From abokovoy at redhat.com Mon Aug 1 10:34:07 2011
From: abokovoy at redhat.com (Alexander Bokovoy)
Date: Mon, 01 Aug 2011 13:34:07 +0300
Subject: [Freeipa-devel] environment in Param(s)
Message-ID: <4E36811F.2010309@redhat.com>

Hi,

while investigating #1549 and #1550 I stumbled upon a problem. We create Param(s) as read only entities. This means that using standard methods, any modifications to Param instances are denied. What happens in #1549 and #1550 is that the code in Param.validate() relies on availability of existing context to determine whether name or cli_name of a param instance should be used.

By itself it is fine as context is passed to Param.validate() within environment. The decision what to pass is done in Param.__call__():

    def __call__(self, value, **kw):
        """
        One stop shopping.
        """
        if value in NULLS:
            value = self.get_default(**kw)
        else:
            value = self.convert(self.normalize(value))
        if hasattr(self, 'env'):
            self.validate(value, self.env.context)
        else:
            self.validate(value)
        return value

If this Param instance has attribute 'env', we use its context. However, the instance in itself is ReadOnly and gets locked at the very end of Param.__init__().

So this makes a case when immediately after creating a parameter we can't assign it any environment, its environment always stays None and the code in __call__() always calls validate() without context.

A fix I found is quite bad as it violates ReadOnly promise:

diff --git a/ipalib/frontend.py b/ipalib/frontend.py
index 3534310..1c7071a 100644
--- a/ipalib/frontend.py
+++ b/ipalib/frontend.py
@@ -344,6 +344,9 @@ class HasParam(Plugin):
         for spec in get():
             param = create_param(spec)
             if env is None or param.use_in_context(env):
+                if env is not None and not hasattr(param, 'env'):
+                    # Force specified environment
+                    object.__setattr__(param, 'env', env)
                 yield param
 
     def _create_param_namespace(self, name, env=None):

Does anybody have better suggestion?

-- 
/ Alexander Bokovoy
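Review bot: object.__setattr__() in the added lines sidesteps the ReadOnly lock that Param.__init__() establishes, so after this hunk no caller can rely on a Param being immutable once constructed; the guard `if env is not None and not hasattr(param, 'env')` also means a Param produced with env=None still goes through __call__() and validate() without any context, so the bug is narrowed rather than removed. Two cleaner routes are to hand env to the parameter before it is locked (through create_param() into the constructor) or to take env.context out of validate() altogether so the name shown in RequirementError no longer depends on an environment being attached.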
From: mkosek at redhat.com (Martin Kosek)
Date: Mon, 01 Aug 2011 14:40:58 +0200
Subject: [Freeipa-devel] [PATCH] 34 Create FreeIPA CLI Plugin for the 389 Auto Membership plugin
In-Reply-To: <60FB2C65-DFB4-41B4-A51F-78FE89BB1A1E@citrixonline.com>
References: <99CC5FCC-73CE-43C1-9B73-4DDD69A4637D@citrixonline.com> <1310730613.32137.22.camel@dhcp-25-52.brq.redhat.com> <4E2054E3.5060306@redhat.com> <84A3F669-CCF3-4C6C-9525-5BD4A71E6E1E@citrixonline.com> <4E26F657.8030901@redhat.com> <3D1116E1-B782-4F43-B6DA-08E8FCFC34A1@citrixonline.com> <4E279A3C.5040900@redhat.com> <328D74A5-F560-4DC6-8E5F-413AFDCCAABC@citrixonline.com> <1311246577.17378.28.camel@dhcp-25-52.brq.redhat.com> <4E28384A.708@redhat.com> <0BF013EE-B1ED-4953-94ED-F3BA825CFE78@citrixonline.com> <60FB2C65-DFB4-41B4-A51F-78FE89BB1A1E@citrixonline.com>
Message-ID: <1312202461.2484.4.camel@dhcp-25-52.brq.redhat.com>

On Sat, 2011-07-30 at 00:54 +0000, JR Aquino wrote:
> On Jul 21, 2011, at 8:53 AM, JR Aquino wrote:
> 
> > On Jul 21, 2011, at 7:31 AM, Rob Crittenden wrote:
> > 
> >> Martin Kosek wrote:
> >>> On Thu, 2011-07-21 at 03:37 +0000, JR Aquino wrote:
> >>>>>> Rob, I'm afraid I believe that ldap lookup is necessary. The user inputs a standard string to represent the possible host group? If i simply perform a get_dn it will indeed provide a dn, however, it won't verify that the host group actually exists? (you don't want to create an assignment rule for a non existent target host group)
> >>>>>> 
> >>>>>> 
> >>>>>> Martin, (except for the name Clarity), I have addressed your observations in this latest patch. Could you please have a look and let me know if there is anything else I need to take care of?
> >>>>>> 
> >>> 
> >>> Great, preparing the command parameters in pre_callback is much cleaner.
> >>> 
> >>>>> 
> >>>>> Good point about the LDAP lookup.
> >>>>> 
> >>>>> This looks a lot better but there are still a few issues:
> >>>>> 
> >>>>> If group_dn is in the object then you can use self.obj.handle_not_found(*keys) for the NotFound.
> >>>> 
> >>>> Ok, I will give that a shot!
> >>>> 
> >>>>> 
> >>>>> Or if it can't be moved, in the calls to group_dn() you can use the ldap handle passed into pre_callback.
> >>>>> 
> >>>>> I guess you are using the includetype tuple to avoid coding long variable names everywhere? Would a symbol be better, eg:
> >>>>> 
> >>>>> INCLUDE_RE = 'automemberinclusiveregex'
> >>>>> EXCLUDE_RE = 'automemberexclusiveregex'
> >>>> 
> >>>> That works, I'll swap em.
> >>> 
> >>> I agree with Rob here, this will make the code better.
> >>> 
> >>>> 
> >>>>> Is there a way to validate the regex?
> >>>> 
> >>>> Now that you mention it, I believe if I import re, we should be able to validate the initial regex and raise an exception if it is bogus.
> >>>> 
> >>>>> If we were to add an equivalent user group handler would it be the same code in add_condition and remove_condition? It is sort of nice to have everything together at the moment, I suspect it will need to be generalized at some point.
> >>>> 
> >>>> Well. For the groups, I was thinking it starts to get a little different. I would still reuse the condition, but I believe I would pivot users into groups based upon something like their manager?
> >>>> 
> >>>>> Adding a clarity with no rules won't let you add rules:
> >>>>> 
> >>>>> # ipa hostgroup-add --desc=hg1 hg1
> >>>>> # ipa hostgroupclarity-add hg1
> >>>>> # ipa hostgroupclarity-add-condition --exclusive-hostname-regex=^web5\.example\.com hg1
> >>>>> ipa: ERROR: no modifications to be performed
> >>>> 
> >>>> This ^ is deliberate, you cannot add an exclusion rule if there is no existing or simultaneous inclusive rule. :) Martin asked for that, and I think it's wise.
> >>> 
> >>> Yes, it is wise :-) But the error message is really not clear to the
> >>> user. We should tell him that there must be at least one inclusive rule.
> >>> 
> >>> I wonder if we shouldn't force user to create a hostgroupclarity object
> >>> with at least one inclusive rule and then make sure that in all
> >>> operations at least one inclusive rule stays here. Or we could delete
> >>> the empty LDAP object after the last inclusive rule is removed, as we do
> >>> with DNS record LDAP objects in dnsrecord-del.
> >>> 
> >>>>> The way you explained clarity today in IRC, how it brings clarity to managing membership with names no human can grok, I got it. Still, clarity is a bit awkward as a name. automember might be a better choice.
> >>>> 
> >>>> Fair enough ;) I tried, perhaps I can /allude/ to it in the help / docs. automember it is.
> >>>> 
> >>>> One final class I have been struggling with that I want to add?
> >>>> 
> >>>> The object and attribute which defines the 'default group' is the parent of the actual rules? i.e. cn=hostgroup,cn=automember,cn=etc?
> >>>> 
> >>>> The ipa cli seems to only want to let me make mods that assume I am specifying a target object on the cli? "ipa hostgroupautomember-default-group=foo" <- in this scenario, we don't actually want or need a rule name because it's the container above? I have had success making the writes, but the cli syntax just doesn't lend itself to that level of abstraction?
> >>>> 
> >>>> Any suggestions?
> >>>> 
> >>>> 
> >>> 
> >>> I think the best shot would be to create a new command and overload the
> >>> execute method in that case. Like in hbacrule_enable. You would be able
> >>> to set dn correctly here and do the update. Does it make sense? Rob?
> >>> 
> >>> Martin
> >>> 
> >> 
> >> I agree. We are better off abstracting things now so we can get the API right.
> >> 
> >> I think we can stick more or less with the command names, just in a new plugin and some new arguments.
> >> 
> >> I see the plugin with the following methods:
> >> 
> >> Each takes a single argument, the name of the rule. I don't think I'd stick type into the DN so you wouldn't be able to use the same rule name for different object types. If we want to allow that then we'd need to add --type to a lot more commands.
> >> 
> >> There is no mod to change types, you have to delete and re-add.
> >> 
> >> automember-add               Add an automember rule
> >>   --type=ENUM (hostgroup, group)
> >>   --desc=STR                 description of this auto membership rule
> >>   --inclusive-regex=LIST     Inclusive Regex
> >>   --exclusive-regex=LIST     Exclusive Regex
> >> 
> >> automember-add-condition     Add conditions to automember rule
> >>   --inclusive-regex=LIST     Inclusive Regex
> >>   --exclusive-regex=LIST     Exclusive Regex
> >> 
> >> automember-del               Delete an automember rule
> >> 
> >> automember-find              Search for automember rules
> >>   --type=ENUM (hostgroup, group)
> >> 
> >> automember-mod               Modify an automember rule.
> > 
> > automember-default-group     Set a default group for auto membership
> >   --group/hostgroup=STR
> > 
> >> 
> >> automember-remove-condition  Remove conditions from an automember rule
> >>   --inclusive-regex=LIST     Inclusive Regex
> >>   --exclusive-regex=LIST     Exclusive Regex
> >> 
> >> automember-show              Display an automember rule
> 
> New Patch attached.
> 
> I believe I have addressed the issues highlighted in the thread.
> 

Hello JR,

Thanks for the patch, the new approach with automember as a separate plugin is much better and more extensible. I reviewed it and have some feedback:

1) I see that autoMemberScope in automember plugin configuration is set to $SUFFIX. Why don't we use cn=hostgroups,cn=accounts,dc=idm,dc=lab,dc=bos,dc=redhat,dc=com and cn=hostgroups,cn=accounts,dc=idm,dc=lab,dc=bos,dc=redhat,dc=com. IMO this would improve performance

2) Plugin is not configured correctly on a replica: nsslapd-pluginConfigArea in cn=Auto Membership Plugin,cn=plugins,cn=config is not created. Since cn=config is not replicated, it needs to be updated also on a replica. Plus, "Applying LDAP updates" got stuck in my case for some reason.

3) I cannot use --inclusive-regex in ipa automember-add even though it is stated in help that I can

# ipa automember-add --type=hostgroup --inclusive-regex=^web[1-9]\.example\.com tgroup
Usage: ipa [global-options] automember-add AUTOMEMBER-RULE [options]

ipa: error: no such option: --inclusive-regex

4) Error message when removing a condition is not clear:
# ipa automember-show --type=hostgroup tgroup
  Automember Rule: tgroup
  Inclusive Regex: fqdn=^web[1-9].example.com, fqdn=^www[1-9].example.com
  Exclusive Regex: fqdn=^www5.example.com

Can we detect this situation and change it to something like "Condition not found"?

5) Having a rule with just an exclusive rule does not make sense - can we handle it?
# ipa automember-show --type=hostgroup tgroup
  Automember Rule: tgroup
  Inclusive Regex: fqdn=^web[1-9].example.com, fqdn=^www[1-9].example.com
  Exclusive Regex: fqdn=^www5.example.com
# ipa automember-remove-condition --type=hostgroup tgroup --inclusive-regex=^web[1-9]\.example\.com --inclusive-regex=^www[1-9]\.example\.com
--------------------------------
Removed condition(s) to "tgroup"
--------------------------------
  Automember Rule: tgroup
  Exclusive Regex: fqdn=^www5.example.com

6) Command names for automember default group seem inconsistent:
automember-add-default-group     Set default group for all unmatched entries.
automember-default-group-show    Display information about the default automember groups.
automember-remove-default-group  Remove default group for all unmatched entries.

If we would follow the same pattern, "automember-default-group-show" should be automember-show-default-group

7) Parameters of the automember default group seem inconsistent too:
a) --desc parameter present in automember-add-default-group and automember-remove-default-group should not be here
b) Grouping Type of the automember type is passed as an argument in automember-remove-default-group and automember-default-group-show instead of --type=STR as in all other commands

8) automember.py: In automember_add_condition/automember_remove_condition I see 2 almost identical branches of code - a lot of redundancy. Couldn't we consolidate them, for example to one "for attr in (INCLUDE_RE, EXCLUDE_RE):" construct?

9) test_automember_plugin.py: the test class should be named test_automember, not test_user

Martin
From: rcritten at redhat.com (Rob Crittenden)
Date: Mon, 01 Aug 2011 08:56:31 -0400
Subject: [Freeipa-devel] [PATCH] 34 Create FreeIPA CLI Plugin for the 389 Auto Membership plugin
In-Reply-To: <1312202461.2484.4.camel@dhcp-25-52.brq.redhat.com>
References: <99CC5FCC-73CE-43C1-9B73-4DDD69A4637D@citrixonline.com> <1310730613.32137.22.camel@dhcp-25-52.brq.redhat.com> <4E2054E3.5060306@redhat.com> <84A3F669-CCF3-4C6C-9525-5BD4A71E6E1E@citrixonline.com> <4E26F657.8030901@redhat.com> <3D1116E1-B782-4F43-B6DA-08E8FCFC34A1@citrixonline.com> <4E279A3C.5040900@redhat.com> <328D74A5-F560-4DC6-8E5F-413AFDCCAABC@citrixonline.com> <1311246577.17378.28.camel@dhcp-25-52.brq.redhat.com> <4E28384A.708@redhat.com> <0BF013EE-B1ED-4953-94ED-F3BA825CFE78@citrixonline.com> <60FB2C65-DFB4-41B4-A51F-78FE89BB1A1E@citrixonline.com> <1312202461.2484.4.camel@dhcp-25-52.brq.redhat.com>
Message-ID: <4E36A27F.4020908@redhat.com>

Martin Kosek wrote:
> On Sat, 2011-07-30 at 00:54 +0000, JR Aquino wrote:
>> New Patch attached.
>>
>> I believe I have addressed the issues highlighted in the thread.
>>
>
> Hello JR,
>
> Thanks for the patch, the new approach with automember as a separate
> plugin is much better and more extensible. I reviewed it and have some
> feedback:
>
> 1) I see that autoMemberScope in automember plugin configuration is set
> to $SUFFIX. Why don't we use
> cn=hostgroups,cn=accounts,dc=idm,dc=lab,dc=bos,dc=redhat,dc=com and
> cn=hostgroups,cn=accounts,dc=idm,dc=lab,dc=bos,dc=redhat,dc=com. IMO
> this would improve performance

I believe the scope defines where to find automatic members, so it should point to cn=computerss,cn=$SUFFIX.

>
> 2) Plugin is not configured correctly on a replica:
> nsslapd-pluginConfigArea in cn=Auto Membership
> Plugin,cn=plugins,cn=config is not created. Since cn=config is not
> replicated, it needs to be updated also on a replica. Plus, "Applying
> LDAP updates" got stuck in my case for some reason.
>
> 3) I cannot use --inclusive-regex in ipa automember-add even though it
> is stated in help that I can
>
> # ipa automember-add --type=hostgroup --inclusive-regex=^web[1-9]\.example\.com tgroup
> Usage: ipa [global-options] automember-add AUTOMEMBER-RULE [options]
>
> ipa: error: no such option: --inclusive-regex

I had him remove this. No other command lets you add an entry and members at the same time.

>
> 4) Error message when removing a condition is not clear:
> # ipa automember-show --type=hostgroup tgroup
>   Automember Rule: tgroup
>   Inclusive Regex: fqdn=^web[1-9].example.com, fqdn=^www[1-9].example.com
>   Exclusive Regex: fqdn=^www5.example.com
>
> Can we detect this situation and change it to something like "Condition
> not found"?
>
> 5) Having a rule with just an exclusive rule does not make sense - can
> we handle it?
> # ipa automember-show --type=hostgroup tgroup
>   Automember Rule: tgroup
>   Inclusive Regex: fqdn=^web[1-9].example.com, fqdn=^www[1-9].example.com
>   Exclusive Regex: fqdn=^www5.example.com
> # ipa automember-remove-condition --type=hostgroup tgroup --inclusive-regex=^web[1-9]\.example\.com --inclusive-regex=^www[1-9]\.example\.com
> --------------------------------
> Removed condition(s) to "tgroup"
> --------------------------------
>   Automember Rule: tgroup
>   Exclusive Regex: fqdn=^www5.example.com
>
> 6) Command names for automember default group seem inconsistent:
> automember-add-default-group     Set default group for all unmatched entries.
> automember-default-group-show    Display information about the default automember groups.
> automember-remove-default-group  Remove default group for all unmatched entries.
>
> If we would follow the same pattern, "automember-default-group-show"
> should be automember-show-default-group

I think it should be automember-default-group-*. Since there is only one default for something I think it should be set instead of add.

> 7) Parameters of the automember default group seem inconsistent too:
> a) --desc parameter present in automember-add-default-group and
> automember-remove-default-group should not be here
> b) Grouping Type of the automember type is passed as an argument in
> automember-remove-default-group and automember-default-group-show
> instead of --type=STR as in all other commands
>
> 8) automember.py: In
> automember_add_condition/automember_remove_condition I see 2 almost
> identical branches of code - a lot of redundancy. Couldn't we
> consolidate them, for example to one "for attr in (INCLUDE_RE,
> EXCLUDE_RE):" construct?
>
> 9) test_automember_plugin.py: the test class should be named
> test_automember, not test_user
>
> Martin
>

I'm also wondering about hardcoding a key. Is there a reason we can't ask the regex writer to simply include this themselves?

rob
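To make the review points above concrete, here is an added, self-contained model of the condition handling the thread discusses (example code written for this page, not the automember plugin's own code): it rejects unparsable regexes with re.compile(), stores each condition with the match key prefixed as in the thread's output, loops over (INCLUDE_RE, EXCLUDE_RE) instead of two near-identical branches, refuses to create or leave an exclusive-only rule, and reports a missing condition as NotFound. The MATCH_KEY table, the exception classes and the in-memory rule dict are assumptions.

```python
import re

# Attribute names for the two condition types, as proposed in the thread.
INCLUDE_RE = 'automemberinclusiveregex'
EXCLUDE_RE = 'automemberexclusiveregex'

# Constructed mapping from grouping type to the attribute a regex is matched
# against. Only the hostgroup/fqdn pairing appears in the thread; the
# group/uid entry is an assumption used for illustration.
MATCH_KEY = {'hostgroup': 'fqdn', 'group': 'uid'}


class ValidationError(ValueError):
    """The supplied regex does not compile (or the grouping type is unknown)."""


class NotFound(LookupError):
    """A condition to be removed is not on the rule ("Condition not found")."""


class EmptyModification(ValueError):
    """Nothing would change, or the rule would be left exclusive-only."""


def compile_condition(grouping, regex):
    """Reject a bogus pattern early and return the stored form 'key=regex'.

    Mirrors the thread's stored values, e.g. 'fqdn=^www5\\.example\\.com'.
    """
    try:
        re.compile(regex)
    except re.error as e:
        raise ValidationError('invalid regex %r: %s' % (regex, e))
    if grouping not in MATCH_KEY:
        raise ValidationError('unknown grouping type %r' % grouping)
    return '%s=%s' % (MATCH_KEY[grouping], regex)


def add_condition(rule, grouping, inclusive=(), exclusive=()):
    """Add conditions to a rule dict (INCLUDE_RE/EXCLUDE_RE -> list of str).

    An exclusive condition is only accepted when at least one inclusive
    condition already exists or arrives in the same call; the user gets a
    clear message instead of a bare 'no modifications to be performed'.
    """
    new = {attr: [compile_condition(grouping, r) for r in regexes]
           for attr, regexes in ((INCLUDE_RE, inclusive), (EXCLUDE_RE, exclusive))}
    if new[EXCLUDE_RE] and not (rule.get(INCLUDE_RE) or new[INCLUDE_RE]):
        raise EmptyModification(
            'at least one inclusive regex is required before an exclusive regex')
    added = 0
    for attr in (INCLUDE_RE, EXCLUDE_RE):  # one loop instead of two branches
        current = rule.setdefault(attr, [])
        for cond in new[attr]:
            if cond not in current:
                current.append(cond)
                added += 1
    if not added:
        raise EmptyModification('no modifications to be performed')
    return rule


def remove_condition(rule, grouping, inclusive=(), exclusive=()):
    """Remove conditions; a missing one raises NotFound, and the rule may
    not be left holding exclusive conditions without any inclusive one."""
    wanted = {attr: [compile_condition(grouping, r) for r in regexes]
              for attr, regexes in ((INCLUDE_RE, inclusive), (EXCLUDE_RE, exclusive))}
    remaining = {}
    for attr in (INCLUDE_RE, EXCLUDE_RE):
        current = rule.get(attr, [])
        for cond in wanted[attr]:
            if cond not in current:
                raise NotFound('condition %r not found' % cond)
        remaining[attr] = [c for c in current if c not in wanted[attr]]
    if remaining[EXCLUDE_RE] and not remaining[INCLUDE_RE]:
        raise EmptyModification(
            'at least one inclusive regex must remain while exclusive regexes exist')
    rule.update(remaining)
    return rule


def raises(exc, func, *args, **kwargs):
    """Small helper for the demonstration: True if func raises exc."""
    try:
        func(*args, **kwargs)
    except exc:
        return True
    return False
```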
From: ayoung at redhat.com (Adam Young)
Date: Mon, 01 Aug 2011 09:13:56 -0400
Subject: [Freeipa-devel] environment in Param(s)
In-Reply-To: <4E36811F.2010309@redhat.com>
References: <4E36811F.2010309@redhat.com>
Message-ID: <4E36A694.2010400@redhat.com>

On 08/01/2011 06:34 AM, Alexander Bokovoy wrote:
> A fix I found is quite bad as it violates ReadOnly promise:
>
> Does anybody have better suggestion?

What is the env supposed to represent? Does it pre-exist the Param creation? If so, it should be passed to the Param constructor.

OTOH, if the env is something that can change, then we should not require it for the validate call. Is it possible to validate without an env?
From: abokovoy at redhat.com (Alexander Bokovoy)
Date: Mon, 01 Aug 2011 16:37:25 +0300
Subject: [Freeipa-devel] environment in Param(s)
In-Reply-To: <4E36A694.2010400@redhat.com>
References: <4E36811F.2010309@redhat.com> <4E36A694.2010400@redhat.com>
Message-ID: <4E36AC15.6050508@redhat.com>

On 01.08.2011 16:13, Adam Young wrote:
> On 08/01/2011 06:34 AM, Alexander Bokovoy wrote:
>> Does anybody have better suggestion?
>
> What is the env supposed to represent? Does it pre-exist the Param
> creation? If so, it should be passed to the Param constructor.
At least in CLI case it does pre-exist:

    (options, argv) = api.bootstrap_with_global_options(context='cli')
    for klass in cli_plugins:
        api.register(klass)
    api.load_plugins()
    api.finalize()

context (and env with it) is created before any plugin is loaded (where Params are created afterwards, when plugins are loaded and initialized). But environment is not available to Params when they are created unless you would be referencing api.env directly...

We use same trick with object.__setattr__() in api.load_plugins() -- API instance sets 'plugins' attribute on itself after being locked earlier in constructor in non-production mode.

> OTOH, if the env is something that can change, then we should not
> require it for the validate call. Is it possible to validate without an
> env?
validate uses it to issue RequirementError exception with correct param name according to the context -- for CLI it wants to use cli_name. As context is always None we get what is shown in #1549 and #1550.

-- 
/ Alexander Bokovoy
From: abokovoy at redhat.com (Alexander Bokovoy)
Date: Mon, 01 Aug 2011 16:53:10 +0300
Subject: [Freeipa-devel] environment in Param(s)
In-Reply-To: <4E36A694.2010400@redhat.com>
References: <4E36811F.2010309@redhat.com> <4E36A694.2010400@redhat.com>
Message-ID: <4E36AFC6.6030207@redhat.com>

On 01.08.2011 16:13, Adam Young wrote:
> OTOH, if the env is something that can change, then we should not
> require it for the validate call. Is it possible to validate without an
> env?
I looked at other exceptions thrown and now pass self.cli_name if it exists and self.name otherwise -- this is what other validation checks were doing without relying on an environment. If parameter has self.cli_name then user would most likely see it as exception is producing an error message and not used for anything else.

diff --git a/ipalib/parameters.py b/ipalib/parameters.py
index e1c0b09..e26c33e 100644
--- a/ipalib/parameters.py
+++ b/ipalib/parameters.py
@@ -725,10 +725,10 @@ class Param(ReadOnly):
         """
         if value is None:
             if self.required:
-                if context == 'cli':
-                    raise RequirementError(name=self.cli_name)
-                else:
-                    raise RequirementError(name=self.name)
+                name = self.cli_name
+                if not name:
+                    name = self.name
+                raise RequirementError(name=name)
             return
         if self.multivalue:
             if type(value) is not tuple:
@@ -744,7 +744,10 @@ class Param(ReadOnly):
 
     def _validate_scalar(self, value, index=None):
         if type(value) is not self.type:
-            raise ValidationError(name=self.name,
+            name = self.cli_name
+            if not name:
+                name = self.name
+            raise ValidationError(name=name,
                 error='need a %r; got %r (a %r)' % (
                     self.type, value, type(value)
                 )
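Review bot: the three-line fallback (`name = self.cli_name` / `if not name:` / `name = self.name`) is written out by hand in both hunks above, so the two error paths can drift apart the next time one of them is touched; a single helper on Param that returns `self.cli_name or self.name` would let each `raise` stay one line and guarantee every error reports the same name. In the first hunk the `context` argument is no longer consulted once the `if context == 'cli'` branch goes away, so either document that validate() now ignores it or remove it from the signature so callers do not keep threading an environment through for nothing.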
@@ -1672,10 +1675,16 @@ class AccessTime(Str):
 
         try:
             self._check(value)
         except ValueError, e:
-            raise ValidationError(name=self.cli_name, error=e.args[0])
+            name = self.cli_name
+            if not name:
+                name = self.name
+            raise ValidationError(name=name, error=e.args[0])
         except IndexError:
+            name = self.cli_name
+            if not name:
+                name = self.name
             raise ValidationError(
-                name=self.cli_name, error='incomplete time value'
+                name=name, error='incomplete time value'
             )
         return None

-- 
/ Alexander Bokovoy

From: ayoung at redhat.com (Adam Young)
Date: Mon, 01 Aug 2011 10:00:17 -0400
Subject: [Freeipa-devel] environment in Param(s)
In-Reply-To: <4E36AFC6.6030207@redhat.com>
References: <4E36811F.2010309@redhat.com> <4E36A694.2010400@redhat.com> <4E36AFC6.6030207@redhat.com>
Message-ID: <4E36B171.3050300@redhat.com>

I don't really have the context to ACK it, but it looks a lot better to me than the previous solution.

On 08/01/2011 09:53 AM, Alexander Bokovoy wrote:
> On 01.08.2011 16:13, Adam Young wrote:
>> OTOH, if the env is something that can change, then we should not
>> require it for the validate call. Is it possible to validate without an
>> env?
> I looked at other exceptions thrown and now pass self.cli_name if it
> exists and self.name otherwise -- this is what other validation checks
> were doing without relying on an environment. If parameter has
> self.cli_name then user would most likely see it as exception is
> producing an error message and not used for anything else.
>
> diff --git a/ipalib/parameters.py b/ipalib/parameters.py
> index e1c0b09..e26c33e 100644
> --- a/ipalib/parameters.py
> +++ b/ipalib/parameters.py
> @@ -725,10 +725,10 @@ class Param(ReadOnly):
>          """
>          if value is None:
>              if self.required:
> -                if context == 'cli':
> -                    raise RequirementError(name=self.cli_name)
> -                else:
> -                    raise RequirementError(name=self.name)
> +                name = self.cli_name
> +                if not name:
> +                    name = self.name
> +                raise RequirementError(name=name)
>              return
>          if self.multivalue:
>              if type(value) is not tuple:
> @@ -744,7 +744,10 @@ class Param(ReadOnly):
>  
>      def _validate_scalar(self, value, index=None):
>          if type(value) is not self.type:
> -            raise ValidationError(name=self.name,
> +            name = self.cli_name
> +            if not name:
> +                name = self.name
> +            raise ValidationError(name=name,
>                  error='need a %r; got %r (a %r)' % (
>                      self.type, value, type(value)
>                  )
> @@ -1672,10 +1675,16 @@ class AccessTime(Str):
>  
>          try:
>              self._check(value)
>          except ValueError, e:
> -            raise ValidationError(name=self.cli_name, error=e.args[0])
> +            name = self.cli_name
> +            if not name:
> +                name = self.name
> +            raise ValidationError(name=name, error=e.args[0])
>          except IndexError:
> +            name = self.cli_name
> +            if not name:
> +                name = self.name
>              raise ValidationError(
> -                name=self.cli_name, error='incomplete time value'
> +                name=name, error='incomplete time value'
>              )
>          return None
>
From: abokovoy at redhat.com (Alexander Bokovoy) Date: Mon, 01 Aug 2011 17:01:34 +0300 Subject: [Freeipa-devel] environment in Param(s) In-Reply-To: <4E36B171.3050300@redhat.com> References: <4E36811F.2010309@redhat.com> <4E36A694.2010400@redhat.com> <4E36AFC6.6030207@redhat.com> <4E36B171.3050300@redhat.com> Message-ID: <4E36B1BE.80109@redhat.com> On 01.08.2011 17:00, Adam Young wrote: > I don't really have the context to ACK it, but it looks a lot better to > me than the previous solution. Thanks. Here is what I get without and with the patch: ---------------------------------- $ ./ipa automountkey-add pune Map: ipa: ERROR: 'automountmapautomountmapname' is required $ patch -p1 < ~/params-env.patch patching file ipalib/parameters.py $ ./ipa automountkey-add pune Map: ipa: ERROR: 'automountmap' is required ----------------------------------- On the Web UI side you seem to check required field before submitting data to the server so you shouldn't get to this problem at all. -- / Alexander Bokovoy From ayoung at redhat.com Mon Aug 1 14:15:51 2011 
From: ayoung at redhat.com (Adam Young) Date: Mon, 01 Aug 2011 10:15:51 -0400 Subject: [Freeipa-devel] environment in Param(s) In-Reply-To: <4E36B1BE.80109@redhat.com> References: <4E36811F.2010309@redhat.com> <4E36A694.2010400@redhat.com> <4E36AFC6.6030207@redhat.com> <4E36B171.3050300@redhat.com> <4E36B1BE.80109@redhat.com> Message-ID: <4E36B517.8060500@redhat.com> On 08/01/2011 10:01 AM, Alexander Bokovoy wrote: > On 01.08.2011 17:00, Adam Young wrote: >> I don't really have the context to ACK it, but it looks a lot better to >> me than the previous solution. > Thanks. > > Here is what I get without and with the patch: > ---------------------------------- > $ ./ipa automountkey-add pune > Map: > ipa: ERROR: 'automountmapautomountmapname' is required > $ patch -p1< ~/params-env.patch > patching file ipalib/parameters.py > $ ./ipa automountkey-add pune > Map: > ipa: ERROR: 'automountmap' is required > ----------------------------------- > > On the Web UI side you seem to check required field before submitting > data to the server so you shouldn't get to this problem at all. We check on add, but not on mod. From abokovoy at redhat.com Mon Aug 1 14:13:09 2011 
From: abokovoy at redhat.com (Alexander Bokovoy) Date: Mon, 01 Aug 2011 17:13:09 +0300 Subject: [Freeipa-devel] environment in Param(s) In-Reply-To: <4E36B517.8060500@redhat.com> References: <4E36811F.2010309@redhat.com> <4E36A694.2010400@redhat.com> <4E36AFC6.6030207@redhat.com> <4E36B171.3050300@redhat.com> <4E36B1BE.80109@redhat.com> <4E36B517.8060500@redhat.com> Message-ID: <4E36B475.3080608@redhat.com> On 01.08.2011 17:15, Adam Young wrote: > On 08/01/2011 10:01 AM, Alexander Bokovoy wrote: >> On 01.08.2011 17:00, Adam Young wrote: >>> I don't really have the context to ACK it, but it looks a lot better to >>> me than the previous solution. >> Thanks. >> >> Here is what I get without and with the patch: >> ---------------------------------- >> $ ./ipa automountkey-add pune >> Map: >> ipa: ERROR: 'automountmapautomountmapname' is required >> $ patch -p1< ~/params-env.patch >> patching file ipalib/parameters.py >> $ ./ipa automountkey-add pune >> Map: >> ipa: ERROR: 'automountmap' is required >> ----------------------------------- >> >> On the Web UI side you seem to check required field before submitting >> data to the server so you shouldn't get to this problem at all. > We check on add, but not on mod. Should we check on modification as well? -- / Alexander Bokovoy From simo at redhat.com Mon Aug 1 14:26:35 2011 
From: simo at redhat.com (Simo Sorce)
Date: Mon, 01 Aug 2011 10:26:35 -0400
Subject: [Freeipa-devel] Fix regression in #1526 fix
Message-ID: <1312208795.19717.305.camel@willson.li.ssimo.org>

I reopened #1526 as the fix introduced a regression.

The attached patch fixes it by correctly computing utctime when it needs to be used; previously it was calculated and then replaced by the call to compute the last password change, so both attributes were being set to the same value regardless.

Simo.

--
Simo Sorce * Red Hat, Inc * New York

-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0001-Fix-1526-patch.patch
Type: text/x-patch
Size: 2868 bytes
Desc: not available
URL:

From abokovoy at redhat.com Mon Aug 1 14:36:35 2011
From: abokovoy at redhat.com (Alexander Bokovoy)
Date: Mon, 01 Aug 2011 17:36:35 +0300
Subject: [Freeipa-devel] [PATCH] 0009 Use cli_name if possible to return errors via exceptions in Param
Message-ID: <4E36B9F3.4090707@redhat.com>

Hi,

as a result of the discussion on Param and environment/context, here is a patch to fix
https://fedorahosted.org/freeipa/ticket/1549
https://fedorahosted.org/freeipa/ticket/1550

CLI and Web UI work.

--
/ Alexander Bokovoy

-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: freeipa-abbra-0009-tickets-1549-1550.patch
URL:

From rcritten at redhat.com Mon Aug 1 14:44:18 2011

From: rcritten at redhat.com (Rob Crittenden) Date: Mon, 01 Aug 2011 10:44:18 -0400 Subject: [Freeipa-devel] [PATCH] 0009 Use cli_name if possible to return errors via exceptions in Param In-Reply-To: <4E36B9F3.4090707@redhat.com> References: <4E36B9F3.4090707@redhat.com> Message-ID: <4E36BBC2.3010506@redhat.com> Alexander Bokovoy wrote: > Hi, > > as result of discussion on Param and environment/context, here is patch > to fix > https://fedorahosted.org/freeipa/ticket/1549 > https://fedorahosted.org/freeipa/ticket/1550 > > CLI and Web UI work. nack. When using ipalib outside of the cli the wrong attribute is in the error message. See the test program in https://fedorahosted.org/freeipa/attachment/ticket/187 In this sample the error when context='cli' should be 'desc' otherwise it should be 'description'. With your patch it is always 'desc'. rob From mkosek at redhat.com Mon Aug 1 15:07:20 2011 
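To make the naming rule in Rob's nack concrete, here is an added, stand-alone model of the checks the 0009 patch touches; it is not ipalib code. The Param, RequirementError and ValidationError names and the sample names ('description'/'desc', 'automountmapautomountmapname'/'automountmap') come from the thread; error_name(), patched_error_name(), names_for(), missing_value_message() and wrong_type_name() are helper names invented here to put the context-aware rule next to the patch's "cli_name whenever it is set" behaviour.

```python
# Added example, not ipalib code: a minimal stand-in for Param.validate() that
# shows how the name used in an error depends on the caller's context.  The
# class and exception names mirror the thread; error_name(),
# patched_error_name(), names_for(), missing_value_message() and
# wrong_type_name() are invented here for the comparison.


class RequirementError(Exception):
    """A required parameter is missing; message shaped like the CLI output."""

    def __init__(self, name):
        super().__init__("'%s' is required" % name)
        self.name = name


class ValidationError(Exception):
    """A value has the wrong type."""

    def __init__(self, name, error):
        super().__init__("invalid '%s': %s" % (name, error))
        self.name = name
        self.error = error


class Param:
    def __init__(self, name, cli_name=None, required=True, type_=str):
        self.name = name          # attribute name as the API/server sees it
        self.cli_name = cli_name  # option name a CLI user types; may be None
        self.required = required
        self.type = type_

    def error_name(self, context=None):
        """Rule Rob's nack asks for: show cli_name only to a CLI caller and
        only when one exists; every other caller (Web UI, XML-RPC, scripts
        using ipalib) gets the API attribute name."""
        if context == 'cli' and self.cli_name:
            return self.cli_name
        return self.name

    def patched_error_name(self):
        """What the 0009 patch does: cli_name whenever it is set, context ignored."""
        return self.cli_name or self.name

    def validate(self, value, context=None):
        """Context-aware version of the two checks the patch touches."""
        name = self.error_name(context)
        if value is None:
            if self.required:
                raise RequirementError(name=name)
            return
        if type(value) is not self.type:
            raise ValidationError(
                name=name,
                error='need a %r; got %r (a %r)' % (self.type, value, type(value)))


def names_for(param, contexts=('cli', 'server')):
    """{context: (context-aware name, name the patch would use)} for a param."""
    return {ctx: (param.error_name(ctx), param.patched_error_name())
            for ctx in contexts}


def missing_value_message(param, context=None):
    """Error text a caller in `context` sees when a required value is absent."""
    try:
        param.validate(None, context)
    except RequirementError as e:
        return str(e)
    return None


def wrong_type_name(param, value, context=None):
    """Name reported when `value` has the wrong type, or None if it is accepted."""
    try:
        param.validate(value, context)
    except ValidationError as e:
        return e.name
    return None
```

With `Param('description', cli_name='desc')`, `names_for()` shows the difference in one place: the context-aware name is 'desc' for a CLI caller and 'description' otherwise, while the patch's name is 'desc' in both cases, which is exactly the mismatch the test program in ticket 187 exposes.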
From: mkosek at redhat.com (Martin Kosek) Date: Mon, 01 Aug 2011 17:07:20 +0200 Subject: [Freeipa-devel] [PATCH] 103 Fix automountkey-mod In-Reply-To: <1311846562.4103.2.camel@dhcp-25-52.brq.redhat.com> References: <1311773501.12277.12.camel@dhcp-25-52.brq.redhat.com> <4E3023AE.4060500@redhat.com> <1311782411.12277.24.camel@dhcp-25-52.brq.redhat.com> <4E3038C7.4090205@redhat.com> <1311783321.12277.26.camel@dhcp-25-52.brq.redhat.com> <4E305EBB.8090708@redhat.com> <1311846562.4103.2.camel@dhcp-25-52.brq.redhat.com> Message-ID: <1312211242.2484.8.camel@dhcp-25-52.brq.redhat.com> On Thu, 2011-07-28 at 11:49 +0200, Martin Kosek wrote: > On Wed, 2011-07-27 at 14:53 -0400, Rob Crittenden wrote: > > Martin Kosek wrote: > > > On Wed, 2011-07-27 at 12:11 -0400, Dmitri Pal wrote: > > >> On 07/27/2011 12:00 PM, Martin Kosek wrote: > > >>> On Wed, 2011-07-27 at 10:41 -0400, Rob Crittenden wrote: > > >>>> Martin Kosek wrote: > > >>>>> Fix automountkey-mod so that automountkey attribute is correctly > > >>>>> updated. Add this test case to the unit tests. 
> > >>>>> > > >>>>> https://fedorahosted.org/freeipa/ticket/1528 > > >>>> It fixes the problem but I've found another: --key isn't required so if > > >>>> you don't pass it in then a backtrace will occur: > > >>>> > > >>>> Traceback (most recent call last): > > >>>> File "/home/rcrit/redhat/freeipa-master/ipaserver/rpcserver.py", line > > >>>> 220, in wsgi_execute > > >>>> result = self.Command[name](*args, **options) > > >>>> File "/home/rcrit/redhat/freeipa-master/ipalib/frontend.py", line > > >>>> 425, in __call__ > > >>>> ret = self.run(*args, **options) > > >>>> File "/home/rcrit/redhat/freeipa-master/ipalib/frontend.py", line > > >>>> 731, in run > > >>>> return self.execute(*args, **options) > > >>>> File "/home/rcrit/redhat/freeipa-master/ipalib/plugins/automount.py", > > >>>> line 873, in execute > > >>>> keys += (self.obj.get_pk(options['automountkey'], > > >>>> KeyError: 'automountkey' > > >>>> > > >>>> Also, automountinformation is already required. This may be a leftover > > >>>> from when we used it in description, this can probably be lifted too. > > >>>> > > >>>> rob > > >>> Good catch. I fixed this bug too and I also made --newinfo optional so > > >>> that automountkey may be just renamed without changing its info > > >>> attribute. > > >>> > > >>> I didn't bump up API VERSION as these are either compatible changes or > > >>> they caused server internal error. > > >>> > > >>> Martin > > >> > > >> Should the ticket be moved into 2.1 July sprint then? > > > > > > Yes, I would like this to be included in 2.1. I will move ticket to > > > correct milestone (2.1) if we manage to review&push it before release. > > > > > > Martin > > > > nack. Something is up with _mod. I can't be sure it is this patch or it > > was always here. > > > > In the UI every change wanted to try to rename the entry. On the > > command-line I wasn't able to update the info at all. > > > > rob > > Hm, I think this problem was in the _mod command all the time. 
> 'description' field was being filled every time which triggered rename > operation. This caused problems. > > I rewrote _mod command so that 'description' (i.e. rename) is filled > only when needed. > > I checked UI and automountkey_mod command worked OK for me. > > Martin I revisited automountkey_mod command as there was another corner case. get_pk() was changed to include automountinfo in RDN only for direct maps. All tests are OK, even Rob's extended automount test preview. Web UI behaved ok too. Martin -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-mkosek-103-4-fix-automountkey-mod.patch Type: text/x-patch Size: 12467 bytes Desc: not available URL: From rcritten at redhat.com Mon Aug 1 16:01:45 2011 From: rcritten at redhat.com (Rob Crittenden) Date: Mon, 01 Aug 2011 12:01:45 -0400 Subject: [Freeipa-devel] Fix regression in #1526 fix In-Reply-To: <1312208795.19717.305.camel@willson.li.ssimo.org> References: <1312208795.19717.305.camel@willson.li.ssimo.org> Message-ID: <4E36CDE9.8050307@redhat.com> Simo Sorce wrote: > I reopened #1526 as the fix intorduced a regression. > > The attached patch fixes it by correctly computing utctime when it needs > to be used, previously it was calculated and then replaced by the call > to compute the last password change so both attributes were being set to > the same value regardless. > > Simo. ack, pushed to master and ipa-2-0 I added some more description to the commit message. rob From JR.Aquino at citrix.com Mon Aug 1 19:11:56 2011 
From: JR.Aquino at citrix.com (JR Aquino) Date: Mon, 1 Aug 2011 19:11:56 +0000 Subject: [Freeipa-devel] [PATCH] 34 Create FreeIPA CLI Plugin for the 389 Auto Membership plugin In-Reply-To: <4E36A27F.4020908@redhat.com> References: <99CC5FCC-73CE-43C1-9B73-4DDD69A4637D@citrixonline.com> <1310730613.32137.22.camel@dhcp-25-52.brq.redhat.com> <4E2054E3.5060306@redhat.com> <84A3F669-CCF3-4C6C-9525-5BD4A71E6E1E@citrixonline.com> <4E26F657.8030901@redhat.com> <3D1116E1-B782-4F43-B6DA-08E8FCFC34A1@citrixonline.com> <4E279A3C.5040900@redhat.com> <328D74A5-F560-4DC6-8E5F-413AFDCCAABC@citrixonline.com> <1311246577.17378.28.camel@dhcp-25-52.brq.redhat.com> <4E28384A.708@redhat.com> <0BF013EE-B1ED-4953-94ED-F3BA825CFE78@citrixonline.com> <60FB2C65-DFB4-41B4-A51F-78FE89BB1A1E@citrixonline.com> <1312202461.2484.4.camel@dhcp-25-52.brq.redhat.com> <4E36A27F.4020908@redhat.com> Message-ID: On Aug 1, 2011, at 5:56 AM, Rob Crittenden wrote: > Martin Kosek wrote: >> On Sat, 2011-07-30 at 00:54 +0000, JR Aquino wrote: >>> On Jul 21, 2011, at 8:53 AM, JR Aquino wrote: >>> >>>> On Jul 21, 2011, at 7:31 AM, Rob Crittenden wrote: >>>> >>>>> Martin Kosek wrote: >>>>>> On Thu, 2011-07-21 at 03:37 +0000, JR Aquino wrote: >>>>>>>>> Rob, I'm afraid I believe that ldap lookup is necessary. The user inputs a standard string to represent the possible host group? If i simply perform a get_dn it will indeed provide a dn, however, it won't verify that the host group actually exists? (you don't want to create an assignment rule for a non existent target host group) >>>>>>>>> >>>>>>>>> >>>>>>>>> Martin, (except for the name Clarity), I have addressed your observations in this latest patch. Could you please have a look and let me know if there is anything else I need to take care of? >>>>>>>>> >>>>>> >>>>>> Great, preparing the command parameters in pre_callback is much cleaner. >>>>>> >>>>>>>> >>>>>>>> Good point about the LDAP lookup. 
>>>>>>>> >>>>>>>> This looks a lot better but there are still a few issues: >>>>>>>> >>>>>>>> If group_dn is in the object then you can use self.obj.handle_not_found(*keys) for the NotFound. >>>>>>> >>>>>>> Ok, I will give that a shot! >>>>>>> >>>>>>>> >>>>>>>> Or if it can't be moved, in the calls to group_dn() you can use the ldap handle passed into pre_callback. >>>>>>>> >>>>>>>> I guess you are using the includetype tuple to avoid coding long variable names everywhere? Would a symbol be better, eg: >>>>>>>> >>>>>>>> INCLUDE_RE = 'automemberinclusiveregex' >>>>>>>> EXCLUDE_RE = 'automemberexclusiveregex' >>>>>>> >>>>>>> That works, I'll swap em. >>>>>> >>>>>> I agree with Rob here, this will make the code better. >>>>>> >>>>>>> >>>>>>>> Is there a way to validate the regex? >>>>>>> >>>>>>> Now that you mention it, I believe if I import re, we should be able to validate the initial regex and raise an exception if it is bogus. >>>>>>> >>>>>>>> If we were to add an equivalent user group handler would it be the same code in add_condition and remove_condition? It is sort of nice to have everything together at the moment, I suspect it will need to be generalized at some point. >>>>>>> >>>>>>> Well. For the groups, I was thinking it starts to get a little different. I would still reuse the condition, but I believe I would pivot users into groups based upon something like their manager? >>>>>>> >>>>>>>> Adding a clarity with no rules won't let you add rules: >>>>>>>> >>>>>>>> # ipa hostgroup-add --desc=hg1 hg1 >>>>>>>> # ipa hostgroupclarity-add hg1 >>>>>>>> # ipa hostgroupclarity-add-condition --exclusive-hostname-regex=^web5\.example\.com hg1 >>>>>>>> ipa: ERROR: no modifications to be performed >>>>>>> >>>>>>> This ^ is deliberate, you cannot add an exclusion rule if there is no existing or simultaneous inclusive rule. :) Martin asked for that, and I think its wise. >>>>>> >>>>>> Yes, it is wise :-) But the error message is really not clear to the >>>>>> user. 
We should tell him that there must be at least one inclusive rule.
>>>>>>
>>>>>> I wonder if we shouldn't force user to create a hostgroupclarity object
>>>>>> with at least one inclusive rule and then make sure that in all
>>>>>> operations at least one inclusive rule stays here. Or we could delete
>>>>>> the empty LDAP object after the last inclusive rule is removed, as we do
>>>>>> with DNS record LDAP objects in dnsrecord-del.
>>>>>>
>>>>>>>> The way you explained clarity today in IRC, how it brings clarity to managing membership with names no human can grok, I got it. Still, clarity is a bit awkward as a name. automember might be a better choice.
>>>>>>>
>>>>>>> Fair enough ;) I tried, perhaps I can /allude/ to it in the help / docs. automember it is.
>>>>>>>
>>>>>>> One final class I have been struggling with that I want to add?
>>>>>>>
>>>>>>> The object and attribute which defines the 'default group' is the parent of the actual rules? i.e. cn=hostgroup,cn=automember,cn=etc?
>>>>>>>
>>>>>>> The ipa cli seems to only want to let me make mods that assume I am specifying a target object on the cli? "ipa hostgroupautomember-default-group=foo" <- in this scenario, we don't actually want or need a rule name because it's the container above? I have had success making the writes, but the cli syntax just doesn't lend itself to that level of abstraction?
>>>>>>>
>>>>>>> Any suggestions?
>>>>>>>
>>>>>>>
>>>>>>
>>>>>> I think the best shot would be to create a new command and overload the
>>>>>> execute method in that case. Like in hbacrule_enable. You would be able
>>>>>> to set dn correctly here and do the update. Does it make sense? Rob?
>>>>>>
>>>>>> Martin
>>>>>>
>>>>>
>>>>> I agree. We are better off abstracting things now so we can get the API right.
>>>>>
>>>>> I think we can stick more or less with the command names, just in a new plugin and some new arguments.
>>>>> >>>>> I see the plugin with the following methods: >>>>> >>>>> Each takes a single argument, the name of the rule. I don't think I'd stick type into the DN so you wouldn't be able to use the same rule name for different object types. If we want to allow that then we'd need to add --type to a lot more commands. >>>>> >>>>> There is no mod to change types, you have to delete and re-add. >>>>> >>>>> automember-add Add an automember rule >>>>> --type=ENUM (hostgroup, group) >>>>> --desc=STR description of this auto membership rule >>>>> --inclusive-regex=LIST Inclusive Regex >>>>> --exclusive-regex=LIST Exclusive Regex >>>>> >>>>> automember-add-condition Add conditions to automember rule >>>>> --inclusive-regex=LIST Inclusive Regex >>>>> --exclusive-regex=LIST Exclusive Regex >>>>> >>>>> automember-del Delete an automember rule >>>>> >>>>> automember-find Search for automember rules >>>>> --type=ENUM (hostgroup, group) >>>>> >>>>> automember-mod Modify an automember rule. >>>> >>>> automember-default-group Set a default group for auto membership >>>> --group/hostgroup=STR >>>> >>>>> >>>>> automember-remove-condition Remove conditions from an automember rule >>>>> --inclusive-regex=LIST Inclusive Regex >>>>> --exclusive-regex=LIST Exclusive Regex >>>>> >>>>> automember-show Display an automember rule >>> >>> New Patch attached. >>> >>> I believe I have addressed the issues highlighted in the thread. >>> >> >> Hello JR, >> >> Thanks for the patch, the new approach with automember as a separate >> plugin is much better and more extensible. I reviewed it and have some >> feedback: >> >> 1) I see that autoMemberScope in automember plugin configuration is set >> to $SUFFIX. Why don't we use >> cn=hostgroups,cn=accounts,dc=idm,dc=lab,dc=bos,dc=redhat,dc=com and >> cn=hostgroups,cn=accounts,dc=idm,dc=lab,dc=bos,dc=redhat,dc=com. 
IMO
>> this would improve performance
>
> I believe the scope defines where to find automatic members, so it
> should point to cn=computerss,cn=$SUFFIX.

autoMemberScope needs to point to the lowest common denominator where the plugin will detect the insertion of new ldap objects that match the rules: (http://directory.fedoraproject.org/wiki/Auto_Membership_Design#Example_Configuration_Entries)

With that in mind, it seems that we need to point it to cn=accounts,$SUFFIX
>
>>
>> 2) Plugin is not configured correctly on a replica:
>> nsslapd-pluginConfigArea in cn=Auto Membership
>> Plugin,cn=plugins,cn=config is not created. Since cn=config is not
>> replicated, it needs to be updated also on a replica. Plus, "Applying
>> LDAP updates" got stuck in my case for some reason.

I will be correcting this with Rob's suggestion in irc of moving the operation into __common_setup
>>
>> 3) I cannot use --inclusive-regex in ipa automember-add even though it
>> is stated in help that I can
>>
>> # ipa automember-add --type=hostgroup --inclusive-regex=^web[1-9]\.example\.com tgroup
>> Usage: ipa [global-options] automember-add AUTOMEMBER-RULE [options]
>>
>> ipa: error: no such option: --inclusive-regex
>
> I had him remove this. No other command lets you add an entry and
> members at the same time.

I will be removing reference to this in the help/doc. Thank you for catching it.
>
>>
>> 4) Error message when removing a condition is not clear:
>> # ipa automember-show --type=hostgroup tgroup
>> Automember Rule: tgroup
>> Inclusive Regex: fqdn=^web[1-9].example.com, fqdn=^www[1-9].example.com
>> Exclusive Regex: fqdn=^www5.example.com
>>
>> Can we detect this situation and change it to something like "Condition
>> not found"?

It appears as though this situation is trickier than just 'condition not found'.
Since we can provide a list of both inclusive and exclusive regex, and any one of the provided entries could be /not found/, it looks as though I will need to replicate the functionality of 'failed' similar to how they are treated when removing a list of users/hosts from a group/hostgroup where some of the members are non-existent. It looks like I need to return a failed list, but it is not currently clear how to accomplish that in an LDAPUpdate pre/post_callback, as those are really only looking for the return of a 'dn'
>>
>> 5) Having a rule with just an exclusive rule does not make sense - can
>> we handle it?
>> # ipa automember-show --type=hostgroup tgroup
>> Automember Rule: tgroup
>> Inclusive Regex: fqdn=^web[1-9].example.com, fqdn=^www[1-9].example.com
>> Exclusive Regex: fqdn=^www5.example.com
>> # ipa automember-remove-condition --type=hostgroup tgroup --inclusive-regex=^web[1-9]\.example\.com --inclusive-regex=^www[1-9]\.example\.com
>> --------------------------------
>> Removed condition(s) to "tgroup"
>> --------------------------------
>> Automember Rule: tgroup
>> Exclusive Regex: fqdn=^www5.example.com

I am adding additional checks to verify that we don't create/leave a rule with a sole exclusive regex.
>> 6) Command names for automember default group seems inconsistent:
>> automember-add-default-group Set default group for all unmatched entries.
>> automember-default-group-show Display information about the default automember groups.
>> automember-remove-default-group Remove default group for all unmatched entries.
>>
>> If we would follow the same pattern, "automember-default-group-show"
>> should be automember-show-default-group
>
> I think it should be automember-default-group-*. Since there is only one
> default for something I think it should be set instead of add.
I agree with Rob:
ipa automember-default-group-set
ipa automember-default-group-remove
ipa automember-default-group-show
>
>> 7) Parameters of the automember default group seems inconsistent too:
>> a) --desc parameter present in automember-add-default-group and
>> automember-remove-default-group should not be here
>> b) Grouping Type of the automember type is passed as an argument in
>> automember-remove-default-group and automember-default-group-show
>> instead of --type=STR as in all other commands

This is deliberate. The framework has a mandatory requirement of at least 1 argument. Since these 3 operations require us to operate on parent objects, it does not make sense to force it to provide a 'rule' as the modification does not take place on any 1 rule, but rather the container which they are a part of. I am open to suggestions...
>>
>> 8) automember.py: In
>> automember_add_condition/automember_remove_condition I see 2 almost
>> identical branches of code - a lot of redundancy. Couldn't we
>> consolidate them, for example to one "for attr in (INCLUDE_RE,
>> EXCLUDE_RE):" construct?

I will see what I can do to accommodate this. It is likely that there will need to be several pivot points to provide the logic required to prevent the addition of an exclusive regex without an inclusive one present. Likewise with the deletion of the last inclusive regex when there is at least 1 exclusive regex present.
>>
>> 9) test_automember_plugin.py: the test class should be named
>> test_automember, not test_user

Ah. Thanks!
>>
>> Martin
>>
>
> I'm also wondering about hardcoding a key. Is there a reason we can't
> ask the regex writer to simply include this themselves?

I am fairly opposed to removing 'default' attrs which the rules are applied to... I am happy to provide a means to override them. While it may be second nature for all of us to know that there is an fqdn attribute, etc, our consumers are likely not going to intrinsically know our schema.
We also deliberately mask the real attribute names in the framework. (fqdn = Host name) Providing a default feels like a happy medium which allows for ease of use and somewhat of a safety belt against users defining an incorrect attribute name. It also might get somewhat tiring to constantly provide --key=fqdn every time you add a hostname regex? > Stand by for a follow up patch later today after I figure out how to better account for the failed manipulation of conditions. From rcritten at redhat.com Mon Aug 1 19:19:40 2011 From: rcritten at redhat.com (Rob Crittenden) Date: Mon, 01 Aug 2011 15:19:40 -0400 Subject: [Freeipa-devel] [PATCH] 843 reduce dogtag install time Message-ID: <4E36FC4C.4030506@redhat.com> Ade Lee from the dogtag team looked at our installer and found that we restarted the pki-cad process too many times. Re-arranging some code allows us to restart it just once. The new config time for dogtag is 3 1/2 minutes, down from about 5 1/2. Ade is working on improvements in pki-silent as well which can bring the overall install time to 90 seconds. If we can get a change in SELinux policy we're looking at 60 seconds. This patch just contains the reworked installer part. Once an updated dogtag is released we can update the spec file to pull it in. rob -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-rcrit-843-dogtag.patch Type: application/mbox Size: 9586 bytes Desc: not available URL: From ayoung at redhat.com Tue Aug 2 02:26:35 2011 
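The rule-consistency points JR Aquino commits to earlier in this thread (validate a regex before storing it, never create or leave a rule with only exclusive regexes, and report conditions that were not found as "failed" rather than silently succeeding) are easy to get wrong when add and remove are written as separate branches. Here is an added, in-memory model of an automember rule that enforces all three in one place; it is not the FreeIPA plugin or the 389 Auto Membership plugin. INCLUDE_RE/EXCLUDE_RE, the "fqdn=regex" condition format and the 'fqdn' default key come from the thread; the AutomemberRule class, its method names, the rejected() helper and the assumed membership semantics (an entry matches if any inclusive regex matches it and no exclusive regex does) are mine.

```python
# Added example: an in-memory model of automember rule conditions, not the
# FreeIPA plugin or 389-ds code.  INCLUDE_RE/EXCLUDE_RE and the "key=regex"
# condition format follow the thread; the class, its invariants and the
# membership semantics assumed in matches() are the example author's.
import re

INCLUDE_RE = 'automemberinclusiveregex'
EXCLUDE_RE = 'automemberexclusiveregex'


class AutomemberError(Exception):
    """Validation failure reported back to the caller instead of a bare LDAP error."""


def validate_regex(regex):
    """Reject a bogus regex up front instead of storing it in LDAP."""
    try:
        re.compile(regex)
    except re.error as e:
        raise AutomemberError("invalid regex %r: %s" % (regex, e))
    return regex


def make_condition(regex, key='fqdn'):
    """Conditions are stored as 'key=regex'; 'fqdn' is the default key discussed."""
    return '%s=%s' % (key, validate_regex(regex))


class AutomemberRule:
    def __init__(self, name, grouping_type='hostgroup'):
        self.name = name
        self.type = grouping_type
        self.attrs = {INCLUDE_RE: [], EXCLUDE_RE: []}

    @staticmethod
    def _check_invariant(inclusive, exclusive):
        # A rule may never hold exclusive regexes without at least one inclusive one.
        if exclusive and not inclusive:
            raise AutomemberError(
                'at least one inclusive regex is required before an exclusive regex can exist')

    def add_conditions(self, inclusive=(), exclusive=(), key='fqdn'):
        """Add conditions; all-or-nothing, so a bad regex leaves the rule untouched."""
        new = {}
        for attr, regexes in ((INCLUDE_RE, inclusive), (EXCLUDE_RE, exclusive)):
            merged = list(self.attrs[attr])
            for cond in (make_condition(r, key) for r in regexes):
                if cond not in merged:          # duplicates are not stored twice
                    merged.append(cond)
            new[attr] = merged
        self._check_invariant(new[INCLUDE_RE], new[EXCLUDE_RE])
        self.attrs = new
        return self

    def remove_conditions(self, inclusive=(), exclusive=(), key='fqdn'):
        """Remove conditions; returns the ones that were not present ("failed")."""
        failed = {INCLUDE_RE: [], EXCLUDE_RE: []}
        new = {}
        for attr, regexes in ((INCLUDE_RE, inclusive), (EXCLUDE_RE, exclusive)):
            remaining = list(self.attrs[attr])
            for r in regexes:
                cond = '%s=%s' % (key, r)  # no validation: a bogus regex is simply "not found"
                if cond in remaining:
                    remaining.remove(cond)
                else:
                    failed[attr].append(cond)
            new[attr] = remaining
        # Refuse to delete the last inclusive regex while exclusive ones remain.
        self._check_invariant(new[INCLUDE_RE], new[EXCLUDE_RE])
        self.attrs = new
        return failed

    def matches(self, value, key='fqdn'):
        """Assumed semantics: member if any inclusive regex matches and no exclusive one does."""
        def regexes(attr):
            prefix = key + '='
            return [c[len(prefix):] for c in self.attrs[attr] if c.startswith(prefix)]
        if not any(re.search(r, value) for r in regexes(INCLUDE_RE)):
            return False
        return not any(re.search(r, value) for r in regexes(EXCLUDE_RE))


def rejected(action):
    """Run a zero-argument callable; return the AutomemberError text, or None on success."""
    try:
        action()
    except AutomemberError as e:
        return str(e)
    return None
```

Both add and remove compute the would-be result first and only then check the invariant, so a refused operation never leaves a half-modified rule; that is the shape the single "for attr in (INCLUDE_RE, EXCLUDE_RE)" loop Martin asked for can take while still covering the exclusive-without-inclusive cases JR lists.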
From: ayoung at redhat.com (Adam Young)
Date: Mon, 01 Aug 2011 22:26:35 -0400
Subject: [Freeipa-devel] [PATCH] 843 reduce dogtag install time
In-Reply-To: <4E36FC4C.4030506@redhat.com>
References: <4E36FC4C.4030506@redhat.com>
Message-ID: <4E37605B.4080500@redhat.com>

On 08/01/2011 03:19 PM, Rob Crittenden wrote:
> Ade Lee from the dogtag team looked at our installer and found that we
> restarted the pki-cad process too many times. Re-arranging some code
> allows us to restart it just once. The new config time for dogtag is 3
> 1/2 minutes, down from about 5 1/2.
>
> Ade is working on improvements in pki-silent as well which can bring
> the overall install time to 90 seconds. If we can get a change in
> SELinux policy we're looking at 60 seconds.
>
> This patch just contains the reworked installer part. Once an updated
> dogtag is released we can update the spec file to pull it in.
>
> rob
>
>
> _______________________________________________
> Freeipa-devel mailing list
> Freeipa-devel at redhat.com
> https://www.redhat.com/mailman/listinfo/freeipa-devel

Something is wrong. When I installed this patch, the browser works fine in a clean mode (never before initialized). However, if the browser already has a certificate from the server, in the past I was able to go into Edit->preferences->advanced->Certificates, and remove both the server and the CA certificate, and then restart the browser. That does not work now. I just get the message

Secure Connection Failed
An error occurred during a connection to server15.ayoung.boston.devel.redhat.com.

You have received an invalid certificate. Please contact the server administrator or email correspondent and give them the following information:

Your certificate contains the same serial number as another certificate issued by the certificate authority. Please get a new certificate containing a unique serial number.
(Error code: sec_error_reused_issuer_and_serial)

The page you are trying to view can not be shown because the authenticity of the received data could not be verified.
Please contact the web site owners to inform them of this problem. Alternatively, use the command found in the help menu to report this broken site.

Restarting IPA made no difference. The browser does not provide a lot of info in which to debug this.

I'll try again without the patch and see if there is a difference.

-------------- next part --------------
An HTML attachment was scrubbed...
URL:

From ayoung at redhat.com Tue Aug 2 03:03:05 2011
From: ayoung at redhat.com (Adam Young)
Date: Mon, 01 Aug 2011 23:03:05 -0400
Subject: [Freeipa-devel] [PATCH] 843 reduce dogtag install time
In-Reply-To: <4E37605B.4080500@redhat.com>
References: <4E36FC4C.4030506@redhat.com> <4E37605B.4080500@redhat.com>
Message-ID: <4E3768E9.8030900@redhat.com>

On 08/01/2011 10:26 PM, Adam Young wrote:
> On 08/01/2011 03:19 PM, Rob Crittenden wrote:
>> Ade Lee from the dogtag team looked at our installer and found that
>> we restarted the pki-cad process too many times. Re-arranging some
>> code allows us to restart it just once. The new config time for
>> dogtag is 3 1/2 minutes, down from about 5 1/2.
>>
>> Ade is working on improvements in pki-silent as well which can bring
>> the overall install time to 90 seconds. If we can get a change in
>> SELinux policy we're looking at 60 seconds.
>>
>> This patch just contains the reworked installer part. Once an updated
>> dogtag is released we can update the spec file to pull it in.
>>
>> rob
>>
> Disregard: same thing seems to be happening without this patch.
>
> Something is wrong. When I installed this patch, the browser works
> fine in a clean mode (never before initialized). However, if the
> browser already has a certificate from the server, in the past I was
> able to go into Edit->preferences->advanced->Certificates, and remove
> both the server and the CA certificate, and then restart the browser.
> That does not work now. I just get the message
>
> Secure Connection Failed
> An error occurred during a connection to
> server15.ayoung.boston.devel.redhat.com.
>
> You have received an invalid certificate.
Please contact the server
> administrator or email correspondent and give them the following
> information:
>
> Your certificate contains the same serial number as another
> certificate issued by the certificate authority. Please get a new
> certificate containing a unique serial number.
>
> (Error code: sec_error_reused_issuer_and_serial)
>
> The page you are trying to view can not be shown because the
> authenticity of the received data could not be verified.
> Please contact the web site owners to inform them of this problem.
> Alternatively, use the command found in the help menu to report this
> broken site.
>
>
> Restarting IPA made no difference. The browser does not provide a lot
> of info in which to debug this.
>
>
> I'll try again without the patch and see if there is a difference.
>

-------------- next part --------------
An HTML attachment was scrubbed...
URL:

From mkosek at redhat.com Tue Aug 2 06:28:43 2011
From: mkosek at redhat.com (Martin Kosek)
Date: Tue, 02 Aug 2011 08:28:43 +0200
Subject: [Freeipa-devel] [PATCH] 34 Create FreeIPA CLI Plugin for the 389 Auto Membership plugin
References: <99CC5FCC-73CE-43C1-9B73-4DDD69A4637D@citrixonline.com> <1310730613.32137.22.camel@dhcp-25-52.brq.redhat.com> <4E2054E3.5060306@redhat.com> <84A3F669-CCF3-4C6C-9525-5BD4A71E6E1E@citrixonline.com> <4E26F657.8030901@redhat.com> <3D1116E1-B782-4F43-B6DA-08E8FCFC34A1@citrixonline.com> <4E279A3C.5040900@redhat.com> <328D74A5-F560-4DC6-8E5F-413AFDCCAABC@citrixonline.com> <1311246577.17378.28.camel@dhcp-25-52.brq.redhat.com> <4E28384A.708@redhat.com> <0BF013EE-B1ED-4953-94ED-F3BA825CFE78@citrixonline.com> <60FB2C65-DFB4-41B4-A51F-78FE89BB1A1E@citrixonline.com> <1312202461.2484.4.camel@dhcp-25-52.brq.redhat.com> <4E36A27F.4020908@redhat.com>
Message-ID: <1312266529.2457.7.camel@dhcp-25-52.brq.redhat.com>

On Mon, 2011-08-01 at 19:11 +0000, JR Aquino wrote:
> On Aug 1, 2011, at 5:56 AM, Rob Crittenden wrote:
>
> > Martin Kosek wrote:
> >> On Sat, 2011-07-30 at 00:54 +0000, JR Aquino wrote:
> >>> On Jul 21, 2011, at 8:53 AM, JR Aquino wrote:
> >>>
> >>>> On Jul 21, 2011, at 7:31 AM, Rob Crittenden wrote:
> >>>>
> >>>>> Martin Kosek wrote:
> >>>>>> On Thu, 2011-07-21 at 03:37 +0000, JR Aquino wrote:
> >>>>>>>>> Rob, I'm afraid I believe that ldap lookup is necessary. The user inputs a standard string to represent the possible host group? If I simply perform a get_dn it will indeed provide a dn, however, it won't verify that the host group actually exists? (you don't want to create an assignment rule for a non-existent target host group)
> >>>>>>>>>
> >>>>>>>>>
> >>>>>>>>> Martin, (except for the name Clarity), I have addressed your observations in this latest patch. Could you please have a look and let me know if there is anything else I need to take care of?
> >>>>>>>>>
> >>>>>>
> >>>>>> Great, preparing the command parameters in pre_callback is much cleaner.
> >>>>>>
> >>>>>>>>
> >>>>>>>> Good point about the LDAP lookup.
> >>>>>>>>
> >>>>>>>> This looks a lot better but there are still a few issues:
> >>>>>>>>
> >>>>>>>> If group_dn is in the object then you can use self.obj.handle_not_found(*keys) for the NotFound.
> >>>>>>>
> >>>>>>> Ok, I will give that a shot!
> >>>>>>>
> >>>>>>>>
> >>>>>>>> Or if it can't be moved, in the calls to group_dn() you can use the ldap handle passed into pre_callback.
> >>>>>>>>
> >>>>>>>> I guess you are using the includetype tuple to avoid coding long variable names everywhere? Would a symbol be better, eg:
> >>>>>>>>
> >>>>>>>> INCLUDE_RE = 'automemberinclusiveregex'
> >>>>>>>> EXCLUDE_RE = 'automemberexclusiveregex'
> >>>>>>>
> >>>>>>> That works, I'll swap em.
> >>>>>>
> >>>>>> I agree with Rob here, this will make the code better.
> >>>>>>
> >>>>>>>
> >>>>>>>> Is there a way to validate the regex?
> >>>>>>>
> >>>>>>> Now that you mention it, I believe if I import re, we should be able to validate the initial regex and raise an exception if it is bogus.
> >>>>>>>
> >>>>>>>> If we were to add an equivalent user group handler would it be the same code in add_condition and remove_condition? It is sort of nice to have everything together at the moment, I suspect it will need to be generalized at some point.
> >>>>>>>
> >>>>>>> Well. For the groups, I was thinking it starts to get a little different. I would still reuse the condition, but I believe I would pivot users into groups based upon something like their manager?
> >>>>>>>
> >>>>>>>> Adding a clarity with no rules won't let you add rules:
> >>>>>>>>
> >>>>>>>> # ipa hostgroup-add --desc=hg1 hg1
> >>>>>>>> # ipa hostgroupclarity-add hg1
> >>>>>>>> # ipa hostgroupclarity-add-condition --exclusive-hostname-regex=^web5\.example\.com hg1
> >>>>>>>> ipa: ERROR: no modifications to be performed
> >>>>>>>
> >>>>>>> This ^ is deliberate, you cannot add an exclusion rule if there is no existing or simultaneous inclusive rule. :) Martin asked for that, and I think it's wise.
> >>>>>>
> >>>>>> Yes, it is wise :-) But the error message is really not clear to the
> >>>>>> user. We should tell him that there must be at least one inclusive rule.
> >>>>>>
> >>>>>> I wonder if we shouldn't force user to create a hostgroupclarity object
> >>>>>> with at least one inclusive rule and then make sure that in all
> >>>>>> operations at least one inclusive rule stays here. Or we could delete
> >>>>>> the empty LDAP object after the last inclusive rule is removed, as we do
> >>>>>> with DNS record LDAP objects in dnsrecord-del.
> >>>>>>
> >>>>>>>> The way you explained clarity today in IRC, how it brings clarity to managing membership with names no human can grok, I got it. Still, clarity is a bit awkward as a name. automember might be a better choice.
> >>>>>>>
> >>>>>>> Fair enough ;) I tried, perhaps I can /allude/ to it in the help / docs. automember it is.
> >>>>>>>
> >>>>>>> One final class I have been struggling with that I want to add?
> >>>>>>>
> >>>>>>> The object and attribute which defines the 'default group' is the parent of the actual rules? i.e. cn=hostgroup,cn=automember,cn=etc?
> >>>>>>>
> >>>>>>> The ipa cli seems to only want to let me make mods that assume I am specifying a target object on the cli? "ipa hostgroupautomember-default-group=foo" <- in this scenario, we don't actually want or need a rule name because it's the container above? I have had success making the writes, but the cli syntax just doesn't lend itself to that level of abstraction?
> >>>>>>>
> >>>>>>> Any suggestions?
> >>>>>>>
> >>>>>>>
> >>>>>>
> >>>>>> I think the best shot would be to create a new command and overload the
> >>>>>> execute method in that case. Like in hbacrule_enable. You would be able
> >>>>>> to set dn correctly here and do the update. Does it make sense? Rob?
> >>>>>>
> >>>>>> Martin
> >>>>>>
> >>>>>
> >>>>> I agree. We are better off abstracting things now so we can get the API right.
> >>>>>
> >>>>> I think we can stick more or less with the command names, just in a new plugin and some new arguments.
> >>>>>
> >>>>> I see the plugin with the following methods:
> >>>>>
> >>>>> Each takes a single argument, the name of the rule. I don't think I'd stick type into the DN so you wouldn't be able to use the same rule name for different object types. If we want to allow that then we'd need to add --type to a lot more commands.
> >>>>>
> >>>>> There is no mod to change types, you have to delete and re-add.
> >>>>>
> >>>>> automember-add Add an automember rule
> >>>>> --type=ENUM (hostgroup, group)
> >>>>> --desc=STR description of this auto membership rule
> >>>>> --inclusive-regex=LIST Inclusive Regex
> >>>>> --exclusive-regex=LIST Exclusive Regex
> >>>>>
> >>>>> automember-add-condition Add conditions to automember rule
> >>>>> --inclusive-regex=LIST Inclusive Regex
> >>>>> --exclusive-regex=LIST Exclusive Regex
> >>>>>
> >>>>> automember-del Delete an automember rule
> >>>>>
> >>>>> automember-find Search for automember rules
> >>>>> --type=ENUM (hostgroup, group)
> >>>>>
> >>>>> automember-mod Modify an automember rule.
> >>>>
> >>>> automember-default-group Set a default group for auto membership
> >>>> --group/hostgroup=STR
> >>>>
> >>>>>
> >>>>> automember-remove-condition Remove conditions from an automember rule
> >>>>> --inclusive-regex=LIST Inclusive Regex
> >>>>> --exclusive-regex=LIST Exclusive Regex
> >>>>>
> >>>>> automember-show Display an automember rule
> >>>
> >>> New Patch attached.
> >>>
> >>> I believe I have addressed the issues highlighted in the thread.
> >>>
> >>
> >> Hello JR,
> >>
> >> Thanks for the patch, the new approach with automember as a separate
> >> plugin is much better and more extensible. I reviewed it and have some
> >> feedback:
> >>
> >> 1) I see that autoMemberScope in automember plugin configuration is set
> >> to $SUFFIX. Why don't we use
> >> cn=hostgroups,cn=accounts,dc=idm,dc=lab,dc=bos,dc=redhat,dc=com and
> >> cn=hostgroups,cn=accounts,dc=idm,dc=lab,dc=bos,dc=redhat,dc=com. IMO
> >> this would improve performance
> >
> > I believe the scope defines where to find automatic members, so it
> > should point to cn=computers,cn=$SUFFIX.
>
> autoMemberScope needs to point to the lowest common denominator where the plugin will detect the insertion of new ldap objects that match the rules:
> (http://directory.fedoraproject.org/wiki/Auto_Membership_Design#Example_Configuration_Entries)
>
> With that in mind, it seems that we need to point it to cn=accounts,$SUFFIX

In that case we can point autoMemberScope to values
cn=hostgroups,cn=accounts,$SUFFIX and cn=groups,cn=accounts,$SUFFIX
since it is configured per member type.

>
> >
> >>
> >> 2) Plugin is not configured correctly on a replica:
> >> nsslapd-pluginConfigArea in cn=Auto Membership
> >> Plugin,cn=plugins,cn=config is not created. Since cn=config is not
> >> replicated, it needs to be updated also on a replica. Plus, "Applying
> >> LDAP updates" got stuck in my case for some reason.
>
> I will be correcting this with Rob's suggestion in irc of moving the operation into __common_setup

That should do the trick. We just need to make sure that only records
in cn=config are placed in __common_setup. cn=etc,$SUFFIX is replicated
and thus shouldn't be filled on a replica setup.

>
> >>
> >> 3) I cannot use --inclusive-regex in ipa automember-add even though it
> >> is stated in help that I can
> >>
> >> # ipa automember-add --type=hostgroup --inclusive-regex=^web[1-9]\.example\.com tgroup
> >> Usage: ipa [global-options] automember-add AUTOMEMBER-RULE [options]
> >>
> >> ipa: error: no such option: --inclusive-regex
> >
> > I had him remove this. No other command lets you add an entry and
> > members at the same time.
>
> I will be removing reference to this in the help/doc. Thank you for catching it.
>
> >
> >>
> >> 4) Error message when removing a condition is not clear:
> >> # ipa automember-show --type=hostgroup tgroup
> >> Automember Rule: tgroup
> >> Inclusive Regex: fqdn=^web[1-9].example.com, fqdn=^www[1-9].example.com
> >> Exclusive Regex: fqdn=^www5.example.com
> >>
> >> Can we detect this situation and change it to something like "Condition
> >> not found"?
>
> It appears as though this situation is trickier than just 'condition not found'.
>
> Since we can provide a list of both inclusive and exclusive regex, and any one of the provided entries could be /not found/ it looks as though I will need to replicate the functionality of 'failed' similar to how they are treated when removing a list of users/hosts from a group/hostgroup where some of the members are non-existent.
>
> It looks like I need to return a failed list, but it is not currently clear how to accomplish that in an LDAPUpdate pre/post_callback, as those are really only looking for the return of a 'dn'
>
> >>
> >> 5) Having a rule with just an exclusive rule does not make sense - can
> >> we handle it?
> >> # ipa automember-show --type=hostgroup tgroup
> >> Automember Rule: tgroup
> >> Inclusive Regex: fqdn=^web[1-9].example.com, fqdn=^www[1-9].example.com
> >> Exclusive Regex: fqdn=^www5.example.com
> >> # ipa automember-remove-condition --type=hostgroup tgroup --inclusive-regex=^web[1-9]\.example\.com --inclusive-regex=^www[1-9]\.example\.com
> >> --------------------------------
> >> Removed condition(s) to "tgroup"
> >> --------------------------------
> >> Automember Rule: tgroup
> >> Exclusive Regex: fqdn=^www5.example.com
>
> I am adding additional checks to verify that we don't create/leave a rule with a sole exclusive regex.
>
> >> 6) Command names for automember default group seem inconsistent:
> >> automember-add-default-group Set default group for all unmatched entries.
> >> automember-default-group-show Display information about the default automember groups.
> >> automember-remove-default-group Remove default group for all unmatched entries.
> >>
> >> If we would follow the same pattern, "automember-default-group-show"
> >> should be automember-show-default-group
> >
> > I think it should be automember-default-group-*. Since there is only one
> > default for something I think it should be set instead of add.
>
> I agree with Rob:
> ipa automember-default-group-set
> ipa automember-default-group-remove
> ipa automember-default-group-show
>
> >
> >> 7) Parameters of the automember default group seem inconsistent too:
> >> a) --desc parameter present in automember-add-default-group and
> >> automember-remove-default-group should not be here
> >> b) Grouping Type of the automember type is passed as an argument in
> >> automember-remove-default-group and automember-default-group-show
> >> instead of --type=STR as in all other commands
>
> This is deliberate.
>
> The framework has a mandatory requirement of at least 1 argument.
>
> Since these 3 operations require us to operate on parent objects, it does not make sense to force it to provide a 'rule' as the modification does not take place on any 1 rule, but rather the container which they are a part of.
> I am open to suggestions...

I know, but I still think it's worth it even if we would have to bend the
framework a bit (like we do for example in pwpolicy plugin - arg is not
mandatory here). My point is that having the TYPE passed a completely
different way than we do in the rest of the plugin will confuse users.

>
> >>
> >> 8) automember.py: In
> >> automember_add_condition/automember_remove_condition I see 2 almost
> >> identical branches of code - a lot of redundancy. Couldn't we
> >> consolidate them, for example to one "for attr in (INCLUDE_RE,
> >> EXCLUDE_RE):" construct?
>
> I will see what I can do to accommodate this. It is likely that there will need to be several pivot points to provide the logic required to prevent the addition of an exclusive regex without an inclusive one present. Likewise with the deletion of the last inclusive regex when there is at least 1 exclusive regex present.
>
> >>
> >> 9) test_automember_plugin.py: the test class should be named
> >> test_automember, not test_user
>
> Ah. Thanks!
>
> >>
> >> Martin
> >>
> >
> > I'm also wondering about hardcoding a key. Is there a reason we can't
> > ask the regex writer to simply include this themselves?
>
> I am fairly opposed to removing 'default' attrs which the rules are applied to... I am happy to provide a means to override them.
>
> While it may be second nature for all of us to know that there is an fqdn attribute, etc, our consumers are likely not going to intrinsically know our schema. We also deliberately mask the real attribute names in the framework. (fqdn = Host name)
>
> Providing a default feels like a happy medium which allows for ease of use and somewhat of a safety belt against users defining an incorrect attribute name.
>
> It also might get somewhat tiring to constantly provide --key=fqdn every time you add a hostname regex?
> >
>
> Stand by for a follow up patch later today after I figure out how to better account for the failed manipulation of conditions.
>

Standing by :-)
Martin

From JR.Aquino at citrix.com Tue Aug 2 07:25:20 2011
From: JR.Aquino at citrix.com (JR Aquino)
Date: Tue, 2 Aug 2011 07:25:20 +0000
Subject: [Freeipa-devel] [PATCH] 34 Create FreeIPA CLI Plugin for the 389 Auto Membership plugin
In-Reply-To: <1312266529.2457.7.camel@dhcp-25-52.brq.redhat.com>
References: <99CC5FCC-73CE-43C1-9B73-4DDD69A4637D@citrixonline.com> <1310730613.32137.22.camel@dhcp-25-52.brq.redhat.com> <4E2054E3.5060306@redhat.com> <84A3F669-CCF3-4C6C-9525-5BD4A71E6E1E@citrixonline.com> <4E26F657.8030901@redhat.com> <3D1116E1-B782-4F43-B6DA-08E8FCFC34A1@citrixonline.com> <4E279A3C.5040900@redhat.com> <328D74A5-F560-4DC6-8E5F-413AFDCCAABC@citrixonline.com> <1311246577.17378.28.camel@dhcp-25-52.brq.redhat.com> <4E28384A.708@redhat.com> <0BF013EE-B1ED-4953-94ED-F3BA825CFE78@citrixonline.com> <60FB2C65-DFB4-41B4-A51F-78FE89BB1A1E@citrixonline.com> <1312202461.2484.4.camel@dhcp-25-52.brq.redhat.com> <4E36A27F.4020908@redhat.com> <1312266529.2457.7.camel@dhcp-25-52.brq.redhat.com>
Message-ID: <1A470DD5-2478-4E16-8459-9814996787EE@citrix.com>

On Aug 1, 2011, at 11:28 PM, "Martin Kosek" wrote:

> On Mon, 2011-08-01 at 19:11 +0000, JR Aquino wrote:
>> On Aug 1, 2011, at 5:56 AM, Rob Crittenden wrote:
>>
>>> Martin Kosek wrote:
>>>> On Sat, 2011-07-30 at 00:54 +0000, JR Aquino wrote:
>>>>> On Jul 21, 2011, at 8:53 AM, JR Aquino wrote:
>>>>>
>>>>>> On Jul 21, 2011, at 7:31 AM, Rob Crittenden wrote:
>>>>>>
>>>>>>> Martin Kosek wrote:
>>>>>>>> On Thu, 2011-07-21 at 03:37 +0000, JR Aquino wrote:
>>>>>>>>>>> Rob, I'm afraid I believe that ldap lookup is necessary. The user inputs a standard string to represent the possible host group? If I simply perform a get_dn it will indeed provide a dn, however, it won't verify that the host group actually exists? (you don't want to create an assignment rule for a non-existent target host group)
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>> Martin, (except for the name Clarity), I have addressed your observations in this latest patch. Could you please have a look and let me know if there is anything else I need to take care of?
>>>>>>>>>>>
>>>>>>>>
>>>>>>>> Great, preparing the command parameters in pre_callback is much cleaner.
>>>>>>>>
>>>>>>>>>>
>>>>>>>>>> Good point about the LDAP lookup.
>>>>>>>>>>
>>>>>>>>>> This looks a lot better but there are still a few issues:
>>>>>>>>>>
>>>>>>>>>> If group_dn is in the object then you can use self.obj.handle_not_found(*keys) for the NotFound.
>>>>>>>>>
>>>>>>>>> Ok, I will give that a shot!
>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>> Or if it can't be moved, in the calls to group_dn() you can use the ldap handle passed into pre_callback.
>>>>>>>>>>
>>>>>>>>>> I guess you are using the includetype tuple to avoid coding long variable names everywhere? Would a symbol be better, eg:
>>>>>>>>>>
>>>>>>>>>> INCLUDE_RE = 'automemberinclusiveregex'
>>>>>>>>>> EXCLUDE_RE = 'automemberexclusiveregex'
>>>>>>>>>
>>>>>>>>> That works, I'll swap em.
>>>>>>>>
>>>>>>>> I agree with Rob here, this will make the code better.
>>>>>>>>
>>>>>>>>>
>>>>>>>>>> Is there a way to validate the regex?
>>>>>>>>>
>>>>>>>>> Now that you mention it, I believe if I import re, we should be able to validate the initial regex and raise an exception if it is bogus.
>>>>>>>>>
>>>>>>>>>> If we were to add an equivalent user group handler would it be the same code in add_condition and remove_condition? It is sort of nice to have everything together at the moment, I suspect it will need to be generalized at some point.
>>>>>>>>>
>>>>>>>>> Well. For the groups, I was thinking it starts to get a little different. I would still reuse the condition, but I believe I would pivot users into groups based upon something like their manager?
>>>>>>>>>
>>>>>>>>>> Adding a clarity with no rules won't let you add rules:
>>>>>>>>>>
>>>>>>>>>> # ipa hostgroup-add --desc=hg1 hg1
>>>>>>>>>> # ipa hostgroupclarity-add hg1
>>>>>>>>>> # ipa hostgroupclarity-add-condition --exclusive-hostname-regex=^web5\.example\.com hg1
>>>>>>>>>> ipa: ERROR: no modifications to be performed
>>>>>>>>>
>>>>>>>>> This ^ is deliberate, you cannot add an exclusion rule if there is no existing or simultaneous inclusive rule. :) Martin asked for that, and I think it's wise.
>>>>>>>>
>>>>>>>> Yes, it is wise :-) But the error message is really not clear to the
>>>>>>>> user. We should tell him that there must be at least one inclusive rule.
>>>>>>>>
>>>>>>>> I wonder if we shouldn't force user to create a hostgroupclarity object
>>>>>>>> with at least one inclusive rule and then make sure that in all
>>>>>>>> operations at least one inclusive rule stays here. Or we could delete
>>>>>>>> the empty LDAP object after the last inclusive rule is removed, as we do
>>>>>>>> with DNS record LDAP objects in dnsrecord-del.
>>>>>>>>
>>>>>>>>>> The way you explained clarity today in IRC, how it brings clarity to managing membership with names no human can grok, I got it. Still, clarity is a bit awkward as a name. automember might be a better choice.
>>>>>>>>>
>>>>>>>>> Fair enough ;) I tried, perhaps I can /allude/ to it in the help / docs. automember it is.
>>>>>>>>>
>>>>>>>>> One final class I have been struggling with that I want to add?
>>>>>>>>>
>>>>>>>>> The object and attribute which defines the 'default group' is the parent of the actual rules? i.e. cn=hostgroup,cn=automember,cn=etc?
>>>>>>>>>
>>>>>>>>> The ipa cli seems to only want to let me make mods that assume I am specifying a target object on the cli? "ipa hostgroupautomember-default-group=foo" <- in this scenario, we don't actually want or need a rule name because it's the container above? I have had success making the writes, but the cli syntax just doesn't lend itself to that level of abstraction?
>>>>>>>>>
>>>>>>>>> Any suggestions?
>>>>>>>>>
>>>>>>>>>
>>>>>>>>
>>>>>>>> I think the best shot would be to create a new command and overload the
>>>>>>>> execute method in that case. Like in hbacrule_enable. You would be able
>>>>>>>> to set dn correctly here and do the update. Does it make sense? Rob?
>>>>>>>>
>>>>>>>> Martin
>>>>>>>>
>>>>>>>
>>>>>>> I agree. We are better off abstracting things now so we can get the API right.
>>>>>>>
>>>>>>> I think we can stick more or less with the command names, just in a new plugin and some new arguments.
>>>>>>>
>>>>>>> I see the plugin with the following methods:
>>>>>>>
>>>>>>> Each takes a single argument, the name of the rule. I don't think I'd stick type into the DN so you wouldn't be able to use the same rule name for different object types. If we want to allow that then we'd need to add --type to a lot more commands.
>>>>>>>
>>>>>>> There is no mod to change types, you have to delete and re-add.
>>>>>>>
>>>>>>> automember-add Add an automember rule
>>>>>>> --type=ENUM (hostgroup, group)
>>>>>>> --desc=STR description of this auto membership rule
>>>>>>> --inclusive-regex=LIST Inclusive Regex
>>>>>>> --exclusive-regex=LIST Exclusive Regex
>>>>>>>
>>>>>>> automember-add-condition Add conditions to automember rule
>>>>>>> --inclusive-regex=LIST Inclusive Regex
>>>>>>> --exclusive-regex=LIST Exclusive Regex
>>>>>>>
>>>>>>> automember-del Delete an automember rule
>>>>>>>
>>>>>>> automember-find Search for automember rules
>>>>>>> --type=ENUM (hostgroup, group)
>>>>>>>
>>>>>>> automember-mod Modify an automember rule.
>>>>>>
>>>>>> automember-default-group Set a default group for auto membership
>>>>>> --group/hostgroup=STR
>>>>>>
>>>>>>>
>>>>>>> automember-remove-condition Remove conditions from an automember rule
>>>>>>> --inclusive-regex=LIST Inclusive Regex
>>>>>>> --exclusive-regex=LIST Exclusive Regex
>>>>>>>
>>>>>>> automember-show Display an automember rule
>>>>>
>>>>> New Patch attached.
>>>>>
>>>>> I believe I have addressed the issues highlighted in the thread.
>>>>>
>>>>
>>>> Hello JR,
>>>>
>>>> Thanks for the patch, the new approach with automember as a separate
>>>> plugin is much better and more extensible. I reviewed it and have some
>>>> feedback:
>>>>
>>>> 1) I see that autoMemberScope in automember plugin configuration is set
>>>> to $SUFFIX. Why don't we use
>>>> cn=hostgroups,cn=accounts,dc=idm,dc=lab,dc=bos,dc=redhat,dc=com and
>>>> cn=hostgroups,cn=accounts,dc=idm,dc=lab,dc=bos,dc=redhat,dc=com. IMO
>>>> this would improve performance
>>>
>>> I believe the scope defines where to find automatic members, so it
>>> should point to cn=computers,cn=$SUFFIX.
>>
>> autoMemberScope needs to point to the lowest common denominator where the plugin will detect the insertion of new ldap objects that match the rules:
>> (http://directory.fedoraproject.org/wiki/Auto_Membership_Design#Example_Configuration_Entries)
>>
>> With that in mind, it seems that we need to point it to cn=accounts,$SUFFIX
>
> In that case we can point autoMemberScope to values
> cn=hostgroups,cn=accounts,$SUFFIX and cn=groups,cn=accounts,$SUFFIX
> since it is configured per member type.
>
>>
>>>
>>>>
>>>> 2) Plugin is not configured correctly on a replica:
>>>> nsslapd-pluginConfigArea in cn=Auto Membership
>>>> Plugin,cn=plugins,cn=config is not created. Since cn=config is not
>>>> replicated, it needs to be updated also on a replica. Plus, "Applying
>>>> LDAP updates" got stuck in my case for some reason.
>>
>> I will be correcting this with Rob's suggestion in irc of moving the operation into __common_setup
>
> That should do the trick. We just need to make sure that only records
> in cn=config are placed in __common_setup. cn=etc,$SUFFIX is replicated
> and thus shouldn't be filled on a replica setup.
>
>>
>>>>
>>>> 3) I cannot use --inclusive-regex in ipa automember-add even though it
>>>> is stated in help that I can
>>>>
>>>> # ipa automember-add --type=hostgroup --inclusive-regex=^web[1-9]\.example\.com tgroup
>>>> Usage: ipa [global-options] automember-add AUTOMEMBER-RULE [options]
>>>>
>>>> ipa: error: no such option: --inclusive-regex
>>>
>>> I had him remove this. No other command lets you add an entry and
>>> members at the same time.
>>
>> I will be removing reference to this in the help/doc. Thank you for catching it.
>>
>>>
>>>>
>>>> 4) Error message when removing a condition is not clear:
>>>> # ipa automember-show --type=hostgroup tgroup
>>>> Automember Rule: tgroup
>>>> Inclusive Regex: fqdn=^web[1-9].example.com, fqdn=^www[1-9].example.com
>>>> Exclusive Regex: fqdn=^www5.example.com
>>>>
>>>> Can we detect this situation and change it to something like "Condition
>>>> not found"?
>>
>> It appears as though this situation is trickier than just 'condition not found'.
>>
>> Since we can provide a list of both inclusive and exclusive regex, and any one of the provided entries could be /not found/ it looks as though I will need to replicate the functionality of 'failed' similar to how they are treated when removing a list of users/hosts from a group/hostgroup where some of the members are non-existent.
>>
>> It looks like I need to return a failed list, but it is not currently clear how to accomplish that in an LDAPUpdate pre/post_callback, as those are really only looking for the return of a 'dn'
>>
>>>>
>>>> 5) Having a rule with just an exclusive rule does not make sense - can
>>>> we handle it?
>>>> # ipa automember-show --type=hostgroup tgroup
>>>> Automember Rule: tgroup
>>>> Inclusive Regex: fqdn=^web[1-9].example.com, fqdn=^www[1-9].example.com
>>>> Exclusive Regex: fqdn=^www5.example.com
>>>> # ipa automember-remove-condition --type=hostgroup tgroup --inclusive-regex=^web[1-9]\.example\.com --inclusive-regex=^www[1-9]\.example\.com
>>>> --------------------------------
>>>> Removed condition(s) to "tgroup"
>>>> --------------------------------
>>>> Automember Rule: tgroup
>>>> Exclusive Regex: fqdn=^www5.example.com
>>
>> I am adding additional checks to verify that we don't create/leave a rule with a sole exclusive regex.
>>
>>>> 6) Command names for automember default group seem inconsistent:
>>>> automember-add-default-group Set default group for all unmatched entries.
>>>> automember-default-group-show Display information about the default automember groups.
>>>> automember-remove-default-group Remove default group for all unmatched entries.
>>>>
>>>> If we would follow the same pattern, "automember-default-group-show"
>>>> should be automember-show-default-group
>>>
>>> I think it should be automember-default-group-*. Since there is only one
>>> default for something I think it should be set instead of add.
>>
>> I agree with Rob:
>> ipa automember-default-group-set
>> ipa automember-default-group-remove
>> ipa automember-default-group-show
>>
>>>
>>>> 7) Parameters of the automember default group seem inconsistent too:
>>>> a) --desc parameter present in automember-add-default-group and
>>>> automember-remove-default-group should not be here
>>>> b) Grouping Type of the automember type is passed as an argument in
>>>> automember-remove-default-group and automember-default-group-show
>>>> instead of --type=STR as in all other commands
>>
>> This is deliberate.
>>
>> The framework has a mandatory requirement of at least 1 argument.
>>
>> Since these 3 operations require us to operate on parent objects, it does not make sense to force it to provide a 'rule' as the modification does not take place on any 1 rule, but rather the container which they are a part of.
>> I am open to suggestions...
>
> I know, but I still think it's worth it even if we would have to bend the
> framework a bit (like we do for example in pwpolicy plugin - arg is not
> mandatory here). My point is that having the TYPE passed a completely
> different way than we do in the rest of the plugin will confuse users.

The only other way that I can think of would be to just break it out into its own command entirely. So that it can just use the cn and forgo the type all together.

>
>>
>>>>
>>>> 8) automember.py: In
>>>> automember_add_condition/automember_remove_condition I see 2 almost
>>>> identical branches of code - a lot of redundancy. Couldn't we
>>>> consolidate them, for example to one "for attr in (INCLUDE_RE,
>>>> EXCLUDE_RE):" construct?
>>
>> I will see what I can do to accommodate this. It is likely that there will need to be several pivot points to provide the logic required to prevent the addition of an exclusive regex without an inclusive one present. Likewise with the deletion of the last inclusive regex when there is at least 1 exclusive regex present.
>>
>>>>
>>>> 9) test_automember_plugin.py: the test class should be named
>>>> test_automember, not test_user
>>
>> Ah. Thanks!
>>
>>>>
>>>> Martin
>>>>
>>>
>>> I'm also wondering about hardcoding a key. Is there a reason we can't
>>> ask the regex writer to simply include this themselves?
>>
>> I am fairly opposed to removing 'default' attrs which the rules are applied to... I am happy to provide a means to override them.
>>
>> While it may be second nature for all of us to know that there is an fqdn attribute, etc, our consumers are likely not going to intrinsically know our schema. We also deliberately mask the real attribute names in the framework. (fqdn = Host name)
>>
>> Providing a default feels like a happy medium which allows for ease of use and somewhat of a safety belt against users defining an incorrect attribute name.
>>
>> It also might get somewhat tiring to constantly provide --key=fqdn every time you add a hostname regex?
>>>
>>
>> Stand by for a follow up patch later today after I figure out how to better account for the failed manipulation of conditions.
>>
>
> Standing by :-)
> Martin
>

I made all of the small adjustments and then nearly literally stared frustrated at the code for 6 hours today.

I see no way of accomplishing the feat of replicating the ldapmodmember treatment of failed attributes, without overriding LDAPUpdate's exec

LDAPUpdate is simply looking to return entrys_attrs as the result, and only a dn for the callbacks... I can't set or send anything back to track the faileds in a callback.

You can see it's been bothering me, as it is midnight my time and I'm thinking about it still. :/

From mkosek at redhat.com Tue Aug 2 08:09:12 2011
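The condition handling the thread circles around, as an added stand-alone example that is not FreeIPA's automember plugin code: regex validation via re, an exclusive regex only being accepted when an inclusive one exists or is added in the same call, refusal to remove the last inclusive regex while exclusive ones remain, the default fqdn key with a per-condition override, and a 'failed' list of conditions that were not found, in the style of group-remove-member. The in-memory AutomemberRule class, the "attr=" override convention, the placeholder default key for plain groups and the match semantics in matches() are assumptions, not the plugin's or 389's own behaviour.

```python
import re

# Attribute names used in the thread; values are stored as "key=pattern".
INCLUDE_RE = 'automemberinclusiveregex'
EXCLUDE_RE = 'automemberexclusiveregex'

# Assumed default key per rule type: the thread discusses fqdn for host
# groups; the value for plain groups is a placeholder, not a FreeIPA default.
DEFAULT_KEY = {'hostgroup': 'fqdn', 'group': 'uid'}

# Assumed convention for overriding the key: a leading "attr=" on the regex.
KEY_PREFIX = re.compile(r'^([A-Za-z][\w-]*)=(.*)$', re.S)


class AutomemberError(ValueError):
    """Raised for a bogus regex or for a change that breaks the rule invariant."""


class AutomemberRule:
    """Hypothetical in-memory stand-in for one automember rule entry."""

    def __init__(self, name, rule_type, key=None):
        if rule_type not in DEFAULT_KEY:
            raise AutomemberError('unknown automember type %r' % rule_type)
        self.name = name
        self.rule_type = rule_type
        self.key = key or DEFAULT_KEY[rule_type]
        self.attrs = {INCLUDE_RE: [], EXCLUDE_RE: []}

    def _condition(self, regex):
        """Validate a user-supplied regex and normalise it to "key=pattern"."""
        match = KEY_PREFIX.match(regex)
        if match:
            key, pattern = match.group(1), match.group(2)
        else:
            key, pattern = self.key, regex
        try:
            re.compile(pattern)
        except re.error as err:
            raise AutomemberError('invalid regex %r: %s' % (pattern, err))
        return '%s=%s' % (key, pattern)

    def add_condition(self, inclusive=(), exclusive=()):
        """Add conditions; an exclusive regex needs an existing or simultaneous inclusive one."""
        new = {INCLUDE_RE: [self._condition(r) for r in inclusive],
               EXCLUDE_RE: [self._condition(r) for r in exclusive]}
        if new[EXCLUDE_RE] and not (self.attrs[INCLUDE_RE] or new[INCLUDE_RE]):
            raise AutomemberError('rule %r needs at least one inclusive regex '
                                  'before an exclusive regex can be added' % self.name)
        # One loop over both attributes instead of two near-identical branches.
        for attr in (INCLUDE_RE, EXCLUDE_RE):
            for cond in new[attr]:
                if cond not in self.attrs[attr]:
                    self.attrs[attr].append(cond)
        return self.attrs

    def remove_condition(self, inclusive=(), exclusive=()):
        """Remove conditions; return the ones not found, like a failed member list."""
        wanted = {INCLUDE_RE: inclusive, EXCLUDE_RE: exclusive}
        failed = {INCLUDE_RE: [], EXCLUDE_RE: []}
        remaining = {}
        for attr in (INCLUDE_RE, EXCLUDE_RE):
            keep = list(self.attrs[attr])
            for regex in wanted[attr]:
                cond = self._condition(regex)
                if cond in keep:
                    keep.remove(cond)
                else:
                    failed[attr].append(regex)
            remaining[attr] = keep
        # Never leave a rule with only exclusive regexes; nothing is changed if so.
        if remaining[EXCLUDE_RE] and not remaining[INCLUDE_RE]:
            raise AutomemberError('cannot remove the last inclusive regex of %r '
                                  'while exclusive regexes remain' % self.name)
        self.attrs = remaining
        return failed

    def matches(self, entry):
        """Assumed semantics: at least one inclusive hit and no exclusive hit."""
        def hit(attr):
            for cond in self.attrs[attr]:
                key, pattern = cond.split('=', 1)
                value = entry.get(key)
                if value is not None and re.search(pattern, value):
                    return True
            return False
        return hit(INCLUDE_RE) and not hit(EXCLUDE_RE)


if __name__ == '__main__':
    # Constructed sample mirroring the tgroup rule shown in the review.
    rule = AutomemberRule('tgroup', 'hostgroup')
    rule.add_condition(inclusive=[r'^web[1-9]\.example\.com', r'^www[1-9]\.example\.com'],
                       exclusive=[r'^www5\.example\.com'])
    failed = rule.remove_condition(inclusive=[r'^web[1-9]\.example\.com', r'^db\.example\.com'])
    print('Removed condition(s) from %r' % rule.name)
    print('Failed:', failed)  # the ^db regex was never part of the rule
    print('Rule now:', rule.attrs)
```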
From: mkosek at redhat.com (Martin Kosek) Date: Tue, 02 Aug 2011 10:09:12 +0200 Subject: [Freeipa-devel] [PATCH] 34 Create FreeIPA CLI Plugin for the 389 Auto Membership plugin In-Reply-To: <1A470DD5-2478-4E16-8459-9814996787EE@citrix.com> References: <99CC5FCC-73CE-43C1-9B73-4DDD69A4637D@citrixonline.com> <1310730613.32137.22.camel@dhcp-25-52.brq.redhat.com> <4E2054E3.5060306@redhat.com> <84A3F669-CCF3-4C6C-9525-5BD4A71E6E1E@citrixonline.com> <4E26F657.8030901@redhat.com> <3D1116E1-B782-4F43-B6DA-08E8FCFC34A1@citrixonline.com> <4E279A3C.5040900@redhat.com> <328D74A5-F560-4DC6-8E5F-413AFDCCAABC@citrixonline.com> <1311246577.17378.28.camel@dhcp-25-52.brq.redhat.com> <4E28384A.708@redhat.com> <0BF013EE-B1ED-4953-94ED-F3BA825CFE78@citrixonline.com> <60FB2C65-DFB4-41B4-A51F-78FE89BB1A1E@citrixonline.com> <1312202461.2484.4.camel@dhcp-25-52.brq.redhat.com> <4E36A27F.4020908@redhat.com> <1312266529.2457.7.camel@dhcp-25-52.brq.redhat.com> <1A470DD5-2478-4E16-8459-9814996787EE@citrix.com> Message-ID: <1312272556.2457.24.camel@dhcp-25-52.brq.redhat.com> On Tue, 2011-08-02 at 07:25 +0000, JR Aquino wrote: > On Aug 1, 2011, at 11:28 PM, "Martin Kosek" wrote: > > > On Mon, 2011-08-01 at 19:11 +0000, JR Aquino wrote: > >> On Aug 1, 2011, at 5:56 AM, Rob Crittenden wrote: > >> > >>> Martin Kosek wrote: > >>>> On Sat, 2011-07-30 at 00:54 +0000, JR Aquino wrote: > >>>>> On Jul 21, 2011, at 8:53 AM, JR Aquino wrote: > >>>>> > >>>>>> On Jul 21, 2011, at 7:31 AM, Rob Crittenden wrote: > >>>>>> > >>>>>>> Martin Kosek wrote: > >>>>>>>> On Thu, 2011-07-21 at 03:37 +0000, JR Aquino wrote: > >>>>>>>>>>> Rob, I'm afraid I believe that ldap lookup is necessary. The user inputs a standard string to represent the possible host group? If i simply perform a get_dn it will indeed provide a dn, however, it won't verify that the host group actually exists? 
(you don't want to create an assignment rule for a non existent target host group) > >>>>>>>>>>> > >>>>>>>>>>> > >>>>>>>>>>> Martin, (except for the name Clarity), I have addressed your observations in this latest patch. Could you please have a look and let me know if there is anything else I need to take care of? > >>>>>>>>>>> > >>>>>>>> > >>>>>>>> Great, preparing the command parameters in pre_callback is much cleaner. > >>>>>>>> > >>>>>>>>>> > >>>>>>>>>> Good point about the LDAP lookup. > >>>>>>>>>> > >>>>>>>>>> This looks a lot better but there are still a few issues: > >>>>>>>>>> > >>>>>>>>>> If group_dn is in the object then you can use self.obj.handle_not_found(*keys) for the NotFound. > >>>>>>>>> > >>>>>>>>> Ok, I will give that a shot! > >>>>>>>>> > >>>>>>>>>> > >>>>>>>>>> Or if it can't be moved, in the calls to group_dn() you can use the ldap handle passed into pre_callback. > >>>>>>>>>> > >>>>>>>>>> I guess you are using the includetype tuple to avoid coding long variable names everywhere? Would a symbol be better, eg: > >>>>>>>>>> > >>>>>>>>>> INCLUDE_RE = 'automemberinclusiveregex' > >>>>>>>>>> EXCLUDE_RE = 'automemberexclusiveregex' > >>>>>>>>> > >>>>>>>>> That works, I'll swap em. > >>>>>>>> > >>>>>>>> I agree with Rob here, this will make the code better. > >>>>>>>> > >>>>>>>>> > >>>>>>>>>> Is there a way to validate the regex? > >>>>>>>>> > >>>>>>>>> Now that you mention it, I believe if I import re, we should be able to validate the initial regex and raise an exception if it is bogus. > >>>>>>>>> > >>>>>>>>>> If we were to add an equivalent user group handler would it be the same code in add_condition and remove_condition? It is sort of nice to have everything together at the moment, I suspect it will need to be generalized at some point. > >>>>>>>>> > >>>>>>>>> Well. For the groups, I was thinking it starts to get a little different. 
> >>>>>>>>> I would still reuse the condition, but I believe I would pivot users into groups based upon something like their manager?
> >>>>>>>>>
> >>>>>>>>>> Adding a clarity with no rules won't let you add rules:
> >>>>>>>>>>
> >>>>>>>>>> # ipa hostgroup-add --desc=hg1 hg1
> >>>>>>>>>> # ipa hostgroupclarity-add hg1
> >>>>>>>>>> # ipa hostgroupclarity-add-condition --exclusive-hostname-regex=^web5\.example\.com hg1
> >>>>>>>>>> ipa: ERROR: no modifications to be performed
> >>>>>>>>>
> >>>>>>>>> This ^ is deliberate, you cannot add an exclusion rule if there is no existing or simultaneous inclusive rule. :) Martin asked for that, and I think it's wise.
> >>>>>>>>
> >>>>>>>> Yes, it is wise :-) But the error message is really not clear to the
> >>>>>>>> user. We should tell him that there must be at least one inclusive rule.
> >>>>>>>>
> >>>>>>>> I wonder if we shouldn't force user to create a hostgroupclarity object
> >>>>>>>> with at least one inclusive rule and then make sure that in all
> >>>>>>>> operations at least one inclusive rule stays here. Or we could delete
> >>>>>>>> the empty LDAP object after the last inclusive rule is removed, as we do
> >>>>>>>> with DNS record LDAP objects in dnsrecord-del.
> >>>>>>>>
> >>>>>>>>>> The way you explained clarity today in IRC, how it brings clarity to managing membership with names no human can grok, I got it. Still, clarity is a bit awkward as a name. automember might be a better choice.
> >>>>>>>>>
> >>>>>>>>> Fair enough ;) I tried, perhaps I can /allude/ to it in the help / docs. automember it is.
> >>>>>>>>>
> >>>>>>>>> One final class I have been struggling with that I want to add?
> >>>>>>>>>
> >>>>>>>>> The object and attribute which defines the 'default group' is the parent of the actual rules? i.e. cn=hostgroup,cn=automember,cn=etc?
> >>>>>>>>>
> >>>>>>>>> The ipa cli seems to only want to let me make mods that assume I am specifying a target object on the cli?
> >>>>>>>>> "ipa hostgroupautomember-default-group=foo"<- in this scenario, we don't actually want or need a rule name because it's the container above? I have had success making the writes, but the cli syntax just doesn't lend itself to that level of abstraction?
> >>>>>>>>>
> >>>>>>>>> Any suggestions?
> >>>>>>>>>
> >>>>>>>>>
> >>>>>>>>
> >>>>>>>> I think the best shot would be to create a new command and overload the
> >>>>>>>> execute method in that case. Like in hbacrule_enable. You would be able
> >>>>>>>> to set dn correctly here and do the update. Does it make sense? Rob?
> >>>>>>>>
> >>>>>>>> Martin
> >>>>>>>>
> >>>>>>>
> >>>>>>> I agree. We are better off abstracting things now so we can get the API right.
> >>>>>>>
> >>>>>>> I think we can stick more or less with the command names, just in a new plugin and some new arguments.
> >>>>>>>
> >>>>>>> I see the plugin with the following methods:
> >>>>>>>
> >>>>>>> Each takes a single argument, the name of the rule. I don't think I'd stick type into the DN so you wouldn't be able to use the same rule name for different object types. If we want to allow that then we'd need to add --type to a lot more commands.
> >>>>>>>
> >>>>>>> There is no mod to change types, you have to delete and re-add.
> >>>>>>>
> >>>>>>> automember-add Add an automember rule
> >>>>>>> --type=ENUM (hostgroup, group)
> >>>>>>> --desc=STR description of this auto membership rule
> >>>>>>> --inclusive-regex=LIST Inclusive Regex
> >>>>>>> --exclusive-regex=LIST Exclusive Regex
> >>>>>>>
> >>>>>>> automember-add-condition Add conditions to automember rule
> >>>>>>> --inclusive-regex=LIST Inclusive Regex
> >>>>>>> --exclusive-regex=LIST Exclusive Regex
> >>>>>>>
> >>>>>>> automember-del Delete an automember rule
> >>>>>>>
> >>>>>>> automember-find Search for automember rules
> >>>>>>> --type=ENUM (hostgroup, group)
> >>>>>>>
> >>>>>>> automember-mod Modify an automember rule.
> >>>>>>
> >>>>>> automember-default-group Set a default group for auto membership
> >>>>>> --group/hostgroup=STR
> >>>>>>
> >>>>>>>
> >>>>>>> automember-remove-condition Remove conditions from an automember rule
> >>>>>>> --inclusive-regex=LIST Inclusive Regex
> >>>>>>> --exclusive-regex=LIST Exclusive Regex
> >>>>>>>
> >>>>>>> automember-show Display an automember rule
> >>>>>
> >>>>> New Patch attached.
> >>>>>
> >>>>> I believe I have addressed the issues highlighted in the thread.
> >>>>>
> >>>>
> >>>> Hello JR,
> >>>>
> >>>> Thanks for the patch, the new approach with automember as a separate
> >>>> plugin is much better and more extensible. I reviewed it and have some
> >>>> feedback:
> >>>>
> >>>> 1) I see that autoMemberScope in automember plugin configuration is set
> >>>> to $SUFFIX. Why don't we use
> >>>> cn=hostgroups,cn=accounts,dc=idm,dc=lab,dc=bos,dc=redhat,dc=com and
> >>>> cn=hostgroups,cn=accounts,dc=idm,dc=lab,dc=bos,dc=redhat,dc=com. IMO
> >>>> this would improve performance
> >>>
> >>> I believe the scope defines where to find automatic members, so it
> >>> should point to cn=computerss,cn=$SUFFIX.
> >>
> >> autoMemberScope needs to point to the lowest common denominator where the plugin will detect the insertion of new ldap objects that match the rules:
> >> (http://directory.fedoraproject.org/wiki/Auto_Membership_Design#Example_Configuration_Entries)
> >>
> >> With that in mind, it seems that we need to point it to cn=accounts,$SUFFIX
> >
> > In that case we can point autoMemberScope to values
> > cn=hostgroups,cn=accounts,$SUFFIX and cn=groups,cn=accounts,$SUFFIX
> > since it is configured per member type.
> >
> >>
> >>>
> >>>>
> >>>> 2) Plugin is not configured correctly on a replica:
> >>>> nsslapd-pluginConfigArea in cn=Auto Membership
> >>>> Plugin,cn=plugins,cn=config is not created. Since cn=config is not
> >>>> replicated, it needs to be updated also on a replica.
> >>>> Plus, "Applying
> >>>> LDAP updates" got stuck in my case for some reason.
> >>
> >> I will be correcting this with Rob's suggestion in irc of moving the operation into __common_setup
> >
> > That should do the trick. We just need to make sure that only records
> > in cn=config are placed to __common_setup. cn=etc,$SUFFIX is replicated
> > and thus shouldn't be filled on a replica setup.
> >
> >>
> >>>>
> >>>> 3) I cannot use --inclusive-regex in ipa automember-add even though it
> >>>> is stated in help that I can
> >>>>
> >>>> # ipa automember-add --type=hostgroup --inclusive-regex=^web[1-9]\.example\.com tgroup
> >>>> Usage: ipa [global-options] automember-add AUTOMEMBER-RULE [options]
> >>>>
> >>>> ipa: error: no such option: --inclusive-regex
> >>>
> >>> I had him remove this. No other command lets you add an entry and
> >>> members at the same time.
> >>
> >> I will be removing reference to this in the help/doc. Thank you for catching it.
> >>
> >>>
> >>>>
> >>>> 4) Error message when removing a condition is not clear:
> >>>> # ipa automember-show --type=hostgroup tgroup
> >>>> Automember Rule: tgroup
> >>>> Inclusive Regex: fqdn=^web[1-9].example.com, fqdn=^www[1-9].example.com
> >>>> Exclusive Regex: fqdn=^www5.example.com
> >>>>
> >>>> Can we detect this situation and change it to something like "Condition
> >>>> not found"?
> >>
> >> It appears as though this situation is trickier than just 'condition not found'.
> >>
> >> Since we can provide a list of both inclusive and exclusive regex, and any one of the provided entries could be /not found/ it looks as though I will need to replicate the functionality of 'failed' similar to how they are treated when removing a list of users/hosts from a group/hostgroup where some of the members are non-existent.
> >>
> >> It looks like I need to return a failed list, but it is not currently clear how to accomplish that in an LDAPUpdate pre/post_callback, as those are really only looking for the return of a 'dn'
> >>
> >>>>
> >>>> 5) Having a rule with just an exclusive rule does not make sense - can
> >>>> we handle it?
> >>>> # ipa automember-show --type=hostgroup tgroup
> >>>> Automember Rule: tgroup
> >>>> Inclusive Regex: fqdn=^web[1-9].example.com, fqdn=^www[1-9].example.com
> >>>> Exclusive Regex: fqdn=^www5.example.com
> >>>> # ipa automember-remove-condition --type=hostgroup tgroup --inclusive-regex=^web[1-9]\.example\.com --inclusive-regex=^www[1-9]\.example\.com
> >>>> --------------------------------
> >>>> Removed condition(s) to "tgroup"
> >>>> --------------------------------
> >>>> Automember Rule: tgroup
> >>>> Exclusive Regex: fqdn=^www5.example.com
> >>
> >> I am adding additional checks to verify that we don't create/leave a rule with a sole exclusive regex.
> >>
> >>>> 6) Command names for automember default group seem inconsistent:
> >>>> automember-add-default-group Set default group for all unmatched entries.
> >>>> automember-default-group-show Display information about the default automember groups.
> >>>> automember-remove-default-group Remove default group for all unmatched entries.
> >>>>
> >>>> If we would follow the same pattern, "automember-default-group-show"
> >>>> should be automember-show-default-group
> >>>
> >>> I think it should be automember-default-group-*. Since there is only one
> >>> default for something I think it should be set instead of add.
> >>
> >> I agree with Rob:
> >> ipa automember-default-group-set
> >> ipa automember-default-group-remove
> >> ipa automember-default-group-show
> >>
> >>>
> >>>> 7) Parameters of the automember default group seem inconsistent too:
> >>>> a) --desc parameter present in automember-add-default-group and
> >>>> automember-remove-default-group should not be here
> >>>> b) Grouping Type of the automember type is passed as an argument in
> >>>> automember-remove-default-group and automember-default-group-show
> >>>> instead of --type=STR as in all other commands
> >>
> >> This is deliberate.
> >>
> >> The framework has a mandatory requirement of at least 1 argument.
> >>
> >> Since these 3 operations require us to operate on parent objects, it does not make sense to force it to provide a 'rule' as the modification does not take place on any 1 rule, but rather the container which they are a part of.
> >> I am open to suggestions...
> >
> > I know, but I still think it's worth it even if we would have to bend the
> > framework a bit (like we do for example in pwpolicy plugin - arg is not
> > mandatory here). My point is that having the TYPE passed a completely
> > different way than we do in a rest of the plugin will confuse users.
>
> The only other way that I can think of would be to just break it out into its own command entirely. So that it can just use the cn and forgo the type all together.

Here is another idea - what if we make the TYPE to be the argument for all
3 automember-default-group-* operations and let user pass default group by
"--group" option? At least they will be consistent between each other. My
proposal:

automember-default-group-set TYPE --group=STR
automember-default-group-show TYPE
automember-default-group-remove TYPE

Would that make sense?

>
> >
> >>
> >>>>
> >>>> 8) automember.py: In
> >>>> automember_add_condition/automember_remove_condition I see 2 almost
> >>>> identical branches of code - a lot of redundancy.
> >>>> Couldn't we
> >>>> consolidate them, for example to one "for attr in (INCLUDE_RE,
> >>>> EXCLUDE_RE):" construct?
> >>
> >> I will see what I can do to accommodate this. It is likely that there will need to be several pivot points to provide the logic required to prevent the addition of an exclusive regex without an inclusive one present. Likewise with the deletion of the last inclusive regex when there is at least 1 exclusive regex present.
> >>
> >>>>
> >>>> 9) test_automember_plugin.py: the test class should be named
> >>>> test_automember, not test_user
> >>
> >> Ah. Thanks!
> >>
> >>>>
> >>>> Martin
> >>>>
> >>>
> >>> I'm also wondering about hardcoding a key. Is there a reason we can't
> >>> ask the regex writer to simply include this themselves?
> >>
> >> I am fairly opposed to removing 'default' attrs which the rules are applied to... I am happy to provide a means to override them.
> >>
> >> While it may be second nature for all of us to know that there is an fqdn attribute, etc, our consumers are likely not going to intrinsically know our schema. We also deliberately mask the real attribute names in the framework. (fqdn = Host name)
> >>
> >> Providing a default feels like a happy medium which allows for ease of use and somewhat of a safety belt against users defining an incorrect attribute name.
> >>
> >> It also might get somewhat tiring to constantly provide --key=fqdn every time you add a hostname regex?
> >>>
> >>
> >> Stand by for a follow up patch later today after I figure out how to better account for the failed manipulation of conditions.
> >>
> >
> > Standing by :-)
> > Martin
> >
>
> I made all of the small adjustments and then nearly literally stared frustrated at the code for 6 hours today.
>
> I see no way of accomplishing the feat of replicating the ldapmodmember treatment of failed attributes, without overriding LDAPUpdate's exec
>
> LDAPUpdate is simply looking to return entrys_attrs as the result, and only a dn for the callbacks...
> I can't set or send anything back to track the faileds in a callback.
>
> You can see it's been bothering me, as it is midnight my time and I'm thinking about it still. :/

I see. A good night's sleep always helps to get some perspective, at least
for me.

I won't press on this point too much, it is not that critical. I would
agree with pushing your patch without it when the other issues are
resolved. It could be implemented later, as an improvement. Right now, the
most important thing is that we get the API + basic behavior right.

Martin

From mkosek at redhat.com Tue Aug 2 11:49:50 2011
From: mkosek at redhat.com (Martin Kosek)
Date: Tue, 02 Aug 2011 13:49:50 +0200
Subject: [Freeipa-devel] [PATCH] 843 reduce dogtag install time
In-Reply-To: <4E36FC4C.4030506@redhat.com>
References: <4E36FC4C.4030506@redhat.com>
Message-ID: <1312285796.2457.27.camel@dhcp-25-52.brq.redhat.com>

On Mon, 2011-08-01 at 15:19 -0400, Rob Crittenden wrote:
> Ade Lee from the dogtag team looked at our installer and found that we
> restarted the pki-cad process too many times. Re-arranging some code
> allows us to restart it just once. The new config time for dogtag is 3
> 1/2 minutes, down from about 5 1/2.
>
> Ade is working on improvements in pki-silent as well which can bring the
> overall install time to 90 seconds. If we can get a change in SELinux
> policy we're looking at 60 seconds.
>
> This patch just contains the reworked installer part. Once an updated
> dogtag is released we can update the spec file to pull it in.
>
> rob

This worked fine for standard dogtag installation + CA on a replica, but
it failed with external CA:

/var/log/ipaserver-install.log:
...
admin/console/config/backupkeycertpanel.vm checked
Failed to create pkcs12 file.
19 Export Keys and Certificates
....
2011-08-02 07:45:38,276 CRITICAL failed to configure ca instance Command '/usr/bin/perl /usr/bin/pkisilent ConfigureCA -cs_hostname vm-059.idm.lab.bos.redhat.com -cs_port 9445 -client_certdb_dir /tmp/tmp-GS6wzH -client_certdb_pwd 'XXXXXXXX' -preop_pin BbkK9wJ7vD9UEzL4kBcO -domain_name IPA -admin_user admin -admin_email root at localhost -admin_password 'XXXXXXXX' -agent_name ipa-ca-agent -agent_key_size 2048 -agent_key_type rsa -agent_cert_subject "CN=ipa-ca-agent,O=IDM.LAB.BOS.REDHAT.COM" -ldap_host vm-059.idm.lab.bos.redhat.com -ldap_port 7389 -bind_dn "cn=Directory Manager" -bind_password 'XXXXXXXX' -base_dn o=ipaca -db_name ipaca -key_size 2048 -key_type rsa -key_algorithm SHA256withRSA -save_p12 true -backup_pwd 'XXXXXXXX' -subsystem_name pki-cad -token_name internal -ca_subsystem_cert_subject_name "CN=CA Subsystem,O=IDM.LAB.BOS.REDHAT.COM" -ca_ocsp_cert_subject_name "CN=OCSP Subsystem,O=IDM.LAB.BOS.REDHAT.COM" -ca_server_cert_subject_name "CN=vm-059.idm.lab.bos.redhat.com,O=IDM.LAB.BOS.REDHAT.COM" -ca_audit_signing_cert_subject_name "CN=CA Audit,O=IDM.LAB.BOS.REDHAT.COM" -ca_sign_cert_subject_name "CN=Certificate Authority,O=IDM.LAB.BOS.REDHAT.COM" -external true -ext_ca_cert_file /home/mkosek/cadb_f15/external-ca.crt -ext_ca_cert_chain_file /home/mkosek/cadb_f15/ipa.crt -clone false' returned non-zero exit status 255
2011-08-02 07:45:38,302 DEBUG Configuration of CA failed
...

Martin

From abokovoy at redhat.com Tue Aug 2 12:27:43 2011
From: abokovoy at redhat.com (Alexander Bokovoy)
Date: Tue, 02 Aug 2011 15:27:43 +0300
Subject: [Freeipa-devel] [PATCH] 0009 Use cli_name if possible to return errors via exceptions in Param
In-Reply-To: <4E36BBC2.3010506@redhat.com>
References: <4E36B9F3.4090707@redhat.com> <4E36BBC2.3010506@redhat.com>
Message-ID: <4E37ED3F.5070306@redhat.com>

On 01.08.2011 17:44, Rob Crittenden wrote:
> Alexander Bokovoy wrote:
>> Hi,
>>
>> as result of discussion on Param and environment/context, here is patch
>> to fix
>> https://fedorahosted.org/freeipa/ticket/1549
>> https://fedorahosted.org/freeipa/ticket/1550
>>
>> CLI and Web UI work.
>
> nack.
>
> When using ipalib outside of the cli the wrong attribute is in the error
> message. See the test program in
> https://fedorahosted.org/freeipa/attachment/ticket/187
>
> In this sample the error when context='cli' should be 'desc' otherwise
> it should be 'description'. With your patch it is always 'desc'.

Following yesterday's discussion on IRC with Rob, I further investigated
the issue and came up with the following fix (attached).

The patch extends the arguments supported by the Param class to accept an
environment and set it, if it is not None, before locking down the class.

It further extends the create_param() helper function to re-create params
from a passed spec if the provided environment is not None.

Command and Object now use create_param() to inject their environment
into specified arguments, parameters, and options.

There might be more cases where using create_param(spec, env=self.env)
would be needed, as I have found that, for example, running

ipa user-add

and not passing first name (--first) would give you

$ ./ipa user-add
First name:
ipa: ERROR: 'givenname' is required

while the actual error should be

ipa: ERROR: 'first' is required

This is solved by the attached patch by introducing a create_param() call
into Object, while the fixes in Command will give you protection for
client-side commands as well.
If the approach is fine, I can find and fix other places.

--
/ Alexander Bokovoy
-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: params-env-1.patch
URL:

From rcritten at redhat.com Tue Aug 2 12:55:09 2011
From: rcritten at redhat.com (Rob Crittenden)
Date: Tue, 02 Aug 2011 08:55:09 -0400
Subject: [Freeipa-devel] [PATCH] 34 Create FreeIPA CLI Plugin for the 389 Auto Membership plugin
In-Reply-To:
References: <99CC5FCC-73CE-43C1-9B73-4DDD69A4637D@citrixonline.com> <1310730613.32137.22.camel@dhcp-25-52.brq.redhat.com> <4E2054E3.5060306@redhat.com> <84A3F669-CCF3-4C6C-9525-5BD4A71E6E1E@citrixonline.com> <4E26F657.8030901@redhat.com> <3D1116E1-B782-4F43-B6DA-08E8FCFC34A1@citrixonline.com> <4E279A3C.5040900@redhat.com> <328D74A5-F560-4DC6-8E5F-413AFDCCAABC@citrixonline.com> <1311246577.17378.28.camel@dhcp-25-52.brq.redhat.com> <4E28384A.708@redhat.com> <0BF013EE-B1ED-4953-94ED-F3BA825CFE78@citrixonline.com> <60FB2C65-DFB4-41B4-A51F-78FE89BB1A1E@citrixonline.com> <1312202461.2484.4.camel@dhcp-25-52.brq.redhat.com> <4E36A27F.4020908@redhat.com>
Message-ID: <4E37F3AD.1030801@redhat.com>

JR Aquino wrote:
> On Aug 1, 2011, at 5:56 AM, Rob Crittenden wrote:
>
>> Martin Kosek wrote:
>>> On Sat, 2011-07-30 at 00:54 +0000, JR Aquino wrote:
>>>> On Jul 21, 2011, at 8:53 AM, JR Aquino wrote:
>>>>
>>>>> On Jul 21, 2011, at 7:31 AM, Rob Crittenden wrote:
>>>>>
>>>>>> Martin Kosek wrote:
>>>>>>> On Thu, 2011-07-21 at 03:37 +0000, JR Aquino wrote:
>>>>>>>>>> Rob, I'm afraid I believe that ldap lookup is necessary. The user inputs a standard string to represent the possible host group? If I simply perform a get_dn it will indeed provide a dn, however, it won't verify that the host group actually exists? (you don't want to create an assignment rule for a non-existent target host group)
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>> Martin, (except for the name Clarity), I have addressed your observations in this latest patch. Could you please have a look and let me know if there is anything else I need to take care of?
>>>>>>>>>>
>>>>>>>
>>>>>>> Great, preparing the command parameters in pre_callback is much cleaner.
>>>>>>>
>>>>>>>>>
>>>>>>>>> Good point about the LDAP lookup.
>>>>>>>>>
>>>>>>>>> This looks a lot better but there are still a few issues:
>>>>>>>>>
>>>>>>>>> If group_dn is in the object then you can use self.obj.handle_not_found(*keys) for the NotFound.
>>>>>>>>
>>>>>>>> Ok, I will give that a shot!
>>>>>>>>
>>>>>>>>>
>>>>>>>>> Or if it can't be moved, in the calls to group_dn() you can use the ldap handle passed into pre_callback.
>>>>>>>>>
>>>>>>>>> I guess you are using the includetype tuple to avoid coding long variable names everywhere? Would a symbol be better, eg:
>>>>>>>>>
>>>>>>>>> INCLUDE_RE = 'automemberinclusiveregex'
>>>>>>>>> EXCLUDE_RE = 'automemberexclusiveregex'
>>>>>>>>
>>>>>>>> That works, I'll swap em.
>>>>>>>
>>>>>>> I agree with Rob here, this will make the code better.
>>>>>>>
>>>>>>>>
>>>>>>>>> Is there a way to validate the regex?
>>>>>>>>
>>>>>>>> Now that you mention it, I believe if I import re, we should be able to validate the initial regex and raise an exception if it is bogus.
>>>>>>>>
>>>>>>>>> If we were to add an equivalent user group handler would it be the same code in add_condition and remove_condition? It is sort of nice to have everything together at the moment, I suspect it will need to be generalized at some point.
>>>>>>>>
>>>>>>>> Well. For the groups, I was thinking it starts to get a little different. I would still reuse the condition, but I believe I would pivot users into groups based upon something like their manager?
>>>>>>>>
>>>>>>>>> Adding a clarity with no rules won't let you add rules:
>>>>>>>>>
>>>>>>>>> # ipa hostgroup-add --desc=hg1 hg1
>>>>>>>>> # ipa hostgroupclarity-add hg1
>>>>>>>>> # ipa hostgroupclarity-add-condition --exclusive-hostname-regex=^web5\.example\.com hg1
>>>>>>>>> ipa: ERROR: no modifications to be performed
>>>>>>>>
>>>>>>>> This ^ is deliberate, you cannot add an exclusion rule if there is no existing or simultaneous inclusive rule. :) Martin asked for that, and I think it's wise.
>>>>>>>
>>>>>>> Yes, it is wise :-) But the error message is really not clear to the
>>>>>>> user. We should tell him that there must be at least one inclusive rule.
>>>>>>>
>>>>>>> I wonder if we shouldn't force user to create a hostgroupclarity object
>>>>>>> with at least one inclusive rule and then make sure that in all
>>>>>>> operations at least one inclusive rule stays here. Or we could delete
>>>>>>> the empty LDAP object after the last inclusive rule is removed, as we do
>>>>>>> with DNS record LDAP objects in dnsrecord-del.
>>>>>>>
>>>>>>>>> The way you explained clarity today in IRC, how it brings clarity to managing membership with names no human can grok, I got it. Still, clarity is a bit awkward as a name. automember might be a better choice.
>>>>>>>>
>>>>>>>> Fair enough ;) I tried, perhaps I can /allude/ to it in the help / docs. automember it is.
>>>>>>>>
>>>>>>>> One final class I have been struggling with that I want to add?
>>>>>>>>
>>>>>>>> The object and attribute which defines the 'default group' is the parent of the actual rules? i.e. cn=hostgroup,cn=automember,cn=etc?
>>>>>>>>
>>>>>>>> The ipa cli seems to only want to let me make mods that assume I am specifying a target object on the cli? "ipa hostgroupautomember-default-group=foo"<- in this scenario, we don't actually want or need a rule name because it's the container above? I have had success making the writes, but the cli syntax just doesn't lend itself to that level of abstraction?
>>>>>>>>
>>>>>>>> Any suggestions?
>>>>>>>>
>>>>>>>>
>>>>>>>
>>>>>>> I think the best shot would be to create a new command and overload the
>>>>>>> execute method in that case. Like in hbacrule_enable. You would be able
>>>>>>> to set dn correctly here and do the update. Does it make sense? Rob?
>>>>>>>
>>>>>>> Martin
>>>>>>>
>>>>>>
>>>>>> I agree. We are better off abstracting things now so we can get the API right.
>>>>>>
>>>>>> I think we can stick more or less with the command names, just in a new plugin and some new arguments.
>>>>>>
>>>>>> I see the plugin with the following methods:
>>>>>>
>>>>>> Each takes a single argument, the name of the rule. I don't think I'd stick type into the DN so you wouldn't be able to use the same rule name for different object types. If we want to allow that then we'd need to add --type to a lot more commands.
>>>>>>
>>>>>> There is no mod to change types, you have to delete and re-add.
>>>>>>
>>>>>> automember-add Add an automember rule
>>>>>> --type=ENUM (hostgroup, group)
>>>>>> --desc=STR description of this auto membership rule
>>>>>> --inclusive-regex=LIST Inclusive Regex
>>>>>> --exclusive-regex=LIST Exclusive Regex
>>>>>>
>>>>>> automember-add-condition Add conditions to automember rule
>>>>>> --inclusive-regex=LIST Inclusive Regex
>>>>>> --exclusive-regex=LIST Exclusive Regex
>>>>>>
>>>>>> automember-del Delete an automember rule
>>>>>>
>>>>>> automember-find Search for automember rules
>>>>>> --type=ENUM (hostgroup, group)
>>>>>>
>>>>>> automember-mod Modify an automember rule.
>>>>>
>>>>> automember-default-group Set a default group for auto membership
>>>>> --group/hostgroup=STR
>>>>>
>>>>>>
>>>>>> automember-remove-condition Remove conditions from an automember rule
>>>>>> --inclusive-regex=LIST Inclusive Regex
>>>>>> --exclusive-regex=LIST Exclusive Regex
>>>>>>
>>>>>> automember-show Display an automember rule
>>>>
>>>> New Patch attached.
>>>>
>>>> I believe I have addressed the issues highlighted in the thread.
>>>>
>>>
>>> Hello JR,
>>>
>>> Thanks for the patch, the new approach with automember as a separate
>>> plugin is much better and more extensible. I reviewed it and have some
>>> feedback:
>>>
>>> 1) I see that autoMemberScope in automember plugin configuration is set
>>> to $SUFFIX.
>>> Why don't we use
>>> cn=hostgroups,cn=accounts,dc=idm,dc=lab,dc=bos,dc=redhat,dc=com and
>>> cn=hostgroups,cn=accounts,dc=idm,dc=lab,dc=bos,dc=redhat,dc=com. IMO
>>> this would improve performance
>>
>> I believe the scope defines where to find automatic members, so it
>> should point to cn=computerss,cn=$SUFFIX.
>
> autoMemberScope needs to point to the lowest common denominator where the plugin will detect the insertion of new ldap objects that match the rules:
> (http://directory.fedoraproject.org/wiki/Auto_Membership_Design#Example_Configuration_Entries)
>
> With that in mind, it seems that we need to point it to cn=accounts,$SUFFIX
>
>>
>>>
>>> 2) Plugin is not configured correctly on a replica:
>>> nsslapd-pluginConfigArea in cn=Auto Membership
>>> Plugin,cn=plugins,cn=config is not created. Since cn=config is not
>>> replicated, it needs to be updated also on a replica. Plus, "Applying
>>> LDAP updates" got stuck in my case for some reason.
>
> I will be correcting this with Rob's suggestion in irc of moving the operation into __common_setup
>
>>>
>>> 3) I cannot use --inclusive-regex in ipa automember-add even though it
>>> is stated in help that I can
>>>
>>> # ipa automember-add --type=hostgroup --inclusive-regex=^web[1-9]\.example\.com tgroup
>>> Usage: ipa [global-options] automember-add AUTOMEMBER-RULE [options]
>>>
>>> ipa: error: no such option: --inclusive-regex
>>
>> I had him remove this. No other command lets you add an entry and
>> members at the same time.
>
> I will be removing reference to this in the help/doc. Thank you for catching it.
>
>>
>>>
>>> 4) Error message when removing a condition is not clear:
>>> # ipa automember-show --type=hostgroup tgroup
>>> Automember Rule: tgroup
>>> Inclusive Regex: fqdn=^web[1-9].example.com, fqdn=^www[1-9].example.com
>>> Exclusive Regex: fqdn=^www5.example.com
>>>
>>> Can we detect this situation and change it to something like "Condition
>>> not found"?
>
> It appears as though this situation is trickier than just 'condition not found'.
>
> Since we can provide a list of both inclusive and exclusive regex, and any one of the provided entries could be /not found/ it looks as though I will need to replicate the functionality of 'failed' similar to how they are treated when removing a list of users/hosts from a group/hostgroup where some of the members are non-existent.
>
> It looks like I need to return a failed list, but it is not currently clear how to accomplish that in an LDAPUpdate pre/post_callback, as those are really only looking for the return of a 'dn'
>
>>>
>>> 5) Having a rule with just an exclusive rule does not make sense - can
>>> we handle it?
>>> # ipa automember-show --type=hostgroup tgroup
>>> Automember Rule: tgroup
>>> Inclusive Regex: fqdn=^web[1-9].example.com, fqdn=^www[1-9].example.com
>>> Exclusive Regex: fqdn=^www5.example.com
>>> # ipa automember-remove-condition --type=hostgroup tgroup --inclusive-regex=^web[1-9]\.example\.com --inclusive-regex=^www[1-9]\.example\.com
>>> --------------------------------
>>> Removed condition(s) to "tgroup"
>>> --------------------------------
>>> Automember Rule: tgroup
>>> Exclusive Regex: fqdn=^www5.example.com
>
> I am adding additional checks to verify that we don't create/leave a rule with a sole exclusive regex.
>
>>> 6) Command names for automember default group seem inconsistent:
>>> automember-add-default-group Set default group for all unmatched entries.
>>> automember-default-group-show Display information about the default automember groups.
>>> automember-remove-default-group Remove default group for all unmatched entries.
>>>
>>> If we would follow the same pattern, "automember-default-group-show"
>>> should be automember-show-default-group
>>
>> I think it should be automember-default-group-*. Since there is only one
>> default for something I think it should be set instead of add.
>
> I agree with Rob:
> ipa automember-default-group-set
> ipa automember-default-group-remove
> ipa automember-default-group-show
>
>>
>>> 7) Parameters of the automember default group seem inconsistent too:
>>> a) --desc parameter present in automember-add-default-group and
>>> automember-remove-default-group should not be here
>>> b) Grouping Type of the automember type is passed as an argument in
>>> automember-remove-default-group and automember-default-group-show
>>> instead of --type=STR as in all other commands
>
> This is deliberate.
>
> The framework has a mandatory requirement of at least 1 argument.
>
> Since these 3 operations require us to operate on parent objects, it does not make sense to force it to provide a 'rule' as the modification does not take place on any 1 rule, but rather the container which they are a part of.
> I am open to suggestions...
>
>>>
>>> 8) automember.py: In
>>> automember_add_condition/automember_remove_condition I see 2 almost
>>> identical branches of code - a lot of redundancy. Couldn't we
>>> consolidate them, for example to one "for attr in (INCLUDE_RE,
>>> EXCLUDE_RE):" construct?
>
> I will see what I can do to accommodate this. It is likely that there will need to be several pivot points to provide the logic required to prevent the addition of an exclusive regex without an inclusive one present. Likewise with the deletion of the last inclusive regex when there is at least 1 exclusive regex present.
>
>>>
>>> 9) test_automember_plugin.py: the test class should be named
>>> test_automember, not test_user
>
> Ah. Thanks!
>
>>>
>>> Martin
>>>
>>
>> I'm also wondering about hardcoding a key. Is there a reason we can't
>> ask the regex writer to simply include this themselves?
>
> I am fairly opposed to removing 'default' attrs which the rules are applied to... I am happy to provide a means to override them.
> > While it may be second nature for all of us to know that there is an fqdn attribute, etc, our consumers are likely not going to intrinsically know our schema. We also deliberately mask the real attribute names in the framework. (fqdn = Host name) > > Providing a default feels like a happy medium which allows for ease of use and somewhat of a safety belt against users defining an incorrect attribute name. > > It also might get somewhat tiring to constantly provide --key=fqdn every time you add a hostname regex? Ok, but when you display rules fqdn is displayed. How are users to know they shouldn't include fqdn= when removing existing rules? >> > > Stand by for a follow up patch later today after I figure out how to better account for the failed manipulation of conditions. > From abokovoy at redhat.com Tue Aug 2 14:51:49 2011 
From: abokovoy at redhat.com (Alexander Bokovoy) Date: Tue, 02 Aug 2011 17:51:49 +0300 Subject: [Freeipa-devel] [PATCH] 0009 Use cli_name if possible to return errors via exceptions in Param In-Reply-To: <4E37ED3F.5070306@redhat.com> References: <4E36B9F3.4090707@redhat.com> <4E36BBC2.3010506@redhat.com> <4E37ED3F.5070306@redhat.com> Message-ID: <4E380F05.4030700@redhat.com> On 02.08.2011 15:27, Alexander Bokovoy wrote: > Following yesterday's discussion on IRC with Rob, I further investigated > the issue and came up with the following fix (attached). > > The patch extends arguments supported by Param class to accept > environment and set it if it is not None before locking down the class. > > It further extends create_param() helper function to re-create params > from a passed spec if provided environment is not None. > > Command and Object now use create_param() to inject their environment > into specified arguments, parameters, and options. > > There might be more cases where using create_param(spec, > env=self.env) would be needed as I have found that, for example, running > > ipa user-add > > and not passing first name (--first) would give you > > $ ./ipa user-add > First name: > ipa: ERROR: 'givenname' is required > > while actual error should be > > ipa: ERROR: 'first' is required > > This is solved by the attached patch by introducing create_param() call > into Object while fixes in Command will give you protection for > client-side commands as well. > > If the approach is fine, I can find and fix other places. Self NACK. The problem is that it is pushing env into API and that complicates the situation dramatically as unless you ignore Env in _repr() you are getting different API.txt every time makeapi script is run even though there are no real changes in API. I'm going to look deeper into how to avoid that in 2.1.1 but it looks like original two-line patch which injects Env violating ReadOnly promises is working (unit tests pass) and less invasive. 
Sort of necessary evil... -- / Alexander Bokovoy From mkosek at redhat.com Tue Aug 2 16:01:03 2011 From: mkosek at redhat.com (Martin Kosek) Date: Tue, 02 Aug 2011 18:01:03 +0200 Subject: [Freeipa-devel] [PATCH] 104 Hide continue option from automountkey-del Message-ID: <1312300865.2457.29.camel@dhcp-25-52.brq.redhat.com> I tested this with WebUI and old client (still with --continue option) and both worked fine. --- This option makes no sense for automount keys. This should be removed in future versions. https://fedorahosted.org/freeipa/ticket/1529 -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-mkosek-104-hide-continue-option-from-automountkey-del.patch Type: text/x-patch Size: 2406 bytes Desc: not available URL: From edewata at redhat.com Tue Aug 2 16:13:07 2011 From: edewata at redhat.com (Endi Sukma Dewata) Date: Tue, 02 Aug 2011 11:13:07 -0500 Subject: [Freeipa-devel] [PATCH] 231 Fixed certificate buttons. Message-ID: <4E382213.2050701@redhat.com> The certificate buttons including Get, View, Revoke, Restore for hosts and services have been fixed to use the correct entity name. Ticket #1556 -- Endi S. Dewata -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-edewata-0231-Fixed-certificate-buttons.patch Type: text/x-patch Size: 3756 bytes Desc: not available URL: From rcritten at redhat.com Tue Aug 2 17:26:54 2011 
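The locking problem from Alexander's "environment in Param(s)" and patch 0009 messages above, reduced to a runnable model. This is an added illustration, not ipalib code: ReadOnly, Env and Param below are small stand-ins named after the thread's classes, 'cli' is an assumed context value, and Param.error_name() is a hypothetical helper that shows why the context decides between the 'givenname' and 'first' error text.

```python
class ReadOnly(object):
    """Lock-on-demand object (a small model of the pattern, not ipalib's
    own ReadOnly). After __lock__() ordinary attribute assignment and
    deletion raise AttributeError."""
    __locked = False

    def __lock__(self):
        self.__locked = True

    def __islocked__(self):
        return self.__locked

    def __setattr__(self, name, value):
        if self.__locked:
            raise AttributeError('%s.%s is read-only'
                                 % (self.__class__.__name__, name))
        object.__setattr__(self, name, value)

    def __delattr__(self, name):
        if self.__locked:
            raise AttributeError('%s.%s is read-only'
                                 % (self.__class__.__name__, name))
        object.__delattr__(self, name)


class Env(object):
    """Stand-in for the framework environment; only .context is modelled."""
    def __init__(self, context):
        self.context = context


class Param(ReadOnly):
    """A parameter that is locked at the end of __init__, as in the thread.
    The optional env keyword is the 'inject before locking' approach."""
    def __init__(self, name, cli_name=None, env=None):
        self.name = name
        self.cli_name = cli_name or name
        if env is not None:
            self.env = env          # still unlocked here, so this is allowed
        self.__lock__()

    def error_name(self):
        """Name to report in errors: the CLI name when we know we are in
        the (assumed) 'cli' context, the LDAP-side name otherwise."""
        env = getattr(self, 'env', None)
        if env is not None and env.context == 'cli':
            return self.cli_name
        return self.name


def set_env_normally(param, env):
    """The honest route. Returns False because the object is locked."""
    try:
        param.env = env
    except AttributeError:
        return False
    return True


def set_env_by_force(param, env):
    """The two-line workaround from the thread. object.__setattr__ never
    calls ReadOnly.__setattr__, so the lock is a convention, not a
    guarantee: any code holding a reference can do this."""
    object.__setattr__(param, 'env', env)
    return param


if __name__ == '__main__':
    p = Param('givenname', cli_name='first')
    print(p.error_name(), set_env_normally(p, Env('cli')))
    print(set_env_by_force(p, Env('cli')).error_name())
    print(Param('givenname', cli_name='first', env=Env('cli')).error_name())
```

set_env_by_force() works only because ReadOnly intercepts the normal assignment path; passing env into the constructor keeps the object genuinely unchanged after __lock__(), which is what the constructor-argument variant buys at the cost of the API.txt churn Alexander describes.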
From: rcritten at redhat.com (Rob Crittenden) Date: Tue, 02 Aug 2011 13:26:54 -0400 Subject: [Freeipa-devel] [PATCH] 34 Create FreeIPA CLI Plugin for the 389 Auto Membership plugin In-Reply-To: <1A470DD5-2478-4E16-8459-9814996787EE@citrix.com> References: <99CC5FCC-73CE-43C1-9B73-4DDD69A4637D@citrixonline.com> <1310730613.32137.22.camel@dhcp-25-52.brq.redhat.com> <4E2054E3.5060306@redhat.com> <84A3F669-CCF3-4C6C-9525-5BD4A71E6E1E@citrixonline.com> <4E26F657.8030901@redhat.com> <3D1116E1-B782-4F43-B6DA-08E8FCFC34A1@citrixonline.com> <4E279A3C.5040900@redhat.com> <328D74A5-F560-4DC6-8E5F-413AFDCCAABC@citrixonline.com> <1311246577.17378.28.camel@dhcp-25-52.brq.redhat.com> <4E28384A.708@redhat.com> <0BF013EE-B1ED-4953-94ED-F3BA825CFE78@citrixonline.com> <60FB2C65-DFB4-41B4-A51F-78FE89BB1A1E@citrixonline.com> <1312202461.2484.4.camel@dhcp-25-52.brq.redhat.com> <4E36A27F.4020908@redhat.com> <1312266529.2457.7.camel@dhcp-25-52.brq.redhat.com> <1A470DD5-2478-4E16-8459-9814996787EE@citrix.com> Message-ID: <4E38335E.9020409@redhat.com> JR Aquino wrote: > On Aug 1, 2011, at 11:28 PM, "Martin Kosek" wrote: > > I made all of the small adjustments and then nearly literally stared frustrated at the code for 6 hours today. > > I see no way of accomplishing the feat of replicating the ldapmodmember treatment of failed attributes, without overriding LDAPUpdate's exec > > LDAPUpdate is simply looking to return entrys_attrs as the result, and only a dn for the callbacks... I can't set or send anything back to track the faileds in a callback. > > You can see it's been bothering me, as it is midnight my time and I'm thinking about it still. :/ Overriding execute is ok, we just didn't like duplicating all the code. 
If you want to override the return value do something like:

from ipalib import output, _
from ipalib.plugins.baseldap import LDAPUpdate

class my_function(LDAPUpdate):
    has_output = (
        output.Entry('result'),
        output.Output('failed', type=dict,
            doc=_('Members that could not be added'),
        ),
        # every key that execute() returns below has to be declared here
        output.Output('value', unicode, doc=_('Name of the rule')),
    )

    def execute(self, *keys, **options):
        failed = dict(inclusive=[], exclusive=[])
        # calculate failed
        # make options consist of the values you want updated
        result = super(my_function, self).execute(*keys, **options)
        # LDAPUpdate.execute() returns dict(result=entry_attrs, ...); hand back the entry
        return dict(result=result['result'], failed=failed, value=keys[-1])

You may have to tweak failed so it looks ok on Output. The add/remove member methods in baseldap.py may provide some additional guidance. rob From JR.Aquino at citrix.com Tue Aug 2 18:28:24 2011 
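Rob's execute() sketch above and the condition-handling points raised earlier in this thread (never create or leave a rule with only an exclusive regex, report conditions that were not found in a 'failed' list instead of aborting, validate the regex, and prefix a default key so users can pass the value exactly as automember-show prints it), put together as one runnable model. This is an added example, not code from the automember patch or from ipalib: the rule is a plain dict rather than an LDAP entry, DEFAULT_KEY = 'fqdn' is an assumption about the default attribute, and ConditionError stands in for whichever ipalib error the real command would raise.

```python
import re

# Attribute names on the rule entry, using the constant names proposed in
# the review; the rule is modelled as a dict so this runs without 389-ds.
INCLUDE_RE = 'automemberinclusiveregex'
EXCLUDE_RE = 'automemberexclusiveregex'
# Assumed default attribute a condition applies to when the user gives none.
DEFAULT_KEY = 'fqdn'

# A leading "attr=" (LDAP attribute-name syntax) is an explicit key; any
# other input is treated as a bare regex and gets the default key.
_KEYED = re.compile(r'^([A-Za-z][A-Za-z0-9-]*)=(.*)$', re.S)


class ConditionError(ValueError):
    """Input that is not a regex or would leave the rule in an invalid state."""


def normalize_condition(cond, default_key=DEFAULT_KEY):
    """Return the stored form 'key=regex'.

    '^www5\\.example\\.com' and 'fqdn=^www5\\.example\\.com' map to the same
    value, so removal works with the value automember-show displays.
    A regex that does not compile is rejected before it reaches the store.
    """
    m = _KEYED.match(cond)
    key, regex = (m.group(1), m.group(2)) if m else (default_key, cond)
    if not regex:
        raise ConditionError('empty regex in %r' % cond)
    try:
        re.compile(regex)
    except re.error as e:
        raise ConditionError('invalid regex %r: %s' % (regex, e))
    return '%s=%s' % (key, regex)


def _normalize_both(inclusive, exclusive):
    return ([normalize_condition(c) for c in inclusive],
            [normalize_condition(c) for c in exclusive])


def add_condition(rule, inclusive=(), exclusive=()):
    """Add conditions; refuse to produce a rule that only excludes."""
    inc, exc = _normalize_both(inclusive, exclusive)
    if exc and not (rule.get(INCLUDE_RE) or inc):
        raise ConditionError('an exclusive regex needs at least one '
                             'inclusive regex in the rule')
    failed = {'inclusive': [], 'exclusive': []}
    # One loop over both attributes, as suggested in the review.
    for attr, label, values in ((INCLUDE_RE, 'inclusive', inc),
                                (EXCLUDE_RE, 'exclusive', exc)):
        current = rule.setdefault(attr, [])
        for value in values:
            if value in current:
                failed[label].append(value)   # duplicate: report, do not abort
            else:
                current.append(value)
    return {'result': rule, 'failed': failed, 'value': rule['cn']}


def remove_condition(rule, inclusive=(), exclusive=()):
    """Remove conditions; refuse to leave only exclusive regexes behind.

    Conditions not present on the rule are reported under 'failed' rather
    than turning the whole request into an error.
    """
    inc, exc = _normalize_both(inclusive, exclusive)
    left_inc = [c for c in rule.get(INCLUDE_RE, []) if c not in inc]
    left_exc = [c for c in rule.get(EXCLUDE_RE, []) if c not in exc]
    if left_exc and not left_inc:
        raise ConditionError('cannot remove the last inclusive regex while '
                             'exclusive regexes remain')
    failed = {'inclusive': [], 'exclusive': []}
    for attr, label, values in ((INCLUDE_RE, 'inclusive', inc),
                                (EXCLUDE_RE, 'exclusive', exc)):
        current = rule.get(attr, [])
        for value in values:
            if value in current:
                current.remove(value)
            else:
                failed[label].append(value)
    return {'result': rule, 'failed': failed, 'value': rule['cn']}


if __name__ == '__main__':
    # Constructed sample mirroring the tgroup rule shown in the thread.
    rule = {'cn': 'tgroup'}
    add_condition(rule, inclusive=[r'^web[1-9]\.example\.com',
                                   r'fqdn=^www[1-9]\.example\.com'],
                  exclusive=[r'^www5\.example\.com'])
    print(rule)
    print(remove_condition(rule, inclusive=[r'^web[1-9]\.example\.com',
                                            r'^nosuch\.example\.com'])['failed'])
```

The invariant is checked against what the rule would look like after the change, not against the request alone, so removing every inclusive regex in one call is refused while removing inclusive and exclusive regexes together is allowed; the returned dict has the result/failed/value shape of Rob's sketch.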
From: JR.Aquino at citrix.com (JR Aquino) Date: Tue, 2 Aug 2011 18:28:24 +0000 Subject: [Freeipa-devel] [PATCH] 34 Create FreeIPA CLI Plugin for the 389 Auto Membership plugin In-Reply-To: <1312272556.2457.24.camel@dhcp-25-52.brq.redhat.com> References: <99CC5FCC-73CE-43C1-9B73-4DDD69A4637D@citrixonline.com> <1310730613.32137.22.camel@dhcp-25-52.brq.redhat.com> <4E2054E3.5060306@redhat.com> <84A3F669-CCF3-4C6C-9525-5BD4A71E6E1E@citrixonline.com> <4E26F657.8030901@redhat.com> <3D1116E1-B782-4F43-B6DA-08E8FCFC34A1@citrixonline.com> <4E279A3C.5040900@redhat.com> <328D74A5-F560-4DC6-8E5F-413AFDCCAABC@citrixonline.com> <1311246577.17378.28.camel@dhcp-25-52.brq.redhat.com> <4E28384A.708@redhat.com> <0BF013EE-B1ED-4953-94ED-F3BA825CFE78@citrixonline.com> <60FB2C65-DFB4-41B4-A51F-78FE89BB1A1E@citrixonline.com> <1312202461.2484.4.camel@dhcp-25-52.brq.redhat.com> <4E36A27F.4020908@redhat.com> <1312266529.2457.7.camel@dhcp-25-52.brq.redhat.com> <1A470DD5-2478-4E16-8459-9814996787EE@citrix.com> <1312272556.2457.24.camel@dhcp-25-52.brq.redhat.com> Message-ID: On Aug 2, 2011, at 1:09 AM, Martin Kosek wrote: > On Tue, 2011-08-02 at 07:25 +0000, JR Aquino wrote: >> On Aug 1, 2011, at 11:28 PM, "Martin Kosek" wrote: >> >>> On Mon, 2011-08-01 at 19:11 +0000, JR Aquino wrote: >>>> On Aug 1, 2011, at 5:56 AM, Rob Crittenden wrote: >>>> >>>>> Martin Kosek wrote: >>>>>> On Sat, 2011-07-30 at 00:54 +0000, JR Aquino wrote: >>>>>>> On Jul 21, 2011, at 8:53 AM, JR Aquino wrote: >>>>>>> >>>>>>>> On Jul 21, 2011, at 7:31 AM, Rob Crittenden wrote: >>>>>>>> >>>>>>>>> Martin Kosek wrote: >>>>>>>>>> On Thu, 2011-07-21 at 03:37 +0000, JR Aquino wrote: >>>>>>>>>>>>> Rob, I'm afraid I believe that ldap lookup is necessary. The user inputs a standard string to represent the possible host group? If i simply perform a get_dn it will indeed provide a dn, however, it won't verify that the host group actually exists? 
(you don't want to create an assignment rule for a non existent target host group) >>>>>>>>>>>>> >>>>>>>>>>>>> >>>>>>>>>>>>> Martin, (except for the name Clarity), I have addressed your observations in this latest patch. Could you please have a look and let me know if there is anything else I need to take care of? >>>>>>>>>>>>> >>>>>>>>>> >>>>>>>>>> Great, preparing the command parameters in pre_callback is much cleaner. >>>>>>>>>> >>>>>>>>>>>> >>>>>>>>>>>> Good point about the LDAP lookup. >>>>>>>>>>>> >>>>>>>>>>>> This looks a lot better but there are still a few issues: >>>>>>>>>>>> >>>>>>>>>>>> If group_dn is in the object then you can use self.obj.handle_not_found(*keys) for the NotFound. >>>>>>>>>>> >>>>>>>>>>> Ok, I will give that a shot! >>>>>>>>>>> >>>>>>>>>>>> >>>>>>>>>>>> Or if it can't be moved, in the calls to group_dn() you can use the ldap handle passed into pre_callback. >>>>>>>>>>>> >>>>>>>>>>>> I guess you are using the includetype tuple to avoid coding long variable names everywhere? Would a symbol be better, eg: >>>>>>>>>>>> >>>>>>>>>>>> INCLUDE_RE = 'automemberinclusiveregex' >>>>>>>>>>>> EXCLUDE_RE = 'automemberexclusiveregex' >>>>>>>>>>> >>>>>>>>>>> That works, I'll swap em. >>>>>>>>>> >>>>>>>>>> I agree with Rob here, this will make the code better. >>>>>>>>>> >>>>>>>>>>> >>>>>>>>>>>> Is there a way to validate the regex? >>>>>>>>>>> >>>>>>>>>>> Now that you mention it, I believe if I import re, we should be able to validate the initial regex and raise an exception if it is bogus. >>>>>>>>>>> >>>>>>>>>>>> If we were to add an equivalent user group handler would it be the same code in add_condition and remove_condition? It is sort of nice to have everything together at the moment, I suspect it will need to be generalized at some point. >>>>>>>>>>> >>>>>>>>>>> Well. For the groups, I was thinking it starts to get a little different. 
I would still reuse the condition, but I believe I would pivot users into groups based upon something like their manager? >>>>>>>>>>> >>>>>>>>>>>> Adding a clarity with no rules won't let you add rules: >>>>>>>>>>>> >>>>>>>>>>>> # ipa hostgroup-add --desc=hg1 hg1 >>>>>>>>>>>> # ipa hostgroupclarity-add hg1 >>>>>>>>>>>> # ipa hostgroupclarity-add-condition --exclusive-hostname-regex=^web5\.example\.com hg1 >>>>>>>>>>>> ipa: ERROR: no modifications to be performed >>>>>>>>>>> >>>>>>>>>>> This ^ is deliberate, you cannot add an exclusion rule if there is no existing or simultaneous inclusive rule. :) Martin asked for that, and I think it's wise. >>>>>>>>>> >>>>>>>>>> Yes, it is wise :-) But the error message is really not clear to the >>>>>>>>>> user. We should tell him that there must be at least one inclusive rule. >>>>>>>>>> >>>>>>>>>> I wonder if we shouldn't force the user to create a hostgroupclarity object >>>>>>>>>> with at least one inclusive rule and then make sure that in all >>>>>>>>>> operations at least one inclusive rule stays here. Or we could delete >>>>>>>>>> the empty LDAP object after the last inclusive rule is removed, as we do >>>>>>>>>> with DNS record LDAP objects in dnsrecord-del. >>>>>>>>>> >>>>>>>>>>>> The way you explained clarity today in IRC, how it brings clarity to managing membership with names no human can grok, I got it. Still, clarity is a bit awkward as a name. automember might be a better choice. >>>>>>>>>>> >>>>>>>>>>> Fair enough ;) I tried, perhaps I can /allude/ to it in the help / docs. automember it is. >>>>>>>>>>> >>>>>>>>>>> One final class I have been struggling with that I want to add? >>>>>>>>>>> >>>>>>>>>>> The object and attribute which defines the 'default group' is the parent of the actual rules? i.e. cn=hostgroup,cn=automember,cn=etc? >>>>>>>>>>> >>>>>>>>>>> The ipa cli seems to only want to let me make mods that assume I am specifying a target object on the cli? 
"ipa hostgroupautomember-default-group=foo"<- in this scenario, we don't actually want or need a rule name because its the container above? I have had success making the writes, but the cli syntax just doesn't lend itself to that level of abstraction? >>>>>>>>>>> >>>>>>>>>>> Any suggestions? >>>>>>>>>>> >>>>>>>>>>> >>>>>>>>>> >>>>>>>>>> I think the best shot would be to create a new command and overload the >>>>>>>>>> execute method in that case. Like in hbacrule_enable. You would be able >>>>>>>>>> to set dn correctly here and do the update. Does it makes sense? Rob? >>>>>>>>>> >>>>>>>>>> Martin >>>>>>>>>> >>>>>>>>> >>>>>>>>> I agree. We are better off abstracting things now so we can get the API right. >>>>>>>>> >>>>>>>>> I think we can stick more or less with the command names, just in a new plugin and some new arguments. >>>>>>>>> >>>>>>>>> I see the plugin with the following methods: >>>>>>>>> >>>>>>>>> Each takes a single argument, the name of the rule. I don't think I'd stick type into the DN so you wouldn't be able to use the same rule name for different object types. If we want to allow that then we'd need to add --type to a lot more commands. >>>>>>>>> >>>>>>>>> There is no mod to change types, you have to delete and re-add. >>>>>>>>> >>>>>>>>> automember-add Add an automember rule >>>>>>>>> --type=ENUM (hostgroup, group) >>>>>>>>> --desc=STR description of this auto membership rule >>>>>>>>> --inclusive-regex=LIST Inclusive Regex >>>>>>>>> --exclusive-regex=LIST Exclusive Regex >>>>>>>>> >>>>>>>>> automember-add-condition Add conditions to automember rule >>>>>>>>> --inclusive-regex=LIST Inclusive Regex >>>>>>>>> --exclusive-regex=LIST Exclusive Regex >>>>>>>>> >>>>>>>>> automember-del Delete an automember rule >>>>>>>>> >>>>>>>>> automember-find Search for automember rules >>>>>>>>> --type=ENUM (hostgroup, group) >>>>>>>>> >>>>>>>>> automember-mod Modify an automember rule. 
>>>>>>>> >>>>>>>> automember-default-group Set a default group for auto membership >>>>>>>> --group/hostgroup=STR >>>>>>>> >>>>>>>>> >>>>>>>>> automember-remove-condition Remove conditions from an automember rule >>>>>>>>> --inclusive-regex=LIST Inclusive Regex >>>>>>>>> --exclusive-regex=LIST Exclusive Regex >>>>>>>>> >>>>>>>>> automember-show Display an automember rule >>>>>>> >>>>>>> New Patch attached. >>>>>>> >>>>>>> I believe I have addressed the issues highlighted in the thread. >>>>>>> >>>>>> >>>>>> Hello JR, >>>>>> >>>>>> Thanks for the patch, the new approach with automember as a separate >>>>>> plugin is much better and more extensible. I reviewed it and have some >>>>>> feedback: >>>>>> >>>>>> 1) I see that autoMemberScope in automember plugin configuration is set >>>>>> to $SUFFIX. Why don't we use >>>>>> cn=hostgroups,cn=accounts,dc=idm,dc=lab,dc=bos,dc=redhat,dc=com and >>>>>> cn=hostgroups,cn=accounts,dc=idm,dc=lab,dc=bos,dc=redhat,dc=com. IMO >>>>>> this would improve performance >>>>> >>>>> I believe the scope defines where to find automatic members, so it >>>>> should point to cn=computers,cn=$SUFFIX. >>>> >>>> autoMemberScope needs to point to the lowest common denominator where the plugin will detect the insertion of new ldap objects that match the rules: >>>> (http://directory.fedoraproject.org/wiki/Auto_Membership_Design#Example_Configuration_Entries) >>>> >>>> With that in mind, it seems that we need to point it to cn=accounts,$SUFFIX >>> >>> In that case we can point autoMemberScope to values >>> cn=hostgroups,cn=accounts,$SUFFIX and cn=groups,cn=accounts,$SUFFIX >>> since it is configured per member type. >>> >>>> >>>>> >>>>>> >>>>>> 2) Plugin is not configured correctly on a replica: >>>>>> nsslapd-pluginConfigArea in cn=Auto Membership >>>>>> Plugin,cn=plugins,cn=config is not created. Since cn=config is not >>>>>> replicated, it needs to be updated also on a replica. 
Plus, "Applying >>>>>> LDAP updates" got stuck in my case for some reason. >>>> >>>> I will be correcting this with Rob's suggestion in irc of moving the operation into __common_setup >>> >>> That should do the trick. We just need to make sure that only records >>> in cn=config are placed to __common_setup. cn=etc,$SUFFIX is replicated >>> and thus shouldn't be filled on a replica setup. >>> >>>> >>>>>> >>>>>> 3) I cannot use --inclusive-regex in ipa automember-add even though it >>>>>> is stated in help that I can >>>>>> >>>>>> # ipa automember-add --type=hostgroup --inclusive-regex=^web[1-9]\.example\.com tgroup >>>>>> Usage: ipa [global-options] automember-add AUTOMEMBER-RULE [options] >>>>>> >>>>>> ipa: error: no such option: --inclusive-regex >>>>> >>>>> I had him remove this. No other command lets you add an entry and >>>>> members at the same time. >>>> >>>> I will be removing reference to this in the help/doc. Thank you for catching it. >>>> >>>>> >>>>>> >>>>>> 4) Error message when removing a condition is not clear: >>>>>> # ipa automember-show --type=hostgroup tgroup >>>>>> Automember Rule: tgroup >>>>>> Inclusive Regex: fqdn=^web[1-9].example.com, fqdn=^www[1-9].example.com >>>>>> Exclusive Regex: fqdn=^www5.example.com >>>>>> >>>>>> Can we detect this situation and change it to something like "Condition >>>>>> not found"? >>>> >>>> It appears as though this situation is trickier than just 'condition not found'. >>>> >>>> Since we can provide a list of both inclusive and exclusive regex, and any one of the provided entries could be /not found/ it looks as though I will need to replicate the functionality of 'failed' similar to how they are treated when removing a list of users/hosts from a group/hostgroup where some of the members are non-existent. 
>>>> >>>> It looks like I need to return a failed list, but it is not currently clear how to accomplish that in an LDAPUpdate pre/post_callback, as those are really only looking for the return of a 'dn' >>>> >>>>>> >>>>>> 5) Having a rule with just an exclusive rule does not make sense - can >>>>>> we handle it? >>>>>> # ipa automember-show --type=hostgroup tgroup >>>>>> Automember Rule: tgroup >>>>>> Inclusive Regex: fqdn=^web[1-9].example.com, fqdn=^www[1-9].example.com >>>>>> Exclusive Regex: fqdn=^www5.example.com >>>>>> # ipa automember-remove-condition --type=hostgroup tgroup --inclusive-regex=^web[1-9]\.example\.com --inclusive-regex=^www[1-9]\.example\.com >>>>>> -------------------------------- >>>>>> Removed condition(s) to "tgroup" >>>>>> -------------------------------- >>>>>> Automember Rule: tgroup >>>>>> Exclusive Regex: fqdn=^www5.example.com >>>> >>>> I am adding additional checks to verify that we don't create/leave a rule with a sole exclusive regex. >>>> >>>>>> 6) Command names for automember default group seem inconsistent: >>>>>> automember-add-default-group Set default group for all unmatched entries. >>>>>> automember-default-group-show Display information about the default automember groups. >>>>>> automember-remove-default-group Remove default group for all unmatched entries. >>>>>> >>>>>> If we would follow the same pattern, "automember-default-group-show" >>>>>> should be automember-show-default-group >>>>> >>>>> I think it should be automember-default-group-*. Since there is only one >>>>> default for something I think it should be set instead of add. 
>>>> >>>> I agree with Rob: >>>> ipa automember-default-group-set >>>> ipa automember-default-group-remove >>>> ipa automember-default-group-show >>>> >>>>> >>>>>> 7) Parameters of the automember default group seem inconsistent too: >>>>>> a) --desc parameter present in automember-add-default-group and >>>>>> automember-remove-default-group should not be here >>>>>> b) Grouping Type of the automember type is passed as an argument in >>>>>> automember-remove-default-group and automember-default-group-show >>>>>> instead of --type=STR as in all other commands >>>> >>>> This is deliberate. >>>> >>>> The framework has a mandatory requirement of at least 1 argument. >>>> >>>> Since these 3 operations require us to operate on parent objects, it does not make sense to force it to provide a 'rule' as the modification does not take place on any 1 rule, but rather the container which they are a part of. >>>> I am open to suggestions... >>> >>> I know, but I still think it's worth it even if we would have to bend the >>> framework a bit (like we do for example in pwpolicy plugin - arg is not >>> mandatory here). My point is that having the TYPE passed a completely >>> different way than we do in the rest of the plugin will confuse users. >> >> The only other way that I can think of would be to just break it out into its own command entirely. So that it can just use the cn and forgo the type altogether. > > Here is another idea - what if we make the TYPE to be the argument for > all 3 automember-default-group-* operations and let the user pass default > group by "--group" option? At least they will be consistent between each > other. > > My proposal: > automember-default-group-set TYPE --group=STR > automember-default-group-show TYPE > automember-default-group-remove TYPE > > Would that make sense? That seems sane. I will try that. 
> >> >>> >>>> >>>>>> >>>>>> 8) automember.py: In >>>>>> automember_add_condition/automember_remove_condition I see 2 almost >>>>>> identical branches of code - a lot of redundancy. Couldn't we >>>>>> consolidate them, for example to one "for attr in (INCLUDE_RE, >>>>>> EXCLUDE_RE):" construct? >>>> >>>> I will see what I can do to accommodate this. It is likely that there will need to be several pivot points to provide the logic required to prevent the addition of an exclusive regex without an inclusive one present. Likewise with the deletion of the last inclusive regex when there is at least 1 exclusive regex present. >>>> >>>>>> >>>>>> 9) test_automember_plugin.py: the test class should be named >>>>>> test_automember, not test_user >>>> >>>> Ah. Thanks! >>>> >>>>>> >>>>>> Martin >>>>>> >>>>> >>>>> I'm also wondering about hardcoding a key. Is there a reason we can't >>>>> ask the regex writer to simply include this themselves? >>>> >>>> I am fairly opposed to removing 'default' attrs which the rules are applied to... I am happy to provide a means to override them. >>>> >>>> While it may be second nature for all of us to know that there is an fqdn attribute, etc, our consumers are likely not going to intrinsically know our schema. We also deliberately mask the real attribute names in the framework. (fqdn = Host name) >>>> >>>> Providing a default feels like a happy medium which allows for ease of use and somewhat of a safety belt against users defining an incorrect attribute name. >>>> >>>> It also might get somewhat tiring to constantly provide --key=fqdn every time you add a hostname regex? >>>>> >>>> >>>> Stand by for a follow up patch later today after I figure out how to better account for the failed manipulation of conditions. >>>> >>> >>> Standing by :-) >>> Martin >>> >> >> I made all of the small adjustments and then nearly literally stared frustrated at the code for 6 hours today. 
>> >> I see no way of accomplishing the feat of replicating the ldapmodmember treatment of failed attributes, without overriding LDAPUpdate's exec >> >> LDAPUpdate is simply looking to return entrys_attrs as the result, and only a dn for the callbacks... I can't set or send anything back to track the faileds in a callback. >> >> You can see it's been bothering me, as it is midnight my time and I'm thinking about it still. :/ > > I see. A good night's sleep always helps to get some perspective, at > least for me. > > I won't press on this point too much, it is not that critical. I would > agree with pushing your patch without it when the other issues are > resolved. It could be implemented later, as an improvement. Right now, > the most important thing is that we get the API + basic behavior right. > > Martin > I don't want to proceed until we have this one right... It will be critical to make sure we have the handling of the regex attrs down correctly since there will be so many other areas with room for error, I'd like to ensure that the handling of the user input is sound. -JR From ayoung at redhat.com Tue Aug 2 18:51:51 2011 From: ayoung at redhat.com (Adam Young) Date: Tue, 02 Aug 2011 14:51:51 -0400 Subject: [Freeipa-devel] [PATCH] 231 Fixed certificate buttons. In-Reply-To: <4E382213.2050701@redhat.com> References: <4E382213.2050701@redhat.com> Message-ID: <4E384747.3010509@redhat.com> On 08/02/2011 12:13 PM, Endi Sukma Dewata wrote: > The certificate buttons including Get, View, Revoke, Restore for hosts > and services have been fixed to use the correct entity name. > > Ticket #1556 > > > _______________________________________________ > Freeipa-devel mailing list > Freeipa-devel at redhat.com > https://www.redhat.com/mailman/listinfo/freeipa-devel ACK. Pushed to master -------------- next part -------------- An HTML attachment was scrubbed... URL: From rcritten at redhat.com Tue Aug 2 19:13:39 2011 
From: rcritten at redhat.com (Rob Crittenden) Date: Tue, 02 Aug 2011 15:13:39 -0400 Subject: [Freeipa-devel] [PATCH] 104 Hide continue option from automountkey-del In-Reply-To: <1312300865.2457.29.camel@dhcp-25-52.brq.redhat.com> References: <1312300865.2457.29.camel@dhcp-25-52.brq.redhat.com> Message-ID: <4E384C63.6040307@redhat.com> Martin Kosek wrote: > I tested this with WebUI and old client (still with --continue option) > and both worked fine. > --- > This option makes no sense for automount keys. This should be > removed in future versions. > > https://fedorahosted.org/freeipa/ticket/1529 Would a flag ala no_update be a more generic way to go with this? rob From edewata at redhat.com Tue Aug 2 19:28:08 2011 From: edewata at redhat.com (Endi Sukma Dewata) Date: Tue, 02 Aug 2011 14:28:08 -0500 Subject: [Freeipa-devel] [PATCH] 232 Fixed missing icons. Message-ID: <4E384FC8.4030603@redhat.com> The Makefile.am and the spec file have been fixed to include all icons in the install/ui folder. Ticket #1559 -- Endi S. Dewata -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-edewata-0232-Fixed-missing-icons.patch Type: text/x-patch Size: 4737 bytes Desc: not available URL: From edewata at redhat.com Tue Aug 2 21:07:46 2011 From: edewata at redhat.com (Endi Sukma Dewata) Date: Tue, 02 Aug 2011 16:07:46 -0500 Subject: [Freeipa-devel] [PATCH] 233 Fixed misaligned search icon. Message-ID: <4E386722.4010802@redhat.com> The magnifier icon for the search field has been fixed to display properly in all browsers. Ticket #1541 -- Endi S. Dewata -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-edewata-0233-Fixed-misaligned-search-icon.patch Type: text/x-patch Size: 737 bytes Desc: not available URL: From rcritten at redhat.com Tue Aug 2 21:18:49 2011 
From: rcritten at redhat.com (Rob Crittenden) Date: Tue, 02 Aug 2011 17:18:49 -0400 Subject: [Freeipa-devel] [PATCH] 104 Hide continue option from automountkey-del In-Reply-To: <4E384C63.6040307@redhat.com> References: <1312300865.2457.29.camel@dhcp-25-52.brq.redhat.com> <4E384C63.6040307@redhat.com> Message-ID: <4E3869B9.2000908@redhat.com> Rob Crittenden wrote: > Martin Kosek wrote: >> I tested this with WebUI and old client (still with --continue option) >> and both worked fine. >> --- >> This option makes no sense for automount keys. This should be >> removed in future versions. >> >> https://fedorahosted.org/freeipa/ticket/1529 > > Would a flag ala no_update be a more generic way to go with this? > > rob This won't work, --continue is created in baseldap.py so overriding get_options() is fine. ack, pushed to master and ipa-2-0 rob From edewata at redhat.com Wed Aug 3 01:57:17 2011 From: edewata at redhat.com (Endi Sukma Dewata) Date: Tue, 02 Aug 2011 20:57:17 -0500 Subject: [Freeipa-devel] [PATCH] 234 Resizable adder dialog box. Message-ID: <4E38AAFD.7060707@redhat.com> The tables in the adder dialog have been modified to expand according to the size of the dialog. This patch also fixes the problem with row height on IE. Ticket #1542 -- Endi S. Dewata -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-edewata-0234-Resizable-adder-dialog-box.patch Type: text/x-patch Size: 10289 bytes Desc: not available URL: From ayoung at redhat.com Wed Aug 3 03:19:53 2011 
From: ayoung at redhat.com (Adam Young) Date: Tue, 02 Aug 2011 23:19:53 -0400 Subject: [Freeipa-devel] [PATCH] 234 Resizable adder dialog box. In-Reply-To: <4E38AAFD.7060707@redhat.com> References: <4E38AAFD.7060707@redhat.com> Message-ID: <4E38BE59.9030008@redhat.com> On 08/02/2011 09:57 PM, Endi Sukma Dewata wrote: > The tables in the adder dialog have been modified to expand > according to the size of the dialog. > > This patch also fixes the problem with row height on IE. > > Ticket #1542 > > > _______________________________________________ > Freeipa-devel mailing list > Freeipa-devel at redhat.com > https://www.redhat.com/mailman/listinfo/freeipa-devel ACK. Pushed to master -------------- next part -------------- An HTML attachment was scrubbed... URL: From ayoung at redhat.com Wed Aug 3 03:20:01 2011 From: ayoung at redhat.com (Adam Young) Date: Tue, 02 Aug 2011 23:20:01 -0400 Subject: [Freeipa-devel] [PATCH] 233 Fixed misaligned search icon. In-Reply-To: <4E386722.4010802@redhat.com> References: <4E386722.4010802@redhat.com> Message-ID: <4E38BE61.6040407@redhat.com> On 08/02/2011 05:07 PM, Endi Sukma Dewata wrote: > The magnifier icon for the search field has been fixed to display > properly in all browsers. > > Ticket #1541 > > > _______________________________________________ > Freeipa-devel mailing list > Freeipa-devel at redhat.com > https://www.redhat.com/mailman/listinfo/freeipa-devel ACK. Pushed to master -------------- next part -------------- An HTML attachment was scrubbed... URL: From ayoung at redhat.com Wed Aug 3 03:20:08 2011 
From: ayoung at redhat.com (Adam Young) Date: Tue, 02 Aug 2011 23:20:08 -0400 Subject: [Freeipa-devel] [PATCH] 232 Fixed missing icons. In-Reply-To: <4E384FC8.4030603@redhat.com> References: <4E384FC8.4030603@redhat.com> Message-ID: <4E38BE68.5040903@redhat.com> On 08/02/2011 03:28 PM, Endi Sukma Dewata wrote: > The Makefile.am and the spec file have been fixed to include all > icons in the install/ui folder. > > Ticket #1559 > > > _______________________________________________ > Freeipa-devel mailing list > Freeipa-devel at redhat.com > https://www.redhat.com/mailman/listinfo/freeipa-devel ACK. Pushed to master -------------- next part -------------- An HTML attachment was scrubbed... URL: From pvoborni at redhat.com Wed Aug 3 07:02:40 2011 
From: pvoborni at redhat.com (Petr Vobornik) Date: Wed, 03 Aug 2011 09:02:40 +0200 Subject: [Freeipa-devel] [PATCH] 843 reduce dogtag install time In-Reply-To: <4E3768E9.8030900@redhat.com> References: <4E36FC4C.4030506@redhat.com> <4E37605B.4080500@redhat.com> <4E3768E9.8030900@redhat.com> Message-ID: <1312354961.2404.6.camel@dhcp-25-197.brq.redhat.com> On Mon, 2011-08-01 at 23:03 -0400, Adam Young wrote: > On 08/01/2011 10:26 PM, Adam Young wrote: > > On 08/01/2011 03:19 PM, Rob Crittenden wrote: > > > Ade Lee from the dogtag team looked at our installer and found > > > that we restarted the pki-cad process too many times. Re-arranging > > > some code allows us to restart it just once. The new config time > > > for dogtag is 3 1/2 minutes, down from about 5 1/2. > > > > > > Ade is working on improvements in pki-silent as well which can > > > bring the overall install time to 90 seconds. If we can get a > > > change in SELinux policy we're looking at 60 seconds. > > > > > > This patch just contains the reworked installer part. Once an > > > updated dogtag is released we can update the spec file to pull it > > > in. > > > > > > rob > > > > > > _______________________________________________ > > > Freeipa-devel mailing list > > > Freeipa-devel at redhat.com > > > https://www.redhat.com/mailman/listinfo/freeipa-devel > > > > Disregard: same thing seems to be happening without this patch. > > > > > Something is wrong. When I installed this patch, the browser works > > fine in a clean mode (never before initialized). However, if the > > browser already has a certificate from the server, in the past I was > > able to go into Edit->preferences->advanced->Certificates, and > > remove both the server and the CA certificate, and then restart the > > browser. That does not work now. I just get the message > > > > Secure Connection Failed > > An error occurred during a connection to > > server15.ayoung.boston.devel.redhat.com. > > > > You have received an invalid certificate. 
Please contact the server > > administrator or email correspondent and give them the following > > information: > > > > Your certificate contains the same serial number as another > > certificate issued by the certificate authority. Please get a new > > certificate containing a unique serial number. > > > > (Error code: sec_error_reused_issuer_and_serial) > > > > The page you are trying to view can not be shown because the > > authenticity of the received data could not be verified. > > Please contact the web site owners to inform them of this problem. > > Alternatively, use the command found in the help menu to report this > > broken site. > > > > > > Restarting IPA made no difference. The browser does not provide a > > lot of info in which to debug this. > > > > > > I'll try again with out the patch and see if there is a difference. > > In Firefox 5 I also have to clear browser cache along with removing certificates to get rid of 'sec_error_reused_issuer_and_serial'. Petr From kchamart at redhat.com Wed Aug 3 07:28:18 2011 
From: kchamart at redhat.com (Kashyap Chamarthy)
Date: Wed, 03 Aug 2011 12:58:18 +0530
Subject: [Freeipa-devel] [PATCH] 843 reduce dogtag install time
In-Reply-To: <1312354961.2404.6.camel@dhcp-25-197.brq.redhat.com>
References: <4E36FC4C.4030506@redhat.com> <4E37605B.4080500@redhat.com> <4E3768E9.8030900@redhat.com> <1312354961.2404.6.camel@dhcp-25-197.brq.redhat.com>
Message-ID: <4E38F892.4030502@redhat.com>

On 08/03/2011 12:32 PM, Petr Vobornik wrote:
> On Mon, 2011-08-01 at 23:03 -0400, Adam Young wrote:
>> On 08/01/2011 10:26 PM, Adam Young wrote:
>>> On 08/01/2011 03:19 PM, Rob Crittenden wrote:
>>>> Ade Lee from the dogtag team looked at our installer and found
>>>> that we restarted the pki-cad process too many times. Re-arranging
>>>> some code allows us to restart it just once. The new config time
>>>> for dogtag is 3 1/2 minutes, down from about 5 1/2.
>>>>
>>>> Ade is working on improvements in pki-silent as well which can
>>>> bring the overall install time to 90 seconds. If we can get a
>>>> change in SELinux policy we're looking at 60 seconds.
>>>>
>>>> This patch just contains the reworked installer part. Once an
>>>> updated dogtag is released we can update the spec file to pull it
>>>> in.
>>>>
>>>> rob
>>>
>>
>> Disregard: same thing seems to be happening without this patch.
>>
>>>
>>> Something is wrong. When I installed this patch, the browser works
>>> fine in a clean mode (never before initialized). However, if the
>>> browser already has a certificate from the server, in the past I was
>>> able to go into Edit->preferences->advanced->Certificates, and
>>> remove both the server and the CA certificate, and then restart the
>>> browser. That does not work now. I just get the message
>>>
>>> Secure Connection Failed
>>> An error occurred during a connection to
>>> server15.ayoung.boston.devel.redhat.com.
>>>
>>> You have received an invalid certificate. Please contact the server
>>> administrator or email correspondent and give them the following
>>> information:
>>>
>>> Your certificate contains the same serial number as another
>>> certificate issued by the certificate authority. Please get a new
>>> certificate containing a unique serial number.
>>>
>>> (Error code: sec_error_reused_issuer_and_serial)
>>>
>>> The page you are trying to view can not be shown because the
>>> authenticity of the received data could not be verified.
>>> Please contact the web site owners to inform them of this problem.
>>> Alternatively, use the command found in the help menu to report this
>>> broken site.
>>>
>>>
>>> Restarting IPA made no difference. The browser does not provide a
>>> lot of info in which to debug this.
>>>
>>>
>>> I'll try again without the patch and see if there is a difference.
>>>
>
> In Firefox 5 I also have to clear browser cache along with removing
> certificates to get rid of 'sec_error_reused_issuer_and_serial'.

Also, while testing multiple instances of dogtag, IMO, it's better to
have a clean FF profile (or ensure that the security domain name is
unique for each CA).

Delete the old profile and create a new profile.
---
# firefox -ProfileManager
---

Or invoke it with a certain new profile..
---
# firefox -P foobar
---

>
> Petr
>

--
/kashyap

From mkosek at redhat.com Wed Aug 3 10:52:05 2011
From: mkosek at redhat.com (Martin Kosek)
Date: Wed, 03 Aug 2011 12:52:05 +0200
Subject: [Freeipa-devel] [PATCH] 105 Improve error message in ipactl
Message-ID: <1312368727.2841.3.camel@dhcp-25-52.brq.redhat.com>

If a hostname configured in /etc/ipa/default.conf is changed and
is different from the one stored in LDAP in cn=ipa,cn=etc,$SUFFIX
ipactl gives an unintelligible error.

This patch improves the error message and also offers a list of
configured masters so that the hostname setting in IPA configuration
can be easily fixed.

https://fedorahosted.org/freeipa/ticket/1558

-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-mkosek-105-improve-error-message-in-ipactl.patch
Type: text/x-patch
Size: 2691 bytes
Desc: not available
URL:

From ayoung at redhat.com Wed Aug 3 13:43:34 2011
From: ayoung at redhat.com (Adam Young)
Date: Wed, 03 Aug 2011 09:43:34 -0400
Subject: [Freeipa-devel] [PATCH] 843 reduce dogtag install time
In-Reply-To: <1312354961.2404.6.camel@dhcp-25-197.brq.redhat.com>
References: <4E36FC4C.4030506@redhat.com> <4E37605B.4080500@redhat.com> <4E3768E9.8030900@redhat.com> <1312354961.2404.6.camel@dhcp-25-197.brq.redhat.com>
Message-ID: <4E395086.8040408@redhat.com>

On 08/03/2011 03:02 AM, Petr Vobornik wrote:
> On Mon, 2011-08-01 at 23:03 -0400, Adam Young wrote:
>> On 08/01/2011 10:26 PM, Adam Young wrote:
>>> On 08/01/2011 03:19 PM, Rob Crittenden wrote:
>>>> Ade Lee from the dogtag team looked at our installer and found
>>>> that we restarted the pki-cad process too many times. Re-arranging
>>>> some code allows us to restart it just once. The new config time
>>>> for dogtag is 3 1/2 minutes, down from about 5 1/2.
>>>>
>>>> Ade is working on improvements in pki-silent as well which can
>>>> bring the overall install time to 90 seconds. If we can get a
>>>> change in SELinux policy we're looking at 60 seconds.
>>>>
>>>> This patch just contains the reworked installer part. Once an
>>>> updated dogtag is released we can update the spec file to pull it
>>>> in.
>>>>
>>>> rob
>> Disregard: same thing seems to be happening without this patch.
>>
>>> Something is wrong. When I installed this patch, the browser works
>>> fine in a clean mode (never before initialized). However, if the
>>> browser already has a certificate from the server, in the past I was
>>> able to go into Edit->preferences->advanced->Certificates, and
>>> remove both the server and the CA certificate, and then restart the
>>> browser. That does not work now. I just get the message
>>>
>>> Secure Connection Failed
>>> An error occurred during a connection to
>>> server15.ayoung.boston.devel.redhat.com.
>>>
>>> You have received an invalid certificate. Please contact the server
>>> administrator or email correspondent and give them the following
>>> information:
>>>
>>> Your certificate contains the same serial number as another
>>> certificate issued by the certificate authority. Please get a new
>>> certificate containing a unique serial number.
>>>
>>> (Error code: sec_error_reused_issuer_and_serial)
>>>
>>> The page you are trying to view can not be shown because the
>>> authenticity of the received data could not be verified.
>>> Please contact the web site owners to inform them of this problem.
>>> Alternatively, use the command found in the help menu to report this
>>> broken site.
>>>
>>>
>>> Restarting IPA made no difference. The browser does not provide a
>>> lot of info in which to debug this.
>>>
>>>
>>> I'll try again without the patch and see if there is a difference.
>>>
> In Firefox 5 I also have to clear browser cache along with removing
> certificates to get rid of 'sec_error_reused_issuer_and_serial'.

Thanks. I've learned that now, too. I am hoping I can do something more
targeted, like just removing the entries for my server, but I haven't
tried it yet.

> Petr
>

From ayoung at redhat.com Wed Aug 3 13:46:23 2011
From: ayoung at redhat.com (Adam Young)
Date: Wed, 03 Aug 2011 09:46:23 -0400
Subject: [Freeipa-devel] [PATCH] 843 reduce dogtag install time
In-Reply-To: <4E38F892.4030502@redhat.com>
References: <4E36FC4C.4030506@redhat.com> <4E37605B.4080500@redhat.com> <4E3768E9.8030900@redhat.com> <1312354961.2404.6.camel@dhcp-25-197.brq.redhat.com> <4E38F892.4030502@redhat.com>
Message-ID: <4E39512F.8010205@redhat.com>

On 08/03/2011 03:28 AM, Kashyap Chamarthy wrote:
> On 08/03/2011 12:32 PM, Petr Vobornik wrote:
>> On Mon, 2011-08-01 at 23:03 -0400, Adam Young wrote:
>>> On 08/01/2011 10:26 PM, Adam Young wrote:
>>>> On 08/01/2011 03:19 PM, Rob Crittenden wrote:
>>>>> Ade Lee from the dogtag team looked at our installer and found
>>>>> that we restarted the pki-cad process too many times. Re-arranging
>>>>> some code allows us to restart it just once. The new config time
>>>>> for dogtag is 3 1/2 minutes, down from about 5 1/2.
>>>>>
>>>>> Ade is working on improvements in pki-silent as well which can
>>>>> bring the overall install time to 90 seconds. If we can get a
>>>>> change in SELinux policy we're looking at 60 seconds.
>>>>>
>>>>> This patch just contains the reworked installer part. Once an
>>>>> updated dogtag is released we can update the spec file to pull it
>>>>> in.
>>>>>
>>>>> rob
>>>>
>>>
>>> Disregard: same thing seems to be happening without this patch.
>>>
>>>>
>>>> Something is wrong. When I installed this patch, the browser works
>>>> fine in a clean mode (never before initialized). However, if the
>>>> browser already has a certificate from the server, in the past I was
>>>> able to go into Edit->preferences->advanced->Certificates, and
>>>> remove both the server and the CA certificate, and then restart the
>>>> browser. That does not work now. I just get the message
>>>>
>>>> Secure Connection Failed
>>>> An error occurred during a connection to
>>>> server15.ayoung.boston.devel.redhat.com.
>>>>
>>>> You have received an invalid certificate. Please contact the server
>>>> administrator or email correspondent and give them the following
>>>> information:
>>>>
>>>> Your certificate contains the same serial number as another
>>>> certificate issued by the certificate authority. Please get a new
>>>> certificate containing a unique serial number.
>>>>
>>>> (Error code: sec_error_reused_issuer_and_serial)
>>>>
>>>> The page you are trying to view can not be shown because the
>>>> authenticity of the received data could not be verified.
>>>> Please contact the web site owners to inform them of this problem.
>>>> Alternatively, use the command found in the help menu to report this
>>>> broken site.
>>>>
>>>>
>>>> Restarting IPA made no difference. The browser does not provide a
>>>> lot of info in which to debug this.
>>>>
>>>>
>>>> I'll try again without the patch and see if there is a difference.
>>>>
>>
>> In Firefox 5 I also have to clear browser cache along with removing
>> certificates to get rid of 'sec_error_reused_issuer_and_serial'.
>
>
> Also, while testing multiple instances of dogtag, IMO, it's better to
> have a clean FF profile (or ensure that the security domain name is
> unique for each CA).
>
> Delete the old profile and create a new profile.
> ---
> # firefox -ProfileManager
> ---
>
>
> Or invoke it with a certain new profile..
> ---
> # firefox -P foobar
> ---

Yep, I do that too. I'm going to say that while this is good for certain
QA tasks, developers cannot and should not expect that end users blow
away their profiles. We need to make sure the use cases of normal users
are the best tested, and that means figuring out how to clean up a warped
profile. If you always start from clean, you avoid this pain. So, best to
mix it up, by reusing an existing profile by default.

>>
>> Petr
>>
>
>

From JR.Aquino at citrix.com Wed Aug 3 14:24:31 2011
From: JR.Aquino at citrix.com (JR Aquino)
Date: Wed, 3 Aug 2011 14:24:31 +0000
Subject: [Freeipa-devel] [PATCH] 34 Create FreeIPA CLI Plugin for the 389 Auto Membership plugin
In-Reply-To: <4E37F3AD.1030801@redhat.com>
References: <99CC5FCC-73CE-43C1-9B73-4DDD69A4637D@citrixonline.com> <1310730613.32137.22.camel@dhcp-25-52.brq.redhat.com> <4E2054E3.5060306@redhat.com> <84A3F669-CCF3-4C6C-9525-5BD4A71E6E1E@citrixonline.com> <4E26F657.8030901@redhat.com> <3D1116E1-B782-4F43-B6DA-08E8FCFC34A1@citrixonline.com> <4E279A3C.5040900@redhat.com> <328D74A5-F560-4DC6-8E5F-413AFDCCAABC@citrixonline.com> <1311246577.17378.28.camel@dhcp-25-52.brq.redhat.com> <4E28384A.708@redhat.com> <0BF013EE-B1ED-4953-94ED-F3BA825CFE78@citrixonline.com> <60FB2C65-DFB4-41B4-A51F-78FE89BB1A1E@citrixonline.com> <1312202461.2484.4.camel@dhcp-25-52.brq.redhat.com> <4E36A27F.4020908@redhat.com> <4E37F3AD.1030801@redhat.com>
Message-ID: <24D74CFC-C481-42A2-A52A-5F985A40D9A7@citrix.com>

On Aug 2, 2011, at 5:55 AM, "Rob Crittenden" wrote:

> JR Aquino wrote:
>>
>> I am fairly opposed to removing 'default' attrs which the rules are applied to... I am happy to provide a means to override them.
>>
>> While it may be second nature for all of us to know that there is an fqdn attribute, etc, our consumers are likely not going to intrinsically know our schema. We also deliberately mask the real attribute names in the framework. (fqdn = Host name)
>>
>> Providing a default feels like a happy medium which allows for ease of use and somewhat of a safety belt against users defining an incorrect attribute name.
>>
>> It also might get somewhat tiring to constantly provide --key=fqdn every time you add a hostname regex?
>
> Ok, but when you display rules fqdn is displayed. How are users to know
> they shouldn't include fqdn= when removing existing rules?

I guess my preference would be to heavily document, in the example, the plugin, and the docs...

My concern is that without a default, a typo in the attr would produce unintended results. Without a schema checker, it's kinda tough to take an attr at face value from a user. Does the python ldap implementation have a means to check schema in order to verify an attribute?

The design of the automember plugin, having the attr in the Regex, does make for some complexity....

From rcritten at redhat.com Wed Aug 3 14:32:53 2011
From: rcritten at redhat.com (Rob Crittenden)
Date: Wed, 03 Aug 2011 10:32:53 -0400
Subject: [Freeipa-devel] [PATCH] 34 Create FreeIPA CLI Plugin for the 389 Auto Membership plugin
In-Reply-To: <24D74CFC-C481-42A2-A52A-5F985A40D9A7@citrix.com>
References: <99CC5FCC-73CE-43C1-9B73-4DDD69A4637D@citrixonline.com> <1310730613.32137.22.camel@dhcp-25-52.brq.redhat.com> <4E2054E3.5060306@redhat.com> <84A3F669-CCF3-4C6C-9525-5BD4A71E6E1E@citrixonline.com> <4E26F657.8030901@redhat.com> <3D1116E1-B782-4F43-B6DA-08E8FCFC34A1@citrixonline.com> <4E279A3C.5040900@redhat.com> <328D74A5-F560-4DC6-8E5F-413AFDCCAABC@citrixonline.com> <1311246577.17378.28.camel@dhcp-25-52.brq.redhat.com> <4E28384A.708@redhat.com> <0BF013EE-B1ED-4953-94ED-F3BA825CFE78@citrixonline.com> <60FB2C65-DFB4-41B4-A51F-78FE89BB1A1E@citrixonline.com> <1312202461.2484.4.camel@dhcp-25-52.brq.redhat.com> <4E36A27F.4020908@redhat.com> <4E37F3AD.1030801@redhat.com> <24D74CFC-C481-42A2-A52A-5F985A40D9A7@citrix.com>
Message-ID: <4E395C15.6040209@redhat.com>

JR Aquino wrote:
> On Aug 2, 2011, at 5:55 AM, "Rob Crittenden" wrote:
>> JR Aquino wrote:
>>>
>>> I am fairly opposed to removing 'default' attrs which the rules are applied to... I am happy to provide a means to override them.
>>>
>>> While it may be second nature for all of us to know that there is an fqdn attribute, etc, our consumers are likely not going to intrinsically know our schema. We also deliberately mask the real attribute names in the framework. (fqdn = Host name)
>>>
>>> Providing a default feels like a happy medium which allows for ease of use and somewhat of a safety belt against users defining an incorrect attribute name.
>>>
>>> It also might get somewhat tiring to constantly provide --key=fqdn every time you add a hostname regex?
>>
>> Ok, but when you display rules fqdn is displayed. How are users to know
>> they shouldn't include fqdn= when removing existing rules?
>
> I guess my preference would be to heavily document, in the example, the plugin, and the docs...
>
> My concern is that without a default, a typo in the attr would produce unintended results. Without a schema checker, it's kinda tough to take an attr at face value from a user. Does the python ldap implementation have a means to check schema in order to verify an attribute?
>
> The design of the automember plugin, having the attr in the Regex, does make for some complexity....
>

We do have a schema checker. You can test for existence of an attribute
with something like:

    import ldap as _ldap
    import ldap.schema   # makes _ldap.schema.AttributeType importable

    # In IPA plugin code 'ldap' is the ldap2 backend connection; its .schema
    # is a python-ldap SubSchema built from the server's subschema subentry,
    # so get_obj() answers from the schema the directory actually enforces.
    obj = ldap.schema.get_obj(_ldap.schema.AttributeType, attr)
    if obj is None:
        # Error, no such attribute: refuse the value rather than letting an
        # unknown attribute name through to the rule
        raise ValueError('no such attribute: %s' % attr)

rob

From rcritten at redhat.com Wed Aug 3 19:18:13 2011
From: rcritten at redhat.com (Rob Crittenden)
Date: Wed, 03 Aug 2011 15:18:13 -0400
Subject: [Freeipa-devel] [PATCH] 105 Improve error message in ipactl
In-Reply-To: <1312368727.2841.3.camel@dhcp-25-52.brq.redhat.com>
References: <1312368727.2841.3.camel@dhcp-25-52.brq.redhat.com>
Message-ID: <4E399EF5.4020808@redhat.com>

Martin Kosek wrote:
> If a hostname configured in /etc/ipa/default.conf is changed and
> is different from the one stored in LDAP in cn=ipa,cn=etc,$SUFFIX
> ipactl gives an unintelligible error.
>
> This patch improves the error message and also offers a list of
> configured masters so that the hostname setting in IPA configuration
> can be easily fixed.
>
> https://fedorahosted.org/freeipa/ticket/1558

Ack, works fine.

rob

From rcritten at redhat.com Wed Aug 3 19:47:23 2011
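The automember exchange above (JR's worry that a typo in the attribute name silently matches nothing, Rob's pointer to the server schema as the check) can be shown end to end without a directory server. The following is an added example, not FreeIPA's automember plugin and not python-ldap: a small parser for RFC 4512 attributeTypes definitions standing in for SubSchema.get_obj(), a rule parser that keeps JR's fqdn default for bare regexes but rejects an unknown "attr=" prefix, and a matcher that applies parsed rules to an entry. The sample schema is constructed; cn's OID is the real one, the OIDs given for fqdn and macAddress are placeholders, and all function names are mine.

```python
# Added example, not FreeIPA's code: a pure-Python stand-in for the schema
# check Rob points at (python-ldap's SubSchema.get_obj) plus the rule parsing
# JR is worried about. Definitions use RFC 4512 attributeTypes syntax; the
# OIDs for fqdn and macAddress below are constructed placeholders.
import re

_OID_RE = re.compile(r"^\(\s*([0-9.]+|[A-Za-z][A-Za-z0-9-]*)")
_NAME_RE = re.compile(r"\bNAME\s+(?:'([^']*)'|\(((?:\s*'[^']*')+)\s*\))")
_ATTR_TOKEN = re.compile(r"^[A-Za-z][A-Za-z0-9-]*$")
DEFAULT_KEY = "fqdn"      # the host-rule default JR wants to keep


def parse_attribute_type(definition):
    """Return (oid, [names]) from one attributeTypes value."""
    m = _OID_RE.match(definition.strip())
    if not m:
        raise ValueError("malformed attributeType: %r" % definition)
    names = []
    n = _NAME_RE.search(definition)
    if n:
        names = [n.group(1)] if n.group(1) is not None else re.findall(r"'([^']*)'", n.group(2))
    return m.group(1), names


class SubSchema:
    """Tiny analogue of ldap.schema.SubSchema: resolves names and OIDs, case-insensitively."""

    def __init__(self, attribute_types):
        self._by_key = {}
        for definition in attribute_types:
            oid, names = parse_attribute_type(definition)
            canonical = names[0] if names else oid
            self._by_key[oid.lower()] = canonical
            for name in names:
                self._by_key[name.lower()] = canonical

    def get_attribute_type(self, name_or_oid):
        """Canonical name of the attribute, or None if the schema has no such attribute."""
        return self._by_key.get(name_or_oid.strip().lower())


def parse_rule(rule, schema, default_key=DEFAULT_KEY):
    """Parse an automember 'attr=regex' rule; a bare regex gets the default attr.

    A key that looks like an attribute name but is unknown to the schema is
    rejected, so a typo such as 'fdqn=' fails here instead of silently
    matching nothing on the server.
    """
    key, sep, rest = rule.partition("=")
    if sep and _ATTR_TOKEN.match(key):
        attr, regex = schema.get_attribute_type(key), rest
        if attr is None:
            raise ValueError("unknown attribute %r in rule %r" % (key, rule))
    else:                             # no 'attr=' prefix: whole string is the regex
        attr, regex = schema.get_attribute_type(default_key), rule
        if attr is None:
            raise ValueError("default attribute %r is not in the schema" % default_key)
    re.compile(regex)                 # a broken regex is rejected up front too
    return attr, regex


def check_rules(rules, schema):
    """Validate a batch of rules; returns (parsed, errors) so every typo is reported at once."""
    parsed, errors = [], []
    for rule in rules:
        try:
            parsed.append(parse_rule(rule, schema))
        except (ValueError, re.error) as exc:
            errors.append("%s: %s" % (rule, exc))
    return parsed, errors


def entry_matches(entry, rules):
    """True if any rule's regex matches any value of its attribute in the entry."""
    values = {k.lower(): v for k, v in entry.items()}
    return any(re.search(regex, value) is not None
               for attr, regex in rules
               for value in values.get(attr.lower(), ()))


# Constructed sample schema; cn's OID is real, the other two are placeholders.
SAMPLE_SCHEMA = SubSchema([
    "( 2.5.4.3 NAME ( 'cn' 'commonName' ) SUP name )",
    "( 1.3.6.1.4.1.99999.1 NAME 'fqdn' EQUALITY caseIgnoreMatch "
    "SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE )",
    "( 1.3.6.1.4.1.99999.2 NAME 'macAddress' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )",
])
```

check_rules() is the shape a CLI front end wants: it collects every bad rule in one pass instead of stopping at the first, and the caller decides whether to abort or just warn. Against a live server the SubSchema class would be replaced by the connection's own schema object, which is exactly what Rob's get_obj() call reads from.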
From: rcritten at redhat.com (Rob Crittenden)
Date: Wed, 03 Aug 2011 15:47:23 -0400
Subject: [Freeipa-devel] [PATCH] 844 add netgroup to memberof association of hostgroups
Message-ID: <4E39A5CB.50909@redhat.com>

Let hostgroups show that they are members of netgroups.

rob

-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-rcrit-844-memberof.patch
Type: application/mbox
Size: 946 bytes
Desc: not available
URL:

From edewata at redhat.com Wed Aug 3 22:34:55 2011
From: edewata at redhat.com (Endi Sukma Dewata)
Date: Wed, 03 Aug 2011 17:34:55 -0500
Subject: [Freeipa-devel] [PATCH] 235 Linked entries in HBAC/sudo details page.
Message-ID: <4E39CD0F.8090902@redhat.com>

The association tables in HBAC/sudo details page have been modified to
link the entries to the appropriate details page.

Ticket #1535

--
Endi S. Dewata

-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-edewata-0235-Linked-entries-in-HBAC-sudo-details-page.patch
Type: text/x-patch
Size: 6599 bytes
Desc: not available
URL:

From jdennis at redhat.com Wed Aug 3 23:16:18 2011
From: jdennis at redhat.com (John Dennis)
Date: Wed, 3 Aug 2011 19:16:18 -0400
Subject: [Freeipa-devel] [PATCH 34/34] ticket 1568 - DN objects should support the insert method
Message-ID: <201108032316.p73NGIXT026343@int-mx02.intmail.prod.int.phx2.redhat.com>

Add dn.insert() and update unittest

--
John Dennis

Looking to carve out IT costs?
www.redhat.com/carveoutcosts/

-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0034-ticket-1568-DN-objects-should-support-the-insert-met.patch
Type: text/x-patch
Size: 2853 bytes
Desc: not available
URL:

From jdennis at redhat.com Wed Aug 3 23:35:08 2011
From: jdennis at redhat.com (John Dennis)
Date: Wed, 3 Aug 2011 19:35:08 -0400
Subject: [Freeipa-devel] [PATCH 35/35] ticket 1569 - Test DN object non-latin Unicode support
Message-ID: <201108032335.p73NZ87l018492@int-mx01.intmail.prod.int.phx2.redhat.com>

The DN unittest was lacking a test for i18n. The unittest was updated to
store "Hello" in Arabic with both utf-8 and unicode and verify the values
could be properly retrieved and converted to dn string syntax.

During the testing a few problems were discovered and corrected.

* passing in utf-8 caused an ASCII decode error because of Python's
  silly default encoding of ASCII. The fix was to explicitly use the
  utf-8 codec.

* there were a couple of places where encode/decode were not called
  correctly.

* the internal attr and value members of the AVA class were renamed to
  explicitly show they are stored as unicode.

Of course the unittest was updated as well.

--
John Dennis

-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0035-ticket-1569-Test-DN-object-non-latin-Unicode-support.patch
Type: text/x-patch
Size: 9395 bytes
Desc: not available
URL:

From mkosek at redhat.com Thu Aug 4 06:21:25 2011
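John's two patches above (dn.insert() for ticket 1568 and the non-Latin Unicode test for ticket 1569) are only attached, so here is an added illustration of the behaviour they describe. It is not FreeIPA's DN implementation: a small AVA/DN model that stores attribute and value as unicode whether the input arrives as str or as UTF-8 bytes, decodes bytes with an explicitly named codec rather than the interpreter default, emits RFC 4514 string syntax (where non-Latin text is left unescaped), and supports insert(). The Arabic "Hello" constant, the class and method names, and the sample DNs are mine.

```python
# Added example, not FreeIPA's DN implementation. Models the two points in
# John's tickets: DN.insert() (1568) and unicode-safe AVA values (1569).
# Output follows RFC 4514 string syntax, which leaves non-Latin text as-is.
ARABIC_HELLO = "\u0645\u0631\u062d\u0628\u0627"   # "Hello" in Arabic, as in John's test

_ESCAPE_ANYWHERE = set('"+,;<>\\')


def to_unicode(value, encoding="utf-8"):
    """Normalise str or bytes to str, decoding bytes with an explicit codec
    (never the interpreter's default, which is what broke the original test)."""
    if isinstance(value, bytes):
        return value.decode(encoding)
    if isinstance(value, str):
        return value
    raise TypeError("DN component must be str or bytes, got %s" % type(value).__name__)


def escape_value(value):
    """RFC 4514 section 2.4 escaping for one attribute value."""
    value = to_unicode(value)
    out, last = [], len(value) - 1
    for i, ch in enumerate(value):
        if ch == "\x00":
            out.append("\\00")                     # NUL must be hex-escaped
        elif ch in _ESCAPE_ANYWHERE:
            out.append("\\" + ch)
        elif ch == "#" and i == 0:
            out.append("\\#")                      # a leading '#' would read as hex form
        elif ch == " " and (i == 0 or i == last):
            out.append("\\ ")                      # leading or trailing space
        else:
            out.append(ch)                         # everything else, including non-ASCII
    return "".join(out)


class AVA:
    """One attribute=value pair; both parts are stored as unicode."""

    def __init__(self, attr, value):
        self.attr = to_unicode(attr)
        self.value = to_unicode(value)

    def __eq__(self, other):
        return (isinstance(other, AVA) and self.attr.lower() == other.attr.lower()
                and self.value == other.value)

    def __str__(self):
        return "%s=%s" % (self.attr, escape_value(self.value))


class DN:
    """Ordered RDNs (leftmost first); an RDN is a list of AVAs joined with '+'."""

    def __init__(self, *rdns):
        self.rdns = [list(rdn) for rdn in rdns]

    def insert(self, index, rdn):
        """Insert an RDN at position index, with list.insert semantics."""
        self.rdns.insert(index, list(rdn))

    def __len__(self):
        return len(self.rdns)

    def __str__(self):
        return ",".join("+".join(str(ava) for ava in rdn) for rdn in self.rdns)

    def to_bytes(self):
        """Wire form: the RFC 4514 string encoded as UTF-8, again explicitly."""
        return str(self).encode("utf-8")
```

The point of to_unicode() is the one John found the hard way: a DN built from bytes must say which codec it assumes, and a DN handed to the wire must encode explicitly, so that both directions agree on UTF-8 regardless of locale or interpreter defaults.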
From: mkosek at redhat.com (Martin Kosek)
Date: Thu, 04 Aug 2011 08:21:25 +0200
Subject: [Freeipa-devel] [PATCH] 105 Improve error message in ipactl
In-Reply-To: <4E399EF5.4020808@redhat.com>
References: <1312368727.2841.3.camel@dhcp-25-52.brq.redhat.com> <4E399EF5.4020808@redhat.com>
Message-ID: <1312438889.22878.0.camel@dhcp-25-52.brq.redhat.com>

On Wed, 2011-08-03 at 15:18 -0400, Rob Crittenden wrote:
> Martin Kosek wrote:
> > If a hostname configured in /etc/ipa/default.conf is changed and
> > is different from the one stored in LDAP in cn=ipa,cn=etc,$SUFFIX
> > ipactl gives an unintelligible error.
> >
> > This patch improves the error message and also offers a list of
> > configured masters so that the hostname setting in IPA configuration
> > can be easily fixed.
> >
> > https://fedorahosted.org/freeipa/ticket/1558
>
> Ack, works fine.
>
> rob

Pushed to master, ipa-2-0.

Martin

From mkosek at redhat.com Thu Aug 4 08:02:04 2011
From: mkosek at redhat.com (Martin Kosek)
Date: Thu, 04 Aug 2011 10:02:04 +0200
Subject: [Freeipa-devel] [PATCH] 106 Improve dnszone-add error message
Message-ID: <1312444927.22878.1.camel@dhcp-25-52.brq.redhat.com>

Check that the NS address passed in dnszone-add is a domain name and not
an IP address. Make this clear also in the parameter help.

https://fedorahosted.org/freeipa/ticket/1567

-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-mkosek-106-improve-dnszone-add-error-message.patch
Type: text/x-patch
Size: 1825 bytes
Desc: not available
URL:

From pvoborni at redhat.com Thu Aug 4 09:22:11 2011
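Martin's patch 106 is attached rather than quoted, so the check it describes is shown here as an added, stand-alone validator that is not FreeIPA's dnszone-add code: an NS value is rejected with a message naming the problem when it is an IPv4 or IPv6 literal (including bracketed IPv6 and a trailing-dot form), and otherwise has to be a host name made of RFC 1123 labels. Function names and the sample inputs are mine.

```python
# Added example, not FreeIPA's dnszone-add code: validate that an NS value
# names a host rather than giving an IP literal, and say so clearly.
import ipaddress
import re

# One host-name label: 1-63 chars of [A-Za-z0-9-], no leading or trailing '-'.
_LABEL = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")


def is_ip_literal(value):
    """True for IPv4/IPv6 literals, also when bracketed or written with a trailing dot."""
    candidate = value.strip().rstrip(".")
    if candidate.startswith("[") and candidate.endswith("]"):
        candidate = candidate[1:-1]
    try:
        ipaddress.ip_address(candidate)
        return True
    except ValueError:
        return False


def validate_ns_name(value):
    """Return the stripped NS host name, or raise ValueError with a specific message."""
    if is_ip_literal(value):
        raise ValueError("NS must be the domain name of the name server, "
                         "not an IP address: %r" % value)
    name = value.strip()
    if not name:
        raise ValueError("NS must not be empty")
    labels = name.rstrip(".").split(".")       # a trailing dot (absolute name) is allowed
    if len(name) > 255 or not all(_LABEL.match(label) for label in labels):
        raise ValueError("NS is not a valid host name: %r" % value)
    return name


def ns_error(value):
    """Convenience for callers that report instead of raise: message or None."""
    try:
        validate_ns_name(value)
        return None
    except ValueError as exc:
        return str(exc)
```

Checking the IP-literal case first matters: "192.0.2.1" is also four syntactically valid labels, so a pure host-name regex would accept it and the user would only find out when the zone fails to resolve.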
From: pvoborni at redhat.com (Petr Vobornik)
Date: Thu, 04 Aug 2011 11:22:11 +0200
Subject: [Freeipa-devel] [PATCH] 002 Fixed adding host without DNS reverse zone
In-Reply-To: <4E32E9DC.2060609@redhat.com>
References: <1311679630.2338.61.camel@dhcp-25-197.brq.redhat.com> <4E2F4932.3080409@redhat.com> <4E2F6A96.706@redhat.com> <1311771699.2079.6.camel@dhcp-25-197.brq.redhat.com> <4E32CA7D.9090909@redhat.com> <4E32CAFD.2030009@redhat.com> <1311955971.10002.11.camel@dhcp-25-197.brq.redhat.com> <4E32E9DC.2060609@redhat.com>
Message-ID: <1312449734.20559.17.camel@dhcp-25-197.brq.redhat.com>

new version attached

On Fri, 2011-07-29 at 12:11 -0500, Endi Sukma Dewata wrote:
> On 7/29/2011 11:12 AM, Petr Vobornik wrote:
> > There was a small error in add.js:162.

Fixed!

> Nice job on the dialog boxes.
>
> There's a problem though, the Retry doesn't quite work. This is because
> 'this' object passed to IPA.error_dialog actually points to Ajax context
> instead of the IPA.command, so calling execute() on it will fail.

Fixed

> When Ajax call returns, it passes a context via 'this' object to the
> callback function. The object might contain some useful information
> which we would not be able to get any other way. The original code tries
> to maintain the context by passing 'this' object along the chain using
> call(). Feel free to add comments in the code to clarify this.
>
> So in dialog_open() you should pass 'that' into the 'command' parameter.
> You also need to pass 'this' using another parameter so you can use it to
> call the error handler if you click Cancel.
>
> Also these changes should be reverted back to maintain the Ajax context:
>
> - that.on_error.call(this, xhr, text_status, error_thrown);
> + that.on_error(xhr, text_status, error_thrown);
>
> - that.on_success.call(this, data, text_status, xhr);
> + that.on_success(data, text_status, xhr);

Reverted back. Just for my information: is the ajax context preserved for
some future use, or is it already used somewhere?

> The IPA.add_dialog can store the command object as an instance variable
> so the IPA.host_adder_dialog can refer to it from the error handler.
>
> Another thing, in the init() you can access the spec object directly, so
> don't really have to pass it as a parameter.

Yeah, I know. The purpose for this was to be able to call the init method
again later (which was made public as xxx_init(spec)). But probably it
isn't in compliance with the removal of public init methods.

petr

-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-pvoborni-0002-5-Fixed-adding-host-without-DNS-reverse-zone.patch
Type: text/x-patch
Size: 10333 bytes
Desc: not available
URL:

From jcholast at redhat.com Thu Aug 4 15:02:36 2011
From: jcholast at redhat.com (Jan Cholasta)
Date: Thu, 04 Aug 2011 17:02:36 +0200
Subject: [Freeipa-devel] [PATCH] 843 reduce dogtag install time
In-Reply-To: <1312285796.2457.27.camel@dhcp-25-52.brq.redhat.com>
References: <4E36FC4C.4030506@redhat.com> <1312285796.2457.27.camel@dhcp-25-52.brq.redhat.com>
Message-ID: <4E3AB48C.9040900@redhat.com>

On 2.8.2011 13:49, Martin Kosek wrote:
> On Mon, 2011-08-01 at 15:19 -0400, Rob Crittenden wrote:
>> Ade Lee from the dogtag team looked at our installer and found that we
>> restarted the pki-cad process too many times. Re-arranging some code
>> allows us to restart it just once. The new config time for dogtag is 3
>> 1/2 minutes, down from about 5 1/2.
>>
>> Ade is working on improvements in pki-silent as well which can bring the
>> overall install time to 90 seconds. If we can get a change in SELinux
>> policy we're looking at 60 seconds.
>>
>> This patch just contains the reworked installer part. Once an updated
>> dogtag is released we can update the spec file to pull it in.
>>
>> rob
>
> This worked fine for standard dogtag installation + CA on a replica, but
> it failed with external CA:
>
> /var/log/ipaserver-install.log:
> ...
>
> admin/console/config/backupkeycertpanel.vm
>
>
> checked
> Failed to create pkcs12 file.
> 19
>
> Export Keys and Certificates
>
>
>
> ....
> 2011-08-02 07:45:38,276 CRITICAL failed to configure ca instance Command
> '/usr/bin/perl /usr/bin/pkisilent ConfigureCA -cs_hostname
> vm-059.idm.lab.bos.redhat.com -cs_port 9445
> -client_certdb_dir /tmp/tmp-GS6wzH -client_certdb_pwd 'XXXXXXXX'
> -preop_pin BbkK9wJ7vD9UEzL4kBcO -domain_name IPA -admin_user admin
> -admin_email root at localhost -admin_password 'XXXXXXXX' -agent_name
> ipa-ca-agent -agent_key_size 2048 -agent_key_type rsa
> -agent_cert_subject "CN=ipa-ca-agent,O=IDM.LAB.BOS.REDHAT.COM"
> -ldap_host vm-059.idm.lab.bos.redhat.com -ldap_port 7389 -bind_dn
> "cn=Directory Manager" -bind_password 'XXXXXXXX' -base_dn o=ipaca
> -db_name ipaca -key_size 2048 -key_type rsa -key_algorithm SHA256withRSA
> -save_p12 true -backup_pwd 'XXXXXXXX' -subsystem_name pki-cad
> -token_name internal -ca_subsystem_cert_subject_name "CN=CA
> Subsystem,O=IDM.LAB.BOS.REDHAT.COM" -ca_ocsp_cert_subject_name "CN=OCSP
> Subsystem,O=IDM.LAB.BOS.REDHAT.COM" -ca_server_cert_subject_name
> "CN=vm-059.idm.lab.bos.redhat.com,O=IDM.LAB.BOS.REDHAT.COM"
> -ca_audit_signing_cert_subject_name "CN=CA
> Audit,O=IDM.LAB.BOS.REDHAT.COM" -ca_sign_cert_subject_name
> "CN=Certificate Authority,O=IDM.LAB.BOS.REDHAT.COM" -external true
> -ext_ca_cert_file /home/mkosek/cadb_f15/external-ca.crt
> -ext_ca_cert_chain_file /home/mkosek/cadb_f15/ipa.crt -clone false'
> returned non-zero exit status 255
> 2011-08-02 07:45:38,302 DEBUG Configuration of CA failed
> ...
>

Works for me.

It's just a guess, but didn't you happen to swap --external_cert_file
and --external_ca_file?

Honza

--
Jan Cholasta

From mkosek at redhat.com Thu Aug 4 15:24:45 2011
From: mkosek at redhat.com (Martin Kosek)
Date: Thu, 04 Aug 2011 17:24:45 +0200
Subject: [Freeipa-devel] [PATCH] 843 reduce dogtag install time
In-Reply-To: <4E3AB48C.9040900@redhat.com>
References: <4E36FC4C.4030506@redhat.com> <1312285796.2457.27.camel@dhcp-25-52.brq.redhat.com> <4E3AB48C.9040900@redhat.com>
Message-ID: <1312471488.3701.3.camel@dhcp-25-52.brq.redhat.com>

On Thu, 2011-08-04 at 17:02 +0200, Jan Cholasta wrote:
> On 2.8.2011 13:49, Martin Kosek wrote:
> > On Mon, 2011-08-01 at 15:19 -0400, Rob Crittenden wrote:
> >> Ade Lee from the dogtag team looked at our installer and found that we
> >> restarted the pki-cad process too many times. Re-arranging some code
> >> allows us to restart it just once. The new config time for dogtag is 3
> >> 1/2 minutes, down from about 5 1/2.
> >>
> >> Ade is working on improvements in pki-silent as well which can bring the
> >> overall install time to 90 seconds. If we can get a change in SELinux
> >> policy we're looking at 60 seconds.
> >>
> >> This patch just contains the reworked installer part. Once an updated
> >> dogtag is released we can update the spec file to pull it in.
> >>
> >> rob
> >
> > This worked fine for standard dogtag installation + CA on a replica, but
> > it failed with external CA:
> >
> > /var/log/ipaserver-install.log:
> > ...
> >
> > admin/console/config/backupkeycertpanel.vm
> >
> >
> > checked
> > Failed to create pkcs12 file.
> > 19
> >
> > Export Keys and Certificates
> >
> >
> >
> > ....
> > 2011-08-02 07:45:38,276 CRITICAL failed to configure ca instance Command
> > '/usr/bin/perl /usr/bin/pkisilent ConfigureCA -cs_hostname
> > vm-059.idm.lab.bos.redhat.com -cs_port 9445
> > -client_certdb_dir /tmp/tmp-GS6wzH -client_certdb_pwd 'XXXXXXXX'
> > -preop_pin BbkK9wJ7vD9UEzL4kBcO -domain_name IPA -admin_user admin
> > -admin_email root at localhost -admin_password 'XXXXXXXX' -agent_name
> > ipa-ca-agent -agent_key_size 2048 -agent_key_type rsa
> > -agent_cert_subject "CN=ipa-ca-agent,O=IDM.LAB.BOS.REDHAT.COM"
> > -ldap_host vm-059.idm.lab.bos.redhat.com -ldap_port 7389 -bind_dn
> > "cn=Directory Manager" -bind_password 'XXXXXXXX' -base_dn o=ipaca
> > -db_name ipaca -key_size 2048 -key_type rsa -key_algorithm SHA256withRSA
> > -save_p12 true -backup_pwd 'XXXXXXXX' -subsystem_name pki-cad
> > -token_name internal -ca_subsystem_cert_subject_name "CN=CA
> > Subsystem,O=IDM.LAB.BOS.REDHAT.COM" -ca_ocsp_cert_subject_name "CN=OCSP
> > Subsystem,O=IDM.LAB.BOS.REDHAT.COM" -ca_server_cert_subject_name
> > "CN=vm-059.idm.lab.bos.redhat.com,O=IDM.LAB.BOS.REDHAT.COM"
> > -ca_audit_signing_cert_subject_name "CN=CA
> > Audit,O=IDM.LAB.BOS.REDHAT.COM" -ca_sign_cert_subject_name
> > "CN=Certificate Authority,O=IDM.LAB.BOS.REDHAT.COM" -external true
> > -ext_ca_cert_file /home/mkosek/cadb_f15/external-ca.crt
> > -ext_ca_cert_chain_file /home/mkosek/cadb_f15/ipa.crt -clone false'
> > returned non-zero exit status 255
> > 2011-08-02 07:45:38,302 DEBUG Configuration of CA failed
> > ...
> >
>
> Works for me.
>
> It's just a guess, but didn't you happen to swap --external_cert_file
> and --external_ca_file?
>
> Honza
>

That's a good bet. I managed to find CRTs used in my installation and
displayed their contents and they were indeed wrong. So the problem was
only my side.

ACK for Rob's patch then.

Martin

From jcholast at redhat.com Thu Aug 4 15:33:59 2011
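Two failures in this thread come down to fields of the tbsCertificate. Adam's sec_error_reused_issuer_and_serial earlier in the thread arises because the browser's certificate store keys each certificate by issuer DN plus serial number, so a reinstalled dev CA that keeps its DN and restarts its serial counter produces a new server certificate that collides with the one already stored; Martin's install failure above came from swapping --external_cert_file and --external_ca_file, which a pre-flight comparison of issuer and subject would have caught. The following is an added example, not code from FreeIPA, NSS or dogtag: a minimal DER reader for serial, issuer and subject; a toy store that refuses a reused (issuer, serial) pair for a different certificate and can drop one issuer's entries (the targeted cleanup Adam was hoping for); and a check that the file given as the CA actually issued the file given as the certificate. The certificate fixtures are hand-built, unsigned DER shells labelled as constructed; every name and function here is mine.

```python
# Added example, not code from FreeIPA, NSS or dogtag. The X.509 objects below
# are constructed, unsigned DER shells: real tbsCertificate layout, fake keys.

def _der_len(n):
    """DER length octets: short form below 128, long form above."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def _tlv(tag, content):
    return bytes([tag]) + _der_len(len(content)) + content

def _seq(*items):
    return _tlv(0x30, b"".join(items))

def _integer(n):
    # Minimal two's-complement encoding (leading 0x00 when the top bit is set).
    return _tlv(0x02, n.to_bytes((n.bit_length() + 8) // 8, "big", signed=True))

def _name(cn):
    """Name ::= SEQUENCE OF SET OF AttributeTypeAndValue, a single CN (2.5.4.3)."""
    return _seq(_tlv(0x31, _seq(_tlv(0x06, b"\x55\x04\x03"), _tlv(0x0C, cn.encode("utf-8")))))

_SHA256_RSA = _seq(_tlv(0x06, b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x0b"))  # sha256WithRSAEncryption

def make_cert(issuer_cn, subject_cn, serial, key_tag=b"k1"):
    """Constructed fixture: a Certificate shell whose tbsCertificate parses."""
    tbs = _seq(
        _tlv(0xA0, _integer(2)),                       # [0] EXPLICIT version v3
        _integer(serial),                              # serialNumber
        _SHA256_RSA,                                   # signature
        _name(issuer_cn),                              # issuer
        _seq(_tlv(0x17, b"110801000000Z"), _tlv(0x17, b"120801000000Z")),  # validity
        _name(subject_cn),                             # subject
        _seq(_SHA256_RSA, _tlv(0x03, b"\x00" + key_tag)),  # placeholder SPKI
    )
    return _seq(tbs, _SHA256_RSA, _tlv(0x03, b"\x00sig"))

def _read_tlv(buf, pos):
    """Return (tag, content, next_pos) for the TLV that starts at pos."""
    tag, first, pos = buf[pos], buf[pos + 1], pos + 2
    if first & 0x80:
        n = first & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    else:
        length = first
    return tag, buf[pos:pos + length], pos + length

def parse_tbs(cert_der):
    """Serial, issuer and subject of a DER Certificate (names kept as raw DER)."""
    tag, body, _ = _read_tlv(cert_der, 0)
    if tag != 0x30:
        raise ValueError("not a Certificate SEQUENCE")
    _, tbs, _ = _read_tlv(body, 0)
    tag, content, pos = _read_tlv(tbs, 0)
    if tag == 0xA0:                                    # optional [0] version
        tag, content, pos = _read_tlv(tbs, pos)
    if tag != 0x02:
        raise ValueError("expected serialNumber INTEGER")
    serial = int.from_bytes(content, "big", signed=True)
    _, _, pos = _read_tlv(tbs, pos)                    # skip signature AlgorithmIdentifier
    start = pos
    _, _, pos = _read_tlv(tbs, pos)                    # issuer Name
    issuer = tbs[start:pos]
    _, _, pos = _read_tlv(tbs, pos)                    # skip validity
    start = pos
    _, _, pos = _read_tlv(tbs, pos)                    # subject Name
    return {"serial": serial, "issuer": issuer, "subject": tbs[start:pos]}

class ReusedIssuerAndSerial(Exception):
    """The browser-side failure: same (issuer, serial), different certificate."""

class CertStore:
    """Toy cert DB keyed like NSS: one certificate per (issuer DN, serial)."""
    def __init__(self):
        self._certs = {}

    def add(self, cert_der):
        fields = parse_tbs(cert_der)
        key = (fields["issuer"], fields["serial"])
        existing = self._certs.get(key)
        if existing is not None and existing != cert_der:
            raise ReusedIssuerAndSerial("serial %d already used by this issuer" % key[1])
        self._certs[key] = cert_der

    def remove_issuer(self, issuer_der):
        """Targeted cleanup: forget every certificate issued under one issuer DN."""
        doomed = [k for k in self._certs if k[0] == issuer_der]
        for k in doomed:
            del self._certs[k]
        return len(doomed)

def accepts(store, cert_der):
    """True if the store takes the cert, False on a reused issuer+serial."""
    try:
        store.add(cert_der)
        return True
    except ReusedIssuerAndSerial:
        return False

def external_ca_files_error(ca_cert_der, issued_cert_der):
    """Pre-flight for an external-CA install: None when the file passed as the CA
    issued the file passed as the certificate, else a message saying what is wrong."""
    ca, issued = parse_tbs(ca_cert_der), parse_tbs(issued_cert_der)
    if issued["issuer"] == ca["subject"]:
        return None
    if ca["issuer"] == issued["subject"]:
        return "the two files appear swapped: the CA file was issued by the certificate file"
    return "the certificate was not issued by the subject of the CA file"
```

Comparing issuer and subject as raw DER is deliberate: a byte-exact match is what the store and the chain check both need, and it sidesteps the DN string-form normalisation questions that a real library has to solve. With real certificates the two parse_tbs() calls would be replaced by a proper X.509 parser; the decision logic stays the same.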
From: jcholast at redhat.com (Jan Cholasta) Date: Thu, 04 Aug 2011 17:33:59 +0200 Subject: [Freeipa-devel] [PATCH] 843 reduce dogtag install time In-Reply-To: <1312471488.3701.3.camel@dhcp-25-52.brq.redhat.com> References: <4E36FC4C.4030506@redhat.com> <1312285796.2457.27.camel@dhcp-25-52.brq.redhat.com> <4E3AB48C.9040900@redhat.com> <1312471488.3701.3.camel@dhcp-25-52.brq.redhat.com> Message-ID: <4E3ABBE7.3070202@redhat.com> On 4.8.2011 17:24, Martin Kosek wrote: > On Thu, 2011-08-04 at 17:02 +0200, Jan Cholasta wrote: >> On 2.8.2011 13:49, Martin Kosek wrote: >>> On Mon, 2011-08-01 at 15:19 -0400, Rob Crittenden wrote: >>>> Ade Lee from the dogtag team looked at our installer and found that we >>>> restarted the pki-cad process too many times. Re-arranging some code >>>> allows us to restart it just once. The new config time for dogtag is 3 >>>> 1/2 minutes, down from about 5 1/2. >>>> >>>> Ade is working on improvements in pki-silent as well which can bring the >>>> overall install time to 90 seconds. If we can get a change in SELinux >>>> policy we're looking at 60 seconds. >>>> >>>> This patch just contains the reworked installer part. Once an updated >>>> dogtag is released we can update the spec file to pull it in. >>>> >>>> rob >>> >>> This worked fine for standard dogtag installation + CA on a replica, but >>> it failed with external CA: >>> >>> /var/log/ipaserver-install.log: >>> ... >>> >>> admin/console/config/backupkeycertpanel.vm >>> >>> >>> checked >>> Failed to create pkcs12 file. >>> 19 >>> >>> Export Keys and Certificates >>> >>> >>> >>> .... 
>>> 2011-08-02 07:45:38,276 CRITICAL failed to configure ca instance Command >>> '/usr/bin/perl /usr/bin/pkisilent ConfigureCA -cs_hostname >>> vm-059.idm.lab.bos.redhat.com -cs_port 9445 >>> -client_certdb_dir /tmp/tmp-GS6wzH -client_certdb_pwd 'XXXXXXXX' >>> -preop_pin BbkK9wJ7vD9UEzL4kBcO -domain_name IPA -admin_user admin >>> -admin_email root at localhost -admin_password 'XXXXXXXX' -agent_name >>> ipa-ca-agent -agent_key_size 2048 -agent_key_type rsa >>> -agent_cert_subject "CN=ipa-ca-agent,O=IDM.LAB.BOS.REDHAT.COM" >>> -ldap_host vm-059.idm.lab.bos.redhat.com -ldap_port 7389 -bind_dn >>> "cn=Directory Manager" -bind_password 'XXXXXXXX' -base_dn o=ipaca >>> -db_name ipaca -key_size 2048 -key_type rsa -key_algorithm SHA256withRSA >>> -save_p12 true -backup_pwd 'XXXXXXXX' -subsystem_name pki-cad >>> -token_name internal -ca_subsystem_cert_subject_name "CN=CA >>> Subsystem,O=IDM.LAB.BOS.REDHAT.COM" -ca_ocsp_cert_subject_name "CN=OCSP >>> Subsystem,O=IDM.LAB.BOS.REDHAT.COM" -ca_server_cert_subject_name >>> "CN=vm-059.idm.lab.bos.redhat.com,O=IDM.LAB.BOS.REDHAT.COM" >>> -ca_audit_signing_cert_subject_name "CN=CA >>> Audit,O=IDM.LAB.BOS.REDHAT.COM" -ca_sign_cert_subject_name >>> "CN=Certificate Authority,O=IDM.LAB.BOS.REDHAT.COM" -external true >>> -ext_ca_cert_file /home/mkosek/cadb_f15/external-ca.crt >>> -ext_ca_cert_chain_file /home/mkosek/cadb_f15/ipa.crt -clone false' >>> returned non-zero exit status 255 >>> 2011-08-02 07:45:38,302 DEBUG Configuration of CA failed >>> ... >>> >> >> Works for me. >> >> It's just a guess, but didn't you happen to swap --external_cert_file >> and --external_ca_file? >> >> Honza >> > > That's a good bet. I managed to find CRTs used in my installation and > displayed their contents and they were indeed wrong. So the problem was > only my side. > > ACK for Rob's patch then. 
> > Martin > It would be nice to add some sanity checks (verify that --external_cert_file's subject name is correct and that its issuer name matches --external_ca_file's subject name) to prevent this kind of problem in the future. Honza -- Jan Cholasta From rcritten at redhat.com Thu Aug 4 15:36:33 2011 
From: rcritten at redhat.com (Rob Crittenden) Date: Thu, 04 Aug 2011 11:36:33 -0400 Subject: [Freeipa-devel] [PATCH] 843 reduce dogtag install time In-Reply-To: <4E3ABBE7.3070202@redhat.com> References: <4E36FC4C.4030506@redhat.com> <1312285796.2457.27.camel@dhcp-25-52.brq.redhat.com> <4E3AB48C.9040900@redhat.com> <1312471488.3701.3.camel@dhcp-25-52.brq.redhat.com> <4E3ABBE7.3070202@redhat.com> Message-ID: <4E3ABC81.5070504@redhat.com> Jan Cholasta wrote: > On 4.8.2011 17:24, Martin Kosek wrote: >> On Thu, 2011-08-04 at 17:02 +0200, Jan Cholasta wrote: >>> On 2.8.2011 13:49, Martin Kosek wrote: >>>> On Mon, 2011-08-01 at 15:19 -0400, Rob Crittenden wrote: >>>>> Ade Lee from the dogtag team looked at our installer and found that we >>>>> restarted the pki-cad process too many times. Re-arranging some code >>>>> allows us to restart it just once. The new config time for dogtag is 3 >>>>> 1/2 minutes, down from about 5 1/2. >>>>> >>>>> Ade is working on improvements in pki-silent as well which can >>>>> bring the >>>>> overall install time to 90 seconds. If we can get a change in SELinux >>>>> policy we're looking at 60 seconds. >>>>> >>>>> This patch just contains the reworked installer part. Once an updated >>>>> dogtag is released we can update the spec file to pull it in. >>>>> >>>>> rob >>>> >>>> This worked fine for standard dogtag installation + CA on a replica, >>>> but >>>> it failed with external CA: >>>> >>>> /var/log/ipaserver-install.log: >>>> ... >>>> >>>> admin/console/config/backupkeycertpanel.vm >>>> >>>> >>>> checked >>>> Failed to create pkcs12 file. >>>> 19 >>>> >>>> Export Keys and Certificates >>>> >>>> >>>> >>>> .... 
>>>> 2011-08-02 07:45:38,276 CRITICAL failed to configure ca instance >>>> Command >>>> '/usr/bin/perl /usr/bin/pkisilent ConfigureCA -cs_hostname >>>> vm-059.idm.lab.bos.redhat.com -cs_port 9445 >>>> -client_certdb_dir /tmp/tmp-GS6wzH -client_certdb_pwd 'XXXXXXXX' >>>> -preop_pin BbkK9wJ7vD9UEzL4kBcO -domain_name IPA -admin_user admin >>>> -admin_email root at localhost -admin_password 'XXXXXXXX' -agent_name >>>> ipa-ca-agent -agent_key_size 2048 -agent_key_type rsa >>>> -agent_cert_subject "CN=ipa-ca-agent,O=IDM.LAB.BOS.REDHAT.COM" >>>> -ldap_host vm-059.idm.lab.bos.redhat.com -ldap_port 7389 -bind_dn >>>> "cn=Directory Manager" -bind_password 'XXXXXXXX' -base_dn o=ipaca >>>> -db_name ipaca -key_size 2048 -key_type rsa -key_algorithm >>>> SHA256withRSA >>>> -save_p12 true -backup_pwd 'XXXXXXXX' -subsystem_name pki-cad >>>> -token_name internal -ca_subsystem_cert_subject_name "CN=CA >>>> Subsystem,O=IDM.LAB.BOS.REDHAT.COM" -ca_ocsp_cert_subject_name "CN=OCSP >>>> Subsystem,O=IDM.LAB.BOS.REDHAT.COM" -ca_server_cert_subject_name >>>> "CN=vm-059.idm.lab.bos.redhat.com,O=IDM.LAB.BOS.REDHAT.COM" >>>> -ca_audit_signing_cert_subject_name "CN=CA >>>> Audit,O=IDM.LAB.BOS.REDHAT.COM" -ca_sign_cert_subject_name >>>> "CN=Certificate Authority,O=IDM.LAB.BOS.REDHAT.COM" -external true >>>> -ext_ca_cert_file /home/mkosek/cadb_f15/external-ca.crt >>>> -ext_ca_cert_chain_file /home/mkosek/cadb_f15/ipa.crt -clone false' >>>> returned non-zero exit status 255 >>>> 2011-08-02 07:45:38,302 DEBUG Configuration of CA failed >>>> ... >>>> >>> >>> Works for me. >>> >>> It's just a guess, but didn't you happen to swap --external_cert_file >>> and --external_ca_file? >>> >>> Honza >>> >> >> That's a good bet. I managed to find CRTs used in my installation and >> displayed their contents and they were indeed wrong. So the problem was >> only my side. >> >> ACK for Rob's patch then. 
>> >> Martin >> > > It would be nice to add some sanity checks (verify that > --external_cert_file's subject name is correct and that its issuer name > matches --external_ca_file's subject name) to prevent this kind of > problem in the future. > > Honza > https://fedorahosted.org/freeipa/ticket/1572 From rcritten at redhat.com Thu Aug 4 15:38:34 2011 
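The sanity check Honza proposes above (tracked by Rob as ticket 1572), written out as an added example that is not part of the thread or of FreeIPA. It assumes the `cryptography` package, RSA keys as in the pkisilent command quoted in the thread, and that the subject the installer expects is the `CN=Certificate Authority,O=<realm>` it passes to pkisilent as `-ca_sign_cert_subject_name`; the sample CA and certificate are generated in memory for the demonstration. It goes one step beyond the name comparison by verifying the signature, so a certificate that merely names the CA as its issuer is still rejected.

```python
"""Sanity checks for the --external_cert_file / --external_ca_file pair.

Added example, not FreeIPA code.  Assumes the `cryptography` package and
RSA keys; the expected subject CN=Certificate Authority,O=<realm> is the
one the installer hands to pkisilent as -ca_sign_cert_subject_name.
"""
import datetime

from cryptography import x509
from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import padding, rsa
from cryptography.x509.oid import NameOID


def ipa_ca_subject(realm):
    # DER order is O then CN, so rfc4514_string() reads
    # "CN=Certificate Authority,O=<realm>" like the pkisilent argument.
    return x509.Name([
        x509.NameAttribute(NameOID.ORGANIZATION_NAME, realm),
        x509.NameAttribute(NameOID.COMMON_NAME, "Certificate Authority"),
    ])


def check_external_certs(cert_pem, ca_pem, realm):
    """Return a list of problems; an empty list means the pair is consistent."""
    cert = x509.load_pem_x509_certificate(cert_pem)
    ca = x509.load_pem_x509_certificate(ca_pem)
    problems = []
    expected = ipa_ca_subject(realm)
    if cert.subject != expected:
        problems.append("--external_cert_file subject is %s, expected %s"
                        % (cert.subject.rfc4514_string(),
                           expected.rfc4514_string()))
    if cert.issuer != ca.subject:
        problems.append("--external_cert_file issuer %s does not match "
                        "--external_ca_file subject %s"
                        % (cert.issuer.rfc4514_string(),
                           ca.subject.rfc4514_string()))
    # Names alone can be copied; the signature is the real proof of issuance.
    try:
        ca.public_key().verify(cert.signature, cert.tbs_certificate_bytes,
                               padding.PKCS1v15(),
                               cert.signature_hash_algorithm)
    except InvalidSignature:
        problems.append("--external_cert_file was not signed by the key "
                        "in --external_ca_file")
    return problems


def _cert(subject, issuer, issuer_key, subject_key):
    """Build a CA certificate for subject, signed by issuer_key (RSA, SHA-256)."""
    now = datetime.datetime.now(datetime.timezone.utc)
    builder = (x509.CertificateBuilder()
               .subject_name(subject)
               .issuer_name(issuer)
               .public_key(subject_key.public_key())
               .serial_number(x509.random_serial_number())
               .not_valid_before(now - datetime.timedelta(days=1))
               .not_valid_after(now + datetime.timedelta(days=365))
               .add_extension(x509.BasicConstraints(ca=True, path_length=None),
                              critical=True))
    cert = builder.sign(issuer_key, hashes.SHA256())
    return cert.public_bytes(serialization.Encoding.PEM)


def make_sample_pair(realm):
    """Constructed test data: an external root CA and the IPA CA cert it
    signed.  Returns (external_cert_pem, external_ca_pem)."""
    root_key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    ipa_key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    root_name = x509.Name([
        x509.NameAttribute(NameOID.ORGANIZATION_NAME, "Example Corp"),
        x509.NameAttribute(NameOID.COMMON_NAME, "Example External Root"),
    ])
    ca_pem = _cert(root_name, root_name, root_key, root_key)
    cert_pem = _cert(ipa_ca_subject(realm), root_name, root_key, ipa_key)
    return cert_pem, ca_pem


if __name__ == "__main__":
    realm = "EXAMPLE.TEST"
    cert_pem, ca_pem = make_sample_pair(realm)
    print("correct order:", check_external_certs(cert_pem, ca_pem, realm))
    print("swapped files:", check_external_certs(ca_pem, cert_pem, realm))
```

With the files in the right order the function returns no problems; with the two PEM files swapped, as in Martin's installation, all three checks fail, which is exactly the condition the installer could report before ever running pkisilent.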
From: rcritten at redhat.com (Rob Crittenden) Date: Thu, 04 Aug 2011 11:38:34 -0400 Subject: [Freeipa-devel] [PATCH] 843 reduce dogtag install time In-Reply-To: <1312471488.3701.3.camel@dhcp-25-52.brq.redhat.com> References: <4E36FC4C.4030506@redhat.com> <1312285796.2457.27.camel@dhcp-25-52.brq.redhat.com> <4E3AB48C.9040900@redhat.com> <1312471488.3701.3.camel@dhcp-25-52.brq.redhat.com> Message-ID: <4E3ABCFA.6030705@redhat.com> Martin Kosek wrote: > On Thu, 2011-08-04 at 17:02 +0200, Jan Cholasta wrote: >> On 2.8.2011 13:49, Martin Kosek wrote: >>> On Mon, 2011-08-01 at 15:19 -0400, Rob Crittenden wrote: >>>> Ade Lee from the dogtag team looked at our installer and found that we >>>> restarted the pki-cad process too many times. Re-arranging some code >>>> allows us to restart it just once. The new config time for dogtag is 3 >>>> 1/2 minutes, down from about 5 1/2. >>>> >>>> Ade is working on improvements in pki-silent as well which can bring the >>>> overall install time to 90 seconds. If we can get a change in SELinux >>>> policy we're looking at 60 seconds. >>>> >>>> This patch just contains the reworked installer part. Once an updated >>>> dogtag is released we can update the spec file to pull it in. >>>> >>>> rob >>> >>> This worked fine for standard dogtag installation + CA on a replica, but >>> it failed with external CA: >>> >>> /var/log/ipaserver-install.log: >>> ... >>> >>> admin/console/config/backupkeycertpanel.vm >>> >>> >>> checked >>> Failed to create pkcs12 file. >>> 19 >>> >>> Export Keys and Certificates >>> >>> >>> >>> .... 
>>> 2011-08-02 07:45:38,276 CRITICAL failed to configure ca instance Command >>> '/usr/bin/perl /usr/bin/pkisilent ConfigureCA -cs_hostname >>> vm-059.idm.lab.bos.redhat.com -cs_port 9445 >>> -client_certdb_dir /tmp/tmp-GS6wzH -client_certdb_pwd 'XXXXXXXX' >>> -preop_pin BbkK9wJ7vD9UEzL4kBcO -domain_name IPA -admin_user admin >>> -admin_email root at localhost -admin_password 'XXXXXXXX' -agent_name >>> ipa-ca-agent -agent_key_size 2048 -agent_key_type rsa >>> -agent_cert_subject "CN=ipa-ca-agent,O=IDM.LAB.BOS.REDHAT.COM" >>> -ldap_host vm-059.idm.lab.bos.redhat.com -ldap_port 7389 -bind_dn >>> "cn=Directory Manager" -bind_password 'XXXXXXXX' -base_dn o=ipaca >>> -db_name ipaca -key_size 2048 -key_type rsa -key_algorithm SHA256withRSA >>> -save_p12 true -backup_pwd 'XXXXXXXX' -subsystem_name pki-cad >>> -token_name internal -ca_subsystem_cert_subject_name "CN=CA >>> Subsystem,O=IDM.LAB.BOS.REDHAT.COM" -ca_ocsp_cert_subject_name "CN=OCSP >>> Subsystem,O=IDM.LAB.BOS.REDHAT.COM" -ca_server_cert_subject_name >>> "CN=vm-059.idm.lab.bos.redhat.com,O=IDM.LAB.BOS.REDHAT.COM" >>> -ca_audit_signing_cert_subject_name "CN=CA >>> Audit,O=IDM.LAB.BOS.REDHAT.COM" -ca_sign_cert_subject_name >>> "CN=Certificate Authority,O=IDM.LAB.BOS.REDHAT.COM" -external true >>> -ext_ca_cert_file /home/mkosek/cadb_f15/external-ca.crt >>> -ext_ca_cert_chain_file /home/mkosek/cadb_f15/ipa.crt -clone false' >>> returned non-zero exit status 255 >>> 2011-08-02 07:45:38,302 DEBUG Configuration of CA failed >>> ... >>> >> >> Works for me. >> >> It's just a guess, but didn't you happen to swap --external_cert_file >> and --external_ca_file? >> >> Honza >> > > That's a good bet. I managed to find CRTs used in my installation and > displayed their contents and they were indeed wrong. So the problem was > only my side. > > ACK for Rob's patch then. > > Martin > Pushed to master and ipa-2-0 From ayoung at redhat.com Thu Aug 4 15:50:10 2011 
From: ayoung at redhat.com (Adam Young)
Date: Thu, 04 Aug 2011 11:50:10 -0400
Subject: [Freeipa-devel] [PATCH] 235 Linked entries in HBAC/sudo details page.
In-Reply-To: <4E39CD0F.8090902@redhat.com>
References: <4E39CD0F.8090902@redhat.com>
Message-ID: <4E3ABFB2.6060103@redhat.com>

On 08/03/2011 06:34 PM, Endi Sukma Dewata wrote:
> The association tables in HBAC/sudo details page have been modified
> to link the entries to the appropriate details page.
>
> Ticket #1535
>
>
> _______________________________________________
> Freeipa-devel mailing list
> Freeipa-devel at redhat.com
> https://www.redhat.com/mailman/listinfo/freeipa-devel

ACK. Pushed to master

From edewata at redhat.com Thu Aug 4 18:24:20 2011
From: edewata at redhat.com (Endi Sukma Dewata) Date: Thu, 04 Aug 2011 13:24:20 -0500 Subject: [Freeipa-devel] [PATCH] 002 Fixed adding host without DNS reverse zone In-Reply-To: <1312449734.20559.17.camel@dhcp-25-197.brq.redhat.com> References: <1311679630.2338.61.camel@dhcp-25-197.brq.redhat.com> <4E2F4932.3080409@redhat.com> <4E2F6A96.706@redhat.com> <1311771699.2079.6.camel@dhcp-25-197.brq.redhat.com> <4E32CA7D.9090909@redhat.com> <4E32CAFD.2030009@redhat.com> <1311955971.10002.11.camel@dhcp-25-197.brq.redhat.com> <4E32E9DC.2060609@redhat.com> <1312449734.20559.17.camel@dhcp-25-197.brq.redhat.com> Message-ID: <4E3AE3D4.50404@redhat.com> On 8/4/2011 4:22 AM, Petr Vobornik wrote: > new version attached Almost there, just a few more minor issues. >> Also these changes should be reverted back to maintain the Ajax context: >> >> - that.on_error.call(this, xhr, text_status, error_thrown); >> + that.on_error(xhr, text_status, error_thrown); >> >> - that.on_success.call(this, data, text_status, xhr); >> + that.on_success(data, text_status, xhr); > > Reverted back. Just for my information: ajax context is preserved for > some future use, or it is already used somewhere? The Ajax context right now is only used to get the URL causing HTTP error (ipa.js:301). Things might have changed, I'm not sure how to generate HTTP error anymore. The URL can actually be obtained from the url variable in the execute() method, but there are other things that you can get from Ajax context that might be useful in the future. Try setting a breakpoint inside the success_handler() or error_handler() and inspect the 'this' variable. I think we should make sure the callback functions behave like real Ajax callback function to avoid future problems, so 'this' should always point to Ajax context. There are actually a few places where the Ajax context doesn't get passed to the callback function: - ipa.js:409,418,428,431,436,620 - host.js:155 A bunch of these are existing issues. 
We can fix them separately.

>> Another thing, in the init() you can access the spec object directly, so
>> don't really have to pass it as a parameter.

> Yeah, I know. The purpose for this was to be able to call init method
> again later (which was made public as xxx_init(spec)). But probably it
> isn't in compliance with removes of public init methods.

The init() method that we removed recently was a method that was called
to initialize the object after the metadata becomes available. In the
past some objects were created before the metadata was available, but
now it's no longer the case so the object can be created and initialized
at the same time. There's nothing wrong with creating an init() method
to encapsulate the initialization sequence, but it doesn't need to be
made public like before because the subclasses no longer need to call it
explicitly. No need to change anything here.

The default values in ipa.js:576-579 are redundant because they will be
overridden by the spec in init(). I think the assignments in init() can
be replaced by something like this:

that.xhr = spec.xhr || {};

Note that the default value for xhr and error_thrown should be an empty
object.

There are some unit test failures in ipa_tests.js because
IPA.error_dialog used to point to the dialog instance. You might want to
change it to get the instance using something else, e.g. element ID.

There are some other unit test failures, but they seem to be caused by
the earlier failure. They actually pass if run separately.

--
Endi S. Dewata

From JR.Aquino at citrix.com Fri Aug 5 00:03:04 2011
From: JR.Aquino at citrix.com (JR Aquino) Date: Fri, 5 Aug 2011 00:03:04 +0000 Subject: [Freeipa-devel] [PATCH] 34 Create FreeIPA CLI Plugin for the 389 Auto Membership plugin In-Reply-To: <4E395C15.6040209@redhat.com> References: <99CC5FCC-73CE-43C1-9B73-4DDD69A4637D@citrixonline.com> <1310730613.32137.22.camel@dhcp-25-52.brq.redhat.com> <4E2054E3.5060306@redhat.com> <84A3F669-CCF3-4C6C-9525-5BD4A71E6E1E@citrixonline.com> <4E26F657.8030901@redhat.com> <3D1116E1-B782-4F43-B6DA-08E8FCFC34A1@citrixonline.com> <4E279A3C.5040900@redhat.com> <328D74A5-F560-4DC6-8E5F-413AFDCCAABC@citrixonline.com> <1311246577.17378.28.camel@dhcp-25-52.brq.redhat.com> <4E28384A.708@redhat.com> <0BF013EE-B1ED-4953-94ED-F3BA825CFE78@citrixonline.com> <60FB2C65-DFB4-41B4-A51F-78FE89BB1A1E@citrixonline.com> <1312202461.2484.4.camel@dhcp-25-52.brq.redhat.com> <4E36A27F.4020908@redhat.com> <4E37F3AD.1030801@redhat.com> <24D74CFC-C481-42A2-A52A-5F985A40D9A7@citrix.com> <4E395C15.6040209@redhat.com> Message-ID: <5DFBD544-20B5-4D6C-BED7-FD1AFE973A7D@citrixonline.com> On Aug 3, 2011, at 7:32 AM, Rob Crittenden wrote: > JR Aquino wrote: >> On Aug 2, 2011, at 5:55 AM, "Rob Crittenden" wrote: >>> JR Aquino wrote: >>>> >>>> I am fairly opposed to removing 'default' attrs which the rules are applied to... I am happy to provide a means to override them. >>>> >>>> While it may be second nature for all of us to know that there is an fqdn attribute, etc, our consumers are likely not going to intrinsically know our schema. We also deliberately mask the real attribute names in the framework. (fqdn = Host name) >>>> >>>> Providing a default feels like a happy medium which allows for ease of use and somewhat of a safety belt against users defining an incorrect attribute name. >>>> >>>> It also might get somewhat tiring to constantly provide --key=fqdn every time you add a hostname regex? >>> >>> Ok, but when you display rules fqdn is displayed. 
How are users to know
>>> they shouldn't include fqdn= when removing existing rules?
>>
>> I guess my preference would be to heavily document, in the example, the plugin, and the docs...
>>
>> My concern is that without a default, a typo in the attr would produce unintended results. Without a schema checker, it's kinda tough to take an attr at face value from a user. Does the python ldap implementation have a means to check schema in order to verify an attribute?
>>
>> The design of the automember plugin. Having the attr in the Regex does make for some complexity....
>>
>
> We do have a schema checker. You can test for existence of an attribute with something like:
>
> import ldap as _ldap
> obj = ldap.schema.get_obj(_ldap.schema.AttributeType, attr)
> if obj is None:
>     # Error, no such attribute

def check_attr(self, attr):
    """
    Verify that the user supplied key is a valid attribute in the schema
    """
    ldap = self.api.Backend.ldap2
    obj = ldap.schema.get_obj(_ldap.schema.AttributeType, attr)
    return obj

[Thu Aug 04 16:58:41 2011] [error]   File "/usr/lib/python2.7/site-packages/ipalib/plugins/automember.py", line 209, in check_attr
[Thu Aug 04 16:58:41 2011] [error]     obj = ldap.schema.get_obj(_ldap.schema.AttributeType, attr)
[Thu Aug 04 16:58:41 2011] [error] AttributeError: 'NoneType' object has no attribute 'get_obj'

Seems that ldap doesn't have a get_obj inside of schema?

From mkosek at redhat.com Fri Aug 5 07:02:46 2011
From: mkosek at redhat.com (Martin Kosek) Date: Fri, 05 Aug 2011 09:02:46 +0200 Subject: [Freeipa-devel] [PATCH] 34 Create FreeIPA CLI Plugin for the 389 Auto Membership plugin In-Reply-To: <5DFBD544-20B5-4D6C-BED7-FD1AFE973A7D@citrixonline.com> References: <99CC5FCC-73CE-43C1-9B73-4DDD69A4637D@citrixonline.com> <1310730613.32137.22.camel@dhcp-25-52.brq.redhat.com> <4E2054E3.5060306@redhat.com> <84A3F669-CCF3-4C6C-9525-5BD4A71E6E1E@citrixonline.com> <4E26F657.8030901@redhat.com> <3D1116E1-B782-4F43-B6DA-08E8FCFC34A1@citrixonline.com> <4E279A3C.5040900@redhat.com> <328D74A5-F560-4DC6-8E5F-413AFDCCAABC@citrixonline.com> <1311246577.17378.28.camel@dhcp-25-52.brq.redhat.com> <4E28384A.708@redhat.com> <0BF013EE-B1ED-4953-94ED-F3BA825CFE78@citrixonline.com> <60FB2C65-DFB4-41B4-A51F-78FE89BB1A1E@citrixonline.com> <1312202461.2484.4.camel@dhcp-25-52.brq.redhat.com> <4E36A27F.4020908@redhat.com> <4E37F3AD.1030801@redhat.com> <24D74CFC-C481-42A2-A52A-5F985A40D9A7@citrix.com> <4E395C15.6040209@redhat.com> <5DFBD544-20B5-4D6C-BED7-FD1AFE973A7D@citrixonline.com> Message-ID: <1312527768.13567.11.camel@dhcp-25-52.brq.redhat.com> On Fri, 2011-08-05 at 00:03 +0000, JR Aquino wrote: > On Aug 3, 2011, at 7:32 AM, Rob Crittenden wrote: > > > JR Aquino wrote: > >> On Aug 2, 2011, at 5:55 AM, "Rob Crittenden" wrote: > >>> JR Aquino wrote: > >>>> > >>>> I am fairly opposed to removing 'default' attrs which the rules are applied to... I am happy to provide a means to override them. > >>>> > >>>> While it may be second nature for all of us to know that there is an fqdn attribute, etc, our consumers are likely not going to intrinsically know our schema. We also deliberately mask the real attribute names in the framework. (fqdn = Host name) > >>>> > >>>> Providing a default feels like a happy medium which allows for ease of use and somewhat of a safety belt against users defining an incorrect attribute name. 
> >>>> > >>>> It also might get somewhat tiring to constantly provide --key=fqdn every time you add a hostname regex? > >>> > >>> Ok, but when you display rules fqdn is displayed. How are users to know > >>> they shouldn't include fqdn= when removing existing rules? > >> > >> I guess my preference would be to heavily document, in the example, the plugin, and the docs... > >> > >> My concern is that without a default, a typo in the attr would produce unintended results. Without a schema checker, it's kinda tough to take an attr at face value from a user. Does the python ldap implementation have a means to check schema in order to verify an attribute? > >> > >> The design of the automember pluginhHaving the attr in the Regex does make for some complexity.... > >> > > > > We do have a schema checker. You can test for existence of an attribute with something like: > > > > import ldap as _ldap > > obj = ldap.schema.get_obj(_ldap.schema.AttributeType, attr) > > if obj is None: > > # Error, no such attribute > > > def check_attr(self, attr): > """ > Verify that the user supplied key is a valid attribute in the schema > """ > ldap = self.api.Backend.ldap2 > obj = ldap.schema.get_obj(_ldap.schema.AttributeType, attr) > return obj > > [Thu Aug 04 16:58:41 2011] [error] File "/usr/lib/python2.7/site-packages/ipalib/plugins/automember.py", line 209, in check_attr > [Thu Aug 04 16:58:41 2011] [error] obj = ldap.schema.get_obj(_ldap.schema.AttributeType, attr) > [Thu Aug 04 16:58:41 2011] [error] AttributeError: 'NoneType' object has no attribute 'get_obj' > > Seems that ldap doesn't have a get_obj inside of schema? > This error means that schema attribute in the ldap2 object is None. I think the schema may not be loaded yet, there is a lazy retrieval of the LDAP schema. 
You can either use the following method in ldap2.py instead:

def get_syntax(self, attr, value):
    if not self.schema:
        self.get_schema()          <<<<<
    obj = self.schema.get_obj(_ldap.schema.AttributeType, attr)
    if obj is not None:
        return obj.syntax
    else:
        return None

or add the lazy retrieval function calling yourself:

if not self.schema:
    self.get_schema()

Martin

From pvoborni at redhat.com Fri Aug 5 13:22:23 2011
From: pvoborni at redhat.com (Petr Vobornik)
Date: Fri, 05 Aug 2011 15:22:23 +0200
Subject: [Freeipa-devel] [PATCH] 003 Redirection after changing browser configuration
Message-ID: <1312550545.20559.59.camel@dhcp-25-197.brq.redhat.com>

Redirection after changing browser configuration
https://fedorahosted.org/freeipa/ticket/1502

Added redirection link.

Notes:
Modified preferences.html.template to be able to respond to the configuration change.
Because of security policy the page cannot be automatically redirected (it has to redirect the top frame). -> Message with link was added.
Redirection link has to use absolute url because page is situated in object frame and its location points to jar archive.

--
Petr Voborník

-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-pvoborni-0003-Redirection-after-changing-browser-configuration.patch
Type: text/x-patch
Size: 1639 bytes
Desc: not available
URL:

From edewata at redhat.com Fri Aug 5 16:12:24 2011
From: edewata at redhat.com (Endi Sukma Dewata)
Date: Fri, 05 Aug 2011 11:12:24 -0500
Subject: [Freeipa-devel] [PATCH] 236 Fixed 3rd level tab style.
Message-ID: <4E3C1668.9080506@redhat.com>

The 3rd level tab style has been adjusted according to UXD input.

--
Endi S. Dewata

-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-edewata-0236-Fixed-3rd-level-tab-style.patch
Type: text/x-patch
Size: 3493 bytes
Desc: not available
URL:

From pvoborni at redhat.com Fri Aug 5 16:33:37 2011
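The schema lookup JR Aquino and Martin Kosek discuss in the automember thread above, as an added example that is not FreeIPA's code: python-ldap's `SubSchema.get_obj()` is replaced by a small stdlib parser of RFC 4512 `attributeTypes` definitions so the block runs offline, the schema is fetched lazily on first use the way Martin's `get_syntax()` does, and the sample subschema, its non-standard OIDs (cn and sn carry their real X.500 OIDs; the others are placeholders) and the `SchemaChecker` class are constructed for this example. It also compiles the regex half of an `attr=regex` condition, the validation Rob asks about elsewhere in the thread; Python's `re` is only an approximation of the Directory Server's regex dialect, which is an assumption to keep in mind.

```python
"""Validate a user-supplied "attr=regex" automember condition against the
LDAP schema before it is stored.

Added example, not FreeIPA code.  python-ldap's SubSchema is stood in for
by a stdlib parser of RFC 4512 attributeTypes definitions; the lazy
retrieval mirrors ldap2.get_syntax() from the thread.
"""
import re

# Constructed subschema subentry.  cn/sn use the standard X.500 OIDs; the
# OIDs for fqdn and automemberInclusiveRegex are placeholders, not IPA's.
SAMPLE_SUBSCHEMA = {
    "attributeTypes": [
        "( 2.5.4.3 NAME ( 'cn' 'commonName' ) SUP name )",
        "( 2.5.4.4 NAME ( 'sn' 'surname' ) SUP name )",
        "( 1.1.1.1.1 NAME 'fqdn' DESC 'Host name' EQUALITY caseIgnoreIA5Match "
        "SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE )",
        "( 1.1.1.1.2 NAME 'automemberInclusiveRegex' "
        "SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )",
    ],
}

# RFC 4512: an attribute is referred to by a keystring or a numeric OID.
_DESCRIPTOR_RE = re.compile(r"^(?:[A-Za-z][A-Za-z0-9-]*|\d+(?:\.\d+)+)$")
_OID_RE = re.compile(r"^\(\s*(\S+)")
_NAME_RE = re.compile(r"\bNAME\s+(?:'([^']*)'|\(\s*((?:'[^']*'\s*)+)\))")


def parse_attribute_types(definitions):
    """Index attributeTypes definitions by OID and by every NAME, lower-cased
    because attribute descriptors are case-insensitive."""
    index = {}
    for definition in definitions:
        oid = _OID_RE.match(definition.strip())
        if oid is None:
            raise ValueError("malformed attributeTypes definition: %r" % definition)
        names = [oid.group(1)]
        m = _NAME_RE.search(definition)
        if m:
            if m.group(1) is not None:
                names.append(m.group(1))          # NAME 'fqdn'
            else:
                names.extend(re.findall(r"'([^']*)'", m.group(2)))  # NAME ( 'cn' 'commonName' )
        for name in names:
            index[name.lower()] = definition
    return index


class SchemaChecker:
    """Holds the schema the way ldap2 does: None until first use, then
    loaded once by get_schema()."""

    def __init__(self, fetch_subschema):
        self._fetch = fetch_subschema   # callable standing in for the LDAP read
        self.schema = None
        self.fetch_count = 0            # shows the lazy load happens once

    def get_schema(self):
        self.fetch_count += 1
        self.schema = parse_attribute_types(self._fetch()["attributeTypes"])

    def check_attr(self, attr):
        """True if attr names an attribute type present in the schema."""
        if not _DESCRIPTOR_RE.match(attr):
            return False                # "fqdn=" or "fq dn" never reaches the lookup
        if not self.schema:             # lazy retrieval, as in ldap2.get_syntax()
            self.get_schema()
        return attr.lower() in self.schema

    def validate_condition(self, condition):
        """Split "attr=regex", check the attribute exists and the regex
        compiles.  Returns (attr, regex) or raises ValueError with a
        message suitable for the CLI user (a plugin would raise
        ipalib.errors.ValidationError instead)."""
        attr, sep, regex = condition.partition("=")
        if not sep or not attr or not regex:
            raise ValueError("condition must have the form attr=regex")
        if not self.check_attr(attr):
            raise ValueError("unknown attribute %r; check the schema" % attr)
        try:
            re.compile(regex)
        except re.error as exc:
            raise ValueError("invalid regular expression %r: %s" % (regex, exc))
        return attr, regex


def is_rejected(checker, condition):
    """True if validate_condition() refuses the condition."""
    try:
        checker.validate_condition(condition)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    checker = SchemaChecker(lambda: SAMPLE_SUBSCHEMA)
    for cond in (r"fqdn=^web[0-9]+\.example\.com$", "fqnd=^web", "fqdn=^web["):
        print(cond, "->", "rejected" if is_rejected(checker, cond) else "ok")
```

The descriptor regex is the cheap first line of defence JR was after: a typo like `fqnd` is caught by the schema lookup, while a value that is not an attribute name at all (`fqdn=` pasted from a displayed rule) is refused before any schema is consulted, so the installer or plugin never stores a rule that silently matches nothing.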
From: pvoborni at redhat.com (Petr Vobornik) Date: Fri, 05 Aug 2011 18:33:37 +0200 Subject: [Freeipa-devel] [PATCH] 002 Fixed adding host without DNS reverse zone In-Reply-To: <4E3AE3D4.50404@redhat.com> References: <1311679630.2338.61.camel@dhcp-25-197.brq.redhat.com> <4E2F4932.3080409@redhat.com> <4E2F6A96.706@redhat.com> <1311771699.2079.6.camel@dhcp-25-197.brq.redhat.com> <4E32CA7D.9090909@redhat.com> <4E32CAFD.2030009@redhat.com> <1311955971.10002.11.camel@dhcp-25-197.brq.redhat.com> <4E32E9DC.2060609@redhat.com> <1312449734.20559.17.camel@dhcp-25-197.brq.redhat.com> <4E3AE3D4.50404@redhat.com> Message-ID: <1312562020.20559.75.camel@dhcp-25-197.brq.redhat.com> On Thu, 2011-08-04 at 13:24 -0500, Endi Sukma Dewata wrote: > On 8/4/2011 4:22 AM, Petr Vobornik wrote: > > new version attached > > Almost there, just a few more minor issues. > > >> Also these changes should be reverted back to maintain the Ajax context: > >> > >> - that.on_error.call(this, xhr, text_status, error_thrown); > >> + that.on_error(xhr, text_status, error_thrown); > >> > >> - that.on_success.call(this, data, text_status, xhr); > >> + that.on_success(data, text_status, xhr); > > > > Reverted back. Just for my information: ajax context is preserved for > > some future use, or it is already used somewhere? > > The Ajax context right now is only used to get the URL causing HTTP > error (ipa.js:301). Things might have changed, I'm not sure how to > generate HTTP error anymore. The URL can actually be obtained from the > url variable in the execute() method, but there are other things that > you can get from Ajax context that might be useful in the future. Try > setting a breakpoint inside the success_handler() or error_handler() and > inspect the 'this' variable. I think we should make sure the callback > functions behave like real Ajax callback function to avoid future > problems, so 'this' should always point to Ajax context. 
> > There are actually a few places where the Ajax context doesn't get > passed to the callback function: > - ipa.js:409,418,428,431,436,620 > - host.js:155 > A bunch of these are existing issues. We can fix them separately. > > >> Another thing, in the init() you can access the spec object directly, so > >> don't really have to pass it as a parameter. > > > Yeah, I know. The purpose for this was to be able to call init method > > again later (which was made public as xxx_init(spec)). But probably it > > isn't in compliance with removes of public init methods. > > The init() method that we removed recently was a method that was called > to initialize the object after the metadata becomes available. In the > past some objects were created before the metadata was available, but > now it's no longer the case so the object can be created and initialized > at the same time. There's nothing wrong with creating an init() method > to encapsulate the initialization sequence, but it doesn't need to be > made public like before because the subclasses no longer need to call it > explicitly. No need to change anything here. > > The default values in ipa.js:576-579 are redundant because they will be > overridden by the spec in init(). Removed. > I think the assignments in init() can > be replaced by something like this: > that.xhr = spec.xhr || {}; > Note that the default value for xhr and error_thrown should be an empty > object. Reworked, probably we should add some generic error title to internal.py as default value for error dialog title. > > There are some unit test failures in ipa_tests.js because > IPA.error_dialog used to point to the dialog instance. You might want to > change it to get the instance using something else, e.g. element ID. - Added property 'id' to dialog (which is added to its div) - Added reference to ../dialog.js in ipa.tests.html - Reworked ipa.test.js to work with error_dialog id. 
>
> There are some other unit test failures, but they seem to be
> caused by the earlier failure. They actually pass if run separately.
>

--> All test should pass.

--
Petr Voborník

-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-pvoborni-0002-6-Fixed-adding-host-without-DNS-reverse-zone.patch
Type: text/x-patch
Size: 14375 bytes
Desc: not available
URL:

From edewata at redhat.com Fri Aug 5 18:25:36 2011
From: edewata at redhat.com (Endi Sukma Dewata)
Date: Fri, 05 Aug 2011 13:25:36 -0500
Subject: [Freeipa-devel] [PATCH] 237 Fixed facet group labels.
Message-ID: <4E3C35A0.1080003@redhat.com>

The facet group labels have been modified according to UXD spec. Some
facet groups will have more descriptive labels. Some others will not
have any labels because the facet tab is self-explanatory.

Ticket #1423, #1561

--
Endi S. Dewata

-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-edewata-0237-Fixed-facet-group-labels.patch
Type: text/x-patch
Size: 10360 bytes
Desc: not available
URL:

From JR.Aquino at citrix.com Fri Aug 5 18:36:15 2011
From: JR.Aquino at citrix.com (JR Aquino)
Date: Fri, 5 Aug 2011 18:36:15 +0000
Subject: [Freeipa-devel] [PATCH] 34 Create FreeIPA CLI Plugin for the 389 Auto Membership plugin
In-Reply-To: <4E37F3AD.1030801@redhat.com>
References: <99CC5FCC-73CE-43C1-9B73-4DDD69A4637D@citrixonline.com> <1310730613.32137.22.camel@dhcp-25-52.brq.redhat.com> <4E2054E3.5060306@redhat.com> <84A3F669-CCF3-4C6C-9525-5BD4A71E6E1E@citrixonline.com> <4E26F657.8030901@redhat.com> <3D1116E1-B782-4F43-B6DA-08E8FCFC34A1@citrixonline.com> <4E279A3C.5040900@redhat.com> <328D74A5-F560-4DC6-8E5F-413AFDCCAABC@citrixonline.com> <1311246577.17378.28.camel@dhcp-25-52.brq.redhat.com> <4E28384A.708@redhat.com> <0BF013EE-B1ED-4953-94ED-F3BA825CFE78@citrixonline.com> <60FB2C65-DFB4-41B4-A51F-78FE89BB1A1E@citrixonline.com> <1312202461.2484.4.camel@dhcp-25-52.brq.redhat.com> <4E36A27F.4020908@redhat.com> <4E37F3AD.1030801@redhat.com>
Message-ID: <45137A51-4797-4A17-B3B0-A4301D9A0C85@citrixonline.com>

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Jr Aquino, GCIH | Information Security Specialist
Citrix Online | 7408 Hollister Avenue | Goleta, CA 93117
T: +1 805.690.3478
jr.aquino at citrixonline.com
http://www.citrixonline.com

On Aug 2, 2011, at 5:55 AM, Rob Crittenden wrote:

> JR Aquino wrote:
>> On Aug 1, 2011, at 5:56 AM, Rob Crittenden wrote:
>>
>>> Martin Kosek wrote:
>>>> On Sat, 2011-07-30 at 00:54 +0000, JR Aquino wrote:
>>>>> On Jul 21, 2011, at 8:53 AM, JR Aquino wrote:
>>>>>
>>>>>> On Jul 21, 2011, at 7:31 AM, Rob Crittenden wrote:
>>>>>>
>>>>>>> Martin Kosek wrote:
>>>>>>>> On Thu, 2011-07-21 at 03:37 +0000, JR Aquino wrote:
>>>>>>>>>>> Rob, I'm afraid I believe that ldap lookup is necessary. The user inputs a standard string to represent the possible host group. If I simply perform a get_dn it will indeed provide a dn, however, it won't verify that the host group actually exists. (you don't want to create an assignment rule for a non-existent target host group)
>>>>>>>>>>>
>>>>>>>>>>> Martin, (except for the name Clarity), I have addressed your observations in this latest patch. Could you please have a look and let me know if there is anything else I need to take care of?
>>>>>>>>>>>
>>>>>>>> Great, preparing the command parameters in pre_callback is much cleaner.
>>>>>>>>
>>>>>>>>>> Good point about the LDAP lookup.
>>>>>>>>>>
>>>>>>>>>> This looks a lot better but there are still a few issues:
>>>>>>>>>>
>>>>>>>>>> If group_dn is in the object then you can use self.obj.handle_not_found(*keys) for the NotFound.
>>>>>>>>>
>>>>>>>>> Ok, I will give that a shot!
>>>>>>>>>
>>>>>>>>>> Or if it can't be moved, in the calls to group_dn() you can use the ldap handle passed into pre_callback.
>>>>>>>>>>
>>>>>>>>>> I guess you are using the includetype tuple to avoid coding long variable names everywhere? Would a symbol be better, eg:
>>>>>>>>>>
>>>>>>>>>> INCLUDE_RE = 'automemberinclusiveregex'
>>>>>>>>>> EXCLUDE_RE = 'automemberexclusiveregex'
>>>>>>>>>
>>>>>>>>> That works, I'll swap em.
>>>>>>>>
>>>>>>>> I agree with Rob here, this will make the code better.
>>>>>>>>
>>>>>>>>>> Is there a way to validate the regex?
>>>>>>>>>
>>>>>>>>> Now that you mention it, I believe if I import re, we should be able to validate the initial regex and raise an exception if it is bogus.
>>>>>>>>>
>>>>>>>>>> If we were to add an equivalent user group handler would it be the same code in add_condition and remove_condition? It is sort of nice to have everything together at the moment, I suspect it will need to be generalized at some point.
>>>>>>>>>
>>>>>>>>> Well. For the groups, I was thinking it starts to get a little different. I would still reuse the condition, but I believe I would pivot users into groups based upon something like their manager?
>>>>>>>>>
>>>>>>>>>> Adding a clarity with no rules won't let you add rules:
>>>>>>>>>>
>>>>>>>>>> # ipa hostgroup-add --desc=hg1 hg1
>>>>>>>>>> # ipa hostgroupclarity-add hg1
>>>>>>>>>> # ipa hostgroupclarity-add-condition --exclusive-hostname-regex=^web5\.example\.com hg1
>>>>>>>>>> ipa: ERROR: no modifications to be performed
>>>>>>>>>
>>>>>>>>> This ^ is deliberate, you cannot add an exclusion rule if there is no existing or simultaneous inclusive rule. :) Martin asked for that, and I think it's wise.
>>>>>>>>
>>>>>>>> Yes, it is wise :-) But the error message is really not clear to the user. We should tell him that there must be at least one inclusive rule.
>>>>>>>>
>>>>>>>> I wonder if we shouldn't force the user to create a hostgroupclarity object with at least one inclusive rule and then make sure that in all operations at least one inclusive rule stays there. Or we could delete the empty LDAP object after the last inclusive rule is removed, as we do with DNS record LDAP objects in dnsrecord-del.
>>>>>>>>
>>>>>>>>>> The way you explained clarity today in IRC, how it brings clarity to managing membership with names no human can grok, I got it. Still, clarity is a bit awkward as a name. automember might be a better choice.
>>>>>>>>>
>>>>>>>>> Fair enough ;) I tried, perhaps I can /allude/ to it in the help / docs. automember it is.
>>>>>>>>>
>>>>>>>>> One final class I have been struggling with that I want to add.
>>>>>>>>>
>>>>>>>>> The object and attribute which defines the 'default group' is the parent of the actual rules, i.e. cn=hostgroup,cn=automember,cn=etc.
>>>>>>>>>
>>>>>>>>> The ipa cli seems to only want to let me make mods that assume I am specifying a target object on the cli. "ipa hostgroupautomember-default-group=foo" <- in this scenario, we don't actually want or need a rule name because it's the container above. I have had success making the writes, but the cli syntax just doesn't lend itself to that level of abstraction.
>>>>>>>>>
>>>>>>>>> Any suggestions?
>>>>>>>>>
>>>>>>>> I think the best shot would be to create a new command and overload the execute method in that case. Like in hbacrule_enable. You would be able to set dn correctly here and do the update. Does it make sense? Rob?
>>>>>>>>
>>>>>>>> Martin
>>>>>>>>
>>>>>>> I agree. We are better off abstracting things now so we can get the API right.
>>>>>>>
>>>>>>> I think we can stick more or less with the command names, just in a new plugin and some new arguments.
>>>>>>>
>>>>>>> I see the plugin with the following methods:
>>>>>>>
>>>>>>> Each takes a single argument, the name of the rule. I don't think I'd stick type into the DN so you wouldn't be able to use the same rule name for different object types. If we want to allow that then we'd need to add --type to a lot more commands.
>>>>>>>
>>>>>>> There is no mod to change types, you have to delete and re-add.
>>>>>>>
>>>>>>> automember-add                Add an automember rule
>>>>>>>   --type=ENUM (hostgroup, group)
>>>>>>>   --desc=STR description of this auto membership rule
>>>>>>>   --inclusive-regex=LIST Inclusive Regex
>>>>>>>   --exclusive-regex=LIST Exclusive Regex
>>>>>>>
>>>>>>> automember-add-condition      Add conditions to automember rule
>>>>>>>   --inclusive-regex=LIST Inclusive Regex
>>>>>>>   --exclusive-regex=LIST Exclusive Regex
>>>>>>>
>>>>>>> automember-del                Delete an automember rule
>>>>>>>
>>>>>>> automember-find               Search for automember rules
>>>>>>>   --type=ENUM (hostgroup, group)
>>>>>>>
>>>>>>> automember-mod                Modify an automember rule.
>>>>>>
>>>>>> automember-default-group      Set a default group for auto membership
>>>>>>   --group/hostgroup=STR
>>>>>>
>>>>>>> automember-remove-condition   Remove conditions from an automember rule
>>>>>>>   --inclusive-regex=LIST Inclusive Regex
>>>>>>>   --exclusive-regex=LIST Exclusive Regex
>>>>>>>
>>>>>>> automember-show               Display an automember rule
>>>>>
>>>>> New Patch attached.
>>>>>
>>>>> I believe I have addressed the issues highlighted in the thread.
>>>>>
>>>> Hello JR,
>>>>
>>>> Thanks for the patch, the new approach with automember as a separate plugin is much better and more extensible. I reviewed it and have some feedback:
>>>>
>>>> 1) I see that autoMemberScope in automember plugin configuration is set to $SUFFIX. Why don't we use cn=hostgroups,cn=accounts,dc=idm,dc=lab,dc=bos,dc=redhat,dc=com and cn=hostgroups,cn=accounts,dc=idm,dc=lab,dc=bos,dc=redhat,dc=com. IMO this would improve performance
>>>
>>> I believe the scope defines where to find automatic members, so it should point to cn=computers,cn=$SUFFIX.
>>
>> autoMemberScope needs to point to the lowest common denominator where the plugin will detect the insertion of new ldap objects that match the rules:
>> (http://directory.fedoraproject.org/wiki/Auto_Membership_Design#Example_Configuration_Entries)
>>
>> With that in mind, it seems that we need to point it to cn=accounts,$SUFFIX
>>
>>>> 2) Plugin is not configured correctly on a replica: nsslapd-pluginConfigArea in cn=Auto Membership Plugin,cn=plugins,cn=config is not created. Since cn=config is not replicated, it needs to be updated also on a replica. Plus, "Applying LDAP updates" got stuck in my case for some reason.
>>
>> I will be correcting this with Rob's suggestion in irc of moving the operation into __common_setup
>>
>>>> 3) I cannot use --inclusive-regex in ipa automember-add even though it is stated in help that I can
>>>>
>>>> # ipa automember-add --type=hostgroup --inclusive-regex=^web[1-9]\.example\.com tgroup
>>>> Usage: ipa [global-options] automember-add AUTOMEMBER-RULE [options]
>>>>
>>>> ipa: error: no such option: --inclusive-regex
>>>
>>> I had him remove this. No other command lets you add an entry and members at the same time.
>>
>> I will be removing reference to this in the help/doc. Thank you for catching it.
>>
>>>> 4) Error message when removing a condition is not clear:
>>>> # ipa automember-show --type=hostgroup tgroup
>>>>   Automember Rule: tgroup
>>>>   Inclusive Regex: fqdn=^web[1-9].example.com, fqdn=^www[1-9].example.com
>>>>   Exclusive Regex: fqdn=^www5.example.com
>>>>
>>>> Can we detect this situation and change it to something like "Condition not found"?
>>
>> It appears as though this situation is trickier than just 'condition not found'.
>>
>> Since we can provide a list of both inclusive and exclusive regex, and any one of the provided entries could be /not found/ it looks as though I will need to replicate the functionality of 'failed' similar to how they are treated when removing a list of users/hosts from a group/hostgroup where some of the members are non-existent.
>>
>> It looks like I need to return a failed list, but it is not currently clear how to accomplish that in an LDAPUpdate pre/post_callback, as those are really only looking for the return of a 'dn'
>>
>>>> 5) Having a rule with just an exclusive rule does not make sense - can we handle it?
>>>> # ipa automember-show --type=hostgroup tgroup
>>>>   Automember Rule: tgroup
>>>>   Inclusive Regex: fqdn=^web[1-9].example.com, fqdn=^www[1-9].example.com
>>>>   Exclusive Regex: fqdn=^www5.example.com
>>>> # ipa automember-remove-condition --type=hostgroup tgroup --inclusive-regex=^web[1-9]\.example\.com --inclusive-regex=^www[1-9]\.example\.com
>>>> --------------------------------
>>>> Removed condition(s) to "tgroup"
>>>> --------------------------------
>>>>   Automember Rule: tgroup
>>>>   Exclusive Regex: fqdn=^www5.example.com
>>
>> I am adding additional checks to verify that we don't create/leave a rule with a sole exclusive regex.
>>
>>>> 6) Command names for automember default group seem inconsistent:
>>>> automember-add-default-group      Set default group for all unmatched entries.
>>>> automember-default-group-show     Display information about the default automember groups.
>>>> automember-remove-default-group   Remove default group for all unmatched entries.
>>>>
>>>> If we would follow the same pattern, "automember-default-group-show" should be automember-show-default-group
>>>
>>> I think it should be automember-default-group-*. Since there is only one default for something I think it should be set instead of add.
>>
>> I agree with Rob:
>> ipa automember-default-group-set
>> ipa automember-default-group-remove
>> ipa automember-default-group-show
>>
>>>> 7) Parameters of the automember default group seem inconsistent too:
>>>> a) --desc parameter present in automember-add-default-group and automember-remove-default-group should not be here
>>>> b) Grouping Type of the automember type is passed as an argument in automember-remove-default-group and automember-default-group-show instead of --type=STR as in all other commands
>>
>> This is deliberate.
>>
>> The framework has a mandatory requirement of at least 1 argument.
>>
>> Since these 3 operations require us to operate on parent objects, it does not make sense to force it to provide a 'rule' as the modification does not take place on any 1 rule, but rather the container which they are a part of.
>> I am open to suggestions...
>>
>>>> 8) automember.py: In automember_add_condition/automember_remove_condition I see 2 almost identical branches of code - a lot of redundancy. Couldn't we consolidate them, for example to one "for attr in (INCLUDE_RE, EXCLUDE_RE):" construct?
>>
>> I will see what I can do to accommodate this. It is likely that there will need to be several pivot points to provide the logic required to prevent the addition of an exclusive regex without an inclusive one present. Likewise with the deletion of the last inclusive regex when there is at least 1 exclusive regex present.
>>
>>>> 9) test_automember_plugin.py: the test class should be named test_automember, not test_user
>>
>> Ah. Thanks!
>>
>>>> Martin
>>>>
>>> I'm also wondering about hardcoding a key. Is there a reason we can't ask the regex writer to simply include this themselves?
>>
>> I am fairly opposed to removing 'default' attrs which the rules are applied to... I am happy to provide a means to override them.
>>
>> While it may be second nature for all of us to know that there is an fqdn attribute, etc, our consumers are likely not going to intrinsically know our schema. We also deliberately mask the real attribute names in the framework. (fqdn = Host name)
>>
>> Providing a default feels like a happy medium which allows for ease of use and somewhat of a safety belt against users defining an incorrect attribute name.
>>
>> It also might get somewhat tiring to constantly provide --key=fqdn every time you add a hostname regex?
>
> Ok, but when you display rules fqdn is displayed. How are users to know they shouldn't include fqdn= when removing existing rules?
>
>> Stand by for a follow up patch later today after I figure out how to better account for the failed manipulation of conditions.
>>

Final Draft Patch attached, Please review.

The API should all be straightened out.
The handling of adding/removing of conditions has been greatly improved.
We now require type and key for conditionals.
A schema check is performed to catch any bad attributes.

Exclusive Conditions: I've thought more about it, and it is a benign condition that does not affect the state of the system.
Similarly, Sudo rules can contain deny commands with no additional data which are also benign. I would like to propose that all cases where this is possible in FreeIPA be reviewed in the future rather than excluding this patch from being committed to master.

-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-jraquino-0034-Create-FreeIPA-CLI-Plugin-for-the-389-Auto-Membershi.patch
Type: application/octet-stream
Size: 47006 bytes
Desc: freeipa-jraquino-0034-Create-FreeIPA-CLI-Plugin-for-the-389-Auto-Membershi.patch
URL:

From edewata at redhat.com Fri Aug 5 19:17:00 2011
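The condition-handling behaviour the review converges on (compile each regex before anything is written, require a type and a key and check the key against the schema, refuse to add an exclusive regex to a rule that has no inclusive one, and report conditions that were not found in a "failed" list rather than failing the whole remove) can be modelled without an LDAP server. The block below is an added illustration and is not code from the FreeIPA patch under review: the rule is an in-memory dict standing in for the LDAP entry, and ALLOWED_KEYS is a constructed stand-in for the schema check, not the real 389-ds schema.

```python
import re

# Attribute names used by the 389 Auto Membership plugin for the two
# condition lists, as named in the review thread.
INCLUDE_RE = 'automemberinclusiveregex'
EXCLUDE_RE = 'automemberexclusiveregex'

# Constructed stand-in for the schema check the thread mentions: which
# attributes a condition may key on, per grouping type. Not the real
# 389-ds schema; the real plugin would consult the directory instead.
ALLOWED_KEYS = {
    'hostgroup': ('fqdn', 'description'),
    'group': ('uid', 'manager'),
}


class ConditionError(ValueError):
    """Raised for a bad key, a bad regex, or a rule left with only exclusions."""


def check_key(grouping_type, key):
    """Reject attribute names the (stand-in) schema does not allow for this type."""
    if key not in ALLOWED_KEYS.get(grouping_type, ()):
        raise ConditionError("attribute %r is not valid for type %r"
                             % (key, grouping_type))


def validate_condition(grouping_type, key, regex):
    """Return the stored 'key=regex' value, or raise if the key or regex is bogus."""
    check_key(grouping_type, key)
    try:
        re.compile(regex)
    except re.error as err:
        raise ConditionError("invalid regex %r: %s" % (regex, err))
    return '%s=%s' % (key, regex)


def add_conditions(rule, grouping_type, key, inclusive=(), exclusive=()):
    """Add conditions to `rule` (a dict standing in for the LDAP entry).

    Every regex is validated first so nothing is written on a bad one, and
    an exclusive regex is refused unless an inclusive one already exists
    or is being added in the same call.
    """
    new_inc = [validate_condition(grouping_type, key, r) for r in inclusive]
    new_exc = [validate_condition(grouping_type, key, r) for r in exclusive]
    if new_exc and not (rule.get(INCLUDE_RE) or new_inc):
        raise ConditionError("at least one inclusive regex is required "
                             "before an exclusive regex can be added")
    for attr, values in ((INCLUDE_RE, new_inc), (EXCLUDE_RE, new_exc)):
        stored = rule.setdefault(attr, [])
        for value in values:
            if value not in stored:  # adding a duplicate is a no-op
                stored.append(value)
    return rule


def remove_conditions(rule, grouping_type, key, inclusive=(), exclusive=()):
    """Remove conditions from `rule`; return (rule, failed).

    `failed` lists the conditions that were not present, in the style of
    the member-remove commands, instead of failing the whole operation.
    The change is committed only if an inclusive regex still remains
    whenever an exclusive regex remains.
    """
    check_key(grouping_type, key)
    failed = {INCLUDE_RE: [], EXCLUDE_RE: []}
    remaining = {}
    for attr, regexes in ((INCLUDE_RE, inclusive), (EXCLUDE_RE, exclusive)):
        values = list(rule.get(attr, []))
        for regex in regexes:
            value = '%s=%s' % (key, regex)
            if value in values:
                values.remove(value)
            else:
                failed[attr].append(value)
        remaining[attr] = values
    if remaining[EXCLUDE_RE] and not remaining[INCLUDE_RE]:
        raise ConditionError("removing the last inclusive regex would leave "
                             "only exclusive regexes; remove those first")
    rule[INCLUDE_RE] = remaining[INCLUDE_RE]
    rule[EXCLUDE_RE] = remaining[EXCLUDE_RE]
    return rule, failed


if __name__ == '__main__':
    # Walks through the scenario from the review: two inclusive and one
    # exclusive hostname regex, then a removal naming one that does not exist.
    rule = add_conditions({}, 'hostgroup', 'fqdn',
                          inclusive=[r'^web[1-9]\.example\.com',
                                     r'^www[1-9]\.example\.com'],
                          exclusive=[r'^www5\.example\.com'])
    rule, failed = remove_conditions(rule, 'hostgroup', 'fqdn',
                                     inclusive=[r'^web[1-9]\.example\.com',
                                                r'^nosuch\.example\.com'])
    print(rule)
    print('not found:', failed)
```

The stored values carry the `key=` prefix the CLI displays, so a caller removing a condition supplies the key and the bare regex and the prefix is added on both paths, which sidesteps the question of whether users must type `fqdn=` when removing. The "last inclusive regex" check in remove_conditions enforces the invariant the reviewers asked for; the final message in this thread argues an exclusive-only rule is benign, and under that view the check is simply dropped.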
From: edewata at redhat.com (Endi Sukma Dewata)
Date: Fri, 05 Aug 2011 14:17:00 -0500
Subject: [Freeipa-devel] [PATCH] 002 Fixed adding host without DNS reverse zone
In-Reply-To: <1312562020.20559.75.camel@dhcp-25-197.brq.redhat.com>
References: <1311679630.2338.61.camel@dhcp-25-197.brq.redhat.com> <4E2F4932.3080409@redhat.com> <4E2F6A96.706@redhat.com> <1311771699.2079.6.camel@dhcp-25-197.brq.redhat.com> <4E32CA7D.9090909@redhat.com> <4E32CAFD.2030009@redhat.com> <1311955971.10002.11.camel@dhcp-25-197.brq.redhat.com> <4E32E9DC.2060609@redhat.com> <1312449734.20559.17.camel@dhcp-25-197.brq.redhat.com> <4E3AE3D4.50404@redhat.com> <1312562020.20559.75.camel@dhcp-25-197.brq.redhat.com>
Message-ID: <4E3C41AC.3080206@redhat.com>

On 8/5/2011 11:33 AM, Petr Vobornik wrote:
>> The default values in ipa.js:576-579 are redundant because they will be overridden by the spec in init().
> Removed.
>> I think the assignments in init() can be replaced by something like this:
>> that.xhr = spec.xhr || {};
>> Note that the default value for xhr and error_thrown should be an empty object.
> Reworked, probably we should add some generic error title to internal.py as default value for error dialog title.
>> There are some unit test failures in ipa_tests.js because IPA.error_dialog used to point to the dialog instance. You might want to change it to get the instance using something else, e.g. element ID.
>
> - Added property 'id' to dialog (which is added to its div)
> - Added reference to ../dialog.js in ipa.tests.html
> - Reworked ipa.test.js to work with error_dialog id.
>> There are some other unit test failures, but they seem to be caused by the earlier failure. They actually pass if run separately.
> --> All tests should pass.

ACK and pushed to master.

-- 
Endi S. Dewata

From dpal at redhat.com Fri Aug 5 19:29:16 2011
From: dpal at redhat.com (Dmitri Pal)
Date: Fri, 05 Aug 2011 15:29:16 -0400
Subject: [Freeipa-devel] Clarification about FreeIPA milestones
Message-ID: <4E3C448C.3000605@redhat.com>

Hello,

IPA 2.1 is getting close to its release so it is time to set some expectations and explain our roadmap moving forward a little bit.

First it is planned to have a couple of bug fixing iterations on top of 2.1. That translates into 2.1.1 and 2.1.2 milestones respectively. We do not plan to do any point releases after 2.1 on the same code base. We will maintain this code for some time doing fixes and back porting from the tip but we do not plan to have a 2.2 release from it.

The next release will be a major release. It will be 3.0. There will be two separate parallel teams contributing to this release. One team is focusing on the cross kerberos trust effort and another on the core enhancements effort. There is not much overlap between the two so for tracking purposes it is easier to create independent milestones for the two teams. The milestones are named "Core effort" and "Trust effort" respectively. Each will have its own backlog - a general pool of things to do and then individual iterations that are more or less aligned by the month boundaries. We will try to deliver some meaningful features every month but there is no guarantee that there will be a build to play with every month as a result of the particular iteration.

The former 2.2 bucket was renamed into the 3.0 Core Effort Backlog bucket. The next step is to select a subset of those tickets to address during the September iteration. Since this iteration will have an overlap with the 2.1.x bug fixing effort we do not expect to accomplish much and yet we expect that the effort would start and some of the initial design and prototyping steps will be complete.

Finally, you can take a look at the specific tickets in the IPA trac to read in more detail about the features we plan to work on but here is a high level overview:

* Trust effort - it is all about cross kerberos trust between AD and IPA and support of different use cases that would allow AD users to access IPA resources and vice versa.
* Core effort - it is about incremental improvements to IPA. We will be looking at key management features, SELinux user context assignments, more Dogtag integration, UI improvements and other security and usability enhancements.

The driving factor is the Trust effort. As soon as it is ready we will start preparing a release. The features from the Core effort would be included on an as-available basis.

Hope this helps...

-- 
Thank you,
Dmitri Pal

Sr. Engineering Manager IPA project,
Red Hat Inc.

-------------------------------
Looking to carve out IT costs?
www.redhat.com/carveoutcosts/

From ayoung at redhat.com Fri Aug 5 21:12:13 2011
From: ayoung at redhat.com (Adam Young)
Date: Fri, 05 Aug 2011 17:12:13 -0400
Subject: [Freeipa-devel] [PATCH] 003 Redirection after changing browser configuration
In-Reply-To: <1312550545.20559.59.camel@dhcp-25-197.brq.redhat.com>
References: <1312550545.20559.59.camel@dhcp-25-197.brq.redhat.com>
Message-ID: <4E3C5CAD.8000200@redhat.com>

On 08/05/2011 09:22 AM, Petr Vobornik wrote:
> Redirection after changing browser configuration
>
> https://fedorahosted.org/freeipa/ticket/1502
>
> Added redirection link.
>
> Notes:
> Modified preferences.html.template to be able to respond to the configuration change.
>
> Because of security policy the page cannot be automatically redirected (it has to redirect the top frame). -> A message with a link was added.
>
> The redirection link has to use an absolute url because the page is situated in an object frame and its location points to the jar archive.
>
> _______________________________________________
> Freeipa-devel mailing list
> Freeipa-devel at redhat.com
> https://www.redhat.com/mailman/listinfo/freeipa-devel

Looks good. The formatting of the link at the end is wrapped around across multiple lines. Of course, right now, we are missing the css there, so maybe it is due to the stylesheet error. If you can put the message on one line and the link on the second, I'd consider it ACKed.

-------------- next part --------------
An HTML attachment was scrubbed...
URL:

From mkosek at redhat.com Mon Aug 8 09:04:02 2011
From: mkosek at redhat.com (Martin Kosek)
Date: Mon, 08 Aug 2011 11:04:02 +0200
Subject: [Freeipa-devel] [PATCH] 34 Create FreeIPA CLI Plugin for the 389 Auto Membership plugin
In-Reply-To: <45137A51-4797-4A17-B3B0-A4301D9A0C85@citrixonline.com>
References: <99CC5FCC-73CE-43C1-9B73-4DDD69A4637D@citrixonline.com> <1310730613.32137.22.camel@dhcp-25-52.brq.redhat.com> <4E2054E3.5060306@redhat.com> <84A3F669-CCF3-4C6C-9525-5BD4A71E6E1E@citrixonline.com> <4E26F657.8030901@redhat.com> <3D1116E1-B782-4F43-B6DA-08E8FCFC34A1@citrixonline.com> <4E279A3C.5040900@redhat.com> <328D74A5-F560-4DC6-8E5F-413AFDCCAABC@citrixonline.com> <1311246577.17378.28.camel@dhcp-25-52.brq.redhat.com> <4E28384A.708@redhat.com> <0BF013EE-B1ED-4953-94ED-F3BA825CFE78@citrixonline.com> <60FB2C65-DFB4-41B4-A51F-78FE89BB1A1E@citrixonline.com> <1312202461.2484.4.camel@dhcp-25-52.brq.redhat.com> <4E36A27F.4020908@redhat.com> <4E37F3AD.1030801@redhat.com> <45137A51-4797-4A17-B3B0-A4301D9A0C85@citrixonline.com>
Message-ID: <1312794245.29048.21.camel@dhcp-25-52.brq.redhat.com>

On Fri, 2011-08-05 at 18:36 +0000, JR Aquino wrote:
> [...]
>
> Final Draft Patch attached, Please review.
>
> The API should all be straightened out.
> The handling of adding/removing of conditions has been greatly improved.
> We now require type and key for conditionals.
> A schema check is performed to catch any bad attributes.
>
> Exclusive Conditions: I've thought more about it, and it is a benign condition that does not affect the state of the system.
> Similarly, Sudo rules can contain deny commands with no additional data which are also benign. I would like to propose that all cases where this is possible in FreeIPA be reviewed in the future rather than excluding this patch from being committed to master.
>

I think you attached a wrong patch, it's the same as the previous one.

Btw. if you use freeipa-jraquino-PATCH_NO-PATCH_VER-description.patch naming, it is simpler to recognize the version of the patch.

Martin

From jcholast at redhat.com Mon Aug 8 13:03:58 2011
From: jcholast at redhat.com (Jan Cholasta)
Date: Mon, 08 Aug 2011 15:03:58 +0200
Subject: [Freeipa-devel] [PATCH] 36 Ask for reverse DNS zone information right after asking for DNS forwarders
Message-ID: <4E3FDEBE.5080008@redhat.com>

This patch modifies ipa-server-install and ipa-dns-install so that they ask for reverse DNS zone information right after asking for DNS forwarders, so that DNS configuration is done in one place.

https://fedorahosted.org/freeipa/ticket/1522

Honza

--
Jan Cholasta
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-jcholast-36-reverse-zone-attended-install.patch
Type: text/x-patch
Size: 5052 bytes
Desc: not available
URL:

From jcholast at redhat.com Mon Aug 8 13:33:54 2011
From: jcholast at redhat.com (Jan Cholasta)
Date: Mon, 08 Aug 2011 15:33:54 +0200
Subject: [Freeipa-devel] [PATCH] 106 Improve dnszone-add error message
In-Reply-To: <1312444927.22878.1.camel@dhcp-25-52.brq.redhat.com>
References: <1312444927.22878.1.camel@dhcp-25-52.brq.redhat.com>
Message-ID: <4E3FE5C2.4050801@redhat.com>

On 4.8.2011 10:02, Martin Kosek wrote:
> Check that NS address passed in dnszone-add is a domain name and not an IP address. Make this clear also in the parameter help.
>
> https://fedorahosted.org/freeipa/ticket/1567

ACK.

I'd prefer if doc said "Authoritative nameserver hostname" instead of "Authoritative nameserver domain name", but I guess both are OK?

Honza

--
Jan Cholasta

From pvoborni at redhat.com Mon Aug 8 13:50:27 2011
From: pvoborni at redhat.com (Petr Vobornik)
Date: Mon, 08 Aug 2011 15:50:27 +0200
Subject: [Freeipa-devel] [PATCH] 003 Redirection after changing browser configuration
In-Reply-To: <4E3C5CAD.8000200@redhat.com>
References: <1312550545.20559.59.camel@dhcp-25-197.brq.redhat.com> <4E3C5CAD.8000200@redhat.com>
Message-ID: <4E3FE9A3.5080301@redhat.com>

On 08/05/2011 11:12 PM, Adam Young wrote:
> On 08/05/2011 09:22 AM, Petr Vobornik wrote:
>> Redirection after changing browser configuration
>>
>> https://fedorahosted.org/freeipa/ticket/1502
>>
>> Added redirection link.
>>
>> Notes:
>> Modified preferences.html.template to be able to respond to the configuration change.
>>
>> Because of security politics page cannot be automatically redirected. (has to redirect top frame). -> Message with link was added.
>>
>> Redirection link has to use absolute url because page is situated in object frame and its location points to jar archive.
>>
>> _______________________________________________
>> Freeipa-devel mailing list
>> Freeipa-devel at redhat.com
>> https://www.redhat.com/mailman/listinfo/freeipa-devel
>
> Looks good. The formatting of the Link at the end is wrapped around across multiple lines. Of course, right now, we are missing the css there, so maybe it is due to the stylesheet error.
> If you can put the message on one line and the link on the second, I'd consider it ACKed

The link alone can't fit on a single line.
- I have expanded the object's area. (and cleaned css from trailing white spaces in the process)
- Added css in preferences template in order to look good. In the future it would be better to remove these css and reuse ipa_error.css. But it has to be included in the jar (I don't know where to do it).
- Corrected object tag ending so "Back to the Web UI" link is displayed even if user has not configured Firefox (this can be useful for other browsers' users or if user doesn't want to configure browser. But it is redundant with the link which is displayed after configuration.).

--
Petr Vobornik
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-pvoborni-0003-1-Redirection-after-changing-browser-configuration.patch
Type: text/x-patch
Size: 4734 bytes
Desc: not available
URL:

From jdennis at redhat.com Mon Aug 8 14:07:41 2011
From: jdennis at redhat.com (John Dennis)
Date: Mon, 08 Aug 2011 10:07:41 -0400
Subject: [Freeipa-devel] Correct xmlrpc-c version?
Message-ID: <4E3FEDAD.3010704@redhat.com>

I checked today to see if we have a new xmlrpc-c package that meets our release requirements for 2.1. I see that 1.27.4 was built earlier today for F16 and F17 with the changelog comment just saying it was upgraded to latest upstream (is that our fix?). The upstream tarball does not have a changelog :-( but there is a reference to this URL for change history:

http://xmlrpc-c.sourceforge.net/change.html

But not much useful information there either.

Can someone tell me *exactly* what it is we're waiting for so I can be sure we've got the right release? Also it doesn't look like there has been a rebuild of F15 for a long time so even if F16 and F17 have 1.27.4 and 1.27.4 is what we're looking for (is it?) then that still doesn't meet our needs because we're targeting F15 right?

--
John Dennis
Looking to carve out IT costs?
www.redhat.com/carveoutcosts/

From simo at redhat.com Mon Aug 8 14:21:03 2011
From: simo at redhat.com (Simo Sorce)
Date: Mon, 08 Aug 2011 14:21:03 +0000
Subject: [Freeipa-devel] Correct xmlrpc-c version?
In-Reply-To: <4E3FEDAD.3010704@redhat.com>
References: <4E3FEDAD.3010704@redhat.com>
Message-ID: <1312813263.11512.57.camel@willson.li.ssimo.org>

On Mon, 2011-08-08 at 10:07 -0400, John Dennis wrote:
> I checked today to see if we have a new xmlrpc-c package that meets our release requirements for 2.1. I see that 1.27.4 was built earlier today for F16 and F17 with the changelog comment just saying it was upgraded to latest upstream (is that our fix?). The upstream tarball does not have a changelog :-( but there is a reference to this URL for change history:
>
> http://xmlrpc-c.sourceforge.net/change.html
>
> But not much useful information there either.
>
> Can someone tell me *exactly* what it is we're waiting for so I can be sure we've got the right release? Also it doesn't look like there has been a rebuild of F15 for a long time so even if F16 and F17 have 1.27.4 and 1.27.4 is what we're looking for (is it?) then that still doesn't meet our needs because we're targeting F15 right?

John, reading the page above it might not be there.

What we are waiting for is:
"Curl client: add "gssapi_delegation" option. Needed in some cases with newer Curl libraries to get back old function."

It appears this line is under the 1.28 heading which is marked as "Not released yet."

Simo.

--
Simo Sorce * Red Hat, Inc * New York

From mkosek at redhat.com Mon Aug 8 15:42:13 2011
From: mkosek at redhat.com (Martin Kosek)
Date: Mon, 08 Aug 2011 17:42:13 +0200
Subject: [Freeipa-devel] Correct xmlrpc-c version?
In-Reply-To: <4E3FEDAD.3010704@redhat.com>
References: <4E3FEDAD.3010704@redhat.com>
Message-ID: <1312818136.29048.33.camel@dhcp-25-52.brq.redhat.com>

On Mon, 2011-08-08 at 10:07 -0400, John Dennis wrote:
> I checked today to see if we have a new xmlrpc-c package that meets our release requirements for 2.1. I see that 1.27.4 was built earlier today for F16 and F17 with the changelog comment just saying it was upgraded to latest upstream (is that our fix?). The upstream tarball does not have a changelog :-( but there is a reference to this URL for change history:
>
> http://xmlrpc-c.sourceforge.net/change.html
>
> But not much useful information there either.
>
> Can someone tell me *exactly* what it is we're waiting for so I can be sure we've got the right release? Also it doesn't look like there has been a rebuild of F15 for a long time so even if F16 and F17 have 1.27.4 and 1.27.4 is what we're looking for (is it?) then that still doesn't meet our needs because we're targeting F15 right?

Good news is that the problem in curl package has been fixed and was built for F-15:

https://admin.fedoraproject.org/updates/curl-7.21.3-9.fc15

But we need this change to be propagated to the xmlrpc-c too. As you wrote, there is already a fixed version for F-16 and F-17: xmlrpc-c-1.16.24. I checked the source code, the GSSAPI delegation fix should be there. We just need to ask them to release an update for F-15 too. Adding xmlrpc-c Fedora owner to the CC list. Enrico, can you please release the package for F-15 too?

When all this is ready, I plan to immediately send a patch & update our .spec to make this work on F-15.

Martin

From mkosek at redhat.com Mon Aug 8 15:52:46 2011
From: mkosek at redhat.com (Martin Kosek)
Date: Mon, 08 Aug 2011 17:52:46 +0200
Subject: [Freeipa-devel] [PATCH] 106 Improve dnszone-add error message
In-Reply-To: <4E3FE5C2.4050801@redhat.com>
References: <1312444927.22878.1.camel@dhcp-25-52.brq.redhat.com> <4E3FE5C2.4050801@redhat.com>
Message-ID: <1312818768.29048.37.camel@dhcp-25-52.brq.redhat.com>

On Mon, 2011-08-08 at 15:33 +0200, Jan Cholasta wrote:
> On 4.8.2011 10:02, Martin Kosek wrote:
> > Check that NS address passed in dnszone-add is a domain name and not an IP address. Make this clear also in the parameter help.
> >
> > https://fedorahosted.org/freeipa/ticket/1567
>
> ACK.
>
> I'd prefer if doc said "Authoritative nameserver hostname" instead of "Authoritative nameserver domain name", but I guess both are OK?
>
> Honza

In this case I wanted the doc to say "domain name" in order to keep the terminology exact with respect to the relevant RFC (1035).

Pushed to master.

Martin

From ayoung at redhat.com Mon Aug 8 15:58:39 2011
From: ayoung at redhat.com (Adam Young)
Date: Mon, 08 Aug 2011 11:58:39 -0400
Subject: [Freeipa-devel] [PATCH] 236 Fixed 3rd level tab style.
In-Reply-To: <4E3C1668.9080506@redhat.com>
References: <4E3C1668.9080506@redhat.com>
Message-ID: <4E4007AF.4010007@redhat.com>

On 08/05/2011 12:12 PM, Endi Sukma Dewata wrote:
> The 3rd level tab style has been adjusted according to UXD input.

ACK

From ayoung at redhat.com Mon Aug 8 16:00:32 2011
From: ayoung at redhat.com (Adam Young)
Date: Mon, 08 Aug 2011 12:00:32 -0400
Subject: [Freeipa-devel] [PATCH] 237 Fixed facet group labels.
In-Reply-To: <4E3C35A0.1080003@redhat.com>
References: <4E3C35A0.1080003@redhat.com>
Message-ID: <4E400820.3080007@redhat.com>

On 08/05/2011 02:25 PM, Endi Sukma Dewata wrote:
> The facet group labels have been modified according to UXD spec. Some facet groups will have more descriptive labels. Some others will not have any labels because the facet tab is self-explanatory.
>
> Ticket #1423, #1561

ACK. Pushed to master

From ayoung at redhat.com Mon Aug 8 16:00:41 2011
From: ayoung at redhat.com (Adam Young)
Date: Mon, 08 Aug 2011 12:00:41 -0400
Subject: [Freeipa-devel] [PATCH] 236 Fixed 3rd level tab style.
In-Reply-To: <4E4007AF.4010007@redhat.com>
References: <4E3C1668.9080506@redhat.com> <4E4007AF.4010007@redhat.com>
Message-ID: <4E400829.2000000@redhat.com>

On 08/08/2011 11:58 AM, Adam Young wrote:
> On 08/05/2011 12:12 PM, Endi Sukma Dewata wrote:
>> The 3rd level tab style has been adjusted according to UXD input.
>
> ACK

Pushed to master

From jdennis at redhat.com Mon Aug 8 16:13:06 2011
From: jdennis at redhat.com (John Dennis)
Date: Mon, 08 Aug 2011 12:13:06 -0400
Subject: [Freeipa-devel] Correct xmlrpc-c version?
In-Reply-To: <1312818136.29048.33.camel@dhcp-25-52.brq.redhat.com>
References: <4E3FEDAD.3010704@redhat.com> <1312818136.29048.33.camel@dhcp-25-52.brq.redhat.com>
Message-ID: <4E400B12.1040601@redhat.com>

On 08/08/2011 11:42 AM, Martin Kosek wrote:
> On Mon, 2011-08-08 at 10:07 -0400, John Dennis wrote:
>> I checked today to see if we have a new xmlrpc-c package that meets our release requirements for 2.1. I see that 1.27.4 was built earlier today for F16 and F17 with the changelog comment just saying it was upgraded to latest upstream (is that our fix?). The upstream tarball does not have a changelog :-( but there is a reference to this URL for change history:
>>
>> http://xmlrpc-c.sourceforge.net/change.html
>>
>> But not much useful information there either.
>>
>> Can someone tell me *exactly* what it is we're waiting for so I can be sure we've got the right release? Also it doesn't look like there has been a rebuild of F15 for a long time so even if F16 and F17 have 1.27.4 and 1.27.4 is what we're looking for (is it?) then that still doesn't meet our needs because we're targeting F15 right?
>
> Good news is that the problem in curl package has been fixed and was built for F-15:
>
> https://admin.fedoraproject.org/updates/curl-7.21.3-9.fc15
>
> But we need this change to be propagated to the xmlrpc-c too. As you wrote, there is already a fixed version for F-16 and F-17: xmlrpc-c-1.16.24. I checked the source code, the GSSAPI delegation fix should be there. We just need to ask them to release an update for F-15 too. Adding xmlrpc-c Fedora owner to the CC list. Enrico, can you please release the package for F-15 too?
>
> When all this is ready, I plan to immediately send a patch & update our .spec to make this work on F-15.

You're talking about just the Fedora spec file right? Aren't we also supposed to be doing a RHEL 6.2 build and doesn't RHEL 6.2 have the same issues and requirements?

--
John Dennis
Looking to carve out IT costs?
www.redhat.com/carveoutcosts/

From JR.Aquino at citrix.com Mon Aug 8 16:16:09 2011
From: JR.Aquino at citrix.com (JR Aquino)
Date: Mon, 8 Aug 2011 16:16:09 +0000
Subject: [Freeipa-devel] [PATCH] 34 Create FreeIPA CLI Plugin for the 389 Auto Membership plugin
In-Reply-To: <1312794245.29048.21.camel@dhcp-25-52.brq.redhat.com>
References: <99CC5FCC-73CE-43C1-9B73-4DDD69A4637D@citrixonline.com> <1310730613.32137.22.camel@dhcp-25-52.brq.redhat.com> <4E2054E3.5060306@redhat.com> <84A3F669-CCF3-4C6C-9525-5BD4A71E6E1E@citrixonline.com> <4E26F657.8030901@redhat.com> <3D1116E1-B782-4F43-B6DA-08E8FCFC34A1@citrixonline.com> <4E279A3C.5040900@redhat.com> <328D74A5-F560-4DC6-8E5F-413AFDCCAABC@citrixonline.com> <1311246577.17378.28.camel@dhcp-25-52.brq.redhat.com> <4E28384A.708@redhat.com> <0BF013EE-B1ED-4953-94ED-F3BA825CFE78@citrixonline.com> <60FB2C65-DFB4-41B4-A51F-78FE89BB1A1E@citrixonline.com> <1312202461.2484.4.camel@dhcp-25-52.brq.redhat.com> <4E36A27F.4020908@redhat.com> <4E37F3AD.1030801@redhat.com> <45137A51-4797-4A17-B3B0-A4301D9A0C85@citrixonline.com> <1312794245.29048.21.camel@dhcp-25-52.brq.redhat.com>
Message-ID:

On Aug 8, 2011, at 2:04 AM, Martin Kosek wrote:
> On Fri, 2011-08-05 at 18:36 +0000, JR Aquino wrote:
>> ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
>> Jr Aquino, GCIH | Information Security Specialist
>> Citrix Online | 7408 Hollister Avenue | Goleta, CA 93117
>> T: +1 805.690.3478
>> jr.aquino at citrixonline.com
>> http://www.citrixonline.com
>>
>> On Aug 2, 2011, at 5:55 AM, Rob Crittenden wrote:
>>
>>> JR Aquino wrote:
>>>> On Aug 1, 2011, at 5:56 AM, Rob Crittenden wrote:
>>>>
>>>>> Martin Kosek wrote:
>>>>>> On Sat, 2011-07-30 at 00:54 +0000, JR Aquino wrote:
>>>>>>> On Jul 21, 2011, at 8:53 AM, JR Aquino wrote:
>>>>>>>
>>>>>>>> On Jul 21, 2011, at 7:31 AM, Rob Crittenden wrote:
>>>>>>>>
>>>>>>>>> Martin Kosek wrote:
>>>>>>>>>> On Thu, 2011-07-21 at 03:37 +0000, JR Aquino wrote:
>>>>>>>>>>>>> Rob, I'm afraid I believe that ldap lookup is necessary. The user inputs a standard string to represent the possible host group? If I simply perform a get_dn it will indeed provide a dn, however, it won't verify that the host group actually exists? (you don't want to create an assignment rule for a non-existent target host group)
>>>>>>>>>>>>>
>>>>>>>>>>>>> Martin, (except for the name Clarity), I have addressed your observations in this latest patch. Could you please have a look and let me know if there is anything else I need to take care of?
>>>>>>>>>>
>>>>>>>>>> Great, preparing the command parameters in pre_callback is much cleaner.
>>>>>>>>>>
>>>>>>>>>>>> Good point about the LDAP lookup.
>>>>>>>>>>>>
>>>>>>>>>>>> This looks a lot better but there are still a few issues:
>>>>>>>>>>>>
>>>>>>>>>>>> If group_dn is in the object then you can use self.obj.handle_not_found(*keys) for the NotFound.
>>>>>>>>>>>
>>>>>>>>>>> Ok, I will give that a shot!
>>>>>>>>>>>
>>>>>>>>>>>> Or if it can't be moved, in the calls to group_dn() you can use the ldap handle passed into pre_callback.
>>>>>>>>>>>>
>>>>>>>>>>>> I guess you are using the includetype tuple to avoid coding long variable names everywhere? Would a symbol be better, eg:
>>>>>>>>>>>>
>>>>>>>>>>>> INCLUDE_RE = 'automemberinclusiveregex'
>>>>>>>>>>>> EXCLUDE_RE = 'automemberexclusiveregex'
>>>>>>>>>>>
>>>>>>>>>>> That works, I'll swap em.
>>>>>>>>>>
>>>>>>>>>> I agree with Rob here, this will make the code better.
>>>>>>>>>>
>>>>>>>>>>>> Is there a way to validate the regex?
>>>>>>>>>>>
>>>>>>>>>>> Now that you mention it, I believe if I import re, we should be able to validate the initial regex and raise an exception if it is bogus.
>>>>>>>>>>>
>>>>>>>>>>>> If we were to add an equivalent user group handler would it be the same code in add_condition and remove_condition? It is sort of nice to have everything together at the moment, I suspect it will need to be generalized at some point.
>>>>>>>>>>>
>>>>>>>>>>> Well. For the groups, I was thinking it starts to get a little different. I would still reuse the condition, but I believe I would pivot users into groups based upon something like their manager?
>>>>>>>>>>>
>>>>>>>>>>>> Adding a clarity with no rules won't let you add rules:
>>>>>>>>>>>>
>>>>>>>>>>>> # ipa hostgroup-add --desc=hg1 hg1
>>>>>>>>>>>> # ipa hostgroupclarity-add hg1
>>>>>>>>>>>> # ipa hostgroupclarity-add-condition --exclusive-hostname-regex=^web5\.example\.com hg1
>>>>>>>>>>>> ipa: ERROR: no modifications to be performed
>>>>>>>>>>>
>>>>>>>>>>> This ^ is deliberate, you cannot add an exclusion rule if there is no existing or simultaneous inclusive rule. :) Martin asked for that, and I think it's wise.
>>>>>>>>>>
>>>>>>>>>> Yes, it is wise :-) But the error message is really not clear to the user. We should tell him that there must be at least one inclusive rule.
>>>>>>>>>>
>>>>>>>>>> I wonder if we shouldn't force user to create a hostgroupclarity object with at least one inclusive rule and then make sure that in all operations at least one inclusive rule stays here. Or we could delete the empty LDAP object after the last inclusive rule is removed, as we do with DNS record LDAP objects in dnsrecord-del.
>>>>>>>>>>
>>>>>>>>>>>> The way you explained clarity today in IRC, how it brings clarity to managing membership with names no human can grok, I got it. Still, clarity is a bit awkward as a name. automember might be a better choice.
>>>>>>>>>>>
>>>>>>>>>>> Fair enough ;) I tried, perhaps I can /allude/ to it in the help / docs. automember it is.
>>>>>>>>>>>
>>>>>>>>>>> One final class I have been struggling with that I want to add?
>>>>>>>>>>>
>>>>>>>>>>> The object and attribute which defines the 'default group' is the parent of the actual rules? i.e. cn=hostgroup,cn=automember,cn=etc?
>>>>>>>>>>>
>>>>>>>>>>> The ipa cli seems to only want to let me make mods that assume I am specifying a target object on the cli? "ipa hostgroupautomember-default-group=foo" <- in this scenario, we don't actually want or need a rule name because it's the container above? I have had success making the writes, but the cli syntax just doesn't lend itself to that level of abstraction?
>>>>>>>>>>>
>>>>>>>>>>> Any suggestions?
>>>>>>>>>>
>>>>>>>>>> I think the best shot would be to create a new command and overload the execute method in that case. Like in hbacrule_enable. You would be able to set dn correctly here and do the update. Does it make sense? Rob?
>>>>>>>>>>
>>>>>>>>>> Martin
>>>>>>>>>
>>>>>>>>> I agree. We are better off abstracting things now so we can get the API right.
>>>>>>>>>
>>>>>>>>> I think we can stick more or less with the command names, just in a new plugin and some new arguments.
>>>>>>>>>
>>>>>>>>> I see the plugin with the following methods:
>>>>>>>>>
>>>>>>>>> Each takes a single argument, the name of the rule. I don't think I'd stick type into the DN so you wouldn't be able to use the same rule name for different object types. If we want to allow that then we'd need to add --type to a lot more commands.
>>>>>>>>>
>>>>>>>>> There is no mod to change types, you have to delete and re-add.
>>>>>>>>>
>>>>>>>>> automember-add Add an automember rule
>>>>>>>>>     --type=ENUM (hostgroup, group)
>>>>>>>>>     --desc=STR description of this auto membership rule
>>>>>>>>>     --inclusive-regex=LIST Inclusive Regex
>>>>>>>>>     --exclusive-regex=LIST Exclusive Regex
>>>>>>>>>
>>>>>>>>> automember-add-condition Add conditions to automember rule
>>>>>>>>>     --inclusive-regex=LIST Inclusive Regex
>>>>>>>>>     --exclusive-regex=LIST Exclusive Regex
>>>>>>>>>
>>>>>>>>> automember-del Delete an automember rule
>>>>>>>>>
>>>>>>>>> automember-find Search for automember rules
>>>>>>>>>     --type=ENUM (hostgroup, group)
>>>>>>>>>
>>>>>>>>> automember-mod Modify an automember rule.
>>>>>>>>
>>>>>>>> automember-default-group Set a default group for auto membership
>>>>>>>>     --group/hostgroup=STR
>>>>>>>>
>>>>>>>>> automember-remove-condition Remove conditions from an automember rule
>>>>>>>>>     --inclusive-regex=LIST Inclusive Regex
>>>>>>>>>     --exclusive-regex=LIST Exclusive Regex
>>>>>>>>>
>>>>>>>>> automember-show Display an automember rule
>>>>>>>
>>>>>>> New Patch attached.
>>>>>>>
>>>>>>> I believe I have addressed the issues highlighted in the thread.
>>>>>>
>>>>>> Hello JR,
>>>>>>
>>>>>> Thanks for the patch, the new approach with automember as a separate plugin is much better and more extensible. I reviewed it and have some feedback:
>>>>>>
>>>>>> 1) I see that autoMemberScope in automember plugin configuration is set to $SUFFIX. Why don't we use cn=hostgroups,cn=accounts,dc=idm,dc=lab,dc=bos,dc=redhat,dc=com and cn=hostgroups,cn=accounts,dc=idm,dc=lab,dc=bos,dc=redhat,dc=com. IMO this would improve performance
>>>>>
>>>>> I believe the scope defines where to find automatic members, so it should point to cn=computerss,cn=$SUFFIX.
>>>>
>>>> autoMemberScope needs to point to the lowest common denominator where the plugin will detect the insertion of new ldap objects that match the rules:
>>>> (http://directory.fedoraproject.org/wiki/Auto_Membership_Design#Example_Configuration_Entries)
>>>>
>>>> With that in mind, it seems that we need to point it to cn=accounts,$SUFFIX
>>>>
>>>>>> 2) Plugin is not configured correctly on a replica: nsslapd-pluginConfigArea in cn=Auto Membership Plugin,cn=plugins,cn=config is not created. Since cn=config is not replicated, it needs to be updated also on a replica. Plus, "Applying LDAP updates" got stuck in my case for some reason.
>>>>
>>>> I will be correcting this with Rob's suggestion in irc of moving the operation into __common_setup
>>>>
>>>>>> 3) I cannot use --inclusive-regex in ipa automember-add even though it is stated in help that I can
>>>>>>
>>>>>> # ipa automember-add --type=hostgroup --inclusive-regex=^web[1-9]\.example\.com tgroup
>>>>>> Usage: ipa [global-options] automember-add AUTOMEMBER-RULE [options]
>>>>>>
>>>>>> ipa: error: no such option: --inclusive-regex
>>>>>
>>>>> I had him remove this. No other command lets you add an entry and members at the same time.
>>>>
>>>> I will be removing reference to this in the help/doc. Thank you for catching it.
>>>>
>>>>>> 4) Error message when removing a condition is not clear:
>>>>>> # ipa automember-show --type=hostgroup tgroup
>>>>>> Automember Rule: tgroup
>>>>>> Inclusive Regex: fqdn=^web[1-9].example.com, fqdn=^www[1-9].example.com
>>>>>> Exclusive Regex: fqdn=^www5.example.com
>>>>>>
>>>>>> Can we detect this situation and change it to something like "Condition not found"?
>>>>
>>>> It appears as though this situation is trickier than just 'condition not found'.
>>>> >>>> Since we can provide a list of both inclusive and exclusive regex, and any one of the provided entries could be /not found/ it looks as though I will need to replicate the functionality of 'failed' similar to how they are treated when removing a list of users/hosts from a group/hostgroup where some of the members are non-existant. >>>> >>>> It looks like I need to return a failed list, but it is not currently clear how to accomplish that in an LDAPUpdate pre/post_callback, as those are really only looking for the return of a 'dn' >>>> >>>>>> >>>>>> 5) Having a rule with just an exclusive rule does not make sense - can >>>>>> we handle it? >>>>>> # ipa automember-show --type=hostgroup tgroup >>>>>> Automember Rule: tgroup >>>>>> Inclusive Regex: fqdn=^web[1-9].example.com, fqdn=^www[1-9].example.com >>>>>> Exclusive Regex: fqdn=^www5.example.com >>>>>> # ipa automember-remove-condition --type=hostgroup tgroup --inclusive-regex=^web[1-9]\.example\.com --inclusive-regex=^www[1-9]\.example\.com >>>>>> -------------------------------- >>>>>> Removed condition(s) to "tgroup" >>>>>> -------------------------------- >>>>>> Automember Rule: tgroup >>>>>> Exclusive Regex: fqdn=^www5.example.com >>>> >>>> I am adding additional checks to verify that we don't create/leave a rule with a sole exclusive regex. >>>> >>>>>> 6) Command names for automember default group seems inconsistent: >>>>>> automember-add-default-group Set default group for all unmatched entries. >>>>>> automember-default-group-show Display information about the default automember groups. >>>>>> automember-remove-default-group Remove default group for all unmatched entries. >>>>>> >>>>>> If we would follow the same patter, "automember-default-group-show" >>>>>> should be automember-show-default-group >>>>> >>>>> I think it should be automember-default-group-*. Since there is only one >>>>> default for something I thing it should be set instead of add. 
>>>> >>>> I agree with Rob: >>>> ipa automember-default-group-set >>>> ipa automember-default-group-remove >>>> ipa automember-default-group-show >>>> >>>>> >>>>>> 7) Parameters of the automember default group seems inconsistent too: >>>>>> a) --desc parameter present in automember-add-default-group and >>>>>> automember-remove-default-group should not be here >>>>>> b) Grouping Type of the automember type is passed as an argument in >>>>>> automember-remove-default-group and automember-default-group-show >>>>>> instead of --type=STR as in all other commands >>>> >>>> This is deliberate. >>>> >>>> The framework has a mandatory requirement of at least 1 argument. >>>> >>>> Since these 3 operations require us to operate on parent object's, it does not make sense to force it to provide a 'rule' as the modification does not take place on any 1 rule, but rather the container which they are apart of. >>>> I am open to suggestions... >>>> >>>>>> >>>>>> 8) automember.py: In >>>>>> automember_add_condition/automember_remove_condition I see 2 almost >>>>>> identical branches of code - a lot of redundancy. Couldn't we >>>>>> consolidate them, for example to one "for attr in (INCLUDE_RE, >>>>>> EXCLUDE_RE):" construct? >>>> >>>> I will see what I can do to accommodate this. It is likely that there will need to be several pivot points to provide the logic required to prevent the addition of an exclusive regex without an inclusive one present. Likewise with the deletion of the last inclusive regex when there is at least 1 exclusive regex present. >>>> >>>>>> >>>>>> 9) test_automember_plugin.py: the test class should be named >>>>>> test_automember, not test_user >>>> >>>> Ah. Thanks! >>>> >>>>>> >>>>>> Martin >>>>>> >>>>> >>>>> I'm also wondering about hardcoding a key. Is there a reason we can't >>>>> ask the regex writer to simply include this themselves? >>>> >>>> I am fairly opposed to removing 'default' attrs which the rules are applied to... 
I am happy to provide a means to override them. >>>> >>>> While it may be second nature for all of us to know that there is an fqdn attribute, etc, our consumers are likely not going to intrinsically know our schema. We also deliberately mask the real attribute names in the framework. (fqdn = Host name) >>>> >>>> Providing a default feels like a happy medium which allows for ease of use and somewhat of a safety belt against users defining an incorrect attribute name. >>>> >>>> It also might get somewhat tiring to constantly provide --key=fqdn every time you add a hostname regex? >>> >>> Ok, but when you display rules fqdn is displayed. How are users to know >>> they shouldn't include fqdn= when removing existing rules? >>> >>>>> >>>> >>>> Stand by for a follow up patch later today after I figure out how to better account for the failed manipulation of conditions. >>>> >> >> Final Draft Patch attached, Please review. >> >> The API should all be straightened out. >> The handling of adding/removing of conditions has been greatly improved. >> We now require type and key for conditionals. >> A schema check is performed to catch any bad attributes. >> >> Exclusive Conditions: I've thought more about it, and it is a benign condition that does not effect the state of the system. >> Similarly, Sudo rules can contain deny commands with no additional data which are also benign. I would like to propose that those all cases where this is possible in FreeIPA be reviewed in the future rather than excluding this patch from being committed to master. >> > > I think you attached a wrong patch, its same as the previous one. Btw. > if you use freeipa-jraquino-PATCH_NO-PATCH_VER-description.patch naming, > it is simpler to recognize the version of the patch. Opps! Attached is the corrected patch. Tripled checked that it has the correct modifications. -------------- next part -------------- A non-text attachment was scrubbed... 
Name: freeipa-jraquino-0034-Create-FreeIPA-CLI-Plugin-for-the-389-Auto-Membershi.patch Type: application/octet-stream Size: 51517 bytes Desc: freeipa-jraquino-0034-Create-FreeIPA-CLI-Plugin-for-the-389-Auto-Membershi.patch URL: From edewata at redhat.com Mon Aug 8 18:34:42 2011 From: edewata at redhat.com (Endi Sukma Dewata) Date: Mon, 08 Aug 2011 13:34:42 -0500 Subject: [Freeipa-devel] [PATCH] 238 Fixed error after login on IE Message-ID: <4E402C42.6040801@redhat.com> The IE does not resend the request body during negotiation, so after a successful authentication the server could not find the JSON request to parse. The Web UI has been modified to detect this error and resend the initialization request. Ticket #1540 -- Endi S. Dewata -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-edewata-0238-Fixed-error-after-login-on-IE.patch Type: text/x-patch Size: 6867 bytes Desc: not available URL: From ayoung at redhat.com Mon Aug 8 18:47:03 2011 
From: ayoung at redhat.com (Adam Young) Date: Mon, 08 Aug 2011 14:47:03 -0400 Subject: [Freeipa-devel] [PATCH] 003 Redirection after changing browser configuration In-Reply-To: <4E3FE9A3.5080301@redhat.com> References: <1312550545.20559.59.camel@dhcp-25-197.brq.redhat.com> <4E3C5CAD.8000200@redhat.com> <4E3FE9A3.5080301@redhat.com> Message-ID: <4E402F27.2070508@redhat.com> On 08/08/2011 09:50 AM, Petr Vobornik wrote: > On 08/05/2011 11:12 PM, Adam Young wrote: >> On 08/05/2011 09:22 AM, Petr Vobornik wrote: >>> Redirection after changing browser configuration >>> >>> https://fedorahosted.org/freeipa/ticket/1502 >>> >>> Added redirection link. >>> >>> Notes: >>> Modified preferences.html.template to be able to respond to the >>> configuration change. >>> >>> Because of security policy the page cannot be automatically redirected. >>> (has to redirect top frame). -> Message with link was added. >>> >>> Redirection link has to use an absolute url because the page is situated in >>> an object frame and its location points to a jar archive. >>> >>> >>> >>> _______________________________________________ >>> Freeipa-devel mailing list >>> Freeipa-devel at redhat.com >>> https://www.redhat.com/mailman/listinfo/freeipa-devel >> Looks good. The formatting of the Link at the end is wrapped around >> across multiple lines. Of course, right now, we are missing the css >> there, so maybe it is due to the stylesheet error. >> If you can put the message on one line and the link on the second, I'd >> consider it ACKed >> >> >> _______________________________________________ >> Freeipa-devel mailing list >> Freeipa-devel at redhat.com >> https://www.redhat.com/mailman/listinfo/freeipa-devel > > The link alone can't fit on a single line. > - I have expanded the object's area. (and cleaned css from trailing > white spaces in the process) > - Added css in preferences template in order to look good. In the > future it would be better to remove these css and reuse ipa_error.css. 
> But it has to be included in the jar (I don't know where to do it). > - Corrected object tag ending so the "Back to the Web UI" link is > displayed even if the user has not configured Firefox (this can be useful > for other browsers' users or if the user doesn't want to configure the browser. > But it is redundant with the link which is displayed after > configuration.). > > > _______________________________________________ > Freeipa-devel mailing list > Freeipa-devel at redhat.com > https://www.redhat.com/mailman/listinfo/freeipa-devel OK, ACKed and pushed to master. edewata is working on a fix for the CSS for the error/config pages. Please make sure to integrate that fix with tuning the layout issues for this one. -------------- next part -------------- An HTML attachment was scrubbed... URL: From jhrozek at redhat.com Mon Aug 8 19:32:11 2011 
From: jhrozek at redhat.com (Jakub Hrozek) Date: Mon, 08 Aug 2011 21:32:11 +0200 Subject: [Freeipa-devel] Correct xmlrpc-c version? In-Reply-To: <4E400B12.1040601@redhat.com> References: <4E3FEDAD.3010704@redhat.com> <1312818136.29048.33.camel@dhcp-25-52.brq.redhat.com> <4E400B12.1040601@redhat.com> Message-ID: <4E4039BB.5040806@redhat.com> On 08/08/2011 06:13 PM, John Dennis wrote: > On 08/08/2011 11:42 AM, Martin Kosek wrote: >> On Mon, 2011-08-08 at 10:07 -0400, John Dennis wrote: >>> I checked today to see if we have a new xmlrpc-c package that meets our >>> release requirements for 2.1. I see that 1.27.4 was built earlier today >>> for F16 and F17 with the changelog comment just saying it was upgraded >>> to latest upstream (is that our fix?). The upstream tarball does not >>> have a changelog :-( but there is a reference to this URL for change >>> history: >>> >>> http://xmlrpc-c.sourceforge.net/change.html >>> >>> But not much useful information there either. >>> >>> Can someone tell me *exactly* what it is we're waiting for so I can be >>> sure we've got the right release? Also it doesn't look like there has >>> been a rebuild of F15 for a long time so even if F16 and F17 have 1.27.4 >>> and 1.27.4 is what we're looking for (is it?) then that still doesn't >>> meet our needs because we're targeting F15 right? >>> >> >> Good news is that the problem in curl package has been fixed and was >> built for F-15: >> >> https://admin.fedoraproject.org/updates/curl-7.21.3-9.fc15 >> >> But we need this change to be propagated to the xmlrpc-c too. As you >> wrote, there is already a fixed version for F-16 and F-17: >> xmlrpc-c-1.16.24. I checked the source code, the GSSAPI delegation fix >> should be there. We just need to ask them to release an update for F-15 >> too. Adding xmlrpc-c Fedora owner to the CC list. Enrico, can you please >> release the package for F-15 too? 
>> >> When all this is ready, I plan to immediately send a patch & update >> our .spec to make this work on F-15. > > You're talking about just the Fedora spec file right? Aren't we also > supposed to be doing a RHEL 6.2 build and doesn't RHEL 6.2 have the same > issues and requirements? > Correct - the relevant 6.2 bug is this one: https://bugzilla.redhat.com/show_bug.cgi?id=719945 The status is still ASSIGNED as of now so I think the patch has not been submitted to CVS yet (although Kamil referenced an upstream commit). I've put the RHEL maintainer to CC so he can comment on the ETA of the RHEL fix. From edewata at redhat.com Mon Aug 8 21:13:07 2011 From: edewata at redhat.com (Endi Sukma Dewata) Date: Mon, 08 Aug 2011 16:13:07 -0500 Subject: [Freeipa-devel] [PATCH] 239 Fixed host adder dialog. Message-ID: <4E405163.4070702@redhat.com> The host adder dialog has been modified to use separate fields for hostname and DNS zone. The hostname is a text field and the DNS zone is an editable drop-down list. The fields will have the following behavior: - If the user types a dot into the hostname field, the cursor will automatically move into the DNS zone field. - If the user pastes an FQDN into the hostname field, the value will automatically be split into hostname and DNS zone. - If the user selects a value from the drop-down list, it will only change the DNS zone, not the hostname. Ticket #1457 -- Endi S. Dewata -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-edewata-0239-Fixed-host-adder-dialog.patch Type: text/x-patch Size: 7713 bytes Desc: not available URL: From ayoung at redhat.com Tue Aug 9 02:17:52 2011 
From: ayoung at redhat.com (Adam Young) Date: Mon, 08 Aug 2011 22:17:52 -0400 Subject: [Freeipa-devel] [PATCH] 239 Fixed host adder dialog. In-Reply-To: <4E405163.4070702@redhat.com> References: <4E405163.4070702@redhat.com> Message-ID: <4E4098D0.9000709@redhat.com> On 08/08/2011 05:13 PM, Endi Sukma Dewata wrote: > The host adder dialog has been modified to use separate fields for > hostname and DNS zone. The hostname is a text field and the DNS zone > is an editable drop-down list. The fields will have the following > behavior: > > - If the user types a dot into the hostname field, the cursor will > automatically move into the DNS zone field. > - If the user pastes an FQDN into the hostname field, the value will > automatically be split into hostname and DNS zone. > - If the user selects a value from the drop-down list, it will only > change the DNS zone, not the hostname. > > Ticket #1457 > > > _______________________________________________ > Freeipa-devel mailing list > Freeipa-devel at redhat.com > https://www.redhat.com/mailman/listinfo/freeipa-devel The JQuery code drawing the table in the create method is cut-and-paste.. It should be possible to make it look right without redrawing the whole table. These two fields should be put into their own section, which can then be responsible for drawing just the rows responsible for these fields, leaving the default behavior for the other rows. -------------- next part -------------- An HTML attachment was scrubbed... URL: From mkosek at redhat.com Tue Aug 9 08:32:41 2011 
From: mkosek at redhat.com (Martin Kosek) Date: Tue, 09 Aug 2011 10:32:41 +0200 Subject: [Freeipa-devel] [PATCH] 107 Fix idnsUpdatePolicy for reverse zone record Message-ID: <1312878764.19265.10.camel@dhcp-25-52.brq.redhat.com> Make sure that idnsUpdatePolicy for reverse zone does not contain double trailing "dot" after server installation. https://fedorahosted.org/freeipa/ticket/1591 -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-mkosek-107-fix-idnsupdatepolicy-for-reverse-zone-record.patch Type: text/x-patch Size: 1291 bytes Desc: not available URL: From abokovoy at redhat.com Tue Aug 9 09:02:23 2011 From: abokovoy at redhat.com (Alexander Bokovoy) Date: Tue, 09 Aug 2011 12:02:23 +0300 Subject: [Freeipa-devel] [PATCH] 107 Fix idnsUpdatePolicy for reverse zone record In-Reply-To: <1312878764.19265.10.camel@dhcp-25-52.brq.redhat.com> References: <1312878764.19265.10.camel@dhcp-25-52.brq.redhat.com> Message-ID: <4E40F79F.4060605@redhat.com> On 09.08.2011 11:32, Martin Kosek wrote: > Make sure that idnsUpdatePolicy for reverse zone does not contain > double trailing "dot" after server installation. > > https://fedorahosted.org/freeipa/ticket/1591 ACK. -- / Alexander Bokovoy From mkosek at redhat.com Tue Aug 9 10:56:19 2011 
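The patch above is described in one line; as an added example that is not FreeIPA's installer code and not part of this thread, the following derives a reverse zone name from a network and builds its dynamic-update policy while normalizing the trailing dot, so a zone passed as "1.168.192.in-addr.arpa." and one passed without the dot yield the same grant and a double dot cannot appear. The grant form "grant REALM krb5-subdomain ZONE PTR;" is a reconstruction of the usual Kerberos-authenticated PTR grant, not a quotation from the patch; the realm and networks used are constructed.

```python
import ipaddress

# Added example, not FreeIPA's bindinstance code. The grant statement shape is
# a reconstruction; realm and network values in the tests are constructed.


def normalize_zone(name):
    """Return the zone as a fully qualified name with exactly one trailing dot.

    rstrip('.') removes any number of trailing dots, so "zone.", "zone.." and
    "zone" all normalise to "zone."; this is the step that prevents the
    double dot described in the ticket.
    """
    name = name.strip().rstrip('.')
    if not name:
        raise ValueError('empty zone name')
    return name + '.'


def reverse_zone_for(network):
    """Reverse zone for an octet-aligned IPv4 network (/8, /16, /24, /32)
    or a nibble-aligned IPv6 network (prefix length multiple of 4)."""
    net = ipaddress.ip_network(network, strict=True)
    if net.version == 4:
        if net.prefixlen == 0 or net.prefixlen % 8:
            raise ValueError('IPv4 reverse zones need a /8, /16, /24 or /32 prefix')
        octets = str(net.network_address).split('.')[: net.prefixlen // 8]
        return normalize_zone('.'.join(reversed(octets)) + '.in-addr.arpa')
    if net.prefixlen == 0 or net.prefixlen % 4:
        raise ValueError('IPv6 reverse zones need a nibble-aligned prefix')
    nibbles = net.network_address.exploded.replace(':', '')[: net.prefixlen // 4]
    return normalize_zone('.'.join(reversed(nibbles)) + '.ip6.arpa')


def reverse_zone_update_policy(realm, zone):
    """Policy granting principals of REALM the right to update PTR records
    in the zone. The zone is normalised first, so the result does not depend
    on whether the caller supplied it with or without a trailing dot."""
    policy = 'grant %s krb5-subdomain %s PTR;' % (realm, normalize_zone(zone))
    if '..' in policy:
        # Cannot happen after normalize_zone(); kept as an explicit invariant.
        raise ValueError('malformed zone name in update policy: %s' % policy)
    return policy
```

Feeding the same zone with and without the trailing dot into reverse_zone_update_policy() is the regression check this ticket calls for.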
From: mkosek at redhat.com (Martin Kosek) Date: Tue, 09 Aug 2011 12:56:19 +0200 Subject: [Freeipa-devel] [PATCH] 107 Fix idnsUpdatePolicy for reverse zone record In-Reply-To: <4E40F79F.4060605@redhat.com> References: <1312878764.19265.10.camel@dhcp-25-52.brq.redhat.com> <4E40F79F.4060605@redhat.com> Message-ID: <1312887381.19265.11.camel@dhcp-25-52.brq.redhat.com> On Tue, 2011-08-09 at 12:02 +0300, Alexander Bokovoy wrote: > On 09.08.2011 11:32, Martin Kosek wrote: > > Make sure that idnsUpdatePolicy for reverse zone does not contain > > double trailing "dot" after server installation. > > > > https://fedorahosted.org/freeipa/ticket/1591 > ACK. > Pushed to master. Martin From pvoborni at redhat.com Tue Aug 9 11:06:40 2011 From: pvoborni at redhat.com (Petr Vobornik) Date: Tue, 09 Aug 2011 13:06:40 +0200 Subject: [Freeipa-devel] [PATCH] 238 Fixed error after login on IE In-Reply-To: <4E402C42.6040801@redhat.com> References: <4E402C42.6040801@redhat.com> Message-ID: <4E4114C0.7030408@redhat.com> On 08/08/2011 08:34 PM, Endi Sukma Dewata wrote: > The IE does not resend the request body during negotiation, so after > a successful authentication the server could not find the JSON > request to parse. > > The Web UI has been modified to detect this error and resend the > initialization request. > > Ticket #1540 > > > > _______________________________________________ > Freeipa-devel mailing list > Freeipa-devel at redhat.com > https://www.redhat.com/mailman/listinfo/freeipa-devel Code looks good. But, I didn't test it in IE9, because I don't have one, nor a Windows VM (will try to get one). Modifications in error handling are OK. If it really works in IE I would consider it ACKed. -- Petr Vobornik From mkosek at redhat.com Tue Aug 9 11:14:14 2011 
From: mkosek at redhat.com (Martin Kosek) Date: Tue, 09 Aug 2011 13:14:14 +0200 Subject: [Freeipa-devel] [PATCH] 36 Ask for reverse DNS zone information right after asking for DNS forwarders In-Reply-To: <4E3FDEBE.5080008@redhat.com> References: <4E3FDEBE.5080008@redhat.com> Message-ID: <1312888457.19265.12.camel@dhcp-25-52.brq.redhat.com> On Mon, 2011-08-08 at 15:03 +0200, Jan Cholasta wrote: > This patch modifies ipa-server-install and ipa-dns-install so that they > ask for reverse DNS zone information right after asking for DNS > forwarders so that DNS configuration is done in one place. > > https://fedorahosted.org/freeipa/ticket/1522 > > Honza > ACK. Pushed to master. Martin From pvoborni at redhat.com Tue Aug 9 12:12:39 2011 
From: pvoborni at redhat.com (Petr Vobornik) Date: Tue, 09 Aug 2011 14:12:39 +0200 Subject: [Freeipa-devel] [PATCH] 239 Fixed host adder dialog. In-Reply-To: <4E405163.4070702@redhat.com> References: <4E405163.4070702@redhat.com> Message-ID: <4E412437.2040804@redhat.com> On 08/08/2011 11:13 PM, Endi Sukma Dewata wrote: > The host adder dialog has been modified to use separate fields for > hostname and DNS zone. The hostname is a text field and the DNS zone > is an editable drop-down list. The fields will have the following > behavior: > > - If the user types a dot into the hostname field, the cursor will > automatically move into the DNS zone field. > - If the user pastes an FQDN into the hostname field, the value will > automatically be split into hostname and DNS zone. > - If the user selects a value from the drop-down list, it will only > change the DNS zone, not the hostname. > > Ticket #1457 > > > > _______________________________________________ > Freeipa-devel mailing list > Freeipa-devel at redhat.com > https://www.redhat.com/mailman/listinfo/freeipa-devel NACK "Add and edit" without an existing DNS reverse zone doesn't redirect to the edit page. Field 'fqdn' doesn't exist any more so getting fqdn from field in host.js:280 "fqdn: that.get_field('fqdn').save()" isn't functional. -- Petr Vobornik From mkosek at redhat.com Tue Aug 9 12:17:36 2011 
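The FQDN split that patch 239 describes, and the reassembly the NACK above points at, written out as an added example that is not the FreeIPA Web UI's JavaScript and not part of this thread. split_fqdn() matches a pasted value against the known DNS zones, longest suffix first, falls back to splitting at the first dot when no zone matches, and tolerates a trailing dot; join_fqdn() is the inverse an "Add and Edit" flow needs once there is no single fqdn field to read. The zone lists are constructed.

```python
# Added example, not FreeIPA Web UI code. Zones used in the tests are constructed.


def split_fqdn(value, zones=()):
    """Split a pasted FQDN into (hostname, zone).

    Known zones win over a naive first-dot split, longest suffix first, so
    "www.lab.example.com" with zones example.com and lab.example.com gives
    ("www", "lab.example.com"). A value that is exactly a known zone gives
    ("", zone). Matching is case-insensitive; the zone is returned as the
    caller spelled it in `zones`. A trailing dot is dropped.
    """
    value = value.strip().rstrip('.')
    if not value:
        return '', ''
    candidates = sorted((z.strip().rstrip('.') for z in zones if z.strip()),
                        key=len, reverse=True)
    lowered = value.lower()
    for zone in candidates:
        zl = zone.lower()
        if lowered == zl:
            return '', zone
        if lowered.endswith('.' + zl):
            return value[: -(len(zone) + 1)], zone
    if '.' not in value:
        return value, ''
    host, zone = value.split('.', 1)
    return host, zone


def join_fqdn(hostname, zone):
    """Inverse of split_fqdn(): rebuild the FQDN from the two dialog fields."""
    hostname = hostname.strip().rstrip('.')
    zone = zone.strip().rstrip('.')
    if not hostname:
        raise ValueError('hostname is required')
    if '.' in hostname and not zone:
        # Caller passed an FQDN in the hostname field with an empty zone;
        # accept it unchanged rather than producing a dangling dot.
        return hostname
    return hostname if not zone else '%s.%s' % (hostname, zone)
```

join_fqdn(*split_fqdn(value, zones)) round-trips any value whose zone is in the list, which is the property the edit-after-add redirect depends on.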
From: mkosek at redhat.com (Martin Kosek) Date: Tue, 09 Aug 2011 14:17:36 +0200 Subject: [Freeipa-devel] [PATCH] 34 Create FreeIPA CLI Plugin for the 389 Auto Membership plugin In-Reply-To: References: <99CC5FCC-73CE-43C1-9B73-4DDD69A4637D@citrixonline.com> <1310730613.32137.22.camel@dhcp-25-52.brq.redhat.com> <4E2054E3.5060306@redhat.com> <84A3F669-CCF3-4C6C-9525-5BD4A71E6E1E@citrixonline.com> <4E26F657.8030901@redhat.com> <3D1116E1-B782-4F43-B6DA-08E8FCFC34A1@citrixonline.com> <4E279A3C.5040900@redhat.com> <328D74A5-F560-4DC6-8E5F-413AFDCCAABC@citrixonline.com> <1311246577.17378.28.camel@dhcp-25-52.brq.redhat.com> <4E28384A.708@redhat.com> <0BF013EE-B1ED-4953-94ED-F3BA825CFE78@citrixonline.com> <60FB2C65-DFB4-41B4-A51F-78FE89BB1A1E@citrixonline.com> <1312202461.2484.4.camel@dhcp-25-52.brq.redhat.com> <4E36A27F.4020908@redhat.com> <4E37F3AD.1030801@redhat.com> <45137A51-4797-4A17-B3B0-A4301D9A0C85@citrixonline.com> <1312794245.29048.21.camel@dhcp-25-52.brq.redhat.com> Message-ID: <1312892259.19265.18.camel@dhcp-25-52.brq.redhat.com> On Mon, 2011-08-08 at 16:16 +0000, JR Aquino wrote: > On Aug 8, 2011, at 2:04 AM, Martin Kosek wrote: > > > On Fri, 2011-08-05 at 18:36 +0000, JR Aquino wrote: > >> ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ > >> Jr Aquino, GCIH | Information Security Specialist > >> Citrix Online | 7408 Hollister Avenue | Goleta, CA 93117 > >> T: +1 805.690.3478 > >> jr.aquino at citrixonline.com > >> http://www.citrixonline.com > >> > >> On Aug 2, 2011, at 5:55 AM, Rob Crittenden wrote: > >> > >>> JR Aquino wrote: > >>>> On Aug 1, 2011, at 5:56 AM, Rob Crittenden wrote: > >>>> > >>>>> Martin Kosek wrote: > >>>>>> On Sat, 2011-07-30 at 00:54 +0000, JR Aquino wrote: > >>>>>>> On Jul 21, 2011, at 8:53 AM, JR Aquino wrote: > >>>>>>> > >>>>>>>> On Jul 21, 2011, at 7:31 AM, Rob Crittenden wrote: > >>>>>>>> > >>>>>>>>> Martin Kosek wrote: > >>>>>>>>>> On Thu, 2011-07-21 at 03:37 +0000, JR Aquino wrote: > >>>>>>>>>>>>> Rob, I'm afraid I believe that ldap lookup 
is necessary. The user inputs a standard string to represent the possible host group? If i simply perform a get_dn it will indeed provide a dn, however, it won't verify that the host group actually exists? (you don't want to create an assignment rule for a non existent target host group) > >>>>>>>>>>>>> > >>>>>>>>>>>>> > >>>>>>>>>>>>> Martin, (except for the name Clarity), I have addressed your observations in this latest patch. Could you please have a look and let me know if there is anything else I need to take care of? > >>>>>>>>>>>>> > >>>>>>>>>> > >>>>>>>>>> Great, preparing the command parameters in pre_callback is much cleaner. > >>>>>>>>>> > >>>>>>>>>>>> > >>>>>>>>>>>> Good point about the LDAP lookup. > >>>>>>>>>>>> > >>>>>>>>>>>> This looks a lot better but there are still a few issues: > >>>>>>>>>>>> > >>>>>>>>>>>> If group_dn is in the object then you can use self.obj.handle_not_found(*keys) for the NotFound. > >>>>>>>>>>> > >>>>>>>>>>> Ok, I will give that a shot! > >>>>>>>>>>> > >>>>>>>>>>>> > >>>>>>>>>>>> Or if it can't be moved, in the calls to group_dn() you can use the ldap handle passed into pre_callback. > >>>>>>>>>>>> > >>>>>>>>>>>> I guess you are using the includetype tuple to avoid coding long variable names everywhere? Would a symbol be better, eg: > >>>>>>>>>>>> > >>>>>>>>>>>> INCLUDE_RE = 'automemberinclusiveregex' > >>>>>>>>>>>> EXCLUDE_RE = 'automemberexclusiveregex' > >>>>>>>>>>> > >>>>>>>>>>> That works, I'll swap em. > >>>>>>>>>> > >>>>>>>>>> I agree with Rob here, this will make the code better. > >>>>>>>>>> > >>>>>>>>>>> > >>>>>>>>>>>> Is there a way to validate the regex? > >>>>>>>>>>> > >>>>>>>>>>> Now that you mention it, I believe if I import re, we should be able to validate the initial regex and raise an exception if it is bogus. > >>>>>>>>>>> > >>>>>>>>>>>> If we were to add an equivalent user group handler would it be the same code in add_condition and remove_condition? 
It is sort of nice to have everything together at the moment, I suspect it will need to be generalized at some point. > >>>>>>>>>>> > >>>>>>>>>>> Well. For the groups, I was thinking it starts to get a little different. I would still reuse the condition, but I believe I would pivot users into groups based upon something like their manager? > >>>>>>>>>>> > >>>>>>>>>>>> Adding a clarity with no rules won't let you add rules: > >>>>>>>>>>>> > >>>>>>>>>>>> # ipa hostgroup-add --desc=hg1 hg1 > >>>>>>>>>>>> # ipa hostgroupclarity-add hg1 > >>>>>>>>>>>> # ipa hostgroupclarity-add-condition --exclusive-hostname-regex=^web5\.example\.com hg1 > >>>>>>>>>>>> ipa: ERROR: no modifications to be performed > >>>>>>>>>>> > >>>>>>>>>>> This ^ is deliberate, you cannot add an exclusion rule if there is no existing or simultaneous inclusive rule. :) Martin asked for that, and I think it's wise. > >>>>>>>>>> > >>>>>>>>>> Yes, it is wise :-) But the error message is really not clear to the > >>>>>>>>>> user. We should tell him that there must be at least one inclusive rule. > >>>>>>>>>> > >>>>>>>>>> I wonder if we shouldn't force the user to create a hostgroupclarity object > >>>>>>>>>> with at least one inclusive rule and then make sure that in all > >>>>>>>>>> operations at least one inclusive rule stays here. Or we could delete > >>>>>>>>>> the empty LDAP object after the last inclusive rule is removed, as we do > >>>>>>>>>> with DNS record LDAP objects in dnsrecord-del. > >>>>>>>>>> > >>>>>>>>>>>> The way you explained clarity today in IRC, how it brings clarity to managing membership with names no human can grok, I got it. Still, clarity is a bit awkward as a name. automember might be a better choice. > >>>>>>>>>>> > >>>>>>>>>>> Fair enough ;) I tried, perhaps I can /allude/ to it in the help / docs. automember it is. > >>>>>>>>>>> > >>>>>>>>>>> One final class I have been struggling with that I want to add? 
> >>>>>>>>>>> > >>>>>>>>>>> The object and attribute which defines the 'default group' is the parent of the actual rules? i.e. cn=hostgroup,cn=automember,cn=etc? > >>>>>>>>>>> > >>>>>>>>>>> The ipa cli seems to only want to let me make mods that assume I am specifying a target object on the cli? "ipa hostgroupautomember-default-group=foo"<- in this scenario, we don't actually want or need a rule name because it's the container above? I have had success making the writes, but the cli syntax just doesn't lend itself to that level of abstraction? > >>>>>>>>>>> > >>>>>>>>>>> Any suggestions? > >>>>>>>>>>> > >>>>>>>>>>> > >>>>>>>>>> > >>>>>>>>>> I think the best shot would be to create a new command and overload the > >>>>>>>>>> execute method in that case. Like in hbacrule_enable. You would be able > >>>>>>>>>> to set dn correctly here and do the update. Does it make sense? Rob? > >>>>>>>>>> > >>>>>>>>>> Martin > >>>>>>>>>> > >>>>>>>>> > >>>>>>>>> I agree. We are better off abstracting things now so we can get the API right. > >>>>>>>>> > >>>>>>>>> I think we can stick more or less with the command names, just in a new plugin and some new arguments. > >>>>>>>>> > >>>>>>>>> I see the plugin with the following methods: > >>>>>>>>> > >>>>>>>>> Each takes a single argument, the name of the rule. I don't think I'd stick type into the DN so you wouldn't be able to use the same rule name for different object types. If we want to allow that then we'd need to add --type to a lot more commands. > >>>>>>>>> > >>>>>>>>> There is no mod to change types, you have to delete and re-add. 
> >>>>>>>>> > >>>>>>>>> automember-add Add an automember rule > >>>>>>>>> --type=ENUM (hostgroup, group) > >>>>>>>>> --desc=STR description of this auto membership rule > >>>>>>>>> --inclusive-regex=LIST Inclusive Regex > >>>>>>>>> --exclusive-regex=LIST Exclusive Regex > >>>>>>>>> > >>>>>>>>> automember-add-condition Add conditions to automember rule > >>>>>>>>> --inclusive-regex=LIST Inclusive Regex > >>>>>>>>> --exclusive-regex=LIST Exclusive Regex > >>>>>>>>> > >>>>>>>>> automember-del Delete an automember rule > >>>>>>>>> > >>>>>>>>> automember-find Search for automember rules > >>>>>>>>> --type=ENUM (hostgroup, group) > >>>>>>>>> > >>>>>>>>> automember-mod Modify an automember rule. > >>>>>>>> > >>>>>>>> automember-default-group Set a default group for auto membership > >>>>>>>> --group/hostgroup=STR > >>>>>>>> > >>>>>>>>> > >>>>>>>>> automember-remove-condition Remove conditions from an automember rule > >>>>>>>>> --inclusive-regex=LIST Inclusive Regex > >>>>>>>>> --exclusive-regex=LIST Exclusive Regex > >>>>>>>>> > >>>>>>>>> automember-show Display an automember rule > >>>>>>> > >>>>>>> New Patch attached. > >>>>>>> > >>>>>>> I believe I have addressed the issues highlighted in the thread. > >>>>>>> > >>>>>> > >>>>>> Hello JR, > >>>>>> > >>>>>> Thanks for the patch, the new approach with automember as a separate > >>>>>> plugin is much better and more extensible. I reviewed it and have some > >>>>>> feedback: > >>>>>> > >>>>>> 1) I see that autoMemberScope in automember plugin configuration is set > >>>>>> to $SUFFIX. Why don't we use > >>>>>> cn=hostgroups,cn=accounts,dc=idm,dc=lab,dc=bos,dc=redhat,dc=com and > >>>>>> cn=hostgroups,cn=accounts,dc=idm,dc=lab,dc=bos,dc=redhat,dc=com. IMO > >>>>>> this would improve performance > >>>>> > >>>>> I believe the scope defines where to find automatic members, so it > >>>>> should point to cn=computers,cn=$SUFFIX. 
> >>>> > >>>> autoMemberScope needs to point to the lowest common denominator where the plugin will detect the insertion of new ldap objects that match the rules: > >>>> (http://directory.fedoraproject.org/wiki/Auto_Membership_Design#Example_Configuration_Entries) > >>>> > >>>> With that in mind, it seems that we need to point it to cn=accounts,$SUFFIX > >>>> > >>>>> > >>>>>> > >>>>>> 2) Plugin is not configured correctly on a replica: > >>>>>> nsslapd-pluginConfigArea in cn=Auto Membership > >>>>>> Plugin,cn=plugins,cn=config is not created. Since cn=config is not > >>>>>> replicated, it needs to be updated also on a replica. Plus, "Applying > >>>>>> LDAP updates" got stuck in my case for some reason. > >>>> > >>>> I will be correcting this with Rob's suggestion in irc of moving the operation into __common_setup > >>>> > >>>>>> > >>>>>> 3) I cannot use --inclusive-regex in ipa automember-add even though it > >>>>>> is stated in help that I can > >>>>>> > >>>>>> # ipa automember-add --type=hostgroup --inclusive-regex=^web[1-9]\.example\.com tgroup > >>>>>> Usage: ipa [global-options] automember-add AUTOMEMBER-RULE [options] > >>>>>> > >>>>>> ipa: error: no such option: --inclusive-regex > >>>>> > >>>>> I had him remove this. No other command lets you add an entry and > >>>>> members at the same time. > >>>> > >>>> I will be removing reference to this in the help/doc. Thank you for catching it. > >>>> > >>>>> > >>>>>> > >>>>>> 4) Error message when removing a condition is not clear: > >>>>>> # ipa automember-show --type=hostgroup tgroup > >>>>>> Automember Rule: tgroup > >>>>>> Inclusive Regex: fqdn=^web[1-9].example.com, fqdn=^www[1-9].example.com > >>>>>> Exclusive Regex: fqdn=^www5.example.com > >>>>>> > >>>>>> Can we detect this situation and change it to something like "Condition > >>>>>> not found"? > >>>> > >>>> It appears as though this situation is trickier than just 'condition not found'. 
> >>>> > >>>> Since we can provide a list of both inclusive and exclusive regex, and any one of the provided entries could be /not found/ it looks as though I will need to replicate the functionality of 'failed' similar to how they are treated when removing a list of users/hosts from a group/hostgroup where some of the members are non-existent. > >>>> > >>>> It looks like I need to return a failed list, but it is not currently clear how to accomplish that in an LDAPUpdate pre/post_callback, as those are really only looking for the return of a 'dn' > >>>> > >>>>>> > >>>>>> 5) Having a rule with just an exclusive rule does not make sense - can > >>>>>> we handle it? > >>>>>> # ipa automember-show --type=hostgroup tgroup > >>>>>> Automember Rule: tgroup > >>>>>> Inclusive Regex: fqdn=^web[1-9].example.com, fqdn=^www[1-9].example.com > >>>>>> Exclusive Regex: fqdn=^www5.example.com > >>>>>> # ipa automember-remove-condition --type=hostgroup tgroup --inclusive-regex=^web[1-9]\.example\.com --inclusive-regex=^www[1-9]\.example\.com > >>>>>> -------------------------------- > >>>>>> Removed condition(s) to "tgroup" > >>>>>> -------------------------------- > >>>>>> Automember Rule: tgroup > >>>>>> Exclusive Regex: fqdn=^www5.example.com > >>>> > >>>> I am adding additional checks to verify that we don't create/leave a rule with a sole exclusive regex. > >>>> > >>>>>> 6) Command names for automember default group seem inconsistent: > >>>>>> automember-add-default-group Set default group for all unmatched entries. > >>>>>> automember-default-group-show Display information about the default automember groups. > >>>>>> automember-remove-default-group Remove default group for all unmatched entries. > >>>>>> > >>>>>> If we would follow the same pattern, "automember-default-group-show" > >>>>>> should be automember-show-default-group > >>>>> > >>>>> I think it should be automember-default-group-*. 
Since there is only one > >>>>> default for something I think it should be set instead of add. > >>>> > >>>> I agree with Rob: > >>>> ipa automember-default-group-set > >>>> ipa automember-default-group-remove > >>>> ipa automember-default-group-show > >>>> > >>>>> > >>>>>> 7) Parameters of the automember default group seem inconsistent too: > >>>>>> a) --desc parameter present in automember-add-default-group and > >>>>>> automember-remove-default-group should not be here > >>>>>> b) Grouping Type of the automember type is passed as an argument in > >>>>>> automember-remove-default-group and automember-default-group-show > >>>>>> instead of --type=STR as in all other commands > >>>> > >>>> This is deliberate. > >>>> > >>>> The framework has a mandatory requirement of at least 1 argument. > >>>> > >>>> Since these 3 operations require us to operate on parent objects, it does not make sense to force it to provide a 'rule' as the modification does not take place on any 1 rule, but rather the container which they are a part of. > >>>> I am open to suggestions... > >>>> > >>>>>> > >>>>>> 8) automember.py: In > >>>>>> automember_add_condition/automember_remove_condition I see 2 almost > >>>>>> identical branches of code - a lot of redundancy. Couldn't we > >>>>>> consolidate them, for example to one "for attr in (INCLUDE_RE, > >>>>>> EXCLUDE_RE):" construct? > >>>> > >>>> I will see what I can do to accommodate this. It is likely that there will need to be several pivot points to provide the logic required to prevent the addition of an exclusive regex without an inclusive one present. Likewise with the deletion of the last inclusive regex when there is at least 1 exclusive regex present. > >>>> > >>>>>> > >>>>>> 9) test_automember_plugin.py: the test class should be named > >>>>>> test_automember, not test_user > >>>> > >>>> Ah. Thanks! > >>>> > >>>>>> > >>>>>> Martin > >>>>>> > >>>>> > >>>>> I'm also wondering about hardcoding a key. 
Is there a reason we can't > >>>>> ask the regex writer to simply include this themselves? > >>>> > >>>> I am fairly opposed to removing 'default' attrs which the rules are applied to... I am happy to provide a means to override them. > >>>> > >>>> While it may be second nature for all of us to know that there is an fqdn attribute, etc, our consumers are likely not going to intrinsically know our schema. We also deliberately mask the real attribute names in the framework. (fqdn = Host name) > >>>> > >>>> Providing a default feels like a happy medium which allows for ease of use and somewhat of a safety belt against users defining an incorrect attribute name. > >>>> > >>>> It also might get somewhat tiring to constantly provide --key=fqdn every time you add a hostname regex? > >>> > >>> Ok, but when you display rules fqdn is displayed. How are users to know > >>> they shouldn't include fqdn= when removing existing rules? > >>> > >>>>> > >>>> > >>>> Stand by for a follow up patch later today after I figure out how to better account for the failed manipulation of conditions. > >>>> > >> > >> Final Draft Patch attached, Please review. > >> > >> The API should all be straightened out. > >> The handling of adding/removing of conditions has been greatly improved. > >> We now require type and key for conditionals. > >> A schema check is performed to catch any bad attributes. > >> > >> Exclusive Conditions: I've thought more about it, and it is a benign condition that does not affect the state of the system. > >> Similarly, Sudo rules can contain deny commands with no additional data which are also benign. I would like to propose that all those cases where this is possible in FreeIPA be reviewed in the future rather than excluding this patch from being committed to master. > >> > > > > I think you attached a wrong patch, it's the same as the previous one. Btw. 
> > if you use freeipa-jraquino-PATCH_NO-PATCH_VER-description.patch naming, > > it is simpler to recognize the version of the patch. > > Oops! > > Attached is the corrected patch. > Triple-checked that it has the correct modifications. > Ah, this one's better. I checked the new API, seems consistent to me. I was thinking about the new --key attribute, looks OK. It would be great to have some default setting here, but since it is common for all grouping types, we cannot do that. It's good it's at least covered in documentation and checked in schema. Sending the issues I have found: 1) freeipa.spec.in: you changed 389-ds-base Requires to a version that does not even exist: -Requires(pre): 389-ds-base >= 1.2.8.0-1 +Requires(pre): 389-ds-base >= 1.2.9.0.2 Please change it to 1.2.9.5-1 which has been released yesterday and which should fix our reported DS issues (BZ 723937, 725743). If we don't push this patch before 2.1 release I will update the 389-ds-base Requires myself as it contains the fixes for us. 2) Plugin is still not being configured correctly on a replica: This change needs to be executed on both master and replica: +dn: cn=Auto Membership Plugin,cn=plugins,cn=config +changetype: modify +add: nsslapd-pluginConfigArea +nsslapd-pluginConfigArea: cn=automember,cn=etc,$SUFFIX The initial cn=etc,$SUFFIX population should be done only on master. 3) I see that autoMemberScope in automember plugin configuration is still set to $SUFFIX. I would suggest setting it for hostgroups and groups to cn=hostgroups,cn=accounts,$SUFFIX and cn=groups,cn=accounts, $SUFFIX, respectively, to improve plugin search performance 4) Automember help is not correct for ipa automember-default-group-set/remove commands. 
The API has changed there:

+ Set the default target group:
+ ipa automember-default-group-set --type=hostgroup webservers
+ ipa automember-default-group-set --type=group ipausers
+
+ Set the default target group:
+ ipa automember-default-group-remove --type=hostgroup webservers
+ ipa automember-default-group-remove --type=group ipausers
+

5) I would fix examples for condition manipulating commands:

+ Add another condition to the rule:
+ ipa automember-add-condition --inclusive-regex=^web[1-9+]\.example\.com webservers
+
+ Add an exclusive condition to the rule to prevent auto asignment:
+ ipa automember-add-condition --exclusive-regex=^web5\.example\.com webservers
+
+ Remove a condition from the rule:
+ ipa automember-remove-condition --inclusive-regex=^www[1-9+]\.example\.com webservers
+

Currently, the framework asks for both Attribute Key and Grouping type in these commands. I think it is better to have those required attributes already filled, so that user can just simply copy&paste

6) I got internal error when trying to add a duplicate exclusive regex:

# ipa automember-show --type=hostgroup webservers
Automember Rule: webservers
Inclusive Regex: fqdn=^web[1-9+].example.com
Exclusive Regex: fqdn=^web5.example.com
# ipa automember-add-condition --exclusive-regex=^web5\.example\.com --type=hostgroup --key=fqdn webservers
ipa: ERROR: an internal error has occurred

Martin

From jcholast at redhat.com Tue Aug 9 12:30:58 2011
From: jcholast at redhat.com (Jan Cholasta)
Date: Tue, 09 Aug 2011 14:30:58 +0200
Subject: [Freeipa-devel] [PATCH] 37 Make sure messagebus service is running before starting certmonger
Message-ID: <4E412882.5000206@redhat.com>

Start messagebus every time before starting certmonger.

https://fedorahosted.org/freeipa/ticket/1580

Honza

--
Jan Cholasta
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-jcholast-37-certmonger-messagebus.patch
Type: text/x-patch
Size: 2855 bytes
Desc: not available
URL:

From jcholast at redhat.com Tue Aug 9 13:16:33 2011
From: jcholast at redhat.com (Jan Cholasta)
Date: Tue, 09 Aug 2011 15:16:33 +0200
Subject: [Freeipa-devel] [PATCH 34/34] ticket 1568 - DN objects should support the insert method
In-Reply-To: <201108032316.p73NGIXT026343@int-mx02.intmail.prod.int.phx2.redhat.com>
References: <201108032316.p73NGIXT026343@int-mx02.intmail.prod.int.phx2.redhat.com>
Message-ID: <4E413331.7030607@redhat.com>

On 4.8.2011 01:16, John Dennis wrote:
> Add dn.insert() and update unittest
>
> --
> John Dennis
>
> Looking to carve out IT costs?
> www.redhat.com/carveoutcosts/
>

ACK.

Honza

--
Jan Cholasta

From jdennis at redhat.com Tue Aug 9 13:41:42 2011
From: jdennis at redhat.com (John Dennis)
Date: Tue, 09 Aug 2011 09:41:42 -0400
Subject: [Freeipa-devel] Correct xmlrpc-c version?
In-Reply-To: <2096424599.903882.1312881828476.JavaMail.root@zmail02.collab.prod.int.phx2.redhat.com>
References: <2096424599.903882.1312881828476.JavaMail.root@zmail02.collab.prod.int.phx2.redhat.com>
Message-ID: <4E413916.4090908@redhat.com>

It looks like the curl fix for xmlrpc was applied and built in version xmlrpc-c-1.25.1-1501.svn2077.fc15 built in Koji yesterday at 2011-02-08 07:52:36. Correct?

However that build has not been pushed to Bodhi yet so it's not in an update channel yet, is there a reason why?

--
John Dennis

Looking to carve out IT costs?
www.redhat.com/carveoutcosts/

From edewata at redhat.com Tue Aug 9 14:08:43 2011
From: edewata at redhat.com (Endi Sukma Dewata)
Date: Tue, 09 Aug 2011 09:08:43 -0500
Subject: [Freeipa-devel] [PATCH] 238 Fixed error after login on IE
In-Reply-To: <4E4114C0.7030408@redhat.com>
References: <4E402C42.6040801@redhat.com> <4E4114C0.7030408@redhat.com>
Message-ID: <4E413F6B.8090007@redhat.com>

On 8/9/2011 6:06 AM, Petr Vobornik wrote:
> Code looks good.
>
> But, I didn't test it in IE9, because I don't have one nor Windows vm
> (will try to get one).
>
> Modifications in error handling are OK.
>
> If it really works in IE I would consider it ACKed.

Since we don't officially support IE, as long as it still works in Firefox it should be fine. I've verified that it works on IE9 so I pushed this to master.

--
Endi S. Dewata

From jcholast at redhat.com Tue Aug 9 16:13:18 2011
From: jcholast at redhat.com (Jan Cholasta)
Date: Tue, 09 Aug 2011 18:13:18 +0200
Subject: [Freeipa-devel] [PATCH 35/35] ticket 1569 - Test DN object non-latin Unicode support
In-Reply-To: <201108032335.p73NZ87l018492@int-mx01.intmail.prod.int.phx2.redhat.com>
References: <201108032335.p73NZ87l018492@int-mx01.intmail.prod.int.phx2.redhat.com>
Message-ID: <4E415C9E.8080401@redhat.com>

On 4.8.2011 01:35, John Dennis wrote:
> The DN unittest was lacking a test for i18n. The unittest was
> updated to store "Hello" in Arabic with both utf-8 and unicode
> and verify the values could be properly retrieved and converted
> to dn string syntax.
>
> During the testing a few problems were discovered and corrected.
>
> * passing in utf-8 caused an ASCII decode error because of Python's
> silly default encoding of ASCII. The fix was to explicitly use
> the utf-8 codec.
>
> * there were a couple of places where encode/decode were not
> called correctly.
>
> * the internal attr and value members of the AVA class were renamed
> to explicitly show they are stored as unicode.
>
> Of course the unittest was updated as well.
>
> --
> John Dennis
>
> Looking to carve out IT costs?
> www.redhat.com/carveoutcosts/
>

ACK.

Honza

--
Jan Cholasta

From vvitek at redhat.com Tue Aug 9 09:23:48 2011
From: vvitek at redhat.com (Vojtech Vitek)
Date: Tue, 9 Aug 2011 05:23:48 -0400 (EDT)
Subject: [Freeipa-devel] Correct xmlrpc-c version?
In-Reply-To: <4E4039BB.5040806@redhat.com>
Message-ID: <2096424599.903882.1312881828476.JavaMail.root@zmail02.collab.prod.int.phx2.redhat.com>

> On 08/08/2011 06:13 PM, John Dennis wrote:
> > On 08/08/2011 11:42 AM, Martin Kosek wrote:
> >> On Mon, 2011-08-08 at 10:07 -0400, John Dennis wrote:
> >>> I checked today to see if we have a new xmlrpc-c package that meets our
> >>> release requirements for 2.1. I see that 1.27.4 was built earlier today
> >>> for F16 and F17 with the changelog comment just saying it was upgraded
> >>> to latest upstream (is that our fix?). The upstream tarball does not
> >>> have a changelog :-( but there is a reference to this URL for change
> >>> history:
> >>>
> >>> http://xmlrpc-c.sourceforge.net/change.html
> >>>
> >>> But not much useful information there either.
> >>>
> >>> Can someone tell me *exactly* what it is we're waiting for so I can be
> >>> sure we've got the right release? Also it doesn't look like there has
> >>> been a rebuild of F15 for a long time so even if F16 and F17 have 1.27.4
> >>> and 1.27.4 is what we're looking for (is it?) then that still doesn't
> >>> meet our needs because we're targeting F15 right?
> >>>
> >>
> >> Good news is that the problem in curl package has been fixed and was
> >> built for F-15:
> >>
> >> https://admin.fedoraproject.org/updates/curl-7.21.3-9.fc15
> >>
> >> But we need this change to be propagated to the xmlrpc-c too. As you
> >> wrote, there is already a fixed version for F-16 and F-17:
> >> xmlrpc-c-1.16.24. I checked the source code, the GSSAPI delegation fix
> >> should be there. We just need to ask them to release an update for F-15
> >> too. Adding xmlrpc-c Fedora owner to the CC list. Enrico, can you please
> >> release the package for F-15 too?
> >>
> >> When all this is ready, I plan to immediately send a patch & update
> >> our .spec to make this work on F-15.
> >
> > You're talking about just the Fedora spec file right? Aren't we also
> > supposed to be doing a RHEL 6.2 build and doesn't RHEL 6.2 have the same
> > issues and requirements?
> >
>
> Correct - the relevant 6.2 bug is this one:
> https://bugzilla.redhat.com/show_bug.cgi?id=719945
>
> The status is still ASSIGNED as of now so I think the patch has not been
> submitted to CVS yet (although Kamil referenced an upstream commit).
>
> I've put the RHEL maintainer to CC so he can comment on the ETA of the
> RHEL fix.

Hi,

Ad Fedora) Enrico is now waiting for new curl koji build, then he can release new xmlrpc-c with GSSAPI support (see https://bugzilla.redhat.com/show_bug.cgi?id=719950#c5 ).

Ad RHEL 5.7.z/5.8/6.1.z/6.2) I'm now waiting for QA acks, that we've asked for yesterday. Until then, I can't commit to CVS, even though the patch is ready. Hope there is everything ready from curl folks..

/Trying to force the QA for acks today../

- Vojtech

From edewata at redhat.com Tue Aug 9 18:04:00 2011
From: edewata at redhat.com (Endi Sukma Dewata)
Date: Tue, 09 Aug 2011 13:04:00 -0500
Subject: [Freeipa-devel] [PATCH] 239 Fixed host adder dialog.
In-Reply-To: <4E412437.2040804@redhat.com>
References: <4E405163.4070702@redhat.com> <4E412437.2040804@redhat.com>
Message-ID: <4E417690.7030702@redhat.com>

On 8/9/2011 7:12 AM, Petr Vobornik wrote:
> NACK
>
> "Add and edit" without existing DNS reverse zone doesn't redirect to
> edit page.
>
> Field 'fqdn' doesn't exist any more so getting fqdn from field in
> host.js:280 "fqdn: that.get_field('fqdn').save()" isn't functional.

Fixed. Now the fqdn is obtained from the command object.

On 8/8/2011 9:17 PM, Adam Young wrote:
> The JQuery code drawing the table in the create method is
> cut-and-paste.. It should be possible to make it look right without
> redrawing the whole table.
>
> These two fields should be put into their own section, which can then
> be responsible for drawing just the rows responsible for these
> fields, leaving the default behavior for the other rows.

As discussed, this will be done separately in this ticket:
https://fedorahosted.org/freeipa/ticket/1394

--
Endi S. Dewata
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-edewata-0239-2-Fixed-host-adder-dialog.patch
Type: text/x-patch
Size: 8126 bytes
Desc: not available
URL:

From edewata at redhat.com Tue Aug 9 20:09:14 2011
From: edewata at redhat.com (Endi Sukma Dewata)
Date: Tue, 09 Aug 2011 15:09:14 -0500
Subject: [Freeipa-devel] [PATCH] 240 Fixed DNS zone adder dialog.
Message-ID: <4E4193EA.5060103@redhat.com>

The DNS zone adder dialog has been modified to use radio buttons to select whether to enter a zone name or a reverse zone IP network.

Ticket #1575

--
Endi S. Dewata
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-edewata-0240-Fixed-DNS-zone-adder-dialog.patch
Type: text/x-patch
Size: 9313 bytes
Desc: not available
URL:

From JR.Aquino at citrix.com Tue Aug 9 22:41:14 2011
From: JR.Aquino at citrix.com (JR Aquino)
Date: Tue, 9 Aug 2011 22:41:14 +0000
Subject: [Freeipa-devel] [PATCH] 34 Create FreeIPA CLI Plugin for the 389 Auto Membership plugin
In-Reply-To: <1312892259.19265.18.camel@dhcp-25-52.brq.redhat.com>
References: <99CC5FCC-73CE-43C1-9B73-4DDD69A4637D@citrixonline.com> <1310730613.32137.22.camel@dhcp-25-52.brq.redhat.com> <4E2054E3.5060306@redhat.com> <84A3F669-CCF3-4C6C-9525-5BD4A71E6E1E@citrixonline.com> <4E26F657.8030901@redhat.com> <3D1116E1-B782-4F43-B6DA-08E8FCFC34A1@citrixonline.com> <4E279A3C.5040900@redhat.com> <328D74A5-F560-4DC6-8E5F-413AFDCCAABC@citrixonline.com> <1311246577.17378.28.camel@dhcp-25-52.brq.redhat.com> <4E28384A.708@redhat.com> <0BF013EE-B1ED-4953-94ED-F3BA825CFE78@citrixonline.com> <60FB2C65-DFB4-41B4-A51F-78FE89BB1A1E@citrixonline.com> <1312202461.2484.4.camel@dhcp-25-52.brq.redhat.com> <4E36A27F.4020908@redhat.com> <4E37F3AD.1030801@redhat.com> <45137A51-4797-4A17-B3B0-A4301D9A0C85@citrixonline.com> <1312794245.29048.21.camel@dhcp-25-52.brq.redhat.com> <1312892259.19265.18.camel@dhcp-25-52.brq.redhat.com>
Message-ID:

> On Aug 9, 2011, at 5:17 AM, Martin Kosek wrote:
> Ah, this one's better. I checked the new API, seems consistent to me. I
> was thinking about the new --key attribute, looks OK. It would be great
> to have some default setting here, but since it is common for all
> grouping types, we cannot do that. It's good it's at least covered in
> documentation and checked in schema.
>
> Sending the issues I have found:
>
> 1) freeipa.spec.in: you changed 389-ds-base Requires to a version that
> does not even exist:
>
> -Requires(pre): 389-ds-base >= 1.2.8.0-1
> +Requires(pre): 389-ds-base >= 1.2.9.0.2
>
> Please change it to 1.2.9.5-1 which has been released yesterday and
> which should fix our reported DS issues (BZ 723937, 725743). If we don't
> push this patch before 2.1 release I will update the 389-ds-base
> Requires myself as it contains the fixes for us.
>
> 2) Plugin is still not being configured correctly on a replica:
>
> This change needs to be executed on both master and replica:
>
> +dn: cn=Auto Membership Plugin,cn=plugins,cn=config
> +changetype: modify
> +add: nsslapd-pluginConfigArea
> +nsslapd-pluginConfigArea: cn=automember,cn=etc,$SUFFIX
>
> The initial cn=etc,$SUFFIX population should be done only on master.
>
> 3) I see that autoMemberScope in automember plugin configuration is
> still set to $SUFFIX. I would suggest to set it for hostgroups and
> groups to cn=hostgroups,cn=accounts,$SUFFIX and cn=groups,cn=accounts,
> $SUFFIX, respectively, to improve plugin search performance
>
> 4) Automember help is not correct for ipa
> automember-default-group-set/remove commands. The API has changed there:
>
> + Set the default target group:
> + ipa automember-default-group-set --type=hostgroup webservers
> + ipa automember-default-group-set --type=group ipausers
> +
> + Set the default target group:
> + ipa automember-default-group-remove --type=hostgroup webservers
> + ipa automember-default-group-remove --type=group ipausers
> +
>
>
> 5) I would fix examples for condition manipulating commands:
>
> + Add another condition to the rule:
> + ipa automember-add-condition --inclusive-regex=^web[1-9+]\.example\.com webservers
> +
> + Add an exclusive condition to the rule to prevent auto asignment:
> + ipa automember-add-condition --exclusive-regex=^web5\.example\.com webservers
> +
> + Remove a condition from the rule:
> + ipa automember-remove-condition --inclusive-regex=^www[1-9+]\.example\.com webservers
> +
>
> Currently, the framework asks for both Attribute Key and Grouping type
> in these commands.
> I think it is better to have those required
> attributes already filled, so that user can just simply copy&paste
>
> 6) I got internal error when trying to add a duplicate exclusive regex:
> # ipa automember-show --type=hostgroup webservers
> Automember Rule: webservers
> Inclusive Regex: fqdn=^web[1-9+].example.com
> Exclusive Regex: fqdn=^web5.example.com
> # ipa automember-add-condition --exclusive-regex=^web5\.example\.com --type=hostgroup --key=fqdn webservers
> ipa: ERROR: an internal error has occurred
>
> Martin

Ok, new patch attached. I believe this addresses the above.

1. Requires(pre): 389-ds-base >= 1.2.9.5-1

2. replica-automember.ldif added for dsinstance to install during replica installs:

+dn: cn=Auto Membership Plugin,cn=plugins,cn=config
+changetype: modify
+add: nsslapd-pluginConfigArea
+nsslapd-pluginConfigArea: cn=automember,cn=etc,$SUFFIX

3. autoMemberScope is now set for each:
groups: cn=users,cn=accounts,$SUFFIX
hostgroups: cn=computers,cn=accounts,$SUFFIX

4. Corrected examples

Set the default target group:
ipa automember-default-group-set --default-group=webservers hostgroup
ipa automember-default-group-set --default-group=ipausers group

Set the default target group:
ipa automember-default-group-remove hostgroup
ipa automember-default-group-remove group

Show the default target group:
ipa automember-default-group-show hostgroup
ipa automember-default-group-show group

5. Corrected examples

Add a condition to the rule:
ipa automember-add-condition --key=fqdn --type=hostgroup --inclusive-regex=^web[1-9+]\.example\.com webservers
ipa automember-add-condition --key=manager --type=group --inclusive-regex=^mscott admins

Add an exclusive condition to the rule to prevent auto assignment:
ipa automember-add-condition --key=fqdn --type=hostgroup --exclusive-regex=^web5\.example\.com webservers

Remove a condition from the rule:
ipa automember-remove-condition --key=fqdn --type=hostgroup --inclusive-regex=^www[1-9+]\.example\.com webservers

6.
Correct bug for adding duplicate conditions. Included test for it in the test suite.

-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-jraquino-0034-Create-FreeIPA-CLI-Plugin-for-the-389-Auto-Membershi.patch
Type: application/octet-stream
Size: 56146 bytes
Desc: freeipa-jraquino-0034-Create-FreeIPA-CLI-Plugin-for-the-389-Auto-Membershi.patch
URL:
-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: ATT00001.txt
URL:

From jdennis at redhat.com Wed Aug 10 02:16:58 2011
From: jdennis at redhat.com (John Dennis)
Date: Tue, 9 Aug 2011 22:16:58 -0400
Subject: [Freeipa-devel] [PATCH 36/36] ticket 1600 - convert unittests to use DN objects
Message-ID: <201108100216.p7A2GwXU017145@int-mx10.intmail.prod.int.phx2.redhat.com>

We have a larger goal of replacing all DN creation via string formatting/concatenation with DN object operations because string operations are not a safe way to form a DN nor to compare a DN. This work needs to be broken into smaller chunks for easier review and testing.

Addressing the unit tests first makes sense because we don't want to be modifying both the core code and the tests used to verify the core code simultaneously. If we modify the unittests first with existing core code and no regressions are found then we can move on to modifying parts of the core code with the belief the unittests can validate the changes in the core code. Also by doing the unittests first we also help to validate the DN objects are working correctly (although they do have an extensive unittest).

The fundamental changes are:

* replace string substitution & concatenation with DN object constructor

* when comparing dn's the comparison is done after promotion to a DN object, then two DN objects are compared

* when a list of string dn's are to be compared a new list is formed where each string dn is replaced by a DN object

* because the unittest framework accepts a complex data structure of expected values where dn's are represented as strings the unittest needs to express the expected value of a dn as a callable object (e.g. a lambda expression) which promotes the dn string to a DN object in order to do the comparison.

--
John Dennis

Looking to carve out IT costs?
www.redhat.com/carveoutcosts/
-------------- next part --------------
A non-text attachment was scrubbed...
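A worked illustration of the two points above (forming a DN without string formatting, and comparing only after promotion to a DN object), added here as an example that is not FreeIPA's own ipalib DN class: a minimal DN type with RFC 4514 escaping, a parser for the same syntax, and equality that ignores attribute-type case, so DN(('CN', ...)) and 'cn=...' compare equal the way a string comparison never would. The base DN, the "Smith, John" value and the helper names (naive_dn, rdn_count) are constructed for the example.

```python
"""Added example (not FreeIPA's own ipalib DN class): build and compare LDAP
DNs as structured objects instead of formatted strings.  Escaping follows
RFC 4514 section 2.4 and the parser accepts that syntax back.  Attribute
types compare case-insensitively ("CN" == "cn"); values compare exactly,
which is a simplification: real equality depends on each attribute's
matching rule in the schema.
"""
import re

# Characters that must be backslash-escaped anywhere inside an RDN value.
_SPECIAL = ',+"\\<>;'
# One or more \XX hex pairs (possibly a multi-byte UTF-8 sequence), or \c.
_ESC_RE = re.compile(r'((?:\\[0-9A-Fa-f]{2})+)|\\(.)')


def escape_value(value):
    """Escape one attribute value so it can be embedded in a DN string."""
    out = []
    last = len(value) - 1
    for i, ch in enumerate(value):
        if ch in _SPECIAL or (ch == '#' and i == 0) or (ch == ' ' and i in (0, last)):
            out.append('\\' + ch)
        elif ch == '\x00':
            out.append('\\00')
        else:
            out.append(ch)
    return ''.join(out)


def unescape_value(raw):
    """Reverse escape_value(); runs of hex pairs are decoded as UTF-8 bytes."""
    def repl(m):
        if m.group(1):
            return bytes.fromhex(m.group(1).replace('\\', '')).decode('utf-8')
        return m.group(2)
    return _ESC_RE.sub(repl, raw)


def split_unescaped(text, sep):
    """Split text on sep, leaving backslash-escaped separators alone."""
    parts, cur, i = [], [], 0
    while i < len(text):
        if text[i] == '\\' and i + 1 < len(text):
            cur.append(text[i:i + 2])   # keep the escape pair intact
            i += 2
            continue
        if text[i] == sep:
            parts.append(''.join(cur))
            cur = []
        else:
            cur.append(text[i])
        i += 1
    parts.append(''.join(cur))
    return parts


class DN:
    """A DN as an ordered sequence of (attribute type, value) pairs.

    Multi-valued RDNs ("cn=a+sn=b") are not modelled, to keep the example short.
    """

    def __init__(self, *rdns):
        self.rdns = tuple((str(attr), str(value)) for attr, value in rdns)

    @classmethod
    def from_string(cls, text):
        rdns = []
        for part in split_unescaped(text, ','):
            attr, eq, raw = part.partition('=')
            if not eq or not attr.strip():
                raise ValueError('malformed RDN: %r' % part)
            rdns.append((attr.strip(), unescape_value(raw)))
        return cls(*rdns)

    def __str__(self):
        return ','.join('%s=%s' % (attr, escape_value(value)) for attr, value in self.rdns)

    def _key(self):
        # Attribute types are case-insensitive (RFC 4512), so CN and cn match.
        return tuple((attr.lower(), value) for attr, value in self.rdns)

    def __eq__(self, other):
        if isinstance(other, str):
            other = DN.from_string(other)   # promote first, then compare
        return isinstance(other, DN) and self._key() == other._key()

    def __hash__(self):
        return hash(self._key())


def naive_dn(cn, base):
    """The pattern being replaced: a DN assembled by string formatting."""
    return 'cn=%s,%s' % (cn, base)


def rdn_count(dn_string):
    """Number of comma-separated components a DN string actually has."""
    return len(split_unescaped(dn_string, ','))


if __name__ == '__main__':
    base = 'ou=people,dc=example,dc=com'   # constructed sample base
    name = 'Smith, John'                   # constructed value containing a separator
    print(naive_dn(name, base), rdn_count(naive_dn(name, base)))   # 5 components: structure changed
    safe = DN(('cn', name), ('ou', 'people'), ('dc', 'example'), ('dc', 'com'))
    print(str(safe), rdn_count(str(safe)))                         # 4 components, value escaped
    print(DN(('CN', 'ipa.example.com'), ('O', 'IPA')) == 'cn=ipa.example.com,o=IPA')   # True
```

The rdn_count calls make the first point concrete: a value containing a comma silently adds a component when the DN is assembled by formatting, while the escaped form keeps the intended structure and round-trips through from_string. The __eq__ promotion of a string operand is the same idea as the callable expected values described above.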
Name: 0036-ticket-1600-convert-unittests-to-use-DN-objects.patch
Type: text/x-patch
Size: 127337 bytes
Desc: not available
URL:

From edewata at redhat.com Wed Aug 10 02:21:24 2011
From: edewata at redhat.com (Endi Sukma Dewata)
Date: Tue, 09 Aug 2011 21:21:24 -0500
Subject: [Freeipa-devel] [PATCH] 241 Fixed broken links in ipa_error.css and ipa_migration.css.
Message-ID: <4E41EB24.70406@redhat.com>

Some of the images that were previously deleted are actually needed by ipa_error.css and ipa_migration.css, so they have been restored.

Ticket #1564

--
Endi S. Dewata
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-edewata-0241-Fixed-broken-links-in-ipa_error.css-and-ipa_migratio.patch
Type: text/x-patch
Size: 16628 bytes
Desc: not available
URL:

From pvoborni at redhat.com Wed Aug 10 06:57:26 2011
From: pvoborni at redhat.com (Petr Vobornik)
Date: Wed, 10 Aug 2011 08:57:26 +0200
Subject: [Freeipa-devel] [PATCH] 239 Fixed host adder dialog.
In-Reply-To: <4E417690.7030702@redhat.com>
References: <4E405163.4070702@redhat.com> <4E412437.2040804@redhat.com> <4E417690.7030702@redhat.com>
Message-ID: <4E422BD6.5080103@redhat.com>

On 08/09/2011 08:04 PM, Endi Sukma Dewata wrote:
> On 8/9/2011 7:12 AM, Petr Vobornik wrote:
>> NACK
>>
>> "Add and edit" without existing DNS reverse zone doesn't redirect to
>> edit page.
>>
>> Field 'fqdn' doesn't exist any more so getting fqdn from field in
>> host.js:280 "fqdn: that.get_field('fqdn').save()" isn't functional.
>
> Fixed. Now the fqdn is obtained from the command object.
>
> On 8/8/2011 9:17 PM, Adam Young wrote:
>> The JQuery code drawing the table in the create method is
>> cut-and-paste.. It should be possible to make it look right without
>> redrawing the whole table.
>>
>> These two fields should be put into their own section, which can then
>> be responsible for drawing just the rows responsible for these
>> fields, leaving the default behavior for the other rows.
>
> As discussed, this will be done separately in this ticket:
> https://fedorahosted.org/freeipa/ticket/1394
>

ACK

--
Petr Vobornik

From pvoborni at redhat.com Wed Aug 10 08:08:16 2011
From: pvoborni at redhat.com (Petr Vobornik)
Date: Wed, 10 Aug 2011 10:08:16 +0200
Subject: [Freeipa-devel] [PATCH] 240 Fixed DNS zone adder dialog.
In-Reply-To: <4E4193EA.5060103@redhat.com>
References: <4E4193EA.5060103@redhat.com>
Message-ID: <4E423C70.6060709@redhat.com>

On 08/09/2011 10:09 PM, Endi Sukma Dewata wrote:
> The DNS zone adder dialog has been modified to use radio buttons to
> select whether to enter a zone name or a reverse zone IP network.
>
> Ticket #1575
>
>
>
> _______________________________________________
> Freeipa-devel mailing list
> Freeipa-devel at redhat.com
> https://www.redhat.com/mailman/listinfo/freeipa-devel

ACK

Same repetitive code as in host adder dialog (1457). But it should be covered by https://fedorahosted.org/freeipa/ticket/1394.

--
Petr Vobornik

From abokovoy at redhat.com Wed Aug 10 11:57:07 2011
From: abokovoy at redhat.com (Alexander Bokovoy)
Date: Wed, 10 Aug 2011 14:57:07 +0300
Subject: [Freeipa-devel] [PATCH] 0010 fix /etc/sysconfig/network permissions in ipa-client-install
Message-ID: <4E427213.6080306@redhat.com>

Ensure network configuration file has proper permissions

As network configuration file is created as temporary file, it has stricter permissions than we need for the target system configuration file. Ensure permissions are properly reset before installing file.

If permissions are not reset, system may have no networking enabled after reboot.

--
/ Alexander Bokovoy
-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: freeipa-abbra-0010-network-permissions.patch
URL:

From abokovoy at redhat.com Wed Aug 10 11:59:07 2011
From: abokovoy at redhat.com (Alexander Bokovoy)
Date: Wed, 10 Aug 2011 14:59:07 +0300
Subject: [Freeipa-devel] [PATCH] 0010 fix /etc/sysconfig/network permissions in ipa-client-install
In-Reply-To: <4E427213.6080306@redhat.com>
References: <4E427213.6080306@redhat.com>
Message-ID: <4E42728B.7020305@redhat.com>

On 10.08.2011 14:57, Alexander Bokovoy wrote:
> Ensure network configuration file has proper permissions
>
> As network configuration file is created as temporary file, it has
> stricter permissions than we need for the target system configuration
> file. Ensure permissions are properly reset before installing file.
>
> If permissions are not reset, system may have no networking enabled
> after reboot.

Forgot to add: this is a brown bag bug worth including into 2.1 release. At least, it affected fresh server install for me using ipa-devel repo.

--
/ Alexander Bokovoy

From abokovoy at redhat.com Wed Aug 10 12:16:43 2011
From: abokovoy at redhat.com (Alexander Bokovoy)
Date: Wed, 10 Aug 2011 15:16:43 +0300
Subject: [Freeipa-devel] [PATCH] 0010 fix /etc/sysconfig/network permissions in ipa-client-install
In-Reply-To: <4E427213.6080306@redhat.com>
References: <4E427213.6080306@redhat.com>
Message-ID: <4E4276AB.3080108@redhat.com>

On 10.08.2011 14:57, Alexander Bokovoy wrote:
> Ensure network configuration file has proper permissions
>
> As network configuration file is created as temporary file, it has
> stricter permissions than we need for the target system configuration
> file. Ensure permissions are properly reset before installing file.
>
> If permissions are not reset, system may have no networking enabled
> after reboot.

One more fix: relabel SELinux label after copying file.

--
/ Alexander Bokovoy
-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: freeipa-abbra-0010-1-network-permissions.patch
URL:

From abokovoy at redhat.com Wed Aug 10 13:41:22 2011
From: abokovoy at redhat.com (Alexander Bokovoy)
Date: Wed, 10 Aug 2011 16:41:22 +0300
Subject: [Freeipa-devel] [PATCH 36/36] ticket 1600 - convert unittests to use DN objects
In-Reply-To: <201108100216.p7A2GwXU017145@int-mx10.intmail.prod.int.phx2.redhat.com>
References: <201108100216.p7A2GwXU017145@int-mx10.intmail.prod.int.phx2.redhat.com>
Message-ID: <4E428A82.3080908@redhat.com>

On 10.08.2011 05:16, John Dennis wrote:
> We have a larger goal of replacing all DN creation via string
> formatting/concatenation with DN object operations because string
> operations are not a safe way to form a DN nor to compare a DN. This
> work needs to be broken into smaller chunks for easier review and
> testing.
>
> Addressing the unit tests first makes sense because we don't want to
> be modifying both the core code and the tests used to verify the core
> code simultaneously. If we modify the unittests first with existing
> core code and no regressions are found then we can move on to
> modifying parts of the core code with the belief the unittests can
> validate the changes in the core code. Also by doing the unittests
> first we also help to validate the DN objects are working correctly
> (although they do have an extensive unittest).
>
> The fundamental changes are:
>
> * replace string substitution & concatenation with DN object
> constructor
>
> * when comparing dn's the comparison is done after promotion
> to a DN object, then two DN objects are compared
>
> * when a list of string dn's are to be compared a new list is
> formed where each string dn is replaced by a DN object
>
> * because the unittest framework accepts a complex data structure of
> expected values where dn's are represented as strings the unittest
> needs to express the expected value of a dn as a callable object
> (e.g. a lambda expression) which promotes the dn string to a DN
> object in order to do the comparison.

*Huge* work, very appreciated!
It is much cleaner to see now what we are actually expecting in a structured way.

ACK.

Unrelated comment: There are a few places where we have CN vs cn like

- assert str(subject) == 'CN=ipa.example.com,O=IPA'
+ assert DN(str(subject)) == DN(('CN','ipa.example.com'),('O','IPA'))

Does it make sense to normalize to lowercase for those attributes that are case-insensitive like cn, sn, uid, etc? It makes no functional difference but looks a bit out of style to have a mix and also may trick into wrongly using those attributes which are case-sensitive due to schema definition.

--
/ Alexander Bokovoy

From edewata at redhat.com Wed Aug 10 14:30:39 2011
From: edewata at redhat.com (Endi Sukma Dewata)
Date: Wed, 10 Aug 2011 09:30:39 -0500
Subject: [Freeipa-devel] [PATCH] 239 Fixed host adder dialog.
In-Reply-To: <4E422BD6.5080103@redhat.com>
References: <4E405163.4070702@redhat.com> <4E412437.2040804@redhat.com> <4E417690.7030702@redhat.com> <4E422BD6.5080103@redhat.com>
Message-ID: <4E42960F.9060200@redhat.com>

On 8/10/2011 1:57 AM, Petr Vobornik wrote:
> On 08/09/2011 08:04 PM, Endi Sukma Dewata wrote:
>> On 8/9/2011 7:12 AM, Petr Vobornik wrote:
>>> NACK
>>>
>>> "Add and edit" without existing DNS reverse zone doesn't redirect to
>>> edit page.
>>>
>>> Field 'fqdn' doesn't exist any more so getting fqdn from field in
>>> host.js:280 "fqdn: that.get_field('fqdn').save()" isn't functional.
>>
>> Fixed. Now the fqdn is obtained from the command object.
>>
>> On 8/8/2011 9:17 PM, Adam Young wrote:
>>> The JQuery code drawing the table in the create method is
>>> cut-and-paste.. It should be possible to make it look right without
>>> redrawing the whole table.
>>>
>>> These two fields should be put into their own section, which can then
>>> be responsible for drawing just the rows responsible for these
>>> fields, leaving the default behavior for the other rows.
>>
>> As discussed, this will be done separately in this ticket:
>> https://fedorahosted.org/freeipa/ticket/1394
>
> ACK

Pushed to master.

--
Endi S. Dewata

From edewata at redhat.com Wed Aug 10 14:32:11 2011
From: edewata at redhat.com (Endi Sukma Dewata)
Date: Wed, 10 Aug 2011 09:32:11 -0500
Subject: [Freeipa-devel] [PATCH] 240 Fixed DNS zone adder dialog.
In-Reply-To: <4E423C70.6060709@redhat.com>
References: <4E4193EA.5060103@redhat.com> <4E423C70.6060709@redhat.com>
Message-ID: <4E42966B.7000800@redhat.com>

On 8/10/2011 3:08 AM, Petr Vobornik wrote:
> On 08/09/2011 10:09 PM, Endi Sukma Dewata wrote:
>> The DNS zone adder dialog has been modified to use radio buttons to
>> select whether to enter a zone name or a reverse zone IP network.
>>
>> Ticket #1575
>
> ACK
>
> Same repetitive code as in host adder dialog (1457). But it should be
> covered by https://fedorahosted.org/freeipa/ticket/1394.

Pushed to master.

--
Endi S. Dewata

From mkosek at redhat.com Wed Aug 10 14:35:38 2011
From: mkosek at redhat.com (Martin Kosek)
Date: Wed, 10 Aug 2011 16:35:38 +0200
Subject: [Freeipa-devel] [PATCH] 0010 fix /etc/sysconfig/network permissions in ipa-client-install
In-Reply-To: <4E4276AB.3080108@redhat.com>
References: <4E427213.6080306@redhat.com> <4E4276AB.3080108@redhat.com>
Message-ID: <1312986940.9622.9.camel@dhcp-25-52.brq.redhat.com>

On Wed, 2011-08-10 at 15:16 +0300, Alexander Bokovoy wrote:
> On 10.08.2011 14:57, Alexander Bokovoy wrote:
> > Ensure network configuration file has proper permissions
> >
> > As network configuration file is created as temporary file, it has
> > stricter permissions than we need for the target system configuration
> > file. Ensure permissions are properly reset before installing file.
> >
> > If permissions are not reset, system may have no networking enabled
> > after reboot.
> One more fix: relabel SELinux label after copying file.

ACK. This one is important so pushed to master. I just added a link to the bug comment before pushing.

Martin

From pvoborni at redhat.com Thu Aug 11 08:53:20 2011
From: pvoborni at redhat.com (Petr Vobornik)
Date: Thu, 11 Aug 2011 10:53:20 +0200
Subject: [Freeipa-devel] [PATCH] 241 Fixed broken links in ipa_error.css and ipa_migration.css.
In-Reply-To: <4E41EB24.70406@redhat.com>
References: <4E41EB24.70406@redhat.com>
Message-ID: <4E439880.5040102@redhat.com>

On 08/10/2011 04:21 AM, Endi Sukma Dewata wrote:
> Some of the images that were previously deleted are actually needed
> by ipa_error.css and ipa_migration.css, so they have been restored.
>
> Ticket #1564
>
>
>
> _______________________________________________
> Freeipa-devel mailing list
> Freeipa-devel at redhat.com
> https://www.redhat.com/mailman/listinfo/freeipa-devel

ACK

I don't like that there is no pattern in image file naming. Sometimes it uses dashes, sometimes underscores. Some file names are capitalized. But this isn't the subject of this patch (ticket).

--
Petr Vobornik

From mkosek at redhat.com Thu Aug 11 09:19:11 2011
From: mkosek at redhat.com (Martin Kosek)
Date: Thu, 11 Aug 2011 11:19:11 +0200
Subject: [Freeipa-devel] [PATCH] [WIP] 108 Fix client enrollment
Message-ID: <1313054354.2597.8.camel@dhcp-25-52.brq.redhat.com>

This is a first shot for client enrollment fix. I had to pull the new version of xmlrpc-c from koji as it is not in updates-testing repo yet:

http://koji.fedoraproject.org/koji/buildinfo?buildID=257947

Fixed curl package is already in stable repos.

Unfortunately, it seems that credentials are not delegated yet. I still get "did not receive Kerberos credentials" error from the server. Any idea what went wrong? Adding xmlrpc-c maintainer on CC.

Thanks,
Martin
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-mkosek-108-fix-client-enrollment.patch
Type: text/x-patch
Size: 2757 bytes
Desc: not available
URL:

From abokovoy at redhat.com Thu Aug 11 10:07:58 2011
From: abokovoy at redhat.com (Alexander Bokovoy) Date: Thu, 11 Aug 2011 13:07:58 +0300 Subject: [Freeipa-devel] [PATCH] [WIP] 108 Fix client enrollment In-Reply-To: <1313054354.2597.8.camel@dhcp-25-52.brq.redhat.com> References: <1313054354.2597.8.camel@dhcp-25-52.brq.redhat.com> Message-ID: <4E43A9FE.2090301@redhat.com> On 11.08.2011 12:19, Martin Kosek wrote: > This is a first shot for client enrollment fix. I had to pull the new > version of xmlrpc-c from koji as it is not in updates-testing repo yet: > > http://koji.fedoraproject.org/koji/buildinfo?buildID=257947 > > Fixed curl package is already in stable repos. > > Unfortunately, it seems that credentials are not delegated yet. I still > get "did not receive Kerberos credentials" error from the server. Any > idea what went wrong? Adding xmlrpc-c maintainer on CC. Looking at ipa-join.c patch, I noticed one thing: > diff --git a/ipa-client/ipa-join.c b/ipa-client/ipa-join.c > index 95f2939cd9812d70aab6d29fb526ac9eb7b5479d..23af923e9d3ae1c466ffa19ea5f2aaac89ebec37 100644 > --- a/ipa-client/ipa-join.c > +++ b/ipa-client/ipa-join.c > @@ -149,6 +149,8 @@ callRPC(xmlrpc_env * const envP, > curlXportParmsP->no_ssl_verifypeer = 1; > curlXportParmsP->no_ssl_verifyhost = 1; > curlXportParmsP->cainfo = "/etc/ipa/ca.crt"; > + /* Enable GSSAPI credentials delegation */ > + curlXportParmsP->gssapi_delegation = 1; > > clientparms.transport = "curl"; > clientparms.transportparmsP = (struct xmlrpc_xportparms *) I think you also need to bump XMLRPC_CXPSIZE() to gssapi_delegation: diff --git a/ipa-client/ipa-join.c b/ipa-client/ipa-join.c index 95f2939..f6ca693 100644 --- a/ipa-client/ipa-join.c +++ b/ipa-client/ipa-join.c 
@@ -149,11 +149,13 @@ callRPC(xmlrpc_env * const envP, curlXportParmsP->no_ssl_verifypeer = 1; curlXportParmsP->no_ssl_verifyhost = 1; curlXportParmsP->cainfo = "/etc/ipa/ca.crt"; + /* Enable GSSAPI credentials delegation */ + curlXportParmsP->gssapi_delegation = 1; clientparms.transport = "curl"; clientparms.transportparmsP = (struct xmlrpc_xportparms *) curlXportParmsP; - clientparms.transportparm_size = XMLRPC_CXPSIZE(cainfo); + clientparms.transportparm_size = XMLRPC_CXPSIZE(gssapi_delegation); xmlrpc_client_create(envP, XMLRPC_CLIENT_NO_FLAGS, NAME, VERSION, &clientparms, sizeof(clientparms), &clientP); -- / Alexander Bokovoy From mkosek at redhat.com Thu Aug 11 11:59:18 2011 From: mkosek at redhat.com (Martin Kosek) Date: Thu, 11 Aug 2011 13:59:18 +0200 Subject: [Freeipa-devel] [PATCH] [WIP] 108 Fix client enrollment In-Reply-To: <4E43A9FE.2090301@redhat.com> References: <1313054354.2597.8.camel@dhcp-25-52.brq.redhat.com> <4E43A9FE.2090301@redhat.com> Message-ID: <1313063961.2597.11.camel@dhcp-25-52.brq.redhat.com> On Thu, 2011-08-11 at 13:07 +0300, Alexander Bokovoy wrote: > On 11.08.2011 12:19, Martin Kosek wrote: > > This is a first shot for client enrollment fix. I had to pull the new > > version of xmlrpc-c from koji as it is not in updates-testing repo yet: > > > > http://koji.fedoraproject.org/koji/buildinfo?buildID=257947 > > > > Fixed curl package is already in stable repos. > > > > Unfortunately, it seems that credentials are not delegated yet. I still > > get "did not receive Kerberos credentials" error from the server. Any > > idea what went wrong? Adding xmlrpc-c maintainer on CC. > > Looking at ipa-join.c patch, I noticed one thing: > > diff --git a/ipa-client/ipa-join.c b/ipa-client/ipa-join.c > > index 95f2939cd9812d70aab6d29fb526ac9eb7b5479d..23af923e9d3ae1c466ffa19ea5f2aaac89ebec37 100644 > > --- a/ipa-client/ipa-join.c > > +++ b/ipa-client/ipa-join.c 
> > @@ -149,6 +149,8 @@ callRPC(xmlrpc_env * const envP, > > curlXportParmsP->no_ssl_verifypeer = 1; > > curlXportParmsP->no_ssl_verifyhost = 1; > > curlXportParmsP->cainfo = "/etc/ipa/ca.crt"; > > + /* Enable GSSAPI credentials delegation */ > > + curlXportParmsP->gssapi_delegation = 1; > > > > clientparms.transport = "curl"; > > clientparms.transportparmsP = (struct xmlrpc_xportparms *) > > I think you also need to bump XMLRPC_CXPSIZE() to gssapi_delegation: > > diff --git a/ipa-client/ipa-join.c b/ipa-client/ipa-join.c > index 95f2939..f6ca693 100644 > --- a/ipa-client/ipa-join.c > +++ b/ipa-client/ipa-join.c > @@ -149,11 +149,13 @@ callRPC(xmlrpc_env * const envP, > curlXportParmsP->no_ssl_verifypeer = 1; > curlXportParmsP->no_ssl_verifyhost = 1; > curlXportParmsP->cainfo = "/etc/ipa/ca.crt"; > + /* Enable GSSAPI credentials delegation */ > + curlXportParmsP->gssapi_delegation = 1; > > clientparms.transport = "curl"; > clientparms.transportparmsP = (struct xmlrpc_xportparms *) > curlXportParmsP; > - clientparms.transportparm_size = XMLRPC_CXPSIZE(cainfo); > + clientparms.transportparm_size = XMLRPC_CXPSIZE(gssapi_delegation); > xmlrpc_client_create(envP, XMLRPC_CLIENT_NO_FLAGS, NAME, VERSION, > &clientparms, sizeof(clientparms), > &clientP); > Thanks, that was the problem. I wonder how I missed it. Attaching the updated patch, client enrollment on F-15 works. Martin -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-mkosek-108-2-fix-client-enrollment.patch Type: text/x-patch Size: 3065 bytes Desc: not available URL: From abokovoy at redhat.com Thu Aug 11 12:06:48 2011 
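Review bot: in the `@@ -149,11 +149,13 @@` hunk the new `curlXportParmsP->gssapi_delegation = 1;` line turns on forwarding of the client's Kerberos credentials over a transport that, in the same visible context, still sets `no_ssl_verifypeer = 1` and `no_ssl_verifyhost = 1` even though `cainfo = "/etc/ipa/ca.crt"` is configured; a comment should say why that is acceptable here (the GSSAPI exchange itself authenticates the server principal) or peer verification should be switched on now that a CA file is supplied, since delegated credentials are the most valuable thing this call sends. The `XMLRPC_CXPSIZE(cainfo)` to `XMLRPC_CXPSIZE(gssapi_delegation)` change is the right fix for the new field being ignored, because that size tells xmlrpc-c how much of `curlXportParmsP` it may read; a short comment that the macro must always name the last populated member would keep the next added field from repeating the mistake.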
From: abokovoy at redhat.com (Alexander Bokovoy) Date: Thu, 11 Aug 2011 15:06:48 +0300 Subject: [Freeipa-devel] [PATCH] [WIP] 108 Fix client enrollment In-Reply-To: <1313063961.2597.11.camel@dhcp-25-52.brq.redhat.com> References: <1313054354.2597.8.camel@dhcp-25-52.brq.redhat.com> <4E43A9FE.2090301@redhat.com> <1313063961.2597.11.camel@dhcp-25-52.brq.redhat.com> Message-ID: <4E43C5D8.9040101@redhat.com> On 11.08.2011 14:59, Martin Kosek wrote: > On Thu, 2011-08-11 at 13:07 +0300, Alexander Bokovoy wrote: >> On 11.08.2011 12:19, Martin Kosek wrote: >>> This is a first shot for client enrollment fix. I had to pull the new >>> version of xmlrpc-c from koji as it is not in updates-testing repo yet: >>> >>> http://koji.fedoraproject.org/koji/buildinfo?buildID=257947 >>> >>> Fixed curl package is already in stable repos. >>> >>> Unfortunately, it seems that credentials are not delegated yet. I still >>> get "did not receive Kerberos credentials" error from the server. Any >>> idea what went wrong? Adding xmlrpc-c maintainer on CC. >> >> Looking at ipa-join.c patch, I noticed one thing: >>> diff --git a/ipa-client/ipa-join.c b/ipa-client/ipa-join.c >>> index 95f2939cd9812d70aab6d29fb526ac9eb7b5479d..23af923e9d3ae1c466ffa19ea5f2aaac89ebec37 100644 >>> --- a/ipa-client/ipa-join.c >>> +++ b/ipa-client/ipa-join.c >>> @@ -149,6 +149,8 @@ callRPC(xmlrpc_env * const envP, >>> curlXportParmsP->no_ssl_verifypeer = 1; >>> curlXportParmsP->no_ssl_verifyhost = 1; >>> curlXportParmsP->cainfo = "/etc/ipa/ca.crt"; >>> + /* Enable GSSAPI credentials delegation */ >>> + curlXportParmsP->gssapi_delegation = 1; >>> >>> clientparms.transport = "curl"; >>> clientparms.transportparmsP = (struct xmlrpc_xportparms *) >> >> I think you also need to bump XMLRPC_CXPSIZE() to gssapi_delegation: >> >> diff --git a/ipa-client/ipa-join.c b/ipa-client/ipa-join.c >> index 95f2939..f6ca693 100644 >> --- a/ipa-client/ipa-join.c >> +++ b/ipa-client/ipa-join.c 
>> @@ -149,11 +149,13 @@ callRPC(xmlrpc_env * const envP, >> curlXportParmsP->no_ssl_verifypeer = 1; >> curlXportParmsP->no_ssl_verifyhost = 1; >> curlXportParmsP->cainfo = "/etc/ipa/ca.crt"; >> + /* Enable GSSAPI credentials delegation */ >> + curlXportParmsP->gssapi_delegation = 1; >> >> clientparms.transport = "curl"; >> clientparms.transportparmsP = (struct xmlrpc_xportparms *) >> curlXportParmsP; >> - clientparms.transportparm_size = XMLRPC_CXPSIZE(cainfo); >> + clientparms.transportparm_size = XMLRPC_CXPSIZE(gssapi_delegation); >> xmlrpc_client_create(envP, XMLRPC_CLIENT_NO_FLAGS, NAME, VERSION, >> &clientparms, sizeof(clientparms), >> &clientP); >> > > Thanks, that was the problem. I wonder how I missed it. Attaching the > updated patch, client enrollment on F-15 works. ACK. Should we wait until xmlrpc-c flies into F15 updates? -- / Alexander Bokovoy From mkosek at redhat.com Thu Aug 11 12:07:43 2011 From: mkosek at redhat.com (Martin Kosek) Date: Thu, 11 Aug 2011 14:07:43 +0200 Subject: [Freeipa-devel] [PATCH] 109 Update 389-ds-base version Message-ID: <1313064465.2597.13.camel@dhcp-25-52.brq.redhat.com> The patch is applicable on top of my patch 108. --- Bump minimal 389-ds-base version in spec file to get in recent Directory Server bug fixes. https://fedorahosted.org/freeipa/ticket/1513 https://fedorahosted.org/freeipa/ticket/1525 https://fedorahosted.org/freeipa/ticket/1552 -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-mkosek-109-update-389-ds-base-version.patch Type: text/x-patch Size: 1903 bytes Desc: not available URL: From abokovoy at redhat.com Thu Aug 11 12:12:15 2011 
From: abokovoy at redhat.com (Alexander Bokovoy)
Date: Thu, 11 Aug 2011 15:12:15 +0300
Subject: [Freeipa-devel] [PATCH] 109 Update 389-ds-base version
In-Reply-To: <1313064465.2597.13.camel@dhcp-25-52.brq.redhat.com>
References: <1313064465.2597.13.camel@dhcp-25-52.brq.redhat.com>
Message-ID: <4E43C71F.6080902@redhat.com>

On 11.08.2011 15:07, Martin Kosek wrote:
> The patch is applicable on top of my patch 108.
>
> ---
> Bump minimal 389-ds-base version in spec file to get in recent
> Directory Server bug fixes.
>
> https://fedorahosted.org/freeipa/ticket/1513
> https://fedorahosted.org/freeipa/ticket/1525
> https://fedorahosted.org/freeipa/ticket/1552

ACK as well. This is straight-forward.

--
/ Alexander Bokovoy

From simo at redhat.com Thu Aug 11 12:46:58 2011
From: simo at redhat.com (Simo Sorce)
Date: Thu, 11 Aug 2011 08:46:58 -0400
Subject: [Freeipa-devel] [PATCH] 109 Update 389-ds-base version
In-Reply-To: <1313064465.2597.13.camel@dhcp-25-52.brq.redhat.com>
References: <1313064465.2597.13.camel@dhcp-25-52.brq.redhat.com>
Message-ID: <1313066818.11512.98.camel@willson.li.ssimo.org>

On Thu, 2011-08-11 at 14:07 +0200, Martin Kosek wrote:
> The patch is applicable on top of my patch 108.

Shouldn't we also have a requires on libcurl and xmlrpc-c >= the version
with the fixes ?

Simo.

--
Simo Sorce * Red Hat, Inc * New York

From abokovoy at redhat.com Thu Aug 11 12:53:53 2011
From: abokovoy at redhat.com (Alexander Bokovoy)
Date: Thu, 11 Aug 2011 15:53:53 +0300
Subject: [Freeipa-devel] [PATCH] 109 Update 389-ds-base version
In-Reply-To: <1313066818.11512.98.camel@willson.li.ssimo.org>
References: <1313064465.2597.13.camel@dhcp-25-52.brq.redhat.com> <1313066818.11512.98.camel@willson.li.ssimo.org>
Message-ID: <4E43D0E1.1080602@redhat.com>

On 11.08.2011 15:46, Simo Sorce wrote:
> On Thu, 2011-08-11 at 14:07 +0200, Martin Kosek wrote:
>> The patch is applicable on top of my patch 108.
>
> Shouldn't we also have a requires on libcurl and xmlrpc-c >= the version
> with the fixes ?

These are in patch 108 already.

--
/ Alexander Bokovoy

From mkosek at redhat.com Thu Aug 11 13:12:58 2011
From: mkosek at redhat.com (Martin Kosek)
Date: Thu, 11 Aug 2011 15:12:58 +0200
Subject: [Freeipa-devel] [PATCH] 109 Update 389-ds-base version
In-Reply-To: <1313066818.11512.98.camel@willson.li.ssimo.org>
References: <1313064465.2597.13.camel@dhcp-25-52.brq.redhat.com> <1313066818.11512.98.camel@willson.li.ssimo.org>
Message-ID: <1313068380.2597.14.camel@dhcp-25-52.brq.redhat.com>

On Thu, 2011-08-11 at 08:46 -0400, Simo Sorce wrote:
> On Thu, 2011-08-11 at 14:07 +0200, Martin Kosek wrote:
> > The patch is applicable on top of my patch 108.
>
> Shouldn't we also have a requires on libcurl and xmlrpc-c >= the version
> with the fixes ?
>
> Simo.
>

We do. Please check my patch 108. I wanted to keep these 2 patches
separate.

Martin

From simo at redhat.com Thu Aug 11 13:15:00 2011
From: simo at redhat.com (Simo Sorce)
Date: Thu, 11 Aug 2011 09:15:00 -0400
Subject: [Freeipa-devel] [PATCH] 109 Update 389-ds-base version
In-Reply-To: <1313068380.2597.14.camel@dhcp-25-52.brq.redhat.com>
References: <1313064465.2597.13.camel@dhcp-25-52.brq.redhat.com> <1313066818.11512.98.camel@willson.li.ssimo.org> <1313068380.2597.14.camel@dhcp-25-52.brq.redhat.com>
Message-ID: <1313068500.11512.99.camel@willson.li.ssimo.org>

On Thu, 2011-08-11 at 15:12 +0200, Martin Kosek wrote:
> On Thu, 2011-08-11 at 08:46 -0400, Simo Sorce wrote:
> > On Thu, 2011-08-11 at 14:07 +0200, Martin Kosek wrote:
> > > The patch is applicable on top of my patch 108.
> >
> > Shouldn't we also have a requires on libcurl and xmlrpc-c >= the version
> > with the fixes ?
> >
> > Simo.
> >
>
> We do. Please check my patch 108. I wanted to keep these 2 patches
> separate.

Yeah, sorry, I didn't notice.

--
Simo Sorce * Red Hat, Inc * New York

From pvoborni at redhat.com Thu Aug 11 14:01:15 2011
From: pvoborni at redhat.com (Petr Vobornik)
Date: Thu, 11 Aug 2011 16:01:15 +0200
Subject: [Freeipa-devel] [PATCH] 004 error dialog for batch command
Message-ID: <4E43E0AB.1000603@redhat.com>

[PATCH] error dialog for batch command

https://fedorahosted.org/freeipa/ticket/1597
https://fedorahosted.org/freeipa/ticket/1592

Added option to show multiple errors in error dialog.

Notes:
- also covering '[ipa webui] Does not return appropriate error when
deleting an external host but checking update dns' (1592)
- added support (element's classes) for css styling of aggregated errors
- except search dialog delete (1592) - no other batch command uses this
feature (has to be explicitly turned on).

--
Petr Vobornik

-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-pvoborni-0004-error-dialog-for-batch-command.patch
Type: text/x-patch
Size: 10003 bytes
Desc: not available
URL:

From edewata at redhat.com Thu Aug 11 14:04:00 2011
From: edewata at redhat.com (Endi Sukma Dewata)
Date: Thu, 11 Aug 2011 09:04:00 -0500
Subject: [Freeipa-devel] [PATCH] 241 Fixed broken links in ipa_error.css and ipa_migration.css.
In-Reply-To: <4E439880.5040102@redhat.com>
References: <4E41EB24.70406@redhat.com> <4E439880.5040102@redhat.com>
Message-ID: <4E43E150.9030300@redhat.com>

On 8/11/2011 3:53 AM, Petr Vobornik wrote:
> ACK
>
> I don't like that there is no pattern in image file naming. Sometimes it
> uses dashes, sometimes underscores. Some file names are capitalized. But
> this isn't the subject of this patch (ticket).

Yes, it's an existing issue. I opened a new ticket for that:
https://fedorahosted.org/freeipa/ticket/1613

Pushed to master.

--
Endi S. Dewata

From mkosek at redhat.com Thu Aug 11 16:02:43 2011
From: mkosek at redhat.com (Martin Kosek)
Date: Thu, 11 Aug 2011 18:02:43 +0200
Subject: [Freeipa-devel] [PATCH] 110 Update pki-ca version
Message-ID: <1313078566.29790.0.camel@dhcp-25-52.brq.redhat.com>

Bump minimal pki-ca version in spec file to get fix for ipa cert-request
command.

https://fedorahosted.org/freeipa/ticket/1578

-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-mkosek-110-update-pki-ca-version.patch
Type: text/x-patch
Size: 1295 bytes
Desc: not available
URL:

From edewata at redhat.com Thu Aug 11 16:03:34 2011
From: edewata at redhat.com (Endi Sukma Dewata)
Date: Thu, 11 Aug 2011 11:03:34 -0500
Subject: [Freeipa-devel] [PATCH] 004 error dialog for batch command
In-Reply-To: <4E43E0AB.1000603@redhat.com>
References: <4E43E0AB.1000603@redhat.com>
Message-ID: <4E43FD56.1030804@redhat.com>

On 8/11/2011 9:01 AM, Petr Vobornik wrote:
> [PATCH] error dialog for batch command
>
> https://fedorahosted.org/freeipa/ticket/1597
> https://fedorahosted.org/freeipa/ticket/1592
>
> Added option to show multiple errors in error dialog.
>
> Notes:
> - also covering '[ipa webui] Does not return appropriate error when
> deleting an external host but checking update dns' (1592)
> - added support (element's classes) for css styling of aggregated errors
> - except search dialog delete (1592) - no other batch command uses this
> feature (has to be explicitly turned on).

Some issues:

1. I think by default all batch commands should use this feature. The
batch command is used for various purposes, not just for deletion.
Consider this scenario:

First, find a way to log in simultaneously using different accounts. You
can use either multiple machines, accounts, or browsers, whichever is
the easiest.

In the first session, log in as admin, create a test user, add it into
the admins group.

Then in the second session, login as the test user, then edit a sudo
rule. Modify the description and the enabled flag (this will be executed
as separate operations in a single batch). Don't click Update yet.

Back to the first session, remove the test user from the admins group.
Then go back to the second session, click Update.

Since the test user doesn't have admin rights anymore the operations
will fail. However, currently these failures are not reported and the
values simply revert back to the original. The error dialog should show
these errors.

So in this case we don't really need the 'partial_success_notify' flag,
or it can be renamed into 'show_error' which should be true by default.
The 'retry' flag in IPA.command can be renamed to 'show_error' too.

2. The 'partial_success_message' probably can be renamed into
'error_message' which will say something like 'Some operations failed.'

3. Instead of a checkbox for show_errors_checkbox, it might be better to
use 'Show details' and 'Hide details' links.

4. In ipa.js:510 instead of repeating the error message the
error_thrown.name could say something like 'Batch Error' or 'Operations
Error'.

5. The add_error() could be moved into IPA.error_dialog so the
IPA.batch_command doesn't need to hold the 'errors' list.

6. The list of errors should be displayed as a list (with bullets) like
in the deleter dialog.

--
Endi S. Dewata

From mkosek at redhat.com Thu Aug 11 16:06:36 2011
From: mkosek at redhat.com (Martin Kosek)
Date: Thu, 11 Aug 2011 18:06:36 +0200
Subject: [Freeipa-devel] [PATCH] 110 Update pki-ca version
In-Reply-To: <1313078566.29790.0.camel@dhcp-25-52.brq.redhat.com>
References: <1313078566.29790.0.camel@dhcp-25-52.brq.redhat.com>
Message-ID: <1313078799.29790.2.camel@dhcp-25-52.brq.redhat.com>

Just a note - applies on top of 108 and 109. When all these new packages
are in updates-testing repo, I will push the patches upstream.

A hint how to test this:
1) Install newest pki-ca from koji
2) run ./make-testcert - it should succeed

Martin

On Thu, 2011-08-11 at 18:02 +0200, Martin Kosek wrote:
> Bump minimal pki-ca version in spec file to get fix for ipa
> cert-request command.
>
> https://fedorahosted.org/freeipa/ticket/1578

From jdennis at redhat.com Thu Aug 11 16:13:40 2011
From: jdennis at redhat.com (John Dennis)
Date: Thu, 11 Aug 2011 12:13:40 -0400
Subject: [Freeipa-devel] [PATCH 37/37] Transifex translation adjustment
Message-ID: <4E43FFB4.4090102@redhat.com>

--
John Dennis

Looking to carve out IT costs?
www.redhat.com/carveoutcosts/

-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0037-Transifex-translation-adjustment.patch
Type: text/x-patch
Size: 1654569 bytes
Desc: not available
URL:

From edewata at redhat.com Thu Aug 11 16:16:16 2011
From: edewata at redhat.com (Endi Sukma Dewata)
Date: Thu, 11 Aug 2011 11:16:16 -0500
Subject: [Freeipa-devel] [PATCH] 004 error dialog for batch command
In-Reply-To: <4E43FD56.1030804@redhat.com>
References: <4E43E0AB.1000603@redhat.com> <4E43FD56.1030804@redhat.com>
Message-ID: <4E440050.8080209@redhat.com>

On 8/11/2011 11:03 AM, Endi Sukma Dewata wrote:
> Some issues:
>
> 1. I think by default all batch commands should use this feature. The
> batch command is used for various purposes, not just for deletion.
> Consider this scenario:
>
> First, find a way to log in simultaneously using different accounts. You
> can use either multiple machines, accounts, or browsers, whichever is
> the easiest.
>
> In the first session, log in as admin, create a test user, add it into
> the admins group.
>
> Then in the second session, login as the test user, then edit a sudo
> rule. Modify the description and the enabled flag (this will be executed
> as separate operations in a single batch). Don't click Update yet.
>
> Back to the first session, remove the test user from the admins group.
> Then go back to the second session, click Update.
>
> Since the test user doesn't have admin rights anymore the operations
> will fail. However, currently these failures are not reported and the
> values simply revert back to the original. The error dialog should show
> these errors.
>
> So in this case we don't really need the 'partial_success_notify' flag,
> or it can be renamed into 'show_error' which should be true by default.
> The 'retry' flag in IPA.command can be renamed to 'show_error' too.
>
> 2. The 'partial_success_message' probably can be renamed into
> 'error_message' which will say something like 'Some operations failed.'
>
> 3. Instead of a checkbox for show_errors_checkbox, it might be better to
> use 'Show details' and 'Hide details' links.
>
> 4. In ipa.js:510 instead of repeating the error message the
> error_thrown.name could say something like 'Batch Error' or 'Operations
> Error'.
>
> 5. The add_error() could be moved into IPA.error_dialog so the
> IPA.batch_command doesn't need to hold the 'errors' list.
>
> 6. The list of errors should be displayed as a list (with bullets) like
> in the deleter dialog.

7. Just for consistency, the Retry label declaration in ipa.js:737 could
be moved into the if-statement like the other labels.

--
Endi S. Dewata

From edewata at redhat.com Thu Aug 11 17:44:09 2011
From: edewata at redhat.com (Endi Sukma Dewata)
Date: Thu, 11 Aug 2011 12:44:09 -0500
Subject: [Freeipa-devel] [PATCH] 242 Removed custom layout for password reset.
Message-ID: <4E4414E9.5000108@redhat.com>

The dialog box for resetting user password has been modified to use the
standard layout.

--
Endi S. Dewata

-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-edewata-0242-Removed-custom-layout-for-password-reset.patch
Type: text/x-patch
Size: 4269 bytes
Desc: not available
URL:

From edewata at redhat.com Thu Aug 11 18:43:11 2011
From: edewata at redhat.com (Endi Sukma Dewata)
Date: Thu, 11 Aug 2011 13:43:11 -0500
Subject: [Freeipa-devel] [PATCH] 243 Fixed problem clicking 3rd level tabs.
Message-ID: <4E4422BF.6080400@redhat.com>

The 3rd level tabs were partially covered by the content panel, so only
the top portion can be clicked. The content panel has been repositioned
to avoid the problem.

Pushed under one-liner/trivial rule.

--
Endi S. Dewata

-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-edewata-0243-Fixed-problem-clicking-3rd-level-tabs.patch
Type: text/x-patch
Size: 1135 bytes
Desc: not available
URL:

From jdennis at redhat.com Thu Aug 11 21:32:29 2011
From: jdennis at redhat.com (John Dennis)
Date: Thu, 11 Aug 2011 17:32:29 -0400
Subject: [Freeipa-devel] [PATCH 36/36] ticket 1600 - convert unittests to use DN objects
In-Reply-To: <4E428A82.3080908@redhat.com>
References: <201108100216.p7A2GwXU017145@int-mx10.intmail.prod.int.phx2.redhat.com> <4E428A82.3080908@redhat.com>
Message-ID: <4E444A6D.5070207@redhat.com>

On 08/10/2011 09:41 AM, Alexander Bokovoy wrote:
> *Huge* work, very appreciated! It is much cleaner to see now what we are
> actually expecting in a structured way.

Thank you. There are plenty more similar fixes coming to a review near
you soon :-)

> Unrelated comment:
> There are a few places where we have CN vs cn like
> - assert str(subject) == 'CN=ipa.example.com,O=IPA'
> + assert DN(str(subject)) == DN(('CN','ipa.example.com'),('O','IPA'))
>
> Does it make sense to normalize to lowercase for those attributes that are
> case-insensitive like cn, sn, uid, etc? It makes no functional
> difference but looks a bit out of style to have a mix and also may trick
> into wrongly using those attributes which are case-sensitive due to
> schema definition.

Sure, good question. Since the comparison is case-insensitive there is
no logic change and my goal was to maintain things as originally written
but use the correct method. We could lower case everything but as you
say there is no functional difference, it's a style issue and we don't
have a style guide for dn's (yet?). However there does seem to be an
unwritten convention (at least by observation on my part) that dn attr's
used in ldap are lowercase but dn attr's in X509 certs are uppercase, go
figure. The example you cited happens to be a dn associated with a X509
cert.

Short answer: I don't have a strong opinion on this either way, if
others do chime in.

--
John Dennis

Looking to carve out IT costs?
www.redhat.com/carveoutcosts/

From edewata at redhat.com Thu Aug 11 22:09:35 2011
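The point of the exchange above, that a DN should be compared as a structured object with case-insensitive attribute types rather than as a raw string, is shown below in an added example. This is a small stand-in written for this thread, not FreeIPA's own DN class; the CASE_EXACT_TYPES set, the escaping rules it handles and the sample subject strings are assumptions constructed for the example.

```python
"""Structured DN comparison: an added example for this thread, not FreeIPA's
own DN class.  It shows why `DN(a) == DN(b)` is the right check where
`str(a) == str(b)` is fragile: attribute types compare case-insensitively,
and so do values unless the schema says otherwise."""
import re

# Types whose values must match case-exactly.  Assumption for the example:
# in a real deployment this comes from the schema's equality matching rule
# (cn, sn, uid, o, ou, dc all use caseIgnoreMatch, so none is listed here).
CASE_EXACT_TYPES = frozenset()

# Split on commas that are not backslash-escaped ("cn=Smith\, John" is one
# RDN).  A value ending in an escaped backslash is not handled here.
_UNESCAPED_COMMA = re.compile(r'(?<!\\),')
_ESCAPE_NEEDED = re.compile(r'([,+"\\<>;])')


class DN:
    """A distinguished name as an ordered list of (attribute, value) RDNs."""

    def __init__(self, *parts):
        self.rdns = []
        for part in parts:
            if isinstance(part, DN):
                self.rdns.extend(part.rdns)
            elif isinstance(part, str):
                self.rdns.extend(self._parse(part))
            elif isinstance(part, tuple) and len(part) == 2:
                self.rdns.append((part[0].strip(), part[1]))
            else:
                raise TypeError("DN parts must be str, 2-tuple or DN: %r" % (part,))

    @staticmethod
    def _parse(text):
        rdns = []
        for rdn in _UNESCAPED_COMMA.split(text):
            attr, sep, value = rdn.partition('=')
            if not sep or not attr.strip():
                raise ValueError("malformed RDN %r in %r" % (rdn, text))
            # Drop the backslash from escaped characters once the RDN
            # boundary has been decided.
            value = re.sub(r'\\(.)', r'\1', value.strip())
            rdns.append((attr.strip(), value))
        return rdns

    def _key(self):
        """Canonical form used for equality and hashing."""
        key = []
        for attr, value in self.rdns:
            attr = attr.lower()            # attribute types are never case-sensitive
            if attr not in CASE_EXACT_TYPES:
                value = value.lower()      # caseIgnoreMatch semantics
            key.append((attr, value))
        return tuple(key)

    def __eq__(self, other):
        if not isinstance(other, DN):
            return NotImplemented
        return self._key() == other._key()

    def __hash__(self):
        return hash(self._key())

    def __str__(self):
        # Re-escape special characters so str(DN(s)) parses back to DN(s).
        return ','.join('%s=%s' % (attr, _ESCAPE_NEEDED.sub(r'\\\1', value))
                        for attr, value in self.rdns)

    def __repr__(self):
        return 'DN(%r)' % str(self)


def string_equal(a, b):
    """The fragile check the unit tests used to do: raw string comparison."""
    return a == b


if __name__ == '__main__':
    cert_subject = 'CN=ipa.example.com,O=IPA'        # constructed sample
    ldap_form = 'cn=Ipa.Example.Com,o=ipa'           # same entity, LDAP style
    print(string_equal(cert_subject, ldap_form))     # False
    print(DN(cert_subject) == DN(ldap_form))         # True
```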
From: edewata at redhat.com (Endi Sukma Dewata)
Date: Thu, 11 Aug 2011 17:09:35 -0500
Subject: [Freeipa-devel] [PATCH] [WIP] 108 Fix client enrollment
In-Reply-To: <4E43C5D8.9040101@redhat.com>
References: <1313054354.2597.8.camel@dhcp-25-52.brq.redhat.com> <4E43A9FE.2090301@redhat.com> <1313063961.2597.11.camel@dhcp-25-52.brq.redhat.com> <4E43C5D8.9040101@redhat.com>
Message-ID: <4E44531F.1060808@redhat.com>

On 8/11/2011 7:06 AM, Alexander Bokovoy wrote:
> On 11.08.2011 14:59, Martin Kosek wrote:
>> Thanks, that was the problem. I wonder how I missed it. Attaching the
>> updated patch, client enrollment on F-15 works.
> ACK.
> Should we wait until xmlrpc-c flies into F15 updates?

Pushed to master.

--
Endi S. Dewata

From edewata at redhat.com Thu Aug 11 22:10:23 2011
From: edewata at redhat.com (Endi Sukma Dewata)
Date: Thu, 11 Aug 2011 17:10:23 -0500
Subject: [Freeipa-devel] [PATCH] 109 Update 389-ds-base version
In-Reply-To: <4E43C71F.6080902@redhat.com>
References: <1313064465.2597.13.camel@dhcp-25-52.brq.redhat.com> <4E43C71F.6080902@redhat.com>
Message-ID: <4E44534F.8000203@redhat.com>

On 8/11/2011 7:12 AM, Alexander Bokovoy wrote:
> On 11.08.2011 15:07, Martin Kosek wrote:
>> The patch is applicable on top of my patch 108.
> ACK as well. This is straight-forward.

Pushed to master.

--
Endi S. Dewata

From jdennis at redhat.com Fri Aug 12 00:00:18 2011
From: jdennis at redhat.com (John Dennis)
Date: Thu, 11 Aug 2011 20:00:18 -0400
Subject: [Freeipa-devel] [PATCH 38/38] transifex translation adjustment
Message-ID: <201108120000.p7C00IqV009346@int-mx10.intmail.prod.int.phx2.redhat.com>

Pull the new translations for Spanish (es) and Ukrainian (uk)

Update the LINGUAS file to add comment showing the friendly
name for the language abbreviation.

The make target msg-stats which produces a report about the state
of the translations no longer maintained its column alignment
due to larger numbers so the formatting was tweaked to maintain
column alignment.

--
John Dennis

Looking to carve out IT costs?
www.redhat.com/carveoutcosts/

-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0038-transifex-translation-adjustment.patch
Type: text/x-patch
Size: 570297 bytes
Desc: not available
URL:

From jdennis at redhat.com Fri Aug 12 00:09:30 2011
From: jdennis at redhat.com (John Dennis)
Date: Thu, 11 Aug 2011 20:09:30 -0400
Subject: [Freeipa-devel] [PATCH 37/37] Transifex translation adjustment
In-Reply-To: <4E43FFB4.4090102@redhat.com>
References: <4E43FFB4.4090102@redhat.com>
Message-ID: <4E446F3A.9070405@redhat.com>

Self NAK'ing. There was no reason to pull in new translations at this
juncture. Plus the new po files didn't have correct plural-forms and
only the translators know what they should be.

This patch has been superseded by [PATCH 38/38] transifex translation
adjustment

--
John Dennis

Looking to carve out IT costs?
www.redhat.com/carveoutcosts/

From ayoung at redhat.com Fri Aug 12 01:21:36 2011
From: ayoung at redhat.com (Adam Young)
Date: Thu, 11 Aug 2011 21:21:36 -0400
Subject: [Freeipa-devel] [PATCH 38/38] transifex translation adjustment
In-Reply-To: <201108120000.p7C00IqV009346@int-mx10.intmail.prod.int.phx2.redhat.com>
References: <201108120000.p7C00IqV009346@int-mx10.intmail.prod.int.phx2.redhat.com>
Message-ID: <4E448020.5020504@redhat.com>

On 08/11/2011 08:00 PM, John Dennis wrote:
> Pull the new translations for Spanish (es) and Ukrainian (uk)
>
> Update the LINGUAS file to add comment showing the friendly
> name for the language abbreviation.
>
> The make target msg-stats which produces a report about the state
> of the translations no longer maintained its column alignment
> due to larger numbers so the formatting was tweaked to maintain
> column alignment.
>
> --
> John Dennis
>
> Looking to carve out IT costs?
> www.redhat.com/carveoutcosts/

The es.po files seem to have had a regression in the header:

First line is now:
# SOME DESCRIPTIVE TITLE.

It was

# Fedora Spanish translation of freeipa.master.ipa.

Also, lost a translator from the list: domingobecker at gmail.com.

The uk File has the same generic first line, but it didn't have anything
before.

-------------- next part --------------
An HTML attachment was scrubbed...
URL:

From ayoung at redhat.com Fri Aug 12 03:29:24 2011
From: ayoung at redhat.com (Adam Young)
Date: Thu, 11 Aug 2011 23:29:24 -0400
Subject: [Freeipa-devel] [PATCH 38/38] transifex translation adjustment
In-Reply-To: <4E448020.5020504@redhat.com>
References: <201108120000.p7C00IqV009346@int-mx10.intmail.prod.int.phx2.redhat.com> <4E448020.5020504@redhat.com>
Message-ID: <4E449E14.6000704@redhat.com>

On 08/11/2011 09:21 PM, Adam Young wrote:
> On 08/11/2011 08:00 PM, John Dennis wrote:
>> Pull the new translations for Spanish (es) and Ukrainian (uk)
>>
>> Update the LINGUAS file to add comment showing the friendly
>> name for the language abbreviation.
>>
>> The make target msg-stats which produces a report about the state
>> of the translations no longer maintained its column alignment
>> due to larger numbers so the formatting was tweaked to maintain
>> column alignment.
>>
>> --
>> John Dennis
>>
>> Looking to carve out IT costs?
>> www.redhat.com/carveoutcosts/
>
> The es.po files seem to have had a regression in the header:
>
> First line is now:
> # SOME DESCRIPTIVE TITLE.
>
> It was
>
> # Fedora Spanish translation of freeipa.master.ipa.
>
> Also, lost a translator from the list: domingobecker at gmail.com.
>
> The uk File has the same generic first line, but it didn't have
> anything before.

Got it to build and deploy. Looks good in Spanish. Aside from the issues
listed above, ACK.

-------------- next part --------------
An HTML attachment was scrubbed...
URL:

From abokovoy at redhat.com Fri Aug 12 04:58:32 2011
From: abokovoy at redhat.com (Alexander Bokovoy) Date: Fri, 12 Aug 2011 07:58:32 +0300 Subject: [Freeipa-devel] [PATCH 38/38] transifex translation adjustment In-Reply-To: <201108120000.p7C00IqV009346@int-mx10.intmail.prod.int.phx2.redhat.com> References: <201108120000.p7C00IqV009346@int-mx10.intmail.prod.int.phx2.redhat.com> Message-ID: <4E44B2F8.1030409@redhat.com> On 12.08.2011 03:00, John Dennis wrote: > Pull the new translations for Spanish (es) and Ukrainian (uk) > > Update the LINGUAS file to add comment showing the friendly > name for the language abbreviation. > > The make target msg-stats which produces a report about the state > of the translations no longer maintained it's column alignment > due to larger numbers so the formating was tweaked to maintain > column alignment. I have some reservations about Ukrainian translation -- stylistically it needs improvements and some places are not acceptable, like, for example, this one: > #: ipalib/plugins/internal.py:395 > msgid "" > "Your Kerberos ticket is no longer valid. Please run kinit and then click " > -"'Retry'. If this is your first time running the IPA Web UI follow these directions to configure your " > -"browser." > +"'Retry'. If this is your first time running the IPA Web UI +"href='/ipa/config/unauthorized.html'>follow these directions to " > +"configure your browser." > msgstr "" > +"??? ?????? Kerberos ??????? ????????. ???? ?????, ????????? kinit and then " > +"click 'Retry'. If this is your first time running the IPA Web UI +"href='/ipa/config/unauthorized.html'>follow these directions to " > +"configure your browser." Note first line of the actual translation and what follows it. It would probably be better to not include such translated message at all. ACK for the patch itself. -- / Alexander Bokovoy From abokovoy at redhat.com Fri Aug 12 06:44:56 2011 
From: abokovoy at redhat.com (Alexander Bokovoy) Date: Fri, 12 Aug 2011 09:44:56 +0300 Subject: [Freeipa-devel] [PATCH] 110 Update pki-ca version In-Reply-To: <1313078566.29790.0.camel@dhcp-25-52.brq.redhat.com> References: <1313078566.29790.0.camel@dhcp-25-52.brq.redhat.com> Message-ID: <4E44CBE8.3000805@redhat.com>

On 11.08.2011 19:02, Martin Kosek wrote:
> Bump minimal pki-ca version in spec file to get fix for ipa
> cert-request command.
>
> https://fedorahosted.org/freeipa/ticket/1578

ACK. There is some confusion in the original bug report about F14, but reading it through it becomes apparent F14 is not affected, as the diversion in the output happened after 9.0.0.3, which is the latest F14 package version for pki-core.

-- / Alexander Bokovoy

From mkosek at redhat.com Fri Aug 12 06:56:17 2011
From: mkosek at redhat.com (Martin Kosek) Date: Fri, 12 Aug 2011 08:56:17 +0200 Subject: [Freeipa-devel] [PATCH] 110 Update pki-ca version In-Reply-To: <4E44CBE8.3000805@redhat.com> References: <1313078566.29790.0.camel@dhcp-25-52.brq.redhat.com> <4E44CBE8.3000805@redhat.com> Message-ID: <1313132179.2432.1.camel@dhcp-25-52.brq.redhat.com>

On Fri, 2011-08-12 at 09:44 +0300, Alexander Bokovoy wrote:
> On 11.08.2011 19:02, Martin Kosek wrote:
> > Bump minimal pki-ca version in spec file to get fix for ipa
> > cert-request command.
> >
> > https://fedorahosted.org/freeipa/ticket/1578
> ACK. There is some confusion in the original bug report about F14, but
> reading it through it becomes apparent F14 is not affected, as the diversion in
> the output happened after 9.0.0.3, which is the latest F14 package
> version for pki-core.
>

Pushed to master.

Martin

From mkosek at redhat.com Fri Aug 12 07:38:58 2011
From: mkosek at redhat.com (Martin Kosek) Date: Fri, 12 Aug 2011 09:38:58 +0200 Subject: [Freeipa-devel] [PATCH 38/38] transifex translation adjustment In-Reply-To: <4E44B2F8.1030409@redhat.com> References: <201108120000.p7C00IqV009346@int-mx10.intmail.prod.int.phx2.redhat.com> <4E44B2F8.1030409@redhat.com> Message-ID: <1313134740.2432.9.camel@dhcp-25-52.brq.redhat.com>

On Fri, 2011-08-12 at 07:58 +0300, Alexander Bokovoy wrote:
> On 12.08.2011 03:00, John Dennis wrote:
> > Pull the new translations for Spanish (es) and Ukrainian (uk)
> >
> > Update the LINGUAS file to add a comment showing the friendly
> > name for the language abbreviation.
> >
> > The make target msg-stats, which produces a report about the state
> > of the translations, no longer maintained its column alignment
> > due to larger numbers, so the formatting was tweaked to maintain
> > column alignment.
> I have some reservations about the Ukrainian translation -- stylistically it
> needs improvements and some places are not acceptable, like, for
> example, this one:
>
> > #: ipalib/plugins/internal.py:395
> > msgid ""
> > "Your Kerberos ticket is no longer valid. Please run kinit and then click "
> > -"'Retry'. If this is your first time running the IPA Web UI follow these directions to configure your "
> > -"browser."
> > +"'Retry'. If this is your first time running the IPA Web UI
> > +"href='/ipa/config/unauthorized.html'>follow these directions to "
> > +"configure your browser."
> > msgstr ""
> > +"??? ?????? Kerberos ??????? ????????. ???? ?????, ????????? kinit and then "
> > +"click 'Retry'. If this is your first time running the IPA Web UI
> > +"href='/ipa/config/unauthorized.html'>follow these directions to "
> > +"configure your browser."
>
> Note the first line of the actual translation and what follows it. It would
> probably be better to not include such a translated message at all.
>
> ACK for the patch itself.

Pushed to master.

Martin

From jcholast at redhat.com Mon Aug 15 07:11:34 2011
From: jcholast at redhat.com (Jan Cholasta) Date: Mon, 15 Aug 2011 09:11:34 +0200 Subject: [Freeipa-devel] [PATCH] 38 Verify length of passwords in ipa-server-install Message-ID: <4E48C6A6.4050303@redhat.com> Verify that passwords specified through command line options of ipa-server-install meet the length requirement (at least 8 characters long). https://fedorahosted.org/freeipa/ticket/1621 Honza -- Jan Cholasta -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-jcholast-38-verify-password-length.patch Type: text/x-patch Size: 1208 bytes Desc: not available URL: From abokovoy at redhat.com Mon Aug 15 09:05:57 2011 From: abokovoy at redhat.com (Alexander Bokovoy) Date: Mon, 15 Aug 2011 12:05:57 +0300 Subject: [Freeipa-devel] [PATCH] 38 Verify length of passwords in ipa-server-install In-Reply-To: <4E48C6A6.4050303@redhat.com> References: <4E48C6A6.4050303@redhat.com> Message-ID: <4E48E175.1030200@redhat.com> On 15.08.2011 10:11, Jan Cholasta wrote: > Verify that passwords specified through command line options of > ipa-server-install meet the length requirement (at least 8 characters > long). > > https://fedorahosted.org/freeipa/ticket/1621 ACK. Are there any additional requirements towards the password complexity other than 8 letters minimum length? -- / Alexander Bokovoy From mkosek at redhat.com Mon Aug 15 12:20:11 2011 
From: mkosek at redhat.com (Martin Kosek) Date: Mon, 15 Aug 2011 14:20:11 +0200 Subject: [Freeipa-devel] [PATCH] 111 Let Bind track data changes Message-ID: <1313410813.2633.28.camel@dhcp-25-52.brq.redhat.com> A new version of bind-dyndb-ldap has been released. Thanks to the new persistent search feature, the name server can immediately pull new DNS zones when they are created in IPA. Since the bind-dyndb-ldap plugin has not been released in F-15 yet, one has to use the provided src.rpm: http://mkosek.fedorapeople.org/bind-dyndb-ldap/srpm/bind-dyndb-ldap-0.2.0-5.fc17.src.rpm or rpms I built for x86_64 F-15: http://mkosek.fedorapeople.org/bind-dyndb-ldap/x86_64/ There is one setback though. When I investigated DNS persistent search behavior I still miss the ability to detect changes to the DNS zone itself. Adding a record (for example MX record) to the zone does not trigger an update of the zone in nameserver cache. We still have to wait for cache timeout (argument "cache_ttl"). We cannot therefore use this feature as a solution of: https://fedorahosted.org/freeipa/ticket/1114 https://fedorahosted.org/freeipa/ticket/1125 https://fedorahosted.org/freeipa/ticket/1126 Martin -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-mkosek-111-let-bind-track-data-changes.patch Type: text/x-patch Size: 11764 bytes Desc: not available URL: From jcholast at redhat.com Mon Aug 15 13:56:54 2011 From: jcholast at redhat.com (Jan Cholasta) Date: Mon, 15 Aug 2011 15:56:54 +0200 Subject: [Freeipa-devel] [PATCH] 39 Fix internal error when removing the last PTR record from a DNS record entry. Message-ID: <4E4925A6.1010906@redhat.com> https://fedorahosted.org/freeipa/ticket/1632 Honza -- Jan Cholasta -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-jcholast-39-fix-ptr-delete.patch Type: text/x-patch Size: 1332 bytes Desc: not available URL: From edewata at redhat.com Mon Aug 15 14:07:21 2011 
From: edewata at redhat.com (Endi Sukma Dewata) Date: Mon, 15 Aug 2011 09:07:21 -0500 Subject: [Freeipa-devel] [PATCH] 244 Fixed link style in dialog box. Message-ID: <4E492819.6000006@redhat.com>

The general link style defined in ipa.css was overridden by a more specific rule in jquery-ui.css. So the style has been modified to include the more specific rule.

Ticket #1623

Pushed under one-liner rule.

-- Endi S. Dewata

-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-edewata-0244-Fixed-link-style-in-dialog-box.patch
Type: text/x-patch
Size: 846 bytes
Desc: not available
URL:

From dpal at redhat.com Mon Aug 15 14:22:09 2011
From: dpal at redhat.com (Dmitri Pal) Date: Mon, 15 Aug 2011 10:22:09 -0400 Subject: [Freeipa-devel] [PATCH] 111 Let Bind track data changes In-Reply-To: <1313410813.2633.28.camel@dhcp-25-52.brq.redhat.com> References: <1313410813.2633.28.camel@dhcp-25-52.brq.redhat.com> Message-ID: <4E492B91.5080506@redhat.com> On 08/15/2011 08:20 AM, Martin Kosek wrote: > A new version of bind-dyndb-ldap has been released. Thanks to the new > persistent search feature, the name server can immediately pull new DNS > zones when they are created in IPA. > > Since the bind-dyndb-ldap plugin has not been released in F-15 yet, one > has to use the provided src.rpm: > > http://mkosek.fedorapeople.org/bind-dyndb-ldap/srpm/bind-dyndb-ldap-0.2.0-5.fc17.src.rpm > > or rpms I built for x86_64 F-15: > > http://mkosek.fedorapeople.org/bind-dyndb-ldap/x86_64/ > > There is one setback though. When I investigated DNS persistent search > behavior I still miss the ability to detect changes to the DNS zone > itself. Adding a record (for example MX record) to the zone does not > trigger an update of the zone in nameserver cache. We still have to wait > for cache timeout (argument "cache_ttl"). We cannot therefore use this > feature as a solution of: > > https://fedorahosted.org/freeipa/ticket/1114 > https://fedorahosted.org/freeipa/ticket/1125 > https://fedorahosted.org/freeipa/ticket/1126 So what are our options here? > Martin > > > > _______________________________________________ > Freeipa-devel mailing list > Freeipa-devel at redhat.com > https://www.redhat.com/mailman/listinfo/freeipa-devel -- Thank you, Dmitri Pal Sr. Engineering Manager IPA project, Red Hat Inc. ------------------------------- Looking to carve out IT costs? www.redhat.com/carveoutcosts/ -------------- next part -------------- An HTML attachment was scrubbed... URL: From edewata at redhat.com Mon Aug 15 14:29:43 2011 
From: edewata at redhat.com (Endi Sukma Dewata) Date: Mon, 15 Aug 2011 09:29:43 -0500 Subject: [Freeipa-devel] [PATCH] 245 Fixed problem with buttons in enrollment dialog. Message-ID: <4E492D57.8040904@redhat.com> The panel for selection buttons (i.e. ">>" and "<<") has been re- positioned to avoid being covered by the adder-dialog-right panel. Ticket #1626 -- Endi S. Dewata -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-edewata-0245-Fixed-problem-with-buttons-in-enrollment-dialog.patch Type: text/x-patch Size: 2248 bytes Desc: not available URL: From simo at redhat.com Mon Aug 15 14:36:02 2011 
From: simo at redhat.com (Simo Sorce) Date: Mon, 15 Aug 2011 10:36:02 -0400 Subject: [Freeipa-devel] [PATCH] 111 Let Bind track data changes In-Reply-To: <1313410813.2633.28.camel@dhcp-25-52.brq.redhat.com> References: <1313410813.2633.28.camel@dhcp-25-52.brq.redhat.com> Message-ID: <1313418962.11512.140.camel@willson.li.ssimo.org> On Mon, 2011-08-15 at 14:20 +0200, Martin Kosek wrote: > A new version of bind-dyndb-ldap has been released. Thanks to the new > persistent search feature, the name server can immediately pull new DNS > zones when they are created in IPA. > > Since the bind-dyndb-ldap plugin has not been released in F-15 yet, one > has to use the provided src.rpm: > > http://mkosek.fedorapeople.org/bind-dyndb-ldap/srpm/bind-dyndb-ldap-0.2.0-5.fc17.src.rpm > > or rpms I built for x86_64 F-15: > > http://mkosek.fedorapeople.org/bind-dyndb-ldap/x86_64/ > > There is one setback though. When I investigated DNS persistent search > behavior I still miss the ability to detect changes to the DNS zone > itself. Adding a record (for example MX record) to the zone does not > trigger an update of the zone in nameserver cache. We still have to wait > for cache timeout (argument "cache_ttl"). We cannot therefore use this > feature as a solution of: > > https://fedorahosted.org/freeipa/ticket/1114 > https://fedorahosted.org/freeipa/ticket/1125 > https://fedorahosted.org/freeipa/ticket/1126 Is this a bug/deficiency of the plugin ? Or is it something that depends on named internals somehow ? Simo. -- Simo Sorce * Red Hat, Inc * New York From pvoborni at redhat.com Mon Aug 15 14:43:16 2011 
From: pvoborni at redhat.com (Petr Vobornik) Date: Mon, 15 Aug 2011 16:43:16 +0200 Subject: [Freeipa-devel] [PATCH] 245 Fixed problem with buttons in enrollment dialog. In-Reply-To: <4E492D57.8040904@redhat.com> References: <4E492D57.8040904@redhat.com> Message-ID: <4E493084.9090609@redhat.com> On 08/15/2011 04:29 PM, Endi Sukma Dewata wrote: > The panel for selection buttons (i.e. ">>" and "<<") has been re- > positioned to avoid being covered by the adder-dialog-right panel. > > Ticket #1626 > > > > _______________________________________________ > Freeipa-devel mailing list > Freeipa-devel at redhat.com > https://www.redhat.com/mailman/listinfo/freeipa-devel ACK -- Petr Vobornik From edewata at redhat.com Mon Aug 15 14:48:25 2011 From: edewata at redhat.com (Endi Sukma Dewata) Date: Mon, 15 Aug 2011 09:48:25 -0500 Subject: [Freeipa-devel] [PATCH] 245 Fixed problem with buttons in enrollment dialog. In-Reply-To: <4E493084.9090609@redhat.com> References: <4E492D57.8040904@redhat.com> <4E493084.9090609@redhat.com> Message-ID: <4E4931B9.6030006@redhat.com> On 8/15/2011 9:43 AM, Petr Vobornik wrote: > On 08/15/2011 04:29 PM, Endi Sukma Dewata wrote: >> The panel for selection buttons (i.e. ">>" and "<<") has been re- >> positioned to avoid being covered by the adder-dialog-right panel. >> >> Ticket #1626 > ACK Pushed to master. -- Endi S. Dewata From pvoborni at redhat.com Mon Aug 15 15:28:48 2011 
From: pvoborni at redhat.com (Petr Vobornik) Date: Mon, 15 Aug 2011 17:28:48 +0200 Subject: [Freeipa-devel] [PATCH] 004 error dialog for batch command In-Reply-To: <4E440050.8080209@redhat.com> References: <4E43E0AB.1000603@redhat.com> <4E43FD56.1030804@redhat.com> <4E440050.8080209@redhat.com> Message-ID: <4E493B30.5010507@redhat.com>

On 08/11/2011 06:16 PM, Endi Sukma Dewata wrote:
> On 8/11/2011 11:03 AM, Endi Sukma Dewata wrote:
>> Some issues:
>>
>> 1. I think by default all batch commands should use this feature. The
>> batch command is used for various purposes, not just for deletion.
>> Consider this scenario:
>>
>> First, find a way to log in simultaneously using different accounts. You
>> can use either multiple machines, accounts, or browsers, whichever is
>> the easiest.
>>
>> In the first session, log in as admin, create a test user, add it into
>> the admins group.
>>
>> Then in the second session, log in as the test user, then edit a sudo
>> rule. Modify the description and the enabled flag (this will be executed
>> as separate operations in a single batch). Don't click Update yet.
>>
>> Back to the first session, remove the test user from the admins group.
>> Then go back to the second session, click Update.
>>
>> Since the test user doesn't have admin rights anymore the operations
>> will fail. However, currently these failures are not reported and the
>> values simply revert back to the original. The error dialog should show
>> these errors.
>>
>> So in this case we don't really need the 'partial_success_notify' flag,
>> or it can be renamed into 'show_error' which should be true by default.

done

>> The 'retry' flag in IPA.command can be renamed to 'show_error' too.

Sending without this (not an essential part of this patch - not batch_command). But I agree it should probably be changed, to be consistent.

>>
>> 2. The 'partial_success_message' probably can be renamed into
>> 'error_message' which will say something like 'Some operations failed.'
done

>>
>> 3. Instead of a checkbox for show_errors_checkbox, it might be better to
>> use 'Show details' and 'Hide details' links.

done

>>
>> 4. In ipa.js:510 instead of repeating the error message the
>> error_thrown.name could say something like 'Batch Error' or 'Operations
>> Error'.

Used 'Operations Error' - batch is internal naming and probably confusing to the user.

>>
>> 5. The add_error() could be moved into IPA.error_dialog so the
>> IPA.batch_command doesn't need to hold the 'errors' list.

Left in batch_command for possible future use in custom handlers.

>>
>> 6. The list of errors should be displayed as a list (with bullets) like
>> in the deleter dialog.

done

> 7. Just for consistency, the Retry label declaration in ipa.js:737 could
> be moved into the if-statement like the other labels.
>

done

-- Petr Vobornik

-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-pvoborni-0004-1-error-dialog-for-batch-command.patch
Type: text/x-patch
Size: 12492 bytes
Desc: not available
URL:

From abokovoy at redhat.com Mon Aug 15 15:41:04 2011
From: abokovoy at redhat.com (Alexander Bokovoy) Date: Mon, 15 Aug 2011 18:41:04 +0300 Subject: [Freeipa-devel] [PATCH] 39 Fix internal error when removing the last PTR record from a DNS record entry. In-Reply-To: <4E4925A6.1010906@redhat.com> References: <4E4925A6.1010906@redhat.com> Message-ID: <4E493E10.2010607@redhat.com>

On 15.08.2011 16:56, Jan Cholasta wrote:
> https://fedorahosted.org/freeipa/ticket/1632

NACK.

I would rather see it fixed for all record types similarly. In order to do that, instead of fixing a callback for the PTR record it would be good to fix the pre_callback that calls it.

Patch attached.

-- / Alexander Bokovoy

-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: freeipa-abbra-0011-ticket-1362.patch
URL:

From pvoborni at redhat.com Mon Aug 15 15:44:40 2011
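The generic approach Alexander argues for in the PTR thread above (handle "remove these record values, and delete the entry once no record data is left" once, in the shared pre_callback, for every record type, rather than patching the PTR-specific callback), as an added example. This is illustrative code written for this page, not the attached freeipa-abbra-0011 patch or FreeIPA's dns.py; the attribute names in RECORD_ATTRS, the exception classes and the shape of the entry and removal dicts are assumptions:

```python
# Added example, not FreeIPA code: one generic "remove values of a DNS record
# attribute from an entry" routine used for every record type, so the
# "last record removed" case is handled in a single place instead of in a
# per-type callback. The attribute names follow the LDAP attributes IPA uses
# for DNS records (aRecord, pTRRecord, ...); the exact list is an assumption.

RECORD_ATTRS = frozenset((
    'arecord', 'aaaarecord', 'cnamerecord', 'mxrecord', 'nsrecord',
    'ptrrecord', 'srvrecord', 'txtrecord',
))


class RecordNotFound(Exception):
    """Requested value is not present on the entry (would map to NotFound in ipalib)."""


class BadRecordType(Exception):
    """Attribute is not a DNS record attribute this routine knows how to remove."""


def remove_record_values(entry, removals):
    """Compute the entry after removing the given record values.

    entry:    dict mapping lower-case LDAP attribute names to lists of values,
              e.g. {'idnsname': ['10'], 'ptrrecord': ['host.example.com.']}
    removals: dict mapping record attribute names to lists of values to remove.

    Returns (new_entry, delete_entry). delete_entry is True when no DNS record
    data remains, in which case the caller should delete the LDAP entry instead
    of issuing a modify that leaves an empty record object behind (the case
    that produced the internal error for the last PTR record).
    Raises RecordNotFound if any requested value is absent, so a typo in the
    value cannot silently become a no-op. The input entry is not mutated.
    """
    new_entry = {attr: list(values) for attr, values in entry.items()}

    for attr, values in removals.items():
        attr = attr.lower()
        if attr not in RECORD_ATTRS:
            raise BadRecordType(attr)
        current = new_entry.get(attr, [])
        for value in values:
            # Exact comparison; the caller is expected to have normalized DNS
            # name values (case, trailing dot) the same way on both sides.
            if value not in current:
                raise RecordNotFound('%s=%s' % (attr, value))
            current.remove(value)
        if current:
            new_entry[attr] = current
        else:
            # Removing the last value removes the attribute itself; a modify
            # that tries to set an empty value list is what breaks.
            new_entry.pop(attr, None)

    remaining = any(new_entry.get(attr) for attr in RECORD_ATTRS)
    return new_entry, not remaining
```

Because the record-type list is data rather than a chain of per-type callbacks, adding a new record type means adding a name to RECORD_ATTRS and nothing else, which is the property Alexander's NACK asks for.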
From: pvoborni at redhat.com (Petr Vobornik) Date: Mon, 15 Aug 2011 17:44:40 +0200 Subject: [Freeipa-devel] [PATCH] 242 Removed custom layout for password reset. In-Reply-To: <4E4414E9.5000108@redhat.com> References: <4E4414E9.5000108@redhat.com> Message-ID: <4E493EE8.7050602@redhat.com>

On 08/11/2011 07:44 PM, Endi Sukma Dewata wrote:
> The dialog box for resetting user password has been modified to use
> the standard layout.
>
> _______________________________________________
> Freeipa-devel mailing list
> Freeipa-devel at redhat.com
> https://www.redhat.com/mailman/listinfo/freeipa-devel

The patch is OK from a code and working perspective.

Does this patch have a ticket assigned? I don't know exactly what IPA's policy is for submitting patches without tickets in Trac (for future tracking).

-- Petr Vobornik

From dpal at redhat.com Mon Aug 15 16:01:21 2011
From: dpal at redhat.com (Dmitri Pal) Date: Mon, 15 Aug 2011 12:01:21 -0400 Subject: [Freeipa-devel] [PATCH] 242 Removed custom layout for password reset. In-Reply-To: <4E493EE8.7050602@redhat.com> References: <4E4414E9.5000108@redhat.com> <4E493EE8.7050602@redhat.com> Message-ID: <4E4942D1.7080403@redhat.com>

On 08/15/2011 11:44 AM, Petr Vobornik wrote:
> On 08/11/2011 07:44 PM, Endi Sukma Dewata wrote:
>> The dialog box for resetting user password has been modified to use
>> the standard layout.
>>
>> _______________________________________________
>> Freeipa-devel mailing list
>> Freeipa-devel at redhat.com
>> https://www.redhat.com/mailman/listinfo/freeipa-devel
> The patch is OK from a code and working perspective.
>
> Does this patch have a ticket assigned? I don't know exactly what IPA's
> policy is for submitting patches without tickets in Trac (for future
> tracking).
>

I would prefer to have a ticket.

-- Thank you, Dmitri Pal Sr. Engineering Manager IPA project, Red Hat Inc. ------------------------------- Looking to carve out IT costs? www.redhat.com/carveoutcosts/

From edewata at redhat.com Mon Aug 15 16:29:29 2011
From: edewata at redhat.com (Endi Sukma Dewata) Date: Mon, 15 Aug 2011 11:29:29 -0500 Subject: [Freeipa-devel] [PATCH] 242 Removed custom layout for password reset. In-Reply-To: <4E4942D1.7080403@redhat.com> References: <4E4414E9.5000108@redhat.com> <4E493EE8.7050602@redhat.com> <4E4942D1.7080403@redhat.com> Message-ID: <4E494969.5050308@redhat.com>

On 8/15/2011 11:01 AM, Dmitri Pal wrote:
>> The patch is OK from a code and working perspective.
>>
>> Does this patch have a ticket assigned? I don't know exactly what IPA's
>> policy is for submitting patches without tickets in Trac (for future
>> tracking).
>
> I would prefer to have a ticket.

OK, I'll open a ticket for this. Usually it's part of a clean-up process or needed for subsequent bug fixing.

-- Endi S. Dewata

From rcritten at redhat.com Mon Aug 15 17:25:30 2011
From: rcritten at redhat.com (Rob Crittenden) Date: Mon, 15 Aug 2011 13:25:30 -0400 Subject: [Freeipa-devel] [PATCH] preview of threading patch Message-ID: <4E49568A.5030307@redhat.com> According to the 389-ds team we should use pthread read-write locks for now to avoid a deadlock. I borrowed some nice wrapper code which supports both from slapi-nis. I expect that we'll change this to the slapi lock api once it is available. I'm still testing this code, sending patch out to confirm approach. rob -------------- next part -------------- A non-text attachment was scrubbed... Name: thread.patch Type: application/mbox Size: 13171 bytes Desc: not available URL: From edewata at redhat.com Mon Aug 15 17:49:33 2011 From: edewata at redhat.com (Endi Sukma Dewata) Date: Mon, 15 Aug 2011 12:49:33 -0500 Subject: [Freeipa-devel] [PATCH] 004 error dialog for batch command In-Reply-To: <4E493B30.5010507@redhat.com> References: <4E43E0AB.1000603@redhat.com> <4E43FD56.1030804@redhat.com> <4E440050.8080209@redhat.com> <4E493B30.5010507@redhat.com> Message-ID: <4E495C2D.7080402@redhat.com> On 8/15/2011 10:28 AM, Petr Vobornik wrote: > done ACK. Will push after release. -- Endi S. Dewata From dpal at redhat.com Mon Aug 15 18:14:31 2011 
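The failure mode Endi describes in the review of the batch error dialog (rights revoked between composing and submitting a batch, so every operation in it fails and the UI silently reverts the fields), as an added example of the server side recording a per-operation error instead of aborting, and of the client turning those errors into the text for the 'Operations Error' dialog. This is code written for this page, not FreeIPA's batch plugin or ipa.js; the command names, the 'error' / 'error_name' result keys, and the can_execute access check are assumptions for illustration:

```python
# Added example, not FreeIPA code: a minimal batch executor that records a
# per-operation error and keeps going, plus the client-side summary the review
# asks for. Command names, result keys and the access check are assumptions.


class ACIError(Exception):
    """Caller lacks the access right needed for the operation."""


class NotFound(Exception):
    """Target command or entry does not exist."""


def execute_batch(methods, commands, can_execute):
    """Run each method in order; never let one failure abort or hide the rest.

    methods:     list of {'method': name, 'params': kwargs} dicts, as a batch
                 RPC carries them.
    commands:    dict name -> callable implementing the command.
    can_execute: callable(name) -> bool, evaluated at execution time, so rights
                 revoked between composing and submitting the batch surface as
                 errors rather than as silently dropped changes.
    Returns {'count': n, 'results': [...]}; each result has either a 'result'
    or a non-None 'error' (plus 'error_name').
    """
    results = []
    for method in methods:
        name = method['method']
        params = method.get('params', {})
        entry = {'method': name, 'result': None, 'error': None, 'error_name': None}
        try:
            if name not in commands:
                raise NotFound('unknown command %r' % name)
            if not can_execute(name):
                raise ACIError('Insufficient access: %s' % name)
            entry['result'] = commands[name](**params)
        except Exception as exc:  # one failing operation must not mask the others
            entry['error'] = str(exc)
            entry['error_name'] = type(exc).__name__
        results.append(entry)
    return {'count': len(results), 'results': results}


def batch_errors(response):
    """Client side: (method, error) pairs for failed operations; empty means success."""
    return [(r['method'], r['error']) for r in response['results'] if r['error'] is not None]


def describe_failures(response):
    """Text for the error dialog: a summary line plus one bullet per failed operation."""
    errors = batch_errors(response)
    if not errors:
        return None
    lines = ['Some operations failed.']
    lines.extend('  * %s: %s' % (method, error) for method, error in errors)
    return '\n'.join(lines)


def demo_revoked_rights():
    """Constructed replay of the review scenario: a sudo rule edit (description
    plus enabled flag, two operations in one batch) composed while the user is
    in the admins group and executed after the membership was removed."""
    store = {'sudorule1': {'description': 'old', 'ipaenabledflag': True}}

    def sudorule_mod(cn, **attrs):
        store[cn].update(attrs)
        return dict(store[cn])

    def sudorule_disable(cn):
        store[cn]['ipaenabledflag'] = False
        return True

    commands = {'sudorule_mod': sudorule_mod, 'sudorule_disable': sudorule_disable}
    rights = {'sudorule_mod', 'sudorule_disable'}   # granted via the admins group
    batch = [
        {'method': 'sudorule_mod', 'params': {'cn': 'sudorule1', 'description': 'new'}},
        {'method': 'sudorule_disable', 'params': {'cn': 'sudorule1'}},
    ]
    rights.clear()                                  # user removed from admins group
    response = execute_batch(batch, commands, lambda name: name in rights)
    return response, store
```

The point of evaluating can_execute inside the loop is that a batch is not atomic: with a partially applied batch the client has to show which operations failed rather than the aggregate result, which is why the dialog lists them individually.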
From: dpal at redhat.com (Dmitri Pal) Date: Mon, 15 Aug 2011 14:14:31 -0400 Subject: [Freeipa-devel] [PATCH] 242 Removed custom layout for password reset. In-Reply-To: <4E494969.5050308@redhat.com> References: <4E4414E9.5000108@redhat.com> <4E493EE8.7050602@redhat.com> <4E4942D1.7080403@redhat.com> <4E494969.5050308@redhat.com> Message-ID: <4E496207.5040906@redhat.com>

On 08/15/2011 12:29 PM, Endi Sukma Dewata wrote:
> On 8/15/2011 11:01 AM, Dmitri Pal wrote:
>>> The patch is OK from a code and working perspective.
>>>
>>> Does this patch have a ticket assigned? I don't know exactly what IPA's
>>> policy is for submitting patches without tickets in Trac (for future
>>> tracking).
>>
>> I would prefer to have a ticket.
>
> OK, I'll open a ticket for this. Usually it's part of a clean-up
> process or needed for subsequent bug fixing.
>

Which means that there should be a ticket for the cleanup effort that encompasses several patches.

-- Thank you, Dmitri Pal Sr. Engineering Manager IPA project, Red Hat Inc. ------------------------------- Looking to carve out IT costs? www.redhat.com/carveoutcosts/

From rmeggins at redhat.com Mon Aug 15 18:28:13 2011
From: rmeggins at redhat.com (Rich Megginson) Date: Mon, 15 Aug 2011 12:28:13 -0600 Subject: [Freeipa-devel] [PATCH] preview of threading patch In-Reply-To: <4E49568A.5030307@redhat.com> References: <4E49568A.5030307@redhat.com> Message-ID: <4E49653D.5090701@redhat.com> On 08/15/2011 11:25 AM, Rob Crittenden wrote: > According to the 389-ds team we should use pthread read-write locks > for now to avoid a deadlock. I borrowed some nice wrapper code which > supports both from slapi-nis. I expect that we'll change this to the > slapi lock api once it is available. > > I'm still testing this code, sending patch out to confirm approach. I don't know if you want all of the stuff in wrap.c/.h - for example, the rpc include - but I suppose it does make it cleaner if you want to update this in the future directly from slapi-nis Also, you might want to add configure.ac tests to decide whether or not to use nspr threads/locks, pthread locks, and/or slapi_rwlocks. > > rob > > > _______________________________________________ > Freeipa-devel mailing list > Freeipa-devel at redhat.com > https://www.redhat.com/mailman/listinfo/freeipa-devel -------------- next part -------------- An HTML attachment was scrubbed... URL: From rcritten at redhat.com Mon Aug 15 18:39:39 2011 
From: rcritten at redhat.com (Rob Crittenden) Date: Mon, 15 Aug 2011 14:39:39 -0400 Subject: [Freeipa-devel] [PATCH] preview of threading patch In-Reply-To: <4E49568A.5030307@redhat.com> References: <4E49568A.5030307@redhat.com> Message-ID: <4E4967EB.2000503@redhat.com> Rob Crittenden wrote: > According to the 389-ds team we should use pthread read-write locks for > now to avoid a deadlock. I borrowed some nice wrapper code which > supports both from slapi-nis. I expect that we'll change this to the > slapi lock api once it is available. > > I'm still testing this code, sending patch out to confirm approach. > > rob Using wrap seems like overkill, here is a simpler solution. rob -------------- next part -------------- A non-text attachment was scrubbed... Name: thread-1.patch Type: application/mbox Size: 3506 bytes Desc: not available URL: From simo at redhat.com Mon Aug 15 18:43:35 2011 From: simo at redhat.com (Simo Sorce) Date: Mon, 15 Aug 2011 14:43:35 -0400 Subject: [Freeipa-devel] [PATCH] preview of threading patch In-Reply-To: <4E4967EB.2000503@redhat.com> References: <4E49568A.5030307@redhat.com> <4E4967EB.2000503@redhat.com> Message-ID: <1313433815.11512.145.camel@willson.li.ssimo.org> On Mon, 2011-08-15 at 14:39 -0400, Rob Crittenden wrote: > Rob Crittenden wrote: > > According to the 389-ds team we should use pthread read-write locks for > > now to avoid a deadlock. I borrowed some nice wrapper code which > > supports both from slapi-nis. I expect that we'll change this to the > > slapi lock api once it is available. > > > > I'm still testing this code, sending patch out to confirm approach. > > > > rob > > Using wrap seems like overkill, here is a simpler solution. Looks much simpler to digest, I prefer this one. Simo. -- Simo Sorce * Red Hat, Inc * New York From ayoung at redhat.com Mon Aug 15 19:13:36 2011 
From: ayoung at redhat.com (Adam Young) Date: Mon, 15 Aug 2011 15:13:36 -0400 Subject: [Freeipa-devel] testing pki-ca behind apache for ipa In-Reply-To: <1313424029.10402.32.camel@localhost.localdomain> References: <1313424029.10402.32.camel@localhost.localdomain> Message-ID: <4E496FE0.4040305@redhat.com>

Cross posting to the freeipa devel list, as I think this is where people are going to be most interested.

On 08/15/2011 12:00 PM, Ade Lee wrote:
> Adam,
>
> As you know, I have been testing putting a dogtag CA behind an apache
> instance - and using the standard ports to contact the CA. The basic
> idea is to let apache handle the client authentication required, and
> then to pass the relevant parameters to tomcat using AJP.
>
> What this means is there will be a dogtag.conf file placed
> under /etc/httpd/httpd.conf - and this file will contain Location
> elements with ProxyPass directives. Some of these (agent pages) will
> require client authentication, and some will not.
>
> I had run into an issue with my browser where when switching from
> non-client-auth to client-auth, renegotiations were being disallowed.
> This is, I strongly suspect, due to the fixes in NSS for the MITM issue,
> where "unsafe" legacy renegotiations will be disallowed. Attempts to
> pass the relevant environment parameters to NSS failed to alter this
> result. I'll continue to work with Rob on this.
>
> However, I believe that this problem will not affect the installation/
> interaction of IPA with dogtag. Why? Because the ipa-ra-plugin is
> using the latest NSS under the covers - which uses the new safe
> renegotiation protocol.
>
> My initial testing seems to indicate that this is in fact the case.
> However, as I have been pulled into fips issues, I was hoping you could
> continue the testing. Once we have a working setup, we can worry about
> the code changes to pkicreate/pkisilent to do most of the
> configuration.
>
> Here is what you need to do:
>
> 1. Install ipa with dogtag
> 2.
Stop the CA (service pki-cad stop pki-ca) > 3. Modify /etc/pki-ca/server.xml. You need to uncomment the ajp port, > and have it redirect for SSL to the EE port (9444) > 4. Modify the web.xml in /var/lib/pki-ca/webapps/ca/WEB-INF/web.xml to > turn off the filtering mechanism. You will see stanzas like the > following for ee, agent and admin ports. Make sure that active is set > to false for all. > > > AgentRequestFilter > com.netscape.cms.servlet.filter.AgentRequestFilter > > https_port > 9203 > > > active > false > > > 5. Place the attached dogtag.conf file into /etc/httpd/conf.d/ > 6. restart the ca. (service pki-cad start pki-ca) > > We are now ready to do some testing. > > 1. Modify the ipa-ra-plugin config to point to port 443 instead of 9443 > 2. Do your IPA cert tests and confirm that it works ok. > 3. Try installing a replica. Make sure to pass https://hostname:443 > That is - do not leave out the 443 part as the installation code will > not recognize 443 as a default port. Actually, now that I think about > it - there will be more changes needed in the Installation Panel code to > get all this to work. So I'll get to this when I can. > > Thanks, > > Ade > > > From rcritten at redhat.com Mon Aug 15 19:34:00 2011 From: rcritten at redhat.com (Rob Crittenden) Date: Mon, 15 Aug 2011 15:34:00 -0400 Subject: [Freeipa-devel] [PATCH] 39 Fix internal error when removing the last PTR record from a DNS record entry. In-Reply-To: <4E493E10.2010607@redhat.com> References: <4E4925A6.1010906@redhat.com> <4E493E10.2010607@redhat.com> Message-ID: <4E4974A8.7030505@redhat.com> Alexander Bokovoy wrote: > On 15.08.2011 16:56, Jan Cholasta wrote: >> https://fedorahosted.org/freeipa/ticket/1632 > NACK. > > I would rather see it fixed for all record types similarly. In order to > do that, instead of fixing a callback for PTR record it would be good to > fix pre_callback that calls it. > > Patch attached. ack, pushed to master From ayoung at redhat.com Tue Aug 16 01:57:52 2011 
From: ayoung at redhat.com (Adam Young) Date: Mon, 15 Aug 2011 21:57:52 -0400 Subject: [Freeipa-devel] Setting user password by default Message-ID: <4E49CEA0.8040904@redhat.com>

A user commented in IRC that the WebUI used to allow setting the default password when the user was added. While the simple use case of "Add and edit" makes it easy enough to do for a single user, adding users in bulk (Add and add another) gets annoying if you need to really do add and edit, then update the password, then go back to the list... etc.

Should the default password be on the add page?

The CLI use case can have the user prompted for it if they so desire. This means that, while it would be tough to do in bulk, doing one at a time is pretty straightforward.

I'm not sold. Does anyone want to chime in before I open a ticket?

From ayoung at redhat.com Tue Aug 16 02:10:05 2011
From: ayoung at redhat.com (Adam Young) Date: Mon, 15 Aug 2011 22:10:05 -0400 Subject: [Freeipa-devel] testing pki-ca behind apache for ipa In-Reply-To: <1313424029.10402.32.camel@localhost.localdomain> References: <1313424029.10402.32.camel@localhost.localdomain> Message-ID: <4E49D17D.5050906@redhat.com>

On 08/15/2011 12:00 PM, Ade Lee wrote:
> Adam,
>
> As you know, I have been testing putting a dogtag CA behind an apache
> instance - and using the standard ports to contact the CA. The basic
> idea is to let apache handle the client authentication required, and
> then to pass the relevant parameters to tomcat using AJP.
>
> What this means is there will be a dogtag.conf file placed
> under /etc/httpd/httpd.conf - and this file will contain Location
> elements with ProxyPass directives. Some of these (agent pages) will
> require client authentication, and some will not.
>
> I had run into an issue with my browser where when switching from
> non-client-auth to client-auth, renegotiations were being disallowed.
> This is, I strongly suspect, due to the fixes in NSS for the MITM issue,
> where "unsafe" legacy renegotiations will be disallowed. Attempts to
> pass the relevant environment parameters to NSS failed to alter this
> result. I'll continue to work with Rob on this.
>
> However, I believe that this problem will not affect the installation/
> interaction of IPA with dogtag. Why? Because the ipa-ra-plugin is
> using the latest NSS under the covers - which uses the new safe
> renegotiation protocol.
>
> My initial testing seems to indicate that this is in fact the case.
> However, as I have been pulled into fips issues, I was hoping you could
> continue the testing. Once we have a working setup, we can worry about
> the code changes to pkicreate/pkisilent to do most of the
> configuration.
>
> Here is what you need to do:
>
> 1. Install ipa with dogtag
> 2. Stop the CA (service pki-cad stop pki-ca)

service ipa stop

> 3. Modify /etc/pki-ca/server.xml.
You need to uncomment the ajp port, > and have it redirect for SSL to the EE port (9444) [root at f15server ~]# diff /etc/pki-ca/server.xml.orig /etc/pki-ca/server.xml 216a217 > > 4. Modify the web.xml in /var/lib/pki-ca/webapps/ca/WEB-INF/web.xml to > turn off the filtering mechanism. You will see stanzas like the > following for ee, agent and admin ports. Make sure that active is set > to false for all. > > > AgentRequestFilter > com.netscape.cms.servlet.filter.AgentRequestFilter > > https_port > 9203 > > > active > false > > [root at f15server WEB-INF]# git diff web.xml.orig web.xml diff --git a/web.xml.orig b/web.xml index 7f757bd..affa315 100644 --- a/web.xml.orig +++ b/web.xml @@ -12,7 +12,7 @@ active - true + false @@ -25,7 +25,7 @@ active - true + false @@ -42,7 +42,7 @@ active - true + false @@ -55,7 +55,7 @@ active - true + false > 5. Place the attached dogtag.conf file into /etc/httpd/conf.d/ mv ~/dogtag.conf /etc/httpd/conf.d/ > 6. restart the ca. (service pki-cad start pki-ca) service ipa start > > We are now ready to do some testing. > > 1. Modify the ipa-ra-plugin config to point to port 443 instead of 9443 diff /usr/lib/python2.7/site-packages/ipalib/constants.py.orig /usr/lib/python2.7/site-packages/ipalib/constants.py 140c140 < ('ca_agent_port', 9443), --- > ('ca_agent_port', 443), > 2. Do your IPA cert tests and confirm that it works ok. service ipa restart .... cannot connect to 'https://f15server.ayoung.boston.devel.redhat.com:443/ca/agent/ca/displayBySerial': '' From ayoung at redhat.com Tue Aug 16 02:50:05 2011 
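Review bot: the web.xml hunk sets active to false on all four request filters, which removes the CA's own check that agent, ee and admin requests arrived on their respective https_port; after that the only thing enforcing client-certificate authentication for /ca/agent is the Location block in dogtag.conf, so the procedure should say explicitly that the agent Location must carry a client-cert requirement (NSSVerifyClient require under mod_nss) and that the CA's direct 9443/9444 and AJP connectors are not reachable from other hosts, otherwise step 4 turns a proxy experiment into an agent interface that answers without client auth. Keeping the four-stanza change as a patch file rather than hand edits would also make it reproducible when pkicreate/pkisilent pick this up.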
From: ayoung at redhat.com (Adam Young) Date: Mon, 15 Aug 2011 22:50:05 -0400 Subject: [Freeipa-devel] testing pki-ca behind apache for ipa In-Reply-To: <4E49D17D.5050906@redhat.com> References: <1313424029.10402.32.camel@localhost.localdomain> <4E49D17D.5050906@redhat.com> Message-ID: <4E49DADD.2020107@redhat.com> Just to keep the lists informed: We found a couple more things out after that last posting: The suburl /ca/ee/ca/ works fine, so mod_proxy_ajp does work in some cases. Calling the CA from IPA does not work as we get the error: [Mon Aug 15 22:44:17 2011] [debug] nss_engine_kernel.c(418): Re-negotation request failed: returned error -12176 You can see this by making the changes to logging: diff /etc/httpd/conf.d/nss.conf.orig /etc/httpd/conf.d/nss.conf 95c95,96 < LogLevel warn --- > #LogLevel warn > LogLevel debug On 08/15/2011 10:10 PM, Adam Young wrote: > On 08/15/2011 12:00 PM, Ade Lee wrote: >> Adam, >> >> As you know, I have been testing putting a dogtag CA behind an apache >> instance - and using the standard ports to contact the CA. The basic >> idea is to let apache handle the client authentication required, and >> then to pass the relevant parameters to tomcat using AJP. >> >> What this means is there will be a dogtag.conf file placed >> under /etc/httpd/httpd.conf - and this file will contain Location >> elements with ProxyPass directives. Some of these (agent pages) will >> require client authentication, and some will not. >> >> I had run into an issue with my browser where when switching from >> non-client-auth to client-auth, renegotiations were being disallowed. >> This is, I strongly suspect due to the fixes in NSS for the MITM issue, >> where "unsafe" legacy renegotiations will be disallowed. Attempts to >> pass the relevant environment parameters to NSS failed to alter this >> result. I'll continue to work with Rob on this. >> >> However, I believe that this problem will not affect the installation/ >> interaction of IPA with dogtag. Why? 
Because the ipa-ra-plugin is >> using the latest NSS under the covers - which uses the new safe >> regotiation protocol. >> >> My initial testing seems to indicate that this is in fact the case. >> However, as I have been pulled into fips issues, I was hoping you could >> continue the testing. Once we have a working setup, we can worry about >> the code changes to pkicreate/pkisilent to do most of the >> configuration. >> >> Here is what you need to do: >> >> 1. Install ipa with dogtag >> 2. Stop the CA (service pki-cad stop pki-ca) > service ipa stop >> 3. Modify /etc/pki-ca/server.xml. You need to uncomment the ajp port, >> and have it redirect for SSL to the EE port (9444) > > [root at f15server ~]# diff /etc/pki-ca/server.xml.orig > /etc/pki-ca/server.xml > 216a217 > > > >> 4. Modify the web.xml in /var/lib/pki-ca/webapps/ca/WEB-INF/web.xml to >> turn off the filtering mechanism. You will see stanzas like the >> following for ee, agent and admin ports. Make sure that active is set >> to false for all. >> >> >> AgentRequestFilter >> com.netscape.cms.servlet.filter.AgentRequestFilter >> >> https_port >> 9203 >> >> >> active >> false >> >> > [root at f15server WEB-INF]# git diff web.xml.orig web.xml > diff --git a/web.xml.orig b/web.xml > index 7f757bd..affa315 100644 > --- a/web.xml.orig > +++ b/web.xml > @@ -12,7 +12,7 @@ > > > active > - true > + false > > > > @@ -25,7 +25,7 @@ > > > active > - true > + false > > > > @@ -42,7 +42,7 @@ > > > active > - true > + false 
> > > > @@ -55,7 +55,7 @@ > > > active > - true > + false > > > > > > >> 5. Place the attached dogtag.conf file into /etc/httpd/conf.d/ > mv ~/dogtag.conf /etc/httpd/conf.d/ > > >> 6. restart the ca. (service pki-cad start pki-ca) > service ipa start > >> >> We are now ready to do some testing. >> >> 1. Modify the ipa-ra-plugin config to point to port 443 instead of 9443 > diff /usr/lib/python2.7/site-packages/ipalib/constants.py.orig > /usr/lib/python2.7/site-packages/ipalib/constants.py > 140c140 > < ('ca_agent_port', 9443), > --- > > ('ca_agent_port', 443), > >> 2. Do your IPA cert tests and confirm that it works ok. > service ipa restart > > > .... > > cannot connect to > 'https://f15server.ayoung.boston.devel.redhat.com:443/ca/agent/ca/displayBySerial': > '' > > > > > > > > > _______________________________________________ > Freeipa-devel mailing list > Freeipa-devel at redhat.com > https://www.redhat.com/mailman/listinfo/freeipa-devel From mkosek at redhat.com Tue Aug 16 08:59:05 2011 
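The "safe renegotiation" Ade refers to upthread is RFC 5746: a peer that supports it signals so with a renegotiation_info extension in its hello messages, and an NSS client configured to require safe negotiation refuses to renegotiate with a server whose ServerHello lacks it. Whether the mod_nss front end advertises the extension is therefore the first thing to check when a renegotiation to client-certificate authentication is refused. The following is an added example, not FreeIPA or mod_nss code: a small Python parser that walks a TLS ServerHello record and reports whether the extension is present. The ServerHello bytes are constructed inside the script so it runs offline; in practice you would pass it the first record read from the socket after sending a ClientHello.

```python
"""Report whether a TLS ServerHello advertises RFC 5746 secure renegotiation.

Added example for this thread, not FreeIPA or mod_nss code.  The ServerHello
records are constructed below (build_server_hello) so the script runs offline;
in practice you would pass the first record read from the socket after
sending a ClientHello.
"""
import struct

HANDSHAKE = 0x16             # TLS record content type
SERVER_HELLO = 0x02          # handshake message type
RENEGOTIATION_INFO = 0xFF01  # extension type registered by RFC 5746


def parse_server_hello(record):
    """Parse a TLS record holding a ServerHello; return version, cipher and extensions."""
    if len(record) < 5 or record[0] != HANDSHAKE:
        raise ValueError("not a TLS handshake record")
    rec_len = struct.unpack("!H", record[3:5])[0]
    body = record[5:5 + rec_len]
    if len(body) != rec_len:
        raise ValueError("truncated record")
    if body[0] != SERVER_HELLO:
        raise ValueError("not a ServerHello")
    hs_len = int.from_bytes(body[1:4], "big")
    msg = body[4:4 + hs_len]
    if len(msg) != hs_len:
        raise ValueError("truncated handshake message")

    version = struct.unpack("!H", msg[0:2])[0]
    pos = 2 + 32                                    # skip server_random
    pos += 1 + msg[pos]                             # skip length-prefixed session_id
    cipher = struct.unpack("!H", msg[pos:pos + 2])[0]
    pos += 2 + 1                                    # cipher_suite, compression_method

    extensions = {}
    if pos < len(msg):                              # the extensions block is optional
        ext_len = struct.unpack("!H", msg[pos:pos + 2])[0]
        pos += 2
        end = pos + ext_len
        if end != len(msg):
            raise ValueError("extensions length does not match message")
        while pos + 4 <= end:
            etype, elen = struct.unpack("!HH", msg[pos:pos + 4])
            pos += 4
            if pos + elen > end:
                raise ValueError("extension runs past extensions block")
            extensions[etype] = msg[pos:pos + elen]
            pos += elen
        if pos != end:
            raise ValueError("trailing bytes in extensions block")
    return {"version": version, "cipher_suite": cipher, "extensions": extensions}


def supports_secure_renegotiation(record):
    """True only if renegotiation_info is present and well-formed for an initial handshake."""
    ext = parse_server_hello(record)["extensions"].get(RENEGOTIATION_INFO)
    if ext is None:
        return False                 # legacy server: a client requiring safe negotiation refuses it
    if ext != b"\x00":               # renegotiated_connection must be empty on a fresh connection
        raise ValueError("renegotiation_info carries data on an initial handshake")
    return True


def build_server_hello(extensions):
    """Construct a minimal TLS 1.2 ServerHello record (constructed sample input only)."""
    body = struct.pack("!H", 0x0303) + bytes(32) + b"\x00"   # version, zero random, empty session id
    body += struct.pack("!H", 0x009C) + b"\x00"              # TLS_RSA_WITH_AES_128_GCM_SHA256, null compression
    if extensions:
        ext_bytes = b"".join(struct.pack("!HH", t, len(v)) + v for t, v in extensions.items())
        body += struct.pack("!H", len(ext_bytes)) + ext_bytes
    handshake = bytes([SERVER_HELLO]) + len(body).to_bytes(3, "big") + body
    return bytes([HANDSHAKE]) + struct.pack("!HH", 0x0303, len(handshake)) + handshake


# Constructed samples: a server that advertises RFC 5746 and a legacy one that does not.
SAFE_HELLO = build_server_hello({RENEGOTIATION_INFO: b"\x00"})
LEGACY_HELLO = build_server_hello({})

if __name__ == "__main__":
    for label, rec in (("rfc5746 server", SAFE_HELLO), ("legacy server", LEGACY_HELLO)):
        print(label, "secure renegotiation:", supports_secure_renegotiation(rec))
```

A server that answers without the extension cannot be renegotiated safely, which is the situation a client with SSL_REQUIRE_SAFE_NEGOTIATION set rejects outright; a server that echoes a non-empty renegotiated_connection on a fresh connection is misbehaving and the parser rejects that too rather than treating it as "supported".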
From: mkosek at redhat.com (Martin Kosek) Date: Tue, 16 Aug 2011 10:59:05 +0200 Subject: [Freeipa-devel] [PATCH] 111 Let Bind track data changes In-Reply-To: <4E492B91.5080506@redhat.com> References: <1313410813.2633.28.camel@dhcp-25-52.brq.redhat.com> <4E492B91.5080506@redhat.com> Message-ID: <1313485147.2514.23.camel@dhcp-25-52.brq.redhat.com> On Mon, 2011-08-15 at 10:22 -0400, Dmitri Pal wrote: > On 08/15/2011 08:20 AM, Martin Kosek wrote: > > A new version of bind-dyndb-ldap has been released. Thanks to the new > > persistent search feature, the name server can immediately pull new DNS > > zones when they are created in IPA. > > > > Since the bind-dyndb-ldap plugin has not been released in F-15 yet, one > > has to use the provided src.rpm: > > > > http://mkosek.fedorapeople.org/bind-dyndb-ldap/srpm/bind-dyndb-ldap-0.2.0-5.fc17.src.rpm > > > > or rpms I built for x86_64 F-15: > > > > http://mkosek.fedorapeople.org/bind-dyndb-ldap/x86_64/ > > > > There is one setback though. When I investigated DNS persistent search > > behavior I still miss the ability to detect changes to the DNS zone > > itself. Adding a record (for example MX record) to the zone does not > > trigger an update of the zone in nameserver cache. We still have to wait > > for cache timeout (argument "cache_ttl"). We cannot therefore use this > > feature as a solution of: > > > > https://fedorahosted.org/freeipa/ticket/1114 > > https://fedorahosted.org/freeipa/ticket/1125 > > https://fedorahosted.org/freeipa/ticket/1126 > > So what are our options here? I see we have the following options here: 1) Consult this with AdamT and let him enhance bind-dyndb-ldap to track not only add/modification operations with DNS zone (for example modifying SOA record of example.com - this works), but also adding of a new DNS record to the zone (a new MX record in example.com) or even to regular DNS records (A record foo.example.com). 
When I spoke with Adam last week (for the following 2 weeks he is on PTO) he said it is doable but has a potential of creating bugs in the plugin so he implemented just the first part that we see. 2) Let the user adjust the "cache_ttl" parameter. This bind-dyndb-ldap parameter sets the validity of the internal DNS record cache. When a DNS record is changed/updated, the user can get the updated value after $cache_ttl seconds. This is the same for updating DNS records in the zone (MX of example.com) and updating regular DNS records (A record of foo.example.com). The user can set it to a value that reflects his needs for the speed of propagation of DNS record updates and requirements on DNS performance. We just have to make sure that this behavior is clearly explained in our documentation. Martin From mkosek at redhat.com Tue Aug 16 09:01:54 2011 
From: mkosek at redhat.com (Martin Kosek) Date: Tue, 16 Aug 2011 11:01:54 +0200 Subject: [Freeipa-devel] [PATCH] 111 Let Bind track data changes In-Reply-To: <1313418962.11512.140.camel@willson.li.ssimo.org> References: <1313410813.2633.28.camel@dhcp-25-52.brq.redhat.com> <1313418962.11512.140.camel@willson.li.ssimo.org> Message-ID: <1313485316.2514.26.camel@dhcp-25-52.brq.redhat.com> On Mon, 2011-08-15 at 10:36 -0400, Simo Sorce wrote: > On Mon, 2011-08-15 at 14:20 +0200, Martin Kosek wrote: > > A new version of bind-dyndb-ldap has been released. Thanks to the new > > persistent search feature, the name server can immediately pull new DNS > > zones when they are created in IPA. > > > > Since the bind-dyndb-ldap plugin has not been released in F-15 yet, one > > has to use the provided src.rpm: > > > > http://mkosek.fedorapeople.org/bind-dyndb-ldap/srpm/bind-dyndb-ldap-0.2.0-5.fc17.src.rpm > > > > or rpms I built for x86_64 F-15: > > > > http://mkosek.fedorapeople.org/bind-dyndb-ldap/x86_64/ > > > > There is one setback though. When I investigated DNS persistent search > > behavior I still miss the ability to detect changes to the DNS zone > > itself. Adding a record (for example MX record) to the zone does not > > trigger an update of the zone in nameserver cache. We still have to wait > > for cache timeout (argument "cache_ttl"). We cannot therefore use this > > feature as a solution of: > > > > https://fedorahosted.org/freeipa/ticket/1114 > > https://fedorahosted.org/freeipa/ticket/1125 > > https://fedorahosted.org/freeipa/ticket/1126 > > Is this a bug/deficiency of the plugin ? Or is it something that depends > on named internals somehow ? > > Simo. > I don't see it as a bug in bind-dyndb-plugin, this behavior is just not implemented (yet). Right now, we can only recommend tuning cache_ttl parameter for users reporting tickets 1114, 1125, and 1126. You can check my mail to Dmitri for more details. Martin From jgalipea at redhat.com Tue Aug 16 12:55:18 2011 
From: jgalipea at redhat.com (Jenny Galipeau) Date: Tue, 16 Aug 2011 08:55:18 -0400 (EDT) Subject: [Freeipa-devel] Setting user password by default In-Reply-To: <4E49CEA0.8040904@redhat.com> Message-ID: <1163959253.196166.1313499318883.JavaMail.root@zmail05.collab.prod.int.phx2.redhat.com> ----- Original Message ----- > A user commented in IRC that the WebUI used to allow setting the > default > password when the user was added. > > WHile the simple use cae of "Add and edit" makes it easy enough to do > for a single user, adding users in bulk (Add and add another) gets > annoying if you need to really do add and edit, then update the > password, then got back to the list...etc. > > Should default password be on the add page? > > The CLI use case can have the user prompted for it if they so desire. > This means that, while it would be tough to do in bulk, doing one at a > time is pretty straightforward. > > I'm not sold. Does anyone want to chime in before I open a ticket.? I'm sold ... just like Active Directory when you add a user, you set the initial password ..... > > > > _______________________________________________ > Freeipa-devel mailing list > Freeipa-devel at redhat.com > https://www.redhat.com/mailman/listinfo/freeipa-devel -- Looking to carve out IT costs? www.redhat.com/carveoutcosts/ Jenny Galipeau Principal Software QA Engineer Red Hat, Inc. Security Engineering From mkosek at redhat.com Tue Aug 16 14:25:43 2011 
From: mkosek at redhat.com (Martin Kosek) Date: Tue, 16 Aug 2011 16:25:43 +0200 Subject: [Freeipa-devel] [PATCH] 112 Fix automountlocation-import conflicts Message-ID: <1313504745.2514.33.camel@dhcp-25-52.brq.redhat.com> Do not fail import operation with DuplicateEntry when imported maps/keys conflict with maps/keys pre-created by automountlocation-add command. Currently, this applies for map 'auto.direct' and key '/-'. https://fedorahosted.org/freeipa/ticket/1551 -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-mkosek-112-fix-automountlocation-import-conflicts.patch Type: text/x-patch Size: 2859 bytes Desc: not available URL: From simo at redhat.com Tue Aug 16 17:19:17 2011 
From: simo at redhat.com (Simo Sorce) Date: Tue, 16 Aug 2011 13:19:17 -0400 Subject: [Freeipa-devel] Setting user password by default In-Reply-To: <1163959253.196166.1313499318883.JavaMail.root@zmail05.collab.prod.int.phx2.redhat.com> References: <1163959253.196166.1313499318883.JavaMail.root@zmail05.collab.prod.int.phx2.redhat.com> Message-ID: <1313515157.11512.154.camel@willson.li.ssimo.org> On Tue, 2011-08-16 at 08:55 -0400, Jenny Galipeau wrote: > > ----- Original Message ----- > > A user commented in IRC that the WebUI used to allow setting the > > default > > password when the user was added. > > > > WHile the simple use cae of "Add and edit" makes it easy enough to do > > for a single user, adding users in bulk (Add and add another) gets > > annoying if you need to really do add and edit, then update the > > password, then got back to the list...etc. > > > > Should default password be on the add page? > > > > The CLI use case can have the user prompted for it if they so desire. > > This means that, while it would be tough to do in bulk, doing one at a > > time is pretty straightforward. > > > > I'm not sold. Does anyone want to chime in before I open a ticket.? > > > I'm sold ... just like Active Directory when you add a user, you set the initial password ..... I am ok as long as we do not adopt the same braindead behavior of AD UI :-) A few years ago while experimenting with the dirsync control I found they will create the user and set the password in 2 steps and if the password fails to met complexity criteria they will "rollback" and will delete the user just created and return you an error in the UI. You will not see all this so if you retry 5/10 times to create a user and every time you select a too weak password you end up creating/deleting in a rapid cycle 5/10 times the same user (burning SIDs and causing replications for nothing in the process). Simo. -- Simo Sorce * Red Hat, Inc * New York From jcholast at redhat.com Tue Aug 16 17:40:45 2011 
From: jcholast at redhat.com (Jan Cholasta) Date: Tue, 16 Aug 2011 19:40:45 +0200 Subject: [Freeipa-devel] [PATCH] 40 Add option to ipa-server-install to disable the automatic redirect to the Web UI Message-ID: <4E4AAB9D.60908@redhat.com> https://fedorahosted.org/freeipa/ticket/1570 The help message might need some tweaking. Honza -- Jan Cholasta -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-jcholast-40-no-redirect-option.patch Type: text/x-patch Size: 4775 bytes Desc: not available URL: From edewata at redhat.com Tue Aug 16 21:13:42 2011 From: edewata at redhat.com (Endi Sukma Dewata) Date: Tue, 16 Aug 2011 16:13:42 -0500 Subject: [Freeipa-devel] [PATCH] 242 Removed custom layout for password reset. In-Reply-To: <4E493EE8.7050602@redhat.com> References: <4E4414E9.5000108@redhat.com> <4E493EE8.7050602@redhat.com> Message-ID: <4E4ADD86.9040105@redhat.com> On 8/15/2011 10:44 AM, Petr Vobornik wrote: > On 08/11/2011 07:44 PM, Endi Sukma Dewata wrote: >> The dialog box for resetting user password has been modified to use >> the standard layout. > patch from code and working perspective is OK. > Has this patch assigned some ticket? Don't know exactly what is IPA's > policy for submitting patches without tickets in Trac (for future > tracking). I attached the patch into this ticket: https://fedorahosted.org/freeipa/ticket/1641 We'll push it when we start working on 3.0 stuff. -- Endi S. Dewata From edewata at redhat.com Tue Aug 16 21:20:57 2011 
From: edewata at redhat.com (Endi Sukma Dewata) Date: Tue, 16 Aug 2011 16:20:57 -0500 Subject: [Freeipa-devel] [PATCH] 246 Fixed browser configuration pages Message-ID: <4E4ADF39.7060101@redhat.com> The browser configuration pages have been modified to improve the content and appearance. Ticket #1624 -- Endi S. Dewata -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-edewata-0246-Fixed-browser-configuration-pages.patch Type: text/x-patch Size: 6860 bytes Desc: not available URL: From ayoung at redhat.com Tue Aug 16 21:45:01 2011 From: ayoung at redhat.com (Adam Young) Date: Tue, 16 Aug 2011 17:45:01 -0400 Subject: [Freeipa-devel] testing pki-ca behind apache for ipa In-Reply-To: <4E49DADD.2020107@redhat.com> References: <1313424029.10402.32.camel@localhost.localdomain> <4E49D17D.5050906@redhat.com> <4E49DADD.2020107@redhat.com> Message-ID: <4E4AE4DD.5010207@redhat.com> Success with these additional changes: [root at ipa-server-3 python2.7]# diff /etc/httpd/conf.d/nss.conf.orig /etc/httpd/conf.d/nss.conf 74c74 < NSSRenegotiation off --- > NSSRenegotiation on [root at ipa-server-3 python2.7]# diff -u ./site-packages/ipapython/nsslib.py.orig ./site-packages/ipapython/nsslib.py --- ./site-packages/ipapython/nsslib.py.orig 2011-08-16 17:19:53.000000000 -0400 +++ ./site-packages/ipapython/nsslib.py 2011-08-16 17:35:17.000000000 -0400 
@@ -213,7 +213,10 @@ self.sock = ssl.SSLSocket(family=self.family) self.sock.set_ssl_option(ssl.SSL_SECURITY, True) self.sock.set_ssl_option(ssl.SSL_HANDSHAKE_AS_CLIENT, True) - + #ssl.define SSL_REQUIRE_SAFE_NEGOTIATION 21 + self.sock.set_ssl_option(21, False) + #ssl.h define SSL_ENABLE_RENEGOTIATION 20 + self.sock.set_ssl_option(20, 2) # Provide a callback which notifies us when the SSL handshake is complete self.sock.set_handshake_callback(self.handshake_callback) On 08/15/2011 10:50 PM, Adam Young wrote: > Just to keep the lists informed: > > We found a couple more things out after that last posting: > > The suburl /ca/ee/ca/ works fine, so mod_proxcy_ajp does work in > some cases. > > Calling the CA from IPA does not work as we get the error: > > [Mon Aug 15 22:44:17 2011] [debug] nss_engine_kernel.c(418): > Re-negotation request failed: returned error -12176 > > You can see this by making the changes to logging: > > diff /etc/httpd/conf.d/nss.conf.orig /etc/httpd/conf.d/nss.conf > 95c95,96 > < LogLevel warn > --- > > #LogLevel warn > > LogLevel debug > > > > On 08/15/2011 10:10 PM, Adam Young wrote: >> On 08/15/2011 12:00 PM, Ade Lee wrote: >>> Adam, >>> >>> As you know, I have been testing putting a dogtag CA behind an apache >>> instance - and using the standard ports to contact the CA. The basic >>> idea is to let apache handle the client authentication required, and >>> then to pass the relevant parameters to tomcat using AJP. >>> >>> What this means is there will be a dogtag.conf file placed >>> under /etc/httpd/httpd.conf - and this file will contain Location >>> elements with ProxyPass directives. Some of these (agent pages) will >>> require client authentication, and some will not. >>> >>> I had run into an issue with my browser where when switching from >>> non-client-auth to client-auth, renegotiations were being disallowed. 
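Review bot: the nsslib.py hunk drives set_ssl_option with the raw numbers 21 and 20 and the bare value 2, with only comments to say they stand for SSL_REQUIRE_SAFE_NEGOTIATION and SSL_ENABLE_RENEGOTIATION; give them module-level named constants (or the names python-nss exports, if the build in use has them) and add a comment stating which SSL_RENEGOTIATE_* value 2 selects, because the difference between renegotiating only with a peer that sent the safe-renegotiation extension and renegotiating unconditionally is exactly the MITM issue Ade mentions upthread. Setting SSL_REQUIRE_SAFE_NEGOTIATION to False also lets the client complete an initial handshake with a server that never advertised safe renegotiation, so the change belongs on the CA connection only, with a comment on why, rather than on every NSSConnection; the matching NSSRenegotiation on in nss.conf should likewise be scoped to the dogtag virtual host or Location rather than left global.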
>>> This is, I strongly suspect due to the fixes in NSS for the MITM issue, >>> where "unsafe" legacy renegotiations will be disallowed. Attempts to >>> pass the relevant environment parameters to NSS failed to alter this >>> result. I'll continue to work with Rob on this. >>> >>> However, I believe that this problem will not affect the installation/ >>> interaction of IPA with dogtag. Why? Because the ipa-ra-plugin is >>> using the latest NSS under the covers - which uses the new safe >>> regotiation protocol. >>> >>> My initial testing seems to indicate that this is in fact the case. >>> However, as I have been pulled into fips issues, I was hoping you could >>> continue the testing. Once we have a working setup, we can worry about >>> the code changes to pkicreate/pkisilent to do most of the >>> configuration. >>> >>> Here is what you need to do: >>> >>> 1. Install ipa with dogtag >>> 2. Stop the CA (service pki-cad stop pki-ca) >> service ipa stop >>> 3. Modify /etc/pki-ca/server.xml. You need to uncomment the ajp port, >>> and have it redirect for SSL to the EE port (9444) >> >> [root at f15server ~]# diff /etc/pki-ca/server.xml.orig >> /etc/pki-ca/server.xml >> 216a217 >> > >> >>> 4. Modify the web.xml in /var/lib/pki-ca/webapps/ca/WEB-INF/web.xml to >>> turn off the filtering mechanism. You will see stanzas like the >>> following for ee, agent and admin ports. Make sure that active is set >>> to false for all. >>> >>> >>> AgentRequestFilter >>> com.netscape.cms.servlet.filter.AgentRequestFilter >>> >>> >>> https_port >>> 9203 >>> >>> >>> active >>> false >>> >>> >> [root at f15server WEB-INF]# git diff web.xml.orig web.xml >> diff --git a/web.xml.orig b/web.xml >> index 7f757bd..affa315 100644 >> --- a/web.xml.orig >> +++ b/web.xml >> @@ -12,7 +12,7 @@ >> >> >> active >> - true >> + false >> >> >> >> @@ -25,7 +25,7 @@ >> >> >> active >> - true >> + false >> >> >> >> @@ -42,7 +42,7 @@ >> >> >> active >> - true >> + false 
>> >> >> >> @@ -55,7 +55,7 @@ >> >> >> active >> - true >> + false >> >> >> >> >> >> >>> 5. Place the attached dogtag.conf file into /etc/httpd/conf.d/ >> mv ~/dogtag.conf /etc/httpd/conf.d/ >> >> >>> 6. restart the ca. (service pki-cad start pki-ca) >> service ipa start >> >>> >>> We are now ready to do some testing. >>> >>> 1. Modify the ipa-ra-plugin config to point to port 443 instead of 9443 >> diff /usr/lib/python2.7/site-packages/ipalib/constants.py.orig >> /usr/lib/python2.7/site-packages/ipalib/constants.py >> 140c140 >> < ('ca_agent_port', 9443), >> --- >> > ('ca_agent_port', 443), >> >>> 2. Do your IPA cert tests and confirm that it works ok. >> service ipa restart >> >> >> .... >> >> cannot connect to >> 'https://f15server.ayoung.boston.devel.redhat.com:443/ca/agent/ca/displayBySerial': >> '' >> >> >> >> >> >> >> >> >> _______________________________________________ >> Freeipa-devel mailing list >> Freeipa-devel at redhat.com >> https://www.redhat.com/mailman/listinfo/freeipa-devel > > _______________________________________________ > Freeipa-devel mailing list > Freeipa-devel at redhat.com > https://www.redhat.com/mailman/listinfo/freeipa-devel From edewata at redhat.com Tue Aug 16 21:49:32 2011 From: edewata at redhat.com (Endi Sukma Dewata) Date: Tue, 16 Aug 2011 16:49:32 -0500 Subject: [Freeipa-devel] [PATCH] 247 Hide activation/deactivation link from regular users. Message-ID: <4E4AE5EC.1080305@redhat.com> The IPA.user_status_widget has been modified to show/hide the link for activating/deactivating users according to the attributelevelrights. Ticket #1625 -- Endi S. Dewata -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-edewata-0247-Hide-activation-deactivation-link-from-regular-users.patch Type: text/x-patch Size: 1669 bytes Desc: not available URL: From simo at redhat.com Tue Aug 16 22:29:28 2011 
From: simo at redhat.com (Simo Sorce) Date: Tue, 16 Aug 2011 18:29:28 -0400 Subject: [Freeipa-devel] [Freeipa-users] Extending Schema, CLI and Web UI for use with Samba 3 (groups!) In-Reply-To: <4E4AE8AC.4040209@redhat.com> References: <4E4AC9FB.9050602@pet.ubc.ca> <4E4AD830.7070005@redhat.com> <1313529082.11512.179.camel@willson.li.ssimo.org> <4E4AE8AC.4040209@redhat.com> Message-ID: <1313533768.11512.181.camel@willson.li.ssimo.org> Moved to -devel, On Tue, 2011-08-16 at 18:01 -0400, Dmitri Pal wrote: > On 08/16/2011 05:11 PM, Simo Sorce wrote: > > On Tue, 2011-08-16 at 16:50 -0400, Dmitri Pal wrote: > >> Should we open a ticket and have a way to just turn this integration > >> on? > >> Something like ipa-server-install install flag --samba-integration. > >> Then > >> it will translate into enabling all of the above at the install time > >> or > >> after. > >> > > It may conflict with the adtrust work if not done right, so I would > > prefer to do this as part of the 3.0-Trust work. > > > > Simo. > > > I am not suggesting to do it earlier. Can you please create a ticket to > track it as a part of the trust effort? The necessary steps should already be performed by ipa-adtrust-install, do we need an additional option to ipa-server-install? Simo. -- Simo Sorce * Red Hat, Inc * New York From dpal at redhat.com Tue Aug 16 22:52:54 2011 
From: dpal at redhat.com (Dmitri Pal) Date: Tue, 16 Aug 2011 18:52:54 -0400 Subject: [Freeipa-devel] [Freeipa-users] Extending Schema, CLI and Web UI for use with Samba 3 (groups!) In-Reply-To: <1313533768.11512.181.camel@willson.li.ssimo.org> References: <4E4AC9FB.9050602@pet.ubc.ca> <4E4AD830.7070005@redhat.com> <1313529082.11512.179.camel@willson.li.ssimo.org> <4E4AE8AC.4040209@redhat.com> <1313533768.11512.181.camel@willson.li.ssimo.org> Message-ID: <4E4AF4C6.7050907@redhat.com> On 08/16/2011 06:29 PM, Simo Sorce wrote: > Moved to -devel, > > On Tue, 2011-08-16 at 18:01 -0400, Dmitri Pal wrote: >> On 08/16/2011 05:11 PM, Simo Sorce wrote: >>> On Tue, 2011-08-16 at 16:50 -0400, Dmitri Pal wrote: >>>> Should we open a ticket and have a way to just turn this integration >>>> on? >>>> Something like ipa-server-install install flag --samba-integration. >>>> Then >>>> it will translate into enabling all of the above at the install time >>>> or >>>> after. >>>> >>> It may conflict with the adtrust work if not done right, so I would >>> prefer to do this as part of the 3.0-Trust work. >>> >>> Simo. >>> >> I am not suggesting to do it earlier. Can you please create a ticket to >> track it as a part of the trust effort? > The necessary steps should already be performed by ipa-datrust-install, > do we need an additional option to ipa-server-install ? > > Simo. > No, it should be clear that there is a way to enable samba attributes without actually using/establishing the trusts. -- Thank you, Dmitri Pal Sr. Engineering Manager IPA project, Red Hat Inc. ------------------------------- Looking to carve out IT costs? www.redhat.com/carveoutcosts/ From simo at redhat.com Wed Aug 17 02:42:50 2011 
From: simo at redhat.com (Simo Sorce) Date: Tue, 16 Aug 2011 22:42:50 -0400 Subject: [Freeipa-devel] [Freeipa-users] Extending Schema, CLI and Web UI for use with Samba 3 (groups!) In-Reply-To: <4E4AF4C6.7050907@redhat.com> References: <4E4AC9FB.9050602@pet.ubc.ca> <4E4AD830.7070005@redhat.com> <1313529082.11512.179.camel@willson.li.ssimo.org> <4E4AE8AC.4040209@redhat.com> <1313533768.11512.181.camel@willson.li.ssimo.org> <4E4AF4C6.7050907@redhat.com> Message-ID: <1313548970.11512.183.camel@willson.li.ssimo.org> On Tue, 2011-08-16 at 18:52 -0400, Dmitri Pal wrote: > On 08/16/2011 06:29 PM, Simo Sorce wrote: > > Moved to -devel, > > > > On Tue, 2011-08-16 at 18:01 -0400, Dmitri Pal wrote: > >> On 08/16/2011 05:11 PM, Simo Sorce wrote: > >>> On Tue, 2011-08-16 at 16:50 -0400, Dmitri Pal wrote: > >>>> Should we open a ticket and have a way to just turn this integration > >>>> on? > >>>> Something like ipa-server-install install flag --samba-integration. > >>>> Then > >>>> it will translate into enabling all of the above at the install time > >>>> or > >>>> after. > >>>> > >>> It may conflict with the adtrust work if not done right, so I would > >>> prefer to do this as part of the 3.0-Trust work. > >>> > >>> Simo. > >>> > >> I am not suggesting to do it earlier. Can you please create a ticket to > >> track it as a part of the trust effort? > > The necessary steps should already be performed by ipa-adtrust-install, > > do we need an additional option to ipa-server-install ? > > > > Simo. > > > No, it should be clear that there is a way to enable samba attributes > without actually using/establishing the trusts. ipa-adtrust-install does not establish trusts, it merely prepares the IPA tree to handle them including setting up a specially configured samba. The problem I see is that if we allow --samba-integration and then we stomp over it when doing ipa-adtrust-install people will not be really happy ... Simo. 
-- Simo Sorce * Red Hat, Inc * New York From adam at younglogic.com Wed Aug 17 02:57:00 2011 From: adam at younglogic.com (Adam Young) Date: Tue, 16 Aug 2011 22:57:00 -0400 Subject: [Freeipa-devel] Can't install on F16 due to dependency issues Message-ID: <4E4B2DFC.9000709@younglogic.com> Getting started on F16 Development. --> Finished Dependency Resolution Error: Package: certmonger-0.45-0.20110811T1730Zgit77ca985.fc16.x86_64 (ipa-devel) Requires: libtevent.so.0(TEVENT_0.9.9)(64bit) Error: Package: 389-ds-base-1.2.9.0-1.fc16.2.x86_64 (fedora) Requires: libnetsnmpmibs.so.25()(64bit) Error: Package: 389-ds-base-1.2.9.0-1.fc16.2.x86_64 (fedora) Requires: libnetsnmp.so.25()(64bit) Error: Package: 389-ds-base-1.2.9.0-1.fc16.2.x86_64 (fedora) Requires: libnetsnmpagent.so.25()(64bit) You could try using --skip-broken to work around the problem You could try running: rpm -Va --nofiles --nodigest I suspect that in all these cases the rpm should require >= not =. I had a similar problem with pki, but ended up installing a local build that bumped the release number up to 11. Cuz 10 wasn't quite loud enough. The version in the So, I have dependency issues. Acceptance is the first step. From ayoung at redhat.com Wed Aug 17 03:17:15 2011 
From: ayoung at redhat.com (Adam Young) Date: Tue, 16 Aug 2011 23:17:15 -0400 Subject: [Freeipa-devel] Can't install on F16 due to dependency issues In-Reply-To: <4E4B2DFC.9000709@younglogic.com> References: <4E4B2DFC.9000709@younglogic.com> Message-ID: <4E4B32BB.7040407@redhat.com> On 08/16/2011 10:57 PM, Adam Young wrote: > Getting started on F16 Development. > > > --> Finished Dependency Resolution > Error: Package: certmonger-0.45-0.20110811T1730Zgit77ca985.fc16.x86_64 > (ipa-devel) > Requires: libtevent.so.0(TEVENT_0.9.9)(64bit) > Error: Package: 389-ds-base-1.2.9.0-1.fc16.2.x86_64 (fedora) > Requires: libnetsnmpmibs.so.25()(64bit) > Error: Package: 389-ds-base-1.2.9.0-1.fc16.2.x86_64 (fedora) > Requires: libnetsnmp.so.25()(64bit) > Error: Package: 389-ds-base-1.2.9.0-1.fc16.2.x86_64 (fedora) > Requires: libnetsnmpagent.so.25()(64bit) > You could try using --skip-broken to work around the problem > You could try running: rpm -Va --nofiles --nodigest > > > I suspect that in all these case the rpm should require >= not =. > > I had a similar problem with pki, but ended up installing a local > build that bumped the release number up to 11. Cuz 10 wasn't quite > loud enough. The version in the Sorry, I didn't complete this line. The version in the yum repo is : pki-ca-9.0.7-1.fc16.noarch.rpm Freeipa requires Requires: pki-ca >= 9.0.11 Requires: pki-silent >= 9.0.11 Requires: pki-ca >= 9.0.5 Requires: pki-silent >= 9.0.5 > > > So, I have dependency issues. Acceptance is the first step. > > _______________________________________________ > Freeipa-devel mailing list > Freeipa-devel at redhat.com > https://www.redhat.com/mailman/listinfo/freeipa-devel From mkosek at redhat.com Wed Aug 17 07:01:42 2011 
From: mkosek at redhat.com (Martin Kosek) Date: Wed, 17 Aug 2011 09:01:42 +0200 Subject: [Freeipa-devel] Can't install on F16 due to dependency issues In-Reply-To: <4E4B32BB.7040407@redhat.com> References: <4E4B2DFC.9000709@younglogic.com> <4E4B32BB.7040407@redhat.com> Message-ID: <1313564504.21773.0.camel@dhcp-25-52.brq.redhat.com> On Tue, 2011-08-16 at 23:17 -0400, Adam Young wrote: > On 08/16/2011 10:57 PM, Adam Young wrote: > > Getting started on F16 Development. > > > > > > --> Finished Dependency Resolution > > Error: Package: certmonger-0.45-0.20110811T1730Zgit77ca985.fc16.x86_64 > > (ipa-devel) > > Requires: libtevent.so.0(TEVENT_0.9.9)(64bit) > > Error: Package: 389-ds-base-1.2.9.0-1.fc16.2.x86_64 (fedora) > > Requires: libnetsnmpmibs.so.25()(64bit) > > Error: Package: 389-ds-base-1.2.9.0-1.fc16.2.x86_64 (fedora) > > Requires: libnetsnmp.so.25()(64bit) > > Error: Package: 389-ds-base-1.2.9.0-1.fc16.2.x86_64 (fedora) > > Requires: libnetsnmpagent.so.25()(64bit) > > You could try using --skip-broken to work around the problem > > You could try running: rpm -Va --nofiles --nodigest > > > > > > I suspect that in all these case the rpm should require >= not =. > > > > I had a similar problem with pki, but ended up installing a local > > build that bumped the release number up to 11. Cuz 10 wasn't quite > > loud enough. The version in the > Sorry, I didn't complete this line. The version in the yum repo is : > pki-ca-9.0.7-1.fc16.noarch.rpm > > Freeipa requires > Requires: pki-ca >= 9.0.11 > Requires: pki-silent >= 9.0.11 > Requires: pki-ca >= 9.0.5 > Requires: pki-silent >= 9.0.5 > > > > > > > So, I have dependency issues. Acceptance is the first step. > > Ok, it seems that the latest fixes to spec Requires caused this problem. I have created a ticket to fix this: https://fedorahosted.org/freeipa/ticket/1651 Martin From pvoborni at redhat.com Wed Aug 17 07:57:22 2011 
From: pvoborni at redhat.com (Petr Vobornik)
Date: Wed, 17 Aug 2011 09:57:22 +0200
Subject: [Freeipa-devel] [PATCH] 247 Hide activation/deactivation link from regular users.
In-Reply-To: <4E4AE5EC.1080305@redhat.com>
References: <4E4AE5EC.1080305@redhat.com>
Message-ID: <4E4B7462.20807@redhat.com>

On 08/16/2011 11:49 PM, Endi Sukma Dewata wrote:
> The IPA.user_status_widget has been modified to show/hide the link for
> activating/deactivating users according to the attributelevelrights.
>
> Ticket #1625
>

ACK

--
Petr Vobornik

From mkosek at redhat.com Wed Aug 17 08:16:20 2011
From: mkosek at redhat.com (Martin Kosek)
Date: Wed, 17 Aug 2011 10:16:20 +0200
Subject: [Freeipa-devel] [PATCH] 113 Add missing attribute labels for sudorule
Message-ID: <1313568982.21773.3.camel@dhcp-25-52.brq.redhat.com>

I had doubts about how to name the ipasudorunasgroup_group attribute; this is the result.

Btw, what is the difference between the attributes ipasudorunasgroup_group and ipasudorunas_group?

Martin

-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-mkosek-113-add-missing-attribute-labels-for-sudorule.patch
Type: text/x-patch
Size: 1110 bytes
Desc: not available
URL:

From jcholast at redhat.com Wed Aug 17 08:27:03 2011
From: jcholast at redhat.com (Jan Cholasta)
Date: Wed, 17 Aug 2011 10:27:03 +0200
Subject: [Freeipa-devel] [PATCH] 41 Verify that the external CA certificate files are correct
Message-ID: <4E4B7B57.2010208@redhat.com>

Verify that --external_cert_file and --external_ca_file are both readable, valid PEM files and that their subject/issuer is correct.

Also fixes ipalib.x509.load_certificate_from_file.

https://fedorahosted.org/freeipa/ticket/1572

Honza

--
Jan Cholasta

From pvoborni at redhat.com Wed Aug 17 08:38:41 2011
From: pvoborni at redhat.com (Petr Vobornik)
Date: Wed, 17 Aug 2011 10:38:41 +0200
Subject: [Freeipa-devel] [PATCH] 246 Fixed browser configuration pages
In-Reply-To: <4E4ADF39.7060101@redhat.com>
References: <4E4ADF39.7060101@redhat.com>
Message-ID: <4E4B7E11.7030401@redhat.com>

On 08/16/2011 11:20 PM, Endi Sukma Dewata wrote:
> The browser configuration pages have been modified to improve the
> content and appearance.
>
> Ticket #1624
>

ACK

--
Petr Vobornik

From jcholast at redhat.com Wed Aug 17 10:46:38 2011
From: jcholast at redhat.com (Jan Cholasta)
Date: Wed, 17 Aug 2011 12:46:38 +0200
Subject: [Freeipa-devel] [PATCH] 41 Verify that the external CA certificate files are correct
In-Reply-To: <4E4B7B57.2010208@redhat.com>
References: <4E4B7B57.2010208@redhat.com>
Message-ID: <4E4B9C0E.9070204@redhat.com>

On 17.8.2011 10:27, Jan Cholasta wrote:
> Verify that --external_cert_file and --external_ca_file are both
> readable, valid PEM files and that their subject/issuer is correct.
>
> Also fixes ipalib.x509.load_certificate_from_file.
>
> https://fedorahosted.org/freeipa/ticket/1572
>
> Honza
>

Patch attached.

--
Jan Cholasta

-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-jcholast-41-external-ca-verify.patch
Type: text/x-patch
Size: 3580 bytes
Desc: not available
URL:

From abokovoy at redhat.com Wed Aug 17 12:52:08 2011
From: abokovoy at redhat.com (Alexander Bokovoy)
Date: Wed, 17 Aug 2011 15:52:08 +0300
Subject: [Freeipa-devel] [PATCH] 0009 (1) Propagate environment when it is required
Message-ID: <4E4BB978.8010904@redhat.com>

Hi,

Patch for #1549 and #1550 (and all others where the command line option name is different from the attribute name).

As discussed before, this is the least evil implementation. Other approaches force substantially noticeable performance degradation or API changes that prevent re-using the memoized API.txt.

See the following threads on freeipa-devel@ for references:
https://www.redhat.com/archives/freeipa-devel/2011-August/msg00000.html
https://www.redhat.com/archives/freeipa-devel/2011-August/msg00011.html

--
/ Alexander Bokovoy

-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: freeipa-abbra-0009-tickets-1-1549-1550.patch
URL:

From jdennis at redhat.com Wed Aug 17 13:19:49 2011
From: jdennis at redhat.com (John Dennis)
Date: Wed, 17 Aug 2011 09:19:49 -0400
Subject: [Freeipa-devel] Please do not edit po files, please watch for this in patch review
Message-ID: <4E4BBFF5.3090902@redhat.com>

While investigating issues with our translations I discovered a git commit in which some of the po files in install/po were directly edited.

Please do not edit the po files, for all practical purposes you should consider them machine generated. Patch reviewers should watch for po edits. The only time po files should appear in a git commit is after pulling new po files from Transifex [1]

Details:

po files are essentially a set of pairs where msgid is the raw untranslated string extracted from our source code and the msgstr is the translated version of that string. msgid's are collected from our sources via a process called "extraction" (e.g. xgettext) and are placed in a pot file (i.e. po template). msgid's arrive in a po file by a process called "message merging" whereby the msgid's in the pot file are merged into a po file.

If you directly edit msgid's in a po file you will have broken the automated workflow and will likely have caused the language translation to be incorrect.

If you are a native speaker and discover a problem with a language specific translation (i.e. you want to update the msgstr in the po file) then that should be done in Transifex and the resulting po file pulled from Transifex with the correction.

Thanks!!

John

1. We currently have a make target called "update-po" which merges changes from an updated pot file into each po file. We used to perform this step after updating the pot file but the current Transifex workflow obviates the need for this and is potentially problematic. As such it may be removed to prevent "accidents".

--
John Dennis

Looking to carve out IT costs?
www.redhat.com/carveoutcosts/

From simo at redhat.com Wed Aug 17 13:29:41 2011
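One check a patch reviewer could run for the workflow John describes: since msgids reach a po file only by merging from the pot, a msgid present in the po but absent from the pot is the signature of a hand edit (or a stale merge). This is an added example, not FreeIPA project code; the PO parser and the sample pot/po texts are constructed here and cover only the common gettext subset.

```python
"""Flag msgids in a .po file that do not come from its .pot template."""
import re

# Matches 'msgid "..."', 'msgstr "..."', 'msgstr[0] "..."', 'msgctxt "..."'.
_KEYWORD_RE = re.compile(r'^(msgctxt|msgid_plural|msgid|msgstr(?:\[\d+\])?)\s+"(.*)"$')
# Matches a bare '"..."' continuation line of a multi-line string.
_CONT_RE = re.compile(r'^"(.*)"$')
_ESCAPES = {"n": "\n", "t": "\t", '"': '"', "\\": "\\"}


def _unescape(s):
    """Undo the C-style escapes gettext uses inside quoted strings."""
    out, i = [], 0
    while i < len(s):
        if s[i] == "\\" and i + 1 < len(s):
            out.append(_ESCAPES.get(s[i + 1], s[i + 1]))
            i += 2
        else:
            out.append(s[i])
            i += 1
    return "".join(out)


def parse_po(text):
    """Return {msgid: msgstr} for a PO/POT text (header entry included).

    Comments, flags and obsolete '#~' entries are skipped; multi-line
    strings are concatenated the way gettext does.  A msgctxt is joined
    to the msgid with gettext's context separator (EOT).
    """
    entries, cur, field = {}, {}, None

    def flush():
        if "msgid" in cur:
            key = cur["msgid"]
            if "msgctxt" in cur:
                key = cur["msgctxt"] + "\x04" + key
            entries[key] = cur.get("msgstr", cur.get("msgstr[0]", ""))
        cur.clear()

    for raw in text.splitlines():
        line = raw.strip()
        if not line:               # blank line ends an entry
            flush()
            field = None
            continue
        if line.startswith("#"):   # comment / flag / obsolete entry
            continue
        m = _KEYWORD_RE.match(line)
        if m:
            kw, val = m.group(1), _unescape(m.group(2))
            if kw == "msgid" and "msgid" in cur:  # new entry, no blank line
                flush()
            cur[kw] = val
            field = kw
            continue
        m = _CONT_RE.match(line)
        if m and field:
            cur[field] += _unescape(m.group(1))
    flush()
    return entries


def check_po_against_pot(po_text, pot_text):
    """Report msgids that review should question.

    'not_in_template': in the .po but not in the .pot (hand edit or stale merge)
    'missing_from_po': in the .pot but not in the .po (needs a merge)
    """
    po_ids = set(parse_po(po_text)) - {""}
    pot_ids = set(parse_po(pot_text)) - {""}
    return {
        "not_in_template": sorted(po_ids - pot_ids),
        "missing_from_po": sorted(pot_ids - po_ids),
    }


# Constructed sample template and translation (not FreeIPA's real files).
SAMPLE_POT = r'''
msgid ""
msgstr ""
"Content-Type: text/plain; charset=UTF-8\n"

#: example.py:10
msgid "User login"
msgstr ""

#: example.py:11
msgid "Password expired"
msgstr ""

msgid "Enter \"%s\" again"
msgstr ""
'''

# The translator "fixed" the English of the first msgid by hand.
SAMPLE_PO = r'''
msgid ""
msgstr ""
"Content-Type: text/plain; charset=UTF-8\n"

#: example.py:10
msgid "User name"
msgstr "Nom d'utilisateur"

#: example.py:11
msgid "Password "
"expired"
msgstr "Mot de passe expiré"

msgid "Enter \"%s\" again"
msgstr "Entrez \"%s\" à nouveau"
'''

if __name__ == "__main__":
    for kind, ids in check_po_against_pot(SAMPLE_PO, SAMPLE_POT).items():
        for msgid in ids:
            print("%s: %r" % (kind, msgid))
```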
From: simo at redhat.com (Simo Sorce)
Date: Wed, 17 Aug 2011 09:29:41 -0400
Subject: [Freeipa-devel] Can't install on F16 due to dependency issues
In-Reply-To: <4E4B2DFC.9000709@younglogic.com>
References: <4E4B2DFC.9000709@younglogic.com>
Message-ID: <1313587781.11512.191.camel@willson.li.ssimo.org>

On Tue, 2011-08-16 at 22:57 -0400, Adam Young wrote:
> Error: Package:
> certmonger-0.45-0.20110811T1730Zgit77ca985.fc16.x86_64
> (ipa-devel)
> Requires: libtevent.so.0(TEVENT_0.9.9)(64bit)

We are working on this issue, it is complicated and will require the rebuild of a bunch of packages in f16 all at the same time.

We should be able to fix it early next week. In the meanwhile you can rebuild certmonger/sssd locally.

Simo.

--
Simo Sorce * Red Hat, Inc * New York

From simo at redhat.com Wed Aug 17 13:30:49 2011
From: simo at redhat.com (Simo Sorce)
Date: Wed, 17 Aug 2011 09:30:49 -0400
Subject: [Freeipa-devel] Please do not edit po files, please watch for this in patch review
In-Reply-To: <4E4BBFF5.3090902@redhat.com>
References: <4E4BBFF5.3090902@redhat.com>
Message-ID: <1313587849.11512.192.camel@willson.li.ssimo.org>

On Wed, 2011-08-17 at 09:19 -0400, John Dennis wrote:
> 1. We currently have a make target called "update-po" which merges
> changes from an updated pot file into each po file. We used to perform
> this step after updating the pot file but the current Transifex workflow
> obviates the need for this and is potentially problematic. As such it
> may be removed to prevent "accidents".

Please open a ticket for this.

Simo.

--
Simo Sorce * Red Hat, Inc * New York

From rcritten at redhat.com Wed Aug 17 14:39:04 2011
From: rcritten at redhat.com (Rob Crittenden)
Date: Wed, 17 Aug 2011 10:39:04 -0400
Subject: [Freeipa-devel] [PATCH] 40 Add option to ipa-server-install to disable the automatic redirect to the Web UI
In-Reply-To: <4E4AAB9D.60908@redhat.com>
References: <4E4AAB9D.60908@redhat.com>
Message-ID: <4E4BD288.60809@redhat.com>

Jan Cholasta wrote:
> https://fedorahosted.org/freeipa/ticket/1570
>
> The help message might need some tweaking.
>
> Honza

NACK. Whatever solution we come up with needs to apply to replicas as well. Ideally it would be automatic. Since this is a bit of a corner case in general it might be acceptable to have an option on ipa-replica-install.

rob

From rcritten at redhat.com Wed Aug 17 15:00:58 2011
From: rcritten at redhat.com (Rob Crittenden)
Date: Wed, 17 Aug 2011 11:00:58 -0400
Subject: [Freeipa-devel] Announcing FreeIPA 2.1.0
Message-ID: <4E4BD7AA.6030606@redhat.com>

The FreeIPA Project is proud to announce the latest release of FreeIPA.

As always, the latest tarball can be found at http://freeipa.org/

FreeIPA 2.1 is available in Fedora 15. It is currently in the updates-testing repository along with a number of its dependencies. Fedora 16 and rawhide builds will be coming soon.

== Highlights ==

* General client and server installation improvements. Server installation is significantly faster.
* Improved support for IPv6.
* General UI improvements related to navigation and work flow.
* Added UI for automount.
* A Host-based Access Control (HBAC) test tool
* Deprecation of HBAC deny rules
* A CA is no longer required on every replica and may be added post-install to a replica (see ipa-ca-install).
* A new replication tool for dogtag has been added (ipa-cs-manage). This allows you to control the replication topology of your CA.

== Upgrading ==

=== Server ===

To upgrade a 2.0.0 or 2.0.1 server do the following:

# yum update freeipa-server --enablerepo=updates-testing

This will pull in updated freeIPA, 389-ds, dogtag, libcurl and xmlrpc-c packages (and perhaps some others). A script will be executed in the rpm postinstall phase to update the IPA LDAP server with any required changes.

There is a bug reported against 389-ds, https://bugzilla.redhat.com/show_bug.cgi?id=730387, related to read-write locks. The NSPR RW lock implementation does not safely allow re-entrant use of reader locks. This is a timing issue so it is difficult to predict. During testing one user experienced this and the upgrade hung.

To break the hang kill the ns-slapd process for your realm, wait for the yum transaction to complete, then restart 389-ds and manually run the update process:

# service dirsrv start
# ipa-ldap-updater

=== Client ===

The ipa-client-install tool in the ipa-client package is just a configuration tool. There should be no need to re-run this on every client already enrolled.

== Detailed Changelog ==

Adam Young (62):
* Fixed labels for sudo and hbac rules
* update metadata with label changes
* define entities using builder and more declarative syntax
* default all false no longer default to all: true for searches, only specify it for user searches
* code review fixes
* make use of new user-find columns.
* fix JSL error
* Upgrade to jquery 1.5.2
* action panel to top tabs
* remove jquery-cookie library
* update ipa init a simple script to update the metadata et alles that comes from the ipa_init batch call
* whitespace and -x removal
* create entities on demand. fixed changes from code review
* automount UI
* redirect on show error.
* redirect on error Code for redirecting on error has been moved to IPA.facet so it can be called from both details and association facets.
* automount delete key indirect automount maps
* scrollable content areas
* dialog scrolling table
* JSON marshalling list
* dns multiple records show multiple records that share the same dnsname
* no redirect on search
* test for dirty
* test dirty textarea runs the testdirty check before setting the undo tag for a textarea
* test dirty multivalue test the multivalue widgets for changes before showing the undo link.
* test dirty onchange
* entity select widget for manager
* hide automount tabs.
* service host entity select Use the entity select widget for add service
* entity select undo
* no redirect on unknown error If the error name indicates a server wide error, do not attempt to redirect.
* editable entity_select
* ipaddress for host add
* entity select for password policy
* tooltips for host add
* automountkey details
* identify target as section for permissions
* optional uid
* validate required fields
* Generate record type list from metadata
* shorten url cache state in a javascript variable, and leave on information about the current entity in the URL hash params
* containing entity pkeys
* undefined pkeys
* config fields
* ipadefaultemaildomain
* config widgets entity select default group checkbox for migration
* entity link for password policy
* validate ints
* password expiration label
* HBAC deny warning
* check required on add
* clear errors on reset
* indirect admins
* entity_select naming
* remove HBAC warning from static UI
* dnsrecord-mod ui
* no dns
* remove hardcoded DNS label for record name.
* move dns to identity tab
* removing setters setup and init
* dns section header i18n.
* use other_entity for adder columns

Alexander Bokovoy (10):
* Convert Bool to TRUE/FALSE when working with LDAP backend
* Minor typos in the examples
* Convert nsaccountlock to always work as bool towards Python code
* Rearrange logging for NSCD daemon.
* Fix sssd.conf to always have IPA certificate for the domain.
* Add hbactest command.
* Modify /etc/sysconfig/network on a client when IPA manages hostname
* Make proper LDAP configuration reporting for ipa-client-install
* Ensure network configuration file has proper permissions
* Pass empty options as empty arrays for supported dns record types.

Endi S. Dewata (114):
* Fixed undefined label in permission adder dialog box.
* Initial Selenium test cases.
* Added functional test runner.
* Refactored action panel and client area.
* Refactored builder interface.
* Refactored search facet.
* Entitlements.
* Updated Selenium tests.
* Merged IPA.cmd() into IPA.command().
* Entitlement registration.
* Entitlement import.
* Entitlement download.
* Moved adder dialog box into entity.
* Standardized action panel buttons creation.
* Entitlement quantity validation.
* Refactored navigation.
* Use entity names for tab state.
* Moved entity contents outside navigation.
* Added facet container.
* Fixed self-service UI.
* Updated Selenium tests.
* Updated Selenium tests.
* Updated DNS interface.
* Added Selenium tests for DNS.
* Added UUID field for entitlement registration.
* Added Self-Service and Delegation tests.
* Customizable facet groups.
* Read-only association facet.
* jQuery ordered map.
* Fixed problem disabling HBAC and SUDO rules.
* Fixed Ajax error handling.
* Fixed details tests.
* Fixed adder dialog title.
* Fixed Add and Edit without primary key.
* Fixed Selenium tests.
* Fixed URL parameter parsing.
* Added Update and Reset buttons into Dirty dialog.
* Fixed problem deleting value in text field.
* Added pagination for associations.
* Fixed pagination problem.
* Temporary fix for indirect member tabs.
* Fixed blank dialog box on internal error.
* Fixed resizing issues.
* Added selectable option for table widget.
* Entitlement status.
* Fixed tab navigation.
* Fixed build break.
* Fixed paging for indirect members.
* Renamed associate.js to association.js.
* Fixed self-service links.
* Merged direct and indirect association facets
* Storing page number in URL.
* Removed FreeWay font files.
* Fixed problem with navigation tabs on reload.
* Converted entity header into facet header.
* Added navigation breadcrumb.
* Added record count into association facet tabs.
* Added singular entity labels.
* Fixed entity labels.
* Fixed DNS records page title.
* Fixed undo all problem.
* Removed unused images.
* Fixed hard-coded messages.
* Added confirmation dialog for user activation.
* Fixed button style in Entitlements
* Removed invalid associations.
* Added arrow icons for details sections.
* Fixed object_name usage.
* Fixed HBAC/Sudo rules associations.
* Fixed blank self-service page.
* Fixed dirty dialog problems in HBAC/Sudo rules.
* Fixed test fixture file name.
* Fixed missing entitlement import button label
* Added sudo options.
* Fixed collapsed table in Chrome.
* Fixed object_name and object_name_plural internationalization
* Fixed label capitalization
* Entity select widget improvements
* Removed reverse zones from host adder dialog.
* Fixed host details fields.
* Added checkbox to remove hosts from DNS.
* Creating reverse zones from IP address.
* Removed entitlement registration UUID field.
* Fixed problem loading data in HBAC/sudo details page.
* Removed HBAC access time code.
* Removed custom layouts using HTML templates.
* Refactored IPA.current_facet().
* Fixed problem with navigation state loading.
* Fixed navigation problems.
* Fixed navigation unit test.
* Fixed click handlers on certificate buttons.
* New icons for entitlement buttons
* Fixed problem bookmarking Policy/IPA Server tabs
* Fixed problem setting host OTP.
* Fixed hard-coded labels in sudo rules.
* Fixed hard-coded label in Find button.
* Fixed missing section header in sudo command group.
* Fixed problem unprovisioning service.
* Fixed missing memberof definition in HBAC service.
* Added association facets for HBAC and sudo.
* Fixed certificate buttons.
* Fixed missing icons.
* Fixed misaligned search icon.
* Resizable adder dialog box.
* Linked entries in HBAC/sudo details page.
* Fixed 3rd level tab style.
* Fixed facet group labels.
* Fixed error after login on IE
* Fixed host adder dialog.
* Fixed DNS zone adder dialog.
* Fixed broken links in ipa_error.css and ipa_migration.css.
* Fixed problem clicking 3rd level tabs.
* Fixed link style in dialog box.
* Fixed problem with buttons in enrollment dialog.

Jakub Hrozek (1):
* Remove wrong kpasswd sysconfig

Jan Cholasta (34):
* Fix wording of error message.
* Add note about ipa-dns-install to ipa-server-install man page.
* Fix typo in ipa-server-install.
* Fix uninitialized variables.
* Fix double definition of output_for_cli.
* Add lint script for static code analysis.
* Fix lint false positives.
* Remove unused classes.
* Fix some minor issues uncovered by pylint.
* Fix uninitialized attributes.
* Run lint during each build.
* Several improvements of the lint script.
* Fix issues found by Coverity.
* Fix regressions introduced by pylint false positive fixes.
* Assume ipa help for plugins.
* Parse netmasks in IP addresses passed to server install.
* Honor netmask in DNS reverse zone setup.
* Do stricter checking of IP addressed passed to server install.
* Fix directory manager password validation in ipa-nis-manage.
* Improve IP address handling in the host-add command.
* Verify that the hostname is fully-qualified before accessing the service information in ipactl.
* Remove redundant configuration values from krb5.conf.
* Replace the 'private' option in netgroup-find with 'managed'.
* Configure SSSD to store user password if offline.
* Fix creation of reverse DNS zones.
* Add ability to specify DNS reverse zone name by IP network address.
* Fix exit status of ipa-nis-manage enable.
* Update minimum required version of python-netaddr.
* Clean up of IP address checks in install scripts.
* Don't delete NIS netgroup compat suffix on 'ipa-nis-manage disable'.
* Fix ipa-compat-manage not working after recent ipa-nis-manage change.
* Make sure that hostname specified by user is not an IP address.
* Fix external CA install.
* Ask for reverse DNS zone information in attended install right after asking for DNS forwarders, so that DNS configuration is done in one place.

John Dennis (9):
* Module for DN objects plus unit test
* assert_deepequal supports callback for equality testing
* Add backslash escape support for cvs reader
* Use DN class in get_primary_key_from_dn to return decoded value
* Update test_role_plugin test to include a comma in a privilege
* Ticket 1485 - DN pairwise grouping
* Make AVA, RDN & DN comparison case insensitive. No need for lowercase normalization.
* Clean up existing DN object usage
* transifex translation adjustment

Jr Aquino (15):
* Escape LDAP characters in member and memberof searches
* Add memberHost and memberUser to default indexes
* Optimize and dynamically verify group membership
* Delete the sudoers entry when disabling Schema Compat
* Return copy of config from ipa_get_config()
* Typo in host_nis_groups has been creating 2 CN's
* Add sudorule and hbacrule to memberof and indirectmemberof attributes
* Display remaining external hosts when removing from sudorule
* Raise DuplicateEntry Error when adding a duplicate sudo option
* Don't add empty tuple to entry_attrs['externalhost']
* oneliner correct typo in ipasudorunas_group
* Return correct "RunAs External Group" when removing members
* remove escapes from the cvs parser in ipaserver/install/ldapupdate
* Correct behavior for sudorunasgroup vs sudorunasuser
* Correct sudo runasuser and runasgroup attributes in schema

Martin Kosek (68):
* Inconsistent error message for duplicate user
* Replica installation fails for self-signed server
* Remove doc from API.txt
* Revert "Remove doc from API.txt"
* Password policy commands do not include cospriority
* Improve DNS PTR record validation
* Remove unwanted trimming in text fields
* Need force option in DNS zone adder dialog
* IPA replica is not started after the reboot
* Improve Directory Service open port checker
* Log temporary files in ipa-client-install
* Prevent uninstalling client on the IPA server
* pwpolicy-mod doesn't accept old attribute values
* Forbid reinstallation in ipa-client-install
* ipa-client-install uninstall does not work on IPA server
* LDAP Updater may crash IPA installer
* NS records not updated by replica
* Bad return values for ipa-rmkeytab command
* Update spec with missing BuildRequires for pylint check
* Let selinux-policy handle port 7390
* Limit passwd plugin to user container
* Consolidate man pages and IPA tools help
* Remove doc from API.txt
* Improve service manipulation in client install
* Running ipa-replica-manage as non-root cause errors
* KDC autodiscovery may fail when domain is not realm
* A new flag to disable creation of UPG
* Fix reverse zone creation in ipa-replica-prepare
* Improve interactive mode for DNS plugin
* Localization fails for MaxArgumentError
* Fix forward zone creation in ipa-replica-prepare
* Connection check program for replica installation
* Fix support for nss-pam-ldapd
* Skip know_host check for ipa-replica-conncheck
* IPA installation with --no-host-dns fails
* Handle LDAP search references
* Add ignore lists to migrate-ds command
* Improve DNS zone creation
* Add a list of managed hosts
* Missing krbprincipalname when uid is not set
* Add port 9443 to replica port checking
* Fix doc for sudorule runasuser commands
* Improve IP address handling in IPA option parser
* Multi-process build problems
* DNS installation fails when domain and host domain mismatch
* Fix IPA install for secure umask
* Allow recursion by default
* Add DNS record modification command
* Filter reverse zones in dnszone-find
* Remove sensitive information from logs
* Fix ipa-dns-install
* Fix self-signed replica installation
* Check IPA configuration in install tools
* Add new dnszone-find test
* Fix typo in ipa-replica-prepare
* Improve long integer type validation
* Fix sudorule-remove-user
* Add missing automount summaries
* Fix man page ipa-csreplica-manage
* Fix automountkey commands summary
* Fix invalid issuer in unit tests
* Hide continue option from automountkey-del
* Improve error message in ipactl
* Improve dnszone-add error message
* Fix idnsUpdatePolicy for reverse zone record
* Fix client enrollment
* Update 389-ds-base version
* Update pki-ca version

Nalin Dahyabhai (1):
* Select a server with a CA on it when submitting signing requests.

Pavel Zuna (1):
* Fix gidnumber option of user-add command.

Petr Vobornik (3):
* fixed empty dns record update
* Fixed adding host without DNS reverse zone
* Redirection after changing browser configuration

Rich Megginson (3):
* winsync enables disabled users in AD
* modify user deleted in AD crashes winsync
* memory leak in ipa_winsync_get_new_ds_user_dn_cb

Rob Crittenden (90):
* Allow a client to enroll using principal when the host has a OTP
* Make retrieval of the CA during DNS discovery non-fatal.
* Cache the value of get_ipa_config() in the request context.
* Change default gecos from uid to first and last name.
* Fix ORDERING in some attributetypes and remove other unnecessary elements.
* postalCode should be a string not an integer.
* Fix traceback in ipa-nis-manage.
* Suppress --on-master from ipa-client-install command-line and man page.
* Sort entries returned by *-find by the primary key (if any).
* The default groups we create should have ipaUniqueId set
* Always ask members in LDAP*ReverseMember commands.
* Provide attributelevelrights for the aci components in permission_show.
* Wait for memberof task and DS to start before proceeding in installation.
* Convert manager from userid to dn for storage and back for displaying.
* Modify the default attributes shown in user-find to match the UI design.
* Ensure that the zonemgr passed to the installer conforms to IA5String.
* Handle principal not found errors when converting replication agreements
* Bump version to 2.0.90 to distinguish between 2.0.x
* Properly handle --no-reverse being passed on the CLI in interactive mode
* Update min nvr for selinux-policy and pki-ca for F-15+
* Test for forwarded Kerberos credentials cache in wsgi code.
* Properly configure nsswitch.conf when using the --no-sssd option.
* Enable 389-ds SSL host checking by default
* Configure Managed Entries on replicas.
* Document that deleting and re-adding a replica requires a dirsrv restart.
* Fix migration to work between v2 servers and remove search/size limits.
* Add option to limit the attributes allowed in an entry.
* Include the word 'member' with autogenerated optional member labels.
* Do a lazy retrieval of the LDAP schema rather than at module load.
* Add UID, GID and e-mail to the user default attributes.
* Fix external CA installation
* Remove root autobind search restriction, fix upgrade logging & error handling
* Support initializing memberof during replication re-init using GSSAPI
* Do better detection on status of CA DS instance when installing.
* Fix indirect member calculation
* Remove automountinformation as part of the DN for automount.
* Don't let a JSON error get lost in cascading errors.
* Add message output summary to sudorule del, mod and find.
* Return an error message when revocation reason 7 is used
* Require an imported certificate's issuer to match our issuer.
* On a master configure sssd to only talk to the local master.
* The IP address provided to ipa-server-install must be local
* Do lazy LDAP schema retrieval in json handler.
* Make data type of certificates more obvious/predictable internally.
* Update translation files
* Let the framework be able to override the hostname.
* Make dogtag an optional (and default un-) installed component in a replica.
* Slight performance improvement by not doing some checking in production mode
* Set the client auth callback after creating the SSL connection.
* Add pwd expiration notif (ipapwdexpadvnotify) to config plugin def attr list
* Enforce class rules when query=True, continue to not run validators.
* find_entry_by_attr() should fail if multiple entries are found
* Fix error in AttrValueNotFound exception example
* Fix test failure in updater when adding values to a single-value attr
* Reset failed login count to 0 when admin resets password.
* Disallow direct modifications to enrolledBy.
* Document registering to an entitlement server with a UUID as not implemented.
* In sudo labels we should use RunAs and not Run As.
* Remove the ability to create new HBAC deny rules.
* Validate that the certificate subject base is in valid DN format.
* Use information from the certificate subject when setting the NSS nickname.
* Create tool to manage dogtag replication agreements
* Fix failing tests due to object name changes
* Set nickname of the RA to 'IPA RA' to avoid confusion with dogtag RA
* Set the ipa-modrdn plugin precedence to 60 so it runs last
* Generate a database password by default in all cases.
* Specify the package name when the replication plugin is missing.
* Change client enrollment principal prompt to hopefully be clearer.
* Optionally wait for 389-ds postop plugins to complete
* A removed external host is shown in output when removing external hosts.
* Don't set krbLastPwdChange when setting a host OTP password.
* Fix regression when calculating external groups.
* With the external user/group management fixed, correct the unit tests.
* Set a default minimum value for class Int, handle long values better.
* Make ipa-client-install error messages more understandable and relevant.
* Add Alexander Bokovoy and Jan Cholasta to contributors file
* Only call entry_from_entry() after waiting for the new entry.
* Hide the HBAC access type attribute now that deny is deprecated.
* Autofill the default revocation reason
* Don't check for leading/trailing spaces in a File parameter
* Add an arch-specific Requires on cyrus-sasl-gssapi
* Revert use of 'can be at least' to 'must be at least' in minvalue validator
* Don't leave dangling map if adding an indirect map fails
* Fix message in test case for checking minimum values
* When setting a host password don't set krbPasswordExpiration.
* Set minimum version of pki-ca to 9.0.10 to pick up new ipa cert profile
* Deprecated managing users and runas user/group in sudorule add/mod
* Fix date order in changelog.
* Re-arrange CA configuration code to reduce the number of restarts.

Simo Sorce (4):
* Fix resource leaks.
* ipautil: Preserve environment unless explicitly overridden by caller.
* install-scripts: avoid using --list with chkconfig
* Don't set the password expiration to the current time

Yuri Chornoivan (1):
* Typos in freeIPA messages and man page

Kyle Baker (5):
* Background images and tab hover
* Search bar style and positioning changes
* List page spacing changes
* Tab and spacing on list
* Facet icon swap and tab sizing

From dpal at redhat.com Wed Aug 17 15:32:29 2011
From: dpal at redhat.com (Dmitri Pal) Date: Wed, 17 Aug 2011 11:32:29 -0400 Subject: [Freeipa-devel] [Freeipa-users] Extending Schema, CLI and Web UI for use with Samba 3 (groups!) In-Reply-To: <1313548970.11512.183.camel@willson.li.ssimo.org> References: <4E4AC9FB.9050602@pet.ubc.ca> <4E4AD830.7070005@redhat.com> <1313529082.11512.179.camel@willson.li.ssimo.org> <4E4AE8AC.4040209@redhat.com> <1313533768.11512.181.camel@willson.li.ssimo.org> <4E4AF4C6.7050907@redhat.com> <1313548970.11512.183.camel@willson.li.ssimo.org> Message-ID: <4E4BDF0D.6040700@redhat.com> On 08/16/2011 10:42 PM, Simo Sorce wrote: > On Tue, 2011-08-16 at 18:52 -0400, Dmitri Pal wrote: >> On 08/16/2011 06:29 PM, Simo Sorce wrote: >>> Moved to -devel, >>> >>> On Tue, 2011-08-16 at 18:01 -0400, Dmitri Pal wrote: >>>> On 08/16/2011 05:11 PM, Simo Sorce wrote: >>>>> On Tue, 2011-08-16 at 16:50 -0400, Dmitri Pal wrote: >>>>>> Should we open a ticket and have a way to just turn this integration >>>>>> on? >>>>>> Something like ipa-server-install install flag --samba-integration. >>>>>> Then >>>>>> it will translate into enabling all of the above at the install time >>>>>> or >>>>>> after. >>>>>> >>>>> It may conflict with the adtrust work if not done right, so I would >>>>> prefer to do this as part of the 3.0-Trust work. >>>>> >>>>> Simo. >>>>> >>>> I am not suggesting to do it earlier. Can you please create a ticket to >>>> track it as a part of the trust effort? >>> The necessary steps should already be performed by ipa-datrust-install, >>> do we need an additional option to ipa-server-install ? >>> >>> Simo. >>> >> No, it should be clear that there is a way to enable samba attributes >> without actually using/establishing the trusts. > ipa-adtrust-install does not establish trusts, it merely prepares the > IPA tree to handle them including setting up a specially configured > samba. 
> The problem I see is that if we allow --samba-integration and
> then we stomp over it when doing ipa-adtrust-install people will not be
> really happy ...
>
> Simo.
>

True. It was just an idea. Maybe not a good one in the context of the adtrust work.

The only problem with your proposal is that it is not intuitive to expect ipa-adtrust-install to just set samba configuration. Based on the name it assumes that you are going to set up trusts later. Maybe we should change the name then (sorry once again) to something like ipa-adinterop-install. Then it would be logical to run such a utility to enable samba schema but not go the full nine yards for preparing IPA to establish trusts.

Just another thought...

--
Thank you,
Dmitri Pal

Sr. Engineering Manager IPA project,
Red Hat Inc.

-------------------------------
Looking to carve out IT costs?
www.redhat.com/carveoutcosts/

From pvoborni at redhat.com Wed Aug 17 15:38:56 2011
From: pvoborni at redhat.com (Petr Vobornik)
Date: Wed, 17 Aug 2011 17:38:56 +0200
Subject: [Freeipa-devel] [PATCH] 005 Show error in serial association
Message-ID: <4E4BE090.4050308@redhat.com>

Ticket #1628 - https://fedorahosted.org/freeipa/ticket/1628
Unreported insufficient access error

This patch is dependent on freeipa-pvoborni-0004-1-error-dialog-for-batch-command.patch.

This may be only a check of whether the approach of this patch is good.

I was not sure if this type of error message (result.failed property) is more general or it only appears in adding members. So I put error handling in serial_associator instead of command. If it were put in command and success were transformed to error, it would change the behaviour of executing commands - other commands after the error wouldn't be executed. If the approach is good, it could probably be better to change it a little and offer the same logic for batch_associator.

It should be working for adding users to groups, netgroups, roles and assigning hbac rules (tested as non-admin user).

Modified association test - data in success handler should not be undefined.

--
Petr Vobornik
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-pvoborni-0005-Show-error-in-serial-association.patch
Type: text/x-patch
Size: 6877 bytes
Desc: not available
URL:

From rcritten at redhat.com Wed Aug 17 15:56:17 2011
From: rcritten at redhat.com (Rob Crittenden)
Date: Wed, 17 Aug 2011 11:56:17 -0400
Subject: [Freeipa-devel] [PATCH] 845 add external source hosts to HBAC
Message-ID: <4E4BE4A1.4070504@redhat.com>

You should be able to specify hosts that aren't in IPA in HBAC source host rules. This adds support for it.

ticket https://fedorahosted.org/freeipa/ticket/1574

rob
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-rcrit-845-hbac.patch
Type: application/mbox
Size: 8457 bytes
Desc: not available
URL:

From edewata at redhat.com Wed Aug 17 18:08:42 2011
From: edewata at redhat.com (Endi Sukma Dewata)
Date: Wed, 17 Aug 2011 13:08:42 -0500
Subject: [Freeipa-devel] [PATCH] 004 error dialog for batch command
In-Reply-To: <4E495C2D.7080402@redhat.com>
References: <4E43E0AB.1000603@redhat.com> <4E43FD56.1030804@redhat.com> <4E440050.8080209@redhat.com> <4E493B30.5010507@redhat.com> <4E495C2D.7080402@redhat.com>
Message-ID: <4E4C03AA.9080709@redhat.com>

On 8/15/2011 12:49 PM, Endi Sukma Dewata wrote:
> On 8/15/2011 10:28 AM, Petr Vobornik wrote:
>> done
>
> ACK. Will push after release.

Pushed to master and ipa-2-1.

--
Endi S. Dewata

From edewata at redhat.com Wed Aug 17 18:09:18 2011
From: edewata at redhat.com (Endi Sukma Dewata)
Date: Wed, 17 Aug 2011 13:09:18 -0500
Subject: [Freeipa-devel] [PATCH] 246 Fixed browser configuration pages
In-Reply-To: <4E4B7E11.7030401@redhat.com>
References: <4E4ADF39.7060101@redhat.com> <4E4B7E11.7030401@redhat.com>
Message-ID: <4E4C03CE.7010500@redhat.com>

On 8/17/2011 3:38 AM, Petr Vobornik wrote:
> On 08/16/2011 11:20 PM, Endi Sukma Dewata wrote:
>> The browser configuration pages have been modified to improve the
>> content and appearance.
>>
>> Ticket #1624
> ACK

Pushed to master and ipa-2-1.

--
Endi S. Dewata

From edewata at redhat.com Wed Aug 17 18:09:36 2011
From: edewata at redhat.com (Endi Sukma Dewata)
Date: Wed, 17 Aug 2011 13:09:36 -0500
Subject: [Freeipa-devel] [PATCH] 247 Hide activation/deactivation link from regular users.
In-Reply-To: <4E4B7462.20807@redhat.com>
References: <4E4AE5EC.1080305@redhat.com> <4E4B7462.20807@redhat.com>
Message-ID: <4E4C03E0.8090101@redhat.com>

On 8/17/2011 2:57 AM, Petr Vobornik wrote:
> On 08/16/2011 11:49 PM, Endi Sukma Dewata wrote:
>> The IPA.user_status_widget has been modified to show/hide the link for
>> activating/deactivating users according to the attributelevelrights.
>>
>> Ticket #1625
> ACK

Pushed to master and ipa-2-1.

--
Endi S. Dewata

From edewata at redhat.com Wed Aug 17 18:11:15 2011
From: edewata at redhat.com (Endi Sukma Dewata)
Date: Wed, 17 Aug 2011 13:11:15 -0500
Subject: [Freeipa-devel] [PATCH] 248 Fixed problem selecting value from combobox
Message-ID: <4E4C0443.3050502@redhat.com>

The IPA.combobox_widget has been modified to use the 'change' event to capture the selected value from the drop-down list.

Ticket #1654

Pushed to master and ipa-2-1 under one-liner/trivial rule.

--
Endi S. Dewata
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-edewata-0248-Fixed-problem-selecting-value-from-combobox.patch
Type: text/x-patch
Size: 1211 bytes
Desc: not available
URL:

From rcritten at redhat.com Wed Aug 17 18:23:50 2011
From: rcritten at redhat.com (Rob Crittenden)
Date: Wed, 17 Aug 2011 14:23:50 -0400
Subject: [Freeipa-devel] [PATCH] 844 add netgroup to memberof association of hostgroups
In-Reply-To: <4E39A5CB.50909@redhat.com>
References: <4E39A5CB.50909@redhat.com>
Message-ID: <4E4C0736.5030000@redhat.com>

Rob Crittenden wrote:
> Let hostgroups show that they are members of netgroups.
>
> rob

Updated patch
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-rcrit-844-2-memberof.patch
Type: application/mbox
Size: 8766 bytes
Desc: not available
URL:

From rcritten at redhat.com Wed Aug 17 18:26:23 2011
From: rcritten at redhat.com (Rob Crittenden)
Date: Wed, 17 Aug 2011 14:26:23 -0400
Subject: [Freeipa-devel] [PATCH 34/34] ticket 1568 - DN objects should support the insert method
In-Reply-To: <4E413331.7030607@redhat.com>
References: <201108032316.p73NGIXT026343@int-mx02.intmail.prod.int.phx2.redhat.com> <4E413331.7030607@redhat.com>
Message-ID: <4E4C07CF.4070302@redhat.com>

Jan Cholasta wrote:
> On 4.8.2011 01:16, John Dennis wrote:
>> Add dn.insert() and update unittest
>>
>> --
>> John Dennis
>>
>
> ACK.
>
> Honza
>

pushed to master and ipa-2-1

From rcritten at redhat.com Wed Aug 17 18:28:56 2011
From: rcritten at redhat.com (Rob Crittenden)
Date: Wed, 17 Aug 2011 14:28:56 -0400
Subject: [Freeipa-devel] [PATCH 35/35] ticket 1569 - Test DN object non-latin Unicode support
In-Reply-To: <4E415C9E.8080401@redhat.com>
References: <201108032335.p73NZ87l018492@int-mx01.intmail.prod.int.phx2.redhat.com> <4E415C9E.8080401@redhat.com>
Message-ID: <4E4C0868.1080107@redhat.com>

Jan Cholasta wrote:
> On 4.8.2011 01:35, John Dennis wrote:
>> The DN unittest was lacking a test for i18n. The unittest was
>> updated to store "Hello" in Arabic with both utf-8 and unicode
>> and verify the values could be properly retrieved and converted
>> to dn string syntax.
>>
>> During the testing a few problems were discovered and corrected.
>>
>> * passing in utf-8 caused an ASCII decode error because of Python's
>> silly default encoding of ASCII. The fix was to explicitly use
>> the utf-8 codec.
>>
>> * there were a couple of places where encode/decode were not
>> called correctly.
>>
>> * the internal attr and value members of the AVA class were renamed
>> to explicitly show they are stored as unicode.
>>
>> Of course the unittest was updated as well.
>>
>> --
>> John Dennis
>>
>
> ACK.
>
> Honza
>

pushed to master and ipa-2-1

From rcritten at redhat.com Wed Aug 17 18:53:42 2011
From: rcritten at redhat.com (Rob Crittenden)
Date: Wed, 17 Aug 2011 14:53:42 -0400
Subject: [Freeipa-devel] [PATCH 36/36] ticket 1600 - convert unittests to use DN objects
In-Reply-To: <4E428A82.3080908@redhat.com>
References: <201108100216.p7A2GwXU017145@int-mx10.intmail.prod.int.phx2.redhat.com> <4E428A82.3080908@redhat.com>
Message-ID: <4E4C0E36.8000600@redhat.com>

Alexander Bokovoy wrote:
> On 10.08.2011 05:16, John Dennis wrote:
>> We have a larger goal of replacing all DN creation via string
>> formatting/concatenation with DN object operations because string
>> operations are not a safe way to form a DN nor to compare a DN. This
>> work needs to be broken into smaller chunks for easier review and
>> testing.
>>
>> Addressing the unit tests first makes sense because we don't want to
>> be modifying both the core code and the tests used to verify the core
>> code simultaneously. If we modify the unittests first with existing
>> core code and no regressions are found then we can move on to
>> modifying parts of the core code with the belief the unittests can
>> validate the changes in the core code. Also by doing the unittests
>> first we also help to validate the DN objects are working correctly
>> (although they do have an extensive unittest).
>>
>> The fundamental changes are:
>>
>> * replace string substitution & concatenation with DN object
>> constructor
>>
>> * when comparing dn's the comparison is done after promotion
>> to a DN object, then two DN objects are compared
>>
>> * when a list of string dn's are to be compared a new list is
>> formed where each string dn is replaced by a DN object
>>
>> * because the unittest framework accepts a complex data structure of
>> expected values where dn's are represented as strings the unittest
>> needs to express the expected value of a dn as a callable object
>> (e.g. a lambda expression) which promotes the dn string to a DN
>> object in order to do the comparison.
> *Huge* work, very appreciated! It is much cleaner to see now what we are
> actually expecting in a structured way.
>
> ACK.
>
> Unrelated comment:
> There are a few places where we have CN vs cn like
> - assert str(subject) == 'CN=ipa.example.com,O=IPA'
> + assert DN(str(subject)) == DN(('CN','ipa.example.com'),('O','IPA'))
>
> Does it make sense to normalize to lowercase for those attributes that are
> case-insensitive like cn, sn, uid, etc? It makes no functional
> difference but looks a bit out of style to have a mix and also may trick
> into wrongly using those attributes which are case-sensitive due to
> schema definition.

pushed to master and ipa-2-1

From rcritten at redhat.com Wed Aug 17 20:12:35 2011
From: rcritten at redhat.com (Rob Crittenden)
Date: Wed, 17 Aug 2011 16:12:35 -0400
Subject: [Freeipa-devel] [PATCH] 113 Add missing attribute labels for sudorule
In-Reply-To: <1313568982.21773.3.camel@dhcp-25-52.brq.redhat.com>
References: <1313568982.21773.3.camel@dhcp-25-52.brq.redhat.com>
Message-ID: <4E4C20B3.30008@redhat.com>

Martin Kosek wrote:
> I had doubts how to name ipasudorunasgroup_group attribute, this is the
> result. Btw what is the difference between attributes
> ipasudorunasgroup_group and ipasudorunas_group?
>

ACK

This confused me as well so I double-checked with JR. ipasudorunasgroup sets the gid to when executing the command. ipasudorunas group sets a group of allowed users to run a command as.

JR's example was:

sudo -u rcrit /bin/less

If rcrit is in either the ipasudorunas user or group then you can run the command as me.

I opened ticket 1657 to improve the documentation. I think connecting it to the sudo options and/or providing examples like this will help.

pushed to master and ipa-2-1

rob

From rcritten at redhat.com Wed Aug 17 21:11:20 2011
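The point John makes in the DN thread above (string formatting is not a safe way to form or compare a DN) and Alexander's CN-versus-cn question can both be seen in a few lines. The following is an added illustration by the editor, not ipalib's DN class or any code from the thread: a deliberately minimal DN type (backslash escapes only, no hex escapes, no multi-valued RDNs, caseIgnore matching for types and values, which holds for cn, o and dc but not for every attribute) together with the string-formatting pattern the patch series is retiring. The base DN and the group name are constructed sample values.

```python
# Added example (editor's illustration, not ipalib's own DN class): why a DN
# must be built and compared as a structured object rather than a string.
# Assumptions: backslash escapes only, no multi-valued RDNs, caseIgnore
# matching for attribute types and values.

# RFC 4514 section 2.4: characters that must be escaped inside a value.
_SPECIAL = set(',+"\\<>;=')


def escape_value(value):
    """Escape one attribute value so it can be embedded in a DN string."""
    out = []
    last = len(value) - 1
    for i, ch in enumerate(value):
        if ch in _SPECIAL or (i == 0 and ch in ' #') or (i == last and ch == ' '):
            out.append('\\' + ch)
        else:
            out.append(ch)
    return ''.join(out)


def parse_dn(text):
    """Parse a DN string into a tuple of (type, value) pairs, honouring
    backslash escapes so an escaped ',' or '=' stays inside its value."""
    avas, attr, buf, i = [], None, [], 0
    while i < len(text):
        ch = text[i]
        if ch == '\\':
            if i + 1 >= len(text):
                raise ValueError('dangling escape in %r' % text)
            buf.append(text[i + 1])      # escaped character taken literally
            i += 2
            continue
        if ch == '=' and attr is None:
            attr = ''.join(buf).strip()  # end of the attribute type
            buf = []
        elif ch == ',':
            if attr is None:
                raise ValueError('RDN without "=" in %r' % text)
            avas.append((attr, ''.join(buf)))
            attr, buf = None, []
        else:
            buf.append(ch)
        i += 1
    if attr is None:
        raise ValueError('RDN without "=" in %r' % text)
    avas.append((attr, ''.join(buf)))
    return tuple(avas)


class DN(object):
    """A DN as a sequence of (type, value) AVAs, compared by structure."""

    def __init__(self, *parts):
        avas = []
        for part in parts:
            if isinstance(part, str):
                avas.extend(parse_dn(part))      # string -> parsed AVAs
            elif isinstance(part, DN):
                avas.extend(part.avas)
            else:
                avas.append((part[0], part[1]))  # ('cn', 'value') tuple
        self.avas = tuple(avas)

    def __len__(self):
        return len(self.avas)

    def __str__(self):
        return ','.join('%s=%s' % (a, escape_value(v)) for a, v in self.avas)

    def _key(self):
        # caseIgnore matching for both type and value (assumption, see above)
        return tuple((a.lower(), v.lower()) for a, v in self.avas)

    def __eq__(self, other):
        return isinstance(other, DN) and self._key() == other._key()

    def __ne__(self, other):
        return not self == other

    def __hash__(self):
        return hash(self._key())


BASE = 'cn=groups,cn=accounts,dc=example,dc=com'   # constructed base DN


def unsafe_group_dn(name, base=BASE):
    """The pattern the thread is retiring: a DN built by string formatting.
    A name containing ',' or '=' silently adds RDNs to the result."""
    return 'cn=%s,%s' % (name, base)


def safe_group_dn(name, base=BASE):
    """The replacement: the name is an AVA value, so it can never add RDNs."""
    return DN(('cn', name), base)


if __name__ == '__main__':
    name = 'x,cn=admins'          # constructed: a name with DN metacharacters
    print(unsafe_group_dn(name), len(DN(unsafe_group_dn(name))))  # 6 RDNs
    print(safe_group_dn(name), len(safe_group_dn(name)))          # 5 RDNs
    print(DN('CN=ipa.example.com,O=IPA') == DN(('CN', 'ipa.example.com'), ('O', 'IPA')))
```

With the string version a name such as `x,cn=admins` yields a DN with six RDNs, i.e. an entry under `cn=admins`; the structured version keeps the whole name as one value and round-trips through its escaped string form. The two spellings of `CN=ipa.example.com,O=IPA` in Alexander's comment differ as strings but compare equal as DN objects, which is why normalising case in the tests is cosmetic.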
From: rcritten at redhat.com (Rob Crittenden)
Date: Wed, 17 Aug 2011 17:11:20 -0400
Subject: [Freeipa-devel] [PATCH] 0009 (1) Propagate environment when it is required
In-Reply-To: <4E4BB978.8010904@redhat.com>
References: <4E4BB978.8010904@redhat.com>
Message-ID: <4E4C2E78.8040908@redhat.com>

Alexander Bokovoy wrote:
> Hi,
>
> Patch for #1549 and #1550 (and all others where command line option name
> is different from attribute name).
>
> As discussed before, this is least evil implementation. Other approaches
> force substantially noticeable performance degradation or API changes
> that prevent from re-using memoized API.txt.
>
> See following threads on freeipa-devel@ for references:
> https://www.redhat.com/archives/freeipa-devel/2011-August/msg00000.html
> https://www.redhat.com/archives/freeipa-devel/2011-August/msg00011.html
>

ACK, pushed to master. I removed one trailing whitespace before pushing.

rob

From jdennis at redhat.com Wed Aug 17 22:20:08 2011
From: jdennis at redhat.com (John Dennis)
Date: Wed, 17 Aug 2011 18:20:08 -0400
Subject: [Freeipa-devel] Lost translations on Transifex
In-Reply-To: <4E4444DD.40507@redhat.com>
References: <4E42EF52.6030102@redhat.com> <4E42F7BC.1010302@redhat.com> <4E431E17.6060406@redhat.com> <4E4444DD.40507@redhat.com>
Message-ID: <4E4C3E98.3060907@redhat.com>

This issue has been opened as Trac ticket 1650 (https://fedorahosted.org/freeipa/ticket/1650). The attached discussion has been added to that ticket. I'm copying it here to reach a wider audience and changing the mailing list to freeipa-devel because public discussion is preferred (prior discussions had erroneously occurred on an internal mailing list).

--
John Dennis
-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: fuzzy_notes.txt
URL:

From jdennis at redhat.com Wed Aug 17 22:35:22 2011
From: jdennis at redhat.com (John Dennis)
Date: Wed, 17 Aug 2011 18:35:22 -0400
Subject: [Freeipa-devel] [PATCH 39/39] ticket 1650 - compute accurate translation statistics
Message-ID: <201108172235.p7HMZM4U029171@int-mx10.intmail.prod.int.phx2.redhat.com>

ticket 1650 (https://fedorahosted.org/freeipa/ticket/1650) has an extensive discussion of the issues, please refer to that.

This patch does the following:

* does not count fuzzy translations when computing translation statistics via the "msg-stats" make target in install/po

* adds a new make target called "pull-po" which pulls updated po files from Transifex (configure.ac includes some trailing whitespace fixes)

* turns off the generation of fuzzy translation suggestions during the message merge phase.

--
John Dennis
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0039-ticket-1650-compute-accurate-translation-statistics.patch
Type: text/x-patch
Size: 4831 bytes
Desc: not available
URL:

From jdennis at redhat.com Wed Aug 17 22:54:37 2011
From: jdennis at redhat.com (John Dennis)
Date: Wed, 17 Aug 2011 18:54:37 -0400
Subject: [Freeipa-devel] [PATCH 40/40] ticket 1659 - invalid i18n string in dns.py
Message-ID: <201108172254.p7HMsbU6000852@int-mx10.intmail.prod.int.phx2.redhat.com>

dns.py at line 976 has an invalid i18n string and cannot be processed during message extraction causing message catalog generation to fail.

The format parameters are trapped inside the i18n string. Also it's not necessary to promote the i18n string literal to unicode via the u prefix because the _() function returns unicode.

--
John Dennis
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0040-ticket-1659-invalid-i18n-string-in-dns.py.patch
Type: text/x-patch
Size: 1755 bytes
Desc: not available
URL:

From jdennis at redhat.com Wed Aug 17 23:40:14 2011
From: jdennis at redhat.com (John Dennis)
Date: Wed, 17 Aug 2011 19:40:14 -0400
Subject: [Freeipa-devel] [PATCH 41/41] ticket 1660 - update LINGUAS file, add missing po files
Message-ID: <201108172340.p7HNeEd3011844@int-mx12.intmail.prod.int.phx2.redhat.com>

Our LINGUAS file and the set of po files have diverged from what's on Transifex. We should update the LINGUAS file to match the set of translations on Transifex and add po files currently on Transifex but not in our git repo to our git repo.

--
John Dennis
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0041-ticket-1660-update-LINGUAS-file-add-missing-po-files.patch
Type: text/x-patch
Size: 1261479 bytes
Desc: not available
URL:

From jdennis at redhat.com Thu Aug 18 00:56:15 2011
From: jdennis at redhat.com (John Dennis)
Date: Wed, 17 Aug 2011 20:56:15 -0400
Subject: [Freeipa-devel] [PATCH 42/42] ticket 1661 - Update all po files
Message-ID: <201108180056.p7I0uFEs001687@int-mx12.intmail.prod.int.phx2.redhat.com>

After updating po's current translation status is:

ipa.pot has 1329 messages. There are 21 po translation files.
as: 0/1329 0.0% 1329 untranslated, 0 fuzzy
bn_IN: 13/1329 1.0% 1316 untranslated, 0 fuzzy
zh_CN: 133/1329 10.0% 1196 untranslated, 0 fuzzy
zh_TW: 0/1329 0.0% 1329 untranslated, 0 fuzzy
nl: 1/1329 0.1% 1328 untranslated, 0 fuzzy
fr: 0/1329 0.0% 1329 untranslated, 0 fuzzy
de: 27/1329 2.0% 1302 untranslated, 0 fuzzy
el: 0/1329 0.0% 1329 untranslated, 0 fuzzy
gu: 0/1329 0.0% 1329 untranslated, 0 fuzzy
id: 89/1329 6.7% 1240 untranslated, 0 fuzzy
ja_JP: 0/1329 0.0% 1329 untranslated, 0 fuzzy
ja: 0/1329 0.0% 1329 untranslated, 0 fuzzy
kn: 243/1329 18.3% 1086 untranslated, 0 fuzzy
fa: 0/1329 0.0% 1329 untranslated, 0 fuzzy
pl: 492/1329 37.0% 837 untranslated, 0 fuzzy
pt_BR: 0/1329 0.0% 1329 untranslated, 0 fuzzy
pt: 0/1329 0.0% 1329 untranslated, 0 fuzzy
ru: 162/1329 12.2% 1167 untranslated, 0 fuzzy
es: 1329/1329 100.0% 0 untranslated, 0 fuzzy
sv: 0/1329 0.0% 1329 untranslated, 0 fuzzy
uk: 1329/1329 100.0% 0 untranslated, 0 fuzzy

--
John Dennis
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0042-ticket-1661-Update-all-po-files.patch
Type: text/x-patch
Size: 759847 bytes
Desc: not available
URL:

From abokovoy at redhat.com Thu Aug 18 07:43:16 2011
From: abokovoy at redhat.com (Alexander Bokovoy)
Date: Thu, 18 Aug 2011 10:43:16 +0300
Subject: [Freeipa-devel] [PATCH 40/40] ticket 1659 - invalid i18n string in dns.py
In-Reply-To: <201108172254.p7HMsbU6000852@int-mx10.intmail.prod.int.phx2.redhat.com>
References: <201108172254.p7HMsbU6000852@int-mx10.intmail.prod.int.phx2.redhat.com>
Message-ID: <4E4CC294.3060307@redhat.com>

On 18.08.2011 01:54, John Dennis wrote:
> dns.py at line 976 has an invalid i18n string and cannot be processed
> during message extraction causing message catalog generation to fail.
>
> The format parameters are trapped inside the i18n string. Also it's
> not necessary to promote the i18n string literal to unicode via the u
> prefix because the _() function returns unicode.
ACK

--
/ Alexander Bokovoy

From abokovoy at redhat.com Thu Aug 18 07:45:56 2011
From: abokovoy at redhat.com (Alexander Bokovoy)
Date: Thu, 18 Aug 2011 10:45:56 +0300
Subject: [Freeipa-devel] [PATCH 41/41] ticket 1660 - update LINGUAS file, add missing po files
In-Reply-To: <201108172340.p7HNeEd3011844@int-mx12.intmail.prod.int.phx2.redhat.com>
References: <201108172340.p7HNeEd3011844@int-mx12.intmail.prod.int.phx2.redhat.com>
Message-ID: <4E4CC334.1060608@redhat.com>

On 18.08.2011 02:40, John Dennis wrote:
> Our LINGUAS file and the set of po files have diverged from what's on
> Transifex. We should update the LINGUAS file to match the set of
> translations on Transifex and add po files currently on Transifex but
> not in our git repo to our git repo.
ACK as quality of translation is subject of another topic and should really be raised with translators at Transifex.

--
/ Alexander Bokovoy

From abokovoy at redhat.com Thu Aug 18 07:47:01 2011
From: abokovoy at redhat.com (Alexander Bokovoy)
Date: Thu, 18 Aug 2011 10:47:01 +0300
Subject: [Freeipa-devel] [PATCH 42/42] ticket 1661 - Update all po files
In-Reply-To: <201108180056.p7I0uFEs001687@int-mx12.intmail.prod.int.phx2.redhat.com>
References: <201108180056.p7I0uFEs001687@int-mx12.intmail.prod.int.phx2.redhat.com>
Message-ID: <4E4CC375.2030605@redhat.com>

On 18.08.2011 03:56, John Dennis wrote:
> After updating po's current translation status is:
>
> ipa.pot has 1329 messages. There are 21 po translation files.
> as: 0/1329 0.0% 1329 untranslated, 0 fuzzy
> bn_IN: 13/1329 1.0% 1316 untranslated, 0 fuzzy
> zh_CN: 133/1329 10.0% 1196 untranslated, 0 fuzzy
> zh_TW: 0/1329 0.0% 1329 untranslated, 0 fuzzy
> nl: 1/1329 0.1% 1328 untranslated, 0 fuzzy
> fr: 0/1329 0.0% 1329 untranslated, 0 fuzzy
> de: 27/1329 2.0% 1302 untranslated, 0 fuzzy
> el: 0/1329 0.0% 1329 untranslated, 0 fuzzy
> gu: 0/1329 0.0% 1329 untranslated, 0 fuzzy
> id: 89/1329 6.7% 1240 untranslated, 0 fuzzy
> ja_JP: 0/1329 0.0% 1329 untranslated, 0 fuzzy
> ja: 0/1329 0.0% 1329 untranslated, 0 fuzzy
> kn: 243/1329 18.3% 1086 untranslated, 0 fuzzy
> fa: 0/1329 0.0% 1329 untranslated, 0 fuzzy
> pl: 492/1329 37.0% 837 untranslated, 0 fuzzy
> pt_BR: 0/1329 0.0% 1329 untranslated, 0 fuzzy
> pt: 0/1329 0.0% 1329 untranslated, 0 fuzzy
> ru: 162/1329 12.2% 1167 untranslated, 0 fuzzy
> es: 1329/1329 100.0% 0 untranslated, 0 fuzzy
> sv: 0/1329 0.0% 1329 untranslated, 0 fuzzy
> uk: 1329/1329 100.0% 0 untranslated, 0 fuzzy
ACK

--
/ Alexander Bokovoy

From pvoborni at redhat.com Thu Aug 18 08:28:23 2011
From: pvoborni at redhat.com (Petr Vobornik)
Date: Thu, 18 Aug 2011 10:28:23 +0200
Subject: [Freeipa-devel] [PATCH] 005 Show error in serial association
In-Reply-To: <4E4BE090.4050308@redhat.com>
References: <4E4BE090.4050308@redhat.com>
Message-ID: <4E4CCD27.1000503@redhat.com>

On 08/17/2011 05:38 PM, Petr Vobornik wrote:
> Ticket #1628 - https://fedorahosted.org/freeipa/ticket/1628
> Unreported insufficient access error
>
> This patch is dependent on
> freeipa-pvoborni-0004-1-error-dialog-for-batch-command.patch.
>
> This may be only a check of whether the approach of this patch is good.
>
> I was not sure if this type of error message (result.failed property) is
> more general or it only appears in adding members. So I put error
> handling in serial_associator instead of command. If it were put in
> command and success were transformed to error, it would change the
> behaviour of executing commands - other commands after the error wouldn't be
> executed. If the approach is good, it could probably be better to change
> it a little and offer the same logic for batch_associator.
>
> It should be working for adding users to groups, netgroups, roles and
> assigning hbac rules (tested as non-admin user).
>
>
> Modified association test - data in success handler should not be
> undefined.
>
>
>
> _______________________________________________
> Freeipa-devel mailing list
> Freeipa-devel at redhat.com
> https://www.redhat.com/mailman/listinfo/freeipa-devel

Modified to work with bulk association.

--
Petr Vobornik
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-pvoborni-0005-Show-error-in-adding-associations.patch
Type: text/x-patch
Size: 8031 bytes
Desc: not available
URL:

From mkosek at redhat.com Thu Aug 18 11:21:54 2011
From: mkosek at redhat.com (Martin Kosek)
Date: Thu, 18 Aug 2011 13:21:54 +0200
Subject: [Freeipa-devel] [PATCH 40/40] ticket 1659 - invalid i18n string in dns.py
In-Reply-To: <4E4CC294.3060307@redhat.com>
References: <201108172254.p7HMsbU6000852@int-mx10.intmail.prod.int.phx2.redhat.com> <4E4CC294.3060307@redhat.com>
Message-ID: <1313666517.20293.9.camel@dhcp-25-52.brq.redhat.com>

On Thu, 2011-08-18 at 10:43 +0300, Alexander Bokovoy wrote:
> On 18.08.2011 01:54, John Dennis wrote:
> > dns.py at line 976 has an invalid i18n string and cannot be processed
> > during message extraction causing message catalog generation to fail.
> >
> > The format parameters are trapped inside the i18n string. Also it's
> > not necessary to promote the i18n string literal to unicode via the u
> > prefix because the _() function returns unicode.
> ACK
>
>

Pushed to master, ipa-2-1.

Martin

From mkosek at redhat.com Thu Aug 18 11:22:03 2011
From: mkosek at redhat.com (Martin Kosek)
Date: Thu, 18 Aug 2011 13:22:03 +0200
Subject: [Freeipa-devel] [PATCH 41/41] ticket 1660 - update LINGUAS file, add missing po files
In-Reply-To: <4E4CC334.1060608@redhat.com>
References: <201108172340.p7HNeEd3011844@int-mx12.intmail.prod.int.phx2.redhat.com> <4E4CC334.1060608@redhat.com>
Message-ID: <1313666526.20293.10.camel@dhcp-25-52.brq.redhat.com>

On Thu, 2011-08-18 at 10:45 +0300, Alexander Bokovoy wrote:
> On 18.08.2011 02:40, John Dennis wrote:
> > Our LINGUAS file and the set of po files have diverged from what's on
> > Transifex. We should update the LINGUAS file to match the set of
> > translations on Transifex and add po files currently on Transifex but
> > not in our git repo to our git repo.
> ACK as quality of translation is subject of another topic and should
> really be raised with translators at Transifex.
>
>

Pushed to master, ipa-2-1.

Martin

From mkosek at redhat.com Thu Aug 18 11:22:13 2011
From: mkosek at redhat.com (Martin Kosek)
Date: Thu, 18 Aug 2011 13:22:13 +0200
Subject: [Freeipa-devel] [PATCH 42/42] ticket 1661 - Update all po files
In-Reply-To: <4E4CC375.2030605@redhat.com>
References: <201108180056.p7I0uFEs001687@int-mx12.intmail.prod.int.phx2.redhat.com> <4E4CC375.2030605@redhat.com>
Message-ID: <1313666535.20293.11.camel@dhcp-25-52.brq.redhat.com>

On Thu, 2011-08-18 at 10:47 +0300, Alexander Bokovoy wrote:
> On 18.08.2011 03:56, John Dennis wrote:
> > After updating po's current translation status is:
> >
> > ipa.pot has 1329 messages. There are 21 po translation files.
> > as: 0/1329 0.0% 1329 untranslated, 0 fuzzy
> > bn_IN: 13/1329 1.0% 1316 untranslated, 0 fuzzy
> > zh_CN: 133/1329 10.0% 1196 untranslated, 0 fuzzy
> > zh_TW: 0/1329 0.0% 1329 untranslated, 0 fuzzy
> > nl: 1/1329 0.1% 1328 untranslated, 0 fuzzy
> > fr: 0/1329 0.0% 1329 untranslated, 0 fuzzy
> > de: 27/1329 2.0% 1302 untranslated, 0 fuzzy
> > el: 0/1329 0.0% 1329 untranslated, 0 fuzzy
> > gu: 0/1329 0.0% 1329 untranslated, 0 fuzzy
> > id: 89/1329 6.7% 1240 untranslated, 0 fuzzy
> > ja_JP: 0/1329 0.0% 1329 untranslated, 0 fuzzy
> > ja: 0/1329 0.0% 1329 untranslated, 0 fuzzy
> > kn: 243/1329 18.3% 1086 untranslated, 0 fuzzy
> > fa: 0/1329 0.0% 1329 untranslated, 0 fuzzy
> > pl: 492/1329 37.0% 837 untranslated, 0 fuzzy
> > pt_BR: 0/1329 0.0% 1329 untranslated, 0 fuzzy
> > pt: 0/1329 0.0% 1329 untranslated, 0 fuzzy
> > ru: 162/1329 12.2% 1167 untranslated, 0 fuzzy
> > es: 1329/1329 100.0% 0 untranslated, 0 fuzzy
> > sv: 0/1329 0.0% 1329 untranslated, 0 fuzzy
> > uk: 1329/1329 100.0% 0 untranslated, 0 fuzzy
> ACK
>

Pushed to master, ipa-2-1.

Martin

From abokovoy at redhat.com Thu Aug 18 12:00:36 2011
From: abokovoy at redhat.com (Alexander Bokovoy)
Date: Thu, 18 Aug 2011 15:00:36 +0300
Subject: [Freeipa-devel] [PATCH 39/39] ticket 1650 - compute accurate translation statistics
In-Reply-To: <201108172235.p7HMZM4U029171@int-mx10.intmail.prod.int.phx2.redhat.com>
References: <201108172235.p7HMZM4U029171@int-mx10.intmail.prod.int.phx2.redhat.com>
Message-ID: <4E4CFEE4.1070506@redhat.com>

On 18.08.2011 01:35, John Dennis wrote:
> ticket 1650 (https://fedorahosted.org/freeipa/ticket/1650) has
> an extensive discussion of the issues, please refer to that.
>
> This patch does the following:
>
> * does not count fuzzy translations when computing translation
> statistics via the "msg-stats" make target in install/po
>
> * adds a new make target called "pull-po" which pulls updated po files
> from Transifex (configure.ac includes some trailing whitespace fixes)
>
> * turns off the generation of fuzzy translation suggestions during the
> message merge phase.
ACK.

--
/ Alexander Bokovoy

From mkosek at redhat.com Thu Aug 18 12:28:46 2011
From: mkosek at redhat.com (Martin Kosek)
Date: Thu, 18 Aug 2011 14:28:46 +0200
Subject: [Freeipa-devel] [PATCH 39/39] ticket 1650 - compute accurate translation statistics
In-Reply-To: <4E4CFEE4.1070506@redhat.com>
References: <201108172235.p7HMZM4U029171@int-mx10.intmail.prod.int.phx2.redhat.com> <4E4CFEE4.1070506@redhat.com>
Message-ID: <1313670528.20293.13.camel@dhcp-25-52.brq.redhat.com>

On Thu, 2011-08-18 at 15:00 +0300, Alexander Bokovoy wrote:
> On 18.08.2011 01:35, John Dennis wrote:
> > ticket 1650 (https://fedorahosted.org/freeipa/ticket/1650) has
> > an extensive discussion of the issues, please refer to that.
> >
> > This patch does the following:
> >
> > * does not count fuzzy translations when computing translation
> > statistics via the "msg-stats" make target in install/po
> >
> > * adds a new make target called "pull-po" which pulls updated po files
> > from Transifex (configure.ac includes some trailing whitespace fixes)
> >
> > * turns off the generation of fuzzy translation suggestions during the
> > message merge phase.
> ACK.
>

Pushed to master, ipa-2-1.

Martin

From jcholast at redhat.com Thu Aug 18 13:13:15 2011
From: jcholast at redhat.com (Jan Cholasta)
Date: Thu, 18 Aug 2011 15:13:15 +0200
Subject: [Freeipa-devel] [PATCH] 40 Add option to ipa-server-install to disable the automatic redirect to the Web UI
In-Reply-To: <4E4BD288.60809@redhat.com>
References: <4E4AAB9D.60908@redhat.com> <4E4BD288.60809@redhat.com>
Message-ID: <4E4D0FEB.2010705@redhat.com>

On 17.8.2011 16:39, Rob Crittenden wrote:
> Jan Cholasta wrote:
>> https://fedorahosted.org/freeipa/ticket/1570
>>
>> The help message might need some tweaking.
>>
>> Honza
>
> NACK. Whatever solution we come up with needs to apply to replicas as
> well. Ideally it would be automatic. Since this is a bit of a corner
> case in general it might be acceptable to have an option on
> ipa-replica-install.
>
> rob

Added the option to ipa-replica-install.

Honza

--
Jan Cholasta
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-jcholast-40.1-no-redirect-option.patch
Type: text/x-patch
Size: 7451 bytes
Desc: not available
URL:

From pvoborni at redhat.com Thu Aug 18 13:18:07 2011
From: pvoborni at redhat.com (Petr Vobornik)
Date: Thu, 18 Aug 2011 15:18:07 +0200
Subject: [Freeipa-devel] [PATCH] 006 Uncheck checkboxes in association after deletion
Message-ID: <4E4D110F.6010306@redhat.com>

https://fedorahosted.org/freeipa/ticket/1639 - added unchecking all checkboxes of table_widget and its derivatives to on_load method.

The line '$('input[name=select]', that.tbody).attr('checked', false);' can be unnecessary because the load method is recreating all rows in the table. But I sense it could be useful later.

As I was implementing it, I noticed that after removing or adding a sudo option it refreshes the facet -> all other associations. Don't know if it's a feature or a bug. (sudo.js: 679, 683, 723, 727).

--
Petr Vobornik
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-pvoborni-0006-Uncheck-checkboxes-in-association-after-deletion.patch
Type: text/x-patch
Size: 2175 bytes
Desc: not available
URL:

From pvoborni at redhat.com Thu Aug 18 14:52:01 2011
From: pvoborni at redhat.com (Petr Vobornik) Date: Thu, 18 Aug 2011 16:52:01 +0200 Subject: [Freeipa-devel] [PATCH] 005 Show error in serial association In-Reply-To: <4E4CCD27.1000503@redhat.com> References: <4E4BE090.4050308@redhat.com> <4E4CCD27.1000503@redhat.com> Message-ID: <4E4D2711.3020307@redhat.com> On 08/18/2011 10:28 AM, Petr Vobornik wrote: > On 08/17/2011 05:38 PM, Petr Vobornik wrote: >> Ticket #1628 - https://fedorahosted.org/freeipa/ticket/1628 >> Unreported insufficient access error >> >> This patch is dependant on >> freeipa-pvoborni-0004-1-error-dialog-for-batch-command.patch. >> >> This may be only a checking if approach of this patch is good. >> >> I was not sure if this type of error message (result.failed property) is >> more general or it only appears in adding members. So I put error >> handling in serial_associator instead of command. If it would be put in >> command and success will be transformed to error, it will change the >> behaviour of executing commands - other commands after error won't be >> executed. If the approach is good, it could be probably better to change >> it a little and offer same logic for batch_associator. >> >> It should be working for adding users to groups, netgroups, roles and >> assigning hbac rules (tested as non admin user). >> >> >> Modified association test - data in success handler should not be >> undefined. >> >> >> >> _______________________________________________ >> Freeipa-devel mailing list >> Freeipa-devel at redhat.com >> https://www.redhat.com/mailman/listinfo/freeipa-devel > Modified to work with bulk association. > > > > _______________________________________________ > Freeipa-devel mailing list > Freeipa-devel at redhat.com > https://www.redhat.com/mailman/listinfo/freeipa-devel After implementation error notification in associations. I noticed one 'bug?' : After adding users to hbac rule, batch error notification is shown saying 'no modifications to be performed'. 
Reproduce:
- create hbacrule named 'aa'
- add several users - in example 'admin' and 'ttest'

Request:
{"method":"batch","params":[[{"method":"hbacrule_mod","params":[["aa"],{"all":true,"rights":true,"usercategory":""}]},{"method":"hbacrule_add_user","params":[["aa"],{"user":"admin,ttest"}]}],{}]}

Response:
============================================================
{
    "error": null,
    "id": null,
    "result": {
        "count": 2,
        "results": [
            {
                "error": "no modifications to be performed"
            },
            {
                "completed": 2,
                "error": null,
                "failed": {
                    "memberuser": {
                        "group": [],
                        "user": []
                    }
                },
                "result": {
                    "cn": [
                        "aa"
                    ],
                    "dn": "ipauniqueid=cfb492f2-c8dc-11e0-9504-00163e06af05,cn=hbac,dc=vm-021,dc=idm,dc=lab,dc=bos,dc=redhat,dc=com",
                    "ipaenabledflag": [
                        "TRUE"
                    ],
                    "memberuser_group": [
                        "admins"
                    ],
                    "memberuser_user": [
                        "admin",
                        "ttest"
                    ]
                }
            }
        ]
    }
}
============================================================

I think the problem is that the first command should be included only if something changed. It isn't a bug in this patch, but with it it is a new annoyance (you have to click OK).

-- 
Petr Vobornik

From edewata at redhat.com Thu Aug 18 14:53:27 2011
From: edewata at redhat.com (Endi Sukma Dewata)
Date: Thu, 18 Aug 2011 09:53:27 -0500
Subject: [Freeipa-devel] [PATCH] 249 Removed 'Hide already enrolled' checkbox.
Message-ID: <4E4D2767.8000102@redhat.com>

The 'Hide already enrolled' has been removed from the enrollment dialog because it is checked by default and entries that are already enrolled cannot be enrolled again.

Ticket #1638

-- 
Endi S. Dewata

-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-edewata-0249-Removed-Hide-already-enrolled-checkbox.patch
Type: text/x-patch
Size: 3751 bytes
Desc: not available
URL: 

From simo at redhat.com Thu Aug 18 15:03:30 2011
From: simo at redhat.com (Simo Sorce)
Date: Thu, 18 Aug 2011 11:03:30 -0400
Subject: [Freeipa-devel] [PATCH] 242 Removed custom layout for password reset.
In-Reply-To: <4E4ADD86.9040105@redhat.com>
References: <4E4414E9.5000108@redhat.com> <4E493EE8.7050602@redhat.com> <4E4ADD86.9040105@redhat.com>
Message-ID: <1313679810.11512.222.camel@willson.li.ssimo.org>

On Tue, 2011-08-16 at 16:13 -0500, Endi Sukma Dewata wrote:
> On 8/15/2011 10:44 AM, Petr Vobornik wrote:
> > On 08/11/2011 07:44 PM, Endi Sukma Dewata wrote:
> >> The dialog box for resetting user password has been modified to use the standard layout.
> >
> > patch from code and working perspective is OK.
> >
> > Has this patch assigned some ticket? Don't know exactly what is IPA's policy for submitting patches without tickets in Trac (for future tracking).
>
> I attached the patch into this ticket:
> https://fedorahosted.org/freeipa/ticket/1641
> We'll push it when we start working on 3.0 stuff.

Have you pushed this one ?
The master branch now is 3.0 material :)

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York

From rcritten at redhat.com Thu Aug 18 15:47:30 2011
From: rcritten at redhat.com (Rob Crittenden)
Date: Thu, 18 Aug 2011 11:47:30 -0400
Subject: [Freeipa-devel] [PATCH] 41 Verify that the external CA certificate files are correct
In-Reply-To: <4E4B9C0E.9070204@redhat.com>
References: <4E4B7B57.2010208@redhat.com> <4E4B9C0E.9070204@redhat.com>
Message-ID: <4E4D3412.4040701@redhat.com>

Jan Cholasta wrote:
> On 17.8.2011 10:27, Jan Cholasta wrote:
>> Verify that --external_cert_file and --external_ca_file are both readable, valid PEM files and that their subject/issuer is correct.
>>
>> Also fixes ipalib.x509.load_certificate_from_file.
>>
>> https://fedorahosted.org/freeipa/ticket/1572
>>
>> Honza
>>
>
> Patch attached.

nack, but this is very close.

If the CA is a chain the signing check may fail if the first cert isn't the one that signed the CSR. You need to check all CA certs in the file.

rob

From rcritten at redhat.com Thu Aug 18 15:57:40 2011
From: rcritten at redhat.com (Rob Crittenden)
Date: Thu, 18 Aug 2011 11:57:40 -0400
Subject: [Freeipa-devel] [PATCH] 846 update ipactl man page
Message-ID: <4E4D3674.80803@redhat.com>

Add a blurb about setting api.env.host for use in ipactl to control how it queries for services.

rob

-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-rcrit-846-ipactl.patch
Type: application/mbox
Size: 1305 bytes
Desc: not available
URL: 

From edewata at redhat.com Thu Aug 18 16:25:58 2011
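The chain check Rob asks for in the patch 41 review, as an added Python example that is not FreeIPA's own code: it tries every CA certificate in the PEM file and verifies the signature, so a CA file written root-first still finds the intermediate that signed the certificate. It uses the `cryptography` package, assumes RSA-signed certificates, and builds a constructed root/intermediate/leaf chain with made-up names.

```python
import datetime
import re

from cryptography import x509
from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import padding, rsa
from cryptography.x509.oid import NameOID

PEM_CERT = re.compile(
    rb"-----BEGIN CERTIFICATE-----.*?-----END CERTIFICATE-----", re.DOTALL)


def load_pem_chain(pem_bytes):
    """Return every certificate found in a PEM file, in file order."""
    return [x509.load_pem_x509_certificate(m.group(0))
            for m in PEM_CERT.finditer(pem_bytes)]


def find_signer(cert, ca_chain):
    """Return the certificate in ca_chain that signed cert, or None.

    Issuer/subject name equality is only a pre-filter; the signature over
    cert's TBS bytes is what proves issuance.  Every CA in the file is
    tried, so it does not matter whether the root or the intermediate
    comes first.  RSA keys only (assumption of this example).
    """
    for ca in ca_chain:
        if ca.subject != cert.issuer:
            continue
        public_key = ca.public_key()
        if not isinstance(public_key, rsa.RSAPublicKey):
            continue
        try:
            public_key.verify(cert.signature, cert.tbs_certificate_bytes,
                              padding.PKCS1v15(), cert.signature_hash_algorithm)
            return ca
        except InvalidSignature:
            continue  # same name, but not the key that signed this cert
    return None


def _make_cert(common_name, key, issuer_cert, issuer_key, is_ca):
    """Build a constructed test certificate (self-signed when issuer is None)."""
    subject = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, common_name)])
    issuer = issuer_cert.subject if issuer_cert is not None else subject
    now = datetime.datetime.now(datetime.timezone.utc)
    builder = (x509.CertificateBuilder()
               .subject_name(subject)
               .issuer_name(issuer)
               .public_key(key.public_key())
               .serial_number(x509.random_serial_number())
               .not_valid_before(now - datetime.timedelta(days=1))
               .not_valid_after(now + datetime.timedelta(days=365))
               .add_extension(x509.BasicConstraints(ca=is_ca, path_length=None),
                              critical=True))
    signing_key = issuer_key if issuer_key is not None else key
    return builder.sign(signing_key, hashes.SHA256())


def _pem(cert):
    return cert.public_bytes(serialization.Encoding.PEM)


def build_sample_chain():
    """Constructed root -> intermediate -> leaf chain.

    Returns (leaf_pem, ca_pem); the CA file is written root first, which is
    the ordering that breaks a check that only looks at the first CA.
    """
    root_key, inter_key, leaf_key = (rsa.generate_private_key(65537, 2048)
                                     for _ in range(3))
    root = _make_cert("Constructed Root CA", root_key, None, None, True)
    inter = _make_cert("Constructed Intermediate CA", inter_key, root, root_key, True)
    leaf = _make_cert("ipa.example.test", leaf_key, inter, inter_key, False)
    return _pem(leaf), _pem(root) + _pem(inter)


if __name__ == "__main__":
    leaf_pem, ca_pem = build_sample_chain()
    leaf = load_pem_chain(leaf_pem)[0]
    chain = load_pem_chain(ca_pem)
    signer = find_signer(leaf, chain)
    print("first CA in file:", chain[0].subject.rfc4514_string())
    print("actual signer:   ", signer.subject.rfc4514_string())
```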
From: edewata at redhat.com (Endi Sukma Dewata)
Date: Thu, 18 Aug 2011 11:25:58 -0500
Subject: [Freeipa-devel] [PATCH] 005 Show error in serial association
In-Reply-To: <4E4BE090.4050308@redhat.com>
References: <4E4BE090.4050308@redhat.com>
Message-ID: <4E4D3D16.8030406@redhat.com>

On 8/17/2011 10:38 AM, Petr Vobornik wrote:
> Ticket #1628 - https://fedorahosted.org/freeipa/ticket/1628
> Unreported insufficient access error
>
> This patch is dependent on freeipa-pvoborni-0004-1-error-dialog-for-batch-command.patch.
>
> This may be only a checking if approach of this patch is good.
>
> I was not sure if this type of error message (result.failed property) is more general or it only appears in adding members. So I put error handling in serial_associator instead of command. If it would be put in command and success will be transformed to error, it will change the behaviour of executing commands - other commands after error won't be executed. If the approach is good, it could be probably better to change it a little and offer same logic for batch_associator.
>
> It should be working for adding users to groups, netgroups, roles and assigning hbac rules (tested as non admin user).
>
> Modified association test - data in success handler should not be undefined.

Currently with serial associator if there's a failure the rest of the commands will not be executed, so it's an existing problem. You can test this by adding a user into multiple groups via UI but remove one of the groups via CLI just before adding. The user will not be added into the remaining groups. Bulk associator doesn't have this problem because it's executed as a single command.

I think eventually we want to convert the serial associator to use batch commands (no need to do it now, but you can if you want). Once it's converted, all error checking (including result.failed) should be done in IPA.command so it can be captured by the batch handler.
I'm not sure about other scenarios that will return result.failed, but I wouldn't assume it's limited to associations. So I think it should be handled in a more generic way in IPA.command.

One other thing, I think we should avoid using plural class name (i.e. IPA.errors) because suppose we have a collection of instances of this class the variable name could become confusing (e.g. that.errorss :) ). IPA.error_list might be better.

-- 
Endi S. Dewata

From edewata at redhat.com Thu Aug 18 20:30:34 2011
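The batch response Petr quotes earlier in this thread, and Endi's point that result.failed should be checked generically rather than per associator, as an added Python example that is not FreeIPA's Web UI code: it pairs every sub-result with its sub-command and reports both a non-null error and a non-empty failed list, which arrives with error == null. The request/response samples are constructed from the quoted exchange, and the [member, reason] shape of failed entries is an assumption.

```python
import json

# Constructed sample: the batch exchange quoted in the thread, trimmed to the
# fields the error handling cares about.
SAMPLE_REQUEST = {
    "method": "batch",
    "params": [[
        {"method": "hbacrule_mod",
         "params": [["aa"], {"all": True, "rights": True, "usercategory": ""}]},
        {"method": "hbacrule_add_user",
         "params": [["aa"], {"user": "admin,ttest"}]},
    ], {}],
}

SAMPLE_RESPONSE = """{
  "error": null, "id": null,
  "result": {"count": 2, "results": [
    {"error": "no modifications to be performed"},
    {"completed": 2, "error": null,
     "failed": {"memberuser": {"group": [], "user": []}},
     "result": {"cn": ["aa"], "memberuser_user": ["admin", "ttest"]}}
  ]}
}"""

# Constructed: a partial failure of the result.failed kind (a non-admin user
# lacking rights on one member).  The [member, reason] pair shape is assumed.
PARTIAL_FAILURE_REQUEST = {
    "method": "batch",
    "params": [[{"method": "hbacrule_add_user",
                 "params": [["aa"], {"user": "admin,ttest"}]}], {}],
}
PARTIAL_FAILURE_RESPONSE = """{
  "error": null, "id": null,
  "result": {"count": 1, "results": [
    {"completed": 1, "error": null,
     "failed": {"memberuser": {"group": [],
                               "user": [["ttest", "Insufficient access"]]}},
     "result": {"cn": ["aa"], "memberuser_user": ["admin"]}}
  ]}
}"""

NO_MODIFICATIONS = "no modifications to be performed"


def failed_members(failed):
    """Flatten a result.failed dict into (attr, member_type, name, reason)."""
    out = []
    for attr, by_type in (failed or {}).items():
        for member_type, entries in by_type.items():
            for entry in entries:
                # tolerate a bare name as well as a [name, reason] pair
                if isinstance(entry, (list, tuple)):
                    name = entry[0]
                    reason = entry[1] if len(entry) > 1 else ""
                else:
                    name, reason = entry, ""
                out.append((attr, member_type, name, reason))
    return out


def collect_batch_errors(request, response_text, ignore_no_modifications=False):
    """Pair each sub-result with its sub-command and return the failures.

    A sub-result counts as failed when its 'error' is set or when 'failed'
    lists any member: the latter arrives with error == null, so a handler
    that only looks at 'error' reports success for a partially failed add.
    """
    response = json.loads(response_text)
    if response.get("error") is not None:
        # the batch itself was rejected; there are no per-command results
        return [{"index": None, "method": "batch",
                 "error": response["error"], "failed": []}]
    commands = request["params"][0]
    errors = []
    for index, res in enumerate(response["result"]["results"]):
        method = commands[index]["method"] if index < len(commands) else "?"
        error = res.get("error")
        if ignore_no_modifications and error == NO_MODIFICATIONS:
            error = None  # benign: the entry was already in the requested state
        failed = failed_members(res.get("failed"))
        if error is not None or failed:
            errors.append({"index": index, "method": method,
                           "error": error, "failed": failed})
    return errors


if __name__ == "__main__":
    for err in collect_batch_errors(SAMPLE_REQUEST, SAMPLE_RESPONSE):
        print(err)
    for err in collect_batch_errors(PARTIAL_FAILURE_REQUEST,
                                    PARTIAL_FAILURE_RESPONSE):
        print(err)
```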
From: edewata at redhat.com (Endi Sukma Dewata)
Date: Thu, 18 Aug 2011 15:30:34 -0500
Subject: [Freeipa-devel] [PATCH] 006 Uncheck checkboxes in association after deletion
In-Reply-To: <4E4D110F.6010306@redhat.com>
References: <4E4D110F.6010306@redhat.com>
Message-ID: <4E4D766A.1020109@redhat.com>

On 8/18/2011 8:18 AM, Petr Vobornik wrote:
> https://fedorahosted.org/freeipa/ticket/1639
>
> - added unchecking all checkboxes of table_widget and its derivatives to on_load method.
>
> line '$('input[name=select]', that.tbody).attr('checked', false);' can be unnecessary because load method is recreating all rows in table. But I sense, it could be useful later.
>
> As I was implementing it, I noticed that after removing or adding sudo option it refreshes facet -> all other associations. Don't know if it's a feature or a bug. (sudo.js: 679, 683, 723, 727).

Some issues:

1. In IPA.table_widget when the select all checkbox is changed the tooltip will change too (see line 1265). When the checkbox is changed using unselect_all() it doesn't trigger the 'changed' event so the tooltip is not updated. I think the code in 1265 can be moved into a separate function and the unselect_all() can call this function too. You can replace the loop with your code:
$('input[name=select]', that.tbody).attr('checked', false);

2. In IPA.association_facet the select all checkbox is not unchecked because the content is loaded using refresh_table() in line 1017.

3. In IPA.search_facet the select all checkbox is unchecked at line 248. It would be better to call the table.unselect_all() from the search_facet.load() at line 226. Optional: the code inside search_facet.load() probably could be moved into table.load() then the search_facet.load() can call table.load().

4. About the sudo options refreshing the whole facet, it would be nicer if we can limit the update to the options table only. This can be fixed separately.

-- 
Endi S. Dewata

From edewata at redhat.com Thu Aug 18 20:46:01 2011
From: edewata at redhat.com (Endi Sukma Dewata)
Date: Thu, 18 Aug 2011 15:46:01 -0500
Subject: [Freeipa-devel] [PATCH] 242 Removed custom layout for password reset.
In-Reply-To: <1313679810.11512.222.camel@willson.li.ssimo.org>
References: <4E4414E9.5000108@redhat.com> <4E493EE8.7050602@redhat.com> <4E4ADD86.9040105@redhat.com> <1313679810.11512.222.camel@willson.li.ssimo.org>
Message-ID: <4E4D7A09.2050503@redhat.com>

On 8/18/2011 10:03 AM, Simo Sorce wrote:
> On Tue, 2011-08-16 at 16:13 -0500, Endi Sukma Dewata wrote:
>> On 8/15/2011 10:44 AM, Petr Vobornik wrote:
>>> On 08/11/2011 07:44 PM, Endi Sukma Dewata wrote:
>>>> The dialog box for resetting user password has been modified to use the standard layout.
>>
>>> patch from code and working perspective is OK.
>>
>>> Has this patch assigned some ticket? Don't know exactly what is IPA's policy for submitting patches without tickets in Trac (for future tracking).
>>
>> I attached the patch into this ticket:
>> https://fedorahosted.org/freeipa/ticket/1641
>> We'll push it when we start working on 3.0 stuff.
>
> Have you pushed this one ?
> The master branch now is 3.0 material :)

OK, I pushed this to master and ipa-2-1 because it's only a cleanup, not a new functionality, also minimizing diverging branch.

-- 
Endi S. Dewata

From rcritten at redhat.com Thu Aug 18 20:49:46 2011
From: rcritten at redhat.com (Rob Crittenden)
Date: Thu, 18 Aug 2011 16:49:46 -0400
Subject: [Freeipa-devel] [PATCH] 847 log batch commands, fix logging
Message-ID: <4E4D7AEA.8010906@redhat.com>

Log each call and result for commands in a batch call.

This also fixes logging in general. I broke it pretty badly when trying to properly report JSON errors. Both should work now.

rob

-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-rcrit-847-logging.patch
Type: application/mbox
Size: 3694 bytes
Desc: not available
URL: 

From ayoung at redhat.com Fri Aug 19 03:23:34 2011
From: ayoung at redhat.com (Adam Young)
Date: Thu, 18 Aug 2011 23:23:34 -0400
Subject: [Freeipa-devel] Trying to update nss.conf during install time
Message-ID: <4E4DD736.7090508@redhat.com>

Here's a segment from my patch. All it should be doing is switching NSSRenegotiation from off to on, but it doesn't have any effect. Am I missing something conceptually here?

+++ b/ipaserver/install/httpinstance.py @@ -160,6 +160,9 @@ class HTTPInstance(service.Service): def __set_mod_nss_nickname(self, nickname): installutils.set_directive(NSS_CONF, 'NSSNickname', nickname) + def __enable_mod_nss_renegotiate(self): + installutils.set_directive(NSS_CONF, 'NSSRenegotiation', 'on') + def __set_mod_nss_passwordfile(self): installutils.set_directive(NSS_CONF, 'NSSPassPhraseDialog', 'file:/etc/ @@ -189,6 +192,7 @@ class HTTPInstance(service.Service): db.track_server_cert(nickname, self.principal, db.passwd_fname) self.__set_mod_nss_nickname(nickname) + self.__enable_mod_nss_renegotiate() else: if self.self_signed_ca: db.create_from_cacert(ca_db.cacert_fname) diff --git a/ipaserver/plugins/dogtag.py b/ipaserver/plugins/dogtag.py index d1234a0..23d06ab 100644

From mkosek at redhat.com Fri Aug 19 06:43:18 2011
From: mkosek at redhat.com (Martin Kosek)
Date: Fri, 19 Aug 2011 08:43:18 +0200
Subject: [Freeipa-devel] [PATCH] 846 update ipactl man page
In-Reply-To: <4E4D3674.80803@redhat.com>
References: <4E4D3674.80803@redhat.com>
Message-ID: <1313736200.2526.4.camel@dhcp-25-52.brq.redhat.com>

On Thu, 2011-08-18 at 11:57 -0400, Rob Crittenden wrote:
> Add a blurb about setting api.env.host for use in ipactl to control how it queries for services.
>
> rob

ACK. This improves the situation. Plus, since I fixed the ticket #1558 and a list of FQDNs is printed in case of an LDAP failure, we should be covered here.

Pushed to master, ipa-2-1.

Martin

From mkosek at redhat.com Fri Aug 19 07:25:06 2011
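Review bot: in the first hunk of the nss.conf patch above, `__enable_mod_nss_renegotiate` hard-codes `NSSRenegotiation` to `on` with no docstring or comment saying why the installer needs renegotiation enabled, and nothing in the hunk shows whether `installutils.set_directive` inserts a directive that is absent from nss.conf or only rewrites an existing line; if it is the latter, a stock nss.conf without that line would make the call a silent no-op. Add a one-line comment with the reason and confirm set_directive's behaviour for a missing directive.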
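Review bot: in the second hunk of the nss.conf patch above, `self.__enable_mod_nss_renegotiate()` is called right after `self.__set_mod_nss_nickname(nickname)`, inside the branch whose `else:` covers the self-signed-CA case, so the directive is only written on the code path that sets a custom nickname and a default installation never reaches it, which would explain the "no effect" observation. Make it its own unconditional install step rather than tying it to the nickname branch.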
From: mkosek at redhat.com (Martin Kosek)
Date: Fri, 19 Aug 2011 09:25:06 +0200
Subject: [Freeipa-devel] [PATCH] 847 log batch commands, fix logging
In-Reply-To: <4E4D7AEA.8010906@redhat.com>
References: <4E4D7AEA.8010906@redhat.com>
Message-ID: <1313738709.2526.7.camel@dhcp-25-52.brq.redhat.com>

On Thu, 2011-08-18 at 16:49 -0400, Rob Crittenden wrote:
> Log each call and result for commands in a batch call.
>
> This also fixes logging in general. I broke it pretty badly when trying to properly report JSON errors. Both should work now.
>
> rob

ACK. Works fine, tests are clean. I won't push the patch right now in case WebUI guys wouldn't like it.

Martin

From mkosek at redhat.com Fri Aug 19 09:16:35 2011
From: mkosek at redhat.com (Martin Kosek)
Date: Fri, 19 Aug 2011 11:16:35 +0200
Subject: [Freeipa-devel] [PATCH] 34 Create FreeIPA CLI Plugin for the 389 Auto Membership plugin
In-Reply-To:
References: <99CC5FCC-73CE-43C1-9B73-4DDD69A4637D@citrixonline.com> <1310730613.32137.22.camel@dhcp-25-52.brq.redhat.com> <4E2054E3.5060306@redhat.com> <84A3F669-CCF3-4C6C-9525-5BD4A71E6E1E@citrixonline.com> <4E26F657.8030901@redhat.com> <3D1116E1-B782-4F43-B6DA-08E8FCFC34A1@citrixonline.com> <4E279A3C.5040900@redhat.com> <328D74A5-F560-4DC6-8E5F-413AFDCCAABC@citrixonline.com> <1311246577.17378.28.camel@dhcp-25-52.brq.redhat.com> <4E28384A.708@redhat.com> <0BF013EE-B1ED-4953-94ED-F3BA825CFE78@citrixonline.com> <60FB2C65-DFB4-41B4-A51F-78FE89BB1A1E@citrixonline.com> <1312202461.2484.4.camel@dhcp-25-52.brq.redhat.com> <4E36A27F.4020908@redhat.com> <4E37F3AD.1030801@redhat.com> <45137A51-4797-4A17-B3B0-A4301D9A0C85@citrixonline.com> <1312794245.29048.21.camel@dhcp-25-52.brq.redhat.com> <1312892259.19265.18.camel@dhcp-25-52.brq.redhat.com>
Message-ID: <1313745402.2526.20.camel@dhcp-25-52.brq.redhat.com>

Hi JR,

I get to your plugin again. You can see my findings below.

On Tue, 2011-08-09 at 22:41 +0000, JR Aquino wrote:
...
> Ok New Patch attached.
>
> I believe this addresses the above.
>
> 1. Requires(pre): 389-ds-base >= 1.2.9.5-1

1) Please, remove the change to FreeIPA spec, it's no longer needed since we shipped version 2.1 and it already requires sufficient 389-ds-base version.

>
> 2. replica-automember.ldif added for dsinstance to install during replica installs:
> +dn: cn=Auto Membership Plugin,cn=plugins,cn=config
> +changetype: modify
> +add: nsslapd-pluginConfigArea
> +nsslapd-pluginConfigArea: cn=automember,cn=etc,$SUFFIX

2) OK. I would do it a bit different - have one LDIF for nsslapd-pluginConfigArea setting and second for creating the base automember structure. Master would then use both LDIFs and a replica both of them. We would then be without duplicates in LDIF.
But your way is acceptable.

>
> 3. autoMemberScope is now set for each:
> groups: cn=users,cn=accounts,$SUFFIX
> hostgroups: cn=computers,cn=accounts,$SUFFIX

OK

>
> 4. Corrected examples
> Set the default target group:
> ipa automember-default-group-set --default-group=webservers hostgroup
> ipa automember-default-group-set --default-group=ipausers group
>
> Set the default target group:
> ipa automember-default-group-remove hostgroup
> ipa automember-default-group-remove group
>
> Show the default target group:
> ipa automember-default-group-show hostgroup
> ipa automember-default-group-show group
>
> 5. Corrected examples
> Add a condition to the rule:
> ipa automember-add-condition --key=fqdn --type=hostgroup --inclusive-regex=^web[1-9+]\.example\.com webservers

3) Please fix the regex to ^web[1-9]+\.example\.com. I think it's just a mistake - right now for example a host web11.example.com does not match.

> ipa automember-add-condition --key=manager --type=group --inclusive-regex=^mscott admins
>

4) I think you wanted to use devel rule instead of non-existent "admins" automember rule.

> Add an exclusive condition to the rule to prevent auto assignment:
> ipa automember-add-condition --key=fqdn --type=hostgroup --exclusive-regex=^web5\.example\.com webservers
>
> Remove a condition from the rule:
> ipa automember-remove-condition --key=fqdn --type=hostgroup --inclusive-regex=^www[1-9+]\.example\.com webservers

5) The same as in 3)

>
> 6. Correct bug for adding duplicate conditions. Included test for it in the test suite.
>

OK.
Here are my additional findings:

6) There are some more example commands in doc which are not complete and require some user typing:

Display an automember rule:
ipa automember-show webservers

Delete an automember rule:
ipa automember-del webservers

Grouping type option is missing

7) I get internal error when running examples from the automember doc:

# ipa automember-add --type=group devel
-----------------------------
Added automember rule "devel"
-----------------------------
Automember Rule: devel
# ipa automember-add-condition --key=manager --type=group --inclusive-regex=^mscott admins
ipa: ERROR: an internal error has occurred

That's all. The plugin gets better with every version, I think we may soon be ready for pushing - when all of the issues are resolved.

Martin

From mkosek at redhat.com Fri Aug 19 10:49:33 2011
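The regex mistake Martin points out in finding 3), as an added Python example that is not part of the plugin or the 389 server: it runs the original `[1-9+]` pattern, the corrected `[1-9]+` pattern and an end-anchored variant over constructed host names, with Python's `re` standing in for the server's regex engine. The inclusive/exclusive evaluation order (an exclusive match always wins) is this example's model of automember conditions, not code from the page.

```python
import re

# Constructed host names; web11.example.com is the case Martin points out.
HOSTS = [
    "web1.example.com",
    "web5.example.com",
    "web11.example.com",
    "web+.example.com",
    "db1.example.com",
    "web1.example.com.other.test",
]

BUGGY_INCLUSIVE = r"^web[1-9+]\.example\.com"      # as in the reviewed examples
FIXED_INCLUSIVE = r"^web[1-9]+\.example\.com"      # Martin's correction
ANCHORED_INCLUSIVE = r"^web[1-9]+\.example\.com$"  # also anchored at the end
EXCLUSIVE_WEB5 = r"^web5\.example\.com"            # the exclusive example


def matches_conditions(value, inclusive, exclusive=()):
    """Model of an automember rule's conditions (assumption of this example:
    any exclusive match wins; otherwise any inclusive match qualifies)."""
    if any(re.search(pattern, value) for pattern in exclusive):
        return False
    return any(re.search(pattern, value) for pattern in inclusive)


def select_members(values, inclusive, exclusive=()):
    """Return the values the conditions would place in the target group."""
    return [v for v in values if matches_conditions(v, inclusive, exclusive)]


if __name__ == "__main__":
    # [1-9+] is a character class: it matches one digit or a literal '+',
    # so web11 is missed and web+ is accepted.
    print("buggy:   ", select_members(HOSTS, [BUGGY_INCLUSIVE]))
    # [1-9]+ repeats the digit class, so web11 matches and web+ does not.
    print("fixed:   ", select_members(HOSTS, [FIXED_INCLUSIVE]))
    # Neither pattern is anchored at the end, so a longer name that merely
    # starts with web1.example.com still qualifies; a trailing $ closes that.
    print("anchored:", select_members(HOSTS, [ANCHORED_INCLUSIVE]))
    # The exclusive condition from the same examples removes web5.
    print("with exclusive:",
          select_members(HOSTS, [FIXED_INCLUSIVE], [EXCLUSIVE_WEB5]))
```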
From: mkosek at redhat.com (Martin Kosek)
Date: Fri, 19 Aug 2011 12:49:33 +0200
Subject: [Freeipa-devel] [PATCH] 111 Let Bind track data changes
In-Reply-To: <1313485147.2514.23.camel@dhcp-25-52.brq.redhat.com>
References: <1313410813.2633.28.camel@dhcp-25-52.brq.redhat.com> <4E492B91.5080506@redhat.com> <1313485147.2514.23.camel@dhcp-25-52.brq.redhat.com>
Message-ID: <1313750976.2526.29.camel@dhcp-25-52.brq.redhat.com>

On Tue, 2011-08-16 at 10:59 +0200, Martin Kosek wrote:
> On Mon, 2011-08-15 at 10:22 -0400, Dmitri Pal wrote:
> > On 08/15/2011 08:20 AM, Martin Kosek wrote:
> > > A new version of bind-dyndb-ldap has been released. Thanks to the new persistent search feature, the name server can immediately pull new DNS zones when they are created in IPA.
> > >
> > > Since the bind-dyndb-ldap plugin has not been released in F-15 yet, one has to use the provided src.rpm:
> > >
> > > http://mkosek.fedorapeople.org/bind-dyndb-ldap/srpm/bind-dyndb-ldap-0.2.0-5.fc17.src.rpm
> > >
> > > or rpms I built for x86_64 F-15:
> > >
> > > http://mkosek.fedorapeople.org/bind-dyndb-ldap/x86_64/
> > >
> > > There is one setback though. When I investigated DNS persistent search behavior I still miss the ability to detect changes to the DNS zone itself. Adding a record (for example MX record) to the zone does not trigger an update of the zone in nameserver cache. We still have to wait for cache timeout (argument "cache_ttl"). We cannot therefore use this feature as a solution of:
> > >
> > > https://fedorahosted.org/freeipa/ticket/1114
> > > https://fedorahosted.org/freeipa/ticket/1125
> > > https://fedorahosted.org/freeipa/ticket/1126
> >
> > So what are our options here?
>
> I see we have the following options here:
> 1) Consult this with AdamT and let him enhance bind-dyndb-ldap to track not only add/modification operations with DNS zone (for example modifying SOA record of example.com - this works), but also adding of a new DNS record to the zone (a new MX record in example.com) or even to regular DNS records (A record foo.example.com).
>
> When I spoke with Adam last week (for following 2 weeks he is on PTO) he said it is doable but has a potential of creating bugs in the plugin so he implemented just the first part that we see.
>
> 2) Let user adjust "cache_ttl" parameter. This bind-dyndb-ldap parameter sets validity of the internal DNS record cache. When a DNS record is changed/updated, user can get the updated value after $cache_ttl seconds.
>
> This is the same for updating DNS records in the zone (MX of example.com) and updating regular DNS records (A record of foo.example.com).
>
> User can set it to the value that reflects his needs for the speed of propagation of the DNS record updates and requirements on DNS performance. We just have to make sure that this behavior is clearly explained in our documentation.
>
> Martin

I see no further opinions, here is what I propose:

1) Let us use the current bind-dyndb-ldap persistent search feature as is, so that this feature can be tested
- if it is well accepted, we can ask Adam to implement persistent search also for DNS records, i.e. records directly in zone records (MX) and for records in zones (A)
- this would be implemented in another version of bind-dyndb-ldap - we should ask AdamT for time expectations when he returns from PTO

2) Make sure that current DNS behavior is well documented, and users are aware of that when they change/add a record, it may be seen after $cache_ttl seconds or when they reload the cache using `rndc reload`.

3) Tickets 1114, 1125 and 1126 would be closed as documentation fix.
4) Ticket 649 (An option to push updates) can be partially solved with the documentation fixes in step 3) and fully when full persistent search is implemented.

Martin

From pvoborni at redhat.com Fri Aug 19 12:04:24 2011
From: pvoborni at redhat.com (Petr Vobornik)
Date: Fri, 19 Aug 2011 14:04:24 +0200
Subject: [Freeipa-devel] [PATCH] 249 Removed 'Hide already enrolled' checkbox.
In-Reply-To: <4E4D2767.8000102@redhat.com>
References: <4E4D2767.8000102@redhat.com>
Message-ID: <4E4E5148.9060209@redhat.com>

On 08/18/2011 04:53 PM, Endi Sukma Dewata wrote:
> The 'Hide already enrolled' has been removed from the enrollment dialog because it is checked by default and entries that are already enrolled cannot be enrolled again.
>
> Ticket #1638

ACK if leaving string in internal.py is the right thing to do when deleting related label (the string isn't used anywhere else).

-- 
Petr Vobornik

From rcritten at redhat.com Fri Aug 19 13:08:50 2011
From: rcritten at redhat.com (Rob Crittenden)
Date: Fri, 19 Aug 2011 09:08:50 -0400
Subject: [Freeipa-devel] Trying to update nss.conf during install time
In-Reply-To: <4E4DD736.7090508@redhat.com>
References: <4E4DD736.7090508@redhat.com>
Message-ID: <4E4E6062.5030102@redhat.com>

Adam Young wrote:
> Here's a segment from my patch. All it should be doing is switching NSSRenegotiation from off to on, but it doesn't have any effect. Am I missing something conceptually here?
>
>
> +++ b/ipaserver/install/httpinstance.py
> @@ -160,6 +160,9 @@ class HTTPInstance(service.Service): > def __set_mod_nss_nickname(self, nickname): > installutils.set_directive(NSS_CONF, 'NSSNickname', nickname) > > + def __enable_mod_nss_renegotiate(self): > + installutils.set_directive(NSS_CONF, 'NSSRenegotiation', 'on') > + > def __set_mod_nss_passwordfile(self): > installutils.set_directive(NSS_CONF, 'NSSPassPhraseDialog', 'file:/etc/ > > @@ -189,6 +192,7 @@ class HTTPInstance(service.Service): > db.track_server_cert(nickname, self.principal, db.passwd_fname) > > self.__set_mod_nss_nickname(nickname) > + self.__enable_mod_nss_renegotiate() > else: > if self.self_signed_ca: > db.create_from_cacert(ca_db.cacert_fname) > diff --git a/ipaserver/plugins/dogtag.py b/ipaserver/plugins/dogtag.py > index d1234a0..23d06ab 100644

This is only called when a user provides their own PKCS#12 files (and replica installations)

We don't set the nickname on most installations because we assume a vanilla server therefore the nickname is already set to Server-Cert (probably not the best assumption these days).

You'll want to set this in a step in create_instance() instead.

rob

From dpal at redhat.com Fri Aug 19 13:20:10 2011
From: dpal at redhat.com (Dmitri Pal)
Date: Fri, 19 Aug 2011 09:20:10 -0400
Subject: [Freeipa-devel] [PATCH] 111 Let Bind track data changes
In-Reply-To: <1313750976.2526.29.camel@dhcp-25-52.brq.redhat.com>
References: <1313410813.2633.28.camel@dhcp-25-52.brq.redhat.com> <4E492B91.5080506@redhat.com> <1313485147.2514.23.camel@dhcp-25-52.brq.redhat.com> <1313750976.2526.29.camel@dhcp-25-52.brq.redhat.com>
Message-ID: <4E4E630A.7000300@redhat.com>

On 08/19/2011 06:49 AM, Martin Kosek wrote:
> On Tue, 2011-08-16 at 10:59 +0200, Martin Kosek wrote:
>> On Mon, 2011-08-15 at 10:22 -0400, Dmitri Pal wrote:
>>> On 08/15/2011 08:20 AM, Martin Kosek wrote:
>>>> A new version of bind-dyndb-ldap has been released. Thanks to the new persistent search feature, the name server can immediately pull new DNS zones when they are created in IPA.
>>>>
>>>> Since the bind-dyndb-ldap plugin has not been released in F-15 yet, one has to use the provided src.rpm:
>>>>
>>>> http://mkosek.fedorapeople.org/bind-dyndb-ldap/srpm/bind-dyndb-ldap-0.2.0-5.fc17.src.rpm
>>>>
>>>> or rpms I built for x86_64 F-15:
>>>>
>>>> http://mkosek.fedorapeople.org/bind-dyndb-ldap/x86_64/
>>>>
>>>> There is one setback though. When I investigated DNS persistent search behavior I still miss the ability to detect changes to the DNS zone itself. Adding a record (for example MX record) to the zone does not trigger an update of the zone in nameserver cache. We still have to wait for cache timeout (argument "cache_ttl"). We cannot therefore use this feature as a solution of:
>>>>
>>>> https://fedorahosted.org/freeipa/ticket/1114
>>>> https://fedorahosted.org/freeipa/ticket/1125
>>>> https://fedorahosted.org/freeipa/ticket/1126
>>> So what are our options here?
>> I see we have the following options here:
>> 1) Consult this with AdamT and let him enhance bind-dyndb-ldap to track not only add/modification operations with DNS zone (for example modifying SOA record of example.com - this works), but also adding of a new DNS record to the zone (a new MX record in example.com) or even to regular DNS records (A record foo.example.com).
>>
>> When I spoke with Adam last week (for following 2 weeks he is on PTO) he said it is doable but has a potential of creating bugs in the plugin so he implemented just the first part that we see.
>>
>> 2) Let user adjust "cache_ttl" parameter. This bind-dyndb-ldap parameter sets validity of the internal DNS record cache. When a DNS record is changed/updated, user can get the updated value after $cache_ttl seconds.
>>
>> This is the same for updating DNS records in the zone (MX of example.com) and updating regular DNS records (A record of foo.example.com).
>>
>> User can set it to the value that reflects his needs for the speed of propagation of the DNS record updates and requirements on DNS performance. We just have to make sure that this behavior is clearly explained in our documentation.
>>
>> Martin
> I see no further opinions, here is what I propose:
>
> 1) Let us use the current bind-dyndb-ldap persistent search feature as is, so that this feature can be tested
> - if it is well accepted, we can ask Adam to implement persistent search also for DNS records, i.e. records directly in zone records (MX) and for records in zones (A)
> - this would be implemented in another version of bind-dyndb-ldap - we should ask AdamT for time expectations when he returns from PTO
>
> 2) Make sure that current DNS behavior is well documented, and users are aware of that when they change/add a record, it may be seen after $cache_ttl seconds or when they reload the cache using `rndc reload`.
>
> 3) Tickets 1114, 1125 and 1126 would be closed as documentation fix.
>
> 4) Ticket 649 (An option to push updates) can be partially solved with the documentation fixes in step 3) and fully when full persistent search is implemented.
>
> Martin
>
>

Ack

-- 
Thank you,
Dmitri Pal

Sr. Engineering Manager IPA project,
Red Hat Inc.

-------------------------------
Looking to carve out IT costs?
www.redhat.com/carveoutcosts/

From rcritten at redhat.com Fri Aug 19 15:18:57 2011
From: rcritten at redhat.com (Rob Crittenden)
Date: Fri, 19 Aug 2011 11:18:57 -0400
Subject: [Freeipa-devel] [PATCH] 37 Make sure messagebus service is running before starting certmonger
In-Reply-To: <4E412882.5000206@redhat.com>
References: <4E412882.5000206@redhat.com>
Message-ID: <4E4E7EE1.7060601@redhat.com>

Jan Cholasta wrote:
> Start messagebus every time before starting certmonger.
>
> https://fedorahosted.org/freeipa/ticket/1580
>
> Honza

ack, pushed to master and ipa-2-1

From rcritten at redhat.com Fri Aug 19 15:36:51 2011
From: rcritten at redhat.com (Rob Crittenden)
Date: Fri, 19 Aug 2011 11:36:51 -0400
Subject: [Freeipa-devel] [PATCH] 103 Fix automountkey-mod
In-Reply-To: <1312211242.2484.8.camel@dhcp-25-52.brq.redhat.com>
References: <1311773501.12277.12.camel@dhcp-25-52.brq.redhat.com> <4E3023AE.4060500@redhat.com> <1311782411.12277.24.camel@dhcp-25-52.brq.redhat.com> <4E3038C7.4090205@redhat.com> <1311783321.12277.26.camel@dhcp-25-52.brq.redhat.com> <4E305EBB.8090708@redhat.com> <1311846562.4103.2.camel@dhcp-25-52.brq.redhat.com> <1312211242.2484.8.camel@dhcp-25-52.brq.redhat.com>
Message-ID: <4E4E8313.9040905@redhat.com>

Martin Kosek wrote:
> On Thu, 2011-07-28 at 11:49 +0200, Martin Kosek wrote:
>> On Wed, 2011-07-27 at 14:53 -0400, Rob Crittenden wrote:
>>> Martin Kosek wrote:
>>>> On Wed, 2011-07-27 at 12:11 -0400, Dmitri Pal wrote:
>>>>> On 07/27/2011 12:00 PM, Martin Kosek wrote:
>>>>>> On Wed, 2011-07-27 at 10:41 -0400, Rob Crittenden wrote:
>>>>>>> Martin Kosek wrote:
>>>>>>>> Fix automountkey-mod so that automountkey attribute is correctly updated. Add this test case to the unit tests.
>>>>>>>>
>>>>>>>> https://fedorahosted.org/freeipa/ticket/1528
>>>>>>> It fixes the problem but I've found another: --key isn't required so if you don't pass it in then a backtrace will occur:
>>>>>>>
>>>>>>> Traceback (most recent call last):
>>>>>>>   File "/home/rcrit/redhat/freeipa-master/ipaserver/rpcserver.py", line 220, in wsgi_execute
>>>>>>>     result = self.Command[name](*args, **options)
>>>>>>>   File "/home/rcrit/redhat/freeipa-master/ipalib/frontend.py", line 425, in __call__
>>>>>>>     ret = self.run(*args, **options)
>>>>>>>   File "/home/rcrit/redhat/freeipa-master/ipalib/frontend.py", line 731, in run
>>>>>>>     return self.execute(*args, **options)
>>>>>>>   File "/home/rcrit/redhat/freeipa-master/ipalib/plugins/automount.py", line 873, in execute
>>>>>>>     keys += (self.obj.get_pk(options['automountkey'],
>>>>>>> KeyError: 'automountkey'
>>>>>>>
>>>>>>> Also, automountinformation is already required. This may be a leftover from when we used it in description, this can probably be lifted too.
>>>>>>>
>>>>>>> rob
>>>>>> Good catch. I fixed this bug too and I also made --newinfo optional so that automountkey may be just renamed without changing its info attribute.
>>>>>>
>>>>>> I didn't bump up API VERSION as these are either compatible changes or they caused server internal error.
>>>>>>
>>>>>> Martin
>>>>>
>>>>> Should the ticket be moved into 2.1 July sprint then?
>>>>
>>>> Yes, I would like this to be included in 2.1. I will move ticket to correct milestone (2.1) if we manage to review&push it before release.
>>>>
>>>> Martin
>>>
>>> nack. Something is up with _mod. I can't be sure it is this patch or it was always here.
>>>
>>> In the UI every change wanted to try to rename the entry. On the command-line I wasn't able to update the info at all.
>>>
>>> rob
>>
>> Hm, I think this problem was in the _mod command all the time.
>> 'description' field was being filled every time which triggered rename
>> operation. This caused problems.
>>
>> I rewrote _mod command so that 'description' (i.e. rename) is filled
>> only when needed.
>>
>> I checked UI and automountkey_mod command worked OK for me.
>>
>> Martin
>
> I revisited automountkey_mod command as there was another corner case.
> get_pk() was changed to include automountinfo in RDN only for direct
> maps.
>
> All tests are OK, even Rob's extended automount test preview. Web UI
> behaved ok too.
>
> Martin

ack, pushed to master and ipa-2-1

From rcritten at redhat.com Fri Aug 19 15:54:38 2011
From: rcritten at redhat.com (Rob Crittenden)
Date: Fri, 19 Aug 2011 11:54:38 -0400
Subject: [Freeipa-devel] [PATCH] 38 Verify length of passwords in ipa-server-install
In-Reply-To: <4E48E175.1030200@redhat.com>
References: <4E48C6A6.4050303@redhat.com> <4E48E175.1030200@redhat.com>
Message-ID: <4E4E873E.8030507@redhat.com>

Alexander Bokovoy wrote:
> On 15.08.2011 10:11, Jan Cholasta wrote:
>> Verify that passwords specified through command line options of
>> ipa-server-install meet the length requirement (at least 8 characters
>> long).
>>
>> https://fedorahosted.org/freeipa/ticket/1621
> ACK.
>
> Are there any additional requirements towards the password complexity
> other than 8 letters minimum length?
>
> Pushed to master and ipa-2-1.

Filed ticket 1683 to investigate additional complexity testing.

rob

From edewata at redhat.com Fri Aug 19 16:46:41 2011
From: edewata at redhat.com (Endi Sukma Dewata)
Date: Fri, 19 Aug 2011 11:46:41 -0500
Subject: [Freeipa-devel] [PATCH] 249 Removed 'Hide already enrolled' checkbox.
In-Reply-To: <4E4E5148.9060209@redhat.com>
References: <4E4D2767.8000102@redhat.com> <4E4E5148.9060209@redhat.com>
Message-ID: <4E4E9371.2020305@redhat.com>

On 8/19/2011 7:04 AM, Petr Vobornik wrote:
> On 08/18/2011 04:53 PM, Endi Sukma Dewata wrote:
>> The 'Hide already enrolled' has been removed from the enrollment
>> dialog because it is checked by default and entries that are already
>> enrolled cannot be enrolled again.
>>
>> Ticket #1638
> ACK if leaving string in internal.py is the right thing to do when
> deleting related label (the string isn't used anywhere else).

Nope :) Removed the label. Pushed to master and ipa-2-1.

--
Endi S. Dewata

-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-edewata-0249-2-Removed-Hide-already-enrolled-checkbox.patch
Type: text/x-patch
Size: 5292 bytes
Desc: not available
URL:

From edewata at redhat.com Fri Aug 19 16:46:49 2011
From: edewata at redhat.com (Endi Sukma Dewata)
Date: Fri, 19 Aug 2011 11:46:49 -0500
Subject: [Freeipa-devel] [PATCH] 250 Replaced page dirty dialog title.
Message-ID: <4E4E9379.9080606@redhat.com>

The title of page dirty dialog has been changed to 'Unsaved Changes'.

Ticket #1653

Pushed to master and ipa-2-1 under one-liner/trivial rule.

--
Endi S. Dewata

-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-edewata-0250-Replaced-page-dirty-dialog-title.patch
Type: text/x-patch
Size: 1968 bytes
Desc: not available
URL:

From pvoborni at redhat.com Fri Aug 19 16:50:02 2011
From: pvoborni at redhat.com (Petr Vobornik)
Date: Fri, 19 Aug 2011 18:50:02 +0200
Subject: [Freeipa-devel] [PATCH] 006 Uncheck checkboxes in association after deletion
In-Reply-To: <4E4D766A.1020109@redhat.com>
References: <4E4D110F.6010306@redhat.com> <4E4D766A.1020109@redhat.com>
Message-ID: <4E4E943A.8040903@redhat.com>

On 08/18/2011 10:30 PM, Endi Sukma Dewata wrote:
> On 8/18/2011 8:18 AM, Petr Vobornik wrote:
>> https://fedorahosted.org/freeipa/ticket/1639
>>
>> - added unchecking all checkboxes of table_widget and its derivatives to
>> on_load method.
>>
>> line '$('input[name=select]', that.tbody).attr('checked', false);' can
>> be unnecessary because load method is recreating all rows in table. But
>> I sense, it could be useful later.
>>
>> As I was implementing it, I noticed that after removing or adding sudo
>> option it refreshes facet -> all other associations. Don't know if it's
>> a feature or a bug. (sudo.js: 679, 683, 723, 727).
>
> Some issues:
>
> 1. In IPA.table_widget when the select all checkbox is changed the
> tooltip will change too (see line 1265). When the checkbox is changed
> using unselect_all() it doesn't trigger the 'changed' event so the
> tooltip is not updated.

done

> I think the code in 1265 can be moved into a separate function and the
> unselect_all() can call this function too. You can replace the loop with
> your code:
> $('input[name=select]', that.tbody).attr('checked', false);

done

> 2. In IPA.association_facet the select all checkbox is not unchecked
> because the content is loaded using refresh_table() in line 1017.

done

> 3. In IPA.search_facet the select all checkbox is unchecked at line 248.
> It would be better to call the table.unselect_all() from the
> search_facet.load() at line 226.

done

> Optional: the code inside search_facet.load() probably could be moved
> into table.load() then the search_facet.load() can call table.load().

done

> 4. About the sudo options refreshing the whole facet, it would be nicer
> if we can limit the update to the options table only. This can be fixed
> separately.

agree

--
Petr Vobornik

-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-pvoborni-0006-1-Uncheck-checkboxes-in-association-after-deletion.patch
Type: text/x-patch
Size: 5078 bytes
Desc: not available
URL:

From ayoung at redhat.com Fri Aug 19 17:19:48 2011
From: ayoung at redhat.com (Adam Young)
Date: Fri, 19 Aug 2011 13:19:48 -0400
Subject: [Freeipa-devel] [PATCH] 0283-enable-proxy-for-dogtag
Message-ID: <4E4E9B34.10309@redhat.com>

The complete solution for this patch requires changes in Dogtag that Ade Lee is working on right now. In order to test, I have provided a couple of files that I have been using:

1. Apply patch, build and install IPA rpms, run ipaserver-install as per usual.
2. Move the dogtag.conf file into /etc/httpd/conf.d directory
3. Run the proxy_dogtag.py script to modify the Dogtag instance to accept AJP connections from httpd so httpd can act as a proxy
4. Restart IPA

To test:

1. add a host.
2. Generate a csr: http://freeipa.org/page/Certificate_Authority#Request_a_certificate
3. request a certificate for the newly added host.
4. Optionally, Revoke the certificate for the host

-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: dogtag.conf
URL:
-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: proxy_dogtag.py
URL:
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-admiyo-0283-enable-proxy-for-dogtag.patch
Type: text/x-patch
Size: 7357 bytes
Desc: not available
URL:

From rcritten at redhat.com Fri Aug 19 17:53:33 2011
From: rcritten at redhat.com (Rob Crittenden)
Date: Fri, 19 Aug 2011 13:53:33 -0400
Subject: [Freeipa-devel] [PATCH] 112 Fix automountlocation-import conflicts
In-Reply-To: <1313504745.2514.33.camel@dhcp-25-52.brq.redhat.com>
References: <1313504745.2514.33.camel@dhcp-25-52.brq.redhat.com>
Message-ID: <4E4EA31D.7040402@redhat.com>

Martin Kosek wrote:
> Do not fail import operation with DuplicateEntry when imported
> maps/keys conflict with maps/keys pre-created by
> automountlocation-add command. Currently, this applies for map
> 'auto.direct' and key '/-'.
>
> https://fedorahosted.org/freeipa/ticket/1551

ack. Rebased and pushed to master and ipa-2-1

From dpal at redhat.com Fri Aug 19 17:57:41 2011
From: dpal at redhat.com (Dmitri Pal)
Date: Fri, 19 Aug 2011 13:57:41 -0400
Subject: [Freeipa-devel] [PATCH] 0283-enable-proxy-for-dogtag
In-Reply-To: <4E4E9B34.10309@redhat.com>
References: <4E4E9B34.10309@redhat.com>
Message-ID: <4E4EA415.9010907@redhat.com>

On 08/19/2011 01:19 PM, Adam Young wrote:
> The complete solution for this patch requires changes in Dogtag that
> Ade Lee is working on right now. In order to test, I have provided a
> couple of files that I have been using:
>
>
> 1. Apply patch, build and install IPA rpms, run ipaserver-install as
> per usual.
> 2. Move the dogtag.conf file into /etc/httpd/conf.d directory
> 3. Run the proxy_dogtag.py script to modify the Dogtag instance to
> accept AJP connections from httpd so httpd can act as a proxy
> 4. Restart IPA
>
>
> To test:
>
> 1. add a host.
> 2. Generate a csr:
> http://freeipa.org/page/Certificate_Authority#Request_a_certificate
> 3. request a certificate for the newly added host.
> 4. Optionally, Revoke the certificate for the host
>

Please do not forget to test the proxy test when replica does not have the CA installed and has to forward the request to the one that has.

>
>
> _______________________________________________
> Freeipa-devel mailing list
> Freeipa-devel at redhat.com
> https://www.redhat.com/mailman/listinfo/freeipa-devel

--
Thank you,
Dmitri Pal

Sr. Engineering Manager IPA project,
Red Hat Inc.

-------------------------------
Looking to carve out IT costs?
www.redhat.com/carveoutcosts/

-------------- next part --------------
An HTML attachment was scrubbed...
URL:

From rcritten at redhat.com Fri Aug 19 20:22:25 2011
From: rcritten at redhat.com (Rob Crittenden)
Date: Fri, 19 Aug 2011 16:22:25 -0400
Subject: [Freeipa-devel] [PATCH] 847 log batch commands, fix logging
In-Reply-To: <1313738709.2526.7.camel@dhcp-25-52.brq.redhat.com>
References: <4E4D7AEA.8010906@redhat.com> <1313738709.2526.7.camel@dhcp-25-52.brq.redhat.com>
Message-ID: <4E4EC601.8080102@redhat.com>

Martin Kosek wrote:
> On Thu, 2011-08-18 at 16:49 -0400, Rob Crittenden wrote:
>> Log each call and result for commands in a batch call.
>>
>> This also fixes logging in general. I broke it pretty badly when trying
>> to properly report JSON errors. Both should work now.
>>
>> rob
>
> ACK. Works fine, tests are clean. I won't push the patch right now in
> case WebUI guys wouldn't like it.
>
> Martin
>

Endi and Adam acked in IRC. I added the principal to the logging output to match the other logs.

Pushed to master and ipa-2-1

rob

From rcritten at redhat.com Fri Aug 19 20:36:39 2011
From: rcritten at redhat.com (Rob Crittenden)
Date: Fri, 19 Aug 2011 16:36:39 -0400
Subject: [Freeipa-devel] [PATCH] 847 log batch commands, fix logging
In-Reply-To: <4E4EC601.8080102@redhat.com>
References: <4E4D7AEA.8010906@redhat.com> <1313738709.2526.7.camel@dhcp-25-52.brq.redhat.com> <4E4EC601.8080102@redhat.com>
Message-ID: <4E4EC957.5000806@redhat.com>

Rob Crittenden wrote:
> Martin Kosek wrote:
>> On Thu, 2011-08-18 at 16:49 -0400, Rob Crittenden wrote:
>>> Log each call and result for commands in a batch call.
>>>
>>> This also fixes logging in general. I broke it pretty badly when trying
>>> to properly report JSON errors. Both should work now.
>>>
>>> rob
>>
>> ACK. Works fine, tests are clean. I won't push the patch right now in
>> case WebUI guys wouldn't like it.
>>
>> Martin
>>
>
> Endi and Adam acked in IRC. I added the principal to the logging output
> to match the other logs.
>
> Pushed to master and ipa-2-1
>

Endi noticed that I didn't add the principal to successful individual batch sub-commands. I added that as a one-liner.

rob

From edewata at redhat.com Fri Aug 19 20:58:08 2011
From: edewata at redhat.com (Endi Sukma Dewata)
Date: Fri, 19 Aug 2011 15:58:08 -0500
Subject: [Freeipa-devel] [PATCH] 006 Uncheck checkboxes in association after deletion
In-Reply-To: <4E4E943A.8040903@redhat.com>
References: <4E4D110F.6010306@redhat.com> <4E4D766A.1020109@redhat.com> <4E4E943A.8040903@redhat.com>
Message-ID: <4E4ECE60.9040904@redhat.com>

On 8/19/2011 11:50 AM, Petr Vobornik wrote:
> done

Pushed to master and ipa-2-1.

--
Endi S. Dewata

From rcritten at redhat.com Fri Aug 19 21:12:56 2011
From: rcritten at redhat.com (Rob Crittenden)
Date: Fri, 19 Aug 2011 17:12:56 -0400
Subject: [Freeipa-devel] [PATCH] 848 suppress debug logging in ipactl
Message-ID: <4E4ED1D8.3030404@redhat.com>

If debugging was set in 389-ds then when ipactl was used to start the services a ton of output could be produced. This patch will suppress it by default. If the user wants this output they can add the --debug flag.

rob

-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-rcrit-848-ipactl.patch
Type: application/mbox
Size: 5100 bytes
Desc: not available
URL:

From rcritten at redhat.com Fri Aug 19 21:41:06 2011
From: rcritten at redhat.com (Rob Crittenden)
Date: Fri, 19 Aug 2011 17:41:06 -0400
Subject: [Freeipa-devel] [PATCH] 849 fix up apostrophes in help text
Message-ID: <4E4ED872.9070902@redhat.com>

David wanted subjects and verbs to agree, so here is my shot at it.

rob

-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-rcrit-849-delegation.patch
Type: application/mbox
Size: 1655 bytes
Desc: not available
URL:

From rcritten at redhat.com Fri Aug 19 21:55:26 2011
From: rcritten at redhat.com (Rob Crittenden)
Date: Fri, 19 Aug 2011 17:55:26 -0400
Subject: [Freeipa-devel] [PATCH] 849 fix up apostrophes in help text
In-Reply-To: <4E4ED872.9070902@redhat.com>
References: <4E4ED872.9070902@redhat.com>
Message-ID: <4E4EDBCE.6010605@redhat.com>

Rob Crittenden wrote:
> David wanted subjects and verbs to agree, so here is my shot at it.
>
> rob
>

Reviewed by Deon in irc, pushed to master and ipa-2-1

From simo at redhat.com Mon Aug 22 13:30:51 2011
From: simo at redhat.com (Simo Sorce)
Date: Mon, 22 Aug 2011 09:30:51 -0400
Subject: [Freeipa-devel] [PATCHES] freeipa-v3
Message-ID: <1314019851.20296.20.camel@willson.li.ssimo.org>

As we finally branched ipa-2-1 from master we are now open to put 3.0 related material on the tree.

Here is my rebased set of patches that apply on top of master:
http://fedorapeople.org/gitweb?p=simo/public_git/freeipa.git;a=summary

They are in the freeipa-v3 branch.

Please review and work with me to rebase/refactor any patch that would get a nack. We will fix them until your liking and will finally emit just a one, huge, ACK, or NACK :)

Simo.

--
Simo Sorce * Red Hat, Inc * New York

From rcritten at redhat.com Mon Aug 22 14:24:34 2011
From: rcritten at redhat.com (Rob Crittenden)
Date: Mon, 22 Aug 2011 10:24:34 -0400
Subject: [Freeipa-devel] [PATCH] 40 Add option to ipa-server-install to disable the automatic redirect to the Web UI
In-Reply-To: <4E4D0FEB.2010705@redhat.com>
References: <4E4AAB9D.60908@redhat.com> <4E4BD288.60809@redhat.com> <4E4D0FEB.2010705@redhat.com>
Message-ID: <4E5266A2.3020109@redhat.com>

Jan Cholasta wrote:
> On 17.8.2011 16:39, Rob Crittenden wrote:
>> Jan Cholasta wrote:
>>> https://fedorahosted.org/freeipa/ticket/1570
>>>
>>> The help message might need some tweaking.
>>>
>>> Honza
>>
>> NACK. Whatever solution we come up with needs to apply to replicas as
>> well. Ideally it would be automatic. Since this is a bit of a corner
>> case in general it might be acceptable to have an option on
>> ipa-replica-install.
>>
>> rob
>
> Added the option to ipa-replica-install.
>
> Honza
>

Ack, pushed to master and ipa-2-1 (on Friday)

From pvoborni at redhat.com Mon Aug 22 15:06:53 2011
From: pvoborni at redhat.com (Petr Vobornik)
Date: Mon, 22 Aug 2011 17:06:53 +0200
Subject: [Freeipa-devel] [PATCH] 005 Show error in serial association
In-Reply-To: <4E4D3D16.8030406@redhat.com>
References: <4E4BE090.4050308@redhat.com> <4E4D3D16.8030406@redhat.com>
Message-ID: <4E52708D.9030809@redhat.com>

On 08/18/2011 06:25 PM, Endi Sukma Dewata wrote:
> On 8/17/2011 10:38 AM, Petr Vobornik wrote:
>> Ticket #1628 - https://fedorahosted.org/freeipa/ticket/1628
>> Unreported insufficient access error
>>
>> This patch is dependent on
>> freeipa-pvoborni-0004-1-error-dialog-for-batch-command.patch.
>>
>> This may be only a checking if approach of this patch is good.
>>
>> I was not sure if this type of error message (result.failed property) is
>> more general or it only appears in adding members. So I put error
>> handling in serial_associator instead of command. If it would be put in
>> command and success will be transformed to error, it will change the
>> behaviour of executing commands - other commands after error won't be
>> executed. If the approach is good, it could be probably better to change
>> it a little and offer same logic for batch_associator.
>>
>> It should be working for adding users to groups, netgroups, roles and
>> assigning hbac rules (tested as non admin user).
>>
>> Modified association test - data in success handler should not be
>> undefined.
>
> Currently with serial associator if there's a failure the rest of the
> commands will not be executed, so it's an existing problem. You can test
> this by adding a user into multiple groups via UI but remove one of the
> groups via CLI just before adding. The user will not be added into the
> remaining groups. Bulk associator doesn't have this problem because it's
> executed as a single command.
>
> I think eventually we want to convert the serial associator to use batch
> commands (no need to do it now, but you can if you want). Once it's
> converted, all error checking (including result.failed) should be done
> in IPA.command so it can be captured by the batch handler.
>
> I'm not sure about other scenarios that will return result.failed, but I
> wouldn't assume it's limited to associations. So I think it should be
> handled in a more generic way in IPA.command.
>
> One other thing, I think we should avoid using plural class name (i.e.
> IPA.errors) because suppose we have a collection of instances of this
> class the variable name could become confusing (e.g. that.errorss :) ).
> IPA.error_list might be better.
>

Reworked.

'Failed' moved to command. On 'failed' success is transformed to error - can change behaviour of serial associator in some commands (previously some commands were executed even after 'failed' of previous). It isn't probably big issue because they fail probably from the same reason (consequent commands would fail too).

- 'failed' message is extended by related object (so user would know for which command in the batch it is related to).

- there is still the problem ('no modifications to be performed') I wrote about on Aug 18. I think it should be fixed before committing this patch.

--
Petr Vobornik

-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-pvoborni-0005-1-Show-error-in-adding-associations.patch
Type: text/x-patch
Size: 7870 bytes
Desc: not available
URL:

From abokovoy at redhat.com Mon Aug 22 15:17:07 2011
From: abokovoy at redhat.com (Alexander Bokovoy)
Date: Mon, 22 Aug 2011 18:17:07 +0300
Subject: [Freeipa-devel] [PATCHES] freeipa-v3
In-Reply-To: <1314019851.20296.20.camel@willson.li.ssimo.org>
References: <1314019851.20296.20.camel@willson.li.ssimo.org>
Message-ID: <4E5272F3.3020101@redhat.com>

On 22.08.2011 16:30, Simo Sorce wrote:
> As we finally branched ipa-2-1 from master we are now open to put 3.0
> related material on the tree.
>
> Here is my rebased set of patches that apply on top of master:
> http://fedorapeople.org/gitweb?p=simo/public_git/freeipa.git;a=summary
>
> They are in the freeipa-v3 branch.
>
> Please review and work with me to rebase/refactor any patch that would
> get a nack. We will fix them until your liking and will finally emit
> just a one, huge, ACK, or NACK :)

I went through first 14 commits. ACK for 13 first.

In 6385c80c6c71ae8c4d1f11230c8408bd4bf3f9e3 ipadb_realm_to_ldapi_uri() uses two string constants "ldapi://" and "%2fslapd-" four times each. It would be nice to #define them and use macros instead, purely for maintenance purposes. In the same function there is comment with typo (patch instead of path).

These are minor and you probably can ignore them.

I'll continue with remaining ones tomorrow.

--
/ Alexander Bokovoy

From rcritten at redhat.com Mon Aug 22 15:21:00 2011
From: rcritten at redhat.com (Rob Crittenden)
Date: Mon, 22 Aug 2011 11:21:00 -0400
Subject: [Freeipa-devel] [PATCH] 850 use pthread read/write locks instead of NSPR RW locks
Message-ID: <4E5273DC.40107@redhat.com>

NSPR PR_RWLocks are not re-entrant, use pthread read-write locks instead.

rob

-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-rcrit-850-rwlock.patch
Type: application/mbox
Size: 3505 bytes
Desc: not available
URL:

From edewata at redhat.com Mon Aug 22 17:05:24 2011
From: edewata at redhat.com (Endi Sukma Dewata)
Date: Mon, 22 Aug 2011 12:05:24 -0500
Subject: [Freeipa-devel] [PATCH] 005 Show error in serial association
In-Reply-To: <4E52708D.9030809@redhat.com>
References: <4E4BE090.4050308@redhat.com> <4E4D3D16.8030406@redhat.com> <4E52708D.9030809@redhat.com>
Message-ID: <4E528C54.5000000@redhat.com>

On 8/22/2011 10:06 AM, Petr Vobornik wrote:
> 'Failed' moved to command. On 'failed' success is transformed to error -
> can change behaviour of serial associator in some commands
> (previously some commands were executed even after 'failed' of
> previous). It isn't probably big issue because they fail probably from
> the same reason (consequent commands would fail too).

This will be addressed in ticket #1688.

> - 'failed' message is extended by related object (so user would know for
> which command in the batch it is related to).

Just to be consistent, I think we should format the message like this: ": ".

> - there is still the problem ('no modifications to be performed') I
> wrote about on Aug 18. I think it should be fixed before committing this
> patch.

This will be addressed in ticket #1692.

One more issue, a command could return multiple error messages in each failure, but right now the get_failed() only reads the first message in each failure. Try adding several users into a group, but remove some of them just before adding it, only the first missing user is reported. I think the code in ipa.js:395-401 should iterate through all messages.

--
Endi S. Dewata

From edewata at redhat.com Mon Aug 22 18:50:03 2011
From: edewata at redhat.com (Endi Sukma Dewata)
Date: Mon, 22 Aug 2011 13:50:03 -0500
Subject: [Freeipa-devel] [PATCH] 251 Updated add and delete association dialog titles.
Message-ID: <4E52A4DB.70808@redhat.com>

The association table widget and facet have been modified to accept titles for the add and delete dialogs. The table and facet definitions have been modified to specify the appropriate titles. Some unused code has been removed.

Ticket #1629

--
Endi S. Dewata

-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-edewata-0251-Updated-add-and-delete-association-dialog-titles.patch
Type: text/x-patch
Size: 31589 bytes
Desc: not available
URL:

From JR.Aquino at citrix.com Mon Aug 22 20:19:22 2011
From: JR.Aquino at citrix.com (JR Aquino)
Date: Mon, 22 Aug 2011 20:19:22 +0000
Subject: [Freeipa-devel] [PATCH] 34 Create FreeIPA CLI Plugin for the 389 Auto Membership plugin
In-Reply-To: <1313745402.2526.20.camel@dhcp-25-52.brq.redhat.com>
References: <99CC5FCC-73CE-43C1-9B73-4DDD69A4637D@citrixonline.com> <1310730613.32137.22.camel@dhcp-25-52.brq.redhat.com> <4E2054E3.5060306@redhat.com> <84A3F669-CCF3-4C6C-9525-5BD4A71E6E1E@citrixonline.com> <4E26F657.8030901@redhat.com> <3D1116E1-B782-4F43-B6DA-08E8FCFC34A1@citrixonline.com> <4E279A3C.5040900@redhat.com> <328D74A5-F560-4DC6-8E5F-413AFDCCAABC@citrixonline.com> <1311246577.17378.28.camel@dhcp-25-52.brq.redhat.com> <4E28384A.708@redhat.com> <0BF013EE-B1ED-4953-94ED-F3BA825CFE78@citrixonline.com> <60FB2C65-DFB4-41B4-A51F-78FE89BB1A1E@citrixonline.com> <1312202461.2484.4.camel@dhcp-25-52.brq.redhat.com> <4E36A27F.4020908@redhat.com> <4E37F3AD.1030801@redhat.com> <45137A51-4797-4A17-B3B0-A4301D9A0C85@citrixonline.com> <1312794245.29048.21.camel@dhcp-25-52.brq.redhat.com> <1312892259.19265.18.camel@dhcp-25-52.brq.redhat.com> <1313745402.2526.20.camel@dhcp-25-52.brq.redhat.com>
Message-ID: <1180CF1B-AB45-4E9C-B038-4A35D7E635F1@citrixonline.com>

On Aug 19, 2011, at 2:16 AM, Martin Kosek wrote:

> Hi JR,
>
> I get to your plugin again. You can see my findings below.
>
> On Tue, 2011-08-09 at 22:41 +0000, JR Aquino wrote:
> ...
>> Ok New Patch attached.
>>
>> I believe this addresses the above.
>>
>> 1. Requires(pre): 389-ds-base >= 1.2.9.5-1
>
> 1) Please, remove the change to FreeIPA spec, it's no longer needed since
> we shipped version 2.1 and it already requires sufficient 389-ds-base
> version.

Done.

>
>>
>> 2. replica-automember.ldif added for dsinstance to install during replica installs:
>> +dn: cn=Auto Membership Plugin,cn=plugins,cn=config
>> +changetype: modify
>> +add: nsslapd-pluginConfigArea
>> +nsslapd-pluginConfigArea: cn=automember,cn=etc,$SUFFIX
>
> 2) OK.
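Review bot: the `add: nsslapd-pluginConfigArea` modify in replica-automember.ldif is not idempotent; if cn=Auto Membership Plugin,cn=plugins,cn=config already carries that value, the operation fails with LDAP result 20 (attributeOrValueExists) rather than converging, so `replace: nsslapd-pluginConfigArea` would let the same LDIF be applied more than once safely. The value also names the container cn=automember,cn=etc,$SUFFIX, which a separate LDIF creates, so the patch should state the order in which the two LDIFs are applied on a replica.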
> I would do it a bit differently - have one LDIF for
> nsslapd-pluginConfigArea setting and second for creating the base
> automember structure. Master would then use both LDIFs and a replica
> both of them. We would then be without duplicates in LDIF. But your way
> is acceptable.

Please allow the 2 LDIFs in as they are. I tried to split them to leverage cn=config change in common, however, I encountered a 389 ds bug. I will be opening a bug with Nathan in BZ to address the bug.

If you feel strongly, we can either:
A: Accept the two LDIFs as is and revisit after a newer version of 389 ds is available.
B: Wait until 389 ds addresses the bug and make the minor modification you suggested above.

>
>>
>> 3. autoMemberScope is now set for each:
>> groups: cn=users,cn=accounts,$SUFFIX
>> hostgroups: cn=computers,cn=accounts,$SUFFIX
>
> OK
>
>>
>> 4. Corrected examples
>> Set the default target group:
>> ipa automember-default-group-set --default-group=webservers hostgroup
>> ipa automember-default-group-set --default-group=ipausers group
>>
>> Set the default target group:
>> ipa automember-default-group-remove hostgroup
>> ipa automember-default-group-remove group
>>
>> Show the default target group:
>> ipa automember-default-group-show hostgroup
>> ipa automember-default-group-show group
>>
>> 5. Corrected examples
>> Add a condition to the rule:
>> ipa automember-add-condition --key=fqdn --type=hostgroup --inclusive-regex=^web[1-9+]\.example\.com webservers
>
> 3) Please fix the regex to ^web[1-9]+\.example\.com. I think it's just a
> mistake - right now for example a host web11.example.com does not match.

Fixed

>
>> ipa automember-add-condition --key=manager --type=group --inclusive-regex=^mscott admins
>>
>
> 4) I think you wanted to use devel rule instead of non-existent "admins"
> automember rule.
>

You are correct, this has been fixed.
>> Add an exclusive condition to the rule to prevent auto assignment:
>> ipa automember-add-condition --key=fqdn --type=hostgroup --exclusive-regex=^web5\.example\.com webservers
>>
>> Remove a condition from the rule:
>> ipa automember-remove-condition --key=fqdn --type=hostgroup --inclusive-regex=^www[1-9+]\.example\.com webservers
>
> 5) The same as in 3)

Fixed

>
>>
>> 6. Correct bug for adding duplicate conditions. Included test for it in the test suite.
>>
>
> OK. Here are my additional findings:
>
> 6) There are some more example commands in doc which are not complete and
> require some user typing:
>
> Display an automember rule:
> ipa automember-show webservers
>
> Delete an automember rule:
> ipa automember-del webservers
>
> Grouping type option is missing

Fixed. Added the appropriate flags in the examples

>
> 7) I get internal error when running examples from the automember doc:
> # ipa automember-add --type=group devel
> -----------------------------
> Added automember rule "devel"
> -----------------------------
> Automember Rule: devel
> # ipa automember-add-condition --key=manager --type=group --inclusive-regex=^mscott admins
> ipa: ERROR: an internal error has occurred

Fixed.

>
>
> That's all. The plugin gets better with every version, I think we may
> soon be ready for pushing - when all of the issues are resolved.
>
> Martin
>

Please let me know how it looks now.

-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-jraquino-0034-Create-FreeIPA-CLI-Plugin-for-the-389-Auto-Membershi.patch
Type: application/octet-stream
Size: 56152 bytes
Desc: freeipa-jraquino-0034-Create-FreeIPA-CLI-Plugin-for-the-389-Auto-Membershi.patch
URL:

From edewata at redhat.com Mon Aug 22 21:37:11 2011
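A worked illustration of the regex point raised in items 3) and 5) of the review above, added here as an example; it is not code from the automember plugin, the 389-ds server or JR's patch. It evaluates the original inclusive regex, Martin's corrected one and the exclusive condition from the documented examples against a constructed list of host names, so the difference between `[1-9+]` (a one-character class containing a literal plus) and `[1-9]+` (one or more digits) is visible in the output. Two assumptions are made: exclusive conditions take precedence over inclusive ones, which is how the 389-ds Auto Membership plugin documents its rules, and matching is modelled with Python's unanchored `re.search`. The trailing-`$` variant at the end is an added hardening caveat rather than something the thread discusses.

```python
import re

# Constructed sample fqdn values (not from the original thread).
HOSTS = [
    "web1.example.com",
    "web5.example.com",
    "web11.example.com",
    "web+.example.com",
    "www3.example.com",
    "db1.example.com",
    "web1.example.com.other.test",
]

# The regex from the original examples: '+' sits inside the character
# class, so it is a literal plus sign and the class matches exactly one
# character. web11.example.com therefore does not match.
BUGGY_INCLUSIVE = r"^web[1-9+]\.example\.com"

# The corrected regex from review item 3): '+' follows the class and
# means "one or more digits".
FIXED_INCLUSIVE = r"^web[1-9]+\.example\.com"

# Added caveat: with a trailing anchor the name must end after the domain.
# An unanchored search also accepts longer names with the same prefix.
ANCHORED_INCLUSIVE = r"^web[1-9]+\.example\.com$"

# The exclusive condition from the examples: keep web5 out of webservers.
EXCLUSIVE_WEB5 = r"^web5\.example\.com"


def matches_rule(value, inclusive, exclusive=()):
    """Return True if value matches at least one inclusive regex and no
    exclusive regex. Exclusive conditions win (assumed plugin semantics,
    see the lead-in)."""
    if any(re.search(rx, value) for rx in exclusive):
        return False
    return any(re.search(rx, value) for rx in inclusive)


def select_members(values, inclusive, exclusive=()):
    """Return the subset of values the rule would add to the group,
    in input order."""
    return [v for v in values if matches_rule(v, inclusive, exclusive)]


def compare_regexes(values):
    """Side-by-side membership for the three inclusive patterns, each
    combined with the exclusive condition for web5."""
    return {
        "buggy": select_members(values, [BUGGY_INCLUSIVE], [EXCLUSIVE_WEB5]),
        "fixed": select_members(values, [FIXED_INCLUSIVE], [EXCLUSIVE_WEB5]),
        "anchored": select_members(values, [ANCHORED_INCLUSIVE], [EXCLUSIVE_WEB5]),
    }


if __name__ == "__main__":
    for name, members in compare_regexes(HOSTS).items():
        print(f"{name:9s} -> {members}")
```

Running it shows the buggy pattern admitting `web+.example.com` while dropping `web11.example.com`, the fixed pattern doing the reverse, and only the anchored pattern rejecting `web1.example.com.other.test`; the last point matters because the regex decides which hosts are auto-added to a host group, so an unanchored pattern is looser than the examples suggest.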
From: edewata at redhat.com (Endi Sukma Dewata)
Date: Mon, 22 Aug 2011 16:37:11 -0500
Subject: [Freeipa-devel] [PATCH] 252 Removed unnecessary HBAC/sudo rule category modification.
Message-ID: <4E52CC07.8080101@redhat.com>

Since the Add/Delete links in the association table are disabled when the category is set to 'all', it's no longer necessary to check the category before showing the add/delete dialogs and modify the category before adding entries. Thus, the IPA.rule_association_table_widget is no longer needed.

Ticket #1692

--
Endi S. Dewata

-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-edewata-0252-Removed-unnecessary-HBAC-sudo-rule-category-modifica.patch
Type: text/x-patch
Size: 18958 bytes
Desc: not available
URL:

From rcritten at redhat.com Mon Aug 22 22:26:52 2011
From: rcritten at redhat.com (Rob Crittenden)
Date: Mon, 22 Aug 2011 18:26:52 -0400
Subject: [Freeipa-devel] [PATCH] 851 add password indicator
Message-ID: <4E52D7AC.5010807@redhat.com>

We used to calculate has_keytab based on whether krblastpwdchange was set. We did this because you can't see whether a krbPrincipalKey is set.

We had a need to see whether a password was set on hosts. What I did was create a new ACI that allows search on krbPrincipalKey and userPassword. This means you can search for attribute existence and gives us a better picture of what entries have.

This adds a new fake attribute, has_password.

I've added has_password and has_keytab to user objects as well so you can see whether a password is set on a user (and may be useful during migration).

rob

-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-rcrit-851-indicator.patch
Type: application/mbox
Size: 40559 bytes
Desc: not available
URL:

From ayoung at redhat.com Tue Aug 23 02:42:02 2011
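To make the distinction in Rob's description concrete (an ACI granting only the search right on krbPrincipalKey and userPassword, so a presence filter can test whether the attribute exists without the values ever being readable), here is an added Python model; it is not code from the patch or from FreeIPA. The ACI text, the three host entries and the single-ACI access check are constructed for illustration: the patch's real ACI is not quoted in the thread, and a real 389-ds server evaluates its whole ACI set rather than one rule. The `legacy_has_keytab` function reproduces the heuristic Rob says the patch replaces, and the constructed host2 entry shows where it misreports.

```python
import re

# Constructed ACI in 389-ds syntax (an assumption for illustration; the
# patch's real ACI text is not in the thread). Only the "search" right is
# granted, so (attr=*) presence filters work but values stay unreadable.
EXISTENCE_ACI = (
    '(targetattr = "userPassword || krbPrincipalKey")'
    '(version 3.0; acl "Search for existence of password and keytab"; '
    'allow (search) groupdn = "ldap:///cn=admins,cn=groups,cn=accounts,dc=example,dc=com";)'
)

# Constructed entries keyed by DN, attribute names lower-cased and values
# as bytes, the shape python-ldap returns. None of these are real secrets.
BASE = "cn=computers,cn=accounts,dc=example,dc=com"
HOST_KEYTAB = f"fqdn=host1.example.com,{BASE}"
HOST_PASSWORD = f"fqdn=host2.example.com,{BASE}"
HOST_NONE = f"fqdn=host3.example.com,{BASE}"
ENTRIES = {
    HOST_KEYTAB: {"krbprincipalkey": [b"<opaque key blob>"],
                  "krblastpwdchange": [b"20110822120000Z"]},
    HOST_PASSWORD: {"userpassword": [b"{SSHA}constructed"],
                    "krblastpwdchange": [b"20110822120000Z"]},
    HOST_NONE: {"fqdn": [b"host3.example.com"]},
}


def parse_aci(aci):
    """Extract the targetattr set and the allowed rights from one ACI."""
    attr_match = re.search(r'\(targetattr\s*=\s*"([^"]*)"\)', aci)
    rights_match = re.search(r'\ballow\s*\(([^)]*)\)', aci)
    attrs = ({a.strip().lower() for a in attr_match.group(1).split("||")}
             if attr_match else set())
    rights = ({r.strip().lower() for r in rights_match.group(1).split(",")}
              if rights_match else set())
    return attrs, rights


def presence_filter(entries, attr, aci):
    """Emulate an LDAP (attr=*) search under a single ACI: the DNs whose
    entry carries the attribute, but only when the ACI grants "search" (or
    "all") on it. Without that right the server returns no matches."""
    attrs, rights = parse_aci(aci)
    attr = attr.lower()
    if attr not in attrs or not rights & {"search", "all"}:
        return []
    return [dn for dn, entry in entries.items() if attr in entry]


def visible_values(entry, aci):
    """Attributes whose values this ACI lets a client read. Search alone
    permits an existence test but returns nothing. Attributes the ACI does
    not target are treated as readable, a simplification of real ACI
    evaluation."""
    attrs, rights = parse_aci(aci)
    readable = bool(rights & {"read", "all"})
    return {k: v for k, v in entry.items() if k not in attrs or readable}


def legacy_has_keytab(entry):
    """The heuristic the patch replaces: infer a keytab from the presence
    of krbLastPwdChange alone."""
    return "krblastpwdchange" in entry


def indicators(entries, aci):
    """Build has_keytab / has_password from presence searches, next to the
    legacy heuristic for comparison."""
    with_keytab = set(presence_filter(entries, "krbPrincipalKey", aci))
    with_password = set(presence_filter(entries, "userPassword", aci))
    return {
        dn: {
            "has_keytab": dn in with_keytab,
            "has_password": dn in with_password,
            "legacy_has_keytab": legacy_has_keytab(entry),
        }
        for dn, entry in entries.items()
    }


if __name__ == "__main__":
    for dn, flags in indicators(ENTRIES, EXISTENCE_ACI).items():
        print(dn.split(",")[0], flags, visible_values(ENTRIES[dn], EXISTENCE_ACI))
```

In the constructed data host2 has a password and a krbLastPwdChange timestamp but no krbPrincipalKey, so the legacy heuristic reports a keytab that is not there, while the presence searches separate the two cases; at the same time `visible_values` never returns the key blob or the password hash, which is the point of granting search rather than read.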
From: ayoung at redhat.com (Adam Young)
Date: Mon, 22 Aug 2011 22:42:02 -0400
Subject: [Freeipa-devel] [PATCH] 0283-enable-proxy-for-dogtag
In-Reply-To: <4E4EA415.9010907@redhat.com>
References: <4E4E9B34.10309@redhat.com> <4E4EA415.9010907@redhat.com>
Message-ID: <4E53137A.4000501@redhat.com>

With this version, and Ade's patch posted to the PKI list, we have a functioning proxy. I still need to do some cleanup in the /etc/httpd/conf.d directory: the modifications to nss.conf are not removed in uninstall, nor is the symlink to /etc/pki-ca/proxy.conf.

We also need to limit the number of suburls of the PKI CA that the proxy exposes. This version exposes all of them. I think we need a very limited subset.

I've created a replica --no-pki and successfully requested a certificate on it.

On 08/19/2011 01:57 PM, Dmitri Pal wrote:
> On 08/19/2011 01:19 PM, Adam Young wrote:
>> The complete solution for this patch requires changes in Dogtag that
>> Ade Lee is working on right now. In order to test, I have provided a
>> couple of files that I have been using:
>>
>>
>> 1. Apply patch, build and install IPA rpms, run ipaserver-install as
>> per usual.
>> 2. Move the dogtag.conf file into /etc/httpd/conf.d directory
>> 3. Run the proxy_dogtag.py script to modify the Dogtag instance to
>> accept AJP connections from httpd so httpd can act as a proxy
>> 4. Restart IPA
>>
>>
>> To test:
>>
>> 1. add a host.
>> 2. Generate a csr:
>> http://freeipa.org/page/Certificate_Authority#Request_a_certificate
>> 3. request a certificate for the newly added host.
>> 4. Optionally, Revoke the certificate for the host
>>
>
>
> Please do not forget to test the proxy test when replica does not have
> the CA installed and has to forward the request to the one that has.
>
>>
>>
>> _______________________________________________
>> Freeipa-devel mailing list
>> Freeipa-devel at redhat.com
>> https://www.redhat.com/mailman/listinfo/freeipa-devel
>
>
> --
> Thank you,
> Dmitri Pal
>
> Sr. Engineering Manager IPA project,
> Red Hat Inc.
>
>
> -------------------------------
> Looking to carve out IT costs?
> www.redhat.com/carveoutcosts/
>
>
>
>
> _______________________________________________
> Freeipa-devel mailing list
> Freeipa-devel at redhat.com
> https://www.redhat.com/mailman/listinfo/freeipa-devel

-------------- next part --------------
An HTML attachment was scrubbed...
URL:
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-admiyo-0283-1-enable-proxy-for-dogtag.patch
Type: text/x-patch
Size: 9680 bytes
Desc: not available
URL:

From jcholast at redhat.com Tue Aug 23 09:15:45 2011
From: jcholast at redhat.com (Jan Cholasta)
Date: Tue, 23 Aug 2011 11:15:45 +0200
Subject: [Freeipa-devel] [PATCH] 42 Search for users in all the naming contexts present on the directory server
Message-ID: <4E536FC1.8090608@redhat.com>

This patch fixes ipa-kpasswd in cases where we have more than one naming context in the directory server.

https://fedorahosted.org/freeipa/ticket/1655
https://fedorahosted.org/freeipa/ticket/1656

Honza

--
Jan Cholasta

-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-jcholast-42-ipa-kpasswd-naming-contexts.patch
Type: text/x-patch
Size: 3071 bytes
Desc: not available
URL:

From pvoborni at redhat.com Tue Aug 23 11:34:48 2011
From: pvoborni at redhat.com (Petr Vobornik) Date: Tue, 23 Aug 2011 13:34:48 +0200 Subject: [Freeipa-devel] [PATCH] 005 Show error in serial association In-Reply-To: <4E528C54.5000000@redhat.com> References: <4E4BE090.4050308@redhat.com> <4E4D3D16.8030406@redhat.com> <4E52708D.9030809@redhat.com> <4E528C54.5000000@redhat.com> Message-ID: <4E539058.3040907@redhat.com> On 08/22/2011 07:05 PM, Endi Sukma Dewata wrote: > On 8/22/2011 10:06 AM, Petr Vobornik wrote: >> 'Failed' moved to command. On 'failed' success is transformed to error - >> this can change the behaviour of the serial associator in some commands >> (previously some commands were executed even after 'failed' of >> previous). It isn't probably a big issue because they probably fail for >> the same reason (consequent commands would fail too). > > This will be addressed in ticket #1688. > >> - 'failed' message is extended by related object (so user would know for >> which command in the batch it is related to). > > Just to be consistent, I think we should format the message like this: > ": ". > OK >> - there is still the problem ('no modifications to be performed') I >> wrote about on Aug 18. I think it should be fixed before committing this >> patch. > > This will be addressed in ticket #1692. > > One more issue, a command could return multiple error messages in each > failure, but right now the get_failed() only reads the first message in > each failure. Try adding several users into a group, but remove some of > them just before adding it, only the first missing user is reported. I > think the code in ipa.js:395-401 should iterate through all messages. > Reworked. I'm thinking that we should show only a notification dialog (like in the batch error for 'failed' commands). The reason is that part of the command can be successfully executed, so offering retry is wrong because it may cause other errors (try it in the example above).
Second reason is that if we want to show all errors we have to concatenate error messages with some separator (quite easy, current implementation) or to pass an array of error messages to the error dialog like in batch error (needs to add support for it in command). I'm thinking about a dialog with this content:
Operation Error

Some parts of operation failed. Completed: $completed.

  • $key: $message
  • $key2: $message2
The 'Completed' part would be shown only if present. Another problem in the error dialog is that untranslated strings are used. We should modify it to use translated strings and, as a fallback (like in the init method), untranslated ones. -- Petr Vobornik -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pvoborni-0005-2-Show-error-in-adding-associations.patch Type: text/x-patch Size: 8673 bytes Desc: not available URL: From jcholast at redhat.com Tue Aug 23 12:02:07 2011 From: jcholast at redhat.com (Jan Cholasta) Date: Tue, 23 Aug 2011 14:02:07 +0200 Subject: [Freeipa-devel] [PATCH] 41 Verify that the external CA certificate files are correct In-Reply-To: <4E4D3412.4040701@redhat.com> References: <4E4B7B57.2010208@redhat.com> <4E4B9C0E.9070204@redhat.com> <4E4D3412.4040701@redhat.com> Message-ID: <4E5396BF.9050601@redhat.com> On 18.8.2011 17:47, Rob Crittenden wrote: > Jan Cholasta wrote: >> On 17.8.2011 10:27, Jan Cholasta wrote: >>> Verify that --external_cert_file and --external_ca_file are both >>> readable, valid PEM files and that their subject/issuer is correct. >>> >>> Also fixes ipalib.x509.load_certificate_from_file. >>> >>> https://fedorahosted.org/freeipa/ticket/1572 >>> >>> Honza >>> >> >> Patch attached. > > nack, but this is very close. > > If the CA is a chain the signing check may fail if the first cert isn't > the one that signed the CSR. You need to check all CA certs in the file. > > rob Fixed. Honza -- Jan Cholasta -------------- next part -------------- A non-text attachment was scrubbed...
Name: freeipa-jcholast-41.1-external-ca-verify.patch Type: text/x-patch Size: 5109 bytes Desc: not available URL: From jcholast at redhat.com Tue Aug 23 12:27:15 2011 From: jcholast at redhat.com (Jan Cholasta) Date: Tue, 23 Aug 2011 14:27:15 +0200 Subject: [Freeipa-devel] [PATCH] 43 Add subscription-manager dependency for RHEL Message-ID: <4E539CA3.2040308@redhat.com> https://fedorahosted.org/freeipa/ticket/1664 Honza -- Jan Cholasta -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-jcholast-43-rhel-subscription-manager.patch Type: text/x-patch Size: 1038 bytes Desc: not available URL: From rcritten at redhat.com Tue Aug 23 13:36:21 2011 From: rcritten at redhat.com (Rob Crittenden) Date: Tue, 23 Aug 2011 09:36:21 -0400 Subject: [Freeipa-devel] [PATCH] 41 Verify that the external CA certificate files are correct In-Reply-To: <4E5396BF.9050601@redhat.com> References: <4E4B7B57.2010208@redhat.com> <4E4B9C0E.9070204@redhat.com> <4E4D3412.4040701@redhat.com> <4E5396BF.9050601@redhat.com> Message-ID: <4E53ACD5.8080505@redhat.com> Jan Cholasta wrote: > On 18.8.2011 17:47, Rob Crittenden wrote: >> Jan Cholasta wrote: >>> On 17.8.2011 10:27, Jan Cholasta wrote: >>>> Verify that --external_cert_file and --external_ca_file are both >>>> readable, valid PEM files and that their subject/issuer is correct. >>>> >>>> Also fixes ipalib.x509.load_certificate_from_file. >>>> >>>> https://fedorahosted.org/freeipa/ticket/1572 >>>> >>>> Honza >>>> >>> >>> Patch attached. >> >> nack, but this is very close. >> >> If the CA is a chain the signing check may fail if the first cert isn't >> the one that signed the CSR. You need to check all CA certs in the file. >> >> rob > > Fixed. > > Honza > Nice, I really like the way you import the cert chain. One more small request. When a failure occurs can you print more detail on why? For example, we mandate that the subject of the CA cert be CN=Certificate Authority,. 
Can you include what we expect if this fails? Similarly when reviewing the cert chain display can you show what CA is missing? rob From pvoborni at redhat.com Tue Aug 23 13:56:41 2011 From: pvoborni at redhat.com (Petr Vobornik) Date: Tue, 23 Aug 2011 15:56:41 +0200 Subject: [Freeipa-devel] [PATCH] 251 Updated add and delete association dialog titles. In-Reply-To: <4E52A4DB.70808@redhat.com> References: <4E52A4DB.70808@redhat.com> Message-ID: <4E53B199.7040501@redhat.com> On 08/22/2011 08:50 PM, Endi Sukma Dewata wrote: > The association table widget and facet have been modified to accept > titles for the add and delete dialogs. The table and facet definitions > have been modified to specify the appropriate titles. > > Some unused code has been removed. > > Ticket #1629 > > > > _______________________________________________ > Freeipa-devel mailing list > Freeipa-devel at redhat.com > https://www.redhat.com/mailman/listinfo/freeipa-devel ACK -- Petr Vobornik From rcritten at redhat.com Tue Aug 23 14:05:37 2011 From: rcritten at redhat.com (Rob Crittenden) Date: Tue, 23 Aug 2011 10:05:37 -0400 Subject: [Freeipa-devel] [PATCH] 42 Search for users in all the naming contexts present on the directory server In-Reply-To: <4E536FC1.8090608@redhat.com> References: <4E536FC1.8090608@redhat.com> Message-ID: <4E53B3B1.6080207@redhat.com> Jan Cholasta wrote: > This patch fixes ipa-kpasswd in cases where we have more than one naming > context in the directory server. > > https://fedorahosted.org/freeipa/ticket/1655 > https://fedorahosted.org/freeipa/ticket/1656 > > Honza Ack, pushed to master and ipa-2-1. I tested by enabling the retro changelog plugin which adds another namingcontext.
rob From rcritten at redhat.com Tue Aug 23 14:22:22 2011 From: rcritten at redhat.com (Rob Crittenden) Date: Tue, 23 Aug 2011 10:22:22 -0400 Subject: [Freeipa-devel] [PATCH] 43 Add subscription-manager dependency for RHEL In-Reply-To: <4E539CA3.2040308@redhat.com> References: <4E539CA3.2040308@redhat.com> Message-ID: <4E53B79E.2030504@redhat.com> Jan Cholasta wrote: > https://fedorahosted.org/freeipa/ticket/1664 > > Honza nack, this requires only needs to be on freeipa-server. rob From jcholast at redhat.com Tue Aug 23 15:55:42 2011 From: jcholast at redhat.com (Jan Cholasta) Date: Tue, 23 Aug 2011 17:55:42 +0200 Subject: [Freeipa-devel] [PATCH] 41 Verify that the external CA certificate files are correct In-Reply-To: <4E53ACD5.8080505@redhat.com> References: <4E4B7B57.2010208@redhat.com> <4E4B9C0E.9070204@redhat.com> <4E4D3412.4040701@redhat.com> <4E5396BF.9050601@redhat.com> <4E53ACD5.8080505@redhat.com> Message-ID: <4E53CD7E.4010605@redhat.com> On 23.8.2011 15:36, Rob Crittenden wrote: > Jan Cholasta wrote: >> On 18.8.2011 17:47, Rob Crittenden wrote: >>> Jan Cholasta wrote: >>>> On 17.8.2011 10:27, Jan Cholasta wrote: >>>>> Verify that --external_cert_file and --external_ca_file are both >>>>> readable, valid PEM files and that their subject/issuer is correct. >>>>> >>>>> Also fixes ipalib.x509.load_certificate_from_file. >>>>> >>>>> https://fedorahosted.org/freeipa/ticket/1572 >>>>> >>>>> Honza >>>>> >>>> >>>> Patch attached. >>> >>> nack, but this is very close. >>> >>> If the CA is a chain the signing check may fail if the first cert isn't >>> the one that signed the CSR. You need to check all CA certs in the file. >>> >>> rob >> >> Fixed. >> >> Honza >> > > Nice, I really like the way you import the cert chain. > > One more small request. When a failure occurs can you print more detail > on why? For example, we mandate that the subject of the CA cert be > CN=Certificate Authority,. Can you include what we expect > if this fails? 
Similarly when reviewing the cert chain display can you > show what CA is missing? > > rob Updated patch attached. Honza -- Jan Cholasta -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-jcholast-41.2-external-ca-verify.patch Type: text/x-patch Size: 5404 bytes Desc: not available URL: From jcholast at redhat.com Tue Aug 23 16:01:25 2011 From: jcholast at redhat.com (Jan Cholasta) Date: Tue, 23 Aug 2011 18:01:25 +0200 Subject: [Freeipa-devel] [PATCH] 43 Add subscription-manager dependency for RHEL In-Reply-To: <4E53B79E.2030504@redhat.com> References: <4E539CA3.2040308@redhat.com> <4E53B79E.2030504@redhat.com> Message-ID: <4E53CED5.9000507@redhat.com> On 23.8.2011 16:22, Rob Crittenden wrote: > Jan Cholasta wrote: >> https://fedorahosted.org/freeipa/ticket/1664 >> >> Honza > > nack, this requires only needs to be on freeipa-server. > > rob OK, I thought I'd put it in the package where entitle.py is located. Updated patch attached. Honza -- Jan Cholasta -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-jcholast-43.1-rhel-subscription-manager.patch Type: text/x-patch Size: 1106 bytes Desc: not available URL: From edewata at redhat.com Tue Aug 23 16:15:38 2011 From: edewata at redhat.com (Endi Sukma Dewata) Date: Tue, 23 Aug 2011 11:15:38 -0500 Subject: [Freeipa-devel] [PATCH] 251 Updated add and delete association dialog titles. In-Reply-To: <4E53B199.7040501@redhat.com> References: <4E52A4DB.70808@redhat.com> <4E53B199.7040501@redhat.com> Message-ID: <4E53D22A.9010207@redhat.com> On 8/23/2011 8:56 AM, Petr Vobornik wrote: > On 08/22/2011 08:50 PM, Endi Sukma Dewata wrote: >> The association table widget and facet have been modified to accept >> titles for the add and delete dialogs. The table and facet definitions >> have been modified to specify the appropriate titles. >> >> Some unused code has been removed. >> >> Ticket #1629 > ACK Pushed to master and ipa-2-1. -- Endi S.
Dewata From pvoborni at redhat.com Tue Aug 23 17:12:01 2011 From: pvoborni at redhat.com (Petr Vobornik) Date: Tue, 23 Aug 2011 19:12:01 +0200 Subject: [Freeipa-devel] [PATCH] 252 Removed unnecessary HBAC/sudo rule category modification. In-Reply-To: <4E52CC07.8080101@redhat.com> References: <4E52CC07.8080101@redhat.com> Message-ID: <4E53DF61.2000406@redhat.com> On 08/22/2011 11:37 PM, Endi Sukma Dewata wrote: > Since the Add/Delete links in the association table are disabled when > the category is set to 'all', it's no longer necessary to check the > category before showing the add/delete dialogs and modify the category > before adding entries. Thus, the IPA.rule_association_table_widget is > no longer needed. > > Ticket #1692 > > > > _______________________________________________ > Freeipa-devel mailing list > Freeipa-devel at redhat.com > https://www.redhat.com/mailman/listinfo/freeipa-devel ACK -- Petr Vobornik From JR.Aquino at citrix.com Tue Aug 23 17:37:44 2011 From: JR.Aquino at citrix.com (JR Aquino) Date: Tue, 23 Aug 2011 17:37:44 +0000 Subject: [Freeipa-devel] [PATCH] 39 Improve sudorule documentation Message-ID: https://fedorahosted.org/freeipa/ticket/1657 Added brief explanations for the various Sudo components in the top level doc. Added doc entries for RunAs User and RunAs Group. -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-jraquino-0039-Improve-sudorule-documentation.patch Type: application/octet-stream Size: 2108 bytes Desc: freeipa-jraquino-0039-Improve-sudorule-documentation.patch URL: From rcritten at redhat.com Tue Aug 23 19:25:53 2011 From: rcritten at redhat.com (Rob Crittenden) Date: Tue, 23 Aug 2011 15:25:53 -0400 Subject: [Freeipa-devel] [PATCH] 39 Improve sudorule documentation In-Reply-To: References: Message-ID: <4E53FEC1.4040008@redhat.com> JR Aquino wrote: > https://fedorahosted.org/freeipa/ticket/1657 > Added brief explanations for the various Sudo components in the top level doc. 
> Added doc entries for RunAs User and RunAs Group. Deon suggested a minor grammar correction and I modified the commit message a little. ack, pushed to master and ipa-2-1 From rcritten at redhat.com Tue Aug 23 19:31:15 2011 From: rcritten at redhat.com (Rob Crittenden) Date: Tue, 23 Aug 2011 15:31:15 -0400 Subject: [Freeipa-devel] [PATCH] 43 Add subscription-manager dependency for RHEL In-Reply-To: <4E53CED5.9000507@redhat.com> References: <4E539CA3.2040308@redhat.com> <4E53B79E.2030504@redhat.com> <4E53CED5.9000507@redhat.com> Message-ID: <4E540003.2080307@redhat.com> Jan Cholasta wrote: > On 23.8.2011 16:22, Rob Crittenden wrote: >> Jan Cholasta wrote: >>> https://fedorahosted.org/freeipa/ticket/1664 >>> >>> Honza >> >> nack, this requires only needs to be on freeipa-server. >> >> rob > > OK, I thought I'd put it in the package where entitle.py is located. > > Updated patch attached. > > Honza > ack, pushed to master and ipa-2-1 From rcritten at redhat.com Tue Aug 23 20:24:47 2011 From: rcritten at redhat.com (Rob Crittenden) Date: Tue, 23 Aug 2011 16:24:47 -0400 Subject: [Freeipa-devel] [PATCH] 41 Verify that the external CA certificate files are correct In-Reply-To: <4E53CD7E.4010605@redhat.com> References: <4E4B7B57.2010208@redhat.com> <4E4B9C0E.9070204@redhat.com> <4E4D3412.4040701@redhat.com> <4E5396BF.9050601@redhat.com> <4E53ACD5.8080505@redhat.com> <4E53CD7E.4010605@redhat.com> Message-ID: <4E540C8F.8090004@redhat.com> Jan Cholasta wrote: > On 23.8.2011 15:36, Rob Crittenden wrote: >> Jan Cholasta wrote: >>> On 18.8.2011 17:47, Rob Crittenden wrote: >>>> Jan Cholasta wrote: >>>>> On 17.8.2011 10:27, Jan Cholasta wrote: >>>>>> Verify that --external_cert_file and --external_ca_file are both >>>>>> readable, valid PEM files and that their subject/issuer is correct. >>>>>> >>>>>> Also fixes ipalib.x509.load_certificate_from_file. >>>>>> >>>>>> https://fedorahosted.org/freeipa/ticket/1572 >>>>>> >>>>>> Honza >>>>>> >>>>> >>>>> Patch attached. 
>>>> >>>> nack, but this is very close. >>>> >>>> If the CA is a chain the signing check may fail if the first cert isn't >>>> the one that signed the CSR. You need to check all CA certs in the >>>> file. >>>> >>>> rob >>> >>> Fixed. >>> >>> Honza >>> >> >> Nice, I really like the way you import the cert chain. >> >> One more small request. When a failure occurs can you print more detail >> on why? For example, we mandate that the subject of the CA cert be >> CN=Certificate Authority,. Can you include what we expect >> if this fails? Similarly when reviewing the cert chain display can you >> show what CA is missing? >> >> rob > > Updated patch attached. > > Honza > ack, pushed to master and ipa-2-1 From edewata at redhat.com Tue Aug 23 21:09:44 2011 From: edewata at redhat.com (Endi Sukma Dewata) Date: Tue, 23 Aug 2011 16:09:44 -0500 Subject: [Freeipa-devel] [PATCH] 005 Show error in serial association In-Reply-To: <4E539058.3040907@redhat.com> References: <4E4BE090.4050308@redhat.com> <4E4D3D16.8030406@redhat.com> <4E52708D.9030809@redhat.com> <4E528C54.5000000@redhat.com> <4E539058.3040907@redhat.com> Message-ID: <4E541718.4050700@redhat.com> On 8/23/2011 6:34 AM, Petr Vobornik wrote: > On 08/22/2011 07:05 PM, Endi Sukma Dewata wrote: >> One more issue, a command could return multiple error messages in each >> failure, but right now the get_failed() only reads the first message in >> each failure. Try adding several users into a group, but remove some of >> them just before adding it, only the first missing user is reported. I >> think the code in ipa.js:395-401 should iterate through all messages. >> > Reworked. > > I'm thinking that we should show only notification dialog (like in batch > error for 'failed' commands. The reason is that part of the command can > be successfully executed, so offering retry is wrong because it may > cause other error (try it in the example above). 
> Second reason is that if we want to show all errors we have to concatenate error messages with > some separator (quite easy, current implementation) or to pass an array of > error messages to the error dialog like in batch error (needs to add support > for it in command). Please take a look at the attached patch. This should be applied on top of your patch. It does several things: 1. As mentioned over IRC, we should be treating these partial failures as a success (the command does return a success). This way it's not going to show the Retry button. 2. Instead of concatenating the messages, they are now added into the error list. This way they will appear nicely as a list. 3. If the error dialog appears, it will wait until you click OK before continuing. 4. Since some of the membership operations are done using serial associator you might get multiple dialogs, but this should be gone once we fix #1688. Please feel free to merge this patch into yours if you want to make further modifications. Or we can push both patches if you think it's good enough. I can think of some more improvements, but it can be done separately. > I'm thinking about a dialog with this content:
>
> Operation Error
>
> Some parts of operation failed. Completed: $completed.
>
>   • $key: $message
>   • $key2: $message2
>
> The 'Completed' part would be shown only if present. I'm not sure if we need to show the completed operations because we should be able to infer that from the command we're trying to execute and the error message we're getting. No error means it's completed. Maybe we should try to provide a better error message, e.g. "Some failures occurred when removing users from group editors". Also, we might want to change the 'Operations Error' title because it's actually a success. How about 'Operation Completed'? This can be done separately. If you think showing the completed operations would be useful please file a ticket and we'll discuss it. We might be able to show the completed operations under 'Show details'. > Another problem in the error dialog is that untranslated > strings are used. We should modify it to use translated strings and, as a fallback (like in > the init method), untranslated ones. Let's put the locations of any untranslated messages we find into this ticket: https://fedorahosted.org/freeipa/ticket/1701 -- Endi S. Dewata -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-edewata-0253-Fixed-command-partial-failure-handling.patch Type: text/x-patch Size: 6923 bytes Desc: not available URL: From rcritten at redhat.com Tue Aug 23 21:43:55 2011
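Editor's example for the patch 41 thread above (added for this page; it is not FreeIPA's ipalib.x509 code nor Honza's patch): the checks Rob asked for on --external_cert_file and --external_ca_file, done with the cryptography package. Both files are loaded as PEM, the IPA CA subject is checked for CN=Certificate Authority (the rest of the expected subject is truncated in the archive, so only the CN is checked here), and the bundle is walked issuer by issuer instead of assuming the first certificate in it signed the CSR. On failure the result says what was expected or which CA is missing. The three-level PKI (external root, external intermediate, IPA CA), its names and its keys are constructed inside the block.

```python
"""Added example, not FreeIPA code: verify an externally signed IPA CA
certificate against a CA bundle, trying every bundle certificate as a
possible issuer and naming the missing CA on failure."""
import datetime
import re

from cryptography import x509
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509.oid import NameOID

PEM_BLOCK = re.compile(
    b"-----BEGIN CERTIFICATE-----.*?-----END CERTIFICATE-----", re.DOTALL)


def load_pem_bundle(data):
    """Every certificate in a PEM file, in file order.  A file without a
    PEM block (unreadable, DER, garbage) raises ValueError."""
    blocks = PEM_BLOCK.findall(data)
    if not blocks:
        raise ValueError("no PEM certificate block found")
    return [x509.load_pem_x509_certificate(block) for block in blocks]


def signed_by(cert, issuer):
    """True if the key in `issuer` verifies the signature on `cert`.
    The constructed PKI uses ECDSA; RSA would need a padding argument."""
    try:
        issuer.public_key().verify(
            cert.signature, cert.tbs_certificate_bytes,
            ec.ECDSA(cert.signature_hash_algorithm))
        return True
    except Exception:
        return False


def build_chain(leaf, candidates):
    """Walk from `leaf` towards a self-signed root, trying every candidate
    in the bundle, not only the first.  Returns (chain, missing): `missing`
    is the RFC 4514 DN of the first issuer no bundle certificate satisfies,
    or None when the chain closes on a root."""
    chain, current = [leaf], leaf
    seen = {leaf.fingerprint(hashes.SHA256())}
    while not (current.subject == current.issuer and signed_by(current, current)):
        signer = None
        for cand in candidates:
            if (cand.subject == current.issuer
                    and cand.fingerprint(hashes.SHA256()) not in seen
                    and signed_by(current, cand)):
                signer = cand
                break
        if signer is None:
            return chain, current.issuer.rfc4514_string()
        chain.append(signer)
        seen.add(signer.fingerprint(hashes.SHA256()))
        current = signer
    return chain, None


def verify_external_ca(ca_cert_pem, ca_bundle_pem, expected_cn="Certificate Authority"):
    """Subject check first, then a full chain from the IPA CA to a root using
    only the bundle.  The detail text states the expectation on failure."""
    ca_cert = load_pem_bundle(ca_cert_pem)[0]
    bundle = load_pem_bundle(ca_bundle_pem)
    cns = [a.value for a in ca_cert.subject.get_attributes_for_oid(NameOID.COMMON_NAME)]
    if cns != [expected_cn]:
        return {"ok": False, "detail": "CA certificate subject is %s, expected CN=%s"
                % (ca_cert.subject.rfc4514_string(), expected_cn)}
    chain, missing = build_chain(ca_cert, bundle)
    if missing is not None:
        return {"ok": False, "detail": "CA bundle is missing the issuer %s; "
                "chain verified so far: %s" % (
                    missing, " -> ".join(c.subject.rfc4514_string() for c in chain))}
    return {"ok": True, "detail": "verified chain of %d certificates" % len(chain)}


# Constructed sample PKI: external root -> external intermediate -> IPA CA.
def _name(cn):
    return x509.Name([x509.NameAttribute(NameOID.ORGANIZATION_NAME, "EXAMPLE.TEST"),
                      x509.NameAttribute(NameOID.COMMON_NAME, cn)])


def _cert(subject, issuer_name, issuer_key, key):
    now = datetime.datetime.now(datetime.timezone.utc)
    return (x509.CertificateBuilder()
            .subject_name(subject).issuer_name(issuer_name)
            .public_key(key.public_key())
            .serial_number(x509.random_serial_number())
            .not_valid_before(now - datetime.timedelta(days=1))
            .not_valid_after(now + datetime.timedelta(days=3650))
            .add_extension(x509.BasicConstraints(ca=True, path_length=None), critical=True)
            .sign(issuer_key, hashes.SHA256()))


def make_sample_pki():
    """PEM bytes: (IPA CA cert, bundle with the root listed before the
    intermediate, bundle that lacks the intermediate)."""
    root_key, inter_key, ipa_key = (ec.generate_private_key(ec.SECP256R1()) for _ in range(3))
    root = _cert(_name("External Root CA"), _name("External Root CA"), root_key, root_key)
    inter = _cert(_name("External Intermediate CA"), root.subject, root_key, inter_key)
    ipa = _cert(_name("Certificate Authority"), inter.subject, inter_key, ipa_key)
    pem = lambda c: c.public_bytes(serialization.Encoding.PEM)
    return pem(ipa), pem(root) + pem(inter), pem(root)


if __name__ == "__main__":
    ipa_pem, bundle, bundle_without_intermediate = make_sample_pki()
    print(verify_external_ca(ipa_pem, bundle))
    print(verify_external_ca(ipa_pem, bundle_without_intermediate))
```

Run directly it prints one success (root listed first in the bundle, so a first-cert-only check would have failed) and one failure naming the missing intermediate. Each fingerprint is used at most once during the walk, so a bundle that also contains the IPA CA certificate itself, or the same CA twice, cannot loop.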
From: rcritten at redhat.com (Rob Crittenden) Date: Tue, 23 Aug 2011 17:43:55 -0400 Subject: [Freeipa-devel] [PATCH] 34 Create FreeIPA CLI Plugin for the 389 Auto Membership plugin In-Reply-To: <1180CF1B-AB45-4E9C-B038-4A35D7E635F1@citrixonline.com> References: <99CC5FCC-73CE-43C1-9B73-4DDD69A4637D@citrixonline.com> <4E26F657.8030901@redhat.com> <3D1116E1-B782-4F43-B6DA-08E8FCFC34A1@citrixonline.com> <4E279A3C.5040900@redhat.com> <328D74A5-F560-4DC6-8E5F-413AFDCCAABC@citrixonline.com> <1311246577.17378.28.camel@dhcp-25-52.brq.redhat.com> <4E28384A.708@redhat.com> <0BF013EE-B1ED-4953-94ED-F3BA825CFE78@citrixonline.com> <60FB2C65-DFB4-41B4-A51F-78FE89BB1A1E@citrixonline.com> <1312202461.2484.4.camel@dhcp-25-52.brq.redhat.com> <4E36A27F.4020908@redhat.com> <4E37F3AD.1030801@redhat.com> <45137A51-4797-4A17-B3B0-A4301D9A0C85@citrixonline.com> <1312794245.29048.21.camel@dhcp-25-52.brq.redhat.com> <1312892259.19265.18.camel@dhcp-25-52.brq.redhat.com> <1313745402.2526.20.camel@dhcp-25-52.brq.redhat.com> <1180CF1B-AB45-4E9C-B038-4A35D7E635F1@citrixonline.com> Message-ID: <4E541F1B.4090007@redhat.com> JR Aquino wrote: > > On Aug 19, 2011, at 2:16 AM, Martin Kosek wrote: > >> Hi JR, >> >> I get to your plugin again. You can see my findings below. >> >> On Tue, 2011-08-09 at 22:41 +0000, JR Aquino wrote: >> ... >>> Ok New Patch attached. >>> >>> I believe this addresses the above. >>> >>> 1. Requires(pre): 389-ds-base>= 1.2.9.5-1 >> >> 1) Please, remove the change to FreeIPA spec, its no longer needed since >> we shipped version 2.1 and it already requires sufficient 389-ds-base >> version. > > Done. > >> >>> >>> 2. replica-automember.ldif added for dsinstance to install during replica installs: >>> +dn: cn=Auto Membership Plugin,cn=plugins,cn=config >>> +changetype: modify >>> +add: nsslapd-pluginConfigArea >>> +nsslapd-pluginConfigArea: cn=automember,cn=etc,$SUFFIX >> >> 2) OK. 
I would do it a bit differently - have one LDIF for >> nsslapd-pluginConfigArea setting and second for creating the base >> automember structure. Master would then use both LDIFs and a replica >> both of them. We would then be without duplicates in LDIF. But your way >> is acceptable. > > Please allow the 2 ldif's in as they are. > > I tried to split them to leverage cn=config change in common, however, I encountered a 389 ds bug. > I will be opening a bug with Nathan in BZ to address the bug. If you feel strongly, we can either: > > A: Accept the two LDIFs as is and revisit after a newer version of 389 ds is available. > B: Wait until 389 ds addresses the bug and make the minor modification you suggested above. > >> >>> >>> 3. autoMemberScope is now set for each: >>> groups: cn=users,cn=accounts,$SUFFIX >>> hostgroups: cn=computers,cn=accounts,$SUFFIX >> >> OK >> >>> >>> 4. Corrected examples >>> Set the default target group: >>> ipa automember-default-group-set --default-group=webservers hostgroup >>> ipa automember-default-group-set --default-group=ipausers group >>> >>> Set the default target group: >>> ipa automember-default-group-remove hostgroup >>> ipa automember-default-group-remove group >>> >>> Show the default target group: >>> ipa automember-default-group-show hostgroup >>> ipa automember-default-group-show group >>> >>> 5. Corrected examples >>> Add a condition to the rule: >>> ipa automember-add-condition --key=fqdn --type=hostgroup --inclusive-regex=^web[1-9+]\.example\.com webservers >> >> 3) Please fix the regex to ^web[1-9]+\.example\.com. I think it's just a >> mistake - right now for example a host web11.example.com does not match. > > Fixed > >> >>> ipa automember-add-condition --key=manager --type=group --inclusive-regex=^mscott admins >>> >> >> 4) I think you wanted to use devel rule instead of non-existent "admins" >> automember rule. >> > > You are correct, this has been fixed.
> >>> Add an exclusive condition to the rule to prevent auto assignment: >>> ipa automember-add-condition --key=fqdn --type=hostgroup --exclusive-regex=^web5\.example\.com webservers >>> >>> Remove a condition from the rule: >>> ipa automember-remove-condition --key=fqdn --type=hostgroup --inclusive-regex=^www[1-9+]\.example\.com webservers >> >> 5) The same as in 3) > > Fixed > >> >>> >>> 6. Correct bug for adding duplicate conditions. Included test for it in the test suite. >>> >> >> OK. Here are my additional findings: >> >> 6) There are some more example commands in doc which are not complete and >> require some user typing: >> >> Display an automember rule: >> ipa automember-show webservers >> >> Delete an automember rule: >> ipa automember-del webservers >> >> Grouping type option is missing > > Fixed. Added the appropriate flags in the examples > >> >> 7) I get an internal error when running examples from the automember doc: >> # ipa automember-add --type=group devel >> ----------------------------- >> Added automember rule "devel" >> ----------------------------- >> Automember Rule: devel >> # ipa automember-add-condition --key=manager --type=group --inclusive-regex=^mscott admins >> ipa: ERROR: an internal error has occurred > > Fixed. > >> >> >> That's all. The plugin gets better with every version, I think we may >> soon be ready for pushing - when all of the issues are resolved. >> >> Martin >> > > Please let me know how it looks now. > Looks lots better, just a couple of nits: * The default-group api has type as an arg and everywhere else it is --type, can we make it consistent? We can argue about this with Martin tomorrow if you'd like. * The tests focus mainly on bucket allocation, it also needs to test adding/removing conditions and rules. I wonder if there should actually be two test suites, one to test the basics of the plugin and one to make sure it operates properly when creating entries.
* Can you document in the ldifs and the installer why there are separate ones for master and replicas (for dsinstance.py I think you can just say # see ldifs for details). rob From ayoung at redhat.com Wed Aug 24 01:37:48 2011 
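Editor's example for the automember thread above (added for this page; it is neither the 389-ds Auto Membership plug-in nor the CLI plug-in from JR's patch): a small model of how inclusive and exclusive regex conditions pick a target group, run over constructed host entries with both the original doc regex ^web[1-9+]\.example\.com and Martin's corrected ^web[1-9]+\.example\.com. It shows why web11 fell through with the first form and what the stray '+' inside the character class actually matched. The default group name, the host list and the single-definition simplification are assumptions.

```python
"""Added example, not 389-ds or FreeIPA code: automember-style condition
evaluation over constructed host entries."""
import re

# Constructed rules in the shape of the thread's doc examples.  The first
# carries the character-class typo, the second the corrected regex.
RULE_BUGGY = {"name": "webservers", "key": "fqdn",
              "inclusive": [r"^web[1-9+]\.example\.com"],
              "exclusive": [r"^web5\.example\.com"]}
RULE_FIXED = {"name": "webservers", "key": "fqdn",
              "inclusive": [r"^web[1-9]+\.example\.com"],
              "exclusive": [r"^web5\.example\.com"]}

DEFAULT_GROUP = "unsorted-hosts"   # assumed default target group name

# Constructed host entries.  "web+.example.com" is not a real hostname; it
# is here only to show what '[1-9+]' accepts.
HOSTS = [
    {"fqdn": ["web1.example.com"]},
    {"fqdn": ["web11.example.com"]},
    {"fqdn": ["web5.example.com"]},
    {"fqdn": ["web+.example.com"]},
    {"fqdn": ["db1.example.com"]},
]


def rule_matches(rule, entry):
    """At least one inclusive regex must match a value of the key attribute
    and no exclusive regex may match; exclusive conditions win.  The
    regexes are searched, not anchored, hence the leading '^' in the docs."""
    values = entry.get(rule["key"], [])
    included = any(re.search(rx, v) for rx in rule["inclusive"] for v in values)
    excluded = any(re.search(rx, v) for rx in rule["exclusive"] for v in values)
    return included and not excluded


def assign(entry, rules, default_group=DEFAULT_GROUP):
    """Target groups for the entry, or the default group when no rule matches."""
    groups = [r["name"] for r in rules if rule_matches(r, entry)]
    return groups if groups else [default_group]


def assignments(rules):
    """Map every constructed host to its target groups under `rules`."""
    return {h["fqdn"][0]: assign(h, rules) for h in HOSTS}


if __name__ == "__main__":
    for label, rule in (("buggy", RULE_BUGGY), ("fixed", RULE_FIXED)):
        print(label, assignments([rule]))
```

With the typo, web11 lands in the default group and the nonsense name web+ is accepted as a web server; with the fix, web1 and web11 are included, web5 is kept out by the exclusive condition, and everything else goes to the default group.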
From: ayoung at redhat.com (Adam Young) Date: Tue, 23 Aug 2011 21:37:48 -0400 Subject: [Freeipa-devel] [PATCH] 0283-enable-proxy-for-dogtag In-Reply-To: <4E4EA415.9010907@redhat.com> References: <4E4E9B34.10309@redhat.com> <4E4EA415.9010907@redhat.com> Message-ID: <4E5455EC.2020505@redhat.com> NACK. Replicate uses the install code, which grabs the local constants. Need to extend it to use the local constants for a base install, but the remote constants for the replica installs. On 08/19/2011 01:57 PM, Dmitri Pal wrote: > On 08/19/2011 01:19 PM, Adam Young wrote: >> The complete solution for this patch requires changes in Dogtag that >> Ade Lee is working on right now. In order to test, I have provided a >> couple of files that I have been using: >> >> >> 1. Apply patch, build and install IPA rpms, run ipaserver-install as >> per usual. >> 2. Move the dogtag.conf file into /etc/httpd/conf.d directory >> 3. Run the proxy_dogtag.py script to modify the Dogtag instance to >> accept AJP connections from httpd so httpd can act as a proxy >> 4. Restart IPA >> >> >> To test: >> >> 1. add a host. >> 2. Generate a csr: >> http://freeipa.org/page/Certificate_Authority#Request_a_certificate >> 3. request a certificate for the newly added host. >> 4. Optionally, Revoke the certificate for the host >> > > > Please do not forget to test the proxy test when replica does not have > the CA installed and has to forward the request to the one that has. > >> >> >> _______________________________________________ >> Freeipa-devel mailing list >> Freeipa-devel at redhat.com >> https://www.redhat.com/mailman/listinfo/freeipa-devel > > > -- > Thank you, > Dmitri Pal > > Sr. Engineering Manager IPA project, > Red Hat Inc. > > > ------------------------------- > Looking to carve out IT costs?
> www.redhat.com/carveoutcosts/ > > > > > _______________________________________________ > Freeipa-devel mailing list > Freeipa-devel at redhat.com > https://www.redhat.com/mailman/listinfo/freeipa-devel -------------- next part -------------- An HTML attachment was scrubbed... URL: From edewata at redhat.com Wed Aug 24 02:10:28 2011 From: edewata at redhat.com (Endi Sukma Dewata) Date: Tue, 23 Aug 2011 21:10:28 -0500 Subject: [Freeipa-devel] [PATCH] 254 Fixed default map type in automount map adder dialog. Message-ID: <4E545D94.9010805@redhat.com> The adder dialog for automount map has been modified to select the direct map by default. Ticket #1698 -- Endi S. Dewata -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-edewata-0254-Fixed-default-map-type-in-automount-map-adder-dialog.patch Type: text/x-patch Size: 6485 bytes Desc: not available URL: From mkosek at redhat.com Wed Aug 24 06:59:50 2011 From: mkosek at redhat.com (Martin Kosek) Date: Wed, 24 Aug 2011 08:59:50 +0200 Subject: [Freeipa-devel] [PATCH] 848 suppress debug logging in ipactl In-Reply-To: <4E4ED1D8.3030404@redhat.com> References: <4E4ED1D8.3030404@redhat.com> Message-ID: <1314169192.2466.8.camel@dhcp-25-52.brq.redhat.com> On Fri, 2011-08-19 at 17:12 -0400, Rob Crittenden wrote: > If debugging was set in 389-ds then when ipactl was used to start the > services a ton of output could be produced. This patch will suppress it > by default. If the user wants this output they can add the --debug flag. > > rob Works fine, but I still have some comments. IIUC default log level for DS is 16384 (critical messages), the disturbing debug output from DS plug-ins is printed when log level >= 65536. Would it be wise to capture DS output when log level >= 65536 only so that user doesn't lose potential error messages when his error log setting is lower? Martin From pvoborni at redhat.com Wed Aug 24 08:40:44 2011
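Editor's example for Martin's log-level remark above (added for this page; not ipactl's code): nsslapd-errorlog-level is an additive bitmask, so the decision to swallow 389-ds output should test the plug-in debugging bit (65536) rather than compare the whole value with 65536, otherwise a level such as 262144 (ACL summary only) would be treated as plug-in chatter. The dse.ldif fragment is constructed; the bit table follows the 389-ds documentation and should be checked against the version in use.

```python
"""Added example, not ipactl code: read nsslapd-errorlog-level from a
cn=config LDIF fragment and decide whether to capture DS output."""

# Additive error log bits as documented for 389-ds (verify for your version).
ERRORLOG_BITS = {
    1: "trace function calls",
    2: "packet handling",
    4: "heavy trace output",
    8: "connection management",
    16: "packets sent/received",
    32: "search filter processing",
    64: "config file processing",
    128: "access control list processing",
    2048: "log entry parsing",
    4096: "housekeeping",
    8192: "replication",
    16384: "default: critical errors and messages always logged",
    32768: "database entry parsing",
    65536: "plug-in",
    262144: "access control summary",
}
DEFAULT_LEVEL = 16384
PLUGIN_DEBUG = 65536

# Constructed dse.ldif fragment: default level plus plug-in debugging.
SAMPLE_DSE = """dn: cn=config
objectClass: top
objectClass: extensibleObject
cn: config
nsslapd-errorlog-level: 81920
"""


def errorlog_level(dse_ldif):
    """nsslapd-errorlog-level from a cn=config LDIF text; 389-ds uses the
    default level when the attribute is absent."""
    for line in dse_ldif.splitlines():
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == "nsslapd-errorlog-level":
            return int(value.strip())
    return DEFAULT_LEVEL


def enabled_categories(level):
    """Names of the categories switched on in a level value."""
    return [name for bit, name in sorted(ERRORLOG_BITS.items()) if level & bit]


def capture_ds_output(level, debug_flag=False):
    """Swallow the directory server's start-up output only when plug-in
    debugging is on and the user did not pass --debug.  81920 (plug-in plus
    default) and 262144 (ACL summary) are both >= 65536, but only the
    former has the plug-in bit set."""
    if debug_flag:
        return False
    return bool(level & PLUGIN_DEBUG)


if __name__ == "__main__":
    level = errorlog_level(SAMPLE_DSE)
    print(level, enabled_categories(level), capture_ds_output(level))
```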
From: pvoborni at redhat.com (Petr Vobornik) Date: Wed, 24 Aug 2011 10:40:44 +0200 Subject: [Freeipa-devel] [PATCH] 005 Show error in serial association In-Reply-To: <4E541718.4050700@redhat.com> References: <4E4BE090.4050308@redhat.com> <4E4D3D16.8030406@redhat.com> <4E52708D.9030809@redhat.com> <4E528C54.5000000@redhat.com> <4E539058.3040907@redhat.com> <4E541718.4050700@redhat.com> Message-ID: <4E54B90C.60405@redhat.com> On 08/23/2011 11:09 PM, Endi Sukma Dewata wrote: > On 8/23/2011 6:34 AM, Petr Vobornik wrote: > > Please take a look at the attached patch. This should be applied on top > of your patch. It does several things: > > 1. As mentioned over IRC, we should be treating these partial failures as > a success (the command does return a success). This way it's not going > to show the Retry button. > > 2. Instead of concatenating the messages, they are now added into the > error list. This way they will appear nicely as a list. > > 3. If the error dialog appears, it will wait until you click OK before > continuing. > > 4. Since some of the membership operations are done using serial > associator you might get multiple dialogs, but this should be gone once > we fix #1688. > > Please feel free to merge this patch into yours if you want to make > further modifications. Or we can push both patches if you think it's > good enough. It's good enough for #1628 so we can push both patches. > > I can think of some more improvements, but it can be done separately. > > > I'm not sure if we need to show the completed operations because we > should be able to infer that from the command we're trying to execute > and the error message we're getting. No error means it's completed. > > Maybe we should try to provide a better error message, e.g. "Some > failures occurred when removing users from group editors". This probably isn't important. If a user is removing some users from a group he should know that the message "Some parts of operation failed" is related to his action.
> Also, we
> might want to change the 'Operations Error' title because it's actually
> a success. How about 'Operation Completed'? This can be done separately.

Agree

>
> If you think showing the completed operations would be useful please
> file a ticket and we'll discuss it. We might be able to show the
> completed operations under 'Show details'.

It can be useful, but I think it isn't high priority. I filed an enhancement ticket: https://fedorahosted.org/freeipa/ticket/1702

>
>> Other problem in error dialog is that there are used untranslated
>> strings. We should modify it to use translated and as fallback (like in
>> init method) untranslated.
>
> Let's put the locations of any untranslated messages we find into this
> ticket: https://fedorahosted.org/freeipa/ticket/1701
>

-- 
Petr Vobornik

From mkosek at redhat.com Wed Aug 24 09:57:55 2011
From: mkosek at redhat.com (Martin Kosek)
Date: Wed, 24 Aug 2011 11:57:55 +0200
Subject: [Freeipa-devel] [PATCH] 851 add password indicator
In-Reply-To: <4E52D7AC.5010807@redhat.com>
References: <4E52D7AC.5010807@redhat.com>
Message-ID: <1314179877.2466.12.camel@dhcp-25-52.brq.redhat.com>

On Mon, 2011-08-22 at 18:26 -0400, Rob Crittenden wrote:
> We used to calculate has_keytab based on whether krblastpwdchange was
> set. We did this because you can't see whether a krbPrincipalKey is set.
>
> We had a need to see whether a password was set on hosts. What I did was
> create a new ACI that allows search on krbPrincipalKey and userPassword.
> This means you can search for attribute existence and gives us a better
> picture of what entries have.
>
> This adds a new fake attribute, has_password. I've added has_password
> and has_keytab to user objects as well so you can see whether a password
> is set on a user (and may be useful during migration).
>
> rob

This all seems to work fine for hosts. With the user object, I just wonder if it is possible to detect if a user has a keytab, but I guess not. I generated a keytab for a user but I have not seen any valuable difference in the user's LDAP data.

This way, has_keytab seems to always have the same value as has_password even though no keytab has been generated. Wouldn't has_keytab=True confuse users?

Martin

From mkosek at redhat.com Wed Aug 24 10:15:26 2011
From: mkosek at redhat.com (Martin Kosek)
Date: Wed, 24 Aug 2011 12:15:26 +0200
Subject: [Freeipa-devel] [PATCH] 850 use pthread read/write locks instead of NSPR RW locks
In-Reply-To: <4E5273DC.40107@redhat.com>
References: <4E5273DC.40107@redhat.com>
Message-ID: <1314180928.2466.18.camel@dhcp-25-52.brq.redhat.com>

On Mon, 2011-08-22 at 11:21 -0400, Rob Crittenden wrote:
> NSPR PR_RWLocks are not re-entrant, use pthread read-write locks instead.
>
> rob

The reference ticket in the commit message is wrong - I think you wanted to reference ticket 1635.

This all looks good. But I was thinking - why don't we use the locking interface from slapi-plugin.h? I mean slapi_new_rwlock(), slapi_rwlock_rdlock etc. implemented in BZ 730387. It would let us abstract from the underlying locking details (pthread versus NSPR) and just use the slapi plugin interface + save possible changes to the locking mechanism in the future.

Martin

From abokovoy at redhat.com Wed Aug 24 10:57:55 2011
From: abokovoy at redhat.com (Alexander Bokovoy)
Date: Wed, 24 Aug 2011 13:57:55 +0300
Subject: [Freeipa-devel] [PATCH] 850 use pthread read/write locks instead of NSPR RW locks
In-Reply-To: <1314180928.2466.18.camel@dhcp-25-52.brq.redhat.com>
References: <4E5273DC.40107@redhat.com> <1314180928.2466.18.camel@dhcp-25-52.brq.redhat.com>
Message-ID: <4E54D933.90800@redhat.com>

On 24.08.2011 13:15, Martin Kosek wrote:
> On Mon, 2011-08-22 at 11:21 -0400, Rob Crittenden wrote:
>> NSPR PR_RWLocks are not re-entrant, use pthread read-write locks instead.
>>
>> rob
>
> The reference ticket in the commit message is wrong - I think you wanted to
> reference ticket 1635.
>
> This all looks good. But I was thinking - why don't we use the locking
> interface from slapi-plugin.h? I mean slapi_new_rwlock(),
> slapi_rwlock_rdlock etc. implemented in BZ 730387. It would let us
> abstract from the underlying locking details (pthread versus NSPR) and just
> use the slapi plugin interface + save possible changes to the locking
> mechanism in the future.

Do we have any ETA for the release of the bug? It is not yet released.

-- 
/ Alexander Bokovoy

From mkosek at redhat.com Wed Aug 24 11:09:12 2011
From: mkosek at redhat.com (Martin Kosek)
Date: Wed, 24 Aug 2011 13:09:12 +0200
Subject: [Freeipa-devel] [PATCH] 34 Create FreeIPA CLI Plugin for the 389 Auto Membership plugin
In-Reply-To: <4E541F1B.4090007@redhat.com>
References: <99CC5FCC-73CE-43C1-9B73-4DDD69A4637D@citrixonline.com> <4E26F657.8030901@redhat.com> <3D1116E1-B782-4F43-B6DA-08E8FCFC34A1@citrixonline.com> <4E279A3C.5040900@redhat.com> <328D74A5-F560-4DC6-8E5F-413AFDCCAABC@citrixonline.com> <1311246577.17378.28.camel@dhcp-25-52.brq.redhat.com> <4E28384A.708@redhat.com> <0BF013EE-B1ED-4953-94ED-F3BA825CFE78@citrixonline.com> <60FB2C65-DFB4-41B4-A51F-78FE89BB1A1E@citrixonline.com> <1312202461.2484.4.camel@dhcp-25-52.brq.redhat.com> <4E36A27F.4020908@redhat.com> <4E37F3AD.1030801@redhat.com> <45137A51-4797-4A17-B3B0-A4301D9A0C85@citrixonline.com> <1312794245.29048.21.camel@dhcp-25-52.brq.redhat.com> <1312892259.19265.18.camel@dhcp-25-52.brq.redhat.com> <1313745402.2526.20.camel@dhcp-25-52.brq.redhat.com> <1180CF1B-AB45-4E9C-B038-4A35D7E635F1@citrixonline.com> <4E541F1B.4090007@redhat.com>
Message-ID: <1314184159.2466.25.camel@dhcp-25-52.brq.redhat.com>

On Tue, 2011-08-23 at 17:43 -0400, Rob Crittenden wrote:
...
>
> Looks lots better, just a couple of nits:
>
> * The default-group api has type as an arg and everywhere else it is
> --type, can we make it consistent? We can argue about this with Martin
> tomorrow if you'd like.
>

I suggested this API to JR when he had difficulties using the IPA command without an argument, i.e. ipa automember-default-group-remove --type=group. I wanted to keep the automember-default-group-* commands consistent, compared to having automember-default-group-{remove, show} with TYPE as an argument and automember-default-group-add with TYPE as an option.

Martin

From rcritten at redhat.com Wed Aug 24 11:35:37 2011
From: rcritten at redhat.com (Rob Crittenden)
Date: Wed, 24 Aug 2011 07:35:37 -0400
Subject: [Freeipa-devel] [PATCH] 848 suppress debug logging in ipactl
In-Reply-To: <1314169192.2466.8.camel@dhcp-25-52.brq.redhat.com>
References: <4E4ED1D8.3030404@redhat.com> <1314169192.2466.8.camel@dhcp-25-52.brq.redhat.com>
Message-ID: <4E54E209.9050605@redhat.com>

Martin Kosek wrote:
> On Fri, 2011-08-19 at 17:12 -0400, Rob Crittenden wrote:
>> If debugging was set in 389-ds then when ipactl was used to start the
>> services a ton of output could be produced. This patch will suppress it
>> by default. If the user wants this output they can add the --debug flag.
>>
>> rob
>
> Works fine, but I still have some comments. IIUC the default log level for
> DS is 16384 (critical messages); the disturbing debug output from DS
> plug-ins is printed when log level >= 65536.
>
> Would it be wise to capture DS output only when log level >= 65536 so
> that the user doesn't lose potential error messages when his error log
> setting is lower?
>
> Martin
>

The default log level is 0. The worst levels are 1, 2 and 4 but I didn't want to wire in too much intimate knowledge of 389-ds. If the user wants to see these messages they can either run with --debug, or the output also goes to the 389-ds log.

rob

From rcritten at redhat.com Wed Aug 24 11:40:24 2011
From: rcritten at redhat.com (Rob Crittenden)
Date: Wed, 24 Aug 2011 07:40:24 -0400
Subject: [Freeipa-devel] [PATCH] 851 add password indicator
In-Reply-To: <1314179877.2466.12.camel@dhcp-25-52.brq.redhat.com>
References: <4E52D7AC.5010807@redhat.com> <1314179877.2466.12.camel@dhcp-25-52.brq.redhat.com>
Message-ID: <4E54E328.6060009@redhat.com>

Martin Kosek wrote:
> On Mon, 2011-08-22 at 18:26 -0400, Rob Crittenden wrote:
>> We used to calculate has_keytab based on whether krblastpwdchange was
>> set. We did this because you can't see whether a krbPrincipalKey is set.
>>
>> We had a need to see whether a password was set on hosts. What I did was
>> create a new ACI that allows search on krbPrincipalKey and userPassword.
>> This means you can search for attribute existence and gives us a better
>> picture of what entries have.
>>
>> This adds a new fake attribute, has_password. I've added has_password
>> and has_keytab to user objects as well so you can see whether a password
>> is set on a user (and may be useful during migration).
>>
>> rob
>
> This all seems to work fine for hosts. With the user object, I just wonder
> if it is possible to detect if a user has a keytab, but I guess not. I
> generated a keytab for a user but I have not seen any valuable difference
> in the user's LDAP data.
>
> This way, has_keytab seems to always have the same value as has_password
> even though no keytab has been generated. Wouldn't has_keytab=True
> confuse users?
>
> Martin
>

If you search as Directory Manager you can see the attributes.

The typical case is if the user has a password they have a keytab; our password plugin enforces that.

If you are migrating users though you can have the case where you have a password but not a keytab.

For users we can suppress these if --all isn't requested, if you'd like.

rob

From rcritten at redhat.com Wed Aug 24 11:41:15 2011
From: rcritten at redhat.com (Rob Crittenden)
Date: Wed, 24 Aug 2011 07:41:15 -0400
Subject: [Freeipa-devel] [PATCH] 850 use pthread read/write locks instead of NSPR RW locks
In-Reply-To: <1314180928.2466.18.camel@dhcp-25-52.brq.redhat.com>
References: <4E5273DC.40107@redhat.com> <1314180928.2466.18.camel@dhcp-25-52.brq.redhat.com>
Message-ID: <4E54E35B.5000205@redhat.com>

Martin Kosek wrote:
> On Mon, 2011-08-22 at 11:21 -0400, Rob Crittenden wrote:
>> NSPR PR_RWLocks are not re-entrant, use pthread read-write locks instead.
>>
>> rob
>
> The reference ticket in the commit message is wrong - I think you wanted to
> reference ticket 1635.
>
> This all looks good. But I was thinking - why don't we use the locking
> interface from slapi-plugin.h? I mean slapi_new_rwlock(),
> slapi_rwlock_rdlock etc. implemented in BZ 730387. It would let us
> abstract from the underlying locking details (pthread versus NSPR) and just
> use the slapi plugin interface + save possible changes to the locking
> mechanism in the future.
>
> Martin
>

The 389-ds team suggested I go ahead with the pthread fix as their API may not be complete soon.

rob

From mkosek at redhat.com Wed Aug 24 11:56:09 2011
From: mkosek at redhat.com (Martin Kosek)
Date: Wed, 24 Aug 2011 13:56:09 +0200
Subject: [Freeipa-devel] [PATCH] 848 suppress debug logging in ipactl
In-Reply-To: <4E54E209.9050605@redhat.com>
References: <4E4ED1D8.3030404@redhat.com> <1314169192.2466.8.camel@dhcp-25-52.brq.redhat.com> <4E54E209.9050605@redhat.com>
Message-ID: <1314186971.2466.26.camel@dhcp-25-52.brq.redhat.com>

On Wed, 2011-08-24 at 07:35 -0400, Rob Crittenden wrote:
> Martin Kosek wrote:
> > On Fri, 2011-08-19 at 17:12 -0400, Rob Crittenden wrote:
> >> If debugging was set in 389-ds then when ipactl was used to start the
> >> services a ton of output could be produced. This patch will suppress it
> >> by default. If the user wants this output they can add the --debug flag.
> >>
> >> rob
> >
> > Works fine, but I still have some comments. IIUC the default log level for
> > DS is 16384 (critical messages); the disturbing debug output from DS
> > plug-ins is printed when log level >= 65536.
> >
> > Would it be wise to capture DS output only when log level >= 65536 so
> > that the user doesn't lose potential error messages when his error log
> > setting is lower?
> >
> > Martin
> >
>
> The default log level is 0. The worst levels are 1, 2 and 4 but I didn't
> want to wire in too much intimate knowledge of 389-ds. If the user wants
> to see these messages they can either run with --debug, or the output
> also goes to the 389-ds log.
>
> rob

OK. ACK & Pushed to master, ipa-2-1.

Martin

From mkosek at redhat.com Wed Aug 24 12:02:01 2011
From: mkosek at redhat.com (Martin Kosek)
Date: Wed, 24 Aug 2011 14:02:01 +0200
Subject: [Freeipa-devel] [PATCH] 850 use pthread read/write locks instead of NSPR RW locks
In-Reply-To: <4E54E35B.5000205@redhat.com>
References: <4E5273DC.40107@redhat.com> <1314180928.2466.18.camel@dhcp-25-52.brq.redhat.com> <4E54E35B.5000205@redhat.com>
Message-ID: <1314187323.2466.27.camel@dhcp-25-52.brq.redhat.com>

On Wed, 2011-08-24 at 07:41 -0400, Rob Crittenden wrote:
> Martin Kosek wrote:
> > On Mon, 2011-08-22 at 11:21 -0400, Rob Crittenden wrote:
> >> NSPR PR_RWLocks are not re-entrant, use pthread read-write locks instead.
> >>
> >> rob
> >
> > The reference ticket in the commit message is wrong - I think you wanted to
> > reference ticket 1635.
> >
> > This all looks good. But I was thinking - why don't we use the locking
> > interface from slapi-plugin.h? I mean slapi_new_rwlock(),
> > slapi_rwlock_rdlock etc. implemented in BZ 730387. It would let us
> > abstract from the underlying locking details (pthread versus NSPR) and just
> > use the slapi plugin interface + save possible changes to the locking
> > mechanism in the future.
> >
> > Martin
> >
>
> The 389-ds team suggested I go ahead with the pthread fix as their API
> may not be complete soon.
>
> rob

OK - the fix is pretty straightforward then. ACK & Pushed to master, ipa-2-1.

Martin

From mkosek at redhat.com Wed Aug 24 12:14:03 2011
From: mkosek at redhat.com (Martin Kosek)
Date: Wed, 24 Aug 2011 14:14:03 +0200
Subject: [Freeipa-devel] [PATCH] 851 add password indicator
In-Reply-To: <4E54E328.6060009@redhat.com>
References: <4E52D7AC.5010807@redhat.com> <1314179877.2466.12.camel@dhcp-25-52.brq.redhat.com> <4E54E328.6060009@redhat.com>
Message-ID: <1314188045.2466.30.camel@dhcp-25-52.brq.redhat.com>

On Wed, 2011-08-24 at 07:40 -0400, Rob Crittenden wrote:
> Martin Kosek wrote:
> > On Mon, 2011-08-22 at 18:26 -0400, Rob Crittenden wrote:
> >> We used to calculate has_keytab based on whether krblastpwdchange was
> >> set. We did this because you can't see whether a krbPrincipalKey is set.
> >>
> >> We had a need to see whether a password was set on hosts. What I did was
> >> create a new ACI that allows search on krbPrincipalKey and userPassword.
> >> This means you can search for attribute existence and gives us a better
> >> picture of what entries have.
> >>
> >> This adds a new fake attribute, has_password. I've added has_password
> >> and has_keytab to user objects as well so you can see whether a password
> >> is set on a user (and may be useful during migration).
> >>
> >> rob
> >
> > This all seems to work fine for hosts. With the user object, I just wonder
> > if it is possible to detect if a user has a keytab, but I guess not. I
> > generated a keytab for a user but I have not seen any valuable difference
> > in the user's LDAP data.
> >
> > This way, has_keytab seems to always have the same value as has_password
> > even though no keytab has been generated. Wouldn't has_keytab=True
> > confuse users?
> >
> > Martin
> >
>
> If you search as Directory Manager you can see the attributes.

I am. That was a misunderstanding: I saw the key attributes, I just didn't know that our password plugin enforces the keytab.

>
> The typical case is if the user has a password they have a keytab; our
> password plugin enforces that.
>
> If you are migrating users though you can have the case where you have a
> password but not a keytab.

OK, this justifies the usefulness of has_keytab :-)

>
> For users we can suppress these if --all isn't requested, if you'd like.
>
> rob

Not necessary, let's keep it consistent with the host plugin.

ACK & Pushed to master, ipa-2-1.

Martin

From pvoborni at redhat.com Wed Aug 24 13:59:24 2011
From: pvoborni at redhat.com (Petr Vobornik)
Date: Wed, 24 Aug 2011 15:59:24 +0200
Subject: [Freeipa-devel] [PATCH] 007 Validation of details facet before update
Message-ID: <4E5503BC.4050105@redhat.com>

Validation of details facet before update
https://fedorahosted.org/freeipa/ticket/1676

The ticket is a duplicate of a server error, but it revealed a few UI errors.

Now performs validation of the details facet before update. If validation fails, a notification dialog is shown and the command isn't executed.
Fixed integer minimum and maximum value checking.
Read-only and non-writeable fields are no longer considered required.

-- 
Petr Vobornik

-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-pvoborni-0007-Validation-of-details-facet-before-update.patch
Type: text/x-patch
Size: 6836 bytes
Desc: not available
URL:

From abokovoy at redhat.com Wed Aug 24 14:21:14 2011
From: abokovoy at redhat.com (Alexander Bokovoy)
Date: Wed, 24 Aug 2011 17:21:14 +0300
Subject: [Freeipa-devel] [PATCHES] freeipa-v3
In-Reply-To: <4E5272F3.3020101@redhat.com>
References: <1314019851.20296.20.camel@willson.li.ssimo.org> <4E5272F3.3020101@redhat.com>
Message-ID: <4E5508DA.9070906@redhat.com>

On 22.08.2011 18:17, Alexander Bokovoy wrote:
> On 22.08.2011 16:30, Simo Sorce wrote:
>> As we finally branched ipa-2-1 from master we are now open to put 3.0
>> related material on the tree.
>>
>> Here is my rebased set of patches that apply on top of master:
>> http://fedorapeople.org/gitweb?p=simo/public_git/freeipa.git;a=summary
>>
>> They are in the freeipa-v3 branch.
>>
>> Please review and work with me to rebase/refactor any patch that would
>> get a nack. We will fix them until your liking and will finally emit
>> just one, huge, ACK, or NACK :)
> I went through the first 14 commits. ACK for the first 13.
>
> In 6385c80c6c71ae8c4d1f11230c8408bd4bf3f9e3 ipadb_realm_to_ldapi_uri()
> uses two string constants "ldapi://" and "%2fslapd-" four times each. It
> would be nice to #define them and use macros instead, purely for
> maintenance purposes.
>
> In the same function there is a comment with a typo (patch instead of path).
>
> These are minor and you probably can ignore them.
>
> I'll continue with the remaining ones tomorrow.

Finally went through all patches. Simo did make squash-in commits to address the found issues (which were discussed on #freeipa over the past few days). I don't have any more comments. ACK.

-- 
/ Alexander Bokovoy

From rcritten at redhat.com Wed Aug 24 14:58:27 2011
From: rcritten at redhat.com (Rob Crittenden)
Date: Wed, 24 Aug 2011 10:58:27 -0400
Subject: [Freeipa-devel] [PATCH] 852 remove more files in uninstaller
Message-ID: <4E551193.6040809@redhat.com>

We were missing a few 389-ds files and directories. This removes everything but the logs.

rob

-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-rcrit-852-uninstall.patch
Type: text/x-patch
Size: 1683 bytes
Desc: not available
URL:

From edewata at redhat.com Wed Aug 24 15:22:28 2011
From: edewata at redhat.com (Endi Sukma Dewata)
Date: Wed, 24 Aug 2011 10:22:28 -0500
Subject: [Freeipa-devel] [PATCH] 005 Show error in serial association
In-Reply-To: <4E54B90C.60405@redhat.com>
References: <4E4BE090.4050308@redhat.com> <4E4D3D16.8030406@redhat.com> <4E52708D.9030809@redhat.com> <4E528C54.5000000@redhat.com> <4E539058.3040907@redhat.com> <4E541718.4050700@redhat.com> <4E54B90C.60405@redhat.com>
Message-ID: <4E551734.6060605@redhat.com>

On 8/24/2011 3:40 AM, Petr Vobornik wrote:
> It's good enough for #1628 so we can push both patches.

Pushed to master and ipa-2-1.

-- 
Endi S. Dewata

From rcritten at redhat.com Wed Aug 24 15:38:04 2011
From: rcritten at redhat.com (Rob Crittenden)
Date: Wed, 24 Aug 2011 11:38:04 -0400
Subject: [Freeipa-devel] [PATCH] 853 remove upgrade state when uninstalling
Message-ID: <4E551ADC.1010803@redhat.com>

The upgrade process saves some information in the IPA sysrestore state. If any of this state remains after an uninstall then you will get an error during re-install.

Theoretically all this state should be removed as part of the upgrade process, but on the outside chance, let's remove the state at uninstall to prevent problems.

I've had just one report of this; it may have been due to a blown upgrade, I'm not sure. I've been unable to reproduce it, but at worst this is a noop and at best it allows easy re-installation.

This requires patch 852.

rob

-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-rcrit-853-unistall.patch
Type: text/x-patch
Size: 1499 bytes
Desc: not available
URL:

From ayoung at redhat.com Wed Aug 24 17:21:14 2011
From: ayoung at redhat.com (Adam Young)
Date: Wed, 24 Aug 2011 13:21:14 -0400
Subject: [Freeipa-devel] [PATCH] 0283-enable-proxy-for-dogtag
In-Reply-To: <4E5455EC.2020505@redhat.com>
References: <4E4E9B34.10309@redhat.com> <4E4EA415.9010907@redhat.com> <4E5455EC.2020505@redhat.com>
Message-ID: <4E55330A.9070906@redhat.com>

This version tells pkisilent to use the remote ports for cloning.

-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-admiyo-0283-2-enable-proxy-for-dogtag.patch
Type: text/x-patch
Size: 11476 bytes
Desc: not available
URL:

From mkosek at redhat.com Wed Aug 24 19:17:18 2011
From: mkosek at redhat.com (Martin Kosek)
Date: Wed, 24 Aug 2011 21:17:18 +0200
Subject: [Freeipa-devel] [PATCH] 111 Let Bind track data changes
In-Reply-To: <1313750976.2526.29.camel@dhcp-25-52.brq.redhat.com>
References: <1313410813.2633.28.camel@dhcp-25-52.brq.redhat.com> <4E492B91.5080506@redhat.com> <1313485147.2514.23.camel@dhcp-25-52.brq.redhat.com> <1313750976.2526.29.camel@dhcp-25-52.brq.redhat.com>
Message-ID: <1314213441.2466.35.camel@dhcp-25-52.brq.redhat.com>

On Fri, 2011-08-19 at 12:49 +0200, Martin Kosek wrote:
...
> 2) Make sure that current DNS behavior is well documented, and users are
> aware that when they change/add a record, it may be seen after
> $cache_ttl seconds or when they reload the cache using `rndc reload`.
>
> 3) Tickets 1114, 1125 and 1126 would be closed as a documentation fix.

I created a documentation ticket for Deon:
https://fedorahosted.org/freeipa/ticket/1709

The proposed change to the DNS documentation is attached to this mail and to ticket 1709. It is dependent on my patch 111 CLI, but it shouldn't change greatly.

Martin

-------------- next part --------------
10.1. About DNS in FreeIPA

...

[DELETE]
FreeIPA communicates with both the BIND services and the LDAP directory using the bind-dyndb-ldap plug-in.

[ADD_START]
10.1.1 DNS and Directory Server

The BIND service communicates with Directory Server using the bind-dyndb-ldap plug-in. When FreeIPA is configured with --setup-dns or with the ipa-dns-install command (see chapter 10.2), a "dynamic-db" section configuring the plug-in is created in /etc/named.conf. A properly configured plug-in is then able to provide the name server with DNS records from Directory Server. The configuration in the dynamic-db section of /etc/named.conf can later be changed to tune the plug-in's behavior.

10.1.2 DNS cache

bind-dyndb-ldap contains a DNS record cache for zones and successful DNS resolutions in order to increase Directory Server performance. Without the cache the name server would have to run an LDAP query for every DNS resolution. The default validity of a DNS record in the cache is set to 120 seconds, i.e. a change to an existing DNS record may not be resolvable instantly, but at most within 120 seconds. If the DNS record change should be propagated immediately, the name server should be reloaded using the following command:

# rndc reload

The default value of the cache validity may be changed in /etc/named.conf. If the Directory Server is under heavy load and/or records are not updated very often, the cache validity can be set to a higher value using the cache_ttl argument of bind-dyndb-ldap. The following example shows how to change the default cache validity in /etc/named.conf:

dynamic-db "ipa" {
	...
	arg "cache_ttl 60";
};

When the name service is restarted, the DNS record cache validity will be set to 60 seconds.

10.1.3 New zones

By default, the bind-dyndb-ldap plugin resolves only those zones that were configured in the Directory Server at the time the name server started and were enabled. In order to enable DNS resolution for a new zone or a disabled one, there are 3 ways:

1) Reload the name service when a new zone is added, using the following command:

# rndc reload

2) Let bind-dyndb-ldap periodically poll for new zones defined in the FreeIPA controlled Directory Server. This is the default option when FreeIPA is being configured with DNS. By default this is set to 60 seconds, i.e. every 60 seconds bind-dyndb-ldap makes an LDAP query for new zones and if any are detected, the zones (and the DNS records in them) are loaded and made resolvable. The default value can be changed during ipa-server-install or ipa-dns-install with the option --zone-refresh. To change the value for an existing FreeIPA installation, the bind-dyndb-ldap argument zone_refresh (set to the number of seconds between polls) can be defined in /etc/named.conf:

dynamic-db "ipa" {
	...
	arg "zone_refresh 30";
};

In the above example, the bind-dyndb-ldap zone refresh has been set to 30 seconds.

3) Let bind-dyndb-ldap use the LDAP persistent search mechanism to immediately get a notification when a new DNS zone is added. By default, this feature is disabled and can be enabled with the --zone-notif install option. To enable this feature for an existing FreeIPA installation, the bind-dyndb-ldap argument psearch (set to "yes" or "no") can be defined in /etc/named.conf:

dynamic-db "ipa" {
	...
	arg "psearch yes";
};

In the above example, the persistent search feature will be enabled.
[ADD_END]

...

10.5. Adding DNS Zones

...

To add a zone entry:

1. Add the new zone. For example:

$ ipa dnszone-add newserver.example.com --admin-email=admin at example.com --minimum=3000 --allow-dynupdate

2. [REPLACE_STEP2_START]According to the chosen new zone detection mechanism described in 10.1.3, either reload the name server, wait for the next bind-dyndb-ldap new zone poll, or have it immediately resolvable with the persistent search option.[REPLACE_STEP2_END]

From jdennis at redhat.com Wed Aug 24 19:24:11 2011
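The three bind-dyndb-ldap arguments that the documentation draft above discusses (cache_ttl, zone_refresh, psearch) decide how long a changed record or a new zone can stay invisible, so an operator wants a quick way to read the effective values out of /etc/named.conf. The following checker is an added example and is not FreeIPA code, nor part of the documentation draft: it extracts the `arg "name value";` lines of the `dynamic-db "ipa"` block, applies the defaults the draft states (120, 60 and "no") for anything not set, rejects duplicated or malformed arguments, and summarises the worst-case propagation delay. The sample named.conf text, the function names and the DnsSettings class are constructed for this example; only the argument names and defaults come from the text above.

```python
"""Report the effective bind-dyndb-ldap tuning from a named.conf dynamic-db block.

Added example; not FreeIPA code and not part of the documentation draft.
Argument names and defaults (cache_ttl 120, zone_refresh 60, psearch no)
are taken from the documentation text; everything else is constructed.
"""
import re
from dataclasses import dataclass

# Defaults as stated in the documentation text.
DEFAULTS = {"cache_ttl": "120", "zone_refresh": "60", "psearch": "no"}

# Constructed sample (example.com values); note the // inside the ldapi URI
# and the trailing # comment, both of which a naive comment stripper mishandles.
SAMPLE_NAMED_CONF = '''
options {
    directory "/var/named";   // plain BIND option, ignored here
};
/* created by ipa-dns-install */
dynamic-db "ipa" {
    library "ldap.so";
    arg "uri ldapi://%2fvar%2frun%2fslapd-EXAMPLE-COM.socket";
    arg "base cn=dns, dc=example,dc=com";
    arg "cache_ttl 60";
    arg "zone_refresh 30";   # psearch left at its default
};
'''

_DYNAMIC_DB_RE = re.compile(r'dynamic-db\s+"([^"]+)"\s*\{(.*?)\};', re.S)
_ARG_RE = re.compile(r'\barg\s+"(\S+)\s+([^"]*)"\s*;')


def _strip_comments(text):
    """Drop /* */, // and # comments without touching quoted strings."""
    out, i, n, in_string = [], 0, len(text), False
    while i < n:
        c = text[i]
        if in_string or c == '"':          # copy string bodies verbatim
            in_string = not in_string if c == '"' else in_string
            out.append(c)
            i += 1
        elif text.startswith("/*", i):
            end = text.find("*/", i + 2)
            i = n if end < 0 else end + 2
        elif c == "#" or text.startswith("//", i):
            end = text.find("\n", i)       # keep the newline itself
            i = n if end < 0 else end
        else:
            out.append(c)
            i += 1
    return "".join(out)


def parse_dynamic_db(conf_text, name="ipa"):
    """Return {arg_name: value} for the dynamic-db block called `name`.

    Raises ValueError if the block is missing or an arg is repeated, since a
    duplicated arg leaves the effective value ambiguous.
    """
    for db_name, body in _DYNAMIC_DB_RE.findall(_strip_comments(conf_text)):
        if db_name != name:
            continue
        args = {}
        for key, value in _ARG_RE.findall(body):
            if key in args:
                raise ValueError("duplicate arg %r in dynamic-db %r" % (key, name))
            args[key] = value.strip()
        return args
    raise ValueError('no dynamic-db "%s" section found' % name)


@dataclass
class DnsSettings:
    cache_ttl: int      # seconds a cached record stays valid
    zone_refresh: int   # seconds between polls for new zones
    psearch: bool       # LDAP persistent search for new zones


def effective_settings(args):
    """Merge the documented defaults with the parsed args and validate them."""
    merged = dict(DEFAULTS, **args)
    try:
        cache_ttl, zone_refresh = int(merged["cache_ttl"]), int(merged["zone_refresh"])
    except ValueError:
        raise ValueError("cache_ttl and zone_refresh must be integers")
    if cache_ttl < 0 or zone_refresh < 0:
        raise ValueError("cache_ttl and zone_refresh must not be negative")
    psearch = merged["psearch"].strip().lower()
    if psearch not in ("yes", "no"):
        raise ValueError('psearch must be "yes" or "no", got %r' % psearch)
    return DnsSettings(cache_ttl, zone_refresh, psearch == "yes")


def propagation_summary(settings):
    """Worst-case delays implied by the documentation text, one line each."""
    lines = ["record change: visible within %d s, or at once after 'rndc reload'"
             % settings.cache_ttl]
    if settings.psearch:
        lines.append("new zone: loaded immediately (LDAP persistent search)")
    else:
        lines.append("new zone: loaded by the next poll, at most %d s, or after 'rndc reload'"
                     % settings.zone_refresh)
    return lines


if __name__ == "__main__":
    settings = effective_settings(parse_dynamic_db(SAMPLE_NAMED_CONF))
    print(settings)
    print("\n".join(propagation_summary(settings)))
```

To check a live server, replace SAMPLE_NAMED_CONF with the contents of /etc/named.conf; the comment stripper exists because the ldapi:// URI in the uri argument would otherwise be cut off as a // comment.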
From: jdennis at redhat.com (John Dennis)
Date: Wed, 24 Aug 2011 15:24:11 -0400
Subject: [Freeipa-devel] [PATCH 43/43] ticket 1707 - add documentation validation to makeapi tool
Message-ID: <201108241924.p7OJOBse029526@int-mx09.intmail.prod.int.phx2.redhat.com>

Iterate over all API commands and perform the following validation:

* Every command must have documentation and it must be marked for international translation
* Every module hosting a command must have documentation and it must be marked for international translation
* Every module topic must be marked for international translation

For every error found emit a diagnostic. Emit a summary of total errors found. Return error flag if errors found, zero otherwise.

-- 
John Dennis

Looking to carve out IT costs?
www.redhat.com/carveoutcosts/

-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0043-ticket-1707-add-documentation-validation-to-makeapi-.patch
Type: text/x-patch
Size: 7014 bytes
Desc: not available
URL:

From jdennis at redhat.com Wed Aug 24 21:32:41 2011
From: jdennis at redhat.com (John Dennis)
Date: Wed, 24 Aug 2011 17:32:41 -0400
Subject: [Freeipa-devel] [PATCH 44/44] ticket 1705 - internationalize help topics
Message-ID: <201108242132.p7OLWfma003036@int-mx01.intmail.prod.int.phx2.redhat.com>

* Wrap each topic description in _()
* Replace the use of if 'topic' in dir(module) with the more Pythonic and efficient getattr(module, 'topic', None)
* Make sure to invoke unicode on the value returned from _() otherwise you'll get a GettextFactory instance, not a string
* Clean up trailing whitespace errors

-- 
John Dennis

Looking to carve out IT costs?
www.redhat.com/carveoutcosts/

-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0044-ticket-1705-internationalize-help-topics.patch
Type: text/x-patch
Size: 5301 bytes
Desc: not available
URL:

From rcritten at redhat.com Wed Aug 24 21:35:26 2011
From: rcritten at redhat.com (Rob Crittenden)
Date: Wed, 24 Aug 2011 17:35:26 -0400
Subject: [Freeipa-devel] [PATCH] 854 Add ftp HBAC services
Message-ID: <4E556E9E.70809@redhat.com>

Add a few more ftp HBAC services. This adds vsftpd, proftpd, pure-ftpd and gssftp.

An HBAC service equates to a pam service, and since there is no Linux ftp daemon that uses ftp as its service name it wasn't very useful.

I added an ftp HBAC service group to tie them all together.

rob

-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-rcrit-854-ftp.patch
Type: text/x-patch
Size: 2588 bytes
Desc: not available
URL:

From jdennis at redhat.com Wed Aug 24 21:39:44 2011
From: jdennis at redhat.com (John Dennis)
Date: Wed, 24 Aug 2011 17:39:44 -0400
Subject: [Freeipa-devel] [PATCH 45/45] ticket 1706 - internationalize cli help framework
Message-ID: <201108242139.p7OLdiww018216@int-mx10.intmail.prod.int.phx2.redhat.com>

In cli.py is a framework for printing out help information. The command documentation being displayed is internationalized; however, the text generated by the help framework itself is not internationalized. The strings output by the help subsystem need to be internationalized.

-- 
John Dennis

Looking to carve out IT costs?
www.redhat.com/carveoutcosts/

-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0045-ticket-1706-internationalize-cli-help-framework.patch
Type: text/x-patch
Size: 2642 bytes
Desc: not available
URL:

From rcritten at redhat.com Wed Aug 24 21:49:03 2011
From: rcritten at redhat.com (Rob Crittenden)
Date: Wed, 24 Aug 2011 17:49:03 -0400
Subject: [Freeipa-devel] [PATCH] 855 add label for HBAC service group members
Message-ID: <4E5571CF.2020002@redhat.com>

There was no Param for member_hbacsvc so members weren't showing by default with ipa hbacsvcgroup-show. This fixes it.

rob

-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-rcrit-855-hbacsvc.patch
Type: text/x-patch
Size: 828 bytes
Desc: not available
URL:

From rcritten at redhat.com Wed Aug 24 22:17:39 2011
From: rcritten at redhat.com (Rob Crittenden)
Date: Wed, 24 Aug 2011 18:17:39 -0400
Subject: [Freeipa-devel] [PATCH] 856 add option to only prompt once for passwords
Message-ID: <4E557883.4050304@redhat.com>

The Password parameter was set up to take passwords for users where you would want to confirm the entered password. There is a case in the entitlement plugin where we want to prompt for a password to an external service, so prompt just once.

This adds a new option to Password, confirm, to decide what to do.

rob

-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-rcrit-856-password.patch
Type: text/x-patch
Size: 3720 bytes
Desc: not available
URL:

From edewata at redhat.com Wed Aug 24 22:58:09 2011
From: edewata at redhat.com (Endi Sukma Dewata)
Date: Wed, 24 Aug 2011 17:58:09 -0500
Subject: [Freeipa-devel] [PATCH] 255 Fixed host OTP status.
Message-ID: <4E558201.5090707@redhat.com>

The host details page has been modified to show the status of the OTP. Setting a new OTP is now done using a dialog box.

Ticket #1710

-- 
Endi S. Dewata

-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-edewata-0255-Fixed-host-OTP-status.patch
Type: text/x-patch
Size: 43854 bytes
Desc: not available
URL:

From edewata at redhat.com Thu Aug 25 00:55:32 2011
From: edewata at redhat.com (Endi Sukma Dewata)
Date: Wed, 24 Aug 2011 19:55:32 -0500
Subject: [Freeipa-devel] [PATCH] 007 Validation of details facet before update
In-Reply-To: <4E5503BC.4050105@redhat.com>
References: <4E5503BC.4050105@redhat.com>
Message-ID: <4E559D84.80305@redhat.com>

On 8/24/2011 8:59 AM, Petr Vobornik wrote:
> Validation of details facet before update
> https://fedorahosted.org/freeipa/ticket/1676 The ticket is a duplicate
> of a server error, but it revealed a few UI errors.
>
> Now performs validation of the details facet before update. If validation
> fails, a notification dialog is shown and the command isn't executed.
> Fixed integer minimum and maximum value checking.
> Read-only and non-writeable fields are no longer considered required.

ACK. Pushed to master and ipa-2-1.

-- 
Endi S. Dewata

From edewata at redhat.com Thu Aug 25 01:29:08 2011
From: edewata at redhat.com (Endi Sukma Dewata)
Date: Wed, 24 Aug 2011 20:29:08 -0500
Subject: [Freeipa-devel] [PATCH] 255 Fixed host OTP status.
In-Reply-To: <4E558201.5090707@redhat.com>
References: <4E558201.5090707@redhat.com>
Message-ID: <4E55A564.1050009@redhat.com>

On 8/24/2011 5:58 PM, Endi Sukma Dewata wrote:
> The host details page has been modified to show the status of the OTP.
> Setting a new OTP is now done using a dialog box.
>
> Ticket #1710

Attached is a rebased version.

Note: As mentioned in rcrit's patch #851, setting a new password will make has_keytab false. Currently the UI doesn't refresh the keytab's status. I'm still considering several options. This will be fixed in a separate patch.

-- 
Endi S. Dewata

-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-edewata-0255-2-Fixed-host-OTP-status.patch
Type: text/x-patch
Size: 43855 bytes
Desc: not available
URL:

From adam at younglogic.com Thu Aug 25 02:29:01 2011
From: adam at younglogic.com (Adam Young)
Date: Wed, 24 Aug 2011 22:29:01 -0400
Subject: [Freeipa-devel] Proxy/Port work status
Message-ID: <4E55B36D.4080808@younglogic.com>

Had some success earlier today, but I seem to be unable to replicate it. I've been working with the "full" proxy.conf file lately, and even that seems to be preventing a replica. It is quite possible that the problem is something on one of the two systems, as I've found that install/uninstall often leaves some of the files being owned by non-existent users. At this point, I'm not sure if the patch I've submitted will work on a vanilla system. Testing it has proven to be a pretty time consuming endeavour.

Here's what I've gotten it down to:

On one machine, run

    ipa-server-install -U -r `hostname | tr '[:lower:]' '[:upper:]'` -p freeipa4all -a freeipa4all --setup-dns --no-forwarders

once that succeeds, I have to reset /etc/resolv.conf as the lab DNS server gets removed:

    cp ~/resolve.conf /etc

then

    ipa-replica-prepare $REPLICA
    scp /var/lib/ipa/replica-info-$REPLICA.gpg root@$REPLICA:

On the replica:

    ipa-replica-install --setup-ca replica-info-$HOSTNAME.gpg

I have firewall off on master and replica.

At one point I had a replica install that worked with the Proxy, so I know it is possible, but for the last couple of hours this last command has been failing with:

    creation of replica failed: Configuration of CA failed

pkisilent reports the failure in the debug log, but not the URL it is trying to reach. I'm going to modify it to give some more information in the morning.

I'm not seeing anything in /var/log/httpd/error|access.log on the master, which is weird.

I see this in /var/log/ipareplica-conncheck.log.
We should not be trying to do anything in /home/admin

    2011-08-24 21:52:18,544 DEBUG stderr=
    2011-08-24 21:52:19,521 DEBUG args=/usr/bin/ssh -q -o StrictHostKeychecking=no -o UserKnownHostsFile=/dev/null admin at vm-088.idm.lab.bos.redhat.com /usr/sbin/ipa-replica-conncheck --replica vm-116.idm.lab.bos.redhat.com --check-ca
    2011-08-24 21:52:19,521 DEBUG stdout=Check connection from master to remote replica 'vm-116.idm.lab.bos.redhat.com':
    Directory Service: Unsecure port (389): OK
    Directory Service: Secure port (636): OK
    Kerberos (88): OK
    PKI-CA: Directory Service port (7389): OK
    PKI-CA: Agent secure port (9443): OK
    PKI-CA: EE secure port (9444): OK
    PKI-CA: Admin secure port (9445): OK
    PKI-CA: EE secure client auth port (9446): OK
    PKI-CA: Unsecure port (9180): OK

    Connection from master to replica is OK.

    2011-08-24 21:52:19,522 DEBUG stderr=Could not chdir to home directory /home/admin: No such file or directory

Ade Lee noticed that the replica install is failing before it ever attempts to talk to the Master, which corresponds with what I am seeing. I see in the PKI install log that

    [2011-08-24 22:23:50] [error] FAILED run_command("/sbin/service pki-cad restart pki-ca"), exit status=1 output="Stopping pki-ca: [FAILED] Starting pki-ca: [ OK ]^M"

Running this command by hand gets the same output.

In less /var/log/pki-ca/catalina.out

    /var/lib/pki-ca/logs/catalina.out: Permission denied
    /var/log/pki-ca/catalina.out (END)

So it looks like another cleanup issue.

From jdennis at redhat.com Thu Aug 25 03:46:45 2011
From: jdennis at redhat.com (John Dennis)
Date: Wed, 24 Aug 2011 23:46:45 -0400
Subject: [Freeipa-devel] [PATCH 46/46] ticket 1669 - improve i18n docstring extraction
Message-ID: <201108250346.p7P3kjKq004751@int-mx12.intmail.prod.int.phx2.redhat.com>

This patch reverts the use of pygettext for i18n string extraction. It was originally introduced because the help documentation for commands is in the class docstring and module docstring.

Docstrings are a Python construct whereby any string which immediately follows a class declaration, function/method declaration or appears first in a module is taken to be the documentation for that object. Python automatically assigns that string to the __doc__ variable associated with the object. Explicitly assigning to the __doc__ variable is equivalent and permitted.

We mark strings in the source for i18n translation by embedding them in _() or ngettext(). Specialized extraction tools (e.g. xgettext) scan the source code looking for strings with those markers and extract the string for inclusion in a translation catalog.

It was mistakenly assumed one could not mark Python docstrings for translation. Since some docstrings are vital for our command help system some method had to be devised to extract docstrings for the translation catalog. pygettext has the ability to locate and extract docstrings and it was introduced to acquire the documentation for our commands located in module and class docstrings.

However pygettext was too large a hammer for this task; it lacked any fine-grained ability to extract only the docstrings we were interested in. In practice it extracted EVERY docstring in each file it was presented with. This caused a large number of strings to be extracted for translation which had no reason to be translated; the string might have been internal code documentation never meant to be seen by users. Often the superfluous docstrings were long, complex and likely difficult to translate.
This placed an unnecessary burden on our volunteer translators.

Instead what is needed is some method to extract only those strings intended for translation. We already have such a mechanism and it is already widely used, namely wrapping strings intended for translation in calls to _() or ngettext(), i.e. marking a string for i18n translation. Thus the solution to the docstring translation problem is to mark the docstrings exactly as we have been doing; it only requires that instead of a bare Python docstring we instead assign the marked string to the __doc__ variable.

Using the hypothetical class foo as an example:

    class foo(Command):
        '''
        The foo command takes out the garbage.
        '''

Would become:

    class foo(Command):
        __doc__ = _('The foo command takes out the garbage.')

But which docstrings need to be marked for translation? The makeapi tool knows how to iterate over every command in our public API. It was extended to validate every command's documentation and report if any documentation is missing or not marked for translation. That information was then used to identify each docstring in the code which needed to be transformed.

In summary what this patch does is:

* Remove the use of pygettext (modification to install/po/Makefile.in)

* Replace every docstring with an explicit assignment to __doc__ where the rhs of the assignment is an i18n marking function.

* Single line docstrings appearing in multi-line string literals (e.g. ''' or """) were replaced with single line string literals because the multi-line literals were introducing unnecessary whitespace and newlines in the string extracted for translation. For example:

      '''
      The foo command takes out the garbage.
      '''

  Would appear in the translation catalog as:

      "\n The foo command takes out the garbage.\n "

  The superfluous whitespace and newlines are confusing to translators and require us to strip leading and trailing whitespace from the translation at run time.
* Import statements were moved from below the docstring to above it. This was necessary because the i18n markers are imported functions and must be available before the doc is parsed. Technically only the import of the i18n markers had to appear before the doc but stylistically it's better to keep all the imports together.

* It was observed during the docstring editing process that the command documentation was inconsistent with respect to the use of periods to terminate a sentence. Some doc had a trailing period, others didn't. Consistency was enforced by adding a period to the end of every docstring if one was missing.

-- 
John Dennis
Looking to carve out IT costs? www.redhat.com/carveoutcosts/

-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0046-ticket-1669-improve-i18n-docstring-extraction.patch
Type: text/x-patch
Size: 97786 bytes
Desc: not available
URL: 

From jdennis at redhat.com Thu Aug 25 04:30:41 2011
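As an added illustration of the validation step John describes (the makeapi extension that reports commands whose documentation is missing or not marked for translation), here is a stand-alone Python sketch of that check. It is not FreeIPA's makeapi or ipalib code: the _() marker, the GettextFactory stand-in, the Command base class and the four sample commands are all constructed for this example, and the three checks it applies (docstring present, docstring is a marker object rather than a bare string, text trimmed and ending in a period) mirror the three problems listed in the patch description.

```python
# Added example: validating that command docstrings are marked for i18n.
# This is NOT FreeIPA's makeapi or ipalib code; _(), GettextFactory, Command
# and the sample commands below are stand-ins constructed for illustration.


class GettextFactory(object):
    """Stand-in for the lazy object FreeIPA's _() returns: it carries the
    msgid and is only turned into text when unicode()/str() is applied."""

    def __init__(self, msgid):
        self.msgid = msgid

    def __str__(self):
        # A real factory would look the msgid up in the active catalog here.
        return self.msgid


def _(msgid):
    """i18n marker; extraction tools such as xgettext harvest its argument."""
    return GettextFactory(msgid)


class Command(object):
    """Hypothetical base class standing in for ipalib's Command."""


# Sample commands (constructed): one done right, three with problems.
class good(Command):
    __doc__ = _('The good command takes out the garbage.')


class unmarked(Command):
    '''
    The unmarked command still uses a bare multi-line docstring.
    '''


class missing(Command):
    pass


class noperiod(Command):
    __doc__ = _('The noperiod command lacks a trailing period')


def check_doc(cls):
    """Return the list of documentation problems for one command class.

    An empty list means the class passes all three checks: it has a
    docstring, the docstring is an i18n marker object rather than a bare
    string, and the text is trimmed and ends with a period.
    """
    problems = []
    # Look only at the class's own namespace so an inherited __doc__ from
    # a base class is not mistaken for this command's documentation.
    doc = cls.__dict__.get('__doc__')
    if doc is None:
        return ['missing documentation']
    if isinstance(doc, GettextFactory):
        text = doc.msgid
    else:
        problems.append('docstring not marked for translation')
        text = doc
    if text != text.strip():
        # This is the "\n The foo command ...\n " catalog entry the
        # patch description warns about.
        problems.append('surrounding whitespace would land in the catalog')
    if not text.strip().endswith('.'):
        problems.append('missing trailing period')
    return problems


def check_api(commands):
    """Map command name -> problems for every command that has any."""
    report = {}
    for cls in commands:
        problems = check_doc(cls)
        if problems:
            report[cls.__name__] = problems
    return report


def render_help(cls):
    """Resolve a marked docstring to plain text at run time: the marker
    object must be passed through str()/unicode(), otherwise callers get
    the factory instance itself instead of a string."""
    return str(cls.__doc__)


if __name__ == '__main__':
    # Walk every registered command, as makeapi walks the public API.
    for name, problems in sorted(check_api(Command.__subclasses__()).items()):
        print('%s: %s' % (name, '; '.join(problems)))
```

Run as a script it lists missing, noperiod and unmarked with their problems and stays silent about good; the same check_api() call is what a build step would run to fail the build before an unmarked docstring reaches the translation catalog.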
From: jdennis at redhat.com (John Dennis)
Date: Thu, 25 Aug 2011 00:30:41 -0400
Subject: [Freeipa-devel] [Pki-devel] Proxy/Port work status
In-Reply-To: <1314241171.10368.78.camel@localhost.localdomain>
References: <4E55B36D.4080808@younglogic.com> <1314241171.10368.78.camel@localhost.localdomain>
Message-ID: <4E55CFF1.1020509@redhat.com>

On 08/24/2011 10:59 PM, Ade Lee wrote:
> When I looked at one point, I noticed that /var/log/pki-ca/catalina.out
> was owned by root. And in fact the whole /var/log/pki-ca directory was
> owned by root.
>
> If the CA process runs as pkiuser, that would explain the permission
> denied bit.

/var/log/pki-ca and its contents should be owned by pkiuser. However not all copies of catalina.out which get created should be owned by pkiuser, see:

https://bugzilla.redhat.com/show_bug.cgi?id=693815

The distinction is there is a log file written to by the initscript before the pki process begins. Doesn't sound like this applies in this instance, but just FYI.

-- 
John Dennis
Looking to carve out IT costs? www.redhat.com/carveoutcosts/

From abokovoy at redhat.com Thu Aug 25 10:22:33 2011
From: abokovoy at redhat.com (Alexander Bokovoy)
Date: Thu, 25 Aug 2011 13:22:33 +0300
Subject: [Freeipa-devel] [PATCH 45/45] ticket 1706 - internationalize cli help framework
In-Reply-To: <201108242139.p7OLdiww018216@int-mx10.intmail.prod.int.phx2.redhat.com>
References: <201108242139.p7OLdiww018216@int-mx10.intmail.prod.int.phx2.redhat.com>
Message-ID: <4E562269.1040203@redhat.com>

On 25.08.2011 00:39, John Dennis wrote:
> In cli.py is a framework for printing out help information. The
> command documentation being displayed is internationalized, however
> the text generated by the help framework itself is not
> internationalized.
>
> The strings output by the help subsystem need to be internationalized.

ACK.

-- 
/ Alexander Bokovoy

From pvoborni at redhat.com Thu Aug 25 10:23:25 2011
From: pvoborni at redhat.com (Petr Vobornik)
Date: Thu, 25 Aug 2011 12:23:25 +0200
Subject: [Freeipa-devel] [PATCH] 254 Fixed default map type in automount map adder dialog.
In-Reply-To: <4E545D94.9010805@redhat.com>
References: <4E545D94.9010805@redhat.com>
Message-ID: <4E56229D.8070307@redhat.com>

On 08/24/2011 04:10 AM, Endi Sukma Dewata wrote:
> The adder dialog for automount map has been modified to select the
> direct map by default.
>
> Ticket #1698
>
> _______________________________________________
> Freeipa-devel mailing list
> Freeipa-devel at redhat.com
> https://www.redhat.com/mailman/listinfo/freeipa-devel

ACK

-- 
Petr Vobornik

From abokovoy at redhat.com Thu Aug 25 10:43:58 2011
From: abokovoy at redhat.com (Alexander Bokovoy)
Date: Thu, 25 Aug 2011 13:43:58 +0300
Subject: [Freeipa-devel] [PATCH] 854 Add ftp HBAC services
In-Reply-To: <4E556E9E.70809@redhat.com>
References: <4E556E9E.70809@redhat.com>
Message-ID: <4E56276E.8050507@redhat.com>

On 25.08.2011 00:35, Rob Crittenden wrote:
> Add a few more ftp HBAC services. This adds vsftpd, proftpd, pure-ftpd
> and gssftp. An HBAC service equates to a pam service and since there is
> no Linux ftp daemon that uses ftp as its service name it wasn't very
> useful.
>
> I added a ftp HBAC service group to tie them all together.

ACK

What about other services? There are 'sudo', 'sudo-i', 'su', 'su-l', 'runuser', 'runuser-l' in Fedora which represent 'sudo' and 'su', and 'runuser' and dash-variants are used when launched with appropriate options.

For gdm there are gdm{,-autologin,-fingerprint,-password} which are different PAM services to use with different GDM options.

I think it is worth creating HBAC service groups for them as well but this is clearly distribution-dependent behaviour.

-- 
/ Alexander Bokovoy

From mkosek at redhat.com Thu Aug 25 11:31:51 2011
From: mkosek at redhat.com (Martin Kosek) Date: Thu, 25 Aug 2011 13:31:51 +0200 Subject: [Freeipa-devel] [PATCH] 114 Fix sudo help and summaries Message-ID: <1314271916.2681.1.camel@dhcp-25-52.brq.redhat.com> 1) Add sudorule docstring headline 2) Fix naming inconsistency in Sudo plugins help and summaries, especially capitalization of Sudo objects - Sudo Rule, Sudo Command and Sudo Command Group 3) Add missing summaries for sudorule-add-option and sudorule-remove-option https://fedorahosted.org/freeipa/ticket/1595 https://fedorahosted.org/freeipa/ticket/1596 -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-mkosek-114-fix-sudo-help-and-summaries.patch Type: text/x-patch Size: 23244 bytes Desc: not available URL: From rcritten at redhat.com Thu Aug 25 11:36:14 2011 
From: rcritten at redhat.com (Rob Crittenden) Date: Thu, 25 Aug 2011 07:36:14 -0400 Subject: [Freeipa-devel] [PATCH] 854 Add ftp HBAC services In-Reply-To: <4E56276E.8050507@redhat.com> References: <4E556E9E.70809@redhat.com> <4E56276E.8050507@redhat.com> Message-ID: <4E5633AE.4080303@redhat.com> Alexander Bokovoy wrote: > On 25.08.2011 00:35, Rob Crittenden wrote: >> Add a few more ftp HBAC services. This adds vsftpd, proftpd, pure-ftpd >> and gssftp. An HBAC service equates to a pam service and since there is >> no Linux ftp daemon that uses ftp as its service name it wasn't very >> useful. >> >> I added a ftp HBAC service group to tie them all together. > ACK > > What about other services? There are 'sudo', 'sudo-i', 'su', 'su-l', > 'runuser', 'runuser-l' in Fedora which represent 'sudo' and 'su', and > 'runuser' and dash-variants are used when launched with appropriate > options. > > For gdm there are gdm{,-autologin,-fingerprint,-password} which are > different PAM services to use with different GDM options. > > I think is is worth to create HBAC service groups for them as well but > this is clearly distribution-dependent behaviour. We have some of these sudo services already, but not all of them. I'm certainly open to adding more services and service groups by default. Can you open a ticket with your suggestions? thanks rob From abokovoy at redhat.com Thu Aug 25 11:39:46 2011 
From: abokovoy at redhat.com (Alexander Bokovoy) Date: Thu, 25 Aug 2011 14:39:46 +0300 Subject: [Freeipa-devel] [PATCH] 854 Add ftp HBAC services In-Reply-To: <4E5633AE.4080303@redhat.com> References: <4E556E9E.70809@redhat.com> <4E56276E.8050507@redhat.com> <4E5633AE.4080303@redhat.com> Message-ID: <4E563482.7060801@redhat.com> On 25.08.2011 14:36, Rob Crittenden wrote: > Alexander Bokovoy wrote: >> On 25.08.2011 00:35, Rob Crittenden wrote: >>> Add a few more ftp HBAC services. This adds vsftpd, proftpd, pure-ftpd >>> and gssftp. An HBAC service equates to a pam service and since there is >>> no Linux ftp daemon that uses ftp as its service name it wasn't very >>> useful. >>> >>> I added a ftp HBAC service group to tie them all together. >> ACK >> >> What about other services? There are 'sudo', 'sudo-i', 'su', 'su-l', >> 'runuser', 'runuser-l' in Fedora which represent 'sudo' and 'su', and >> 'runuser' and dash-variants are used when launched with appropriate >> options. >> >> For gdm there are gdm{,-autologin,-fingerprint,-password} which are >> different PAM services to use with different GDM options. >> >> I think is is worth to create HBAC service groups for them as well but >> this is clearly distribution-dependent behaviour. > > We have some of these sudo services already, but not all of them. I'm > certainly open to adding more services and service groups by default. > Can you open a ticket with your suggestions? I'll make a task ticket for 3.0 Core effort. -- / Alexander Bokovoy From abokovoy at redhat.com Thu Aug 25 11:40:31 2011 
From: abokovoy at redhat.com (Alexander Bokovoy) Date: Thu, 25 Aug 2011 14:40:31 +0300 Subject: [Freeipa-devel] [PATCH] 855 add label for HBAC service group members In-Reply-To: <4E5571CF.2020002@redhat.com> References: <4E5571CF.2020002@redhat.com> Message-ID: <4E5634AF.7070802@redhat.com> On 25.08.2011 00:49, Rob Crittenden wrote: > There was no Param for member_hbacsvc so members weren't showing by > default with ipa hbacsvcgroup-show. This fixes it. ACK -- / Alexander Bokovoy From rcritten at redhat.com Thu Aug 25 11:41:50 2011 
From: rcritten at redhat.com (Rob Crittenden) Date: Thu, 25 Aug 2011 07:41:50 -0400 Subject: [Freeipa-devel] Proxy/Port work status In-Reply-To: <4E55B36D.4080808@younglogic.com> References: <4E55B36D.4080808@younglogic.com> Message-ID: <4E5634FE.50206@redhat.com> Adam Young wrote: > Had some success earlier today, but I seem to be unable to replicate it. > I've been working with the "full" proxy.conf file lately,. and even that > seems to be preventing a replica. It is quite possible that the problem > is something on one of the two systems, as I've found that > install/uninstall often leaves some of the files being owned by > non-existent users. At this point, I'm not sure if the patch I've > submitted will work on a vanilla system. Testing it has proven to be a > pretty time consuming endeavour. > > > Here's what I've gotten it down to: > > ON One machine, run > > ipa-server-install -U -r ` hostname | tr '[:lower:]' '[:upper:]'` -p > freeipa4all -a freeipa4all --setup-dns --no-forwarders > > > once that succeeds, I have to reset /etc/resolv.conf as the lab DNS > server gets removed: > > cp ~/resolve.conf /etc You could also not use --setup-dns on the master. > > then > > ipa-replica-prepare $REPLICA > > scp /var/lib/ipa/replica-info-$REPLICA.gpg root@$REPLICA: > > On the replica: > > ipa-replica-install --setup-ca replica-info-$HOSTNAME.gpg > > I have firewall off on master and replica > > > At one point I had a replica install that worked with the Proxy, so I > know it is possible, but for the last couple of hours this last command > has been failing with: > > creation of replica failed: Configuration of CA failed > > > > pkisilent reports the failure in the debug log, but not the URL it is > trying to reach. I'm going to modify it to give some more information in > the morning. > > > I'm not seeing anything in /var/log/httpd/error|access.log on the > master, which is weird. > > > I see this in /var/log/ipareplica-conncheck.log. 
We should not be trying > to do anything in /home/admin > > > 2011-08-24 21:52:18,544 DEBUG stderr= > 2011-08-24 21:52:19,521 DEBUG args=/usr/bin/ssh -q -o > StrictHostKeychecking=no -o UserKnownHostsFile=/dev/null > admin at vm-088.idm.lab.bos.redhat.com /usr/sbin/ipa-replica-conncheck > --replica vm-116.idm.lab.bos.redhat.com --check-ca > 2011-08-24 21:52:19,521 DEBUG stdout=Check connection from master to > remote replica 'vm-116.idm.lab.bos.redhat.com': > Directory Service: Unsecure port (389): OK > Directory Service: Secure port (636): OK > Kerberos (88): OK > PKI-CA: Directory Service port (7389): OK > PKI-CA: Agent secure port (9443): OK > PKI-CA: EE secure port (9444): OK > PKI-CA: Admin secure port (9445): OK > PKI-CA: EE secure client auth port (9446): OK > PKI-CA: Unsecure port (9180): OK > > Connection from master to replica is OK. > > 2011-08-24 21:52:19,522 DEBUG stderr=Could not chdir to home directory > /home/admin: No such file or directory We ssh to the remote machine so we can be sure that the firewall is open in both directions. This is just a side-effect of authenticating as admin. > > > Ade Lee noticed that the replica install is failing before it ever > attempts to talk to the Master, which corresponds with what I am seeing. > I see in the PKI install log that > > [2011-08-24 22:23:50] [error] FAILED run_command("/sbin/service pki-cad > restart pki-ca"), exit status=1 output="Stopping pki-ca: [FAILED] > Starting pki-ca: [ OK ]^M" > > > Running this command by hand gets the same output. > > In less /var/log/pki-ca/catalina.out > > /var/lib/pki-ca/logs/catalina.out: Permission denied > /var/log/pki-ca/catalina.out (END) > > > SO it looks like another cleanup issue. I don't think so. pkiremove removes all pki-ca directories including logs. You might try strace on it to see what is going on. rob From abokovoy at redhat.com Thu Aug 25 11:43:49 2011 
From: abokovoy at redhat.com (Alexander Bokovoy)
Date: Thu, 25 Aug 2011 14:43:49 +0300
Subject: [Freeipa-devel] [PATCH] 856 add option to only prompt once for passwords
In-Reply-To: <4E557883.4050304@redhat.com>
References: <4E557883.4050304@redhat.com>
Message-ID: <4E563575.6050500@redhat.com>

On 25.08.2011 01:17, Rob Crittenden wrote:
> The Password parameter was set up to take passwords for users where you
> would want to confirm the entered password. There is a case in the
> entitlement plugin where we want to prompt for a password to an external
> service, so prompt just once. This adds a new option to Password,
> confirm, to decide what to do.

You forgot to re-generate API.txt.

-option: Password('password', label=Gettext('Password', domain='ipa', localedir=None))
+option: Password('password', confirm=False, label=Gettext('Password', domain='ipa', localedir=None))

-- 
/ Alexander Bokovoy

From alee at redhat.com Thu Aug 25 02:59:31 2011
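Review bot: the regenerated API.txt entry adds confirm=False to the entitlement 'password' option only, so the new keyword has to default to True for every other Password parameter to keep its second confirmation prompt unchanged; that default should be stated where confirm is defined on Password, so a reader of API.txt can tell that an option without confirm= still prompts twice, and the patch description should say why a single prompt is acceptable for this one option (it is a credential for an external service, entered once rather than set for a user).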
From: alee at redhat.com (Ade Lee) Date: Wed, 24 Aug 2011 22:59:31 -0400 Subject: [Freeipa-devel] [Pki-devel] Proxy/Port work status In-Reply-To: <4E55B36D.4080808@younglogic.com> References: <4E55B36D.4080808@younglogic.com> Message-ID: <1314241171.10368.78.camel@localhost.localdomain> When I looked at one point, I noticed that /var/log/pki-ca/catalina.out was owned by root. And in fact the whole /var/log/pki-ca directory was owned by root. If the CA process runs as pkiuser, that would explain the permission denied bit. Adam, please reproduce and do not clean up. I can go in at that point and try to figure out what went wrong. Ade On Wed, 2011-08-24 at 22:29 -0400, Adam Young wrote: > Had some success earlier today, but I seem to be unable to replicate > it. I've been working with the "full" proxy.conf file lately,. and even > that seems to be preventing a replica. It is quite possible that the > problem is something on one of the two systems, as I've found that > install/uninstall often leaves some of the files being owned by > non-existent users. At this point, I'm not sure if the patch I've > submitted will work on a vanilla system. Testing it has proven to be a > pretty time consuming endeavour. 
> > > Here's what I've gotten it down to: > > ON One machine, run > > ipa-server-install -U -r ` hostname | tr '[:lower:]' '[:upper:]'` -p > freeipa4all -a freeipa4all --setup-dns --no-forwarders > > > once that succeeds, I have to reset /etc/resolv.conf as the lab DNS > server gets removed: > > cp ~/resolve.conf /etc > > then > > ipa-replica-prepare $REPLICA > > scp /var/lib/ipa/replica-info-$REPLICA.gpg root@$REPLICA: > > On the replica: > > ipa-replica-install --setup-ca replica-info-$HOSTNAME.gpg > > I have firewall off on master and replica > > > At one point I had a replica install that worked with the Proxy, so I > know it is possible, but for the last couple of hours this last command > has been failing with: > > creation of replica failed: Configuration of CA failed > > > > pkisilent reports the failure in the debug log, but not the URL it is > trying to reach. I'm going to modify it to give some more information > in the morning. > > > I'm not seeing anything in /var/log/httpd/error|access.log on the > master, which is weird. > > > I see this in /var/log/ipareplica-conncheck.log. We should not be > trying to do anything in /home/admin > > > 2011-08-24 21:52:18,544 DEBUG stderr= > 2011-08-24 21:52:19,521 DEBUG args=/usr/bin/ssh -q -o > StrictHostKeychecking=no -o UserKnownHostsFile=/dev/null > admin at vm-088.idm.lab.bos.redhat.com /usr/sbin/ipa-replica-conncheck > --replica vm-116.idm.lab.bos.redhat.com --check-ca > 2011-08-24 21:52:19,521 DEBUG stdout=Check connection from master to > remote replica 'vm-116.idm.lab.bos.redhat.com': > Directory Service: Unsecure port (389): OK > Directory Service: Secure port (636): OK > Kerberos (88): OK > PKI-CA: Directory Service port (7389): OK > PKI-CA: Agent secure port (9443): OK > PKI-CA: EE secure port (9444): OK > PKI-CA: Admin secure port (9445): OK > PKI-CA: EE secure client auth port (9446): OK > PKI-CA: Unsecure port (9180): OK > > Connection from master to replica is OK. 
> > 2011-08-24 21:52:19,522 DEBUG stderr=Could not chdir to home directory > /home/admin: No such file or directory > > > > Ade Lee noticed that the replica install is failing before it ever > attempts to talk to the Master, which corresponds with what I am > seeing. I see in the PKI install log that > > [2011-08-24 22:23:50] [error] FAILED run_command("/sbin/service pki-cad > restart pki-ca"), exit status=1 output="Stopping pki-ca: [FAILED] > Starting pki-ca: [ OK ]^M" > > > Running this command by hand gets the same output. > > In less /var/log/pki-ca/catalina.out > > /var/lib/pki-ca/logs/catalina.out: Permission denied > /var/log/pki-ca/catalina.out (END) > > > SO it looks like another cleanup issue. > > > _______________________________________________ > Pki-devel mailing list > Pki-devel at redhat.com > https://www.redhat.com/mailman/listinfo/pki-devel From abokovoy at redhat.com Thu Aug 25 11:50:26 2011 
From: abokovoy at redhat.com (Alexander Bokovoy) Date: Thu, 25 Aug 2011 14:50:26 +0300 Subject: [Freeipa-devel] [PATCH 46/46] ticket 1669 - improve i18n docstring extraction In-Reply-To: <201108250346.p7P3kjKq004751@int-mx12.intmail.prod.int.phx2.redhat.com> References: <201108250346.p7P3kjKq004751@int-mx12.intmail.prod.int.phx2.redhat.com> Message-ID: <4E563702.6090006@redhat.com> On 25.08.2011 06:46, John Dennis wrote: > class foo(Command): > ''' > The foo command takes out the garbage. > ''' > > Would become: > > class foo(Command): > __doc__ = _('The foo command takes out the garbage.') > > But which docstrings need to be marked for translation? The makeapi > tool knows how to iterate over every command in our public API. It was > extended to validate every command's documentation and report if any > documentation is missing or not marked for translation. That > information was then used to identify each docstring in the code which > needed to be transformed. Read through whole patch. This is one of rare cases where gettext's use of original text as translation id isn't helpful from both performance (longer calculation of Id hash during run-time) and maintenance. Looks like we have to live with that if Transifex is unable to work with indirected translation ids -- that would mean authoritative original text would be in 'en' translation, not as original translation id. If that can't be solved, I'm fine with this approach. > In summary what this patch does is: > > * Remove the use of pygettext (modification to install/po/Makefile.in) ACK > * Replace every docstring with an explicit assignment to __doc__ where > the rhs of the assignment is an i18n marking function. ACK > * Single line docstrings appearing in multi-line string literals > (e.g. ''' or """) were replaced with single line string literals > because the multi-line literals were introducing unnecessary > whitespace and newlines in the string extracted for translation. 
For > example: ACK > * Import statements were moved from below the docstring to above > it. This was necessary because the i18n markers are imported > functions and must be available before the the doc is > parsed. Technically only the import of the i18n markers had to > appear before the doc but stylistically it's better to keep all the > imports together. ACK > * It was observed during the docstring editing process that the > command documentation was inconsistent with respect to the use of > periods to terminate a sentence. Some doc had a trailing period, > others didn't. Consistency was enforced by adding a period to end of > every docstring if one was missing. ACK. -- / Alexander Bokovoy From rcritten at redhat.com Thu Aug 25 11:55:04 2011 From: rcritten at redhat.com (Rob Crittenden) Date: Thu, 25 Aug 2011 07:55:04 -0400 Subject: [Freeipa-devel] [PATCH] 856 add option to only prompt once for passwords In-Reply-To: <4E563575.6050500@redhat.com> References: <4E557883.4050304@redhat.com> <4E563575.6050500@redhat.com> Message-ID: <4E563818.3040704@redhat.com> Alexander Bokovoy wrote: > On 25.08.2011 01:17, Rob Crittenden wrote: >> The Password parameter was set up to take passwords for users where you >> would want to confirm the entered password. There is a case in the >> entitlement plugin where we want to prompt for a password to an external >> service, so prompt just once. This adds a new option to Password, >> confirm, to decide what to do. > You forgot to re-generate API.txt. > -option: Password('password', label=Gettext('Password', domain='ipa', > localedir=None)) > +option: Password('password', confirm=False, label=Gettext('Password', > domain='ipa', localedir=None)) > Updated patch attached. rob -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-rcrit-856-2-password.patch Type: text/x-patch Size: 4673 bytes Desc: not available URL: From abokovoy at redhat.com Thu Aug 25 11:55:57 2011 
From: abokovoy at redhat.com (Alexander Bokovoy) Date: Thu, 25 Aug 2011 14:55:57 +0300 Subject: [Freeipa-devel] [PATCH] 856 add option to only prompt once for passwords In-Reply-To: <4E563818.3040704@redhat.com> References: <4E557883.4050304@redhat.com> <4E563575.6050500@redhat.com> <4E563818.3040704@redhat.com> Message-ID: <4E56384D.60103@redhat.com> On 25.08.2011 14:55, Rob Crittenden wrote: > Alexander Bokovoy wrote: >> On 25.08.2011 01:17, Rob Crittenden wrote: >>> The Password parameter was set up to take passwords for users where you >>> would want to confirm the entered password. There is a case in the >>> entitlement plugin where we want to prompt for a password to an external >>> service, so prompt just once. This adds a new option to Password, >>> confirm, to decide what to do. >> You forgot to re-generate API.txt. >> -option: Password('password', label=Gettext('Password', domain='ipa', >> localedir=None)) >> +option: Password('password', confirm=False, label=Gettext('Password', >> domain='ipa', localedir=None)) >> > > Updated patch attached. ACK -- / Alexander Bokovoy From abokovoy at redhat.com Thu Aug 25 12:15:28 2011 
From: abokovoy at redhat.com (Alexander Bokovoy) Date: Thu, 25 Aug 2011 15:15:28 +0300 Subject: [Freeipa-devel] [PATCH] 854 Add ftp HBAC services In-Reply-To: <4E563482.7060801@redhat.com> References: <4E556E9E.70809@redhat.com> <4E56276E.8050507@redhat.com> <4E5633AE.4080303@redhat.com> <4E563482.7060801@redhat.com> Message-ID: <4E563CE0.5080400@redhat.com> On 25.08.2011 14:39, Alexander Bokovoy wrote: >>> What about other services? There are 'sudo', 'sudo-i', 'su', 'su-l', >>> 'runuser', 'runuser-l' in Fedora which represent 'sudo' and 'su', and >>> 'runuser' and dash-variants are used when launched with appropriate >>> options. >>> >>> For gdm there are gdm{,-autologin,-fingerprint,-password} which are >>> different PAM services to use with different GDM options. >>> >>> I think is is worth to create HBAC service groups for them as well but >>> this is clearly distribution-dependent behaviour. >> >> We have some of these sudo services already, but not all of them. I'm >> certainly open to adding more services and service groups by default. >> Can you open a ticket with your suggestions? > I'll make a task ticket for 3.0 Core effort. https://fedorahosted.org/freeipa/ticket/1712 -- / Alexander Bokovoy From rcritten at redhat.com Thu Aug 25 12:31:35 2011 
From: rcritten at redhat.com (Rob Crittenden) Date: Thu, 25 Aug 2011 08:31:35 -0400 Subject: [Freeipa-devel] [PATCH] 854 Add ftp HBAC services In-Reply-To: <4E56276E.8050507@redhat.com> References: <4E556E9E.70809@redhat.com> <4E56276E.8050507@redhat.com> Message-ID: <4E5640A7.4060408@redhat.com> Alexander Bokovoy wrote: > On 25.08.2011 00:35, Rob Crittenden wrote: >> Add a few more ftp HBAC services. This adds vsftpd, proftpd, pure-ftpd >> and gssftp. An HBAC service equates to a pam service and since there is >> no Linux ftp daemon that uses ftp as its service name it wasn't very >> useful. >> >> I added a ftp HBAC service group to tie them all together. > ACK pushed to master and ipa-2-1 > > What about other services? There are 'sudo', 'sudo-i', 'su', 'su-l', > 'runuser', 'runuser-l' in Fedora which represent 'sudo' and 'su', and > 'runuser' and dash-variants are used when launched with appropriate > options. > > For gdm there are gdm{,-autologin,-fingerprint,-password} which are > different PAM services to use with different GDM options. > > I think is is worth to create HBAC service groups for them as well but > this is clearly distribution-dependent behaviour. From rcritten at redhat.com Thu Aug 25 12:34:10 2011 From: rcritten at redhat.com (Rob Crittenden) Date: Thu, 25 Aug 2011 08:34:10 -0400 Subject: [Freeipa-devel] [PATCH] 855 add label for HBAC service group members In-Reply-To: <4E5634AF.7070802@redhat.com> References: <4E5571CF.2020002@redhat.com> <4E5634AF.7070802@redhat.com> Message-ID: <4E564142.2090901@redhat.com> Alexander Bokovoy wrote: > On 25.08.2011 00:49, Rob Crittenden wrote: >> There was no Param for member_hbacsvc so members weren't showing by >> default with ipa hbacsvcgroup-show. This fixes it. > ACK > pushed to master and ipa-2-1 From rcritten at redhat.com Thu Aug 25 12:36:41 2011 
From: rcritten at redhat.com (Rob Crittenden)
Date: Thu, 25 Aug 2011 08:36:41 -0400
Subject: [Freeipa-devel] [PATCH] 856 add option to only prompt once for passwords
In-Reply-To: <4E56384D.60103@redhat.com>
References: <4E557883.4050304@redhat.com> <4E563575.6050500@redhat.com> <4E563818.3040704@redhat.com> <4E56384D.60103@redhat.com>
Message-ID: <4E5641D9.2080108@redhat.com>

Alexander Bokovoy wrote:
> On 25.08.2011 14:55, Rob Crittenden wrote:
>> Alexander Bokovoy wrote:
>>> On 25.08.2011 01:17, Rob Crittenden wrote:
>>>> The Password parameter was set up to take passwords for users where you
>>>> would want to confirm the entered password. There is a case in the
>>>> entitlement plugin where we want to prompt for a password to an external
>>>> service, so prompt just once. This adds a new option to Password,
>>>> confirm, to decide what to do.
>>> You forgot to re-generate API.txt.
>>> -option: Password('password', label=Gettext('Password', domain='ipa',
>>> localedir=None))
>>> +option: Password('password', confirm=False, label=Gettext('Password',
>>> domain='ipa', localedir=None))
>>>
>>
>> Updated patch attached.
> ACK
>

pushed to master and ipa-2-1

From abokovoy at redhat.com Thu Aug 25 13:13:16 2011
From: abokovoy at redhat.com (Alexander Bokovoy)
Date: Thu, 25 Aug 2011 16:13:16 +0300
Subject: [Freeipa-devel] [PATCH 44/44] ticket 1705 - internationalize help topics
In-Reply-To: <201108242132.p7OLWfma003036@int-mx01.intmail.prod.int.phx2.redhat.com>
References: <201108242132.p7OLWfma003036@int-mx01.intmail.prod.int.phx2.redhat.com>
Message-ID: <4E564A6C.2060405@redhat.com>

On 25.08.2011 00:32, John Dennis wrote:
> * Wrap each topic description in _()
>
> * Replace the use of if 'topic' in dir(module) with the more
> Pythonic and efficient getattr(module, 'topic', None)
>
> * Make sure to invoke unicode on the value returned from _()
> otherwise you'll get a GettextFactory instance, not a string
>
> * Clean up trailing whitespace errors

ACK

--
/ Alexander Bokovoy

From pvoborni at redhat.com Thu Aug 25 13:23:00 2011
From: pvoborni at redhat.com (Petr Vobornik)
Date: Thu, 25 Aug 2011 15:23:00 +0200
Subject: [Freeipa-devel] [PATCH] 008 Modify serial associator to use batch
Message-ID: <4E564CB4.2060503@redhat.com>

https://fedorahosted.org/freeipa/ticket/1688

The serial associator is used to execute a command multiple times with different parameters. This is used for adding/removing a user into/from multiple groups. It has some issues:

* Each command is executed one-by-one, so it could be slow.
* If there's a failure the rest of the commands will not be executed.

This can be fixed by putting the commands into a batch and executing them at once.

--
Petr Vobornik
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-pvoborni-0008-Modify-serial-associator-to-use-batch.patch
Type: text/x-patch
Size: 4863 bytes

From rcritten at redhat.com Thu Aug 25 13:28:37 2011
From: rcritten at redhat.com (Rob Crittenden)
Date: Thu, 25 Aug 2011 09:28:37 -0400
Subject: [Freeipa-devel] [PATCH] 114 Fix sudo help and summaries
In-Reply-To: <1314271916.2681.1.camel@dhcp-25-52.brq.redhat.com>
References: <1314271916.2681.1.camel@dhcp-25-52.brq.redhat.com>
Message-ID: <4E564E05.3030208@redhat.com>

Martin Kosek wrote:
> 1) Add sudorule docstring headline
>
> 2) Fix naming inconsistency in Sudo plugins help and summaries,
> especially capitalization of Sudo objects - Sudo Rule, Sudo
> Command and Sudo Command Group
>
> 3) Add missing summaries for sudorule-add-option and
> sudorule-remove-option
>
> https://fedorahosted.org/freeipa/ticket/1595
> https://fedorahosted.org/freeipa/ticket/1596

This breaks compatibility with old clients:

$ ipa sudorule-add-option test2
Sudo Option: foo
ipa: ERROR: non-public: ValueError: sudorule_add_option.validate_output(): unexpected keys ['summary'] in {'result': {'ipasudoopt': (u'foo',), 'cn': (u'test2',), 'ipaenabledflag': (u'TRUE',)}, 'summary': u'Added option "foo" to Sudo Rule "test2"'}
Traceback (most recent call last):
  File "/usr/lib/python2.7/site-packages/ipalib/backend.py", line 125, in execute
    result = self.Command[_name](*args, **options)
  File "/usr/lib/python2.7/site-packages/ipalib/frontend.py", line 443, in __call__
    self.validate_output(ret)
  File "/usr/lib/python2.7/site-packages/ipalib/frontend.py", line 895, in validate_output
    nice, extra, output)
ValueError: sudorule_add_option.validate_output(): unexpected keys ['summary'] in {'result': {'ipasudoopt': (u'foo',), 'cn': (u'test2',), 'ipaenabledflag': (u'TRUE',)}, 'summary': u'Added option "foo" to Sudo Rule "test2"'}
ipa: ERROR: an internal error has occurred

From jdennis at redhat.com Thu Aug 25 13:53:08 2011
From: jdennis at redhat.com (John Dennis)
Date: Thu, 25 Aug 2011 09:53:08 -0400
Subject: [Freeipa-devel] [PATCH 46/46] ticket 1669 - improve i18n docstring extraction
In-Reply-To: <4E563702.6090006@redhat.com>
References: <201108250346.p7P3kjKq004751@int-mx12.intmail.prod.int.phx2.redhat.com> <4E563702.6090006@redhat.com>
Message-ID: <4E5653C4.6060706@redhat.com>

On 08/25/2011 07:50 AM, Alexander Bokovoy wrote:
> Read through whole patch. This is one of rare cases where gettext's use
> of original text as translation id isn't helpful from both performance
> (longer calculation of Id hash during run-time) and maintenance. Looks
> like we have to live with that if Transifex is unable to work with
> indirected translation ids -- that would mean authoritative original
> text would be in 'en' translation, not as original translation id.
>
> If that can't be solved, I'm fine with this approach.

To the best of my knowledge gettext can only use the original string as the message id. Transifex is built upon the gettext architecture. To the best of my knowledge gettext is the only i18n translation framework in use for the software in our distribution. I agree with you that hashing the original string for lookup is less than ideal but given the above I think we have to live with it. I'm not aware of any performance complaints due to the hashing, but I don't read the gettext mailing list.

--
John Dennis

Looking to carve out IT costs?
www.redhat.com/carveoutcosts/

From edewata at redhat.com Thu Aug 25 14:26:12 2011
From: edewata at redhat.com (Endi Sukma Dewata)
Date: Thu, 25 Aug 2011 09:26:12 -0500
Subject: [Freeipa-devel] [PATCH] 252 Removed unnecessary HBAC/sudo rule category modification.
In-Reply-To: <4E53DF61.2000406@redhat.com>
References: <4E52CC07.8080101@redhat.com> <4E53DF61.2000406@redhat.com>
Message-ID: <4E565B84.6060408@redhat.com>

On 8/23/2011 12:12 PM, Petr Vobornik wrote:
> On 08/22/2011 11:37 PM, Endi Sukma Dewata wrote:
>> Since the Add/Delete links in the association table are disabled when
>> the category is set to 'all', it's no longer necessary to check the
>> category before showing the add/delete dialogs and modify the category
>> before adding entries. Thus, the IPA.rule_association_table_widget is
>> no longer needed.
>>
>> Ticket #1692
> ACK

Pushed to master and ipa-2-1.

--
Endi S. Dewata

From edewata at redhat.com Thu Aug 25 14:26:50 2011
From: edewata at redhat.com (Endi Sukma Dewata)
Date: Thu, 25 Aug 2011 09:26:50 -0500
Subject: [Freeipa-devel] [PATCH] 254 Fixed default map type in automount map adder dialog.
In-Reply-To: <4E56229D.8070307@redhat.com>
References: <4E545D94.9010805@redhat.com> <4E56229D.8070307@redhat.com>
Message-ID: <4E565BAA.9080308@redhat.com>

On 8/25/2011 5:23 AM, Petr Vobornik wrote:
> On 08/24/2011 04:10 AM, Endi Sukma Dewata wrote:
>> The adder dialog for automount map has been modified to select the
>> direct map by default.
>>
>> Ticket #1698
> ACK

Pushed to master and ipa-2-1.

--
Endi S. Dewata

From abokovoy at redhat.com Thu Aug 25 14:36:35 2011
From: abokovoy at redhat.com (Alexander Bokovoy)
Date: Thu, 25 Aug 2011 17:36:35 +0300
Subject: [Freeipa-devel] [PATCH 46/46] ticket 1669 - improve i18n docstring extraction
In-Reply-To: <4E5653C4.6060706@redhat.com>
References: <201108250346.p7P3kjKq004751@int-mx12.intmail.prod.int.phx2.redhat.com> <4E563702.6090006@redhat.com> <4E5653C4.6060706@redhat.com>
Message-ID: <4E565DF3.6090900@redhat.com>

On 25.08.2011 16:53, John Dennis wrote:
> On 08/25/2011 07:50 AM, Alexander Bokovoy wrote:
>> Read through whole patch. This is one of rare cases where gettext's use
>> of original text as translation id isn't helpful from both performance
>> (longer calculation of Id hash during run-time) and maintenance. Looks
>> like we have to live with that if Transifex is unable to work with
>> indirected translation ids -- that would mean authoritative original
>> text would be in 'en' translation, not as original translation id.
>>
>> If that can't be solved, I'm fine with this approach.
>
>
> To the best of my knowledge gettext can only use the original string as
> the message id. Transifex is built upon the gettext architecture. To the
> best of my knowledge gettext is the only i18n translation framework in
> use for the software in our distribution. I agree with you that hashing
> the original string for lookup is less than ideal but given the above I
> think we have to live with it. I'm not aware of any performance
> complaints due to the hashing, but I don't read the gettext mailing list.

Here is what we have now:

$ rpm -ql freeipa-python|grep locale
/usr/share/locale/bn_IN/LC_MESSAGES/ipa.mo
/usr/share/locale/de/LC_MESSAGES/ipa.mo
/usr/share/locale/es/LC_MESSAGES/ipa.mo
/usr/share/locale/fr/LC_MESSAGES/ipa.mo
/usr/share/locale/he/LC_MESSAGES/ipa.mo
/usr/share/locale/id/LC_MESSAGES/ipa.mo
/usr/share/locale/it/LC_MESSAGES/ipa.mo
/usr/share/locale/ja/LC_MESSAGES/ipa.mo
/usr/share/locale/kn/LC_MESSAGES/ipa.mo
/usr/share/locale/ko/LC_MESSAGES/ipa.mo
/usr/share/locale/pl/LC_MESSAGES/ipa.mo
/usr/share/locale/pt/LC_MESSAGES/ipa.mo
/usr/share/locale/pt_BR/LC_MESSAGES/ipa.mo
/usr/share/locale/ru/LC_MESSAGES/ipa.mo
/usr/share/locale/uk/LC_MESSAGES/ipa.mo
/usr/share/locale/zh_CN/LC_MESSAGES/ipa.mo
/usr/share/locale/zh_TW/LC_MESSAGES/ipa.mo

With the translation id being a hash instead of the original message, all the difference would be that there will be

/usr/share/locale/en/LC_MESSAGES/ipa.mo
/usr/share/locale/C/LC_MESSAGES/ipa.mo

This would have been enough if only gettext supported fallback between language translations on the same domain. I.e. if the Russian translation is not available, try the English one and if not, return the translation Id. There is discussion about similar cases in ambiguous translations of GUI messages and the solution proposed is a wrapper around gettext() to look up other means for fetching translations.

--
/ Alexander Bokovoy

From jdennis at redhat.com Thu Aug 25 15:02:21 2011
From: jdennis at redhat.com (John Dennis)
Date: Thu, 25 Aug 2011 11:02:21 -0400
Subject: [Freeipa-devel] [PATCH 46/46] ticket 1669 - improve i18n docstring extraction
In-Reply-To: <4E565DF3.6090900@redhat.com>
References: <201108250346.p7P3kjKq004751@int-mx12.intmail.prod.int.phx2.redhat.com> <4E563702.6090006@redhat.com> <4E5653C4.6060706@redhat.com> <4E565DF3.6090900@redhat.com>
Message-ID: <4E5663FD.6030308@redhat.com>

On 08/25/2011 10:36 AM, Alexander Bokovoy wrote:
> This would have been enough if only gettext supported fallback between
> language translations on the same domain. I.e. if Russian translation is
> not available, try English one and if not, return translation Id. There
> is discussion about similar cases in ambiguous translations of GUI
> messages and solution proposed is a wrapper around gettext() to lookup
> other means for fetching translations.

Gettext does support fallback to the original msgid. In other words, if the msgid (the original string, English in our case) cannot be located in the current catalog (i.e. the mo file mapped to the locale in domain) then the original msgid is returned.

The difference is that gettext uses strings as ids; other systems use integers and require a default catalog to be installed. If the integer id is not present in the locale it's fetched from the fallback locale.

Each approach has advantages. On the plus side of the gettext approach is the fact you'll always get the most current string provided by the programmer in the source code; there are fewer catalog maintenance issues and penalties for letting the catalogs drift out of sync. Of course the other approach has some compelling features too.

Bottom line, there are no plans to move away from gettext nor re-implement it, so it is what it is :-) We just want to make sure we're using the gettext and Transifex ecosystem to its full advantage.

--
John Dennis

Looking to carve out IT costs?
www.redhat.com/carveoutcosts/

From abokovoy at redhat.com Thu Aug 25 15:21:49 2011
From: abokovoy at redhat.com (Alexander Bokovoy)
Date: Thu, 25 Aug 2011 18:21:49 +0300
Subject: [Freeipa-devel] [PATCH 46/46] ticket 1669 - improve i18n docstring extraction
In-Reply-To: <4E5663FD.6030308@redhat.com>
References: <201108250346.p7P3kjKq004751@int-mx12.intmail.prod.int.phx2.redhat.com> <4E563702.6090006@redhat.com> <4E5653C4.6060706@redhat.com> <4E565DF3.6090900@redhat.com> <4E5663FD.6030308@redhat.com>
Message-ID: <4E56688D.50707@redhat.com>

On 25.08.2011 18:02, John Dennis wrote:
> On 08/25/2011 10:36 AM, Alexander Bokovoy wrote:
>> This would have been enough if only gettext supported fallback between
>> language translations on the same domain. I.e. if Russian translation is
>> not available, try English one and if not, return translation Id. There
>> is discussion about similar cases in ambiguous translations of GUI
>> messages and solution proposed is a wrapper around gettext() to lookup
>> other means for fetching translations.
>
> Gettext does support fallback to the original msgid. In other words if
> the msgid (the original string, English in our case) cannot be located
> in the current catalog (i.e. the mo file mapped to the locale in domain)
> then the original msgid is returned.
>
> The difference is that gettext uses strings as ids; other systems use
> integers and require a default catalog to be installed. If the integer
> id is not present in the locale it's fetched from the fallback locale.

Oh, I wasn't really talking about 'other' systems. Look at "info libc 'GUI program problems'" to see what I was referring to.

--
/ Alexander Bokovoy

From rcritten at redhat.com Thu Aug 25 15:36:37 2011
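The two behaviours discussed above, shown as an added example that is not FreeIPA code: a gettext miss returns the msgid itself (John's point), and a per-language fallback chain of the kind Alexander asks about, which Python's gettext module provides through GNUTranslations.add_fallback(). The .mo catalogs are built in memory and their msgids and translations are made up for the demonstration.

```python
"""Added example, not FreeIPA code: how gettext resolves a msgid.

Two .mo catalogs are constructed in memory (msgids and translations are made
up for the demonstration) and loaded with gettext.GNUTranslations, the same
class that reads an installed ipa.mo.
"""
import gettext
import io
import struct

MO_MAGIC_LE = 0x950412DE  # little-endian GNU .mo magic number


def build_mo(entries):
    """Serialize {msgid: msgstr} into a little-endian GNU .mo image.

    Layout: a 7-word header, a table of (length, offset) pairs for the
    original strings, the same for the translations, then the NUL-terminated
    strings themselves. No hash table is emitted (hash size 0), so readers
    look the msgid up in the sorted table instead. The empty msgid holds the
    catalog metadata, whose Content-Type charset governs how every other
    string is decoded, so it is always present and sorts first.
    """
    entries = dict(entries)
    entries.setdefault("", "Content-Type: text/plain; charset=UTF-8\n")
    ids = sorted(entries)
    keys = [m.encode("utf-8") + b"\0" for m in ids]
    vals = [entries[m].encode("utf-8") + b"\0" for m in ids]
    n = len(ids)
    orig_tab = 7 * 4
    trans_tab = orig_tab + 8 * n
    pos = trans_tab + 8 * n          # first string byte follows both tables
    otab = ttab = blob = b""
    for k in keys:
        otab += struct.pack("<II", len(k) - 1, pos)   # length excludes NUL
        blob += k
        pos += len(k)
    for v in vals:
        ttab += struct.pack("<II", len(v) - 1, pos)
        blob += v
        pos += len(v)
    header = struct.pack("<7I", MO_MAGIC_LE, 0, n, orig_tab, trans_tab, 0, pos)
    return header + otab + ttab + blob


def load_catalog(entries):
    """Build a catalog and parse it exactly as an ipa.mo file would be parsed."""
    return gettext.GNUTranslations(io.BytesIO(build_mo(entries)))


# Constructed sample catalogs. The 'en' catalog plays the role Alexander
# describes: an English "translation" that corrects the source string.
EN_ENTRIES = {"Sudo Rule": "sudo rule", "Password": "Password"}
RU_ENTRIES = {"Password": "Пароль"}


def translate(msgid, language_fallback=False):
    """Resolve msgid through the Russian catalog.

    Without language_fallback this is the behaviour John describes: a miss
    returns the msgid itself, i.e. the programmer's current English source
    string. With it, GNUTranslations.add_fallback() chains the English
    catalog in front of that last resort: ru -> en -> msgid.
    """
    ru = load_catalog(RU_ENTRIES)
    if language_fallback:
        ru.add_fallback(load_catalog(EN_ENTRIES))
    return ru.gettext(msgid)


if __name__ == "__main__":
    for msgid in ("Password", "Sudo Rule", "Sudo Option"):
        print(f"{msgid!r:14} ru only: {translate(msgid)!r:14} "
              f"ru>en: {translate(msgid, True)!r}")
```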
From: rcritten at redhat.com (Rob Crittenden)
Date: Thu, 25 Aug 2011 11:36:37 -0400
Subject: [Freeipa-devel] [PATCH] 857 get password/keytab status in host-mod
Message-ID: <4E566C05.5030707@redhat.com>

I missed retrieving password/keytab status when doing a host-mod.

rob
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-rcrit-857-hostmod.patch
Type: text/x-patch
Size: 1516 bytes

From rcritten at redhat.com Thu Aug 25 15:51:48 2011
From: rcritten at redhat.com (Rob Crittenden)
Date: Thu, 25 Aug 2011 11:51:48 -0400
Subject: [Freeipa-devel] [PATCH] 857 get password/keytab status in host-mod
In-Reply-To: <4E566C05.5030707@redhat.com>
References: <4E566C05.5030707@redhat.com>
Message-ID: <4E566F94.8070802@redhat.com>

Rob Crittenden wrote:
> I missed retrieving password/keytab status when doing a host-mod.
>
> rob

Revised patch

rob
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-rcrit-857-2-hostmod.patch
Type: text/x-patch
Size: 1711 bytes

From edewata at redhat.com Thu Aug 25 16:04:04 2011
From: edewata at redhat.com (Endi Sukma Dewata)
Date: Thu, 25 Aug 2011 11:04:04 -0500
Subject: [Freeipa-devel] [PATCH] 008 Modify serial associator to use batch
In-Reply-To: <4E564CB4.2060503@redhat.com>
References: <4E564CB4.2060503@redhat.com>
Message-ID: <4E567274.3090108@redhat.com>

On 8/25/2011 8:23 AM, Petr Vobornik wrote:
> https://fedorahosted.org/freeipa/ticket/1688
>
> The serial associator is used to execute a command multiple times with
> different parameters. This is used for adding/removing a user into/from
> multiple groups. It has some issues:
>
> * Each command is executed one-by-one, so it could be slow.
> * If there's a failure the rest of the commands will not be executed.
>
> This can be fixed by putting the commands into a batch and executing
> them at once.

There's one comment that's still referring to the old 'command':

//alert(JSON.stringify(command.to_json()));

It's not important because it's only used for debugging. The comment can be fixed or even deleted in another patch.

ACK. Pushed to master and ipa-2-1.

--
Endi S. Dewata

From jcholast at redhat.com Thu Aug 25 16:21:21 2011
From: jcholast at redhat.com (Jan Cholasta)
Date: Thu, 25 Aug 2011 18:21:21 +0200
Subject: [Freeipa-devel] [PATCH] 44 Fix parameter validation
Message-ID: <4E567681.8080308@redhat.com>

What this patch does:

* Make sure arguments are validated and default values are filled in before calling a command.
* Add new parameter flag "validate_search" to force validation on search arguments.
* Fix validation of IP network parameters in the DNS plugin.

https://fedorahosted.org/freeipa/ticket/1627

Honza

--
Jan Cholasta
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-jcholast-44-parameter-validation.patch
Type: text/x-patch
Size: 10843 bytes

From edewata at redhat.com Thu Aug 25 16:41:47 2011
From: edewata at redhat.com (Endi Sukma Dewata)
Date: Thu, 25 Aug 2011 11:41:47 -0500
Subject: [Freeipa-devel] [PATCH] 857 get password/keytab status in host-mod
In-Reply-To: <4E566F94.8070802@redhat.com>
References: <4E566C05.5030707@redhat.com> <4E566F94.8070802@redhat.com>
Message-ID: <4E567B4B.2080200@redhat.com>

On 8/25/2011 10:51 AM, Rob Crittenden wrote:
> Rob Crittenden wrote:
>> I missed retrieving password/keytab status when doing a host-mod.
> Revised patch

ACK. Pushed to master and ipa-2-1.

--
Endi S. Dewata

From rcritten at redhat.com Thu Aug 25 20:13:32 2011
From: rcritten at redhat.com (Rob Crittenden)
Date: Thu, 25 Aug 2011 16:13:32 -0400
Subject: [Freeipa-devel] [PATCH 43/43] ticket 1707 - add documentation validation to makeapi tool
In-Reply-To: <201108241924.p7OJOBse029526@int-mx09.intmail.prod.int.phx2.redhat.com>
References: <201108241924.p7OJOBse029526@int-mx09.intmail.prod.int.phx2.redhat.com>
Message-ID: <4E56ACEC.1010208@redhat.com>

John Dennis wrote:
> Iterate over all API commands and perform the following validation:
>
> * Every command must have documentation
>   and it must be marked for international translation
>
> * Every module hosting a command must have documentation
>   and it must be marked for international translation
>
> * Every module topic must be marked for international translation
>
> For every error found emit a diagnostic.
> Emit a summary of total errors found.
>
> Return error flag if errors found, zero otherwise.

ack, pushed to master and ipa-2-1

From rcritten at redhat.com Thu Aug 25 20:14:55 2011
From: rcritten at redhat.com (Rob Crittenden)
Date: Thu, 25 Aug 2011 16:14:55 -0400
Subject: [Freeipa-devel] [PATCH 44/44] ticket 1705 - internationalize help topics
In-Reply-To: <4E564A6C.2060405@redhat.com>
References: <201108242132.p7OLWfma003036@int-mx01.intmail.prod.int.phx2.redhat.com> <4E564A6C.2060405@redhat.com>
Message-ID: <4E56AD3F.1040500@redhat.com>

Alexander Bokovoy wrote:
> On 25.08.2011 00:32, John Dennis wrote:
>> * Wrap each topic description in _()
>>
>> * Replace the use of if 'topic' in dir(module) with the more
>> Pythonic and efficient getattr(module, 'topic', None)
>>
>> * Make sure to invoke unicode on the value returned from _()
>> otherwise you'll get a GettextFactory instance, not a string
>>
>> * Clean up trailing whitespace errors
> ACK
>
>

ACK from me too, pushed to master and ipa-2-1

From rcritten at redhat.com Thu Aug 25 20:16:06 2011
From: rcritten at redhat.com (Rob Crittenden)
Date: Thu, 25 Aug 2011 16:16:06 -0400
Subject: [Freeipa-devel] [PATCH 45/45] ticket 1706 - internationalize cli help framework
In-Reply-To: <4E562269.1040203@redhat.com>
References: <201108242139.p7OLdiww018216@int-mx10.intmail.prod.int.phx2.redhat.com> <4E562269.1040203@redhat.com>
Message-ID: <4E56AD86.1060405@redhat.com>

Alexander Bokovoy wrote:
> On 25.08.2011 00:39, John Dennis wrote:
>> In cli.py is a framework for printing out help information. The
>> command documentation being displayed is internationalized, however
>> the text generated by the help framework itself is not
>> internationalized.
>>
>> The strings output by the help subsystem need to be internationalized.
> ACK.
>
>

ACK from me too, pushed to master and ipa-2-1

From rcritten at redhat.com Thu Aug 25 20:27:09 2011
From: rcritten at redhat.com (Rob Crittenden)
Date: Thu, 25 Aug 2011 16:27:09 -0400
Subject: [Freeipa-devel] [PATCH 46/46] ticket 1669 - improve i18n docstring extraction
In-Reply-To: <4E563702.6090006@redhat.com>
References: <201108250346.p7P3kjKq004751@int-mx12.intmail.prod.int.phx2.redhat.com> <4E563702.6090006@redhat.com>
Message-ID: <4E56B01D.7040002@redhat.com>

Alexander Bokovoy wrote:
> On 25.08.2011 06:46, John Dennis wrote:
>> class foo(Command):
>>     '''
>>     The foo command takes out the garbage.
>>     '''
>>
>> Would become:
>>
>> class foo(Command):
>>     __doc__ = _('The foo command takes out the garbage.')
>>
>> But which docstrings need to be marked for translation? The makeapi
>> tool knows how to iterate over every command in our public API. It was
>> extended to validate every command's documentation and report if any
>> documentation is missing or not marked for translation. That
>> information was then used to identify each docstring in the code which
>> needed to be transformed.
> Read through whole patch. This is one of rare cases where gettext's use
> of original text as translation id isn't helpful from both performance
> (longer calculation of Id hash during run-time) and maintenance. Looks
> like we have to live with that if Transifex is unable to work with
> indirected translation ids -- that would mean authoritative original
> text would be in 'en' translation, not as original translation id.
>
> If that can't be solved, I'm fine with this approach.
>> In summary what this patch does is:
>>
>> * Remove the use of pygettext (modification to install/po/Makefile.in)
> ACK
>
>> * Replace every docstring with an explicit assignment to __doc__ where
>> the rhs of the assignment is an i18n marking function.
> ACK
>
>> * Single line docstrings appearing in multi-line string literals
>> (e.g. ''' or """) were replaced with single line string literals
>> because the multi-line literals were introducing unnecessary
>> whitespace and newlines in the string extracted for translation. For
>> example:
> ACK
>
>> * Import statements were moved from below the docstring to above
>> it. This was necessary because the i18n markers are imported
>> functions and must be available before the doc is
>> parsed. Technically only the import of the i18n markers had to
>> appear before the doc but stylistically it's better to keep all the
>> imports together.
> ACK
>
>> * It was observed during the docstring editing process that the
>> command documentation was inconsistent with respect to the use of
>> periods to terminate a sentence. Some doc had a trailing period,
>> others didn't. Consistency was enforced by adding a period to end of
>> every docstring if one was missing.
> ACK.
>

ACK from me too, pushed to master and ipa-2-1

I discovered some issues with the Spanish translation while testing this and opened a ticket to investigate. It isn't related to these changes.

rob

From ayoung at redhat.com Thu Aug 25 21:24:18 2011
From: ayoung at redhat.com (Adam Young)
Date: Thu, 25 Aug 2011 17:24:18 -0400
Subject: [Freeipa-devel] [PATCH] 0283-enable-proxy-for-dogtag
In-Reply-To: <4E5455EC.2020505@redhat.com>
References: <4E4E9B34.10309@redhat.com> <4E4EA415.9010907@redhat.com> <4E5455EC.2020505@redhat.com>
Message-ID: <4E56BD82.6060501@redhat.com>

Uses the updated version of pkicreate which makes an ipa specific proxy config file.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-admiyo-0283-3-enable-proxy-for-dogtag.patch
Type: text/x-patch
Size: 11742 bytes

From edewata at redhat.com Thu Aug 25 22:14:33 2011
From: edewata at redhat.com (Endi Sukma Dewata)
Date: Thu, 25 Aug 2011 17:14:33 -0500
Subject: [Freeipa-devel] [PATCH] 256 Fixed host keytab status after setting OTP.
Message-ID: <4E56C949.40200@redhat.com>

The host details page has been modified to update the keytab status based on the data returned by the host-mod command for setting OTP.

Ticket #1710

--
Endi S. Dewata
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-edewata-0256-Fixed-host-keytab-status-after-setting-OTP.patch
Type: text/x-patch
Size: 7504 bytes

From ayoung at redhat.com Fri Aug 26 00:06:29 2011
From: ayoung at redhat.com (Adam Young)
Date: Thu, 25 Aug 2011 20:06:29 -0400
Subject: [Freeipa-devel] [PATCH] 853 remove upgrade state when uninstalling
In-Reply-To: <4E551ADC.1010803@redhat.com>
References: <4E551ADC.1010803@redhat.com>
Message-ID: <4E56E385.4070106@redhat.com>

On 08/24/2011 11:38 AM, Rob Crittenden wrote:
> The upgrade process saves some information in the IPA sysrestore
> state. If any of this state remains after an uninstall then you will
> get an error during re-install. Theoretically all this state should be
> removed as part of the upgrade process but on the outside chance, let's
> remove the state at uninstall to prevent problems.
>
> I've had just one report of this, it may have been due to a blown
> upgrade, I'm not sure. I've been unable to reproduce it but at worst
> this is a noop and at best allows easy re-installation.
>
> This requires patch 852.
>
> rob
>
>
> _______________________________________________
> Freeipa-devel mailing list
> Freeipa-devel at redhat.com
> https://www.redhat.com/mailman/listinfo/freeipa-devel

So my latest patch changes /etc/httpd/nss.conf. Is this an appropriate approach for that file as well?

From ayoung at redhat.com Fri Aug 26 01:32:11 2011
From: ayoung at redhat.com (Adam Young)
Date: Thu, 25 Aug 2011 21:32:11 -0400
Subject: [Freeipa-devel] [PATCH] 852 remove more files in uninstaller
In-Reply-To: <4E551193.6040809@redhat.com>
References: <4E551193.6040809@redhat.com>
Message-ID: <4E56F79B.2060609@redhat.com>

On 08/24/2011 10:58 AM, Rob Crittenden wrote:
> We were missing a few 389-ds files and directories. This removes
> everything but the logs.
>
> rob

OK... Here's what I did:

Had an install on a VM. I uninstalled the old RPMs, installed new ones with this fix in it (confirmed the Git hash) and ran the uninstaller. Twice.

There are still files:
/etc/sysconfig/dirsrv-F15SERVER-AYOUNG-BOSTON-DEVEL-REDHAT-COM
/etc/dirsrv/ds.keytab
but /var/lib/dirsrv/ is empty.

Removing them and rerunning the installer now, then will rerun the uninstall.

From ayoung at redhat.com Fri Aug 26 02:05:06 2011
From: ayoung at redhat.com (Adam Young)
Date: Thu, 25 Aug 2011 22:05:06 -0400
Subject: [Freeipa-devel] [PATCH] 852 remove more files in uninstaller
In-Reply-To: <4E56F79B.2060609@redhat.com>
References: <4E551193.6040809@redhat.com> <4E56F79B.2060609@redhat.com>
Message-ID: <4E56FF52.7000302@redhat.com>

On 08/25/2011 09:32 PM, Adam Young wrote:
> On 08/24/2011 10:58 AM, Rob Crittenden wrote:
>> We were missing a few 389-ds files and directories. This removes
>> everything but the logs.
>>
>> rob
> OK... Here's what I did:
>
> Had an install on a VM. I uninstalled the old RPMs, installed new
> ones with this fix in it (confirmed the Git hash) and ran the
> uninstaller. Twice.
>
> There are still files:
> /etc/sysconfig/dirsrv-F15SERVER-AYOUNG-BOSTON-DEVEL-REDHAT-COM
> /etc/dirsrv/ds.keytab
> but /var/lib/dirsrv/ is empty.
>
> Removing them and rerunning the installer now, then will rerun the
> uninstall.

Deleted those files, then reran the install, and then the uninstall; the files this is supposed to remove are gone. Not sure why they didn't get removed the last go-round.

From mkosek at redhat.com Fri Aug 26 07:31:16 2011
From: mkosek at redhat.com (Martin Kosek)
Date: Fri, 26 Aug 2011 09:31:16 +0200
Subject: [Freeipa-devel] [PATCH] 114 Fix sudo help and summaries
In-Reply-To: <4E564E05.3030208@redhat.com>
References: <1314271916.2681.1.camel@dhcp-25-52.brq.redhat.com> <4E564E05.3030208@redhat.com>
Message-ID: <1314343878.6077.8.camel@dhcp-25-52.brq.redhat.com>

On Thu, 2011-08-25 at 09:28 -0400, Rob Crittenden wrote:
> Martin Kosek wrote:
> > 1) Add sudorule docstring headline
> >
> > 2) Fix naming inconsistency in Sudo plugins help and summaries,
> > especially capitalization of Sudo objects - Sudo Rule, Sudo
> > Command and Sudo Command Group
> >
> > 3) Add missing summaries for sudorule-add-option and
> > sudorule-remove-option
> >
> > https://fedorahosted.org/freeipa/ticket/1595
> > https://fedorahosted.org/freeipa/ticket/1596
>
> This breaks compatibility with old clients:
>
> $ ipa sudorule-add-option test2
> Sudo Option: foo
> ipa: ERROR: non-public: ValueError:
> sudorule_add_option.validate_output(): unexpected keys ['summary'] in
> {'result': {'ipasudoopt': (u'foo',), 'cn': (u'test2',),
> 'ipaenabledflag': (u'TRUE',)}, 'summary': u'Added option "foo" to Sudo
> Rule "test2"'}
> Traceback (most recent call last):
> File "/usr/lib/python2.7/site-packages/ipalib/backend.py", line 125,
> in execute
> result = self.Command[_name](*args, **options)
> File "/usr/lib/python2.7/site-packages/ipalib/frontend.py", line 443,
> in __call__
> self.validate_output(ret)
> File "/usr/lib/python2.7/site-packages/ipalib/frontend.py", line 895,
> in validate_output
> nice, extra, output)
> ValueError: sudorule_add_option.validate_output(): unexpected keys
> ['summary'] in {'result': {'ipasudoopt': (u'foo',), 'cn': (u'test2',),
> 'ipaenabledflag': (u'TRUE',)}, 'summary': u'Added option "foo" to Sudo
> Rule "test2"'}
> ipa: ERROR: an internal error has occurred
>

Thanks for catching this.
I wonder if we should let output param validation skip unexpected keys in order to be able to do the change in Output and keep backwards compatibility in cases like this one.

I reworked the patch so that the summaries are printed via output_for_cli() - this solves this problem.

Martin
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-mkosek-114-2-fix-sudo-help-and-summaries.patch
Type: text/x-patch
Size: 18117 bytes

From sbose at redhat.com Fri Aug 26 09:39:26 2011
From: sbose at redhat.com (Sumit Bose)
Date: Fri, 26 Aug 2011 11:39:26 +0200
Subject: [Freeipa-devel] [PATCH] 1 Add ipa-adtrust-install utility
Message-ID: <20110826093926.GF2374@localhost.localdomain>

Hi,

with this patch an initial samba configuration for the AD trust feature can be created by calling ipa-adtrust-install. Please be aware that you will need a samba/master build to start smbd with the created configuration, because only here all the needed features are available. Günther is working on a spec file so that we can include a samba package in the IPA development repository (https://fedorahosted.org/freeipa/ticket/1610).

I haven't used python for quite some time and since this is my first contribution I'm happy to fix any violations of coding style and other guidelines.

bye,
Sumit
-------------- next part --------------
From 6012f921ed4d0bb9359d70018881a8ebbdfde0f9 Mon Sep 17 00:00:00 2001
From: sbose Date: Wed, 24 Aug 2011 11:18:56 +0200 Subject: [PATCH] Add ipa-adtrust-install utility https://fedorahosted.org/freeipa/ticket/1619 --- freeipa.spec.in | 2 + install/po/Makefile.in | 1 + install/tools/Makefile.am | 1 + install/tools/ipa-adtrust-install | 198 +++++++++++++++++++++++ install/tools/man/Makefile.am | 1 + install/tools/man/ipa-adtrust-install.1 | 44 +++++ ipaserver/install/Makefile.am | 1 + ipaserver/install/service.py | 3 +- ipaserver/install/smbinstance.py | 261 +++++++++++++++++++++++++++++++ 9 files changed, 511 insertions(+), 1 deletions(-) create mode 100755 install/tools/ipa-adtrust-install create mode 100644 install/tools/man/ipa-adtrust-install.1 create mode 100644 ipaserver/install/smbinstance.py diff --git a/freeipa.spec.in b/freeipa.spec.in index 1bf52b952177598bd24afc0560802f1883fa5a60..a67e9329f8230c05b0e9feeb321fb07e4f41a350 100644 --- a/freeipa.spec.in +++ b/freeipa.spec.in @@ -370,6 +370,7 @@ fi %doc COPYING README Contributors.txt %{_sbindir}/ipa-ca-install %{_sbindir}/ipa-dns-install +%{_sbindir}/ipa-adtrust-install %{_sbindir}/ipa-server-install %{_sbindir}/ipa-replica-conncheck %{_sbindir}/ipa-replica-install @@ -448,6 +449,7 @@ fi %{_mandir}/man1/ipa-server-certinstall.1.gz %{_mandir}/man1/ipa-server-install.1.gz %{_mandir}/man1/ipa-dns-install.1.gz +%{_mandir}/man1/ipa-adtrust-install.1.gz %{_mandir}/man1/ipa-ca-install.1.gz %{_mandir}/man1/ipa-compat-manage.1.gz %{_mandir}/man1/ipa-nis-manage.1.gz diff --git a/install/po/Makefile.in b/install/po/Makefile.in index a5468752723636b005c1d0876f10326e5c970814..d20a5d9628cb119f7704fcdb2917f1c897194147 100644 --- a/install/po/Makefile.in +++ b/install/po/Makefile.in @@ -54,6 +54,7 @@ PY_EXPLICIT_FILES = \ install/tools/ipa-server-install \ install/tools/ipa-ldap-updater \ install/tools/ipa-dns-install \ + install/tools/ipa-adtrust-install \ install/tools/ipa-ca-install \ ipa-client/ipa-install/ipa-client-install 
diff --git a/install/tools/Makefile.am b/install/tools/Makefile.am index fc615ec04f324c2d9c98dc8cf674938e1064bec6..96da7531764598878f94b6abd54c27a74671c028 100644 --- a/install/tools/Makefile.am +++ b/install/tools/Makefile.am @@ -8,6 +8,7 @@ sbin_SCRIPTS = \ ipa-ca-install \ ipa-dns-install \ ipa-server-install \ + ipa-adtrust-install \ ipa-replica-conncheck \ ipa-replica-install \ ipa-replica-prepare \ diff --git a/install/tools/ipa-adtrust-install b/install/tools/ipa-adtrust-install new file mode 100755 index 0000000000000000000000000000000000000000..3514690027cdbd25c0d5b8cbc56096051a5be809 --- /dev/null +++ b/install/tools/ipa-adtrust-install 
@@ -0,0 +1,198 @@ +#! /usr/bin/python +# +# Authors: Sumit Bose +# Based on ipa-server-install by Karl MacMillan +# and ipa-dns-install by Martin Nagy +# +# Copyright (C) 2011 Red Hat +# see file 'COPYING' for use and warranty information +# +# This program is free software; you can redistribute it and/or modify +# it under the terms of the GNU General Public License as published by +# the Free Software Foundation, either version 3 of the License, or +# (at your option) any later version. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with this program. If not, see . +# + +import traceback + +from ipaserver.plugins.ldap2 import ldap2 +from ipaserver.install import smbinstance +from ipaserver.install.installutils import * +from ipaserver.install import installutils +from ipapython import version +from ipapython import ipautil, sysrestore +from ipalib import api, errors, util +from ipapython.config import IPAOptionParser +import krbV +import ldap + +def parse_options(): + parser = IPAOptionParser(version=version.VERSION) + parser.add_option("-p", "--ds-password", dest="dm_password", + sensitive=True, help="admin password") + parser.add_option("-d", "--debug", dest="debug", action="store_true", + default=False, help="print debugging information") + parser.add_option("--ip-address", dest="ip_address", + type="ip", ip_local=True, help="Master Server IP Address") + parser.add_option("-U", "--unattended", dest="unattended", action="store_true", + default=False, help="unattended installation never prompts the user") + + options, args = parser.parse_args() + safe_options = parser.get_safe_opts(options) + + return safe_options, options + +def main(): + safe_options, options = parse_options() + + if 
os.getegid() != 0: + sys.exit("Must be root to setup AD trusts on server") + + installutils.check_server_configuration() + + standard_logging_setup("/var/log/ipaserver-install.log", options.debug, filemode='a') + print "\nThe log file for this installation can be found in /var/log/ipaserver-install.log" + + logging.debug('%s was invoked with options: %s' % (sys.argv[0], safe_options)) + logging.debug("missing options might be asked for interactively later\n") + + global fstore + fstore = sysrestore.FileStore('/var/lib/ipa/sysrestore') + + print "==============================================================================" + print "This program will setup components neede to establish trust to AD domains for" + print "the FreeIPA Server." + print "" + print "This includes:" + print " * Configure Samba" + print " * Add trust related objects to FreeIPA LDAP server" + #TODO: + #print " * Add a SID to all users and Posix groups" + print "" + print "To accept the default shown in brackets, press the Enter key." 
+ print "" + + # Check if samba packages are installed + if not smbinstance.check_inst(options.unattended): + sys.exit("Aborting installation.") + + # Initialize the ipalib api + cfg = dict( + in_server=True, + debug=options.debug, + ) + api.bootstrap(**cfg) + api.finalize() + + if smbinstance.ipa_smb_conf_exists(): + sys.exit("Aborting installation.") + + # Check we have a public IP that is associated with the hostname + if options.ip_address: + ip = options.ip_address + else: + hostaddr = resolve_host(api.env.host) + try: + ip = hostaddr and ipautil.CheckedIPAddress(hostaddr, match_local=True) + except Exception, e: + print "Error: Invalid IP Address %s: %s" % (ip, e) + ip = None + + if not ip: + if options.unattended: + sys.exit("Unable to resolve IP address for host name") + else: + ip = read_ip_address(api.env.host, fstore) + ip_address = str(ip) + logging.debug("will use ip_address: %s\n", ip_address) + + if not options.unattended: + print "" + print "The following operations may take some minutes to complete." + print "Please wait until the prompt is returned." 
+ print "" + + # Create a BIND instance + if options.unattended and not options.dm_password: + sys.exit("\nIn unattended mode you need to provide at least the -p option") + + dm_password = options.dm_password or read_password("Directory Manager", + confirm=False, validate=False) + smb = smbinstance.SMBInstance(fstore, dm_password) + + # try the connection + try: + smb.ldap_connect() + smb.ldap_disconnect() + except ldap.INVALID_CREDENTIALS, e: + sys.exit("Password is not valid!") + + if smb.dm_password: + api.Backend.ldap2.connect(bind_dn="cn=Directory Manager", bind_pw=smb.dm_password) + else: + # See if our LDAP server is up and we can talk to it over GSSAPI + ccache = krbV.default_context().default_ccache().name + api.Backend.ldap2.connect(ccache) + + print api.env.host + print api.env.realm + print api.env.domain + smb.setup(api.env.host, ip_address, api.env.realm, api.env.domain) + smb.create_instance() + + print "==============================================================================" + print "Setup complete" + print "" + print "\tYou must make sure these network ports are open:" + print "\t\tTCP Ports:" + print "\t\t * 138: netbios-dgm" + print "\t\t * 139: netbios-ssn" + print "\t\t * 445: microsoft-ds" + print "\t\tUDP Ports:" + print "\t\t * 138: netbios-dgm" + print "\t\t * 139: netbios-ssn" + print "\t\t * 445: microsoft-ds" + print "" + print "\tAdditionally you have to make sure the FreeIPA LDAP server cannot reached" + print "\tby any domain controller in the Active Directory domain by closing the" + print "\tfollowing ports for these servers:" + print "\t\tTCP Ports:" + print "\t\t * 389, 636: LDAP/LDAPS" + print "\t\tUDP Ports:" + print "\t\t * 389: (C)LDAP" + print "\tYou may want to choose to REJECT the packages instead of DROPing them to" + print "\tavoid timeouts on the AD domain controllers." + + return 0 + +try: + sys.exit(main()) +except SystemExit, e: + sys.exit(e) +except KeyboardInterrupt: + print "Installation cancelled." 
+except RuntimeError, e: + print str(e) +except HostnameLocalhost: + print "The hostname resolves to the localhost address (127.0.0.1/::1)" + print "Please change your /etc/hosts file so that the hostname" + print "resolves to the ip address of your network interface." + print "The KDC service does not listen on localhost" + print "" + print "Please fix your /etc/hosts file and restart the setup program" +except Exception, e: + message = "Unexpected error - see ipaserver-install.log for details:\n %s" % str(e) + print message + message = str(e) + for str in traceback.format_tb(sys.exc_info()[2]): + message = message + "\n" + str + logging.debug(message) + sys.exit(1) diff --git a/install/tools/man/Makefile.am b/install/tools/man/Makefile.am index 71d9b29c87d2b24c51d3048dc1050e099a89835d..d5b5976b0fd8c8e6683d09e7ade575fda2527832 100644 --- a/install/tools/man/Makefile.am +++ b/install/tools/man/Makefile.am @@ -13,6 +13,7 @@ man1_MANS = \ ipa-server-certinstall.1 \ ipa-server-install.1 \ ipa-dns-install.1 \ + ipa-adtrust-install.1 \ ipa-ca-install.1 \ ipa-ldap-updater.1 \ ipa-compat-manage.1 \ diff --git a/install/tools/man/ipa-adtrust-install.1 b/install/tools/man/ipa-adtrust-install.1 new file mode 100644 index 0000000000000000000000000000000000000000..9e976d83bcd16abfca4e8eedfccf23a908c43400 --- /dev/null +++ b/install/tools/man/ipa-adtrust-install.1 
@@ -0,0 +1,44 @@ +.\" A man page for ipa-adtrust-install +.\" Copyright (C) 2011 Red Hat, Inc. +.\" +.\" This program is free software; you can redistribute it and/or modify +.\" it under the terms of the GNU General Public License as published by +.\" the Free Software Foundation, either version 3 of the License, or +.\" (at your option) any later version. +.\" +.\" This program is distributed in the hope that it will be useful, but +.\" WITHOUT ANY WARRANTY; without even the implied warranty of +.\" MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU +.\" General Public License for more details. +.\" +.\" You should have received a copy of the GNU General Public License +.\" along with this program. If not, see . +.\" +.\" Author: Sumit Bose +.\" +.TH "ipa-adtrust-install" "1" "Aug 23, 2011" "freeipa" "" +.SH "NAME" +ipa\-adtrust\-install \- Prepare an IPA server to be able to establish trust relationships with AD domains +.SH "SYNOPSIS" +ipa\-adtrust\-install [\fIOPTION\fR]... +.SH "DESCRIPTION" +Adds all necesary objects and configuration to allow an IPA server to create a +trust to an Active Directory domain. This requires that the IPA server is +already installed and configured. +.SH "OPTIONS" +.TP +\fB\-p\fR \fIDM_PASSWORD\fR, \fB\-\-ds\-password\fR=\fIDM_PASSWORD\fR +The password to be used by the Directory Server for the Directory Manager user +.TP +\fB\-d\fR, \fB\-\-debug\fR +Enable debug logging when more verbose output is needed +.TP +\fB\-\-ip\-address\fR=\fIIP_ADDRESS\fR +The IP address of the IPA server. If not provided then this is determined based on the hostname of the server. +.TP +\fB\-U\fR, \fB\-\-unattended\fR +An unattended installation that will never prompt for user input +.SH "EXIT STATUS" +0 if the installation was successful + +1 if an error occurred diff --git a/ipaserver/install/Makefile.am b/ipaserver/install/Makefile.am index 8932eadbb7ace71372277259a557884d989ea2c1..398551bd78aa4ba893a3953f0c7ee7bcb23d1a14 100644 
--- a/ipaserver/install/Makefile.am +++ b/ipaserver/install/Makefile.am @@ -10,6 +10,7 @@ app_PYTHON = \ krbinstance.py \ httpinstance.py \ ntpinstance.py \ + smbinstance.py \ service.py \ installutils.py \ replication.py \ diff --git a/ipaserver/install/service.py b/ipaserver/install/service.py index a7f6ff4eea1b67f714e18f882a082d4ad7d83026..7e0d2bd314f00ccf0b0ee37a9d572bdd5ee89414 100644 --- a/ipaserver/install/service.py +++ b/ipaserver/install/service.py @@ -37,7 +37,8 @@ SERVICE_LIST = { 'KPASSWD':('kadmin', 20), 'DNS':('named', 30), 'HTTP':('httpd', 40), - 'CA':('pki-cad', 50) + 'CA':('pki-cad', 50), + 'SMB':('smb', 60) } def stop(service_name, instance_name="", capture_output=True): diff --git a/ipaserver/install/smbinstance.py b/ipaserver/install/smbinstance.py new file mode 100644 index 0000000000000000000000000000000000000000..5988f1e056d29af6686d53237b82d460cdc719da --- /dev/null +++ b/ipaserver/install/smbinstance.py 
@@ -0,0 +1,261 @@ +# Authors: Sumit Bose +# +# Copyright (C) 2011 Red Hat +# see file 'COPYING' for use and warranty information +# +# This program is free software; you can redistribute it and/or modify +# it under the terms of the GNU General Public License as published by +# the Free Software Foundation, either version 3 of the License, or +# (at your option) any later version. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with this program. If not, see . +# + +import logging + +import os +import ldap +import service +import tempfile +from ipaserver import ipaldap +from ipalib import errors +from ipapython import sysrestore +from ipapython import ipautil + +import random +import string +import struct + +def check_inst(unattended): + has_smb = True + + if not os.path.exists('/usr/sbin/smbd'): + print "Samba was not found on this system" + print "Please install the 'samba' package and start the installation again" + has_smb = False + + #TODO: Add check for needed samba4 libraries + + return has_smb + +def ipa_smb_conf_exists(): + if os.path.exists('/etc/ipa/smb.conf'): + print "Samba is already configured for this IPA server." 
+ return True + + return False + +def random_password(length=16): + myrg = random.SystemRandom() + alphabet = string.letters[0:52] + string.digits + string.punctuation + pw = str().join(myrg.choice(alphabet) for _ in range(length)) + return pw + +class SMBInstance(service.Service): + def __init__(self, fstore=None, dm_password=None): + service.Service.__init__(self, "smb", dm_password=dm_password) + + if fstore: + self.fstore = fstore + else: + self.fstore = sysrestore.FileStore('/var/lib/ipa/sysrestore') + + def __create_samba_user(self): + print "The user for Samba is %s" % self.smb_dn + try: + self.admin_conn.getEntry(self.smb_dn, ldap.SCOPE_BASE) + print "Samba user entry exists, not resetting password" + return + except errors.NotFound: + pass + + # The user doesn't exist, add it + entry = ipaldap.Entry(self.smb_dn) + entry.setValues("objectclass", ["account", "simplesecurityobject"]) + entry.setValues("uid", "samba") + entry.setValues("userPassword", self.smb_dn_pwd) + self.admin_conn.add_s(entry) + + # And finally grant it permission to read NT passwords, we do not want + # to support LM passwords so there is no need to allow access to them + mod = [(ldap.MOD_ADD, 'aci', + str(['(targetattr = "sambaNTPassword")(version 3.0; acl "Samba user can read NT passwords"; allow (read) userdn="ldap:///%s";)' % self.smb_dn]))] + try: + self.admin_conn.modify_s(self.suffix, mod) + except ldap.TYPE_OR_VALUE_EXISTS: + logging.debug("samba user aci already exists in suffix %s on %s" % (self.suffix, self.admin_conn.host)) + + def __gen_sid_string(self): + sub_ids = struct.unpack(" References: <20110826093926.GF2374@localhost.localdomain> Message-ID: <4E577EAB.6080609@redhat.com> Hi, On 26.08.2011 12:39, Sumit Bose wrote: > Hi, > > with this patch an initial samba configuration for the AD trust feature > can be created by calling ipa-adtrust-install. 
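Review bot: in the install/tools/ipa-adtrust-install hunk, the privilege check `if os.getegid() != 0:` tests the effective group id rather than the effective user id, so it does not enforce what the message "Must be root to setup AD trusts on server" promises (a process whose primary group is 0 passes, a root process running with a different effective group is refused); use `os.geteuid() != 0`. In the same hunk the IP resolution error path reads `print "Error: Invalid IP Address %s: %s" % (ip, e)`, but `ip` is only bound once `ipautil.CheckedIPAddress` has returned, so when it raises the handler itself fails with NameError instead of reporting the bad address; print `hostaddr` there. Smaller points: the port summary printed after setup lists the same three ports (138, 139, 445) under both "TCP Ports" and "UDP Ports", although netbios-dgm 138 is a UDP service while netbios-ssn 139 and microsoft-ds 445 are TCP, so the list should state exactly what smbd and nmbd listen on; `os`, `sys` and `logging` are used throughout but only reach the script through `from ipaserver.install.installutils import *`, so import them explicitly; and `for str in traceback.format_tb(...)` shadows the `str` builtin.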
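Review bot: in the install/tools/man/ipa-adtrust-install.1 hunk, "necesary" in the DESCRIPTION should read "necessary", and the OPTIONS entry describes `-p`/`--ds-password` as the Directory Manager password while the script's own option help for the same flag says only `help="admin password"`; make both say Directory Manager password so the prompt, the option help and the man page agree on which credential is being asked for.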
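Review bot: in the ipaserver/install/smbinstance.py hunk, `__create_samba_user` builds the ACI value as `str([...])`, i.e. `str()` of a one-element list, which yields the list's repr with the surrounding brackets and quotes, so unless the connection layer unwraps it the value handed to `modify_s` is not the ACI string the comment describes; pass the formatted string itself (python-ldap accepts a str or a list of str as the modlist value) and verify the stored `aci` on the suffix after the add. Also in this hunk: `check_inst` takes an `unattended` argument it never reads, and `random_password` draws from `string.punctuation`, so the generated value can contain quotes and shell metacharacters and must be quoted wherever it is later embedded in a file or argument list.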
Please be aware that you > will need a samba/master build to start smbd with the created > configuration, because only here all the needed features are available. > Günther is working on a spec file so that we can include a samba package > in the IPA development repository > (https://fedorahosted.org/freeipa/ticket/1610). > +def parse_options(): > + parser = IPAOptionParser(version=version.VERSION) > + parser.add_option("-p", "--ds-password", dest="dm_password", > + sensitive=True, help="admin password") If this is the only password you need, then make it --password. And it is Directory Manager's account password, right? Would be nice to change help to be more explicit. > + parser.add_option("--ip-address", dest="ip_address", > + type="ip", ip_local=True, help="Master Server IP Address") > +def main(): > + safe_options, options = parse_options() > + > + if os.getegid() != 0: > + sys.exit("Must be root to setup AD trusts on server") > + > + installutils.check_server_configuration() > + > + standard_logging_setup("/var/log/ipaserver-install.log", options.debug, filemode='a') > + print "\nThe log file for this installation can be found in /var/log/ipaserver-install.log" > + > + logging.debug('%s was invoked with options: %s' % (sys.argv[0], safe_options)) > + logging.debug("missing options might be asked for interactively later\n") > + > + global fstore > + fstore = sysrestore.FileStore('/var/lib/ipa/sysrestore') > + > + print "==============================================================================" > + print "This program will setup components neede to establish trust to AD domains for" Typo: "neede_d_" > + # Check we have a public IP that is associated with the hostname > + if options.ip_address: > + ip = options.ip_address I would also run options.ip_address through ipautil.CheckedIPAddress() to make sure it is correct and is one of local addresses.
> + else: > + hostaddr = resolve_host(api.env.host) > + try: > + ip = hostaddr and ipautil.CheckedIPAddress(hostaddr, match_local=True) > + except Exception, e: > + print "Error: Invalid IP Address %s: %s" % (ip, e) > + ip = None > + > + if not ip: > + if options.unattended: > + sys.exit("Unable to resolve IP address for host name") > + else: > + ip = read_ip_address(api.env.host, fstore) > + ip_address = str(ip) > + logging.debug("will use ip_address: %s\n", ip_address) And same here. You don't really want to blindly believe in what's entered. > + print "\tAdditionally you have to make sure the FreeIPA LDAP server cannot reached" > + print "\tby any domain controller in the Active Directory domain by closing the" > + print "\tfollowing ports for these servers:" > + print "\t\tTCP Ports:" > + print "\t\t * 389, 636: LDAP/LDAPS" > + print "\t\tUDP Ports:" > + print "\t\t * 389: (C)LDAP" > + print "\tYou may want to choose to REJECT the packages instead of DROPing them to" s/packages/network packets/ > diff --git a/ipaserver/install/smbinstance.py b/ipaserver/install/smbinstance.py > new file mode 100644 The code in smbinstance.py assumes Samba has been compiled with /etc/ipa/smb.conf as default configuration file location. Is that correct? -- / Alexander Bokovoy From rcritten at redhat.com Fri Aug 26 12:02:28 2011
From: rcritten at redhat.com (Rob Crittenden) Date: Fri, 26 Aug 2011 08:02:28 -0400 Subject: [Freeipa-devel] [PATCH] 853 remove upgrade state when uninstalling In-Reply-To: <4E56E385.4070106@redhat.com> References: <4E551ADC.1010803@redhat.com> <4E56E385.4070106@redhat.com> Message-ID: <4E578B54.2050006@redhat.com> Adam Young wrote: > On 08/24/2011 11:38 AM, Rob Crittenden wrote: >> The upgrade process saves some information in the IPA sysrestore >> state. If any of this state remains after an uninstall then you will >> get an error during re-install. Theoretically all this state should be >> removed as part of the upgrade process but on the outside chance, let's >> remove the state at uninstall to prevent problems. >> >> I've had just one report of this, it may have been due to a blown >> upgrade, I'm not sure. I've been unable to reproduce it but at worst >> this is a noop and at best allows easy re-installation. >> >> This requires patch 852. >> >> rob >> >> >> _______________________________________________ >> Freeipa-devel mailing list >> Freeipa-devel at redhat.com >> https://www.redhat.com/mailman/listinfo/freeipa-devel > > > So my latest patch changes /etc/httpd/nss.conf. Is this an appropriate > approach for that file as well? No, we back up the entire file. It should get restored to its previous state on uninstall. rob From simo at redhat.com Fri Aug 26 12:14:33 2011
From: simo at redhat.com (Simo Sorce) Date: Fri, 26 Aug 2011 08:14:33 -0400 Subject: [Freeipa-devel] [PATCH] 1 Add ipa-adtrust-install utility In-Reply-To: <20110826093926.GF2374@localhost.localdomain> References: <20110826093926.GF2374@localhost.localdomain> Message-ID: <1314360873.20296.197.camel@willson.li.ssimo.org> On Fri, 2011-08-26 at 11:39 +0200, Sumit Bose wrote: > > +def check_inst(unattended): > + has_smb = True > + > + if not os.path.exists('/usr/sbin/smbd'): > + print "Samba was not found on this system" > + print "Please install the 'samba' package and start the > installation again" > + has_smb = False > + > + #TODO: Add check for needed samba4 libraries > + > + return has_smb > + We should probably run smbd -b and parse the output to see if it has all the options we need, perhaps check the version number too. Simo. -- Simo Sorce * Red Hat, Inc * New York From simo at redhat.com Fri Aug 26 12:30:13 2011 
From: simo at redhat.com (Simo Sorce) Date: Fri, 26 Aug 2011 08:30:13 -0400 Subject: [Freeipa-devel] [PATCHES] freeipa-v3 In-Reply-To: <4E5508DA.9070906@redhat.com> References: <1314019851.20296.20.camel@willson.li.ssimo.org> <4E5272F3.3020101@redhat.com> <4E5508DA.9070906@redhat.com> Message-ID: <1314361813.20296.200.camel@willson.li.ssimo.org> On Wed, 2011-08-24 at 17:21 +0300, Alexander Bokovoy wrote: > On 22.08.2011 18:17, Alexander Bokovoy wrote: > > On 22.08.2011 16:30, Simo Sorce wrote: > >> As we finally branched ipa-2-1 from master we are now open to put 3.0 > >> related material on the tree. > >> > >> Here is my rebased set of patches that apply on top of master: > >> http://fedorapeople.org/gitweb?p=simo/public_git/freeipa.git;a=summary > >> > >> They are in the freeipa-v3 branch. > >> > >> Please review and work with me to rebase/refactor any patch that would > >> get a nack. We will fix them until your liking and will finally emit > >> just a one, huge, ACK, or NACK :) > > I went through first 14 commits. ACK for 13 first. > > > > In 6385c80c6c71ae8c4d1f11230c8408bd4bf3f9e3 ipadb_realm_to_ldapi_uri() > > uses two string constants "ldapi://" and "%2fslapd-" four times each. It > > would be nice to #define them and use macros instead, purely for > > maintenance purposes. > > > > In the same function there is comment with typo (patch instead of path). > > > > These are minor and you probably can ignore them. > > > > I'll continue with remaining ones tomorrow. > Finally went through all patches. > > Simo did make squash-in commits to address found issues (which were > discussed on #freeipa over past few days). > > I don't have comments anymore. ACK. We did a smoke test and fixed 2 remaining issues. One introduced during the review phase, one introduced by me with the latest schema patches. All has been fixed and I pushed the patches (after squashing in the squash-ins) to master. Master is now officially on the 3.0 track.
Please note that until F15/F16 MIT Kerberos packages are updated you will need the packages in the ipa-devel repo to successfully install ipa due to an issue with the kadmin init scripts. Happy hacking! Simo. -- Simo Sorce * Red Hat, Inc * New York From simo at redhat.com Fri Aug 26 13:14:27 2011 From: simo at redhat.com (Simo Sorce) Date: Fri, 26 Aug 2011 09:14:27 -0400 Subject: [Freeipa-devel] [PATCH] 1 Add ipa-adtrust-install utility In-Reply-To: <20110826093926.GF2374@localhost.localdomain> References: <20110826093926.GF2374@localhost.localdomain> Message-ID: <1314364467.20296.226.camel@willson.li.ssimo.org> More comments. On Fri, 2011-08-26 at 11:39 +0200, Sumit Bose wrote: [..] > + if not options.unattended: > + print "" > + print "The following operations may take some minutes to > complete." > + print "Please wait until the prompt is returned." > + print "" > + > + # Create a BIND instance comment seems to be wrong here :) > + if options.unattended and not options.dm_password: > + sys.exit("\nIn unattended mode you need to provide at least > the -p option") > + > + dm_password = options.dm_password or read_password("Directory > Manager", > + confirm=False, > validate=False) > + smb = smbinstance.SMBInstance(fstore, dm_password) [..] > diff --git a/ipaserver/install/service.py > b/ipaserver/install/service.py > index > a7f6ff4eea1b67f714e18f882a082d4ad7d83026..7e0d2bd314f00ccf0b0ee37a9d572bdd5ee89414 100644 > --- a/ipaserver/install/service.py > +++ b/ipaserver/install/service.py > @@ -37,7 +37,8 @@ SERVICE_LIST = { > 'KPASSWD':('kadmin', 20), > 'DNS':('named', 30), > 'HTTP':('httpd', 40), > - 'CA':('pki-cad', 50) > + 'CA':('pki-cad', 50), > + 'SMB':('smb', 60) Please do not use SMB (in general I do not think SMB is the right prefix). Use something like ADTRUST or MSRPC or WINCOMPAT. > } > > def stop(service_name, instance_name="", capture_output=True):
> diff --git a/ipaserver/install/smbinstance.py > b/ipaserver/install/smbinstance.py > new file mode 100644 > index > 0000000000000000000000000000000000000000..5988f1e056d29af6686d53237b82d460cdc719da > --- /dev/null > +++ b/ipaserver/install/smbinstance.py 
> @@ -0,0 +1,261 @@ > +# Authors: Sumit Bose > +# > +# Copyright (C) 2011 Red Hat > +# see file 'COPYING' for use and warranty information > +# > +# This program is free software; you can redistribute it and/or > modify > +# it under the terms of the GNU General Public License as published > by > +# the Free Software Foundation, either version 3 of the License, or > +# (at your option) any later version. > +# > +# This program is distributed in the hope that it will be useful, > +# but WITHOUT ANY WARRANTY; without even the implied warranty of > +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the > +# GNU General Public License for more details. > +# > +# You should have received a copy of the GNU General Public License > +# along with this program. If not, see > . > +# > + > +import logging > + > +import os > +import ldap > +import service > +import tempfile > +from ipaserver import ipaldap > +from ipalib import errors > +from ipapython import sysrestore > +from ipapython import ipautil > + > +import random > +import string > +import struct > + > +def check_inst(unattended): > + has_smb = True > + > + if not os.path.exists('/usr/sbin/smbd'): > + print "Samba was not found on this system" > + print "Please install the 'samba' package and start the > installation again" > + has_smb = False > + > + #TODO: Add check for needed samba4 libraries > + > + return has_smb > + > +def ipa_smb_conf_exists(): > + if os.path.exists('/etc/ipa/smb.conf'): > + print "Samba is already configured for this IPA server." > + return True > + > + return False > + > +def random_password(length=16): > + myrg = random.SystemRandom() > + alphabet = string.letters[0:52] + string.digits + > string.punctuation > + pw = str().join(myrg.choice(alphabet) for _ in range(length)) > + return pw We have a utility function to generate a proper random password IIRC. 
> +class SMBInstance(service.Service): > + def __init__(self, fstore=None, dm_password=None): > + service.Service.__init__(self, "smb", > dm_password=dm_password) > + > + if fstore: > + self.fstore = fstore > + else: > + self.fstore = > sysrestore.FileStore('/var/lib/ipa/sysrestore') > + > + def __create_samba_user(self): > + print "The user for Samba is %s" % self.smb_dn > + try: > + self.admin_conn.getEntry(self.smb_dn, ldap.SCOPE_BASE) > + print "Samba user entry exists, not resetting password" > + return > + except errors.NotFound: > + pass > + > + # The user doesn't exist, add it > + entry = ipaldap.Entry(self.smb_dn) > + entry.setValues("objectclass", ["account", > "simplesecurityobject"]) > + entry.setValues("uid", "samba") > + entry.setValues("userPassword", self.smb_dn_pwd) > + self.admin_conn.add_s(entry) > + > + # And finally grant it permission to read NT passwords, we do > not want > + # to support LM passwords so there is no need to allow access > to them > + mod = [(ldap.MOD_ADD, 'aci', > + str(['(targetattr = "sambaNTPassword")(version 3.0; acl > "Samba user can read NT passwords"; allow (read) userdn="ldap:///% > s";)' % self.smb_dn]))] > + try: > + self.admin_conn.modify_s(self.suffix, mod) > + except ldap.TYPE_OR_VALUE_EXISTS: > + logging.debug("samba user aci already exists in suffix %s > on %s" % (self.suffix, self.admin_conn.host)) > + > + def __gen_sid_string(self): > + sub_ids = struct.unpack(" + return "S-1-5-21-%d-%d-%d" % (sub_ids[0], sub_ids[1], > sub_ids[2]) > + > + def __create_samba_domain_object(self): > + trust_dn = "cn=trusts,%s" % self.suffix > + smb_dom_dn = "cn=ad,%s" % trust_dn > + > + try: > + self.admin_conn.getEntry(smb_dom_dn, ldap.SCOPE_BASE) > + print "Samba domain object already exists" > + return > + except errors.NotFound: > + pass > + > + try: > + self.admin_conn.getEntry(trust_dn, ldap.SCOPE_BASE) > + except errors.NotFound: > + entry = ipaldap.Entry(trust_dn) > + entry.setValues("objectclass", ["nsContainer"]) > + 
entry.setValues("cn", "trusts") > + self.admin_conn.add_s(entry) > + > + entry = ipaldap.Entry(smb_dom_dn) > + entry.setValues("objectclass", ["sambaDomain", > "nsContainer"]) > + entry.setValues("cn", "ad") > + entry.setValues("sambaDomainName", self.domain_name) The sambaDomainName is generally a netbios name (or short name), it appears you are setting the DNS domain name here. Should we prompt the user for a short domain name to be used instead ? Or maybe default to the first DNS domain component and allow the user to override ? > + entry.setValues("sambaSID", self.__gen_sid_string()) > + #TODO: which MAY attributes do we want to set ? > + self.admin_conn.add_s(entry) > + > + def __write_sysconfig_samba(self): > + self.fstore.backup_file(self.sysconfig_file) > + > + fd = open(self.sysconfig_file, "w") > + fd.write('### Added by IPA Installer ###\n') > + fd.write('# Options to smbd\n') > + fd.write('SMBDOPTIONS="-D -s /etc/ipa/smb.conf"\n') > + fd.write('# Options to nmbd\n') > + fd.write('NMBDOPTIONS="-D"\n') > + fd.write('# Options for winbindd\n') > + fd.write('WINBINDOPTIONS=""\n') > + fd.close() If we are running nmbd and/or winbindd we need to pass them the proper smb.conf file too. > + def __write_smb_conf(self): > + fd = open(self.smb_conf, "w") > + fd.write('### Added by IPA Installer ###\n') > + fd.write('[global]\n') > + fd.write('config backend = registry\n') > + fd.close() > + > + > + def __write_smb_registry(self): > + [fd, tmp_name] = tempfile.mkstemp() > + > + os.write(fd, '[global]\n') > + os.write(fd, 'workgroup = %s\n' % self.domain_name) This again should be the netbios domain name, not the fqdn. The workgroup name can't be longer than 15 chars IIRC. > + os.write(fd, 'realm = %s\n' % self.realm_name) > + os.write(fd, 'security = ads\n') Why ADS ?
This should probably be security = user > + os.write(fd, 'domain master = yes\n') > + os.write(fd, 'domain logons = yes\n') > + os.write(fd, 'passdb backend = IPA_ldapsam:ldap://%s\n' % > self.fqdn) We should use ldapi here, not ldap:// > + os.write(fd, 'ldapsam:trusted=yes\n') > + os.write(fd, 'ldapsam:editposix=yes\n') We do not allow to create users so editposix should not be necessary. > + os.write(fd, 'ldap ssl = startTLS\n') We shouldn't need SSL if we use ldapi above. > + os.write(fd, 'ldap admin dn = %s\n' % self.smb_dn) > + os.write(fd, 'ldap suffix = cn=accounts,dc=ipa,dc=test\n') > + os.write(fd, 'ldap user suffix = cn=users\n') > + os.write(fd, 'ldap group suffix = cn=groups\n') > + os.write(fd, 'ldap machine suffix = cn=computers\n') > + os.write(fd, 'ldap idmap suffix = cn=idmap\n') We probably won't use this. > + os.write(fd, 'rpc_server:epmapper = external\n') > + os.write(fd, 'rpc_server:lsarpc = external\n') We may need also the alias 'lsass' pipe name configured here. > + os.write(fd, 'rpc_server:samr = external\n') > + os.write(fd, 'rpc_server:netlogon = external\n') > + os.write(fd, 'rpc_daemon:epmd = fork\n') > + os.write(fd, 'rpc_daemon:lsasd = fork\n') > + os.close(fd) We may also want to set some defaults for logging (log level, max size of logs before rotating, log name format ?) > + args = ["/usr/bin/net", "conf", "import", tmp_name] > + > + try: > + ipautil.run(args) > + finally: > + os.remove(tmp_name) > + > + def __set_smb_ldap_password(self): > + args = ["/usr/bin/smbpasswd", "-c", self.smb_conf, "-w", > self.smb_dn_pwd ] We should either pass this password in via stdin (using -W) or you should at least pass ipautil.run below the password to be blacked out of install logs. > + ipautil.run(args) > + [..] Do we want to run winbindd at all on ipa servers ? Should we join it to ourselves ? (Would require creation of a computer account). Simo. -- Simo Sorce * Red Hat, Inc * New York From ayoung at redhat.com Fri Aug 26 14:12:25 2011 
From: ayoung at redhat.com (Adam Young) Date: Fri, 26 Aug 2011 10:12:25 -0400 Subject: [Freeipa-devel] [PATCH] 852 remove more files in uninstaller In-Reply-To: <4E551193.6040809@redhat.com> References: <4E551193.6040809@redhat.com> Message-ID: <4E57A9C9.7040500@redhat.com> On 08/24/2011 10:58 AM, Rob Crittenden wrote: > We were missing a few 389-ds files and directories. This removes > everything but the logs. > > rob > > > _______________________________________________ > Freeipa-devel mailing list > Freeipa-devel at redhat.com > https://www.redhat.com/mailman/listinfo/freeipa-devel ACK. I am not convinced this is a 100% solution for the original problem. The files like the keytab are only deleted if a DS instance is found, but if they were lying around from a previous installation that did not remove them, they will still be there after running uninstall. Probably a corner case, and should probably be OK in the longer term, unless having these files around prevent an install from getting to the point that the DS gets installed...we'd be in a situation where we can't move forward and can't move back. We'll keep an eye out for that, but I think it is unlikely. From ayoung at redhat.com Fri Aug 26 14:14:31 2011 
From: ayoung at redhat.com (Adam Young) Date: Fri, 26 Aug 2011 10:14:31 -0400 Subject: [Freeipa-devel] [PATCH] 853 remove upgrade state when uninstalling In-Reply-To: <4E551ADC.1010803@redhat.com> References: <4E551ADC.1010803@redhat.com> Message-ID: <4E57AA47.80601@redhat.com> On 08/24/2011 11:38 AM, Rob Crittenden wrote: > The upgrade process saves some information in the IPA sysrestore > state. If any of this state remains after an uninstall then you will > get an error during re-install. Theoretically all this state should be > removed as part of the upgrade process but on the outside chance, let's > remove the state at uninstall to prevent problems. > > I've had just one report of this, it may have been due to a blown > upgrade, I'm not sure. I've been unable to reproduce it but at worst > this is a noop and at best allows easy re-installation. > > This requires patch 852. > > rob > > > _______________________________________________ > Freeipa-devel mailing list > Freeipa-devel at redhat.com > https://www.redhat.com/mailman/listinfo/freeipa-devel ACK From pvoborni at redhat.com Fri Aug 26 14:26:15 2011 
From: pvoborni at redhat.com (Petr Vobornik) Date: Fri, 26 Aug 2011 16:26:15 +0200 Subject: [Freeipa-devel] [PATCH] 255 Fixed host OTP status. In-Reply-To: <4E55A564.1050009@redhat.com> References: <4E558201.5090707@redhat.com> <4E55A564.1050009@redhat.com> Message-ID: <4E57AD07.9040503@redhat.com> On 08/25/2011 03:29 AM, Endi Sukma Dewata wrote: > On 8/24/2011 5:58 PM, Endi Sukma Dewata wrote: >> The host details page has been modified to show the status of the OTP. >> Setting a new OTP is now done using a dialog box. >> >> Ticket #1710 > > Attached is a rebased version. > > Note: As mentioned in rcrit's patch #851, setting a new password will > make has_keytab false. Currently the UI doesn't refresh the keytab's > status. I'm still considering several options. This will be fixed in a > separate patch. > > > > _______________________________________________ > Freeipa-devel mailing list > Freeipa-devel at redhat.com > https://www.redhat.com/mailman/listinfo/freeipa-devel ACK - didn't thoroughly check ipa_init.json. I assume it's valid because it's generated. -- Petr Vobornik From pvoborni at redhat.com Fri Aug 26 14:26:27 2011 From: pvoborni at redhat.com (Petr Vobornik) Date: Fri, 26 Aug 2011 16:26:27 +0200 Subject: [Freeipa-devel] [PATCH] 256 Fixed host keytab status after setting OTP. In-Reply-To: <4E56C949.40200@redhat.com> References: <4E56C949.40200@redhat.com> Message-ID: <4E57AD13.8030409@redhat.com> On 08/26/2011 12:14 AM, Endi Sukma Dewata wrote: > The host details page has been modified to update the keytab status > based on the data returned by the host-mod command for setting OTP. > > Ticket #1710 > > > > _______________________________________________ > Freeipa-devel mailing list > Freeipa-devel at redhat.com > https://www.redhat.com/mailman/listinfo/freeipa-devel ACK -- Petr Vobornik From rcritten at redhat.com Fri Aug 26 15:06:48 2011 
From: rcritten at redhat.com (Rob Crittenden) Date: Fri, 26 Aug 2011 11:06:48 -0400 Subject: [Freeipa-devel] [PATCH] 858 set SASL_NOCANON in client installer Message-ID: <4E57B688.3050602@redhat.com> If the IPA server's reverse DNS is broken, such as the PTR entry pointing to a different name then enrollment will fail and ipa-getkeytab won't work. I tested with: [rcrit at dane freeipa]$ getent hosts slinky 192.168.166.39 slinky.example.com [rcrit at dane freeipa]$ getent hosts 192.168.166.39 192.168.166.39 lego.example.com This relies on fixes in openldap and krb5 in Fedora-15. It is testable in RHEL 6.2 though. sssd has similar problems and they are making a change as well. Without the sssd fix enrollment will succeed but nss won't work. rob -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-rcrit-858-rdns.patch Type: text/x-patch Size: 1784 bytes Desc: not available URL: From edewata at redhat.com Fri Aug 26 15:27:37 2011 
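Rob's message above describes the failure mode (the PTR record for the server's address names a different host, so the client canonicalizes the server name via reverse DNS and asks for a service ticket for the wrong name) and the fix (`SASL_NOCANON`, which tells the OpenLDAP client to use the name it was given instead of the reverse-DNS name). The following added example, which is not part of the patch or of FreeIPA's client installer, shows the diagnostic Rob ran with `getent` as a function over constructed lookup results, and an idempotent way to set `SASL_NOCANON on` in an ldap.conf-style file (the system file is typically `/etc/openldap/ldap.conf`). The function names `rdns_mismatches`, `sasl_nocanon_enabled` and `ensure_sasl_nocanon` are chosen here.

```python
"""Added example (not FreeIPA code): reverse-DNS consistency check and SASL_NOCANON."""
import re

_NOCANON_LINE = re.compile(r"^\s*SASL_NOCANON\b\s*(\S*)", re.IGNORECASE)
_TRUE_VALUES = {"on", "yes", "true"}


def rdns_mismatches(hostname, forward, reverse):
    """Return the addresses of `hostname` whose PTR does not point back to it.

    `forward` maps a name to its addresses (what 'getent hosts NAME' prints),
    `reverse` maps an address to its canonical name (what 'getent hosts ADDR'
    prints).  Each mismatch is returned as (address, ptr_name); an address
    without any PTR is reported as (address, None).  An empty list means the
    server's reverse DNS is consistent and GSSAPI canonicalization will pick
    the expected service name.
    """
    wanted = hostname.rstrip(".").lower()
    mismatches = []
    for addr in forward.get(hostname, []):
        ptr = reverse.get(addr)
        if ptr is None or ptr.rstrip(".").lower() != wanted:
            mismatches.append((addr, ptr))
    return mismatches


def sasl_nocanon_enabled(ldap_conf_text):
    """True if the last SASL_NOCANON directive in the text turns it on."""
    enabled = False
    for line in ldap_conf_text.splitlines():
        match = _NOCANON_LINE.match(line)
        if match:
            enabled = match.group(1).lower() in _TRUE_VALUES
    return enabled


def ensure_sasl_nocanon(ldap_conf_text):
    """Return the text with exactly one 'SASL_NOCANON on' directive.

    An existing SASL_NOCANON line (any case, any value) is rewritten in place
    and later duplicates are dropped; if none exists the directive is
    appended.  Comments and all other directives are left untouched, and
    applying the function twice yields the same text.
    """
    out = []
    seen = False
    for line in ldap_conf_text.splitlines():
        if _NOCANON_LINE.match(line):
            if not seen:
                out.append("SASL_NOCANON on")
                seen = True
            continue
        out.append(line)
    if not seen:
        out.append("SASL_NOCANON on")
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    # Constructed data reproducing the lookups in Rob's message.
    forward = {"slinky.example.com": ["192.168.166.39"]}
    reverse = {"192.168.166.39": "lego.example.com"}
    print(rdns_mismatches("slinky.example.com", forward, reverse))
    print(ensure_sasl_nocanon("BASE dc=example,dc=com\nURI ldap://slinky.example.com\n"))
```

With the constructed data the check reports `[('192.168.166.39', 'lego.example.com')]`, which is exactly the situation in which a client without `SASL_NOCANON` would request a ticket for `ldap/lego.example.com` instead of `ldap/slinky.example.com`.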
From: edewata at redhat.com (Endi Sukma Dewata) Date: Fri, 26 Aug 2011 10:27:37 -0500 Subject: [Freeipa-devel] [PATCH] 255 Fixed host OTP status. In-Reply-To: <4E57AD07.9040503@redhat.com> References: <4E558201.5090707@redhat.com> <4E55A564.1050009@redhat.com> <4E57AD07.9040503@redhat.com> Message-ID: <4E57BB69.9070803@redhat.com> On 8/26/2011 9:26 AM, Petr Vobornik wrote: > On 08/25/2011 03:29 AM, Endi Sukma Dewata wrote: >>> The host details page has been modified to show the status of the OTP. >>> Setting a new OTP is now done using a dialog box. >>> >>> Ticket #1710 >> >> Attached is a rebased version. >> >> Note: As mentioned in rcrit's patch #851, setting a new password will >> make has_keytab false. Currently the UI doesn't refresh the keytab's >> status. I'm still considering several options. This will be fixed in a >> separate patch. > ACK > > - didn't thoroughly check ipa_init.json. I assume it's valid because > it's generated. Yes, it's the actual server output captured using update_ipa_init.sh. Pushed to master and ipa-2-1. -- Endi S. Dewata From edewata at redhat.com Fri Aug 26 15:28:16 2011 From: edewata at redhat.com (Endi Sukma Dewata) Date: Fri, 26 Aug 2011 10:28:16 -0500 Subject: [Freeipa-devel] [PATCH] 256 Fixed host keytab status after setting OTP. In-Reply-To: <4E57AD13.8030409@redhat.com> References: <4E56C949.40200@redhat.com> <4E57AD13.8030409@redhat.com> Message-ID: <4E57BB90.6000203@redhat.com> On 8/26/2011 9:26 AM, Petr Vobornik wrote: > On 08/26/2011 12:14 AM, Endi Sukma Dewata wrote: >> The host details page has been modified to update the keytab status >> based on the data returned by the host-mod command for setting OTP. >> >> Ticket #1710 > ACK Pushed to master and ipa-2-1. -- Endi S. Dewata From simo at redhat.com Fri Aug 26 15:29:37 2011 
From: simo at redhat.com (Simo Sorce) Date: Fri, 26 Aug 2011 11:29:37 -0400 Subject: [Freeipa-devel] [PATCH] 858 set SASL_NOCANON in client installer In-Reply-To: <4E57B688.3050602@redhat.com> References: <4E57B688.3050602@redhat.com> Message-ID: <1314372577.20296.227.camel@willson.li.ssimo.org> On Fri, 2011-08-26 at 11:06 -0400, Rob Crittenden wrote: > If the IPA server's reverse DNS is broken, such as the PTR entry > pointing to a different name then enrollment will fail and > ipa-getkeytab > won't work. > > I tested with: > > [rcrit at dane freeipa]$ getent hosts slinky > 192.168.166.39 slinky.example.com > [rcrit at dane freeipa]$ getent hosts 192.168.166.39 > 192.168.166.39 lego.example.com > > This relies on fixes in openldap and krb5 in Fedora-15. It is > testable > in RHEL 6.2 though. > > sssd has similar problems and they are making a change as well. > Without > the sssd fix enrollment will succeed but nss won't work. > ACK! Simo. > -- Simo Sorce * Red Hat, Inc * New York From sbose at redhat.com Fri Aug 26 15:59:27 2011 
From: sbose at redhat.com (Sumit Bose) Date: Fri, 26 Aug 2011 17:59:27 +0200 Subject: [Freeipa-devel] [PATCH] 1 Add ipa-adtrust-install utility In-Reply-To: <4E577EAB.6080609@redhat.com> References: <20110826093926.GF2374@localhost.localdomain> <4E577EAB.6080609@redhat.com> Message-ID: <20110826155927.GH2374@localhost.localdomain> On Fri, Aug 26, 2011 at 02:08:27PM +0300, Alexander Bokovoy wrote: > Hi, > > On 26.08.2011 12:39, Sumit Bose wrote: > > Hi, > > > > with this patch an initial samba configuration for the AD trust feature > > can be created by calling ipa-adtrust-install. Please be aware that you > > will need a samba/master build to start smbd with the created > > configuration, because only here all the needed features are available. > > Günther is working on a spec file so that we can include a samba package > > in the IPA development repository > > (https://fedorahosted.org/freeipa/ticket/1610). > > > +def parse_options(): > > + parser = IPAOptionParser(version=version.VERSION) > > + parser.add_option("-p", "--ds-password", dest="dm_password", > > + sensitive=True, help="admin password") > If this is the only password you need, then make it --password. And it > is Directory Manager's account password, right? Would be nice to change > help to be more explicit. ipa-server-install and ipa-dns-install use the same option for the same purpose, so I thought it might be a good idea to use the same. But you are right "admin password" is misleading here. Maybe the help should be fixed in ipa-server-install and ipa-dns-install, too? 
> > > + parser.add_option("--ip-address", dest="ip_address", > > + type="ip", ip_local=True, help="Master Server IP Address") > > > +def main(): > > + safe_options, options = parse_options() > > + > > + if os.getegid() != 0: > > + sys.exit("Must be root to setup AD trusts on server") > > + > > + installutils.check_server_configuration() > > + > > + standard_logging_setup("/var/log/ipaserver-install.log", options.debug, filemode='a') > > + print "\nThe log file for this installation can be found in /var/log/ipaserver-install.log" > > + > > + logging.debug('%s was invoked with options: %s' % (sys.argv[0], safe_options)) > > + logging.debug("missing options might be asked for interactively later\n") > > + > > + global fstore > > + fstore = sysrestore.FileStore('/var/lib/ipa/sysrestore') > > + > > + print "==============================================================================" > > + print "This program will setup components neede to establish trust to AD domains for" > Typo: "neede_d_" fixed > > > + # Check we have a public IP that is associated with the hostname > > + if options.ip_address: > > + ip = options.ip_address > I would also run options.ip_address through ipautil.CheckedIPAddress() > to make sure it is correct and is one of local addresses. > > > + else: > > + hostaddr = resolve_host(api.env.host) > > + try: > > + ip = hostaddr and ipautil.CheckedIPAddress(hostaddr, match_local=True) > > + except Exception, e: > > + print "Error: Invalid IP Address %s: %s" % (ip, e) > > + ip = None > > + > > + if not ip: > > + if options.unattended: > > + sys.exit("Unable to resolve IP address for host name") > > + else: > > + ip = read_ip_address(api.env.host, fstore) > > + ip_address = str(ip) > > + logging.debug("will use ip_address: %s\n", ip_address) > And same here. You don't really want to blindly believe into what's entered. 
fixed > > > + print "\tAdditionally you have to make sure the FreeIPA LDAP server cannot reached" > > + print "\tby any domain controller in the Active Directory domain by closing the" > > + print "\tfollowing ports for these servers:" > > + print "\t\tTCP Ports:" > > + print "\t\t * 389, 636: LDAP/LDAPS" > > + print "\t\tUDP Ports:" > > + print "\t\t * 389: (C)LDAP" > > + print "\tYou may want to choose to REJECT the packages instead of DROPing them to" > s/packages/network packets/ fixed > > > diff --git a/ipaserver/install/smbinstance.py b/ipaserver/install/smbinstance.py > > new file mode 100644 > The code in smbinstance.py assumes Samba has been compiled with > /etc/ipa/smb.conf as default configuration file location. Is that correct? > no, __write_sysconfig_samba() adds "-s /etc/ipa/smb.conf" to SMBDOPTIONS in /etc/sysconfig/samba. Thanks for the review. I will send a new patch when I've fixed the issues Simo found. bye, Sumit > -- > / Alexander Bokovoy > > _______________________________________________ > Freeipa-devel mailing list > Freeipa-devel at redhat.com > https://www.redhat.com/mailman/listinfo/freeipa-devel From pvoborni at redhat.com Fri Aug 26 16:41:26 2011 From: pvoborni at redhat.com (Petr Vobornik) Date: Fri, 26 Aug 2011 18:41:26 +0200 Subject: [Freeipa-devel] [PATCH] 009 Modifying sudo options refreshes the whole page Message-ID: <4E57CCB6.2030303@redhat.com> https://fedorahosted.org/freeipa/ticket/1689 Currently adding or deleting sudo options will refresh the entire page. It's not a problem but the code could be optimized to refresh only the sudo options table -- Petr Vobornik -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pvoborni-0009-Modifying-sudo-options-refreshes-the-whole-page.patch Type: text/x-patch Size: 3630 bytes Desc: not available URL: From ayoung at redhat.com Fri Aug 26 16:45:28 2011 
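Review bot: in `main()` the `except` branch prints `ip`, but in the `else` branch `ip` is only assigned inside the `try`, so when `ipautil.CheckedIPAddress()` raises the error message itself fails with an unbound-variable error instead of reporting the bad address; print the value that was actually checked, e.g. `print "Error: Invalid IP Address %s: %s" % (hostaddr, e)`. The root check just above it uses `os.getegid() != 0`; root privilege is the effective user id, so it should be `os.geteuid() != 0` to match the "Must be root" message.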
From: ayoung at redhat.com (Adam Young) Date: Fri, 26 Aug 2011 12:45:28 -0400 Subject: [Freeipa-devel] [PATCH] 0283-enable-proxy-for-dogtag In-Reply-To: <4E56BD82.6060501@redhat.com> References: <4E4E9B34.10309@redhat.com> <4E4EA415.9010907@redhat.com> <4E5455EC.2020505@redhat.com> <4E56BD82.6060501@redhat.com> Message-ID: <4E57CDA8.6080303@redhat.com> On 08/25/2011 05:24 PM, Adam Young wrote: > Uses the updated version of pkicreate which makes an ipa specific > proxy config file. > > > _______________________________________________ > Freeipa-devel mailing list > Freeipa-devel at redhat.com > https://www.redhat.com/mailman/listinfo/freeipa-devel The test for the proxy file in /etc/httpd/conf.d was "isfile" but since the file is actually a symlink, it needs to be "islink". This one checks for either. -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-admiyo-0283-4-enable-proxy-for-dogtag.patch Type: text/x-patch Size: 10750 bytes Desc: not available URL: From rcritten at redhat.com Fri Aug 26 17:54:03 2011 
From: rcritten at redhat.com (Rob Crittenden) Date: Fri, 26 Aug 2011 13:54:03 -0400 Subject: [Freeipa-devel] [PATCH] 858 set SASL_NOCANON in client installer In-Reply-To: <1314372577.20296.227.camel@willson.li.ssimo.org> References: <4E57B688.3050602@redhat.com> <1314372577.20296.227.camel@willson.li.ssimo.org> Message-ID: <4E57DDBB.6070505@redhat.com> Simo Sorce wrote: > On Fri, 2011-08-26 at 11:06 -0400, Rob Crittenden wrote: >> If the IPA server's reverse DNS is broken, such as the PTR entry >> pointing to a different name then enrollment will fail and >> ipa-getkeytab >> won't work. >> >> I tested with: >> >> [rcrit at dane freeipa]$ getent hosts slinky >> 192.168.166.39 slinky.example.com >> [rcrit at dane freeipa]$ getent hosts 192.168.166.39 >> 192.168.166.39 lego.example.com >> >> This relies on fixes in openldap and krb5 in Fedora-15. It is >> testable >> in RHEL 6.2 though. >> >> sssd has similar problems and they are making a change as well. >> Without >> the sssd fix enrollment will succeed but nss won't work. >> > > ACK! > > Simo. >> pushed to master and ipa-2-1 From rcritten at redhat.com Fri Aug 26 18:01:01 2011 
From: rcritten at redhat.com (Rob Crittenden) Date: Fri, 26 Aug 2011 14:01:01 -0400 Subject: [Freeipa-devel] [PATCH] 852 remove more files in uninstaller In-Reply-To: <4E57A9C9.7040500@redhat.com> References: <4E551193.6040809@redhat.com> <4E57A9C9.7040500@redhat.com> Message-ID: <4E57DF5D.4080500@redhat.com> Adam Young wrote: > On 08/24/2011 10:58 AM, Rob Crittenden wrote: >> We were missing a few 389-ds files and directories. This removes >> everything but the logs. >> >> rob >> >> >> _______________________________________________ >> Freeipa-devel mailing list >> Freeipa-devel at redhat.com >> https://www.redhat.com/mailman/listinfo/freeipa-devel > ACK. > > I am not convinced this is a 100% solution for the original problem. The > files like the keytab are only deleted if a DS instance is found, but > if they were lying around from a previous installation that did not > remove them, they will still be there after running uninstall. Probably > a corner case, and should probably be OK in the longer term, unless > having these files around prevent an install from getting to the point > that the DS gets installed...we'd be in a situation where we can't move > forward and can't move back. We'll keep an eye out for that, but I think > it is unlikely. > pushed to master and ipa-2-1 From simo at redhat.com Fri Aug 26 18:03:58 2011 
From: simo at redhat.com (Simo Sorce) Date: Fri, 26 Aug 2011 14:03:58 -0400 Subject: [Freeipa-devel] [PATCH] 0283-enable-proxy-for-dogtag In-Reply-To: <4E57CDA8.6080303@redhat.com> References: <4E4E9B34.10309@redhat.com> <4E4EA415.9010907@redhat.com> <4E5455EC.2020505@redhat.com> <4E56BD82.6060501@redhat.com> <4E57CDA8.6080303@redhat.com> Message-ID: <1314381838.20296.242.camel@willson.li.ssimo.org> On Fri, 2011-08-26 at 12:45 -0400, Adam Young wrote: > On 08/25/2011 05:24 PM, Adam Young wrote: > > Uses the updated version of pkicreate which makes an ipa specific > > proxy config file. > > > > > > _______________________________________________ > > Freeipa-devel mailing list > > Freeipa-devel at redhat.com > > https://www.redhat.com/mailman/listinfo/freeipa-devel > The test for the proxy file in /etc/httpd/conf.d was "isfile" but > since the file is actually a symlink, it needs to be "islink". This > one checks for either. Nack, install fails after configuring the http service. Restart bails out using export SYSTEMCL_SKIP_REDIRECT=1 to get systemd out of the way (it was suppressing the error output) I get a permission denied error trying to open /etc/httpd/conf.d/proxy-ipa.conf That's a symlink into /etc/pki-ca/proxy-ipa.conf which is a file owned by pkiuser:pkiuser with permission 660 (therefore not readable by the apache user). Simo. -- Simo Sorce * Red Hat, Inc * New York From rcritten at redhat.com Fri Aug 26 18:05:27 2011 
From: rcritten at redhat.com (Rob Crittenden) Date: Fri, 26 Aug 2011 14:05:27 -0400 Subject: [Freeipa-devel] [PATCH] 853 remove upgrade state when uninstalling In-Reply-To: <4E57AA47.80601@redhat.com> References: <4E551ADC.1010803@redhat.com> <4E57AA47.80601@redhat.com> Message-ID: <4E57E067.9080306@redhat.com> Adam Young wrote: > On 08/24/2011 11:38 AM, Rob Crittenden wrote: >> The upgrade process makes saves some information in the IPA sysrestore >> state. If any of this state remains after an uninstall then you will >> get an error during re-install. Theoretically all this state should be >> removed as part of the upgrade process but on the outside chance, lets >> remove the state at uninstall to prevent problems. >> >> I've had just one report of this, it may have been due to a blown >> upgrade, I'm not sure. I've been unable to reproduce it but at worst >> this is a noop and at best allows easy re-installation. >> >> This requires patch 852. >> >> rob >> >> >> _______________________________________________ >> Freeipa-devel mailing list >> Freeipa-devel at redhat.com >> https://www.redhat.com/mailman/listinfo/freeipa-devel > ACK pushed to master From simo at redhat.com Fri Aug 26 18:34:32 2011 
From: simo at redhat.com (Simo Sorce) Date: Fri, 26 Aug 2011 14:34:32 -0400 Subject: [Freeipa-devel] [PATCH] 0283-enable-proxy-for-dogtag In-Reply-To: <1314381838.20296.242.camel@willson.li.ssimo.org> References: <4E4E9B34.10309@redhat.com> <4E4EA415.9010907@redhat.com> <4E5455EC.2020505@redhat.com> <4E56BD82.6060501@redhat.com> <4E57CDA8.6080303@redhat.com> <1314381838.20296.242.camel@willson.li.ssimo.org> Message-ID: <1314383672.20296.245.camel@willson.li.ssimo.org> On Fri, 2011-08-26 at 14:03 -0400, Simo Sorce wrote: > On Fri, 2011-08-26 at 12:45 -0400, Adam Young wrote: > > On 08/25/2011 05:24 PM, Adam Young wrote: > > > Uses the updated version of pkicreate which makes an ipa specific > > > proxy config file. > > > > > > > > > _______________________________________________ > > > Freeipa-devel mailing list > > > Freeipa-devel at redhat.com > > > https://www.redhat.com/mailman/listinfo/freeipa-devel > > The test for the proxy file in /etc/httpd/conf.d was "isfile" but > > since the file is actually a symlink, it needs to be "islink". This > > one checks for either. > > Nack, install fails after configuring the http service. > Restart bails out > > using export SYSTEMCL_SKIP_REDIRECT=1 to get systemd out of the way (it > was suppressing the error output) I get a permission denied error > trying to open /etc/httpd/conf.d/proxy-ipa.conf > That's a symlink into /etc/pki-ca/proxy-ipa.conf which is a file owned > by pkiuser:pkiuser with permission 660 (therefore not readable by the > apache user). Ok it turns out permissions are not the real issue as the file is read while apache is still root, it's a selinux issue. Apache starts if I setenforce 0 Still a NAck of course, it needs to work with selinux in enforcing mode Simo. -- Simo Sorce * Red Hat, Inc * New York From abokovoy at redhat.com Fri Aug 26 18:35:16 2011 
From: abokovoy at redhat.com (Alexander Bokovoy) Date: Fri, 26 Aug 2011 21:35:16 +0300 Subject: [Freeipa-devel] [PATCH] 1 Add ipa-adtrust-install utility In-Reply-To: <20110826155927.GH2374@localhost.localdomain> References: <20110826093926.GF2374@localhost.localdomain> <4E577EAB.6080609@redhat.com> <20110826155927.GH2374@localhost.localdomain> Message-ID: <4E57E764.70305@redhat.com> On 26.08.2011 18:59, Sumit Bose wrote: >>> +def parse_options(): >>> + parser = IPAOptionParser(version=version.VERSION) >>> + parser.add_option("-p", "--ds-password", dest="dm_password", >>> + sensitive=True, help="admin password") >> If this is the only password you need, then make it --password. And it >> is Directory Manager's account password, right? Would be nice to change >> help to be more explicit. > > ipa-server-install and ipa-dns-install use the same option for the same > purpose, so I thought it might be a good idea to use the same. But you > are right "admin password" is misleading here. Maybe the help should be > fixed in ipa-server-install and ipa-dns-install, too? Please file a ticket for that. >>> diff --git a/ipaserver/install/smbinstance.py b/ipaserver/install/smbinstance.py >>> new file mode 100644 >> The code in smbinstance.py assumes Samba has been compiled with >> /etc/ipa/smb.conf as default configuration file location. Is that correct? >> > > no, __write_sysconfig_samba() adds "-s /etc/ipa/smb.conf" to > SMBDOPTIONS in /etc/sysconfig/samba. But then net utility will not be able to use it. Same for nmbd and winbindd. If for the last two you could use /etc/sysconfig/samba to direct them to a proper configuration, you can't do so for /usr/bin/net. -- / Alexander Bokovoy From sbose at redhat.com Fri Aug 26 18:52:15 2011 
From: sbose at redhat.com (Sumit Bose) Date: Fri, 26 Aug 2011 20:52:15 +0200 Subject: [Freeipa-devel] [PATCH] 1 Add ipa-adtrust-install utility In-Reply-To: <4E57E764.70305@redhat.com> References: <20110826093926.GF2374@localhost.localdomain> <4E577EAB.6080609@redhat.com> <20110826155927.GH2374@localhost.localdomain> <4E57E764.70305@redhat.com> Message-ID: <20110826185215.GI2374@localhost.localdomain> On Fri, Aug 26, 2011 at 09:35:16PM +0300, Alexander Bokovoy wrote: > >>> diff --git a/ipaserver/install/smbinstance.py b/ipaserver/install/smbinstance.py > >>> new file mode 100644 > >> The code in smbinstance.py assumes Samba has been compiled with > >> /etc/ipa/smb.conf as default configuration file location. Is that correct? > >> > > > > no, __write_sysconfig_samba() adds "-s /etc/ipa/smb.conf" to > > SMBDOPTIONS in /etc/sysconfig/samba. > But then net utility will not be able to use it. Same for nmbd and > winbindd. If for last two you could use /etc/sysconfig/samba to direct > them to a proper configuration, you can't do so for /usr/bin/net. Currently we plan not to use nmbd or winbind. But you are right about net or other utilities. Maybe we should just use the default samba config file, otherwise we would have to add some paragraphs to the documentation explaining how to use the samba utilities. Simo, what do you think? bye, Sumit > > -- > / Alexander Bokovoy > > _______________________________________________ > Freeipa-devel mailing list > Freeipa-devel at redhat.com > https://www.redhat.com/mailman/listinfo/freeipa-devel From simo at redhat.com Fri Aug 26 19:19:08 2011 
From: simo at redhat.com (Simo Sorce) Date: Fri, 26 Aug 2011 15:19:08 -0400 Subject: [Freeipa-devel] [PATCH] 1 Add ipa-adtrust-install utility In-Reply-To: <20110826185215.GI2374@localhost.localdomain> References: <20110826093926.GF2374@localhost.localdomain> <4E577EAB.6080609@redhat.com> <20110826155927.GH2374@localhost.localdomain> <4E57E764.70305@redhat.com> <20110826185215.GI2374@localhost.localdomain> Message-ID: <1314386348.20296.248.camel@willson.li.ssimo.org> On Fri, 2011-08-26 at 20:52 +0200, Sumit Bose wrote: > On Fri, Aug 26, 2011 at 09:35:16PM +0300, Alexander Bokovoy wrote: > > >>> diff --git a/ipaserver/install/smbinstance.py b/ipaserver/install/smbinstance.py > > >>> new file mode 100644 > > >> The code in smbinstance.py assumes Samba has been compiled with > > >> /etc/ipa/smb.conf as default configuration file location. Is that correct? > > >> > > > > > > no, __write_sysconfig_samba() adds "-s /etc/ipa/smb.conf" to > > > SMBDOPTIONS in /etc/sysconfig/samba. > > But then net utility will not be able to use it. Same for nmbd and > > winbindd. If for last two you could use /etc/sysconfig/samba to direct > > them to a proper configuration, you can't do so for /usr/bin/net. > > Currently we plan not to use nmbd or winbind. But you are right about > net or other utilities. Maybe we should just use the default samba > config file, otherwise we would have to add some paragraphs to the > documentation explaining how to use the samba utilities. > > Simo, what do you think? I guess we should use the standard /etc/samba/smb.conf After all we are only setting one line in there and then using the standard registry tdbs to hold configuration, so it's not like we are not going to stomp all over the default samba tdbs anyway. Simo. -- Simo Sorce * Red Hat, Inc * New York From edewata at redhat.com Fri Aug 26 21:04:50 2011 
From: edewata at redhat.com (Endi Sukma Dewata) Date: Fri, 26 Aug 2011 16:04:50 -0500 Subject: [Freeipa-devel] [PATCH] 009 Modifying sudo options refreshes the whole page In-Reply-To: <4E57CCB6.2030303@redhat.com> References: <4E57CCB6.2030303@redhat.com> Message-ID: <4E580A72.60005@redhat.com> On 8/26/2011 11:41 AM, Petr Vobornik wrote: > https://fedorahosted.org/freeipa/ticket/1689 > > Currently adding or deleting sudo options will refresh the entire page. > It's not a problem but the code could be optimized to refresh only the > sudo options table We have several scenarios for sudo options: 1. Add succeeded: The command returns the new record, so we can use it to load the table. No problem here. 2. Add failed: We may be able to assume the data on the server didn't change, so we don't have to update the table. (Yes, the old code does a refresh, but I don't think it's necessary.) 3. Delete batch failed: I think we can assume nothing was executed, same as #2. 4. Delete batch succeeded: It could contain a mix of successes and failures. Like you said, we should use the last successful result. But instead of checking only the last result and doing a load() or update(), we could iterate through the results and find the last successful one (the one with non-empty result). If we find one, then we can use it to load the table. If there isn't any, it means all failed, so we don't do anything, same as #2. What do you think? -- Endi S. Dewata From ayoung at redhat.com Fri Aug 26 21:41:07 2011 
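The four scenarios Endi lists above reduce to one decision procedure: refresh the table only from the last batch entry that actually carries a result, and leave it alone when nothing on the server changed. The following is an added example of that logic, not code from the UI patch or from FreeIPA (the real UI is JavaScript; Python is used here only to make the algorithm concrete). The batch entry shape (a list of dicts, each with either a `result` record or an `error` string) is a simplification assumed for the example, and `last_successful_result` and `sudo_options_table_action` are names chosen here.

```python
"""Added example (not FreeIPA code): choosing how to refresh the sudo options table."""


def last_successful_result(results):
    """Return the record of the last entry with a non-empty 'result', else None.

    Entries are scanned from the end because, in a delete batch, the last
    successful command saw the most recent server state and its returned
    record therefore reflects every earlier deletion as well.
    """
    for entry in reversed(results):
        if not entry.get("error") and entry.get("result"):
            return entry["result"]
    return None


def sudo_options_table_action(command_ok, results):
    """Decide the table refresh for an add (one entry) or a delete batch.

    command_ok False -> scenarios 2 and 3: the command as a whole failed, so
                        the server state is assumed unchanged and nothing is
                        refreshed.
    command_ok True  -> scenario 1 (the single add result) or scenario 4 (a
                        mix of successes and failures): load the table from
                        the last successful record, or do nothing when every
                        entry failed.
    Returns ("load", record) or ("none", None).
    """
    if not command_ok:
        return ("none", None)
    record = last_successful_result(results)
    if record is None:
        return ("none", None)
    return ("load", record)


def sudo_options_from_record(record):
    """Rows for the table: the rule's current option values (constructed key name)."""
    return list(record.get("ipasudoopt", []))


if __name__ == "__main__":
    # Constructed delete-batch response: two removals succeed, two fail.
    batch = [
        {"result": {"cn": ["rule1"], "ipasudoopt": ["!authenticate", "env_keep"]}},
        {"error": "no such option"},
        {"result": {"cn": ["rule1"], "ipasudoopt": ["env_keep"]}},
        {"error": "no such option"},
    ]
    action, record = sudo_options_table_action(True, batch)
    print(action, sudo_options_from_record(record))   # load ['env_keep']
```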
From: ayoung at redhat.com (Adam Young) Date: Fri, 26 Aug 2011 17:41:07 -0400 Subject: [Freeipa-devel] [PATCH] 0283-enable-proxy-for-dogtag In-Reply-To: <1314383672.20296.245.camel@willson.li.ssimo.org> References: <4E4E9B34.10309@redhat.com> <4E4EA415.9010907@redhat.com> <4E5455EC.2020505@redhat.com> <4E56BD82.6060501@redhat.com> <4E57CDA8.6080303@redhat.com> <1314381838.20296.242.camel@willson.li.ssimo.org> <1314383672.20296.245.camel@willson.li.ssimo.org> Message-ID: <4E5812F3.9030001@redhat.com> On 08/26/2011 02:34 PM, Simo Sorce wrote: > On Fri, 2011-08-26 at 14:03 -0400, Simo Sorce wrote: >> On Fri, 2011-08-26 at 12:45 -0400, Adam Young wrote: >>> On 08/25/2011 05:24 PM, Adam Young wrote: >>>> Uses the updated version of pkicreate which makes an ipa specific >>>> proxy config file. >>>> >>>> >>>> _______________________________________________ >>>> Freeipa-devel mailing list >>>> Freeipa-devel at redhat.com >>>> https://www.redhat.com/mailman/listinfo/freeipa-devel >>> The test for the proxy file in /etc/httpd/conf.d was "isfile" but >>> since the file is actually a symlink, it needs to be "islink". This >>> one checks for either. >> Nack, install fails after configuring the http service. >> Restart bails out >> >> using export SYSTEMCL_SKIP_REDIRECT=1 to get systemd out of the way (it >> was suppressing the error output) I get a permission denied error >> trying to open /etc/httpd/conf.d/proxy-ipa.conf >> That's a symlink into /etc/pki-ca/proxy-ipa.conf which is a file owned >> by pkiuser:pkiuser with permission 660 (therefore not readable by the >> apache user). > Ok it turns out permissions are not the real issue as the file is read > while apache is still root, it's a selinux issue. > Apache starts if I setenforce 0 > > Still a NAck of course, it needs to work with selinux in enforcing mode > > Simo. > This version owns the proxy config file. It works with setenforce 0, but does not work with SELinux, so, preemptive-nack. 
But I will be gone for a week, so if someone wants to pick this up and run with it, start from here. -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-admiyo-0283-5-enable-proxy-for-dogtag.patch Type: text/x-patch Size: 12540 bytes Desc: not available URL: From simo at redhat.com Fri Aug 26 22:30:06 2011 
From: simo at redhat.com (Simo Sorce) Date: Fri, 26 Aug 2011 18:30:06 -0400 Subject: [Freeipa-devel] [PATCH] 0283-enable-proxy-for-dogtag In-Reply-To: <4E5812F3.9030001@redhat.com> References: <4E4E9B34.10309@redhat.com> <4E4EA415.9010907@redhat.com> <4E5455EC.2020505@redhat.com> <4E56BD82.6060501@redhat.com> <4E57CDA8.6080303@redhat.com> <1314381838.20296.242.camel@willson.li.ssimo.org> <1314383672.20296.245.camel@willson.li.ssimo.org> <4E5812F3.9030001@redhat.com> Message-ID: <1314397806.20296.252.camel@willson.li.ssimo.org> On Fri, 2011-08-26 at 17:41 -0400, Adam Young wrote: > On 08/26/2011 02:34 PM, Simo Sorce wrote: > > On Fri, 2011-08-26 at 14:03 -0400, Simo Sorce wrote: > >> On Fri, 2011-08-26 at 12:45 -0400, Adam Young wrote: > >>> On 08/25/2011 05:24 PM, Adam Young wrote: > >>>> Uses the updated version of pkicreate which makes an ipa specific > >>>> proxy config file. > >>>> > >>>> > >>>> _______________________________________________ > >>>> Freeipa-devel mailing list > >>>> Freeipa-devel at redhat.com > >>>> https://www.redhat.com/mailman/listinfo/freeipa-devel > >>> The test for the proxy file in /etc/httpd/conf.d was "isfile" but > >>> since the file is actually a symlink, it needs to be "islink". This > >>> one checks for either. > >> Nack, install fails after configuring the http service. > >> Restart bails out > >> > >> using export SYSTEMCL_SKIP_REDIRECT=1 to get systemd out of the way (it > >> was suppressing the error output) I get a permission denied error > >> trying to open /etc/httpd/conf.d/proxy-ipa.conf > >> That's a symlink into /etc/pki-ca/proxy-ipa.conf which is a file owned > >> by pkiuser:pkiuser with permission 660 (therefore not readable by the > >> apache user). > > Ok it turns out permissions are not the real issue as the file is read > > while apache is still root, it's a selinux issue. > > Apache starts if I setenforce 0 > > > > Still a NAck of course, it needs to work with selinux in enforcing mode > > > > Simo. 
> > > This version owns the proxy config file. It works with setenforce 0, > but does not work with SELinux, so, preemptive-nack. But I will be gone > for a week, so if someone wants to pick this up and run with it, start > from here. The previous patch with the corrected isfile vs islink issue works fine as long as the SELinux policy is fixed to allow access to /etc/pki-ca/proxy-ipa.conf. I have tested a master and then replica install with no issues after I loaded a custom SELinux policy that allows that. So tentative ACK to the former patch. I will discuss with Ade how to resolve the SELinux issue and will push to master once that is solved. Simo. -- Simo Sorce * Red Hat, Inc * New York From ayoung at redhat.com Sat Aug 27 00:57:41 2011
From: ayoung at redhat.com (Adam Young) Date: Fri, 26 Aug 2011 20:57:41 -0400 Subject: [Freeipa-devel] [PATCH] 0283-enable-proxy-for-dogtag In-Reply-To: <1314397806.20296.252.camel@willson.li.ssimo.org> References: <4E4E9B34.10309@redhat.com> <4E4EA415.9010907@redhat.com> <4E5455EC.2020505@redhat.com> <4E56BD82.6060501@redhat.com> <4E57CDA8.6080303@redhat.com> <1314381838.20296.242.camel@willson.li.ssimo.org> <1314383672.20296.245.camel@willson.li.ssimo.org> <4E5812F3.9030001@redhat.com> <1314397806.20296.252.camel@willson.li.ssimo.org> Message-ID: <4E584105.8040508@redhat.com> On 08/26/2011 06:30 PM, Simo Sorce wrote: > On Fri, 2011-08-26 at 17:41 -0400, Adam Young wrote: >> On 08/26/2011 02:34 PM, Simo Sorce wrote: >>> On Fri, 2011-08-26 at 14:03 -0400, Simo Sorce wrote: >>>> On Fri, 2011-08-26 at 12:45 -0400, Adam Young wrote: >>>>> On 08/25/2011 05:24 PM, Adam Young wrote: >>>>>> Uses the updated version of pkicreate which makes an ipa specific >>>>>> proxy config file. >>>>>> >>>>>> >>>>>> _______________________________________________ >>>>>> Freeipa-devel mailing list >>>>>> Freeipa-devel at redhat.com >>>>>> https://www.redhat.com/mailman/listinfo/freeipa-devel >>>>> The test for the proxy file in /etc/httpd/conf.d was "isfile' but >>>>> since the file is actually a symlink, it needs to be "islink". This >>>>> one checks for either. >>>> Nack, install fails after configuring the http service. >>>> Restart bails out >>>> >>>> using export SYSTEMCTL_SKIP_REDIRECT=1 to get systemd out of the way (it >>>> was suppressing the error output) I get a permission denied error >>>> trying to open /etc/httpd/conf.d/proxy-ipa.conf >>>> That's a symlink into /etc/pki-ca/proxy-ipa.conf which is a file owned >>>> by pkiuser:pkiuser with permission 660 (therefore not readable by the >>>> apache user). >>> Ok it turns out permissions are not the real issue as the file is read >>> while apache is still root, it's a selinux issue.
>>> Apache starts if I setenforce 0 >>> >>> Still a NAck of course, it needs to work with selinux in enforcing mode >>> >>> Simo. >>> >> This version owns the proxy config file. It works with setenforce 0, >> but does not work with SELinux, so, preemptive-nack. But I will be gone >> for a week, so if someone wants to pick this up and run with it, start >> from here. > The previous patch with the corrected isfile vs islink issue works fine > as long as the SELinux policy is fixed to allow access > to /etc/pki-ca/proxy-ipa.conf > > I have tested a master and then replica install with no issues after I > loaded a custom SELinux policy that allows that. > > So tentative ACK to the former patch. > I will discuss with Ade how to resolve the SELinux issue and will push to > master once that is solved. > > Simo. > Previous patch is based on a change for PKI-CA that we are not going to push, so we can't go with that. The file /etc/pki-ca/proxy-ipa.conf will not be available for IPA to use. Whatever the issue is with this patch, it has to be fairly minor. The difference in approach is that this one includes the conf file and places it in /etc/httpd/conf.d. The problem is possibly the fact that this one uses localhost instead of the FQDN, although I did test it both ways prior to adding it to the RPM, and it worked with localhost and SELinux in enforcing mode. From ayoung at redhat.com Sat Aug 27 02:28:26 2011
From: ayoung at redhat.com (Adam Young) Date: Fri, 26 Aug 2011 22:28:26 -0400 Subject: [Freeipa-devel] [PATCH] 0283-enable-proxy-for-dogtag In-Reply-To: <4E584105.8040508@redhat.com> References: <4E4E9B34.10309@redhat.com> <4E4EA415.9010907@redhat.com> <4E5455EC.2020505@redhat.com> <4E56BD82.6060501@redhat.com> <4E57CDA8.6080303@redhat.com> <1314381838.20296.242.camel@willson.li.ssimo.org> <1314383672.20296.245.camel@willson.li.ssimo.org> <4E5812F3.9030001@redhat.com> <1314397806.20296.252.camel@willson.li.ssimo.org> <4E584105.8040508@redhat.com> Message-ID: <4E58564A.9050405@redhat.com> On 08/26/2011 08:57 PM, Adam Young wrote: > On 08/26/2011 06:30 PM, Simo Sorce wrote: >> On Fri, 2011-08-26 at 17:41 -0400, Adam Young wrote: >>> On 08/26/2011 02:34 PM, Simo Sorce wrote: >>>> On Fri, 2011-08-26 at 14:03 -0400, Simo Sorce wrote: >>>>> On Fri, 2011-08-26 at 12:45 -0400, Adam Young wrote: >>>>>> On 08/25/2011 05:24 PM, Adam Young wrote: >>>>>>> Uses the updated version of pkicreate which makes an ipa specific >>>>>>> proxy config file. >>>>>>> >>>>>>> >>>>>>> _______________________________________________ >>>>>>> Freeipa-devel mailing list >>>>>>> Freeipa-devel at redhat.com >>>>>>> https://www.redhat.com/mailman/listinfo/freeipa-devel >>>>>> The test for the proxy file in /etc/httpd/conf.d was "isfile' but >>>>>> since the file is actually a symlink, it needs to be "islink". >>>>>> This >>>>>> one checks for either. >>>>> Nack, install fails after configuring the http service. >>>>> Restart bails out >>>>> >>>>> using export SYSTEMCTL_SKIP_REDIRECT=1 to get systemd out of the >>>>> way (it >>>>> was suppressing the error output) I get a permission denied error >>>>> trying to open /etc/httpd/conf.d/proxy-ipa.conf >>>>> That's a symlink into /etc/pki-ca/proxy-ipa.conf which is a file >>>>> owned >>>>> by pkiuser:pkiuser with permission 660 (therefore not readable by the >>>>> apache user).
>>>> Ok it turns out permissions are not the real issue as the file is read >>>> while apache is still root, it's a selinux issue. >>>> Apache starts if I setenforce 0 >>>> >>>> Still a NAck of course, it needs to work with selinux in enforcing >>>> mode >>>> >>>> Simo. >>>> >>> This version owns the proxy config file. It works with setenforce 0, >>> but does not work with SELinux, so, preemptive-nack. But I will be gone >>> for a week, so if someone wants to pick this up and run with it, start >>> from here. >> The previous patch with the corrected isfile vs islink issue works fine >> as long as the SELinux policy is fixed to allow access >> to /etc/pki-ca/proxy-ipa.conf >> >> I have tested a master and then replica install with no issues after I >> loaded a custom SELinux policy that allows that. >> >> So tentative ACK to the former patch. >> I will discuss with Ade how to resolve the SELinux issue and will push to >> master once that is solved. >> >> Simo. >> > Previous patch is based on a change for PKI-CA that we are not going > to push, so we can't go with that. The file > /etc/pki-ca/proxy-ipa.conf will not be available for IPA to use. > Whatever the issue is with this patch, it has to be fairly minor. The > difference in approach is that this one includes the conf file and > places it in /etc/httpd/conf.d. The problem is possibly the fact that > this one uses localhost instead of the FQDN, although I did test it > both ways prior to adding it to the RPM, and it worked with localhost > and SELinux in enforcing mode.
> > _______________________________________________ > Freeipa-devel mailing list > Freeipa-devel at redhat.com > https://www.redhat.com/mailman/listinfo/freeipa-devel Failure seems to be from this step in the install log: After configuration, the server can be operated by the command: /sbin/service pki-cad restart pki-ca 2011-08-26 21:51:47,114 DEBUG stderr=[error] FAILED run_command("/sbin/service p ki-cad restart pki-ca"), exit status=126 output="Stopping pki-ca: [ OK ] /usr/bin/runcon: /var/lib/pki-ca/pki-ca: Permission denied" And in the Audit log: type=AVC msg=audit(1314409907.089:2397): avc: denied { transition } for pid=21040 comm="runcon" path="/etc/rc.d/init.d/tomcat6" dev=dm-0 ino=35449 scontext=system_u:system_r:kernel_t:s0 tcontext=system_u:system_r:pki_ca_script_t:s0 tclass=process type=AVC msg=audit(1314410048.272:2398): avc: denied { transition } for pid=21124 comm="runcon" path="/etc/rc.d/init.d/tomcat6" dev=dm-0 ino=35449 scontext=system_u:system_r:kernel_t:s0 tcontext=system_u:system_r:pki_ca_script_t:s0 tclass=process From mkosek at redhat.com Mon Aug 29 08:27:51 2011 From: mkosek at redhat.com (Martin Kosek) Date: Mon, 29 Aug 2011 10:27:51 +0200 Subject: [Freeipa-devel] [PATCH] 115 ipa-client-install breaks network configuration Message-ID: <1314606473.3219.22.camel@dhcp-25-52.brq.redhat.com> I would like to get this patch included in upcoming 6.2, the issue is quite serious. --- Do not forget to add new line in updated /etc/sysconfig/network configuration. Move the actual change of the hostname after the user confirmation about proceeding with installation. It confused users when the hostname change occurred before this prompt. https://fedorahosted.org/freeipa/ticket/1724 -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-mkosek-115-ipa-client-install-breaks-network-configuration.patch Type: text/x-patch Size: 2433 bytes Desc: not available URL: From abokovoy at redhat.com Mon Aug 29 08:36:57 2011 
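For the two AVC records Adam pasted from the audit log in the 0283 thread above, the following is an added example written for this page; it is not part of the original thread and not FreeIPA's or Dogtag's code. It parses audit.log AVC lines into structured records, tallies denials per (source type, target type, object class, permission), prints the tallies in the allow-rule shape audit2allow would propose, and flags denials whose source domain is kernel_t, which for a userspace command such as runcon means the parent process never received a proper label. The sample input is constructed: the two records from the thread, one made-up httpd denial (the target label name pki_ca_etc_rw_t is assumed for illustration) and a SYSCALL record that the parser must skip.

```python
import re
from collections import Counter
from datetime import datetime, timezone

# Constructed sample input (not a real capture): the two AVC records from the
# 0283 thread, one made-up AVC of a different shape (the pki_ca_etc_rw_t label
# name is assumed for illustration) and a SYSCALL record the parser must ignore.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1314409907.089:2397): avc:  denied  { transition } for  pid=21040 comm="runcon" path="/etc/rc.d/init.d/tomcat6" dev=dm-0 ino=35449 scontext=system_u:system_r:kernel_t:s0 tcontext=system_u:system_r:pki_ca_script_t:s0 tclass=process
type=AVC msg=audit(1314410048.272:2398): avc:  denied  { transition } for  pid=21124 comm="runcon" path="/etc/rc.d/init.d/tomcat6" dev=dm-0 ino=35449 scontext=system_u:system_r:kernel_t:s0 tcontext=system_u:system_r:pki_ca_script_t:s0 tclass=process
type=AVC msg=audit(1314410100.000:2399): avc:  denied  { read } for  pid=21200 comm="httpd" name="proxy-ipa.conf" dev=dm-0 ino=35500 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:pki_ca_etc_rw_t:s0 tclass=file
type=SYSCALL msg=audit(1314410100.000:2399): arch=c000003e syscall=2 success=no exit=-13 comm="httpd"
"""

# Header of an AVC record; the remainder is a run of key=value pairs.
AVC_RE = re.compile(
    r'^type=AVC msg=audit\((?P<ts>\d+\.\d+):(?P<serial>\d+)\): '
    r'avc:\s+(?P<verdict>denied|granted)\s+\{ (?P<perms>[^}]*) \} for\s+(?P<rest>.*)$'
)
# key=value pairs; values may be double-quoted (comm, path, name).
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Heuristic used by this example: a confined userspace service reporting one of
# these as its *own* domain means its parent was running without a proper label.
UNLABELLED_SOURCE_DOMAINS = {'kernel_t'}


def context_type(ctx):
    """Return the type field of a user:role:type[:range] security context."""
    return ctx.split(':')[2]


def parse_avc(line):
    """Parse one audit.log line; returns a dict for AVC records, None otherwise."""
    m = AVC_RE.match(line.strip())
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in KV_RE.findall(m.group('rest'))}
    rec = {
        'time': datetime.fromtimestamp(float(m.group('ts')), tz=timezone.utc),
        'serial': int(m.group('serial')),
        'verdict': m.group('verdict'),
        'perms': m.group('perms').split(),
        'pid': int(fields.get('pid', -1)),
        'comm': fields.get('comm'),
        'target': fields.get('path') or fields.get('name'),
        'scontext': fields['scontext'],
        'tcontext': fields['tcontext'],
        'tclass': fields['tclass'],
    }
    rec['source_type'] = context_type(rec['scontext'])
    rec['target_type'] = context_type(rec['tcontext'])
    return rec


def parse_audit_log(text):
    """All AVC records in a block of audit.log text, in file order."""
    return [r for r in (parse_avc(line) for line in text.splitlines()) if r]


def summarize(records):
    """Count denials per (source type, target type, class, permission)."""
    counts = Counter()
    for r in records:
        if r['verdict'] != 'denied':
            continue
        for perm in r['perms']:
            counts[(r['source_type'], r['target_type'], r['tclass'], perm)] += 1
    return counts


def as_allow_rules(summary):
    """Collapse the summary into allow rules in the shape audit2allow prints."""
    rules = {}
    for (src, tgt, cls, perm) in summary:
        rules.setdefault((src, tgt, cls), set()).add(perm)
    out = []
    for (src, tgt, cls), perms in sorted(rules.items()):
        perms_s = ' '.join(sorted(perms))
        if len(perms) > 1:
            perms_s = '{ ' + perms_s + ' }'
        out.append(f'allow {src} {tgt}:{cls} {perms_s};')
    return out


def mislabel_hints(records):
    """comm values of denied records whose source domain signals a missing label."""
    return {r['comm'] for r in records
            if r['verdict'] == 'denied' and r['source_type'] in UNLABELLED_SOURCE_DOMAINS}


if __name__ == '__main__':
    recs = parse_audit_log(SAMPLE_AUDIT_LOG)
    summary = summarize(recs)
    for (src, tgt, cls, perm), n in sorted(summary.items()):
        print(f'{n:3d}  {src} -> {tgt}  {cls}:{perm}')
    print('\n'.join(as_allow_rules(summary)))
    print('possible mislabeling (source kernel_t):', sorted(mislabel_hints(recs)))
```

Treat the generated allow rules as a triage summary, not as policy to load: an `allow kernel_t pki_ca_script_t:process transition;` rule would paper over a labeling problem rather than fix it, which is why a relabel is the right response to the first two records, while the constructed httpd record is the kind of denial a policy change (or a different file context) does address.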
From: abokovoy at redhat.com (Alexander Bokovoy) Date: Mon, 29 Aug 2011 11:36:57 +0300 Subject: [Freeipa-devel] [PATCH] 115 ipa-client-install breaks network configuration In-Reply-To: <1314606473.3219.22.camel@dhcp-25-52.brq.redhat.com> References: <1314606473.3219.22.camel@dhcp-25-52.brq.redhat.com> Message-ID: <4E5B4FA9.4010306@redhat.com> On 29.08.2011 11:27, Martin Kosek wrote: > I would like to get this patch included in upcoming 6.2, the issue is > quite serious. > --- > Do not forget to add new line in updated /etc/sysconfig/network > configuration. Move the actual change of the hostname after the > user confirmation about proceeding with installation. It confused > users when the hostname change occurred before this prompt. > > https://fedorahosted.org/freeipa/ticket/1724 ACK. Poor me. There was discussion where to put the change but this part wasn't considered. Please push. -- / Alexander Bokovoy From simo at redhat.com Mon Aug 29 12:34:32 2011 
From: simo at redhat.com (Simo Sorce) Date: Mon, 29 Aug 2011 08:34:32 -0400 Subject: [Freeipa-devel] [PATCH] 115 ipa-client-install breaks network configuration In-Reply-To: <4E5B4FA9.4010306@redhat.com> References: <1314606473.3219.22.camel@dhcp-25-52.brq.redhat.com> <4E5B4FA9.4010306@redhat.com> Message-ID: <1314621272.20296.279.camel@willson.li.ssimo.org> On Mon, 2011-08-29 at 11:36 +0300, Alexander Bokovoy wrote: > On 29.08.2011 11:27, Martin Kosek wrote: > > I would like to get this patch included in upcoming 6.2, the issue is > > quite serious. > > --- > > Do not forget to add new line in updated /etc/sysconfig/network > > configuration. Move the actual change of the hostname after the > > user confirmation about proceeding with installation. It confused > > users when the hostname change occurred before this prompt. > > > > https://fedorahosted.org/freeipa/ticket/1724 > ACK. > > Poor me. There was discussion where to put the change but this part > wasn't considered. > > Please push. Martin forgot to mention he pushed this patch. Simo. -- Simo Sorce * Red Hat, Inc * New York From pvoborni at redhat.com Mon Aug 29 12:58:06 2011 
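The missing-newline defect described in Martin's patch 115 above (an updated /etc/sysconfig/network written without a terminating newline) is easy to reproduce and cheap to guard against. The following is an added example written for this page; it is not the patch itself and not FreeIPA's code. It pairs a small KEY=value editor for sysconfig-style files, which always terminates the file with a newline and replaces it atomically, with a writer that reproduces the symptom: the next line another tool appends lands on the HOSTNAME= line. The file content, path and hostnames are constructed.

```python
import os
import shutil
import tempfile


def parse_sysconfig(text):
    """Parse KEY=value lines of a sysconfig-style file (comments and blanks skipped).
    A later KEY wins, as it would when the shell sources the file."""
    values = {}
    for line in text.splitlines():
        stripped = line.strip()
        if not stripped or stripped.startswith('#') or '=' not in stripped:
            continue
        key, value = stripped.split('=', 1)
        values[key.strip()] = value.strip().strip('"')
    return values


def read_sysconfig(path):
    with open(path) as f:
        return parse_sysconfig(f.read())


def set_sysconfig_value(path, key, value):
    """Set KEY=value in place: other lines, comments and order are preserved, duplicate
    KEY lines collapse into one, the file always ends with a newline, and the new
    content replaces the old atomically (rename) with the original mode kept.
    Returns True if an existing KEY line was replaced, False if one was appended."""
    try:
        with open(path) as f:
            lines = f.read().splitlines()
    except FileNotFoundError:
        lines = []
    new_line = f'{key}={value}'
    out, replaced = [], False
    for line in lines:
        stripped = line.strip()
        if not stripped.startswith('#') and stripped.split('=', 1)[0].strip() == key:
            if not replaced:
                out.append(new_line)
                replaced = True
            continue  # drop duplicate KEY lines
        out.append(line)
    if not replaced:
        out.append(new_line)
    tmp = path + '.tmp'
    with open(tmp, 'w') as f:
        f.write('\n'.join(out) + '\n')  # the trailing newline the original bug forgot
    if os.path.exists(path):
        shutil.copymode(path, tmp)
    os.replace(tmp, path)
    return replaced


def rewrite_last_line_unterminated(path, key, value):
    """Reproduces the defect: KEY=value becomes the last line and no newline follows
    it, so whatever is appended next lands on the same line."""
    with open(path) as f:
        lines = [l for l in f.read().splitlines() if not l.startswith(key + '=')]
    lines.append(f'{key}={value}')
    with open(path, 'w') as f:
        f.write('\n'.join(lines))  # no final newline


def append_line(path, line):
    """What a later writer (another tool, or a plain >> redirect) typically does."""
    with open(path, 'a') as f:
        f.write(line + '\n')


def demo():
    """Run both writers on a constructed copy of /etc/sysconfig/network in a temp dir."""
    workdir = tempfile.mkdtemp()
    path = os.path.join(workdir, 'network')
    with open(path, 'w') as f:
        f.write('NETWORKING=yes\nHOSTNAME=old.example.com\n')  # constructed content
    results = {}
    results['replaced'] = set_sysconfig_value(path, 'HOSTNAME', 'client.example.com')
    with open(path) as f:
        results['fixed_text'] = f.read()
    results['fixed_values'] = read_sysconfig(path)
    rewrite_last_line_unterminated(path, 'HOSTNAME', 'client.example.com')
    append_line(path, 'GATEWAY=192.0.2.1')
    with open(path) as f:
        results['broken_text'] = f.read()
    results['broken_values'] = read_sysconfig(path)
    shutil.rmtree(workdir)
    return results


if __name__ == '__main__':
    for name, value in demo().items():
        print(f'{name}: {value!r}')
```

In the broken case the parsed HOSTNAME value swallows the appended GATEWAY line and GATEWAY disappears from the configuration entirely, which is the kind of silent corruption that makes a missing newline a serious bug in a file the network init scripts source as shell.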
From: pvoborni at redhat.com (Petr Vobornik) Date: Mon, 29 Aug 2011 14:58:06 +0200 Subject: [Freeipa-devel] [PATCH] 009 Modifying sudo options refreshes the whole page In-Reply-To: <4E580A72.60005@redhat.com> References: <4E57CCB6.2030303@redhat.com> <4E580A72.60005@redhat.com> Message-ID: <4E5B8CDE.7030100@redhat.com> On 08/26/2011 11:04 PM, Endi Sukma Dewata wrote: > On 8/26/2011 11:41 AM, Petr Vobornik wrote: >> https://fedorahosted.org/freeipa/ticket/1689 >> >> Currently adding or deleting sudo options will refresh the entire page. >> It's not a problem but the code could be optimized to refresh only the >> sudo options table > > We have several scenarios for sudo options: > > 1. Add succeeded: The command returns the new record, so we can use it > to load the table. No problem here. > > 2. Add failed: We may be able to assume the data on the server didn't > change, so we don't have to update the table. (Yes, the old code does a > refresh, but I don't think it's necessary.) In most cases it's true. One scenario where an update could be useful is when there is a network error while receiving the response. But in this case updating the table would probably end with the same error. Another case is when someone added the same option right before you. > > 3. Delete batch failed: I think we can assume nothing was executed, same > as #2. This time only some network issue can occur. > > 4. Delete batch succeeded: It could contain a mix of successes and > failures. Like you said, we should use the last successful result. > > But instead of checking only the last result and do a load() or > update(), we could iterate through the results and find the last > successful one (the one with non-empty result). Updated > > If we find one, then we can use it to load the table. If there isn't > any, it means all failed, so we don't do anything, same as #2. Same as 2 only for the delete operation - you'll end with an invalid table in concurrent deletion. > > What do you think?
> Summary: I would say that the network issue and the same concurrent edit issue can be so rare that the update isn't really necessary, and it slows down more frequent failures like non-concurrent adding of the same option. If we want the UI to be faster, we should remove updates. If we want it to be more valid in rare cases we should keep updates. Included updated patches for both options (1-without updates, 2-with updates). -- Petr Vobornik -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pvoborni-0009-1-Modifying-sudo-options-refreshes-the-whole-page.patch Type: text/x-patch Size: 3117 bytes Desc: not available URL: -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pvoborni-0009-2-Modifying-sudo-options-refreshes-the-whole-page.patch Type: text/x-patch Size: 3787 bytes Desc: not available URL: From mkosek at redhat.com Mon Aug 29 13:52:47 2011 From: mkosek at redhat.com (Martin Kosek) Date: Mon, 29 Aug 2011 15:52:47 +0200 Subject: [Freeipa-devel] [PATCH] 845 add external source hosts to HBAC In-Reply-To: <4E4BE4A1.4070504@redhat.com> References: <4E4BE4A1.4070504@redhat.com> Message-ID: <1314625969.3219.25.camel@dhcp-25-52.brq.redhat.com> On Wed, 2011-08-17 at 11:56 -0400, Rob Crittenden wrote: > You should be able to specify hosts that aren't in IPA in HBAC source > host rules. This adds support for it. > > ticket https://fedorahosted.org/freeipa/ticket/1574 > > rob ACK. Works fine. Although, I am thinking that we now have the same algorithm (add user/host as external when not found in LDAP) for both hbac and sudorule. We may think about consolidating it so that we don't have duplicates. Martin From edewata at redhat.com Mon Aug 29 14:09:12 2011
From: edewata at redhat.com (Endi Sukma Dewata) Date: Mon, 29 Aug 2011 09:09:12 -0500 Subject: [Freeipa-devel] [PATCH] 257 Fixed host adder dialog to show default DNS zone. Message-ID: <4E5B9D88.9080608@redhat.com> The DNS zone widget for host adder dialog has been modified not to provide an empty option, so it will show the first available zone. Ticket #1685 -- Endi S. Dewata -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-edewata-0257-Fixed-host-adder-dialog-to-show-default-DNS-zone.patch Type: text/x-patch Size: 2672 bytes Desc: not available URL: From rcritten at redhat.com Mon Aug 29 14:29:43 2011 From: rcritten at redhat.com (Rob Crittenden) Date: Mon, 29 Aug 2011 10:29:43 -0400 Subject: [Freeipa-devel] [PATCH] 859 bump dogtag min n-v-r Message-ID: <4E5BA257.8060408@redhat.com> Update pki-* n-v-r to pick up SELinux fix in https://bugzilla.redhat.com/show_bug.cgi?id=700505. rob -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-rcrit-859-dogtag.patch Type: text/x-patch Size: 1176 bytes Desc: not available URL: From mkosek at redhat.com Mon Aug 29 14:45:34 2011 From: mkosek at redhat.com (Martin Kosek) Date: Mon, 29 Aug 2011 16:45:34 +0200 Subject: [Freeipa-devel] [PATCH] 859 bump dogtag min n-v-r In-Reply-To: <4E5BA257.8060408@redhat.com> References: <4E5BA257.8060408@redhat.com> Message-ID: <1314629136.3219.35.camel@dhcp-25-52.brq.redhat.com> On Mon, 2011-08-29 at 10:29 -0400, Rob Crittenden wrote: > Update pki-* n-v-r to pick up SELinux fix in > https://bugzilla.redhat.com/show_bug.cgi?id=700505. > > rob Looks good. Just one thing - the spec log confused me. Who is doing this change - you or Honza? :-) Martin From mkosek at redhat.com Mon Aug 29 14:59:46 2011 
From: mkosek at redhat.com (Martin Kosek) Date: Mon, 29 Aug 2011 16:59:46 +0200 Subject: [Freeipa-devel] [PATCH] 859 bump dogtag min n-v-r In-Reply-To: <1314629136.3219.35.camel@dhcp-25-52.brq.redhat.com> References: <4E5BA257.8060408@redhat.com> <1314629136.3219.35.camel@dhcp-25-52.brq.redhat.com> Message-ID: <1314629988.3219.38.camel@dhcp-25-52.brq.redhat.com> On Mon, 2011-08-29 at 16:45 +0200, Martin Kosek wrote: > On Mon, 2011-08-29 at 10:29 -0400, Rob Crittenden wrote: > > Update pki-* n-v-r to pick up SELinux fix in > > https://bugzilla.redhat.com/show_bug.cgi?id=700505. > > > > rob > > Looks good. Just one thing - the spec log confused me. Who is doing this > change - you or Honza? :-) > > Martin One more thing: Why don't we fix also #1651 with this change? Highest version of pki-ca on F-16 is still just pki-core-9.0.9-1.fc16. Martin From rcritten at redhat.com Mon Aug 29 15:05:55 2011 
From: rcritten at redhat.com (Rob Crittenden) Date: Mon, 29 Aug 2011 11:05:55 -0400 Subject: [Freeipa-devel] [PATCH] 859 bump dogtag min n-v-r In-Reply-To: <1314629988.3219.38.camel@dhcp-25-52.brq.redhat.com> References: <4E5BA257.8060408@redhat.com> <1314629136.3219.35.camel@dhcp-25-52.brq.redhat.com> <1314629988.3219.38.camel@dhcp-25-52.brq.redhat.com> Message-ID: <4E5BAAD3.5010900@redhat.com> Martin Kosek wrote: > On Mon, 2011-08-29 at 16:45 +0200, Martin Kosek wrote: >> On Mon, 2011-08-29 at 10:29 -0400, Rob Crittenden wrote: >>> Update pki-* n-v-r to pick up SELinux fix in >>> https://bugzilla.redhat.com/show_bug.cgi?id=700505. >>> >>> rob >> >> Looks good. Just one thing - the spec log confused me. Who is doing this >> change - you or Honza? :-) >> >> Martin > > One more thing: Why don't we fix also #1651 with this change? Highest > version of pki-ca on F-16 is still just pki-core-9.0.9-1.fc16. Because I haven't actually tested to see if IPA builds and works on F-16 yet (it was unbuildable for reasons beyond dogtag when we released 2.1). From what I understand the java packaging changed significantly in F-16 causing problems with dogtag. rob From rcritten at redhat.com Mon Aug 29 15:09:34 2011 
From: rcritten at redhat.com (Rob Crittenden) Date: Mon, 29 Aug 2011 11:09:34 -0400 Subject: [Freeipa-devel] [PATCH] 859 bump dogtag min n-v-r In-Reply-To: <1314629136.3219.35.camel@dhcp-25-52.brq.redhat.com> References: <4E5BA257.8060408@redhat.com> <1314629136.3219.35.camel@dhcp-25-52.brq.redhat.com> Message-ID: <4E5BABAE.3020903@redhat.com> Martin Kosek wrote: > On Mon, 2011-08-29 at 10:29 -0400, Rob Crittenden wrote: >> Update pki-* n-v-r to pick up SELinux fix in >> https://bugzilla.redhat.com/show_bug.cgi?id=700505. >> >> rob > > Looks good. Just one thing - the spec log confused me. Who is doing this > change - you or Honza? :-) Oh, heh. I just copied the previous entry, guess I forgot to change the name. I can do that when pushing. rob From mkosek at redhat.com Mon Aug 29 15:13:46 2011 
From: mkosek at redhat.com (Martin Kosek) Date: Mon, 29 Aug 2011 17:13:46 +0200 Subject: [Freeipa-devel] [PATCH] 859 bump dogtag min n-v-r In-Reply-To: <4E5BAAD3.5010900@redhat.com> References: <4E5BA257.8060408@redhat.com> <1314629136.3219.35.camel@dhcp-25-52.brq.redhat.com> <1314629988.3219.38.camel@dhcp-25-52.brq.redhat.com> <4E5BAAD3.5010900@redhat.com> Message-ID: <1314630828.3219.39.camel@dhcp-25-52.brq.redhat.com> On Mon, 2011-08-29 at 11:05 -0400, Rob Crittenden wrote: > Martin Kosek wrote: > > On Mon, 2011-08-29 at 16:45 +0200, Martin Kosek wrote: > >> On Mon, 2011-08-29 at 10:29 -0400, Rob Crittenden wrote: > >>> Update pki-* n-v-r to pick up SELinux fix in > >>> https://bugzilla.redhat.com/show_bug.cgi?id=700505. > >>> > >>> rob > >> > >> Looks good. Just one thing - the spec log confused me. Who is doing this > >> change - you or Honza? :-) > >> > >> Martin > > > > One more thing: Why don't we fix also #1651 with this change? Highest > > version of pki-ca on F-16 is still just pki-core-9.0.9-1.fc16. > > Because I haven't actually tested to see if IPA builds and works on F-16 > yet (it was unbuildable for reasons beyond dogtag when we released 2.1). > > From what I understand the java packaging changed significantly in F-16 > causing problems with dogtag. > > rob OK then. ACK if you change the name in the log before pushing. Martin From rcritten at redhat.com Mon Aug 29 15:26:23 2011 
From: rcritten at redhat.com (Rob Crittenden) Date: Mon, 29 Aug 2011 11:26:23 -0400 Subject: [Freeipa-devel] [PATCH] 860 make uninstall logging more robust Message-ID: <4E5BAF9F.7010300@redhat.com> The uninstaller would often not report problems; many exceptions were ignored with pass. This beefs up the debug logging a bit more and will attempt to find anything left over that may prevent a re-install. This also unifies the installed-status functions. ipa-server-install looked at the install state and ipactl looked to see if files were tracked. Now both are considered. rob -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-rcrit-860-uninstall.patch Type: text/x-patch Size: 9417 bytes Desc: not available URL: From edewata at redhat.com Mon Aug 29 15:32:30 2011 From: edewata at redhat.com (Endi Sukma Dewata) Date: Mon, 29 Aug 2011 10:32:30 -0500 Subject: [Freeipa-devel] [PATCH] 009 Modifying sudo options refreshes the whole page In-Reply-To: <4E5B8CDE.7030100@redhat.com> References: <4E57CCB6.2030303@redhat.com> <4E580A72.60005@redhat.com> <4E5B8CDE.7030100@redhat.com> Message-ID: <4E5BB10E.1060706@redhat.com> On 8/29/2011 7:58 AM, Petr Vobornik wrote: > I would say that the network issue and the same concurrent edit issue > can be so rare that the update isn't really necessary, and it slows down > more frequent failures like non-concurrent adding of the same option. > > If we want the UI to be faster, we should remove updates. If we want it to > be more valid in rare cases we should keep updates. > > Included updated patches for both options (1-without updates, 2-with > updates). As discussed over IRC, considering the sudo rule details page could be left open for some time, it's better to update after failure to see any change on the server. ACK patch #9-2 and pushed to master and ipa-2-1. -- Endi S. Dewata From rcritten at redhat.com Mon Aug 29 18:05:53 2011
From: rcritten at redhat.com (Rob Crittenden) Date: Mon, 29 Aug 2011 14:05:53 -0400 Subject: [Freeipa-devel] [PATCH] 859 bump dogtag min n-v-r In-Reply-To: <1314630828.3219.39.camel@dhcp-25-52.brq.redhat.com> References: <4E5BA257.8060408@redhat.com> <1314629136.3219.35.camel@dhcp-25-52.brq.redhat.com> <1314629988.3219.38.camel@dhcp-25-52.brq.redhat.com> <4E5BAAD3.5010900@redhat.com> <1314630828.3219.39.camel@dhcp-25-52.brq.redhat.com> Message-ID: <4E5BD501.6020300@redhat.com> Martin Kosek wrote: > On Mon, 2011-08-29 at 11:05 -0400, Rob Crittenden wrote: >> Martin Kosek wrote: >>> On Mon, 2011-08-29 at 16:45 +0200, Martin Kosek wrote: >>>> On Mon, 2011-08-29 at 10:29 -0400, Rob Crittenden wrote: >>>>> Update pki-* n-v-r to pick up SELinux fix in >>>>> https://bugzilla.redhat.com/show_bug.cgi?id=700505. >>>>> >>>>> rob >>>> >>>> Looks good. Just one thing - the spec log confused me. Who is doing this >>>> change - you or Honza? :-) >>>> >>>> Martin >>> >>> One more thing: Why don't we fix also #1651 with this change? Highest >>> version of pki-ca on F-16 is still just pki-core-9.0.9-1.fc16. >> >> Because I haven't actually tested to see if IPA builds and works on F-16 >> yet (it was unbuildable for reasons beyond dogtag when we released 2.1). >> >> From what I understand the java packaging changed significantly in F-16 >> causing problems with dogtag. >> >> rob > > OK then. ACK if you change the name in the log before pushing. > > Martin > Fixed and pushed to master and ipa-2-1 (had to do minor rebase for master) rob From rcritten at redhat.com Mon Aug 29 21:49:39 2011 
From: rcritten at redhat.com (Rob Crittenden) Date: Mon, 29 Aug 2011 17:49:39 -0400 Subject: [Freeipa-devel] [PATCH] 861 roll back client changes on failed install Message-ID: <4E5C0973.9070704@redhat.com> There are still places where the client installation can fail that can cause /etc/sysconfig/network to be restored. I went through a number of iterations on restoring this and finally decided that we should just call uninstall() and undo everything. When we do automatic uninstallation I made it to be quiet since the user probably doesn't care what the individual steps are. We had a lot of sys.exit() interspersed in the installer that I replaced with print and return to make the code paths easier. I also replaced a bunch of magic integer values with constants. If --force is passed we leave things as they are. rob -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-rcrit-861-rollback.patch Type: text/x-patch Size: 20705 bytes Desc: not available URL: From simo at redhat.com Mon Aug 29 21:58:36 2011 
From: simo at redhat.com (Simo Sorce) Date: Mon, 29 Aug 2011 17:58:36 -0400 Subject: [Freeipa-devel] [PATCH] 0283-enable-proxy-for-dogtag In-Reply-To: <4E58564A.9050405@redhat.com> References: <4E4E9B34.10309@redhat.com> <4E4EA415.9010907@redhat.com> <4E5455EC.2020505@redhat.com> <4E56BD82.6060501@redhat.com> <4E57CDA8.6080303@redhat.com> <1314381838.20296.242.camel@willson.li.ssimo.org> <1314383672.20296.245.camel@willson.li.ssimo.org> <4E5812F3.9030001@redhat.com> <1314397806.20296.252.camel@willson.li.ssimo.org> <4E584105.8040508@redhat.com> <4E58564A.9050405@redhat.com> Message-ID: <1314655116.20296.290.camel@willson.li.ssimo.org> On Fri, 2011-08-26 at 22:28 -0400, Adam Young wrote: > On 08/26/2011 08:57 PM, Adam Young wrote: > > On 08/26/2011 06:30 PM, Simo Sorce wrote: > >> On Fri, 2011-08-26 at 17:41 -0400, Adam Young wrote: > >>> On 08/26/2011 02:34 PM, Simo Sorce wrote: > >>>> On Fri, 2011-08-26 at 14:03 -0400, Simo Sorce wrote: > >>>>> On Fri, 2011-08-26 at 12:45 -0400, Adam Young wrote: > >>>>>> On 08/25/2011 05:24 PM, Adam Young wrote: > >>>>>>> Uses the updated version of pkicreate which makes an ipa specific > >>>>>>> proxy config file. > >>>>>>> > >>>>>>> > >>>>>>> _______________________________________________ > >>>>>>> Freeipa-devel mailing list > >>>>>>> Freeipa-devel at redhat.com > >>>>>>> https://www.redhat.com/mailman/listinfo/freeipa-devel > >>>>>> The test for the proxy file in /etc/httpd/conf.d was "isfile' but > >>>>>> since the file is actually a symlink, it needs to be "islink". > >>>>>> This > >>>>>> one checks for either. > >>>>> Nack, install fails after configuring the http service. 
> >>>>> Restart bails out > >>>>> > >>>>> using export SYSTEMCTL_SKIP_REDIRECT=1 to get systemd out of the > >>>>> way (it > >>>>> was suppressing the error output) I get a permission denied error > >>>>> trying to open /etc/httpd/conf.d/proxy-ipa.conf > >>>>> That's a symlink into /etc/pki-ca/proxy-ipa.conf which is a file > >>>>> owned > >>>>> by pkiuser:pkiuser with permission 660 (therefore not readable by the > >>>>> apache user). > >>>> Ok it turns out permissions are not the real issue as the file is read > >>>> while apache is still root, it's a selinux issue. > >>>> Apache starts if I setenforce 0 > >>>> > >>>> Still a NAck of course, it needs to work with selinux in enforcing > >>>> mode > >>>> > >>>> Simo. > >>>> > >>> This version owns the proxy config file. It works with setenforce 0, > >>> but does not work with SELinux, so, preemptive-nack. But I will be gone > >>> for a week, so if someone wants to pick this up and run with it, start > >>> from here. > >> The previous patch with the corrected isfile vs islink issue works fine > >> as long as the SELinux policy is fixed to allow access > >> to /etc/pki-ca/proxy-ipa.conf > >> > >> I have tested a master and then replica install with no issues after I > >> loaded a custom SELinux policy that allows that. > >> > >> So tentative ACK to the former patch. > >> I will discuss with Ade how to resolve the SELinux issue and will push to > >> master once that is solved. > >> > >> Simo. > >> > > Previous patch is based on a change for PKI-CA that we are not going > > to push, so we can't go with that. The file > > /etc/pki-ca/proxy-ipa.conf will not be available for IPA to use. > > Whatever the issue is with this patch, it has to be fairly minor. The > > difference in approach is that this one includes the conf file and > > places it in /etc/httpd/conf.d.
The problem is possibly the fact that > > this one uses localhost instead of the FQDN, although I did test it > > both ways prior to adding it to the RPM, and it worked with localhost > > and SELinux in enforcing mode. > > > > _______________________________________________ > > Freeipa-devel mailing list > > Freeipa-devel at redhat.com > > https://www.redhat.com/mailman/listinfo/freeipa-devel > Failure seems to be from this step in the install log: > > > > After configuration, the server can be operated by the command: > > /sbin/service pki-cad restart pki-ca > > > 2011-08-26 21:51:47,114 DEBUG stderr=[error] FAILED > run_command("/sbin/service p > ki-cad restart pki-ca"), exit status=126 output="Stopping pki-ca: [ OK ] > /usr/bin/runcon: /var/lib/pki-ca/pki-ca: Permission denied" > > > And in the Audit log: > > > type=AVC msg=audit(1314409907.089:2397): avc: denied { transition } > for pid=21040 comm="runcon" path="/etc/rc.d/init.d/tomcat6" dev=dm-0 > ino=35449 scontext=system_u:system_r:kernel_t:s0 > tcontext=system_u:system_r:pki_ca_script_t:s0 tclass=process > type=AVC msg=audit(1314410048.272:2398): avc: denied { transition } > for pid=21124 comm="runcon" path="/etc/rc.d/init.d/tomcat6" dev=dm-0 > ino=35449 scontext=system_u:system_r:kernel_t:s0 > tcontext=system_u:system_r:pki_ca_script_t:s0 tclass=process I guess these AVCs were due to mislabeling of your development system. I tried multiple times w/o any issues. I added a few minor corrections. a) actually copying the file to /etc/httpd/conf.d was missing, I do that as an additional final configuration step in cainstance.py b) renamed the file to ipa-pki-proxy.conf, the original name was fine as a dogtag file, but as an ipa file it lacked context c) I added an httpd server restart in ipa-ca-install as that script does not otherwise restart apache and we need it to read the new conf file that was just dropped down. This was tested and pushed to master. Simo.
-- Simo Sorce * Red Hat, Inc * New York From jcholast at redhat.com Tue Aug 30 07:44:58 2011 From: jcholast at redhat.com (Jan Cholasta) Date: Tue, 30 Aug 2011 09:44:58 +0200 Subject: [Freeipa-devel] [PATCH] 861 roll back client changes on failed install In-Reply-To: <4E5C0973.9070704@redhat.com> References: <4E5C0973.9070704@redhat.com> Message-ID: <4E5C94FA.6000708@redhat.com> On 29.8.2011 23:49, Rob Crittenden wrote: > There are still places where the client installation can fail that can > cause /etc/sysconfig/network to be restored. I went through a number of > iterations on restoring this and finally decided that we should just > call uninstall() and undo everything. > > When we do automatic uninstallation I made it to be quiet since the user > probably doesn't care what the individual steps are. > > We had a lot of sys.exit() interspersed in the installer that I replaced > with print and return to make the code paths easier. I also replaced a > bunch of magic integer values with constants. > > If --force is passed we leave things as they are. > > rob > ipa-client/ipa-install/ipa-client-install:276: [E0602, uninstall] Undefined variable 'emit_erro' Besides that, ACK. Honza -- Jan Cholasta From pvoborni at redhat.com Tue Aug 30 08:21:02 2011 
From: pvoborni at redhat.com (Petr Vobornik) Date: Tue, 30 Aug 2011 10:21:02 +0200 Subject: [Freeipa-devel] [PATCH] 257 Fixed host adder dialog to show default DNS zone. In-Reply-To: <4E5B9D88.9080608@redhat.com> References: <4E5B9D88.9080608@redhat.com> Message-ID: <4E5C9D6E.4040709@redhat.com> On 08/29/2011 04:09 PM, Endi Sukma Dewata wrote: > The DNS zone widget for host adder dialog has been modified not to > provide an empty option, so it will show the first available zone. > > Ticket #1685 > > > > _______________________________________________ > Freeipa-devel mailing list > Freeipa-devel at redhat.com > https://www.redhat.com/mailman/listinfo/freeipa-devel ACK -- Petr Vobornik From mkosek at redhat.com Tue Aug 30 08:56:36 2011 From: mkosek at redhat.com (Martin Kosek) Date: Tue, 30 Aug 2011 10:56:36 +0200 Subject: [Freeipa-devel] [PATCH] 860 make uninstall logging more robust In-Reply-To: <4E5BAF9F.7010300@redhat.com> References: <4E5BAF9F.7010300@redhat.com> Message-ID: <1314694599.20515.2.camel@dhcp-25-52.brq.redhat.com> On Mon, 2011-08-29 at 11:26 -0400, Rob Crittenden wrote: > The uninstaller would not often report problems, many exceptions were > ignored with pass. This beefs up the debug logging a bit more and will > attempt to find anything left over that may prevent a re-install. > > This also unifies the installed-status functions. ipa-server-install > looked at the install state and ipactl looked to see if files were > tracked. Now both are considered. > > rob Generally, it looks good. I just missed "kadmin" and "named" modules in IPA_MODULES. Martin From atkac at redhat.com Tue Aug 30 10:40:03 2011 
From: atkac at redhat.com (Adam Tkac) Date: Tue, 30 Aug 2011 12:40:03 +0200 Subject: [Freeipa-devel] [PATCH] 111 Let Bind track data changes In-Reply-To: <1313418962.11512.140.camel@willson.li.ssimo.org> References: <1313410813.2633.28.camel@dhcp-25-52.brq.redhat.com> <1313418962.11512.140.camel@willson.li.ssimo.org> Message-ID: <4E5CBE03.4060707@redhat.com> On 08/15/2011 04:36 PM, Simo Sorce wrote: > On Mon, 2011-08-15 at 14:20 +0200, Martin Kosek wrote: >> A new version of bind-dyndb-ldap has been released. Thanks to the new >> persistent search feature, the name server can immediately pull new DNS >> zones when they are created in IPA. >> >> Since the bind-dyndb-ldap plugin has not been released in F-15 yet, one >> has to use the provided src.rpm: >> >> http://mkosek.fedorapeople.org/bind-dyndb-ldap/srpm/bind-dyndb-ldap-0.2.0-5.fc17.src.rpm >> >> or rpms I built for x86_64 F-15: >> >> http://mkosek.fedorapeople.org/bind-dyndb-ldap/x86_64/ >> >> There is one setback though. When I investigated DNS persistent search >> behavior I still miss the ability to detect changes to the DNS zone >> itself. Adding a record (for example MX record) to the zone does not >> trigger an update of the zone in nameserver cache. We still have to wait >> for cache timeout (argument "cache_ttl"). We cannot therefore use this >> feature as a solution of: >> >> https://fedorahosted.org/freeipa/ticket/1114 >> https://fedorahosted.org/freeipa/ticket/1125 >> https://fedorahosted.org/freeipa/ticket/1126 > Is this a bug/deficiency of the plugin ? Or is it something that depends > on named internals somehow ? > > Simo. > Sorry for late response, I'm finally back from vacation. There are two separate issues. The first one is that the plugin didn't purge outdated (i.e. persistent-search modified) zone data from cache. Patch for this issue is attached. The second issue is that the plugin doesn't recognize newly added records which have same FQDN as zone, which are KX/MX/LOC records for example. 
I haven't found why this happens, yet. Regards, Adam -------------- next part -------------- An embedded and charset-unspecified text was scrubbed... Name: 0001-Expire-SOA-record-in-cache-when-we-modify-the-zone.patch URL: From pvoborni at redhat.com Tue Aug 30 12:36:57 2011 From: pvoborni at redhat.com (Petr Vobornik) Date: Tue, 30 Aug 2011 14:36:57 +0200 Subject: [Freeipa-devel] [PATCH] 010 Enable update and reset buttons only if dirty Message-ID: <4E5CD969.8010203@redhat.com> https://fedorahosted.org/freeipa/ticket/1697 Original problem: Update name of the automount location (Policy -> Automount -> custom_location -> Settings -> Update) in the WEBUI refer to an unknown command. Solution: Tracking dirty state in field -> section -> details facet. 'Reset' and 'Updates' buttons in details facet are enabled only if facet is dirty. Removes the problem above and 'no modification to be performed' annoyance. -- Petr Vobornik -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pvoborni-0010-Enable-update-and-reset-button-only-if-dirty.patch Type: text/x-patch Size: 8600 bytes Desc: not available URL: From rcritten at redhat.com Tue Aug 30 14:06:58 2011 
From: rcritten at redhat.com (Rob Crittenden) Date: Tue, 30 Aug 2011 10:06:58 -0400 Subject: [Freeipa-devel] [PATCH] 860 make uninstall logging more robust In-Reply-To: <1314694599.20515.2.camel@dhcp-25-52.brq.redhat.com> References: <4E5BAF9F.7010300@redhat.com> <1314694599.20515.2.camel@dhcp-25-52.brq.redhat.com> Message-ID: <4E5CEE82.7010107@redhat.com> Martin Kosek wrote: > On Mon, 2011-08-29 at 11:26 -0400, Rob Crittenden wrote: >> The uninstaller would not often report problems, many exceptions were >> ignored with pass. This beefs up the debug logging a bit more and will >> attempt to find anything left over that may prevent a re-install. >> >> This also unifies the installed-status functions. ipa-server-install >> looked at the install state and ipactl looked to see if files were >> tracked. Now both are considered. >> >> rob > > Generally, it looks good. I just missed "kadmin" and "named" modules in > IPA_MODULES. > > Martin > As Martin points out, I needed to add named to both the master and ipa-2-1 branches. We dropped ipa_kpasswd in master, replacing it with kadmin. I fixed up both of these and pushed to master and ipa-2-1. rob From rcritten at redhat.com Tue Aug 30 14:14:48 2011 
From: rcritten at redhat.com (Rob Crittenden) Date: Tue, 30 Aug 2011 10:14:48 -0400 Subject: [Freeipa-devel] [PATCH] 0283-enable-proxy-for-dogtag In-Reply-To: <1314655116.20296.290.camel@willson.li.ssimo.org> References: <4E4E9B34.10309@redhat.com> <4E4EA415.9010907@redhat.com> <4E5455EC.2020505@redhat.com> <4E56BD82.6060501@redhat.com> <4E57CDA8.6080303@redhat.com> <1314381838.20296.242.camel@willson.li.ssimo.org> <1314383672.20296.245.camel@willson.li.ssimo.org> <4E5812F3.9030001@redhat.com> <1314397806.20296.252.camel@willson.li.ssimo.org> <4E584105.8040508@redhat.com> <4E58564A.9050405@redhat.com> <1314655116.20296.290.camel@willson.li.ssimo.org> Message-ID: <4E5CF058.2080802@redhat.com> Simo Sorce wrote: > On Fri, 2011-08-26 at 22:28 -0400, Adam Young wrote: >> On 08/26/2011 08:57 PM, Adam Young wrote: >>> On 08/26/2011 06:30 PM, Simo Sorce wrote: >>>> On Fri, 2011-08-26 at 17:41 -0400, Adam Young wrote: >>>>> On 08/26/2011 02:34 PM, Simo Sorce wrote: >>>>>> On Fri, 2011-08-26 at 14:03 -0400, Simo Sorce wrote: >>>>>>> On Fri, 2011-08-26 at 12:45 -0400, Adam Young wrote: >>>>>>>> On 08/25/2011 05:24 PM, Adam Young wrote: >>>>>>>>> Uses the updated version of pkicreate which makes an ipa specific >>>>>>>>> proxy config file. >>>>>>>>> >>>>>>>>> >>>>>>>>> _______________________________________________ >>>>>>>>> Freeipa-devel mailing list >>>>>>>>> Freeipa-devel at redhat.com >>>>>>>>> https://www.redhat.com/mailman/listinfo/freeipa-devel >>>>>>>> The test for the proxy file in /etc/httpd/conf.d was "isfile' but >>>>>>>> since the file is actually a symlink, it needs to be "islink". >>>>>>>> This >>>>>>>> one checks for either. >>>>>>> Nack, install fails after configuring the http service. 
>>>>>>> Restart bails out >>>>>>> >>>>>>> using export SYSTEMCTL_SKIP_REDIRECT=1 to get systemd out of the >>>>>>> way (it >>>>>>> was suppressing the error output) I get a permission denied error >>>>>>> trying to open /etc/httpd/conf.d/proxy-ipa.conf >>>>>>> That's a symlink into /etc/pki-ca/proxy-ipa.conf which is a file >>>>>>> owned >>>>>>> by pkiuser:pkiuser with permission 660 (therefore not readable by the >>>>>>> apache user). >>>>>> Ok it turns out permissions are not the real issue as the file is read >>>>>> while apache is still root, it's a selinux issue. >>>>>> Apache starts if I setenforce 0 >>>>>> >>>>>> Still a NAck of course, it needs to work with selinux in enforcing >>>>>> mode >>>>>> >>>>>> Simo. >>>>>> >>>>> This version owns the proxy config file. It works with setenforce 0, >>>>> but does not work with SELinux, so, preemptive-nack. But I will be gone >>>>> for a week, so if someone wants to pick this up and run with it, start >>>>> from here. >>>> The previous patch with the corrected isfile vs islink issue works fine >>>> as long as the SELinux policy is fixed to allow access >>>> to /etc/pki-ca/proxy-ipa.conf >>>> >>>> I have tested a master and then replica install with no issues after I >>>> loaded a custom SELinux policy that allows that. >>>> >>>> So tentative ACK to the former patch. >>>> I will discuss with Ade how to resolve the SELinux issue and will push to >>>> master once that is solved. >>>> >>>> Simo. >>>> >>> Previous patch is based on a change for PKI-CA that we are not going >>> to push, so we can't go with that. The file >>> /etc/pki-ca/proxy-ipa.conf will not be available for IPA to use. >>> Whatever the issue is with this patch it has to be fairly minor. The >>> difference in approach is that this one includes the conf file and >>> places it in /etc/httpd/conf.d. 
The problem is possibly the fact that >>> this one uses localhost instead of the FQDN, although I did test it >>> both ways prior to adding it to the RPM, and it worked with localhost >>> and SELinux in enforcing mode. >>> >>> _______________________________________________ >>> Freeipa-devel mailing list >>> Freeipa-devel at redhat.com >>> https://www.redhat.com/mailman/listinfo/freeipa-devel >> Failure seems to be from this step in the install log: >> >> >> >> After configuration, the server can be operated by the command: >> >> /sbin/service pki-cad restart pki-ca >> >> >> 2011-08-26 21:51:47,114 DEBUG stderr=[error] FAILED >> run_command("/sbin/service p >> ki-cad restart pki-ca"), exit status=126 output="Stopping pki-ca: [ OK ] >> /usr/bin/runcon: /var/lib/pki-ca/pki-ca: Permission denied" >> >> >> And in the Audit log: >> >> >> type=AVC msg=audit(1314409907.089:2397): avc: denied { transition } >> for pid=21040 comm="runcon" path="/etc/rc.d/init.d/tomcat6" dev=dm-0 >> ino=35449 scontext=system_u:system_r:kernel_t:s0 >> tcontext=system_u:system_r:pki_ca_script_t:s0 tclass=process >> type=AVC msg=audit(1314410048.272:2398): avc: denied { transition } >> for pid=21124 comm="runcon" path="/etc/rc.d/init.d/tomcat6" dev=dm-0 >> ino=35449 scontext=system_u:system_r:kernel_t:s0 >> tcontext=system_u:system_r:pki_ca_script_t:s0 tclass=process > > > I guess these AVCs were due to mislabeling of your development system. > I tried multiple times w/o any issues. > > I added a few minor corrections. > > a) actually copying the file to /etc/httpd/conf.d was missing, I do that > as an additional final configuration step in cainstance.py > b) renamed the file to ipa-pki-proxy.conf, the original name was fine as > a dogtag file, but as an ipa file it lacked context > c) I added an httpd server restart in ipa-ca-install as that script does > not otherwise restart apache and we need it to read the new conf file > that was just dropped down. > > This was tested and pushed to master. 
> > Simo. > I pushed it to ipa-2-1. From rcritten at redhat.com Tue Aug 30 14:23:43 2011 From: rcritten at redhat.com (Rob Crittenden) Date: Tue, 30 Aug 2011 10:23:43 -0400 Subject: [Freeipa-devel] [PATCH] 845 add external source hosts to HBAC In-Reply-To: <1314625969.3219.25.camel@dhcp-25-52.brq.redhat.com> References: <4E4BE4A1.4070504@redhat.com> <1314625969.3219.25.camel@dhcp-25-52.brq.redhat.com> Message-ID: <4E5CF26F.1040504@redhat.com> Martin Kosek wrote: > On Wed, 2011-08-17 at 11:56 -0400, Rob Crittenden wrote: >> You should be able to specify hosts that aren't in IPA in HBAC source >> host rules. This adds support for it. >> >> ticket https://fedorahosted.org/freeipa/ticket/1574 >> >> rob > > ACK. Works fine. > > Although, I am thinking that we now have the same algorithm (add > user/host as external when not found in LDAP) for both hbac and > sudorule. We may think about consolidating it so that we don't have > duplicates. > > Martin > I filed https://fedorahosted.org/freeipa/ticket/1734 for the code consolidation. pushed to master and ipa-2-1 From rcritten at redhat.com Tue Aug 30 14:27:34 2011 
From: rcritten at redhat.com (Rob Crittenden) Date: Tue, 30 Aug 2011 10:27:34 -0400 Subject: [Freeipa-devel] [PATCH] 861 roll back client changes on failed install In-Reply-To: <4E5C94FA.6000708@redhat.com> References: <4E5C0973.9070704@redhat.com> <4E5C94FA.6000708@redhat.com> Message-ID: <4E5CF356.1020905@redhat.com> Jan Cholasta wrote: > On 29.8.2011 23:49, Rob Crittenden wrote: >> There are still places where the client installation can fail that can >> cause /etc/sysconfig/network to be restored. I went through a number of >> iterations on restoring this and finally decided that we should just >> call uninstall() and undo everything. >> >> When we do automatic uninstallation I made it to be quiet since the user >> probably doesn't care what the individual steps are. >> >> We had a lot of sys.exit() interspersed in the installer that I replaced >> with print and return to make the code paths easier. I also replaced a >> bunch of magic integer values with constants. >> >> If --force is passed we leave things as they are. >> >> rob >> > > ipa-client/ipa-install/ipa-client-install:276: [E0602, uninstall] > Undefined variable 'emit_erro' > > Besides that, ACK. > > Honza > Fixed and pushed to master and ipa-2-1 From sbose at redhat.com Tue Aug 30 14:40:28 2011 
From: sbose at redhat.com (Sumit Bose) Date: Tue, 30 Aug 2011 16:40:28 +0200 Subject: [Freeipa-devel] [PATCH] 1 Add ipa-adtrust-install utility In-Reply-To: <1314364467.20296.226.camel@willson.li.ssimo.org> References: <20110826093926.GF2374@localhost.localdomain> <1314364467.20296.226.camel@willson.li.ssimo.org> Message-ID: <20110830144028.GE12659@localhost.localdomain> On Fri, Aug 26, 2011 at 09:14:27AM -0400, Simo Sorce wrote: > More comments. > > On Fri, 2011-08-26 at 11:39 +0200, Sumit Bose wrote: > > [..] > > > + if not options.unattended: > > + print "" > > + print "The following operations may take some minutes to > > complete." > > + print "Please wait until the prompt is returned." > > + print "" > > + > > + # Create a BIND instance > > comment seem to be wrong here :) fixed > > > + if options.unattended and not options.dm_password: > > + sys.exit("\nIn unattended mode you need to provide at least > > the -p option") > > + > > + dm_password = options.dm_password or read_password("Directory > > Manager", > > + confirm=False, > > validate=False) > > + smb = smbinstance.SMBInstance(fstore, dm_password) > > [..] > > > diff --git a/ipaserver/install/service.py > > b/ipaserver/install/service.py > > index > > a7f6ff4eea1b67f714e18f882a082d4ad7d83026..7e0d2bd314f00ccf0b0ee37a9d572bdd5ee89414 100644 > > --- a/ipaserver/install/service.py > > +++ b/ipaserver/install/service.py > > @@ -37,7 +37,8 @@ SERVICE_LIST = { > > 'KPASSWD':('kadmin', 20), > > 'DNS':('named', 30), > > 'HTTP':('httpd', 40), > > - 'CA':('pki-cad', 50) > > + 'CA':('pki-cad', 50), > > + 'SMB':('smb', 60) > > Please do not use SMB (in general I do not think SMB is the right > prefix). Use something like ADTRUST or MSRPC or WINCOMPAT. > changed to ADTRUST > > } > > > > def stop(service_name, instance_name="", capture_output=True): 
> > diff --git a/ipaserver/install/smbinstance.py > > b/ipaserver/install/smbinstance.py > > new file mode 100644 > > index > > 0000000000000000000000000000000000000000..5988f1e056d29af6686d53237b82d460cdc719da > > --- /dev/null > > +++ b/ipaserver/install/smbinstance.py 
> > @@ -0,0 +1,261 @@ > > +# Authors: Sumit Bose > > +# > > +# Copyright (C) 2011 Red Hat > > +# see file 'COPYING' for use and warranty information > > +# > > +# This program is free software; you can redistribute it and/or > > modify > > +# it under the terms of the GNU General Public License as published > > by > > +# the Free Software Foundation, either version 3 of the License, or > > +# (at your option) any later version. > > +# > > +# This program is distributed in the hope that it will be useful, > > +# but WITHOUT ANY WARRANTY; without even the implied warranty of > > +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the > > +# GNU General Public License for more details. > > +# > > +# You should have received a copy of the GNU General Public License > > +# along with this program. If not, see > > . > > +# > > + > > +import logging > > + > > +import os > > +import ldap > > +import service > > +import tempfile > > +from ipaserver import ipaldap > > +from ipalib import errors > > +from ipapython import sysrestore > > +from ipapython import ipautil > > + > > +import random > > +import string > > +import struct > > + > > +def check_inst(unattended): > > + has_smb = True > > + > > + if not os.path.exists('/usr/sbin/smbd'): > > + print "Samba was not found on this system" > > + print "Please install the 'samba' package and start the > > installation again" > > + has_smb = False > > + > > + #TODO: Add check for needed samba4 libraries > > + > > + return has_smb > > + > > +def ipa_smb_conf_exists(): > > + if os.path.exists('/etc/ipa/smb.conf'): > > + print "Samba is already configured for this IPA server." 
> > + return True > > + > > + return False > > + > > +def random_password(length=16): > > + myrg = random.SystemRandom() > > + alphabet = string.letters[0:52] + string.digits + > > string.punctuation > > + pw = str().join(myrg.choice(alphabet) for _ in range(length)) > > + return pw > > We have a utility function to generate a proper random password IIRC. fixed > > > +class SMBInstance(service.Service): > > + def __init__(self, fstore=None, dm_password=None): > > + service.Service.__init__(self, "smb", > > dm_password=dm_password) > > + > > + if fstore: > > + self.fstore = fstore > > + else: > > + self.fstore = > > sysrestore.FileStore('/var/lib/ipa/sysrestore') > > + > > + def __create_samba_user(self): > > + print "The user for Samba is %s" % self.smb_dn > > + try: > > + self.admin_conn.getEntry(self.smb_dn, ldap.SCOPE_BASE) > > + print "Samba user entry exists, not resetting password" > > + return > > + except errors.NotFound: > > + pass > > + > > + # The user doesn't exist, add it > > + entry = ipaldap.Entry(self.smb_dn) > > + entry.setValues("objectclass", ["account", > > "simplesecurityobject"]) > > + entry.setValues("uid", "samba") > > + entry.setValues("userPassword", self.smb_dn_pwd) > > + self.admin_conn.add_s(entry) > > + > > + # And finally grant it permission to read NT passwords, we do > > not want > > + # to support LM passwords so there is no need to allow access > > to them > > + mod = [(ldap.MOD_ADD, 'aci', > > + str(['(targetattr = "sambaNTPassword")(version 3.0; acl > > "Samba user can read NT passwords"; allow (read) userdn="ldap:///% > > s";)' % self.smb_dn]))] > > + try: > > + self.admin_conn.modify_s(self.suffix, mod) > > + except ldap.TYPE_OR_VALUE_EXISTS: > > + logging.debug("samba user aci already exists in suffix %s > > on %s" % (self.suffix, self.admin_conn.host)) > > + > > + def __gen_sid_string(self): > > + sub_ids = struct.unpack(" > + return "S-1-5-21-%d-%d-%d" % (sub_ids[0], sub_ids[1], > > sub_ids[2]) > > + > > + def 
__create_samba_domain_object(self): > > + trust_dn = "cn=trusts,%s" % self.suffix > > + smb_dom_dn = "cn=ad,%s" % trust_dn > > + > > + try: > > + self.admin_conn.getEntry(smb_dom_dn, ldap.SCOPE_BASE) > > + print "Samba domain object already exists" > > + return > > + except errors.NotFound: > > + pass > > + > > + try: > > + self.admin_conn.getEntry(trust_dn, ldap.SCOPE_BASE) > > + except errors.NotFound: > > + entry = ipaldap.Entry(trust_dn) > > + entry.setValues("objectclass", ["nsContainer"]) > > + entry.setValues("cn", "trusts") > > + self.admin_conn.add_s(entry) > > + > > + entry = ipaldap.Entry(smb_dom_dn) > > + entry.setValues("objectclass", ["sambaDomain", > > "nsContainer"]) > > + entry.setValues("cn", "ad") > > + entry.setValues("sambaDomainName", self.domain_name) > > The sambaDomainName is generally a netbios name (or short name), it > appears you are setting the DNS domain name here. > Should we prompt the user for a short domain name to be used instead ? > Or maybe default to the first DNS domain component and allow the user to > override ? I added a --netbios-name option, for unattended installations a sanitized version of the first DNS domain component is taken. Currently I only allow upper case letters and numbers. This might be a bit too strict, but I haven't found a good list of safe characters for NetBIOS names. Please tell me if I should add more characters. > > > + entry.setValues("sambaSID", self.__gen_sid_string()) > > + #TODO: which MAY attributes do we want to set ? 
> > + self.admin_conn.add_s(entry) > > + > > + def __write_sysconfig_samba(self): > > + self.fstore.backup_file(self.sysconfig_file) > > + > > + fd = open(self.sysconfig_file, "w") > > + fd.write('### Added by IPA Installer ###\n') > > + fd.write('# Options to smbd\n') > > + fd.write('SMBDOPTIONS="-D -s /etc/ipa/smb.conf"\n') > > + fd.write('# Options to nmbd\n') > > + fd.write('NMBDOPTIONS="-D"\n') > > + fd.write('# Options for winbindd\n') > > + fd.write('WINBINDOPTIONS=""\n') > > + fd.close() > > If we are running nmbd and/or winbindd we need to pass them the proper > smb.conf file too. > > > > + def __write_smb_conf(self): > > + fd = open(self.smb_conf, "w") > > + fd.write('### Added by IPA Installer ###\n') > > + fd.write('[global]\n') > > + fd.write('config backend = registry\n') > > + fd.close() > > + > > + > > + def __write_smb_registry(self): > > + [fd, tmp_name] = tempfile.mkstemp() > > + > > + os.write(fd, '[global]\n') > > + os.write(fd, 'workgroup = %s\n' % self.domain_name) > > This again should be the netbios domain name, not the fqdn. > The workgroup name can't be longer than 15 chars IIRC. fixed > > > + os.write(fd, 'realm = %s\n' % self.realm_name) > > + os.write(fd, 'security = ads\n') > > Why ADS ? This should probably be security = user fixed > > > + os.write(fd, 'domain master = yes\n') > > + os.write(fd, 'domain logons = yes\n') > > + os.write(fd, 'passdb backend = IPA_ldapsam:ldap://%s\n' % > > self.fqdn) > > We should use ldapi here, not ldap:// fixed > > > + os.write(fd, 'ldapsam:trusted=yes\n') > > + os.write(fd, 'ldapsam:editposix=yes\n') > > We do not allow to create users so editposix should not be necessary. fixed > > > + os.write(fd, 'ldap ssl = startTLS\n') > > We shouldn't need SSL if we use ldapi above. 
fixed > > > + os.write(fd, 'ldap admin dn = %s\n' % self.smb_dn) > > + os.write(fd, 'ldap suffix = cn=accounts,dc=ipa,dc=test\n') > > + os.write(fd, 'ldap user suffix = cn=users\n') > > + os.write(fd, 'ldap group suffix = cn=groups\n') > > + os.write(fd, 'ldap machine suffix = cn=computers\n') > > + os.write(fd, 'ldap idmap suffix = cn=idmap\n') > > We probably won't use this. fixed > > > + os.write(fd, 'rpc_server:epmapper = external\n') > > + os.write(fd, 'rpc_server:lsarpc = external\n') > > We may need also the alias 'lsass' pipe name configured here. fixed > > > + os.write(fd, 'rpc_server:samr = external\n') > > + os.write(fd, 'rpc_server:netlogon = external\n') > > + os.write(fd, 'rpc_daemon:epmd = fork\n') > > + os.write(fd, 'rpc_daemon:lsasd = fork\n') > > + os.close(fd) > > We may also want to set some defaults for logging > (log level, max size of logs before rotating, log name format ?) > fixed > > + args = ["/usr/bin/net", "conf", "import", tmp_name] > > + > > + try: > > + ipautil.run(args) > > + finally: > > + os.remove(tmp_name) > > + > > + def __set_smb_ldap_password(self): > > + args = ["/usr/bin/smbpasswd", "-c", self.smb_conf, "-w", > > self.smb_dn_pwd ] > > We should either pass this password in via stdin (using -W) or you > should at least pass ipautil.run below the password to be blacked out of > install logs. fixed > > > + ipautil.run(args) > > + > > [..] > > Do we want to run winbindd at all on ipa servers ? > Should we join it to ourselves ? (Would require creation of a computer > account). I don't think that we should run winbind. I also changed the path to the smb.conf file from /etc/ipa to /etc/samba which makes the change to /etc/sysconfig/samba unnecessary. Thanks for review. bye, Sumit > > Simo. 
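Review bot: in the quoted smbinstance.py hunk, __create_samba_user builds the ACI modification as str([ '(targetattr = "sambaNTPassword")...' % self.smb_dn ]), so str() is applied to the one-element list and the value handed to modify_s is the Python repr of that list, square brackets and quotes included, which 389-ds will not accept as an ACI; the list should wrap the string instead, i.e. [str('(targetattr = "sambaNTPassword")(version 3.0; acl "Samba user can read NT passwords"; allow (read) userdn="ldap:///%s";)' % self.smb_dn)]. Since that ACI hands out read access to sambaNTPassword over the whole suffix, and the NT hash is password-equivalent material, the samba bind account it grants to needs the same handling as the other privileged credentials in the installer (the command-line smbpasswd -w already flagged above). In the same hunk, __write_smb_registry writes 'ldap suffix = cn=accounts,dc=ipa,dc=test', a hard-coded test suffix; build it from self.suffix like the other DNs in the class.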
> > -- > Simo Sorce * Red Hat, Inc * New York > > _______________________________________________ > Freeipa-devel mailing list > Freeipa-devel at redhat.com > https://www.redhat.com/mailman/listinfo/freeipa-devel -------------- next part -------------- From 7929cb97ad2f7df9506ee97dbfd1213f4273c66c Mon Sep 17 00:00:00 2001 From: sbose Date: Wed, 24 Aug 2011 11:18:56 +0200 Subject: [PATCH] Add ipa-adtrust-install utility https://fedorahosted.org/freeipa/ticket/1619 --- freeipa.spec.in | 2 + install/po/Makefile.in | 1 + install/tools/Makefile.am | 1 + install/tools/ipa-adtrust-install | 213 ++++++++++++++++++ install/tools/man/Makefile.am | 1 + install/tools/man/ipa-adtrust-install.1 | 44 ++++ ipaserver/install/Makefile.am | 1 + ipaserver/install/service.py | 3 +- ipaserver/install/smbinstance.py | 259 ++++++++++++++++++++++ tests/test_ipaserver/install/test_smbinstance.py | 59 +++++ 10 files changed, 583 insertions(+), 1 deletions(-) create mode 100755 install/tools/ipa-adtrust-install create mode 100644 install/tools/man/ipa-adtrust-install.1 create mode 100644 ipaserver/install/smbinstance.py create mode 100755 tests/test_ipaserver/install/test_smbinstance.py diff --git a/freeipa.spec.in b/freeipa.spec.in index 1bf52b952177598bd24afc0560802f1883fa5a60..a67e9329f8230c05b0e9feeb321fb07e4f41a350 100644 --- a/freeipa.spec.in +++ b/freeipa.spec.in @@ -370,6 +370,7 @@ fi %doc COPYING README Contributors.txt %{_sbindir}/ipa-ca-install %{_sbindir}/ipa-dns-install +%{_sbindir}/ipa-adtrust-install %{_sbindir}/ipa-server-install %{_sbindir}/ipa-replica-conncheck %{_sbindir}/ipa-replica-install @@ -448,6 +449,7 @@ fi %{_mandir}/man1/ipa-server-certinstall.1.gz %{_mandir}/man1/ipa-server-install.1.gz %{_mandir}/man1/ipa-dns-install.1.gz +%{_mandir}/man1/ipa-adtrust-install.1.gz %{_mandir}/man1/ipa-ca-install.1.gz %{_mandir}/man1/ipa-compat-manage.1.gz %{_mandir}/man1/ipa-nis-manage.1.gz 
diff --git a/install/po/Makefile.in b/install/po/Makefile.in index a5468752723636b005c1d0876f10326e5c970814..d20a5d9628cb119f7704fcdb2917f1c897194147 100644 --- a/install/po/Makefile.in +++ b/install/po/Makefile.in @@ -54,6 +54,7 @@ PY_EXPLICIT_FILES = \ install/tools/ipa-server-install \ install/tools/ipa-ldap-updater \ install/tools/ipa-dns-install \ + install/tools/ipa-adtrust-install \ install/tools/ipa-ca-install \ ipa-client/ipa-install/ipa-client-install diff --git a/install/tools/Makefile.am b/install/tools/Makefile.am index fc615ec04f324c2d9c98dc8cf674938e1064bec6..96da7531764598878f94b6abd54c27a74671c028 100644 --- a/install/tools/Makefile.am +++ b/install/tools/Makefile.am @@ -8,6 +8,7 @@ sbin_SCRIPTS = \ ipa-ca-install \ ipa-dns-install \ ipa-server-install \ + ipa-adtrust-install \ ipa-replica-conncheck \ ipa-replica-install \ ipa-replica-prepare \ diff --git a/install/tools/ipa-adtrust-install b/install/tools/ipa-adtrust-install new file mode 100755 index 0000000000000000000000000000000000000000..883f9d608f6f4f62788009842b1fbd8f8cbe72d4 --- /dev/null +++ b/install/tools/ipa-adtrust-install 
@@ -0,0 +1,213 @@ +#! /usr/bin/python +# +# Authors: Sumit Bose +# Based on ipa-server-install by Karl MacMillan +# and ipa-dns-install by Martin Nagy +# +# Copyright (C) 2011 Red Hat +# see file 'COPYING' for use and warranty information +# +# This program is free software; you can redistribute it and/or modify +# it under the terms of the GNU General Public License as published by +# the Free Software Foundation, either version 3 of the License, or +# (at your option) any later version. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with this program. If not, see . +# + +import traceback + +from ipaserver.plugins.ldap2 import ldap2 +from ipaserver.install import smbinstance +from ipaserver.install.installutils import * +from ipaserver.install import installutils +from ipapython import version +from ipapython import ipautil, sysrestore +from ipalib import api, errors, util +from ipapython.config import IPAOptionParser +import krbV +import ldap + +def parse_options(): + parser = IPAOptionParser(version=version.VERSION) + parser.add_option("-p", "--ds-password", dest="dm_password", + sensitive=True, help="directory manager password") + parser.add_option("-d", "--debug", dest="debug", action="store_true", + default=False, help="print debugging information") + parser.add_option("--ip-address", dest="ip_address", + type="ip", ip_local=True, help="Master Server IP Address") + parser.add_option("--netbios-name", dest="netbios_name", + help="NetBIOS name of the IPA domain") + parser.add_option("-U", "--unattended", dest="unattended", action="store_true", + default=False, help="unattended installation never prompts the user") + + options, args = parser.parse_args() + safe_options = 
parser.get_safe_opts(options) + + return safe_options, options + +def main(): + safe_options, options = parse_options() + + if os.getegid() != 0: + sys.exit("Must be root to setup AD trusts on server") + + installutils.check_server_configuration() + + standard_logging_setup("/var/log/ipaserver-install.log", options.debug, filemode='a') + print "\nThe log file for this installation can be found in /var/log/ipaserver-install.log" + + logging.debug('%s was invoked with options: %s' % (sys.argv[0], safe_options)) + logging.debug("missing options might be asked for interactively later\n") + + global fstore + fstore = sysrestore.FileStore('/var/lib/ipa/sysrestore') + + print "==============================================================================" + print "This program will setup components needed to establish trust to AD domains for" + print "the FreeIPA Server." + print "" + print "This includes:" + print " * Configure Samba" + print " * Add trust related objects to FreeIPA LDAP server" + #TODO: + #print " * Add a SID to all users and Posix groups" + print "" + print "To accept the default shown in brackets, press the Enter key." 
+ print "" + + # Check if samba packages are installed + if not smbinstance.check_inst(options.unattended): + sys.exit("Aborting installation.") + + # Initialize the ipalib api + cfg = dict( + in_server=True, + debug=options.debug, + ) + api.bootstrap(**cfg) + api.finalize() + + if smbinstance.ipa_smb_conf_exists(): + sys.exit("Aborting installation.") + + # Check we have a public IP that is associated with the hostname + try: + if options.ip_address: + ip = ipautil.CheckedIPAddress(options.ip_address, match_local=True) + else: + hostaddr = resolve_host(api.env.host) + ip = hostaddr and ipautil.CheckedIPAddress(hostaddr, match_local=True) + except Exception, e: + print "Error: Invalid IP Address %s: %s" % (ip, e) + ip = None + + if not ip: + if options.unattended: + sys.exit("Unable to resolve IP address for host name") + else: + read_ip = read_ip_address(api.env.host, fstore) + try: + ip = ipautil.CheckedIPAddress(read_ip, match_local=True) + except Exception, e: + print "Error: Invalid IP Address %s: %s" % (ip, e) + sys.exit("Aborting installation.") + + ip_address = str(ip) + logging.debug("will use ip_address: %s\n", ip_address) + + if not options.unattended: + print "" + print "The following operations may take some minutes to complete." + print "Please wait until the prompt is returned." + print "" + + # Create a Samba instance + if options.unattended and not options.dm_password: + sys.exit("\nIn unattended mode you need to provide at least the -p option") + + netbios_name = options.netbios_name + if options.unattended and not netbios_name: + netbios_name = smbinstance.make_netbios_name(api.env.domain) + + if not smbinstance.check_netbios_name(netbios_name): + print "Illegal NetBIOS name [%s].\n" % netbios_name + print "Up to 15 characters and only uppercase ASCII letter and digits are allowed." 
+ sys.exit("Aborting installation.") + + dm_password = options.dm_password or read_password("Directory Manager", + confirm=False, validate=False) + smb = smbinstance.SMBInstance(fstore, dm_password) + + # try the connection + try: + smb.ldap_connect() + smb.ldap_disconnect() + except ldap.INVALID_CREDENTIALS, e: + sys.exit("Password is not valid!") + + if smb.dm_password: + api.Backend.ldap2.connect(bind_dn="cn=Directory Manager", bind_pw=smb.dm_password) + else: + # See if our LDAP server is up and we can talk to it over GSSAPI + ccache = krbV.default_context().default_ccache().name + api.Backend.ldap2.connect(ccache) + + smb.setup(api.env.host, ip_address, api.env.realm, api.env.domain, + netbios_name) + smb.create_instance() + + print "==============================================================================" + print "Setup complete" + print "" + print "\tYou must make sure these network ports are open:" + print "\t\tTCP Ports:" + print "\t\t * 138: netbios-dgm" + print "\t\t * 139: netbios-ssn" + print "\t\t * 445: microsoft-ds" + print "\t\tUDP Ports:" + print "\t\t * 138: netbios-dgm" + print "\t\t * 139: netbios-ssn" + print "\t\t * 445: microsoft-ds" + print "" + print "\tAdditionally you have to make sure the FreeIPA LDAP server cannot reached" + print "\tby any domain controller in the Active Directory domain by closing the" + print "\tfollowing ports for these servers:" + print "\t\tTCP Ports:" + print "\t\t * 389, 636: LDAP/LDAPS" + print "\t\tUDP Ports:" + print "\t\t * 389: (C)LDAP" + print "\tYou may want to choose to REJECT the network packets instead of DROPing them" + print "\tto avoid timeouts on the AD domain controllers." + + return 0 + +try: + sys.exit(main()) +except SystemExit, e: + sys.exit(e) +except KeyboardInterrupt: + print "Installation cancelled." 
+except RuntimeError, e: + print str(e) +except HostnameLocalhost: + print "The hostname resolves to the localhost address (127.0.0.1/::1)" + print "Please change your /etc/hosts file so that the hostname" + print "resolves to the ip address of your network interface." + print "The KDC service does not listen on localhost" + print "" + print "Please fix your /etc/hosts file and restart the setup program" +except Exception, e: + message = "Unexpected error - see ipaserver-install.log for details:\n %s" % str(e) + print message + message = str(e) + for str in traceback.format_tb(sys.exc_info()[2]): + message = message + "\n" + str + logging.debug(message) + sys.exit(1) diff --git a/install/tools/man/Makefile.am b/install/tools/man/Makefile.am index 71d9b29c87d2b24c51d3048dc1050e099a89835d..d5b5976b0fd8c8e6683d09e7ade575fda2527832 100644 --- a/install/tools/man/Makefile.am +++ b/install/tools/man/Makefile.am @@ -13,6 +13,7 @@ man1_MANS = \ ipa-server-certinstall.1 \ ipa-server-install.1 \ ipa-dns-install.1 \ + ipa-adtrust-install.1 \ ipa-ca-install.1 \ ipa-ldap-updater.1 \ ipa-compat-manage.1 \ diff --git a/install/tools/man/ipa-adtrust-install.1 b/install/tools/man/ipa-adtrust-install.1 new file mode 100644 index 0000000000000000000000000000000000000000..9e976d83bcd16abfca4e8eedfccf23a908c43400 --- /dev/null +++ b/install/tools/man/ipa-adtrust-install.1 
@@ -0,0 +1,44 @@ +.\" A man page for ipa-adtrust-install +.\" Copyright (C) 2011 Red Hat, Inc. +.\" +.\" This program is free software; you can redistribute it and/or modify +.\" it under the terms of the GNU General Public License as published by +.\" the Free Software Foundation, either version 3 of the License, or +.\" (at your option) any later version. +.\" +.\" This program is distributed in the hope that it will be useful, but +.\" WITHOUT ANY WARRANTY; without even the implied warranty of +.\" MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU +.\" General Public License for more details. +.\" +.\" You should have received a copy of the GNU General Public License +.\" along with this program. If not, see . +.\" +.\" Author: Sumit Bose +.\" +.TH "ipa-adtrust-install" "1" "Aug 23, 2011" "freeipa" "" +.SH "NAME" +ipa\-adtrust\-install \- Prepare an IPA server to be able to establish trust relationships with AD domains +.SH "SYNOPSIS" +ipa\-adtrust\-install [\fIOPTION\fR]... +.SH "DESCRIPTION" +Adds all necesary objects and configuration to allow an IPA server to create a +trust to an Active Directory domain. This requires that the IPA server is +already installed and configured. +.SH "OPTIONS" +.TP +\fB\-p\fR \fIDM_PASSWORD\fR, \fB\-\-ds\-password\fR=\fIDM_PASSWORD\fR +The password to be used by the Directory Server for the Directory Manager user +.TP +\fB\-d\fR, \fB\-\-debug\fR +Enable debug logging when more verbose output is needed +.TP +\fB\-\-ip\-address\fR=\fIIP_ADDRESS\fR +The IP address of the IPA server. If not provided then this is determined based on the hostname of the server. +.TP +\fB\-U\fR, \fB\-\-unattended\fR +An unattended installation that will never prompt for user input +.SH "EXIT STATUS" +0 if the installation was successful + +1 if an error occurred diff --git a/ipaserver/install/Makefile.am b/ipaserver/install/Makefile.am index 8932eadbb7ace71372277259a557884d989ea2c1..398551bd78aa4ba893a3953f0c7ee7bcb23d1a14 100644 
--- a/ipaserver/install/Makefile.am +++ b/ipaserver/install/Makefile.am @@ -10,6 +10,7 @@ app_PYTHON = \ krbinstance.py \ httpinstance.py \ ntpinstance.py \ + smbinstance.py \ service.py \ installutils.py \ replication.py \ diff --git a/ipaserver/install/service.py b/ipaserver/install/service.py index a7f6ff4eea1b67f714e18f882a082d4ad7d83026..dcce0b1e86071458d353c59e40d56460ff48837c 100644 --- a/ipaserver/install/service.py +++ b/ipaserver/install/service.py @@ -37,7 +37,8 @@ SERVICE_LIST = { 'KPASSWD':('kadmin', 20), 'DNS':('named', 30), 'HTTP':('httpd', 40), - 'CA':('pki-cad', 50) + 'CA':('pki-cad', 50), + 'ADTRUST':('smb', 60) } def stop(service_name, instance_name="", capture_output=True): diff --git a/ipaserver/install/smbinstance.py b/ipaserver/install/smbinstance.py new file mode 100644 index 0000000000000000000000000000000000000000..31b6136ec45dac92c45f40a65e202a6ea90757ae --- /dev/null +++ b/ipaserver/install/smbinstance.py 
@@ -0,0 +1,259 @@ +# Authors: Sumit Bose +# +# Copyright (C) 2011 Red Hat +# see file 'COPYING' for use and warranty information +# +# This program is free software; you can redistribute it and/or modify +# it under the terms of the GNU General Public License as published by +# the Free Software Foundation, either version 3 of the License, or +# (at your option) any later version. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with this program. If not, see . +# + +import logging + +import os +import ldap +import service +import tempfile +from ipaserver import ipaldap +from ipalib import errors +from ipapython import sysrestore +from ipapython import ipautil + +import random +import string +import struct + +allowed_netbios_chars = string.ascii_uppercase + string.digits + +def check_inst(unattended): + has_smb = True + + if not os.path.exists('/usr/sbin/smbd'): + print "Samba was not found on this system" + print "Please install the 'samba' package and start the installation again" + has_smb = False + + #TODO: Add check for needed samba4 libraries + + return has_smb + +def ipa_smb_conf_exists(): + fd = open('/etc/samba/smb.conf', 'r') + lines = fd.readlines() + fd.close() + for line in lines: + if line.startswith('### Added by IPA Installer ###'): + return True + return False + + +def check_netbios_name(s): + # NetBIOS names may not be longer than 15 allowed characters + if not s or len(s) > 15 or ''.join([c for c in s if c not in allowed_netbios_chars]): + return False + + return True + +def make_netbios_name(s): + return ''.join([c for c in s.split('.')[0].upper() if c in allowed_netbios_chars])[:15] + +class SMBInstance(service.Service): + def __init__(self, fstore=None, 
dm_password=None): + service.Service.__init__(self, "smb", dm_password=dm_password) + + if fstore: + self.fstore = fstore + else: + self.fstore = sysrestore.FileStore('/var/lib/ipa/sysrestore') + + def __create_samba_user(self): + print "The user for Samba is %s" % self.smb_dn + try: + self.admin_conn.getEntry(self.smb_dn, ldap.SCOPE_BASE) + print "Samba user entry exists, not resetting password" + return + except errors.NotFound: + pass + + # The user doesn't exist, add it + entry = ipaldap.Entry(self.smb_dn) + entry.setValues("objectclass", ["account", "simplesecurityobject"]) + entry.setValues("uid", "samba") + entry.setValues("userPassword", self.smb_dn_pwd) + self.admin_conn.add_s(entry) + + # And finally grant it permission to read NT passwords, we do not want + # to support LM passwords so there is no need to allow access to them + mod = [(ldap.MOD_ADD, 'aci', + str(['(targetattr = "sambaNTPassword")(version 3.0; acl "Samba user can read NT passwords"; allow (read) userdn="ldap:///%s";)' % self.smb_dn]))] + try: + self.admin_conn.modify_s(self.suffix, mod) + except ldap.TYPE_OR_VALUE_EXISTS: + logging.debug("samba user aci already exists in suffix %s on %s" % (self.suffix, self.admin_conn.host)) + + def __gen_sid_string(self): + sub_ids = struct.unpack(" +# +# Copyright (C) 2011 Red Hat +# see file 'COPYING' for use and warranty information +# +# This program is free software; you can redistribute it and/or modify +# it under the terms of the GNU General Public License as published by +# the Free Software Foundation, either version 3 of the License, or +# (at your option) any later version. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with this program. If not, see . 
+""" +Test `smbinstance` +""" + +import os +import nose + +from ipaserver.install import smbinstance + +class test_smbinstance: + """ + Test `smbinstance`. + """ + + def test_make_netbios_name(self): + s = smbinstance.make_netbios_name("ABCDEF") + assert s == 'ABCDEF' and isinstance(s, str) + s = smbinstance.make_netbios_name(U"ABCDEF") + assert s == 'ABCDEF' and isinstance(s, unicode) + s = smbinstance.make_netbios_name("abcdef") + assert s == 'ABCDEF' + s = smbinstance.make_netbios_name("abc.def") + assert s == 'ABC' + s = smbinstance.make_netbios_name("abcdefghijklmnopqr.def") + assert s == 'ABCDEFGHIJKLMNO' + s = smbinstance.make_netbios_name("A!$%B&/()C=?+*D") + assert s == 'ABCD' + s = smbinstance.make_netbios_name("!$%&/()=?+*") + assert not s + + def test_check_netbios_name(self): + assert smbinstance.check_netbios_name("ABCDEF") + assert not smbinstance.check_netbios_name("abcdef") + assert smbinstance.check_netbios_name("ABCDE12345ABCDE") + assert not smbinstance.check_netbios_name("ABCDE12345ABCDE1") + assert not smbinstance.check_netbios_name("") + + assert smbinstance.check_netbios_name(U"ABCDEF") + assert not smbinstance.check_netbios_name(U"abcdef") + assert smbinstance.check_netbios_name(U"ABCDE12345ABCDE") + assert not smbinstance.check_netbios_name(U"ABCDE12345ABCDE1") -- 1.7.6 From simo at redhat.com Tue Aug 30 14:42:15 2011 
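Review bot: in main() of ipa-adtrust-install the two `except Exception, e:` handlers print `ip` in the error message, but in the first try block `ip` is never bound when `ipautil.CheckedIPAddress` raises, so the handler itself fails with a NameError, and in the second block `ip` still holds the falsy value from the first attempt rather than `read_ip`; print the value that was actually being validated (`options.ip_address` or `hostaddr`, and `read_ip`). Related points in the same file: `dm_password` is always set (from `-p` or `read_password`), so the GSSAPI branch of `if smb.dm_password:` can never run and should either be dropped or the prompt made skippable; the module-level `for str in traceback.format_tb(...)` rebinds the builtin `str`, so rename the loop variable; and in the closing port summary the TCP and UDP lists are identical and "cannot reached" should read "cannot be reached", so verify which protocol each port really needs before users copy this into firewall rules.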
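Review bot: ipa-adtrust-install.1 does not document everything the script accepts: main() reads `options.netbios_name` and prints the NetBIOS naming rules, and it exits unless run as root, but the OPTIONS section lists only -p, -d, --ip-address and -U; add the NetBIOS name option with the "up to 15 uppercase ASCII letters and digits" constraint and a sentence stating that the tool must be run as root. Typo in DESCRIPTION: "necesary" should be "necessary".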
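Review bot: `ipa_smb_conf_exists()` opens /etc/samba/smb.conf unconditionally, so when the file is absent it raises IOError instead of returning False, and the caller in ipa-adtrust-install reports that as an "Unexpected error"; check os.path.exists first or catch IOError. In `__create_samba_user` the ACI granting read on sambaNTPassword is added at `self.suffix` with only a targetattr, so it applies to every entry in the tree; add a targetfilter (or target the users container) so the Samba bind account can read NT hashes only where it needs them, and emit the "The user for Samba is ..." line through logging rather than print. `self.smb_dn` and `self.smb_dn_pwd` are used here but not assigned in the visible part of the class, and the byte source fed to struct.unpack in `__gen_sid_string` is cut off in this copy; confirm the SID sub-authorities come from os.urandom and not the `random` module imported at the top, since the domain SID has to be unpredictable. Minor: `check_inst` never uses its `unattended` argument.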
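Review bot: test_smbinstance imports `os` and `nose` without using either; drop them. `test_check_netbios_name` never passes a string containing a disallowed character (a dot or hyphen, say) even though the make_netbios_name tests exercise that path, so the character-set check in `check_netbios_name` is untested; add a case like `assert not smbinstance.check_netbios_name("ABC-DEF")`.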
From: simo at redhat.com (Simo Sorce)
Date: Tue, 30 Aug 2011 10:42:15 -0400
Subject: [Freeipa-devel] [PATCH] 0283-enable-proxy-for-dogtag
In-Reply-To: <4E5CF058.2080802@redhat.com>
References: <4E4E9B34.10309@redhat.com> <4E4EA415.9010907@redhat.com> <4E5455EC.2020505@redhat.com> <4E56BD82.6060501@redhat.com> <4E57CDA8.6080303@redhat.com> <1314381838.20296.242.camel@willson.li.ssimo.org> <1314383672.20296.245.camel@willson.li.ssimo.org> <4E5812F3.9030001@redhat.com> <1314397806.20296.252.camel@willson.li.ssimo.org> <4E584105.8040508@redhat.com> <4E58564A.9050405@redhat.com> <1314655116.20296.290.camel@willson.li.ssimo.org> <4E5CF058.2080802@redhat.com>
Message-ID: <1314715335.20296.302.camel@willson.li.ssimo.org>

On Tue, 2011-08-30 at 10:14 -0400, Rob Crittenden wrote:
> > This was tested and pushed to master.
> >
> > Simo.
> >
>
> I pushed it to ipa-2-1.

Thanks. I think we really need to start marking what branch patches should go into clearly.

Simo.

--
Simo Sorce * Red Hat, Inc * New York

From edewata at redhat.com Tue Aug 30 14:43:03 2011
From: edewata at redhat.com (Endi Sukma Dewata)
Date: Tue, 30 Aug 2011 09:43:03 -0500
Subject: [Freeipa-devel] [PATCH] 258 Fixed hard-coded UI messages.
Message-ID: <4E5CF6F7.7020503@redhat.com>

Some hard-coded messages in ipa.js have been moved into internal.py. The messages in internal.py have been rearranged to match the output (ipa_init.json). A new method IPA.get_message() has been added to take a message ID and return the translated message or a default message if not found.

Ticket #1701

--
Endi S. Dewata

[Attachment scrubbed by the list archive: freeipa-edewata-0258-Fixed-hard-coded-UI-messages.patch, text/x-patch, 51050 bytes]

From edewata at redhat.com Tue Aug 30 14:57:08 2011
From: edewata at redhat.com (Endi Sukma Dewata)
Date: Tue, 30 Aug 2011 09:57:08 -0500
Subject: [Freeipa-devel] [PATCH] 257 Fixed host adder dialog to show default DNS zone.
In-Reply-To: <4E5C9D6E.4040709@redhat.com>
References: <4E5B9D88.9080608@redhat.com> <4E5C9D6E.4040709@redhat.com>
Message-ID: <4E5CFA44.603@redhat.com>

On 8/30/2011 3:21 AM, Petr Vobornik wrote:
> On 08/29/2011 04:09 PM, Endi Sukma Dewata wrote:
>> The DNS zone widget for host adder dialog has been modified not to
>> provide an empty option, so it will show the first available zone.
>>
>> Ticket #1685
>
> ACK

Pushed to master and ipa-2-1.

--
Endi S. Dewata

From mkosek at redhat.com Tue Aug 30 15:13:54 2011
From: mkosek at redhat.com (Martin Kosek)
Date: Tue, 30 Aug 2011 17:13:54 +0200
Subject: [Freeipa-devel] [PATCH] 114 Fix sudo help and summaries
In-Reply-To: <1314343878.6077.8.camel@dhcp-25-52.brq.redhat.com>
References: <1314271916.2681.1.camel@dhcp-25-52.brq.redhat.com> <4E564E05.3030208@redhat.com> <1314343878.6077.8.camel@dhcp-25-52.brq.redhat.com>
Message-ID: <1314717237.396.1.camel@dhcp-25-52.brq.redhat.com>

On Fri, 2011-08-26 at 09:31 +0200, Martin Kosek wrote:
> On Thu, 2011-08-25 at 09:28 -0400, Rob Crittenden wrote:
> > Martin Kosek wrote:
> > > 1) Add sudorule docstring headline
> > >
> > > 2) Fix naming inconsistency in Sudo plugins help and summaries,
> > > especially capitalization of Sudo objects - Sudo Rule, Sudo
> > > Command and Sudo Command Group
> > >
> > > 3) Add missing summaries for sudorule-add-option and
> > > sudorule-remove-option
> > >
> > > https://fedorahosted.org/freeipa/ticket/1595
> > > https://fedorahosted.org/freeipa/ticket/1596
> >
> > This breaks compatibility with old clients:
> >
> > $ ipa sudorule-add-option test2
> > Sudo Option: foo
> > ipa: ERROR: non-public: ValueError:
> > sudorule_add_option.validate_output(): unexpected keys ['summary'] in
> > {'result': {'ipasudoopt': (u'foo',), 'cn': (u'test2',),
> > 'ipaenabledflag': (u'TRUE',)}, 'summary': u'Added option "foo" to Sudo
> > Rule "test2"'}
> > Traceback (most recent call last):
> >   File "/usr/lib/python2.7/site-packages/ipalib/backend.py", line 125,
> > in execute
> >     result = self.Command[_name](*args, **options)
> >   File "/usr/lib/python2.7/site-packages/ipalib/frontend.py", line 443,
> > in __call__
> >     self.validate_output(ret)
> >   File "/usr/lib/python2.7/site-packages/ipalib/frontend.py", line 895,
> > in validate_output
> >     nice, extra, output)
> > ValueError: sudorule_add_option.validate_output(): unexpected keys
> > ['summary'] in {'result': {'ipasudoopt': (u'foo',), 'cn': (u'test2',),
> > 'ipaenabledflag': (u'TRUE',)}, 'summary': u'Added option "foo" to Sudo
> > Rule "test2"'}
> > ipa: ERROR: an internal error has occurred
> >
>
> Thanks for catching this. I wonder if we should let output param
> validation skip unexpected keys in order to be able to do the change in
> Output + keep backwards compatibility in cases like this one.
>
> I reworked the patch so that the summaries are printed via
> output_for_cli() - this solves this problem.
>
> Martin

I had to rework the whole patch because of latest i18n patches. Here it is, it can be applied to current master.

Martin

[Attachment scrubbed by the list archive: freeipa-mkosek-114-3-fix-sudo-help-and-summaries.patch, text/x-patch, 16794 bytes]

From mkosek at redhat.com Tue Aug 30 15:51:26 2011
From: mkosek at redhat.com (Martin Kosek)
Date: Tue, 30 Aug 2011 17:51:26 +0200
Subject: [Freeipa-devel] [PATCH] 844 add netgroup to memberof association of hostgroups
In-Reply-To: <4E4C0736.5030000@redhat.com>
References: <4E39A5CB.50909@redhat.com> <4E4C0736.5030000@redhat.com>
Message-ID: <1314719489.396.9.camel@dhcp-25-52.brq.redhat.com>

On Wed, 2011-08-17 at 14:23 -0400, Rob Crittenden wrote:
> Rob Crittenden wrote:
> > Let hostgroups show that they are members of netgroups.
> >
> > rob
>
> Updated patch

It works fine with CLI. Still, I have 2 remarks:

1) Although the new "netgroup" tab in the WebUI screen for Host Group was displayed, Delete/Enroll actions in this new tab did not work. I did not find any problem in CLI, maybe Endi or Petr can provide a hint what is wrong.

2) This patch needs to be rebased, there were conflicts in updated tests.

So it's ACK from me if the tests are fixed + WebUI guys don't object to the patch.

Martin

From rcritten at redhat.com Tue Aug 30 18:09:40 2011
From: rcritten at redhat.com (Rob Crittenden)
Date: Tue, 30 Aug 2011 14:09:40 -0400
Subject: [Freeipa-devel] [PATCH] 844 add netgroup to memberof association of hostgroups
In-Reply-To: <1314719489.396.9.camel@dhcp-25-52.brq.redhat.com>
References: <4E39A5CB.50909@redhat.com> <4E4C0736.5030000@redhat.com> <1314719489.396.9.camel@dhcp-25-52.brq.redhat.com>
Message-ID: <4E5D2764.6060601@redhat.com>

Martin Kosek wrote:
> On Wed, 2011-08-17 at 14:23 -0400, Rob Crittenden wrote:
>> Rob Crittenden wrote:
>>> Let hostgroups show that they are members of netgroups.
>>>
>>> rob
>>
>> Updated patch
>
> It works fine with CLI. Still, I have 2 remarks:
>
> 1) Although the new "netgroup" tab in the WebUI screen for Host Group
> was displayed, Delete/Enroll actions in this new tab did not work. I did
> not find any problem in CLI, maybe Endi or Petr can provide a hint what
> is wrong.
>
> 2) This patch needs to be rebased, there were conflicts in updated
> tests.
>
> So it's ACK from me if the tests are fixed + WebUI guys don't object to
> the patch.
>
> Martin
>

Updated patch so Endi can give it a quick looksee

rob

[Attachment scrubbed by the list archive: freeipa-rcrit-844-3-memberof.patch, text/x-patch, 9034 bytes]

From rcritten at redhat.com Tue Aug 30 18:36:10 2011
From: rcritten at redhat.com (Rob Crittenden)
Date: Tue, 30 Aug 2011 14:36:10 -0400
Subject: [Freeipa-devel] [PATCH] 114 Fix sudo help and summaries
In-Reply-To: <1314717237.396.1.camel@dhcp-25-52.brq.redhat.com>
References: <1314271916.2681.1.camel@dhcp-25-52.brq.redhat.com> <4E564E05.3030208@redhat.com> <1314343878.6077.8.camel@dhcp-25-52.brq.redhat.com> <1314717237.396.1.camel@dhcp-25-52.brq.redhat.com>
Message-ID: <4E5D2D9A.5020207@redhat.com>

Martin Kosek wrote:
> On Fri, 2011-08-26 at 09:31 +0200, Martin Kosek wrote:
>> On Thu, 2011-08-25 at 09:28 -0400, Rob Crittenden wrote:
>>> Martin Kosek wrote:
>>>> 1) Add sudorule docstring headline
>>>>
>>>> 2) Fix naming inconsistency in Sudo plugins help and summaries,
>>>> especially capitalization of Sudo objects - Sudo Rule, Sudo
>>>> Command and Sudo Command Group
>>>>
>>>> 3) Add missing summaries for sudorule-add-option and
>>>> sudorule-remove-option
>>>>
>>>> https://fedorahosted.org/freeipa/ticket/1595
>>>> https://fedorahosted.org/freeipa/ticket/1596
>>>
>>> This breaks compatibility with old clients:
>>>
>>> $ ipa sudorule-add-option test2
>>> Sudo Option: foo
>>> ipa: ERROR: non-public: ValueError:
>>> sudorule_add_option.validate_output(): unexpected keys ['summary'] in
>>> {'result': {'ipasudoopt': (u'foo',), 'cn': (u'test2',),
>>> 'ipaenabledflag': (u'TRUE',)}, 'summary': u'Added option "foo" to Sudo
>>> Rule "test2"'}
>>> Traceback (most recent call last):
>>>   File "/usr/lib/python2.7/site-packages/ipalib/backend.py", line 125,
>>> in execute
>>>     result = self.Command[_name](*args, **options)
>>>   File "/usr/lib/python2.7/site-packages/ipalib/frontend.py", line 443,
>>> in __call__
>>>     self.validate_output(ret)
>>>   File "/usr/lib/python2.7/site-packages/ipalib/frontend.py", line 895,
>>> in validate_output
>>>     nice, extra, output)
>>> ValueError: sudorule_add_option.validate_output(): unexpected keys
>>> ['summary'] in {'result': {'ipasudoopt': (u'foo',), 'cn': (u'test2',),
>>> 'ipaenabledflag': (u'TRUE',)}, 'summary': u'Added option "foo" to Sudo
>>> Rule "test2"'}
>>> ipa: ERROR: an internal error has occurred
>>>
>>
>> Thanks for catching this. I wonder if we should let output param
>> validation skip unexpected keys in order to be able to do the change in
>> Output + keep backwards compatibility in cases like this one.
>>
>> I reworked the patch so that the summaries are printed via
>> output_for_cli() - this solves this problem.
>>
>> Martin
>
> I had to rework the whole patch because of latest i18n patches. Here it
> is, it can be applied to current master.
>
> Martin

ACK

Fixed a couple of whitespace issues and pushed to master and ipa-2-1

rob

From rcritten at redhat.com Tue Aug 30 18:38:52 2011
From: rcritten at redhat.com (Rob Crittenden)
Date: Tue, 30 Aug 2011 14:38:52 -0400
Subject: [Freeipa-devel] [PATCH] 844 add netgroup to memberof association of hostgroups
In-Reply-To: <4E5D2764.6060601@redhat.com>
References: <4E39A5CB.50909@redhat.com> <4E4C0736.5030000@redhat.com> <1314719489.396.9.camel@dhcp-25-52.brq.redhat.com> <4E5D2764.6060601@redhat.com>
Message-ID: <4E5D2E3C.2040306@redhat.com>

Rob Crittenden wrote:
> Martin Kosek wrote:
>> On Wed, 2011-08-17 at 14:23 -0400, Rob Crittenden wrote:
>>> Rob Crittenden wrote:
>>>> Let hostgroups show that they are members of netgroups.
>>>>
>>>> rob
>>>
>>> Updated patch
>>
>> It works fine with CLI. Still, I have 2 remarks:
>>
>> 1) Although the new "netgroup" tab in the WebUI screen for Host Group
>> was displayed, Delete/Enroll actions in this new tab did not work. I did
>> not find any problem in CLI, maybe Endi or Petr can provide a hint what
>> is wrong.
>>
>> 2) This patch needs to be rebased, there were conflicts in updated
>> tests.
>>
>> So it's ACK from me if the tests are fixed + WebUI guys don't object to
>> the patch.
>>
>> Martin
>>
>
> Updated patch so Endi can give it a quick looksee
>
> rob

ACK'd by endi in IRC, pushed to master and ipa-2-1. There is a problem in the UI, Endi is going to create a new ticket to fix it.

rob

From edewata at redhat.com Tue Aug 30 19:06:02 2011
From: edewata at redhat.com (Endi Sukma Dewata)
Date: Tue, 30 Aug 2011 14:06:02 -0500
Subject: [Freeipa-devel] [PATCH] 259 Fixed problem adding hostgroup into netgroup.
Message-ID: <4E5D349A.1060509@redhat.com>

The memberof_netgroup association facet for hostgroup has been explicitly defined to use the serial associator so it will invoke the right methods.

Ticket #1737

--
Endi S. Dewata

[Attachment scrubbed by the list archive: freeipa-edewata-0259-Fixed-problem-adding-hostgroup-into-netgroup.patch, application/mbox, 1109 bytes]

From JR.Aquino at citrix.com Tue Aug 30 19:44:32 2011
From: JR.Aquino at citrix.com (JR Aquino)
Date: Tue, 30 Aug 2011 19:44:32 +0000
Subject: [Freeipa-devel] [PATCH] 34 Create FreeIPA CLI Plugin for the 389 Auto Membership plugin
In-Reply-To: <4E541F1B.4090007@redhat.com>
References: <99CC5FCC-73CE-43C1-9B73-4DDD69A4637D@citrixonline.com> <4E26F657.8030901@redhat.com> <3D1116E1-B782-4F43-B6DA-08E8FCFC34A1@citrixonline.com> <4E279A3C.5040900@redhat.com> <328D74A5-F560-4DC6-8E5F-413AFDCCAABC@citrixonline.com> <1311246577.17378.28.camel@dhcp-25-52.brq.redhat.com> <4E28384A.708@redhat.com> <0BF013EE-B1ED-4953-94ED-F3BA825CFE78@citrixonline.com> <60FB2C65-DFB4-41B4-A51F-78FE89BB1A1E@citrixonline.com> <1312202461.2484.4.camel@dhcp-25-52.brq.redhat.com> <4E36A27F.4020908@redhat.com> <4E37F3AD.1030801@redhat.com> <45137A51-4797-4A17-B3B0-A4301D9A0C85@citrixonline.com> <1312794245.29048.21.camel@dhcp-25-52.brq.redhat.com> <1312892259.19265.18.camel@dhcp-25-52.brq.redhat.com> <1313745402.2526.20.camel@dhcp-25-52.brq.redhat.com> <1180CF1B-AB45-4E9C-B038-4A35D7E635F1@citrixonline.com> <4E541F1B.4090007@redhat.com>
Message-ID:

On Aug 23, 2011, at 2:43 PM, Rob Crittenden wrote:

> JR Aquino wrote:
>>
>> On Aug 19, 2011, at 2:16 AM, Martin Kosek wrote:
>>
>>> Hi JR,
>>>
>>> I get to your plugin again. You can see my findings below.
>>>
>>> On Tue, 2011-08-09 at 22:41 +0000, JR Aquino wrote:
>>> ...
>>>> Ok New Patch attached.
>>>>
>>>> I believe this addresses the above.
>>>>
>>>> 1. Requires(pre): 389-ds-base>= 1.2.9.5-1
>>>
>>> 1) Please, remove the change to FreeIPA spec, it's no longer needed since
>>> we shipped version 2.1 and it already requires sufficient 389-ds-base
>>> version.
>>
>> Done.
>>
>>>
>>>>
>>>> 2. replica-automember.ldif added for dsinstance to install during replica installs:
>>>> +dn: cn=Auto Membership Plugin,cn=plugins,cn=config
>>>> +changetype: modify
>>>> +add: nsslapd-pluginConfigArea
>>>> +nsslapd-pluginConfigArea: cn=automember,cn=etc,$SUFFIX
>>>
>>> 2) OK. I would do it a bit different - have one LDIF for
>>> nsslapd-pluginConfigArea setting and second for creating the base
>>> automember structure. Master would then use both LDIFs and a replica
>>> both of them. We would then be without duplicates in LDIF. But your way
>>> is acceptable.
>>
>> Please allow the 2 ldifs in as they are.
>>
>> I tried to split them to leverage cn=config change in common, however, I encountered a 389 ds bug.
>> I will be opening a bug with Nathan in BZ to address the bug. If you feel strongly, we can either:
>>
>> A: Accept the two LDIFs as is and revisit after a newer version of 389 ds is available.
>> B: Wait until 389 ds addresses the bug and make the minor modification you suggested above.
>>
>>>
>>>>
>>>> 3. autoMemberScope is now set for each:
>>>> groups: cn=users,cn=accounts,$SUFFIX
>>>> hostgroups: cn=computers,cn=accounts,$SUFFIX
>>>
>>> OK
>>>
>>>>
>>>> 4. Corrected examples
>>>> Set the default target group:
>>>> ipa automember-default-group-set --default-group=webservers hostgroup
>>>> ipa automember-default-group-set --default-group=ipausers group
>>>>
>>>> Set the default target group:
>>>> ipa automember-default-group-remove hostgroup
>>>> ipa automember-default-group-remove group
>>>>
>>>> Show the default target group:
>>>> ipa automember-default-group-show hostgroup
>>>> ipa automember-default-group-show group
>>>>
>>>> 5. Corrected examples
>>>> Add a condition to the rule:
>>>> ipa automember-add-condition --key=fqdn --type=hostgroup --inclusive-regex=^web[1-9+]\.example\.com webservers
>>>
>>> 3) Please fix the regex to ^web[1-9]+\.example\.com. I think it's just a
>>> mistake - right now for example a host web11.example.com does not match.
>>
>> Fixed
>>
>>>
>>>> ipa automember-add-condition --key=manager --type=group --inclusive-regex=^mscott admins
>>>>
>>>
>>> 4) I think you wanted to use devel rule instead of non-existent "admins"
>>> automember rule.
>>>
>>
>> You are correct, this has been fixed.
>>
>>>> Add an exclusive condition to the rule to prevent auto assignment:
>>>> ipa automember-add-condition --key=fqdn --type=hostgroup --exclusive-regex=^web5\.example\.com webservers
>>>>
>>>> Remove a condition from the rule:
>>>> ipa automember-remove-condition --key=fqdn --type=hostgroup --inclusive-regex=^www[1-9+]\.example\.com webservers
>>>
>>> 5) The same as in 3)
>>
>> Fixed
>>
>>>
>>>>
>>>> 6. Correct bug for adding duplicate conditions. Included test for it in the test suite.
>>>>
>>>
>>> OK. Here are my additional findings:
>>>
>>> 6) There are some more example commands in doc which are not complete and
>>> require some user typing:
>>>
>>> Display an automember rule:
>>> ipa automember-show webservers
>>>
>>> Delete an automember rule:
>>> ipa automember-del webservers
>>>
>>> Grouping type option is missing
>>
>> Fixed. Added the appropriate flags in the examples
>>
>>>
>>> 7) I get internal error when running examples from the automember doc:
>>> # ipa automember-add --type=group devel
>>> -----------------------------
>>> Added automember rule "devel"
>>> -----------------------------
>>> Automember Rule: devel
>>> # ipa automember-add-condition --key=manager --type=group --inclusive-regex=^mscott admins
>>> ipa: ERROR: an internal error has occurred
>>
>> Fixed.
>>
>>>
>>>
>>> That's all. The plugin gets better with every version, I think we may
>>> soon be ready for pushing - when all of the issues are resolved.
>>>
>>> Martin
>>>
>>
>> Please let me know how it looks now.
>>
>
> Looks lots better, just a couple of nits:
>
> * The default-group api has type as an arg and everywhere else it is --type, can we make it consistent? We can argue about this with Martin tomorrow if you'd like.

This has now been fixed with some help from Rob removing 'cn' as a primary key.

>
> * The tests focus mainly on bucket allocation, it also needs to test adding/removing conditions and rules. I wonder if there should actually be two test suites, one to test the basics of the plugin and one to make sure it operates properly when creating entries.

I have added many new tests in the xml test for automember. It now verifies the functionality of multiple entries, as well as the logic behind exclusive and inclusive regex.

>
> * Can you document in the ldifs and the installer why there are separate ones for master and replicas (for dsinstance.py I think you can just say # see ldifs for details).

The ldifs and dsinstance have now been commented.

>
> rob
>

As per Rob via IRC, I have made a very minor modification to user.py which allows the test suite to wait for memberof to finish so that it will provide consistent output with automember assignment.

[Attachment scrubbed by the list archive: freeipa-jraquino-0034-Create-FreeIPA-CLI-Plugin-for-the-389-Auto-Membershi.patch, application/octet-stream, 73441 bytes]

From JR.Aquino at citrix.com Wed Aug 31 00:59:08 2011
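The inclusive/exclusive regex conditions reviewed in the message above, worked through in code. This is an added example, not part of JR's patch or of FreeIPA: it models an automember rule as a small Python class to show why `^web[1-9+]\.example\.com` misses web11.example.com while the corrected `^web[1-9]+\.example\.com` matches, how an exclusive condition pulls a host out again, how a default group catches hosts no rule matched, and why adding the same condition twice has to be rejected. The precedence (an exclusive hit vetoes the rule; the default group applies only when no rule matched), the `DuplicateCondition` error and the `otherhosts` default group are assumptions of the example modelled on the thread, not a reading of the 389 plugin, and the host entries are constructed.

```python
import re

# Constructed sample host entries (not taken from the thread or from FreeIPA).
SAMPLE_HOSTS = [
    {"fqdn": "web1.example.com"},
    {"fqdn": "web11.example.com"},
    {"fqdn": "web5.example.com"},
    {"fqdn": "db1.example.com"},
]


class DuplicateCondition(ValueError):
    """Raised when the same regex is added to a rule twice (the duplicate
    condition bug the patch's test suite covers)."""


class AutomemberRule:
    """Hypothetical model of one automember rule: a target group plus
    inclusive and exclusive regex conditions evaluated on one attribute."""

    def __init__(self, name, key):
        self.name = name      # target group, e.g. "webservers"
        self.key = key        # attribute the regexes are matched against
        self.inclusive = []   # list of (pattern text, compiled regex)
        self.exclusive = []

    def _add(self, bucket, text):
        if any(existing == text for existing, _ in bucket):
            raise DuplicateCondition(text)
        bucket.append((text, re.compile(text)))

    def add_condition(self, inclusive_regex=None, exclusive_regex=None):
        if inclusive_regex is not None:
            self._add(self.inclusive, inclusive_regex)
        if exclusive_regex is not None:
            self._add(self.exclusive, exclusive_regex)

    def remove_condition(self, inclusive_regex=None, exclusive_regex=None):
        self.inclusive = [c for c in self.inclusive if c[0] != inclusive_regex]
        self.exclusive = [c for c in self.exclusive if c[0] != exclusive_regex]

    def matches(self, entry):
        value = entry.get(self.key, "")
        # Assumed precedence: any exclusive hit vetoes the rule, otherwise
        # any inclusive hit selects it.
        if any(rx.search(value) for _, rx in self.exclusive):
            return False
        return any(rx.search(value) for _, rx in self.inclusive)


def assign_groups(rules, entry, default_group=None):
    """Group names the entry lands in; the default group (if any) applies
    only when no rule matched."""
    groups = [rule.name for rule in rules if rule.matches(entry)]
    if not groups and default_group is not None:
        groups = [default_group]
    return groups


def regex_comparison(fqdn="web11.example.com"):
    """(broken matches?, fixed matches?) for the two regexes in the thread:
    [1-9+] is a one-character class that happens to contain '+', so it can
    never consume the second digit of web11."""
    broken = re.compile(r"^web[1-9+]\.example\.com")
    fixed = re.compile(r"^web[1-9]+\.example\.com")
    return bool(broken.search(fqdn)), bool(fixed.search(fqdn))


def demo():
    """Apply the thread's corrected webservers rule to the sample hosts."""
    webservers = AutomemberRule("webservers", "fqdn")
    webservers.add_condition(inclusive_regex=r"^web[1-9]+\.example\.com")
    webservers.add_condition(exclusive_regex=r"^web5\.example\.com")
    try:
        # Adding the same condition again must be rejected, not duplicated.
        webservers.add_condition(inclusive_regex=r"^web[1-9]+\.example\.com")
    except DuplicateCondition:
        pass
    # "otherhosts" is a constructed default group for hosts no rule matched.
    return {h["fqdn"]: assign_groups([webservers], h, default_group="otherhosts")
            for h in SAMPLE_HOSTS}


if __name__ == "__main__":
    print(regex_comparison())
    for fqdn, groups in sorted(demo().items()):
        print(fqdn, "->", groups)
```

Running it shows web1 and web11 landing in webservers, web5 excluded by the exclusive condition and falling through to the default group along with db1, which is exactly the behaviour the corrected examples in the patch documentation describe.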
From: JR.Aquino at citrix.com (JR Aquino)
Date: Wed, 31 Aug 2011 00:59:08 +0000
Subject: [Freeipa-devel] [PATCH] 34 Create FreeIPA CLI Plugin for the 389 Auto Membership plugin
In-Reply-To:
References: <99CC5FCC-73CE-43C1-9B73-4DDD69A4637D@citrixonline.com> <4E26F657.8030901@redhat.com> <3D1116E1-B782-4F43-B6DA-08E8FCFC34A1@citrixonline.com> <4E279A3C.5040900@redhat.com> <328D74A5-F560-4DC6-8E5F-413AFDCCAABC@citrixonline.com> <1311246577.17378.28.camel@dhcp-25-52.brq.redhat.com> <4E28384A.708@redhat.com> <0BF013EE-B1ED-4953-94ED-F3BA825CFE78@citrixonline.com> <60FB2C65-DFB4-41B4-A51F-78FE89BB1A1E@citrixonline.com> <1312202461.2484.4.camel@dhcp-25-52.brq.redhat.com> <4E36A27F.4020908@redhat.com> <4E37F3AD.1030801@redhat.com> <45137A51-4797-4A17-B3B0-A4301D9A0C85@citrixonline.com> <1312794245.29048.21.camel@dhcp-25-52.brq.redhat.com> <1312892259.19265.18.camel@dhcp-25-52.brq.redhat.com> <1313745402.2526.20.camel@dhcp-25-52.brq.redhat.com> <1180CF1B-AB45-4E9C-B038-4A35D7E635F1@citrixonline.com> <4E541F1B.4090007@redhat.com>
Message-ID: <936B922C-E34E-4189-B73F-FA9D6F6FAD71@citrixonline.com>

On Aug 30, 2011, at 12:44 PM, Jr Aquino wrote:

>
> On Aug 23, 2011, at 2:43 PM, Rob Crittenden wrote:
>
>> JR Aquino wrote:
>>>
>>> On Aug 19, 2011, at 2:16 AM, Martin Kosek wrote:
>>>
>>>> Hi JR,
>>>>
>>>> I get to your plugin again. You can see my findings below.
>>>>
>>>> On Tue, 2011-08-09 at 22:41 +0000, JR Aquino wrote:
>>>> ...
>>>>> Ok New Patch attached.
>>>>>
>>>>> I believe this addresses the above.
>>>>>
>>>>> 1. Requires(pre): 389-ds-base>= 1.2.9.5-1
>>>>
>>>> 1) Please, remove the change to FreeIPA spec, it's no longer needed since
>>>> we shipped version 2.1 and it already requires sufficient 389-ds-base
>>>> version.
>>>
>>> Done.
>>>
>>>>
>>>>>
>>>>> 2. replica-automember.ldif added for dsinstance to install during replica installs:
>>>>> +dn: cn=Auto Membership Plugin,cn=plugins,cn=config
>>>>> +changetype: modify
>>>>> +add: nsslapd-pluginConfigArea
>>>>> +nsslapd-pluginConfigArea: cn=automember,cn=etc,$SUFFIX
>>>>
>>>> 2) OK. I would do it a bit different - have one LDIF for
>>>> nsslapd-pluginConfigArea setting and second for creating the base
>>>> automember structure. Master would then use both LDIFs and a replica
>>>> both of them. We would then be without duplicates in LDIF. But your way
>>>> is acceptable.
>>>
>>> Please allow the 2 ldifs in as they are.
>>>
>>> I tried to split them to leverage cn=config change in common, however, I encountered a 389 ds bug.
>>> I will be opening a bug with Nathan in BZ to address the bug. If you feel strongly, we can either:
>>>
>>> A: Accept the two LDIFs as is and revisit after a newer version of 389 ds is available.
>>> B: Wait until 389 ds addresses the bug and make the minor modification you suggested above.
>>>
>>>>
>>>>>
>>>>> 3. autoMemberScope is now set for each:
>>>>> groups: cn=users,cn=accounts,$SUFFIX
>>>>> hostgroups: cn=computers,cn=accounts,$SUFFIX
>>>>
>>>> OK
>>>>
>>>>>
>>>>> 4. Corrected examples
>>>>> Set the default target group:
>>>>> ipa automember-default-group-set --default-group=webservers hostgroup
>>>>> ipa automember-default-group-set --default-group=ipausers group
>>>>>
>>>>> Set the default target group:
>>>>> ipa automember-default-group-remove hostgroup
>>>>> ipa automember-default-group-remove group
>>>>>
>>>>> Show the default target group:
>>>>> ipa automember-default-group-show hostgroup
>>>>> ipa automember-default-group-show group
>>>>>
>>>>> 5. Corrected examples
>>>>> Add a condition to the rule:
>>>>> ipa automember-add-condition --key=fqdn --type=hostgroup --inclusive-regex=^web[1-9+]\.example\.com webservers
>>>>
>>>> 3) Please fix the regex to ^web[1-9]+\.example\.com. I think it's just a
>>>> mistake - right now for example a host web11.example.com does not match.
>>>
>>> Fixed
>>>
>>>>
>>>>> ipa automember-add-condition --key=manager --type=group --inclusive-regex=^mscott admins
>>>>>
>>>>
>>>> 4) I think you wanted to use devel rule instead of non-existent "admins"
>>>> automember rule.
>>>>
>>>
>>> You are correct, this has been fixed.
>>>
>>>>> Add an exclusive condition to the rule to prevent auto assignment:
>>>>> ipa automember-add-condition --key=fqdn --type=hostgroup --exclusive-regex=^web5\.example\.com webservers
>>>>>
>>>>> Remove a condition from the rule:
>>>>> ipa automember-remove-condition --key=fqdn --type=hostgroup --inclusive-regex=^www[1-9+]\.example\.com webservers
>>>>
>>>> 5) The same as in 3)
>>>
>>> Fixed
>>>
>>>>
>>>>>
>>>>> 6. Correct bug for adding duplicate conditions. Included test for it in the test suite.
>>>>>
>>>>
>>>> OK. Here are my additional findings:
>>>>
>>>> 6) There are some more example commands in doc which are not complete and
>>>> require some user typing:
>>>>
>>>> Display an automember rule:
>>>> ipa automember-show webservers
>>>>
>>>> Delete an automember rule:
>>>> ipa automember-del webservers
>>>>
>>>> Grouping type option is missing
>>>
>>> Fixed. Added the appropriate flags in the examples
>>>
>>>>
>>>> 7) I get internal error when running examples from the automember doc:
>>>> # ipa automember-add --type=group devel
>>>> -----------------------------
>>>> Added automember rule "devel"
>>>> -----------------------------
>>>> Automember Rule: devel
>>>> # ipa automember-add-condition --key=manager --type=group --inclusive-regex=^mscott admins
>>>> ipa: ERROR: an internal error has occurred
>>>
>>> Fixed.
>>>
>>>>
>>>>
>>>> That's all. The plugin gets better with every version, I think we may
>>>> soon be ready for pushing - when all of the issues are resolved.
>>>>
>>>> Martin
>>>>
>>>
>>> Please let me know how it looks now.
>>> >> >> Looks lots better, just a couple of nits: >> >> * The default-group api has type as an arg and everywhere else it is --type, can we make it consistent? We can argue about this with Martin tomorrow if you'd like. > > This has now been fixed with some help from Rob removing 'cn' as a primary key. > >> >> * The tests focus mainly on bucket allocation, it also needs to test adding/removing conditions and rules. I wonder if there should actually be two test suites, one to test the basics of the plugin and one to make sure it operates properly when creating entries. > > I have added many new tests in the xml test for automember. It now verifies the functionality of multiple entries, as well as the logic behind exclusive and inclusive regex. > >> >> * Can you document in the ldifs and the installer why there are separate ones for master and replicas (for dsinstance.py I think you can just say # see ldifs for details). > > The ldifs and dsinstance have now been commented. > >> >> rob >> > > As per Rob via IRC, I have made a very minor modification to user.py which allows the test suite to wait for memberof to finish so that it will provide consistent output with automember assignment. Confirmed with Rob that there is a bug with the list compare function in the tests (users + memberof + automember can result in unpredictable order. He will be adding a separate patch for that. Additional fixes suggested by Rob via IRC: Added additional info in help to demonstrate the user/host being auto assigned to their respective groups Added additional testing for mod / show / find Added summaries for the automember-default-group set of commands Correct behavior for find to return the cn label Added spelling corrections -------------- next part -------------- A non-text attachment was scrubbed... 
Name: freeipa-jraquino-0034-Create-FreeIPA-CLI-Plugin-for-the-389-Auto-Membershi.patch Type: application/octet-stream Size: 80511 bytes Desc: freeipa-jraquino-0034-Create-FreeIPA-CLI-Plugin-for-the-389-Auto-Membershi.patch URL: From rcritten at redhat.com Wed Aug 31 03:50:04 2011 From: rcritten at redhat.com (Rob Crittenden) Date: Tue, 30 Aug 2011 23:50:04 -0400 Subject: [Freeipa-devel] [PATCH] 862 sort lists in tests Message-ID: <4E5DAF6C.1040004@redhat.com> JR ran into an issue with his automember patch where the order of memberof wasn't predictable which caused tests to fail. To resolve this we just need to sort the lists and then compare. rob -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-rcrit-862-sort_test.patch Type: text/x-patch Size: 2217 bytes Desc: not available URL: From rcritten at redhat.com Wed Aug 31 03:50:54 2011 From: rcritten at redhat.com (Rob Crittenden) Date: Tue, 30 Aug 2011 23:50:54 -0400 Subject: [Freeipa-devel] [PATCH] 863 netgroups memberof Message-ID: <4E5DAF9E.2090208@redhat.com> This was spawned by another recent patch I pushed that showed netgroups that a hostgroup is a member of. We want to suppress the automatic netgroup that is created with hostgroups. rob -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-rcrit-863-hostgroup.patch Type: text/x-patch Size: 9956 bytes Desc: not available URL: From edewata at redhat.com Wed Aug 31 05:10:05 2011 
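The automember regex conditions discussed in the thread above (the `[1-9+]` versus `[1-9]+` mistake Martin flagged, the exclusive condition for web5, the duplicate-condition fix, and the manager condition that had to be changed to actually match the manager), as an added Python example that is neither the FreeIPA plugin's nor the 389-ds code. It assumes a simplified evaluation model (an exclusive match vetoes a rule, an inclusive match assigns, otherwise the default group applies), that IPA stores the manager attribute as a DN, and uses constructed sample hosts, a sample user and a constructed `default-hosts` group.

```python
import re

# Constructed rules mirroring the examples in the thread (not the plugin's
# own data model; a simplified stand-in for the 389-ds automember config).
BUGGY_FQDN_REGEX = r"^web[1-9+]\.example\.com"   # class: one char, 1-9 or '+'
FIXED_FQDN_REGEX = r"^web[1-9]+\.example\.com"   # one or more digits


def make_rule(group, key):
    """Create an empty automember rule targeting `group`, keyed on `key`."""
    return {"group": group, "key": key, "inclusive": [], "exclusive": []}


def add_condition(rule, kind, regex):
    """Attach an inclusive or exclusive regex to a rule.

    Rejects malformed regexes and duplicate conditions (the thread mentions
    a fix for silently adding the same condition twice).
    """
    if kind not in ("inclusive", "exclusive"):
        raise ValueError("kind must be 'inclusive' or 'exclusive'")
    re.compile(regex)                      # raises re.error on a bad pattern
    if regex in rule[kind]:
        raise ValueError("duplicate %s condition: %s" % (kind, regex))
    rule[kind].append(regex)
    return rule


def evaluate(entry, rules, default_group=None):
    """Return the set of groups `entry` would be auto-assigned to.

    Simplified evaluation order (an assumption, not the 389-ds source):
    an exclusive match vetoes the rule, otherwise any inclusive match
    adds the entry to the rule's group; with no match at all the entry
    lands in the default group, if one is configured.
    """
    groups = set()
    for rule in rules:
        value = entry.get(rule["key"])
        if value is None:
            continue
        if any(re.search(rx, value) for rx in rule["exclusive"]):
            continue
        if any(re.search(rx, value) for rx in rule["inclusive"]):
            groups.add(rule["group"])
    if not groups and default_group is not None:
        groups.add(default_group)
    return groups


def compare_fqdn_regexes(fqdns):
    """Map each fqdn to (matches buggy regex, matches fixed regex)."""
    return {
        f: (bool(re.search(BUGGY_FQDN_REGEX, f)),
            bool(re.search(FIXED_FQDN_REGEX, f)))
        for f in fqdns
    }


def hostgroup_rules():
    """The 'webservers' hostgroup rule from the thread: fixed inclusive
    regex plus the exclusive condition that keeps web5 out."""
    rule = make_rule("webservers", "fqdn")
    add_condition(rule, "inclusive", FIXED_FQDN_REGEX)
    add_condition(rule, "exclusive", r"^web5\.example\.com")
    return [rule]


def group_rules(manager_regex):
    """The 'devel' group rule keyed on the manager attribute."""
    rule = make_rule("devel", "manager")
    add_condition(rule, "inclusive", manager_regex)
    return [rule]


# Constructed sample entries: hosts keyed on fqdn, and a user whose manager
# attribute holds a DN (assumption: IPA stores manager as a DN).
HOSTS = [
    {"fqdn": "web1.example.com"},
    {"fqdn": "web11.example.com"},
    {"fqdn": "web5.example.com"},
    {"fqdn": "db1.example.com"},
]
USER = {"uid": "jdoe",
        "manager": "uid=mscott,cn=users,cn=accounts,dc=example,dc=com"}

if __name__ == "__main__":
    names = [h["fqdn"] for h in HOSTS] + ["web+.example.com"]
    for fqdn, (buggy, fixed) in sorted(compare_fqdn_regexes(names).items()):
        print("%-20s buggy=%-5s fixed=%s" % (fqdn, buggy, fixed))
    for host in HOSTS:
        print(host["fqdn"], "->",
              sorted(evaluate(host, hostgroup_rules(), "default-hosts")))
    # '^mscott' never matches a DN value; '^uid=mscott,' does.
    for rx in (r"^mscott", r"^uid=mscott,"):
        print(rx, "->", sorted(evaluate(USER, group_rules(rx), "ipausers")))
```

Note that the buggy pattern also matches the literal host name `web+.example.com`, since `+` inside the bracket is just another character in the class.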
From: edewata at redhat.com (Endi Sukma Dewata) Date: Wed, 31 Aug 2011 00:10:05 -0500 Subject: [Freeipa-devel] [PATCH] 010 Enable update and reset buttons only if dirty In-Reply-To: <4E5CD969.8010203@redhat.com> References: <4E5CD969.8010203@redhat.com> Message-ID: <4E5DC22D.3090709@redhat.com> On 8/30/2011 7:36 AM, Petr Vobornik wrote: > https://fedorahosted.org/freeipa/ticket/1697 > > Original problem: > Update name of the automount location (Policy -> Automount -> > custom_location -> Settings -> Update) in the WEBUI refer to an unknown > command. > > Solution: > Tracking dirty state in field -> section -> details facet. > 'Reset' and 'Updates' buttons in details facet are enabled only if facet > is dirty. > > Removes the problem above and 'no modification to be performed' annoyance. The patch works, so it's ACKed and pushed to master and ipa-2-1. One minor thing, in details.js:322: if(!that.update_button.hasClass('action-button-disabled')) { that.reset(); } It probably should have been a reset_button instead of update_button. Right now it doesn't make any difference because both are enabled and disabled together, but that might not be the case in the future. -- Endi S. Dewata From edewata at redhat.com Wed Aug 31 05:30:45 2011 From: edewata at redhat.com (Endi Sukma Dewata) Date: Wed, 31 Aug 2011 00:30:45 -0500 Subject: [Freeipa-devel] [PATCH] 260 Fixed problem with combobox. Message-ID: <4E5DC705.1090108@redhat.com> The entity select widget has been modified to handle timing issue in both dialog box and details page. Ticket #1736 -- Endi S. Dewata -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-edewata-0260-Fixed-problem-with-combobox.patch Type: application/mbox Size: 7807 bytes Desc: not available URL: From pvoborni at redhat.com Wed Aug 31 07:42:42 2011 
From: pvoborni at redhat.com (Petr Vobornik) Date: Wed, 31 Aug 2011 09:42:42 +0200 Subject: [Freeipa-devel] [PATCH] 258 Fixed hard-coded UI messages. In-Reply-To: <4E5CF6F7.7020503@redhat.com> References: <4E5CF6F7.7020503@redhat.com> Message-ID: <4E5DE5F2.2070302@redhat.com> On 08/30/2011 04:43 PM, Endi Sukma Dewata wrote: > Some hard-coded messages in ipa.js have been moved into internal.py. > The messages in internal.py have been rearranged to match the output > (ipa_init.json). > > A new method IPA.get_message() has been added to take a message ID and > return the translated message or a default message if not found. > > Ticket #1701 > for the changes: ACK I found one more string: "'
Error: '+error_thrown.name+'
';" entity.js:126 -- Petr Vobornik From mkosek at redhat.com Wed Aug 31 07:59:24 2011 From: mkosek at redhat.com (Martin Kosek) Date: Wed, 31 Aug 2011 09:59:24 +0200 Subject: [Freeipa-devel] [PATCH] 34 Create FreeIPA CLI Plugin for the 389 Auto Membership plugin In-Reply-To: <936B922C-E34E-4189-B73F-FA9D6F6FAD71@citrixonline.com> References: <99CC5FCC-73CE-43C1-9B73-4DDD69A4637D@citrixonline.com> <4E26F657.8030901@redhat.com> <3D1116E1-B782-4F43-B6DA-08E8FCFC34A1@citrixonline.com> <4E279A3C.5040900@redhat.com> <328D74A5-F560-4DC6-8E5F-413AFDCCAABC@citrixonline.com> <1311246577.17378.28.camel@dhcp-25-52.brq.redhat.com> <4E28384A.708@redhat.com> <0BF013EE-B1ED-4953-94ED-F3BA825CFE78@citrixonline.com> <60FB2C65-DFB4-41B4-A51F-78FE89BB1A1E@citrixonline.com> <1312202461.2484.4.camel@dhcp-25-52.brq.redhat.com> <4E36A27F.4020908@redhat.com> <4E37F3AD.1030801@redhat.com> <45137A51-4797-4A17-B3B0-A4301D9A0C85@citrixonline.com> <1312794245.29048.21.camel@dhcp-25-52.brq.redhat.com> <1312892259.19265.18.camel@dhcp-25-52.brq.redhat.com> <1313745402.2526.20.camel@dhcp-25-52.brq.redhat.com> <1180CF1B-AB45-4E9C-B038-4A35D7E635F1@citrixonline.com> <4E541F1B.4090007@redhat.com> <936B922C-E34E-4189-B73F-FA9D6F6FAD71@citrixonline.com> Message-ID: <1314777567.10684.18.camel@dhcp-25-52.brq.redhat.com> On Wed, 2011-08-31 at 00:59 +0000, JR Aquino wrote: > On Aug 30, 2011, at 12:44 PM, Jr Aquino wrote: > > > > > On Aug 23, 2011, at 2:43 PM, Rob Crittenden wrote: > > > >> JR Aquino wrote: > >>> > >>> On Aug 19, 2011, at 2:16 AM, Martin Kosek wrote: > >>> > >>>> Hi JR, > >>>> > >>>> I get to your plugin again. You can see my findings below. > >>>> > >>>> On Tue, 2011-08-09 at 22:41 +0000, JR Aquino wrote: > >>>> ... > >>>>> Ok New Patch attached. > >>>>> > >>>>> I believe this addresses the above. > >>>>> > >>>>> 1. 
Requires(pre): 389-ds-base>= 1.2.9.5-1 > >>>> > >>>> 1) Please, remove the change to FreeIPA spec, its no longer needed since > >>>> we shipped version 2.1 and it already requires sufficient 389-ds-base > >>>> version. > >>> > >>> Done. > >>> > >>>> > >>>>> > >>>>> 2. replica-automember.ldif added for dsinstance to install during replica installs: > >>>>> +dn: cn=Auto Membership Plugin,cn=plugins,cn=config > >>>>> +changetype: modify > >>>>> +add: nsslapd-pluginConfigArea > >>>>> +nsslapd-pluginConfigArea: cn=automember,cn=etc,$SUFFIX > >>>> > >>>> 2) OK. I would do it a bit different - have one LDIF for > >>>> nsslapd-pluginConfigArea setting and second for creating the base > >>>> automember structure. Master would then use both LDIFs and a replica > >>>> both of them. We would then be without duplicates in LDIF. But your way > >>>> acceptable. > >>> > >>> Please allow the 2 ldif's in as they are. > >>> > >>> I tried to split them to leverage cn=config change in common, however, I encountered a 389 ds bug. > >>> I will be opening a bug with Nathan in BZ to address the bug. If you feel strongly, we can either: > >>> > >>> A: Accept the two LDIFs as is and revisit after a newer version of 389 ds is available. > >>> B: Wait until 389 ds addresses the bug and make the minor modification you suggested above. > >>> > >>>> > >>>>> > >>>>> 3. autoMemberScope is now set for each: > >>>>> groups: cn=users,cn=accounts,$SUFFIX > >>>>> hostgroups: cn=computers,cn=accounts,$SUFFIX > >>>> > >>>> OK > >>>> > >>>>> > >>>>> 4. 
Corrected examples > >>>>> Set the default target group: > >>>>> ipa automember-default-group-set --default-group=webservers hostgroup > >>>>> ipa automember-default-group-set --default-group=ipausers group > >>>>> > >>>>> Set the default target group: > >>>>> ipa automember-default-group-remove hostgroup > >>>>> ipa automember-default-group-remove group > >>>>> > >>>>> Show the default target group: > >>>>> ipa automember-default-group-show hostgroup > >>>>> ipa automember-default-group-show group > >>>>> > >>>>> 5. Corrected examples > >>>>> Add a condition to the rule: > >>>>> ipa automember-add-condition --key=fqdn --type=hostgroup --inclusive-regex=^web[1-9+]\.example\.com webservers > >>>> > >>>> 3) Please fix the regex to ^web[1-9]+\.example\.com. I think its just a > >>>> mistake - right now for example a host web11.example.com does not match. > >>> > >>> Fixed > >>> > >>>> > >>>>> ipa automember-add-condition --key=manager --type=group --inclusive-regex=^mscott admins > >>>>> > >>>> > >>>> 4) I think you wanted to use devel rule instead of non-existent "admins" > >>>> automember rule. > >>>> > >>> > >>> You are correct, this has been fixed. > >>> > >>>>> Add an exclusive condition to the rule to prevent auto asignment: > >>>>> ipa automember-add-condition --key=fqdn --type=hostgroup --exclusive-regex=^web5\.example\.com webservers > >>>>> > >>>>> Remove a condition from the rule: > >>>>> ipa automember-remove-condition --key=fqdn --type=hostgroup --inclusive-regex=^www[1-9+]\.example\.com webservers > >>>> > >>>> 5) The same as in 3) > >>> > >>> Fixed > >>> > >>>> > >>>>> > >>>>> 6. Correct bug for adding duplicate conditions. Included test for it in the test suite. > >>>>> > >>>> > >>>> OK. 
Here are my additional findings: > >>>> > >>>> 6) There some more example commands in doc which are not complete and > >>>> require some user typing: > >>>> > >>>> Display a automember rule: > >>>> ipa automember-show webservers > >>>> > >>>> Delete an automember rule: > >>>> ipa automember-del webservers > >>>> > >>>> Grouping type option is missing > >>> > >>> Fixed. Added the appropriate flags in the examples > >>> > >>>> > >>>> 7) I get internal error when running examples from the automember doc: > >>>> # ipa automember-add --type=group devel > >>>> ----------------------------- > >>>> Added automember rule "devel" > >>>> ----------------------------- > >>>> Automember Rule: devel > >>>> # ipa automember-add-condition --key=manager --type=group --inclusive-regex=^mscott admins > >>>> ipa: ERROR: an internal error has occurred > >>> > >>> Fixed. > >>> > >>>> > >>>> > >>>> That's all. The plugin gets better with every version, I think we may > >>>> soon be ready for pushing - when all of the issues are resolved. > >>>> > >>>> Martin > >>>> > >>> > >>> Please let me know how it looks now. > >>> > >> > >> Looks lots better, just a couple of nits: > >> > >> * The default-group api has type as an arg and everywhere else it is --type, can we make it consistent? We can argue about this with Martin tomorrow if you'd like. > > > > This has now been fixed with some help from Rob removing 'cn' as a primary key. > > > >> > >> * The tests focus mainly on bucket allocation, it also needs to test adding/removing conditions and rules. I wonder if there should actually be two test suites, one to test the basics of the plugin and one to make sure it operates properly when creating entries. > > > > I have added many new tests in the xml test for automember. It now verifies the functionality of multiple entries, as well as the logic behind exclusive and inclusive regex. 
> > > >> > >> * Can you document in the ldifs and the installer why there are separate ones for master and replicas (for dsinstance.py I think you can just say # see ldifs for details). > > > > The ldifs and dsinstance have now been commented. > > > >> > >> rob > >> > > > > As per Rob via IRC, I have made a very minor modification to user.py which allows the test suite to wait for memberof to finish so that it will provide consistent output with automember assignment. > > > Confirmed with Rob that there is a bug with the list compare function in the tests (users + memberof + automember can result in unpredictable order. He will be adding a separate patch for that. > > Additional fixes suggested by Rob via IRC: > > Added additional info in help to demonstrate the user/host being auto assigned to their respective groups > Added additional testing for mod / show / find > Added summaries for the automember-default-group set of commands > Correct behavior for find to return the cn label > Added spelling corrections OK then. I did not find any major issues preventing me from acking the ticket. If we find an issue later, we can create a ticket. So ACK and pushed to master, ipa-2-1. Before pushing I fixed commit message and few minor nits in automember examples: - changed automember-remove-condition to match automember-add-condition before it - changed automember-add-condition --key=manager so that it actually matches the manager - automember-mod indentation Martin From pvoborni at redhat.com Wed Aug 31 08:46:22 2011 From: pvoborni at redhat.com (Petr Vobornik) Date: Wed, 31 Aug 2011 10:46:22 +0200 Subject: [Freeipa-devel] [PATCH] 259 Fixed problem adding hostgroup into netgroup. 
In-Reply-To: <4E5D349A.1060509@redhat.com> References: <4E5D349A.1060509@redhat.com> Message-ID: <4E5DF4DE.5080200@redhat.com> On 08/30/2011 09:06 PM, Endi Sukma Dewata wrote: > The memberof_netgroup association facet for hostgroup has been > explicitly defined to use the serial associator so it will invoke > the right methods. > > Ticket #1737 > > > > _______________________________________________ > Freeipa-devel mailing list > Freeipa-devel at redhat.com > https://www.redhat.com/mailman/listinfo/freeipa-devel ACK I think, we should unite the usage of serial and bulk associators. Currently the usage of entity and other_entity is inverted. This could be achieved by proper initialization of spec from association type (association name - something similar to what is used now in association_table) and do not blindly copy entity from facet as it is done now (association entity often isn't equal to facet entity (eg in memberof association)). This could be part of https://fedorahosted.org/freeipa/ticket/1690 . -- Petr Vobornik From mkosek at redhat.com Wed Aug 31 08:54:03 2011 From: mkosek at redhat.com (Martin Kosek) Date: Wed, 31 Aug 2011 10:54:03 +0200 Subject: [Freeipa-devel] [PATCH] 863 netgroups memberof In-Reply-To: <4E5DAF9E.2090208@redhat.com> References: <4E5DAF9E.2090208@redhat.com> Message-ID: <1314780846.10684.23.camel@dhcp-25-52.brq.redhat.com> On Tue, 2011-08-30 at 23:50 -0400, Rob Crittenden wrote: > This was spawned by another recent patch I pushed that showed netgroups > that a hostgroup is a member of. We want to suppress the automatic > netgroup that is created with hostgroups. > > rob NACK. 
I see several issues with the patch: 1) Lint problem: ipalib/plugins/hostgroup.py:107: [E0602, hostgroup.suppress_netgroup_memberof] Undefined variable 'NotFound' 2) When there is not hostgroup, `ipa hostgroup-find` throws an exception: [Wed Aug 31 04:36:11 2011] [error] ipa: ERROR: non-public: UnboundLocalError: local variable 'dn' referenced before assignment [Wed Aug 31 04:36:11 2011] [error] Traceback (most recent call last): [Wed Aug 31 04:36:11 2011] [error] File "/usr/lib/python2.7/site-packages/ipaserver/rpcserver.py", line 223, in wsgi_execute [Wed Aug 31 04:36:11 2011] [error] result = self.Command[name](*args, **options) [Wed Aug 31 04:36:11 2011] [error] File "/usr/lib/python2.7/site-packages/ipalib/frontend.py", line 432, in __call__ [Wed Aug 31 04:36:11 2011] [error] ret = self.run(*args, **options) [Wed Aug 31 04:36:11 2011] [error] File "/usr/lib/python2.7/site-packages/ipalib/frontend.py", line 738, in run [Wed Aug 31 04:36:11 2011] [error] return self.execute(*args, **options) [Wed Aug 31 04:36:11 2011] [error] File "/usr/lib/python2.7/site-packages/ipalib/plugins/baseldap.py", line 1596, in execute [Wed Aug 31 04:36:11 2011] [error] callback(ldap, entries, truncated, *args, **options) [Wed Aug 31 04:36:11 2011] [error] File "/usr/lib/python2.7/site-packages/ipalib/plugins/hostgroup.py", line 163, in post_callback [Wed Aug 31 04:36:11 2011] [error] return dn [Wed Aug 31 04:36:11 2011] [error] UnboundLocalError: local variable 'dn' referenced before assignment 3) JR's automember tests that were pushed today will need to have memberof_netgroup removed too. 
Martin From mkosek at redhat.com Wed Aug 31 09:19:09 2011 From: mkosek at redhat.com (Martin Kosek) Date: Wed, 31 Aug 2011 11:19:09 +0200 Subject: [Freeipa-devel] [PATCH] 862 sort lists in tests In-Reply-To: <4E5DAF6C.1040004@redhat.com> References: <4E5DAF6C.1040004@redhat.com> Message-ID: <1314782353.10684.24.camel@dhcp-25-52.brq.redhat.com> On Tue, 2011-08-30 at 23:50 -0400, Rob Crittenden wrote: > JR ran into an issue with his automember patch where the order of > memberof wasn't predictable which caused tests to fail. > > To resolve this we just need to sort the lists and then compare. > > rob ACK. Pushed to master, ipa-2-1. Martin From pvoborni at redhat.com Wed Aug 31 11:36:12 2011 From: pvoborni at redhat.com (Petr Vobornik) Date: Wed, 31 Aug 2011 13:36:12 +0200 Subject: [Freeipa-devel] [PATCH] 260 Fixed problem with combobox. In-Reply-To: <4E5DC705.1090108@redhat.com> References: <4E5DC705.1090108@redhat.com> Message-ID: <4E5E1CAC.9040801@redhat.com> On 08/31/2011 07:30 AM, Endi Sukma Dewata wrote: > The entity select widget has been modified to handle timing issue > in both dialog box and details page. > > Ticket #1736 > > > > _______________________________________________ > Freeipa-devel mailing list > Freeipa-devel at redhat.com > https://www.redhat.com/mailman/listinfo/freeipa-devel ACK -- Petr Vobornik From atkac at redhat.com Wed Aug 31 12:13:54 2011 From: atkac at redhat.com (Adam Tkac) Date: Wed, 31 Aug 2011 14:13:54 +0200 Subject: [Freeipa-devel] bind-dyndb-ldap 1.0.0b1 has been released Message-ID: <4E5E2582.2000103@redhat.com> Hello, bind-dyndb-ldap 1.0.0b1 has been released. The most notable change is new "psearch (yes/no)" option. When set to "yes" then the plugin is able to immediately propagate addition/modification/deletion of zones, without need of the `rndc reload` command. 
Tarball: https://fedorahosted.org/released/bind-dyndb-ldap/bind-dyndb-ldap-1.0.0b1.tar.gz Links to Fedora updates: https://admin.fedoraproject.org/updates/bind-dyndb-ldap-1.0.0-0.1.b1.fc16 https://admin.fedoraproject.org/updates/bind-dyndb-ldap-1.0.0-0.1.b1.fc15 Please report any bugs to https://bugzilla.redhat.com Check the NEWS file for other notable changes. Regards, Adam From rcritten at redhat.com Wed Aug 31 12:22:48 2011 From: rcritten at redhat.com (Rob Crittenden) Date: Wed, 31 Aug 2011 08:22:48 -0400 Subject: [Freeipa-devel] [PATCH] 863 netgroups memberof In-Reply-To: <1314780846.10684.23.camel@dhcp-25-52.brq.redhat.com> References: <4E5DAF9E.2090208@redhat.com> <1314780846.10684.23.camel@dhcp-25-52.brq.redhat.com> Message-ID: <4E5E2798.2020206@redhat.com> Martin Kosek wrote: > On Tue, 2011-08-30 at 23:50 -0400, Rob Crittenden wrote: >> This was spawned by another recent patch I pushed that showed netgroups >> that a hostgroup is a member of. We want to suppress the automatic >> netgroup that is created with hostgroups. >> >> rob > > NACK. 
I see several issues with the patch: > > 1) Lint problem: > ipalib/plugins/hostgroup.py:107: [E0602, hostgroup.suppress_netgroup_memberof] Undefined variable 'NotFound' > > 2) When there is not hostgroup, `ipa hostgroup-find` throws an > exception: > [Wed Aug 31 04:36:11 2011] [error] ipa: ERROR: non-public: UnboundLocalError: local variable 'dn' referenced before assignment > [Wed Aug 31 04:36:11 2011] [error] Traceback (most recent call last): > [Wed Aug 31 04:36:11 2011] [error] File "/usr/lib/python2.7/site-packages/ipaserver/rpcserver.py", line 223, in wsgi_execute > [Wed Aug 31 04:36:11 2011] [error] result = self.Command[name](*args, **options) > [Wed Aug 31 04:36:11 2011] [error] File "/usr/lib/python2.7/site-packages/ipalib/frontend.py", line 432, in __call__ > [Wed Aug 31 04:36:11 2011] [error] ret = self.run(*args, **options) > [Wed Aug 31 04:36:11 2011] [error] File "/usr/lib/python2.7/site-packages/ipalib/frontend.py", line 738, in run > [Wed Aug 31 04:36:11 2011] [error] return self.execute(*args, **options) > [Wed Aug 31 04:36:11 2011] [error] File "/usr/lib/python2.7/site-packages/ipalib/plugins/baseldap.py", line 1596, in execute > [Wed Aug 31 04:36:11 2011] [error] callback(ldap, entries, truncated, *args, **options) > [Wed Aug 31 04:36:11 2011] [error] File "/usr/lib/python2.7/site-packages/ipalib/plugins/hostgroup.py", line 163, in post_callback > [Wed Aug 31 04:36:11 2011] [error] return dn > [Wed Aug 31 04:36:11 2011] [error] UnboundLocalError: local variable 'dn' referenced before assignment > > 3) JR's automember tests that were pushed today will need to have > memberof_netgroup removed too. > > Martin > All issues addressed. rob -------------- next part -------------- A non-text attachment was scrubbed... 
Name: freeipa-rcrit-863-2-hostgroup.patch Type: text/x-patch Size: 14117 bytes Desc: not available URL: From mkosek at redhat.com Wed Aug 31 12:36:34 2011 From: mkosek at redhat.com (Martin Kosek) Date: Wed, 31 Aug 2011 14:36:34 +0200 Subject: [Freeipa-devel] [PATCH] 863 netgroups memberof In-Reply-To: <4E5E2798.2020206@redhat.com> References: <4E5DAF9E.2090208@redhat.com> <1314780846.10684.23.camel@dhcp-25-52.brq.redhat.com> <4E5E2798.2020206@redhat.com> Message-ID: <1314794197.10684.25.camel@dhcp-25-52.brq.redhat.com> On Wed, 2011-08-31 at 08:22 -0400, Rob Crittenden wrote: > Martin Kosek wrote: > > On Tue, 2011-08-30 at 23:50 -0400, Rob Crittenden wrote: > >> This was spawned by another recent patch I pushed that showed netgroups > >> that a hostgroup is a member of. We want to suppress the automatic > >> netgroup that is created with hostgroups. > >> > >> rob > > > > NACK. I see several issues with the patch: > > > > 1) Lint problem: > > ipalib/plugins/hostgroup.py:107: [E0602, hostgroup.suppress_netgroup_memberof] Undefined variable 'NotFound' > > > > 2) When there is not hostgroup, `ipa hostgroup-find` throws an > > exception: > > [Wed Aug 31 04:36:11 2011] [error] ipa: ERROR: non-public: UnboundLocalError: local variable 'dn' referenced before assignment > > [Wed Aug 31 04:36:11 2011] [error] Traceback (most recent call last): > > [Wed Aug 31 04:36:11 2011] [error] File "/usr/lib/python2.7/site-packages/ipaserver/rpcserver.py", line 223, in wsgi_execute > > [Wed Aug 31 04:36:11 2011] [error] result = self.Command[name](*args, **options) > > [Wed Aug 31 04:36:11 2011] [error] File "/usr/lib/python2.7/site-packages/ipalib/frontend.py", line 432, in __call__ > > [Wed Aug 31 04:36:11 2011] [error] ret = self.run(*args, **options) > > [Wed Aug 31 04:36:11 2011] [error] File "/usr/lib/python2.7/site-packages/ipalib/frontend.py", line 738, in run > > [Wed Aug 31 04:36:11 2011] [error] return self.execute(*args, **options) > > [Wed Aug 31 04:36:11 2011] [error] File 
"/usr/lib/python2.7/site-packages/ipalib/plugins/baseldap.py", line 1596, in execute > > [Wed Aug 31 04:36:11 2011] [error] callback(ldap, entries, truncated, *args, **options) > > [Wed Aug 31 04:36:11 2011] [error] File "/usr/lib/python2.7/site-packages/ipalib/plugins/hostgroup.py", line 163, in post_callback > > [Wed Aug 31 04:36:11 2011] [error] return dn > > [Wed Aug 31 04:36:11 2011] [error] UnboundLocalError: local variable 'dn' referenced before assignment > > > > 3) JR's automember tests that were pushed today will need to have > > memberof_netgroup removed too. > > > > Martin > > > > All issues addressed. > > rob ACK. Pushed to master, ipa-2-1. Martin From mkosek at redhat.com Wed Aug 31 12:47:24 2011 From: mkosek at redhat.com (Martin Kosek) Date: Wed, 31 Aug 2011 14:47:24 +0200 Subject: [Freeipa-devel] [PATCH] 111 Let Bind track data changes In-Reply-To: <1313410813.2633.28.camel@dhcp-25-52.brq.redhat.com> References: <1313410813.2633.28.camel@dhcp-25-52.brq.redhat.com> Message-ID: <1314794847.10684.27.camel@dhcp-25-52.brq.redhat.com> On Mon, 2011-08-15 at 14:20 +0200, Martin Kosek wrote: > A new version of bind-dyndb-ldap has been released. Thanks to the new > persistent search feature, the name server can immediately pull new DNS > zones when they are created in IPA. > > Since the bind-dyndb-ldap plugin has not been released in F-15 yet, one > has to use the provided src.rpm: > > http://mkosek.fedorapeople.org/bind-dyndb-ldap/srpm/bind-dyndb-ldap-0.2.0-5.fc17.src.rpm > > or rpms I built for x86_64 F-15: > > http://mkosek.fedorapeople.org/bind-dyndb-ldap/x86_64/ > > There is one setback though. When I investigated DNS persistent search > behavior I still miss the ability to detect changes to the DNS zone > itself. Adding a record (for example MX record) to the zone does not > trigger an update of the zone in nameserver cache. We still have to wait > for cache timeout (argument "cache_ttl"). 
We cannot therefore use this > feature as a solution of: > > https://fedorahosted.org/freeipa/ticket/1114 > https://fedorahosted.org/freeipa/ticket/1125 > https://fedorahosted.org/freeipa/ticket/1126 > > Martin > Sending a rebased version of the patch. It requires new bind-dyndb-ldap version that Adam has just sent to the list. Martin -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-mkosek-111-2-let-bind-track-data-changes.patch Type: text/x-patch Size: 11774 bytes Desc: not available URL: From pvoborni at redhat.com Wed Aug 31 13:04:57 2011 From: pvoborni at redhat.com (Petr Vobornik) Date: Wed, 31 Aug 2011 15:04:57 +0200 Subject: [Freeipa-devel] [PATCH] 011 Attributes table not scrollable Message-ID: <4E5E3179.3070108@redhat.com> https://fedorahosted.org/freeipa/ticket/1739 The attributes table (IPA.attributes_widget) used in Permissions, Self-Service Permissions, and Delegations is supposed to be short but scrollable. In Firefox 3.6 it works fine, but in Firefox 6.0 it appears as a long non-scrollable table which makes it more difficult to use. -- Petr Vobornik -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pvoborni-0011-Attributes-table-not-scrollable.patch Type: text/x-patch Size: 1148 bytes Desc: not available URL: From mkosek at redhat.com Wed Aug 31 14:08:16 2011 From: mkosek at redhat.com (Martin Kosek) Date: Wed, 31 Aug 2011 16:08:16 +0200 Subject: [Freeipa-devel] [PATCH] 111 Let Bind track data changes In-Reply-To: <1314794847.10684.27.camel@dhcp-25-52.brq.redhat.com> References: <1313410813.2633.28.camel@dhcp-25-52.brq.redhat.com> <1314794847.10684.27.camel@dhcp-25-52.brq.redhat.com> Message-ID: <1314799699.10684.35.camel@dhcp-25-52.brq.redhat.com> On Wed, 2011-08-31 at 14:47 +0200, Martin Kosek wrote: > On Mon, 2011-08-15 at 14:20 +0200, Martin Kosek wrote: > > A new version of bind-dyndb-ldap has been released. 
Thanks to the new > > persistent search feature, the name server can immediately pull new DNS > > zones when they are created in IPA. > > > > Since the bind-dyndb-ldap plugin has not been released in F-15 yet, one > > has to use the provided src.rpm: > > > > http://mkosek.fedorapeople.org/bind-dyndb-ldap/srpm/bind-dyndb-ldap-0.2.0-5.fc17.src.rpm > > > > or rpms I built for x86_64 F-15: > > > > http://mkosek.fedorapeople.org/bind-dyndb-ldap/x86_64/ > > > > There is one setback though. When I investigated DNS persistent search > > behavior I still miss the ability to detect changes to the DNS zone > > itself. Adding a record (for example MX record) to the zone does not > > trigger an update of the zone in nameserver cache. We still have to wait > > for cache timeout (argument "cache_ttl"). We cannot therefore use this > > feature as a solution of: > > > > https://fedorahosted.org/freeipa/ticket/1114 > > https://fedorahosted.org/freeipa/ticket/1125 > > https://fedorahosted.org/freeipa/ticket/1126 > > > > Martin > > > > Sending a rebased version of the patch. It requires new bind-dyndb-ldap > version that Adam has just sent to the list. 
> > Martin

I would also like to add a hint for reviewers how to test:

1) Install referred bind-dyndb-ldap package
2) Configure FreeIPA with DNS using
   2a) ipa-dns-install without any arguments to enable zone refresh (scenario A)
   2b) ipa-dns-install --zone-notif to enable persistent search (scenario B)
3) Add new zone using "ipa dnszone-add $ZONE"
4) Use following command to see if the zone is already resolvable:
   $ dig -t soa $ZONE
   4a) scenario A: the new zone does not have to be resolvable immediately, but in default number of seconds for zone refresh (defaults to 30)
   4b) scenario B: the new zone should be immediately resolvable

From rcritten at redhat.com Wed Aug 31 14:40:05 2011
From: rcritten at redhat.com (Rob Crittenden)
Date: Wed, 31 Aug 2011 10:40:05 -0400
Subject: [Freeipa-devel] [PATCH] 111 Let Bind track data changes
In-Reply-To: <1314794847.10684.27.camel@dhcp-25-52.brq.redhat.com>
References: <1313410813.2633.28.camel@dhcp-25-52.brq.redhat.com> <1314794847.10684.27.camel@dhcp-25-52.brq.redhat.com>
Message-ID: <4E5E47C5.9020606@redhat.com>

Martin Kosek wrote:
> On Mon, 2011-08-15 at 14:20 +0200, Martin Kosek wrote:
>> A new version of bind-dyndb-ldap has been released. Thanks to the new
>> persistent search feature, the name server can immediately pull new DNS
>> zones when they are created in IPA.
>>
>> Since the bind-dyndb-ldap plugin has not been released in F-15 yet, one
>> has to use the provided src.rpm:
>>
>> http://mkosek.fedorapeople.org/bind-dyndb-ldap/srpm/bind-dyndb-ldap-0.2.0-5.fc17.src.rpm
>>
>> or rpms I built for x86_64 F-15:
>>
>> http://mkosek.fedorapeople.org/bind-dyndb-ldap/x86_64/
>>
>> There is one setback though. When I investigated DNS persistent search
>> behavior I still miss the ability to detect changes to the DNS zone
>> itself. Adding a record (for example MX record) to the zone does not
>> trigger an update of the zone in nameserver cache. We still have to wait
>> for cache timeout (argument "cache_ttl").
We cannot therefore use this >> feature as a solution of: >> >> https://fedorahosted.org/freeipa/ticket/1114 >> https://fedorahosted.org/freeipa/ticket/1125 >> https://fedorahosted.org/freeipa/ticket/1126 >> >> Martin >> > > Sending a rebased version of the patch. It requires new bind-dyndb-ldap > version that Adam has just sent to the list. > > Martin Ack. Tested this with the older bind-dyndb-ldap too and it doesn't cause anything to blow up, so ok to push now rather than waiting for bind-dyndb-ldap to hit updates-testing. rob From mkosek at redhat.com Wed Aug 31 14:47:34 2011 From: mkosek at redhat.com (Martin Kosek) Date: Wed, 31 Aug 2011 16:47:34 +0200 Subject: [Freeipa-devel] [PATCH] 111 Let Bind track data changes In-Reply-To: <4E5E47C5.9020606@redhat.com> References: <1313410813.2633.28.camel@dhcp-25-52.brq.redhat.com> <1314794847.10684.27.camel@dhcp-25-52.brq.redhat.com> <4E5E47C5.9020606@redhat.com> Message-ID: <1314802056.10684.41.camel@dhcp-25-52.brq.redhat.com> On Wed, 2011-08-31 at 10:40 -0400, Rob Crittenden wrote: > Martin Kosek wrote: > > On Mon, 2011-08-15 at 14:20 +0200, Martin Kosek wrote: > >> A new version of bind-dyndb-ldap has been released. Thanks to the new > >> persistent search feature, the name server can immediately pull new DNS > >> zones when they are created in IPA. > >> > >> Since the bind-dyndb-ldap plugin has not been released in F-15 yet, one > >> has to use the provided src.rpm: > >> > >> http://mkosek.fedorapeople.org/bind-dyndb-ldap/srpm/bind-dyndb-ldap-0.2.0-5.fc17.src.rpm > >> > >> or rpms I built for x86_64 F-15: > >> > >> http://mkosek.fedorapeople.org/bind-dyndb-ldap/x86_64/ > >> > >> There is one setback though. When I investigated DNS persistent search > >> behavior I still miss the ability to detect changes to the DNS zone > >> itself. Adding a record (for example MX record) to the zone does not > >> trigger an update of the zone in nameserver cache. We still have to wait > >> for cache timeout (argument "cache_ttl"). 
We cannot therefore use this > >> feature as a solution of: > >> > >> https://fedorahosted.org/freeipa/ticket/1114 > >> https://fedorahosted.org/freeipa/ticket/1125 > >> https://fedorahosted.org/freeipa/ticket/1126 > >> > >> Martin > >> > > > > Sending a rebased version of the patch. It requires new bind-dyndb-ldap > > version that Adam has just sent to the list. > > > > Martin > > Ack. Tested this with the older bind-dyndb-ldap too and it doesn't cause > anything to blow up, so ok to push now rather than waiting for > bind-dyndb-ldap to hit updates-testing. > > rob Pushed to master, ipa-2-1. Martin From simo at redhat.com Wed Aug 31 14:57:29 2011 From: simo at redhat.com (Simo Sorce) Date: Wed, 31 Aug 2011 10:57:29 -0400 Subject: [Freeipa-devel] bind-dyndb-ldap 1.0.0b1 has been released In-Reply-To: <4E5E2582.2000103@redhat.com> References: <4E5E2582.2000103@redhat.com> Message-ID: <1314802649.20296.338.camel@willson.li.ssimo.org> On Wed, 2011-08-31 at 14:13 +0200, Adam Tkac wrote: > Hello, > > bind-dyndb-ldap 1.0.0b1 has been released. The most notable change is > new "psearch (yes/no)" option. When set to "yes" then the plugin is able > to immediately propagate addition/modification/deletion of zones, > without need of the `rndc reload` command. > > Tarball: > https://fedorahosted.org/released/bind-dyndb-ldap/bind-dyndb-ldap-1.0.0b1.tar.gz > > Links to Fedora updates: > https://admin.fedoraproject.org/updates/bind-dyndb-ldap-1.0.0-0.1.b1.fc16 > https://admin.fedoraproject.org/updates/bind-dyndb-ldap-1.0.0-0.1.b1.fc15 > > Please report any bugs to https://bugzilla.redhat.com > > Check the NEWS file for other notable changes. > > Regards, Adam Thanks Adam, this feature is really useful! Simo. -- Simo Sorce * Red Hat, Inc * New York From edewata at redhat.com Wed Aug 31 16:31:17 2011 From: edewata at redhat.com (Endi Sukma Dewata) Date: Wed, 31 Aug 2011 11:31:17 -0500 Subject: [Freeipa-devel] [PATCH] 258 Fixed hard-coded UI messages. 
In-Reply-To: <4E5DE5F2.2070302@redhat.com>
References: <4E5CF6F7.7020503@redhat.com> <4E5DE5F2.2070302@redhat.com>
Message-ID: <4E5E61D5.7080302@redhat.com>

On 8/31/2011 2:42 AM, Petr Vobornik wrote:
> On 08/30/2011 04:43 PM, Endi Sukma Dewata wrote:
>> Some hard-coded messages in ipa.js have been moved into internal.py.
>> The messages in internal.py have been rearranged to match the output
>> (ipa_init.json).
>>
>> A new method IPA.get_message() has been added to take a message ID and
>> return the translated message or a default message if not found.
>>
>> Ticket #1701
> for the changes: ACK

Pushed to master and ipa-2-1.

> I found one more string: "'Error: '+error_thrown.name+'';" > entity.js:126

We'll fix that in another patch.

-- Endi S. Dewata

From edewata at redhat.com Wed Aug 31 16:31:58 2011
From: edewata at redhat.com (Endi Sukma Dewata)
Date: Wed, 31 Aug 2011 11:31:58 -0500
Subject: [Freeipa-devel] [PATCH] 259 Fixed problem adding hostgroup into netgroup.
In-Reply-To: <4E5DF4DE.5080200@redhat.com>
References: <4E5D349A.1060509@redhat.com> <4E5DF4DE.5080200@redhat.com>
Message-ID: <4E5E61FE.6020205@redhat.com>

On 8/31/2011 3:46 AM, Petr Vobornik wrote:
> On 08/30/2011 09:06 PM, Endi Sukma Dewata wrote:
>> The memberof_netgroup association facet for hostgroup has been
>> explicitly defined to use the serial associator so it will invoke
>> the right methods.
>>
>> Ticket #1737
> ACK

Pushed to master and ipa-2-1.

> I think, we should unite the usage of serial and bulk associators.
> Currently the usage of entity and other_entity is inverted. This could
> be achieved by proper initialization of spec from association type
> (association name - something similar to what is used now in
> association_table) and do not blindly copy entity from facet as it is
> done now (association entity often isn't equal to facet entity (eg in
> memberof association)). This could be part of
> https://fedorahosted.org/freeipa/ticket/1690 .

I agree that the associators need some cleanup. The serial & bulk associators right now determine the type of the association. MemberOf association uses serial because the 'entity' has to be added into 'other entities' using multiple -add-member commands. Member association uses bulk because the 'other entities' can be added into the 'entity' at once using a single -add-member command. We could combine them into a single class and use a variable 'type' to determine how to generate the commands. We could also keep them separate and use the class itself to determine the 'type'. We would rename them into memberof_association and member_association.
Then the association_facet() in the entity_builder will map the association names into the right 'type'. That way we don't have to specify it explicitly in the entity declarations. -- Endi S. Dewata From edewata at redhat.com Wed Aug 31 16:32:16 2011 From: edewata at redhat.com (Endi Sukma Dewata) Date: Wed, 31 Aug 2011 11:32:16 -0500 Subject: [Freeipa-devel] [PATCH] 260 Fixed problem with combobox. In-Reply-To: <4E5E1CAC.9040801@redhat.com> References: <4E5DC705.1090108@redhat.com> <4E5E1CAC.9040801@redhat.com> Message-ID: <4E5E6210.6010400@redhat.com> On 8/31/2011 6:36 AM, Petr Vobornik wrote: > On 08/31/2011 07:30 AM, Endi Sukma Dewata wrote: >> The entity select widget has been modified to handle timing issue >> in both dialog box and details page. >> >> Ticket #1736 > ACK Pushed to master and ipa-2-1. -- Endi S. Dewata From rcritten at redhat.com Wed Aug 31 18:02:59 2011 From: rcritten at redhat.com (Rob Crittenden) Date: Wed, 31 Aug 2011 14:02:59 -0400 Subject: [Freeipa-devel] [PATCH] 865 update minimum 389-ds-base version Message-ID: <4E5E7753.1090503@redhat.com> Bump up minimum version of 389-ds to pick up fix to allow it to start with an expired cert Pushed under the 1-liner rule. rob -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-rcrit-865-dirsrv.patch Type: text/x-patch Size: 1241 bytes Desc: not available URL: From rcritten at redhat.com Wed Aug 31 18:05:58 2011 From: rcritten at redhat.com (Rob Crittenden) Date: Wed, 31 Aug 2011 14:05:58 -0400 Subject: [Freeipa-devel] [PATCH] 864 use IPA cert profile in installer Message-ID: <4E5E7806.4030603@redhat.com> We were still using the caRAserverCert profile when installing IPA and replicas resulting in 6 month server certs. Use the IPA profile instead to get 2 year certs. Pushed as a one-liner to master and ipa-2-1 rob -------------- next part -------------- A non-text attachment was scrubbed... 
Name: freeipa-rcrit-864-profile.patch Type: text/x-patch Size: 1026 bytes Desc: not available URL: From simo at redhat.com Wed Aug 31 18:06:18 2011 From: simo at redhat.com (Simo Sorce) Date: Wed, 31 Aug 2011 14:06:18 -0400 Subject: [Freeipa-devel] [PATCH] #1743 Fix ipa-replica-prepare Message-ID: <1314813978.20296.342.camel@willson.li.ssimo.org> We stopped using lpaddwd and kpasswd.keytab when we moved from ipa_kpasswd to kadmind. Unfortunately I forgot to remove their use in all places and didn't notice issues during testing because I used a "dirty" virtual machine that had a ldappwd file in place. These patches get rid of these vestiges of the past and fix the replica installation issues. Simo. -- Simo Sorce * Red Hat, Inc * New York -------------- next part -------------- A non-text attachment was scrubbed... Name: 0001-install-We-do-not-need-a-ldap-password-anymore.patch Type: text/x-patch Size: 4207 bytes Desc: not available URL: -------------- next part -------------- A non-text attachment was scrubbed... Name: 0002-install-We-do-not-need-a-kpasswd-keytab-anymore.patch Type: text/x-patch Size: 4768 bytes Desc: not available URL: From rcritten at redhat.com Wed Aug 31 18:25:10 2011 From: rcritten at redhat.com (Rob Crittenden) Date: Wed, 31 Aug 2011 14:25:10 -0400 Subject: [Freeipa-devel] [PATCH] #1743 Fix ipa-replica-prepare In-Reply-To: <1314813978.20296.342.camel@willson.li.ssimo.org> References: <1314813978.20296.342.camel@willson.li.ssimo.org> Message-ID: <4E5E7C86.6010600@redhat.com> Simo Sorce wrote: > We stopped using lpaddwd and kpasswd.keytab when we moved from > ipa_kpasswd to kadmind. > > Unfortunately I forgot to remove their use in all places and didn't > notice issues during testing because I used a "dirty" virtual machine > that had a ldappwd file in place. > > These patches get rid of these vestiges of the past and fix the replica > installation issues. > > Simo. 
ACK

From abokovoy at redhat.com Wed Aug 31 19:02:26 2011
From: abokovoy at redhat.com (Alexander Bokovoy)
Date: Wed, 31 Aug 2011 22:02:26 +0300
Subject: [Freeipa-devel] [PATCH, FreeIPA2.1] Review request for platform abstraction refactoring
Message-ID: <4E5E8542.4090001@redhat.com>

Hi!

In branch 'platform' of http://fedorapeople.org/gitweb?p=abbra/public_git/freeipa.git;a=summary you can find four commits which represent working code to address https://fedorahosted.org/freeipa/ticket/1605.

What is done:

1. ipapython.services module represents system-agnostic way to communicate with platform-specific services management and other platform-specific functions.
2. ipapython.platform.* implements platform-specific functionality. The code is pulled in by ipapython.services module and should not be addressed directly.
3. ipapython.platform.redhat module (not to be called directly!) is what FreeIPA 2.1 has had previously -- current RHEL6 and Fedora14/15 implementation.
4. Install tools, IPA client, and IPA server install code is converted to use ipapython.services.

To facilitate more expressive way of working with often used services, ipapython.services module provides a shortcut to access them by name via ipapython.services.knownservices.. A typical code change looks like this:

------------------------------------------------ (from ipapython import services as ipaservices) - service.restart("dirsrv") - service.restart("krb5kdc") - service.restart("httpd") + ipaservices.knownservices.dirsrv.restart() + ipaservices.knownservices.krb5kdc.restart() + ipaservices.knownservices.httpd.restart() ------------------------------------------------

Besides expression change this also makes more explicit to platform providers access to what services they have to implement. Service names are defined in ipapython.platform.base.wellknownservices and represent definitive names to access these services from FreeIPA code.
Of course, platform provider should remap those names to platform-specific ones -- for ipapython.platform.redhat provider mapping is identity.

If code needs direct access to some unnamed service, one could use ipapython.services.service class:

------------------------------------------------ for (order, svc) in sorted(svc_list): svc_name = service.SERVICE_LIST[svc][0] + svchandle = ipaservices.service(svc_name) try: print "Starting %s Service" % svc - service.start(svc_name, capture_output=get_capture_output(svc_name, options.debug)) + svchandle.start(capture_output=get_capture_output(svc_name, options.debug)) except: emit_err("Failed to start %s Service" % svc) ------------------------------------------------

Server-side installation code depends on quite a delicate arrangement of Certificate Server, Directory Server, and is not really portable to other environments unless you do provide same packages as Fedora or RHEL have. However, I tried to abstract service-specific calls in such way that they all go through ipapython.platform.* so even here remapping of names is possible. Unfortunately, not for file paths yet.

Client side is more ready for porting except authconfig(8) use. One of substantial issues for porting FreeIPA client code to platforms other than Red Hat's is use of authconfig(8) utility to configure authentication services. What I ended up with is a flexible interface (ipapython.platform.base.AuthConfig) to specify options and execute external apps. As with knownservices, one step more is to make those options accessible as member attributes instead of strings but even with current approach this gives full isolation of implementation of authconfig replacement from FreeIPA code.
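Review bot: in the service-start loop, `svchandle = ipaservices.service(svc_name)` is constructed outside the `try`, so if building the handle raises, the exception bypasses `emit_err("Failed to start %s Service" % svc)` and aborts the whole loop, whereas the `service.start(svc_name, ...)` call it replaces sat inside the `try`; move the construction into the `try` (or build all handles before starting any service, so a bad mapping fails before partial startup). The bare `except:` also swallows KeyboardInterrupt and discards the error text; `except Exception as e` with `e` included in the emitted message would keep a failed start diagnosable.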
Typical use for AuthConfig is via ipapython.services.authconfig class:

------------------------------------------------ - run(["/usr/sbin/authconfig", "--disableldap", "--disablekrb5", "--disablesssd", "--disablesssdauth", "--disablemkhomedir", "--update"]) + auth_config = ipaservices.authconfig() + auth_config.disable("ldap").\ + disable("krb5").\ + disable("sssd").\ + disable("sssdauth").\ + disable("mkhomedir").\ + add_option("update") + auth_config.execute() ------------------------------------------------

This should make porting much simpler -- less code to touch in core FreeIPA.

Now good things: this all works! :) I tried on F15, doing ipa-server-install with different options and uninstalling as well, joining another client and removing it later. Of course, more testing is needed too.

-- / Alexander Bokovoy

From edewata at redhat.com Wed Aug 31 19:39:23 2011
From: edewata at redhat.com (Endi Sukma Dewata)
Date: Wed, 31 Aug 2011 14:39:23 -0500
Subject: [Freeipa-devel] [PATCH] 011 Attributes table not scrollable
In-Reply-To: <4E5E3179.3070108@redhat.com>
References: <4E5E3179.3070108@redhat.com>
Message-ID: <4E5E8DEB.4060003@redhat.com>

On 8/31/2011 8:04 AM, Petr Vobornik wrote:
> https://fedorahosted.org/freeipa/ticket/1739
>
> The attributes table (IPA.attributes_widget) used in Permissions,
> Self-Service Permissions, and Delegations is supposed to be short but
> scrollable. In Firefox 3.6 it works fine, but in Firefox 6.0 it appears
> as a long non-scrollable table which makes it more difficult to use.

ACK and pushed to master and ipa-2-1.

-- Endi S. Dewata

From simo at redhat.com Wed Aug 31 20:24:41 2011
From: simo at redhat.com (Simo Sorce)
Date: Wed, 31 Aug 2011 16:24:41 -0400
Subject: [Freeipa-devel] [PATCH] stop checking for CA ports
Message-ID: <1314822281.20296.345.camel@willson.li.ssimo.org>

We use the new proxy code for dogtag now, so we do not need to open all the CA ports as all connections go through the standard https port.
Fixes https://fedorahosted.org/freeipa/ticket/1745 Simo. -- Simo Sorce * Red Hat, Inc * New York -------------- next part -------------- A non-text attachment was scrubbed... Name: 0001-conncheck-No-need-to-check-for-CA-ports-anymore.patch Type: text/x-patch Size: 5564 bytes Desc: not available URL: From simo at redhat.com Wed Aug 31 20:26:20 2011 From: simo at redhat.com (Simo Sorce) Date: Wed, 31 Aug 2011 16:26:20 -0400 Subject: [Freeipa-devel] [PATCH] Double check kinit return Message-ID: <1314822380.20296.347.camel@willson.li.ssimo.org> At least once I had kinit fail to get a proper ticket and yet not return an error. I honestly was not able to reproduce, but add a double check to make sure we actually got a usable ticket so that ssh does not prompt again for the admin user password. Fixes: https://fedorahosted.org/freeipa/ticket/1746 -- Simo Sorce * Red Hat, Inc * New York -------------- next part -------------- A non-text attachment was scrubbed... Name: 0002-conncheck-Additional-check-to-verify-the-admin-passw.patch Type: text/x-patch Size: 1537 bytes Desc: not available URL: From simo at redhat.com Wed Aug 31 20:27:55 2011 From: simo at redhat.com (Simo Sorce) Date: Wed, 31 Aug 2011 16:27:55 -0400 Subject: [Freeipa-devel] [PATCH] #1743 Fix ipa-replica-prepare In-Reply-To: <4E5E7C86.6010600@redhat.com> References: <1314813978.20296.342.camel@willson.li.ssimo.org> <4E5E7C86.6010600@redhat.com> Message-ID: <1314822475.20296.348.camel@willson.li.ssimo.org> On Wed, 2011-08-31 at 14:25 -0400, Rob Crittenden wrote: > Simo Sorce wrote: > > We stopped using lpaddwd and kpasswd.keytab when we moved from > > ipa_kpasswd to kadmind. > > > > Unfortunately I forgot to remove their use in all places and didn't > > notice issues during testing because I used a "dirty" virtual machine > > that had a ldappwd file in place. > > > > These patches get rid of these vestiges of the past and fix the replica > > installation issues. > > > > Simo. > > ACK Pushed to master. Simo.
-- Simo Sorce * Red Hat, Inc * New York From edewata at redhat.com Wed Aug 31 21:03:34 2011 From: edewata at redhat.com (Endi Sukma Dewata) Date: Wed, 31 Aug 2011 16:03:34 -0500 Subject: [Freeipa-devel] [PATCH] 261 Fixed hard-coded UI message in entity.js. Message-ID: <4E5EA1A6.5040403@redhat.com> The hard-coded label in IPA.facet has been moved into internal.py to allow translation. Ticket #1701 -- Endi S. Dewata -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-edewata-0261-Fixed-hard-coded-UI-message-in-entity.js.patch Type: application/mbox Size: 2785 bytes Desc: not available URL: From edewata at redhat.com Wed Aug 31 22:42:30 2011 From: edewata at redhat.com (Endi Sukma Dewata) Date: Wed, 31 Aug 2011 17:42:30 -0500 Subject: [Freeipa-devel] [PATCH] 262 Fixed missing permission filter field. Message-ID: <4E5EB8D6.3020903@redhat.com> Due to a recent change, all dialog boxes are now reset initially. The IPA.target_section has been modified to show the default target (i.e. filter) and the fields properly when reset. Ticket #1748 -- Endi S. Dewata -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-edewata-0262-Fixed-missing-permission-filter-field.patch Type: application/mbox Size: 3034 bytes Desc: not available URL:
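The knownservices / AuthConfig design that Alexander describes in the platform abstraction review request above, as an added, self-contained sketch; it is not FreeIPA's ipapython.services code, and the class names, the well-known service list, the `/sbin/service` control tool and the `/usr/sbin/authconfig` path are assumptions for the example. It goes one step past the message in the direction Alexander mentions: feature and option names are checked when the chain is built rather than when the external tool rejects them, and a provider that lacks a mapping for a well-known service fails when it is loaded rather than at the first restart(). Commands are handed to an injected runner that records them, so nothing is executed.

```python
"""Added sketch of the platform-abstraction pattern (not FreeIPA code).
Platform-neutral callers name services and authconfig features symbolically;
a provider mapping and a builder translate them to the platform's commands.
An injected runner records argv lists instead of executing anything."""
import shlex

# Constructed stand-in for ipapython.platform.base.wellknownservices.
WELLKNOWN_SERVICES = ("dirsrv", "krb5kdc", "httpd")


class UnknownServiceError(KeyError):
    """A provider has no mapping for a well-known service name."""


class PlatformService:
    """Handle for one service; `unit` is the provider's platform-specific name."""

    def __init__(self, name, unit, runner):
        self.name = name
        self.unit = unit
        self._runner = runner

    def _ctl(self, action):
        # Assumed SysV-style control tool; a provider would substitute its own.
        return self._runner(["/sbin/service", self.unit, action])

    def start(self):
        return self._ctl("start")

    def restart(self):
        return self._ctl("restart")


class KnownServices:
    """Attribute-style access (knownservices.dirsrv) to the well-known services."""

    def __init__(self, provider_map, runner):
        missing = [n for n in WELLKNOWN_SERVICES if n not in provider_map]
        if missing:
            # Fail when the provider is loaded, not at the first restart() call.
            raise UnknownServiceError("provider lacks mapping for %s" % missing)
        for name in WELLKNOWN_SERVICES:
            setattr(self, name, PlatformService(name, provider_map[name], runner))


class AuthConfig:
    """Chainable builder that turns symbolic names into an authconfig argv."""
    FEATURES = frozenset({"ldap", "krb5", "sssd", "sssdauth", "mkhomedir"})
    OPTIONS = frozenset({"update", "test"})

    def __init__(self, runner, tool="/usr/sbin/authconfig"):
        self._runner = runner
        self._tool = tool
        self._args = []

    def _feature(self, prefix, name):
        if name not in self.FEATURES:  # a typo fails here, not in the tool
            raise ValueError("unknown authconfig feature: %r" % name)
        self._args.append("--%s%s" % (prefix, name))
        return self  # mutate in place and return self so the chain works

    def disable(self, name):
        return self._feature("disable", name)

    def add_option(self, name):
        if name not in self.OPTIONS:
            raise ValueError("unknown authconfig option: %r" % name)
        self._args.append("--" + name)
        return self

    def build(self):
        return [self._tool] + list(self._args)

    def execute(self):
        return self._runner(self.build())


def make_recording_runner(log):
    """Runner that appends each argv to `log` instead of spawning a process."""
    def run(argv):
        log.append(list(argv))
        return 0
    return run


def client_uninstall(services, auth_config):
    """Platform-neutral caller modelled on the hunks quoted in the message."""
    auth_config.disable("ldap").disable("krb5").disable("sssd") \
        .disable("sssdauth").disable("mkhomedir").add_option("update")
    auth_config.execute()
    services.dirsrv.restart()
    services.krb5kdc.restart()
    services.httpd.restart()


def demo():
    """Run the caller against an identity-mapped provider; return the commands."""
    log = []
    runner = make_recording_runner(log)
    identity_map = {n: n for n in WELLKNOWN_SERVICES}  # as for the redhat provider
    client_uninstall(KnownServices(identity_map, runner), AuthConfig(runner))
    return [" ".join(shlex.quote(a) for a in argv) for argv in log]
```

demo() returns the four command lines the caller would have run; swapping `identity_map` for a provider's own mapping, or `/sbin/service` for another control tool inside PlatformService, changes nothing in client_uninstall, which is the isolation the refactoring is after.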