oct 2010 14:45:02 -0400 Subject: [Freeipa-devel] [PATCH] Check if attribute is single-value before trying to add values to it. In-Reply-To: <4CB85435.6060100@redhat.com> References: <4CB5AA3C.3020301@redhat.com> <4CB62C22.8060206@redhat.com> <4CB70486.1010009@redhat.com> <4CB73BF7.9020703@redhat.com> <4CB773E5.9030808@redhat.com> <4CB85435.6060100@redhat.com> Message-ID: <4CBC95AE.7000404@redhat.com> Rob Crittenden wrote: > Pavel Z?na wrote: >> On 2010-10-14 19:20, Rob Crittenden wrote: >>> Pavel Zuna wrote: >>>> On 10/14/2010 12:01 AM, Rob Crittenden wrote: >>>>> Pavel Zuna wrote: >>>>>> This patch adds a check in ldap2 for single-value attributes. DS >>>>>> doesn't >>>>>> seem to care much about attributes being defined as SINGLE-VALUE >>>>>> except >>>>>> for things like uidNumber and gidNumber (I suspect this is handled by >>>>>> the DNA plugin). >>>>>> >>>>>> Ticket #246 >>>>>> >>>>>> Pavel >>>>> >>>>> This is similar to ticket 220 which I have a pending patch for (patch >>>>> 552). I think both patches are valid but we should test them >>>>> together to >>>>> be sure. Can you do that? >>>>> >>>>> rob >>>> >>>> I had to NACK your patch number 552, because the check was in the wrong >>>> place. >>>> >>>> Both patches overlap in functionality, so I decided to merge them >>>> into a >>>> new version of my original patch. >>>> >>>> I split the single-value check into two parts: >>>> >>>> First part is in baseldap classes (LDAPCreate, LDAPUpdate) and it >>>> checks >>>> if we're not trying to add more values to a Param defined attribute, >>>> that is not flagged as multivalue. >>>> >>>> Second part is in the ldap2 backend. It checks if we're not trying to >>>> add more values to an attribute, that is defined as SINGLE-VALUE in the >>>> schema. Unfortunately, it seems that python-ldap isn't capable of >>>> reporting the SINGLE-VALUE flag reliably and DS doesn't enforce it at >>>> all. 
In other words, this check is a bit weak, but still better than >>>> nothing. >>>> >>>> I hope you don't mind I merged both patches, but it seemed simpler and >>>> we can knock out 2 tickets in one commit. :) >>>> >>>> Ticket #230 >>>> Ticket #246 >>>> >>>> Pavel >>> >>> Ack if you fix 2 things: >>> >>> 1. Change the error message of the exception to match the exception >>> name, 'only one value allowed' instead of 'attribute is single-value' >> Ok. >> >>> 2. You added a space between desc and info in the DatabaseError >>> exception. The example fails because there is no space after the colon >>> (at least for me, since my editor wipes out trailing white space >>> automatically). Can we either drop the space or add something for info >>> to the example? >> I choose to add something for info, because other exceptions make use of >> a space after colon in their formats. >> >>> >>> rob >> >> Version 3 attached. >> >> Pavel > > Ack, just fix the doctest case for OnlyOneValueAllowed() before pushing. > The doctest still has the old text for the exception. > > rob I fixed the doctest and pushed to master rob From edewata at redhat.com Mon Oct 18 18:49:34 2010 From: edewata at redhat.com (Endi Sukma Dewata) Date: Mon, 18 Oct 2010 13:49:34 -0500 Subject: [Freeipa-devel] [PATCH] Service certificate status. In-Reply-To: <4CBC8AB0.30005@redhat.com> References: <4CB8F427.7080307@redhat.com> <4CBC8AB0.30005@redhat.com> Message-ID: <4CBC96BE.5030306@redhat.com> On 10/18/2010 12:58 PM, Adam Young wrote: > ACK. Please file a ticket for throwing the error message when installed > without dogtag I see this has been pushed. Thanks! I closed this ticket: https://fedorahosted.org/freeipa/ticket/276 and opened these tickets: https://fedorahosted.org/freeipa/ticket/395 https://fedorahosted.org/freeipa/ticket/396 -- Endi S. Dewata From ayoung at redhat.com Mon Oct 18 18:53:47 2010 
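The schema-side half of the single-value check discussed in the "Check if attribute is single-value" thread above, as an added example that is not code from the patch or from FreeIPA. It assumes the raw attributeTypes strings are available, so it parses the SINGLE-VALUE flag itself instead of relying on python-ldap; the schema lines are constructed sample input and the OnlyOneValueAllowed class is a local stand-in for the exception named in the thread.

```python
import re

# Constructed sample input: attributeTypes values in RFC 4512 syntax, as a
# directory server would publish them in its subschema entry.
SAMPLE_SCHEMA = [
    "( 1.3.6.1.1.1.1.0 NAME 'uidNumber' DESC 'numeric id, SINGLE-VALUE here' "
    "EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )",
    "( 1.3.6.1.1.1.1.3 NAME 'homeDirectory' EQUALITY caseExactIA5Match "
    "SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE )",
    "( 2.5.4.13 NAME 'description' DESC 'free text, not SINGLE-VALUE' "
    "SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{1024} )",
    "( 2.5.4.3 NAME ( 'cn' 'commonName' ) SUP name )",
]

# Quoted strings stay one token, so a flag name inside DESC is never mistaken
# for the real SINGLE-VALUE keyword.
TOKEN = re.compile(r"'[^']*'|[()]|[^\s()']+")


class OnlyOneValueAllowed(Exception):
    """Local stand-in for the exception named in the thread."""


def parse_attribute_type(definition):
    """Return (lower-cased names, is_single_valued) for one definition."""
    tokens = TOKEN.findall(definition)
    names = []
    if "NAME" in tokens:
        i = tokens.index("NAME") + 1
        if i < len(tokens) and tokens[i] == "(":
            i += 1
            while i < len(tokens) and tokens[i] != ")":
                names.append(tokens[i].strip("'"))
                i += 1
        elif i < len(tokens):
            names.append(tokens[i].strip("'"))
    return [n.lower() for n in names], "SINGLE-VALUE" in tokens


def single_valued_attrs(schema_lines):
    """Collect every name (aliases included) of SINGLE-VALUE attributes."""
    found = set()
    for line in schema_lines:
        names, single = parse_attribute_type(line)
        if single:
            found.update(names)
    return found


def resulting_entry(entry, mods):
    """Apply (op, attr, values) mods in order; attribute names are caseless."""
    result = {attr.lower(): list(vals) for attr, vals in entry.items()}
    for op, attr, values in mods:
        key = attr.lower()
        current = result.get(key, [])
        if op == "add":
            # Simplification: a value that already exists is skipped silently.
            for value in values:
                if value not in current:
                    current.append(value)
        elif op == "replace":
            current = list(values)
        elif op == "delete":
            # An empty value list removes the whole attribute.
            current = [v for v in current if v not in values] if values else []
        else:
            raise ValueError("unknown modification: %r" % (op,))
        result[key] = current
    return result


def offending_attrs(entry, mods, single_valued):
    """Names of SINGLE-VALUE attributes left with more than one value.

    Only the final state is checked, so swapping a value with an add and a
    delete in the same request is accepted.
    """
    final = resulting_entry(entry, mods)
    return sorted(a for a, vals in final.items()
                  if a in single_valued and len(vals) > 1)


def apply_mods(entry, mods, single_valued):
    """Return the modified entry, or raise before anything is written."""
    bad = offending_attrs(entry, mods, single_valued)
    if bad:
        raise OnlyOneValueAllowed("%s: only one value allowed" % ", ".join(bad))
    return resulting_entry(entry, mods)


if __name__ == "__main__":
    single = single_valued_attrs(SAMPLE_SCHEMA)
    user = {"uidNumber": ["1000"], "description": ["first"]}  # constructed entry
    print(sorted(single))
    print(offending_attrs(user, [("add", "uidNumber", ["1001"])], single))
```

Because the directory server described in the thread does not reject such writes itself, a check like this has to run before the modify request is sent.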
From: ayoung at redhat.com (Adam Young) Date: Mon, 18 Oct 2010 14:53:47 -0400 Subject: [Freeipa-devel] [PATCH] admiyo-freeipa-0058-password-dialog.patch In-Reply-To: <4CB8AA33.6050000@redhat.com> References: <4CB8A5FA.40804@redhat.com> <4CB8AA33.6050000@redhat.com> Message-ID: <4CBC97BB.7060305@redhat.com> On 10/15/2010 03:23 PM, Adam Young wrote: > On 10/15/2010 03:05 PM, Adam Young wrote: > Just realized that there is a bug in here. If the admin runs this, he > will change his own password. As written, it only works for self > service. I'll update shortly. Now check the principal prior to calling passwd, and add that as a parameter for non-selfservice case. -------------- next part -------------- An HTML attachment was scrubbed... URL: -------------- next part -------------- A non-text attachment was scrubbed... Name: admiyo-freeipa-0058-2-password-dialog.patch Type: text/x-patch Size: 4920 bytes Desc: not available URL: From rcritten at redhat.com Mon Oct 18 18:57:17 2010 
From: rcritten at redhat.com (Rob Crittenden) Date: Mon, 18 Oct 2010 14:57:17 -0400 Subject: [Freeipa-devel] [PATCH] 582 allow rdn changes Message-ID: <4CBC988D.6030706@redhat.com> Allow RDN changes for users, groups, rolegroups and taskgroups. To do a change right now you have to perform a setattr like: ipa user-mod --setattr uid=newuser olduser The RDN change is performed before the rest of the mods. If the RDN change is the only change done then the EmptyModlist that update_entry() throws is ignored. ticket 323 rob -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-582-rdn.patch Type: application/mbox Size: 15146 bytes Desc: not available URL: From dpal at redhat.com Mon Oct 18 19:34:33 2010 From: dpal at redhat.com (Dmitri Pal) Date: Mon, 18 Oct 2010 15:34:33 -0400 Subject: [Freeipa-devel] [Fwd: [PATCH] 582 allow rdn changes] Message-ID: <4CBCA149.8050602@redhat.com> Do we plan/need to have a more convenient format? The setattr seems not intuitive. It seems it should be something like: ipa user-mod --login=newlogin oldlogin But I understand it will affect a lot of CLIs if we do it right for all renames. Well... maybe exactly because of that we should do it sooner rather than later. Thoughts? Thanks Dmitri -------- Original Message -------- Subject: [Freeipa-devel] [PATCH] 582 allow rdn changes Date: Mon, 18 Oct 2010 14:57:17 -0400 From: Rob Crittenden To: freeipa-devel Allow RDN changes for users, groups, rolegroups and taskgroups. To do a change right now you have to perform a setattr like: ipa user-mod --setattr uid=newuser olduser The RDN change is performed before the rest of the mods. If the RDN change is the only change done then the EmptyModlist that update_entry() throws is ignored. ticket 323 rob -- Thank you, Dmitri Pal Engineering Manager IPA project, Red Hat Inc. From rcritten at redhat.com Mon Oct 18 19:47:33 2010 
From: rcritten at redhat.com (Rob Crittenden) Date: Mon, 18 Oct 2010 15:47:33 -0400 Subject: [Freeipa-devel] [PATCH] 568 fix mutual exclusive comparison in hbac In-Reply-To: <4CB46761.2080509@redhat.com> References: <4CB31A83.5070802@redhat.com> <4CB46761.2080509@redhat.com> Message-ID: <4CBCA455.9040007@redhat.com> Adam Young wrote: > On 10/11/2010 10:09 AM, Rob Crittenden wrote: >> Do better error checking in mutual exclusivity check in hbac plugin. >> This fixes the acceptance tests. >> >> rob > ACK pushed to master From rcritten at redhat.com Mon Oct 18 19:50:23 2010 From: rcritten at redhat.com (Rob Crittenden) Date: Mon, 18 Oct 2010 15:50:23 -0400 Subject: [Freeipa-devel] [PATCH] 578 remove ldapi socket on uninstall In-Reply-To: <20101014154225.5bac0b36@willson.li.ssimo.org> References: <4CB750EA.4090908@redhat.com> <20101014154225.5bac0b36@willson.li.ssimo.org> Message-ID: <4CBCA4FF.2000501@redhat.com> Simo Sorce wrote: > On Thu, 14 Oct 2010 14:50:18 -0400 > Rob Crittenden wrote: > >> Remove the directory server ldapi socket on uninstall. >> >> ticket 350 >> > > ACK > > Simo. > This was pushed to master From rcritten at redhat.com Mon Oct 18 19:52:06 2010 
From: rcritten at redhat.com (Rob Crittenden) Date: Mon, 18 Oct 2010 15:52:06 -0400 Subject: [Freeipa-devel] [PATCH] 580 admintools requires ipa-client, requires config In-Reply-To: <20101015102329.6bea91af@willson.li.ssimo.org> References: <4CB858DD.7040802@redhat.com> <20101015102329.6bea91af@willson.li.ssimo.org> Message-ID: <4CBCA566.5010305@redhat.com> Simo Sorce wrote: > On Fri, 15 Oct 2010 09:36:29 -0400 > Rob Crittenden wrote: > >> Add Requires on ipa-client to ipa-admintools, ensure ipa client is >> configured. It makes little sense to install ipa-admintools without >> ipa-client, require it. >> >> Also see if the client has been configured. This is a bit tricky >> since we have a full set of defaults. Add a new env option that gets >> set if at least one configuration file is loaded. >> >> ticket 213 > > ACK. > > Simo. > pushed to master From rcritten at redhat.com Mon Oct 18 19:52:55 2010 From: rcritten at redhat.com (Rob Crittenden) Date: Mon, 18 Oct 2010 15:52:55 -0400 Subject: [Freeipa-devel] [PATCH] fix merge_from_file test Message-ID: <4CBCA597.6040709@redhat.com> Pushed as 1-liner diff --git a/tests/test_ipalib/test_config.py b/tests/test_ipalib/test_config.py index d1ca55d..179ee1f 100644 --- a/tests/test_ipalib/test_config.py +++ b/tests/test_ipalib/test_config.py @@ -389,7 +389,7 @@ class test_Env(ClassChecker): assert o._merge_from_file(override) == (4, 6) for (k, v) in orig.items(): assert o[k] is v - assert list(o) == sorted(keys + ('key0', 'key1', 'key2', 'key3')) + assert list(o) == sorted(keys + ('key0', 'key1', 'key2', 'key3', 'confi g_loaded')) for i in xrange(4): assert o['key%d' % i] == ('var%d' % i) keys = tuple(o) rob From rcritten at redhat.com Mon Oct 18 19:55:01 2010 
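Review bot: in the test_config.py hunk of the "fix merge_from_file test" message above, the added assert on list(o) is long enough that it was wrapped in the mail, and the new key reads 'confi g_loaded' with a space in the middle, which looks like wrapping damage rather than the intended name. Anyone applying the patch from this message would end up asserting on a key with a space in it, so the pushed commit should be checked against the posted text. Building the expected tuple on its own line, for example expected = keys + ('key0', 'key1', 'key2', 'key3', 'config_loaded') followed by assert list(o) == sorted(expected), keeps the line short enough to survive mailing. A one-line comment saying why the extra key now appears after _merge_from_file() would also help the next reader, since the test otherwise only sets key0 through key3.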
From: rcritten at redhat.com (Rob Crittenden) Date: Mon, 18 Oct 2010 15:55:01 -0400 Subject: [Freeipa-devel] [Fwd: [PATCH] 582 allow rdn changes] In-Reply-To: <4CBCA149.8050602@redhat.com> References: <4CBCA149.8050602@redhat.com> Message-ID: <4CBCA615.1020806@redhat.com> Dmitri Pal wrote: > Do we plan/need to have a more convenient format? The setattr seems not > intuitive. > It seems it should be something like: > ipa user-mod --login=newlogin oldlogin > > But I understand it will affect a lot of CLIs if we do it right for all > renames. > Well... maybe exactly because of that we should do it sooner rather > than later. > Thoughts? I'm open to suggestions. I asked informally about this morning but we got side-tracked on another discussion and I never did get an answer whether this would be sufficient. It's easy enough to add this in as an option. The thing is we want this to be a very rare occurrence so making them look for how to do this isn't necessarily a bad thing. rob > > Thanks > Dmitri > > -------- Original Message -------- > Subject: [Freeipa-devel] [PATCH] 582 allow rdn changes > Date: Mon, 18 Oct 2010 14:57:17 -0400 > From: Rob Crittenden > To: freeipa-devel > > > > Allow RDN changes for users, groups, rolegroups and taskgroups. > > To do a change right now you have to perform a setattr like: > > ipa user-mod --setattr uid=newuser olduser > > The RDN change is performed before the rest of the mods. If the RDN > change is the only change done then the EmptyModlist that update_entry() > throws is ignored. > > ticket 323 > > rob > > > From edewata at redhat.com Mon Oct 18 20:33:36 2010 
From: edewata at redhat.com (Endi Sukma Dewata) Date: Mon, 18 Oct 2010 15:33:36 -0500 Subject: [Freeipa-devel] [PATCH] admiyo-freeipa-0058-password-dialog.patch In-Reply-To: <4CBC97BB.7060305@redhat.com> References: <4CB8A5FA.40804@redhat.com> <4CB8AA33.6050000@redhat.com> <4CBC97BB.7060305@redhat.com> Message-ID: <4CBCAF20.3060904@redhat.com> On 10/18/2010 1:53 PM, Adam Young wrote: > Now check the principal prior to calling passwd, and add that as a > parameter for non-selfservice case. ACK with note that there's an outstanding bug on password reset: https://fedorahosted.org/freeipa/ticket/390 -- Endi S. Dewata From ayoung at redhat.com Mon Oct 18 21:08:50 2010 From: ayoung at redhat.com (Adam Young) Date: Mon, 18 Oct 2010 17:08:50 -0400 Subject: [Freeipa-devel] [PATCH] admiyo-freeipa-0060-Default-search-limit-to-100.patch Message-ID: <4CBCB762.1090704@redhat.com> Trivial patch, coulda pushed under the 1 liner rule, but figured it was worth a second set of eyes. -------------- next part -------------- A non-text attachment was scrubbed... Name: admiyo-freeipa-0060-Default-search-limit-to-100.patch Type: text/x-patch Size: 833 bytes Desc: not available URL: From ssorce at redhat.com Mon Oct 18 21:15:29 2010 
From: ssorce at redhat.com (Simo Sorce) Date: Mon, 18 Oct 2010 17:15:29 -0400 Subject: [Freeipa-devel] [PATCH] #360 ipa-uuid plugin Message-ID: <20101018171529.498fcbc7@willson.li.ssimo.org> These 2 patches configure and load a new plugin that uses internal DS functions to generate UUIDs. The plugin is similar to DNA but instead of generating sequential numbers it generates UUIDs (type 1). These patches do not yet remove the UUID code in the framework. Simo. -- Simo Sorce * Red Hat, Inc * New York -------------- next part -------------- A non-text attachment was scrubbed... Name: 0001-ipa-uuid-DNA-like-plugin-that-generates-uuids.patch Type: text/x-patch Size: 41998 bytes Desc: not available URL: -------------- next part -------------- A non-text attachment was scrubbed... Name: 0002-ipa-uuid-enable-plugin-in-IPA.patch Type: text/x-patch Size: 2515 bytes Desc: not available URL: From admin at transifex.net Tue Oct 19 16:55:01 2010 
From: admin at transifex.net (admin at transifex.net) Date: Tue, 19 Oct 2010 16:55:01 -0000 Subject: [Freeipa-devel] [Transifex] File submitted via email to FreeIPA | master Message-ID: <20101019165501.15483.72501@web1.transifex.net> Hello freeipa, this is Transifex at http://www.transifex.net. The following attached files were submitted to FreeIPA | master by yurchor Please, visit Transifex at http://www.transifex.net/projects/p/freeipa/c/master/ in order to see the component page. Thank you, Transifex -------------- next part -------------- # Copyright (C) YEAR Red Hat # This file is distributed under the same license as the PACKAGE package. # # Yuri Chornoivan , 2010. msgid "" msgstr "" "Project-Id-Version: ipa\n" "Report-Msgid-Bugs-To: https://hosted.fedoraproject." "org/projects/freeipa/newticket\n" "POT-Creation-Date: 2010-10-13 14:22-0400\n" "PO-Revision-Date: 2010-10-19 19:53+0300\n" "Last-Translator: Yuri Chornoivan \n" "Language-Team: Ukrainian \n" "Language: uk\n" "MIME-Version: 1.0\n" "Content-Type: text/plain; charset=UTF-8\n" "Content-Transfer-Encoding: 8bit\n" "Plural-Forms: nplurals=4; plural=n==1 ? 3 : n%10==1 && n%100!=11 ? 0 : n%10>" "=2 && n%10<=4 && (n%100<10 || n%100>=20) ? 1 : 2;\n" "X-Generator: Lokalize 1.1\n" #: ipalib/cli.py:507 #, python-format msgid "Enter %(label)s again to verify: " msgstr "??????? %(label)s ?? ??? ??? ?????????: " #: ipalib/cli.py:511 ipa-client/ipa-getkeytab.c:730 #, c-format msgid "Passwords do not match!" msgstr "?????? ?? ??????????!" #: ipalib/cli.py:516 msgid "Cancelled." msgstr "?????????." #: ipalib/errors.py:297 #, python-format msgid "%(cver)s client incompatible with %(sver)s server at %(server)r" msgstr "?????? %(cver)s ? ?????????? ? ???????? %(sver)s ?? %(server)r" #: ipalib/errors.py:315 #, python-format msgid "unknown error %(code)d from %(server)s: %(error)s" msgstr "%(server)s ?????????? ??? ???????? ??????? 
%(code)d: %(error)s" #: ipalib/errors.py:331 msgid "an internal error has occurred" msgstr "??????? ????????? ???????" #: ipalib/errors.py:353 #, python-format msgid "an internal error has occurred on server at %(server)r" msgstr "?? ??????? %(server)r ??????? ????????? ???????" #: ipalib/errors.py:369 #, python-format msgid "unknown command %(name)r" msgstr "???????? ??????? %(name)r" #: ipalib/errors.py:386 ipalib/errors.py:411 #, python-format msgid "error on server %(server)r: %(error)s" msgstr "??????? ?? ??????? %(server)r: %(error)s" #: ipalib/errors.py:402 #, python-format msgid "cannot connect to %(uri)r: %(error)s" msgstr "?? ??????? ?????????? ????????? ? %(uri)r: %(error)s" #: ipalib/errors.py:420 #, python-format msgid "Invalid JSON-RPC request: %(error)s" msgstr "??????????? ????? JSON-RPC: %(error)s" #: ipalib/errors.py:448 #, python-format msgid "Kerberos error: %(major)s/%(minor)s" msgstr "??????? Kerberos: %(major)s/%(minor)s" #: ipalib/errors.py:465 msgid "did not receive Kerberos credentials" msgstr "?? ???????? ????????????? ????? Kerberos" #: ipalib/errors.py:481 #, python-format msgid "Service %(service)r not found in Kerberos database" msgstr "? ???? ????? Kerberos ?? ???????? ?????? %(service)r" #: ipalib/errors.py:497 msgid "No credentials cache found" msgstr "?? ???????? ???? ????????????? ?????" #: ipalib/errors.py:513 msgid "Ticket expired" msgstr "????? ????? ??? ??????" #: ipalib/errors.py:529 msgid "Credentials cache permissions incorrect" msgstr "????????? ????? ??????? ?? ???? ????????????? ?????" #: ipalib/errors.py:545 msgid "Bad format in credentials cache" msgstr "?????????? ?????? ???? ????????????? ?????" #: ipalib/errors.py:561 msgid "Cannot resolve KDC for requested realm" msgstr "?? ??????? ????????? KDC ??? ??????? ??????? (realm)" #: ipalib/errors.py:580 #, python-format msgid "Insufficient access: %(info)s" msgstr "?????????? ????? ??? 
???????: %(info)s" #: ipalib/errors.py:624 #, python-format msgid "command %(name)r takes no arguments" msgstr "??????? %(name)r ?? ??????? ?????? ??????????" #: ipalib/errors.py:644 #, python-format msgid "command %(name)r takes at most %(count)d argument" msgid_plural "command %(name)r takes at most %(count)d arguments" msgstr[0] "??????? %(name)r ??????? ?? ?????? %(count)d ?????????" msgstr[1] "??????? %(name)r ??????? ?? ?????? %(count)d ??????????" msgstr[2] "??????? %(name)r ??????? ?? ?????? %(count)d ??????????" msgstr[3] "??????? %(name)r ??????? ?? ?????? %(count)d ?????????" #: ipalib/errors.py:674 #, python-format msgid "overlapping arguments and options: %(names)r" msgstr "?????????? ?????????? ? ??????????: %(names)r" #: ipalib/errors.py:690 #, python-format msgid "%(name)r is required" msgstr "???? ??????? %(name)r" #: ipalib/errors.py:706 ipalib/errors.py:722 #, python-format msgid "invalid %(name)r: %(error)s" msgstr "?????????? %(name)r: %(error)s" #: ipalib/errors.py:738 #, python-format msgid "api has no such namespace: %(name)r" msgstr "api ?? ????? ?????? ???????? ????: %(name)r" #: ipalib/errors.py:747 msgid "Passwords do not match" msgstr "?????? ?? ??????????" #: ipalib/errors.py:755 msgid "Command not implemented" msgstr "??????? ?? ???????????" #: ipalib/errors.py:783 ipalib/errors.py:1023 ipalib/errors.py:1254 #, python-format msgid "%(reason)s" msgstr "%(reason)s" #: ipalib/errors.py:799 msgid "This entry already exists" msgstr "??? ????? ??? ?????" #: ipalib/errors.py:815 msgid "You must enroll a host in order to create a host service" msgstr "??? ???????? ?????? ?????, ??? ???? ????????????? ?????" #: ipalib/errors.py:831 #, python-format msgid "" "Service principal is not of the form: service/fully-qualified host name: %" "(reason)s" msgstr "" "????????????? ????? ?????? ??????? ? ?????, ????????? ???: ??????/????? " "????? 
?????: %(reason)s" #: ipalib/errors.py:847 msgid "" "The realm for the principal does not match the realm for this IPA server" msgstr "" "??????? ??? ?????????????? ?????? ?? ?????????? ? ??????? ????? ??????? IPA" #: ipalib/errors.py:863 msgid "This command requires root access" msgstr "??? ????????? ???? ??????? ???????? ????? ??????? ??????????? root" #: ipalib/errors.py:879 msgid "This is already a posix group" msgstr "??? ? posix-??????" #: ipalib/errors.py:895 #, python-format msgid "Principal is not of the form user at REALM: %(principal)r" msgstr "" "????????????? ????? ??????? ? ?????, ????????? ??? ??????????@???????: %" "(principal)r" #: ipalib/errors.py:911 msgid "This entry is already unlocked" msgstr "??? ????? ??? ????????????" #: ipalib/errors.py:927 msgid "This entry is already locked" msgstr "??? ????? ??? ???????????" #: ipalib/errors.py:943 msgid "This entry has nsAccountLock set, it cannot be locked or unlocked" msgstr "" "??? ????? ?????? ??????????? ??????? nsAccountLock, ????? ?? ????? " "??????????? ??? ????????????" #: ipalib/errors.py:959 msgid "This entry is not a member of the group" msgstr "??? ????? ?? ? ????????? ?????" #: ipalib/errors.py:975 msgid "A group may not be a member of itself" msgstr "????? ?? ???? ???? ????????? ????? ????" #: ipalib/errors.py:991 msgid "This entry is already a member of the group" msgstr "??? ????? ??? ? ????????? ?????" #: ipalib/errors.py:1007 #, python-format msgid "Base64 decoding failed: %(reason)s" msgstr "??????? ??????????? Base64: %(reason)s" #: ipalib/errors.py:1039 msgid "A group may not be added as a member of itself" msgstr "????? ?? ???? ???? ?????? ?? ??????? ????? ????" #: ipalib/errors.py:1055 msgid "The default users group cannot be removed" msgstr "?? ????? ???????? ?????? ????? ????????????" #: ipalib/errors.py:1071 msgid "Host does not have corresponding DNS A record" msgstr "????? ?? ??? ???????????? ?????? 
DNS A" #: ipalib/errors.py:1086 msgid "Deleting a managed group is not allowed. It must be detached first." msgstr "????????? ????????? ???? ??????????. ???????? ????? ???? ??????????." #: ipalib/errors.py:1109 #, python-format msgid "no command nor help topic %(topic)r" msgstr "?? ???????? ?? ???????, ?? ?????? ??????? %(topic)r" #: ipalib/errors.py:1133 msgid "change collided with another change" msgstr "????? ?????????? ? ????? ???????? ??????" #: ipalib/errors.py:1149 msgid "no modifications to be performed" msgstr "???? ?? ???????" #: ipalib/errors.py:1165 #, python-format msgid "%(desc)s:%(info)s" msgstr "%(desc)s:%(info)s" #: ipalib/errors.py:1181 msgid "limits exceeded for this query" msgstr "??? ??????? ?????????? ?????????" #: ipalib/errors.py:1196 #, python-format msgid "%(info)s" msgstr "%(info)s" #: ipalib/errors.py:1221 #, python-format msgid "Certificate operation cannot be completed: %(error)s" msgstr "?? ??????? ????????? ??? ? ????????????: %(error)s" #: ipalib/errors.py:1237 #, python-format msgid "Certificate format error: %(error)s" msgstr "??????? ???????????? ???????????: %(error)s" #: ipalib/frontend.py:380 msgid "Results are truncated, try a more specific search" msgstr "" "?????? ??????????? ????????. ????????? ??????? ????????? ???????? ??????." #: ipalib/frontend.py:797 ipalib/plugins/misc.py:47 msgid "retrieve all attributes" msgstr "???????? ??? ????????" #: ipalib/frontend.py:803 msgid "print entries as stored on the server" msgstr "??????? ?????? ? ?????, ? ???? ???? ???????????? ?? ???????" #: ipalib/frontend.py:940 msgid "Forward to server instead of running locally" msgstr "?????????????? ?? ?????? ??????? ?????????? ?????????" #: ipalib/output.py:92 msgid "A dictionary representing an LDAP entry" msgstr "???????, ?? ?????????? ?????? LDAP" #: ipalib/output.py:100 msgid "A list of LDAP entries" msgstr "?????? ??????? LDAP" #: ipalib/output.py:111 msgid "All commands should at least have a result" msgstr "????????? ???? ?????? ??? 
?????????? ?? ??????? ??????????" #: ipalib/parameters.py:295 msgid "incorrect type" msgstr "?????????? ???" #: ipalib/parameters.py:298 msgid "Only one value is allowed" msgstr "????? ??????????????? ???? ???? ????????" #: ipalib/parameters.py:877 msgid "must be True or False" msgstr "??? ??????????? True ??? False" #: ipalib/parameters.py:978 msgid "must be an integer" msgstr "??? ???? ????? ??????" #: ipalib/parameters.py:1029 #, python-format msgid "must be at least %(minvalue)d" msgstr "??? ???? ??????, ?? ?????? ?? %(minvalue)d" #: ipalib/parameters.py:1039 #, python-format msgid "can be at most %(maxvalue)d" msgstr "?? ???? ???????????? %(maxvalue)d" #: ipalib/parameters.py:1049 msgid "must be a decimal number" msgstr "??? ???? ?????????? ??????" #: ipalib/parameters.py:1071 #, python-format msgid "must be at least %(minvalue)f" msgstr "??? ???? ??????, ?? ?????? ?? %(minvalue)f" #: ipalib/parameters.py:1081 #, python-format msgid "can be at most %(maxvalue)f" msgstr "?? ???? ???????????? %(maxvalue)f" #: ipalib/parameters.py:1145 #, python-format msgid "must match pattern \"%(pattern)s\"" msgstr "??? ??????????? ??????? ?%(pattern)s?" #: ipalib/parameters.py:1163 msgid "must be binary data" msgstr "??? ???? ????????? ??????" #: ipalib/parameters.py:1179 #, python-format msgid "must be at least %(minlength)d bytes" msgstr "??? ???? ????????, ?? ????? ?? %(minlength)d ??????" #: ipalib/parameters.py:1189 #, python-format msgid "can be at most %(maxlength)d bytes" msgstr "?? ??????? ???????????? ?? ???????? %(maxlength)d ??????" #: ipalib/parameters.py:1199 #, python-format msgid "must be exactly %(length)d bytes" msgstr "??? ???? ???????? ????? ? %(length)d ??????" #: ipalib/parameters.py:1217 msgid "must be Unicode text" msgstr "??? ???? ??????? ? Unicode" #: ipalib/parameters.py:1248 #, python-format msgid "must be at least %(minlength)d characters" msgstr "??? ???? ?? ?????? ?? %(minlength)d ???????? ????????" 
#: ipalib/parameters.py:1258 #, python-format msgid "can be at most %(maxlength)d characters" msgstr "?? ??????? ???????????? %(maxlength)d ???????? ? ???????" #: ipalib/parameters.py:1268 #, python-format msgid "must be exactly %(length)d characters" msgstr "??? ???? ????? %(length)d ???????? ? ???????" #: ipalib/parameters.py:1307 #, python-format msgid "must be one of %(values)r" msgstr "??? ???? ????? ?? ????? ???????: %(values)r" #: ipalib/plugins/aci.py:111 msgid "A list of ACI values" msgstr "?????? ??????? ACI" #: ipalib/plugins/aci.py:142 msgid "type, filter, subtree and targetgroup are mutually exclusive" msgstr "type, filter, subtree ? targetgroup ? ????????????????" #: ipalib/plugins/aci.py:145 msgid "" "at least one of: type, filter, subtree, targetgroup, attrs or memberof are " "required" msgstr "" "???? ??????? ???? ? ???? ?: type, filter, subtree, targetgroup, attrs ??? " "memberof" #: ipalib/plugins/aci.py:151 msgid "group, taskgroup and self are mutually exclusive" msgstr "group, taskgroup ? self ? ????????????????" #: ipalib/plugins/aci.py:153 msgid "One of group, taskgroup or self is required" msgstr "???? ??????? group, taskgroup ??? self" #: ipalib/plugins/aci.py:172 #, python-format msgid "Group '%s' does not exist" msgstr "????? ? ?????? ?%s? ?? ?????" #: ipalib/plugins/aci.py:269 #, python-format msgid "ACI with name \"%s\" not found" msgstr "?? ???????? ACI ? ?????? ?%s?" #: ipalib/plugins/aci.py:286 msgid "ACIs" msgstr "ACI" #: ipalib/plugins/aci.py:291 msgid "ACI name" msgstr "????? ACI" #: ipalib/plugins/aci.py:296 msgid "Taskgroup" msgstr "????? ???????" #: ipalib/plugins/aci.py:297 msgid "Taskgroup ACI grants access to" msgstr "????? ???????, ?? ???? ????? ?????? ACI" #: ipalib/plugins/aci.py:301 msgid "User group" msgstr "????? ????????????" #: ipalib/plugins/aci.py:302 msgid "User group ACI grants access to" msgstr "????? ????????????, ?? ???? ????? ?????? ACI" #: ipalib/plugins/aci.py:306 msgid "Permissions" msgstr "????? ???????" 
#: ipalib/plugins/aci.py:307 msgid "" "comma-separated list of permissions to grant(read, write, add, delete, all)" msgstr "" "????????????? ?????? ?????? ???? ???????, ??? ???? ?????? (read, write, add, " "delete, all)" #: ipalib/plugins/aci.py:313 msgid "Attributes" msgstr "????????" #: ipalib/plugins/aci.py:314 msgid "Comma-separated list of attributes" msgstr "?????? ?????????, ????????????? ??????" #: ipalib/plugins/aci.py:318 msgid "Type" msgstr "???" #: ipalib/plugins/aci.py:319 msgid "type of IPA object (user, group, host)" msgstr "??? ??????? IPA (??????????, ?????, ?????)" #: ipalib/plugins/aci.py:324 msgid "Member of" msgstr "???????" #: ipalib/plugins/aci.py:325 msgid "Member of a group" msgstr "??????? ?????" #: ipalib/plugins/aci.py:329 msgid "Filter" msgstr "??????" #: ipalib/plugins/aci.py:330 msgid "Legal LDAP filter (e.g. ou=Engineering)" msgstr "??????????? ?????? LDAP (?????????, ou=Engineering)" #: ipalib/plugins/aci.py:334 msgid "Subtree" msgstr "?????????" #: ipalib/plugins/aci.py:335 msgid "Subtree to apply ACI to" msgstr "?????????, ?? ????? ???? ??????????? ACI" #: ipalib/plugins/aci.py:339 msgid "Target group" msgstr "??????? ?????" #: ipalib/plugins/aci.py:340 msgid "Group to apply ACI to" msgstr "?????, ?? ???? ???? ??????????? ACI" #: ipalib/plugins/aci.py:344 msgid "Target your own entry (self)" msgstr "???????? ??? ??????? ??????? (self)" #: ipalib/plugins/aci.py:345 msgid "Apply ACI to your own entry (self)" msgstr "??????????? ACI ?? ?????? ???????? ?????? (self)" #: ipalib/plugins/aci.py:357 #, python-format msgid "Created ACI \"%(value)s\"" msgstr "???????? ACI ?%(value)s?" #: ipalib/plugins/aci.py:407 #, python-format msgid "Deleted ACI \"%(value)s\"" msgstr "???????? ACI ?%(value)s?" #: ipalib/plugins/aci.py:447 #, python-format msgid "Modified ACI \"%(value)s\"" msgstr "??????? ACI ?%(value)s?" 
#: ipalib/plugins/aci.py:519 #, python-format msgid "%(count)d ACI matched" msgid_plural "%(count)d ACIs matched" msgstr[0] "??????????? ????????????? %(count)d ACI" msgstr[1] "??????????? ????????????? %(count)d ACI" msgstr[2] "??????????? ????????????? %(count)d ACI" msgstr[3] "??????????? ????????????? %(count)d ACI" #: ipalib/plugins/automount.py:103 msgid "Automount" msgstr "??????????? ??????????" #: ipalib/plugins/automount.py:109 ipalib/plugins/host.py:134 msgid "Location" msgstr "????????????" #: ipalib/plugins/automount.py:110 msgid "Automount location name" msgstr "?????? ??????????????" #: ipalib/plugins/automount.py:226 msgid "Map" msgstr "?????" #: ipalib/plugins/automount.py:227 msgid "Automount map name" msgstr "????? ????? ????????????? ??????????" #: ipalib/plugins/automount.py:232 ipalib/plugins/group.py:108 #: ipalib/plugins/hbac.py:151 ipalib/plugins/hbacsvc.py:72 #: ipalib/plugins/hbacsvcgroup.py:77 ipalib/plugins/host.py:124 #: ipalib/plugins/hostgroup.py:81 ipalib/plugins/netgroup.py:96 #: ipalib/plugins/rolegroup.py:90 ipalib/plugins/sudocmd.py:71 #: ipalib/plugins/sudocmdgroup.py:77 ipalib/plugins/sudorule.py:58 #: ipalib/plugins/taskgroup.py:62 msgid "Description" msgstr "????" #: ipalib/plugins/automount.py:236 msgid "Automount Maps" msgstr "????? ????????????? ??????????" #: ipalib/plugins/automount.py:308 msgid "Key" msgstr "????" #: ipalib/plugins/automount.py:309 msgid "Automount key name" msgstr "????? ????? ????????????? ??????????" #: ipalib/plugins/automount.py:314 msgid "Mount information" msgstr "?????????? ???? ??????????" #: ipalib/plugins/automount.py:318 msgid "description" msgstr "????" #: ipalib/plugins/automount.py:322 msgid "Automount Keys" msgstr "????? ??????????????" #: ipalib/plugins/automount.py:342 msgid "Mount point" msgstr "????? ??????????" #: ipalib/plugins/automount.py:346 msgid "Parent map" msgstr "??????????? ?????" 
#: ipalib/plugins/automount.py:347 msgid "Name of parent automount map (default: auto.master)" msgstr "????? ???????????? ????? ?????????????? (?????? ????????: auto.master)" #: ipalib/plugins/baseldap.py:79 #, python-format msgid "container entry (%(container)s) not found" msgstr "?? ???????? ????? ?????????? (%(container)s)" #: ipalib/plugins/baseldap.py:80 #, python-format msgid "%(parent)s: %(oname)s not found" msgstr "%(parent)s: ?? ???????? %(oname)s" #: ipalib/plugins/baseldap.py:81 #, python-format msgid "%(pkey)s: %(oname)s not found" msgstr "%(pkey)s: ?? ???????? %(oname)s" #: ipalib/plugins/baseldap.py:150 msgid "Add an attribute/value pair. Format is attr=value" msgstr "?????? ???? ???????-????????. ??????: ???????=????????" #: ipalib/plugins/baseldap.py:155 msgid "Set an attribute to an name/value pair. Format is attr=value" msgstr "?????????? ??? ???????? ???? ?????-????????. ??????: ???????=????????" #: ipalib/plugins/baseldap.py:359 msgid "Continuous mode: Don't stop on errors." msgstr "????? ??????????? ??????: ?? ?????????? ? ???? ???????." #: ipalib/plugins/baseldap.py:517 msgid "the entry was deleted while being modified" msgstr "????? ???? ???????? ??? ??? ???????? ????" #: ipalib/plugins/baseldap.py:674 msgid "Members that could not be added" msgstr "????????, ?????? ???? ?? ??????? ??????" #: ipalib/plugins/baseldap.py:678 msgid "Number of members added" msgstr "????????? ??????? ?????????" #: ipalib/plugins/baseldap.py:684 ipalib/plugins/baseldap.py:789 msgid "Failed members" msgstr "????????? ????????" #: ipalib/plugins/baseldap.py:779 msgid "Members that could not be removed" msgstr "????????, ?????? ???? ?? ??????? ????????" #: ipalib/plugins/baseldap.py:783 msgid "Number of members removed" msgstr "????????? ????????? ?????????" #: ipalib/plugins/baseldap.py:880 msgid "Time Limit" msgstr "????????? ????" #: ipalib/plugins/baseldap.py:881 msgid "Time limit of search in seconds" msgstr "????????? ???? ?????? ? ????????" 
#: ipalib/plugins/baseldap.py:887 msgid "Size Limit" msgstr "????????? ???????" #: ipalib/plugins/baseldap.py:888 msgid "Maximum number of entries returned" msgstr "??????????? ????????? ?????????? ???????" #: ipalib/plugins/cert.py:93 msgid "Failure decoding Certificate Signing Request:" msgstr "??????? ??? ??? ??????????? ?????? ?? ???????????? ??????????? (CSR):" #: ipalib/plugins/cert.py:106 ipalib/plugins/cert.py:118 msgid "Failure decoding Certificate Signing Request" msgstr "??????? ??? ??? ??????????? ?????? ?? ???????????? ??????????? (CSR)" #: ipalib/plugins/cert.py:120 #, python-format msgid "Failure decoding Certificate Signing Request: %s" msgstr "" "??????? ??? ??? ??????????? ?????? ?? ???????????? ??????????? (CSR): %s" #: ipalib/plugins/cert.py:171 ipalib/plugins/service.py:197 msgid "Principal" msgstr "????????????? ?????" #: ipalib/plugins/cert.py:172 msgid "Service principal for this certificate (e.g. HTTP/test.example.com)" msgstr "" "????????????? ????? ?????? ??? ????? ??????????? (????????? HTTP/test." "example.com)" #: ipalib/plugins/cert.py:179 msgid "automatically add the principal if it doesn't exist" msgstr "??????????? ?????? ????????????? ?????, ???? ???? ?? ?????" #: ipalib/plugins/cert.py:187 ipalib/plugins/cert.py:392 #: ipalib/plugins/host.py:154 ipalib/plugins/service.py:204 msgid "Certificate" msgstr "??????????" #: ipalib/plugins/cert.py:191 ipalib/plugins/cert.py:395 msgid "Subject" msgstr "??????" #: ipalib/plugins/cert.py:195 ipalib/plugins/cert.py:398 msgid "Issuer" msgstr "????????" #: ipalib/plugins/cert.py:199 ipalib/plugins/cert.py:401 msgid "Not Before" msgstr "?? ??????" #: ipalib/plugins/cert.py:203 ipalib/plugins/cert.py:404 msgid "Not After" msgstr "?? ???????" #: ipalib/plugins/cert.py:207 ipalib/plugins/cert.py:407 msgid "Fingerprint (MD5)" msgstr "???????? (MD5)" #: ipalib/plugins/cert.py:211 ipalib/plugins/cert.py:410 msgid "Fingerprint (SHA1)" msgstr "???????? 
(SHA1)" #: ipalib/plugins/cert.py:215 ipalib/plugins/cert.py:379 msgid "Serial number" msgstr "???????? ?????" #: ipalib/plugins/cert.py:223 ipalib/plugins/misc.py:57 msgid "Dictionary mapping variable name to value" msgstr "???????????? ????? ??????? ?? ???????? ?? ?????????" #: ipalib/plugins/cert.py:357 msgid "Request id" msgstr "??. ??????" #: ipalib/plugins/cert.py:363 msgid "Request status" msgstr "???? ??????" #: ipalib/plugins/cert.py:380 msgid "Serial number in decimal or if prefixed with 0x in hexadecimal" msgstr "???????? ?????????? ????? ??? ??????????????? ????? ? ????????? 0x" #: ipalib/plugins/cert.py:413 msgid "Revocation reason" msgstr "??????? ???????????" #: ipalib/plugins/cert.py:458 msgid "Revoked" msgstr "???????????" #: ipalib/plugins/cert.py:466 msgid "Reason" msgstr "????????" #: ipalib/plugins/cert.py:467 msgid "Reason for revoking the certificate (0-10)" msgstr "??????? ??????????? ??????????? (0-10)" #: ipalib/plugins/cert.py:502 msgid "Unrevoked" msgstr "??????????? ?????????" #: ipalib/plugins/cert.py:505 msgid "Error" msgstr "???????" #: ipalib/plugins/config.py:73 msgid "Configuration" msgstr "????????????" #: ipalib/plugins/config.py:78 msgid "Max username length" msgstr "????. ??????? ????? ???????????" #: ipalib/plugins/config.py:83 msgid "Home directory base" msgstr "?????? ???????? ?????????" #: ipalib/plugins/config.py:84 msgid "Default location of home directories" msgstr "?????? ?????? ???????? ?????????" #: ipalib/plugins/config.py:88 msgid "Default shell" msgstr "?????? ????????" #: ipalib/plugins/config.py:89 msgid "Default shell for new users" msgstr "?????? ???????? ??? ????? ????????????" #: ipalib/plugins/config.py:93 msgid "Default users group" msgstr "?????? ????? ????????????" #: ipalib/plugins/config.py:94 msgid "Default group for new users" msgstr "?????? ????? ??? ????? ????????????" #: ipalib/plugins/config.py:98 msgid "Default e-mail domain" msgstr "??????? ????? ??. ?????" 
#: ipalib/plugins/config.py:99 msgid "Default e-mail domain new users" msgstr "??????? ????? ??????????? ????? ??? ????? ????????????" #: ipalib/plugins/config.py:103 msgid "Search time limit" msgstr "????????? ???? ??????" #: ipalib/plugins/config.py:104 msgid "Max. amount of time (sec.) for a search (-1 is unlimited)" msgstr "" "???????????? ???????? ???? (? ????????) ??? ????????? ?????? ??? ? ?????? (-" "1 ? ??? ????????)" #: ipalib/plugins/config.py:109 msgid "Search size limit" msgstr "????????? ??????? ??????" #: ipalib/plugins/config.py:110 msgid "Max. number of records to search (-1 is unlimited)" msgstr "??????????? ????????? ??????? ??????????? ?????? (-1 ? ??? ????????)" #: ipalib/plugins/config.py:115 msgid "User search fields" msgstr "???? ?????? ????????????" #: ipalib/plugins/config.py:116 msgid "A comma-separated list of fields to search when searching for users" msgstr "" "????????????? ?????? ?????? ?????, ?? ????? ???????????????? ????? " "????????????" #: ipalib/plugins/config.py:121 msgid "A comma-separated list of fields to search when searching for groups" msgstr "" "????????????? ?????? ?????? ?????, ?? ????? ???????????????? ????? ????" #: ipalib/plugins/config.py:125 msgid "Migration mode" msgstr "????? ????????" #: ipalib/plugins/config.py:126 msgid "Enable migration mode" msgstr "????????? ????? ????????" #: ipalib/plugins/config.py:130 msgid "Certificate Subject base" msgstr "??????? ?????? ????????????" #: ipalib/plugins/config.py:131 msgid "Base for certificate subjects (OU=Test,O=Example)" msgstr "?????? ??? ????????? ??????? ???????? ???????????? (OU=Test,O=Example)" #: ipalib/plugins/dns.py:131 msgid "DNS" msgstr "DNS" #: ipalib/plugins/dns.py:136 msgid "Zone" msgstr "????" #: ipalib/plugins/dns.py:137 msgid "Zone name (FQDN)" msgstr "????? ???? (FQDN)" #: ipalib/plugins/dns.py:143 msgid "Authoritative name server" msgstr "???????? ?????? ????" #: ipalib/plugins/dns.py:147 msgid "administrator e-mail address" msgstr "?????? 
??????????? ????? ??????????????" #: ipalib/plugins/dns.py:153 msgid "SOA serial" msgstr "???????? ????? SOA" #: ipalib/plugins/dns.py:157 msgid "SOA refresh" msgstr "????????? SOA" #: ipalib/plugins/dns.py:161 msgid "SOA retry" msgstr "?????????? ?????? SOA" #: ipalib/plugins/dns.py:165 msgid "SOA expire" msgstr "???????????? SOA" #: ipalib/plugins/dns.py:169 msgid "SOA minimum" msgstr "??????????? SOA" #: ipalib/plugins/dns.py:173 msgid "SOA time to live" msgstr "????? ??? SOA" #: ipalib/plugins/dns.py:177 msgid "SOA class" msgstr "???? SOA" #: ipalib/plugins/dns.py:182 msgid "allow dynamic update?" msgstr "????????? ????????? ??????????" #: ipalib/plugins/dns.py:186 msgid "BIND update policy" msgstr "??????? ????????? BIND" #: ipalib/plugins/dns.py:426 ipalib/plugins/dns.py:460 #: ipalib/plugins/dns.py:495 ipalib/plugins/dns.py:610 #: ipalib/plugins/dns.py:695 ipalib/plugins/dns.py:819 msgid "Zone name" msgstr "????? ????" #: ipalib/plugins/dns.py:500 msgid "resource name" msgstr "????? ???????" #: ipalib/plugins/dns.py:505 ipalib/plugins/dns.py:620 #: ipalib/plugins/dns.py:711 msgid "Record type" msgstr "??? ??????" #: ipalib/plugins/dns.py:509 ipalib/plugins/dns.py:624 msgid "Data" msgstr "????" #: ipalib/plugins/dns.py:510 ipalib/plugins/dns.py:625 msgid "Type-specific data" msgstr "?????????? ??? ???? ????" #: ipalib/plugins/dns.py:517 msgid "Time to live" msgstr "????? ???" #: ipalib/plugins/dns.py:522 msgid "Class" msgstr "????" #: ipalib/plugins/dns.py:615 ipalib/plugins/dns.py:707 #: ipalib/plugins/dns.py:824 msgid "Resource name" msgstr "????? ???????" #: ipalib/plugins/dns.py:700 msgid "Search criteria" msgstr "???????? ??????" #: ipalib/plugins/dns.py:715 msgid "type-specific data" msgstr "?????????? ??? ???? ????" #: ipalib/plugins/dns.py:865 #, python-format msgid "Found '%(value)s'" msgstr "???????? ?%(value)s?" #: ipalib/plugins/dns.py:869 msgid "Hostname" msgstr "????? ?????" 
#: ipalib/plugins/dns.py:882 #, python-format msgid "Host '%(host)s' not found" msgstr "????? ?%(host)s? ?? ????????" #: ipalib/plugins/group.py:94 msgid "User Groups" msgstr "????? ????????????" #: ipalib/plugins/group.py:102 msgid "Group name" msgstr "????? ?????" #: ipalib/plugins/group.py:109 ipalib/plugins/sudocmdgroup.py:78 msgid "Group description" msgstr "???? ?????" #: ipalib/plugins/group.py:113 msgid "GID" msgstr "GID" #: ipalib/plugins/group.py:114 msgid "GID (use this option to set it manually)" msgstr "GID (?? ????????? ????? ????????? ????? ?????????? ???????? ??????)" #: ipalib/plugins/group.py:117 ipalib/plugins/rolegroup.py:94 #: ipalib/plugins/taskgroup.py:66 msgid "Member groups" msgstr "?????-????????" #: ipalib/plugins/group.py:121 ipalib/plugins/rolegroup.py:98 #: ipalib/plugins/taskgroup.py:70 msgid "Member users" msgstr "???????????-????????" #: ipalib/plugins/group.py:134 #, python-format msgid "Added group \"%(value)s\"" msgstr "?????? ????? ?%(value)s?" #: ipalib/plugins/group.py:139 msgid "Create as a non-POSIX group?" msgstr "???????? ?? ?????, ?? ?? ?????????? POSIX?" #: ipalib/plugins/group.py:160 #, python-format msgid "Deleted group \"%(value)s\"" msgstr "???????? ????? ?%(value)s?" #: ipalib/plugins/group.py:191 #, python-format msgid "Modified group \"%(value)s\"" msgstr "??????? ????? ?%(value)s?" #: ipalib/plugins/group.py:196 msgid "change to a POSIX group" msgstr "??????? ?? ????? POSIX" #: ipalib/plugins/group.py:222 ipalib/plugins/hbacsvcgroup.py:129 #, python-format msgid "%(count)d group matched" msgid_plural "%(count)d groups matched" msgstr[0] "??????????? ????????????? %(count)d ?????" msgstr[1] "??????????? ????????????? %(count)d ????" msgstr[2] "??????????? ????????????? %(count)d ????" msgstr[3] "??????????? ????????????? %(count)d ?????" #: ipalib/plugins/group.py:257 #, python-format msgid "Detached group \"%(value)s\" from user \"%(value)s\"" msgstr "?????????? ????? ?%(value)s? ??? ??????????? ?%(value)s?" 
#: ipalib/plugins/group.py:273 msgid "not allowed to modify user entries" msgstr "?????????? ????????? ?????? ????????????" #: ipalib/plugins/group.py:277 msgid "not allowed to modify group entries" msgstr "?????????? ????????? ?????? ????" #: ipalib/plugins/group.py:284 ipalib/plugins/group.py:295 msgid "Not a managed group" msgstr "?? ? ????????? ??????" #: ipalib/plugins/hbac.py:106 msgid "HBAC" msgstr "HBAC" #: ipalib/plugins/hbac.py:111 ipalib/plugins/sudorule.py:53 msgid "Rule name" msgstr "????? ???????" #: ipalib/plugins/hbac.py:116 msgid "Rule type (allow or deny)" msgstr "??? ??????? (????????? (allow) ?? ?????????? (deny))" #: ipalib/plugins/hbac.py:117 msgid "Rule type" msgstr "??? ???????" #: ipalib/plugins/hbac.py:123 msgid "User category" msgstr "????????? ????????????" #: ipalib/plugins/hbac.py:124 msgid "User category the rule applies to" msgstr "????????? ????????????, ?? ???? ?????????????? ???????" #: ipalib/plugins/hbac.py:129 msgid "Host category" msgstr "????????? ??????" #: ipalib/plugins/hbac.py:130 msgid "Host category the rule applies to" msgstr "????????? ??????, ?? ???? ?????????????? ???????" #: ipalib/plugins/hbac.py:135 msgid "Source host category" msgstr "????????? ?????? ???????? ?????" #: ipalib/plugins/hbac.py:136 msgid "Source host category the rule applies to" msgstr "????????? ?????? ???????? ?????, ?? ???? ?????????????? ???????" #: ipalib/plugins/hbac.py:141 msgid "Service category" msgstr "????????? ?????" #: ipalib/plugins/hbac.py:142 msgid "Service category the rule applies to" msgstr "????????? ?????, ?? ???? ?????????????? ???????" #: ipalib/plugins/hbac.py:147 ipalib/plugins/hbac.py:325 #: ipalib/plugins/hbac.py:363 msgid "Access time" msgstr "??? ???????" #: ipalib/plugins/hbac.py:154 msgid "Enabled" msgstr "?????????" #: ipalib/plugins/hbac.py:158 ipalib/plugins/sudorule.py:61 #: ipalib/plugins/user.py:76 msgid "Users" msgstr "???????????" 
#: ipalib/plugins/hbac.py:162 ipalib/plugins/host.py:113 #: ipalib/plugins/sudorule.py:65 msgid "Hosts" msgstr "?????" #: ipalib/plugins/hbac.py:166 ipalib/plugins/hostgroup.py:69 #: ipalib/plugins/sudorule.py:69 msgid "Host Groups" msgstr "????? ??????" #: ipalib/plugins/hbac.py:170 msgid "Source hosts" msgstr "????? ???????? ?????" #: ipalib/plugins/hbac.py:174 ipalib/plugins/hbacsvc.py:60 #: ipalib/plugins/service.py:192 msgid "Services" msgstr "??????" #: ipalib/plugins/hbac.py:178 msgid "Service Groups" msgstr "????? ?????" #: ipalib/plugins/hbacsvc.py:65 msgid "Service name" msgstr "????? ??????" #: ipalib/plugins/hbacsvc.py:66 msgid "HBAC Service" msgstr "?????? HBAC" #: ipalib/plugins/hbacsvc.py:73 msgid "Description of service" msgstr "???? ??????" #: ipalib/plugins/hbacsvc.py:84 ipalib/plugins/service.py:216 #, python-format msgid "Added service \"%(value)s\"" msgstr "?????? ?????? ?%(value)s?" #: ipalib/plugins/hbacsvc.py:93 ipalib/plugins/service.py:255 #, python-format msgid "Deleted service \"%(value)s\"" msgstr "???????? ?????? ?%(value)s?" #: ipalib/plugins/hbacsvcgroup.py:66 msgid "HBAC Service Groups" msgstr "????? ????? HBAC" #: ipalib/plugins/hbacsvcgroup.py:71 msgid "Service group name" msgstr "????? ????? ?????" #: ipalib/plugins/hbacsvcgroup.py:78 msgid "HBAC service group description" msgstr "???? ????? ????? HBAC" #: ipalib/plugins/hbacsvcgroup.py:81 msgid "Member services" msgstr "?????? ?????????" #: ipalib/plugins/hbacsvcgroup.py:85 msgid "Member service groups" msgstr "????? ????? ?????????" #: ipalib/plugins/hbacsvcgroup.py:101 #, python-format msgid "Added HBAC Service group \"%(value)s\"" msgstr "?????? ????? ????? HBAC ?%(value)s?" #: ipalib/plugins/hbacsvcgroup.py:110 #, python-format msgid "Deleted HBAC Service group \"%(value)s\"" msgstr "???????? ????? ????? HBAC ?%(value)s?" #: ipalib/plugins/hbacsvcgroup.py:119 #, python-format msgid "Modified HBAC Service group \"%(value)s\"" msgstr "??????? ????? ????? HBAC ?%(value)s?" 
#: ipalib/plugins/host.py:86 msgid "Fully-qualified hostname required" msgstr "???? ??????? ????? ????? ????????" #: ipalib/plugins/host.py:118 msgid "Host name" msgstr "????? ?????" #: ipalib/plugins/host.py:125 msgid "A description of this host" msgstr "???? ????? ?????" #: ipalib/plugins/host.py:129 msgid "Locality" msgstr "??????" #: ipalib/plugins/host.py:130 msgid "Host locality (e.g. \"Baltimore, MD\")" msgstr "?????? ???????????? ????? (?????????, ?????, ????????)" #: ipalib/plugins/host.py:135 msgid "Host location (e.g. \"Lab 2\")" msgstr "???????????? ????? (?????????, ?Lab 2?)" #: ipalib/plugins/host.py:139 msgid "Platform" msgstr "?????????" #: ipalib/plugins/host.py:140 msgid "Host hardware platform (e.g. \"Lenovo T61\")" msgstr "???????? ????????? ????? (?????????, ?Lenovo T61?)" #: ipalib/plugins/host.py:144 msgid "Operating system" msgstr "?????????? ???????" #: ipalib/plugins/host.py:145 msgid "Host operating system and version (e.g. \"Fedora 9\")" msgstr "?????????? ??????? ????? ? ?? ?????? (?????????, ?Fedora 9\")" #: ipalib/plugins/host.py:149 msgid "User password" msgstr "?????? ???????????" #: ipalib/plugins/host.py:150 msgid "Password used in bulk enrollment" msgstr "?????? ??? ?????????? ????????? ?????????????? ????????" #: ipalib/plugins/host.py:155 ipalib/plugins/service.py:205 msgid "Base-64 encoded server certificate" msgstr "?????????? ??????? ? ????????? Base-64" #: ipalib/plugins/host.py:158 ipalib/plugins/host.py:274 msgid "Principal name" msgstr "????? ?????????????? ??????" #: ipalib/plugins/host.py:162 ipalib/plugins/hostgroup.py:93 msgid "Member of host-groups" msgstr "??????? ????? ??????" #: ipalib/plugins/host.py:166 msgid "Member of net-groups" msgstr "??????? ????????? ?????" #: ipalib/plugins/host.py:170 msgid "Member of role-groups" msgstr "??????? ????? ?????" #: ipalib/plugins/host.py:199 #, python-format msgid "Added host \"%(value)s\"" msgstr "?????? ????? ?%(value)s?" 
#: ipalib/plugins/host.py:202 msgid "force host name even if not in DNS" msgstr "????????? ???????? ????? ?????, ?????? ???? ????? ????? ? DNS" #: ipalib/plugins/host.py:235 #, python-format msgid "Deleted host \"%(value)s\"" msgstr "???????? ????? ?%(value)s?" #: ipalib/plugins/host.py:269 #, python-format msgid "Modified host \"%(value)s\"" msgstr "??????? ????? ?%(value)s?" #: ipalib/plugins/host.py:275 msgid "Kerberos principal name for this host" msgstr "????? ?????????????? ?????? Kerberos ??? ????? ?????" #: ipalib/plugins/host.py:319 #, python-format msgid "%(count)d host matched" msgid_plural "%(count)d hosts matched" msgstr[0] "??????????? ????????????? %(count)d ?????" msgstr[1] "??????????? ????????????? %(count)d ??????" msgstr[2] "??????????? ????????????? %(count)d ??????" msgstr[3] "??????????? ????????????? %(count)d ?????" #: ipalib/plugins/host.py:337 ipalib/plugins/service.py:84 msgid "Keytab" msgstr "??????? ??????" #: ipalib/plugins/host.py:359 ipalib/plugins/service.py:399 #, python-format msgid "Removed kerberos key from \"%(value)s\"" msgstr "???????? ???? kerberos ? ?%(value)s?" #: ipalib/plugins/host.py:368 msgid "Host principal has no kerberos key" msgstr "? ?????????????? ?????? ????? ????? ????? kerberos" #: ipalib/plugins/hostgroup.py:74 msgid "Host-group" msgstr "????? ??????" #: ipalib/plugins/hostgroup.py:75 msgid "Name of host-group" msgstr "????? ????? ??????" #: ipalib/plugins/hostgroup.py:82 msgid "A description of this host-group" msgstr "???? ???? ????? ??????" #: ipalib/plugins/hostgroup.py:85 msgid "Member hosts" msgstr "?????-????????" #: ipalib/plugins/hostgroup.py:89 msgid "Member host-groups" msgstr "????? ??????-????????" #: ipalib/plugins/hostgroup.py:106 #, python-format msgid "Added hostgroup \"%(value)s\"" msgstr "?????? ????? ?????? ?%(value)s?" #: ipalib/plugins/hostgroup.py:116 #, python-format msgid "Deleted hostgroup \"%(value)s\"" msgstr "???????? ????? ?????? ?%(value)s?" 
#: ipalib/plugins/hostgroup.py:126 #, python-format msgid "Modified hostgroup \"%(value)s\"" msgstr "??????? ????? ?????? ?%(value)s?" #: ipalib/plugins/hostgroup.py:137 #, python-format msgid "%(count)d hostgroup matched" msgid_plural "%(count)d hostgroups matched" msgstr[0] "??????????? ????????????? %(count)d ????? ??????" msgstr[1] "??????????? ????????????? %(count)d ???? ??????" msgstr[2] "??????????? ????????????? %(count)d ???? ??????" msgstr[3] "??????????? ????????????? %(count)d ????? ??????" #: ipalib/plugins/internal.py:39 msgid "Logged In As" msgstr "???? ?? ??????? ??? ?????" #: ipalib/plugins/internal.py:41 msgid "Add" msgstr "??????" #: ipalib/plugins/internal.py:42 msgid "Find" msgstr "??????" #: ipalib/plugins/internal.py:43 msgid "Reset" msgstr "???????" #: ipalib/plugins/internal.py:44 msgid "Update" msgstr "???????" #: ipalib/plugins/internal.py:45 msgid "Enroll" msgstr "?????????????" #: ipalib/plugins/internal.py:46 msgid "Delete" msgstr "????????" #: ipalib/plugins/internal.py:49 msgid "Quick Links" msgstr "?????? ?????????" #: ipalib/plugins/internal.py:50 msgid "Select All" msgstr "??????? ???" #: ipalib/plugins/internal.py:51 msgid "Unselect All" msgstr "????????? ????? ??????" #: ipalib/plugins/internal.py:52 msgid "Do you really want to delete the selected entries?" msgstr "?? ??????? ??????? ???????? ????????? ???????" #: ipalib/plugins/internal.py:55 msgid "Identity Details" msgstr "????????? ???????" #: ipalib/plugins/internal.py:56 msgid "Account Details" msgstr "????????? ?????????? ??????" #: ipalib/plugins/internal.py:57 msgid "Contact Details" msgstr "????????? ????" #: ipalib/plugins/internal.py:58 msgid "Mailing Address" msgstr "?????? ??. ?????" #: ipalib/plugins/internal.py:59 msgid " Employee Information" msgstr " ????????? ???? ??????????" #: ipalib/plugins/internal.py:60 msgid "Misc. Information" msgstr "???? ??????????" #: ipalib/plugins/internal.py:61 msgid "Back to Top" msgstr "??????????? ?? ???????" 
#: ipalib/plugins/internal.py:66 msgid "Name of object to export" msgstr "????? ???????, ???? ???? ????????????" #: ipalib/plugins/internal.py:71 msgid "Dict of JSON encoded IPA Objects" msgstr "??????? ??????????? JSON ???????? IPA" #: ipalib/plugins/internal.py:72 msgid "Dict of I18N messages" msgstr "??????? ???????????? ???????????" #: ipalib/plugins/krbtpolicy.py:59 msgid "Kerberos Ticket Policy" msgstr "??????? ??????? Kerberos" #: ipalib/plugins/krbtpolicy.py:64 ipalib/plugins/passwd.py:52 msgid "User name" msgstr "??'? ???????????" #: ipalib/plugins/krbtpolicy.py:65 msgid "Manage ticket policy for specific user" msgstr "????????? ????????? ??????? ??????? ??????? ???????????" #: ipalib/plugins/krbtpolicy.py:70 msgid "Max life" msgstr "????. ????? ???" #: ipalib/plugins/krbtpolicy.py:71 msgid "Maximum ticket life (seconds)" msgstr "???????????? ????? ??? ?????? (? ????????)" #: ipalib/plugins/krbtpolicy.py:75 msgid "Max renew" msgstr "????. ??? ??????????" #: ipalib/plugins/krbtpolicy.py:76 msgid "Maximum renewable age (seconds)" msgstr "???????????? ???, ???????? ????? ??????? ?????????? (? ????????)" #: ipalib/plugins/migration.py:44 #, python-format msgid "" "Kerberos principal %s already exists. Use 'ipa user-mod' to set it manually." msgstr "" "????????????? ????? Kerberos %s ??? ?????. ????????????? ???????? ?ipa user-" "mod?, ??? ?????????? ???? ????????? ??????." #: ipalib/plugins/migration.py:45 msgid "" "Failed to add user to the default group. Use 'ipa group-add-member' to add " "manually." msgstr "" "?? ??????? ?????? ??????????? ?? ??????? ?????. ?????? ??????????? ?????? " "????? ?? ????????? ??????? ?ipa group-add-member?." #: ipalib/plugins/migration.py:169 msgid "LDAP URI" msgstr "URI LDAP" #: ipalib/plugins/migration.py:170 msgid "LDAP URI of DS server to migrate from" msgstr "URI LDAP ??????? DS, ? ????? ????????????????? ????????" #: ipalib/plugins/migration.py:174 msgid "bind password" msgstr "?????? ?????????" 
#: ipalib/plugins/migration.py:181 msgid "Bind DN" msgstr "DN ??? ????'????" #: ipalib/plugins/migration.py:187 msgid "User container" msgstr "????????? ????????????" #: ipalib/plugins/migration.py:188 msgid "RDN of container for users in DS" msgstr "RDN ?????????? ???????????? ? DS" #: ipalib/plugins/migration.py:194 msgid "Group container" msgstr "????????? ????" #: ipalib/plugins/migration.py:195 msgid "RDN of container for groups in DS" msgstr "RDN ?????????? ???? ? DS" #: ipalib/plugins/migration.py:200 msgid "Continous operation mode. Errors are reported but the process continues" msgstr "" "????? ??????????? ???????. ???????? ?????????? ??? ???????, ??? ????????? " "???????." #: ipalib/plugins/migration.py:208 msgid "Lists of objects migrated; categorized by type." msgstr "?????? ????????, ???????? ???? ????????; ????????????? ?? ??????." #: ipalib/plugins/migration.py:212 msgid "Lists of objects that could not be migrated; categorized by type." msgstr "" "?????? ????????, ???????? ???? ?? ??????? ????????; ????????????? ?? ??????." #: ipalib/plugins/migration.py:216 msgid "False if migration mode was disabled." msgstr "False, ???? ????? ???????? ???? ????????." #: ipalib/plugins/migration.py:220 #, python-format msgid "comma-separated list of %s to exclude from migration" msgstr "?????? %s, ????????????? ??????, ??? ???? ????????? ? ??????? ????????" #: ipalib/plugins/migration.py:222 msgid "" "search results for objects to be migrated\n" "have been truncated by the server;\n" "migration process might be uncomplete\n" msgstr "" "?????? ??????????? ?????? ???????? ????????\n" "???? ???????? ????????; ????????,\n" "?????? ???????? ?? ?????????\n" #: ipalib/plugins/migration.py:227 msgid "Migration mode is disabled. Use 'ipa config-mod' to enable it." msgstr "" "????? ???????? ????????. ????????????? ???????? ?ipa config-mod?, ??? " "????????? ????." 
#: ipalib/plugins/migration.py:230 msgid "" "Passwords have been migrated in pre-hashed format.\n" "IPA is unable to generate Kerberos keys unless provided\n" "with clear text passwords. All migrated users need to\n" "login at https://your.domain/ipa/migration/ before they\n" "can use their Kerberos accounts." msgstr "" "???????? ??????? ??????? ????????? ? ??????? ?? ?????????.\n" "IPA ?? ???????? ???????? ????? Kerberos, ???? ?? ????\n" "?????? ????????? ???????. ???? ???????????? ? ????????????\n" "????????, ?????????? ?????? ????????????? ??\n" "https://your.domain/ipa/migration/ ?? ????, ?? ???? ???????\n" "???????????? ?????????? ???????? Kerberos." #: ipalib/plugins/migration.py:297 #, python-format msgid "Container for %(container)s not found" msgstr "?????????? ??? %(container)s ?? ????????" #: ipalib/plugins/misc.py:38 #, python-format msgid "%(count)d variables" msgstr "%(count)d ???????" #: ipalib/plugins/misc.py:61 msgid "Total number of variables env (>= count)" msgstr "????????? ??????? env (>= count)" #: ipalib/plugins/misc.py:66 msgid "Number of variables returned (<= total)" msgstr "????????? ?????????? ??????? (<= ?????????)" #: ipalib/plugins/misc.py:109 #, python-format msgid "%(count)d plugin loaded" msgid_plural "%(count)d plugins loaded" msgstr[0] "??????????? %(count)d ???????" msgstr[1] "??????????? %(count)d ???????" msgstr[2] "??????????? %(count)d ????????" msgstr[3] "??????????? %(count)d ???????" #: ipalib/plugins/misc.py:116 msgid "Number of plugins loaded" msgstr "????????? ???????????? ????????" #: ipalib/plugins/netgroup.py:57 msgid "Member Host" msgstr "?????-???????" #: ipalib/plugins/netgroup.py:63 msgid "External host" msgstr "????????? ?????" #: ipalib/plugins/netgroup.py:85 msgid "Net Groups" msgstr "???????? ?????" #: ipalib/plugins/netgroup.py:90 msgid "Netgroup name" msgstr "????? ????????? ?????" #: ipalib/plugins/netgroup.py:97 msgid "Netgroup description" msgstr "???? ????????? ?????" 
#: ipalib/plugins/netgroup.py:101 msgid "NIS domain name" msgstr "????? ?????? NIS" #: ipalib/plugins/netgroup.py:106 msgid "IPA unique ID" msgstr "?????????? ??. IPA" #: ipalib/plugins/pwpolicy.py:84 #, python-format msgid "priority must be a unique value (%(prio)d already used by %(gname)s)" msgstr "" "????????? ??????? ???? ????????? ???????? (%(prio)d ??? ??????????? ??? %" "(gname)s)" #: ipalib/plugins/pwpolicy.py:170 msgid "Password Policy" msgstr "??????? ??? ???????" #: ipalib/plugins/pwpolicy.py:175 msgid "Group" msgstr "?????" #: ipalib/plugins/pwpolicy.py:176 msgid "Manage password policy for specific group" msgstr "????????? ????????? ??????? ??????? ??? ?????? ?????" #: ipalib/plugins/pwpolicy.py:181 msgid "Max lifetime (days)" msgstr "????. ????? ??? (? ????)" #: ipalib/plugins/pwpolicy.py:182 msgid "Maximum password lifetime (in days)" msgstr "???????????? ????? ??? ?????? (? ????)" #: ipalib/plugins/pwpolicy.py:187 msgid "Min lifetime (hours)" msgstr "???. ????? ??? (? ???????)" #: ipalib/plugins/pwpolicy.py:188 msgid "Minimum password lifetime (in hours)" msgstr "??????????? ????? ??? ?????? (? ???????)" #: ipalib/plugins/pwpolicy.py:193 msgid "History size" msgstr "?????? ???????" #: ipalib/plugins/pwpolicy.py:194 msgid "Password history size" msgstr "?????? ??????? ???????" #: ipalib/plugins/pwpolicy.py:199 msgid "Character classes" msgstr "????? ????????" #: ipalib/plugins/pwpolicy.py:200 msgid "Minimum number of character classes" msgstr "?????????? ????????? ?????? ????????" #: ipalib/plugins/pwpolicy.py:206 msgid "Min length" msgstr "???. ???????" #: ipalib/plugins/pwpolicy.py:207 msgid "Minimum length of password" msgstr "?????????? ??????? ??????" #: ipalib/plugins/pwpolicy.py:212 msgid "Priority" msgstr "?????????" #: ipalib/plugins/pwpolicy.py:213 msgid "Priority of the policy (higher number means lower priority" msgstr "????????? ?????? (?????? ????? ? ?????? 
?????????)" #: ipalib/plugins/pwpolicy.py:265 msgid "Maximum password life must be greater than minimum." msgstr "" "???????????? ????? ??? ?????? ??? ???????????? ??????????? ????? ???? ???." #: ipalib/plugins/pwpolicy.py:330 msgid "priority cannot be set on global policy" msgstr "??? ????????? ?????? ?? ???? ????????????? ??????????" #: ipalib/plugins/pwpolicy.py:369 msgid "User" msgstr "??????????" #: ipalib/plugins/pwpolicy.py:370 msgid "Display effective policy for a specific user" msgstr "???????? ??????? ??????? ??? ??????? ???????????" #: ipalib/plugins/rolegroup.py:79 msgid "Role Groups" msgstr "????? ?????" #: ipalib/plugins/rolegroup.py:84 msgid "Role-group name" msgstr "????? ????? ?????" #: ipalib/plugins/rolegroup.py:91 msgid "A description of this role-group" msgstr "???? ???? ????? ?????" #: ipalib/plugins/rolegroup.py:102 msgid "Member of task-groups" msgstr "??????? ????? ???????" #: ipalib/plugins/rolegroup.py:115 #, python-format msgid "Added rolegroup \"%(value)s\"" msgstr "?????? ????? ????? ?%(value)s?" #: ipalib/plugins/rolegroup.py:125 #, python-format msgid "Deleted rolegroup \"%(value)s\"" msgstr "???????? ????? ????? ?%(value)s?" #: ipalib/plugins/rolegroup.py:135 #, python-format msgid "Modified rolegroup \"%(value)s\"" msgstr "??????? ????? ????? ?%(value)s?" #: ipalib/plugins/rolegroup.py:146 #, python-format msgid "%(count)d rolegroup matched" msgid_plural "%(count)d rolegroups matched" msgstr[0] "??????????? ????????????? %(count)d ????? ?????" msgstr[1] "??????????? ????????????? %(count)d ???? ?????" msgstr[2] "??????????? ????????????? %(count)d ???? ?????" msgstr[3] "??????????? ????????????? %(count)d ????? ?????" #: ipalib/plugins/service.py:198 msgid "Service principal" msgstr "????????????? ????? ??????" #: ipalib/plugins/service.py:221 msgid "force principal name even if not in DNS" msgstr "" "????????? ???????? ????? ?????????????? ??????, ?????? ???? ????? ????? ? 
DNS" #: ipalib/plugins/service.py:292 #, python-format msgid "Modified service \"%(value)s\"" msgstr "??????? ?????? ?%(value)s?" #: ipalib/plugins/service.py:323 #, python-format msgid "%(count)d service matched" msgid_plural "%(count)d services matched" msgstr[0] "??????????? ????????????? %(count)d ??????" msgstr[1] "??????????? ????????????? %(count)d ?????" msgstr[2] "??????????? ????????????? %(count)d ?????" msgstr[3] "??????????? ????????????? %(count)d ??????" #: ipalib/plugins/service.py:409 msgid "Service principal has no kerberos key" msgstr "????????????? ????? ?????? ?? ??? ????? kerberos" #: ipalib/plugins/sudocmd.py:60 msgid "SudoCmds" msgstr "??????? sudo" #: ipalib/plugins/sudocmd.py:65 msgid "Sudo Command" msgstr "??????? sudo" #: ipalib/plugins/sudocmd.py:72 msgid "A description of this command" msgstr "???? ???? ???????" #: ipalib/plugins/sudocmd.py:99 #, python-format msgid "Added sudo command \"%(value)s\"" msgstr "?????? ??????? sudo ?%(value)s?" #: ipalib/plugins/sudocmd.py:108 #, python-format msgid "Deleted sudo command \"%(value)s\"" msgstr "???????? ??????? sudo ?%(value)s?" #: ipalib/plugins/sudocmd.py:117 #, python-format msgid "Modified sudo command \"%(value)s\"" msgstr "??????? ??????? sudo ?%(value)s?" #: ipalib/plugins/sudocmd.py:127 #, python-format msgid "%(count)d sudo command matched" msgid_plural "%(count)d sudo command matched" msgstr[0] "??????????? ????????????? %(count)d ??????? sudo" msgstr[1] "??????????? ????????????? %(count)d ?????? sudo" msgstr[2] "??????????? ????????????? %(count)d ?????? sudo" msgstr[3] "??????????? ????????????? %(count)d ??????? sudo" #: ipalib/plugins/sudocmdgroup.py:66 ipalib/plugins/sudocmdgroup.py:85 #: ipalib/plugins/sudorule.py:81 ipalib/plugins/sudorule.py:85 msgid "Sudo Command Groups" msgstr "????? ?????? sudo" #: ipalib/plugins/sudocmdgroup.py:71 msgid "Sudo Command Group name" msgstr "????? ????? ?????? sudo" #: ipalib/plugins/sudocmdgroup.py:81 msgid "Commands" msgstr "???????" 
#: ipalib/plugins/sudocmdgroup.py:98 #, python-format msgid "Added sudo command group \"%(value)s\"" msgstr "?????? ????? ?????? sudo ?%(value)s?" #: ipalib/plugins/sudocmdgroup.py:108 #, python-format msgid "Deleted sudo command group \"%(value)s\"" msgstr "???????? ????? ?????? sudo ?%(value)s?" #: ipalib/plugins/sudocmdgroup.py:118 #, python-format msgid "Modified sudo command group \"%(value)s\"" msgstr "??????? ????? ?????? sudo ?%(value)s?" #: ipalib/plugins/sudocmdgroup.py:129 #, python-format msgid "%(count)d sudo command group matched" msgid_plural "%(count)d sudo command groups matched" msgstr[0] "??????????? ????????????? %(count)d ????? ?????? sudo" msgstr[1] "??????????? ????????????? %(count)d ???? ?????? sudo" msgstr[2] "??????????? ????????????? %(count)d ???? ?????? sudo" msgstr[3] "??????????? ????????????? %(count)d ????? ?????? sudo" #: ipalib/plugins/sudorule.py:48 msgid "SudoRule" msgstr "??????? sudo" #: ipalib/plugins/sudorule.py:73 msgid "Sudo Allow Commands" msgstr "??????? ??????? sudo" #: ipalib/plugins/sudorule.py:77 msgid "Sudo Deny Commands" msgstr "??????? ???????? sudo" #: ipalib/plugins/sudorule.py:109 #, python-format msgid "Added sudo rule \"%(value)s\"" msgstr "?????? ??????? sudo ?%(value)s?" #: ipalib/plugins/taskgroup.py:51 msgid "Task Groups" msgstr "????? ???????" #: ipalib/plugins/taskgroup.py:56 msgid "Task-group name" msgstr "????? ????? ???????" #: ipalib/plugins/taskgroup.py:63 msgid "Task-group description" msgstr "???? ????? ???????" #: ipalib/plugins/taskgroup.py:74 msgid "Member role-groups" msgstr "????? ?????-????????" #: ipalib/plugins/taskgroup.py:87 #, python-format msgid "Added taskgroup \"%(value)s\"" msgstr "?????? ????? ??????? ?%(value)s?" #: ipalib/plugins/taskgroup.py:97 #, python-format msgid "Deleted taskgroup \"%(value)s\"" msgstr "???????? ????? ??????? ?%(value)s?" #: ipalib/plugins/taskgroup.py:107 #, python-format msgid "Modified taskgroup \"%(value)s\"" msgstr "??????? ????? ??????? ?%(value)s?" 
#: ipalib/plugins/taskgroup.py:118 #, python-format msgid "%(count)d taskgroup matched" msgid_plural "%(count)d taskgroups matched" msgstr[0] "??????????? ????????????? %(count)d ????? ???????" msgstr[1] "??????????? ????????????? %(count)d ???? ???????" msgstr[2] "??????????? ????????????? %(count)d ???? ???????" msgstr[3] "??????????? ????????????? %(count)d ????? ???????" #: ipalib/plugins/user.py:84 msgid "User login" msgstr "??????????" #: ipalib/plugins/user.py:91 msgid "First name" msgstr "??'?" #: ipalib/plugins/user.py:95 msgid "Last name" msgstr "????????" #: ipalib/plugins/user.py:103 msgid "GECOS field" msgstr "???? GECOS" #: ipalib/plugins/user.py:109 msgid "Login shell" msgstr "???????? ?????" #: ipalib/plugins/user.py:114 msgid "Kerberos principal" msgstr "????????????? ????? Kerberos" #: ipalib/plugins/user.py:120 msgid "Email address" msgstr "?????? ??. ?????" #: ipalib/plugins/user.py:124 msgid "Password" msgstr "??????" #: ipalib/plugins/user.py:125 msgid "Set the user password" msgstr "?????????? ?????? ???????????" #: ipalib/plugins/user.py:132 msgid "UID" msgstr "UID" #: ipalib/plugins/user.py:133 msgid "User ID Number (system will assign one if not provided)" msgstr "" "???????????????? ????? ??????????? (??????? ?????????? ????, ???? ?? ???? " "???????)" #: ipalib/plugins/user.py:139 msgid "Street address" msgstr "?????? ? ???????" #: ipalib/plugins/user.py:142 msgid "Groups" msgstr "?????" #: ipalib/plugins/user.py:146 msgid "Netgroups" msgstr "???????? ?????" #: ipalib/plugins/user.py:150 msgid "Rolegroups" msgstr "????? ?????" #: ipalib/plugins/user.py:154 msgid "Taskgroups" msgstr "????? ???????" #: ipalib/plugins/user.py:159 msgid "Telephone Number" msgstr "????? ????????" #: ipalib/plugins/user.py:161 msgid "Mobile Telephone Number" msgstr "????? ?????????? ????????" #: ipalib/plugins/user.py:163 msgid "Pager Number" msgstr "????? ????????" #: ipalib/plugins/user.py:166 msgid "Fax Number" msgstr "????? ?????" 
#: ipalib/plugins/user.py:177 #, python-format msgid "Added user \"%(value)s\"" msgstr "?????? ??????????? ?%(value)s?" #: ipalib/plugins/user.py:226 #, python-format msgid "Deleted user \"%(value)s\"" msgstr "???????? ??????????? ?%(value)s?" #: ipalib/plugins/user.py:240 #, python-format msgid "Modified user \"%(value)s\"" msgstr "??????? ??????????? ?%(value)s?" #: ipalib/plugins/user.py:252 msgid "Self" msgstr "Self" #: ipalib/plugins/user.py:253 msgid "Display user record for current Kerberos principal" msgstr "" "???????? ????? ??????????? ??? ????????? ?????????????? ?????? Kerberos" #: ipalib/plugins/user.py:263 #, python-format msgid "%(count)d user matched" msgid_plural "%(count)d users matched" msgstr[0] "??????????? ????????????? %(count)d ???????????" msgstr[1] "??????????? ????????????? %(count)d ????????????" msgstr[2] "??????????? ????????????? %(count)d ????????????" msgstr[3] "??????????? ????????????? %(count)d ???????????" #: ipalib/plugins/user.py:283 #, python-format msgid "Disabled user account \"%(value)s\"" msgstr "???????? ????????? ????? ??????????? ?%(value)s?" #: ipalib/plugins/user.py:309 #, python-format msgid "Enabled user account \"%(value)s\"" msgstr "????????? ????????? ????? ??????????? ?%(value)s?" #: ipaserver/install/certs.py:599 ipaserver/plugins/dogtag.py:1313 #: ipaserver/plugins/dogtag.py:1398 ipaserver/plugins/dogtag.py:1463 #: ipaserver/plugins/dogtag.py:1543 ipaserver/plugins/dogtag.py:1602 #, python-format msgid "Unable to communicate with CMS (%s)" msgstr "?? ??????? ?????????? ?????? ? CMS (%s)" #: ipaserver/plugins/join.py:54 msgid "The hostname to register as" msgstr "????? ????? ??? ??????????" #: ipaserver/plugins/join.py:62 msgid "The IPA realm" msgstr "??????? IPA" #: ipaserver/plugins/join.py:68 msgid "Hardware platform of the host (e.g. Lenovo T61)" msgstr "???????? ????????? ????? (?????????, ?Lenovo T61?)" #: ipaserver/plugins/join.py:72 msgid "Operating System and version of the host (e.g. 
Fedora 9)" msgstr "?????????? ??????? ????? ? ?? ?????? (?????????, ?Fedora 9?)" #: ipaserver/plugins/selfsign.py:98 #, python-format msgid "" "Request subject \"%(request_subject)s\" does not match the form \"%" "(subject_base)s\"" msgstr "" "?????? ?????? ?%(request_subject)s? ??????? ? ?????, ????????? ??? ?%" "(subject_base)s?" #: ipaserver/plugins/selfsign.py:103 #, python-format msgid "unable to decode csr: %s" msgstr "?? ??????? ?????????? csr: %s" #: ipaserver/plugins/selfsign.py:124 ipaserver/plugins/selfsign.py:139 msgid "file operation" msgstr "??? ??? ???????" #: ipaserver/plugins/selfsign.py:153 msgid "cannot obtain next serial number" msgstr "?? ??????? ???????? ????????? ???????? ?????" #: ipaserver/plugins/selfsign.py:188 msgid "certutil failure" msgstr "??????? certutil" #: ipa-client/config.c:55 #, c-format msgid "cannot open configuration file %s\n" msgstr "?? ??????? ???????? ???? ??????????? %s\n" #: ipa-client/config.c:62 #, c-format msgid "cannot stat() configuration file %s\n" msgstr "?? ??????? ???????? ???????? stat() ???? ???????????? %s\n" #: ipa-client/config.c:75 #, c-format msgid "read error\n" msgstr "??????? ???????\n" #: ipa-client/ipa-getkeytab.c:138 ipa-client/ipa-getkeytab.c:838 #, c-format msgid "No system preferred enctypes ?!\n" msgstr "????? ???????? ????????? ????? ???????????!\n" #: ipa-client/ipa-getkeytab.c:146 #, c-format msgid "Out of memory!?\n" msgstr "?? ???????? ???'???!?\n" #: ipa-client/ipa-getkeytab.c:164 ipa-client/ipa-getkeytab.c:179 #, c-format msgid "Out of memory\n" msgstr "?? ???????? ???'???\n" #: ipa-client/ipa-getkeytab.c:194 #, c-format msgid "Warning unrecognized encryption type: [%s]\n" msgstr "????????????: ????????? ??? ??????????: [%s]\n" #: ipa-client/ipa-getkeytab.c:209 #, c-format msgid "Warning unrecognized salt type: [%s]\n" msgstr "????????????: ????????? ??? ???? (salt): [%s]\n" #: ipa-client/ipa-getkeytab.c:235 #, c-format msgid "Enctype comparison failed!\n" msgstr "?????? ?????????? 
??????? ???? ?????????? ??????? ???????!\n" #: ipa-client/ipa-getkeytab.c:297 #, c-format msgid "Failed to create random key!\n" msgstr "?? ??????? ???????? ?????????? ????!\n" #: ipa-client/ipa-getkeytab.c:310 ipa-client/ipa-getkeytab.c:327 #: ipa-client/ipa-getkeytab.c:335 ipa-client/ipa-getkeytab.c:372 #, c-format msgid "Failed to create key!\n" msgstr "?? ??????? ???????? ????!\n" #: ipa-client/ipa-getkeytab.c:317 ipa-client/ipa-getkeytab.c:350 #, c-format msgid "Out of memory!\n" msgstr "?? ???????? ???'???!\n" #: ipa-client/ipa-getkeytab.c:361 #, c-format msgid "Bad or unsupported salt type (%d)!\n" msgstr "?????????? ??? ??????????????? ??? ???? (salt) (%d)!\n" #: ipa-client/ipa-getkeytab.c:481 #, c-format msgid "No keys accepted by KDC\n" msgstr "????? ? ?????? ?? ???????? KDC\n" #: ipa-client/ipa-getkeytab.c:496 #, c-format msgid "Out of memory \n" msgstr "?? ???????? ???'??? \n" #: ipa-client/ipa-getkeytab.c:534 #, c-format msgid "Out of Memory!\n" msgstr "?? ???????? ???'???!\n" #: ipa-client/ipa-getkeytab.c:541 #, c-format msgid "Failed to create control!\n" msgstr "?? ??????? ???????? ?????????!\n" #: ipa-client/ipa-getkeytab.c:565 #, c-format msgid "Unable to initialize ldap library!\n" msgstr "?? ??????? ?????????????? ?????????? ldap!\n" #: ipa-client/ipa-getkeytab.c:572 #, c-format msgid "Unable to set ldap options!\n" msgstr "?? ??????? ?????????? ???????? ?????????? ldap!\n" #: ipa-client/ipa-getkeytab.c:579 #, c-format msgid "Simple bind failed\n" msgstr "??????? ?????? ???????? ?????????????\n" #: ipa-client/ipa-getkeytab.c:589 #, c-format msgid "SASL Bind failed!\n" msgstr "??????? ?????? ????????????? SASL!\n" #: ipa-client/ipa-getkeytab.c:605 ipa-client/ipa-getkeytab.c:618 #: ipa-client/ipa-getkeytab.c:625 ipa-client/ipa-getkeytab.c:632 #, c-format msgid "Operation failed! %s\n" msgstr "??????? ?????? ????????? ???! 
%s\n" #: ipa-client/ipa-getkeytab.c:638 ipa-client/ipa-getkeytab.c:648 #, c-format msgid "Missing reply control!\n" msgstr "????? ????????? ??????????!\n" #: ipa-client/ipa-getkeytab.c:655 #, c-format msgid "ber_init() failed, Invalid control ?!\n" msgstr "?????? ????????? ber_init() ??????? ???????. ?????????? ??????????!\n" #: ipa-client/ipa-getkeytab.c:674 #, c-format msgid "ber_scanf() failed, Invalid control ?!\n" msgstr "?????? ????????? ber_scanf() ??????? ???????. ?????????? ??????????!\n" #: ipa-client/ipa-getkeytab.c:715 msgid "New Principal Password" msgstr "????? ?????? ?????????????? ??????" #: ipa-client/ipa-getkeytab.c:721 msgid "Verify Principal Password" msgstr "????????? ?????? ?????????????? ??????" #: ipa-client/ipa-getkeytab.c:779 ipa-client/ipa-join.c:965 msgid "Print as little as possible" msgstr "???????? ??????? ?????" #: ipa-client/ipa-getkeytab.c:779 ipa-client/ipa-join.c:965 msgid "Output only on errors" msgstr "???????? ???? ???????????? ??? ???????" #: ipa-client/ipa-getkeytab.c:781 msgid "Contact this specific KDC Server" msgstr "?????????? ??????? ? ???????? ???????? KDC" #: ipa-client/ipa-getkeytab.c:782 msgid "Server Name" msgstr "????? ???????" #: ipa-client/ipa-getkeytab.c:784 ipa-client/ipa-rmkeytab.c:188 msgid "The principal to get a keytab for (ex: ftp/ftp.example.com at EXAMPLE.COM)" msgstr "" "????????????? ?????, ??? ????? ???? ???????? ??????? ?????? (???????: ftp/" "ftp.example.com at EXAMPLE.COM)" #: ipa-client/ipa-getkeytab.c:785 ipa-client/ipa-rmkeytab.c:189 msgid "Kerberos Service Principal Name" msgstr "????? ?????????????? ?????? ?????? Kerberos" #: ipa-client/ipa-getkeytab.c:787 ipa-client/ipa-join.c:973 #: ipa-client/ipa-rmkeytab.c:191 msgid "File were to store the keytab information" msgstr "????, ? ????? ??????????????? ???? ??????? ??????" #: ipa-client/ipa-getkeytab.c:788 ipa-client/ipa-join.c:973 #: ipa-client/ipa-rmkeytab.c:191 msgid "Keytab File Name" msgstr "????? ????? ??????? ??????" 
#: ipa-client/ipa-getkeytab.c:790 msgid "Encryption types to request" msgstr "???? ??????????, ????? ???? ???? ???? ?????????" #: ipa-client/ipa-getkeytab.c:791 msgid "Comma separated encryption types list" msgstr "?????? ????? ??????????, ????????????? ??????" #: ipa-client/ipa-getkeytab.c:793 msgid "Show the list of permitted encryption types and exit" msgstr "???????? ?????? ?????????? ????? ?????????? ? ????????? ??????" #: ipa-client/ipa-getkeytab.c:794 msgid "Permitted Encryption Types" msgstr "????????? ???? ??????????" #: ipa-client/ipa-getkeytab.c:796 msgid "Asks for a non-random password to use for the principal" msgstr "" "???????? ???????????? ??????, ???? ???? ??????????? ??? ?????????????? ??????" #: ipa-client/ipa-getkeytab.c:798 msgid "LDAP DN" msgstr "DN LDAP" #: ipa-client/ipa-getkeytab.c:798 msgid "DN to bind as if not using kerberos" msgstr "" "DN, ?? ????? ???? ???????? ?????????, ???? ?? ???????????????? kerberos" #: ipa-client/ipa-getkeytab.c:800 ipa-client/ipa-join.c:975 msgid "LDAP password" msgstr "?????? LDAP" #: ipa-client/ipa-getkeytab.c:800 ipa-client/ipa-join.c:975 msgid "password to use if not using kerberos" msgstr "??????, ???? ???? ???????????, ???? ?? ???????????????? kerberos" #: ipa-client/ipa-getkeytab.c:825 ipa-client/ipa-rmkeytab.c:207 #, c-format msgid "Kerberos context initialization failed\n" msgstr "??????? ?????? ????????????? ????????? Kerberos\n" #: ipa-client/ipa-getkeytab.c:841 #, c-format msgid "Supported encryption types:\n" msgstr "???????????? ???? ??????????:\n" #: ipa-client/ipa-getkeytab.c:845 #, c-format msgid "Warning: failed to convert type (#%d)\n" msgstr "????????????: ?? ??????? ???????? ???????????? ???? (?%d)\n" #: ipa-client/ipa-getkeytab.c:864 #, c-format msgid "Bind password required when using a bind DN.\n" msgstr "? ???? ???????????? ????????? DN ???? ??????? ?????? 
?????????.\n" #: ipa-client/ipa-getkeytab.c:877 #, c-format msgid "" "Warning: salt types are not honored with randomized passwords (see opt. -P)\n" msgstr "" "????????????: ??? ?????????? ??????? ???? ???? (salt) ?? ????? ???????? (???." " ???????? -P)\n" #: ipa-client/ipa-getkeytab.c:889 #, c-format msgid "Invalid Service Principal Name\n" msgstr "?????????? ????? ?????????????? ?????? ??????\n" #: ipa-client/ipa-getkeytab.c:897 #, c-format msgid "Kerberos Credential Cache not found. Do you have a Kerberos Ticket?\n" msgstr "" "?? ???????? ???? ????????????? ????? Kerberos. ?? ? ? ??? ?????? Kerberos?\n" #: ipa-client/ipa-getkeytab.c:905 #, c-format msgid "" "Kerberos User Principal not found. Do you have a valid Credential Cache?\n" msgstr "" "?? ???????? ?????????????? ?????? ??????????? Kerberos. ?? ????? ?? " "????????? ??? ????????????? ??????\n" #: ipa-client/ipa-getkeytab.c:913 #, c-format msgid "Failed to open Keytab\n" msgstr "?? ??????? ???????? ??????? ??????\n" #: ipa-client/ipa-getkeytab.c:920 #, c-format msgid "Failed to create key material\n" msgstr "?? ??????? ???????? ??????? ???? ??? ?????\n" #: ipa-client/ipa-getkeytab.c:939 #, c-format msgid "Failed to add key to the keytab\n" msgstr "?? ??????? ?????? ???? ?? ??????? ??????\n" #: ipa-client/ipa-getkeytab.c:948 #, c-format msgid "Failed to close the keytab\n" msgstr "?? ??????? ??????? ??????? ??????\n" #: ipa-client/ipa-getkeytab.c:954 #, c-format msgid "Keytab successfully retrieved and stored in: %s\n" msgstr "??????? ?????? ??????? ???????? ? ????????? ??: %s\n" #: ipa-client/ipa-join.c:67 #, c-format msgid "No permission to join this host to the IPA domain.\n" msgstr "????? ??????? ?? ????????? ????? ????? ?? ?????? IPA.\n" #: ipa-client/ipa-join.c:104 ipa-client/ipa-join.c:116 #, c-format msgid "No write permissions on keytab file '%s'\n" msgstr "????? ??????? ?? ????? ?? ????? ??????? ?????? 
?%s?\n" #: ipa-client/ipa-join.c:121 #, c-format msgid "access() on %s failed: errno = %d\n" msgstr "??????? ?????? ????????? access() ??? %s: ????? ??????? = %d\n" #: ipa-client/ipa-join.c:200 #, c-format msgid "Unable to enable SSL in LDAP\n" msgstr "?? ??????? ????????? SSL ? LDAP\n" #: ipa-client/ipa-join.c:206 #, c-format msgid "Unable to set LDAP version\n" msgstr "?? ??????? ?????????? ?????? LDAP\n" #: ipa-client/ipa-join.c:216 #, c-format msgid "Bind failed: %s\n" msgstr "??????? ?????? ?????????: %s\n" #: ipa-client/ipa-join.c:249 #, c-format msgid "Search for %s on rootdse failed with error %d" msgstr "" "?????? ?????? %s ? rootdse ??????????? ??????? ? ????????????? ??? ??????? %d" #: ipa-client/ipa-join.c:259 ipa-client/ipa-join.c:311 #, c-format msgid "No values for %s" msgstr "????? ??????? %s" #: ipa-client/ipa-join.c:302 #, c-format msgid "Search for ipaCertificateSubjectBase failed with error %d" msgstr "" "?????? ?????? ipaCertificateSubjectBase ??????????? ??????? ? ???????????? " "??? ??????? %d" #: ipa-client/ipa-join.c:368 #, c-format msgid "Unable to determine root DN of %s\n" msgstr "?? ??????? ????????? ????????? DN %s\n" #: ipa-client/ipa-join.c:377 #, c-format msgid "Unable to determine certificate subject of %s\n" msgstr "?? ??????? ????????? ??????????? ??????????? %s\n" #: ipa-client/ipa-join.c:385 #, c-format msgid "Unable to make an LDAP connection to %s\n" msgstr "?? ??????? ???????? ????????? LDAP ? %s\n" #: ipa-client/ipa-join.c:394 #, c-format msgid "Searching with %s in %s\n" msgstr "????? ?? ?????? %s ? %s\n" #: ipa-client/ipa-join.c:400 #, c-format msgid "ldap_search_ext_s: %s\n" msgstr "ldap_search_ext_s: %s\n" #: ipa-client/ipa-join.c:408 #, c-format msgid "Unable to find host '%s'\n" msgstr "?? ??????? ?????? ????? ?%s?\n" #: ipa-client/ipa-join.c:415 #, c-format msgid "Unable to get binddn for host '%s'\n" msgstr "?? ??????? ???????? binddn ??? ????? 
?%s?\n" #: ipa-client/ipa-join.c:428 #, c-format msgid "Host already has principal, trying bind anyway\n" msgstr "? ????? ??? ? ????????????? ?????, ???????? ?????? ?????????\n" #: ipa-client/ipa-join.c:442 ipa-client/ipa-join.c:579 #, c-format msgid "Host is already joined.\n" msgstr "????? ??? ?????????.\n" #: ipa-client/ipa-join.c:446 #, c-format msgid "Incorrect password.\n" msgstr "??????????? ??????.\n" #: ipa-client/ipa-join.c:457 #, c-format msgid "principal not found in host entry\n" msgstr "? ?????? ????? ?????????????? ?????? ?? ????????\n" #: ipa-client/ipa-join.c:564 #, c-format msgid "principal not found in XML-RPC response\n" msgstr "?????????????? ?????? ?? ???????? ? XML-RPC ?????????\n" #: ipa-client/ipa-join.c:646 ipa-client/ipa-join.c:823 #, c-format msgid "Unable to determine IPA server from %s\n" msgstr "?? ??????? ????????? ?????? IPA ? %s\n" #: ipa-client/ipa-join.c:662 ipa-client/ipa-join.c:838 #, c-format msgid "The hostname must be fully-qualified: %s\n" msgstr "????? ????? ???? ????????? ????????: %s\n" #: ipa-client/ipa-join.c:671 ipa-client/ipa-join.c:848 #, c-format msgid "Unable to join host: Kerberos context initialization failed\n" msgstr "" "?? ??????? ???????? ?????: ??????? ?????? ????????????? ????????? Kerberos\n" #: ipa-client/ipa-join.c:679 #, c-format msgid "Error resolving keytab: %s.\n" msgstr "??????? ??? ?????????? ????? ??????? ??????: %s.\n" #: ipa-client/ipa-join.c:689 #, c-format msgid "Error parsing \"%s\": %s.\n" msgstr "??????? ??? ??? ??????? ?%s?: %s.\n" #: ipa-client/ipa-join.c:707 #, c-format msgid "Error obtaining initial credentials: %s.\n" msgstr "??????? ??? ??? ????????? ?????????? ????????????? ?????: %s.\n" #: ipa-client/ipa-join.c:718 #, c-format msgid "Unable to generate Kerberos Credential Cache\n" msgstr "?? ??????? ???????? ??? ????????????? ????? Kerberos\n" #: ipa-client/ipa-join.c:726 #, c-format msgid "Error storing creds in credential cache: %s.\n" msgstr "??????? ??? ??? ?????? ?????????? 
????????????? ????? ? ????: %s.\n" #: ipa-client/ipa-join.c:769 #, c-format msgid "Unenrollment successful.\n" msgstr "??????? ?????????? ??????????.\n" #: ipa-client/ipa-join.c:772 #, c-format msgid "Unenrollment failed.\n" msgstr "?????? ?????????? ?????????? ??????? ???????.\n" #: ipa-client/ipa-join.c:777 #, c-format msgid "result not found in XML-RPC response\n" msgstr "? ????????? XML-RPC ?? ???????? ??????????\n" #: ipa-client/ipa-join.c:855 #, c-format msgid "Unable to join host: Kerberos Credential Cache not found\n" msgstr "" "?? ??????? ???????? ?????: ?? ???????? ???? ????????????? ????? Kerberos\n" #: ipa-client/ipa-join.c:863 #, c-format msgid "" "Unable to join host: Kerberos User Principal not found and host password not " "provided.\n" msgstr "" "?? ??????? ???????? ?????: ?? ???????? ?????????????? ?????? ??????????? " "Kerberos ? ?? ??????? ?????? ?????.\n" #: ipa-client/ipa-join.c:877 #, c-format msgid "fork() failed\n" msgstr "??????? ?????? ????????? fork()\n" #: ipa-client/ipa-join.c:906 #, c-format msgid "ipa-getkeytab not found\n" msgstr "?? ???????? ipa-getkeytab\n" #: ipa-client/ipa-join.c:909 #, c-format msgid "ipa-getkeytab has bad permissions?\n" msgstr "????????? ????? ??????? ?? ipa-getkeytab?\n" #: ipa-client/ipa-join.c:912 #, c-format msgid "executing ipa-getkeytab failed, errno %d\n" msgstr "?????? ????????? ipa-getkeytab ??????? ???????, ????? ??????? %d\n" #: ipa-client/ipa-join.c:924 #, c-format msgid "child exited with %d\n" msgstr "???????? ?????? ???????? ?????? ? ????????????? %d\n" #: ipa-client/ipa-join.c:930 #, c-format msgid "Certificate subject base is: %s\n" msgstr "??????? ?????? ????????????: %s\n" #: ipa-client/ipa-join.c:963 msgid "Print the raw XML-RPC output" msgstr "??????? ???? XML-RPC ??? ???????" #: ipa-client/ipa-join.c:963 msgid "XML-RPC debugging Output" msgstr "???????????? ???? XML-RPC" #: ipa-client/ipa-join.c:967 msgid "Unenroll this host" msgstr "????????? ?????????? ????? ?????" 
#: ipa-client/ipa-join.c:967 msgid "Unenroll this host from IPA server" msgstr "????????? ?????????? ????? ????? ?? ??????? IPA" #: ipa-client/ipa-join.c:969 msgid "Use this hostname instead of the node name" msgstr "??????????????? ?? ????? ??????? ????? ?????" #: ipa-client/ipa-join.c:969 msgid "Host Name" msgstr "????? ?????" #: ipa-client/ipa-join.c:971 msgid "IPA Server to use" msgstr "?????? IPA, ???? ???? ???????????????" #: ipa-client/ipa-join.c:971 msgid "IPA Server Name" msgstr "????? ??????? IPA" #: ipa-client/ipa-rmkeytab.c:44 #, c-format msgid "Unable to parse principal name\n" msgstr "?? ??????? ???????? ????? ?????????????? ??????\n" #: ipa-client/ipa-rmkeytab.c:46 #, c-format msgid "krb5_parse_name %d: %s\n" msgstr "krb5_parse_name %d: %s\n" #: ipa-client/ipa-rmkeytab.c:56 #, c-format msgid "Removing principal %s\n" msgstr "????????? ?????????????? ?????? %s\n" #: ipa-client/ipa-rmkeytab.c:69 #, c-format msgid "Failed to open keytab\n" msgstr "?? ??????? ???????? ??????? ??????\n" #: ipa-client/ipa-rmkeytab.c:73 #, c-format msgid "principal not found\n" msgstr "?????????????? ?????? ?? ????????\n" #: ipa-client/ipa-rmkeytab.c:75 #, c-format msgid "krb5_kt_get_entry %d: %s\n" msgstr "krb5_kt_get_entry %d: %s\n" #: ipa-client/ipa-rmkeytab.c:83 #, c-format msgid "Unable to remove entry\n" msgstr "?? ??????? ???????? ?????\n" #: ipa-client/ipa-rmkeytab.c:85 #, c-format msgid "kvno %d\n" msgstr "kvno %d\n" #: ipa-client/ipa-rmkeytab.c:86 #, c-format msgid "krb5_kt_remove_entry %d: %s\n" msgstr "krb5_kt_remove_entry %d: %s\n" #: ipa-client/ipa-rmkeytab.c:119 #, c-format msgid "Unable to parse principal\n" msgstr "?? ??????? ???????? ????????????? ?????\n" #: ipa-client/ipa-rmkeytab.c:121 #, c-format msgid "krb5_unparse_name %d: %s\n" msgstr "krb5_unparse_name %d: %s\n" #: ipa-client/ipa-rmkeytab.c:186 msgid "Print debugging information" msgstr "??????? ???????????? ????" #: ipa-client/ipa-rmkeytab.c:186 msgid "Debugging output" msgstr "???????????? 
??????????" #: ipa-client/ipa-rmkeytab.c:193 msgid "Remove all principals in this realm" msgstr "???????? ??? ???????????? ?????? ? ??? ???????" #: ipa-client/ipa-rmkeytab.c:193 msgid "Realm name" msgstr "????? ???????" #: ipa-client/ipa-rmkeytab.c:241 #, c-format msgid "Failed to open keytab '%s'\n" msgstr "?? ??????? ???????? ??????? ?????? ?%s?\n" #: ipa-client/ipa-rmkeytab.c:255 #, c-format msgid "Closing keytab failed\n" msgstr "?????? ???????? ??????? ?????? ??????? ???????\n" #: ipa-client/ipa-rmkeytab.c:257 #, c-format msgid "krb5_kt_close %d: %s\n" msgstr "krb5_kt_close %d: %s\n" #~ msgid "Locked user \"%(value)s\"" #~ msgstr "??????????? ??????????? ?%(value)s?" #~ msgid "Name of service the rule applies to (e.g. ssh)" #~ msgstr "????? ??????, ?? ???? ?????????????? ??????? (?????????, ssh)" #~ msgid "UID (use this option to set it manually)" #~ msgstr "UID (?? ????????? ????? ????????? ????? ?????????? ???????? ??????)" #~ msgid "Added policy for group \"%(value)s\"" #~ msgstr "?????? ??????? ??? ????? ?%(value)s?" #~ msgid "Group to set policy for" #~ msgstr "?????, ??? ???? ?????????????? ???????" #~ msgid "Modified policy for group \"%(value)s\"" #~ msgstr "??????? ??????? ??? ????? ?%(value)s?" #~ msgid "Deleted policy for group \"%(value)s\"" #~ msgstr "???????? ??????? ??? ????? ?%(value)s?" #~ msgid "Group to remove policy from" #~ msgstr "?????, ??? ???? ??????????? ???????" #~ msgid "Group to display policy" #~ msgstr "????? ??? ?????? ??????" #~ msgid "Display policy applied to a given user" #~ msgstr "???????? ???????, ??????????? ?? ????????? ???????????" From jdennis at redhat.com Tue Oct 19 17:40:09 2010 
From: jdennis at redhat.com (John Dennis) Date: Tue, 19 Oct 2010 13:40:09 -0400 Subject: [Freeipa-devel] [PATCH 19/19] Update Ukrainian (uk.po) translation Message-ID: <4CBDD7F9.6030905@redhat.com> Update Ukrainian (uk.po) translation -- John Dennis Looking to carve out IT costs? www.redhat.com/carveoutcosts/ -------------- next part -------------- A non-text attachment was scrubbed... Name: 0019-Update-Ukrainian-uk.po-translation.patch Type: text/x-patch Size: 45816 bytes Desc: not available URL: From ssorce at redhat.com Tue Oct 19 18:15:18 2010 From: ssorce at redhat.com (Simo Sorce) Date: Tue, 19 Oct 2010 14:15:18 -0400 Subject: [Freeipa-devel] [PATCH 19/19] Update Ukrainian (uk.po) translation In-Reply-To: <4CBDD7F9.6030905@redhat.com> References: <4CBDD7F9.6030905@redhat.com> Message-ID: <20101019141518.418a52ea@willson.li.ssimo.org> On Tue, 19 Oct 2010 13:40:09 -0400 John Dennis wrote: > Update Ukrainian (uk.po) translation Ack and pushed to master Simo. -- Simo Sorce * Red Hat, Inc * New York From rcritten at redhat.com Tue Oct 19 18:49:05 2010 From: rcritten at redhat.com (Rob Crittenden) Date: Tue, 19 Oct 2010 14:49:05 -0400 Subject: [Freeipa-devel] [PATCH] admiyo-freeipa-0060-Default-search-limit-to-100.patch In-Reply-To: <4CBCB762.1090704@redhat.com> References: <4CBCB762.1090704@redhat.com> Message-ID: <4CBDE821.6080804@redhat.com> Adam Young wrote: > Trivial patch, coulda pushed under the 1 liner rule, but figured it was > worth a second set of eyes. ack From ayoung at redhat.com Tue Oct 19 18:51:59 2010 
From: ayoung at redhat.com (Adam Young) Date: Tue, 19 Oct 2010 14:51:59 -0400 Subject: [Freeipa-devel] [PATCH] admiyo-freeipa-0060-Default-search-limit-to-100.patch In-Reply-To: <4CBDE821.6080804@redhat.com> References: <4CBCB762.1090704@redhat.com> <4CBDE821.6080804@redhat.com> Message-ID: <4CBDE8CF.10800@redhat.com> On 10/19/2010 02:49 PM, Rob Crittenden wrote: > Adam Young wrote: >> Trivial patch, coulda pushed under the 1 liner rule, but figured it was >> worth a second set of eyes. > > ack Pushed to master From edewata at redhat.com Tue Oct 19 19:12:00 2010 From: edewata at redhat.com (Endi Sukma Dewata) Date: Tue, 19 Oct 2010 14:12:00 -0500 Subject: [Freeipa-devel] [PATCH] Host certificate management Message-ID: <4CBDED80.8010802@redhat.com> Hi, Please review the attached patch. Thanks! https://fedorahosted.org/reviewboard/r/94/ The service certificate management UI has been generalized and moved into certificate.js. The host details page is now using the same code to manage certificates. The host.py has been modified to return host certificate info. The Get/Revoke/View buttons behavior has been modified such that they are visible only if there is a valid certificate. The Get dialog box has been fixed to show the correct certificate header and footer. New unit tests for certificate have been added. The test data has been modified to include sample host certificate. -- Endi S. Dewata -------------- next part -------------- A non-text attachment was scrubbed... Name: edewata-freeipa-0022-Host-certificate-management.patch Type: text/x-patch Size: 39307 bytes Desc: not available URL: From ayoung at redhat.com Tue Oct 19 19:33:37 2010
From: ayoung at redhat.com (Adam Young)
Date: Tue, 19 Oct 2010 15:33:37 -0400
Subject: [Freeipa-devel] Bulk IPA commands
Message-ID: <4CBDF291.7000204@redhat.com>

I think I have an approach that will work for packaging up multiple commands at once.

Stage 1:

1. We create a new plugin, we call it bulk. For now, it will speak only JSON.

2. The json requests look like this:

    {"method":"bulk","params":[[
        {"method":"user_find","params":[[""],{}]},
        {"method":"user_show","params":[[""],{}]},
        {"method":"user_add","params":[[""],{}]},
        {"method":"user_blah","params":[[""],{}]}
    ],{"all":true,"sizelimit":100}],"id":2}

This gets sent as a single json_request.

On the server side, each request is pulled out of the params and the common items all=true and sizelimit=100 are added to each request. The resulting json request is then executed locally, without re-requiring the kerberos auth. The responses from the individual requests are put into the response array, like so:

    {
      "error": null,
      "id": 2,
      "result": {
        "count": 1,
        "result": [{
          "error": null, //start of the response for the first nested command.
          "id": 1,
          "result": {
            "count": 1,
            "result": [
              {
                "cn": [
                  "Administrator"
                ],

    ...

Thus the plugin is responsible for processing each request, marshalling up the return and adding it to the current response.

Stage 2: we add an asynchronous mechanism. We add an option for the email notification address to the bulk plugin. The response returns immediately. Meanwhile, the plugin hands off the processing of the initial request to a queue that will be handled by another thread or process, and email the response to the address. Alternatively, we email back just an abbreviated status message.

Stage 3: Store the response in a filesystem or the DirSrv, and mail back a link that allows the user to fetch the status.

I really only care about Stage 1 for now. The json_metadata plugin is getting loaded up with too many unrelated calls in it. I'd like to be able to craft an arbitrary message that gets sent and returned with all of the information required to initialize the IPA Web UI.

    user-find --whoami
    json_metadata
    I18N_messages
    Effective rights
    plugin lists (to enable/disable UI features based on what is active)

While we would do this initially as a JSON only call, the XML-RPC should nest the same way. I leave it to Rob and Simo to figure out if this would support the CLI, but it seems to me that it should be pretty easy to do:

    ipa bulk
    >ipa user-mod ...
    >ipa user-del ...
    >ipa group-add ...
    ^D

And have that sent as a single command, with the responses again parsed out by the cli. Then the user can do:

    cat mycommands | ipa bulk > bulk.response

-------------- next part --------------
An HTML attachment was scrubbed...
URL:
From rcritten at redhat.com Tue Oct 19 19:39:06 2010
From: rcritten at redhat.com (Rob Crittenden)
Date: Tue, 19 Oct 2010 15:39:06 -0400
Subject: [Freeipa-devel] Bulk IPA commands
In-Reply-To: <4CBDF291.7000204@redhat.com>
References: <4CBDF291.7000204@redhat.com>
Message-ID: <4CBDF3DA.8000903@redhat.com>

Adam Young wrote:
> I think I have an approach that will work for packaging up multiple
> commands at once.
>

Just want to mention that XML-RPC has a provision for doing multiple requests in a single HTTP request that has a similar format. We just don't support it currently.

rob

> Stage 1:
>
> 1. We create a new plugin, we call it bulk. For now, it will speak only
> JSON.
>
> 2. The json requests look like this:
>
>     {"method":"bulk","params":[[
>         {"method":"user_find","params":[[""],{}]},
>         {"method":"user_show","params":[[""],{}]},
>         {"method":"user_add","params":[[""],{}]},
>         {"method":"user_blah","params":[[""],{}]}
>     ],{"all":true,"sizelimit":100}],"id":2}
>
> This gets sent as a single json_request.
>
> On the server side, each request is pulled out of the params and the
> common items all=true and sizelimit=100 are added to each request. The
> resulting json request is then executed locally, without re-requiring
> the kerberos auth. The responses from the individual requests are put
> into the response array, like so:
>
>     {
>       "error": null,
>       "id": 2,
>       "result": {
>         "count": 1,
>         "result": [{
>           "error": null, //start of the response for the first nested command.
>           "id": 1,
>           "result": {
>             "count": 1,
>             "result": [
>               {
>                 "cn": [
>                   "Administrator"
>                 ],
>
> ...
>
> Thus the plugin is responsible for processing each request, marshalling
> up the return and adding it to the current response.
>
> Stage 2: we add an asynchronous mechanism. We add an option for the
> email notification address to the bulk plugin. The response returns
> immediately. Meanwhile, the plugin hands off the processing of the
> initial request to a queue that will be handled by another thread or
> process, and email the response to the address. Alternatively, we email
> back just an abbreviated status message.
>
> Stage 3: Store the response in a filesystem or the DirSrv, and mail back
> a link that allows the user to fetch the status.
>
> I really only care about Stage 1 for now. The json_metadata plugin is
> getting loaded up with too many unrelated calls in it. I'd like to be
> able to craft an arbitrary message that gets sent and returned with all
> of the information required to initialize the IPA Web UI.
>
> user-find --whoami
> json_metadata
> I18N_messages
> Effective rights
> plugin lists (to enable/disable UI features based on what is active)
>
> While we would do this initially as a JSON only call, the XML-RPC should
> nest the same way. I leave it to Rob and Simo to figure out if this
> would support the CLI, but it seems to me that it should be pretty easy
> to do:
>
> ipa bulk
> >ipa user-mod ...
> >ipa user-del ...
> >ipa group-add ...
> ^D
>
> And have that sent as a single command, with the responses again parsed
> out by the cli. Then the user can do:
>
> cat mycommands | ipa bulk > bulk.response
>
> _______________________________________________
> Freeipa-devel mailing list
> Freeipa-devel at redhat.com
> https://www.redhat.com/mailman/listinfo/freeipa-devel

From ayoung at redhat.com Tue Oct 19 20:57:52 2010
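The Stage 1 dispatch proposed in the "Bulk IPA commands" thread above, as an added Python sketch that is not part of the original posts or of FreeIPA's code. It unpacks the nested requests, merges the common options into each, runs every command under the already-authenticated caller with a per-command authorization check, and isolates failures per command. The handlers, REGISTRY, USERS, ADMINS, the error names, MAX_BATCH, the rule that a nested request's own options override the common ones, and the rejection of nested bulk calls are assumptions.

```python
import json

MAX_BATCH = 50  # assumed cap on nested commands; the proposal sets none


class CommandError(Exception):
    """Per-command failure, reported inside that command's own reply."""

    def __init__(self, name, message):
        super().__init__(message)
        self.name = name


# Constructed stand-ins for the directory and for three IPA commands.
USERS = {"admin": {"uid": ["admin"], "cn": ["Administrator"]}}
ADMINS = {"admin@EXAMPLE.COM"}


def user_find(principal, args, options):
    criteria = args[0] if args else ""
    hits = [entry for uid, entry in sorted(USERS.items()) if criteria in uid]
    limit = options.get("sizelimit") or len(hits)
    return {"count": len(hits[:limit]), "result": hits[:limit]}


def user_show(principal, args, options):
    if not args or args[0] not in USERS:
        raise CommandError("NotFound", "no such user")
    return {"result": USERS[args[0]]}


def user_add(principal, args, options):
    # Authorization is evaluated per command with the caller's identity;
    # skipping re-authentication must not skip this check.
    if principal not in ADMINS:
        raise CommandError("NotAuthorized", "%s may not add users" % principal)
    if not args or not args[0]:
        raise CommandError("InvalidRequest", "user login required")
    USERS[args[0]] = {"uid": [args[0]]}
    return {"result": USERS[args[0]]}


REGISTRY = {"user_find": user_find, "user_show": user_show, "user_add": user_add}


def run_one(principal, request, common, seq):
    """Execute one nested request; a failure fills only this reply's error."""
    reply = {"error": None, "id": seq, "result": None}
    try:
        if not isinstance(request, dict):
            raise CommandError("InvalidRequest", "nested request must be an object")
        method = request.get("method")
        if method == "bulk":
            raise CommandError("NestedBulk", "bulk may not be nested")
        handler = REGISTRY.get(method)
        if handler is None:
            raise CommandError("CommandNotFound", "unknown command %r" % method)
        params = request.get("params", [[], {}])
        if not (isinstance(params, list) and len(params) == 2
                and isinstance(params[0], list) and isinstance(params[1], dict)):
            raise CommandError("InvalidRequest", "params must be [args, options]")
        options = dict(common)
        options.update(params[1])  # assumption: per-command options win
        reply["result"] = handler(principal, params[0], options)
    except CommandError as exc:
        reply["error"] = {"name": exc.name, "message": str(exc)}
    except Exception:
        # Do not leak internals of an unexpected failure into the batch reply.
        reply["error"] = {"name": "InternalError", "message": "command failed"}
    return reply


def execute_bulk(principal, raw_request):
    """Handle one 'bulk' JSON request for an already-authenticated principal."""
    outer = json.loads(raw_request)
    if outer.get("method") != "bulk":
        raise ValueError("not a bulk request")
    nested, common = outer["params"]
    if len(nested) > MAX_BATCH:
        error = {"name": "BatchTooLarge", "message": "more than %d commands" % MAX_BATCH}
        return {"error": error, "id": outer.get("id"), "result": None}
    replies = [run_one(principal, req, common, i) for i, req in enumerate(nested, 1)]
    return {"error": None, "id": outer.get("id"),
            "result": {"count": len(replies), "result": replies}}


# Constructed request in the shape shown in the thread, with arguments filled in.
SAMPLE_REQUEST = json.dumps({"method": "bulk", "params": [[
    {"method": "user_find", "params": [[""], {}]},
    {"method": "user_show", "params": [["admin"], {}]},
    {"method": "user_add", "params": [["jdoe"], {}]},
    {"method": "user_blah", "params": [[""], {}]},
], {"all": True, "sizelimit": 100}], "id": 2})

if __name__ == "__main__":
    print(json.dumps(execute_bulk("alice@EXAMPLE.COM", SAMPLE_REQUEST), indent=2))
```
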
From: ayoung at redhat.com (Adam Young)
Date: Tue, 19 Oct 2010 16:57:52 -0400
Subject: [Freeipa-devel] [PATCH] admiyo-freeipa-0061-Remove-size-limits.patch
Message-ID: <4CBE0650.9080409@redhat.com>

Remove size limits.

Now use the system wide settings instead of hardcoded size limits.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: admiyo-freeipa-0061-Remove-size-limits.patch
Type: text/x-patch
Size: 1627 bytes
Desc: not available
URL:

From ayoung at redhat.com Tue Oct 19 21:07:21 2010
From: ayoung at redhat.com (Adam Young)
Date: Tue, 19 Oct 2010 17:07:21 -0400
Subject: [Freeipa-devel] [PATCH] admiyo-freeipa-0062-removing-icons.patch
Message-ID: <4CBE0889.7060305@redhat.com>

Removing icons
We'll later replace them with a new scheme. For now, this is the
simplest UI
The intention is to look unfinished, so people don't comment on how poor
it looks.
But still, it looks better than with the oddly spaced icons.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: admiyo-freeipa-0062-removing-icons.patch
Type: text/x-patch
Size: 48226 bytes
Desc: not available
URL:

From ssorce at redhat.com Tue Oct 19 21:13:03 2010
From: ssorce at redhat.com (Simo Sorce)
Date: Tue, 19 Oct 2010 17:13:03 -0400
Subject: [Freeipa-devel] [PATCH] #360 ipa-uuid plugin
In-Reply-To: <20101018171529.498fcbc7@willson.li.ssimo.org>
References: <20101018171529.498fcbc7@willson.li.ssimo.org>
Message-ID: <20101019171303.4dcf585d@willson.li.ssimo.org>

On Mon, 18 Oct 2010 17:15:29 -0400
Simo Sorce wrote:

>
> These 2 patches configure and load a new plugin that uses internal DS
> functions to generate UUIDs.
> The plugin is similar to DNA but instead of generating sequential
> numbers it generates UUIDs (type 1).
>
> These patches do not yet remove the UUID code in the framework.
>
> Simo.
>

Rebased patch 0001 to add some minor fixes.

Simo.

--
Simo Sorce * Red Hat, Inc * New York
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0001-ipa-uuid-DNA-like-plugin-that-generates-uuids.patch
Type: text/x-patch
Size: 41991 bytes
Desc: not available
URL:

From edewata at redhat.com Tue Oct 19 21:28:36 2010
From: edewata at redhat.com (Endi Sukma Dewata)
Date: Tue, 19 Oct 2010 16:28:36 -0500
Subject: [Freeipa-devel] [PATCH] Dialog boxes for AJAX, HTTP, and IPA errors.
Message-ID: <4CBE0D84.5040005@redhat.com>

Hi,

Please review the attached patch. Thanks!

https://fedorahosted.org/reviewboard/r/95/

The ipa_cmd() has been modified to identify the type of the error it has
received and display the error using the right dialog box. The dialog box
can be customized further to display the appropriate amount of
information for each type of error.

--
Endi S. Dewata
-------------- next part --------------
A non-text attachment was scrubbed...
Name: edewata-freeipa-0023-Dialog-boxes-for-AJAX-HTTP-and-IPA-errors.patch
Type: text/x-patch
Size: 7500 bytes
Desc: not available
URL:

From ayoung at redhat.com Tue Oct 19 21:34:21 2010
From: ayoung at redhat.com (Adam Young)
Date: Tue, 19 Oct 2010 17:34:21 -0400
Subject: [Freeipa-devel] [PATCH] Host certificate management
In-Reply-To: <4CBDED80.8010802@redhat.com>
References: <4CBDED80.8010802@redhat.com>
Message-ID: <4CBE0EDD.4060302@redhat.com>

On 10/19/2010 03:12 PM, Endi Sukma Dewata wrote:
> Hi,
>
> Please review the attached patch. Thanks!
>
> https://fedorahosted.org/reviewboard/r/94/
>
> The service certificate management UI has been generalized and moved
> into certificate.js. The host details page is now using the same code
> to manage certificates. The host.py has been modified to return host
> certificate info.
>
> The Get/Revoke/View buttons behavior has been modified such that they
> are visible only if there is a valid certificate. The Get dialog box
> has been fixed to show the correct certificate header and footer.
>
> New unit tests for certificate have been added. The test data has been
> modified to include sample host certificate.
>

For the most part looks ok. I don't like the approach to validating
preconditions where we raise an alert for each. Also, make sure you
don't code styles like color right into the Javascript, that stuff
belongs in ipa.css.

With those changes, ACK
-------------- next part --------------
An HTML attachment was scrubbed...
URL:

From edewata at redhat.com Tue Oct 19 21:58:33 2010
From: edewata at redhat.com (Endi Sukma Dewata)
Date: Tue, 19 Oct 2010 16:58:33 -0500
Subject: [Freeipa-devel] [PATCH] admiyo-freeipa-0061-Remove-size-limits.patch
In-Reply-To: <4CBE0650.9080409@redhat.com>
References: <4CBE0650.9080409@redhat.com>
Message-ID: <4CBE1489.5010003@redhat.com>

On 10/19/2010 3:57 PM, Adam Young wrote:
> Remove size limits.
>
> Now use the system wide settings instead of hardcoded size limits.

ACKed and pushed to master.

--
Endi S. Dewata

From edewata at redhat.com Tue Oct 19 22:10:59 2010
From: edewata at redhat.com (Endi Sukma Dewata)
Date: Tue, 19 Oct 2010 17:10:59 -0500
Subject: [Freeipa-devel] [PATCH] admiyo-freeipa-0062-removing-icons.patch
In-Reply-To: <4CBE0889.7060305@redhat.com>
References: <4CBE0889.7060305@redhat.com>
Message-ID: <4CBE1773.3050208@redhat.com>

On 10/19/2010 4:07 PM, Adam Young wrote:
> Removing icons
> We'll later replace them with a new scheme. For now, this is the
> simplest UI
> The intention is to look unfinished, so people don't comment on how poor
> it looks.
> But still, it looks better than with the oddly spaced icons.

Already ACKed and pushed, but just a note, the quick links now become
wider, for some entities it could span multiple lines. There's also a
small issue, there's an extra separator at the end of the quick links.

--
Endi S. Dewata

From dpal at redhat.com Tue Oct 19 22:29:13 2010
From: dpal at redhat.com (Dmitri Pal) Date: Tue, 19 Oct 2010 18:29:13 -0400 Subject: [Freeipa-devel] Bulk IPA commands In-Reply-To: <4CBDF3DA.8000903@redhat.com> References: <4CBDF291.7000204@redhat.com> <4CBDF3DA.8000903@redhat.com> Message-ID: <4CBE1BB9.5070407@redhat.com> Rob Crittenden wrote: > Adam Young wrote: >> I think I have an approach that will work for pacaking up multiple >> commands at once. >> > > Just want to mention that XML-RPC has a provision for doing multiple > requests in a single HTTP request that has a similar format. We just > don't support it currently. > > rob > The approach makes sense but is it a lot of work? I suggest we defer it till later and focus on the actual visible work. If we have time we will do the optimization. If this eliminates the need for the session cookie at least for now I am Ok with deferring it too. >> Stage 1: >> >> >> 1. We create a new plugin, we call it bulk. For now, it will speak only >> JSON. >> >> 2. The json requests look like this: >> >> >> |{"method":"bulk","params":[[| >> | {"method":"user_find","params":[[""],{}]},| >> | {"method":"user_show","params":[[""],{}]},| >> | {"method":"user_add","params":[[""],{}]},| >> |{"method":"user_blah","params":[[""],{}]}|, >> |],{"all":true,"sizelimit":100}],"id":2}| >> >> >> This gets sent as a single json_request. >> >> On the server side, each request is pulled out of the params and the >> common items all=true and sizelimit=100 is added to each request. The >> resulting json request is then executed locally, without re-requiring >> the kerberos auth. THe response from the individual requests are put >> into the response array, like so: >> >> |{ >> || "error": null, >> || "id": 2, >> || "result": { >> || "count": 1, >> || "result": [{ >> || "error": null, //start of the response for the first nested command. >> || "id": 1, >> || "result": { >> || "count": 1, >> || "result": [ >> || { >> || "cn": [ >> || "Administrator" >> || ],| >> >> ... 
>> >> Thus the plugin is responsible for processing each request, marshalling >> up the return and adding it to the current response. >> >> >> >> >> Stage 2: we add an asynchronous mechanism. We add an option for the >> email notification address to the bulk plugin. The response returns >> immediately. Meanwhile, the plugin hands off the processing of the >> initial request to a queue that will be handled by another thread or >> process, and email the response to the address. Alternatively, we email >> back just an abbreviated status message. >> >> >> Stage 3: Store the response in a filesystem or the DirSrv, and mail back >> a link that allows the user to fetch the status. >> >> >> >> >> I really only care about Stage 1 for now. THe json_metadata plugin is >> getting loaded up with too many unrelated calls in it. I'd like to be >> able to craft and arbitraty message that gets sent and returned with all >> of the information required to initialize the IPA Web UI. >> >> user-find --whoami >> json_metadata >> I18N_messages >> Effective rights >> plugin lists (to enable/disable UI features based on what is active) >> >> While we would do this initially as a JSON only call, the XML-RPC should >> nest the same way. I leave it to Rob and Simo to figureo ut if this >> would support the CLI, but it seems to me that it should be pretty easy >> to do: >> >> >> ipa bulk >> >ipa user-mod ... >> >ipa user-del ... >> >upa group-add ... >> ^D >> >> And have that sent as a single command, with the responses again parsed >> out by the cli. 
Then the user can do: >> >> cat mycommands | ipa bulk > bulk.response >> >> >> >> >> >> >> >> >> >> >> >> _______________________________________________ >> Freeipa-devel mailing list >> Freeipa-devel at redhat.com >> https://www.redhat.com/mailman/listinfo/freeipa-devel > > _______________________________________________ > Freeipa-devel mailing list > Freeipa-devel at redhat.com > https://www.redhat.com/mailman/listinfo/freeipa-devel -- Thank you, Dmitri Pal Engineering Manager IPA project, Red Hat Inc. ------------------------------- Looking to carve out IT costs? www.redhat.com/carveoutcosts/ From edewata at redhat.com Tue Oct 19 22:50:27 2010 From: edewata at redhat.com (Endi Sukma Dewata) Date: Tue, 19 Oct 2010 17:50:27 -0500 Subject: [Freeipa-devel] [PATCH] Host certificate management In-Reply-To: <4CBE0EDD.4060302@redhat.com> References: <4CBDED80.8010802@redhat.com> <4CBE0EDD.4060302@redhat.com> Message-ID: <4CBE20B3.2070104@redhat.com> On 10/19/2010 4:34 PM, Adam Young wrote: > For the most part looks ok. I don't like the appraoch to validating > preconditions where we raise an alert for each. Also, make sure you > don't code styles like color right into the Javascript, that stuff > belonds in ipa.css. > > With those changes, ACK OK, attached is an updated patch. As I mentioned in the irc the alert is raised only once, just for the first error. This alert indicates a programming error, not user error, because those parameters are required to use the certificate status panel correctly. For now I've removed them until we decide how to handle such error properly. I've moved the bullet styles into ipa.css. We will need to replace them with real images. -- Endi S. Dewata -------------- next part -------------- A non-text attachment was scrubbed... Name: edewata-freeipa-0022-2-Host-certificate-management.patch Type: text/x-patch Size: 39410 bytes Desc: not available URL: From ayoung at redhat.com Wed Oct 20 13:29:28 2010 
From: ayoung at redhat.com (Adam Young) Date: Wed, 20 Oct 2010 09:29:28 -0400 Subject: [Freeipa-devel] Bulk IPA commands In-Reply-To: <4CBE1BB9.5070407@redhat.com> References: <4CBDF291.7000204@redhat.com> <4CBDF3DA.8000903@redhat.com> <4CBE1BB9.5070407@redhat.com> Message-ID: <4CBEEEB8.5030108@redhat.com> On 10/19/2010 06:29 PM, Dmitri Pal wrote: > Rob Crittenden wrote: > >> Adam Young wrote: >> >>> I think I have an approach that will work for pacaking up multiple >>> commands at once. >>> >>> >> Just want to mention that XML-RPC has a provision for doing multiple >> requests in a single HTTP request that has a similar format. We just >> don't support it currently. >> >> rob >> >> > The approach makes sense but is it a lot of work? > I suggest we defer it till later and focus on the actual visible work. > If we have time we will do the optimization. > If this eliminates the need for the session cookie at least for now I am > Ok with deferring it too. > It might be worthwhile to do this as part of Pavel's work on controlling access to the fields based on back end permissions. We are packing more and more stuff into a single json_metadata call, but it will make things much easier for us if we can just make a single bulk call and parse out what we need. I'm most concerned with the approach being approved. > > >>> Stage 1: >>> >>> >>> 1. We create a new plugin, we call it bulk. For now, it will speak only >>> JSON. >>> >>> 2. The json requests look like this: >>> >>> >>> |{"method":"bulk","params":[[| >>> | {"method":"user_find","params":[[""],{}]},| >>> | {"method":"user_show","params":[[""],{}]},| >>> | {"method":"user_add","params":[[""],{}]},| >>> |{"method":"user_blah","params":[[""],{}]}|, >>> |],{"all":true,"sizelimit":100}],"id":2}| >>> >>> >>> This gets sent as a single json_request. >>> >>> On the server side, each request is pulled out of the params and the >>> common items all=true and sizelimit=100 is added to each request. 
The >>> resulting json request is then executed locally, without re-requiring >>> the kerberos auth. THe response from the individual requests are put >>> into the response array, like so: >>> >>> |{ >>> || "error": null, >>> || "id": 2, >>> || "result": { >>> || "count": 1, >>> || "result": [{ >>> || "error": null, //start of the response for the first nested command. >>> || "id": 1, >>> || "result": { >>> || "count": 1, >>> || "result": [ >>> || { >>> || "cn": [ >>> || "Administrator" >>> || ],| >>> >>> ... >>> >>> Thus the plugin is responsible for processing each request, marshalling >>> up the return and adding it to the current response. >>> >>> >>> >>> >>> Stage 2: we add an asynchronous mechanism. We add an option for the >>> email notification address to the bulk plugin. The response returns >>> immediately. Meanwhile, the plugin hands off the processing of the >>> initial request to a queue that will be handled by another thread or >>> process, and email the response to the address. Alternatively, we email >>> back just an abbreviated status message. >>> >>> >>> Stage 3: Store the response in a filesystem or the DirSrv, and mail back >>> a link that allows the user to fetch the status. >>> >>> >>> >>> >>> I really only care about Stage 1 for now. THe json_metadata plugin is >>> getting loaded up with too many unrelated calls in it. I'd like to be >>> able to craft and arbitraty message that gets sent and returned with all >>> of the information required to initialize the IPA Web UI. >>> >>> user-find --whoami >>> json_metadata >>> I18N_messages >>> Effective rights >>> plugin lists (to enable/disable UI features based on what is active) >>> >>> While we would do this initially as a JSON only call, the XML-RPC should >>> nest the same way. I leave it to Rob and Simo to figureo ut if this >>> would support the CLI, but it seems to me that it should be pretty easy >>> to do: >>> >>> >>> ipa bulk >>> >>>> ipa user-mod ... >>>> ipa user-del ... 
>>>> upa group-add ... >>>> >>> ^D >>> >>> And have that sent as a single command, with the responses again parsed >>> out by the cli. Then the user can do: >>> >>> cat mycommands | ipa bulk> bulk.response >>> >>> >>> >>> >>> >>> >>> >>> >>> >>> >>> >>> _______________________________________________ >>> Freeipa-devel mailing list >>> Freeipa-devel at redhat.com >>> https://www.redhat.com/mailman/listinfo/freeipa-devel >>> >> _______________________________________________ >> Freeipa-devel mailing list >> Freeipa-devel at redhat.com >> https://www.redhat.com/mailman/listinfo/freeipa-devel >> > > From ayoung at redhat.com Wed Oct 20 13:34:05 2010 From: ayoung at redhat.com (Adam Young) Date: Wed, 20 Oct 2010 09:34:05 -0400 Subject: [Freeipa-devel] [PATCH] Host certificate management In-Reply-To: <4CBE20B3.2070104@redhat.com> References: <4CBDED80.8010802@redhat.com> <4CBE0EDD.4060302@redhat.com> <4CBE20B3.2070104@redhat.com> Message-ID: <4CBEEFCD.7030700@redhat.com> On 10/19/2010 06:50 PM, Endi Sukma Dewata wrote: > On 10/19/2010 4:34 PM, Adam Young wrote: >> For the most part looks ok. I don't like the appraoch to validating >> preconditions where we raise an alert for each. Also, make sure you >> don't code styles like color right into the Javascript, that stuff >> belonds in ipa.css. >> >> With those changes, ACK > > OK, attached is an updated patch. > > As I mentioned in the irc the alert is raised only once, just for the > first error. This alert indicates a programming error, not user error, > because those parameters are required to use the certificate status > panel correctly. For now I've removed them until we decide how to > handle such error properly. > > I've moved the bullet styles into ipa.css. We will need to replace > them with real images. > ACK, Pushed to master From dpal at redhat.com Wed Oct 20 13:47:41 2010 
From: dpal at redhat.com (Dmitri Pal)
Date: Wed, 20 Oct 2010 09:47:41 -0400
Subject: [Freeipa-devel] IPA install with DNS
Message-ID: <4CBEF2FD.90200@redhat.com>

Hi,

Rob I think it is time for us to put down some writeup about the DNS,
/etc/hosts, static and dynamic IPs etc.
It seems there is a lot of confusion and uncertainty.
Please create a page. It should describe how with the current IPA
software someone can achieve the following:

1) Setup IPA as a new DNS server and host name different from the actual
current host name
What is the sequence of operations?
What needs to be in the /etc/hosts? Give examples
2) Same but in the case of other DNS server present
...
3) Replica installation

Please add examples of the contents of the hosts file, command line etc.

These are just examples of the use cases, there are definitely more.
I hope Michael will help to come up with the scenarios we need to describe.
I will open a ticket for this work.

Also looking closely at our setup: why do we need IP address argument?
Is it ever used anywhere? Where and why? Is it just to create a DNS entry?
If so, man page should probably explain that it is used only in case DNS
is installed.
Anywhere else?

I agree we should do the IP address validation and it should support
both IPv4 & IPv6.

--
Thank you,
Dmitri Pal

Engineering Manager IPA project,
Red Hat Inc.

From dpal at redhat.com Wed Oct 20 14:01:58 2010
From: dpal at redhat.com (Dmitri Pal) Date: Wed, 20 Oct 2010 10:01:58 -0400 Subject: [Freeipa-devel] Bulk IPA commands In-Reply-To: <4CBEEEB8.5030108@redhat.com> References: <4CBDF291.7000204@redhat.com> <4CBDF3DA.8000903@redhat.com> <4CBE1BB9.5070407@redhat.com> <4CBEEEB8.5030108@redhat.com> Message-ID: <4CBEF656.2020306@redhat.com> Adam Young wrote: > On 10/19/2010 06:29 PM, Dmitri Pal wrote: >> Rob Crittenden wrote: >> >>> Adam Young wrote: >>> >>>> I think I have an approach that will work for pacaking up multiple >>>> commands at once. >>>> >>>> >>> Just want to mention that XML-RPC has a provision for doing multiple >>> requests in a single HTTP request that has a similar format. We just >>> don't support it currently. >>> >>> rob >>> >>> >> The approach makes sense but is it a lot of work? >> I suggest we defer it till later and focus on the actual visible work. >> If we have time we will do the optimization. >> If this eliminates the need for the session cookie at least for now I am >> Ok with deferring it too. >> > It might be worthwhile to do this as part of Pavel's work on > controlling access to the fields based on back end permissions. We > are packing more and more stuff into a single json_metadata call, but > it will make things much easier for us if we can just make a single > bulk call and parse out what we need. > > I'm most concerned with the approach being approved. > I approve but I want to get approval from Rob, Simo and Pavel too. Please ack or nack this idea. > > >> >> >>>> Stage 1: >>>> >>>> >>>> 1. We create a new plugin, we call it bulk. For now, it will speak >>>> only >>>> JSON. >>>> >>>> 2. 
The json requests look like this: >>>> >>>> >>>> |{"method":"bulk","params":[[| >>>> | {"method":"user_find","params":[[""],{}]},| >>>> | {"method":"user_show","params":[[""],{}]},| >>>> | {"method":"user_add","params":[[""],{}]},| >>>> |{"method":"user_blah","params":[[""],{}]}|, >>>> |],{"all":true,"sizelimit":100}],"id":2}| >>>> >>>> >>>> This gets sent as a single json_request. >>>> >>>> On the server side, each request is pulled out of the params and the >>>> common items all=true and sizelimit=100 is added to each request. The >>>> resulting json request is then executed locally, without re-requiring >>>> the kerberos auth. THe response from the individual requests are put >>>> into the response array, like so: >>>> >>>> |{ >>>> || "error": null, >>>> || "id": 2, >>>> || "result": { >>>> || "count": 1, >>>> || "result": [{ >>>> || "error": null, //start of the response for the first nested >>>> command. >>>> || "id": 1, >>>> || "result": { >>>> || "count": 1, >>>> || "result": [ >>>> || { >>>> || "cn": [ >>>> || "Administrator" >>>> || ],| >>>> >>>> ... >>>> >>>> Thus the plugin is responsible for processing each request, >>>> marshalling >>>> up the return and adding it to the current response. >>>> >>>> >>>> >>>> >>>> Stage 2: we add an asynchronous mechanism. We add an option for the >>>> email notification address to the bulk plugin. The response returns >>>> immediately. Meanwhile, the plugin hands off the processing of the >>>> initial request to a queue that will be handled by another thread or >>>> process, and email the response to the address. Alternatively, we >>>> email >>>> back just an abbreviated status message. >>>> >>>> >>>> Stage 3: Store the response in a filesystem or the DirSrv, and mail >>>> back >>>> a link that allows the user to fetch the status. >>>> >>>> >>>> >>>> >>>> I really only care about Stage 1 for now. THe json_metadata plugin is >>>> getting loaded up with too many unrelated calls in it. 
I'd like to be >>>> able to craft and arbitraty message that gets sent and returned >>>> with all >>>> of the information required to initialize the IPA Web UI. >>>> >>>> user-find --whoami >>>> json_metadata >>>> I18N_messages >>>> Effective rights >>>> plugin lists (to enable/disable UI features based on what is active) >>>> >>>> While we would do this initially as a JSON only call, the XML-RPC >>>> should >>>> nest the same way. I leave it to Rob and Simo to figureo ut if this >>>> would support the CLI, but it seems to me that it should be pretty >>>> easy >>>> to do: >>>> >>>> >>>> ipa bulk >>>> >>>>> ipa user-mod ... >>>>> ipa user-del ... >>>>> upa group-add ... >>>>> >>>> ^D >>>> >>>> And have that sent as a single command, with the responses again >>>> parsed >>>> out by the cli. Then the user can do: >>>> >>>> cat mycommands | ipa bulk> bulk.response >>>> >>>> >>>> >>>> >>>> >>>> >>>> >>>> >>>> >>>> >>>> >>>> _______________________________________________ >>>> Freeipa-devel mailing list >>>> Freeipa-devel at redhat.com >>>> https://www.redhat.com/mailman/listinfo/freeipa-devel >>>> >>> _______________________________________________ >>> Freeipa-devel mailing list >>> Freeipa-devel at redhat.com >>> https://www.redhat.com/mailman/listinfo/freeipa-devel >>> >> >> > > _______________________________________________ > Freeipa-devel mailing list > Freeipa-devel at redhat.com > https://www.redhat.com/mailman/listinfo/freeipa-devel > > -- Thank you, Dmitri Pal Engineering Manager IPA project, Red Hat Inc. ------------------------------- Looking to carve out IT costs? www.redhat.com/carveoutcosts/ From pzuna at redhat.com Wed Oct 20 14:24:57 2010 
From: pzuna at redhat.com (Pavel Zuna) Date: Wed, 20 Oct 2010 16:24:57 +0200 Subject: [Freeipa-devel] [PATCH] Add flag to group-find to only search on private groups. In-Reply-To: <4CB77328.3040107@redhat.com> References: <4CA5D87C.5010104@redhat.com> <4CB45B41.8090100@redhat.com> <4CB77328.3040107@redhat.com> Message-ID: <4CBEFBB9.9030906@redhat.com> On 10/14/2010 11:16 PM, Rob Crittenden wrote: > Pavel Zuna wrote: >> On 10/01/2010 02:47 PM, Pavel Zuna wrote: >>> Ticket #251 >>> >>> Pavel >>> >>> >> >> New version of patch attached. This time it should work. :) I renamed >> the flag from --privateonly to --private. Normal searches do not return >> private groups at all, while searches with this flag only return private >> groups. >> >> Pavel > > This works a lot better than the last patch. The code itself is fine, > I'd just ask that you add a test case for searching for private groups. > The test that is in this patch seems more geared for removing multiple > users at once (which is a good thing) but doesn't actually work without > this change: > > --- a/tests/test_xmlrpc/test_user_plugin.py > +++ b/tests/test_xmlrpc/test_user_plugin.py > @@ -358,7 +358,7 @@ class test_user(Declarative): > loginshell=[u'/bin/sh'], > objectclass=objectclasses.user, > sn=[u'User2'], > - uid=[user1], > + uid=[user2], > uidnumber=[fuzzy_digits], > ipauniqueid=[fuzzy_uuid], > dn=u'uid=tuser2,cn=users,cn=accounts,' + api.env.basedn, > > So NACK for now but its very close. > > rob Version 3 attached. Added a test case for searching private groups and fixed user tests. Pavel -------------- next part -------------- A non-text attachment was scrubbed... Name: pzuna-freeipa-0024-3-searchprvgroup.patch Type: application/mbox Size: 7646 bytes Desc: not available URL: From rcritten at redhat.com Wed Oct 20 14:26:08 2010 
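Review bot: in the test_user_plugin.py hunk quoted above, the dn context line right after the change still hardcodes the login as u'uid=tuser2,cn=users,cn=accounts,' while the corrected line now takes uid from the user2 variable; building the expected dn from user2 as well would keep the two expectations from drifting apart the way uid=[user1] did. The hunk also only repairs the expected user entry, so the private-group search test requested in the same reply still needs its own case.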
From: rcritten at redhat.com (Rob Crittenden)
Date: Wed, 20 Oct 2010 10:26:08 -0400
Subject: [Freeipa-devel] [PATCH] 583 update DNS when adding/removing host
Message-ID: <4CBEFC00.7020303@redhat.com>

Add ability to add/remove DNS records when adding/removing a host entry.
A host in DNS must have an IP address so a valid IP address is required
when adding a host. The --force flag will be needed too since you are
adding a host that isn't in DNS.

For IPv4 it will create an A and a PTR DNS record.

IPv6 isn't quite supported yet. Some basic work in the DNS installer is
needed to get this working. Once the get_reverse_zone() returns the right
value then this should start working and create an AAAA record and the
appropriate reverse entry.

When deleting a host with the --updatedns flag it will try to remove all
records it can find in the zone for this host.

ticket 238

rob
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-583-host.patch
Type: application/mbox
Size: 8903 bytes
Desc: not available
URL:

From rcritten at redhat.com Wed Oct 20 14:42:32 2010
From: rcritten at redhat.com (Rob Crittenden) Date: Wed, 20 Oct 2010 10:42:32 -0400 Subject: [Freeipa-devel] Bulk IPA commands In-Reply-To: <4CBEEEB8.5030108@redhat.com> References: <4CBDF291.7000204@redhat.com> <4CBDF3DA.8000903@redhat.com> <4CBE1BB9.5070407@redhat.com> <4CBEEEB8.5030108@redhat.com> Message-ID: <4CBEFFD8.60906@redhat.com> Adam Young wrote: > On 10/19/2010 06:29 PM, Dmitri Pal wrote: >> Rob Crittenden wrote: >>> Adam Young wrote: >>>> I think I have an approach that will work for pacaking up multiple >>>> commands at once. >>>> >>> Just want to mention that XML-RPC has a provision for doing multiple >>> requests in a single HTTP request that has a similar format. We just >>> don't support it currently. >>> >>> rob >>> >> The approach makes sense but is it a lot of work? >> I suggest we defer it till later and focus on the actual visible work. >> If we have time we will do the optimization. >> If this eliminates the need for the session cookie at least for now I am >> Ok with deferring it too. > It might be worthwhile to do this as part of Pavel's work on controlling > access to the fields based on back end permissions. We are packing more > and more stuff into a single json_metadata call, but it will make things > much easier for us if we can just make a single bulk call and parse out > what we need. > > I'm most concerned with the approach being approved. It seems reasonable but I'm not sure I favor adding it only to json. Our goal has always been to keep all interfaces equal. The XML-RPC equivalent is multicall, http://docs.python.org/library/xmlrpclib.html What are your plans in the case of exceptions? Short-circuit or keep going? rob > > > >> >>>> Stage 1: >>>> >>>> >>>> 1. We create a new plugin, we call it bulk. For now, it will speak only >>>> JSON. >>>> >>>> 2. 
The json requests look like this: >>>> >>>> >>>> |{"method":"bulk","params":[[| >>>> | {"method":"user_find","params":[[""],{}]},| >>>> | {"method":"user_show","params":[[""],{}]},| >>>> | {"method":"user_add","params":[[""],{}]},| >>>> |{"method":"user_blah","params":[[""],{}]}|, >>>> |],{"all":true,"sizelimit":100}],"id":2}| >>>> >>>> >>>> This gets sent as a single json_request. >>>> >>>> On the server side, each request is pulled out of the params and the >>>> common items all=true and sizelimit=100 is added to each request. The >>>> resulting json request is then executed locally, without re-requiring >>>> the kerberos auth. THe response from the individual requests are put >>>> into the response array, like so: >>>> >>>> |{ >>>> || "error": null, >>>> || "id": 2, >>>> || "result": { >>>> || "count": 1, >>>> || "result": [{ >>>> || "error": null, //start of the response for the first nested command. >>>> || "id": 1, >>>> || "result": { >>>> || "count": 1, >>>> || "result": [ >>>> || { >>>> || "cn": [ >>>> || "Administrator" >>>> || ],| >>>> >>>> ... >>>> >>>> Thus the plugin is responsible for processing each request, marshalling >>>> up the return and adding it to the current response. >>>> >>>> >>>> >>>> >>>> Stage 2: we add an asynchronous mechanism. We add an option for the >>>> email notification address to the bulk plugin. The response returns >>>> immediately. Meanwhile, the plugin hands off the processing of the >>>> initial request to a queue that will be handled by another thread or >>>> process, and email the response to the address. Alternatively, we email >>>> back just an abbreviated status message. >>>> >>>> >>>> Stage 3: Store the response in a filesystem or the DirSrv, and mail >>>> back >>>> a link that allows the user to fetch the status. >>>> >>>> >>>> >>>> >>>> I really only care about Stage 1 for now. THe json_metadata plugin is >>>> getting loaded up with too many unrelated calls in it. 
I'd like to be >>>> able to craft and arbitraty message that gets sent and returned with >>>> all >>>> of the information required to initialize the IPA Web UI. >>>> >>>> user-find --whoami >>>> json_metadata >>>> I18N_messages >>>> Effective rights >>>> plugin lists (to enable/disable UI features based on what is active) >>>> >>>> While we would do this initially as a JSON only call, the XML-RPC >>>> should >>>> nest the same way. I leave it to Rob and Simo to figureo ut if this >>>> would support the CLI, but it seems to me that it should be pretty easy >>>> to do: >>>> >>>> >>>> ipa bulk >>>>> ipa user-mod ... >>>>> ipa user-del ... >>>>> upa group-add ... >>>> ^D >>>> >>>> And have that sent as a single command, with the responses again parsed >>>> out by the cli. Then the user can do: >>>> >>>> cat mycommands | ipa bulk> bulk.response >>>> >>>> >>>> >>>> >>>> >>>> >>>> >>>> >>>> >>>> >>>> >>>> _______________________________________________ >>>> Freeipa-devel mailing list >>>> Freeipa-devel at redhat.com >>>> https://www.redhat.com/mailman/listinfo/freeipa-devel >>> _______________________________________________ >>> Freeipa-devel mailing list >>> Freeipa-devel at redhat.com >>> https://www.redhat.com/mailman/listinfo/freeipa-devel >> > From ayoung at redhat.com Wed Oct 20 14:47:36 2010 
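A sketch of the Stage 1 dispatch discussed in this thread, as an added example that is not FreeIPA code and not from any message here: shared options are merged into each nested request, every command runs as the already-authenticated principal, and a failure is reported in that command's own envelope, with processing either continuing or stopping. The handler registry, the principal argument, the error fields, the ban on nested bulk calls, the size cap and the rule that a command's own option overrides the shared one are all assumptions.

```python
import json

MAX_SUBREQUESTS = 50  # assumed cap; the thread does not specify one


class CommandError(Exception):
    """A failure in one nested command, reported in that command's envelope."""


def run_one(sub, common, registry, principal):
    """Validate and execute one nested request as the authenticated caller."""
    if not isinstance(sub, dict):
        raise CommandError("sub-request must be a JSON object")
    method = sub.get("method")
    if method == "bulk":
        # Refuse recursion so one request cannot expand without bound.
        raise CommandError("nested bulk is not allowed")
    handler = registry.get(method)
    if handler is None:
        raise CommandError("unknown command: %r" % (method,))
    params = sub.get("params")
    if (not isinstance(params, list) or len(params) != 2
            or not isinstance(params[0], list)
            or not isinstance(params[1], dict)):
        raise CommandError("params must be [args, options]")
    args, options = params
    merged = dict(common)      # shared options such as all/sizelimit
    merged.update(options)     # assumption: a command's own option wins
    return handler(principal, *args, **merged)


def execute_bulk(request, registry, principal, stop_on_error=False):
    """Run each nested request and collect one response envelope per command."""
    params = request.get("params")
    if (request.get("method") != "bulk" or not isinstance(params, list)
            or len(params) != 2 or not isinstance(params[0], list)
            or not isinstance(params[1], dict)):
        raise ValueError("expected bulk params [[requests...], {options}]")
    subrequests, common = params
    if len(subrequests) > MAX_SUBREQUESTS:
        raise ValueError("too many nested requests")

    envelopes = []
    for position, sub in enumerate(subrequests, start=1):
        envelope = {"error": None, "id": position, "result": None}
        try:
            envelope["result"] = run_one(sub, common, registry, principal)
        except CommandError as exc:
            envelope["error"] = {"name": "CommandError", "message": str(exc)}
        except Exception:
            # Do not leak internals of an unexpected failure to the client.
            envelope["error"] = {"name": "InternalError",
                                 "message": "command failed"}
        envelopes.append(envelope)
        if stop_on_error and envelope["error"] is not None:
            break
    return {"error": None, "id": request.get("id"),
            "result": {"count": len(envelopes), "result": envelopes}}


def demo_registry():
    """Constructed stand-in handlers; returns (registry, log of calls)."""
    calls = []

    def user_find(principal, criteria, **options):
        calls.append(("user_find", principal, options))
        return {"count": 1, "result": [{"cn": ["Administrator"]}]}

    def user_show(principal, uid, **options):
        calls.append(("user_show", principal, options))
        return {"result": {"uid": [uid]}}

    def user_add(principal, uid, **options):
        calls.append(("user_add", principal, options))
        if not uid:
            raise CommandError("user login is required")
        return {"result": {"uid": [uid]}}

    return ({"user_find": user_find, "user_show": user_show,
             "user_add": user_add}, calls)


def sample_request():
    """The request from the proposal, with its trailing comma dropped."""
    return json.loads("""
    {"method":"bulk","params":[[
      {"method":"user_find","params":[[""],{}]},
      {"method":"user_show","params":[[""],{}]},
      {"method":"user_add","params":[[""],{}]},
      {"method":"user_blah","params":[[""],{}]}
    ],{"all":true,"sizelimit":100}],"id":2}
    """)


if __name__ == "__main__":
    registry, _ = demo_registry()
    reply = execute_bulk(sample_request(), registry, "admin@EXAMPLE.TEST")
    print(json.dumps(reply, indent=2))
```

Because the nested commands skip a second authentication step, each handler receives the caller's principal explicitly so that per-command authorization can still be enforced inside the handler.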
From: ayoung at redhat.com (Adam Young)
Date: Wed, 20 Oct 2010 10:47:36 -0400
Subject: [Freeipa-devel] Bulk IPA commands
In-Reply-To: <4CBEFFD8.60906@redhat.com>
References: <4CBDF291.7000204@redhat.com> <4CBDF3DA.8000903@redhat.com> <4CBE1BB9.5070407@redhat.com> <4CBEEEB8.5030108@redhat.com> <4CBEFFD8.60906@redhat.com>
Message-ID: <4CBF0108.1010407@redhat.com>

On 10/20/2010 10:42 AM, Rob Crittenden wrote:
> Adam Young wrote:
>> On 10/19/2010 06:29 PM, Dmitri Pal wrote:
>>> Rob Crittenden wrote:
>>>> Adam Young wrote:
>>>>> I think I have an approach that will work for packaging up multiple
>>>>> commands at once.
>>>>>
>>>> Just want to mention that XML-RPC has a provision for doing multiple
>>>> requests in a single HTTP request that has a similar format. We just
>>>> don't support it currently.
>>>>
>>>> rob
>>>>
>>> The approach makes sense but is it a lot of work?
>>> I suggest we defer it till later and focus on the actual visible work.
>>> If we have time we will do the optimization.
>>> If this eliminates the need for the session cookie at least for now
>>> I am Ok with deferring it too.
>> It might be worthwhile to do this as part of Pavel's work on controlling
>> access to the fields based on back end permissions. We are packing more
>> and more stuff into a single json_metadata call, but it will make things
>> much easier for us if we can just make a single bulk call and parse out
>> what we need.
>>
>> I'm most concerned with the approach being approved.
>
> It seems reasonable but I'm not sure I favor adding it only to json.
> Our goal has always been to keep all interfaces equal. The XML-RPC
> equivalent is multicall, http://docs.python.org/library/xmlrpclib.html
>
> What are your plans in the case of exceptions? Short-circuit or keep
> going?

By default, keep going, and return the error codes. We can provide an
option to short circuit as well.

>
> rob
>
>>
>>>
>>>>> Stage 1:
>>>>>
>>>>> 1. We create a new plugin, we call it bulk.
>>>>> For now, it will speak only JSON.
>>>>>
>>>>> 2. The json requests look like this:
>>>>>
>>>>> |{"method":"bulk","params":[[|
>>>>> | {"method":"user_find","params":[[""],{}]},|
>>>>> | {"method":"user_show","params":[[""],{}]},|
>>>>> | {"method":"user_add","params":[[""],{}]},|
>>>>> |{"method":"user_blah","params":[[""],{}]}|,
>>>>> |],{"all":true,"sizelimit":100}],"id":2}|
>>>>>
>>>>> This gets sent as a single json_request.
>>>>>
>>>>> On the server side, each request is pulled out of the params and the
>>>>> common items all=true and sizelimit=100 is added to each request. The
>>>>> resulting json request is then executed locally, without re-requiring
>>>>> the kerberos auth. The response from the individual requests are put
>>>>> into the response array, like so:
>>>>>
>>>>> |{
>>>>> || "error": null,
>>>>> || "id": 2,
>>>>> || "result": {
>>>>> || "count": 1,
>>>>> || "result": [{
>>>>> || "error": null, //start of the response for the first nested command.
>>>>> || "id": 1,
>>>>> || "result": {
>>>>> || "count": 1,
>>>>> || "result": [
>>>>> || {
>>>>> || "cn": [
>>>>> || "Administrator"
>>>>> || ],|
>>>>>
>>>>> ...
>>>>>
>>>>> Thus the plugin is responsible for processing each request, marshalling
>>>>> up the return and adding it to the current response.
>>>>>
>>>>> Stage 2: we add an asynchronous mechanism. We add an option for the
>>>>> email notification address to the bulk plugin. The response returns
>>>>> immediately. Meanwhile, the plugin hands off the processing of the
>>>>> initial request to a queue that will be handled by another thread or
>>>>> process, and email the response to the address. Alternatively, we
>>>>> email back just an abbreviated status message.
>>>>>
>>>>> Stage 3: Store the response in a filesystem or the DirSrv, and mail back
>>>>> a link that allows the user to fetch the status.
>>>>>
>>>>> I really only care about Stage 1 for now.
>>>>> The json_metadata plugin is
>>>>> getting loaded up with too many unrelated calls in it. I'd like to be
>>>>> able to craft an arbitrary message that gets sent and returned with all
>>>>> of the information required to initialize the IPA Web UI.
>>>>>
>>>>> user-find --whoami
>>>>> json_metadata
>>>>> I18N_messages
>>>>> Effective rights
>>>>> plugin lists (to enable/disable UI features based on what is active)
>>>>>
>>>>> While we would do this initially as a JSON only call, the XML-RPC should
>>>>> nest the same way. I leave it to Rob and Simo to figure out if this
>>>>> would support the CLI, but it seems to me that it should be pretty easy
>>>>> to do:
>>>>>
>>>>> ipa bulk
>>>>>> ipa user-mod ...
>>>>>> ipa user-del ...
>>>>>> ipa group-add ...
>>>>> ^D
>>>>>
>>>>> And have that sent as a single command, with the responses again parsed
>>>>> out by the cli. Then the user can do:
>>>>>
>>>>> cat mycommands | ipa bulk> bulk.response
>>>>>
>>>>> _______________________________________________
>>>>> Freeipa-devel mailing list
>>>>> Freeipa-devel at redhat.com
>>>>> https://www.redhat.com/mailman/listinfo/freeipa-devel
>>>> _______________________________________________
>>>> Freeipa-devel mailing list
>>>> Freeipa-devel at redhat.com
>>>> https://www.redhat.com/mailman/listinfo/freeipa-devel
>>>
>>
>

From pzuna at redhat.com Wed Oct 20 14:50:27 2010
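The Stage 1 dispatch and the keep-going versus short-circuit behaviour discussed in the "Bulk IPA commands" thread, as an added Python example that is not FreeIPA code and not from any poster. The command stand-ins, the error codes, the `stop_on_error` option name, the per-principal permission table and the rule that per-request options override the common ones are all assumptions; the sample request is constructed from the one quoted in the thread.

```python
import json

# Constructed error codes for this example (not FreeIPA's own numbering).
E_UNKNOWN, E_DENIED, E_NOTFOUND, E_BADREQ = 1, 2, 3, 4


class CommandError(Exception):
    """Failure of one nested command, reported in that command's slot."""

    def __init__(self, code, message):
        super().__init__(message)
        self.code = code


def sample_directory():
    return {"admin": {"uid": ["admin"], "cn": ["Administrator"]}}


# Stand-ins for server commands; they work on a dict instead of LDAP.
def user_find(directory, args, options):
    term = args[0] if args else ""
    hits = [directory[uid] for uid in sorted(directory) if term in uid]
    hits = hits[: options.get("sizelimit", len(hits))]
    return {"count": len(hits), "result": hits}


def user_show(directory, args, options):
    uid = args[0] if args else ""
    if uid not in directory:
        raise CommandError(E_NOTFOUND, "%s: user not found" % uid)
    return {"count": 1, "result": [directory[uid]]}


def user_add(directory, args, options):
    uid = args[0] if args else ""
    if not uid or uid in directory:
        raise CommandError(E_BADREQ, "uid missing or already present")
    directory[uid] = {"uid": [uid], "cn": [options.get("cn", uid)]}
    return {"count": 1, "result": [directory[uid]]}


COMMANDS = {"user_find": user_find, "user_show": user_show, "user_add": user_add}

# Hypothetical permission table. Skipping re-authentication for nested calls
# must not skip authorization: every nested command is checked separately.
PERMITTED = {"admin": set(COMMANDS), "helpdesk": {"user_find", "user_show"}}


def run_nested(item, common, principal, directory):
    if not isinstance(item, dict):
        raise CommandError(E_BADREQ, "nested request must be an object")
    method = item.get("method")
    if method not in COMMANDS:  # this also refuses a nested "bulk"
        raise CommandError(E_UNKNOWN, "unknown command '%s'" % method)
    if method not in PERMITTED.get(principal, ()):
        raise CommandError(E_DENIED, "%s may not call %s" % (principal, method))
    params = item.get("params")
    if not (isinstance(params, list) and len(params) == 2
            and isinstance(params[0], list) and isinstance(params[1], dict)):
        raise CommandError(E_BADREQ, "params must be [[args], {options}]")
    options = dict(common)
    options.update(params[1])  # assumption: per-request options win
    return COMMANDS[method](directory, params[0], options)


def bulk(request, principal, directory):
    """Run every nested request as `principal`; one response slot per request."""
    nested, common = request["params"]
    common = dict(common)
    stop_on_error = bool(common.pop("stop_on_error", False))
    responses = []
    for index, item in enumerate(nested, start=1):
        response = {"error": None, "id": index, "result": None}
        try:
            response["result"] = run_nested(item, common, principal, directory)
        except CommandError as exc:
            response["error"] = {"code": exc.code, "message": str(exc)}
        responses.append(response)
        if stop_on_error and response["error"] is not None:
            break  # short circuit: later commands are never attempted
    return {"error": None, "id": request.get("id"),
            "result": {"count": len(responses), "result": responses}}


def with_common(request, **extra):
    """Copy of `request` with extra common options set."""
    clone = json.loads(json.dumps(request))
    clone["params"][1].update(extra)
    return clone


def error_codes(response):
    return [r["error"] and r["error"]["code"] for r in response["result"]["result"]]


# Constructed request in the shape quoted in the thread.
SAMPLE = json.loads("""{"method":"bulk","params":[[
  {"method":"user_find","params":[[""],{}]},
  {"method":"user_show","params":[["nobody"],{}]},
  {"method":"user_add","params":[["tuser1"],{}]},
  {"method":"user_blah","params":[[""],{}]}
],{"all":true,"sizelimit":100}],"id":2}""")

if __name__ == "__main__":
    print(json.dumps(bulk(SAMPLE, "admin", sample_directory()), indent=1))
```

With the keep-going default, the failed `user_show` does not stop the later `user_add` from changing the directory, which is the cascading-failure case raised in the replies; with `stop_on_error` the batch ends at the first error and the directory is left untouched.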
From: pzuna at redhat.com (Pavel Zuna)
Date: Wed, 20 Oct 2010 16:50:27 +0200
Subject: [Freeipa-devel] [PATCH] Add fail-safe defaults to time and size limits in ldap2 searches.
In-Reply-To: <4CB705DA.60607@redhat.com>
References: <4CB704D9.1050606@redhat.com> <4CB705DA.60607@redhat.com>
Message-ID: <4CBF01B3.8060700@redhat.com>

On 10/14/2010 03:30 PM, Rob Crittenden wrote:
> Pavel Zuna wrote:
>> There was no default value set even though we were using config.get and
>> it was throwing exceptions if someone deleted one of the related config
>> values.
>>
>> Pavel
>
> Is this needed since get_ipa_config() will always return something for
> time and search limits?
>
> rob

Yes, because get_ipa_config will return defaults for time and search limits
only when the whole ipaConfig entry isn't found.

I reworked the patch, so that defaults are always returned by
get_ipa_config, but I left changes from the previous version, because it
doesn't hurt anything and is a (very little) bit safer.

New version attached.

Pavel
-------------- next part --------------
A non-text attachment was scrubbed...
Name: pzuna-freeipa-0033-2-limitdefaults.patch
Type: application/mbox
Size: 2387 bytes
Desc: not available
URL:

From ayoung at redhat.com Wed Oct 20 14:55:37 2010
From: ayoung at redhat.com (Adam Young)
Date: Wed, 20 Oct 2010 10:55:37 -0400
Subject: [Freeipa-devel] [PATCH] admiyo-freeipa-0058-password-dialog.patch
In-Reply-To: <4CBCAF20.3060904@redhat.com>
References: <4CB8A5FA.40804@redhat.com> <4CB8AA33.6050000@redhat.com> <4CBC97BB.7060305@redhat.com> <4CBCAF20.3060904@redhat.com>
Message-ID: <4CBF02E9.4010504@redhat.com>

On 10/18/2010 04:33 PM, Endi Sukma Dewata wrote:
> On 10/18/2010 1:53 PM, Adam Young wrote:
>> Now check the principal prior to calling passwd, and add that as a
>> parameter for non-selfservice case.
>
> ACK with note that there's an outstanding bug on password reset:
> https://fedorahosted.org/freeipa/ticket/390
>

Rebased and pushed to master

From rcritten at redhat.com Wed Oct 20 15:38:49 2010
From: rcritten at redhat.com (Rob Crittenden)
Date: Wed, 20 Oct 2010 11:38:49 -0400
Subject: [Freeipa-devel] Bulk IPA commands
In-Reply-To: <4CBF0108.1010407@redhat.com>
References: <4CBDF291.7000204@redhat.com> <4CBDF3DA.8000903@redhat.com> <4CBE1BB9.5070407@redhat.com> <4CBEEEB8.5030108@redhat.com> <4CBEFFD8.60906@redhat.com> <4CBF0108.1010407@redhat.com>
Message-ID: <4CBF0D09.9040909@redhat.com>

Adam Young wrote:
> On 10/20/2010 10:42 AM, Rob Crittenden wrote:
>> Adam Young wrote:
>>> On 10/19/2010 06:29 PM, Dmitri Pal wrote:
>>>> Rob Crittenden wrote:
>>>>> Adam Young wrote:
>>>>>> I think I have an approach that will work for packaging up multiple
>>>>>> commands at once.
>>>>>>
>>>>> Just want to mention that XML-RPC has a provision for doing multiple
>>>>> requests in a single HTTP request that has a similar format. We just
>>>>> don't support it currently.
>>>>>
>>>>> rob
>>>>>
>>>> The approach makes sense but is it a lot of work?
>>>> I suggest we defer it till later and focus on the actual visible work.
>>>> If we have time we will do the optimization.
>>>> If this eliminates the need for the session cookie at least for now
>>>> I am Ok with deferring it too.
>>> It might be worthwhile to do this as part of Pavel's work on controlling
>>> access to the fields based on back end permissions. We are packing more
>>> and more stuff into a single json_metadata call, but it will make things
>>> much easier for us if we can just make a single bulk call and parse out
>>> what we need.
>>>
>>> I'm most concerned with the approach being approved.
>>
>> It seems reasonable but I'm not sure I favor adding it only to json.
>> Our goal has always been to keep all interfaces equal. The XML-RPC
>> equivalent is multicall, http://docs.python.org/library/xmlrpclib.html
>>
>> What are your plans in the case of exceptions? Short-circuit or keep
>> going?
>
> By default, keep going, and return the error codes. We can provide an
> option to short circuit as well.

Ok, we'll just have to be careful that we don't abuse this. I fear about
cascading failures of the sort this fails, so that fails, so that fails,
etc and trying to unwind it. If you're going to use it to do things like
fetch the user and rights at the same time, that sounds like a good use.

rob

>
>>
>> rob
>>
>>>
>>>>
>>>>>> Stage 1:
>>>>>>
>>>>>> 1. We create a new plugin, we call it bulk. For now, it will speak
>>>>>> only JSON.
>>>>>>
>>>>>> 2. The json requests look like this:
>>>>>>
>>>>>> |{"method":"bulk","params":[[|
>>>>>> | {"method":"user_find","params":[[""],{}]},|
>>>>>> | {"method":"user_show","params":[[""],{}]},|
>>>>>> | {"method":"user_add","params":[[""],{}]},|
>>>>>> |{"method":"user_blah","params":[[""],{}]}|,
>>>>>> |],{"all":true,"sizelimit":100}],"id":2}|
>>>>>>
>>>>>> This gets sent as a single json_request.
>>>>>>
>>>>>> On the server side, each request is pulled out of the params and the
>>>>>> common items all=true and sizelimit=100 is added to each request. The
>>>>>> resulting json request is then executed locally, without re-requiring
>>>>>> the kerberos auth. The response from the individual requests are put
>>>>>> into the response array, like so:
>>>>>>
>>>>>> |{
>>>>>> || "error": null,
>>>>>> || "id": 2,
>>>>>> || "result": {
>>>>>> || "count": 1,
>>>>>> || "result": [{
>>>>>> || "error": null, //start of the response for the first nested command.
>>>>>> || "id": 1,
>>>>>> || "result": {
>>>>>> || "count": 1,
>>>>>> || "result": [
>>>>>> || {
>>>>>> || "cn": [
>>>>>> || "Administrator"
>>>>>> || ],|
>>>>>>
>>>>>> ...
>>>>>>
>>>>>> Thus the plugin is responsible for processing each request,
>>>>>> marshalling up the return and adding it to the current response.
>>>>>>
>>>>>> Stage 2: we add an asynchronous mechanism. We add an option for the
>>>>>> email notification address to the bulk plugin. The response returns
>>>>>> immediately.
>>>>>> Meanwhile, the plugin hands off the processing of the
>>>>>> initial request to a queue that will be handled by another thread or
>>>>>> process, and email the response to the address. Alternatively, we
>>>>>> email back just an abbreviated status message.
>>>>>>
>>>>>> Stage 3: Store the response in a filesystem or the DirSrv, and mail
>>>>>> back a link that allows the user to fetch the status.
>>>>>>
>>>>>> I really only care about Stage 1 for now. The json_metadata plugin is
>>>>>> getting loaded up with too many unrelated calls in it. I'd like to be
>>>>>> able to craft an arbitrary message that gets sent and returned with
>>>>>> all of the information required to initialize the IPA Web UI.
>>>>>>
>>>>>> user-find --whoami
>>>>>> json_metadata
>>>>>> I18N_messages
>>>>>> Effective rights
>>>>>> plugin lists (to enable/disable UI features based on what is active)
>>>>>>
>>>>>> While we would do this initially as a JSON only call, the XML-RPC
>>>>>> should nest the same way. I leave it to Rob and Simo to figure out if
>>>>>> this would support the CLI, but it seems to me that it should be pretty
>>>>>> easy to do:
>>>>>>
>>>>>> ipa bulk
>>>>>>> ipa user-mod ...
>>>>>>> ipa user-del ...
>>>>>>> ipa group-add ...
>>>>>> ^D
>>>>>>
>>>>>> And have that sent as a single command, with the responses again
>>>>>> parsed out by the cli.
>>>>>> Then the user can do:
>>>>>>
>>>>>> cat mycommands | ipa bulk> bulk.response
>>>>>>
>>>>>> _______________________________________________
>>>>>> Freeipa-devel mailing list
>>>>>> Freeipa-devel at redhat.com
>>>>>> https://www.redhat.com/mailman/listinfo/freeipa-devel
>>>>> _______________________________________________
>>>>> Freeipa-devel mailing list
>>>>> Freeipa-devel at redhat.com
>>>>> https://www.redhat.com/mailman/listinfo/freeipa-devel
>>>>
>>>
>>
>

From rcritten at redhat.com Wed Oct 20 17:19:29 2010
From: rcritten at redhat.com (Rob Crittenden)
Date: Wed, 20 Oct 2010 13:19:29 -0400
Subject: [Freeipa-devel] [PATCH] 584 fix 2 tests
Message-ID: <4CBF24A1.3040105@redhat.com>

The first test is a mismatch in the sample output of an exception.

The second test adds certificate information output to the service plugin.

rob
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-584-test.patch
Type: application/mbox
Size: 2105 bytes
Desc: not available
URL:

From dpal at redhat.com Wed Oct 20 18:07:44 2010
From: dpal at redhat.com (Dmitri Pal)
Date: Wed, 20 Oct 2010 14:07:44 -0400
Subject: [Freeipa-devel] Bulk IPA commands
In-Reply-To: <4CBF0108.1010407@redhat.com>
References: <4CBDF291.7000204@redhat.com> <4CBDF3DA.8000903@redhat.com> <4CBE1BB9.5070407@redhat.com> <4CBEEEB8.5030108@redhat.com> <4CBEFFD8.60906@redhat.com> <4CBF0108.1010407@redhat.com>
Message-ID: <4CBF2FF0.1020303@redhat.com>

Adam Young wrote:
> On 10/20/2010 10:42 AM, Rob Crittenden wrote:
>> Adam Young wrote:
>>> On 10/19/2010 06:29 PM, Dmitri Pal wrote:
>>>> Rob Crittenden wrote:
>>>>> Adam Young wrote:
>>>>>> I think I have an approach that will work for packaging up multiple
>>>>>> commands at once.
>>>>>>
>>>>> Just want to mention that XML-RPC has a provision for doing multiple
>>>>> requests in a single HTTP request that has a similar format. We just
>>>>> don't support it currently.
>>>>>
>>>>> rob
>>>>>
>>>> The approach makes sense but is it a lot of work?
>>>> I suggest we defer it till later and focus on the actual visible work.
>>>> If we have time we will do the optimization.
>>>> If this eliminates the need for the session cookie at least for now
>>>> I am Ok with deferring it too.
>>> It might be worthwhile to do this as part of Pavel's work on
>>> controlling access to the fields based on back end permissions. We are
>>> packing more and more stuff into a single json_metadata call, but it
>>> will make things much easier for us if we can just make a single bulk
>>> call and parse out what we need.
>>>
>>> I'm most concerned with the approach being approved.
>>
>> It seems reasonable but I'm not sure I favor adding it only to json.
>> Our goal has always been to keep all interfaces equal. The XML-RPC
>> equivalent is multicall, http://docs.python.org/library/xmlrpclib.html
>>
>> What are your plans in the case of exceptions? Short-circuit or keep
>> going?
>
> By default, keep going, and return the error codes. We can provide an
> option to short circuit as well.
>

I agree it should be an option so that different commands can decide
what is right.
If you have two commands: create user, put him into the group then it
should cont continue if the first command fails
If you have add host and dns record it is probably fine to continue.
IMO should be decided on case by case basis thus the parameter should be
supported.

>>
>> rob
>>
>>>
>>>>
>>>>>> Stage 1:
>>>>>>
>>>>>> 1. We create a new plugin, we call it bulk. For now, it will
>>>>>> speak only JSON.
>>>>>>
>>>>>> 2. The json requests look like this:
>>>>>>
>>>>>> |{"method":"bulk","params":[[|
>>>>>> | {"method":"user_find","params":[[""],{}]},|
>>>>>> | {"method":"user_show","params":[[""],{}]},|
>>>>>> | {"method":"user_add","params":[[""],{}]},|
>>>>>> |{"method":"user_blah","params":[[""],{}]}|,
>>>>>> |],{"all":true,"sizelimit":100}],"id":2}|
>>>>>>
>>>>>> This gets sent as a single json_request.
>>>>>>
>>>>>> On the server side, each request is pulled out of the params and the
>>>>>> common items all=true and sizelimit=100 is added to each request.
>>>>>> The resulting json request is then executed locally, without
>>>>>> re-requiring the kerberos auth. The response from the individual
>>>>>> requests are put into the response array, like so:
>>>>>>
>>>>>> |{
>>>>>> || "error": null,
>>>>>> || "id": 2,
>>>>>> || "result": {
>>>>>> || "count": 1,
>>>>>> || "result": [{
>>>>>> || "error": null, //start of the response for the first nested command.
>>>>>> || "id": 1,
>>>>>> || "result": {
>>>>>> || "count": 1,
>>>>>> || "result": [
>>>>>> || {
>>>>>> || "cn": [
>>>>>> || "Administrator"
>>>>>> || ],|
>>>>>>
>>>>>> ...
>>>>>>
>>>>>> Thus the plugin is responsible for processing each request,
>>>>>> marshalling up the return and adding it to the current response.
>>>>>>
>>>>>> Stage 2: we add an asynchronous mechanism.
>>>>>> We add an option for the
>>>>>> email notification address to the bulk plugin. The response returns
>>>>>> immediately. Meanwhile, the plugin hands off the processing of the
>>>>>> initial request to a queue that will be handled by another thread or
>>>>>> process, and email the response to the address. Alternatively, we
>>>>>> email back just an abbreviated status message.
>>>>>>
>>>>>> Stage 3: Store the response in a filesystem or the DirSrv, and mail
>>>>>> back a link that allows the user to fetch the status.
>>>>>>
>>>>>> I really only care about Stage 1 for now. The json_metadata
>>>>>> plugin is getting loaded up with too many unrelated calls in it. I'd
>>>>>> like to be able to craft an arbitrary message that gets sent and
>>>>>> returned with all of the information required to initialize the IPA
>>>>>> Web UI.
>>>>>>
>>>>>> user-find --whoami
>>>>>> json_metadata
>>>>>> I18N_messages
>>>>>> Effective rights
>>>>>> plugin lists (to enable/disable UI features based on what is active)
>>>>>>
>>>>>> While we would do this initially as a JSON only call, the XML-RPC
>>>>>> should nest the same way. I leave it to Rob and Simo to figure out if
>>>>>> this would support the CLI, but it seems to me that it should be
>>>>>> pretty easy to do:
>>>>>>
>>>>>> ipa bulk
>>>>>>> ipa user-mod ...
>>>>>>> ipa user-del ...
>>>>>>> ipa group-add ...
>>>>>> ^D
>>>>>>
>>>>>> And have that sent as a single command, with the responses again
>>>>>> parsed out by the cli.
>>>>>> Then the user can do:
>>>>>>
>>>>>> cat mycommands | ipa bulk> bulk.response
>>>>>>
>>>>>> _______________________________________________
>>>>>> Freeipa-devel mailing list
>>>>>> Freeipa-devel at redhat.com
>>>>>> https://www.redhat.com/mailman/listinfo/freeipa-devel
>>>>> _______________________________________________
>>>>> Freeipa-devel mailing list
>>>>> Freeipa-devel at redhat.com
>>>>> https://www.redhat.com/mailman/listinfo/freeipa-devel
>>>>
>>>
>>
>
> _______________________________________________
> Freeipa-devel mailing list
> Freeipa-devel at redhat.com
> https://www.redhat.com/mailman/listinfo/freeipa-devel
>
>

--
Thank you,
Dmitri Pal

Engineering Manager IPA project,
Red Hat Inc.

-------------------------------
Looking to carve out IT costs?
www.redhat.com/carveoutcosts/

From dpal at redhat.com Wed Oct 20 19:42:17 2010
From: dpal at redhat.com (Dmitri Pal)
Date: Wed, 20 Oct 2010 15:42:17 -0400
Subject: [Freeipa-devel] [Fwd: [freeipa] #402: SUDO command attribute should be case sensitive]
Message-ID: <4CBF4619.9020404@redhat.com>

Any suggestions what it should be?
Should we create a new attribute or there is something handy to reuse?

-------- Original Message --------
Subject: [freeipa] #402: SUDO command attribute should be case sensitive
Date: Wed, 20 Oct 2010 19:39:53 -0000
From: freeipa
Reply-To: nobody at fedoraproject.org
To: undisclosed-recipients:;

#402: SUDO command attribute should be case sensitive
-----------------------------+----------------------------------------------
          Reporter: dpal     |     Owner: rcritten
              Type: defect   |    Status: new
          Priority: major    | Milestone: 0.5 iteration - October
         Component: Schema   |   Version:
          Keywords:          |     Tests: 0
      Testsupdated: 0        | Affects_cli: 0
Candidate_to_defer: 0        |
-----------------------------+----------------------------------------------
SUDO command attribute is currently cn and not case sensitive.
It should be case sensitive.

--
Ticket URL: freeipa FreeIPA

--
Thank you,
Dmitri Pal

Engineering Manager IPA project,
Red Hat Inc.

-------------------------------
Looking to carve out IT costs?
www.redhat.com/carveoutcosts/

From rcritten at redhat.com Wed Oct 20 21:14:56 2010
From: rcritten at redhat.com (Rob Crittenden)
Date: Wed, 20 Oct 2010 17:14:56 -0400
Subject: [Freeipa-devel] [PATCH] 581 remove enrolledBy when unenrolled
In-Reply-To: <4CBC4E68.9060804@redhat.com>
References: <4CB8C72B.4090308@redhat.com> <20101015181558.304fa2d2@willson.li.ssimo.org> <4CB8D597.8040802@redhat.com> <4CBC4E68.9060804@redhat.com>
Message-ID: <4CBF5BD0.7000206@redhat.com>

Rob Crittenden wrote:
> Dmitri Pal wrote:
>> Simo Sorce wrote:
>>> On Fri, 15 Oct 2010 17:27:07 -0400
>>> Rob Crittenden wrote:
>>>
>>>> Remove the enrolledBy when a host is unenrolled (which is the same as
>>>> disabling the host).
>>>>
>>>> ticket 301
>>>>
>>>> rob
>>>>
>>>
>>> nack, if host can write enrolledBy it can fake info
>>>
>>> Simo.
>>>
>> I agree. I think it should be "delete" rather than "write".
>>
>
> The delete permission is for entries, not for attributes.
>
> I'll need to ask the 389-ds guys about how to do this, though I think it
> may be via an attr value aci which will require some work in our aci
> plugin because it doesn't currently support them.
>
> rob

Updated patch to clear out enrolledBy when a host is unenrolled.

This uses a targattrfilters aci that says that enrolledBy can be deleted
if it is not empty. We also require that krblastpwdchange be empty, so you
can't simply delete enrolledby on an enrolled host. host-disable first
deletes the principalkey and lastpwdchange and then removes the
enrollment.

ticket 301
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-581-2-unenroll.patch
Type: application/mbox
Size: 4301 bytes
Desc: not available
URL:

From rcritten at redhat.com Wed Oct 20 21:38:13 2010
From: rcritten at redhat.com (Rob Crittenden) Date: Wed, 20 Oct 2010 17:38:13 -0400 Subject: [Freeipa-devel] [PATCH] Add flag to group-find to only search on private groups. In-Reply-To: <4CBEFBB9.9030906@redhat.com> References: <4CA5D87C.5010104@redhat.com> <4CB45B41.8090100@redhat.com> <4CB77328.3040107@redhat.com> <4CBEFBB9.9030906@redhat.com> Message-ID: <4CBF6145.5070408@redhat.com> Pavel Zuna wrote: > On 10/14/2010 11:16 PM, Rob Crittenden wrote: >> Pavel Zuna wrote: >>> On 10/01/2010 02:47 PM, Pavel Zuna wrote: >>>> Ticket #251 >>>> >>>> Pavel >>>> >>>> >>> >>> New version of patch attached. This time it should work. :) I renamed >>> the flag from --privateonly to --private. Normal searches do not return >>> private groups at all, while searches with this flag only return private >>> groups. >>> >>> Pavel >> >> This works a lot better than the last patch. The code itself is fine, >> I'd just ask that you add a test case for searching for private groups. >> The test that is in this patch seems more geared for removing multiple >> users at once (which is a good thing) but doesn't actually work without >> this change: >> >> --- a/tests/test_xmlrpc/test_user_plugin.py >> +++ b/tests/test_xmlrpc/test_user_plugin.py >> @@ -358,7 +358,7 @@ class test_user(Declarative): >> loginshell=[u'/bin/sh'], >> objectclass=objectclasses.user, >> sn=[u'User2'], >> - uid=[user1], >> + uid=[user2], >> uidnumber=[fuzzy_digits], >> ipauniqueid=[fuzzy_uuid], >> dn=u'uid=tuser2,cn=users,cn=accounts,' + api.env.basedn, >> >> So NACK for now but its very close. >> >> rob > > Version 3 attached. > > Added a test case for searching private groups and fixed user tests. > > Pavel ack, pushed to master From rcritten at redhat.com Wed Oct 20 21:42:58 2010 
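Review bot: in the `@@ -358,7 +358,7 @@` hunk of tests/test_xmlrpc/test_user_plugin.py the expected `dn` is still the hard-coded literal `u'uid=tuser2,cn=users,cn=accounts,'` while the corrected line now reads `uid=[user2]`; building the `dn` from `user2` as well would keep the two expectations from drifting apart the way `uid=[user1]` did next to `sn=[u'User2']`. It is also worth checking the other expected-result blocks in `class test_user` for the same copy-paste of `user1`.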
From: rcritten at redhat.com (Rob Crittenden)
Date: Wed, 20 Oct 2010 17:42:58 -0400
Subject: [Freeipa-devel] [PATCH] Add fail-safe defaults to time and size limits in ldap2 searches.
In-Reply-To: <4CBF01B3.8060700@redhat.com>
References: <4CB704D9.1050606@redhat.com> <4CB705DA.60607@redhat.com> <4CBF01B3.8060700@redhat.com>
Message-ID: <4CBF6262.8020106@redhat.com>

Pavel Zuna wrote:
> On 10/14/2010 03:30 PM, Rob Crittenden wrote:
>> Pavel Zuna wrote:
>>> There was no default value set even though we were using config.get and
>>> it was throwing exceptions if someone deleted one of the related config
>>> values.
>>>
>>> Pavel
>>
>> Is this needed since get_ipa_config() will always return something for
>> time and search limits?
>>
>> rob
>
> Yes, because get_ipa_config will return defaults for time and search
> limits only when the whole ipaConfig entry isn't found.
>
> I reworked the patch, so that defaults are always returned by
> get_ipa_config, but I left changes from the previous version, because it
> doesn't hurt anything and is a (very little) bit safer.
>
> New version attached.
>
> Pavel

I see your point. One can do 'ipa config-mod --searchtimelimit=' and blam,
everything stops working. This still seems like a bit of a cover-up fix
for that. Should we prevent these attributes from being removed?

rob

From ssorce at redhat.com Wed Oct 20 22:27:43 2010
From: ssorce at redhat.com (Simo Sorce)
Date: Wed, 20 Oct 2010 18:27:43 -0400
Subject: [Freeipa-devel] [PATCH] #403 Handle multiline options in sysconfig.ntpd
Message-ID: <20101020182743.6ee88860@willson.li.ssimo.org>

In some Fedora versions /etc/sysconfig/ntpd has OPTIONS scattered on
multiple lines through shell expansion.
Handle simple cases like that.

Simo.

--
Simo Sorce * Red Hat, Inc * New York
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0001-Handle-cases-where-ntpd-options-are-scattered-on-mul.patch
Type: text/x-patch
Size: 3603 bytes
Desc: not available
URL:

From rcritten at redhat.com Thu Oct 21 02:25:26 2010
From: rcritten at redhat.com (Rob Crittenden)
Date: Wed, 20 Oct 2010 22:25:26 -0400
Subject: [Freeipa-devel] [PATCH] #403 Handle multiline options in sysconfig.ntpd
In-Reply-To: <20101020182743.6ee88860@willson.li.ssimo.org>
References: <20101020182743.6ee88860@willson.li.ssimo.org>
Message-ID: <4CBFA496.6030609@redhat.com>

Simo Sorce wrote:
>
> In some Fedora versions /etc/sysconfig/ntpd has OPTIONS scattered on
> multiple lines through shell expansion.
> Handle simple cases like that.
>
> Simo.

I think this will work, it's just one heck of a parser. Is something like
the attached a simpler approach?

My version always adds the new options to the first OPTIONS block, I'm not
sure if it matters.

rob
-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: parseoptions
URL:

From pzuna at redhat.com Thu Oct 21 10:42:10 2010
From: pzuna at redhat.com (Pavel Zuna)
Date: Thu, 21 Oct 2010 12:42:10 +0200
Subject: [Freeipa-devel] [PATCH] Add fail-safe defaults to time and size limits in ldap2 searches.
In-Reply-To: <4CBF6262.8020106@redhat.com>
References: <4CB704D9.1050606@redhat.com> <4CB705DA.60607@redhat.com> <4CBF01B3.8060700@redhat.com> <4CBF6262.8020106@redhat.com>
Message-ID: <4CC01902.1040500@redhat.com>

On 10/20/2010 11:42 PM, Rob Crittenden wrote:
> Pavel Zuna wrote:
>> On 10/14/2010 03:30 PM, Rob Crittenden wrote:
>>> Pavel Zuna wrote:
>>>> There was no default value set even though we were using config.get and
>>>> it was throwing exceptions if someone deleted one of the related config
>>>> values.
>>>>
>>>> Pavel
>>>
>>> Is this needed since get_ipa_config() will always return something for
>>> time and search limits?
>>>
>>> rob
>>
>> Yes, because get_ipa_config will return defaults for time and search
>> limits only when the whole ipaConfig entry isn't found.
>>
>> I reworked the patch, so that defaults are always returned by
>> get_ipa_config, but I left changes from the previous version, because it
>> doesn't hurt anything and is a (very little) bit safer.
>>
>> New version attached.
>>
>> Pavel
>
> I see your point. One can do 'ipa config-mod --searchtimelimit=' and
> blam, everything stops working. This still seems like a bit of a
> cover-up fix for that. Should we prevent these attributes from being
> removed?

We could do that, but it's always possible to delete the attribute using
ldapmodify or some other tool.

>
> rob

Pavel

From ssorce at redhat.com Thu Oct 21 21:07:01 2010
From: ssorce at redhat.com (Simo Sorce)
Date: Thu, 21 Oct 2010 17:07:01 -0400
Subject: [Freeipa-devel] [PATCH] #403 Handle multiline options in sysconfig.ntpd
In-Reply-To: <4CBFA496.6030609@redhat.com>
References: <20101020182743.6ee88860@willson.li.ssimo.org> <4CBFA496.6030609@redhat.com>
Message-ID: <20101021170701.536b399c@willson.li.ssimo.org>

On Wed, 20 Oct 2010 22:25:26 -0400
Rob Crittenden wrote:

> Simo Sorce wrote:
> >
> > In some Fedora versions /etc/sysconfig/ntpd has OPTIONS scattered on
> > multiple lines through shell expansion.
> > Handle simple cases like that.
> >
> > Simo.
>
> I think this will work, it's just one heck of a parser. Is something
> like the attached a simpler approach?
>
> My version always adds the new options to the first OPTIONS block,
> I'm not sure if it matters.

Your solution looks a lot smaller indeed. And less is more here!

I will produce a new patch inspired by this code and post it.

Self-nack on the current patch.

Simo.

--
Simo Sorce * Red Hat, Inc * New York

From jgalipea at redhat.com Fri Oct 22 14:51:54 2010
From: jgalipea at redhat.com (Jenny Galipeau)
Date: Fri, 22 Oct 2010 10:51:54 -0400
Subject: [Freeipa-devel] IPA install with DNS
In-Reply-To: <4CBEF2FD.90200@redhat.com>
References: <4CBEF2FD.90200@redhat.com>
Message-ID: <4CC1A50A.1050208@redhat.com>

Dmitri Pal wrote:
> Hi,
>
> Rob I think it is time for us to put down some writeup about the DNS,
> /etc/hosts, static and dynamic IPs etc.
> It seems there is a lot of confusion and uncertainty. Please create a
> page. It should describe how with the current IPA software someone can
> achieve the following:
>
> 1) Setup IPA as a new DNS server and host name different from the actual
> current host name
> What is the sequence of operations? What needs to be in the /etc/hosts?
> Give examples
>
> 2) Same but in the case of other DNS server present
> ...
>
> 3) Replica installation
>
> Please add examples of the contents of the hosts file, command line etc.
> These are just examples of the use cases, there are definitely more. I
> hope Michael will help to come with the scenarios we need to describe.
>
> I will open a ticket for this work.
>
> Also looking closely at our setup: why do we need IP address argument?
> Is it ever used anywhere? Where and why? Is it just to create a DNS
> entry? If so man page should probably explain that it is used only in
> case DNS is installed. Anywhere else?
> I agree we should do the IP address validation and it should support
> both IPv4 & IPv6.
>
>

Has there been any traction on this?
Thanks
Jenny

--
Jenny Galipeau
Principal Software QA Engineer
Red Hat, Inc. Security Engineering

Delivering value year after year.
Red Hat ranks #1 in value among software vendors.
http://www.redhat.com/promo/vendor/

From rcritten at redhat.com Fri Oct 22 14:55:32 2010
From: rcritten at redhat.com (Rob Crittenden) Date: Fri, 22 Oct 2010 10:55:32 -0400 Subject: [Freeipa-devel] IPA install with DNS In-Reply-To: <4CC1A50A.1050208@redhat.com> References: <4CBEF2FD.90200@redhat.com> <4CC1A50A.1050208@redhat.com> Message-ID: <4CC1A5E4.6000000@redhat.com> Jenny Galipeau wrote: > Dmitri Pal wrote: >> Hi, >> >> Rob I think it is time for us to put down some writeup about the DNS, >> /etc/hosts, static and dynamic IPs etc. >> It seems there is a lot of confusion and uncertainty. Please create a >> page. It should describe how with the current IPA software someone can >> achieve the following: >> >> 1) Setup IPA as a new DNS server and host name different from the actual >> current host name >> What is the sequence of operations? What needs to be in the /etc/hosts? >> Give examples >> >> 2) Same but in the case of other DNS server present >> ... >> >> 3) Replica installation >> >> Please add examples of the contents of the hosts file, command line etc. >> These are just examples of the use cases, there are definitely more. I >> hope Michael will help to come with the scenarios we need to describe. >> >> I will open a ticket for this work. >> >> Also looking closely at our setup: why do we need IP address argument? >> Is it ever used anywhere? Where and why? Is it just to create a DNS >> entry? Is so man page should probably explain that it is used only in >> case DNS is installed. Anywhere else? >> I agree we should do the IP address validation and it should support >> both IPv4 & IPv6. >> > Has there been any traction on this? > Thanks > Jenny > Not really, I haven't had a chance to start it yet. I added a small blurb as the result of some of Michael's research in one of his bugs but that's it. rob From ayoung at redhat.com Fri Oct 22 15:35:54 2010 
From: ayoung at redhat.com (Adam Young) Date: Fri, 22 Oct 2010 11:35:54 -0400 Subject: [Freeipa-devel] Custom Facets and Views Message-ID: <4CC1AF5A.9080305@redhat.com> I have a proof of concept working for DNS records. It has led me to think about how we are going to deal with the UI components that we are currently calling facets, what the proper nomenclature should be, and how we are going to manage them moving forward. Thus far, we have a few basic UI elements that probably best deserve the name 'views'. These are: search, details, and associations. I say view to distinguish them from facets, which we've not strictly defined, but seem to be our way of talking about Entities. We've seemed to come to the conclusion that 'search' is not a 'facet'. For DNS Records, I've developed a view that is fairly similar to the standard search view, but has enough differences that I've done it in a separate set of functions. They started off as cut-and-paste from search.js and add.js, but have morphed significantly from the origins that merging them back in would require significant changes to the originals. The differences are primarily based on the one-off nature of the DNS plug-in. Since we are discussing a redo of that plug-in, I am reluctant to make changes to the core files that may go away again quickly. This leads to two discussions. First is how to make the core abstractions we have flexible enough to handle variations in the entities. Second is how to handle the assignment of views to an entity. For the first part, we've already seen some of this with things like the callbacks for custom details/attributes. The places that DNS records require customization are: always requiring the ZONE for other calls, specific fields for search, a small enough set of detail attributes that there is no reason to separate out the add and edit pages, and the inability to delete more than one Record at a time, leading to the method chaining that we see in the Serial Associator. 
As an aside, I noticed that we could perhaps simplify things in the delete case by calling all of the delete ipa_cmds in a loop. We then merely need to keep track of the number of responses we get. Once there are zero outstanding responses, we can refresh the original search and close the modal. This will work, but leads to questions about the threading model in JavaScript. Basically, if there is no atomic decrement, and the callbacks can be interrupted, we have the potential for never reaching Zero, and hanging in the modal. As for the assignment of views to an entity, I think we should create an abstraction, which for now I will call view. I am open to better suggestions. A given entity will have a series of views assigned to it. This will be used to handle the facets list generations for the top navigation and the quick links. By default, an entity will have search, details, and associations. Certain entities will not have search or associations. So far these are: Server Configuration and Kerberos Ticket policy. To control this, we will need a top level abstraction. Right now, each of the facet types has its own objects, which are basically dictionaries from entity name to the initialization information for each of the views. For example, to add search, we call ipa_entity_set_search_definition, and pass in an array of the search columns, which gets added to the object in entity.js line 25: ipa_entity_search_list = {}; Instead, I think we should define an object in its entirety in one function call. Something like: ipa_register_entity() which will add it to ipa_entity_list = {}; The entity will have name, pkey, and facets. ipa_register_entity({name:'user', pkey:'uid',facets:{ search: [...], detail: [...], association: [...] } } ); Another function ipa_register_view will register the views. 
Again, each view will have a name, and then the code for rendering the view: ipa_register_view({name:'search', create: function(){}, load:function(){}, display: function(){}}); I think these are the only methods we will need, but we might want to think about how to extend them, for example, the filter and search requirements for DNS I listed above. I suspect that customization will be done when we register the entities, so that when an entity registers its search facet, it will specify a filter function. Now, when an entity has a custom view, we will register it via ipa_register_view, and then provide a corresponding element inside the facets object. This is not just theoretical. I think that we are going to need this ability to support the UXD layout for HBAC, ACI, and SUDO. It will also provide us more options for UI layouts in the future. From ssorce at redhat.com Fri Oct 22 16:12:12 2010 
From: ssorce at redhat.com (Simo Sorce) Date: Fri, 22 Oct 2010 12:12:12 -0400 Subject: [Freeipa-devel] [PATCH] #403 Handle multiline options in sysconfig.ntpd In-Reply-To: <20101021170701.536b399c@willson.li.ssimo.org> References: <20101020182743.6ee88860@willson.li.ssimo.org> <4CBFA496.6030609@redhat.com> <20101021170701.536b399c@willson.li.ssimo.org> Message-ID: <20101022121212.09b70087@willson.li.ssimo.org> On Thu, 21 Oct 2010 17:07:01 -0400 Simo Sorce wrote: > On Wed, 20 Oct 2010 22:25:26 -0400 > Rob Crittenden wrote: > > > Simo Sorce wrote: > > > > > > In some Fedora versions /etc/sysconfig/ntpd has OPTIONS scattered > > > on multiple line through shell expansion. > > > Handle simple cases like that. > > > > > > Simo. > > > > I think this will work, it's just one heck of a parser. Is > > something like the attached a simpler approach? > > > > My version always adds the new options to the first OPTIONS block, > > I'm not sure if it matters. > > Your solution looks a lot smaller indeed. > And less is more here! > I will produce a new patch inspired by this code and post it. > Self-nack on the current patch. Ok, new version that adopts your method attached. Simo. -- Simo Sorce * Red Hat, Inc * New York -------------- next part -------------- A non-text attachment was scrubbed... Name: 0001-Handle-cases-where-ntpd-options-are-scattered-on-mul.patch Type: text/x-patch Size: 3317 bytes Desc: not available URL: From ssorce at redhat.com Fri Oct 22 16:13:39 2010 
From: ssorce at redhat.com (Simo Sorce) Date: Fri, 22 Oct 2010 12:13:39 -0400 Subject: [Freeipa-devel] [PATCH] #360 ipa-uuid plugin In-Reply-To: <20101019171303.4dcf585d@willson.li.ssimo.org> References: <20101018171529.498fcbc7@willson.li.ssimo.org> <20101019171303.4dcf585d@willson.li.ssimo.org> Message-ID: <20101022121339.3d23c890@willson.li.ssimo.org> On Tue, 19 Oct 2010 17:13:03 -0400 Simo Sorce wrote: > On Mon, 18 Oct 2010 17:15:29 -0400 > Simo Sorce wrote: > > > > > These 2 patches configure and load a new plugin that uses internal > > DS functions to generate UUIDs. > > The plugin is similar to DNA but instead of generating sequential > > numbers it generates UUIDs (type 1). > > > > These patches do not yet remove the UUID code in the framework. > > > > Simo. > > > > Rebased patch 0001 to add some minor fixes. Given this patch has not yet been acked I rebased it again with minor issues in comments (old stuff that came in from the original DNA code I used as base for this code). Simo. -- Simo Sorce * Red Hat, Inc * New York -------------- next part -------------- A non-text attachment was scrubbed... Name: 0001-ipa-uuid-DNA-like-plugin-that-generates-uuids.patch Type: text/x-patch Size: 41671 bytes Desc: not available URL: From dpal at redhat.com Fri Oct 22 16:37:31 2010 
From: dpal at redhat.com (Dmitri Pal) Date: Fri, 22 Oct 2010 12:37:31 -0400 Subject: [Freeipa-devel] Custom Facets and Views In-Reply-To: <4CC1AF5A.9080305@redhat.com> References: <4CC1AF5A.9080305@redhat.com> Message-ID: <4CC1BDCB.4070906@redhat.com> Adam Young wrote: > I have a proof of concept working for DNS records. It has lead me to > think about how we are going to deal with the UI components that we > are currently calling facets, what the proper nomenclature should be, > and how we are going to manage them moving forward. > > Thus far, we have a few basic UI elements that probably best deserve > the name 'views'. These are: search, details, and associations. I > say view to distinguish them from facets, which we've not strictly > defined, but seem to be our way of talking about Entities. We've > seemed to come to the conclusion that 'search' is not a 'facet'. > > For DNS Records, I've developed a view that is fairly similar to the > standard search view, but has enough differences that I've done it in > a separate set of functions. They started off as cut-and-past from > search.js and add.js, but have morphed significantly from the origins > that merging them back in would require significant changes to the > originals. The differences are primarily based on the one-off nature > of the DNS plug-in. Since we are discussing a redo of that plug-in, I > am reluctant to make changes to the core files that may go away again > quickly. > > This leads to two discussions. First is how to make the core > abstractions we have flexible enough to handle variations in the > entities. Second is and how to handle the assignment of views to an > entity. For the first part, we've already seen some of this with > things like the callbacks for custom details/attributes. 
The places > that DNS records require customization is: always requiring the ZONE > for other calls, specific fields for search, a small enough set of > detail attributes that there is no reason to separate out the add and > edit pages, and the inability to delete more than one Record at a > time, leading to the method chaining that we see in the Serial > Associator. > > As an aside, I noticed that we could perhaps simplify things in the > delete case by calling all of the delete ipa_cmds in a loop. We then > merely need to keep track of the number of responses we get. Once > there are zero outstanding responses, we can refresh the original > search and close the modal. This will work, but leads to questions > about the thjreading model in Javascript. Basically, if there is no > atomic decrement, and the callbacks can be interrupted, we have the > potential for never reaching Zero, and hanging in the modal. > > As for the assignment of views to an entity, I think we should create > an abstraction, which for now I will call view. I am open to better > suggestions. A given entity will have a series of views assigned to > it. This will be used to handle the facets list generations for the > top navigation and the quick links. By default, an entity will have > search, details, and associations. Certain entities will not have > search or associations. So far these are: Server Configuration and > Kerberos Ticket policy. > > To control this, we will need a top level abstraction. Right now, > each of the facet types have their own objects, which are basically > dictionaries from entity name to the initialization information for > each of the view. For example, to add search, we call > ipa_entity_set_search_definition, and pass in an array of the search > columns, which gets added to the object in entity.js line 25: > ipa_entity_search_list = {}; > > Instead, I think we should define an object in its entirety in one > function call. 
Something like: > > ipa_register_entity() which will add it to ipa_entity_list = {}; > > > The entity will have name, pkey, and facets. > > ipa_register_entity({name:'user', pkey:'uid',facets:{ search: [...], > detail: [...], association: [...] } } ); > > Another function ipa_register_view will register the views. Again, > each view will have a name, and then the code for rendering the view: > > ipa_register_view({name:'search', create: function(){}, > load:function(){}, display: function(){}}); > > I think these are the only methods we will need, but we might want to > think about how to extend them, for example, the filter and search > requirements for DNS I listed above. I suspect that customization > will be done when we register the entities, so that when an entity > registers its search facet, it will specify a filter function. > > Now, when an entity has a custom view, we will register it via > ipa_register_view, and then provide a corresponding element inside the > facets object. > > This is not just theoretical. I think that we are going to need this > ability to support the UXD layout for HBAC, ACI, and SUDO. It will > also provide us more options for UI layouts in the future. > You lost me in the middle since I am not in the code. I hope I can summarize your proposal as: let us add an abstraction layer to control what is shown on the "facet" line. Search is a quick link back and should do the same thing as clicking on the menu item so I am not sure it is something special. It should not be shown on the screens where there is no search like Kerberos policies or configuration. Details are usually needed - DNS is a special case I agree. The other facets are "associations" of the object. This is how it was specced and if this proposal changes this we need to get approval from UXD. If it is just the underlying change without impact on the UI then I would follow the following rules: a) Do not over engineer things b) Create abstraction if you already see commonality. 
I doubt we do at the moment until we drill down into HBAC and ACIs. c) Do only things that we must do at the moment and that would save time So at this point I would say - maybe look into something else, let the HBAC & ACI get baked better, and then see the commonalities and re-factor then. Just a thought... > > > > > > _______________________________________________ > Freeipa-devel mailing list > Freeipa-devel at redhat.com > https://www.redhat.com/mailman/listinfo/freeipa-devel > > -- Thank you, Dmitri Pal Engineering Manager IPA project, Red Hat Inc. ------------------------------- Looking to carve out IT costs? www.redhat.com/carveoutcosts/ From ayoung at redhat.com Fri Oct 22 17:13:23 2010 
From: ayoung at redhat.com (Adam Young) Date: Fri, 22 Oct 2010 13:13:23 -0400 Subject: [Freeipa-devel] Custom Facets and Views In-Reply-To: <4CC1BDCB.4070906@redhat.com> References: <4CC1AF5A.9080305@redhat.com> <4CC1BDCB.4070906@redhat.com> Message-ID: <4CC1C633.5050200@redhat.com> On 10/22/2010 12:37 PM, Dmitri Pal wrote: > Adam Young wrote: > >> I have a proof of concept working for DNS records. It has lead me to >> think about how we are going to deal with the UI components that we >> are currently calling facets, what the proper nomenclature should be, >> and how we are going to manage them moving forward. >> >> Thus far, we have a few basic UI elements that probably best deserve >> the name 'views'. These are: search, details, and associations. I >> say view to distinguish them from facets, which we've not strictly >> defined, but seem to be our way of talking about Entities. We've >> seemed to come to the conclusion that 'search' is not a 'facet'. >> >> For DNS Records, I've developed a view that is fairly similar to the >> standard search view, but has enough differences that I've done it in >> a separate set of functions. They started off as cut-and-past from >> search.js and add.js, but have morphed significantly from the origins >> that merging them back in would require significant changes to the >> originals. The differences are primarily based on the one-off nature >> of the DNS plug-in. Since we are discussing a redo of that plug-in, I >> am reluctant to make changes to the core files that may go away again >> quickly. >> >> This leads to two discussions. First is how to make the core >> abstractions we have flexible enough to handle variations in the >> entities. Second is and how to handle the assignment of views to an >> entity. For the first part, we've already seen some of this with >> things like the callbacks for custom details/attributes. 
The places >> that DNS records require customization is: always requiring the ZONE >> for other calls, specific fields for search, a small enough set of >> detail attributes that there is no reason to separate out the add and >> edit pages, and the inability to delete more than one Record at a >> time, leading to the method chaining that we see in the Serial >> Associator. >> >> As an aside, I noticed that we could perhaps simplify things in the >> delete case by calling all of the delete ipa_cmds in a loop. We then >> merely need to keep track of the number of responses we get. Once >> there are zero outstanding responses, we can refresh the original >> search and close the modal. This will work, but leads to questions >> about the thjreading model in Javascript. Basically, if there is no >> atomic decrement, and the callbacks can be interrupted, we have the >> potential for never reaching Zero, and hanging in the modal. >> >> As for the assignment of views to an entity, I think we should create >> an abstraction, which for now I will call view. I am open to better >> suggestions. A given entity will have a series of views assigned to >> it. This will be used to handle the facets list generations for the >> top navigation and the quick links. By default, an entity will have >> search, details, and associations. Certain entities will not have >> search or associations. So far these are: Server Configuration and >> Kerberos Ticket policy. >> >> To control this, we will need a top level abstraction. Right now, >> each of the facet types have their own objects, which are basically >> dictionaries from entity name to the initialization information for >> each of the view. For example, to add search, we call >> ipa_entity_set_search_definition, and pass in an array of the search >> columns, which gets added to the object in entity.js line 25: >> ipa_entity_search_list = {}; >> >> Instead, I think we should define an object in its entirety in one >> function call. 
Something like: >> >> ipa_register_entity() which will add it to ipa_entity_list = {}; >> >> >> The entity will have name, pkey, and facets. >> >> ipa_register_entity({name:'user', pkey:'uid',facets:{ search: [...], >> detail: [...], association [...] } } ); >> >> Another function ipa_register_view will register the views. Again, >> each view will have a name, and then the code for rendering the view: >> >> ipa_register_view({name:'search', create: function(){}, >> load:function(){}, display function(){}}); >> >> I think these are the only method we will need, but we might want to >> think about how to extend them, for example, the filter and search >> requirements for DNS I listed above. I suspect that customization >> will be done when we register the entities, so that when an entity >> registers its search facet, it will specify a filter function. >> >> Now, when an entity has acustom view, we will register it via >> ipa_register_view, and then provide a corresponding element inside the >> facets object. >> >> This is not just theoretical. I think that we are going to need this >> ability to support the UXD layout for HBAC, ACI, and SUDO. It will >> also provide us more optionsfor UI layouts in the future. >> >> > You lost me in the middle since I am not in the code. I hope I can > summarize you proposal as: let us add an abstraction layer to control > what is shown on the "facet" line. > Search is a quick link back and should do the same thing as clicking on > the menu item so I am not sure it is something special. It should not be > show on the screens where there is no search like Kerberos policies or > configuration. > Details are usually needed - DNS is a special case I agree. > The other facets are "associations" of the object. This is how it was > speced and if this proposal changes this we need to get approval from UXD. 
> > If it is just the underlying change without impact on the UI then I would > follow the following rules: > a) Do not over engineer things > b) Create abstraction if you already see commonality. I doubt we do at > the moment until we drill down into HBAC and ACIs. > c) Do only things that we must do at the moment and that would save time > > So at this point I would say - maybe look into something else, let the > HBAC & ACI get baked better, and then see the commonalities and > re-factor then. > Absolutely. Hence me writing it up like this. Dream big, implement small. I don't think this would be a lot of code, I'm more concerned with getting everyone on the same approach. I think this will play once we get into the new UIs, and I want Pavel and Endi to be able to make changes without us stepping on each other's toes. I see this as incremental, not major refactoring. I'll post my DNS code for review. I suspect that some of the comments will point to the need for these moves forward. > Just a thought... > > > >> >> >> >> >> _______________________________________________ >> Freeipa-devel mailing list >> Freeipa-devel at redhat.com >> https://www.redhat.com/mailman/listinfo/freeipa-devel >> >> >> > > From ayoung at redhat.com Fri Oct 22 17:15:46 2010 From: ayoung at redhat.com (Adam Young) Date: Fri, 22 Oct 2010 13:15:46 -0400 Subject: [Freeipa-devel] [PATCH] admiyo-freeipa-0063-dns-work.patch Message-ID: <4CC1C6C2.7040002@redhat.com> Implementation of the UI for DNS records. Search uses filters. Much of the code has been cut and pasted from search.js and add.js, but then significantly modified. Moving forward, we'll have to determine if it is worth the effort to integrate. -------------- next part -------------- A non-text attachment was scrubbed... Name: admiyo-freeipa-0063-dns-records.patch Type: text/x-patch Size: 22096 bytes Desc: not available URL: From ayoung at redhat.com Fri Oct 22 19:07:49 2010 
From: ayoung at redhat.com (Adam Young) Date: Fri, 22 Oct 2010 15:07:49 -0400 Subject: [Freeipa-devel] Bulk IPA commands In-Reply-To: <4CBF2FF0.1020303@redhat.com> References: <4CBDF291.7000204@redhat.com> <4CBDF3DA.8000903@redhat.com> <4CBE1BB9.5070407@redhat.com> <4CBEEEB8.5030108@redhat.com> <4CBEFFD8.60906@redhat.com> <4CBF0108.1010407@redhat.com> <4CBF2FF0.1020303@redhat.com> Message-ID: <4CC1E105.7030107@redhat.com>

I did a quick spike into what it would take to implement my idea and got this far (done in internal.py)

class bulk(Command):

    takes_args = (
        List('methods?',
             doc=_('Nested Methods to execute'),
        ),
    )

    has_output = output.standard_entry
    def execute(self, *args, **options):
        results=dict();
        for arg in args:
            for method in arg:
                results[method]=unicode("OK")

        return dict(result=results, value=unicode("Something"))

api.register(bulk)

And tested it using:

[ayoung at ipa ~]$ curl -H "Content-Type:application/json" -H "Accept:applicaton/json" -H "Accept-Language:en" --negotiate -u : --cacert /etc/ipa/ca.crt -d '{"method":"bulk","params":[[],{"methods":"1,2" }],"id":6}' -X POST http://localhost:8888/ipa/json
{
    "error": null,
    "id": 6,
    "result": {
        "result": {
            "1": "OK",
            "2": "OK"
        },
        "summary": null,
        "value": "Something"
    }
}

I don't think the List type is going to work for this. We need, I think, a Dict type here, in order to support the full JSON Parsing, we might need a true array type as well. Or, we could make separate methods for JSON and XML and make a type for each of those. Any thoughts?

From rcritten at redhat.com Fri Oct 22 20:08:17 2010
From: rcritten at redhat.com (Rob Crittenden) Date: Fri, 22 Oct 2010 16:08:17 -0400 Subject: [Freeipa-devel] Bulk IPA commands In-Reply-To: <4CC1E105.7030107@redhat.com> References: <4CBDF291.7000204@redhat.com> <4CBDF3DA.8000903@redhat.com> <4CBE1BB9.5070407@redhat.com> <4CBEEEB8.5030108@redhat.com> <4CBEFFD8.60906@redhat.com> <4CBF0108.1010407@redhat.com> <4CBF2FF0.1020303@redhat.com> <4CC1E105.7030107@redhat.com> Message-ID: <4CC1EF31.3050608@redhat.com> Adam Young wrote: > I did a quick spike into what it would take to implement my idea and got > this far (done in internal.py) > > > class bulk(Command): > > takes_args = ( > List('methods?', > doc=_('Nested Methods to execute'), > ), > ) > > has_output = output.standard_entry > def execute(self, *args, **options): > results=dict(); > for arg in args: > for method in arg: > results[method]=unicode("OK") > > return dict(result=results, value=unicode("Something")) > > api.register(bulk) > > > > > And tested it using: > > > [ayoung at ipa ~]$ curl -H "Content-Type:application/json" -H > "Accept:applicaton/json" -H "Accept-Language:en" --negotiate -u : > --cacert /etc/ipa/ca.crt -d > '{"method":"bulk","params":[[],{"methods":"1,2" }],"id":6}' -X POST > http://localhost:8888/ipa/json > { > "error": null, > "id": 6, > "result": { > "result": { > "1": "OK", > "2": "OK" > }, > "summary": null, > "value": "Something" > } > } > > > I don't think the List type is going to work for this. We need, I think, > a Dict type here, in order to support the full JSON Parsing, we might > need a true array type as well. Or, we could make separate methods for > JSON and XML and make a type for each of those. Any thoughts? > You can define your own output format, look in ipalib/Output.py. In this case I think a list of a dict of results is probably the right thing. So we have a list of results whose position maps to each method call. In each position we store the name of the method call (just for clarity) and the results of that call. 
It might look like this to show two separate users: [{'method': 'user_show', result={'result': {'dn': u'uid=admin,cn=users,cn=accounts,dc=greyoak,dc=com', 'memberof_group': (u'admins',), 'uid': (u'admin',), 'loginshell': (u'/bin/bash',), 'homedirectory': (u'/home/admin',), 'sn': (u'Administrator',), 'memberof_rolegroup': (u'replicaadmin',), 'memberof_taskgroup': (u'managereplica', u'deletereplica')}, 'value': u'admin', 'summary': None}}, {'method': 'user_show', result={'result': {'dn': u'uid=kfrog,cn=users,cn=accounts,dc=greyoak,dc=com', 'memberof_group': (u'ipausers',), 'uid': (u'kfrog',), 'loginshell': (u'/bin/bash',), 'homedirectory': (u'/home/kfrog',), 'givenname': (u'Kermit',), 'sn': (u'Frog',)}, 'value': u'kfrog', 'summary': None}}] You could probably even throw in *args and **options too. This way when you pull result[0]['result'] you have what user_show would have returned for user_show admin. rob From ayoung at redhat.com Fri Oct 22 20:28:03 2010 From: ayoung at redhat.com (Adam Young) Date: Fri, 22 Oct 2010 16:28:03 -0400 Subject: [Freeipa-devel] [PATCH] admiyo-freeipa-0064-Multivalue-fixes.patch Message-ID: <4CC1F3D3.6010103@redhat.com> https://fedorahosted.org/freeipa/ticket/384 Strikethrough is now a toggle undo resets value to blank for new entries. -------------- next part -------------- A non-text attachment was scrubbed... Name: admiyo-freeipa-0064-Multivalue-fixes.patch Type: text/x-patch Size: 4475 bytes Desc: not available URL: From ayoung at redhat.com Fri Oct 22 20:31:04 2010 
From: ayoung at redhat.com (Adam Young) Date: Fri, 22 Oct 2010 16:31:04 -0400 Subject: [Freeipa-devel] Bulk IPA commands In-Reply-To: <4CC1EF31.3050608@redhat.com> References: <4CBDF291.7000204@redhat.com> <4CBDF3DA.8000903@redhat.com> <4CBE1BB9.5070407@redhat.com> <4CBEEEB8.5030108@redhat.com> <4CBEFFD8.60906@redhat.com> <4CBF0108.1010407@redhat.com> <4CBF2FF0.1020303@redhat.com> <4CC1E105.7030107@redhat.com> <4CC1EF31.3050608@redhat.com> Message-ID: <4CC1F488.8020704@redhat.com> On 10/22/2010 04:08 PM, Rob Crittenden wrote: > Adam Young wrote: >> I did a quick spike into what it would take to implement my idea and got >> this far (done in internal.py) >> >> >> class bulk(Command): >> >> takes_args = ( >> List('methods?', >> doc=_('Nested Methods to execute'), >> ), >> ) >> >> has_output = output.standard_entry >> def execute(self, *args, **options): >> results=dict(); >> for arg in args: >> for method in arg: >> results[method]=unicode("OK") >> >> return dict(result=results, value=unicode("Something")) >> >> api.register(bulk) >> >> >> >> >> And tested it using: >> >> >> [ayoung at ipa ~]$ curl -H "Content-Type:application/json" -H >> "Accept:applicaton/json" -H "Accept-Language:en" --negotiate -u : >> --cacert /etc/ipa/ca.crt -d >> '{"method":"bulk","params":[[],{"methods":"1,2" }],"id":6}' -X POST >> http://localhost:8888/ipa/json >> { >> "error": null, >> "id": 6, >> "result": { >> "result": { >> "1": "OK", >> "2": "OK" >> }, >> "summary": null, >> "value": "Something" >> } >> } >> >> >> I don't think the List type is going to work for this. We need, I think, >> a Dict type here, in order to support the full JSON Parsing, we might >> need a true array type as well. Or, we could make separate methods for >> JSON and XML and make a type for each of those. Any thoughts? >> > > You can define your own output format, look in ipalib/Output.py. In > this case I think a list of a dict of results is probably the right > thing. Yeah, problem is input format, not output. 
Output I know we can do based on how we did the json_metadata, although based on your comment, it looks like we can do it in a more standard manner. > > So we have a list of results whose position maps to each method call. > In each position we store the name of the method call (just for > clarify) and the results of that call. > > It might look like this to show two separate users: > > [{'method': 'user_show', result={'result': {'dn': > u'uid=admin,cn=users,cn=accounts,dc=greyoak,dc=com', 'memberof_group': > (u'admins',), 'uid': (u'admin',), 'loginshell': (u'/bin/bash',), > 'homedirectory': (u'/home/admin',), 'sn': (u'Administrator',), > 'memberof_rolegroup': (u'replicaadmin',), 'memberof_taskgroup': > (u'managereplica', u'deletereplica')}, 'value': u'admin', 'summary': > None}}, > {'method': 'user_show', result={'result': {'dn': > u'uid=kfrog,cn=users,cn=accounts,dc=greyoak,dc=com', 'memberof_group': > (u'ipausers',), 'uid': (u'kfrog',), 'loginshell': (u'/bin/bash',), > 'homedirectory': (u'/home/kfrog',), 'givenname': (u'Kermit',), 'sn': > (u'Frog',)}, 'value': u'kfrog', 'summary': None}}] > > You could probably even throw in *args and **options too. > > This way when you pull result[0]['result'] you have what user_show > would have returned for user_show admin. > > rob From rcritten at redhat.com Fri Oct 22 20:43:47 2010 
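The result shape proposed in the "Bulk IPA commands" thread above (a list whose position maps to each method call), sketched as a standalone Python example that is added here and is not FreeIPA code or part of any message. COMMANDS, user_show, MAX_BATCH, the request layout under "methods" and the sample data are assumptions made for illustration; the sketch also records a failing call in its own slot instead of aborting the batch.

```python
"""Standalone sketch of a 'bulk' command; this is not ipalib code.

COMMANDS, user_show and the in-memory USERS table are hypothetical stand-ins
for a framework's command registry. All sample data is constructed.
"""
import json

MAX_BATCH = 50  # assumed cap so one request cannot queue unbounded work

# Constructed sample directory data.
USERS = {
    "admin": {"uid": ["admin"], "sn": ["Administrator"]},
    "kfrog": {"uid": ["kfrog"], "givenname": ["Kermit"], "sn": ["Frog"]},
}


def user_show(uid):
    """Hypothetical command: return one entry in the standard result shape."""
    if uid not in USERS:
        raise LookupError("%s: user not found" % uid)
    return {"result": USERS[uid], "value": uid, "summary": None}


# Explicit registry: only names listed here can be reached through bulk.
COMMANDS = {"user_show": user_show}


def bulk(methods):
    """Run each {"method": name, "params": [args, options]} item in order.

    Returns a list whose position i holds the outcome of call i, so the
    caller can pair results with requests. A failing call is recorded in
    its slot and does not abort the calls after it.
    """
    if not isinstance(methods, list):
        raise TypeError("methods must be a JSON array")
    if len(methods) > MAX_BATCH:
        raise ValueError("too many calls in one batch")
    results = []
    for item in methods:
        name = item.get("method") if isinstance(item, dict) else None
        slot = {"method": name, "result": None, "error": None}
        try:
            if name not in COMMANDS:  # also rejects a nested "bulk"
                raise ValueError("unknown method")
            args, options = item.get("params", [[], {}])
            if not isinstance(args, list) or not isinstance(options, dict):
                raise TypeError("params must be [array, object]")
            slot["result"] = COMMANDS[name](*args, **options)
        except (LookupError, TypeError, ValueError) as exc:
            slot["error"] = str(exc)
        results.append(slot)
    return results


def handle_request(body):
    """Decode a JSON-RPC style request body and dispatch the bulk call."""
    request = json.loads(body)
    _args, options = request["params"]
    return {"error": None, "id": request["id"],
            "result": bulk(options["methods"])}


# Constructed request: two lookups that succeed and one that fails.
SAMPLE = json.dumps({
    "method": "bulk", "id": 6,
    "params": [[], {"methods": [
        {"method": "user_show", "params": [["admin"], {}]},
        {"method": "user_show", "params": [["nobody"], {}]},
        {"method": "user_show", "params": [["kfrog"], {}]},
    ]}],
})

if __name__ == "__main__":
    print(json.dumps(handle_request(SAMPLE), indent=2))
```

Because "methods" is a real JSON array of objects rather than a comma-separated string, each nested call keeps its own positional arguments and options, which is the input-format problem raised in the thread.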
From: rcritten at redhat.com (Rob Crittenden) Date: Fri, 22 Oct 2010 16:43:47 -0400 Subject: [Freeipa-devel] [PATCH] #403 Handle multiline options in sysconfig.ntpd In-Reply-To: <20101022121212.09b70087@willson.li.ssimo.org> References: <20101020182743.6ee88860@willson.li.ssimo.org> <4CBFA496.6030609@redhat.com> <20101021170701.536b399c@willson.li.ssimo.org> <20101022121212.09b70087@willson.li.ssimo.org> Message-ID: <4CC1F783.5050401@redhat.com> Simo Sorce wrote: > On Thu, 21 Oct 2010 17:07:01 -0400 > Simo Sorce wrote: > >> On Wed, 20 Oct 2010 22:25:26 -0400 >> Rob Crittenden wrote: >> >>> Simo Sorce wrote: >>>> >>>> In some Fedora versions /etc/sysconfig/ntpd has OPTIONS scattered >>>> on multiple line through shell expansion. >>>> Handle simple cases like that. >>>> >>>> Simo. >>> >>> I think this will work, it's just one heck of a parser. Is >>> something like the attached a simpler approach? >>> >>> My version always adds the new options to the first OPTIONS block, >>> I'm not sure if it matters. >> >> Your solution looks a lot smaller indeed. >> And less is more here! >> I will produce a new patch inspired by this code and post it. >> Self-nack on the current patch. > > Ok, new version that adopts your method attached. > > Simo. ack From rcritten at redhat.com Fri Oct 22 21:05:46 2010 
From: rcritten at redhat.com (Rob Crittenden)
Date: Fri, 22 Oct 2010 17:05:46 -0400
Subject: [Freeipa-devel] [PATCH] #360 ipa-uuid plugin
In-Reply-To: <20101022121339.3d23c890@willson.li.ssimo.org>
References: <20101018171529.498fcbc7@willson.li.ssimo.org> <20101019171303.4dcf585d@willson.li.ssimo.org> <20101022121339.3d23c890@willson.li.ssimo.org>
Message-ID: <4CC1FCAA.1080100@redhat.com>

Simo Sorce wrote:
> On Tue, 19 Oct 2010 17:13:03 -0400
> Simo Sorce wrote:
>
>> On Mon, 18 Oct 2010 17:15:29 -0400
>> Simo Sorce wrote:
>>
>>>
>>> These 2 patches configure and load a new plugin that uses internal
>>> DS functions to generate UUIDs.
>>> The plugin is similar to DNA but instead of generating sequential
>>> numbers it generates UUIDs (type 1).
>>>
>>> These patches do not yet remove the UUID code in the framework.
>>>
>>> Simo.
>>>
>>
>> Rebased patch 0001 to add some minor fixes.
>
> Given this patch has not yet been acked I rebased it again with minor
> issues in comments (old stuff that came in from the original DNA code I
> used as base for this code).
>
> Simo.

ack

Works great. Don't forget to push the 2nd patch too.

rob

From rcritten at redhat.com Fri Oct 22 21:08:45 2010
From: rcritten at redhat.com (Rob Crittenden)
Date: Fri, 22 Oct 2010 17:08:45 -0400
Subject: [Freeipa-devel] [PATCH] Add fail-safe defaults to time and size limits in ldap2 searches.
In-Reply-To: <4CC01902.1040500@redhat.com>
References: <4CB704D9.1050606@redhat.com> <4CB705DA.60607@redhat.com> <4CBF01B3.8060700@redhat.com> <4CBF6262.8020106@redhat.com> <4CC01902.1040500@redhat.com>
Message-ID: <4CC1FD5D.4020306@redhat.com>

Pavel Zuna wrote:
> On 10/20/2010 11:42 PM, Rob Crittenden wrote:
>> Pavel Zuna wrote:
>>> On 10/14/2010 03:30 PM, Rob Crittenden wrote:
>>>> Pavel Zuna wrote:
>>>>> There was no default value set even though we were using config.get
>>>>> and
>>>>> it was throwing exceptions if someone deleted one of the related
>>>>> config
>>>>> values.
>>>>>
>>>>> Pavel
>>>>
>>>> Is this needed since get_ipa_config() will always return something for
>>>> time and search limits?
>>>>
>>>> rob
>>>
>>> Yes, because get_ipa_config will return defaults for time and search
>>> limits only when the whole ipaConfig entry isn't found.
>>>
>>> I reworked the patch, so that defaults are always returned by
>>> get_ipa_config, but I left changes from the previous version, because it
>>> doesn't hurt anything and is a (very little) bit safer.
>>>
>>> New version attached.
>>>
>>> Pavel
>>
>> I see your point. One can do 'ipa config-mod --searchtimelimit=` and
>> blam, everything stops working. This still seems like a bit of a
>> cover-up fix for that. Should we prevent these attributes from being
>> removed?
>
> We could do that, but it's always possible to delete the attribute using
> ldapmodify or some other tool.
>
>>
>> rob
>
> Pavel

Ok, your patch certainly won't hurt anything. Ack.

rob

From rcritten at redhat.com Fri Oct 22 21:14:41 2010
From: rcritten at redhat.com (Rob Crittenden)
Date: Fri, 22 Oct 2010 17:14:41 -0400
Subject: [Freeipa-devel] [PATCH] admiyo-freeipa-0064-Multivalue-fixes.patch
In-Reply-To: <4CC1F3D3.6010103@redhat.com>
References: <4CC1F3D3.6010103@redhat.com>
Message-ID: <4CC1FEC1.60508@redhat.com>

Adam Young wrote:
> https://fedorahosted.org/freeipa/ticket/384
>
> Strikethrough is now a toggle
> undo resets value to blank for new entries.

ack

From ssorce at redhat.com Fri Oct 22 21:24:04 2010
From: ssorce at redhat.com (Simo Sorce)
Date: Fri, 22 Oct 2010 17:24:04 -0400
Subject: [Freeipa-devel] [PATCH] #403 Handle multiline options in sysconfig.ntpd
In-Reply-To: <4CC1F783.5050401@redhat.com>
References: <20101020182743.6ee88860@willson.li.ssimo.org> <4CBFA496.6030609@redhat.com> <20101021170701.536b399c@willson.li.ssimo.org> <20101022121212.09b70087@willson.li.ssimo.org> <4CC1F783.5050401@redhat.com>
Message-ID: <20101022172404.001d2446@willson.li.ssimo.org>

On Fri, 22 Oct 2010 16:43:47 -0400
Rob Crittenden wrote:

> Simo Sorce wrote:
> > On Thu, 21 Oct 2010 17:07:01 -0400
> > Simo Sorce wrote:
> >
> >> On Wed, 20 Oct 2010 22:25:26 -0400
> >> Rob Crittenden wrote:
> >>
> >>> Simo Sorce wrote:
> >>>>
> >>>> In some Fedora versions /etc/sysconfig/ntpd has OPTIONS scattered
> >>>> on multiple lines through shell expansion.
> >>>> Handle simple cases like that.
> >>>>
> >>>> Simo.
> >>>
> >>> I think this will work, it's just one heck of a parser. Is
> >>> something like the attached a simpler approach?
> >>>
> >>> My version always adds the new options to the first OPTIONS block,
> >>> I'm not sure if it matters.
> >>
> >> Your solution looks a lot smaller indeed.
> >> And less is more here!
> >> I will produce a new patch inspired by this code and post it.
> >> Self-nack on the current patch.
> >
> > Ok, new version that adopts your method attached.
> >
> > Simo.
>
> ack

pushed to master

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York

From ssorce at redhat.com Fri Oct 22 21:24:20 2010
From: ssorce at redhat.com (Simo Sorce)
Date: Fri, 22 Oct 2010 17:24:20 -0400
Subject: [Freeipa-devel] [PATCH] #360 ipa-uuid plugin
In-Reply-To: <4CC1FCAA.1080100@redhat.com>
References: <20101018171529.498fcbc7@willson.li.ssimo.org> <20101019171303.4dcf585d@willson.li.ssimo.org> <20101022121339.3d23c890@willson.li.ssimo.org> <4CC1FCAA.1080100@redhat.com>
Message-ID: <20101022172420.39c0f854@willson.li.ssimo.org>

On Fri, 22 Oct 2010 17:05:46 -0400
Rob Crittenden wrote:

> Simo Sorce wrote:
> > On Tue, 19 Oct 2010 17:13:03 -0400
> > Simo Sorce wrote:
> >
> >> On Mon, 18 Oct 2010 17:15:29 -0400
> >> Simo Sorce wrote:
> >>
> >>>
> >>> These 2 patches configure and load a new plugin that uses internal
> >>> DS functions to generate UUIDs.
> >>> The plugin is similar to DNA but instead of generating sequential
> >>> numbers it generates UUIDs (type 1).
> >>>
> >>> These patches do not yet remove the UUID code in the framework.
> >>>
> >>> Simo.
> >>>
> >>
> >> Rebased patch 0001 to add some minor fixes.
> >
> > Given this patch has not yet been acked I rebased it again with
> > minor issues in comments (old stuff that came in from the original
> > DNA code I used as base for this code).
> >
> > Simo.
>
> ack
>
> Works great. Don't forget to push the 2nd patch too.

Pushed both to master

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York

From ssorce at redhat.com Fri Oct 22 21:38:35 2010
From: ssorce at redhat.com (Simo Sorce)
Date: Fri, 22 Oct 2010 17:38:35 -0400
Subject: [Freeipa-devel] [PATCH] #333 plugin to change kerberos principal name when user is renamed
Message-ID: <20101022173835.28204736@willson.li.ssimo.org>

This plugin intercepts a modrdn change so that when a user is renamed
the krbprincipalname is changed accordingly.

The second patch activates the plugin.

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0001-Add-new-plugin-used-to-modify-related-attributes-aft.patch
Type: text/x-patch
Size: 30877 bytes
Desc: not available
URL:
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0002-ipa-modrdn-Enable-plugin-to-handle-krbPrincipalName-.patch
Type: text/x-patch
Size: 2640 bytes
Desc: not available
URL:

From rcritten at redhat.com Fri Oct 22 21:44:41 2010
From: rcritten at redhat.com (Rob Crittenden)
Date: Fri, 22 Oct 2010 17:44:41 -0400
Subject: [Freeipa-devel] Bulk IPA commands
In-Reply-To: <4CC1F488.8020704@redhat.com>
References: <4CBDF291.7000204@redhat.com> <4CBDF3DA.8000903@redhat.com> <4CBE1BB9.5070407@redhat.com> <4CBEEEB8.5030108@redhat.com> <4CBEFFD8.60906@redhat.com> <4CBF0108.1010407@redhat.com> <4CBF2FF0.1020303@redhat.com> <4CC1E105.7030107@redhat.com> <4CC1EF31.3050608@redhat.com> <4CC1F488.8020704@redhat.com>
Message-ID: <4CC205C9.40203@redhat.com>

Adam Young wrote:
> On 10/22/2010 04:08 PM, Rob Crittenden wrote:
>> Adam Young wrote:
>>> I did a quick spike into what it would take to implement my idea and got
>>> this far (done in internal.py)
>>>
>>>
>>> class bulk(Command):
>>>
>>>     takes_args = (
>>>         List('methods?',
>>>             doc=_('Nested Methods to execute'),
>>>         ),
>>>     )
>>>
>>>     has_output = output.standard_entry
>>>     def execute(self, *args, **options):
>>>         results=dict();
>>>         for arg in args:
>>>             for method in arg:
>>>                 results[method]=unicode("OK")
>>>
>>>         return dict(result=results, value=unicode("Something"))
>>>
>>> api.register(bulk)
>>>
>>>
>>>
>>>
>>> And tested it using:
>>>
>>>
>>> [ayoung at ipa ~]$ curl -H "Content-Type:application/json" -H
>>> "Accept:applicaton/json" -H "Accept-Language:en" --negotiate -u :
>>> --cacert /etc/ipa/ca.crt -d
>>> '{"method":"bulk","params":[[],{"methods":"1,2" }],"id":6}' -X POST
>>> http://localhost:8888/ipa/json
>>> {
>>>     "error": null,
>>>     "id": 6,
>>>     "result": {
>>>         "result": {
>>>             "1": "OK",
>>>             "2": "OK"
>>>         },
>>>         "summary": null,
>>>         "value": "Something"
>>>     }
>>> }
>>>
>>>
>>> I don't think the List type is going to work for this. We need, I think,
>>> a Dict type here, in order to support the full JSON Parsing, we might
>>> need a true array type as well. Or, we could make separate methods for
>>> JSON and XML and make a type for each of those. Any thoughts?
>>>
>>
>> You can define your own output format, look in ipalib/Output.py. In
>> this case I think a list of a dict of results is probably the right
>> thing.
>
> Yeah, problem is input format, not output. Output I know we can do based
> on how we did the json_metadata, although based on your comment, it
> looks like we can do it in a more standard manner.

Ah, ok. I think something like:

MULTICALL: list of CALL

CALL: dict(METHODNAME, ARGS, OPTIONS)

METHODNAME: string

ARGS: list

OPTIONS: dict

ex:

[
  {'method': 'user_show',
   'args': ['admin'],
   'options': {'all': True, 'raw': True}
  },
  {'method': 'user_show',
   'args': ['kfrog'],
   'options': {'all': True, 'raw': True}
  },
]

IIRC this is pretty similar to what you first proposed.

rob

>
>
>>
>> So we have a list of results whose position maps to each method call.
>> In each position we store the name of the method call (just for
>> clarity) and the results of that call.
>>
>> It might look like this to show two separate users:
>>
>> [{'method': 'user_show', result={'result': {'dn':
>> u'uid=admin,cn=users,cn=accounts,dc=greyoak,dc=com', 'memberof_group':
>> (u'admins',), 'uid': (u'admin',), 'loginshell': (u'/bin/bash',),
>> 'homedirectory': (u'/home/admin',), 'sn': (u'Administrator',),
>> 'memberof_rolegroup': (u'replicaadmin',), 'memberof_taskgroup':
>> (u'managereplica', u'deletereplica')}, 'value': u'admin', 'summary':
>> None}},
>> {'method': 'user_show', result={'result': {'dn':
>> u'uid=kfrog,cn=users,cn=accounts,dc=greyoak,dc=com', 'memberof_group':
>> (u'ipausers',), 'uid': (u'kfrog',), 'loginshell': (u'/bin/bash',),
>> 'homedirectory': (u'/home/kfrog',), 'givenname': (u'Kermit',), 'sn':
>> (u'Frog',)}, 'value': u'kfrog', 'summary': None}}]
>>
>> You could probably even throw in *args and **options too.
>>
>> This way when you pull result[0]['result'] you have what user_show
>> would have returned for user_show admin.
>>
>> rob
>

From rcritten at redhat.com Fri Oct 22 21:46:55 2010
From: rcritten at redhat.com (Rob Crittenden)
Date: Fri, 22 Oct 2010 17:46:55 -0400
Subject: [Freeipa-devel] [PATCH] #333 plugin to change kerberos principal name when user is renamed
In-Reply-To: <20101022173835.28204736@willson.li.ssimo.org>
References: <20101022173835.28204736@willson.li.ssimo.org>
Message-ID: <4CC2064F.6000805@redhat.com>

Simo Sorce wrote:
>
> This plugin intercepts a modrdn change so that when a user is renamed
> the krbprincipalname is changed accordingly.
>
> The second patch activates the plugin.
>
> Simo.

Should ipaModRDNscope be set to the user container instead of $SUFFIX?

rob

From ssorce at redhat.com Fri Oct 22 21:48:29 2010
From: ssorce at redhat.com (Simo Sorce)
Date: Fri, 22 Oct 2010 17:48:29 -0400
Subject: [Freeipa-devel] [PATCH] 561 set default python encoding to utf-8
In-Reply-To: <4CACB71A.90103@redhat.com>
References: <4CACB71A.90103@redhat.com>
Message-ID: <20101022174829.23158030@willson.li.ssimo.org>

On Wed, 06 Oct 2010 13:51:22 -0400
Rob Crittenden wrote:

> Add a module that we will load that will set the default encoding to
> utf-8 instead of ascii.
>
> $ python
> >>> import sys
> >>> sys.getdefaultencoding()
> 'ascii'
> >>> import default_encoding_utf8
> >>> sys.getdefaultencoding()
> 'utf-8'
>
> This will be linked into IPA in a future patch. The code was written
> by John, I'm just packaging it, so he gets all the credit :-)
>
> Since I was messing with the spec file I also removed glob that was
> pulling in a slew of duplicate files for the UI.

Ack.

-- 
Simo Sorce * Red Hat, Inc * New York

From ssorce at redhat.com Fri Oct 22 21:49:41 2010
From: ssorce at redhat.com (Simo Sorce)
Date: Fri, 22 Oct 2010 17:49:41 -0400
Subject: [Freeipa-devel] [PATCH] 562 set default encoding, print as unicode
In-Reply-To: <4CACBC18.2010005@redhat.com>
References: <4CACBC18.2010005@redhat.com>
Message-ID: <20101022174941.1f3d281b@willson.li.ssimo.org>

On Wed, 06 Oct 2010 14:12:40 -0400
Rob Crittenden wrote:

> Set default encoding to utf-8, use unicode when printing output.
>
> The Gettext() object only does the lookup when you print it as a
> unicode.
>
> ticket 308
>
> This patch indirectly relies on patch 561 which provides the encoding
> plugin that this loads.
>
> rob

ACK

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York

From dpal at redhat.com Fri Oct 22 21:50:50 2010
From: dpal at redhat.com (Dmitri Pal)
Date: Fri, 22 Oct 2010 17:50:50 -0400
Subject: [Freeipa-devel] Bulk IPA commands
In-Reply-To: <4CC205C9.40203@redhat.com>
References: <4CBDF291.7000204@redhat.com> <4CBDF3DA.8000903@redhat.com> <4CBE1BB9.5070407@redhat.com> <4CBEEEB8.5030108@redhat.com> <4CBEFFD8.60906@redhat.com> <4CBF0108.1010407@redhat.com> <4CBF2FF0.1020303@redhat.com> <4CC1E105.7030107@redhat.com> <4CC1EF31.3050608@redhat.com> <4CC1F488.8020704@redhat.com> <4CC205C9.40203@redhat.com>
Message-ID: <4CC2073A.3030709@redhat.com>

Rob Crittenden wrote:
> Adam Young wrote:
>> On 10/22/2010 04:08 PM, Rob Crittenden wrote:
>>> Adam Young wrote:
>>>> I did a quick spike into what it would take to implement my idea
>>>> and got
>>>> this far (done in internal.py)
>>>>
>>>>
>>>> class bulk(Command):
>>>>
>>>>     takes_args = (
>>>>         List('methods?',
>>>>             doc=_('Nested Methods to execute'),
>>>>         ),
>>>>     )
>>>>
>>>>     has_output = output.standard_entry
>>>>     def execute(self, *args, **options):
>>>>         results=dict();
>>>>         for arg in args:
>>>>             for method in arg:
>>>>                 results[method]=unicode("OK")
>>>>
>>>>         return dict(result=results, value=unicode("Something"))
>>>>
>>>> api.register(bulk)
>>>>
>>>>
>>>>
>>>>
>>>> And tested it using:
>>>>
>>>>
>>>> [ayoung at ipa ~]$ curl -H "Content-Type:application/json" -H
>>>> "Accept:applicaton/json" -H "Accept-Language:en" --negotiate -u :
>>>> --cacert /etc/ipa/ca.crt -d
>>>> '{"method":"bulk","params":[[],{"methods":"1,2" }],"id":6}' -X POST
>>>> http://localhost:8888/ipa/json
>>>> {
>>>>     "error": null,
>>>>     "id": 6,
>>>>     "result": {
>>>>         "result": {
>>>>             "1": "OK",
>>>>             "2": "OK"
>>>>         },
>>>>         "summary": null,
>>>>         "value": "Something"
>>>>     }
>>>> }
>>>>
>>>>
>>>> I don't think the List type is going to work for this. We need, I
>>>> think,
>>>> a Dict type here, in order to support the full JSON Parsing, we might
>>>> need a true array type as well. Or, we could make separate methods for
>>>> JSON and XML and make a type for each of those. Any thoughts?
>>>>
>>>
>>> You can define your own output format, look in ipalib/Output.py. In
>>> this case I think a list of a dict of results is probably the right
>>> thing.
>>
>> Yeah, problem is input format, not output. Output I know we can do based
>> on how we did the json_metadata, although based on your comment, it
>> looks like we can do it in a more standard manner.
>
> Ah, ok. I think something like:
>
> MULTICALL: list of CALL
>
> CALL: dict(METHODNAME, ARGS, OPTIONS)
>
> METHODNAME: string
>
> ARGS: list
>
> OPTIONS: dict
>
> ex:
>
> [
>   {'method': 'user_show',
>    'args': ['admin'],
>    'options': {'all': True, 'raw': True}
>   },
>   {'method': 'user_show',
>    'args': ['kfrog'],
>    'options': {'all': True, 'raw': True}
>   },
> ]
>
> IIRC this is pretty similar to what you first proposed.
>
> rob

There should be some metadata about what to do if some call fails.
Like fail the whole thing and stop or continue for the rest.
So there should be a dictionary of the multicall properties.

>
>>
>>
>>>
>>> So we have a list of results whose position maps to each method call.
>>> In each position we store the name of the method call (just for
>>> clarity) and the results of that call.
>>>
>>> It might look like this to show two separate users:
>>>
>>> [{'method': 'user_show', result={'result': {'dn':
>>> u'uid=admin,cn=users,cn=accounts,dc=greyoak,dc=com', 'memberof_group':
>>> (u'admins',), 'uid': (u'admin',), 'loginshell': (u'/bin/bash',),
>>> 'homedirectory': (u'/home/admin',), 'sn': (u'Administrator',),
>>> 'memberof_rolegroup': (u'replicaadmin',), 'memberof_taskgroup':
>>> (u'managereplica', u'deletereplica')}, 'value': u'admin', 'summary':
>>> None}},
>>> {'method': 'user_show', result={'result': {'dn':
>>> u'uid=kfrog,cn=users,cn=accounts,dc=greyoak,dc=com', 'memberof_group':
>>> (u'ipausers',), 'uid': (u'kfrog',), 'loginshell': (u'/bin/bash',),
>>> 'homedirectory': (u'/home/kfrog',), 'givenname': (u'Kermit',), 'sn':
>>> (u'Frog',)}, 'value': u'kfrog', 'summary': None}}]
>>>
>>> You could probably even throw in *args and **options too.
>>>
>>> This way when you pull result[0]['result'] you have what user_show
>>> would have returned for user_show admin.
>>>
>>> rob
>>
>
> _______________________________________________
> Freeipa-devel mailing list
> Freeipa-devel at redhat.com
> https://www.redhat.com/mailman/listinfo/freeipa-devel

-- 
Thank you,
Dmitri Pal

Engineering Manager IPA project,
Red Hat Inc.

-------------------------------
Looking to carve out IT costs?
www.redhat.com/carveoutcosts/

From rcritten at redhat.com Fri Oct 22 21:54:53 2010
From: rcritten at redhat.com (Rob Crittenden)
Date: Fri, 22 Oct 2010 17:54:53 -0400
Subject: [Freeipa-devel] Bulk IPA commands
In-Reply-To: <4CC2073A.3030709@redhat.com>
References: <4CBDF291.7000204@redhat.com> <4CBDF3DA.8000903@redhat.com> <4CBE1BB9.5070407@redhat.com> <4CBEEEB8.5030108@redhat.com> <4CBEFFD8.60906@redhat.com> <4CBF0108.1010407@redhat.com> <4CBF2FF0.1020303@redhat.com> <4CC1E105.7030107@redhat.com> <4CC1EF31.3050608@redhat.com> <4CC1F488.8020704@redhat.com> <4CC205C9.40203@redhat.com> <4CC2073A.3030709@redhat.com>
Message-ID: <4CC2082D.80701@redhat.com>

Dmitri Pal wrote:
> Rob Crittenden wrote:
>> Adam Young wrote:
>>> On 10/22/2010 04:08 PM, Rob Crittenden wrote:
>>>> Adam Young wrote:
>>>>> I did a quick spike into what it would take to implement my idea
>>>>> and got
>>>>> this far (done in internal.py)
>>>>>
>>>>>
>>>>> class bulk(Command):
>>>>>
>>>>>     takes_args = (
>>>>>         List('methods?',
>>>>>             doc=_('Nested Methods to execute'),
>>>>>         ),
>>>>>     )
>>>>>
>>>>>     has_output = output.standard_entry
>>>>>     def execute(self, *args, **options):
>>>>>         results=dict();
>>>>>         for arg in args:
>>>>>             for method in arg:
>>>>>                 results[method]=unicode("OK")
>>>>>
>>>>>         return dict(result=results, value=unicode("Something"))
>>>>>
>>>>> api.register(bulk)
>>>>>
>>>>>
>>>>>
>>>>>
>>>>> And tested it using:
>>>>>
>>>>>
>>>>> [ayoung at ipa ~]$ curl -H "Content-Type:application/json" -H
>>>>> "Accept:applicaton/json" -H "Accept-Language:en" --negotiate -u :
>>>>> --cacert /etc/ipa/ca.crt -d
>>>>> '{"method":"bulk","params":[[],{"methods":"1,2" }],"id":6}' -X POST
>>>>> http://localhost:8888/ipa/json
>>>>> {
>>>>>     "error": null,
>>>>>     "id": 6,
>>>>>     "result": {
>>>>>         "result": {
>>>>>             "1": "OK",
>>>>>             "2": "OK"
>>>>>         },
>>>>>         "summary": null,
>>>>>         "value": "Something"
>>>>>     }
>>>>> }
>>>>>
>>>>>
>>>>> I don't think the List type is going to work for this. We need, I
>>>>> think,
>>>>> a Dict type here, in order to support the full JSON Parsing, we might
>>>>> need a true array type as well. Or, we could make separate methods for
>>>>> JSON and XML and make a type for each of those. Any thoughts?
>>>>>
>>>>
>>>> You can define your own output format, look in ipalib/Output.py. In
>>>> this case I think a list of a dict of results is probably the right
>>>> thing.
>>>
>>> Yeah, problem is input format, not output. Output I know we can do based
>>> on how we did the json_metadata, although based on your comment, it
>>> looks like we can do it in a more standard manner.
>>
>> Ah, ok. I think something like:
>>
>> MULTICALL: list of CALL
>>
>> CALL: dict(METHODNAME, ARGS, OPTIONS)
>>
>> METHODNAME: string
>>
>> ARGS: list
>>
>> OPTIONS: dict
>>
>> ex:
>>
>> [
>>   {'method': 'user_show',
>>    'args': ['admin'],
>>    'options': {'all': True, 'raw': True}
>>   },
>>   {'method': 'user_show',
>>    'args': ['kfrog'],
>>    'options': {'all': True, 'raw': True}
>>   },
>> ]
>>
>> IIRC this is pretty similar to what you first proposed.
>>
>> rob
>
> There should be some metadata about what to do if some call fails.
> Like fail the whole thing and stop or continue for the rest.
> So there should be a dictionary of the multicall properties.

We have decided to soldier on in case of failure. We'll add additional
logic to handle this in the future. It can take the form of additional
keys in the request which won't affect backwards compatibility. This
will have the effect of keeping bulk processing very tight.

rob

>
>
>>
>>>
>>>
>>>>
>>>> So we have a list of results whose position maps to each method call.
>>>> In each position we store the name of the method call (just for
>>>> clarity) and the results of that call.
>>>>
>>>> It might look like this to show two separate users:
>>>>
>>>> [{'method': 'user_show', result={'result': {'dn':
>>>> u'uid=admin,cn=users,cn=accounts,dc=greyoak,dc=com', 'memberof_group':
>>>> (u'admins',), 'uid': (u'admin',), 'loginshell': (u'/bin/bash',),
>>>> 'homedirectory': (u'/home/admin',), 'sn': (u'Administrator',),
>>>> 'memberof_rolegroup': (u'replicaadmin',), 'memberof_taskgroup':
>>>> (u'managereplica', u'deletereplica')}, 'value': u'admin', 'summary':
>>>> None}},
>>>> {'method': 'user_show', result={'result': {'dn':
>>>> u'uid=kfrog,cn=users,cn=accounts,dc=greyoak,dc=com', 'memberof_group':
>>>> (u'ipausers',), 'uid': (u'kfrog',), 'loginshell': (u'/bin/bash',),
>>>> 'homedirectory': (u'/home/kfrog',), 'givenname': (u'Kermit',), 'sn':
>>>> (u'Frog',)}, 'value': u'kfrog', 'summary': None}}]
>>>>
>>>> You could probably even throw in *args and **options too.
>>>>
>>>> This way when you pull result[0]['result'] you have what user_show
>>>> would have returned for user_show admin.
>>>>
>>>> rob
>>>
>>
>> _______________________________________________
>> Freeipa-devel mailing list
>> Freeipa-devel at redhat.com
>> https://www.redhat.com/mailman/listinfo/freeipa-devel
>
>

From ssorce at redhat.com Fri Oct 22 21:57:15 2010
From: ssorce at redhat.com (Simo Sorce)
Date: Fri, 22 Oct 2010 17:57:15 -0400
Subject: [Freeipa-devel] [PATCH] 566 disallow writes on some attributes
In-Reply-To: <4CAF6C09.70001@redhat.com>
References: <4CAF6B1C.3080704@redhat.com> <4CAF6C09.70001@redhat.com>
Message-ID: <20101022175715.4add3ac8@willson.li.ssimo.org>

On Fri, 08 Oct 2010 15:07:53 -0400
Rob Crittenden wrote:

> Rob Crittenden wrote:
> > Disallow writes on serverHostName, enrolledBy and memberOf
> >
> > Regular users already can't write these, it just affects admins.
> >
> > serverHostName because this is tied to the FQDN so should only be
> > changed on a host rename (which we don't do).
> >
> > enrolledBy because this should reflect reality.
> >
> > memberOf because the plugin should do this. Directly managing this
> > attribute would be pretty dangerous and confusing.
> >
> > Also remove a redundant aci granting the admins group write access
> > to users and groups. They have it with through the "admins can
> > modify any entry" aci.
> >
> > tickets 300, 302, 304
> >
> > rob
>
> Updated patch. We need to allow writing enrolledBy so we can actually
> enroll a host! I'll have to prevent writes to this by other means or
> through a more specific aci.
>
> rob

ACK.

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York

From ssorce at redhat.com Fri Oct 22 21:58:57 2010
From: ssorce at redhat.com (Simo Sorce)
Date: Fri, 22 Oct 2010 17:58:57 -0400
Subject: [Freeipa-devel] [PATCH] 577 Grant /usr/sbin/ipa_kpasswd "name_bind" access.
In-Reply-To: <4CB74FC0.5000706@redhat.com>
References: <4CB74FC0.5000706@redhat.com>
Message-ID: <20101022175857.38ff84fe@willson.li.ssimo.org>

On Thu, 14 Oct 2010 14:45:20 -0400
Rob Crittenden wrote:

> Fix an SELinux problem by granting /usr/sbin/ipa_kpasswd "name_bind"
> access.
>
> This requires selinux-policy-3.6.32-123 on F12 and I took an educated
> guess and set the minimum on F13 to selinux-policy-3.7.19-40.
>
> ticket 73

ACK

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York

From ssorce at redhat.com Fri Oct 22 22:09:07 2010
From: ssorce at redhat.com (Simo Sorce)
Date: Fri, 22 Oct 2010 18:09:07 -0400
Subject: [Freeipa-devel] [PATCH] 581 remove enrolledBy when unenrolled
In-Reply-To: <4CBF5BD0.7000206@redhat.com>
References: <4CB8C72B.4090308@redhat.com> <20101015181558.304fa2d2@willson.li.ssimo.org> <4CB8D597.8040802@redhat.com> <4CBC4E68.9060804@redhat.com> <4CBF5BD0.7000206@redhat.com>
Message-ID: <20101022180907.41cf5bbd@willson.li.ssimo.org>

On Wed, 20 Oct 2010 17:14:56 -0400
Rob Crittenden wrote:

> Rob Crittenden wrote:
> > Dmitri Pal wrote:
> >> Simo Sorce wrote:
> >>> On Fri, 15 Oct 2010 17:27:07 -0400
> >>> Rob Crittenden wrote:
> >>>
> >>>
> >>>> Remove the enrolledBy when a host is unenrolled (which is the
> >>>> same as disabling the host).
> >>>>
> >>>> ticket 301
> >>>>
> >>>> rob
> >>>>
> >>>
> >>> nack, if host can write enrolledBy it can fake info
> >>>
> >>> Simo.
> >>>
> >>>
> >> I agree. I think it should be "delete" rather than "write".
> >>
> >
> > The delete permission is for entries, not for attributes.
> >
> > I'll need to ask the 389-ds guys about how to do this, though I
> > think it may be via an attr value aci which will require some work
> > in our aci plugin because it doesn't currently support them.
> >
> > rob
>
> Updated patch to clear out enrolledBy when a host is unenrolled.
>
> This uses a targattrfilters aci that says that enrolledBy can be
> deleted if it is not empty. We also require that krblastpwddchange be
> empty, so you can't simply delete enrolledby on an enrolled host.
>
> host-disable first deletes the principalkey and lastpwdchange and then
> removes the enrollment.
>
> ticket 301

This patch looks good but I was a bit surprised to see that you use
krblastpwdchange as a trigger. Why not the principal key ?

Also if I read it right
(targattrfilters="del=enrolledby:(enrolledBy=*)") allows you to delete
enrolledBy but not to change it to another value. This prevents
misrepresenting who enrolled the host, but still allows the host to
remove the information (the host can remove krblastpwdchange first and
then re-add it right ?)

So I am wondering if we really solve all relevant abuses with this
patch (some of it is solved) or if we are still leaving the door open
to something.

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York

From ssorce at redhat.com Fri Oct 22 22:12:11 2010
From: ssorce at redhat.com (Simo Sorce)
Date: Fri, 22 Oct 2010 18:12:11 -0400
Subject: [Freeipa-devel] Bulk IPA commands
In-Reply-To: <4CC2073A.3030709@redhat.com>
References: <4CBDF291.7000204@redhat.com> <4CBDF3DA.8000903@redhat.com> <4CBE1BB9.5070407@redhat.com> <4CBEEEB8.5030108@redhat.com> <4CBEFFD8.60906@redhat.com> <4CBF0108.1010407@redhat.com> <4CBF2FF0.1020303@redhat.com> <4CC1E105.7030107@redhat.com> <4CC1EF31.3050608@redhat.com> <4CC1F488.8020704@redhat.com> <4CC205C9.40203@redhat.com> <4CC2073A.3030709@redhat.com>
Message-ID: <20101022181211.2de7fd0b@willson.li.ssimo.org>

On Fri, 22 Oct 2010 17:50:50 -0400
Dmitri Pal wrote:

> There should be some metadata about what to do if some call fails.
> Like fail the whole thing and stop or continue for the rest.
> So there should be a dictionary of the multicall properties.
>

this would mean introducing "chained" calls, I advise against it, at
least, initially.
All parallel calls SHOULD be independent and not depend on the result
of a previous call.

Chaining unveils a pretty big can of worms and makes managing errors
potentially quite complex.

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York

From ssorce at redhat.com Fri Oct 22 22:13:57 2010
From: ssorce at redhat.com (Simo Sorce)
Date: Fri, 22 Oct 2010 18:13:57 -0400
Subject: [Freeipa-devel] [PATCH] 584 fix 2 tests
In-Reply-To: <4CBF24A1.3040105@redhat.com>
References: <4CBF24A1.3040105@redhat.com>
Message-ID: <20101022181357.19d71dad@willson.li.ssimo.org>

On Wed, 20 Oct 2010 13:19:29 -0400
Rob Crittenden wrote:

> The first test is a mismatch in the sample output of an exception.
>
> The second test adds certificate information output to the service
> plugin.

ACK

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York

From ssorce at redhat.com Fri Oct 22 22:15:02 2010
From: ssorce at redhat.com (Simo Sorce)
Date: Fri, 22 Oct 2010 18:15:02 -0400
Subject: [Freeipa-devel] [Fwd: [freeipa] #402: SUDO command attribute should be case sensitive]
In-Reply-To: <4CBF4619.9020404@redhat.com>
References: <4CBF4619.9020404@redhat.com>
Message-ID: <20101022181502.3ac29fdd@willson.li.ssimo.org>

On Wed, 20 Oct 2010 15:42:17 -0400
Dmitri Pal wrote:

> Any suggestions what it should be?
> Should we create a new attribute or there is something handy to reuse?

Probably makes sense to add a custom attribute, properly named.

Simo.

> -------- Original Message --------
> Subject: [freeipa] #402: SUDO command attribute should be
> case sensitive Date: Wed, 20 Oct 2010 19:39:53 -0000
> From: freeipa
> Reply-To: nobody at fedoraproject.org
> To: undisclosed-recipients:;
>
>
>
> #402: SUDO command attribute should be case sensitive
> -----------------------------+----------------------------------------------
> Reporter: dpal | Owner: rcritten
> Type: defect | Status: new
> Priority: major | Milestone: 0.5 iteration - October
> Component: Schema | Version:
> Keywords: | Tests: 0
> Testsupdated: 0 | Affects_cli: 0
> Candidate_to_defer: 0 |
> -----------------------------+----------------------------------------------
> SUDO command attribute is currently cn and not case sensitive. It
> should be case sensitive.
>

-- 
Simo Sorce * Red Hat, Inc * New York

From dpal at redhat.com Fri Oct 22 22:16:00 2010
From: dpal at redhat.com (Dmitri Pal)
Date: Fri, 22 Oct 2010 18:16:00 -0400
Subject: [Freeipa-devel] Bulk IPA commands
In-Reply-To: <20101022181211.2de7fd0b@willson.li.ssimo.org>
References: <4CBDF291.7000204@redhat.com> <4CBDF3DA.8000903@redhat.com> <4CBE1BB9.5070407@redhat.com> <4CBEEEB8.5030108@redhat.com> <4CBEFFD8.60906@redhat.com> <4CBF0108.1010407@redhat.com> <4CBF2FF0.1020303@redhat.com> <4CC1E105.7030107@redhat.com> <4CC1EF31.3050608@redhat.com> <4CC1F488.8020704@redhat.com> <4CC205C9.40203@redhat.com> <4CC2073A.3030709@redhat.com> <20101022181211.2de7fd0b@willson.li.ssimo.org>
Message-ID: <4CC20D20.4080203@redhat.com>

Simo Sorce wrote:
> On Fri, 22 Oct 2010 17:50:50 -0400
> Dmitri Pal wrote:
>
>
>> There should be some metadata about what to do if some call fails.
>> Like fail the whole thing and stop or continue for the rest.
>> So there should be a dictionary of the multicall properties.
>>
>>
>
> this would mean introducing "chained" calls, I advise against it, at
> least, initially.
> All parallel calls SHOULD be independent and not depend on the result
> of a previous call.
>
> Chaining unveils a pretty big can of worms and makes managing errors
> potentially quite complex.
>
> Simo.
>
>

This is true. I am just saying that we need to add to the interface the
ability to define additional parameters on the metacall level.
We can ignore them for now but the syntax should allow it for future use.

-- 
Thank you,
Dmitri Pal

Engineering Manager IPA project,
Red Hat Inc.

-------------------------------
Looking to carve out IT costs?
www.redhat.com/carveoutcosts/

From dpal at redhat.com Fri Oct 22 22:16:51 2010
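Added example, not part of any message in this thread and not FreeIPA code: a Python sketch of the multicall format discussed under "Bulk IPA commands" (a list of CALL dicts, results mapped by position, later calls still run when one fails). DIRECTORY, user_show, REGISTRY, MAX_CALLS, check_call and run_multicall are assumed names; the per-call 'error' key and the size cap are assumptions the thread does not specify.

```python
# Added illustration of the MULTICALL format from the thread; not FreeIPA code.
# Every name below is an assumption made for this example.

MAX_CALLS = 100  # assumed cap so one request cannot queue unbounded work

# Constructed sample data standing in for the directory.
DIRECTORY = {
    'admin': {'uid': ('admin',), 'sn': ('Administrator',),
              'loginshell': ('/bin/bash',)},
    'kfrog': {'uid': ('kfrog',), 'givenname': ('Kermit',), 'sn': ('Frog',),
              'loginshell': ('/bin/bash',)},
}


def user_show(uid, **options):
    """Toy stand-in for one command; returns the result/value/summary shape."""
    if uid not in DIRECTORY:
        raise LookupError('%s: user not found' % uid)
    entry = dict(DIRECTORY[uid])
    if not options.get('all'):
        entry = {'uid': entry['uid']}
    return {'result': entry, 'value': uid, 'summary': None}


# Dispatch goes through this explicit table only. The batch entry point is
# not listed, so a request cannot nest a batch inside a batch.
REGISTRY = {'user_show': user_show}


def check_call(call):
    """Validate one CALL: dict(method=string, args=list, options=dict).

    Keys other than these three are ignored, so keys added to the request
    format later do not break older servers.
    """
    if not isinstance(call, dict):
        raise TypeError('call must be a dict')
    method = call.get('method')
    args = call.get('args', [])
    options = call.get('options', {})
    if not isinstance(method, str):
        raise TypeError('method must be a string')
    if not isinstance(args, list):
        raise TypeError('args must be a list')
    if not isinstance(options, dict) or \
            not all(isinstance(key, str) for key in options):
        raise TypeError('options must be a dict with string keys')
    if method not in REGISTRY:
        raise LookupError('unknown method: %s' % method)
    return REGISTRY[method], args, options


def run_multicall(calls):
    """Run each CALL independently; results[i] always belongs to calls[i]."""
    if not isinstance(calls, list):
        raise TypeError('multicall must be a list of calls')
    if len(calls) > MAX_CALLS:
        raise ValueError('too many calls in one request')
    results = []
    for call in calls:
        name = call.get('method') if isinstance(call, dict) else None
        if not isinstance(name, str):
            name = None
        try:
            func, args, options = check_call(call)
            outcome = {'method': name, 'result': func(*args, **options),
                       'error': None}
        except Exception as exc:
            # Soldier on: record the failure in this slot and keep going.
            outcome = {'method': name, 'result': None,
                       'error': '%s: %s' % (type(exc).__name__, exc)}
        results.append(outcome)
    return results


if __name__ == '__main__':
    request = [
        {'method': 'user_show', 'args': ['admin'],
         'options': {'all': True, 'raw': True}},
        {'method': 'user_show', 'args': ['nobody'], 'options': {}},
        {'method': 'user_show', 'args': ['kfrog'],
         'options': {'all': True, 'raw': True}},
    ]
    for slot in run_multicall(request):
        print(slot)
```
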
From: dpal at redhat.com (Dmitri Pal) Date: Fri, 22 Oct 2010 18:16:51 -0400 Subject: [Freeipa-devel] [Fwd: [freeipa] #402: SUDO command attribute should be case sensitive] In-Reply-To: <20101022181502.3ac29fdd@willson.li.ssimo.org> References: <4CBF4619.9020404@redhat.com> <20101022181502.3ac29fdd@willson.li.ssimo.org> Message-ID: <4CC20D53.1090503@redhat.com> Simo Sorce wrote: > On Wed, 20 Oct 2010 15:42:17 -0400 > Dmitri Pal wrote: > > >> Any suggestions what it should be? >> Should we create a new attribute or there is something handy to reuse? >> > > Probably makes sense to add a custom attribute, properly named. > > Ok I will propose one. > Simo. > > >> -------- Original Message -------- >> Subject: [freeipa] #402: SUDO command attribute should be >> case sensitive Date: Wed, 20 Oct 2010 19:39:53 -0000 >> From: freeipa >> Reply-To: nobody at fedoraproject.org >> To: undisclosed-recipients:; >> >> >> >> #402: SUDO command attribute should be case sensitive >> -----------------------------+---------------------------------------------- >> Reporter: dpal | Owner: rcritten >> Type: defect | Status: new >> Priority: major | Milestone: 0.5 iteration - October >> Component: Schema | Version: >> Keywords: | Tests: 0 >> Testsupdated: 0 | Affects_cli: 0 >> Candidate_to_defer: 0 | >> -----------------------------+---------------------------------------------- >> SUDO command attribute is currently cn and not case sensitive. It >> should be case sensitive. >> >> > > > > -- Thank you, Dmitri Pal Engineering Manager IPA project, Red Hat Inc. ------------------------------- Looking to carve out IT costs? www.redhat.com/carveoutcosts/ From ssorce at redhat.com Fri Oct 22 22:22:28 2010 
From: ssorce at redhat.com (Simo Sorce) Date: Fri, 22 Oct 2010 18:22:28 -0400 Subject: [Freeipa-devel] [PATCH] #333 plugin to change kerberos principal name when user is renamed In-Reply-To: <4CC2064F.6000805@redhat.com> References: <20101022173835.28204736@willson.li.ssimo.org> <4CC2064F.6000805@redhat.com> Message-ID: <20101022182228.51958ca2@willson.li.ssimo.org> On Fri, 22 Oct 2010 17:46:55 -0400 Rob Crittenden wrote: > Simo Sorce wrote: > > > > This plugin intercepts a modrdn change so that when a user is > > renamed the krbprincipalname is changed accordingly. > > > > The second patch activates the plugin. > > > > Simo. > > Should ipaModRDNscope be set to the user container instead of $SUFFIX? > > rob Good question, I was tempted but then I thought the filter was enough. I am open to changing it if you feel strongly, though. Simo. -- Simo Sorce * Red Hat, Inc * New York From ayoung at redhat.com Fri Oct 22 23:52:21 2010 From: ayoung at redhat.com (Adam Young) Date: Fri, 22 Oct 2010 19:52:21 -0400 Subject: [Freeipa-devel] [PATCH] admiyo-freeipa-0064-Multivalue-fixes.patch In-Reply-To: <4CC1FEC1.60508@redhat.com> References: <4CC1F3D3.6010103@redhat.com> <4CC1FEC1.60508@redhat.com> Message-ID: <4CC223B5.1020709@redhat.com> On 10/22/2010 05:14 PM, Rob Crittenden wrote: > Adam Young wrote: >> https://fedorahosted.org/freeipa/ticket/384 >> >> Strikethrough is now a toggle >> undo resets value to blank for new entries. > > ack Pushed to master From ayoung at redhat.com Fri Oct 22 23:57:01 2010 
From: ayoung at redhat.com (Adam Young) Date: Fri, 22 Oct 2010 19:57:01 -0400 Subject: [Freeipa-devel] [PATCH] Add fail-safe defaults to time and size limits in ldap2 searches. In-Reply-To: <4CC1FD5D.4020306@redhat.com> References: <4CB704D9.1050606@redhat.com> <4CB705DA.60607@redhat.com> <4CBF01B3.8060700@redhat.com> <4CBF6262.8020106@redhat.com> <4CC01902.1040500@redhat.com> <4CC1FD5D.4020306@redhat.com> Message-ID: <4CC224CD.7090501@redhat.com> On 10/22/2010 05:08 PM, Rob Crittenden wrote: > Pavel Zuna wrote: >> On 10/20/2010 11:42 PM, Rob Crittenden wrote: >>> Pavel Zuna wrote: >>>> On 10/14/2010 03:30 PM, Rob Crittenden wrote: >>>>> Pavel Zuna wrote: >>>>>> There was no default value set even though we were using config.get >>>>>> and >>>>>> it was throwing exceptions if someone deleted one of the related >>>>>> config >>>>>> values. >>>>>> >>>>>> Pavel >>>>> >>>>> Is this needed since get_ipa_config() will always return something >>>>> for >>>>> time and search limits? >>>>> >>>>> rob >>>> >>>> Yes, because get_ipa_config will return defaults for time and search >>>> limits only when the whole ipaConfig entry isn't found. >>>> >>>> I reworked the patch, so that defaults are always returned by >>>> get_ipa_config, but I left changes from the previous version, >>>> because it >>>> doesn't hurt anything and is a (very little) bit safer. >>>> >>>> New version attached. >>>> >>>> Pavel >>> >>> I see your point. One can do 'ipa config-mod --searchtimelimit=` and >>> blam, everything stops working. This still seems like a bit of a >>> cover-up fix for that. Should we prevent these attributes from being >>> removed? >> >> We could do that, but it's always possible to delete the attribute using >> ldapmodify or some other tool. >> >>> >>> rob >> >> Pavel > > Ok, your patch certainly won't hurt anything. Ack. 
> > rob > > _______________________________________________ > Freeipa-devel mailing list > Freeipa-devel at redhat.com > https://www.redhat.com/mailman/listinfo/freeipa-devel Pushed to master From ayoung at redhat.com Sat Oct 23 01:19:16 2010 From: ayoung at redhat.com (Adam Young) Date: Fri, 22 Oct 2010 21:19:16 -0400 Subject: [Freeipa-devel] Should we remove the reset button? Message-ID: <4CC23814.1040102@redhat.com> http://www.useit.com/alertbox/20000416.html Since we have line level undo (which he advocates) perhaps the reset button is not worth while. Since the user can reload the page at will, there is a built in reset button already, and the slight risk of hitting the wrong button may in fact outweigh the value of putting the feature in place. From rcritten at redhat.com Sat Oct 23 01:39:42 2010 From: rcritten at redhat.com (Rob Crittenden) Date: Fri, 22 Oct 2010 21:39:42 -0400 Subject: [Freeipa-devel] [PATCH] 561 set default python encoding to utf-8 In-Reply-To: <20101022174829.23158030@willson.li.ssimo.org> References: <4CACB71A.90103@redhat.com> <20101022174829.23158030@willson.li.ssimo.org> Message-ID: <4CC23CDE.1090207@redhat.com> Simo Sorce wrote: > On Wed, 06 Oct 2010 13:51:22 -0400 > Rob Crittenden wrote: > >> Add a module that we will load that will set the default encoding to >> utf-8 instead of ascii. >> >> $ python >> >>> import sys >> >>> sys.getdefaultencoding() >> 'ascii' >> >>> import default_encoding_utf8 >> >>> sys.getdefaultencoding() >> 'utf-8' >> >> This will be linked into IPA in a future patch. The code was written >> by John, I'm just packaging it, so he gets all the credit :-) >> >> Since I was messing with the spec file I also removed glob that was >> pulling in a slew of duplicate files for the UI. > > Ack. > pushed to master From rcritten at redhat.com Sat Oct 23 01:40:45 2010 
From: rcritten at redhat.com (Rob Crittenden) Date: Fri, 22 Oct 2010 21:40:45 -0400 Subject: [Freeipa-devel] [PATCH] 562 set default encoding, print as unicode In-Reply-To: <20101022174941.1f3d281b@willson.li.ssimo.org> References: <4CACBC18.2010005@redhat.com> <20101022174941.1f3d281b@willson.li.ssimo.org> Message-ID: <4CC23D1D.7090607@redhat.com> Simo Sorce wrote: > On Wed, 06 Oct 2010 14:12:40 -0400 > Rob Crittenden wrote: > >> Set default encoding to utf-8, use unicode when printing output. >> >> The Gettext() object only does the lookup when you print it as a >> unicode. >> >> ticket 308 >> >> This patch indirectly relies on patch 561 which provides the encoding >> plugin that this loads. >> >> rob > > ACK > > Simo. > pushed to master From rcritten at redhat.com Sat Oct 23 01:43:50 2010 
From: rcritten at redhat.com (Rob Crittenden) Date: Fri, 22 Oct 2010 21:43:50 -0400 Subject: [Freeipa-devel] [PATCH] 566 disallow writes on some attributes In-Reply-To: <20101022175715.4add3ac8@willson.li.ssimo.org> References: <4CAF6B1C.3080704@redhat.com> <4CAF6C09.70001@redhat.com> <20101022175715.4add3ac8@willson.li.ssimo.org> Message-ID: <4CC23DD6.1090007@redhat.com> Simo Sorce wrote: > On Fri, 08 Oct 2010 15:07:53 -0400 > Rob Crittenden wrote: > >> Rob Crittenden wrote: >>> Disallow writes on serverHostName, enrolledBy and memberOf >>> >>> Regular users already can't write these, it just affects admins. >>> >>> serverHostName because this is tied to the FQDN so should only be >>> changed on a host rename (which we don't do). >>> >>> enrolledBy because this should reflect reality. >>> >>> memberOf because the plugin should do this. Directly managing this >>> attribute would be pretty dangerous and confusing. >>> >>> Also remove a redundant aci granting the admins group write access >>> to users and groups. They have it through the "admins can >>> modify any entry" aci. >>> >>> tickets 300, 302, 304 >>> >>> rob >> >> Updated patch. We need to allow writing enrolledBy so we can actually >> enroll a host! I'll have to prevent writes to this by other means or >> through a more specific aci. >> >> rob > > ACK. > > Simo. > pushed to master From rcritten at redhat.com Sat Oct 23 01:44:03 2010 
From: rcritten at redhat.com (Rob Crittenden) Date: Fri, 22 Oct 2010 21:44:03 -0400 Subject: [Freeipa-devel] [PATCH] 577 Grant /usr/sbin/ipa_kpasswd "name_bind" access. In-Reply-To: <20101022175857.38ff84fe@willson.li.ssimo.org> References: <4CB74FC0.5000706@redhat.com> <20101022175857.38ff84fe@willson.li.ssimo.org> Message-ID: <4CC23DE3.1000606@redhat.com> Simo Sorce wrote: > On Thu, 14 Oct 2010 14:45:20 -0400 > Rob Crittenden wrote: > >> Fix an SELinux problem by granting /usr/sbin/ipa_kpasswd "name_bind" >> access. >> >> This requires selinux-policy-3.6.32-123 on F12 and I took an educated >> guess and set the minimum on F13 to selinux-policy-3.7.19-40. >> >> ticket 73 > > ACK > > Simo. > pushed to master From rcritten at redhat.com Sat Oct 23 01:45:29 2010 
From: rcritten at redhat.com (Rob Crittenden) Date: Fri, 22 Oct 2010 21:45:29 -0400 Subject: [Freeipa-devel] [PATCH] 581 remove enrolledBy when unenrolled In-Reply-To: <20101022180907.41cf5bbd@willson.li.ssimo.org> References: <4CB8C72B.4090308@redhat.com> <20101015181558.304fa2d2@willson.li.ssimo.org> <4CB8D597.8040802@redhat.com> <4CBC4E68.9060804@redhat.com> <4CBF5BD0.7000206@redhat.com> <20101022180907.41cf5bbd@willson.li.ssimo.org> Message-ID: <4CC23E39.1080209@redhat.com> Simo Sorce wrote: > On Wed, 20 Oct 2010 17:14:56 -0400 > Rob Crittenden wrote: > >> Rob Crittenden wrote: >>> Dmitri Pal wrote: >>>> Simo Sorce wrote: >>>>> On Fri, 15 Oct 2010 17:27:07 -0400 >>>>> Rob Crittenden wrote: >>>>> >>>>> >>>>>> Remove the enrolledBy when a host is unenrolled (which is the >>>>>> same as disabling the host). >>>>>> >>>>>> ticket 301 >>>>>> >>>>>> rob >>>>>> >>>>> >>>>> nack, if host can write enrolledBy it can fake info >>>>> >>>>> Simo. >>>>> >>>>> >>>> I agree. I think it should be "delete" rather than "write". >>>> >>> >>> The delete permission is for entries, not for attributes. >>> >>> I'll need to ask the 389-ds guys about how to do this, though I >>> think it may be via an attr value aci which will require some work >>> in our aci plugin because it doesn't currently support them. >>> >>> rob >> >> Updated patch to clear out enrolledBy when a host is unenrolled. >> >> This uses a targattrfilters aci that says that enrolledBy can be >> deleted if it is not empty. We also require that krblastpwddchange be >> empty, so you can't simply delete enrolledby on an enrolled host. >> >> host-disable first deletes the principalkey and lastpwdchange and then >> removes the enrollment. >> >> ticket 301 > > This patch looks good but I was a bit surprised to see that you use > krblastpwdchange as a trigger. Why not the principal key ? Because we can't read the principal key (by design). 
> > Also if I read it right > (targattrfilters="del=enrolledby:(enrolledBy=*)") allows you to > delete enrolledBy but not to change it to another value. > This prevents misrepresenting who enrolled the host, but still allows > the host to remove the information (the host can remove > krblastpwdchange first and then re-add it right ?) Yes, I suppose that's possible. > > So I am wondering if we really solve all relevant abuses with > this patch (some of it is solved) or if we are still leaving the door > open to something. > > Simo. > Ok, I'll reconsider this some more. rob From rcritten at redhat.com Sat Oct 23 01:45:50 2010 From: rcritten at redhat.com (Rob Crittenden) Date: Fri, 22 Oct 2010 21:45:50 -0400 Subject: [Freeipa-devel] [PATCH] 584 fix 2 tests In-Reply-To: <20101022181357.19d71dad@willson.li.ssimo.org> References: <4CBF24A1.3040105@redhat.com> <20101022181357.19d71dad@willson.li.ssimo.org> Message-ID: <4CC23E4E.5010107@redhat.com> Simo Sorce wrote: > On Wed, 20 Oct 2010 13:19:29 -0400 > Rob Crittenden wrote: > >> The first test is a mismatch in the sample output of an exception. >> >> The second test adds certificate information output to the service >> plugin. > > ACK > > Simo. > pushed to master rob From ayoung at redhat.com Sat Oct 23 01:49:18 2010 From: ayoung at redhat.com (Adam Young) Date: Fri, 22 Oct 2010 21:49:18 -0400 Subject: [Freeipa-devel] Proposed deltion of Git branches origin/webui-details and origin/webui-cleanup Message-ID: <4CC23F1E.3030509@redhat.com> Unless anyone objects, I will delete these two branches. They have no commits on them that are not reflected in the master, and provide no useful purpose. From ayoung at redhat.com Sat Oct 23 01:56:24 2010 
From: ayoung at redhat.com (Adam Young) Date: Fri, 22 Oct 2010 21:56:24 -0400 Subject: [Freeipa-devel] Bulk IPA commands In-Reply-To: <4CC205C9.40203@redhat.com> References: <4CBDF291.7000204@redhat.com> <4CBDF3DA.8000903@redhat.com> <4CBE1BB9.5070407@redhat.com> <4CBEEEB8.5030108@redhat.com> <4CBEFFD8.60906@redhat.com> <4CBF0108.1010407@redhat.com> <4CBF2FF0.1020303@redhat.com> <4CC1E105.7030107@redhat.com> <4CC1EF31.3050608@redhat.com> <4CC1F488.8020704@redhat.com> <4CC205C9.40203@redhat.com> Message-ID: <4CC240C8.9050109@redhat.com> > Ah, ok. I think something like: > > MULTICALL: list of CALL > > CALL: dict(METHODNAME, ARGS, OPTIONS) > > METHODNAME: string > > ARGS: list > > OPTIONS: dict > > ex: This looks right, but I lack the Python knowledge to translate this directly to code. Is this something that would be declared in the plugin, or in params.py? Or is this just thinking out loud? > > [ > {'method': 'user_show', > 'args': ['admin'], > 'options': {'all': True, 'raw': True} > }, > {'method': 'user_show', > 'args': ['kfrog'], > 'options': {'all': True, 'raw': True} > }, > ] This would go in the first param field, or as the overall set of params? Can you show the context around how you'd suggest this be called? > > IIRC this is pretty similar to what you first proposed. > > rob From ssorce at redhat.com Sat Oct 23 15:23:01 2010 
From: ssorce at redhat.com (Simo Sorce) Date: Sat, 23 Oct 2010 11:23:01 -0400 Subject: [Freeipa-devel] Should we remove the reset button? In-Reply-To: <4CC23814.1040102@redhat.com> References: <4CC23814.1040102@redhat.com> Message-ID: <20101023112301.4fa76e02@willson.li.ssimo.org> On Fri, 22 Oct 2010 21:19:16 -0400 Adam Young wrote: > http://www.useit.com/alertbox/20000416.html > > Since we have line level undo (which he advocates) perhaps the reset > button is not worth while. Since the user can reload the page at > will, there is a built in reset button already, and the slight risk > of hitting the wrong button may in fact outweigh the value of putting > the feature in place. I wouldn't be opposed to removing it. Simo. -- Simo Sorce * Red Hat, Inc * New York From dpal at redhat.com Sun Oct 24 21:45:06 2010 From: dpal at redhat.com (Dmitri Pal) Date: Sun, 24 Oct 2010 17:45:06 -0400 Subject: [Freeipa-devel] Should we remove the reset button? In-Reply-To: <4CC23814.1040102@redhat.com> References: <4CC23814.1040102@redhat.com> Message-ID: <4CC4A8E2.7070709@redhat.com> Adam Young wrote: > http://www.useit.com/alertbox/20000416.html > > Since we have line level undo (which he advocates) perhaps the reset > button is not worth while. Since the user can reload the page at > will, there is a built in reset button already, and the slight risk > of hitting the wrong button may in fact outweigh the value of putting > the feature in place. > > _______________________________________________ > Freeipa-devel mailing list > Freeipa-devel at redhat.com > https://www.redhat.com/mailman/listinfo/freeipa-devel > > Good point might be worth reevaluating. Ben? -- Thank you, Dmitri Pal Engineering Manager IPA project, Red Hat Inc. ------------------------------- Looking to carve out IT costs? www.redhat.com/carveoutcosts/ From dpal at redhat.com Mon Oct 25 02:40:33 2010 
From: dpal at redhat.com (Dmitri Pal) Date: Sun, 24 Oct 2010 22:40:33 -0400 Subject: [Freeipa-devel] [Fwd: [freeipa] #402: SUDO command attribute should be case sensitive] In-Reply-To: <4CC20D53.1090503@redhat.com> References: <4CBF4619.9020404@redhat.com> <20101022181502.3ac29fdd@willson.li.ssimo.org> <4CC20D53.1090503@redhat.com> Message-ID: <4CC4EE21.6000404@redhat.com> Dmitri Pal wrote: > Simo Sorce wrote: > >> On Wed, 20 Oct 2010 15:42:17 -0400 >> Dmitri Pal wrote: >> >> >> >>> Any suggestions what it should be? >>> Should we create a new attribute or there is something handy to reuse? >>> >>> >> Probably makes sense to add a custom attribute, properly named. >> >> >> > Ok I will propose one. > The attached patch should address the issue. I did the change but I have not done the build so view this patch as a proposal. -- Thank you, Dmitri Pal Engineering Manager IPA project, Red Hat Inc. ------------------------------- Looking to carve out IT costs? www.redhat.com/carveoutcosts/ -------------- next part -------------- A non-text attachment was scrubbed... Name: 0001--SUDO-3.-Changing-command-attr-to-be-case-sensitive.patch Type: text/x-patch Size: 3806 bytes Desc: not available URL: From bdubrovsky at redhat.com Mon Oct 25 12:23:35 2010 
From: bdubrovsky at redhat.com (Ben Dubrovsky) Date: Mon, 25 Oct 2010 08:23:35 -0400 Subject: [Freeipa-devel] Should we remove the reset button? In-Reply-To: <4CC4A8E2.7070709@redhat.com> References: <4CC23814.1040102@redhat.com> <4CC4A8E2.7070709@redhat.com> Message-ID: <9521E8DD-7E5F-4BB7-B36D-48F112AA44A8@redhat.com> Hi, I'm sympathetic to the argument that Nielsen makes about reset. One thing to consider, however, is that he's arguing from a point of view that differentiates applications from web pages -- that when people are using the web, they are in a different kind of environment from applications, and therefore, "back" is equivalent to "reset". His argument relies on the idea that most people will easily and definitively understand the affordances of the web, vs those of an application. I'm not so sure I agree with that. I think we're blurring the line between web site and application, and our users will be really focused on their work -- they may be conditioned to think "application" for LDAP type management, even though the delivery is in a browser. That said -- I'm OK removing the "reset" button as a device, but would still like to have the functionality to support the case where a user says, "Ah - darn. I was looking at the wrong piece of paper, and I have to start over again quickly." **My suggestion for that is to expand on Adam's line-level undo, and put a link on the screen somewhere that allows the user to "undo all" or something like that.** I do think we need a "Cancel" button still, though. There is something far more definitive in a user clicking "Cancel" than hitting "Back". On Oct 24, 2010, at 5:45 PM, Dmitri Pal wrote: > Adam Young wrote: >> http://www.useit.com/alertbox/20000416.html >> >> Since we have line level undo (which he advocates) perhaps the reset >> button is not worth while. 
Since the user can reload the page at >> will, there is a built in reset button already, and the slight risk >> of hitting the wrong button may in fact outweigh the value of putting >> the feature in place. >> >> _______________________________________________ >> Freeipa-devel mailing list >> Freeipa-devel at redhat.com >> https://www.redhat.com/mailman/listinfo/freeipa-devel >> >> > Good point might be worth reevaluating. > Ben? > > -- > Thank you, > Dmitri Pal > > Engineering Manager IPA project, > Red Hat Inc. > > > ------------------------------- > Looking to carve out IT costs? > www.redhat.com/carveoutcosts/ > From ayoung at redhat.com Mon Oct 25 13:50:53 2010 
From: ayoung at redhat.com (Adam Young) Date: Mon, 25 Oct 2010 09:50:53 -0400 Subject: [Freeipa-devel] Should we remove the reset button? In-Reply-To: <9521E8DD-7E5F-4BB7-B36D-48F112AA44A8@redhat.com> References: <4CC23814.1040102@redhat.com> <4CC4A8E2.7070709@redhat.com> <9521E8DD-7E5F-4BB7-B36D-48F112AA44A8@redhat.com> Message-ID: <4CC58B3D.2020203@redhat.com> On 10/25/2010 08:23 AM, Ben Dubrovsky wrote: > Hi, > > I'm sympathetic to the argument that Nielsen makes about reset. > > One thing to consider, however, is that he's arguing from a point of view that differentiates applications from web pages -- that when people are using the web, they are in a different kind of environment from applications, and therefore, "back" is equivalent to "reset". His argument relies on the idea that most people will easily and definitively understand the affordances of the web, vs those of an application. > > I'm not so sure I agree with that. I think we're blurring the line between web site and application, and our users will be really focused on their work -- they may be conditioned to think "application" for LDAP type management, even though the delivery is in a browser. > > That said -- I'm OK removing the "reset" button as a device, but would still like to have the functionality to support the case where a user says, "Ah - darn. I was looking at the wrong piece of paper, and I have to start over again quickly." > Yeah. And considering that Back for this would take you to search (most likely) but not to a blank form, probably doesn't equate. I'm going to suggest that we spread the buttons out a bit, and get the rest out of the "good" area of the screen so that it doesn't get hit by accident. I've been reading a bit through the history of Nielsen's blog. He has some interesting points. 
One that I think is very interesting is his idea about mega menus: http://www.useit.com/alertbox/mega-dropdown-menus.html There seems to be a pretty good implementation for JQuery, so if we decided to go that way, it wouldn't be that bad. I think that they would make our Nav a little bit cleaner, as we kind of make things tricky with the multi level tabs. Before we made any changes like that, though, I would like to have some usability testing done. Is there any way we could co-opt a few people for, say, 1/2 an hour and run them through doing the basics, and get feedback on how easy/hard it is to use our UI? Even if it has been done before, it hasn't been done with the working product, and I think it would be even more valuable if those of us on the UI implementation team could witness it, even if only virtually. Just some ideas for post 2.0 > **My suggestion for that is to expand on Adam's line-level undo, and put a link on the screen somewhere that allows the user to "undo all" or something like that.** > > I do think we need a "Cancel" button still, though. There is something far more definitive in a user clicking "Cancel" than hitting "Back". > > > > On Oct 24, 2010, at 5:45 PM, Dmitri Pal wrote: > > >> Adam Young wrote: >> >>> http://www.useit.com/alertbox/20000416.html >>> >>> Since we have line level undo (which he advocates) perhaps the reset >>> button is not worth while. Since the user can reload the page at >>> will, there is a built in reset button already, and the slight risk >>> of hitting the wrong button may in fact outweigh the value of putting >>> the feature in place. >>> >>> _______________________________________________ >>> Freeipa-devel mailing list >>> Freeipa-devel at redhat.com >>> https://www.redhat.com/mailman/listinfo/freeipa-devel >>> >>> >>> >> Good point might be worth reevaluating. >> Ben? >> >> -- >> Thank you, >> Dmitri Pal >> >> Engineering Manager IPA project, >> Red Hat Inc. 
>> >> >> ------------------------------- >> Looking to carve out IT costs? >> www.redhat.com/carveoutcosts/ >> >> > From rcritten at redhat.com Mon Oct 25 14:39:06 2010 From: rcritten at redhat.com (Rob Crittenden) Date: Mon, 25 Oct 2010 10:39:06 -0400 Subject: [Freeipa-devel] [PATCH] #333 plugin to change kerberos principal name when user is renamed In-Reply-To: <20101022182228.51958ca2@willson.li.ssimo.org> References: <20101022173835.28204736@willson.li.ssimo.org> <4CC2064F.6000805@redhat.com> <20101022182228.51958ca2@willson.li.ssimo.org> Message-ID: <4CC5968A.1010003@redhat.com> Simo Sorce wrote: > On Fri, 22 Oct 2010 17:46:55 -0400 > Rob Crittenden wrote: > >> Simo Sorce wrote: >>> >>> This plugin intercepts a modrdn change so that when a user is >>> renamed the krbprincipalname is changed accordingly. >>> >>> The second patch activates the plugin. >>> >>> Simo. >> >> Should ipaModRDNscope be set to the user container instead of $SUFFIX? >> >> rob > > Good question, I was tempted but then I thought the filter was enough. > > I am open to changing it if you feel strongly, though. > > Simo. > Is this going to find users from the compat plugin? If not then it is ok as-is. rob From rcritten at redhat.com Mon Oct 25 14:42:59 2010 
From: rcritten at redhat.com (Rob Crittenden) Date: Mon, 25 Oct 2010 10:42:59 -0400 Subject: [Freeipa-devel] Should we remove the reset button? In-Reply-To: <4CC58B3D.2020203@redhat.com> References: <4CC23814.1040102@redhat.com> <4CC4A8E2.7070709@redhat.com> <9521E8DD-7E5F-4BB7-B36D-48F112AA44A8@redhat.com> <4CC58B3D.2020203@redhat.com> Message-ID: <4CC59773.4060408@redhat.com> Adam Young wrote: > On 10/25/2010 08:23 AM, Ben Dubrovsky wrote: >> Hi, >> >> I'm sympathetic to the argument that Nielsen makes about reset. >> >> One thing to consider, however, is that he's arguing from a point of >> view that differentiates applications from web pages -- that when >> people are using the web, they are in a different kind of environment >> from applications, and therefore, "back" is equivalent to "reset". His >> argument relies on the idea that most people will easily and >> definitively understand the affordances of the web, vs those of an >> application. >> >> I'm not so sure I agree with that. I think we're blurring the line >> between web site and application, and our users will be really focused >> on their work -- they may be conditioned to think "application" for >> LDAP type management, even though the delivery is in a browser. >> >> That said -- I'm OK removing the "reset" button as a device, but would >> still like to have the functionality to support the case where a user >> says, "Ah - darn. I was looking at the wrong piece of paper, and I >> have to start over again quickly." > > > Yeah. And considering that Back for this would take you to search (most > likely) but not to a blank form, probably doesn't equate. I'm going to > suggest that we spread the buttons out a bit, and get the rest out of > the "good" area of the screen so that it doesn't get hit by accident. > > I've been reading a bit through the history of Nielsen's blog. He has > some interesting points. 
One that I think is very interesting is his > idea about mega menus: > > http://www.useit.com/alertbox/mega-dropdown-menus.html > > > There seems to be a pretty good implementation for JQuery, so if we > decided to go that way, it wouldn't be that bad. I think that they would > make our Nav a little bit cleaner, as we kind of make things tricky with > the multi level tabs. > > Before we made any changes like that, though, I would like to have some > usability testing done. Is there any way we could co-opt a few people > for, say, 1/2 an hour and run them through doing the basics, and get > feedback on how easy/hard it is to use our UI? Even if it has been done > before, it hasn't been done with the working product, and I think it > would be even more valuable if those of us on the UI implementation team > could witness it, even if only virtually. > > Just some ideas for post 2.0 > I think the button should be positioned dynamically so that when the mouse comes within 2 pixels of the button it moves away. After the user chases the button around the screen for a while they'll see the undo links. rob From ayoung at redhat.com Mon Oct 25 14:45:53 2010 
From: ayoung at redhat.com (Adam Young) Date: Mon, 25 Oct 2010 10:45:53 -0400 Subject: [Freeipa-devel] Should we remove the reset button? In-Reply-To: <4CC59773.4060408@redhat.com> References: <4CC23814.1040102@redhat.com> <4CC4A8E2.7070709@redhat.com> <9521E8DD-7E5F-4BB7-B36D-48F112AA44A8@redhat.com> <4CC58B3D.2020203@redhat.com> <4CC59773.4060408@redhat.com> Message-ID: <4CC59821.3070408@redhat.com> On 10/25/2010 10:42 AM, Rob Crittenden wrote: > Adam Young wrote: >> On 10/25/2010 08:23 AM, Ben Dubrovsky wrote: >>> Hi, >>> >>> I'm sympathetic to the argument that Nielsen makes about reset. >>> >>> One thing to consider, however, is that he's arguing from a point of >>> view that differentiates applications from web pages -- that when >>> people are using the web, they are in a different kind of environment >>> from applications, and therefore, "back" is equivalent to "reset". His >>> argument relies on the idea that most people will easily and >>> definitively understand the affordances of the web, vs those of an >>> application. >>> >>> I'm not so sure I agree with that. I think we're blurring the line >>> between web site and application, and our users will be really focused >>> on their work -- they may be conditioned to think "application" for >>> LDAP type management, even though the delivery is in a browser. >>> >>> That said -- I'm OK removing the "reset" button as a device, but would >>> still like to have the functionality to support the case where a user >>> says, "Ah - darn. I was looking at the wrong piece of paper, and I >>> have to start over again quickly." >> >> >> Yeah. And considering that Back for this would take you to search (most >> likely) but not to a blank form, probably doesn't equate. I'm going to >> suggest that we spread the buttons out a bit, and get the rest out of >> the "good" area of the screen so that it doesn't get hit by accident. >> >> I've been reading a bit through the history of Nielsen's blog. 
He has >> some interesting points. One that I think is very interesting is his >> idea about mega menus: >> >> http://www.useit.com/alertbox/mega-dropdown-menus.html >> >> >> There seems to be a pretty good implementation for JQuery, so if we >> decided to go that way, it wouldn't be that bad. I think that they would >> make our Nav a little bit cleaner, as we kind of make things tricky with >> the multi level tabs. >> >> Before we made any changes like that, though, I would like to have some >> usability testing done. Is there any way we could co-opt a few people >> for, say, 1/2 an hour and run them through doing the basics, and get >> feedback on how easy/hard it is to use our UI? Even if it has been done >> before, it hasn't been done with the working product, and I think it >> would be even more valuable if those of us on the UI implementation team >> could witness it, even if only virtually. >> >> Just some ideas for post 2.0 >> > > I think the button should be positioned dynamically so that when the > mouse comes within 2 pixels of the button it moves away. After the > user chases the button around the screen for a while they'll see the > undo links. > > rob +1 From ssorce at redhat.com Mon Oct 25 14:49:56 2010 
From: ssorce at redhat.com (Simo Sorce) Date: Mon, 25 Oct 2010 10:49:56 -0400 Subject: [Freeipa-devel] [PATCH] #333 plugin to change kerberos principal name when user is renamed In-Reply-To: <4CC5968A.1010003@redhat.com> References: <20101022173835.28204736@willson.li.ssimo.org> <4CC2064F.6000805@redhat.com> <20101022182228.51958ca2@willson.li.ssimo.org> <4CC5968A.1010003@redhat.com> Message-ID: <20101025104956.11d96e09@willson.li.ssimo.org> On Mon, 25 Oct 2010 10:39:06 -0400 Rob Crittenden wrote: > Simo Sorce wrote: > > On Fri, 22 Oct 2010 17:46:55 -0400 > > Rob Crittenden wrote: > > > >> Simo Sorce wrote: > >>> > >>> This plugin intercepts a modrdn change so that when a user is > >>> renamed the krbprincipalname is changed accordingly. > >>> > >>> The second patch activates the plugin. > >>> > >>> Simo. > >> > >> Should ipaModRDNscope be set to the user container instead of > >> $SUFFIX? > >> > >> rob > > > > Good question, I was tempted but then I thought the filter was > > enough. > > > > I am open to changing it if you feel strongly, though. > > > > Simo. > > > > Is this going to find users from the compat plugin? If not then it is > ok as-is. Can you do a modrdn modification on a compat plugin entry ? Simo. -- Simo Sorce * Red Hat, Inc * New York From rcritten at redhat.com Mon Oct 25 14:52:00 2010 From: rcritten at redhat.com (Rob Crittenden) Date: Mon, 25 Oct 2010 10:52:00 -0400 Subject: [Freeipa-devel] admiyo-freeipa-0059-sample-data-for-DNS.patch In-Reply-To: <4CB8AFEE.3090406@redhat.com> References: <4CB8AFEE.3090406@redhat.com> Message-ID: <4CC59990.1030602@redhat.com> Adam Young wrote: > This fixes the file: URL for displaying DNS search page. > ack From rcritten at redhat.com Mon Oct 25 14:52:41 2010 
From: rcritten at redhat.com (Rob Crittenden)
Date: Mon, 25 Oct 2010 10:52:41 -0400
Subject: [Freeipa-devel] [PATCH] admiyo-freeipa-0063-dns-work.patch
In-Reply-To: <4CC1C6C2.7040002@redhat.com>
References: <4CC1C6C2.7040002@redhat.com>
Message-ID: <4CC599B9.9050604@redhat.com>

Adam Young wrote:
> Implementation of the UI for DNS records.
>
> Search uses filters.
>
> Much of the code has been cut and pasted from search.js and add.js, but
> then significantly modified. Moving forward, we'll have to determine if
> it is worth the effort to integrate.
>

ack

From rcritten at redhat.com Mon Oct 25 14:53:19 2010
From: rcritten at redhat.com (Rob Crittenden)
Date: Mon, 25 Oct 2010 10:53:19 -0400
Subject: [Freeipa-devel] [PATCH] #333 plugin to change kerberos principal name when user is renamed
In-Reply-To: <20101025104956.11d96e09@willson.li.ssimo.org>
References: <20101022173835.28204736@willson.li.ssimo.org> <4CC2064F.6000805@redhat.com> <20101022182228.51958ca2@willson.li.ssimo.org> <4CC5968A.1010003@redhat.com> <20101025104956.11d96e09@willson.li.ssimo.org>
Message-ID: <4CC599DF.7050402@redhat.com>

Simo Sorce wrote:
> On Mon, 25 Oct 2010 10:39:06 -0400
> Rob Crittenden wrote:
>
>> Simo Sorce wrote:
>>> On Fri, 22 Oct 2010 17:46:55 -0400
>>> Rob Crittenden wrote:
>>>
>>>> Simo Sorce wrote:
>>>>>
>>>>> This plugin intercepts a modrdn change so that when a user is
>>>>> renamed the krbprincipalname is changed accordingly.
>>>>>
>>>>> The second patch activates the plugin.
>>>>>
>>>>> Simo.
>>>>
>>>> Should ipaModRDNscope be set to the user container instead of
>>>> $SUFFIX?
>>>>
>>>> rob
>>>
>>> Good question, I was tempted but then I thought the filter was
>>> enough.
>>>
>>> I am open to changing it if you feel strongly, though.
>>>
>>> Simo.
>>>
>>
>> Is this going to find users from the compat plugin? If not then it is
>> ok as-is.
>
> Can you do a modrdn modification on a compat plugin entry ?
>
> Simo.
>

Well, right, I don't know :-) And if not, what error would be raised and do/should we catch it?

rob

From ayoung at redhat.com Mon Oct 25 15:26:34 2010
From: ayoung at redhat.com (Adam Young)
Date: Mon, 25 Oct 2010 11:26:34 -0400
Subject: [Freeipa-devel] [PATCH] admiyo-freeipa-0063-dns-work.patch
In-Reply-To: <4CC599B9.9050604@redhat.com>
References: <4CC1C6C2.7040002@redhat.com> <4CC599B9.9050604@redhat.com>
Message-ID: <4CC5A1AA.7010307@redhat.com>

On 10/25/2010 10:52 AM, Rob Crittenden wrote:
> Adam Young wrote:
>> Implementation of the UI for DNS records.
>>
>> Search uses filters.
>>
>> Much of the code has been cut and pasted from search.js and add.js, but
>> then significantly modified. Moving forward, we'll have to determine if
>> it is worth the effort to integrate.
>>
>
> ack

Actually, NACKed by edewata due to comments made on review board. Fixes being made now.

From nalin at redhat.com Mon Oct 25 15:42:09 2010
From: nalin at redhat.com (Nalin Dahyabhai)
Date: Mon, 25 Oct 2010 11:42:09 -0400
Subject: [Freeipa-devel] [PATCH] #333 plugin to change kerberos principal name when user is renamed
In-Reply-To: <4CC599DF.7050402@redhat.com>
References: <20101022173835.28204736@willson.li.ssimo.org> <4CC2064F.6000805@redhat.com> <20101022182228.51958ca2@willson.li.ssimo.org> <4CC5968A.1010003@redhat.com> <20101025104956.11d96e09@willson.li.ssimo.org> <4CC599DF.7050402@redhat.com>
Message-ID: <20101025154209.GA27373@redhat.com>

On Mon, Oct 25, 2010 at 10:53:19AM -0400, Rob Crittenden wrote:
> Simo Sorce wrote:
> >Can you do a modrdn modification on a compat plugin entry ?
>
> Well, right, I don't know :-) And if not, what error would be raised and
> do/should we catch it?

You should get an insufficient-access (0.17 and earlier) or unwilling-to-perform (0.18 and later) error result.

Nalin

From ssorce at redhat.com Mon Oct 25 15:45:45 2010
From: ssorce at redhat.com (Simo Sorce)
Date: Mon, 25 Oct 2010 11:45:45 -0400
Subject: [Freeipa-devel] [PATCH] #333 plugin to change kerberos principal name when user is renamed
In-Reply-To: <20101025154209.GA27373@redhat.com>
References: <20101022173835.28204736@willson.li.ssimo.org> <4CC2064F.6000805@redhat.com> <20101022182228.51958ca2@willson.li.ssimo.org> <4CC5968A.1010003@redhat.com> <20101025104956.11d96e09@willson.li.ssimo.org> <4CC599DF.7050402@redhat.com> <20101025154209.GA27373@redhat.com>
Message-ID: <20101025114545.042d463f@willson.li.ssimo.org>

On Mon, 25 Oct 2010 11:42:09 -0400
Nalin Dahyabhai wrote:

> On Mon, Oct 25, 2010 at 10:53:19AM -0400, Rob Crittenden wrote:
> > Simo Sorce wrote:
> > >Can you do a modrdn modification on a compat plugin entry ?
> >
> > Well, right, I don't know :-) And if not, what error would be
> > raised and do/should we catch it?
>
> You should get an insufficient-access (0.17 and earlier) or
> unwilling-to-perform (0.18 and later) error result.

And I guess this happens quite early.
The ipa_modrdn plugin is invoked only as a post op, so if an error is thrown earlier I think it is not even invoked.

Simo.

--
Simo Sorce * Red Hat, Inc * New York

From ayoung at redhat.com Mon Oct 25 15:48:14 2010
From: ayoung at redhat.com (Adam Young)
Date: Mon, 25 Oct 2010 11:48:14 -0400
Subject: [Freeipa-devel] admiyo-freeipa-0059-sample-data-for-DNS.patch
In-Reply-To: <4CC59990.1030602@redhat.com>
References: <4CB8AFEE.3090406@redhat.com> <4CC59990.1030602@redhat.com>
Message-ID: <4CC5A6BE.4080700@redhat.com>

On 10/25/2010 10:52 AM, Rob Crittenden wrote:
> Adam Young wrote:
>> This fixes the file: URL for displaying DNS search page.
>>
>
> ack

Pushed to master

From nalin at redhat.com Mon Oct 25 15:54:10 2010
From: nalin at redhat.com (Nalin Dahyabhai)
Date: Mon, 25 Oct 2010 11:54:10 -0400
Subject: [Freeipa-devel] [PATCH] #333 plugin to change kerberos principal name when user is renamed
In-Reply-To: <20101025114545.042d463f@willson.li.ssimo.org>
References: <20101022173835.28204736@willson.li.ssimo.org> <4CC2064F.6000805@redhat.com> <20101022182228.51958ca2@willson.li.ssimo.org> <4CC5968A.1010003@redhat.com> <20101025104956.11d96e09@willson.li.ssimo.org> <4CC599DF.7050402@redhat.com> <20101025154209.GA27373@redhat.com> <20101025114545.042d463f@willson.li.ssimo.org>
Message-ID: <20101025155410.GB27373@redhat.com>

On Mon, Oct 25, 2010 at 11:45:45AM -0400, Simo Sorce wrote:
> On Mon, 25 Oct 2010 11:42:09 -0400
> Nalin Dahyabhai wrote:
>
> > On Mon, Oct 25, 2010 at 10:53:19AM -0400, Rob Crittenden wrote:
> > > Simo Sorce wrote:
> > > >Can you do a modrdn modification on a compat plugin entry ?
> > >
> > > Well, right, I don't know :-) And if not, what error would be
> > > raised and do/should we catch it?
> >
> > You should get an insufficient-access (0.17 and earlier) or
> > unwilling-to-perform (0.18 and later) error result.
>
> And I guess this happens quite early.
> The ipa_modrdn plugin is invoked only as a post op, so if an error is
> thrown earlier I think it is not even invoked.

Right, the error's returned by a preop callback, so the postop callback in this plugin shouldn't be invoked.

Nalin

From adam at younglogic.com Mon Oct 25 15:46:40 2010
From: adam at younglogic.com (Adam Young)
Date: Mon, 25 Oct 2010 11:46:40 -0400
Subject: [Freeipa-devel] [PATCH] admiyo-freeipa-0065-remove-rule-for-inc-files.patch
Message-ID: <4CC5A660.9040501@younglogic.com>

Pushed under the 1 line rule

-------------- next part --------------
A non-text attachment was scrubbed...
Name: admiyo-freeipa-0065-remove-rule-for-inc-files.patch
Type: text/x-patch
Size: 627 bytes
Desc: not available
URL:

From ayoung at redhat.com Mon Oct 25 17:09:25 2010
From: ayoung at redhat.com (Adam Young)
Date: Mon, 25 Oct 2010 13:09:25 -0400
Subject: [Freeipa-devel] [PATCH] remove inc rule from spec
Message-ID: <4CC5B9C5.5020108@redhat.com>

pushed under the 1 line rule

-------------- next part --------------
A non-text attachment was scrubbed...
Name: admiyo-freeipa-0065-remove-rule-for-inc-files.patch
Type: text/x-patch
Size: 627 bytes
Desc: not available
URL:

From ayoung at redhat.com Mon Oct 25 18:10:16 2010
From: ayoung at redhat.com (Adam Young)
Date: Mon, 25 Oct 2010 14:10:16 -0400
Subject: [Freeipa-devel] [PATCH] admiyo-freeipa-0063-dns-work.patch
In-Reply-To: <4CC5A1AA.7010307@redhat.com>
References: <4CC1C6C2.7040002@redhat.com> <4CC599B9.9050604@redhat.com> <4CC5A1AA.7010307@redhat.com>
Message-ID: <4CC5C808.5000703@redhat.com>

On 10/25/2010 11:26 AM, Adam Young wrote:
> On 10/25/2010 10:52 AM, Rob Crittenden wrote:
>> Adam Young wrote:
>>> Implementation of the UI for DNS records.
>>>
>>> Search uses filters.
>>>
>>> Much of the code has been cut and pasted from search.js and add.js, but
>>> then significantly modified. Moving forward, we'll have to determine if
>>> it is worth the effort to integrate.
>>>
>>
>> ack
> Actually, NACKed by edewata due to comments made on review board.
> Fixes being made now.

Updated with fixes from https://fedorahosted.org/reviewboard/r/96/

-------------- next part --------------
A non-text attachment was scrubbed...
Name: admiyo-freeipa-0063--2-dns-records.patch
Type: text/x-patch
Size: 22428 bytes
Desc: not available
URL:

From ayoung at redhat.com Mon Oct 25 18:20:59 2010
From: ayoung at redhat.com (Adam Young)
Date: Mon, 25 Oct 2010 14:20:59 -0400
Subject: [Freeipa-devel] [PATCH] admiyo-freeipa-0066-find_entries-param.patch
Message-ID: <4CC5CA8B.2000208@redhat.com>

find_entries param

Fixes a bug where find_entries was not passed a parameter for filter. Instead of fixing the call point, this patch adds a default value for the parameter,

-------------- next part --------------
A non-text attachment was scrubbed...
Name: admiyo-freeipa-0066-find_entries-param.patch
Type: text/x-patch
Size: 1337 bytes
Desc: not available
URL:

From rcritten at redhat.com Mon Oct 25 18:26:47 2010
From: rcritten at redhat.com (Rob Crittenden)
Date: Mon, 25 Oct 2010 14:26:47 -0400
Subject: [Freeipa-devel] [PATCH] 585 entitlement plugin
Message-ID: <4CC5CBE7.6000204@redhat.com>

Add entitlement plugin for counting client entitlements. This just adds the capability to tie to a candlepin server or manually import entitlement certificates. The code to use these to count clients is still under development.

rob

-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-585-entitle.patch
Type: application/mbox
Size: 25218 bytes
Desc: not available
URL:

From rcritten at redhat.com Mon Oct 25 19:19:34 2010
From: rcritten at redhat.com (Rob Crittenden)
Date: Mon, 25 Oct 2010 15:19:34 -0400
Subject: [Freeipa-devel] [PATCH] admiyo-freeipa-0066-find_entries-param.patch
In-Reply-To: <4CC5CA8B.2000208@redhat.com>
References: <4CC5CA8B.2000208@redhat.com>
Message-ID: <4CC5D846.40409@redhat.com>

Adam Young wrote:
> find_entries param
>
> Fixes a bug where find_entries was not passed a parameter for filter.
> Instead of fixing the call point, this patch adds a default value for
> the parameter,

ack

From ayoung at redhat.com Mon Oct 25 19:22:11 2010
From: ayoung at redhat.com (Adam Young)
Date: Mon, 25 Oct 2010 15:22:11 -0400
Subject: [Freeipa-devel] [PATCH] admiyo-freeipa-0066-find_entries-param.patch
In-Reply-To: <4CC5D846.40409@redhat.com>
References: <4CC5CA8B.2000208@redhat.com> <4CC5D846.40409@redhat.com>
Message-ID: <4CC5D8E3.2040800@redhat.com>

On 10/25/2010 03:19 PM, Rob Crittenden wrote:
> Adam Young wrote:
>> find_entries param
>>
>> Fixes a bug where find_entries was not passed a parameter for filter.
>> Instead of fixing the call point, this patch adds a default value for
>> the parameter,
>
> ack

Pushed to master

From edewata at redhat.com Mon Oct 25 19:53:21 2010
From: edewata at redhat.com (Endi Sukma Dewata)
Date: Mon, 25 Oct 2010 14:53:21 -0500
Subject: [Freeipa-devel] [PATCH] admiyo-freeipa-0063-dns-work.patch
In-Reply-To: <4CC5C808.5000703@redhat.com>
References: <4CC1C6C2.7040002@redhat.com> <4CC599B9.9050604@redhat.com> <4CC5A1AA.7010307@redhat.com> <4CC5C808.5000703@redhat.com>
Message-ID: <4CC5E031.1060408@redhat.com>

On 10/25/2010 1:10 PM, Adam Young wrote:
> On 10/25/2010 11:26 AM, Adam Young wrote:
>> On 10/25/2010 10:52 AM, Rob Crittenden wrote:
>>> Adam Young wrote:
>>>> Implementation of the UI for DNS records.
>>>>
>>>> Search uses filters.
>>>>
>>>> Much of the code has been cut and pasted from search.js and add.js, but
>>>> then significantly modified. Moving forward, we'll have to determine if
>>>> it is worth the effort to integrate.
>>>>
>>>
>>> ack
>> Actually, NACKed by edewata due to comments made on review board.
>> Fixes being made now.

> Updated with fixes from https://fedorahosted.org/reviewboard/r/96/

ACK. There's a possibility of race conditions when deleting multiple records (which doesn't work right now), but this can be fixed in a later patch.

--
Endi S. Dewata

From ayoung at redhat.com Mon Oct 25 19:56:00 2010
From: ayoung at redhat.com (Adam Young)
Date: Mon, 25 Oct 2010 15:56:00 -0400
Subject: [Freeipa-devel] [PATCH] admiyo-freeipa-0063-dns-work.patch
In-Reply-To: <4CC5E031.1060408@redhat.com>
References: <4CC1C6C2.7040002@redhat.com> <4CC599B9.9050604@redhat.com> <4CC5A1AA.7010307@redhat.com> <4CC5C808.5000703@redhat.com> <4CC5E031.1060408@redhat.com>
Message-ID: <4CC5E0D0.50500@redhat.com>

On 10/25/2010 03:53 PM, Endi Sukma Dewata wrote:
> On 10/25/2010 1:10 PM, Adam Young wrote:
>> On 10/25/2010 11:26 AM, Adam Young wrote:
>>> On 10/25/2010 10:52 AM, Rob Crittenden wrote:
>>>> Adam Young wrote:
>>>>> Implementation of the UI for DNS records.
>>>>>
>>>>> Search uses filters.
>>>>>
>>>>> Much of the code has been cut and pasted from search.js and
>>>>> add.js, but
>>>>> then significantly modified. Moving forward, we'll have to
>>>>> determine if
>>>>> it is worth the effort to integrate.
>>>>>
>>>>
>>>> ack
>>> Actually, NACKed by edewata due to comments made on review board.
>>> Fixes being made now.
>
>> Updated with fixes from https://fedorahosted.org/reviewboard/r/96/
>
> ACK. There's a possibility of race conditions when deleting multiple
> records (which doesn't work right now), but this can be fixed in a
> later patch.
>

pushed to master

From rcritten at redhat.com Mon Oct 25 22:05:46 2010
From: rcritten at redhat.com (Rob Crittenden)
Date: Mon, 25 Oct 2010 18:05:46 -0400
Subject: [Freeipa-devel] [PATCH] 586 kerberos password policy
Message-ID: <4CC5FF3A.4010509@redhat.com>

Use kerberos password policy.

This lets the KDC count password failures and can lock out accounts for a period of time. This only works for KDC >= 1.8.

There currently is no way to unlock a locked account across a replica. MIT Kerberos 1.9 is adding support for doing so. Once that is available unlock will be added.

The concept of a "global" password policy has changed. When we were managing the policy using the IPA password plugin it was smart enough to search up the tree looking for a policy. The KDC is not so smart and relies on the krbpwdpolicyreference to find the policy. For this reason every user entry requires this attribute. I've created a new global_policy entry to store the default password policy. All users point at this now. The group policy works the same and can override this setting.

rob

-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-586-pwpolicy.patch
Type: application/mbox
Size: 13925 bytes
Desc: not available
URL:

From nalin at redhat.com Mon Oct 25 22:14:12 2010
From: nalin at redhat.com (Nalin Dahyabhai)
Date: Mon, 25 Oct 2010 18:14:12 -0400
Subject: [Freeipa-devel] [PATCH] #333 plugin to change kerberos principal name when user is renamed
In-Reply-To: <20101022173835.28204736@willson.li.ssimo.org>
References: <20101022173835.28204736@willson.li.ssimo.org>
Message-ID: <20101025221412.GA4572@redhat.com>

On Fri, Oct 22, 2010 at 05:38:35PM -0400, Simo Sorce wrote:
> This plugin intercepts a modrdn change so that when a user is renamed
> the krbprincipalname is changed accordingly.

Changing the user's principal name usually breaks the client's ability to get initial creds, as the default salt is derived from the principal name. Assuming we don't want to force an administrative password reset, how are we working around that?

Nalin

From ssorce at redhat.com Mon Oct 25 22:24:40 2010
From: ssorce at redhat.com (Simo Sorce)
Date: Mon, 25 Oct 2010 18:24:40 -0400
Subject: [Freeipa-devel] [PATCH] plugins slim down
Message-ID: <20101025182440.77ee5be7@willson.li.ssimo.org>

I had some unused functions in the uuid and modrdn plugins, due to copy&paste.

Remove unused functions.

Simo.

--
Simo Sorce * Red Hat, Inc * New York

-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0001-ipa-modrdn-Remove-unused-functions.patch
Type: text/x-patch
Size: 5005 bytes
Desc: not available
URL:
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0001-ipa-uuid-Remove-unused-functions.patch
Type: text/x-patch
Size: 4327 bytes
Desc: not available
URL:

From ssorce at redhat.com Mon Oct 25 22:28:42 2010
From: ssorce at redhat.com (Simo Sorce)
Date: Mon, 25 Oct 2010 18:28:42 -0400
Subject: [Freeipa-devel] [PATCHES] UUID Plugin: Code fixes and cleanups
Message-ID: <20101025182842.3e632d66@willson.li.ssimo.org>

These are a few minor fixes and cleanups I split in multiple patches for easier review.

1. makes sure we reset the generate flag at every loop, so that we do not risk a false positive if multiple UUIDs are generated on an entry.

2. makes unlocks safer by tracking when we need to unlock and doing so in the cleanup code. This is necessary as later code will be introduced that may error out in the middle of the main loop.

3. tidy up some code and remove one nesting level (hopefully making stuff slightly more readable). This is possible thanks to (2).

Simo.

--
Simo Sorce * Red Hat, Inc * New York

-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0001-ipa-uuid-Reset-generate-flag-at-every-cycle.patch
Type: text/x-patch
Size: 1314 bytes
Desc: not available
URL:
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0002-ipa-uuid-safer-unlock-handling.patch
Type: text/x-patch
Size: 1486 bytes
Desc: not available
URL:
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0003-ipa-uuid-Code-cleanups.patch
Type: text/x-patch
Size: 17643 bytes
Desc: not available
URL:

From ssorce at redhat.com Mon Oct 25 22:34:07 2010
From: ssorce at redhat.com (Simo Sorce)
Date: Mon, 25 Oct 2010 18:34:07 -0400
Subject: [Freeipa-devel] [PATCH] UUID Plugin: add "enforce" option
Message-ID: <20101025183407.583610aa@willson.li.ssimo.org>

When the ipaUuidEnforce option is set to TRUE only the Directory Manager is allowed to set arbitrary values. Any attempt to set values != the ipaUuidGenerate value by non DirMgr users will throw an error.

This is useful to enforce UUIDs are always set by the server. At this moment normal users are still allowed to modify the value so that the uuid is regenerated (and therefore changed, although not with arbitrary values). If modifications are unwanted I guess we can easily add an ACI that allows someone to add the attribute but not modify it afterwards.

Currently the install code does not yet set the plugin into enforcing mode as that would break all ipa tools, tomorrow I plan to go through the framework code and rip off the uuid stuff and finally change the default to enforcing for the ipaUniqueID attribute once all client code is converted to always set only "0" on creation.

Simo.

--
Simo Sorce * Red Hat, Inc * New York

-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0001-ipa-uuid-Add-enforce-mode.patch
Type: text/x-patch
Size: 2801 bytes
Desc: not available
URL:

From ssorce at redhat.com Mon Oct 25 22:59:18 2010
From: ssorce at redhat.com (Simo Sorce)
Date: Mon, 25 Oct 2010 18:59:18 -0400
Subject: [Freeipa-devel] [PATCH] #333 plugin to change kerberos principal name when user is renamed
In-Reply-To: <20101025221412.GA4572@redhat.com>
References: <20101022173835.28204736@willson.li.ssimo.org> <20101025221412.GA4572@redhat.com>
Message-ID: <20101025185918.57025176@willson.li.ssimo.org>

On Mon, 25 Oct 2010 18:14:12 -0400
Nalin Dahyabhai wrote:

> On Fri, Oct 22, 2010 at 05:38:35PM -0400, Simo Sorce wrote:
> > This plugin intercepts a modrdn change so that when a user is
> > renamed the krbprincipalname is changed accordingly.
>
> Changing the user's principal name usually breaks the client's ability
> to get initial creds, as the default salt is derived from the
> principal name. Assuming we don't want to force an administrative
> password reset, how are we working around that?

At the moment we will have no choice but reset the credentials.

I was meaning to ask you if we have any other way around. Is it possible to use a random salt instead of the principal name ?

We do enforce pre-authentication by default, so IIRC it should be possible, but it doesn't seem to make any difference atm, I guess we need to change something in the password plugin ?

Simo.

--
Simo Sorce * Red Hat, Inc * New York

From nalin at redhat.com Tue Oct 26 00:27:04 2010
From: nalin at redhat.com (Nalin Dahyabhai)
Date: Mon, 25 Oct 2010 20:27:04 -0400
Subject: [Freeipa-devel] [PATCH] #333 plugin to change kerberos principal name when user is renamed
In-Reply-To: <20101025185918.57025176@willson.li.ssimo.org>
References: <20101022173835.28204736@willson.li.ssimo.org> <20101025221412.GA4572@redhat.com> <20101025185918.57025176@willson.li.ssimo.org>
Message-ID: <20101026002704.GA5151@redhat.com>

On Mon, Oct 25, 2010 at 06:59:18PM -0400, Simo Sorce wrote:
> I was meaning to ask you if we have any other way around. Is it
> possible to use a random salt instead of the principal name ?
>
> We do enforce pre-authentication by default, so IIRC it should be
> possible, but it doesn't seem to make any difference atm, I guess we
> need to change something in the password plugin ?

If the salt stored in the user's key is marked as "special" instead of "normal", the KDC should just send the recorded salt to the client.

It looks like encrypt_encode_key() needs to generate and store a random salt when it sees that salt type in the configuration, and we need to start configuring IPA to use that.

HTH,

Nalin

From ayoung at redhat.com Tue Oct 26 00:38:04 2010
From: ayoung at redhat.com (Adam Young)
Date: Mon, 25 Oct 2010 20:38:04 -0400
Subject: [Freeipa-devel] [PATCH] whoami goodby
Message-ID: <4CC622EC.4020902@redhat.com>

removal of the whoami plugin

-------------- next part --------------
A non-text attachment was scrubbed...
Name: admiyo-freeipa-0067-whoami-goodbye.patch
Type: text/x-patch
Size: 1794 bytes
Desc: not available
URL:

From ayoung at redhat.com Tue Oct 26 00:47:40 2010
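
The salt behaviour discussed in the #333 thread above (Nalin Dahyabhai's messages on the default salt and on "special" salts), as an added example that is not part of the original messages or of FreeIPA's code. It computes only the PBKDF2 stage of the RFC 3962 string-to-key (the final DK step is omitted), and the realm, user names, password and the `KeyRecord` model are constructed for illustration.

```python
import dataclasses
import hashlib
import hmac
import os
from dataclasses import dataclass
from typing import Optional

ITERATIONS = 4096  # RFC 3962 default iteration count
KEY_LEN = 32       # key size of aes256-cts-hmac-sha1-96


def default_salt(realm: str, principal: str) -> bytes:
    """RFC 4120 default salt: realm, then the name components, no separators."""
    return (realm + "".join(principal.split("/"))).encode("utf-8")


def pbkdf2_stage(password: str, salt: bytes) -> bytes:
    """PBKDF2 stage of the RFC 3962 string-to-key (assumption: DK step omitted)."""
    return hashlib.pbkdf2_hmac("sha1", password.encode("utf-8"), salt,
                               ITERATIONS, KEY_LEN)


@dataclass(frozen=True)
class KeyRecord:
    """Hypothetical model of one stored long-term key, not the real KDB layout."""
    principal: str
    realm: str
    key: bytes
    special_salt: Optional[bytes]  # None means salt type "normal"


def set_password(principal: str, realm: str, password: str,
                 special: bool = False) -> KeyRecord:
    """Derive and store a key; a "special" key records a random salt with it."""
    salt = os.urandom(16) if special else default_salt(realm, principal)
    return KeyRecord(principal, realm, pbkdf2_stage(password, salt),
                     salt if special else None)


def rename(record: KeyRecord, new_principal: str) -> KeyRecord:
    """A rename changes the principal name only; stored key material is untouched."""
    return dataclasses.replace(record, principal=new_principal)


def salt_for_client(record: KeyRecord) -> bytes:
    """Salt the client ends up using: the recorded one if special,
    otherwise the default salt for the *current* principal name."""
    if record.special_salt is not None:
        return record.special_salt
    return default_salt(record.realm, record.principal)


def client_can_authenticate(record: KeyRecord, password: str) -> bool:
    """True when the key the client derives matches the key the KDC stores."""
    derived = pbkdf2_stage(password, salt_for_client(record))
    return hmac.compare_digest(derived, record.key)


if __name__ == "__main__":
    # Constructed sample data.
    realm, old, new, pw = "EXAMPLE.COM", "jsmith", "john.smith", "correct horse"
    for special in (False, True):
        rec = set_password(old, realm, pw, special=special)
        kind = "special" if special else "normal"
        print(kind, "before rename:", client_can_authenticate(rec, pw))
        print(kind, "after rename: ", client_can_authenticate(rename(rec, new), pw))
```

With the "normal" salt type the renamed principal no longer matches its stored key until the password is set again; with a recorded random salt the same key keeps working across the rename.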
From: ayoung at redhat.com (Adam Young)
Date: Mon, 25 Oct 2010 20:47:40 -0400
Subject: [Freeipa-devel] [PATCHES] UUID Plugin: Code fixes and cleanups
In-Reply-To: <20101025182842.3e632d66@willson.li.ssimo.org>
References: <20101025182842.3e632d66@willson.li.ssimo.org>
Message-ID: <4CC6252C.8080605@redhat.com>

On 10/25/2010 06:28 PM, Simo Sorce wrote:
> These are a few minor fixes and cleanups I split in multiple patches
> for easier review.
>
> 1. makes sure we reset the generate flag at every loop, so that we do
> not risk a false positive if multiple UUIDs are generated on an entry.
>
> 2. makes unlocks safer by tracking when we need to unlock and doing so
> in the cleanup code. This is necessary as later code will be introduced
> that may error out in the middle of the main loop.
>
> 3. tidy up some code and remove one nesting level (hopefully making
> stuff slightly more readable). This is possible thanks to (2).
>
> Simo.
>

ACK
ACK
ACK

From ayoung at redhat.com Tue Oct 26 01:39:25 2010
From: ayoung at redhat.com (Adam Young)
Date: Mon, 25 Oct 2010 21:39:25 -0400
Subject: [Freeipa-devel] [PATCH] admiyo-freeipa-0068-association-header.patch
Message-ID: <4CC6314D.1040809@redhat.com>

https://fedorahosted.org/freeipa/ticket/338

-------------- next part --------------
A non-text attachment was scrubbed...
Name: admiyo-freeipa-0068-association-header.patch
Type: text/x-patch
Size: 1247 bytes
Desc: not available
URL:

From rcritten at redhat.com Tue Oct 26 03:03:03 2010
From: rcritten at redhat.com (Rob Crittenden)
Date: Mon, 25 Oct 2010 23:03:03 -0400
Subject: [Freeipa-devel] [PATCH] 587 get effective rights in *-show
Message-ID: <4CC644E7.60906@redhat.com>

Add --rights flag to *-show in baseldap so you can retrieve the effective rights to modify the entry you are viewing.

The output is a dict of attributes. Each value is a list of rights.

It is pretty nasty looking output so I'm only displaying it when --all is used. This is designed for the UI which uses this anyway.

rob

-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-587-ger.patch
Type: application/mbox
Size: 1821 bytes
Desc: not available
URL:

From ssorce at redhat.com Tue Oct 26 12:13:53 2010
From: ssorce at redhat.com (Simo Sorce)
Date: Tue, 26 Oct 2010 08:13:53 -0400
Subject: [Freeipa-devel] [PATCH] #333 plugin to change kerberos principal name when user is renamed
In-Reply-To: <20101026002704.GA5151@redhat.com>
References: <20101022173835.28204736@willson.li.ssimo.org> <20101025221412.GA4572@redhat.com> <20101025185918.57025176@willson.li.ssimo.org> <20101026002704.GA5151@redhat.com>
Message-ID: <20101026081353.7fb5c4a3@willson.li.ssimo.org>

On Mon, 25 Oct 2010 20:27:04 -0400
Nalin Dahyabhai wrote:

> On Mon, Oct 25, 2010 at 06:59:18PM -0400, Simo Sorce wrote:
> > I was meaning to ask you if we have any other way around. Is it
> > possible to use a random salt instead of the principal name ?
> >
> > We do enforce pre-authentication by default, so IIRC it should be
> > possible, but it doesn't seem to make any difference atm, I guess we
> > need to change something in the password plugin ?
>
> If the salt stored in the user's key is marked as "special" instead of
> "normal", the KDC should just send the recorded salt to the client.
>
> It looks like encrypt_encode_key() needs to generate and store a
> random salt when it sees that salt type in the configuration, and we
> need to start configuring IPA to use that.

I'll open a bug with this comment in it.

Simo.

--
Simo Sorce * Red Hat, Inc * New York

From ssorce at redhat.com Tue Oct 26 13:41:00 2010
From: ssorce at redhat.com (Simo Sorce)
Date: Tue, 26 Oct 2010 09:41:00 -0400
Subject: [Freeipa-devel] [PATCH] whoami goodby
In-Reply-To: <4CC622EC.4020902@redhat.com>
References: <4CC622EC.4020902@redhat.com>
Message-ID: <20101026094100.6caf599e@willson.li.ssimo.org>

On Mon, 25 Oct 2010 20:38:04 -0400
Adam Young wrote:

> removal of the whoami plugin

ACK

--
Simo Sorce * Red Hat, Inc * New York

From ssorce at redhat.com Tue Oct 26 13:49:39 2010
From: ssorce at redhat.com (Simo Sorce)
Date: Tue, 26 Oct 2010 09:49:39 -0400
Subject: [Freeipa-devel] [PATCH] 585 entitlement plugin
In-Reply-To: <4CC5CBE7.6000204@redhat.com>
References: <4CC5CBE7.6000204@redhat.com>
Message-ID: <20101026094939.20d35fb3@willson.li.ssimo.org>

On Mon, 25 Oct 2010 14:26:47 -0400
Rob Crittenden wrote:

> Add entitlement plugin for counting client entitlements. This just
> adds the capability to tie to a candlepin server or manually import
> entitlement certificates. The code to use these to count clients is
> still under development.
>
> rob

This plugin seems to depend on python libraries that are not available in Fedora nor any other distribution.

ECANTTEST

NACK until that is fixed.

Simo.

--
Simo Sorce * Red Hat, Inc * New York

From ayoung at redhat.com Tue Oct 26 14:20:55 2010
From: ayoung at redhat.com (Adam Young)
Date: Tue, 26 Oct 2010 10:20:55 -0400
Subject: [Freeipa-devel] [PATCH] whoami goodby
In-Reply-To: <20101026094100.6caf599e@willson.li.ssimo.org>
References: <4CC622EC.4020902@redhat.com> <20101026094100.6caf599e@willson.li.ssimo.org>
Message-ID: <4CC6E3C7.4050006@redhat.com>

On 10/26/2010 09:41 AM, Simo Sorce wrote:
> On Mon, 25 Oct 2010 20:38:04 -0400
> Adam Young wrote:
>
>
>> removal of the whoami plugin
>>
> ACK
>
>

Pushed to master

From edewata at redhat.com Tue Oct 26 16:40:00 2010
From: edewata at redhat.com (Endi Sukma Dewata)
Date: Tue, 26 Oct 2010 11:40:00 -0500
Subject: [Freeipa-devel] Framework for custom UI
Message-ID: <4CC70460.5060304@redhat.com>

Hi,

Attached is the patch I'm currently working on. It's not ready to be committed yet, but feel free to send any comments.

https://fedorahosted.org/reviewboard/r/97/

This patch creates a new framework implementing custom UI:

Main classes:
- ipa: global registry for all entities
- ipa_entity: base class for entities
- ipa_facet: base class for facets

Search page:
- ipa_search_facet: default search facet
- ipa_column: columns in the search result

Add dialog:
- ipa_add_dialog: default add dialog
- ipa_add_field: the field used in the dialog

Details page:
- ipa_details_facet: default details facet
- ipa_details_section: sections in the details page
- ipa_details_field: fields in the details page

TODO:
- associations page
- records page

To use this framework, create a class extending from ipa_entity (e.g. ipa_hbac). Use the create_* methods to create add dialog, search facet, and details facet. The fields/columns for the dialog and facets can be defined in the init() function. Custom UI can be defined by overwriting the base methods (e.g. setup) implemented in the default dialog/facets. The entity must be registered using ipa.add_entity().

The HBAC and Service entities have been rewritten to use this framework. Other entities will still work using the existing framework.

--
Endi S. Dewata

-------------- next part --------------
A non-text attachment was scrubbed...
Name: edewata-freeipa-0024-Framework-for-custom-UI.patch
Type: text/x-patch
Size: 52149 bytes
Desc: not available
URL:

From rcritten at redhat.com Tue Oct 26 17:24:46 2010
From: rcritten at redhat.com (Rob Crittenden)
Date: Tue, 26 Oct 2010 13:24:46 -0400
Subject: [Freeipa-devel] [Fwd: [freeipa] #402: SUDO command attribute should be case sensitive]
In-Reply-To: <4CC4EE21.6000404@redhat.com>
References: <4CBF4619.9020404@redhat.com> <20101022181502.3ac29fdd@willson.li.ssimo.org> <4CC20D53.1090503@redhat.com> <4CC4EE21.6000404@redhat.com>
Message-ID: <4CC70EDE.4020004@redhat.com>

Dmitri Pal wrote:
> Dmitri Pal wrote:
>> Simo Sorce wrote:
>>
>>> On Wed, 20 Oct 2010 15:42:17 -0400
>>> Dmitri Pal wrote:
>>>
>>>
>>>
>>>> Any suggestions what it should be?
>>>> Should we create a new attribute or there is something handy to reuse?
>>>>
>>>>
>>> Probably makes sense to add a custom attribute, properly named.
>>>
>>>
>>>
>> Ok I will propose one.
>>
>
> The attached patch should address the issue.
> I did the change but I have not done the build so view this patch as a
> proposal.

ACK and pushed to master.

I had to hand-apply this because it didn't apply cleanly.

Please send all patches with [PATCH] in the subject so they don't get lost in the shuffle.

rob

From ayoung at redhat.com Tue Oct 26 17:40:11 2010
From: ayoung at redhat.com (Adam Young)
Date: Tue, 26 Oct 2010 13:40:11 -0400
Subject: [Freeipa-devel] Proposed standard for Patches: RFC
Message-ID: <4CC7127B.2010806@redhat.com>

We've been doing this informally for a while, and I think, if we all agree to the format, it will help keep track of patches, ACKs, and commits.

1. Patch naming

Example patch name:
edewata-freeipa-0019-Certificate-management-for-services.patch

Format: username-project-seq[-update]-description.extension

username: Your Fedora account name.
project name: always 'freeeipa'
seq: sequence number. please try to not skip numbers, as we will use this number to ensure all patches from a given contributor get reviewed.
update. If a patch requires modifications and additional prior to submission, append a number starting at 2 and increasing by one for each update. Thus, if the above patch required additional changes, the first would be:
edewata-freeipa-0019-2-Certificate-management-for-services.patch
and then
edewata-freeipa-0019-3-Certificate-management-for-services.patch

description: This is the first line of the git commit, and should be less than six words long (ideally two or three). git format patch will translate this line into the subject of the patch, with hyphens replacing the whitespace.

extension: always .patch

2. Patch format:

All patches should be in format to apply with 'git am'. This is produced from a git repository using the command 'git format-patch'

If a patch addresses a ticket in Trac, the second line of the commit should be the URL to track with the Ticket number. For example:
https://fedorahosted.org/freeipa/ticket/339

From rcritten at redhat.com Tue Oct 26 17:59:24 2010
From: rcritten at redhat.com (Rob Crittenden)
Date: Tue, 26 Oct 2010 13:59:24 -0400
Subject: [Freeipa-devel] [PATCH] 588 Removing HBAC service nesting
Message-ID: <4CC716FC.9000203@redhat.com>

Remove group nesting from the HBAC service groups.

ticket https://fedorahosted.org/freeipa/ticket/389

rob
-------------- next part --------------
A non-text attachment was scrubbed...
Name: rcrit-freeipa-588-hbac.patch
Type: application/mbox
Size: 4243 bytes
Desc: not available
URL:

From ssorce at redhat.com Tue Oct 26 18:08:28 2010
From: ssorce at redhat.com (Simo Sorce)
Date: Tue, 26 Oct 2010 14:08:28 -0400
Subject: [Freeipa-devel] Proposed standard for Patches: RFC
In-Reply-To: <4CC7127B.2010806@redhat.com>
References: <4CC7127B.2010806@redhat.com>
Message-ID: <20101026140828.7c2cec0f@willson.li.ssimo.org>

On Tue, 26 Oct 2010 13:40:11 -0400
Adam Young wrote:

> We've been doing this informally for a while, and I think, if we all
> agree to the format, it will help keep track of patches, ACKs, and
> commits.
>
> 1. Patch naming
> Example patch name:
> edewata-freeipa-0019-Certificate-management-for-services.patch
>
> Format: username-project-seq[-update]-description.extension
>
> username: Your Fedora account name.
> project name: always 'freeeipa'

Are these really necessary?
We have the name of the author in the patch anyway, and freeipa
(with 2 'e's not 3 :-P) seems really redundant.

Bottom line I am lazy and would prefer not to have to rename patches
after git format-patch creates them.

So I'd like to understand the rationale for this format.
After all we always send patches as attachments to emails, where we can
explain what is going on.

> seq: sequence number. please try to not skip numbers, as we will
> use this number to ensure all patches from a given contributor get
> reviewed.
> update. If a patch requires modifications and additional
> prior to submission, append a number starting at 2 and increasing by
> one for each update. Thus, if the above patch required additional
> changes, the first would be:
> edewata-freeipa-0019-2-Certificate-management-for-services.patch
> and then
> edewata-freeipa-0019-3-Certificate-management-for-services.patch
>
> description: This is the first line of the git commit, and should be
> less than six words long (ideally two or three). git format patch
> will translate this line into the subject of the patch, with hyphens
> replacing the whitespace.
>
> extension: always .patch
>
> 2. Patch format:
> All patches should be in format to apply with
> 'git am'.
> This is produced from a git repository using the command
> 'git format-patch'
>
> If a patch addresses a ticket in Trac, the second line of the commit
> should be the URL to track with the Ticket number. For example:
> https://fedorahosted.org/freeipa/ticket/339

This part is worth, but I think we should require only the bug number
and have the full URL as a nice optional.

Simo.

--
Simo Sorce * Red Hat, Inc * New York

From ayoung at redhat.com Tue Oct 26 18:22:01 2010
From: ayoung at redhat.com (Adam Young)
Date: Tue, 26 Oct 2010 14:22:01 -0400
Subject: [Freeipa-devel] Proposed standard for Patches: RFC
In-Reply-To: <20101026140828.7c2cec0f@willson.li.ssimo.org>
References: <4CC7127B.2010806@redhat.com> <20101026140828.7c2cec0f@willson.li.ssimo.org>
Message-ID: <4CC71C49.8010704@redhat.com>

On 10/26/2010 02:08 PM, Simo Sorce wrote:
> On Tue, 26 Oct 2010 13:40:11 -0400
> Adam Young wrote:
>
>> We've been doing this informally for a while, and I think, if we all
>> agree to the format, it will help keep track of patches, ACKs, and
>> commits.
>>
>> 1. Patch naming
>> Example patch name:
>> edewata-freeipa-0019-Certificate-management-for-services.patch
>>
>> Format: username-project-seq[-update]-description.extension
>>
>> username: Your Fedora account name.
>> project name: always 'freeeipa'
>>
> Are these really necessary ?
> We have the name of the author in the patch anyway, and freeipa
> (with 2 'e's not 3 :-P) seem really redundant.
>

Otherwise, we get into a conflict over whose patch 519 it is, and we
have no way to order it.

We've had enough issues where patch 11 requires patch 10 that it is just
cleaner to try to apply all patches from a given developer in order.

I have a simple script that does the rename. John Dennis has a more
extensive one. We can make this easy for you.

http://adam.younglogic.com/2010/09/preparing-patches-for-submission-to-the-freeipa-mailing-list/

> Bottomline I am lazy and would prefer not to have to rename patches
> after git format-patch creates them.
>
> So I'd like to understand the rationale for this format.
> After all we always send patches as attachments to emails, where we can
> explain what is going on.
>
>> seq: sequence number. please try to not skip numbers, as we will
>> use this number to ensure all patches from a given contributor get
>> reviewed.
>> update. If a patch requires modifications and additional
>> prior to submission, append a number starting at 2 and increasing by
>> one for each update. Thus, if the above patch required additional
>> changes, the first would be:
>> edewata-freeipa-0019-2-Certificate-management-for-services.patch
>> and then
>> edewata-freeipa-0019-3-Certificate-management-for-services.patch
>>
>> description: This is the first line of the git commit, and should be
>> less than six words long (ideally two or three). git format patch
>> will translate this line into the subject of the patch, with hyphens
>> replacing the whitespace.
>>
>> extension: always .patch
>>
>> 2. Patch format:
>> All patches should be in format to apply with
>> 'git am'.
>> This is produced from a git repository using the command
>> 'git format-patch'
>>
>> If a patch addresses a ticket in Trac, the second line of the commit
>> should be the URL to track with the Ticket number. For example:
>> https://fedorahosted.org/freeipa/ticket/339
>>
> This part is worth, but I think we should require only the bug number
> and have the full URL as a nice optional.
>

I just copy and paste from the browser. It does make it clear whether
we are talking about Trac or Bugzilla.

> Simo.
>
>

From rcritten at redhat.com Tue Oct 26 18:34:26 2010
From: rcritten at redhat.com (Rob Crittenden)
Date: Tue, 26 Oct 2010 14:34:26 -0400
Subject: [Freeipa-devel] [PATCH] 589 disallow group password policy in UPG
Message-ID: <4CC71F32.7040606@redhat.com>

Don't allow managed groups to have group password policy.

UPG cannot have members and we use memberOf in class of service to
determine which policy to apply.

ticket https://fedorahosted.org/freeipa/ticket/160

rob
-------------- next part --------------
A non-text attachment was scrubbed...
Name: rcrit-freeipa-589-pwpolicy.patch
Type: application/mbox
Size: 3001 bytes
Desc: not available
URL:

From ayoung at redhat.com Tue Oct 26 18:40:39 2010
From: ayoung at redhat.com (Adam Young)
Date: Tue, 26 Oct 2010 14:40:39 -0400
Subject: [Freeipa-devel] [PATCH] 589 disallow group password policy in UPG
In-Reply-To: <4CC71F32.7040606@redhat.com>
References: <4CC71F32.7040606@redhat.com>
Message-ID: <4CC720A7.6010004@redhat.com>

On 10/26/2010 02:34 PM, Rob Crittenden wrote:
> Don't allow managed groups to have group password policy.
>
> UPG cannot have members and we use memberOf in class of service to
> determine which policy to apply.
>
> ticket https://fedorahosted.org/freeipa/ticket/160
>
> rob
>
>
> _______________________________________________
> Freeipa-devel mailing list
> Freeipa-devel at redhat.com
> https://www.redhat.com/mailman/listinfo/freeipa-devel

ACK
-------------- next part --------------
An HTML attachment was scrubbed...
URL:

From ayoung at redhat.com Tue Oct 26 18:41:50 2010
From: ayoung at redhat.com (Adam Young)
Date: Tue, 26 Oct 2010 14:41:50 -0400
Subject: [Freeipa-devel] [PATCH] 588 Removing HBAC service nesting
In-Reply-To: <4CC716FC.9000203@redhat.com>
References: <4CC716FC.9000203@redhat.com>
Message-ID: <4CC720EE.8070803@redhat.com>

On 10/26/2010 01:59 PM, Rob Crittenden wrote:
> Remove group nesting from the HBAC service groups.
>
> ticket https://fedorahosted.org/freeipa/ticket/389
>
> rob
>
>
> _______________________________________________
> Freeipa-devel mailing list
> Freeipa-devel at redhat.com
> https://www.redhat.com/mailman/listinfo/freeipa-devel

ACK
-------------- next part --------------
An HTML attachment was scrubbed...
URL:

From rcritten at redhat.com Tue Oct 26 19:16:04 2010
From: rcritten at redhat.com (Rob Crittenden)
Date: Tue, 26 Oct 2010 15:16:04 -0400
Subject: [Freeipa-devel] [PATCH] 590 error out when missing headers
Message-ID: <4CC728F4.3010300@redhat.com>

Error out of configure when it finds some missing headers.

rob
-------------- next part --------------
A non-text attachment was scrubbed...
Name: rcrit-freeipa-590-configure.patch
Type: application/mbox
Size: 3025 bytes
Desc: not available
URL:

From ssorce at redhat.com Tue Oct 26 19:29:08 2010
From: ssorce at redhat.com (Simo Sorce)
Date: Tue, 26 Oct 2010 15:29:08 -0400
Subject: [Freeipa-devel] Proposed standard for Patches: RFC
In-Reply-To: <4CC71C49.8010704@redhat.com>
References: <4CC7127B.2010806@redhat.com> <20101026140828.7c2cec0f@willson.li.ssimo.org> <4CC71C49.8010704@redhat.com>
Message-ID: <20101026152908.66a34a26@willson.li.ssimo.org>

On Tue, 26 Oct 2010 14:22:01 -0400
Adam Young wrote:

> On 10/26/2010 02:08 PM, Simo Sorce wrote:
> > On Tue, 26 Oct 2010 13:40:11 -0400
> > Adam Young wrote:
> >
> >> We've been doing this informally for a while, and I think, if we
> >> all agree to the format, it will help keep track of patches, ACKs,
> >> and commits.
> >>
> >> 1. Patch naming
> >> Example patch name:
> >> edewata-freeipa-0019-Certificate-management-for-services.patch
> >>
> >> Format: username-project-seq[-update]-description.extension
> >>
> >> username: Your Fedora account name.
> >> project name: always 'freeeipa'
> >>
> > Are these really necessary ?
> > We have the name of the author in the patch anyway, and freeipa
> > (with 2 'e's not 3 :-P) seem really redundant.
> >
>
> Otherwise, we get into a conflict over whose patch 519 it is, and we
> have no way to order it.
>
> We've had enough issues where patch 11 requires patch 10 that it is
> just cleaner to try to apply all patches from a given developer in
> order.

If the problem is tracking which patches have been applied and which are
needed wouldn't it be easier instead if each developer published an
official tree with the patches he proposes for inclusion ?

That way all you need to do is a git log origin/master..dev_tree and
you have all pending patches and the order they are applied to.

Looks to me *much* handier than trying to order them based on file
names and arbitrary sequence numbers.

> >> If a patch addresses a ticket in Trac, the second line of the
> >> commit should be the URL to track with the Ticket number. For
> >> example: https://fedorahosted.org/freeipa/ticket/339
> >>
> > This part is worth, but I think we should require only the bug
> > number and have the full URL as a nice optional.
> >
> I just copy and paste from the browser. It does make it clear
> whether we are talking about Trac or Bugzilla.

bugzilla numbers fly around the 600k mark, looks pretty easy to tell
which is which unless we have a sudden, dramatic spike in tickets
filed against the trac instance :)

Simo.

--
Simo Sorce * Red Hat, Inc * New York

From ssorce at redhat.com Tue Oct 26 19:29:50 2010
From: ssorce at redhat.com (Simo Sorce)
Date: Tue, 26 Oct 2010 15:29:50 -0400
Subject: [Freeipa-devel] [PATCH] 590 error out when missing headers
In-Reply-To: <4CC728F4.3010300@redhat.com>
References: <4CC728F4.3010300@redhat.com>
Message-ID: <20101026152950.6b258d83@willson.li.ssimo.org>

On Tue, 26 Oct 2010 15:16:04 -0400
Rob Crittenden wrote:

> Error out of configure when it finds some missing headers.
>
> rob

ACK

--
Simo Sorce * Red Hat, Inc * New York

From rcritten at redhat.com Tue Oct 26 19:40:19 2010
From: rcritten at redhat.com (Rob Crittenden)
Date: Tue, 26 Oct 2010 15:40:19 -0400
Subject: [Freeipa-devel] [PATCH] 590 error out when missing headers
In-Reply-To: <20101026152950.6b258d83@willson.li.ssimo.org>
References: <4CC728F4.3010300@redhat.com> <20101026152950.6b258d83@willson.li.ssimo.org>
Message-ID: <4CC72EA3.30808@redhat.com>

Simo Sorce wrote:
> On Tue, 26 Oct 2010 15:16:04 -0400
> Rob Crittenden wrote:
>
>> Error out of configure when it finds some missing headers.
>>
>> rob
>
> ACK
>

pushed to master

From edewata at redhat.com Tue Oct 26 20:16:47 2010
From: edewata at redhat.com (Endi Sukma Dewata)
Date: Tue, 26 Oct 2010 15:16:47 -0500
Subject: [Freeipa-devel] [PATCH] admiyo-freeipa-0068-association-header.patch
In-Reply-To: <4CC6314D.1040809@redhat.com>
References: <4CC6314D.1040809@redhat.com>
Message-ID: <4CC7372F.50508@redhat.com>

On 10/25/2010 8:39 PM, Adam Young wrote:
> https://fedorahosted.org/freeipa/ticket/338
>
>
>
> _______________________________________________
> Freeipa-devel mailing list
> Freeipa-devel at redhat.com
> https://www.redhat.com/mailman/listinfo/freeipa-devel

ACKed and pushed to master.

--
Endi S. Dewata

From ayoung at redhat.com Tue Oct 26 20:26:13 2010
From: ayoung at redhat.com (Adam Young)
Date: Tue, 26 Oct 2010 16:26:13 -0400
Subject: [Freeipa-devel] Proposed standard for Patches: RFC
In-Reply-To: <20101026152908.66a34a26@willson.li.ssimo.org>
References: <4CC7127B.2010806@redhat.com> <20101026140828.7c2cec0f@willson.li.ssimo.org> <4CC71C49.8010704@redhat.com> <20101026152908.66a34a26@willson.li.ssimo.org>
Message-ID: <4CC73965.30502@redhat.com>

On 10/26/2010 03:29 PM, Simo Sorce wrote:
> On Tue, 26 Oct 2010 14:22:01 -0400
> Adam Young wrote:
>
>> On 10/26/2010 02:08 PM, Simo Sorce wrote:
>>
>>> On Tue, 26 Oct 2010 13:40:11 -0400
>>> Adam Young wrote:
>>>
>>>> We've been doing this informally for a while, and I think, if we
>>>> all agree to the format, it will help keep track of patches, ACKs,
>>>> and commits.
>>>>
>>>> 1. Patch naming
>>>> Example patch name:
>>>> edewata-freeipa-0019-Certificate-management-for-services.patch
>>>>
>>>> Format: username-project-seq[-update]-description.extension
>>>>
>>>> username: Your Fedora account name.
>>>> project name: always 'freeeipa'
>>>>
>>> Are these really necessary ?
>>> We have the name of the author in the patch anyway, and freeipa
>>> (with 2 'e's not 3 :-P) seem really redundant.
>>>
>> Otherwise, we get into a conflict over whose patch 519 it is, and we
>> have no way to order it.
>>
>> We've had enough issues where patch 11 requires patch 10 that it is
>> just cleaner to try to apply all patches from a given developer in
>> order.
>>
> If the problem is tracking which patches have been applied and which are
> needed wouldn't it be easier instead if each developer published an
> official tree with the patches he proposes for inclusion ?
>
> That way all you need to do is a git log origin/master..dev_tree and
> you have all pending patches and the order they are applied to.
>
> Looks to me *much* handier than trying to order them based on file
> names and arbitrary sequence numbers.
>

I'll admit this would be useful, but it would be another process that we
don't have now, that I was trying to avoid. We all have git repos on
fedorapeople. The trick is to deal with patches that have to get changed
prior to commit, hence the numbering of -2 -3 after the seq number.

Really, the seq number is not needed, but makes a nice ready shorthand
for the patch. Pavel, Endi and I often refer to patches by number, like
"your patch 0019" which makes it handy. The increasing seq approach to
detect a missing packet works in TCP, so why not for us?

>>>> If a patch addresses a ticket in Trac, the second line of the
>>>> commit should be the URL to track with the Ticket number. For
>>>> example: https://fedorahosted.org/freeipa/ticket/339
>>>>
>>> This part is worth, but I think we should require only the bug
>>> number and have the full URL as a nice optional.
>>>
>> I just copy and paste from the browser. It does make it clear
>> whether we are talking about Trac or Bugzilla.
>>
> bugzilla numbers fly around the 600k mark, looks pretty easy to tell
> which is which unless we have a sudden, dramatic spike in tickets
> filed against the trac instance :)
>

Yeah, but the full URL approach is self documenting.

> Simo.
>
>

From ssorce at redhat.com Tue Oct 26 20:47:42 2010
From: ssorce at redhat.com (Simo Sorce)
Date: Tue, 26 Oct 2010 16:47:42 -0400
Subject: [Freeipa-devel] Proposed standard for Patches: RFC
In-Reply-To: <4CC73965.30502@redhat.com>
References: <4CC7127B.2010806@redhat.com> <20101026140828.7c2cec0f@willson.li.ssimo.org> <4CC71C49.8010704@redhat.com> <20101026152908.66a34a26@willson.li.ssimo.org> <4CC73965.30502@redhat.com>
Message-ID: <20101026164742.7a8e100c@willson.li.ssimo.org>

On Tue, 26 Oct 2010 16:26:13 -0400
Adam Young wrote:

> I'll admit this would be useful, but it would be another process that
> we don't have now, that I was trying to avoid. We all have git repos
> on fedorapeople. The trick is to deal with patches that have to get
> changed prior to commit, hence the numbering of -2 -3 after the seq
> number.

Not sure what's the problem here, if I rebase a patch you have the
latest one in my tree, no need to look for -1 -2 -3 as you can't be
wrong if you re-fetch from my tree.

> Really, the seq number is not needed, but makes a nice ready
> shorthand for the patch. Pavel, Endi and I often refer to patches by
> number, like "your patch 0019" which makes it handy. The increasing
> seq approach to detect a missing packet works in TCP, so why not for
> us?

Because I am not a machine :)

I see we constantly fail at correctly numbering sequentially stuff,
from new error numbers to OIDs and other stuff, so I do not see this as
a big improvement. I am not saying people shouldn't use this method if
so they prefer, but mandating it seems a bit too much.

Of course if others strongly feel this is the way to go, I will (try to)
comply.

Simo.

--
Simo Sorce * Red Hat, Inc * New York

From ssorce at redhat.com Wed Oct 27 03:21:37 2010
From: ssorce at redhat.com (Simo Sorce)
Date: Tue, 26 Oct 2010 23:21:37 -0400
Subject: [Freeipa-devel] RFC wrt little snag in LDAPCreate when ipa_uuid manipulates the DN on entry add
Message-ID: <20101026232137.70bf7176@willson.li.ssimo.org>

So, I have been working on this ipa_uuid plugin as of late and one of
the last tasks was to let it modify the RDN if ipaUniqueID is part of
the DN of an entry we want to create.

Example:
dn: ipauniqueid=autogenerate,cn=hbac,dc=...
cn: foo rule
hbactype: allow
...

'autogenerate' is the magic value that makes the ipa_uuid plugin
generate a uuid and set it on the entry.

The problem is that LDAPCreate, after adding the entry will try to
search it back immediately using the DN we passed in. This search will
fail as the DN that is stored in LDAP is different (it has the
generated uuid instead of 'autogenerate').

So ideas on how to gracefully handle this are welcome.

I discussed of 2 with Rob on IRC but we'd like more inputs (Pavel, that
would be directed at you :-).

1. Ignore the error in calls that pass in a DN containing ipauniqueid
as the RDN and perform a new search.

2. modify LDAPCreate so that we can pass in a filter. If the caller
passes in a filter we use that instead of the DN to search the entry
back.

Simo.

--
Simo Sorce * Red Hat, Inc * New York

From ssorce at redhat.com Wed Oct 27 12:31:16 2010
From: ssorce at redhat.com (Simo Sorce)
Date: Wed, 27 Oct 2010 08:31:16 -0400
Subject: [Freeipa-devel] [PATCHES] Address #413 and Complete UUID related changes
Message-ID: <20101027083116.15bd83bd@willson.li.ssimo.org>

These patches apply on top of the previous ipa_uuid related patches.

#1 handles automatic generation of the uuid when the uuid attribute is
the RDN (fixes #413).

#2 prevents cases of false positives when enforcing is set and we are
handling a simple modification of an object that falls into the plugin
scope.

#3 removes the python uuid plugin and changes all callers to always pass
in the special value 'autogenerate' for the ipauniqueid attribute. This
way uuids are generated server side.

#3 introduces a problem with the baseldap class LDAPCreate, because that
class always tries to reuse the passed in DN to lookup the entry after
creation. Unfortunately when ipaUniqueID is part of the DN, the DN is
changed on add so the lookup using the special "autogenerate" value will
fail.
Pavel is looking into it to provide an alternative way to lookup the
entry in these cases.

Simo.

--
Simo Sorce * Red Hat, Inc * New York
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0001-ipa_uuid-Handle-generation-of-the-uuid-when-it-is-a-.patch
Type: text/x-patch
Size: 4052 bytes
Desc: not available
URL:
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0002-ipa_uuid-prevent-false-positives-on-modifies.patch
Type: text/x-patch
Size: 2502 bytes
Desc: not available
URL:
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0003-UUIDs-remove-uuid-python-plugin-and-let-DS-always-au.patch
Type: text/x-patch
Size: 33242 bytes
Desc: not available
URL:

From ayoung at redhat.com Wed Oct 27 13:33:38 2010
From: ayoung at redhat.com (Adam Young)
Date: Wed, 27 Oct 2010 09:33:38 -0400
Subject: [Freeipa-devel] Proposed standard for Patches: RFC
In-Reply-To: <20101026164742.7a8e100c@willson.li.ssimo.org>
References: <4CC7127B.2010806@redhat.com> <20101026140828.7c2cec0f@willson.li.ssimo.org> <4CC71C49.8010704@redhat.com> <20101026152908.66a34a26@willson.li.ssimo.org> <4CC73965.30502@redhat.com> <20101026164742.7a8e100c@willson.li.ssimo.org>
Message-ID: <4CC82A32.2090601@redhat.com>

On 10/26/2010 04:47 PM, Simo Sorce wrote:
> On Tue, 26 Oct 2010 16:26:13 -0400
> Adam Young wrote:
>
>> I'll admit this would be useful, but it would be another process that
>> we don't have now, that I was trying to avoid. We all have git repos
>> on fedorapeople. The trick is to deal with patches that have to get
>> changed prior to commit, hence the numbering of -2 -3 after the seq
>> number.
>>
> Not sure what's the problem here, if I rebase a patch you have the
> latest one in my tree, no need to look for -1 -2 -3 as you can't be
> wrong if you re-fetch from my tree.
>

Yes, and if we go with a Git based approach, that would be fine. But
the team seems to have a preference and a system in place that works
with straight patches. I am not trying to change that. If you are set
on a Git based approach, it is a more significant change from our
current process, something that I would not advocate this close to a
major release. I'm just trying to codify what Rob, Endi and I are
already doing, and which seems to work well.

>> Really, the seq number is not needed, but makes a nice ready
>> shorthand for the patch. Pavel, Endi and I often refer to patches by
>> number, like "your patch 0019" which makes it handy. The increasing
>> seq approach to detect a missing packet works in TCP, so why not for
>> us?
>>
> Because I am not a machine :)
>

I disagree. So does schoolhouse rock:
http://www.youtube.com/watch?v=Kdn0pPcTvN4

> I see we constantly fail at correctly numbering sequentially stuff,
> from new error numbers to OIDs and other stuff, so I do not see this as
> a big improvement. I am not saying people shouldn't use this method if
> so they prefer, but mandating it seems a bit too much.
>

It seems to be easy enough to do.

> Of course if others strongly feel this is the way to go, I will (try to)
> comply.
>

Let's give it a go for a few.

> Simo.
>
>

From ayoung at redhat.com Wed Oct 27 13:35:17 2010
From: ayoung at redhat.com (Adam Young)
Date: Wed, 27 Oct 2010 09:35:17 -0400
Subject: [Freeipa-devel] RFC wrt little snag in LDAPCreate when ipa_uuid manipulates the DN on entry add
In-Reply-To: <20101026232137.70bf7176@willson.li.ssimo.org>
References: <20101026232137.70bf7176@willson.li.ssimo.org>
Message-ID: <4CC82A95.7060201@redhat.com>

On 10/26/2010 11:21 PM, Simo Sorce wrote:
> So, I have been working on this ipa_uuid plugin as of late and one of
> the last tasks was to let it modify the RDN if ipaUniqueID is part of
> the DN of an entry we want to create.
>
> Example:
> dn: ipauniqueid=autogenerate,cn=hbac,dc=...
> cn: foo rule
> hbactype: allow
> ...
>
> 'autogenerate' is the magic value that makes the ipa_uuid plugin
> generate a uuid and set it on the entry.
>
> The problem is that LDAPCreate, after adding the entry will try to
> search it back immediately using the DN we passed in. This search will
> fail as the DN that is stored in LDAP is different (it has the
> generated uuid instead of 'autogenerate').
>
> So ideas on how to gracefully handle this are welcome.
>
> I discussed of 2 with Rob on IRC but we'd like more inputs (Pavel, that
> would be directed at you :-).
>
> 1. Ignore the error in calls that pass in a DN containing ipauniqueid
> as the RDN and perform a new search.
>
> 2. modify LDAPCreate so that we can pass in a filter. If the caller
> passes in a filter we use that instead of the DN to search the entry
> back.
>
> Simo.
>
>

I'm not up to speed on this code. Why do a find right after create?

From rcritten at redhat.com Wed Oct 27 13:44:42 2010
From: rcritten at redhat.com (Rob Crittenden)
Date: Wed, 27 Oct 2010 09:44:42 -0400
Subject: [Freeipa-devel] RFC wrt little snag in LDAPCreate when ipa_uuid manipulates the DN on entry add
In-Reply-To: <4CC82A95.7060201@redhat.com>
References: <20101026232137.70bf7176@willson.li.ssimo.org> <4CC82A95.7060201@redhat.com>
Message-ID: <4CC82CCA.9050104@redhat.com>

Adam Young wrote:
> On 10/26/2010 11:21 PM, Simo Sorce wrote:
>> So, I have been working on this ipa_uuid plugin as of late and one of
>> the last tasks was to let it modify the RDN if ipaUniqueID is part of
>> the DN of an entry we want to create.
>>
>> Example:
>> dn: ipauniqueid=autogenerate,cn=hbac,dc=...
>> cn: foo rule
>> hbactype: allow
>> ...
>>
>> 'autogenerate' is the magic value that makes the ipa_uuid plugin
>> generate a uuid and set it on the entry.
>>
>> The problem is that LDAPCreate, after adding the entry will try to
>> search it back immediately using the DN we passed in. This search will
>> fail as the DN that is stored in LDAP is different (it has the
>> generated uuid instead of 'autogenerate').
>>
>> So ideas on how to gracefully handle this are welcome.
>>
>> I discussed of 2 with Rob on IRC but we'd like more inputs (Pavel, that
>> would be directed at you :-).
>>
>> 1. Ignore the error in calls that pass in a DN containing ipauniqueid
>> as the RDN and perform a new search.
>>
>> 2. modify LDAPCreate so that we can pass in a filter. If the caller
>> passes in a filter we use that instead of the DN to search the entry
>> back.
>>
>> Simo.
>>
> I'm not up to speed on this code. Why do a find right after create?

Normally an add works like this.

* Use the get_dn() class method to create the dn based on the primary
  key and the container.
* call add_entry()
* do a get_entry() to retrieve the data we just added so we can show the
  user what we did.

In the case of HBAC and netgroups the dn contains the attribute
ipaUniqueId which is something we want to autogenerate. So the dn we
pass the add function isn't going to match the dn that gets written to
the database. The get_entry() is failing because we are trying to read
dn: ipauniqueid=autogenerate, ... and what got written was
dn: ipauniqueid=1092a93-9as9d-f...

So we need some way of finding the entry we just wrote, whose uniqueid
we don't know (but we know other stuff about it).

rob

From ssorce at redhat.com Wed Oct 27 13:45:51 2010
From: ssorce at redhat.com (Simo Sorce)
Date: Wed, 27 Oct 2010 09:45:51 -0400
Subject: [Freeipa-devel] RFC wrt little snag in LDAPCreate when ipa_uuid manipulates the DN on entry add
In-Reply-To: <4CC82A95.7060201@redhat.com>
References: <20101026232137.70bf7176@willson.li.ssimo.org> <4CC82A95.7060201@redhat.com>
Message-ID: <20101027094551.21be6166@willson.li.ssimo.org>

On Wed, 27 Oct 2010 09:35:17 -0400
Adam Young wrote:

> I'm not up to speed on this code. Why do a find right after create?

I guess to pick up all attributes added automatically by DS, not sure
why it just is.

Simo.

--
Simo Sorce * Red Hat, Inc * New York

From ayoung at redhat.com Wed Oct 27 13:49:35 2010
From: ayoung at redhat.com (Adam Young)
Date: Wed, 27 Oct 2010 09:49:35 -0400
Subject: [Freeipa-devel] Proposed standard for Patches: RFC
In-Reply-To: <4CC7127B.2010806@redhat.com>
References: <4CC7127B.2010806@redhat.com>
Message-ID: <4CC82DEF.90006@redhat.com>

Made a change based on a recommendation by Simo: project name now leads,
followed by user name.

Posted on the wiki here:

http://fedorahosted.org/freeipa/wiki/PatchFormat

From rcritten at redhat.com Wed Oct 27 13:48:44 2010
From: rcritten at redhat.com (Rob Crittenden)
Date: Wed, 27 Oct 2010 09:48:44 -0400
Subject: [Freeipa-devel] RFC wrt little snag in LDAPCreate when ipa_uuid manipulates the DN on entry add
In-Reply-To: <20101027094551.21be6166@willson.li.ssimo.org>
References: <20101026232137.70bf7176@willson.li.ssimo.org> <4CC82A95.7060201@redhat.com> <20101027094551.21be6166@willson.li.ssimo.org>
Message-ID: <4CC82DBC.70607@redhat.com>

Simo Sorce wrote:
> On Wed, 27 Oct 2010 09:35:17 -0400
> Adam Young wrote:
>
>> I'm not up to speed on this code. Why do a find right after create?
>
> I guess to pick up all attributes added automatically by DS, not sure
> why it just is.
>
> Simo.
>

Yes, that's exactly it. We have other autogenerated values (uid, gid) so
we fetch the entry to be sure we are representing things as they are.

rob

From ayoung at redhat.com Wed Oct 27 16:29:12 2010
From: ayoung at redhat.com (Adam Young) Date: Wed, 27 Oct 2010 12:29:12 -0400 Subject: [Freeipa-devel] RFC wrt little snag in LDAPCreate when ipa_uuid manipulates the DN on entry add In-Reply-To: <4CC82DBC.70607@redhat.com> References: <20101026232137.70bf7176@willson.li.ssimo.org> <4CC82A95.7060201@redhat.com> <20101027094551.21be6166@willson.li.ssimo.org> <4CC82DBC.70607@redhat.com> Message-ID: <4CC85358.3030509@redhat.com> On 10/27/2010 09:48 AM, Rob Crittenden wrote: > Simo Sorce wrote: >> On Wed, 27 Oct 2010 09:35:17 -0400 >> Adam Young wrote: >> >>> I'm not up to speed on this code. Why do a find right after create? >> >> I guess to pick up all attributes added automatically by DS, not sure >> why it just is. >> >> Simo. >> > > Yes, that's exactly it. We have other autogenerated values (uid, gid) > so we fetch the entry to be sure we are representing things as they are. > > rob So the case where the DN matches is degenrate case? I think the idea of having it as the default 'finder' but an alternative for the 'autogen' cases makes sense. Can we lump all of the autogen cases into a single option? From ssorce at redhat.com Wed Oct 27 16:41:31 2010 From: ssorce at redhat.com (Simo Sorce) Date: Wed, 27 Oct 2010 12:41:31 -0400 Subject: [Freeipa-devel] Fw: RFC wrt little snag in LDAPCreate when ipa_uuid manipulates the DN on entry add Message-ID: <20101027124131.7d3b4018@willson.li.ssimo.org> I just realized this was not sent to the list, but given it seem to work and fix my issues, here it is, I trust Pavel didn't send it to the list only by mistake. If not apologies. Simo. Begin forwarded message: Date: Wed, 27 Oct 2010 15:35:01 +0200 
From: Pavel Zuna To: Simo Sorce Subject: Re: [Freeipa-devel] RFC wrt little snag in LDAPCreate when ipa_uuid manipulates the DN on entry add On 10/27/2010 05:21 AM, Simo Sorce wrote: > > So, I have been working on this ipa_uuid plugin as of late and one of > the last tasks was to let it modify the RDN if ipaUniqueID is part of > the DN of an entry we want to create. > > Example: > dn: ipauniqueid=autogenerate,cn=hbac,dc=... > cn: foo rule > hbactype: allow > ... > > 'autogenerate' is the magic value that makes the ipa_uuid plugin > generate a uuid and set it on the entry. > > The problem is that LDAPCreate, after adding the entry will try to > search it back immediately using the DN we passed in. This search will > fail as the DN that is stored in LDAP is different (it has the > generated uuid instead of 'autogenerate'). > > So ideas on how to gracefully handle this are welcome. > > I discussed of 2 with Rob on IRC but we'd like more inputs (Pavel, > that would be directed at you :-). > > 1. Ignore the error in calls that pass in a DN containing ipauniqueid > as the RDN and perform a new search. > > 2. modify LDAPCreate so that we can pass in a filter. If the caller > passes in a filter we use that instead of the DN to search the entry > back. > > Simo. > This patch introduces a new variable in LDAPObject called rnd_attribute. It should be set to the attribute used in the entry DN if it differs from it's primary key. Example: 'ipauniqueid' is the RDN attribute for HBAC rules, but the primary key is 'cn'. I tested it very quickly, because I have to leave right now. It seemed to work. It should apply on top of your tree from fedorapeople. Try it out please, I'm running out of time and will get back to it later. Pavel -- Simo Sorce * Red Hat, Inc * New York -------------- next part -------------- A non-text attachment was scrubbed... 
Name: pzuna-freeipa-0034-rdnattr.patch Type: text/x-patch Size: 9159 bytes Desc: not available URL: From ssorce at redhat.com Wed Oct 27 16:42:01 2010 From: ssorce at redhat.com (Simo Sorce) Date: Wed, 27 Oct 2010 12:42:01 -0400 Subject: [Freeipa-devel] RFC wrt little snag in LDAPCreate when ipa_uuid manipulates the DN on entry add In-Reply-To: <4CC85358.3030509@redhat.com> References: <20101026232137.70bf7176@willson.li.ssimo.org> <4CC82A95.7060201@redhat.com> <20101027094551.21be6166@willson.li.ssimo.org> <4CC82DBC.70607@redhat.com> <4CC85358.3030509@redhat.com> Message-ID: <20101027124201.46138808@willson.li.ssimo.org> On Wed, 27 Oct 2010 12:29:12 -0400 Adam Young wrote: > On 10/27/2010 09:48 AM, Rob Crittenden wrote: > > Simo Sorce wrote: > >> On Wed, 27 Oct 2010 09:35:17 -0400 > >> Adam Young wrote: > >> > >>> I'm not up to speed on this code. Why do a find right after > >>> create? > >> > >> I guess to pick up all attributes added automatically by DS, not > >> sure why it just is. > >> > >> Simo. > >> > > > > Yes, that's exactly it. We have other autogenerated values (uid, > > gid) so we fetch the entry to be sure we are representing things as > > they are. > > > > rob > > > So the case where the DN matches is the degenerate case? I think the > idea of having it as the default 'finder' but an alternative for the > 'autogen' cases makes sense. Can we lump all of the autogen cases > into a single option? See Pavel's patch (I just forwarded it as I just realized it missed the list). Simo. -- Simo Sorce * Red Hat, Inc * New York From ayoung at redhat.com Wed Oct 27 17:44:45 2010 
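The lookup problem discussed in this thread, as an added example that is not FreeIPA code and not taken from the scrubbed patch: a constructed in-memory directory rewrites the magic RDN value on add, so re-reading by the DN that was sent fails, while re-reading by primary key succeeds. `FakeDirectory`, both function names, the `rdn_attr` parameter and the `dc=example,dc=com` suffix are assumptions made for illustration.

```python
import uuid

MAGIC = "autogenerate"  # magic RDN value quoted in the thread


class NotFound(Exception):
    """Raised when no entry matches the requested DN or key."""


class FakeDirectory:
    """Constructed stand-in for a directory server running a uuid plugin."""

    def __init__(self):
        self.entries = {}  # stored DN -> attribute dict

    def add(self, dn, attrs):
        rdn, _, parent = dn.partition(",")
        attr, _, value = rdn.partition("=")
        attrs = dict(attrs)
        if attr.lower() == "ipauniqueid" and value == MAGIC:
            # Server side: the magic value is replaced, which changes the DN.
            value = str(uuid.uuid4())
            attrs["ipauniqueid"] = value
        self.entries["%s=%s,%s" % (attr, value, parent)] = attrs
        # Like an LDAP add, nothing tells the caller what the final DN is.

    def get(self, dn):
        if dn not in self.entries:
            raise NotFound(dn)
        return dn, self.entries[dn]

    def find(self, base, attr, value):
        return [(dn, a) for dn, a in self.entries.items()
                if dn.endswith("," + base) and a.get(attr) == value]


def create_then_get_by_dn(directory, base, cn):
    """The failing pattern: re-read the entry using the DN that was sent."""
    dn = "ipauniqueid=%s,%s" % (MAGIC, base)
    directory.add(dn, {"cn": cn, "ipauniqueid": MAGIC})
    return directory.get(dn)  # raises NotFound, the stored DN differs


def create_then_find_by_pkey(directory, base, cn, primary_key="cn",
                             rdn_attr="ipauniqueid"):
    """Re-read by primary key when the RDN attribute is server-generated."""
    # The primary key is the only handle left after the add, so it has to
    # be unique under the container before the entry is created.
    if directory.find(base, primary_key, cn):
        raise ValueError("duplicate %s=%s" % (primary_key, cn))
    dn = "%s=%s,%s" % (rdn_attr, MAGIC, base)
    directory.add(dn, {primary_key: cn, rdn_attr: MAGIC})
    hits = directory.find(base, primary_key, cn)
    if len(hits) != 1:
        raise NotFound("expected one entry for %s=%s, got %d"
                       % (primary_key, cn, len(hits)))
    return hits[0]


if __name__ == "__main__":
    base = "cn=hbac,dc=example,dc=com"  # constructed suffix
    d = FakeDirectory()
    try:
        create_then_get_by_dn(d, base, "foo rule")
    except NotFound as exc:
        print("lookup by sent DN failed:", exc)
    print("lookup by primary key:", create_then_find_by_pkey(d, base, "bar rule"))
```

The first call still creates the entry; only the read-back fails, which is why the caller sees an error for an add that actually succeeded.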
From: ayoung at redhat.com (Adam Young) Date: Wed, 27 Oct 2010 13:44:45 -0400 Subject: [Freeipa-devel] [PATCH] freeipa-admiyo-freeipa-0069-Field-Errors.patch Message-ID: <4CC8650D.2010507@redhat.com> Field Errors Uses the pattern field of the metadata to see if the input for a given field is valid. If not, displays a red box with the contents of pattern_msg. To test this, I artificially modified the metadata for the Group description. -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-admiyo-freeipa-0069-Field-Errors.patch Type: text/x-patch Size: 3562 bytes Desc: not available URL: From rmeggins at redhat.com Wed Oct 27 20:52:17 2010 
From: rmeggins at redhat.com (Rich Megginson) Date: Wed, 27 Oct 2010 14:52:17 -0600 Subject: [Freeipa-devel] RFC wrt little snag in LDAPCreate when ipa_uuid manipulates the DN on entry add In-Reply-To: <4CC82DBC.70607@redhat.com> References: <20101026232137.70bf7176@willson.li.ssimo.org> <4CC82A95.7060201@redhat.com> <20101027094551.21be6166@willson.li.ssimo.org> <4CC82DBC.70607@redhat.com> Message-ID: <4CC89101.9020607@redhat.com> Rob Crittenden wrote: > Simo Sorce wrote: >> On Wed, 27 Oct 2010 09:35:17 -0400 >> Adam Young wrote: >> >>> I'm not up to speed on this code. Why do a find right after create? >> >> I guess to pick up all attributes added automatically by DS, not sure >> why it just is. >> >> Simo. >> > > Yes, that's exactly it. We have other autogenerated values (uid, gid) > so we fetch the entry to be sure we are representing things as they are. One enhancement we have discussed adding to 389 is a control sent with update operations - the control response would contain the values of generated attributes, to remove the need to immediately perform a search to get attributes such as uniqueid, uid, gid, createTimestamp, etc. Is this something IPA would be interested in? There has already been some discussion (a long time ago) on the 389 lists. afaik there is no LDAP proposed standard feature for this. > > rob > > _______________________________________________ > Freeipa-devel mailing list > Freeipa-devel at redhat.com > https://www.redhat.com/mailman/listinfo/freeipa-devel From ssorce at redhat.com Wed Oct 27 21:12:39 2010 
From: ssorce at redhat.com (Simo Sorce) Date: Wed, 27 Oct 2010 17:12:39 -0400 Subject: [Freeipa-devel] [PATCH] #412 Make always use of special salt type Message-ID: <20101027171239.06113e37@willson.li.ssimo.org> By using the special salt type and generating a random salt we can rename user's principal name without invalidating their password. This works only if pre-authentication is required, but that's how we configure our server anyway. This patch does not disallow "normal" salts, but if used they will prevent renames from working correctly. By default special is used. Simo. -- Simo Sorce * Red Hat, Inc * New York -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-simo-0001-pwd-plugin-Always-use-a-special-salt-by-default.patch Type: text/x-patch Size: 4704 bytes Desc: not available URL: From ssorce at redhat.com Wed Oct 27 21:28:55 2010 
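Why a stored random salt survives a principal rename while the default salt does not, as an added example that is not code from the patch or from FreeIPA. It models only the PBKDF2 stage of the AES string-to-key function from RFC 3962 (the final key-derivation step is left out), and `KdcRecord`, its methods and the sample principals are constructed for illustration.

```python
import hashlib
import hmac
import os

ITERATIONS = 4096  # default iteration count in RFC 3962


def default_salt(principal):
    """RFC 4120 default salt: realm, then the name components, no separators."""
    name, _, realm = principal.rpartition("@")
    return (realm + name.replace("/", "")).encode("utf-8")


def string_to_key(password, salt):
    """PBKDF2-HMAC-SHA1 stage of the AES string-to-key (simplified)."""
    return hashlib.pbkdf2_hmac("sha1", password.encode("utf-8"), salt,
                               ITERATIONS, 32)


class KdcRecord:
    """Constructed model of what the KDC keeps for one principal."""

    def __init__(self, principal, password, special=True):
        self.principal = principal
        # special: a random salt is stored next to the key.
        # normal: nothing is stored, the salt is implied by the name.
        self.salt = os.urandom(16) if special else None
        self.key = string_to_key(password, self.effective_salt())

    def effective_salt(self):
        """Salt a client ends up using for this principal right now."""
        if self.salt is not None:
            return self.salt  # handed to the client by the KDC
        return default_salt(self.principal)

    def rename(self, new_principal):
        # Only the name changes. The KDC holds no password, so it cannot
        # re-derive the key for the new default salt.
        self.principal = new_principal

    def password_ok(self, password):
        candidate = string_to_key(password, self.effective_salt())
        return hmac.compare_digest(candidate, self.key)


if __name__ == "__main__":
    pw = "constructed-sample-password"
    for special in (False, True):
        rec = KdcRecord("alice@EXAMPLE.COM", pw, special=special)
        before = rec.password_ok(pw)
        rec.rename("alice.smith@EXAMPLE.COM")
        print("special" if special else "normal ",
              "before rename:", before, "after rename:", rec.password_ok(pw))
```

The client can only use the stored salt if the KDC tells it what that salt is, which is the dependency on pre-authentication the message mentions.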
From: ssorce at redhat.com (Simo Sorce) Date: Wed, 27 Oct 2010 17:28:55 -0400 Subject: [Freeipa-devel] RFC wrt little snag in LDAPCreate when ipa_uuid manipulates the DN on entry add In-Reply-To: <4CC89101.9020607@redhat.com> References: <20101026232137.70bf7176@willson.li.ssimo.org> <4CC82A95.7060201@redhat.com> <20101027094551.21be6166@willson.li.ssimo.org> <4CC82DBC.70607@redhat.com> <4CC89101.9020607@redhat.com> Message-ID: <20101027172855.1c6bb86a@willson.li.ssimo.org> On Wed, 27 Oct 2010 14:52:17 -0600 Rich Megginson wrote: > Rob Crittenden wrote: > > Simo Sorce wrote: > >> On Wed, 27 Oct 2010 09:35:17 -0400 > >> Adam Young wrote: > >> > >>> I'm not up to speed on this code. Why do a find right after > >>> create? > >> > >> I guess to pick up all attributes added automatically by DS, not > >> sure why it just is. > >> > >> Simo. > >> > > > > Yes, that's exactly it. We have other autogenerated values (uid, > > gid) so we fetch the entry to be sure we are representing things as > > they are. > One enhancement we have discussed adding to 389 is a control sent > with update operations - the control response would contain the > values of generated attributes, to remove the need to immediately > perform a search to get attributes such as uniqueid, uid, gid, > createTimestamp, etc. Is this something IPA would be interested in? > There has already been some discussion (a long time ago) on the 389 > lists. afaik there is no LDAP proposed standard feature for this. Looks like an interesting thing. It would also help esp. in the case we change the DN under users' noses. But the patch Pavel sent seems to deal well with the current contingency. Still I would mark it as a nice to have. Simo. -- Simo Sorce * Red Hat, Inc * New York From rcritten at redhat.com Thu Oct 28 02:25:26 2010 
From: rcritten at redhat.com (Rob Crittenden) Date: Wed, 27 Oct 2010 22:25:26 -0400 Subject: [Freeipa-devel] [PATCH] #333 plugin to change kerberos principal name when user is renamed In-Reply-To: <20101022173835.28204736@willson.li.ssimo.org> References: <20101022173835.28204736@willson.li.ssimo.org> Message-ID: <4CC8DF16.4010200@redhat.com> Simo Sorce wrote: > > This plugin intercepts a modrdn change so that when a user is renamed > the krbprincipalname is changed accordingly. > > The second patch activates the plugin. > > Simo. ack x2 rob From rcritten at redhat.com Thu Oct 28 02:25:49 2010 From: rcritten at redhat.com (Rob Crittenden) Date: Wed, 27 Oct 2010 22:25:49 -0400 Subject: [Freeipa-devel] [PATCH] plugins slim down In-Reply-To: <20101025182440.77ee5be7@willson.li.ssimo.org> References: <20101025182440.77ee5be7@willson.li.ssimo.org> Message-ID: <4CC8DF2D.6050502@redhat.com> Simo Sorce wrote: > I had some unused functions in the uuid and modrdn plugins, due to > copy&paste. > > Remove unused functions. > > Simo. ack x2 From rcritten at redhat.com Thu Oct 28 02:26:12 2010 
From: rcritten at redhat.com (Rob Crittenden) Date: Wed, 27 Oct 2010 22:26:12 -0400 Subject: [Freeipa-devel] [PATCHES] UUID Plugin: Code fixes and cleanups In-Reply-To: <20101025182842.3e632d66@willson.li.ssimo.org> References: <20101025182842.3e632d66@willson.li.ssimo.org> Message-ID: <4CC8DF44.5080300@redhat.com> Simo Sorce wrote: > > These are a few minor fixes and cleanups I split in multiple patches > for easier review. > > 1. makes sure we reset the generate flag at every loop, so that we do > not risk a false positive if multiple UUIDs are generated on an entry. > > 2. makes unlocks safer by tracking when we need to unlock and doing so > in the cleanup code. This is necessary as later code will be introduced > that may error out in the middle of the main loop. > > 3. tidy up some code and remove one nesting level (hopefully making > stuff slightly more readable). This is possible thanks to (2). > > Simo. ack x3 From rcritten at redhat.com Thu Oct 28 02:26:53 2010 
From: rcritten at redhat.com (Rob Crittenden) Date: Wed, 27 Oct 2010 22:26:53 -0400 Subject: [Freeipa-devel] [PATCH] UUID Plugin: add "enforce" option In-Reply-To: <20101025183407.583610aa@willson.li.ssimo.org> References: <20101025183407.583610aa@willson.li.ssimo.org> Message-ID: <4CC8DF6D.6020802@redhat.com> Simo Sorce wrote: > > When the ipaUuidEnforce option is set to TRUE only the Directory > Manager is allowed to set arbitrary values. Any attempt to set > values != the ipaUuidGenerate value by non DirMgr users will throw an > error. > > This is useful to enforce UUIDs are always set by the server. > > At this moment normal users are still allowed to modify the value so > that the uuid is regenerated (and therefore changed, although not with > arbitrary values). If modifications are unwanted I guess we can easily > add an ACI that allows someone to add the attribute but not modify it > afterwards. > > Currently the install code does not yet set the plugin into enforcing > mode as that would break all ipa tools, tomorrow I plan to go through > the framework code and rip off the uuid stuff and finally change the > default to enforcing for the ipaUniqueID attribute once all client code > is converted to always set only "0" on creation. > > Simo. > Ack. I think we still have some acis controlling access to ipauniqueid. I think we can remove them and save a few cycles in the DS aci subsystem. rob From rcritten at redhat.com Thu Oct 28 02:28:23 2010 
From: rcritten at redhat.com (Rob Crittenden) Date: Wed, 27 Oct 2010 22:28:23 -0400 Subject: [Freeipa-devel] [PATCHES] Address #413 and Complete UUID related changes In-Reply-To: <20101027083116.15bd83bd@willson.li.ssimo.org> References: <20101027083116.15bd83bd@willson.li.ssimo.org> Message-ID: <4CC8DFC7.9010306@redhat.com> Simo Sorce wrote: > > These patches apply on top of the previous ipa_uuid related patches. > > #1 handles automatic generation of the uuid when the uuid > attribute is the RDN (fixes #413). > > #2 prevents cases of false positives when enforcing is set and we are > handling a simple modification of an object that falls into the plugin > scope. > > #3 remove the python uuid plugin and changes all callers to always pass > in the special value 'autogenerate' for the ipauniqueid attribute. This > way uuids are generated server side. > > > #3 introduces a problem with the baseldap class LDAPCreate, because > that class always tries to reuse the passed in DN to lookup the entry > after creation. Unfortunately when ipaUniqueID is part of the DN, the > DN is changed on add so the lookup using the special "autogenerate" > value will fail. Pavel is looking into it to provide an alternative way > to lookup the entry in these cases. > > Simo. There is one minor problem in the 3rd patch. The admin user has the wrong magic value for ipauniqueid. Fix that and you have a pre-ack x3. rob From edewata at redhat.com Thu Oct 28 03:24:16 2010 
From: edewata at redhat.com (Endi Sukma Dewata) Date: Wed, 27 Oct 2010 22:24:16 -0500 Subject: [Freeipa-devel] [PATCH] freeipa-admiyo-freeipa-0069-Field-Errors.patch In-Reply-To: <4CC8650D.2010507@redhat.com> References: <4CC8650D.2010507@redhat.com> Message-ID: <4CC8ECE0.6040200@redhat.com> On 10/27/2010 12:44 PM, Adam Young wrote: > Field Errors > Uses the pattern field of the metadata to see if the input for a given > field is valid. If not, displays a red box with the contents of pattern_msg > > To test this, I artificially modified the meta data for the Group > description ACKed and pushed to master. Note: the pattern is rather restrictive for a description, but the functionality works. -- Endi S. Dewata From edewata at redhat.com Thu Oct 28 03:51:02 2010 
From: edewata at redhat.com (Endi Sukma Dewata) Date: Wed, 27 Oct 2010 22:51:02 -0500 Subject: [Freeipa-devel] [PATCH] Framework for custom UI In-Reply-To: <4CC70460.5060304@redhat.com> References: <4CC70460.5060304@redhat.com> Message-ID: <4CC8F326.7070603@redhat.com> Hi, Please review the attached patch. Thanks! https://fedorahosted.org/reviewboard/r/97/diff/2/ This patch introduces a new framework for implementing custom UI. It consists of the following classes: Main: - IPA: global namespace and object repository - ipa_entity: base class for entities - ipa_facet: base class for facets Add dialog: - ipa_add_dialog: default add dialog - ipa_add_field: the fields used in the dialog Search facet: - ipa_search_facet: default search facet - ipa_search_column: the columns in the search result Details facet: - ipa_details_facet: default details facet - ipa_details_section: the sections in the details facet - ipa_details_field: the fields in the details facet Association facet: - ipa_association_facet: default association facet - ipa_association_config: the association configurations To use this framework, create a class extending the ipa_entity (e.g. ipa_hbac). Use the create_* methods to create add dialog, search facet, details facet, and association facet. The fields/columns for the dialog and facets can be specified using the init() function. Custom UI can be defined by overwriting the base methods (e.g. setup, save, load). The entity must be added into the repository using IPA.add_entity(). The original ipa_entity_setup() has been generalized by moving facet-specific codes into the corresponding facet. Some facet names are still hard-coded. This will be fixed in follow-up patches. 
Some global variables have been removed because their function has been replaced by the object repository: - ipa_entity_add_list - ipa_entity_search_list - ipa_entity_details_list - window_hash_cache Some functions and variables have been moved into IPA namespace: - ipa_json_url -> IPA.json_url - ipa_use_static_files -> IPA.use_static_files - ipa_ajax_options -> IPA.ajax_options - ipa_objs -> IPA.metadata - ipa_messages -> IPA.messages - ipa_dialog -> IPA.error_dialog - ipa_init() -> IPA.init() Initially the HBAC and Service entities have been rewritten to use the new framework. The DNS is partially converted, the ipa_records_facet is used to define custom records facet. Other entities can still work using the old framework. The old framework has been modified to be a wrapper for the new framework. Eventually all entities will be converted to use the new framework. Some unit tests have been modified to use the new framework. -- Endi S. Dewata -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-edewata-0024-2-Framework-for-custom-UI.patch Type: text/x-patch Size: 106374 bytes Desc: not available URL: From ssorce at redhat.com Thu Oct 28 11:59:37 2010 From: ssorce at redhat.com (Simo Sorce) Date: Thu, 28 Oct 2010 07:59:37 -0400 Subject: [Freeipa-devel] [PATCH] #333 plugin to change kerberos principal name when user is renamed In-Reply-To: <4CC8DF16.4010200@redhat.com> References: <20101022173835.28204736@willson.li.ssimo.org> <4CC8DF16.4010200@redhat.com> Message-ID: <20101028075937.717cb860@willson.li.ssimo.org> On Wed, 27 Oct 2010 22:25:26 -0400 Rob Crittenden wrote: > Simo Sorce wrote: > > > > This plugin intercepts a modrdn change so that when a user is > > renamed the krbprincipalname is changhed accordingly. > > > > The second patch activates the plugin. > > > > Simo. > > ack x2 > > rob pushed to master -- Simo Sorce * Red Hat, Inc * New York From ssorce at redhat.com Thu Oct 28 11:59:46 2010 
From: ssorce at redhat.com (Simo Sorce) Date: Thu, 28 Oct 2010 07:59:46 -0400 Subject: [Freeipa-devel] [PATCH] plugins slim down In-Reply-To: <4CC8DF2D.6050502@redhat.com> References: <20101025182440.77ee5be7@willson.li.ssimo.org> <4CC8DF2D.6050502@redhat.com> Message-ID: <20101028075946.266c57cc@willson.li.ssimo.org> On Wed, 27 Oct 2010 22:25:49 -0400 Rob Crittenden wrote: > Simo Sorce wrote: > > I had some unusued functions in the uuid and modrdn plugins, do to > > copy&paste. > > > > Remove unused functions. > > > > Simo. > > ack x2 pushed both to master -- Simo Sorce * Red Hat, Inc * New York From ssorce at redhat.com Thu Oct 28 11:59:57 2010 From: ssorce at redhat.com (Simo Sorce) Date: Thu, 28 Oct 2010 07:59:57 -0400 Subject: [Freeipa-devel] [PATCHES] UUID Plugin: Code fixes and cleanups In-Reply-To: <4CC8DF44.5080300@redhat.com> References: <20101025182842.3e632d66@willson.li.ssimo.org> <4CC8DF44.5080300@redhat.com> Message-ID: <20101028075957.5f6f383c@willson.li.ssimo.org> On Wed, 27 Oct 2010 22:26:12 -0400 Rob Crittenden wrote: > Simo Sorce wrote: > > > > These are a few minor fixes and cleanups I split in multiple patches > > for easier review. > > > > 1. makes sure we reset the generate flag at every loop, so that we > > do not risk a false positive if multiple UUIDs are generated on an > > entry. > > > > 2. makes unlocks safer by tracking when we need to unlock and doing > > so in the cleanup code. This is necessary as later code will be > > introduced that may error out in the middle of the main loop. > > > > 3. tidy up some code and remove one nesting level (hopefully making > > stuff slightly more readable). This is possible thanks to (2). > > > > Simo. > > ack x3 pushed all to master -- Simo Sorce * Red Hat, Inc * New York From ssorce at redhat.com Thu Oct 28 12:00:31 2010 
From: ssorce at redhat.com (Simo Sorce) Date: Thu, 28 Oct 2010 08:00:31 -0400 Subject: [Freeipa-devel] [PATCH] UUID Plugin: add "enforce" option In-Reply-To: <4CC8DF6D.6020802@redhat.com> References: <20101025183407.583610aa@willson.li.ssimo.org> <4CC8DF6D.6020802@redhat.com> Message-ID: <20101028080031.05a21a2f@willson.li.ssimo.org> On Wed, 27 Oct 2010 22:26:53 -0400 Rob Crittenden wrote: > Simo Sorce wrote: > > > > When the ipaUuidEnforce option is set to TRUE only the Directory > > Manager is allowed to set arbitrary values. Any attempt to set > > values != the ipaUuidGenerate value by non DirMgr users will throw > > an error. > > > > This is useful to enforce UUIDs are always set by the server. > > > > At this moment normal users are still allowed to modify the value so > > that the uuid is regenerated (and therefore changed, although not > > with arbitrary values). If modifications are unwanted I guess we > > can easily add an ACI that allow someone to add the attribute but > > mot modify it afterwards. > > > > Currently the install code does not yet set the plugin into > > enforcing mode as that would break all ipa tools, tomorrow I plan > > to go through the framework code and rip off the uuid stuff and > > finally change the default to enforcing for the ipaUniqueID > > attribute once all client code is converted to always set only "0" > > on creation. > > > > Simo. > > > > Ack. pushed to master > I think we still have some acis controlling access to ipauniqueid. I > think we can remove them and save a few cycles in the DS aci > subsystem. Ok I will check what's left and propose a separate patch. Simo. -- Simo Sorce * Red Hat, Inc * New York From ssorce at redhat.com Thu Oct 28 12:00:59 2010 
From: ssorce at redhat.com (Simo Sorce) Date: Thu, 28 Oct 2010 08:00:59 -0400 Subject: [Freeipa-devel] [PATCHES] Address #413 and Complete UUID related changes In-Reply-To: <4CC8DFC7.9010306@redhat.com> References: <20101027083116.15bd83bd@willson.li.ssimo.org> <4CC8DFC7.9010306@redhat.com> Message-ID: <20101028080059.39db600a@willson.li.ssimo.org> On Wed, 27 Oct 2010 22:28:23 -0400 Rob Crittenden wrote: > Simo Sorce wrote: > > > > These patches apply on top of the previous ipa_uuid related patches. > > > > #1 handles automatic generation of the uuid when the uuid > > attribute is the RDN (fixes #413). > > > > #2 prevents cases of false positives when enforcing is set and we > > are handling a simple modification of an object that falls into the > > plugin scope. > > > > #3 remove the python uuid plugin and changes all callers to always > > pass in the special value 'autogenerate' for the ipauniqueid > > attribute. This way uuids are generated server side. > > > > > > #3 introduces a problem with the baseldap class LDAPCreate, because > > that calss always tries to reuse the passed in DN to lookup the > > entry after creation. Unfortunately when ipaUniqueID is part of the > > DN, the DN is changed on add so the lookup using the special > > "autogenerate" value will fail. Pavel is looking into it to provide > > an alternative way to lookup the entry in these cases. > > > > Simo. > > There is one minor problem in the 3rd patch. The admin user has the > wrong magic value for ipauniqueid. Fix that and you have a pre-ack x3. Fixed admin in the bootstrap template and pushed to master Simo. -- Simo Sorce * Red Hat, Inc * New York From ssorce at redhat.com Thu Oct 28 12:02:04 2010 
From: ssorce at redhat.com (Simo Sorce) Date: Thu, 28 Oct 2010 08:02:04 -0400 Subject: [Freeipa-devel] Fw: RFC wrt little snag in LDAPCreate when ipa_uuid manipulates the DN on entry add In-Reply-To: <20101027124131.7d3b4018@willson.li.ssimo.org> References: <20101027124131.7d3b4018@willson.li.ssimo.org> Message-ID: <20101028080204.002ef997@willson.li.ssimo.org> > This patch introduces a new variable in LDAPObject called > rnd_attribute. It should be set to the attribute used in the entry DN > if it differs from it's primary key. Example: 'ipauniqueid' is the RDN > attribute for HBAC rules, but the primary key is 'cn'. > > I tested it very quickly, because I have to leave right now. It seemed > to work. > > It should apply on top of your tree from fedorapeople. > > Try it out please, I'm running out of time and will get back to it > later. > > Pavel ack and pushed to master Simo. -- Simo Sorce * Red Hat, Inc * New York From ssorce at redhat.com Thu Oct 28 12:40:14 2010 From: ssorce at redhat.com (Simo Sorce) Date: Thu, 28 Oct 2010 08:40:14 -0400 Subject: [Freeipa-devel] [PATCH] 582 allow rdn changes In-Reply-To: <4CBC988D.6030706@redhat.com> References: <4CBC988D.6030706@redhat.com> Message-ID: <20101028084014.0a8636b9@willson.li.ssimo.org> On Mon, 18 Oct 2010 14:57:17 -0400 Rob Crittenden wrote: > Allow RDN changes for users, groups, rolegroups and taskgroups. > > To do a change right now you have to perform a setattr like: > > ipa user-mod --setattr uid=newuser olduser > > The RDN change is performed before the rest of the mods. If the RDN > change is the only change done then the EmptyModlist that > update_entry() throws is ignored. > > ticket 323 > > rob Rebased to fix a conflict, tested, acked and pushed to master! Simo. -- Simo Sorce * Red Hat, Inc * New York From edewata at redhat.com Thu Oct 28 15:02:58 2010 
From: edewata at redhat.com (Endi Sukma Dewata) Date: Thu, 28 Oct 2010 10:02:58 -0500 Subject: [Freeipa-devel] [PATCH] Dialog boxes for AJAX, HTTP, and IPA errors. In-Reply-To: <4CBE0D84.5040005@redhat.com> References: <4CBE0D84.5040005@redhat.com> Message-ID: <4CC990A2.6030406@redhat.com> On 10/19/2010 4:28 PM, Endi Sukma Dewata wrote: > https://fedorahosted.org/reviewboard/r/95/ > > The ipa_cmd() has been modified to identify the type of the error > it has received and display the error using the right dialog box. > The dialog box can be customized further to display the appropriate > amount of information for each type of error. I've rebased this patch on top of my patch #24. Thanks! -- Endi S. Dewata -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-edewata-0023-2-Dialog-boxes-for-AJAX-HTTP-and-IPA-errors.patch Type: text/x-patch Size: 7417 bytes Desc: not available URL: From ayoung at redhat.com Thu Oct 28 17:10:47 2010 
From: ayoung at redhat.com (Adam Young) Date: Thu, 28 Oct 2010 13:10:47 -0400 Subject: [Freeipa-devel] [PATCH] Framework for custom UI In-Reply-To: <4CC8F326.7070603@redhat.com> References: <4CC70460.5060304@redhat.com> <4CC8F326.7070603@redhat.com> Message-ID: <4CC9AE97.8060108@redhat.com> On 10/27/2010 11:51 PM, Endi Sukma Dewata wrote: > Hi, > > Please review the attached patch. Thanks! > > https://fedorahosted.org/reviewboard/r/97/diff/2/ > > This patch introduces a new framework for implementing custom UI. > It consists of the following classes: > > Main: > - IPA: global namespace and object repository > - ipa_entity: base class for entities > - ipa_facet: base class for facets > > Add dialog: > - ipa_add_dialog: default add dialog > - ipa_add_field: the fields used in the dialog > > Search facet: > - ipa_search_facet: default search facet > - ipa_search_column: the columns in the search result > > Details facet: > - ipa_details_facet: default details facet > - ipa_details_section: the sections in the details facet > - ipa_details_field: the fields in the details facet > > Association facet: > - ipa_association_facet: default association facet > - ipa_association_config: the association configurations > > To use this framework, create a class extending the ipa_entity (e.g. > ipa_hbac). Use the create_* methods to create add dialog, search facet, > details facet, and association facet. The fields/columns for the dialog > and facets can be specified using the init() function. Custom UI can be > defined by overwriting the base methods (e.g. setup, save, load). > The entity must be added into the repository using IPA.add_entity(). > > The original ipa_entity_setup() has been generalized by moving facet- > specific codes into the corresponding facet. Some facet names are still > hard-coded. This will be fixed in follow-up patches. 
> > Some global variables have been removed because their function has been > replaced by the object repository: > - ipa_entity_add_list > - ipa_entity_search_list > - ipa_entity_details_list > - window_hash_cache > > Some functions and variables have been moved into IPA namespace: > - ipa_json_url -> IPA.json_url > - ipa_use_static_files -> IPA.use_static_files > - ipa_ajax_options -> IPA.ajax_options > - ipa_objs -> IPA.metadata > - ipa_messages -> IPA.messages > - ipa_dialog -> IPA.error_dialog > - ipa_init() -> IPA.init() > > Initially the HBAC and Service entities have been rewritten to use the > new framework. The DNS is partially converted, the ipa_records_facet > is used to define custom records facet. > > Other entities can still work using the old framework. The old framework > has been modified to be a wrapper for the new framework. Eventually all > entities will be converted to use the new framework. > > Some unit tests have been modified to use the new framework. > > > _______________________________________________ > Freeipa-devel mailing list > Freeipa-devel at redhat.com > https://www.redhat.com/mailman/listinfo/freeipa-devel ACK -------------- next part -------------- An HTML attachment was scrubbed... URL: From ayoung at redhat.com Thu Oct 28 17:11:25 2010 
From: ayoung at redhat.com (Adam Young) Date: Thu, 28 Oct 2010 13:11:25 -0400 Subject: [Freeipa-devel] [PATCH] Framework for custom UI In-Reply-To: <4CC8F326.7070603@redhat.com> References: <4CC70460.5060304@redhat.com> <4CC8F326.7070603@redhat.com> Message-ID: <4CC9AEBD.6070809@redhat.com> On 10/27/2010 11:51 PM, Endi Sukma Dewata wrote: > Hi, > > Please review the attached patch. Thanks! > > https://fedorahosted.org/reviewboard/r/97/diff/2/ > > This patch introduces a new framework for implementing custom UI. > It consists of the following classes: > > Main: > - IPA: global namespace and object repository > - ipa_entity: base class for entities > - ipa_facet: base class for facets > > Add dialog: > - ipa_add_dialog: default add dialog > - ipa_add_field: the fields used in the dialog > > Search facet: > - ipa_search_facet: default search facet > - ipa_search_column: the columns in the search result > > Details facet: > - ipa_details_facet: default details facet > - ipa_details_section: the sections in the details facet > - ipa_details_field: the fields in the details facet > > Association facet: > - ipa_association_facet: default association facet > - ipa_association_config: the association configurations > > To use this framework, create a class extending the ipa_entity (e.g. > ipa_hbac). Use the create_* methods to create add dialog, search facet, > details facet, and association facet. The fields/columns for the dialog > and facets can be specified using the init() function. Custom UI can be > defined by overwriting the base methods (e.g. setup, save, load). > The entity must be added into the repository using IPA.add_entity(). > > The original ipa_entity_setup() has been generalized by moving facet- > specific codes into the corresponding facet. Some facet names are still > hard-coded. This will be fixed in follow-up patches. 
> > Some global variables have been removed because their function has been > replaced by the object repository: > - ipa_entity_add_list > - ipa_entity_search_list > - ipa_entity_details_list > - window_hash_cache > > Some functions and variables have been moved into IPA namespace: > - ipa_json_url -> IPA.json_url > - ipa_use_static_files -> IPA.use_static_files > - ipa_ajax_options -> IPA.ajax_options > - ipa_objs -> IPA.metadata > - ipa_messages -> IPA.messages > - ipa_dialog -> IPA.error_dialog > - ipa_init() -> IPA.init() > > Initially the HBAC and Service entities have been rewritten to use the > new framework. The DNS is partially converted, the ipa_records_facet > is used to define custom records facet. > > Other entities can still work using the old framework. The old framework > has been modified to be a wrapper for the new framework. Eventually all > entities will be converted to use the new framework. > > Some unit tests have been modified to use the new framework. > > > _______________________________________________ > Freeipa-devel mailing list > Freeipa-devel at redhat.com > https://www.redhat.com/mailman/listinfo/freeipa-devel Pushed to master -------------- next part -------------- An HTML attachment was scrubbed... URL: From ayoung at redhat.com Thu Oct 28 17:14:32 2010 
From: ayoung at redhat.com (Adam Young) Date: Thu, 28 Oct 2010 13:14:32 -0400 Subject: [Freeipa-devel] [PATCH] Dialog boxes for AJAX, HTTP, and IPA errors. In-Reply-To: <4CC990A2.6030406@redhat.com> References: <4CBE0D84.5040005@redhat.com> <4CC990A2.6030406@redhat.com> Message-ID: <4CC9AF78.3020902@redhat.com> On 10/28/2010 11:02 AM, Endi Sukma Dewata wrote: > On 10/19/2010 4:28 PM, Endi Sukma Dewata wrote: >> https://fedorahosted.org/reviewboard/r/95/ >> >> The ipa_cmd() has been modified to identity the type of the error >> it has received and display the error using the right dialog box. >> The dialog box can be customized further to display the appropriate >> amount of information for each type of error. > > I've rebased this patch on top of my patch #24. Thanks! > > > _______________________________________________ > Freeipa-devel mailing list > Freeipa-devel at redhat.com > https://www.redhat.com/mailman/listinfo/freeipa-devel ACK. Pushed to master -------------- next part -------------- An HTML attachment was scrubbed... URL: From ayoung at redhat.com Thu Oct 28 17:39:56 2010 
From: ayoung at redhat.com (Adam Young) Date: Thu, 28 Oct 2010 13:39:56 -0400 Subject: [Freeipa-devel] [PATCH] 587 get effective rights in *-show In-Reply-To: <4CC644E7.60906@redhat.com> References: <4CC644E7.60906@redhat.com> Message-ID: <4CC9B56C.1080903@redhat.com> On 10/25/2010 11:03 PM, Rob Crittenden wrote: > Add --rights flag to *-show in baseldap so you can retrieve the > effective rights to modify the entry you are viewing. > > The output is a dict of attributes. Each value is a list of rights. > > It is pretty nasty looking output so I'm only displaying it when --all > is used. This is designed for the UI which uses this anyway. > > rob > > > _______________________________________________ > Freeipa-devel mailing list > Freeipa-devel at redhat.com > https://www.redhat.com/mailman/listinfo/freeipa-devel Here's a version with the typo fixed, and that returns the rights as a single string. It reduces the wire size by a third. -------------- next part -------------- An HTML attachment was scrubbed... URL: -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-587-2-ger.patch Type: text/x-patch Size: 1969 bytes Desc: not available URL: From ayoung at redhat.com Thu Oct 28 18:36:13 2010 
From: ayoung at redhat.com (Adam Young)
Date: Thu, 28 Oct 2010 14:36:13 -0400
Subject: [Freeipa-devel] [PATCH] 587 get effective rights in *-show
In-Reply-To: <4CC9B56C.1080903@redhat.com>
References: <4CC644E7.60906@redhat.com> <4CC9B56C.1080903@redhat.com>
Message-ID: <4CC9C29D.8050403@redhat.com>

On 10/28/2010 01:39 PM, Adam Young wrote:
> On 10/25/2010 11:03 PM, Rob Crittenden wrote:
>> Add --rights flag to *-show in baseldap so you can retrieve the
>> effective rights to modify the entry you are viewing.
>>
>> The output is a dict of attributes. Each value is a list of rights.
>>
>> It is pretty nasty looking output so I'm only displaying it when
>> --all is used. This is designed for the UI which uses this anyway.
>>
>> rob
> Here's a version with the typo fixed, and that returns the rights as a
> single string. It reduces the wire size by a third.

ACKed (with the change) and pushed to master

From rcritten at redhat.com Thu Oct 28 18:43:24 2010
From: rcritten at redhat.com (Rob Crittenden)
Date: Thu, 28 Oct 2010 14:43:24 -0400
Subject: [Freeipa-devel] [PATCH] 591 improve error reporting when adding/removing members
Message-ID: <4CC9C44C.3090309@redhat.com>

Return reason for failure when updating group membership fails.

We used to return a list of dns that failed to be added. We now return
a list of tuples instead. The tuple looks like (dn, reason) where
reason is the exception that was returned.

Also made the label we use for failures to be singular instead of
plural since we now print them out individually instead of as
comma-separated.

https://fedorahosted.org/freeipa/ticket/270

$ ipa group-add-member --users=tuser9,tuser1 --groups=g1 g1
Group name: g1
Description: g1
GID: 1332445043
Member users: tuser1
Failed members:
user: tuser9: no such entry
user: tuser1: This entry is already a member of the group
group: g1: A group may not be added as a member of itself
-------------------------
Number of members added 0
-------------------------

rob

-------------- next part --------------
A non-text attachment was scrubbed...
Name: rcrit-freeipa-591-fail.patch
Type: application/mbox
Size: 15035 bytes
Desc: not available

From ayoung at redhat.com Thu Oct 28 18:56:24 2010
From: ayoung at redhat.com (Adam Young)
Date: Thu, 28 Oct 2010 14:56:24 -0400
Subject: [Freeipa-devel] [PATCH] 591 improve error reporting when adding/removing members
In-Reply-To: <4CC9C44C.3090309@redhat.com>
References: <4CC9C44C.3090309@redhat.com>
Message-ID: <4CC9C758.4010708@redhat.com>

On 10/28/2010 02:43 PM, Rob Crittenden wrote:
> Return reason for failure when updating group membership fails.
>
> We used to return a list of dns that failed to be added. We now return
> a list of tuples instead. The tuple looks like (dn, reason) where
> reason is the exception that was returned.
>
> Also made the label we use for failures to be singular instead of
> plural since we now print them out individually instead of as
> comma-separated.
>
> https://fedorahosted.org/freeipa/ticket/270
>
> $ ipa group-add-member --users=tuser9,tuser1 --groups=g1 g1
> Group name: g1
> Description: g1
> GID: 1332445043
> Member users: tuser1
> Failed members:
> user: tuser9: no such entry
> user: tuser1: This entry is already a member of the group
> group: g1: A group may not be added as a member of itself
> -------------------------
> Number of members added 0
> -------------------------
>
> rob

ACK

From ssorce at redhat.com Thu Oct 28 19:17:38 2010
From: ssorce at redhat.com (Simo Sorce)
Date: Thu, 28 Oct 2010 15:17:38 -0400
Subject: [Freeipa-devel] [PATCH] 558 display indirect members
In-Reply-To: <4CAA4C64.1020001@redhat.com>
References: <4CAA4C64.1020001@redhat.com>
Message-ID: <20101028151738.5f6c08e5@willson.li.ssimo.org>

On Mon, 04 Oct 2010 17:51:32 -0400
Rob Crittenden wrote:
> Populate indirect members when showing a group object.
>
> This is done by creating a new attribute, memberindirect, to hold
> this indirect membership.
>
> The new function get_members() can return all members or just
> indirect or direct. We are only using it to retrieve indirect members
> currently.
>
> This also:
> * Moves all member display attributes into baseldap.py to reduce
> duplication
> * Adds netgroup nesting
> * Use a unique object name in hbacsvc and hbacsvcgroup
>
> ticket 296
>
> rob

ACK, tested, rebased and pushed to master

Simo.

--
Simo Sorce * Red Hat, Inc * New York

From ssorce at redhat.com Thu Oct 28 19:29:00 2010
From: ssorce at redhat.com (Simo Sorce)
Date: Thu, 28 Oct 2010 15:29:00 -0400
Subject: [Freeipa-devel] [PATCH] 560 server generates random password for host
In-Reply-To: <4CACE3A0.9020803@redhat.com>
References: <4CACE3A0.9020803@redhat.com>
Message-ID: <20101028152900.4e139a15@willson.li.ssimo.org>

On Wed, 06 Oct 2010 17:01:20 -0400
Rob Crittenden wrote:
> For bulk host enrollment let the server generate a random password
> when creating a host.
>
> rob

ACK, tested, rebased and pushed to master

Simo.

--
Simo Sorce * Red Hat, Inc * New York

From ssorce at redhat.com Thu Oct 28 20:07:16 2010
From: ssorce at redhat.com (Simo Sorce)
Date: Thu, 28 Oct 2010 16:07:16 -0400
Subject: [Freeipa-devel] [PATCH] 573 use context to determine RequirementsErrors attributes
In-Reply-To: <4CB3C895.2060905@redhat.com>
References: <4CB3C895.2060905@redhat.com>
Message-ID: <20101028160716.26f0d57d@willson.li.ssimo.org>

On Mon, 11 Oct 2010 22:31:49 -0400
Rob Crittenden wrote:
> Use context to decide which name to return on RequirementsErrors
>
> When a Requirement fails we throw an exception including the name of
> the field that is missing. To make the command-line friendlier we
> have a cli_name defined which may or may not match the LDAP
> attribute. This can be confusing if you are using ipalib directly
> because the attribute name missing may not match what is actually
> required (desc vs description is a good example).
>
> If you use the context 'cli' then it will throw exceptions using
> cli_name. If you use any other context it will use the name of the
> attribute.
>
> ticket 187
>
> rob

ACK, tested and pushed to master

Simo.

--
Simo Sorce * Red Hat, Inc * New York

From ssorce at redhat.com Thu Oct 28 20:29:14 2010
From: ssorce at redhat.com (Simo Sorce)
Date: Thu, 28 Oct 2010 16:29:14 -0400
Subject: [Freeipa-devel] [PATCH] 583 update DNS when adding/removing host
In-Reply-To: <4CBEFC00.7020303@redhat.com>
References: <4CBEFC00.7020303@redhat.com>
Message-ID: <20101028162914.13f6dbf8@willson.li.ssimo.org>

On Wed, 20 Oct 2010 10:26:08 -0400
Rob Crittenden wrote:
> Add ability to add/remove DNS records when adding/removing a host
> entry.
>
> A host in DNS must have an IP address so a valid IP address is
> required when adding a host. The --force flag will be needed too
> since you are adding a host that isn't in DNS.
>
> For IPv4 it will create an A and a PTR DNS record.
>
> IPv6 isn't quite supported yet. Some basic work in the DNS installer
> is needed to get this working. Once the get_reverse_zone() returns
> the right value then this should start working and create an AAAA
> record and the appropriate reverse entry.
>
> When deleting a host with the --updatedns flag it will try to remove
> all records it can find in the zone for this host.
>
> ticket 238
>
> rob

NACK, this patch introduces a bug when trying to add the same host
multiple times with different IP addresses.
The second time the ipa host-add will correctly return an error that the
host already exists, yet the A record with the new address is added in DNS.

Adding records to the DNS should happen only after the host has been
successfully created.

Simo.

--
Simo Sorce * Red Hat, Inc * New York

From ssorce at redhat.com Thu Oct 28 21:09:48 2010
From: ssorce at redhat.com (Simo Sorce)
Date: Thu, 28 Oct 2010 17:09:48 -0400
Subject: [Freeipa-devel] [PATCH] 586 kerberos password policy
In-Reply-To: <4CC5FF3A.4010509@redhat.com>
References: <4CC5FF3A.4010509@redhat.com>
Message-ID: <20101028170948.02cb245f@willson.li.ssimo.org>

On Mon, 25 Oct 2010 18:05:46 -0400
Rob Crittenden wrote:
> Use kerberos password policy.
>
> This lets the KDC count password failures and can lock out accounts
> for a period of time. This only works for KDC >= 1.8.
>
> There currently is no way to unlock a locked account across a
> replica. MIT Kerberos 1.9 is adding support for doing so. Once that
> is available unlock will be added.
>
> The concept of a "global" password policy has changed. When we were
> managing the policy using the IPA password plugin it was smart enough
> to search up the tree looking for a policy. The KDC is not so smart
> and relies on the krbpwdpolicyreference to find the policy. For this
> reason every user entry requires this attribute. I've created a new
> global_policy entry to store the default password policy. All users
> point at this now. The group policy works the same and can override
> this setting.
> rob

Almost but have to NACK because ipa pwpolicy-show --user=user1 returns
the wrong group name (always GLOBAL apparently).

Everything else works fine.

Simo.

--
Simo Sorce * Red Hat, Inc * New York

From rcritten at redhat.com Thu Oct 28 21:14:54 2010
From: rcritten at redhat.com (Rob Crittenden)
Date: Thu, 28 Oct 2010 17:14:54 -0400
Subject: [Freeipa-devel] [PATCH] #412 Make always use of special salt type
In-Reply-To: <20101027171239.06113e37@willson.li.ssimo.org>
References: <20101027171239.06113e37@willson.li.ssimo.org>
Message-ID: <4CC9E7CE.3040400@redhat.com>

Simo Sorce wrote:
>
> By using the special salt type and generating a random salt we can
> rename user's principal name without invalidating their password.
>
> This works only if pre-authentication is required, but that's how we
> configure our server anyway.
>
> This patch does not disallow "normal" salts, but if used they will
> prevent renames from working correctly.
> By default special is used.
>
> Simo.
>

ack

From rcritten at redhat.com Thu Oct 28 21:15:30 2010
From: rcritten at redhat.com (Rob Crittenden)
Date: Thu, 28 Oct 2010 17:15:30 -0400
Subject: [Freeipa-devel] [PATCH] fix pwd plugin logging
In-Reply-To: <20101018115110.13b4425b@willson.li.ssimo.org>
References: <20101018115110.13b4425b@willson.li.ssimo.org>
Message-ID: <4CC9E7F2.4030503@redhat.com>

Simo Sorce wrote:
>
> While reviewing the logging macros I realized that the log target was
> wrong for the LOG_TRACE and LOG_FATAL functions.
> I also took the liberty of simplifying the macros by removing
> unnecessary do {} while(0) loops given the final version didn't require
> more than one function invocation anyway.
>
> Simo.

ack

From ssorce at redhat.com Thu Oct 28 21:18:37 2010
From: ssorce at redhat.com (Simo Sorce)
Date: Thu, 28 Oct 2010 17:18:37 -0400
Subject: [Freeipa-devel] [PATCH] #412 Make always use of special salt type
In-Reply-To: <4CC9E7CE.3040400@redhat.com>
References: <20101027171239.06113e37@willson.li.ssimo.org> <4CC9E7CE.3040400@redhat.com>
Message-ID: <20101028171837.0bac0781@willson.li.ssimo.org>

On Thu, 28 Oct 2010 17:14:54 -0400
Rob Crittenden wrote:
> Simo Sorce wrote:
> >
> > By using the special salt type and generating a random salt we can
> > rename user's principal name without invalidating their password.
> >
> > This works only if pre-authentication is required, but that's how we
> > configure our server anyway.
> >
> > This patch does not disallow "normal" salts, but if used they will
> > prevent renames from working correctly.
> > By default special is used.
> >
> > Simo.
> >
>
> ack

pushed to master

--
Simo Sorce * Red Hat, Inc * New York

From ssorce at redhat.com Thu Oct 28 21:18:47 2010
From: ssorce at redhat.com (Simo Sorce)
Date: Thu, 28 Oct 2010 17:18:47 -0400
Subject: [Freeipa-devel] [PATCH] fix pwd plugin logging
In-Reply-To: <4CC9E7F2.4030503@redhat.com>
References: <20101018115110.13b4425b@willson.li.ssimo.org> <4CC9E7F2.4030503@redhat.com>
Message-ID: <20101028171847.3ff2980a@willson.li.ssimo.org>

On Thu, 28 Oct 2010 17:15:30 -0400
Rob Crittenden wrote:
> Simo Sorce wrote:
> >
> > While reviewing the logging macros I realized that the log target
> > was wrong for the LOG_TRACE and LOG_FATAL functions.
> > I also took the liberty of simplifying the macros by removing
> > unnecessary do {} while(0) loops given the final version didn't
> > require more than one function invocation anyway.
> >
> > Simo.
>
> ack

pushed to master

--
Simo Sorce * Red Hat, Inc * New York

From ayoung at redhat.com Thu Oct 28 21:22:47 2010
From: ayoung at redhat.com (Adam Young)
Date: Thu, 28 Oct 2010 17:22:47 -0400
Subject: [Freeipa-devel] [PATCH] freeipa-admiyo-freeipa-0070-delete-associations.patch
Message-ID: <4CC9E9A7.7070605@redhat.com>

delete associations

Uses code very similar to the search code for deleting associations
Only uses the serial means of deletion. While this works for all deletes,
it is slower than bulk.

-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-admiyo-freeipa-0070-delete-associations.patch
Type: text/x-patch
Size: 5901 bytes
Desc: not available

From ayoung at redhat.com Thu Oct 28 21:30:13 2010
From: ayoung at redhat.com (Adam Young)
Date: Thu, 28 Oct 2010 17:30:13 -0400
Subject: [Freeipa-devel] [PATCH] freeipa-admiyo-freeipa-0070-delete-associations.patch
In-Reply-To: <4CC9E9A7.7070605@redhat.com>
References: <4CC9E9A7.7070605@redhat.com>
Message-ID: <4CC9EB65.7030200@redhat.com>

On 10/28/2010 05:22 PM, Adam Young wrote:
> delete associations
>
> Uses code very similar to the search code for deleting associations
> Only uses the serial means of deletion. While this works for all
> deletes,
> it is slower than bulk.

Found one problem myself: the '*_remove_member' approach only works one
way, not both for removing associations.

From rcritten at redhat.com Thu Oct 28 21:35:36 2010
From: rcritten at redhat.com (Rob Crittenden)
Date: Thu, 28 Oct 2010 17:35:36 -0400
Subject: [Freeipa-devel] [PATCH] 588 Removing HBAC service nesting
In-Reply-To: <4CC720EE.8070803@redhat.com>
References: <4CC716FC.9000203@redhat.com> <4CC720EE.8070803@redhat.com>
Message-ID: <4CC9ECA8.9030602@redhat.com>

Adam Young wrote:
> On 10/26/2010 01:59 PM, Rob Crittenden wrote:
>> Remove group nesting from the HBAC service groups.
>>
>> ticket https://fedorahosted.org/freeipa/ticket/389
>>
>> rob
> ACK
>

rebased and pushed to master

From rcritten at redhat.com Thu Oct 28 21:36:20 2010
From: rcritten at redhat.com (Rob Crittenden)
Date: Thu, 28 Oct 2010 17:36:20 -0400
Subject: [Freeipa-devel] [PATCH] 589 disallow group password policy in UPG
In-Reply-To: <4CC720A7.6010004@redhat.com>
References: <4CC71F32.7040606@redhat.com> <4CC720A7.6010004@redhat.com>
Message-ID: <4CC9ECD4.4050309@redhat.com>

Adam Young wrote:
> On 10/26/2010 02:34 PM, Rob Crittenden wrote:
>> Don't allow managed groups to have group password policy.
>>
>> UPG cannot have members and we use memberOf in class of service to
>> determine which policy to apply.
>>
>> ticket https://fedorahosted.org/freeipa/ticket/160
>>
>> rob
> ACK
>

pushed to master

From rcritten at redhat.com Thu Oct 28 21:48:34 2010
From: rcritten at redhat.com (Rob Crittenden)
Date: Thu, 28 Oct 2010 17:48:34 -0400
Subject: [Freeipa-devel] [PATCH] 591 improve error reporting when adding/removing members
In-Reply-To: <4CC9C758.4010708@redhat.com>
References: <4CC9C44C.3090309@redhat.com> <4CC9C758.4010708@redhat.com>
Message-ID: <4CC9EFB2.3020405@redhat.com>

Adam Young wrote:
> On 10/28/2010 02:43 PM, Rob Crittenden wrote:
>> Return reason for failure when updating group membership fails.
>>
>> We used to return a list of dns that failed to be added. We now return
>> a list of tuples instead. The tuple looks like (dn, reason) where
>> reason is the exception that was returned.
>>
>> Also made the label we use for failures to be singular instead of
>> plural since we now print them out individually instead of as
>> comma-separated.
>>
>> https://fedorahosted.org/freeipa/ticket/270
>>
>> $ ipa group-add-member --users=tuser9,tuser1 --groups=g1 g1
>> Group name: g1
>> Description: g1
>> GID: 1332445043
>> Member users: tuser1
>> Failed members:
>> user: tuser9: no such entry
>> user: tuser1: This entry is already a member of the group
>> group: g1: A group may not be added as a member of itself
>> -------------------------
>> Number of members added 0
>> -------------------------
>>
>> rob
> ACK

rebased and pushed to master

From jhrozek at redhat.com Fri Oct 29 15:03:47 2010
From: jhrozek at redhat.com (Jakub Hrozek)
Date: Fri, 29 Oct 2010 17:03:47 +0200
Subject: [Freeipa-devel] [PATCH] 000 Remove extra --prompt-all from ipa(1) man page
Message-ID: <4CCAE253.70201@redhat.com>

http://fedorahosted.org/freeipa/ticket/328

-------------- next part --------------
A non-text attachment was scrubbed...
Name: jhrozek-freeipa-0000-Remove-extra-prompt-all-from-ipa-1-man-page.patch
Type: text/x-patch
Size: 1223 bytes
Desc: not available

From jhrozek at redhat.com Fri Oct 29 15:04:03 2010
From: jhrozek at redhat.com (Jakub Hrozek)
Date: Fri, 29 Oct 2010 17:04:03 +0200
Subject: [Freeipa-devel] [PATCH] 001 Clarify the description of --raw and -all
Message-ID: <4CCAE263.1000809@redhat.com>

https://fedorahosted.org/freeipa/ticket/244

If I understand the code correctly, --all is not really a parameter that
affects only output, it also causes all attributes to be retrieved from
the server, so I have adjusted the description just a little.

--raw now mentions it only affects output.

-------------- next part --------------
A non-text attachment was scrubbed...
Name: jhrozek-freeipa-0001-Clarify-the-description-of-raw-and-all.patch
Type: text/x-patch
Size: 2897 bytes
Desc: not available

From jhrozek at redhat.com Fri Oct 29 15:04:50 2010
From: jhrozek at redhat.com (Jakub Hrozek)
Date: Fri, 29 Oct 2010 17:04:50 +0200
Subject: [Freeipa-devel] [PATCH] 0002 Rewrite the migration page using WSGI
Message-ID: <4CCAE292.6020602@redhat.com>

https://fedorahosted.org/freeipa/ticket/154

The second patch removes the /ipatest section that has been commented
out in ipa.conf anyway..plus, we don't ship /usr/share/ipatest anymore :-)

I also have two questions:

1) how should exceptions be handled? In the patch, I only explicitly
handle exceptions that could happen very easily (like, password being
wrong, or the LDAP server down..). Anything else would just trigger 500
Server Error..

2) When playing with the migration command line plugin, I noticed that
it can only handle RFC2307bis groups (member: dn) and has the
objectclass for groups hardcoded to
"(|(objectclass=groupOfNames)(objectclass=groupOfUniqueNames))". I think
it would be worthwhile (and easy, too!) to modify the plugin to accept
also RFC2307 schema and allow specifying a different objectclass
(posixGroup might come handy..). Thoughts?

-------------- next part --------------
A non-text attachment was scrubbed...
Name: jhrozek-freeipa-0002-Rewrite-the-migration-page-using-WSGI.patch
Type: text/x-patch
Size: 4882 bytes
Desc: not available
-------------- next part --------------
A non-text attachment was scrubbed...
Name: jhrozek-freeipa-0003-Remove-some-more-mod_python-references.patch
Type: text/x-patch
Size: 1393 bytes
Desc: not available

From ayoung at redhat.com Fri Oct 29 15:33:01 2010
From: ayoung at redhat.com (Adam Young)
Date: Fri, 29 Oct 2010 11:33:01 -0400
Subject: [Freeipa-devel] [PATCH] freeipa-admiyo-freeipa-0070-delete-associations.patch
In-Reply-To: <4CC9EB65.7030200@redhat.com>
References: <4CC9E9A7.7070605@redhat.com> <4CC9EB65.7030200@redhat.com>
Message-ID: <4CCAE92D.5040406@redhat.com>

On 10/28/2010 05:30 PM, Adam Young wrote:
> On 10/28/2010 05:22 PM, Adam Young wrote:
>> delete associations
>>
>> Uses code very similar to the search code for deleting associations
>> Only uses the serial means of deletion. While this works for all
>> deletes,
>> it is slower than bulk.
>
> Found one problem myself: the '*_remove_member' approach only works
> one way, not both for removing associations.

This version matches the serial and bulk associators with the deleter

-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-admiyo-freeipa-0070-2-delete-associations.patch
Type: text/x-patch
Size: 13446 bytes
Desc: not available

From rcritten at redhat.com Fri Oct 29 15:36:22 2010
From: rcritten at redhat.com (Rob Crittenden)
Date: Fri, 29 Oct 2010 11:36:22 -0400
Subject: [Freeipa-devel] [PATCH] 592 Implement nested netgroups
Message-ID: <4CCAE9F6.7080606@redhat.com>

Implement nested netgroups and include summaries for the commands.

Replace the existing netgroup test cases with Declarative tests. This
triples the number of tests we were doing.

ticket 209

rob

-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-rcrit-592-netgroup.patch
Type: application/mbox
Size: 58505 bytes
Desc: not available

From edewata at redhat.com Fri Oct 29 16:45:13 2010
From: edewata at redhat.com (Endi Sukma Dewata)
Date: Fri, 29 Oct 2010 11:45:13 -0500
Subject: [Freeipa-devel] [PATCH] freeipa-admiyo-freeipa-0070-delete-associations.patch
In-Reply-To: <4CCAE92D.5040406@redhat.com>
References: <4CC9E9A7.7070605@redhat.com> <4CC9EB65.7030200@redhat.com> <4CCAE92D.5040406@redhat.com>
Message-ID: <4CCAFA19.3060702@redhat.com>

On 10/29/2010 10:33 AM, Adam Young wrote:
> On 10/28/2010 05:30 PM, Adam Young wrote:
>> On 10/28/2010 05:22 PM, Adam Young wrote:
>>> delete associations
>>>
>>> Uses code very similar to the search code for deleting associations
>>> Only uses the serial means of deletion. While this works for all
>>> deletes,
>>> it is slower than bulk.
>> Found one problem myself: the '*_remove_member' approach only works
>> one way, not both for removing associations.
> This version matches the serial and bulk associators with the deleter

NACK. The enrollment & deletion work, but there are some issues:

- The unit test failed because it's still referring to the old
  associator names.
- The ipa_entity_set_association_definition() invocation in aci.js is
  still using the old parameter.
- The variable 'that' in serial_delete() is defined as global variable.
- The members in the association list are clickable but it brings you
  to an empty page. I see the note in the code saying that this is not
  working yet, I think the link should be disabled for now.
- Deleter's method name is hardcoded, but this can be fixed later when
  needed.
- There are some trailing white spaces in the patch.

--
Endi S. Dewata

From ayoung at redhat.com Fri Oct 29 17:13:09 2010
From: ayoung at redhat.com (Adam Young)
Date: Fri, 29 Oct 2010 13:13:09 -0400
Subject: [Freeipa-devel] [PATCH] freeipa-admiyo-freeipa-0070-delete-associations.patch
In-Reply-To: <4CCAFA19.3060702@redhat.com>
References: <4CC9E9A7.7070605@redhat.com> <4CC9EB65.7030200@redhat.com> <4CCAE92D.5040406@redhat.com> <4CCAFA19.3060702@redhat.com>
Message-ID: <4CCB00A5.4010401@redhat.com>

On 10/29/2010 12:45 PM, Endi Sukma Dewata wrote:
>
> still using the old parameter.

Fixed.

-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-admiyo-freeipa-0070-3-delete-associations.patch
Type: text/x-patch
Size: 17108 bytes
Desc: not available

From edewata at redhat.com Fri Oct 29 17:27:13 2010
From: edewata at redhat.com (Endi Sukma Dewata)
Date: Fri, 29 Oct 2010 12:27:13 -0500
Subject: [Freeipa-devel] [PATCH] freeipa-admiyo-freeipa-0070-delete-associations.patch
In-Reply-To: <4CCB00A5.4010401@redhat.com>
References: <4CC9E9A7.7070605@redhat.com> <4CC9EB65.7030200@redhat.com> <4CCAE92D.5040406@redhat.com> <4CCAFA19.3060702@redhat.com> <4CCB00A5.4010401@redhat.com>
Message-ID: <4CCB03F1.8070500@redhat.com>

On 10/29/2010 12:13 PM, Adam Young wrote:
> On 10/29/2010 12:45 PM, Endi Sukma Dewata wrote:
>>
>> still using the old parameter.
> Fixed.

ACKed and pushed to master.

--
Endi S. Dewata

From ayoung at redhat.com Fri Oct 29 17:31:57 2010
From: ayoung at redhat.com (Adam Young)
Date: Fri, 29 Oct 2010 13:31:57 -0400
Subject: [Freeipa-devel] [PATCH] 592 Implement nested netgroups
In-Reply-To: <4CCAE9F6.7080606@redhat.com>
References: <4CCAE9F6.7080606@redhat.com>
Message-ID: <4CCB050D.5090204@redhat.com>

On 10/29/2010 11:36 AM, Rob Crittenden wrote:
> Implement nested netgroups and include summaries for the commands.
>
> Replace the existing netgroup test cases with Declarative tests. This
> triples the number of tests we were doing.
>
> ticket 209
>
> rob

ACK. Pushed to master.

From ayoung at redhat.com Fri Oct 29 17:43:26 2010
From: ayoung at redhat.com (Adam Young)
Date: Fri, 29 Oct 2010 13:43:26 -0400
Subject: [Freeipa-devel] [PATCH] freeipa-admiyo-freeipa-0071-group_remove_memeber.json.patch
Message-ID: <4CCB07BE.2090406@redhat.com>

Metadata for testing

-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-admiyo-freeipa-0071-group_remove_memeber.json.patch
Type: text/x-patch
Size: 1872 bytes
Desc: not available

From rcritten at redhat.com Fri Oct 29 18:45:17 2010
From: rcritten at redhat.com (Rob Crittenden)
Date: Fri, 29 Oct 2010 14:45:17 -0400
Subject: [Freeipa-devel] [PATCH] 001 Clarify the description of --raw and -all
In-Reply-To: <4CCAE263.1000809@redhat.com>
References: <4CCAE263.1000809@redhat.com>
Message-ID: <4CCB163D.8020709@redhat.com>

Jakub Hrozek wrote:
> https://fedorahosted.org/freeipa/ticket/244
>
> If I understand the code correctly, --all is not really a parameter that
> affects only output, it also causes all attributes to be retrieved from
> the server, so I have adjusted the description just a little.
>
> --raw now mentions it only affects output.

nack, --all only affects output as well. Take the case of adding a user.
--all doesn't seem to make sense with this until you consider that it
will return all attributes for the user you just created.

rob

From rcritten at redhat.com Fri Oct 29 18:46:32 2010
From: rcritten at redhat.com (Rob Crittenden)
Date: Fri, 29 Oct 2010 14:46:32 -0400
Subject: [Freeipa-devel] [PATCH] 000 Remove extra --prompt-all from ipa(1) man page
In-Reply-To: <4CCAE253.70201@redhat.com>
References: <4CCAE253.70201@redhat.com>
Message-ID: <4CCB1688.7080609@redhat.com>

Jakub Hrozek wrote:
> http://fedorahosted.org/freeipa/ticket/328

ack, pushed to master

rob

From ayoung at redhat.com Fri Oct 29 19:50:03 2010
From: ayoung at redhat.com (Adam Young)
Date: Fri, 29 Oct 2010 15:50:03 -0400
Subject: [Freeipa-devel] [PATCH] freeipa-admiyo-freeipa-0072-rights-check.patch
Message-ID: <4CCB256B.109@redhat.com>

Check effective rights. If the right is not explicitly allowed, show the
field as read only.

-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-admiyo-freeipa-0072-rights-check.patch
Type: text/x-patch
Size: 7309 bytes
Desc: not available

From rcritten at redhat.com Fri Oct 29 20:39:24 2010
From: rcritten at redhat.com (Rob Crittenden)
Date: Fri, 29 Oct 2010 16:39:24 -0400
Subject: [Freeipa-devel] [PATCH] 586 kerberos password policy
In-Reply-To: <20101028170948.02cb245f@willson.li.ssimo.org>
References: <4CC5FF3A.4010509@redhat.com> <20101028170948.02cb245f@willson.li.ssimo.org>
Message-ID: <4CCB30FC.2060109@redhat.com>

Simo Sorce wrote:
> On Mon, 25 Oct 2010 18:05:46 -0400
> Rob Crittenden wrote:
>
>> Use kerberos password policy.
>>
>> This lets the KDC count password failures and can lock out accounts
>> for a period of time. This only works for KDC >= 1.8.
>>
>> There currently is no way to unlock a locked account across a
>> replica. MIT Kerberos 1.9 is adding support for doing so. Once that
>> is available unlock will be added.
>>
>> The concept of a "global" password policy has changed. When we were
>> managing the policy using the IPA password plugin it was smart enough
>> to search up the tree looking for a policy. The KDC is not so smart
>> and relies on the krbpwdpolicyreference to find the policy. For this
>> reason every user entry requires this attribute. I've created a new
>> global_policy entry to store the default password policy. All users
>> point at this now. The group policy works the same and can override
>> this setting.
>> rob
>
> Almost but have to NACK because ipa pwpolicy-show --user=user1 returns
> the wrong group name (always GLOBAL apparently).
>
> Everything else works fine.
>
> Simo.
>

Fixed. I dropped the special renaming of GLOBAL. We now show the actual
entry name, global_policy.

rob

-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-rcrit-586-2-pwpolicy.patch
Type: application/mbox
Size: 14903 bytes
Desc: not available

From edewata at redhat.com Fri Oct 29 23:46:17 2010
From: edewata at redhat.com (Endi Sukma Dewata)
Date: Fri, 29 Oct 2010 18:46:17 -0500
Subject: [Freeipa-devel] [PATCH] HBAC Details Page
Message-ID: <4CCB5CC9.7030800@redhat.com>

Hi,

Please review the attached patch. Thanks!

https://fedorahosted.org/reviewboard/r/99/

The ipa_details_section class has been enhanced to support HTML templates. This way the layout can be changed without modifying the code. The ipa_details_field is used to set up the fields in the template, also used to load and save the values. If no template is specified, it will go back to the original behavior: the section will be rendered using the dl/dt/dd tags.

Some fields have been added to support standard HTML widgets:
- ipa_details_text: text field
- ipa_details_radio: radio button
- ipa_details_textarea: textarea
- ipa_details_button: button

The HBAC details page has been implemented using this enhancement. It uses the templates stored in hbac-details-*.html. It also uses HBAC-specific widgets which are defined in these classes:
- ipa_hbac_details_table: table for member enrollment
- ipa_hbac_details_accesstime: table for access time

The buttons for adding and removing members are still not working. There is no hint or undo functionality yet. They will be added in subsequent patches.

The ipa_make_button() has been converted into ipa_button class which can be used to replace the standard HTML button.

The search-container CSS class has been renamed to entity-container and used for all facets.

The unit test and test data have been updated accordingly.

--
Endi S. Dewata

-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-edewata-0025-HBAC-Details-Page.patch
Type: text/x-patch
Size: 84311 bytes
Desc: not available
URL:

From edewata at redhat.com Sat Oct 30 00:09:32 2010
From: edewata at redhat.com (Endi Sukma Dewata)
Date: Fri, 29 Oct 2010 19:09:32 -0500
Subject: [Freeipa-devel] [PATCH] freeipa-admiyo-freeipa-0071-group_remove_memeber.json.patch
In-Reply-To: <4CCB07BE.2090406@redhat.com>
References: <4CCB07BE.2090406@redhat.com>
Message-ID: <4CCB623C.40109@redhat.com>

On 10/29/2010 12:43 PM, Adam Young wrote:
> Metadata for testing

ACK. Pushed to master.

--
Endi S. Dewata

From edewata at redhat.com Sat Oct 30 01:31:33 2010
From: edewata at redhat.com (Endi Sukma Dewata)
Date: Fri, 29 Oct 2010 20:31:33 -0500
Subject: [Freeipa-devel] [PATCH] freeipa-admiyo-freeipa-0072-rights-check.patch
In-Reply-To: <4CCB256B.109@redhat.com>
References: <4CCB256B.109@redhat.com>
Message-ID: <4CCB7575.8050409@redhat.com>

On 10/29/2010 2:50 PM, Adam Young wrote:
> Check effective rights. If the right is not explicitly allowed, show the
> field as read only.

It seems to be working, but I think it has to wait until the attributelevelrights is returned in the JSON response because without it the UI would become unusable because all fields would be disabled.

--
Endi S. Dewata
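
The fail-closed rights check discussed in this thread, and the failure mode raised in the reply above (a response with no attributelevelrights leaves every field read-only), as an added JavaScript example that is not code from the patch or from FreeIPA. The function names are hypothetical, and the shape of attributelevelrights (a map of attribute name to a rights string in which "w" grants write) is an assumption.

```javascript
// Added example, not FreeIPA's code. Assumes an entry in the JSON response
// may carry `attributelevelrights`: attribute name -> rights string, where
// the letter "w" grants write. All function names here are hypothetical.

// Fail closed: a field is editable only when write is explicitly granted.
function isWritable(rights, attr) {
    if (rights === null || typeof rights !== 'object') return false;
    // Own properties only, so inherited names such as "constructor" never match.
    if (!Object.prototype.hasOwnProperty.call(rights, attr)) return false;
    const value = rights[attr];
    return typeof value === 'string' && value.includes('w');
}

// Compute the state of every field and report separately whether the
// response carried rights at all, so that "server sent no rights" can be
// told apart from "server denied write" when every field comes back locked.
function fieldStates(entry, attrs) {
    const rights = entry ? entry.attributelevelrights : undefined;
    const rightsPresent = rights !== null && typeof rights === 'object' &&
        !Array.isArray(rights);
    const fields = {};
    for (const attr of attrs) {
        const writable = isWritable(rightsPresent ? rights : null, attr);
        fields[attr] = writable ? 'editable' : 'readonly';
    }
    return { rightsPresent, fields };
}

// Constructed sample responses (not captured from a real server).
const withRights = {
    uid: ['user1'],
    attributelevelrights: { uid: 'rsc', givenname: 'rscwo', mail: 'rscwo' }
};
const withoutRights = { uid: ['user1'], givenname: ['Test'] };

const ATTRS = ['uid', 'givenname', 'mail', 'title'];
console.log(fieldStates(withRights, ATTRS));
console.log(fieldStates(withoutRights, ATTRS));
```

The read-only state is presentation only; the directory server's access controls remain the enforcement point whatever the UI shows.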