From: ayoung at redhat.com (Adam Young)
Date: Mon, 31 Jan 2011 19:20:54 -0500
Subject: [Freeipa-devel] [PATCH] admiyo-0182-association-fixes
Message-ID: <4D4751E6.3050902@redhat.com>

This is necessary, but not sure if it is sufficient. There is at least one problem still: group->users doesn't allow enrollment. Need to fix that, but should be in a follow-on patch.

A non-text attachment was scrubbed...
Name: freeipa-admiyo-0182-association-fixes.patch
Type: text/x-patch
Size: 2281 bytes

From: ayoung at redhat.com (Adam Young)
Date: Mon, 31 Jan 2011 20:10:37 -0500
Subject: [Freeipa-devel] [PATCH] admiyo-0182-association-fixes
In-Reply-To: <4D4751E6.3050902@redhat.com>
References: <4D4751E6.3050902@redhat.com>
Message-ID: <4D475D8D.6030902@redhat.com>

On 01/31/2011 07:20 PM, Adam Young wrote:
> This is necessary, but not sure if it is sufficient. There is at
> least one problem still: group->users doesn't allow enrollment. Need
> to fix that, but should be in a follow-on patch.
>
> _______________________________________________
> Freeipa-devel mailing list
> Freeipa-devel at redhat.com
> https://www.redhat.com/mailman/listinfo/freeipa-devel

NACK myself... got a slightly better one coming.
From: ayoung at redhat.com (Adam Young)
Date: Mon, 31 Jan 2011 20:11:34 -0500
Subject: [Freeipa-devel] [PATCH] admiyo-0182-association-fixes
In-Reply-To: <4D4751E6.3050902@redhat.com>
References: <4D4751E6.3050902@redhat.com>
Message-ID: <4D475DC6.4020807@redhat.com>

On 01/31/2011 07:20 PM, Adam Young wrote:
> This is necessary, but not sure if it is sufficient. There is at
> least one problem still: group->users doesn't allow enrollment. Need
> to fix that, but should be in a follow-on patch.

Fixes the part about "group->users doesn't allow enrollment."

A non-text attachment was scrubbed...
Name: freeipa-admiyo-0182-1-association-fixes.patch
Type: text/x-patch
Size: 3027 bytes

From: edewata at redhat.com (Endi Sukma Dewata)
Date: Mon, 31 Jan 2011 19:42:57 -0600
Subject: [Freeipa-devel] [PATCH] admiyo-0182-association-fixes
In-Reply-To: <4D475DC6.4020807@redhat.com>
References: <4D4751E6.3050902@redhat.com> <4D475DC6.4020807@redhat.com>
Message-ID: <4D476521.9030505@redhat.com>

On 1/31/2011 7:11 PM, Adam Young wrote:
> On 01/31/2011 07:20 PM, Adam Young wrote:
>> This is necessary, but not sure if it is sufficient. There is at least
>> one problem still: group->users doesn't allow enrollment. Need to fix
>> that, but should be in a follow-on patch.

> Fixes the part about "group->users doesn't allow enrollment."

ACK and pushed to master.

-- 
Endi S. Dewata
From: edewata at redhat.com (Endi Sukma Dewata)
Date: Mon, 31 Jan 2011 19:48:00 -0600
Subject: [Freeipa-devel] [PATCH] Added undo for permission rights.
Message-ID: <4D476650.2000601@redhat.com>

https://fedorahosted.org/freeipa/ticket/884

-- 
Endi S. Dewata

A non-text attachment was scrubbed...
Name: freeipa-edewata-0087-Added-undo-for-permission-rights.patch
Type: text/x-patch
Size: 7800 bytes

From: ayoung at redhat.com (Adam Young)
Date: Mon, 31 Jan 2011 21:35:18 -0500
Subject: [Freeipa-devel] [PATCH] admiyo-0183-aci-association-fixes
Message-ID: <4D477166.1080402@redhat.com>

https://fedorahosted.org/freeipa/ticket/662

A non-text attachment was scrubbed...
Name: freeipa-admiyo-0183-aci-association-fixes.patch
Type: text/x-patch
Size: 4989 bytes

From: ayoung at redhat.com (Adam Young)
Date: Mon, 31 Jan 2011 21:53:43 -0500
Subject: [Freeipa-devel] [PATCH] Added undo for permission rights.
In-Reply-To: <4D476650.2000601@redhat.com>
References: <4D476650.2000601@redhat.com>
Message-ID: <4D4775B7.1000001@redhat.com>

On 01/31/2011 08:48 PM, Endi Sukma Dewata wrote:
> https://fedorahosted.org/freeipa/ticket/884

NACK

is_dirty is broken now on permissions.

A lot of code is gone from aci.js. Is that intentional?
From: rcritten at redhat.com (Rob Crittenden)
Date: Mon, 31 Jan 2011 22:15:54 -0500
Subject: [Freeipa-devel] [PATCH] 047 Add an address for a nameserver when a new zone is created during install
In-Reply-To: <20110131231427.GA5306@zeppelin.brq.redhat.com>
References: <20110131214442.GA26516@zeppelin.brq.redhat.com> <20110131175208.0f2b41c3@willson.li.ssimo.org> <20110131231427.GA5306@zeppelin.brq.redhat.com>
Message-ID: <4D477AEA.1000405@redhat.com>

Jakub Hrozek wrote:
> On Mon, Jan 31, 2011 at 05:52:08PM -0500, Simo Sorce wrote:
>> On Mon, 31 Jan 2011 22:44:43 +0100
>> Jakub Hrozek wrote:
>>
>>> https://fedorahosted.org/freeipa/ticket/881
>>>
>>> We've run into a chicken-and-egg problem during installation. If the
>>> hostname of the IPA server is not resolvable with DNS during
>>> installation, we'd add it as an NS server for a zone in both the SOA
>>> entry and an NS record -- but no records from the new zone are
>>> resolvable until Bind is restarted, including the new A/AAAA records
>>> for the nameserver.
>>>
>>> I tried restarting the named service during Bind instance creation but
>>> that didn't help... not exactly sure why. Anyway, attached is a patch
>>> that forces the NS record creation.
>>>
>>> Please note that the --force flag is available via XML-RPC only, it is
>>> completely hidden from the user otherwise.
>>
>> Minor issue but requires NACK.
>>
>> You changed the add_zone() signature to always require some parameters,
>> but did not update it in ipa-replica-prepare
>>
>> Simo.
>
> Good catch, thank you!
>
> Attached is a new patch. I also found out that I don't have to require
> all the parameters as some (such as admin email) have nice defaults in
> the DNS plugin.

This fixes it but I did have problems with the overall approach.

To test this I changed the host entry of my machine from slinky to spanky and ran the installer with --hostname=spanky.domain.
This worked for the initial install and I was able to find the previous problem with ipa-replica-prepare.

But I ran into other problems when testing this fix. The `hostname` of the machine is still slinky and very little actually worked. Restarting httpd failed and running ipa-replica-prepare failed because both were trying to contact the LDAP server on slinky, etc.

Once I ran hostname spanky.domain everything worked fine.

So ack for this bug but how should we handle these other problems?

Oh, and I've pushed it to master.

rob

From: rcritten at redhat.com (Rob Crittenden)
Date: Mon, 31 Jan 2011 22:18:28 -0500
Subject: [Freeipa-devel] [PATCH] 697 Add new schema to store information about permissions.
In-Reply-To: <4D46FBBD.5010005@redhat.com>
References: <4D46FBBD.5010005@redhat.com>
Message-ID: <4D477B84.7030507@redhat.com>

Rob Crittenden wrote:
> There are some permissions we can't display because they are stored
> outside of the basedn (such as the replication permissions). We are
> adding a new attribute to store extra information to make this clear, in
> this case READONLY.
>
> ticket 853
>
> rob

I goofed on the schema, updated patch attached.

rob

A non-text attachment was scrubbed...
Name: freeipa-rcrit-697-2-permissions.patch
Type: text/x-patch
Size: 18336 bytes
From: rcritten at redhat.com (Rob Crittenden)
Date: Mon, 31 Jan 2011 23:07:24 -0500
Subject: [Freeipa-devel] [PATCH] 0080 Sync in both direction before changing replication agreement in replica
In-Reply-To: <20110131184526.58758ea5@willson.li.ssimo.org>
References: <20110131183847.680de330@willson.li.ssimo.org> <20110131184526.58758ea5@willson.li.ssimo.org>
Message-ID: <4D4786FC.10609@redhat.com>

Simo Sorce wrote:
> On Mon, 31 Jan 2011 18:38:47 -0500
> Simo Sorce wrote:
>
>> See also ticket #887
>>
>> Simo.
>
> With a patch file it works better I guess :-)
>
> Simo.

I wasn't entirely sure how to test this so I used ipa-replica-manage re-initialize --from=master.example.com

It seemed to work, not sure how I can really tell. I did notice this in my 389-ds error log:

[31/Jan/2011:23:05:59 -0500] - import userRoot: Import complete. Processed 159 entries in 4 seconds. (39.75 entries/sec)
[31/Jan/2011:23:06:00 -0500] NSMMReplicationPlugin - multimaster_be_state_change: replica dc=example,dc=com is coming online; enabling replication
[31/Jan/2011:23:06:00 -0500] NSMMReplicationPlugin - replica_reload_ruv: Warning: new data for replica dc=example,dc=com does not match the data in the changelog. Recreating the changelog file. This could affect replication with replica's consumers in which case the consumers should be reinitialized.

rob

From: edewata at redhat.com (Endi Sukma Dewata)
Date: Mon, 31 Jan 2011 22:12:06 -0600
Subject: [Freeipa-devel] [PATCH] admiyo-0183-aci-association-fixes
In-Reply-To: <4D477166.1080402@redhat.com>
References: <4D477166.1080402@redhat.com>
Message-ID: <4D478816.3070802@redhat.com>

On 1/31/2011 8:35 PM, Adam Young wrote:
> https://fedorahosted.org/freeipa/ticket/662

ACK and pushed with minor corrections.

-- 
Endi S. Dewata
From: edewata at redhat.com (Endi Sukma Dewata)
Date: Mon, 31 Jan 2011 22:31:50 -0600
Subject: [Freeipa-devel] [PATCH] Fixed missing object reference.
Message-ID: <4D478CB6.2040300@redhat.com>

Pushed under one-liner rule.

-- 
Endi S. Dewata

A non-text attachment was scrubbed...
Name: freeipa-edewata-0090-Fixed-missing-object-reference.patch
Type: text/x-patch
Size: 1132 bytes

From: edewata at redhat.com (Endi Sukma Dewata)
Date: Mon, 31 Jan 2011 23:02:39 -0600
Subject: [Freeipa-devel] [PATCH] Added undo for permission rights.
In-Reply-To: <4D4775B7.1000001@redhat.com>
References: <4D476650.2000601@redhat.com> <4D4775B7.1000001@redhat.com>
Message-ID: <4D4793EF.5000107@redhat.com>

On 1/31/2011 8:53 PM, Adam Young wrote:
> On 01/31/2011 08:48 PM, Endi Sukma Dewata wrote:
>> https://fedorahosted.org/freeipa/ticket/884
>
> NACK
>
> is_dirty is broken now on permissions.

Could you describe which one is broken? I tried a number of things on permission and delegation but so far everything seems to be working just fine.

> A lot of code is gone from aci.js. Is that intentional?

Yes, the IPA.rights_widget now inherits from IPA.checkboxes_widget which works the same way. The only thing left is custom html generation. I added IPA.widget.create_undo() to generate standardized undo button.

-- 
Endi S. Dewata
From: jhrozek at redhat.com (Jakub Hrozek)
Date: Tue, 01 Feb 2011 10:10:32 +0100
Subject: [Freeipa-devel] [PATCH] 047 Add an address for a nameserver when a new zone is created during install
In-Reply-To: <4D477AEA.1000405@redhat.com>
References: <20110131214442.GA26516@zeppelin.brq.redhat.com> <20110131175208.0f2b41c3@willson.li.ssimo.org> <20110131231427.GA5306@zeppelin.brq.redhat.com> <4D477AEA.1000405@redhat.com>
Message-ID: <4D47CE08.4070703@redhat.com>

On 02/01/2011 04:15 AM, Rob Crittenden wrote:
> Jakub Hrozek wrote:
>> On Mon, Jan 31, 2011 at 05:52:08PM -0500, Simo Sorce wrote:
>>> On Mon, 31 Jan 2011 22:44:43 +0100
>>> Jakub Hrozek wrote:
>>>
>>>> https://fedorahosted.org/freeipa/ticket/881
>>>>
>>>> We've run into a chicken-and-egg problem during installation. If the
>>>> hostname of the IPA server is not resolvable with DNS during
>>>> installation, we'd add it as an NS server for a zone in both the SOA
>>>> entry and an NS record -- but no records from the new zone are
>>>> resolvable until Bind is restarted, including the new A/AAAA records
>>>> for the nameserver.
>>>>
>>>> I tried restarting the named service during Bind instance creation but
>>>> that didn't help... not exactly sure why. Anyway, attached is a patch
>>>> that forces the NS record creation.
>>>>
>>>> Please note that the --force flag is available via XML-RPC only, it is
>>>> completely hidden from the user otherwise.
>>>
>>> Minor issue but requires NACK.
>>>
>>> You changed the add_zone() signature to always require some parameters,
>>> but did not update it in ipa-replica-prepare
>>>
>>> Simo.
>>
>> Good catch, thank you!
>>
>> Attached is a new patch. I also found out that I don't have to require
>> all the parameters as some (such as admin email) have nice defaults in
>> the DNS plugin.
>
> This fixes it but I did have problems with the overall approach.
>
> To test this I changed the host entry of my machine from slinky to
> spanky and ran the installer with --hostname=spanky.domain.
>
> This worked for the initial install and I was able to find the previous
> problem with ipa-replica-prepare.
>
> But I ran into other problems when testing this fix. The `hostname` of
> the machine is still slinky and very little actually worked. Restarting
> httpd failed and running ipa-replica-prepare failed because both were
> trying to contact the LDAP server on slinky, etc.
>
> Once I ran hostname spanky.domain everything worked fine.
>
> So ack for this bug but how should we handle these other problems?
>
> Oh, and I've pushed it to master.
>
> rob

This makes me wonder if we tested the same setup as QE did - I was under the impression that before I introduced the "NS must be resolvable" constraint, their setup just worked even after installation.

I think I tested a little differently, too - I just added an ipaserver.testdomain entry to /etc/hosts and ran "ipa-server-install --hostname ipaserver.testdomain --no-host-dns -r TESTDOMAIN -n TESTDOMAIN"
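The chicken-and-egg case Jakub describes in this thread (the NS target lives inside the zone being created, so it cannot resolve until that zone is served) is the standard in-bailiwick glue situation. Below is an added example, written for this page and not code from FreeIPA's DNS plugin, of how a zone-creation routine can validate its nameserver without a live lookup: an NS host inside the new zone is accepted when a glue A/AAAA record is added next to it, and only an out-of-zone NS host is checked against a resolver, with a force flag that skips that check. The resolver is injected as a callable so the example runs offline; `create_zone`, `in_bailiwick`, `render`, the record tuples and the hostmaster/SOA defaults are all assumptions of the example rather than FreeIPA's API.

```python
"""Added example (not FreeIPA's DNS plugin): create the initial records of a
new zone and validate its nameserver without depending on live resolution."""
import ipaddress


def fqdn(name):
    """Normalise a DNS name to lower case with a trailing dot."""
    return name.rstrip(".").lower() + "."


def in_bailiwick(zone_name, host):
    """True when host is the zone apex or lies below it."""
    zone, host = fqdn(zone_name), fqdn(host)
    return host == zone or host.endswith("." + zone)


def create_zone(zone_name, ns_host, ns_ip=None, resolver=None, force=False,
                admin_email=None, serial=1):
    """Return the (owner, type, rdata) records for a new zone.

    ns_host inside the zone: a glue A/AAAA record (ns_ip) is required and
    added, and no lookup is attempted, because nothing in this zone can
    resolve before the zone is served.
    ns_host outside the zone: it must resolve via `resolver` (a callable
    returning a list of addresses) unless force=True.
    """
    zone, ns = fqdn(zone_name), fqdn(ns_host)
    # Assumed default: hostmaster@<zone>, written in RNAME form.
    rname = fqdn(admin_email.replace("@", ".", 1)) if admin_email else "hostmaster." + zone
    records = [
        # mname rname serial refresh retry expire minimum (assumed timers)
        (zone, "SOA", f"{ns} {rname} {serial} 3600 900 1209600 3600"),
    ]
    if in_bailiwick(zone, ns):
        if ns_ip is None:
            raise ValueError(f"{ns} is inside {zone}: a glue address is required")
        addr = ipaddress.ip_address(ns_ip)
        records.append((ns, "AAAA" if addr.version == 6 else "A", str(addr)))
    else:
        addresses = resolver(ns) if resolver is not None else []
        if not addresses and not force:
            raise ValueError(f"nameserver {ns} does not resolve; use force to override")
    records.append((zone, "NS", ns))
    return records


def render(records):
    """Zone-file style text, one record per line."""
    return "\n".join(f"{owner} IN {rtype} {rdata}" for owner, rtype, rdata in records)
```

The point of the split is that a resolvability check is only meaningful for names the new zone does not itself own; for an in-zone nameserver the correct check is that the glue is present, which is exactly what the installer can guarantee at the moment it writes the zone.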
From: mkosek at redhat.com (Martin Kosek)
Date: Tue, 01 Feb 2011 10:54:08 +0100
Subject: [Freeipa-devel] [PATCH] 696 fix modifying delegation
In-Reply-To: <4D46FB8C.3070502@redhat.com>
References: <4D46FB8C.3070502@redhat.com>
Message-ID: <1296554048.3051.21.camel@dhcp-25-52.brq.redhat.com>

On Mon, 2011-01-31 at 13:12 -0500, Rob Crittenden wrote:
> Modifying membergroup in a delegation was failing because of an
> inconsnstent use of the cli name and the attribute name and also because
> the aci plugin was not always treating memberof as a special kind of filter.
>
> ticket 869
>
> rob

ACK. This will fix ticket 870 too.

(you may want to fix a typo in the commit message: 'inconsnstent')

Martin
From: jhrozek at redhat.com (Jakub Hrozek)
Date: Tue, 01 Feb 2011 12:24:50 +0100
Subject: [Freeipa-devel] [PATCH] 664 entitlement support
In-Reply-To: <4D46D569.5010300@redhat.com>
References: <4D24906A.2060604@redhat.com> <4D4677A9.3040004@redhat.com> <4D46D569.5010300@redhat.com>
Message-ID: <4D47ED82.7070905@redhat.com>

On 01/31/2011 04:29 PM, Rob Crittenden wrote:
> Jakub Hrozek wrote:
>> On 01/05/2011 04:38 PM, Rob Crittenden wrote:
>>> This patch adds a plugin and tools for managing entitlements for host
>>> machines.
>>>
>>> Testing is rather complex so I've attached a script to help set up the
>>> Candlepin server. You'll need to ping me out of band for the backend
>>> data. This configures the Candlepin server with an in-memory database so
>>> any time tomcat6 is restarted you'll need to reload the data.
>>>
>>> You have to run candlepin.setup as root. This will configure your Fedora
>>> tomcat6 instance.
>>>
>>> Once your candlepin server is set up and IPA is installed do something
>>> like:
>>>
>>> $ ipa entitle-register admin
>>> (password is admin)
>>>
>>> $ ipa entitle-consume 25
>>>
>>> $ ipa entitle-status
>>> (verify that it is 25)
>>>
>>> # ipa-compliance
>>> (should be 1 of 50)
>>>
>>> Our tools can consume only, not return entitlements.
>>>
>>> tickets 28, 79 and 278.
>>>
>>> rob
>>
>> can you rebase the patch so it applies cleanly on the current master?
>
> attached
>
> rob

Functionally, the patch seems to be working fine -- great job! I just have a couple of minor comments:

* I think a recent change to delegation.ldif conflicts with the patch. I was able to do a 3-way merge, but please check it merges OK.
* During build, rpm-build complains about /etc/cron.d/ipa-compliance being listed twice

* the two commented lines in ipa-compliance that test Bind using DM and Bind using GSSAPI should be removed

* I think that the ipa-compliance tool never deletes the directory with the ccache (tmpdir)

* in ipa-compliance:
+ if not truncated:
+ hostcount = len(entries)
+ else:
+ # FIXME: raise an error
+ pass

I'm not opposed to FIXMEs in the code, but maybe there should be a ticket so we don't forget them. Also, hostcount should be initialized in the else: branch; later on, the code accesses it and would blow up.

* In the entitlement plugin, the 'hidden' attributes could have flags=['no_option', 'no_output'] so they don't show up in the UI

* If I consume all the entitlements with ipa entitle-consume and ask for more, I get an internal server error - we should probably catch the RestlibException from candlepin

* when I started testing I made a typo in the candlepin instance hostname. ipa entitle-register then blew up. The traceback looks like it comes from rhsm. I don't think we absolutely need to fix it now, but we should at least track it in a ticket.
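Two of the review points above (the ccache directory that is never removed, and the truncated-search branch that leaves hostcount unset) are worth fixing with a reusable pattern rather than a one-off. The example below is added for this page and is not the ipa-compliance tool's code: a context manager that creates a private directory for the Kerberos credential cache, points KRB5CCNAME at it and removes the directory on every exit path, and a count routine that refuses a truncated result instead of reporting a number that is silently too low. The names (`temporary_ccache`, `count_hosts`, `compliance_report`, `demo_cleanup`), the `SearchTruncated` exception and the KRB5CCNAME value used in the demo are assumptions of the example.

```python
"""Added example (not the ipa-compliance tool): a credential cache directory
that is always cleaned up, and a host count that fails on a truncated search."""
import os
import shutil
import tempfile
from contextlib import contextmanager


class SearchTruncated(Exception):
    """The directory server returned only part of the matching entries."""


@contextmanager
def temporary_ccache(prefix="ipa-compliance-"):
    """Yield a ccache path inside a fresh private directory and export it via
    KRB5CCNAME; restore the environment and delete the directory on exit,
    whether the body returned or raised, so tickets do not linger in /tmp."""
    tmpdir = tempfile.mkdtemp(prefix=prefix)  # mkdtemp creates it mode 0700
    ccache = os.path.join(tmpdir, "ccache")
    previous = os.environ.get("KRB5CCNAME")
    os.environ["KRB5CCNAME"] = "FILE:" + ccache
    try:
        yield ccache
    finally:
        if previous is None:
            os.environ.pop("KRB5CCNAME", None)
        else:
            os.environ["KRB5CCNAME"] = previous
        shutil.rmtree(tmpdir, ignore_errors=True)


def count_hosts(entries, truncated):
    """Number of enrolled hosts in a search result.  A truncated result would
    undercount, so raise rather than return a number that is wrong."""
    if truncated:
        raise SearchTruncated(
            "host search was truncated (size limit); raise the limit or page the search")
    return len(entries)


def compliance_report(entries, truncated, entitled):
    """Return (hostcount, entitled, compliant) for the summary line."""
    hostcount = count_hosts(entries, truncated)
    return hostcount, entitled, hostcount <= entitled


def demo_cleanup():
    """Exercise temporary_ccache() on both exit paths.  Returns
    (dir existed inside, dir gone after normal exit, dir gone after an
    exception, KRB5CCNAME restored to its previous value)."""
    original = os.environ.get("KRB5CCNAME")
    os.environ["KRB5CCNAME"] = "FILE:/tmp/krb5cc_original"  # constructed value
    with temporary_ccache() as ccache:
        tmpdir = os.path.dirname(ccache)
        existed = os.path.isdir(tmpdir) and os.environ["KRB5CCNAME"] == "FILE:" + ccache
    gone_normal = not os.path.exists(tmpdir)
    try:
        with temporary_ccache() as ccache:
            tmpdir = os.path.dirname(ccache)
            raise RuntimeError("simulated bind failure")
    except RuntimeError:
        pass
    gone_on_error = not os.path.exists(tmpdir)
    restored = os.environ.get("KRB5CCNAME") == "FILE:/tmp/krb5cc_original"
    if original is None:
        os.environ.pop("KRB5CCNAME", None)
    else:
        os.environ["KRB5CCNAME"] = original
    return existed, gone_normal, gone_on_error, restored
```

The cleanup matters beyond tidiness: a cron-driven tool that obtains a service ticket into a directory it never removes leaves a usable credential cache on disk after every run. Refusing a truncated count is the safer failure mode for a compliance report, since an undercount reads as "compliant" when the real number may not be.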
From: mkosek at redhat.com (Martin Kosek)
Date: Tue, 01 Feb 2011 12:35:16 +0100
Subject: [Freeipa-devel] [PATCH] 021 Permission rename test failing
Message-ID: <1296560116.3051.22.camel@dhcp-25-52.brq.redhat.com>

This patch fixes tests for the Permission plugin - mainly the permission-mod part. The Description field that the tests expected, and which was removed in ticket 792, was removed from the tests.

https://fedorahosted.org/freeipa/ticket/892

A non-text attachment was scrubbed...
Name: mkosek-freeipa-021-permission-rename-test-failing.patch
Type: text/x-patch
Size: 3259 bytes

From: ssorce at redhat.com (Simo Sorce)
Date: Tue, 1 Feb 2011 07:35:28 -0500
Subject: [Freeipa-devel] [PATCH] 697 Add new schema to store information about permissions.
In-Reply-To: <4D477B84.7030507@redhat.com>
References: <4D46FBBD.5010005@redhat.com> <4D477B84.7030507@redhat.com>
Message-ID: <20110201073528.1d1361ab@willson.li.ssimo.org>

On Mon, 31 Jan 2011 22:18:28 -0500
Rob Crittenden wrote:

> +output_params = (
> + Str('ipapermissionflag',
> + label=_('Permission Type'),
> + ),
> +)
> +

Why do you call the attribute "ipaPermissionFlag" if it is a type? Wouldn't it make more sense to call it ipaPermissionType?

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York
From: ssorce at redhat.com (Simo Sorce)
Date: Tue, 1 Feb 2011 07:39:14 -0500
Subject: [Freeipa-devel] [PATCH] 0080 Sync in both direction before changing replication agreement in replica
In-Reply-To: <4D4786FC.10609@redhat.com>
References: <20110131183847.680de330@willson.li.ssimo.org> <20110131184526.58758ea5@willson.li.ssimo.org> <4D4786FC.10609@redhat.com>
Message-ID: <20110201073914.0208ff2c@willson.li.ssimo.org>

On Mon, 31 Jan 2011 23:07:24 -0500
Rob Crittenden wrote:

> Simo Sorce wrote:
> > On Mon, 31 Jan 2011 18:38:47 -0500
> > Simo Sorce wrote:
> >
> >> See also ticket #887
> >>
> >> Simo.
> >
> > With a patch file it works better I guess :-)
> >
> > Simo.
>
> I wasn't entirely sure how to test this so I used ipa-replica-manage
> re-initialize --from=master.example.com
>
> It seemed to work, not sure how I can really tell. I did notice this
> in my 389-ds error log:
>
> [31/Jan/2011:23:05:59 -0500] - import userRoot: Import complete.
> Processed 159 entries in 4 seconds. (39.75 entries/sec)
> [31/Jan/2011:23:06:00 -0500] NSMMReplicationPlugin -
> multimaster_be_state_change: replica dc=example,dc=com is coming
> online; enabling replication
> [31/Jan/2011:23:06:00 -0500] NSMMReplicationPlugin -
> replica_reload_ruv: Warning: new data for replica dc=example,dc=com
> does not match the data in the changelog.
> Recreating the changelog file. This could affect replication with
> replica's consumers in which case the consumers should be
> reinitialized.
>
> rob

I changed force-sync, not re-initialize :-)

And the actual real change happened in ipa-replica-install.

So the way to test it would be to install a replica and make sure it works (I tested it on my side and it did).

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York
From: mkosek at redhat.com (Martin Kosek)
Date: Tue, 01 Feb 2011 14:11:44 +0100
Subject: [Freeipa-devel] [PATCH] 697 Add new schema to store information about permissions.
In-Reply-To: <4D477B84.7030507@redhat.com>
References: <4D46FBBD.5010005@redhat.com> <4D477B84.7030507@redhat.com>
Message-ID: <1296565904.3051.40.camel@dhcp-25-52.brq.redhat.com>

On Mon, 2011-01-31 at 22:18 -0500, Rob Crittenden wrote:
> Rob Crittenden wrote:
> > There are some permissions we can't display because they are stored
> > outside of the basedn (such as the replication permissions). We are
> > adding a new attribute to store extra information to make this clear, in
> > this case READONLY.
> >
> > ticket 853
> >
> > rob
>
> I goofed on the schema, updated patch attached.
>
> rob

NACK (but a small one)

The patch is fine, I have found only 2 minor issues and a question:

1) Permission tests got broken. You may want to apply my "[PATCH] 021 Permission rename test failing" before fixing that - so that the Permission test suite is clean.

2) In delegation.ldif: the ipapermission object class is missing for removeentitlements and modifyentitlements (it has been added for addentitlements though)

QUESTION:
In this patch you add the READONLY flag to Replica permissions. However it is not actually used and stays as just an informative flag. It won't prevent a user from modifying/removing READONLY permissions.

I guess enhancing permission-mod and permission-del with a READONLY check will be the subject of another ticket?

Martin
From: pzuna at redhat.com (Pavel Zuna)
Date: Tue, 01 Feb 2011 14:16:37 +0100
Subject: [Freeipa-devel] [PATCH] Make 'ipa help' localizable.
Message-ID: <4D4807B5.4070208@redhat.com>

For a long time, I was trying to find a way to localize python docstrings, that we use to generate the built-in documentation system. Unfortunately, python docstrings aren't meant to be localized and therefore I had to use a dirty trick: setting the __doc__ variable manually to a gettext instance.

There is one major disadvantage: tools that generate developer documentation (like epydoc) won't display docstrings set like this.

One solution would be to have docstrings twice in each module: once normally and once set using __doc__, but that would be very ugly.

This patch doesn't update .po files, because it's already big as it is. They are regenerated automatically anyway.

Ticket #179

Pavel

A non-text attachment was scrubbed...
Name: freeipa-pzuna-66-helpi18n.patch
Type: text/x-patch
Size: 26416 bytes
From: ayoung at redhat.com (Adam Young)
Date: Tue, 01 Feb 2011 08:37:07 -0500
Subject: [Freeipa-devel] [PATCH] Added undo for permission rights.
In-Reply-To: <4D4793EF.5000107@redhat.com>
References: <4D476650.2000601@redhat.com> <4D4775B7.1000001@redhat.com> <4D4793EF.5000107@redhat.com>
Message-ID: <4D480C83.1010905@redhat.com>

On 02/01/2011 12:02 AM, Endi Sukma Dewata wrote:
> On 1/31/2011 8:53 PM, Adam Young wrote:
>> On 01/31/2011 08:48 PM, Endi Sukma Dewata wrote:
>>> https://fedorahosted.org/freeipa/ticket/884
>>
>> NACK
>>
>> is_dirty is broken now on permissions.
>
> Could you describe which one is broken? I tried a number of things on
> permission and delegation but so far everything seems to be working
> just fine.

Can't reproduce now what I was seeing, so it is likely it was just the product of a tired mind. Code works well.

>> A lot of code is gone from aci.js. Is that intentional?
>
> Yes, the IPA.rights_widget now inherits from IPA.checkboxes_widget
> which works the same way. The only thing left is custom html generation.
> I added IPA.widget.create_undo() to generate standardized undo button.

ACK, pushed to master
From: jgalipea at redhat.com (Jenny Galipeau)
Date: Tue, 01 Feb 2011 08:47:46 -0500
Subject: [Freeipa-devel] [PATCH] 047 Add an address for a nameserver when a new zone is created during install
In-Reply-To: <4D47CE08.4070703@redhat.com>
References: <20110131214442.GA26516@zeppelin.brq.redhat.com> <20110131175208.0f2b41c3@willson.li.ssimo.org> <20110131231427.GA5306@zeppelin.brq.redhat.com> <4D477AEA.1000405@redhat.com> <4D47CE08.4070703@redhat.com>
Message-ID: <4D480F02.6010201@redhat.com>

Jakub Hrozek wrote:
> On 02/01/2011 04:15 AM, Rob Crittenden wrote:
>
>> Jakub Hrozek wrote:
>>
>>> On Mon, Jan 31, 2011 at 05:52:08PM -0500, Simo Sorce wrote:
>>>
>>>> On Mon, 31 Jan 2011 22:44:43 +0100
>>>> Jakub Hrozek wrote:
>>>>
>>>>> https://fedorahosted.org/freeipa/ticket/881
>>>>>
>>>>> We've run into a chicken-and-egg problem during installation. If the
>>>>> hostname of the IPA server is not resolvable with DNS during
>>>>> installation, we'd add it as an NS server for a zone in both the SOA
>>>>> entry and an NS record -- but no records from the new zone are
>>>>> resolvable until Bind is restarted, including the new A/AAAA records
>>>>> for the nameserver.
>>>>>
>>>>> I tried restarting the named service during Bind instance creation but
>>>>> that didn't help... not exactly sure why. Anyway, attached is a patch
>>>>> that forces the NS record creation.
>>>>>
>>>>> Please note that the --force flag is available via XML-RPC only, it is
>>>>> completely hidden from the user otherwise.
>>>>
>>>> Minor issue but requires NACK.
>>>>
>>>> You changed the add_zone() signature to always require some parameters,
>>>> but did not update it in ipa-replica-prepare
>>>>
>>>> Simo.
>>>
>>> Good catch, thank you!
>>>
>>> Attached is a new patch. I also found out that I don't have to require
>>> all the parameters as some (such as admin email) have nice defaults in
>>> the DNS plugin.
>>
>> This fixes it but I did have problems with the overall approach.
>>
>> To test this I changed the host entry of my machine from slinky to
>> spanky and ran the installer with --hostname=spanky.domain.
>>
>> This worked for the initial install and I was able to find the previous
>> problem with ipa-replica-prepare.
>>
>> But I ran into other problems when testing this fix. The `hostname` of
>> the machine is still slinky and very little actually worked. Restarting
>> httpd failed and running ipa-replica-prepare failed because both were
>> trying to contact the LDAP server on slinky, etc.
>>
>> Once I ran hostname spanky.domain everything worked fine.
>>
>> So ack for this bug but how should we handle these other problems?
>>
>> Oh, and I've pushed it to master.
>>
>> rob
>
> This makes me wonder if we tested the same setup as QE did - I was under
> the impression that before I introduced the "NS must be resolvable"
> constraint, their setup just worked even after installation.

It seemed to just work before :-)

> I think I tested a little differently, too - I just added an
> ipaserver.testdomain entry to /etc/hosts and ran "ipa-server-install
> --hostname ipaserver.testdomain --no-host-dns -r TESTDOMAIN -n TESTDOMAIN"

you used --no-host-dns .......

-- 
Jenny Galipeau
Principal Software QA Engineer
Red Hat, Inc. Security Engineering
From: rcritten at redhat.com (Rob Crittenden)
Date: Tue, 01 Feb 2011 09:02:56 -0500
Subject: [Freeipa-devel] [PATCH] 697 Add new schema to store information about permissions.
In-Reply-To: <20110201073528.1d1361ab@willson.li.ssimo.org>
References: <4D46FBBD.5010005@redhat.com> <4D477B84.7030507@redhat.com> <20110201073528.1d1361ab@willson.li.ssimo.org>
Message-ID: <4D481290.5030404@redhat.com>

Simo Sorce wrote:
> On Mon, 31 Jan 2011 22:18:28 -0500
> Rob Crittenden wrote:
>
>> +output_params = (
>> + Str('ipapermissionflag',
>> + label=_('Permission Type'),
>> + ),
>> +)
>> +
>
> Why do you call the attribute "ipaPermissionFlag" if it is a type?
> Wouldn't it make more sense to call it ipaPermissionType?
>
> Simo.

I like to keep people guessing but ok, I'll fix it up per your recommendation and resubmit.

rob
From: rcritten at redhat.com (Rob Crittenden)
Date: Tue, 01 Feb 2011 09:07:15 -0500
Subject: [Freeipa-devel] [PATCH] 697 Add new schema to store information about permissions.
In-Reply-To: <1296565904.3051.40.camel@dhcp-25-52.brq.redhat.com>
References: <4D46FBBD.5010005@redhat.com> <4D477B84.7030507@redhat.com> <1296565904.3051.40.camel@dhcp-25-52.brq.redhat.com>
Message-ID: <4D481393.5010402@redhat.com>

Martin Kosek wrote:
> On Mon, 2011-01-31 at 22:18 -0500, Rob Crittenden wrote:
>> Rob Crittenden wrote:
>>> There are some permissions we can't display because they are stored
>>> outside of the basedn (such as the replication permissions). We are
>>> adding a new attribute to store extra information to make this clear, in
>>> this case READONLY.
>>>
>>> ticket 853
>>>
>>> rob
>>
>> I goofed on the schema, updated patch attached.
>>
>> rob
>
> NACK (but a small one)
>
> The patch is fine, I have found only 2 minor issues and a question:
>
> 1) Permission tests got broken. You may want to apply my "[PATCH] 021
> Permission rename test failing" before fixing that - so that Permission
> test suite is clean.

Ouch, ok I'll take a look.

> 2) In delegation.ldif: ipapermission object class is missing for
> removeentitlements and modifyentitlements (it has been added for
> addentitlements though)

This was on purpose, I should have been clearer. Patch 664 makes major changes to these and I'm trying to make the merge easier. I'll fix them up when 664 gets pushed.

> QUESTION:
> In this patch you add READONLY flag to Replica permissions. However it
> is not actually used and stays as just an informative flag. It won't
> prevent user from modifying/removing READONLY permissions.
>
> I guess enhancing permission-mod and permission-del of READONLY check
> will be a subject of another ticket?

Ok, interesting point. I considered the aci itself to be read-only. The only thing a user could do is rename the permission, right?
I think that would maintain consistency so it shouldn't be a problem. It would probably be easy to really make these read-only but that would have a UI impact as well, perhaps a problematic one. I suppose if they could handle any read-only exceptions we'd raise that would be adequate. rob From jdennis at redhat.com Tue Feb 1 14:08:41 2011 
From: jdennis at redhat.com (John Dennis)
Date: Tue, 01 Feb 2011 09:08:41 -0500
Subject: [Freeipa-devel] [PATCH] Make 'ipa help' localizable.
In-Reply-To: <4D4807B5.4070208@redhat.com>
References: <4D4807B5.4070208@redhat.com>
Message-ID: <4D4813E9.2020200@redhat.com>

On 02/01/2011 08:16 AM, Pavel Zuna wrote:
> For a long time, I was trying to find a way to localize python docstrings, that
> we use to generate the built-in documentation system. Unfortunately, python
> docstrings aren't meant to be localized and therefore I had to use a dirty
> trick: setting the __doc__ variable manually to a gettext instance.
>
> There is one major disadvantage: tools that generate developer documentation
> (like epydoc) won't display docstrings set like this.
>
> One solution would be to have docstrings twice in each module: once normally and
> once set using __doc__, but that would be very ugly.
>
> This patch doesn't update .po files, because it's already big as it is. They are
> regenerated automatically anyway.
>
> Ticket #179
>
> Pavel

Hi Pavel:

I'm not sure this is the right approach. What we really want is to be able to extract the docstrings and put them in a pot file. Normally xgettext is used to "xtract" translatable strings but I don't think the python parser in xgettext is docstring aware (we should probably confirm that).

However pygettext in the python-tools package is docstring aware. From its help text:

    -D
    --docstrings
        Extract module, class, method, and function docstrings. These do
        not need to be wrapped in _() markers, and in fact cannot be for
        Python to consider them docstrings. (See also the -X option).

So rather than changing all the source code and making it non-standard I think we're better off using a more appropriate tool when building the pot file.

Use of pygettext is discussed and documented in this Python documentation link:

http://docs.python.org/library/gettext.html#internationalizing-your-programs-and-modules

You can find an interesting discussion of the docstring extraction issue in this thread:

http://mail.python.org/pipermail/i18n-sig/2001-August/001292.html

BTW, Barry Warsaw is the man behind Mailman and is one of the Python community luminaries.

--
John Dennis

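What pygettext -D does, as an added example that is not part of the thread or of FreeIPA: walk a module's AST, collect module, class and function docstrings that carry no _() marker, and emit them as .pot entries. The module source below is constructed for the example.

```python
import ast

# Constructed sample module: docstrings stay plain Python docstrings (no _()),
# which is exactly what a docstring-aware extractor relies on.
SAMPLE_MODULE = '''\
"""Manage users.

Add, modify and delete user accounts.
"""

class user_add(object):
    """Add a new user."""
    def execute(self):
        """Run the command."""
        return "ok"

def helper():
    pass
'''


def extract_docstrings(source, filename="<module>"):
    """Return [(lineno, name, docstring)] for the module and every class and
    function that has a docstring; nodes without one (helper) are skipped."""
    tree = ast.parse(source, filename)
    found = []
    module_doc = ast.get_docstring(tree, clean=False)
    if module_doc is not None:
        found.append((1, "module", module_doc))
    for node in ast.walk(tree):
        if isinstance(node, (ast.FunctionDef, ast.AsyncFunctionDef, ast.ClassDef)):
            doc = ast.get_docstring(node, clean=False)
            if doc is not None:
                found.append((node.lineno, node.name, doc))
    found.sort()
    return found


def _pot_escape(text):
    return text.replace("\\", "\\\\").replace('"', '\\"')


def to_pot(entries, filename="<module>"):
    """Render extracted docstrings as gettext .pot entries. Multi-line
    docstrings use the usual empty msgid followed by one quoted line each,
    with \\n escapes kept so the translator sees the original layout."""
    out = []
    for lineno, name, doc in entries:
        out.append("#. docstring of %s" % name)
        out.append("#: %s:%d" % (filename, lineno))
        lines = doc.split("\n")
        if len(lines) == 1:
            out.append('msgid "%s"' % _pot_escape(doc))
        else:
            out.append('msgid ""')
            for i, line in enumerate(lines):
                nl = "\\n" if i < len(lines) - 1 else ""
                out.append('"%s%s"' % (_pot_escape(line), nl))
        out.append('msgstr ""')
        out.append("")
    return "\n".join(out)


if __name__ == "__main__":
    print(to_pot(extract_docstrings(SAMPLE_MODULE, "user.py"), "user.py"))
```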
From: pzuna at redhat.com (Pavel Zuna)
Date: Tue, 01 Feb 2011 15:10:59 +0100
Subject: [Freeipa-devel] [PATCH] Make 'ipa help' localizable.
In-Reply-To: <4D4813E9.2020200@redhat.com>
References: <4D4807B5.4070208@redhat.com> <4D4813E9.2020200@redhat.com>
Message-ID: <4D481473.8080706@redhat.com>

On 02/01/2011 03:08 PM, John Dennis wrote:
> On 02/01/2011 08:16 AM, Pavel Zuna wrote:
>> For a long time, I was trying to find a way to localize python
>> docstrings, that we use to generate the built-in documentation system.
>> Unfortunately, python docstrings aren't meant to be localized and
>> therefore I had to use a dirty trick: setting the __doc__ variable
>> manually to a gettext instance.
>>
>> There is one major disadvantage: tools that generate developer
>> documentation (like epydoc) won't display docstrings set like this.
>>
>> One solution would be to have docstrings twice in each module: once
>> normally and once set using __doc__, but that would be very ugly.
>>
>> This patch doesn't update .po files, because it's already big as it
>> is. They are regenerated automatically anyway.
>>
>> Ticket #179
>>
>> Pavel
>
> Hi Pavel:
>
> I'm not sure this is the right approach. What we really want is to be
> able to extract the docstrings and put them in a pot file. Normally
> xgettext is used to "xtract" translatable strings but I don't think the
> python parser in xgettext is docstring aware (we should probably confirm
> that).
>
> However pygettext in the python-tools package is docstring aware. From
> its help text:
>
>     -D
>     --docstrings
>         Extract module, class, method, and function docstrings. These do
>         not need to be wrapped in _() markers, and in fact cannot be for
>         Python to consider them docstrings. (See also the -X option).
>
> So rather than changing all the source code and making it non-standard I
> think we're better off using a more appropriate tool when building the
> pot file.
>
> Use of pygettext is discussed and documented in this Python
> documentation link:
>
> http://docs.python.org/library/gettext.html#internationalizing-your-programs-and-modules
>
> You can find an interesting discussion of the docstring extraction issue
> in this thread:
>
> http://mail.python.org/pipermail/i18n-sig/2001-August/001292.html
>
> BTW, Barry Warsaw is the man behind Mailman and is one of the Python
> community luminaries.

Thanks for the tips! I'll see what I can do.

Pavel

From: mkosek at redhat.com (Martin Kosek)
Date: Tue, 01 Feb 2011 15:16:18 +0100
Subject: [Freeipa-devel] [PATCH] 697 Add new schema to store information about permissions.
In-Reply-To: <4D481393.5010402@redhat.com>
References: <4D46FBBD.5010005@redhat.com> <4D477B84.7030507@redhat.com> <1296565904.3051.40.camel@dhcp-25-52.brq.redhat.com> <4D481393.5010402@redhat.com>
Message-ID: <1296569778.3051.45.camel@dhcp-25-52.brq.redhat.com>

On Tue, 2011-02-01 at 09:07 -0500, Rob Crittenden wrote:
> Martin Kosek wrote:
> > 2) In delegation.ldif: ipapermission object class is missing for
> > removeentitlements and modifyentitlements (it has been added for
> > addentitlements though)
>
> This was on purpose, I should have been clearer. Patch 664 makes major
> changes to these and I'm trying to make the merge easier. I'll fix them
> up when 664 gets pushed.

I thought so. I was confused by the addentitlements permission, whose objectclass was updated. We just have to make sure that the entitlements patch includes this new objectClass.

> > QUESTION:
> > In this patch you add READONLY flag to Replica permissions. However it
> > is not actually used and stays as just an informative flag. It won't
> > prevent user from modifying/removing READONLY permissions.
> >
> > I guess enhancing permission-mod and permission-del of READONLY check
> > will be a subject of another ticket?
>
> Ok, interesting point. I considered the aci itself to be read-only. The
> only thing a user could do is rename the permission, right? I think that
> would maintain consistency so it shouldn't be a problem. It would
> probably be easy to really make these read-only but that would have a UI
> impact as well, perhaps a problematic one. I suppose if they could
> handle any read-only exceptions we'd raise that would be adequate.
>
> rob

Yes, a user could rename or delete the permission. In both cases it won't have any effect on the ACI as the ACI plugin does not see it. But I think it would be nice to prevent modifications to these permissions when we have this new and shiny READONLY flag. A read-only exception may be a way to achieve this...

Martin

From: rcritten at redhat.com (Rob Crittenden)
Date: Tue, 01 Feb 2011 10:15:34 -0500
Subject: [Freeipa-devel] [PATCH] 664 entitlement support
In-Reply-To: <4D47ED82.7070905@redhat.com>
References: <4D24906A.2060604@redhat.com> <4D4677A9.3040004@redhat.com> <4D46D569.5010300@redhat.com> <4D47ED82.7070905@redhat.com>
Message-ID: <4D482396.6070305@redhat.com>

Jakub Hrozek wrote:
> On 01/31/2011 04:29 PM, Rob Crittenden wrote:
>> Jakub Hrozek wrote:
>>> On 01/05/2011 04:38 PM, Rob Crittenden wrote:
>>>> This patch adds a plugin and tools for managing entitlements for host
>>>> machines.
>>>>
>>>> Testing is rather complex so I've attached a script to help set up the
>>>> Candlepin server. You'll need to ping me out of band for the backend
>>>> data. This configures the Candlepin server with an in-memory database so
>>>> any time tomcat6 is restarted you'll need to reload the data.
>>>>
>>>> You have to run candlepin.setup as root. This will configure your Fedora
>>>> tomcat6 instance.
>>>>
>>>> Once your candlepin server is set up and IPA is installed do something
>>>> like:
>>>>
>>>> $ ipa entitle-register admin
>>>> (password is admin)
>>>>
>>>> $ ipa entitle-consume 25
>>>>
>>>> $ ipa entitle-status
>>>> (verify that it is 25)
>>>>
>>>> # ipa-compliance
>>>> (should be 1 of 50)
>>>>
>>>> Our tools can consume only, not return entitlements.
>>>>
>>>> tickets 28, 79 and 278.
>>>>
>>>> rob
>>>
>>> can you rebase the patch so it applies cleanly on the current master?
>>
>> attached
>>
>> rob
>
> Functionally, the patch seems to be working fine -- great job!
>
> I just have a couple of minor comments:
>
> * I think a recent change to delegation.ldif conflicts with the patch.
> I was able to do a 3-way merge, but please check it merges OK.
>
> * During build, rpm-build complains about /etc/cron.d/ipa-compliance
> being listed twice
>
> * the two commented lines in ipa-compliance that test Bind using DM and
> Bind using GSSAPI should be removed
>
> * I think that the ipa-compliance tool never deletes the directory with
> the ccache (tmpdir)
>
> * in ipa-compliance:
> + if not truncated:
> + hostcount = len(entries)
> + else:
> + # FIXME: raise an error
> + pass
> I'm not opposed to FIXMEs in the code, but maybe there should be a
> ticket so we don't forget them. Also, hostcount should be initialized in
> the else: branch, later on, the code accesses it and would blow up.
>
> * In the entitlement plugin, the 'hidden' attributes could have
> flags=['no_option', 'no_output'] so they don't show up in the UI
>
> * If I consume all the entitlements with ipa entitle-consume and ask
> for more, I get an internal server error - we should probably catch the
> RestlibException from candlepin
>
> * when I started testing I made a typo in the candlepin instance
> hostname. ipa entitle-register then blew up.. The traceback looks like
> it comes from rhsm. I don't think we absolutely need to fix it now, but
> we should at least track it in a ticket.

Here is a diff of the changes you suggested, I think they cover all the bases.

rob

-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: changes
URL:

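Review bot: in the quoted ipa-compliance fragment, `hostcount` is bound only in the `if not truncated:` branch; the `else:` branch is a bare `pass` under the FIXME, so when the search result is truncated every later use of `hostcount` raises NameError instead of reporting anything. Either raise in the `else:` branch, as the FIXME already says, or assign `hostcount = len(entries)` before the `if` and mark the count as a lower bound in the compliance output, so a truncated search can never silently pass as a complete one.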
From: rmeggins at redhat.com (Rich Megginson)
Date: Tue, 01 Feb 2011 09:07:58 -0700
Subject: [Freeipa-devel] [PATCH] 0080 Sync in both direction before changing replication agreement in replica
In-Reply-To: <4D4786FC.10609@redhat.com>
References: <20110131183847.680de330@willson.li.ssimo.org> <20110131184526.58758ea5@willson.li.ssimo.org> <4D4786FC.10609@redhat.com>
Message-ID: <4D482FDE.50500@redhat.com>

On 01/31/2011 09:07 PM, Rob Crittenden wrote:
> Simo Sorce wrote:
>> On Mon, 31 Jan 2011 18:38:47 -0500
>> Simo Sorce wrote:
>>
>>> See also ticket #887
>>>
>>> Simo.
>>
>> With a patch file it works better I guess :-)
>>
>> Simo.
>
> I wasn't entirely sure how to test this so I used ipa-replica-manage
> re-initialize --from=master.example.com
>
> It seemed to work, not sure how I can really tell. I did notice this
> in my 389-ds error log:
>
> [31/Jan/2011:23:05:59 -0500] - import userRoot: Import complete.
> Processed 159 entries in 4 seconds. (39.75 entries/sec)
> [31/Jan/2011:23:06:00 -0500] NSMMReplicationPlugin -
> multimaster_be_state_change: replica dc=example,dc=com is coming
> online; enabling replication
> [31/Jan/2011:23:06:00 -0500] NSMMReplicationPlugin -
> replica_reload_ruv: Warning: new data for replica dc=example,dc=com
> does not match the data in the changelog.
> Recreating the changelog file. This could affect replication with
> replica's consumers in which case the consumers should be reinitialized.

This should be ok. This basically means "hey, your database has just been reloaded". The server should wipe out the changelog and create a new one.

> rob

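The error-log warning above is benign right after a re-initialize but worth noticing anywhere else, since a recreated changelog can leave that replica's consumers needing a re-init. The added example below, which is not part of the thread or of 389-ds, parses a constructed errors log modelled on the lines Rob quoted and tags each changelog recreation as expected (an import completed earlier in the log) or unexplained.

```python
import re

# Constructed sample, modelled on the 389-ds errors log lines quoted in the
# thread. The line without a timestamp is the second half of the
# replica_reload_ruv warning, which 389-ds emits as a continuation line.
SAMPLE_ERRORS_LOG = """\
[31/Jan/2011:23:05:59 -0500] - import userRoot: Import complete.  Processed 159 entries in 4 seconds. (39.75 entries/sec)
[31/Jan/2011:23:06:00 -0500] NSMMReplicationPlugin - multimaster_be_state_change: replica dc=example,dc=com is coming online; enabling replication
[31/Jan/2011:23:06:00 -0500] NSMMReplicationPlugin - replica_reload_ruv: Warning: new data for replica dc=example,dc=com does not match the data in the changelog.
 Recreating the changelog file. This could affect replication with replica's consumers in which case the consumers should be reinitialized.
"""

TIMESTAMPED = re.compile(r"^\[(?P<ts>[^\]]+)\]\s+(?P<msg>.*)$")
IMPORT_DONE = re.compile(
    r"import (?P<backend>\S+): Import complete\.\s+Processed (?P<count>\d+) entries")
RUV_MISMATCH = re.compile(
    r"replica_reload_ruv: Warning: new data for replica (?P<suffix>\S+) does not match")


def parse_records(text):
    """Split the errors log into records, folding continuation lines (lines
    that do not start with a [timestamp]) into the record before them."""
    records = []
    for raw in text.splitlines():
        m = TIMESTAMPED.match(raw)
        if m:
            records.append({"ts": m.group("ts"), "msg": m.group("msg")})
        elif records and raw.strip():
            records[-1]["msg"] += " " + raw.strip()
    return records


def classify_changelog_recreations(text):
    """One event per changelog recreation warning. status is
    'expected-after-import' when a backend import completed earlier in the
    same log (the re-initialize case), otherwise 'unexplained', which an
    operator should look at before trusting the consumers of that replica."""
    events = []
    imports_seen = []
    for rec in parse_records(text):
        imp = IMPORT_DONE.search(rec["msg"])
        if imp:
            imports_seen.append((rec["ts"], imp.group("backend"), int(imp.group("count"))))
            continue
        ruv = RUV_MISMATCH.search(rec["msg"])
        if ruv:
            events.append({
                "ts": rec["ts"],
                "suffix": ruv.group("suffix"),
                "status": "expected-after-import" if imports_seen else "unexplained",
                "consumers_may_need_reinit": "consumers should be reinitialized" in rec["msg"],
                "preceding_imports": list(imports_seen),
            })
    return events


if __name__ == "__main__":
    for event in classify_changelog_recreations(SAMPLE_ERRORS_LOG):
        print(event)
```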
From: ssorce at redhat.com (Simo Sorce)
Date: Tue, 1 Feb 2011 11:14:38 -0500
Subject: [Freeipa-devel] Changelog error after re-initialize. [WAS [PATCH] 0080 ..]
In-Reply-To: <4D482FDE.50500@redhat.com>
References: <20110131183847.680de330@willson.li.ssimo.org> <20110131184526.58758ea5@willson.li.ssimo.org> <4D4786FC.10609@redhat.com> <4D482FDE.50500@redhat.com>
Message-ID: <20110201111438.1a2e0373@willson.li.ssimo.org>

On Tue, 01 Feb 2011 09:07:58 -0700
Rich Megginson wrote:

> On 01/31/2011 09:07 PM, Rob Crittenden wrote:
> > Simo Sorce wrote:
> >> On Mon, 31 Jan 2011 18:38:47 -0500
> >> Simo Sorce wrote:
> >>
> >>> See also ticket #887
> >>>
> >>> Simo.
> >>
> >> With a patch file it works better I guess :-)
> >>
> >> Simo.
> >
> > I wasn't entirely sure how to test this so I used ipa-replica-manage
> > re-initialize --from=master.example.com
> >
> > It seemed to work, not sure how I can really tell. I did notice
> > this in my 389-ds error log:
> >
> > [31/Jan/2011:23:05:59 -0500] - import userRoot: Import complete.
> > Processed 159 entries in 4 seconds. (39.75 entries/sec)
> > [31/Jan/2011:23:06:00 -0500] NSMMReplicationPlugin -
> > multimaster_be_state_change: replica dc=example,dc=com is coming
> > online; enabling replication
> > [31/Jan/2011:23:06:00 -0500] NSMMReplicationPlugin -
> > replica_reload_ruv: Warning: new data for replica dc=example,dc=com
> > does not match the data in the changelog.
> > Recreating the changelog file. This could affect replication with
> > replica's consumers in which case the consumers should be
> > reinitialized.
>
> This should be ok. This basically means "hey, your database has just
> been reloaded". The server should wipe out the changelog and create a
> new one.

Is this something the server will do automatically? Or is it an action we need to add to our scripts?

Simo.

--
Simo Sorce * Red Hat, Inc * New York

From: rmeggins at redhat.com (Rich Megginson)
Date: Tue, 01 Feb 2011 09:20:17 -0700
Subject: [Freeipa-devel] Changelog error after re-initialize. [WAS [PATCH] 0080 ..]
In-Reply-To: <20110201111438.1a2e0373@willson.li.ssimo.org>
References: <20110131183847.680de330@willson.li.ssimo.org> <20110131184526.58758ea5@willson.li.ssimo.org> <4D4786FC.10609@redhat.com> <4D482FDE.50500@redhat.com> <20110201111438.1a2e0373@willson.li.ssimo.org>
Message-ID: <4D4832C1.5050302@redhat.com>

On 02/01/2011 09:14 AM, Simo Sorce wrote:
> On Tue, 01 Feb 2011 09:07:58 -0700
> Rich Megginson wrote:
>
>> On 01/31/2011 09:07 PM, Rob Crittenden wrote:
>>> Simo Sorce wrote:
>>>> On Mon, 31 Jan 2011 18:38:47 -0500
>>>> Simo Sorce wrote:
>>>>
>>>>> See also ticket #887
>>>>>
>>>>> Simo.
>>>>
>>>> With a patch file it works better I guess :-)
>>>>
>>>> Simo.
>>>
>>> I wasn't entirely sure how to test this so I used ipa-replica-manage
>>> re-initialize --from=master.example.com
>>>
>>> It seemed to work, not sure how I can really tell. I did notice
>>> this in my 389-ds error log:
>>>
>>> [31/Jan/2011:23:05:59 -0500] - import userRoot: Import complete.
>>> Processed 159 entries in 4 seconds. (39.75 entries/sec)
>>> [31/Jan/2011:23:06:00 -0500] NSMMReplicationPlugin -
>>> multimaster_be_state_change: replica dc=example,dc=com is coming
>>> online; enabling replication
>>> [31/Jan/2011:23:06:00 -0500] NSMMReplicationPlugin -
>>> replica_reload_ruv: Warning: new data for replica dc=example,dc=com
>>> does not match the data in the changelog.
>>> Recreating the changelog file. This could affect replication with
>>> replica's consumers in which case the consumers should be
>>> reinitialized.
>>
>> This should be ok. This basically means "hey, your database has just
>> been reloaded". The server should wipe out the changelog and create a
>> new one.
>
> Is this something the server will do automatically?

Yes.

> Or is it an action we need to add to our scripts?

No.

> Simo.

From: rcritten at redhat.com (Rob Crittenden)
Date: Tue, 01 Feb 2011 11:58:53 -0500
Subject: [Freeipa-devel] [PATCH] 697 Add new schema to store information about permissions.
In-Reply-To: <1296569778.3051.45.camel@dhcp-25-52.brq.redhat.com>
References: <4D46FBBD.5010005@redhat.com> <4D477B84.7030507@redhat.com> <1296565904.3051.40.camel@dhcp-25-52.brq.redhat.com> <4D481393.5010402@redhat.com> <1296569778.3051.45.camel@dhcp-25-52.brq.redhat.com>
Message-ID: <4D483BCD.8010604@redhat.com>

Martin Kosek wrote:
> On Tue, 2011-02-01 at 09:07 -0500, Rob Crittenden wrote:
>> Martin Kosek wrote:
>>> 2) In delegation.ldif: ipapermission object class is missing for
>>> removeentitlements and modifyentitlements (it has been added for
>>> addentitlements though)
>>
>> This was on purpose, I should have been clearer. Patch 664 makes major
>> changes to these and I'm trying to make the merge easier. I'll fix them
>> up when 664 gets pushed.
>
> I thought so. I was confused by the addentitlements permission, whose
> objectclass was updated. We just have to make sure that the
> entitlements patch includes this new objectClass.
>
>>> QUESTION:
>>> In this patch you add READONLY flag to Replica permissions. However it
>>> is not actually used and stays as just an informative flag. It won't
>>> prevent user from modifying/removing READONLY permissions.
>>>
>>> I guess enhancing permission-mod and permission-del of READONLY check
>>> will be a subject of another ticket?
>>
>> Ok, interesting point. I considered the aci itself to be read-only. The
>> only thing a user could do is rename the permission, right? I think that
>> would maintain consistency so it shouldn't be a problem. It would
>> probably be easy to really make these read-only but that would have a UI
>> impact as well, perhaps a problematic one. I suppose if they could
>> handle any read-only exceptions we'd raise that would be adequate.
>>
>> rob
>
> Yes, a user could rename or delete the permission. In both cases it won't have
> any effect on the ACI as the ACI plugin does not see it. But I think it
> would be nice to prevent modifications to these permissions when we have
> this new and shiny READONLY flag. A read-only exception may be a way to
> achieve this...
>
> Martin

I think I got everything. Simo suggested using SYSTEM instead of READONLY so I switched to that. I also renamed the attribute to ipapermissiontype and added enforcement over mod/del.

rob

-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-rcrit-697-3-permissions.patch
Type: text/x-patch
Size: 19659 bytes
Desc: not available
URL:

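The point Martin raised is that a type marker protects nothing until the write paths check it. The added example below is not FreeIPA's code: a minimal in-memory permission store where entries carry an ipapermissiontype attribute and mod, rename and del refuse SYSTEM entries, with an enforce switch to contrast the informative-only flag with the enforced one. The permission names and ACI values are constructed.

```python
SYSTEM = "SYSTEM"


class ProtectedEntryError(Exception):
    """The operation would modify, rename or delete a SYSTEM permission."""


class PermissionStore:
    """Hypothetical store standing in for the permission entries; `enforce`
    selects whether the SYSTEM marker is checked or merely stored."""

    def __init__(self, enforce=True):
        self.enforce = enforce
        self._entries = {}

    def add(self, cn, aci, types=()):
        self._entries[cn] = {"cn": cn, "aci": aci, "ipapermissiontype": list(types)}

    def get(self, cn):
        return dict(self._entries[cn])

    def _writable(self, cn):
        """Single gate used by every write path, so none of them can forget it."""
        entry = self._entries[cn]  # KeyError for an unknown permission
        if self.enforce and SYSTEM in entry["ipapermissiontype"]:
            raise ProtectedEntryError("%r is a %s permission and cannot be changed" % (cn, SYSTEM))
        return entry

    def mod(self, cn, **changes):
        entry = self._writable(cn)
        if "ipapermissiontype" in changes:
            # The marker itself is not user-settable, or a caller could clear it
            # first and then delete the entry.
            raise ProtectedEntryError("ipapermissiontype is not user-settable")
        entry.update(changes)
        return dict(entry)

    def rename(self, cn, new_cn):
        # A rename modifies the entry's RDN, so it goes through the same gate;
        # this closes the "user could still rename it" case from the thread.
        entry = self._writable(cn)
        if new_cn in self._entries:
            raise ValueError("permission %r already exists" % new_cn)
        del self._entries[cn]
        entry["cn"] = new_cn
        self._entries[new_cn] = entry
        return dict(entry)

    def delete(self, cn):
        self._writable(cn)
        del self._entries[cn]


def refuses(store, op, *args, **kwargs):
    """True if the operation is rejected by the SYSTEM check."""
    try:
        getattr(store, op)(*args, **kwargs)
    except ProtectedEntryError:
        return True
    return False


def demo(enforce):
    """Seed two constructed replica-style SYSTEM permissions and an ordinary
    one, try the operations a user could issue, and return which were refused."""
    store = PermissionStore(enforce=enforce)
    store.add("Add Replication Agreements", aci="(constructed aci)", types=[SYSTEM])
    store.add("Remove Replication Agreements", aci="(constructed aci)", types=[SYSTEM])
    store.add("Add Users", aci="(constructed aci)")
    attempts = [
        ("mod", ("Add Replication Agreements",), {"description": "edited"}),
        ("rename", ("Remove Replication Agreements", "Remove Replicas"), {}),
        ("delete", ("Add Replication Agreements",), {}),
        ("delete", ("Add Users",), {}),  # ordinary permission: always allowed
    ]
    return [op for op, args, kw in attempts if refuses(store, op, *args, **kw)]


if __name__ == "__main__":
    print("informative only:", demo(enforce=False))  # []
    print("enforced:        ", demo(enforce=True))   # ['mod', 'rename', 'delete']
```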
From: rcritten at redhat.com (Rob Crittenden)
Date: Tue, 01 Feb 2011 12:06:13 -0500
Subject: [Freeipa-devel] [PATCH] Provide a way to display CLI-LDAP attribute relation
In-Reply-To: <201101310951.36041.jzeleny@redhat.com>
References: <201101261439.24085.jzeleny@redhat.com> <4D430839.9080705@redhat.com> <201101310951.36041.jzeleny@redhat.com>
Message-ID: <4D483D85.7020702@redhat.com>

Jan Zelený wrote:
> Rob Crittenden wrote:
>> Jan Zelený wrote:
>>> Since some LDAP attributes have their cli_name value defined,
>>> so they can be more user friendly, it can be difficult for a user to find
>>> out which attributes the parameters given to the CLI really represent.
>>> This patch provides a new command, which will take another IPA command as
>>> an argument and display the attributes which the given command takes and what
>>> LDAP attributes they are mapped to.
>>>
>>> https://fedorahosted.org/freeipa/ticket/447
>>>
>>> When reviewing, please pay attention to line 39 of the patch (detection
>>> of the 'webui' in param.excludes). I think this is the right approach,
>>> but I'm not 100% sure.
>>>
>>> Thanks
>>> Jan
>>
>> nack.
>
> I'm sending updated patch. Few comments:
>
>> The argument should be a Str, not Bytes.
>
> Should I change it in class help then? That's where I copied this from.

I think so.

>> This will blow up as expected in the FIXME if an unknown command is
>> passed in.
>
> Fixed, thanks.

Not to be pedantic but I think it should return a non-zero error code too on error.

>> ipa show-mappings user-show returns just 'rights'
>
> If it was acting correctly, it shouldn't be displayed at all, because it
> is not LDAP based (and user-show doesn't take any other LDAP-based
> arguments/options).
>
> I'm just not sure how to do this with minimal changes. One option is to create
> a new flag denoting whether a parameter is LDAP based or not and for each parameter
> set it appropriately, but that is just too much effort for something that is
> not that important. That's why I use the 'webui' flag to filter things at least
> a little bit.

You should have the object Params list available, right? Can you use that to show at least some attributes?

>> Should it take a second arg or an option to lookup a specific
>> attribute/option pair?
>
> Frankly I don't see any real benefit. I thought about it when Dmitri suggested
> it, but commands don't take that many options - IMO it's not a problem to find
> one in a list of ten.

Ok, that's true

rob

From: edewata at redhat.com (Endi Sukma Dewata)
Date: Tue, 01 Feb 2011 11:06:59 -0600
Subject: [Freeipa-devel] [PATCH] Fixed attribute name for delegation member group.
Message-ID: <4D483DB3.5060601@redhat.com>

This is the UI fix for this bug:
https://fedorahosted.org/freeipa/ticket/870

Pushed under one-liner rule.

--
Endi S. Dewata

-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-edewata-0091-Fixed-attribute-name-for-delegation-member-group.patch
Type: text/x-patch
Size: 1102 bytes
Desc: not available
URL:

From: rcritten at redhat.com (Rob Crittenden)
Date: Tue, 01 Feb 2011 12:07:58 -0500
Subject: [Freeipa-devel] [PATCH] 696 fix modifying delegation
In-Reply-To: <1296554048.3051.21.camel@dhcp-25-52.brq.redhat.com>
References: <4D46FB8C.3070502@redhat.com> <1296554048.3051.21.camel@dhcp-25-52.brq.redhat.com>
Message-ID: <4D483DEE.9000406@redhat.com>

Martin Kosek wrote:
> On Mon, 2011-01-31 at 13:12 -0500, Rob Crittenden wrote:
>> Modifying membergroup in a delegation was failing because of an
>> inconsnstent use of the cli name and the attribute name and also because
>> the aci plugin was not always treating memberof as a special kind of filter.
>>
>> ticket 869
>>
>> rob
>
> ACK. This will fix ticket 870 too.
>
> (you may want to fix a typo in the commit message: 'inconsnstent')
>
> Martin

thanks, pushed to master (and yes, I forgot to fix the typo :-( )

From: rcritten at redhat.com (Rob Crittenden)
Date: Tue, 01 Feb 2011 12:12:35 -0500
Subject: [Freeipa-devel] [PATCH] Changed dns permission types
In-Reply-To: <201101251335.13954.jzeleny@redhat.com>
References: <201101071805.18499.jzeleny@redhat.com> <4D3E42D3.2020604@redhat.com> <201101251135.41893.jzeleny@redhat.com> <201101251335.13954.jzeleny@redhat.com>
Message-ID: <4D483F03.1010709@redhat.com>

Jan Zelený wrote:
> Jan Zelený wrote:
>> Rob Crittenden wrote:
>>> Jan Zelený wrote:
>>>> Rob Crittenden wrote:
>>>>> Jan Zelený wrote:
>>>>>> Recent change of DNS module to version caused that dns object type
>>>>>> was replaced by dnszone and dnsrecord. This patch corrects dns types
>>>>>> in permissions class.
>>>>>>
>>>>>> https://fedorahosted.org/freeipa/ticket/646
>>>>>
>>>>> Nack. These values need to be added as valid types to the aci plugin
>>>>> and the _type_map needs to be updated.
>>>>>
>>>>> rob
>>>>
>>>> I'm sending an updated patch.
>>>>
>>>> Jan
>>>
>>> Since dnszone and dnsrecord point to the same kind of entry what is the
>>> point of having two separate names for them? When we read the entry we
>>> aren't going to be able to differentiate between the two.
>>
>> I didn't take a look how the type thing works, so I'm kinda guessing here
>> (please ignore the comment if it is wrong):
>> Sure, an object with the idnszone class is always also in the dnsrecord class, but
>> that's not the case backwards (an idnsrecord object isn't always idnszone) -
>> so I think it is possible to set different ACIs for these two types.
>>
>>> Can the type be made more specific?
>>
>> If the mapping doesn't distinguish object classes and it can, maybe that's
>> the answer. Will investigate further. But if not, I still think this is
>> the way to go considering the underlying issue which we tried to solve by
>> this change.
>
> From what I found I think that making the changes necessary to distinguish
> dnsrecord and dnszone is not worth it, especially as the user can use "filter"
> for that purpose. Since having both of them doesn't have any additional value,
> I'm sending a new version of the patch, which is only adding the dnsrecord type.
>
> Jan

Ack but this patch needs a rebase.

rob

From: jhrozek at redhat.com (Jakub Hrozek)
Date: Tue, 01 Feb 2011 19:02:09 +0100
Subject: [Freeipa-devel] [PATCH] 664 entitlement support
In-Reply-To: <4D482396.6070305@redhat.com>
References: <4D24906A.2060604@redhat.com> <4D4677A9.3040004@redhat.com> <4D46D569.5010300@redhat.com> <4D47ED82.7070905@redhat.com> <4D482396.6070305@redhat.com>
Message-ID: <4D484AA1.20603@redhat.com>

On 02/01/2011 04:15 PM, Rob Crittenden wrote:
> Jakub Hrozek wrote:
>> On 01/31/2011 04:29 PM, Rob Crittenden wrote:
>>> Jakub Hrozek wrote:
>>>> On 01/05/2011 04:38 PM, Rob Crittenden wrote:
>>>>> This patch adds a plugin and tools for managing entitlements for host
>>>>> machines.
>>>>>
>>>>> Testing is rather complex so I've attached a script to help set up the
>>>>> Candlepin server. You'll need to ping me out of band for the backend
>>>>> data. This configures the Candlepin server with an in-memory
>>>>> database so any time tomcat6 is restarted you'll need to reload the data.
>>>>>
>>>>> You have to run candlepin.setup as root. This will configure your
>>>>> Fedora tomcat6 instance.
>>>>>
>>>>> Once your candlepin server is set up and IPA is installed do something
>>>>> like:
>>>>>
>>>>> $ ipa entitle-register admin
>>>>> (password is admin)
>>>>>
>>>>> $ ipa entitle-consume 25
>>>>>
>>>>> $ ipa entitle-status
>>>>> (verify that it is 25)
>>>>>
>>>>> # ipa-compliance
>>>>> (should be 1 of 50)
>>>>>
>>>>> Our tools can consume only, not return entitlements.
>>>>>
>>>>> tickets 28, 79 and 278.
>>>>>
>>>>> rob
>>>>
>>>> can you rebase the patch so it applies cleanly on the current master?
>>>
>>> attached
>>>
>>> rob
>>
>> Functionally, the patch seems to be working fine -- great job!
>>
>> I just have a couple of minor comments:
>>
>> * I think a recent change to delegation.ldif conflicts with the patch.
>> I was able to do a 3-way merge, but please check it merges OK.
>>
>> * During build, rpm-build complains about /etc/cron.d/ipa-compliance
>> being listed twice
>>
>> * the two commented lines in ipa-compliance that test Bind using DM and
>> Bind using GSSAPI should be removed
>>
>> * I think that the ipa-compliance tool never deletes the directory with
>> the ccache (tmpdir)
>>
>> * in ipa-compliance:
>> + if not truncated:
>> + hostcount = len(entries)
>> + else:
>> + # FIXME: raise an error
>> + pass
>> I'm not opposed to FIXMEs in the code, but maybe there should be a
>> ticket so we don't forget them. Also, hostcount should be initialized in
>> the else: branch, later on, the code accesses it and would blow up.
>>
>> * In the entitlement plugin, the 'hidden' attributes could have
>> flags=['no_option', 'no_output'] so they don't show up in the UI
>>
>> * If I consume all the entitlements with ipa entitle-consume and ask
>> for more, I get an internal server error - we should probably catch the
>> RestlibException from candlepin
>>
>> * when I started testing I made a typo in the candlepin instance
>> hostname. ipa entitle-register then blew up.. The traceback looks like
>> it comes from rhsm. I don't think we absolutely need to fix it now, but
>> we should at least track it in a ticket.
>
> Here is a diff of the changes you suggested, I think they cover all the
> bases.
>
> rob

Looks good, thank you. If you can send a new patch with these squashed in, I'll just run a couple of quick tests and ack.

From: adam at younglogic.com (Adam Young)
Date: Tue, 01 Feb 2011 13:08:55 -0500
Subject: [Freeipa-devel] [PATCH] admiyo-0184-use-entity-select-widget-for-permissions
Message-ID: <4D484C37.7080605@younglogic.com>

-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-admiyo-0184-use-entity-select-widget-for-permissions.patch
Type: text/x-patch
Size: 10117 bytes
Desc: not available
URL:

From: ssorce at redhat.com (Simo Sorce)
Date: Tue, 1 Feb 2011 13:51:25 -0500
Subject: [Freeipa-devel] [PATCH] 0080 Sync in both direction before changing replication agreement in replica
In-Reply-To: <20110201073914.0208ff2c@willson.li.ssimo.org>
References: <20110131183847.680de330@willson.li.ssimo.org> <20110131184526.58758ea5@willson.li.ssimo.org> <4D4786FC.10609@redhat.com> <20110201073914.0208ff2c@willson.li.ssimo.org>
Message-ID: <20110201135125.77f6dd00@willson.li.ssimo.org>

On Tue, 1 Feb 2011 07:39:14 -0500
Simo Sorce wrote:

> On Mon, 31 Jan 2011 23:07:24 -0500
> Rob Crittenden wrote:
>
> > Simo Sorce wrote:
> > > On Mon, 31 Jan 2011 18:38:47 -0500
> > > Simo Sorce wrote:
> > >
> > >> See also ticket #887
> > >>
> > >> Simo.
> > >
> > > With a patch file it works better I guess :-)
> > >
> > > Simo.
> >
> > I wasn't entirely sure how to test this so I used ipa-replica-manage
> > re-initialize --from=master.example.com
> >
> > It seemed to work, not sure how I can really tell. I did notice this
> > in my 389-ds error log:
> >
> > [31/Jan/2011:23:05:59 -0500] - import userRoot: Import complete.
> > Processed 159 entries in 4 seconds. (39.75 entries/sec)
> > [31/Jan/2011:23:06:00 -0500] NSMMReplicationPlugin -
> > multimaster_be_state_change: replica dc=example,dc=com is coming
> > online; enabling replication
> > [31/Jan/2011:23:06:00 -0500] NSMMReplicationPlugin -
> > replica_reload_ruv: Warning: new data for replica dc=example,dc=com
> > does not match the data in the changelog.
> > Recreating the changelog file. This could affect replication with
> > replica's consumers in which case the consumers should be
> > reinitialized.
> >
> > rob
>
> I changed force-sync not re-initialize :-)
>
> And the actual real change happened in ipa-replica-install
> So the way to test it would be to install a replica and make sure it
> works (I tested it on my side and it did).

Acked in private by Rob and pushed to master.

Simo.

--
Simo Sorce * Red Hat, Inc * New York

From: jhrozek at redhat.com (Jakub Hrozek)
Date: Tue, 01 Feb 2011 19:53:05 +0100
Subject: [Freeipa-devel] [PATCH] 048 IPv6 enhancements
Message-ID: <4D485691.2040409@redhat.com>

Attached is a patch that fixes the remaining IPv6 problems. Many were testable on a v4 installation, like the host plugin changes. I only verified the v6 reverse zone creation in bindinstance with ldapsearch so far.

https://fedorahosted.org/freeipa/ticket/398

-------------- next part --------------
A non-text attachment was scrubbed...
Name: jhrozek-freeipa-048-ipv6.patch
Type: text/x-patch
Size: 9910 bytes
Desc: not available
URL:
-------------- next part --------------
A non-text attachment was scrubbed...
Name: jhrozek-freeipa-048-ipv6.patch.sig
Type: application/pgp-signature
Size: 72 bytes
Desc: not available
URL:

From: rcritten at redhat.com (Rob Crittenden)
Date: Tue, 01 Feb 2011 14:25:28 -0500
Subject: [Freeipa-devel] [PATCH] 664 entitlement support
In-Reply-To: <4D484AA1.20603@redhat.com>
References: <4D24906A.2060604@redhat.com> <4D4677A9.3040004@redhat.com> <4D46D569.5010300@redhat.com> <4D47ED82.7070905@redhat.com> <4D482396.6070305@redhat.com> <4D484AA1.20603@redhat.com>
Message-ID: <4D485E28.1050001@redhat.com>

Jakub Hrozek wrote:
> On 02/01/2011 04:15 PM, Rob Crittenden wrote:
>> Jakub Hrozek wrote:
>>> On 01/31/2011 04:29 PM, Rob Crittenden wrote:
>>>> Jakub Hrozek wrote:
>>>>> On 01/05/2011 04:38 PM, Rob Crittenden wrote:
>>>>>> This patch adds a plugin and tools for managing entitlements for host machines.
>>>>>>
>>>>>> Testing is rather complex so I've attached a script to help set up the Candlepin server. You'll need to ping me out of band for the backend data. This configures the Candlepin server with an in-memory database so any time tomcat6 is restarted you'll need to reload the data.
>>>>>>
>>>>>> You have to run candlepin.setup as root. This will configure your Fedora tomcat6 instance.
>>>>>>
>>>>>> Once your candlepin server is set up and IPA is installed do something like:
>>>>>>
>>>>>> $ ipa entitle-register admin
>>>>>> (password is admin)
>>>>>>
>>>>>> $ ipa entitle-consume 25
>>>>>>
>>>>>> $ ipa entitle-status
>>>>>> (verify that it is 25)
>>>>>>
>>>>>> # ipa-compliance
>>>>>> (should be 1 of 50)
>>>>>>
>>>>>> Our tools can consume only, not return entitlements.
>>>>>>
>>>>>> tickets 28, 79 and 278.
>>>>>>
>>>>>> rob
>>>>>
>>>>> can you rebase the patch so it applies cleanly on the current master?
>>>>
>>>> attached
>>>>
>>>> rob
>>>
>>> Functionally, the patch seems to be working fine -- great job!
>>>
>>> I just have a couple of minor comments:
>>> * I think a recent change to delegation.ldif conflicts with the patch. I was able to do a 3-way merge, but please check it merges OK.
>>>
>>> * During build, rpm-build complains about /etc/cron.d/ipa-compliance being listed twice
>>>
>>> * the two commented lines in ipa-compliance that test Bind using DM and Bind using GSSAPI should be removed
>>>
>>> * I think that the ipa-compliance tool never deletes the directory with the ccache (tmpdir)
>>>
>>> * in ipa-compliance:
>>> +        if not truncated:
>>> +            hostcount = len(entries)
>>> +        else:
>>> +            # FIXME: raise an error
>>> +            pass
>>> I'm not opposed to FIXMEs in the code, but maybe there should be a ticket so we don't forget them. Also, hostcount should be initialized in the else: branch; later on, the code accesses it and would blow up.
>>>
>>> * In the entitlement plugin, the 'hidden' attributes could have flags=['no_option', 'no_output'] so they don't show up in the UI
>>>
>>> * If I consume all the entitlements with ipa entitle-consume and ask for more, I get an internal server error - we should probably catch the RestlibException from candlepin
>>>
>>> * when I started testing I made a typo in the candlepin instance hostname. ipa entitle-register then blew up. The traceback looks like it comes from rhsm. I don't think we absolutely need to fix it now, but we should at least track it in a ticket.
>>
>> Here is a diff of the changes you suggested, I think they cover all the bases.
>>
>> rob
>
> Looks good, thank you. If you can send a new patch with these squashed in, I'll just run a couple of quick tests and ack.

attached

-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-rcrit-664-3-entitle.patch
Type: text/x-patch
Size: 50361 bytes

From ayoung at redhat.com Tue Feb 1 19:57:53 2011
From: ayoung at redhat.com (Adam Young)
Date: Tue, 01 Feb 2011 14:57:53 -0500
Subject: [Freeipa-devel] [PATCH] admiyo-0185-undo-entity-widget
Message-ID: <4D4865C1.40600@redhat.com>

-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-admiyo-0185-undo-entity-widget.patch
Type: text/x-patch
Size: 1387 bytes

From rcritten at redhat.com Tue Feb 1 19:57:14 2011
From: rcritten at redhat.com (Rob Crittenden)
Date: Tue, 01 Feb 2011 14:57:14 -0500
Subject: [Freeipa-devel] [PATCH] 021 Permission rename test failing
In-Reply-To: <1296560116.3051.22.camel@dhcp-25-52.brq.redhat.com>
References: <1296560116.3051.22.camel@dhcp-25-52.brq.redhat.com>
Message-ID: <4D48659A.7030404@redhat.com>

Martin Kosek wrote:
> This patch fixes test for Permission plugin - mainly permission-mod part. Description field that the tests expected and which was removed in ticket 792 was removed from the tests.
>
> https://fedorahosted.org/freeipa/ticket/892

ack, pushed to master

From rcritten at redhat.com Tue Feb 1 19:57:47 2011
From: rcritten at redhat.com (Rob Crittenden)
Date: Tue, 01 Feb 2011 14:57:47 -0500
Subject: [Freeipa-devel] [PATCH] 697 Add new schema to store information about permissions.
In-Reply-To: <4D483BCD.8010604@redhat.com>
References: <4D46FBBD.5010005@redhat.com> <4D477B84.7030507@redhat.com> <1296565904.3051.40.camel@dhcp-25-52.brq.redhat.com> <4D481393.5010402@redhat.com> <1296569778.3051.45.camel@dhcp-25-52.brq.redhat.com> <4D483BCD.8010604@redhat.com>
Message-ID: <4D4865BB.2060001@redhat.com>

Rob Crittenden wrote:
> Martin Kosek wrote:
>> On Tue, 2011-02-01 at 09:07 -0500, Rob Crittenden wrote:
>>> Martin Kosek wrote:
>>>> 2) In delegation.ldif: ipapermission object class is missing for removeentitlements and modifyentitlements (it has been added for addentitlements though)
>>>
>>> This was on purpose, I should have been clearer. Patch 664 makes major changes to these and I'm trying to make the merge easier. I'll fix them up when 664 gets pushed.
>>
>> I thought so. I was confused by the addentitlements permission whose objectclass was updated. We just have to make sure that the entitlements patch includes this new objectClass.
>>
>>>> QUESTION:
>>>> In this patch you add READONLY flag to Replica permissions. However it is not actually used and stays as just an informative flag. It won't prevent user from modifying/removing READONLY permissions.
>>>>
>>>> I guess enhancing permission-mod and permission-del of READONLY check will be a subject of another ticket?
>>>
>>> Ok, interesting point. I considered the aci itself to be read-only. The only thing a user could do is rename the permission, right? I think that would maintain consistency so it shouldn't be a problem. It would probably be easy to really make these read-only but that would have a UI impact as well, perhaps a problematic one. I suppose if they could handle any read-only exceptions we'd raise that would be adequate.
>>>
>>> rob
>>
>> Yes, user could rename or delete permission. In both cases it won't have any effect on the ACI as ACI plugin does not see it. But I think it would be nice to prevent modifications to these permissions when we have this new and shiny READONLY flag. Read-only exception may be a way to achieve this...
>>
>> Martin
>
> I think I got everything. Simo suggested using SYSTEM instead of READONLY so I switched to that. I also renamed the attribute to ipapermissiontype and added enforcement over mod/del.
>
> rob

Martin found a few more problems, here is another patch.

rob

-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-rcrit-697-4-permissions.patch
Type: text/x-patch
Size: 20036 bytes

From edewata at redhat.com Tue Feb 1 19:59:37 2011
From: edewata at redhat.com (Endi Sukma Dewata)
Date: Tue, 01 Feb 2011 13:59:37 -0600
Subject: [Freeipa-devel] [PATCH] admiyo-0184-use-entity-select-widget-for-permissions
In-Reply-To: <4D484C37.7080605@younglogic.com>
References: <4D484C37.7080605@younglogic.com>
Message-ID: <4D486629.9030001@redhat.com>

On 2/1/2011 12:08 PM, Adam Young wrote:
>

ACK and pushed to master.

--
Endi S. Dewata

From ayoung at redhat.com Tue Feb 1 20:49:58 2011
From: ayoung at redhat.com (Adam Young)
Date: Tue, 01 Feb 2011 15:49:58 -0500
Subject: [Freeipa-devel] [PATCH] admiyo-0185-undo-entity-widget
In-Reply-To: <4D4865C1.40600@redhat.com>
References: <4D4865C1.40600@redhat.com>
Message-ID: <4D4871F6.70607@redhat.com>

On 02/01/2011 02:57 PM, Adam Young wrote:
>
> _______________________________________________
> Freeipa-devel mailing list
> Freeipa-devel at redhat.com
> https://www.redhat.com/mailman/listinfo/freeipa-devel

Now shows undo link if the filter changes

-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-admiyo-0185-1-undo-entity-widget.patch
Type: text/x-patch
Size: 1682 bytes

From mkosek at redhat.com Tue Feb 1 20:58:36 2011
From: mkosek at redhat.com (Martin Kosek)
Date: Tue, 01 Feb 2011 21:58:36 +0100
Subject: [Freeipa-devel] [PATCH] 697 Add new schema to store information about permissions.
In-Reply-To: <4D4865BB.2060001@redhat.com>
References: <4D46FBBD.5010005@redhat.com> <4D477B84.7030507@redhat.com> <1296565904.3051.40.camel@dhcp-25-52.brq.redhat.com> <4D481393.5010402@redhat.com> <1296569778.3051.45.camel@dhcp-25-52.brq.redhat.com> <4D483BCD.8010604@redhat.com> <4D4865BB.2060001@redhat.com>
Message-ID: <1296593916.15450.3.camel@dhcp-25-52.brq.redhat.com>

On Tue, 2011-02-01 at 14:57 -0500, Rob Crittenden wrote:
> Rob Crittenden wrote:
> > Martin Kosek wrote:
> >> On Tue, 2011-02-01 at 09:07 -0500, Rob Crittenden wrote:
> >>> Martin Kosek wrote:
> >>>> 2) In delegation.ldif: ipapermission object class is missing for removeentitlements and modifyentitlements (it has been added for addentitlements though)
> >>>
> >>> This was on purpose, I should have been clearer. Patch 664 makes major changes to these and I'm trying to make the merge easier. I'll fix them up when 664 gets pushed.
> >>
> >> I thought so. I was confused by the addentitlements permission whose objectclass was updated. We just have to make sure that the entitlements patch includes this new objectClass.
> >>
> >>>> QUESTION:
> >>>> In this patch you add READONLY flag to Replica permissions. However it is not actually used and stays as just an informative flag. It won't prevent user from modifying/removing READONLY permissions.
> >>>>
> >>>> I guess enhancing permission-mod and permission-del of READONLY check will be a subject of another ticket?
> >>>
> >>> Ok, interesting point. I considered the aci itself to be read-only. The only thing a user could do is rename the permission, right? I think that would maintain consistency so it shouldn't be a problem. It would probably be easy to really make these read-only but that would have a UI impact as well, perhaps a problematic one. I suppose if they could handle any read-only exceptions we'd raise that would be adequate.
> >>>
> >>> rob
> >>
> >> Yes, user could rename or delete permission. In both cases it won't have any effect on the ACI as ACI plugin does not see it. But I think it would be nice to prevent modifications to these permissions when we have this new and shiny READONLY flag. Read-only exception may be a way to achieve this...
> >>
> >> Martin
> >
> > I think I got everything. Simo suggested using SYSTEM instead of READONLY so I switched to that. I also renamed the attribute to ipapermissiontype and added enforcement over mod/del.
> >
> > rob
>
> Martin found a few more problems, here is another patch.
>
> rob

ACK, all permission tests are OK.

Good job.
Martin

From rcritten at redhat.com Tue Feb 1 21:01:06 2011
From: rcritten at redhat.com (Rob Crittenden)
Date: Tue, 01 Feb 2011 16:01:06 -0500
Subject: [Freeipa-devel] [PATCH] 697 Add new schema to store information about permissions.
In-Reply-To: <1296593916.15450.3.camel@dhcp-25-52.brq.redhat.com>
References: <4D46FBBD.5010005@redhat.com> <4D477B84.7030507@redhat.com> <1296565904.3051.40.camel@dhcp-25-52.brq.redhat.com> <4D481393.5010402@redhat.com> <1296569778.3051.45.camel@dhcp-25-52.brq.redhat.com> <4D483BCD.8010604@redhat.com> <4D4865BB.2060001@redhat.com> <1296593916.15450.3.camel@dhcp-25-52.brq.redhat.com>
Message-ID: <4D487492.4070203@redhat.com>

Martin Kosek wrote:
> On Tue, 2011-02-01 at 14:57 -0500, Rob Crittenden wrote:
>> Rob Crittenden wrote:
>>> Martin Kosek wrote:
>>>> On Tue, 2011-02-01 at 09:07 -0500, Rob Crittenden wrote:
>>>>> Martin Kosek wrote:
>>>>>> 2) In delegation.ldif: ipapermission object class is missing for removeentitlements and modifyentitlements (it has been added for addentitlements though)
>>>>>
>>>>> This was on purpose, I should have been clearer. Patch 664 makes major changes to these and I'm trying to make the merge easier. I'll fix them up when 664 gets pushed.
>>>>
>>>> I thought so. I was confused by the addentitlements permission whose objectclass was updated. We just have to make sure that the entitlements patch includes this new objectClass.
>>>>
>>>>>> QUESTION:
>>>>>> In this patch you add READONLY flag to Replica permissions. However it is not actually used and stays as just an informative flag. It won't prevent user from modifying/removing READONLY permissions.
>>>>>>
>>>>>> I guess enhancing permission-mod and permission-del of READONLY check will be a subject of another ticket?
>>>>>
>>>>> Ok, interesting point. I considered the aci itself to be read-only. The only thing a user could do is rename the permission, right? I think that would maintain consistency so it shouldn't be a problem. It would probably be easy to really make these read-only but that would have a UI impact as well, perhaps a problematic one. I suppose if they could handle any read-only exceptions we'd raise that would be adequate.
>>>>>
>>>>> rob
>>>>
>>>> Yes, user could rename or delete permission. In both cases it won't have any effect on the ACI as ACI plugin does not see it. But I think it would be nice to prevent modifications to these permissions when we have this new and shiny READONLY flag. Read-only exception may be a way to achieve this...
>>>>
>>>> Martin
>>>
>>> I think I got everything. Simo suggested using SYSTEM instead of READONLY so I switched to that. I also renamed the attribute to ipapermissiontype and added enforcement over mod/del.
>>>
>>> rob
>>
>> Martin found a few more problems, here is another patch.
>>
>> rob
>
> ACK, all permission tests are OK.
>
> Good job.
> Martin

pushed to master

From jhrozek at redhat.com Tue Feb 1 21:22:35 2011
From: jhrozek at redhat.com (Jakub Hrozek)
Date: Tue, 01 Feb 2011 22:22:35 +0100
Subject: [Freeipa-devel] [PATCH] 664 entitlement support
In-Reply-To: <4D485E28.1050001@redhat.com>
References: <4D24906A.2060604@redhat.com> <4D4677A9.3040004@redhat.com> <4D46D569.5010300@redhat.com> <4D47ED82.7070905@redhat.com> <4D482396.6070305@redhat.com> <4D484AA1.20603@redhat.com> <4D485E28.1050001@redhat.com>
Message-ID: <4D48799B.5030301@redhat.com>

On 02/01/2011 08:25 PM, Rob Crittenden wrote:
> Jakub Hrozek wrote:
>> On 02/01/2011 04:15 PM, Rob Crittenden wrote:
>>> Jakub Hrozek wrote:
>>>> On 01/31/2011 04:29 PM, Rob Crittenden wrote:
>>>>> Jakub Hrozek wrote:
>>>>>> On 01/05/2011 04:38 PM, Rob Crittenden wrote:
>>>>>>> This patch adds a plugin and tools for managing entitlements for host machines.
>>>>>>>
>>>>>>> Testing is rather complex so I've attached a script to help set up the Candlepin server. You'll need to ping me out of band for the backend data. This configures the Candlepin server with an in-memory database so any time tomcat6 is restarted you'll need to reload the data.
>>>>>>>
>>>>>>> You have to run candlepin.setup as root. This will configure your Fedora tomcat6 instance.
>>>>>>>
>>>>>>> Once your candlepin server is set up and IPA is installed do something like:
>>>>>>>
>>>>>>> $ ipa entitle-register admin
>>>>>>> (password is admin)
>>>>>>>
>>>>>>> $ ipa entitle-consume 25
>>>>>>>
>>>>>>> $ ipa entitle-status
>>>>>>> (verify that it is 25)
>>>>>>>
>>>>>>> # ipa-compliance
>>>>>>> (should be 1 of 50)
>>>>>>>
>>>>>>> Our tools can consume only, not return entitlements.
>>>>>>>
>>>>>>> tickets 28, 79 and 278.
>>>>>>>
>>>>>>> rob
>>>>>>
>>>>>> can you rebase the patch so it applies cleanly on the current master?
>>>>>
>>>>> attached
>>>>>
>>>>> rob
>>>>
>>>> Functionally, the patch seems to be working fine -- great job!
>>>>
>>>> I just have a couple of minor comments:
>>>> * I think a recent change to delegation.ldif conflicts with the patch. I was able to do a 3-way merge, but please check it merges OK.
>>>>
>>>> * During build, rpm-build complains about /etc/cron.d/ipa-compliance being listed twice
>>>>
>>>> * the two commented lines in ipa-compliance that test Bind using DM and Bind using GSSAPI should be removed
>>>>
>>>> * I think that the ipa-compliance tool never deletes the directory with the ccache (tmpdir)
>>>>
>>>> * in ipa-compliance:
>>>> +        if not truncated:
>>>> +            hostcount = len(entries)
>>>> +        else:
>>>> +            # FIXME: raise an error
>>>> +            pass
>>>> I'm not opposed to FIXMEs in the code, but maybe there should be a ticket so we don't forget them. Also, hostcount should be initialized in the else: branch; later on, the code accesses it and would blow up.
>>>>
>>>> * In the entitlement plugin, the 'hidden' attributes could have flags=['no_option', 'no_output'] so they don't show up in the UI
>>>>
>>>> * If I consume all the entitlements with ipa entitle-consume and ask for more, I get an internal server error - we should probably catch the RestlibException from candlepin
>>>>
>>>> * when I started testing I made a typo in the candlepin instance hostname. ipa entitle-register then blew up. The traceback looks like it comes from rhsm. I don't think we absolutely need to fix it now, but we should at least track it in a ticket.
>>>
>>> Here is a diff of the changes you suggested, I think they cover all the bases.
>>>
>>> rob
>>
>> Looks good, thank you. If you can send a new patch with these squashed in, I'll just run a couple of quick tests and ack.
>
> attached

Ack but please check that the 3-way rebase is OK and also please import socket in ipalib/plugins/entitle.py, currently it is an undefined symbol.

From ayoung at redhat.com Tue Feb 1 21:25:58 2011
From: ayoung at redhat.com (Adam Young)
Date: Tue, 01 Feb 2011 16:25:58 -0500
Subject: [Freeipa-devel] [PATCH] admiyo-0185-undo-entity-widget
In-Reply-To: <4D4871F6.70607@redhat.com>
References: <4D4865C1.40600@redhat.com> <4D4871F6.70607@redhat.com>
Message-ID: <4D487A66.1080700@redhat.com>

On 02/01/2011 03:49 PM, Adam Young wrote:
> On 02/01/2011 02:57 PM, Adam Young wrote:
>>
> Now shows undo link if the filter changes

edewata noticed that the search wasn't working under the following sequence:
double click to highlight all, then backspace to remove it:
the undo shows up, but the list is not updated

That was due to triggering the logic on keypress instead of key up

-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-admiyo-0185-2-undo-entity-widget.patch
Type: text/x-patch
Size: 1825 bytes

From edewata at redhat.com Tue Feb 1 21:39:44 2011
From: edewata at redhat.com (Endi Sukma Dewata)
Date: Tue, 01 Feb 2011 15:39:44 -0600
Subject: [Freeipa-devel] [PATCH] admiyo-0185-undo-entity-widget
In-Reply-To: <4D487A66.1080700@redhat.com>
References: <4D4865C1.40600@redhat.com> <4D4871F6.70607@redhat.com> <4D487A66.1080700@redhat.com>
Message-ID: <4D487DA0.4040506@redhat.com>

On 2/1/2011 3:25 PM, Adam Young wrote:
>> Now shows undo link if the filter changes
> edewata noticed that the search wasn't working under the following sequence:
> double click to highlight all, then backspace to remove it:
> the undo shows up, but the list is not updated
>
> That was due to triggering the logic on keypress instead of key up

ACK and pushed to master.

--
Endi S. Dewata

From rcritten at redhat.com Tue Feb 1 22:36:52 2011
From: rcritten at redhat.com (Rob Crittenden)
Date: Tue, 01 Feb 2011 17:36:52 -0500
Subject: [Freeipa-devel] [PATCH] 698 Translate exception messages
Message-ID: <4D488B04.30604@redhat.com>

Pavel mentioned this morning that translations didn't seem to be working. I remembered that I did some things on the cli so I re-tested. Turned out that exceptions aren't being translated.

I'm not at all sure this patch does the right thing, so take it with a grain of salt. What it does is translate the message before stuffing it into the exception. Note that this will also translate messages returned via XML-RPC so I wonder if we need to force LANG to en_US.UTF-8 there. In any case, this seems to fix the client side anyway.

I'm open to criticism on this one.

To test do something like:

$ kinit admin
$ export LANG=es_US.UTF-8
$ ipa user-add --first=Kermit --last=Frog kfrog
$ ipa user-add --first=Kermit --last=Frog kfrog

You should get a DuplicateEntry() response in Spanish.

rob

-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-rcrit-698-translate.patch
Type: text/x-diff
Size: 1588 bytes

From ayoung at redhat.com Wed Feb 2 03:17:00 2011
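The eager-versus-lazy translation question Rob raises in the 698 mail above, as an added example that is not FreeIPA's code: the catalog, the locale names and the user store are constructed, and the error classes only model the two designs (translate when raising, with the raising process's locale, versus carry the message id and render per client).

```python
"""Eager vs. lazy translation of exception messages.

Added example for the design question raised with patch 698 (translate
when the exception is raised, or when a particular client renders it).
This is not FreeIPA's code: the catalog, locale names and user store
are constructed for the example.
"""

# Constructed catalog: msgid -> {locale: translation}. A real
# deployment would load gettext catalogs instead.
CATALOG = {
    "entry with primary key %(pkey)r already exists": {
        "en_US": "entry with primary key %(pkey)r already exists",
        "es_US": "ya existe una entrada con la clave primaria %(pkey)r",
    },
}


def translate(msgid, locale):
    """Return the catalog entry for msgid in locale, or msgid unchanged."""
    return CATALOG.get(msgid, {}).get(locale, msgid)


class DuplicateEntryEager(Exception):
    """Translates at raise time with the locale of the raising process.

    This is the approach described for patch 698: the translated text is
    what the exception stores, so it is also what a server sends back
    over XML-RPC, whatever locale the client runs under.
    """

    format = "entry with primary key %(pkey)r already exists"

    def __init__(self, process_locale, **kw):
        self.message = translate(self.format, process_locale) % kw
        super().__init__(self.message)

    def to_wire(self):
        return {"error": type(self).__name__, "message": self.message}


class DuplicateEntryLazy(Exception):
    """Keeps the msgid and its arguments; text is rendered per client."""

    format = "entry with primary key %(pkey)r already exists"

    def __init__(self, **kw):
        self.kw = kw
        super().__init__(self.format % kw)

    def to_wire(self):
        return {"error": type(self).__name__, "msgid": self.format,
                "kw": self.kw}

    @staticmethod
    def render(payload, client_locale):
        return translate(payload["msgid"], client_locale) % payload["kw"]


def add_user(store, uid, exc_factory):
    """Add uid to the constructed user store; a second add of the same
    uid raises the exception built by exc_factory (the equivalent of
    running `ipa user-add ... kfrog` twice)."""
    if uid in store:
        raise exc_factory(uid)
    store[uid] = {"uid": uid}


def client_message(server_locale, client_locale, lazy):
    """Simulate the round trip: the server raises and serialises the
    error, the client turns the payload into text. Returns the text the
    client would print."""
    store = {}

    def factory(uid):
        if lazy:
            return DuplicateEntryLazy(pkey=uid)
        return DuplicateEntryEager(server_locale, pkey=uid)

    add_user(store, "kfrog", factory)
    try:
        add_user(store, "kfrog", factory)
    except (DuplicateEntryEager, DuplicateEntryLazy) as err:
        payload = err.to_wire()
    if "message" in payload:          # eager: text was fixed by the server
        return payload["message"]
    return DuplicateEntryLazy.render(payload, client_locale)


if __name__ == "__main__":
    # Server under LANG=es_US.UTF-8, English client: eager leaks the
    # server's locale into the reply, lazy renders in the client's.
    print(client_message("es_US", "en_US", lazy=False))
    print(client_message("es_US", "en_US", lazy=True))
```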
From: ayoung at redhat.com (Adam Young)
Date: Tue, 01 Feb 2011 22:17:00 -0500
Subject: [Freeipa-devel] [PATCH] admiyo-0186-core-widget-unit-tests
Message-ID: <4D48CCAC.2050801@redhat.com>

https://fedorahosted.org/freeipa/ticket/882

-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-admiyo-0186-core-widget-unit-tests.patch
Type: text/x-patch
Size: 697582 bytes

From jzeleny at redhat.com Wed Feb 2 07:24:13 2011
From: jzeleny at redhat.com (Jan Zelený)
Date: Wed, 2 Feb 2011 08:24:13 +0100
Subject: [Freeipa-devel] [PATCH] Changed dns permission types
In-Reply-To: <4D483F03.1010709@redhat.com>
References: <201101071805.18499.jzeleny@redhat.com> <201101251335.13954.jzeleny@redhat.com> <4D483F03.1010709@redhat.com>
Message-ID: <201102020824.13446.jzeleny@redhat.com>

Rob Crittenden wrote:
> Jan Zelený wrote:
> > Jan Zelený wrote:
> >> Rob Crittenden wrote:
> >>> Jan Zelený wrote:
> >>>> Rob Crittenden wrote:
> >>>>> Jan Zelený wrote:
> >>>>>> Recent change of DNS module to version caused the dns object type to be replaced by dnszone and dnsrecord. This patch corrects dns types in permissions class.
> >>>>>>
> >>>>>> https://fedorahosted.org/freeipa/ticket/646
> >>>>>
> >>>>> Nack. These values need to be added as valid types to the aci plugin and the _type_map needs to be updated.
> >>>>>
> >>>>> rob
> >>>>
> >>>> I'm sending an updated patch.
> >>>>
> >>>> Jan
> >>>
> >>> Since dnszone and dnsrecord point to the same kind of entry what is the point of having two separate names for them? When we read the entry we aren't going to be able to differentiate between the two.
> >>
> >> I didn't take a look at how the type thing works, so I'm kinda guessing here (please ignore the comment if it is wrong):
> >> Sure, an object with the idnszone class is always also in the dnsrecord class, but that's not the case backwards (an idnsrecord object isn't always idnszone) - so I think it is possible to set different ACIs for these two types.
> >>
> >>> Can the type be made more specific?
> >>
> >> If the mapping doesn't distinguish object classes and it can, maybe that's the answer. Will investigate further. But if not, I still think this is the way to go considering the underlying issue which we tried to solve by this change.
> >>
> > From what I found I think that making the changes necessary to distinguish dnsrecord and dnszone is not worth it, especially as the user can use "filter" for that purpose. Since having both of them doesn't have any additional value, I'm sending a new version of the patch, which only adds the dnsrecord type.
> >
> > Jan
>
> Ack but this patch needs a rebase.
>
> rob

Rebased patch in attachment

Jan

-------------- next part --------------
A non-text attachment was scrubbed...
Name: jzeleny-freeipa-0021-4-Changed-dns-permission-types.patch
Type: text/x-patch
Size: 2479 bytes

From jzeleny at redhat.com Wed Feb 2 07:47:00 2011
From: jzeleny at redhat.com (Jan Zelený)
Date: Wed, 2 Feb 2011 08:47:00 +0100
Subject: [Freeipa-devel] [PATCH] Provide a way to display CLI-LDAP attribute relation
In-Reply-To: <4D483D85.7020702@redhat.com>
References: <201101261439.24085.jzeleny@redhat.com> <201101310951.36041.jzeleny@redhat.com> <4D483D85.7020702@redhat.com>
Message-ID: <201102020847.00282.jzeleny@redhat.com>

Ok, I'm sending updated patch in attachment

> > Should I change it in class help then? That's where I copied this from.
>
> I think so.

Ok, I'll send another patch, so we don't mix it together with this patch. I'll do a review of the code in cli.py, maybe the same issue is elsewhere as well.

> >> This will blow up as expected in the FIXME if an unknown command is passed in.
> >
> > Fixed, thanks.
>
> Not to be pedantic but I think it should return a non-zero error code too on error.

Yep, replaced this with exception.

> >> ipa show-mappings user-show returns just 'rights'
> >
> > If it was acting correctly, it shouldn't be displayed at all, because it is not LDAP based (and user-show doesn't take any other LDAP-based arguments/options).
> >
> > I'm just not sure how to do this with minimal changes. One option is to create new flag denoting whether parameter is LDAP based or not and for each parameter set it appropriately, but that is just too much effort for something that is not that important. That's why I use the 'webui' flag to filter things at least a little bit.
>
> You should have the object Params list available, right? Can you use that to show at least some attributes?

I already thought of that, but that would add only primary key, since Params is a concatenation of Options and Args - in args there are usually only mandatory arguments (i.e. primary keys, uid in case of user-show) and options are already iterated over and printed out. I think adding this is too much effort. For one thing user-show takes no other options than --rights (and the purpose of the patch is to show mapping between CLI options and LDAP attributes) and user can always see real LDAP attributes of user object by using --raw.

Jan

-------------- next part --------------
A non-text attachment was scrubbed...
Name: jzeleny-freeipa-0030-03-Provide-a-way-to-display-CLI-LDAP-relation.patch
Type: text/x-patch
Size: 2438 bytes

From jzeleny at redhat.com Wed Feb 2 07:54:47 2011
From: jzeleny at redhat.com (Jan Zelený)
Date: Wed, 2 Feb 2011 08:54:47 +0100
Subject: [Freeipa-devel] [PATCH] Fixed type of argument in class help
Message-ID: <201102020854.47812.jzeleny@redhat.com>

At Rob's suggestion I changed the argument type in class help, this is only a oneliner, I think it can be pushed directly.

Jan

-------------- next part --------------
A non-text attachment was scrubbed...
Name: jzeleny-freeipa-0035-Fixed-type-of-argument-in-class-help.patch
Type: text/x-patch
Size: 680 bytes

From pzuna at redhat.com Wed Feb 2 12:51:03 2011
From: pzuna at redhat.com (Pavel Zuna)
Date: Wed, 02 Feb 2011 13:51:03 +0100
Subject: [Freeipa-devel] [PATCH] Fix crash in ipa help for NO_CLI plugins.
Message-ID: <4D495337.9040804@redhat.com>

Fix #854

Pavel

-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-pzuna-67-noclihelp.patch
Type: text/x-patch
Size: 2025 bytes

From pzuna at redhat.com Wed Feb 2 13:50:32 2011
From: pzuna at redhat.com (Pavel Zuna)
Date: Wed, 02 Feb 2011 14:50:32 +0100
Subject: [Freeipa-devel] [PATCH] Fix minor bug in host-add logic.
Message-ID: <4D496128.3020208@redhat.com>

Fix #798

Pavel

-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-pzuna-68-fixhostadd.patch
Type: text/x-patch
Size: 1091 bytes

From mkosek at redhat.com Wed Feb 2 14:36:24 2011
From: mkosek at redhat.com (Martin Kosek)
Date: Wed, 02 Feb 2011 15:36:24 +0100
Subject: [Freeipa-devel] [PATCH] 022 Inconsistent error message for ipa group-detach
Message-ID: <1296657384.2972.0.camel@dhcp-25-52.brq.redhat.com>

When attempting to detach a private group that doesn't exist, the error message returned is not consistent with the error returned by the other topic commands. This patch adds a standard message.

https://fedorahosted.org/freeipa/ticket/291

-------------- next part --------------
A non-text attachment was scrubbed...
Name: mkosek-freeipa-022-inconsistent-error-message-for-ipa-group-detach.patch
Type: text/x-patch
Size: 1387 bytes

From rcritten at redhat.com Wed Feb 2 15:01:49 2011
From: rcritten at redhat.com (Rob Crittenden)
Date: Wed, 02 Feb 2011 10:01:49 -0500
Subject: [Freeipa-devel] [PATCH] 664 entitlement support
In-Reply-To: <4D48799B.5030301@redhat.com>
References: <4D24906A.2060604@redhat.com> <4D4677A9.3040004@redhat.com> <4D46D569.5010300@redhat.com> <4D47ED82.7070905@redhat.com> <4D482396.6070305@redhat.com> <4D484AA1.20603@redhat.com> <4D485E28.1050001@redhat.com> <4D48799B.5030301@redhat.com>
Message-ID: <4D4971DD.5080109@redhat.com>

Jakub Hrozek wrote:
> On 02/01/2011 08:25 PM, Rob Crittenden wrote:
>> Jakub Hrozek wrote:
>>> On 02/01/2011 04:15 PM, Rob Crittenden wrote:
>>>> Jakub Hrozek wrote:
>>>>> On 01/31/2011 04:29 PM, Rob Crittenden wrote:
>>>>>> Jakub Hrozek wrote:
>>>>>>> On 01/05/2011 04:38 PM, Rob Crittenden wrote:
>>>>>>>> This patch adds a plugin and tools for managing entitlements for host machines.
>>>>>>>>
>>>>>>>> Testing is rather complex so I've attached a script to help set up the Candlepin server. You'll need to ping me out of band for the backend data. This configures the Candlepin server with an in-memory database so any time tomcat6 is restarted you'll need to reload the data.
>>>>>>>>
>>>>>>>> You have to run candlepin.setup as root. This will configure your Fedora tomcat6 instance.
>>>>>>>>
>>>>>>>> Once your candlepin server is setup and IPA is installed do something like:
>>>>>>>>
>>>>>>>> $ ipa entitle-register admin
>>>>>>>> (password is admin)
>>>>>>>>
>>>>>>>> $ ipa entitle-consume 25
>>>>>>>>
>>>>>>>> $ ipa entitle-status
>>>>>>>> (verify that it is 25)
>>>>>>>>
>>>>>>>> # ipa-compliance
>>>>>>>> (should be 1 of 50)
>>>>>>>>
>>>>>>>> Our tools can consume only, not return entitlements.
>>>>>>>>
>>>>>>>> tickets 28, 79 and 278.
>>>>>>>>
>>>>>>>> rob
>>>>>>>
>>>>>>> can you rebase the patch so it applies cleanly on the current master?
>>>>>>
>>>>>> attached
>>>>>>
>>>>>> rob
>>>>>
>>>>> Functionally, the patch seems to be working fine -- great job!
>>>>>
>>>>> I just have a couple of minor comments:
>>>>> * I think a recent change to delegation.ldif conflicts with the patch. I was able to do a 3-way merge, but please check it merges OK.
>>>>>
>>>>> * During build, rpm-build complains about /etc/cron.d/ipa-compliance being listed twice
>>>>>
>>>>> * the two commented lines in ipa-compliance that test Bind using DM and Bind using GSSAPI should be removed
>>>>>
>>>>> * I think that the ipa-compliance tool never deletes the directory with the ccache (tmpdir)
>>>>>
>>>>> * in ipa-compliance:
>>>>> +    if not truncated:
>>>>> +        hostcount = len(entries)
>>>>> +    else:
>>>>> +        # FIXME: raise an error
>>>>> +        pass
>>>>> I'm not opposed to FIXMEs in the code, but maybe there should be a ticket so we don't forget them. Also, hostcount should be initialized in the else: branch, later on, the code accesses it and would blow up.
>>>>>
>>>>> * In the entitlement plugin, the 'hidden' attributes could have flags=['no_option', 'no_output'] so they don't show up in the UI
>>>>>
>>>>> * If I consume all the entitlements with ipa entitle-consume and ask for more, I get an internal server error - we should probably catch the RestlibException from candlepin
>>>>>
>>>>> * when I started testing I made a typo in the candlepin instance hostname. ipa entitle-register then blew up.. The traceback looks like it comes from rhsm. I don't think we absolutely need to fix it now, but we should at least track it in a ticket.
>>>>
>>>> Here is a diff of the changes you suggested, I think they cover all the bases.
>>>>
>>>> rob
>>>
>>> Looks good, thank you. If you can send a new patch with these squashed in, I'll just run a couple of quick tests and ack.
>>
>> attached
>
> Ack but please check that the 3-way rebase is OK and also please import socket in ipalib/plugins/entitle.py, currently it is an undefined symbol.

Fixed, rebased and pushed to master. I also fixed up a couple of permissions, adding the ipapermission objectclass.

Thanks for the review, it is a relief to get this off my plate.

rob

From jzeleny at redhat.com Wed Feb 2 15:14:46 2011
From: jzeleny at redhat.com (Jan Zelený)
Date: Wed, 2 Feb 2011 16:14:46 +0100
Subject: [Freeipa-devel] [PATCH] Fix crash in ipa help for NO_CLI plugins.
In-Reply-To: <4D495337.9040804@redhat.com>
References: <4D495337.9040804@redhat.com>
Message-ID: <201102021614.46313.jzeleny@redhat.com>

Pavel Zuna wrote:
> Fix #854
>
> Pavel

ack

Jan

From jzeleny at redhat.com Wed Feb 2 15:24:14 2011
From: jzeleny at redhat.com (Jan Zelený)
Date: Wed, 2 Feb 2011 16:24:14 +0100
Subject: [Freeipa-devel] [PATCH] Fix minor bug in host-add logic.
In-Reply-To: <4D496128.3020208@redhat.com>
References: <4D496128.3020208@redhat.com>
Message-ID: <201102021624.14242.jzeleny@redhat.com>

Pavel Zuna wrote:
> Fix #798
>
> Pavel

ack

Jan

From pzuna at redhat.com Wed Feb 2 15:31:02 2011
From: pzuna at redhat.com (Pavel Zuna)
Date: Wed, 02 Feb 2011 16:31:02 +0100
Subject: [Freeipa-devel] [PATCH] 698 Translate exception messages
In-Reply-To: <4D488B04.30604@redhat.com>
References: <4D488B04.30604@redhat.com>
Message-ID: <4D4978B6.5070209@redhat.com>

On 02/01/2011 11:36 PM, Rob Crittenden wrote:
> Pavel mentioned this morning that translations didn't seem to be working. I remembered that I did some things on the cli so I re-tested. Turned out that exceptions aren't being translated.
>
> I'm not at all sure this patch does the right thing, so take it with a grain of salt. What it does is translates the message before stuffing it into the exception.
>
> Note that this will also translate messages returned via XML-RPC so I wonder if we need to force LANG to en_US.UTF-8 there.
>
> In any case, this seems to fix the client side anyway. I'm open to criticism on this one.
>
> To test do something like:
>
> $ kinit admin
> $ export LANG=es_US.UTF-8
> $ ipa user-add --first=Kermit --last=Frog kfrog
> $ ipa user-add --first=Kermit --last=Frog kfrog
>
> You should get a DuplicateEntry() response in Spanish.
>
> rob
>

nack. While this patch works, it doesn't solve the problem at its root. After some investigation I figured out that the functions initializing translations in ipalib/request.py are not called from anywhere. All the translation code in ipalib/request.py is currently deprecated in favor of ipalib/text.py. I'm preparing a patch that removes the unused code and replaces references to it.

Pavel

From mkosek at redhat.com Wed Feb 2 15:33:42 2011
From: mkosek at redhat.com (Martin Kosek)
Date: Wed, 02 Feb 2011 16:33:42 +0100
Subject: [Freeipa-devel] [PATCH] 023 ipa-server-install inconsistent capitalization
Message-ID: <1296660822.2972.1.camel@dhcp-25-52.brq.redhat.com>

A cosmetic patch to IPA server installation output aimed to make capitalization in installer output consistent. Several installation tasks started with a lowercase letter and several installation task steps started with an uppercase letter.

https://fedorahosted.org/freeipa/ticket/776

-------------- next part --------------
A non-text attachment was scrubbed...
Name: mkosek-freeipa-023-ipa-server-install-inconsistent-capitalization.patch
Type: text/x-patch
Size: 4402 bytes

From pzuna at redhat.com Wed Feb 2 15:46:24 2011
From: pzuna at redhat.com (Pavel Zuna)
Date: Wed, 02 Feb 2011 16:46:24 +0100
Subject: [Freeipa-devel] [PATCH] Remove deprecated i18n code from ipalib.request and all references to it.
Message-ID: <4D497C50.1000705@redhat.com>

This ticket effectively fixes the translation of exception messages.

Ticket #903

Pavel

-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-pzuna-69-rmi18nrequest.patch
Type: text/x-patch
Size: 8312 bytes

From rcritten at redhat.com Wed Feb 2 15:48:24 2011
From: rcritten at redhat.com (Rob Crittenden)
Date: Wed, 02 Feb 2011 10:48:24 -0500
Subject: [Freeipa-devel] [PATCH] Fix crash in ipa help for NO_CLI plugins.
In-Reply-To: <201102021614.46313.jzeleny@redhat.com>
References: <4D495337.9040804@redhat.com> <201102021614.46313.jzeleny@redhat.com>
Message-ID: <4D497CC8.9000101@redhat.com>

Jan Zelený wrote:
> Pavel Zuna wrote:
>> Fix #854
>>
>> Pavel
>
> ack
>
> Jan

pushed to master

From rcritten at redhat.com Wed Feb 2 15:48:33 2011
From: rcritten at redhat.com (Rob Crittenden)
Date: Wed, 02 Feb 2011 10:48:33 -0500
Subject: [Freeipa-devel] [PATCH] Fix minor bug in host-add logic.
In-Reply-To: <201102021624.14242.jzeleny@redhat.com>
References: <4D496128.3020208@redhat.com> <201102021624.14242.jzeleny@redhat.com>
Message-ID: <4D497CD1.4050409@redhat.com>

Jan Zelený wrote:
> Pavel Zuna wrote:
>> Fix #798
>>
>> Pavel
>
> ack
>
> Jan

pushed to master

From edewata at redhat.com Wed Feb 2 16:00:55 2011
From: edewata at redhat.com (Endi Sukma Dewata)
Date: Wed, 02 Feb 2011 10:00:55 -0600
Subject: [Freeipa-devel] [PATCH] admiyo-0186-core-widget-unit-tests
In-Reply-To: <4D48CCAC.2050801@redhat.com>
References: <4D48CCAC.2050801@redhat.com>
Message-ID: <4D497FB7.3090205@redhat.com>

On 2/1/2011 9:17 PM, Adam Young wrote:
> https://fedorahosted.org/freeipa/ticket/882

ACK and pushed to master.

--
Endi S. Dewata

From mkosek at redhat.com Wed Feb 2 16:17:34 2011
From: mkosek at redhat.com (Martin Kosek)
Date: Wed, 02 Feb 2011 17:17:34 +0100
Subject: [Freeipa-devel] [PATCH] 024 Typos in freeIPA messages
Message-ID: <1296663454.2972.2.camel@dhcp-25-52.brq.redhat.com>

This patch fixes several reported typos in IPA messages and in comments.

https://fedorahosted.org/freeipa/ticket/848

-------------- next part --------------
A non-text attachment was scrubbed...
Name: mkosek-freeipa-024-typos-in-freeipa-messages.patch
Type: text/x-patch
Size: 5601 bytes

From rcritten at redhat.com Wed Feb 2 16:20:10 2011
From: rcritten at redhat.com (Rob Crittenden)
Date: Wed, 02 Feb 2011 11:20:10 -0500
Subject: [Freeipa-devel] [PATCH] 024 Typos in freeIPA messages
In-Reply-To: <1296663454.2972.2.camel@dhcp-25-52.brq.redhat.com>
References: <1296663454.2972.2.camel@dhcp-25-52.brq.redhat.com>
Message-ID: <4D49843A.8040008@redhat.com>

Martin Kosek wrote:
> This patch fixes several reported typos in IPA messages and in comments.
>
> https://fedorahosted.org/freeipa/ticket/848
>

Can you add the user that submitted the original patch for this to Contributors.txt?

rob

From mkosek at redhat.com Wed Feb 2 16:38:27 2011
From: mkosek at redhat.com (Martin Kosek)
Date: Wed, 02 Feb 2011 17:38:27 +0100
Subject: [Freeipa-devel] [PATCH] 024 Typos in freeIPA messages
In-Reply-To: <4D49843A.8040008@redhat.com>
References: <1296663454.2972.2.camel@dhcp-25-52.brq.redhat.com> <4D49843A.8040008@redhat.com>
Message-ID: <1296664707.2972.4.camel@dhcp-25-52.brq.redhat.com>

On Wed, 2011-02-02 at 11:20 -0500, Rob Crittenden wrote:
> Martin Kosek wrote:
> > This patch fixes several reported typos in IPA messages and in comments.
> >
> > https://fedorahosted.org/freeipa/ticket/848
> >
>
> Can you add the user that submitted the original patch for this to Contributors.txt?
>
> rob

Sure, patch attached. I have updated the Contributors file with the missing people I know of.

Martin

-------------- next part --------------
A non-text attachment was scrubbed...
Name: mkosek-freeipa-024-02-typos-in-freeipa-messages.patch
Type: text/x-patch
Size: 6672 bytes

From pzuna at redhat.com Wed Feb 2 16:41:13 2011
From: pzuna at redhat.com (Pavel Zuna)
Date: Wed, 02 Feb 2011 17:41:13 +0100
Subject: [Freeipa-devel] [PATCH] Translate exception messages on the client side.
Message-ID: <4D498929.2060708@redhat.com>

Ticket #904

Pavel

-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-pzuna-70-exci18nclient.patch
Type: text/x-patch
Size: 693 bytes

From rcritten at redhat.com Wed Feb 2 20:07:47 2011
From: rcritten at redhat.com (Rob Crittenden)
Date: Wed, 02 Feb 2011 15:07:47 -0500
Subject: [Freeipa-devel] [PATCH] 699 fix city and state in framework
Message-ID: <4D49B993.4010809@redhat.com>

City and state in the user object were using the wrong LDAP attributes.

I also added a unit test for address.

This will cause the ui to display undefined for city and state, Adam said he'd take a look.

ticket 889

rob

-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-rcrit-699-city.patch
Type: application/mbox
Size: 3504 bytes

From rcritten at redhat.com Wed Feb 2 20:11:42 2011
From: rcritten at redhat.com (Rob Crittenden)
Date: Wed, 02 Feb 2011 15:11:42 -0500
Subject: [Freeipa-devel] [PATCH] 024 Typos in freeIPA messages
In-Reply-To: <1296664707.2972.4.camel@dhcp-25-52.brq.redhat.com>
References: <1296663454.2972.2.camel@dhcp-25-52.brq.redhat.com> <4D49843A.8040008@redhat.com> <1296664707.2972.4.camel@dhcp-25-52.brq.redhat.com>
Message-ID: <4D49BA7E.5090604@redhat.com>

Martin Kosek wrote:
> On Wed, 2011-02-02 at 11:20 -0500, Rob Crittenden wrote:
>> Martin Kosek wrote:
>>> This patch fixes several reported typos in IPA messages and in comments.
>>>
>>> https://fedorahosted.org/freeipa/ticket/848
>>>
>>
>> Can you add the user that submitted the original patch for this to Contributors.txt?
>>
>> rob
>
> Sure, patch attached. I have updated the Contributors file with the missing people I know of.
>
> Martin

ack, pushed to master

From ayoung at redhat.com Wed Feb 2 20:35:06 2011
From: ayoung at redhat.com (Adam Young)
Date: Wed, 02 Feb 2011 15:35:06 -0500
Subject: [Freeipa-devel] [PATCH] 048 IPv6 enhancements
In-Reply-To: <4D485691.2040409@redhat.com>
References: <4D485691.2040409@redhat.com>
Message-ID: <4D49BFFA.3090408@redhat.com>

On 02/01/2011 01:53 PM, Jakub Hrozek wrote:
> Attached is a patch that fixes the remaining IPv6 problems. Many were testable on a v4 installation, like the host plugin changes. I only verified the v6 reverse zone creation in bindinstance with ldapsearch so far.
>
> https://fedorahosted.org/freeipa/ticket/398

ACK and pushed to master

From rcritten at redhat.com Wed Feb 2 20:36:00 2011
From: rcritten at redhat.com (Rob Crittenden)
Date: Wed, 02 Feb 2011 15:36:00 -0500
Subject: [Freeipa-devel] [PATCH] Remove deprecated i18n code from ipalib.request and all references to it.
In-Reply-To: <4D497C50.1000705@redhat.com>
References: <4D497C50.1000705@redhat.com>
Message-ID: <4D49C030.8030901@redhat.com>

Pavel Zuna wrote:
> This ticket effectively fixes the translation of exception messages.
>
> Ticket #903
>
> Pavel
>

On hold for now, see also patch 'Translate exception messages on the client side.'

rob

From rcritten at redhat.com Wed Feb 2 20:37:10 2011
From: rcritten at redhat.com (Rob Crittenden)
Date: Wed, 02 Feb 2011 15:37:10 -0500
Subject: [Freeipa-devel] [PATCH] Translate exception messages on the client side.
In-Reply-To: <4D498929.2060708@redhat.com>
References: <4D498929.2060708@redhat.com>
Message-ID: <4D49C076.2030806@redhat.com>

Pavel Zuna wrote:
> Ticket #904
>
> Pavel

nack, it fails for exceptions that take keywords. Try deleting a non-existent user and you'll get this traceback:

$ export LANG=fr_FR.UTF-8
$ ipa user-del tuser1
Traceback (most recent call last):
  File "./ipa", line 32, in
    cli.run(api)
  File "/home/rcrit/redhat/freeipa-tests/ipalib/cli.py", line 1084, in run
    api.log.error(_(error.format) % error.kw)
  File "/home/rcrit/redhat/freeipa-tests/ipalib/text.py", line 247, in __mod__
    return self.__unicode__() % kw
KeyError: u'reason'

From edewata at redhat.com Wed Feb 2 20:40:25 2011
From: edewata at redhat.com (Endi Sukma Dewata)
Date: Wed, 02 Feb 2011 14:40:25 -0600
Subject: [Freeipa-devel] [PATCH] Added undo for permission target.
Message-ID: <4D49C139.5030408@redhat.com>

https://fedorahosted.org/freeipa/ticket/885

--
Endi S. Dewata

-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-edewata-0088-Added-undo-for-permission-target.patch
Type: text/x-patch
Size: 29260 bytes

From rcritten at redhat.com Wed Feb 2 20:48:31 2011
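The KeyError in Rob's traceback above is what happens when a keyword-template error such as NotFound ('%(reason)s') is rebuilt on the client from an xmlrpclib.Fault, which carries only a code and a string, so the keywords are gone by the time `_(error.format) % error.kw` runs. The Python 3 example below, added here and not FreeIPA's code, reproduces that failure and then shows one way round it: pack the template and keywords into faultString as a Python literal and decode them on the client with ast.literal_eval before translating. PublicError, NotFound, DuplicateEntry and CATALOG are constructed stand-ins for ipalib's classes and gettext catalogs.

```python
"""Added example, not FreeIPA code: a keyword-template error crossing
XML-RPC as the traceback above implies, then with template and keywords
packed into faultString so the client can translate it.  PublicError,
NotFound, DuplicateEntry and CATALOG are constructed stand-ins."""
import ast
from xmlrpc.client import Fault, dumps, loads


class PublicError(Exception):
    """Error code, untranslated template (the gettext msgid) and the
    keywords that fill it."""
    errno = 900
    format = 'internal error'

    def __init__(self, **kw):
        self.kw = kw
        self.msg = self.format % kw
        super().__init__(self.msg)


class NotFound(PublicError):
    errno = 4001
    format = '%(reason)s'


class DuplicateEntry(PublicError):
    errno = 4002
    format = 'entry "%(entry)s" already exists'


ERRORS = {cls.errno: cls for cls in (NotFound, DuplicateEntry)}

# Constructed catalog keyed by msgid; keywords go in after translation.
CATALOG = {'fr': {'entry "%(entry)s" already exists':
                  'l\'entrée "%(entry)s" existe déjà'}}


def _(msgid, lang):
    return CATALOG.get(lang, {}).get(msgid, msgid)


def localize(err, lang):
    """What the client CLI does: translate the template, then fill it."""
    return _(err.format, lang) % err.kw


def fault_legacy(err):
    """Server, old way: only the formatted message travels."""
    return dumps(Fault(err.errno, err.msg))


def fault_with_kw(err):
    """Server, proposed way: template and keywords as a Python literal."""
    return dumps(Fault(err.errno, repr({'format': err.format, 'kw': err.kw})))


def receive(xml):
    """Client: loads() raises the Fault carried by a fault response."""
    try:
        loads(xml)
    except Fault as fault:
        return fault
    raise ValueError('not a fault response')


def rebuild_legacy(fault):
    """Client, old way: the class follows from the code, kw is gone."""
    cls = ERRORS.get(fault.faultCode, PublicError)
    err = cls.__new__(cls)
    err.kw, err.msg = {}, fault.faultString
    return err


def rebuild_with_kw(fault):
    """Client, proposed way.  literal_eval parses literals only, so a
    hostile faultString cannot run code, and the template comes from
    the local class, never from the wire, so the server cannot supply
    an arbitrary format string."""
    payload = ast.literal_eval(fault.faultString)
    if not isinstance(payload, dict) or set(payload) != {'format', 'kw'}:
        raise ValueError('malformed fault payload')
    cls = ERRORS.get(fault.faultCode, PublicError)
    kw = payload['kw']
    if payload['format'] != cls.format or not isinstance(kw, dict):
        raise ValueError('payload does not match error %d' % fault.faultCode)
    if not all(isinstance(k, str) and isinstance(v, str) for k, v in kw.items()):
        raise ValueError('keywords must be strings')
    try:
        return cls(**kw)
    except KeyError as missing:
        raise ValueError('keyword %s missing' % missing) from None


def legacy_failure(lang='fr'):
    """Reproduce the traceback; returns the missing keyword's name."""
    err = rebuild_legacy(receive(fault_legacy(NotFound(reason='no such entry'))))
    try:
        localize(err, lang)
    except KeyError as missing:
        return missing.args[0]
    return None


def client_message(lang='fr'):
    """Round trip with keywords preserved and translation on the client."""
    wire = fault_with_kw(DuplicateEntry(entry='kfrog'))
    return localize(rebuild_with_kw(receive(wire)), lang)
```

Translating the template does nothing for NotFound, whose whole message travels in `reason`; a keyword that is itself a message needs its own msgid.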
From: rcritten at redhat.com (Rob Crittenden)
Date: Wed, 02 Feb 2011 15:48:31 -0500
Subject: [Freeipa-devel] [PATCH] 699 fix city and state in framework
In-Reply-To: <4D49B993.4010809@redhat.com>
References: <4D49B993.4010809@redhat.com>
Message-ID: <4D49C31F.5090309@redhat.com>

Rob Crittenden wrote:
> City and state in the user object were using the wrong LDAP attributes.
>
> I also added a unit test for address.
>
> This will cause the ui to display undefined for city and state, Adam said he'd take a look.
>
> ticket 889
>
> rob

With updated API.txt

rob

-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-rcrit-699-2-city.patch
Type: application/mbox
Size: 9126 bytes

From ayoung at redhat.com Wed Feb 2 20:56:23 2011
From: ayoung at redhat.com (Adam Young)
Date: Wed, 02 Feb 2011 15:56:23 -0500
Subject: [Freeipa-devel] [PATCH] Added undo for permission target.
In-Reply-To: <4D49C139.5030408@redhat.com>
References: <4D49C139.5030408@redhat.com>
Message-ID: <4D49C4F7.3040903@redhat.com>

On 02/02/2011 03:40 PM, Endi Sukma Dewata wrote:
> https://fedorahosted.org/freeipa/ticket/885

ACK Pushed to master

From rcritten at redhat.com Wed Feb 2 21:34:44 2011
From: rcritten at redhat.com (Rob Crittenden)
Date: Wed, 02 Feb 2011 16:34:44 -0500
Subject: [Freeipa-devel] [PATCH] 700 update some minimum versions
Message-ID: <4D49CDF4.6030103@redhat.com>

Update min version of 389-ds-base, mod_nss and selinux-policy.

As of this writing the selinux-policy update hasn't actually gone out to updates-testing so I'm going to hold onto this even if I get an ack.

The selinux-policy update is needed to fix slapi-nis working as an nis responder.

rob

-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-rcrit-700-spec.patch
Type: application/mbox
Size: 2158 bytes

From ayoung at redhat.com Wed Feb 2 21:53:10 2011
From: ayoung at redhat.com (Adam Young)
Date: Wed, 02 Feb 2011 16:53:10 -0500
Subject: [Freeipa-devel] [PATCH] admiyo-0187-city-and-state
Message-ID: <4D49D246.7050100@redhat.com>

requires freeipa-rcrit-699-2-city.patch

-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-admiyo-0187-city-and-state.patch
Type: text/x-patch
Size: 2440 bytes

From ayoung at redhat.com Wed Feb 2 21:54:51 2011
From: ayoung at redhat.com (Adam Young)
Date: Wed, 02 Feb 2011 16:54:51 -0500
Subject: [Freeipa-devel] [PATCH] 699 fix city and state in framework
In-Reply-To: <4D49C31F.5090309@redhat.com>
References: <4D49B993.4010809@redhat.com> <4D49C31F.5090309@redhat.com>
Message-ID: <4D49D2AB.8020400@redhat.com>

On 02/02/2011 03:48 PM, Rob Crittenden wrote:
> Rob Crittenden wrote:
>> City and state in the user object were using the wrong LDAP attributes.
>>
>> I also added a unit test for address.
>>
>> This will cause the ui to display undefined for city and state, Adam said he'd take a look.
>>
>> ticket 889
>>
>> rob
>
> With updated API.txt
>
> rob

ACK and pushed to master

From ayoung at redhat.com Wed Feb 2 22:01:58 2011
From: ayoung at redhat.com (Adam Young)
Date: Wed, 02 Feb 2011 17:01:58 -0500
Subject: [Freeipa-devel] [PATCH] admiyo-0187-city-and-state
In-Reply-To: <4D49D246.7050100@redhat.com>
References: <4D49D246.7050100@redhat.com>
Message-ID: <4D49D456.3060101@redhat.com>

On 02/02/2011 04:53 PM, Adam Young wrote:
> requires freeipa-rcrit-699-2-city.patch

Hadn't removed the broken custom widget

-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-admiyo-0187-1-city-and-state.patch
Type: text/x-patch
Size: 2324 bytes

From rcritten at redhat.com Wed Feb 2 22:03:14 2011
From: rcritten at redhat.com (Rob Crittenden)
Date: Wed, 02 Feb 2011 17:03:14 -0500
Subject: [Freeipa-devel] [PATCH] admiyo-0187-city-and-state
In-Reply-To: <4D49D456.3060101@redhat.com>
References: <4D49D246.7050100@redhat.com> <4D49D456.3060101@redhat.com>
Message-ID: <4D49D4A2.4080007@redhat.com>

Adam Young wrote:
> On 02/02/2011 04:53 PM, Adam Young wrote:
>> requires freeipa-rcrit-699-2-city.patch
>
> Hadn't removed the broken custom widget

ack

From ayoung at redhat.com Wed Feb 2 22:29:32 2011
From: ayoung at redhat.com (Adam Young)
Date: Wed, 02 Feb 2011 17:29:32 -0500
Subject: [Freeipa-devel] [PATCH] admiyo-0187-city-and-state
In-Reply-To: <4D49D4A2.4080007@redhat.com>
References: <4D49D246.7050100@redhat.com> <4D49D456.3060101@redhat.com> <4D49D4A2.4080007@redhat.com>
Message-ID: <4D49DACC.10504@redhat.com>

On 02/02/2011 05:03 PM, Rob Crittenden wrote:
> Adam Young wrote:
>> On 02/02/2011 04:53 PM, Adam Young wrote:
>>> requires freeipa-rcrit-699-2-city.patch
>>
>> Hadn't removed the broken custom widget
>
> ack

Pushed to master

From jhrozek at redhat.com Wed Feb 2 22:59:32 2011
From: jhrozek at redhat.com (Jakub Hrozek) Date: Wed, 2 Feb 2011 23:59:32 +0100 Subject: [Freeipa-devel] [PATCH] 049 Make nsslib IPv6 aware Message-ID: <20110202225932.GA28047@zeppelin.brq.redhat.com> Hi, attached is a patch to nsslib.py that changes its semantics so it is able to work with different address families. It is the last piece of IPv6 support. Aside from the hunks in the patch, I still need to set Requires: in the patch (don't know the exact version yet). Also, the attached patch always tries IPv4 first and only falls back to IPv6. I think there should be a config option that tells IPA to prefer one of the address families or use it exclusively for performance reasons. Please note that the patch requires the latest changes to python-nss in order to work correctly. Since John is still working on python-nss packages, this patch should be treated as a preview and not pushed even if it is deemed OK. At this stage, I'd like to get at least the general approach and code reviewed so I can fix it tomorrow. Thank you, Jakub -------------- next part -------------- >From 4b85251c303e8519939b702254ee0def932f8ed6 Mon Sep 17 00:00:00 2001 From: Jakub Hrozek Date: Wed, 2 Feb 2011 13:57:16 +0100 Subject: [PATCH] Make nsslib IPv6 aware --- ipapython/nsslib.py | 89 +++++++++++++++++++++++++++++++++++++++++--------- 1 files changed, 73 insertions(+), 16 deletions(-) diff --git a/ipapython/nsslib.py b/ipapython/nsslib.py index 129f1a0..7abbcf0 100644 --- a/ipapython/nsslib.py +++ b/ipapython/nsslib.py @@ -21,12 +21,14 @@ import sys import httplib import getpass +import socket import logging from nss.error import NSPRError import nss.io as io import nss.nss as nss import nss.ssl as ssl +import nss.error as error def auth_certificate_callback(sock, check_sig, is_server, certdb): cert_is_valid = False 
@@ -113,11 +115,65 @@ def client_auth_data_callback(ca_names, chosen_nickname, password, certdb): return False return False -class NSSConnection(httplib.HTTPConnection): +class NSSAddressFamilyFallback(object): + def __init__(self, family): + self.sock_family = family + self.family = self._get_nss_family(self.sock_family) + + def _get_nss_family(self, sock_family): + """ + Translate a family from python socket module to nss family. + """ + if sock_family in [ socket.AF_INET, socket.AF_UNSPEC ]: + return io.PR_AF_INET + elif sock_family == socket.AF_INET6: + return io.PR_AF_INET6 + else: + raise ValueError('Uknown socket family %d\n', sock_family) + + def _get_next_family(self): + if self.sock_family == socket.AF_UNSPEC and \ + self.family == io.PR_AF_INET: + return io.PR_AF_INET6 + + return None + + def _connect_socket_family(self, host, port, family): + logging.debug("connect_socket_family: host=%s port=%s family=%s", + host, port, io.addr_family_name(family)) + try: + net_addr = io.NetworkAddress(host, port, family) + except ValueError, e: + raise NSPRError(error.PR_ADDRESS_NOT_SUPPORTED_ERROR, e.message) + logging.debug("connect: %s", net_addr) + self.sock.connect(net_addr, family) + + def _create_socket(self): + self.sock = io.Socket(family=self.family) + + def connect_socket(self, host, port): + try: + self._connect_socket_family(host, port, self.family) + except NSPRError, e: + if e.errno == error.PR_ADDRESS_NOT_SUPPORTED_ERROR: + next_family = self._get_next_family() + if next_family: + self.family = next_family + self._create_socket() + self._connect_socket_family(host, port, self.family) + else: + logging.debug('No next family to try..') + raise e + else: + raise e + +class NSSConnection(httplib.HTTPConnection, NSSAddressFamilyFallback): default_port = httplib.HTTPSConnection.default_port - def __init__(self, host, port=None, strict=None, dbdir=None): + def __init__(self, host, port=None, strict=None, + dbdir=None, family=socket.AF_UNSPEC): 
httplib.HTTPConnection.__init__(self, host, port, strict) + NSSAddressFamilyFallback.__init__(self, family) if not dbdir: raise RuntimeError("dbdir is required") @@ -130,10 +186,12 @@ class NSSConnection(httplib.HTTPConnection): nss.nss_init(dbdir) ssl.set_domestic_policy() nss.set_password_callback(self.password_callback) + self._create_socket() + def _create_socket(self): # Create the socket here so we can do things like let the caller # override the NSS callbacks - self.sock = ssl.SSLSocket() + self.sock = ssl.SSLSocket(family=self.family) self.sock.set_ssl_option(ssl.SSL_SECURITY, True) self.sock.set_ssl_option(ssl.SSL_HANDSHAKE_AS_CLIENT, True) @@ -142,7 +200,8 @@ class NSSConnection(httplib.HTTPConnection): # Provide a callback to verify the servers certificate self.sock.set_auth_certificate_callback(auth_certificate_callback, - nss.get_default_certdb()) + nss.get_default_certdb()) + self.sock.set_hostname(self.host) def password_callback(self, slot, retry, password): if not retry and password: return password @@ -156,11 +215,7 @@ class NSSConnection(httplib.HTTPConnection): pass def connect(self): - logging.debug("connect: host=%s port=%s", self.host, self.port) - self.sock.set_hostname(self.host) - net_addr = io.NetworkAddress(self.host, self.port) - logging.debug("connect: %s", net_addr) - self.sock.connect(net_addr) + self.connect_socket(self.host, self.port) def endheaders(self, message=None): """ 
@@ -206,20 +261,22 @@ class NSSHTTPS(httplib.HTTP): port = None self._setup(self._connection_class(host, port, strict, dbdir=dbdir)) -class NSPRConnection(httplib.HTTPConnection): +class NSPRConnection(httplib.HTTPConnection, NSSAddressFamilyFallback): default_port = httplib.HTTPConnection.default_port - def __init__(self, host, port=None, strict=None): + def __init__(self, host, port=None, strict=None, family=socket.AF_UNSPEC): httplib.HTTPConnection.__init__(self, host, port, strict) + NSSAddressFamilyFallback.__init__(self, family) logging.debug('%s init %s', self.__class__.__name__, host) + self._create_socket() + + def _create_socket(self): + super(NSPRConnection, self)._create_socket() + self.sock.set_hostname(self.host) - self.sock = io.Socket() def connect(self): - logging.debug("connect: host=%s port=%s", self.host, self.port) - net_addr = io.NetworkAddress(self.host, self.port) - logging.debug("connect: %s", net_addr) - self.sock.connect(net_addr) + self.connect_socket(self.host, self.port) class NSPRHTTP(httplib.HTTP): _http_vsn = 11 -- 1.7.3.5 From jzeleny at redhat.com Thu Feb 3 08:19:13 2011 From: jzeleny at redhat.com (Jan =?iso-8859-15?q?Zelen=FD?=) Date: Thu, 3 Feb 2011 09:19:13 +0100 Subject: [Freeipa-devel] [PATCH] 022 Inconsistent error message for ipa group-detach In-Reply-To: <1296657384.2972.0.camel@dhcp-25-52.brq.redhat.com> References: <1296657384.2972.0.camel@dhcp-25-52.brq.redhat.com> Message-ID: <201102030919.13988.jzeleny@redhat.com> Martin Kosek wrote: > When attempting to detach a private group that doesn't exist, the > error message returned is not consistent with the error returned by > the other topic commands. This patch adds a standard message. > > https://fedorahosted.org/freeipa/ticket/291 ack Jan From jzeleny at redhat.com Thu Feb 3 08:20:54 2011 
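Review bot: in patch 049 (ipapython/nsslib.py, hunk @@ -113), `connect_socket` falls back to the next family only when the caught NSPRError carries PR_ADDRESS_NOT_SUPPORTED_ERROR, which `_connect_socket_family` raises when `io.NetworkAddress(host, port, family)` cannot build an address of that family; a `self.sock.connect` failure against a resolved IPv4 address (refused, unreachable) propagates unchanged, so with AF_UNSPEC a host that has an A record but is reachable only over IPv6 never gets an IPv6 attempt. Either widen the condition to the connect errors you want to retry or state the narrower intent in a comment. Two smaller points in the same hunk: `raise ValueError('Uknown socket family %d\n', sock_family)` passes the family as a second exception argument instead of formatting it (and misspells Unknown), so use `raise ValueError('Unknown socket family %d' % sock_family)`; and the two `raise e` statements reset the traceback in Python 2, where a bare `raise` keeps it.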
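Review bot: in patch 049 hunk @@ -142, `self.sock.set_hostname(self.host)` now sits beside `set_auth_certificate_callback` inside the new `_create_socket` rather than in `connect`; that placement matters because `connect_socket` rebuilds the socket when it falls back to IPv6, and a replacement socket set up anywhere else would negotiate TLS without the server certificate check and hostname binding. Please add a one-line comment saying the callback and hostname are registered here precisely so that every socket `_create_socket` produces, the fallback one included, is verified.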
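Review bot: in patch 049 hunk @@ -206, `NSPRConnection._create_socket` reaches the mixin through `super(NSPRConnection, self)._create_socket()`, which only works because `httplib.HTTPConnection` (an old-style class in Python 2) happens to define no `_create_socket` and comes first in the MRO; since `__init__` already calls both bases explicitly, `NSSAddressFamilyFallback._create_socket(self)` would make the intent visible and survive a future `_create_socket` in httplib. Also, the unchanged context line `self._setup(self._connection_class(host, port, strict, dbdir=dbdir))` in NSSHTTPS passes no family, so the httplib.HTTP-style wrappers are always AF_UNSPEC; if the preference option mentioned in the mail is added later, it will need to be threaded through there.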
From: jzeleny at redhat.com (Jan Zelený)
Date: Thu, 3 Feb 2011 09:20:54 +0100
Subject: [Freeipa-devel] [PATCH] 023 ipa-server-install inconsistent capitalization
In-Reply-To: <1296660822.2972.1.camel@dhcp-25-52.brq.redhat.com>
References: <1296660822.2972.1.camel@dhcp-25-52.brq.redhat.com>
Message-ID: <201102030920.54393.jzeleny@redhat.com>

Martin Kosek wrote:
> A cosmetic patch to IPA server installation output aimed to make capitalization in installer output consistent. Several installation tasks started with a lowercase letter and several installation task steps started with an uppercase letter.
>
> https://fedorahosted.org/freeipa/ticket/776

ack

Jan

From jzeleny at redhat.com Thu Feb 3 10:02:20 2011
From: jzeleny at redhat.com (Jan Zelený)
Date: Thu, 3 Feb 2011 11:02:20 +0100
Subject: [Freeipa-devel] [PATCH] 700 update some minimum versions
In-Reply-To: <4D49CDF4.6030103@redhat.com>
References: <4D49CDF4.6030103@redhat.com>
Message-ID: <201102031102.20440.jzeleny@redhat.com>

Rob Crittenden wrote:
> Update min version of 389-ds-base, mod_nss and selinux-policy.
>
> As of this writing the selinux-policy update hasn't actually gone out to updates-testing so I'm going to hold onto this even if I get an ack.
>
> The selinux-policy update is needed to fix slapi-nis working as an nis responder.
>
> rob

Seems good, build and installation on F14 works.

ACK

Jan

From edewata at redhat.com Thu Feb 3 12:52:59 2011
From: edewata at redhat.com (Endi Sukma Dewata)
Date: Thu, 03 Feb 2011 06:52:59 -0600
Subject: [Freeipa-devel] [PATCH] Fixed section expand/collapse in user details.
Message-ID: <4D4AA52B.4000601@redhat.com>

The section names were missing from the entity definition.

--
Endi S. Dewata

-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-edewata-0089-Fixed-section-expand-collapse-in-user-details.patch
Type: text/x-patch
Size: 3538 bytes

From edewata at redhat.com Thu Feb 3 12:57:15 2011
From: edewata at redhat.com (Endi Sukma Dewata)
Date: Thu, 03 Feb 2011 06:57:15 -0600
Subject: [Freeipa-devel] [PATCH] Added multi-valued text widget.
Message-ID: <4D4AA62B.1040306@redhat.com>

A multi-valued text widget has been created to replace the old IPA.details_field. There are some differences:

The old code was designed to handle all data types, so the code is incomplete and complex. The new code was designed to handle multi-valued text attributes only, so it's easier to maintain. There are already other widgets that can be used to handle other data types.

In the old code, if an attribute contains multiple values there will be one undo link for each value. In the new code there will be only one undo link for the whole attribute.

In the old code, when a value is removed, the value will be crossed out. In the new code when a value is removed the entire line will disappear.

--
Endi S. Dewata

-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-edewata-0092-Added-multi-valued-text-widget.patch
Type: text/x-patch
Size: 15472 bytes

From jzeleny at redhat.com Thu Feb 3 13:23:11 2011
From: jzeleny at redhat.com (Jan Zelený)
Date: Thu, 3 Feb 2011 14:23:11 +0100
Subject: [Freeipa-devel] [PATCH] 049 Make nsslib IPv6 aware
In-Reply-To: <20110202225932.GA28047@zeppelin.brq.redhat.com>
References: <20110202225932.GA28047@zeppelin.brq.redhat.com>
Message-ID: <201102031423.11366.jzeleny@redhat.com>

Jakub Hrozek wrote:
> Hi,
>
> attached is a patch to nsslib.py that changes its semantics so it is able to work with different address families. It is the last piece of IPv6 support.
>
> Aside from the hunks in the patch, I still need to set Requires: in the patch (don't know the exact version yet). Also, the attached patch always tries IPv4 first and only falls back to IPv6. I think there should be a config option that tells IPA to prefer one of the address families or use it exclusively for performance reasons.
>
> Please note that the patch requires the latest changes to python-nss in order to work correctly. Since John is still working on python-nss packages, this patch should be treated as a preview and not pushed even if it is deemed OK. At this stage, I'd like to get at least the general approach and code reviewed so I can fix it tomorrow.
>
> Thank you,
> Jakub

The patch looks ok, all my questions answered off-list. Also tested with IPv4 (latest python-nss installed) and IPv6, both work fine.

ACK

Jan

From jhrozek at redhat.com Thu Feb 3 13:40:06 2011
From: jhrozek at redhat.com (Jakub Hrozek) Date: Thu, 03 Feb 2011 14:40:06 +0100 Subject: [Freeipa-devel] [PATCH] 049 Make nsslib IPv6 aware In-Reply-To: <201102031423.11366.jzeleny@redhat.com> References: <20110202225932.GA28047@zeppelin.brq.redhat.com> <201102031423.11366.jzeleny@redhat.com> Message-ID: <4D4AB036.7040804@redhat.com> On 02/03/2011 02:23 PM, Jan Zelený wrote: > The patch looks ok, all my questions answered off-list. Also tested with IPv4 > (latest python-nss installed) and IPv6, both work fine. > > ACK > > Jan > As noted in the original mail, please don't push until python-nss is in the repos we want. Currently this patch would break because there are new functions and constants used, but mainly nss.io.NetworkAddress changed its API. From ayoung at redhat.com Thu Feb 3 14:05:30 2011 From: ayoung at redhat.com (Adam Young) Date: Thu, 03 Feb 2011 09:05:30 -0500 Subject: [Freeipa-devel] [PATCH] Fixed section expand/collapse in user details. In-Reply-To: <4D4AA52B.4000601@redhat.com> References: <4D4AA52B.4000601@redhat.com> Message-ID: <4D4AB62A.5040104@redhat.com> On 02/03/2011 07:52 AM, Endi Sukma Dewata wrote: > The section names were missing from the entity definition. > > > _______________________________________________ > Freeipa-devel mailing list > Freeipa-devel at redhat.com > https://www.redhat.com/mailman/listinfo/freeipa-devel ACK and pushed to master -------------- next part -------------- An HTML attachment was scrubbed... URL: From pzuna at redhat.com Thu Feb 3 14:34:48 2011 
From: pzuna at redhat.com (Pavel Zuna) Date: Thu, 03 Feb 2011 15:34:48 +0100 Subject: [Freeipa-devel] python i18n options Message-ID: <4D4ABD08.6040907@redhat.com> I've been playing around with localizing python strings for a while and this is what I figured out: Currently we use xgettext to get strings to be translated from python files. From within python we call the gettext library wrapped in ipalib/text.py classes to provide on request translation. We need on request translation, so that we can translate strings on the client. Apart from the classes in ipalib/text.py, there are also localization functions in ipalib/request.py. These functions are old and deprecated. Despite this they are still used when translating exception messages. That's why exceptions aren't currently being localized. Rob posted a patch recently that fixes this, but it wasn't fixing the problem at its root. There's another patch by me (69: Remove deprecated i18n code...) that removes references to ipalib/request.py and replaces it with ipalib/text.py classes. This patch should definitely be accepted. It doesn't change anything - it just removes code that shouldn't be there anyway. There's another problem with exceptions. They are localized when they are first created on the server. When transmitting exceptions from server to client, the data is wrapped in an xmlrpclib.Fault class. This class can only contain an error code and string, making it impossible to reconstruct on the client, especially if it contains template strings (i.e. '%(reason)s'). I propose we change the way exceptions are created and encode information about them as Fault string data. We can then reconstruct them on the client and perform localization there. Python 2.6+ provides secure ways to encode and decode literal types to/from strings. This will require changes to the PublicError class. Now there's the issue of localizing the built-in help system ('ipa help') which translates to localizing python docstrings. 
xgettext can't do that on its own. There's an alternative called pygettext. Unfortunately pygettext can't translate ngettext strings (meaning strings that have a singular and plural form). I found two solutions around this: 1) a) use both xgettext and pygettext b) merge the resulting .po files c) use msguniq utility to get unique translatable strings 2) there's a patch for pygettext to handle ngettext strings Solution 1) will probably work fine, but it's not very effective. I would prefer the second solution, but I still have to determine how good the patch is since it was sent by some random guy on the python mailing list. Links: http://bugs.python.org/issue8502 http://bugs.python.org/file17639/pygettext.py.patch Opinions? Summary: ======== Unless we agree on a better way, I'm going to try the pygettext patch and see how usable it is. If it's not then I'll try the solution with merging pygettext and xgettext output. We also need to rethink the PublicError class and its encoding/decoding in {JSON,XML}-RPC to have them translated on the client. Pavel From ayoung at redhat.com Thu Feb 3 14:41:45 2011 
From: ayoung at redhat.com (Adam Young) Date: Thu, 03 Feb 2011 09:41:45 -0500 Subject: [Freeipa-devel] [PATCH] Added multi-valued text widget. In-Reply-To: <4D4AA62B.1040306@redhat.com> References: <4D4AA62B.1040306@redhat.com> Message-ID: <4D4ABEA9.6020708@redhat.com> On 02/03/2011 07:57 AM, Endi Sukma Dewata wrote: > A multi-valued text widget has been created to replace the old > IPA.details_field. There are some differences: > > The old code was designed to handle all data types, so the code is > incomplete and complex. The new code was designed to handle multi- > valued text attributes only, so it's easier to maintain. There are > already other widgets that can be used to handle other data types. > > In the old code, if an attribute contains multiple values there > will be one undo link for each value. In the new code there will > be only one undo link for the whole attribute. > > In the old code, when a value is removed, the value will be crossed > out. In the new code when a value is removed the entire line will > disappear. > > > _______________________________________________ > Freeipa-devel mailing list > Freeipa-devel at redhat.com > https://www.redhat.com/mailman/listinfo/freeipa-devel NACK. Mostly good, but not sure I agree 100%. Line level Undo we very specific for the multi values. Undo should be for individuals, not for the overall. I realize that this makes the logic a little bit harder if you want to, say, abandon your changes on phone numbers, but keep them for Title, it is hard to get the undo just right. So: Multi values should have an "undo all" in addition to line level undo. I'd like to leave the "line-out" approach in there for removed entries as well. A user can always repurpose a line, so their undo/redo will be valuable at the line level. For straight delete, I think it is valuable for the user to see the original value. Also, it looks like the code for "create_remove_link" is still in IPA.details_field. 
I'm guessing that this is dead code that should be removed. At a minimum, it should be moved to the new widget. -------------- next part -------------- An HTML attachment was scrubbed... URL: From rcritten at redhat.com Thu Feb 3 15:33:35 2011 From: rcritten at redhat.com (Rob Crittenden) Date: Thu, 03 Feb 2011 10:33:35 -0500 Subject: [Freeipa-devel] [PATCH] 022 Inconsistent error message for ipa group-detach In-Reply-To: <201102030919.13988.jzeleny@redhat.com> References: <1296657384.2972.0.camel@dhcp-25-52.brq.redhat.com> <201102030919.13988.jzeleny@redhat.com> Message-ID: <4D4ACACF.4000403@redhat.com> Jan Zelený wrote: > Martin Kosek wrote: >> When attempting to detach a private group that doesn't exist, the >> error message returned is not consistent with the error returned by >> the other topic commands. This patch adds a standard message. >> >> https://fedorahosted.org/freeipa/ticket/291 > > ack > > Jan pushed to master From rcritten at redhat.com Thu Feb 3 15:34:13 2011 From: rcritten at redhat.com (Rob Crittenden) Date: Thu, 03 Feb 2011 10:34:13 -0500 Subject: [Freeipa-devel] [PATCH] 023 ipa-server-install inconsistent capitalization In-Reply-To: <201102030920.54393.jzeleny@redhat.com> References: <1296660822.2972.1.camel@dhcp-25-52.brq.redhat.com> <201102030920.54393.jzeleny@redhat.com> Message-ID: <4D4ACAF5.50107@redhat.com> Jan Zelený wrote: > Martin Kosek wrote: >> A cosmetic patch to IPA server installation output aimed to make >> capitalization in installer output consistent. Several installation >> tasks started with a lowercase letter and several installation >> task steps started with an uppercase letter. >> >> https://fedorahosted.org/freeipa/ticket/776 > > ack > > Jan pushed to master From rcritten at redhat.com Thu Feb 3 15:35:32 2011 
From: rcritten at redhat.com (Rob Crittenden) Date: Thu, 03 Feb 2011 10:35:32 -0500 Subject: [Freeipa-devel] [PATCH] 700 update some minimum versions In-Reply-To: <201102031102.20440.jzeleny@redhat.com> References: <4D49CDF4.6030103@redhat.com> <201102031102.20440.jzeleny@redhat.com> Message-ID: <4D4ACB44.6000906@redhat.com> Jan Zelený wrote: > Rob Crittenden wrote: >> Update min version of 389-ds-base, mod_nss and selinux-policy. >> >> As of this writing the selinux-policy update hasn't actually gone out to >> updates-testing so I'm going to hold onto this even if I get an ack. >> >> The selinux-policy update is needed to fix slapi-nis working as an nis >> responder. >> >> rob > > Seems good, build and installation on F14 works. ACK > > Jan Thanks, and the new policy is in updates-testing, pushed. rob From edewata at redhat.com Thu Feb 3 16:05:22 2011 From: edewata at redhat.com (Endi Sukma Dewata) Date: Thu, 03 Feb 2011 10:05:22 -0600 Subject: [Freeipa-devel] [PATCH] Fixed CSS error. Message-ID: <4D4AD242.5090302@redhat.com> Pushed under one-liner rule. -- Endi S. Dewata -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-edewata-0093-Fixed-CSS-error.patch Type: text/x-patch Size: 639 bytes Desc: not available URL: From jdennis at redhat.com Thu Feb 3 16:13:29 2011 
From: jdennis at redhat.com (John Dennis) Date: Thu, 03 Feb 2011 11:13:29 -0500 Subject: [Freeipa-devel] python i18n options In-Reply-To: <4D4ABD08.6040907@redhat.com> References: <4D4ABD08.6040907@redhat.com> Message-ID: <4D4AD429.60704@redhat.com> On 02/03/2011 09:34 AM, Pavel Zuna wrote: > Python 2.6+ provides secure ways to encode and decode > literal types to/from strings. I'm not sure what you mean by this, could you elaborate please? > Summary: > ======== > Unless we agree on a better way; I'm going to try the pygettext patch and see > how usable it is. If it's not then I'll try the solution with merging pygettext > and xgettext output. We also need to rethink the PublicError class and it's > encoding/decoding in {JSON,XML}-RPC to have them translated on the client. I think your proposal sounds fine if we expect the message catalog on the client to be in sync with the server. I'm not sure that's a good assumption. When they drift apart the effect will be that some messages appear localized and others won't. That will be a poor user experience. One way we could address this problem is by following the web model. The client sends their language preference in each request. When the server responds it performs the message translation prior to sending it back to the client. We're already doing this for the web UI, any reason not to follow the same model for other clients? I can't comment on the quality of the upstream pygettext patch, but one way to find out is to start using it :-) -- John Dennis Looking to carve out IT costs? www.redhat.com/carveoutcosts/ From mkosek at redhat.com Thu Feb 3 16:33:31 2011 
From: mkosek at redhat.com (Martin Kosek) Date: Thu, 03 Feb 2011 17:33:31 +0100 Subject: [Freeipa-devel] [PATCH] 025 Detection of v1 server during ipa-client-install Message-ID: <1296750811.6407.0.camel@dhcp-25-52.brq.redhat.com> When v2 IPA client is trying to join an IPA v1 server a strange exception is printed out to the user. This patch detects this by catching an XML-RPC error reported by ipa-join binary called in the process which fails on the non-existent IPA server 'join' method. wget call had to be changed so that IPA client may get to the ipa-join step. --no-check-certificate had to be added as V1 server automatically redirects the request to self-signed secure connection. https://fedorahosted.org/freeipa/ticket/553 -------------- next part -------------- A non-text attachment was scrubbed... Name: mkosek-freeipa-025-detection-of-v1-server-during-ipa-client-install.patch Type: text/x-patch Size: 2303 bytes Desc: not available URL: From ssorce at redhat.com Thu Feb 3 19:02:39 2011 
From: ssorce at redhat.com (Simo Sorce) Date: Thu, 3 Feb 2011 14:02:39 -0500 Subject: [Freeipa-devel] [PATCH] admiyo-0176-unmatched-aciattrs In-Reply-To: <4D432CDD.7040106@redhat.com> References: <4D432CDD.7040106@redhat.com> Message-ID: <20110203140239.1c9cbba2@willson.li.ssimo.org> On Fri, 28 Jan 2011 15:53:49 -0500 Adam Young wrote: This one was pushed. Simo. -- Simo Sorce * Red Hat, Inc * New York From ssorce at redhat.com Thu Feb 3 19:04:27 2011 From: ssorce at redhat.com (Simo Sorce) Date: Thu, 3 Feb 2011 14:04:27 -0500 Subject: [Freeipa-devel] [PATCH] Enable custom list of attributes to retrieve effective rights. In-Reply-To: <4D3586B8.2080405@redhat.com> References: <4D1C502A.8050409@redhat.com> <4D2770BE.3010509@redhat.com> <4D3586B8.2080405@redhat.com> Message-ID: <20110203140427.633d90cc@willson.li.ssimo.org> On Tue, 18 Jan 2011 13:25:28 +0100 Pavel Zuna wrote: > On 01/07/2011 08:59 PM, Rob Crittenden wrote: > > Pavel Zůna wrote: > >> LDAPObject sub-classes can define a custom list of attributes for > >> effective rights retrieval. > >> > >> Fix #677 > >> > >> Pavel > >> > > > > Nack. --rights should only return data when --all is also included. > > > > Otherwise it looks ok. > > > > rob > > Fixed version attached. > > Pavel Is this one still on the table? Or did some other patch supersede it? Simo. -- Simo Sorce * Red Hat, Inc * New York From ayoung at redhat.com Thu Feb 3 19:45:56 2011 From: ayoung at redhat.com (Adam Young) Date: Thu, 03 Feb 2011 14:45:56 -0500 Subject: [Freeipa-devel] [PATCH] admiyo-0188-favicon.patch Message-ID: <4D4B05F4.6020000@redhat.com> -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-admiyo-0188-favicon.patch Type: text/x-patch Size: 2295 bytes Desc: not available URL: From edewata at redhat.com Thu Feb 3 20:06:49 2011 
From: edewata at redhat.com (Endi Sukma Dewata) Date: Thu, 03 Feb 2011 14:06:49 -0600 Subject: [Freeipa-devel] [PATCH] admiyo-0188-favicon.patch In-Reply-To: <4D4B05F4.6020000@redhat.com> References: <4D4B05F4.6020000@redhat.com> Message-ID: <4D4B0AD9.5000709@redhat.com> On 2/3/2011 1:45 PM, Adam Young wrote: > ACK and pushed to master. -- Endi S. Dewata From ssorce at redhat.com Thu Feb 3 20:08:54 2011 From: ssorce at redhat.com (Simo Sorce) Date: Thu, 3 Feb 2011 15:08:54 -0500 Subject: [Freeipa-devel] [PATCH] admiyo-0188-favicon.patch In-Reply-To: <4D4B05F4.6020000@redhat.com> References: <4D4B05F4.6020000@redhat.com> Message-ID: <20110203150854.2f9f1d71@willson.li.ssimo.org> On Thu, 03 Feb 2011 14:45:56 -0500 Adam Young wrote: ack Simo. -- Simo Sorce * Red Hat, Inc * New York From edewata at redhat.com Thu Feb 3 21:18:10 2011 
From: edewata at redhat.com (Endi Sukma Dewata) Date: Thu, 03 Feb 2011 15:18:10 -0600 Subject: [Freeipa-devel] [PATCH] Added multi-valued text widget. In-Reply-To: <4D4ABEA9.6020708@redhat.com> References: <4D4AA62B.1040306@redhat.com> <4D4ABEA9.6020708@redhat.com> Message-ID: <4D4B1B92.6090709@redhat.com> On 2/3/2011 8:41 AM, Adam Young wrote: > NACK. Mostly good, but not sure I agree 100%. Line level Undo we very > specific for the multi values. Undo should be for individuals, not for > the overall. > > I realize that this makes the logic a little bit harder if you want to, > say, abandon your changes on phone numbers, but keep them for Title, it > is hard to get the undo just right. > > So: Multi values should have an "undo all" in addition to line level undo. Attached is an updated patch. The line-level undo has been added. > I'd like to leave the "line-out" approach in there for removed entries > as well. A user can always repurpose a line, so their undo/redo will be > valuable at the line level. For straight delete, I think it is valuable > for the user to see the original value. > > Also, it looks like the code for "create_remove_link" is still in > IPA.details_field. I'm guessing that this is dead code that should be > removed. At a minimum, it should be moved to the new widget. Line-out removal has been added as well. Please see the new patch description. Thanks! -- Endi S. Dewata -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-edewata-0092-2-Added-multi-valued-text-widget.patch Type: text/x-patch Size: 18669 bytes Desc: not available URL: From ayoung at redhat.com Fri Feb 4 01:36:53 2011 
From: ayoung at redhat.com (Adam Young) Date: Thu, 03 Feb 2011 20:36:53 -0500 Subject: [Freeipa-devel] [PATCH] Added multi-valued text widget. In-Reply-To: <4D4B1B92.6090709@redhat.com> References: <4D4AA62B.1040306@redhat.com> <4D4ABEA9.6020708@redhat.com> <4D4B1B92.6090709@redhat.com> Message-ID: <4D4B5835.5090605@redhat.com> On 02/03/2011 04:18 PM, Endi Sukma Dewata wrote: > On 2/3/2011 8:41 AM, Adam Young wrote: >> NACK. Mostly good, but not sure I agree 100%. Line level Undo we very >> specific for the multi values. Undo should be for individuals, not for >> the overall. >> >> I realize that this makes the logic a little bit harder if you want to, >> say, abandon your changes on phone numbers, but keep them for Title, it >> is hard to get the undo just right. >> >> So: Multi values should have an "undo all" in addition to line level >> undo. > > Attached is an updated patch. The line-level undo has been added. > >> I'd like to leave the "line-out" approach in there for removed entries >> as well. A user can always repurpose a line, so their undo/redo will be >> valuable at the line level. For straight delete, I think it is valuable >> for the user to see the original value. >> >> Also, it looks like the code for "create_remove_link" is still in >> IPA.details_field. I'm guessing that this is dead code that should be >> removed. At a minimum, it should be moved to the new widget. > > Line-out removal has been added as well. Please see the new patch > description. Thanks! > ACK, pushed to master. Nicely done. From dpal at redhat.com Fri Feb 4 04:31:57 2011 
From: dpal at redhat.com (Dmitri Pal) Date: Thu, 03 Feb 2011 23:31:57 -0500 Subject: [Freeipa-devel] Announcing FreeIPA v2 Server Beta 2 Release Message-ID: <4D4B813D.9050809@redhat.com> To all freeipa-interest, freeipa-users and freeipa-devel list members, The FreeIPA project team is pleased to announce the availability of the Beta 2 release of freeIPA 2.0 server [1]. * Binaries are available for F-14. * With the release of this Beta, freeIPA moves into the Release Candidate cycle. * Please do not hesitate to share feedback, criticism or bugs with us on our mailing list: freeipa-users at redhat.com Main Highlights of the Beta This beta has a set of significant improvements across all areas of the project. Modifications include but are not limited to: * Support of the latest Dogtag packages. * Installation fixes. * Changes in the DIT structure. * New permissions defined against different elements of the tree. * Better startup and shutdown handling. * Replication improvements. * Incremental improvements in IPv6 support. * DNS improvements. * The package name has been changed to "freeipa" to avoid collision with IPA v1.x and many others. Focus of the Beta Testing * There is a Fedora test day for FreeIPA coming on Feb 10th [3]. Please join us in testing FreeIPA. The exact instructions will be provided later and will be available off the link on the page. * The following section outlines the areas that we are most interested in testing [4]. Significant Changes Since Beta 1 To see all the tickets addressed between the two beta releases see [2]. Repositories and Installation * Use the following link to install the beta 2 packages [5]. * On Fedora-14 FreeIPA relies on the latest versions of the packages currently available from the updates-testing repository. Please make sure to enable this repository before you proceed with installation. Known Issues: * There are known issues that currently prevent FreeIPA from successfully installing on F-15 [6]. 
We will send a separate message when these issues are resolved. * Server-generated error messages are not translated yet. * IPv6 support is not complete. * The 'ipa help' command does not support localization. We plan to address all the outstanding tickets before the final 2.0 release. For the complete list see [7]. Thank you, The FreeIPA development team [1] http://www.freeipa.org/page/Downloads [2] https://fedorahosted.org/freeipa/milestone/0.8%20iteration%20-%20January%20%28cleanup%29 [3] https://fedoraproject.org/wiki/QA/Fedora_15_test_days [4] https://fedoraproject.org/wiki/Features/FreeIPAv2#How_To_Test [5] http://freeipa.org/downloads/freeipa-devel.repo [6] https://bugzilla.redhat.com/show_bug.cgi?id=674916 [7] https://fedorahosted.org/freeipa/milestone/2.0.1%20Bug%20fixing From jzeleny at redhat.com Fri Feb 4 08:05:32 2011 From: jzeleny at redhat.com (Jan Zelený) Date: Fri, 4 Feb 2011 09:05:32 +0100 Subject: [Freeipa-devel] [PATCH] 025 Detection of v1 server during ipa-client-install In-Reply-To: <1296750811.6407.0.camel@dhcp-25-52.brq.redhat.com> References: <1296750811.6407.0.camel@dhcp-25-52.brq.redhat.com> Message-ID: <201102040905.32981.jzeleny@redhat.com> Martin Kosek wrote: > When v2 IPA client is trying to join an IPA v1 server > a strange exception is printed out to the user. This patch > detects this by catching an XML-RPC error reported by ipa-join > binary called in the process which fails on the non-existent IPA server > 'join' method. > > wget call had to be changed so that IPA client may get to the > ipa-join step. --no-check-certificate had to be added as V1 > server automatically redirects the request to self-signed secure > connection. > > https://fedorahosted.org/freeipa/ticket/553 The patch is ok and applies correctly. My only thought was to download the certificate directly from https://..../ca.crt instead of plain http, but there is probably no real benefit. ack Jan From mkosek at redhat.com Fri Feb 4 13:08:45 2011 
From: mkosek at redhat.com (Martin Kosek) Date: Fri, 04 Feb 2011 14:08:45 +0100 Subject: [Freeipa-devel] [PATCH] 026 HBAC plugin inconsistent output Message-ID: <1296824925.7595.8.camel@dhcp-25-52.brq.redhat.com> This patch adds a proper summary text to HBAC command which is then printed out in CLI. Now, HBAC plugin output is consistent with other plugins. https://fedorahosted.org/freeipa/ticket/596 -------------- next part -------------- A non-text attachment was scrubbed... Name: mkosek-freeipa-026-hbac-plugin-inconsistent-output.patch Type: text/x-patch Size: 4369 bytes Desc: not available URL: From mkosek at redhat.com Fri Feb 4 14:20:55 2011 From: mkosek at redhat.com (Martin Kosek) Date: Fri, 04 Feb 2011 15:20:55 +0100 Subject: [Freeipa-devel] [PATCH] 027 Support of user default email domain Message-ID: <1296829255.7595.9.camel@dhcp-25-52.brq.redhat.com> This patch fixes the default domain functionality for user email(s). This setting may be configured via: ipa config-mod --emaildomain=example.com Then, when a user is added/modified and the --mail option is passed, the default domain is appended if the passed attribute does not contain another domain already. https://fedorahosted.org/freeipa/ticket/598 -------------- next part -------------- A non-text attachment was scrubbed... Name: mkosek-freeipa-027-support-of-user-default-email-domain.patch Type: text/x-patch Size: 2439 bytes Desc: not available URL: From pzuna at redhat.com Fri Feb 4 14:55:39 2011 
From: pzuna at redhat.com (Pavel Zuna) Date: Fri, 04 Feb 2011 15:55:39 +0100 Subject: [Freeipa-devel] [PATCH] Remove deprecated i18n code from ipalib.request and all references to it. In-Reply-To: <4D49C030.8030901@redhat.com> References: <4D497C50.1000705@redhat.com> <4D49C030.8030901@redhat.com> Message-ID: <4D4C136B.4040702@redhat.com> On 02/02/2011 09:36 PM, Rob Crittenden wrote: > Pavel Zuna wrote: >> This ticket effectively fixes the translation of exception messages. >> >> Ticket #903 >> >> Pavel >> > > On hold for now, see also patch 'Translate exception messages on the > client side.' > > rob This should get pushed for the translation in exceptions to work. It only removes the defunct code and replaces it with something functional. Pavel From pzuna at redhat.com Fri Feb 4 15:01:12 2011 From: pzuna at redhat.com (Pavel Zuna) Date: Fri, 04 Feb 2011 16:01:12 +0100 Subject: [Freeipa-devel] [PATCH] Send Accept-Language header over XML-RPC and translate on server. Message-ID: <4D4C14B8.6060800@redhat.com> This patch makes the ipa client send the Accept-Language header, so that the server can translate things like exceptions, that cannot be translated on the client. It also fixes the language recognition for the webUI. The values in Accept-Language header are a bit different than what is accepted by the LANG variable as a valid locale - some additional parsing was needed. For example: >>> Accept-Language: es-es;q=1 needs to translate to >>> es_ES otherwise it won't be recognized by gettext Fix #904 Fix #917 Pavel -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pzuna-71-acceptlang.patch Type: application/mbox Size: 4436 bytes Desc: not available URL: From rcritten at redhat.com Fri Feb 4 15:03:01 2011 
From: rcritten at redhat.com (Rob Crittenden) Date: Fri, 04 Feb 2011 10:03:01 -0500 Subject: [Freeipa-devel] [PATCH] Remove deprecated i18n code from ipalib.request and all references to it. In-Reply-To: <4D4C136B.4040702@redhat.com> References: <4D497C50.1000705@redhat.com> <4D49C030.8030901@redhat.com> <4D4C136B.4040702@redhat.com> Message-ID: <4D4C1525.9010904@redhat.com> Pavel Zuna wrote: > On 02/02/2011 09:36 PM, Rob Crittenden wrote: >> Pavel Zuna wrote: >>> This ticket effectively fixes the translation of exception messages. >>> >>> Ticket #903 >>> >>> Pavel >>> >> >> On hold for now, see also patch 'Translate exception messages on the >> client side.' >> >> rob > > This should get pushed for the translation in exceptions to work. It > only removes the defunct code and replaces it with something functional. > > Pavel If the server locale is not en_US.UTF-8 then messages are translated. rob From pzuna at redhat.com Fri Feb 4 15:09:02 2011 
From: pzuna at redhat.com (Pavel Zuna) Date: Fri, 04 Feb 2011 16:09:02 +0100 Subject: [Freeipa-devel] python i18n options In-Reply-To: <4D4AD429.60704@redhat.com> References: <4D4ABD08.6040907@redhat.com> <4D4AD429.60704@redhat.com> Message-ID: <4D4C168E.5080408@redhat.com> On 02/03/2011 05:13 PM, John Dennis wrote: > On 02/03/2011 09:34 AM, Pavel Zuna wrote: >> Python 2.6+ provides secure ways to encode and decode >> literal types to/from strings. > > I'm not sure what you mean by this, could you elaborate please? http://docs.python.org/library/ast.html#ast.literal_eval We could use it to send data about the exception and have the client translate it for itself. However I decided to drop this idea, because it would require changes in a lot of places where we construct exceptions and that's just not worth it. > >> Summary: >> ======== >> Unless we agree on a better way; I'm going to try the pygettext patch >> and see >> how usable it is. If it's not then I'll try the solution with merging >> pygettext >> and xgettext output. We also need to rethink the PublicError class and >> it's >> encoding/decoding in {JSON,XML}-RPC to have them translated on the >> client. > > I think your proposal sounds fine if we expect the message catalog on > the client to be in sync with the server. I'm not sure that's a good > assumption. When they drift apart the effect will be that some messages > appear localized and others won't. That will be a poor user experience. > One way we could address this problem is by following the web model. The > client sends their language preference in each request. When the server > responds it performs the message translation prior to sending it back to > the client. We're already doing this for the web UI, any reason not to > follow the same model for other clients? Yes, we're going to use the same model in the end. Already posted a patch on the list that does just that (71). 
> I can't comment on the quality of the upstream pygettext patch, but one > way to find out is to start using it :-) That's exactly what I'm planning to do. :) Pavel From pzuna at redhat.com Fri Feb 4 15:10:47 2011 From: pzuna at redhat.com (Pavel Zuna) Date: Fri, 04 Feb 2011 16:10:47 +0100 Subject: [Freeipa-devel] [PATCH] Remove deprecated i18n code from ipalib.request and all references to it. In-Reply-To: <4D4C1525.9010904@redhat.com> References: <4D497C50.1000705@redhat.com> <4D49C030.8030901@redhat.com> <4D4C136B.4040702@redhat.com> <4D4C1525.9010904@redhat.com> Message-ID: <4D4C16F7.8060102@redhat.com> On 02/04/2011 04:03 PM, Rob Crittenden wrote: > Pavel Zuna wrote: >> On 02/02/2011 09:36 PM, Rob Crittenden wrote: >>> Pavel Zuna wrote: >>>> This ticket effectively fixes the translation of exception messages. >>>> >>>> Ticket #903 >>>> >>>> Pavel >>>> >>> >>> On hold for now, see also patch 'Translate exception messages on the >>> client side.' >>> >>> rob >> >> This should get pushed for the translation in exceptions to work. It >> only removes the defunct code and replaces it with something functional. >> >> Pavel > > If the server locale is not en_US.UTF-8 then messages are translated. > > rob I know, but it's not the purpose of this patch to do the right translation for the client. Its purpose is to fix the code to actually perform the translation. There's another patch (71) to do the right thing and it depends on this one. Pavel From rcritten at redhat.com Fri Feb 4 15:23:33 2011 
From: rcritten at redhat.com (Rob Crittenden) Date: Fri, 04 Feb 2011 10:23:33 -0500 Subject: [Freeipa-devel] [PATCH] Send Accept-Language header over XML-RPC and translate on server. In-Reply-To: <4D4C14B8.6060800@redhat.com> References: <4D4C14B8.6060800@redhat.com> Message-ID: <4D4C19F5.2020602@redhat.com> Pavel Zuna wrote: > This patch makes the ipa client send the Accept-Language header, so that > the server can translate things like exceptions, that cannot be > translated on the client. > > It also fixes the language recognition for the webUI. The values in > Accept-Language header are a bit different than what is accepted by the > LANG variable as a valid locale - some additional parsing was needed. > For example: > >>> Accept-Language: es-es;q=1 > needs to translate to > >>> es_ES > otherwise it won't be recognized by gettext > > Fix #904 > Fix #917 > > Pavel nack. ast is imported but not used Why are you calling locale.setlocale() instead of locale.getlocale()? If extra_headers is passed in as a string this will drop it: + if not isinstance(extra_headers, list): + extra_headers = [] Multiple Authorization is actually legal though it may be a good idea to remove any others found, so I'll let this part go. I don't know that it is really needed though. Some formatting is changed to make it less readable IMHO: - else: - scheme = "http" + else: scheme = "http" The code to break HTTP_ACCEPT_LANGUAGE into language and region is broken. Passing in en-gb returns en_EN. (I think you want [1] not [0]). Ideally we would loop through all acceptable languages until we find one that we actually provide. So if we are passed in da, en-gb;q=0.8, en;q=0.7 we would first look for Danish but fall back to British English or any other English (preferring British English). rob From rcritten at redhat.com Fri Feb 4 15:24:58 2011 
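The Accept-Language handling Rob's review asks for, as an added Python example that is not part of this thread and not code from patch 71: preferences walked in q order, "en-gb" mapped to "en_GB" rather than "en_EN", and fallback to any available catalog for the same language. The function names, the list of available locales and the "en_US" default are assumptions; a header value is also syntax-checked before it becomes a locale name, since gettext turns that name into a catalog path.

```python
import re
from typing import List, Tuple

# Language-range syntax (RFC 2616 section 14.4): "*" or 1-8 alpha subtags
# joined by "-". Anything else (e.g. path characters) is dropped, so a
# client-supplied header can never become an odd catalog directory name.
_TAG_RE = re.compile(r'^(?:\*|[A-Za-z]{1,8}(?:-[A-Za-z0-9]{1,8})*)$')


def parse_accept_language(header: str, max_entries: int = 20) -> List[Tuple[str, float]]:
    """Return (language-range, q) pairs, highest q first; header order
    breaks ties. Malformed entries and q=0 entries are skipped."""
    ranges = []
    for pos, item in enumerate(header.split(',')):
        if len(ranges) >= max_entries:      # bound work on hostile headers
            break
        parts = [p.strip() for p in item.split(';')]
        tag = parts[0]
        if not _TAG_RE.match(tag):
            continue
        q = 1.0                              # default quality per RFC
        for param in parts[1:]:
            name, _, value = param.partition('=')
            if name.strip().lower() == 'q':
                try:
                    q = float(value.strip())
                except ValueError:
                    q = 0.0                  # unparsable q: not acceptable
        if not 0.0 < q <= 1.0:
            continue                         # q=0 means "never send this"
        ranges.append((tag, q, pos))
    ranges.sort(key=lambda r: (-r[1], r[2]))  # stable: q desc, then header order
    return [(tag, q) for tag, q, _ in ranges]


def to_locale(tag: str) -> str:
    """'es-es' -> 'es_ES', 'en-gb' -> 'en_GB', 'en' -> 'en'.
    Only language and a two-letter region subtag are kept."""
    parts = tag.split('-')
    lang = parts[0].lower()
    if len(parts) > 1 and len(parts[1]) == 2:
        return lang + '_' + parts[1].upper()
    return lang


def choose_locale(header: str, available, default: str = 'en_US') -> str:
    """Pick the first client preference the server can serve: an exact
    ll_CC match wins, otherwise any available locale of the same language.
    'available' is the set of locales with catalogs (an assumption here)."""
    avail = list(available)
    for tag, _q in parse_accept_language(header):
        if tag == '*':
            return default
        loc = to_locale(tag)
        if loc in avail:
            return loc
        lang = loc.split('_')[0]
        same_lang = [a for a in avail if a.split('_')[0] == lang]
        if same_lang:
            return same_lang[0]
    return default


if __name__ == '__main__':
    # Rob's example: Danish is unavailable, so British English wins;
    # without en_GB any other English catalog would be used instead.
    hdr = 'da, en-gb;q=0.8, en;q=0.7'
    print(choose_locale(hdr, ['en_US', 'en_GB', 'es_ES']))  # en_GB
    print(choose_locale(hdr, ['en_US', 'es_ES']))           # en_US
```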
From: rcritten at redhat.com (Rob Crittenden) Date: Fri, 04 Feb 2011 10:24:58 -0500 Subject: [Freeipa-devel] [PATCH] Remove deprecated i18n code from ipalib.request and all references to it. In-Reply-To: <4D4C16F7.8060102@redhat.com> References: <4D497C50.1000705@redhat.com> <4D49C030.8030901@redhat.com> <4D4C136B.4040702@redhat.com> <4D4C1525.9010904@redhat.com> <4D4C16F7.8060102@redhat.com> Message-ID: <4D4C1A4A.1050200@redhat.com>

Pavel Zuna wrote:
> On 02/04/2011 04:03 PM, Rob Crittenden wrote:
>> Pavel Zuna wrote:
>>> On 02/02/2011 09:36 PM, Rob Crittenden wrote:
>>>> Pavel Zuna wrote:
>>>>> This ticket effectively fixes the translation of exception messages.
>>>>>
>>>>> Ticket #903
>>>>>
>>>>> Pavel
>>>>>
>>>>
>>>> On hold for now, see also patch 'Translate exception messages on the
>>>> client side.'
>>>>
>>>> rob
>>>
>>> This should get pushed for the translation in exceptions to work. It
>>> only removes the defunct code and replaces it with something functional.
>>>
>>> Pavel
>>
>> If the server locale is not en_US.UTF-8 then messages are translated.
>>
>> rob
>
> I know, but it's not the purpose of this patch to do the right
> translation for the client. Its purpose is to fix the code to actually
> perform the translation.
>
> There's another patch (71) to do the right thing and it depends on this
> one.
>
> Pavel

Right but 71 fails if there are keywords to translate. I'd prefer to hold off on both of these until we come to a more complete solution.

rob

From pzuna at redhat.com Fri Feb 4 17:09:39 2011
From: pzuna at redhat.com (Pavel Zůna) Date: Fri, 04 Feb 2011 18:09:39 +0100 Subject: [Freeipa-devel] [PATCH] Remove deprecated i18n code from ipalib.request and all references to it. In-Reply-To: <4D4C1A4A.1050200@redhat.com> References: <4D497C50.1000705@redhat.com> <4D49C030.8030901@redhat.com> <4D4C136B.4040702@redhat.com> <4D4C1525.9010904@redhat.com> <4D4C16F7.8060102@redhat.com> <4D4C1A4A.1050200@redhat.com> Message-ID: <4D4C32D3.6010907@redhat.com>

On 2011-02-04 16:24, Rob Crittenden wrote:
> Pavel Zuna wrote:
>> On 02/04/2011 04:03 PM, Rob Crittenden wrote:
>>> Pavel Zuna wrote:
>>>> On 02/02/2011 09:36 PM, Rob Crittenden wrote:
>>>>> Pavel Zuna wrote:
>>>>>> This ticket effectively fixes the translation of exception messages.
>>>>>>
>>>>>> Ticket #903
>>>>>>
>>>>>> Pavel
>>>>>>
>>>>>
>>>>> On hold for now, see also patch 'Translate exception messages on the
>>>>> client side.'
>>>>>
>>>>> rob
>>>>
>>>> This should get pushed for the translation in exceptions to work. It
>>>> only removes the defunct code and replaces it with something
>>>> functional.
>>>>
>>>> Pavel
>>>
>>> If the server locale is not en_US.UTF-8 then messages are translated.
>>>
>>> rob
>>
>> I know, but it's not the purpose of this patch to do the right
>> translation for the client. Its purpose is to fix the code to actually
>> perform the translation.
>>
>> There's another patch (71) to do the right thing and it depends on this
>> one.
>>
>> Pavel
>
> Right but 71 fails if there are keywords to translate. I'd prefer to
> hold off on both of these until we come to a more complete solution.
>
> rob

No, that's 70 failing. :) 71 is the Accept-Language patch I posted today.

Pavel

From pzuna at redhat.com Fri Feb 4 17:35:35 2011
From: pzuna at redhat.com (Pavel Zůna) Date: Fri, 04 Feb 2011 18:35:35 +0100 Subject: [Freeipa-devel] [PATCH] Send Accept-Language header over XML-RPC and translate on server. In-Reply-To: <4D4C19F5.2020602@redhat.com> References: <4D4C14B8.6060800@redhat.com> <4D4C19F5.2020602@redhat.com> Message-ID: <4D4C38E7.5030507@redhat.com>

On 2011-02-04 16:23, Rob Crittenden wrote:
> Pavel Zuna wrote:
>> This patch makes the ipa client send the Accept-Language header, so that
>> the server can translate things like exceptions, that cannot be
>> translated on the client.
>>
>> It also fixes the language recognition for the webUI. The values in the
>> Accept-Language header are a bit different than what is accepted by the
>> LANG variable as a valid locale - some additional parsing was needed.
>> For example:
>>
>>> Accept-Language: es-es;q=1
>> needs to translate to
>>> es_ES
>> otherwise it won't be recognized by gettext
>>
>> Fix #904
>> Fix #917
>>
>> Pavel
>
> nack.
>
> ast is imported but not used

Leftover. Removed in the attached updated version.

> Why are you calling locale.setlocale() instead of locale.getlocale()?

Because that's how it should be done. setlocale() with an empty string as second argument gets the current environment settings. getlocale() without a previous call to setlocale returns (None, None).

> If extra_headers is passed in as a string this will drop it:

That's never going to happen. I checked the underlying implementation in xmlrpclib and it can either be a list or dict. In this case, LanguageAwareTransport is calling Transport.get_host_info() which always returns extra_headers as a list or None if empty. The original implementation (before this patch) always dropped the whole thing and used a new list instead.

> + if not isinstance(extra_headers, list): > + extra_headers = []
>
> Multiple Authorization is actually legal though it may be a good idea to
> remove any others found, so I'll let this part go.
I don't know that it > is really needed though. Because the underlying Transport class can fill Authorization with 'Basic ' and the original implementation was dropping it as well. > Some formatting is changed to make it less readable IMHO: > > - else: > - scheme = "http" > + else: scheme = "http" That's unintentional, sorry. > The code to break HTTP_ACCEPT_LANGUAGE into language and region is > broken. Passing in en-gb returns en_EN. (I think you want [1] not [0]). Nice catch. I was probably thinking that since I'm using rsplit(), the indexes will be the other way around. :) Fixed in attached version. > Ideally we would loop through all acceptable languages until we find one > that we actually provide. > > So if we are passed in da, en-gb;q=0.8, en;q=0.7 we would first look for > Danish but fall back to British English or any other English (preferring > British English). That's a good idea! However I would keep it simple for now and do this in a separate patch. > rob Pavel -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pzuna-71-2-acceptlang.patch Type: application/mbox Size: 3955 bytes Desc: not available URL: From jzeleny at redhat.com Fri Feb 4 17:40:54 2011 From: jzeleny at redhat.com (Jan Zeleny) Date: Fri, 4 Feb 2011 18:40:54 +0100 Subject: [Freeipa-devel] [PATCH] Fixed command delegation-show Message-ID: <201102041840.54168.jzeleny@redhat.com> Recent changes in permission prefixes influenced also delegations. The plugin has been updated accordingly, but this one line has been forgotten. Jan -------------- next part -------------- A non-text attachment was scrubbed... Name: jzeleny-freeipa-0036-Fixed-command-delegation-show.patch Type: text/x-patch Size: 957 bytes Desc: not available URL: From jzeleny at redhat.com Fri Feb 4 17:41:41 2011 
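The Accept-Language handling argued over in the patch 71 thread above, as an added example that is not Pavel's patch or FreeIPA code: it maps es-es to es_ES, takes the region from the subtag after the dash (Rob's en-gb -> en_EN catch), drops malformed entries instead of crashing on client-supplied input, and walks the q-ordered candidates until it finds a translation that is actually shipped, as Rob suggested for "da, en-gb;q=0.8, en;q=0.7". AVAILABLE, DEFAULT_LOCALE and the function names are constructed stand-ins.

```python
import re

# Constructed catalogue standing in for the translations we actually ship;
# a real server would build it from the installed message catalogues.
AVAILABLE = frozenset(["en_US", "en_GB", "es_ES", "cs_CZ"])
DEFAULT_LOCALE = "en_US"

# language[-subtag]...; anything else (including "*") is ignored, because the
# header is untrusted client input and must never crash the request.
_TAG_RE = re.compile(r"^[A-Za-z]{1,8}(?:-[A-Za-z0-9]{1,8})*$")


def parse_accept_language(header):
    """Split an Accept-Language value into [(tag, q)] in preference order.

    Entries with a malformed tag or an unparsable/zero q are dropped rather
    than raising; ties in q keep the client's original order.
    """
    candidates = []
    for position, item in enumerate(header.split(",")):
        fields = [field.strip() for field in item.split(";")]
        tag = fields[0]
        if not _TAG_RE.match(tag):
            continue
        q = 1.0
        for param in fields[1:]:
            name, _, value = param.partition("=")
            if name.strip().lower() == "q":
                try:
                    q = float(value.strip())
                except ValueError:
                    q = 0.0
        if 0.0 < q <= 1.0:
            candidates.append((tag, q, position))
    candidates.sort(key=lambda cand: (-cand[1], cand[2]))
    return [(tag, q) for tag, q, _ in candidates]


def to_locale(tag):
    """Map an Accept-Language tag to gettext's LANG form: es-es -> es_ES.

    The region is the subtag after the dash, i.e. index 1 of the split;
    reusing index 0 is the en-gb -> en_EN bug caught in review.
    """
    parts = tag.split("-")
    language = parts[0].lower()
    if len(parts) == 1:
        return language
    return "%s_%s" % (language, parts[1].upper())


def select_locale(header, available=AVAILABLE, default=DEFAULT_LOCALE):
    """Walk the candidates in preference order until one we provide matches.

    An exact locale wins outright.  A bare language, or a region we do not
    ship, falls back to any translation of that language, preferring one the
    client named elsewhere in the header.  Nothing usable -> default.
    """
    candidates = [to_locale(tag) for tag, _ in parse_accept_language(header)]
    for candidate in candidates:
        if candidate in available:
            return candidate
        language = candidate.split("_")[0]
        same_language = sorted(
            loc for loc in available if loc.split("_")[0] == language
        )
        if not same_language:
            continue
        for other in candidates:
            if other in same_language:
                return other
        return same_language[0]
    return default


if __name__ == "__main__":
    # Rob's example: Danish first, then British English, then any English.
    print(select_locale("da, en-gb;q=0.8, en;q=0.7"))
    print(select_locale("da, en-gb;q=0.8, en;q=0.7", frozenset(["en_US"])))
    print(select_locale("xx;q=abc, *"))  # malformed -> default locale
```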
From: jzeleny at redhat.com (Jan Zeleny) Date: Fri, 4 Feb 2011 18:41:41 +0100 Subject: [Freeipa-devel] [PATCH] Fix of a small typo Message-ID: <201102041841.41525.jzeleny@redhat.com>

Trivial fix, can be pushed directly

Jan

-------------- next part -------------- A non-text attachment was scrubbed... Name: jzeleny-freeipa-0037-Fix-of-a-small-typo.patch Type: text/x-patch Size: 920 bytes Desc: not available URL:

From ayoung at redhat.com Fri Feb 4 18:50:59 2011
From: ayoung at redhat.com (Adam Young) Date: Fri, 04 Feb 2011 13:50:59 -0500 Subject: [Freeipa-devel] [PATCH] admiyo-0190-target-section-undo Message-ID: <4D4C4A93.6050002@redhat.com>

-------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-admiyo-0190-target-section-undo.patch Type: text/x-patch Size: 2737 bytes Desc: not available URL:

From ayoung at redhat.com Fri Feb 4 19:02:40 2011
From: ayoung at redhat.com (Adam Young) Date: Fri, 04 Feb 2011 14:02:40 -0500 Subject: [Freeipa-devel] [PATCH] admiyo-0190-target-section-undo In-Reply-To: <4D4C4A93.6050002@redhat.com> References: <4D4C4A93.6050002@redhat.com> Message-ID: <4D4C4D50.6070303@redhat.com>

On 02/04/2011 01:50 PM, Adam Young wrote:
>

NACK. I don't like the way the whole page moves. I have a slightly better approach.

-------------- next part -------------- An HTML attachment was scrubbed... URL:

From ayoung at redhat.com Fri Feb 4 19:30:12 2011
From: ayoung at redhat.com (Adam Young) Date: Fri, 04 Feb 2011 14:30:12 -0500 Subject: [Freeipa-devel] [PATCH] admiyo-0190-target-section-undo In-Reply-To: <4D4C4D50.6070303@redhat.com> References: <4D4C4A93.6050002@redhat.com> <4D4C4D50.6070303@redhat.com> Message-ID: <4D4C53C4.5010304@redhat.com>

On 02/04/2011 02:02 PM, Adam Young wrote:
> On 02/04/2011 01:50 PM, Adam Young wrote:
>>
> NACK. I don't like the way the whole page moves. I have a slightly
> better approach.

This uses visibility instead of display for the css, which keeps the page from expanding and contracting.

-------------- next part -------------- An HTML attachment was scrubbed... URL:
-------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-admiyo-0190-1-target-section-undo.patch Type: text/x-patch Size: 4065 bytes Desc: not available URL:

From erinn.looneytriggs at gmail.com Fri Feb 4 21:07:18 2011
From: erinn.looneytriggs at gmail.com (Erinn Looney-Triggs) Date: Fri, 04 Feb 2011 12:07:18 -0900 Subject: [Freeipa-devel] Upgrade to beta 2 failed Message-ID: <4D4C6A86.80606@gmail.com> I tried to run the uninstall and a re-install however it is stating that it is already installed: [root at ipa ~]# ipa-server-install --uninstall This is a NON REVERSIBLE operation and will delete all data and configuration! Are you sure you want to continue with the uninstall procedure? [no]: yes Shutting down all IPA services Removing IPA client configuration Unconfiguring ntpd Unconfiguring web server Unconfiguring krb5kdc Unconfiguring ipa_kpasswd Unconfiguring directory server [root at ipa ~]# ipa-server-install The log file for this installation can be found in /var/log/ipaserver-install.log IPA server is already configured on this system. Any suggestions? -Erinn From ayoung at redhat.com Fri Feb 4 21:15:05 2011 From: ayoung at redhat.com (Adam Young) Date: Fri, 04 Feb 2011 16:15:05 -0500 Subject: [Freeipa-devel] [PATCH] one liner to remove duplicate position value in css Message-ID: <4D4C6C59.4050104@redhat.com> pushed under the one line rule [master a6849ef] removed duplicate position only need to specify once 1 files changed, 0 insertions(+), 1 deletions(-) [ayoung at ayoung ui]$ git diff HEAD~1 HEAD diff --git a/install/ui/ipa.css b/install/ui/ipa.css index c851a40..29b7fe3 100644 --- a/install/ui/ipa.css +++ b/install/ui/ipa.css @@ -597,7 +597,6 @@ span.main-separator{ margin-left: -19.5em; margin-right: 0; padding-left: 0; - position: fixed; width: 18em; background-image:url("panel-background.png"); background-repeat:no-repeat; From rcritten at redhat.com Fri Feb 4 21:12:28 2011 
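Review bot: the hunk deletes `- position: fixed;` as a "duplicate position", but the other `position` declaration it is supposed to duplicate is not among the seven context lines shown (`margin-left` through `background-repeat`), so the diff alone cannot confirm that the surviving declaration also says `fixed`; if it does not, the sidebar's positioning changes rather than just being deduplicated. The `@@ ... span.main-separator{` context is only the nearest preceding brace line, not necessarily the rule being edited at line 597, which makes it harder still to verify from the hunk. For a push under the one-line rule it would be worth quoting the retained declaration (or the actual selector) in the commit message.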
From: rcritten at redhat.com (Rob Crittenden) Date: Fri, 04 Feb 2011 16:12:28 -0500 Subject: [Freeipa-devel] Upgrade to beta 2 failed In-Reply-To: <4D4C6A86.80606@gmail.com> References: <4D4C6A86.80606@gmail.com> Message-ID: <4D4C6BBC.7020105@redhat.com> Erinn Looney-Triggs wrote: > I tried to run the uninstall and a re-install however it is stating that > it is already installed: > > [root at ipa ~]# ipa-server-install --uninstall > > This is a NON REVERSIBLE operation and will delete all data and > configuration! > > Are you sure you want to continue with the uninstall procedure? [no]: yes > Shutting down all IPA services > Removing IPA client configuration > Unconfiguring ntpd > Unconfiguring web server > Unconfiguring krb5kdc > Unconfiguring ipa_kpasswd > Unconfiguring directory server > [root at ipa ~]# ipa-server-install > > The log file for this installation can be found in > /var/log/ipaserver-install.log > IPA server is already configured on this system. Yes, something isn't getting cleaned up properly, we're looking into it. In the meantime you can get around this by removing the files in /var/lib/ipa/sysrestore/ rob From ayoung at redhat.com Fri Feb 4 21:16:48 2011 
From: ayoung at redhat.com (Adam Young) Date: Fri, 04 Feb 2011 16:16:48 -0500 Subject: [Freeipa-devel] Upgrade to beta 2 failed In-Reply-To: <4D4C6A86.80606@gmail.com> References: <4D4C6A86.80606@gmail.com> Message-ID: <4D4C6CC0.7040900@redhat.com> On 02/04/2011 04:07 PM, Erinn Looney-Triggs wrote: > I tried to run the uninstall and a re-install however it is stating that > it is already installed: > > [root at ipa ~]# ipa-server-install --uninstall > > This is a NON REVERSIBLE operation and will delete all data and > configuration! > > Are you sure you want to continue with the uninstall procedure? [no]: yes > Shutting down all IPA services > Removing IPA client configuration > Unconfiguring ntpd > Unconfiguring web server > Unconfiguring krb5kdc > Unconfiguring ipa_kpasswd > Unconfiguring directory server > [root at ipa ~]# ipa-server-install > > The log file for this installation can be found in > /var/log/ipaserver-install.log > IPA server is already configured on this system. > > Any suggestions? > > -Erinn > > _______________________________________________ > Freeipa-devel mailing list > Freeipa-devel at redhat.com > https://www.redhat.com/mailman/listinfo/freeipa-devel I've run across the same thing. I have to run the uninstall 3 times. And then it works. From erinn.looneytriggs at gmail.com Fri Feb 4 21:18:52 2011 
From: erinn.looneytriggs at gmail.com (Erinn Looney-Triggs) Date: Fri, 04 Feb 2011 12:18:52 -0900 Subject: [Freeipa-devel] Upgrade to beta 2 failed In-Reply-To: <4D4C6BBC.7020105@redhat.com> References: <4D4C6A86.80606@gmail.com> <4D4C6BBC.7020105@redhat.com> Message-ID: <4D4C6D3C.3070606@gmail.com> On 02/04/2011 12:12 PM, Rob Crittenden wrote: > Erinn Looney-Triggs wrote: >> I tried to run the uninstall and a re-install however it is stating that >> it is already installed: >> >> [root at ipa ~]# ipa-server-install --uninstall >> >> This is a NON REVERSIBLE operation and will delete all data and >> configuration! >> >> Are you sure you want to continue with the uninstall procedure? [no]: >> yes >> Shutting down all IPA services >> Removing IPA client configuration >> Unconfiguring ntpd >> Unconfiguring web server >> Unconfiguring krb5kdc >> Unconfiguring ipa_kpasswd >> Unconfiguring directory server >> [root at ipa ~]# ipa-server-install >> >> The log file for this installation can be found in >> /var/log/ipaserver-install.log >> IPA server is already configured on this system. > > Yes, something isn't getting cleaned up properly, we're looking into it. > > In the meantime you can get around this by removing the files in > /var/lib/ipa/sysrestore/ > > rob Thanks and sorry I just realized I probably should have sent this to the users list. -Erinn From edewata at redhat.com Sat Feb 5 02:11:32 2011 
From: edewata at redhat.com (Endi Sukma Dewata) Date: Fri, 04 Feb 2011 20:11:32 -0600 Subject: [Freeipa-devel] [PATCH] admiyo-0190-target-section-undo In-Reply-To: <4D4C53C4.5010304@redhat.com> References: <4D4C4A93.6050002@redhat.com> <4D4C4D50.6070303@redhat.com> <4D4C53C4.5010304@redhat.com> Message-ID: <4D4CB1D4.4010104@redhat.com>

On 2/4/2011 1:30 PM, Adam Young wrote:
>> NACK. I don't like the way the whole page moves. I have a slightly
>> better approach.
> This uses visibility instead of display for the css, which keeps the
> page from expanding and contracting.

The code is good and can be pushed after fixing some jslint warnings. However, currently it isn't possible to switch into a different target type (update will return an error). I remember we were discussing changing the details page to show only the fields for the current target type. Is it still the plan or are we going to fix the server to support changing target type?

--
Endi S. Dewata

From ayoung at redhat.com Sat Feb 5 04:18:50 2011
From: ayoung at redhat.com (Adam Young) Date: Fri, 04 Feb 2011 23:18:50 -0500 Subject: [Freeipa-devel] [PATCH] admiyo-0190-target-section-undo In-Reply-To: <4D4CB1D4.4010104@redhat.com> References: <4D4C4A93.6050002@redhat.com> <4D4C4D50.6070303@redhat.com> <4D4C53C4.5010304@redhat.com> <4D4CB1D4.4010104@redhat.com> Message-ID: <4D4CCFAA.1040104@redhat.com>

On 02/04/2011 09:11 PM, Endi Sukma Dewata wrote:
> On 2/4/2011 1:30 PM, Adam Young wrote:
>>> NACK. I don't like the way the whole page moves. I have a slightly
>>> better approach.
>
>> This uses visibility instead of display for the css, which keeps the
>> page from expanding and contracting.
>
> The code is good and can be pushed after fixing some jslint warnings.
> However, currently it isn't possible to switch into a different target
> type (update will return an error). I remember we were discussing
> changing the details page to show only the fields for the current
> target type. Is it still the plan or are we going to fix the server to
> support changing target type?
>

OK, you are right. Opened a ticket for that.

https://fedorahosted.org/freeipa/ticket/924

From jzeleny at redhat.com Mon Feb 7 09:38:07 2011
From: jzeleny at redhat.com (Jan Zelený) Date: Mon, 7 Feb 2011 10:38:07 +0100 Subject: [Freeipa-devel] [PATCH] 026 HBAC plugin inconsistent output In-Reply-To: <1296824925.7595.8.camel@dhcp-25-52.brq.redhat.com> References: <1296824925.7595.8.camel@dhcp-25-52.brq.redhat.com> Message-ID: <201102071038.07391.jzeleny@redhat.com>

Martin Kosek wrote:
> This patch adds a proper summary text to HBAC command which is
> then printed out in CLI. Now, HBAC plugin output is consistent
> with other plugins.
>
> https://fedorahosted.org/freeipa/ticket/596

I believe API.txt should be updated (you change hbacrule_enable and hbacrule_disable return values), so NACK for now.

Jan

From jhrozek at redhat.com Mon Feb 7 09:46:10 2011
From: jhrozek at redhat.com (Jakub Hrozek) Date: Mon, 7 Feb 2011 10:46:10 +0100 Subject: [Freeipa-devel] [PATCH] Fixed type of argument in class help In-Reply-To: <201102020854.47812.jzeleny@redhat.com> References: <201102020854.47812.jzeleny@redhat.com> Message-ID: <20110207094602.GA31284@zeppelin.brq.redhat.com>

On Wed, Feb 02, 2011 at 08:54:47AM +0100, Jan Zelený wrote:
> At Rob's suggestion I changed the argument type in class help, this is only
> oneliner, I think it can be pushed directly.
>
> Jan
> - takes_args = (Bytes('command?'),) > + takes_args = (Str('command?'),)

Nack, you also need to import Str from parameters.

From jzeleny at redhat.com Mon Feb 7 09:54:46 2011
From: jzeleny at redhat.com (Jan Zelený) Date: Mon, 7 Feb 2011 10:54:46 +0100 Subject: [Freeipa-devel] [PATCH] Fixed type of argument in class help In-Reply-To: <20110207094602.GA31284@zeppelin.brq.redhat.com> References: <201102020854.47812.jzeleny@redhat.com> <20110207094602.GA31284@zeppelin.brq.redhat.com> Message-ID: <201102071054.46730.jzeleny@redhat.com>

Jakub Hrozek wrote:
> On Wed, Feb 02, 2011 at 08:54:47AM +0100, Jan Zelený wrote:
> > At Rob's suggestion I changed the argument type in class help, this is
> > only oneliner, I think it can be pushed directly.
> >
> > Jan
> >
> > - takes_args = (Bytes('command?'),) > > + takes_args = (Str('command?'),)
>
> Nack, you also need to import Str from parameters.

Sorry, I could have given you a heads-up: this patch should be pushed along with my 30-3 patch from last Wednesday which still waits to be re-reviewed. The import is in that patch.

Jan

From jhrozek at redhat.com Mon Feb 7 10:05:29 2011
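Review bot: the one-line hunk replaces `Bytes('command?')` with `Str('command?')` in `takes_args` but carries no import change, and since `takes_args` is evaluated at class-definition time the plugin fails to import with a NameError on any tree where this lands before the patch that supplies the import (the thread identifies that as patch 30-3); it should be squashed into, or explicitly ordered after, that patch rather than pushed on its own. Separately, the type of a command argument is part of the published signature, so API.txt needs the matching Bytes-to-Str line, the same requirement the other reviews in this batch raise for changed return values.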
From: jhrozek at redhat.com (Jakub Hrozek) Date: Mon, 7 Feb 2011 11:05:29 +0100 Subject: [Freeipa-devel] [PATCH] Fix of a small typo In-Reply-To: <201102041841.41525.jzeleny@redhat.com> References: <201102041841.41525.jzeleny@redhat.com> Message-ID: <20110207100528.GB31284@zeppelin.brq.redhat.com> On Fri, Feb 04, 2011 at 06:41:41PM +0100, Jan Zeleny wrote: > Trivial fix, can be pushed directly > > Jan Ack From jhrozek at redhat.com Mon Feb 7 10:12:32 2011 From: jhrozek at redhat.com (Jakub Hrozek) Date: Mon, 7 Feb 2011 11:12:32 +0100 Subject: [Freeipa-devel] [PATCH] Fixed command delegation-show In-Reply-To: <201102041840.54168.jzeleny@redhat.com> References: <201102041840.54168.jzeleny@redhat.com> Message-ID: <20110207101231.GC31284@zeppelin.brq.redhat.com> On Fri, Feb 04, 2011 at 06:40:54PM +0100, Jan Zeleny wrote: > Recent changes in permission prefixes influenced also delegations. The > plugin has been updated accordingly, but this one line has been > forgotten. > > Jan I think it is not needed, the only command preceding return from the function is is_delegation() that has the value of aciprefix hardcoded. Jakub From pzuna at redhat.com Mon Feb 7 10:13:56 2011 From: pzuna at redhat.com (Pavel Zuna) Date: Mon, 07 Feb 2011 11:13:56 +0100 Subject: [Freeipa-devel] [PATCH] 72 Set minimum for Kerberos policy max life and max renew Message-ID: <4D4FC5E4.6040808@redhat.com> Fix #847 Pavel -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pzuna-72-krbtpmin.patch Type: application/mbox Size: 921 bytes Desc: not available URL: From jzeleny at redhat.com Mon Feb 7 10:16:28 2011 
From: jzeleny at redhat.com (Jan Zelený) Date: Mon, 7 Feb 2011 11:16:28 +0100 Subject: [Freeipa-devel] [PATCH] Fixed command delegation-show In-Reply-To: <20110207101231.GC31284@zeppelin.brq.redhat.com> References: <201102041840.54168.jzeleny@redhat.com> <20110207101231.GC31284@zeppelin.brq.redhat.com> Message-ID: <201102071116.28880.jzeleny@redhat.com>

Jakub Hrozek wrote:
> On Fri, Feb 04, 2011 at 06:40:54PM +0100, Jan Zeleny wrote:
> > Recent changes in permission prefixes influenced also delegations. The
> > plugin has been updated accordingly, but this one line has been
> > forgotten.
> >
> > Jan
>
> I think it is not needed, the only command preceding return from the
> function is is_delegation() that has the value of aciprefix hardcoded.
>
> Jakub

Sorry, withdrawing the patch. I originally made it because delegation-show didn't work for me, but it was probably only a typo on the command line or something. The code is indeed ok. Thanks for catching that.

Jan

From jhrozek at redhat.com Mon Feb 7 11:29:01 2011
From: jhrozek at redhat.com (Jakub Hrozek) Date: Mon, 7 Feb 2011 12:29:01 +0100 Subject: [Freeipa-devel] [PATCH] 027 Support of user default email domain In-Reply-To: <1296829255.7595.9.camel@dhcp-25-52.brq.redhat.com> References: <1296829255.7595.9.camel@dhcp-25-52.brq.redhat.com> Message-ID: <20110207112859.GD31284@zeppelin.brq.redhat.com>

On Fri, Feb 04, 2011 at 03:20:55PM +0100, Martin Kosek wrote:
> This patch fixes the default domain functionality for user email(s).
> This setting may be configured via:
>
> ipa config-mod --emaildomain=example.com
>
> Then, when user is added/modified and --mail option is passed,
> the default domain is appended if the passed attribute does not
> contain another domain already.
>
> https://fedorahosted.org/freeipa/ticket/598
>

Ack

From pzuna at redhat.com Mon Feb 7 11:47:19 2011
From: pzuna at redhat.com (Pavel Zuna) Date: Mon, 07 Feb 2011 12:47:19 +0100 Subject: [Freeipa-devel] [PATCH] 73 Update config doc to reflect that 0 is not allowed for search time limit. Message-ID: <4D4FDBC7.5010402@redhat.com>

Fix #837

Pavel

-------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pzuna-73-configdoc.patch Type: application/mbox Size: 1389 bytes Desc: not available URL:

From jhrozek at redhat.com Mon Feb 7 12:10:16 2011
From: jhrozek at redhat.com (Jakub Hrozek) Date: Mon, 7 Feb 2011 13:10:16 +0100 Subject: [Freeipa-devel] [PATCH] 72 Set minimum for Kerberos policy max life and max renew In-Reply-To: <4D4FC5E4.6040808@redhat.com> References: <4D4FC5E4.6040808@redhat.com> Message-ID: <20110207121015.GA5695@zeppelin.brq.redhat.com>

On Mon, Feb 07, 2011 at 11:13:56AM +0100, Pavel Zuna wrote:
> Fix #847
>
> Pavel

Nack, please update API.txt

From jhrozek at redhat.com Mon Feb 7 12:27:03 2011
From: jhrozek at redhat.com (Jakub Hrozek) Date: Mon, 07 Feb 2011 13:27:03 +0100 Subject: [Freeipa-devel] [PATCH] 73 Update config doc to reflect that 0 is not allowed for search time limit. In-Reply-To: <4D4FDBC7.5010402@redhat.com> References: <4D4FDBC7.5010402@redhat.com> Message-ID: <4D4FE517.8000905@redhat.com>

On 02/07/2011 12:47 PM, Pavel Zuna wrote:
> Fix #837
>
> Pavel
>

Ack

From jhrozek at redhat.com Mon Feb 7 12:27:55 2011
From: jhrozek at redhat.com (Jakub Hrozek) Date: Mon, 07 Feb 2011 13:27:55 +0100 Subject: [Freeipa-devel] [PATCH] Fixed type of argument in class help In-Reply-To: <201102071054.46730.jzeleny@redhat.com> References: <201102020854.47812.jzeleny@redhat.com> <20110207094602.GA31284@zeppelin.brq.redhat.com> <201102071054.46730.jzeleny@redhat.com> Message-ID: <4D4FE54B.7000602@redhat.com>

On 02/07/2011 10:54 AM, Jan Zelený wrote:
> Jakub Hrozek wrote:
>> On Wed, Feb 02, 2011 at 08:54:47AM +0100, Jan Zelený wrote:
>>> At Rob's suggestion I changed the argument type in class help, this is
>>> only oneliner, I think it can be pushed directly.
>>>
>>> Jan
>>>
>>> - takes_args = (Bytes('command?'),) >>> + takes_args = (Str('command?'),)
>>
>> Nack, you also need to import Str from parameters.
>
> Sorry, I could have given you a heads-up: this patch should be pushed along with my
> 30-3 patch from last Wednesday which still waits to be re-reviewed. The import
> is in that patch.
>
> Jan

OK, in that case ack on top of patch #30 (or simply squash the change into 30-4, there's no separate ticket anyway)

From pzuna at redhat.com Mon Feb 7 12:56:52 2011
From: pzuna at redhat.com (Pavel Zuna) Date: Mon, 07 Feb 2011 13:56:52 +0100 Subject: [Freeipa-devel] [PATCH] 74 Fix crash in DNS installer. Message-ID: <4D4FEC14.8090707@redhat.com>

Fix #927

Pavel

-------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pzuna-74-dnsinstallcrash.patch Type: application/mbox Size: 1853 bytes Desc: not available URL:

From pzuna at redhat.com Mon Feb 7 13:00:17 2011
From: pzuna at redhat.com (Pavel Zuna) Date: Mon, 07 Feb 2011 14:00:17 +0100 Subject: [Freeipa-devel] [PATCH] 75 Display error messages for failed manageby in service-add/remove-host. Message-ID: <4D4FECE1.3000504@redhat.com> Fix #830 Pavel -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pzuna-75-managedbyerr.patch Type: application/mbox Size: 1258 bytes Desc: not available URL: From pzuna at redhat.com Mon Feb 7 13:10:40 2011 From: pzuna at redhat.com (Pavel Zuna) Date: Mon, 07 Feb 2011 14:10:40 +0100 Subject: [Freeipa-devel] [PATCH] 72 Set minimum for Kerberos policy max life and max renew In-Reply-To: <20110207121015.GA5695@zeppelin.brq.redhat.com> References: <4D4FC5E4.6040808@redhat.com> <20110207121015.GA5695@zeppelin.brq.redhat.com> Message-ID: <4D4FEF50.50300@redhat.com> On 02/07/2011 01:10 PM, Jakub Hrozek wrote: > On Mon, Feb 07, 2011 at 11:13:56AM +0100, Pavel Zuna wrote: >> Fix #847 >> >> Pavel > > >> _______________________________________________ >> Freeipa-devel mailing list >> Freeipa-devel at redhat.com >> https://www.redhat.com/mailman/listinfo/freeipa-devel > > Nack, please update API.txt > Forgot about that, sorry. Version with updated API.txt attached. Pavel -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pzuna-72-2-krbtpmin.patch Type: application/mbox Size: 2383 bytes Desc: not available URL: From pzuna at redhat.com Mon Feb 7 13:12:39 2011 
From: pzuna at redhat.com (Pavel Zuna) Date: Mon, 07 Feb 2011 14:12:39 +0100 Subject: [Freeipa-devel] [PATCH] Enable custom list of attributes to retrieve effective rights. In-Reply-To: <20110203140427.633d90cc@willson.li.ssimo.org> References: <4D1C502A.8050409@redhat.com> <4D2770BE.3010509@redhat.com> <4D3586B8.2080405@redhat.com> <20110203140427.633d90cc@willson.li.ssimo.org> Message-ID: <4D4FEFC7.7080201@redhat.com>

On 02/03/2011 08:04 PM, Simo Sorce wrote:
> On Tue, 18 Jan 2011 13:25:28 +0100
> Pavel Zuna wrote:
>
>> On 01/07/2011 08:59 PM, Rob Crittenden wrote:
>>> Pavel Zůna wrote:
>>>> LDAPObject sub-classes can define a custom list of attributes for
>>>> effective rights retrieval.
>>>>
>>>> Fix #677
>>>>
>>>> Pavel
>>>>
>>>
>>> Nack. --rights should only return data when --all is also included.
>>>
>>> Otherwise it looks ok.
>>>
>>> rob
>>
>> Fixed version attached.
>>
>> Pavel
>
> Is this one still on the table ?
> Or did some other patch supersede it ?
>
> Simo.
>

We can throw this one away. The problem was somewhere else and the ticket is already closed.

Pavel

From pzuna at redhat.com Mon Feb 7 13:31:13 2011
From: pzuna at redhat.com (Pavel Zuna) Date: Mon, 07 Feb 2011 14:31:13 +0100 Subject: [Freeipa-devel] [PATCH] 76 Fallback to default locale (en_US) if env. setting is corrupt. Message-ID: <4D4FF421.2020100@redhat.com>

This is a follow-up to my patches 69 and 71 (70 is garbage). It prevents a crash when user misconfigures his locale settings.

Pavel

-------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pzuna-76-deflocale.patch Type: application/mbox Size: 959 bytes Desc: not available URL:

From pzuna at redhat.com Mon Feb 7 13:57:45 2011
From: pzuna at redhat.com (Pavel Zuna) Date: Mon, 07 Feb 2011 14:57:45 +0100 Subject: [Freeipa-devel] [PATCH] 77 Update krbtpolicy doc to inform that restarting krb5kdc might be needed. Message-ID: <4D4FFA59.4080804@redhat.com> It seems that restarting krb5kdc is only needed when changes to the global policy are made. Per-user policies take effect immediately for newly requested tickets. Can someone please confirm? Fix #844 Pavel -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pzuna-77-krbtpdoc.patch Type: application/mbox Size: 1536 bytes Desc: not available URL: From jgalipea at redhat.com Mon Feb 7 15:06:03 2011 From: jgalipea at redhat.com (Jenny Galipeau) Date: Mon, 07 Feb 2011 10:06:03 -0500 Subject: [Freeipa-devel] [PATCH] 77 Update krbtpolicy doc to inform that restarting krb5kdc might be needed. In-Reply-To: <4D4FFA59.4080804@redhat.com> References: <4D4FFA59.4080804@redhat.com> Message-ID: <4D500A5B.6000801@redhat.com> Pavel Zuna wrote: > It seems that restarting krb5kdc is only needed when changes to the > global policy are made. Per-user policies take effect immediately for > newly requested tickets. Can someone please confirm? Yes, in testing this is the behavior. If the help could specify that a ipactl restart is required after global policy change, that would be great. Thanks Jenny > > Fix #844 > > Pavel > ------------------------------------------------------------------------ > > _______________________________________________ > Freeipa-devel mailing list > Freeipa-devel at redhat.com > https://www.redhat.com/mailman/listinfo/freeipa-devel -- Jenny Galipeau Principal Software QA Engineer Red Hat, Inc. Security Engineering Delivering value year after year. Red Hat ranks #1 in value among software vendors. http://www.redhat.com/promo/vendor/ From edewata at redhat.com Mon Feb 7 15:20:40 2011 
From: edewata at redhat.com (Endi Sukma Dewata) Date: Mon, 07 Feb 2011 09:20:40 -0600 Subject: [Freeipa-devel] [PATCH] Restructuring details page. Message-ID: <4D500DC8.7020304@redhat.com> Previously the IPA.details_list_section can only be used with widgets that generates
tag because it uses the following structure:
Telephone Number:
111-1111
222-2222
The
tag was previously used to handle multi-valued attributes. Since multi-valued attributes are now handled by the recently added IPA.multivalued_text_widget, the structure can be changed as follows:
Telephone Number:
111-1111
222-2222
This allows IPA.details_list_section to be used with any widgets without requiring the
tag. -- Endi S. Dewata -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-edewata-0094-Restructuring-details-page.patch Type: text/x-patch Size: 44478 bytes Desc: not available URL: From edewata at redhat.com Mon Feb 7 15:27:44 2011 From: edewata at redhat.com (Endi Sukma Dewata) Date: Mon, 7 Feb 2011 10:27:44 -0500 (EST) Subject: [Freeipa-devel] [PATCH] Removed unused code. In-Reply-To: <858222117.49828.1297092455133.JavaMail.root@zmail05.collab.prod.int.phx2.redhat.com> Message-ID: <2116435702.49831.1297092464634.JavaMail.root@zmail05.collab.prod.int.phx2.redhat.com> This depends on freeipa-edewata-0094-Restructuring-details-page.patch. -- Endi S. Dewata -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-edewata-0095-Removed-unused-code.patch Type: text/x-patch Size: 16005 bytes Desc: not available URL: From ayoung at redhat.com Mon Feb 7 17:02:47 2011 From: ayoung at redhat.com (Adam Young) Date: Mon, 07 Feb 2011 12:02:47 -0500 Subject: [Freeipa-devel] [PATCH] Restructuring details page. In-Reply-To: <4D500DC8.7020304@redhat.com> References: <4D500DC8.7020304@redhat.com> Message-ID: <4D5025B7.5040801@redhat.com> On 02/07/2011 10:20 AM, Endi Sukma Dewata wrote: > Previously the IPA.details_list_section can only be used with widgets > that generates
tag because it uses the following structure: > >
>
Telephone Number:
> >
111-1111
>
222-2222
>
>
> > The
tag was previously used to handle multi-valued attributes. > Since multi-valued attributes are now handled by the recently added > IPA.multivalued_text_widget, the structure can be changed as follows: > >
>
Telephone Number:
>
> >
111-1111
>
222-2222
>
>
>
> > This allows IPA.details_list_section to be used with any widgets > without requiring the
tag. > > > _______________________________________________ > Freeipa-devel mailing list > Freeipa-devel at redhat.com > https://www.redhat.com/mailman/listinfo/freeipa-devel ACK. Pushed to master -------------- next part -------------- An HTML attachment was scrubbed... URL: From ayoung at redhat.com Mon Feb 7 17:03:00 2011 From: ayoung at redhat.com (Adam Young) Date: Mon, 07 Feb 2011 12:03:00 -0500 Subject: [Freeipa-devel] [PATCH] Removed unused code. In-Reply-To: <2116435702.49831.1297092464634.JavaMail.root@zmail05.collab.prod.int.phx2.redhat.com> References: <2116435702.49831.1297092464634.JavaMail.root@zmail05.collab.prod.int.phx2.redhat.com> Message-ID: <4D5025C4.3070201@redhat.com> On 02/07/2011 10:27 AM, Endi Sukma Dewata wrote: > This depends on freeipa-edewata-0094-Restructuring-details-page.patch. > > -- > Endi S. Dewata > > > > _______________________________________________ > Freeipa-devel mailing list > Freeipa-devel at redhat.com > https://www.redhat.com/mailman/listinfo/freeipa-devel ACK: pushed to master -------------- next part -------------- An HTML attachment was scrubbed... URL: From edewata at redhat.com Mon Feb 7 17:58:28 2011 From: edewata at redhat.com (Endi Sukma Dewata) Date: Mon, 7 Feb 2011 12:58:28 -0500 (EST) Subject: [Freeipa-devel] [PATCH] Hide initial status. In-Reply-To: <3095890.53712.1297101444062.JavaMail.root@zmail05.collab.prod.int.phx2.redhat.com> Message-ID: <875458468.53719.1297101508858.JavaMail.root@zmail05.collab.prod.int.phx2.redhat.com> Previously all certificate & Kerberos key statuses (valid, missing and revoked) will appear briefly at the same time during page load. This has been fixed by setting the initial style to hidden. -- Endi S. Dewata -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-edewata-0096-Hide-initial-status.patch Type: text/x-patch Size: 3422 bytes Desc: not available URL: From rcritten at redhat.com Mon Feb 7 18:35:47 2011 
From: rcritten at redhat.com (Rob Crittenden) Date: Mon, 07 Feb 2011 13:35:47 -0500 Subject: [Freeipa-devel] [PATCH] 701 fix uninstallation Message-ID: <4D503B83.7020306@redhat.com> The state file is read early on in the uninstall and then each service manages its own uninstallation, resetting state as it goes along. Finally we remove the shared 389-ds user but the state is still the original state at the start of the uninstall so everything basically gets reset. Re-reading the state again fixes it. ticket 916 rob -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-rcrit-701-uninstall.patch Type: application/mbox Size: 1025 bytes Desc: not available URL: From rcritten at redhat.com Mon Feb 7 18:38:31 2011 From: rcritten at redhat.com (Rob Crittenden) Date: Mon, 07 Feb 2011 13:38:31 -0500 Subject: [Freeipa-devel] [PATCH] 702 add entitlement API Message-ID: <4D503C27.5090103@redhat.com> The entitlement plugin was being skipped completely if the python-rhsm package wasn't installed. We want to let it limp through if the package isn't installed but we're doing API validation. ticket 919 rob -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-rcrit-702-entitle.patch Type: application/mbox Size: 7630 bytes Desc: not available URL: From ayoung at redhat.com Mon Feb 7 19:37:17 2011
From: ayoung at redhat.com (Adam Young) Date: Mon, 07 Feb 2011 14:37:17 -0500 Subject: [Freeipa-devel] [PATCH] Hide initial status. In-Reply-To: <875458468.53719.1297101508858.JavaMail.root@zmail05.collab.prod.int.phx2.redhat.com> References: <875458468.53719.1297101508858.JavaMail.root@zmail05.collab.prod.int.phx2.redhat.com> Message-ID: <4D5049ED.8000601@redhat.com> On 02/07/2011 12:58 PM, Endi Sukma Dewata wrote: > Previously all certificate& Kerberos key statuses (valid, missing > and revoked) will appear briefly at the same time during page load. > This has been fixed by setting the initial style to hidden. > > -- > Endi S. Dewata > > > > _______________________________________________ > Freeipa-devel mailing list > Freeipa-devel at redhat.com > https://www.redhat.com/mailman/listinfo/freeipa-devel ACK and pushed to master -------------- next part -------------- An HTML attachment was scrubbed... URL: From ayoung at redhat.com Mon Feb 7 20:18:14 2011 From: ayoung at redhat.com (Adam Young) Date: Mon, 07 Feb 2011 15:18:14 -0500 Subject: [Freeipa-devel] [PATCH] 701 fix uninstallation In-Reply-To: <4D503B83.7020306@redhat.com> References: <4D503B83.7020306@redhat.com> Message-ID: <4D505386.3020008@redhat.com> On 02/07/2011 01:35 PM, Rob Crittenden wrote: > The state file is read early on in the uninstall and then each service > manages its own uninstallation, resetting state as it goes along. > Finally we remove the shared 389-ds user but the state is still the > original state at the start of the uninstall so everything basically > gets reset. Re-read the state again fixes it. > > ticket 916 > > rob > > > _______________________________________________ > Freeipa-devel mailing list > Freeipa-devel at redhat.com > https://www.redhat.com/mailman/listinfo/freeipa-devel ACK . pushed to master -------------- next part -------------- An HTML attachment was scrubbed... URL: From ayoung at redhat.com Mon Feb 7 20:22:23 2011 
From: ayoung at redhat.com (Adam Young) Date: Mon, 07 Feb 2011 15:22:23 -0500 Subject: [Freeipa-devel] [PATCH] 026 HBAC plugin inconsistent output In-Reply-To: <201102071038.07391.jzeleny@redhat.com> References: <1296824925.7595.8.camel@dhcp-25-52.brq.redhat.com> <201102071038.07391.jzeleny@redhat.com> Message-ID: <4D50547F.9090308@redhat.com> On 02/07/2011 04:38 AM, Jan Zelený wrote: > Martin Kosek wrote: >> This patch adds a proper summary text to HBAC command which is >> then printed out in CLI. Now, HBAC plugin output is consistent >> with other plugins. >> >> https://fedorahosted.org/freeipa/ticket/596 > I believe API.txt should be updated (you change hbacrule_enable and > hbacrule_disable return values), so NACK for now. > > Jan > Can we mark these as: ACK, needs API.txt update? There are going to be conflicts as different people modify the API. The ones that require API.txt updates just need to have the update done prior to check-in. From edewata at redhat.com Mon Feb 7 20:34:06 2011 From: edewata at redhat.com (Endi Sukma Dewata) Date: Mon, 7 Feb 2011 15:34:06 -0500 (EST) Subject: [Freeipa-devel] [PATCH] Read-only text widget's save() should return null. In-Reply-To: <1285177553.56732.1297110808819.JavaMail.root@zmail05.collab.prod.int.phx2.redhat.com> Message-ID: <1330735387.56735.1297110846064.JavaMail.root@zmail05.collab.prod.int.phx2.redhat.com> Pushed under one-liner rule. -- Endi S. Dewata -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-edewata-0097-Read-only-text-widget-s-save-should-return-null.patch Type: text/x-patch Size: 863 bytes Desc: not available URL: From davido at redhat.com Mon Feb 7 23:34:59 2011
From: davido at redhat.com (David O'Brien) Date: Tue, 08 Feb 2011 09:34:59 +1000 Subject: [Freeipa-devel] [PATCH] 73 Update config doc to reflect that 0 is not allowed for search time limit. In-Reply-To: <4D4FDBC7.5010402@redhat.com> References: <4D4FDBC7.5010402@redhat.com> Message-ID: <4D5081A3.5080908@redhat.com> Pavel Zuna wrote: > Fix #837 > > Pavel > /me hesitantly asks... Doesn't this mean that "1" is illegal? doc=_('Max. amount of time (sec.) for a search (> 1 or -1 for unlimited)'), Neither is there any mention of zero being illegal. It may be implicit or self-evident, but I don't rely on that in doc. I'd be inclined to change it to (> 0, or -1 for unlimited) but remember, I'm not a coder :) cheers -- David O'Brien Red Hat Asia Pacific Pty Ltd +61 7 3514 8189 "He who asks is a fool for five minutes, but he who does not ask remains a fool forever." ~ Chinese proverb From davido at redhat.com Mon Feb 7 23:46:46 2011 
From: davido at redhat.com (David O'Brien) Date: Tue, 08 Feb 2011 09:46:46 +1000 Subject: [Freeipa-devel] [PATCH] 77 Update krbtpolicy doc to inform that restarting krb5kdc might be needed. In-Reply-To: <4D500A5B.6000801@redhat.com> References: <4D4FFA59.4080804@redhat.com> <4D500A5B.6000801@redhat.com> Message-ID: <4D508466.6010508@redhat.com> Jenny Galipeau wrote: > Pavel Zuna wrote: >> It seems that restarting krb5kdc is only needed when changes to the >> global policy are made. Per-user policies take effect immediately for >> newly requested tickets. Can someone please confirm? > Yes, in testing this is the behavior. If the help could specify that a > ipactl restart is required after global policy change, that would be great. > Thanks > Jenny > Please raise a suitable bugzilla to get this included in the user doc. So far I only have doc about restarting IPA services after ipa krbtpolicy-reset. thanks >> >> Fix #844 >> >> Pavel >> ------------------------------------------------------------------------ >> >> _______________________________________________ >> Freeipa-devel mailing list >> Freeipa-devel at redhat.com >> https://www.redhat.com/mailman/listinfo/freeipa-devel > > -- David O'Brien Red Hat Asia Pacific Pty Ltd +61 7 3514 8189 "He who asks is a fool for five minutes, but he who does not ask remains a fool forever." ~ Chinese proverb From dpal at redhat.com Tue Feb 8 00:02:14 2011 
From: dpal at redhat.com (Dmitri Pal) Date: Mon, 07 Feb 2011 19:02:14 -0500 Subject: [Freeipa-devel] [PATCH] 77 Update krbtpolicy doc to inform that restarting krb5kdc might be needed. In-Reply-To: <4D508466.6010508@redhat.com> References: <4D4FFA59.4080804@redhat.com> <4D500A5B.6000801@redhat.com> <4D508466.6010508@redhat.com> Message-ID: <4D508806.7000108@redhat.com> On 02/07/2011 06:46 PM, David O'Brien wrote: > Jenny Galipeau wrote: >> Pavel Zuna wrote: >>> It seems that restarting krb5kdc is only needed when changes to the >>> global policy are made. Per-user policies take effect immediately >>> for newly requested tickets. Can someone please confirm? >> Yes, in testing this is the behavior. If the help could specify that >> a ipactl restart is required after global policy change, that would >> be great. >> Thanks >> Jenny >> > Please raise a suitable bugzilla to get this included in the user doc. > So far I only have doc about restarting IPA services after ipa > krbtpolicy-reset. Isn't it the same thing? > > thanks >>> >>> Fix #844 >>> >>> Pavel >>> ------------------------------------------------------------------------ >>> >>> >>> _______________________________________________ >>> Freeipa-devel mailing list >>> Freeipa-devel at redhat.com >>> https://www.redhat.com/mailman/listinfo/freeipa-devel >> >> > > -- Thank you, Dmitri Pal Sr. Engineering Manager IPA project, Red Hat Inc. ------------------------------- Looking to carve out IT costs? www.redhat.com/carveoutcosts/ From davido at redhat.com Tue Feb 8 04:36:24 2011 
From: davido at redhat.com (David O'Brien) Date: Tue, 08 Feb 2011 14:36:24 +1000 Subject: [Freeipa-devel] [PATCH] 77 Update krbtpolicy doc to inform that restarting krb5kdc might be needed. In-Reply-To: <4D508806.7000108@redhat.com> References: <4D4FFA59.4080804@redhat.com> <4D500A5B.6000801@redhat.com> <4D508466.6010508@redhat.com> <4D508806.7000108@redhat.com> Message-ID: <4D50C848.9030209@redhat.com> Dmitri Pal wrote: > On 02/07/2011 06:46 PM, David O'Brien wrote: >> Jenny Galipeau wrote: >>> Pavel Zuna wrote: >>>> It seems that restarting krb5kdc is only needed when changes to the >>>> global policy are made. Per-user policies take effect immediately >>>> for newly requested tickets. Can someone please confirm? >>> Yes, in testing this is the behavior. If the help could specify that >>> a ipactl restart is required after global policy change, that would >>> be great. >>> Thanks >>> Jenny >>> >> Please raise a suitable bugzilla to get this included in the user doc. >> So far I only have doc about restarting IPA services after ipa >> krbtpolicy-reset. > > Isn't it the same thing? I took "changes" to mean using krbtpolicy-mod and any others, not just -reset, which is the info I received last time. > >> thanks >>>> Fix #844 >>>> >>>> Pavel >>>> ------------------------------------------------------------------------ >>>> >>>> >>>> _______________________________________________ >>>> Freeipa-devel mailing list >>>> Freeipa-devel at redhat.com >>>> https://www.redhat.com/mailman/listinfo/freeipa-devel >>> >> > > -- David O'Brien Red Hat Asia Pacific Pty Ltd +61 7 3514 8189 "He who asks is a fool for five minutes, but he who does not ask remains a fool forever." ~ Chinese proverb From jzeleny at redhat.com Tue Feb 8 11:48:26 2011 
From: jzeleny at redhat.com (Jan Zelený) Date: Tue, 8 Feb 2011 12:48:26 +0100 Subject: [Freeipa-devel] [PATCH] 702 add entitlement API In-Reply-To: <4D503C27.5090103@redhat.com> References: <4D503C27.5090103@redhat.com> Message-ID: <201102081248.26324.jzeleny@redhat.com> Rob Crittenden wrote: > The entitlement plugin was being skipped completely if the python-rhsm > package wasn't installed. We want to let it limp through if the package > isn't installed but we're doing API validation. > > ticket 919 > > rob Patch looks and applies ok, installation and subsequent behavior works as expected (both with and without python-rhsm package), validation as well. ACK Jan From pzuna at redhat.com Tue Feb 8 12:06:19 2011 From: pzuna at redhat.com (Pavel Zuna) Date: Tue, 08 Feb 2011 13:06:19 +0100 Subject: [Freeipa-devel] [PATCH] 78 Use ldapi: instead of unsecured ldap: in ipa core tools. Message-ID: <4D5131BB.6080400@redhat.com> The patch also corrects exception handling in some of the tools. Fix #874 Pavel -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pzuna-78-toolsldapi.patch Type: application/mbox Size: 11138 bytes Desc: not available URL: From jhrozek at redhat.com Tue Feb 8 13:28:06 2011
From: jhrozek at redhat.com (Jakub Hrozek) Date: Tue, 8 Feb 2011 14:28:06 +0100 Subject: [Freeipa-devel] [PATCH] 049 Make nsslib IPv6 aware In-Reply-To: <201102031423.11366.jzeleny@redhat.com> References: <20110202225932.GA28047@zeppelin.brq.redhat.com> <201102031423.11366.jzeleny@redhat.com> Message-ID: <20110208132805.GB16467@zeppelin.brq.redhat.com> On Thu, Feb 03, 2011 at 02:23:11PM +0100, Jan Zelený wrote: > Jakub Hrozek wrote: > > Hi, > > > > attached is a patch to nsslib.py that changes its semantics so > > it is able to work with different address families. It is the last piece > > of IPv6 support. > > > > Aside from the hunks in the patch, I still need to set Requires: in the > > patch (don't know the exact version yet). Also, the attached patch always > > tries IPv4 first and only falls back to IPv6. I think there should be a > > config option that tells IPA to prefer one of the address families or use > > it exclusively for performance reasons. > > > > Please note that the patch requires the latest changes to python-nss > > in order to work correctly. Since John is still working on python-nss > > packages, this patch should be treated as a preview and not pushed even > > if it is deemed OK. At this stage, I'd like to get at least the general > > approach and code reviewed so I can fix it tomorrow. > > > > Thank you, > > Jakub > > The patch looks ok, all my questions answered off-list. Also tested with IPv4 > (latest python-nss installed) and IPv6, both work fine. > > ACK > > Jan > Thanks for the review. But attached is a new version of the patch that changes the semantics a little based on what's recommended by the new version of python-nss: don't construct the NetworkAddress object manually, but rather resolve the hostname using the AddrInfo object and then try connecting to the list of NetworkAddress objects manually. -------------- next part -------------- From 6598d9dff9b2b29d004991b0d8a73fe5ea2efe1e Mon Sep 17 00:00:00 2001
From: Jakub Hrozek Date: Wed, 2 Feb 2011 13:57:16 +0100 Subject: [PATCH] Make nsslib IPv6 aware --- ipapython/nsslib.py | 108 +++++++++++++++++++++++++++++++++++++++++++-------- 1 files changed, 92 insertions(+), 16 deletions(-) diff --git a/ipapython/nsslib.py b/ipapython/nsslib.py index 129f1a0..3c42b61 100644 --- a/ipapython/nsslib.py +++ b/ipapython/nsslib.py @@ -21,12 +21,14 @@ import sys import httplib import getpass +import socket import logging from nss.error import NSPRError import nss.io as io import nss.nss as nss import nss.ssl as ssl +import nss.error as error def auth_certificate_callback(sock, check_sig, is_server, certdb): cert_is_valid = False 
@@ -113,11 +115,84 @@ def client_auth_data_callback(ca_names, chosen_nickname, password, certdb): return False return False -class NSSConnection(httplib.HTTPConnection): +class NSSAddressFamilyFallback(object): + def __init__(self, family): + self.sock_family = family + self.family = self._get_nss_family(self.sock_family) + + def _get_nss_family(self, sock_family): + """ + Translate a family from python socket module to nss family. + """ + if sock_family in [ socket.AF_INET, socket.AF_UNSPEC ]: + return io.PR_AF_INET + elif sock_family == socket.AF_INET6: + return io.PR_AF_INET6 + else: + raise ValueError('Uknown socket family %d\n', sock_family) + + def _get_next_family(self): + if self.sock_family == socket.AF_UNSPEC and \ + self.family == io.PR_AF_INET: + return io.PR_AF_INET6 + + return None + + def _create_socket(self): + self.sock = io.Socket(family=self.family) + + def _connect_socket_family(self, host, port, family): + logging.debug("connect_socket_family: host=%s port=%s family=%s", + host, port, io.addr_family_name(family)) + try: + addr_info = [ ai for ai in io.AddrInfo(host) if ai.family == family ] + # No suitable families + if len(addr_info) == 0: + raise NSPRError(error.PR_ADDRESS_NOT_SUPPORTED_ERROR, + "Cannot resolve %s using family %s" % (host, io.addr_family_name(family))) + + # Try connecting to the NetworkAddresses + for net_addr in addr_info: + net_addr.port = port + logging.debug("connecting: %s", net_addr) + try: + self.sock.connect(net_addr, family) + except Exception, e: + logging.debug("Could not connect socket to %s, error: %s, retrying..", + net_addr, str(e)) + continue + else: + return + + # Could not connect with any of NetworkAddresses + raise NSPRError(error.PR_ADDRESS_NOT_SUPPORTED_ERROR, + "Could not connect to %s using any address" % host) + except ValueError, e: + raise NSPRError(error.PR_ADDRESS_NOT_SUPPORTED_ERROR, e.message) + + def connect_socket(self, host, port): + try: + self._connect_socket_family(host, port, 
self.family) + except NSPRError, e: + if e.errno == error.PR_ADDRESS_NOT_SUPPORTED_ERROR: + next_family = self._get_next_family() + if next_family: + self.family = next_family + self._create_socket() + self._connect_socket_family(host, port, self.family) + else: + logging.debug('No next family to try..') + raise e + else: + raise e + +class NSSConnection(httplib.HTTPConnection, NSSAddressFamilyFallback): default_port = httplib.HTTPSConnection.default_port - def __init__(self, host, port=None, strict=None, dbdir=None): + def __init__(self, host, port=None, strict=None, + dbdir=None, family=socket.AF_UNSPEC): httplib.HTTPConnection.__init__(self, host, port, strict) + NSSAddressFamilyFallback.__init__(self, family) if not dbdir: raise RuntimeError("dbdir is required") @@ -130,10 +205,12 @@ class NSSConnection(httplib.HTTPConnection): nss.nss_init(dbdir) ssl.set_domestic_policy() nss.set_password_callback(self.password_callback) + self._create_socket() + def _create_socket(self): # Create the socket here so we can do things like let the caller # override the NSS callbacks - self.sock = ssl.SSLSocket() + self.sock = ssl.SSLSocket(family=self.family) self.sock.set_ssl_option(ssl.SSL_SECURITY, True) self.sock.set_ssl_option(ssl.SSL_HANDSHAKE_AS_CLIENT, True) @@ -142,7 +219,8 @@ class NSSConnection(httplib.HTTPConnection): # Provide a callback to verify the servers certificate self.sock.set_auth_certificate_callback(auth_certificate_callback, - nss.get_default_certdb()) + nss.get_default_certdb()) + self.sock.set_hostname(self.host) def password_callback(self, slot, retry, password): if not retry and password: return password 
@@ -156,11 +234,7 @@ class NSSConnection(httplib.HTTPConnection): pass def connect(self): - logging.debug("connect: host=%s port=%s", self.host, self.port) - self.sock.set_hostname(self.host) - net_addr = io.NetworkAddress(self.host, self.port) - logging.debug("connect: %s", net_addr) - self.sock.connect(net_addr) + self.connect_socket(self.host, self.port) def endheaders(self, message=None): """ @@ -206,20 +280,22 @@ class NSSHTTPS(httplib.HTTP): port = None self._setup(self._connection_class(host, port, strict, dbdir=dbdir)) -class NSPRConnection(httplib.HTTPConnection): +class NSPRConnection(httplib.HTTPConnection, NSSAddressFamilyFallback): default_port = httplib.HTTPConnection.default_port - def __init__(self, host, port=None, strict=None): + def __init__(self, host, port=None, strict=None, family=socket.AF_UNSPEC): httplib.HTTPConnection.__init__(self, host, port, strict) + NSSAddressFamilyFallback.__init__(self, family) logging.debug('%s init %s', self.__class__.__name__, host) + self._create_socket() + + def _create_socket(self): + super(NSPRConnection, self)._create_socket() + self.sock.set_hostname(self.host) - self.sock = io.Socket() def connect(self): - logging.debug("connect: host=%s port=%s", self.host, self.port) - net_addr = io.NetworkAddress(self.host, self.port) - logging.debug("connect: %s", net_addr) - self.sock.connect(net_addr) + self.connect_socket(self.host, self.port) class NSPRHTTP(httplib.HTTP): _http_vsn = 11 -- 1.7.4 From pzuna at redhat.com Tue Feb 8 13:33:26 2011 
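Review bot: in the imports hunk, `import nss.error as error` brings in the same module that `from nss.error import NSPRError` already imports one line above; the one constant this patch needs could be added to that existing line (`from nss.error import NSPRError, PR_ADDRESS_NOT_SUPPORTED_ERROR`) instead of binding the generic name `error` at module scope, where it is easy to shadow with a local variable. Style only.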
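Review bot: in the `NSSAddressFamilyFallback` hunk, `raise ValueError('Uknown socket family %d\n', sock_family)` passes the family as a second exception argument rather than formatting it (the `%d` is never substituted) and misspells "Unknown"; `raise ValueError('Unknown socket family %d' % sock_family)` is what was meant. In the same hunk, `_connect_socket_family` catches bare `Exception` for every address and then reports the aggregate failure as `PR_ADDRESS_NOT_SUPPORTED_ERROR`, so a host whose IPv4 address resolves but refuses the connection becomes indistinguishable from a host with no IPv4 address, and the original error text is gone by the time `connect_socket` gives up; keeping the last exception and including it in the final `NSPRError` message, and using a bare `raise` instead of `raise e` so the traceback survives, would make failures diagnosable. Two smaller points: `connect_socket` calls `_create_socket()` for the next family without closing the socket from the first attempt, leaking a descriptor per fallback, and the second positional argument in `self.sock.connect(net_addr, family)` should be checked against the python-nss signature, since the `NetworkAddress` already carries its family and the parameter after the address in `Socket.connect()` is the timeout.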
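Review bot: in the `NSSConnection._create_socket` hunk, the re-indentation of the `nss.get_default_certdb()` continuation line is whitespace-only and unrelated to the change; dropping it keeps the diff to the IPv6 work. Moving `self.sock.set_hostname(self.host)` into `_create_socket` is the right call, since that is what guarantees the hostname check is re-applied to the replacement `SSLSocket` created during family fallback; a one-line comment saying so would stop a later cleanup from moving it back into `connect()`.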
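Review bot: in the `NSPRConnection` hunk, `_create_socket` now calls `self.sock.set_hostname(self.host)` on the plain `io.Socket` produced by `NSSAddressFamilyFallback._create_socket`; before this patch only `NSSConnection` set a hostname, and it did so on an `ssl.SSLSocket`, so please confirm that `nss.io.Socket` exposes `set_hostname()` or the first plain HTTP connection will fail with `AttributeError`. Also, `super(NSPRConnection, self)._create_socket()` only lands on `NSSAddressFamilyFallback` because `httplib.HTTPConnection` defines no `_create_socket`; a short comment stating that intent would help the next reader of the MRO.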
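The connect strategy Jakub describes above (resolve the host, keep the addresses of the family being tried, attempt each one, fall back to the next family) as an added example in Python 3 against the standard socket module rather than python-nss. This is not code from the patch or from FreeIPA; the names connect_with_fallback, connect_family, resolve_family, FamilyConnectError and local_listener are this example's own, and the loopback listener is constructed so the block runs offline. It goes slightly beyond the patch in two places a reviewer would ask for: each address's real error is kept and reported, and a socket whose connect failed is closed before the next attempt.

```python
"""Address-family fallback for a TCP connect: resolve the host, keep the
addresses of the family being tried, attempt each one, and only move on to
the next family when that family yields no connection. Standard-library
socket, Python 3; the names below are this example's own, not FreeIPA's."""
import socket

# Families tried, in order, for each family a caller may request.
# AF_UNSPEC means "IPv4 first, then IPv6", the same order the patch uses.
FAMILY_ORDER = {
    socket.AF_UNSPEC: (socket.AF_INET, socket.AF_INET6),
    socket.AF_INET: (socket.AF_INET,),
    socket.AF_INET6: (socket.AF_INET6,),
}


class FamilyConnectError(OSError):
    """No address of any permitted family accepted the connection.
    `failures` keeps each (sockaddr, exception) pair so the caller sees the
    real cause (refused, timed out, unreachable) instead of a generic
    'address not supported'."""

    def __init__(self, host, port, failures):
        self.failures = list(failures)
        detail = "; ".join("%s: %s" % (addr, err) for addr, err in self.failures)
        super().__init__("could not connect to %s:%s (%s)"
                         % (host, port, detail or "no addresses of the requested family"))


def resolve_family(host, port, family):
    """Socket addresses of host:port restricted to one family; an empty list,
    not an exception, when nothing of that family resolves."""
    try:
        infos = socket.getaddrinfo(host, port, family, socket.SOCK_STREAM)
    except socket.gaierror:
        return []
    return [info[4] for info in infos if info[0] == family]


def connect_family(host, port, family, timeout=5.0):
    """Try every address of one family. Returns (socket, sockaddr) on the
    first success; raises FamilyConnectError listing every failed address.
    A socket whose connect failed is closed before the next attempt, so a
    later fallback to another family does not leak descriptors."""
    failures = []
    for addr in resolve_family(host, port, family):
        sock = socket.socket(family, socket.SOCK_STREAM)
        sock.settimeout(timeout)
        try:
            sock.connect(addr)
            return sock, addr
        except OSError as err:
            sock.close()
            failures.append((addr, err))
    raise FamilyConnectError(host, port, failures)


def connect_with_fallback(host, port, family=socket.AF_UNSPEC, timeout=5.0):
    """Connect using the families permitted by `family`, in FAMILY_ORDER.
    Failures from every family tried are accumulated into the final error."""
    if family not in FAMILY_ORDER:
        raise ValueError("unknown socket family %r" % (family,))
    failures = []
    for fam in FAMILY_ORDER[family]:
        try:
            return connect_family(host, port, fam, timeout)
        except FamilyConnectError as err:
            failures.extend(err.failures)
    raise FamilyConnectError(host, port, failures)


def local_listener():
    """Constructed helper: a throwaway IPv4 listener on an ephemeral loopback
    port so the example runs without any network access."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    return srv, srv.getsockname()[1]


if __name__ == "__main__":
    listener, port = local_listener()
    client, via = connect_with_fallback("127.0.0.1", port)
    print("connected via", via)
    client.close()
    listener.close()
    try:
        connect_with_fallback("127.0.0.1", port)
    except FamilyConnectError as err:
        print("after the listener is gone:", err)
```

When run, the first call connects over IPv4 on the loopback listener; the second call, made after the listener is closed, fails on IPv4 with the refused-connection error, finds no IPv6 address for 127.0.0.1, and raises FamilyConnectError whose message still names the address and the refusal, which is the diagnostic the patch's single PR_ADDRESS_NOT_SUPPORTED_ERROR would hide.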
From: pzuna at redhat.com (Pavel Zuna) Date: Tue, 08 Feb 2011 14:33:26 +0100 Subject: [Freeipa-devel] [PATCH] 73 Update config doc to reflect that 0 is not allowed for search time limit. In-Reply-To: <4D5081A3.5080908@redhat.com> References: <4D4FDBC7.5010402@redhat.com> <4D5081A3.5080908@redhat.com> Message-ID: <4D514626.8060100@redhat.com> On 02/08/2011 12:34 AM, David O'Brien wrote: > Pavel Zuna wrote: >> Fix #837 >> >> Pavel >> > /me hesitantly asks... > Doesn't this mean that "1" is illegal? > > doc=_('Max. amount of time (sec.) for a search (> 1 or -1 for unlimited)'), > > Neither is there any mention of zero being illegal. It may be implicit > or self-evident, but I don't rely on that in doc. I'd be inclined to > change it to (> 0, or -1 for unlimited) but remember, I'm not a coder :) > > cheers > You're right. :) Fixed version attached. Pavel -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pzuna-73-2-configdoc.patch Type: application/mbox Size: 1391 bytes Desc: not available URL: From jhrozek at redhat.com Tue Feb 8 13:47:10 2011 
From: jhrozek at redhat.com (Jakub Hrozek) Date: Tue, 8 Feb 2011 14:47:10 +0100 Subject: [Freeipa-devel] [PATCH] 72 Set minimum for Kerberos policy max life and max renew In-Reply-To: <4D4FEF50.50300@redhat.com> References: <4D4FC5E4.6040808@redhat.com> <20110207121015.GA5695@zeppelin.brq.redhat.com> <4D4FEF50.50300@redhat.com> Message-ID: <20110208134710.GA19184@zeppelin.brq.redhat.com> On Mon, Feb 07, 2011 at 02:10:40PM +0100, Pavel Zuna wrote: > On 02/07/2011 01:10 PM, Jakub Hrozek wrote: > >On Mon, Feb 07, 2011 at 11:13:56AM +0100, Pavel Zuna wrote: > >>Fix #847 > >> > >>Pavel > > > > > >>_______________________________________________ > >>Freeipa-devel mailing list > >>Freeipa-devel at redhat.com > >>https://www.redhat.com/mailman/listinfo/freeipa-devel > > > >Nack, please update API.txt > > > > Forgot about that, sorry. > > Version with updated API.txt attached. > > Pavel Ack From rcritten at redhat.com Tue Feb 8 15:12:27 2011 From: rcritten at redhat.com (Rob Crittenden) Date: Tue, 08 Feb 2011 10:12:27 -0500 Subject: [Freeipa-devel] [PATCH] 703 389-ds startup with krb config Message-ID: <4D515D5B.9080800@redhat.com> If /etc/krb5.conf doesn't exist or contains no default kerberos realm then 389-ds won't start at all. This is a problem during installation because we configure 389 first. This patch will let the server come up, you just won't be able to do any joins or password changes until you configure kerberos. ticket 606 rob -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-rcrit-703-startup.patch Type: application/mbox Size: 4708 bytes Desc: not available URL: From rcritten at redhat.com Tue Feb 8 15:28:59 2011 
From: rcritten at redhat.com (Rob Crittenden) Date: Tue, 08 Feb 2011 10:28:59 -0500 Subject: [Freeipa-devel] [PATCH] 77 Update krbtpolicy doc to inform that restarting krb5kdc might be needed. In-Reply-To: <4D50C848.9030209@redhat.com> References: <4D4FFA59.4080804@redhat.com> <4D500A5B.6000801@redhat.com> <4D508466.6010508@redhat.com> <4D508806.7000108@redhat.com> <4D50C848.9030209@redhat.com> Message-ID: <4D51613B.50708@redhat.com> David O'Brien wrote: > Dmitri Pal wrote: >> On 02/07/2011 06:46 PM, David O'Brien wrote: >>> Jenny Galipeau wrote: >>>> Pavel Zuna wrote: >>>>> It seems that restarting krb5kdc is only needed when changes to the >>>>> global policy are made. Per-user policies take effect immediately >>>>> for newly requested tickets. Can someone please confirm? >>>> Yes, in testing this is the behavior. If the help could specify that >>>> a ipactl restart is required after global policy change, that would >>>> be great. >>>> Thanks >>>> Jenny >>>> >>> Please raise a suitable bugzilla to get this included in the user doc. >>> So far I only have doc about restarting IPA services after ipa >>> krbtpolicy-reset. >> >> Isn't it the same thing? > > I took "changes" to mean using krbtpolicy-mod and any others, not just > -reset, which is the info I received last time. The bottom line is that any change to the global Kerberos ticket policy requires a restart of the KDC to see the changes (/sbin/service krb5kdc restart). IMHO restarting the entire IPA world for this is overkill. rob From jcholast at redhat.com Tue Feb 8 17:30:42 2011 
From: jcholast at redhat.com (Jan Cholasta) Date: Tue, 08 Feb 2011 18:30:42 +0100 Subject: [Freeipa-devel] [PATCH] 1 Remove unnecessary BuildRequires Message-ID: <4D517DC2.8050402@redhat.com> Removed 2 unnecessary BuildRequires from freeipa.spec.in: * e2fsprogs-devel: obsoleted by libuuid-devel * libcap-devel: not needed to build the RPM -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-jcholast-1-buildrequires.patch Type: text/x-patch Size: 461 bytes Desc: not available URL: From jcholast at redhat.com Tue Feb 8 17:39:05 2011 From: jcholast at redhat.com (Jan Cholasta) Date: Tue, 08 Feb 2011 18:39:05 +0100 Subject: [Freeipa-devel] [PATCH] 1 Remove unnecessary BuildRequires In-Reply-To: <4D517DC2.8050402@redhat.com> References: <4D517DC2.8050402@redhat.com> Message-ID: <4D517FB9.9040508@redhat.com> Fixing newbie mistake: included properly formatted patch. It was tested in mock. On 8.2.2011 18:30, Jan Cholasta wrote: > Removed 2 unnecessary BuildRequires from freeipa.spec.in: > > * e2fsprogs-devel: obsoleted by libuuid-devel > * libcap-devel: not needed to build the RPM > -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-jcholast-1-buildrequires.patch Type: text/x-patch Size: 774 bytes Desc: not available URL: From nalin at redhat.com Tue Feb 8 22:15:49 2011
From: nalin at redhat.com (Nalin Dahyabhai) Date: Tue, 8 Feb 2011 17:15:49 -0500 Subject: [Freeipa-devel] [PATCH] drop the group.upg NIS map Message-ID: <20110208221549.GC31444@redhat.com> The group.upg NIS map was an experiment in providing UPG groups dynamically, and is not one of the maps that I'd ever expect a NIS client to "know" to search. We should probably just drop it. --- install/share/nis.uldif | 12 ------------ 1 files changed, 0 insertions(+), 12 deletions(-) diff --git a/install/share/nis.uldif b/install/share/nis.uldif index f23b49e..639c88a 100644 --- a/install/share/nis.uldif +++ b/install/share/nis.uldif @@ -45,18 +45,6 @@ default:nis-map: group.bygid default:nis-base: cn=groups, cn=accounts, $SUFFIX default:nis-secure: no -dn: nis-domain=$DOMAIN+nis-map=group.upg, cn=NIS Server, cn=plugins, cn=config -default:objectclass: top -default:objectclass: extensibleObject -default:nis-domain: $DOMAIN -default:nis-map: group.upg -default:nis-base: cn=users, cn=accounts, $SUFFIX -default:nis-filter: (objectclass=posixAccount) -default:nis-key-format: %{uid} -default:nis-value-format: %{uid}:*:%{gidNumber}:%{uid} -default:nis-secure: no -default:nis-disallowed-chars: :, - dn: nis-domain=$DOMAIN+nis-map=netid.byname, cn=NIS Server, cn=plugins, cn=config default:objectclass: top default:objectclass: extensibleObject -- 1.7.4 From edewata at redhat.com Tue Feb 8 22:59:33 2011 
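Review bot: the hunk removes the `group.upg` map only from the install-time template `install/share/nis.uldif` (note the `$DOMAIN` and `$SUFFIX` placeholders), so servers that are already installed keep the `nis-domain=$DOMAIN+nis-map=group.upg, cn=NIS Server, cn=plugins, cn=config` entry and go on serving the map after an upgrade; if the intent in the commit message is to drop the map everywhere, an update step that deletes that entry on existing servers is needed, or the message should say the removal is for new installs only. The deletion itself is clean: the blank line following the entry goes with it, so the `group.bygid` and `netid.byname` entries remain separated by a single blank line.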
From: edewata at redhat.com (Endi Sukma Dewata) Date: Tue, 08 Feb 2011 16:59:33 -0600 Subject: [Freeipa-devel] [PATCH] Moved add dialog into search facet. Message-ID: <4D51CAD5.8070900@redhat.com> Previously the add dialog is added into entity. The dialog is only used by the search facet, so it's now moved into the search facet. -- Endi S. Dewata -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-edewata-0098-Moved-add-dialog-into-search-facet.patch Type: text/x-patch Size: 41966 bytes Desc: not available URL: From davido at redhat.com Wed Feb 9 02:21:33 2011 From: davido at redhat.com (David O'Brien) Date: Wed, 09 Feb 2011 12:21:33 +1000 Subject: [Freeipa-devel] [PATCH] 73 Update config doc to reflect that 0 is not allowed for search time limit. In-Reply-To: <4D514626.8060100@redhat.com> References: <4D4FDBC7.5010402@redhat.com> <4D5081A3.5080908@redhat.com> <4D514626.8060100@redhat.com> Message-ID: <4D51FA2D.1050207@redhat.com> Pavel Zuna wrote: > On 02/08/2011 12:34 AM, David O'Brien wrote: >> Pavel Zuna wrote: >>> Fix #837 >>> >>> Pavel >>> >> /me hesitantly asks... >> Doesn't this mean that "1" is illegal? >> >> doc=_('Max. amount of time (sec.) for a search (> 1 or -1 for >> unlimited)'), >> >> Neither is there any mention of zero being illegal. It may be implicit >> or self-evident, but I don't rely on that in doc. I'd be inclined to >> change it to (> 0, or -1 for unlimited) but remember, I'm not a coder :) >> >> cheers >> > > You're right. :) > > Fixed version attached. > > Pavel my ACK -- David O'Brien Red Hat Asia Pacific Pty Ltd +61 7 3514 8189 "He who asks is a fool for five minutes, but he who does not ask remains a fool forever." ~ Chinese proverb From davido at redhat.com Wed Feb 9 02:30:21 2011 
From: davido at redhat.com (David O'Brien) Date: Wed, 09 Feb 2011 12:30:21 +1000 Subject: [Freeipa-devel] [PATCH] 77 Update krbtpolicy doc to inform that restarting krb5kdc might be needed. In-Reply-To: <4D51613B.50708@redhat.com> References: <4D4FFA59.4080804@redhat.com> <4D500A5B.6000801@redhat.com> <4D508466.6010508@redhat.com> <4D508806.7000108@redhat.com> <4D50C848.9030209@redhat.com> <4D51613B.50708@redhat.com> Message-ID: <4D51FC3D.4090808@redhat.com> Rob Crittenden wrote: > David O'Brien wrote: >> Dmitri Pal wrote: >>> On 02/07/2011 06:46 PM, David O'Brien wrote: >>>> Jenny Galipeau wrote: >>>>> Pavel Zuna wrote: >>>>>> It seems that restarting krb5kdc is only needed when changes to the >>>>>> global policy are made. Per-user policies take effect immediately >>>>>> for newly requested tickets. Can someone please confirm? >>>>> Yes, in testing this is the behavior. If the help could specify that >>>>> a ipactl restart is required after global policy change, that would >>>>> be great. >>>>> Thanks >>>>> Jenny >>>>> >>>> Please raise a suitable bugzilla to get this included in the user doc. >>>> So far I only have doc about restarting IPA services after ipa >>>> krbtpolicy-reset. >>> >>> Isn't it the same thing? >> >> I took "changes" to mean using krbtpolicy-mod and any others, not just >> -reset, which is the info I received last time. > > The bottom line is that any change to the global Kerberos ticket policy > requires a restart of the KDC to see the changes (/sbin/service krb5kdc > restart). IMHO restarting the entire IPA world for this is overkill. > > rob ok, so we're still talking about any changes to the global ticket policy, not just using ipa krbtpolicy-reset, which is what I had before. I'll update this bit and just recommend krb5kdc restart like you say. cheers -- David O'Brien Red Hat Asia Pacific Pty Ltd +61 7 3514 8189 "He who asks is a fool for five minutes, but he who does not ask remains a fool forever." 
~ Chinese proverb From ayoung at redhat.com Wed Feb 9 03:10:16 2011 From: ayoung at redhat.com (Adam Young) Date: Tue, 08 Feb 2011 22:10:16 -0500 Subject: [Freeipa-devel] Hosts, A recs, and AAAA recs Message-ID: <4D520598.1000809@redhat.com> The current process to add a host today is: Create an A record run add host We have --force which will allow us to add the host even if the A record doesn't exist, but do we have a way to say, add this host, A record, and AAAA record all at the same time? From a cloud perspective, it seems like we are going to get a lot of short lived VMs that will need all three at once. I can see a work flow like this: User requests a number of VMs. VMs get clones from templates and spun up VMs get IP address from DHCP server. DHCP server notifies IPA server of new hosts IPA server adds host entries, A and AAAA records VM runs ipa-client install as part of firstboot The IPA server might even get notified earlier. I could see the cloud provider pushing the info to ipa prior to cloning the VM. How would we go about doing that today? From rcritten at redhat.com Wed Feb 9 03:27:57 2011 
From: rcritten at redhat.com (Rob Crittenden) Date: Tue, 08 Feb 2011 22:27:57 -0500 Subject: [Freeipa-devel] [PATCH] 704 replication version plugin fix Message-ID: <4D5209BD.8020704@redhat.com> The 389-ds replication plugin may not be installed on all platforms and our replication version plugin will cause 389-ds to not start if it is loaded and the replication plugin is not. So disable by default. When a replica is prepared we check for the replication plugin. If it exists we will enable the replication version plugin. Likewise on installation of a replica we check for existence of the replication plugin and if it is there then we enable the version plugin before replication begins. ticket 918 rob -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-rcrit-704-replication.patch Type: application/mbox Size: 4900 bytes Desc: not available URL: From rcritten at redhat.com Wed Feb 9 04:12:12 2011 From: rcritten at redhat.com (Rob Crittenden) Date: Tue, 08 Feb 2011 23:12:12 -0500 Subject: [Freeipa-devel] [PATCH] 705 make main selfservice aci visible Message-ID: <4D52141C.4030206@redhat.com> The main aci that grants users the ability to manage themselves wasn't visible to the selfservice plugin. Move the location of the aci and fix the description. ticket 934 rob -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-rcrit-705-aci.patch Type: application/mbox Size: 2145 bytes Desc: not available URL: From ssorce at redhat.com Wed Feb 9 04:30:29 2011 
From: ssorce at redhat.com (Simo Sorce) Date: Tue, 8 Feb 2011 23:30:29 -0500 Subject: [Freeipa-devel] Hosts, A recs, and AAAA recs In-Reply-To: <4D520598.1000809@redhat.com> References: <4D520598.1000809@redhat.com> Message-ID: <20110208233029.1be85f2f@willson.li.ssimo.org> On Tue, 08 Feb 2011 22:10:16 -0500 Adam Young wrote: > The current process to add a host today is: > > Create an A record > run add host > > We have --force which will allow us to add the host even if the A > record doesn't exist, but do we have a way to say, add this host, A > record, and AAAA record all at the same time? > > > From a cloud perspective, it seems like we are going to get a lot of > short lived VMs that will need all three at once. I can see a work > flow like this: > > > User requests a number of VMs. > VMs get clones from templates and spun up > VMs get IP address from DHCP server. > DHCP server notifies IPA server of new hosts What do you mean by this ^^^^ ? Do you want to give the DHCP server the power to perform DNS updates ? Can be done although I am not sure DHCP Servers know how to do GSS-TSIG protected updates, we may have to open up DNS access control to accept everything from the DHCP Server. > IPA server adds host entries, A and AAAA records Host entries must be added by the cloud engine as it needs to set the enrollment password it passes down to the VM. > VM runs ipa-client install as part of firstboot ipa-client-install could also add DNS records, but there is a credential problem if it is an automated process. > The IPA server might even get notified earlier. I could see the > cloud provider pushing the info to ipa prior to cloning the VM. This might be a better choice as long as the cloud provider can also change the DHCP configuration to assign the right IP address to the VMs using the MAC address. > How would we go about doing that today? I think we are missing the part that creates the VMs yet, so ... Simo. 
-- Simo Sorce * Red Hat, Inc * New York From jzeleny at redhat.com Wed Feb 9 09:23:27 2011 
From: jzeleny at redhat.com (Jan =?iso-8859-15?q?Zelen=FD?=) Date: Wed, 9 Feb 2011 10:23:27 +0100 Subject: [Freeipa-devel] [PATCH] 049 Make nsslib IPv6 aware In-Reply-To: <20110208132805.GB16467@zeppelin.brq.redhat.com> References: <20110202225932.GA28047@zeppelin.brq.redhat.com> <201102031423.11366.jzeleny@redhat.com> <20110208132805.GB16467@zeppelin.brq.redhat.com> Message-ID: <201102091023.27755.jzeleny@redhat.com> Jakub Hrozek wrote: > On Thu, Feb 03, 2011 at 02:23:11PM +0100, Jan Zelen? wrote: > > Jakub Hrozek wrote: > > > Hi, > > > > > > attached is a patch to nsslib.py that changes its semantics so > > > it is able to work with different address families. It is the last > > > piece of IPv6 support. > > > > > > Aside from the hunks in the patch, I still need to set Requires: in the > > > patch (don't know the exact version yet). Also, the attached patch > > > always tries IPv4 first and only falls back to IPv6. I think there > > > should be a config option that tells IPA to prefer one of the address > > > families or use it exclusively for performance reasons. > > > > > > Please note that the patch requires the latest changes to python-nss > > > in order to work correctly. Since John is still working on python-nss > > > packages, this patch should be treated as a preview and not pushed even > > > if it is deemed OK. At this stage, I'd like to get at least the general > > > approach and code reviewed so I can fix it tomorrow. > > > > > > Thank you, > > > > > > Jakub > > > > The patch looks ok, all my questions answered off-list. Also tested with > > IPv4 (latest python-nss installed) and IPv6, both work fine. > > > > ACK > > > > Jan > > Thanks for the review. 
But attached is a new version of the patch that > changes the semantics a little based on what's recommended by the new > version of python-nss: don't construct the NetworkAddress object > manually, but rather resolve the hostname using the AddrInfo object and > then try connecting to the list of NetworkAddress objects manually. Changes consulted off-list, the patch looks good. Will do some more testing on RHEL6. Unless I find some issues, this patch is ACKed. Jan From mkosek at redhat.com Wed Feb 9 09:23:27 2011 
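The resolve-then-iterate approach the thread settles on, plus the "prefer one address family or use it exclusively" option Jakub asks for, as an added example that is not FreeIPA's nsslib.py and not python-nss code. It uses the standard library's socket.getaddrinfo as a stand-in for python-nss's AddrInfo/NetworkAddress (an assumption made so it runs anywhere), and the candidate addresses are constructed from documentation ranges, not real hosts.

```python
"""Resolve once, then try every returned address in a configurable order.

Added example, not FreeIPA's nsslib.py and not python-nss: the standard
library's socket.getaddrinfo stands in for python-nss's AddrInfo (an
assumption made so the code runs anywhere). Sample addresses are
constructed from the RFC 5737 / RFC 3849 documentation ranges.
"""
import socket
from typing import Callable, Iterable, List, Tuple

Addr = Tuple[int, tuple]  # (address family, sockaddr as getaddrinfo returns it)

# Constructed candidates, as one lookup might return them for a single hostname.
SAMPLE_V4: Addr = (socket.AF_INET, ("192.0.2.10", 636))
SAMPLE_V6: Addr = (socket.AF_INET6, ("2001:db8::10", 636, 0, 0))


def order_addresses(addrs: Iterable[Addr], prefer: str = "ipv4",
                    only: bool = False) -> List[Addr]:
    """Order candidates by the preferred family; drop the other family if only=True."""
    if prefer not in ("ipv4", "ipv6"):
        raise ValueError("prefer must be 'ipv4' or 'ipv6'")
    want = socket.AF_INET if prefer == "ipv4" else socket.AF_INET6
    preferred = [a for a in addrs if a[0] == want]
    others = [a for a in addrs if a[0] != want]
    return preferred if only else preferred + others


def resolve(host: str, port: int) -> List[Addr]:
    """One lookup covering all families; no hand-built per-family address objects."""
    return [(family, sockaddr)
            for family, _type, _proto, _canon, sockaddr
            in socket.getaddrinfo(host, port, 0, socket.SOCK_STREAM)]


def connect_first(addrs: Iterable[Addr],
                  connector: Callable[[int, tuple], object]) -> Tuple[object, Addr]:
    """Try each candidate in order; return (connection, address) for the first
    that succeeds, or re-raise the last error once every candidate has failed."""
    last_err: Exception = OSError("no addresses to try")
    for family, sockaddr in addrs:
        try:
            return connector(family, sockaddr), (family, sockaddr)
        except OSError as err:
            last_err = err  # remember why, then fall through to the next candidate
    raise last_err


def tcp_connector(family: int, sockaddr: tuple, timeout: float = 5.0) -> socket.socket:
    """Plain TCP connect; real code would hand this socket to NSS for TLS."""
    sock = socket.socket(family, socket.SOCK_STREAM)
    sock.settimeout(timeout)
    try:
        sock.connect(sockaddr)
    except OSError:
        sock.close()
        raise
    return sock


if __name__ == "__main__":
    # Offline demo with a fake connector on a host that has no IPv6 route.
    def no_v6(family, sockaddr):
        if family == socket.AF_INET6:
            raise OSError("network unreachable")
        return "connected"

    conn, used = connect_first(order_addresses([SAMPLE_V6, SAMPLE_V4], prefer="ipv6"), no_v6)
    print(conn, used)  # IPv6 is tried first and fails, IPv4 is used
```

The fallback is the whole point: with prefer="ipv6" and only=False a host without IPv6 connectivity still ends up on the IPv4 address, while only=True turns the preference into a hard requirement and surfaces the failure instead of silently downgrading.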
From: mkosek at redhat.com (Martin Kosek) Date: Wed, 09 Feb 2011 10:23:27 +0100 Subject: [Freeipa-devel] [PATCH] 025 Detection of v1 server during ipa-client-install In-Reply-To: <201102040905.32981.jzeleny@redhat.com> References: <1296750811.6407.0.camel@dhcp-25-52.brq.redhat.com> <201102040905.32981.jzeleny@redhat.com> Message-ID: <1297243407.3003.9.camel@dhcp-25-52.brq.redhat.com> On Fri, 2011-02-04 at 09:05 +0100, Jan Zelen? wrote: > Martin Kosek wrote: > > When v2 IPA client is trying to join an IPA v1 server > > a strange exception is printed out to the user. This patch > > detects this by catching an XML-RPC error reported by ipa-join > > binary called in the process which fails on the non-existent IPA server > > 'join' method. > > > > wget call had to be changed so that IPA client may get to the > > ipa-join step. --no-check-certificate had to be added as V1 > > server automatically redirects the request to self-signed secure > > connection. > > > > https://fedorahosted.org/freeipa/ticket/553 > > The patch is ok and applies correctly. My only thought was to download the > certificate directly from https://..../ca.crt instead of plain http, but there > is probably no real benefit. > > ack > > Jan Jan, thanks for the review. And yes, I could not see a benefit either. Since the IPA server certificate is not confidential information the secure connection is not needed. And since we do not trust the server's certificate in this step of installation and --no-check-certificate is used, a secure connection would not be used for server identity validation either. Therefore, I would ask for the patch to be pushed. Martin From mkosek at redhat.com Wed Feb 9 10:00:46 2011 
From: mkosek at redhat.com (Martin Kosek) Date: Wed, 09 Feb 2011 11:00:46 +0100 Subject: [Freeipa-devel] [PATCH] 026 HBAC plugin inconsistent output In-Reply-To: <201102071038.07391.jzeleny@redhat.com> References: <1296824925.7595.8.camel@dhcp-25-52.brq.redhat.com> <201102071038.07391.jzeleny@redhat.com> Message-ID: <1297245646.3003.12.camel@dhcp-25-52.brq.redhat.com> On Mon, 2011-02-07 at 10:38 +0100, Jan Zelen? wrote: > Martin Kosek wrote: > > This patch adds a proper summary text to HBAC command which is > > then printed out in CLI. Now, HBAC plugin output is consistent > > with other plugins. > > > > https://fedorahosted.org/freeipa/ticket/596 > > I believe API.txt should be updated (you change hbacrule_enable and > hbacrule_disable return values), so NACK for now. > > Jan Patch has been rebased, API.txt updated along with some minor changes to achieve consistency between HBAC plugins. All tests pass. Martin -------------- next part -------------- A non-text attachment was scrubbed... Name: mkosek-freeipa-026-02-hbac-plugin-inconsistent-output.patch Type: text/x-patch Size: 10940 bytes Desc: not available URL: From jzeleny at redhat.com Wed Feb 9 11:36:45 2011 
From: jzeleny at redhat.com (Jan =?iso-8859-15?q?Zelen=FD?=) Date: Wed, 9 Feb 2011 12:36:45 +0100 Subject: [Freeipa-devel] [PATCH] 026 HBAC plugin inconsistent output In-Reply-To: <1297245646.3003.12.camel@dhcp-25-52.brq.redhat.com> References: <1296824925.7595.8.camel@dhcp-25-52.brq.redhat.com> <201102071038.07391.jzeleny@redhat.com> <1297245646.3003.12.camel@dhcp-25-52.brq.redhat.com> Message-ID: <201102091236.45877.jzeleny@redhat.com> Martin Kosek wrote: > On Mon, 2011-02-07 at 10:38 +0100, Jan Zelen? wrote: > > Martin Kosek wrote: > > > This patch adds a proper summary text to HBAC command which is > > > then printed out in CLI. Now, HBAC plugin output is consistent > > > with other plugins. > > > > > > https://fedorahosted.org/freeipa/ticket/596 > > > > I believe API.txt should be updated (you change hbacrule_enable and > > hbacrule_disable return values), so NACK for now. > > > > Jan > > Patch has been rebased, API.txt updated along with some minor changes to > achieve consistency between HBAC plugins. All tests pass. > > Martin Looks good now, ack Jan From jzeleny at redhat.com Wed Feb 9 11:56:18 2011 From: jzeleny at redhat.com (Jan =?iso-8859-15?q?Zelen=FD?=) Date: Wed, 9 Feb 2011 12:56:18 +0100 Subject: [Freeipa-devel] [PATCH] 74 Fix crash in DNS installer. In-Reply-To: <4D4FEC14.8090707@redhat.com> References: <4D4FEC14.8090707@redhat.com> Message-ID: <201102091256.18293.jzeleny@redhat.com> Pavel Zuna wrote: > Fix #927 > > Pavel Ack Jan From jzeleny at redhat.com Wed Feb 9 12:07:54 2011 
From: jzeleny at redhat.com (Jan =?iso-8859-15?q?Zelen=FD?=) Date: Wed, 9 Feb 2011 13:07:54 +0100 Subject: [Freeipa-devel] [PATCH] 705 make main selfservice aci visible In-Reply-To: <4D52141C.4030206@redhat.com> References: <4D52141C.4030206@redhat.com> Message-ID: <201102091307.54520.jzeleny@redhat.com> Rob Crittenden wrote: > The main aci that grants user's the ability to manage themselves wasn't > visible to the selfservice plugin. Move the location of the aci and fix > the description. > > ticket 934 > > rob ack Jan From jhrozek at redhat.com Wed Feb 9 13:09:19 2011 From: jhrozek at redhat.com (Jakub Hrozek) Date: Wed, 09 Feb 2011 14:09:19 +0100 Subject: [Freeipa-devel] [PATCH] 050 Fix migration page Message-ID: <4D5291FF.2020503@redhat.com> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 During some UI rewrite, the password migration form completely lost the action= field and defaulted to GET instead of POST. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.11 (GNU/Linux) Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org/ iEYEARECAAYFAk1Skf4ACgkQHsardTLnvCXJUACgjTNaASanb8VaGc/wy1sb2Vf6 3nAAnR/rc1foyjcF1I9uXN2whH1z5AKp =3v5+ -----END PGP SIGNATURE----- -------------- next part -------------- A non-text attachment was scrubbed... Name: jhrozek-freeipa-050-migration.patch Type: text/x-patch Size: 781 bytes Desc: not available URL: -------------- next part -------------- A non-text attachment was scrubbed... Name: jhrozek-freeipa-050-migration.patch.sig Type: application/pgp-signature Size: 72 bytes Desc: not available URL: From pzuna at redhat.com Wed Feb 9 13:14:11 2011 
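The bug Jakub describes (a password form that lost its method/action and so submits via GET) is easy to reintroduce in a UI rewrite, so here is the check a reviewer would want to run over the shipped HTML. This is an added example, not FreeIPA's migration page and not the fix in the patch. The two pages are constructed to mirror the broken and the intended form; the action path is an assumed placeholder, not a verified FreeIPA URL.

```python
"""Audit HTML forms that carry a password field but would submit it via GET.

Added example, not FreeIPA's migration page and not the fix in the patch.
BROKEN_PAGE and FIXED_PAGE are constructed; the action path is an assumed
placeholder, not a verified FreeIPA URL.
"""
from html.parser import HTMLParser
from typing import Dict, List, Optional

GET_MSG = ("password form submits via GET: the password would land in the URL, "
           "browser history, server access logs and Referer headers")
NO_ACTION_MSG = ("password form has no action attribute: it submits back to "
                 "whatever URL the page was loaded from")

BROKEN_PAGE = """
<html><body>
<form id="migration">
  <input type="text" name="username">
  <input type="password" name="password">
  <input type="submit" value="Migrate">
</form>
</body></html>
"""

FIXED_PAGE = """
<html><body>
<form id="migration" method="post" action="/ipa/migration/migration.py">
  <input type="text" name="username">
  <input type="password" name="password">
  <input type="submit" value="Migrate">
</form>
</body></html>
"""


class FormAudit(HTMLParser):
    """Collect (method, action, has_password) for every <form> in a page."""

    def __init__(self) -> None:
        super().__init__()
        self.forms: List[Dict[str, object]] = []
        self._current: Optional[Dict[str, object]] = None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            # HTML defaults: a missing method means GET, a missing action means
            # "submit to the current document URL". Both matter for passwords.
            self._current = {"method": (a.get("method") or "get").lower(),
                             "action": a.get("action"),
                             "has_password": False}
        elif tag == "input" and self._current is not None:
            if (a.get("type") or "text").lower() == "password":
                self._current["has_password"] = True

    def handle_endtag(self, tag):
        if tag == "form" and self._current is not None:
            self.forms.append(self._current)
            self._current = None


def audit(page: str) -> List[str]:
    """Return one finding per problem; an empty list means every password form is fine."""
    parser = FormAudit()
    parser.feed(page)
    parser.close()
    findings: List[str] = []
    for form in parser.forms:
        if not form["has_password"]:
            continue  # GET is acceptable for forms without credentials
        if form["method"] != "post":
            findings.append(GET_MSG)
        if not form["action"]:
            findings.append(NO_ACTION_MSG)
    return findings


if __name__ == "__main__":
    for name, page in (("broken", BROKEN_PAGE), ("fixed", FIXED_PAGE)):
        print(name, audit(page) or ["ok"])
```

Running this over the HTML in the build tree (or over the rendered page fetched from a test server) catches the regression before it reaches users; the check is deliberately indifferent to how the form got there, since the thread shows the breakage came from an unrelated UI rewrite.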
From: pzuna at redhat.com (Pavel Zuna) Date: Wed, 09 Feb 2011 14:14:11 +0100 Subject: [Freeipa-devel] [PATCH] 050 Fix migration page In-Reply-To: <4D5291FF.2020503@redhat.com> References: <4D5291FF.2020503@redhat.com> Message-ID: <4D529323.30708@redhat.com> On 02/09/2011 02:09 PM, Jakub Hrozek wrote: > During some UI rewrite, the password migration form completely lost the > action= field and defaulted to GET instead of POST. ACK. Pavel From rcritten at redhat.com Wed Feb 9 14:54:13 2011 From: rcritten at redhat.com (Rob Crittenden) Date: Wed, 09 Feb 2011 09:54:13 -0500 Subject: [Freeipa-devel] [PATCH] Fix of a small typo In-Reply-To: <20110207100528.GB31284@zeppelin.brq.redhat.com> References: <201102041841.41525.jzeleny@redhat.com> <20110207100528.GB31284@zeppelin.brq.redhat.com> Message-ID: <4D52AA95.4020902@redhat.com> Jakub Hrozek wrote: > On Fri, Feb 04, 2011 at 06:41:41PM +0100, Jan Zeleny wrote: >> Trivial fix, can be pushed directly >> >> Jan > > Ack pushed to master From kybaker at redhat.com Wed Feb 9 14:57:35 2011 From: kybaker at redhat.com (Kyle Baker) Date: Wed, 9 Feb 2011 09:57:35 -0500 (EST) Subject: [Freeipa-devel] [PATCH] 0009-Cross-brower-adjustments-for-the-action-panel In-Reply-To: <1745958154.86562.1297263312538.JavaMail.root@zmail05.collab.prod.int.phx2.redhat.com> Message-ID: <2064891232.86644.1297263455655.JavaMail.root@zmail05.collab.prod.int.phx2.redhat.com> Adjusted for action panel for Safari and Chrome. -------------- next part -------------- A non-text attachment was scrubbed... Name: kybaker-freeipa-0009-Cross-brower-adjustments-for-the-action-panel.patch Type: text/x-patch Size: 17093 bytes Desc: not available URL: From rcritten at redhat.com Wed Feb 9 15:02:49 2011 
From: rcritten at redhat.com (Rob Crittenden) Date: Wed, 09 Feb 2011 10:02:49 -0500 Subject: [Freeipa-devel] [PATCH] 72 Set minimum for Kerberos policy max life and max renew In-Reply-To: <20110208134710.GA19184@zeppelin.brq.redhat.com> References: <4D4FC5E4.6040808@redhat.com> <20110207121015.GA5695@zeppelin.brq.redhat.com> <4D4FEF50.50300@redhat.com> <20110208134710.GA19184@zeppelin.brq.redhat.com> Message-ID: <4D52AC99.7050300@redhat.com> Jakub Hrozek wrote: > On Mon, Feb 07, 2011 at 02:10:40PM +0100, Pavel Zuna wrote: >> On 02/07/2011 01:10 PM, Jakub Hrozek wrote: >>> On Mon, Feb 07, 2011 at 11:13:56AM +0100, Pavel Zuna wrote: >>>> Fix #847 >>>> >>>> Pavel >>> >>> >>>> _______________________________________________ >>>> Freeipa-devel mailing list >>>> Freeipa-devel at redhat.com >>>> https://www.redhat.com/mailman/listinfo/freeipa-devel >>> >>> Nack, please update API.txt >>> >> >> Forgot about that, sorry. >> >> Version with updated API.txt attached. >> >> Pavel > > Ack pushed to master From rcritten at redhat.com Wed Feb 9 15:03:58 2011 
From: rcritten at redhat.com (Rob Crittenden) Date: Wed, 09 Feb 2011 10:03:58 -0500 Subject: [Freeipa-devel] [PATCH] 73 Update config doc to reflect that 0 is not allowed for search time limit. In-Reply-To: <4D51FA2D.1050207@redhat.com> References: <4D4FDBC7.5010402@redhat.com> <4D5081A3.5080908@redhat.com> <4D514626.8060100@redhat.com> <4D51FA2D.1050207@redhat.com> Message-ID: <4D52ACDE.6090803@redhat.com> David O'Brien wrote: > Pavel Zuna wrote: >> On 02/08/2011 12:34 AM, David O'Brien wrote: >>> Pavel Zuna wrote: >>>> Fix #837 >>>> >>>> Pavel >>>> >>> /me hesitantly asks... >>> Doesn't this mean that "1" is illegal? >>> >>> doc=_('Max. amount of time (sec.) for a search (> 1 or -1 for >>> unlimited)'), >>> >>> Neither is there any mention of zero being illegal. It may be implicit >>> or self-evident, but I don't rely on that in doc. I'd be inclined to >>> change it to (> 0, or -1 for unlimited) but remember, I'm not a coder :) >>> >>> cheers >>> >> >> You're right. :) >> >> Fixed version attached. >> >> Pavel > my ACK > Fine with me too, pushed to master From rcritten at redhat.com Wed Feb 9 15:04:58 2011 From: rcritten at redhat.com (Rob Crittenden) Date: Wed, 09 Feb 2011 10:04:58 -0500 Subject: [Freeipa-devel] [PATCH] 74 Fix crash in DNS installer. In-Reply-To: <201102091256.18293.jzeleny@redhat.com> References: <4D4FEC14.8090707@redhat.com> <201102091256.18293.jzeleny@redhat.com> Message-ID: <4D52AD1A.306@redhat.com> Jan Zelen? wrote: > Pavel Zuna wrote: >> Fix #927 >> >> Pavel > > Ack pushed to master From rcritten at redhat.com Wed Feb 9 15:07:19 2011 
From: rcritten at redhat.com (Rob Crittenden) Date: Wed, 09 Feb 2011 10:07:19 -0500 Subject: [Freeipa-devel] [PATCH] 77 Update krbtpolicy doc to inform that restarting krb5kdc might be needed. In-Reply-To: <4D51FC3D.4090808@redhat.com> References: <4D4FFA59.4080804@redhat.com> <4D500A5B.6000801@redhat.com> <4D508466.6010508@redhat.com> <4D508806.7000108@redhat.com> <4D50C848.9030209@redhat.com> <4D51613B.50708@redhat.com> <4D51FC3D.4090808@redhat.com> Message-ID: <4D52ADA7.4000408@redhat.com> David O'Brien wrote: > Rob Crittenden wrote: >> David O'Brien wrote: >>> Dmitri Pal wrote: >>>> On 02/07/2011 06:46 PM, David O'Brien wrote: >>>>> Jenny Galipeau wrote: >>>>>> Pavel Zuna wrote: >>>>>>> It seems that restarting krb5kdc is only needed when changes to the >>>>>>> global policy are made. Per-user policies take effect immediately >>>>>>> for newly requested tickets. Can someone please confirm? >>>>>> Yes, in testing this is the behavior. If the help could specify that >>>>>> a ipactl restart is required after global policy change, that would >>>>>> be great. >>>>>> Thanks >>>>>> Jenny >>>>>> >>>>> Please raise a suitable bugzilla to get this included in the user doc. >>>>> So far I only have doc about restarting IPA services after ipa >>>>> krbtpolicy-reset. >>>> >>>> Isn't it the same thing? >>> >>> I took "changes" to mean using krbtpolicy-mod and any others, not just >>> -reset, which is the info I received last time. >> >> The bottom line is that any change to the global Kerberos ticket >> policy requires a restart of the KDC to see the changes (/sbin/service >> krb5kdc restart). IMHO restarting the entire IPA world for this is >> overkill. >> >> rob > ok, so we're still talking about any changes to the global ticket > policy, not just using ipa krbtpolicy-reset, which is what I had before. > I'll update this bit and just recommend krb5kdc restart like you say. > > cheers > ACK, pushed to master From rcritten at redhat.com Wed Feb 9 15:07:58 2011 
From: rcritten at redhat.com (Rob Crittenden) Date: Wed, 09 Feb 2011 10:07:58 -0500 Subject: [Freeipa-devel] [PATCH] 702 add entitlement API In-Reply-To: <201102081248.26324.jzeleny@redhat.com> References: <4D503C27.5090103@redhat.com> <201102081248.26324.jzeleny@redhat.com> Message-ID: <4D52ADCE.2040808@redhat.com> Jan Zelen? wrote: > Rob Crittenden wrote: >> The entitlement plugin was being skipped completely if the python-rhsm >> package wasn't installed. We want to let it limp through if the package >> isn't installed but we're doing API validation. >> >> ticket 919 >> >> rob > > Patch looks and applies ok, installation and subsequent behavior works as > expected (both with and without python-rhsm package), validation as well. ACK > > Jan pushed to master From rcritten at redhat.com Wed Feb 9 15:09:17 2011 From: rcritten at redhat.com (Rob Crittenden) Date: Wed, 09 Feb 2011 10:09:17 -0500 Subject: [Freeipa-devel] [PATCH] 705 make main selfservice aci visible In-Reply-To: <201102091307.54520.jzeleny@redhat.com> References: <4D52141C.4030206@redhat.com> <201102091307.54520.jzeleny@redhat.com> Message-ID: <4D52AE1D.5000204@redhat.com> Jan Zelen? wrote: > Rob Crittenden wrote: >> The main aci that grants users the ability to manage themselves wasn't >> visible to the selfservice plugin. Move the location of the aci and fix >> the description. >> >> ticket 934 >> >> rob > > ack > > Jan pushed to master From dpal at redhat.com Wed Feb 9 15:56:06 2011 
From: dpal at redhat.com (Dmitri Pal) Date: Wed, 09 Feb 2011 10:56:06 -0500 Subject: [Freeipa-devel] Hosts, A recs, and AAAA recs In-Reply-To: <20110208233029.1be85f2f@willson.li.ssimo.org> References: <4D520598.1000809@redhat.com> <20110208233029.1be85f2f@willson.li.ssimo.org> Message-ID: <4D52B916.2000400@redhat.com> On 02/08/2011 11:30 PM, Simo Sorce wrote: > On Tue, 08 Feb 2011 22:10:16 -0500 > Adam Young wrote: > >> The current process to add a host today is: >> >> Create an A record >> run add host >> >> We have --force which will allow us to add the host even if the A >> record doesn't exist, but do we have a way to say, add this host, A >> record, and AAAA record all at the same time? >> >> >> From a cloud perspective, it seems like we are going to get a lot of >> short lived VMs that will need all three at once. I can see a work >> flow like this: >> >> >> User requests a number of VMs. >> VMs get clones from templates and spun up >> VMs get IP address from DHCP server. >> DHCP server notifies IPA server of new hosts > What do you mean by this ^^^^ ? > Do you want to give the DHCP server the power to perform DNS updates ? > Can be done although I am not sure DHCP Servers know how to do GSS-TSIG > protected updates, we may have to open up DNS access control to accept > everything from the DHCP Server. > >> IPA server adds host entries, A and AAAA records > Host entries must be added by the cloud engine as it needs to set the > enrollment password it passes down to the VM. > >> VM runs ipa-client install as part of firstboot > ipa-client-install could also add DNS records, but there is a > credential problem if it is an automated process. > >> The IPA server might even get notified earlier. I could see the >> cloud provider pushing the info to ipa prior to cloning the VM. > This might be a better choice as long as the cloud provider can also > change the DHCP configuration to assign the right IP address to the > VMs using the MAC address. 
> >> How would we go about doing that today? > I think we are missing the part that creates the VMs yet, so ... > > Simo. > In the cloud the cloud provider gives a VM a name and IP that it knows about. It is completely different from what you want the machine to think about itself. I did some emulation of the bootstrapping sequence as a proof of concept to make sure we can enroll the host with a different hostname. To emulate the provisioning of a new VM in the cloud I created a new host in IPA with corresponding DNS entries. I gave it a generated static IP of 1.1.1.1. It created an OTP for me. Then I turned around and, on the client, added ipa to the resolv.conf of the client and ran the ipa-client-install passing in the OTP, ipa host name and machine name. That completed the provisioning. The cloud engine will be driving the creation of the DNS and host entries. IPA already has all capabilities that are needed. What you suggest seems to be an optimization that would save cloud engine a line in a script. Simo is right about firstboot - it is not implemented yet. -- Thank you, Dmitri Pal Sr. Engineering Manager IPA project, Red Hat Inc. ------------------------------- Looking to carve out IT costs? www.redhat.com/carveoutcosts/ From ayoung at redhat.com Wed Feb 9 16:06:08 2011 
From: ayoung at redhat.com (Adam Young) Date: Wed, 09 Feb 2011 11:06:08 -0500 Subject: [Freeipa-devel] Hosts, A recs, and AAAA recs In-Reply-To: <4D52B916.2000400@redhat.com> References: <4D520598.1000809@redhat.com> <20110208233029.1be85f2f@willson.li.ssimo.org> <4D52B916.2000400@redhat.com> Message-ID: <4D52BB70.1000608@redhat.com> On 02/09/2011 10:56 AM, Dmitri Pal wrote: > On 02/08/2011 11:30 PM, Simo Sorce wrote: >> On Tue, 08 Feb 2011 22:10:16 -0500 >> Adam Young wrote: >> >>> The current process to add a host today is: >>> >>> Create an A record >>> run add host >>> >>> We have --force which will allow us to add the host even if the A >>> record doesn't exist, but do we have a way to say, add this host, A >>> record, and AAAA record all at the same time? >>> >>> >>> From a cloud perspective, it seems like we are going to get a lot of >>> short lived VMs that will need all three at once. I can see a work >>> flow like this: >>> >>> >>> User requests a number of VMs. >>> VMs get clones from templates and spun up >>> VMs get IP address from DHCP server. >>> DHCP server notifies IPA server of new hosts >> What do you mean by this ^^^^ ? >> Do you want to give the DHCP server the power to perform DNS updates ? >> Can be done although I am not sure DHCP Servers know how to do GSS-TSIG >> protected updates, we may have to open up DNS access control to accept >> everything from the DHCP Server. >> >>> IPA server adds host entries, A and AAAA records >> Host entries must be added by the cloud engine as it needs to set the >> enrollment password it passes down to the VM. >> >>> VM runs ipa-client install as part of firstboot >> ipa-client-install could also add DNS records, but there is a >> credential problem if it is an automated process. >> >>> The IPA server might even get notified earlier. I could see the >>> cloud provider pushing the info to ipa prior to cloning the VM. 
>> This might be a better choice as long as the cloud provider can also >> change the DHCP configuration to assign the right IP address to the >> VMs using the MAC address. >> >>> How would we go about doing that today? >> I think we are missing the part that creates the VMs yet, so ... >> >> Simo. >> > In the cloud the cloud provider gives a VM a name and IP that it knows > about. > It is completely different from what you want the machine to think about > itself. > I did some emulation of the bootstrapping sequence as a proof of concept > to make sure we can enroll the host with a different hostname. > > To emulate the provisioning of a new VM in the cloud I created a new > host in IPA with corresponding DNS entries. I gave it a generated static > IP of 1.1.1.1. > It created an OTP for me. > Then I turned around and to the client added ipa to the resolve.conf of > the client and ran the ipa-client-install passing in the OTP, ipa host > name and machine name. > That completed the provisioning. > > The cloud engine will be driving the creation of the DNS and host > entries. IPA already has all capabilities that are needed. > What you suggest seems to be an optimization that would save cloud > engine a line in a script. > > Simo is right about firstboot - it is not implemented yet. To create a new vm is just a matter of using libvirt's clone call. But I'm not sure if libvirt has the means to notify the IPA server "new machine is about to come up, I'm going to give it the IP Address 10.1.1.1" What do you mean about firstboot? From ayoung at redhat.com Wed Feb 9 16:40:10 2011 
From: ayoung at redhat.com (Adam Young) Date: Wed, 09 Feb 2011 11:40:10 -0500 Subject: [Freeipa-devel] [PATCH] 0009-Cross-brower-adjustments-for-the-action-panel In-Reply-To: <2064891232.86644.1297263455655.JavaMail.root@zmail05.collab.prod.int.phx2.redhat.com> References: <2064891232.86644.1297263455655.JavaMail.root@zmail05.collab.prod.int.phx2.redhat.com> Message-ID: <4D52C36A.8020501@redhat.com> On 02/09/2011 09:57 AM, Kyle Baker wrote: > Adjusted for action panel for Safari and Chrome. > > > _______________________________________________ > Freeipa-devel mailing list > Freeipa-devel at redhat.com > https://www.redhat.com/mailman/listinfo/freeipa-devel Removed the patch file embedded in the other patch file. ACK and pushed to master -------------- next part -------------- An HTML attachment was scrubbed... URL: From edewata at redhat.com Wed Feb 9 17:12:22 2011 From: edewata at redhat.com (Endi Sukma Dewata) Date: Wed, 09 Feb 2011 11:12:22 -0600 Subject: [Freeipa-devel] [PATCH] Append realm name to service principal name. Message-ID: <4D52CAF6.1050200@redhat.com> The realm name is necessary to create the correct service. -- Endi S. Dewata -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-edewata-0099-Append-realm-name-to-service-principal-name.patch Type: text/x-patch Size: 5116 bytes Desc: not available URL: From rcritten at redhat.com Wed Feb 9 18:26:25 2011 From: rcritten at redhat.com (Rob Crittenden) Date: Wed, 09 Feb 2011 13:26:25 -0500 Subject: [Freeipa-devel] [PATCH] 706 remove certificate from service-find Message-ID: <4D52DC51.5080505@redhat.com> Remove certificate as a service search option. There is no point in searching on binary objects. ticket 912 rob -------------- next part -------------- An embedded and charset-unspecified text was scrubbed... Name: freeipa-rcrit-706-service.path URL: From rcritten at redhat.com Wed Feb 9 18:53:00 2011 
From: rcritten at redhat.com (Rob Crittenden) Date: Wed, 09 Feb 2011 13:53:00 -0500 Subject: [Freeipa-devel] [PATCH] 707 fix wrapping prompt Message-ID: <4D52E28C.3090506@redhat.com> At least in my xterm the prompt for "Do you want to proceed and configure the system with fixed values with no DNS discovery?" wraps around over itself. This patch shortens the message. ticket 940 rob -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-rcrit-707-client.patch Type: application/mbox Size: 1175 bytes Desc: not available URL: From rcritten at redhat.com Wed Feb 9 18:57:46 2011 From: rcritten at redhat.com (Rob Crittenden) Date: Wed, 09 Feb 2011 13:57:46 -0500 Subject: [Freeipa-devel] [PATCH] 708 move nscd disablement code Message-ID: <4D52E3AA.50506@redhat.com> Disable nscd before starting sssd. We used to disable it after configuring sssd which would cause a warning message to appear in /var/log/messages from sssd. This was in effect bogus because we killed nscd as the very next step after starting sssd, but let's not confuse our users. ticket 743 rob -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-rcrit-708-nscd.patch Type: application/mbox Size: 2795 bytes Desc: not available URL: From rcritten at redhat.com Wed Feb 9 19:27:54 2011 From: rcritten at redhat.com (Rob Crittenden) Date: Wed, 09 Feb 2011 14:27:54 -0500 Subject: [Freeipa-devel] [PATCH] 709 set minimum version of sssd to 1.5.1. Message-ID: <4D52EABA.2080608@redhat.com> Title says it all. ticket 926 rob -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-rcrit-709-sssd.patch Type: application/mbox Size: 1012 bytes Desc: not available URL: From dpal at redhat.com Wed Feb 9 20:58:43 2011 
From: dpal at redhat.com (Dmitri Pal) Date: Wed, 09 Feb 2011 15:58:43 -0500 Subject: [Freeipa-devel] Fedora 15 test day is moved to Feb 15th. Message-ID: <4D530003.1020208@redhat.com> Hello, Please join us in testing FreeIPA v2 on Tuesday Feb 15th as a part of the Fedora 15 Test Day. Originally we planned to have a test day on Thursday February 10th (tomorrow) but for different reasons we had to delay this effort. The details of what to test and how to test will be published later this week. Please follow the changes on the Fedora test page [1] and on the FreeIPA wiki [2]. [1] https://fedoraproject.org/wiki/Test_Day:2011-02-15_FreeIPAv2 (incomplete as of Feb 9th) [2] www.freeipa.org -- Thank you, Dmitri Pal Sr. Engineering Manager IPA project, Red Hat Inc. ------------------------------- Looking to carve out IT costs? www.redhat.com/carveoutcosts/ From dpal at redhat.com Wed Feb 9 21:41:15 2011 
From: dpal at redhat.com (Dmitri Pal) Date: Wed, 09 Feb 2011 16:41:15 -0500 Subject: [Freeipa-devel] Hosts, A recs, and AAAA recs In-Reply-To: <4D52BB70.1000608@redhat.com> References: <4D520598.1000809@redhat.com> <20110208233029.1be85f2f@willson.li.ssimo.org> <4D52B916.2000400@redhat.com> <4D52BB70.1000608@redhat.com> Message-ID: <4D5309FB.3070003@redhat.com> On 02/09/2011 11:06 AM, Adam Young wrote: > On 02/09/2011 10:56 AM, Dmitri Pal wrote: >> On 02/08/2011 11:30 PM, Simo Sorce wrote: >>> On Tue, 08 Feb 2011 22:10:16 -0500 >>> Adam Young wrote: >>> >>>> The current process to add a host today is: >>>> >>>> Create an A record >>>> run add host >>>> >>>> We have --force which will allow us to add the host even if the A >>>> record doesn't exist, but do we have a way to say, add this host, A >>>> record, and AAAA record all at the same time? >>>> >>>> >>>> From a cloud perspective, it seems like we are going to get a lot of >>>> short lived VMs that will need all three at once. I can see a work >>>> flow like this: >>>> >>>> >>>> User requests a number of VMs. >>>> VMs get clones from templates and spun up >>>> VMs get IP address from DHCP server. >>>> DHCP server notifies IPA server of new hosts >>> What do you mean by this ^^^^ ? >>> Do you want to give the DHCP server the power to perform DNS updates ? >>> Can be done although I am not sure DHCP Servers know how to do GSS-TSIG >>> protected updates, we may have to open up DNS access control to accept >>> everything from the DHCP Server. >>> >>>> IPA server adds host entries, A and AAAA records >>> Host entries must be added by the cloud engine as it needs to set the >>> enrollment password it passes down to the VM. >>> >>>> VM runs ipa-client install as part of firstboot >>> ipa-client-install could also add DNS records, but there is a >>> credential problem if it is an automated process. >>> >>>> The IPA server might even get notified earlier. 
I could see the >>>> cloud provider pushing the info to ipa prior to cloning the VM. >>> This might be a better choice as long as the cloud provider can also >>> change the DHCP configuration to assign the right IP address to the >>> VMs using the MAC address. >>> >>>> How would we go about doing that today? >>> I think we are missing the part that creates the VMs yet, so ... >>> >>> Simo. >>> >> In the cloud the cloud provider gives a VM a name and IP that it knows >> about. >> It is completely different from what you want the machine to think about >> itself. >> I did some emulation of the bootstrapping sequence as a proof of concept >> to make sure we can enroll the host with a different hostname. >> >> To emulate the provisioning of a new VM in the cloud I created a new >> host in IPA with corresponding DNS entries. I gave it a generated static >> IP of 1.1.1.1. >> It created an OTP for me. >> Then I turned around and to the client added ipa to the resolve.conf of >> the client and ran the ipa-client-install passing in the OTP, ipa host >> name and machine name. >> That completed the provisioning. >> >> The cloud engine will be driving the creation of the DNS and host >> entries. IPA already has all capabilities that are needed. >> What you suggest seems to be an optimization that would save cloud >> engine a line in a script. >> >> Simo is right about firstboot - it is not implemented yet. > > To create a new vm is just a matter of using libvirt's clone call. > But I'm not sure if libvirt has the means to notify the IPA server > "new machine is about to come up, I'm going to give it the IP Address > 10.1.1.1" > > What do you mean about firstboot? > I talking about a generic case. When you are bringing up machine in a cloud you can't assume libvirt. It can be Amazon cloud or Rackspace or GoGrid or something else. 
In such cases Cloud Engine will tell the cloud provider: here is the image, boot it and pass those parameters to it (parameters are passed in different ways for different cloud providers). On the "first boot" (and this is where the first boot comes from) the image comes up and executes "First boot sequence". As a part of the sequence it connects to the configuration server to pull in its configuration. But before this it needs to register to IPA using passed in OTP. The cloud engine would pre-create the right entries on the IPA server side (host and DNS) and pass the OTP, its name and host name of the machine to the VM as parameters. The first boot script will do ipa-client-install with those parameters and then using obtained ticket connect to the configuration server. Since the VM is now authenticated the Configuration server would be able to tell VM what to do next and how to configure itself. Bottom line is that there is a third party called Cloud Engine that will orchestrate the process. > > _______________________________________________ > Freeipa-devel mailing list > Freeipa-devel at redhat.com > https://www.redhat.com/mailman/listinfo/freeipa-devel -- Thank you, Dmitri Pal Sr. Engineering Manager IPA project, Red Hat Inc. ------------------------------- Looking to carve out IT costs? www.redhat.com/carveoutcosts/ From rcritten at redhat.com Wed Feb 9 22:04:57 2011 
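The provisioning sequence described in this thread (the cloud engine pre-creates the host entry and DNS record and receives a one-time enrollment password, the VM's first-boot step presents that OTP with its hostname, and the server must accept it exactly once) can be modelled end to end. The following is an added example, not FreeIPA code: the server is an in-memory stand-in with hypothetical `host_add`/`enroll` methods, the hostnames and addresses are constructed, and the OTP is stored only as a salted hash, bound to one host, single-use and time-limited.

```python
"""Model of OTP-based host enrollment for cloud-provisioned VMs.

Added example, not FreeIPA code. Names such as vm01.example.test,
10.1.1.1 and ipa.example.test are constructed; IpaServerModel is a
hypothetical in-memory stand-in for the IPA server.
"""
from __future__ import annotations

import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass
from typing import Optional


@dataclass
class HostEntry:
    fqdn: str
    ip: str
    otp_hash: Optional[bytes] = None   # salted hash of the OTP; None once used
    salt: bytes = b""
    otp_expires: float = 0.0
    enrolled: bool = False


class IpaServerModel:
    """Minimal stand-in for the server side: host entries plus A records."""

    def __init__(self, otp_ttl: float = 3600.0, clock=time.time):
        self.hosts: dict[str, HostEntry] = {}
        self.dns_a: dict[str, str] = {}
        self.otp_ttl = otp_ttl
        self.clock = clock

    @staticmethod
    def _digest(salt: bytes, otp: str) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", otp.encode(), salt, 100_000)

    def host_add(self, fqdn: str, ip: str) -> str:
        """Pre-create the host and its A record and return a fresh OTP.
        Only the salted hash is kept, so a dump of the entries does not
        yield usable enrollment secrets."""
        if fqdn in self.hosts:
            raise ValueError(f"host {fqdn} already exists")
        otp = secrets.token_urlsafe(24)
        salt = secrets.token_bytes(16)
        self.hosts[fqdn] = HostEntry(
            fqdn=fqdn, ip=ip, otp_hash=self._digest(salt, otp), salt=salt,
            otp_expires=self.clock() + self.otp_ttl)
        self.dns_a[fqdn] = ip
        return otp

    def enroll(self, fqdn: str, otp: str) -> bool:
        """Accept the OTP exactly once, and only for the host it was issued for."""
        entry = self.hosts.get(fqdn)
        if entry is None or entry.enrolled or entry.otp_hash is None:
            return False
        if self.clock() > entry.otp_expires:
            entry.otp_hash = None        # expired secret is discarded, not kept
            return False
        ok = hmac.compare_digest(self._digest(entry.salt, otp), entry.otp_hash)
        if ok:
            entry.enrolled = True
            entry.otp_hash = None        # one-time: a replay has nothing to match
        return ok


def cloud_engine_provision(server: IpaServerModel, fqdn: str, ip: str) -> dict:
    """What the cloud engine hands to the provider as boot parameters."""
    otp = server.host_add(fqdn, ip)
    return {"hostname": fqdn, "ipa_otp": otp, "ipa_server": "ipa.example.test"}


def firstboot(server: IpaServerModel, params: dict) -> bool:
    """Stand-in for the first-boot step that would run ipa-client-install
    with the OTP (-w) and --hostname; a real VM would also point
    resolv.conf at the IPA server first."""
    return server.enroll(params["hostname"], params["ipa_otp"])


def demo() -> dict:
    """Drive the flow once and record what each step returned."""
    now = [1_000_000.0]
    server = IpaServerModel(otp_ttl=600, clock=lambda: now[0])
    params = cloud_engine_provision(server, "vm01.example.test", "10.1.1.1")
    first = firstboot(server, params)               # legitimate first boot
    replay = firstboot(server, params)              # same OTP presented again
    wrong_host = server.enroll("vm02.example.test", params["ipa_otp"])
    stale = cloud_engine_provision(server, "vm03.example.test", "10.1.1.3")
    now[0] += 601                                   # OTP lifetime passes
    expired = firstboot(server, stale)
    return {"first": first, "replay": replay, "wrong_host": wrong_host,
            "expired": expired, "a_record": server.dns_a["vm01.example.test"]}


if __name__ == "__main__":
    print(demo())
```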
From: rcritten at redhat.com (Rob Crittenden)
Date: Wed, 09 Feb 2011 17:04:57 -0500
Subject: [Freeipa-devel] [PATCH] 710 fix test failures
Message-ID: <4D530F89.2050506@redhat.com>

The performance patch depended on self.env.mode != 'production'. env and mode aren't guaranteed to exist in the object so check for those and only skip the work if the mode is explicitly production.

rob

-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-rcrit-710-tests.patch
Type: application/mbox
Size: 4130 bytes

From: ayoung at redhat.com (Adam Young)
Date: Wed, 09 Feb 2011 19:53:53 -0500
Subject: [Freeipa-devel] [PATCH] Moved add dialog into search facet.
In-Reply-To: <4D51CAD5.8070900@redhat.com>
References: <4D51CAD5.8070900@redhat.com>
Message-ID: <4D533721.1040205@redhat.com>

On 02/08/2011 05:59 PM, Endi Sukma Dewata wrote:
> Previously the add dialog was added into the entity. The dialog is only
> used by the search facet, so it's now moved into the search facet.

ACK. Pushed to master

From: ayoung at redhat.com (Adam Young)
Date: Wed, 09 Feb 2011 20:06:57 -0500
Subject: [Freeipa-devel] [PATCH] admiyo-0191-target-section-without-radio-buttons
Message-ID: <4D533A31.6060607@redhat.com>

-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-admiyo-0191-1-target-section-without-radio-buttons.patch
Type: text/x-patch
Size: 20961 bytes

From: edewata at redhat.com (Endi Sukma Dewata)
Date: Thu, 10 Feb 2011 00:13:29 -0600
Subject: [Freeipa-devel] [PATCH] admiyo-0191-target-section-without-radio-buttons
In-Reply-To: <4D533A31.6060607@redhat.com>
References: <4D533A31.6060607@redhat.com>
Message-ID: <4D538209.8080301@redhat.com>

On 2/9/2011 7:06 PM, Adam Young wrote:
>

A few comments:

1. The functionality seems to be working, but the layout is a bit different. Previously the label (e.g. Filter) and the widget (e.g. text field) occupy the same line. Right now they occupy different lines and are not aligned with the labels & widgets above them (e.g. Permission name). I'd like the UXD team to review this change.

2. The jQuery selectors on lines 427, 462, 472 in aci.js are not qualified, so they will be doing a global search. I'd rather store the object reference somewhere and use it directly without searching for it again. For example, line 411 can be changed as follows:

   target_type.container = $('', {

   Then line 427 can be changed as follows:

   target_type.container.css('display', 'block');

3. The indentation of the target_types array in aci.js is inconsistent.

4. The IPA.hidden_widget doesn't seem to be used. Should this be removed?

5. For the changes in dialog.js, it's not necessary to check section.reset()'s presence before calling it. All sections will have a reset() function because it's inherited from the base class.

6. For the changes in widget.js, let's do this in a separate patch. We'll combine the create/setup in a more consistent way.

7. There are some jslint warnings.

--
Endi S. Dewata

From: jhrozek at redhat.com (Jakub Hrozek)
Date: Thu, 10 Feb 2011 10:55:08 +0100
Subject: [Freeipa-devel] [PATCH] 709 set minimum version of sssd to 1.5.1.
In-Reply-To: <4D52EABA.2080608@redhat.com>
References: <4D52EABA.2080608@redhat.com>
Message-ID: <20110210095507.GA27864@zeppelin.brq.redhat.com>

On Wed, Feb 09, 2011 at 02:27:54PM -0500, Rob Crittenden wrote:
> Title says it all.
>
> ticket 926
>
> rob

Ack

From: jhrozek at redhat.com (Jakub Hrozek)
Date: Thu, 10 Feb 2011 10:55:33 +0100
Subject: [Freeipa-devel] [PATCH] 707 fix wrapping prompt
In-Reply-To: <4D52E28C.3090506@redhat.com>
References: <4D52E28C.3090506@redhat.com>
Message-ID: <20110210095533.GB27864@zeppelin.brq.redhat.com>

On Wed, Feb 09, 2011 at 01:53:00PM -0500, Rob Crittenden wrote:
> At least in my xterm the prompt for "Do you want to proceed and
> configure the system with fixed values with no DNS discovery?" wraps
> around over itself.
>
> This patch shortens the message.
>
> ticket 940
>
> rob

Ack

From: jzeleny at redhat.com (Jan Zelený)
Date: Thu, 10 Feb 2011 10:59:23 +0100
Subject: [Freeipa-devel] [PATCH] 706 remove certificate from service-find
In-Reply-To: <4D52DC51.5080505@redhat.com>
References: <4D52DC51.5080505@redhat.com>
Message-ID: <201102101059.23662.jzeleny@redhat.com>

Rob Crittenden wrote:
> Remove certificate as a service search option. There is no point in
> searching on binary objects.
>
> ticket 912
>
> rob

ack

Jan

From: jhrozek at redhat.com (Jakub Hrozek)
Date: Thu, 10 Feb 2011 11:01:43 +0100
Subject: [Freeipa-devel] [PATCH] 708 move nscd disablement code
In-Reply-To: <4D52E3AA.50506@redhat.com>
References: <4D52E3AA.50506@redhat.com>
Message-ID: <20110210100142.GC27864@zeppelin.brq.redhat.com>

On Wed, Feb 09, 2011 at 01:57:46PM -0500, Rob Crittenden wrote:
> Disable nscd before starting sssd. We used to disable it after
> configuring sssd which would cause a warning message to appear in
> /var/log/messages from sssd. This was in effect bogus because we
> killed nscd as the very next step after starting sssd but let's not
> confuse our users.
>
> ticket 743
>
> rob

Ack

From: jzeleny at redhat.com (Jan Zelený)
Date: Thu, 10 Feb 2011 11:02:40 +0100
Subject: [Freeipa-devel] [PATCH] 75 Display error messages for failed manageby in service-add/remove-host.
In-Reply-To: <4D4FECE1.3000504@redhat.com>
References: <4D4FECE1.3000504@redhat.com>
Message-ID: <201102101102.40861.jzeleny@redhat.com>

Pavel Zuna wrote:
> Fix #830
>
> Pavel

ack

Jan

From: jzeleny at redhat.com (Jan Zelený)
Date: Thu, 10 Feb 2011 11:06:14 +0100
Subject: [Freeipa-devel] [PATCH] 76 Fallback to default locale (en_US) if env. setting is corrupt.
In-Reply-To: <4D4FF421.2020100@redhat.com>
References: <4D4FF421.2020100@redhat.com>
Message-ID: <201102101106.14088.jzeleny@redhat.com>

Pavel Zuna wrote:
> This is a follow-up to my patches 69 and 71 (70 is garbage).
>
> It prevents a crash when a user misconfigures his locale settings.
>
> Pavel

ack

Jan

From: pzuna at redhat.com (Pavel Zuna)
Date: Thu, 10 Feb 2011 11:42:44 +0100
Subject: [Freeipa-devel] [PATCH] 78 Use ldapi: instead of unsecured ldap: in ipa core tools.
In-Reply-To: <4D5131BB.6080400@redhat.com>
References: <4D5131BB.6080400@redhat.com>
Message-ID: <4D53C124.30800@redhat.com>

On 02/08/2011 01:06 PM, Pavel Zuna wrote:
> The patch also corrects exception handling in some of the tools.
>
> Fix #874
>
> Pavel
>

Updated patch attached. Forgot to rename an identifier in exception handling.

Pavel

-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-pzuna-78-2-toolsldapi.patch
Type: application/mbox
Size: 11502 bytes

From: jzeleny at redhat.com (Jan Zelený)
Date: Thu, 10 Feb 2011 11:47:52 +0100
Subject: [Freeipa-devel] [PATCH] 78 Use ldapi: instead of unsecured ldap: in ipa core tools.
In-Reply-To: <4D53C124.30800@redhat.com>
References: <4D5131BB.6080400@redhat.com> <4D53C124.30800@redhat.com>
Message-ID: <201102101147.52617.jzeleny@redhat.com>

Pavel Zuna wrote:
> On 02/08/2011 01:06 PM, Pavel Zuna wrote:
> > The patch also corrects exception handling in some of the tools.
> >
> > Fix #874
> >
> > Pavel
>
> Updated patch attached. Forgot to rename an identifier in exception
> handling.
>
> Pavel

ack

Jan

From: jhrozek at redhat.com (Jakub Hrozek)
Date: Thu, 10 Feb 2011 12:41:37 +0100
Subject: [Freeipa-devel] [PATCH] 704 replication version plugin fix
In-Reply-To: <4D5209BD.8020704@redhat.com>
References: <4D5209BD.8020704@redhat.com>
Message-ID: <20110210114136.GA6695@zeppelin.brq.redhat.com>

On Tue, Feb 08, 2011 at 10:27:57PM -0500, Rob Crittenden wrote:
> The 389-ds replication plugin may not be installed on all platforms
> and our replication version plugin will cause 389-ds to not start if
> it is loaded and the replication plugin is not. So disable by
> default.
>
> When a replica is prepared we check for the replication plugin. If
> it exists we will enable the replication version plugin.
>
> Likewise on installation of a replica we check for existence of the
> replication plugin and if it is there then we enable the version
> plugin before replication begins.
>
> ticket 918
>
> rob

+def enable_replication_version_checking(hostname, realm, dirman_passwd):
+    """
+    Check the replication version checking plugin. If it is not
+    enabled then enable it and restart 389-ds. If it is enabled
+    the do nothing.
+    """
+    import pdb
+    pdb.set_trace()

^^^ please remove these and you'll get an ack :-)

From: jhrozek at redhat.com (Jakub Hrozek)
Date: Thu, 10 Feb 2011 13:03:00 +0100
Subject: [Freeipa-devel] [PATCH] 1 Remove unnecessary BuildRequires
In-Reply-To: <4D517FB9.9040508@redhat.com>
References: <4D517DC2.8050402@redhat.com> <4D517FB9.9040508@redhat.com>
Message-ID: <20110210120300.GB6695@zeppelin.brq.redhat.com>

On Tue, Feb 08, 2011 at 06:39:05PM +0100, Jan Cholasta wrote:
> Fixing newbie mistake: included properly formatted patch.
>
> It was tested in mock.
>
> Dne 8.2.2011 18:30, Jan Cholasta napsal(a):
> >Removed 2 unnecessary BuildRequires from freeipa.spec.in:
> >
> >* e2fsprogs-devel: obsoleted by libuuid-devel
> >* libcap-devel: not needed to build the RPM
> >
> >

Ack.

Also tested with Koji scratch build:
http://koji.fedoraproject.org/koji/taskinfo?taskID=2829532

From: mkosek at redhat.com (Martin Kosek)
Date: Thu, 10 Feb 2011 13:01:55 +0100
Subject: [Freeipa-devel] [PATCH] 028 Extend API validator
Message-ID: <1297339315.3003.14.camel@dhcp-25-52.brq.redhat.com>

makeapi script is used to check if ipalib API is consistent with the known state in API.txt. When the API is changed, major API version should be updated. However, when new options/arguments/outputs were added to an ipalib command, `makeapi --validate' call did not capture this.

This patch fixes this issue and ensures that also the last command in API.txt is checked (it was not before this patch).

https://fedorahosted.org/freeipa/ticket/868

-------------- next part --------------
A non-text attachment was scrubbed...
Name: mkosek-freeipa-028-extend-api-validator.patch
Type: text/x-patch
Size: 7727 bytes

From: jhrozek at redhat.com (Jakub Hrozek)
Date: Thu, 10 Feb 2011 13:06:48 +0100
Subject: [Freeipa-devel] [PATCH] 710 fix test failures
In-Reply-To: <4D530F89.2050506@redhat.com>
References: <4D530F89.2050506@redhat.com>
Message-ID: <20110210120647.GA28156@zeppelin.brq.redhat.com>

On Wed, Feb 09, 2011 at 05:04:57PM -0500, Rob Crittenden wrote:
> The performance patch depended on self.env.mode != 'production'. env
> and mode aren't guaranteed to exist in the object so check for those
> and only skip the work if the mode is explicitly production.
>
> rob

Ack

From: jhrozek at redhat.com (Jakub Hrozek)
Date: Thu, 10 Feb 2011 13:41:13 +0100
Subject: [Freeipa-devel] [PATCH] 703 389-ds startup with krb config
In-Reply-To: <4D515D5B.9080800@redhat.com>
References: <4D515D5B.9080800@redhat.com>
Message-ID: <20110210124112.GB28156@zeppelin.brq.redhat.com>

On Tue, Feb 08, 2011 at 10:12:27AM -0500, Rob Crittenden wrote:
> If /etc/krb5.conf doesn't exist or contains no default kerberos
> realm then 389-ds won't start at all. This is a problem during
> installation because we configure 389 first.
>
> This patch will let the server come up, you just won't be able to do
> any joins or password changes until you configure kerberos.
>
> ticket 606
>
> rob

I wasn't able to install with this patch when I had no /etc/krb5.conf at all. Here's what the DS error log said:

---
10/Feb/2011:07:30:35 -0500] ipaenrollment_start - [file ipa_enrollment.c, line 389]: Failed to get default realm?!
[10/Feb/2011:07:30:35 -0500] - Failed to start extendedop plugin ipa_enrollment_extop
[10/Feb/2011:07:30:35 -0500] ipaenrollment_start - [file ipa_enrollment.c, line 389]: Failed to get default realm?!
[10/Feb/2011:07:30:35 -0500] - Failed to start extendedop plugin ipa_enrollment_extop
[10/Feb/2011:07:30:36 -0500] ipaenrollment_start - [file ipa_enrollment.c, line 389]: Failed to get default realm?!
[10/Feb/2011:07:30:36 -0500] - Failed to start extendedop plugin ipa_enrollment_extop
---

Looking at ipaenrollment_start(), it looks like the culprit is that when krb5_get_default_realm() fails, ret is set to an error code and returned. It should be either reset to LDAP_SUCCESS or maybe rc should be used instead.

Also one nitpick. This:

-static char *realm;
-static const char *ipa_realm_dn;
+static char *realm = NULL;
+static const char *ipa_realm_dn = NULL;

Is not necessary, global variables are initialized to NULL automatically.
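Review bot: the two `= NULL` initializers in this hunk are redundant rather than wrong: objects with static storage duration are zero-initialized before program start, so `static char *realm;` already holds a null pointer, and the hunk can be dropped without changing behaviour. Keeping it out of the patch leaves the diff focused on the part that does change behaviour, the return path in ipaenrollment_start() where a failed krb5_get_default_realm() currently propagates its error code out of the start function; the repeated "Failed to start extendedop plugin ipa_enrollment_extop" lines in the error log above show that this is what keeps 389-ds from coming up without /etc/krb5.conf.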
From jzeleny at redhat.com Thu Feb 10 13:09:30 2011 From: jzeleny at redhat.com (Jan =?iso-8859-1?q?Zelen=FD?=) Date: Thu, 10 Feb 2011 14:09:30 +0100 Subject: [Freeipa-devel] [PATCH] Updated default Kerberos password policy Message-ID: <201102101409.30118.jzeleny@redhat.com> https://fedorahosted.org/freeipa/ticket/930 I put there a value Dmitri suggested. Feel free to change it before pushing if you think there should be the originally suggested 10 login attempts. -- Thank you Jan Zeleny Red Hat Software Engineer Brno, Czech Republic -------------- next part -------------- A non-text attachment was scrubbed... Name: jzeleny-freeipa-0039-Updated-default-Kerberos-password-policy.patch Type: text/x-patch Size: 839 bytes Desc: not available URL: From mkosek at redhat.com Thu Feb 10 13:24:29 2011 From: mkosek at redhat.com (Martin Kosek) Date: Thu, 10 Feb 2011 14:24:29 +0100 Subject: [Freeipa-devel] [PATCH] 029 ipa-dns-install does not exit on error Message-ID: <1297344269.3003.15.camel@dhcp-25-52.brq.redhat.com> This patch fixes behavior of ipa-dns-install, which does not exit when an invalid configuration of /etc/hosts is detected. https://fedorahosted.org/freeipa/ticket/736 -------------- next part -------------- A non-text attachment was scrubbed... Name: mkosek-freeipa-029-ipa-dns-install-does-not-exit-on-error.patch Type: text/x-patch Size: 2424 bytes Desc: not available URL: From rcritten at redhat.com Thu Feb 10 13:43:59 2011 From: rcritten at redhat.com (Rob Crittenden) Date: Thu, 10 Feb 2011 08:43:59 -0500 Subject: [Freeipa-devel] [PATCH] Updated default Kerberos password policy In-Reply-To: <201102101409.30118.jzeleny@redhat.com> References: <201102101409.30118.jzeleny@redhat.com> Message-ID: <4D53EB9F.3020500@redhat.com> Jan Zelen? wrote: > https://fedorahosted.org/freeipa/ticket/930 > > I put there a value Dmitri suggested. Feel free to change it before pushing if > you think there should be the originally suggested 10 login attempts. 
> We want to increase krbPwdLockoutDuration too, to 600. rob From mkosek at redhat.com Thu Feb 10 15:56:29 2011 From: mkosek at redhat.com (Martin Kosek) Date: Thu, 10 Feb 2011 16:56:29 +0100 Subject: [Freeipa-devel] [PATCH] 030 Fix return codes for ipactl Message-ID: <1297353389.3003.16.camel@dhcp-25-52.brq.redhat.com> This patch fixes ipactl to return non-zero value when something goes wrong. https://fedorahosted.org/freeipa/ticket/894 -------------- next part -------------- A non-text attachment was scrubbed... Name: mkosek-freeipa-030-fix-return-codes-for-ipactl.patch Type: text/x-patch Size: 3326 bytes Desc: not available URL: From rcritten at redhat.com Thu Feb 10 16:12:31 2011 From: rcritten at redhat.com (Rob Crittenden) Date: Thu, 10 Feb 2011 11:12:31 -0500 Subject: [Freeipa-devel] Help define the roles IPA has by default Message-ID: <4D540E6F.5090303@redhat.com> One of the features of IPAv2 is it is much easier to delegate permissions to perform tasks (add, delete, modify, etc). This delegation is broken out into three pieces: * permissions * privileges * roles A permission is a very low-level object that says who can do what to whom. These permissions are grouped together into permissions so one can perform a whole task. This is needed for something like adding a user which requires a couple of different permission such as actually writing the user entry, adding the user to the default group and setting the password. A role is a collection of privileges and the users/groups that are granted those privileges. Right now we are defining a single role, helpdesk, and have assigned no privileges to that yet. I was thinking about just assigning it the ability to reset passwords. But what other roles do we need? The mind boggles and rather than dictating what the initial ones will be I'm looking for some guidance/suggestions. 
thanks rob From jzeleny at redhat.com Thu Feb 10 16:25:54 2011 From: jzeleny at redhat.com (Jan Zeleny) Date: Thu, 10 Feb 2011 17:25:54 +0100 Subject: [Freeipa-devel] [PATCH] Updated default Kerberos password policy In-Reply-To: <4D53EB9F.3020500@redhat.com> References: <201102101409.30118.jzeleny@redhat.com> <4D53EB9F.3020500@redhat.com> Message-ID: <201102101725.54656.jzeleny@redhat.com> Rob Crittenden wrote: > Jan Zelen? wrote: > > https://fedorahosted.org/freeipa/ticket/930 > > > > I put there a value Dmitri suggested. Feel free to change it before > > pushing if you think there should be the originally suggested 10 login > > attempts. > > We want to increase krbPwdLockoutDuration too, to 600. > > rob Sorry, I didn't realize it was in seconds. I just saw 10 and figured it's ok it's already there. Anyway, I'm sending the updated patch. Jan -------------- next part -------------- A non-text attachment was scrubbed... Name: jzeleny-freeipa-0039-02-Updated-default-Kerberos-password-policy.patch Type: text/x-patch Size: 869 bytes Desc: not available URL: From jzeleny at redhat.com Thu Feb 10 17:22:44 2011 From: jzeleny at redhat.com (Jan Zeleny) Date: Thu, 10 Feb 2011 18:22:44 +0100 Subject: [Freeipa-devel] [PATCH] Provide a way to display CLI-LDAP attribute relation In-Reply-To: <201102020847.00282.jzeleny@redhat.com> References: <201101261439.24085.jzeleny@redhat.com> <4D483D85.7020702@redhat.com> <201102020847.00282.jzeleny@redhat.com> Message-ID: <201102101822.44626.jzeleny@redhat.com> Jan Zelen? wrote: > Ok, I'm sending updated patch in attachment > > > > Should I change it in class help then? That's where I copied this from. > > > > I think so. > > Ok, I'll send another patch, so me don't mix it together with this patch. > I'll do a review of the code in cli.py, maybe the same issue is elsewhere > as well. > > > >> This will blow up as expected in the FIXME if an unknown command is > > >> passed in. > > > > > > Fixed, thanks. 
> > > > Not to be pedantic but I think it should return a non-zero error code > > too on error. > > Yep, replaced this with exception. > > > >> ipa show-mappings user-show returns just 'rights' > > > > > > If it was the acting correctly, it shouldn't be displayed at all, > > > because it is not LDAP based (and user-show doesn't take any other > > > LDAP-based arguments/options). > > > > > > I'm just not sure how to do this with minimal changes. One option is to > > > create new flag denoting whether parameter is LDAP based or not and for > > > each parameter set it appropriately, but that is just too much effort > > > for something that is not that important. That's why I use the 'webui' > > > flag to filter things at least a little bit. > > > > You should have the object Params list available, right? Can you use > > that to show at least some attributes? > > I already thought of that, but that would add only primary key, since > Params is a concatenation of Options and Args - in args there are usually > only mandatory arguments (i.e. primary keys, uid in case of user-show) and > options are already iterated over and printed out. > > I think adding this is too much effort. For one thing user-show takes no > other options than --rights (and the purpose of the patch is to show > mapping between CLI options and LDAP attributes) and user can always see > real LDAP attributes of user object by using --raw. > > Jan Just a reminder that this patch waits for review. Thanks Jan From grajaiya at redhat.com Thu Feb 10 17:41:26 2011 From: grajaiya at redhat.com (Gowrishankar Rajaiyan) Date: Thu, 10 Feb 2011 23:11:26 +0530 Subject: [Freeipa-devel] Help define the roles IPA has by default In-Reply-To: <4D540E6F.5090303@redhat.com> References: <4D540E6F.5090303@redhat.com> Message-ID: <4D542346.90506@redhat.com> On 02/10/2011 09:42 PM, Rob Crittenden wrote: > One of the features of IPAv2 is it is much easier to delegate > permissions to perform tasks (add, delete, modify, etc). 
> > This delegation is broken out into three pieces: > > * permissions > * privileges > * roles > > A permission is a very low-level object that says who can do what to > whom. These permissions are grouped together into permissions so one can > perform a whole task. This is needed for something like adding a user > which requires a couple of different permission such as actually writing > the user entry, adding the user to the default group and setting the > password. > > A role is a collection of privileges and the users/groups that are > granted those privileges. > > Right now we are defining a single role, helpdesk, and have assigned no > privileges to that yet. I was thinking about just assigning it the > ability to reset passwords. > > But what other roles do we need? The mind boggles and rather than > dictating what the initial ones will be I'm looking for some > guidance/suggestions. Thinking about helpdesk and whenever a user joins/leaves a company the helpdesk needs the privileges to add/delete their user accounts. I would suggest all the privileges like: - creating users - resetting passwords - deleting users - disabling user accounts - unlocking user accounts - modifying user accounts Groups are something that are more involved with their respective departments and can be left out for the administrators to decide on if they would like to upgrade the helpdesk role/ or create new roles as per their department listings. 
> thanks > > rob > > _______________________________________________ > Freeipa-devel mailing list > Freeipa-devel at redhat.com > https://www.redhat.com/mailman/listinfo/freeipa-devel -- regards /shanks From jzeleny at redhat.com Thu Feb 10 18:11:18 2011 From: jzeleny at redhat.com (Jan Zeleny) Date: Thu, 10 Feb 2011 19:11:18 +0100 Subject: [Freeipa-devel] Help define the roles IPA has by default In-Reply-To: <4D540E6F.5090303@redhat.com> References: <4D540E6F.5090303@redhat.com> Message-ID: <201102101911.18376.jzeleny@redhat.com> Rob Crittenden wrote: > One of the features of IPAv2 is it is much easier to delegate > permissions to perform tasks (add, delete, modify, etc). > > This delegation is broken out into three pieces: > > * permissions > * privileges > * roles > > A permission is a very low-level object that says who can do what to > whom. These permissions are grouped together into permissions so one can > perform a whole task. This is needed for something like adding a user > which requires a couple of different permission such as actually writing > the user entry, adding the user to the default group and setting the > password. > > A role is a collection of privileges and the users/groups that are > granted those privileges. > > Right now we are defining a single role, helpdesk, and have assigned no > privileges to that yet. I was thinking about just assigning it the > ability to reset passwords. > > But what other roles do we need? The mind boggles and rather than > dictating what the initial ones will be I'm looking for some > guidance/suggestions. I think a role called something like "IT" might be good. Their privileges would cover mainly access to different parts of the network. They should have privilegese to manage: - hosts - hostgroups - hbac rules - sudo rules? 
- dns - groups (for example to create new group of users which will have access to a particular machine) - services Now looking at the list, this group can be split into two - one managing the hosts/services and one granting users access. Jan From rcritten at redhat.com Thu Feb 10 18:34:57 2011 From: rcritten at redhat.com (Rob Crittenden) Date: Thu, 10 Feb 2011 13:34:57 -0500 Subject: [Freeipa-devel] [PATCH] 711 Convert json strings to unicode Message-ID: <4D542FD1.5020409@redhat.com> Convert json strings to unicode when they are unmarshalled. This patch removes some individual work-arounds of converting strings to unicode, they only masked the problem. String values are not passed to the validator or normalizers so things like adding the realm automatically to services weren't happening. ticket 941 rob -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-rcrit-711-json.patch Type: application/mbox Size: 4928 bytes Desc: not available URL: From rcritten at redhat.com Thu Feb 10 18:39:40 2011 From: rcritten at redhat.com (Rob Crittenden) Date: Thu, 10 Feb 2011 13:39:40 -0500 Subject: [Freeipa-devel] [PATCH] 712 drop kw from JSON error Message-ID: <4D5430EC.4060502@redhat.com> The kw could contain another exception which was blowing up the marshalling. It doesn't seem to be used anywhere and contains information we've already saved in error as far as I can tell. ticket 905 rob -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-rcrit-712-json.patch Type: application/mbox Size: 915 bytes Desc: not available URL: From rcritten at redhat.com Thu Feb 10 18:42:40 2011 From: rcritten at redhat.com (Rob Crittenden) Date: Thu, 10 Feb 2011 13:42:40 -0500 Subject: [Freeipa-devel] [PATCH] 75 Display error messages for failed manageby in service-add/remove-host. 
In-Reply-To: <201102101102.40861.jzeleny@redhat.com>
References: <4D4FECE1.3000504@redhat.com> <201102101102.40861.jzeleny@redhat.com>
Message-ID: <4D5431A0.5010805@redhat.com>

Jan Zelený wrote:
> Pavel Zuna wrote:
>> Fix #830
>>
>> Pavel
>
> ack
>
> Jan

pushed to master

From ayoung at redhat.com Thu Feb 10 18:49:08 2011
From: ayoung at redhat.com (Adam Young)
Date: Thu, 10 Feb 2011 13:49:08 -0500
Subject: [Freeipa-devel] Help define the roles IPA has by default
In-Reply-To: <201102101911.18376.jzeleny@redhat.com>
References: <4D540E6F.5090303@redhat.com> <201102101911.18376.jzeleny@redhat.com>
Message-ID: <4D543324.2020603@redhat.com>

On 02/10/2011 01:11 PM, Jan Zeleny wrote:
> Rob Crittenden wrote:
>> One of the features of IPAv2 is it is much easier to delegate
>> permissions to perform tasks (add, delete, modify, etc).
>>
>> This delegation is broken out into three pieces:
>>
>> * permissions
>> * privileges
>> * roles
>>
>> A permission is a very low-level object that says who can do what to
>> whom. These permissions are grouped together into permissions so one can
>> perform a whole task. This is needed for something like adding a user
>> which requires a couple of different permission such as actually writing
>> the user entry, adding the user to the default group and setting the
>> password.
>>
>> A role is a collection of privileges and the users/groups that are
>> granted those privileges.
>>
>> Right now we are defining a single role, helpdesk, and have assigned no
>> privileges to that yet. I was thinking about just assigning it the
>> ability to reset passwords.
>>
>> But what other roles do we need? The mind boggles and rather than
>> dictating what the initial ones will be I'm looking for some
>> guidance/suggestions.
> I think a role called something like "IT" might be good. Their privileges
> would cover mainly access to different parts of the network.
> They should have
> privileges to manage:
> - hosts
> - hostgroups
> - hbac rules
> - sudo rules?
> - dns
> - groups (for example to create new group of users which will have access to a
> particular machine)
> - services
>
> Now looking at the list, this group can be split into two - one managing the
> hosts/services and one granting users access.
>
> Jan

Desktop support: needs to be able to add a new host to the server. Probably
means they need delete host as well. Can't mess with the user info. Right now,
they would also need to be able to create the A record, too.

From rcritten at redhat.com Thu Feb 10 18:48:09 2011
From: rcritten at redhat.com (Rob Crittenden)
Date: Thu, 10 Feb 2011 13:48:09 -0500
Subject: [Freeipa-devel] [PATCH] 1 Remove unnecessary BuildRequires
In-Reply-To: <20110210120300.GB6695@zeppelin.brq.redhat.com>
References: <4D517DC2.8050402@redhat.com> <4D517FB9.9040508@redhat.com> <20110210120300.GB6695@zeppelin.brq.redhat.com>
Message-ID: <4D5432E9.9090509@redhat.com>

Jakub Hrozek wrote:
> On Tue, Feb 08, 2011 at 06:39:05PM +0100, Jan Cholasta wrote:
>> Fixing newbie mistake: included properly formatted patch.
>>
>> It was tested in mock.
>>
>> On 8.2.2011 18:30, Jan Cholasta wrote:
>>> Removed 2 unnecessary BuildRequires from freeipa.spec.in:
>>>
>>> * e2fsprogs-devel: obsoleted by libuuid-devel
>>> * libcap-devel: not needed to build the RPM
>>>
>>>
>
> Ack.
>
> Also tested with Koji scratch build:
> http://koji.fedoraproject.org/koji/taskinfo?taskID=2829532

pushed to master

From rcritten at redhat.com Thu Feb 10 18:52:43 2011
From: rcritten at redhat.com (Rob Crittenden)
Date: Thu, 10 Feb 2011 13:52:43 -0500
Subject: [Freeipa-devel] [PATCH] 710 fix test failures
In-Reply-To: <20110210120647.GA28156@zeppelin.brq.redhat.com>
References: <4D530F89.2050506@redhat.com> <20110210120647.GA28156@zeppelin.brq.redhat.com>
Message-ID: <4D5433FB.3070203@redhat.com>

Jakub Hrozek wrote:
> On Wed, Feb 09, 2011 at 05:04:57PM -0500, Rob Crittenden wrote:
>> The performance patch depended on self.env.mode != 'production'. env
>> and mode aren't guaranteed to exist in the object so check for those
>> and only skip the work if the mode is explicitly production.
>>
>> rob
>
> Ack

pushed to master

From rcritten at redhat.com Thu Feb 10 18:54:59 2011
From: rcritten at redhat.com (Rob Crittenden)
Date: Thu, 10 Feb 2011 13:54:59 -0500
Subject: [Freeipa-devel] [PATCH] 704 replication version plugin fix
In-Reply-To: <20110210114136.GA6695@zeppelin.brq.redhat.com>
References: <4D5209BD.8020704@redhat.com> <20110210114136.GA6695@zeppelin.brq.redhat.com>
Message-ID: <4D543483.3060501@redhat.com>

Jakub Hrozek wrote:
> On Tue, Feb 08, 2011 at 10:27:57PM -0500, Rob Crittenden wrote:
>> The 389-ds replication plugin may not be installed on all platforms
>> and our replication version plugin will cause 389-ds to not start if
>> it is loaded and the replication plugin is not. So disable by
>> default.
>>
>> When a replica is prepared we check for the replication plugin. If
>> it exists we will enable the replication version plugin.
>>
>> Likewise on installation of a replica we check for existence of the
>> replication plugin and if it is there then we enable the version
>> plugin before replication begins.
>>
>> ticket 918
>>
>> rob
>
> +def enable_replication_version_checking(hostname, realm, dirman_passwd):
> + """
> + Check the replication version checking plugin. If it is not
> + enabled then enable it and restart 389-ds. If it is enabled
> + the do nothing.
> + """
> + import pdb
> + pdb.set_trace()
>
> ^^^ please remove these and you'll get an ack :-)

Removed and pushed to master

rob

From rcritten at redhat.com Thu Feb 10 18:58:14 2011
From: rcritten at redhat.com (Rob Crittenden)
Date: Thu, 10 Feb 2011 13:58:14 -0500
Subject: [Freeipa-devel] [PATCH] 029 ipa-dns-install does not exit on error
In-Reply-To: <1297344269.3003.15.camel@dhcp-25-52.brq.redhat.com>
References: <1297344269.3003.15.camel@dhcp-25-52.brq.redhat.com>
Message-ID: <4D543546.1030904@redhat.com>

Martin Kosek wrote:
> This patch fixes behavior of ipa-dns-install, which does not
> exit when an invalid configuration of /etc/hosts is detected.
>
> https://fedorahosted.org/freeipa/ticket/736

I'm not positive but was the address info checking done within the try to
catch any possible exception? This code dates back to very early IPA code
(say 4 years old or so) when we were pretty new to python and sometimes
catching things in a very broad way.

Is it possible that running through the addresses could raise an unhandled
exception?

rob

From rcritten at redhat.com Thu Feb 10 18:59:19 2011
From: rcritten at redhat.com (Rob Crittenden)
Date: Thu, 10 Feb 2011 13:59:19 -0500
Subject: [Freeipa-devel] [PATCH] 030 Fix return codes for ipactl
In-Reply-To: <1297353389.3003.16.camel@dhcp-25-52.brq.redhat.com>
References: <1297353389.3003.16.camel@dhcp-25-52.brq.redhat.com>
Message-ID: <4D543587.7020806@redhat.com>

Martin Kosek wrote:
> This patch fixes ipactl to return non-zero value when something
> goes wrong.
>
> https://fedorahosted.org/freeipa/ticket/894
>

ack, pushed to master

From rcritten at redhat.com Thu Feb 10 19:03:37 2011
From: rcritten at redhat.com (Rob Crittenden)
Date: Thu, 10 Feb 2011 14:03:37 -0500
Subject: [Freeipa-devel] [PATCH] Provide a way to display CLI-LDAP attribute relation
In-Reply-To: <201102020847.00282.jzeleny@redhat.com>
References: <201101261439.24085.jzeleny@redhat.com> <201101310951.36041.jzeleny@redhat.com> <4D483D85.7020702@redhat.com> <201102020847.00282.jzeleny@redhat.com>
Message-ID: <4D543689.6050809@redhat.com>

Jan Zelený wrote:
> Ok, I'm sending updated patch in attachment
>
>>> Should I change it in class help then? That's where I copied this from.
>>
>> I think so.
>
> Ok, I'll send another patch, so we don't mix it together with this patch. I'll
> do a review of the code in cli.py, maybe the same issue is elsewhere as well.
>
>>>> This will blow up as expected in the FIXME if an unknown command is
>>>> passed in.
>>>
>>> Fixed, thanks.
>>
>> Not to be pedantic but I think it should return a non-zero error code
>> too on error.
>
> Yep, replaced this with exception.
>
>>>> ipa show-mappings user-show returns just 'rights'
>>>
>>> If it was acting correctly, it shouldn't be displayed at all, because
>>> it is not LDAP based (and user-show doesn't take any other LDAP-based
>>> arguments/options).
>>>
>>> I'm just not sure how to do this with minimal changes. One option is to
>>> create new flag denoting whether parameter is LDAP based or not and for
>>> each parameter set it appropriately, but that is just too much effort
>>> for something that is not that important. That's why I use the 'webui'
>>> flag to filter things at least a little bit.
>>
>> You should have the object Params list available, right? Can you use
>> that to show at least some attributes?
>
> I already thought of that, but that would add only primary key, since Params
> is a concatenation of Options and Args - in args there are usually only
> mandatory arguments (i.e. primary keys, uid in case of user-show) and options
> are already iterated over and printed out.
>
> I think adding this is too much effort. For one thing user-show takes no other
> options than --rights (and the purpose of the patch is to show mapping between
> CLI options and LDAP attributes) and user can always see real LDAP attributes
> of user object by using --raw.
>
> Jan

Just a really minor nit. Can you define a label for the argument? Otherwise if
you run: `ipa show-mappings` it will prompt for .

rob

From dpal at redhat.com Thu Feb 10 19:20:07 2011
From: dpal at redhat.com (Dmitri Pal)
Date: Thu, 10 Feb 2011 14:20:07 -0500
Subject: [Freeipa-devel] Help define the roles IPA has by default
In-Reply-To: <201102101911.18376.jzeleny@redhat.com>
References: <4D540E6F.5090303@redhat.com> <201102101911.18376.jzeleny@redhat.com>
Message-ID: <4D543A67.4030905@redhat.com>

On 02/10/2011 01:11 PM, Jan Zeleny wrote:
> Rob Crittenden wrote:
>> One of the features of IPAv2 is it is much easier to delegate
>> permissions to perform tasks (add, delete, modify, etc).
>>
>> This delegation is broken out into three pieces:
>>
>> * permissions
>> * privileges
>> * roles
>>
>> A permission is a very low-level object that says who can do what to
>> whom. These permissions are grouped together into permissions so one can
>> perform a whole task. This is needed for something like adding a user
>> which requires a couple of different permission such as actually writing
>> the user entry, adding the user to the default group and setting the
>> password.
>>
>> A role is a collection of privileges and the users/groups that are
>> granted those privileges.
>>
>> Right now we are defining a single role, helpdesk, and have assigned no
>> privileges to that yet.
>> I was thinking about just assigning it the
>> ability to reset passwords.
>>
>> But what other roles do we need? The mind boggles and rather than
>> dictating what the initial ones will be I'm looking for some
>> guidance/suggestions.
> I think a role called something like "IT" might be good. Their privileges
> would cover mainly access to different parts of the network. They should have
> privileges to manage:
> - hosts
> - hostgroups
> - hbac rules
> - sudo rules?
> - dns
> - groups (for example to create new group of users which will have access to a
> particular machine)
> - services
>
> Now looking at the list, this group can be split into two - one managing the
> hosts/services and one granting users access.
>
> Jan
>
>

There is a superuser who can do anything.
There is also helpdesk supervisor who can do all identity management
There is a security architect who can define the access control but can't
change the system configuration or global policies.

We talked about user personas in the past. Here is what we had in mind:

Persona 1: /Security Architect/
/Description:/ Oversees the security of a system as a whole. Has access to
everything. A super-user.
/Goals:/
* IPA configuration
* Define the policies of IPA itself
* Replication
* Define delegation of roles to other, lower-level administrators
* Management of installed/active plugins?

Persona 2: /IPA Administrator/
/Description:/ Defines different kinds of objects. Implements and manages roles
(mostly using groups). Does the "heavy lifting" of a system.
/Goals:/
* Define and create groups
* Define the relationships between groups
* Define and create roles for users and groups (in one model or another)
* Create nested groups
* Define the supported applications

Persona 3: /Application Administrator/
/Description:/ Utilizes domain knowledge related to applications. Manages
applications and systems as opposed to users and groups.
/Goals:/
* Define policies for a specific application
* Define roles for a specific application
* Define actions for a specific application
* Apply policies and actions to hosts or group of hosts
* Apply roles to users and hosts or groups of them

Persona 4: /Help Desk person/
/Description:/ Person on the front line when problems arise (users can't log
in, need password reset, etc.). Simple user management.
/Goals:/
* Review user roles (can't modify)
* Review what groups are enabled on what hosts
* Set up/manage a user's attributes
* Place a user in a specific group
* Reset a user password

Persona 5: /End User/
/Description:/ End user accessing the system through self-service.
/Goals:/
* Reset password via Web UI
* Set personal properties like phone

Personas for later consideration
* Windows admin who has to deal with IPA synch
* Member of security team who will be looking at the audit logs, doing
forensics, etc once we have A of IPA
* End users who deal with the clients could be fleshed out into a couple of
parts:
  o sysadmins who initially rack and configure the box in the first place and
connect it to IPA
  o database and application admins who go to the box to take care of their
stuff on that box
  o security admins who access servers in the database, configure the local
security, check on it etc.

--
Thank you,
Dmitri Pal

Sr. Engineering Manager IPA project,
Red Hat Inc.

-------------------------------
Looking to carve out IT costs?
www.redhat.com/carveoutcosts/

-------------- next part --------------
An HTML attachment was scrubbed...
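The three-layer delegation model Rob describes at the top of this thread (permissions bundled into privileges that complete one task, privileges bundled into roles, roles granted to users or groups) together with the personas above can be written down as a small checkable structure. What follows is an added example, not FreeIPA code: the permission, privilege, role and member names are constructed for illustration and do not correspond to FreeIPA's real ACIs, privilege names or plugin API. It answers two questions an administrator auditing a delegation would ask: can this principal perform a given operation, and for a multi-permission task like "add user", which permissions is the principal's role still missing (the failure mode Rob mentions, where a task is half-granted).

```python
"""Toy model of permissions -> privileges -> roles (added illustration, not
FreeIPA code).  All names below are constructed sample data."""
from __future__ import annotations

from dataclasses import dataclass, field


@dataclass(frozen=True)
class Permission:
    """Lowest level: one action on one kind of target ("who can do what to whom")."""
    target: str   # e.g. "user", "host", "dnsrecord"
    action: str   # e.g. "add", "delete", "set_password"


@dataclass
class Privilege:
    """A named bundle of permissions that together complete one task."""
    name: str
    permissions: frozenset[Permission]


@dataclass
class Role:
    """A named bundle of privileges plus the principals it is granted to."""
    name: str
    privileges: list[Privilege]
    members: set[str] = field(default_factory=set)

    def permissions(self) -> frozenset[Permission]:
        """Flatten the role to the raw permissions it ultimately grants."""
        return frozenset(p for priv in self.privileges for p in priv.permissions)


def granted_permissions(roles: list[Role], principal: str) -> frozenset[Permission]:
    """Union of permissions from every role the principal is a member of."""
    return frozenset().union(*(r.permissions() for r in roles if principal in r.members))


def can(roles: list[Role], principal: str, target: str, action: str) -> bool:
    """True if some role held by `principal` grants (target, action)."""
    return Permission(target, action) in granted_permissions(roles, principal)


def missing_for_task(roles: list[Role], principal: str, task: Privilege) -> frozenset[Permission]:
    """Permissions of `task` that the principal does not hold: non-empty means the
    task would fail part-way (e.g. the entry is written but the password is not set)."""
    return task.permissions - granted_permissions(roles, principal)


# --- constructed sample data (not FreeIPA's real privilege definitions) ---
ADD_USER = Privilege("add user", frozenset({
    Permission("user", "add"),              # write the user entry
    Permission("group", "write_member"),    # add the user to the default group
    Permission("user", "set_password"),     # set the initial password
}))
RESET_PASSWORD = Privilege("reset password", frozenset({Permission("user", "set_password")}))
ADD_HOST = Privilege("add host", frozenset({
    Permission("host", "add"),
    Permission("dnsrecord", "add"),         # the A record Adam mentions
}))
DELETE_HOST = Privilege("delete host", frozenset({Permission("host", "delete")}))

ROLES = [
    Role("helpdesk", [RESET_PASSWORD], {"alice"}),
    Role("desktop support", [ADD_HOST, DELETE_HOST], {"bob"}),
    Role("it", [ADD_USER, ADD_HOST, DELETE_HOST], {"carol"}),
]


def audit(roles: list[Role], principal: str) -> dict:
    """Summarise what a principal can do and which tasks are only partly granted."""
    return {
        "permissions": sorted((p.target, p.action) for p in granted_permissions(roles, principal)),
        "incomplete_tasks": [
            t.name for t in (ADD_USER, ADD_HOST, DELETE_HOST, RESET_PASSWORD)
            if 0 < len(missing_for_task(roles, principal, t)) < len(t.permissions)
        ],
    }


if __name__ == "__main__":
    for who in ("alice", "bob", "carol"):
        print(who, audit(ROLES, who))
```

The point of keeping privileges task-complete is auditability: a role can be reviewed by listing its privileges (human-sized tasks) rather than the raw permissions, and `missing_for_task` makes a half-granted task visible before anyone hits it in production.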
URL:

From rcritten at redhat.com Thu Feb 10 19:52:53 2011
From: rcritten at redhat.com (Rob Crittenden)
Date: Thu, 10 Feb 2011 14:52:53 -0500
Subject: [Freeipa-devel] [PATCH] 713 handle failed passwords in tools
Message-ID: <4D544215.4010400@redhat.com>

Handle bad DM password in ipa-host-net-manage & ipa-compat-manage.

This was resulting in a traceback because while conn was not None it wasn't
connected either.

ticket 920

rob
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-rcrit-713-password.patch
Type: application/mbox
Size: 1887 bytes
Desc: not available
URL:

From jzeleny at redhat.com Thu Feb 10 19:57:27 2011
From: jzeleny at redhat.com (Jan Zeleny)
Date: Thu, 10 Feb 2011 20:57:27 +0100
Subject: [Freeipa-devel] [PATCH] Provide a way to display CLI-LDAP attribute relation
In-Reply-To: <4D543689.6050809@redhat.com>
References: <201101261439.24085.jzeleny@redhat.com> <201102020847.00282.jzeleny@redhat.com> <4D543689.6050809@redhat.com>
Message-ID: <201102102057.27400.jzeleny@redhat.com>

Rob Crittenden wrote:
> Just a really minor nit. Can you define a label for the argument?
> Otherwise if you run: `ipa show-mappings` it will prompt for
> .
>
> rob

Done, sending in attachment.

Jan
-------------- next part --------------
A non-text attachment was scrubbed...
Name: jzeleny-freeipa-0030-04-Provide-a-way-to-display-CLI-LDAP-relation.patch
Type: text/x-patch
Size: 2502 bytes
Desc: not available
URL:

From ayoung at redhat.com Thu Feb 10 20:02:11 2011
From: ayoung at redhat.com (Adam Young)
Date: Thu, 10 Feb 2011 15:02:11 -0500
Subject: [Freeipa-devel] [PATCH] admiyo-0191-target-section-without-radio-buttons
In-Reply-To: <4D538209.8080301@redhat.com>
References: <4D533A31.6060607@redhat.com> <4D538209.8080301@redhat.com>
Message-ID: <4D544443.3090201@redhat.com>

On 02/10/2011 01:13 AM, Endi Sukma Dewata wrote:
> On 2/9/2011 7:06 PM, Adam Young wrote:
>>
>
> A few comments:
>
> 1.
> The functionality seems to be working, but the layout is a bit
> different. Previously the label (e.g. Filter) and the widget (e.g.
> text field) occupy the same line. Right now they occupy different
> lines and not aligned with the labels & widgets above it (e.g.
> Permission name). I'd like the UXD team to review this change.

I had missed the classes that these things needed. Added them back in.

>
> 2. The jQuery selectors on lines 427, 462, 472 in aci.js are not
> qualified, so they will be doing a global search. I'd rather store the
> object reference somewhere and use it directly without searching for
> it again. For example, line 411 can be changed as follows:
>
> target_type.container = $('
> ', {
>
> Then line 427 can be changed as follows:
>
> target_type.container.css('display', 'block');

Done. Good idea.

>
> 3. The indentation of the target_types array in aci.js is inconsistent.

Fixed

>
> 4. The IPA.hidden_widget doesn't seem to be used. Should this be removed?

Gone baby gone

>
> 5. For the changes in dialog.js, it's not necessary to check
> section.reset()'s presence before calling it. All sections will have a
> reset() function because it's inherited from the base class.

Removed

>
> 6. For the changes in widget.js, let's do this in a separate patch.
> We'll combine the create/setup in a more consistent way.

Agreed. This was actually part of trial and error to get it to work, and it
didn't need to be there. Gone.

>
> 7. There are some jslint warnings.
>

Fixed
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-admiyo-0191-4-target-section-without-radio-buttons.patch
Type: text/x-patch
Size: 25815 bytes
Desc: not available
URL:

From jhrozek at redhat.com Thu Feb 10 20:05:09 2011
From: jhrozek at redhat.com (Jakub Hrozek)
Date: Thu, 10 Feb 2011 21:05:09 +0100
Subject: [Freeipa-devel] Help define the roles IPA has by default
In-Reply-To: <4D540E6F.5090303@redhat.com>
References: <4D540E6F.5090303@redhat.com>
Message-ID: <4D5444F5.5020604@redhat.com>

On 02/10/2011 05:12 PM, Rob Crittenden wrote:
> But what other roles do we need? The mind boggles and rather than
> dictating what the initial ones will be I'm looking for some
> guidance/suggestions.
>
> thanks
>
> rob

I'm actually wondering if we need to define many default roles in the
upstream project. I'm thinking that every organization will have different
needs and different ways of role delegation anyway, so I would rather make
sure this feature is well documented with examples and use cases.
From ayoung at redhat.com Thu Feb 10 20:09:51 2011
From: ayoung at redhat.com (Adam Young)
Date: Thu, 10 Feb 2011 15:09:51 -0500
Subject: [Freeipa-devel] [PATCH] admiyo-0191-target-section-without-radio-buttons
In-Reply-To: <4D544443.3090201@redhat.com>
References: <4D533A31.6060607@redhat.com> <4D538209.8080301@redhat.com> <4D544443.3090201@redhat.com>
Message-ID: <4D54460F.2020304@redhat.com>

Last version was a little too zealous in removing style info, and I removed
the code that hid the select box that chose the target. Added that code back
in here.

On 02/10/2011 03:02 PM, Adam Young wrote:
> On 02/10/2011 01:13 AM, Endi Sukma Dewata wrote:
>> On 2/9/2011 7:06 PM, Adam Young wrote:
>>>
>>
>> A few comments:
>>
>> 1. The functionality seems to be working, but the layout is a bit
>> different. Previously the label (e.g. Filter) and the widget (e.g.
>> text field) occupy the same line. Right now they occupy different
>> lines and not aligned with the labels & widgets above it (e.g.
>> Permission name). I'd like the UXD team to review this change.
>
> I had missed the classes that these things needed. Added them back in.
>
>>
>> 2. The jQuery selectors on lines 427, 462, 472 in aci.js are not
>> qualified, so they will be doing a global search. I'd rather store
>> the object reference somewhere and use it directly without searching
>> for it again. For example, line 411 can be changed as follows:
>>
>> target_type.container = $('
>> ', {
>>
>> Then line 427 can be changed as follows:
>>
>> target_type.container.css('display', 'block');
>
> Done. Good idea.
>
>>
>> 3. The indentation of the target_types array in aci.js is inconsistent.
> Fixed
>>
>> 4. The IPA.hidden_widget doesn't seem to be used. Should this be
>> removed?
> Gone baby gone
>>
>> 5. For the changes in dialog.js, it's not necessary to check
>> section.reset()'s presence before calling it. All sections will have
>> a reset() function because it's inherited from the base class.
>
> Removed
>>
>> 6. For the changes in widget.js, let's do this in a separate patch.
>> We'll combine the create/setup in a more consistent way.
>
> Agreed. This was actually part of trial and error to get it to work,
> and it didn't need to be there. Gone.
>>
>> 7. There are some jslint warnings.
>>
> Fixed
-------------- next part --------------
An HTML attachment was scrubbed...
URL:
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-admiyo-0191-5-target-section-without-radio-buttons.patch
Type: text/x-patch
Size: 25813 bytes
Desc: not available
URL:

From rcritten at redhat.com Thu Feb 10 20:16:03 2011
From: rcritten at redhat.com (Rob Crittenden)
Date: Thu, 10 Feb 2011 15:16:03 -0500
Subject: [Freeipa-devel] [PATCH] Provide a way to display CLI-LDAP attribute relation
In-Reply-To: <201102102057.27400.jzeleny@redhat.com>
References: <201101261439.24085.jzeleny@redhat.com> <201102020847.00282.jzeleny@redhat.com> <4D543689.6050809@redhat.com> <201102102057.27400.jzeleny@redhat.com>
Message-ID: <4D544783.30907@redhat.com>

Jan Zeleny wrote:
> Rob Crittenden wrote:
>> Just a really minor nit. Can you define a label for the argument?
>> Otherwise if you run: `ipa show-mappings` it will prompt for
>> .
>>
>> rob
>
> Done, sending in attachment.
>
> Jan

I made one minor change to the patch before pushing. I wrapped 'Command name'
in _() so it can be localized.

pushed to master

rob

From ayoung at redhat.com Thu Feb 10 21:27:51 2011
From: ayoung at redhat.com (Adam Young)
Date: Thu, 10 Feb 2011 16:27:51 -0500
Subject: [Freeipa-devel] [PATCH] admiyo-0191-target-section-without-radio-buttons
In-Reply-To: <4D54460F.2020304@redhat.com>
References: <4D533A31.6060607@redhat.com> <4D538209.8080301@redhat.com> <4D544443.3090201@redhat.com> <4D54460F.2020304@redhat.com>
Message-ID: <4D545857.90307@redhat.com>

On 02/10/2011 03:09 PM, Adam Young wrote:
> Last version was a little too zealous in removing style info, and I
> removed the code that hid the select box that chose the target. Added
> that code back in here.
>
>
> On 02/10/2011 03:02 PM, Adam Young wrote:
>> On 02/10/2011 01:13 AM, Endi Sukma Dewata wrote:
>>> On 2/9/2011 7:06 PM, Adam Young wrote:
>>>>
>>>
>>> A few comments:
>>>
>>> 1. The functionality seems to be working, but the layout is a bit
>>> different. Previously the label (e.g. Filter) and the widget (e.g.
>>> text field) occupy the same line. Right now they occupy different
>>> lines and not aligned with the labels & widgets above it (e.g.
>>> Permission name). I'd like the UXD team to review this change.
>>
>> I had missed the classes that these things needed. Added them back in.
>>
>>>
>>> 2. The jQuery selectors on lines 427, 462, 472 in aci.js are not
>>> qualified, so they will be doing a global search. I'd rather store
>>> the object reference somewhere and use it directly without searching
>>> for it again. For example, line 411 can be changed as follows:
>>>
>>> target_type.container = $('
>>> ', {
>>>
>>> Then line 427 can be changed as follows:
>>>
>>> target_type.container.css('display', 'block');
>>
>> Done. Good idea.
>>
>>>
>>> 3. The indentation of the target_types array in aci.js is inconsistent.
>> Fixed
>>>
>>> 4. The IPA.hidden_widget doesn't seem to be used. Should this be
>>> removed?
>> Gone baby gone
>>>
>>> 5. For the changes in dialog.js, it's not necessary to check
>>> section.reset()'s presence before calling it. All sections will have
>>> a reset() function because it's inherited from the base class.
>>
>> Removed
>>>
>>> 6. For the changes in widget.js, let's do this in a separate patch.
>>> We'll combine the create/setup in a more consistent way.
>>
>> Agreed. This was actually part of trial and error to get it to work,
>> and it didn't need to be there. Gone.
>>>
>>> 7. There are some jslint warnings.
>>>
>> Fixed
-------------- next part --------------
An HTML attachment was scrubbed...
URL:
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-admiyo-0191-6-target-section-without-radio-buttons.patch
Type: text/x-patch
Size: 25701 bytes
Desc: not available
URL:

From dpal at redhat.com Thu Feb 10 21:28:39 2011
From: dpal at redhat.com (Dmitri Pal)
Date: Thu, 10 Feb 2011 16:28:39 -0500
Subject: [Freeipa-devel] Help define the roles IPA has by default
In-Reply-To: <4D5444F5.5020604@redhat.com>
References: <4D540E6F.5090303@redhat.com> <4D5444F5.5020604@redhat.com>
Message-ID: <4D545887.7080204@redhat.com>

On 02/10/2011 03:05 PM, Jakub Hrozek wrote:
> On 02/10/2011 05:12 PM, Rob Crittenden wrote:
>> But what other roles do we need? The mind boggles and rather than
>> dictating what the initial ones will be I'm looking for some
>> guidance/suggestions.
>>
>> thanks
>>
>> rob
>
> I'm actually wondering if we need to define many default roles in the
> upstream project. I'm thinking that every organization will have
> different needs and different ways of role delegation anyway, so I
> would rather make sure this feature is well documented with examples
> and use cases.

I think that a reasonable set of 3-5 roles and documentation how to change
them should be sufficient.

--
Thank you,
Dmitri Pal

Sr. Engineering Manager IPA project,
Red Hat Inc.

From rcritten at redhat.com Thu Feb 10 21:32:48 2011
From: rcritten at redhat.com (Rob Crittenden)
Date: Thu, 10 Feb 2011 16:32:48 -0500
Subject: [Freeipa-devel] [PATCH] 703 389-ds startup with krb config
In-Reply-To: <20110210124112.GB28156@zeppelin.brq.redhat.com>
References: <4D515D5B.9080800@redhat.com> <20110210124112.GB28156@zeppelin.brq.redhat.com>
Message-ID: <4D545980.3080701@redhat.com>

Jakub Hrozek wrote:
> On Tue, Feb 08, 2011 at 10:12:27AM -0500, Rob Crittenden wrote:
>> If /etc/krb5.conf doesn't exist or contains no default kerberos
>> realm then 389-ds won't start at all. This is a problem during
>> installation because we configure 389 first.
>>
>> This patch will let the server come up, you just won't be able to do
>> any joins or password changes until you configure kerberos.
>>
>> ticket 606
>>
>> rob
>
>
> I wasn't able to install with this patch when I had no /etc/krb5.conf at
> all.
>
> Here's what the DS error log said:
> ---
> 10/Feb/2011:07:30:35 -0500] ipaenrollment_start - [file
> ipa_enrollment.c, line 389]: Failed to get default realm?!
> [10/Feb/2011:07:30:35 -0500] - Failed to start extendedop plugin
> ipa_enrollment_extop
> [10/Feb/2011:07:30:35 -0500] ipaenrollment_start - [file
> ipa_enrollment.c, line 389]: Failed to get default realm?!
> [10/Feb/2011:07:30:35 -0500] - Failed to start extendedop plugin
> ipa_enrollment_extop
> [10/Feb/2011:07:30:36 -0500] ipaenrollment_start - [file
> ipa_enrollment.c, line 389]: Failed to get default realm?!
> [10/Feb/2011:07:30:36 -0500] - Failed to start extendedop plugin
> ipa_enrollment_extop
> ---
>
> Looking at ipaenrollment_start(), it looks like the culprit is that when
> krb5_get_default_realm() fails, ret is set to an error code and
> returned. It should be either reset to LDAP_SUCCESS or maybe rc should
> be used instead.
>
> Also one nitpick.
> This:
>
> -static char *realm;
> -static const char *ipa_realm_dn;
> +static char *realm = NULL;
> +static const char *ipa_realm_dn = NULL;
>
> Is not necessary, global variables are initialized to NULL
> automatically.

Updated patch attached. I was able to do full install with this one.

rob
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-rcrit-703-2-startup.patch
Type: application/mbox
Size: 6142 bytes
Desc: not available
URL:

From edewata at redhat.com Thu Feb 10 21:42:16 2011
From: edewata at redhat.com (Endi Sukma Dewata)
Date: Thu, 10 Feb 2011 15:42:16 -0600
Subject: [Freeipa-devel] [PATCH] admiyo-0191-target-section-without-radio-buttons
In-Reply-To: <4D545857.90307@redhat.com>
References: <4D533A31.6060607@redhat.com> <4D538209.8080301@redhat.com> <4D544443.3090201@redhat.com> <4D54460F.2020304@redhat.com> <4D545857.90307@redhat.com>
Message-ID: <4D545BB8.3010505@redhat.com>

On 2/10/2011 3:27 PM, Adam Young wrote:
>

NACK. As discussed over IRC, the "is_dirty" functionality is not working for
permissions that have an "object by type" target.

--
Endi S. Dewata

From edewata at redhat.com Thu Feb 10 21:45:15 2011
From: edewata at redhat.com (Endi Sukma Dewata)
Date: Thu, 10 Feb 2011 15:45:15 -0600
Subject: [Freeipa-devel] [PATCH] Fixed add service dialog box.
Message-ID: <4D545C6B.9050307@redhat.com>

Previously the add service dialog box shows a 'Principal:' label with no text
field next to it. It now has been removed. The dialog box has been widened to
avoid line wrapping of the buttons.

--
Endi S. Dewata
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-edewata-0100-Fixed-add-service-dialog-box.patch
Type: text/x-patch
Size: 4873 bytes
Desc: not available
URL:

From ayoung at redhat.com Thu Feb 10 21:51:20 2011
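The 389-ds error log Jakub quoted in the patch 703 discussion above (ipaenrollment_start failing to get a default realm, then the extended-op plugin failing to start) is the kind of thing an installer or a monitoring check should detect rather than a human eyeballing the log. The following is an added example, not FreeIPA or 389-ds code: it parses the bracketed-timestamp line format seen in those quoted lines, counts "Failed to start ... plugin" entries per plugin, counts the realm failures, and reports whether the server nevertheless came up. The sample log is the six lines from the thread plus one constructed "slapd started." line; the line-format regex is an assumption drawn from those quoted lines, not from 389-ds documentation.

```python
"""Detect plugin start failures in 389-ds error-log output.
Added example (not FreeIPA/389-ds code); log format assumed from the lines
quoted in this thread."""
import re
from collections import Counter
from datetime import datetime

# Six lines quoted by Jakub in the thread, plus one constructed startup line.
SAMPLE_LOG = """\
[10/Feb/2011:07:30:35 -0500] ipaenrollment_start - [file ipa_enrollment.c, line 389]: Failed to get default realm?!
[10/Feb/2011:07:30:35 -0500] - Failed to start extendedop plugin ipa_enrollment_extop
[10/Feb/2011:07:30:35 -0500] ipaenrollment_start - [file ipa_enrollment.c, line 389]: Failed to get default realm?!
[10/Feb/2011:07:30:35 -0500] - Failed to start extendedop plugin ipa_enrollment_extop
[10/Feb/2011:07:30:36 -0500] ipaenrollment_start - [file ipa_enrollment.c, line 389]: Failed to get default realm?!
[10/Feb/2011:07:30:36 -0500] - Failed to start extendedop plugin ipa_enrollment_extop
[10/Feb/2011:07:30:37 -0500] - slapd started.  Listening on All Interfaces port 389 for LDAP requests
"""

# "[timestamp] <optional source> - <message>"; the source token is absent on
# lines logged by the core server ("[...] - Failed to start ...").
LINE_RE = re.compile(r"^\[(?P<ts>[^\]]+)\]\s+(?:(?P<source>\S+)\s+)?-\s+(?P<msg>.*)$")
PLUGIN_FAIL_RE = re.compile(r"Failed to start (?P<kind>\S+) plugin (?P<name>\S+)")
TS_FORMAT = "%d/%b/%Y:%H:%M:%S %z"


def parse_errors_log(text):
    """Turn raw log text into records; lines that do not match are skipped
    (multi-line stack traces would fall in that category)."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        records.append({
            "ts": datetime.strptime(m["ts"], TS_FORMAT),
            "source": m["source"],      # None for core-server lines
            "msg": m["msg"],
        })
    return records


def failed_plugins(records):
    """Map plugin name -> number of 'Failed to start' lines for it."""
    counts = Counter()
    for r in records:
        m = PLUGIN_FAIL_RE.search(r["msg"])
        if m:
            counts[m["name"]] += 1
    return counts


def startup_summary(text):
    """One dict a health check can assert on: did the server come up, and
    which plugins are silently missing even if it did."""
    records = parse_errors_log(text)
    return {
        "records": len(records),
        "failed_plugins": dict(failed_plugins(records)),
        "realm_failures": sum("Failed to get default realm" in r["msg"] for r in records),
        "started": any(r["msg"].startswith("slapd started") for r in records),
    }


if __name__ == "__main__":
    print(startup_summary(SAMPLE_LOG))
```

The useful property of the summary is the combination `started=True` with a non-empty `failed_plugins`: that is exactly the state Rob's patch aims for (server up, enrollment and password changes unavailable until Kerberos is configured), and it is the state a monitoring check would otherwise miss because the directory answers on port 389.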
From: ayoung at redhat.com (Adam Young)
Date: Thu, 10 Feb 2011 16:51:20 -0500
Subject: [Freeipa-devel] [PATCH] admiyo-0192-column-formatting
Message-ID: <4D545DD8.9070708@redhat.com>

-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-admiyo-0192-column-formatting.patch
Type: text/x-patch
Size: 3030 bytes
Desc: not available
URL:

From ssorce at redhat.com Thu Feb 10 21:56:06 2011
From: ssorce at redhat.com (Simo Sorce)
Date: Thu, 10 Feb 2011 16:56:06 -0500
Subject: [Freeipa-devel] [PATCH] 0081 Set KrbExtraData when changing passwords
Message-ID: <20110210165606.38be6c36@willson.li.ssimo.org>

Fixes ticket #937

Simo.

--
Simo Sorce * Red Hat, Inc * New York
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-simo-0081-Update-krbExtraData-too-when-changing-passwords.patch
Type: text/x-patch
Size: 7108 bytes
Desc: not available
URL:

From edewata at redhat.com Thu Feb 10 22:19:13 2011
From: edewata at redhat.com (Endi Sukma Dewata)
Date: Thu, 10 Feb 2011 16:19:13 -0600
Subject: [Freeipa-devel] [PATCH] admiyo-0192-column-formatting
In-Reply-To: <4D545DD8.9070708@redhat.com>
References: <4D545DD8.9070708@redhat.com>
Message-ID: <4D546461.6050503@redhat.com>

On 2/10/2011 3:51 PM, Adam Young wrote:
>

Should we use one of these functions?
http://www.w3schools.com/jsref/jsref_tostring_date.asp
http://www.w3schools.com/jsref/jsref_tolocalestring.asp
http://www.w3schools.com/jsref/jsref_toutcstring.asp

--
Endi S. Dewata

From rcritten at redhat.com Thu Feb 10 22:54:24 2011
From: rcritten at redhat.com (Rob Crittenden)
Date: Thu, 10 Feb 2011 17:54:24 -0500
Subject: [Freeipa-devel] [PATCH] one-liner to fix BUILD.txt
Message-ID: <4D546CA0.3030702@redhat.com>

Pushed this one-liner to fix reference to ipa.spec.in in BUILD.txt

ticket 859

diff --git a/BUILD.txt b/BUILD.txt
index d70351d..df029a5 100644
--- a/BUILD.txt
+++ b/BUILD.txt
@@ -5,7 +5,7 @@ Dependencies The quickest way to get the dependencies needed for building is: -# yum install rpm-build `grep "^BuildRequires" ipa.spec.in | awk '{ print $2 }' | grep -v "^/"` +# yum install rpm-build `grep "^BuildRequires" freeipa.spec.in | awk '{ print $ 2 }' | grep -v "^/"`

From: ayoung at redhat.com (Adam Young)
Date: Thu, 10 Feb 2011 18:00:59 -0500
Subject: [Freeipa-devel] [PATCH] admiyo-0192-column-formatting
In-Reply-To: <4D546461.6050503@redhat.com>
References: <4D545DD8.9070708@redhat.com> <4D546461.6050503@redhat.com>
Message-ID: <4D546E2B.90309@redhat.com>

On 02/10/2011 05:19 PM, Endi Sukma Dewata wrote:
> On 2/10/2011 3:51 PM, Adam Young wrote:
>>
>
> Should we use one of these functions?
> http://www.w3schools.com/jsref/jsref_tostring_date.asp
> http://www.w3schools.com/jsref/jsref_tolocalestring.asp
> http://www.w3schools.com/jsref/jsref_toutcstring.asp
>

Our dates are not considered valid dates, so we can't just use them.

This version fixes whitespace and jsl issue

-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-admiyo-0192-1-column-formatting.patch
Type: text/x-patch
Size: 3034 bytes
Desc: not available
URL:
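Review bot: the + line of the BUILD.txt hunk changes '$2' to '$ 2' inside the awk program in addition to the intended ipa.spec.in -> freeipa.spec.in rename. awk treats '$ 2' the same as '$2', so the command still prints the second field, but the extra space reads as an accidental edit and makes the one-liner harder to scan; keep the replacement line limited to the filename change, i.e. grep "^BuildRequires" freeipa.spec.in | awk '{ print $2 }' | grep -v "^/".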
From: ayoung at redhat.com (Adam Young)
Date: Thu, 10 Feb 2011 18:02:04 -0500
Subject: [Freeipa-devel] [PATCH] admiyo-0191-target-section-without-radio-buttons
In-Reply-To: <4D545BB8.3010505@redhat.com>
References: <4D533A31.6060607@redhat.com> <4D538209.8080301@redhat.com> <4D544443.3090201@redhat.com> <4D54460F.2020304@redhat.com> <4D545857.90307@redhat.com> <4D545BB8.3010505@redhat.com>
Message-ID: <4D546E6C.9070000@redhat.com>

On 02/10/2011 04:42 PM, Endi Sukma Dewata wrote:
> On 2/10/2011 3:27 PM, Adam Young wrote:
>>
>
> NACK. As discussed over IRC, the "is_dirty" functionality is not
> working for permissions that have an "object by type" target.
>

Was worse than that, load was broken.

-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-admiyo-0191-7-target-section-without-radio-buttons.patch
Type: text/x-patch
Size: 27895 bytes
Desc: not available
URL:

From: edewata at redhat.com (Endi Sukma Dewata)
Date: Thu, 10 Feb 2011 17:35:38 -0600
Subject: [Freeipa-devel] [PATCH] admiyo-0192-column-formatting
In-Reply-To: <4D546E2B.90309@redhat.com>
References: <4D545DD8.9070708@redhat.com> <4D546461.6050503@redhat.com> <4D546E2B.90309@redhat.com>
Message-ID: <4D54764A.4010104@redhat.com>

On 2/10/2011 5:00 PM, Adam Young wrote:
>> Should we use one of these functions?
>> http://www.w3schools.com/jsref/jsref_tostring_date.asp
>> http://www.w3schools.com/jsref/jsref_tolocalestring.asp
>> http://www.w3schools.com/jsref/jsref_toutcstring.asp
> Our dates are not considered valid dates, so we can't just use them.

Isn't it a valid UTC time? We can parse it like what you're doing now using substring(), then use the values to construct a Date object in JS. Then we can invoke one of the above methods to display a properly formatted date.

--
Endi S. Dewata
From: edewata at redhat.com (Endi Sukma Dewata)
Date: Thu, 10 Feb 2011 17:46:28 -0600
Subject: [Freeipa-devel] [PATCH] admiyo-0191-target-section-without-radio-buttons
In-Reply-To: <4D546E6C.9070000@redhat.com>
References: <4D533A31.6060607@redhat.com> <4D538209.8080301@redhat.com> <4D544443.3090201@redhat.com> <4D54460F.2020304@redhat.com> <4D545857.90307@redhat.com> <4D545BB8.3010505@redhat.com> <4D546E6C.9070000@redhat.com>
Message-ID: <4D5478D4.6090106@redhat.com>

On 2/10/2011 5:02 PM, Adam Young wrote:
> On 02/10/2011 04:42 PM, Endi Sukma Dewata wrote:
>> On 2/10/2011 3:27 PM, Adam Young wrote:
>>>
>>
>> NACK. As discussed over IRC, the "is_dirty" functionality is not
>> working for permissions that have an "object by type" target.
>>
> Was worse than that, load was broken.

It still has some problems:

1. Updating a permission with a filter doesn't work. Clicking the update button didn't execute anything, the undo button didn't disappear.

2. Resetting the user details page is not working properly, some fields did not get reset. I think the addition of undo_span in widgets.js is not needed and causing a problem because not all (custom) widgets will call create_undo().

--
Endi S. Dewata
From: davido at redhat.com (David O'Brien)
Date: Fri, 11 Feb 2011 10:25:57 +1000
Subject: [Freeipa-devel] Help define the roles IPA has by default
In-Reply-To: <4D545887.7080204@redhat.com>
References: <4D540E6F.5090303@redhat.com> <4D5444F5.5020604@redhat.com> <4D545887.7080204@redhat.com>
Message-ID: <4D548215.7090906@redhat.com>

Dmitri Pal wrote:
> On 02/10/2011 03:05 PM, Jakub Hrozek wrote:
>> On 02/10/2011 05:12 PM, Rob Crittenden wrote:
>>> But what other roles do we need? The mind boggles and rather than
>>> dictating what the initial ones will be I'm looking for some
>>> guidance/suggestions.
>>>
>>> thanks
>>>
>>> rob
>> I'm actually wondering if we need to define many default roles in the
>> upstream project. I'm thinking that every organization will have
>> different needs and different ways of role delegation anyway, so I
>> would rather make sure this feature is well documented with examples
>> and use cases.
>>
>> _______________________________________________
>> Freeipa-devel mailing list
>> Freeipa-devel at redhat.com
>> https://www.redhat.com/mailman/listinfo/freeipa-devel
>
> I think that a reasonable set of 3-5 roles and documentation how to
> change them should be sufficient.
>

I agree. On top of what Dmitri has already sent out, this thread is a really good continuation of documenting delegation, permissions, roles, etc., especially because this area is so different from v1.

If we look at it from two perspectives, one being What does IPA need to function?, and the other being What do customers need?, then we can probably come up with a short list and provide some basic use cases, descriptions, and examples.

Dmitri's list of 5 is good, although I would suggest settling on a naming format, by which I mean rather than a combination of person-based and role-based names, use a consistent format. Security Architect & IPA Administrator are people (faiap), while Helpdesk is a department. Anyway, you get the idea.
We've already started with Name, Description, Goals; with a few use cases I can put together short sections with links to existing docs on how to use the relevant commands, or write them as needed.

cheers

--
David O'Brien
Red Hat Asia Pacific Pty Ltd
+61 7 3514 8189

"He who asks is a fool for five minutes, but he who does not ask remains a fool forever."
~ Chinese proverb

From: rcritten at redhat.com (Rob Crittenden)
Date: Thu, 10 Feb 2011 22:17:18 -0500
Subject: [Freeipa-devel] [PATCH] 714 fix dogtag installation
Message-ID: <4D54AA3E.8010803@redhat.com>

Reset file ownership after calling update_file() and set_preference() in installutils. Out of the blue these would change file ownership to root:root which was breaking a dogtag profile.

This fixes the error from cert-request: FAILURE (Profile caIPAserviceCert Not Found)

ticket 928

rob

-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-rcrit-714-ownership.patch
Type: application/mbox
Size: 1961 bytes
Desc: not available
URL:
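The failure Rob describes (an installer running as root rewrites a file and it silently comes back as root:root, so the service that owns it can no longer read its own profile) has a standard defence: capture owner, group and mode before the edit and reapply them to the replacement file. The following is an added example of that pattern; it is not FreeIPA's installutils code, and the function name update_file(), its regex-based signature, and the sample profile contents are assumptions made for the illustration.

```python
"""Constructed example: edit a file in place without changing its owner,
group or permission bits. Not FreeIPA's installutils; names are assumed."""
import os
import re
import tempfile


def update_file(path, pattern, replacement):
    """Replace every match of `pattern` in `path`, keeping uid/gid/mode.

    The new content goes to a temporary sibling file that is renamed over
    the original, so readers never see a half-written file. A temp file
    would belong to the caller (root during an install) with mode 0600,
    so the original's ownership and permission bits are captured first
    and reapplied before the rename. Returns the number of substitutions;
    when nothing matched the file is left untouched.
    """
    st = os.stat(path)
    with open(path, 'r', encoding='utf-8') as f:
        original = f.read()
    updated, count = re.subn(pattern, replacement, original, flags=re.MULTILINE)
    if count == 0:
        return 0
    dirname = os.path.dirname(os.path.abspath(path))
    fd, tmp_path = tempfile.mkstemp(prefix='.update-', dir=dirname)
    try:
        with os.fdopen(fd, 'w', encoding='utf-8') as f:
            f.write(updated)
        # Restore owner/group and permission bits on the new inode before
        # it becomes visible under the real name.
        os.chown(tmp_path, st.st_uid, st.st_gid)
        os.chmod(tmp_path, st.st_mode & 0o7777)
        os.rename(tmp_path, path)
    except BaseException:
        os.unlink(tmp_path)
        raise
    return count


def demo():
    """Round-trip on a constructed temp file with mode 0640 and report
    whether content changed while ownership and mode were preserved."""
    fd, path = tempfile.mkstemp(prefix='demo-', suffix='.cfg')
    try:
        with os.fdopen(fd, 'w', encoding='utf-8') as f:
            f.write('profileId=caIPAserviceCert\nenabled=false\n')  # constructed
        os.chmod(path, 0o640)
        before = os.stat(path)
        count = update_file(path, r'^enabled=false$', 'enabled=true')
        after = os.stat(path)
        with open(path, encoding='utf-8') as f:
            content = f.read()
        return {
            'substitutions': count,
            'mode_kept': (before.st_mode & 0o7777) == (after.st_mode & 0o7777),
            'owner_kept': (before.st_uid, before.st_gid) == (after.st_uid, after.st_gid),
            'content': content,
        }
    finally:
        os.unlink(path)


if __name__ == '__main__':
    print(demo())
```

Run as a non-root user the chown is a no-op that restores the caller's own ids; run as root during an install it is what keeps a service-owned file readable by that service afterwards.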
From: rcritten at redhat.com (Rob Crittenden)
Date: Thu, 10 Feb 2011 22:27:43 -0500
Subject: [Freeipa-devel] [PATCH] 703 389-ds startup with krb config
In-Reply-To: <4D545980.3080701@redhat.com>
References: <4D515D5B.9080800@redhat.com> <20110210124112.GB28156@zeppelin.brq.redhat.com> <4D545980.3080701@redhat.com>
Message-ID: <4D54ACAF.9080309@redhat.com>

Rob Crittenden wrote:
> Jakub Hrozek wrote:
>> On Tue, Feb 08, 2011 at 10:12:27AM -0500, Rob Crittenden wrote:
>>> If /etc/krb5.conf doesn't exist or contains no default kerberos
>>> realm then 389-ds won't start at all. This is a problem during
>>> installation because we configure 389 first.
>>>
>>> This patch will let the server come up, you just won't be able to do
>>> any joins or password changes until you configure kerberos.
>>>
>>> ticket 606
>>>
>>> rob
>>
>>
>> I wasn't able to install with this patch when I had no /etc/krb5.conf at
>> all.
>>
>> Here's what the DS error log said:
>> ---
>> 10/Feb/2011:07:30:35 -0500] ipaenrollment_start - [file
>> ipa_enrollment.c, line 389]: Failed to get default realm?!
>> [10/Feb/2011:07:30:35 -0500] - Failed to start extendedop plugin
>> ipa_enrollment_extop
>> [10/Feb/2011:07:30:35 -0500] ipaenrollment_start - [file
>> ipa_enrollment.c, line 389]: Failed to get default realm?!
>> [10/Feb/2011:07:30:35 -0500] - Failed to start extendedop plugin
>> ipa_enrollment_extop
>> [10/Feb/2011:07:30:36 -0500] ipaenrollment_start - [file
>> ipa_enrollment.c, line 389]: Failed to get default realm?!
>> [10/Feb/2011:07:30:36 -0500] - Failed to start extendedop plugin
>> ipa_enrollment_extop
>> ---
>>
>> Looking at ipaenrollment_start(), it looks like the culprit is that when
>> krb5_get_default_realm() fails, ret is set to an error code and
>> returned. It should be either reset to LDAP_SUCCESS or maybe rc should
>> be used instead.
>>
>> Also one nitpick.
This:
>>
>> -static char *realm;
>> -static const char *ipa_realm_dn;
>> +static char *realm = NULL;
>> +static const char *ipa_realm_dn = NULL;
>>
>> Is not necessary, global variables are initialized to NULL
>> automatically.
>
> Updated patch attached. I was able to do full install with this one.
>
> rob

Found another problem, new patch.

rob

-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-rcrit-703-3-startup.patch
Type: application/mbox
Size: 6196 bytes
Desc: not available
URL:

From: rcritten at redhat.com (Rob Crittenden)
Date: Thu, 10 Feb 2011 22:47:13 -0500
Subject: [Freeipa-devel] [PATCH] 715 ensure required variables are required
Message-ID: <4D54B141.7020900@redhat.com>

Yi found a tricky way to remove required attributes that aren't required in the schema. The problem was we weren't enforcing parameter.required in mods (because it was enforcing that every variable with required be provided). I added a new check routine that is executed after setattr/addattr does its work and verifies that no required parameters get skipped.

ticket 852

rob

-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-rcrit-715-required.patch
Type: application/mbox
Size: 4912 bytes
Desc: not available
URL:
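The bug class Rob's 715 patch closes is a validation gap: the framework requires a parameter on add, but a generic --setattr/--addattr/--delattr path on modify can empty it because the LDAP schema itself does not insist on the attribute. The check belongs after the attribute edits are applied and before anything is written. Below is an added example of such a post-edit check; it is not FreeIPA's code, and the Param class, USER_PARAMS table, the option names as keyword arguments and the sample user entry are constructed for the illustration.

```python
"""Constructed example: apply setattr/addattr/delattr style edits to an entry
and reject the result if any parameter marked required ends up with no value.
Not FreeIPA's code; all names here are assumed."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Param:
    name: str            # LDAP attribute name, lower case
    required: bool = False


class RequirementError(ValueError):
    """A required parameter would be left without a value."""


# Constructed parameter table: givenname is required by the application
# even though the LDAP schema does not require it on the entry.
USER_PARAMS = (
    Param('uid', required=True),
    Param('givenname', required=True),
    Param('sn', required=True),
    Param('mail'),
    Param('telephonenumber'),
)

SAMPLE_USER = {          # constructed entry: attr -> list of values
    'uid': ['kfrog'],
    'givenname': ['Kermit'],
    'sn': ['Frog'],
    'mail': ['kfrog@example.test'],
}


def _split(spec):
    """'attr=value' -> ('attr', 'value'); an empty value is allowed."""
    if '=' not in spec:
        raise ValueError('expected attr=value, got %r' % spec)
    attr, value = spec.split('=', 1)
    return attr.strip().lower(), value


def apply_attr_edits(entry, setattr=(), addattr=(), delattr=()):
    """Return a modified copy of entry; the input is never mutated.
    The keyword names mirror the CLI options, so they shadow the builtin
    setattr() only inside this function."""
    result = {k.lower(): list(v) for k, v in entry.items()}
    for spec in setattr:
        attr, value = _split(spec)
        result[attr] = [value] if value != '' else []   # empty value clears it
    for spec in addattr:
        attr, value = _split(spec)
        result.setdefault(attr, []).append(value)
    for spec in delattr:
        attr, value = _split(spec)
        if value not in result.get(attr, []):
            raise ValueError('%s does not contain %r' % (attr, value))
        result[attr].remove(value)
    return result


def check_required(params, entry):
    """The post-edit check: every required param must still hold a value."""
    missing = [p.name for p in params
               if p.required and not [v for v in entry.get(p.name, []) if v != '']]
    if missing:
        raise RequirementError('required attribute(s) would be removed: %s'
                               % ', '.join(missing))
    return entry


def update_entry(params, entry, **edits):
    """Apply the edits, then run the check before anything reaches LDAP."""
    return check_required(params, apply_attr_edits(entry, **edits))


def try_update(params, entry, **edits):
    """('ok', new_entry) or ('rejected', message) for one modify call."""
    try:
        return ('ok', update_entry(params, entry, **edits))
    except RequirementError as e:
        return ('rejected', str(e))


if __name__ == '__main__':
    print(try_update(USER_PARAMS, SAMPLE_USER, delattr=['givenname=Kermit']))
    print(try_update(USER_PARAMS, SAMPLE_USER, addattr=['mail=kermit@example.test']))
```

The check deliberately runs on the entry as it would look after all three option kinds are applied, rather than on the options themselves, so a delattr that removes the last value and a setattr to an empty string are caught by the same rule.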
From: edewata at redhat.com (Endi Sukma Dewata)
Date: Thu, 10 Feb 2011 21:57:48 -0600
Subject: [Freeipa-devel] [PATCH] Added expand/collapse all.
Message-ID: <4D54B3BC.90905@redhat.com>

Hi Kyle,

I added the expand/collapse all link into the details page. See the following demo:
http://edewata.fedorapeople.org/freeipa/install/ui/index.html#navigation=0&identity=0&user-facet=details&user-pkey=kfrog

Please let me know if this is sufficient for this ticket:
https://fedorahosted.org/freeipa/ticket/737

Thanks!

--
Endi S. Dewata

-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-edewata-0101-Added-expand-collapse-all.patch
Type: text/x-patch
Size: 8513 bytes
Desc: not available
URL:
From: mkosek at redhat.com (Martin Kosek)
Date: Fri, 11 Feb 2011 08:45:23 +0100
Subject: [Freeipa-devel] [PATCH] 029 ipa-dns-install does not exit on error
In-Reply-To: <4D543546.1030904@redhat.com>
References: <1297344269.3003.15.camel@dhcp-25-52.brq.redhat.com> <4D543546.1030904@redhat.com>
Message-ID: <1297410323.2984.8.camel@dhcp-25-52.brq.redhat.com>

On Thu, 2011-02-10 at 13:58 -0500, Rob Crittenden wrote:
> Martin Kosek wrote:
> > This patch fixes behavior of ipa-dns-install, which does not
> > exit when an invalid configuration of /etc/hosts is detected.
> >
> > https://fedorahosted.org/freeipa/ticket/736
>
> I'm not positive but was the address info checking done within the try
> to catch any possible exception?
>
> This code dates back to very early IPA code (say 4 years old or so) when
> we were pretty new to python and sometimes catching things in a very
> broad way.
>
> Is it possible that running through the addresses could raise an
> unhandled exception?
>
> rob

Rob, thanks for the review.

Well, I think the unhandled code should not raise any exception - we are not calling any external function, just going through an array. But to bulletproof it, I have added a check just to be sure that we do it right even when socket.getaddrinfo would return empty result and did not raise an exception.

Patch is attached. I moved the exception handling closer to the socket.getaddrinfo to actually be able to easily call sys.exit().

Martin

-------------- next part --------------
A non-text attachment was scrubbed...
Name: mkosek-freeipa-029-02-ipa-dns-install-does-not-exit-on-error.patch
Type: text/x-patch
Size: 2452 bytes
Desc: not available
URL:
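The shape Martin and Rob converge on above, a narrow try around the one external call, an explicit check for an empty answer, and a clean exit when the host name cannot be used, is shown below as an added example. It is not ipa-dns-install's code; resolve_fqdn(), HostnameError, the loopback-only rule standing in for the /etc/hosts misconfiguration, and the fake resolver table are all constructed for the illustration.

```python
"""Constructed example of the pattern discussed above: keep only the
socket.getaddrinfo() call inside the try block, check the returned list
explicitly (including the empty case), and stop the install with a clear
exit status. Not ipa-dns-install's code; all names here are assumed."""
import socket
import sys


class HostnameError(Exception):
    """The host's FQDN cannot be used for a DNS install."""


def resolve_fqdn(fqdn, getaddrinfo=socket.getaddrinfo):
    """Return the distinct non-loopback addresses fqdn resolves to.

    Only the resolver call is inside the try block, so a resolver failure
    is reported as such; an empty answer and a loopback-only answer (the
    typical /etc/hosts mistake) are caught by explicit checks on the list
    rather than by a broad except that would hide real bugs.
    """
    try:
        info = getaddrinfo(fqdn, None, 0, socket.SOCK_STREAM)
    except socket.gaierror as e:
        raise HostnameError('Unable to resolve host name %s: %s' % (fqdn, e))

    addrs = []
    for _family, _socktype, _proto, _canonname, sockaddr in info:
        addr = sockaddr[0]
        if addr not in addrs:
            addrs.append(addr)
    if not addrs:
        raise HostnameError('Host name %s resolved to no addresses' % fqdn)

    loopback = [a for a in addrs if a.startswith('127.') or a == '::1']
    if len(loopback) == len(addrs):
        raise HostnameError(
            'Host name %s resolves only to loopback addresses (%s); '
            'fix /etc/hosts before installing DNS' % (fqdn, ', '.join(loopback)))
    return [a for a in addrs if a not in loopback]


def fake_getaddrinfo(table):
    """Build a getaddrinfo stand-in from a constructed {host: [addr, ...]}
    table so every failure mode can be exercised offline."""
    def getaddrinfo(host, port, family=0, type=0, proto=0, flags=0):
        if host not in table:
            raise socket.gaierror(-2, 'Name or service not known')
        return [(socket.AF_INET6 if ':' in a else socket.AF_INET,
                 socket.SOCK_STREAM, 6, '', (a, 0)) for a in table[host]]
    return getaddrinfo


# Constructed resolver data: a good host, a loopback-only host and a host
# for which the resolver returns an empty list without raising.
SAMPLE_TABLE = {
    'ipa.example.test': ['10.0.0.5', '10.0.0.5', 'fd00::5'],
    'localhost-only.example.test': ['127.0.0.1', '::1'],
    'empty.example.test': [],
}


def outcome(fqdn, table=SAMPLE_TABLE):
    """('ok', addrs) or ('error', message) using the constructed resolver."""
    try:
        return ('ok', resolve_fqdn(fqdn, fake_getaddrinfo(table)))
    except HostnameError as e:
        return ('error', str(e))


def main(argv):
    fqdn = argv[1] if len(argv) > 1 else socket.getfqdn()
    try:
        addrs = resolve_fqdn(fqdn)
    except HostnameError as e:
        print('Error: %s' % e, file=sys.stderr)
        sys.exit(1)      # the installer must stop here, not carry on
    print('%s -> %s' % (fqdn, ', '.join(addrs)))


if __name__ == '__main__':
    main(sys.argv)
```

Because resolve_fqdn() raises one exception type for every bad outcome, the caller has a single place to decide to exit, which is the property the patch restores.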
From: jhrozek at redhat.com (Jakub Hrozek)
Date: Fri, 11 Feb 2011 11:00:21 +0100
Subject: [Freeipa-devel] [PATCH] 714 fix dogtag installation
In-Reply-To: <4D54AA3E.8010803@redhat.com>
References: <4D54AA3E.8010803@redhat.com>
Message-ID: <20110211100020.GA9354@zeppelin.brq.redhat.com>

On Thu, Feb 10, 2011 at 10:17:18PM -0500, Rob Crittenden wrote:
> Reset file ownership after calling update_file() and
> set_preference() in installutils. Out of the blue these would change
> file ownership to root:root which was breaking a dogtag profile.
>
> This fixes the error from cert-request: FAILURE (Profile
> caIPAserviceCert Not Found)
>
> ticket 928
>
> rob

Ack

From: jhrozek at redhat.com (Jakub Hrozek)
Date: Fri, 11 Feb 2011 11:05:09 +0100
Subject: [Freeipa-devel] [PATCH] 712 drop kw from JSON error
In-Reply-To: <4D5430EC.4060502@redhat.com>
References: <4D5430EC.4060502@redhat.com>
Message-ID: <20110211100509.GB9354@zeppelin.brq.redhat.com>

On Thu, Feb 10, 2011 at 01:39:40PM -0500, Rob Crittenden wrote:
> The kw could contain another exception which was blowing up the
> marshalling. It doesn't seem to be used anywhere and contains
> information we've already saved in error as far as I can tell.
>
> ticket 905
>
> rob

Ack

From: jhrozek at redhat.com (Jakub Hrozek)
Date: Fri, 11 Feb 2011 11:22:18 +0100
Subject: [Freeipa-devel] [PATCH] 051 Remove obsolete record types from DNS
Message-ID: <20110211102217.GC9354@zeppelin.brq.redhat.com>

https://fedorahosted.org/freeipa/ticket/923

-------------- next part --------------
>From 5fdd046fb631a9c57cf6e9c6c98ee09e2cd77a6d Mon Sep 17 00:00:00 2001 From: Jakub Hrozek Date: Thu, 10 Feb 2011 21:17:21 +0100 Subject: [PATCH] Remove obsolete record types from DNS https://fedorahosted.org/freeipa/ticket/923 --- API.txt | 24 ++++-------------------- ipalib/plugins/dns.py | 8 ++++---- 2 files changed, 8 insertions(+), 24 deletions(-)
diff --git a/API.txt b/API.txt index 8736a07..d58f3a4 100644 --- a/API.txt +++ b/API.txt @@ -486,7 +486,7 @@ output: Output('summary', (, ), 'User-friendly output: Output('result', , 'True means the operation was successful') output: Output('value', , "The primary_key value of the entry, e.g. 'jdoe' for a user") command: dnsrecord_add -args: 2,46,3 +args: 2,42,3 arg: Str('dnszoneidnsname', cli_name='dnszone', label=Gettext('Zone name', domain='ipa', localedir=None), query=True, required=True) arg: Str('idnsname', attribute=True, cli_name='name', label=Gettext('Record name', domain='ipa', localedir=None), multivalue=False, primary_key=True, required=True) option: Int('dnsttl', attribute=True, cli_name='ttl', label=Gettext('Time to live', domain='ipa', localedir=None), multivalue=False, required=False) 
@@ -509,21 +509,17 @@ option: List('dlvrecord?', attribute=True, cli_name='dlv_rec',ist('dlvrecord?', option: List('dnamerecord?', attribute=True, cli_name='dname_rec',ist('dnamerecord?', attribute=True, cli_name='dname_rec', doc='comma-separated list of DNAME records', label='DNAME record', multivalue=True) option: List('dnskeyrecord?', attribute=True, cli_name='dnskey_rec',ist('dnskeyrecord?', attribute=True, cli_name='dnskey_rec', doc='comma-separated list of DNSKEY records', label='DNSKEY record', multivalue=True) option: List('dsrecord?', attribute=True, cli_name='ds_rec',ist('dsrecord?', attribute=True, cli_name='ds_rec', doc='comma-separated list of DS records', label='DS record', multivalue=True) -option: List('hinforecord?', attribute=True, cli_name='hinfo_rec',ist('hinforecord?', attribute=True, cli_name='hinfo_rec', doc='comma-separated list of HINFO records', label='HINFO record', multivalue=True) option: List('hiprecord?', attribute=True, cli_name='hip_rec',ist('hiprecord?', attribute=True, cli_name='hip_rec', doc='comma-separated list of HIP records', label='HIP record', multivalue=True) option: List('ipseckeyrecord?', attribute=True, cli_name='ipseckey_rec',ist('ipseckeyrecord?', attribute=True, cli_name='ipseckey_rec', doc='comma-separated list of IPSECKEY records', label='IPSECKEY record', multivalue=True) option: List('keyrecord?', attribute=True, cli_name='key_rec',ist('keyrecord?', attribute=True, cli_name='key_rec', doc='comma-separated list of KEY records', label='KEY record', multivalue=True) option: List('kxrecord?', attribute=True, cli_name='kx_rec',ist('kxrecord?', attribute=True, cli_name='kx_rec', doc='comma-separated list of KX records', label='KX record', multivalue=True) option: List('locrecord?', attribute=True, cli_name='loc_rec',ist('locrecord?', attribute=True, cli_name='loc_rec', doc='comma-separated list of LOC records', label='LOC record', multivalue=True) -option: List('mdrecord?', attribute=True, 
cli_name='md_rec',ist('mdrecord?', attribute=True, cli_name='md_rec', doc='comma-separated list of MD records', label='MD record', multivalue=True) -option: List('minforecord?', attribute=True, cli_name='minfo_rec',ist('minforecord?', attribute=True, cli_name='minfo_rec', doc='comma-separated list of MINFO records', label='MINFO record', multivalue=True) option: List('mxrecord?', attribute=True, cli_name='mx_rec',ist('mxrecord?', attribute=True, cli_name='mx_rec', doc='comma-separated list of MX records', label='MX record', multivalue=True) option: List('naptrrecord?', attribute=True, cli_name='naptr_rec',ist('naptrrecord?', attribute=True, cli_name='naptr_rec', doc='comma-separated list of NAPTR records', label='NAPTR record', multivalue=True) option: List('nsrecord?', attribute=True, cli_name='ns_rec',ist('nsrecord?', attribute=True, cli_name='ns_rec', doc='comma-separated list of NS records', label='NS record', multivalue=True) option: List('nsecrecord?', attribute=True, cli_name='nsec_rec',ist('nsecrecord?', attribute=True, cli_name='nsec_rec', doc='comma-separated list of NSEC records', label='NSEC record', multivalue=True) option: List('nsec3record?', attribute=True, cli_name='nsec3_rec',ist('nsec3record?', attribute=True, cli_name='nsec3_rec', doc='comma-separated list of NSEC3 records', label='NSEC3 record', multivalue=True) option: List('nsec3paramrecord?', attribute=True, cli_name='nsec3param_rec',ist('nsec3paramrecord?', attribute=True, cli_name='nsec3param_rec', doc='comma-separated list of NSEC3PARAM records', label='NSEC3PARAM record', multivalue=True) -option: List('nxtrecord?', attribute=True, cli_name='nxt_rec',ist('nxtrecord?', attribute=True, cli_name='nxt_rec', doc='comma-separated list of NXT records', label='NXT record', multivalue=True) option: List('ptrrecord?', attribute=True, cli_name='ptr_rec',ist('ptrrecord?', attribute=True, cli_name='ptr_rec', doc='comma-separated list of PTR records', label='PTR record', multivalue=True) option: 
List('rrsigrecord?', attribute=True, cli_name='rrsig_rec',ist('rrsigrecord?', attribute=True, cli_name='rrsig_rec', doc='comma-separated list of RRSIG records', label='RRSIG record', multivalue=True) option: List('rprecord?', attribute=True, cli_name='rp_rec',ist('rprecord?', attribute=True, cli_name='rp_rec', doc='comma-separated list of RP records', label='RP record', multivalue=True) @@ -539,7 +535,7 @@ output: Output('summary', (, ), 'User-friendly output: Entry('result', , Gettext('A dictionary representing an LDAP entry', domain='ipa', localedir=None)) output: Output('value', , "The primary_key value of the entry, e.g. 'jdoe' for a user") command: dnsrecord_add_record -args: 2,41,3 +args: 2,37,3 arg: Str('dnszoneidnsname', cli_name='dnszone', label=Gettext('Zone name', domain='ipa', localedir=None), query=True, required=True) arg: Str('idnsname', attribute=True, cli_name='name', label=Gettext('Record name', domain='ipa', localedir=None), multivalue=False, primary_key=True, query=True, required=True) option: Flag('all', autofill=True, cli_name='all', default=False, exclude='webui', flags=['no_output']) 
@@ -557,21 +553,17 @@ option: List('dlvrecord?', attribute=True, cli_name='dlv_rec',ist('dlvrecord?', option: List('dnamerecord?', attribute=True, cli_name='dname_rec',ist('dnamerecord?', attribute=True, cli_name='dname_rec', doc='comma-separated list of DNAME records', label='DNAME record', multivalue=True) option: List('dnskeyrecord?', attribute=True, cli_name='dnskey_rec',ist('dnskeyrecord?', attribute=True, cli_name='dnskey_rec', doc='comma-separated list of DNSKEY records', label='DNSKEY record', multivalue=True) option: List('dsrecord?', attribute=True, cli_name='ds_rec',ist('dsrecord?', attribute=True, cli_name='ds_rec', doc='comma-separated list of DS records', label='DS record', multivalue=True) -option: List('hinforecord?', attribute=True, cli_name='hinfo_rec',ist('hinforecord?', attribute=True, cli_name='hinfo_rec', doc='comma-separated list of HINFO records', label='HINFO record', multivalue=True) option: List('hiprecord?', attribute=True, cli_name='hip_rec',ist('hiprecord?', attribute=True, cli_name='hip_rec', doc='comma-separated list of HIP records', label='HIP record', multivalue=True) option: List('ipseckeyrecord?', attribute=True, cli_name='ipseckey_rec',ist('ipseckeyrecord?', attribute=True, cli_name='ipseckey_rec', doc='comma-separated list of IPSECKEY records', label='IPSECKEY record', multivalue=True) option: List('keyrecord?', attribute=True, cli_name='key_rec',ist('keyrecord?', attribute=True, cli_name='key_rec', doc='comma-separated list of KEY records', label='KEY record', multivalue=True) option: List('kxrecord?', attribute=True, cli_name='kx_rec',ist('kxrecord?', attribute=True, cli_name='kx_rec', doc='comma-separated list of KX records', label='KX record', multivalue=True) option: List('locrecord?', attribute=True, cli_name='loc_rec',ist('locrecord?', attribute=True, cli_name='loc_rec', doc='comma-separated list of LOC records', label='LOC record', multivalue=True) -option: List('mdrecord?', attribute=True, 
cli_name='md_rec',ist('mdrecord?', attribute=True, cli_name='md_rec', doc='comma-separated list of MD records', label='MD record', multivalue=True) -option: List('minforecord?', attribute=True, cli_name='minfo_rec',ist('minforecord?', attribute=True, cli_name='minfo_rec', doc='comma-separated list of MINFO records', label='MINFO record', multivalue=True) option: List('mxrecord?', attribute=True, cli_name='mx_rec',ist('mxrecord?', attribute=True, cli_name='mx_rec', doc='comma-separated list of MX records', label='MX record', multivalue=True) option: List('naptrrecord?', attribute=True, cli_name='naptr_rec',ist('naptrrecord?', attribute=True, cli_name='naptr_rec', doc='comma-separated list of NAPTR records', label='NAPTR record', multivalue=True) option: List('nsrecord?', attribute=True, cli_name='ns_rec',ist('nsrecord?', attribute=True, cli_name='ns_rec', doc='comma-separated list of NS records', label='NS record', multivalue=True) option: List('nsecrecord?', attribute=True, cli_name='nsec_rec',ist('nsecrecord?', attribute=True, cli_name='nsec_rec', doc='comma-separated list of NSEC records', label='NSEC record', multivalue=True) option: List('nsec3record?', attribute=True, cli_name='nsec3_rec',ist('nsec3record?', attribute=True, cli_name='nsec3_rec', doc='comma-separated list of NSEC3 records', label='NSEC3 record', multivalue=True) option: List('nsec3paramrecord?', attribute=True, cli_name='nsec3param_rec',ist('nsec3paramrecord?', attribute=True, cli_name='nsec3param_rec', doc='comma-separated list of NSEC3PARAM records', label='NSEC3PARAM record', multivalue=True) -option: List('nxtrecord?', attribute=True, cli_name='nxt_rec',ist('nxtrecord?', attribute=True, cli_name='nxt_rec', doc='comma-separated list of NXT records', label='NXT record', multivalue=True) option: List('ptrrecord?', attribute=True, cli_name='ptr_rec',ist('ptrrecord?', attribute=True, cli_name='ptr_rec', doc='comma-separated list of PTR records', label='PTR record', multivalue=True) option: 
List('rrsigrecord?', attribute=True, cli_name='rrsig_rec',ist('rrsigrecord?', attribute=True, cli_name='rrsig_rec', doc='comma-separated list of RRSIG records', label='RRSIG record', multivalue=True) option: List('rprecord?', attribute=True, cli_name='rp_rec',ist('rprecord?', attribute=True, cli_name='rp_rec', doc='comma-separated list of RP records', label='RP record', multivalue=True) @@ -587,7 +579,7 @@ output: Output('summary', (, ), 'User-friendly output: Entry('result', , Gettext('A dictionary representing an LDAP entry', domain='ipa', localedir=None)) output: Output('value', , "The primary_key value of the entry, e.g. 'jdoe' for a user") command: dnsrecord_del -args: 2,42,3 +args: 2,38,3 arg: Str('dnszoneidnsname', cli_name='dnszone', label=Gettext('Zone name', domain='ipa', localedir=None), query=True, required=True) arg: Str('idnsname', attribute=True, cli_name='name', label=Gettext('Record name', domain='ipa', localedir=None), multivalue=False, primary_key=True, query=True, required=True) option: Flag('del_all', autofill=True, default=False, label=Gettext('Delete all associated records', domain='ipa', localedir=None)) 
@@ -606,21 +598,17 @@ option: List('dlvrecord?', attribute=True, cli_name='dlv_rec',ist('dlvrecord?', option: List('dnamerecord?', attribute=True, cli_name='dname_rec',ist('dnamerecord?', attribute=True, cli_name='dname_rec', doc='comma-separated list of DNAME records', label='DNAME record', multivalue=True) option: List('dnskeyrecord?', attribute=True, cli_name='dnskey_rec',ist('dnskeyrecord?', attribute=True, cli_name='dnskey_rec', doc='comma-separated list of DNSKEY records', label='DNSKEY record', multivalue=True) option: List('dsrecord?', attribute=True, cli_name='ds_rec',ist('dsrecord?', attribute=True, cli_name='ds_rec', doc='comma-separated list of DS records', label='DS record', multivalue=True) -option: List('hinforecord?', attribute=True, cli_name='hinfo_rec',ist('hinforecord?', attribute=True, cli_name='hinfo_rec', doc='comma-separated list of HINFO records', label='HINFO record', multivalue=True) option: List('hiprecord?', attribute=True, cli_name='hip_rec',ist('hiprecord?', attribute=True, cli_name='hip_rec', doc='comma-separated list of HIP records', label='HIP record', multivalue=True) option: List('ipseckeyrecord?', attribute=True, cli_name='ipseckey_rec',ist('ipseckeyrecord?', attribute=True, cli_name='ipseckey_rec', doc='comma-separated list of IPSECKEY records', label='IPSECKEY record', multivalue=True) option: List('keyrecord?', attribute=True, cli_name='key_rec',ist('keyrecord?', attribute=True, cli_name='key_rec', doc='comma-separated list of KEY records', label='KEY record', multivalue=True) option: List('kxrecord?', attribute=True, cli_name='kx_rec',ist('kxrecord?', attribute=True, cli_name='kx_rec', doc='comma-separated list of KX records', label='KX record', multivalue=True) option: List('locrecord?', attribute=True, cli_name='loc_rec',ist('locrecord?', attribute=True, cli_name='loc_rec', doc='comma-separated list of LOC records', label='LOC record', multivalue=True) -option: List('mdrecord?', attribute=True, 
cli_name='md_rec',ist('mdrecord?', attribute=True, cli_name='md_rec', doc='comma-separated list of MD records', label='MD record', multivalue=True) -option: List('minforecord?', attribute=True, cli_name='minfo_rec',ist('minforecord?', attribute=True, cli_name='minfo_rec', doc='comma-separated list of MINFO records', label='MINFO record', multivalue=True) option: List('mxrecord?', attribute=True, cli_name='mx_rec',ist('mxrecord?', attribute=True, cli_name='mx_rec', doc='comma-separated list of MX records', label='MX record', multivalue=True) option: List('naptrrecord?', attribute=True, cli_name='naptr_rec',ist('naptrrecord?', attribute=True, cli_name='naptr_rec', doc='comma-separated list of NAPTR records', label='NAPTR record', multivalue=True) option: List('nsrecord?', attribute=True, cli_name='ns_rec',ist('nsrecord?', attribute=True, cli_name='ns_rec', doc='comma-separated list of NS records', label='NS record', multivalue=True) option: List('nsecrecord?', attribute=True, cli_name='nsec_rec',ist('nsecrecord?', attribute=True, cli_name='nsec_rec', doc='comma-separated list of NSEC records', label='NSEC record', multivalue=True) option: List('nsec3record?', attribute=True, cli_name='nsec3_rec',ist('nsec3record?', attribute=True, cli_name='nsec3_rec', doc='comma-separated list of NSEC3 records', label='NSEC3 record', multivalue=True) option: List('nsec3paramrecord?', attribute=True, cli_name='nsec3param_rec',ist('nsec3paramrecord?', attribute=True, cli_name='nsec3param_rec', doc='comma-separated list of NSEC3PARAM records', label='NSEC3PARAM record', multivalue=True) -option: List('nxtrecord?', attribute=True, cli_name='nxt_rec',ist('nxtrecord?', attribute=True, cli_name='nxt_rec', doc='comma-separated list of NXT records', label='NXT record', multivalue=True) option: List('ptrrecord?', attribute=True, cli_name='ptr_rec',ist('ptrrecord?', attribute=True, cli_name='ptr_rec', doc='comma-separated list of PTR records', label='PTR record', multivalue=True) option: 
List('rrsigrecord?', attribute=True, cli_name='rrsig_rec',ist('rrsigrecord?', attribute=True, cli_name='rrsig_rec', doc='comma-separated list of RRSIG records', label='RRSIG record', multivalue=True) option: List('rprecord?', attribute=True, cli_name='rp_rec',ist('rprecord?', attribute=True, cli_name='rp_rec', doc='comma-separated list of RP records', label='RP record', multivalue=True) @@ -644,7 +632,7 @@ output: Output('summary', (, ), 'User-friendly output: Output('result', , 'list of deletions that failed') output: Output('value', , "The primary_key value of the entry, e.g. 'jdoe' for a user") command: dnsrecord_find -args: 2,46,4 +args: 2,42,4 arg: Str('dnszoneidnsname', cli_name='dnszone', label=Gettext('Zone name', domain='ipa', localedir=None), query=True, required=True) arg: Str('criteria?') option: Str('idnsname', attribute=True, autofill=False, cli_name='name', label=Gettext('Record name', domain='ipa', localedir=None), multivalue=False, primary_key=True, query=True, required=False) 
@@ -667,21 +655,17 @@ option: List('dlvrecord', attribute=True, cli_name='dlv_rec',ist('dlvrecord', at option: List('dnamerecord', attribute=True, cli_name='dname_rec',ist('dnamerecord', attribute=True, cli_name='dname_rec', doc='comma-separated list of DNAME records', label='DNAME record', multivalue=True, query=True, required=False) option: List('dnskeyrecord', attribute=True, cli_name='dnskey_rec',ist('dnskeyrecord', attribute=True, cli_name='dnskey_rec', doc='comma-separated list of DNSKEY records', label='DNSKEY record', multivalue=True, query=True, required=False) option: List('dsrecord', attribute=True, cli_name='ds_rec',ist('dsrecord', attribute=True, cli_name='ds_rec', doc='comma-separated list of DS records', label='DS record', multivalue=True, query=True, required=False) -option: List('hinforecord', attribute=True, cli_name='hinfo_rec',ist('hinforecord', attribute=True, cli_name='hinfo_rec', doc='comma-separated list of HINFO records', label='HINFO record', multivalue=True, query=True, required=False) option: List('hiprecord', attribute=True, cli_name='hip_rec',ist('hiprecord', attribute=True, cli_name='hip_rec', doc='comma-separated list of HIP records', label='HIP record', multivalue=True, query=True, required=False) option: List('ipseckeyrecord', attribute=True, cli_name='ipseckey_rec',ist('ipseckeyrecord', attribute=True, cli_name='ipseckey_rec', doc='comma-separated list of IPSECKEY records', label='IPSECKEY record', multivalue=True, query=True, required=False) option: List('keyrecord', attribute=True, cli_name='key_rec',ist('keyrecord', attribute=True, cli_name='key_rec', doc='comma-separated list of KEY records', label='KEY record', multivalue=True, query=True, required=False) option: List('kxrecord', attribute=True, cli_name='kx_rec',ist('kxrecord', attribute=True, cli_name='kx_rec', doc='comma-separated list of KX records', label='KX record', multivalue=True, query=True, required=False) option: List('locrecord', attribute=True, 
cli_name='loc_rec',ist('locrecord', attribute=True, cli_name='loc_rec', doc='comma-separated list of LOC records', label='LOC record', multivalue=True, query=True, required=False) -option: List('mdrecord', attribute=True, cli_name='md_rec',ist('mdrecord', attribute=True, cli_name='md_rec', doc='comma-separated list of MD records', label='MD record', multivalue=True, query=True, required=False) -option: List('minforecord', attribute=True, cli_name='minfo_rec',ist('minforecord', attribute=True, cli_name='minfo_rec', doc='comma-separated list of MINFO records', label='MINFO record', multivalue=True, query=True, required=False) option: List('mxrecord', attribute=True, cli_name='mx_rec',ist('mxrecord', attribute=True, cli_name='mx_rec', doc='comma-separated list of MX records', label='MX record', multivalue=True, query=True, required=False) option: List('naptrrecord', attribute=True, cli_name='naptr_rec',ist('naptrrecord', attribute=True, cli_name='naptr_rec', doc='comma-separated list of NAPTR records', label='NAPTR record', multivalue=True, query=True, required=False) option: List('nsrecord', attribute=True, cli_name='ns_rec',ist('nsrecord', attribute=True, cli_name='ns_rec', doc='comma-separated list of NS records', label='NS record', multivalue=True, query=True, required=False) option: List('nsecrecord', attribute=True, cli_name='nsec_rec',ist('nsecrecord', attribute=True, cli_name='nsec_rec', doc='comma-separated list of NSEC records', label='NSEC record', multivalue=True, query=True, required=False) option: List('nsec3record', attribute=True, cli_name='nsec3_rec',ist('nsec3record', attribute=True, cli_name='nsec3_rec', doc='comma-separated list of NSEC3 records', label='NSEC3 record', multivalue=True, query=True, required=False) option: List('nsec3paramrecord', attribute=True, cli_name='nsec3param_rec',ist('nsec3paramrecord', attribute=True, cli_name='nsec3param_rec', doc='comma-separated list of NSEC3PARAM records', label='NSEC3PARAM record', multivalue=True, 
query=True, required=False) -option: List('nxtrecord', attribute=True, cli_name='nxt_rec',ist('nxtrecord', attribute=True, cli_name='nxt_rec', doc='comma-separated list of NXT records', label='NXT record', multivalue=True, query=True, required=False) option: List('ptrrecord', attribute=True, cli_name='ptr_rec',ist('ptrrecord', attribute=True, cli_name='ptr_rec', doc='comma-separated list of PTR records', label='PTR record', multivalue=True, query=True, required=False) option: List('rrsigrecord', attribute=True, cli_name='rrsig_rec',ist('rrsigrecord', attribute=True, cli_name='rrsig_rec', doc='comma-separated list of RRSIG records', label='RRSIG record', multivalue=True, query=True, required=False) option: List('rprecord', attribute=True, cli_name='rp_rec',ist('rprecord', attribute=True, cli_name='rp_rec', doc='comma-separated list of RP records', label='RP record', multivalue=True, query=True, required=False) diff --git a/ipalib/plugins/dns.py b/ipalib/plugins/dns.py index ed117e2..fea48db 100644 --- a/ipalib/plugins/dns.py +++ b/ipalib/plugins/dns.py @@ -84,10 +84,10 @@ from ipapython import dnsclient # supported resource record types _record_types = ( u'A', u'AAAA', u'A6', u'AFSDB', u'APL', u'CERT', u'CNAME', u'DHCID', u'DLV', - u'DNAME', u'DNSKEY', u'DS', u'HINFO', u'HIP', u'IPSECKEY', u'KEY', u'KX', - u'LOC', u'MD', u'MINFO', u'MX', u'NAPTR', u'NS', u'NSEC', u'NSEC3', - u'NSEC3PARAM', u'NXT', u'PTR', u'RRSIG', u'RP', u'SIG', u'SPF', u'SRV', - u'SSHFP', u'TA', u'TKEY', u'TSIG', u'TXT', + u'DNAME', u'DNSKEY', u'DS', u'HIP', u'IPSECKEY', u'KEY', u'KX', u'LOC', + u'MX', u'NAPTR', u'NS', u'NSEC', u'NSEC3', u'NSEC3PARAM', u'PTR', + u'RRSIG', u'RP', u'SIG', u'SPF', u'SRV', u'SSHFP', u'TA', u'TKEY', + u'TSIG', u'TXT', ) # attributes derived from record types -- 1.7.4 From dpal at redhat.com Fri Feb 11 14:26:41 2011 
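Review bot: In the `_record_types` hunk of ipalib/plugins/dns.py, `u'HINFO'` is dropped together with `u'MD'`, `u'MINFO'` and `u'NXT'`, but only the latter three fit the "deprecated" of the subject line (MD and MINFO are the obsolete/experimental RFC 1035 types, NXT was obsoleted by NSEC); HINFO is still a current RFC 1035 type, so either keep it in the tuple or say in the commit message why it goes. Also, since the comment right after the tuple says the LDAP attributes are derived from it, zone entries that already hold hinforecord/mdrecord/minforecord/nxtrecord values will silently stop being visible through dnsrecord-find/dnsrecord-show after this change, and the patch carries no check or migration note for that.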
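Review bot: The API.txt hunks at @@ -644 and @@ -667 only drop the four List options and adjust the dnsrecord_find count from `args: 2,46,4` to `args: 2,42,4`, which matches, but removing options from a published command is an API change; the diff touches only API.txt and dns.py, so confirm whether the API version needs bumping as well, as the makeapi --validate thread on this list asks for whenever command options change.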
From: dpal at redhat.com (Dmitri Pal) Date: Fri, 11 Feb 2011 09:26:41 -0500 Subject: [Freeipa-devel] Help define the roles IPA has by default In-Reply-To: <4D548215.7090906@redhat.com> References: <4D540E6F.5090303@redhat.com> <4D5444F5.5020604@redhat.com> <4D545887.7080204@redhat.com> <4D548215.7090906@redhat.com> Message-ID: <4D554721.7040809@redhat.com> On 02/10/2011 07:25 PM, David O'Brien wrote: > Dmitri Pal wrote: >> On 02/10/2011 03:05 PM, Jakub Hrozek wrote: >>> On 02/10/2011 05:12 PM, Rob Crittenden wrote: >>>> But what other roles do we need? The mind boggles and rather than >>>> dictating what the initial ones will be I'm looking for some >>>> guidance/suggestions. >>>> >>>> thanks >>>> >>>> rob >>> I'm actually wondering if we need to define many default roles in the >>> upstream project. I'm thinking that every organization will have >>> different needs and different ways of role delegation anyway, so I >>> would rather make sure this feature is well documented with examples >>> and use cases. >>> >>> _______________________________________________ >>> Freeipa-devel mailing list >>> Freeipa-devel at redhat.com >>> https://www.redhat.com/mailman/listinfo/freeipa-devel >> >> I think that a reasonable set of 3-5 roles and documentation how to >> change them should be sufficient. >> > I agree. On top of what Dmitri has already sent out, this thread is a > really good continuation of documenting delegation, permissions, > roles, etc., especially because this area is so different from v1. If > we look at it from two perspectives, one being What does IPA need to > function?, and the other being What do customers need?, then we can > probably come up with a short list and provide some basic use cases, > descriptions, and examples. > > Dmitri's list of 5 is good, although I would suggest settling on a > naming format, by which I mean rather than a combination of > person-based and role-based names, use a consistent format. 
Security > Architect & IPA Administrator are people (faiap), while Helpdesk is a > department. Anyway, you get the idea. > > We've already started with Name, Description, Goals; with a few use > cases I can put together short sections with links to existing docs on > how to use the relevant commands, or write them as needed. > > cheers Sounds like a good idea. -- Thank you, Dmitri Pal Sr. Engineering Manager IPA project, Red Hat Inc. ------------------------------- Looking to carve out IT costs? www.redhat.com/carveoutcosts/ From rcritten at redhat.com Fri Feb 11 14:37:08 2011 From: rcritten at redhat.com (Rob Crittenden) Date: Fri, 11 Feb 2011 09:37:08 -0500 Subject: [Freeipa-devel] [PATCH] fix build Message-ID: <4D554994.2060406@redhat.com> We were missing a BuildRequires for pyOpenSSL that was causing the build to fail in mock. This fixes a build failure, pushed as a 1-liner. diff --git a/freeipa.spec.in b/freeipa.spec.in index 729c7a2..69945db 100644 --- a/freeipa.spec.in +++ b/freeipa.spec.in @@ -51,6 +51,7 @@ BuildRequires: libcurl-devel BuildRequires: gettext BuildRequires: authconfig BuildRequires: libuuid-devel +BuildRequires: pyOpenSSL %endif %description From rcritten at redhat.com Fri Feb 11 14:51:57 2011 
From: rcritten at redhat.com (Rob Crittenden) Date: Fri, 11 Feb 2011 09:51:57 -0500 Subject: [Freeipa-devel] [PATCH] 714 fix dogtag installation In-Reply-To: <20110211100020.GA9354@zeppelin.brq.redhat.com> References: <4D54AA3E.8010803@redhat.com> <20110211100020.GA9354@zeppelin.brq.redhat.com> Message-ID: <4D554D0D.1010700@redhat.com> Jakub Hrozek wrote: > On Thu, Feb 10, 2011 at 10:17:18PM -0500, Rob Crittenden wrote: >> Reset file ownership after calling update_file() and >> set_preference() in installutils. Out of the blue these would change >> file ownership to root:root which was breaking a dogtag profile. >> >> This fixes the error from cert-request: FAILURE (Profile >> caIPAserviceCert Not Found) >> >> ticket 928 >> >> rob > > Ack pushed to master From rcritten at redhat.com Fri Feb 11 15:12:38 2011 
From: rcritten at redhat.com (Rob Crittenden) Date: Fri, 11 Feb 2011 10:12:38 -0500 Subject: [Freeipa-devel] Help define the roles IPA has by default In-Reply-To: <4D554721.7040809@redhat.com> References: <4D540E6F.5090303@redhat.com> <4D5444F5.5020604@redhat.com> <4D545887.7080204@redhat.com> <4D548215.7090906@redhat.com> <4D554721.7040809@redhat.com> Message-ID: <4D5551E6.9040801@redhat.com> Dmitri Pal wrote: > On 02/10/2011 07:25 PM, David O'Brien wrote: >> Dmitri Pal wrote: >>> On 02/10/2011 03:05 PM, Jakub Hrozek wrote: >>>> On 02/10/2011 05:12 PM, Rob Crittenden wrote: >>>>> But what other roles do we need? The mind boggles and rather than >>>>> dictating what the initial ones will be I'm looking for some >>>>> guidance/suggestions. >>>>> >>>>> thanks >>>>> >>>>> rob >>>> I'm actually wondering if we need to define many default roles in the >>>> upstream project. I'm thinking that every organization will have >>>> different needs and different ways of role delegation anyway, so I >>>> would rather make sure this feature is well documented with examples >>>> and use cases. >>>> >>>> _______________________________________________ >>>> Freeipa-devel mailing list >>>> Freeipa-devel at redhat.com >>>> https://www.redhat.com/mailman/listinfo/freeipa-devel >>> >>> I think that a reasonable set of 3-5 roles and documentation how to >>> change them should be sufficient. >>> >> I agree. On top of what Dmitri has already sent out, this thread is a >> really good continuation of documenting delegation, permissions, >> roles, etc., especially because this area is so different from v1. If >> we look at it from two perspectives, one being What does IPA need to >> function?, and the other being What do customers need?, then we can >> probably come up with a short list and provide some basic use cases, >> descriptions, and examples. 
>> >> Dmitri's list of 5 is good, although I would suggest settling on a >> naming format, by which I mean rather than a combination of >> person-based and role-based names, use a consistent format. Security >> Architect & IPA Administrator are people (faiap), while Helpdesk is a >> department. Anyway, you get the idea. >> >> We've already started with Name, Description, Goals; with a few use >> cases I can put together short sections with links to existing docs on >> how to use the relevant commands, or write them as needed. >> >> cheers > Sounds like a good idea. >

Well, some of these roles don't really match what we are shipping in v2. There is no place for Application Administrator at all and End User is implicit. So that leaves 3 roles. If we go with these we'll need to add some additional permissions/privileges to support it.

If we go with this, here is what we're looking at. Also note that the role "IPA Administrator" is distinct from the group cn=admins which gives pretty much global access. Those that need additional permissions/privileges are marked with the ticket number.

* Security Architect
* IPA config (950)
* Replication
* Define delegation of roles to other, lower-level administrators

* IPA Administrator
* Define and create groups (and delete?)
* Define the relationships between groups (what does this mean?)
* Define and create roles for users and groups (what does this mean?)
* Create nested groups (I don't know if we can have an aci for this)

* Help Desk
* Review what groups are enabled on what hosts (what does this mean, all groups are enabled on all hosts, right?)
* Set up/manage a user's attributes
* Place a user in a specific group
* Reset a user password

This is a good start but it completely leaves out the following:

* Users (helpdesk can modify & reset password, nobody can add/delete)
* Host management
* Service management
* Hostgroups
* SUDO
* HBAC
* netgroups
* DNS
* Automount

rob

From rcritten at redhat.com Fri Feb 11 15:30:09 2011
From: rcritten at redhat.com (Rob Crittenden) Date: Fri, 11 Feb 2011 10:30:09 -0500 Subject: [Freeipa-devel] [PATCH] 028 Extend API validator In-Reply-To: <1297339315.3003.14.camel@dhcp-25-52.brq.redhat.com> References: <1297339315.3003.14.camel@dhcp-25-52.brq.redhat.com> Message-ID: <4D555601.8090600@redhat.com> Martin Kosek wrote: > makeapi script is used to check if ipalib API is consistent with the > known state in API.txt. When the API is changed, major API version > should be updated. However, when new options/arguments/outputs were > added to an ipalib command, `makeapi --validate' call did not capture > this. > > This patch fixes this issue and ensures that also the last command > in API.txt is checked (it was not before this patch). > > https://fedorahosted.org/freeipa/ticket/868 ack, pushed to master rob From rcritten at redhat.com Fri Feb 11 15:34:47 2011 
From: rcritten at redhat.com (Rob Crittenden) Date: Fri, 11 Feb 2011 10:34:47 -0500 Subject: [Freeipa-devel] [PATCH] 029 ipa-dns-install does not exit on error In-Reply-To: <1297410323.2984.8.camel@dhcp-25-52.brq.redhat.com> References: <1297344269.3003.15.camel@dhcp-25-52.brq.redhat.com> <4D543546.1030904@redhat.com> <1297410323.2984.8.camel@dhcp-25-52.brq.redhat.com> Message-ID: <4D555717.7010707@redhat.com> Martin Kosek wrote: > On Thu, 2011-02-10 at 13:58 -0500, Rob Crittenden wrote: >> Martin Kosek wrote: >>> This patch fixes behavior of ipa-dns-install, which does not >>> exit when an invalid configuration of /etc/hosts is detected. >>> >>> https://fedorahosted.org/freeipa/ticket/736 >> >> I'm not positive but was the address info checking done within the try >> to catch any possible exception? >> >> This code dates back to very early IPA code (say 4 years old or so) when >> we were pretty new to python and sometimes catching things in a very >> broad way. >> >> Is it possible that running through the addresses could raise an >> unhandled exception? >> >> rob > > Rob, thanks for the review. Well, I think the unhandled code should not > raise any exception - we are not calling any external function, just > going through an array. But to bulletproof it, I have added a check just > to be sure that we do it right even when socket.getaddrinfo would return > empty result and did not raise an exception. Patch is attached. > > I moved the exception handling closer to the socket.getaddrinfo to > actually be able to easily call sys.exit(). > > Martin I modified your patch very slightly to add a period to the end of "Please fix your /etc/hosts file" as requested in the ticket. Ack, pushed to master rob From rcritten at redhat.com Fri Feb 11 15:36:29 2011
From: rcritten at redhat.com (Rob Crittenden) Date: Fri, 11 Feb 2011 10:36:29 -0500 Subject: [Freeipa-devel] [PATCH] 708 move nscd disablement code In-Reply-To: <20110210100142.GC27864@zeppelin.brq.redhat.com> References: <4D52E3AA.50506@redhat.com> <20110210100142.GC27864@zeppelin.brq.redhat.com> Message-ID: <4D55577D.7000204@redhat.com> Jakub Hrozek wrote: > On Wed, Feb 09, 2011 at 01:57:46PM -0500, Rob Crittenden wrote: >> Disable nscd before starting sssd. We used to disable it after >> configuring sssd which would cause a warning message to appear in >> /var/log/messages from sssd. This was in effect bogus because we >> killed nscd as the very next step after starting sssd but lets not >> confuse our users. >> >> ticket 743 >> >> rob > > Ack pushed to master From rcritten at redhat.com Fri Feb 11 15:36:46 2011 From: rcritten at redhat.com (Rob Crittenden) Date: Fri, 11 Feb 2011 10:36:46 -0500 Subject: [Freeipa-devel] [PATCH] 709 set minimum version of sssd to 1.5.1. In-Reply-To: <20110210095507.GA27864@zeppelin.brq.redhat.com> References: <4D52EABA.2080608@redhat.com> <20110210095507.GA27864@zeppelin.brq.redhat.com> Message-ID: <4D55578E.6020803@redhat.com> Jakub Hrozek wrote: > On Wed, Feb 09, 2011 at 02:27:54PM -0500, Rob Crittenden wrote: >> Title says it all. >> >> ticket 926 >> >> rob > > Ack pushed to master From rcritten at redhat.com Fri Feb 11 15:37:32 2011 
From: rcritten at redhat.com (Rob Crittenden) Date: Fri, 11 Feb 2011 10:37:32 -0500 Subject: [Freeipa-devel] [PATCH] 712 drop kw from JSON error In-Reply-To: <20110211100509.GB9354@zeppelin.brq.redhat.com> References: <4D5430EC.4060502@redhat.com> <20110211100509.GB9354@zeppelin.brq.redhat.com> Message-ID: <4D5557BC.6040906@redhat.com> Jakub Hrozek wrote: > On Thu, Feb 10, 2011 at 01:39:40PM -0500, Rob Crittenden wrote: >> The kw could contain another exception which was blowing up the >> marshalling. It doesn't seem to be used anywhere and contains >> information we've already saved in error as far as I can tell. >> >> ticket 905 >> >> rob > > Ack pushed to master From rcritten at redhat.com Fri Feb 11 15:55:44 2011 From: rcritten at redhat.com (Rob Crittenden) Date: Fri, 11 Feb 2011 10:55:44 -0500 Subject: [Freeipa-devel] [PATCH] 716 ignore case when removing members Message-ID: <4D555C00.1000904@redhat.com> Ignore case when removing members from a group. ticket 944 rob -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-rcrit-716-member.patch Type: application/mbox Size: 7170 bytes Desc: not available URL: From dpal at redhat.com Fri Feb 11 16:00:31 2011 
From: dpal at redhat.com (Dmitri Pal) Date: Fri, 11 Feb 2011 11:00:31 -0500 Subject: [Freeipa-devel] Help define the roles IPA has by default In-Reply-To: <4D5551E6.9040801@redhat.com> References: <4D540E6F.5090303@redhat.com> <4D5444F5.5020604@redhat.com> <4D545887.7080204@redhat.com> <4D548215.7090906@redhat.com> <4D554721.7040809@redhat.com> <4D5551E6.9040801@redhat.com> Message-ID: <4D555D1F.9000208@redhat.com> On 02/11/2011 10:12 AM, Rob Crittenden wrote: > Dmitri Pal wrote: >> On 02/10/2011 07:25 PM, David O'Brien wrote: >>> Dmitri Pal wrote: >>>> On 02/10/2011 03:05 PM, Jakub Hrozek wrote: >>>>> On 02/10/2011 05:12 PM, Rob Crittenden wrote: >>>>>> But what other roles do we need? The mind boggles and rather than >>>>>> dictating what the initial ones will be I'm looking for some >>>>>> guidance/suggestions. >>>>>> >>>>>> thanks >>>>>> >>>>>> rob >>>>> I'm actually wondering if we need to define many default roles in the >>>>> upstream project. I'm thinking that every organization will have >>>>> different needs and different ways of role delegation anyway, so I >>>>> would rather make sure this feature is well documented with examples >>>>> and use cases. >>>>> >>>>> _______________________________________________ >>>>> Freeipa-devel mailing list >>>>> Freeipa-devel at redhat.com >>>>> https://www.redhat.com/mailman/listinfo/freeipa-devel >>>> >>>> I think that a reasonable set of 3-5 roles and documentation how to >>>> change them should be sufficient. >>>> >>> I agree. On top of what Dmitri has already sent out, this thread is a >>> really good continuation of documenting delegation, permissions, >>> roles, etc., especially because this area is so different from v1. If >>> we look at it from two perspectives, one being What does IPA need to >>> function?, and the other being What do customers need?, then we can >>> probably come up with a short list and provide some basic use cases, >>> descriptions, and examples. 
>>> >>> Dmitri's list of 5 is good, although I would suggest settling on a >>> naming format, by which I mean rather than a combination of >>> person-based and role-based names, use a consistent format. Security >>> Architect & IPA Administrator are people (faiap), while Helpdesk is a >>> department. Anyway, you get the idea. >>> >>> We've already started with Name, Description, Goals; with a few use >>> cases I can put together short sections with links to existing docs on >>> how to use the relevant commands, or write them as needed. >>> >>> cheers >> Sounds like a good idea. >> > > Well, some of these roles don't really match what we are shipping in > v2. There is no place for Application Administrator at all and End > User is implicit. So that leaves 3 roles. If we go with these we'll > need to add some additional permissions/privileges to support it. > > If we go with this, here is what we're looking at. Also note that the > role "IPA Administrator" is distinct from the group cn=admins which > gives pretty much global access. Those that need additional > permissions/privileges are marked with the ticket number. > > * Security Architect > * IPA config (950) > * Replication > * Define delegation of roles to other, lower-level administrators > > * IPA Administrator > * Define and create groups (and delete?) > * Define the relationships between groups (what does this mean?) > * Define and create roles for users and groups (what does this mean?) > * Create nested groups (I don't know if we can have an aci for this) > > * Help Desk > * Review what groups are enabled on what hosts (what does this mean, > all groups are enabled on all hosts, right?) 
This means he can read HBAC rules > * Set up/manage a user's attributes > * Place a user in a specific group > * Reset a user password > > This is a good start but it completely leaves out the following: > > * Users (helpdesk can modify & reset password, nobody can add/delete) > * Host management > * Service management > * Hostgroups > * SUDO > * HBAC > * netgroups > * DNS > * Automount > > rob >

How about this layout

Helpdesk Engineer
* Edit users
* Reset passwords
* Add/remove group membership
* Troubleshoot the HBAC (in future but not modify the HBAC rules themselves)

User administrator - the person who is responsible for creating users and groups. This is instead of the IPA administrator above.
* Users - full control
* Groups - full control

IT Specialist
* Hosts full control
* Hostgroups full control
* Services full control
* DNS full control
* Automount

IT Security Specialist - includes all of the above +
* Netgroups
* SUDO
* HBAC

Security Architect
* IPA config
* Password policies
* Kerberos config
* Replication
* Define delegation of roles to other, lower-level administrators

Did I miss anything?

> _______________________________________________ > Freeipa-devel mailing list > Freeipa-devel at redhat.com > https://www.redhat.com/mailman/listinfo/freeipa-devel > > -- Thank you, Dmitri Pal Sr. Engineering Manager IPA project, Red Hat Inc. ------------------------------- Looking to carve out IT costs? www.redhat.com/carveoutcosts/ From ayoung at redhat.com Fri Feb 11 17:50:52 2011
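The role / privilege / permission layering this thread is designing, as an added example (not FreeIPA's permission, privilege or role plugins and not its shipped ACIs): it encodes two roles from the layout proposed above (Helpdesk Engineer and User administrator) as roles built from privileges built from permissions, renders each permission the way a 389-ds style ACI would express it, and answers "can this role do X?", so the least-privilege properties (helpdesk can reset passwords but neither add nor delete users, and can read but not write HBAC) can be asserted before anything is loaded into the directory. The suffix, container names, attribute lists, privilege names and ACI wording are assumptions made for the example.

```python
"""Roles built from privileges built from permissions, rendered as ACIs.

Added example; not FreeIPA code. Suffix, container DNs, attribute lists
and the ACI wording are assumptions chosen to make the roles concrete.
"""
from dataclasses import dataclass
from typing import FrozenSet, List, Optional, Tuple

SUFFIX = 'dc=example,dc=com'            # assumed base DN
USERS = 'cn=users,cn=accounts'          # assumed containers, relative to SUFFIX
GROUPS = 'cn=groups,cn=accounts'
HBAC = 'cn=hbac'


@dataclass(frozen=True)
class Permission:
    """One low-level grant: rights on a subtree, optionally limited to attributes."""
    name: str
    rights: FrozenSet[str]           # any of read, write, add, delete
    subtree: str
    attrs: Tuple[str, ...] = ()      # () means the whole entry


@dataclass(frozen=True)
class Privilege:
    name: str
    permissions: Tuple[Permission, ...]


@dataclass(frozen=True)
class Role:
    name: str
    privileges: Tuple[Privilege, ...]


# Permissions (constructed; the attribute lists are illustrative)
MODIFY_USERS = Permission('Modify Users', frozenset({'write'}), USERS,
                          ('givenname', 'sn', 'mail', 'telephonenumber', 'title'))
RESET_PASSWORD = Permission('Change a user password', frozenset({'write'}), USERS,
                            ('userpassword', 'krbprincipalkey', 'passwordhistory'))
ADD_USERS = Permission('Add Users', frozenset({'add'}), USERS)
REMOVE_USERS = Permission('Remove Users', frozenset({'delete'}), USERS)
GROUP_MEMBERSHIP = Permission('Modify Group membership', frozenset({'write'}), GROUPS, ('member',))
ADD_GROUPS = Permission('Add Groups', frozenset({'add'}), GROUPS)
REMOVE_GROUPS = Permission('Remove Groups', frozenset({'delete'}), GROUPS)
READ_HBAC = Permission('Read HBAC rules', frozenset({'read'}), HBAC)

# Two roles from the layout proposed in the thread
HELPDESK = Role('Helpdesk Engineer', (
    Privilege('User Editors', (MODIFY_USERS,)),
    Privilege('Password Reset', (RESET_PASSWORD,)),
    Privilege('Group Membership Editors', (GROUP_MEMBERSHIP,)),
    Privilege('HBAC Readers', (READ_HBAC,)),   # troubleshoot HBAC, not modify it
))
USER_ADMIN = Role('User Administrator', (
    Privilege('User Administrators', (ADD_USERS, REMOVE_USERS, MODIFY_USERS, RESET_PASSWORD)),
    Privilege('Group Administrators', (ADD_GROUPS, REMOVE_GROUPS, GROUP_MEMBERSHIP)),
))


def permissions_of(role: Role) -> List[Permission]:
    """Flatten role -> privileges -> permissions, dropping duplicates."""
    seen, out = set(), []
    for priv in role.privileges:
        for perm in priv.permissions:
            if perm.name not in seen:
                seen.add(perm.name)
                out.append(perm)
    return out


def can(role: Role, right: str, subtree: str, attr: Optional[str] = None) -> bool:
    """True if some permission of the role grants `right` on `subtree`.

    attr=None asks about any attribute; with a name, an attribute-limited
    permission must list it (attribute names compare case-insensitively).
    """
    for perm in permissions_of(role):
        if right not in perm.rights or perm.subtree != subtree:
            continue
        if not perm.attrs or attr is None or attr.lower() in perm.attrs:
            return True
    return False


def render_aci(perm: Permission) -> str:
    """Render a permission as a 389-ds style ACI granting it to its permission group."""
    target = 'ldap:///%s,%s' % (perm.subtree, SUFFIX)
    group = 'ldap:///cn=%s,cn=permissions,cn=pbac,%s' % (perm.name, SUFFIX)
    aci = '(target = "%s")' % target
    if perm.attrs:
        aci += '(targetattr = "%s")' % ' || '.join(perm.attrs)
    aci += '(version 3.0;acl "permission:%s";allow (%s) groupdn = "%s";)' % (
        perm.name, ','.join(sorted(perm.rights)), group)
    return aci


def audit(role: Role, must_not: List[Tuple[str, str]]) -> List[Tuple[str, str]]:
    """Return the (right, subtree) pairs the role can exercise but should not."""
    return [(r, s) for r, s in must_not if can(role, r, s)]


if __name__ == '__main__':
    for perm in permissions_of(HELPDESK):
        print(render_aci(perm))
    print('helpdesk violations:', audit(HELPDESK, [('add', USERS), ('delete', USERS), ('write', HBAC)]))
```

The `audit()` call is the useful part in practice: list the things a role must never be able to do and run it whenever the permission set behind a role changes, since a privilege added for convenience can quietly widen a role well beyond its description.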
From: ayoung at redhat.com (Adam Young) Date: Fri, 11 Feb 2011 12:50:52 -0500 Subject: [Freeipa-devel] [PATCH] admiyo-0192-column-formatting In-Reply-To: <4D54764A.4010104@redhat.com> References: <4D545DD8.9070708@redhat.com> <4D546461.6050503@redhat.com> <4D546E2B.90309@redhat.com> <4D54764A.4010104@redhat.com> Message-ID: <4D5576FC.2080302@redhat.com> On 02/10/2011 06:35 PM, Endi Sukma Dewata wrote: > On 2/10/2011 5:00 PM, Adam Young wrote: >>> Should we use one of these functions? >>> http://www.w3schools.com/jsref/jsref_tostring_date.asp >>> http://www.w3schools.com/jsref/jsref_tolocalestring.asp >>> http://www.w3schools.com/jsref/jsref_toutcstring.asp > >> Our dates are not considered valid dates, so we can't just use them. > > Isn't it a valid UTC time? We can parse it like what you're doing now > using substring(), then use the values to construct a Date object in > JS. Then we can invoke one of the above methods to display a properly > formatted date. > Using Date format, but only for GMT -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-admiyo-0192-2-column-formatting.patch Type: text/x-patch Size: 4367 bytes Desc: not available URL: From ayoung at redhat.com Fri Feb 11 17:52:23 2011
From: ayoung at redhat.com (Adam Young) Date: Fri, 11 Feb 2011 12:52:23 -0500 Subject: [Freeipa-devel] [PATCH] admiyo-0191-target-section-without-radio-buttons In-Reply-To: <4D5478D4.6090106@redhat.com> References: <4D533A31.6060607@redhat.com> <4D538209.8080301@redhat.com> <4D544443.3090201@redhat.com> <4D54460F.2020304@redhat.com> <4D545857.90307@redhat.com> <4D545BB8.3010505@redhat.com> <4D546E6C.9070000@redhat.com> <4D5478D4.6090106@redhat.com> Message-ID: <4D557757.6060108@redhat.com> On 02/10/2011 06:46 PM, Endi Sukma Dewata wrote: > On 2/10/2011 5:02 PM, Adam Young wrote: >> On 02/10/2011 04:42 PM, Endi Sukma Dewata wrote: >>> On 2/10/2011 3:27 PM, Adam Young wrote: >>>> >>> >>> NACK. As discussed over IRC, the "is_dirty" functionality is not >>> working for permissions that have an "object by type" target. >>> >> Was worse than that, load was broken. > > It still has some problems: > > 1. Updating a permission with a filter doesn't work. Clicking the > update button didn't execute anything, the undo button didn't disappear. > > 2. Resetting the user details page is not working properly, some > fields did not get reset. I think the addition of undo_span in > widgets.js is not needed and causing a problem because not all > (custom) widgets will call create_undo(). > Filter not set was due to incomplete filter_text attribute-rights work around. undo_span is now wrapped in a jquery select, so that if there is no undo, it works correctly. -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-admiyo-0191-target-section-without-radio-buttons.patch Type: text/x-patch Size: 20917 bytes Desc: not available URL: From rcritten at redhat.com Fri Feb 11 18:27:40 2011
From: rcritten at redhat.com (Rob Crittenden) Date: Fri, 11 Feb 2011 13:27:40 -0500 Subject: [Freeipa-devel] [PATCH] 76 Fallback to default locale (en_US) if env. setting is corrupt. In-Reply-To: <4D4FF421.2020100@redhat.com> References: <4D4FF421.2020100@redhat.com> Message-ID: <4D557F9C.4010508@redhat.com> Pavel Zuna wrote: > This is a follow-up to my patches 69 and 71 (70 is garbage). > > It prevents a crash when user misconfigures his locale settings. > > Pavel The trio of patches work great but some of the unit tests break, can you take a look at those? rob From rcritten at redhat.com Fri Feb 11 18:28:37 2011 From: rcritten at redhat.com (Rob Crittenden) Date: Fri, 11 Feb 2011 13:28:37 -0500 Subject: [Freeipa-devel] [PATCH] 050 Fix migration page In-Reply-To: <4D529323.30708@redhat.com> References: <4D5291FF.2020503@redhat.com> <4D529323.30708@redhat.com> Message-ID: <4D557FD5.6060307@redhat.com> Pavel Zuna wrote: > On 02/09/2011 02:09 PM, Jakub Hrozek wrote: >> During some UI rewrite, the password migration form completely lost the >> action= field and defaulted to GET instead of POST. > > ACK. > > Pavel pushed to master From rcritten at redhat.com Fri Feb 11 18:34:39 2011 
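The regression fixed in patch 050 above (the migration form lost its action/method and so submitted the password with GET) is easy to re-introduce during UI rewrites; the following is an added check, not FreeIPA code or its migration page, that walks an HTML page and reports any form containing a password field whose method is not POST. With GET the password lands in the query string, browser history, Referer headers and server access logs. The two sample pages and the paths in them are constructed for the example.

```python
"""Report HTML forms that would submit a password via GET.

Added example; not FreeIPA's migration page or its fix. The sample pages
below are constructed and their action paths are placeholders.
"""
from html.parser import HTMLParser
from typing import Dict, List, Optional


class PasswordFormAuditor(HTMLParser):
    """Collect every <form> and whether it carries an <input type=password>."""

    def __init__(self) -> None:
        super().__init__()
        self.forms: List[Dict[str, object]] = []
        self._current: Optional[Dict[str, object]] = None

    def handle_starttag(self, tag, attrs):
        a = {k.lower(): (v or '') for k, v in attrs}
        if tag == 'form':
            # Browsers fall back to GET when method is missing or empty.
            method = a.get('method', 'get').strip().lower() or 'get'
            self._current = {'action': a.get('action', ''), 'method': method,
                             'has_password': False}
            self.forms.append(self._current)
        elif tag == 'input' and self._current is not None:
            if a.get('type', 'text').strip().lower() == 'password':
                self._current['has_password'] = True

    def handle_endtag(self, tag):
        if tag == 'form':
            self._current = None


def find_leaky_forms(html: str) -> List[Dict[str, object]]:
    """Return the forms that contain a password field but do not POST."""
    auditor = PasswordFormAuditor()
    auditor.feed(html)
    auditor.close()
    return [f for f in auditor.forms if f['has_password'] and f['method'] != 'post']


# Constructed samples: the regression (no action, no method -> GET) and the fix.
BROKEN_PAGE = """
<html><body>
<form>
  <input type="text" name="username">
  <input type="password" name="password">
  <input type="submit" value="Migrate">
</form>
</body></html>
"""

FIXED_PAGE = """
<html><body>
<form action="/migration" method="post">
  <input type="text" name="username">
  <input type="password" name="password">
  <input type="submit" value="Migrate">
</form>
<form action="/search" method="get">
  <input type="text" name="q">
</form>
</body></html>
"""

if __name__ == '__main__':
    for name, page in (('broken', BROKEN_PAGE), ('fixed', FIXED_PAGE)):
        for f in find_leaky_forms(page):
            print('%s: password form action=%r submits with %s'
                  % (name, f['action'], str(f['method']).upper()))
```

Run it over the rendered page (not the template) so that forms assembled by JavaScript or by server-side includes are covered too; a plain search form using GET is fine and is deliberately not reported.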
From: rcritten at redhat.com (Rob Crittenden) Date: Fri, 11 Feb 2011 13:34:39 -0500 Subject: [Freeipa-devel] [PATCH] 717 Add replace to ipa-ldap-updater Message-ID: <4D55813F.8040307@redhat.com> Add a replace verb to ipa-ldap-updater so an existing value can be replaced, but only if the value matches the old value in the update. This would be used for us to replace default values that the end-user hasn't already updated. The first one of these would be for the kerberos password policy where our default values are on the low side. We don't want to interfere with anything already set. The update file would look like:

dn: cn=global_policy,cn=$REALM,cn=kerberos,$SUFFIX
replace:krbPwdLockoutDuration: 10: 600

dn: cn=global_policy,cn=$REALM,cn=kerberos,$SUFFIX
replace:krbPwdMaxFailure: 3: 6

This patch would obsolete Jan's patch titled 'Updated default Kerberos password policy'. Simo and I had discussed doing something like this in IRC and hadn't communicated our intentions to the rest of the team, sorry about that. rob -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-rcrit-717-update.patch Type: application/mbox Size: 2057 bytes Desc: not available URL: From edewata at redhat.com Fri Feb 11 18:37:35 2011
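The conditional replace described in the mail above, as an added example (not the ipa-ldap-updater implementation): it parses the two-stanza update file quoted there, expands $REALM and $SUFFIX, and replaces a value only when the entry still holds the old default, so a lockout policy an administrator has already tuned is left alone. The update-file grammar and the in-memory directory (a dict of DN to attributes, standing in for LDAP) are assumptions made so the example runs offline.

```python
"""Conditional 'replace' verb for ipa-ldap-updater style update files.

Added example, not the ipa-ldap-updater code. The parser and the in-memory
directory (DN -> {attribute: [values]}) are assumptions; real updates go
through LDAP.
"""
import re
from typing import Dict, List, Tuple

Entry = Dict[str, List[str]]
Directory = Dict[str, Entry]
ReplaceOp = Tuple[str, str, str, str]   # (dn, attr, old, new)

# replace:<attr>: <old>: <new>   (values containing ':' are not supported here)
_REPLACE_RE = re.compile(r'^replace:([^:]+):\s*([^:]*?)\s*:\s*(.*?)\s*$')


def parse_updates(text: str, realm: str, suffix: str) -> List[ReplaceOp]:
    """Parse 'dn:' and 'replace:' lines, expanding $REALM and $SUFFIX."""
    ops: List[ReplaceOp] = []
    dn = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith('#'):
            continue
        if line.lower().startswith('dn:'):
            dn = line[3:].strip().replace('$REALM', realm).replace('$SUFFIX', suffix)
            continue
        m = _REPLACE_RE.match(line)
        if m:
            if dn is None:
                raise ValueError('replace: before any dn: line')
            ops.append((dn, m.group(1).strip(), m.group(2), m.group(3)))
            continue
        raise ValueError('unsupported update line: %r' % line)
    return ops


def apply_replace(directory: Directory, ops: List[ReplaceOp]) -> List[Tuple[str, str, str]]:
    """Apply each replace only where the entry still holds exactly `old`.

    Returns (dn, attr, outcome) triples; outcome is 'replaced',
    'skipped-differs', 'skipped-missing-attr' or 'skipped-missing-entry'.
    """
    results = []
    for dn, attr, old, new in ops:
        entry = directory.get(dn)
        if entry is None:
            results.append((dn, attr, 'skipped-missing-entry'))
            continue
        # LDAP attribute names are case-insensitive; find the stored spelling.
        key = next((k for k in entry if k.lower() == attr.lower()), None)
        if key is None:
            results.append((dn, attr, 'skipped-missing-attr'))
            continue
        if old in entry[key]:
            entry[key] = [new if v == old else v for v in entry[key]]
            results.append((dn, attr, 'replaced'))
        else:
            # The administrator already changed it: leave their value alone.
            results.append((dn, attr, 'skipped-differs'))
    return results


# The update file from the mail above.
UPDATE_FILE = """
dn: cn=global_policy,cn=$REALM,cn=kerberos,$SUFFIX
replace:krbPwdLockoutDuration: 10: 600

dn: cn=global_policy,cn=$REALM,cn=kerberos,$SUFFIX
replace:krbPwdMaxFailure: 3: 6
"""

POLICY_DN = 'cn=global_policy,cn=EXAMPLE.COM,cn=kerberos,dc=example,dc=com'


def demo():
    """Run the update against a stock policy and against one already tuned by hand."""
    ops = parse_updates(UPDATE_FILE, 'EXAMPLE.COM', 'dc=example,dc=com')
    # Constructed entries: 'stock' still has the shipped defaults, 'tuned' does not.
    stock = {POLICY_DN: {'krbPwdLockoutDuration': ['10'], 'krbPwdMaxFailure': ['3']}}
    tuned = {POLICY_DN: {'krbPwdLockoutDuration': ['1800'], 'krbPwdMaxFailure': ['3']}}
    return stock, tuned, apply_replace(stock, ops), apply_replace(tuned, ops)


if __name__ == '__main__':
    stock, tuned, stock_log, tuned_log = demo()
    print('stock ->', stock[POLICY_DN], stock_log)
    print('tuned ->', tuned[POLICY_DN], tuned_log)
```

The comparison is an exact string match on the old value, which is what makes the verb safe: a value that is merely "still low" but not the shipped default is treated as an administrator's choice and is not touched.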
From: edewata at redhat.com (Endi Sukma Dewata) Date: Fri, 11 Feb 2011 12:37:35 -0600 Subject: [Freeipa-devel] [PATCH] 711 Convert json strings to unicode In-Reply-To: <4D542FD1.5020409@redhat.com> References: <4D542FD1.5020409@redhat.com> Message-ID: <4D5581EF.60306@redhat.com> On 2/10/2011 12:34 PM, Rob Crittenden wrote: > Convert json strings to unicode when they are unmarshalled. > > This patch removes some individual work-arounds of converting strings to > unicode, they only masked the problem. String values are not passed to > the validator or normalizers so things like adding the realm > automatically to services weren't happening. > > ticket 941 ACK and pushed to master. -- Endi S. Dewata From rcritten at redhat.com Fri Feb 11 19:08:51 2011 From: rcritten at redhat.com (Rob Crittenden) Date: Fri, 11 Feb 2011 14:08:51 -0500 Subject: [Freeipa-devel] [PATCH] 718 move files in packages Message-ID: <4D558943.2020800@redhat.com> Move a bunch of utilities that really only make sense to be run on the server from the admintools package to the server package. ticket 947 rob -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-rcrit-718-spec.patch Type: application/mbox Size: 1844 bytes Desc: not available URL: From edewata at redhat.com Fri Feb 11 19:28:53 2011 
From: edewata at redhat.com (Endi Sukma Dewata) Date: Fri, 11 Feb 2011 13:28:53 -0600 Subject: [Freeipa-devel] [PATCH] admiyo-0191-target-section-without-radio-buttons In-Reply-To: <4D557757.6060108@redhat.com> References: <4D533A31.6060607@redhat.com> <4D538209.8080301@redhat.com> <4D544443.3090201@redhat.com> <4D54460F.2020304@redhat.com> <4D545857.90307@redhat.com> <4D545BB8.3010505@redhat.com> <4D546E6C.9070000@redhat.com> <4D5478D4.6090106@redhat.com> <4D557757.6060108@redhat.com> Message-ID: <4D558DF5.3030608@redhat.com> On 2/11/2011 11:52 AM, Adam Young wrote: > Filter not set was due to incomplete filter_text attribute-rights work > around > undo_span is now wrapped in jquery select, so that it there is no undo, > it works correctly. ACK. The filter problem is fixed in 192. -- Endi S. Dewata From edewata at redhat.com Fri Feb 11 19:29:31 2011 From: edewata at redhat.com (Endi Sukma Dewata) Date: Fri, 11 Feb 2011 13:29:31 -0600 Subject: [Freeipa-devel] [PATCH] admiyo-0192-column-formatting In-Reply-To: <4D5576FC.2080302@redhat.com> References: <4D545DD8.9070708@redhat.com> <4D546461.6050503@redhat.com> <4D546E2B.90309@redhat.com> <4D54764A.4010104@redhat.com> <4D5576FC.2080302@redhat.com> Message-ID: <4D558E1B.2050104@redhat.com> On 2/11/2011 11:50 AM, Adam Young wrote: > Using Date format, but only for GMT ACK. There's one jslint warning. -- Endi S. Dewata From ayoung at redhat.com Fri Feb 11 20:05:06 2011 
From: ayoung at redhat.com (Adam Young) Date: Fri, 11 Feb 2011 15:05:06 -0500 Subject: [Freeipa-devel] [PATCH] admiyo-0192-column-formatting In-Reply-To: <4D558E1B.2050104@redhat.com> References: <4D545DD8.9070708@redhat.com> <4D546461.6050503@redhat.com> <4D546E2B.90309@redhat.com> <4D54764A.4010104@redhat.com> <4D5576FC.2080302@redhat.com> <4D558E1B.2050104@redhat.com> Message-ID: <4D559672.9000005@redhat.com> On 02/11/2011 02:29 PM, Endi Sukma Dewata wrote: > On 2/11/2011 11:50 AM, Adam Young wrote: >> Using Date format, but only for GMT > > ACK. There's one jslint warning. > jslint warning fixed. Pushed to master From ayoung at redhat.com Fri Feb 11 20:05:16 2011 From: ayoung at redhat.com (Adam Young) Date: Fri, 11 Feb 2011 15:05:16 -0500 Subject: [Freeipa-devel] [PATCH] admiyo-0191-target-section-without-radio-buttons In-Reply-To: <4D558DF5.3030608@redhat.com> References: <4D533A31.6060607@redhat.com> <4D538209.8080301@redhat.com> <4D544443.3090201@redhat.com> <4D54460F.2020304@redhat.com> <4D545857.90307@redhat.com> <4D545BB8.3010505@redhat.com> <4D546E6C.9070000@redhat.com> <4D5478D4.6090106@redhat.com> <4D557757.6060108@redhat.com> <4D558DF5.3030608@redhat.com> Message-ID: <4D55967C.3060609@redhat.com> On 02/11/2011 02:28 PM, Endi Sukma Dewata wrote: > On 2/11/2011 11:52 AM, Adam Young wrote: >> Filter not set was due to incomplete filter_text attribute-rights work >> around >> undo_span is now wrapped in jquery select, so that it there is no undo, >> it works correctly. > > ACK. The filter problem is fixed in 192. > Pushed to master From ayoung at redhat.com Fri Feb 11 20:32:36 2011 
From: ayoung at redhat.com (Adam Young) Date: Fri, 11 Feb 2011 15:32:36 -0500 Subject: [Freeipa-devel] [PATCH] Added expand/collapse all. In-Reply-To: <4D54B3BC.90905@redhat.com> References: <4D54B3BC.90905@redhat.com> Message-ID: <4D559CE4.7060402@redhat.com> On 02/10/2011 10:57 PM, Endi Sukma Dewata wrote: > Hi Kyle, > > I added the expand/collapse all link into the details page. > See the following demo: > > http://edewata.fedorapeople.org/freeipa/install/ui/index.html#navigation=0&identity=0&user-facet=details&user-pkey=kfrog > > > Please let me know if this is sufficient for this ticket: > https://fedorahosted.org/freeipa/ticket/737 > > Thanks! > > > _______________________________________________ > Freeipa-devel mailing list > Freeipa-devel at redhat.com > https://www.redhat.com/mailman/listinfo/freeipa-devel ACK on the implementation. But the link certainly can't stay there, so hold until UXD looks at it. You can view the implementation here: http://admiyo.fedorapeople.org/ipa/ui/#navigation=0&identity=0&user-facet=details&user-pkey=kfrog -------------- next part -------------- An HTML attachment was scrubbed... URL: From ayoung at redhat.com Fri Feb 11 20:38:16 2011 From: ayoung at redhat.com (Adam Young) Date: Fri, 11 Feb 2011 15:38:16 -0500 Subject: [Freeipa-devel] [PATCH] admiyo-0193- allow-null-keys-for-show Message-ID: <4D559E38.8050206@redhat.com> -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-admiyo-0193-1-allow-null-keys-for-show.patch Type: text/x-patch Size: 1242 bytes Desc: not available URL: From edewata at redhat.com Fri Feb 11 20:50:26 2011 
From: edewata at redhat.com (Endi Sukma Dewata)
Date: Fri, 11 Feb 2011 14:50:26 -0600
Subject: [Freeipa-devel] [PATCH] admiyo-0193- allow-null-keys-for-show
In-Reply-To: <4D559E38.8050206@redhat.com>
References: <4D559E38.8050206@redhat.com>
Message-ID: <4D55A112.4070104@redhat.com>

On 2/11/2011 2:38 PM, Adam Young wrote:
>

ACK and pushed to master.

--
Endi S. Dewata

From ayoung at redhat.com Fri Feb 11 20:53:49 2011
From: ayoung at redhat.com (Adam Young)
Date: Fri, 11 Feb 2011 15:53:49 -0500
Subject: [Freeipa-devel] [PATCH 195/195] remove deprecated record types
Message-ID: <201102112053.p1BKrnGV011844@int-mx09.intmail.prod.int.phx2.redhat.com>

--
Adam Young
www.redhat.com

-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0195-remove-deprecated-record-types.patch
Type: text/x-patch
Size: 1145 bytes

From ssorce at redhat.com Fri Feb 11 21:01:05 2011
From: ssorce at redhat.com (Simo Sorce)
Date: Fri, 11 Feb 2011 16:01:05 -0500
Subject: [Freeipa-devel] [PATCH] 0082 - fix per/post operation with krb password change
Message-ID: <20110211160105.5098b68f@willson.li.ssimo.org>

We weren't setting the kerberos metadata when modifying userPassword for a kerberos enabled record.

Fixes #949

Simo.

--
Simo Sorce * Red Hat, Inc * New York

-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-simo-0082-Correctly-report-if-this-is-a-krb-related-password-o.patch
Type: text/x-patch
Size: 1027 bytes

From ssorce at redhat.com Fri Feb 11 21:10:20 2011
From: ssorce at redhat.com (Simo Sorce)
Date: Fri, 11 Feb 2011 16:10:20 -0500
Subject: [Freeipa-devel] [PATCH 195/195] remove deprecated record types
In-Reply-To: <201102112053.p1BKrnGV011844@int-mx09.intmail.prod.int.phx2.redhat.com>
References: <201102112053.p1BKrnGV011844@int-mx09.intmail.prod.int.phx2.redhat.com>
Message-ID: <20110211161020.00fad218@willson.li.ssimo.org>

On Fri, 11 Feb 2011 15:53:49 -0500
Adam Young wrote:

ACK

--
Simo Sorce * Red Hat, Inc * New York

From ayoung at redhat.com Fri Feb 11 21:26:54 2011
From: ayoung at redhat.com (Adam Young)
Date: Fri, 11 Feb 2011 16:26:54 -0500
Subject: [Freeipa-devel] [PATCH 195/195] remove deprecated record types
In-Reply-To: <20110211161020.00fad218@willson.li.ssimo.org>
References: <201102112053.p1BKrnGV011844@int-mx09.intmail.prod.int.phx2.redhat.com> <20110211161020.00fad218@willson.li.ssimo.org>
Message-ID: <4D55A99E.8010901@redhat.com>

On 02/11/2011 04:10 PM, Simo Sorce wrote:
> On Fri, 11 Feb 2011 15:53:49 -0500
> Adam Young wrote:
>
> ACK
>

Pushed to master

From jhrozek at redhat.com Fri Feb 11 21:32:19 2011
From: jhrozek at redhat.com (Jakub Hrozek)
Date: Fri, 11 Feb 2011 22:32:19 +0100
Subject: [Freeipa-devel] [PATCH] 052 Fine tuning DNS options
Message-ID: <20110211213218.GA11709@zeppelin.brq.redhat.com>

Simo did a nice writeup of the changes in https://fedorahosted.org/freeipa/ticket/931

-------------- next part --------------
>From d27c228160b5bfc460055392389e2ba966263709 Mon Sep 17 00:00:00 2001
From: Jakub Hrozek Date: Thu, 10 Feb 2011 21:47:45 +0100 Subject: [PATCH] Fine tuning DNS options Add pointer to self to /etc/hosts to avoid chicken/egg problems when restarting DNS. On servers set both dns_lookup_realm and dns_lookup_kdc to false so we don't attempt to do any resolving. Leave it to true on clients. Set rdns to false on both server and client. https://fedorahosted.org/freeipa/ticket/931 --- install/share/krb5.conf.template | 5 +++-- ipa-client/ipa-install/ipa-client-install | 1 + ipaserver/install/bindinstance.py | 3 +++ ipaserver/install/installutils.py | 24 ++++++++++++++++++++---- 4 files changed, 27 insertions(+), 6 deletions(-) diff --git a/install/share/krb5.conf.template b/install/share/krb5.conf.template index 9cf4ee8..93d88db 100644 --- a/install/share/krb5.conf.template +++ b/install/share/krb5.conf.template @@ -5,8 +5,9 @@ [libdefaults] default_realm = $REALM - dns_lookup_realm = true - dns_lookup_kdc = true + dns_lookup_realm = false + dns_lookup_kdc = false + rdns = false ticket_lifetime = 24h forwardable = yes diff --git a/ipa-client/ipa-install/ipa-client-install b/ipa-client/ipa-install/ipa-client-install index a32564d..9211a86 100755 --- a/ipa-client/ipa-install/ipa-client-install +++ b/ipa-client/ipa-install/ipa-client-install @@ -408,6 +408,7 @@ def configure_krb5_conf(fstore, cli_basedn, cli_realm, cli_domain, cli_server, d else: libopts.append({'name':'dns_lookup_realm', 'type':'option', 'value':'true'}) libopts.append({'name':'dns_lookup_kdc', 'type':'option', 'value':'true'}) + libopts.append({'name':'rdns', 'type':'option', 'value':'false'}) libopts.append({'name':'ticket_lifetime', 'type':'option', 'value':'24h'}) libopts.append({'name':'forwardable', 'type':'option', 'value':'yes'}) diff --git a/ipaserver/install/bindinstance.py b/ipaserver/install/bindinstance.py index 8790427..ea9280b 100644 --- a/ipaserver/install/bindinstance.py +++ b/ipaserver/install/bindinstance.py 
@@ -297,6 +297,9 @@ class BindInstance(service.Service): # get a connection to the DS self.ldap_connect() + if not installutils.record_in_hosts(self.ip_address, self.fqdn): + installutils.add_record_to_hosts(self.ip_address, self.fqdn) + if not dns_container_exists(self.fqdn, self.suffix): self.step("adding DNS container", self.__setup_dns_container) if not dns_zone_exists(self.domain): diff --git a/ipaserver/install/installutils.py b/ipaserver/install/installutils.py index 99d1582..563333b 100644 --- a/ipaserver/install/installutils.py +++ b/ipaserver/install/installutils.py @@ -156,6 +156,25 @@ def verify_ip_address(ip): is_ok = False return is_ok +def record_in_hosts(ip, host_name, file="/etc/hosts"): + hosts = open(file, 'r').readlines() + for line in hosts: + hosts_ip = line.split()[0] + if hosts_ip != ip: + continue + + names = line.split()[1:] + if host_name in names: + return True + + return False + +def add_record_to_hosts(ip, host_name, file="/etc/hosts"): + hosts_fd = open(file, 'r+') + hosts_fd.seek(0, 2) + hosts_fd.write(ip+'\t'+host_name+' '+host_name.split('.')[0]+'\n') + hosts_fd.close() + def read_ip_address(host_name, fstore): while True: ip = ipautil.user_input("Please provide the IP address to be used for this host name", allow_empty = False) @@ -169,10 +188,7 @@ def read_ip_address(host_name, fstore): print "Adding ["+ip+" "+host_name+"] to your /etc/hosts file" fstore.backup_file("/etc/hosts") - hosts_fd = open('/etc/hosts', 'r+') - hosts_fd.seek(0, 2) - hosts_fd.write(ip+'\t'+host_name+' '+host_name.split('.')[0]+'\n') - hosts_fd.close() + add_record_to_hosts(ip, host_name) return ip -- 1.7.4 From ayoung at redhat.com Fri Feb 11 21:34:06 2011 
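Review bot: In the ipa-client-install hunk of this patch the new `rdns` option is appended only inside the `else:` branch, the one that also sets `dns_lookup_realm` and `dns_lookup_kdc` to true, while the commit message says rdns is set to false on both server and client. When the other branch of that conditional is taken, the client's krb5.conf is written without any rdns setting and the library default applies. Suggest moving `libopts.append({'name':'rdns', 'type':'option', 'value':'false'})` out of the conditional, next to the unconditional `ticket_lifetime` append.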
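Review bot: The bindinstance.py hunk modifies /etc/hosts through `installutils.add_record_to_hosts` without backing the file up first, whereas the existing `read_ip_address` path in installutils.py calls `fstore.backup_file("/etc/hosts")` before adding the same record. Without that backup the entry written by the server installer is not restored on uninstall. Suggest calling `backup_file` on /etc/hosts before the `add_record_to_hosts` call, as `read_ip_address` does.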
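Review bot: In the installutils.py hunk that adds `record_in_hosts`, `line.split()[0]` is evaluated for every line, so an empty line in /etc/hosts raises IndexError, and comment lines are not skipped before the IP comparison. `add_record_to_hosts` seeks to the end and writes the record without checking that the file ends with a newline, so on a file whose last line is unterminated the new entry is glued onto the previous one. Suggest `fields = line.split()` followed by `if not fields or fields[0].startswith('#'): continue` in the reader, and in the writer opening with mode 'a' and prefixing the record with '\n' when the last byte of the file is not a newline. The parameter name `file` also shadows the builtin; `filename` reads better.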
From: ayoung at redhat.com (Adam Young)
Date: Fri, 11 Feb 2011 16:34:06 -0500
Subject: [Freeipa-devel] [PATCH] Fixed add service dialog box.
In-Reply-To: <4D545C6B.9050307@redhat.com>
References: <4D545C6B.9050307@redhat.com>
Message-ID: <4D55AB4E.6070703@redhat.com>

On 02/10/2011 04:45 PM, Endi Sukma Dewata wrote:
> Previously the add service dialog box shows a 'Principal:' label with
> no text field next to it. It now has been removed. The dialog box
> has been widened to avoid line wrapping of the buttons.

ACK. Pushed to master

From rcritten at redhat.com Fri Feb 11 21:51:02 2011
From: rcritten at redhat.com (Rob Crittenden)
Date: Fri, 11 Feb 2011 16:51:02 -0500
Subject: [Freeipa-devel] [PATCH] 719 permission for cn=ipaconfig
Message-ID: <4D55AF46.9010108@redhat.com>

Add permission and privilege for updating the IPA configuration in cn=ipaconfig.

ticket 950

rob

-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-rcrit-719-permission.patch
Type: application/mbox
Size: 2125 bytes

From rcritten at redhat.com Fri Feb 11 22:26:37 2011
From: rcritten at redhat.com (Rob Crittenden)
Date: Fri, 11 Feb 2011 17:26:37 -0500
Subject: [Freeipa-devel] [PATCH] 720 provide some logging by default
Message-ID: <4D55B79D.3010805@redhat.com>

If neither verbose nor debug were set (and they aren't by default) then we logged absolutely nothing about framework requests. This adds a default of who, what, result in the Apache error log.

This is a first-step for ticket 873 just to get something logged by default.

rob

-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-rcrit-720-log.patch
Type: application/mbox
Size: 7329 bytes

From rcritten at redhat.com Fri Feb 11 23:13:47 2011
From: rcritten at redhat.com (Rob Crittenden)
Date: Fri, 11 Feb 2011 18:13:47 -0500
Subject: [Freeipa-devel] [PATCH] 721 fix cert-show
Message-ID: <4D55C2AB.6060700@redhat.com>

The --out option wasn't working at all with cert-show.

Also fix some related problems in write_certificate(), handle either a DER or base64-formatted incoming certificate and don't explode if the filename is None.

ticket 954

rob

-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-rcrit-721-cert.patch
Type: application/mbox
Size: 3401 bytes

From ayoung at redhat.com Sat Feb 12 02:21:44 2011
From: ayoung at redhat.com (Adam Young)
Date: Fri, 11 Feb 2011 21:21:44 -0500
Subject: [Freeipa-devel] [PATCH] admiyo-0196-DNS-record-search.
Message-ID: <4D55EEB8.3020900@redhat.com>

-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-admiyo-0196-DNS-record-search.patch
Type: text/x-patch
Size: 2525 bytes

From ayoung at redhat.com Sat Feb 12 03:41:03 2011
From: ayoung at redhat.com (Adam Young)
Date: Fri, 11 Feb 2011 22:41:03 -0500
Subject: [Freeipa-devel] [PATCH] 712 drop kw from JSON error
In-Reply-To: <4D5557BC.6040906@redhat.com>
References: <4D5430EC.4060502@redhat.com> <20110211100509.GB9354@zeppelin.brq.redhat.com> <4D5557BC.6040906@redhat.com>
Message-ID: <4D56014F.60008@redhat.com>

On 02/11/2011 10:37 AM, Rob Crittenden wrote:
> Jakub Hrozek wrote:
>> On Thu, Feb 10, 2011 at 01:39:40PM -0500, Rob Crittenden wrote:
>>> The kw could contain another exception which was blowing up the
>>> marshalling. It doesn't seem to be used anywhere and contains
>>> information we've already saved in error as far as I can tell.
>>>
>>> ticket 905
>>>
>>> rob
>>
>> Ack
>
> pushed to master

This might have been premature. See ticket https://fedorahosted.org/freeipa/ticket/956

From jhrozek at redhat.com Sat Feb 12 20:01:03 2011
From: jhrozek at redhat.com (Jakub Hrozek)
Date: Sat, 12 Feb 2011 21:01:03 +0100
Subject: [Freeipa-devel] [PATCH] 053 Make sure only root can run ipa-client-install
Message-ID: <20110212200102.GA21715@zeppelin.brq.redhat.com>

https://fedorahosted.org/freeipa/ticket/957

-------------- next part --------------
>From 20974e900dc062be3dbe527c2a6b7cddb7a0a641 Mon Sep 17 00:00:00 2001 From: Jakub Hrozek Date: Sat, 12 Feb 2011 10:28:06 +0100 Subject: [PATCH 1/2] Make sure only root can run ipa-client-install https://fedorahosted.org/freeipa/ticket/957 --- ipa-client/ipa-install/ipa-client-install | 3 +++ 1 files changed, 3 insertions(+), 0 deletions(-) diff --git a/ipa-client/ipa-install/ipa-client-install b/ipa-client/ipa-install/ipa-client-install index a32564d..5012c65 100755 --- a/ipa-client/ipa-install/ipa-client-install +++ b/ipa-client/ipa-install/ipa-client-install
@@ -810,6 +810,9 @@ def main(): try: if __name__ == "__main__": + if not os.getegid() == 0: + sys.exit("\nYou must be root to run ipa-client-install.\n") + sys.exit(main()) except SystemExit, e: sys.exit(e) -- 1.7.4 From jhrozek at redhat.com Sat Feb 12 20:45:46 2011 From: jhrozek at redhat.com (Jakub Hrozek) Date: Sat, 12 Feb 2011 21:45:46 +0100 Subject: [Freeipa-devel] [PATCH] 054 Fix checking for arguments in DNS plugins Message-ID: <20110212204545.GA21917@zeppelin.brq.redhat.com> I couldn't reproduce the traceback, but the code shows where the error most probably is. http://fedorahosted.org/freeipa/ticket/956 -------------- next part -------------- >From c9a9bc8c316c0c921a2865d600aaedc8135c8552 Mon Sep 17 00:00:00 2001 From: Jakub Hrozek Date: Sat, 12 Feb 2011 15:36:19 -0500 Subject: [PATCH] Fix checking for arguments in DNS plugins https://fedorahosted.org/freeipa/ticket/956 --- ipalib/plugins/dns.py | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) diff --git a/ipalib/plugins/dns.py b/ipalib/plugins/dns.py index fea48db..1437011 100644 --- a/ipalib/plugins/dns.py +++ b/ipalib/plugins/dns.py @@ -146,7 +146,7 @@ _record_validators = { def has_cli_options(entry, no_option_msg): entry = dict((t, entry.get(t, [])) for t in _record_attributes) numattr = reduce(lambda x,y: x+y, - map(lambda x: len(x), entry.values())) + map(lambda x: len(x), [ v for v in entry.values() if v is not None ])) if numattr == 0: raise errors.OptionError(no_option_msg) return entry -- 1.7.4 From JR.Aquino at citrix.com Sun Feb 13 15:37:28 2011 
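Review bot: The ipa-client-install hunk of patch 053 tests `os.getegid() == 0`, which is the effective group id, not the user id: a non-root user whose effective group is gid 0 passes the check, and root running with a different effective group is refused. The commit subject asks for a root check, so the condition should be `os.geteuid() != 0`; `!=` also reads better than `not ... == 0`.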
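Review bot: The dns.py hunk of patch 054 works around `len(None)` in `has_cli_options` by filtering `None` out of `entry.values()`, but the `None` originates one line earlier: `entry = dict((t, entry.get(t, [])) for t in _record_attributes)` only substitutes `[]` for missing keys, so an attribute that is present with value `None` is kept as `None`. Normalising there with `entry.get(t) or []` fixes the count and also hands callers of the returned `entry` lists rather than `None`; the reduce/map pair then simplifies to `sum(len(v) for v in entry.values())`.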
From: JR.Aquino at citrix.com (JR Aquino)
Date: Sun, 13 Feb 2011 15:37:28 +0000
Subject: [Freeipa-devel] [PATCH] 720 provide some logging by default
In-Reply-To: <4D55B79D.3010805@redhat.com>
Message-ID:

On 2/11/11 2:26 PM, "Rob Crittenden" wrote:
>If neither verbose nor debug were set (and they aren't by default) then
>we logged absolutely nothing about framework requests. This adds a
>default of who, what, result in the Apache error log.
>
>This is a first-step for ticket 873 just to get something logged by
>default.
>
>rob

ACK

From jhrozek at redhat.com Sun Feb 13 17:07:36 2011
From: jhrozek at redhat.com (Jakub Hrozek)
Date: Sun, 13 Feb 2011 18:07:36 +0100
Subject: [Freeipa-devel] [PATCH] 055 Set ldap_netgroup_search_base for in ipa-client-install
Message-ID: <20110213170735.GA30604@zeppelin.brq.redhat.com>

https://fedorahosted.org/freeipa/ticket/932

-------------- next part --------------
>From 82787ce02ada90c17593e96d32faab45efce9a90 Mon Sep 17 00:00:00 2001 From: Jakub Hrozek Date: Sat, 12 Feb 2011 11:00:51 +0100 Subject: [PATCH] Set ldap_netgroup_search_base for in ipa-client-install https://fedorahosted.org/freeipa/ticket/932 --- ipa-client/ipa-install/ipa-client-install | 6 ++++-- 1 files changed, 4 insertions(+), 2 deletions(-) diff --git a/ipa-client/ipa-install/ipa-client-install b/ipa-client/ipa-install/ipa-client-install index 32a9aef..244e63b 100755 --- a/ipa-client/ipa-install/ipa-client-install +++ b/ipa-client/ipa-install/ipa-client-install
@@ -473,7 +473,7 @@ def configure_certmonger(fstore, subject_base, cli_realm, options): except: print "certmonger request for host certificate failed" -def configure_sssd_conf(fstore, cli_domain, cli_server, options): +def configure_sssd_conf(fstore, cli_basedn, cli_domain, cli_server, options): fstore.backup_file("/etc/sssd/sssd.conf") sssdconfig = SSSDConfig.SSSDConfig() sssdconfig.new_config() @@ -495,6 +495,8 @@ def configure_sssd_conf(fstore, cli_domain, cli_server, options): domain.add_provider('permit', 'access') domain.set_option('cache_credentials', True) + domain.set_option('ldap_netgroup_search_base', + "%s,%s" % ('cn=ng,cn=compat', cli_basedn)) domain.set_active(True) @@ -709,7 +711,7 @@ def main(): print "Created /etc/ipa/default.conf" if options.sssd: - if configure_sssd_conf(fstore, cli_domain, cli_server, options): + if configure_sssd_conf(fstore, cli_basedn, cli_domain, cli_server, options): return 1 print "Configured /etc/sssd/sssd.conf" else: -- 1.7.4 From jzeleny at redhat.com Mon Feb 14 12:08:06 2011 From: jzeleny at redhat.com (Jan =?iso-8859-15?q?Zelen=FD?=) Date: Mon, 14 Feb 2011 13:08:06 +0100 Subject: [Freeipa-devel] [PATCH] 713 handle failed passwords in tools In-Reply-To: <4D544215.4010400@redhat.com> References: <4D544215.4010400@redhat.com> Message-ID: <201102141308.06865.jzeleny@redhat.com> Rob Crittenden wrote: > Handle bad DM password in ipa-host-net-manage & ipa-copmat-manage. > > This was resulting in a traceback because while conn was not None it > wasn't connected either. > > ticket 920 > > rob ack jan From jzeleny at redhat.com Mon Feb 14 12:21:50 2011 
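Review bot: The first hunk of patch 055 inserts `cli_basedn` as a positional parameter in the middle of the `configure_sssd_conf` signature. The one call in `main()` is updated in the third hunk, but any other caller would silently pass `cli_domain` as `cli_basedn` and shift the remaining arguments by one. Appending the new parameter at the end of the signature, or passing it by keyword at the call site, turns such a mismatch into a loud failure instead.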
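Review bot: The second hunk of patch 055 hard-codes the netgroup search base as `cn=ng,cn=compat` under `cli_basedn`, so the client's netgroup lookups now depend on that compat subtree being served by the IPA server; nothing in the hunk records that dependency. A one-line comment above the `domain.set_option('ldap_netgroup_search_base', ...)` call saying where this subtree comes from would help whoever next touches this section.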
From: jzeleny at redhat.com (Jan Zelený)
Date: Mon, 14 Feb 2011 13:21:50 +0100
Subject: [Freeipa-devel] [PATCH] Code cleanup
Message-ID: <201102141321.50762.jzeleny@redhat.com>

Hi,
I'd like to propose this cleanup patch. I just noticed that the code in these two files is most likely not used any more (at least I didn't find a place where it is used). What do you think? Is it safe to throw it out? Or are there some places which are still using it? I'd be more than happy to move parts that are used somewhere else and delete the rest.

--
Thank you
Jan Zeleny
Red Hat Software Engineer
Brno, Czech Republic

-------------- next part --------------
A non-text attachment was scrubbed...
Name: jzeleny-freeipa-0040-Code-cleanup.patch
Type: text/x-patch
Size: 31666 bytes

From jzeleny at redhat.com Mon Feb 14 12:46:52 2011
From: jzeleny at redhat.com (Jan Zelený)
Date: Mon, 14 Feb 2011 13:46:52 +0100
Subject: [Freeipa-devel] [PATCH] 715 ensure required variables are required
In-Reply-To: <4D54B141.7020900@redhat.com>
References: <4D54B141.7020900@redhat.com>
Message-ID: <201102141346.52504.jzeleny@redhat.com>

Rob Crittenden wrote:
> Yi found a tricky way to remove required attributes that aren't required
> in the schema. The problem was we weren't enforcing parameter.required
> in mods (because it was enforcing that every variable with required be
> provided).
>
> I added a new check routine that is executed after setattr/addattr does
> its work and verifies that no required parameters get skipped.
>
> ticket 852
>
> rob

Looks fine, works as expected. ACK

I'm just not sure whether it is necessary to call the function twice - once on self.params and once on self.obj.params (I get the latter one, but I'm not sure whether the former one is necessary).

Jan

From jzeleny at redhat.com Mon Feb 14 12:59:48 2011
From: jzeleny at redhat.com (Jan Zelený)
Date: Mon, 14 Feb 2011 13:59:48 +0100
Subject: [Freeipa-devel] [PATCH] 715 ensure required variables are required
In-Reply-To: <201102141346.52504.jzeleny@redhat.com>
References: <4D54B141.7020900@redhat.com> <201102141346.52504.jzeleny@redhat.com>
Message-ID: <201102141359.48371.jzeleny@redhat.com>

Jan Zelený wrote:
> Rob Crittenden wrote:
> > Yi found a tricky way to remove required attributes that aren't required
> > in the schema. The problem was we weren't enforcing parameter.required
> > in mods (because it was enforcing that every variable with required be
> > provided).
> >
> > I added a new check routine that is executed after setattr/addattr does
> > its work and verifies that no required parameters get skipped.
> >
> > ticket 852
> >
> > rob
>
> Looks fine, works as expected. ACK
>
> I'm just not sure whether it is necessary to call the function twice - once
> on self.params and once on self.obj.params (I get the latter one, but I'm
> not sure whether the former one is necessary).
>
> Jan

One more thing - I'm not sure whether it is necessary to add the check to LDAPCreate - I tried to create role with empty description and it failed as expected.

Jan

From jzeleny at redhat.com Mon Feb 14 13:10:08 2011
From: jzeleny at redhat.com (Jan Zelený)
Date: Mon, 14 Feb 2011 14:10:08 +0100
Subject: [Freeipa-devel] [PATCH] 051 Remove obsolete record types from DNS
In-Reply-To: <20110211102217.GC9354@zeppelin.brq.redhat.com>
References: <20110211102217.GC9354@zeppelin.brq.redhat.com>
Message-ID: <201102141410.08222.jzeleny@redhat.com>

Jakub Hrozek wrote:
> https://fedorahosted.org/freeipa/ticket/923

Patch looks good. I'm running some tests. Unless they fail, ACK

Jan

From jzeleny at redhat.com Mon Feb 14 13:31:43 2011
From: jzeleny at redhat.com (Jan Zelený)
Date: Mon, 14 Feb 2011 14:31:43 +0100
Subject: [Freeipa-devel] [PATCH] 718 move files in packages
In-Reply-To: <4D558943.2020800@redhat.com>
References: <4D558943.2020800@redhat.com>
Message-ID: <201102141431.43909.jzeleny@redhat.com>

Rob Crittenden wrote:
> Move a bunch of utilities that really only make sense to be run on the
> server from the admintools package to the server package.
>
> ticket 947
>
> rob

ack

Jan

From jzeleny at redhat.com Mon Feb 14 13:37:28 2011
From: jzeleny at redhat.com (Jan Zelený)
Date: Mon, 14 Feb 2011 14:37:28 +0100
Subject: [Freeipa-devel] [PATCH] 719 permission for cn=ipaconfig
In-Reply-To: <4D55AF46.9010108@redhat.com>
References: <4D55AF46.9010108@redhat.com>
Message-ID: <201102141437.28952.jzeleny@redhat.com>

Rob Crittenden wrote:
> Add permission and privilege for updating the IPA configuration in
> cn=ipaconfig.
>
> ticket 950
>
> rob

I'm not quite sure how the patch works. In particular, I wonder about these two blocks:

+dn: cn=Write IPA Configuration,cn=privileges,cn=pbac,$SUFFIX
+default:objectClass: top
+default:objectClass: groupofnames
+default:objectClass: nestedgroup
+default:cn: Write IPA Configuration
+
+dn: cn=Write IPA Configuration,cn=permissions,cn=pbac,$SUFFIX
+default:objectClass: top
+default:objectClass: groupofnames
+default:objectClass: ipapermission
+default:cn: Write IPA Configuration
+default:member: cn=Write IPA Configuration,cn=privileges,cn=pbac,$SUFFIX

Can't they be specified in one block like:

+dn: cn=Write IPA Configuration,cn=privileges,cn=pbac,$SUFFIX
+default:objectClass: top
+default:objectClass: groupofnames
+default:objectClass: nestedgroup
+default:objectClass: ipapermission
+default:cn: Write IPA Configuration
+default:member: cn=Write IPA Configuration,cn=privileges,cn=pbac,$SUFFIX

Thanks in advance

Otherwise the patch looks good, so if this is not an issue, I give it ACK.

Jan

From jzeleny at redhat.com Mon Feb 14 13:41:34 2011
From: jzeleny at redhat.com (Jan Zelený)
Date: Mon, 14 Feb 2011 14:41:34 +0100
Subject: [Freeipa-devel] [PATCH] 716 ignore case when removing members
In-Reply-To: <4D555C00.1000904@redhat.com>
References: <4D555C00.1000904@redhat.com>
Message-ID: <201102141441.34395.jzeleny@redhat.com>

Rob Crittenden wrote:
> Ignore case when removing members from a group.
>
> ticket 944
>
> rob

ack

Jan

From mkosek at redhat.com Mon Feb 14 13:45:17 2011
From: mkosek at redhat.com (Martin Kosek)
Date: Mon, 14 Feb 2011 14:45:17 +0100
Subject: [Freeipa-devel] [PATCH] 719 permission for cn=ipaconfig
In-Reply-To: <201102141437.28952.jzeleny@redhat.com>
References: <4D55AF46.9010108@redhat.com> <201102141437.28952.jzeleny@redhat.com>
Message-ID: <1297691117.3123.5.camel@dhcp-25-52.brq.redhat.com>

On Mon, 2011-02-14 at 14:37 +0100, Jan Zelený wrote:
> Rob Crittenden wrote:
> > Add permission and privilege for updating the IPA configuration in
> > cn=ipaconfig.
> >
> > ticket 950
> >
> > rob
>
> I'm not quite sure how the patch works. In particular, I wonder about
> these two blocks:
>
> +dn: cn=Write IPA Configuration,cn=privileges,cn=pbac,$SUFFIX
> +default:objectClass: top
> +default:objectClass: groupofnames
> +default:objectClass: nestedgroup
> +default:cn: Write IPA Configuration
> +
> +dn: cn=Write IPA Configuration,cn=permissions,cn=pbac,$SUFFIX
> +default:objectClass: top
> +default:objectClass: groupofnames
> +default:objectClass: ipapermission
> +default:cn: Write IPA Configuration
> +default:member: cn=Write IPA Configuration,cn=privileges,cn=pbac,$SUFFIX
>
> Can't they be specified in one block like:
>
> +dn: cn=Write IPA Configuration,cn=privileges,cn=pbac,$SUFFIX
> +default:objectClass: top
> +default:objectClass: groupofnames
> +default:objectClass: nestedgroup
> +default:objectClass: ipapermission
> +default:cn: Write IPA Configuration
> +default:member: cn=Write IPA Configuration,cn=privileges,cn=pbac,$SUFFIX
>
> Thanks in advance
>
> Otherwise the patch looks good, so if this is not an issue, I give it ACK.
>
> Jan

I think this is OK. We are adding 2 objects - one permission called "Write IPA Configuration" (with an underlying ACI) and one privilege also called "Write IPA Configuration". Therefore they cannot be merged to one LDAP object.

Martin

From jzeleny at redhat.com Mon Feb 14 13:50:59 2011
From: jzeleny at redhat.com (Jan Zelený)
Date: Mon, 14 Feb 2011 14:50:59 +0100
Subject: [Freeipa-devel] [PATCH] 719 permission for cn=ipaconfig
In-Reply-To: <1297691117.3123.5.camel@dhcp-25-52.brq.redhat.com>
References: <4D55AF46.9010108@redhat.com> <201102141437.28952.jzeleny@redhat.com> <1297691117.3123.5.camel@dhcp-25-52.brq.redhat.com>
Message-ID: <201102141450.59955.jzeleny@redhat.com>

Martin Kosek wrote:
> On Mon, 2011-02-14 at 14:37 +0100, Jan Zelený wrote:
> > Rob Crittenden wrote:
> > > Add permission and privilege for updating the IPA configuration in
> > > cn=ipaconfig.
> > >
> > > ticket 950
> > >
> > > rob
> >
> > I'm not quite sure how the patch works. In particular, I wonder about
> > these two blocks:
> >
> > +dn: cn=Write IPA Configuration,cn=privileges,cn=pbac,$SUFFIX
> > +default:objectClass: top
> > +default:objectClass: groupofnames
> > +default:objectClass: nestedgroup
> > +default:cn: Write IPA Configuration
> > +
> > +dn: cn=Write IPA Configuration,cn=permissions,cn=pbac,$SUFFIX
> > +default:objectClass: top
> > +default:objectClass: groupofnames
> > +default:objectClass: ipapermission
> > +default:cn: Write IPA Configuration
> > +default:member: cn=Write IPA Configuration,cn=privileges,cn=pbac,$SUFFIX
> >
> > Can't they be specified in one block like:
> >
> > +dn: cn=Write IPA Configuration,cn=privileges,cn=pbac,$SUFFIX
> > +default:objectClass: top
> > +default:objectClass: groupofnames
> > +default:objectClass: nestedgroup
> > +default:objectClass: ipapermission
> > +default:cn: Write IPA Configuration
> > +default:member: cn=Write IPA Configuration,cn=privileges,cn=pbac,$SUFFIX
> >
> > Thanks in advance
> >
> > Otherwise the patch looks good, so if this is not an issue, I give it
> > ACK.
> >
> > Jan
>
> I think this is OK. We are adding 2 objects - one permission called
> "Write IPA Configuration" (with an underlying ACI) and one privilege
> also called "Write IPA Configuration". Therefore they cannot be merged
> to one LDAP object.

Oh, sorry, I didn't see that one object is privilege and another one is permission.

Jan

From rcritten at redhat.com Mon Feb 14 14:12:19 2011
From: rcritten at redhat.com (Rob Crittenden)
Date: Mon, 14 Feb 2011 09:12:19 -0500
Subject: [Freeipa-devel] [PATCH] 712 drop kw from JSON error
In-Reply-To: <4D56014F.60008@redhat.com>
References: <4D5430EC.4060502@redhat.com> <20110211100509.GB9354@zeppelin.brq.redhat.com> <4D5557BC.6040906@redhat.com> <4D56014F.60008@redhat.com>
Message-ID: <4D593843.8010909@redhat.com>

Adam Young wrote:
> On 02/11/2011 10:37 AM, Rob Crittenden wrote:
>> Jakub Hrozek wrote:
>>> On Thu, Feb 10, 2011 at 01:39:40PM -0500, Rob Crittenden wrote:
>>>> The kw could contain another exception which was blowing up the
>>>> marshalling. It doesn't seem to be used anywhere and contains
>>>> information we've already saved in error as far as I can tell.
>>>>
>>>> ticket 905
>>>>
>>>> rob
>>>
>>> Ack
>>
>> pushed to master
>
> This might have been premature. See ticket
> https://fedorahosted.org/freeipa/ticket/956

Looks unrelated. Did you actually get the TypeError exception in the UI? That would be a recent improvement if you did.

This looks like a bug in the dns plugin at first glance to me.

rob

From rcritten at redhat.com Mon Feb 14 14:28:01 2011
From: rcritten at redhat.com (Rob Crittenden)
Date: Mon, 14 Feb 2011 09:28:01 -0500
Subject: [Freeipa-devel] [PATCH] 719 permission for cn=ipaconfig
In-Reply-To: <201102141437.28952.jzeleny@redhat.com>
References: <4D55AF46.9010108@redhat.com> <201102141437.28952.jzeleny@redhat.com>
Message-ID: <4D593BF1.6020709@redhat.com>

Jan Zelený wrote:
> Rob Crittenden wrote:
>> Add permission and privilege for updating the IPA configuration in
>> cn=ipaconfig.
>>
>> ticket 950
>>
>> rob
>
> I'm not quite sure how the patch works. In particular, I wonder about
> these two blocks:
>
> +dn: cn=Write IPA Configuration,cn=privileges,cn=pbac,$SUFFIX
> +default:objectClass: top
> +default:objectClass: groupofnames
> +default:objectClass: nestedgroup
> +default:cn: Write IPA Configuration
> +
> +dn: cn=Write IPA Configuration,cn=permissions,cn=pbac,$SUFFIX
> +default:objectClass: top
> +default:objectClass: groupofnames
> +default:objectClass: ipapermission
> +default:cn: Write IPA Configuration
> +default:member: cn=Write IPA Configuration,cn=privileges,cn=pbac,$SUFFIX
>
> Can't they be specified in one block like:
>
> +dn: cn=Write IPA Configuration,cn=privileges,cn=pbac,$SUFFIX
> +default:objectClass: top
> +default:objectClass: groupofnames
> +default:objectClass: nestedgroup
> +default:objectClass: ipapermission
> +default:cn: Write IPA Configuration
> +default:member: cn=Write IPA Configuration,cn=privileges,cn=pbac,$SUFFIX
>
> Thanks in advance
>
> Otherwise the patch looks good, so if this is not an issue, I give it ACK.
>
> Jan

Yeah, I know it's redundant looking but these need to be 2 separate records. Privileges are for the most part a 1-1 relationship to permissions but not always. We wanted to have this intermediate object to make things easier for the end-user when assigning them to roles.

rob

From JR.Aquino at citrix.com Mon Feb 14 14:42:40 2011
From: JR.Aquino at citrix.com (JR Aquino)
Date: Mon, 14 Feb 2011 14:42:40 +0000
Subject: [Freeipa-devel] [PATCH] 16 Bugfix for ipa-client-install echo's password in cleartext to stdout
Message-ID:

During the ipa-client-install, when prompted for the principal password, it is possible to start typing and have the password echoed back.

This patch corrects this behavior and addresses bug #959

https://fedorahosted.org/freeipa/ticket/959

-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-jraquino-0016-Bugfix-for-ipa-client-install-echo-s-password-in-cle.patch
Type: application/octet-stream
Size: 1217 bytes

From rcritten at redhat.com Mon Feb 14 14:52:24 2011
From: rcritten at redhat.com (Rob Crittenden)
Date: Mon, 14 Feb 2011 09:52:24 -0500
Subject: [Freeipa-devel] [PATCH] 715 ensure required variables are required
In-Reply-To: <201102141359.48371.jzeleny@redhat.com>
References: <4D54B141.7020900@redhat.com> <201102141346.52504.jzeleny@redhat.com> <201102141359.48371.jzeleny@redhat.com>
Message-ID: <4D5941A8.5050002@redhat.com>

Jan Zelený wrote:
> Jan Zelený wrote:
>> Rob Crittenden wrote:
>>> Yi found a tricky way to remove required attributes that aren't required
>>> in the schema. The problem was we weren't enforcing parameter.required
>>> in mods (because it was enforcing that every variable with required be
>>> provided).
>>>
>>> I added a new check routine that is executed after setattr/addattr does
>>> its work and verifies that no required parameters get skipped.
>>>
>>> ticket 852
>>>
>>> rob
>>
>> Looks fine, works as expected. ACK
>>
>> I'm just not sure whether it is necessary to call the function twice - once
>> on self.params and once on self.obj.params (I get the latter one, but I'm
>> not sure whether the former one is necessary).

Hmm, you may be right. I did it in case any of self.params had a requires on it, but since this is a mod operation then I think by definition it can't.

>>
>> Jan
>
> One more thing - I'm not sure whether it is necessary to add the check to
> LDAPCreate - I tried to create role with empty description and it failed as
> expected.

I think you're. I did it to prevent something like this:

# ipa group-add --desc='foo' --setattr description='' foo

but it is already handled.

I'll work up a new patch.

rob

From rcritten at redhat.com Mon Feb 14 15:14:09 2011
From: rcritten at redhat.com (Rob Crittenden)
Date: Mon, 14 Feb 2011 10:14:09 -0500
Subject: [Freeipa-devel] [PATCH] 713 handle failed passwords in tools
In-Reply-To: <201102141308.06865.jzeleny@redhat.com>
References: <4D544215.4010400@redhat.com> <201102141308.06865.jzeleny@redhat.com>
Message-ID: <4D5946C1.9080203@redhat.com>

Jan Zelený wrote:
> Rob Crittenden wrote:
>> Handle bad DM password in ipa-host-net-manage & ipa-compat-manage.
>>
>> This was resulting in a traceback because while conn was not None it
>> wasn't connected either.
>>
>> ticket 920
>>
>> rob
>
> ack
>
> jan

pushed to master

From ayoung at redhat.com Mon Feb 14 15:21:41 2011
From: ayoung at redhat.com (Adam Young)
Date: Mon, 14 Feb 2011 10:21:41 -0500
Subject: [Freeipa-devel] [PATCH] 054 Fix checking for arguments in DNS plugins
In-Reply-To: <20110212204545.GA21917@zeppelin.brq.redhat.com>
References: <20110212204545.GA21917@zeppelin.brq.redhat.com>
Message-ID: <4D594885.20504@redhat.com>

On 02/12/2011 03:45 PM, Jakub Hrozek wrote:
> I couldn't reproduce the traceback, but the code shows where the error
> most probably is.
>
> http://fedorahosted.org/freeipa/ticket/956

ACK, pushed to master

From rcritten at redhat.com Mon Feb 14 15:19:37 2011
From: rcritten at redhat.com (Rob Crittenden)
Date: Mon, 14 Feb 2011 10:19:37 -0500
Subject: [Freeipa-devel] [PATCH] 715 ensure required variables are required
In-Reply-To: <4D5941A8.5050002@redhat.com>
References: <4D54B141.7020900@redhat.com> <201102141346.52504.jzeleny@redhat.com> <201102141359.48371.jzeleny@redhat.com> <4D5941A8.5050002@redhat.com>
Message-ID: <4D594809.7090307@redhat.com>

Rob Crittenden wrote:
> Jan Zelený wrote:
>> Jan Zelený wrote:
>>> Rob Crittenden wrote:
>>>> Yi found a tricky way to remove required attributes that aren't
>>>> required
>>>> in the schema. The problem was we weren't enforcing parameter.required
>>>> in mods (because it was enforcing that every variable with required be
>>>> provided).
>>>>
>>>> I added a new check routine that is executed after setattr/addattr does
>>>> its work and verifies that no required parameters get skipped.
>>>>
>>>> ticket 852
>>>>
>>>> rob
>>>
>>> Looks fine, works as expected. ACK
>>>
>>> I'm just not sure whether it is necessary to call the function twice
>>> - once
>>> on self.params and once on self.obj.params (I get the latter one, but
>>> I'm
>>> not sure whether the former one is necessary).
>
> Hmm, you may be right. I did it in case any of self.params had a
> requires on it, but since this is a mod operation then I think by
> definition it can't.
>
>>>
>>> Jan
>>
>> One more thing - I'm not sure whether it is necessary to add the check to
>> LDAPCreate - I tried to create role with empty description and it
>> failed as
>> expected.
>
> I think you're right. I did it to prevent something like this:
>
> # ipa group-add --desc='foo' --setattr description='' foo
>
> but it is already handled.
>
> I'll work up a new patch.
>
> rob

Updated patch attached.

rob

-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-rcrit-715-2-required.patch
Type: application/mbox
Size: 4498 bytes
Desc: not available
URL:

From rcritten at redhat.com Mon Feb 14 15:20:06 2011
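The check routine the 715 thread describes, modelled as an added example rather than FreeIPA's own code: Param, apply_attr_options, check_required and is_allowed are hypothetical names, and the group parameter list is constructed.

```python
"""Reject modifications that blank a required attribute via --setattr.

Added example, not FreeIPA's own code, modelling the check described in
the patch 715 thread.  In a mod operation a required parameter may be
absent (absent means "leave it unchanged"), so the check runs after the
--setattr/--addattr options have been folded into the entry and rejects
only attributes that end up with no value.  Param, apply_attr_options,
check_required and is_allowed are hypothetical names for this example.
"""
from collections import namedtuple

Param = namedtuple("Param", "name required")

# Constructed parameter list for a group-like object: cn and description
# are required in the framework even though the LDAP schema allows an
# entry without a description (the gap the thread is about).
GROUP_PARAMS = (Param("cn", True), Param("description", True),
                Param("gidnumber", False))


class RequirementError(ValueError):
    """Raised when a required attribute would be left without a value."""


def apply_attr_options(entry_attrs, setattr_opts=(), addattr_opts=()):
    """Fold --setattr/--addattr 'attr=value' options into a copy of entry_attrs.

    --setattr replaces the attribute's value list, --addattr appends to it.
    --setattr description='' reaches us as 'description=' and yields an
    empty list, which is exactly the case the check below has to catch.
    """
    entry = dict((k.lower(), list(v)) for k, v in entry_attrs.items())
    for opt in setattr_opts:
        attr, value = opt.split("=", 1)
        entry[attr.strip().lower()] = [value] if value != "" else []
    for opt in addattr_opts:
        attr, value = opt.split("=", 1)
        entry.setdefault(attr.strip().lower(), []).append(value)
    return entry


def check_required(params, entry_attrs, is_mod):
    """Verify that no required parameter ends up without a value.

    For an add, every required param must be present and non-empty.
    For a mod, only attributes that appear in the modification are
    checked, so a required attribute that is left alone passes.
    """
    missing = []
    for param in params:
        if not param.required:
            continue
        name = param.name.lower()
        if name not in entry_attrs:
            if not is_mod:
                missing.append(param.name)
            continue
        if not [v for v in entry_attrs[name] if v not in (None, "")]:
            missing.append(param.name)
    if missing:
        raise RequirementError("required attribute(s) without a value: %s"
                               % ", ".join(missing))
    return True


def is_allowed(params, options, setattr_opts=(), addattr_opts=(), is_mod=False):
    """True if the add/mod passes the required check, False if it is rejected."""
    entry = apply_attr_options(options, setattr_opts, addattr_opts)
    try:
        return check_required(params, entry, is_mod)
    except RequirementError:
        return False


if __name__ == "__main__":
    # The case from the thread: blanking description via --setattr on a mod.
    print(is_allowed(GROUP_PARAMS, {}, setattr_opts=["description="], is_mod=True))
    # Touching only an optional attribute leaves description alone.
    print(is_allowed(GROUP_PARAMS, {}, setattr_opts=["gidnumber=1001"], is_mod=True))
```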
From: rcritten at redhat.com (Rob Crittenden)
Date: Mon, 14 Feb 2011 10:20:06 -0500
Subject: [Freeipa-devel] [PATCH] 716 ignore case when removing members
In-Reply-To: <201102141441.34395.jzeleny@redhat.com>
References: <4D555C00.1000904@redhat.com> <201102141441.34395.jzeleny@redhat.com>
Message-ID: <4D594826.7020100@redhat.com>

Jan Zelený wrote:
> Rob Crittenden wrote:
>> Ignore case when removing members from a group.
>>
>> ticket 944
>>
>> rob
>
> ack
>
> Jan

pushed to master

From rcritten at redhat.com Mon Feb 14 15:21:30 2011
From: rcritten at redhat.com (Rob Crittenden)
Date: Mon, 14 Feb 2011 10:21:30 -0500
Subject: [Freeipa-devel] [PATCH] 718 move files in packages
In-Reply-To: <201102141431.43909.jzeleny@redhat.com>
References: <4D558943.2020800@redhat.com> <201102141431.43909.jzeleny@redhat.com>
Message-ID: <4D59487A.8000801@redhat.com>

Jan Zelený wrote:
> Rob Crittenden wrote:
>> Move a bunch of utilities that really only make sense to be run on the
>> server from the admintools package to the server package.
>>
>> ticket 947
>>
>> rob
>
> ack
>
> Jan

pushed to master

From rcritten at redhat.com Mon Feb 14 15:23:08 2011
From: rcritten at redhat.com (Rob Crittenden)
Date: Mon, 14 Feb 2011 10:23:08 -0500
Subject: [Freeipa-devel] [PATCH] 719 permission for cn=ipaconfig
In-Reply-To: <201102141450.59955.jzeleny@redhat.com>
References: <4D55AF46.9010108@redhat.com> <201102141437.28952.jzeleny@redhat.com> <1297691117.3123.5.camel@dhcp-25-52.brq.redhat.com> <201102141450.59955.jzeleny@redhat.com>
Message-ID: <4D5948DC.7080100@redhat.com>

Jan Zelený wrote:
> Martin Kosek wrote:
>> On Mon, 2011-02-14 at 14:37 +0100, Jan Zelený wrote:
>>> Rob Crittenden wrote:
>>>> Add permission and privilege for updating the IPA configuration in
>>>> cn=ipaconfig.
>>>>
>>>> ticket 950
>>>>
>>>> rob
>>>
>>> I'm not quite sure how the patch works. In particular, I wonder about
>>> these two blocks:
>>>
>>> +dn: cn=Write IPA Configuration,cn=privileges,cn=pbac,$SUFFIX
>>> +default:objectClass: top
>>> +default:objectClass: groupofnames
>>> +default:objectClass: nestedgroup
>>> +default:cn: Write IPA Configuration
>>> +
>>> +dn: cn=Write IPA Configuration,cn=permissions,cn=pbac,$SUFFIX
>>> +default:objectClass: top
>>> +default:objectClass: groupofnames
>>> +default:objectClass: ipapermission
>>> +default:cn: Write IPA Configuration
>>> +default:member: cn=Write IPA Configuration,cn=privileges,cn=pbac,$SUFFIX
>>>
>>> Can't they be specified in one block like:
>>>
>>> +dn: cn=Write IPA Configuration,cn=privileges,cn=pbac,$SUFFIX
>>> +default:objectClass: top
>>> +default:objectClass: groupofnames
>>> +default:objectClass: nestedgroup
>>> +default:objectClass: ipapermission
>>> +default:cn: Write IPA Configuration
>>> +default:member: cn=Write IPA Configuration,cn=privileges,cn=pbac,$SUFFIX
>>>
>>> Thanks in advance
>>>
>>> Otherwise the patch looks good, so if this is not an issue, I give it
>>> ACK.
>>>
>>> Jan
>>
>> I think this is OK. We are adding 2 objects - one permission called
>> "Write IPA Configuration" (with an underlying ACI) and one privilege
>> also called "Write IPA Configuration". Therefore they cannot be merged
>> to one LDAP object.
>
>
> Oh, sorry, I didn't see that one object is privilege and another one is
> permission.
>
> Jan

pushed to master

From rcritten at redhat.com Mon Feb 14 15:24:03 2011
From: rcritten at redhat.com (Rob Crittenden)
Date: Mon, 14 Feb 2011 10:24:03 -0500
Subject: [Freeipa-devel] [PATCH] 720 provide some logging by default
In-Reply-To:
References:
Message-ID: <4D594913.40306@redhat.com>

JR Aquino wrote:
> On 2/11/11 2:26 PM, "Rob Crittenden" wrote:
>
>> If neither verbose nor debug were set (and they aren't by default) then
>> we logged absolutely nothing about framework requests. This adds a
>> default of who, what, result in the Apache error log.
>>
>> This is a first-step for ticket 873 just to get something logged by
>> default.
>>
>> rob
>
> ACK
>

pushed to master

From rcritten at redhat.com Mon Feb 14 15:30:25 2011
From: rcritten at redhat.com (Rob Crittenden)
Date: Mon, 14 Feb 2011 10:30:25 -0500
Subject: [Freeipa-devel] [PATCH] 027 Support of user default email domain
In-Reply-To: <20110207112859.GD31284@zeppelin.brq.redhat.com>
References: <1296829255.7595.9.camel@dhcp-25-52.brq.redhat.com> <20110207112859.GD31284@zeppelin.brq.redhat.com>
Message-ID: <4D594A91.6030003@redhat.com>

Jakub Hrozek wrote:
> On Fri, Feb 04, 2011 at 03:20:55PM +0100, Martin Kosek wrote:
>> This patch fixes the default domain functionality for user email(s).
>> This setting may be configured via:
>>
>> ipa config-mod --emaildomain=example.com
>>
>> Then, when a user is added/modified and the --mail option is passed,
>> the default domain is appended if the passed attribute does not
>> contain another domain already.
>>
>> https://fedorahosted.org/freeipa/ticket/598
>>
>
> Ack

pushed to master

From rcritten at redhat.com Mon Feb 14 15:33:01 2011
From: rcritten at redhat.com (Rob Crittenden)
Date: Mon, 14 Feb 2011 10:33:01 -0500
Subject: [Freeipa-devel] [PATCH] Fixed type of argument in class help
In-Reply-To: <4D4FE54B.7000602@redhat.com>
References: <201102020854.47812.jzeleny@redhat.com> <20110207094602.GA31284@zeppelin.brq.redhat.com> <201102071054.46730.jzeleny@redhat.com> <4D4FE54B.7000602@redhat.com>
Message-ID: <4D594B2D.1000202@redhat.com>

Jakub Hrozek wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> On 02/07/2011 10:54 AM, Jan Zelený wrote:
>> Jakub Hrozek wrote:
>>> On Wed, Feb 02, 2011 at 08:54:47AM +0100, Jan Zelený wrote:
>>>> At Rob's suggestion I changed the argument type in class help, this is
>>>> only a one-liner, I think it can be pushed directly.
>>>>
>>>> Jan
>>>>
>>>> - takes_args = (Bytes('command?'),)
>>>> + takes_args = (Str('command?'),)
>>>
>>> Nack, you also need to import Str from parameters.
>>
>> Sorry, could have given you a heads-up: this patch should be pushed along with my
>> 30-3 patch from last Wednesday which still waits to be re-reviewed. The import
>> is in that patch.
>>
>> Jan
>
> OK, in that case ack on top of patch #30 (or simply squash the change
> into 30-4, there's no separate ticket anyway)

Pushed to master

From rcritten at redhat.com Mon Feb 14 15:37:25 2011
From: rcritten at redhat.com (Rob Crittenden)
Date: Mon, 14 Feb 2011 10:37:25 -0500
Subject: [Freeipa-devel] [PATCH] 026 HBAC plugin inconsistent output
In-Reply-To: <201102091236.45877.jzeleny@redhat.com>
References: <1296824925.7595.8.camel@dhcp-25-52.brq.redhat.com> <201102071038.07391.jzeleny@redhat.com> <1297245646.3003.12.camel@dhcp-25-52.brq.redhat.com> <201102091236.45877.jzeleny@redhat.com>
Message-ID: <4D594C35.4060102@redhat.com>

Jan Zelený wrote:
> Martin Kosek wrote:
>> On Mon, 2011-02-07 at 10:38 +0100, Jan Zelený wrote:
>>> Martin Kosek wrote:
>>>> This patch adds a proper summary text to HBAC command which is
>>>> then printed out in CLI. Now, HBAC plugin output is consistent
>>>> with other plugins.
>>>>
>>>> https://fedorahosted.org/freeipa/ticket/596
>>>
>>> I believe API.txt should be updated (you change hbacrule_enable and
>>> hbacrule_disable return values), so NACK for now.
>>>
>>> Jan
>>
>> Patch has been rebased, API.txt updated along with some minor changes to
>> achieve consistency between HBAC plugins. All tests pass.
>>
>> Martin
>
> Looks good now, ack
>
> Jan

pushed to master

From rcritten at redhat.com Mon Feb 14 15:40:03 2011
From: rcritten at redhat.com (Rob Crittenden)
Date: Mon, 14 Feb 2011 10:40:03 -0500
Subject: [Freeipa-devel] [PATCH] Append realm name to service principal name.
In-Reply-To: <4D52CAF6.1050200@redhat.com>
References: <4D52CAF6.1050200@redhat.com>
Message-ID: <4D594CD3.10606@redhat.com>

Endi Sukma Dewata wrote:
> The realm name is necessary to create the correct service.

This was fixed by ticket 941, right?

From rcritten at redhat.com Mon Feb 14 15:40:32 2011
From: rcritten at redhat.com (Rob Crittenden)
Date: Mon, 14 Feb 2011 10:40:32 -0500
Subject: [Freeipa-devel] [PATCH] 707 fix wrapping prompt
In-Reply-To: <20110210095533.GB27864@zeppelin.brq.redhat.com>
References: <4D52E28C.3090506@redhat.com> <20110210095533.GB27864@zeppelin.brq.redhat.com>
Message-ID: <4D594CF0.4060100@redhat.com>

Jakub Hrozek wrote:
> On Wed, Feb 09, 2011 at 01:53:00PM -0500, Rob Crittenden wrote:
>> At least in my xterm the prompt for "Do you want to proceed and
>> configure the system with fixed values with no DNS discovery?" wraps
>> around over itself.
>>
>> This patch shortens the message.
>>
>> ticket 940
>>
>> rob
>
> Ack

I pushed this to master last week.

From rcritten at redhat.com Mon Feb 14 15:44:17 2011
From: rcritten at redhat.com (Rob Crittenden)
Date: Mon, 14 Feb 2011 10:44:17 -0500
Subject: [Freeipa-devel] [PATCH] 053 Make sure only root can run ipa-client-install
In-Reply-To: <20110212200102.GA21715@zeppelin.brq.redhat.com>
References: <20110212200102.GA21715@zeppelin.brq.redhat.com>
Message-ID: <4D594DD1.3040900@redhat.com>

Jakub Hrozek wrote:
> https://fedorahosted.org/freeipa/ticket/957
>
>
>

ack, pushed to master

From rcritten at redhat.com Mon Feb 14 15:48:10 2011
From: rcritten at redhat.com (Rob Crittenden)
Date: Mon, 14 Feb 2011 10:48:10 -0500
Subject: [Freeipa-devel] [PATCH] 706 remove certificate from service-find
In-Reply-To: <201102101059.23662.jzeleny@redhat.com>
References: <4D52DC51.5080505@redhat.com> <201102101059.23662.jzeleny@redhat.com>
Message-ID: <4D594EBA.1080001@redhat.com>

Jan Zelený wrote:
> Rob Crittenden wrote:
>> Remove certificate as a service search option. There is no point in
>> searching on binary objects.
>>
>> ticket 912
>>
>> rob
>
> ack
>
> Jan

I pushed this to master last week.

From rcritten at redhat.com Mon Feb 14 15:53:16 2011
From: rcritten at redhat.com (Rob Crittenden)
Date: Mon, 14 Feb 2011 10:53:16 -0500
Subject: [Freeipa-devel] [PATCH] 78 Use ldapi: instead of unsecured ldap: in ipa core tools.
In-Reply-To: <4D53C124.30800@redhat.com>
References: <4D5131BB.6080400@redhat.com> <4D53C124.30800@redhat.com>
Message-ID: <4D594FEC.3050407@redhat.com>

Pavel Zuna wrote:
> On 02/08/2011 01:06 PM, Pavel Zuna wrote:
>> The patch also corrects exception handling in some of the tools.
>>
>> Fix #874
>>
>> Pavel
>>
>
> Updated patch attached. Forgot to rename an identifier in exception
> handling.
>
> Pavel

This isn't applying cleanly to master, can you rebase it?

rob

From JR.Aquino at citrix.com Mon Feb 14 15:56:30 2011
From: JR.Aquino at citrix.com (JR Aquino)
Date: Mon, 14 Feb 2011 15:56:30 +0000
Subject: [Freeipa-devel] [PATCH] 78 Use ldapi: instead of unsecured ldap: in ipa core tools.
In-Reply-To: <4D53C124.30800@redhat.com>
Message-ID:

On 2/10/11 2:42 AM, "Pavel Zuna" wrote:
>On 02/08/2011 01:06 PM, Pavel Zuna wrote:
>> The patch also corrects exception handling in some of the tools.
>>
>> Fix #874
>>
>> Pavel
>>
>
>Updated patch attached. Forgot to rename an identifier in exception
>handling.
>
>Pavel

NACK

It looks like LDAPUpdate calls may want to include ldapi=True?

-=-

# ipa-nis-manage enable
Directory Manager password:
Enabling plugin
Traceback (most recent call last):
  File "/usr/sbin/ipa-nis-manage", line 211, in <module>
    sys.exit(main())
  File "/usr/sbin/ipa-nis-manage", line 151, in main
    ld = LDAPUpdate(dm_password=dirman_password, sub_dict={})
  File "/usr/lib/python2.7/site-packages/ipaserver/install/ldapupdate.py", line 101, in __init__
    conn.do_simple_bind(bindpw=self.dm_password)
  File "/usr/lib/python2.7/site-packages/ipaserver/ipaldap.py", line 350, in do_simple_bind
    self.simple_bind_s(binddn, bindpw)
  File "/usr/lib/python2.7/site-packages/ipaserver/ipaldap.py", line 204, in inner
    return f(*args, **kargs)
  File "/usr/lib64/python2.7/site-packages/ldap/ldapobject.py", line 207, in simple_bind_s
    return self.result(msgid,all=1,timeout=self.timeout)
  File "/usr/lib/python2.7/site-packages/ipaserver/ipaldap.py", line 181, in inner
    objtype, data = f(*args, **kargs)
  File "/usr/lib64/python2.7/site-packages/ldap/ldapobject.py", line 436, in result
    res_type,res_data,res_msgid = self.result2(msgid,all,timeout)
  File "/usr/lib/python2.7/site-packages/ipaserver/ipaldap.py", line 204, in inner
    return f(*args, **kargs)
  File "/usr/lib64/python2.7/site-packages/ldap/ldapobject.py", line 440, in result2
    res_type, res_data, res_msgid, srv_ctrls = self.result3(msgid,all,timeout)
  File "/usr/lib/python2.7/site-packages/ipaserver/ipaldap.py", line 204, in inner
    return f(*args, **kargs)
  File "/usr/lib64/python2.7/site-packages/ldap/ldapobject.py", line 446, in result3
    ldap_result = self._ldap_call(self._l.result3,msgid,all,timeout)
  File "/usr/lib/python2.7/site-packages/ipaserver/ipaldap.py", line 204, in inner
    return f(*args, **kargs)
  File "/usr/lib64/python2.7/site-packages/ldap/ldapobject.py", line 96, in _ldap_call
    result = func(*args,**kwargs)
ldap.UNWILLING_TO_PERFORM: {'info': 'Minimum SSF not met.', 'desc': 'Server is unwilling to perform'}

From rcritten at redhat.com Mon Feb 14 16:04:32 2011
From: rcritten at redhat.com (Rob Crittenden)
Date: Mon, 14 Feb 2011 11:04:32 -0500
Subject: [Freeipa-devel] [PATCH] 698 Translate exception messages
In-Reply-To: <4D4978B6.5070209@redhat.com>
References: <4D488B04.30604@redhat.com> <4D4978B6.5070209@redhat.com>
Message-ID: <4D595290.9060205@redhat.com>

Pavel Zuna wrote:
> On 02/01/2011 11:36 PM, Rob Crittenden wrote:
>> Pavel mentioned this morning that translations didn't seem to be
>> working. I remembered that I did some things on the cli so I re-tested.
>> Turned out that exceptions aren't being translated.
>>
>> I'm not at all sure this patch does the right thing, so take it with a
>> grain of salt. What it does is translate the message before stuffing it
>> into the exception.
>>
>> Note that this will also translate messages returned via XML-RPC so I
>> wonder if we need to force LANG to en_US.UTF-8 there.
>>
>> In any case, this seems to fix the client side anyway. I'm open to
>> criticism on this one.
>>
>> To test do something like:
>>
>> $ kinit admin
>> $ export LANG=es_US.UTF-8
>> $ ipa user-add --first=Kermit --last=Frog kfrog
>> $ ipa user-add --first=Kermit --last=Frog kfrog
>>
>> You should get a DuplicateEntry() response in Spanish.
>>
>> rob
>>
>
> nack.
>
> While this patch works, it doesn't solve the problem at its root.
>
> After some investigation I figured out that the functions initializing
> translations in ipalib/request.py are not called from anywhere. All the
> translation code in ipalib/request.py is currently deprecated in favor
> of ipalib/text.py. I'm preparing a patch that removes the unused code
> and replaces references to it.
>
> Pavel

Patch withdrawn, Pavel is working on a better approach.

From rcritten at redhat.com Mon Feb 14 16:32:22 2011
From: rcritten at redhat.com (Rob Crittenden)
Date: Mon, 14 Feb 2011 11:32:22 -0500
Subject: [Freeipa-devel] [PATCH] Changed dns permission types
In-Reply-To: <201102020824.13446.jzeleny@redhat.com>
References: <201101071805.18499.jzeleny@redhat.com> <201101251335.13954.jzeleny@redhat.com> <4D483F03.1010709@redhat.com> <201102020824.13446.jzeleny@redhat.com>
Message-ID: <4D595916.2010009@redhat.com>

Jan Zelený wrote:
> Rob Crittenden wrote:
>> Jan Zelený wrote:
>>> Jan Zelený wrote:
>>>> Rob Crittenden wrote:
>>>>> Jan Zelený wrote:
>>>>>> Rob Crittenden wrote:
>>>>>>> Jan Zelený wrote:
>>>>>>>> Recent change of DNS module to version caused that dns object type
>>>>>>>> was replaced by dnszone and dnsrecord. This patch corrects dns types
>>>>>>>> in permissions class.
>>>>>>>>
>>>>>>>> https://fedorahosted.org/freeipa/ticket/646
>>>>>>>
>>>>>>> Nack. These values need to be added as valid types to the aci plugin
>>>>>>> and the _type_map needs to be updated.
>>>>>>>
>>>>>>> rob
>>>>>>
>>>>>> I'm sending an updated patch.
>>>>>>
>>>>>> Jan
>>>>>
>>>>> Since dnszone and dnsrecord point to the same kind of entry what is the
>>>>> point of having two separate names for them? When we read the entry we
>>>>> aren't going to be able to differentiate between the two.
>>>>
>>>> I didn't take a look how the type thing works, so I'm kinda guessing
>>>> here (please ignore the comment if it is wrong):
>>>> Sure, object with idnszone class is always also in dnsrecord class, but
>>>> that's not the case backwards (idnsrecord object isn't always idnszone)
>>>> - so I think it is possible to set different ACIs for these two types.
>>>>
>>>>> Can the type be made more specific?
>>>>
>>>> If the mapping doesn't distinguish object classes and it can, maybe
>>>> that's the answer. Will investigate further. But if not, I still think
>>>> this is the way to go considering the underlying issue which we tried to
>>>> solve by this change.
>>>> >>> From what I found I think that making changes necessary to distinguish >>> >>> dnsrecord and dnszone are not worth it, especially that user can use >>> "filter" for that purpose. Since having both of them doesn't have any >>> additional value, I'm sending new version of the patch, which is only >>> adding dnsrecord type. >>> >>> Jan >> >> Ack but this patch needs a rebase. >> >> rob > > Rebased patch in attachment > > Jan pushed to master From rcritten at redhat.com Mon Feb 14 16:35:24 2011 From: rcritten at redhat.com (Rob Crittenden) Date: Mon, 14 Feb 2011 11:35:24 -0500 Subject: [Freeipa-devel] [PATCH] drop the group.upg NIS map In-Reply-To: <20110208221549.GC31444@redhat.com> References: <20110208221549.GC31444@redhat.com> Message-ID: <4D5959CC.3040402@redhat.com> Nalin Dahyabhai wrote: > The group.upg NIS map was an experiment in providing UPG groups > dynamically, and is not one of the maps that I'd ever expect a NIS > client to "know" to search. We should probably just drop it. > > --- > install/share/nis.uldif | 12 ------------ > 1 files changed, 0 insertions(+), 12 deletions(-) > > diff --git a/install/share/nis.uldif b/install/share/nis.uldif > index f23b49e..639c88a 100644 > --- a/install/share/nis.uldif > +++ b/install/share/nis.uldif 
> @@ -45,18 +45,6 @@ default:nis-map: group.bygid > default:nis-base: cn=groups, cn=accounts, $SUFFIX > default:nis-secure: no > > -dn: nis-domain=$DOMAIN+nis-map=group.upg, cn=NIS Server, cn=plugins, cn=config > -default:objectclass: top > -default:objectclass: extensibleObject > -default:nis-domain: $DOMAIN > -default:nis-map: group.upg > -default:nis-base: cn=users, cn=accounts, $SUFFIX > -default:nis-filter: (objectclass=posixAccount) > -default:nis-key-format: %{uid} > -default:nis-value-format: %{uid}:*:%{gidNumber}:%{uid} > -default:nis-secure: no > -default:nis-disallowed-chars: :, > - > dn: nis-domain=$DOMAIN+nis-map=netid.byname, cn=NIS Server, cn=plugins, cn=config > default:objectclass: top > default:objectclass: extensibleObject ack, pushed to master From rcritten at redhat.com Mon Feb 14 17:00:13 2011 
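Review bot: the hunk only removes the seed lines for the group.upg map from install/share/nis.uldif, so a server installed before this change keeps its nis-domain=$DOMAIN+nis-map=group.upg entry under cn=NIS Server, cn=plugins, cn=config and goes on serving that map; if the map is meant to disappear everywhere, pair this with an update step that deletes the existing entry, or at least state in the commit message that existing deployments are unaffected.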
From: rcritten at redhat.com (Rob Crittenden)
Date: Mon, 14 Feb 2011 12:00:13 -0500
Subject: [Freeipa-devel] [PATCH] 025 Detection of v1 server during ipa-client-install
In-Reply-To: <1297243407.3003.9.camel@dhcp-25-52.brq.redhat.com>
References: <1296750811.6407.0.camel@dhcp-25-52.brq.redhat.com> <201102040905.32981.jzeleny@redhat.com> <1297243407.3003.9.camel@dhcp-25-52.brq.redhat.com>
Message-ID: <4D595F9D.9070309@redhat.com>

Martin Kosek wrote:
> On Fri, 2011-02-04 at 09:05 +0100, Jan Zelený wrote:
>> Martin Kosek wrote:
>>> When v2 IPA client is trying to join an IPA v1 server
>>> a strange exception is printed out to the user. This patch
>>> detects this by catching an XML-RPC error reported by ipa-join
>>> binary called in the process which fails on non-existing IPA server
>>> 'join' method.
>>>
>>> wget call had to be changed so that IPA client may get to the
>>> ipa-join step. --no-check-certificate had to be added as V1
>>> server automatically redirects the request to self-signed secure
>>> connection.
>>>
>>> https://fedorahosted.org/freeipa/ticket/553
>>
>> The patch is ok and applies correctly. My only thought was to download the
>> certificate directly from https://..../ca.crt instead of plain http, but there
>> is probably no real benefit.
>>
>> ack
>>
>> Jan
>
> Jan, thanks for the review. And yes, I could not see a benefit too.
> Since the IPA server certificate is not confidential information the
> secure connection is not needed. And since we do not trust the server's
> certificate in this step of installation and --no-check-certificate is
> used, a secure connection would be used for server identity validation
> either.
>
> Therefore, I would ask for the patch to be pushed.
>
> Martin

I can't duplicate the behavior of it redirecting to the SSL port. The /ipa/config directory is purposely excluded from the SSL redirect for this purpose, even on v1 servers. Can we drop that part of the patch?

rob

From jhrozek at redhat.com Mon Feb 14 17:39:49 2011
From: jhrozek at redhat.com (Jakub Hrozek)
Date: Mon, 14 Feb 2011 18:39:49 +0100
Subject: [Freeipa-devel] [PATCH] 703 389-ds startup with krb config
In-Reply-To: <4D54ACAF.9080309@redhat.com>
References: <4D515D5B.9080800@redhat.com> <20110210124112.GB28156@zeppelin.brq.redhat.com> <4D545980.3080701@redhat.com> <4D54ACAF.9080309@redhat.com>
Message-ID: <20110214173948.GA10851@zeppelin.brq.redhat.com>

On Thu, Feb 10, 2011 at 10:27:43PM -0500, Rob Crittenden wrote:
> Rob Crittenden wrote:
> >Jakub Hrozek wrote:
> >>On Tue, Feb 08, 2011 at 10:12:27AM -0500, Rob Crittenden wrote:
> >>>If /etc/krb5.conf doesn't exist or contains no default kerberos
> >>>realm then 389-ds won't start at all. This is a problem during
> >>>installation because we configure 389 first.
> >>>
> >>>This patch will let the server come up, you just won't be able to do
> >>>any joins or password changes until you configure kerberos.
> >>>
> >>>ticket 606
> >>>
> >>>rob
> >>
> >>
> >>I wasn't able to install with this patch when I had no /etc/krb5.conf at
> >>all.
> >>
> >>Here's what the DS error log said:
> >>---
> >>10/Feb/2011:07:30:35 -0500] ipaenrollment_start - [file
> >>ipa_enrollment.c, line 389]: Failed to get default realm?!
> >>[10/Feb/2011:07:30:35 -0500] - Failed to start extendedop plugin
> >>ipa_enrollment_extop
> >>[10/Feb/2011:07:30:35 -0500] ipaenrollment_start - [file
> >>ipa_enrollment.c, line 389]: Failed to get default realm?!
> >>[10/Feb/2011:07:30:35 -0500] - Failed to start extendedop plugin
> >>ipa_enrollment_extop
> >>[10/Feb/2011:07:30:36 -0500] ipaenrollment_start - [file
> >>ipa_enrollment.c, line 389]: Failed to get default realm?!
> >>[10/Feb/2011:07:30:36 -0500] - Failed to start extendedop plugin
> >>ipa_enrollment_extop
> >>---
> >>
> >>Looking at ipaenrollment_start(), it looks like the culprit is that when
> >>krb5_get_default_realm() fails, ret is set to an error code and
> >>returned. It should be either reset to LDAP_SUCCESS or maybe rc should
> >>be used instead.
> >>
> >>Also one nitpick. This:
> >>
> >>-static char *realm;
> >>-static const char *ipa_realm_dn;
> >>+static char *realm = NULL;
> >>+static const char *ipa_realm_dn = NULL;
> >>
> >>Is not necessary, global variables are initialized to NULL
> >>automatically.
> >
> >Updated patch attached. I was able to do full install with this one.
> >
> >rob
>
> Found another problem, new patch.
>
> rob

Ack

From edewata at redhat.com Mon Feb 14 18:31:48 2011
From: edewata at redhat.com (Endi Sukma Dewata)
Date: Mon, 14 Feb 2011 12:31:48 -0600
Subject: [Freeipa-devel] [PATCH] admiyo-0196-DNS-record-search.
In-Reply-To: <4D55EEB8.3020900@redhat.com>
References: <4D55EEB8.3020900@redhat.com>
Message-ID: <4D597514.9080404@redhat.com>

On 2/11/2011 8:21 PM, Adam Young wrote:
>

ACK and pushed to master.

-- 
Endi S. Dewata

From rcritten at redhat.com Mon Feb 14 18:36:42 2011
From: rcritten at redhat.com (Rob Crittenden)
Date: Mon, 14 Feb 2011 13:36:42 -0500
Subject: [Freeipa-devel] [PATCH] 0081 Set KrbExtraData when changing passwords
In-Reply-To: <20110210165606.38be6c36@willson.li.ssimo.org>
References: <20110210165606.38be6c36@willson.li.ssimo.org>
Message-ID: <4D59763A.9050005@redhat.com>

Simo Sorce wrote:
>
> Fixes ticket #937
>
> Simo.

ack, pushed to master

rob

From jhrozek at redhat.com Mon Feb 14 18:49:40 2011
From: jhrozek at redhat.com (Jakub Hrozek)
Date: Mon, 14 Feb 2011 19:49:40 +0100
Subject: [Freeipa-devel] [PATCH] 717 Add replace to ipa-ldap-updater
In-Reply-To: <4D55813F.8040307@redhat.com>
References: <4D55813F.8040307@redhat.com>
Message-ID: <20110214184940.GA11686@zeppelin.brq.redhat.com>

On Fri, Feb 11, 2011 at 01:34:39PM -0500, Rob Crittenden wrote:
> Add a replace verb to ipa-ldap-updater so an existing value can be
> replaced, but only if the value matches the old value in the update.
>
> This would be used for us to replace default values that the
> end-user hasn't already updated. The first one of these would be for
> the kerberos password policy where our default values are on the low
> side. We don't want to interfere with anything already set.
>
> The update file would look like:
>
> dn: cn=global_policy,cn=$REALM,cn=kerberos,$SUFFIX
> replace:krbPwdLockoutDuration: 10: 600
>
> dn: cn=global_policy,cn=$REALM,cn=kerberos,$SUFFIX
> replace:krbPwdMaxFailure: 3: 6
>
> This patch would obsolete Jan's patch titled 'Updated default
> Kerberos password policy". Simo and I had discussed doing something
> like this in IRC and hadn't communicated our intentions to the rest
> of the team, sorry about that.
>
> rob

Ack

From rcritten at redhat.com Mon Feb 14 18:57:49 2011
From: rcritten at redhat.com (Rob Crittenden)
Date: Mon, 14 Feb 2011 13:57:49 -0500
Subject: [Freeipa-devel] [PATCH] 0082 - fix per/post operation with krb password change
In-Reply-To: <20110211160105.5098b68f@willson.li.ssimo.org>
References: <20110211160105.5098b68f@willson.li.ssimo.org>
Message-ID: <4D597B2D.7030005@redhat.com>

Simo Sorce wrote:
>
> We weren't setting the kerberos metadata when modifying userPassword
> for a kerberos enabled record.
>
> Fixes #949
>
> Simo.

ack, pushed to master

From rcritten at redhat.com Mon Feb 14 18:59:10 2011
From: rcritten at redhat.com (Rob Crittenden)
Date: Mon, 14 Feb 2011 13:59:10 -0500
Subject: [Freeipa-devel] [PATCH] 717 Add replace to ipa-ldap-updater
In-Reply-To: <20110214184940.GA11686@zeppelin.brq.redhat.com>
References: <4D55813F.8040307@redhat.com> <20110214184940.GA11686@zeppelin.brq.redhat.com>
Message-ID: <4D597B7E.5080900@redhat.com>

Jakub Hrozek wrote:
> On Fri, Feb 11, 2011 at 01:34:39PM -0500, Rob Crittenden wrote:
>> Add a replace verb to ipa-ldap-updater so an existing value can be
>> replaced, but only if the value matches the old value in the update.
>>
>> This would be used for us to replace default values that the
>> end-user hasn't already updated. The first one of these would be for
>> the kerberos password policy where our default values are on the low
>> side. We don't want to interfere with anything already set.
>>
>> The update file would look like:
>>
>> dn: cn=global_policy,cn=$REALM,cn=kerberos,$SUFFIX
>> replace:krbPwdLockoutDuration: 10: 600
>>
>> dn: cn=global_policy,cn=$REALM,cn=kerberos,$SUFFIX
>> replace:krbPwdMaxFailure: 3: 6
>>
>> This patch would obsolete Jan's patch titled 'Updated default
>> Kerberos password policy". Simo and I had discussed doing something
>> like this in IRC and hadn't communicated our intentions to the rest
>> of the team, sorry about that.
>>
>> rob
>
> Ack

pushed to master

From rcritten at redhat.com Mon Feb 14 19:07:37 2011
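The conditional replace directive from the 717 thread, as an added example rather than ipa-ldap-updater's own code: parse_updates, apply_replace and apply_updates are hypothetical names, the update file is the one quoted in the thread, and the REALM/SUFFIX values and the directory entry are constructed placeholders.

```python
"""Conditional 'replace' directive for an LDAP update file.

Added example, not ipa-ldap-updater's own code, showing the semantics the
patch 717 thread describes: a value is replaced only when the entry still
holds the old value named in the update, so a value the administrator has
already changed is left alone.  parse_updates, apply_replace and
apply_updates are hypothetical names; the directory contents below are
constructed.
"""
from string import Template

# Constructed update file in the format quoted in the thread.
UPDATE_FILE = """\
dn: cn=global_policy,cn=$REALM,cn=kerberos,$SUFFIX
replace:krbPwdLockoutDuration: 10: 600

dn: cn=global_policy,cn=$REALM,cn=kerberos,$SUFFIX
replace:krbPwdMaxFailure: 3: 6
"""

# Placeholder substitutions; a real server derives these from its config.
SUB_DICT = {"REALM": "EXAMPLE.COM", "SUFFIX": "dc=example,dc=com"}


def parse_updates(text, sub_dict):
    """Parse the update file into (dn, attr, old, new) tuples.

    Blocks are separated by blank lines and start with a dn: line; only
    the replace: directive is understood here.  $VARS are substituted
    from sub_dict before parsing.
    """
    updates = []
    dn = None
    for raw in Template(text).safe_substitute(sub_dict).splitlines():
        line = raw.strip()
        if not line:
            dn = None            # a blank line ends the current block
            continue
        if line.lower().startswith("dn:"):
            dn = line[3:].strip()
            continue
        if not line.startswith("replace:"):
            raise ValueError("unsupported directive: %r" % line)
        if dn is None:
            raise ValueError("replace: directive before any dn: %r" % line)
        parts = [p.strip() for p in line[len("replace:"):].split(":", 2)]
        if len(parts) != 3:
            raise ValueError("expected replace:ATTR: OLD: NEW, got %r" % line)
        updates.append((dn, parts[0], parts[1], parts[2]))
    return updates


def _find_attr(entry, attr):
    """LDAP attribute names are case-insensitive; return the stored key."""
    for key in entry:
        if key.lower() == attr.lower():
            return key
    return None


def apply_replace(entry, attr, old, new):
    """Swap old for new in entry[attr]; return True if anything changed.

    An absent attribute, or a value that differs from old (one the admin
    already tuned), is deliberately left untouched.
    """
    key = _find_attr(entry, attr)
    if key is None or old not in entry[key]:
        return False
    entry[key] = [new if v == old else v for v in entry[key]]
    return True


def apply_updates(directory, updates):
    """Apply parsed updates to a dict of dn -> entry; return what changed."""
    changed = []
    for dn, attr, old, new in updates:
        entry = directory.get(dn)
        if entry is not None and apply_replace(entry, attr, old, new):
            changed.append((dn, attr, old, new))
    return changed


def demo():
    """Constructed policy entry: lockout duration still at the old default,
    max failure count already raised by the admin to 5."""
    dn = "cn=global_policy,cn=EXAMPLE.COM,cn=kerberos,dc=example,dc=com"
    directory = {dn: {"krbPwdLockoutDuration": ["10"],
                      "krbPwdMaxFailure": ["5"]}}
    changed = apply_updates(directory, parse_updates(UPDATE_FILE, SUB_DICT))
    return directory[dn], changed


if __name__ == "__main__":
    print(demo())
```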
From: rcritten at redhat.com (Rob Crittenden)
Date: Mon, 14 Feb 2011 14:07:37 -0500
Subject: [Freeipa-devel] [PATCH] 703 389-ds startup with krb config
In-Reply-To: <20110214173948.GA10851@zeppelin.brq.redhat.com>
References: <4D515D5B.9080800@redhat.com> <20110210124112.GB28156@zeppelin.brq.redhat.com> <4D545980.3080701@redhat.com> <4D54ACAF.9080309@redhat.com> <20110214173948.GA10851@zeppelin.brq.redhat.com>
Message-ID: <4D597D79.8060801@redhat.com>

Jakub Hrozek wrote:
> On Thu, Feb 10, 2011 at 10:27:43PM -0500, Rob Crittenden wrote:
>> Rob Crittenden wrote:
>>> Jakub Hrozek wrote:
>>>> On Tue, Feb 08, 2011 at 10:12:27AM -0500, Rob Crittenden wrote:
>>>>> If /etc/krb5.conf doesn't exist or contains no default kerberos
>>>>> realm then 389-ds won't start at all. This is a problem during
>>>>> installation because we configure 389 first.
>>>>>
>>>>> This patch will let the server come up, you just won't be able to do
>>>>> any joins or password changes until you configure kerberos.
>>>>>
>>>>> ticket 606
>>>>>
>>>>> rob
>>>>
>>>>
>>>> I wasn't able to install with this patch when I had no /etc/krb5.conf at
>>>> all.
>>>>
>>>> Here's what the DS error log said:
>>>> ---
>>>> 10/Feb/2011:07:30:35 -0500] ipaenrollment_start - [file
>>>> ipa_enrollment.c, line 389]: Failed to get default realm?!
>>>> [10/Feb/2011:07:30:35 -0500] - Failed to start extendedop plugin
>>>> ipa_enrollment_extop
>>>> [10/Feb/2011:07:30:35 -0500] ipaenrollment_start - [file
>>>> ipa_enrollment.c, line 389]: Failed to get default realm?!
>>>> [10/Feb/2011:07:30:35 -0500] - Failed to start extendedop plugin
>>>> ipa_enrollment_extop
>>>> [10/Feb/2011:07:30:36 -0500] ipaenrollment_start - [file
>>>> ipa_enrollment.c, line 389]: Failed to get default realm?!
>>>> [10/Feb/2011:07:30:36 -0500] - Failed to start extendedop plugin
>>>> ipa_enrollment_extop
>>>> ---
>>>>
>>>> Looking at ipaenrollment_start(), it looks like the culprit is that when
>>>> krb5_get_default_realm() fails, ret is set to an error code and
>>>> returned. It should be either reset to LDAP_SUCCESS or maybe rc should
>>>> be used instead.
>>>>
>>>> Also one nitpick. This:
>>>>
>>>> -static char *realm;
>>>> -static const char *ipa_realm_dn;
>>>> +static char *realm = NULL;
>>>> +static const char *ipa_realm_dn = NULL;
>>>>
>>>> Is not necessary, global variables are initialized to NULL
>>>> automatically.
>>>
>>> Updated patch attached. I was able to do full install with this one.
>>>
>>> rob
>>
>> Found another problem, new patch.
>>
>> rob
>
> Ack

pushed to master

From mkosek at redhat.com Mon Feb 14 19:26:12 2011
From: mkosek at redhat.com (Martin Kosek)
Date: Mon, 14 Feb 2011 20:26:12 +0100
Subject: [Freeipa-devel] [PATCH] 025 Detection of v1 server during ipa-client-install
In-Reply-To: <4D595F9D.9070309@redhat.com>
References: <1296750811.6407.0.camel@dhcp-25-52.brq.redhat.com> <201102040905.32981.jzeleny@redhat.com> <1297243407.3003.9.camel@dhcp-25-52.brq.redhat.com> <4D595F9D.9070309@redhat.com>
Message-ID: <1297711572.3123.16.camel@dhcp-25-52.brq.redhat.com>

On Mon, 2011-02-14 at 12:00 -0500, Rob Crittenden wrote:
> Martin Kosek wrote:
> > On Fri, 2011-02-04 at 09:05 +0100, Jan Zelený wrote:
> >> Martin Kosek wrote:
> >>> When v2 IPA client is trying to join an IPA v1 server
> >>> a strange exception is printed out to the user. This patch
> >>> detects this by catching an XML-RPC error reported by ipa-join
> >>> binary called in the process which fails on non-existent IPA server
> >>> 'join' method.
> >>>
> >>> wget call had to be changed so that IPA client may get to the
> >>> ipa-join step. --no-check-certificate had to be added as V1
> >>> server automatically redirects the request to self-signed secure
> >>> connection.
> >>>
> >>> https://fedorahosted.org/freeipa/ticket/553
> >>
> >> The patch is ok and applies correctly. My only thought was to download the
> >> certificate directly from https://..../ca.crt instead of plain http, but there
> >> is probably no real benefit.
> >>
> >> ack
> >>
> >> Jan
> >
> > Jan, thanks for the review. And yes, I could not see a benefit too.
> > Since the IPA server certificate is not confidential information the
> > secure connection is not needed. And since we do not trust the server's
> > certificate in this step of installation and --no-check-certificate is
> > used, a secure connection would not be used for server identity validation
> > either.
> >
> > Therefore, I would ask for the patch to be pushed.
> >
> > Martin
>
> I can't duplicate the behavior of it redirecting to the SSL port. The
> /ipa/config directory is purposely excluded from the SSL redirect for
> this purpose, even on v1 servers. Can we drop that part of the patch?
>
> rob

I experience this behavior on IPA v1 running on RHEL 5.5 with the
following IPA version:

$ rpm -q ipa-server
ipa-server-1.0.0-15.el5ipa

It may have been changed in higher IPA v1 version, like 1.2x. In this
case you may drop this part of the patch.

Martin

From jzeleny at redhat.com Mon Feb 14 19:31:56 2011
From: jzeleny at redhat.com (Jan Zeleny)
Date: Mon, 14 Feb 2011 20:31:56 +0100
Subject: [Freeipa-devel] [PATCH] 715 ensure required variables are required
In-Reply-To: <4D594809.7090307@redhat.com>
References: <4D54B141.7020900@redhat.com> <4D5941A8.5050002@redhat.com> <4D594809.7090307@redhat.com>
Message-ID: <201102142031.57064.jzeleny@redhat.com>

Rob Crittenden wrote:
> Rob Crittenden wrote:
> > Jan Zelený wrote:
> >> Jan Zelený wrote:
> >>> Rob Crittenden wrote:
> >>>> Yi found a tricky way to remove required attributes that aren't
> >>>> required
> >>>> in the schema. The problem was we weren't enforcing parameter.required
> >>>> in mods (because it was enforcing that every variable with required be
> >>>> provided).
> >>>>
> >>>> I added a new check routine that is executed after setattr/addattr
> >>>> does its work and verifies that no required parameters get skipped.
> >>>>
> >>>> ticket 852
> >>>>
> >>>> rob
> >>>
> >>> Looks fine, works as expected. ACK
> >>>
> >>> I'm just not sure whether it is necessary to call the function twice
> >>> - once
> >>> on self.params and once on self.obj.params (I get the latter one, but
> >>> I'm
> >>> not sure whether the former one is necessary).
> >
> > Hmm, you may be right. I did it in case any of self.params had a
> > requires on it, but since this is a mod operation then I think by
> > definition it can't.
> >
> >>> Jan
> >>
> >> One more thing - I'm not sure whether it is necessary to add the check
> >> to LDAPCreate - I tried to create role with empty description and it
> >> failed as
> >> expected.
> >
> > I think you're right. I did it to prevent something like this:
> >
> > # ipa group-add --desc='foo' --setattr description='' foo
> >
> > but it is already handled.
> >
> > I'll work up a new patch.
> >
> > rob
>
> Updated patch attached.
>
> rob

ack

Jan

From rcritten at redhat.com Mon Feb 14 19:45:53 2011
From: rcritten at redhat.com (Rob Crittenden) Date: Mon, 14 Feb 2011 14:45:53 -0500 Subject: [Freeipa-devel] [PATCH] 052 Fine tuning DNS options In-Reply-To: <20110211213218.GA11709@zeppelin.brq.redhat.com> References: <20110211213218.GA11709@zeppelin.brq.redhat.com> Message-ID: <4D598671.1080204@redhat.com> Jakub Hrozek wrote: > Simo did a nice writeup of the changes in > https://fedorahosted.org/freeipa/ticket/931 ack. Simo also acked this in irc. pushed to master From rcritten at redhat.com Mon Feb 14 19:46:41 2011 
From: rcritten at redhat.com (Rob Crittenden)
Date: Mon, 14 Feb 2011 14:46:41 -0500
Subject: [Freeipa-devel] [PATCH] 715 ensure required variables are required
In-Reply-To: <201102142031.57064.jzeleny@redhat.com>
References: <4D54B141.7020900@redhat.com> <4D5941A8.5050002@redhat.com> <4D594809.7090307@redhat.com> <201102142031.57064.jzeleny@redhat.com>
Message-ID: <4D5986A1.1070804@redhat.com>

Jan Zeleny wrote:
> Rob Crittenden wrote:
>> Rob Crittenden wrote:
>>> Jan Zelený wrote:
>>>> Jan Zelený wrote:
>>>>> Rob Crittenden wrote:
>>>>>> Yi found a tricky way to remove required attributes that aren't
>>>>>> required
>>>>>> in the schema. The problem was we weren't enforcing parameter.required
>>>>>> in mods (because it was enforcing that every variable with required be
>>>>>> provided).
>>>>>>
>>>>>> I added a new check routine that is executed after setattr/addattr
>>>>>> does its work and verifies that no required parameters get skipped.
>>>>>>
>>>>>> ticket 852
>>>>>>
>>>>>> rob
>>>>>
>>>>> Looks fine, works as expected. ACK
>>>>>
>>>>> I'm just not sure whether it is necessary to call the function twice
>>>>> - once
>>>>> on self.params and once on self.obj.params (I get the latter one, but
>>>>> I'm
>>>>> not sure whether the former one is necessary).
>>>
>>> Hmm, you may be right. I did it in case any of self.params had a
>>> requires on it, but since this is a mod operation then I think by
>>> definition it can't.
>>>
>>>>> Jan
>>>>
>>>> One more thing - I'm not sure whether it is necessary to add the check
>>>> to LDAPCreate - I tried to create role with empty description and it
>>>> failed as
>>>> expected.
>>>
>>> I think you're right. I did it to prevent something like this:
>>>
>>> # ipa group-add --desc='foo' --setattr description='' foo
>>>
>>> but it is already handled.
>>>
>>> I'll work up a new patch.
>>>
>>> rob
>>
>> Updated patch attached.
>>
>> rob
>
> ack
>
> Jan

pushed to master

From rcritten at redhat.com Mon Feb 14 19:54:13 2011
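The class of bug ticket 852 closes is worth seeing in code: a modify command that accepts raw --setattr/--addattr edits lets a caller blank out an attribute the API marks required but the LDAP schema does not, unless a requirement check runs after the raw edits are merged. The following is an added illustration, not the FreeIPA ldap plugin code; the parameter table, the entry and the group_mod() wrapper are constructed for the example.

```python
"""Enforcing 'required' after --setattr/--addattr style raw edits.

Added example, not FreeIPA's own LDAPUpdate/LDAPCreate code.  The raw
edits are merged into a copy of the entry first, then every parameter
flagged required is checked to still carry a non-blank value.  The
parameter table, the entry and group_mod() are constructed.
"""


class RequirementError(ValueError):
    """Raised when a raw edit would leave a required attribute empty."""


def apply_raw_edits(entry, setattr=(), addattr=()):
    """Merge 'attr=value' strings into entry (dict attr -> list of values).

    setattr replaces the whole value list; an empty value clears it.
    addattr appends a value.  The input entry is not modified.
    """
    new = {k: list(v) for k, v in entry.items()}
    for item in setattr:
        attr, _, value = item.partition("=")
        attr = attr.lower()
        new[attr] = [value] if value != "" else []
    for item in addattr:
        attr, _, value = item.partition("=")
        new.setdefault(attr.lower(), []).append(value)
    return new


def check_required(params, entry):
    """Raise RequirementError if any required param ends up without a value.

    params maps attribute name -> {'required': bool}.  Empty and
    whitespace-only strings count as missing; that is what the
    --setattr description='' trick relied on.
    """
    missing = []
    for attr, spec in params.items():
        if not spec.get("required"):
            continue
        values = [v for v in entry.get(attr.lower(), []) if v.strip()]
        if not values:
            missing.append(attr)
    if missing:
        raise RequirementError("required attribute(s) cleared: %s"
                               % ", ".join(sorted(missing)))
    return True


# Constructed subset of what a group object might declare.
GROUP_PARAMS = {
    "cn": {"required": True},
    "description": {"required": True},
    "gidnumber": {"required": False},
}


def group_mod(entry, setattr=(), addattr=()):
    """Apply the raw edits, then run the post-edit requirement check."""
    updated = apply_raw_edits(entry, setattr, addattr)
    check_required(GROUP_PARAMS, updated)
    return updated
```

Running the check only on the declared parameters before the edits are applied (the pre-patch behaviour the thread describes) would not catch this, because the raw edit bypasses the parameter layer entirely; the check has to look at the merged result.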
From: rcritten at redhat.com (Rob Crittenden)
Date: Mon, 14 Feb 2011 14:54:13 -0500
Subject: [Freeipa-devel] [PATCH] 051 Remove obsolete record types from DNS
In-Reply-To: <201102141410.08222.jzeleny@redhat.com>
References: <20110211102217.GC9354@zeppelin.brq.redhat.com> <201102141410.08222.jzeleny@redhat.com>
Message-ID: <4D598865.4070400@redhat.com>

Jan Zelený wrote:
> Jakub Hrozek wrote:
>> https://fedorahosted.org/freeipa/ticket/923
>
> Patch looks good. I'm running some test. Unless they fail, ACK
>
> Jan

pushed to master

From jzeleny at redhat.com Mon Feb 14 20:00:55 2011
From: jzeleny at redhat.com (Jan Zeleny)
Date: Mon, 14 Feb 2011 21:00:55 +0100
Subject: [Freeipa-devel] [PATCH] 055 Set ldap_netgroup_search_base for in ipa-client-install
In-Reply-To: <20110213170735.GA30604@zeppelin.brq.redhat.com>
References: <20110213170735.GA30604@zeppelin.brq.redhat.com>
Message-ID: <201102142100.55721.jzeleny@redhat.com>

Jakub Hrozek wrote:
> https://fedorahosted.org/freeipa/ticket/932

ack

Jan

From rcritten at redhat.com Mon Feb 14 20:04:02 2011
From: rcritten at redhat.com (Rob Crittenden)
Date: Mon, 14 Feb 2011 15:04:02 -0500
Subject: [Freeipa-devel] [PATCH] 025 Detection of v1 server during ipa-client-install
In-Reply-To: <1297711572.3123.16.camel@dhcp-25-52.brq.redhat.com>
References: <1296750811.6407.0.camel@dhcp-25-52.brq.redhat.com> <201102040905.32981.jzeleny@redhat.com> <1297243407.3003.9.camel@dhcp-25-52.brq.redhat.com> <4D595F9D.9070309@redhat.com> <1297711572.3123.16.camel@dhcp-25-52.brq.redhat.com>
Message-ID: <4D598AB2.5090606@redhat.com>

Martin Kosek wrote:
> On Mon, 2011-02-14 at 12:00 -0500, Rob Crittenden wrote:
>> Martin Kosek wrote:
>>> On Fri, 2011-02-04 at 09:05 +0100, Jan Zelený wrote:
>>>> Martin Kosek wrote:
>>>>> When v2 IPA client is trying to join an IPA v1 server
>>>>> a strange exception is printed out to the user. This patch
>>>>> detects this by catching an XML-RPC error reported by ipa-join
>>>>> binary called in the process which fails on non-existent IPA server
>>>>> 'join' method.
>>>>>
>>>>> wget call had to be changed so that IPA client may get to the
>>>>> ipa-join step. --no-check-certificate had to be added as V1
>>>>> server automatically redirects the request to self-signed secure
>>>>> connection.
>>>>>
>>>>> https://fedorahosted.org/freeipa/ticket/553
>>>>
>>>> The patch is ok and applies correctly. My only thought was to download the
>>>> certificate directly from https://..../ca.crt instead of plain http, but there
>>>> is probably no real benefit.
>>>>
>>>> ack
>>>>
>>>> Jan
>>>
>>> Jan, thanks for the review. And yes, I could not see a benefit too.
>>> Since the IPA server certificate is not confidential information the
>>> secure connection is not needed. And since we do not trust the server's
>>> certificate in this step of installation and --no-check-certificate is
>>> used, a secure connection would not be used for server identity validation
>>> either.
>>>
>>> Therefore, I would ask for the patch to be pushed.
>>>
>>> Martin
>>
>> I can't duplicate the behavior of it redirecting to the SSL port. The
>> /ipa/config directory is purposely excluded from the SSL redirect for
>> this purpose, even on v1 servers. Can we drop that part of the patch?
>>
>> rob
>
> I experience this behavior on IPA v1 running on RHEL 5.5 with the
> following IPA version:
>
> $ rpm -q ipa-server
> ipa-server-1.0.0-15.el5ipa
>
> It may have been changed in higher IPA v1 version, like 1.2x. In this
> case you may drop this part of the patch.
>
> Martin
>

Ok, pushed to master without the wget change.

rob

From rcritten at redhat.com Mon Feb 14 20:06:15 2011
From: rcritten at redhat.com (Rob Crittenden)
Date: Mon, 14 Feb 2011 15:06:15 -0500
Subject: [Freeipa-devel] [PATCH] 16 Bugfix for ipa-client-install echo's password in cleartext to stdout
In-Reply-To:
References:
Message-ID: <4D598B37.9090005@redhat.com>

JR Aquino wrote:
> During the ipa-client-install, when prompted for the principal password, it is possible to start typing and have the password echoed back.
>
> This patch corrects this behavior and addresses bug #959
> https://fedorahosted.org/freeipa/ticket/959
>

It works well if you provide a password but if you just hit ENTER you
end up in no-man's land waiting for something to happen. What is
happening under the hood is kinit has also prompted but stdout/stderr is
not being displayed.

So nack, we should catch that empty password and error out or re-prompt
or something.

rob

From JR.Aquino at citrix.com Mon Feb 14 20:08:37 2011
From: JR.Aquino at citrix.com (JR Aquino)
Date: Mon, 14 Feb 2011 20:08:37 +0000
Subject: [Freeipa-devel] [PATCH] 16-1 Bugfix for ipa-client-install echo's password in cleartext to stdout
In-Reply-To: <4D598B37.9090005@redhat.com>
Message-ID:

Patch 16-1 submitted to exit if no password is given.

On 2/14/11 12:06 PM, "Rob Crittenden" wrote:

>JR Aquino wrote:
>> During the ipa-client-install, when prompted for the principal
>>password, it is possible to start typing and have the password echoed
>>back.
>>
>> This patch corrects this behavior and addresses bug #959
>> https://fedorahosted.org/freeipa/ticket/959
>>
>
>It works well if you provide a password but if you just hit ENTER you
>end up in no-man's land waiting for something to happen. What is
>happening under the hood is kinit has also prompted but stdout/stderr is
>not being displayed.
>
>So nack, we should catch that empty password and error out or re-prompt
>or something.
>
>rob

-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-jraquino-0016-2-Bugfix-for-ipa-client-install-echo-s-password-in-cle.patch
Type: application/octet-stream
Size: 1383 bytes
Desc: freeipa-jraquino-0016-2-Bugfix-for-ipa-client-install-echo-s-password-in-cle.patch
URL:

From rcritten at redhat.com Mon Feb 14 20:44:03 2011
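Both halves of the bug in this thread (the password echoed back, then an empty answer handed to kinit, which prompts again with its output hidden so the install appears to hang) in one added example. This is not the ipa-client-install code or JR's patch; it shows the shape of the fix: read with getpass (no echo), refuse an empty answer, and feed the password to kinit on stdin rather than argv. The prompt and process-runner callables are injectable so the logic can be exercised without a terminal or a KDC; the principal name is a placeholder.

```python
"""Prompting for an enrollment password without echo, and refusing ''.

Added example, not ipa-client-install's own code.  read_principal_password()
uses getpass (never echoes) and raises instead of returning an empty
string; run_kinit() passes the password on stdin, never on the command
line where it would be visible in the process list.  Both take injectable
callables so they can be tested offline.
"""
import getpass
import subprocess
import sys


class EmptyPasswordError(ValueError):
    """Raised when no non-empty password was entered."""


def read_principal_password(principal, prompt=getpass.getpass, attempts=3):
    """Return a non-empty password for principal, or raise EmptyPasswordError.

    prompt is a callable taking the prompt string; the default,
    getpass.getpass, reads from the terminal with echo disabled.
    """
    for _ in range(attempts):
        password = prompt("Password for %s: " % principal)
        if password is None:
            password = ""
        # Strip only line endings so passwords with spaces survive intact.
        password = password.rstrip("\r\n")
        if password:
            return password
        sys.stderr.write("Password must not be empty.\n")
    raise EmptyPasswordError("no password given for %s" % principal)


def run_kinit(principal, password, runner=subprocess.run):
    """Run kinit for principal, feeding the password on stdin.

    Refuses an empty password up front: otherwise kinit would prompt on
    its own and, with its stdio captured, appear to hang.  runner is
    injectable; it receives the argv and keyword arguments of
    subprocess.run and its return value is passed back to the caller.
    """
    if not password:
        raise EmptyPasswordError("refusing to run kinit with an empty password")
    return runner(["kinit", principal], input=password + "\n",
                  capture_output=True, text=True, check=False)


if __name__ == "__main__":
    principal = "admin@EXAMPLE.COM"   # placeholder principal
    try:
        pw = read_principal_password(principal)
    except EmptyPasswordError as e:
        sys.exit("Error: %s" % e)
    proc = run_kinit(principal, pw)
    if proc.returncode != 0:
        sys.stderr.write(proc.stderr)
    sys.exit(proc.returncode)
```

Capturing kinit's output and surfacing it only on failure keeps the install quiet on success while still showing the KDC's error text (wrong password, clock skew) when something goes wrong.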
From: rcritten at redhat.com (Rob Crittenden) Date: Mon, 14 Feb 2011 15:44:03 -0500 Subject: [Freeipa-devel] [PATCH] 16-1 Bugfix for ipa-client-install echo's password in cleartext to stdout In-Reply-To: References: Message-ID: <4D599413.3030401@redhat.com> JR Aquino wrote: > Patch 16-1 submitted to exit if no password is given. > > On 2/14/11 12:06 PM, "Rob Crittenden" wrote: > >> JR Aquino wrote: >>> During the ipa-client-install, when prompted for the principal >>> password, it is possible to start typing and have the password echoed >>> back. >>> >>> This patch corrects this behavior and addresses bug #959 >>> https://fedorahosted.org/freeipa/ticket/959 >>> >> >> It works well if you provide a password but if you just hit ENTER you >> end up in no-man's land waiting for something to happen. What is >> happening under the hood is kinit has also prompted but stdout/stderr is >> not being displayed. >> >> So nack, we should catch that empty password and error out or re-prompt >> or something. >> >> rob > Pushed to master rob From jhrozek at redhat.com Mon Feb 14 21:15:59 2011 From: jhrozek at redhat.com (Jakub Hrozek) Date: Mon, 14 Feb 2011 22:15:59 +0100 Subject: [Freeipa-devel] [PATCH] 721 fix cert-show In-Reply-To: <4D55C2AB.6060700@redhat.com> References: <4D55C2AB.6060700@redhat.com> Message-ID: <4D599B8F.6020307@redhat.com> On 02/12/2011 12:13 AM, Rob Crittenden wrote: > The --out option wasn't working at all with cert-show. > > Also fix some related problems in write_certificate(), handle either a > DER or base64-formatted incoming certificate and don't explode if the > filename is None. > > ticket 954 > > rob --out now works fine. Ack. From rcritten at redhat.com Mon Feb 14 21:24:02 2011 
From: rcritten at redhat.com (Rob Crittenden) Date: Mon, 14 Feb 2011 16:24:02 -0500 Subject: [Freeipa-devel] [PATCH] 722 add missing import to host.py Message-ID: <4D599D72.2060001@redhat.com> host.py was missing an import for netaddr. Pushed under the 1-liner rule. ticket 964 rob -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-rcrit-722-netaddr.patch Type: application/mbox Size: 681 bytes Desc: not available URL: From rcritten at redhat.com Mon Feb 14 21:44:08 2011 From: rcritten at redhat.com (Rob Crittenden) Date: Mon, 14 Feb 2011 16:44:08 -0500 Subject: [Freeipa-devel] [PATCH] 721 fix cert-show In-Reply-To: <4D599B8F.6020307@redhat.com> References: <4D55C2AB.6060700@redhat.com> <4D599B8F.6020307@redhat.com> Message-ID: <4D59A228.9020701@redhat.com> Jakub Hrozek wrote: > On 02/12/2011 12:13 AM, Rob Crittenden wrote: >> The --out option wasn't working at all with cert-show. >> >> Also fix some related problems in write_certificate(), handle either a >> DER or base64-formatted incoming certificate and don't explode if the >> filename is None. >> >> ticket 954 >> >> rob > > --out now works fine. Ack. pushed to master From rcritten at redhat.com Mon Feb 14 23:19:22 2011 
From: rcritten at redhat.com (Rob Crittenden)
Date: Mon, 14 Feb 2011 18:19:22 -0500
Subject: [Freeipa-devel] [PATCH] 723 fix ipa-replica-prepare
Message-ID: <4D59B87A.3060701@redhat.com>

Pushed under a liberal view of the 1-liner rule.

ipa-replica-prepare was failing due to a unicode problem creating the DNS entries. This is the first one-liner.

The second related to pre-generating the server certificates for dogtag. It was failing in python-nss when trying to shut down the NSS database. It failed whether we had initialized it or not so I basically am passing on errors right now. I opened ticket 965 for further investigation.

rob

-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-rcrit-723-replica.patch
Type: application/mbox
Size: 2048 bytes
Desc: not available
URL:

From rcritten at redhat.com Tue Feb 15 04:08:42 2011
From: rcritten at redhat.com (Rob Crittenden)
Date: Mon, 14 Feb 2011 23:08:42 -0500
Subject: [Freeipa-devel] Announcing FreeIPA v2 Server Release Candidate 1 Release
Message-ID: <4D59FC4A.5050603@redhat.com>

To all freeipa-interest, freeipa-users and freeipa-devel list members,

The FreeIPA project team is pleased to announce the availability of the Release Candidate 1 release of freeIPA 2.0 server [1].

* Binaries are available for F-14 and F-15 [2].
* Please do not hesitate to share feedback, criticism or bugs with us on our mailing list: freeipa-users at redhat.com

Main Highlights of the Release Candidate.

This release consists primarily of bug fixes and polish across all areas of the project. Modifications include but are not limited to:

* Installation fixes.
* DNS improvements.
* WebUI improvements.

Focus of the Release Candidate Testing

* There is a Fedora test day for FreeIPA on Feb 15th [3]. Please join us in testing FreeIPA. The exact instructions will be provided later and will be available off the link on the page.
* The following section outlines the areas that we are most interested in testing [4].

Significant Changes Since Beta 2

To see all the tickets addressed since the beta 2 release see [6].

Repositories and Installation

* Use the following link to install the beta 2 packages [5].
* On Fedora-14 FreeIPA relies on the latest versions of the packages currently available from the updates-testing repository. Please make sure to enable this repository before you proceed with installation.

Known Issues:

* There are known issues that currently prevent FreeIPA from successfully installing with dogtag on F-15 [2]. We will send a separate message when this issue is resolved. The FreeIPA server is installable with the --selfsign option on F-15, or with dogtag on F-14.
* Server-generated error messages are not translated yet.
* IPv6 support is not complete.
* The 'ipa help' command does not support localization.

We plan to address all the outstanding tickets before the final 2.0 release. For the complete list see [7].

Thank you,
The FreeIPA development team

[1] http://www.freeipa.org/page/Downloads
[2] dogtag is having issues with systemd: https://bugzilla.redhat.com/show_bug.cgi?id=676330
[3] https://fedoraproject.org/wiki/QA/Fedora_15_test_days
[4] https://fedoraproject.org/wiki/Features/FreeIPAv2#How_To_Test
[5] http://freeipa.org/downloads/freeipa-devel.repo
[6] https://fedorahosted.org/freeipa/query?status=closed&milestone=2.0.1+Bug+fixing+(RC)
[7] https://fedorahosted.org/freeipa/milestone/2.0.2%20Bug%20fixing%20%28RC2%29

From jzeleny at redhat.com Tue Feb 15 10:06:05 2011
From: jzeleny at redhat.com (Jan Zelený)
Date: Tue, 15 Feb 2011 11:06:05 +0100
Subject: [Freeipa-devel] [PATCH] 42 Add group members to default output of sudorule-show
Message-ID: <201102151106.05168.jzeleny@redhat.com>

https://fedorahosted.org/freeipa/ticket/915

Jan

-------------- next part --------------
A non-text attachment was scrubbed...
Name: jzeleny-freeipa-0042-Add-group-members-to-default-output-of-sudorule-show.patch
Type: text/x-patch
Size: 1013 bytes
Desc: not available
URL:

From jzeleny at redhat.com Tue Feb 15 10:59:04 2011
From: jzeleny at redhat.com (Jan Zelený)
Date: Tue, 15 Feb 2011 11:59:04 +0100
Subject: [Freeipa-devel] [PATCH] Fix a typo in ipa-client-install man page
Message-ID: <201102151159.04748.jzeleny@redhat.com>

https://fedorahosted.org/freeipa/ticket/782

Jan

-------------- next part --------------
A non-text attachment was scrubbed...
Name: jzeleny-freeipa-0043-Fix-a-typo-in-man-pages.patch
Type: text/x-patch
Size: 917 bytes
Desc: not available
URL:

From jhrozek at redhat.com Tue Feb 15 11:04:25 2011
From: jhrozek at redhat.com (Jakub Hrozek)
Date: Tue, 15 Feb 2011 12:04:25 +0100
Subject: [Freeipa-devel] [PATCH] 056 Note --ip-address parameter of ipa-replica-prepare in man page
Message-ID: <4D5A5DB9.6090505@redhat.com>

https://fedorahosted.org/freeipa/ticket/615

-------------- next part --------------
A non-text attachment was scrubbed...
Name: jhrozek-freeipa-056-replica-prepare-man.patch
Type: text/x-patch
Size: 1399 bytes
Desc: not available
URL:

From jhrozek at redhat.com Tue Feb 15 11:09:11 2011
From: jhrozek at redhat.com (Jakub Hrozek)
Date: Tue, 15 Feb 2011 12:09:11 +0100
Subject: [Freeipa-devel] [PATCH] 057 Validate MX records
Message-ID: <4D5A5ED7.6070607@redhat.com>

https://fedorahosted.org/freeipa/ticket/967

I'm wondering whether to extend the patch - if the mail server name does not end with a dot, BIND treats it as relative to the zone. So if you do:

ipa dnsrecord-add example.com @ --mx-rec="10 mail.example.com"

dig would then return mail.example.com.example.com

The correct way of adding it is (note the trailing dot):

ipa dnsrecord-add example.com @ --mx-rec="10 mail.example.com."

This is in line with how nsupdate works, so should we just document it? A smarter way might be to check if the hostname ends with the zone name and append a dot, but I'm not sure if that is perhaps /too/ smart..

-------------- next part --------------
A non-text attachment was scrubbed...
Name: jhrozek-freeipa-057-mx-record.patch
Type: text/x-patch
Size: 8586 bytes
Desc: not available
URL:

From mkosek at redhat.com Tue Feb 15 13:25:32 2011
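An added example of what validating an MX value can look like, including the relative-name pitfall Jakub raises. This is not the dnsrecord plugin or patch 057: parse_mx() checks the "<preference> <exchange>" syntax, and check_mx() warns when an exchange inside the zone lacks the trailing dot (so BIND would resolve mail.example.com.example.com), or with fix=True appends the dot, which is the "smarter" option the mail floats. The hostname rules and sample values are the example's own.

```python
"""Validating an MX record value and catching the relative-name pitfall.

Added example; not FreeIPA's dnsrecord plugin.  An MX value is
"<preference> <exchange>".  When the exchange has no trailing dot BIND
treats it as relative to the zone, so "10 mail.example.com" in zone
example.com resolves to mail.example.com.example.com.  check_mx()
validates the syntax and, when the zone is known, flags (or with
fix=True qualifies) an exchange that ends in the zone name but lacks
the dot.  Label rules follow RFC 1035 hostnames; sample values are
constructed.
"""
import re

# One DNS label: 1-63 chars of letters, digits, hyphen; no leading/trailing hyphen.
_LABEL = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")


class MXError(ValueError):
    """Raised for a syntactically invalid MX value."""


def _valid_hostname(name):
    labels = name.rstrip(".").split(".")
    return len(name) <= 255 and all(_LABEL.match(label) for label in labels)


def parse_mx(value):
    """Split "10 mail.example.com." into (10, "mail.example.com.")."""
    parts = value.split()
    if len(parts) != 2:
        raise MXError("MX record must be '<preference> <exchange>': %r" % value)
    pref, exchange = parts
    if not pref.isdigit() or not 0 <= int(pref) <= 65535:
        raise MXError("preference must be an integer 0-65535: %r" % pref)
    if not _valid_hostname(exchange):
        raise MXError("invalid exchange hostname: %r" % exchange)
    return int(pref), exchange


def check_mx(value, zone=None, fix=False):
    """Return (preference, exchange, warning).

    warning is None or a string explaining how BIND will actually read a
    relative exchange.  With fix=True an exchange that already ends with
    the zone name gets its trailing dot appended instead of a warning.
    """
    pref, exchange = parse_mx(value)
    warning = None
    if zone and not exchange.endswith("."):
        zone = zone.rstrip(".")
        if exchange == zone or exchange.endswith("." + zone):
            if fix:
                exchange += "."
            else:
                warning = ("%s has no trailing dot; BIND will read it as %s.%s."
                           % (exchange, exchange, zone))
        else:
            # A bare label such as "mail" is legitimately relative; still say
            # what it will resolve to so the caller can confirm that is intended.
            warning = "%s is relative to %s (resolves as %s.%s.)" % (
                exchange, zone, exchange, zone)
    return pref, exchange, warning


if __name__ == "__main__":
    for raw in ("10 mail.example.com", "10 mail.example.com.", "10 mail"):
        print(raw, "->", check_mx(raw, zone="example.com"))
```

Whether to auto-append the dot is a policy choice; the warning path keeps the nsupdate-compatible behaviour and just makes the consequence visible at record-add time instead of at the first bounced mail.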
From: mkosek at redhat.com (Martin Kosek) Date: Tue, 15 Feb 2011 14:25:32 +0100 Subject: [Freeipa-devel] [PATCH] 031 Remove WebUI identifiers from global namespace Message-ID: <1297776332.3047.3.camel@dhcp-25-52.brq.redhat.com> Many WebUI identifiers were defined in a global namespace. This is not a good programming practice and may result in name clashes, for example with other libraries. This patch moves these variables to IPA namespace or its sub-namespaces, if required. https://fedorahosted.org/freeipa/ticket/212 -------------- next part -------------- A non-text attachment was scrubbed... Name: mkosek-freeipa-031-remove-webui-identifiers-from-global-namespace.patch Type: text/x-patch Size: 35625 bytes Desc: not available URL: From pzuna at redhat.com Tue Feb 15 14:18:40 2011 From: pzuna at redhat.com (Pavel Zuna) Date: Tue, 15 Feb 2011 15:18:40 +0100 Subject: [Freeipa-devel] [PATCH] 78 Use ldapi: instead of unsecured ldap: in ipa core tools. In-Reply-To: <4D594FEC.3050407@redhat.com> References: <4D5131BB.6080400@redhat.com> <4D53C124.30800@redhat.com> <4D594FEC.3050407@redhat.com> Message-ID: <4D5A8B40.50204@redhat.com> On 02/14/2011 04:53 PM, Rob Crittenden wrote: > Pavel Zuna wrote: >> On 02/08/2011 01:06 PM, Pavel Zuna wrote: >>> The patch also corrects exception handling in some of the tools. >>> >>> Fix #874 >>> >>> Pavel >>> >> >> Updated patch attached. Forgot to rename an identifier in exception >> handling. >> >> Pavel > > This isn't applying cleanly to master, can you rebase it? > > rob Rebased patch attached. Pavel -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pzuna-78-3-toolsldapi.patch Type: application/mbox Size: 11583 bytes Desc: not available URL: From pzuna at redhat.com Tue Feb 15 14:19:50 2011 
From: pzuna at redhat.com (Pavel Zuna)
Date: Tue, 15 Feb 2011 15:19:50 +0100
Subject: [Freeipa-devel] [PATCH] 78 Use ldapi: instead of unsecured ldap: in ipa core tools.
In-Reply-To:
References:
Message-ID: <4D5A8B86.3050105@redhat.com>

On 02/14/2011 04:56 PM, JR Aquino wrote:
> On 2/10/11 2:42 AM, "Pavel Zuna" wrote:
>
>> On 02/08/2011 01:06 PM, Pavel Zuna wrote:
>>> The patch also corrects exception handling in some of the tools.
>>>
>>> Fix #874
>>>
>>> Pavel
>>>
>>
>> Updated patch attached. Forgot to rename an identifier in exception
>> handling.
>>
>> Pavel
>> _______________________________________________
>> Freeipa-devel mailing list
>> Freeipa-devel at redhat.com
>> https://www.redhat.com/mailman/listinfo/freeipa-devel
>
> NACK
>
> It looks like LDAPUpdate calls may want to include ldapi=True?
>
> -=-
> # ipa-nis-manage enable
> Directory Manager password:
>
> Enabling plugin
> Traceback (most recent call last):
>   File "/usr/sbin/ipa-nis-manage", line 211, in <module>
>     sys.exit(main())
>   File "/usr/sbin/ipa-nis-manage", line 151, in main
>     ld = LDAPUpdate(dm_password=dirman_password, sub_dict={})
>   File "/usr/lib/python2.7/site-packages/ipaserver/install/ldapupdate.py", line 101, in __init__
>     conn.do_simple_bind(bindpw=self.dm_password)
>   File "/usr/lib/python2.7/site-packages/ipaserver/ipaldap.py", line 350, in do_simple_bind
>     self.simple_bind_s(binddn, bindpw)
>   File "/usr/lib/python2.7/site-packages/ipaserver/ipaldap.py", line 204, in inner
>     return f(*args, **kargs)
>   File "/usr/lib64/python2.7/site-packages/ldap/ldapobject.py", line 207, in simple_bind_s
>     return self.result(msgid,all=1,timeout=self.timeout)
>   File "/usr/lib/python2.7/site-packages/ipaserver/ipaldap.py", line 181, in inner
>     objtype, data = f(*args, **kargs)
>   File "/usr/lib64/python2.7/site-packages/ldap/ldapobject.py", line 436, in result
>     res_type,res_data,res_msgid = self.result2(msgid,all,timeout)
>   File "/usr/lib/python2.7/site-packages/ipaserver/ipaldap.py", line 204, in inner
>     return f(*args, **kargs)
>   File "/usr/lib64/python2.7/site-packages/ldap/ldapobject.py", line 440, in result2
>     res_type, res_data, res_msgid, srv_ctrls = self.result3(msgid,all,timeout)
>   File "/usr/lib/python2.7/site-packages/ipaserver/ipaldap.py", line 204, in inner
>     return f(*args, **kargs)
>   File "/usr/lib64/python2.7/site-packages/ldap/ldapobject.py", line 446, in result3
>     ldap_result = self._ldap_call(self._l.result3,msgid,all,timeout)
>   File "/usr/lib/python2.7/site-packages/ipaserver/ipaldap.py", line 204, in inner
>     return f(*args, **kargs)
>   File "/usr/lib64/python2.7/site-packages/ldap/ldapobject.py", line 96, in _ldap_call
>     result = func(*args,**kwargs)
> ldap.UNWILLING_TO_PERFORM: {'info': 'Minimum SSF not met.', 'desc': 'Server is unwilling to perform'}
>

I can't reproduce this. :-/

For me it goes fine:

[root at ipadev tools]# ./ipa-nis-manage enable
Directory Manager password:

Enabling plugin
This setting will not take effect until you restart Directory Server.
The rpcbind service may need to be started.

Pavel

From jzeleny at redhat.com Tue Feb 15 14:24:58 2011
From: jzeleny at redhat.com (Jan Zelený)
Date: Tue, 15 Feb 2011 15:24:58 +0100
Subject: [Freeipa-devel] [PATCH] Don't load the LDAP schema during startup
Message-ID: <201102151524.59018.jzeleny@redhat.com>

Loading of the schema is now performed in the first request that requires it.

https://fedorahosted.org/freeipa/ticket/583

Jan

-------------- next part --------------
A non-text attachment was scrubbed...
Name: jzeleny-freeipa-0041-Don-t-load-the-LDAP-schema-during-startup.patch
Type: text/x-patch
Size: 5668 bytes
Desc: not available
URL:

From JR.Aquino at citrix.com Tue Feb 15 14:51:36 2011
From: JR.Aquino at citrix.com (JR Aquino)
Date: Tue, 15 Feb 2011 14:51:36 +0000
Subject: [Freeipa-devel] [PATCH] 42 Add group members to default output of sudorule-show
In-Reply-To: <201102151106.05168.jzeleny@redhat.com>
Message-ID:

On 2/15/11 2:06 AM, "Jan Zelený" wrote:

>https://fedorahosted.org/freeipa/ticket/915
>
>Jan
>_______________________________________________
>Freeipa-devel mailing list
>Freeipa-devel at redhat.com
>https://www.redhat.com/mailman/listinfo/freeipa-devel

ACK I don't know how I missed that! Thank you for cleaning that up Jan!

From ssorce at redhat.com Tue Feb 15 14:52:38 2011
From: ssorce at redhat.com (Simo Sorce)
Date: Tue, 15 Feb 2011 09:52:38 -0500
Subject: [Freeipa-devel] [PATCH] 78 Use ldapi: instead of unsecured ldap: in ipa core tools.
In-Reply-To: <4D5A8B86.3050105@redhat.com>
References: <4D5A8B86.3050105@redhat.com>
Message-ID: <20110215095238.336b904a@willson.li.ssimo.org>

On Tue, 15 Feb 2011 15:19:50 +0100
Pavel Zuna wrote:

> I can't reproduce this. :-/
>
> For me it goes fine:
>
> [root at ipadev tools]# ./ipa-nis-manage enable
> Directory Manager password:
>
> Enabling plugin
> This setting will not take effect until you restart Directory Server.
> The rpcbind service may need to be started.
>

Pavel,
Jr has set the minimum ssf to a non default value to test a
configuration in which all communications are required to be encrypted.
That's why you can't reproduce with the vanilla configuration.

We want to support that mode although it won't be the default, so we
need to fix any issue that causes that configuration to break (ie all
non-encrypted/non-ldapi connections).

Simo.

--
Simo Sorce * Red Hat, Inc * New York

From pzuna at redhat.com Tue Feb 15 15:18:10 2011
From: pzuna at redhat.com (Pavel Zuna)
Date: Tue, 15 Feb 2011 16:18:10 +0100
Subject: [Freeipa-devel] [PATCH] Fix setattr mail bug in user plugin.
Message-ID: <4D5A9932.3080505@redhat.com>

The email normalizer expects a list or tuple, but when using setattr it gets a string and iterates on it as if it was a list/tuple.

Before patch:

[root at ipadev freeipa]# ./ipa user-mod testuser --setattr mail=testuser@example.com
------------------------
Modified user "testuser"
------------------------
User login: testuser
First name: f
Last name: l
Home directory: /home/testuser
Login shell: /bin/sh
Email address: c@pzuna, @, x@pzuna, o@pzuna, .@pzuna, t@pzuna, e@pzuna, s@pzuna, r@pzuna, a@pzuna, m@pzuna, p@pzuna, u@pzuna, l@pzuna
Account disabled: False
Member of groups: ipausers

Pavel

-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-pzuna-79-normemail.patch
Type: application/mbox
Size: 1012 bytes
Desc: not available
URL:

From JR.Aquino at citrix.com Tue Feb 15 15:36:23 2011
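The str-versus-list bug Pavel describes, reproduced and fixed in an added example. This is modelled on the mail's description, not the user plugin's actual normalizer or patch 79: iterating a Python string yields single characters, so a normalizer that appends the default domain to any value without an "@" turns "testuser@example.com" into c@pzuna, @, x@pzuna and so on. The default domain "pzuna" is taken from the output above; the fixed version also rejects non-string input and drops empty values.

```python
"""The str-vs-list bug in an e-mail normalizer, and its fix.

Added example after the thread's description; not FreeIPA's user plugin.
normalize_mail_buggy() assumes it always receives a list and therefore
iterates a bare string character by character.  normalize_mail() wraps a
single string, type-checks the rest and skips empty values instead of
turning them into "@domain".
"""


def normalize_mail_buggy(value, default_domain):
    """Original behaviour: value is assumed to be a list/tuple of addresses."""
    out = []
    for addr in value:          # for a str this iterates characters
        if "@" not in addr:
            addr = "%s@%s" % (addr, default_domain)
        out.append(addr)
    return out


def normalize_mail(value, default_domain):
    """Fixed: accept a single string as well as a list/tuple of strings."""
    if isinstance(value, str):
        value = [value]
    elif not isinstance(value, (list, tuple)):
        raise TypeError("mail must be a string or a list/tuple of strings")
    out = []
    for addr in value:
        if not isinstance(addr, str):
            raise TypeError("mail value is not a string: %r" % (addr,))
        addr = addr.strip()
        if not addr:
            continue            # drop empties rather than inventing "@domain"
        if "@" not in addr:
            addr = "%s@%s" % (addr, default_domain)
        out.append(addr)
    return out


if __name__ == "__main__":
    print("buggy:", normalize_mail_buggy("testuser@example.com", "pzuna"))
    print("fixed:", normalize_mail("testuser@example.com", "pzuna"))
```

The unordered "c@pzuna, @, x@pzuna, ..." in the original output is the same character list after the values have been stored as a multi-valued LDAP attribute, which does not preserve order.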
From: JR.Aquino at citrix.com (JR Aquino)
Date: Tue, 15 Feb 2011 15:36:23 +0000
Subject: [Freeipa-devel] [PATCH] 78 Use ldapi: instead of unsecured ldap: in ipa core tools.
In-Reply-To: <20110215095238.336b904a@willson.li.ssimo.org>
Message-ID:

On 2/15/11 6:52 AM, "Simo Sorce" wrote:
>On Tue, 15 Feb 2011 15:19:50 +0100
>Pavel Zuna wrote:
>
>> I can't reproduce this. :-/
>>
>> For me it goes fine:
>>
>> [root at ipadev tools]# ./ipa-nis-manage enable
>> Directory Manager password:
>>
>> Enabling plugin
>> This setting will not take effect until you restart Directory Server.
>> The rpcbind service may need to be started.
>>
>
>Pavel,
>Jr has set the minimum ssf to a non default value to test a
>configuration in which all communications are required to be encrypted.
>That's why you can't reproduce with the vanilla configuration.
>
>We want to support that mode although it won't be the default, so we
>need to fix any issue that causes that configuration to break (ie all
>non-encrypted/non-ldapi connections).
>
>Simo.
>
>--
>Simo Sorce * Red Hat, Inc * New York

The best way to do this is:
-=-
service ipa stop

Edit /etc/dirsrv/slapd-DOMAIN/dse.ldif

Change:
nsslapd-minssf: 0
To:
nsslapd-minssf: 56 <- 56 is chosen because SASL communicates a 56-bit handshake even though we utilize a much stronger cipher... (It is a known bug/feature)

service ipa start

From mkosek at redhat.com Tue Feb 15 15:56:47 2011
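Editor's added example, not code from FreeIPA or 389-ds: a stdlib-only audit of the situation Simo and JR describe. It reads `nsslapd-minssf` from a dse.ldif-style configuration, rewrites it the way the manual edit above does, and predicts which connection types local tools might open will be refused once the minimum is raised. Assumptions, marked in the code: the sample LDIF and the list of connections are constructed; the SSF assigned to each transport is 71 for ldapi:// (the 389-ds `nsslapd-localssf` default), 56 for SASL/GSSAPI as stated in this thread, 0 for plain ldap:// with a simple bind, and whatever TLS strength the caller passes for ldaps:// or STARTTLS.

```python
"""Audit of LDAP transports against nsslapd-minssf (added example, not code
from FreeIPA or 389-ds).  Parses a dse.ldif-style config, reads the minimum
SSF from cn=config, rewrites it as the manual procedure does, and predicts
which connections will be refused.  All SSF values per transport are
assumptions documented next to the constants."""

import base64
import re
from urllib.parse import urlsplit

LOCAL_SSF_DEFAULT = 71    # assumption: 389-ds nsslapd-localssf default for ldapi://
GSSAPI_REPORTED_SSF = 56  # as stated in the thread: SASL/GSSAPI negotiates a 56-bit SSF

# Constructed sample of the relevant part of /etc/dirsrv/slapd-DOMAIN/dse.ldif.
SAMPLE_DSE_LDIF = """\
dn: cn=config
cn: config
objectClass: top
objectClass: extensibleObject
nsslapd-port: 389
nsslapd-secureport: 636
nsslapd-minssf: 0
nsslapd-ldapilisten: on
nsslapd-ldapifilepath: /var/run/slapd-EXAMPLE-COM.socket

dn: cn=encryption,cn=config
cn: encryption
nsSSL3Ciphers: +all
"""

# Constructed list of transports local tools might use: (label, uri, options).
TOOL_CONNECTIONS = [
    ("ldapi socket", "ldapi://%2fvar%2frun%2fslapd-EXAMPLE-COM.socket", {}),
    ("plain ldap, simple bind", "ldap://localhost:389", {}),
    ("ldap + GSSAPI", "ldap://ipa.example.com", {"mech": "GSSAPI"}),
    ("ldaps", "ldaps://ipa.example.com", {"tls_ssf": 128}),
]


def parse_ldif(text):
    """Minimal LDIF reader: entries separated by blank lines, folded lines
    start with a space, '::' marks a base64 value.  Returns a list of dicts
    mapping lower-cased attribute names to lists of values."""
    entries, current, last_attr = [], None, None
    for raw in text.splitlines():
        if raw.startswith("#"):
            continue
        if raw == "":
            if current:
                entries.append(current)
            current, last_attr = None, None
            continue
        if raw.startswith(" ") and current is not None and last_attr:
            current[last_attr][-1] += raw[1:]   # continuation of previous value
            continue
        attr, sep, value = raw.partition(":")
        if not sep:
            raise ValueError("malformed LDIF line: %r" % raw)
        if value.startswith(":"):
            value = base64.b64decode(value[1:].strip()).decode("utf-8")
        else:
            value = value.strip()
        attr = attr.strip().lower()
        if current is None:
            current = {}
        current.setdefault(attr, []).append(value)
        last_attr = attr
    if current:
        entries.append(current)
    return entries


def min_ssf(config_text):
    """Return nsslapd-minssf from the cn=config entry (0 when the attribute is absent)."""
    for entry in parse_ldif(config_text):
        if entry.get("dn", [""])[0].lower() == "cn=config":
            return int(entry.get("nsslapd-minssf", ["0"])[0])
    raise ValueError("no cn=config entry found")


def set_min_ssf(config_text, value):
    """Rewrite the nsslapd-minssf line, as the manual dse.ldif edit does."""
    pattern = r"(?m)^nsslapd-minssf:[ \t]*\d+[ \t]*$"
    new_text, count = re.subn(pattern, "nsslapd-minssf: %d" % value, config_text, count=1)
    if count != 1:
        raise ValueError("nsslapd-minssf line not found")
    return new_text


def connection_ssf(uri, mech="simple", starttls=False, tls_ssf=128, local_ssf=LOCAL_SSF_DEFAULT):
    """Security strength factor a connection presents, by transport (see assumptions above)."""
    scheme = urlsplit(uri).scheme.lower()
    if scheme == "ldapi":
        return local_ssf
    if scheme == "ldaps" or (scheme == "ldap" and starttls):
        return tls_ssf
    if scheme == "ldap":
        return GSSAPI_REPORTED_SSF if mech.upper() == "GSSAPI" else 0
    raise ValueError("unsupported LDAP URI scheme: %r" % scheme)


def audit(config_text, connections=TOOL_CONNECTIONS):
    """Return [(label, ssf, accepted)] for each connection under the config's minssf."""
    required = min_ssf(config_text)
    report = []
    for label, uri, options in connections:
        ssf = connection_ssf(uri, **options)
        report.append((label, ssf, ssf >= required))
    return report


if __name__ == "__main__":
    hardened = set_min_ssf(SAMPLE_DSE_LDIF, 56)
    for label, ssf, ok in audit(hardened):
        print("%-26s ssf=%3d %s" % (label, ssf, "ok" if ok else "REFUSED"))
```

Running it against the hardened sample shows why 56 is the right threshold for that test setup: the ldapi socket and TLS connections pass, a GSSAPI-protected connection passes exactly at the minimum, and only the plain ldap:// simple bind is refused, which is the class of connection patch 78 removes from the core tools.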
From: mkosek at redhat.com (Martin Kosek)
Date: Tue, 15 Feb 2011 16:56:47 +0100
Subject: [Freeipa-devel] [PATCH] Fix setattr mail bug in user plugin.
In-Reply-To: <4D5A9932.3080505@redhat.com>
References: <4D5A9932.3080505@redhat.com>
Message-ID: <1297785407.3047.5.camel@dhcp-25-52.brq.redhat.com>

ACK.

Martin

On Tue, 2011-02-15 at 16:18 +0100, Pavel Zuna wrote:
> The email normalizer expects a list or tuple, but when using setattr it gets a
> string and iterates on it as if it was a list/tuple.
>
> Before patch:
>
> [root at ipadev freeipa]# ./ipa user-mod testuser --setattr mail=testuser at example.com
> ------------------------
> Modified user "testuser"
> ------------------------
>   User login: testuser
>   First name: f
>   Last name: l
>   Home directory: /home/testuser
>   Login shell: /bin/sh
>   Email address: c at pzuna, @, x at pzuna, o at pzuna, . at pzuna, t at pzuna, e at pzuna,
>   s at pzuna, r at pzuna, a at pzuna, m at pzuna, p at pzuna, u at pzuna, l at pzuna
>   Account disabled: False
>   Member of groups: ipausers
>
>
> Pavel

From jzeleny at redhat.com Tue Feb 15 15:59:15 2011
From: jzeleny at redhat.com (Jan Zelený)
Date: Tue, 15 Feb 2011 16:59:15 +0100
Subject: [Freeipa-devel] [PATCH] 44 Fixes in ipa-join man page
Message-ID: <201102151659.16032.jzeleny@redhat.com>

https://fedorahosted.org/freeipa/ticket/784
https://fedorahosted.org/freeipa/ticket/786
https://fedorahosted.org/freeipa/ticket/787

Jan
-------------- next part --------------
A non-text attachment was scrubbed...
Name: jzeleny-freeipa-0044-Fixes-in-ipa-join-man-page.patch
Type: text/x-patch
Size: 4331 bytes
Desc: not available
URL:
From jcholast at redhat.com Tue Feb 15 16:59:33 2011
From: jcholast at redhat.com (Jan Cholasta)
Date: Tue, 15 Feb 2011 17:59:33 +0100
Subject: [Freeipa-devel] [PATCH] 2 Fix handling of /etc/hosts
Message-ID: <4D5AB0F5.60009@redhat.com>

Fixes handling of empty lines, erroneous lines and comments in /etc/hosts.

https://fedorahosted.org/freeipa/ticket/971

Honza
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-jcholast-2-hosts.patch
Type: text/x-patch
Size: 1385 bytes
Desc: not available
URL:
From rcritten at redhat.com Tue Feb 15 17:14:49 2011
From: rcritten at redhat.com (Rob Crittenden)
Date: Tue, 15 Feb 2011 12:14:49 -0500
Subject: [Freeipa-devel] [PATCH] 2 Fix handling of /etc/hosts
In-Reply-To: <4D5AB0F5.60009@redhat.com>
References: <4D5AB0F5.60009@redhat.com>
Message-ID: <4D5AB489.6010904@redhat.com>

Jan Cholasta wrote:
> Fixes handling of empty lines, erroneous lines and comments in /etc/hosts.
>
> https://fedorahosted.org/freeipa/ticket/971
>

nack.

Would using line.rstrip() be better than the conditional checking explicitly for \n?

I don't think we can use format this way, isn't it new to python 2.7? I think you have to use {0} and {1}. We need to support python 2.6 as well.

rob

From rcritten at redhat.com Tue Feb 15 17:19:47 2011
From: rcritten at redhat.com (Rob Crittenden)
Date: Tue, 15 Feb 2011 12:19:47 -0500
Subject: [Freeipa-devel] [PATCH] 724 remove permission as possible member of privilege
Message-ID: <4D5AB5B3.7050806@redhat.com>

A permission can't be a member of a privilege, remove the attribute from metadata.

ticket 970

rob
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-rcrit-724-privilege.patch
Type: application/mbox
Size: 4049 bytes
Desc: not available
URL:
From rcritten at redhat.com Tue Feb 15 17:39:09 2011
From: rcritten at redhat.com (Rob Crittenden)
Date: Tue, 15 Feb 2011 12:39:09 -0500
Subject: [Freeipa-devel] [PATCH] 725 fix service validator
Message-ID: <4D5ABA3D.7020706@redhat.com>

The kerberos service validator wasn't enforcing that the server name be not blank.

ticket 961.

rob
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-rcrit-725-service.patch
Type: application/mbox
Size: 874 bytes
Desc: not available
URL:
From jcholast at redhat.com Tue Feb 15 17:47:00 2011
From: jcholast at redhat.com (Jan Cholasta)
Date: Tue, 15 Feb 2011 18:47:00 +0100
Subject: [Freeipa-devel] [PATCH] 2 Fix handling of /etc/hosts
In-Reply-To: <4D5AB489.6010904@redhat.com>
References: <4D5AB0F5.60009@redhat.com> <4D5AB489.6010904@redhat.com>
Message-ID: <4D5ABC14.5020204@redhat.com>

D'oh!

Fixed.

Honza

On 15.2.2011 18:14, Rob Crittenden wrote:
> Jan Cholasta wrote:
>> Fixes handling of empty lines, erroneous lines and comments in
>> /etc/hosts.
>>
>> https://fedorahosted.org/freeipa/ticket/971
>>
>
> nack.
>
> Would using line.rstrip() be better than the conditional checking
> explicitly for \n?
>
> I don't think we can use format this way, isn't it new to python 2.7? I
> think you have to use {0} and {1}. We need to support python 2.6 as well.
>
> rob
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-jcholast-2-hosts.patch
Type: text/x-patch
Size: 1351 bytes
Desc: not available
URL:
From ayoung at redhat.com Tue Feb 15 18:23:38 2011
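Editor's added example, not the patch under review: a /etc/hosts reader that handles the cases ticket 971 and Rob's review are about (blank lines, comment-only lines, trailing comments, lines that are not `address hostname...` at all) without aborting on the first bad line, using `rstrip()`/`split()` rather than testing for a literal newline and explicit `{0}`/`{1}` indices in `str.format` so the same code is valid on Python 2.6. Address validation uses the `ipaddress` module (Python 3.3+); the sample file content is constructed.

```python
"""Tolerant /etc/hosts parser (added example, not the patch under review).
Blank lines, comment lines and trailing comments are skipped; malformed lines
are reported with their line number instead of aborting the parse.  The
sample file is constructed."""

import ipaddress

# Constructed sample; the last line carries trailing whitespace on purpose.
SAMPLE_HOSTS = "\n".join([
    "# constructed sample /etc/hosts",
    "127.0.0.1   localhost localhost.localdomain",
    "::1         localhost6",
    "",
    "192.0.2.10  ipa.example.com ipa   # IPA server",
    "not-an-address",
    " 198.51.100.7",
    "2001:db8::1 ",
]) + "\n"


def is_address(text):
    """True for any syntactically valid IPv4 or IPv6 literal."""
    try:
        ipaddress.ip_address(text)
    except ValueError:
        return False
    return True


def parse_hosts(text):
    """Return (entries, errors).

    entries: list of (address, [hostnames]) in file order.
    errors:  list of (line_number, reason, original_line) for lines that are
             present but unusable, so a caller can warn without aborting."""
    entries, errors = [], []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()   # drop comment, surrounding whitespace
        if not line:
            continue                          # blank or comment-only line
        fields = line.split()
        address, names = fields[0], fields[1:]
        if not is_address(address):
            errors.append((lineno, "first field is not an IP address", raw))
            continue
        if not names:
            errors.append((lineno, "no hostname after the address", raw))
            continue
        entries.append((address, names))
    return entries, errors


def lookup(entries, hostname):
    """First address mapped to hostname (case-insensitive), or None."""
    wanted = hostname.lower()
    for address, names in entries:
        if wanted in [n.lower() for n in names]:
            return address
    return None


def render(entries):
    """Serialise entries back into /etc/hosts syntax, one entry per line."""
    return "".join("{0}\t{1}\n".format(address, " ".join(names))
                   for address, names in entries)


if __name__ == "__main__":
    entries, errors = parse_hosts(SAMPLE_HOSTS)
    for lineno, reason, raw in errors:
        print("line {0}: {1}: {2!r}".format(lineno, reason, raw))
    print(render(entries), end="")
```

Reporting bad lines with their line number rather than raising is the behaviour an installer wants: a hand-edited hosts file with one stray line should not stop `ipa-client-install` from reading the rest.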
From: ayoung at redhat.com (Adam Young)
Date: Tue, 15 Feb 2011 13:23:38 -0500
Subject: [Freeipa-devel] [PATCH] 031 Remove WebUI identifiers from global namespace
In-Reply-To: <1297776332.3047.3.camel@dhcp-25-52.brq.redhat.com>
References: <1297776332.3047.3.camel@dhcp-25-52.brq.redhat.com>
Message-ID: <4D5AC4AA.8000504@redhat.com>

On 02/15/2011 08:25 AM, Martin Kosek wrote:
> Many WebUI identifiers were defined in a global namespace. This is
> not a good programming practice and may result in name clashes,
> for example with other libraries.
>
> This patch moves these variables to IPA namespace or its
> sub-namespaces, if required.
>
> https://fedorahosted.org/freeipa/ticket/212
>

Nice work. One thing I think we should make happen before we push this is to scope down the number of IPA.functions. For example, the certificate widget should be the only thing that needs to access most of the functions in certificate.js. We can avoid making them publicly accessible.

The certificate_status_widget should probably be directly under IPA, not under IPA.certificates. Perhaps in the future we will make an IPA.widget namespace and stick all of the widget creators in there.

IPA.search_generate_checkbox_td should be a method on the search table. The one place where we use that outside of search.js (in policy.js for dns) is a hack... I should know, I wrote it.

I suspect much of the code in navigation can be scoped down.

If you are going to add the navigation subnamespace in navigation.js, you should do the same with the certificate namespace in certificate.js. You are currently adding it in ipa.js.

Let's drop the _ separating namespaces: for example nav_push_state should become IPA.nav.push_state, certificates_revoke_dialog should become IPA.certificates.revoke_dialog and so on.

From ayoung at redhat.com Tue Feb 15 18:26:11 2011
From: ayoung at redhat.com (Adam Young)
Date: Tue, 15 Feb 2011 13:26:11 -0500
Subject: [Freeipa-devel] [PATCH] 031 Remove WebUI identifiers from global namespace
In-Reply-To: <1297776332.3047.3.camel@dhcp-25-52.brq.redhat.com>
References: <1297776332.3047.3.camel@dhcp-25-52.brq.redhat.com>
Message-ID: <4D5AC543.1090001@redhat.com>

On 02/15/2011 08:25 AM, Martin Kosek wrote:
> Many WebUI identifiers were defined in a global namespace. This is
> not a good programming practice and may result in name clashes,
> for example with other libraries.
>
> This patch moves these variables to IPA namespace or its
> sub-namespaces, if required.
>
> https://fedorahosted.org/freeipa/ticket/212
>

Martin, here is the patch I did for the cert portion. I'll toss it, but you can see what I was thinking as far as how to shorten the names.

BTW, you should reverse the names of your patch so that they start with freeipa, and then your user id.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-admiyo-0197-certificate-into-IPA-namespace.patch
Type: text/x-patch
Size: 30972 bytes
Desc: not available
URL:
From rcritten at redhat.com Tue Feb 15 19:05:02 2011
From: rcritten at redhat.com (Rob Crittenden)
Date: Tue, 15 Feb 2011 14:05:02 -0500
Subject: [Freeipa-devel] [PATCH] 726 require root to run ipactl
Message-ID: <4D5ACE5E.60103@redhat.com>

Trying to run ipactl as non-root results in a slew of bogus error messages, some of which come because dirsrv can't read certain files as the wrong user, some based on our handling of that fact.

ticket 936

rob
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-rcrit-726-ipactl.patch
Type: application/mbox
Size: 1121 bytes
Desc: not available
URL:
From ayoung at redhat.com Tue Feb 15 19:20:23 2011
From: ayoung at redhat.com (Adam Young)
Date: Tue, 15 Feb 2011 14:20:23 -0500
Subject: [Freeipa-devel] [PATCH] 724 remove permission as possible member of privilege
In-Reply-To: <4D5AB5B3.7050806@redhat.com>
References: <4D5AB5B3.7050806@redhat.com>
Message-ID: <4D5AD1F7.5000901@redhat.com>

On 02/15/2011 12:19 PM, Rob Crittenden wrote:
> A permission can't be a member of a privilege, remove the attribute
> from metadata.
>
> ticket 970
>
> rob
>

ACK. Pushed to master

From ayoung at redhat.com Tue Feb 15 19:32:19 2011
From: ayoung at redhat.com (Adam Young)
Date: Tue, 15 Feb 2011 14:32:19 -0500
Subject: [Freeipa-devel] [PATCH] 726 require root to run ipactl
In-Reply-To: <4D5ACE5E.60103@redhat.com>
References: <4D5ACE5E.60103@redhat.com>
Message-ID: <4D5AD4C3.2090606@redhat.com>

On 02/15/2011 02:05 PM, Rob Crittenden wrote:
> Trying to run ipactl as non-root results in a slew of bogus error
> messages, some of which come because dirsrv can't read certain files
> as the wrong user, some based on our handling of that fact.
>
> ticket 936
>
> rob
>

ACK. Pushed to master

From edewata at redhat.com Tue Feb 15 19:39:43 2011
From: edewata at redhat.com (Endi Sukma Dewata)
Date: Tue, 15 Feb 2011 13:39:43 -0600
Subject: [Freeipa-devel] [PATCH] 102 Fixed association facets.
Message-ID: <4D5AD67F.1000404@redhat.com>

The association config has been removed because it incorrectly assumes there is only one association between two entities. Now each association is defined separately using association facets.

The service.py has been modified to specify the correct relationships. The API.txt has been updated.

https://fedorahosted.org/freeipa/ticket/960

--
Endi S. Dewata
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-edewata-0102-Fixed-association-facets.patch
Type: text/x-patch
Size: 35103 bytes
Desc: not available
URL:
From ayoung at redhat.com Tue Feb 15 19:43:37 2011
From: ayoung at redhat.com (Adam Young)
Date: Tue, 15 Feb 2011 14:43:37 -0500
Subject: [Freeipa-devel] [PATCH] Fix setattr mail bug in user plugin.
In-Reply-To: <1297785407.3047.5.camel@dhcp-25-52.brq.redhat.com>
References: <4D5A9932.3080505@redhat.com> <1297785407.3047.5.camel@dhcp-25-52.brq.redhat.com>
Message-ID: <4D5AD769.6020804@redhat.com>

On 02/15/2011 10:56 AM, Martin Kosek wrote:
> ACK.
>
> Martin
>
> On Tue, 2011-02-15 at 16:18 +0100, Pavel Zuna wrote:
>> The email normalizer expects a list or tuple, but when using setattr it gets a
>> string and iterates on it as if it was a list/tuple.
>>
>> Before patch:
>>
>> [root at ipadev freeipa]# ./ipa user-mod testuser --setattr mail=testuser at example.com
>> ------------------------
>> Modified user "testuser"
>> ------------------------
>>   User login: testuser
>>   First name: f
>>   Last name: l
>>   Home directory: /home/testuser
>>   Login shell: /bin/sh
>>   Email address: c at pzuna, @, x at pzuna, o at pzuna, . at pzuna, t at pzuna, e at pzuna,
>>   s at pzuna, r at pzuna, a at pzuna, m at pzuna, p at pzuna, u at pzuna, l at pzuna
>>   Account disabled: False
>>   Member of groups: ipausers
>>
>>
>> Pavel
>

Pushed to master

From ayoung at redhat.com Tue Feb 15 19:44:55 2011
From: ayoung at redhat.com (Adam Young)
Date: Tue, 15 Feb 2011 14:44:55 -0500
Subject: [Freeipa-devel] [PATCH] 42 Add group members to default output of sudorule-show
In-Reply-To:
References:
Message-ID: <4D5AD7B7.1010105@redhat.com>

On 02/15/2011 09:51 AM, JR Aquino wrote:
> On 2/15/11 2:06 AM, "Jan Zelený" wrote:
>
>> https://fedorahosted.org/freeipa/ticket/915
>>
>> Jan
> ACK
>
> I don't know how I missed that! Thank you for cleaning that up Jan!
>

Pushed to master

From rcritten at redhat.com Tue Feb 15 20:06:38 2011
From: rcritten at redhat.com (Rob Crittenden)
Date: Tue, 15 Feb 2011 15:06:38 -0500
Subject: [Freeipa-devel] [PATCH] 727 don't allow host cn to be updated
Message-ID: <4D5ADCCE.4060001@redhat.com>

We are required by LDAP schema to have a cn value in a host record. Don't let a user modify it, it will just cause confusion.

tickets 706 and 707

rob
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-rcrit-727-host.patch
Type: application/mbox
Size: 1042 bytes
Desc: not available
URL:
From mkosek at redhat.com Tue Feb 15 20:25:13 2011
From: mkosek at redhat.com (Martin Kosek)
Date: Tue, 15 Feb 2011 21:25:13 +0100
Subject: [Freeipa-devel] [PATCH] 725 fix service validator
In-Reply-To: <4D5ABA3D.7020706@redhat.com>
References: <4D5ABA3D.7020706@redhat.com>
Message-ID: <1297801513.18411.4.camel@dhcp-25-52.brq.redhat.com>

On Tue, 2011-02-15 at 12:39 -0500, Rob Crittenden wrote:
> The kerberos service validator wasn't enforcing that the server name be
> not blank.
>
> ticket 961.
>
> rob

ACK.

All service tests pass.

Martin

From rcritten at redhat.com Tue Feb 15 20:33:44 2011
From: rcritten at redhat.com (Rob Crittenden)
Date: Tue, 15 Feb 2011 15:33:44 -0500
Subject: [Freeipa-devel] [PATCH] 44 Fixes in ipa-join man page
In-Reply-To: <201102151659.16032.jzeleny@redhat.com>
References: <201102151659.16032.jzeleny@redhat.com>
Message-ID: <4D5AE328.20202@redhat.com>

Jan Zelený wrote:
> https://fedorahosted.org/freeipa/ticket/784
> https://fedorahosted.org/freeipa/ticket/786
> https://fedorahosted.org/freeipa/ticket/787
>
> Jan

nack, there are a couple of minor problems.

- _("IPA Server to use"), _("IPA Server Name") },
+ _("IPA Server to use"), _("hostame") },

Typo in hostname.

-The hostname of this server (FQDN). By default of nodename from uname(2) is used.
+The hostname of IPA server (FQDN). By default it is read from /etc/ipa/default.conf.

I think this should be: The hostname of the IPA server (FQDN). Note that by default there is no /etc/ipa/default.conf, in most cases it needs to be supplied.

rob

From rcritten at redhat.com Tue Feb 15 20:39:53 2011
From: rcritten at redhat.com (Rob Crittenden)
Date: Tue, 15 Feb 2011 15:39:53 -0500
Subject: [Freeipa-devel] [PATCH] 2 Fix handling of /etc/hosts
In-Reply-To: <4D5ABC14.5020204@redhat.com>
References: <4D5AB0F5.60009@redhat.com> <4D5AB489.6010904@redhat.com> <4D5ABC14.5020204@redhat.com>
Message-ID: <4D5AE499.60503@redhat.com>

Jan Cholasta wrote:
> D'oh!
>
> Fixed.
>
> Honza
>
> On 15.2.2011 18:14, Rob Crittenden wrote:
>> Jan Cholasta wrote:
>>> Fixes handling of empty lines, erroneous lines and comments in
>>> /etc/hosts.
>>>
>>> https://fedorahosted.org/freeipa/ticket/971
>>>
>>
>> nack.
>>
>> Would using line.rstrip() be better than the conditional checking
>> explicitly for \n?
>>
>> I don't think we can use format this way, isn't it new to python 2.7? I
>> think you have to use {0} and {1}. We need to support python 2.6 as well.
>>
>> rob
>

ack, pushed to master

From rcritten at redhat.com Tue Feb 15 20:41:39 2011
From: rcritten at redhat.com (Rob Crittenden)
Date: Tue, 15 Feb 2011 15:41:39 -0500
Subject: [Freeipa-devel] [PATCH] Fix a typo in ipa-client-install man page
In-Reply-To: <201102151159.04748.jzeleny@redhat.com>
References: <201102151159.04748.jzeleny@redhat.com>
Message-ID: <4D5AE503.4080208@redhat.com>

Jan Zelený wrote:
> https://fedorahosted.org/freeipa/ticket/782
>
> Jan
>

ack, pushed to master

From rcritten at redhat.com Tue Feb 15 20:42:49 2011
From: rcritten at redhat.com (Rob Crittenden)
Date: Tue, 15 Feb 2011 15:42:49 -0500
Subject: [Freeipa-devel] [PATCH] 056 Note --ip-address parameter of ipa-replica-prepare in man page
In-Reply-To: <4D5A5DB9.6090505@redhat.com>
References: <4D5A5DB9.6090505@redhat.com>
Message-ID: <4D5AE549.8050804@redhat.com>

Jakub Hrozek wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> https://fedorahosted.org/freeipa/ticket/615
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.4.11 (GNU/Linux)
> Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org/
>
> iEYEARECAAYFAk1aXbkACgkQHsardTLnvCVNgACZAYcYdlDnLXxzdjmbZRf70cgt
> 4J0An2OtxBPcUaTXZ/4/ZugkyQk/gvDx
> =JE8k
> -----END PGP SIGNATURE-----

ack, pushed to master

From rcritten at redhat.com Tue Feb 15 20:45:12 2011
From: rcritten at redhat.com (Rob Crittenden)
Date: Tue, 15 Feb 2011 15:45:12 -0500
Subject: [Freeipa-devel] [PATCH] 057 Validate MX records
In-Reply-To: <4D5A5ED7.6070607@redhat.com>
References: <4D5A5ED7.6070607@redhat.com>
Message-ID: <4D5AE5D8.4010700@redhat.com>

Jakub Hrozek wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> https://fedorahosted.org/freeipa/ticket/967
>
> I'm wondering whether to extend the patch - if the mail server name does
> not end with a dot, BIND treats it as relative to the zone.
>
> So if you do:
> ipa dnsrecord-add example.com @ --mx-rec="10 mail.example.com"
>
> dig would then return mail.example.com.example.com
>
> The correct way of adding it is (note the trailing dot):
> ipa dnsrecord-add example.com @ --mx-rec="10 mail.example.com."
>
> This is in line with how nsupdate works, so should we just document it?
> A smarter way might be to check if the hostname ends with the zone name
> and append a dot, but I'm not sure if that perhaps /too/ smart..

While we're at this should we enforce that prio is >= 0 and < MAXINT ? You can import MAXINT with:

from xmlrpclib import MAXINT

rob

From JR.Aquino at citrix.com Tue Feb 15 20:45:28 2011
From: JR.Aquino at citrix.com (JR Aquino)
Date: Tue, 15 Feb 2011 20:45:28 +0000
Subject: [Freeipa-devel] [PATCH] 17 Managed netgroups should be invisible
Message-ID:

This patch provides ipa netgroup-find a default filter which prevents the displaying of mepManageEntry Netgroups by default. It also introduces a --private flag similar to the group.py to allow for displaying them if necessary.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-jraquino-0017-Managed-netgroups-should-be-invisible.patch
Type: application/octet-stream
Size: 1483 bytes
Desc: freeipa-jraquino-0017-Managed-netgroups-should-be-invisible.patch
URL:
From rcritten at redhat.com Tue Feb 15 20:46:31 2011
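Editor's added example, not the code of patch 057: a validator for the `"<preference> <exchange>"` value that `--mx-rec` takes, covering the two points raised in the thread. It bounds the preference to what the DNS wire format can carry (a 16-bit field, so 0..65535, tighter than the `xmlrpclib` MAXINT Rob suggests), checks the exchange is a syntactically valid hostname, and warns rather than fails when the trailing dot is missing, reporting the name BIND would actually serve. `suggest_absolute` implements the "smarter" option Jakub floats, appending the dot only when the name already ends in the zone. Zone names and record values are constructed.

```python
"""MX record value validation for 'ipa dnsrecord-add ZONE NAME --mx-rec'
style input (added example, not the patch's code).  Preference is bounded by
the 16-bit DNS field, hostname syntax is checked, and a missing trailing dot
produces a warning that names what BIND will serve.  Constructed inputs."""

import re

MX_PREFERENCE_MAX = 65535  # RFC 1035: PREFERENCE is a 16-bit integer
_LABEL = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")


def is_hostname(name):
    """Hostname syntax: dot-separated LDH labels, optional trailing dot, <= 253 chars."""
    stripped = name[:-1] if name.endswith(".") else name
    if not stripped or len(stripped) > 253:
        return False
    return all(_LABEL.match(label) for label in stripped.split("."))


def expand_relative(name, zone):
    """What BIND stores for a name without a trailing dot: name + zone, absolute."""
    if name.endswith("."):
        return name
    return "%s.%s." % (name, zone.rstrip("."))


def validate_mx(value, zone):
    """Validate '<preference> <exchange>' for the given zone.

    Returns (preference, exchange, warnings).  Hard errors raise ValueError;
    a missing trailing dot is only a warning because the relative form is
    legal, just usually not what the admin meant."""
    parts = value.split()
    if len(parts) != 2:
        raise ValueError("MX record must be '<preference> <exchange>', got %r" % value)
    pref_text, exchange = parts
    if not pref_text.isdigit():
        raise ValueError("preference %r is not a non-negative integer" % pref_text)
    preference = int(pref_text)
    if preference > MX_PREFERENCE_MAX:
        raise ValueError("preference %d exceeds %d" % (preference, MX_PREFERENCE_MAX))
    if not is_hostname(exchange):
        raise ValueError("exchange %r is not a valid hostname" % exchange)
    warnings = []
    if not exchange.endswith("."):
        warnings.append("%r has no trailing dot; BIND will serve it as %s"
                        % (exchange, expand_relative(exchange, zone)))
    return preference, exchange, warnings


def suggest_absolute(exchange, zone):
    """The 'smarter' option discussed: if a relative exchange already ends with
    the zone name, return it with the trailing dot added; otherwise unchanged."""
    if exchange.endswith("."):
        return exchange
    zone_l = zone.rstrip(".").lower()
    ex_l = exchange.lower()
    if ex_l == zone_l or ex_l.endswith("." + zone_l):
        return exchange + "."
    return exchange


if __name__ == "__main__":
    for rec in ("10 mail.example.com.", "10 mail.example.com", "10 mail"):
        pref, ex, warns = validate_mx(rec, "example.com")
        print(rec, "->", pref, ex, warns or "ok",
              "| suggested:", suggest_absolute(ex, "example.com"))
```

The warning path is deliberately not an error: `10 mail` relative to `example.com` is a legitimate way to write `mail.example.com.`, and it is only the `mail.example.com` form that is almost certainly a mistake, which is exactly the case `suggest_absolute` catches.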
From: rcritten at redhat.com (Rob Crittenden)
Date: Tue, 15 Feb 2011 15:46:31 -0500
Subject: [Freeipa-devel] [PATCH] 725 fix service validator
In-Reply-To: <1297801513.18411.4.camel@dhcp-25-52.brq.redhat.com>
References: <4D5ABA3D.7020706@redhat.com> <1297801513.18411.4.camel@dhcp-25-52.brq.redhat.com>
Message-ID: <4D5AE627.4020503@redhat.com>

Martin Kosek wrote:
> On Tue, 2011-02-15 at 12:39 -0500, Rob Crittenden wrote:
>> The kerberos service validator wasn't enforcing that the server name be
>> not blank.
>>
>> ticket 961.
>>
>> rob
>
> ACK.
>
> All service tests pass.
>
> Martin

pushed to master

From rcritten at redhat.com Tue Feb 15 20:50:54 2011
From: rcritten at redhat.com (Rob Crittenden)
Date: Tue, 15 Feb 2011 15:50:54 -0500
Subject: [Freeipa-devel] [PATCH] Code cleanup
In-Reply-To: <201102141321.50762.jzeleny@redhat.com>
References: <201102141321.50762.jzeleny@redhat.com>
Message-ID: <4D5AE72E.5070408@redhat.com>

Jan Zelený wrote:
> Hi,
>
> I'd like to propose this cleanup patch. I just noticed that the code in these
> two files is most likely not used any more (at least I didn't find a place where
> it is used).
>
> What do you think? Is it safe to throw it out? Or are there some places which
> are still using it? I'd be more than happy to move parts that are used
> somewhere else and delete the rest.
>

I can't find uses of it either, ack, pushed to master.

rob

From edewata at redhat.com Tue Feb 15 21:23:52 2011
From: edewata at redhat.com (Endi Sukma Dewata)
Date: Tue, 15 Feb 2011 15:23:52 -0600
Subject: [Freeipa-devel] [PATCH] 102 Fixed association facets.
In-Reply-To: <4D5AD67F.1000404@redhat.com>
References: <4D5AD67F.1000404@redhat.com>
Message-ID: <4D5AEEE8.5060501@redhat.com>

On 2/15/2011 1:39 PM, Endi Sukma Dewata wrote:
> The association config has been removed because it incorrectly assumes
> there is only one association between two entities. Now each association
> is defined separately using association facets.
>
> The service.py has been modified to specify the correct relationships.
> The API.txt has been updated.
>
> https://fedorahosted.org/freeipa/ticket/960

Attached is an updated patch. Redundant facet definitions have been removed.

--
Endi S. Dewata
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-edewata-0102-2-Fixed-association-facets.patch
Type: text/x-patch
Size: 32650 bytes
Desc: not available
URL:
From ssorce at redhat.com Tue Feb 15 21:52:41 2011
From: ssorce at redhat.com (Simo Sorce)
Date: Tue, 15 Feb 2011 16:52:41 -0500
Subject: [Freeipa-devel] [PATCH] temp fix for init script on f15
Message-ID: <20110215165241.4ad193ae@willson.li.ssimo.org>

This fixes a hangup issue when a init script calls another within systemctl, by preventing calling systemctl on initscripts.

Will need to work with fedora folks to find an appropriate long term solution, but this will make things work for now.

Simo.

--
Simo Sorce * Red Hat, Inc * New York
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0001-Temporary-workaround-for-systemd-brokeness-on-fedora.patch
Type: text/x-patch
Size: 652 bytes
Desc: not available
URL:
From ayoung at redhat.com Tue Feb 15 22:46:11 2011
From: ayoung at redhat.com (Adam Young)
Date: Tue, 15 Feb 2011 17:46:11 -0500
Subject: [Freeipa-devel] [PATCH] 102 Fixed association facets.
In-Reply-To: <4D5AEEE8.5060501@redhat.com>
References: <4D5AD67F.1000404@redhat.com> <4D5AEEE8.5060501@redhat.com>
Message-ID: <4D5B0233.7000605@redhat.com>

On 02/15/2011 04:23 PM, Endi Sukma Dewata wrote:
> On 2/15/2011 1:39 PM, Endi Sukma Dewata wrote:
>> The association config has been removed because it incorrectly assumes
>> there is only one association between two entities. Now each association
>> is defined separately using association facets.
>>
>> The service.py has been modified to specify the correct relationships.
>> The API.txt has been updated.
>>
>> https://fedorahosted.org/freeipa/ticket/960
>
> Attached is an updated patch. Redundant facet definitions have been
> removed.
>

ACK. Pushed to master

From rcritten at redhat.com Tue Feb 15 22:55:34 2011
From: rcritten at redhat.com (Rob Crittenden)
Date: Tue, 15 Feb 2011 17:55:34 -0500
Subject: [Freeipa-devel] [PATCH] temp fix for init script on f15
In-Reply-To: <20110215165241.4ad193ae@willson.li.ssimo.org>
References: <20110215165241.4ad193ae@willson.li.ssimo.org>
Message-ID: <4D5B0466.5060005@redhat.com>

Simo Sorce wrote:
>
> This fixes a hangup issue when a init script calls another within
> systemctl, by preventing calling systemctl on initscripts.
>
> Will need to work with fedora folks to find an appropriate long term
> solution, but this will make things work for now.
>
> Simo.

ack, tested on F-14 and F-15 and works fine. pushed to master

rob

From davido at redhat.com Tue Feb 15 23:45:37 2011
From: davido at redhat.com (David O'Brien)
Date: Wed, 16 Feb 2011 09:45:37 +1000
Subject: [Freeipa-devel] [PATCH] 44 Fixes in ipa-join man page
In-Reply-To: <201102151659.16032.jzeleny@redhat.com>
References: <201102151659.16032.jzeleny@redhat.com>
Message-ID: <4D5B1021.6030904@redhat.com>

Jan Zelený wrote:
> https://fedorahosted.org/freeipa/ticket/784
> https://fedorahosted.org/freeipa/ticket/786
> https://fedorahosted.org/freeipa/ticket/787
>
> Jan
>

nack

A few typos and style issues:

- _("File were to store the keytab information"), _("Keytab File Name") },
+ _("File were to store the keytab information"), _("filename") },

s/were/where
I would actually reword it:
"Specifies where to store keytab information."

s/kerberos/Kerberos/g
(unless lowercase is required for some reason.)

+The hostname of IPA server (FQDN).
"The hostname of the IPA server (FQDN)."

Join IPA domain and retrieve a keytab with kerberos credentials.
"Join an IPA domain and retrieve a keytab using Kerberos credentials."

--
David O'Brien
Red Hat Asia Pacific Pty Ltd
+61 7 3514 8189

"He who asks is a fool for five minutes, but he who does not ask remains a fool forever." ~ Chinese proverb

From jzeleny at redhat.com Wed Feb 16 07:45:14 2011
From: jzeleny at redhat.com (Jan Zelený)
Date: Wed, 16 Feb 2011 08:45:14 +0100
Subject: [Freeipa-devel] [PATCH] 44 Fixes in ipa-join man page
In-Reply-To: <4D5B1021.6030904@redhat.com>
References: <201102151659.16032.jzeleny@redhat.com> <4D5B1021.6030904@redhat.com>
Message-ID: <201102160845.14482.jzeleny@redhat.com>

"David O'Brien" wrote:
> Jan Zelený wrote:
> > https://fedorahosted.org/freeipa/ticket/784
> > https://fedorahosted.org/freeipa/ticket/786
> > https://fedorahosted.org/freeipa/ticket/787
> >
> > Jan
>
> nack
>
> A few typos and style issues:
>
> - _("File were to store the keytab information"), _("Keytab File Name") },
> + _("File were to store the keytab information"), _("filename") },
>
> s/were/where
> I would actually reword it:
> "Specifies where to store keytab information."
>
> s/kerberos/Kerberos/g
> (unless lowercase is required for some reason.)
>
> +The hostname of IPA server (FQDN).
> "The hostname of the IPA server (FQDN)."
>
> Join IPA domain and retrieve a keytab with kerberos credentials.
> "Join an IPA domain and retrieve a keytab using Kerberos credentials."

Ok, here is the second version of the patch. David, not all changes you proposed are in the patch, I believe they are out of its scope. If we go this way, I think a review should be done for all man pages, so we don't fix just a couple of mistakes in this page and leave the same mistakes in other man pages.

Jan
-------------- next part --------------
A non-text attachment was scrubbed...
Name: jzeleny-freeipa-0044-2-Fixes-in-ipa-join-man-page.patch
Type: text/x-patch
Size: 4384 bytes
Desc: not available
URL:
From jzeleny at redhat.com Wed Feb 16 07:53:35 2011
From: jzeleny at redhat.com (Jan Zelený)
Date: Wed, 16 Feb 2011 08:53:35 +0100
Subject: [Freeipa-devel] [PATCH] Updated default Kerberos password policy
In-Reply-To: <201102101725.54656.jzeleny@redhat.com>
References: <201102101409.30118.jzeleny@redhat.com> <4D53EB9F.3020500@redhat.com> <201102101725.54656.jzeleny@redhat.com>
Message-ID: <201102160853.35132.jzeleny@redhat.com>

Jan Zeleny wrote:
> Rob Crittenden wrote:
> > Jan Zelený wrote:
> > > https://fedorahosted.org/freeipa/ticket/930
> > >
> > > I put there a value Dmitri suggested. Feel free to change it before
> > > pushing if you think there should be the originally suggested 10 login
> > > attempts.
> >
> > We want to increase krbPwdLockoutDuration too, to 600.
> >
> > rob
>
> Sorry, I didn't realize it was in seconds. I just saw 10 and figured it's
> ok it's already there. Anyway, I'm sending the updated patch.

Just a reminder that this patch needs to be re-reviewed.

Thanks
Jan

From jzeleny at redhat.com Wed Feb 16 08:13:06 2011
From: jzeleny at redhat.com (Jan Zelený)
Date: Wed, 16 Feb 2011 09:13:06 +0100
Subject: [Freeipa-devel] [PATCH] Reword help for the user module
Message-ID: <201102160913.07037.jzeleny@redhat.com>

The first part of the ticket has already been solved, hence it is not a part of this patch.

https://fedorahosted.org/freeipa/ticket/351

Jan
-------------- next part --------------
A non-text attachment was scrubbed...
Name: jzeleny-freeipa-0045-Reword-of-help-for-the-user-module.patch
Type: text/x-patch
Size: 892 bytes
Desc: not available
URL:
From jzeleny at redhat.com Wed Feb 16 08:21:42 2011
From: jzeleny at redhat.com (Jan Zelený)
Date: Wed, 16 Feb 2011 09:21:42 +0100
Subject: [Freeipa-devel] [PATCH] Fixed in ipa-server-install help and man page
Message-ID: <201102160921.42462.jzeleny@redhat.com>

https://fedorahosted.org/freeipa/ticket/831

Jan
-------------- next part --------------
A non-text attachment was scrubbed...
Name: jzeleny-freeipa-0046-Fixed-in-ipa-server-install-help-and-man-page.patch
Type: text/x-patch
Size: 2426 bytes
Desc: not available
URL:
From jzeleny at redhat.com Wed Feb 16 08:28:46 2011
From: jzeleny at redhat.com (Jan Zelený)
Date: Wed, 16 Feb 2011 09:28:46 +0100
Subject: [Freeipa-devel] [PATCH] 057 Validate MX records
In-Reply-To: <4D5A5ED7.6070607@redhat.com>
References: <4D5A5ED7.6070607@redhat.com>
Message-ID: <201102160928.46250.jzeleny@redhat.com>

Jakub Hrozek wrote:
> https://fedorahosted.org/freeipa/ticket/967
>
> I'm wondering whether to extend the patch - if the mail server name does
> not end with a dot, BIND treats it as relative to the zone.
>
> So if you do:
> ipa dnsrecord-add example.com @ --mx-rec="10 mail.example.com"
>
> dig would then return mail.example.com.example.com
>
> The correct way of adding it is (note the trailing dot):
> ipa dnsrecord-add example.com @ --mx-rec="10 mail.example.com."
>
> This is in line with how nsupdate works, so should we just document it?
> A smarter way might be to check if the hostname ends with the zone name
> and append a dot, but I'm not sure if that perhaps /too/ smart..

Just a nitpicking here, but shouldn't the second arg of the function be called mx or something like that?

Jan

From mkosek at redhat.com Wed Feb 16 08:33:45 2011
From: mkosek at redhat.com (Martin Kosek) Date: Wed, 16 Feb 2011 09:33:45 +0100 Subject: [Freeipa-devel] [PATCH] Reword help for the user module In-Reply-To: <201102160913.07037.jzeleny@redhat.com> References: <201102160913.07037.jzeleny@redhat.com> Message-ID: <1297845226.18411.15.camel@dhcp-25-52.brq.redhat.com> On Wed, 2011-02-16 at 09:13 +0100, Jan Zelený wrote: > The first part of the ticket has already been solved, hence it is not a part of > this patch. > > https://fedorahosted.org/freeipa/ticket/351 > > Jan NACK Just a minor issue - s/this modules/this module/ Martin From jzeleny at redhat.com Wed Feb 16 08:43:51 2011 From: jzeleny at redhat.com (Jan =?utf-8?q?Zelen=C3=BD?=) Date: Wed, 16 Feb 2011 09:43:51 +0100 Subject: [Freeipa-devel] [PATCH] Reword help for the user module In-Reply-To: <1297845226.18411.15.camel@dhcp-25-52.brq.redhat.com> References: <201102160913.07037.jzeleny@redhat.com> <1297845226.18411.15.camel@dhcp-25-52.brq.redhat.com> Message-ID: <201102160943.51699.jzeleny@redhat.com> Martin Kosek wrote: > On Wed, 2011-02-16 at 09:13 +0100, Jan Zelený wrote: > > The first part of the ticket has already been solved, hence it is not a > > part of this patch. > > > > https://fedorahosted.org/freeipa/ticket/351 > > > > Jan > > NACK > > Just a minor issue - s/this modules/this module/ Thanks, the second version is in attachment. Jan -------------- next part -------------- A non-text attachment was scrubbed... Name: jzeleny-freeipa-0045-2-Reword-of-help-for-the-user-module.patch Type: text/x-patch Size: 891 bytes Desc: not available URL: From mkosek at redhat.com Wed Feb 16 08:54:49 2011
From: mkosek at redhat.com (Martin Kosek) Date: Wed, 16 Feb 2011 09:54:49 +0100 Subject: [Freeipa-devel] [PATCH] Reword help for the user module In-Reply-To: <201102160943.51699.jzeleny@redhat.com> References: <201102160913.07037.jzeleny@redhat.com> <1297845226.18411.15.camel@dhcp-25-52.brq.redhat.com> <201102160943.51699.jzeleny@redhat.com> Message-ID: <1297846489.18411.18.camel@dhcp-25-52.brq.redhat.com> On Wed, 2011-02-16 at 09:43 +0100, Jan Zelený wrote: > Martin Kosek wrote: > > On Wed, 2011-02-16 at 09:13 +0100, Jan Zelený wrote: > > > The first part of the ticket has already been solved, hence it is not a > > > part of this patch. > > > > > > https://fedorahosted.org/freeipa/ticket/351 > > > > > > Jan > > > > NACK > > > > Just a minor issue - s/this modules/this module/ > > Thanks, the second version is in attachment. > > Jan Now it looks good to me. Except I have a feeling that there should be a colon before "please": ... about this topic, please see 'ipa help passwd'. I will leave the final ack to a native speaker. Martin From mkosek at redhat.com Wed Feb 16 09:51:11 2011
From: mkosek at redhat.com (Martin Kosek) Date: Wed, 16 Feb 2011 10:51:11 +0100 Subject: [Freeipa-devel] [PATCH] 032 Service/Host disable command output clarification Message-ID: <1297849871.18411.19.camel@dhcp-25-52.brq.redhat.com> When a service/host is disabled, the resulting summary message states that a Kerberos key was disabled. However, the Kerberos key may not have been enabled before this command at all, which makes this information confusing for some users. Also, the summary message didn't state that an SSL certificate was disabled too. This patch rather changes the summary message to a standard phrase known from other plugins' disable commands and states all disable command steps in the respective command help. https://fedorahosted.org/freeipa/ticket/872 -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-mkosek-032-service-host-disable-command-output-clarification.patch Type: text/x-patch Size: 2884 bytes Desc: not available URL: From jzeleny at redhat.com Wed Feb 16 09:53:14 2011 From: jzeleny at redhat.com (Jan =?iso-8859-1?q?Zelen=FD?=) Date: Wed, 16 Feb 2011 10:53:14 +0100 Subject: [Freeipa-devel] [PATCH] 47 Validate that the reverse DNS record is correct Message-ID: <201102161053.14986.jzeleny@redhat.com> This patch ensures that PTR records added by FreeIPA are compliant with RFC. https://fedorahosted.org/freeipa/ticket/839 Jan -------------- next part -------------- A non-text attachment was scrubbed... Name: jzeleny-freeipa-0047-Validate-that-the-reverse-DNS-record-is-correct.patch Type: text/x-patch Size: 1395 bytes Desc: not available URL: From atkac at redhat.com Wed Feb 16 12:33:09 2011
From: atkac at redhat.com (Adam Tkac) Date: Wed, 16 Feb 2011 13:33:09 +0100 Subject: [Freeipa-devel] [PATCH] 057 Validate MX records In-Reply-To: <4D5A5ED7.6070607@redhat.com> References: <4D5A5ED7.6070607@redhat.com> Message-ID: <20110216123309.GA8083@evileye.atkac.brq.redhat.com> On Tue, Feb 15, 2011 at 12:09:11PM +0100, Jakub Hrozek wrote: > https://fedorahosted.org/freeipa/ticket/967 > > I'm wondering whether to extend the patch - if the mail server name does > not end with a dot, BIND treats it as relative to the zone. > > So if you do: > ipa dnsrecord-add example.com @ --mx-rec="10 mail.example.com" > > dig would then return mail.example.com.example.com > > The correct way of adding it is (note the trailing dot): > ipa dnsrecord-add example.com @ --mx-rec="10 mail.example.com." > > This is in line with how nsupdate works, so should we just document it? > A smarter way might be to check if the hostname ends with the zone name > and append a dot, but I'm not sure if that perhaps /too/ smart.. Hello, I would rather not include this logic. DNS traditionally allows such flexibility; admins must modify zones (in text form or in LDAP) carefully. Regards, Adam -- Adam Tkac, Red Hat, Inc. From atkac at redhat.com Wed Feb 16 12:52:02 2011 From: atkac at redhat.com (Adam Tkac) Date: Wed, 16 Feb 2011 13:52:02 +0100 Subject: [Freeipa-devel] [PATCH] 47 Validate that the reverse DNS record is correct In-Reply-To: <201102161053.14986.jzeleny@redhat.com> References: <201102161053.14986.jzeleny@redhat.com> Message-ID: <20110216125202.GA8161@evileye.atkac.brq.redhat.com> On Wed, Feb 16, 2011 at 10:53:14AM +0100, Jan Zelený wrote: > This patch ensures that PTR records added by FreeIPA are compliant with > RFC. Nack. In my opinion the _ptrrecord_pre_callback should also handle PTR records for IPv6 addresses. You can check validity of an IPv6 PTR record this way (pseudocode):
    zone = zone.replace('.ip6.arpa.', '')
    if len(addr.split('.')) + len(zone.split('.')) != 32:
        raise_error
Regards, Adam
> From 4d2b3200920c90884ddf5a2d5ae784bbe35b41d1 Mon Sep 17 00:00:00 2001 > From: Jan Zeleny > Date: Wed, 16 Feb 2011 04:47:36 -0500 > Subject: [PATCH] Validate that the reverse DNS record is correct > > This patch ensures that PTR records added by FreeIPA are compliant with > RFC. > > https://fedorahosted.org/freeipa/ticket/839 > --- > ipalib/plugins/dns.py | 10 ++++++++++ > 1 files changed, 10 insertions(+), 0 deletions(-) > > diff --git a/ipalib/plugins/dns.py b/ipalib/plugins/dns.py > index 592945f78c59877fada5fa6c40eee3b1acb564b2..e764d6f558a6ecb0d7b732a1e51b1755beb4f7f4 100644 > --- a/ipalib/plugins/dns.py > +++ b/ipalib/plugins/dns.py > @@ -619,6 +619,16 @@ class dnsrecord_add(LDAPCreate, dnsrecord_cmd_w_record_options): > is_ns_rec_resolvable(ns) > return dn > > + def _ptrrecord_pre_callback(self, ldap, dn, entry_attrs, *keys, **options): > + components = dn.split(',',2) > + addr = components[0].split('=')[1] > + zone = components[1].split('=')[1].replace('.in-addr.arpa.','') > + > + if len(addr.split('.'))+len(zone.split('.')) != 4: > + raise errors.ValidationError(name='idnsname', error=u'reversed IP address must have exactly four components') > + > + return dn > + > def pre_callback(self, ldap, dn, entry_attrs, *keys, **options): > for rtype in options: > rtype_cb = '_%s_pre_callback' % rtype > -- > 1.7.4 > > _______________________________________________ > Freeipa-devel mailing list > Freeipa-devel at redhat.com > https://www.redhat.com/mailman/listinfo/freeipa-devel -- Adam Tkac, Red Hat, Inc. From rcritten at redhat.com Wed Feb 16 13:38:02 2011 
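Review bot: `_ptrrecord_pre_callback` handles only the IPv4 reverse tree. `zone = components[1].split('=')[1].replace('.in-addr.arpa.','')` leaves an ip6.arpa zone name intact, so every IPv6 PTR then fails the `!= 4` test with the misleading 'exactly four components' error. Branch on the zone suffix (in-addr.arpa expects 4 labels in total, ip6.arpa 32) and test that suffix on a normalized name rather than relying on `replace`, which silently does nothing when the zone is stored without the trailing dot. The count check alone also accepts `999` as an octet; verify that each label is an integer in 0-255 (a single hex digit under ip6.arpa).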
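The validators discussed in the two DNS threads above (MX priority and format in patch 057, IPv4 and IPv6 PTR owner names in patch 47), written out as an added example. This is not code from the FreeIPA patches, which are only partly visible here; it keeps the `(ugettext, value)` returns-error-string-or-None convention those patches use and adds what the reviews ask for: an ip6.arpa branch, per-label range checks, and Jakub's "ends with the zone name but has no trailing dot" heuristic as a separate lint function, since Adam Tkac argued against building that guess into the product itself. Function and parameter names are my own; `ipaddress` is the Python 3.3+ standard library module.

```python
"""DNS record validators for MX values and PTR owner names (added example)."""
import ipaddress

# reverse-zone suffix -> total number of labels a complete owner name must have
_REVERSE_SUFFIXES = {'in-addr.arpa': 4, 'ip6.arpa': 32}


def validate_mx(ugettext, mx):
    """Validate an MX value written as 'priority mailserver'; None means OK."""
    try:
        prio, host = mx.split()
    except ValueError:  # zero, one or three-plus tokens
        return u'format must be specified as "priority mailserver"'
    # isdigit() rejects '-1' and '+10', which int() would happily accept
    if not prio.isdigit():
        return u'the value of priority must be a non-negative integer'
    if int(prio) > 65535:
        return u'the value of priority must be between 0 and 65535'
    return None


def suspicious_relative_mx(host, zone):
    """Heuristic from the thread: a relative target that already ends with the
    zone name is almost certainly a forgotten trailing dot. Returns the name the
    server would actually publish (relative names are expanded with the zone),
    or None when nothing looks wrong. Plain relative names like 'mail2' pass."""
    zone = zone.rstrip('.').lower()
    host_l = host.lower()
    if host_l.endswith('.'):
        return None  # absolute name, fine
    if host_l == zone or host_l.endswith('.' + zone):
        return '%s.%s.' % (host, zone)
    return None


def _reverse_labels(owner, zone):
    """Split owner name + reverse zone into (labels, expected_count), or
    (None, None) when the zone is not under in-addr.arpa or ip6.arpa."""
    zone = zone.rstrip('.').lower()
    for suffix, count in _REVERSE_SUFFIXES.items():
        if zone == suffix or zone.endswith('.' + suffix):
            prefix = zone[:len(zone) - len(suffix)].rstrip('.')
            labels = owner.rstrip('.').lower().split('.')
            if prefix:
                labels += prefix.split('.')
            return labels, count
    return None, None


def ptr_to_address(owner, zone):
    """Rebuild the forward address a PTR owner name denotes, or None if invalid."""
    labels, count = _reverse_labels(owner, zone)
    if labels is None or len(labels) != count:
        return None
    try:
        if count == 4:
            # every label must be a decimal octet without leading zeros
            if not all(l.isdigit() and str(int(l)) == l for l in labels):
                return None
            return str(ipaddress.IPv4Address('.'.join(reversed(labels))))
        # ip6.arpa: 32 single-nibble labels, least significant first
        if not all(len(l) == 1 for l in labels):
            return None
        nibbles = ''.join(reversed(labels))
        groups = [nibbles[i:i + 4] for i in range(0, 32, 4)]
        return str(ipaddress.IPv6Address(':'.join(groups)))
    except ipaddress.AddressValueError:  # e.g. octet 999 or nibble 'g'
        return None


def validate_ptr(ugettext, owner, zone):
    """Validate that owner + zone form a complete, well-formed reverse name."""
    labels, count = _reverse_labels(owner, zone)
    if labels is None:
        return u'PTR records must be added to an in-addr.arpa or ip6.arpa zone'
    if len(labels) != count:
        return (u'reversed address must have exactly %d components, got %d'
                % (count, len(labels)))
    if ptr_to_address(owner, zone) is None:
        return u'reversed address contains an invalid component'
    return None


if __name__ == '__main__':
    # constructed sample inputs
    print(validate_mx(None, '10 mail.example.com.'))
    print(suspicious_relative_mx('mail.example.com', 'example.com'))
    print(ptr_to_address('1', '2.0.192.in-addr.arpa.'))
    print(ptr_to_address('1.' + '.'.join(['0'] * 23), '8.b.d.0.1.0.0.2.ip6.arpa.'))
```

`ptr_to_address` doubles as the proof that a name validated: if the reversed labels cannot be reassembled into an address that `ipaddress` accepts, the record would never resolve to anything, which is the same defect the count check in the patch tries to catch, just applied to every label instead of only to their number.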
From: rcritten at redhat.com (Rob Crittenden) Date: Wed, 16 Feb 2011 08:38:02 -0500 Subject: [Freeipa-devel] [PATCH] Updated default Kerberos password policy In-Reply-To: <201102160853.35132.jzeleny@redhat.com> References: <201102101409.30118.jzeleny@redhat.com> <4D53EB9F.3020500@redhat.com> <201102101725.54656.jzeleny@redhat.com> <201102160853.35132.jzeleny@redhat.com> Message-ID: <4D5BD33A.1020802@redhat.com> Jan Zelený wrote: > Jan Zeleny wrote: >> Rob Crittenden wrote: >>> Jan Zelený wrote: >>>> https://fedorahosted.org/freeipa/ticket/930 >>>> >>>> I put there a value Dmitri suggested. Feel free to change it before >>>> pushing if you think there should be the originally suggested 10 login >>>> attempts. >>> >>> We want to increase krbPwdLockoutDuration too, to 600. >>> >>> rob >> >> Sorry, I didn't realize it was in seconds. I just saw 10 and figured it's >> ok it's already there. Anyway, I'm sending the updated patch. > > Just a reminder that this patch needs to be re-reviewed. > > Thanks > Jan I think we need to fix this as an update file rather than changing the default install. It would look something like:
    dn: cn=global_policy,cn=$REALM,cn=kerberos,$SUFFIX
    replace:krbPwdLockoutDuration: 10: 600
    replace: krbPwdMaxFailure: 3: 6
I'm ok with fixing it in both places. rob From rcritten at redhat.com Wed Feb 16 13:41:12 2011 From: rcritten at redhat.com (Rob Crittenden) Date: Wed, 16 Feb 2011 08:41:12 -0500 Subject: [Freeipa-devel] [PATCH] Reword help for the user module In-Reply-To: <201102160913.07037.jzeleny@redhat.com> References: <201102160913.07037.jzeleny@redhat.com> Message-ID: <4D5BD3F8.7060602@redhat.com> Jan Zelený wrote: > The first part of the ticket has already been solved, hence it is not a part of > this patch. > > https://fedorahosted.org/freeipa/ticket/351 > > Jan ack, pushed to master From rcritten at redhat.com Wed Feb 16 13:44:12 2011
From: rcritten at redhat.com (Rob Crittenden) Date: Wed, 16 Feb 2011 08:44:12 -0500 Subject: [Freeipa-devel] [PATCH] Fixed in ipa-server-install help and man page In-Reply-To: <201102160921.42462.jzeleny@redhat.com> References: <201102160921.42462.jzeleny@redhat.com> Message-ID: <4D5BD4AC.5030401@redhat.com> Jan Zelený wrote: > https://fedorahosted.org/freeipa/ticket/831 > > Jan I think I'd like David's take on this, but my initial reaction is I'd prefer the word maximum to maximal. rob From rcritten at redhat.com Wed Feb 16 13:49:07 2011 From: rcritten at redhat.com (Rob Crittenden) Date: Wed, 16 Feb 2011 08:49:07 -0500 Subject: [Freeipa-devel] [PATCH] Reword help for the user module In-Reply-To: <1297846489.18411.18.camel@dhcp-25-52.brq.redhat.com> References: <201102160913.07037.jzeleny@redhat.com> <1297845226.18411.15.camel@dhcp-25-52.brq.redhat.com> <201102160943.51699.jzeleny@redhat.com> <1297846489.18411.18.camel@dhcp-25-52.brq.redhat.com> Message-ID: <4D5BD5D3.1000103@redhat.com> Martin Kosek wrote: > On Wed, 2011-02-16 at 09:43 +0100, Jan Zelený wrote: >> Martin Kosek wrote: >>> On Wed, 2011-02-16 at 09:13 +0100, Jan Zelený wrote: >>>> The first part of the ticket has already been solved, hence it is not a >>>> part of this patch. >>>> >>>> https://fedorahosted.org/freeipa/ticket/351 >>>> >>>> Jan >>> >>> NACK >>> >>> Just a minor issue - s/this modules/this module/ >> >> Thanks, the second version is in attachment. >> >> Jan > > Now it looks good to me. Except I have a feeling that there should be a > colon before "please": ... about this topic, please see 'ipa help > passwd'. > > I will let the final ack for a native speaker. > > Martin Bah, I pushed the first patch. I've applied Jan's differences and made one minor tweak myself and pushed that out under the 1-liner rule. rob From jhrozek at redhat.com Wed Feb 16 14:28:58 2011
From: jhrozek at redhat.com (Jakub Hrozek) Date: Wed, 16 Feb 2011 15:28:58 +0100 Subject: [Freeipa-devel] [PATCH] 057 Validate MX records In-Reply-To: <4D5AE5D8.4010700@redhat.com> References: <4D5A5ED7.6070607@redhat.com> <4D5AE5D8.4010700@redhat.com> Message-ID: <20110216142857.GA1298@zeppelin.brq.redhat.com> On Tue, Feb 15, 2011 at 03:45:12PM -0500, Rob Crittenden wrote: > Jakub Hrozek wrote: > >-----BEGIN PGP SIGNED MESSAGE----- > >Hash: SHA1 > > > >https://fedorahosted.org/freeipa/ticket/967 > > > >I'm wondering whether to extend the patch - if the mail server name does > >not end with a dot, BIND treats it as relative to the zone. > > > >So if you do: > >ipa dnsrecord-add example.com @ --mx-rec="10 mail.example.com" > > > >dig would then return mail.example.com.example.com > > > >The correct way of adding it is (note the trailing dot): > >ipa dnsrecord-add example.com @ --mx-rec="10 mail.example.com." > > > >This is in line with how nsupdate works, so should we just document it? > >A smarter way might be to check if the hostname ends with the zone name > >and append a dot, but I'm not sure if that perhaps /too/ smart.. > > While we're at this should we enforce that prio is >= 0 and < MAXINT ? Good suggestion, thanks. As per the MX record documentation I found it should actually be between 0 and 65535, so this is what the patch enforces. Jan's suggestion to rename the parameter is also included. -------------- next part -------------- >From 329beb70070748ed108ecd528cd0fee2f9b1ee36 Mon Sep 17 00:00:00 2001 From: Jakub Hrozek Date: Tue, 15 Feb 2011 10:40:27 +0100 Subject: [PATCH] Validate MX records https://fedorahosted.org/freeipa/ticket/967 diff --git a/API.txt b/API.txt index 6f0c32f..9e34647 100644 --- a/API.txt +++ b/API.txt 
@@ -514,7 +514,7 @@ option: List('ipseckeyrecord?', attribute=True, cli_name='ipseckey_rec',ist('ips option: List('keyrecord?', attribute=True, cli_name='key_rec',ist('keyrecord?', attribute=True, cli_name='key_rec', doc='comma-separated list of KEY records', label='KEY record', multivalue=True) option: List('kxrecord?', attribute=True, cli_name='kx_rec',ist('kxrecord?', attribute=True, cli_name='kx_rec', doc='comma-separated list of KX records', label='KX record', multivalue=True) option: List('locrecord?', attribute=True, cli_name='loc_rec',ist('locrecord?', attribute=True, cli_name='loc_rec', doc='comma-separated list of LOC records', label='LOC record', multivalue=True) -option: List('mxrecord?', attribute=True, cli_name='mx_rec',ist('mxrecord?', attribute=True, cli_name='mx_rec', doc='comma-separated list of MX records', label='MX record', multivalue=True) +option: List('mxrecord?', _validate_mx, attribute=True, cli_name='mx_rec',ist('mxrecord?', _validate_mx, attribute=True, cli_name='mx_rec', doc='comma-separated list of MX records', label='MX record', multivalue=True) option: List('naptrrecord?', attribute=True, cli_name='naptr_rec',ist('naptrrecord?', attribute=True, cli_name='naptr_rec', doc='comma-separated list of NAPTR records', label='NAPTR record', multivalue=True) option: List('nsrecord?', attribute=True, cli_name='ns_rec',ist('nsrecord?', attribute=True, cli_name='ns_rec', doc='comma-separated list of NS records', label='NS record', multivalue=True) option: List('nsecrecord?', attribute=True, cli_name='nsec_rec',ist('nsecrecord?', attribute=True, cli_name='nsec_rec', doc='comma-separated list of NSEC records', label='NSEC record', multivalue=True) 
@@ -558,7 +558,7 @@ option: List('ipseckeyrecord?', attribute=True, cli_name='ipseckey_rec',ist('ips option: List('keyrecord?', attribute=True, cli_name='key_rec',ist('keyrecord?', attribute=True, cli_name='key_rec', doc='comma-separated list of KEY records', label='KEY record', multivalue=True) option: List('kxrecord?', attribute=True, cli_name='kx_rec',ist('kxrecord?', attribute=True, cli_name='kx_rec', doc='comma-separated list of KX records', label='KX record', multivalue=True) option: List('locrecord?', attribute=True, cli_name='loc_rec',ist('locrecord?', attribute=True, cli_name='loc_rec', doc='comma-separated list of LOC records', label='LOC record', multivalue=True) -option: List('mxrecord?', attribute=True, cli_name='mx_rec',ist('mxrecord?', attribute=True, cli_name='mx_rec', doc='comma-separated list of MX records', label='MX record', multivalue=True) +option: List('mxrecord?', _validate_mx, attribute=True, cli_name='mx_rec',ist('mxrecord?', _validate_mx, attribute=True, cli_name='mx_rec', doc='comma-separated list of MX records', label='MX record', multivalue=True) option: List('naptrrecord?', attribute=True, cli_name='naptr_rec',ist('naptrrecord?', attribute=True, cli_name='naptr_rec', doc='comma-separated list of NAPTR records', label='NAPTR record', multivalue=True) option: List('nsrecord?', attribute=True, cli_name='ns_rec',ist('nsrecord?', attribute=True, cli_name='ns_rec', doc='comma-separated list of NS records', label='NS record', multivalue=True) option: List('nsecrecord?', attribute=True, cli_name='nsec_rec',ist('nsecrecord?', attribute=True, cli_name='nsec_rec', doc='comma-separated list of NSEC records', label='NSEC record', multivalue=True) 
@@ -603,7 +603,7 @@ option: List('ipseckeyrecord?', attribute=True, cli_name='ipseckey_rec',ist('ips option: List('keyrecord?', attribute=True, cli_name='key_rec',ist('keyrecord?', attribute=True, cli_name='key_rec', doc='comma-separated list of KEY records', label='KEY record', multivalue=True) option: List('kxrecord?', attribute=True, cli_name='kx_rec',ist('kxrecord?', attribute=True, cli_name='kx_rec', doc='comma-separated list of KX records', label='KX record', multivalue=True) option: List('locrecord?', attribute=True, cli_name='loc_rec',ist('locrecord?', attribute=True, cli_name='loc_rec', doc='comma-separated list of LOC records', label='LOC record', multivalue=True) -option: List('mxrecord?', attribute=True, cli_name='mx_rec',ist('mxrecord?', attribute=True, cli_name='mx_rec', doc='comma-separated list of MX records', label='MX record', multivalue=True) +option: List('mxrecord?', _validate_mx, attribute=True, cli_name='mx_rec',ist('mxrecord?', _validate_mx, attribute=True, cli_name='mx_rec', doc='comma-separated list of MX records', label='MX record', multivalue=True) option: List('naptrrecord?', attribute=True, cli_name='naptr_rec',ist('naptrrecord?', attribute=True, cli_name='naptr_rec', doc='comma-separated list of NAPTR records', label='NAPTR record', multivalue=True) option: List('nsrecord?', attribute=True, cli_name='ns_rec',ist('nsrecord?', attribute=True, cli_name='ns_rec', doc='comma-separated list of NS records', label='NS record', multivalue=True) option: List('nsecrecord?', attribute=True, cli_name='nsec_rec',ist('nsecrecord?', attribute=True, cli_name='nsec_rec', doc='comma-separated list of NSEC records', label='NSEC record', multivalue=True) 
@@ -660,7 +660,7 @@ option: List('ipseckeyrecord', attribute=True, cli_name='ipseckey_rec',ist('ipse option: List('keyrecord', attribute=True, cli_name='key_rec',ist('keyrecord', attribute=True, cli_name='key_rec', doc='comma-separated list of KEY records', label='KEY record', multivalue=True, query=True, required=False) option: List('kxrecord', attribute=True, cli_name='kx_rec',ist('kxrecord', attribute=True, cli_name='kx_rec', doc='comma-separated list of KX records', label='KX record', multivalue=True, query=True, required=False) option: List('locrecord', attribute=True, cli_name='loc_rec',ist('locrecord', attribute=True, cli_name='loc_rec', doc='comma-separated list of LOC records', label='LOC record', multivalue=True, query=True, required=False) -option: List('mxrecord', attribute=True, cli_name='mx_rec',ist('mxrecord', attribute=True, cli_name='mx_rec', doc='comma-separated list of MX records', label='MX record', multivalue=True, query=True, required=False) +option: List('mxrecord', _validate_mx, attribute=True, cli_name='mx_rec',ist('mxrecord', _validate_mx, attribute=True, cli_name='mx_rec', doc='comma-separated list of MX records', label='MX record', multivalue=True, query=True, required=False) option: List('naptrrecord', attribute=True, cli_name='naptr_rec',ist('naptrrecord', attribute=True, cli_name='naptr_rec', doc='comma-separated list of NAPTR records', label='NAPTR record', multivalue=True, query=True, required=False) option: List('nsrecord', attribute=True, cli_name='ns_rec',ist('nsrecord', attribute=True, cli_name='ns_rec', doc='comma-separated list of NS records', label='NS record', multivalue=True, query=True, required=False) option: List('nsecrecord', attribute=True, cli_name='nsec_rec',ist('nsecrecord', attribute=True, cli_name='nsec_rec', doc='comma-separated list of NSEC records', label='NSEC record', multivalue=True, query=True, required=False) diff --git a/ipalib/plugins/dns.py b/ipalib/plugins/dns.py index 1437011..0bc9447 100644 
--- a/ipalib/plugins/dns.py +++ b/ipalib/plugins/dns.py @@ -30,6 +30,9 @@ EXAMPLES: Add second nameserver for example.com: ipa dnsrecord-add example.com @ --ns-rec nameserver2.example.com + Add a mail server for example.com: + ipa dnsrecord-add example.com @ --mx-rec mail2 + Delete previously added nameserver from example.com: ipa dnsrecord-del example.com @ --ns-rec nameserver2.example.com @@ -136,11 +139,28 @@ def _validate_srv(ugettext, srv): return None +def _validate_mx(ugettext, mx): + try: + prio, host = mx.split() + except ValueError: + return u'format must be specified as "priority mailserver"' + + try: + prio = int(prio) + except ValueError: + return u'the value of priority must be integer' + + if prio < 0 or prio > 65535: + return u'the value of priority must be between 0 and 65535' + + return None + _record_validators = { u'A': _validate_ipaddr, u'AAAA': _validate_ipaddr, u'APL': _validate_ipnet, u'SRV': _validate_srv, + u'MX': _validate_mx, } def has_cli_options(entry, no_option_msg): -- 1.7.4 From jhrozek at redhat.com Wed Feb 16 14:32:03 2011 From: jhrozek at redhat.com (Jakub Hrozek) Date: Wed, 16 Feb 2011 15:32:03 +0100 Subject: [Freeipa-devel] [PATCH] 058 Validate and convert certificate SN Message-ID: <20110216143202.GB1298@zeppelin.brq.redhat.com> The cert plugin only worked OK with decimal certificate serial numbers. This patch allows specifying the serial number in hexadecimal, too. The conversion now works such that: * with no explicit radix, a best-effort conversion is done using int(str, 0) in python. If the format is ambiguous, decimal takes precedence. * a hexadecimal radix can be specified explicitly using the traditional 0x prefix https://fedorahosted.org/freeipa/ticket/958 https://fedorahosted.org/freeipa/ticket/953 -------------- next part -------------- >From d1a37986652947215422302cc574a321c68a76b5 Mon Sep 17 00:00:00 2001 
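Review bot: the EXAMPLES hunk and the `_validate_mx` hunk in dns.py contradict each other: `ipa dnsrecord-add example.com @ --mx-rec mail2` carries no priority, so `prio, host = mx.split()` raises ValueError and the validator added in the same patch rejects the documented example with 'format must be specified as "priority mailserver"'. Make the example `--mx-rec "10 mail2"`. Two smaller points on `_validate_mx`: `int(prio)` accepts `+10`, so `prio.isdigit()` would express the intended 0-65535 range more tightly, and `host` is unpacked but never looked at, so the relative-name case discussed in this thread (`mail.example.com` without a trailing dot) passes validation unnoticed.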
From: Jakub Hrozek Date: Wed, 16 Feb 2011 13:07:13 +0100 Subject: [PATCH] Validate and convert certificate SN The cert plugin only worked OK with decimal certificate serial numbers. This patch allows specifying the serial number in hexadecimal, too. The conversion now works such that: * with no explicit radix, a best-effort conversion is done using int(str, 0) in python. If the format is ambiguous, decimal takes precedence. * a hexadecimal radix can be specified explicitly with the traditional 0x prefix https://fedorahosted.org/freeipa/ticket/958 https://fedorahosted.org/freeipa/ticket/953 --- API.txt | 6 +++--- ipalib/plugins/cert.py | 28 ++++++++++++++++++++++++++++ 2 files changed, 31 insertions(+), 3 deletions(-) diff --git a/API.txt b/API.txt index 9e34647..4250113 100644 --- a/API.txt +++ b/API.txt @@ -303,7 +303,7 @@ output: Output('count', , Gettext('', domain='ipa', localedir=None)) output: Output('results', , Gettext('', domain='ipa', localedir=None)) command: cert_remove_hold args: 1,0,1 -arg: Str('serial_number', label=Gettext('Serial number', domain='ipa', localedir=None)) +arg: Str('serial_number', validate_serial_number, label=Gettext('Serial number', domain='ipa', localedir=None), normalizer=normalize_serial_number) output: Output('result', None, None) command: cert_request args: 1,3,1 
@@ -314,12 +314,12 @@ option: Flag('add', autofill=True, default=False,lag('add', autofill=True, defau output: Output('result', , Gettext('Dictionary mapping variable name to value', domain='ipa', localedir=None)) command: cert_revoke args: 1,1,1 -arg: Str('serial_number', label=Gettext('Serial number', domain='ipa', localedir=None)) +arg: Str('serial_number', validate_serial_number, label=Gettext('Serial number', domain='ipa', localedir=None), normalizer=normalize_serial_number) option: Int('revocation_reason?', default=0, label=Gettext('Reason', domain='ipa', localedir=None), maxvalue=10, minvalue=0) output: Output('result', None, None) command: cert_show args: 1,1,1 -arg: Str('serial_number', label=Gettext('Serial number', domain='ipa', localedir=None)) +arg: Str('serial_number', validate_serial_number, label=Gettext('Serial number', domain='ipa', localedir=None), normalizer=normalize_serial_number) option: Str('out?', exclude='webui', label=Gettext('Output filename', domain='ipa', localedir=None)) output: Output('result', None, None) command: cert_status diff --git a/ipalib/plugins/cert.py b/ipalib/plugins/cert.py index f5ffd15..19e0780 100644 --- a/ipalib/plugins/cert.py +++ b/ipalib/plugins/cert.py 
@@ -141,6 +141,32 @@ def normalize_csr(csr): return csr +def _convert_serial_number(num): + """ + Convert a SN given in decimal or hexadecimal. + Returns the number or None if conversion fails. + """ + # plain decimal or hexa with radix prefix + try: + num = int(num, 0) + except ValueError: + try: + # hexa without prefix + num = int(num, 16) + except ValueError: + num = None + + return num + +def validate_serial_number(ugettext, num): + if _convert_serial_number(num) == None: + return u"Decimal or hexadecimal number is required for serial number" + return None + +def normalize_serial_number(num): + # It's been already validated + return unicode(_convert_serial_number(num)) + def get_host_from_principal(principal): """ Given a principal with or without a realm return the @@ -378,8 +404,10 @@ api.register(cert_status) _serial_number = Str('serial_number', + validate_serial_number, label=_('Serial number'), doc=_('Serial number in decimal or if prefixed with 0x in hexadecimal'), + normalizer=normalize_serial_number, ) class cert_show(VirtualCommand): -- 1.7.4 From jhrozek at redhat.com Wed Feb 16 14:54:12 2011 
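Review bot: `_convert_serial_number` inherits Python literal rules from `int(num, 0)`, and since this module still targets Python 2 (`unicode(...)` in `normalize_serial_number`), a leading zero selects octal: '012' converts to 10, while '09' fails base 0 and falls through to the hex branch, giving 9. Parse explicitly instead, hexadecimal when the string starts with 0x and decimal otherwise, which is exactly what the `doc=` string in the `_serial_number` hunk promises. `int()` also accepts a sign and surrounding whitespace, so '-1' validates although serial numbers are non-negative. Minor: `== None` should be `is None`, and the two new public functions lack the docstrings their neighbours have.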
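The serial-number conversion described in the "Validate and convert certificate SN" message above, as an added example that is not the FreeIPA code (the patch is quoted only in part). `convert_serial_lenient` re-implements the int(num, 0)-then-bare-hex idea the message describes so its corner cases can be seen on real inputs; `convert_serial_strict` accepts only what the option help text promises, plain decimal or 0x-prefixed hexadecimal. Function names and the regular expression are my own.

```python
"""Certificate serial number parsing: lenient (as described) beside strict (added example)."""
import re

# exactly one of: 0x + hex digits, or decimal digits; no sign, no whitespace
_SERIAL_RE = re.compile(r'^(?:0[xX][0-9a-fA-F]+|[0-9]+)$')


def convert_serial_lenient(num):
    """Best-effort conversion as the thread describes it: Python literal syntax
    first (int(num, 0)), then bare hexadecimal. Returns an int or None.
    Shown for its surprises: a sign and blanks are accepted, and '012' is not
    twelve (octal 10 on Python 2, hex 18 on Python 3 where base 0 rejects it)."""
    try:
        return int(num, 0)
    except ValueError:
        try:
            return int(num, 16)
        except ValueError:
            return None


def convert_serial_strict(num):
    """Decimal, or hexadecimal with a 0x prefix; anything else is rejected."""
    if not _SERIAL_RE.match(num):
        return None
    if num[:2].lower() == '0x':
        return int(num[2:], 16)
    return int(num, 10)  # base 10 reads '012' as twelve on every Python


def validate_serial_number(ugettext, num):
    """FreeIPA-style validator: None when acceptable, else an error string."""
    if convert_serial_strict(num) is None:
        return u'Decimal or 0x-prefixed hexadecimal number is required for serial number'
    return None


def normalize_serial_number(num):
    """Canonical decimal text form; the caller validates first."""
    return str(convert_serial_strict(num))


if __name__ == '__main__':
    # constructed sample inputs
    for sample in ['10', '0x1f', 'ff', '012', '-5', ' 12 ']:
        print(repr(sample), convert_serial_lenient(sample), convert_serial_strict(sample))
```

Run the block and the difference is visible at once: the lenient path returns a value for every sample, including a negative one and one with blanks, while the strict path returns None for everything the help text does not promise to accept.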
From: jhrozek at redhat.com (Jakub Hrozek) Date: Wed, 16 Feb 2011 15:54:12 +0100 Subject: [Freeipa-devel] [PATCH] 057 Validate MX records In-Reply-To: <20110216142857.GA1298@zeppelin.brq.redhat.com> References: <4D5A5ED7.6070607@redhat.com> <4D5AE5D8.4010700@redhat.com> <20110216142857.GA1298@zeppelin.brq.redhat.com> Message-ID: <4D5BE514.7050202@redhat.com> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 On 02/16/2011 03:28 PM, Jakub Hrozek wrote: > On Tue, Feb 15, 2011 at 03:45:12PM -0500, Rob Crittenden wrote: >> Jakub Hrozek wrote: >>> -----BEGIN PGP SIGNED MESSAGE----- >>> Hash: SHA1 >>> >>> https://fedorahosted.org/freeipa/ticket/967 >>> >>> I'm wondering whether to extend the patch - if the mail server name does >>> not end with a dot, BIND treats it as relative to the zone. >>> >>> So if you do: >>> ipa dnsrecord-add example.com @ --mx-rec="10 mail.example.com" >>> >>> dig would then return mail.example.com.example.com >>> >>> The correct way of adding it is (note the trailing dot): >>> ipa dnsrecord-add example.com @ --mx-rec="10 mail.example.com." >>> >>> This is in line with how nsupdate works, so should we just document it? >>> A smarter way might be to check if the hostname ends with the zone name >>> and append a dot, but I'm not sure if that perhaps /too/ smart.. >> >> While we're at this should we enforce that prio is >= 0 and < MAXINT ? > > Good suggestion, thanks. As per the MX record documentation I found it > should actually be between 0 and 65535, so this is what the patch > enforces. > > Jan's suggestion to rename the parameter is also included. > > Rob reminded me that the example included was actually wrong. New patch attached. 
-----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.11 (GNU/Linux) Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org/ iEYEARECAAYFAk1b5RQACgkQHsardTLnvCVwngCfRoP9hv7lZQSwkLh5o2yt8etx m4oAoIPs6VnXpVxnmk70Y5wvfbvV9xun =05R/ -----END PGP SIGNATURE----- -------------- next part -------------- A non-text attachment was scrubbed... Name: jhrozek-freeipa-057-03-mx-record.patch Type: text/x-patch Size: 8696 bytes Desc: not available URL: From rcritten at redhat.com Wed Feb 16 14:57:07 2011 
From: rcritten at redhat.com (Rob Crittenden) Date: Wed, 16 Feb 2011 09:57:07 -0500 Subject: [Freeipa-devel] [PATCH] 057 Validate MX records In-Reply-To: <4D5BE514.7050202@redhat.com> References: <4D5A5ED7.6070607@redhat.com> <4D5AE5D8.4010700@redhat.com> <20110216142857.GA1298@zeppelin.brq.redhat.com> <4D5BE514.7050202@redhat.com> Message-ID: <4D5BE5C3.2090302@redhat.com> Jakub Hrozek wrote: > -----BEGIN PGP SIGNED MESSAGE----- > Hash: SHA1 > > On 02/16/2011 03:28 PM, Jakub Hrozek wrote: >> On Tue, Feb 15, 2011 at 03:45:12PM -0500, Rob Crittenden wrote: >>> Jakub Hrozek wrote: >>>> -----BEGIN PGP SIGNED MESSAGE----- >>>> Hash: SHA1 >>>> >>>> https://fedorahosted.org/freeipa/ticket/967 >>>> >>>> I'm wondering whether to extend the patch - if the mail server name does >>>> not end with a dot, BIND treats it as relative to the zone. >>>> >>>> So if you do: >>>> ipa dnsrecord-add example.com @ --mx-rec="10 mail.example.com" >>>> >>>> dig would then return mail.example.com.example.com >>>> >>>> The correct way of adding it is (note the trailing dot): >>>> ipa dnsrecord-add example.com @ --mx-rec="10 mail.example.com." >>>> >>>> This is in line with how nsupdate works, so should we just document it? >>>> A smarter way might be to check if the hostname ends with the zone name >>>> and append a dot, but I'm not sure if that perhaps /too/ smart.. >>> >>> While we're at this should we enforce that prio is>= 0 and< MAXINT ? >> >> Good suggestion, thanks. As per the MX record documentation I found it >> should actually be between 0 and 65535, so this is what the patch >> enforces. >> >> Jan's suggestion to rename the parameter is also included. >> >> > > Rob reminded me that the example included was actually wrong. New patch > attached. ack, pushed to master From jhrozek at redhat.com Wed Feb 16 15:02:46 2011 
From: jhrozek at redhat.com (Jakub Hrozek) Date: Wed, 16 Feb 2011 16:02:46 +0100 Subject: [Freeipa-devel] [PATCH] 727 don't allow host cn to be updated In-Reply-To: <4D5ADCCE.4060001@redhat.com> References: <4D5ADCCE.4060001@redhat.com> Message-ID: <4D5BE716.707@redhat.com> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 On 02/15/2011 09:06 PM, Rob Crittenden wrote: > We are required by LDAP schema to have a cn value in a host record. > Don't let a user modify it, it will just cause confusion. > > tickets 706 and 707 > > rob > Ack -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.11 (GNU/Linux) Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org/ iEYEARECAAYFAk1b5xUACgkQHsardTLnvCVdnACg0ZuynejfBEryKS4br7E0Iq2m UdUAniHvTrYZlqTpsT2J21DSHDQYlMTN =+3RJ -----END PGP SIGNATURE----- From mkosek at redhat.com Wed Feb 16 15:16:51 2011 
From: mkosek at redhat.com (Martin Kosek) Date: Wed, 16 Feb 2011 16:16:51 +0100 Subject: [Freeipa-devel] [PATCH] 031 Remove WebUI identifiers from global namespace In-Reply-To: <4D5AC543.1090001@redhat.com> References: <1297776332.3047.3.camel@dhcp-25-52.brq.redhat.com> <4D5AC543.1090001@redhat.com> Message-ID: <1297869411.18411.25.camel@dhcp-25-52.brq.redhat.com> On Tue, 2011-02-15 at 13:26 -0500, Adam Young wrote: > On 02/15/2011 08:25 AM, Martin Kosek wrote: > > Many WebUI identifiers were defined in a global namespace. This is > > not a good programming practice and may result in name clashes, > > for example with other libraries. > > > > This patch moves these variables to IPA namespace or its > > sub-namespaces, if required. > > > > https://fedorahosted.org/freeipa/ticket/212 > > > > > > _______________________________________________ > > Freeipa-devel mailing list > > Freeipa-devel at redhat.com > > https://www.redhat.com/mailman/listinfo/freeipa-devel > > > > Martin, here is the patch I did for the cert portion. I'll toss it, > but you can see what I was thinking as far as how to shorten the > names: > > BTW, you should reverse the names of your patch so that they start > with freeipa, and then your user id. Adam, thanks for all the remarks. Here is a second version of the patch based on your work on the certificate module. I tried to keep the patch simple without too many changes. There are 3 new subnamespaces in this patch - sudo, cert and nav. I have removed a lot of unused code in search.js, you may want to check it closer. This enabled me to move search_generate_checkbox_td functionality just to the place where it's needed. Martin -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-mkosek-031-02-remove-webui-identifiers-from-global-namespace.patch Type: text/x-patch Size: 64985 bytes Desc: not available URL: From pzuna at redhat.com Wed Feb 16 15:20:37 2011
From: pzuna at redhat.com (Pavel Zůna)
Date: Wed, 16 Feb 2011 16:20:37 +0100
Subject: [Freeipa-devel] [PATCH] Send Accept-Language header over XML-RPC and translate on server.
In-Reply-To: <4D4C38E7.5030507@redhat.com>
References: <4D4C14B8.6060800@redhat.com> <4D4C19F5.2020602@redhat.com> <4D4C38E7.5030507@redhat.com>
Message-ID: <4D5BEB45.4050408@redhat.com>

On 2011-02-04 18:35, Pavel Zůna wrote:
> On 2011-02-04 16:23, Rob Crittenden wrote:
>> Pavel Zuna wrote:
>>> This patch makes the ipa client send the Accept-Language header, so that
>>> the server can translate things like exceptions, that cannot be
>>> translated on the client.
>>>
>>> It also fixes the language recognition for the webUI. The values in
>>> Accept-Language header are a bit different than what is accepted by the
>>> LANG variable as a valid locale - some additional parsing was needed.
>>> For example:
>>>
>>> Accept-Language: es-es;q=1
>>> needs to translate to
>>>
>>> es_ES
>>> otherwise it won't be recognized by gettext
>>>
>>> Fix #904
>>> Fix #917
>>>
>>> Pavel
>>
>> nack.
>>
>> ast is imported but not used
>
> Leftover. Removed in the attached updated version.
>
>> Why are you calling locale.setlocale() instead of locale.getlocale()?
>
> Because that's how it should be done. setlocale() with an empty string
> as second argument gets the current environment settings. getlocale()
> without a previous call to setlocale returns (None, None).
>
>> If extra_headers is passed in as a string this will drop it:
>
> That's never going to happen. I checked the underlying implementation in
> xmlrpclib and it can either be a list or dict. In this case,
> LanguageAwareTransport is calling Transport.get_host_info() which always
> returns extra_headers as a list or None if empty.
>
> The original implementation (before this patch) always dropped the whole
> thing and used a new list instead.
>
>> + if not isinstance(extra_headers, list):
>> + extra_headers = []
>>
>> Multiple Authorization is actually legal though it may be a good idea to
>> remove any others found, so I'll let this part go. I don't know that it
>> is really needed though.
>
> Because the underlying Transport class can fill Authorization with
> 'Basic ' and the original implementation was dropping it as well.
>
>> Some formatting is changed to make it less readable IMHO:
>>
>> - else:
>> - scheme = "http"
>> + else: scheme = "http"
>
> That's unintentional, sorry.
>
>> The code to break HTTP_ACCEPT_LANGUAGE into language and region is
>> broken. Passing in en-gb returns en_EN. (I think you want [1] not [0]).
>
> Nice catch. I was probably thinking that since I'm using rsplit(), the
> indexes will be the other way around. :) Fixed in attached version.
>
>> Ideally we would loop through all acceptable languages until we find one
>> that we actually provide.
>>
>> So if we are passed in da, en-gb;q=0.8, en;q=0.7 we would first look for
>> Danish but fall back to British English or any other English (preferring
>> British English).
>
> That's a good idea! However I would keep it simple for now and do this
> in a separate patch.
>
>> rob
>
> Pavel
>
>

Rebased version attached.

Pavel
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-pzuna-71-3-acceptlang.patch
Type: application/mbox
Size: 4103 bytes
Desc: not available
URL:

From pzuna at redhat.com Wed Feb 16 15:23:33 2011
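A worked version of the parsing discussed in this thread (the es-es to es_ES mapping, the region coming from index [1] rather than [0], and Rob's suggested walk through the q-ordered preferences with a fallback to any catalog in the same language), as an added example that is not the patch's code. The list of available catalogs and the function names are constructed for the demonstration; the code also refuses malformed language tags instead of handing them to gettext.

```python
"""Map an HTTP Accept-Language header onto gettext-style locales and pick the
best one the server actually provides (added example, not FreeIPA code)."""
import re

# Constructed stand-in for the message catalogs a server ships (assumption).
AVAILABLE = ("en_US", "en_GB", "es_ES", "fr_FR")

# RFC-style language tag: 1-8 letters, optional '-' subtags. Anything else
# (empty, '*', punctuation, injected text) is dropped rather than parsed.
_TAG_RE = re.compile(r"[A-Za-z]{1,8}(-[A-Za-z0-9]{1,8})*\Z")


def tag_to_locale(tag):
    """'es-es' -> 'es_ES', 'en-gb' -> 'en_GB', 'da' -> 'da'.

    The region is parts[1]; taking parts[0] for both halves is exactly the
    en-gb -> en_EN bug Rob spotted in the review above."""
    parts = tag.split("-", 1)
    lang = parts[0].lower()
    if len(parts) == 1:
        return lang
    return "%s_%s" % (lang, parts[1].upper())


def parse_accept_language(header):
    """Return [(locale, q), ...] ordered by descending q, keeping the header
    order for equal q values. Malformed items and q<=0 are skipped."""
    found = []
    for position, item in enumerate(header.split(",")):
        item = item.strip()
        if not item:
            continue
        tag, _, params = item.partition(";")
        tag = tag.strip()
        if not _TAG_RE.match(tag):
            continue
        q = 1.0
        for param in params.split(";"):
            key, _, value = param.strip().partition("=")
            if key.strip().lower() == "q":
                try:
                    q = float(value)
                except ValueError:
                    q = 0.0
        if q <= 0:
            continue
        found.append((tag_to_locale(tag), q, position))
    found.sort(key=lambda entry: (-entry[1], entry[2]))
    return [(locale, q) for locale, q, _ in found]


def choose_locale(header, available=AVAILABLE, default="en_US"):
    """Loop through the client's preferences until one is available.

    An exact match wins; failing that, any catalog sharing the language is
    accepted, so 'da, en-gb;q=0.8, en;q=0.7' yields en_GB when shipped and
    en_US otherwise, as described in the review."""
    catalogs = list(available)
    for locale, _ in parse_accept_language(header):
        if locale in catalogs:
            return locale
        lang = locale.split("_")[0]
        for candidate in catalogs:
            if candidate.split("_")[0] == lang:
                return candidate
    return default
```

Because the header is attacker-controlled input, the tag regex is the part that matters operationally: whatever survives it is the only thing that reaches the locale lookup.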
From: pzuna at redhat.com (Pavel Zůna)
Date: Wed, 16 Feb 2011 16:23:33 +0100
Subject: [Freeipa-devel] [PATCH] Translate docstrings.
Message-ID: <4D5BEBF5.6080603@redhat.com>

This patch prepares the built-in help system for localized docstrings.

Pavel
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-pzuna-80-docstringloc.patch
Type: application/mbox
Size: 2365 bytes
Desc: not available
URL:

From pzuna at redhat.com Wed Feb 16 15:25:04 2011
From: pzuna at redhat.com (Pavel Zůna)
Date: Wed, 16 Feb 2011 16:25:04 +0100
Subject: [Freeipa-devel] [PATCH] Fix translatable strings in ipalib plugins.
Message-ID: <4D5BEC50.3060808@redhat.com>

Some translatable strings were in a wrong format and there were some more related issues. This patch tries to fix all of them. Needed for xgettext/pygettext processing.

Pavel
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-pzuna-81-fixlocstrings.patch
Type: application/mbox
Size: 17297 bytes
Desc: not available
URL:

From pzuna at redhat.com Wed Feb 16 15:30:30 2011
From: pzuna at redhat.com (Pavel Zůna)
Date: Wed, 16 Feb 2011 16:30:30 +0100
Subject: [Freeipa-devel] [PATCH] Fix i18n related failures in unit tests.
Message-ID: <4D5BED96.7000103@redhat.com>

Fixes unit test failures caused by the changes introduced in my other localization related patches.

Pavel
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-pzuna-82-fixlocutests.patch
Type: application/mbox
Size: 12762 bytes
Desc: not available
URL:

From kybaker at redhat.com Wed Feb 16 15:33:25 2011
From: kybaker at redhat.com (Kyle Baker)
Date: Wed, 16 Feb 2011 10:33:25 -0500 (EST)
Subject: [Freeipa-devel] [PATCH] Remove-bright-green-from-the-tabs-and-subnav
In-Reply-To: <2096020333.63932.1297870402369.JavaMail.root@zmail05.collab.prod.int.phx2.redhat.com>
Message-ID: <699545027.63935.1297870405044.JavaMail.root@zmail05.collab.prod.int.phx2.redhat.com>

Ayoung, check it out.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-kybaker-0010-Remove-bright-green-from-the-tabs-and-subnav.patch
Type: text/x-patch
Size: 46306 bytes
Desc: not available
URL:

From pzuna at redhat.com Wed Feb 16 15:35:56 2011
From: pzuna at redhat.com (Pavel Zůna)
Date: Wed, 16 Feb 2011 16:35:56 +0100
Subject: [Freeipa-devel] Localization patches.
Message-ID: <4D5BEEDC.5050902@redhat.com>

My efforts in fixing localization all around the framework and preparing it for localizing docstrings have resulted in a lot of patches. Because I understand they have become a bit hard to track, I decided to post them all together in this thread to make review easier.

After this is committed, there will be one more patch that switches xgettext for pygettext. Then hopefully, we'll be pretty much set when it comes to i18n.

Pavel
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-pzuna-69-rmi18nrequest.patch
Type: application/mbox
Size: 8311 bytes
Desc: not available
URL:
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-pzuna-71-3-acceptlang.patch
Type: application/mbox
Size: 4103 bytes
Desc: not available
URL:
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-pzuna-76-deflocale.patch
Type: application/mbox
Size: 959 bytes
Desc: not available
URL:
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-pzuna-80-docstringloc.patch
Type: application/mbox
Size: 2365 bytes
Desc: not available
URL:
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-pzuna-81-fixlocstrings.patch
Type: application/mbox
Size: 17297 bytes
Desc: not available
URL:
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-pzuna-82-fixlocutests.patch
Type: application/mbox
Size: 12762 bytes
Desc: not available
URL:

From mkosek at redhat.com Wed Feb 16 15:37:17 2011
From: mkosek at redhat.com (Martin Kosek)
Date: Wed, 16 Feb 2011 16:37:17 +0100
Subject: [Freeipa-devel] [PATCH] 026 HBAC plugin inconsistent output
In-Reply-To: <4D594C35.4060102@redhat.com>
References: <1296824925.7595.8.camel@dhcp-25-52.brq.redhat.com> <201102071038.07391.jzeleny@redhat.com> <1297245646.3003.12.camel@dhcp-25-52.brq.redhat.com> <201102091236.45877.jzeleny@redhat.com> <4D594C35.4060102@redhat.com>
Message-ID: <1297870637.18411.29.camel@dhcp-25-52.brq.redhat.com>

On Mon, 2011-02-14 at 10:37 -0500, Rob Crittenden wrote:
> Jan Zelený wrote:
> > Martin Kosek wrote:
> >> On Mon, 2011-02-07 at 10:38 +0100, Jan Zelený wrote:
> >>> Martin Kosek wrote:
> >>>> This patch adds a proper summary text to HBAC command which is
> >>>> then printed out in CLI. Now, HBAC plugin output is consistent
> >>>> with other plugins.
> >>>>
> >>>> https://fedorahosted.org/freeipa/ticket/596
> >>>
> >>> I believe API.txt should be updated (you change hbacrule_enable and
> >>> hbacrule_disable return values), so NACK for now.
> >>>
> >>> Jan
> >>
> >> Patch has been rebased, API.txt updated along with some minor changes to
> >> achieve consistency between HBAC plugins. All tests pass.
> >>
> >> Martin
> >
> > Looks good now, ack
> >
> > Jan
>
> pushed to master

I guess this patch still needs to be pushed. I cannot find it in the master.

Martin

From rcritten at redhat.com Wed Feb 16 15:40:21 2011
From: rcritten at redhat.com (Rob Crittenden)
Date: Wed, 16 Feb 2011 10:40:21 -0500
Subject: [Freeipa-devel] [PATCH] 026 HBAC plugin inconsistent output
In-Reply-To: <1297870637.18411.29.camel@dhcp-25-52.brq.redhat.com>
References: <1296824925.7595.8.camel@dhcp-25-52.brq.redhat.com> <201102071038.07391.jzeleny@redhat.com> <1297245646.3003.12.camel@dhcp-25-52.brq.redhat.com> <201102091236.45877.jzeleny@redhat.com> <4D594C35.4060102@redhat.com> <1297870637.18411.29.camel@dhcp-25-52.brq.redhat.com>
Message-ID: <4D5BEFE5.2050106@redhat.com>

Martin Kosek wrote:
> On Mon, 2011-02-14 at 10:37 -0500, Rob Crittenden wrote:
>> Jan Zelený wrote:
>>> Martin Kosek wrote:
>>>> On Mon, 2011-02-07 at 10:38 +0100, Jan Zelený wrote:
>>>>> Martin Kosek wrote:
>>>>>> This patch adds a proper summary text to HBAC command which is
>>>>>> then printed out in CLI. Now, HBAC plugin output is consistent
>>>>>> with other plugins.
>>>>>>
>>>>>> https://fedorahosted.org/freeipa/ticket/596
>>>>>
>>>>> I believe API.txt should be updated (you change hbacrule_enable and
>>>>> hbacrule_disable return values), so NACK for now.
>>>>>
>>>>> Jan
>>>>
>>>> Patch has been rebased, API.txt updated along with some minor changes to
>>>> achieve consistency between HBAC plugins. All tests pass.
>>>>
>>>> Martin
>>>
>>> Looks good now, ack
>>>
>>> Jan
>>
>> pushed to master
>
> I guess this patch still needs to be pushed. I cannot find it in the
> master.
>
> Martin
>

Sorry, a push works better when you actually push it. It is upstream now.

rob

From ayoung at redhat.com Wed Feb 16 15:46:28 2011
From: ayoung at redhat.com (Adam Young)
Date: Wed, 16 Feb 2011 10:46:28 -0500
Subject: [Freeipa-devel] [PATCH] 031 Remove WebUI identifiers from global namespace
In-Reply-To: <1297869411.18411.25.camel@dhcp-25-52.brq.redhat.com>
References: <1297776332.3047.3.camel@dhcp-25-52.brq.redhat.com> <4D5AC543.1090001@redhat.com> <1297869411.18411.25.camel@dhcp-25-52.brq.redhat.com>
Message-ID: <4D5BF154.4070909@redhat.com>

On 02/16/2011 10:16 AM, Martin Kosek wrote:
> On Tue, 2011-02-15 at 13:26 -0500, Adam Young wrote:
>> On 02/15/2011 08:25 AM, Martin Kosek wrote:
>>> Many WebUI identifiers were defined in a global namespace. This is
>>> not a good programming practice and may result in name clashes,
>>> for example with other libraries.
>>>
>>> This patch moves these variables to IPA namespace or its
>>> sub-namespaces, if required.
>>>
>>> https://fedorahosted.org/freeipa/ticket/212
>>
>>
>> Martin, here is the patch I did for the cert portion. I'll toss it,
>> but you can see what I was thinking as far as how to shorten the
>> names:
>>
>> BTW, you should reverse the names of your patch so that they start
>> with freeipa, and then your user id.
> Adam, thanks for all the remarks. Here is a second version of the patch
> based on your work on certificate module. I tried to keep the patch
> simple without too many changes.
>
> There are 3 new subnamespaces in this patch - sudo, cert and nav. I have
> removed a lot of unused code in search.js, you may want to check it
> closer. This enabled me to move search_generate_checkbox_td
> functionality just to a place where it's needed.

Almost there. I'd like to pull the sudo namespace out of ipa.js and put it into sudorule.js, then indicate that the other sudo files depend on sudo rule.

I guess I should have been clearer: stuff like facets and widgets don't need to go into a sub-namespace, just custom code called by them. I'm thinking that widgets and facets in the long term should become a sub-namespace of IPA themselves: so IPA.widget.text, IPA.facet.details, and then the more specific ones. While I don't want to do that in this patch, keep that in mind when deciding which namespace to put something into. A good rule of thumb is that an entity name should not be repeated in a function name, so something like IPA.sudo.sudorule_details_facet should be IPA.sudorule_details_facet but any custom functions it calls should be in IPA.sudo.

I'm being a bit picky here as this is probably the last major cleanup we'll get to do before GA, and this is the code that people will look at. I want it to be as understandable as possible.

> Martin
>

From JR.Aquino at citrix.com Wed Feb 16 15:44:37 2011
From: JR.Aquino at citrix.com (JR Aquino)
Date: Wed, 16 Feb 2011 15:44:37 +0000
Subject: [Freeipa-devel] [PATCH] 18 Use TLS for ipadiscovery during ipa client install
Message-ID:

This patch addresses the need to utilize TLS when using the ipa-client-install tool.

It addresses ticket: https://fedorahosted.org/freeipa/ticket/974
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-jraquino-0018-Use-TLS-for-ipadiscovery-during-ipa-client-install.patch
Type: application/octet-stream
Size: 2956 bytes
Desc: freeipa-jraquino-0018-Use-TLS-for-ipadiscovery-during-ipa-client-install.patch
URL:

From jhrozek at redhat.com Wed Feb 16 15:46:45 2011
From: jhrozek at redhat.com (Jakub Hrozek)
Date: Wed, 16 Feb 2011 16:46:45 +0100
Subject: [Freeipa-devel] [PATCH] 059 Use unicode parameters in the host plugin
Message-ID: <4D5BF165.1080807@redhat.com>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

While reviewing Rob's latest patch I found out that we didn't convert to unicode in a couple of places in the host plugin.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (GNU/Linux)
Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org/

iEYEARECAAYFAk1b8WUACgkQHsardTLnvCWRjwCfZfOqAStP6exuq7oRlw9N4CuF
YtkAnRHwT/In85pu3E+y/w0DetsumYBF
=XUgJ
-----END PGP SIGNATURE-----
-------------- next part --------------
A non-text attachment was scrubbed...
Name: jhrozek-freeipa-059-unicode-host.patch
Type: text/x-patch
Size: 2485 bytes
Desc: not available
URL:

From JR.Aquino at citrix.com Wed Feb 16 16:06:48 2011
From: JR.Aquino at citrix.com (JR Aquino)
Date: Wed, 16 Feb 2011 16:06:48 +0000
Subject: [Freeipa-devel] [PATCH] 17-2 Managed netgroups should be invisible
In-Reply-To:
Message-ID:

Removed whitespace from patch and added API.txt changes to reflect the --private option added to netgroup

On 2/15/11 12:45 PM, "JR Aquino" wrote:

>This patch provides ipa netgroup-find a default filter which prevents the
>displaying of mepManageEntry Netgroups by default.
>It also introduces a --private flag similar to the group.py to allow for
>displaying them if necessary.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-jraquino-0017-2-Managed-netgroups-should-be-invisible.patch
Type: application/octet-stream
Size: 3449 bytes
Desc: freeipa-jraquino-0017-2-Managed-netgroups-should-be-invisible.patch
URL:

From jzeleny at redhat.com Wed Feb 16 16:26:55 2011
From: jzeleny at redhat.com (Jan Zeleny)
Date: Wed, 16 Feb 2011 17:26:55 +0100
Subject: [Freeipa-devel] [PATCH] 47 Validate that the reverse DNS record is correct
In-Reply-To: <20110216125202.GA8161@evileye.atkac.brq.redhat.com>
References: <201102161053.14986.jzeleny@redhat.com> <20110216125202.GA8161@evileye.atkac.brq.redhat.com>
Message-ID: <201102161726.55995.jzeleny@redhat.com>

Adam Tkac wrote:
> On Wed, Feb 16, 2011 at 10:53:14AM +0100, Jan Zelený wrote:
> > This patch ensures that PTR records added by FreeIPA are compliant with
> > RFC.
>
> Nack.
>
> In my opinion the _ptrrecord_pre_callback should also handle PTR records
> for IPv6 addresses.
>
> You can check validity of IPv6 PTR record this way (pseudocode):
>
> zone.replace(.ip6.arpa., '')
> if (len(addr.split('.')) + len(zone.split('.')) != 32)
> raise_error
>
> Regards, Adam

Thanks for the review, I made the changes you suggested. Second patch is in attachment.

Jan
-------------- next part --------------
A non-text attachment was scrubbed...
Name: jzeleny-freeipa-0047-2-Validate-that-the-reverse-DNS-record-is-correct.patch
Type: text/x-patch
Size: 1593 bytes
Desc: not available
URL:

From ssorce at redhat.com Wed Feb 16 16:30:16 2011
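Adam's pseudocode above (repeated in his ACK further down the page) checks only that the nibble count under ip6.arpa adds up to 32. The following is an added example, not the FreeIPA patch, that carries the same idea through for both reverse trees and also validates the individual labels and reconstructs the address, so that a record name which has the right length but bogus content (for example an octet of 300) is still rejected. The function names and the sample zone names are my own.

```python
"""Validate a PTR owner name against its reverse zone and rebuild the address
it maps (added example; not FreeIPA code)."""
import ipaddress

HEX_DIGITS = "0123456789abcdefABCDEF"


def _labels(name):
    """Split a DNS name into labels, ignoring the trailing dot and empties."""
    return [label for label in name.strip().rstrip(".").split(".") if label]


def reverse_parts(zone, addr):
    """Return (family, labels) where labels is the record name followed by
    the zone with the '.in-addr.arpa' / '.ip6.arpa' suffix removed.

    Raises ValueError if the zone is not a reverse zone at all."""
    zone_labels = _labels(zone)
    suffix = [label.lower() for label in zone_labels[-2:]]
    if suffix == ["in-addr", "arpa"]:
        return 4, _labels(addr) + zone_labels[:-2]
    if suffix == ["ip6", "arpa"]:
        return 6, _labels(addr) + zone_labels[:-2]
    raise ValueError("%s is not a reverse zone" % zone)


def validate_ptr(zone, addr):
    """True when addr plus zone spell out one complete reverse address.

    IPv4: exactly 4 labels, each a decimal 0-255.
    IPv6: exactly 32 labels (the len(...) != 32 check from the thread),
    each a single hex nibble."""
    try:
        family, labels = reverse_parts(zone, addr)
    except ValueError:
        return False
    if family == 4:
        return len(labels) == 4 and all(
            label.isdigit() and int(label) <= 255 for label in labels)
    return len(labels) == 32 and all(
        len(label) == 1 and label in HEX_DIGITS for label in labels)


def ptr_to_address(zone, addr):
    """Rebuild the forward address text for a valid PTR name, or raise."""
    if not validate_ptr(zone, addr):
        raise ValueError("invalid PTR record %s in %s" % (addr, zone))
    family, labels = reverse_parts(zone, addr)
    labels.reverse()  # reverse trees store the address least significant first
    if family == 4:
        return str(ipaddress.IPv4Address(".".join(labels)))
    return str(ipaddress.IPv6Address(int("".join(labels), 16)))
```

Using the reconstructed address as the final check (rather than only the label count) means a reviewer can compare what the zone will actually answer against what the administrator meant to create.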
From: ssorce at redhat.com (Simo Sorce)
Date: Wed, 16 Feb 2011 11:30:16 -0500
Subject: [Freeipa-devel] [PATCH] 0084 Fix duplicate OIDs
Message-ID: <20110216113016.2316aad4@willson.li.ssimo.org>

Apparently we forgot to check OID consistency between the schema and the extensions, and we got duplicates.

Technically the schema was done later but it is easier to change the extensions OIDs than to change the schema of current beta2/rc1 installations.

The only side effect is that older ipa-getkeytab and ipa-join binaries will fail. So the admin/client tools must be upgraded at the same time as all the masters (as otherwise some will show/accept the new OID while others won't).

Simo.

--
Simo Sorce * Red Hat, Inc * New York
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-simo-0084-Fix-duplicate-OIDs.patch
Type: text/x-patch
Size: 2858 bytes
Desc: not available
URL:

From edewata at redhat.com Wed Feb 16 17:59:15 2011
From: edewata at redhat.com (Endi Sukma Dewata)
Date: Wed, 16 Feb 2011 12:59:15 -0500 (EST)
Subject: [Freeipa-devel] [PATCH] 17-2 Managed netgroups should be invisible
In-Reply-To:
Message-ID: <1885034867.66626.1297879155812.JavaMail.root@zmail05.collab.prod.int.phx2.redhat.com>

> On 2/15/11 12:45 PM, "JR Aquino" wrote:
>
> >This patch provides ipa netgroup-find a default filter which prevents
> >the
> >displaying of mepManageEntry Netgroups by default.
> >It also introduces a --private flag similar to the group.py to allow
> >for
> >displaying them if necessary.
>
> Removed whitespace from patch and added API.txt changes to reflect the
> --private option added to netgroup

ACK and pushed to master.

--
Endi S. Dewata

From jzeleny at redhat.com Wed Feb 16 18:50:38 2011
From: jzeleny at redhat.com (Jan Zeleny)
Date: Wed, 16 Feb 2011 19:50:38 +0100
Subject: [Freeipa-devel] [PATCH] Updated default Kerberos password policy
In-Reply-To: <4D5BD33A.1020802@redhat.com>
References: <201102101409.30118.jzeleny@redhat.com> <201102160853.35132.jzeleny@redhat.com> <4D5BD33A.1020802@redhat.com>
Message-ID: <201102161950.38130.jzeleny@redhat.com>

Rob Crittenden wrote:
> Jan Zelený wrote:
> > Jan Zeleny wrote:
> >> Rob Crittenden wrote:
> >>> Jan Zelený wrote:
> >>>> https://fedorahosted.org/freeipa/ticket/930
> >>>>
> >>>> I put there a value Dmitri suggested. Feel free to change it before
> >>>> pushing if you think there should be the originally suggested 10 login
> >>>> attempts.
> >>>
> >>> We want to increase krbPwdLockoutDuration too, to 600.
> >>>
> >>> rob
> >>
> >> Sorry, I didn't realize it was in seconds. I just saw 10 and figured
> >> it's ok it's already there. Anyway, I'm sending the updated patch.
> >
> > Just a reminder that this patch needs to be re-reviewed.
> >
> > Thanks
> > Jan
>
> I think we need to fix this as an update file rather than changing the
> default install. It would look something like:
>
> dn: cn=global_policy,cn=$REALM,cn=kerberos,$SUFFIX
> replace:krbPwdLockoutDuration: 10: 600
> replace: krbPwdMaxFailure: 3: 6
>
> I'm ok with fixing it in both places.
>
> rob

Here it is, hopefully I got it right this time. I wasn't sure about the file number, but from guidelines in README I guess it's ok.

Jan
-------------- next part --------------
A non-text attachment was scrubbed...
Name: jzeleny-freeipa-0039-3-Updated-default-Kerberos-password-policy.patch
Type: text/x-patch
Size: 1863 bytes
Desc: not available
URL:

From jdennis at redhat.com Wed Feb 16 19:58:31 2011
From: jdennis at redhat.com (John Dennis)
Date: Wed, 16 Feb 2011 14:58:31 -0500
Subject: [Freeipa-devel] [PATCH 22/22] Update Polish & Ukrainian translations
Message-ID: <201102161958.p1GJwVQQ008203@int-mx01.intmail.prod.int.phx2.redhat.com>

--
John Dennis

Looking to carve out IT costs?
www.redhat.com/carveoutcosts/
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0022-Update-Polish-Ukrainian-translations.patch
Type: text/x-patch
Size: 5950 bytes
Desc: not available
URL:

From rcritten at redhat.com Thu Feb 17 03:06:20 2011
From: rcritten at redhat.com (Rob Crittenden)
Date: Wed, 16 Feb 2011 22:06:20 -0500
Subject: [Freeipa-devel] [PATCH] 058 Validate and convert certificate SN
In-Reply-To: <20110216143202.GB1298@zeppelin.brq.redhat.com>
References: <20110216143202.GB1298@zeppelin.brq.redhat.com>
Message-ID: <4D5C90AC.7090705@redhat.com>

Jakub Hrozek wrote:
> The cert plugin only worked OK with decimal certificate serial numbers.
> This patch allows specifying the serial number in hexadecimal, too. The
> conversion now works such that:
> * with no explicit radix, a best-effort conversion is done using
> int(str, 0) in python. If the format is ambiguous, decimal takes precedence.
> * a hexadecimal radix can be specified explicitly using the
> traditional 0x prefix
>
> https://fedorahosted.org/freeipa/ticket/958
> https://fedorahosted.org/freeipa/ticket/953

ack, pushed to master

From rcritten at redhat.com Thu Feb 17 03:15:17 2011
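The conversion rule Jakub describes (decimal takes precedence when the form is ambiguous, hex only with an explicit 0x prefix) is easy to get subtly wrong, because int(s, 0) treats a leading zero as octal on Python 2 and as an error on Python 3. The following is an added example, not the cert plugin's own code, that makes the rule explicit with two anchored patterns and shows the comparison use case where a user-typed serial is matched against a stored one; the helper names are mine.

```python
"""Normalize a certificate serial number given as text (added example; not
the FreeIPA cert plugin)."""
import re

# Anchored patterns: whole string must be plain decimal, or 0x + hex digits.
_DECIMAL = re.compile(r"[0-9]+\Z")
_HEX = re.compile(r"0[xX][0-9a-fA-F]+\Z")


def normalize_serial(value):
    """Return the serial as an int, or raise ValueError.

    Decimal is tried first, so an ambiguous '010' is ten, not the octal
    eight that int('010', 0) gives on Python 2 (Python 3 raises instead).
    Hex requires the 0x prefix: a bare '1f' is rejected rather than guessed.
    Signs, spaces and trailing junk are rejected too, because a serial is a
    non-negative integer and anything else is likely a typo or an attempt to
    smuggle text into a directory search filter."""
    text = value.strip()
    if _DECIMAL.match(text):
        return int(text, 10)
    if _HEX.match(text):
        return int(text, 16)
    raise ValueError("invalid certificate serial number: %r" % value)


def serial_hex(serial):
    """Canonical hex spelling with the 0x prefix, for display next to tools
    that print serials in hex."""
    return "0x%x" % serial


def same_serial(given, stored):
    """Compare two textual serials regardless of the radix each was typed
    in, e.g. '4096' against '0x1000'."""
    return normalize_serial(given) == normalize_serial(stored)
```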
From: rcritten at redhat.com (Rob Crittenden)
Date: Wed, 16 Feb 2011 22:15:17 -0500
Subject: [Freeipa-devel] [PATCH] 032 Service/Host disable command output clarification
In-Reply-To: <1297849871.18411.19.camel@dhcp-25-52.brq.redhat.com>
References: <1297849871.18411.19.camel@dhcp-25-52.brq.redhat.com>
Message-ID: <4D5C92C5.7020707@redhat.com>

Martin Kosek wrote:
> When a service/host is disabled, the resulting summary message states
> that a Kerberos key was disabled. However, Kerberos key may not have
> been enabled before this command at all, which makes this information
> confusing for some users. Also, the summary message didn't state
> that an SSL certificate was disabled too.
>
> This patch rather changes the summary message to a standard phrase
> known from other plugins disable command and states all disable
> command steps in a respective command help.
>
> https://fedorahosted.org/freeipa/ticket/872

I made a minor change by adding SSL before every reference to certificate for consistency.

pushed to master

rob

From rcritten at redhat.com Thu Feb 17 03:19:25 2011
From: rcritten at redhat.com (Rob Crittenden)
Date: Wed, 16 Feb 2011 22:19:25 -0500
Subject: [Freeipa-devel] [PATCH] 727 don't allow host cn to be updated
In-Reply-To: <4D5BE716.707@redhat.com>
References: <4D5ADCCE.4060001@redhat.com> <4D5BE716.707@redhat.com>
Message-ID: <4D5C93BD.3070106@redhat.com>

Jakub Hrozek wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> On 02/15/2011 09:06 PM, Rob Crittenden wrote:
>> We are required by LDAP schema to have a cn value in a host record.
>> Don't let a user modify it, it will just cause confusion.
>>
>> tickets 706 and 707
>>
>> rob
>>
>
> Ack

pushed to master

From rcritten at redhat.com Thu Feb 17 03:29:22 2011
From: rcritten at redhat.com (Rob Crittenden)
Date: Wed, 16 Feb 2011 22:29:22 -0500
Subject: [Freeipa-devel] [PATCH] Updated default Kerberos password policy
In-Reply-To: <201102161950.38130.jzeleny@redhat.com>
References: <201102101409.30118.jzeleny@redhat.com> <201102160853.35132.jzeleny@redhat.com> <4D5BD33A.1020802@redhat.com> <201102161950.38130.jzeleny@redhat.com>
Message-ID: <4D5C9612.3020201@redhat.com>

Jan Zeleny wrote:
> Rob Crittenden wrote:
>> Jan Zelený wrote:
>>> Jan Zeleny wrote:
>>>> Rob Crittenden wrote:
>>>>> Jan Zelený wrote:
>>>>>> https://fedorahosted.org/freeipa/ticket/930
>>>>>>
>>>>>> I put there a value Dmitri suggested. Feel free to change it before
>>>>>> pushing if you think there should be the originally suggested 10 login
>>>>>> attempts.
>>>>>
>>>>> We want to increase krbPwdLockoutDuration too, to 600.
>>>>>
>>>>> rob
>>>>
>>>> Sorry, I didn't realize it was in seconds. I just saw 10 and figured
>>>> it's ok it's already there. Anyway, I'm sending the updated patch.
>>>
>>> Just a reminder that this patch needs to be re-reviewed.
>>>
>>> Thanks
>>> Jan
>>
>> I think we need to fix this as an update file rather than changing the
>> default install. It would look something like:
>>
>> dn: cn=global_policy,cn=$REALM,cn=kerberos,$SUFFIX
>> replace:krbPwdLockoutDuration: 10: 600
>> replace: krbPwdMaxFailure: 3: 6
>>
>> I'm ok with fixing it in both places.
>>
>> rob
>
> Here it is, hopefully I got it right this time. I wasn't sure about the file
> number, but from guidelines in README I guess it's ok.
>
> Jan

I removed the spaces before the integers, I guess the updater was sending ' 600' as the update instead of '600'.

ack, pushed to master

rob

From rcritten at redhat.com Thu Feb 17 03:30:24 2011
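Rob's sketch of the update file in the earlier message and his note here that the stray spaces were sent through as ' 600' describe a small but real failure mode: a lockout policy that silently does not take effect. The following is an added example, not the FreeIPA updater, that parses lines of the shape shown in the thread (the `replace:attr:old:new` grammar and the "replace only when the stored value still equals old" semantics are assumptions drawn from those three lines), strips every field, substitutes $REALM and $SUFFIX, and checks the policy values before applying them to an in-memory copy of the entry. The sample update text and the function names are constructed.

```python
"""Parse a small update file for the Kerberos password policy entry and
apply it to a dict standing in for the LDAP entry (added example; not the
FreeIPA updater, whose real grammar is not shown on this page)."""

# Constructed sample: Rob's sketch, including the spaces that broke it.
SAMPLE_UPDATE = """dn: cn=global_policy,cn=$REALM,cn=kerberos,$SUFFIX
replace:krbPwdLockoutDuration: 10: 600
replace: krbPwdMaxFailure: 3: 6
"""

# Minimal sanity checks on the two attributes discussed in the thread
# (assumption: the duration is in seconds, the failure count is >= 1).
POLICY_CHECKS = {
    "krbPwdLockoutDuration": lambda v: v >= 0,
    "krbPwdMaxFailure": lambda v: v >= 1,
}


def parse_update(text, realm, suffix):
    """Return (dn, [(attr, old, new), ...]) with every field stripped.

    Stripping is the point: without it the value handed to LDAP is ' 600',
    which neither parses as the integer 600 nor equals the stored '600'."""
    dn = None
    ops = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.lower().startswith("dn:"):
            dn = line[3:].strip().replace("$REALM", realm).replace("$SUFFIX", suffix)
            continue
        fields = [field.strip() for field in line.split(":")]
        if len(fields) != 4 or fields[0] != "replace":
            raise ValueError("unsupported update line: %r" % raw)
        _, attr, old, new = fields
        ops.append((attr, old, new))
    if dn is None:
        raise ValueError("update file has no dn")
    return dn, ops


def apply_update(entry, ops):
    """Apply replace operations to a dict entry and return the attributes
    that changed. A replace fires only while the stored value equals 'old',
    so re-running the update on an already-upgraded server is a no-op and
    an administrator's later manual change is not clobbered."""
    changed = []
    for attr, old, new in ops:
        check = POLICY_CHECKS.get(attr)
        if check is not None and not check(int(new)):
            raise ValueError("refusing unsafe policy value %s=%s" % (attr, new))
        if entry.get(attr) == old:
            entry[attr] = new
            changed.append(attr)
    return changed
```

Running the parser on the sketch as written shows why the spaces mattered: the raw third field is ' 600', and only after stripping does it match the '600' that a fresh install would have stored.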
From: rcritten at redhat.com (Rob Crittenden)
Date: Wed, 16 Feb 2011 22:30:24 -0500
Subject: [Freeipa-devel] [PATCH] 0084 Fix duplicate OIDs
In-Reply-To: <20110216113016.2316aad4@willson.li.ssimo.org>
References: <20110216113016.2316aad4@willson.li.ssimo.org>
Message-ID: <4D5C9650.8070907@redhat.com>

Simo Sorce wrote:
>
> Apparently we forgot to check OID consistency between the schema and
> the extensions, and we got duplicates.
>
> Technically the schema was done later but it is easier to change the
> extensions OIDs than to change the schema of current beta2/rc1
> installations.
>
> The only side effect is that older ipa-getkeytab and ipa-join binaries
> will fail. So the admin/client tools must be upgraded as well at the
> same time as all the masters (as otherwise some will show/accept
> the new OID while others won't).
>
> Simo.
>

ack.

Simo, when you push it can you include this description in the git commit message, it makes things very clear.

rob

From rcritten at redhat.com Thu Feb 17 03:35:24 2011
From: rcritten at redhat.com (Rob Crittenden)
Date: Wed, 16 Feb 2011 22:35:24 -0500
Subject: [Freeipa-devel] [PATCH] 728 default roles
Message-ID: <4D5C977C.1020408@redhat.com>

Add default roles and permissions for HBAC, SUDO and pw policy

Created some default roles as examples. In doing so I realized that we were completely missing default rules for HBAC, SUDO and password policy so I added those as well.

I ran into a problem when the updater has a default record and an add at the same time, it should handle it better now.

ticket 585

rob
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-rcrit-728-roles.patch
Type: application/mbox
Size: 20657 bytes
Desc: not available
URL:

From rcritten at redhat.com Thu Feb 17 03:50:38 2011
From: rcritten at redhat.com (Rob Crittenden)
Date: Wed, 16 Feb 2011 22:50:38 -0500
Subject: [Freeipa-devel] [PATCH] Fix i18n related failures in unit tests.
In-Reply-To: <4D5BED96.7000103@redhat.com>
References: <4D5BED96.7000103@redhat.com>
Message-ID: <4D5C9B0E.9030302@redhat.com>

Pavel Zůna wrote:
> Fixes unit test failures cause by the changes introduced in my other
> localization related patches.
>
> Pavel

I don't understand this change, isn't the point to test other languages?

- request.set_languages('en_US.UTF-8')
+ # request.set_languages('en_US.UTF-8')

# Tell gettext that our domain is 'ipa', that locale_dir is
# 'test_locale' (i.e. where to look for the message catalog)
@@ -117,7 +117,6 @@ def test_gettext():
# Reset the language and assure we don't get the test values
context.__dict__.clear()
- request.set_languages('fr_FR')

From rcritten at redhat.com Thu Feb 17 04:09:01 2011
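Review bot: replacing `request.set_languages('en_US.UTF-8')` with a commented-out copy in the first hunk leaves dead code and, more importantly, means the test no longer pins the language before the gettext setup that follows, so the lookup now depends on whatever language the ambient context carries. If the call has moved elsewhere, delete the line rather than comment it and say where the language is now set; if it has not, keep the call.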
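Review bot: in the `@@ -117,7 +117,6 @@` hunk the removed `request.set_languages('fr_FR')` after `context.__dict__.clear()` was what made the second half of `test_gettext()` run under a language other than the test catalog's, so the comment "assure we don't get the test values" now only holds if the default language happens not to match. Either set a non-test language explicitly again or update the comment to state why a cleared context alone is sufficient.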
From: rcritten at redhat.com (Rob Crittenden)
Date: Wed, 16 Feb 2011 23:09:01 -0500
Subject: [Freeipa-devel] Localization patches.
In-Reply-To: <4D5BEEDC.5050902@redhat.com>
References: <4D5BEEDC.5050902@redhat.com>
Message-ID: <4D5C9F5D.1090706@redhat.com>

Pavel Zůna wrote:
> My efforts in fixing localization all around the framework and preparing
> it for localizing docstrings have resulted in a lot of patches. Because
> I understand they have become a bit hard to track, I decided to post
> them all together in this thread to make review easier.
>
> After this is committed, there will be one more patch that switches
> xgettext for pygettext. Then hopefully, we'll be pretty much set when it
> comes to i18n.
>
> Pavel

Patch 81 isn't applying for me.

Help is not working for me either, this is due to patch 80.

$ ipa help user
ipa: ERROR: NameError: global name '_' is not defined
Traceback (most recent call last):
  File "/home/rcrit/redhat/freeipa-version/ipalib/cli.py", line 1087, in run
    api.finalize()
  File "/home/rcrit/redhat/freeipa-version/ipalib/plugable.py", line 619, in finalize
    plugin_iter(base, (magic[k] for k in magic))
  File "/home/rcrit/redhat/freeipa-version/ipalib/base.py", line 397, in __init__
    sorted(members, key=lambda m: getattr(m, name_attr))
  File "/home/rcrit/redhat/freeipa-version/ipalib/plugable.py", line 608, in plugin_iter
    plugins[klass] = PluginInstance(klass)
  File "/home/rcrit/redhat/freeipa-version/ipalib/plugable.py", line 585, in __init__
    self.instance = klass()
  File "/home/rcrit/redhat/freeipa-version/ipalib/plugable.py", line 184, in __init__
    self.doc = _(inspect.getdoc(cls))
NameError: global name '_' is not defined
ipa: ERROR: an internal error has occurred

Patches 69, 71 and 73 are still working fine.

What is switching from xgettext to pygettext going to do?

rob

From JR.Aquino at citrix.com Thu Feb 17 04:11:00 2011
From: JR.Aquino at citrix.com (JR Aquino)
Date: Thu, 17 Feb 2011 04:11:00 +0000
Subject: [Freeipa-devel] [PATCH] 19 prevent duplicate netgroup entries
Message-ID:

This patch fixes the netgroup plugin's behavior of adding duplicate entries when the managed entry plugin creates a netgroup with a mepManagedEntry

This problem is documented in ticket: https://fedorahosted.org/freeipa/ticket/963

As noted by Endi for issue #3 in the History:

"3. Just out of curiosity, I tried adding a netgroup with the same name as the hostgroup. I expected it to conflict with the managed netgroup, but it actually worked. Searching the directory will return 2 netgroups with the same name:"

Historically the netgroup plugin had inappropriately defined:

rdn_attribute = 'ipauniqueid'

This caused the ability of duplication with the creation of native netgroups using the ipaUniqueId as the DN and as the Managed Entry netgroups utilizing the cn as the DN.

Patch includes adjustments for the netgroup plugin and corresponding test_netgroup_plugin

Please verify that the items requested in #963 are now complete and please confirm that the corresponding tests all pass.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-jraquino-0019-prevent-duplicate-netgroup-entries.patch
Type: application/octet-stream
Size: 13302 bytes
Desc: freeipa-jraquino-0019-prevent-duplicate-netgroup-entries.patch
URL:

From jzeleny at redhat.com Thu Feb 17 07:27:39 2011
From: jzeleny at redhat.com (Jan Zelený)
Date: Thu, 17 Feb 2011 08:27:39 +0100
Subject: [Freeipa-devel] [PATCH] Fixed in ipa-server-install help and man page
In-Reply-To: <4D5BD4AC.5030401@redhat.com>
References: <201102160921.42462.jzeleny@redhat.com> <4D5BD4AC.5030401@redhat.com>
Message-ID: <201102170827.39431.jzeleny@redhat.com>

Rob Crittenden wrote:
> Jan Zelený wrote:
> > https://fedorahosted.org/freeipa/ticket/831
> >
> > Jan
>
> I think I'd like David's take on this, but my initial reaction is I'd
> prefer the word maximum to maximal.
>
> rob

The second patch is in attachment. Based on David's recommendation you can pick and push the right one.

Jan
-------------- next part --------------
A non-text attachment was scrubbed...
Name: jzeleny-freeipa-0046-2-Fixed-in-ipa-server-install-help-and-man-page.patch
Type: text/x-patch
Size: 2426 bytes
Desc: not available
URL: 

From jzeleny at redhat.com Thu Feb 17 08:58:10 2011
From: jzeleny at redhat.com (Jan Zelený)
Date: Thu, 17 Feb 2011 09:58:10 +0100
Subject: [Freeipa-devel] [PATCH] 48 Document the --rights output format
Message-ID: <201102170958.10900.jzeleny@redhat.com>

https://fedorahosted.org/freeipa/ticket/563
https://fedorahosted.org/freeipa/ticket/588

Jan
-------------- next part --------------
A non-text attachment was scrubbed...
Name: jzeleny-freeipa-0048-Document-the-rights-output-format.patch
Type: text/x-patch
Size: 3288 bytes
Desc: not available
URL: 

From atkac at redhat.com Thu Feb 17 09:20:12 2011
From: atkac at redhat.com (Adam Tkac)
Date: Thu, 17 Feb 2011 10:20:12 +0100
Subject: [Freeipa-devel] [PATCH] 47 Validate that the reverse DNS record is correct
In-Reply-To: <201102161726.55995.jzeleny@redhat.com>
References: <201102161053.14986.jzeleny@redhat.com> <20110216125202.GA8161@evileye.atkac.brq.redhat.com> <201102161726.55995.jzeleny@redhat.com>
Message-ID: <20110217092012.GB4168@traged.englab.brq.redhat.com>

On Wed, Feb 16, 2011 at 05:26:55PM +0100, Jan Zeleny wrote:
> Adam Tkac wrote:
> > On Wed, Feb 16, 2011 at 10:53:14AM +0100, Jan Zelený wrote:
> > > This patch ensures that PTR records added by FreeIPA are compliant with
> > > RFC.
> >
> > Nack.
> >
> > In my opinion the _ptrrecord_pre_callback should also handle PTR records
> > for IPv6 addresses.
> >
> > You can check validity of IPv6 PTR record this way (pseudocode):
> >
> > zone.replace(.ip6.arpa., '')
> > if (len(addr.split('.')) + len(zone.split('.')) != 32)
> >     raise_error
> >
> > Regards, Adam
>
> Thanks for the review, I made the changes you suggested. Second patch is in
> attachment.

Thanks for improvement, now it looks fine for me. Ack.

Regards, Adam

> From a01180772ab9ce9409532892e81f03ea7fc2582a Mon Sep 17 00:00:00 2001
> From: Jan Zeleny
> Date: Wed, 16 Feb 2011 04:47:36 -0500
> Subject: [PATCH] Validate that the reverse DNS record is correct
>
> This patch ensures that PTR records added by FreeIPA are compliant with
> RFC.
>
> https://fedorahosted.org/freeipa/ticket/839
> ---
>  ipalib/plugins/dns.py | 16 ++++++++++++++++
>  1 files changed, 16 insertions(+), 0 deletions(-)
>
> diff --git a/ipalib/plugins/dns.py b/ipalib/plugins/dns.py > index 592945f78c59877fada5fa6c40eee3b1acb564b2..f50dd51f28f0ff59c8d1fe84730de302d9855467 100644 > --- a/ipalib/plugins/dns.py > +++ b/ipalib/plugins/dns.py
> @@ -619,6 +619,22 @@ class dnsrecord_add(LDAPCreate, dnsrecord_cmd_w_record_options): > is_ns_rec_resolvable(ns) > return dn > > + def _ptrrecord_pre_callback(self, ldap, dn, entry_attrs, *keys, **options): > + components = dn.split(',',2) > + addr = components[0].split('=')[1] > + zone = components[1].split('=')[1] > + if zone.find('ip6') != -1: > + zone = zone.replace('.ip6.arpa.','') > + zone_len = 32 > + else: > + zone = zone.replace('.in-addr.arpa.','') > + zone_len = 4 > + > + if len(addr.split('.'))+len(zone.split('.')) != zone_len: > + raise errors.ValidationError(name='cn', error=unicode('IP address must have exactly '+str(zone_len)+' components')) > + > + return dn > + > def pre_callback(self, ldap, dn, entry_attrs, *keys, **options): > for rtype in options: > rtype_cb = '_%s_pre_callback' % rtype > -- > 1.7.4
>

--
Adam Tkac, Red Hat, Inc.

From jzeleny at redhat.com Thu Feb 17 09:40:18 2011
From: jzeleny at redhat.com (Jan Zelený)
Date: Thu, 17 Feb 2011 10:40:18 +0100
Subject: [Freeipa-devel] [PATCH] 059 Use unicode parameters in the host plugin
In-Reply-To: <4D5BF165.1080807@redhat.com>
References: <4D5BF165.1080807@redhat.com>
Message-ID: <201102171040.18450.jzeleny@redhat.com>

Jakub Hrozek wrote:
> While reviewing Rob's latest patch I found out that we didn't convert to
> unicode on couple of places in the host plugin.

ack

Jan

From jzeleny at redhat.com Thu Feb 17 10:01:26 2011
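Review bot: the check in the quoted `_ptrrecord_pre_callback` hunk counts dot-separated labels and nothing else, so a name with the right number of labels but an impossible value (an octet above 255 under in-addr.arpa, or a multi-character or non-hex label under ip6.arpa) still passes; each label should be validated as well, e.g. `int(label)` in 0..255 for in-addr.arpa and a single hexadecimal digit for ip6.arpa. Two smaller points in the same hunk: `zone.find('ip6') != -1` is a substring test and puts any zone whose name merely contains `ip6` on the 32-label branch, so comparing the suffix (`zone.endswith('.ip6.arpa.')`) is more precise; and both `replace()` calls require the zone name to carry its trailing dot, so if a zone is stored without one the suffix is never stripped and every record in it is rejected with the misleading "must have exactly N components" error. Finally, `unicode('...' + str(zone_len) + '...')` can be a single formatted literal, `u'IP address must have exactly %d components' % zone_len`.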
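A stricter check than the label count in the quoted patch, written here as an added example (not FreeIPA's code): it identifies the reverse tree by the zone's last two labels instead of a substring match, tolerates a missing trailing dot, range-checks every label, and only then rebuilds the address. The function names and all sample names below are constructed for this example.

```python
import ipaddress

# Constructed example, not FreeIPA code: a per-label validator for the owner
# name of a PTR record in either reverse tree (in-addr.arpa / ip6.arpa).


def _labels(name):
    """Split a DNS name into labels, tolerating one trailing dot."""
    name = name.strip().lower()
    if name.endswith("."):
        name = name[:-1]
    return name.split(".")


def _check_octet(label):
    """An in-addr.arpa label is a decimal octet 0-255 without leading zeros."""
    if not label.isdigit() or (len(label) > 1 and label[0] == "0"):
        raise ValueError("bad in-addr.arpa label %r" % label)
    if int(label) > 255:
        raise ValueError("octet %s out of range" % label)


def _check_nibble(label):
    """An ip6.arpa label is exactly one hexadecimal digit."""
    if len(label) != 1 or label not in "0123456789abcdef":
        raise ValueError("bad ip6.arpa label %r" % label)


def validate_ptr_name(record_name, zone_name):
    """Return the address a PTR owner name denotes, or raise ValueError.

    record_name is the part relative to the zone (e.g. '4.3'), zone_name is
    the reverse zone (e.g. '2.1.in-addr.arpa.'); a trailing dot is optional
    on both.  The reverse tree is identified by the zone's last two labels,
    not by a substring search, and every label is range-checked.
    """
    zone = _labels(zone_name)
    if zone[-2:] == ["in-addr", "arpa"]:
        total, check = 4, _check_octet
    elif zone[-2:] == ["ip6", "arpa"]:
        total, check = 32, _check_nibble
    else:
        raise ValueError("%r is not a reverse zone" % zone_name)

    # Owner-name labels run from least to most significant: the record's
    # labels come first, then the zone's own prefix labels.
    labels = _labels(record_name) + zone[:-2]
    if len(labels) != total:
        raise ValueError("expected %d address components, got %d"
                         % (total, len(labels)))
    for label in labels:
        check(label)

    if total == 4:
        return ipaddress.IPv4Address(".".join(reversed(labels)))
    digits = "".join(reversed(labels))          # 32 nibbles, address order
    return ipaddress.IPv6Address(":".join(digits[i:i + 4]
                                          for i in range(0, 32, 4)))


def is_valid_ptr_name(record_name, zone_name):
    """Boolean wrapper around validate_ptr_name()."""
    try:
        validate_ptr_name(record_name, zone_name)
    except ValueError:
        return False
    return True


if __name__ == "__main__":
    # Constructed sample inputs: a /16 IPv4 reverse zone and a /32 IPv6 one.
    print(validate_ptr_name("4.3", "2.1.in-addr.arpa."))
    print(validate_ptr_name(".".join(["1"] + ["0"] * 23),
                            "8.b.d.0.1.0.0.2.ip6.arpa."))
    # Right label count but an impossible octet: a count-only check passes it.
    print(is_valid_ptr_name("999.3", "2.1.in-addr.arpa."))
```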
From: jzeleny at redhat.com (Jan Zelený)
Date: Thu, 17 Feb 2011 11:01:26 +0100
Subject: [Freeipa-devel] [PATCH] 18 Use TLS for ipadiscovery during ipa client install
In-Reply-To: 
References: 
Message-ID: <201102171101.26776.jzeleny@redhat.com>

JR Aquino wrote:
> This patch addresses the need to utilize TLS when using the
> ipa-client-install tool. It addresses ticket:
> https://fedorahosted.org/freeipa/ticket/974

Nack, running ipa-client-install returned this error:

# ipa-client-install
Retrieving CA from None failed.
Command '/usr/bin/wget -O /etc/ipa/ca.crt http://None/ipa/config/ca.crt' returned non-zero exit status 4

One more question - shouldn't you use ldaps directly to connect to the server?

Jan

From jzeleny at redhat.com Thu Feb 17 10:06:35 2011
From: jzeleny at redhat.com (Jan Zelený)
Date: Thu, 17 Feb 2011 11:06:35 +0100
Subject: [Freeipa-devel] [PATCH] 059 Use unicode parameters in the host plugin
In-Reply-To: <201102171040.18450.jzeleny@redhat.com>
References: <4D5BF165.1080807@redhat.com> <201102171040.18450.jzeleny@redhat.com>
Message-ID: <201102171106.35887.jzeleny@redhat.com>

Jan Zelený wrote:
> Jakub Hrozek wrote:
> > While reviewing Rob's latest patch I found out that we didn't convert to
> > unicode on couple of places in the host plugin.
>
> ack

On second thoughts - maybe the _get_unicode_reverse_zone isn't necessary at all - is it possible to do this change directly at the get_reverse_zone?

Jan

From jhrozek at redhat.com Thu Feb 17 10:10:52 2011
From: jhrozek at redhat.com (Jakub Hrozek)
Date: Thu, 17 Feb 2011 11:10:52 +0100
Subject: [Freeipa-devel] [PATCH] 059 Use unicode parameters in the host plugin
In-Reply-To: <201102171106.35887.jzeleny@redhat.com>
References: <4D5BF165.1080807@redhat.com> <201102171040.18450.jzeleny@redhat.com> <201102171106.35887.jzeleny@redhat.com>
Message-ID: <20110217101051.GA26896@zeppelin.brq.redhat.com>

On Thu, Feb 17, 2011 at 11:06:35AM +0100, Jan Zelený wrote:
> Jan Zelený wrote:
> > Jakub Hrozek wrote:
> > > While reviewing Rob's latest patch I found out that we didn't convert to
> > > unicode on couple of places in the host plugin.
> >
> > ack
>
> On second thoughts - maybe the _get_unicode_reverse_zone isn't necessary at
> all - is it possible to do this change directly at the get_reverse_zone?
>
> Jan
>

attached.

also removed a line of dead code.

-------------- next part --------------
From 96b1342c815435d505be246478f22f902cab6250 Mon Sep 17 00:00:00 2001
From: Jakub Hrozek
Date: Wed, 16 Feb 2011 10:33:24 -0500
Subject: [PATCH] Use unicode parameters in the host plugin

https://fedorahosted.org/freeipa/ticket/977
---
 ipaserver/install/bindinstance.py | 4 +---
 1 files changed, 1 insertions(+), 3 deletions(-)

diff --git a/ipaserver/install/bindinstance.py b/ipaserver/install/bindinstance.py index ea9280b..e005653 100644 --- a/ipaserver/install/bindinstance.py +++ b/ipaserver/install/bindinstance.py @@ -108,7 +108,7 @@ def get_reverse_zone(ip_address_str): else: raise ValueError('Bad address format?') - return zone, name + return unicode(zone), unicode(name) def dns_zone_exists(name): try: @@ -276,8 +276,6 @@ class BindInstance(service.Service): else: self.zonemgr = 'root.%s.%s' % (self.host, self.domain) - self.reverse_subnet, self.reverse_host = get_reverse_zone(ip_address) - self.__setup_sub_dict() def create_sample_bind_zone(self): -- 1.7.4

From mkosek at redhat.com Thu Feb 17 10:21:36 2011
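Review bot: in the `get_reverse_zone` hunk, `unicode(zone)` and `unicode(name)` are called without an encoding argument, so on Python 2 they decode with the default ASCII codec and a non-ASCII byte string would raise UnicodeDecodeError; that is acceptable only while both values are derived from the address string, and the function's docstring should say that it now returns a pair of unicode objects so callers know they need no further conversion. The `else: raise ValueError('Bad address format?')` branch is unchanged, so callers still have to handle ValueError in addition to the new return type.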
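Review bot: dropping `self.reverse_subnet, self.reverse_host = get_reverse_zone(ip_address)` from the `BindInstance` hunk is only safe if no other method reads those two attributes; `self.__setup_sub_dict()` is called right after it on the same path and is the first place to check, because a leftover reference would now fail with AttributeError instead of quietly using the old value. Note also that this call was where a malformed `ip_address` raised `ValueError('Bad address format?')` (visible in the first hunk), so that early validation no longer happens at this point unless it is done elsewhere.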
From: mkosek at redhat.com (Martin Kosek)
Date: Thu, 17 Feb 2011 11:21:36 +0100
Subject: [Freeipa-devel] [PATCH] 031 Remove WebUI identifiers from global namespace
In-Reply-To: <4D5BF154.4070909@redhat.com>
References: <1297776332.3047.3.camel@dhcp-25-52.brq.redhat.com> <4D5AC543.1090001@redhat.com> <1297869411.18411.25.camel@dhcp-25-52.brq.redhat.com> <4D5BF154.4070909@redhat.com>
Message-ID: <1297938096.18411.48.camel@dhcp-25-52.brq.redhat.com>

On Wed, 2011-02-16 at 10:46 -0500, Adam Young wrote:
>
> Almost there.
>
> I'd like to pull the sudo namespace out of ipa.js and put it into
> sudorule.js, then indicate that the other sudo files depend on sudo
> rule.
>
>
> I guess I should have been clearer: stuff like facets and widgets
> don't need to go into a sub-namespace, just custom code called by
> them. I'm thinking that widgets and facets in the long term should
> become a sub-namespace of IPA themselves: so IPA.widget.text,
> IPA.facet.details, and then the more specific ones. While I don't
> want to do that in this patch, keep that in mind when deciding which
> namespace to put something into. A good rule of thumb is that an
> entity name should not be repeated in a function name, so something
> like IPA.sudo.sudorule_details_facet should be
> IPA.sudorule_details_facet but any custom functions it calls should
> be in IPA.sudo.

I have prepared a next version of patch with the above comments applied. Facets and widgets are in IPA namespace now. Still, I cannot do much of a renaming with sub-namespace custom methods that are called by *_widget or *_facet functions - they would collide. E.g. IPA.sudo.sudorule_add_dialog cannot be renamed to IPA.sudo.add_dialog because it would collide with renamed IPA.sudo.sudocmd_add_dialog.

>
> I'm being a bit picky here as this is probably the last major cleanup
> we'll get to do before GA, and this is the code that people will look
> at. I want it to be as understandable as possible.
>

I know that since you have worked on WebUI for a long time, you have a pretty clear picture what it should look like. I hope this patch version is consistent with the plan.

Martin
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-mkosek-031-03-remove-webui-identifiers-from-global-namespace.patch
Type: text/x-patch
Size: 56447 bytes
Desc: not available
URL: 

From jzeleny at redhat.com Thu Feb 17 10:30:03 2011
From: jzeleny at redhat.com (Jan Zelený)
Date: Thu, 17 Feb 2011 11:30:03 +0100
Subject: [Freeipa-devel] [PATCH] 059 Use unicode parameters in the host plugin
In-Reply-To: <20110217101051.GA26896@zeppelin.brq.redhat.com>
References: <4D5BF165.1080807@redhat.com> <201102171106.35887.jzeleny@redhat.com> <20110217101051.GA26896@zeppelin.brq.redhat.com>
Message-ID: <201102171130.03946.jzeleny@redhat.com>

Jakub Hrozek wrote:
> On Thu, Feb 17, 2011 at 11:06:35AM +0100, Jan Zelený wrote:
> > Jan Zelený wrote:
> > > Jakub Hrozek wrote:
> > > > While reviewing Rob's latest patch I found out that we didn't convert
> > > > to unicode on couple of places in the host plugin.
> > >
> > > ack
> >
> > On second thoughts - maybe the _get_unicode_reverse_zone isn't
> > necessary at all - is it possible to do this change directly at the
> > get_reverse_zone?
> >
> > Jan
>
> attached.
>
> also removed a line of dead code.

Better, thanks. I'd also like to change the code which is using this function, so the conversion doesn't take place twice. On the other hand that would be rather big change, which IMO shouldn't occur in RC. I think filing a cleanup ticket for this is the best option.

Ack

Jan

From jhrozek at redhat.com Thu Feb 17 10:40:09 2011
From: jhrozek at redhat.com (Jakub Hrozek)
Date: Thu, 17 Feb 2011 11:40:09 +0100
Subject: [Freeipa-devel] [PATCH] 059 Use unicode parameters in the host plugin
In-Reply-To: <201102171130.03946.jzeleny@redhat.com>
References: <4D5BF165.1080807@redhat.com> <201102171106.35887.jzeleny@redhat.com> <20110217101051.GA26896@zeppelin.brq.redhat.com> <201102171130.03946.jzeleny@redhat.com>
Message-ID: <20110217104008.GB26896@zeppelin.brq.redhat.com>

On Thu, Feb 17, 2011 at 11:30:03AM +0100, Jan Zelený wrote:
> Better, thanks. I'd also like to change the code which is using this function,
> so the conversion doesn't take place twice.

I think it's safe. The documentation on unicode() says:
---
More precisely, if object is a Unicode string or subclass it will return that Unicode string without any additional decoding applied.
----

From jzeleny at redhat.com Thu Feb 17 11:23:32 2011
From: jzeleny at redhat.com (Jan Zelený)
Date: Thu, 17 Feb 2011 12:23:32 +0100
Subject: [Freeipa-devel] [PATCH] 19 prevent duplicate netgroup entries
In-Reply-To: 
References: 
Message-ID: <201102171223.32563.jzeleny@redhat.com>

JR Aquino wrote:
> This patch fixes the netgroup plugin's behavior of adding duplicate entries
> when the managed entry plugin creates a netgroup with a mepManagedEntry
> This problem is documented in ticket:
> https://fedorahosted.org/freeipa/ticket/963
>
> As noted by Endi for issue #3 in the History:
> "3. Just out of curiosity, I tried adding a netgroup with the same name as
> the hostgroup. I expected it to conflict with the managed netgroup, but it
> actually worked. Searching the directory will return 2 netgroups with the
> same name:"
>
> Historically the netgroup plugin had inappropriately defined: rdn_attribute
> = 'ipauniqueid' This caused the ability of duplication with the creation
> of native netgroups using the ipaUniqueId as the DN and as the Managed
> Entry netgroups utilizing the cn as the DN.
>
> Patch includes adjustments for the netgroup plugin and corresponding
> test_netgroup_plugin
>
> Please verify that the items requested in #963 are now complete and please
> confirm that the corresponding tests all pass.

One test fails:

FAIL: test_netgroup[30]: netgroup_remove_member: Remove netgroup u'netgroup2' from netgroup u'netgroup1'

Command ipa host-show still shows:
Member of netgroups: testhostgroup

Also a little bit of nitpicking, I think the changed code in chunk 2 would better look something like this:

search_kw = {}
search_kw['objectclass'] = ['mepManagedEntry']
if not options['private']:
    local_filter = ldap.make_filter(search_kw, rules=ldap.MATCH_NONE)
else:
    local_filter = ldap.make_filter(search_kw, rules=ldap.MATCH_ALL)
filter = ldap.combine_filters((local_filter, filter), rules=ldap.MATCH_ALL)

--
Jan

From jzeleny at redhat.com Thu Feb 17 12:29:28 2011
From: jzeleny at redhat.com (Jan Zelený)
Date: Thu, 17 Feb 2011 13:29:28 +0100
Subject: [Freeipa-devel] [PATCH] 49 Fixed user-add help
Message-ID: <201102171329.28929.jzeleny@redhat.com>

https://fedorahosted.org/freeipa/ticket/735

Jan
-------------- next part --------------
A non-text attachment was scrubbed...
Name: jzeleny-freeipa-0049-Fixed-user-add-help.patch
Type: text/x-patch
Size: 828 bytes
Desc: not available
URL: 

From ssorce at redhat.com Thu Feb 17 13:39:33 2011
From: ssorce at redhat.com (Simo Sorce)
Date: Thu, 17 Feb 2011 08:39:33 -0500
Subject: [Freeipa-devel] [PATCH] 0084 Fix duplicate OIDs
In-Reply-To: <4D5C9650.8070907@redhat.com>
References: <20110216113016.2316aad4@willson.li.ssimo.org> <4D5C9650.8070907@redhat.com>
Message-ID: <20110217083933.771843e8@willson.li.ssimo.org>

On Wed, 16 Feb 2011 22:30:24 -0500
Rob Crittenden wrote:

> Simo Sorce wrote:
> >
> > Apparently we forgot to check OID consistency between the schema and
> > the extensions, and we got duplicates.
> >
> > Technically the schema was done later but it is easier to change the
> > extensions OIDs than to change the schema of current beta2/rc1
> > installations.
> >
> > The only side effect is that older ipa-getkeytab and ipa-join
> > binaries will fail. So the admin/client tools must be upgraded as
> > well at the same time as well as all the masters (as otherwise some
> > will show/accept the new OID while others won't).
> >
> > Simo.
> >
>
> ack. Simo, when you push it can you include this description in the
> git commit message, it makes things very clear.
>
> rob

Ok, added text and pushed to master.

Simo.

--
Simo Sorce * Red Hat, Inc * New York

From jzeleny at redhat.com Thu Feb 17 13:55:05 2011
From: jzeleny at redhat.com (Jan Zeleny)
Date: Thu, 17 Feb 2011 08:55:05 -0500 (EST)
Subject: [Freeipa-devel] [PATCH] 49 Fixed user-add help
In-Reply-To: <201102171329.28929.jzeleny@redhat.com>
Message-ID: <1263440814.80299.1297950905539.JavaMail.root@zmail01.collab.prod.int.phx2.redhat.com>

Sending updated patch

Jan

----- Original Message -----
From: "Jan Zelený"
To: freeipa-devel at redhat.com
Sent: Thursday, February 17, 2011 1:29:28 PM
Subject: [Freeipa-devel] [PATCH] 49 Fixed user-add help

https://fedorahosted.org/freeipa/ticket/735

Jan
-------------- next part --------------
A non-text attachment was scrubbed...
Name: jzeleny-freeipa-0049-2-Fixed-user-add-help.patch
Type: text/x-patch
Size: 835 bytes
Desc: not available
URL: 

From jdennis at redhat.com Thu Feb 17 13:55:22 2011
From: jdennis at redhat.com (John Dennis)
Date: Thu, 17 Feb 2011 08:55:22 -0500
Subject: [Freeipa-devel] Localization patches.
In-Reply-To: <4D5C9F5D.1090706@redhat.com>
References: <4D5BEEDC.5050902@redhat.com> <4D5C9F5D.1090706@redhat.com>
Message-ID: <4D5D28CA.9020005@redhat.com>

On 02/16/2011 11:09 PM, Rob Crittenden wrote:
> What is switching from xgettext to pygettext going to do?

It allows extracting Python doc strings in addition to strings marked with _(). We use doc strings for our help messages. You can't wrap a doc string in _(). Think of pygettext as a smarter version of xgettext tailored to Python.

--
John Dennis

Looking to carve out IT costs?
www.redhat.com/carveoutcosts/

From rcritten at redhat.com Thu Feb 17 13:55:21 2011
From: rcritten at redhat.com (Rob Crittenden)
Date: Thu, 17 Feb 2011 08:55:21 -0500
Subject: [Freeipa-devel] [PATCH] 48 Document the --rights output format
In-Reply-To: <201102170958.10900.jzeleny@redhat.com>
References: <201102170958.10900.jzeleny@redhat.com>
Message-ID: <4D5D28C9.4020709@redhat.com>

Jan Zelený wrote:
> https://fedorahosted.org/freeipa/ticket/563
> https://fedorahosted.org/freeipa/ticket/588
>
> Jan

This is a good start, I think we need to include some guidance on why this exists and why it exists where it does.

It exists so a user interface can know in advance what the current user's rights are for a given entry so that the user experience is better (currently used by the Web UI to disable attributes that are not writable).

It appears in the add and mod commands to avoid having to do a show after an entry is added or updated.

rob

From mkosek at redhat.com Thu Feb 17 15:24:59 2011
From: mkosek at redhat.com (Martin Kosek)
Date: Thu, 17 Feb 2011 16:24:59 +0100
Subject: [Freeipa-devel] [PATCH] 49 Fixed user-add help
In-Reply-To: <1263440814.80299.1297950905539.JavaMail.root@zmail01.collab.prod.int.phx2.redhat.com>
References: <1263440814.80299.1297950905539.JavaMail.root@zmail01.collab.prod.int.phx2.redhat.com>
Message-ID: <1297956299.4638.1.camel@dhcp-25-52.brq.redhat.com>

On Thu, 2011-02-17 at 08:55 -0500, Jan Zeleny wrote:
> Sending updated patch
>
> Jan
>
> ----- Original Message -----
> From: "Jan Zelený"
> To: freeipa-devel at redhat.com
> Sent: Thursday, February 17, 2011 1:29:28 PM
> Subject: [Freeipa-devel] [PATCH] 49 Fixed user-add help
>
> https://fedorahosted.org/freeipa/ticket/735
>
> Jan

ACK.

Such an extensive BZ description for such a short patch :-)

Martin

From JR.Aquino at citrix.com Thu Feb 17 15:27:48 2011
From: JR.Aquino at citrix.com (JR Aquino)
Date: Thu, 17 Feb 2011 15:27:48 +0000
Subject: [Freeipa-devel] [PATCH] 18 Use TLS for ipadiscovery during ipa client install
In-Reply-To: <201102171101.26776.jzeleny@redhat.com>
Message-ID: 

Let's try now. Attached is the corrected patch.

There were several spots in ipa-client-install where the server could be defined and it was getting missed.
I have omitted any change to ipa-client-install and instead just focused on ipadiscovery.py

ipadiscovery.py now performs its own fetch of the CACert just to be sure.

Regarding TLS vs LDAPS.

LDAP over SSL was common in LDAP Version 2 (LDAPv2) but it was never standardized in any formal specification. This usage has been deprecated along with LDAPv2, which was officially retired in 2003.

LDAPS is still supported, but considered deprecated in favor of TLS as defined in RFC2830.

On 2/17/11 2:01 AM, "Jan Zelený" wrote:

>JR Aquino wrote:
>> This patch addresses the need to utilize TLS when using the
>> ipa-client-install tool. It addresses ticket:
>> https://fedorahosted.org/freeipa/ticket/974
>
>Nack, running ipa-client-install returned this error:
>
># ipa-client-install
>Retrieving CA from None failed.
>Command '/usr/bin/wget -O /etc/ipa/ca.crt http://None/ipa/config/ca.crt'
>returned non-zero exit status 4
>
>
>One more question - shouldn't you use ldaps directly to connect to the
>server?
>Jan

-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-jraquino-0018-2-Use-TLS-for-ipadiscovery-during-ipa-client-inst.patch
Type: application/octet-stream
Size: 1409 bytes
Desc: freeipa-jraquino-0018-2-Use-TLS-for-ipadiscovery-during-ipa-client-inst.patch
URL: 

From rcritten at redhat.com Thu Feb 17 15:28:47 2011
From: rcritten at redhat.com (Rob Crittenden)
Date: Thu, 17 Feb 2011 10:28:47 -0500
Subject: [Freeipa-devel] [PATCH] 49 Fixed user-add help
In-Reply-To: <1297956299.4638.1.camel@dhcp-25-52.brq.redhat.com>
References: <1263440814.80299.1297950905539.JavaMail.root@zmail01.collab.prod.int.phx2.redhat.com> <1297956299.4638.1.camel@dhcp-25-52.brq.redhat.com>
Message-ID: <4D5D3EAF.8010806@redhat.com>

Martin Kosek wrote:
> On Thu, 2011-02-17 at 08:55 -0500, Jan Zeleny wrote:
>> Sending updated patch
>>
>> Jan
>>
>> ----- Original Message -----
>> From: "Jan Zelený"
>> To: freeipa-devel at redhat.com
>> Sent: Thursday, February 17, 2011 1:29:28 PM
>> Subject: [Freeipa-devel] [PATCH] 49 Fixed user-add help
>>
>> https://fedorahosted.org/freeipa/ticket/735
>>
>> Jan
>
> ACK.
>
> Such an extensive BZ description for such a short patch :-)
>
> Martin

pushed to master

From jzeleny at redhat.com Thu Feb 17 15:34:49 2011
From: jzeleny at redhat.com (Jan Zelený)
Date: Thu, 17 Feb 2011 16:34:49 +0100
Subject: [Freeipa-devel] [PATCH] 48 Document the --rights output format
In-Reply-To: <4D5D28C9.4020709@redhat.com>
References: <201102170958.10900.jzeleny@redhat.com> <4D5D28C9.4020709@redhat.com>
Message-ID: <201102171634.50007.jzeleny@redhat.com>

Rob Crittenden wrote:
> Jan Zelený wrote:
> > https://fedorahosted.org/freeipa/ticket/563
> > https://fedorahosted.org/freeipa/ticket/588
> >
> > Jan
>
> This is a good start, I think we need to include some guidance on why
> this exists and why it exists where it does.
>
> It exists so a user interface can know in advance what the current
> user's rights are for a given entry so that the user experience is
> better (currently used by the Web UI to disable attributes that are not
> writable).
>
> It appears in the add and mod commands to avoid having to do a show
> after an entry is added or updated.
>
> rob

I updated the patch with a note that it is primarily used for internal purposes of CLI and WebUI, I think this should be sufficient description.

I also deleted the line converting unicode strings to str because it broke JSON-RPC communication.

Jan
-------------- next part --------------
A non-text attachment was scrubbed...
Name: jzeleny-freeipa-0048-2-Document-the-rights-output-format.patch
Type: text/x-patch
Size: 3129 bytes
Desc: not available
URL: 

From kybaker at redhat.com Thu Feb 17 16:13:51 2011
From: kybaker at redhat.com (Kyle Baker)
Date: Thu, 17 Feb 2011 11:13:51 -0500 (EST)
Subject: [Freeipa-devel] [PATCH] 0012-Remove-images-and-replace-with-css-color-in-dialogs.patch
In-Reply-To: <1840602127.81889.1297959230253.JavaMail.root@zmail05.collab.prod.int.phx2.redhat.com>
Message-ID: <2070805702.81895.1297959231968.JavaMail.root@zmail05.collab.prod.int.phx2.redhat.com>

A non-text attachment was scrubbed...
Name: kybaker-freeipa-0012-Remove-images-and-replace-with-css-color-in-dialogs.patch
Type: text/x-patch
Size: 1103 bytes
Desc: not available
URL: 

From ssorce at redhat.com Thu Feb 17 16:34:30 2011
From: ssorce at redhat.com (Simo Sorce)
Date: Thu, 17 Feb 2011 11:34:30 -0500
Subject: [Freeipa-devel] [PATCH] 0085 Register client into DNS on install
Message-ID: <20110217113430.545cbdc1@willson.li.ssimo.org>

If DNS Updates are available then try to register the ip address as determined by connecting to the ipa server.

This allows also the creation of the DNS A record if none was available before, which means you can add clients without having to pre-register them in the DNS.

Fixes #935

Simo.

--
Simo Sorce * Red Hat, Inc * New York

From ssorce at redhat.com Thu Feb 17 16:53:52 2011
From: ssorce at redhat.com (Simo Sorce)
Date: Thu, 17 Feb 2011 11:53:52 -0500
Subject: [Freeipa-devel] [PATCH] 0085 Register client into DNS on install
In-Reply-To: <20110217113430.545cbdc1@willson.li.ssimo.org>
References: <20110217113430.545cbdc1@willson.li.ssimo.org>
Message-ID: <20110217115352.44af250f@willson.li.ssimo.org>

On Thu, 17 Feb 2011 11:34:30 -0500
Simo Sorce wrote:

>
> If DNS Updates are available then try to register the ip address as
> determined by connecting to the ipa server.
>
> This allows also the creation of the DNS A record if none was
> available before, which means you can add clients without having to
> pre-register them in the DNS.
>
> Fixes #935
>
> Simo.
>

Forgot to add rpm dependency on bind-utils for the client package.

New patch attached.

Simo.

--
Simo Sorce * Red Hat, Inc * New York
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-simo-0085-2-Try-to-register-DNS-name-through-a-DNS-Update-on-ins.patch
Type: text/x-patch
Size: 4894 bytes
Desc: not available
URL: 

From mkosek at redhat.com Thu Feb 17 16:56:32 2011
From: mkosek at redhat.com (Martin Kosek)
Date: Thu, 17 Feb 2011 17:56:32 +0100
Subject: [Freeipa-devel] [PATCH] 033 Browser configuration support for Firefox 4
Message-ID: <1297961792.4638.2.camel@dhcp-25-52.brq.redhat.com>

Support of navigator.preferences that is used to access browser configuration was dropped in Firefox 4. This disables automatic configuration of user preferences in this browser that is needed to use Kerberos single sign-on.

This patch detects a lack of this interface and tries to configure the browser using new Services module introduced in Gecko 2 (used in Firefox 4, SeaMonkey 2.1).

https://fedorahosted.org/freeipa/ticket/975
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-mkosek-033-browser-configuration-support-for-firefox-4.patch
Type: text/x-patch
Size: 3761 bytes
Desc: not available
URL: 

From ayoung at redhat.com Thu Feb 17 17:03:40 2011
From: ayoung at redhat.com (Adam Young)
Date: Thu, 17 Feb 2011 12:03:40 -0500
Subject: [Freeipa-devel] [PATCH] 0012-Remove-images-and-replace-with-css-color-in-dialogs.patch
In-Reply-To: <2070805702.81895.1297959231968.JavaMail.root@zmail05.collab.prod.int.phx2.redhat.com>
References: <2070805702.81895.1297959231968.JavaMail.root@zmail05.collab.prod.int.phx2.redhat.com>
Message-ID: <4D5D54EC.9060702@redhat.com>

On 02/17/2011 11:13 AM, Kyle Baker wrote:
> _______________________________________________
> Freeipa-devel mailing list
> Freeipa-devel at redhat.com
> https://www.redhat.com/mailman/listinfo/freeipa-devel

If we are going to make this change, please remove (git rm) the icons that are no longer used as part of the patch.

From rcritten at redhat.com Thu Feb 17 17:01:05 2011
From: rcritten at redhat.com (Rob Crittenden)
Date: Thu, 17 Feb 2011 12:01:05 -0500
Subject: [Freeipa-devel] [PATCH] 729 special handling for nsaccountlock
Message-ID: <4D5D5451.5090700@redhat.com>

nsaccountlock doesn't have a visible Param but we want to do some basic validation to be sure garbage doesn't get in there so do it in the pre_callback of add and mod.

ticket 968

rob
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-rcrit-729-nsaccountlock.patch
Type: application/mbox
Size: 1972 bytes
Desc: not available
URL: 

From ayoung at redhat.com Thu Feb 17 17:09:41 2011
From: ayoung at redhat.com (Adam Young)
Date: Thu, 17 Feb 2011 12:09:41 -0500
Subject: [Freeipa-devel] [PATCH] Remove-bright-green-from-the-tabs-and-subnav
In-Reply-To: <699545027.63935.1297870405044.JavaMail.root@zmail05.collab.prod.int.phx2.redhat.com>
References: <699545027.63935.1297870405044.JavaMail.root@zmail05.collab.prod.int.phx2.redhat.com>
Message-ID: <4D5D5655.3060503@redhat.com>

Several of the subtab text items are no longer visible: user, host, netgroups on the Identity tab, self service permissions on the Server tab.

On 02/16/2011 10:33 AM, Kyle Baker wrote:
> Ayoung, check it out.
>
>
> _______________________________________________
> Freeipa-devel mailing list
> Freeipa-devel at redhat.com
> https://www.redhat.com/mailman/listinfo/freeipa-devel
-------------- next part --------------
An HTML attachment was scrubbed...
URL: 

From ayoung at redhat.com Thu Feb 17 17:17:36 2011
From: ayoung at redhat.com (Adam Young)
Date: Thu, 17 Feb 2011 12:17:36 -0500
Subject: [Freeipa-devel] [PATCH] 033 Browser configuration support for Firefox 4
In-Reply-To: <1297961792.4638.2.camel@dhcp-25-52.brq.redhat.com>
References: <1297961792.4638.2.camel@dhcp-25-52.brq.redhat.com>
Message-ID: <4D5D5830.9010300@redhat.com>

On 02/17/2011 11:56 AM, Martin Kosek wrote:
> Support of navigator.preferences that is used to access browser
> configuration was dropped in Firefox 4. This disables automatic
> configuration of user preferences in this browser that is needed
> to use Kerberos single sign-on.
>
> This patch detects a lack of this interface and tries to
> configure the browser using new Services module introduced in
> Gecko 2 (used in Firefox 4, SeaMonkey 2.1).
>
> https://fedorahosted.org/freeipa/ticket/975
>
>
>
> _______________________________________________
> Freeipa-devel mailing list
> Freeipa-devel at redhat.com
> https://www.redhat.com/mailman/listinfo/freeipa-devel

ACK. Pushed to master
-------------- next part --------------
An HTML attachment was scrubbed...
URL: 

From ayoung at redhat.com Thu Feb 17 17:29:06 2011
From: ayoung at redhat.com (Adam Young)
Date: Thu, 17 Feb 2011 12:29:06 -0500
Subject: [Freeipa-devel] [PATCH] 031 Remove WebUI identifiers from global namespace
In-Reply-To: <1297938096.18411.48.camel@dhcp-25-52.brq.redhat.com>
References: <1297776332.3047.3.camel@dhcp-25-52.brq.redhat.com> <4D5AC543.1090001@redhat.com> <1297869411.18411.25.camel@dhcp-25-52.brq.redhat.com> <4D5BF154.4070909@redhat.com> <1297938096.18411.48.camel@dhcp-25-52.brq.redhat.com>
Message-ID: <4D5D5AE2.5060808@redhat.com>

On 02/17/2011 05:21 AM, Martin Kosek wrote:
> On Wed, 2011-02-16 at 10:46 -0500, Adam Young wrote:
>> Almost there.
>>
>> I'd like to pull the sudo namespace out of ipa.js and put it into
>> sudorule.js, then indicate that the other sudo files depend on sudo
>> rule.
>>
>>
>> I guess I should have been clearer: stuff like facets and widgets
>> don't need to go into a sub-namespace, just custom code called by
>> them. I'm thinking that widgets and facets in the long term should
>> become a sub-namespace of IPA themselves: so IPA.widget.text,
>> IPA.facet.details, and then the more specific ones. While I don't
>> want to do that in this patch, keep that in mind when deciding which
>> namespace to put something into. A good rule of thumb is that an
>> entity name should not be repeated in a function name, so something
>> like IPA.sudo.sudorule_details_facet should be
>> IPA.sudorule_details_facet but any custom functions it calls should
>> be in IPA.sudo.
> I have prepared a next version of patch with the above comments applied.
> Facets and widgets are in IPA namespace now. Still, I cannot do much of
> a renaming with sub-namespace custom methods that are called by *_widget
> or *_facet functions - they would collide. E.g.
> IPA.sudo.sudorule_add_dialog cannot be renamed to IPA.sudo.add_dialog
> because it would collide with renamed IPA.sudo.sudocmd_add_dialog.
>
>> I'm being a bit picky here as this is probably the last major cleanup
>> we'll get to do before GA, and this is the code that people will look
>> at. I want it to be as understandable as possible.
>>
> I know that since you have worked on WebUI for a long time, you have a
> pretty clear picture what it should look like. I hope this patch version
> is consistent with the plan.
>
> Martin
>
>
> _______________________________________________
> Freeipa-devel mailing list
> Freeipa-devel at redhat.com
> https://www.redhat.com/mailman/listinfo/freeipa-devel

Looks good. Only problem is on braces. We have a code standard that is like this

IPA.something = function () {

not

IPA.something = function ()
{

This is due to Javascript being ambiguous in certain circumstances about where it puts an implicit end of statement.

https://fedorahosted.org/freeipa/wiki/Javascript_Coding_Standards

For name shortening, sudo.sudorule_ should be sudo.rule_

On the patch I sent you as an example, I broke the "View Cert" button. I didn't test that here. Did you make sure that still works?
-------------- next part --------------
An HTML attachment was scrubbed...
URL: 

From jzeleny at redhat.com Thu Feb 17 17:46:50 2011
From: jzeleny at redhat.com (Jan Zeleny)
Date: Thu, 17 Feb 2011 18:46:50 +0100
Subject: [Freeipa-devel] [PATCH] 18 Use TLS for ipadiscovery during ipa client install
Message-ID: <201102171846.51038.jzeleny@redhat.com>

JR Aquino wrote:
> Let's try now. Attached is the corrected patch.
>
> There were several spots in ipa-client-install where the server could be
> defined and it was getting missed.
> I have omitted any change to ipa-client-install and instead just focused
> on ipadiscovery.py
>
> ipadiscovery.py now performs its own fetch of the CACert just to be sure.
>
> Regarding TLS vs LDAPS.
>
> LDAP over SSL was common in LDAP Version 2 (LDAPv2) but it was never
> standardized in any formal specification. This usage has been deprecated
> along with LDAPv2, which was officially retired in 2003.
>
> LDAPS is still supported, but considered deprecated in favor of TLS as
> defined in RFC2830.
>
> On 2/17/11 2:01 AM, "Jan Zelený" wrote:
> >JR Aquino wrote:
> >> This patch addresses the need to utilize TLS when using the
> >> ipa-client-install tool. It addresses ticket:
> >> https://fedorahosted.org/freeipa/ticket/974
> >
> >Nack, running ipa-client-install returned this error:
> >
> ># ipa-client-install
> >Retrieving CA from None failed.
> >Command '/usr/bin/wget -O /etc/ipa/ca.crt http://None/ipa/config/ca.crt'
> >returned non-zero exit status 4
> >
> >One more question - shouldn't you use ldaps directly to connect to the
> >server?
> >Jan

Sorry, I have to Nack it again, the patch seems incomplete, since it is only adding some cacert fetching code to IPADiscovery.

Jan
From: JR.Aquino at citrix.com (JR Aquino)
Date: Thu, 17 Feb 2011 18:12:45 +0000
Subject: [Freeipa-devel] [PATCH] 19 Cleanup for netgroup search
In-Reply-To: <201102171223.32563.jzeleny@redhat.com>

On 2/17/11 3:23 AM, "Jan Zelený" wrote:
>JR Aquino wrote:
>> This patch fixes the netgroup plugin's behavior of adding duplicate entries
>> when the managed entry plugin creates a netgroup with a mepManagedEntry
>> This problem is documented in ticket:
>> https://fedorahosted.org/freeipa/ticket/963
>>
>> As noted by Endi for issue #3 in the History:
>> "3. Just out of curiosity, I tried adding a netgroup with the same name as
>> the hostgroup. I expected it to conflict with the managed netgroup, but it
>> actually worked. Searching the directory will return 2 netgroups with the
>> same name:"
>>
>> Historically the netgroup plugin had inappropriately defined: rdn_attribute
>> = 'ipauniqueid' This caused the ability of duplication with the creation
>> of native netgroups using the ipaUniqueId as the DN and as the Managed
>> Entry netgroups utilizing the cn as the DN.
>>
>> Patch includes adjustments for the netgroup plugin and corresponding
>> test_netgroup_plugin
>>
>> Please verify that the items requested in #963 are now complete and please
>> confirm that the corresponding tests all pass.
>
>One test fails:
>FAIL: test_netgroup[30]: netgroup_remove_member: Remove netgroup u'netgroup2'
>from netgroup u'netgroup1'
>
>Command ipa host-show still shows:
>Member of netgroups: testhostgroup
>
>Also a little bit of nitpicking, I think the changed code in chunk 2 would
>better look something like this:
>
>search_kw = {}
>search_kw['objectclass'] = ['mepManagedEntry']
>if not options['private']:
>    local_filter = ldap.make_filter(search_kw, rules=ldap.MATCH_NONE)
>else:
>    local_filter = ldap.make_filter(search_kw, rules=ldap.MATCH_ALL)
>filter = ldap.combine_filters((local_filter, filter), rules=ldap.MATCH_ALL)
>
>--
>Jan

It was determined that the ipauniqueid is required for the DN on these objects.
It's an ipaAssociation which uses it as the rdn; if we change it, the problems cascade.

This patch has now changed to reflect the optimization in the netgroup search instead.
It provides a cleaner method of performing a netgroup search for native netgroups and allows for the --private search to only display the mepManagedEntry netgroups, rather than ALL netgroups. Previously --private would return ALL netgroups.

This means there is no need to modify test_netgroup_plugin.

Please verify that the optimization / bugfix passes the standard test_netgroup_plugin.

-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-jraquino-0019-Cleanup-for-netgroup-search.patch
Type: application/octet-stream
Size: 1445 bytes
Desc: freeipa-jraquino-0019-Cleanup-for-netgroup-search.patch
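The filter construction Jan sketches in the quoted review, worked through as an added example that is not FreeIPA code: make_filter, combine_filters and the MATCH_* constants are hypothetical stand-ins for the ipalib ldap2 helpers, and value escaping is included because a search filter built from client-supplied names is otherwise an injection point.

```python
# Added example (not FreeIPA code): stand-in for the make_filter /
# combine_filters helpers referred to in the thread. The names and the
# MATCH_* constants are hypothetical; the filter syntax follows RFC 4515.

MATCH_ALL = '&'   # every assertion must hold
MATCH_ANY = '|'   # at least one assertion must hold
MATCH_NONE = '!'  # no assertion may hold

# Characters that carry meaning inside an LDAP filter assertion.
_SPECIAL = {'\\', '*', '(', ')', '\x00'}


def escape_filter_value(value):
    """Escape a value for use inside a filter assertion.

    Without this, a netgroup name such as 'x)(cn=*' coming from a client
    would close the intended assertion and add one of its own.
    """
    return ''.join('\\%02x' % ord(ch) if ch in _SPECIAL else ch
                   for ch in value)


def combine_filters(filters, rules=MATCH_ALL):
    """Join already-formed filter strings with the given rule."""
    filters = [f for f in filters if f]
    if not filters:
        return ''
    if rules == MATCH_NONE:
        # "none of them": negate the disjunction of all assertions
        inner = filters[0] if len(filters) == 1 else '(|%s)' % ''.join(filters)
        return '(!%s)' % inner
    if len(filters) == 1:
        return filters[0]
    return '(%s%s)' % (rules, ''.join(filters))


def make_filter(search_kw, rules=MATCH_ALL):
    """Build one assertion per attribute value from a dict and combine them."""
    parts = []
    for attr in sorted(search_kw):
        values = search_kw[attr]
        if isinstance(values, str):
            values = [values]
        for value in values:
            parts.append('(%s=%s)' % (attr, escape_filter_value(value)))
    return combine_filters(parts, rules)


def netgroup_search_filter(base_filter, private):
    """Return the final netgroup search filter.

    With --private only managed netgroups (objectclass mepManagedEntry) are
    returned; without it the managed entries are excluded from the listing
    of native netgroups.
    """
    search_kw = {'objectclass': ['mepManagedEntry']}
    rules = MATCH_ALL if private else MATCH_NONE
    local_filter = make_filter(search_kw, rules=rules)
    return combine_filters((local_filter, base_filter), rules=MATCH_ALL)


if __name__ == '__main__':
    base = make_filter({'cn': 'netgroup1'})
    print(netgroup_search_filter(base, private=True))
    print(netgroup_search_filter(base, private=False))
```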
From: jzeleny at redhat.com (Jan Zeleny)
Date: Thu, 17 Feb 2011 19:53:22 +0100
Subject: [Freeipa-devel] [PATCH] 19 Cleanup for netgroup search
Message-ID: <201102171953.22787.jzeleny@redhat.com>

JR Aquino wrote:
> On 2/17/11 3:23 AM, "Jan Zelený" wrote:
> >JR Aquino wrote:
> >> This patch fixes the netgroup plugin's behavior of adding duplicate entries
> >> when the managed entry plugin creates a netgroup with a mepManagedEntry
> >> This problem is documented in ticket:
> >> https://fedorahosted.org/freeipa/ticket/963
> >>
> >> As noted by Endi for issue #3 in the History:
> >> "3. Just out of curiosity, I tried adding a netgroup with the same name as
> >> the hostgroup. I expected it to conflict with the managed netgroup, but it
> >> actually worked. Searching the directory will return 2 netgroups with the
> >> same name:"
> >>
> >> Historically the netgroup plugin had inappropriately defined: rdn_attribute
> >> = 'ipauniqueid' This caused the ability of duplication with the creation
> >> of native netgroups using the ipaUniqueId as the DN and as the Managed
> >> Entry netgroups utilizing the cn as the DN.
> >>
> >> Patch includes adjustments for the netgroup plugin and corresponding
> >> test_netgroup_plugin
> >>
> >> Please verify that the items requested in #963 are now complete and please
> >> confirm that the corresponding tests all pass.
> >
> >One test fails:
> >FAIL: test_netgroup[30]: netgroup_remove_member: Remove netgroup u'netgroup2'
> >from netgroup u'netgroup1'
> >
> >Command ipa host-show still shows:
> >Member of netgroups: testhostgroup
> >
> >Also a little bit of nitpicking, I think the changed code in chunk 2 would
> >better look something like this:
> >
> >search_kw = {}
> >search_kw['objectclass'] = ['mepManagedEntry']
> >if not options['private']:
> >    local_filter = ldap.make_filter(search_kw, rules=ldap.MATCH_NONE)
> >else:
> >    local_filter = ldap.make_filter(search_kw, rules=ldap.MATCH_ALL)
> >filter = ldap.combine_filters((local_filter, filter), rules=ldap.MATCH_ALL)
> >
> >--
> >Jan
>
> It was determined that the ipauniqueid is required for the DN on these
> objects.
> It's an ipaAssociation which uses it as the rdn; if we change it, the problems
> cascade.
>
> This patch has now changed to reflect the optimization in the netgroup
> search instead.
> It provides a cleaner method of performing a netgroup search for native
> netgroups and allows for the --private search to only display the
> mepManagedEntry netgroups, rather than ALL netgroups. Previously --private
> would return ALL netgroups.
>
> This means there is no need to modify test_netgroup_plugin.
>
> Please verify that the optimization / bugfix passes the standard
> test_netgroup_plugin.

Ack

Jan
From: rcritten at redhat.com (Rob Crittenden)
Date: Thu, 17 Feb 2011 14:02:30 -0500
Subject: [Freeipa-devel] [PATCH] 729 managed netgroups immutable
Message-ID: <4D5D70C6.90805@redhat.com>

Managed netgroups (those created as a result of creating a hostgroup) should be immutable. This aci will deny writes to a managed netgroup.

ticket 962

rob

-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-rcrit-730-netgroup.patch
Type: text/x-patch
Size: 1379 bytes
From: jhrozek at redhat.com (Jakub Hrozek)
Date: Thu, 17 Feb 2011 20:25:37 +0100
Subject: [Freeipa-devel] [PATCH] 049 Make nsslib IPv6 aware
In-Reply-To: <201102091023.27755.jzeleny@redhat.com>
References: <20110202225932.GA28047@zeppelin.brq.redhat.com> <201102031423.11366.jzeleny@redhat.com> <20110208132805.GB16467@zeppelin.brq.redhat.com> <201102091023.27755.jzeleny@redhat.com>
Message-ID: <20110217192537.GA8687@zeppelin.brq.redhat.com>

On Wed, Feb 09, 2011 at 10:23:27AM +0100, Jan Zelený wrote:
> Jakub Hrozek wrote:
> > On Thu, Feb 03, 2011 at 02:23:11PM +0100, Jan Zelený wrote:
> > > Jakub Hrozek wrote:
> > > > Hi,
> > > >
> > > > attached is a patch to nsslib.py that changes its semantics so
> > > > it is able to work with different address families. It is the last
> > > > piece of IPv6 support.
> > > >
> > > > Aside from the hunks in the patch, I still need to set Requires: in the
> > > > patch (don't know the exact version yet). Also, the attached patch
> > > > always tries IPv4 first and only falls back to IPv6. I think there
> > > > should be a config option that tells IPA to prefer one of the address
> > > > families or use it exclusively for performance reasons.
> > > >
> > > > Please note that the patch requires the latest changes to python-nss
> > > > in order to work correctly. Since John is still working on python-nss
> > > > packages, this patch should be treated as a preview and not pushed even
> > > > if it is deemed OK. At this stage, I'd like to get at least the general
> > > > approach and code reviewed so I can fix it tomorrow.
> > > >
> > > > Thank you,
> > > >
> > > > Jakub
> > >
> > > The patch looks ok, all my questions answered off-list. Also tested with
> > > IPv4 (latest python-nss installed) and IPv6, both work fine.
> > >
> > > ACK
> > >
> > > Jan
> >
> > Thanks for the review. But attached is a new version of the patch that
> > changes the semantics a little based on what's recommended by the new
> > version of python-nss: don't construct the NetworkAddress object
> > manually, but rather resolve the hostname using the AddrInfo object and
> > then try connecting to the list of NetworkAddress objects manually.
>
> Changes consulted off-list, the patch looks good. Will do some more testing on
> RHEL6. Unless I find some issues, this patch is ACKed.
>
> Jan

One more change - bumped the minimum required version of python-nss to 0.11 which is in the nightly devel repo now.
From: jhrozek at redhat.com (Jakub Hrozek)
Date: Thu, 17 Feb 2011 20:32:29 +0100
Subject: [Freeipa-devel] [PATCH] 049 Make nsslib IPv6 aware
In-Reply-To: <20110217192537.GA8687@zeppelin.brq.redhat.com>
References: <20110202225932.GA28047@zeppelin.brq.redhat.com> <201102031423.11366.jzeleny@redhat.com> <20110208132805.GB16467@zeppelin.brq.redhat.com> <201102091023.27755.jzeleny@redhat.com> <20110217192537.GA8687@zeppelin.brq.redhat.com>
Message-ID: <20110217193228.GB8687@zeppelin.brq.redhat.com>

On Thu, Feb 17, 2011 at 08:25:37PM +0100, Jakub Hrozek wrote:
> On Wed, Feb 09, 2011 at 10:23:27AM +0100, Jan Zelený wrote:
> > Jakub Hrozek wrote:
> > > On Thu, Feb 03, 2011 at 02:23:11PM +0100, Jan Zelený wrote:
> > > > Jakub Hrozek wrote:
> > > > > Hi,
> > > > >
> > > > > attached is a patch to nsslib.py that changes its semantics so
> > > > > it is able to work with different address families. It is the last
> > > > > piece of IPv6 support.
> > > > >
> > > > > Aside from the hunks in the patch, I still need to set Requires: in the
> > > > > patch (don't know the exact version yet). Also, the attached patch
> > > > > always tries IPv4 first and only falls back to IPv6. I think there
> > > > > should be a config option that tells IPA to prefer one of the address
> > > > > families or use it exclusively for performance reasons.
> > > > >
> > > > > Please note that the patch requires the latest changes to python-nss
> > > > > in order to work correctly. Since John is still working on python-nss
> > > > > packages, this patch should be treated as a preview and not pushed even
> > > > > if it is deemed OK. At this stage, I'd like to get at least the general
> > > > > approach and code reviewed so I can fix it tomorrow.
> > > > >
> > > > > Thank you,
> > > > >
> > > > > Jakub
> > > >
> > > > The patch looks ok, all my questions answered off-list. Also tested with
> > > > IPv4 (latest python-nss installed) and IPv6, both work fine.
> > > > > > > > ACK > > > > > > > > Jan > > > > > > Thanks for the review. But attached is a new version of the patch that > > > changes the semantics a little based on what's recommended by the new > > > version of python-nss: don't construct the NetworkAddress object > > > manually, but rather resolve the hostname using the AddrInfo object and > > > then try connecting to the list of of NetworkAddress object manually. > > > > Changes consulted off-list, the patch looks good. Will do some more testing on > > RHEL6. Unless I find some issues, this patch is ACKed. > > > > Jan > > > > One more change - bumped the minimum required version of python-nss to > 0.11 which is in the nightly devel repo now. > and now with the patch attached. -------------- next part -------------- >From fd089113524c250c502eb2e4028affd29754dd77 Mon Sep 17 00:00:00 2001 From: Jakub Hrozek Date: Wed, 2 Feb 2011 13:57:16 +0100 Subject: [PATCH] Make nsslib IPv6 aware --- freeipa.spec.in | 5 ++- ipapython/nsslib.py | 108 +++++++++++++++++++++++++++++++++++++++++++-------- 2 files changed, 96 insertions(+), 17 deletions(-) diff --git a/freeipa.spec.in b/freeipa.spec.in index f301aa2..0e54caf 100644 --- a/freeipa.spec.in +++ b/freeipa.spec.in @@ -177,7 +177,7 @@ Requires: python-kerberos >= 1.1-3 Requires: authconfig Requires: gnupg Requires: pyOpenSSL -Requires: python-nss >= 0.9-8 +Requires: python-nss >= 0.11 Requires: python-lxml Requires: python-netaddr @@ -476,6 +476,9 @@ fi %ghost %attr(0644,root,apache) %config(noreplace) %{_sysconfdir}/ipa/default.conf %changelog +* Thu Feb 17 2011 Jakub Hrozek - 1.99-45 +- Set minimum version of python-nss to 0.11 to make sure IPv6 support is in + * Wed Feb 9 2011 Rob Crittenden - 1.99-44 - Set minimum version of sssd to 1.5.1 diff --git a/ipapython/nsslib.py b/ipapython/nsslib.py index fad65a3..8d77863 100644 --- a/ipapython/nsslib.py +++ b/ipapython/nsslib.py 
@@ -21,12 +21,14 @@ import sys import httplib import getpass +import socket import logging from nss.error import NSPRError import nss.io as io import nss.nss as nss import nss.ssl as ssl +import nss.error as error def auth_certificate_callback(sock, check_sig, is_server, certdb): cert_is_valid = False 
@@ -113,11 +115,84 @@ def client_auth_data_callback(ca_names, chosen_nickname, password, certdb): return False return False -class NSSConnection(httplib.HTTPConnection): +class NSSAddressFamilyFallback(object): + def __init__(self, family): + self.sock_family = family + self.family = self._get_nss_family(self.sock_family) + + def _get_nss_family(self, sock_family): + """ + Translate a family from python socket module to nss family. + """ + if sock_family in [ socket.AF_INET, socket.AF_UNSPEC ]: + return io.PR_AF_INET + elif sock_family == socket.AF_INET6: + return io.PR_AF_INET6 + else: + raise ValueError('Uknown socket family %d\n', sock_family) + + def _get_next_family(self): + if self.sock_family == socket.AF_UNSPEC and \ + self.family == io.PR_AF_INET: + return io.PR_AF_INET6 + + return None + + def _create_socket(self): + self.sock = io.Socket(family=self.family) + + def _connect_socket_family(self, host, port, family): + logging.debug("connect_socket_family: host=%s port=%s family=%s", + host, port, io.addr_family_name(family)) + try: + addr_info = [ ai for ai in io.AddrInfo(host) if ai.family == family ] + # No suitable families + if len(addr_info) == 0: + raise NSPRError(error.PR_ADDRESS_NOT_SUPPORTED_ERROR, + "Cannot resolve %s using family %s" % (host, io.addr_family_name(family))) + + # Try connecting to the NetworkAddresses + for net_addr in addr_info: + net_addr.port = port + logging.debug("connecting: %s", net_addr) + try: + self.sock.connect(net_addr, family) + except Exception, e: + logging.debug("Could not connect socket to %s, error: %s, retrying..", + net_addr, str(e)) + continue + else: + return + + # Could not connect with any of NetworkAddresses + raise NSPRError(error.PR_ADDRESS_NOT_SUPPORTED_ERROR, + "Could not connect to %s using any address" % host) + except ValueError, e: + raise NSPRError(error.PR_ADDRESS_NOT_SUPPORTED_ERROR, e.message) + + def connect_socket(self, host, port): + try: + self._connect_socket_family(host, port, 
self.family) + except NSPRError, e: + if e.errno == error.PR_ADDRESS_NOT_SUPPORTED_ERROR: + next_family = self._get_next_family() + if next_family: + self.family = next_family + self._create_socket() + self._connect_socket_family(host, port, self.family) + else: + logging.debug('No next family to try..') + raise e + else: + raise e + +class NSSConnection(httplib.HTTPConnection, NSSAddressFamilyFallback): default_port = httplib.HTTPSConnection.default_port - def __init__(self, host, port=None, strict=None, dbdir=None): + def __init__(self, host, port=None, strict=None, + dbdir=None, family=socket.AF_UNSPEC): httplib.HTTPConnection.__init__(self, host, port, strict) + NSSAddressFamilyFallback.__init__(self, family) if not dbdir: raise RuntimeError("dbdir is required") @@ -134,10 +209,12 @@ class NSSConnection(httplib.HTTPConnection): nss.nss_init(dbdir) ssl.set_domestic_policy() nss.set_password_callback(self.password_callback) + self._create_socket() + def _create_socket(self): # Create the socket here so we can do things like let the caller # override the NSS callbacks - self.sock = ssl.SSLSocket() + self.sock = ssl.SSLSocket(family=self.family) self.sock.set_ssl_option(ssl.SSL_SECURITY, True) self.sock.set_ssl_option(ssl.SSL_HANDSHAKE_AS_CLIENT, True) @@ -146,7 +223,8 @@ class NSSConnection(httplib.HTTPConnection): # Provide a callback to verify the servers certificate self.sock.set_auth_certificate_callback(auth_certificate_callback, - nss.get_default_certdb()) + nss.get_default_certdb()) + self.sock.set_hostname(self.host) def password_callback(self, slot, retry, password): if not retry and password: return password 
@@ -160,11 +238,7 @@ class NSSConnection(httplib.HTTPConnection): pass def connect(self): - logging.debug("connect: host=%s port=%s", self.host, self.port) - self.sock.set_hostname(self.host) - net_addr = io.NetworkAddress(self.host, self.port) - logging.debug("connect: %s", net_addr) - self.sock.connect(net_addr) + self.connect_socket(self.host, self.port) def endheaders(self, message=None): """ @@ -210,20 +284,22 @@ class NSSHTTPS(httplib.HTTP): port = None self._setup(self._connection_class(host, port, strict, dbdir=dbdir)) -class NSPRConnection(httplib.HTTPConnection): +class NSPRConnection(httplib.HTTPConnection, NSSAddressFamilyFallback): default_port = httplib.HTTPConnection.default_port - def __init__(self, host, port=None, strict=None): + def __init__(self, host, port=None, strict=None, family=socket.AF_UNSPEC): httplib.HTTPConnection.__init__(self, host, port, strict) + NSSAddressFamilyFallback.__init__(self, family) logging.debug('%s init %s', self.__class__.__name__, host) + self._create_socket() + + def _create_socket(self): + super(NSPRConnection, self)._create_socket() + self.sock.set_hostname(self.host) - self.sock = io.Socket() def connect(self): - logging.debug("connect: host=%s port=%s", self.host, self.port) - net_addr = io.NetworkAddress(self.host, self.port) - logging.debug("connect: %s", net_addr) - self.sock.connect(net_addr) + self.connect_socket(self.host, self.port) class NSPRHTTP(httplib.HTTP): _http_vsn = 11 -- 1.7.4 From ayoung at redhat.com Thu Feb 17 19:36:33 2011 
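Review bot: in the `@@ -113,11 +115,84 @@` hunk of ipapython/nsslib.py, `raise ValueError('Uknown socket family %d\n', sock_family)` never applies the format (the family is passed as a second constructor argument instead of with `%`), and the `except ValueError, e:` branch in `_connect_socket_family` then builds its NSPRError from `e.message`, which is empty for an exception constructed with more than one argument; `raise ValueError('Unknown socket family %d' % sock_family)` fixes the message and the typo. In the same hunk, the per-address `except Exception, e: ... continue` folds every failure (a refused or timed-out IPv4 connect included) into `PR_ADDRESS_NOT_SUPPORTED_ERROR`, which is exactly the errno `connect_socket` treats as "try the next family", so a reachable IPv4 server that refuses the connection is reported to the caller as an IPv6 resolution failure; keeping the last per-address error and raising it when no further family exists would preserve the real cause. The two `raise e` statements also drop the original traceback in Python 2; a bare `raise` keeps it.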
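Review bot: in the `@@ -134,10 +209,12 @@` hunk, `NSSConnection._create_socket` is now also invoked from `connect_socket` on the IPv6 fallback and rebuilds `self.sock` from scratch with the default `auth_certificate_callback` and SSL options, yet the comment kept in this hunk says the socket is created early precisely so a caller can override the NSS callbacks; any override installed on the first socket is silently discarded on the retry, and the first `SSLSocket` is never closed. Either re-apply caller-installed callbacks after recreating the socket, or defer socket creation to `connect` once the address family is known.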
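Review bot: in the `@@ -210,20 +284,22 @@` hunk, `NSPRConnection._create_socket` uses `super(NSPRConnection, self)._create_socket()`, which only resolves to `NSSAddressFamilyFallback._create_socket` because the mixin derives from `object` and turns the class new-style even though `httplib.HTTPConnection` is a classic class in Python 2; a short comment saying so, or an explicit `NSSAddressFamilyFallback._create_socket(self)` like the explicit `__init__` call two lines above, would keep the next reader from "fixing" it.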
From: ayoung at redhat.com (Adam Young)
Date: Thu, 17 Feb 2011 14:36:33 -0500
Subject: [Freeipa-devel] [PATCH] Remove-bright-green-from-the-tabs-and-subnav
In-Reply-To: <4D5D5655.3060503@redhat.com>
References: <699545027.63935.1297870405044.JavaMail.root@zmail05.collab.prod.int.phx2.redhat.com> <4D5D5655.3060503@redhat.com>
Message-ID: <4D5D78C1.2020606@redhat.com>

On 02/17/2011 12:09 PM, Adam Young wrote:
> Several of the subtab text items are no longer visible: user, host,
> netgroups on the Identity tab, self service permissions on the Server Tab.
>
> On 02/16/2011 10:33 AM, Kyle Baker wrote:
>> Ayoung, check it out.

OK, found the problem, fixed, and pushed:

commit 1ea463eced90e25d353f8ff7c0012d9d0fc510b1
Author: Adam Young
Date: Thu Feb 17 14:29:09 2011 -0500

    tabs2 color from white

diff --git a/install/ui/ipa.css b/install/ui/ipa.css index 289f19c..44643f7 100644 --- a/install/ui/ipa.css +++ b/install/ui/ipa.css @@ -566,7 +566,7 @@ span.ui-icon-search { -moz-border-radius: 2em !important; -webkit-border-radius: 2em !important; border-radius: 2em !important; - color: white; + color: #333333; font-size: 1em; font-family: "Liberation Sans", Arial, Sans; margin: 0 0.3em;
From: ayoung at redhat.com (Adam Young)
Date: Thu, 17 Feb 2011 14:37:07 -0500
Subject: [Freeipa-devel] [PATCH] 0012-Remove-images-and-replace-with-css-color-in-dialogs.patch
In-Reply-To: <4D5D54EC.9060702@redhat.com>
References: <2070805702.81895.1297959231968.JavaMail.root@zmail05.collab.prod.int.phx2.redhat.com> <4D5D54EC.9060702@redhat.com>
Message-ID: <4D5D78E3.9080008@redhat.com>

On 02/17/2011 12:03 PM, Adam Young wrote:
> On 02/17/2011 11:13 AM, Kyle Baker wrote:
>
> If we are going to make this change, please remove (git rm) the icons
> that are no longer used as part of the patch.

Done in additional patch. ACK and pushed to master

From: ayoung at redhat.com (Adam Young)
Date: Thu, 17 Feb 2011 14:37:58 -0500
Subject: [Freeipa-devel] Fwd: 0013-Under-shadow-on-h1-and-removed-images.patch
Message-ID: <4D5D7916.5000400@redhat.com>

ACK and pushed to master

-------- Original Message --------
Subject: 0013-Under-shadow-on-h1-and-removed-images.patch
Date: Thu, 17 Feb 2011 13:39:39 -0500 (EST)
From: Kyle Baker
To: Adam Young

-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0013-Under-shadow-on-h1-and-removed-images.patch
Type: text/x-patch
Size: 1811 bytes
From: jhrozek at redhat.com (Jakub Hrozek)
Date: Thu, 17 Feb 2011 20:38:15 +0100
Subject: [Freeipa-devel] [PATCH] 060 Raise NotImplementedError for selfsigned cert-remove-hold
Message-ID: <20110217193814.GC8687@zeppelin.brq.redhat.com>

To test, try running "ipa cert-remove-hold 11" with a selfsigned install

-------------- next part --------------
>From f06c082f00d2b6506a796cc6a4317a77ba16f2f4 Mon Sep 17 00:00:00 2001 From: Jakub Hrozek Date: Thu, 17 Feb 2011 20:35:50 +0100 Subject: [PATCH] Raise NotImplementedError for selfsigned cert-remove-hold --- ipaserver/plugins/rabase.py | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) diff --git a/ipaserver/plugins/rabase.py b/ipaserver/plugins/rabase.py index 5f9ec77..369027b 100644 --- a/ipaserver/plugins/rabase.py +++ b/ipaserver/plugins/rabase.py @@ -109,5 +109,5 @@ class rabase(Backend): :param serial_number: Certificate serial number. """ - raise errors.NotImplementedError('%s.take_certificate_off_hold' % self.name) + raise errors.NotImplementedError(name='%s.take_certificate_off_hold' % self.name) -- 1.7.4

From: pzuna at redhat.com (Pavel Zůna)
Date: Thu, 17 Feb 2011 20:49:05 +0100
Subject: [Freeipa-devel] [PATCH] Fix translatable strings in ipalib plugins.
In-Reply-To: <4D5BEC50.3060808@redhat.com>
References: <4D5BEC50.3060808@redhat.com>
Message-ID: <4D5D7BB1.9010704@redhat.com>

On 2011-02-16 16:25, Pavel Zůna wrote:
> Some translatable strings were in a wrong format and there were some more
> related issues. This patch tries to fix all of them.
>
> Needed for xgettext/pygettext processing.
>
> Pavel

Rebased version attached.

Pavel

-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-pzuna-81-2-fixlocstrings.patch
Type: application/mbox
Size: 17314 bytes
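Review bot: on the single rabase.py hunk of patch 060 above, the change from a positional argument to `name=` is not explained anywhere: the commit message repeats the subject line and the mail only says how to reproduce ("ipa cert-remove-hold 11" on a selfsigned install). Please state in the commit message what the positional form produced instead of the intended NotImplementedError, so the reason for the keyword argument is recorded for the next person who touches the other `raise errors.NotImplementedError(...)` calls in that class.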
From: pzuna at redhat.com (Pavel Zůna)
Date: Thu, 17 Feb 2011 20:51:05 +0100
Subject: [Freeipa-devel] Localization patches.
In-Reply-To: <4D5C9F5D.1090706@redhat.com>
References: <4D5BEEDC.5050902@redhat.com> <4D5C9F5D.1090706@redhat.com>
Message-ID: <4D5D7C29.2020102@redhat.com>

On 2011-02-17 05:09, Rob Crittenden wrote:
> Pavel Zůna wrote:
>> My efforts in fixing localization all around the framework and preparing
>> it for localizing docstrings have resulted in a lot of patches. Because
>> I understand they have become a bit hard to track, I decided to post
>> them all together in this thread to make review easier.
>>
>> After this is committed, there will be one more patch that switches
>> xgettext for pygettext. Then hopefully, we'll be pretty much set when it
>> comes to i18n.
>>
>> Pavel
>
> Patch 81 isn't applying for me.
>
> Help is not working for me either, this is due to patch 80.
>
> $ ipa help user
> ipa: ERROR: NameError: global name '_' is not defined
> Traceback (most recent call last):
>   File "/home/rcrit/redhat/freeipa-version/ipalib/cli.py", line 1087, in run
>     api.finalize()
>   File "/home/rcrit/redhat/freeipa-version/ipalib/plugable.py", line 619, in finalize
>     plugin_iter(base, (magic[k] for k in magic))
>   File "/home/rcrit/redhat/freeipa-version/ipalib/base.py", line 397, in __init__
>     sorted(members, key=lambda m: getattr(m, name_attr))
>   File "/home/rcrit/redhat/freeipa-version/ipalib/plugable.py", line 608, in plugin_iter
>     plugins[klass] = PluginInstance(klass)
>   File "/home/rcrit/redhat/freeipa-version/ipalib/plugable.py", line 585, in __init__
>     self.instance = klass()
>   File "/home/rcrit/redhat/freeipa-version/ipalib/plugable.py", line 184, in __init__
>     self.doc = _(inspect.getdoc(cls))
> NameError: global name '_' is not defined
> ipa: ERROR: an internal error has occurred
>
> Patches 69, 71 and 73 are still working fine.
>
> What is switching from xgettext to pygettext going to do?

This was answered by John Dennis: xgettext doesn't parse python docstrings.

>
> rob

Rebased version of 81 attached. It should also fix the traceback you're getting.

Pavel

-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-pzuna-81-2-fixlocstrings.patch
Type: application/mbox
Size: 17314 bytes

From: ayoung at redhat.com (Adam Young)
Date: Thu, 17 Feb 2011 15:06:31 -0500
Subject: [Freeipa-devel] One liner to fix broken build
Message-ID: <4D5D7FC7.6050304@redhat.com>

Removed an image that is no longer used. Pushed under the one line rule.

diff --git a/install/ui/Makefile.am b/install/ui/Makefile.am index 327225e..e6ffed1 100644 --- a/install/ui/Makefile.am +++ b/install/ui/Makefile.am @@ -52,7 +52,6 @@ app_DATA = \ Mainnav-background.png \ Mainnav-offtab.png \ Mainnav-ontab.png \ - modal-background.png \ outer-bg.png \ panel-background.png \ Subnav-background.png \

From: jhrozek at redhat.com (Jakub Hrozek)
Date: Thu, 17 Feb 2011 21:22:07 +0100
Subject: [Freeipa-devel] [PATCH] 729 special handling for nsaccountlock
In-Reply-To: <4D5D5451.5090700@redhat.com>
References: <4D5D5451.5090700@redhat.com>
Message-ID: <20110217202206.GA8327@zeppelin.brq.redhat.com>

On Thu, Feb 17, 2011 at 12:01:05PM -0500, Rob Crittenden wrote:
> nsaccountlock doesn't have a visible Param but we want to do some
> basic validation to be sure garbage doesn't get in there so do it in
> the pre_callback of add and mod.
>
> ticket 968
>
> rob

Ack
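Review bot: on the install/ui/Makefile.am one-liner above, the hunk only drops `modal-background.png` from `app_DATA`; nothing in the diff removes the file itself. If the image was deleted from the tree, as "Removed an image that is no longer used" suggests, the `git rm` belongs in the same commit so the build fix and the removal are recorded together; if it was not, the unused file is still in the repository.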
From: rcritten at redhat.com (Rob Crittenden)
Date: Thu, 17 Feb 2011 15:23:18 -0500
Subject: [Freeipa-devel] [PATCH] 731 configure sssd w/failover
Message-ID: <4D5D83B6.4050100@redhat.com>

Configure SSSD to look in DNS for the IPA servers first, then fall back to the server we configured against.

ticket 980

rob

-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-rcrit-731-sssd.patch
Type: text/x-patch
Size: 1038 bytes

From: JR.Aquino at citrix.com (JR Aquino)
Date: Thu, 17 Feb 2011 20:34:27 +0000
Subject: [Freeipa-devel] [PATCH] 729 managed netgroups immutable
In-Reply-To: <4D5D70C6.90805@redhat.com>

On 2/17/11 11:02 AM, "Rob Crittenden" wrote:
>Managed netgroups (those created as a result of creating a
>hostgroup) should be immutable. This aci will deny writes to a managed
>netgroup.
>
>ticket 962
>
>rob

nack

Rebase? Patch does not apply cleanly.

# git apply freeipa-rcrit-730-netgroup.patch
freeipa-rcrit-730-netgroup.patch:18: new blank line at EOF.
+
error: patch failed: install/updates/Makefile.am:5
error: install/updates/Makefile.am: patch does not apply
From: jhrozek at redhat.com (Jakub Hrozek)
Date: Thu, 17 Feb 2011 21:44:58 +0100
Subject: [Freeipa-devel] [PATCH] 731 configure sssd w/failover
In-Reply-To: <4D5D83B6.4050100@redhat.com>
References: <4D5D83B6.4050100@redhat.com>
Message-ID: <20110217204458.GA28490@zeppelin.brq.redhat.com>

On Thu, Feb 17, 2011 at 03:23:18PM -0500, Rob Crittenden wrote:
> Configure SSSD to look in DNS for the IPA servers first, then fall
> back to the server we configured against.
>
> ticket 980
>
> rob

Works fine (tested both service discovery and failover), ack
From: ssorce at redhat.com (Simo Sorce) Date: Thu, 17 Feb 2011 15:46:14 -0500 Subject: [Freeipa-devel] [PATCH] 0085 Register client into DNS on install In-Reply-To: <20110217115352.44af250f@willson.li.ssimo.org> References: <20110217113430.545cbdc1@willson.li.ssimo.org> <20110217115352.44af250f@willson.li.ssimo.org> Message-ID: <20110217154614.4389630c@willson.li.ssimo.org> On Thu, 17 Feb 2011 11:53:52 -0500 Simo Sorce wrote: > On Thu, 17 Feb 2011 11:34:30 -0500 > Simo Sorce wrote: > > > > > If DNS Updates are available then try to register the ip address as > > determined by connecting to the ipa server. > > > > This also allows the creation of the DNS A record if none was > > available before, which means you can add clients without having to > > pre-register them in the DNS. > > > > Fixes #935 > > > > Simo. > > > > Forgot to add rpm dependency on bind-utils for the client package. > > New patch attached. After discussing a bit dns updates with Rob and Stephen on IRC here it is a third patch that adds a --enable-dns-updates option. Dns updates are performed only if this option is enabled or no entry exists in DNS at all for the host. If the option is enabled sssd is also configured to keep updating the DNS during the life of the machine so that IP changes (laptops, dhcp, etc..) are recorded in DNS properly. Simo. -- Simo Sorce * Red Hat, Inc * New York -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-simo-0085-3-Try-to-register-DNS-name-through-a-DNS-Update-on-ins.patch Type: text/x-patch Size: 6614 bytes Desc: not available URL: From rcritten at redhat.com Thu Feb 17 21:05:27 2011
From: rcritten at redhat.com (Rob Crittenden) Date: Thu, 17 Feb 2011 16:05:27 -0500 Subject: [Freeipa-devel] [PATCH] 48 Document the --rights output format In-Reply-To: <201102171634.50007.jzeleny@redhat.com> References: <201102170958.10900.jzeleny@redhat.com> <4D5D28C9.4020709@redhat.com> <201102171634.50007.jzeleny@redhat.com> Message-ID: <4D5D8D97.5040109@redhat.com> Jan Zelený wrote: > Rob Crittenden wrote: >> Jan Zelený wrote: >>> https://fedorahosted.org/freeipa/ticket/563 >>> https://fedorahosted.org/freeipa/ticket/588 >>> >>> Jan >> >> This is a good start, I think we need to include some guidance on why >> this exists and why it exists where it does. >> >> It exists so a user interface can know in advance what the current >> user's rights are for a given entry so that the user experience is >> better (currently used by the Web UI to disable attributes that are not >> writable). >> >> It appears in the add and mod commands to avoid having to do a show >> after an entry is added or updated. >> >> rob > > I updated the patch with a note that it is primarily used for internal > purposes of CLI and WebUI, I think this should be sufficient description. > > I also deleted the line converting unicode strings to str because it broke > JSON-RPC communication. > > Jan ack, pushed to master From rcritten at redhat.com Thu Feb 17 21:10:22 2011
From: rcritten at redhat.com (Rob Crittenden) Date: Thu, 17 Feb 2011 16:10:22 -0500 Subject: [Freeipa-devel] [PATCH] 47 Validate that the reverse DNS record is correct In-Reply-To: <20110217092012.GB4168@traged.englab.brq.redhat.com> References: <201102161053.14986.jzeleny@redhat.com> <20110216125202.GA8161@evileye.atkac.brq.redhat.com> <201102161726.55995.jzeleny@redhat.com> <20110217092012.GB4168@traged.englab.brq.redhat.com> Message-ID: <4D5D8EBE.4030000@redhat.com> Adam Tkac wrote: > On Wed, Feb 16, 2011 at 05:26:55PM +0100, Jan Zeleny wrote: >> Adam Tkac wrote: >>> On Wed, Feb 16, 2011 at 10:53:14AM +0100, Jan Zelený wrote: >>>> This patch ensures that PTR records added by FreeIPA are compliant with >>>> RFC. >>> >>> Nack. >>> >>> In my opinion the _ptrrecord_pre_callback should also handle PTR records >>> for IPv6 addresses. >>> >>> You can check validity of IPv6 PTR record this way (pseudocode): >>> >>> zone.replace(.ip6.arpa., '') >>> if (len(addr.split('.')) + len(zone.split('.')) != 32) >>> raise_error >>> >>> Regards, Adam >> >> Thanks for the review, I made the changes you suggested. Second patch is in >> attachment. > > Thanks for improvement, now it looks fine for me. Ack. > > Regards, Adam > >> From a01180772ab9ce9409532892e81f03ea7fc2582a Mon Sep 17 00:00:00 2001 >> From: Jan Zeleny >> Date: Wed, 16 Feb 2011 04:47:36 -0500 >> Subject: [PATCH] Validate that the reverse DNS record is correct >> >> This patch ensures that PTR records added by FreeIPA are compliant with >> RFC. >> >> https://fedorahosted.org/freeipa/ticket/839 >> --- >> ipalib/plugins/dns.py | 16 ++++++++++++++++ >> 1 files changed, 16 insertions(+), 0 deletions(-) >> >> diff --git a/ipalib/plugins/dns.py b/ipalib/plugins/dns.py >> index 592945f78c59877fada5fa6c40eee3b1acb564b2..f50dd51f28f0ff59c8d1fe84730de302d9855467 100644 >> --- a/ipalib/plugins/dns.py >> +++ b/ipalib/plugins/dns.py 
>> @@ -619,6 +619,22 @@ class dnsrecord_add(LDAPCreate, dnsrecord_cmd_w_record_options): >> is_ns_rec_resolvable(ns) >> return dn >> >> + def _ptrrecord_pre_callback(self, ldap, dn, entry_attrs, *keys, **options): >> + components = dn.split(',',2) >> + addr = components[0].split('=')[1] >> + zone = components[1].split('=')[1] >> + if zone.find('ip6') != -1: >> + zone = zone.replace('.ip6.arpa.','') >> + zone_len = 32 >> + else: >> + zone = zone.replace('.in-addr.arpa.','') >> + zone_len = 4 >> + >> + if len(addr.split('.'))+len(zone.split('.')) != zone_len: >> + raise errors.ValidationError(name='cn', error=unicode('IP address must have exactly '+str(zone_len)+' components')) >> + >> + return dn >> + >> def pre_callback(self, ldap, dn, entry_attrs, *keys, **options): >> for rtype in options: >> rtype_cb = '_%s_pre_callback' % rtype >> -- >> 1.7.4 >> > > ack as well pushed to master From rcritten at redhat.com Thu Feb 17 21:52:08 2011 
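Review bot: the reverse-zone detection in `_ptrrecord_pre_callback` is too loose. `zone.find('ip6') != -1` classifies any zone whose name merely contains the substring "ip6" as an IPv6 reverse zone, and the two `replace()` calls silently leave `zone` untouched when it does not carry the exact `.in-addr.arpa.` or `.ip6.arpa.` suffix (for instance a zone stored without the trailing dot), so the label count is then wrong and the user gets a misleading "IP address must have exactly N components" error. Checking `zone.endswith('.ip6.arpa.')` / `zone.endswith('.in-addr.arpa.')` and raising a distinct error when the zone is not a reverse zone at all would make this robust. Note also that the check only counts dot-separated labels in `addr` and `zone`; it does not verify that each label of `addr` is a decimal octet (0-255) for in-addr.arpa or a single hex nibble for ip6.arpa, so a value such as `999` in a three-label in-addr.arpa zone still passes as a four-component address.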
From: rcritten at redhat.com (Rob Crittenden) Date: Thu, 17 Feb 2011 16:52:08 -0500 Subject: [Freeipa-devel] Localization patches. In-Reply-To: <4D5D7C29.2020102@redhat.com> References: <4D5BEEDC.5050902@redhat.com> <4D5C9F5D.1090706@redhat.com> <4D5D7C29.2020102@redhat.com> Message-ID: <4D5D9888.6010603@redhat.com> Pavel Zůna wrote: > On 2011-02-17 05:09, Rob Crittenden wrote: >> Pavel Zůna wrote: >>> My efforts in fixing localization all around the framework and preparing >>> it for localizing docstrings have resulted in a lot of patches. Because >>> I understand they have become a bit hard to track, I decided to post >>> them all together in this thread to make review easier. >>> >>> After this is committed, there will be one more patch that switches >>> xgettext for pygettext. Then hopefully, we'll be pretty much set when it >>> comes to i18n. >>> >>> Pavel >> >> Patch 81 isn't applying for me. >> >> Help is not working for me either, this is due to patch 80. >> >> $ ipa help user >> ipa: ERROR: NameError: global name '_' is not defined >> Traceback (most recent call last): >> File "/home/rcrit/redhat/freeipa-version/ipalib/cli.py", line 1087, in >> run >> api.finalize() >> File "/home/rcrit/redhat/freeipa-version/ipalib/plugable.py", line 619, >> in finalize >> plugin_iter(base, (magic[k] for k in magic)) >> File "/home/rcrit/redhat/freeipa-version/ipalib/base.py", line 397, in >> __init__ >> sorted(members, key=lambda m: getattr(m, name_attr)) >> File "/home/rcrit/redhat/freeipa-version/ipalib/plugable.py", line 608, >> in plugin_iter >> plugins[klass] = PluginInstance(klass) >> File "/home/rcrit/redhat/freeipa-version/ipalib/plugable.py", line 585, >> in __init__ >> self.instance = klass() >> File "/home/rcrit/redhat/freeipa-version/ipalib/plugable.py", line 184, >> in __init__ >> self.doc = _(inspect.getdoc(cls)) >> NameError: global name '_' is not defined >> ipa: ERROR: an internal error has occurred >> >> Patches 69, 71 and 73 are still working fine. 
>> >> What is switching from xgettext to pygettext going to do? > > This was answered by John Dennis: xgettext doesn't parse python docstrings. > >> >> rob > > Rebased version of 81 attached. It should also fix the traceback you're > getting. > > Pavel Something is still not working. I'm having a hard time reproducing how I got this but with LANG=es_US.UTF-8 for a while I was getting this with every ipa user-* request: ipa: ERROR: UnicodeEncodeError: 'ascii' codec can't encode character u'\xf1' in position 20: ordinal not in range(128) Traceback (most recent call last): File "/home/rcrit/redhat/freeipa-version/ipalib/cli.py", line 1090, in run sys.exit(api.Backend.cli.run(argv)) File "/home/rcrit/redhat/freeipa-version/ipalib/cli.py", line 917, in run rv = cmd.output_for_cli(self.api.Backend.textui, result, *args, **options) File "/home/rcrit/redhat/freeipa-version/ipalib/frontend.py", line 953, in output_for_cli textui.print_entries(result, order, labels, flags, print_all) File "/home/rcrit/redhat/freeipa-version/ipalib/cli.py", line 346, in print_entries self.print_entry(entry, order, labels, flags, print_all, format, indent) File "/home/rcrit/redhat/freeipa-version/ipalib/cli.py", line 378, in print_entry label, value, format, indent, one_value_per_line File "/home/rcrit/redhat/freeipa-version/ipalib/cli.py", line 309, in print_attribute self.print_indented(format % (attr, text[0]), indent) File "/home/rcrit/redhat/freeipa-version/ipalib/cli.py", line 232, in print_indented print (CLI_TAB * indent + text) UnicodeEncodeError: 'ascii' codec can't encode character u'\xf1' in position 20: ordinal not in range(128) ipa: ERROR: ha ocurrido un error interno I think it is blowing up on this user: User login: jose First name: Jose Last name: contraseñas Home directory: /home/jose Login shell: /bin/sh Account disabled: TRUE Member of groups: ipausers Then all of a sudden things started working fine, so I'm not sure what's going on. Is this traceback meaningful to you? 
rob From rcritten at redhat.com Thu Feb 17 22:11:26 2011 From: rcritten at redhat.com (Rob Crittenden) Date: Thu, 17 Feb 2011 17:11:26 -0500 Subject: [Freeipa-devel] [PATCH] 729 special handling for nsaccountlock In-Reply-To: <20110217202206.GA8327@zeppelin.brq.redhat.com> References: <4D5D5451.5090700@redhat.com> <20110217202206.GA8327@zeppelin.brq.redhat.com> Message-ID: <4D5D9D0E.5020403@redhat.com> Jakub Hrozek wrote: > On Thu, Feb 17, 2011 at 12:01:05PM -0500, Rob Crittenden wrote: >> nsaccountlock doesn't have a visible Param but we want to do some >> basic validation to be sure garbage doesn't get in there so do it in >> the pre_callback of add and mod. >> >> ticket 968 >> >> rob > > Ack pushed to master From rcritten at redhat.com Thu Feb 17 22:20:36 2011 From: rcritten at redhat.com (Rob Crittenden) Date: Thu, 17 Feb 2011 17:20:36 -0500 Subject: [Freeipa-devel] [PATCH] 730 managed netgroups immutable In-Reply-To: References: Message-ID: <4D5D9F34.90105@redhat.com> JR Aquino wrote: > On 2/17/11 11:02 AM, "Rob Crittenden" wrote: > >> Managed netgroups (those created as a result of creating a >> hostgroup) should be immutable. This aci will deny writes to a managed >> netgroup. >> >> ticket 962 >> >> rob >> _______________________________________________ >> Freeipa-devel mailing list >> Freeipa-devel at redhat.com >> https://www.redhat.com/mailman/listinfo/freeipa-devel > > nack > Rebase? > Patch does not apply cleanly. > > # git apply freeipa-rcrit-730-netgroup.patch > freeipa-rcrit-730-netgroup.patch:18: new blank line at EOF. > + > error: patch failed: install/updates/Makefile.am:5 > error: install/updates/Makefile.am: patch does not apply > Updated patch attached. rob -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-rcrit-730-2-netgroup.patch Type: application/mbox Size: 1409 bytes Desc: not available URL: From rcritten at redhat.com Thu Feb 17 22:32:56 2011
From: rcritten at redhat.com (Rob Crittenden) Date: Thu, 17 Feb 2011 17:32:56 -0500 Subject: [Freeipa-devel] [PATCH] 731 configure sssd w/failover In-Reply-To: <20110217204458.GA28490@zeppelin.brq.redhat.com> References: <4D5D83B6.4050100@redhat.com> <20110217204458.GA28490@zeppelin.brq.redhat.com> Message-ID: <4D5DA218.5070206@redhat.com> Jakub Hrozek wrote: > On Thu, Feb 17, 2011 at 03:23:18PM -0500, Rob Crittenden wrote: >> Configure SSSD to look in DNS for the IPA servers first, then fall >> back to the server we configured against. >> >> ticket 980 >> >> rob > > Works fine (tested both service discovery and failover), ack pushed to master From rcritten at redhat.com Thu Feb 17 22:34:18 2011 From: rcritten at redhat.com (Rob Crittenden) Date: Thu, 17 Feb 2011 17:34:18 -0500 Subject: [Freeipa-devel] [PATCH] 060 Raise NotImplementedError for selfsigned cert-remove-hold In-Reply-To: <20110217193814.GC8687@zeppelin.brq.redhat.com> References: <20110217193814.GC8687@zeppelin.brq.redhat.com> Message-ID: <4D5DA26A.7080306@redhat.com> Jakub Hrozek wrote: > To test, try running "ipa cert-remove-hold 11" with a selfsigned install > ack, pushed to master From rcritten at redhat.com Thu Feb 17 23:12:56 2011 
From: rcritten at redhat.com (Rob Crittenden) Date: Thu, 17 Feb 2011 18:12:56 -0500 Subject: [Freeipa-devel] [PATCH] 0085 Register client into DNS on install In-Reply-To: <20110217154614.4389630c@willson.li.ssimo.org> References: <20110217113430.545cbdc1@willson.li.ssimo.org> <20110217115352.44af250f@willson.li.ssimo.org> <20110217154614.4389630c@willson.li.ssimo.org> Message-ID: <4D5DAB78.8050507@redhat.com> Simo Sorce wrote: > On Thu, 17 Feb 2011 11:53:52 -0500 > Simo Sorce wrote: > >> On Thu, 17 Feb 2011 11:34:30 -0500 >> Simo Sorce wrote: >> >>> >>> If DNS Updates are available then try to register the ip address as >>> determined by connecting to the ipa server. >>> >>> This also allows the creation of the DNS A record if none was >>> available before, which means you can add clients without having to >>> pre-register them in the DNS. >>> >>> Fixes #935 >>> >>> Simo. >>> >> >> Forgot to add rpm dependency on bind-utils for the client package. >> >> New patch attached. > > After discussing a bit dns updates with Rob and Stephen on IRC here it > is a third patch that adds a --enable-dns-updates option. > > Dns updates are performed only if this option is enabled or no entry > exists in DNS at all for the host. > > If the option is enabled sssd is also configured to keep updating the > DNS during the life of the machine so that IP changes (laptops, dhcp, > etc..) are recorded in DNS properly. > > Simo. Ack, works for me. rob From JR.Aquino at citrix.com Fri Feb 18 00:14:58 2011
From: JR.Aquino at citrix.com (JR Aquino) Date: Fri, 18 Feb 2011 00:14:58 +0000 Subject: [Freeipa-devel] [PATCH] 18 Use TLS for ipadiscovery during ipa client install In-Reply-To: <201102171846.51038.jzeleny@redhat.com> Message-ID: On 2/17/11 9:46 AM, "Jan Zeleny" wrote: >JR Aquino wrote: >> Let's try now. Attached is the corrected patch. >> >> There were several spots in ipa-client-install where the server could be >> defined and it was getting missed. >> I have omitted any change to ipa-client-install and instead just focused >> on ipadiscovery.py >> >> ipadiscovery.py now performs its own fetch of the CACert just to be >>sure. >> >> Regarding TLS vs LDAPS. >> >> LDAP over SSL was common in LDAP Version 2 (LDAPv2) but it was never >> standardized in any formal specification. This usage has been deprecated >> along with LDAPv2, which was officially retired in 2003. >> >> LDAPS is still supported, but considered deprecated in favor of TLS as >> defined in RFC2830. >> >> On 2/17/11 2:01 AM, "Jan Zelený" wrote: >> >JR Aquino wrote: >> >> This patch addresses the need to utilize TLS when using the >> >> ipa-client-install tool. It addresses ticket: >> >> https://fedorahosted.org/freeipa/ticket/974 >> > >> >Nack, running ipa-client-install returned this error: >> > >> ># ipa-client-install >> >Retrieving CA from None failed. >> >Command '/usr/bin/wget -O /etc/ipa/ca.crt >>http://None/ipa/config/ca.crt' >> >returned non-zero exit status 4 >> > >> > >> >One more question - shouldn't you use ldaps directly to connect to the >> >server? >> >Jan > > >Sorry, I have to Nack it again, the patch seems incomplete, since it is >only >adding some cacert fetching code to IPADiscovery. > >Jan Please ignore previous patches for #18. Attached is the replacement all inclusive patch for this ticket. Per Rob: ipadiscovery should not attempt to create the /etc/ipa/ca.crt rather, it should populate a tempdir with the temp cert for the initial discovery bind. 
Attached is the full patch to provide both TLS and the safer wget of the ca.crt to a temporary directory created by tempfile.mkdtemp() Please verify that ipa-client-install from a separate machine functions as expected against a FreeIPA server who is set to "nsslapd-minssf: 56" -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-jraquino-0018-Use-TLS-for-ipadiscovery-during-ipa-client-install.patch Type: application/octet-stream Size: 2031 bytes Desc: freeipa-jraquino-0018-Use-TLS-for-ipadiscovery-during-ipa-client-install.patch URL: From nkinder at redhat.com Fri Feb 18 00:44:56 2011 From: nkinder at redhat.com (Nathan Kinder) Date: Thu, 17 Feb 2011 16:44:56 -0800 Subject: [Freeipa-devel] [PATCH] Reset target DN when generated UUID is used as RDN Message-ID: <4D5DC108.7010602@redhat.com> -------------- next part -------------- An embedded and charset-unspecified text was scrubbed... Name: 0001-Reset-target-DN-when-generated-UUID-is-used-as-RDN.patch URL: From ssorce at redhat.com Fri Feb 18 00:47:47 2011 
From: ssorce at redhat.com (Simo Sorce) Date: Thu, 17 Feb 2011 19:47:47 -0500 Subject: [Freeipa-devel] [PATCH] 0085 Register client into DNS on install In-Reply-To: <4D5DAB78.8050507@redhat.com> References: <20110217113430.545cbdc1@willson.li.ssimo.org> <20110217115352.44af250f@willson.li.ssimo.org> <20110217154614.4389630c@willson.li.ssimo.org> <4D5DAB78.8050507@redhat.com> Message-ID: <20110217194747.2d8dccca@willson.li.ssimo.org> On Thu, 17 Feb 2011 18:12:56 -0500 Rob Crittenden wrote: > Simo Sorce wrote: > > On Thu, 17 Feb 2011 11:53:52 -0500 > > Simo Sorce wrote: > > > >> On Thu, 17 Feb 2011 11:34:30 -0500 > >> Simo Sorce wrote: > >> > >>> > >>> If DNS Updates are available then try to register the ip address > >>> as determined by connecting to the ipa server. > >>> > >>> This also allows the creation of the DNS A record if none was > >>> available before, which means you can add clients without having > >>> to pre-register them in the DNS. > >>> > >>> Fixes #935 > >>> > >>> Simo. > >>> > >> > >> Forgot to add rpm dependency on bind-utils for the client package. > >> > >> New patch attached. > > > > After discussing a bit dns updates with Rob and Stephen on IRC here > > it is a third patch that adds a --enable-dns-updates option. > > > > Dns updates are performed only if this option is enabled or no > > entry exists in DNS at all for the host. > > > > If the option is enabled sssd is also configured to keep updating > > the DNS during the life of the machine so that IP changes (laptops, > > dhcp, etc..) are recorded in DNS properly. > > > > Simo. > > Ack, works for me. Thanks, pushed to master. Simo. -- Simo Sorce * Red Hat, Inc * New York From rcritten at redhat.com Fri Feb 18 04:19:01 2011
From: rcritten at redhat.com (Rob Crittenden) Date: Thu, 17 Feb 2011 23:19:01 -0500 Subject: [Freeipa-devel] [PATCH] 732 don't ignore nss_shutdown errors Message-ID: <4D5DF335.1060209@redhat.com> Right before rc1 I discovered a problem in ipa-replica-prepare. It was crashing when trying to generate the SSL certificates. The first time it failed on nss_shutdown() claiming that NSS wasn't initialized. The second time because some object was still in use. I tracked this down to a change that enables replication. This happens using an SSL connection to the server. I'm thinking this is some interaction with the openldap NSS connection. The fix is to use an ldapi connection instead. ticket 965 rob -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-rcrit-732-nss.patch Type: text/x-patch Size: 2010 bytes Desc: not available URL: From ayoung at redhat.com Fri Feb 18 04:40:27 2011 From: ayoung at redhat.com (Adam Young) Date: Thu, 17 Feb 2011 23:40:27 -0500 Subject: [Freeipa-devel] Scripting the SUDO setup for a client Message-ID: <4D5DF83B.7080302@redhat.com> I tried to follow the steps to setup Sudo on a client here: https://fedoraproject.org/wiki/QA:Testcase_freeipav2_sudo Of course, since my server wasn't example.com, I had to modify the LDAP filters. I got something wrong. What would I use to script this in keeping with the ipa server technologies we use? I need to modify a bunch of config files. This seems like a task for something like augeas, and I know we use some library to do it. From JR.Aquino at citrix.com Fri Feb 18 05:06:34 2011
From: JR.Aquino at citrix.com (JR Aquino) Date: Fri, 18 Feb 2011 05:06:34 +0000 Subject: [Freeipa-devel] Scripting the SUDO setup for a client In-Reply-To: <4D5DF83B.7080302@redhat.com> References: <4D5DF83B.7080302@redhat.com> Message-ID: On Feb 17, 2011, at 8:38 PM, "Adam Young" wrote: > I tried to follow the steps to setup Sudo on a client here: https://fedoraproject.org/wiki/QA:Testcase_freeipav2_sudo > > Of course, since my server wasn't example.com, I had to modify the LDAP filters. I got something wrong. > > What would I use to script this in keeping with the ipa server technologies we use? I need to modify a bunch of config files. This seems like a task for something like augeas, and I know we use some library to do it. I believe authconfig is used to populate ldap.conf and maybe even nsswitch.conf. Be aware though that Sudo needs to have an unprivileged binddn User and password configured in the ldap.conf file... That's the piece that I've been thinking most about. I'm not sure what to do except prompt the user during the install script. > > > _______________________________________________ > Freeipa-devel mailing list > Freeipa-devel at redhat.com > https://www.redhat.com/mailman/listinfo/freeipa-devel From davido at redhat.com Fri Feb 18 06:41:23 2011
From: davido at redhat.com (David O'Brien) Date: Fri, 18 Feb 2011 16:41:23 +1000 Subject: [Freeipa-devel] [PATCH] 44 Fixes in ipa-join man page In-Reply-To: <201102160845.14482.jzeleny@redhat.com> References: <201102151659.16032.jzeleny@redhat.com> <4D5B1021.6030904@redhat.com> <201102160845.14482.jzeleny@redhat.com> Message-ID: <4D5E1493.7020008@redhat.com> Jan Zelený wrote: > "David O'Brien" wrote: >> Jan Zelený wrote: >>> https://fedorahosted.org/freeipa/ticket/784 >>> https://fedorahosted.org/freeipa/ticket/786 >>> https://fedorahosted.org/freeipa/ticket/787 >>> >>> Jan >> nack >> >> A few typos and style issues: >> >> - _("File were to store the keytab information"), _("Keytab File Name") }, >> + _("File were to store the keytab information"), _("filename") }, >> >> s/were/where >> I would actually reword it: >> "Specifies where to store keytab information." >> >> s/kerberos/Kerberos/g >> (unless lowercase is required for some reason.) >> >> +The hostname of IPA server (FQDN). >> "The hostname of the IPA server (FQDN)." >> >> Join IPA domain and retrieve a keytab with kerberos credentials. >> "Join an IPA domain and retrieve a keytab using Kerberos credentials." > > Ok, here is the second version of the patch. David, not all changes you > proposed are in the patch, I believe they are out of its scope. If we go this > way, I think a review should be done for all man pages, so we don't fix just a > couple of mistakes in this page and leave the same mistakes in other man > pages. > > Jan Yes, this topic of "global fixes" has come up elsewhere, and resources are unavailable for a review of all man pages. ack -- David O'Brien Red Hat Asia Pacific Pty Ltd +61 7 3514 8189 "He who asks is a fool for five minutes, but he who does not ask remains a fool forever." ~ Chinese proverb From davido at redhat.com Fri Feb 18 06:45:04 2011
From: davido at redhat.com (David O'Brien) Date: Fri, 18 Feb 2011 16:45:04 +1000 Subject: [Freeipa-devel] [PATCH] Fixed in ipa-server-install help and man page In-Reply-To: <201102170827.39431.jzeleny@redhat.com> References: <201102160921.42462.jzeleny@redhat.com> <4D5BD4AC.5030401@redhat.com> <201102170827.39431.jzeleny@redhat.com> Message-ID: <4D5E1570.50304@redhat.com> Jan Zelený wrote: > Rob Crittenden wrote: >> Jan Zelený wrote: >>> https://fedorahosted.org/freeipa/ticket/831 >>> >>> Jan >> I think I'd like David's take on this, but my initial reaction is I'd >> prefer the word maximum to maximal. >> >> rob > > The second patch is in attachment. Based on David's recommendation you can > pick and push the right one. > > Jan Yes, pick "maximum" -- David O'Brien Red Hat Asia Pacific Pty Ltd +61 7 3514 8189 "He who asks is a fool for five minutes, but he who does not ask remains a fool forever." ~ Chinese proverb From edewata at redhat.com Fri Feb 18 08:11:48 2011 From: edewata at redhat.com (Endi Sukma Dewata) Date: Fri, 18 Feb 2011 02:11:48 -0600 Subject: [Freeipa-devel] [PATCH] 104 Fixed parameter for user city. Message-ID: <4D5E29C4.7030600@redhat.com> Previously the user's city parameter was defined to use the 'locality' attribute. This was a problem because the attribute would be returned as 'l' by the directory server causing a mismatch. Now the parameter has been changed to use the 'l' attribute. https://fedorahosted.org/freeipa/ticket/985 -- Endi S. Dewata -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-edewata-0104-Fixed-parameter-for-user-city.patch Type: text/x-patch Size: 8073 bytes Desc: not available URL: From edewata at redhat.com Fri Feb 18 08:13:25 2011
From: edewata at redhat.com (Endi Sukma Dewata) Date: Fri, 18 Feb 2011 02:13:25 -0600 Subject: [Freeipa-devel] [PATCH] 105 Updated json_metadata and i18n_messages. Message-ID: <4D5E2A25.8090103@redhat.com> The json_metadata() has been updated to return ipa.Objects and ipa.Methods. The i18n_messages() has been updated to include other messages that are not available from the metadata. https://fedorahosted.org/freeipa/ticket/899 -- Endi S. Dewata -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-edewata-0105-Updated-json_metadata-and-i18n_messages.patch Type: text/x-patch Size: 21599 bytes Desc: not available URL: From edewata at redhat.com Fri Feb 18 08:14:26 2011 From: edewata at redhat.com (Endi Sukma Dewata) Date: Fri, 18 Feb 2011 02:14:26 -0600 Subject: [Freeipa-devel] [PATCH] 106 I18n update. Message-ID: <4D5E2A62.8000003@redhat.com> Hard-coded messages throughout the code have been replaced by i18n messages obtained from json_metadata and i18n_messages. https://fedorahosted.org/freeipa/ticket/899 -- Endi S. Dewata -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-edewata-0106-I18n-update.patch Type: text/x-patch Size: 145365 bytes Desc: not available URL: From edewata at redhat.com Fri Feb 18 08:15:38 2011 From: edewata at redhat.com (Endi Sukma Dewata) Date: Fri, 18 Feb 2011 02:15:38 -0600 Subject: [Freeipa-devel] [PATCH] 107 Updated test data files. Message-ID: <4D5E2AAA.30606@redhat.com> https://fedorahosted.org/freeipa/ticket/899 -- Endi S. Dewata -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-edewata-0107-Updated-test-data-files.patch Type: text/x-patch Size: 1089815 bytes Desc: not available URL: From mkosek at redhat.com Fri Feb 18 09:10:08 2011
From: mkosek at redhat.com (Martin Kosek) Date: Fri, 18 Feb 2011 10:10:08 +0100 Subject: [Freeipa-devel] [PATCH] 031 Remove WebUI identifiers from global namespace In-Reply-To: <4D5D5AE2.5060808@redhat.com> References: <1297776332.3047.3.camel@dhcp-25-52.brq.redhat.com> <4D5AC543.1090001@redhat.com> <1297869411.18411.25.camel@dhcp-25-52.brq.redhat.com> <4D5BF154.4070909@redhat.com> <1297938096.18411.48.camel@dhcp-25-52.brq.redhat.com> <4D5D5AE2.5060808@redhat.com> Message-ID: <1298020208.4638.13.camel@dhcp-25-52.brq.redhat.com> On Thu, 2011-02-17 at 12:29 -0500, Adam Young wrote: > Looks good. Only problem is on braces. We have a code standard that > is like this > > > IPA.something = function () { > > > not > > > IPA.something = function () > { > > > This is due to Javascript being ambiguous in certain circumstances > about where it puts an implicit end of statement. > > > https://fedorahosted.org/freeipa/wiki/Javascript_Coding_Standards Yes. The same convention is for C/Python code. All those functions violating a code standard were already in UI, I just moved them to sub-namespace in the preceding patch. Nevertheless, I went through all function definitions and I believe I fixed all occurrences of this issue. > For name shortening, sudo.sudorule_ should be sudo.rule_ Obviously :-) > > On the patch I sent you as an example, I broke the "View Cert" > button. I didn't test that here. Did you make sure that still > works? Yes, this was already fixed. It was also related to the JSLint warnings in your patch that you mentioned earlier. But just to be sure I double-checked this and it's OK. Patch attached. JSLint, test suite OK. Martin -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-mkosek-031-04-remove-webui-identifiers-from-global-namespace.patch Type: text/x-patch Size: 57554 bytes Desc: not available URL: From pzuna at redhat.com Fri Feb 18 10:34:30 2011
From: pzuna at redhat.com (Pavel Zůna) Date: Fri, 18 Feb 2011 11:34:30 +0100 Subject: [Freeipa-devel] Localization patches. In-Reply-To: <4D5D9888.6010603@redhat.com> References: <4D5BEEDC.5050902@redhat.com> <4D5C9F5D.1090706@redhat.com> <4D5D7C29.2020102@redhat.com> <4D5D9888.6010603@redhat.com> Message-ID: <4D5E4B36.1010805@redhat.com> On 2011-02-17 22:52, Rob Crittenden wrote: > Pavel Zůna wrote: >> On 2011-02-17 05:09, Rob Crittenden wrote: >>> Pavel Zůna wrote: >>>> My efforts in fixing localization all around the framework and >>>> preparing >>>> it for localizing docstrings have resulted in a lot of patches. Because >>>> I understand they have become a bit hard to track, I decided to post >>>> them all together in this thread to make review easier. >>>> >>>> After this is committed, there will be one more patch that switches >>>> xgettext for pygettext. Then hopefully, we'll be pretty much set >>>> when it >>>> comes to i18n. >>>> >>>> Pavel >>> >>> Patch 81 isn't applying for me. >>> >>> Help is not working for me either, this is due to patch 80. 
>>> >>> $ ipa help user >>> ipa: ERROR: NameError: global name '_' is not defined >>> Traceback (most recent call last): >>> File "/home/rcrit/redhat/freeipa-version/ipalib/cli.py", line 1087, in >>> run >>> api.finalize() >>> File "/home/rcrit/redhat/freeipa-version/ipalib/plugable.py", line 619, >>> in finalize >>> plugin_iter(base, (magic[k] for k in magic)) >>> File "/home/rcrit/redhat/freeipa-version/ipalib/base.py", line 397, in >>> __init__ >>> sorted(members, key=lambda m: getattr(m, name_attr)) >>> File "/home/rcrit/redhat/freeipa-version/ipalib/plugable.py", line 608, >>> in plugin_iter >>> plugins[klass] = PluginInstance(klass) >>> File "/home/rcrit/redhat/freeipa-version/ipalib/plugable.py", line 585, >>> in __init__ >>> self.instance = klass() >>> File "/home/rcrit/redhat/freeipa-version/ipalib/plugable.py", line 184, >>> in __init__ >>> self.doc = _(inspect.getdoc(cls)) >>> NameError: global name '_' is not defined >>> ipa: ERROR: an internal error has occurred >>> >>> Patches 69, 71 and 73 are still working fine. >>> >>> What is switching from xgettext to pygettext going to do? >> >> This was answered by John Dennis: xgettext doesn't parse python >> docstrings. >> >>> >>> rob >> >> Rebased version of 81 attached. It should also fix the traceback you're >> getting. >> >> Pavel > > Something is still not working. 
I'm having a hard time reproducing how I > got this but with LANG=es_US.UTF-8 for a while I was getting this with > every ipa user-* request: > > ipa: ERROR: UnicodeEncodeError: 'ascii' codec can't encode character > u'\xf1' in position 20: ordinal not in range(128) > Traceback (most recent call last): > File "/home/rcrit/redhat/freeipa-version/ipalib/cli.py", line 1090, in run > sys.exit(api.Backend.cli.run(argv)) > File "/home/rcrit/redhat/freeipa-version/ipalib/cli.py", line 917, in run > rv = cmd.output_for_cli(self.api.Backend.textui, result, *args, **options) > File "/home/rcrit/redhat/freeipa-version/ipalib/frontend.py", line 953, > in output_for_cli > textui.print_entries(result, order, labels, flags, print_all) > File "/home/rcrit/redhat/freeipa-version/ipalib/cli.py", line 346, in > print_entries > self.print_entry(entry, order, labels, flags, print_all, format, indent) > File "/home/rcrit/redhat/freeipa-version/ipalib/cli.py", line 378, in > print_entry > label, value, format, indent, one_value_per_line > File "/home/rcrit/redhat/freeipa-version/ipalib/cli.py", line 309, in > print_attribute > self.print_indented(format % (attr, text[0]), indent) > File "/home/rcrit/redhat/freeipa-version/ipalib/cli.py", line 232, in > print_indented > print (CLI_TAB * indent + text) > UnicodeEncodeError: 'ascii' codec can't encode character u'\xf1' in > position 20: ordinal not in range(128) > ipa: ERROR: ha ocurrido un error interno > > I think it is blowing up on this user: > > User login: jose > First name: Jose > Last name: contraseñas > Home directory: /home/jose > Login shell: /bin/sh > Account disabled: TRUE > Member of groups: ipausers > > Then all of a sudden things started working fine, so I'm not sure what's > going on. > > Is this traceback meaningful to you? > > rob This looks like a bug in the textui backend. 
You get this error when you do something like this:

>>> a = u'\xf1'
>>> a.decode('utf-8')
Traceback (most recent call last):
  File "<stdin>", line 1, in <module>
  File "/usr/lib/python2.6/encodings/utf_8.py", line 16, in decode
    return codecs.utf_8_decode(input, errors, True)
UnicodeEncodeError: 'ascii' codec can't encode character u'\xf1' in position 0: ordinal not in range(128)

It means we're not handling encoding/decoding from/to the CLI right
somewhere. The character \xf1 corresponds to the small N with tilde in
Jose's last name.

I'm going to look into it, but I don't think it's related to the
localization patches.

Pavel

From jhrozek at redhat.com Fri Feb 18 12:14:52 2011
From: jhrozek at redhat.com (Jakub Hrozek)
Date: Fri, 18 Feb 2011 13:14:52 +0100
Subject: [Freeipa-devel] [PATCH] 732 don't ignore nss_shutdown errors
In-Reply-To: <4D5DF335.1060209@redhat.com>
References: <4D5DF335.1060209@redhat.com>
Message-ID: <4D5E62BC.9090309@redhat.com>

On 02/18/2011 05:19 AM, Rob Crittenden wrote:
> Right before rc1 I discovered a problem in ipa-replica-prepare. It was
> crashing when trying to generate the SSL certificates. The first time it
> failed on nss_shutdown() claiming that NSS wasn't initialized. The
> second time because some object was still in use.
>
> I tracked this down to a change that enables replication. This happens
> using an SSL connection to the server. I'm thinking this is some
> interaction with the openldap NSS connection.
>
> The fix is to use an ldapi connection instead.
>
> ticket 965
>
> rob
>

Ack

From jhrozek at redhat.com Fri Feb 18 12:19:00 2011
From: jhrozek at redhat.com (Jakub Hrozek)
Date: Fri, 18 Feb 2011 13:19:00 +0100
Subject: [Freeipa-devel] [PATCH] 061 Validate NAPTR records
Message-ID: <4D5E63B4.3080505@redhat.com>

I'm not sure about checking the flags - this might be a little too much
validation.

https://fedorahosted.org/freeipa/ticket/840

-------------- next part --------------
A non-text attachment was scrubbed...
Name: jhrozek-freeipa-061-naptr.patch
Type: text/x-patch
Size: 9043 bytes

From jhrozek at redhat.com Fri Feb 18 12:19:13 2011
From: jhrozek at redhat.com (Jakub Hrozek)
Date: Fri, 18 Feb 2011 13:19:13 +0100
Subject: [Freeipa-devel] [PATCH] 062 Set SRV discovery for clients only if it succeeded during installation
Message-ID: <4D5E63C1.4050409@redhat.com>

This is a minor optimization that didn't occur to me yesterday when I was
reviewing Rob's patch - sorry.

The patch only adds _srv_ as the first entry if service discovery
succeeded during ipa-client-install. This gets rid of the DNS timeout for
cases where Bind is not included.

-------------- next part --------------
A non-text attachment was scrubbed...
Name: jhrozek-freeipa-062-discovery.patch
Type: text/x-patch
Size: 1796 bytes

From ssorce at redhat.com Fri Feb 18 13:01:45 2011
From: ssorce at redhat.com (Simo Sorce)
Date: Fri, 18 Feb 2011 08:01:45 -0500
Subject: [Freeipa-devel] Scripting the SUDO setup for a client
In-Reply-To:
References: <4D5DF83B.7080302@redhat.com>
Message-ID: <20110218080145.61f5882f@willson.li.ssimo.org>

On Fri, 18 Feb 2011 05:06:34 +0000
JR Aquino wrote:

> On Feb 17, 2011, at 8:38 PM, "Adam Young" wrote:
>
>> I tried to follow the steps to setup Sudo on a client here:
>> https://fedoraproject.org/wiki/QA:Testcase_freeipav2_sudo
>>
>> Of course, since my server wasn't example.com, I had to modify the
>> LDAP filters. I got something wrong.
>>
>> What would I use to script this in keeping with the ipa server
>> technologies we use? I need to modify a bunch of config files.
>> This seems like a task for something like augeas, and I know we use
>> some library to do it.
>
> I believe authconfig is used to populate ldap.conf and maybe even
> nsswitch.conf.
>
> Be aware though that Sudo needs to have an unprivileged binddn User
> and password configured in the ldap.conf file... That's the piece
> that I've been thinking most about. I'm not sure what to do except
> prompt the user during the install script.

This is necessary only when you prevent anonymous binds, right?

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York

From JR.Aquino at citrix.com Fri Feb 18 13:18:36 2011
From: JR.Aquino at citrix.com (JR Aquino)
Date: Fri, 18 Feb 2011 13:18:36 +0000
Subject: [Freeipa-devel] Scripting the SUDO setup for a client
In-Reply-To: <20110218080145.61f5882f@willson.li.ssimo.org>
References: <4D5DF83B.7080302@redhat.com> <20110218080145.61f5882f@willson.li.ssimo.org>
Message-ID:

On Feb 18, 2011, at 5:01 AM, "Simo Sorce" wrote:

> On Fri, 18 Feb 2011 05:06:34 +0000
> JR Aquino wrote:
>
>> On Feb 17, 2011, at 8:38 PM, "Adam Young" wrote:
>>
>>> I tried to follow the steps to setup Sudo on a client here:
>>> https://fedoraproject.org/wiki/QA:Testcase_freeipav2_sudo
>>>
>>> Of course, since my server wasn't example.com, I had to modify the
>>> LDAP filters. I got something wrong.
>>>
>>> What would I use to script this in keeping with the ipa server
>>> technologies we use? I need to modify a bunch of config files.
>>> This seems like a task for something like augeas, and I know we use
>>> some library to do it.
>>
>> I believe authconfig is used to populate ldap.conf and maybe even
>> nsswitch.conf.
>>
>> Be aware though that Sudo needs to have an unprivileged binddn User
>> and password configured in the ldap.conf file... That's the piece
>> that I've been thinking most about. I'm not sure what to do except
>> prompt the user during the install script.
>
> This is necessary only when you prevent anonymous binds, right?
>
> Simo.

I'm afraid not Simo.
As you recall, both /etc/sudoers and the 2 Sudo containers in FreeIPA are
protected. There is a deliberate default aci which prevents anonymous
users from enumerating everyone's Sudo information.

This means it is necessary for Sudo to initiate some form of
authenticated bind.

And as we discovered, the SUDO SASL implementation is suboptimal in that
it seems to want a cronjob to sit around kinit'ing the /etc/krb5.keytab
in order to use its ccache.

From jhrozek at redhat.com Fri Feb 18 13:35:20 2011
From: jhrozek at redhat.com (Jakub Hrozek)
Date: Fri, 18 Feb 2011 14:35:20 +0100
Subject: [Freeipa-devel] [PATCH] 063 Better doc for idnssoaminimum, minimum parameter values
Message-ID: <4D5E7598.9070509@redhat.com>

The doc= value was misleading. The "minimum" value in the SOA record
defines how long NXDOMAIN responses should be cached. As per RFC 2308,
the maximum allowed value should be 3 hours.

Also, many parameters allowed negative values which really don't make
sense there (and RFC 1035 disallows them).

-------------- next part --------------
A non-text attachment was scrubbed...
Name: jhrozek-freeipa-063-idnssoaminimum.patch
Type: text/x-patch
Size: 11912 bytes

From ssorce at redhat.com Fri Feb 18 13:49:25 2011
From: ssorce at redhat.com (Simo Sorce)
Date: Fri, 18 Feb 2011 08:49:25 -0500
Subject: [Freeipa-devel] Scripting the SUDO setup for a client
In-Reply-To:
References: <4D5DF83B.7080302@redhat.com> <20110218080145.61f5882f@willson.li.ssimo.org>
Message-ID: <20110218084925.11a72ac9@willson.li.ssimo.org>

On Fri, 18 Feb 2011 13:18:36 +0000
JR Aquino wrote:

> I'm afraid not Simo.
> As you recall, both /etc/sudoers and the 2 Sudo containers in FreeIPA
> are protected. There is a deliberate default aci which prevents
> anonymous users from enumerating everyone's Sudo information.
>
> This means it is necessary for Sudo to initiate some form of
> authenticated bind.
>
> And as we discovered, the SUDO SASL implementation is suboptimal in
> that it seems to want a cronjob to sit around kinit'ing
> the /etc/krb5.keytab in order to use its ccache.

Ouch, I forgot about the ACIs ... I guess we should document how to
remove them as an alternative too?

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York

From JR.Aquino at citrix.com Fri Feb 18 14:20:07 2011
From: JR.Aquino at citrix.com (JR Aquino)
Date: Fri, 18 Feb 2011 14:20:07 +0000
Subject: [Freeipa-devel] Scripting the SUDO setup for a client
In-Reply-To: <20110218084925.11a72ac9@willson.li.ssimo.org>
Message-ID:

On 2/18/11 5:49 AM, "Simo Sorce" wrote:

> On Fri, 18 Feb 2011 13:18:36 +0000
> JR Aquino wrote:
>
>> I'm afraid not Simo.
>> As you recall, both /etc/sudoers and the 2 Sudo containers in FreeIPA
>> are protected. There is a deliberate default aci which prevents
>> anonymous users from enumerating everyone's Sudo information.
>>
>> This means it is necessary for Sudo to initiate some form of
>> authenticated bind.
>>
>> And as we discovered, the SUDO SASL implementation is suboptimal in
>> that it seems to want a cronjob to sit around kinit'ing
>> the /etc/krb5.keytab in order to use its ccache.
>
> Ouch, I forgot about the ACIs ... I guess we should document how to
> remove them as an alternative too?
>
> Simo.

There is indeed a ticket to create a 2.1 feature for opening the ACI.
Documentation for opening the default ACI will be written in red for
those who wish to ignore best security practices...

By default the ACIs were decided to prohibit anonymous access. On a
standalone system /etc/sudoers is set to root:root with 440. Sudo
information is critically sensitive security information that should be
treated at a similar level to passwords in terms of protections.

A binduser is instead suggested as a means to accommodate sudo, and it
is written into the beginnings of the documentation.

From ayoung at redhat.com Fri Feb 18 14:53:01 2011
From: ayoung at redhat.com (Adam Young)
Date: Fri, 18 Feb 2011 09:53:01 -0500
Subject: [Freeipa-devel] [PATCH] 031 Remove WebUI identifiers from global namespace
In-Reply-To: <1298020208.4638.13.camel@dhcp-25-52.brq.redhat.com>
References: <1297776332.3047.3.camel@dhcp-25-52.brq.redhat.com> <4D5AC543.1090001@redhat.com> <1297869411.18411.25.camel@dhcp-25-52.brq.redhat.com> <4D5BF154.4070909@redhat.com> <1297938096.18411.48.camel@dhcp-25-52.brq.redhat.com> <4D5D5AE2.5060808@redhat.com> <1298020208.4638.13.camel@dhcp-25-52.brq.redhat.com>
Message-ID: <4D5E87CD.4040706@redhat.com>

On 02/18/2011 04:10 AM, Martin Kosek wrote:
> On Thu, 2011-02-17 at 12:29 -0500, Adam Young wrote:
>> Looks good. Only problem is on braces. We have a code standard that
>> is like this
>>
>>     IPA.something = function () {
>>
>> not
>>
>>     IPA.something = function ()
>>     {
>>
>> This is due to Javascript being ambiguous in certain circumstances
>> about where it puts an implicit end of statement.
>>
>> https://fedorahosted.org/freeipa/wiki/Javascript_Coding_Standards
> Yes. The same convention is for C/Python code. All those functions
> violating a code standard were already in UI, I just moved them to
> sub-namespace in the preceding patch.
>
> Nevertheless, I went through all function definitions and I believe I
> fixed all occurrences of this issue.
>
>> For name shortening, sudo.sudorule_ should be sudo.rule_
> Obviously :-)
>
>> On the patch I sent you as an example, I broke the "View Cert"
>> button. I didn't test that here. Did you make sure that still
>> works?
> Yes, this was already fixed. It was also related to the JSLint warnings
> in your patch that you mentioned earlier. But just to be sure I
> double-checked this and it's OK.
>
> Patch attached. JSLint, test suite OK.
>
> Martin

ACK.
Pushed to master

From ayoung at redhat.com Fri Feb 18 15:02:52 2011
From: ayoung at redhat.com (Adam Young)
Date: Fri, 18 Feb 2011 10:02:52 -0500
Subject: [Freeipa-devel] [PATCH] Added expand/collapse all.
In-Reply-To: <4D559CE4.7060402@redhat.com>
References: <4D54B3BC.90905@redhat.com> <4D559CE4.7060402@redhat.com>
Message-ID: <4D5E8A1C.6080904@redhat.com>

On 02/11/2011 03:32 PM, Adam Young wrote:
> On 02/10/2011 10:57 PM, Endi Sukma Dewata wrote:
>> Hi Kyle,
>>
>> I added the expand/collapse all link into the details page.
>> See the following demo:
>>
>> http://edewata.fedorapeople.org/freeipa/install/ui/index.html#navigation=0&identity=0&user-facet=details&user-pkey=kfrog
>>
>> Please let me know if this is sufficient for this ticket:
>> https://fedorahosted.org/freeipa/ticket/737
>>
>> Thanks!
>
> ACK on the implementation. But the link certainly can't stay there,
> so hold until UXD looks at it.
>
> You can view the implementation here:
>
> http://admiyo.fedorapeople.org/ipa/ui/#navigation=0&identity=0&user-facet=details&user-pkey=kfrog

ACK. Pushed to master

From rcritten at redhat.com Fri Feb 18 15:01:02 2011
From: rcritten at redhat.com (Rob Crittenden)
Date: Fri, 18 Feb 2011 10:01:02 -0500
Subject: [Freeipa-devel] [PATCH] Fixed in ipa-server-install help and man page
In-Reply-To: <4D5E1570.50304@redhat.com>
References: <201102160921.42462.jzeleny@redhat.com> <4D5BD4AC.5030401@redhat.com> <201102170827.39431.jzeleny@redhat.com> <4D5E1570.50304@redhat.com>
Message-ID: <4D5E89AE.8070502@redhat.com>

David O'Brien wrote:
> Jan Zelený wrote:
>> Rob Crittenden wrote:
>>> Jan Zelený wrote:
>>>> https://fedorahosted.org/freeipa/ticket/831
>>>>
>>>> Jan
>>> I think I'd like David's take on this, but my initial reaction is I'd
>>> prefer the word maximum to maximal.
>>>
>>> rob
>>
>> The second patch is in attachment. Based on David's recommendation you
>> can pick and push the right one.
>>
>> Jan
> Yes, pick "maximum"
>

maximum it is, pushed to master

From jhrozek at redhat.com Fri Feb 18 15:05:30 2011
From: jhrozek at redhat.com (Jakub Hrozek)
Date: Fri, 18 Feb 2011 16:05:30 +0100
Subject: [Freeipa-devel] [PATCH] 728 default roles
In-Reply-To: <4D5C977C.1020408@redhat.com>
References: <4D5C977C.1020408@redhat.com>
Message-ID: <4D5E8ABA.5090306@redhat.com>

On 02/17/2011 04:35 AM, Rob Crittenden wrote:
> Add default roles and permissions for HBAC, SUDO and pw policy
>
> Created some default roles as examples. In doing so I realized that we
> were completely missing default rules for HBAC, SUDO and password policy
> so I added those as well.
>
> I ran into a problem when the updater has a default record and an add at
> the same time, it should handle it better now.
>
> ticket 585
>
> rob
>

I'm not sure about the HBAC rules ACIs. They are specified as:

'target = "ldap:///cn=*,cn=hbac,$SUFFIX"'

while HBAC rules' DN is:

'ipauniqueid=*,cn=hbac,$SUFFIX'.

But HBAC rules do have a cn: attribute, so maybe the ACIs would work?

The patch also needs rebasing on top of recent changes to
install/updates/Makefile.am

Other than that, looks OK to me.

btw when I was reviewing this patch, I noticed we add a "DNS
Administrators" privilege in dns.ldif. Would it make sense to add DNS
administration to "Security Architect" (replication management) and "IT
Specialist" (hosts management)?

From ayoung at redhat.com Fri Feb 18 15:12:42 2011
From: ayoung at redhat.com (Adam Young)
Date: Fri, 18 Feb 2011 10:12:42 -0500
Subject: [Freeipa-devel] [PATCH] 104 Fixed parameter for user city.
In-Reply-To: <4D5E29C4.7030600@redhat.com>
References: <4D5E29C4.7030600@redhat.com>
Message-ID: <4D5E8C6A.5000706@redhat.com>

On 02/18/2011 03:11 AM, Endi Sukma Dewata wrote:
> Previously the user's city parameter is defined to use the 'locality'
> attribute. This was a problem because the attribute would be returned
> as 'l' by the directory server causing a mismatch. Now the parameter
> has been changed to use the 'l' attribute.
>
> https://fedorahosted.org/freeipa/ticket/985

ACK. Pushed to master

From ayoung at redhat.com Fri Feb 18 15:12:53 2011
From: ayoung at redhat.com (Adam Young)
Date: Fri, 18 Feb 2011 10:12:53 -0500
Subject: [Freeipa-devel] [PATCH] 105 Updated json_metadata and i18n_messages.
In-Reply-To: <4D5E2A25.8090103@redhat.com>
References: <4D5E2A25.8090103@redhat.com>
Message-ID: <4D5E8C75.407@redhat.com>

On 02/18/2011 03:13 AM, Endi Sukma Dewata wrote:
> The json_metadata() has been updated to return ipa.Objects and
> ipa.Methods. The i18n_messages() has been updated to include other
> messages that are not available from the metadata.
>
> https://fedorahosted.org/freeipa/ticket/899

ACK. Pushed to master

From ayoung at redhat.com Fri Feb 18 15:13:12 2011
From: ayoung at redhat.com (Adam Young)
Date: Fri, 18 Feb 2011 10:13:12 -0500
Subject: [Freeipa-devel] [PATCH] 106 I18n update.
In-Reply-To: <4D5E2A62.8000003@redhat.com>
References: <4D5E2A62.8000003@redhat.com>
Message-ID: <4D5E8C88.3080400@redhat.com>

On 02/18/2011 03:14 AM, Endi Sukma Dewata wrote:
> Hard-coded messages throughout the code have been replaced by i18n
> messages obtained from json_metadata and i18n_messages.
>
> https://fedorahosted.org/freeipa/ticket/899

Needs rebase, due to mkosek's big patch.

From rcritten at redhat.com Fri Feb 18 15:20:14 2011
From: rcritten at redhat.com (Rob Crittenden)
Date: Fri, 18 Feb 2011 10:20:14 -0500
Subject: [Freeipa-devel] [PATCH] 732 don't ignore nss_shutdown errors
In-Reply-To: <4D5E62BC.9090309@redhat.com>
References: <4D5DF335.1060209@redhat.com> <4D5E62BC.9090309@redhat.com>
Message-ID: <4D5E8E2E.9060206@redhat.com>

Jakub Hrozek wrote:
> On 02/18/2011 05:19 AM, Rob Crittenden wrote:
>> Right before rc1 I discovered a problem in ipa-replica-prepare. It was
>> crashing when trying to generate the SSL certificates. The first time it
>> failed on nss_shutdown() claiming that NSS wasn't initialized. The
>> second time because some object was still in use.
>>
>> I tracked this down to a change that enables replication. This happens
>> using an SSL connection to the server. I'm thinking this is some
>> interaction with the openldap NSS connection.
>>
>> The fix is to use an ldapi connection instead.
>>
>> ticket 965
>>
>> rob
>>
>
> Ack

pushed to master

From rcritten at redhat.com Fri Feb 18 15:27:34 2011
From: rcritten at redhat.com (Rob Crittenden)
Date: Fri, 18 Feb 2011 10:27:34 -0500
Subject: [Freeipa-devel] [PATCH] Reset target DN when generated UUID is used as RDN
In-Reply-To: <4D5DC108.7010602@redhat.com>
References: <4D5DC108.7010602@redhat.com>
Message-ID: <4D5E8FE6.4080208@redhat.com>

Nathan Kinder wrote:
> Works for me, I thought I acked this last night. I guess not so ACK.

pushed to master.

rob

From ayoung at redhat.com Fri Feb 18 15:31:11 2011
From: ayoung at redhat.com (Adam Young)
Date: Fri, 18 Feb 2011 10:31:11 -0500
Subject: [Freeipa-devel] [PATCH] 107 Updated test data files.
In-Reply-To: <4D5E2AAA.30606@redhat.com>
References: <4D5E2AAA.30606@redhat.com>
Message-ID: <4D5E90BF.5010102@redhat.com>

On 02/18/2011 03:15 AM, Endi Sukma Dewata wrote:
> https://fedorahosted.org/freeipa/ticket/899

If applied without 106 it breaks the unit tests, so hold on this until
106 is rebased

From rcritten at redhat.com Fri Feb 18 15:29:42 2011
From: rcritten at redhat.com (Rob Crittenden)
Date: Fri, 18 Feb 2011 10:29:42 -0500
Subject: [Freeipa-devel] [PATCH] 728 default roles
In-Reply-To: <4D5E8ABA.5090306@redhat.com>
References: <4D5C977C.1020408@redhat.com> <4D5E8ABA.5090306@redhat.com>
Message-ID: <4D5E9066.7010102@redhat.com>

Jakub Hrozek wrote:
> On 02/17/2011 04:35 AM, Rob Crittenden wrote:
>> Add default roles and permissions for HBAC, SUDO and pw policy
>>
>> Created some default roles as examples. In doing so I realized that we
>> were completely missing default rules for HBAC, SUDO and password policy
>> so I added those as well.
>>
>> I ran into a problem when the updater has a default record and an add at
>> the same time, it should handle it better now.
>>
>> ticket 585
>>
>> rob
>>
>
> I'm not sure about the HBAC rules ACIs. They are specified as:
>
> 'target = "ldap:///cn=*,cn=hbac,$SUFFIX"'
>
> while HBAC rules' DN is:
>
> 'ipauniqueid=*,cn=hbac,$SUFFIX'.
>
> But HBAC rules do have a cn: attribute, so maybe the ACIs would work?

No, you're right, this is wrong. I'll fix it up and resubmit.

>
> The patch also needs rebasing on top of recent changes to
> install/updates/Makefile.am
>
> Other than that, looks OK to me.
>
> btw when I was reviewing this patch, I noticed we add a "DNS
> Administrators" privilege in dns.ldif. Would it make sense to add DNS
> administration to "Security Architect" (replication management) and "IT
> Specialist" (hosts management)?

The DNS stuff is added only if DNS is enabled on the server so I can't
add them by default.

rob

From rcritten at redhat.com Fri Feb 18 15:30:46 2011
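A small checker for the scoping problem Jakub raised and Rob confirmed in the 728 thread above (an ACI `target` of `cn=*,cn=hbac,$SUFFIX` versus entries whose RDN is `ipauniqueid=...`). This is an added illustration, not FreeIPA or 389-ds code; the subtree-matching semantics of `target`, the `SUFFIX` value and the sample rule DN are assumptions.

```python
import re

SUFFIX = "dc=example,dc=com"  # constructed stand-in for the $SUFFIX placeholder


def split_dn(dn):
    """Split a DN into (attribute, value) pairs, honouring backslash-escaped
    commas. Attribute types are lower-cased so 'CN' and 'cn' compare equal."""
    rdns, buf, escaped = [], "", False
    for ch in dn:
        if escaped:
            buf += ch
            escaped = False
        elif ch == "\\":
            buf += ch
            escaped = True
        elif ch == ",":
            rdns.append(buf)
            buf = ""
        else:
            buf += ch
    rdns.append(buf)
    pairs = []
    for rdn in rdns:
        attr, _, value = rdn.strip().partition("=")
        pairs.append((attr.strip().lower(), value.strip()))
    return pairs


def target_dn(aci_target):
    """Return the DN part of an ACI target value such as
    'ldap:///cn=*,cn=hbac,dc=example,dc=com' (surrounding quotes optional)."""
    text = aci_target.strip().strip('"')
    if not text.lower().startswith("ldap:///"):
        raise ValueError("ACI target must be an ldap:/// URL: %r" % aci_target)
    return text[len("ldap:///"):]


def rdn_matches(pattern_rdn, entry_rdn):
    """Match one RDN of the target pattern against one RDN of the entry: the
    attribute type must be identical, '*' in the pattern value matches any
    run of characters, and values compare case-insensitively."""
    pattr, pvalue = pattern_rdn
    attr, value = entry_rdn
    if pattr != attr:
        return False
    regex = ".*".join(re.escape(part) for part in pvalue.split("*"))
    return re.fullmatch(regex, value, re.IGNORECASE) is not None


def aci_applies(aci_target, entry_dn):
    """True if the ACI target scopes entry_dn. Assumed 389-ds semantics: the
    target names an entry (wildcards allowed) and the ACI also covers every
    entry beneath it, so extra leading RDNs on the entry are accepted."""
    pattern = split_dn(target_dn(aci_target))
    entry = split_dn(entry_dn)
    if len(entry) < len(pattern):
        return False  # entry sits above the target, not inside it
    offset = len(entry) - len(pattern)
    return all(rdn_matches(p, e) for p, e in zip(pattern, entry[offset:]))


def unscoped_entries(aci_target, entry_dns):
    """Entries the ACI was meant to cover but does not reach: the review check
    for a target pattern whose RDN attribute differs from the real one."""
    return [dn for dn in entry_dns if not aci_applies(aci_target, dn)]


if __name__ == "__main__":
    # constructed sample HBAC rule DN, shaped like ipauniqueid=*,cn=hbac,$SUFFIX
    rules = ["ipauniqueid=0a1b2c3d,cn=hbac," + SUFFIX]
    for target in ('"ldap:///cn=*,cn=hbac,%s"' % SUFFIX,
                   '"ldap:///ipauniqueid=*,cn=hbac,%s"' % SUFFIX):
        missed = unscoped_entries(target, rules)
        print("%s misses %d of %d rules" % (target, len(missed), len(rules)))
```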
From: rcritten at redhat.com (Rob Crittenden)
Date: Fri, 18 Feb 2011 10:30:46 -0500
Subject: [Freeipa-devel] [PATCH 22/22] Update Polish & Ukrainian translations
In-Reply-To: <201102161958.p1GJwVQQ008203@int-mx01.intmail.prod.int.phx2.redhat.com>
References: <201102161958.p1GJwVQQ008203@int-mx01.intmail.prod.int.phx2.redhat.com>
Message-ID: <4D5E90A6.7090007@redhat.com>

John Dennis wrote:
>
>

pushed to master

From rcritten at redhat.com Fri Feb 18 15:31:46 2011
From: rcritten at redhat.com (Rob Crittenden)
Date: Fri, 18 Feb 2011 10:31:46 -0500
Subject: [Freeipa-devel] [PATCH] 059 Use unicode parameters in the host plugin
In-Reply-To: <20110217104008.GB26896@zeppelin.brq.redhat.com>
References: <4D5BF165.1080807@redhat.com> <201102171106.35887.jzeleny@redhat.com> <20110217101051.GA26896@zeppelin.brq.redhat.com> <201102171130.03946.jzeleny@redhat.com> <20110217104008.GB26896@zeppelin.brq.redhat.com>
Message-ID: <4D5E90E2.6060300@redhat.com>

Jakub Hrozek wrote:
> On Thu, Feb 17, 2011 at 11:30:03AM +0100, Jan Zelený wrote:
>> Better, thanks. I'd also like to change the code which is using this function,
>> so the conversion doesn't take place twice.
>
> I think it's safe. The documentation on unicode() says:
>
> ---
> More precisely, if object is a Unicode string or subclass it
> will return that Unicode string without any additional decoding applied.

pushed to master

From rcritten at redhat.com Fri Feb 18 15:32:49 2011
From: rcritten at redhat.com (Rob Crittenden)
Date: Fri, 18 Feb 2011 10:32:49 -0500
Subject: [Freeipa-devel] [PATCH] 19 Cleanup for netgroup search
In-Reply-To: <201102171953.22787.jzeleny@redhat.com>
References: <201102171953.22787.jzeleny@redhat.com>
Message-ID: <4D5E9121.9080109@redhat.com>

Jan Zeleny wrote:
> JR Aquino wrote:
>> On 2/17/11 3:23 AM, "Jan Zelený" wrote:
>>> JR Aquino wrote:
>>>> This patch fixes the netgroup plugin's behavior of adding duplicate
>>>> entries when the managed entry plugin creates a netgroup with a
>>>> mepManagedEntry. This problem is documented in ticket:
>>>> https://fedorahosted.org/freeipa/ticket/963
>>>>
>>>> As noted by Endi for issue #3 in the History:
>>>> "3. Just out of curiosity, I tried adding a netgroup with the same name
>>>> as the hostgroup. I expected it to conflict with the managed netgroup,
>>>> but it actually worked. Searching the directory will return 2 netgroups
>>>> with the same name:"
>>>>
>>>> Historically the netgroup plugin had inappropriately defined:
>>>> rdn_attribute = 'ipauniqueid'
>>>> This caused the ability of duplication with the creation of native
>>>> netgroups using the ipaUniqueId as the DN and as the Managed Entry
>>>> netgroups utilizing the cn as the DN.
>>>>
>>>> Patch includes adjustments for the netgroup plugin and corresponding
>>>> test_netgroup_plugin
>>>>
>>>> Please verify that the items requested in #963 are now complete and
>>>> please confirm that the corresponding tests all pass.
>>>
>>> One test fails:
>>> FAIL: test_netgroup[30]: netgroup_remove_member: Remove netgroup u'netgroup2'
>>> from netgroup u'netgroup1'
>>>
>>> Command ipa host-show still shows:
>>> Member of netgroups: testhostgroup
>>>
>>> Also a little bit of nitpicking, I think the changed code in chunk 2
>>> would better look something like this:
>>>
>>>     search_kw = {}
>>>     search_kw['objectclass'] = ['mepManagedEntry']
>>>
>>>     if not options['private']:
>>>         local_filter = ldap.make_filter(search_kw, rules=ldap.MATCH_NONE)
>>>     else:
>>>         local_filter = ldap.make_filter(search_kw, rules=ldap.MATCH_ALL)
>>>
>>>     filter = ldap.combine_filters((local_filter, filter), rules=ldap.MATCH_ALL)
>>>
>>> --
>>> Jan
>>
>> It was determined that the ipauniqueid is required for the DN on these
>> objects.
>> It's an ipaAssociation which uses it as the rdn, if we change the problems
>> cascade
>>
>> This patch has now changed to reflect the optimization in the netgroup
>> search instead.
>> It provides a cleaner method of performing a netgroup search for native
>> netgroups and allows for the --private search to only display the
>> mepManagedEntry netgroups, rather than ALL netgroups. Previously --private
>> would return ALL netgroups.
>>
>> This means there is no need to modify test_netgroup_plugin.
>>
>> Please verify that the optimization / bugfix passes the standard
>> test_netgroup_plugin.
>
> Ack
>
> Jan

pushed to master

From rcritten at redhat.com Fri Feb 18 15:38:09 2011
From: rcritten at redhat.com (Rob Crittenden)
Date: Fri, 18 Feb 2011 10:38:09 -0500
Subject: [Freeipa-devel] [PATCH] 44 Fixes in ipa-join man page
In-Reply-To: <4D5E1493.7020008@redhat.com>
References: <201102151659.16032.jzeleny@redhat.com> <4D5B1021.6030904@redhat.com> <201102160845.14482.jzeleny@redhat.com> <4D5E1493.7020008@redhat.com>
Message-ID: <4D5E9261.4070909@redhat.com>

David O'Brien wrote:
> Jan Zelený wrote:
>> "David O'Brien" wrote:
>>> Jan Zelený wrote:
>>>> https://fedorahosted.org/freeipa/ticket/784
>>>> https://fedorahosted.org/freeipa/ticket/786
>>>> https://fedorahosted.org/freeipa/ticket/787
>>>>
>>>> Jan
>>> nack
>>>
>>> A few typos and style issues:
>>>
>>> -      _("File were to store the keytab information"), _("Keytab File Name") },
>>> +      _("File were to store the keytab information"), _("filename") },
>>>
>>> s/were/where
>>> I would actually reword it:
>>> "Specifies where to store keytab information."
>>>
>>> s/kerberos/Kerberos/g
>>> (unless lowercase is required for some reason.)
>>>
>>> +The hostname of IPA server (FQDN).
>>> "The hostname of the IPA server (FQDN)."
>>>
>>> Join IPA domain and retrieve a keytab with kerberos credentials.
>>> "Join an IPA domain and retrieve a keytab using Kerberos credentials."
>>
>> Ok, here is the second version of the patch. David, not all changes
>> you proposed are in the patch, I believe they are out of its scope. If
>> we go this way, I think a review should be done for all man pages, so
>> we don't fix just a couple of mistakes in this page and leave the same
>> mistakes in other man pages.
>>
>> Jan
> Yes, this topic of "global fixes" has come up elsewhere, and resources
> are unavailable for a review of all man pages.
>
> ack
>

pushed to master

From rcritten at redhat.com Fri Feb 18 15:57:12 2011
From: rcritten at redhat.com (Rob Crittenden)
Date: Fri, 18 Feb 2011 10:57:12 -0500
Subject: [Freeipa-devel] [PATCH] 055 Set ldap_netgroup_search_base for in ipa-client-install
In-Reply-To: <201102142100.55721.jzeleny@redhat.com>
References: <20110213170735.GA30604@zeppelin.brq.redhat.com> <201102142100.55721.jzeleny@redhat.com>
Message-ID: <4D5E96D8.2050903@redhat.com>

Jan Zeleny wrote:
> Jakub Hrozek wrote:
>> https://fedorahosted.org/freeipa/ticket/932
>
> ack
>
> Jan

The sssd project has added this for us so we no longer need to do this.

rob

From rcritten at redhat.com Fri Feb 18 16:11:25 2011
From: rcritten at redhat.com (Rob Crittenden)
Date: Fri, 18 Feb 2011 11:11:25 -0500
Subject: [Freeipa-devel] [PATCH] 733 add exit code info to ipa man page
Message-ID: <4D5E9A2D.9060804@redhat.com>

Add exit code info to the ipa command man page.

The tool I use, manedit, also escaped all dashes. Seems benign so I left it.

ticket 803

rob

-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-rcrit-733-man.patch
Type: application/mbox
Size: 2322 bytes

From jhrozek at redhat.com Fri Feb 18 17:39:16 2011
From: jhrozek at redhat.com (Jakub Hrozek)
Date: Fri, 18 Feb 2011 18:39:16 +0100
Subject: [Freeipa-devel] [PATCH] 733 add exit code info to ipa man page
In-Reply-To: <4D5E9A2D.9060804@redhat.com>
References: <4D5E9A2D.9060804@redhat.com>
Message-ID: <20110218173915.GB15811@zeppelin.brq.redhat.com>

On Fri, Feb 18, 2011 at 11:11:25AM -0500, Rob Crittenden wrote:
> Add exit code info to the ipa command man page.
>
> The tool I use, manedit, also escaped all dashes. Seems benign so I left it.

Yep, renders OK.

>
> ticket 803
>
> rob

Ack

From JR.Aquino at citrix.com Fri Feb 18 17:54:01 2011
From: JR.Aquino at citrix.com (JR Aquino)
Date: Fri, 18 Feb 2011 17:54:01 +0000
Subject: [Freeipa-devel] [PATCH] 730 managed netgroups immutable
In-Reply-To: <4D5D9F34.90105@redhat.com>

On 2/17/11 2:20 PM, "Rob Crittenden" wrote:
> JR Aquino wrote:
>> On 2/17/11 11:02 AM, "Rob Crittenden" wrote:
>>
>>> Managed netgroups (those created as a result of creating a hostgroup) should be immutable. This aci will deny writes to a managed netgroup.
>>>
>>> ticket 962
>>>
>>> rob
>>> _______________________________________________
>>> Freeipa-devel mailing list
>>> Freeipa-devel at redhat.com
>>> https://www.redhat.com/mailman/listinfo/freeipa-devel
>>
>> nack
>> Rebase?
>> Patch does not apply cleanly.
>>
>> # git apply freeipa-rcrit-730-netgroup.patch
>> freeipa-rcrit-730-netgroup.patch:18: new blank line at EOF.
>> +
>> error: patch failed: install/updates/Makefile.am:5
>> error: install/updates/Makefile.am: patch does not apply
>>
>
> Updated patch attached.
>
> Rob

ACK

# ipa hostgroup-add testing1
Description: test
--------------------------
Added hostgroup "testing1"
--------------------------
Host-group: testing1
Description: test
[root@auth2 freeipa]# ipa netgroup-find
-------------------
0 netgroups matched
-------------------
----------------------------
Number of entries returned 0
----------------------------
[root@auth2 freeipa]# ipa netgroup-find --private
------------------
1 netgroup matched
------------------
Netgroup name: testing1
Description: ipaNetgroup testing1
NIS domain name: example.com
Member Hostgroup: testing1
----------------------------
Number of entries returned 1
----------------------------
[root@auth2 freeipa]# ipa netgroup-add testing1
Description: test
ipa: ERROR: Constraint violation: Another entry with the same attribute value already exists (attribute: "cn")
[root@auth2 freeipa]#

From: edewata at redhat.com (Endi Sukma Dewata)
Date: Fri, 18 Feb 2011 13:08:35 -0600
Subject: [Freeipa-devel] [PATCH] 106 I18n update.
In-Reply-To: <4D5E8C88.3080400@redhat.com>
References: <4D5E2A62.8000003@redhat.com> <4D5E8C88.3080400@redhat.com>
Message-ID: <4D5EC3B3.8030705@redhat.com>

On 2/18/2011 9:13 AM, Adam Young wrote:
>> Hard-coded messages throughout the code have been replaced by i18n messages obtained from json_metadata and i18n_messages.
>>
>> https://fedorahosted.org/freeipa/ticket/899
>>
> Needs rebase, due to mkosek's big patch.

Attached is an updated version. I had to change IPA.cert into an entity because it has to be initialized after IPA.init() finishes loading the metadata & messages.

We might want to introduce a concept of plugin for Web UI (similar to plugin for ipalib). The first step is to rename IPA.entity_factories into IPA.plugins, but most of the work will be splitting the IPA.entity into plugin and real entity.

Patch #107 can be used without rebase.

-- 
Endi S. Dewata
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-edewata-0106-2-I18n-update.patch
Type: text/x-patch
Size: 145711 bytes

From: rcritten at redhat.com (Rob Crittenden)
Date: Fri, 18 Feb 2011 15:13:11 -0500
Subject: [Freeipa-devel] [PATCH] 733 add exit code info to ipa man page
In-Reply-To: <20110218173915.GB15811@zeppelin.brq.redhat.com>
References: <4D5E9A2D.9060804@redhat.com> <20110218173915.GB15811@zeppelin.brq.redhat.com>
Message-ID: <4D5ED2D7.8040806@redhat.com>

Jakub Hrozek wrote:
> On Fri, Feb 18, 2011 at 11:11:25AM -0500, Rob Crittenden wrote:
>> Add exit code info to the ipa command man page.
>>
>> The tool I use, manedit, also escaped all dashes. Seems benign so I left it.
>
> Yep, renders OK.
>
>>
>> ticket 803
>>
>> rob
>
> Ack

pushed to master

From: rcritten at redhat.com (Rob Crittenden)
Date: Fri, 18 Feb 2011 15:27:59 -0500
Subject: [Freeipa-devel] [PATCH] 062 Set SRV discovery for clients only if it succeeded during installation
In-Reply-To: <4D5E63C1.4050409@redhat.com>
References: <4D5E63C1.4050409@redhat.com>
Message-ID: <4D5ED64F.4090004@redhat.com>

Jakub Hrozek wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> This is a minor optimization that didn't occur to me yesterday when I was reviewing Rob's patch - sorry.
>
> The patch only adds _srv_ as the first entry if service discovery succeeded during ipa-client-install. This gets rid of the DNS timeout for cases where Bind is not included.

This seems like a good idea but I'm not seeing an extended delay right after sssd is restarted.

The advantage of leaving this in there is if they end up adding SRV records later they will be automatically picked up.

So not a nack, this is more of a policy question.

rob

From: rcritten at redhat.com (Rob Crittenden)
Date: Fri, 18 Feb 2011 15:30:05 -0500
Subject: [Freeipa-devel] [PATCH] 730 managed netgroups immutable
Message-ID: <4D5ED6CD.3050004@redhat.com>

JR Aquino wrote:
> On 2/17/11 2:20 PM, "Rob Crittenden" wrote:
>
>> JR Aquino wrote:
>>> On 2/17/11 11:02 AM, "Rob Crittenden" wrote:
>>>
>>>> Managed netgroups (those created as a result of creating a hostgroup) should be immutable. This aci will deny writes to a managed netgroup.
>>>>
>>>> ticket 962
>>>>
>>>> rob
>>>
>>> nack
>>> Rebase?
>>> Patch does not apply cleanly.
>>>
>>> # git apply freeipa-rcrit-730-netgroup.patch
>>> freeipa-rcrit-730-netgroup.patch:18: new blank line at EOF.
>>> +
>>> error: patch failed: install/updates/Makefile.am:5
>>> error: install/updates/Makefile.am: patch does not apply
>>>
>>
>> Updated patch attached.
>>
>> Rob
>
> ACK
>
> # ipa hostgroup-add testing1
> Description: test
> --------------------------
> Added hostgroup "testing1"
> --------------------------
> Host-group: testing1
> Description: test
> [root@auth2 freeipa]# ipa netgroup-find
> -------------------
> 0 netgroups matched
> -------------------
> ----------------------------
> Number of entries returned 0
> ----------------------------
> [root@auth2 freeipa]# ipa netgroup-find --private
> ------------------
> 1 netgroup matched
> ------------------
> Netgroup name: testing1
> Description: ipaNetgroup testing1
> NIS domain name: example.com
> Member Hostgroup: testing1
> ----------------------------
> Number of entries returned 1
> ----------------------------
> [root@auth2 freeipa]# ipa netgroup-add testing1
> Description: test
> ipa: ERROR: Constraint violation: Another entry with the same attribute value already exists (attribute: "cn")
> [root@auth2 freeipa]#
>

pushed to master

From: rcritten at redhat.com (Rob Crittenden)
Date: Fri, 18 Feb 2011 15:36:44 -0500
Subject: [Freeipa-devel] [PATCH] 063 Better doc for idnssoaminimum, minimum parameter values
In-Reply-To: <4D5E7598.9070509@redhat.com>
References: <4D5E7598.9070509@redhat.com>
Message-ID: <4D5ED85C.6080606@redhat.com>

Jakub Hrozek wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> The doc= value was misleading. The "minimum" value in SOA record defines how long NXDOMAIN responses should be cached. As per RFC 2308, the maximum allowed value should be 3 hours.
>
> Also, many parameters allowed negative values which really don't make sense there (and RFC 1035 disallows them).

ack, pushed to master

From: ssorce at redhat.com (Simo Sorce)
Date: Fri, 18 Feb 2011 15:53:52 -0500
Subject: [Freeipa-devel] [PATCH] 062 Set SRV discovery for clients only if it succeeded during installation
In-Reply-To: <4D5ED64F.4090004@redhat.com>
References: <4D5E63C1.4050409@redhat.com> <4D5ED64F.4090004@redhat.com>
Message-ID: <20110218155352.4f74a62a@willson.li.ssimo.org>

On Fri, 18 Feb 2011 15:27:59 -0500
Rob Crittenden wrote:

> Jakub Hrozek wrote:
> > -----BEGIN PGP SIGNED MESSAGE-----
> > Hash: SHA1
> >
> > This is a minor optimization that didn't occur to me yesterday when I was reviewing Rob's patch - sorry.
> >
> > The patch only adds _srv_ as the first entry if service discovery succeeded during ipa-client-install. This gets rid of the DNS timeout for cases where Bind is not included.
>
> This seems like a good idea but I'm not seeing an extended delay right after sssd is restarted.
>
> The advantage of leaving this in there is if they end up adding SRV records later they will be automatically picked up.
>
> So not a nack, this is more of a policy question.

I would not add this patch for this reason.

I don't think it will add any substantial delay to SSSD as searching for SRV when they do not exist will get back an immediate response.

I think the main issue we may face here is when someone installs an sssd client and there is also an AD domain around and SRV records point to it. Perhaps we should provide a manual flag to disable using dns records ...

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York

From: ssorce at redhat.com (Simo Sorce)
Date: Fri, 18 Feb 2011 17:10:24 -0500
Subject: [Freeipa-devel] [PATCH] 0086 add loginShell to winsynced users
Message-ID: <20110218171024.04d3ee1b@willson.li.ssimo.org>

Fixes #266

I haven't been able to test this as the Windows machine we have available decided to not behave today.
I may try again next week assuming I have time.

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-simo-0086-Set-the-loginShell-attribute-on-winsynced-entries-if.patch
Type: text/x-patch
Size: 10170 bytes

From: edewata at redhat.com (Endi Sukma Dewata)
Date: Fri, 18 Feb 2011 16:12:19 -0600
Subject: [Freeipa-devel] [PATCH] 106 I18n update.
In-Reply-To: <4D5EC3B3.8030705@redhat.com>
References: <4D5E2A62.8000003@redhat.com> <4D5E8C88.3080400@redhat.com> <4D5EC3B3.8030705@redhat.com>
Message-ID: <4D5EEEC3.1010404@redhat.com>

On 2/18/2011 1:08 PM, Endi Sukma Dewata wrote:
>>> Hard-coded messages throughout the code have been replaced by i18n messages obtained from json_metadata and i18n_messages.
>>>
>>> https://fedorahosted.org/freeipa/ticket/899
>>>
>> Needs rebase, due to mkosek's big patch.
>
> Attached is an updated version. I had to change IPA.cert into an entity because it has to be initialized after IPA.init() finishes loading the metadata & messages.
>
> We might want to introduce a concept of plugin for Web UI (similar to plugin for ipalib). The first step is to rename IPA.entity_factories into IPA.plugins, but most of the work will be splitting the IPA.entity into plugin and real entity.
>
> Patch #107 can be used without rebase.

Attached is a new version using the plugin framework. Please see certificate.js.

-- 
Endi S. Dewata
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-edewata-0106-3-I18n-update.patch
Type: text/x-patch
Size: 159589 bytes

From: rmeggins at redhat.com (Rich Megginson)
Date: Fri, 18 Feb 2011 15:13:25 -0700
Subject: [Freeipa-devel] [PATCH] 0086 add loginShell to winsynced users
In-Reply-To: <20110218171024.04d3ee1b@willson.li.ssimo.org>
References: <20110218171024.04d3ee1b@willson.li.ssimo.org>
Message-ID: <4D5EEF05.5080308@redhat.com>

On 02/18/2011 03:10 PM, Simo Sorce wrote:
> Fixes #266
>
> I haven't been able to test this as the Windows machine we have available decided to not behave today.
> I may try again next week assuming I have time.

ack

> Simo.

From: edewata at redhat.com (Endi Sukma Dewata)
Date: Fri, 18 Feb 2011 17:48:11 -0600
Subject: [Freeipa-devel] [PATCH] 108 Applied plugin framework on user and group.
Message-ID: <4D5F053B.3030209@redhat.com>

This patch demonstrates how to use the plugin framework with the existing entities. The plugin framework provides a name space for the classes, functions and variables specific for the plugin. Any code executed inside the init() method will be 'safe' because at that point the metadata and i18n messages have been loaded.

-- 
Endi S. Dewata
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-edewata-0108-Applied-plugin-framework-on-user-and-group.patch
Type: text/x-patch
Size: 5169 bytes

From: edewata at redhat.com (Endi Sukma Dewata)
Date: Fri, 18 Feb 2011 18:30:38 -0600
Subject: [Freeipa-devel] [PATCH] 109 Applied plugin framework on aci.
Message-ID: <4D5F0F2E.4030309@redhat.com>

-- 
Endi S. Dewata
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-edewata-0109-Applied-plugin-framework-on-aci.patch
Type: text/x-patch
Size: 8966 bytes

From: ayoung at redhat.com (Adam Young)
Date: Fri, 18 Feb 2011 21:36:29 -0500
Subject: [Freeipa-devel] [PATCH] 108 Applied plugin framework on user and group.
In-Reply-To: <4D5F053B.3030209@redhat.com>
References: <4D5F053B.3030209@redhat.com>
Message-ID: <4D5F2CAD.8080409@redhat.com>

On 02/18/2011 06:48 PM, Endi Sukma Dewata wrote:
> This patch demonstrates how to use the plugin framework with the existing entities. The plugin framework provides a name space for the classes, functions and variables specific for the plugin. Any code executed inside the init() method will be 'safe' because at that point the metadata and i18n messages have been loaded.

NACK. The approach is close, but not the design we should go with for the long term. This is a decent proof of concept, but should not be implemented as is.

From: ayoung at redhat.com (Adam Young)
Date: Fri, 18 Feb 2011 23:09:21 -0500
Subject: [Freeipa-devel] ipa-client-sudo
Message-ID: <4D5F4271.1060104@redhat.com>

Here's a rough hack. It follows the steps in the test script. I tested it out and it works.
-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: ipa-client-sudo

From: ayoung at redhat.com (Adam Young)
Date: Fri, 18 Feb 2011 23:35:25 -0500
Subject: [Freeipa-devel] [PATCH] 106 I18n update.
In-Reply-To: <4D5EEEC3.1010404@redhat.com>
References: <4D5E2A62.8000003@redhat.com> <4D5E8C88.3080400@redhat.com> <4D5EC3B3.8030705@redhat.com> <4D5EEEC3.1010404@redhat.com>
Message-ID: <4D5F488D.1020609@redhat.com>

On 02/18/2011 05:12 PM, Endi Sukma Dewata wrote:
> On 2/18/2011 1:08 PM, Endi Sukma Dewata wrote:
>>>> Hard-coded messages throughout the code have been replaced by i18n messages obtained from json_metadata and i18n_messages.
>>>>
>>>> https://fedorahosted.org/freeipa/ticket/899
>>>>
>>> Needs rebase, due to mkosek's big patch.
>>
>> Attached is an updated version. I had to change IPA.cert into an entity because it has to be initialized after IPA.init() finishes loading the metadata & messages.
>>
>> We might want to introduce a concept of plugin for Web UI (similar to plugin for ipalib). The first step is to rename IPA.entity_factories into IPA.plugins, but most of the work will be splitting the IPA.entity into plugin and real entity.
>>
>> Patch #107 can be used without rebase.
>
> Attached is a new version using the plugin framework. Please see certificate.js.
>

Every function is an Object. There is no reason to create an object, and then have an init method on it.

From: edewata at redhat.com (Endi Sukma Dewata)
Date: Fri, 18 Feb 2011 22:48:56 -0600
Subject: [Freeipa-devel] [PATCH] 106 I18n update.
In-Reply-To: <4D5F488D.1020609@redhat.com>
References: <4D5E2A62.8000003@redhat.com> <4D5E8C88.3080400@redhat.com> <4D5EC3B3.8030705@redhat.com> <4D5EEEC3.1010404@redhat.com> <4D5F488D.1020609@redhat.com>
Message-ID: <4D5F4BB8.5080100@redhat.com>

On 2/18/2011 10:35 PM, Adam Young wrote:
>>>>> Hard-coded messages throughout the code have been replaced by i18n messages obtained from json_metadata and i18n_messages.
>>>>>
>>>>> https://fedorahosted.org/freeipa/ticket/899
>>>>>
>>>> Needs rebase, due to mkosek's big patch.
>>>
>>> Attached is an updated version. I had to change IPA.cert into an entity because it has to be initialized after IPA.init() finishes loading the metadata & messages.
>>>
>>> We might want to introduce a concept of plugin for Web UI (similar to plugin for ipalib). The first step is to rename IPA.entity_factories into IPA.plugins, but most of the work will be splitting the IPA.entity into plugin and real entity.
>>>
>>> Patch #107 can be used without rebase.
>>
>> Attached is a new version using the plugin framework. Please see certificate.js.
>>
> Every function is an Object. There is no reason to create an object, and then have an init method on it.

I haven't had a chance to provide a long explanation for this, but please try to apply all patches that I've submitted (until 109) and see the user.js, group.js and certificate.js. I think they are clearly structured and easy to understand.

Try to think of "plugins" as "modules", and "init()" as "start()" or "main()", or some other terms. Once all entity files are converted to use this framework, it may be possible to remove init() from entity/facet/widget. The init() is not an unnecessary duplication of constructor, but it's a callback to indicate that the messages are loaded.

-- 
Endi S. Dewata

From: ssorce at redhat.com (Simo Sorce)
Date: Sat, 19 Feb 2011 10:33:57 -0500
Subject: [Freeipa-devel] ipa-client-sudo
In-Reply-To: <4D5F4271.1060104@redhat.com>
References: <4D5F4271.1060104@redhat.com>
Message-ID: <20110219103357.1b7f767a@willson.li.ssimo.org>

On Fri, 18 Feb 2011 23:09:21 -0500
Adam Young wrote:

> Here's a rough hack. It follows the steps in the test script. I tested it out and it works.

Truly a hack :)

Just one thing, do not change rc.local, it's wrong, if you really need to set the NIS domain (what for ?) then you set it like this:
NISDOMAIN=example.com
in /etc/sysconfig.network

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York

From: JR.Aquino at citrix.com (JR Aquino)
Date: Sat, 19 Feb 2011 17:00:15 +0000
Subject: [Freeipa-devel] ipa-client-sudo
In-Reply-To: <20110219103357.1b7f767a@willson.li.ssimo.org>

On 2/19/11 7:33 AM, "Simo Sorce" wrote:
> On Fri, 18 Feb 2011 23:09:21 -0500
> Adam Young wrote:
>
>> Here's a rough hack. It follows the steps in the test script. I tested it out and it works.
>
> Truly a hack :)

More specifically:

The script looks like it will functionally address RHEL6 + Fedora 14/15.
You'll want to be mindful of systems that need to use nss_ldap.conf due to incompatibility with SSSD. (I believe in RHEL5 ipa-client-install actually configures nss_ldap and not SSSD)
The script as it is, will stomp on the contents of the nss_ldap.conf file.

>
> Just one thing, do not change rc.local, it's wrong, if you really need to set the NIS domain (what for ?)

The domain must be set because the netgroup (and compat pieces of FreeIPA) populate the nisDomain attribute in the nisNetgroupTriple.

Thus when sudo does a netgroup look up to verify that the current host is part of a netgroup, it will fail the match because the nisdomain of the client must match that of this nisNetgroupTriple.

> then you set it like this:
> NISDOMAIN=example.com
> in /etc/sysconfig.network

There is actually a bug filed against fedora about /etc/sysconfig.network being broken.
https://bugzilla.redhat.com/show_bug.cgi?id=665465

(I will be opening another against RHEL through support this morning as the fedora ticket has languished.)

It only works if the system is utilizing the NIS Client as a whole (ypbind, portmap, yp.conf) ... Which is completely unnecessary.
nss_ldap/sssd provide lookups into ldap for the nisNetgroupTriple required to enumerate net groups in Linux.

>
> Simo.

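JR's point above is that a sudo netgroup lookup compares the client's NIS domain against the domain field of each nisNetgroupTriple, so a client with no NIS domain set never matches the triples the compat tree publishes. The following is an added illustration, not code from FreeIPA, sudo or glibc: it parses triples from a constructed LDIF entry and applies a simplified model of the innetgr(3)-style comparison. The model's rules are assumptions for the example (empty host/user field is a wildcard, "-" never matches, a field the caller does not pass is skipped, and the domain field is compared strictly, with an unset client domain represented as "").

```python
"""Match a client host against nisNetgroupTriple values (added example).

Simplified model, not glibc's innetgr: empty host/user fields are wildcards,
"-" never matches, fields the caller does not supply are not compared, and
the domain field is compared strictly so a client with no NIS domain ("")
only matches triples whose domain field is empty.
"""
import re
from typing import List, NamedTuple, Optional, Sequence

# (host,user,domain); each field may be empty, "-" or a plain value
TRIPLE_RE = re.compile(r"^\(\s*([^,()]*?)\s*,\s*([^,()]*?)\s*,\s*([^,()]*?)\s*\)$")

# Constructed sample entry: a netgroup wrapping a hostgroup, with the NIS
# domain baked into every triple, as the thread describes.
SAMPLE_LDIF = """\
dn: cn=testing1,cn=ng,cn=compat,dc=example,dc=com
objectClass: nisNetgroup
cn: testing1
nisNetgroupTriple: (host1.example.com,-,example.com)
nisNetgroupTriple: (host2.example.com,-,example.com)
"""


class Triple(NamedTuple):
    host: str
    user: str
    domain: str


def parse_triple(value: str) -> Triple:
    """Parse "(host,user,domain)"; raise ValueError on malformed input."""
    m = TRIPLE_RE.match(value.strip())
    if m is None:
        raise ValueError("malformed nisNetgroupTriple: %r" % value)
    return Triple(*m.groups())


def triples_from_ldif(ldif: str) -> List[str]:
    """Collect the nisNetgroupTriple values of one LDIF entry."""
    prefix = "nisNetgroupTriple:"
    return [line[len(prefix):].strip() for line in ldif.splitlines()
            if line.startswith(prefix)]


def _wild_match(field: str, wanted: Optional[str]) -> bool:
    """Host/user field: skipped if not asked, wildcard on "", never on "-"."""
    if wanted is None:
        return True
    if field == "":
        return True
    if field == "-":
        return False
    return field.lower() == wanted.lower()


def _domain_match(field: str, client_domain: str) -> bool:
    """Domain field is strict: an unset client domain ("") only matches ""."""
    return field.lower() == client_domain.lower()


def in_netgroup(triples: Sequence[str], host: Optional[str] = None,
                user: Optional[str] = None, client_domain: str = "") -> bool:
    """True if any triple admits host/user for a client in client_domain."""
    for raw in triples:
        t = parse_triple(raw)
        if (_wild_match(t.host, host) and _wild_match(t.user, user)
                and _domain_match(t.domain, client_domain)):
            return True
    return False


def explain(triples: Sequence[str], host: str, client_domain: str) -> str:
    """Verdict with the most common cause spelled out, for troubleshooting."""
    if in_netgroup(triples, host=host, client_domain=client_domain):
        return "match"
    if client_domain == "" and any(parse_triple(t).domain for t in triples):
        return "no match: triples carry a NIS domain but the client has none set"
    return "no match"


if __name__ == "__main__":
    triples = triples_from_ldif(SAMPLE_LDIF)
    for dom in ("example.com", ""):
        print("host1.example.com, client domain %r: %s"
              % (dom, explain(triples, "host1.example.com", dom)))
```

Running the block shows the same host matching with the domain set and failing with it unset, which is the failure mode the thread attributes to an unconfigured NISDOMAIN.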
From: ayoung at redhat.com (Adam Young)
Date: Sat, 19 Feb 2011 16:04:00 -0500
Subject: [Freeipa-devel] ipa-client-sudo
Message-ID: <4D603040.90808@redhat.com>

On 02/19/2011 12:00 PM, JR Aquino wrote:
> On 2/19/11 7:33 AM, "Simo Sorce" wrote:
>
>> On Fri, 18 Feb 2011 23:09:21 -0500
>> Adam Young wrote:
>>
>>> Here's a rough hack. It follows the steps in the test script. I tested it out and it works.
>> Truly a hack :)
> More specifically:
>
> The script looks like it will functionally address RHEL6 + Fedora 14/15.
> You'll want to be mindful of systems that need to use nss_ldap.conf due to incompatibility with SSSD. (I believe in RHEL5 ipa-client-install actually configures nss_ldap and not SSSD)
> The script as it is, will stomp on the contents of the nss_ldap.conf file.
>
>
>> Just one thing, do not change rc.local, it's wrong, if you really need to set the NIS domain (what for ?)
> The domain must be set because the netgroup (and compat pieces of FreeIPA) populate the nisDomain attribute in the nisNetgroupTriple.
>
> Thus when sudo does a netgroup look up to verify that the current host is part of a netgroup, it will fail the match because the nisdomain of the client must match that of this nisNetgroupTriple.
>
>> then you set it like this:
>> NISDOMAIN=example.com
>> in /etc/sysconfig.network

Yeah, that is better. I think also that authconfig supports it, via:

--nisdomain= default NIS domain

But this was a direct translation of the SUDO test script.

> There is actually a bug filed against fedora about /etc/sysconfig.network being broken.
> https://bugzilla.redhat.com/show_bug.cgi?id=665465
>
> (I will be opening another against RHEL through support this morning as the fedora ticket has languished.)
>
> It only works if the system is utilizing the NIS Client as a whole (ypbind, portmap, yp.conf) ... Which is completely unnecessary.
> nss_ldap/sssd provide lookups into ldap for the nisNetgroupTriple required to enumerate net groups in Linux.
>
>
>> Simo.

From: ayoung at redhat.com (Adam Young)
Date: Sat, 19 Feb 2011 16:05:55 -0500
Subject: [Freeipa-devel] ipa-client-sudo
In-Reply-To: <20110219103357.1b7f767a@willson.li.ssimo.org>
References: <4D5F4271.1060104@redhat.com> <20110219103357.1b7f767a@willson.li.ssimo.org>
Message-ID: <4D6030B3.4030709@redhat.com>

On 02/19/2011 10:33 AM, Simo Sorce wrote:
> On Fri, 18 Feb 2011 23:09:21 -0500
> Adam Young wrote:
>
>> Here's a rough hack. It follows the steps in the test script. I tested it out and it works.
> Truly a hack :)

Yeah, I really just wanted something to make sure that SUDO was working for me, that was reproducible. Long term, SSSD should be the solution, and in the medium term (2.1) it should go into ipa-client-install. That said, I think it shows pretty clearly where the config values come from and where they need to go. But yeah, it's a hack.

> Just one thing, do not change rc.local, it's wrong, if you really need to set the NIS domain (what for ?) then you set it like this:
> NISDOMAIN=example.com
> in /etc/sysconfig.network
>
> Simo.
>

From: ayoung at redhat.com (Adam Young)
Date: Sat, 19 Feb 2011 16:28:16 -0500
Subject: [Freeipa-devel] [PATCH] 106 I18n update.
In-Reply-To: <4D5F4BB8.5080100@redhat.com>
References: <4D5E2A62.8000003@redhat.com> <4D5E8C88.3080400@redhat.com> <4D5EC3B3.8030705@redhat.com> <4D5EEEC3.1010404@redhat.com> <4D5F488D.1020609@redhat.com> <4D5F4BB8.5080100@redhat.com>
Message-ID: <4D6035F0.9020601@redhat.com>

Here's what I was alluding to in the prior email and in chat. I wrote and tested it in Rhino, but it is standard javascript.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: registry.js
Type: text/javascript
Size: 507 bytes

From: ayoung at redhat.com (Adam Young)
Date: Sat, 19 Feb 2011 16:36:17 -0500
Subject: [Freeipa-devel] [PATCH] 106 I18n update.
In-Reply-To: <4D5F4BB8.5080100@redhat.com>
References: <4D5E2A62.8000003@redhat.com> <4D5E8C88.3080400@redhat.com> <4D5EC3B3.8030705@redhat.com> <4D5EEEC3.1010404@redhat.com> <4D5F488D.1020609@redhat.com> <4D5F4BB8.5080100@redhat.com>
Message-ID: <4D6037D1.3000909@redhat.com>

Here's a better version, showing the chaining of dependencies.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: registry.js
Type: text/javascript
Size: 674 bytes

From: rcritten at redhat.com (Rob Crittenden)
Date: Sat, 19 Feb 2011 23:47:45 -0500
Subject: [Freeipa-devel] [PATCH] 734 Add handling for indirect memberof other entries.
Message-ID: <4D609CF1.8050801@redhat.com>

This creates a new custom attribute, memberofindirect_[plugin]. Using this you can tell the difference between being an actual memberof another entry and being a memberof as the result of inheritance. This is particularly useful when trying to remove members of an entry, you can only remove direct members.

I had to add a couple of short sleep calls to make things work a little better. The memberof plugin runs as a postop and we have no way of knowing when it has done its work. If we don't pause we may show some stale data that memberof hasn't updated yet. .3 seconds is an arbitrary choice.

The ticket has an excellent test case for this. Similar tests can be done for users/groups and hosts/hostgroups.

ticket 966

rob
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-rcrit-734-indirect.patch
Type: application/mbox
Size: 18612 bytes

From: jhrozek at redhat.com (Jakub Hrozek)
Date: Mon, 21 Feb 2011 11:56:39 +0100
Subject: [Freeipa-devel] [PATCH] 734 Add handling for indirect memberof other entries.
In-Reply-To: <4D609CF1.8050801@redhat.com>
References: <4D609CF1.8050801@redhat.com>
Message-ID: <20110221105632.GA14509@zeppelin.brq.redhat.com>

On Sat, Feb 19, 2011 at 11:47:45PM -0500, Rob Crittenden wrote:
> This creates a new custom attribute, memberofindirect_[plugin]. Using this you can tell the difference between being an actual memberof another entry and being a memberof as the result of inheritance. This is particularly useful when trying to remove members of an entry, you can only remove direct members.
>
> I had to add a couple of short sleep calls to make things work a little better. The memberof plugin runs as a postop and we have no way of knowing when it has done its work. If we don't pause we may show some stale data that memberof hasn't updated yet. .3 seconds is an arbitrary choice.
>

I don't know the DS plugin architecture well enough but there's no callback or anything we can hook to? If the machine swaps or something, we might get incorrect data with the sleep anyway..

> The ticket has an excellent test case for this. Similar tests can be done for users/groups and hosts/hostgroups.
>
> ticket 966
>
> rob
>

The testcase is failing for me:
test_group[13]: hostgroup_add: Create u'testhostgroup1' ... FAIL
test_group[14]: hostgroup_add: Create u'testhostgroup2' ... FAIL

It seems that the objectclasses should be updated:
expected = [u'ipaobject', u'ipahostgroup', u'nestedGroup', u'groupOfNames', u'top']
got = [u'ipaobject', u'ipahostgroup', u'nestedGroup', u'groupOfNames', u'top', u'mepOriginEntry']

From: ssorce at redhat.com (Simo Sorce)
Date: Mon, 21 Feb 2011 08:32:17 -0500
Subject: [Freeipa-devel] [PATCH] 734 Add handling for indirect memberof other entries.
In-Reply-To: <20110221105632.GA14509@zeppelin.brq.redhat.com>
References: <4D609CF1.8050801@redhat.com> <20110221105632.GA14509@zeppelin.brq.redhat.com>
Message-ID: <20110221083217.541bef21@willson.li.ssimo.org>

On Mon, 21 Feb 2011 11:56:39 +0100
Jakub Hrozek wrote:

> On Sat, Feb 19, 2011 at 11:47:45PM -0500, Rob Crittenden wrote:
> > I had to add a couple of short sleep calls to make things work a little better. The memberof plugin runs as a postop and we have no way of knowing when it has done its work. If we don't pause we may show some stale data that memberof hasn't updated yet. .3 seconds is an arbitrary choice.
> >
>
> I don't know the DS plugin architecture well enough but there's no callback or anything we can hook to? If the machine swaps or something, we might get incorrect data with the sleep anyway..

Unfortunately the way plugins are done, post-ops are pretty much impossible to catch from the outside.

And I really don't like this either.
I would definitely prefer for the reply to the modifying client to wait until the memberof plugin is done, even if this means the operations will be slow.
But I don't know if this can be done easily with the current DS architecture ...

The problem is that we cannot even enter a read loop to wait smaller amounts of time until we get back the right answer because a competing client may change the membership while we are waiting and cause us to loop forever ...

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York

From: rcritten at redhat.com (Rob Crittenden)
Date: Mon, 21 Feb 2011 08:52:09 -0500
Subject: [Freeipa-devel] [PATCH] 734 Add handling for indirect memberof other entries.
In-Reply-To: <20110221083217.541bef21@willson.li.ssimo.org>
References: <4D609CF1.8050801@redhat.com> <20110221105632.GA14509@zeppelin.brq.redhat.com> <20110221083217.541bef21@willson.li.ssimo.org>
Message-ID: <4D626E09.5040002@redhat.com>

Simo Sorce wrote:
> On Mon, 21 Feb 2011 11:56:39 +0100
> Jakub Hrozek wrote:
>
>> On Sat, Feb 19, 2011 at 11:47:45PM -0500, Rob Crittenden wrote:
>>> I had to add a couple of short sleep calls to make things work a little better. The memberof plugin runs as a postop and we have no way of knowing when it has done its work. If we don't pause we may show some stale data that memberof hasn't updated yet. .3 seconds is an arbitrary choice.
>>>
>>
>> I don't know the DS plugin architecture well enough but there's no callback or anything we can hook to? If the machine swaps or something, we might get incorrect data with the sleep anyway..
>
> Unfortunately the way plugins are done, post-ops are pretty much impossible to catch from the outside.
>
> And I really don't like this either.
> I would definitely prefer for the reply to the modifying client to wait until the memberof plugin is done, even if this means the operations will be slow.
> But I don't know if this can be done easily with the current DS architecture ...
>
> The problem is that we cannot even enter a read loop to wait smaller amounts of time until we get back the right answer because a competing client may change the membership while we are waiting and cause us to loop forever ...
>
> Simo.
>

This is the same conclusion I came to and decided that a brief sleep is the lesser of evils.

rob

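Two things in the 734 thread above lend themselves to a worked illustration: the direct-versus-inherited distinction the memberofindirect attribute encodes, and the post-op timing problem behind the sleep calls. The block below is an added example, not the patch or FreeIPA code. It builds a small in-memory directory using the attribute names the 389-ds memberOf plugin maintains (member, memberOf), derives the indirect set as memberOf minus the entries that list the DN directly in member, and shows a bounded re-read loop (the read_entry callback standing in for an LDAP search is an assumption) that gives up after a fixed number of attempts rather than waiting indefinitely on a membership that a competing client may keep changing.

```python
"""Direct vs. inherited memberOf, and a bounded wait for the post-op (added example)."""
import time
from typing import Callable, Dict, List, Set, Tuple

Entry = Dict[str, List[str]]      # attribute -> values, like an LDAP entry
Directory = Dict[str, Entry]      # dn -> entry

BASE = "dc=example,dc=com"
ALICE = "uid=alice,cn=users,cn=accounts," + BASE
DEVS = "cn=devs,cn=groups,cn=accounts," + BASE
STAFF = "cn=staff,cn=groups,cn=accounts," + BASE

# Constructed directory: alice is a direct member of devs, devs is a direct
# member of staff, so alice's memberOf carries staff only by inheritance.
DIRECTORY: Directory = {
    STAFF: {"member": [DEVS]},
    DEVS: {"member": [ALICE], "memberOf": [STAFF]},
    ALICE: {"memberOf": [DEVS, STAFF]},
}


def direct_parents(directory: Directory, dn: str) -> Set[str]:
    """Entries whose member attribute names dn explicitly."""
    return {parent for parent, e in directory.items() if dn in e.get("member", [])}


def split_memberof(directory: Directory, dn: str) -> Tuple[Set[str], Set[str]]:
    """Partition dn's memberOf values into (direct, indirect)."""
    memberof = set(directory[dn].get("memberOf", []))
    direct = memberof & direct_parents(directory, dn)
    return direct, memberof - direct


def can_remove_member(directory: Directory, group_dn: str, member_dn: str) -> bool:
    """Only a direct member can be removed from a group; an inherited
    membership has to be undone on the intermediate group instead."""
    return member_dn in directory[group_dn].get("member", [])


def wait_for_memberof(read_entry: Callable[[str], Entry], dn: str, expected: Set[str],
                      attempts: int = 3, delay: float = 0.3) -> bool:
    """Re-read dn until memberOf contains expected, giving up after attempts
    so a concurrent writer cannot keep the caller polling forever."""
    for i in range(attempts):
        if expected <= set(read_entry(dn).get("memberOf", [])):
            return True
        if i + 1 < attempts:
            time.sleep(delay)
    return False


def make_lagging_reader(directory: Directory, stale_reads: int) -> Callable[[str], Entry]:
    """Simulate a post-op that has not run yet: the first stale_reads reads
    come back without memberOf, later reads return the real entry."""
    state = {"reads": 0}

    def read_entry(dn: str) -> Entry:
        state["reads"] += 1
        entry = directory[dn]
        if state["reads"] <= stale_reads:
            return {k: v for k, v in entry.items() if k != "memberOf"}
        return entry
    return read_entry


if __name__ == "__main__":
    direct, indirect = split_memberof(DIRECTORY, ALICE)
    print("direct:", sorted(direct))
    print("indirect:", sorted(indirect))
    print("remove alice from staff allowed:", can_remove_member(DIRECTORY, STAFF, ALICE))
    print("memberOf settled:", wait_for_memberof(make_lagging_reader(DIRECTORY, 1),
                                                 ALICE, {DEVS, STAFF}, delay=0))
```

The bounded loop does not remove the race Simo describes; it only caps how long a caller can be held up by it, which is the trade-off the thread settles on with a fixed sleep.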
From: rcritten at redhat.com (Rob Crittenden)
Date: Mon, 21 Feb 2011 08:53:40 -0500
Subject: [Freeipa-devel] [PATCH] 734 Add handling for indirect memberof other entries.
In-Reply-To: <20110221105632.GA14509@zeppelin.brq.redhat.com>
References: <4D609CF1.8050801@redhat.com> <20110221105632.GA14509@zeppelin.brq.redhat.com>
Message-ID: <4D626E64.2080700@redhat.com>

Jakub Hrozek wrote:
> On Sat, Feb 19, 2011 at 11:47:45PM -0500, Rob Crittenden wrote:
>> This creates a new custom attribute, memberofindirect_[plugin]. Using this you can tell the difference between being an actual memberof another entry and being a memberof as the result of inheritance. This is particularly useful when trying to remove members of an entry, you can only remove direct members.
>>
>> I had to add a couple of short sleep calls to make things work a little better. The memberof plugin runs as a postop and we have no way of knowing when it has done its work. If we don't pause we may show some stale data that memberof hasn't updated yet. .3 seconds is an arbitrary choice.
>
> I don't know the DS plugin architecture well enough but there's no callback or anything we can hook to? If the machine swaps or something, we might get incorrect data with the sleep anyway..
>
>> The ticket has an excellent test case for this. Similar tests can be done for users/groups and hosts/hostgroups.
>>
>> ticket 966
>>
>> rob
>
> The testcase is failing for me:
> test_group[13]: hostgroup_add: Create u'testhostgroup1' ... FAIL
> test_group[14]: hostgroup_add: Create u'testhostgroup2' ... FAIL
>
> It seems that the objectclasses should be updated:
> expected = [u'ipaobject', u'ipahostgroup', u'nestedGroup', u'groupOfNames', u'top']
> got = [u'ipaobject', u'ipahostgroup', u'nestedGroup', u'groupOfNames', u'top', u'mepOriginEntry']

Oh, that's because we create the netgroup now. Strange that I didn't see that, I just redid my base install on Thursday.

I'll update that and give it another go.

rob
From: dpal at redhat.com (Dmitri Pal)
Date: Mon, 21 Feb 2011 09:24:58 -0500
Subject: [Freeipa-devel] [PATCH] 734 Add handling for indirect memberof other entries.
In-Reply-To: <4D626E09.5040002@redhat.com>
References: <4D609CF1.8050801@redhat.com> <20110221105632.GA14509@zeppelin.brq.redhat.com> <20110221083217.541bef21@willson.li.ssimo.org> <4D626E09.5040002@redhat.com>
Message-ID: <4D6275BA.4090604@redhat.com>

On 02/21/2011 08:52 AM, Rob Crittenden wrote:
> Simo Sorce wrote:
>> On Mon, 21 Feb 2011 11:56:39 +0100 Jakub Hrozek wrote:
>>> On Sat, Feb 19, 2011 at 11:47:45PM -0500, Rob Crittenden wrote:
>>>> I had to add a couple of short sleep calls to make things work a little better. The memberof plugin runs as a postop and we have no way of knowing when it has done its work. If we don't pause we may show some stale data that memberof hasn't updated yet. .3 seconds is an arbitrary choice.
>>>
>>> I don't know the DS plugin architecture well enough but there's no callback or anything we can hook to? If the machine swaps or something, we might get incorrect data with the sleep anyway..
>>
>> Unfortunately the way plugins are done, post-ops are pretty much impossible to catch from the outside.
>>
>> And I really don't like this either. I would definitely prefer for the reply to the modifying client to wait until the memberof plugin is done, even if this means the operations will be slow. But I don't know if this can be done easily with the current DS architecture ...
>>
>> The problem is that we cannot even enter a read loop to wait smaller amounts of time until we get back the right answer, because a competing client may change the membership while we are waiting and cause us to loop forever ...
>>
>> Simo.
>
> This is the same conclusion I came to and decided that a brief sleep is the lesser of evils.

Can this be fixed by the memberOf plugin? If the memberOf plugin is modified to also change/set the attribute there should not be a race condition. What is the recommendation from Rich and Nathan? I am fine with the temp fix but should we have a ticket to fix it in a better way in 2.1?

> rob

-- 
Thank you,
Dmitri Pal
Sr. Engineering Manager IPA project, Red Hat Inc.
-------------------------------
Looking to carve out IT costs?
www.redhat.com/carveoutcosts/
From: dpal at redhat.com (Dmitri Pal)
Date: Mon, 21 Feb 2011 09:33:27 -0500
Subject: [Freeipa-devel] [PATCH] 0085 Register client into DNS on install
In-Reply-To: <20110217154614.4389630c@willson.li.ssimo.org>
References: <20110217113430.545cbdc1@willson.li.ssimo.org> <20110217115352.44af250f@willson.li.ssimo.org> <20110217154614.4389630c@willson.li.ssimo.org>
Message-ID: <4D6277B7.6040403@redhat.com>

On 02/17/2011 03:46 PM, Simo Sorce wrote:
> On Thu, 17 Feb 2011 11:53:52 -0500 Simo Sorce wrote:
>> On Thu, 17 Feb 2011 11:34:30 -0500 Simo Sorce wrote:
>>> If DNS Updates are available then try to register the ip address as determined by connecting to the ipa server.
>>>
>>> This also allows the creation of the DNS A record if none was available before, which means you can add clients without having to pre-register them in the DNS.
>>>
>>> Fixes #935
>>>
>>> Simo.
>>
>> Forgot to add rpm dependency on bind-utils for the client package.
>>
>> New patch attached.
>
> After discussing dns updates a bit with Rob and Stephen on IRC, here is a third patch that adds a --enable-dns-updates option.
>
> Dns updates are performed only if this option is enabled or no entry exists in DNS at all for the host.
>
> If the option is enabled sssd is also configured to keep updating the DNS during the life of the machine so that IP changes (laptops, dhcp, etc..) are recorded in DNS properly.
>
> Simo.

I do not see a man page updated with the newly added flag. Please open a separate ticket for this effort since the patch has already been pushed.

-- 
Thank you,
Dmitri Pal
Sr. Engineering Manager IPA project, Red Hat Inc.
From: rcritten at redhat.com (Rob Crittenden)
Date: Mon, 21 Feb 2011 09:43:25 -0500
Subject: [Freeipa-devel] [PATCH] 734 Add handling for indirect memberof other entries.
In-Reply-To: <4D6275BA.4090604@redhat.com>
References: <4D609CF1.8050801@redhat.com> <20110221105632.GA14509@zeppelin.brq.redhat.com> <20110221083217.541bef21@willson.li.ssimo.org> <4D626E09.5040002@redhat.com> <4D6275BA.4090604@redhat.com>
Message-ID: <4D627A0D.1000705@redhat.com>

Dmitri Pal wrote:
> On 02/21/2011 08:52 AM, Rob Crittenden wrote:
>> Simo Sorce wrote:
>>> On Mon, 21 Feb 2011 11:56:39 +0100 Jakub Hrozek wrote:
>>>> On Sat, Feb 19, 2011 at 11:47:45PM -0500, Rob Crittenden wrote:
>>>>> I had to add a couple of short sleep calls to make things work a little better. The memberof plugin runs as a postop and we have no way of knowing when it has done its work. If we don't pause we may show some stale data that memberof hasn't updated yet. .3 seconds is an arbitrary choice.
>>>>
>>>> I don't know the DS plugin architecture well enough but there's no callback or anything we can hook to? If the machine swaps or something, we might get incorrect data with the sleep anyway..
>>>
>>> Unfortunately the way plugins are done, post-ops are pretty much impossible to catch from the outside.
>>>
>>> And I really don't like this either. I would definitely prefer for the reply to the modifying client to wait until the memberof plugin is done, even if this means the operations will be slow. But I don't know if this can be done easily with the current DS architecture ...
>>>
>>> The problem is that we cannot even enter a read loop to wait smaller amounts of time until we get back the right answer, because a competing client may change the membership while we are waiting and cause us to loop forever ...
>>>
>>> Simo.
>>
>> This is the same conclusion I came to and decided that a brief sleep is the lesser of evils.
>
> Can this be fixed by the memberOf plugin? If the memberOf plugin is modified to also change/set the attribute there should not be a race condition. What is the recommendation from Rich and Nathan? I am fine with the temp fix but should we have a ticket to fix it in a better way in 2.1?

This is a race condition only in that we're racing against the memberOf plugin. Take the case of a group and a member user: if you remove the member attribute from the group then immediately do an ldap search for ("member=cn=group,...") you may very well get the user if the memberOf operation isn't completed yet. In this case it makes the user look like an indirect member of the group (because they are no longer in the group's member attribute).

I talked to Nathan about this on Friday. memberOf runs as a postop so only runs once the modification results have been sent. So from the IPA perspective the work is complete and we move along. We don't get any sort of ID that we can query on to see if memberOf is done, and at the point of our operation we have no idea what scope of work memberOf has to do, it could be extensive (think about a group of 1000 users and you delete the group, it has to remove memberOf from all those 1000 users).

rob
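The direct/indirect split that patch 734 introduces, and the bounded-wait concern Simo raises, as an added illustration that is not part of this thread and not FreeIPA or 389 DS code: a small in-memory model of nested groups (the DN layout follows FreeIPA's only by assumption, and the data is constructed), a remove-member operation that refuses indirect members and names the nested group they come through, and a poll helper that gives up after a fixed number of attempts instead of looping forever.

```python
"""Direct vs. indirect membership, and a bounded wait for memberOf.

Added illustration for the memberOf discussion above; it is not FreeIPA
or 389 DS code.  The directory is a constructed in-memory dict of
DN -> attributes, and the DN layout only follows FreeIPA's by assumption.
"""
import time

SUFFIX = "dc=example,dc=test"  # constructed suffix


def group_dn(cn):
    return "cn=%s,cn=groups,cn=accounts,%s" % (cn, SUFFIX)


def user_dn(uid):
    return "uid=%s,cn=users,cn=accounts,%s" % (uid, SUFFIX)


def sample_directory():
    """Constructed data: admins holds alice and the devops group, devops
    holds bob and the oncall group, oncall holds carol."""
    return {
        group_dn("admins"): {"member": [user_dn("alice"), group_dn("devops")]},
        group_dn("devops"): {"member": [user_dn("bob"), group_dn("oncall")]},
        group_dn("oncall"): {"member": [user_dn("carol")]},
        user_dn("alice"): {},
        user_dn("bob"): {},
        user_dn("carol"): {},
    }


DIRECTORY = sample_directory()


def direct_members(directory, gdn):
    return set(directory[gdn].get("member", []))


def all_members(directory, gdn):
    """Transitive closure of 'member': the flattened view that memberOf
    ends up recording on the member entries once it has run."""
    seen, stack = set(), [gdn]
    while stack:
        for m in direct_members(directory, stack.pop()):
            if m not in seen:
                seen.add(m)
                if "member" in directory.get(m, {}):
                    stack.append(m)
    return seen


def split_members(directory, gdn):
    """(member, memberindirect): only the first set can be removed from gdn."""
    direct = direct_members(directory, gdn)
    return direct, all_members(directory, gdn) - direct


def split_memberof(directory, dn):
    """(memberof, memberofindirect) seen from the member entry's side."""
    groups = [g for g in directory if "member" in directory[g]]
    direct = {g for g in groups if dn in directory[g]["member"]}
    indirect = {g for g in groups if dn in all_members(directory, g)} - direct
    return direct, indirect


def remove_member(directory, gdn, dn):
    """Remove a direct member; an indirect member is refused, naming the
    nested group(s) it would have to be removed from instead."""
    direct, indirect = split_members(directory, gdn)
    if dn in direct:
        directory[gdn]["member"].remove(dn)
        return True
    if dn in indirect:
        nested = all_members(directory, gdn)
        via = sorted(g for g in nested
                     if dn in directory.get(g, {}).get("member", []))
        raise ValueError("%s is only an indirect member of %s (via %s)"
                         % (dn, gdn, ", ".join(via)))
    raise ValueError("%s is not a member of %s" % (dn, gdn))


def read_until(search, is_fresh, attempts=5, delay=0.05):
    """Poll search() until is_fresh() accepts the result, at most
    'attempts' times.  Bounded on purpose: an open-ended loop could spin
    forever when other clients keep changing the membership underneath."""
    result = search()
    for _ in range(attempts - 1):
        if is_fresh(result):
            return result, True
        time.sleep(delay)
        result = search()
    return result, is_fresh(result)


def counting_search():
    """Constructed stand-in for a search whose answer changes every call
    (1, 2, 3, ...), so read_until can be exercised without a server."""
    calls = [0]

    def search():
        calls[0] += 1
        return calls[0]
    return search


if __name__ == "__main__":
    direct, indirect = split_members(DIRECTORY, group_dn("admins"))
    print("direct:", sorted(direct))
    print("indirect:", sorted(indirect))
    print(read_until(counting_search(), lambda r: r >= 3, delay=0))
```

The second element returned by read_until tells the caller whether the data was confirmed fresh or whether the attempt budget ran out, so a command can report stale output instead of silently showing it.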
From: rcritten at redhat.com (Rob Crittenden)
Date: Mon, 21 Feb 2011 09:44:49 -0500
Subject: [Freeipa-devel] [PATCH] 734 Add handling for indirect memberof other entries.
In-Reply-To: <4D626E64.2080700@redhat.com>
References: <4D609CF1.8050801@redhat.com> <20110221105632.GA14509@zeppelin.brq.redhat.com> <4D626E64.2080700@redhat.com>
Message-ID: <4D627A61.3010603@redhat.com>

Rob Crittenden wrote:
> Jakub Hrozek wrote:
>> On Sat, Feb 19, 2011 at 11:47:45PM -0500, Rob Crittenden wrote:
>>> This creates a new custom attribute, memberofindirect_[plugin]. Using this you can tell the difference between being an actual memberof another entry and being a memberof as the result of inheritance. This is particularly useful when trying to remove members of an entry, you can only remove direct members.
>>>
>>> I had to add a couple of short sleep calls to make things work a little better. The memberof plugin runs as a postop and we have no way of knowing when it has done its work. If we don't pause we may show some stale data that memberof hasn't updated yet. .3 seconds is an arbitrary choice.
>>
>> I don't know the DS plugin architecture well enough but there's no callback or anything we can hook to? If the machine swaps or something, we might get incorrect data with the sleep anyway..
>>
>>> The ticket has an excellent test case for this. Similar tests can be done for users/groups and hosts/hostgroups.
>>>
>>> ticket 966
>>>
>>> rob
>>
>> The testcase is failing for me:
>> test_group[13]: hostgroup_add: Create u'testhostgroup1' ... FAIL
>> test_group[14]: hostgroup_add: Create u'testhostgroup2' ... FAIL
>>
>> It seems that the objectclasses should be updated:
>> expected = [u'ipaobject', u'ipahostgroup', u'nestedGroup', u'groupOfNames', u'top']
>> got = [u'ipaobject', u'ipahostgroup', u'nestedGroup', u'groupOfNames', u'top', u'mepOriginEntry']
>
> Oh, that's because we create the netgroup now. Strange that I didn't see that, I just redid my base install on Thursday. I'll update that and give it another go.
>
> rob

Updated patch

rob

-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-rcrit-734-2-indirect.patch
Type: application/mbox
Size: 18995 bytes
From: rcritten at redhat.com (Rob Crittenden)
Date: Mon, 21 Feb 2011 10:11:38 -0500
Subject: [Freeipa-devel] [PATCH] 728 default roles
In-Reply-To: <4D5E9066.7010102@redhat.com>
References: <4D5C977C.1020408@redhat.com> <4D5E8ABA.5090306@redhat.com> <4D5E9066.7010102@redhat.com>
Message-ID: <4D6280AA.2050805@redhat.com>

Rob Crittenden wrote:
> Jakub Hrozek wrote:
>> On 02/17/2011 04:35 AM, Rob Crittenden wrote:
>>> Add default roles and permissions for HBAC, SUDO and pw policy
>>>
>>> Created some default roles as examples. In doing so I realized that we were completely missing default rules for HBAC, SUDO and password policy so I added those as well.
>>>
>>> I ran into a problem when the updater has a default record and an add at the same time, it should handle it better now.
>>>
>>> ticket 585
>>>
>>> rob
>>
>> I'm not sure about the HBAC rules ACIs. They are specified as:
>>
>> 'target = "ldap:///cn=*,cn=hbac,$SUFFIX"'
>>
>> while HBAC rules' DN is:
>>
>> 'ipauniqueid=*,cn=hbac,$SUFFIX'.
>>
>> But HBAC rules do have a cn: attribute, so maybe the ACIs would work?
>
> No, you're right, this is wrong. I'll fix it up and resubmit.
>
>> The patch also needs rebasing on top of recent changes to install/updates/Makefile.am
>>
>> Other than that, looks OK to me.
>>
>> btw when I was reviewing this patch, I noticed we add a "DNS Administrators" privilege in dns.ldif. Would it make sense to add DNS administration to "Security Architect" (replication management) and "IT Specialist" (hosts management)?
>
> The DNS stuff is added only if DNS is enabled on the server so I can't add them by default.
>
> rob

Updated patch.

rob

-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-rcrit-728-2-roles.patch
Type: application/mbox
Size: 20778 bytes
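The ACI target mismatch Jakub points out (a target of cn=* under cn=hbac while the rules live at ipauniqueid=*), as an added check that is not part of this thread and not FreeIPA or 389 DS code: a simplified model of target DN matching (RDN by RDN, with '*' as a whole-value wildcard; the real 389 DS matcher also understands substring patterns inside a value, so the simplification is an assumption) run over constructed HBAC rule DNs to show which entries each target pattern actually covers. The same routine flags a permission whose target matches none of the entries it was written for, which is the kind of mistake that is invisible until someone tests the role.

```python
"""Does an ACI target pattern cover the entries it is meant to?

Added check for the HBAC ACI point in the thread above; it is not FreeIPA
or 389 DS code.  Matching is a simplified model of 389 DS target matching
(RDN by RDN, '*' as a whole-value wildcard); the real server also supports
substring patterns inside a value, so treat this as an assumption.
"""
import re

SUFFIX = "dc=example,dc=test"  # constructed


def split_dn(dn):
    """DN -> [(attr, value)], attribute names lowercased; escaped commas
    are tolerated, other escaping is out of scope for this example."""
    rdns = []
    for part in re.split(r"(?<!\\),", dn):
        attr, _, value = part.strip().partition("=")
        rdns.append((attr.strip().lower(), value.strip()))
    return rdns


def target_pattern(aci_fragment):
    """Pull the DN pattern out of target = "ldap:///..." and expand $SUFFIX."""
    m = re.search(r'target\s*=\s*"ldap:///([^"]+)"', aci_fragment)
    if m is None:
        raise ValueError("no ldap:/// target in %r" % aci_fragment)
    return m.group(1).replace("$SUFFIX", SUFFIX)


def dn_matches(pattern, dn):
    """True when every RDN of dn matches the corresponding RDN of pattern."""
    prdns, drdns = split_dn(pattern), split_dn(dn)
    if len(prdns) != len(drdns):
        return False
    for (pattr, pval), (dattr, dval) in zip(prdns, drdns):
        if pattr != dattr:
            return False
        if pval != "*" and pval.lower() != dval.lower():
            return False
    return True


def entries_covered(aci_fragment, entry_dns):
    """The subset of entry_dns that the ACI's target pattern applies to."""
    pattern = target_pattern(aci_fragment)
    return [dn for dn in entry_dns if dn_matches(pattern, dn)]


# The two targets discussed in the thread: the one in the patch and the fix.
WRONG_TARGET = 'target = "ldap:///cn=*,cn=hbac,$SUFFIX"'
FIXED_TARGET = 'target = "ldap:///ipauniqueid=*,cn=hbac,$SUFFIX"'

# Constructed entries: two HBAC rules keyed by ipaUniqueID plus a cn=
# container at the same level, to show what the wrong target does hit.
HBAC_RULES = [
    "ipaUniqueID=rule-one-constructed,cn=hbac,%s" % SUFFIX,
    "ipaUniqueID=rule-two-constructed,cn=hbac,%s" % SUFFIX,
]
CONTAINER = "cn=somecontainer,cn=hbac,%s" % SUFFIX
ENTRIES = HBAC_RULES + [CONTAINER]


def report(aci_fragment, entry_dns=ENTRIES):
    """One-line summary of how many of the entries a target covers."""
    covered = entries_covered(aci_fragment, entry_dns)
    return "%s -> %d of %d entries: %s" % (
        target_pattern(aci_fragment), len(covered), len(entry_dns), covered)


if __name__ == "__main__":
    print(report(WRONG_TARGET))
    print(report(FIXED_TARGET))
```

Run against a dump of the real entries (for instance the DNs returned by an ldapsearch under cn=hbac), a zero-count line for a permission that is supposed to grant something is the signal to look at the target.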
From: pzuna at redhat.com (Pavel Zůna)
Date: Mon, 21 Feb 2011 16:12:31 +0100
Subject: [Freeipa-devel] [PATCH] Use pygettext to generate translatable strings from plugin files.
Message-ID: <4D6280DF.7020005@redhat.com>

This goes on top of my other localization patches!

This patch replaces xgettext with a custom pygettext to generate translatable strings from plugin files in ipalib/plugins. pygettext was modified to handle plural forms (credit goes to Jan Hendrik Goellner) and had some bugs fixed by myself. We only use it for plugins, because it's the only place where we need to extract docstrings for the built-in help system.

I also had to make some changes to the way the built-in documentation system gets docstrings from modules for this to work.

How to test?
============

1) First, apply all of the localization patches found in thread "Localization patches" on freeipa-devel. Then apply this patch.

2) Regenerate your install/po/Makefile:
   - delete install/po/Makefile
   - run `./configure` in install

3) Regenerate the pot and po files:
   - run `make update-pot` in install/po
   - run `make update-po` in install/po

4) Make a change to one of the translations:
   - example: add translation to the ACI docstring
     * find docstring for ACI in install/po/es.po
     * change the corresponding msgstr "" to msgstr "\nBuenos dias, amigos!\n"

   Note: if the translatable string begins with \n, the translation also needs to begin with \n. Same goes for ending.

5) Install the modified translations:
   - run `make install` in install/po

   Note: I had some problems with this and had to make rpms and install IPA from the beginning for it to work. Looks like doing `make install` manually updates /usr/local/share/locale instead of /usr/share/locale, but maybe I just did something wrong.

6) Set language to Spanish or whatever translation you modified:
   - example:
     * # LANG="es_ES.utf8"
       # export LANG

7) Display the translated documentation:
   - example:
     * # ipa help aci
       Buenos dias, amigos!

Pavel

-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-pzuna-83-pygettext.patch
Type: application/mbox
Size: 35344 bytes
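The note in step 4 about keeping the leading and trailing \n of a translation in step with its msgid, as an added checker that is not part of Pavel's patch and not pygettext or gettext: a minimal .po parser covering only the subset used here (msgid, msgid_plural, msgstr, msgstr[N], continuation strings, '#' comments), run over a constructed Spanish .po fragment. msgfmt performs the same check when it compiles the catalogue; reimplementing it here just makes the rule visible on the data, and the plural entry shows it applies to every msgstr[N] as well.

```python
"""Check .po translations against the leading/trailing newline rule.

Added illustration for the localization steps above; this is not FreeIPA
code and not pygettext.  The parser covers only the subset of the .po
format used below (msgid, msgid_plural, msgstr, msgstr[N], continuation
strings, '#' comments); that is an assumption of this example.
"""
import re

_KEYED = re.compile(r'^(msgid_plural|msgid|msgstr(?:\[\d+\])?)\s+"(.*)"$')
_CONT = re.compile(r'^"(.*)"$')


def _unescape(s):
    # Only the escapes that matter here: \n, \t, \" and \\.
    return re.sub(r'\\(.)',
                  lambda m: {"n": "\n", "t": "\t"}.get(m.group(1), m.group(1)),
                  s)


def parse_po(text):
    """Return a list of entries, each a dict keyed by msgid/msgstr[...]."""
    entries, current, key = [], {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:                       # blank line closes an entry
            if current:
                entries.append(current)
                current, key = {}, None
            continue
        if line.startswith("#"):           # comments and #: references
            continue
        m = _KEYED.match(line)
        if m:
            key = m.group(1)
            current[key] = _unescape(m.group(2))
            continue
        m = _CONT.match(line)
        if m and key is not None:          # continuation of the last string
            current[key] += _unescape(m.group(1))
    if current:
        entries.append(current)
    return entries


def edge_problems(reference, candidate):
    problems = []
    if reference.startswith("\n") != candidate.startswith("\n"):
        problems.append("leading newline")
    if reference.endswith("\n") != candidate.endswith("\n"):
        problems.append("trailing newline")
    return problems


def check_po(text):
    """Return (msgid, key, problem) triples; an empty list means the file
    is consistent.  The header entry (empty msgid) and untranslated
    (empty) strings are skipped; msgid_plural and every msgstr[N] are
    compared against msgid."""
    findings = []
    for entry in parse_po(text):
        msgid = entry.get("msgid", "")
        if msgid == "":
            continue
        for key, value in entry.items():
            if key == "msgid" or value == "":
                continue
            for problem in edge_problems(msgid, value):
                findings.append((msgid, key, problem))
    return findings


# Constructed .po fragment (docstrings and source references are made up):
# the ACI entry is right, the group docstring lost both newlines, and the
# plural form gained one it should not have.
PO_TEXT = r'''
msgid ""
msgstr ""
"Content-Type: text/plain; charset=UTF-8\n"

#: ipalib/plugins/aci.py:1
msgid "\n"
"Manage access control instructions (ACIs)\n"
msgstr "\n"
"Buenos dias, amigos!\n"

#: ipalib/plugins/group.py:1
msgid "\n"
"Groups of users\n"
msgstr "Grupos de usuarios"

#: ipalib/plugins/group.py:2
msgid "%d group matched"
msgid_plural "%d groups matched"
msgstr[0] "%d grupo coincide"
msgstr[1] "%d grupos coinciden\n"
'''

if __name__ == "__main__":
    for msgid, key, problem in check_po(PO_TEXT):
        print("%-12s %-16s %r" % (key, problem, msgid))
```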
From: ayoung at redhat.com (Adam Young)
Date: Mon, 21 Feb 2011 10:25:28 -0500
Subject: [Freeipa-devel] [PATCH] 106 I18n update.
In-Reply-To: <4D5F4BB8.5080100@redhat.com>
References: <4D5E2A62.8000003@redhat.com> <4D5E8C88.3080400@redhat.com> <4D5EC3B3.8030705@redhat.com> <4D5EEEC3.1010404@redhat.com> <4D5F488D.1020609@redhat.com> <4D5F4BB8.5080100@redhat.com>
Message-ID: <4D6283E8.3010208@redhat.com>

On 02/18/2011 11:48 PM, Endi Sukma Dewata wrote:
> On 2/18/2011 10:35 PM, Adam Young wrote:
>>>>>> Hard-coded messages throughout the code have been replaced by i18n messages obtained from json_metadata and i18n_messages.
>>>>>>
>>>>>> https://fedorahosted.org/freeipa/ticket/899
>>>>>
>>>>> Needs rebase, due to mkosek's big patch.
>>>>
>>>> Attached is an updated version. I had to change IPA.cert into an entity because it has to be initialized after IPA.init() finishes loading the metadata & messages.
>>>>
>>>> We might want to introduce a concept of plugin for Web UI (similar to plugin for ipalib). The first step is to rename IPA.entity_factories into IPA.plugins, but most of the work will be splitting the IPA.entity into plugin and real entity.
>>>>
>>>> Patch #107 can be used without rebase.
>>>
>>> Attached is a new version using the plugin framework. Please see certificate.js.
>>
>> Every function is an Object. There is no reason to create an object, and then have an init method on it.
>
> I haven't got a chance to provide a long explanation for this, but please try to apply all patches that I've submitted (until 109) and see the user.js, group.js and certificate.js. I think they are clearly structured and easy to understand.
>
> Try to think of "plugins" as "modules", and "init()" as "start()" or "main()", or some other terms. Once all entity files are converted to use this framework, it may be possible to remove init() from entity/facet/widget. The init() is not an unnecessary duplication of the constructor, but it's a callback to indicate that the messages are loaded.

OK, just completed a more in depth review. I stand by my original call. I don't want to make a change like this in the 2.0 timeframe. When we do make the change, it will incorporate some of these ideas, but we are not going to use the deliberate init() call.

For now, just make the libraries for cert etc as lazy load accessors like I recommended earlier. It should be a pretty short addition to Patch 106-2. Hold on to the changes from patches 106-3 on and we will design a more complete refactoring target for the 2.1 release.
From: jhrozek at redhat.com (Jakub Hrozek)
Date: Mon, 21 Feb 2011 16:25:44 +0100
Subject: [Freeipa-devel] [PATCH] 728 default roles
In-Reply-To: <4D6280AA.2050805@redhat.com>
References: <4D5C977C.1020408@redhat.com> <4D5E8ABA.5090306@redhat.com> <4D5E9066.7010102@redhat.com> <4D6280AA.2050805@redhat.com>
Message-ID: <20110221152544.GA7298@zeppelin.brq.redhat.com>

On Mon, Feb 21, 2011 at 10:11:38AM -0500, Rob Crittenden wrote:
> Rob Crittenden wrote:
>> Jakub Hrozek wrote:
>>> On 02/17/2011 04:35 AM, Rob Crittenden wrote:
>>>> Add default roles and permissions for HBAC, SUDO and pw policy
>>>>
>>>> Created some default roles as examples. In doing so I realized that we were completely missing default rules for HBAC, SUDO and password policy so I added those as well.
>>>>
>>>> I ran into a problem when the updater has a default record and an add at the same time, it should handle it better now.
>>>>
>>>> ticket 585
>>>>
>>>> rob
>>>
>>> I'm not sure about the HBAC rules ACIs. They are specified as:
>>>
>>> 'target = "ldap:///cn=*,cn=hbac,$SUFFIX"'
>>>
>>> while HBAC rules' DN is:
>>>
>>> 'ipauniqueid=*,cn=hbac,$SUFFIX'.
>>>
>>> But HBAC rules do have a cn: attribute, so maybe the ACIs would work?
>>
>> No, you're right, this is wrong. I'll fix it up and resubmit.
>>
>>> The patch also needs rebasing on top of recent changes to install/updates/Makefile.am
>>>
>>> Other than that, looks OK to me.
>>>
>>> btw when I was reviewing this patch, I noticed we add a "DNS Administrators" privilege in dns.ldif. Would it make sense to add DNS administration to "Security Architect" (replication management) and "IT Specialist" (hosts management)?
>>
>> The DNS stuff is added only if DNS is enabled on the server so I can't add them by default.
>>
>> rob
>
> Updated patch.
>
> rob

Interdiff looks fine, but I'm not able to apply the patch (not even 3-way merge), can you rebase?

From: rcritten at redhat.com (Rob Crittenden)
Date: Mon, 21 Feb 2011 10:27:26 -0500
Subject: [Freeipa-devel] [PATCH] 735 configure krb5_realm in sssd ipa provider
Message-ID: <4D62845E.1020508@redhat.com>

Set krb5_realm in sssd.conf in the ipa provider.

ticket 925

rob

-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-rcrit-735-sssd.patch
Type: application/mbox
Size: 1734 bytes
From: dpal at redhat.com (Dmitri Pal)
Date: Mon, 21 Feb 2011 10:41:24 -0500
Subject: [Freeipa-devel] Long overdue review of the UI guide
Message-ID: <4D6287A4.3050202@redhat.com>

Hi,

I finally got some time to review the UI spec. I found some minor and major issues. I do not have the latest UI in front of me so please check that nothing is missing or incorrect based on the concerns below.

1) How many results do we display in the facet list (like members of a group)? What if there are many (thousands of group members)? Will we display them all? Or do we provide a filter? But I do not see a filter for the facet lists in the spec so either the spec is wrong or we have a problem in the UI.

2) Details pages header is the same as any other header, not just "list" pages.

3) After the modal add dialog was used the spec says that: "After the entity is added the modal closes returning to the list page". Does the list get refreshed automatically in this case or not? Is the filter preserved or not?

4) Action panel description, State 2. See notes section. The first bullet in notes is confusing. The delete button should be grayed when there is no selection while the link should be enabled only if there is a single selection. If there are multiple selections the links should be grayed.

5) Action Panels in state 3. Table includes reference to Kyle by name :-)

6) The UI in multiple places in the example of the action panel says "Net Groups" but in the text of the document it is correct: "Netgroups". Please make sure that the correct wording is used in the actual UI, i.e. Netgroups - one word.

7) What is the status of the pages: "Hosts I Manage", "Hosts Managing me", "Service I Manage"? Are they a part of the UI? Do not remember them. Please double check.

8) Do we have the membership in the Netgroups as a facet for users, groups, host groups, hosts and netgroups? Please double check that in all 5 cases we have the correct facet in the UI.

9) Do we have a facet "Hosts Managing Me" for the services? Do not remember them being there. Please double check.

10) Kyle, Ben: in the action panel for the cases when we have several sub items, as in HBAC for example, the ungrouped facet label (indented) has the same size and style as other (unindented) section labels. This is confusing. I suggest the ungrouped facet label should be of a different style. IMO it is confusing now.

11) I have not seen anything about DNS or automount in the spec. Is it intentional or an omission?

-- 
Thank you,
Dmitri Pal
Sr. Engineering Manager IPA project, Red Hat Inc.
From: rcritten at redhat.com (Rob Crittenden)
Date: Mon, 21 Feb 2011 10:50:02 -0500
Subject: [Freeipa-devel] [PATCH] 728 default roles
In-Reply-To: <20110221152544.GA7298@zeppelin.brq.redhat.com>
References: <4D5C977C.1020408@redhat.com> <4D5E8ABA.5090306@redhat.com> <4D5E9066.7010102@redhat.com> <4D6280AA.2050805@redhat.com> <20110221152544.GA7298@zeppelin.brq.redhat.com>
Message-ID: <4D6289AA.8090500@redhat.com>

Jakub Hrozek wrote:
> On Mon, Feb 21, 2011 at 10:11:38AM -0500, Rob Crittenden wrote:
>> Rob Crittenden wrote:
>>> Jakub Hrozek wrote:
>>>> On 02/17/2011 04:35 AM, Rob Crittenden wrote:
>>>>> Add default roles and permissions for HBAC, SUDO and pw policy
>>>>>
>>>>> Created some default roles as examples. In doing so I realized that we were completely missing default rules for HBAC, SUDO and password policy so I added those as well.
>>>>>
>>>>> I ran into a problem when the updater has a default record and an add at the same time, it should handle it better now.
>>>>>
>>>>> ticket 585
>>>>>
>>>>> rob
>>>>
>>>> I'm not sure about the HBAC rules ACIs. They are specified as:
>>>>
>>>> 'target = "ldap:///cn=*,cn=hbac,$SUFFIX"'
>>>>
>>>> while HBAC rules' DN is:
>>>>
>>>> 'ipauniqueid=*,cn=hbac,$SUFFIX'.
>>>>
>>>> But HBAC rules do have a cn: attribute, so maybe the ACIs would work?
>>>
>>> No, you're right, this is wrong. I'll fix it up and resubmit.
>>>
>>>> The patch also needs rebasing on top of recent changes to install/updates/Makefile.am
>>>>
>>>> Other than that, looks OK to me.
>>>>
>>>> btw when I was reviewing this patch, I noticed we add a "DNS Administrators" privilege in dns.ldif. Would it make sense to add DNS administration to "Security Architect" (replication management) and "IT Specialist" (hosts management)?
>>>
>>> The DNS stuff is added only if DNS is enabled on the server so I can't add them by default.
>>>
>>> rob
>>
>> Updated patch.
>>
>> rob
>
> Interdiff looks fine, but I'm not able to apply the patch (not even 3-way merge), can you rebase?

done

-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-rcrit-728-3-roles.patch
Type: application/mbox
Size: 20835 bytes
From: jhrozek at redhat.com (Jakub Hrozek)
Date: Mon, 21 Feb 2011 16:59:43 +0100
Subject: [Freeipa-devel] [PATCH] 734 Add handling for indirect memberof other entries.
In-Reply-To: <4D627A61.3010603@redhat.com>
References: <4D609CF1.8050801@redhat.com> <20110221105632.GA14509@zeppelin.brq.redhat.com> <4D626E64.2080700@redhat.com> <4D627A61.3010603@redhat.com>
Message-ID: <20110221155943.GB7298@zeppelin.brq.redhat.com>

On Mon, Feb 21, 2011 at 09:44:49AM -0500, Rob Crittenden wrote:
> Rob Crittenden wrote:
>> Jakub Hrozek wrote:
>>> On Sat, Feb 19, 2011 at 11:47:45PM -0500, Rob Crittenden wrote:
>>>> This creates a new custom attribute, memberofindirect_[plugin]. Using this you can tell the difference between being an actual memberof another entry and being a memberof as the result of inheritance. This is particularly useful when trying to remove members of an entry, you can only remove direct members.
>>>>
>>>> I had to add a couple of short sleep calls to make things work a little better. The memberof plugin runs as a postop and we have no way of knowing when it has done its work. If we don't pause we may show some stale data that memberof hasn't updated yet. .3 seconds is an arbitrary choice.
>>>
>>> I don't know the DS plugin architecture well enough but there's no callback or anything we can hook to? If the machine swaps or something, we might get incorrect data with the sleep anyway..
>>>
>>>> The ticket has an excellent test case for this. Similar tests can be done for users/groups and hosts/hostgroups.
>>>>
>>>> ticket 966
>>>>
>>>> rob
>>>
>>> The testcase is failing for me:
>>> test_group[13]: hostgroup_add: Create u'testhostgroup1' ... FAIL
>>> test_group[14]: hostgroup_add: Create u'testhostgroup2' ... FAIL
>>>
>>> It seems that the objectclasses should be updated:
>>> expected = [u'ipaobject', u'ipahostgroup', u'nestedGroup', u'groupOfNames', u'top']
>>> got = [u'ipaobject', u'ipahostgroup', u'nestedGroup', u'groupOfNames', u'top', u'mepOriginEntry']
>>
>> Oh, that's because we create the netgroup now. Strange that I didn't see that, I just redid my base install on Thursday. I'll update that and give it another go.
>>
>> rob
>
> Updated patch
>
> rob

Strangely enough, I had to do a slight modification to make the test pass:

hostgroup = [ - u'mepOriginEntry', u'ipaobject', u'ipahostgroup', u'nestedGroup', u'groupOfNames', u'top', + u'mepOriginEntry', ]

I thought that the comparison wouldn't take order into account..

Other than that, ack
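Review bot: the moved line shows that the objectclass assertion in this test is order-sensitive: "- u'mepOriginEntry'" at the head of the expected list fails, while the identical value appended after u'top' passes, so the test only succeeds when the server happens to return objectClass values in that order. Since the test does not control that order, comparing sorted lists (or sets) of objectclasses in the hostgroup test would make it robust instead of depending on position; the same applies to the users/groups and hosts/hostgroups variants mentioned earlier in the thread.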
From: ayoung at redhat.com (Adam Young)
Date: Mon, 21 Feb 2011 11:01:24 -0500
Subject: [Freeipa-devel] Long overdue review of the UI guide
In-Reply-To: <4D6287A4.3050202@redhat.com>
References: <4D6287A4.3050202@redhat.com>
Message-ID: <4D628C54.5010601@redhat.com>

On 02/21/2011 10:41 AM, Dmitri Pal wrote:
> Hi,
>
> I finally got some time to review the UI spec. I found some minor and major issues. I do not have the latest UI in front of me so please check that nothing is missing or incorrect based on the concerns below.
>
> 1) How many results do we display in the facet list (like members of a group)? What if there are many (thousands of group members)? Will we display them all? Or do we provide a filter? But I do not see a filter for the facet lists in the spec so either the spec is wrong or we have a problem in the UI.

Problem in the UI. Noticed it late last week myself, when I uploaded a really large dataset to the server. For example, since all users go into the ipausers (unix) group, that facet will only show the first 100. I entered a ticket for this. Needs to get into the spec, too: https://fedorahosted.org/freeipa/ticket/992

> 2) Details pages header is the same as any other header, not just "list" pages.

Not so in the latest UI. You can see it here: http://admiyo.fedorapeople.org/ipa/ui/

> 3) After the modal add dialog was used the spec says that: "After the entity is added the modal closes returning to the list page". Does the list get refreshed automatically in this case or not? Is the filter preserved or not?

Filter is preserved, list gets refreshed.

> 4) Action panel description, State 2. See notes section. The first bullet in notes is confusing. The delete button should be grayed when there is no selection while the link should be enabled only if there is a single selection. If there are multiple selections the links should be grayed.

Yeah... haven't figured out a good way to grey out the button, as we are currently using the JQuery UI button for that control. The greying out of links was accomplished a while back.

> 5) Action Panels in state 3. Table includes reference to Kyle by name :-)

Kyle deserves it. Kyle rocks!

> 6) The UI in multiple places in the example of the action panel says "Net Groups" but in the text of the document it is correct: "Netgroups". Please make sure that the correct wording is used in the actual UI, i.e. Netgroups - one word.

We are pretty consistently using "Net Groups" all over the place. We can make the change.

> 7) What is the status of the pages: "Hosts I Manage", "Hosts Managing me", "Service I Manage"? Are they a part of the UI? Do not remember them. Please double check.

Managed By is there, but I think we lost "Hosts Managing Me". There have been a lot of problems with the associations, and I would not be surprised if the LDAP relationship underneath it matches something that we decided elsewhere we don't want to show. Added a ticket: https://fedorahosted.org/freeipa/ticket/993

> 8) Do we have the membership in the Netgroups as a facet for
> users,

Check

> groups,

Check

> host groups,

Check

> hosts

Check

> and netgroups.

Check

> Please double check that in all 5 cases we have the correct facet in the UI.
>
> 9) Do we have a facet "Hosts Managing Me" for the services? Do not remember them being there. Please double check.

Yes. Text is "Managed By".

> 10) Kyle, Ben: in the action panel for the cases when we have several sub items, as in HBAC for example, the ungrouped facet label (indented) has the same size and style as other (unindented) section labels. This is confusing. I suggest the ungrouped facet label should be of a different style. IMO it is confusing now.
>
> 11) I have not seen anything about DNS or automount in the spec. Is it intentional or an omission?

Automount should not be there. DNS would have to be reverse engineered.
From edewata at redhat.com Mon Feb 21 16:05:54 2011 
From: edewata at redhat.com (Endi Sukma Dewata) Date: Mon, 21 Feb 2011 10:05:54 -0600 Subject: [Freeipa-devel] [PATCH] 106 I18n update. In-Reply-To: <4D6283E8.3010208@redhat.com> References: <4D5E2A62.8000003@redhat.com> <4D5E8C88.3080400@redhat.com> <4D5EC3B3.8030705@redhat.com> <4D5EEEC3.1010404@redhat.com> <4D5F488D.1020609@redhat.com> <4D5F4BB8.5080100@redhat.com> <4D6283E8.3010208@redhat.com> Message-ID: <4D628D62.2020104@redhat.com> On 2/21/2011 9:25 AM, Adam Young wrote: >> I haven't got a chance to provide a long explanation for this, but >> please try to apply all patches that I've submitted (until 109) and >> see the user.js, group.js and certificate.js. I think they are clearly >> structured and easy to understand. >> >> Try to think "plugins" as "modules", and "init()" as "start()" or >> "main()", or some other terms. Once all entity files are converted to >> use this framework, it may be possible to remove init() from >> entity/facet/widget. The init() is not an unnecessary duplication of >> constructor, but it's a callback to indicate that the messages are >> loaded. > > OK, just completed a more in depth review. I stand by my original call. > I don't want to make a change like this in the 2.0 timeframe. When we do > make the change, it will incorporate some of these ideas, but we are not > going to use the deliberate init() call. > > For now, just make the libraries for cert etc as lazy load accessors > like I recommended earlier. It should be a pretty short addition to > Patch 106-2. Hold on to the changes from patches 106-3 on and we will > design a more complete refactoring target for the 2.1 release. Attached is an updated patch with the IPA.plugin framework removed. For now I'm just using the same method used for IPA.sudo, using a plain hash table. The IPA.cert.CRL_REASON for now is hard-coded. Let's get this patch and 107 in first because they really should go together with patch 105 which is already pushed. 
Please submit your registry code as a separate patch, it shouldn't be combined with these i18n fixes. Thanks! -- Endi S. Dewata -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-edewata-0106-4-I18n-update.patch Type: text/x-patch Size: 158811 bytes Desc: not available URL: From ayoung at redhat.com Mon Feb 21 16:12:46 2011 
From: ayoung at redhat.com (Adam Young) Date: Mon, 21 Feb 2011 11:12:46 -0500 Subject: [Freeipa-devel] [PATCH] 106 I18n update. In-Reply-To: <4D628D62.2020104@redhat.com> References: <4D5E2A62.8000003@redhat.com> <4D5E8C88.3080400@redhat.com> <4D5EC3B3.8030705@redhat.com> <4D5EEEC3.1010404@redhat.com> <4D5F488D.1020609@redhat.com> <4D5F4BB8.5080100@redhat.com> <4D6283E8.3010208@redhat.com> <4D628D62.2020104@redhat.com> Message-ID: <4D628EFE.5010704@redhat.com> On 02/21/2011 11:05 AM, Endi Sukma Dewata wrote: > On 2/21/2011 9:25 AM, Adam Young wrote: >>> I haven't got a chance to provide a long explanation for this, but >>> please try to apply all patches that I've submitted (until 109) and >>> see the user.js, group.js and certificate.js. I think they are clearly >>> structured and easy to understand. >>> >>> Try to think "plugins" as "modules", and "init()" as "start()" or >>> "main()", or some other terms. Once all entity files are converted to >>> use this framework, it may be possible to remove init() from >>> entity/facet/widget. The init() is not an unnecessary duplication of >>> constructor, but it's a callback to indicate that the messages are >>> loaded. >> >> OK, just completed a more in depth review. I stand by my original call. >> I don't want to make a change like this in the 2.0 timeframe. When we do >> make the change, it will incorporate some of these ideas, but we are not >> going to use the deliberate init() call. >> >> For now, just make the libraries for cert etc as lazy load accessors >> like I recommended earlier. It should be a pretty short addition to >> Patch 106-2. Hold on to the changes from patches 106-3 on and we will >> design a more complete refactoring target for the 2.1 release. > > Attached is an updated patch with the IPA.plugin framework removed. > For now I'm just using the same method used for IPA.sudo, using a > plain hash table. The IPA.cert.CRL_REASON for now is hard-coded. 
Let's > get this patch and 107 in first because they really should go together > with patch 105 which is already pushed. Please submit your registry > code as a separate patch, it shouldn't be combined with these i18n > fixes. Thanks! > I'm not ready to submit the Registry code either. I promise you that it will get the same scrutiny from you and the team as any other design decision. I'll test 106-4 and 107 together. From jhrozek at redhat.com Mon Feb 21 16:11:32 2011 From: jhrozek at redhat.com (Jakub Hrozek) Date: Mon, 21 Feb 2011 17:11:32 +0100 Subject: [Freeipa-devel] [PATCH] 735 configure krb5_realm in sssd ipa provider In-Reply-To: <4D62845E.1020508@redhat.com> References: <4D62845E.1020508@redhat.com> Message-ID: <20110221161132.GC7298@zeppelin.brq.redhat.com> On Mon, Feb 21, 2011 at 10:27:26AM -0500, Rob Crittenden wrote: > Set krb5_realm in sssd.conf in the ipa provider. > > ticket 925 > > rob This works fine, so Ack. One question, though, why don't we add the realm only if ipa_domain.upper() != krb5_realm? It would make the config file a little more readable for the 99% case where the two are the same. From rcritten at redhat.com Mon Feb 21 16:22:11 2011 
From: rcritten at redhat.com (Rob Crittenden) Date: Mon, 21 Feb 2011 11:22:11 -0500 Subject: [Freeipa-devel] [PATCH] 734 Add handling for indirect memberof other entries. In-Reply-To: <20110221155943.GB7298@zeppelin.brq.redhat.com> References: <4D609CF1.8050801@redhat.com> <20110221105632.GA14509@zeppelin.brq.redhat.com> <4D626E64.2080700@redhat.com> <4D627A61.3010603@redhat.com> <20110221155943.GB7298@zeppelin.brq.redhat.com> Message-ID: <4D629133.5060202@redhat.com> Jakub Hrozek wrote: > On Mon, Feb 21, 2011 at 09:44:49AM -0500, Rob Crittenden wrote: >> Rob Crittenden wrote: >>> Jakub Hrozek wrote: >>>> On Sat, Feb 19, 2011 at 11:47:45PM -0500, Rob Crittenden wrote: >>>>> This creates a new custom attribute, memberofindirect_[plugin]. >>>>> Using this you can tell the difference between being an actual >>>>> memberof another entry and being a memberof as the result of >>>>> inheritance. This is particularly useful when trying to remove >>>>> members of an entry, you can only remove direct members. >>>>> >>>>> I had to add a couple of short sleep calls to make things work a >>>>> little better. The memberof plugin runs as a postop and we have no >>>>> way of knowing when it has done its work. If we don't pause we may >>>>> show some stale data that memberof hasn't updated yet. .3 seconds is >>>>> an arbitrary choice. >>>>> >>>> >>>> I don't know the DS plugin architecture well enough but there's no >>>> callback or anything we can hook to? If the machine swaps or something, >>>> we might get incorrect data with the sleep anyway.. >>>> >>>>> The ticket has an excellent test case for this. Similar tests can be >>>>> done for users/groups and hosts/hostgroups. >>>>> >>>>> ticket 966 >>>>> >>>>> rob >>>>> >>>> >>>> The testcase is failing for me: >>>> test_group[13]: hostgroup_add: Create u'testhostgroup1' ... FAIL >>>> test_group[14]: hostgroup_add: Create u'testhostgroup2' ... 
FAIL >>>> >>>> It seems that the objectclasses should be updated: >>>> expected = [u'ipaobject', u'ipahostgroup', u'nestedGroup', >>>> u'groupOfNames', u'top'] >>>> got = [u'ipaobject', u'ipahostgroup', u'nestedGroup', u'groupOfNames', >>>> u'top', u'mepOriginEntry'] >>> >>> Oh, that's because we create the netgroup now. Strange that I didn't see >>> that, I just redid my base install on Thursday. I'll update that and >>> give it another go. >>> >>> rob >> >> Updated patch >> >> rob > > Strangely enough, I had to do a slight modification to make the test > pass: > > hostgroup = [ > - u'mepOriginEntry', > u'ipaobject', > u'ipahostgroup', > u'nestedGroup', > u'groupOfNames', > u'top', > + u'mepOriginEntry', > ] > > I thought that the comparison wouldn't take order into account.. The list checking does currently assume the same order. > > Other than that, ack Ok, re-ordered and pushed. rob From jhrozek at redhat.com Mon Feb 21 16:30:21 2011 From: jhrozek at redhat.com (Jakub Hrozek) Date: Mon, 21 Feb 2011 17:30:21 +0100 Subject: [Freeipa-devel] [PATCH] 064 Document --enable-dns-updates in ipa-client-install man page Message-ID: <20110221163020.GD7298@zeppelin.brq.redhat.com> https://fedorahosted.org/freeipa/ticket/991 -------------- next part -------------- >From b8d1fdcad3a6a23fbcb9aaf7cc7f332698fe5df5 Mon Sep 17 00:00:00 2001 From: Jakub Hrozek Date: Mon, 21 Feb 2011 17:23:41 +0100 Subject: [PATCH] Document --enable-dns-updates in ipa-client-install man page https://fedorahosted.org/freeipa/ticket/991 --- ipa-client/man/ipa-client-install.1 | 3 +++ 1 files changed, 3 insertions(+), 0 deletions(-) diff --git a/ipa-client/man/ipa-client-install.1 b/ipa-client/man/ipa-client-install.1 index 3ac5678..90a4f71 100644 --- a/ipa-client/man/ipa-client-install.1 +++ b/ipa-client/man/ipa-client-install.1 
@@ -81,6 +81,9 @@ Configure pam to create a users home directory if it does not exist. .TP \fB\-\-uninstall\fR Remove the IPA client software and restore the configuration to the pre\-IPA state. +.TP +\fB\-\-enable\-dns\-updates\fR +This option tells SSSD to automatically update DNS with the IP address of this client. .SH "EXIT STATUS" 0 if the installation was successful -- 1.7.4 From rcritten at redhat.com Mon Feb 21 16:30:04 2011 From: rcritten at redhat.com (Rob Crittenden) Date: Mon, 21 Feb 2011 11:30:04 -0500 Subject: [Freeipa-devel] [PATCH] 735 configure krb5_realm in sssd ipa provider In-Reply-To: <20110221161132.GC7298@zeppelin.brq.redhat.com> References: <4D62845E.1020508@redhat.com> <20110221161132.GC7298@zeppelin.brq.redhat.com> Message-ID: <4D62930C.4060505@redhat.com> Jakub Hrozek wrote: > On Mon, Feb 21, 2011 at 10:27:26AM -0500, Rob Crittenden wrote: >> Set krb5_realm in sssd.conf in the ipa provider. >> >> ticket 925 >> >> rob > > This works fine, so Ack. > > One question, though, why don't we add the realm only if > ipa_domain.upper() != krb5_realm? It would make the config file a little > more readable for the 99% case where the two are the same. Sure. We can't assume that the realm is always upper case so I'll do a case insensitive match (I did lower by reflex). rob -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-rcrit-735-2-sssd.patch Type: application/mbox Size: 1788 bytes Desc: not available URL: From rcritten at redhat.com Mon Feb 21 16:48:53 2011 
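Review bot: the new .TP entry for \-\-enable\-dns\-updates says what SSSD will do but not whether the option is off unless given, so a reader of the man page cannot tell what the default behaviour of an enrolled client is; one extra sentence on the default, in the same style as the surrounding entries, would close that gap. The entry is also appended after \-\-uninstall, which is the one option in this section that does not configure anything; placing it next to the other configuration options (the "Configure pam ..." entry visible in the hunk context) would keep the option list grouped by purpose.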
From: rcritten at redhat.com (Rob Crittenden) Date: Mon, 21 Feb 2011 11:48:53 -0500 Subject: [Freeipa-devel] [PATCH] 736 hard limit for # of batch requests Message-ID: <4D629775.3010602@redhat.com> Set a hard limit of 256 for the # of commands in a batch request we'll handle. ticket 984 rob -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-rcrit-736-limit.patch Type: application/mbox Size: 1598 bytes Desc: not available URL: From rcritten at redhat.com Mon Feb 21 16:56:23 2011 From: rcritten at redhat.com (Rob Crittenden) Date: Mon, 21 Feb 2011 11:56:23 -0500 Subject: [Freeipa-devel] [PATCH] 064 Document --enable-dns-updates in ipa-client-install man page In-Reply-To: <20110221163020.GD7298@zeppelin.brq.redhat.com> References: <20110221163020.GD7298@zeppelin.brq.redhat.com> Message-ID: <4D629937.6020704@redhat.com> Jakub Hrozek wrote: > https://fedorahosted.org/freeipa/ticket/991 > ack, pushed to master From dpal at redhat.com Mon Feb 21 17:56:07 2011 
From: dpal at redhat.com (Dmitri Pal) Date: Mon, 21 Feb 2011 12:56:07 -0500 Subject: [Freeipa-devel] Long overdue review of the UI guide In-Reply-To: <4D628C54.5010601@redhat.com> References: <4D6287A4.3050202@redhat.com> <4D628C54.5010601@redhat.com> Message-ID: <4D62A737.7080705@redhat.com> On 02/21/2011 11:01 AM, Adam Young wrote: >> 6) The UI in multiple places in the example of the action panel says >> "Net Groups" but in the text of document it is correct: "Netgroups". >> Please make sure that the correct wording is used in the actual UI, i.e. >> Netgroups - one word. > We are pretty consistently using Net Groups all over the place. We > can make the change. We need to have a ticket for this. Please open. In all other places we use "netgroups" as one word. -- Thank you, Dmitri Pal Sr. Engineering Manager IPA project, Red Hat Inc. ------------------------------- Looking to carve out IT costs? www.redhat.com/carveoutcosts/ From rcritten at redhat.com Mon Feb 21 18:07:04 2011 From: rcritten at redhat.com (Rob Crittenden) Date: Mon, 21 Feb 2011 13:07:04 -0500 Subject: [Freeipa-devel] [PATCH] 737 move BuildRequires Message-ID: <4D62A9C8.7010404@redhat.com> Move some BuildRequires so building with ONLY_CLIENT works. I tested with: $ mock -r fedora-14-x86_64 --define='ONLY_CLIENT 1' ./dist/srpms/freeipa-2.0.0GIT055a668-0.fc14.src.rpm rob -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-rcrit-737-spec.patch Type: application/mbox Size: 2025 bytes Desc: not available URL: From rcritten at redhat.com Mon Feb 21 18:18:07 2011 
From: rcritten at redhat.com (Rob Crittenden) Date: Mon, 21 Feb 2011 13:18:07 -0500 Subject: [Freeipa-devel] [PATCH] 061 Validate NAPTR records In-Reply-To: <4D5E63B4.3080505@redhat.com> References: <4D5E63B4.3080505@redhat.com> Message-ID: <4D62AC5F.9090803@redhat.com> Jakub Hrozek wrote: > -----BEGIN PGP SIGNED MESSAGE----- > Hash: SHA1 > > I'm not sure about checking the flags - this might be a little too much > validation. > > https://fedorahosted.org/freeipa/ticket/840 I think the flags length check needs to change. I would do this instead: flags = flags.replace('"','') Otherwise someone might try to pass in the flags 'SAU' and all that would get set is A. rob From rcritten at redhat.com Mon Feb 21 18:35:24 2011 
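As an added illustration of the NAPTR flags point in Rob's review above (example code written for this edit, not the patch under review, whose diff is not shown on this page): the validator below strips only a matching pair of surrounding quotes, then checks every remaining character, so a value such as "SAU" is rejected as a whole instead of being quietly reduced to a single character. RFC 3403 only requires flags to be drawn from A-Z and 0-9 and treats case as insignificant; the further restriction to at most one of the four defined flags S, A, U and P is this example's own assumption, not something the thread or the RFC mandates.

```python
import re

# The four flags defined by RFC 3403 section 4.1. Alphabetic flags are
# case-insensitive, so input is normalised to upper case before checking.
NAPTR_KNOWN_FLAGS = frozenset("SAUP")

# RFC 3403 restricts the flags field to the characters A-Z and 0-9.
_NAPTR_FLAG_CHARS = re.compile(r"^[A-Z0-9]*$")


def validate_naptr_flags(flags):
    """Return the normalised NAPTR flags string or raise ValueError.

    The value may arrive with or without surrounding double quotes, as it
    would in zone-file syntax ('"S"' or 'S'). Only a matching pair of
    quotes at both ends is removed; a stray quote anywhere else is an
    error. Every character of what remains is validated, so nothing is
    silently dropped.

    Assumption for this example: at most one of the defined flags is
    accepted, since S, A, U and P select different behaviours and a
    combination has no defined meaning.
    """
    if flags is None:
        return ""
    value = flags.strip()
    if len(value) >= 2 and value[0] == '"' and value[-1] == '"':
        value = value[1:-1]
    elif '"' in value:
        raise ValueError("unbalanced quotes in NAPTR flags: %r" % flags)
    value = value.upper()
    if not _NAPTR_FLAG_CHARS.match(value):
        raise ValueError("NAPTR flags may only contain A-Z and 0-9: %r" % flags)
    if len(value) > 1:
        # This is the 'SAU' case from the review: reject, do not truncate.
        raise ValueError("only one NAPTR flag is accepted, got %r" % flags)
    if value and value not in NAPTR_KNOWN_FLAGS:
        raise ValueError("unknown NAPTR flag %r (defined: S, A, U, P)" % value)
    return value


def naptr_flags_error(flags):
    """Return the validation error message for flags, or None if valid."""
    try:
        validate_naptr_flags(flags)
    except ValueError as e:
        return str(e)
    return None


if __name__ == "__main__":
    for sample in ['"S"', "u", '""', '"SAU"', '"S', "X"]:
        print("%-8r -> %s" % (sample, naptr_flags_error(sample) or "ok"))
```

The order of the checks matters: quotes are handled before the character-class check, because a quote is not in A-Z0-9 and a naive regex would reject every quoted value, which is presumably why the original code stripped quotes in the first place.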
From: rcritten at redhat.com (Rob Crittenden) Date: Mon, 21 Feb 2011 13:35:24 -0500 Subject: [Freeipa-devel] [PATCH] 18 Use TLS for ipadiscovery during ipa client install In-Reply-To: References: Message-ID: <4D62B06C.4040102@redhat.com> JR Aquino wrote: > On 2/17/11 9:46 AM, "Jan Zeleny" wrote: > >> JR Aquino wrote: >>> Let's try now. Attached is the corrected patch. >>> >>> There were several spots in ipa-client-install where the server could be >>> defined and it was getting missed. >>> I have omitted any change to ipa-client-install and instead just focused >>> on ipadiscovery.py >>> >>> ipadiscovery.py now performs its own fetch of the CACert just to be >>> sure. >>> >>> Regarding TLS vs LDAPS. >>> >>> LDAP over SSL was common in LDAP Version 2 (LDAPv2) but it was never >>> standardized in any formal specification. This usage has been deprecated >>> along with LDAPv2, which was officially retired in 2003. >>> >>> LDAPS is still supported, but considered deprecated in favor of TLS as >>> defined in RFC2830. >>> >>> On 2/17/11 2:01 AM, "Jan Zelený" wrote: >>>> JR Aquino wrote: >>>>> This patch addresses the need to utilize TLS when using the >>>>> ipa-client-install tool. It addresses ticket: >>>>> https://fedorahosted.org/freeipa/ticket/974 >>>> >>>> Nack, running ipa-client-install returned this error: >>>> >>>> # ipa-client-install >>>> Retrieving CA from None failed. >>>> Command '/usr/bin/wget -O /etc/ipa/ca.crt >>> http://None/ipa/config/ca.crt' >>>> returned non-zero exit status 4 >>>> >>>> >>>> One more question - shouldn't you use ldaps directly to connect to the >>>> server? >>>> Jan >> >> >> Sorry, I have to Nack it again, the patch seems incomplete, since it is >> only >> adding some cacert fetching code to IPADiscovery. >> >> Jan > > Please ignore previous patches for #18. Attached is the replacement all > inclusive patch for this ticket. 
> > > Per Rob: > ipadiscovery should not attempt to create the /etc/ipa/ca.crt rather, it > should populate a tempdir with the temp cert for the initial discovery > bind. > > Attached is the full patch to provide both TLS and the safer wget of the > ca.crt to a temporary directory created by tempfile.mkdtemp() > > Please verify that ipa-client-install from a separate machine functions as > expected against a FreeIPA server who is set to "nsslapd-minssf: 56" > > It looks ok except for the try/except around the tempfile. If it fails all heck is gonna break loose. We should raise a RuntimeError in that case. rob From ayoung at redhat.com Mon Feb 21 18:48:55 2011 From: ayoung at redhat.com (Adam Young) Date: Mon, 21 Feb 2011 13:48:55 -0500 Subject: [Freeipa-devel] Long overdue review of the UI guide In-Reply-To: <4D62A737.7080705@redhat.com> References: <4D6287A4.3050202@redhat.com> <4D628C54.5010601@redhat.com> <4D62A737.7080705@redhat.com> Message-ID: <4D62B397.2050002@redhat.com> On 02/21/2011 12:56 PM, Dmitri Pal wrote: > In all other places we > use "netgroups" as one word. > > -- https://fedorahosted.org/freeipa/ticket/995 From jzeleny at redhat.com Mon Feb 21 18:46:47 2011 
From: jzeleny at redhat.com (Jan Zeleny) Date: Mon, 21 Feb 2011 19:46:47 +0100 Subject: [Freeipa-devel] [PATCH] 18 Use TLS for ipadiscovery during ipa client install In-Reply-To: <4D62B06C.4040102@redhat.com> References: <4D62B06C.4040102@redhat.com> Message-ID: <201102211946.47668.jzeleny@redhat.com> Rob Crittenden wrote: > JR Aquino wrote: > > On 2/17/11 9:46 AM, "Jan Zeleny" wrote: > >> JR Aquino wrote: > >>> Let's try now. Attached is the corrected patch. > >>> > >>> There were several spots in ipa-client-install where the server could > >>> be defined and it was getting missed. > >>> I have omitted any change to ipa-client-install and instead just > >>> focused on ipadiscovery.py > >>> > >>> ipadiscovery.py now performs its own fetch of the CACert just to be > >>> sure. > >>> > >>> Regarding TLS vs LDAPS. > >>> > >>> LDAP over SSL was common in LDAP Version 2 (LDAPv2) but it was never > >>> standardized in any formal specification. This usage has been > >>> deprecated along with LDAPv2, which was officially retired in 2003. > >>> > >>> LDAPS is still supported, but considered deprecated in favor of TLS as > >>> defined in RFC2830. > >>> > >>> On 2/17/11 2:01 AM, "Jan Zelený" wrote: > >>>> JR Aquino wrote: > >>>>> This patch addresses the need to utilize TLS when using the > >>>>> ipa-client-install tool. It addresses ticket: > >>>>> https://fedorahosted.org/freeipa/ticket/974 > >>>> > >>>> Nack, running ipa-client-install returned this error: > >>>> > >>>> # ipa-client-install > >>>> Retrieving CA from None failed. > >>>> Command '/usr/bin/wget -O /etc/ipa/ca.crt > >>> > >>> http://None/ipa/config/ca.crt' > >>> > >>>> returned non-zero exit status 4 > >>>> > >>>> > >>>> One more question - shouldn't you use ldaps directly to connect to the > >>>> server? > >>>> Jan > >> > >> Sorry, I have to Nack it again, the patch seems incomplete, since it is > >> only > >> adding some cacert fetching code to IPADiscovery. 
> >> > >> Jan > > > > Please ignore previous patches for #18. Attached is the replacement all > > inclusive patch for this ticket. > > > > > > Per Rob: > > ipadiscovery should not attempt to create the /etc/ipa/ca.crt rather, it > > should populate a tempdir with the temp cert for the initial discovery > > bind. > > > > Attached is the full patch to provide both TLS and the safer wget of the > > ca.crt to a temporary directory created by tempfile.mkdtemp() > > > > Please verify that ipa-client-install from a separate machine functions > > as expected against a FreeIPA server who is set to "nsslapd-minssf: 56" > > It looks ok except for the try/except around the tempfile. If it fails > all heck is gonna break loose. We should raise a RuntimeError in that case. > > rob Agreed, I had more or less the same comment prepared. Jan From rcritten at redhat.com Mon Feb 21 18:59:15 2011 
From: rcritten at redhat.com (Rob Crittenden) Date: Mon, 21 Feb 2011 13:59:15 -0500 Subject: [Freeipa-devel] [PATCH] Don't load the LDAP schema during startup In-Reply-To: <201102151524.59018.jzeleny@redhat.com> References: <201102151524.59018.jzeleny@redhat.com> Message-ID: <4D62B603.8080604@redhat.com> Jan Zelený wrote: > Loading of the schema is now performed in the first request that requires it. > > https://fedorahosted.org/freeipa/ticket/583 > > Jan We still need to enforce that we get the schema, some low-level functions depend on it. Also, if the UI doesn't get its aciattrs (which are derived from the schema) then nothing will be editable. I'm getting this backtrace if I force no schema by disabling get_schema: [Mon Feb 21 13:57:33 2011] [error] ipa: ERROR: non-public: UnicodeDecodeError: 'utf8' codec can't decode byte 0xb3 in position 3: invalid start byte [Mon Feb 21 13:57:33 2011] [error] Traceback (most recent call last): [Mon Feb 21 13:57:33 2011] [error] File "/usr/lib/python2.7/site-packages/ipaserver/rpcserver.py", line 211, in wsgi_execute [Mon Feb 21 13:57:33 2011] [error] result = self.Command[name](*args, **options) [Mon Feb 21 13:57:33 2011] [error] File "/usr/lib/python2.7/site-packages/ipalib/frontend.py", line 422, in __call__ [Mon Feb 21 13:57:33 2011] [error] ret = self.run(*args, **options) [Mon Feb 21 13:57:33 2011] [error] File "/usr/lib/python2.7/site-packages/ipalib/frontend.py", line 728, in run [Mon Feb 21 13:57:33 2011] [error] return self.execute(*args, **options) [Mon Feb 21 13:57:33 2011] [error] File "/usr/lib/python2.7/site-packages/ipalib/plugins/baseldap.py", line 720, in execute [Mon Feb 21 13:57:33 2011] [error] dn, attrs_list, normalize=self.obj.normalize_dn [Mon Feb 21 13:57:33 2011] [error] File "/usr/lib/python2.7/site-packages/ipaserver/plugins/ldap2.py", line 629, in get_entry [Mon Feb 21 13:57:33 2011] [error] size_limit=size_limit, normalize=normalize [Mon Feb 21 13:57:33 2011] [error] File 
"/usr/lib/python2.7/site-packages/ipalib/encoder.py", line 188, in new_f [Mon Feb 21 13:57:33 2011] [error] return f(*new_args, **kwargs) [Mon Feb 21 13:57:33 2011] [error] File "/usr/lib/python2.7/site-packages/ipalib/encoder.py", line 199, in new_f [Mon Feb 21 13:57:33 2011] [error] return args[0].decode(f(*args, **kwargs)) [Mon Feb 21 13:57:33 2011] [error] File "/usr/lib/python2.7/site-packages/ipalib/encoder.py", line 139, in decode [Mon Feb 21 13:57:33 2011] [error] return tuple(self.decode(m) for m in var) [Mon Feb 21 13:57:33 2011] [error] File "/usr/lib/python2.7/site-packages/ipalib/encoder.py", line 139, in [Mon Feb 21 13:57:33 2011] [error] return tuple(self.decode(m) for m in var) [Mon Feb 21 13:57:33 2011] [error] File "/usr/lib/python2.7/site-packages/ipalib/encoder.py", line 137, in decode [Mon Feb 21 13:57:33 2011] [error] return [self.decode(m) for m in var] [Mon Feb 21 13:57:33 2011] [error] File "/usr/lib/python2.7/site-packages/ipalib/encoder.py", line 139, in decode [Mon Feb 21 13:57:33 2011] [error] return tuple(self.decode(m) for m in var) [Mon Feb 21 13:57:33 2011] [error] File "/usr/lib/python2.7/site-packages/ipalib/encoder.py", line 139, in [Mon Feb 21 13:57:33 2011] [error] return tuple(self.decode(m) for m in var) [Mon Feb 21 13:57:33 2011] [error] File "/usr/lib/python2.7/site-packages/ipalib/encoder.py", line 157, in decode [Mon Feb 21 13:57:33 2011] [error] dct[k] = self._decode_dict_val(k, v) [Mon Feb 21 13:57:33 2011] [error] File "/usr/lib/python2.7/site-packages/ipalib/encoder.py", line 64, in _decode_dict_val [Mon Feb 21 13:57:33 2011] [error] return self.decode(val) [Mon Feb 21 13:57:33 2011] [error] File "/usr/lib/python2.7/site-packages/ipalib/encoder.py", line 137, in decode [Mon Feb 21 13:57:33 2011] [error] return [self.decode(m) for m in var] [Mon Feb 21 13:57:33 2011] [error] File "/usr/lib/python2.7/site-packages/ipalib/encoder.py", line 132, in decode [Mon Feb 21 13:57:33 2011] [error] 
var.decode(self.encoder_settings.decode_from) [Mon Feb 21 13:57:33 2011] [error] File "/usr/lib64/python2.7/encodings/utf_8.py", line 16, in decode [Mon Feb 21 13:57:33 2011] [error] return codecs.utf_8_decode(input, errors, True) [Mon Feb 21 13:57:33 2011] [error] UnicodeDecodeError: 'utf8' codec can't decode byte 0xb3 in position 3: invalid start byte [Mon Feb 21 13:57:33 2011] [error] ipa: INFO: admin at GREYOAK.COM: user_show(u'admin', rights=True, all=True, raw=False, version=u'2.0'): UnicodeDecodeError From JR.Aquino at citrix.com Mon Feb 21 19:18:55 2011 
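The backtrace Rob posts ends in the generic decoder calling .decode() on every attribute value it is handed, and failing on a byte (0xb3) that cannot start a UTF-8 sequence. The reading offered here, as an editor's inference rather than something the thread states, is that the decoder relies on the schema to know which attributes carry binary values (certificates, Kerberos keys, photos) and must be left as bytes; with no schema loaded, every attribute is treated as text. The example below is added code written for this edit, not FreeIPA's encoder: it shows the schema-aware rule, applies it to a constructed entry whose certificate value contains that same 0xb3 at position 3, and shows what happens when the binary-attribute set is empty. The attribute names in BINARY_ATTRS are an assumption standing in for what the real schema would supply.

```python
# Attributes whose LDAP values are raw bytes and must never be decoded as
# text. In a schema-aware client this set comes from the attribute syntax
# in the server's schema; the names here are an assumption for the example.
BINARY_ATTRS = frozenset({"usercertificate", "krbprincipalkey", "jpegphoto"})

# Constructed sample entry, shaped like a python-ldap search result. The
# certificate value is not a real DER blob; it is a short byte string built
# so that byte 0xb3 sits at position 3, matching the error in the trace.
SAMPLE_ENTRY = {
    "uid": [b"admin"],
    "cn": [b"Administrator"],
    "userCertificate": [b"0\x02\x01\xb3"],
}


def decode_value(attr, value, binary_attrs=BINARY_ATTRS, encoding="utf-8"):
    """Decode one attribute value the way a schema-aware decoder should.

    Values of binary attributes are returned untouched as bytes; all other
    byte values are decoded with the given encoding. A text attribute whose
    value is not valid in that encoding is reported together with the
    attribute name, instead of the bare UnicodeDecodeError in the trace.
    """
    if not isinstance(value, bytes):
        return value
    if attr.lower() in binary_attrs:
        return value
    try:
        return value.decode(encoding)
    except UnicodeDecodeError as e:
        raise ValueError("attribute %s holds non-%s data: %s" % (attr, encoding, e))


def decode_entry(entry, binary_attrs=BINARY_ATTRS):
    """Decode an {attr: [values]} mapping, value by value."""
    return {
        attr: [decode_value(attr, v, binary_attrs) for v in values]
        for attr, values in entry.items()
    }


def decode_error(entry, binary_attrs=BINARY_ATTRS):
    """Return the error message decode_entry would raise, or None."""
    try:
        decode_entry(entry, binary_attrs)
    except ValueError as e:
        return str(e)
    return None


if __name__ == "__main__":
    # With the schema-derived set the entry decodes cleanly ...
    print(decode_entry(SAMPLE_ENTRY))
    # ... and with no schema information at all it fails, as in the trace.
    print(decode_error(SAMPLE_ENTRY, frozenset()))
```

This is also why the second half of Rob's comment matters: the fix is not to swallow the decode error but to make sure the schema is present before any entry is decoded, since without it the decoder cannot tell text from bytes.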
From: JR.Aquino at citrix.com (JR Aquino) Date: Mon, 21 Feb 2011 19:18:55 +0000 Subject: [Freeipa-devel] [PATCH] 18 Use TLS for ipadiscovery during ipa client install In-Reply-To: <201102211946.47668.jzeleny@redhat.com> Message-ID: On 2/21/11 10:46 AM, "Jan Zeleny" wrote: >Rob Crittenden wrote: >> JR Aquino wrote: >> > On 2/17/11 9:46 AM, "Jan Zeleny" wrote: >> >> JR Aquino wrote: >> >>> Let's try now. Attached is the corrected patch. >> >>> >> >>> There were several spots in ipa-client-install where the server >>could >> >>> be defined and it was getting missed. >> >>> I have omitted any change to ipa-client-install and instead just >> >>> focused on ipadiscovery.py >> >>> >> >>> ipadiscovery.py now performs its own fetch of the CACert just to be >> >>> sure. >> >>> >> >>> Regarding TLS vs LDAPS. >> >>> >> >>> LDAP over SSL was common in LDAP Version 2 (LDAPv2) but it was never >> >>> standardized in any formal specification. This usage has been >> >>> deprecated along with LDAPv2, which was officially retired in 2003. >> >>> >> >>> LDAPS is still supported, but considered deprecated in favor of TLS >>as >> >>> defined in RFC2830. >> >>> >> >>> On 2/17/11 2:01 AM, "Jan Zelený" wrote: >> >>>> JR Aquino wrote: >> >>>>> This patch addresses the need to utilize TLS when using the >> >>>>> ipa-client-install tool. It addresses ticket: >> >>>>> https://fedorahosted.org/freeipa/ticket/974 >> >>>> >> >>>> Nack, running ipa-client-install returned this error: >> >>>> >> >>>> # ipa-client-install >> >>>> Retrieving CA from None failed. >> >>>> Command '/usr/bin/wget -O /etc/ipa/ca.crt >> >>> >> >>> http://None/ipa/config/ca.crt' >> >>> >> >>>> returned non-zero exit status 4 >> >>>> >> >>>> >> >>>> One more question - shouldn't you use ldaps directly to connect to >>the >> >>>> server? >> >>>> Jan >> >> >> >> Sorry, I have to Nack it again, the patch seems incomplete, since it >>is >> >> only >> >> adding some cacert fetching code to IPADiscovery. 
>> >> >> >> Jan >> > >> > Please ignore previous patches for #18. Attached is the replacement >>all >> > inclusive patch for this ticket. >> > >> > >> > Per Rob: >> > ipadiscovery should not attempt to create the /etc/ipa/ca.crt rather, >>it >> > should populate a tempdir with the temp cert for the initial discovery >> > bind. >> > >> > Attached is the full patch to provide both TLS and the safer wget of >>the >> > ca.crt to a temporary directory created by tempfile.mkdtemp() >> > >> > Please verify that ipa-client-install from a separate machine >>functions >> > as expected against a FreeIPA server who is set to "nsslapd-minssf: >>56" >> >> It looks ok except for the try/except around the tempfile. If it fails >> all heck is gonna break loose. We should raise a RuntimeError in that >>case. >> >> rob > >Agreed, I had moreless the same comment prepared. Correction made, patch attached. except OSError, e: raise RuntimeError("Creating temporary directory failed: %s" % str(e)) -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-jraquino-0018-Use-TLS-for-ipadiscovery-during-ipa-client.patch Type: application/octet-stream Size: 2108 bytes Desc: freeipa-jraquino-0018-Use-TLS-for-ipadiscovery-during-ipa-client.patch URL: From rcritten at redhat.com Mon Feb 21 19:52:55 2011 
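The thread above settles two things about discovery-time CA handling: the certificate fetched for the initial StartTLS bind goes into a directory from tempfile.mkdtemp() rather than /etc/ipa/ca.crt, and a failure to create that directory raises RuntimeError instead of being ignored. The block below is added example code for this edit, not JR's patch and not ipadiscovery.py; it shows those two rules together with the checks a cautious caller would add around them. What fetches the bytes is abstracted as a callable, and the sample certificate is a constructed placeholder, not a real CA certificate.

```python
import os
import shutil
import stat
import tempfile
from contextlib import contextmanager

PEM_CERT_BEGIN = b"-----BEGIN CERTIFICATE-----"
PEM_CERT_END = b"-----END CERTIFICATE-----"

# Constructed placeholder: the body is not a real certificate, it only has
# the PEM framing that check_pem_certificate() looks for.
SAMPLE_CA_PEM = (
    b"-----BEGIN CERTIFICATE-----\n"
    b"MIIBexampleexampleexampleexampleexampleexampleexample=\n"
    b"-----END CERTIFICATE-----\n"
)


@contextmanager
def temporary_ca_dir(prefix="ipa-discovery-"):
    """Yield a private scratch directory for the discovery-time CA cert.

    tempfile.mkdtemp() creates the directory with mode 0700, so another
    local user cannot swap the certificate file underneath us. If the
    directory cannot be created we raise RuntimeError, the behaviour the
    review asked for, instead of carrying on without it. The directory is
    removed on exit whether or not the bind succeeded.
    """
    try:
        path = tempfile.mkdtemp(prefix=prefix)
    except OSError as e:
        raise RuntimeError("Creating temporary directory failed: %s" % e)
    try:
        yield path
    finally:
        shutil.rmtree(path, ignore_errors=True)


def is_private_dir(path):
    """True if path is a directory owned by us with no group/other access."""
    st = os.stat(path)
    if not stat.S_ISDIR(st.st_mode) or st.st_uid != os.geteuid():
        return False
    return (st.st_mode & (stat.S_IRWXG | stat.S_IRWXO)) == 0


def check_pem_certificate(path):
    """Sanity-check a file fetched over plain HTTP before TLS uses it.

    Returns True only if the file holds at least one complete PEM
    certificate block. This does not validate the certificate; it catches
    the case where the fetch returned an error page or an empty file, which
    would otherwise surface as an obscure TLS failure later.
    """
    with open(path, "rb") as f:
        data = f.read()
    begin = data.find(PEM_CERT_BEGIN)
    if begin < 0:
        return False
    end = data.find(PEM_CERT_END, begin + len(PEM_CERT_BEGIN))
    return end > begin


def stage_ca_cert(fetch_bytes):
    """Write the fetched CA bytes into a private temp dir and check them.

    fetch_bytes is a callable returning the raw bytes of ca.crt (in the
    installer this would be the HTTP download). Returns (ok, contents) so
    the caller can decide whether to proceed to the StartTLS bind.
    """
    with temporary_ca_dir() as tmpdir:
        ca_path = os.path.join(tmpdir, "ca.crt")
        # O_EXCL guarantees we create the file ourselves and never follow
        # a pre-existing symlink; 0600 keeps it private like the directory.
        fd = os.open(ca_path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
        with os.fdopen(fd, "wb") as f:
            f.write(fetch_bytes())
        ok = is_private_dir(tmpdir) and check_pem_certificate(ca_path)
        with open(ca_path, "rb") as f:
            return ok, f.read()


if __name__ == "__main__":
    print(stage_ca_cert(lambda: SAMPLE_CA_PEM)[0])
    print(stage_ca_cert(lambda: b"<html>404 Not Found</html>")[0])
```

Note the limit of what this buys: the certificate still arrives over plain HTTP, so the temp directory protects against local tampering and leftover files, not against a network attacker who serves a different CA. That is what the later Kerberos enrolment and the server's nsslapd-minssf setting mentioned in the thread are for.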
From: rcritten at redhat.com (Rob Crittenden) Date: Mon, 21 Feb 2011 14:52:55 -0500 Subject: [Freeipa-devel] [PATCH] 049 Make nsslib IPv6 aware In-Reply-To: <20110217193228.GB8687@zeppelin.brq.redhat.com> References: <20110202225932.GA28047@zeppelin.brq.redhat.com> <201102031423.11366.jzeleny@redhat.com> <20110208132805.GB16467@zeppelin.brq.redhat.com> <201102091023.27755.jzeleny@redhat.com> <20110217192537.GA8687@zeppelin.brq.redhat.com> <20110217193228.GB8687@zeppelin.brq.redhat.com> Message-ID: <4D62C297.1090609@redhat.com> Jakub Hrozek wrote: > On Thu, Feb 17, 2011 at 08:25:37PM +0100, Jakub Hrozek wrote: >> On Wed, Feb 09, 2011 at 10:23:27AM +0100, Jan Zelený wrote: >>> Jakub Hrozek wrote: >>>> On Thu, Feb 03, 2011 at 02:23:11PM +0100, Jan Zelený wrote: >>>>> Jakub Hrozek wrote: >>>>>> Hi, >>>>>> >>>>>> attached is a patch to nsslib.py that changes its semantics so >>>>>> it is able to work with different address families. It is the last >>>>>> piece of IPv6 support. >>>>>> >>>>>> Aside from the hunks in the patch, I still need to set Requires: in the >>>>>> patch (don't know the exact version yet). Also, the attached patch >>>>>> always tries IPv4 first and only falls back to IPv6. I think there >>>>>> should be a config option that tells IPA to prefer one of the address >>>>>> families or use it exclusively for performance reasons. >>>>>> >>>>>> Please note that the patch requires the latest changes to python-nss >>>>>> in order to work correctly. Since John is still working on python-nss >>>>>> packages, this patch should be treated as a preview and not pushed even >>>>>> if it is deemed OK. At this stage, I'd like to get at least the general >>>>>> approach and code reviewed so I can fix it tomorrow. >>>>>> >>>>>> Thank you, >>>>>> >>>>>> Jakub >>>>> >>>>> The patch looks ok, all my questions answered off-list. Also tested with >>>>> IPv4 (latest python-nss installed) and IPv6, both work fine. 
>>>>> >>>>> ACK >>>>> >>>>> Jan >>>> >>>> Thanks for the review. But attached is a new version of the patch that >>>> changes the semantics a little based on what's recommended by the new >>>> version of python-nss: don't construct the NetworkAddress object >>>> manually, but rather resolve the hostname using the AddrInfo object and >>>> then try connecting to the list of NetworkAddress objects manually. >>> >>> Changes consulted off-list, the patch looks good. Will do some more testing on >>> RHEL6. Unless I find some issues, this patch is ACKed. >>> >>> Jan >>> >> >> One more change - bumped the minimum required version of python-nss to >> 0.11 which is in the nightly devel repo now. >> > > and now with the patch attached. ack, pushed to master From ayoung at redhat.com Mon Feb 21 20:11:37 2011 
From: ayoung at redhat.com (Adam Young) Date: Mon, 21 Feb 2011 15:11:37 -0500 Subject: [Freeipa-devel] [PATCH] 106 I18n update. In-Reply-To: <4D628D62.2020104@redhat.com> References: <4D5E2A62.8000003@redhat.com> <4D5E8C88.3080400@redhat.com> <4D5EC3B3.8030705@redhat.com> <4D5EEEC3.1010404@redhat.com> <4D5F488D.1020609@redhat.com> <4D5F4BB8.5080100@redhat.com> <4D6283E8.3010208@redhat.com> <4D628D62.2020104@redhat.com> Message-ID: <4D62C6F9.6030604@redhat.com> On 02/21/2011 11:05 AM, Endi Sukma Dewata wrote: > On 2/21/2011 9:25 AM, Adam Young wrote: >>> I haven't got a chance to provide a long explanation for this, but >>> please try to apply all patches that I've submitted (until 109) and >>> see the user.js, group.js and certificate.js. I think they are clearly >>> structured and easy to understand. >>> >>> Try to think "plugins" as "modules", and "init()" as "start()" or >>> "main()", or some other terms. Once all entity files are converted to >>> use this framework, it may be possible to remove init() from >>> entity/facet/widget. The init() is not an unnecessary duplication of >>> constructor, but it's a callback to indicate that the messages are >>> loaded. >> >> OK, just completed a more in depth review. I stand by my original call. >> I don't want to make a change like this in the 2.0 timeframe. When we do >> make the change, it will incorporate some of these ideas, but we are not >> going to use the deliberate init() call. >> >> For now, just make the libraries for cert etc as lazy load accessors >> like I recommended earlier. It should be a pretty short addition to >> Patch 106-2. Hold on to the changes from patches 106-3 on and we will >> design a more complete refactoring target for the 2.1 release. > > Attached is an updated patch with the IPA.plugin framework removed. > For now I'm just using the same method used for IPA.sudo, using a > plain hash table. The IPA.cert.CRL_REASON for now is hard-coded. 
Let's > get this patch and 107 in first because they really should go together > with patch 105 which is already pushed. Please submit your registry > code as a separate patch, it shouldn't be combined with these i18n > fixes. Thanks! > ACK and pushed to master. From ayoung at redhat.com Mon Feb 21 20:11:57 2011 From: ayoung at redhat.com (Adam Young) Date: Mon, 21 Feb 2011 15:11:57 -0500 Subject: [Freeipa-devel] [PATCH] 107 Updated test data files. In-Reply-To: <4D5E90BF.5010102@redhat.com> References: <4D5E2AAA.30606@redhat.com> <4D5E90BF.5010102@redhat.com> Message-ID: <4D62C70D.8070209@redhat.com> On 02/18/2011 10:31 AM, Adam Young wrote: > On 02/18/2011 03:15 AM, Endi Sukma Dewata wrote: >> https://fedorahosted.org/freeipa/ticket/899 >> >> >> _______________________________________________ >> Freeipa-devel mailing list >> Freeipa-devel at redhat.com >> https://www.redhat.com/mailman/listinfo/freeipa-devel > If applied without 106 it breaks the unit tests, so hold on this until > 106 is rebased > > > _______________________________________________ > Freeipa-devel mailing list > Freeipa-devel at redhat.com > https://www.redhat.com/mailman/listinfo/freeipa-devel ACK and pushed to master -------------- next part -------------- An HTML attachment was scrubbed... URL: From edewata at redhat.com Mon Feb 21 20:23:32 2011 From: edewata at redhat.com (Endi Sukma Dewata) Date: Mon, 21 Feb 2011 14:23:32 -0600 Subject: [Freeipa-devel] [PATCH] 110 Fixed error message for invalid Kerberos ticket. Message-ID: <4D62C9C4.4010803@redhat.com> https://fedorahosted.org/freeipa/ticket/490 -- Endi S. Dewata -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-edewata-0110-Fixed-error-message-for-invalid-Kerberos-ticket.patch Type: text/x-patch Size: 3917 bytes Desc: not available URL: From ayoung at redhat.com Mon Feb 21 20:38:12 2011 
From: ayoung at redhat.com (Adam Young) Date: Mon, 21 Feb 2011 15:38:12 -0500 Subject: [Freeipa-devel] [PATCH] 110 Fixed error message for invalid Kerberos ticket. In-Reply-To: <4D62C9C4.4010803@redhat.com> References: <4D62C9C4.4010803@redhat.com> Message-ID: <4D62CD34.2000005@redhat.com> On 02/21/2011 03:23 PM, Endi Sukma Dewata wrote: > https://fedorahosted.org/freeipa/ticket/490 > > > _______________________________________________ > Freeipa-devel mailing list > Freeipa-devel at redhat.com > https://www.redhat.com/mailman/listinfo/freeipa-devel ACK -------------- next part -------------- An HTML attachment was scrubbed... URL: From JR.Aquino at citrix.com Mon Feb 21 20:40:17 2011 
From: JR.Aquino at citrix.com (JR Aquino)
Date: Mon, 21 Feb 2011 20:40:17 +0000
Subject: [Freeipa-devel] [PATCH] 18 Use TLS for ipadiscovery during ipa client install
In-Reply-To:
Message-ID:

On 2/21/11 11:18 AM, "JR Aquino" wrote:
> On 2/21/11 10:46 AM, "Jan Zeleny" wrote:
>
>> Rob Crittenden wrote:
>>> JR Aquino wrote:
>>>> On 2/17/11 9:46 AM, "Jan Zeleny" wrote:
>>>>> JR Aquino wrote:
>>>>>> Let's try now. Attached is the corrected patch.
>>>>>>
>>>>>> There were several spots in ipa-client-install where the server could be defined and it was getting missed.
>>>>>> I have omitted any change to ipa-client-install and instead just focused on ipadiscovery.py
>>>>>>
>>>>>> ipadiscovery.py now performs its own fetch of the CACert just to be sure.
>>>>>>
>>>>>> Regarding TLS vs LDAPS.
>>>>>>
>>>>>> LDAP over SSL was common in LDAP Version 2 (LDAPv2) but it was never standardized in any formal specification. This usage has been deprecated along with LDAPv2, which was officially retired in 2003.
>>>>>>
>>>>>> LDAPS is still supported, but considered deprecated in favor of TLS as defined in RFC2830.
>>>>>>
>>>>>> On 2/17/11 2:01 AM, "Jan Zelený" wrote:
>>>>>>> JR Aquino wrote:
>>>>>>>> This patch addresses the need to utilize TLS when using the ipa-client-install tool. It addresses ticket:
>>>>>>>> https://fedorahosted.org/freeipa/ticket/974
>>>>>>>
>>>>>>> Nack, running ipa-client-install returned this error:
>>>>>>>
>>>>>>> # ipa-client-install
>>>>>>> Retrieving CA from None failed.
>>>>>>> Command '/usr/bin/wget -O /etc/ipa/ca.crt http://None/ipa/config/ca.crt' returned non-zero exit status 4
>>>>>>>
>>>>>>>
>>>>>>> One more question - shouldn't you use ldaps directly to connect to the server?
>>>>>>>
>>>>>>> Jan
>>>>>
>>>>> Sorry, I have to Nack it again, the patch seems incomplete, since it is only adding some cacert fetching code to IPADiscovery.
>>>>>
>>>>> Jan
>>>>
>>>> Please ignore previous patches for #18. Attached is the replacement all inclusive patch for this ticket.
>>>>
>>>>
>>>> Per Rob:
>>>> ipadiscovery should not attempt to create the /etc/ipa/ca.crt; rather, it should populate a tempdir with the temp cert for the initial discovery bind.
>>>>
>>>> Attached is the full patch to provide both TLS and the safer wget of the ca.crt to a temporary directory created by tempfile.mkdtemp()
>>>>
>>>> Please verify that ipa-client-install from a separate machine functions as expected against a FreeIPA server who is set to "nsslapd-minssf: 56"
>>>
>>> It looks ok except for the try/except around the tempfile. If it fails all heck is gonna break loose. We should raise a RuntimeError in that case.
>>>
>>> rob
>>
>> Agreed, I had more or less the same comment prepared.
>
> Correction made, patch attached.
>
> except OSError, e:
>     raise RuntimeError("Creating temporary directory failed: %s" % str(e))

In the spirit of consistency, I have corrected a section further down where sys.exit is called instead of raising the exception.

I have also broken out the removal of the temp files in a finally clause.

Please review, and confirm that it meets with your approval.

-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-jraquino-0018-Use-TLS-for-ipadiscovery-during-ipa-client.patch
Type: application/octet-stream
Size: 2254 bytes
Desc: freeipa-jraquino-0018-Use-TLS-for-ipadiscovery-during-ipa-client.patch
URL:

From edewata at redhat.com Mon Feb 21 20:54:08 2011
From: edewata at redhat.com (Endi Sukma Dewata) Date: Mon, 21 Feb 2011 14:54:08 -0600 Subject: [Freeipa-devel] [PATCH] 110 Fixed error message for invalid Kerberos ticket. In-Reply-To: <4D62CD34.2000005@redhat.com> References: <4D62C9C4.4010803@redhat.com> <4D62CD34.2000005@redhat.com> Message-ID: <4D62D0F0.4060302@redhat.com> On 2/21/2011 2:38 PM, Adam Young wrote: >> https://fedorahosted.org/freeipa/ticket/490 > ACK Pushed to master. -- Endi S. Dewata From rcritten at redhat.com Mon Feb 21 21:09:52 2011 
From: rcritten at redhat.com (Rob Crittenden)
Date: Mon, 21 Feb 2011 16:09:52 -0500
Subject: [Freeipa-devel] [PATCH] 18 Use TLS for ipadiscovery during ipa client install
In-Reply-To:
References:
Message-ID: <4D62D4A0.3030205@redhat.com>

JR Aquino wrote:
> On 2/21/11 11:18 AM, "JR Aquino" wrote:
>
>> On 2/21/11 10:46 AM, "Jan Zeleny" wrote:
>>
>>> Rob Crittenden wrote:
>>>> JR Aquino wrote:
>>>>> On 2/17/11 9:46 AM, "Jan Zeleny" wrote:
>>>>>> JR Aquino wrote:
>>>>>>> Let's try now. Attached is the corrected patch.
>>>>>>>
>>>>>>> There were several spots in ipa-client-install where the server could be defined and it was getting missed.
>>>>>>> I have omitted any change to ipa-client-install and instead just focused on ipadiscovery.py
>>>>>>>
>>>>>>> ipadiscovery.py now performs its own fetch of the CACert just to be sure.
>>>>>>>
>>>>>>> Regarding TLS vs LDAPS.
>>>>>>>
>>>>>>> LDAP over SSL was common in LDAP Version 2 (LDAPv2) but it was never standardized in any formal specification. This usage has been deprecated along with LDAPv2, which was officially retired in 2003.
>>>>>>>
>>>>>>> LDAPS is still supported, but considered deprecated in favor of TLS as defined in RFC2830.
>>>>>>>
>>>>>>> On 2/17/11 2:01 AM, "Jan Zelený" wrote:
>>>>>>>> JR Aquino wrote:
>>>>>>>>> This patch addresses the need to utilize TLS when using the ipa-client-install tool. It addresses ticket:
>>>>>>>>> https://fedorahosted.org/freeipa/ticket/974
>>>>>>>>
>>>>>>>> Nack, running ipa-client-install returned this error:
>>>>>>>>
>>>>>>>> # ipa-client-install
>>>>>>>> Retrieving CA from None failed.
>>>>>>>> Command '/usr/bin/wget -O /etc/ipa/ca.crt http://None/ipa/config/ca.crt' returned non-zero exit status 4
>>>>>>>>
>>>>>>>>
>>>>>>>> One more question - shouldn't you use ldaps directly to connect to the server?
>>>>>>>>
>>>>>>>> Jan
>>>>>>
>>>>>> Sorry, I have to Nack it again, the patch seems incomplete, since it is only adding some cacert fetching code to IPADiscovery.
>>>>>>
>>>>>> Jan
>>>>>
>>>>> Please ignore previous patches for #18. Attached is the replacement all inclusive patch for this ticket.
>>>>>
>>>>>
>>>>> Per Rob:
>>>>> ipadiscovery should not attempt to create the /etc/ipa/ca.crt; rather, it should populate a tempdir with the temp cert for the initial discovery bind.
>>>>>
>>>>> Attached is the full patch to provide both TLS and the safer wget of the ca.crt to a temporary directory created by tempfile.mkdtemp()
>>>>>
>>>>> Please verify that ipa-client-install from a separate machine functions as expected against a FreeIPA server who is set to "nsslapd-minssf: 56"
>>>>
>>>> It looks ok except for the try/except around the tempfile. If it fails all heck is gonna break loose. We should raise a RuntimeError in that case.
>>>>
>>>> rob
>>>
>>> Agreed, I had more or less the same comment prepared.
>>
>> Correction made, patch attached.
>>
>> except OSError, e:
>>     raise RuntimeError("Creating temporary directory failed: %s" % str(e))
>
> In the spirit of consistency, I have corrected a section further down where sys.exit is called instead of raising the exception.
>
> I have also broken out the removal of the temp files in a finally clause.
>
> Please review, and confirm that it meets with your approval.
>

ack, pushed to master

From rcritten at redhat.com Mon Feb 21 21:57:22 2011
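The mkdtemp / RuntimeError / finally shape that the thread above converges on, as an added example that is not JR's patch or FreeIPA's ipadiscovery code: the fetched CA certificate is staged in a private temporary directory, the path is handed to a caller-supplied callback (where the StartTLS discovery bind would go), a RuntimeError rather than sys.exit() is raised when the directory cannot be created, and the directory is removed in a finally clause whether the callback returns or raises. The names `with_temp_ca_cert` and `describe_staged_cert`, the `parent_dir` parameter and the placeholder PEM bytes are all constructed for this example.

```python
import os
import shutil
import stat
import tempfile


def with_temp_ca_cert(ca_pem, action, parent_dir=None):
    """Stage ca_pem in a fresh private directory, run action(ca_path), always clean up.

    parent_dir exists only so callers (and tests) can point mkdtemp at a specific
    location; None means the system temp dir.  Returns whatever action returns.
    """
    try:
        # mkdtemp creates the directory with mode 0700, so no other local user
        # can replace the certificate between the download and the discovery bind.
        tmpdir = tempfile.mkdtemp(prefix='ipa-discovery-', dir=parent_dir)
    except OSError as e:
        # Raise instead of sys.exit(): library code should let the caller
        # (the installer, in the thread) decide whether discovery failure is fatal.
        raise RuntimeError('Creating temporary directory failed: %s' % e)
    try:
        ca_path = os.path.join(tmpdir, 'ca.crt')
        with open(ca_path, 'wb') as f:
            f.write(ca_pem)
        return action(ca_path)
    finally:
        # Runs on success and on any exception raised by action(): the staged
        # copy of the CA never outlives the discovery step.
        shutil.rmtree(tmpdir, ignore_errors=True)


def describe_staged_cert(ca_path):
    """Example action: report where the cert was staged and that the dir is private."""
    mode = stat.S_IMODE(os.stat(os.path.dirname(ca_path)).st_mode)
    return {'path': ca_path, 'private': mode == 0o700,
            'size': os.path.getsize(ca_path)}


# Constructed placeholder, not a real certificate.
CONSTRUCTED_CA_PEM = (b"-----BEGIN CERTIFICATE-----\n"
                      b"MIIB...constructed placeholder...\n"
                      b"-----END CERTIFICATE-----\n")


def demo():
    """Run the pattern once and confirm the staging directory is gone afterwards."""
    info = with_temp_ca_cert(CONSTRUCTED_CA_PEM, describe_staged_cert)
    info['cleaned_up'] = not os.path.exists(os.path.dirname(info['path']))
    return info


if __name__ == '__main__':
    print(demo())
```

In a real client the callback would open the LDAP connection with the staged path as its CA file; keeping that step inside the callback is what lets the finally clause own the lifetime of the temporary directory.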
From: rcritten at redhat.com (Rob Crittenden) Date: Mon, 21 Feb 2011 16:57:22 -0500 Subject: [Freeipa-devel] [PATCH] 738 default.conf man page Message-ID: <4D62DFC2.9070308@redhat.com> Add a man page for the IPA configuration file default.conf. ticket 969 rob -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-rcrit-738-man.patch Type: application/mbox Size: 10274 bytes Desc: not available URL: From edewata at redhat.com Mon Feb 21 22:29:13 2011 From: edewata at redhat.com (Endi Sukma Dewata) Date: Mon, 21 Feb 2011 16:29:13 -0600 Subject: [Freeipa-devel] [PATCH] 111 Fixed error dialog box. Message-ID: <4D62E739.5070506@redhat.com> The IPA.cmd() has been modified to set the error dialog box's title properly. -- Endi S. Dewata -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-edewata-0111-Fixed-error-dialog-box.patch Type: text/x-patch Size: 2533 bytes Desc: not available URL: From ayoung at redhat.com Mon Feb 21 22:32:29 2011 From: ayoung at redhat.com (Adam Young) Date: Mon, 21 Feb 2011 17:32:29 -0500 Subject: [Freeipa-devel] [PATCH] admiyo-0198-search-filter-focus Message-ID: <4D62E7FD.7090401@redhat.com> Not going to complete the whole tab-order aspect, but this covers the most important part, which is hitting enter and also focus for the filter field -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-admiyo-0198-search-filter-focus.patch Type: text/x-patch Size: 2302 bytes Desc: not available URL: From JR.Aquino at citrix.com Mon Feb 21 22:35:09 2011 
From: JR.Aquino at citrix.com (JR Aquino)
Date: Mon, 21 Feb 2011 22:35:09 +0000
Subject: [Freeipa-devel] [PATCH] 78 Use ldapi: instead of unsecured ldap: in ipa core tools.
In-Reply-To: <4D5A8B86.3050105@redhat.com>
Message-ID:

On 2/15/11 6:19 AM, "Pavel Zuna" wrote:
> On 02/14/2011 04:56 PM, JR Aquino wrote:
>> On 2/10/11 2:42 AM, "Pavel Zuna" wrote:
>>
>>> On 02/08/2011 01:06 PM, Pavel Zuna wrote:
>>>> The patch also corrects exception handling in some of the tools.
>>>>
>>>> Fix #874
>>>>
>>>> Pavel
>>>>
>>>
>>> Updated patch attached. Forgot to rename an identifier in exception handling.
>>>
>>> Pavel
>>
>> NACK
>>
>> It looks like LDAPUpdate calls may want to include ldapi=True?
>>
>> -=-
>> # ipa-nis-manage enable
>> Directory Manager password:
>>
>> Enabling plugin
>> Traceback (most recent call last):
>>   File "/usr/sbin/ipa-nis-manage", line 211, in <module>
>>     sys.exit(main())
>>   File "/usr/sbin/ipa-nis-manage", line 151, in main
>>     ld = LDAPUpdate(dm_password=dirman_password, sub_dict={})
>>   File "/usr/lib/python2.7/site-packages/ipaserver/install/ldapupdate.py", line 101, in __init__
>>     conn.do_simple_bind(bindpw=self.dm_password)
>>   File "/usr/lib/python2.7/site-packages/ipaserver/ipaldap.py", line 350, in do_simple_bind
>>     self.simple_bind_s(binddn, bindpw)
>>   File "/usr/lib/python2.7/site-packages/ipaserver/ipaldap.py", line 204, in inner
>>     return f(*args, **kargs)
>>   File "/usr/lib64/python2.7/site-packages/ldap/ldapobject.py", line 207, in simple_bind_s
>>     return self.result(msgid,all=1,timeout=self.timeout)
>>   File "/usr/lib/python2.7/site-packages/ipaserver/ipaldap.py", line 181, in inner
>>     objtype, data = f(*args, **kargs)
>>   File "/usr/lib64/python2.7/site-packages/ldap/ldapobject.py", line 436, in result
>>     res_type,res_data,res_msgid = self.result2(msgid,all,timeout)
>>   File "/usr/lib/python2.7/site-packages/ipaserver/ipaldap.py", line 204, in inner
>>     return f(*args, **kargs)
>>   File "/usr/lib64/python2.7/site-packages/ldap/ldapobject.py", line 440, in result2
>>     res_type, res_data, res_msgid, srv_ctrls = self.result3(msgid,all,timeout)
>>   File "/usr/lib/python2.7/site-packages/ipaserver/ipaldap.py", line 204, in inner
>>     return f(*args, **kargs)
>>   File "/usr/lib64/python2.7/site-packages/ldap/ldapobject.py", line 446, in result3
>>     ldap_result = self._ldap_call(self._l.result3,msgid,all,timeout)
>>   File "/usr/lib/python2.7/site-packages/ipaserver/ipaldap.py", line 204, in inner
>>     return f(*args, **kargs)
>>   File "/usr/lib64/python2.7/site-packages/ldap/ldapobject.py", line 96, in _ldap_call
>>     result = func(*args,**kwargs)
>> ldap.UNWILLING_TO_PERFORM: {'info': 'Minimum SSF not met.', 'desc': 'Server is unwilling to perform'}
>>
>
> I can't reproduce this. :-/
>
> For me it goes fine:
>
> [root at ipadev tools]# ./ipa-nis-manage enable
> Directory Manager password:
>
> Enabling plugin
> This setting will not take effect until you restart Directory Server.
> The rpcbind service may need to be started.
>
>
> Pavel

To reproduce this, you must have minssf set in the dse.ldif on the ipa server.

The highest number you can put in is: 56 due to some oddities with how SASL communicates bit strength.

From rcritten at redhat.com Mon Feb 21 22:47:59 2011
From: rcritten at redhat.com (Rob Crittenden)
Date: Mon, 21 Feb 2011 17:47:59 -0500
Subject: [Freeipa-devel] [PATCH] 049 Make nsslib IPv6 aware
In-Reply-To: <20110217192537.GA8687@zeppelin.brq.redhat.com>
References: <20110202225932.GA28047@zeppelin.brq.redhat.com> <201102031423.11366.jzeleny@redhat.com> <20110208132805.GB16467@zeppelin.brq.redhat.com> <201102091023.27755.jzeleny@redhat.com> <20110217192537.GA8687@zeppelin.brq.redhat.com>
Message-ID: <4D62EB9F.7060205@redhat.com>

Jakub Hrozek wrote:
> On Wed, Feb 09, 2011 at 10:23:27AM +0100, Jan Zelený wrote:
>> Jakub Hrozek wrote:
>>> On Thu, Feb 03, 2011 at 02:23:11PM +0100, Jan Zelený wrote:
>>>> Jakub Hrozek wrote:
>>>>> Hi,
>>>>>
>>>>> attached is a patch to nsslib.py that changes its semantics so it is able to work with different address families. It is the last piece of IPv6 support.
>>>>>
>>>>> Aside from the hunks in the patch, I still need to set Requires: in the patch (don't know the exact version yet). Also, the attached patch always tries IPv4 first and only falls back to IPv6. I think there should be a config option that tells IPA to prefer one of the address families or use it exclusively for performance reasons.
>>>>>
>>>>> Please note that the patch requires the latest changes to python-nss in order to work correctly. Since John is still working on python-nss packages, this patch should be treated as a preview and not pushed even if it is deemed OK. At this stage, I'd like to get at least the general approach and code reviewed so I can fix it tomorrow.
>>>>>
>>>>> Thank you,
>>>>>
>>>>> Jakub
>>>>
>>>> The patch looks ok, all my questions answered off-list. Also tested with IPv4 (latest python-nss installed) and IPv6, both work fine.
>>>>
>>>> ACK
>>>>
>>>> Jan
>>>
>>> Thanks for the review. But attached is a new version of the patch that changes the semantics a little based on what's recommended by the new version of python-nss: don't construct the NetworkAddress object manually, but rather resolve the hostname using the AddrInfo object and then try connecting to the list of NetworkAddress objects manually.
>>
>> Changes consulted off-list, the patch looks good. Will do some more testing on RHEL6. Unless I find some issues, this patch is ACKed.
>>
>> Jan
>>
>
> One more change - bumped the minimum required version of python-nss to 0.11 which is in the nightly devel repo now.

pushed to master

From edewata at redhat.com Mon Feb 21 23:35:39 2011
From: edewata at redhat.com (Endi Sukma Dewata)
Date: Mon, 21 Feb 2011 17:35:39 -0600
Subject: [Freeipa-devel] [PATCH] admiyo-0198-search-filter-focus
In-Reply-To: <4D62E7FD.7090401@redhat.com>
References: <4D62E7FD.7090401@redhat.com>
Message-ID: <4D62F6CB.9020903@redhat.com>

On 2/21/2011 4:32 PM, Adam Young wrote:
> Not going to complete the whole tab-order aspect, but this covers the most important part, which is hitting enter and also focus for the filter field

ACK and pushed to master.

--
Endi S. Dewata

From davido at redhat.com Tue Feb 22 05:54:58 2011
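The resolve-then-iterate approach from the nsslib patch thread (049) above, as an added example that is not FreeIPA's nsslib.py: it uses the standard library's socket.getaddrinfo and ssl instead of python-nss's AddrInfo and NetworkAddress, but has the same shape. The host name is resolved once, the results are ordered by the preferred address family, and each address is tried until one connects, so IPv6 support never hand-builds an address object. `resolve`, `connect_first`, `tls_connect`, the `prefer` parameter and the injectable `resolver`/`connect` callables are names chosen here; the callables are injectable so the fallback logic can be exercised without a network.

```python
import socket
import ssl

# Which family to try first; the other one is the fallback.
FAMILY_ORDER = {
    'ipv4': (socket.AF_INET, socket.AF_INET6),
    'ipv6': (socket.AF_INET6, socket.AF_INET),
}


def resolve(host, port, prefer='ipv4', resolver=socket.getaddrinfo):
    """Return [(family, sockaddr), ...] for host:port with the preferred family first.

    This is the stdlib counterpart of building an AddrInfo and walking its
    NetworkAddress list rather than constructing a single address by hand.
    """
    order = FAMILY_ORDER[prefer]
    infos = resolver(host, port, 0, socket.SOCK_STREAM)
    candidates = [(fam, sockaddr) for fam, _type, _proto, _canon, sockaddr in infos
                  if fam in order]
    # sorted() is stable: the resolver's own order is kept within each family.
    return sorted(candidates, key=lambda item: order.index(item[0]))


def connect_first(host, port, prefer='ipv4', connect=None, resolver=socket.getaddrinfo):
    """Try each resolved address in order and return the first open connection.

    Failures are remembered so the error surfaced to the caller is the one from
    the last address tried, not a generic "could not connect".
    """
    connect = connect or tls_connect
    candidates = resolve(host, port, prefer, resolver)
    if not candidates:
        raise OSError('no IPv4/IPv6 addresses for %s' % host)
    last_error = None
    for family, sockaddr in candidates:
        try:
            return connect(family, sockaddr, host)
        except OSError as e:          # ssl.SSLError is an OSError too
            last_error = e
    raise last_error


def tls_connect(family, sockaddr, host, timeout=5.0):
    """Open a socket of the given family and wrap it in a verifying TLS session.

    server_hostname is the name the user asked for, not the literal address, so
    certificate verification and SNI behave the same over IPv4 and IPv6.
    """
    ctx = ssl.create_default_context()
    sock = socket.socket(family, socket.SOCK_STREAM)
    sock.settimeout(timeout)
    try:
        sock.connect(sockaddr)
        return ctx.wrap_socket(sock, server_hostname=host)
    except OSError:
        sock.close()
        raise
```

The `prefer` argument is the configuration knob Jakub mentions wanting; with the default 'ipv4' the behaviour matches the patch as described (IPv4 first, IPv6 as the fallback).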
From: davido at redhat.com (David O'Brien)
Date: Tue, 22 Feb 2011 15:54:58 +1000
Subject: [Freeipa-devel] Help define the roles IPA has by default
In-Reply-To: <4D555D1F.9000208@redhat.com>
References: <4D540E6F.5090303@redhat.com> <4D5444F5.5020604@redhat.com> <4D545887.7080204@redhat.com> <4D548215.7090906@redhat.com> <4D554721.7040809@redhat.com> <4D5551E6.9040801@redhat.com> <4D555D1F.9000208@redhat.com>
Message-ID: <4D634FB2.4040509@redhat.com>

Dmitri Pal wrote:
> On 02/11/2011 10:12 AM, Rob Crittenden wrote:
>> Dmitri Pal wrote:
>>> On 02/10/2011 07:25 PM, David O'Brien wrote:
>>>> Dmitri Pal wrote:
>>>>> On 02/10/2011 03:05 PM, Jakub Hrozek wrote:
>>>>>> On 02/10/2011 05:12 PM, Rob Crittenden wrote:
>>>>>>> But what other roles do we need? The mind boggles and rather than dictating what the initial ones will be I'm looking for some guidance/suggestions.
>>>>>>>
>>>>>>> thanks
>>>>>>>
>>>>>>> rob
>>>>>> I'm actually wondering if we need to define many default roles in the upstream project. I'm thinking that every organization will have different needs and different ways of role delegation anyway, so I would rather make sure this feature is well documented with examples and use cases.
>>>>>>
>>>>> I think that a reasonable set of 3-5 roles and documentation how to change them should be sufficient.
>>>>>
>>>> I agree. On top of what Dmitri has already sent out, this thread is a really good continuation of documenting delegation, permissions, roles, etc., especially because this area is so different from v1. If we look at it from two perspectives, one being What does IPA need to function?, and the other being What do customers need?, then we can probably come up with a short list and provide some basic use cases, descriptions, and examples.
>>>>
>>>> Dmitri's list of 5 is good, although I would suggest settling on a naming format, by which I mean rather than a combination of person-based and role-based names, use a consistent format. Security Architect & IPA Administrator are people (faiap), while Helpdesk is a department. Anyway, you get the idea.
>>>>
>>>> We've already started with Name, Description, Goals; with a few use cases I can put together short sections with links to existing docs on how to use the relevant commands, or write them as needed.
>>>>
>>>> cheers
>>> Sounds like a good idea.
>>>
>> Well, some of these roles don't really match what we are shipping in v2. There is no place for Application Administrator at all and End User is implicit. So that leaves 3 roles. If we go with these we'll need to add some additional permissions/privileges to support it.
>>
>> If we go with this, here is what we're looking at. Also note that the role "IPA Administrator" is distinct from the group cn=admins which gives pretty much global access. Those that need additional permissions/privileges are marked with the ticket number.
>>
>> * Security Architect
>>   * IPA config (950)
>>   * Replication
>>   * Define delegation of roles to other, lower-level administrators
>>
>> * IPA Administrator
>>   * Define and create groups (and delete?)
>>   * Define the relationships between groups (what does this mean?)
>>   * Define and create roles for users and groups (what does this mean?)
>>   * Create nested groups (I don't know if we can have an aci for this)
>>
>> * Help Desk
>>   * Review what groups are enabled on what hosts (what does this mean, all groups are enabled on all hosts, right?)
>
> This means he can read HBAC rules
>
>>   * Set up/manage a user's attributes
>>   * Place a user in a specific group
>>   * Reset a user password
>>
>> This is a good start but it completely leaves out the following:
>>
>> * Users (helpdesk can modify & reset password, nobody can add/delete)
>> * Host management
>> * Service management
>> * Hostgroups
>> * SUDO
>> * HBAC
>> * netgroups
>> * DNS
>> * Automount
>>
>> rob
>>
>
> How about this layout
>
> Helpdesk Engineer
> * Edit users
> * Reset passwords
> * Add/remove group membership
> * Troubleshoot the HBAC (in future but not modify the HBAC rules themselves)
>
> User administrator - the person who is responsible for creating users and groups. This is instead IPA administrator above.
> * Users - full control
> * Groups - full control
>
> IT Specialist
> * Hosts full control
> * Hostgroups full control
> * Services full control
> * DNS full control
> * Automount
>
> IT Security Specialist - includes all of the above +
> * Netgroups
> * SUDO
> * HBAC
>
> Security Architect
> * IPA config
> * Password policies
> * Kerberos config
> * Replication
> * Define delegation of roles to other, lower-level administrators
>
> Did I miss anything?
>

Any updates on this? I'm up to my neck in Access Control doc at the moment and looking for any and all information, especially when it comes to what IPA provides by default. It gives me something to build on.

thanks

--
David O'Brien
Red Hat Asia Pacific Pty Ltd
+61 7 3514 8189
"He who asks is a fool for five minutes, but he who does not ask remains a fool forever." ~ Chinese proverb

From mkosek at redhat.com Tue Feb 22 08:59:16 2011
From: mkosek at redhat.com (Martin Kosek)
Date: Tue, 22 Feb 2011 09:59:16 +0100
Subject: [Freeipa-devel] [PATCH] 736 hard limit for # of batch requests
In-Reply-To: <4D629775.3010602@redhat.com>
References: <4D629775.3010602@redhat.com>
Message-ID: <1298365156.23580.1.camel@dhcp-25-52.brq.redhat.com>

On Mon, 2011-02-21 at 11:48 -0500, Rob Crittenden wrote:
> Set a hard limit of 256 for the # of commands in a batch request we'll handle.
>
> ticket 984
>
> rob

ACK. Works for me. Tested by custom JSON command via curl.

Martin

From jzeleny at redhat.com Tue Feb 22 09:34:35 2011
From: jzeleny at redhat.com (Jan Zeleny)
Date: Tue, 22 Feb 2011 10:34:35 +0100
Subject: [Freeipa-devel] [PATCH] 737 move BuildRequires
In-Reply-To: <4D62A9C8.7010404@redhat.com>
References: <4D62A9C8.7010404@redhat.com>
Message-ID: <201102221034.35497.jzeleny@redhat.com>

Rob Crittenden wrote:
> Move some BuildRequires so building with ONLY_CLIENT works.
>
> I tested with:
>
> $ mock -r fedora-14-x86_64 --define='ONLY_CLIENT 1' ./dist/srpms/freeipa-2.0.0GIT055a668-0.fc14.src.rpm
>
> rob

I'm a little confused. Some of the lines are only moved a couple lines above their original location (like python-ldap for instance).

Does this really have an impact on building? The only three lines I understand are those first three.

Thanks for explanation
Jan

From jhrozek at redhat.com Tue Feb 22 10:21:41 2011
From: jhrozek at redhat.com (Jakub Hrozek) Date: Tue, 22 Feb 2011 11:21:41 +0100 Subject: [Freeipa-devel] [PATCH] 737 move BuildRequires In-Reply-To: <201102221034.35497.jzeleny@redhat.com> References: <4D62A9C8.7010404@redhat.com> <201102221034.35497.jzeleny@redhat.com> Message-ID: <20110222102141.GA25239@zeppelin.brq.redhat.com> On Tue, Feb 22, 2011 at 10:34:35AM +0100, Jan Zeleny wrote: > Rob Crittenden wrote: > > Move some BuildRequires so building with ONLY_CLIENT works. > > > > I tested with: > > > > $ mock -r fedora-14-x86_64 --define='ONLY_CLIENT 1' > > ./dist/srpms/freeipa-2.0.0GIT055a668-0.fc14.src.rpm > > > > rob > > I'm a little confused. Some of the lines are only moved a couple lines above > their original location (like python-ldap for instance). > > Does this really have an impact on building? The only three lines I undestand > are those first three. > Note the %else. Koji scratch build of client worked fine: http://koji.fedoraproject.org/koji/taskinfo?taskID=2856864 Ack From jhrozek at redhat.com Tue Feb 22 10:33:32 2011 From: jhrozek at redhat.com (Jakub Hrozek) Date: Tue, 22 Feb 2011 11:33:32 +0100 Subject: [Freeipa-devel] [PATCH] 737 move BuildRequires In-Reply-To: <20110222102141.GA25239@zeppelin.brq.redhat.com> References: <4D62A9C8.7010404@redhat.com> <201102221034.35497.jzeleny@redhat.com> <20110222102141.GA25239@zeppelin.brq.redhat.com> Message-ID: <20110222103331.GB25239@zeppelin.brq.redhat.com> On Tue, Feb 22, 2011 at 11:21:41AM +0100, Jakub Hrozek wrote: > Note the %else. > Sorry, %endif. That separates BRs for !ONLY_CLIENT from those that are needed in both cases. From jhrozek at redhat.com Tue Feb 22 10:41:57 2011 
From: jhrozek at redhat.com (Jakub Hrozek) Date: Tue, 22 Feb 2011 11:41:57 +0100 Subject: [Freeipa-devel] [PATCH] 061 Validate NAPTR records In-Reply-To: <4D62AC5F.9090803@redhat.com> References: <4D5E63B4.3080505@redhat.com> <4D62AC5F.9090803@redhat.com> Message-ID: <20110222104156.GC25239@zeppelin.brq.redhat.com> On Mon, Feb 21, 2011 at 01:18:07PM -0500, Rob Crittenden wrote: > Jakub Hrozek wrote: > >-----BEGIN PGP SIGNED MESSAGE----- > >Hash: SHA1 > > > >I'm not sure about checking the flags - this might be a little too much > >validation. > > > >https://fedorahosted.org/freeipa/ticket/840 > > I think the flags length check needs to change. I would do this instead: > > flags = flags.replace('"','') > > Otherwise someone might try to pass in the flags 'SAU' and all that > would get set is A. > > rob OK, that's much better. New patch attached. -------------- next part -------------- >From aaeb347cfa015783606058a29b2009cf6306d578 Mon Sep 17 00:00:00 2001 From: Jakub Hrozek Date: Fri, 18 Feb 2011 11:00:36 +0100 Subject: [PATCH] Validate NAPTR records https://fedorahosted.org/freeipa/ticket/840 --- API.txt | 8 ++++---- ipalib/plugins/dns.py | 26 ++++++++++++++++++++++++++ 2 files changed, 30 insertions(+), 4 deletions(-) diff --git a/API.txt b/API.txt index b7ea174..56cbb8b 100644 --- a/API.txt +++ b/API.txt 
@@ -515,7 +515,7 @@ option: List('keyrecord?', attribute=True, cli_name='key_rec',ist('keyrecord?', option: List('kxrecord?', attribute=True, cli_name='kx_rec',ist('kxrecord?', attribute=True, cli_name='kx_rec', doc='comma-separated list of KX records', label='KX record', multivalue=True) option: List('locrecord?', attribute=True, cli_name='loc_rec',ist('locrecord?', attribute=True, cli_name='loc_rec', doc='comma-separated list of LOC records', label='LOC record', multivalue=True) option: List('mxrecord?', _validate_mx, attribute=True, cli_name='mx_rec',ist('mxrecord?', _validate_mx, attribute=True, cli_name='mx_rec', doc='comma-separated list of MX records', label='MX record', multivalue=True) -option: List('naptrrecord?', attribute=True, cli_name='naptr_rec',ist('naptrrecord?', attribute=True, cli_name='naptr_rec', doc='comma-separated list of NAPTR records', label='NAPTR record', multivalue=True) +option: List('naptrrecord?', _validate_naptr, attribute=True, cli_name='naptr_rec',ist('naptrrecord?', _validate_naptr, attribute=True, cli_name='naptr_rec', doc='comma-separated list of NAPTR records', label='NAPTR record', multivalue=True) option: List('nsrecord?', attribute=True, cli_name='ns_rec',ist('nsrecord?', attribute=True, cli_name='ns_rec', doc='comma-separated list of NS records', label='NS record', multivalue=True) option: List('nsecrecord?', attribute=True, cli_name='nsec_rec',ist('nsecrecord?', attribute=True, cli_name='nsec_rec', doc='comma-separated list of NSEC records', label='NSEC record', multivalue=True) option: List('nsec3record?', attribute=True, cli_name='nsec3_rec',ist('nsec3record?', attribute=True, cli_name='nsec3_rec', doc='comma-separated list of NSEC3 records', label='NSEC3 record', multivalue=True) 
@@ -559,7 +559,7 @@ option: List('keyrecord?', attribute=True, cli_name='key_rec',ist('keyrecord?', option: List('kxrecord?', attribute=True, cli_name='kx_rec',ist('kxrecord?', attribute=True, cli_name='kx_rec', doc='comma-separated list of KX records', label='KX record', multivalue=True) option: List('locrecord?', attribute=True, cli_name='loc_rec',ist('locrecord?', attribute=True, cli_name='loc_rec', doc='comma-separated list of LOC records', label='LOC record', multivalue=True) option: List('mxrecord?', _validate_mx, attribute=True, cli_name='mx_rec',ist('mxrecord?', _validate_mx, attribute=True, cli_name='mx_rec', doc='comma-separated list of MX records', label='MX record', multivalue=True) -option: List('naptrrecord?', attribute=True, cli_name='naptr_rec',ist('naptrrecord?', attribute=True, cli_name='naptr_rec', doc='comma-separated list of NAPTR records', label='NAPTR record', multivalue=True) +option: List('naptrrecord?', _validate_naptr, attribute=True, cli_name='naptr_rec',ist('naptrrecord?', _validate_naptr, attribute=True, cli_name='naptr_rec', doc='comma-separated list of NAPTR records', label='NAPTR record', multivalue=True) option: List('nsrecord?', attribute=True, cli_name='ns_rec',ist('nsrecord?', attribute=True, cli_name='ns_rec', doc='comma-separated list of NS records', label='NS record', multivalue=True) option: List('nsecrecord?', attribute=True, cli_name='nsec_rec',ist('nsecrecord?', attribute=True, cli_name='nsec_rec', doc='comma-separated list of NSEC records', label='NSEC record', multivalue=True) option: List('nsec3record?', attribute=True, cli_name='nsec3_rec',ist('nsec3record?', attribute=True, cli_name='nsec3_rec', doc='comma-separated list of NSEC3 records', label='NSEC3 record', multivalue=True) 
@@ -604,7 +604,7 @@ option: List('keyrecord?', attribute=True, cli_name='key_rec',ist('keyrecord?', option: List('kxrecord?', attribute=True, cli_name='kx_rec',ist('kxrecord?', attribute=True, cli_name='kx_rec', doc='comma-separated list of KX records', label='KX record', multivalue=True) option: List('locrecord?', attribute=True, cli_name='loc_rec',ist('locrecord?', attribute=True, cli_name='loc_rec', doc='comma-separated list of LOC records', label='LOC record', multivalue=True) option: List('mxrecord?', _validate_mx, attribute=True, cli_name='mx_rec',ist('mxrecord?', _validate_mx, attribute=True, cli_name='mx_rec', doc='comma-separated list of MX records', label='MX record', multivalue=True) -option: List('naptrrecord?', attribute=True, cli_name='naptr_rec',ist('naptrrecord?', attribute=True, cli_name='naptr_rec', doc='comma-separated list of NAPTR records', label='NAPTR record', multivalue=True) +option: List('naptrrecord?', _validate_naptr, attribute=True, cli_name='naptr_rec',ist('naptrrecord?', _validate_naptr, attribute=True, cli_name='naptr_rec', doc='comma-separated list of NAPTR records', label='NAPTR record', multivalue=True) option: List('nsrecord?', attribute=True, cli_name='ns_rec',ist('nsrecord?', attribute=True, cli_name='ns_rec', doc='comma-separated list of NS records', label='NS record', multivalue=True) option: List('nsecrecord?', attribute=True, cli_name='nsec_rec',ist('nsecrecord?', attribute=True, cli_name='nsec_rec', doc='comma-separated list of NSEC records', label='NSEC record', multivalue=True) option: List('nsec3record?', attribute=True, cli_name='nsec3_rec',ist('nsec3record?', attribute=True, cli_name='nsec3_rec', doc='comma-separated list of NSEC3 records', label='NSEC3 record', multivalue=True) 
@@ -661,7 +661,7 @@ option: List('keyrecord', attribute=True, cli_name='key_rec',ist('keyrecord', at option: List('kxrecord', attribute=True, cli_name='kx_rec',ist('kxrecord', attribute=True, cli_name='kx_rec', doc='comma-separated list of KX records', label='KX record', multivalue=True, query=True, required=False) option: List('locrecord', attribute=True, cli_name='loc_rec',ist('locrecord', attribute=True, cli_name='loc_rec', doc='comma-separated list of LOC records', label='LOC record', multivalue=True, query=True, required=False) option: List('mxrecord', _validate_mx, attribute=True, cli_name='mx_rec',ist('mxrecord', _validate_mx, attribute=True, cli_name='mx_rec', doc='comma-separated list of MX records', label='MX record', multivalue=True, query=True, required=False) -option: List('naptrrecord', attribute=True, cli_name='naptr_rec',ist('naptrrecord', attribute=True, cli_name='naptr_rec', doc='comma-separated list of NAPTR records', label='NAPTR record', multivalue=True, query=True, required=False) +option: List('naptrrecord', _validate_naptr, attribute=True, cli_name='naptr_rec',ist('naptrrecord', _validate_naptr, attribute=True, cli_name='naptr_rec', doc='comma-separated list of NAPTR records', label='NAPTR record', multivalue=True, query=True, required=False) option: List('nsrecord', attribute=True, cli_name='ns_rec',ist('nsrecord', attribute=True, cli_name='ns_rec', doc='comma-separated list of NS records', label='NS record', multivalue=True, query=True, required=False) option: List('nsecrecord', attribute=True, cli_name='nsec_rec',ist('nsecrecord', attribute=True, cli_name='nsec_rec', doc='comma-separated list of NSEC records', label='NSEC record', multivalue=True, query=True, required=False) option: List('nsec3record', attribute=True, cli_name='nsec3_rec',ist('nsec3record', attribute=True, cli_name='nsec3_rec', doc='comma-separated list of NSEC3 records', label='NSEC3 record', multivalue=True, query=True, required=False) 
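Review bot: The three API.txt hunks above register _validate_naptr on the naptrrecord option of the add, mod and find variants of dnsrecord, consistently with the dns.py change; the one point worth flagging is the third hunk, where the option is declared with query=True, required=False. If, as the query=True convention in ipalib implies, query parameters are not passed through their validators, the validator has no effect on dnsrecord-find and the format check is enforced only on add and mod. That is acceptable, but any test written for this ticket should exercise add/mod rather than find.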
diff --git a/ipalib/plugins/dns.py b/ipalib/plugins/dns.py index ed2f955..a18940b 100644 --- a/ipalib/plugins/dns.py +++ b/ipalib/plugins/dns.py @@ -155,12 +155,38 @@ def _validate_mx(ugettext, mx): return None +def _validate_naptr(ugettext, naptr): + "see RFC 2915 " + try: + order, pref, flags, svc, regexp, replacement = naptr.split() + except ValueError: + return u'format must be specified as "order preference flags service regexp replacement"' + + try: + order = int(order) + pref = int(pref) + except ValueError: + return u'order and preference must be integers' + + if order < 0 or order > 65535 or pref < 0 or pref > 65535: + return u'the value of order and preference must be between 0 and 65535' + + flags = flags.replace('"','') + flags = flags.replace('\'','') + if len(flags) != 1: + return u'flag must be a single character (quotation is allowed)' + if flags.upper() not in "SAUP": + return u'flag must be one of "S", "A", "U", or "P"' + + return None + _record_validators = { u'A': _validate_ipaddr, u'AAAA': _validate_ipaddr, u'APL': _validate_ipnet, u'SRV': _validate_srv, u'MX': _validate_mx, + u'NAPTR': _validate_naptr, } def has_cli_options(entry, no_option_msg): -- 1.7.4 From jhrozek at redhat.com Tue Feb 22 11:05:14 2011 From: jhrozek at redhat.com (Jakub Hrozek) Date: Tue, 22 Feb 2011 12:05:14 +0100 Subject: [Freeipa-devel] [PATCH] 738 default.conf man page In-Reply-To: <4D62DFC2.9070308@redhat.com> References: <4D62DFC2.9070308@redhat.com> Message-ID: <20110222110513.GD25239@zeppelin.brq.redhat.com> On Mon, Feb 21, 2011 at 04:57:22PM -0500, Rob Crittenden wrote: > Add a man page for the IPA configuration file default.conf. > > ticket 969 > > rob Looks good to me, Ack. The options that are in constants.py but not documented in the manpage seem to be unused. I guess we can remove them in the future (webui_assets_dir, mount_jsonserver etc..) From jhrozek at redhat.com Tue Feb 22 11:21:51 2011 
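Review bot: In the ipalib/plugins/dns.py hunk above, _validate_naptr's `if len(flags) != 1` rejects an empty flags field, yet RFC 2915 (which the docstring cites) allows an empty flags field to mark a non-terminal rule, so a record such as `100 50 "" "" "" _sip._udp.example.com.` is refused with "flag must be a single character"; suggest `if len(flags) > 1` followed by `if flags and flags.upper() not in "SAUP"`. Two smaller points: `naptr.split()` breaks a quoted service or regexp <character-string> that contains whitespace into extra fields, so such a record fails with the generic format message instead of a hint about quoting; and because `flags.upper() not in "SAUP"` is a substring test it is only correct while the length check runs first, which deserves a comment. The trailing space in the `"see RFC 2915 "` docstring can also go.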
From: jhrozek at redhat.com (Jakub Hrozek) Date: Tue, 22 Feb 2011 12:21:51 +0100 Subject: [Freeipa-devel] [PATCH] 735 configure krb5_realm in sssd ipa provider In-Reply-To: <4D62930C.4060505@redhat.com> References: <4D62845E.1020508@redhat.com> <20110221161132.GC7298@zeppelin.brq.redhat.com> <4D62930C.4060505@redhat.com> Message-ID: <20110222112150.GE25239@zeppelin.brq.redhat.com> On Mon, Feb 21, 2011 at 11:30:04AM -0500, Rob Crittenden wrote: > Jakub Hrozek wrote: > >On Mon, Feb 21, 2011 at 10:27:26AM -0500, Rob Crittenden wrote: > >>Set krb5_realm in sssd.conf in the ipa provider. > >> > >>ticket 925 > >> > >>rob > > > >This works fine, so Ack. > > > >One question, though, why don't we add the realm only if > >ipa_domain.upper() != krb5_realm? It would make the config file a little > >more readable for the 99% case where the two are the same. > > Sure. We can't assume that the realm is always upper case so I'll do > a case-insensitive match (I did lower by reflex). > > rob My sssd.conf is nice and minimal again, thank you :-) Ack From jzeleny at redhat.com Tue Feb 22 12:04:17 2011 From: jzeleny at redhat.com (Jan Zelený) Date: Tue, 22 Feb 2011 13:04:17 +0100 Subject: [Freeipa-devel] [PATCH] 737 move BuildRequires In-Reply-To: <20110222103331.GB25239@zeppelin.brq.redhat.com> References: <4D62A9C8.7010404@redhat.com> <20110222102141.GA25239@zeppelin.brq.redhat.com> <20110222103331.GB25239@zeppelin.brq.redhat.com> Message-ID: <201102221304.17403.jzeleny@redhat.com> Jakub Hrozek wrote: > On Tue, Feb 22, 2011 at 11:21:41AM +0100, Jakub Hrozek wrote: > > Note the %else. > > Sorry, %endif. That separates BRs for !ONLY_CLIENT from those that are > needed in both cases. Yes, I noticed that and I understand that part. I meant the part after the %endif - there is no need to move those dependencies. On the other hand it's definitely not a patch-blocker or something, so I give this patch ACK. Jan From jzeleny at redhat.com Tue Feb 22 12:14:52 2011
From: jzeleny at redhat.com (Jan =?iso-8859-15?q?Zelen=FD?=) Date: Tue, 22 Feb 2011 13:14:52 +0100 Subject: [Freeipa-devel] [PATCH] 728 default roles In-Reply-To: <4D6289AA.8090500@redhat.com> References: <4D5C977C.1020408@redhat.com> <20110221152544.GA7298@zeppelin.brq.redhat.com> <4D6289AA.8090500@redhat.com> Message-ID: <201102221314.52378.jzeleny@redhat.com> Rob Crittenden wrote: > Jakub Hrozek wrote: > > On Mon, Feb 21, 2011 at 10:11:38AM -0500, Rob Crittenden wrote: > >> Rob Crittenden wrote: > >>> Jakub Hrozek wrote: > >>>> -----BEGIN PGP SIGNED MESSAGE----- > >>>> Hash: SHA1 > >>>> > >>>> On 02/17/2011 04:35 AM, Rob Crittenden wrote: > >>>>> Add default roles and permissions for HBAC, SUDO and pw policy > >>>>> > >>>>> Created some default roles as examples. In doing so I realized that > >>>>> we were completely missing default rules for HBAC, SUDO and password > >>>>> policy so I added those as well. > >>>>> > >>>>> I ran into a problem when the updater has a default record and an add > >>>>> at the same time, it should handle it better now. > >>>>> > >>>>> ticket 585 > >>>>> > >>>>> rob > >>>> > >>>> I'm not sure about the HBAC rules ACIs. They are specified as: > >>>> > >>>> 'target = "ldap:///cn=*,cn=hbac,$SUFFIX"' > >>>> > >>>> while HBAC rules' DN is: > >>>> > >>>> 'ipauniqueid=*,cn=hbac,$SUFFIX'. > >>>> > >>>> But HBAC rules do have a cn: attribute, so maybe the ACIs would work? > >>> > >>> No, you're right, this is wrong. I'll fix it up and resubmit. > >>> > >>>> The patch also needs rebasing on top of recent changes to > >>>> install/updates/Makefile.am > >>>> > >>>> Other than that, looks OK to me. > >>>> > >>>> btw when I was reviewing this patch, I noticed we add a "DNS > >>>> Administrators" privilege in dns.ldif. Would it make sense to add DNS > >>>> administration to "Security Architect" (replication management) and > >>>> "IT Specialist" (hosts management)? 
> >>> > >>> The DNS stuff is added only if DNS is enabled on the server so I can't > >>> add them by default. > >>> > >>> rob > >> > >> Updated patch. > >> > >> rob > > > > Interdiff looks fine, but I'm not able to apply the patch (not even > > 3-way merge), can you rebase? > > done The patch now applies ok (just one whitespace warning), ack Jan From mkosek at redhat.com Tue Feb 22 12:42:46 2011 
From: mkosek at redhat.com (Martin Kosek) Date: Tue, 22 Feb 2011 13:42:46 +0100 Subject: [Freeipa-devel] [PATCH] 728 default roles In-Reply-To: <201102221314.52378.jzeleny@redhat.com> References: <4D5C977C.1020408@redhat.com> <20110221152544.GA7298@zeppelin.brq.redhat.com> <4D6289AA.8090500@redhat.com> <201102221314.52378.jzeleny@redhat.com> Message-ID: <1298378566.23580.13.camel@dhcp-25-52.brq.redhat.com> On Tue, 2011-02-22 at 13:14 +0100, Jan Zelen? wrote: > Rob Crittenden wrote: > > Jakub Hrozek wrote: > > > On Mon, Feb 21, 2011 at 10:11:38AM -0500, Rob Crittenden wrote: > > >> Rob Crittenden wrote: > > >>> Jakub Hrozek wrote: > > >>>> -----BEGIN PGP SIGNED MESSAGE----- > > >>>> Hash: SHA1 > > >>>> > > >>>> On 02/17/2011 04:35 AM, Rob Crittenden wrote: > > >>>>> Add default roles and permissions for HBAC, SUDO and pw policy > > >>>>> > > >>>>> Created some default roles as examples. In doing so I realized that > > >>>>> we were completely missing default rules for HBAC, SUDO and password > > >>>>> policy so I added those as well. > > >>>>> > > >>>>> I ran into a problem when the updater has a default record and an add > > >>>>> at the same time, it should handle it better now. > > >>>>> > > >>>>> ticket 585 > > >>>>> > > >>>>> rob > > >>>> > > >>>> I'm not sure about the HBAC rules ACIs. They are specified as: > > >>>> > > >>>> 'target = "ldap:///cn=*,cn=hbac,$SUFFIX"' > > >>>> > > >>>> while HBAC rules' DN is: > > >>>> > > >>>> 'ipauniqueid=*,cn=hbac,$SUFFIX'. > > >>>> > > >>>> But HBAC rules do have a cn: attribute, so maybe the ACIs would work? > > >>> > > >>> No, you're right, this is wrong. I'll fix it up and resubmit. > > >>> > > >>>> The patch also needs rebasing on top of recent changes to > > >>>> install/updates/Makefile.am > > >>>> > > >>>> Other than that, looks OK to me. > > >>>> > > >>>> btw when I was reviewing this patch, I noticed we add a "DNS > > >>>> Administrators" privilege in dns.ldif. 
Would it make sense to add DNS > > >>>> administration to "Security Architect" (replication management) and > > >>>> "IT Specialist" (hosts management)? > > >>> > > >>> The DNS stuff is added only if DNS is enabled on the server so I can't > > >>> add them by default. > > >>> > > >>> rob > > >> > > >> Updated patch. > > >> > > >> rob > > > > > > Interdiff looks fine, but I'm not able to apply the patch (not even > > > 3-way merge), can you rebase? > > > > done > > The patch now applies ok (just one whitespace warning), ack > > Jan > > _______________________________________________ > Freeipa-devel mailing list > Freeipa-devel at redhat.com > https://www.redhat.com/mailman/listinfo/freeipa-devel I have to NACK this. I have found some issues in the new LDAP records: 1) A wrong groupdn for the following ACI in 40-delegation.update: add:aci: '(target = "ldap:///cn=*,cn=sudorules,cn=sudo,$SUFFIX")(version 3.0;acl "permission:Add SUDO rule";allow (add) groupdn = "ldap:///cn=Add SUDOrule,cn=permissions,cn=pbac,$SUFFIX";)' It should be ldap:///cn=Add SUDO rule,cn=permissions,cn=pbac,$SUFFIX 2) Another wrong target for a few ACIs: ldap:///cn=*,cn=sudorules,cn=sudo,$SUFFIX is used instead of ldap:///ipaUniqueID=*,cn=sudorules,cn=sudo,$SUFFIX 3) Missing Description for the following new privileges: Write IPA Configuration Modify Users and Reset passwords Modify Group membership The remainder looks good. Martin From davido at redhat.com Tue Feb 22 12:48:42 2011
From: davido at redhat.com (David O'Brien) Date: Tue, 22 Feb 2011 22:48:42 +1000 Subject: [Freeipa-devel] [PATCH] 738 default.conf man page In-Reply-To: <4D62DFC2.9070308@redhat.com> References: <4D62DFC2.9070308@redhat.com> Message-ID: <4D63B0AA.6000708@redhat.com> Rob Crittenden wrote: > Add a man page for the IPA configuration file default.conf. > > ticket 969 > > rob > > NACK A few too many typos and other errors. "Spaces between the equals sign are ignored." Do you mean, "Spaces surrounding equals signs are ignored."? +Specifies the base DN to use when performan LDAP operations. performing +Specfies the secure CA agent port. The defauilt is 9443. Specifies default +Specifies the unsecure CA end user port. The default is 9190. insecure "For example. if you want to always perform client requests in verbose mode but do not want to have verbose enabled on the server add the verbose option to \fI/etc/ipa/cli.conf\fR." comma after "example", not a period. add a comma after "enabled on the server" +Specifies whether the CA is acting is an RA agent, as an RA agent "+Specifies the name of the CA backend to use. The current options are \fBselfsign\fR and \fBdogtag\fR. This is a server\-side setting. Changing this value is not recommended as the CA backend is only set up during ininitial installation." s/backend/back end/ s/selfsign/self-sign/ s/ininitial/initial/ +Specifies the kerberos realm. Kerberos "...and show the server(s) the client contacts." s/server(s)/servers/ +user IPA configurationf ile configuration file "+Optional configuration files used in a particular context are. The value of mode is used to attempt to load these files, if they exist:" I'm not sure what this means -- David O'Brien Red Hat Asia Pacific Pty Ltd +61 7 3514 8189 "He who asks is a fool for five minutes, but he who does not ask remains a fool forever." ~ Chinese proverb From rcritten at redhat.com Tue Feb 22 13:55:32 2011 
From: rcritten at redhat.com (Rob Crittenden) Date: Tue, 22 Feb 2011 08:55:32 -0500 Subject: [Freeipa-devel] [PATCH] 737 move BuildRequires In-Reply-To: <201102221034.35497.jzeleny@redhat.com> References: <4D62A9C8.7010404@redhat.com> <201102221034.35497.jzeleny@redhat.com> Message-ID: <4D63C054.3070704@redhat.com> Jan Zeleny wrote: > Rob Crittenden wrote: >> Move some BuildRequires so building with ONLY_CLIENT works. >> >> I tested with: >> >> $ mock -r fedora-14-x86_64 --define='ONLY_CLIENT 1' >> ./dist/srpms/freeipa-2.0.0GIT055a668-0.fc14.src.rpm >> >> rob > > I'm a little confused. Some of the lines are only moved a couple lines above > their original location (like python-ldap for instance). > > Does this really have an impact on building? The only three lines I understand > are those first three. > > Thanks for the explanation > > Jan I had already done a similar change in another spec I maintain and pulled them out one at a time until it built properly, thus I didn't maintain order. What this does is it pulls most of the requires out of the ! ONLY_CLIENT conditional. rob From rcritten at redhat.com Tue Feb 22 14:06:08 2011
From: rcritten at redhat.com (Rob Crittenden) Date: Tue, 22 Feb 2011 09:06:08 -0500 Subject: [Freeipa-devel] [PATCH] 737 move BuildRequires In-Reply-To: <201102221304.17403.jzeleny@redhat.com> References: <4D62A9C8.7010404@redhat.com> <20110222102141.GA25239@zeppelin.brq.redhat.com> <20110222103331.GB25239@zeppelin.brq.redhat.com> <201102221304.17403.jzeleny@redhat.com> Message-ID: <4D63C2D0.80603@redhat.com> Jan Zelený wrote: > Jakub Hrozek wrote: >> On Tue, Feb 22, 2011 at 11:21:41AM +0100, Jakub Hrozek wrote: >>> Note the %else. >> >> Sorry, %endif. That separates BRs for !ONLY_CLIENT from those that are >> needed in both cases. > > Yes, I noticed that and I understand that part. I meant the part after the > %endif - there is no need to move those dependencies. On the other hand it's > definitely not a patch-blocker or something, so I give this patch ACK. > > Jan pushed to master From rcritten at redhat.com Tue Feb 22 14:07:34 2011
From: rcritten at redhat.com (Rob Crittenden) Date: Tue, 22 Feb 2011 09:07:34 -0500 Subject: [Freeipa-devel] [PATCH] 735 configure krb5_realm in sssd ipa provider In-Reply-To: <20110222112150.GE25239@zeppelin.brq.redhat.com> References: <4D62845E.1020508@redhat.com> <20110221161132.GC7298@zeppelin.brq.redhat.com> <4D62930C.4060505@redhat.com> <20110222112150.GE25239@zeppelin.brq.redhat.com> Message-ID: <4D63C326.9070803@redhat.com> Jakub Hrozek wrote: > On Mon, Feb 21, 2011 at 11:30:04AM -0500, Rob Crittenden wrote: >> Jakub Hrozek wrote: >>> On Mon, Feb 21, 2011 at 10:27:26AM -0500, Rob Crittenden wrote: >>>> Set krb5_realm in sssd.conf in the ipa provider. >>>> >>>> ticket 925 >>>> >>>> rob >>> >>> This works fine, so Ack. >>> >>> One question, though, why don't we add the realm only if >>> ipa_domain.upper() != krb5_realm? It would make the config file a little >>> more readable for the 99% case where the two are the same. >> >> Sure. We can't assume that the realm is always upper case so I'll do >> a case insensitive match (I did lower by reflex). >> >> rob > > My sssd.conf is nice and minimal again, thank you :-) > > Ack pushed to master From rcritten at redhat.com Tue Feb 22 14:09:29 2011 
From: rcritten at redhat.com (Rob Crittenden) Date: Tue, 22 Feb 2011 09:09:29 -0500 Subject: [Freeipa-devel] [PATCH] 061 Validate NAPTR records In-Reply-To: <20110222104156.GC25239@zeppelin.brq.redhat.com> References: <4D5E63B4.3080505@redhat.com> <4D62AC5F.9090803@redhat.com> <20110222104156.GC25239@zeppelin.brq.redhat.com> Message-ID: <4D63C399.30008@redhat.com> Jakub Hrozek wrote: > On Mon, Feb 21, 2011 at 01:18:07PM -0500, Rob Crittenden wrote: >> Jakub Hrozek wrote: >>> -----BEGIN PGP SIGNED MESSAGE----- >>> Hash: SHA1 >>> >>> I'm not sure about checking the flags - this might be a little too much >>> validation. >>> >>> https://fedorahosted.org/freeipa/ticket/840 >> >> I think the flags length check needs to change. I would do this instead: >> >> flags = flags.replace('"','') >> >> Otherwise someone might try to pass in the flags 'SAU' and all that >> would get set is A. >> >> rob > > OK, that's much better. New patch attached. ack, pushed to master From rcritten at redhat.com Tue Feb 22 14:11:08 2011 From: rcritten at redhat.com (Rob Crittenden) Date: Tue, 22 Feb 2011 09:11:08 -0500 Subject: [Freeipa-devel] [PATCH] 736 hard limit for # of batch requests In-Reply-To: <1298365156.23580.1.camel@dhcp-25-52.brq.redhat.com> References: <4D629775.3010602@redhat.com> <1298365156.23580.1.camel@dhcp-25-52.brq.redhat.com> Message-ID: <4D63C3FC.3090502@redhat.com> Martin Kosek wrote: > On Mon, 2011-02-21 at 11:48 -0500, Rob Crittenden wrote: >> Set a hard limit of 256 for the # of commands in a batch request we'll >> handle. >> >> ticket 984 >> >> rob > > ACK. > > Works for me. Tested by custom JSON command via curl. > > Martin pushed to master From rcritten at redhat.com Tue Feb 22 14:16:49 2011 
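The NAPTR validator discussed in the thread above, as an added example written for this page rather than the code in the FreeIPA patch: it keeps the patch's rules (six fields, 16-bit order and preference, a single known flag) and applies Rob's point that the whole flags string must be checked so that "SAU" is rejected rather than truncated, but it tokenizes with shlex so that quoted <character-string> fields survive, and it accepts an empty flags field for non-terminal rules. The replacement-name pattern and the rule that regexp and replacement are alternatives are this example's reading of RFC 2915, and every sample record is constructed.

```python
"""Quote-aware NAPTR rdata validator (added example; not FreeIPA's _validate_naptr)."""
import re
import shlex

# RFC 2915 section 2 defines the flags "S", "A", "U" and "P" (case-insensitive).
# An empty flags field is legal and marks a non-terminal rule.
KNOWN_FLAGS = frozenset("SAUP")

# Assumption for this example: a replacement is either "." (no replacement) or a
# dotted name whose labels may begin with an underscore, e.g. _sip._udp.example.com.
_NAME_RE = re.compile(r"^(?:[A-Za-z0-9_][A-Za-z0-9_-]{0,62}\.?)+$")

FORMAT_ERROR = 'format must be "order preference flags service regexp replacement"'


def validate_naptr(naptr):
    """Return None if `naptr` is well-formed NAPTR rdata, otherwise an error string.

    The None-or-message return convention mirrors the ipalib validator style seen
    in the thread, minus the ugettext argument.
    """
    try:
        # shlex honours double quotes, so a quoted service or regexp containing
        # whitespace stays one field; str.split() would have broken it apart.
        fields = shlex.split(naptr)
    except ValueError:
        return 'unbalanced quotes in NAPTR record'
    if len(fields) != 6:
        return FORMAT_ERROR
    order, pref, flags, service, regexp, replacement = fields

    try:
        order, pref = int(order), int(pref)
    except ValueError:
        return 'order and preference must be integers'
    if not (0 <= order <= 65535 and 0 <= pref <= 65535):
        return 'order and preference must be between 0 and 65535'

    # Check every character of the flags field, not just the first one, so a
    # value like "SAU" is rejected instead of being silently reduced to one flag.
    unknown = sorted(set(flags.upper()) - KNOWN_FLAGS)
    if unknown:
        return 'unknown NAPTR flag(s): %s' % ''.join(unknown)
    if len(flags) > 1:
        return 'only one flag may be given'

    # Assumption: regexp and replacement are alternatives (RFC 2915 section 2);
    # a rule that rewrites with a regexp carries "." as its replacement.
    if replacement != '.' and not _NAME_RE.match(replacement):
        return 'replacement must be "." or a domain name'
    if regexp and replacement != '.':
        return 'regexp and replacement are mutually exclusive'
    return None


if __name__ == '__main__':
    # Constructed sample records, one per rule the validator enforces.
    samples = [
        '100 10 "u" "E2U+sip" "!^.*$!sip:info@example.com!" .',
        '100 50 "" "" "" _sip._udp.example.com.',
        '100 10 "SAU" "E2U+sip" "" example.com.',
        '100 10 "X" "" "" .',
        '70000 10 "s" "SIP+D2U" "" _sip._udp.example.com.',
        '100 10 "s" "SIP+D2U"',
        '100 10 "s',
    ]
    for record in samples:
        print('%-60s -> %s' % (record, validate_naptr(record) or 'ok'))
```

The `service` field is parsed but not constrained; a stricter validator could check it against the protocol/service grammar of RFC 2915, which is beyond what the thread discusses.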
From: rcritten at redhat.com (Rob Crittenden) Date: Tue, 22 Feb 2011 09:16:49 -0500 Subject: [Freeipa-devel] [PATCH] 738 default.conf man page In-Reply-To: <4D63B0AA.6000708@redhat.com> References: <4D62DFC2.9070308@redhat.com> <4D63B0AA.6000708@redhat.com> Message-ID: <4D63C551.6000509@redhat.com> David O'Brien wrote: > Rob Crittenden wrote: >> Add a man page for the IPA configuration file default.conf. >> >> ticket 969 >> >> rob >> >> > NACK > > A few too many typos and other errors. > > "Spaces between the equals sign are ignored." > Do you mean, "Spaces surrounding equals signs are ignored."? > > +Specifies the base DN to use when performan LDAP operations. > performing > > +Specfies the secure CA agent port. The defauilt is 9443. > Specifies > default > > +Specifies the unsecure CA end user port. The default is 9190. > insecure > > "For example. if you want to always perform client requests in verbose > mode but do not want to have verbose enabled on the server add the > verbose option to \fI/etc/ipa/cli.conf\fR." > comma after "example", not a period. > add a comma after "enabled on the server" > > +Specifies whether the CA is acting is an RA agent, > as an RA agent > > "+Specifies the name of the CA backend to use. The current options are > \fBselfsign\fR and \fBdogtag\fR. This is a server\-side setting. > Changing this value is not recommended as the CA backend is only set up > during ininitial installation." > s/backend/back end/ > s/selfsign/self-sign/ > s/ininitial/initial/ > > +Specifies the kerberos realm. > Kerberos > > "...and show the server(s) the client contacts." > s/server(s)/servers/ > > +user IPA configurationf ile > configuration file > > "+Optional configuration files used in a particular context are. The > value of mode is used to attempt to load these files, if they exist:" > I'm not sure what this means > > Fixes applied. rob -------------- next part -------------- A non-text attachment was scrubbed... 
Name: freeipa-rcrit-738-2-man.patch Type: application/mbox Size: 10326 bytes Desc: not available URL: From rcritten at redhat.com Tue Feb 22 14:22:07 2011 
From: rcritten at redhat.com (Rob Crittenden) Date: Tue, 22 Feb 2011 09:22:07 -0500 Subject: [Freeipa-devel] [PATCH] 728 default roles In-Reply-To: <1298378566.23580.13.camel@dhcp-25-52.brq.redhat.com> References: <4D5C977C.1020408@redhat.com> <20110221152544.GA7298@zeppelin.brq.redhat.com> <4D6289AA.8090500@redhat.com> <201102221314.52378.jzeleny@redhat.com> <1298378566.23580.13.camel@dhcp-25-52.brq.redhat.com> Message-ID: <4D63C68F.2060805@redhat.com> Martin Kosek wrote: > On Tue, 2011-02-22 at 13:14 +0100, Jan Zelen? wrote: >> Rob Crittenden wrote: >>> Jakub Hrozek wrote: >>>> On Mon, Feb 21, 2011 at 10:11:38AM -0500, Rob Crittenden wrote: >>>>> Rob Crittenden wrote: >>>>>> Jakub Hrozek wrote: >>>>>>> -----BEGIN PGP SIGNED MESSAGE----- >>>>>>> Hash: SHA1 >>>>>>> >>>>>>> On 02/17/2011 04:35 AM, Rob Crittenden wrote: >>>>>>>> Add default roles and permissions for HBAC, SUDO and pw policy >>>>>>>> >>>>>>>> Created some default roles as examples. In doing so I realized that >>>>>>>> we were completely missing default rules for HBAC, SUDO and password >>>>>>>> policy so I added those as well. >>>>>>>> >>>>>>>> I ran into a problem when the updater has a default record and an add >>>>>>>> at the same time, it should handle it better now. >>>>>>>> >>>>>>>> ticket 585 >>>>>>>> >>>>>>>> rob >>>>>>> >>>>>>> I'm not sure about the HBAC rules ACIs. They are specified as: >>>>>>> >>>>>>> 'target = "ldap:///cn=*,cn=hbac,$SUFFIX"' >>>>>>> >>>>>>> while HBAC rules' DN is: >>>>>>> >>>>>>> 'ipauniqueid=*,cn=hbac,$SUFFIX'. >>>>>>> >>>>>>> But HBAC rules do have a cn: attribute, so maybe the ACIs would work? >>>>>> >>>>>> No, you're right, this is wrong. I'll fix it up and resubmit. >>>>>> >>>>>>> The patch also needs rebasing on top of recent changes to >>>>>>> install/updates/Makefile.am >>>>>>> >>>>>>> Other than that, looks OK to me. >>>>>>> >>>>>>> btw when I was reviewing this patch, I noticed we add a "DNS >>>>>>> Administrators" privilege in dns.ldif. 
Would it make sense to add DNS >>>>>>> administration to "Security Architect" (replication management) and >>>>>>> "IT Specialist" (hosts management)? >>>>>> >>>>>> The DNS stuff is added only if DNS is enabled on the server so I can't >>>>>> add them by default. >>>>>> >>>>>> rob >>>>> >>>>> Updated patch. >>>>> >>>>> rob >>>> >>>> Interdiff looks fine, but I'm not able to apply the patch (not even >>>> 3-way merge), can you rebase? >>> >>> done >> >> The patch now applies ok (just one whitespace warning), ack >> >> Jan >> >> _______________________________________________ >> Freeipa-devel mailing list >> Freeipa-devel at redhat.com >> https://www.redhat.com/mailman/listinfo/freeipa-devel > > I have to NACK this. I have found some issues in the new LDAP records: > > 1) A wrong groupdn for the following ACI in 40-delegation.update: > add:aci: '(target = "ldap:///cn=*,cn=sudorules,cn=sudo,$SUFFIX")(version > 3.0;acl "permission:Add SUDO rule";allow (add) groupdn = "ldap:///cn=Add > SUDOrule,cn=permissions,cn=pbac,$SUFFIX";)' > > It should be dap:///cn=Add SUDO rule,cn=permissions,cn=pbac,$SUFFIX > > 2) Another wrong target for few ACIs: > ldap:///cn=*,cn=sudorules,cn=sudo,$SUFFIX > is used instead of > ldap:///ipaUniqueID=*,cn=sudorules,cn=sudo,$SUFFIX > > > 3) Missing Description for the following new privileges: > Write IPA Configuration > Modify Users and Reset passwords > Modify Group membership > > Remainder looks good. > > Martin Thanks for the careful review. Updated patch attached. rob -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-rcrit-728-4-roles.patch Type: application/mbox Size: 21249 bytes Desc: not available URL: From mkosek at redhat.com Tue Feb 22 14:35:24 2011 
From: mkosek at redhat.com (Martin Kosek) Date: Tue, 22 Feb 2011 15:35:24 +0100 Subject: [Freeipa-devel] [PATCH] 728 default roles In-Reply-To: <4D63C68F.2060805@redhat.com> References: <4D5C977C.1020408@redhat.com> <20110221152544.GA7298@zeppelin.brq.redhat.com> <4D6289AA.8090500@redhat.com> <201102221314.52378.jzeleny@redhat.com> <1298378566.23580.13.camel@dhcp-25-52.brq.redhat.com> <4D63C68F.2060805@redhat.com> Message-ID: <1298385324.23580.15.camel@dhcp-25-52.brq.redhat.com> On Tue, 2011-02-22 at 09:22 -0500, Rob Crittenden wrote: > Martin Kosek wrote: > > On Tue, 2011-02-22 at 13:14 +0100, Jan Zelen? wrote: > >> Rob Crittenden wrote: > >>> Jakub Hrozek wrote: > >>>> On Mon, Feb 21, 2011 at 10:11:38AM -0500, Rob Crittenden wrote: > >>>>> Rob Crittenden wrote: > >>>>>> Jakub Hrozek wrote: > >>>>>>> -----BEGIN PGP SIGNED MESSAGE----- > >>>>>>> Hash: SHA1 > >>>>>>> > >>>>>>> On 02/17/2011 04:35 AM, Rob Crittenden wrote: > >>>>>>>> Add default roles and permissions for HBAC, SUDO and pw policy > >>>>>>>> > >>>>>>>> Created some default roles as examples. In doing so I realized that > >>>>>>>> we were completely missing default rules for HBAC, SUDO and password > >>>>>>>> policy so I added those as well. > >>>>>>>> > >>>>>>>> I ran into a problem when the updater has a default record and an add > >>>>>>>> at the same time, it should handle it better now. > >>>>>>>> > >>>>>>>> ticket 585 > >>>>>>>> > >>>>>>>> rob > >>>>>>> > >>>>>>> I'm not sure about the HBAC rules ACIs. They are specified as: > >>>>>>> > >>>>>>> 'target = "ldap:///cn=*,cn=hbac,$SUFFIX"' > >>>>>>> > >>>>>>> while HBAC rules' DN is: > >>>>>>> > >>>>>>> 'ipauniqueid=*,cn=hbac,$SUFFIX'. > >>>>>>> > >>>>>>> But HBAC rules do have a cn: attribute, so maybe the ACIs would work? > >>>>>> > >>>>>> No, you're right, this is wrong. I'll fix it up and resubmit. 
> >>>>>> > >>>>>>> The patch also needs rebasing on top of recent changes to > >>>>>>> install/updates/Makefile.am > >>>>>>> > >>>>>>> Other than that, looks OK to me. > >>>>>>> > >>>>>>> btw when I was reviewing this patch, I noticed we add a "DNS > >>>>>>> Administrators" privilege in dns.ldif. Would it make sense to add DNS > >>>>>>> administration to "Security Architect" (replication management) and > >>>>>>> "IT Specialist" (hosts management)? > >>>>>> > >>>>>> The DNS stuff is added only if DNS is enabled on the server so I can't > >>>>>> add them by default. > >>>>>> > >>>>>> rob > >>>>> > >>>>> Updated patch. > >>>>> > >>>>> rob > >>>> > >>>> Interdiff looks fine, but I'm not able to apply the patch (not even > >>>> 3-way merge), can you rebase? > >>> > >>> done > >> > >> The patch now applies ok (just one whitespace warning), ack > >> > >> Jan > >> > >> _______________________________________________ > >> Freeipa-devel mailing list > >> Freeipa-devel at redhat.com > >> https://www.redhat.com/mailman/listinfo/freeipa-devel > > > > I have to NACK this. I have found some issues in the new LDAP records: > > > > 1) A wrong groupdn for the following ACI in 40-delegation.update: > > add:aci: '(target = "ldap:///cn=*,cn=sudorules,cn=sudo,$SUFFIX")(version > > 3.0;acl "permission:Add SUDO rule";allow (add) groupdn = "ldap:///cn=Add > > SUDOrule,cn=permissions,cn=pbac,$SUFFIX";)' > > > > It should be dap:///cn=Add SUDO rule,cn=permissions,cn=pbac,$SUFFIX > > > > 2) Another wrong target for few ACIs: > > ldap:///cn=*,cn=sudorules,cn=sudo,$SUFFIX > > is used instead of > > ldap:///ipaUniqueID=*,cn=sudorules,cn=sudo,$SUFFIX > > > > > > 3) Missing Description for the following new privileges: > > Write IPA Configuration > > Modify Users and Reset passwords > > Modify Group membership > > > > Remainder looks good. > > > > Martin > > Thanks for the careful review. Updated patch attached. > > rob Good job! Its OK now. 
ACK Martin From mkosek at redhat.com Tue Feb 22 14:46:15 2011 From: mkosek at redhat.com (Martin Kosek) Date: Tue, 22 Feb 2011 15:46:15 +0100 Subject: [Freeipa-devel] [PATCH] 034 Entitlements ACIs not visible to Permission plugin Message-ID: <1298385975.23580.16.camel@dhcp-25-52.brq.redhat.com> This patch fixes Entitlements privileges and ACIs. There were missing descriptions or the ACIs could not be processed by Permissino plugin because of missing prefix. https://fedorahosted.org/freeipa/ticket/997 -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-mkosek-034-entitlements-acis-not-visible-to-permission-plugin.patch Type: text/x-patch Size: 3348 bytes Desc: not available URL: From mkosek at redhat.com Tue Feb 22 14:50:57 2011 From: mkosek at redhat.com (Martin Kosek) Date: Tue, 22 Feb 2011 15:50:57 +0100 Subject: [Freeipa-devel] [PATCH] 034 Entitlements ACIs not visible to Permission plugin In-Reply-To: <1298385975.23580.16.camel@dhcp-25-52.brq.redhat.com> References: <1298385975.23580.16.camel@dhcp-25-52.brq.redhat.com> Message-ID: <1298386257.23580.20.camel@dhcp-25-52.brq.redhat.com> On Tue, 2011-02-22 at 15:46 +0100, Martin Kosek wrote: > This patch fixes Entitlements privileges and ACIs. There were > missing descriptions or the ACIs could not be processed by > Permissino plugin because of missing prefix. > > https://fedorahosted.org/freeipa/ticket/997 > I just want to add that this patch is built on top of Rob's patch "728 default roles". Attached is a patch with the typo in the commit message fixed. Martin -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-mkosek-034-02-entitlements-acis-not-visible-to-permission-plugin.patch Type: text/x-patch Size: 3348 bytes Desc: not available URL: From rcritten at redhat.com Tue Feb 22 15:02:37 2011
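A static check for the mistakes reported in Martin's NACK on patch 728 (an ACI target whose RDN attribute is not the one the entries are actually named by, and a groupdn naming a permission that does not exist) and for the missing "permission:" prefix that patch 034 above fixes, as an added example written for this page and not the project's updater or Permission plugin. The ACIs, the container-to-RDN table and the permission list are constructed samples modelled on the ones quoted in the thread; the target rule encodes the 389-ds behaviour the thread settles on, that a target is compared against the entry DN, so "cn=*" does not match an entry named by ipaUniqueID even when that entry also has a cn attribute.

```python
"""Lint ACI strings for the three problems discussed in the thread (added example)."""
import re

# Constructed sample ACIs modelled on the ones quoted in the thread; ACIS[0] and
# ACIS[2] reproduce the target and groupdn mistakes, ACIS[1] is the corrected form,
# ACIS[3] shows an acl name without the "permission:" prefix.
ACIS = [
    '(target = "ldap:///cn=*,cn=sudorules,cn=sudo,$SUFFIX")(version 3.0;'
    'acl "permission:Add SUDO rule";allow (add) '
    'groupdn = "ldap:///cn=Add SUDOrule,cn=permissions,cn=pbac,$SUFFIX";)',
    '(target = "ldap:///ipaUniqueID=*,cn=sudorules,cn=sudo,$SUFFIX")(version 3.0;'
    'acl "permission:Delete SUDO rule";allow (delete) '
    'groupdn = "ldap:///cn=Delete SUDO rule,cn=permissions,cn=pbac,$SUFFIX";)',
    '(target = "ldap:///cn=*,cn=hbac,$SUFFIX")(version 3.0;'
    'acl "permission:Add HBAC rule";allow (add) '
    'groupdn = "ldap:///cn=Add HBAC rule,cn=permissions,cn=pbac,$SUFFIX";)',
    '(targetattr = "description")(target = "ldap:///cn=entitlements,cn=etc,$SUFFIX")'
    '(version 3.0;acl "Write Entitlements";allow (write) '
    'groupdn = "ldap:///cn=Write Entitlements,cn=permissions,cn=pbac,$SUFFIX";)',
]

# Assumed table: which attribute forms the RDN of entries under each container.
# A 389-ds target is matched against the entry DN, so a "cn=*" target never
# matches an entry named "ipaUniqueID=...", even if the entry also has a cn.
ENTRY_RDN_ATTR = {
    'cn=sudorules,cn=sudo,$SUFFIX': 'ipauniqueid',
    'cn=hbac,$SUFFIX': 'ipauniqueid',
}

# Assumed permission entries under cn=permissions,cn=pbac,$SUFFIX.
PERMISSIONS = frozenset(['Add SUDO rule', 'Delete SUDO rule', 'Add HBAC rule',
                         'Write Entitlements'])

PERMISSION_PREFIX = 'permission:'
_ACL_RE = re.compile(r'acl\s+"([^"]+)"')
_TARGET_RE = re.compile(r'\(target\s*=\s*"ldap:///([^"]+)"\)')
_GROUPDN_RE = re.compile(
    r'groupdn\s*=\s*"ldap:///cn=([^,"]+),cn=permissions,cn=pbac,\$SUFFIX"')


def check_aci(aci, rdn_attrs=ENTRY_RDN_ATTR, permissions=PERMISSIONS):
    """Return a list of human-readable findings for one ACI string."""
    findings = []
    acl = _ACL_RE.search(aci)
    raw_name = acl.group(1) if acl else '<unnamed>'
    if raw_name.startswith(PERMISSION_PREFIX):
        name = raw_name[len(PERMISSION_PREFIX):]
    else:
        name = raw_name
        findings.append('%s: acl name lacks the "permission:" prefix the '
                        'Permission plugin looks for' % name)

    target = _TARGET_RE.search(aci)
    if target is None:
        findings.append('%s: no target clause' % name)
    else:
        # Split "attr=value,container" and compare the attribute, not the value.
        rdn, _, container = target.group(1).partition(',')
        attr = rdn.partition('=')[0].lower()
        expected = rdn_attrs.get(container)
        if expected is not None and attr != expected:
            findings.append('%s: target "%s" will not match entries under %s, '
                            'which are named by %s'
                            % (name, target.group(1), container, expected))

    groupdn = _GROUPDN_RE.search(aci)
    if groupdn is None:
        findings.append('%s: no permission groupdn clause' % name)
    elif groupdn.group(1) not in permissions:
        findings.append('%s: groupdn refers to permission "%s", which does not exist'
                        % (name, groupdn.group(1)))
    return findings


def check_acis(acis):
    """Run check_aci over every ACI and flatten the findings."""
    return [finding for aci in acis for finding in check_aci(aci)]


if __name__ == '__main__':
    for finding in check_acis(ACIS):
        print(finding)
```

This is a lint over the text of an update file, not an evaluation of the ACIs against a live directory; to run it on real files, the container table and permission list would have to be taken from the deployment, with $SUFFIX left as the same placeholder the update files use.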
From: rcritten at redhat.com (Rob Crittenden) Date: Tue, 22 Feb 2011 10:02:37 -0500 Subject: [Freeipa-devel] [PATCH] 728 default roles In-Reply-To: <1298385324.23580.15.camel@dhcp-25-52.brq.redhat.com> References: <4D5C977C.1020408@redhat.com> <20110221152544.GA7298@zeppelin.brq.redhat.com> <4D6289AA.8090500@redhat.com> <201102221314.52378.jzeleny@redhat.com> <1298378566.23580.13.camel@dhcp-25-52.brq.redhat.com> <4D63C68F.2060805@redhat.com> <1298385324.23580.15.camel@dhcp-25-52.brq.redhat.com> Message-ID: <4D63D00D.8080608@redhat.com> Martin Kosek wrote: > On Tue, 2011-02-22 at 09:22 -0500, Rob Crittenden wrote: >> Martin Kosek wrote: >>> On Tue, 2011-02-22 at 13:14 +0100, Jan Zelen? wrote: >>>> Rob Crittenden wrote: >>>>> Jakub Hrozek wrote: >>>>>> On Mon, Feb 21, 2011 at 10:11:38AM -0500, Rob Crittenden wrote: >>>>>>> Rob Crittenden wrote: >>>>>>>> Jakub Hrozek wrote: >>>>>>>>> -----BEGIN PGP SIGNED MESSAGE----- >>>>>>>>> Hash: SHA1 >>>>>>>>> >>>>>>>>> On 02/17/2011 04:35 AM, Rob Crittenden wrote: >>>>>>>>>> Add default roles and permissions for HBAC, SUDO and pw policy >>>>>>>>>> >>>>>>>>>> Created some default roles as examples. In doing so I realized that >>>>>>>>>> we were completely missing default rules for HBAC, SUDO and password >>>>>>>>>> policy so I added those as well. >>>>>>>>>> >>>>>>>>>> I ran into a problem when the updater has a default record and an add >>>>>>>>>> at the same time, it should handle it better now. >>>>>>>>>> >>>>>>>>>> ticket 585 >>>>>>>>>> >>>>>>>>>> rob >>>>>>>>> >>>>>>>>> I'm not sure about the HBAC rules ACIs. They are specified as: >>>>>>>>> >>>>>>>>> 'target = "ldap:///cn=*,cn=hbac,$SUFFIX"' >>>>>>>>> >>>>>>>>> while HBAC rules' DN is: >>>>>>>>> >>>>>>>>> 'ipauniqueid=*,cn=hbac,$SUFFIX'. >>>>>>>>> >>>>>>>>> But HBAC rules do have a cn: attribute, so maybe the ACIs would work? >>>>>>>> >>>>>>>> No, you're right, this is wrong. I'll fix it up and resubmit. 
>>>>>>>> >>>>>>>>> The patch also needs rebasing on top of recent changes to >>>>>>>>> install/updates/Makefile.am >>>>>>>>> >>>>>>>>> Other than that, looks OK to me. >>>>>>>>> >>>>>>>>> btw when I was reviewing this patch, I noticed we add a "DNS >>>>>>>>> Administrators" privilege in dns.ldif. Would it make sense to add DNS >>>>>>>>> administration to "Security Architect" (replication management) and >>>>>>>>> "IT Specialist" (hosts management)? >>>>>>>> >>>>>>>> The DNS stuff is added only if DNS is enabled on the server so I can't >>>>>>>> add them by default. >>>>>>>> >>>>>>>> rob >>>>>>> >>>>>>> Updated patch. >>>>>>> >>>>>>> rob >>>>>> >>>>>> Interdiff looks fine, but I'm not able to apply the patch (not even >>>>>> 3-way merge), can you rebase? >>>>> >>>>> done >>>> >>>> The patch now applies ok (just one whitespace warning), ack >>>> >>>> Jan >>>> >>>> _______________________________________________ >>>> Freeipa-devel mailing list >>>> Freeipa-devel at redhat.com >>>> https://www.redhat.com/mailman/listinfo/freeipa-devel >>> >>> I have to NACK this. I have found some issues in the new LDAP records: >>> >>> 1) A wrong groupdn for the following ACI in 40-delegation.update: >>> add:aci: '(target = "ldap:///cn=*,cn=sudorules,cn=sudo,$SUFFIX")(version >>> 3.0;acl "permission:Add SUDO rule";allow (add) groupdn = "ldap:///cn=Add >>> SUDOrule,cn=permissions,cn=pbac,$SUFFIX";)' >>> >>> It should be dap:///cn=Add SUDO rule,cn=permissions,cn=pbac,$SUFFIX >>> >>> 2) Another wrong target for few ACIs: >>> ldap:///cn=*,cn=sudorules,cn=sudo,$SUFFIX >>> is used instead of >>> ldap:///ipaUniqueID=*,cn=sudorules,cn=sudo,$SUFFIX >>> >>> >>> 3) Missing Description for the following new privileges: >>> Write IPA Configuration >>> Modify Users and Reset passwords >>> Modify Group membership >>> >>> Remainder looks good. >>> >>> Martin >> >> Thanks for the careful review. Updated patch attached. >> >> rob > > Good job! Its OK now. 
ACK > > Martin > pushed to master From rcritten at redhat.com Tue Feb 22 15:04:35 2011 From: rcritten at redhat.com (Rob Crittenden) Date: Tue, 22 Feb 2011 10:04:35 -0500 Subject: [Freeipa-devel] [PATCH] 034 Entitlements ACIs not visible to Permission plugin In-Reply-To: <1298385975.23580.16.camel@dhcp-25-52.brq.redhat.com> References: <1298385975.23580.16.camel@dhcp-25-52.brq.redhat.com> Message-ID: <4D63D083.9030701@redhat.com> Martin Kosek wrote: > This patch fixes Entitlements privileges and ACIs. There were > missing descriptions or the ACIs could not be processed by > Permission plugin because of missing prefix. > > https://fedorahosted.org/freeipa/ticket/997 ack, pushed to master From edewata at redhat.com Tue Feb 22 17:28:30 2011 From: edewata at redhat.com (Endi Sukma Dewata) Date: Tue, 22 Feb 2011 11:28:30 -0600 Subject: [Freeipa-devel] [PATCH] 112 I18n update for dialog box buttons. Message-ID: <4D63F23E.1070900@redhat.com> https://fedorahosted.org/freeipa/ticket/899 -- Endi S. Dewata -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-edewata-0112-I18n-update-for-dialog-box-buttons.patch Type: text/x-patch Size: 20208 bytes Desc: not available URL: From ayoung at redhat.com Tue Feb 22 18:20:01 2011 From: ayoung at redhat.com (Adam Young) Date: Tue, 22 Feb 2011 13:20:01 -0500 Subject: [Freeipa-devel] [PATCH] admiyo-0199-Net-group-to-Netgroup Message-ID: <4D63FE51.8090303@redhat.com> -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-admiyo-0199-Net-group-to-Netgroup.patch Type: text/x-patch Size: 732 bytes Desc: not available URL: From ayoung at redhat.com Tue Feb 22 18:21:34 2011 
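The two review findings on patch 728 in the thread above (Jakub's: a target of cn=*,cn=hbac,$SUFFIX cannot cover entries whose RDN is ipauniqueid=*, even though those entries carry a cn attribute; Martin's: the same target mistake for the sudo rules, plus a groupdn naming a permission group that does not exist) are the kind of error a plausible-looking ACI string hides until somebody exercises the permission. What follows is an added example, not FreeIPA code, of a small linter for update-file ACIs. It assumes a suffix of dc=example,dc=com, a simplified reading of the 389-ds target rules (RDNs compared pairwise, attribute types must agree, a value of * matches any value), and constructed sample entry and permission DNs.

```python
"""Lint ACI strings from a FreeIPA-style update file.

Added example, not FreeIPA code.  It mechanises two findings from the
review of patch 728: a target LDAP URL whose RDN attribute (cn=*) cannot
match the entries it is meant to cover (ipaUniqueID=*), and a groupdn that
names a permission group which does not exist.  DN matching is a simplified
reading of 389-ds target semantics (RDNs compared pairwise, attribute types
must agree case-insensitively, '*' matches any value); SUFFIX, the entry
DNs and the permission list below are constructed for the demonstration.
"""
import re

SUFFIX = "dc=example,dc=com"

TARGET_RE = re.compile(r'\(target\s*=\s*"ldap:///([^"]+)"\)')
GROUPDN_RE = re.compile(r'groupdn\s*=\s*"ldap:///([^"]+)"')
ACL_RE = re.compile(r'acl\s+"([^"]+)"')


def split_dn(dn):
    """Split a DN into (attr, value) pairs; assumes no escaped commas, which
    holds for every DN in the update files under review."""
    return [tuple(part.strip().split("=", 1)) for part in dn.split(",")]


def target_matches(target_dn, entry_dn):
    """True if entry_dn is covered by the target pattern."""
    target, entry = split_dn(target_dn), split_dn(entry_dn)
    if len(target) != len(entry):
        return False
    for (tattr, tval), (eattr, eval_) in zip(target, entry):
        if tattr.lower() != eattr.lower():
            return False            # cn=* can never cover ipaUniqueID=...
        if tval != "*" and tval.lower() != eval_.lower():
            return False
    return True


def lint_aci(aci, existing_entries, known_permissions):
    """Return a list of human-readable findings for one ACI string."""
    aci = aci.replace("$SUFFIX", SUFFIX)
    name = ACL_RE.search(aci)
    label = name.group(1) if name else "unnamed ACI"
    findings = []

    target = TARGET_RE.search(aci)
    if target is None:
        findings.append("%s: no target" % label)
    elif not any(target_matches(target.group(1), dn) for dn in existing_entries):
        findings.append("%s: target %s matches none of the entries it should cover"
                        % (label, target.group(1)))

    groupdn = GROUPDN_RE.search(aci)
    if groupdn is None:
        findings.append("%s: no groupdn" % label)
    elif groupdn.group(1).lower() not in {p.lower() for p in known_permissions}:
        findings.append("%s: groupdn %s does not exist, so nobody is ever granted"
                        % (label, groupdn.group(1)))
    return findings


# Constructed state of the directory: one sudo rule (RDN is ipaUniqueID, as
# Martin notes) and the permission group the ACI is supposed to reference.
SUDO_RULES = ["ipaUniqueID=00000000-0000-0000-0000-000000000001,cn=sudorules,cn=sudo," + SUFFIX]
PERMISSIONS = ["cn=Add SUDO rule,cn=permissions,cn=pbac," + SUFFIX]

# The ACI as Martin quoted it: wrong RDN attribute in the target, typo in groupdn.
BAD_ACI = ('(target = "ldap:///cn=*,cn=sudorules,cn=sudo,$SUFFIX")'
           '(version 3.0;acl "permission:Add SUDO rule";allow (add) groupdn = '
           '"ldap:///cn=Add SUDOrule,cn=permissions,cn=pbac,$SUFFIX";)')

# The same ACI with both corrections applied.
GOOD_ACI = ('(target = "ldap:///ipaUniqueID=*,cn=sudorules,cn=sudo,$SUFFIX")'
            '(version 3.0;acl "permission:Add SUDO rule";allow (add) groupdn = '
            '"ldap:///cn=Add SUDO rule,cn=permissions,cn=pbac,$SUFFIX";)')

if __name__ == "__main__":
    for aci in (BAD_ACI, GOOD_ACI):
        print(lint_aci(aci, SUDO_RULES, PERMISSIONS) or ["ok"])
```

Neither mistake fails loudly in the directory server: an ACI whose target matches no entry, or whose groupdn resolves to nothing, is accepted and simply never applies, so a permission that reads as granted in the update file is silently absent. A check like this, run over the update files against the entry DNs the plugins actually create, catches both findings before review.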
From: ayoung at redhat.com (Adam Young) Date: Tue, 22 Feb 2011 13:21:34 -0500 Subject: [Freeipa-devel] [PATCH] admiyo-0200-adder-dialogs-with-external Message-ID: <4D63FEAE.6060807@redhat.com> https://fedorahosted.org/freeipa/ticket/986 -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-admiyo-0200-adder-dialogs-with-external.patch Type: text/x-patch Size: 1096 bytes Desc: not available URL: From ayoung at redhat.com Tue Feb 22 18:22:02 2011 From: ayoung at redhat.com (Adam Young) Date: Tue, 22 Feb 2011 13:22:02 -0500 Subject: [Freeipa-devel] [PATCH] admiyo-0201-reorder-user-search-columns Message-ID: <4D63FECA.5080308@redhat.com> -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-admiyo-0201-reorder-user-search-columns.patch Type: text/x-patch Size: 962 bytes Desc: not available URL: From ayoung at redhat.com Tue Feb 22 18:23:07 2011 From: ayoung at redhat.com (Adam Young) Date: Tue, 22 Feb 2011 13:23:07 -0500 Subject: [Freeipa-devel] [PATCH] admiyo-0202-move-expand-and-collapse-all-to-the-right-hand-side Message-ID: <4D63FF0B.1000209@redhat.com> -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-admiyo-0202-move-expand-and-collpase-all-to-the-right-hand-side.patch Type: text/x-patch Size: 1504 bytes Desc: not available URL: From ayoung at redhat.com Tue Feb 22 18:23:48 2011 From: ayoung at redhat.com (Adam Young) Date: Tue, 22 Feb 2011 13:23:48 -0500 Subject: [Freeipa-devel] [PATCH] admiyo-0203-Space-above-line-in-table-footer. Message-ID: <4D63FF34.2000401@redhat.com> -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-admiyo-0203-Space-above-line-in-table-footer.patch Type: text/x-patch Size: 694 bytes Desc: not available URL: From ayoung at redhat.com Tue Feb 22 18:25:44 2011 
From: ayoung at redhat.com (Adam Young) Date: Tue, 22 Feb 2011 13:25:44 -0500 Subject: [Freeipa-devel] [PATCH] 111 Fixed error dialog box. In-Reply-To: <4D62E739.5070506@redhat.com> References: <4D62E739.5070506@redhat.com> Message-ID: <4D63FFA8.5070206@redhat.com> On 02/21/2011 05:29 PM, Endi Sukma Dewata wrote: > The IPA.cmd() has been modified to set the error dialog box's title > properly. > > > _______________________________________________ > Freeipa-devel mailing list > Freeipa-devel at redhat.com > https://www.redhat.com/mailman/listinfo/freeipa-devel ACK. Pushed to master -------------- next part -------------- An HTML attachment was scrubbed... URL: From ayoung at redhat.com Tue Feb 22 18:35:23 2011 From: ayoung at redhat.com (Adam Young) Date: Tue, 22 Feb 2011 13:35:23 -0500 Subject: [Freeipa-devel] [PATCH] 112 I18n update for dialog box buttons. In-Reply-To: <4D63F23E.1070900@redhat.com> References: <4D63F23E.1070900@redhat.com> Message-ID: <4D6401EB.6080207@redhat.com> On 02/22/2011 12:28 PM, Endi Sukma Dewata wrote: > https://fedorahosted.org/freeipa/ticket/899 > > > _______________________________________________ > Freeipa-devel mailing list > Freeipa-devel at redhat.com > https://www.redhat.com/mailman/listinfo/freeipa-devel ACK. Pushed to master -------------- next part -------------- An HTML attachment was scrubbed... URL: From rcritten at redhat.com Tue Feb 22 18:38:11 2011 From: rcritten at redhat.com (Rob Crittenden) Date: Tue, 22 Feb 2011 13:38:11 -0500 Subject: [Freeipa-devel] [PATCH] 739 update permission help text Message-ID: <4D640293.1080200@redhat.com> Based on feedback from David here is a hopefully clearer description of permissions. ticket 996 rob -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-rcrit-739-permission.patch Type: application/mbox Size: 10326 bytes Desc: not available URL: From jzeleny at redhat.com Tue Feb 22 18:59:10 2011 
From: jzeleny at redhat.com (Jan Zelený) Date: Tue, 22 Feb 2011 19:59:10 +0100 Subject: [Freeipa-devel] [PATCH] Don't load the LDAP schema during startup In-Reply-To: <4D62B603.8080604@redhat.com> References: <201102151524.59018.jzeleny@redhat.com> <4D62B603.8080604@redhat.com> Message-ID: <201102221959.10520.jzeleny@redhat.com> Rob Crittenden wrote: > Jan Zelený wrote: > > Loading of the schema is now performed in the first request that requires > > it. > > > > https://fedorahosted.org/freeipa/ticket/583 > > > > Jan > > We still need to enforce that we get the schema, some low-level > functions depend on it. Also, if the UI doesn't get its aciattrs (which > are derived from the schema) then nothing will be editable. > > I'm getting this backtrace if I force no schema by disabling get_schema: Ok, I'm sending a new version, it should handle these exceptions better and the operation should fail if it needs the schema and the schema is not available for some reason. -- Thank you Jan Zeleny Red Hat Software Engineer Brno, Czech Republic -------------- next part -------------- A non-text attachment was scrubbed... Name: jzeleny-freeipa-0041-2-Don-t-load-the-LDAP-schema-during-startup.patch Type: text/x-patch Size: 10758 bytes Desc: not available URL: From rcritten at redhat.com Tue Feb 22 19:16:01 2011 
From: rcritten at redhat.com (Rob Crittenden) Date: Tue, 22 Feb 2011 14:16:01 -0500 Subject: [Freeipa-devel] Localization patches. In-Reply-To: <4D5E4B36.1010805@redhat.com> References: <4D5BEEDC.5050902@redhat.com> <4D5C9F5D.1090706@redhat.com> <4D5D7C29.2020102@redhat.com> <4D5D9888.6010603@redhat.com> <4D5E4B36.1010805@redhat.com> Message-ID: <4D640B71.7080304@redhat.com> Pavel Zůna wrote: > On 2011-02-17 22:52, Rob Crittenden wrote: >> Pavel Zůna wrote: >>> On 2011-02-17 05:09, Rob Crittenden wrote: >>>> Pavel Zůna wrote: >>>>> My efforts in fixing localization all around the framework and >>>>> preparing >>>>> it for localizing docstrings have resulted in a lot of patches. >>>>> Because >>>>> I understand they have become a bit hard to track, I decided to post >>>>> them all together in this thread to make review easier. >>>>> >>>>> After this is committed, there will be one more patch that switches >>>>> xgettext for pygettext. Then hopefully, we'll be pretty much set >>>>> when it >>>>> comes to i18n. >>>>> >>>>> Pavel >>>> >>>> Patch 81 isn't applying for me. >>>> >>>> Help is not working for me either, this is due to patch 80. 
>>>> >>>> $ ipa help user >>>> ipa: ERROR: NameError: global name '_' is not defined >>>> Traceback (most recent call last): >>>> File "/home/rcrit/redhat/freeipa-version/ipalib/cli.py", line 1087, in >>>> run >>>> api.finalize() >>>> File "/home/rcrit/redhat/freeipa-version/ipalib/plugable.py", line 619, >>>> in finalize >>>> plugin_iter(base, (magic[k] for k in magic)) >>>> File "/home/rcrit/redhat/freeipa-version/ipalib/base.py", line 397, in >>>> __init__ >>>> sorted(members, key=lambda m: getattr(m, name_attr)) >>>> File "/home/rcrit/redhat/freeipa-version/ipalib/plugable.py", line 608, >>>> in plugin_iter >>>> plugins[klass] = PluginInstance(klass) >>>> File "/home/rcrit/redhat/freeipa-version/ipalib/plugable.py", line 585, >>>> in __init__ >>>> self.instance = klass() >>>> File "/home/rcrit/redhat/freeipa-version/ipalib/plugable.py", line 184, >>>> in __init__ >>>> self.doc = _(inspect.getdoc(cls)) >>>> NameError: global name '_' is not defined >>>> ipa: ERROR: an internal error has occurred >>>> >>>> Patches 69, 71 and 73 are still working fine. >>>> >>>> What is switching from xgettext to pygettext going to do? >>> >>> This was answered by John Dennis: xgettext doesn't parse python >>> docstrings. >>> >>>> >>>> rob >>> >>> Rebased version of 81 attached. It should also fix the traceback you're >>> getting. >>> >>> Pavel >> >> Something is still not working. 
I'm having a hard time reproducing how I >> got this but with LANG=es_US.UTF-8 for a while I was getting this with >> every ipa user-* request: >> >> ipa: ERROR: UnicodeEncodeError: 'ascii' codec can't encode character >> u'\xf1' in position 20: ordinal not in range(128) >> Traceback (most recent call last): >> File "/home/rcrit/redhat/freeipa-version/ipalib/cli.py", line 1090, in >> run >> sys.exit(api.Backend.cli.run(argv)) >> File "/home/rcrit/redhat/freeipa-version/ipalib/cli.py", line 917, in run >> rv = cmd.output_for_cli(self.api.Backend.textui, result, *args, >> **options) >> File "/home/rcrit/redhat/freeipa-version/ipalib/frontend.py", line 953, >> in output_for_cli >> textui.print_entries(result, order, labels, flags, print_all) >> File "/home/rcrit/redhat/freeipa-version/ipalib/cli.py", line 346, in >> print_entries >> self.print_entry(entry, order, labels, flags, print_all, format, indent) >> File "/home/rcrit/redhat/freeipa-version/ipalib/cli.py", line 378, in >> print_entry >> label, value, format, indent, one_value_per_line >> File "/home/rcrit/redhat/freeipa-version/ipalib/cli.py", line 309, in >> print_attribute >> self.print_indented(format % (attr, text[0]), indent) >> File "/home/rcrit/redhat/freeipa-version/ipalib/cli.py", line 232, in >> print_indented >> print (CLI_TAB * indent + text) >> UnicodeEncodeError: 'ascii' codec can't encode character u'\xf1' in >> position 20: ordinal not in range(128) >> ipa: ERROR: ha ocurrido un error interno >> >> I think it is blowing up on this user: >> >> User login: jose >> First name: Jose >> Last name: contraseñas >> Home directory: /home/jose >> Login shell: /bin/sh >> Account disabled: TRUE >> Member of groups: ipausers >> >> Then all of a sudden things started working fine, so I'm not sure what's >> going on. >> >> Is this traceback meaningful to you? >> >> rob > > This looks like a bug in the textui backend. 
> > You get this error when you do something like this: > > >>> a = u'\xf1' > >>> a.decode('utf-8') > Traceback (most recent call last): > File "", line 1, in > File "/usr/lib/python2.6/encodings/utf_8.py", line 16, in decode > return codecs.utf_8_decode(input, errors, True) > UnicodeEncodeError: 'ascii' codec can't encode character u'\xf1' in > position 0: ordinal not in range(128) > > It means we're not handling encoding/decoding from/to the CLI right > somewhere. > > The character \xf1 corresponds to the small N with tilde in Jose's last > name. > > I'm going to look into it, but I don't think it's related to the > localization patches. > > Pavel I'm seeing 2 test failures: ====================================================================== FAIL: Test the `ipalib.plugable.Plugin.__init__` method. ---------------------------------------------------------------------- Traceback (most recent call last): File "/usr/lib/python2.7/site-packages/nose/case.py", line 186, in runTest self.test(*self.arg) File "/home/rcrit/redhat/freeipa-tests/tests/test_ipalib/test_plugable.py", line 237, in test_init assert o.summary == 'Do sub-classy things.' AssertionError ====================================================================== FAIL: Test gettext translation ---------------------------------------------------------------------- Traceback (most recent call last): File "/usr/lib/python2.7/site-packages/nose/case.py", line 186, in runTest self.test(*self.arg) File "/home/rcrit/redhat/freeipa-tests/tests/test_ipalib/test_text.py", line 122, in test_gettext assert(translated[0] != prefix) AssertionError patch 81 is probably going to need a rebase. I was able to get it applied with a 3-way merge and one conflict in internal.py. rob From edewata at redhat.com Tue Feb 22 20:00:01 2011 
From: edewata at redhat.com (Endi Sukma Dewata) Date: Tue, 22 Feb 2011 14:00:01 -0600 Subject: [Freeipa-devel] [PATCH] admiyo-0199-Net-group-to-Netgroup In-Reply-To: <4D63FE51.8090303@redhat.com> References: <4D63FE51.8090303@redhat.com> Message-ID: <4D6415C1.8080906@redhat.com> On 2/22/2011 12:20 PM, Adam Young wrote: > ACK and pushed to master. -- Endi S. Dewata From edewata at redhat.com Tue Feb 22 20:00:48 2011 From: edewata at redhat.com (Endi Sukma Dewata) Date: Tue, 22 Feb 2011 14:00:48 -0600 Subject: [Freeipa-devel] [PATCH] admiyo-0200-adder-dialogs-with-external In-Reply-To: <4D63FEAE.6060807@redhat.com> References: <4D63FEAE.6060807@redhat.com> Message-ID: <4D6415F0.4080208@redhat.com> On 2/22/2011 12:21 PM, Adam Young wrote: > https://fedorahosted.org/freeipa/ticket/986 ACK and pushed to master. -- Endi S. Dewata From edewata at redhat.com Tue Feb 22 20:01:06 2011 From: edewata at redhat.com (Endi Sukma Dewata) Date: Tue, 22 Feb 2011 14:01:06 -0600 Subject: [Freeipa-devel] [PATCH] admiyo-0201-reorder-user-search-columns In-Reply-To: <4D63FECA.5080308@redhat.com> References: <4D63FECA.5080308@redhat.com> Message-ID: <4D641602.7030502@redhat.com> On 2/22/2011 12:22 PM, Adam Young wrote: > ACK and pushed to master. -- Endi S. Dewata From edewata at redhat.com Tue Feb 22 20:01:20 2011 From: edewata at redhat.com (Endi Sukma Dewata) Date: Tue, 22 Feb 2011 14:01:20 -0600 Subject: [Freeipa-devel] [PATCH] admiyo-0202-move-expand-and-collapse-all-to-the-right-hand-side In-Reply-To: <4D63FF0B.1000209@redhat.com> References: <4D63FF0B.1000209@redhat.com> Message-ID: <4D641610.1070106@redhat.com> On 2/22/2011 12:23 PM, Adam Young wrote: > ACK and pushed to master. -- Endi S. Dewata From edewata at redhat.com Tue Feb 22 20:01:36 2011 
From: edewata at redhat.com (Endi Sukma Dewata) Date: Tue, 22 Feb 2011 14:01:36 -0600 Subject: [Freeipa-devel] [PATCH] admiyo-0203-Space-above-line-in-table-footer. In-Reply-To: <4D63FF34.2000401@redhat.com> References: <4D63FF34.2000401@redhat.com> Message-ID: <4D641620.9020106@redhat.com> On 2/22/2011 12:23 PM, Adam Young wrote: > ACK and pushed to master. -- Endi S. Dewata From jhrozek at redhat.com Tue Feb 22 20:08:59 2011 From: jhrozek at redhat.com (Jakub Hrozek) Date: Tue, 22 Feb 2011 21:08:59 +0100 Subject: [Freeipa-devel] [PATCH] 739 update permission help text In-Reply-To: <4D640293.1080200@redhat.com> References: <4D640293.1080200@redhat.com> Message-ID: <20110222200859.GA25025@zeppelin.brq.redhat.com> On Tue, Feb 22, 2011 at 01:38:11PM -0500, Rob Crittenden wrote: > Based on feedback from David here is a hopefully clearer description > of permissions. > > ticket 996 > > rob I think you sent a wrong patch, this is the default.conf manpage one. From rcritten at redhat.com Tue Feb 22 20:14:56 2011 
From: rcritten at redhat.com (Rob Crittenden) Date: Tue, 22 Feb 2011 15:14:56 -0500 Subject: [Freeipa-devel] [PATCH] Don't load the LDAP schema during startup In-Reply-To: <201102221959.10520.jzeleny@redhat.com> References: <201102151524.59018.jzeleny@redhat.com> <4D62B603.8080604@redhat.com> <201102221959.10520.jzeleny@redhat.com> Message-ID: <4D641940.5030504@redhat.com> Jan Zelený wrote: > Rob Crittenden wrote: >> Jan Zelený wrote: >>> Loading of the schema is now performed in the first request that requires >>> it. >>> >>> https://fedorahosted.org/freeipa/ticket/583 >>> >>> Jan >> >> We still need to enforce that we get the schema, some low-level >> functions depend on it. Also, if the UI doesn't get its aciattrs (which >> are derived from the schema) then nothing will be editable. >> >> I'm getting this backtrace if I force no schema by disabling get_schema: > > Ok, I'm sending new version, it should handle these exceptions better and the > operation should fail if it needs the schema and the schema is not available > for some reason. > This breaks the XML-RPC server. I fixed one problem: --- a/ipaserver/plugins/ldap2.py +++ b/ipaserver/plugins/ldap2.py @@ -253,9 +253,10 @@ class ldap2(CrudBackend, Encoder): def get_syntax(self, attr, value): if not self.schema: - self.schema = get_schema(self.ldap_uri, self.conn) - if not self.schema: + schema = get_schema(self.ldap_uri, self.conn) + if not schema: return None + object.__setattr__(self, 'schema', schema) obj = self.schema.get_obj(_ldap.schema.AttributeType, attr) if obj is not None: return obj.syntax But simply things like get_entry() return an InternalError now. I'm not sure where you were going by adding this. rob From rcritten at redhat.com Tue Feb 22 20:24:01 2011 
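Review bot: the lazy load in this get_syntax() hunk repairs only this one caller, while the same message reports that get_entry() still ends in an InternalError, so the fetch-and-cache step should live in one helper that every consumer of self.schema calls before touching it, rather than being open-coded per method; that helper should also raise a specific, named error when get_schema() returns nothing instead of falling through to `return None`, since the earlier review says low-level functions depend on the schema and a None here surfaces far from its cause. The `object.__setattr__(self, 'schema', schema)` line needs a one-line comment saying why plain assignment is being bypassed, or the next reader will revert it to `self.schema = schema` and reintroduce whatever that workaround avoids.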
From: rcritten at redhat.com (Rob Crittenden) Date: Tue, 22 Feb 2011 15:24:01 -0500 Subject: [Freeipa-devel] [PATCH] 739 update permission help text In-Reply-To: <20110222200859.GA25025@zeppelin.brq.redhat.com> References: <4D640293.1080200@redhat.com> <20110222200859.GA25025@zeppelin.brq.redhat.com> Message-ID: <4D641B61.3050309@redhat.com> Jakub Hrozek wrote: > On Tue, Feb 22, 2011 at 01:38:11PM -0500, Rob Crittenden wrote: >> Based on feedback from David here is a hopefully clearer description >> of permissions. >> >> ticket 996 >> >> rob > > I think you sent a wrong patch, this is the default.conf manpage one. D'oh, here you go. rob -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-rcrit-739-permission.patch Type: application/mbox Size: 1263 bytes Desc: not available URL: From jhrozek at redhat.com Tue Feb 22 21:04:59 2011 From: jhrozek at redhat.com (Jakub Hrozek) Date: Tue, 22 Feb 2011 22:04:59 +0100 Subject: [Freeipa-devel] [PATCH] 739 update permission help text In-Reply-To: <4D641B61.3050309@redhat.com> References: <4D640293.1080200@redhat.com> <20110222200859.GA25025@zeppelin.brq.redhat.com> <4D641B61.3050309@redhat.com> Message-ID: <20110222210459.GB25025@zeppelin.brq.redhat.com> On Tue, Feb 22, 2011 at 03:24:01PM -0500, Rob Crittenden wrote: > Jakub Hrozek wrote: > >On Tue, Feb 22, 2011 at 01:38:11PM -0500, Rob Crittenden wrote: > >>Based on feedback from David here is a hopefully clearer description > >>of permissions. > >> > >>ticket 996 > >> > >>rob > > > >I think you sent a wrong patch, this is the default.conf manpage one. > > D'oh, here you go. > > rob I agree with the changes, but now I realized that davido mentioned "privilege" not "permission". The privilege docstring contains the same errors as permission, can you also copy the changes into ipalib/plugins/privilege.py ? From jhrozek at redhat.com Tue Feb 22 21:22:03 2011 
From: jhrozek at redhat.com (Jakub Hrozek) Date: Tue, 22 Feb 2011 22:22:03 +0100 Subject: [Freeipa-devel] Localization patches. In-Reply-To: <4D640B71.7080304@redhat.com> References: <4D5BEEDC.5050902@redhat.com> <4D5C9F5D.1090706@redhat.com> <4D5D7C29.2020102@redhat.com> <4D5D9888.6010603@redhat.com> <4D5E4B36.1010805@redhat.com> <4D640B71.7080304@redhat.com> Message-ID: <20110222212203.GC25025@zeppelin.brq.redhat.com> On Tue, Feb 22, 2011 at 02:16:01PM -0500, Rob Crittenden wrote: > Pavel Zůna wrote: > >On 2011-02-17 22:52, Rob Crittenden wrote: > >>Pavel Zůna wrote: > >>>On 2011-02-17 05:09, Rob Crittenden wrote: > >>>>Pavel Zůna wrote: > >>>>>My efforts in fixing localization all around the framework and > >>>>>preparing > >>>>>it for localizing docstrings have resulted in a lot of patches. > >>>>>Because > >>>>>I understand they have become a bit hard to track, I decided to post > >>>>>them all together in this thread to make review easier. > >>>>> > >>>>>After this is committed, there will be one more patch that switches > >>>>>xgettext for pygettext. Then hopefully, we'll be pretty much set > >>>>>when it > >>>>>comes to i18n. > >>>>> > >>>>>Pavel > >>>> > >>>>Patch 81 isn't applying for me. > >>>> > >>>>Help is not working for me either, this is due to patch 80. 
> >>>> > >>>>$ ipa help user > >>>>ipa: ERROR: NameError: global name '_' is not defined > >>>>Traceback (most recent call last): > >>>>File "/home/rcrit/redhat/freeipa-version/ipalib/cli.py", line 1087, in > >>>>run > >>>>api.finalize() > >>>>File "/home/rcrit/redhat/freeipa-version/ipalib/plugable.py", line 619, > >>>>in finalize > >>>>plugin_iter(base, (magic[k] for k in magic)) > >>>>File "/home/rcrit/redhat/freeipa-version/ipalib/base.py", line 397, in > >>>>__init__ > >>>>sorted(members, key=lambda m: getattr(m, name_attr)) > >>>>File "/home/rcrit/redhat/freeipa-version/ipalib/plugable.py", line 608, > >>>>in plugin_iter > >>>>plugins[klass] = PluginInstance(klass) > >>>>File "/home/rcrit/redhat/freeipa-version/ipalib/plugable.py", line 585, > >>>>in __init__ > >>>>self.instance = klass() > >>>>File "/home/rcrit/redhat/freeipa-version/ipalib/plugable.py", line 184, > >>>>in __init__ > >>>>self.doc = _(inspect.getdoc(cls)) > >>>>NameError: global name '_' is not defined > >>>>ipa: ERROR: an internal error has occurred > >>>> > >>>>Patches 69, 71 and 73 are still working fine. > >>>> > >>>>What is switching from xgettext to pygettext going to do? > >>> > >>>This was answered by John Dennis: xgettext doesn't parse python > >>>docstrings. > >>> > >>>> > >>>>rob > >>> > >>>Rebased version of 81 attached. It should also fix the traceback you're > >>>getting. > >>> > >>>Pavel > >> > >>Something is still not working. 
I'm having a hard time reproducing how I > >>got this but with LANG=es_US.UTF-8 for a while I was getting this with > >>every ipa user-* request: > >> > >>ipa: ERROR: UnicodeEncodeError: 'ascii' codec can't encode character > >>u'\xf1' in position 20: ordinal not in range(128) > >>Traceback (most recent call last): > >>File "/home/rcrit/redhat/freeipa-version/ipalib/cli.py", line 1090, in > >>run > >>sys.exit(api.Backend.cli.run(argv)) > >>File "/home/rcrit/redhat/freeipa-version/ipalib/cli.py", line 917, in run > >>rv = cmd.output_for_cli(self.api.Backend.textui, result, *args, > >>**options) > >>File "/home/rcrit/redhat/freeipa-version/ipalib/frontend.py", line 953, > >>in output_for_cli > >>textui.print_entries(result, order, labels, flags, print_all) > >>File "/home/rcrit/redhat/freeipa-version/ipalib/cli.py", line 346, in > >>print_entries > >>self.print_entry(entry, order, labels, flags, print_all, format, indent) > >>File "/home/rcrit/redhat/freeipa-version/ipalib/cli.py", line 378, in > >>print_entry > >>label, value, format, indent, one_value_per_line > >>File "/home/rcrit/redhat/freeipa-version/ipalib/cli.py", line 309, in > >>print_attribute > >>self.print_indented(format % (attr, text[0]), indent) > >>File "/home/rcrit/redhat/freeipa-version/ipalib/cli.py", line 232, in > >>print_indented > >>print (CLI_TAB * indent + text) > >>UnicodeEncodeError: 'ascii' codec can't encode character u'\xf1' in > >>position 20: ordinal not in range(128) > >>ipa: ERROR: ha ocurrido un error interno > >> > >>I think it is blowing up on this user: > >> > >>User login: jose > >>First name: Jose > >>Last name: contraseñas > >>Home directory: /home/jose > >>Login shell: /bin/sh > >>Account disabled: TRUE > >>Member of groups: ipausers > >> > >>Then all of a sudden things started working fine, so I'm not sure what's > >>going on. > >> > >>Is this traceback meaningful to you? > >> > >>rob > > > >This looks like a bug in the textui backend. 
> > > >You get this error when you do something like this: > > > > >>> a = u'\xf1' > > >>> a.decode('utf-8') > >Traceback (most recent call last): > >File "", line 1, in > >File "/usr/lib/python2.6/encodings/utf_8.py", line 16, in decode > >return codecs.utf_8_decode(input, errors, True) > >UnicodeEncodeError: 'ascii' codec can't encode character u'\xf1' in > >position 0: ordinal not in range(128) > > > >It means we're not handling encoding/decoding from/to the CLI right > >somewhere. > > > >The character \xf1 corresponds to the small N with tilde in Jose's last > >name. > > > >I'm going to look into it, but I don't think it's related to the > >localization patches. > > > >Pavel > > I'm seeing 2 test failures: > > > ====================================================================== > FAIL: Test the `ipalib.plugable.Plugin.__init__` method. > ---------------------------------------------------------------------- > Traceback (most recent call last): > File "/usr/lib/python2.7/site-packages/nose/case.py", line 186, in > runTest > self.test(*self.arg) > File "/home/rcrit/redhat/freeipa-tests/tests/test_ipalib/test_plugable.py", > line 237, in test_init > assert o.summary == 'Do sub-classy things.' > AssertionError > > ====================================================================== > FAIL: Test gettext translation > ---------------------------------------------------------------------- > Traceback (most recent call last): > File "/usr/lib/python2.7/site-packages/nose/case.py", line 186, in > runTest > self.test(*self.arg) > File > "/home/rcrit/redhat/freeipa-tests/tests/test_ipalib/test_text.py", > line 122, in test_gettext > assert(translated[0] != prefix) > AssertionError > > patch 81 is probably going to need a rebase. I was able to get it > applied with a 3-way merge and one conflict in internal.py. > > rob > Also please update API.txt From rcritten at redhat.com Tue Feb 22 21:25:48 2011 
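Rob's UnicodeEncodeError and Pavel's diagnosis, quoted in this reply and in Rob's own message further up the thread, describe one defect from two sides. Under a locale where stdout is ASCII, print() encodes the unicode attribute value with the strict default codec and raises on ñ; and in Python 2, calling .decode() on a unicode object first encodes it with ASCII, which is why Pavel's one-line reproduction reports an encode error from a decode call. The point for a CLI that prints directory data is that the value is not the admin's to choose: one user whose surname carries a non-ASCII character makes every ipa user-* command fail for every admin with that locale. The following is an added example, not FreeIPA code, written for Python 3 with the thread's CLI_TAB convention; the ASCII-only stream is a constructed stand-in for a terminal under LANG=C. It shows the naive write failing and a replacement that encodes explicitly with an escape policy.

```python
"""Write directory attribute values to a text stream without crashing on
characters the stream's encoding cannot represent.

Added example, not FreeIPA code.  It reproduces the failure in Rob's
traceback (a surname containing U+00F1 printed to an ASCII-only stdout)
under Python 3 and shows the fix: encode explicitly for the stream's
encoding with a lossless escape policy instead of letting the default
strict encoder raise.  CLI_TAB mirrors the constant in the traceback; the
ASCII-only stream is a constructed stand-in for a terminal under LANG=C.
"""
import io

CLI_TAB = "  "


def naive_print_indented(stream, text, indent=1):
    """The shape of the code in the traceback: trust the stream to encode.
    On an ASCII stream this raises UnicodeEncodeError for any non-ASCII value."""
    stream.write(CLI_TAB * indent + text + "\n")
    stream.flush()


def render(text, encoding):
    """Encode text for an output encoding, escaping what it cannot carry.

    'backslashreplace' keeps the output unambiguous (the admin can still see
    which character was there) and never raises, unlike the strict default.
    """
    return text.encode(encoding, errors="backslashreplace").decode(encoding)


def print_indented(stream, text, indent=1):
    """Drop-in replacement that survives any stream encoding."""
    encoding = getattr(stream, "encoding", None) or "utf-8"
    stream.write(CLI_TAB * indent + render(text, encoding) + "\n")
    stream.flush()


def ascii_stream():
    """Constructed stand-in for stdout under a C/POSIX locale: strict ASCII."""
    return io.TextIOWrapper(io.BytesIO(), encoding="ascii", errors="strict")


def demo():
    """Return (naive_write_failed, line_written_by_the_fixed_version)."""
    last_name = "contrase\u00f1as"        # the value in Rob's user entry
    failed = False
    try:
        naive_print_indented(ascii_stream(), "Last name: " + last_name)
    except UnicodeEncodeError:
        failed = True
    out = ascii_stream()
    print_indented(out, "Last name: " + last_name)
    out.seek(0)
    return failed, out.read().rstrip("\n")


if __name__ == "__main__":
    failed, line = demo()
    print("naive write raised UnicodeEncodeError:", failed)
    print("fixed write produced:", line)
```

The escape policy is a deliberate choice over errors="replace": a question mark hides which character was lost, whereas a backslash escape keeps the output reversible, which matters when the printed value is an identifier an admin will copy into the next command.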
From: rcritten at redhat.com (Rob Crittenden) Date: Tue, 22 Feb 2011 16:25:48 -0500 Subject: [Freeipa-devel] [PATCH] 739 update permission help text In-Reply-To: <20110222210459.GB25025@zeppelin.brq.redhat.com> References: <4D640293.1080200@redhat.com> <20110222200859.GA25025@zeppelin.brq.redhat.com> <4D641B61.3050309@redhat.com> <20110222210459.GB25025@zeppelin.brq.redhat.com> Message-ID: <4D6429DC.1060100@redhat.com> Jakub Hrozek wrote: > On Tue, Feb 22, 2011 at 03:24:01PM -0500, Rob Crittenden wrote: >> Jakub Hrozek wrote: >>> On Tue, Feb 22, 2011 at 01:38:11PM -0500, Rob Crittenden wrote: >>>> Based on feedback from David here is a hopefully clearer description >>>> of permissions. >>>> >>>> ticket 996 >>>> >>>> rob >>> >>> I think you sent a wrong patch, this is the default.conf manpage one. >> >> D'oh, here you go. >> >> rob > > I agree with the changes, but now I realized that davido mentioned > "privilege" not "permission". The privilege docstring contains the same > errors as permission, can you also copy the changes into > ipalib/plugins/privilege.py ? Good idea, updated patch attached. rob -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-rcrit-739-2-permission.patch Type: application/mbox Size: 2505 bytes Desc: not available URL: From jhrozek at redhat.com Tue Feb 22 21:34:05 2011 
From: jhrozek at redhat.com (Jakub Hrozek) Date: Tue, 22 Feb 2011 22:34:05 +0100 Subject: [Freeipa-devel] [PATCH] Use pygettext to generate translatable strings from plugin files. In-Reply-To: <4D6280DF.7020005@redhat.com> References: <4D6280DF.7020005@redhat.com> Message-ID: <20110222213404.GD25025@zeppelin.brq.redhat.com> On Mon, Feb 21, 2011 at 04:12:31PM +0100, Pavel Zůna wrote: > This goes on top of my other localization patches! > > This patch replaces xgettext with a custom pygettext to generate > translatable strings from plugin files in ipalib/plugins. pygettext > was modified to handle plural forms (credit goes to Jan Hendrik > Goellner) and had some bugs fixed by myself. We only use it for > plugins, because it's the only place where we need to extract > docstrings for the built-in help system. > > I also had to make some changes to the way the built-in > documentation system gets docstrings from modules for this to work. > > How to test? > ============ > > 1) > First, apply all of the localization patches found in thread > "Localization patches" on freeipa-devel. Then apply this patch. > > 2) > Regenerate your install/po/Makefile: > - delete install/po/Makefile > - run `./configure` in install > > 3) > Regenerate the pot and po files: > - run `make update-pot` in install/po > - run `make update-po` in install/po I noticed that none of the .po files is regenerated when we run make dist. Is that intentional? I think that all the released tarballs should contain up-to-date translations. > > 4) > Make a change to one of the translations: > - example: add translation to the ACI docstring > * find docstring for ACI in install/po/es.po > * change the corresponding msgstr "" to > msgstr "\nBuenos dias, amigos!\n" > > Note: if the translatable string begins with \n, the translation > also needs to begin with \n. Same goes for ending. 
> > 5) > Install the modified translations: > - run `make install` in install/po > > Note: I had some problems with this and had to make rpms and install > IPA from beginning for it to work. Looks like doing `make install` > manually updates /usr/local/share/locale instead of > /usr/share/locale, but maybe I just did something wrong. > ./configure --datadir=/usr/share My buildscript contains a variation of "rpm -E %configure". From ayoung at redhat.com Tue Feb 22 21:48:21 2011 From: ayoung at redhat.com (Adam Young) Date: Tue, 22 Feb 2011 16:48:21 -0500 Subject: [Freeipa-devel] [PATCH] admiyo-0204-split-logo Message-ID: <4D642F25.7050006@redhat.com> -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-admiyo-0204-split-logo.patch Type: text/x-patch Size: 8177 bytes Desc: not available URL: From edewata at redhat.com Tue Feb 22 22:13:38 2011 From: edewata at redhat.com (Endi Sukma Dewata) Date: Tue, 22 Feb 2011 16:13:38 -0600 Subject: [Freeipa-devel] [PATCH] admiyo-0204-split-logo In-Reply-To: <4D642F25.7050006@redhat.com> References: <4D642F25.7050006@redhat.com> Message-ID: <4D643512.1040303@redhat.com> On 2/22/2011 3:48 PM, Adam Young wrote: > ACK and pushed to master. -- Endi S. Dewata From edewata at redhat.com Tue Feb 22 23:18:18 2011 From: edewata at redhat.com (Endi Sukma Dewata) Date: Tue, 22 Feb 2011 17:18:18 -0600 Subject: [Freeipa-devel] [PATCH] 113 Fixed buttons for DNS records. Message-ID: <4D64443A.6060007@redhat.com> The order of the Add and Delete buttons has been reversed to be consistent with those in other facets. -- Endi S. Dewata -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-edewata-0113-Fixed-buttons-for-DNS-records.patch Type: text/x-patch Size: 1417 bytes Desc: not available URL: From davido at redhat.com Wed Feb 23 01:23:59 2011 
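Pavel's test steps above end with a rule that is easy to break by hand: if the msgid begins or ends with \n, the msgstr must too, or the docstring layout in the built-in help comes out wrong. Plural forms, which the modified pygettext now extracts, add a second trap: a %-format directive present in the msgid but missing or renamed in one plural form, which in Python fails at format time rather than at build time. gettext's msgfmt has checks of this kind; the following is an added example, not part of FreeIPA or of the pygettext patch, that applies the same two checks to a constructed .po fragment so the failures can be seen without a FreeIPA tree.

```python
"""Consistency checks for gettext .po entries.

Added example code, not part of FreeIPA or of the pygettext patch.  It
parses the subset of .po syntax that extracted docstrings use (msgid,
msgid_plural, msgstr, msgstr[n], multi-line strings, comments) and flags
two translation errors: a leading or trailing newline present in only one
of msgid/msgstr, and Python %-format directives that differ between them.
The .po text at the bottom is constructed for the demonstration.
"""
import re

# keyword (absent on continuation lines) followed by one quoted string
_LINE_RE = re.compile(r'^(msgid_plural|msgid|msgstr(?:\[\d+\])?)?\s*"(.*)"\s*$')
# Python %-directives with optional mapping key, flags, width and precision
_FMT_RE = re.compile(r'%(?:\([^)]*\))?[-+ #0]*\d*(?:\.\d+)?[sdifrxXouceEgG]')


def _unescape(s):
    """Resolve the C-style escapes .po strings use (backslash-n, backslash-t,
    escaped quote, escaped backslash)."""
    out, i = [], 0
    while i < len(s):
        if s[i] == "\\" and i + 1 < len(s):
            out.append({"n": "\n", "t": "\t"}.get(s[i + 1], s[i + 1]))
            i += 2
        else:
            out.append(s[i])
            i += 1
    return "".join(out)


def parse_po(text):
    """Return a list of entries; each is a dict keyed by msgid/msgstr[...]."""
    entries, cur, key = [], {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:                       # a blank line ends an entry
            if cur:
                entries.append(cur)
            cur, key = {}, None
            continue
        if line.startswith("#"):           # translator/reference comments
            continue
        m = _LINE_RE.match(line)
        if not m:
            raise ValueError("unparseable .po line: %r" % raw)
        kw, val = m.group(1), _unescape(m.group(2))
        if kw:
            key = kw
            cur[key] = val
        elif key:
            cur[key] += val                # continuation of the previous string
    if cur:
        entries.append(cur)
    return entries


def check_entry(entry):
    """Return findings for one entry; the header (empty msgid) is skipped."""
    msgid = entry.get("msgid", "")
    findings = []
    if msgid == "":
        return findings
    for k in sorted(k for k in entry if k.startswith("msgstr")):
        msgstr = entry[k]
        if msgstr == "":                   # untranslated; nothing to compare
            continue
        # singular forms compare against msgid, later plural forms against msgid_plural
        if k in ("msgstr", "msgstr[0]") or "msgid_plural" not in entry:
            ref_name = "msgid"
        else:
            ref_name = "msgid_plural"
        ref = entry[ref_name]
        if ref.startswith("\n") != msgstr.startswith("\n"):
            findings.append("%s: leading newline differs from %s" % (k, ref_name))
        if ref.endswith("\n") != msgstr.endswith("\n"):
            findings.append("%s: trailing newline differs from %s" % (k, ref_name))
        if sorted(_FMT_RE.findall(ref)) != sorted(_FMT_RE.findall(msgstr)):
            findings.append("%s: format directives differ from %s" % (k, ref_name))
    return findings


def lint_po(text):
    """Map each offending msgid to its findings."""
    report = {}
    for entry in parse_po(text):
        findings = check_entry(entry)
        if findings:
            report[entry["msgid"]] = findings
    return report


# Constructed fragment: one correct docstring translation, one that dropped
# the surrounding newlines, and a plural whose second form lost the mapping key.
SAMPLE_PO = r'''
msgid ""
msgstr ""
"Content-Type: text/plain; charset=UTF-8\n"

#: ipalib/plugins/aci.py:1
msgid ""
"\n"
"Manage ACIs.\n"
msgstr ""
"\n"
"Buenos dias, amigos!\n"

#: ipalib/plugins/user.py:1
msgid ""
"\n"
"Manage users.\n"
msgstr "Gestionar usuarios."

#: ipalib/plugins/user.py:2
msgid "%(count)d user matched"
msgid_plural "%(count)d users matched"
msgstr[0] "%(count)d usuario coincide"
msgstr[1] "%d usuarios coinciden"
'''

if __name__ == "__main__":
    for msgid, findings in lint_po(SAMPLE_PO).items():
        print(repr(msgid), findings)
```

The format-directive check is the one with security weight: a translated string is interpolated with the same arguments as the original, so a translation that introduces, drops or renames a %-directive turns a message catalogue, which translators edit without code review, into a source of runtime exceptions in the server.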
From: davido at redhat.com (David O'Brien) Date: Wed, 23 Feb 2011 11:23:59 +1000 Subject: [Freeipa-devel] [PATCH] 738 default.conf man page In-Reply-To: <4D63C551.6000509@redhat.com> References: <4D62DFC2.9070308@redhat.com> <4D63B0AA.6000708@redhat.com> <4D63C551.6000509@redhat.com> Message-ID: <4D6461AF.6030009@redhat.com> Rob Crittenden wrote: > David O'Brien wrote: >> Rob Crittenden wrote: >>> Add a man page for the IPA configuration file default.conf. >>> >>> ticket 969 >>> >>> rob >>> >>> >> NACK >> >> A few too many typos and other errors. >> >> "Spaces between the equals sign are ignored." >> Do you mean, "Spaces surrounding equals signs are ignored."? >> >> +Specifies the base DN to use when performan LDAP operations. >> performing >> >> +Specfies the secure CA agent port. The defauilt is 9443. >> Specifies >> default >> >> +Specifies the unsecure CA end user port. The default is 9190. >> insecure >> >> "For example. if you want to always perform client requests in verbose >> mode but do not want to have verbose enabled on the server add the >> verbose option to \fI/etc/ipa/cli.conf\fR." >> comma after "example", not a period. >> add a comma after "enabled on the server" >> >> +Specifies whether the CA is acting is an RA agent, >> as an RA agent >> >> "+Specifies the name of the CA backend to use. The current options are >> \fBselfsign\fR and \fBdogtag\fR. This is a server\-side setting. >> Changing this value is not recommended as the CA backend is only set up >> during ininitial installation." >> s/backend/back end/ >> s/selfsign/self-sign/ >> s/ininitial/initial/ >> >> +Specifies the kerberos realm. >> Kerberos >> >> "...and show the server(s) the client contacts." >> s/server(s)/servers/ >> >> +user IPA configurationf ile >> configuration file >> >> "+Optional configuration files used in a particular context are. The >> value of mode is used to attempt to load these files, if they exist:" >> I'm not sure what this means >> >> > > Fixes applied. 
> > rob +Specfies the secure CA agent port. The default is 9443. Specifies "Changing this value is not recommended as the CA backend is only set up during initial installation." s/backend/back end/ "+Optional configuration files used in a particular context are. The value of the context setting (\fBcli\fR or \fBserver\fR) is used to attempt to load these files, if they exist:" I still don't understand this. Bear in mind that I'm reading the raw patch; I haven't applied it or tried to format this as a man page. Maybe that would help. Everything else is fine. ACK with those couple of fixes. /dob -- David O'Brien Red Hat Asia Pacific Pty Ltd +61 7 3514 8189 "He who asks is a fool for five minutes, but he who does not ask remains a fool forever." ~ Chinese proverb From davido at redhat.com Wed Feb 23 01:34:12 2011 
From: davido at redhat.com (David O'Brien) Date: Wed, 23 Feb 2011 11:34:12 +1000 Subject: [Freeipa-devel] [PATCH] 739 update permission help text In-Reply-To: <4D6429DC.1060100@redhat.com> References: <4D640293.1080200@redhat.com> <20110222200859.GA25025@zeppelin.brq.redhat.com> <4D641B61.3050309@redhat.com> <20110222210459.GB25025@zeppelin.brq.redhat.com> <4D6429DC.1060100@redhat.com> Message-ID: <4D646414.1020803@redhat.com> Rob Crittenden wrote: > Jakub Hrozek wrote: >> On Tue, Feb 22, 2011 at 03:24:01PM -0500, Rob Crittenden wrote: >>> Jakub Hrozek wrote: >>>> On Tue, Feb 22, 2011 at 01:38:11PM -0500, Rob Crittenden wrote: >>>>> Based on feedback from David here is a hopefully clearer description >>>>> of permissions. >>>>> >>>>> ticket 996 >>>>> >>>>> rob >>>> >>>> I think you sent a wrong patch, this is the default.conf manpage one. >>> >>> D'oh, here you go. >>> >>> rob >> >> I agree with the changes, but now I realized that davido mentioned >> "privilege" not "permission". The privilege docstring contains the same >> errors as permission, can you also copy the changes into >> ipalib/plugins/privilege.py ? > > Good idea, updated patch attached. > > rob > This is heaps better. ACK -- David O'Brien Red Hat Asia Pacific Pty Ltd +61 7 3514 8189 "He who asks is a fool for five minutes, but he who does not ask remains a fool forever." ~ Chinese proverb From JR.Aquino at citrix.com Wed Feb 23 03:45:11 2011 
From: JR.Aquino at citrix.com (JR Aquino) Date: Wed, 23 Feb 2011 03:45:11 +0000 Subject: [Freeipa-devel] [PATCH] 20 Create default disabled sudo bind user Message-ID: This patch addresses ticket #998 It adds: * ldif to create a default sudo bind user: dn: uid=sudo,cn=sysaccounts,cn=etc,$SUFFIX * modifications to dsinstance.py to add the ldif * modifications to dsinstance.py to add a call to ipautil.ipa_generate_password() for a random password. It is added to the sub_dict as 'RANDOM_PASSWORD' * addition to the Makefile.am in install/share to account for the new ldif file Documentation to follow will include: the method of enabling the user with: * LDAPTLS_CACERT=/etc/ipa/ca.crt /usr/bin/ldappasswd -S -W -h ipa.example.com -ZZ -D "cn=Directory Manager" uid=sudo,cn=sysaccounts,cn=etc,dc=example,dc=com * Configuring nss_ldap.conf for using this user as the binddn * Help file for the ipa sudo command to reference the user and the written documentation. -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-jraquino-0020-Create-default-disabled-sudo-bind-user.patch Type: application/octet-stream Size: 3414 bytes Desc: freeipa-jraquino-0020-Create-default-disabled-sudo-bind-user.patch URL: From jzeleny at redhat.com Wed Feb 23 08:02:26 2011
From: jzeleny at redhat.com (Jan Zelený) Date: Wed, 23 Feb 2011 09:02:26 +0100 Subject: [Freeipa-devel] [PATCH] Don't load the LDAP schema during startup In-Reply-To: <4D641940.5030504@redhat.com> References: <201102151524.59018.jzeleny@redhat.com> <201102221959.10520.jzeleny@redhat.com> <4D641940.5030504@redhat.com> Message-ID: <201102230902.26969.jzeleny@redhat.com> Rob Crittenden wrote: > Jan Zelený wrote: > > Rob Crittenden wrote: > >> Jan Zelený wrote: > >>> Loading of the schema is now performed in the first request that > >>> requires it. > >>> > >>> https://fedorahosted.org/freeipa/ticket/583 > >>> > >>> Jan > >> > >> We still need to enforce that we get the schema, some low-level > >> functions depend on it. Also, if the UI doesn't get its aciattrs (which > >> are derived from the schema) then nothing will be editable. > > > >> I'm getting this backtrace if I force no schema by disabling get_schema: > > Ok, I'm sending new version, it should handle these exceptions better and > > the operation should fail if it needs the schema and the schema is not > > available for some reason. > > This breaks the XML-RPC server. I fixed one problem: > --- a/ipaserver/plugins/ldap2.py > +++ b/ipaserver/plugins/ldap2.py 
> @@ -253,9 +253,10 @@ class ldap2(CrudBackend, Encoder): > > def get_syntax(self, attr, value): > if not self.schema: > - self.schema = get_schema(self.ldap_uri, self.conn) > - if not self.schema: > + schema = get_schema(self.ldap_uri, self.conn) > + if not schema: > return None > + object.__setattr__(self, 'schema', schema) > obj = self.schema.get_obj(_ldap.schema.AttributeType, attr) > if obj is not None: > return obj.syntax > > But simply things like get_entry() return an InternalError now. I'm not > sure where you were going by adding this. > > rob Ok, no problem. It's possible that I simply made a mistake thinking I can do something in Python that is not really possible. About that InternalError: I think raising InternalError when we cannot load the schema to do the decoding is the right thing to do. Do you have a better solution? I thought about returning an empty result, but that would mean we have to check the result in every function that is calling them and raising InternalError there. -- Thank you Jan Zeleny Red Hat Software Engineer Brno, Czech Republic From jzeleny at redhat.com Wed Feb 23 10:16:38 2011
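Review bot: in the `if not schema: return None` path of get_syntax() nothing is cached, so every later call repeats the get_schema() round trip against the server and every caller has to cope with a None syntax; decide once at that point (log the failure and either cache the negative result or raise) instead of retrying on each attribute lookup. The `object.__setattr__(self, 'schema', schema)` line bypasses whatever `__setattr__` the plugin class defines, which is presumably why the plain `self.schema = ...` assignment it replaces was not sticking; a one-line comment saying so would spare the next reader the same confusion.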
From: jzeleny at redhat.com (Jan Zelený) Date: Wed, 23 Feb 2011 11:16:38 +0100 Subject: [Freeipa-devel] [PATCH] Don't load the LDAP schema during startup In-Reply-To: <201102230902.26969.jzeleny@redhat.com> References: <201102151524.59018.jzeleny@redhat.com> <4D641940.5030504@redhat.com> <201102230902.26969.jzeleny@redhat.com> Message-ID: <201102231116.38989.jzeleny@redhat.com> Jan Zelený wrote: > Rob Crittenden wrote: > > Jan Zelený wrote: > > > Rob Crittenden wrote: > > >> Jan Zelený wrote: > > >>> Loading of the schema is now performed in the first request that > > >>> requires it. > > >>> > > >>> https://fedorahosted.org/freeipa/ticket/583 > > >>> > > >>> Jan > > >> > > >> We still need to enforce that we get the schema, some low-level > > >> functions depend on it. Also, if the UI doesn't get its aciattrs > > >> (which are derived from the schema) then nothing will be editable. > > > > > >> I'm getting this backtrace if I force no schema by disabling get_schema: > > > Ok, I'm sending new version, it should handle these exceptions better > > > and the operation should fail if it needs the schema and the schema is > > > not available for some reason. > > > > This breaks the XML-RPC server. I fixed one problem: > > --- a/ipaserver/plugins/ldap2.py > > +++ b/ipaserver/plugins/ldap2.py 
> > > > @@ -253,9 +253,10 @@ class ldap2(CrudBackend, Encoder): > > def get_syntax(self, attr, value): > > if not self.schema: > > - self.schema = get_schema(self.ldap_uri, self.conn) > > - if not self.schema: > > + schema = get_schema(self.ldap_uri, self.conn) > > > > + if not schema: > > return None > > > > + object.__setattr__(self, 'schema', schema) > > > > obj = self.schema.get_obj(_ldap.schema.AttributeType, attr) > > > > if obj is not None: > > return obj.syntax > > > > But simply things like get_entry() return an InternalError now. I'm not > > sure where you were going by adding this. > > > > rob > > Ok, no problem. It's possible that I simply made a mistake thinking I can do > something in Python that is not really possible. > > About that InternalError: I think raising InternalError when we cannot load > the schema to do the decoding is the right thing to do. Do you have a > better solution? I thought about returning an empty result, but that would > mean we have to check the result in every function that is calling them > and raising InternalError there. I'm sending an updated patch. I modified the get_syntax() as you suggested and I slightly modified raising that InternalError - currently it isn't raised when results from get_entry() are not required by the calling method. Currently I'm running some tests, preliminary results looked ok. -- Thank you Jan Zeleny Red Hat Software Engineer Brno, Czech Republic -------------- next part -------------- A non-text attachment was scrubbed... Name: jzeleny-freeipa-0041-3-Don-t-load-the-LDAP-schema-during-startup.patch Type: text/x-patch Size: 17376 bytes Desc: not available URL: From jhrozek at redhat.com Wed Feb 23 11:50:33 2011
From: jhrozek at redhat.com (Jakub Hrozek) Date: Wed, 23 Feb 2011 12:50:33 +0100 Subject: [Freeipa-devel] [PATCH] 065 Replace only if old and new have nothing in common Message-ID: <4D64F489.7050305@redhat.com> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 https://fedorahosted.org/freeipa/ticket/1000 I hope this doesn't break anything..my testing went OK. I've seen some unit test failures (group tests, for instance), but they don't seem to be related. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.11 (GNU/Linux) Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org/ iEYEARECAAYFAk1k9IkACgkQHsardTLnvCUh/ACfbV10+PZJiLfThJufBlxEB9Ww ZicAnj1wzu7JKQxUHjiopc753x5oog21 =LB3i -----END PGP SIGNATURE----- -------------- next part -------------- A non-text attachment was scrubbed... Name: jhrozek-freeipa-065-replace.patch Type: text/x-patch Size: 931 bytes Desc: not available URL: -------------- next part -------------- A non-text attachment was scrubbed... Name: jhrozek-freeipa-065-replace.patch.sig Type: application/pgp-signature Size: 72 bytes Desc: not available URL: From jzeleny at redhat.com Wed Feb 23 13:24:52 2011 
From: jzeleny at redhat.com (Jan Zeleny) Date: Wed, 23 Feb 2011 14:24:52 +0100 Subject: [Freeipa-devel] [PATCH] Don't load the LDAP schema during startup In-Reply-To: <201102231116.38989.jzeleny@redhat.com> References: <201102151524.59018.jzeleny@redhat.com> <201102230902.26969.jzeleny@redhat.com> <201102231116.38989.jzeleny@redhat.com> Message-ID: <201102231424.52464.jzeleny@redhat.com> Jan Zelený wrote: > Jan Zelený wrote: > > Rob Crittenden wrote: > > > Jan Zelený wrote: > > > > Rob Crittenden wrote: > > > >> Jan Zelený wrote: > > > >>> Loading of the schema is now performed in the first request that > > > >>> requires it. > > > >>> > > > >>> https://fedorahosted.org/freeipa/ticket/583 > > > >>> > > > >>> Jan > > > >> > > > >> We still need to enforce that we get the schema, some low-level > > > >> functions depend on it. Also, if the UI doesn't get its aciattrs > > > >> (which are derived from the schema) then nothing will be editable. > > > >> > > > >> I'm getting this backtrace if I force no schema by disabling > > get_schema: > > > > Ok, I'm sending new version, it should handle these exceptions better > > > > and the operation should fail if it needs the schema and the schema > > > > is not available for some reason. > > > > > > This breaks the XML-RPC server. I fixed one problem: > > > --- a/ipaserver/plugins/ldap2.py > > > +++ b/ipaserver/plugins/ldap2.py 
> > > > > > @@ -253,9 +253,10 @@ class ldap2(CrudBackend, Encoder): > > > def get_syntax(self, attr, value): > > > if not self.schema: > > > - self.schema = get_schema(self.ldap_uri, self.conn) > > > - if not self.schema: > > > + schema = get_schema(self.ldap_uri, self.conn) > > > > > > + if not schema: > > > return None > > > > > > + object.__setattr__(self, 'schema', schema) > > > > > > obj = self.schema.get_obj(_ldap.schema.AttributeType, attr) > > > > > > if obj is not None: > > > return obj.syntax > > > > > > But simply things like get_entry() return an InternalError now. I'm not > > > sure where you were going by adding this. > > > > > > rob > > > > Ok, no problem. It's possible that I simply made a mistake thinking I can > > do something in Python that is not really possible. > > > > About that InternalError: I think raising InternalError when we cannot > > load the schema to do the decoding is the right thing to do. Do you have > > a better solution? I thought about returning an empty result, but that > > would mean we have to check the result in every function that is > > calling them and raising InternalError there. > > I'm sending an updated patch. I modified the get_syntax() as you suggested and > I slightly modified raising that InternalError - currently it isn't raised > when results from get_entry() are not required by the calling method. > Currently I'm running some tests, preliminary results looked ok. Self-NACK. I discovered some issues found by the internal test suite, I'm working on them. Jan From rcritten at redhat.com Wed Feb 23 15:47:27 2011
From: rcritten at redhat.com (Rob Crittenden) Date: Wed, 23 Feb 2011 10:47:27 -0500 Subject: [Freeipa-devel] [PATCH] 065 Replace only if old and new have nothing in common In-Reply-To: <4D64F489.7050305@redhat.com> References: <4D64F489.7050305@redhat.com> Message-ID: <4D652C0F.8090606@redhat.com> Jakub Hrozek wrote: > Replace only if old and new have nothing in common > This has problems when removing the last member. There are no adds, rems has a single value (the member being removed). The intersection is 0 so force_replace gets set to True and nothing ends up getting done. I added a len(v) > 0 to this conditional and it seems to work. I also added a small test case based on Endi's initial report. I'm getting a 100% test pass rate. rob -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-rcrit-740-replace.patch Type: application/mbox Size: 8387 bytes Desc: not available URL: From ayoung at redhat.com Wed Feb 23 16:19:06 2011 From: ayoung at redhat.com (Adam Young) Date: Wed, 23 Feb 2011 11:19:06 -0500 Subject: [Freeipa-devel] [PATCH] 113 Fixed buttons for DNS records. In-Reply-To: <4D64443A.6060007@redhat.com> References: <4D64443A.6060007@redhat.com> Message-ID: <4D65337A.3000101@redhat.com> On 02/22/2011 06:18 PM, Endi Sukma Dewata wrote: > The order of the Add and Delete buttons has been reversed to be > consistent with those in other facets. > > > _______________________________________________ > Freeipa-devel mailing list > Freeipa-devel at redhat.com > https://www.redhat.com/mailman/listinfo/freeipa-devel ACK pushed to master -------------- next part -------------- An HTML attachment was scrubbed... URL: From ayoung at redhat.com Wed Feb 23 16:24:32 2011
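The modify-list rule Jakub's patch 065 introduces (ticket 1000: use one MOD_REPLACE only when the old and new value sets have nothing in common) together with the len(v) > 0 guard Rob describes above, written out as an added example. This is not FreeIPA's ldap2 code: the function names, the inlined MOD_* constants and the in-memory entry model used to check the result are this example's own assumptions.

```python
"""
Added example, not FreeIPA's ldap2 code: derive the LDAP modify operations
for one attribute from its old and new value lists, using the rule discussed
in this thread (a single MOD_REPLACE only when old and new share no value,
and only when there is something to replace with), then check the result
against a tiny in-memory model of an entry.
"""
from typing import Dict, List, Set, Tuple

# Same numeric values as python-ldap's ldap.MOD_ADD/MOD_DELETE/MOD_REPLACE,
# inlined here (assumption) so the example runs without an LDAP library.
MOD_ADD, MOD_DELETE, MOD_REPLACE = 0, 1, 2

Mod = Tuple[int, str, List[str]]


def modlist_for_attr(attr: str, old: List[str], new: List[str],
                     guard_empty_replace: bool = True) -> List[Mod]:
    """Return the mods that turn `old` into `new` for `attr`.

    guard_empty_replace=False reproduces the corner case Rob describes:
    removing the last value leaves no adds, one rem and an empty
    intersection, so the replace branch fires with no values at all.
    """
    old_set, new_set = set(old), set(new)
    adds = sorted(new_set - old_set)
    rems = sorted(old_set - new_set)
    if not adds and not rems:
        return []                                   # nothing to do
    disjoint = not (old_set & new_set)
    if disjoint and (new_set or not guard_empty_replace):
        # Old and new have nothing in common: one atomic replace instead of
        # a delete of every old value followed by an add of every new one.
        return [(MOD_REPLACE, attr, sorted(new_set))]
    mods: List[Mod] = []
    if rems:
        mods.append((MOD_DELETE, attr, rems))       # explicit per-value delete
    if adds:
        mods.append((MOD_ADD, attr, adds))
    return mods


def apply_modlist(entry: Dict[str, Set[str]], mods: List[Mod]) -> Dict[str, Set[str]]:
    """Apply mods to a copy of `entry` with RFC 4511 section 4.6 semantics:
    a replace or a delete with no values removes the whole attribute, and
    deleting a value that is not present is an error (noSuchAttribute)."""
    out = {k: set(v) for k, v in entry.items()}
    for op, attr, values in mods:
        current = out.setdefault(attr, set())
        if op == MOD_ADD:
            current |= set(values)
        elif op == MOD_DELETE:
            if not values:
                current.clear()
            else:
                missing = set(values) - current
                if missing:
                    raise ValueError(f"noSuchAttribute: {attr} {sorted(missing)}")
                current -= set(values)
        elif op == MOD_REPLACE:
            out[attr] = set(values)
        else:
            raise ValueError(f"unknown mod op {op}")
        if not out[attr]:
            del out[attr]
    return out


def round_trip(attr: str, old: List[str], new: List[str]) -> Dict[str, Set[str]]:
    """Generate the modlist for old -> new and apply it to an entry holding
    `old`; the result must contain exactly `new` (or no attribute at all)."""
    entry = {attr: set(old)} if old else {}
    return apply_modlist(entry, modlist_for_attr(attr, old, new))


if __name__ == "__main__":
    # Constructed sample: a group whose member attribute changes.
    for old, new in ([["uid=a"], ["uid=b"]],
                     [["uid=a", "uid=b"], ["uid=b", "uid=c"]],
                     [["uid=a"], []]):
        print(old, "->", new, modlist_for_attr("member", old, new))
```

Whether a server treats a replace carrying no values as "delete the attribute" or as something the caller did not mean is exactly the kind of ambiguity the guard removes; a MOD_DELETE of the specific last value says what is intended and fails loudly (noSuchAttribute) if the value is already gone.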
From: ayoung at redhat.com (Adam Young) Date: Wed, 23 Feb 2011 11:24:32 -0500 Subject: [Freeipa-devel] [PATCH] one liner to add new image for banner text. Message-ID: <4D6534C0.3060806@redhat.com> pushed to master under the one line rule commit 49b2c0bb6203d23ff0c56945b447b7da8f2a3f84 Author: Adam Young Date: Wed Feb 23 11:23:16 2011 -0500 splitting banner requires new file in Makefile.am diff --git a/install/ui/Makefile.am b/install/ui/Makefile.am index e6ffed1..e8c11c2 100644 --- a/install/ui/Makefile.am +++ b/install/ui/Makefile.am @@ -48,6 +48,7 @@ app_DATA = \ widget.js \ user.js \ ipalogo.png \ + ipabanner.png \ gray-fade-line.png \ Mainnav-background.png \ Mainnav-offtab.png \ From ayoung at redhat.com Wed Feb 23 16:25:00 2011 From: ayoung at redhat.com (Adam Young) Date: Wed, 23 Feb 2011 11:25:00 -0500 Subject: [Freeipa-devel] [PATCH] 113 Fixed buttons for DNS records. In-Reply-To: <4D64443A.6060007@redhat.com> References: <4D64443A.6060007@redhat.com> Message-ID: <4D6534DC.5040200@redhat.com> On 02/22/2011 06:18 PM, Endi Sukma Dewata wrote: > The order of the Add and Delete buttons has been reversed to be > consistent with those in other facets. > > > _______________________________________________ > Freeipa-devel mailing list > Freeipa-devel at redhat.com > https://www.redhat.com/mailman/listinfo/freeipa-devel ACK. Pushed to master -------------- next part -------------- An HTML attachment was scrubbed... URL: From JR.Aquino at citrix.com Wed Feb 23 16:31:02 2011 
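Review bot: the hunk only lists ipabanner.png in app_DATA of install/ui/Makefile.am; automake will fail `make install` and `make dist` if that file is not in the tree, so confirm the image added by the split-logo patch (admiyo-0204) is committed alongside this one-liner rather than relying on it being present in a working copy.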
From: JR.Aquino at citrix.com (JR Aquino) Date: Wed, 23 Feb 2011 16:31:02 +0000 Subject: [Freeipa-devel] [PATCH] 20 Create default disabled sudo bind user In-Reply-To: Message-ID: On 2/22/11 7:45 PM, "JR Aquino" wrote: >This patch addresses ticket #998 > >It adds: > >* ldif to create a default sudo bind user: dn: >uid=sudo,cn=sysaccounts,cn=etc,$SUFFIX >* modifications to dsinstance.py to add the ldif >* modifications to dsinstance.py to add a call to >ipautil.ipa_generate_password() for a random password. It is added to >the sub_dict as 'RANDOM_PASSWORD' >* addition to the Makefile.am in install/share to account for the new >ldif file Corrections / Additions: * Correction to dsinstance.py to remove the unnecessary sha1 call and library * Addition of docstring for the ipa help sudorule to explain usage of the sudo binddn -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-jraquino-0020-Create-default-disabled-sudo-bind-user.patch Type: application/octet-stream Size: 4210 bytes Desc: freeipa-jraquino-0020-Create-default-disabled-sudo-bind-user.patch URL: From rcritten at redhat.com Wed Feb 23 16:56:56 2011
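An added example, not JR's patch or FreeIPA's ipautil: a sysaccount entry like the one this patch describes (dn: uid=sudo,cn=sysaccounts,cn=etc,$SUFFIX) rendered from a $VAR template with a freshly generated random password, and the password kept out of anything that is logged, which is the point Rob raises in his reply further down the thread. The template text, the objectclasses and every function name here are assumptions for illustration; the install-time LDIF and helpers in the real patch may differ.

```python
"""
Added example, not the patch's code: render a sudo bind sysaccount LDIF
from a $VAR template with a random password and redact that password from
the log copy. The account is "disabled" in the sense that nobody knows the
random password; an admin enables it later with ldappasswd.
"""
import secrets
import string
from typing import Dict, Iterable, List, Optional

# Assumed template shape: $SUFFIX and $RANDOM_PASSWORD are substituted
# before the LDIF is fed to the directory server.
SUDO_BIND_USER_LDIF = """\
dn: uid=sudo,cn=sysaccounts,cn=etc,$SUFFIX
changetype: add
objectclass: account
objectclass: simplesecurityobject
uid: sudo
userPassword: $RANDOM_PASSWORD
"""

# Keys whose values must never reach a log file.
SECRET_KEYS = ("PASSWORD", "RANDOM_PASSWORD")


def generate_password(length: int = 22) -> str:
    """Random password from the CSPRNG; it is never displayed, so the
    account stays unusable until an admin sets a password of their own."""
    alphabet = string.ascii_letters + string.digits
    return "".join(secrets.choice(alphabet) for _ in range(length))


def render_template(template: str, sub_dict: Dict[str, str]) -> str:
    """Substitute $NAME placeholders; an unknown name raises KeyError, so a
    typo in the template cannot leave a literal '$RANDOM_PASSWORD' behind."""
    return string.Template(template).substitute(sub_dict)


def nolog_values(sub_dict: Dict[str, str]) -> List[str]:
    """Collect every secret value present in sub_dict, not just the last
    one seen, so PASSWORD and RANDOM_PASSWORD are both redacted."""
    return [sub_dict[k] for k in SECRET_KEYS if sub_dict.get(k)]


def redact(text: str, secrets_to_hide: Iterable[str]) -> str:
    """Mask each secret value wherever it appears in text."""
    for value in secrets_to_hide:
        text = text.replace(value, "XXXXXXXX")
    return text


def build_sudo_bind_user(suffix: str, password: Optional[str] = None) -> Dict[str, str]:
    """Return the LDIF to load and a log-safe copy of it.

    `password` exists for testing only; production callers leave it None so
    the random value is generated here and discarded with the sub_dict."""
    sub_dict = {"SUFFIX": suffix,
                "RANDOM_PASSWORD": password or generate_password()}
    ldif = render_template(SUDO_BIND_USER_LDIF, sub_dict)
    return {
        "dn": f"uid=sudo,cn=sysaccounts,cn=etc,{suffix}",
        "ldif": ldif,                                  # feed this to ldapmodify
        "log": redact(ldif, nolog_values(sub_dict)),   # safe for the install log
    }


if __name__ == "__main__":
    result = build_sudo_bind_user("dc=example,dc=com")   # constructed suffix
    print(result["log"])
```

The only copy of the password lives in the rendered LDIF that goes to the server; the log copy is produced from the same sub_dict the installer already has, so there is no second place to forget.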
From: rcritten at redhat.com (Rob Crittenden) Date: Wed, 23 Feb 2011 11:56:56 -0500 Subject: [Freeipa-devel] [PATCH] 738 default.conf man page In-Reply-To: <4D6461AF.6030009@redhat.com> References: <4D62DFC2.9070308@redhat.com> <4D63B0AA.6000708@redhat.com> <4D63C551.6000509@redhat.com> <4D6461AF.6030009@redhat.com> Message-ID: <4D653C58.9090406@redhat.com> David O'Brien wrote: > Rob Crittenden wrote: >> David O'Brien wrote: >>> Rob Crittenden wrote: >>>> Add a man page for the IPA configuration file default.conf. >>>> >>>> ticket 969 >>>> >>>> rob >>>> >>>> >>> NACK >>> >>> A few too many typos and other errors. >>> >>> "Spaces between the equals sign are ignored." >>> Do you mean, "Spaces surrounding equals signs are ignored."? >>> >>> +Specifies the base DN to use when performan LDAP operations. >>> performing >>> >>> +Specfies the secure CA agent port. The defauilt is 9443. >>> Specifies >>> default >>> >>> +Specifies the unsecure CA end user port. The default is 9190. >>> insecure >>> >>> "For example. if you want to always perform client requests in verbose >>> mode but do not want to have verbose enabled on the server add the >>> verbose option to \fI/etc/ipa/cli.conf\fR." >>> comma after "example", not a period. >>> add a comma after "enabled on the server" >>> >>> +Specifies whether the CA is acting is an RA agent, >>> as an RA agent >>> >>> "+Specifies the name of the CA backend to use. The current options are >>> \fBselfsign\fR and \fBdogtag\fR. This is a server\-side setting. >>> Changing this value is not recommended as the CA backend is only set up >>> during ininitial installation." >>> s/backend/back end/ >>> s/selfsign/self-sign/ >>> s/ininitial/initial/ >>> >>> +Specifies the kerberos realm. >>> Kerberos >>> >>> "...and show the server(s) the client contacts." >>> s/server(s)/servers/ >>> >>> +user IPA configurationf ile >>> configuration file >>> >>> "+Optional configuration files used in a particular context are. 
The >>> value of mode is used to attempt to load these files, if they exist:" >>> I'm not sure what this means >>> >>> >> >> Fixes applied. >> >> rob > > +Specfies the secure CA agent port. The default is 9443. > Specifies > > "Changing this value is not recommended as the CA backend is only set up > during initial installation." > s/backend/back end/ > > "+Optional configuration files used in a particular context are. The > value of the context setting (\fBcli\fR or \fBserver\fR) is used to > attempt to load these files, if they exist:" > > I still don't understand this. Bear in mind that I'm reading the raw > patch; I haven't applied it or tried to format this as a man page. Maybe > that would help. > > Everything else is fine. ACK with those couple of fixes. > > /dob Fixed, pushed to master. I added a bit more discussion about the context-specific files. I think it is clearer now. rob From rcritten at redhat.com Wed Feb 23 16:57:21 2011 
From: rcritten at redhat.com (Rob Crittenden) Date: Wed, 23 Feb 2011 11:57:21 -0500 Subject: [Freeipa-devel] [PATCH] 739 update permission help text In-Reply-To: <4D646414.1020803@redhat.com> References: <4D640293.1080200@redhat.com> <20110222200859.GA25025@zeppelin.brq.redhat.com> <4D641B61.3050309@redhat.com> <20110222210459.GB25025@zeppelin.brq.redhat.com> <4D6429DC.1060100@redhat.com> <4D646414.1020803@redhat.com> Message-ID: <4D653C71.5050606@redhat.com> David O'Brien wrote: > Rob Crittenden wrote: >> Jakub Hrozek wrote: >>> On Tue, Feb 22, 2011 at 03:24:01PM -0500, Rob Crittenden wrote: >>>> Jakub Hrozek wrote: >>>>> On Tue, Feb 22, 2011 at 01:38:11PM -0500, Rob Crittenden wrote: >>>>>> Based on feedback from David here is a hopefully clearer description >>>>>> of permissions. >>>>>> >>>>>> ticket 996 >>>>>> >>>>>> rob >>>>> >>>>> I think you sent a wrong patch, this is the default.conf manpage one. >>>> >>>> D'oh, here you go. >>>> >>>> rob >>> >>> I agree with the changes, but now I realized that davido mentioned >>> "privilege" not "permission". The privilege docstring contains the same >>> errors as permission, can you also copy the changes into >>> ipalib/plugins/privilege.py ? >> >> Good idea, updated patch attached. >> >> rob >> > > This is heaps better. ACK > pushed to master From jhrozek at redhat.com Wed Feb 23 17:13:57 2011 
From: jhrozek at redhat.com (Jakub Hrozek) Date: Wed, 23 Feb 2011 18:13:57 +0100 Subject: [Freeipa-devel] [PATCH] 065 Replace only if old and new have nothing in common In-Reply-To: <4D652C0F.8090606@redhat.com> References: <4D64F489.7050305@redhat.com> <4D652C0F.8090606@redhat.com> Message-ID: <4D654055.9070409@redhat.com> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 On 02/23/2011 04:47 PM, Rob Crittenden wrote: > Jakub Hrozek wrote: >> Replace only if old and new have nothing in common >> > > This has problems when removing the last member. There are no adds, rems > has a single value (the member being removed). The intersection is 0 so > force_replace gets set to True and nothing ends up getting done. > > I added a len(v) > 0 to this conditional and it seems to work. I also > added a small test case based on Endi's initial report. I'm getting a > 100% test pass rate. > > rob I hit one more problem with the patch, although I'm not entirely sure how that is possible - when a user is renamed, his memberof becomes indirect memberof: # ipa user-mod --rename test2 test - -------------------- Modified user "test" - -------------------- User login: test2 First name: Test Last name: User Home directory: /home/test Login shell: /bin/sh Account disabled: False Indirect Member of group: ipausers -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.11 (GNU/Linux) Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org/ iEYEARECAAYFAk1lQFUACgkQHsardTLnvCUNDwCghhM7z5y0sZkYAd6LWbtpPsuY ua4AoJbugnFeCADOG91nm5PJcNfshCgQ =pHWV -----END PGP SIGNATURE----- From rcritten at redhat.com Wed Feb 23 17:36:06 2011
From: rcritten at redhat.com (Rob Crittenden) Date: Wed, 23 Feb 2011 12:36:06 -0500 Subject: [Freeipa-devel] [PATCH] 065 Replace only if old and new have nothing in common In-Reply-To: <4D654055.9070409@redhat.com> References: <4D64F489.7050305@redhat.com> <4D652C0F.8090606@redhat.com> <4D654055.9070409@redhat.com> Message-ID: <4D654586.3000906@redhat.com> Jakub Hrozek wrote: > -----BEGIN PGP SIGNED MESSAGE----- > Hash: SHA1 > > On 02/23/2011 04:47 PM, Rob Crittenden wrote: >> Jakub Hrozek wrote: >>> Replace only if old and new have nothing in common >>> >> >> This has problems when removing the last member. There are no adds, rems >> has a single value (the member being removed). The intersection is 0 so >> force_replace gets set to True and nothing ends up getting done. >> >> I added a len(v) > 0 to this conditional and it seems to work. I also >> added a small test case based on Endi's initial report. I'm getting a >> 100% test pass rate. >> >> rob > > I hit one more problem with the patch, although I'm not entirely sure > how that is possible - when a user is renamed, his memberof becomes > indirect memberof: > > # ipa user-mod --rename test2 test > - -------------------- > Modified user "test" > - -------------------- > User login: test2 > First name: Test > Last name: User > Home directory: /home/test > Login shell: /bin/sh > Account disabled: False > Indirect Member of group: ipausers I think this is another timing issue with 389-ds postop plugins, this time the referential integrity plugin. I don't think this is related to this change. We start with: dn: uid=test, ... uid: test memberOf: ipausers dn: cn=ipausers, ... cn: ipausers member: uid=test,... When we do the rename we immediately end up with: dn: uid=test2, .. uid: test2 memberOf: ipausers dn: cn=ipausers, ... cn: ipausers member: uid=test, ... 
We determine indirect membership by comparing the user's memberOf with the results of a query for member=uid=test2 If the refint plugin hasn't updated the ipausers group by the time we do the query the user will appear to be an indirect member. rob From pzuna at redhat.com Wed Feb 23 18:09:07 2011 
From: pzuna at redhat.com (Pavel Zůna) Date: Wed, 23 Feb 2011 19:09:07 +0100 Subject: [Freeipa-devel] Localization patches. In-Reply-To: <4D640B71.7080304@redhat.com> References: <4D5BEEDC.5050902@redhat.com> <4D5C9F5D.1090706@redhat.com> <4D5D7C29.2020102@redhat.com> <4D5D9888.6010603@redhat.com> <4D5E4B36.1010805@redhat.com> <4D640B71.7080304@redhat.com> Message-ID: <4D654D43.5030601@redhat.com> On 2011-02-22 20:16, Rob Crittenden wrote: > Pavel Zůna wrote: >> On 2011-02-17 22:52, Rob Crittenden wrote: >>> Pavel Zůna wrote: >>>> On 2011-02-17 05:09, Rob Crittenden wrote: >>>>> Pavel Zůna wrote: >>>>>> My efforts in fixing localization all around the framework and >>>>>> preparing >>>>>> it for localizing docstrings have resulted in a lot of patches. >>>>>> Because >>>>>> I understand they have become a bit hard to track, I decided to post >>>>>> them all together in this thread to make review easier. >>>>>> >>>>>> After this is committed, there will be one more patch that switches >>>>>> xgettext for pygettext. Then hopefully, we'll be pretty much set >>>>>> when it >>>>>> comes to i18n. >>>>>> >>>>>> Pavel >>>>> >>>>> Patch 81 isn't applying for me. >>>>> >>>>> Help is not working for me either, this is due to patch 80. 
>>>>> >>>>> $ ipa help user >>>>> ipa: ERROR: NameError: global name '_' is not defined >>>>> Traceback (most recent call last): >>>>> File "/home/rcrit/redhat/freeipa-version/ipalib/cli.py", line 1087, in >>>>> run >>>>> api.finalize() >>>>> File "/home/rcrit/redhat/freeipa-version/ipalib/plugable.py", line >>>>> 619, >>>>> in finalize >>>>> plugin_iter(base, (magic[k] for k in magic)) >>>>> File "/home/rcrit/redhat/freeipa-version/ipalib/base.py", line 397, in >>>>> __init__ >>>>> sorted(members, key=lambda m: getattr(m, name_attr)) >>>>> File "/home/rcrit/redhat/freeipa-version/ipalib/plugable.py", line >>>>> 608, >>>>> in plugin_iter >>>>> plugins[klass] = PluginInstance(klass) >>>>> File "/home/rcrit/redhat/freeipa-version/ipalib/plugable.py", line >>>>> 585, >>>>> in __init__ >>>>> self.instance = klass() >>>>> File "/home/rcrit/redhat/freeipa-version/ipalib/plugable.py", line >>>>> 184, >>>>> in __init__ >>>>> self.doc = _(inspect.getdoc(cls)) >>>>> NameError: global name '_' is not defined >>>>> ipa: ERROR: an internal error has occurred >>>>> >>>>> Patches 69, 71 and 73 are still working fine. >>>>> >>>>> What is switching from xgettext to pygettext going to do? >>>> >>>> This was answered by John Dennis: xgettext doesn't parse python >>>> docstrings. >>>> >>>>> >>>>> rob >>>> >>>> Rebased version of 81 attached. It should also fix the traceback you're >>>> getting. >>>> >>>> Pavel >>> >>> Something is still not working. 
I'm having a hard time reproducing how I >>> got this but with LANG=es_US.UTF-8 for a while I was getting this with >>> every ipa user-* request: >>> >>> ipa: ERROR: UnicodeEncodeError: 'ascii' codec can't encode character >>> u'\xf1' in position 20: ordinal not in range(128) >>> Traceback (most recent call last): >>> File "/home/rcrit/redhat/freeipa-version/ipalib/cli.py", line 1090, in >>> run >>> sys.exit(api.Backend.cli.run(argv)) >>> File "/home/rcrit/redhat/freeipa-version/ipalib/cli.py", line 917, in >>> run >>> rv = cmd.output_for_cli(self.api.Backend.textui, result, *args, >>> **options) >>> File "/home/rcrit/redhat/freeipa-version/ipalib/frontend.py", line 953, >>> in output_for_cli >>> textui.print_entries(result, order, labels, flags, print_all) >>> File "/home/rcrit/redhat/freeipa-version/ipalib/cli.py", line 346, in >>> print_entries >>> self.print_entry(entry, order, labels, flags, print_all, format, indent) >>> File "/home/rcrit/redhat/freeipa-version/ipalib/cli.py", line 378, in >>> print_entry >>> label, value, format, indent, one_value_per_line >>> File "/home/rcrit/redhat/freeipa-version/ipalib/cli.py", line 309, in >>> print_attribute >>> self.print_indented(format % (attr, text[0]), indent) >>> File "/home/rcrit/redhat/freeipa-version/ipalib/cli.py", line 232, in >>> print_indented >>> print (CLI_TAB * indent + text) >>> UnicodeEncodeError: 'ascii' codec can't encode character u'\xf1' in >>> position 20: ordinal not in range(128) >>> ipa: ERROR: ha ocurrido un error interno >>> I think it is blowing up on this user: >>> >>> User login: jose >>> First name: Jose >>> Last name: contraseñas >>> Home directory: /home/jose >>> Login shell: /bin/sh >>> Account disabled: TRUE >>> Member of groups: ipausers >>> >>> Then all of a sudden things started working fine, so I'm not sure what's >>> going on. >>> >>> Is this traceback meaningful to you? >>> >>> rob >> >> This looks like a bug in the textui backend. 
>> >> You get this error when you do something like this: >> >> >>> a = u'\xf1' >> >>> a.decode('utf-8') >> Traceback (most recent call last): >> File "", line 1, in >> File "/usr/lib/python2.6/encodings/utf_8.py", line 16, in decode >> return codecs.utf_8_decode(input, errors, True) >> UnicodeEncodeError: 'ascii' codec can't encode character u'\xf1' in >> position 0: ordinal not in range(128) >> >> It means we're not handling encoding/decoding from/to the CLI right >> somewhere. >> >> The character \xf1 corresponds to the small N with tilde in Jose's last >> name. >> >> I'm going to look into it, but I don't think it's related to the >> localization patches. >> >> Pavel > > I'm seeing 2 test failures: > > > ====================================================================== > FAIL: Test the `ipalib.plugable.Plugin.__init__` method. > ---------------------------------------------------------------------- > Traceback (most recent call last): > File "/usr/lib/python2.7/site-packages/nose/case.py", line 186, in runTest > self.test(*self.arg) > File > "/home/rcrit/redhat/freeipa-tests/tests/test_ipalib/test_plugable.py", > line 237, in test_init > assert o.summary == 'Do sub-classy things.' > AssertionError > > ====================================================================== > FAIL: Test gettext translation > ---------------------------------------------------------------------- > Traceback (most recent call last): > File "/usr/lib/python2.7/site-packages/nose/case.py", line 186, in runTest > self.test(*self.arg) > File "/home/rcrit/redhat/freeipa-tests/tests/test_ipalib/test_text.py", > line 122, in test_gettext > assert(translated[0] != prefix) > AssertionError > > patch 81 is probably going to need a rebase. I was able to get it > applied with a 3-way merge and one conflict in internal.py. > > rob Rebased patch 81 and 83 (pygettext). Created a new patch to fix these latest test failures - it was easier than doing a complex rebase. 
All latest versions of localization patches are attached to this email for review. I tried to apply them on a clean master clone, build RPMs, installed and run all unit tests. So hopefully, we're finally going to get this in. :) Pavel -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pzuna-69-rmi18nrequest.patch Type: application/mbox Size: 8311 bytes Desc: not available URL: -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pzuna-71-3-acceptlang.patch Type: application/mbox Size: 4103 bytes Desc: not available URL: -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pzuna-76-deflocale.patch Type: application/mbox Size: 959 bytes Desc: not available URL: -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pzuna-80-docstringloc.patch Type: application/mbox Size: 2365 bytes Desc: not available URL: -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pzuna-81-3-fixlocstrings.patch Type: application/mbox Size: 17317 bytes Desc: not available URL: -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pzuna-82-fixlocutests.patch Type: application/mbox Size: 12762 bytes Desc: not available URL: -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pzuna-83-2-pygettext.patch Type: application/mbox Size: 35348 bytes Desc: not available URL: -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pzuna-84-finali18ntests.patch Type: application/mbox Size: 1778 bytes Desc: not available URL: From rcritten at redhat.com Wed Feb 23 18:50:37 2011 
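Added illustration for the UnicodeEncodeError thread above (Python 3, written for this archive; it is not ipalib's textui code and not part of Rob's or Pavel's messages). It shows the fix the traceback calls for: build the whole line as text and encode it once at the terminal boundary with an explicit encoding and a replacement policy, so a character the locale cannot represent degrades to '?' instead of aborting a request that already succeeded server-side. CLI_TAB and the function names are assumptions modelled on the traceback; the sample entry is constructed from the one quoted in the thread.

```python
import io
import locale
import sys

# Indentation unit; the real ipalib value is not on the page (assumption).
CLI_TAB = "  "


def terminal_encoding(stream=None):
    """Encoding a text line must be converted to before it reaches the
    terminal: the stream's own encoding if it has one, else the locale's
    preferred encoding, else UTF-8 as a last resort."""
    stream = stream if stream is not None else sys.stdout
    return (getattr(stream, "encoding", None)
            or locale.getpreferredencoding(False)
            or "utf-8")


def encode_for_terminal(text, encoding, errors="replace"):
    """Encode explicitly instead of letting print() do it implicitly.

    With errors="replace" the ñ (U+00F1) from the traceback becomes '?'
    on an ASCII/C locale and the command still completes, instead of
    dying with UnicodeEncodeError on the first non-ASCII attribute.
    """
    return text.encode(encoding, errors)


def format_attribute(label, value, indent, encoding):
    """Mirror of print_attribute + print_indented from the traceback:
    the full line is assembled as text, then encoded once at the edge."""
    line = CLI_TAB * indent + "%s: %s" % (label, value)
    return encode_for_terminal(line, encoding)


def render_entry(entry, encoding, indent=1):
    """Render an ordered list of (label, value) pairs to the bytes that
    print_entry would write to a binary stdout."""
    buf = io.BytesIO()
    for label, value in entry:
        buf.write(format_attribute(label, value, indent, encoding) + b"\n")
    return buf.getvalue()


# Constructed sample: the user entry from the thread that triggered the error.
SAMPLE_ENTRY = [
    ("User login", "jose"),
    ("First name", "Jose"),
    ("Last name", "contrase\u00f1as"),
    ("Home directory", "/home/jose"),
]

if __name__ == "__main__":
    # Try it with LANG=C versus LANG=es_US.UTF-8: both runs complete.
    sys.stdout.buffer.write(render_entry(SAMPLE_ENTRY, terminal_encoding()))
```

The design point is that the encoding decision happens in exactly one place, where the terminal's capabilities are known; everything above it stays text. Whether to use "replace" or "backslashreplace" is a policy choice, but either is preferable to an uncaught exception that the CLI then reports as an internal error.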
From: rcritten at redhat.com (Rob Crittenden) Date: Wed, 23 Feb 2011 13:50:37 -0500 Subject: [Freeipa-devel] [PATCH] 20 Create default disabled sudo bind user In-Reply-To: References: Message-ID: <4D6556FD.1040805@redhat.com> JR Aquino wrote: > On 2/22/11 7:45 PM, "JR Aquino" wrote: > >> This patch addressees ticket #998 >> >> It adds: >> >> * ldif to create a default sudo bind user: dn: >> uid=sudo,cn=sysaccounts,cn=etc,$SUFFIX >> * modifications to dsinstance.py to add the ldif >> * modifications to dsinstance.py to add a call to >> ipautil.ipa_generate_password() for an random password. It is added to >> the sub_dict as 'RANDOM_PASSWORD' >> * addition to the Makefile.am in install/share to account for the new >> ldif file > > Corrections / Additions: > > * Correction to dsinstance.py to remove the unnecessary sha1 call and > library > * Addition of docstring for the ipa help sudorule to explain usage of the > sudo binddn > We need to make sure we don't log random passwords. Can you add this to your patch? --- service.py 2011-02-14 20:18:23.000000000 -0500 +++ /tmp/service.py 2011-02-23 13:49:56.000000000 -0500 @@ -137,6 +137,8 @@ # do not log passwords if sub_dict.has_key('PASSWORD'): nologlist = sub_dict['PASSWORD'], + if sub_dict.has_key('RANDOM_PASSWORD'): + nologlist = sub_dict['RANDOM_PASSWORD'], if self.dm_password: [pw_fd, pw_name] = tempfile.mkstemp() From ssorce at redhat.com Wed Feb 23 19:23:35 2011 
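Review bot: the two `+` lines replace `nologlist` instead of extending it, so a sub_dict that carries both keys loses the first secret. `nologlist = sub_dict['PASSWORD'],` builds a one-element tuple (the trailing comma is easy to miss), and `nologlist = sub_dict['RANDOM_PASSWORD'],` then rebinds the name, leaving the PASSWORD value unmasked in the log. Collect every secret that is present instead, for example `nologlist = [sub_dict[k] for k in ('PASSWORD', 'RANDOM_PASSWORD') if k in sub_dict]`, which also drops `dict.has_key`, a Python 2 only method, in favour of `in`. A short comment on why the list exists would help the next person who adds a secret key to sub_dict.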
From: ssorce at redhat.com (Simo Sorce) Date: Wed, 23 Feb 2011 14:23:35 -0500 Subject: [Freeipa-devel] [PATCH] 20 Create default disabled sudo bind user In-Reply-To: <4D6556FD.1040805@redhat.com> References: <4D6556FD.1040805@redhat.com> Message-ID: <20110223142335.5f2851d7@willson.li.ssimo.org> On Wed, 23 Feb 2011 13:50:37 -0500 Rob Crittenden wrote: > JR Aquino wrote: > > On 2/22/11 7:45 PM, "JR Aquino" wrote: > > > >> This patch addressees ticket #998 > >> > >> It adds: > >> > >> * ldif to create a default sudo bind user: dn: > >> uid=sudo,cn=sysaccounts,cn=etc,$SUFFIX > >> * modifications to dsinstance.py to add the ldif > >> * modifications to dsinstance.py to add a call to > >> ipautil.ipa_generate_password() for an random password. It is > >> added to the sub_dict as 'RANDOM_PASSWORD' > >> * addition to the Makefile.am in install/share to account for the > >> new ldif file > > > > Corrections / Additions: > > > > * Correction to dsinstance.py to remove the unnecessary sha1 call > > and library > > * Addition of docstring for the ipa help sudorule to explain usage > > of the sudo binddn > > > > We need to make sure we don't log random passwords. Can you add this > to your patch? > > --- service.py 2011-02-14 20:18:23.000000000 -0500 > +++ /tmp/service.py 2011-02-23 13:49:56.000000000 -0500 > @@ -137,6 +137,8 @@ > # do not log passwords > if sub_dict.has_key('PASSWORD'): > nologlist = sub_dict['PASSWORD'], > + if sub_dict.has_key('RANDOM_PASSWORD'): > + nologlist = sub_dict['RANDOM_PASSWORD'], Should you append to nologlist ? If I read this right otherwise you'll replace the previous one. Simo. -- Simo Sorce * Red Hat, Inc * New York From rcritten at redhat.com Wed Feb 23 19:26:05 2011 
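Added example for the nologlist exchange above (written for this archive, not JR's or Rob's patch and not FreeIPA's service.py). It puts the posted shape of the code next to a corrected collector and runs both through a small redaction step, so the difference Simo points at is visible on sample data: the tuple-rebinding version masks only the last secret, the list version masks all of them. The template expansion is a stand-in for the installer's LDIF templating, the key names come from the thread, and the sub_dict values and the second entry are constructed.

```python
# Keys of sub_dict that carry secrets, as named in the thread.
SECRET_KEYS = ("PASSWORD", "RANDOM_PASSWORD")
MASK = "XXXXXXXX"


def nologlist_buggy(sub_dict):
    """Same shape as the posted hunk: `x = value,` builds a 1-tuple and
    each `if` rebinds the name, so only the last secret present survives."""
    nologlist = ()
    if "PASSWORD" in sub_dict:
        nologlist = sub_dict["PASSWORD"],
    if "RANDOM_PASSWORD" in sub_dict:
        nologlist = sub_dict["RANDOM_PASSWORD"],
    return nologlist


def nologlist_fixed(sub_dict, secret_keys=SECRET_KEYS):
    """Collect every secret value that is present and non-empty."""
    return [sub_dict[key] for key in secret_keys if sub_dict.get(key)]


def render_template(template, sub_dict):
    """$KEY substitution; a stand-in for the installer's LDIF templating,
    not ipautil's real code (assumption)."""
    text = template
    for key, value in sub_dict.items():
        text = text.replace("$" + key, value)
    return text


def redact(text, secrets):
    """Mask every secret, longest first, so a secret that is a prefix of
    another cannot leave a recognisable suffix behind."""
    for secret in sorted(set(secrets), key=len, reverse=True):
        text = text.replace(secret, MASK)
    return text


def loggable_ldif(template, sub_dict, collector=nologlist_fixed):
    """What may go to the install log: the expanded LDIF with all secrets
    masked.  `collector` selects which nologlist variant is used."""
    return redact(render_template(template, sub_dict), collector(sub_dict))


# Constructed sample: the sudo bind user dn is from the thread, the second
# entry and all values are made up for the demonstration.
SAMPLE_TEMPLATE = (
    "dn: uid=sudo,cn=sysaccounts,cn=etc,$SUFFIX\n"
    "userPassword: $RANDOM_PASSWORD\n"
    "\n"
    "dn: uid=svc,cn=sysaccounts,cn=etc,$SUFFIX\n"
    "userPassword: $PASSWORD\n"
)
SAMPLE_SUBDICT = {
    "SUFFIX": "dc=example,dc=test",
    "PASSWORD": "dm-secret-7731",
    "RANDOM_PASSWORD": "RaNd0m-gEnErAtEd",
}

if __name__ == "__main__":
    print("--- with the posted nologlist ---")
    print(loggable_ldif(SAMPLE_TEMPLATE, SAMPLE_SUBDICT, nologlist_buggy))
    print("--- with the list collector ---")
    print(loggable_ldif(SAMPLE_TEMPLATE, SAMPLE_SUBDICT))
```

Driving the collector from a tuple of key names rather than a chain of `if` blocks is the structural fix: adding a third secret later is a one-token change and cannot reintroduce the rebinding mistake.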
From: rcritten at redhat.com (Rob Crittenden)
Date: Wed, 23 Feb 2011 14:26:05 -0500
Subject: [Freeipa-devel] Localization patches.
In-Reply-To: <4D654D43.5030601@redhat.com>
References: <4D5BEEDC.5050902@redhat.com> <4D5C9F5D.1090706@redhat.com> <4D5D7C29.2020102@redhat.com> <4D5D9888.6010603@redhat.com> <4D5E4B36.1010805@redhat.com> <4D640B71.7080304@redhat.com> <4D654D43.5030601@redhat.com>
Message-ID: <4D655F4D.7070701@redhat.com>

Pavel Zůna wrote:
>
> Rebased patch 81 and 83 (pygettext).
>
> Created a new patch to fix these latest test failures - it was easier
> than doing a complex rebase.
>
> All latest versions of localization patches are attached to this email
> for review.
>
> I tried to apply them on a clean master clone, build RPMs, installed and
> run all unit tests. So hopefully, we're finally going to get this in. :)
>
> Pavel

I don't understand some of these (and past changes):

- Updated patch 83-2 just changes the commit message slightly
- Patch 84 comments out several lines in the tests. There isn't any explanation what these changes do and why they are needed. It seems to be disabling a confirmation that changing locale works.
- Patch 82 drops a bunch of the old ugettext code which is fine, but I think one of the purposes was to make sure that translation was occurring.
- Patch 82 in test_text.py changing the languages is removed. Are we really exercising this code?

rob

From JR.Aquino at citrix.com Wed Feb 23 19:41:54 2011
From: JR.Aquino at citrix.com (JR Aquino) Date: Wed, 23 Feb 2011 19:41:54 +0000 Subject: [Freeipa-devel] [PATCH] 20 Create default disabled sudo bind user In-Reply-To: <20110223142335.5f2851d7@willson.li.ssimo.org> Message-ID: On 2/23/11 11:23 AM, "Simo Sorce" wrote: >On Wed, 23 Feb 2011 13:50:37 -0500 >Rob Crittenden wrote: > >> JR Aquino wrote: >> > On 2/22/11 7:45 PM, "JR Aquino" wrote: >> > >> >> This patch addressees ticket #998 >> >> >> >> It adds: >> >> >> >> * ldif to create a default sudo bind user: dn: >> >> uid=sudo,cn=sysaccounts,cn=etc,$SUFFIX >> >> * modifications to dsinstance.py to add the ldif >> >> * modifications to dsinstance.py to add a call to >> >> ipautil.ipa_generate_password() for an random password. It is >> >> added to the sub_dict as 'RANDOM_PASSWORD' >> >> * addition to the Makefile.am in install/share to account for the >> >> new ldif file >> > >> > Corrections / Additions: >> > >> > * Correction to dsinstance.py to remove the unnecessary sha1 call >> > and library >> > * Addition of docstring for the ipa help sudorule to explain usage >> > of the sudo binddn >> > >> >> We need to make sure we don't log random passwords. Can you add this >> to your patch? >> >> --- service.py 2011-02-14 20:18:23.000000000 -0500 >> +++ /tmp/service.py 2011-02-23 13:49:56.000000000 -0500 
>> @@ -137,6 +137,8 @@ >> # do not log passwords >> if sub_dict.has_key('PASSWORD'): >> nologlist = sub_dict['PASSWORD'], >> + if sub_dict.has_key('RANDOM_PASSWORD'): >> + nologlist = sub_dict['RANDOM_PASSWORD'], > >Should you append to nologlist ? >If I read this right otherwise you'll replace the previous one. > >Simo. New corrections posted for the full patch. Adding a correction to nologlist to initialize it as a dict rather than a tuple. Then correctly appending the various sub_dict objects to the list. Also corrected 2 trailing whitespace bugs that were present in the previous patch. -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-jraquino-0020-Create-default-disabled-sudo-bind-user.patch Type: application/octet-stream Size: 5129 bytes Desc: freeipa-jraquino-0020-Create-default-disabled-sudo-bind-user.patch URL: From rcritten at redhat.com Wed Feb 23 19:58:59 2011 From: rcritten at redhat.com (Rob Crittenden) Date: Wed, 23 Feb 2011 14:58:59 -0500 Subject: [Freeipa-devel] [PATCH] one-liner for krbtpolicy Message-ID: <4D656703.5030308@redhat.com> Pushed out this one-liner to fix a typo and add an example for when user ticket policy takes effect. diff --git a/ipalib/plugins/krbtpolicy.py b/ipalib/plugins/krbtpolicy.py index 22ef161..c9d86ea 100644 --- a/ipalib/plugins/krbtpolicy.py +++ b/ipalib/plugins/krbtpolicy.py @@ -30,8 +30,8 @@ is required, which can be achieved using: service krb5kdc restart -Changes to per-user policies take effect immediatly for newly requested -tickets. +Changes to per-user policies take effect immediately for newly requested +tickets (e.g. when the user next runs kinit). EXAMPLES: From rcritten at redhat.com Wed Feb 23 20:33:10 2011 
From: rcritten at redhat.com (Rob Crittenden) Date: Wed, 23 Feb 2011 15:33:10 -0500 Subject: [Freeipa-devel] [PATCH] 20 Create default disabled sudo bind user In-Reply-To: References: Message-ID: <4D656F06.1010903@redhat.com> JR Aquino wrote: > On 2/23/11 11:23 AM, "Simo Sorce" wrote: > >> On Wed, 23 Feb 2011 13:50:37 -0500 >> Rob Crittenden wrote: >> >>> JR Aquino wrote: >>>> On 2/22/11 7:45 PM, "JR Aquino" wrote: >>>> >>>>> This patch addressees ticket #998 >>>>> >>>>> It adds: >>>>> >>>>> * ldif to create a default sudo bind user: dn: >>>>> uid=sudo,cn=sysaccounts,cn=etc,$SUFFIX >>>>> * modifications to dsinstance.py to add the ldif >>>>> * modifications to dsinstance.py to add a call to >>>>> ipautil.ipa_generate_password() for an random password. It is >>>>> added to the sub_dict as 'RANDOM_PASSWORD' >>>>> * addition to the Makefile.am in install/share to account for the >>>>> new ldif file >>>> >>>> Corrections / Additions: >>>> >>>> * Correction to dsinstance.py to remove the unnecessary sha1 call >>>> and library >>>> * Addition of docstring for the ipa help sudorule to explain usage >>>> of the sudo binddn >>>> >>> >>> We need to make sure we don't log random passwords. Can you add this >>> to your patch? >>> >>> --- service.py 2011-02-14 20:18:23.000000000 -0500 >>> +++ /tmp/service.py 2011-02-23 13:49:56.000000000 -0500 
>>> @@ -137,6 +137,8 @@ >>> # do not log passwords >>> if sub_dict.has_key('PASSWORD'): >>> nologlist = sub_dict['PASSWORD'], >>> + if sub_dict.has_key('RANDOM_PASSWORD'): >>> + nologlist = sub_dict['RANDOM_PASSWORD'], >> >> Should you append to nologlist ? >> If I read this right otherwise you'll replace the previous one. >> >> Simo. > > New corrections posted for the full patch. > > Adding a correction to nologlist to initialize it as a dict rather than a > tuple. Then correctly appending the various sub_dict objects to the list. > Also corrected 2 trailing whitespace bugs that were present in the > previous patch. ack, pushed to master. I just added a bit more info to the commit message. rob From edewata at redhat.com Wed Feb 23 22:11:12 2011 From: edewata at redhat.com (Endi Sukma Dewata) Date: Wed, 23 Feb 2011 16:11:12 -0600 Subject: [Freeipa-devel] [PATCH] 114 Save changes before modifying association. Message-ID: <4D658600.9010105@redhat.com> In a details page, usually any changes done to the fields will not be applied until the user clicks the Update button. However, if the page contains an association table, any addition/deletion to the table will be applied immediately. To avoid any confusion, the user is now required to save or reset all changes to the page before modifying the association. A dialog box will appear if the page contains any unsaved changes. -- Endi S. Dewata -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-edewata-0114-Save-changes-before-modifying-association.patch Type: text/x-patch Size: 7394 bytes Desc: not available URL: From rcritten at redhat.com Wed Feb 23 22:13:17 2011 
From: rcritten at redhat.com (Rob Crittenden) Date: Wed, 23 Feb 2011 17:13:17 -0500 Subject: [Freeipa-devel] [PATCH] 741 fix sudocmd membership Message-ID: <4D65867D.2000303@redhat.com> We weren't searching the cn=sudo container so all members of a sudocmdgroup looked indirect. Add a label for sudo command groups. Update the tests to include verifying that membership is done properly. ticket 1003 rob -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-rcrit-741-sudocmd.patch Type: application/mbox Size: 4696 bytes Desc: not available URL: From rcritten at redhat.com Wed Feb 23 22:15:28 2011 From: rcritten at redhat.com (Rob Crittenden) Date: Wed, 23 Feb 2011 17:15:28 -0500 Subject: [Freeipa-devel] [PATCH] 742 Sudo command groups are not supposed to allow nesting Message-ID: <4D658700.1040806@redhat.com> It was a design decision to now allow nesting sudo command groups, remove it. ticket 1004 rob -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-rcrit-742-sudocmdgroup.patch Type: application/mbox Size: 1186 bytes Desc: not available URL: From dpal at redhat.com Wed Feb 23 22:27:11 2011 
From: dpal at redhat.com (Dmitri Pal) Date: Wed, 23 Feb 2011 17:27:11 -0500 Subject: [Freeipa-devel] [PATCH] 742 Sudo command groups are not supposed to allow nesting In-Reply-To: <4D658700.1040806@redhat.com> References: <4D658700.1040806@redhat.com> Message-ID: <4D6589BF.7080801@redhat.com> On 02/23/2011 05:15 PM, Rob Crittenden wrote: > It was a design decision to now allow nesting sudo command groups, > remove it. > *Not* allow, right? > ticket 1004 > > rob > > > _______________________________________________ > Freeipa-devel mailing list > Freeipa-devel at redhat.com > https://www.redhat.com/mailman/listinfo/freeipa-devel -- Thank you, Dmitri Pal Sr. Engineering Manager IPA project, Red Hat Inc. ------------------------------- Looking to carve out IT costs? www.redhat.com/carveoutcosts/ -------------- next part -------------- An HTML attachment was scrubbed... URL: From pzuna at redhat.com Wed Feb 23 22:41:33 2011 
From: pzuna at redhat.com (Pavel Zůna)
Date: Wed, 23 Feb 2011 23:41:33 +0100
Subject: [Freeipa-devel] [PATCH] 78 Use ldapi: instead of unsecured ldap: in ipa core tools.
In-Reply-To:
References:
Message-ID: <4D658D1D.6060107@redhat.com>

On 2011-02-15 16:36, JR Aquino wrote:
> On 2/15/11 6:52 AM, "Simo Sorce" wrote:
>
>> On Tue, 15 Feb 2011 15:19:50 +0100
>> Pavel Zuna wrote:
>>
>>> I can't reproduce this. :-/
>>>
>>> For me it goes fine:
>>>
>>> [root at ipadev tools]# ./ipa-nis-manage enable
>>> Directory Manager password:
>>>
>>> Enabling plugin
>>> This setting will not take effect until you restart Directory Server.
>>> The rpcbind service may need to be started.
>>>
>>
>> Pavel,
>> Jr has set the minimum ssf to a non default value to test a
>> configuration in which all communications are required to be encrypted.
>> That's why you can't reproduce with the vanilla configuration.
>>
>> We want to support that mode although it won't be the default, so we
>> need to fix any issue that causes that configuration to break (ie all
>> non-encrypted/non-ldapi connections).
>>
>> Simo.
>>
>> --
>> Simo Sorce * Red Hat, Inc * New York
>>
>> _______________________________________________
>> Freeipa-devel mailing list
>> Freeipa-devel at redhat.com
>> https://www.redhat.com/mailman/listinfo/freeipa-devel
>
> The best way to do this is:
>
> -=-
> service ipa stop
> Edit /etc/dirsrv/slapd-DOMAIN/dse.ldif
>
> Change:
> nsslapd-minssf: 0
>
> To:
> nsslapd-minssf: 56 <- 56 is chosen because SASL communicates a 56bit
> handshake even though we utilize a much stronger cipher... (It is a known
> bug/feature)
>
> service ipa start
>

I tried to use the LDAPUpdate class (ipaserver/install/ldapupdate.py) with ldapi=True, but it raises a NotFound exception when trying to call IPAdmin.do_external_bind() (ipaserver/ipaldap.py).
This exception originates in IPAdmin.__lateinit() when trying to retrieve this cn=config,cn=ldbm database,cn=plugins,cn=config For some reason it looks like this entry is inaccessible when doing a SASL EXTERNAL bind as root. I can retrieve the entry as "cn=directory manager": [root at vm-090 freeipa]# ldapsearch -D "cn=directory manager" -W -H ldapi://%2fvar%2frun%2fslapd-IDM-LAB-BOS-REDHAT-COM.socket -b "cn=config,cn=ldbm database,cn=plugins,cn=config" -s one Enter LDAP Password: # extended LDIF # # LDAPv3 # base with scope oneLevel # filter: (objectclass=*) # requesting: ALL # # default indexes, config, ldbm database, plugins, config dn: cn=default indexes,cn=config,cn=ldbm database,cn=plugins,cn=config objectClass: top objectClass: extensibleObject cn: default indexes # search result search: 2 result: 0 Success # numResponses: 2 # numEntries: 1 but not as root: [root at vm-090 freeipa]# ldapsearch -Y EXTERNAL -H ldapi://%2fvar%2frun%2fslapd-IDM-LAB-BOS-REDHAT-COM.socket -b "cn=config" SASL/EXTERNAL authentication started SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth SASL SSF: 0 # extended LDIF # # LDAPv3 # base with scope subtree # filter: (objectclass=*) # requesting: ALL # # SNMP, config dn: cn=SNMP,cn=config objectClass: top objectClass: nsSNMP cn: SNMP nsSNMPEnabled: on # 2.16.840.1.113730.3.4.9, features, config dn: oid=2.16.840.1.113730.3.4.9,cn=features,cn=config objectClass: top objectClass: directoryServerFeature oid: 2.16.840.1.113730.3.4.9 cn: VLV Request Control # search result search: 2 result: 0 Success # numResponses: 3 # numEntries: 2 I'm not sure what the problem is, I tried setting different SASL security properties, but nothing helped. :( Next step is to analyze DS logs, but before I do that, I wanted to ask if anyone has any tips on what the solution might be. Pavel From rcritten at redhat.com Wed Feb 23 22:50:15 2011 
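Added example for the ldapi/minssf exchange above (written for this archive; not FreeIPA's ipaldap or ldapupdate code and not part of JR's, Simo's or Pavel's messages). Two small pieces a practitioner wants when reproducing this setup: building the ldapi:// URI correctly (every slash of the socket path has to be percent-encoded, which is why the URIs in Pavel's ldapsearch calls read `%2fvar%2frun%2f...`), and reading `nsslapd-minssf` back out of a dse.ldif dump to confirm the hardened setting is in place before testing tools against it. The dse.ldif excerpt is constructed; the socket name is the one from the thread.

```python
import re
from urllib.parse import quote, unquote


def ldapi_uri(socket_path):
    """ldapi:// URI for a Unix socket.  quote(safe="") percent-encodes
    every '/', which the ldapi scheme requires; it emits upper-case hex
    (%2F), equivalent to the lower-case %2f shown in the thread."""
    return "ldapi://" + quote(socket_path, safe="")


def socket_path(uri):
    """Inverse of ldapi_uri().  Rejects anything that is not ldapi://, so a
    plain ldap:// (unencrypted TCP) cannot be passed where the local
    socket was meant."""
    if not uri.startswith("ldapi://"):
        raise ValueError("not an ldapi:// URI: %r" % uri)
    return unquote(uri[len("ldapi://"):])


def ldif_entries(text):
    """Split LDIF into entries as {attribute-lowercased: [values]}.
    Continuation lines (leading space) are unfolded, comments skipped."""
    entries = []
    for block in re.split(r"\n\s*\n", text.strip()):
        unfolded = re.sub(r"\n ", "", block)
        attrs = {}
        for line in unfolded.splitlines():
            if not line or line.startswith("#") or ":" not in line:
                continue
            name, value = line.split(":", 1)
            attrs.setdefault(name.strip().lower(), []).append(value.strip())
        if attrs:
            entries.append(attrs)
    return entries


def read_minssf(dse_ldif_text):
    """nsslapd-minssf from the cn=config entry of a dse.ldif dump
    (0, the server default, when the attribute is absent)."""
    for entry in ldif_entries(dse_ldif_text):
        if entry.get("dn", [""])[0].lower() == "cn=config":
            return int(entry.get("nsslapd-minssf", ["0"])[0])
    return 0


# Constructed dse.ldif excerpt with the setting JR describes.
SAMPLE_DSE = """\
dn: cn=config
objectClass: top
objectClass: extensibleObject
cn: config
nsslapd-minssf: 56
nsslapd-port: 389

dn: cn=ldbm database,cn=plugins,cn=config
objectClass: top
objectClass: extensibleObject
cn: ldbm database
"""

if __name__ == "__main__":
    print(ldapi_uri("/var/run/slapd-IDM-LAB-BOS-REDHAT-COM.socket"))
    print("minssf in sample dse.ldif:", read_minssf(SAMPLE_DSE))
```

Reading the value back from the file (with the server stopped, as JR's procedure requires) is the cheap check that the test environment really enforces encryption before concluding that a tool "works" over ldapi.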
From: rcritten at redhat.com (Rob Crittenden) Date: Wed, 23 Feb 2011 17:50:15 -0500 Subject: [Freeipa-devel] [PATCH] 742 Sudo command groups are not supposed to allow nesting In-Reply-To: <4D658700.1040806@redhat.com> References: <4D658700.1040806@redhat.com> Message-ID: <4D658F27.1090709@redhat.com> Rob Crittenden wrote: > It was a design decision to now allow nesting sudo command groups, > remove it. > > ticket 1004 > > rob Updated patch attached. This is going to require an API change. rob -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-rcrit-742-2-sudocmdgroup.patch Type: application/mbox Size: 7404 bytes Desc: not available URL: From pzuna at redhat.com Wed Feb 23 22:50:24 2011 
From: pzuna at redhat.com (Pavel Zůna)
Date: Wed, 23 Feb 2011 23:50:24 +0100
Subject: [Freeipa-devel] Localization patches.
In-Reply-To: <4D655F4D.7070701@redhat.com>
References: <4D5BEEDC.5050902@redhat.com> <4D5C9F5D.1090706@redhat.com> <4D5D7C29.2020102@redhat.com> <4D5D9888.6010603@redhat.com> <4D5E4B36.1010805@redhat.com> <4D640B71.7080304@redhat.com> <4D654D43.5030601@redhat.com> <4D655F4D.7070701@redhat.com>
Message-ID: <4D658F30.4080802@redhat.com>

On 2011-02-23 20:26, Rob Crittenden wrote:
> Pavel Zůna wrote:
>>
>> Rebased patch 81 and 83 (pygettext).
>>
>> Created a new patch to fix these latest test failures - it was easier
>> than doing a complex rebase.
>>
>> All latest versions of localization patches are attached to this email
>> for review.
>>
>> I tried to apply them on a clean master clone, build RPMs, installed and
>> run all unit tests. So hopefully, we're finally going to get this in. :)
>>
>> Pavel
>
> I don't understand some of these (and past changes):
>
> - Updated patch 83-2 just changes the commit message slightly

I rebased everything, generated new patches and did a diff to see if anything has changed. This patch had differences in line numbers, so I decided to make a new one, just to make sure it applies cleanly on master.

> - Patch 84 comments out several lines in the tests. There isn't any
> explanation what these changes do and why they are needed. It seems to
> be disabling a confirmation that changing locale works.

It comments out parts that test the deprecated code removed by patch 69. I probably should have removed the lines completely, but wanted to keep them for reference - guess there's no point really.

We no longer set up languages in the code, but rather get them from what is passed from the terminal OR from what is requested over XML-RPC. All localization code that uses the context thread local variable doesn't work anyway - that's why the tests were failing.
> - Patch 82 drops a bunch of the old ugettext code which is fine, but I > think one of the purposes was to make sure that translation was occurring. > - Patch 82 in test_text.py changing the languages is removed. Are we > really exercising this code? Same deal as 84. > rob Pavel From ssorce at redhat.com Wed Feb 23 22:53:40 2011 
From: ssorce at redhat.com (Simo Sorce)
Date: Wed, 23 Feb 2011 17:53:40 -0500
Subject: [Freeipa-devel] [PATCH] 78 Use ldapi: instead of unsecured ldap: in ipa core tools.
In-Reply-To: <4D658D1D.6060107@redhat.com>
References: <4D658D1D.6060107@redhat.com>
Message-ID: <20110223175340.4358a1b1@willson.li.ssimo.org>

On Wed, 23 Feb 2011 23:41:33 +0100
Pavel Zůna wrote:

> On 2011-02-15 16:36, JR Aquino wrote:
> > On 2/15/11 6:52 AM, "Simo Sorce" wrote:
> >
> >> On Tue, 15 Feb 2011 15:19:50 +0100
> >> Pavel Zuna wrote:
> >>
> >>> I can't reproduce this. :-/
> >>>
> >>> For me it goes fine:
> >>>
> >>> [root at ipadev tools]# ./ipa-nis-manage enable
> >>> Directory Manager password:
> >>>
> >>> Enabling plugin
> >>> This setting will not take effect until you restart Directory
> >>> Server. The rpcbind service may need to be started.
> >>>
> >>
> >> Pavel,
> >> Jr has set the minimum ssf to a non default value to test a
> >> configuration in which all communications are required to be
> >> encrypted. That's why you can't reproduce with the vanilla
> >> configuration.
> >>
> >> We want to support that mode although it won't be the default, so
> >> we need to fix any issue that causes that configuration to break
> >> (ie all non-encrypted/non-ldapi connections).
> >>
> >> Simo.
> >>
> >> --
> >> Simo Sorce * Red Hat, Inc * New York
> >>
> >> _______________________________________________
> >> Freeipa-devel mailing list
> >> Freeipa-devel at redhat.com
> >> https://www.redhat.com/mailman/listinfo/freeipa-devel
> >
> > The best way to do this is:
> >
> > -=-
> > service ipa stop
> > Edit /etc/dirsrv/slapd-DOMAIN/dse.ldif
> >
> > Change:
> > nsslapd-minssf: 0
> >
> > To:
> > nsslapd-minssf: 56 <- 56 is chosen because SASL communicates a 56bit
> > handshake even though we utilize a much stronger cipher...
(It is a > > known bug/feature) > > > > service ipa start > > > > I tried to use the LDAPUpdate class (ipaserver/install/ldapupdate.py) > with ldapi=True, but it raises a NotFound exception when trying to > call IPAdmin.do_external_bind() (ipaserver/ipaldap.py). This > exception originates in IPAdmin.__lateinit() when trying to retrieve > this > > cn=config,cn=ldbm database,cn=plugins,cn=config > > For some reason it looks like this entry is inaccessible when doing a > SASL EXTERNAL bind as root. > > I can retrieve the entry as "cn=directory manager": > > > > [root at vm-090 freeipa]# ldapsearch -D "cn=directory manager" -W -H > ldapi://%2fvar%2frun%2fslapd-IDM-LAB-BOS-REDHAT-COM.socket -b > "cn=config,cn=ldbm database,cn=plugins,cn=config" -s one > Enter LDAP Password: > # extended LDIF > # > # LDAPv3 > # base with scope > oneLevel # filter: (objectclass=*) > # requesting: ALL > # > > # default indexes, config, ldbm database, plugins, config > dn: cn=default indexes,cn=config,cn=ldbm database,cn=plugins,cn=config > objectClass: top > objectClass: extensibleObject > cn: default indexes > > # search result > search: 2 > result: 0 Success > > # numResponses: 2 > # numEntries: 1 > > > > > but not as root: > > > > [root at vm-090 freeipa]# ldapsearch -Y EXTERNAL -H > ldapi://%2fvar%2frun%2fslapd-IDM-LAB-BOS-REDHAT-COM.socket -b > "cn=config" SASL/EXTERNAL authentication started > SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth > SASL SSF: 0 > # extended LDIF > # > # LDAPv3 > # base with scope subtree > # filter: (objectclass=*) > # requesting: ALL > # > > # SNMP, config > dn: cn=SNMP,cn=config > objectClass: top > objectClass: nsSNMP > cn: SNMP > nsSNMPEnabled: on > > # 2.16.840.1.113730.3.4.9, features, config > dn: oid=2.16.840.1.113730.3.4.9,cn=features,cn=config > objectClass: top > objectClass: directoryServerFeature > oid: 2.16.840.1.113730.3.4.9 > cn: VLV Request Control > > # search result > search: 2 > result: 0 Success > > # 
numResponses: 3
> # numEntries: 2
>
>
> I'm not sure what the problem is, I tried setting different SASL
> security properties, but nothing helped. :( Next step is to analyze
> DS logs, but before I do that, I wanted to ask if anyone has any tips
> on what the solution might be.

We have very strict ACIs when using EXTERNAL SASL as root.
Is there any reason you need to operate as root ?
you can also authenticate with SIMPLE (Dir MGr credentials), or
SASL/GSSAPI if you have credentials.

If you need to run unattended as root then we may need to make
root+SASL/EXTERNAL more powerful but I'd like to understand exactly why
you need that and can't use regular authentication with DirMgr or
GSSAPI credentials.

Simo.

--
Simo Sorce * Red Hat, Inc * New York

From edewata at redhat.com Wed Feb 23 23:51:06 2011
From: edewata at redhat.com (Endi Sukma Dewata)
Date: Wed, 23 Feb 2011 17:51:06 -0600
Subject: [Freeipa-devel] [PATCH] 115 Fixed attribute for SUDO command group membership.
Message-ID: <4D659D6A.5000601@redhat.com>

The correct attribute name for SUDO command group membership is memberof_sudocmdgroup and it contains the group name instead of dn.

--
Endi S. Dewata

-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-edewata-0115-Fixed-attribute-for-SUDO-command-group-membership.patch
Type: text/x-patch
Size: 1510 bytes
Desc: not available
URL:

From edewata at redhat.com Thu Feb 24 00:17:15 2011
From: edewata at redhat.com (Endi Sukma Dewata) Date: Wed, 23 Feb 2011 18:17:15 -0600 Subject: [Freeipa-devel] [PATCH] 741 fix sudocmd membership In-Reply-To: <4D65867D.2000303@redhat.com> References: <4D65867D.2000303@redhat.com> Message-ID: <4D65A38B.7070000@redhat.com> On 2/23/2011 4:13 PM, Rob Crittenden wrote: > We weren't searching the cn=sudo container so all members of a > sudocmdgroup looked indirect. > > Add a label for sudo command groups. > > Update the tests to include verifying that membership is done properly. > > ticket 1003 ACK and pushed to master. -- Endi S. Dewata From edewata at redhat.com Thu Feb 24 00:17:38 2011 From: edewata at redhat.com (Endi Sukma Dewata) Date: Wed, 23 Feb 2011 18:17:38 -0600 Subject: [Freeipa-devel] [PATCH] 742 Sudo command groups are not supposed to allow nesting In-Reply-To: <4D658F27.1090709@redhat.com> References: <4D658700.1040806@redhat.com> <4D658F27.1090709@redhat.com> Message-ID: <4D65A3A2.5030500@redhat.com> On 2/23/2011 4:50 PM, Rob Crittenden wrote: >> It was a design decision to now allow nesting sudo command groups, >> remove it. >> >> ticket 1004 > > Updated patch attached. This is going to require an API change. ACK and pushed to master. -- Endi S. Dewata From pzuna at redhat.com Thu Feb 24 09:38:50 2011 
From: pzuna at redhat.com (Pavel Zuna)
Date: Thu, 24 Feb 2011 10:38:50 +0100
Subject: [Freeipa-devel] [PATCH] 78 Use ldapi: instead of unsecured ldap: in ipa core tools.
In-Reply-To: <20110223175340.4358a1b1@willson.li.ssimo.org>
References: <4D658D1D.6060107@redhat.com> <20110223175340.4358a1b1@willson.li.ssimo.org>
Message-ID: <4D66272A.9080501@redhat.com>

On 02/23/2011 11:53 PM, Simo Sorce wrote:
> On Wed, 23 Feb 2011 23:41:33 +0100
> Pavel Zůna wrote:
>
>> On 2011-02-15 16:36, JR Aquino wrote:
>>> On 2/15/11 6:52 AM, "Simo Sorce" wrote:
>>>
>>>> On Tue, 15 Feb 2011 15:19:50 +0100
>>>> Pavel Zuna wrote:
>>>>
>>>>> I can't reproduce this. :-/
>>>>>
>>>>> For me it goes fine:
>>>>>
>>>>> [root at ipadev tools]# ./ipa-nis-manage enable
>>>>> Directory Manager password:
>>>>>
>>>>> Enabling plugin
>>>>> This setting will not take effect until you restart Directory
>>>>> Server. The rpcbind service may need to be started.
>>>>>
>>>>
>>>> Pavel,
>>>> Jr has set the minimum ssf to a non default value to test a
>>>> configuration in which all communications are required to be
>>>> encrypted. That's why you can't reproduce with the vanilla
>>>> configuration.
>>>>
>>>> We want to support that mode although it won't be the default, so
>>>> we need to fix any issue that causes that configuration to break
>>>> (ie all non-encrypted/non-ldapi connections).
>>>>
>>>> Simo.
>>>>
>>>> --
>>>> Simo Sorce * Red Hat, Inc * New York
>>>>
>>>> _______________________________________________
>>>> Freeipa-devel mailing list
>>>> Freeipa-devel at redhat.com
>>>> https://www.redhat.com/mailman/listinfo/freeipa-devel
>>>
>>> The best way to do this is:
>>>
>>> -=-
>>> service ipa stop
>>> Edit /etc/dirsrv/slapd-DOMAIN/dse.ldif
>>>
>>> Change:
>>> nsslapd-minssf: 0
>>>
>>> To:
>>> nsslapd-minssf: 56 <- 56 is chosen because SASL communicates a 56bit
>>> handshake even though we utilize a much stronger cipher...
(It is a >>> known bug/feature) >>> >>> service ipa start >>> >> >> I tried to use the LDAPUpdate class (ipaserver/install/ldapupdate.py) >> with ldapi=True, but it raises a NotFound exception when trying to >> call IPAdmin.do_external_bind() (ipaserver/ipaldap.py). This >> exception originates in IPAdmin.__lateinit() when trying to retrieve >> this >> >> cn=config,cn=ldbm database,cn=plugins,cn=config >> >> For some reason it looks like this entry is inaccessible when doing a >> SASL EXTERNAL bind as root. >> >> I can retrieve the entry as "cn=directory manager": >> >> >> >> [root at vm-090 freeipa]# ldapsearch -D "cn=directory manager" -W -H >> ldapi://%2fvar%2frun%2fslapd-IDM-LAB-BOS-REDHAT-COM.socket -b >> "cn=config,cn=ldbm database,cn=plugins,cn=config" -s one >> Enter LDAP Password: >> # extended LDIF >> # >> # LDAPv3 >> # base with scope >> oneLevel # filter: (objectclass=*) >> # requesting: ALL >> # >> >> # default indexes, config, ldbm database, plugins, config >> dn: cn=default indexes,cn=config,cn=ldbm database,cn=plugins,cn=config >> objectClass: top >> objectClass: extensibleObject >> cn: default indexes >> >> # search result >> search: 2 >> result: 0 Success >> >> # numResponses: 2 >> # numEntries: 1 >> >> >> >> >> but not as root: >> >> >> >> [root at vm-090 freeipa]# ldapsearch -Y EXTERNAL -H >> ldapi://%2fvar%2frun%2fslapd-IDM-LAB-BOS-REDHAT-COM.socket -b >> "cn=config" SASL/EXTERNAL authentication started >> SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth >> SASL SSF: 0 >> # extended LDIF >> # >> # LDAPv3 >> # base with scope subtree >> # filter: (objectclass=*) >> # requesting: ALL >> # >> >> # SNMP, config >> dn: cn=SNMP,cn=config >> objectClass: top >> objectClass: nsSNMP >> cn: SNMP >> nsSNMPEnabled: on >> >> # 2.16.840.1.113730.3.4.9, features, config >> dn: oid=2.16.840.1.113730.3.4.9,cn=features,cn=config >> objectClass: top >> objectClass: directoryServerFeature >> oid: 2.16.840.1.113730.3.4.9 >> cn: VLV Request 
Control >> >> # search result >> search: 2 >> result: 0 Success >> >> # numResponses: 3 >> # numEntries: 2 >> >> >> I'm not sure what the problem is, I tried setting different SASL >> security properties, but nothing helped. :( Next step is to analyze >> DS logs, but before I do that, I wanted to ask if anyone has any tips >> on what the solution might be. > > We have very strict ACIs when using EXTERNAL SASL as root. > Is there any reason you need to operate as root ? > you can also authenticate with SIMPLE (Dir MGr credentials), or > SASL/GSSAPI if you ahve credentials. > > If you need to run unattended as root then we may need to make > root+SASL/EXTERNAL more powerful but I'd like to understand exactly why > you need that and can't use regular authentication with DirMgr or > GSSAPI credentials. > > Simo. > I need it for IPA tools like ipa-nis-manage. SIMPLE bind is probably not good enough because of the SSF requirements and I'm not sure if it's OK to require a Kerberos ticket to run them. Pavel From mkosek at redhat.com Thu Feb 24 12:08:44 2011 From: mkosek at redhat.com (Martin Kosek) Date: Thu, 24 Feb 2011 13:08:44 +0100 Subject: [Freeipa-devel] [PATCH] 035 IPA replica/server install does not check for a client Message-ID: <1298549324.3540.1.camel@dhcp-25-52.brq.redhat.com> When IPA replica or server is configured it does not check for possibly installed client. This will cause the installation to fail in the very end. This patch adds a check for already configured client and suggests removing it before server/replica installation. https://fedorahosted.org/freeipa/ticket/1002 -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-mkosek-035-ipa-replica-server-install-client-check.patch Type: text/x-patch Size: 2391 bytes Desc: not available URL: From jzeleny at redhat.com Thu Feb 24 12:32:15 2011 
From: jzeleny at redhat.com (Jan Zelený)
Date: Thu, 24 Feb 2011 13:32:15 +0100
Subject: [Freeipa-devel] [PATCH] Don't load the LDAP schema during startup
In-Reply-To: <201102231424.52464.jzeleny@redhat.com>
References: <201102151524.59018.jzeleny@redhat.com> <201102231116.38989.jzeleny@redhat.com> <201102231424.52464.jzeleny@redhat.com>
Message-ID: <201102241332.15515.jzeleny@redhat.com>

Jan Zeleny wrote:
> Jan Zelený wrote:
> > Jan Zelený wrote:
> > > Rob Crittenden wrote:
> > > > Jan Zelený wrote:
> > > > > Rob Crittenden wrote:
> > > > >> Jan Zelený wrote:
> > > > >>> Loading of the schema is now performed in the first request that
> > > > >>> requires it.
> > > > >>>
> > > > >>> https://fedorahosted.org/freeipa/ticket/583
> > > > >>>
> > > > >>> Jan
> > > > >>
> > > > >> We still need to enforce that we get the schema, some low-level
> > > > >> functions depend on it. Also, if the UI doesn't get its aciattrs
> > > > >> (which are derived from the schema) then nothing will be editable.
> > > > >>
> > > > >> I'm getting this backtrace if I force no schema by disabling
> > > > >> get_schema:
> > > > >
> > > > > Ok, I'm sending new version, it should handle these exceptions
> > > > > better and the operation should fail if it needs the schema and
> > > > > the schema is not available for some reason.
> > > >
> > > > This breaks the XML-RPC server. I fixed one problem:
> > > > --- a/ipaserver/plugins/ldap2.py
> > > > +++ b/ipaserver/plugins/ldap2.py
> > > > @@ -253,9 +253,10 @@ class ldap2(CrudBackend, Encoder):
> > > > def get_syntax(self, attr, value):
> > > > if not self.schema:
> > > > - self.schema = get_schema(self.ldap_uri, self.conn)
> > > > - if not self.schema:
> > > > + schema = get_schema(self.ldap_uri, self.conn)
> > > > + if not schema:
> > > > return None
> > > > + object.__setattr__(self, 'schema', schema)
> > > > obj = self.schema.get_obj(_ldap.schema.AttributeType, attr)
> > > > if obj is not None:
> > > > return obj.syntax
> > > >
> > > > But simply things like get_entry() return an InternalError now. I'm
> > > > not sure where you were going by adding this.
> > > >
> > > > rob
> > >
> > > Ok, no problem. It's possible that I simply made a mistake thinking I
> > > can do something in Python that is not really possible.
> > >
> > > About that InternalError: I think raising InternalError when we cannot
> > > load the schema to do the decoding is the right thing to do. Do you
> > > have a better solution? I thought about returning an empty result, but
> > > that would mean we have to check the result in every function that is
> > > calling them and raising InternalError there.
> >
> > I'm sending an updated patch. I modified the get_syntax() as you suggested
> > and I slightly modified raising that InternalError - currently it isn't
> > raised when results from get_entry() are not required by the calling method.
> > Currently I'm running some tests, preliminary results looked ok.
>
> self-nack
>
> I discovered some issues found by the internal test suite, I'm working on
> them
>
> Jan

Ok, everything is solved, I'm sending the final version of the patch in the
attachment. But I still think this should go to 2.1, since it's quite an
extensive patch in the core of IPA server and it has potential to break
many things.

Jan
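Review bot: the `object.__setattr__(self, 'schema', schema)` line in the get_syntax() hunk bypasses normal attribute assignment (the plain `self.schema = get_schema(...)` is exactly what the hunk removes), so it needs a one-line comment saying why direct assignment cannot be used on this object, otherwise the next reader will "simplify" it back to `self.schema = schema`. Separately, when get_schema() returns nothing the function still silently does `return None`, while the discussion says get_entry() now raises InternalError in the same no-schema case; the patch should state which behaviour is intended for get_syntax(), since a caller cannot distinguish "attribute has no known syntax" from "schema could not be loaded" when both come back as None. The `value` parameter of get_syntax() is also unused in the visible lines.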
-------------- next part --------------
A non-text attachment was scrubbed...
Name: jzeleny-freeipa-0041-4-Don-t-load-the-LDAP-schema-during-startup.patch
Type: text/x-patch
Size: 17752 bytes
Desc: not available
URL:

From ssorce at redhat.com Thu Feb 24 12:45:20 2011
From: ssorce at redhat.com (Simo Sorce)
Date: Thu, 24 Feb 2011 07:45:20 -0500
Subject: [Freeipa-devel] [PATCH] 78 Use ldapi: instead of unsecured ldap: in ipa core tools.
In-Reply-To: <4D66272A.9080501@redhat.com>
References: <4D658D1D.6060107@redhat.com> <20110223175340.4358a1b1@willson.li.ssimo.org> <4D66272A.9080501@redhat.com>
Message-ID: <20110224074520.71a680b9@willson.li.ssimo.org>

On Thu, 24 Feb 2011 10:38:50 +0100
Pavel Zuna wrote:

> On 02/23/2011 11:53 PM, Simo Sorce wrote:
> > On Wed, 23 Feb 2011 23:41:33 +0100
> > Pavel Zůna wrote:
> >
> >> On 2011-02-15 16:36, JR Aquino wrote:
> >>> On 2/15/11 6:52 AM, "Simo Sorce" wrote:
> >>>
> >>>> On Tue, 15 Feb 2011 15:19:50 +0100
> >>>> Pavel Zuna wrote:
> >>>>
> >>>>> I can't reproduce this. :-/
> >>>>>
> >>>>> For me it goes fine:
> >>>>>
> >>>>> [root@ipadev tools]# ./ipa-nis-manage enable
> >>>>> Directory Manager password:
> >>>>>
> >>>>> Enabling plugin
> >>>>> This setting will not take effect until you restart Directory
> >>>>> Server. The rpcbind service may need to be started.
> >>>>>
> >>>>
> >>>> Pavel,
> >>>> Jr has set the minimum ssf to a non default value to test a
> >>>> configuration in which all communications are required to be
> >>>> encrypted. That's why you can't reproduce with the vanilla
> >>>> configuration.
> >>>>
> >>>> We want to support that mode although it won't be the default, so
> >>>> we need to fix any issue that causes that configuration to break
> >>>> (ie all non-encrypted/non-ldapi connections).
> >>>>
> >>>> Simo.
> >>>>
> >>>> --
> >>>> Simo Sorce * Red Hat, Inc * New York
> >>>>
> >>>> _______________________________________________
> >>>> Freeipa-devel mailing list
> >>>> Freeipa-devel at redhat.com
> >>>> https://www.redhat.com/mailman/listinfo/freeipa-devel
> >>>
> >>> The best way to do this is:
> >>>
> >>> -=-
> >>> service ipa stop
> >>> Edit /etc/dirsrv/slapd-DOMAIN/dse.ldif
> >>>
> >>> Change:
> >>> nsslapd-minssf: 0
> >>>
> >>> To:
> >>> nsslapd-minssf: 56 <- 56 is chosen because SASL communicates a
> >>> 56bit handshake even though we utilize a much stronger cipher...
> >>> (It is a known bug/feature)
> >>>
> >>> service ipa start
> >>>
> >>
> >> I tried to use the LDAPUpdate class
> >> (ipaserver/install/ldapupdate.py) with ldapi=True, but it raises a
> >> NotFound exception when trying to call IPAdmin.do_external_bind()
> >> (ipaserver/ipaldap.py). This exception originates in
> >> IPAdmin.__lateinit() when trying to retrieve this
> >>
> >> cn=config,cn=ldbm database,cn=plugins,cn=config
> >>
> >> For some reason it looks like this entry is inaccessible when
> >> doing a SASL EXTERNAL bind as root.
> >>
> >> I can retrieve the entry as "cn=directory manager":
> >>
> >> [root@vm-090 freeipa]# ldapsearch -D "cn=directory manager" -W -H
> >> ldapi://%2fvar%2frun%2fslapd-IDM-LAB-BOS-REDHAT-COM.socket -b
> >> "cn=config,cn=ldbm database,cn=plugins,cn=config" -s one
> >> Enter LDAP Password:
> >> # extended LDIF
> >> #
> >> # LDAPv3
> >> # base with scope oneLevel
> >> # filter: (objectclass=*)
> >> # requesting: ALL
> >> #
> >>
> >> # default indexes, config, ldbm database, plugins, config
> >> dn: cn=default indexes,cn=config,cn=ldbm database,cn=plugins,cn=config
> >> objectClass: top
> >> objectClass: extensibleObject
> >> cn: default indexes
> >>
> >> # search result
> >> search: 2
> >> result: 0 Success
> >>
> >> # numResponses: 2
> >> # numEntries: 1
> >>
> >> but not as root:
> >>
> >> [root@vm-090 freeipa]# ldapsearch -Y EXTERNAL -H
> >> ldapi://%2fvar%2frun%2fslapd-IDM-LAB-BOS-REDHAT-COM.socket -b
> >> "cn=config"
> >> SASL/EXTERNAL authentication started
> >> SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
> >> SASL SSF: 0
> >> # extended LDIF
> >> #
> >> # LDAPv3
> >> # base with scope subtree
> >> # filter: (objectclass=*)
> >> # requesting: ALL
> >> #
> >>
> >> # SNMP, config
> >> dn: cn=SNMP,cn=config
> >> objectClass: top
> >> objectClass: nsSNMP
> >> cn: SNMP
> >> nsSNMPEnabled: on
> >>
> >> # 2.16.840.1.113730.3.4.9, features, config
> >> dn: oid=2.16.840.1.113730.3.4.9,cn=features,cn=config
> >> objectClass: top
> >> objectClass: directoryServerFeature
> >> oid: 2.16.840.1.113730.3.4.9
> >> cn: VLV Request Control
> >>
> >> # search result
> >> search: 2
> >> result: 0 Success
> >>
> >> # numResponses: 3
> >> # numEntries: 2
> >>
> >> I'm not sure what the problem is, I tried setting different SASL
> >> security properties, but nothing helped. :( Next step is to analyze
> >> DS logs, but before I do that, I wanted to ask if anyone has any
> >> tips on what the solution might be.
> >
> > We have very strict ACIs when using EXTERNAL SASL as root.
> > Is there any reason you need to operate as root ?
> > you can also authenticate with SIMPLE (Dir MGr credentials), or
> > SASL/GSSAPI if you have credentials.
> >
> > If you need to run unattended as root then we may need to make
> > root+SASL/EXTERNAL more powerful but I'd like to understand exactly
> > why you need that and can't use regular authentication with DirMgr
> > or GSSAPI credentials.
> >
> > Simo.
>
> I need it for IPA tools like ipa-nis-manage. SIMPLE bind is probably
> not good enough because of the SSF requirements and I'm not sure if
> it's OK to require a Kerberos ticket to run them.

ldapi is considered safe and has an ssf of 72, so no problem there.

Simo.

--
Simo Sorce * Red Hat, Inc * New York

From jzeleny at redhat.com Thu Feb 24 12:45:55 2011
From: jzeleny at redhat.com (Jan Zelený)
Date: Thu, 24 Feb 2011 13:45:55 +0100
Subject: [Freeipa-devel] [PATCH] Don't load the LDAP schema during startup
In-Reply-To: <201102241332.15515.jzeleny@redhat.com>
References: <201102151524.59018.jzeleny@redhat.com> <201102231424.52464.jzeleny@redhat.com> <201102241332.15515.jzeleny@redhat.com>
Message-ID: <201102241345.55447.jzeleny@redhat.com>

Jan Zelený wrote:
> Jan Zeleny wrote:
> > Jan Zelený wrote:
> > > Jan Zelený wrote:
> > > > Rob Crittenden wrote:
> > > > > Jan Zelený wrote:
> > > > > > Rob Crittenden wrote:
> > > > > >> Jan Zelený wrote:
> > > > > >>> Loading of the schema is now performed in the first request
> > > > > >>> that requires it.
> > > > > >>>
> > > > > >>> https://fedorahosted.org/freeipa/ticket/583
> > > > > >>>
> > > > > >>> Jan
> > > > > >>
> > > > > >> We still need to enforce that we get the schema, some low-level
> > > > > >> functions depend on it. Also, if the UI doesn't get its aciattrs
> > > > > >> (which are derived from the schema) then nothing will be
> > > > > >> editable.
> > > > > >>
> > > > > >> I'm getting this backtrace if I force no schema by disabling
> > > > > >> get_schema:
> > > > > >
> > > > > > Ok, I'm sending new version, it should handle these exceptions
> > > > > > better and the operation should fail if it needs the schema and
> > > > > > the schema is not available for some reason.
> > > > >
> > > > > This breaks the XML-RPC server. I fixed one problem:
> > > > > --- a/ipaserver/plugins/ldap2.py
> > > > > +++ b/ipaserver/plugins/ldap2.py
> > > > > @@ -253,9 +253,10 @@ class ldap2(CrudBackend, Encoder):
> > > > > def get_syntax(self, attr, value):
> > > > > if not self.schema:
> > > > > - self.schema = get_schema(self.ldap_uri, self.conn)
> > > > > - if not self.schema:
> > > > > + schema = get_schema(self.ldap_uri, self.conn)
> > > > > + if not schema:
> > > > > return None
> > > > > + object.__setattr__(self, 'schema', schema)
> > > > > obj = self.schema.get_obj(_ldap.schema.AttributeType, attr)
> > > > > if obj is not None:
> > > > > return obj.syntax
> > > > >
> > > > > But simply things like get_entry() return an InternalError now. I'm
> > > > > not sure where you were going by adding this.
> > > > >
> > > > > rob
> > > >
> > > > Ok, no problem. It's possible that I simply made a mistake thinking I
> > > > can do something in Python that is not really possible.
> > > >
> > > > About that InternalError: I think raising InternalError when we
> > > > cannot load the schema to do the decoding is the right thing to do.
> > > > Do you have a better solution? I thought about returning an empty
> > > > result, but that would mean we have to check the result in every
> > > > function that is calling them and raising InternalError there.
> > >
> > > I'm sending an updated patch. I modified the get_syntax() as you suggested
> > > and I slightly modified raising that InternalError - currently it isn't
> > > raised when results from get_entry() are not required by the calling
> > > method. Currently I'm running some tests, preliminary results looked
> > > ok.
> >
> > self-nack
> >
> > I discovered some issues found by the internal test suite, I'm working
> > on them
> >
> > Jan
>
> Ok, everything is solved, I'm sending the final version of the patch in the
> attachment. But I still think this should go to 2.1, since it's quite an
> extensive patch in the core of IPA server and it has potential to break
> many things.
>
> Jan

Rebased against master

Jan

-------------- next part --------------
A non-text attachment was scrubbed...
Name: jzeleny-freeipa-0041-5-Don-t-load-the-LDAP-schema-during-startup.patch
Type: text/x-patch
Size: 18109 bytes
Desc: not available
URL:

From rcritten at redhat.com Thu Feb 24 19:56:26 2011
From: rcritten at redhat.com (Rob Crittenden)
Date: Thu, 24 Feb 2011 14:56:26 -0500
Subject: [Freeipa-devel] [PATCH] 743 add SuitespotGroup to ds install
Message-ID: <4D66B7EA.1000704@redhat.com>

We should have been doing this all along but with 389-ds-base-1.2.8.a3
we need to supply the SuitespotGroup directive in the installation
template. The 389-ds instance installation will fail otherwise, being
unable to write to /var/run/dirsrv.

ticket 1010

rob

-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-rcrit-743-dsgroup.patch
Type: application/mbox
Size: 2278 bytes
Desc: not available
URL:

From ayoung at redhat.com Thu Feb 24 20:23:54 2011
From: ayoung at redhat.com (Adam Young)
Date: Thu, 24 Feb 2011 15:23:54 -0500
Subject: [Freeipa-devel] [PATCH] 743 add SuitespotGroup to ds install
In-Reply-To: <4D66B7EA.1000704@redhat.com>
References: <4D66B7EA.1000704@redhat.com>
Message-ID: <4D66BE5A.5000908@redhat.com>

On 02/24/2011 02:56 PM, Rob Crittenden wrote:
> We should have been doing this all along but with 389-ds-base-1.2.8.a3
> we need to supply the SuitespotGroup directive in the installation
> template. The 389-ds instance installation will fail otherwise, being
> unable to write to /var/run/dirsrv.
>
> ticket 1010
>
> rob

ACK. Pushed to master

From ayoung at redhat.com Fri Feb 25 01:55:32 2011
From: ayoung at redhat.com (Adam Young)
Date: Thu, 24 Feb 2011 20:55:32 -0500
Subject: [Freeipa-devel] Adding client on RHEL 6 fails to get DNS entry
Message-ID: <4D670C14.8040908@redhat.com>

I updated the resolv.conf of the client machine to point to the server
and ran:

[root@vm-060 ~]# ipa-client-install --domain idm.lab.bos.redhat.com -p admin -w freeipa4all
Discovery was successful!
Realm: IDM.LAB.BOS.REDHAT.COM
DNS Domain: idm.lab.bos.redhat.com
IPA Server: vm-051.idm.lab.bos.redhat.com
BaseDN: dc=idm,dc=lab,dc=bos,dc=redhat,dc=com

Continue to configure the system with these values? [no]: yes

Enrolled in IPA realm IDM.LAB.BOS.REDHAT.COM
Created /etc/ipa/default.conf
Configured /etc/sssd/sssd.conf
Configured /etc/krb5.conf for IPA realm IDM.LAB.BOS.REDHAT.COM
certmonger request for host certificate failed
Warning: Hostname (vm-060.idm.lab.bos.redhat.com) not found in DNS
Failed to obtain host TGT.
Failed to update DNS A record. (Command 'x' returned non-zero exit status 1)
SSSD enabled
Kerberos 5 enabled
NTP enabled
Client configuration complete.

Is this a sign of a cert server issue? This is the first time running
with dogtag.

Here's the last couple of lines from the ipa-server-log. They look fine
to me.

[Thu Feb 24 20:41:06 2011] [error] ipa: INFO: admin@IDM.LAB.BOS.REDHAT.COM: host_find(u'', all=True): SUCCESS
[Thu Feb 24 20:41:14 2011] [error] ipa: INFO: admin@IDM.LAB.BOS.REDHAT.COM: batch(({u'params': [[u'vm-060.idm.lab.bos.redhat.com'], {}], u'method': u'host_del'},)): SUCCESS
[Thu Feb 24 20:41:15 2011] [error] ipa: INFO: admin@IDM.LAB.BOS.REDHAT.COM: host_find(u'', all=True): SUCCESS
[Thu Feb 24 20:46:04 2011] [error] ipa: INFO: admin@IDM.LAB.BOS.REDHAT.COM: join(u'vm-060.idm.lab.bos.redhat.com', nshardwareplatform=u'x86_64', nsosversion=u'2.6.32-114.0.1.el6.x86_64'): SUCCESS

This machine had client installed before, but I've since uninstalled and
reinstalled both the server and client, and rebooted the client as well.

There is no file /etc/ipa/.dns_update.txt

From ssorce at redhat.com Fri Feb 25 05:47:03 2011
From: ssorce at redhat.com (Simo Sorce)
Date: Fri, 25 Feb 2011 00:47:03 -0500
Subject: [Freeipa-devel] Adding client on RHEL 6 fails to get DNS entry
In-Reply-To: <4D670C14.8040908@redhat.com>
References: <4D670C14.8040908@redhat.com>
Message-ID: <20110225004703.4667cf61@willson.li.ssimo.org>

On Thu, 24 Feb 2011 20:55:32 -0500
Adam Young wrote:

> I updated the resolv.conf of the client machine to point to the
> server and ran:
>
> [root@vm-060 ~]# ipa-client-install --domain idm.lab.bos.redhat.com
> -p admin -w freeipa4all
> Discovery was successful!
> Realm: IDM.LAB.BOS.REDHAT.COM
> DNS Domain: idm.lab.bos.redhat.com
> IPA Server: vm-051.idm.lab.bos.redhat.com
> BaseDN: dc=idm,dc=lab,dc=bos,dc=redhat,dc=com
>
> Continue to configure the system with these values? [no]: yes
>
> Enrolled in IPA realm IDM.LAB.BOS.REDHAT.COM
> Created /etc/ipa/default.conf
> Configured /etc/sssd/sssd.conf
> Configured /etc/krb5.conf for IPA realm IDM.LAB.BOS.REDHAT.COM
> certmonger request for host certificate failed
> Warning: Hostname (vm-060.idm.lab.bos.redhat.com) not found in DNS
> Failed to obtain host TGT.
> Failed to update DNS A record. (Command 'x' returned non-zero exit
> status 1)
> SSSD enabled
> Kerberos 5 enabled
> NTP enabled
> Client configuration complete.
>
> Is this a sign of a cert server issue? This is the first time
> running with dogtag.

We use TSIG-GSSAPI for DNS Updates, no certs involved.

> Here's the last couple of lines from the ipa-server-log. They look
> fine to me.
>
> [Thu Feb 24 20:41:06 2011] [error] ipa: INFO:
> admin@IDM.LAB.BOS.REDHAT.COM: host_find(u'', all=True): SUCCESS
> [Thu Feb 24 20:41:14 2011] [error] ipa: INFO:
> admin@IDM.LAB.BOS.REDHAT.COM: batch(({u'params':
> [[u'vm-060.idm.lab.bos.redhat.com'], {}], u'method': u'host_del'},)):
> SUCCESS
> [Thu Feb 24 20:41:15 2011] [error] ipa: INFO:
> admin@IDM.LAB.BOS.REDHAT.COM: host_find(u'', all=True): SUCCESS
> [Thu Feb 24 20:46:04 2011] [error] ipa: INFO:
> admin@IDM.LAB.BOS.REDHAT.COM: join(u'vm-060.idm.lab.bos.redhat.com',
> nshardwareplatform=u'x86_64',
> nsosversion=u'2.6.32-114.0.1.el6.x86_64'): SUCCESS

Can you send the ipaclient-install.log file ?

> This machine had client installed before, but I've since uninstalled
> and reinstalled both the server and client, and rebooted the client
> as well.

Should make no difference at all, it seems nsupdate is failing.
Do you have bind-utils installed ?

> There is no file /etc/ipa/.dns_update.txt

And there shouldn't be, it is a temp file we delete as soon as we are done.

Simo.

--
Simo Sorce * Red Hat, Inc * New York

From sbose at redhat.com Fri Feb 25 09:18:11 2011
From: sbose at redhat.com (Sumit Bose)
Date: Fri, 25 Feb 2011 10:18:11 +0100
Subject: [Freeipa-devel] Adding client on RHEL 6 fails to get DNS entry
In-Reply-To: <20110225004703.4667cf61@willson.li.ssimo.org>
References: <4D670C14.8040908@redhat.com> <20110225004703.4667cf61@willson.li.ssimo.org>
Message-ID: <20110225091811.GC20520@localhost.localdomain>

On Fri, Feb 25, 2011 at 12:47:03AM -0500, Simo Sorce wrote:
> On Thu, 24 Feb 2011 20:55:32 -0500
> Adam Young wrote:
>
> > I updated the resolv.conf of the client machine to point to the
> > server and ran:
> >
> > [root@vm-060 ~]# ipa-client-install --domain idm.lab.bos.redhat.com
> > -p admin -w freeipa4all
> > Discovery was successful!
> > Realm: IDM.LAB.BOS.REDHAT.COM
> > DNS Domain: idm.lab.bos.redhat.com
> > IPA Server: vm-051.idm.lab.bos.redhat.com
> > BaseDN: dc=idm,dc=lab,dc=bos,dc=redhat,dc=com
> >
> > Continue to configure the system with these values? [no]: yes
> >
> > Enrolled in IPA realm IDM.LAB.BOS.REDHAT.COM
> > Created /etc/ipa/default.conf
> > Configured /etc/sssd/sssd.conf
> > Configured /etc/krb5.conf for IPA realm IDM.LAB.BOS.REDHAT.COM
> > certmonger request for host certificate failed
> > Warning: Hostname (vm-060.idm.lab.bos.redhat.com) not found in DNS
> > Failed to obtain host TGT.
> > Failed to update DNS A record. (Command 'x' returned non-zero exit
> > status 1)
> > SSSD enabled
> > Kerberos 5 enabled
> > NTP enabled
> > Client configuration complete.
> >
> > Is this a sign of a cert server issue? This is the first time
> > running with dogtag.
>
> We use TSIG-GSSAPI for DNS Updates, no certs involved.
>
> > Here's the last couple of lines from the ipa-server-log. They look
> > fine to me.
> >
> > [Thu Feb 24 20:41:06 2011] [error] ipa: INFO:
> > admin@IDM.LAB.BOS.REDHAT.COM: host_find(u'', all=True): SUCCESS
> > [Thu Feb 24 20:41:14 2011] [error] ipa: INFO:
> > admin@IDM.LAB.BOS.REDHAT.COM: batch(({u'params':
> > [[u'vm-060.idm.lab.bos.redhat.com'], {}], u'method': u'host_del'},)):
> > SUCCESS
> > [Thu Feb 24 20:41:15 2011] [error] ipa: INFO:
> > admin@IDM.LAB.BOS.REDHAT.COM: host_find(u'', all=True): SUCCESS
> > [Thu Feb 24 20:46:04 2011] [error] ipa: INFO:
> > admin@IDM.LAB.BOS.REDHAT.COM: join(u'vm-060.idm.lab.bos.redhat.com',
> > nshardwareplatform=u'x86_64',
> > nsosversion=u'2.6.32-114.0.1.el6.x86_64'): SUCCESS
>
> Can you send the ipaclient-install.log file ?
>
> > This machine had client installed before, but I've since uninstalled
> > and reinstalled both the server and client, and rebooted the client
> > as well.
>
> Should make no difference at all, it seems nsupdate is failing.
> Do you have bind-utils installed ?
>
> > There is no file /etc/ipa/.dns_update.txt
>
> And there shouldn't be, it is a temp file we delete as soon as we are done.

Maybe you need to specify the server explicitly in the message you send
to nsupdate. The man page says it should work without, but then nsupdate
must be able to read the SOA record for the zone.

bye,
Sumit

>
> Simo.
>
> --
> Simo Sorce * Red Hat, Inc * New York

From ssorce at redhat.com Fri Feb 25 12:58:34 2011
From: ssorce at redhat.com (Simo Sorce)
Date: Fri, 25 Feb 2011 07:58:34 -0500
Subject: [Freeipa-devel] Adding client on RHEL 6 fails to get DNS entry
In-Reply-To: <20110225091811.GC20520@localhost.localdomain>
References: <4D670C14.8040908@redhat.com> <20110225004703.4667cf61@willson.li.ssimo.org> <20110225091811.GC20520@localhost.localdomain>
Message-ID: <20110225075834.79ee8d8b@willson.li.ssimo.org>

On Fri, 25 Feb 2011 10:18:11 +0100
Sumit Bose wrote:

> Maybe you need to specify the server explicitly in the message you
> send to nsupdate. The man page says it should work without, but then
> nsupdate must be able to read the SOA record for the zone.

Given that you can install the DNS server only on some IPA servers and
not others, I omitted the server on purpose. When resolving the SOA
record for the zone the client should get the right server
automatically. Failure to resolve the SOA record means you have other
(DNS) issues as well.

Simo.

--
Simo Sorce * Red Hat, Inc * New York

From pzuna at redhat.com Fri Feb 25 13:58:24 2011
From: pzuna at redhat.com (Pavel Zuna)
Date: Fri, 25 Feb 2011 14:58:24 +0100
Subject: [Freeipa-devel] [PATCH] 78 Use ldapi: instead of unsecured ldap: in ipa core tools.
In-Reply-To: <20110223175340.4358a1b1@willson.li.ssimo.org>
References: <4D658D1D.6060107@redhat.com> <20110223175340.4358a1b1@willson.li.ssimo.org>
Message-ID: <4D67B580.9060303@redhat.com>

On 02/23/2011 11:53 PM, Simo Sorce wrote:
> On Wed, 23 Feb 2011 23:41:33 +0100
> Pavel Zůna wrote:
>
>> On 2011-02-15 16:36, JR Aquino wrote:
>>> On 2/15/11 6:52 AM, "Simo Sorce" wrote:
>>>
>>>> On Tue, 15 Feb 2011 15:19:50 +0100
>>>> Pavel Zuna wrote:
>>>>
>>>>> I can't reproduce this. :-/
>>>>>
>>>>> For me it goes fine:
>>>>>
>>>>> [root@ipadev tools]# ./ipa-nis-manage enable
>>>>> Directory Manager password:
>>>>>
>>>>> Enabling plugin
>>>>> This setting will not take effect until you restart Directory
>>>>> Server. The rpcbind service may need to be started.
>>>>>
>>>>
>>>> Pavel,
>>>> Jr has set the minimum ssf to a non default value to test a
>>>> configuration in which all communications are required to be
>>>> encrypted. That's why you can't reproduce with the vanilla
>>>> configuration.
>>>>
>>>> We want to support that mode although it won't be the default, so
>>>> we need to fix any issue that causes that configuration to break
>>>> (ie all non-encrypted/non-ldapi connections).
>>>>
>>>> Simo.
>>>>
>>>> --
>>>> Simo Sorce * Red Hat, Inc * New York
>>>
>>> The best way to do this is:
>>>
>>> -=-
>>> service ipa stop
>>> Edit /etc/dirsrv/slapd-DOMAIN/dse.ldif
>>>
>>> Change:
>>> nsslapd-minssf: 0
>>>
>>> To:
>>> nsslapd-minssf: 56 <- 56 is chosen because SASL communicates a 56bit
>>> handshake even though we utilize a much stronger cipher...
>>> (It is a known bug/feature)
>>>
>>> service ipa start
>>>
>>
>> I tried to use the LDAPUpdate class (ipaserver/install/ldapupdate.py)
>> with ldapi=True, but it raises a NotFound exception when trying to
>> call IPAdmin.do_external_bind() (ipaserver/ipaldap.py). This
>> exception originates in IPAdmin.__lateinit() when trying to retrieve
>> this
>>
>> cn=config,cn=ldbm database,cn=plugins,cn=config
>>
>> For some reason it looks like this entry is inaccessible when doing a
>> SASL EXTERNAL bind as root.
>>
>> I can retrieve the entry as "cn=directory manager":
>>
>> [root@vm-090 freeipa]# ldapsearch -D "cn=directory manager" -W -H
>> ldapi://%2fvar%2frun%2fslapd-IDM-LAB-BOS-REDHAT-COM.socket -b
>> "cn=config,cn=ldbm database,cn=plugins,cn=config" -s one
>> Enter LDAP Password:
>> # extended LDIF
>> #
>> # LDAPv3
>> # base with scope oneLevel
>> # filter: (objectclass=*)
>> # requesting: ALL
>> #
>>
>> # default indexes, config, ldbm database, plugins, config
>> dn: cn=default indexes,cn=config,cn=ldbm database,cn=plugins,cn=config
>> objectClass: top
>> objectClass: extensibleObject
>> cn: default indexes
>>
>> # search result
>> search: 2
>> result: 0 Success
>>
>> # numResponses: 2
>> # numEntries: 1
>>
>> but not as root:
>>
>> [root@vm-090 freeipa]# ldapsearch -Y EXTERNAL -H
>> ldapi://%2fvar%2frun%2fslapd-IDM-LAB-BOS-REDHAT-COM.socket -b
>> "cn=config"
>> SASL/EXTERNAL authentication started
>> SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
>> SASL SSF: 0
>> # extended LDIF
>> #
>> # LDAPv3
>> # base with scope subtree
>> # filter: (objectclass=*)
>> # requesting: ALL
>> #
>>
>> # SNMP, config
>> dn: cn=SNMP,cn=config
>> objectClass: top
>> objectClass: nsSNMP
>> cn: SNMP
>> nsSNMPEnabled: on
>>
>> # 2.16.840.1.113730.3.4.9, features, config
>> dn: oid=2.16.840.1.113730.3.4.9,cn=features,cn=config
>> objectClass: top
>> objectClass: directoryServerFeature
>> oid: 2.16.840.1.113730.3.4.9
>> cn: VLV Request Control
>>
>> # search result
>> search: 2
>> result: 0 Success
>>
>> # numResponses: 3
>> # numEntries: 2
>>
>> I'm not sure what the problem is, I tried setting different SASL
>> security properties, but nothing helped. :( Next step is to analyze
>> DS logs, but before I do that, I wanted to ask if anyone has any tips
>> on what the solution might be.
>
> We have very strict ACIs when using EXTERNAL SASL as root.
> Is there any reason you need to operate as root ?
> you can also authenticate with SIMPLE (Dir MGr credentials), or
> SASL/GSSAPI if you have credentials.
>
> If you need to run unattended as root then we may need to make
> root+SASL/EXTERNAL more powerful but I'd like to understand exactly why
> you need that and can't use regular authentication with DirMgr or
> GSSAPI credentials.
>
> Simo.

Thanks for the advice! New version of the patch attached.

Pavel

-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-pzuna-78-4-toolsldapi.patch
Type: application/mbox
Size: 15996 bytes
Desc: not available
URL:

From JR.Aquino at citrix.com Fri Feb 25 17:12:53 2011
From: JR.Aquino at citrix.com (JR Aquino)
Date: Fri, 25 Feb 2011 17:12:53 +0000
Subject: [Freeipa-devel] [PATCH] 78 Use ldapi: instead of unsecured ldap: in ipa core tools.
In-Reply-To: <4D67B580.9060303@redhat.com>
Message-ID:

On 2/25/11 5:58 AM, "Pavel Zuna" wrote:

>On 02/23/2011 11:53 PM, Simo Sorce wrote:
>> On Wed, 23 Feb 2011 23:41:33 +0100
>> Pavel Zůna wrote:
>>
>>> On 2011-02-15 16:36, JR Aquino wrote:
>>>> On 2/15/11 6:52 AM, "Simo Sorce" wrote:
>>>>
>>>>> On Tue, 15 Feb 2011 15:19:50 +0100
>>>>> Pavel Zuna wrote:
>>>>>
>>>>>> I can't reproduce this. :-/
>>>>>>
>>>>>> For me it goes fine:
>>>>>>
>>>>>> [root@ipadev tools]# ./ipa-nis-manage enable
>>>>>> Directory Manager password:
>>>>>>
>>>>>> Enabling plugin
>>>>>> This setting will not take effect until you restart Directory
>>>>>> Server. The rpcbind service may need to be started.
>>>>>>
>>>>>
>>>>> Pavel,
>>>>> Jr has set the minimum ssf to a non default value to test a
>>>>> configuration in which all communications are required to be
>>>>> encrypted. That's why you can't reproduce with the vanilla
>>>>> configuration.
>>>>>
>>>>> We want to support that mode although it won't be the default, so
>>>>> we need to fix any issue that causes that configuration to break
>>>>> (ie all non-encrypted/non-ldapi connections).
>>>>>
>>>>> Simo.
>>>>>
>>>>> --
>>>>> Simo Sorce * Red Hat, Inc * New York
>>>>
>>>> The best way to do this is:
>>>>
>>>> -=-
>>>> service ipa stop
>>>> Edit /etc/dirsrv/slapd-DOMAIN/dse.ldif
>>>>
>>>> Change:
>>>> nsslapd-minssf: 0
>>>>
>>>> To:
>>>> nsslapd-minssf: 56 <- 56 is chosen because SASL communicates a 56bit
>>>> handshake even though we utilize a much stronger cipher...
>>>> (It is a known bug/feature)
>>>>
>>>> service ipa start
>>>>
>>>
>>> I tried to use the LDAPUpdate class (ipaserver/install/ldapupdate.py)
>>> with ldapi=True, but it raises a NotFound exception when trying to
>>> call IPAdmin.do_external_bind() (ipaserver/ipaldap.py). This
>>> exception originates in IPAdmin.__lateinit() when trying to retrieve
>>> this
>>>
>>> cn=config,cn=ldbm database,cn=plugins,cn=config
>>>
>>> For some reason it looks like this entry is inaccessible when doing a
>>> SASL EXTERNAL bind as root.
>>>
>>> I can retrieve the entry as "cn=directory manager":
>>>
>>> [root@vm-090 freeipa]# ldapsearch -D "cn=directory manager" -W -H
>>> ldapi://%2fvar%2frun%2fslapd-IDM-LAB-BOS-REDHAT-COM.socket -b
>>> "cn=config,cn=ldbm database,cn=plugins,cn=config" -s one
>>> Enter LDAP Password:
>>> # extended LDIF
>>> #
>>> # LDAPv3
>>> # base with scope oneLevel
>>> # filter: (objectclass=*)
>>> # requesting: ALL
>>> #
>>>
>>> # default indexes, config, ldbm database, plugins, config
>>> dn: cn=default indexes,cn=config,cn=ldbm database,cn=plugins,cn=config
>>> objectClass: top
>>> objectClass: extensibleObject
>>> cn: default indexes
>>>
>>> # search result
>>> search: 2
>>> result: 0 Success
>>>
>>> # numResponses: 2
>>> # numEntries: 1
>>>
>>> but not as root:
>>>
>>> [root@vm-090 freeipa]# ldapsearch -Y EXTERNAL -H
>>> ldapi://%2fvar%2frun%2fslapd-IDM-LAB-BOS-REDHAT-COM.socket -b
>>> "cn=config"
>>> SASL/EXTERNAL authentication started
>>> SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
>>> SASL SSF: 0
>>> # extended LDIF
>>> #
>>> # LDAPv3
>>> # base with scope subtree
>>> # filter: (objectclass=*)
>>> # requesting: ALL
>>> #
>>>
>>> # SNMP, config
>>> dn: cn=SNMP,cn=config
>>> objectClass: top
>>> objectClass: nsSNMP
>>> cn: SNMP
>>> nsSNMPEnabled: on
>>>
>>> # 2.16.840.1.113730.3.4.9, features, config
>>> dn: oid=2.16.840.1.113730.3.4.9,cn=features,cn=config
>>> objectClass: top
>>> objectClass: directoryServerFeature
>>> oid: 2.16.840.1.113730.3.4.9
>>> cn: VLV Request Control
>>>
>>> # search result
>>> search: 2
>>> result: 0 Success
>>>
>>> # numResponses: 3
>>> # numEntries: 2
>>>
>>> I'm not sure what the problem is, I tried setting different SASL
>>> security properties, but nothing helped. :( Next step is to analyze
>>> DS logs, but before I do that, I wanted to ask if anyone has any tips
>>> on what the solution might be.
>>
>> We have very strict ACIs when using EXTERNAL SASL as root.
>> Is there any reason you need to operate as root ?
>> you can also authenticate with SIMPLE (Dir MGr credentials), or
>> SASL/GSSAPI if you have credentials.
>>
>> If you need to run unattended as root then we may need to make
>> root+SASL/EXTERNAL more powerful but I'd like to understand exactly why
>> you need that and can't use regular authentication with DirMgr or
>> GSSAPI credentials.
>>
>> Simo.
>>
>
>Thanks for the advice! New version of the patch attached.

Sorry Pavel, I have to NACK again:

It looks like some comment info got left in the patch perhaps.

[root@auth2 ~]# ipa-compat-manage status
File "/usr/sbin/ipa-compat-manage", line 169
<<<<<<< HEAD

[root@auth2 ~]# ipa-host-net-manage status
File "/usr/sbin/ipa-host-net-manage", line 195
<<<<<<< HEAD
^

From pzuna at redhat.com Fri Feb 25 17:27:27 2011
From: pzuna at redhat.com (Pavel Zůna)
Date: Fri, 25 Feb 2011 18:27:27 +0100
Subject: [Freeipa-devel] [PATCH] 78 Use ldapi: instead of unsecured ldap: in ipa core tools.
In-Reply-To:
References:
Message-ID: <4D67E67F.9050806@redhat.com>

On 2011-02-25 18:12, JR Aquino wrote:
>
> On 2/25/11 5:58 AM, "Pavel Zuna" wrote:
>
>> On 02/23/2011 11:53 PM, Simo Sorce wrote:
>>> On Wed, 23 Feb 2011 23:41:33 +0100
>>> Pavel Zůna wrote:
>>>
>>>> On 2011-02-15 16:36, JR Aquino wrote:
>>>>> On 2/15/11 6:52 AM, "Simo Sorce" wrote:
>>>>>
>>>>>> On Tue, 15 Feb 2011 15:19:50 +0100
>>>>>> Pavel Zuna wrote:
>>>>>>
>>>>>>> I can't reproduce this. :-/
>>>>>>>
>>>>>>> For me it goes fine:
>>>>>>>
>>>>>>> [root at ipadev tools]# ./ipa-nis-manage enable
>>>>>>> Directory Manager password:
>>>>>>>
>>>>>>> Enabling plugin
>>>>>>> This setting will not take effect until you restart Directory
>>>>>>> Server. The rpcbind service may need to be started.
>>>>>>>
>>>>>>
>>>>>> Pavel,
>>>>>> Jr has set the minimum ssf to a non default value to test a
>>>>>> configuration in which all communications are required to be
>>>>>> encrypted. That's why you can't reproduce with the vanilla
>>>>>> configuration.
>>>>>>
>>>>>> We want to support that mode although it won't be the default, so
>>>>>> we need to fix any issue that causes that configuration to break
>>>>>> (ie all non-encrypted/non-ldapi connections).
>>>>>>
>>>>>> Simo.
>>>>>>
>>>>>> --
>>>>>> Simo Sorce * Red Hat, Inc * New York
>>>>>
>>>>> The best way to do this is:
>>>>>
>>>>> -=-
>>>>> service ipa stop
>>>>> Edit /etc/dirsrv/slapd-DOMAIN/dse.ldif
>>>>>
>>>>> Change:
>>>>> nsslapd-minssf: 0
>>>>>
>>>>> To:
>>>>> nsslapd-minssf: 56 <- 56 is chosen because SASL communicates a 56bit
>>>>> handshake even though we utilize a much stronger cipher... (It is a
>>>>> known bug/feature)
>>>>>
>>>>> service ipa start
>>>>>
>>>>
>>>> I tried to use the LDAPUpdate class (ipaserver/install/ldapupdate.py)
>>>> with ldapi=True, but it raises a NotFound exception when trying to
>>>> call IPAdmin.do_external_bind() (ipaserver/ipaldap.py). This
>>>> exception originates in IPAdmin.__lateinit() when trying to retrieve
>>>> this
>>>>
>>>> cn=config,cn=ldbm database,cn=plugins,cn=config
>>>>
>>>> For some reason it looks like this entry is inaccessible when doing a
>>>> SASL EXTERNAL bind as root.
>>>>
>>>> I can retrieve the entry as "cn=directory manager":
>>>>
>>>> [root at vm-090 freeipa]# ldapsearch -D "cn=directory manager" -W -H
>>>> ldapi://%2fvar%2frun%2fslapd-IDM-LAB-BOS-REDHAT-COM.socket -b
>>>> "cn=config,cn=ldbm database,cn=plugins,cn=config" -s one
>>>> Enter LDAP Password:
>>>> # extended LDIF
>>>> #
>>>> # LDAPv3
>>>> # base with scope oneLevel
>>>> # filter: (objectclass=*)
>>>> # requesting: ALL
>>>> #
>>>>
>>>> # default indexes, config, ldbm database, plugins, config
>>>> dn: cn=default indexes,cn=config,cn=ldbm database,cn=plugins,cn=config
>>>> objectClass: top
>>>> objectClass: extensibleObject
>>>> cn: default indexes
>>>>
>>>> # search result
>>>> search: 2
>>>> result: 0 Success
>>>>
>>>> # numResponses: 2
>>>> # numEntries: 1
>>>>
>>>> but not as root:
>>>>
>>>> [root at vm-090 freeipa]# ldapsearch -Y EXTERNAL -H
>>>> ldapi://%2fvar%2frun%2fslapd-IDM-LAB-BOS-REDHAT-COM.socket -b
>>>> "cn=config"
>>>> SASL/EXTERNAL authentication started
>>>> SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
>>>> SASL SSF: 0
>>>> # extended LDIF
>>>> #
>>>> # LDAPv3
>>>> # base with scope subtree
>>>> # filter: (objectclass=*)
>>>> # requesting: ALL
>>>> #
>>>>
>>>> # SNMP, config
>>>> dn: cn=SNMP,cn=config
>>>> objectClass: top
>>>> objectClass: nsSNMP
>>>> cn: SNMP
>>>> nsSNMPEnabled: on
>>>>
>>>> # 2.16.840.1.113730.3.4.9, features, config
>>>> dn: oid=2.16.840.1.113730.3.4.9,cn=features,cn=config
>>>> objectClass: top
>>>> objectClass: directoryServerFeature
>>>> oid: 2.16.840.1.113730.3.4.9
>>>> cn: VLV Request Control
>>>>
>>>> # search result
>>>> search: 2
>>>> result: 0 Success
>>>>
>>>> # numResponses: 3
>>>> # numEntries: 2
>>>>
>>>> I'm not sure what the problem is, I tried setting different SASL
>>>> security properties, but nothing helped. :( Next step is to analyze
>>>> DS logs, but before I do that, I wanted to ask if anyone has any tips
>>>> on what the solution might be.
>>>
>>> We have very strict ACIs when using EXTERNAL SASL as root.
>>> Is there any reason you need to operate as root?
>>> You can also authenticate with SIMPLE (Dir Mgr credentials), or
>>> SASL/GSSAPI if you have credentials.
>>>
>>> If you need to run unattended as root then we may need to make
>>> root+SASL/EXTERNAL more powerful but I'd like to understand exactly why
>>> you need that and can't use regular authentication with DirMgr or
>>> GSSAPI credentials.
>>>
>>> Simo.
>>>
>>
>> Thanks for the advice! New version of the patch attached.
>
> Sorry Pavel, I have to NACK again:
> It looks like some comment info got left in the patch perhaps.
>
> [root at auth2 ~]# ipa-compat-manage status
>   File "/usr/sbin/ipa-compat-manage", line 169
>     <<<<<<< HEAD
>
> [root at auth2 ~]# ipa-host-net-manage status
>   File "/usr/sbin/ipa-host-net-manage", line 195
>     <<<<<<< HEAD
>     ^
>

That's cool, I just wonder how it got there. :)

Fixed version attached.

Pavel
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-pzuna-78-5-toolsldapi.patch
Type: application/mbox
Size: 15790 bytes

From adam at younglogic.com Fri Feb 25 18:35:42 2011
From: adam at younglogic.com (Adam Young)
Date: Fri, 25 Feb 2011 13:35:42 -0500
Subject: [Freeipa-devel] [PATCH] Revert-Set-hard-limit-on-number-of-commands-in-batch
Message-ID: <4D67F67E.2050205@younglogic.com>

I have not tested this, just ran:

git revert 79d22f8341026450ba7ca564e24812c9351c7e70

Please test before ACKing. I will test as well now.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-admiyo-0205-Revert-Set-hard-limit-on-number-of-commands-in-batch.patch
Type: text/x-patch
Size: 1784 bytes

From ayoung at redhat.com Fri Feb 25 19:49:27 2011
From: ayoung at redhat.com (Adam Young)
Date: Fri, 25 Feb 2011 14:49:27 -0500
Subject: [Freeipa-devel] Adding client on RHEL 6 fails to get DNS entry
In-Reply-To: <20110225004703.4667cf61@willson.li.ssimo.org>
References: <4D670C14.8040908@redhat.com> <20110225004703.4667cf61@willson.li.ssimo.org>
Message-ID: <4D6807C7.3070603@redhat.com>

On 02/25/2011 12:47 AM, Simo Sorce wrote:
> On Thu, 24 Feb 2011 20:55:32 -0500
> Adam Young wrote:
>
>> I updated the resolv.conf of the client machine to point to the
>> server and ran:
>>
>> [root at vm-060 ~]# ipa-client-install --domain idm.lab.bos.redhat.com
>> -p admin -w freeipa4all
>> Discovery was successful!
>> Realm: IDM.LAB.BOS.REDHAT.COM
>> DNS Domain: idm.lab.bos.redhat.com
>> IPA Server: vm-051.idm.lab.bos.redhat.com
>> BaseDN: dc=idm,dc=lab,dc=bos,dc=redhat,dc=com
>>
>> Continue to configure the system with these values? [no]: yes
>>
>> Enrolled in IPA realm IDM.LAB.BOS.REDHAT.COM
>> Created /etc/ipa/default.conf
>> Configured /etc/sssd/sssd.conf
>> Configured /etc/krb5.conf for IPA realm IDM.LAB.BOS.REDHAT.COM
>> certmonger request for host certificate failed
>> Warning: Hostname (vm-060.idm.lab.bos.redhat.com) not found in DNS
>> Failed to obtain host TGT.
>> Failed to update DNS A record. (Command 'x' returned non-zero exit
>> status 1)
>> SSSD enabled
>> Kerberos 5 enabled
>> NTP enabled
>> Client configuration complete.
>>
>> Is this a sign of a cert server issue? This is the first time
>> running with dogtag.
> We use TSIG-GSSAPI for DNS Updates, no certs involved.
>
>> Here's the last couple of lines from the ipa-server log. They look
>> fine to me.
>>
>> [Thu Feb 24 20:41:06 2011] [error] ipa: INFO:
>> admin at IDM.LAB.BOS.REDHAT.COM: host_find(u'', all=True): SUCCESS
>> [Thu Feb 24 20:41:14 2011] [error] ipa: INFO:
>> admin at IDM.LAB.BOS.REDHAT.COM: batch(({u'params':
>> [[u'vm-060.idm.lab.bos.redhat.com'], {}], u'method': u'host_del'},)):
>> SUCCESS
>> [Thu Feb 24 20:41:15 2011] [error] ipa: INFO:
>> admin at IDM.LAB.BOS.REDHAT.COM: host_find(u'', all=True): SUCCESS
>> [Thu Feb 24 20:46:04 2011] [error] ipa: INFO:
>> admin at IDM.LAB.BOS.REDHAT.COM: join(u'vm-060.idm.lab.bos.redhat.com',
>> nshardwareplatform=u'x86_64',
>> nsosversion=u'2.6.32-114.0.1.el6.x86_64'): SUCCESS
> Can you send the ipaclient-install.log file?

Attached

>> This machine had client installed before, but I've since uninstalled
>> and reinstalled both the server and client, and rebooted the client
>> as well.
> Should make no difference at all, it seems nsupdate is failing.
> Do you have bind-utils installed?
>

Yes: bind-utils-9.7.2-8.P3.el6.x86_64

>> There is no file /etc/ipa/.dns_update.txt
> And there shouldn't be, it is a temp file we delete as soon as we are done.
>
> Simo.
>
-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: ipaclient-install.log

From ssorce at redhat.com Fri Feb 25 20:19:25 2011
From: ssorce at redhat.com (Simo Sorce)
Date: Fri, 25 Feb 2011 15:19:25 -0500
Subject: [Freeipa-devel] Adding client on RHEL 6 fails to get DNS entry
In-Reply-To: <4D6807C7.3070603@redhat.com>
References: <4D670C14.8040908@redhat.com> <20110225004703.4667cf61@willson.li.ssimo.org> <4D6807C7.3070603@redhat.com>
Message-ID: <20110225151925.17ca0d60@willson.li.ssimo.org>

On Fri, 25 Feb 2011 14:49:27 -0500
Adam Young wrote:

> 2011-02-24 20:46:06,851 DEBUG stderr=
> 2011-02-24 20:46:06,878 DEBUG args=/usr/bin/kinit -k
> -t /etc/krb5.keytab
> 2011-02-24 20:46:06,879 DEBUG stdout=
> 2011-02-24 20:46:06,879 DEBUG stderr=kinit: Hostname cannot be
> canonicalized when creating default server principal name

ah no sorry this is the error, kinit failing ...
now on why this happens ...

Simo.

--
Simo Sorce * Red Hat, Inc * New York

From ssorce at redhat.com Fri Feb 25 22:04:10 2011
From: ssorce at redhat.com (Simo Sorce)
Date: Fri, 25 Feb 2011 17:04:10 -0500
Subject: [Freeipa-devel] Adding client on RHEL 6 fails to get DNS entry
In-Reply-To: <20110225151925.17ca0d60@willson.li.ssimo.org>
References: <4D670C14.8040908@redhat.com> <20110225004703.4667cf61@willson.li.ssimo.org> <4D6807C7.3070603@redhat.com> <20110225151925.17ca0d60@willson.li.ssimo.org>
Message-ID: <20110225170410.0a90e191@willson.li.ssimo.org>

On Fri, 25 Feb 2011 15:19:25 -0500
Simo Sorce wrote:

> On Fri, 25 Feb 2011 14:49:27 -0500
> Adam Young wrote:
>
> > 2011-02-24 20:46:06,851 DEBUG stderr=
> > 2011-02-24 20:46:06,878 DEBUG args=/usr/bin/kinit -k
> > -t /etc/krb5.keytab
> > 2011-02-24 20:46:06,879 DEBUG stdout=
> > 2011-02-24 20:46:06,879 DEBUG stderr=kinit: Hostname cannot be
> > canonicalized when creating default server principal name
>
> ah no sorry this is the error, kinit failing ...
> now on why this happens ...
>
> Simo.
>

Ok this happens because /etc/hosts doesn't have an entry for the hostname
and DNS doesn't resolve it yet (chicken/egg)

Please open a ticket, the fix is to pass the principal name as argument of
the kinit command so that it doesn't have to go through name resolution to
understand what name to use.

Simo.

--
Simo Sorce * Red Hat, Inc * New York

From ssorce at redhat.com Sat Feb 26 17:24:15 2011
From: ssorce at redhat.com (Simo Sorce)
Date: Sat, 26 Feb 2011 12:24:15 -0500
Subject: [Freeipa-devel] [PATCH] 0087 Fix winsync agreements setup
Message-ID: <20110226122415.4884cef0@willson.li.ssimo.org>

Setting up a winsync agreement was broken.

This patch fixes the code to allow setting up a winsync agreement that
requires access to a non-IPA ldap server.

Simo.

--
Simo Sorce * Red Hat, Inc * New York
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-simo-0087-Fix-winsync-agreements-setup.patch
Type: text/x-patch
Size: 7588 bytes

From ssorce at redhat.com Sat Feb 26 17:26:03 2011
From: ssorce at redhat.com (Simo Sorce)
Date: Sat, 26 Feb 2011 12:26:03 -0500
Subject: [Freeipa-devel] [PATCH] 0088 Fix ipa winsync plugin
Message-ID: <20110226122603.6b95a6d5@willson.li.ssimo.org>

When the plugin was adjusted to not use LDAP_DEPRECATED it was broken and
DNs were generated without the RDN attribute name part.

Simo.

--
Simo Sorce * Red Hat, Inc * New York
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-simo-0088-Unbreak-the-ipa-winsync-plugin.patch
Type: text/x-patch
Size: 1098 bytes

From ssorce at redhat.com Sat Feb 26 17:27:38 2011
From: ssorce at redhat.com (Simo Sorce)
Date: Sat, 26 Feb 2011 12:27:38 -0500
Subject: [Freeipa-devel] [PATCH] 0089 Fix user synchronization in ipa winsync
Message-ID: <20110226122738.48d62108@willson.li.ssimo.org>

Apparently synchronizing new users down from AD didn't work as the account
didn't have uidNumber added, an attribute required by the posixAccount
objectclass.

This fixes new users synchronization.

Simo.

--
Simo Sorce * Red Hat, Inc * New York
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-simo-0089-Fix-user-synchronization.patch
Type: text/x-patch
Size: 1262 bytes

From ssorce at redhat.com Sat Feb 26 17:28:57 2011
From: ssorce at redhat.com (Simo Sorce)
Date: Sat, 26 Feb 2011 12:28:57 -0500
Subject: [Freeipa-devel] [PATCH] 0090 Make use of (in)activate groups optional
Message-ID: <20110226122857.4595f3f6@willson.li.ssimo.org>

Since we removed the use of CoS for (in)active users, the ipa_winsync
plugin was broken when configured to synchronize (in)active user status
(the default).

Simo.

--
Simo Sorce * Red Hat, Inc * New York
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-simo-0090-Make-activated-inactivated-groups-optional.patch
Type: text/x-patch
Size: 8343 bytes

From ssorce at redhat.com Sat Feb 26 17:31:22 2011
From: ssorce at redhat.com (Simo Sorce)
Date: Sat, 26 Feb 2011 12:31:22 -0500
Subject: [Freeipa-devel] [PATCH] 0091 Make wrappers for sasl binds
Message-ID: <20110226123122.0e0333a8@willson.li.ssimo.org>

Sasl gssapi binds were done w/o a wrapper, this caused sasl binds to
behave differently in some cases as __lateinit() was never called on them.

Unify sasl binds in ipaldap.py

This is needed in conjunction with patch 0092 to fix managing replicas
with krb credentials

Simo.

--
Simo Sorce * Red Hat, Inc * New York
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-simo-0091-Use-wrapper-for-sasl-gssapi-binds-so-it-behaves-like.patch
Type: text/x-patch
Size: 5981 bytes

From ssorce at redhat.com Sat Feb 26 17:34:09 2011
From: ssorce at redhat.com (Simo Sorce)
Date: Sat, 26 Feb 2011 12:34:09 -0500
Subject: [Freeipa-devel] [PATCH] 0092 Fix replica management with krb credentials
Message-ID: <20110226123409.40148bcb@willson.li.ssimo.org>

If no bind password is provided it is not possible to create the basic
replication user. Creating this user is not necessary for winsync
agreements or to create new replica connections that use gssapi auth so
make it optional if krb credentials are used.

Simo.

--
Simo Sorce * Red Hat, Inc * New York
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-simo-0092-Fix-replica-setup-using-replication-admin-kerberos-c.patch
Type: text/x-patch
Size: 1724 bytes

From ssorce at redhat.com Sat Feb 26 17:35:17 2011
From: ssorce at redhat.com (Simo Sorce)
Date: Sat, 26 Feb 2011 12:35:17 -0500
Subject: [Freeipa-devel] [PATCH] 0093, WAS: Re: Adding client on RHEL 6 fails to get DNS entry
In-Reply-To: <20110225170410.0a90e191@willson.li.ssimo.org>
References: <4D670C14.8040908@redhat.com> <20110225004703.4667cf61@willson.li.ssimo.org> <4D6807C7.3070603@redhat.com> <20110225151925.17ca0d60@willson.li.ssimo.org> <20110225170410.0a90e191@willson.li.ssimo.org>
Message-ID: <20110226123517.0be3134b@willson.li.ssimo.org>

On Fri, 25 Feb 2011 17:04:10 -0500
Simo Sorce wrote:

> On Fri, 25 Feb 2011 15:19:25 -0500
> Simo Sorce wrote:
>
> > On Fri, 25 Feb 2011 14:49:27 -0500
> > Adam Young wrote:
> >
> > > 2011-02-24 20:46:06,851 DEBUG stderr=
> > > 2011-02-24 20:46:06,878 DEBUG args=/usr/bin/kinit -k
> > > -t /etc/krb5.keytab
> > > 2011-02-24 20:46:06,879 DEBUG stdout=
> > > 2011-02-24 20:46:06,879 DEBUG stderr=kinit: Hostname cannot be
> > > canonicalized when creating default server principal name
> >
> > ah no sorry this is the error, kinit failing ...
> > now on why this happens ...
> >
> > Simo.
> >
>
> Ok this happens because /etc/hosts doesn't have an entry for the
> hostname and DNS doesn't resolve it yet (chicken/egg)
>
> Please open a ticket, the fix is to pass the principal name as
> argument of the kinit command so that it doesn't have to go through
> name resolution to understand what name to use.

The attached patch should fix nsupdates on machines configured like this one.

Simo.

--
Simo Sorce * Red Hat, Inc * New York
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-simo-0093-Fix-kinit-invocation-in-ipa-client-install.patch
Type: text/x-patch
Size: 1252 bytes

From jhrozek at redhat.com Mon Feb 28 09:42:48 2011
From: jhrozek at redhat.com (Jakub Hrozek)
Date: Mon, 28 Feb 2011 10:42:48 +0100
Subject: [Freeipa-devel] [PATCH] 0088 Fix ipa winsync plugin
In-Reply-To: <20110226122603.6b95a6d5@willson.li.ssimo.org>
References: <20110226122603.6b95a6d5@willson.li.ssimo.org>
Message-ID: <4D6B6E18.1080606@redhat.com>

On 02/26/2011 06:26 PM, Simo Sorce wrote:
>
> When the plugin was adjusted to not use LDAP_DEPRECATED it was broken
> and DNs were generated without the RDN attribute name part.
>
> Simo.
>

I broke this one.. Ack

From rmeggins at redhat.com Mon Feb 28 15:33:44 2011
From: rmeggins at redhat.com (Rich Megginson)
Date: Mon, 28 Feb 2011 08:33:44 -0700
Subject: [Freeipa-devel] [PATCH] 0090 Make use of (in)activate groups optional
In-Reply-To: <20110226122857.4595f3f6@willson.li.ssimo.org>
References: <20110226122857.4595f3f6@willson.li.ssimo.org>
Message-ID: <4D6BC058.2050209@redhat.com>

On 02/26/2011 10:28 AM, Simo Sorce wrote:
> Since we removed the use of CoS for (in)active users, the ipa_winsync
> plugin was broken when configured to synchronize (in)active user status
> (the default).

ack

> Simo.
>

From rmeggins at redhat.com Mon Feb 28 15:34:15 2011
From: rmeggins at redhat.com (Rich Megginson)
Date: Mon, 28 Feb 2011 08:34:15 -0700
Subject: [Freeipa-devel] [PATCH] 0089 Fix user synchronization in ipa winsync
In-Reply-To: <20110226122738.48d62108@willson.li.ssimo.org>
References: <20110226122738.48d62108@willson.li.ssimo.org>
Message-ID: <4D6BC077.1060603@redhat.com>

On 02/26/2011 10:27 AM, Simo Sorce wrote:
> Apparently synchronizing new users down from AD didn't work as the
> account didn't have uidNumber added, an attribute required by the
> posixAccount objectclass.

ack

> This fixes new users synchronization.
>
> Simo.
>

From rcritten at redhat.com Mon Feb 28 15:49:29 2011
From: rcritten at redhat.com (Rob Crittenden)
Date: Mon, 28 Feb 2011 10:49:29 -0500
Subject: [Freeipa-devel] [PATCH] 0087 Fix winsync agreements setup
In-Reply-To: <20110226122415.4884cef0@willson.li.ssimo.org>
References: <20110226122415.4884cef0@willson.li.ssimo.org>
Message-ID: <4D6BC409.1010505@redhat.com>

Simo Sorce wrote:
>
> Setting up a winsync agreement was broken.
>
> This patch fixes the code to allow setting up a winsync agreement that
> requires access to a non-IPA ldap server.
>
> Simo.

This changes the side we initiate the replication startup on. I don't
know a ton about the internals of 389-ds replication but is this
necessary? It has been this way for years.

rob

From pzuna at redhat.com Mon Feb 28 16:02:57 2011
From: pzuna at redhat.com (Pavel Zuna)
Date: Mon, 28 Feb 2011 17:02:57 +0100
Subject: [Freeipa-devel] Localization patches.
In-Reply-To: <4D654D43.5030601@redhat.com>
References: <4D5BEEDC.5050902@redhat.com> <4D5C9F5D.1090706@redhat.com> <4D5D7C29.2020102@redhat.com> <4D5D9888.6010603@redhat.com> <4D5E4B36.1010805@redhat.com> <4D640B71.7080304@redhat.com> <4D654D43.5030601@redhat.com>
Message-ID: <4D6BC731.3000901@redhat.com>

On 02/23/2011 07:09 PM, Pavel Zůna wrote:
> On 2011-02-22 20:16, Rob Crittenden wrote:
>> Pavel Zůna wrote:
>>> On 2011-02-17 22:52, Rob Crittenden wrote:
>>>> Pavel Zůna wrote:
>>>>> On 2011-02-17 05:09, Rob Crittenden wrote:
>>>>>> Pavel Zůna wrote:
>>>>>>> My efforts in fixing localization all around the framework and
>>>>>>> preparing it for localizing docstrings have resulted in a lot of
>>>>>>> patches. Because I understand they have become a bit hard to
>>>>>>> track, I decided to post them all together in this thread to make
>>>>>>> review easier.
>>>>>>>
>>>>>>> After this is committed, there will be one more patch that switches
>>>>>>> xgettext for pygettext. Then hopefully, we'll be pretty much set
>>>>>>> when it comes to i18n.
>>>>>>>
>>>>>>> Pavel
>>>>>>
>>>>>> Patch 81 isn't applying for me.
>>>>>>
>>>>>> Help is not working for me either, this is due to patch 80.
>>>>>>
>>>>>> $ ipa help user
>>>>>> ipa: ERROR: NameError: global name '_' is not defined
>>>>>> Traceback (most recent call last):
>>>>>>   File "/home/rcrit/redhat/freeipa-version/ipalib/cli.py", line 1087, in run
>>>>>>     api.finalize()
>>>>>>   File "/home/rcrit/redhat/freeipa-version/ipalib/plugable.py", line 619, in finalize
>>>>>>     plugin_iter(base, (magic[k] for k in magic))
>>>>>>   File "/home/rcrit/redhat/freeipa-version/ipalib/base.py", line 397, in __init__
>>>>>>     sorted(members, key=lambda m: getattr(m, name_attr))
>>>>>>   File "/home/rcrit/redhat/freeipa-version/ipalib/plugable.py", line 608, in plugin_iter
>>>>>>     plugins[klass] = PluginInstance(klass)
>>>>>>   File "/home/rcrit/redhat/freeipa-version/ipalib/plugable.py", line 585, in __init__
>>>>>>     self.instance = klass()
>>>>>>   File "/home/rcrit/redhat/freeipa-version/ipalib/plugable.py", line 184, in __init__
>>>>>>     self.doc = _(inspect.getdoc(cls))
>>>>>> NameError: global name '_' is not defined
>>>>>> ipa: ERROR: an internal error has occurred
>>>>>>
>>>>>> Patches 69, 71 and 73 are still working fine.
>>>>>>
>>>>>> What is switching from xgettext to pygettext going to do?
>>>>>
>>>>> This was answered by John Dennis: xgettext doesn't parse python
>>>>> docstrings.
>>>>>
>>>>>>
>>>>>> rob
>>>>>
>>>>> Rebased version of 81 attached. It should also fix the traceback
>>>>> you're getting.
>>>>>
>>>>> Pavel
>>>>
>>>> Something is still not working. I'm having a hard time reproducing
>>>> how I got this but with LANG=es_US.UTF-8 for a while I was getting
>>>> this with every ipa user-* request:
>>>>
>>>> ipa: ERROR: UnicodeEncodeError: 'ascii' codec can't encode character
>>>> u'\xf1' in position 20: ordinal not in range(128)
>>>> Traceback (most recent call last):
>>>>   File "/home/rcrit/redhat/freeipa-version/ipalib/cli.py", line 1090, in run
>>>>     sys.exit(api.Backend.cli.run(argv))
>>>>   File "/home/rcrit/redhat/freeipa-version/ipalib/cli.py", line 917, in run
>>>>     rv = cmd.output_for_cli(self.api.Backend.textui, result, *args, **options)
>>>>   File "/home/rcrit/redhat/freeipa-version/ipalib/frontend.py", line 953, in output_for_cli
>>>>     textui.print_entries(result, order, labels, flags, print_all)
>>>>   File "/home/rcrit/redhat/freeipa-version/ipalib/cli.py", line 346, in print_entries
>>>>     self.print_entry(entry, order, labels, flags, print_all, format, indent)
>>>>   File "/home/rcrit/redhat/freeipa-version/ipalib/cli.py", line 378, in print_entry
>>>>     label, value, format, indent, one_value_per_line
>>>>   File "/home/rcrit/redhat/freeipa-version/ipalib/cli.py", line 309, in print_attribute
>>>>     self.print_indented(format % (attr, text[0]), indent)
>>>>   File "/home/rcrit/redhat/freeipa-version/ipalib/cli.py", line 232, in print_indented
>>>>     print (CLI_TAB * indent + text)
>>>> UnicodeEncodeError: 'ascii' codec can't encode character u'\xf1' in
>>>> position 20: ordinal not in range(128)
>>>> ipa: ERROR: ha ocurrido un error interno
>>>>
>>>> I think it is blowing up on this user:
>>>>
>>>> User login: jose
>>>> First name: Jose
>>>> Last name: contraseñas
>>>> Home directory: /home/jose
>>>> Login shell: /bin/sh
>>>> Account disabled: TRUE
>>>> Member of groups: ipausers
>>>>
>>>> Then all of a sudden things started working fine, so I'm not sure
>>>> what's going on.
>>>>
>>>> Is this traceback meaningful to you?
>>>>
>>>> rob
>>>
>>> This looks like a bug in the textui backend.
>>>
>>> You get this error when you do something like this:
>>>
>>> >>> a = u'\xf1'
>>> >>> a.decode('utf-8')
>>> Traceback (most recent call last):
>>>   File "", line 1, in
>>>   File "/usr/lib/python2.6/encodings/utf_8.py", line 16, in decode
>>>     return codecs.utf_8_decode(input, errors, True)
>>> UnicodeEncodeError: 'ascii' codec can't encode character u'\xf1' in
>>> position 0: ordinal not in range(128)
>>>
>>> It means we're not handling encoding/decoding from/to the CLI right
>>> somewhere.
>>>
>>> The character \xf1 corresponds to the small N with tilde in Jose's last
>>> name.
>>>
>>> I'm going to look into it, but I don't think it's related to the
>>> localization patches.
>>>
>>> Pavel
>>
>> I'm seeing 2 test failures:
>>
>> ======================================================================
>> FAIL: Test the `ipalib.plugable.Plugin.__init__` method.
>> ----------------------------------------------------------------------
>> Traceback (most recent call last):
>>   File "/usr/lib/python2.7/site-packages/nose/case.py", line 186, in runTest
>>     self.test(*self.arg)
>>   File "/home/rcrit/redhat/freeipa-tests/tests/test_ipalib/test_plugable.py", line 237, in test_init
>>     assert o.summary == 'Do sub-classy things.'
>> AssertionError
>>
>> ======================================================================
>> FAIL: Test gettext translation
>> ----------------------------------------------------------------------
>> Traceback (most recent call last):
>>   File "/usr/lib/python2.7/site-packages/nose/case.py", line 186, in runTest
>>     self.test(*self.arg)
>>   File "/home/rcrit/redhat/freeipa-tests/tests/test_ipalib/test_text.py", line 122, in test_gettext
>>     assert(translated[0] != prefix)
>> AssertionError
>>
>> patch 81 is probably going to need a rebase. I was able to get it
>> applied with a 3-way merge and one conflict in internal.py.
>>
>> rob
>
> Rebased patch 81 and 83 (pygettext).
>
> Created a new patch to fix these latest test failures - it was easier
> than doing a complex rebase.
>
> All latest versions of localization patches are attached to this email
> for review.
>
> I tried to apply them on a clean master clone, built RPMs, installed them
> and ran all unit tests. So hopefully, we're finally going to get this
> in. :)
>
> Pavel

New version of the last patch (84) attached. It includes new tests for i18n
like switching languages. Testing with install/po/test_i18n.py was also
updated.

I retested all the patches on a clean master again and everything seems to
work great.

Pavel
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-pzuna-84-2-finali18ntests.patch
Type: application/mbox
Size: 4503 bytes

From ssorce at redhat.com Mon Feb 28 16:11:05 2011
From: ssorce at redhat.com (Simo Sorce)
Date: Mon, 28 Feb 2011 11:11:05 -0500
Subject: [Freeipa-devel] [PATCH] 0087 Fix winsync agreements setup
In-Reply-To: <4D6BC409.1010505@redhat.com>
References: <20110226122415.4884cef0@willson.li.ssimo.org> <4D6BC409.1010505@redhat.com>
Message-ID: <20110228111105.6ec07325@willson.li.ssimo.org>

On Mon, 28 Feb 2011 10:49:29 -0500
Rob Crittenden wrote:

> Simo Sorce wrote:
> >
> > Setting up a winsync agreement was broken.
> >
> > This patch fixes the code to allow setting up a winsync agreement
> > that requires access to a non-IPA ldap server.
> >
> > Simo.
>
> This changes the side we initiate the replication startup on. I don't
> know a ton about the internals of 389-ds replication but is this
> necessary? It has been this way for years.

Sorry, I don't see that.
Where am I doing that?

Simo.

--
Simo Sorce * Red Hat, Inc * New York

From rcritten at redhat.com Mon Feb 28 16:18:45 2011
From: rcritten at redhat.com (Rob Crittenden)
Date: Mon, 28 Feb 2011 11:18:45 -0500
Subject: [Freeipa-devel] [PATCH] 0087 Fix winsync agreements setup
In-Reply-To: <20110228111105.6ec07325@willson.li.ssimo.org>
References: <20110226122415.4884cef0@willson.li.ssimo.org> <4D6BC409.1010505@redhat.com> <20110228111105.6ec07325@willson.li.ssimo.org>
Message-ID: <4D6BCAE5.4030706@redhat.com>

Simo Sorce wrote:
> On Mon, 28 Feb 2011 10:49:29 -0500
> Rob Crittenden wrote:
>
>> Simo Sorce wrote:
>>>
>>> Setting up a winsync agreement was broken.
>>>
>>> This patch fixes the code to allow setting up a winsync agreement
>>> that requires access to a non-IPA ldap server.
>>>
>>> Simo.
>>
>> This changes the side we initiate the replication startup on. I don't
>> know a ton about the internals of 389-ds replication but is this
>> necessary? It has been this way for years.
>
> Sorry, I don't see that.
> Where am I doing that?
>
> Simo.
>

This is what I saw:

mod = [(ldap.MOD_ADD, 'nsds5BeginReplicaRefresh', 'start')]
- other_conn.modify_s(dn, mod)
+ conn.modify_s(dn, mod)

It looks like you renamed the variable from other_conn to conn so this
change is ok.

rob

From ssorce at redhat.com Mon Feb 28 16:41:07 2011
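Review bot: the quoted excerpt of patch 0087 does not include the context that binds `conn`, so the `- other_conn.modify_s(dn, mod)` / `+ conn.modify_s(dn, mod)` change cannot be verified as a pure rename from these three lines alone; since `nsds5BeginReplicaRefresh` is the attribute that starts the replication refresh, the review should quote the lines where `conn` is assigned (or the `@@` hunk header locating them) to confirm the modify is still sent to the same connection the code used before.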
From: ssorce at redhat.com (Simo Sorce) Date: Mon, 28 Feb 2011 11:41:07 -0500 Subject: [Freeipa-devel] [PATCH] 0087 Fix winsync agreements setup In-Reply-To: <4D6BCAE5.4030706@redhat.com> References: <20110226122415.4884cef0@willson.li.ssimo.org> <4D6BC409.1010505@redhat.com> <20110228111105.6ec07325@willson.li.ssimo.org> <4D6BCAE5.4030706@redhat.com> Message-ID: <20110228114107.4ba83610@willson.li.ssimo.org> On Mon, 28 Feb 2011 11:18:45 -0500 Rob Crittenden wrote: > Simo Sorce wrote: > > On Mon, 28 Feb 2011 10:49:29 -0500 > > Rob Crittenden wrote: > > > >> Simo Sorce wrote: > >>> > >>> Setting up a winsync agreement was broken. > >>> > >>> This patch fixes the code to allow setting up a winsync agreement > >>> that requires access to a non-IPA ldap server. > >>> > >>> Simo. > >> > >> This changes the side we initiate the replication startup on. I > >> don't know a ton about the internals of 389-ds replication but is > >> this necessary? It has been this way for years. > > > > Sorry, I don't see that. > > Where am I doing that ? > > > > Simo. > > > > This is what I saw: > > mod = [(ldap.MOD_ADD, 'nsds5BeginReplicaRefresh', 'start')] > - other_conn.modify_s(dn, mod) > + conn.modify_s(dn, mod) > > It looks like you renamed the variable from other_conn to to conn so > this change is ok. Oh yes it is just a rename of the variable not an actual change. Simo. -- Simo Sorce * Red Hat, Inc * New York From rcritten at redhat.com Mon Feb 28 16:47:05 2011 From: rcritten at redhat.com (Rob Crittenden) Date: Mon, 28 Feb 2011 11:47:05 -0500 Subject: [Freeipa-devel] [PATCH] 744 use Sudo rather than SUDO Message-ID: <4D6BD189.3030804@redhat.com> Use Sudo instead of SUDO in labels, descriptions, etc. ticket 1005 rob -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-rcrit-744-sudo.patch Type: application/mbox Size: 15646 bytes Desc: not available URL: From JR.Aquino at citrix.com Mon Feb 28 18:15:57 2011 
From: JR.Aquino at citrix.com (JR Aquino) Date: Mon, 28 Feb 2011 18:15:57 +0000 Subject: [Freeipa-devel] [PATCH] 78 Use ldapi: instead of unsecured ldap: in ipa core tools. In-Reply-To: <4D67E67F.9050806@redhat.com> Message-ID: On 2/25/11 9:27 AM, "Pavel Zůna" wrote: >On 2011-02-25 18:12, JR Aquino wrote: >> >> >> On 2/25/11 5:58 AM, "Pavel Zuna" wrote: >> >>> On 02/23/2011 11:53 PM, Simo Sorce wrote: >>>> On Wed, 23 Feb 2011 23:41:33 +0100 >>>> Pavel Zůna wrote: >>>>> On 2011-02-15 16:36, JR Aquino wrote: >>>>>> On 2/15/11 6:52 AM, "Simo Sorce" wrote: >>>>>>> On Tue, 15 Feb 2011 15:19:50 +0100 >>>>>>> Pavel Zuna wrote: >>>>>>>> I can't reproduce this. :-/ >>>>>>>> >>>>>>>> For me it goes fine: >>>>>>>> >>>>>>>> [root at ipadev tools]# ./ipa-nis-manage enable >>>>>>>> Directory Manager password: >>>>>>>> >>>>>>>> Enabling plugin >>>>>>>> This setting will not take effect until you restart Directory >>>>>>>> Server. The rpcbind service may need to be started. >>>>>>>> >>>>>>> >>>>>>> Pavel, >>>>>>> Jr has set the minimum ssf to a non-default value to test a >>>>>>> configuration in which all communications are required to be >>>>>>> encrypted. That's why you can't reproduce with the vanilla >>>>>>> configuration. >>>>>>> >>>>>>> We want to support that mode although it won't be the default, so >>>>>>> we need to fix any issue that causes that configuration to break >>>>>>> (ie all non-encrypted/non-ldapi connections). >>>>>>> >>>>>>> Simo. 
>>>>>>> >>>>>>> -- >>>>>>> Simo Sorce * Red Hat, Inc * New York >>>>>>> >>>>>>> _______________________________________________ >>>>>>> Freeipa-devel mailing list >>>>>>> Freeipa-devel at redhat.com >>>>>>> https://www.redhat.com/mailman/listinfo/freeipa-devel >>>>>> >>>>>> The best way to do this is: >>>>>> >>>>>> -=- >>>>>> service ipa stop >>>>>> Edit /etc/dirsrv/slapd-DOMAIN/dse.ldif >>>>>> >>>>>> Change: >>>>>> nsslapd-minssf: 0 >>>>>> >>>>>> To: >>>>>> nsslapd-minssf: 56<- 56 is chosen because SASL communicates a 56bit >>>>>> handshake even though we utilize a much strong cipher... (It is a >>>>>> known bug/feature) >>>>>> >>>>>> service ipa start >>>>>> >>>>> >>>>> I tried to use the LDAPUpdate class (ipaserver/install/ldapupdate.py) >>>>> with ldapi=True, but it raises a NotFound exception when trying to >>>>> call IPAdmin.do_external_bind() (ipaserver/ipaldap.py). This >>>>> exception originates in IPAdmin.__lateinit() when trying to retrieve >>>>> this >>>>> >>>>> cn=config,cn=ldbm database,cn=plugins,cn=config >>>>> >>>>> For some reason it looks like this entry is inaccessible when doing a >>>>> SASL EXTERNAL bind as root. 
>>>>> >>>>> I can retrieve the entry as "cn=directory manager": >>>>> >>>>> >>>>> >>>>> [root at vm-090 freeipa]# ldapsearch -D "cn=directory manager" -W -H >>>>> ldapi://%2fvar%2frun%2fslapd-IDM-LAB-BOS-REDHAT-COM.socket -b >>>>> "cn=config,cn=ldbm database,cn=plugins,cn=config" -s one >>>>> Enter LDAP Password: >>>>> # extended LDIF >>>>> # >>>>> # LDAPv3 >>>>> # base with scope oneLevel >>>>> # filter: (objectclass=*) >>>>> # requesting: ALL >>>>> # >>>>> >>>>> # default indexes, config, ldbm database, plugins, config >>>>> dn: cn=default indexes,cn=config,cn=ldbm database,cn=plugins,cn=config >>>>> objectClass: top >>>>> objectClass: extensibleObject >>>>> cn: default indexes >>>>> >>>>> # search result >>>>> search: 2 >>>>> result: 0 Success >>>>> >>>>> # numResponses: 2 >>>>> # numEntries: 1 >>>>> >>>>> >>>>> >>>>> >>>>> but not as root: >>>>> >>>>> >>>>> >>>>> [root at vm-090 freeipa]# ldapsearch -Y EXTERNAL -H >>>>> ldapi://%2fvar%2frun%2fslapd-IDM-LAB-BOS-REDHAT-COM.socket -b >>>>> "cn=config" >>>>> SASL/EXTERNAL authentication started >>>>> SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth >>>>> SASL SSF: 0 >>>>> # extended LDIF >>>>> # >>>>> # LDAPv3 >>>>> # base with scope subtree >>>>> # filter: (objectclass=*) >>>>> # requesting: ALL >>>>> # >>>>> >>>>> # SNMP, config >>>>> dn: cn=SNMP,cn=config >>>>> objectClass: top >>>>> objectClass: nsSNMP >>>>> cn: SNMP >>>>> nsSNMPEnabled: on >>>>> >>>>> # 2.16.840.1.113730.3.4.9, features, config >>>>> dn: oid=2.16.840.1.113730.3.4.9,cn=features,cn=config >>>>> objectClass: top >>>>> objectClass: directoryServerFeature >>>>> oid: 2.16.840.1.113730.3.4.9 >>>>> cn: VLV Request Control >>>>> >>>>> # search result >>>>> search: 2 >>>>> result: 0 Success >>>>> >>>>> # numResponses: 3 >>>>> # numEntries: 2 >>>>> >>>>> >>>>> I'm not sure what the problem is, I tried setting different SASL >>>>> security properties, but nothing helped. 
:( Next step is to analyze >>>>> DS logs, but before I do that, I wanted to ask if anyone has any tips >>>>> on what the solution might be. >>>> >>>> We have very strict ACIs when using EXTERNAL SASL as root. >>>> Is there any reason you need to operate as root? >>>> you can also authenticate with SIMPLE (Dir MGr credentials), or >>>> SASL/GSSAPI if you have credentials. >>>> >>>> If you need to run unattended as root then we may need to make >>>> root+SASL/EXTERNAL more powerful but I'd like to understand exactly why >>>> you need that and can't use regular authentication with DirMgr or >>>> GSSAPI credentials. >>>> >>>> Simo. >>>> >>> >>> Thanks for the advice! New version of the patch attached. >> >> Sorry Pavel, I have to NACK again: >> It looks like some comment info got left in the patch perhaps. >> >> >> [root at auth2 ~]# ipa-compat-manage status >> File "/usr/sbin/ipa-compat-manage", line 169 >> <<<<<<< HEAD >> >> >> [root at auth2 ~]# ipa-host-net-manage status >> File "/usr/sbin/ipa-host-net-manage", line 195 >> <<<<<<< HEAD >> ^ >> >> >> > >That's cool, I just wonder how it got there. :) > >Fixed version attached. > >Pavel I've verified the following: install/migration/migration.py install/tools/ipa-compat-manage install/tools/ipa-compliance install/tools/ipa-host-net-manage install/tools/ipa-nis-manage install/tools/ipa-replica-prepare install/tools/ipa-server-install ipaserver/install/ldapupdate.py ACK for everything except: install/tools/ipa-server-certinstall I'm not sure how best to test that particular tool. The rest were verified by setting nsslapd-minssf: 56, then testing each tool to verify functionality without an ssf error. ldapupdate.py was tested via running several different xml_rpc plugin tests that indirectly utilize ldapupdate.py: test_hbac_plugin.py, test_sudorule_plugin.py From edewata at redhat.com Mon Feb 28 18:51:19 2011
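The minimum-SSF test setup that runs through the thread above (stop ipa, change nsslapd-minssf from 0 to 56 in dse.ldif, start, then point the core tools at ldapi:// instead of plain ldap://), as an added example that is not code from the FreeIPA tree or from any of the posters: a small Python helper that rewrites the attribute on the cn=config entry of an LDIF-formatted dse.ldif, joining LDIF folded lines and adding the attribute when it is absent, plus the percent-encoded ldapi:// URI for the local socket. The function names, the constructed SAMPLE_DSE_LDIF fragment and the /var/run/slapd-<SERVERID>.socket layout (the shape of the URI quoted in the thread) are assumptions of this example.

```python
"""Rewrite nsslapd-minssf in dse.ldif and build the matching ldapi:// URI.

Added example for the minimum-SSF test setup discussed in this thread; it
is not FreeIPA project code.  Assumed, not from the thread: the function
names, SAMPLE_DSE_LDIF, and the /var/run/slapd-<SERVERID>.socket layout.
"""
import os
import tempfile
from urllib.parse import quote

CONFIG_DN = "cn=config"
ATTR = "nsslapd-minssf"

# Constructed fragment in the shape of dse.ldif; not taken from a real server.
SAMPLE_DSE_LDIF = """\
# constructed sample, not a real dse.ldif
dn: cn=config
objectClass: top
objectClass: extensibleObject
cn: config
nsslapd-minssf: 0
nsslapd-errorlog: /var/log/dirsrv/slapd-EXAMPLE-TEST/
 errors

dn: cn=plugins,cn=config
objectClass: top
objectClass: nsContainer
cn: plugins
"""


def get_attr(ldif_text, dn, attr):
    """Return the values of attr on entry dn, joining LDIF folded lines."""
    unfolded = []
    for raw in ldif_text.splitlines():
        if raw.startswith(" ") and unfolded:   # a leading space continues the previous line
            unfolded[-1] += raw[1:]
        else:
            unfolded.append(raw)
    values, in_entry = [], False
    for line in unfolded:
        if line.lower().startswith("dn:"):
            in_entry = line[3:].strip().lower() == dn.lower()
        elif in_entry and line.lower().startswith(attr.lower() + ":"):
            values.append(line.split(":", 1)[1].strip())
    return values


def set_minssf(ldif_text, minssf):
    """Return ldif_text with nsslapd-minssf set to minssf on cn=config.

    Works on the raw text so every other line is written back unchanged.
    Adds the attribute if cn=config lacks it; raises if there is no
    cn=config entry at all, so a half-edited file is never produced.
    """
    minssf = int(minssf)
    if minssf < 0:
        raise ValueError("minssf must be non-negative")
    new_line = f"{ATTR}: {minssf}"
    lines = ldif_text.splitlines()
    out, in_config, replaced, i = [], False, False, 0
    while i < len(lines):
        line = lines[i]
        if line.lower().startswith("dn:"):
            in_config = line[3:].strip().lower() == CONFIG_DN
        if in_config and line.lower().startswith(ATTR + ":"):
            out.append(new_line)
            i += 1
            while i < len(lines) and lines[i].startswith(" "):
                i += 1                        # drop any folded continuation of the old value
            replaced = True
            continue
        if in_config and line == "" and not replaced:
            out.append(new_line)              # attribute absent: add it before the entry ends
            replaced = True
        out.append(line)
        i += 1
    if in_config and not replaced:            # cn=config is the last entry, no blank line after it
        out.append(new_line)
        replaced = True
    if not replaced:
        raise ValueError("no 'dn: cn=config' entry found; refusing to write")
    return "\n".join(out) + "\n"


def write_minssf(path, minssf):
    """Rewrite dse.ldif atomically, keeping its mode and owner.

    Only run this while the directory server is stopped (service ipa stop,
    as in the quoted procedure); a running ns-slapd owns this file.
    """
    with open(path, encoding="utf-8") as f:
        new_text = set_minssf(f.read(), minssf)
    st = os.stat(path)
    fd, tmp = tempfile.mkstemp(dir=os.path.dirname(path) or ".", prefix=".dse.")
    with os.fdopen(fd, "w", encoding="utf-8") as f:
        f.write(new_text)
    os.chmod(tmp, st.st_mode)
    os.chown(tmp, st.st_uid, st.st_gid)
    os.replace(tmp, path)


def ldapi_uri(realm):
    """ldapi:// URI for the local instance serving realm (assumed socket layout).

    SERVERID is the realm with dots replaced by dashes, giving the form the
    thread shows: ldapi://%2fvar%2frun%2fslapd-IDM-LAB-BOS-REDHAT-COM.socket.
    The slashes must be percent-encoded or the path is parsed as a host name.
    """
    serverid = realm.replace(".", "-")
    return "ldapi://" + quote(f"/var/run/slapd-{serverid}.socket", safe="")


if __name__ == "__main__":
    import sys
    # usage, with dirsrv stopped: python3 minssf.py /etc/dirsrv/slapd-EXAMPLE-TEST/dse.ldif 56
    write_minssf(sys.argv[1], sys.argv[2])
```

The raw-text approach is deliberate: a generic LDIF round-trip would re-encode values and drop comments, and dse.ldif is a file the server itself rewrites, so the edit should touch exactly one line. Once minssf is above 0, any tool still opening ldap://host:389 without TLS or GSSAPI confidentiality gets the SSF error JR tested for; the ldapi URI from ldapi_uri() is what those tools should open instead, with the SASL EXTERNAL or Directory Manager bind discussed above.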
From: edewata at redhat.com (Endi Sukma Dewata) Date: Mon, 28 Feb 2011 12:51:19 -0600 Subject: [Freeipa-devel] [PATCH] 744 use Sudo rather than SUDO In-Reply-To: <4D6BD189.3030804@redhat.com> References: <4D6BD189.3030804@redhat.com> Message-ID: <4D6BEEA7.2090205@redhat.com> On 2/28/2011 10:47 AM, Rob Crittenden wrote: > Use Sudo instead of SUDO in labels, descriptions, etc. > > ticket 1005 > > rob This patch is ACKed. The capitalization is now consistent in the CLI. However, the UI capitalizes the labels in the action panel and the title of association facets, so we still see a mix of Sudo and SUDO in the UI. There are still some SUDO leftover in the UI test data, but that can be fixed in a separate patch. -- Endi S. Dewata From edewata at redhat.com Mon Feb 28 20:28:32 2011 From: edewata at redhat.com (Endi Sukma Dewata) Date: Mon, 28 Feb 2011 14:28:32 -0600 Subject: [Freeipa-devel] [PATCH] 744 use Sudo rather than SUDO In-Reply-To: <4D6BEEA7.2090205@redhat.com> References: <4D6BD189.3030804@redhat.com> <4D6BEEA7.2090205@redhat.com> Message-ID: <4D6C0570.1000101@redhat.com> On 2/28/2011 12:51 PM, Endi Sukma Dewata wrote: > On 2/28/2011 10:47 AM, Rob Crittenden wrote: >> Use Sudo instead of SUDO in labels, descriptions, etc. >> >> ticket 1005 >> >> rob > > This patch is ACKed. The capitalization is now consistent in the CLI. > However, the UI capitalizes the labels in the action panel and the title > of association facets, so we still see a mix of Sudo and SUDO in the UI. > > There are still some SUDO leftover in the UI test data, but that can be > fixed in a separate patch. The attached patch fixes the UI test data. -- Endi S. Dewata -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-edewata-0116-Replaced-SUDO-with-Sudo-in-UI-test-data.patch Type: text/x-patch Size: 10670 bytes Desc: not available URL: From ayoung at redhat.com Mon Feb 28 21:02:05 2011 
From: ayoung at redhat.com (Adam Young) Date: Mon, 28 Feb 2011 16:02:05 -0500 Subject: [Freeipa-devel] [PATCH] 744 use Sudo rather than SUDO In-Reply-To: <4D6C0570.1000101@redhat.com> References: <4D6BD189.3030804@redhat.com> <4D6BEEA7.2090205@redhat.com> <4D6C0570.1000101@redhat.com> Message-ID: <4D6C0D4D.8060802@redhat.com> On 02/28/2011 03:28 PM, Endi Sukma Dewata wrote: > On 2/28/2011 12:51 PM, Endi Sukma Dewata wrote: >> On 2/28/2011 10:47 AM, Rob Crittenden wrote: >>> Use Sudo instead of SUDO in labels, descriptions, etc. >>> >>> ticket 1005 >>> >>> rob >> >> This patch is ACKed. The capitalization is now consistent in the CLI. >> However, the UI capitalizes the labels in the action panel and the title >> of association facets, so we still see a mix of Sudo and SUDO in the UI. >> >> There are still some SUDO leftover in the UI test data, but that can be >> fixed in a separate patch. > > The attached patch fixes the UI test data. > > > _______________________________________________ > Freeipa-devel mailing list > Freeipa-devel at redhat.com > https://www.redhat.com/mailman/listinfo/freeipa-devel ACK -------------- next part -------------- An HTML attachment was scrubbed... URL: From rcritten at redhat.com Mon Feb 28 21:07:49 2011 
From: rcritten at redhat.com (Rob Crittenden) Date: Mon, 28 Feb 2011 16:07:49 -0500 Subject: [Freeipa-devel] Announcing FreeIPA v2 Server Release Candidate 2 Release Message-ID: <4D6C0EA5.3040708@redhat.com> To all freeipa-interest, freeipa-users and freeipa-devel list members, The FreeIPA project team is pleased to announce the availability of the Release Candidate 2 release of freeIPA 2.0 server [1]. * Binaries are available for F-14 and F-15 [2]. * Please do not hesitate to share feedback, criticism or bugs with us on our mailing list: freeipa-users at redhat.com Main Highlights of the Release Candidate. This release consists primarily of bug fixes and polish across all areas of the project. Modifications include but are not limited to * Make Indirect membership clearer. * Input validation fixes. * WebUI improvements. * Created default Roles. * IPv6 support * Documentation updates Focus of the Release Candidate Testing * There was a Fedora test day for FreeIPA on Feb 15th [3]. These tests are still relevant and feedback would be appreciated. * The following section outlines the areas that we are mostly interested to test [4]. Significant Changes Since RC 1 To see all the tickets addressed since the beta 2 release see [6]. Repositories and Installation * Use the following link to install the RC 2 packages [5]. * FreeIPA relies on the latest versions of the packages currently available from the updates-testing repository. Please make sure to enable this repository before you proceed with installation. Known Issues: * There are known issues that currently prevent FreeIPA from successfully installing with dogtag on F-15 [2]. We will send a separate message when this issue is resolved. The FreeIPA server is installable with the --selfsign option on F-15, or with dogtag on F-14. * Server-generated error messages are not translated yet. * The 'ipa help' command does not support localization. We plan to address all the outstanding tickets before the final 2.0 release. 
For the complete list see [7]. Thank you, The FreeIPA development team [1] http://www.freeipa.org/page/Downloads [2] dogtag is having issues with systemd: https://bugzilla.redhat.com/show_bug.cgi?id=676330 [3] https://fedoraproject.org/wiki/QA/Fedora_15_test_days [4] https://fedoraproject.org/wiki/Features/FreeIPAv2#How_To_Test [5] http://freeipa.org/downloads/freeipa-devel.repo [6] https://fedorahosted.org/freeipa/query?status=closed&milestone=2.0.2+Bug+fixing+(RC2) [7] https://fedorahosted.org/freeipa/milestone/2.0.3.%20Bug%20Fixing%20%28GA%29