From ayoung at redhat.com Sun Jan 2 02:02:05 2011
From: ayoung at redhat.com (Adam Young)
Date: Sat, 01 Jan 2011 21:02:05 -0500
Subject: [Freeipa-devel] [PATCH] Disable action panel links when the selected entry is deleted.
In-Reply-To: <4D1CB6F1.1050208@redhat.com>
References: <4D1CB6F1.1050208@redhat.com>
Message-ID: <4D1FDC9D.6040404@redhat.com>

On 12/30/2010 11:44 AM, Pavel Zůna wrote:
> Fix #685
>
> Pavel
>
>
> _______________________________________________
> Freeipa-devel mailing list
> Freeipa-devel at redhat.com
> https://www.redhat.com/mailman/listinfo/freeipa-devel

ACK
-------------- next part --------------
An HTML attachment was scrubbed...
URL:

From ayoung at redhat.com Sun Jan 2 02:02:39 2011
From: ayoung at redhat.com (Adam Young)
Date: Sat, 01 Jan 2011 21:02:39 -0500
Subject: [Freeipa-devel] [PATCH] Fix 'ipa help permissions'; add 'dns' in allowed types.
In-Reply-To: <4D1C5107.7050404@redhat.com>
References: <4D1C5107.7050404@redhat.com>
Message-ID: <4D1FDCBF.20003@redhat.com>

On 12/30/2010 04:29 AM, Pavel Zůna wrote:
>
> Pavel
>
>
> _______________________________________________
> Freeipa-devel mailing list
> Freeipa-devel at redhat.com
> https://www.redhat.com/mailman/listinfo/freeipa-devel

ACK
-------------- next part --------------
An HTML attachment was scrubbed...
URL:

From ayoung at redhat.com Sun Jan 2 02:04:51 2011
From: ayoung at redhat.com (Adam Young)
Date: Sat, 01 Jan 2011 21:04:51 -0500
Subject: [Freeipa-devel] [PATCH] Translate IA5Str parameters in the editable text fields in the webUI.
In-Reply-To: <4D1CB2F4.9090704@redhat.com>
References: <4D1C50DE.6050705@redhat.com> <4D1CB2F4.9090704@redhat.com>
Message-ID: <4D1FDD43.7090002@redhat.com>

On 12/30/2010 11:27 AM, Pavel Zůna wrote:
> On 2010-12-30 10:29, Pavel Zůna wrote:
>> Fix #684
>>
>> Pavel
>>
>
> Left some debugging output in the original patch. Fixed version attached.
>
> Pavel
>
>
> _______________________________________________
> Freeipa-devel mailing list
> Freeipa-devel at redhat.com
> https://www.redhat.com/mailman/listinfo/freeipa-devel

ACK
-------------- next part --------------
An HTML attachment was scrubbed...
URL:

From ssorce at redhat.com Mon Jan 3 09:39:05 2011
From: ssorce at redhat.com (Simo Sorce)
Date: Mon, 3 Jan 2011 04:39:05 -0500 (EST)
Subject: [Freeipa-devel] [PATCH 21/21] fixes CA install problem in trac ticket 682
In-Reply-To: <201012291455.oBTEtVZt020993@int-mx01.intmail.prod.int.phx2.redhat.com>
Message-ID: <266302585.91157.1294047545790.JavaMail.root@zmail05.collab.prod.int.phx2.redhat.com>

----- Original Message -----
> Do not call status after pkisilent, it will return non-zero.
> Instead restart server after pkisilent so configuration
> changes take effect, then check the status.

Ack.

Simo.

--
Simo Sorce * Red Hat, Inc. * New York

From ssorce at redhat.com Mon Jan 3 09:41:53 2011
From: ssorce at redhat.com (Simo Sorce)
Date: Mon, 3 Jan 2011 04:41:53 -0500 (EST)
Subject: [Freeipa-devel] [krb5kdc] LDAP handle unavailable: Can't contact LDAP server on kinit
In-Reply-To: <4D17A0FE.60307@inet.hr>
Message-ID: <1121640566.91206.1294047713621.JavaMail.root@zmail05.collab.prod.int.phx2.redhat.com>

Hi Zoran,
the logs you attached seem to tell that the connection failed.
Does ldapsearch with the same conf options and credentials used in krb5.conf actually work?

Simo.

----- Original Message -----
> Hi,
>
> I have a strange problem with krb5 krb5-server-ldap and FC14. Tried to
> resolve it myself, but I am stuck. Strangest thing is that all of this
> works perfectly with fc13 so it's no config issue. I could not find any
> major difference in krb5 from fc13 to fc14. Only thing is that libldap
> from openldap-clients is compiled with mozilla nss (fc14) instead of
> OpenSSL (fc13) but krb5kdc is connected to ldap servers which I
> confirmed in ldap server logs, so it should not be a TLS related
> problem.
>
> krb5kdc binds for the first time and gets realm related stuff. But when I
> run
> kinit it returns "kinit: Generic error (see e-text) while getting
> initial credentials".
>
> Strangest thing is that all works perfectly if I manually run krb5kdc
> "/usr/sbin/krb5kdc -r ST -P /var/run/krb5kdc.pid" instead of using
> initscripts.
>
> Attached krb5.conf, patch to enhance krb5kdc debugging and log file
> created with this patch included.
>
> This may not be the right list but I think that freeipa should have the same
> bug. Feel free to ask for more debugging or probing new patches.
>
> Best regards,
> Zoran Pericic
>
>
> _______________________________________________
> Freeipa-devel mailing list
> Freeipa-devel at redhat.com
> https://www.redhat.com/mailman/listinfo/freeipa-devel

--
Simo Sorce * Red Hat, Inc. * New York

From roland.kaeser at intersoft-networks.ch Sun Jan 2 16:46:04 2011
From: roland.kaeser at intersoft-networks.ch (Roland Kaeser)
Date: Sun, 2 Jan 2011 17:46:04 +0100 (CET)
Subject: [Freeipa-devel] [Freeipa-interest] Announcing FreeIPA v2 Server Beta 1 Release
In-Reply-To: <4465210.12.1293961394648.JavaMail.javamailuser@localhost>
Message-ID: <1568241.14.1293986764914.JavaMail.javamailuser@localhost>

Hello

Great, I just tested it on F-13 and it runs fine so far.
But I'm missing a very important feature (to me) which is: Samba Support.

Are there any plans to build Samba support into freeipa 2? It would be very great to have one single authentication authority without the need of installing Active Directory.

Regards

Roland Kaeser

----- Original Message -----
From: "Dmitri Pal"
To: "freeipa-devel" , "." , freeipa-interest at redhat.com
Sent: Thursday, 23 December 2010 09:06:58
Subject: [Freeipa-interest] Announcing FreeIPA v2 Server Beta 1 Release

To all freeipa-interest, freeipa-users and freeipa-devel list members,

The FreeIPA project team is pleased to announce the availability of the Beta 1 release of freeIPA 2.0 server [1].
- Binaries are available for F-13 and F-14.
- With this beta freeIPA is feature complete.
- Please do not hesitate to share feedback, criticism or bugs with us on our mailing list: freeipa-users at redhat.com

Main Highlights of the Beta
- This beta is the first attempt to show all planned capabilities of the upcoming release.
- For the first time the new UI is mostly operational and can be used to perform management of the system.
- Some areas are still very rough and we will appreciate your help with those.

Focus of the Beta Testing
- Please take a moment and look at the new Web UI. Any feedback about the general approaches, work flows, and usability is appreciated. It is still very rough but one can hopefully get a good understanding of how we plan the final UI to function and look.
- Replication management was significantly improved. Testing of multi replica configurations should be easier.
- We are looking for feedback about the DNS integration and networking issues you find in your environment configuring and using IPA with the embedded DNS enabled.

Significant Changes Since Alpha 5
- FreeIPA has changed its license to GPLv3+
- Having IPA manage the reverse zone is optional.
- The access control subsystem was re-written to be more understandable. For details see [2]
- Support for SUDO rules
- There is now a distinction between replicas and their replication agreements in the ipa-replica-manage command. It is now much easier to manage the replication topology.
- Renaming entries is easier with the --rename option of the mod commands.
- Fix special character handling in passwords, ensure that passwords are not logged.
- Certificates can be saved as PEM files in service-show and host-show commands.
- All IPA services are now started/stopped using the ipactl command. This gives us better control over the start/stop order during reboot/shutdown.
- Set up ntpd first so the time is sane.
- Better multi-valued value handling with --setattr and --addattr.
- Add support for both RFC2307 and RFC2307bis to migration.
- UID ranges were reduced by default from 1M to 200k.
- Add ability to add/remove DNS records when adding/removing a host entry.
- A number of i18n issues have been addressed.
- Updated a lot of man pages.

What is not Complete
- We are still using an older version of Dogtag. The new version of the Dogtag Certificate System will be based on tomcat6 and is forthcoming.
- We plan to take advantage of Kerberos 1.9 that was released today but we have not finished the integration effort yet.

Known Issues
- IPV6 works in the installer but not the server itself
- Make sure your machine can properly resolve its name before installing the server. Edit /etc/hosts to remove the host name from the localhost and localhost6 lines if needed.
- The UI is still rough in places. Use the following query [3] to see the tickets currently open against UI.
- Dogtag does not work out-of-the-box on Fedora 14. To fix it for the time being run:
  # ln -s /usr/share/java/xalan-j2-serializer.jar /usr/share/tomcat5/common/lib/xalan-j2-serializer.jar
- Instead of Dogtag on F14 you can also try the self-signed CA which is similar to the CA that was provided in IPA v1. This was designed for testing and development and not recommended for deployment.
- Make sure you enable the updates-testing repository on your fedora machine.

Thank you,
FreeIPA development team

[1] http://www.freeipa.org/page/Downloads
[2] http://freeipa.org/page/Permissions
[3] https://fedorahosted.org/freeipa/report/12

_______________________________________________
Freeipa-interest mailing list
Freeipa-interest at redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-interest

--
InterSoft Networks
Roland Käser, Systems Engineer OpenSource
Fulachstr. 197, 8200 Schaffhausen
Tel: +41 77 415 79 11
------------------------------------------------------------------------------------------------------------------------------
Those who give up their liberty for the sake of security will in the end have neither, and deserve neither. (Benjamin Franklin)
------------------------------------------------------------------------------------------------------------------------------

From dpal at redhat.com Mon Jan 3 13:56:03 2011
From: dpal at redhat.com (Dmitri Pal)
Date: Mon, 03 Jan 2011 08:56:03 -0500
Subject: [Freeipa-devel] [Freeipa-interest] Announcing FreeIPA v2 Server Beta 1 Release
In-Reply-To: <1568241.14.1293986764914.JavaMail.javamailuser@localhost>
References: <1568241.14.1293986764914.JavaMail.javamailuser@localhost>
Message-ID: <4D21D573.7090306@redhat.com>

Roland Kaeser wrote:
> Hello
>
> Great, I just tested it on F-13 and it runs fine so far.
> But I'm missing a very important feature (to me) which is: Samba Support.
>
> Are there any plans to build Samba support into freeipa 2? It would be very great to have one single
> authentication authority without the need of installing Active Directory.
>
> Regards
>
> Roland Kaeser
>
>
There are no plans to integrate Samba in the way you describe.
Our next goal on this path is to allow cross Kerberos trusts (IPA v3) but supporting Windows clients natively is not something we have in mind. The intent however is to pretend that IPA is yet another AD domain. If your main domain is going to be Samba 4 instead of AD it might work without installing AD. But we do not plan to carry, install and configure Samba 4 ourselves, at least in the near future (read: a couple of years).

Thank you
Dmitri

> ----- Original Message -----
> From: "Dmitri Pal"
> To: "freeipa-devel" , "." , freeipa-interest at redhat.com
> Sent: Thursday, 23 December 2010 09:06:58
> Subject: [Freeipa-interest] Announcing FreeIPA v2 Server Beta 1 Release
>
> To all freeipa-interest, freeipa-users and freeipa-devel list members,
>
> The FreeIPA project team is pleased to announce the availability of the
> Beta 1 release of freeIPA 2.0 server [1].
> - Binaries are available for F-13 and F-14.
> - With this beta freeIPA is feature complete.
> - Please do not hesitate to share feedback, criticism or bugs with us on
> our mailing list: freeipa-users at redhat.com
>
> Main Highlights of the Beta
> - This beta is the first attempt to show all planned capabilities of the
> upcoming release.
> - For the first time the new UI is mostly operational and can be used to
> perform management of the system.
> - Some areas are still very rough and we will appreciate your help with
> those.
>
> Focus of the Beta Testing
> - Please take a moment and look at the new Web UI. Any feedback about
> the general approaches, work flows, and usability is appreciated. It is
> still very rough but one can hopefully get a good understanding of how
> we plan the final UI to function and look.
> - Replication management was significantly improved. Testing of multi
> replica configurations should be easier.
> - We are looking for feedback about the DNS integration and networking
> issues you find in your environment configuring and using IPA with the
> embedded DNS enabled.
>
> Significant Changes Since Alpha 5
> - FreeIPA has changed its license to GPLv3+
> - Having IPA manage the reverse zone is optional.
> - The access control subsystem was re-written to be more understandable.
> For details see [2]
> - Support for SUDO rules
> - There is now a distinction between replicas and their replication
> agreements in the ipa-replica-manage command. It is now much easier to
> manage the replication topology.
> - Renaming entries is easier with the --rename option of the mod commands.
> - Fix special character handling in passwords, ensure that passwords are
> not logged.
> - Certificates can be saved as PEM files in service-show and host-show
> commands.
> - All IPA services are now started/stopped using the ipactl command.
> This gives us better control over the start/stop order during
> reboot/shutdown.
> - Set up ntpd first so the time is sane.
> - Better multi-valued value handling with --setattr and --addattr.
> - Add support for both RFC2307 and RFC2307bis to migration.
> - UID ranges were reduced by default from 1M to 200k.
> - Add ability to add/remove DNS records when adding/removing a host entry.
> - A number of i18n issues have been addressed.
> - Updated a lot of man pages.
>
> What is not Complete
> - We are still using an older version of Dogtag. The new version of the
> Dogtag Certificate System will be based on tomcat6 and is forthcoming.
> - We plan to take advantage of Kerberos 1.9 that was released today but
> we have not finished the integration effort yet.
>
> Known Issues
> - IPV6 works in the installer but not the server itself
> - Make sure your machine can properly resolve its name before installing
> the server. Edit /etc/hosts to remove the host name from the localhost and
> localhost6 lines if needed.
> - The UI is still rough in places. Use the following query [3] to see
> the tickets currently open against UI.
> - Dogtag does not work out-of-the-box on Fedora 14. To fix it for
> the time being run:
> # ln -s /usr/share/java/xalan-j2-serializer.jar
> /usr/share/tomcat5/common/lib/xalan-j2-serializer.jar
> - Instead of Dogtag on F14 you can also try the self-signed CA which is
> similar to the CA that was provided in IPA v1. This was designed for
> testing and development and not recommended for deployment.
> - Make sure you enable the updates-testing repository on your fedora machine.
>
> Thank you,
> FreeIPA development team
>
> [1] http://www.freeipa.org/page/Downloads
> [2] http://freeipa.org/page/Permissions
> [3] https://fedorahosted.org/freeipa/report/12
>
> _______________________________________________
> Freeipa-interest mailing list
> Freeipa-interest at redhat.com
> https://www.redhat.com/mailman/listinfo/freeipa-interest
>
>
--
Thank you,
Dmitri Pal

Sr. Engineering Manager IPA project,
Red Hat Inc.

-------------------------------
Looking to carve out IT costs?
www.redhat.com/carveoutcosts/

From atkac at redhat.com Mon Jan 3 14:05:23 2011
From: atkac at redhat.com (Adam Tkac) Date: Mon, 3 Jan 2011 15:05:23 +0100 Subject: [Freeipa-devel] [PATCH] bynd-dyndb-ldap: Add separate keytab principal option In-Reply-To: <20101221203617.43921218@willson.li.ssimo.org> References: <4D0A5ECD.5050409@inet.hr> <20101216142547.26cd39c0@willson.li.ssimo.org> <4D0B9AAA.4040805@inet.hr> <20101221203617.43921218@willson.li.ssimo.org> Message-ID: <20110103140523.GA27203@evileye.atkac.brq.redhat.com> On Tue, Dec 21, 2010 at 08:36:17PM -0500, Simo Sorce wrote: > > Attached find a patch in the proper git format. > > Adam can you push it if you think it is ok ? I added "#include " into the ldap_helper.c to fix following warning: ldap_helper.c: In function 'new_ldap_instance': ldap_helper.c:394:5: warning: implicit declaration of function 'gethostname' Now patch looks fine for me, thank you. I've pushed it. Regards, Adam > From fa819bc901963bdb2ab5a1da2841f809598c28a3 Mon Sep 17 00:00:00 2001 > From: Zoran Pericic > Date: Tue, 21 Dec 2010 20:12:10 -0500 > Subject: [PATCH] Use separate variables for sasl_user and krb5_principal > > --- > src/ldap_helper.c | 31 +++++++++++++++++++++++++------ > 1 files changed, 25 insertions(+), 6 deletions(-) > > diff --git a/src/ldap_helper.c b/src/ldap_helper.c > index 5eed8afba7a275a6ebb3a28c707639516ba9af41..134a3e899bd413a8146dd19a68ab30fc26cec269 100644 > --- a/src/ldap_helper.c > +++ b/src/ldap_helper.c > @@ -128,6 +128,7 @@ struct ldap_instance { > ldap_auth_t auth_method; > ld_string_t *bind_dn; > ld_string_t *password; > + ld_string_t *krb5_principal; > ld_string_t *sasl_mech; > ld_string_t *sasl_user; > ld_string_t *sasl_auth_name; 
> @@ -293,6 +294,7 @@ new_ldap_instance(isc_mem_t *mctx, const char *db_name, > { "auth_method", default_string("none") }, > { "bind_dn", default_string("") }, > { "password", default_string("") }, > + { "krb5_principal", default_string("") }, > { "sasl_mech", default_string("GSSAPI") }, > { "sasl_user", default_string("") }, > { "sasl_auth_name", default_string("") }, > @@ -330,6 +332,7 @@ new_ldap_instance(isc_mem_t *mctx, const char *db_name, > CHECK(str_new(mctx, &ldap_inst->base)); > CHECK(str_new(mctx, &ldap_inst->bind_dn)); > CHECK(str_new(mctx, &ldap_inst->password)); > + CHECK(str_new(mctx, &ldap_inst->krb5_principal)); > CHECK(str_new(mctx, &ldap_inst->sasl_mech)); > CHECK(str_new(mctx, &ldap_inst->sasl_user)); > CHECK(str_new(mctx, &ldap_inst->sasl_auth_name)); > @@ -346,6 +349,7 @@ new_ldap_instance(isc_mem_t *mctx, const char *db_name, > ldap_settings[i++].target = auth_method_str; > ldap_settings[i++].target = ldap_inst->bind_dn; > ldap_settings[i++].target = ldap_inst->password; > + ldap_settings[i++].target = ldap_inst->krb5_principal; > ldap_settings[i++].target = ldap_inst->sasl_mech; > ldap_settings[i++].target = ldap_inst->sasl_user; > ldap_settings[i++].target = ldap_inst->sasl_auth_name; 
> @@ -382,11 +386,25 @@ new_ldap_instance(isc_mem_t *mctx, const char *db_name, > /* check we have the right data when SASL/GSSAPI is selected */ > if ((ldap_inst->auth_method == AUTH_SASL) && > (str_casecmp_char(ldap_inst->sasl_mech, "GSSAPI") == 0)) { > - if ((ldap_inst->sasl_user == NULL) || > - (str_len(ldap_inst->sasl_user) == 0)) { > - log_error("Sasl mech GSSAPI defined but sasl_user is empty"); > - result = ISC_R_FAILURE; > - goto cleanup; > + if ((ldap_inst->krb5_principal == NULL) || > + (str_len(ldap_inst->krb5_principal) == 0)) { > + if ((ldap_inst->sasl_user == NULL) || > + (str_len(ldap_inst->sasl_user) == 0)) { > + char hostname[255]; > + if (gethostname(hostname, 255) != 0) { > + log_error("SASL mech GSSAPI defined but krb5_principal" > + "and sasl_user are empty. Could not get hostname"); > + result = ISC_R_FAILURE; > + goto cleanup; > + } else { > + str_sprintf(ldap_inst->krb5_principal, "DNS/%s", hostname); > + log_debug(2, "SASL mech GSSAPI defined but krb5_principal" > + "and sasl_user are empty, using default %s", > + str_buf(ldap_inst->krb5_principal)); > + } > + } else { > + str_copy(ldap_inst->krb5_principal, ldap_inst->sasl_user); > + } > } > } > > @@ -447,6 +465,7 @@ destroy_ldap_instance(ldap_instance_t **ldap_instp) > str_destroy(&ldap_inst->base); > str_destroy(&ldap_inst->bind_dn); > str_destroy(&ldap_inst->password); > + str_destroy(&ldap_inst->krb5_principal); > str_destroy(&ldap_inst->sasl_mech); > str_destroy(&ldap_inst->sasl_user); > str_destroy(&ldap_inst->sasl_auth_name); > @@ -1618,7 +1637,7 @@ ldap_reconnect(ldap_connection_t *ldap_conn) > isc_result_t result; > LOCK(&ldap_inst->kinit_lock); > result = get_krb5_tgt(ldap_inst->mctx, > - str_buf(ldap_inst->sasl_user), > + str_buf(ldap_inst->krb5_principal), > str_buf(ldap_inst->krb5_keytab)); > UNLOCK(&ldap_inst->kinit_lock); > if (result != ISC_R_SUCCESS) > -- > 1.7.3.3 > -- Adam Tkac, Red Hat, Inc. From atkac at redhat.com Mon Jan 3 15:21:04 2011 
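Review bot: the `@@ -293,6 +294,7 @@` hunk introduces a new user-facing configuration key, `krb5_principal`, but the diffstat shows only `src/ldap_helper.c` changing, so the option lands undocumented; add it to the option documentation together with the precedence the later hunk implements (explicit `krb5_principal`, else `sasl_user`, else `DNS/<hostname>`), since an admin who today sets only `sasl_user` otherwise has no way to know which principal the keytab must contain.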
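Review bot: in the `@@ -382,11 +386,25 @@` hunk the adjacent string literals `"SASL mech GSSAPI defined but krb5_principal"` and `"and sasl_user are empty..."` are concatenated without a separating space, so both the `log_error` and the `log_debug` message come out as `krb5_principaland sasl_user`; add a trailing space to the first literal in each pair. The `gethostname(hostname, 255)` fallback also deserves two fixes before push: POSIX leaves it unspecified whether a truncated name is NUL-terminated, so the buffer should be `HOST_NAME_MAX + 1` bytes and explicitly terminated (or a name that fills the buffer treated as an error); and `gethostname` returns the kernel hostname, which may be the short name rather than the FQDN, in which case the synthesized `DNS/<short-name>` principal will not match the `DNS/<fqdn>@REALM` entry normally present in the keytab and the later kinit in `ldap_reconnect` fails with a far less obvious error. Logging the chosen default at a level the admin sees by default, rather than only at `log_debug(2, ...)`, would make that misconfiguration much easier to spot.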
From: atkac at redhat.com (Adam Tkac)
Date: Mon, 3 Jan 2011 16:21:04 +0100
Subject: [Freeipa-devel] [PATCH] Fix handling of ANY queries in bind-dyndb-ldap
Message-ID: <20110103152104.GA32252@evileye.atkac.brq.redhat.com>

>> attached patches fix handling of ANY queries in bind-dyndb-ldap
>> backend.
>>
>> The first patch implements dns_rdatasetiter interface which is
>> needed
>> by allrdatasets() DB method (implemented in the second patch).
>> The allrdatasets() database method is used by the named daemon to
>> handle ANY queries.
>>
>> The third patch fixes the find() DB method to correctly return the
>> complete database node for a certain DNS name. Details are below.
>>
>> If there are no objections I will push the patches.
>
> Patches look good.
> But I haven't had a chance to test them.
>
> Do you happen to have a scratch build handy?

Yes, I have a Fedora 14 test machine with bind-dyndb-ldap & OpenLDAP and I verified the patch works well. Feel free to ask me off-list if you need access to the machine.

Regards, Adam

--
Adam Tkac, Red Hat, Inc.

From rcritten at redhat.com Mon Jan 3 15:23:10 2011
From: rcritten at redhat.com (Rob Crittenden)
Date: Mon, 03 Jan 2011 10:23:10 -0500
Subject: [Freeipa-devel] [PATCH] netgroups created by hostgroups lacked info
In-Reply-To:
References:
Message-ID: <4D21E9DE.3030408@redhat.com>

JR Aquino wrote:
> Fix for ticket #653
> https://fedorahosted.org/freeipa/ticket/653
>
> The managed netgroup was missing the ipaObject objectclass and the
> nisDomain attribute when created from a hostgroup.
>
> Please review and ack.
>

ack, pushed to master

From rcritten at redhat.com Mon Jan 3 16:30:03 2011
From: rcritten at redhat.com (Rob Crittenden) Date: Mon, 03 Jan 2011 11:30:03 -0500 Subject: [Freeipa-devel] [PATCH 21/21] fixes CA install problem in trac ticket 682 In-Reply-To: <266302585.91157.1294047545790.JavaMail.root@zmail05.collab.prod.int.phx2.redhat.com> References: <266302585.91157.1294047545790.JavaMail.root@zmail05.collab.prod.int.phx2.redhat.com> Message-ID: <4D21F98B.3030608@redhat.com> Simo Sorce wrote: > ----- Original Message ----- >> Do not call status after pkisilent, it will return non-zero. >> Instead restart server after pkisilent so configuration >> changes take effect, the check the status. > > Ack. > > Simo. > My question is: will this still work on F-13 (I don't think it will) and does it matter? rob From ayoung at redhat.com Mon Jan 3 16:56:32 2011 From: ayoung at redhat.com (Adam Young) Date: Mon, 03 Jan 2011 11:56:32 -0500 Subject: [Freeipa-devel] [PATCH] fail clean add and edit Message-ID: <4D21FFC0.3020103@redhat.com> Pushed under the one-line rule commit c2a243365764df94f4be666eb1e39e8e82f13be0 Author: Adam Young Date: Mon Jan 3 11:40:54 2011 -0500 fail clean add and edit Don't close the dialog if the add fails and the user clickes add and edit fixes. https://fedorahosted.org/freeipa/ticket/663 diff --git a/install/static/add.js b/install/static/add.js index 22914bb..0acf785 100644 --- a/install/static/add.js +++ b/install/static/add.js @@ -77,7 +77,7 @@ function ipa_add_dialog(spec) { state[that.entity_name + '-pkey'] = pkey; $.bbq.pushState(state); }, - function() { that.close(); } + function() { } ); }); From dpal at redhat.com Mon Jan 3 17:23:29 2011 
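Review bot: in the `@@ -77,7 +77,7 @@` hunk the error callback becomes an empty `function() { }`, which keeps the dialog open on a failed add (the intent per the commit message) but, from the visible lines, shows nothing to the user; if the command layer that invokes this callback does not already render the server error, the dialog silently stays open with no indication of why. Confirm the error is surfaced elsewhere, and in any case leave a one-line comment in the empty body (e.g. `// keep the dialog open so the user can fix the entry`) so the next reader does not mistake it for a dropped handler.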
From: dpal at redhat.com (Dmitri Pal)
Date: Mon, 03 Jan 2011 12:23:29 -0500
Subject: [Freeipa-devel] [PATCH 21/21] fixes CA install problem in trac ticket 682
In-Reply-To: <4D21F98B.3030608@redhat.com>
References: <266302585.91157.1294047545790.JavaMail.root@zmail05.collab.prod.int.phx2.redhat.com> <4D21F98B.3030608@redhat.com>
Message-ID: <4D220611.1030300@redhat.com>

Rob Crittenden wrote:
> Simo Sorce wrote:
>> ----- Original Message -----
>>> Do not call status after pkisilent, it will return non-zero.
>>> Instead restart server after pkisilent so configuration
>>> changes take effect, then check the status.
>>
>> Ack.
>>
>> Simo.
>>
>
> My question is: will this still work on F-13 (I don't think it will)
> and does it matter?
>
I think we need to drop F13 since:
* Kerberos 1.9 will not be ported back to F13.
* Dogtag relies on tomcat6.
* The entitlements library is only in F14 AFAIU.

All components seem to align cleanly on F14. I doubt we would be able to do the same on F13 without a significant effort.

> rob
>
> _______________________________________________
> Freeipa-devel mailing list
> Freeipa-devel at redhat.com
> https://www.redhat.com/mailman/listinfo/freeipa-devel
>
>
--
Thank you,
Dmitri Pal

Sr. Engineering Manager IPA project,
Red Hat Inc.

-------------------------------
Looking to carve out IT costs?
www.redhat.com/carveoutcosts/

From ayoung at redhat.com Mon Jan 3 18:15:58 2011
From: ayoung at redhat.com (Adam Young)
Date: Mon, 03 Jan 2011 13:15:58 -0500
Subject: [Freeipa-devel] [PATCH] admiyo-0124-fix-krbtpolicy-update
Message-ID: <4D22125E.8010407@redhat.com>

-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-admiyo-0124-fix-krbtpolicy-update.patch
Type: text/x-patch
Size: 1681 bytes
Desc: not available
URL:

From ayoung at redhat.com Mon Jan 3 18:16:52 2011
From: ayoung at redhat.com (Adam Young) Date: Mon, 03 Jan 2011 13:16:52 -0500 Subject: [Freeipa-devel] [PATCH] one liner to hide automount Message-ID: <4D221294.8000403@redhat.com> Pushed under the one line rule. commit eb6f21524653a674dd16c34c9a4df9d7a351d9f8 Author: Adam Young Date: Thu Dec 23 09:40:15 2010 -0500 hide autommount since automount is not yet implemented, remove it from the menu diff --git a/install/static/webui.js b/install/static/webui.js index de90b72..f17db8b 100644 --- a/install/static/webui.js +++ b/install/static/webui.js @@ -42,7 +42,6 @@ var admin_tab_set = [ {name:'sudocmd', entity:'sudocmd'}, {name:'sudocmdgroup', entity:'sudocmdgroup'} ]}, - {name:'automountlocation', entity:'automountlocation'}, {name:'pwpolicy', entity:'pwpolicy'}, {name:'krbtpolicy', entity:'krbtpolicy'} ]}, From roland.kaeser at intersoft-networks.ch Mon Jan 3 18:37:51 2011 
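Review bot: the `@@ -42,7 +42,6 @@` hunk only drops `automountlocation` from the `admin_tab_set` menu; since the commit touches just `install/static/webui.js`, the entity definition this tab pointed at, and any hash-state deep link to it of the kind `$.bbq.pushState` produces elsewhere in the UI, is presumably still live, so the unimplemented screen stays reachable by URL even though it is hidden from the menu. A comment at the removed line, or a reference to the automount ticket in the commit message, would make sure the entry is restored rather than forgotten when automount lands.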
From: roland.kaeser at intersoft-networks.ch (Roland Kaeser) Date: Mon, 3 Jan 2011 19:37:51 +0100 (CET) Subject: [Freeipa-devel] [Freeipa-interest] Announcing FreeIPA v2 Server Beta 1 Release In-Reply-To: <4D21D573.7090306@redhat.com> Message-ID: <465055.24.1294079871281.JavaMail.javamailuser@localhost> Strange, even in the v2 outline (http://www.freeipa.org/page/V2Outline) is excplicitly written that ad integration and samba 3 support will be one of the features of v2. If not its completly unusable to me, and verisimilar also to the most other potential users. Its sad, but in the most cases, sysadmins have to deal with windows machines in their network. So at the moment they have only the choice between a AD and a samba domain (with LDAP). FreeIPA whould have so much potential if it acts as a central authentication and identity management plaform which connects all the diffrent network systems together Specially in a rhev environment with vdi infrastructures could it be the central point for authentification, authorization and auditing. But if the current intention will not change, freeipa will become just another pice of unusable software which will die soon. Its very sad. Regards Roland ----- Urspr?ngliche Mail ----- Von: "Dmitri Pal" An: "Roland K?ser" CC: freeipa-devel at redhat.com, freeipa-users at redhat.com Gesendet: Montag, 3. Januar 2011 14:56:03 Betreff: Re: [Freeipa-devel] [Freeipa-interest] Announcing FreeIPA v2 Server Beta 1 Release Roland Kaeser wrote: > Hello > > Great, I just tested it on F-13 and it runs fine so far. > But I'm missing a very important feature (to me) which is: Samba Support. > > Are there any plans to build samba support into freeipa 2? It would be very great to have on single > authentication authority without the need of installing active directory. > > Regards > > Roland Kaeser > > There are no plans to integrate Samba in a way you describe. 
Our next goal on this path is to allow cross Kerberos trusts (IPA v3) but supporting Windows clients natively is not something we have in mind. The intent however to pretend that IPA is yet another AD domain. If your main domain is going to be Samba 4 instead of AD it might work without installing AD. But we do not plan to carry install and configure Samba 4 ourselves at least in the near future (read couple years). Thank you Dmitri > ----- Urspr?ngliche Mail ----- > Von: "Dmitri Pal" > An: "freeipa-devel" , "." , freeipa-interest at redhat.com > Gesendet: Donnerstag, 23. Dezember 2010 09:06:58 > Betreff: [Freeipa-interest] Announcing FreeIPA v2 Server Beta 1 Release > > To all freeipa-interest, freeipa-users and freeipa-devel list members, > > The FreeIPA project team is pleased to announce the availability of the > Beta 1 release of freeIPA 2.0 server [1]. > - Binaries are available for F-13 and F-14. > - With this beta freeIPA is feature complete. > - Please do not hesitate to share feedback, criticism or bugs with us on > our mailing list: freeipa-users at redhat.com > > Main Highlights of the Beta > - This beta is the first attempt to show all planned capabilities of the > upcoming release. > - For the first time the new UI is mostly operational and can be used to > perform management of the system. > - Some areas are still very rough and we will appreciate your help with > those. > > Focus of the Beta Testing > - Please take a moment and look at the new Web UI. Any feedback about > the general approaches, work flows, and usability is appreciated. It is > still very rough but one can hopefully get a good understanding of how > we plan the final UI to function and look like. > - Replication management was significantly improved. Testing of multi > replica configurations should be easier. > - We are looking for a feedback about the DNS integration and networking > issues you find in your environment configuring and using IPA with the > embedded DNS enabled. 
> > Significant Changes Since Alpha 5 > - FreeIPA has changed its license to GPLv3+ > - Having IPA manage the reverse zone is optional. > - The access control subsystem was re-written to be more understandable. > For details see [2] > - Support for SUDO rules > - There is now a distinction between replicas and their replication > agreements in the ipa-replica-manage command. It is now much easier to > manage the replication topology. > - Renaming entries is easier with the --rename option of the mod commands. > - Fix special character handling in passwords, ensure that passwords are > not logged. > - Certificates can be saved as PEM files in service-show and host-show > commands. > - All IPA services are now started/stopped using the ipactl command. > This gives us better control over the start/stop order during > reboot/shutdown. > - Set up ntpd first so the time is sane. > - Better multi-valued value handle with --setattr and --addattr. > - Add support for both RFC2307 and RFC2307bis to migration. > - UID ranges were reduced by default from 1M to 200k. > - Add ability to add/remove DNS records when adding/removing a host entry. > - A number of i18n issues have been addressed. > - Updated a lot of man pages. > > What is not Complete > - We are still using older version of the Dogtag. New version of the > Dogtag Certificate System will be based on tomcat6 and is forthcoming. > - We plan to take advantage of Kerberos 1.9 that was released today but > we have not finished the integration effort yet. > > Known Issues > - IPV6 works in the installer but not the server itself > - Make sure you machine can properly resolve its name before installing > the server. Edit /etc/hosts to remove host name from the localhost and > localhost6 lines if needed. > - The UI is still rough in places
Use the following query [3] to see > the tickets currently open against UI. > - Dogtag does not work out-of-the-box on Fedora 14. To fix it for > the time being run: > # ln -s /usr/share/java/xalan-j2-serializer.jar > /usr/share/tomcat5/common/lib/xalan-j2-serializer.jar > - Instead of Dogtag on F14 you can also try the self-signed CA which is > similar to the CA that was provided in IPA v1. This was designed for > testing and development and not recommended for deployment. > - Make sure you enable the updates-testing repository on your fedora machine. > > Thank you, > FreeIPA development team > > [1] http://www.freeipa.org/page/Downloads > [2] http://freeipa.org/page/Permissions > [3] https://fedorahosted.org/freeipa/report/12 > > _______________________________________________ > Freeipa-interest mailing list > Freeipa-interest at redhat.com > https://www.redhat.com/mailman/listinfo/freeipa-interest > > -- Thank you, Dmitri Pal Sr. Engineering Manager IPA project, Red Hat Inc. ------------------------------- Looking to carve out IT costs? www.redhat.com/carveoutcosts/ -- InterSoft Networks Roland Käser, Systems Engineer OpenSource Fulachstr. 197, 8200 Schaffhausen Tel: +41 77 415 79 11 ------------------------------------------------------------------------------------------------------------------------------ Those who give up their freedom for the sake of security will in the end have neither, and do not deserve either. 
(Benjamin Franklin) ------------------------------------------------------------------------------------------------------------------------------ From dpal at redhat.com Mon Jan 3 19:20:30 2011 From: dpal at redhat.com (Dmitri Pal) Date: Mon, 03 Jan 2011 14:20:30 -0500 Subject: [Freeipa-devel] [Freeipa-interest] Announcing FreeIPA v2 Server Beta 1 Release In-Reply-To: <465055.24.1294079871281.JavaMail.javamailuser@localhost> References: <465055.24.1294079871281.JavaMail.javamailuser@localhost> Message-ID: <4D22217E.5020105@redhat.com> Roland Kaeser wrote: > Strange, even in the v2 outline (http://www.freeipa.org/page/V2Outline) it is explicitly written that AD integration and Samba 3 support will be one of the features of v2. I guess there is some misinterpretation. Samba 3 does not provide a way to integrate contemporary Windows clients. The Samba 3 integration mentioned in the outline is the integration of Samba 3 as a CIFS server. > If not, it's completely unusable to me, and verisimilar also to most other potential users. It is assumed that most of the current users currently have AD in their environment anyways. We are not putting a goal of taking over the world and replacing AD altogether. Rather we plan to interoperate with it. > It's sad, but in most cases, sysadmins have to deal with Windows machines in their network. So at the moment they have only the choice between an AD and a Samba domain (with LDAP). Samba 4 is the alternative to AD. > FreeIPA would have so much potential if it acts as a central authentication and identity management platform which connects all the different network systems together. It will connect by allowing cross Kerberos trust with AD/Samba 4 but its goal is not to replace AD as a primary identity server for Windows clients. It is just not possible to do other than re-implement AD, which Samba 4 already does. 
So if you want to move away from AD you might take advantage of Samba 4 as a replacement for your AD and, using cross Kerberos trusts, allow SSO with the IPA environment. At some point we might make this integration more automatic but this is not on the road map for now. > Especially in a RHEV environment with VDI infrastructures it could be the central point for authentication, authorization and auditing. Absolutely! The RHEV environment is something we definitely have in mind and the cross Kerberos trust solution we plan for v3 should address this use case. It is a question of how complete the implementation of the trusts will be. Depending on time we might go for the higher priority use cases (IPA is a resource domain) rather than the full trust required for VDI to work the way you envision. But still VDI is a significant use case we have in mind. > But if the current intention will not change, FreeIPA will become just another piece of unusable software which will die soon. It's very sad. > > The intention is to be realistic and not require drastic changes to existing environments where AD is dominating. > Regards > > Roland > > > ----- Original Message ----- > From: "Dmitri Pal" > To: "Roland Käser" > CC: freeipa-devel at redhat.com, freeipa-users at redhat.com > Sent: Monday, 3 January 2011 14:56:03 > Subject: Re: [Freeipa-devel] [Freeipa-interest] Announcing FreeIPA v2 Server Beta 1 Release > > Roland Kaeser wrote: > >> Hello >> >> Great, I just tested it on F-13 and it runs fine so far. >> But I'm missing a very important feature (to me) which is: Samba Support. >> >> Are there any plans to build samba support into freeipa 2? It would be very great to have one single >> authentication authority without the need of installing active directory. >> >> Regards >> >> Roland Kaeser >> >> >> > > There are no plans to integrate Samba in a way you describe. 
Our next > goal on this path is to allow cross Kerberos trusts (IPA v3) but > supporting Windows clients natively is not something we have in mind. > The intent however is to pretend that IPA is yet another AD domain. If your > main domain is going to be Samba 4 instead of AD it might work without > installing AD. But we do not plan to carry install and configure Samba 4 > ourselves at least in the near future (read: a couple of years). > > Thank you > Dmitri > > > > > >> ----- Original Message ----- >> From: "Dmitri Pal" >> To: "freeipa-devel" , "." , freeipa-interest at redhat.com >> Sent: Thursday, 23 December 2010 09:06:58 >> Subject: [Freeipa-interest] Announcing FreeIPA v2 Server Beta 1 Release >> >> [...] >> >> >> > > > -- Thank you, Dmitri Pal Sr. Engineering Manager IPA project, Red Hat Inc. ------------------------------- Looking to carve out IT costs? www.redhat.com/carveoutcosts/ 
From ayoung at redhat.com Mon Jan 3 19:34:34 2011 From: ayoung at redhat.com (Adam Young) Date: Mon, 03 Jan 2011 14:34:34 -0500 Subject: [Freeipa-devel] [PATCH] Disable action panel links when the selected entry is deleted. 
In-Reply-To: <4D1FDC9D.6040404@redhat.com> References: <4D1CB6F1.1050208@redhat.com> <4D1FDC9D.6040404@redhat.com> Message-ID: <4D2224CA.7050908@redhat.com> On 01/01/2011 09:02 PM, Adam Young wrote: > On 12/30/2010 11:44 AM, Pavel Zůna wrote: >> Fix #685 >> >> Pavel > ACK pushed to master From rcritten at redhat.com Mon Jan 3 20:07:21 2011 From: rcritten at redhat.com (Rob Crittenden) Date: Mon, 03 Jan 2011 15:07:21 -0500 Subject: [Freeipa-devel] [PATCH] 659 drop CoS for activation Message-ID: <4D222C79.4080000@redhat.com> Drop using a Class of Service for account activation. It added a lot of unnecessary complexity. Instead just update the nsaccountlock attribute directly. ticket 568 rob -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-rcrit-659-lock.patch Type: text/x-patch Size: 5859 bytes Desc: not available URL: From rcritten at redhat.com Mon Jan 3 20:13:43 2011 From: rcritten at redhat.com (Rob Crittenden) Date: Mon, 03 Jan 2011 15:13:43 -0500 Subject: [Freeipa-devel] [PATCH] 660 set minimum uidnumber to 1 Message-ID: <4D222DF7.9070604@redhat.com> Don't allow a user's uid (uidnumber) to be set to 0. The set/addattr routines call the validator rules so this is sufficient to cover both: ipa user-add --first=tim --last=user --uid=0 tuser1 and ipa user-mod --setattr uidnumber=0 tuser1 ticket 578 -------------- next part -------------- A non-text attachment was scrubbed... 
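The shared-validator design in Rob's patch description, modelled as an added example (this is not FreeIPA's code; positive_int_rule, USER_PARAMS, user_add, user_mod, parse_attr_spec and is_rejected are hypothetical stand-ins for the rule table and the two command paths): both --uid on user-add and --setattr/--addattr on user-mod run the same rule, so a uidnumber of 0 is rejected whichever way it arrives.

```python
# Added example, not FreeIPA's own code: one validator table that both the
# create path (user-add --uid) and the modify path (user-mod --setattr /
# --addattr uidnumber=...) run, so uidnumber 0 is rejected on either path.
# Every name below (positive_int_rule, USER_PARAMS, user_add, user_mod,
# parse_attr_spec, is_rejected) is a hypothetical stand-in.


class ValidationError(ValueError):
    """Raised when a parameter value fails its validator rule."""


def positive_int_rule(attr):
    """Build a rule that accepts a decimal integer >= 1 for ``attr``.

    uid 0 and gid 0 are root on every client that trusts the directory,
    so the floor has to hold no matter which command supplied the value.
    """
    def rule(value):
        try:
            # "0", "00" and "+0" all parse to 0 and are caught by the floor
            number = int(str(value).strip(), 10)
        except ValueError:
            raise ValidationError("%s: must be a decimal integer" % attr) from None
        if number < 1:
            raise ValidationError("%s: must be at least 1" % attr)
        return number
    return rule


# One table serves both code paths.  LDAP attribute types are
# case-insensitive, so keys are lower-case and lookups are case-folded.
USER_PARAMS = {
    "uidnumber": positive_int_rule("uidnumber"),
    "gidnumber": positive_int_rule("gidnumber"),
}


def _check(attr, value):
    """Apply the rule registered for attr; attributes without one pass through."""
    rule = USER_PARAMS.get(attr.lower())
    return rule(value) if rule else value


def user_add(login, first, last, uid=None):
    """Create path: --uid is the uidnumber parameter and runs its rule."""
    entry = {"uid": [login], "givenname": [first], "sn": [last]}
    if uid is not None:
        entry["uidnumber"] = [_check("uidnumber", uid)]
    return entry


def parse_attr_spec(spec):
    """Split one --setattr/--addattr argument 'attr=value' at its first '='."""
    attr, sep, value = spec.partition("=")
    attr = attr.strip().lower()
    if not sep or not attr:
        raise ValidationError("expected attr=value, got %r" % spec)
    return attr, value


def user_mod(entry, setattr_specs=(), addattr_specs=()):
    """Modify path: every --setattr/--addattr value runs the same rule table
    before anything is written, so a rejected value leaves the entry as is."""
    pending = {}
    for spec in setattr_specs:                # --setattr replaces all values
        attr, value = parse_attr_spec(spec)
        pending[attr] = [_check(attr, value)]
    for spec in addattr_specs:                # --addattr appends one value
        attr, value = parse_attr_spec(spec)
        values = pending.setdefault(attr, list(entry.get(attr, [])))
        values.append(_check(attr, value))
    updated = dict(entry)
    updated.update(pending)
    return updated


def is_rejected(func, *args, **kwargs):
    """True when the call fails a validator rule (used by the demo below)."""
    try:
        func(*args, **kwargs)
    except ValidationError:
        return True
    return False


if __name__ == "__main__":
    tuser1 = user_add("tuser1", "tim", "user", uid=1500)
    print(is_rejected(user_add, "tuser2", "tim", "user", uid=0))          # True
    print(is_rejected(user_mod, tuser1, setattr_specs=["uidnumber=0"]))   # True
    print(is_rejected(user_mod, tuser1, setattr_specs=["UIDNumber=00"]))  # True
    print(user_mod(tuser1, setattr_specs=["uidnumber=1501"])["uidnumber"])  # [1501]
```

The lookup is case-folded because LDAP attribute types are case-insensitive; a table keyed on one exact spelling would let a differently cased attribute name skip the rule.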
Name: freeipa-rcrit-660-uid.patch Type: text/x-patch Size: 742 bytes Desc: not available URL: From ayoung at redhat.com Mon Jan 3 20:31:51 2011 From: ayoung at redhat.com (Adam Young) Date: Mon, 03 Jan 2011 15:31:51 -0500 Subject: [Freeipa-devel] [PATCH] 660 set minimum uidnumber to 1 In-Reply-To: <4D222DF7.9070604@redhat.com> References: <4D222DF7.9070604@redhat.com> Message-ID: <4D223237.6090600@redhat.com> On 01/03/2011 03:13 PM, Rob Crittenden wrote: > Don't allow a user's uid (uidnumber) to be set to 0. > > The set/addattr routines call the validator rules so this is > sufficient to cover both: > > ipa user-add --first=tim --last=user --uid=0 tuser1 > > and > > ipa user-mod --setattr uidnumber=0 tuser1 > > ticket 578 ACK. From rcritten at redhat.com Mon Jan 3 21:05:15 2011 From: rcritten at redhat.com (Rob Crittenden) Date: Mon, 03 Jan 2011 16:05:15 -0500 Subject: [Freeipa-devel] [PATCH] 661 use correct options in host-del Message-ID: <4D223A0B.2080607@redhat.com> It was inheriting from LDAPCreate so had add and setattr!? ticket 652. rob -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-rcrit-661-host.patch Type: text/x-patch Size: 845 bytes Desc: not available URL: From ayoung at redhat.com Mon Jan 3 21:23:16 2011 From: ayoung at redhat.com (Adam Young) Date: Mon, 03 Jan 2011 16:23:16 -0500 Subject: [Freeipa-devel] [PATCH] 661 use correct options in host-del In-Reply-To: <4D223A0B.2080607@redhat.com> References: <4D223A0B.2080607@redhat.com> Message-ID: <4D223E44.70702@redhat.com> On 01/03/2011 04:05 PM, Rob Crittenden wrote: > It was inheriting from LDAPCreate so had add and setattr!? > > ticket 652. 
> > rob > > ACK From benjamin.vogt at serv24.biz Mon Jan 3 20:17:48 2011 From: benjamin.vogt at serv24.biz (Benjamin Vogt) Date: Mon, 3 Jan 2011 21:17:48 +0100 Subject: [Freeipa-devel] [Freeipa-users] [Freeipa-interest] Announcing FreeIPA v2 Server Beta 1 Release In-Reply-To: <465055.24.1294079871281.JavaMail.javamailuser@localhost> References: <4D21D573.7090306@redhat.com> <465055.24.1294079871281.JavaMail.javamailuser@localhost> Message-ID: <000001cbab83$4b278de0$e176a9a0$@serv24.biz> I have to agree with Roland. Linux is lacking a complete solution that acts as a "central authentication and identity management platform". I would like to be able to use Linux as the IT backbone without having to resort to Microsoft. The reality is that Windows clients are too widespread in most enterprises. So far, I don't see the benefits in upgrading from FreeIPA 1.2. As for reimplementing AD, is there any reason we could not use Samba 4 as a backend? There are other interesting projects that build on it, such as openchange which could be a viable Exchange replacement. Regards, - Ben -----Original Message----- From: freeipa-users-bounces at redhat.com [mailto:freeipa-users-bounces at redhat.com] On Behalf Of Roland Kaeser Sent: Monday, January 03, 2011 19:38 To: freeipa-devel at redhat.com; freeipa-users at redhat.com Subject: Re: [Freeipa-users] [Freeipa-devel] [Freeipa-interest] Announcing FreeIPA v2 Server Beta 1 Release Strange, even in the v2 outline (http://www.freeipa.org/page/V2Outline) it is explicitly written that AD integration and Samba 3 support will be one of the features of v2. If not, it's completely unusable to me, and verisimilar also to most other potential users. 
It's sad, but in most cases, sysadmins have to deal with Windows machines in their network. So at the moment they have only the choice between an AD and a Samba domain (with LDAP). FreeIPA would have so much potential if it acts as a central authentication and identity management platform which connects all the different network systems together. Especially in a RHEV environment with VDI infrastructures it could be the central point for authentication, authorization and auditing. But if the current intention will not change, FreeIPA will become just another piece of unusable software which will die soon. It's very sad. Regards Roland ----- Original Message ----- From: "Dmitri Pal" To: "Roland Käser" CC: freeipa-devel at redhat.com, freeipa-users at redhat.com Sent: Monday, 3 January 2011 14:56:03 Subject: Re: [Freeipa-devel] [Freeipa-interest] Announcing FreeIPA v2 Server Beta 1 Release Roland Kaeser wrote: > Hello > > Great, I just tested it on F-13 and it runs fine so far. > But I'm missing a very important feature (to me) which is: Samba Support. > > Are there any plans to build samba support into freeipa 2? It would be > very great to have one single authentication authority without the need of installing active directory. > > Regards > > Roland Kaeser > > There are no plans to integrate Samba in a way you describe. Our next goal on this path is to allow cross Kerberos trusts (IPA v3) but supporting Windows clients natively is not something we have in mind. The intent however is to pretend that IPA is yet another AD domain. If your main domain is going to be Samba 4 instead of AD it might work without installing AD. But we do not plan to carry install and configure Samba 4 ourselves at least in the near future (read: a couple of years). Thank you Dmitri > ----- Original Message ----- > From: "Dmitri Pal" > To: "freeipa-devel" , "." > , freeipa-interest at redhat.com > Sent: Thursday, 23 December 2010 09:06:58 > Subject: [Freeipa-interest] Announcing FreeIPA v2 Server Beta 1 > Release > > [...] > > -- Thank you, Dmitri Pal Sr. Engineering Manager IPA project, Red Hat Inc. ------------------------------- Looking to carve out IT costs? www.redhat.com/carveoutcosts/ -- InterSoft Networks Roland Käser, Systems Engineer OpenSource Fulachstr. 197, 8200 Schaffhausen Tel: +41 77 415 79 11 ------------------------------------------------------------------------------------------------------------------------------ Those who give up their freedom for the sake of security will in the end have neither, and do not deserve either. 
(Benjamin Franklin) ------------------------------------------------------------------------------------------------------------------------------ _______________________________________________ Freeipa-users mailing list Freeipa-users at redhat.com https://www.redhat.com/mailman/listinfo/freeipa-users From chorn at fluxcoil.net Mon Jan 3 19:38:52 2011 From: chorn at fluxcoil.net (Christian Horn) Date: Mon, 3 Jan 2011 20:38:52 +0100 Subject: [Freeipa-devel] [Freeipa-users] [Freeipa-interest] Announcing FreeIPA v2 Server Beta 1 Release In-Reply-To: <465055.24.1294079871281.JavaMail.javamailuser@localhost> References: <4D21D573.7090306@redhat.com> <465055.24.1294079871281.JavaMail.javamailuser@localhost> Message-ID: <20110103193851.GA11575@fluxcoil.net> On Mon, Jan 03, 2011 at 07:37:51PM +0100, Roland Kaeser wrote: > It's sad, but in most cases, sysadmins have to deal with > Windows machines in their network. True, but IMHO the strategy FreeIPA is currently following in doing interop with crossrealm-trusts is the only long-term way to go. Spending efforts to make FreeIPA behave like another exact-AD-clone is wasting resources; samba4 is already good in doing this special task. Yet it's interesting to see how stable samba4-operation in windows-AD-environments will be since one cannot be sure the samba4-project will be notified of protocol-changes etc. Crossrealm is used in some environments and Microsoft did also help with debugging of problems. FreeIPA could be the base for a linux/unix-worlds AD, bringing in all the good things about opensource software. 
Christian From dpal at redhat.com Mon Jan 3 21:42:59 2011 From: dpal at redhat.com (Dmitri Pal) Date: Mon, 03 Jan 2011 16:42:59 -0500 Subject: [Freeipa-devel] [Freeipa-users] [Freeipa-interest] Announcing FreeIPA v2 Server Beta 1 Release In-Reply-To: <000001cbab83$4b278de0$e176a9a0$@serv24.biz> References: <4D21D573.7090306@redhat.com> <465055.24.1294079871281.JavaMail.javamailuser@localhost> <000001cbab83$4b278de0$e176a9a0$@serv24.biz> Message-ID: <4D2242E3.8090007@redhat.com> Benjamin Vogt wrote: > I have to agree with Roland. Linux is lacking a complete solution that acts as a "central authentication and identity management platform". I would like to be able to use Linux as the IT backbone without having to resort to Microsoft. The reality is that Windows clients are too widespread in most enterprises. So far, I don't see the benefits in upgrading from FreeIPA 1.2. As for reimplementing AD, is there any reason we could not use Samba 4 as a backend? There are other interesting projects that build on it, such as openchange which could be a viable Exchange replacement. > We return to this discussion once in a while... Samba 4 is intended to be a duplicate of AD; this is how it is designed and implemented. It is not nice to UNIX/Linux in the same way as AD is not. This was one of the reasons we decided not to use Samba 4 as our back end though we did a lot of research and analysis. You can search archives from 2007/2008 for more details. What you are asking for is a very appealing goal but unfortunately not something that can be easily accomplished. Serving Windows clients by a non-Windows server is a challenge. Samba 4 tries to do it and still struggles after many years of development. We definitely would look at Samba 4 again when we see it sufficiently ready but this is not a priority for 2011. 
Thanks Dmitri > Regards, > - Ben > > -----Original Message----- > From: freeipa-users-bounces at redhat.com [mailto:freeipa-users-bounces at redhat.com] On Behalf Of Roland Kaeser > Sent: Monday, January 03, 2011 19:38 > To: freeipa-devel at redhat.com; freeipa-users at redhat.com > Subject: Re: [Freeipa-users] [Freeipa-devel] [Freeipa-interest] Announcing FreeIPA v2 Server Beta 1 Release > > Strange, even in the v2 outline (http://www.freeipa.org/page/V2Outline) it is explicitly written that AD integration and Samba 3 support will be one of the features of v2. If not, it's completely unusable to me, and verisimilar also to most other potential users. It's sad, but in most cases, sysadmins have to deal with Windows machines in their network. So at the moment they have only the choice between an AD and a Samba domain (with LDAP). FreeIPA would have so much potential if it acts as a central authentication and identity management platform which connects all the different network systems together. Especially in a RHEV environment with VDI infrastructures it could be the central point for authentication, authorization and auditing. But if the current intention will not change, FreeIPA will become just another piece of unusable software which will die soon. It's very sad. > > Regards > > Roland > > > ----- Original Message ----- > From: "Dmitri Pal" > To: "Roland Käser" > CC: freeipa-devel at redhat.com, freeipa-users at redhat.com > Sent: Monday, 3 January 2011 14:56:03 > Subject: Re: [Freeipa-devel] [Freeipa-interest] Announcing FreeIPA v2 Server Beta 1 Release > > Roland Kaeser wrote: > >> Hello >> >> Great, I just tested it on F-13 and it runs fine so far. >> But I'm missing a very important feature (to me) which is: Samba Support. >> >> Are there any plans to build samba support into freeipa 2? It would be >> very great to have one single authentication authority without the need of installing active directory. 
>> >> Regards >> >> Roland Kaeser >> >> >> > > There are no plans to integrate Samba in a way you describe. Our next goal on this path is to allow cross Kerberos trusts (IPA v3) but supporting Windows clients natively is not something we have in mind. > The intent however is to pretend that IPA is yet another AD domain. If your main domain is going to be Samba 4 instead of AD it might work without installing AD. But we do not plan to carry install and configure Samba 4 ourselves at least in the near future (read: a couple of years). > > Thank you > Dmitri > > > > > >> ----- Original Message ----- >> From: "Dmitri Pal" >> To: "freeipa-devel" , "." >> , freeipa-interest at redhat.com >> Sent: Thursday, 23 December 2010 09:06:58 >> Subject: [Freeipa-interest] Announcing FreeIPA v2 Server Beta 1 >> Release >> >> [...] >> >> >> > > > -- > Thank you, > Dmitri Pal > > Sr. Engineering Manager IPA project, > Red Hat Inc. > > > ------------------------------- > Looking to carve out IT costs? > www.redhat.com/carveoutcosts/ > > > -- Thank you, Dmitri Pal Sr. Engineering Manager IPA project, Red Hat Inc. ------------------------------- Looking to carve out IT costs? www.redhat.com/carveoutcosts/ 
From rcritten at redhat.com Mon Jan 3 21:43:56 2011 From: rcritten at redhat.com (Rob Crittenden) Date: Mon, 03 Jan 2011 16:43:56 -0500 Subject: [Freeipa-devel] [PATCH] 662 start messagebus service Message-ID: <4D22431C.8090000@redhat.com> Always start the messagebus service so that certmonger will work properly. There have been reports from some very minimal installs that this service isn't started. ticket 528 rob -------------- next part -------------- A non-text attachment was scrubbed... 
Name: freeipa-rcrit-662-bus.patch
Type: text/x-patch
Size: 894 bytes
Desc: not available
URL:

From ssorce at redhat.com Tue Jan 4 12:13:05 2011
From: ssorce at redhat.com (Simo Sorce)
Date: Tue, 04 Jan 2011 07:13:05 -0500
Subject: [Freeipa-devel] [PATCH 21/21] fixes CA install problem in trac ticket 682
In-Reply-To: <4D220611.1030300@redhat.com>
References: <266302585.91157.1294047545790.JavaMail.root@zmail05.collab.prod.int.phx2.redhat.com> <4D21F98B.3030608@redhat.com> <4D220611.1030300@redhat.com>
Message-ID: <1294143185.2930.0.camel@localhost.localdomain>

On Mon, 2011-01-03 at 12:23 -0500, Dmitri Pal wrote:
> Rob Crittenden wrote:
> > Simo Sorce wrote:
> >> ----- Original Message -----
> >>> Do not call status after pkisilent, it will return non-zero.
> >>> Instead restart server after pkisilent so configuration
> >>> changes take effect, then check the status.
> >>
> >> Ack.
> >>
> >> Simo.
> >>
> >
> > My question is: will this still work on F-13 (I don't think it will) and does it matter?
> >
> I think we need to drop F13 since:
> * Kerberos 1.9 will not be ported back to F13.
> * Dogtag relies on tomcat6.
> * The entitlements library is only in F14 AFAIU.
>
> All components seem to align cleanly on F14. I doubt we would be able to do the same on F13 without a significant effort.

I agree, besides F13 will be obsoleted as soon as F15 is out, so we would make a significant effort for less than a couple of months worth.

Simo.

From ssorce at redhat.com Tue Jan 4 12:34:04 2011
From: ssorce at redhat.com (Simo Sorce)
Date: Tue, 04 Jan 2011 07:34:04 -0500
Subject: [Freeipa-devel] [PATCH] 659 drop CoS for activation
In-Reply-To: <4D222C79.4080000@redhat.com>
References: <4D222C79.4080000@redhat.com>
Message-ID: <1294144444.2930.13.camel@localhost.localdomain>

On Mon, 2011-01-03 at 15:07 -0500, Rob Crittenden wrote:
> Drop using a Class of Service for account activation. It added a lot of unnecessary complexity.
> Instead just update the nsaccountlock attribute directly.
>
> ticket 568

ACK, glad to see this one to go, although we spent a lot of time getting it right...

Simo.

From ssorce at redhat.com Tue Jan 4 12:38:00 2011
From: ssorce at redhat.com (Simo Sorce)
Date: Tue, 04 Jan 2011 07:38:00 -0500
Subject: [Freeipa-devel] [PATCH] 662 start messagebus service
In-Reply-To: <4D22431C.8090000@redhat.com>
References: <4D22431C.8090000@redhat.com>
Message-ID: <1294144680.2930.15.camel@localhost.localdomain>

On Mon, 2011-01-03 at 16:43 -0500, Rob Crittenden wrote:
> Always start the messagebus service so that certmonger will work properly. There have been reports from some very minimal install that this service isn't started.
>
> ticket 528

ACK!

Simo.

From ssorce at redhat.com Tue Jan 4 14:39:27 2011
From: ssorce at redhat.com (Simo Sorce)
Date: Tue, 04 Jan 2011 09:39:27 -0500
Subject: [Freeipa-devel] [PATCH] 0042 Fix dns install on replicas
Message-ID: <1294151967.2930.19.camel@localhost.localdomain>

DNS installation on replicas was broken. This patch fixes both the --setup-dns switch of ipa-replica-install as well as running ipa-dns-install on an existing replica.

Simo.

-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-simo-0042-Allow-ipa-dns-install-to-configure-DNS-on-a-replica.patch
Type: application/mbox
Size: 6155 bytes
Desc: not available
URL:

From roland.kaeser at intersoft-networks.ch Tue Jan 4 09:04:14 2011
From: roland.kaeser at intersoft-networks.ch (Roland Kaeser)
Date: Tue, 4 Jan 2011 10:04:14 +0100 (CET)
Subject: [Freeipa-devel] [Freeipa-users] [Freeipa-interest] Announcing FreeIPA v2 Server Beta 1 Release
In-Reply-To: <4D2242E3.8090007@redhat.com>
Message-ID: <16231773.32.1294131854733.JavaMail.javamailuser@localhost>

>We return to this discussion once in a while...
>....
>Samba 4 tries to do it and still struggles after many years
>of development.
>We definitely would look at Samba 4 again when we see it
>sufficiently ready but this is not a priority for 2011.

Maybe this is the reason why freeipa has that less users and nearly no echo in the Linux community.

>Samba 4 is intended to be a duplicate of AD this is how it is designed
>and implemented.

The problem here is that Samba 4 is still alpha.

>I would like to be able to use Linux as the IT backbone without having to resort to Microsoft.

This is also our most implemented scenario. In the last year alone we migrated half a dozen companies away from Microsoft and AD (on the server side). This year a lot of companies are already planned for migration. Especially with the knowledge in mind that (based on the change of Microsoft's licensing model for hosters) around 1000 companies in Switzerland alone will switch their Abacus (www.abacus.ch, large ERP for Switzerland) platform to Linux, so it's REALLY, REALLY (I cannot write how much I would like to accentuate this) important to have network wide authentication and identity management software to build up large Linux server environments with Windows frontends. So, having Windows clients in the network is the reality; we cannot close our eyes to this only because it's a challenge to implement it.

>Linux is lacking a complete solution that acts as a "central authentication and identity
>management platform"

I think also this is the only huge area in Linux which is really missing. Just think about the huge potential of users and implementations if freeipa acts also as authentication instance for Windows environments. We alone (as a small company with 8 persons) would have the possibility for around 20 migrations this year. It's just daring to dream a bit, but from my point of view the authentication lack is the only remaining one which prevents the rest of the world (or even Europe and Switzerland) from massively migrating to Linux and open source (at least on the server side).
Regards

Roland

----- Original Message -----
From: "Dmitri Pal"
To: "Benjamin Vogt"
CC: "Roland Kaeser" , freeipa-devel at redhat.com, freeipa-users at redhat.com
Sent: Monday, 3 January 2011 22:42:59
Subject: Re: [Freeipa-devel] [Freeipa-users] [Freeipa-interest] Announcing FreeIPA v2 Server Beta 1 Release

Benjamin Vogt wrote:
> I have to agree with Roland. Linux is lacking a complete solution that acts as a "central authentication and identity management platform". I would like to be able to use Linux as the IT backbone without having to resort to Microsoft. The reality is that Windows clients are too widespread in most enterprises. So far, I don't see the benefits in upgrading from FreeIPA 1.2. As for reimplementing AD, is there any reason we could not use Samba 4 as a backend? There are other interesting projects that build on it, such as openchange which could be a viable Exchange replacement.
>

We return to this discussion once in a while...

Samba 4 is intended to be a duplicate of AD; this is how it is designed and implemented. It is not nice to UNIX/Linux in the same way as AD is not. This was one of the reasons we decided not to use Samba 4 as our back end though we did a lot of research and analysis. You can search archives from 2007/2008 for more details.

What you are asking for is a very appealing goal but unfortunately not something that can be easily accomplished. Serving Windows clients by a non Windows server is a challenge. Samba 4 tries to do it and still struggles after many years of development. We definitely would look at Samba 4 again when we see it sufficiently ready but this is not a priority for 2011.
Thanks
Dmitri

> Regards,
> - Ben
>
> -----Original Message-----
> From: freeipa-users-bounces at redhat.com [mailto:freeipa-users-bounces at redhat.com] On Behalf Of Roland Kaeser
> Sent: Monday, January 03, 2011 19:38
> To: freeipa-devel at redhat.com; freeipa-users at redhat.com
> Subject: Re: [Freeipa-users] [Freeipa-devel] [Freeipa-interest] Announcing FreeIPA v2 Server Beta 1 Release
>
> Strange, even in the v2 outline (http://www.freeipa.org/page/V2Outline) it is explicitly written that AD integration and Samba 3 support will be one of the features of v2. If not, it's completely unusable to me, and verisimilar also to most other potential users. It's sad, but in most cases sysadmins have to deal with Windows machines in their network. So at the moment they have only the choice between an AD and a Samba domain (with LDAP). FreeIPA would have so much potential if it acts as a central authentication and identity management platform which connects all the different network systems together. Especially in a RHEV environment with VDI infrastructures it could be the central point for authentication, authorization and auditing. But if the current intention will not change, freeipa will become just another piece of unusable software which will die soon. It's very sad.
>
> Regards
>
> Roland
>
>
> ----- Original Message -----
> From: "Dmitri Pal"
> To: "Roland Käser"
> CC: freeipa-devel at redhat.com, freeipa-users at redhat.com
> Sent: Monday, 3 January 2011 14:56:03
> Subject: Re: [Freeipa-devel] [Freeipa-interest] Announcing FreeIPA v2 Server Beta 1 Release
>
> Roland Kaeser wrote:
>
>> Hello
>>
>> Great, I just tested it on F-13 and it runs fine so far.
>> But I'm missing a very important feature (to me) which is: Samba Support.
>>
>> Are there any plans to build samba support into freeipa 2? It would be very great to have one single authentication authority without the need of installing active directory.
>> Regards
>> Roland Kaeser

--
InterSoft Networks
Roland Käser, Systems Engineer OpenSource
Fulachstr. 197, 8200 Schaffhausen
Tel: +41 77 415 79 11
------------------------------------------------------------------------------------------------------------------------------
Those who give up their freedom in favour of security will in the end have neither, and they don't deserve it either.
(Benjamin Franklin)
------------------------------------------------------------------------------------------------------------------------------

From roland.kaeser at intersoft-networks.ch Tue Jan 4 09:18:46 2011
From: roland.kaeser at intersoft-networks.ch (Roland Kaeser)
Date: Tue, 4 Jan 2011 10:18:46 +0100 (CET)
Subject: [Freeipa-devel] [Freeipa-users] [Freeipa-interest] Announcing FreeIPA v2 Server Beta 1 Release
In-Reply-To: <4D2242E3.8090007@redhat.com>
Message-ID: <28044184.36.1294132726351.JavaMail.javamailuser@localhost>

Sorry, forgot the last note:

From my point of view, for the moment it's not that much which is required. It would only be supporting the Samba LDAP attributes in the LDAP server and an extension of the management framework to create Samba domains, users, groups and machine accounts until Samba 4 is stable (already hoped for by the end of this year). As far as I understand the problems in Windows Kerberos and Samba, it should be possible to connect the Windows machines directly to the Kerberos server but have the Windows related information such as SIDs etc. also available through Samba, so login scripts and network wide security and single sign on should be possible.

Roland

From pzuna at redhat.com Tue Jan 4 15:30:41 2011
From: pzuna at redhat.com (Pavel Zuna)
Date: Tue, 04 Jan 2011 16:30:41 +0100
Subject: [Freeipa-devel] [PATCH] Improve filtering of enrollments search results.
Message-ID: <4D233D21.6040900@redhat.com>

This is required for effective filtering of enrollments search results in the webUI and also gives an edge to the CLI.

After this patch, each LDAPObject can define its relationships to other LDAPObjects. For now, this is used only for filtering search results by enrollments, but there are probably more benefits to come.

You can do this for example:

# search for all users not enrolled in group admins
ipa user-find --not-in-groups=admins

# search for all groups not enrolled in group global with user Pavel
ipa group-find --users=Pavel --not-in-groups=global

# more examples:
ipa group-find --users=Pavel,Jakub --no-users=Honza
ipa hostgroup-find --hosts=webui.pzuna

Pavel

-------------- next part --------------
A non-text attachment was scrubbed...
Name: pzuna-freeipa-54-filterenroll.patch
Type: text/x-patch
Size: 9281 bytes
Desc: not available
URL:

From pzuna at redhat.com Tue Jan 4 15:34:46 2011
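The option semantics described in the message above (require members, exclude members, exclude membership in a group) reduce to LDAP search-filter construction. The following is an added example, not code from the patch or from FreeIPA: it assumes a memberOf-style schema (group entries list members in `member`, member entries carry `memberOf`), constructed container DNs under `dc=example,dc=com`, and a small relationship table; FreeIPA's real containers, object classes and relationship definitions are not reproduced. The part a practitioner should care about is the two escaping steps (RFC 4514 for the DN component, RFC 4515 for the assertion value) that keep a user-supplied name from rewriting the filter.

```python
"""Membership-based LDAP search filters, with proper escaping.

Added example (not FreeIPA code). Container DNs, object classes and the
RELATIONSHIPS table below are constructed assumptions.
"""
from typing import Dict, Iterable, Tuple

BASE_DN = "dc=example,dc=com"  # constructed

# object type -> (RDN attribute, container DN); constructed layout
CONTAINERS: Dict[str, Tuple[str, str]] = {
    "users": ("uid", "cn=users,cn=accounts," + BASE_DN),
    "groups": ("cn", "cn=groups,cn=accounts," + BASE_DN),
    "hosts": ("fqdn", "cn=computers,cn=accounts," + BASE_DN),
}

# option name -> (attribute tested on the searched entry,
#                 type of the named entries,
#                 True if the option excludes rather than requires them)
RELATIONSHIPS: Dict[str, Tuple[str, str, bool]] = {
    "users": ("member", "users", False),
    "no_users": ("member", "users", True),
    "hosts": ("member", "hosts", False),
    "no_hosts": ("member", "hosts", True),
    "in_groups": ("memberOf", "groups", False),
    "not_in_groups": ("memberOf", "groups", True),
}


def escape_dn_value(value: str) -> str:
    """RFC 4514 escaping of one attribute value inside a DN:
    backslash-escape , + " \\ < > ; everywhere, '#' at the start and
    spaces at either end; hex-escape control characters."""
    out = []
    last = len(value) - 1
    for i, ch in enumerate(value):
        if ch in ',+"\\<>;' or (ch == "#" and i == 0) or (ch == " " and i in (0, last)):
            out.append("\\" + ch)
        elif ord(ch) < 0x20:
            out.append("\\%02x" % ord(ch))
        else:
            out.append(ch)
    return "".join(out)


def escape_filter_value(value: str) -> str:
    """RFC 4515 escaping of an assertion value inside a search filter.
    Without this, a name such as 'x)(uid=*' would inject filter syntax."""
    return "".join("\\%02x" % ord(ch) if ch in "\\*()\x00" else ch for ch in value)


def entry_dn(obj_type: str, name: str) -> str:
    rdn_attr, container = CONTAINERS[obj_type]
    return f"{rdn_attr}={escape_dn_value(name)},{container}"


def relationship_filter(option: str, names: Iterable[str]) -> str:
    """One clause for one option. Positive options require ALL named
    entries (AND); negative options exclude ANY of them (NOT OR)."""
    attr, obj_type, negate = RELATIONSHIPS[option]
    clauses = [f"({attr}={escape_filter_value(entry_dn(obj_type, n))})" for n in names]
    if not clauses:
        return ""
    if negate:
        inner = clauses[0] if len(clauses) == 1 else "(|" + "".join(clauses) + ")"
        return f"(!{inner})"
    return clauses[0] if len(clauses) == 1 else "(&" + "".join(clauses) + ")"


def build_search_filter(base_filter: str, **options: Iterable[str]) -> str:
    """AND the base object-class filter with one clause per option given."""
    parts = [base_filter]
    for option, names in options.items():
        clause = relationship_filter(option, names)
        if clause:
            parts.append(clause)
    return parts[0] if len(parts) == 1 else "(&" + "".join(parts) + ")"


if __name__ == "__main__":
    # the CLI examples from the message, expressed as filters
    print(build_search_filter("(objectClass=posixAccount)", not_in_groups=["admins"]))
    print(build_search_filter("(objectClass=groupOfNames)", users=["Pavel"], not_in_groups=["global"]))
    print(build_search_filter("(objectClass=groupOfNames)", users=["Pavel", "Jakub"], no_users=["Honza"]))
    # an attempt at filter injection is neutralised by escaping
    print(relationship_filter("users", ["x)(uid=*"]))
```

The AND/OR asymmetry is deliberate: `--users=Pavel,Jakub` should match groups containing both, while `--no-users=Honza,Jan` should exclude a group containing either. Escaping happens twice on purpose, once because the name becomes a DN component and once because that DN becomes a filter assertion value; skipping either step is the usual source of LDAP filter injection in search front ends.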
From: pzuna at redhat.com (Pavel Zuna)
Date: Tue, 04 Jan 2011 16:34:46 +0100
Subject: [Freeipa-devel] [PATCH] Improvements to enrollments in the webUI.
Message-ID: <4D233E16.6000709@redhat.com>

The patch is a bit bigger and more complex, so I expect this to be the first shot at it. There are some places where we need to handle localization better and be more generic when it comes to non-standard relationships like 'enrolledby' etc., but that can be done later. (I put a few TODOs in the code.)

Anyway, here's the changelog for this patch:
- Enrollment links in the action panel are now sorted by relationships.
- You can only enroll members. (The webUI made the impression you can enroll parents as well, but it was broken.)
- When enrolling new members, you can choose not to display already enrolled ones. (On by default.)
- A couple of cosmetic changes.

IT DEPENDS ON MY PATCH NUMBER 54 (Improve filtering of enrollments search results.)

Pavel

-------------- next part --------------
A non-text attachment was scrubbed...
Name: pzuna-freeipa-55-webuienroll.patch
Type: text/x-patch
Size: 12610 bytes
Desc: not available
URL:

From jzeleny at redhat.com Tue Jan 4 15:35:27 2011
From: jzeleny at redhat.com (Jan Zelený)
Date: Tue, 4 Jan 2011 16:35:27 +0100
Subject: [Freeipa-devel] [PATCH] Enable custom list of attributes to retrieve effective rights.
In-Reply-To: <4D1C502A.8050409@redhat.com>
References: <4D1C502A.8050409@redhat.com>
Message-ID: <201101041635.27965.jzeleny@redhat.com>

Pavel Zůna wrote:
> LDAPObject sub-classes can define a custom list of attributes for effective rights retrieval.
>
> Fix #677
>
> Pavel

ack

Jan

From JR.Aquino at citrix.com Tue Jan 4 16:25:31 2011
From: JR.Aquino at citrix.com (JR Aquino)
Date: Tue, 4 Jan 2011 16:25:31 +0000
Subject: [Freeipa-devel] [Freeipa-users] [Freeipa-interest] Announcing FreeIPA v2 Server Beta 1 Release
In-Reply-To: <16231773.32.1294131854733.JavaMail.javamailuser@localhost>
Message-ID:

On 1/4/11 1:04 AM, "Roland Kaeser" wrote:

>>We return to this discussion once in a while...
>>....
>>Samba 4 tries to do it and still struggles after many years
>>of development. We definitely would look at Samba 4 again when we see it
>>sufficiently ready but this is not a priority for 2011.
>
>Maybe this is the reason why freeipa has that less users and nearly no
>echo in the Linux community.

I disagree Roland. The Linux community at large is generally living in the dark ages of authorization management. There are no comparative comprehensive Linux solutions in the community thus far which actually address scalable authentication and authorization from Linux systems by a Linux solution. My observation is that the quiet in the community is due to the lack of solutions out there.

/etc/access.conf, pam_ldap, Certify, hosts.allow are very primitive means to control access to Linux clients. Regardless of how complex you make your authentication database, to this day you are still limited to: pam_ldap, access.conf, Certify, hosts.allow... These are very primitive means to control access to Linux clients.

With FreeIPA and SSSD, the first means of providing real RBAC/HBAC is available to the Open Source community. We cannot and should not attempt to explain the quiet with answers of disinterest or lack of Microsoft support. The fact is, there has not yet been a competent Linux solution and as a result the utilization of pure Linux environments has been stunted, with people settling for things like /etc/passwd, /etc/access.conf, pam_ldap, and NIS...

What you are describing is the reinventing of the wheel.
Which has previously been answered: if the goal is to provide an alternative Linux authentication/authorization method for Microsoft Windows, then there are already existing solutions out there: Samba4, Novell eDirectory + Directory Services for Windows...

FreeIPA serves to facilitate some of the most basic authentication/authorization interactions that other OSes have taken for granted for years.

>> Samba 4 is intended to be a duplicate of AD; this is how it is designed
>> and implemented.
> The problem here is that Samba 4 is still alpha.
>
>> I would like to be able to use Linux as the IT backbone without having
>> to resort to Microsoft.
> This is also our most implemented scenario. Only in the last year we migrated
> half a dozen companies away from Microsoft and AD (on the server side).
> This year a lot of companies are already planned for migration. Especially
> with the knowledge in mind that (based on the change of Microsoft's
> licensing model for hosters) around 1000 companies in Switzerland alone
> will switch their Abacus (www.abacus.ch, large ERP for Switzerland)
> platform to Linux, so it's REALLY, REALLY (I cannot write how much I would
> like to accentuate this) important to have a network-wide authentication
> and identity management software to build up large Linux server
> environments with Windows frontends.
> So, having Windows clients in the network is the reality; we cannot close
> our eyes to this only because it's a challenge to implement it.

Microsoft has designed a complete ecosystem to surround its client, server, email, and productivity solutions. It's not just a challenge to implement a successful means of replacing the backend, it is directly opposed to the goals of its creator: Microsoft. The various components within Microsoft's (and most commercial) solutions are designed at their core to be proprietary, with the effort of drawing in consumers to more pieces of their puzzle.
It is entirely likely that it will be necessary to have both solutions in place and working together, rather than attempting to circumvent Microsoft's solution.

>> Linux is lacking a complete solution that acts as a "central
>> authentication and identity management platform"
> I think also this is the only huge area in Linux which is really missing.
> Just think about the huge potential of users and implementations if
> FreeIPA acts also as an authentication instance for Windows environments.
> Just we alone (as a small company with 8 persons) would have the
> possibility for around 20 migrations this year. It is just vague to dream a
> bit, but from my point of view the authentication lack is the only
> remaining one which prevents the rest of the world (or even Europe and
> Switzerland) from massively migrating to Linux and open source (at least on
> the server side).

While I agree that a truly unified solution which answers all clients' authentication needs is a worthwhile concept, in practice, throughout my entire career, I've learned that the commercial design of this ecosystem conflicts with this ambitious ideal.

I have had a great deal of experience in highly dense and distributed (world wide) native Linux installations which service Windows clients. All tools are best used by their intended design. If the only tool you have is a hammer, you may approach all of your problems as if they are nails.

~~~~~~~~~~~~~~~~~~~~~~
Jr Aquino
Information Security Specialist
Citrix Online
GCIH, CCNA
From: ayoung at redhat.com (Adam Young)
Date: Tue, 04 Jan 2011 12:41:16 -0500
Subject: [Freeipa-devel] [PATCH] Improve filtering of enrollments search results.
In-Reply-To: <4D233D21.6040900@redhat.com>
References: <4D233D21.6040900@redhat.com>
Message-ID: <4D235BBC.5060200@redhat.com>

On 01/04/2011 10:30 AM, Pavel Zuna wrote:
> This is required for effective filtering of enrollments search
> results in the webUI and also gives an edge to the CLI.
>
> After this patch, each LDAPObject can define its relationships
> to other LDAPObjects. For now, this is used only for filtering
> search results by enrollments, but there are probably more
> benefits to come.
>
> You can do this for example:
>
> # search for all users not enrolled in group admins
> ipa user-find --not-in-groups=admins
>
> # search for all groups not enrolled in group global with user Pavel
> ipa group-find --users=Pavel --not-in-groups=global
>
> # more examples:
> ipa group-find --users=Pavel,Jakub --no-users=Honza
> ipa hostgroup-find --hosts=webui.pzuna
>
> Pavel

Nack, as is we lose all of the associations for users.

I suspect the changes to baseldap are safe, but can you explain why that is the case?

Haven't noticed any other shortcomings.
From: ayoung at redhat.com (Adam Young)
Date: Tue, 04 Jan 2011 12:45:03 -0500
Subject: [Freeipa-devel] [PATCH] Improvements to enrollments in the webUI.
In-Reply-To: <4D233E16.6000709@redhat.com>
References: <4D233E16.6000709@redhat.com>
Message-ID: <4D235C9F.1030601@redhat.com>

On 01/04/2011 10:34 AM, Pavel Zuna wrote:
> The patch is a bit bigger and more complex, so I expect this to be the
> first shot at it.
>
> There are some places where we need to handle localization better and
> be more generic when it comes to non-standard relationships like
> 'enrolledby' etc., but that can be done later. (I put a few TODOs in
> the code.)
>
> Anyway, here's the changelog for this patch:
>
> - Enrollment links in the action panel are now sorted by relationships.
> - You can only enroll members.
>   (The webUI gave the impression you can enroll parents as well, but it was
>   broken.)
> - When enrolling new members, you can choose not to display already enrolled
>   ones. (On by default.)
> - A couple of cosmetic changes.
>
> IT DEPENDS ON MY PATCH NUMBER 54 (Improve filtering of enrollments
> search results.)
>
> Pavel

Nack,

Make sure you filter out the object itself, so you can't enroll, for example, a group in itself.

For verbiage, use "Members" for objects enrolled in this object, and "Member of:" in place of parent.

Other than that, it looks good.
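Pavel's relationship options from patch 54 (`--users`, `--no-users`, `--not-in-groups`, quoted in the previous message) and the self-exclusion Adam asks for here, modelled in Python as an added example; this is not FreeIPA's code. The attribute names `member` and `memberOf`, the container DNs and `BASE_DN` are assumptions of the example.

```python
# Added example, not FreeIPA code: LDAP search filters built from the
# relationship options of the *-find commands, plus the "not the object
# itself" exclusion the enrollment dialog needs.  Attribute names
# (member, memberOf), containers and BASE_DN are assumptions.

BASE_DN = "dc=example,dc=test"  # constructed, not a real deployment

# object type -> (naming attribute, container relative to BASE_DN)
CONTAINERS = {
    "user": ("uid", "cn=users,cn=accounts"),
    "group": ("cn", "cn=groups,cn=accounts"),
    "host": ("fqdn", "cn=computers,cn=accounts"),
    "hostgroup": ("cn", "cn=hostgroups,cn=accounts"),
}

# object type -> option name -> (attribute, related object type, negate)
RELATIONSHIPS = {
    "user": {
        "in_groups": ("memberOf", "group", False),
        "not_in_groups": ("memberOf", "group", True),
    },
    "group": {
        "users": ("member", "user", False),
        "no_users": ("member", "user", True),
        "in_groups": ("memberOf", "group", False),
        "not_in_groups": ("memberOf", "group", True),
    },
    "host": {
        "in_hostgroups": ("memberOf", "hostgroup", False),
        "not_in_hostgroups": ("memberOf", "hostgroup", True),
    },
    "hostgroup": {
        "hosts": ("member", "host", False),
        "no_hosts": ("member", "host", True),
        "in_hostgroups": ("memberOf", "hostgroup", False),
        "not_in_hostgroups": ("memberOf", "hostgroup", True),
    },
}

# Which negated option means "not yet enrolled in a <target type>".
NOT_MEMBER_OPTION = {"group": "not_in_groups", "hostgroup": "not_in_hostgroups"}

# RFC 4515 escaping: names arrive from the CLI or web UI and must never be
# spliced into a filter raw, or a crafted name would rewrite the query.
_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}


def ldap_escape(value):
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def make_dn(obj_type, name):
    attr, container = CONTAINERS[obj_type]
    return f"{attr}={ldap_escape(name)},{container},{BASE_DN}"


def build_filter(obj_type, exclude_self=None, **options):
    """Filter for an `ipa <obj_type>-find` query.

    options maps relationship options (users, no_users, not_in_groups, ...)
    to lists of names; exclude_self removes the named object of obj_type.
    """
    attr, _ = CONTAINERS[obj_type]
    clauses = [f"({attr}=*)"]
    rels = RELATIONSHIPS.get(obj_type, {})
    for option, names in options.items():
        if option not in rels:
            raise ValueError(f"{obj_type} has no relationship {option!r}")
        rel_attr, rel_type, negate = rels[option]
        for name in names:
            clause = f"({rel_attr}={make_dn(rel_type, name)})"
            clauses.append(f"(!{clause})" if negate else clause)
    if exclude_self is not None:
        clauses.append(f"(!({attr}={ldap_escape(exclude_self)}))")
    return "(&" + "".join(clauses) + ")"


def enrollment_candidates_filter(target_type, target_name, member_type):
    """Filter for the "enroll new members" dialog: objects of member_type not
    yet members of the target, never offering the target as its own member."""
    option = NOT_MEMBER_OPTION.get(target_type)
    if option is None or option not in RELATIONSHIPS.get(member_type, {}):
        raise ValueError(f"cannot enroll {member_type} into {target_type}")
    self_name = target_name if member_type == target_type else None
    return build_filter(member_type, exclude_self=self_name,
                        **{option: [target_name]})


if __name__ == "__main__":
    # ipa user-find --not-in-groups=admins
    print(build_filter("user", not_in_groups=["admins"]))
    # ipa group-find --users=Pavel,Jakub --no-users=Honza
    print(build_filter("group", users=["Pavel", "Jakub"], no_users=["Honza"]))
    # web UI: groups that may still be enrolled in group "admins"
    print(enrollment_candidates_filter("group", "admins", "group"))
```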
From: rcritten at redhat.com (Rob Crittenden)
Date: Tue, 04 Jan 2011 14:57:28 -0500
Subject: [Freeipa-devel] [PATCH] 663 better keytab detection
Message-ID: <4D237BA8.1070602@redhat.com>

Make sure the file we're operating on is really a keytab in ipa-rmkeytab. Do this by creating a cursor into the keytab. The krb lib will return a failure if this can't be done.

ticket 654

rob

-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-rcrit-663-keytab.patch
Type: text/x-patch
Size: 1620 bytes
From: ayoung at redhat.com (Adam Young)
Date: Tue, 04 Jan 2011 15:24:57 -0500
Subject: [Freeipa-devel] [PATCH] Improve filtering of enrollments search results.
In-Reply-To: <4D235BBC.5060200@redhat.com>
References: <4D233D21.6040900@redhat.com> <4D235BBC.5060200@redhat.com>
Message-ID: <4D238219.8050703@redhat.com>

On 01/04/2011 12:41 PM, Adam Young wrote:
> On 01/04/2011 10:30 AM, Pavel Zuna wrote:
>> This is required for effective filtering of enrollments search
>> results in the webUI and also gives an edge to the CLI.
>>
>> After this patch, each LDAPObject can define its relationships
>> to other LDAPObjects. For now, this is used only for filtering
>> search results by enrollments, but there are probably more
>> benefits to come.
>>
>> You can do this for example:
>>
>> # search for all users not enrolled in group admins
>> ipa user-find --not-in-groups=admins
>>
>> # search for all groups not enrolled in group global with user Pavel
>> ipa group-find --users=Pavel --not-in-groups=global
>>
>> # more examples:
>> ipa group-find --users=Pavel,Jakub --no-users=Honza
>> ipa hostgroup-find --hosts=webui.pzuna
>>
>> Pavel
> Nack, as is we lose all of the associations for users.
>
> I suspect the changes to baseldap are safe, but can you explain why
> that is the case?
>
> Haven't noticed any other shortcomings.

OK, looks like this patch is not responsible for the missing associations.

So ACK
From: sgallagh at redhat.com (Stephen Gallagher)
Date: Tue, 04 Jan 2011 15:41:12 -0500
Subject: [Freeipa-devel] [PATCHES] [bind-dyndb-ldap] Two patches for minor Coverity issues
Message-ID: <4D2385E8.1090209@redhat.com>

Patch 0001: Fix missing varargs cleanup

The CHECK() macro may cause execution to skip down to the cleanup tag. If this happens, it would mean that we never called va_end() on "backup".

This patch reorganizes the code slightly to ensure that va_end() is always called.

Patch 0002: Fix potential out-of-bounds write

If there are exactly LD_MAX_SPLITS entries resulting from this split, the mandatory trailing NULL entry will be written to one entry past the end of the static array of LD_MAX_SPLITS size.

--
Stephen Gallagher
RHCE 804006346421761

Delivering value year after year.
Red Hat ranks #1 in value among software vendors.
http://www.redhat.com/promo/vendor/

-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0001-Fix-missing-varargs-cleanup.patch
Type: text/x-patch
Size: 1063 bytes
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0002-Fix-potential-out-of-bounds-write.patch
Type: text/x-patch
Size: 1032 bytes
From: rcritten at redhat.com (Rob Crittenden)
Date: Tue, 04 Jan 2011 16:54:10 -0500
Subject: [Freeipa-devel] [PATCH] 660 set minimum uidnumber to 1
In-Reply-To: <4D223237.6090600@redhat.com>
References: <4D222DF7.9070604@redhat.com> <4D223237.6090600@redhat.com>
Message-ID: <4D239702.2040706@redhat.com>

Adam Young wrote:
> On 01/03/2011 03:13 PM, Rob Crittenden wrote:
>> Don't allow a user's uid (uidnumber) to be set to 0.
>>
>> The set/addattr routines call the validator rules so this is
>> sufficient to cover both:
>>
>> ipa user-add --first=tim --last=user --uid=0 tuser1
>>
>> and
>>
>> ipa user-mod --setattr uidnumber=0 tuser1
>>
>> ticket 578
> ACK.

pushed to master

From: rcritten at redhat.com (Rob Crittenden)
Date: Tue, 04 Jan 2011 16:55:28 -0500
Subject: [Freeipa-devel] [PATCH] 661 use correct options in host-del
In-Reply-To: <4D223E44.70702@redhat.com>
References: <4D223A0B.2080607@redhat.com> <4D223E44.70702@redhat.com>
Message-ID: <4D239750.5050003@redhat.com>

Adam Young wrote:
> On 01/03/2011 04:05 PM, Rob Crittenden wrote:
>> It was inheriting from LDAPCreate so had add and setattr!?
>>
>> ticket 652.
>>
>> rob
> ACK

pushed to master
From: rcritten at redhat.com (Rob Crittenden)
Date: Tue, 04 Jan 2011 16:56:31 -0500
Subject: [Freeipa-devel] [PATCH] 662 start messagebus service
In-Reply-To: <1294144680.2930.15.camel@localhost.localdomain>
References: <4D22431C.8090000@redhat.com> <1294144680.2930.15.camel@localhost.localdomain>
Message-ID: <4D23978F.5040104@redhat.com>

Simo Sorce wrote:
> On Mon, 2011-01-03 at 16:43 -0500, Rob Crittenden wrote:
>> Always start the messagebus service so that certmonger will work
>> properly. There have been reports from some very minimal installs that
>> this service isn't started.
>>
>> ticket 528
>
> ACK!
>
> Simo.

pushed to master

From: rcritten at redhat.com (Rob Crittenden)
Date: Tue, 04 Jan 2011 17:10:10 -0500
Subject: [Freeipa-devel] [PATCH] 659 drop CoS for activation
In-Reply-To: <1294144444.2930.13.camel@localhost.localdomain>
References: <4D222C79.4080000@redhat.com> <1294144444.2930.13.camel@localhost.localdomain>
Message-ID: <4D239AC2.6010708@redhat.com>

Simo Sorce wrote:
> On Mon, 2011-01-03 at 15:07 -0500, Rob Crittenden wrote:
>> Drop using a Class of Service for account activation. It added a lot of
>> unnecessary complexity. Instead just update the nsaccountlock attribute
>> directly.
>>
>> ticket 568
>
> ACK, glad to see this one go, although we spent a lot of time getting
> it right...
>
> Simo.

pushed to master
From: ayoung at redhat.com (Adam Young)
Date: Tue, 04 Jan 2011 21:55:41 -0500
Subject: [Freeipa-devel] [PATCH] Improvements to enrollments in the webUI.
In-Reply-To: <4D235C9F.1030601@redhat.com>
References: <4D233E16.6000709@redhat.com> <4D235C9F.1030601@redhat.com>
Message-ID: <4D23DDAD.6020704@redhat.com>

On 01/04/2011 12:45 PM, Adam Young wrote:
> On 01/04/2011 10:34 AM, Pavel Zuna wrote:
>> The patch is a bit bigger and more complex, so I expect this to be
>> the first shot at it.
>>
>> There are some places where we need to handle localization better and
>> be more generic when it comes to non-standard relationships like
>> 'enr olledby' etc., but that can be done later. (I put a few TODOs in
>> the code.)
>>
>> Anyway, here's the changelog for this patch:
>>
>> - Enrollment links in the action panel are now sorted by relationships.
>> - You can only enroll members.
>>   (The webUI gave the impression you can enroll parents as well, but it was
>>   broken.)
>> - When enrolling new members, you can choose not to display already enrolled
>>   ones. (On by default.)
>> - A couple of cosmetic changes.
>>
>> IT DEPENDS ON MY PATCH NUMBER 54 (Improve filtering of enrollments
>> search results.)
>>
>> Pavel
> Nack,
>
> Make sure you filter out the object itself, so you can't enroll, for
> example, a group in itself.
> For verbiage, use "Members" for objects enrolled in this object, and
> "Member of:" in place of parent.

Actually, we can do those as follow-on work. I think this should be pushed, as it is a significant improvement over what we have now.

> Other than that, it looks good.
From: ayoung at redhat.com (Adam Young)
Date: Tue, 04 Jan 2011 21:57:02 -0500
Subject: [Freeipa-devel] [PATCH] Improvements to enrollments in the webUI.
In-Reply-To: <4D235C9F.1030601@redhat.com>
References: <4D233E16.6000709@redhat.com> <4D235C9F.1030601@redhat.com>
Message-ID: <4D23DDFE.9060405@redhat.com>

On 01/04/2011 12:45 PM, Adam Young wrote:
> On 01/04/2011 10:34 AM, Pavel Zuna wrote:
>> The patch is a bit bigger and more complex, so I expect this to be
>> the first shot at it.
>>
>> There are some places where we need to handle localization better and
>> be more generic when it comes to non-standard relationships like
>> 'enrolledby' etc., but that can be done later. (I put a few TODOs in
>> the code.)
>>
>> Anyway, here's the changelog for this patch:
>>
>> - Enrollment links in the action panel are now sorted by relationships.
>> - You can only enroll members.
>>   (The webUI gave the impression you can enroll parents as well, but it was
>>   broken.)
>> - When enrolling new members, you can choose not to display already enrolled
>>   ones. (On by default.)
>> - A couple of cosmetic changes.
>>
>> IT DEPENDS ON MY PATCH NUMBER 54 (Improve filtering of enrollments
>> search results.)
>>
>> Pavel
> Nack,
>
> Make sure you filter out the object itself, so you can't enroll, for
> example, a group in itself.
> For verbiage, use "Members" for objects enrolled in this object, and
> "Member of:" in place of parent.
>
> Other than that, it looks good.

pushed to master
From: ayoung at redhat.com (Adam Young)
Date: Tue, 04 Jan 2011 21:57:26 -0500
Subject: [Freeipa-devel] [PATCH] Improve filtering of enrollments search results.
In-Reply-To: <4D238219.8050703@redhat.com>
References: <4D233D21.6040900@redhat.com> <4D235BBC.5060200@redhat.com> <4D238219.8050703@redhat.com>
Message-ID: <4D23DE16.2020807@redhat.com>

On 01/04/2011 03:24 PM, Adam Young wrote:
> On 01/04/2011 12:41 PM, Adam Young wrote:
>> On 01/04/2011 10:30 AM, Pavel Zuna wrote:
>>> This is required for effective filtering of enrollments search
>>> results in the webUI and also gives an edge to the CLI.
>>>
>>> After this patch, each LDAPObject can define its relationships
>>> to other LDAPObjects. For now, this is used only for filtering
>>> search results by enrollments, but there are probably more
>>> benefits to come.
>>>
>>> You can do this for example:
>>>
>>> # search for all users not enrolled in group admins
>>> ipa user-find --not-in-groups=admins
>>>
>>> # search for all groups not enrolled in group global with user Pavel
>>> ipa group-find --users=Pavel --not-in-groups=global
>>>
>>> # more examples:
>>> ipa group-find --users=Pavel,Jakub --no-users=Honza
>>> ipa hostgroup-find --hosts=webui.pzuna
>>>
>>> Pavel
>> Nack, as is we lose all of the associations for users.
>>
>> I suspect the changes to baseldap are safe, but can you explain why
>> that is the case?
>>
>> Haven't noticed any other shortcomings.
> OK, Looks like this patch is not responsible for the missing
> associations.
> So ACK

Pushed to master

From: ayoung at redhat.com (Adam Young)
Date: Tue, 04 Jan 2011 22:52:31 -0500
Subject: [Freeipa-devel] [PATCH] admiyo-0126-update-metadata
Message-ID: <4D23EAFF.7040805@redhat.com>

We've gotten behind on the metadata with many of the recent changes. This makes the webui work via the file: protocol again.

-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-admiyo-0126-update-metadata.patch
Type: text/x-patch
Size: 177285 bytes

From: ayoung at redhat.com (Adam Young)
Date: Tue, 04 Jan 2011 23:02:23 -0500
Subject: [Freeipa-devel] [PATCH] one liner to re-add in user associations
Message-ID: <4D23ED4F.8080702@redhat.com>

commit 3390319f4c79564ab579bfbc1e341defb5299e50
Author: Adam Young
Date:   Tue Jan 4 22:58:27 2011 -0500

    user associations

    user associations had been removed. This adds them back in.

diff --git a/install/static/user.js b/install/static/user.js
index 1a2ab44..c0e6fae 100644
--- a/install/static/user.js
+++ b/install/static/user.js
@@ -69,7 +69,7 @@ function ipa_user(){
     entity.create_association_facets();
     but we are currently defining the associator using the global function
     after the registration of the entity */
-
+    that.create_association_facets();
     that.entity_init();
 };
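Review bot: the added `that.create_association_facets();` lands directly under a block comment that still carries the old `entity.create_association_facets();` call and the remark that the associator is defined via the global function after entity registration; with the call now live, that comment no longer describes the code and should be removed or reworded so the next reader does not take the live call for the commented-out one. The commit message also states only that the associations "had been removed" without naming the commit or patch that removed them; a pointer there would let a reviewer check whether anything else from that removal still needs restoring.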
From: pzuna at redhat.com (Pavel Zuna)
Date: Wed, 05 Jan 2011 10:34:22 +0100
Subject: [Freeipa-devel] [PATCH] Make it impossible to add an object as a member of itself in webUI.
Message-ID: <4D243B1E.3050601@redhat.com>

Ticket #700

Pavel

-------------- next part --------------
A non-text attachment was scrubbed...
Name: pzuna-freeipa-56-membitself.patch
Type: text/x-patch
Size: 1036 bytes

From: atkac at redhat.com (Adam Tkac)
Date: Wed, 5 Jan 2011 11:00:44 +0100
Subject: [Freeipa-devel] [PATCHES] [bind-dyndb-ldap] Two patches for minor Coverity issues
In-Reply-To: <4D2385E8.1090209@redhat.com>
References: <4D2385E8.1090209@redhat.com>
Message-ID: <20110105100044.GA3833@evileye.atkac.brq.redhat.com>

On Tue, Jan 04, 2011 at 03:41:12PM -0500, Stephen Gallagher wrote:
> Patch 0001: Fix missing varargs cleanup
>
> The CHECK() macro may cause execution to skip down to the cleanup
> tag. If this happens, it would mean that we never called va_end()
> on "backup".
>
> This patch reorganizes the code slightly to ensure that va_end()
> is always called.
>
>
> Patch 0002: Fix potential out-of-bounds write
>
> If there are exactly LD_MAX_SPLITS entries resulting from this
> split, the mandatory trailing NULL entry will be written to one
> entry past the end of the static array of LD_MAX_SPLITS size.

Both patches look fine to me, ack. Please push them.

Regards, Adam

> --
> Stephen Gallagher
> RHCE 804006346421761
>
> Delivering value year after year.
> Red Hat ranks #1 in value among software vendors.
> http://www.redhat.com/promo/vendor/
> From 4cc3a923c1e26ac4c286afd47df1d823920ef56b Mon Sep 17 00:00:00 2001
> From: Stephen Gallagher
> Date: Tue, 4 Jan 2011 15:28:46 -0500
> Subject: [PATCH 1/2] Fix missing varargs cleanup
>
> The CHECK() macro may cause execution to skip down to the cleanup
> tag. If this happens, it would mean that we never called va_end()
> on "backup".
>
> This patch reorganizes the code slightly to ensure that va_end()
> is always called.
> ---
>  src/str.c |    4 ++--
>  1 files changed, 2 insertions(+), 2 deletions(-)
>
> diff --git a/src/str.c b/src/str.c
> index b975aac7ba8c1028a71ac499dfe39530aba4e61f..611ae2028ec06d2e8e9e270eb6a6e0eaa37adcae 100644
> --- a/src/str.c
> +++ b/src/str.c
> @@ -431,16 +431,16 @@ str_vsprintf(ld_string_t *dest, const char *format, va_list ap)
>                  CHECK(str_alloc(dest, len));
>                  len = vsnprintf(dest->data, dest->allocated, format, backup);
>          }
> -        va_end(backup);
>
>          if (len < 0) {
>                  result = ISC_R_FAILURE;
>                  goto cleanup;
>          }
>
> -        return ISC_R_SUCCESS;
> +        result = ISC_R_SUCCESS;
>
>  cleanup:
> +        va_end(backup);
>          return result;
>  }
>
> --
> 1.7.3.4
>
> From 93d709e47444ba38c314b4cece980a829c4f23b9 Mon Sep 17 00:00:00 2001
> From: Stephen Gallagher
> Date: Tue, 4 Jan 2011 15:33:02 -0500
> Subject: [PATCH 2/2] Fix potential out-of-bounds write
>
> If there are exactly LD_MAX_SPLITS entries resulting from this
> split, the mandatory trailing NULL entry will be written to one
> entry past the end of the static array of LD_MAX_SPLITS size.
> ---
>  src/str.c |    2 +-
>  1 files changed, 1 insertions(+), 1 deletions(-)
>
> diff --git a/src/str.c b/src/str.c
> index 611ae2028ec06d2e8e9e270eb6a6e0eaa37adcae..56faa12dce3c7c7bde59d947b69907b9f63d315d 100644
> --- a/src/str.c
> +++ b/src/str.c
> @@ -570,7 +570,7 @@ str_split(const ld_string_t *src, const char delimiter, ld_split_t *split)
>          current_pos = 0;
>          save = 1;
>          for (unsigned int i = 0;
> -             i < split->allocated && current_pos < LD_MAX_SPLITS;
> +             i < split->allocated && current_pos < LD_MAX_SPLITS - 1;
>               i++) {
>                  if (save && split->data[i] != '\0') {
>                          split->splits[current_pos] = split->data + i;
> --
> 1.7.3.4

--
Adam Tkac, Red Hat, Inc.

From: edewata at redhat.com (Endi Sukma Dewata)
Date: Wed, 5 Jan 2011 05:03:37 -0500 (EST)
Subject: [Freeipa-devel] [PATCH] Fixed SUDO dialog boxes.
In-Reply-To: <1667826439.124121.1294221631327.JavaMail.root@zmail05.collab.prod.int.phx2.redhat.com>
Message-ID: <1810705238.124144.1294221817604.JavaMail.root@zmail05.collab.prod.int.phx2.redhat.com>

Hi,

This patch should fix the following bug:
https://fedorahosted.org/freeipa/ticket/656

The dialog boxes for the SUDO details page have been modified to generate the HTML code by default.

--
Endi S. Dewata

-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-edewata-0056-Fixed-SUDO-dialog-boxes.patch
Type: text/x-patch
Size: 5814 bytes

From: edewata at redhat.com (Endi Sukma Dewata)
Date: Wed, 5 Jan 2011 05:05:31 -0500 (EST)
Subject: [Freeipa-devel] [PATCH] SUDO run-as adjustments.
Message-ID: <1924360463.124160.1294221931367.JavaMail.root@zmail05.collab.prod.int.phx2.redhat.com>

Hi,

This patch partially fixes this bug:
https://fedorahosted.org/freeipa/ticket/534

The SUDO details page has been modified to match the attribute names for run-as attributes.

--
Endi S. Dewata
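Review bot: in the quoted str_vsprintf hunk (patch 1/2, src/str.c) the single `va_end(backup)` under `cleanup:` is only correct if `va_copy(backup, ap)` has run on every path that can reach `goto cleanup`; the hunk starts below the `CHECK(str_alloc(dest, len))` call and does not show where `backup` is initialised, so confirm that no CHECK() in the function precedes the va_copy, or move the va_copy above the first CHECK(), otherwise the new cleanup path calls va_end() on an uninitialised va_list. Setting `result` and falling through to the one exit is the right shape for this function.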
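Review bot: in the quoted str_split hunk (patch 2/2, src/str.c) the new bound `current_pos < LD_MAX_SPLITS - 1` keeps the terminating NULL inside the array, but the loop now stops silently once LD_MAX_SPLITS - 1 fields have been saved, so any remaining input is dropped rather than reported; the hunk shows no error return or count for that case, so either document the truncation in the str_split() comment or return a failure when input is left over after the loop exits. Please also confirm that the `split->splits[current_pos] = NULL` write the commit message relies on is still reached after the loop in the unchanged code, since it is not part of the hunk.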
From: edewata at redhat.com (Endi Sukma Dewata)
Date: Wed, 5 Jan 2011 05:07:33 -0500 (EST)
Subject: [Freeipa-devel] [PATCH] SUDO run-as adjustments.
In-Reply-To: <1924360463.124160.1294221931367.JavaMail.root@zmail05.collab.prod.int.phx2.redhat.com>
Message-ID: <863942515.124178.1294222053577.JavaMail.root@zmail05.collab.prod.int.phx2.redhat.com>

Added the missing attachment.

--
Endi S. Dewata

----- Original Message -----
> Hi,
>
> This patch partially fixes this bug:
> https://fedorahosted.org/freeipa/ticket/534
>
> The SUDO details page has been modified to match the attribute
> names for run-as attributes.
>
> --
> Endi S. Dewata

-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-edewata-0057-SUDO-run-as-adjustments.patch
Type: text/x-patch
Size: 7451 bytes

From: edewata at redhat.com (Endi Sukma Dewata)
Date: Wed, 5 Jan 2011 05:09:29 -0500 (EST)
Subject: [Freeipa-devel] [PATCH] Support for external SUDO users and hosts.
In-Reply-To: <1709253378.124210.1294222123476.JavaMail.root@zmail05.collab.prod.int.phx2.redhat.com>
Message-ID: <1639057444.124223.1294222169231.JavaMail.root@zmail05.collab.prod.int.phx2.redhat.com>

Hi,

This patch partially fixes this bug:
https://fedorahosted.org/freeipa/ticket/534

The SUDO details page has been modified to support external users and hosts. In the backend, the internal and external users are kept in separate attributes, but in the UI they will be displayed as a single list. The same thing is done for hosts.

--
Endi S. Dewata

-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-edewata-0058-Support-for-external-SUDO-users-and-hosts.patch
Type: text/x-patch
Size: 3672 bytes
From: pzuna at redhat.com (Pavel Zuna)
Date: Wed, 05 Jan 2011 11:32:49 +0100
Subject: [Freeipa-devel] [PATCH] Retype (when cloning) Flag parameters to Bool for search commands.
Message-ID: <4D2448D1.4040001@redhat.com>

Flag parameters are always autofill by definition, causing unexpected search results. This patch retypes them to Bool for search commands, so that users have to/can enter the desired value manually.

A good example of the Flag parameters causing problems in search commands is `dnszone-find` (ticket #689).

Ticket #689
Ticket #701

Pavel

-------------- next part --------------
A non-text attachment was scrubbed...
Name: pzuna-freeipa-57-flagsearch.patch
Type: text/x-patch
Size: 2296 bytes
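Rob's minimum-uidnumber rule (patch 660, where --setattr goes through the same validators as the option) and Pavel's Flag-to-Bool retype for search commands, modelled together in Python as an added example; this is not ipalib's code. The Flag name allow_dynupdate and the attribute name idnsallowdynupdate are assumptions of the example.

```python
# Added example, not ipalib's code: a minimal model of command parameters
# showing (a) one validation chokepoint that both a direct option and a
# --setattr name=value pair pass through (the uidnumber >= 1 rule relies on
# this) and (b) why an autofilled Flag narrows a *-find search until it is
# retyped to a Bool with no default.  Attribute names are assumptions.


class Param:
    """Converts the CLI string, autofills a default when absent, runs rules."""
    def __init__(self, name, autofill=False, default=None, rules=()):
        self.name = name
        self.autofill = autofill
        self.default = default
        self.rules = tuple(rules)

    def convert(self, raw):
        return raw

    def validate(self, value):
        for rule in self.rules:
            error = rule(value)
            if error:
                raise ValueError(f"invalid '{self.name}': {error}")
        return value


class Int(Param):
    def convert(self, raw):
        return int(raw)  # ValueError for non-numeric input


class Bool(Param):
    def convert(self, raw):
        text = str(raw).strip().lower()
        if text in ("true", "1", "yes"):
            return True
        if text in ("false", "0", "no"):
            return False
        raise ValueError(f"invalid '{self.name}': must be TRUE or FALSE")


class Flag(Bool):
    """A Flag is a Bool that is always autofilled: False unless given."""

    def __init__(self, name, default=False, **kwargs):
        super().__init__(name, autofill=True, default=default, **kwargs)


def clone_for_search(param):
    """Retype Flag to Bool for *-find: unspecified then means "no filter"."""
    if isinstance(param, Flag):
        return Bool(param.name, autofill=False, default=None, rules=param.rules)
    return param


def resolve_options(params, given):
    """Convert, validate and autofill; the single place rules are enforced."""
    resolved = {}
    for param in params:
        if param.name in given:
            resolved[param.name] = param.validate(param.convert(given[param.name]))
        elif param.autofill:
            resolved[param.name] = param.default
    return resolved


def apply_setattr(params, setattr_values):
    """--setattr name=value pairs go through the same rules as options do."""
    by_name = {p.name: p for p in params}
    given = {}
    for item in setattr_values:
        name, _, raw = item.partition("=")
        given[name] = raw
    known = [by_name[name] for name in given if name in by_name]
    return resolve_options(known, given)


def build_search_filter(params, given, attr_map):
    """Render resolved *-find options as an LDAP filter; None is omitted."""
    clauses = []
    for name, value in resolve_options(params, given).items():
        if value is None:
            continue
        if isinstance(value, bool):
            value = "TRUE" if value else "FALSE"
        clauses.append(f"({attr_map[name]}={value})")
    if not clauses:
        return "(objectclass=*)"
    return clauses[0] if len(clauses) == 1 else "(&" + "".join(clauses) + ")"


def min_uid(value):
    """Rule from patch 660: uidnumber 0 is root and is never accepted."""
    return None if value >= 1 else "must be at least 1"


USER_PARAMS = [Int("uidnumber", rules=(min_uid,))]
ZONE_FLAGS = [Flag("allow_dynupdate")]  # as the *-add command would define it
ZONE_ATTRS = {"allow_dynupdate": "idnsallowdynupdate"}  # attribute name assumed
```

With the Flag left as defined for dnszone-add, an `ipa dnszone-find` with no options filters on `idnsallowdynupdate=FALSE` and hides every zone that allows dynamic updates; the Bool clone omits the clause unless the user asks for it.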
From: jzeleny at redhat.com (Jan Zelený)
Date: Wed, 5 Jan 2011 11:55:58 +0100
Subject: [Freeipa-devel] [PATCH] Modified ipa help behavior
In-Reply-To: <4D1096B6.7020703@redhat.com>
References: <201011080926.12248.jzeleny@redhat.com> <201012201616.15519.jzeleny@redhat.com> <4D1096B6.7020703@redhat.com>
Message-ID: <201101051155.58911.jzeleny@redhat.com>

Jakub Hrozek wrote:
> Nack,
>
> the hbac->hbacrule rename is still not complete. There is still
> "from ipalib.plugins.hbac import is_all" in ipalib/plugins/netgroup.py
> and "api.register(hbac)" in ipalib/plugins/hbacrule.py and also "ret =
> self.failsafe_add(api.Object.hbac," in
> tests/test_xmlrpc/test_hbac_plugin.py

This is the final version, all issues have been solved.

Jan

-------------- next part --------------
A non-text attachment was scrubbed...
Name: jzeleny-freeipa-0013-04-Rename-hbac-module-to-hbacrule.patch
Type: text/x-patch
Size: 28246 bytes
-------------- next part --------------
A non-text attachment was scrubbed...
Name: jzeleny-freeipa-0014-03-Changed-concept-of-ipa-help.patch
Type: text/x-patch
Size: 8424 bytes
-------------- next part --------------
A non-text attachment was scrubbed...
Name: jzeleny-freeipa-0015-02-Initial-grouping-of-ipalib-plugins-for-ipa-help.patch
Type: text/x-patch
Size: 3054 bytes
From: jhrozek at redhat.com (Jakub Hrozek)
Date: Wed, 05 Jan 2011 11:58:57 +0100
Subject: [Freeipa-devel] [PATCH] 033 Add new installer option for reverse zone creation
Message-ID: <4D244EF1.8050502@redhat.com>

ticket #678

-------------- next part --------------
A non-text attachment was scrubbed...
Name: jhrozek-freeipa-033-reverse-zone-option.patch
Type: text/x-patch
Size: 6192 bytes
From: jhrozek at redhat.com (Jakub Hrozek) Date: Wed, 05 Jan 2011 13:05:41 +0100 Subject: [Freeipa-devel] [PATCH] Modified ipa help behavior In-Reply-To: <201101051155.58911.jzeleny@redhat.com> References: <201011080926.12248.jzeleny@redhat.com> <201012201616.15519.jzeleny@redhat.com> <4D1096B6.7020703@redhat.com> <201101051155.58911.jzeleny@redhat.com> Message-ID: <4D245E95.8060003@redhat.com> On 01/05/2011 11:55 AM, Jan Zelený wrote: > Jakub Hrozek wrote: >> Nack, >> >> the hbac->hbacrule rename is still not complete. There is still >> "from ipalib.plugins.hbac import is_all" in ipalib/plugins/netgroup.py >> and "api.register(hbac)" in ipalib/plugins/hbacrule.py and also "ret = >> self.failsafe_add(api.Object.hbac," in >> tests/test_xmlrpc/test_hbac_plugin.py > > This is the final version, all issues have been solved. > > Jan > Ack From jzeleny at redhat.com Wed Jan 5 12:09:41 2011 From: jzeleny at redhat.com (Jan Zelený) Date: Wed, 5 Jan 2011 13:09:41 +0100 Subject: [Freeipa-devel] [PATCH] 033 Add new installer option for reverse zone creation In-Reply-To: <4D244EF1.8050502@redhat.com> References: <4D244EF1.8050502@redhat.com> Message-ID: <201101051309.41814.jzeleny@redhat.com> Jakub Hrozek wrote: > ticket #678 Nack, the unattended option given to the create_reverse function is redundant, please remove it. Jan From jzeleny at redhat.com Wed Jan 5 12:13:57 2011
From: jzeleny at redhat.com (Jan Zelený) Date: Wed, 5 Jan 2011 13:13:57 +0100 Subject: [Freeipa-devel] [PATCH] Retype (when cloning) Flag parameters to Bool for search commands. In-Reply-To: <4D2448D1.4040001@redhat.com> References: <4D2448D1.4040001@redhat.com> Message-ID: <201101051313.57709.jzeleny@redhat.com> Pavel Zuna wrote: > Flag parameters are always autofill by definition, causing unexpected > search results. This patch retypes them to Bool for search commands, so > that users have to/can enter the desired value manually. > > A good example of the Flag parameters causing problems in search commands > is `dnszone-find` (ticket #689). > > Ticket #689 > Ticket #701 > > Pavel ack Jan From jzeleny at redhat.com Wed Jan 5 12:22:39 2011 From: jzeleny at redhat.com (Jan Zelený) Date: Wed, 5 Jan 2011 13:22:39 +0100 Subject: [Freeipa-devel] [PATCH] 663 better keytab detection In-Reply-To: <4D237BA8.1070602@redhat.com> References: <4D237BA8.1070602@redhat.com> Message-ID: <201101051322.39596.jzeleny@redhat.com> Rob Crittenden wrote: > Make sure the file we're operating on is really a keytab in > ipa-rmkeytab. Do this by creating a cursor into the keytab. The krb lib > will return a failure if this can't be done. > > ticket 654 > > rob ack Jan From sgallagh at redhat.com Wed Jan 5 12:32:00 2011
From: sgallagh at redhat.com (Stephen Gallagher) Date: Wed, 05 Jan 2011 07:32:00 -0500 Subject: [Freeipa-devel] [PATCHES] [bind-dyndb-ldap] Two patches for minor Coverity issues In-Reply-To: <20110105100044.GA3833@evileye.atkac.brq.redhat.com> References: <4D2385E8.1090209@redhat.com> <20110105100044.GA3833@evileye.atkac.brq.redhat.com> Message-ID: <4D2464C0.9020501@redhat.com> On 01/05/2011 05:00 AM, Adam Tkac wrote: > On Tue, Jan 04, 2011 at 03:41:12PM -0500, Stephen Gallagher wrote: > Patch 0001: Fix missing varargs cleanup > > The CHECK() macro may cause execution to skip down to the cleanup > tag. If this happens, it would mean that we never called va_end() > on "backup". > > This patch reorganizes the code slightly to ensure that va_end() > is always called. > > > Patch 0002: Fix potential out-of-bounds write > > If there are exactly LD_MAX_SPLITS entries resulting from this > split, the mandatory trailing NULL entry will be written to one > entry past the end of the static array of LD_MAX_SPLITS size. > >> Both patches look fine for me, ack. Please push them. > Pushed to master. -- Stephen Gallagher RHCE 804006346421761 Delivering value year after year. Red Hat ranks #1 in value among software vendors. http://www.redhat.com/promo/vendor/ From jhrozek at redhat.com Wed Jan 5 12:38:53 2011
From: jhrozek at redhat.com (Jakub Hrozek) Date: Wed, 05 Jan 2011 13:38:53 +0100 Subject: [Freeipa-devel] [PATCH] 033 Add new installer option for reverse zone creation In-Reply-To: <201101051309.41814.jzeleny@redhat.com> References: <4D244EF1.8050502@redhat.com> <201101051309.41814.jzeleny@redhat.com> Message-ID: <4D24665D.5090309@redhat.com> On 01/05/2011 01:09 PM, Jan Zelený wrote: > Jakub Hrozek wrote: >> ticket #678 > > Nack, the unattended option given to the create_reverse function is redundant, > please remove it. > > Jan > OK, new patch attached. -------------- next part -------------- A non-text attachment was scrubbed... Name: jhrozek-freeipa-033-02-reverse-zone-option.patch Type: text/x-patch Size: 6669 bytes Desc: not available URL: -------------- next part -------------- A non-text attachment was scrubbed... Name: jhrozek-freeipa-033-02-reverse-zone-option.patch.sig Type: application/pgp-signature Size: 72 bytes Desc: not available URL: From jzeleny at redhat.com Wed Jan 5 12:44:08 2011
From: jzeleny at redhat.com (Jan Zelený) Date: Wed, 5 Jan 2011 13:44:08 +0100 Subject: [Freeipa-devel] [PATCH] 033 Add new installer option for reverse zone creation In-Reply-To: <4D24665D.5090309@redhat.com> References: <4D244EF1.8050502@redhat.com> <201101051309.41814.jzeleny@redhat.com> <4D24665D.5090309@redhat.com> Message-ID: <201101051344.08579.jzeleny@redhat.com> Jakub Hrozek wrote: > On 01/05/2011 01:09 PM, Jan Zelený wrote: > > Jakub Hrozek wrote: > >> ticket #678 > > > > Nack, the unattended option given to the create_reverse function is > > redundant, please remove it. > > > > Jan > > OK, new patch attached. ack Jan From edewata at redhat.com Wed Jan 5 15:11:49 2011 From: edewata at redhat.com (Endi Sukma Dewata) Date: Wed, 05 Jan 2011 22:11:49 +0700 Subject: [Freeipa-devel] [PATCH] admiyo-0124-fix-krbtpolicy-update In-Reply-To: <4D22125E.8010407@redhat.com> References: <4D22125E.8010407@redhat.com> Message-ID: <4D248A35.6080000@redhat.com> On 1/4/2011 1:15 AM, Adam Young wrote: > ACK with note that in the Kerberos Ticket Policy page there's a 'User name' label without a text field next to it. -- Endi S. Dewata From edewata at redhat.com Wed Jan 5 15:22:51 2011 From: edewata at redhat.com (Endi Sukma Dewata) Date: Wed, 05 Jan 2011 22:22:51 +0700 Subject: [Freeipa-devel] [PATCH] admiyo-0126-update-metadata In-Reply-To: <4D23EAFF.7040805@redhat.com> References: <4D23EAFF.7040805@redhat.com> Message-ID: <4D248CCB.1090009@redhat.com> On 1/5/2011 10:52 AM, Adam Young wrote: > We've gotten behind on the meta data with many of the recent changes. > This makes the webui work via the file: protocol again. The file pwpolicy_mod.json~ should be removed. Otherwise it's ACKed. -- Endi S. Dewata From edewata at redhat.com Wed Jan 5 15:32:29 2011
From: edewata at redhat.com (Endi Sukma Dewata) Date: Wed, 05 Jan 2011 22:32:29 +0700 Subject: [Freeipa-devel] [PATCH] admiyo-0121-posix-checked In-Reply-To: <4D13A2AD.8010902@redhat.com> References: <4D13A2AD.8010902@redhat.com> Message-ID: <4D248F0D.4040602@redhat.com> On 12/24/2010 2:27 AM, Adam Young wrote: > fixes https://fedorahosted.org/freeipa/ticket/661 ACK. -- Endi S. Dewata From ayoung at redhat.com Wed Jan 5 15:37:20 2011 From: ayoung at redhat.com (Adam Young) Date: Wed, 05 Jan 2011 10:37:20 -0500 Subject: [Freeipa-devel] [PATCH] admiyo-0126-update-metadata In-Reply-To: <4D248CCB.1090009@redhat.com> References: <4D23EAFF.7040805@redhat.com> <4D248CCB.1090009@redhat.com> Message-ID: <4D249030.3050208@redhat.com> On 01/05/2011 10:22 AM, Endi Sukma Dewata wrote: > On 1/5/2011 10:52 AM, Adam Young wrote: >> We've gotten behind on the meta data with many of the recent changes. >> This makes the webui work via the file: protocol again. > > The file pwpolicy_mod.json~ should be removed. Otherwise it's ACKed. > fixed and pushed to master From ayoung at redhat.com Wed Jan 5 15:40:15 2011 From: ayoung at redhat.com (Adam Young) Date: Wed, 05 Jan 2011 10:40:15 -0500 Subject: [Freeipa-devel] [PATCH] admiyo-0121-posix-checked In-Reply-To: <4D248F0D.4040602@redhat.com> References: <4D13A2AD.8010902@redhat.com> <4D248F0D.4040602@redhat.com> Message-ID: <4D2490DF.90400@redhat.com> On 01/05/2011 10:32 AM, Endi Sukma Dewata wrote: > On 12/24/2010 2:27 AM, Adam Young wrote: >> fixes https://fedorahosted.org/freeipa/ticket/661 > > ACK. > pushed to master From rcritten at redhat.com Wed Jan 5 15:38:18 2011 
From: rcritten at redhat.com (Rob Crittenden) Date: Wed, 05 Jan 2011 10:38:18 -0500 Subject: [Freeipa-devel] [PATCH] 664 entitlement support Message-ID: <4D24906A.2060604@redhat.com> This patch adds a plugin and tools for managing entitlements for host machines. Testing is rather complex so I've attached a script to help set up the Candlepin server. You'll need to ping me out of band for the backend data. This configures the Candlepin server with an in-memory database so any time tomcat6 is restarted you'll need to reload the data. You have to run candlepin.setup as root. This will configure your Fedora tomcat6 instance. Once your candlepin server is set up and IPA is installed do something like: $ ipa entitle-register admin (password is admin) $ ipa entitle-consume 25 $ ipa entitle-status (verify that it is 25) # ipa-compliance (should be 1 of 50) Our tools can consume only, not return entitlements. tickets 28, 79 and 278. rob -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-rcrit-664-entitle.patch Type: text/x-patch Size: 50093 bytes Desc: not available URL: -------------- next part -------------- An embedded and charset-unspecified text was scrubbed... Name: candlepin.setup URL: From jzeleny at redhat.com Wed Jan 5 15:44:06 2011 From: jzeleny at redhat.com (Jan Zelený) Date: Wed, 5 Jan 2011 16:44:06 +0100 Subject: [Freeipa-devel] [PATCH] Rename --ipaddr option of host-add command Message-ID: <201101051644.06649.jzeleny@redhat.com> The option is renamed to --ip-address to be consistent with ipa-replica-prepare. https://fedorahosted.org/freeipa/ticket/655 Jan -------------- next part -------------- A non-text attachment was scrubbed... Name: jzeleny-freeipa-0019-Rename-ipaddr-option-to-host-add-command.patch Type: text/x-patch Size: 957 bytes Desc: not available URL: From dpal at redhat.com Wed Jan 5 16:36:03 2011
From: dpal at redhat.com (Dmitri Pal) Date: Wed, 05 Jan 2011 11:36:03 -0500 Subject: [Freeipa-devel] [Fwd: [freeipa] #703: krbtpolicy needs list page] Message-ID: <4D249DF3.9090902@redhat.com> IMO it should just be a section on the user details page rather than a separate screen. -------- Original Message -------- Subject: [freeipa] #703: krbtpolicy needs list page Date: Wed, 05 Jan 2011 14:56:42 -0000 From: freeipa Reply-To: nobody at fedoraproject.org To: undisclosed-recipients:;
#703: krbtpolicy needs list page
Reporter: admiyo | Owner: admiyo
Type: defect | Status: new
Priority: major | Milestone: 0.0 NEEDS_TRIAGE
Component: Web UI | Version:
Keywords: | Tests: 0
Testsupdated: 0 | Affects_cli: 0
Candidate_to_defer: 0 | Affects_doc: 0
Estimate: |
Since there can be one krbtpolicy per user, supported by the CLI, the WebUI needs a way to list the alternatives. If there is a policy for a user, there should be a link to it from the user details. -- Ticket URL: freeipa FreeIPA -- Thank you, Dmitri Pal Sr. Engineering Manager IPA project, Red Hat Inc. ------------------------------- Looking to carve out IT costs? www.redhat.com/carveoutcosts/ From dpal at redhat.com Wed Jan 5 16:52:57 2011
From: dpal at redhat.com (Dmitri Pal) Date: Wed, 05 Jan 2011 11:52:57 -0500 Subject: [Freeipa-devel] [PATCH] 033 Add new installer option for reverse zone creation In-Reply-To: <201101051344.08579.jzeleny@redhat.com> References: <4D244EF1.8050502@redhat.com> <201101051309.41814.jzeleny@redhat.com> <4D24665D.5090309@redhat.com> <201101051344.08579.jzeleny@redhat.com> Message-ID: <4D24A1E9.6010207@redhat.com> Jan Zelený wrote: > Jakub Hrozek wrote: > >> On 01/05/2011 01:09 PM, Jan Zelený wrote: >> >>> Jakub Hrozek wrote: >>> >>>> ticket #678 >>>> >>> Nack, the unattended option given to the create_reverse function is >>> redundant, please remove it. >>> >>> Jan >>> >> OK, new patch attached. >> > > ack > > Jenny had some questions about the default value. Please hold off pushing before you reconcile with her. > Jan > > _______________________________________________ > Freeipa-devel mailing list > Freeipa-devel at redhat.com > https://www.redhat.com/mailman/listinfo/freeipa-devel > > > -- Thank you, Dmitri Pal Sr. Engineering Manager IPA project, Red Hat Inc. ------------------------------- Looking to carve out IT costs? www.redhat.com/carveoutcosts/ From adam at younglogic.com Wed Jan 5 03:59:53 2011 From: adam at younglogic.com (Adam Young) Date: Tue, 04 Jan 2011 22:59:53 -0500 Subject: [Freeipa-devel] [PATCH] one liner to re-add in user associations Message-ID: <4D23ECB9.9010304@younglogic.com> commit 3390319f4c79564ab579bfbc1e341defb5299e50 Author: Adam Young Date: Tue Jan 4 22:58:27 2011 -0500 user associations user associations had been removed. This adds them back in. diff --git a/install/static/user.js b/install/static/user.js index 1a2ab44..c0e6fae 100644 --- a/install/static/user.js +++ b/install/static/user.js
@@ -69,7 +69,7 @@ function ipa_user(){ entity.create_association_facets(); but we are currently defining the associator using the global function after the registration of the entity */ - + that.create_association_facets(); that.entity_init(); }; From dpal at redhat.com Wed Jan 5 17:18:57 2011 
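Review bot: the re-added `that.create_association_facets();` lands directly below a block comment that ends `after the registration of the entity */` and explains why the call had been left out; with the call back in place that comment now contradicts the code, so trim or reword it in the same hunk. The commit message ("user associations had been removed. This adds them back in.") should also name what removed them, so the next reader can tell this is a regression fix rather than new behaviour.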
From: dpal at redhat.com (Dmitri Pal) Date: Wed, 05 Jan 2011 12:18:57 -0500 Subject: [Freeipa-devel] [PATCH] 664 entitlement support In-Reply-To: <4D24906A.2060604@redhat.com> References: <4D24906A.2060604@redhat.com> Message-ID: <4D24A801.9060605@redhat.com> Rob Crittenden wrote: > This patch adds a plugin and tools for managing entitlements for host > machines. > > Testing is rather complex so I've attached a script to help set up the > Candlepin server. You'll need to ping me out of band for the backend > data. This configures the Candlepin server with an in-memory database > so any time tomcat6 is restarted you'll need to reload the data. > > You have to run candlepin.setup as root. This will configure your > Fedora tomcat6 instance. > > Once your candlepin server is setup and IPA is installed do something > like: > > $ ipa entitle-register admin > (password is admin) > > $ ipa entitle-consume 25 > > $ ipa entitle-status > (verify that it is 25) > > # ipa-compliance > (should be 1 of 50) > > Our tools can consume only, not return entitlements. > > tickets 28, 79 and 278. > > rob Does the patch include all items from ticket 79? Should we split the ticket, especially third bullet and treat it separately? Is it addressed, do we still plan to provide a query in the docs? Once Nalin created something like this: Date comparisons in LDAP search filters compare using the ISO representation of the time, given in YYYYMMDDHHMMSSZ form, which is more or less what they look like on the wire.
For example, search for people hired at Red Hat since Sunday: ldapsearch -x -h ldap.corp.redhat.com -b dc=redhat,dc=com \ "(rhathiredate>=201004110000Z)" cn The KDC (in 1.8 and later) will update krbLastSuccessfulAuth, krbLastFailedAuth, and krbLoginFailedCount when a client attempts to authenticate, so I expect that the search filter would look something like this: "(&(|(krbLastFailedAuth>=201004110000Z)(krbLastSuccessfulAuth>=201004110000Z))(krbPrincipalName=*))" Keep in mind that we probably don't index either "krbLastFailedAuth" or "krbLastSuccessfulAuth" for searching, so the search would probably take a while to run. ====================================== Does the patch include cron job to run license check and log into the syslog the results if you are out of compliance? Does it count the servers and the clients i.e all the entries that have a host principal and a keytab? I have seen a FIXME comment in one of the patches below. Is this intended or omission? > ------------------------------------------------------------------------ > > _______________________________________________ > Freeipa-devel mailing list > Freeipa-devel at redhat.com > https://www.redhat.com/mailman/listinfo/freeipa-devel -- Thank you, Dmitri Pal Sr. Engineering Manager IPA project, Red Hat Inc. ------------------------------- Looking to carve out IT costs? www.redhat.com/carveoutcosts/ From ssorce at redhat.com Wed Jan 5 17:21:19 2011 
From: ssorce at redhat.com (Simo Sorce) Date: Wed, 05 Jan 2011 12:21:19 -0500 Subject: [Freeipa-devel] [PATCH] Rename --ipaddr option of host-add command In-Reply-To: <201101051644.06649.jzeleny@redhat.com> References: <201101051644.06649.jzeleny@redhat.com> Message-ID: <1294248079.2908.0.camel@localhost.localdomain> On Wed, 2011-01-05 at 16:44 +0100, Jan Zelený wrote: > The option is renamed to --ip-address to be consistent with > ipa-replica-prepare. > > https://fedorahosted.org/freeipa/ticket/655 ACK, Simo. From edewata at redhat.com Wed Jan 5 17:27:28 2011 From: edewata at redhat.com (Endi Sukma Dewata) Date: Thu, 06 Jan 2011 00:27:28 +0700 Subject: [Freeipa-devel] [PATCH] Support for external SUDO users and hosts. In-Reply-To: <1639057444.124223.1294222169231.JavaMail.root@zmail05.collab.prod.int.phx2.redhat.com> References: <1639057444.124223.1294222169231.JavaMail.root@zmail05.collab.prod.int.phx2.redhat.com> Message-ID: <4D24AA00.4050408@redhat.com> On 1/5/2011 5:09 PM, Endi Sukma Dewata wrote: > This patch partially fixes this bug: > https://fedorahosted.org/freeipa/ticket/534 > > The SUDO details page has been modified to support external users > and hosts. In the backend, the internal and external users are kept > in separate attributes, but in the UI they will be displayed as a > single list. The same thing is done for hosts. I updated the patch to match the correct spec: The ipa_sudorule_association_adder_dialog() has been modified such that it only displays the external field if there is an external attribute for that field. -- Endi S. Dewata -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-edewata-0058-2-Support-for-external-SUDO-users-and-hosts.patch Type: text/x-patch Size: 6909 bytes Desc: not available URL: From ssorce at redhat.com Wed Jan 5 17:49:52 2011
From: ssorce at redhat.com (Simo Sorce) Date: Wed, 05 Jan 2011 12:49:52 -0500 Subject: [Freeipa-devel] [PATCH] 0043 fix ipa-dns-install to not require DM password Message-ID: <1294249792.2908.6.camel@localhost.localdomain> This patch makes it possible to run ipa-dns-install and use the admin kerberos credentials. Fixes #686. Simo. -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-simo-0043-Allow-ipa-dns-install-to-install-with-just-admin-cre.patch Type: application/mbox Size: 17192 bytes Desc: not available URL: From ayoung at redhat.com Wed Jan 5 17:53:23 2011 From: ayoung at redhat.com (Adam Young) Date: Wed, 05 Jan 2011 12:53:23 -0500 Subject: [Freeipa-devel] [PATCH] Fixed SUDO dialog boxes. In-Reply-To: <1810705238.124144.1294221817604.JavaMail.root@zmail05.collab.prod.int.phx2.redhat.com> References: <1810705238.124144.1294221817604.JavaMail.root@zmail05.collab.prod.int.phx2.redhat.com> Message-ID: <4D24B013.2000602@redhat.com> On 01/05/2011 05:03 AM, Endi Sukma Dewata wrote: > Hi, > > This patch should fix the following bug: > https://fedorahosted.org/freeipa/ticket/656 > > The dialog boxes for SUDO details page have been modified > to generate the HTML code by default. > > -- > Endi S. Dewata > > > > _______________________________________________ > Freeipa-devel mailing list > Freeipa-devel at redhat.com > https://www.redhat.com/mailman/listinfo/freeipa-devel ACK and pushed to master -------------- next part -------------- An HTML attachment was scrubbed... URL: From ayoung at redhat.com Wed Jan 5 18:14:14 2011 
From: ayoung at redhat.com (Adam Young) Date: Wed, 05 Jan 2011 13:14:14 -0500 Subject: [Freeipa-devel] [PATCH] SUDO run-as adjustments. In-Reply-To: <863942515.124178.1294222053577.JavaMail.root@zmail05.collab.prod.int.phx2.redhat.com> References: <863942515.124178.1294222053577.JavaMail.root@zmail05.collab.prod.int.phx2.redhat.com> Message-ID: <4D24B4F6.2030102@redhat.com> On 01/05/2011 05:07 AM, Endi Sukma Dewata wrote: > Added the missing attachment. > > -- > Endi S. Dewata > > ----- Original Message ----- >> Hi, >> >> This patch partially fixes this bug: >> https://fedorahosted.org/freeipa/ticket/534 >> >> The SUDO details page has been modified to match the attribute >> names for run-as attributes. >> >> -- >> Endi S. Dewata >> >> >> _______________________________________________ >> Freeipa-devel mailing list >> Freeipa-devel at redhat.com >> https://www.redhat.com/mailman/listinfo/freeipa-devel ACK and pushed to master -------------- next part -------------- An HTML attachment was scrubbed... URL: From rcritten at redhat.com Wed Jan 5 18:12:12 2011 From: rcritten at redhat.com (Rob Crittenden) Date: Wed, 05 Jan 2011 13:12:12 -0500 Subject: [Freeipa-devel] [PATCH 21/21] fixes CA install problem in trac ticket 682 In-Reply-To: <266302585.91157.1294047545790.JavaMail.root@zmail05.collab.prod.int.phx2.redhat.com> References: <266302585.91157.1294047545790.JavaMail.root@zmail05.collab.prod.int.phx2.redhat.com> Message-ID: <4D24B47C.6080808@redhat.com> Simo Sorce wrote: > ----- Original Message ----- >> Do not call status after pkisilent, it will return non-zero. >> Instead restart server after pkisilent so configuration >> changes take effect, then check the status. > > Ack. > > Simo. > Working for me with the newer dogtag packages in the ipa-devel repo. Pushed to master rob From ayoung at redhat.com Wed Jan 5 18:14:49 2011
From: ayoung at redhat.com (Adam Young) Date: Wed, 05 Jan 2011 13:14:49 -0500 Subject: [Freeipa-devel] [PATCH] Fixed SUDO dialog boxes. In-Reply-To: <4D24B013.2000602@redhat.com> References: <1810705238.124144.1294221817604.JavaMail.root@zmail05.collab.prod.int.phx2.redhat.com> <4D24B013.2000602@redhat.com> Message-ID: <4D24B519.6080102@redhat.com> On 01/05/2011 12:53 PM, Adam Young wrote: > On 01/05/2011 05:03 AM, Endi Sukma Dewata wrote: >> Hi, >> >> This patch should fix the following bug: >> https://fedorahosted.org/freeipa/ticket/656 >> >> The dialog boxes for SUDO details page have been modified >> to generate the HTML code by default. >> >> -- >> Endi S. Dewata >> >> >> >> _______________________________________________ >> Freeipa-devel mailing list >> Freeipa-devel at redhat.com >> https://www.redhat.com/mailman/listinfo/freeipa-devel > ACK and pushed to master > > > _______________________________________________ > Freeipa-devel mailing list > Freeipa-devel at redhat.com > https://www.redhat.com/mailman/listinfo/freeipa-devel ACK and pushed to master -------------- next part -------------- An HTML attachment was scrubbed... URL: From ayoung at redhat.com Wed Jan 5 18:35:32 2011 From: ayoung at redhat.com (Adam Young) Date: Wed, 05 Jan 2011 13:35:32 -0500 Subject: [Freeipa-devel] [PATCH] One liner to remove UID from krbtpolicy page Message-ID: <4D24B9F4.5080700@redhat.com> pushed under the one line rule. commit 69de8b317adbf9836819e4a5f6e87018d4a6520d Author: Adam Young Date: Wed Jan 5 13:31:21 2011 -0500 remove UID field we are only doing global policy on the krbtpolicy page diff --git a/install/static/policy.js b/install/static/policy.js index d8cfbec..038b630 100644 --- a/install/static/policy.js +++ b/install/static/policy.js 
@@ -589,7 +589,7 @@ IPA.add_entity(function (){ ipa_entity_set_details_definition('krbtpolicy', [ ipa_stanza({name:'identity', label:'Kerberos ticket policy'}). - input({name:'uid'}). + //input({name:'uid',label:' '}). input({name:'krbmaxrenewableage'}). input({name:'krbmaxticketlife'}) ]); From edewata at redhat.com Wed Jan 5 19:22:57 2011 From: edewata at redhat.com (Endi Sukma Dewata) Date: Thu, 06 Jan 2011 02:22:57 +0700 Subject: [Freeipa-devel] [PATCH] Use AJAX status text as default error message. Message-ID: <4D24C511.9040803@redhat.com> Hi, The attached patch should fix the following bug: https://fedorahosted.org/freeipa/ticket/669 It now shows the server's actual response: "Internal Server Error". Additional improvements can be done by validating the input on client side and/or server side. -- Endi S. Dewata -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-edewata-0059-Use-AJAX-status-text-as-default-error-message.patch Type: text/x-patch Size: 2306 bytes Desc: not available URL: From ayoung at redhat.com Wed Jan 5 19:50:17 2011 
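Review bot: `//input({name:'uid',label:' '}).` leaves commented-out code behind, and it is not even the removed line (it adds `label:' '`), so it reads as an abandoned experiment; drop the line outright and let git keep the history. Since ticket #703 earlier in this digest says there can be one krbtpolicy per user, the commit message ("we are only doing global policy on the krbtpolicy page") should say whether the per-user field is gone for good or only until that ticket is handled.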
From: ayoung at redhat.com (Adam Young) Date: Wed, 05 Jan 2011 14:50:17 -0500 Subject: [Freeipa-devel] [PATCH] Use AJAX status text as default error message. In-Reply-To: <4D24C511.9040803@redhat.com> References: <4D24C511.9040803@redhat.com> Message-ID: <4D24CB79.1070606@redhat.com> On 01/05/2011 02:22 PM, Endi Sukma Dewata wrote: > Hi, > > The attached patch should fix the following bug: > https://fedorahosted.org/freeipa/ticket/669 > It now shows the server's actual response: "Internal Server Error". > > Additional improvements can be done by validating the input on client > side and/or server side. > > > _______________________________________________ > Freeipa-devel mailing list > Freeipa-devel at redhat.com > https://www.redhat.com/mailman/listinfo/freeipa-devel ACK -------------- next part -------------- An HTML attachment was scrubbed... URL: From ayoung at redhat.com Wed Jan 5 19:57:13 2011 From: ayoung at redhat.com (Adam Young) Date: Wed, 05 Jan 2011 14:57:13 -0500 Subject: [Freeipa-devel] [PATCH] admiyo-0127-add-missing-files-in-rpm Message-ID: <4D24CD19.8000503@redhat.com> Had to move some files around, and added to both Makefile.am and ipa.spec -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-admiyo-0127-add-missing-files-in-rpm.patch Type: text/x-patch Size: 3074 bytes Desc: not available URL: From rcritten at redhat.com Wed Jan 5 20:05:34 2011 From: rcritten at redhat.com (Rob Crittenden) Date: Wed, 05 Jan 2011 15:05:34 -0500 Subject: [Freeipa-devel] [PATCH] 665 simple build instructions Message-ID: <4D24CF0E.9010201@redhat.com> Here are some simple instructions to get a new IPA developer pointed in the right direction. ticket 314 rob -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-rcrit-665-build.patch Type: text/x-patch Size: 3047 bytes Desc: not available URL: From ayoung at redhat.com Wed Jan 5 20:12:43 2011 
From: ayoung at redhat.com (Adam Young) Date: Wed, 05 Jan 2011 15:12:43 -0500 Subject: [Freeipa-devel] [PATCH] Translate IA5Str parameters the editable text fields in the webUI. In-Reply-To: <4D1FDD43.7090002@redhat.com> References: <4D1C50DE.6050705@redhat.com> <4D1CB2F4.9090704@redhat.com> <4D1FDD43.7090002@redhat.com> Message-ID: <4D24D0BB.90803@redhat.com> On 01/01/2011 09:04 PM, Adam Young wrote: > On 12/30/2010 11:27 AM, Pavel Zůna wrote: >> On 2010-12-30 10:29, Pavel Zůna wrote: >>> Fix #684 >>> >>> Pavel >>> >> >> Left some debugging output in the original patch. Fixed version >> attached. >> >> Pavel >> >> >> _______________________________________________ >> Freeipa-devel mailing list >> Freeipa-devel at redhat.com >> https://www.redhat.com/mailman/listinfo/freeipa-devel > ACK > > > _______________________________________________ > Freeipa-devel mailing list > Freeipa-devel at redhat.com > https://www.redhat.com/mailman/listinfo/freeipa-devel pushed to master -------------- next part -------------- An HTML attachment was scrubbed... URL: From ayoung at redhat.com Wed Jan 5 20:34:20 2011
From: ayoung at redhat.com (Adam Young) Date: Wed, 05 Jan 2011 15:34:20 -0500 Subject: [Freeipa-devel] [PATCH] Use AJAX status text as default error message. In-Reply-To: <4D24CB79.1070606@redhat.com> References: <4D24C511.9040803@redhat.com> <4D24CB79.1070606@redhat.com> Message-ID: <4D24D5CC.7060700@redhat.com> On 01/05/2011 02:50 PM, Adam Young wrote: > On 01/05/2011 02:22 PM, Endi Sukma Dewata wrote: >> Hi, >> >> The attached patch should fix the following bug: >> https://fedorahosted.org/freeipa/ticket/669 >> It now shows the server's actual response: "Internal Server Error". >> >> Additional improvements can be done by validating the input on client >> side and/or server side. >> >> >> _______________________________________________ >> Freeipa-devel mailing list >> Freeipa-devel at redhat.com >> https://www.redhat.com/mailman/listinfo/freeipa-devel > ACK > > > _______________________________________________ > Freeipa-devel mailing list > Freeipa-devel at redhat.com > https://www.redhat.com/mailman/listinfo/freeipa-devel Pushed to master -------------- next part -------------- An HTML attachment was scrubbed... URL: From rcritten at redhat.com Wed Jan 5 21:08:19 2011 
From: rcritten at redhat.com (Rob Crittenden) Date: Wed, 05 Jan 2011 16:08:19 -0500 Subject: [Freeipa-devel] [PATCH] 664 entitlement support In-Reply-To: <4D24A801.9060605@redhat.com> References: <4D24906A.2060604@redhat.com> <4D24A801.9060605@redhat.com> Message-ID: <4D24DDC3.2040202@redhat.com> Dmitri Pal wrote: > Rob Crittenden wrote: >> This patch adds a plugin and tools for managing entitlements for host >> machines. >> >> Testing is rather complex so I've attached a script to help set up the >> Candlepin server. You'll need to ping me out of band for the backend >> data. This configures the Candlepin server with an in-memory database >> so any time tomcat6 is restarted you'll need to reload the data. >> >> You have to run candlepin.setup as root. This will configure your >> Fedora tomcat6 instance. >> >> Once your candlepin server is setup and IPA is installed do something >> like: >> >> $ ipa entitle-register admin >> (password is admin) >> >> $ ipa entitle-consume 25 >> >> $ ipa entitle-status >> (verify that it is 25) >> >> # ipa-compliance >> (should be 1 of 50) >> >> Our tools can consume only, not return entitlements. >> >> tickets 28, 79 and 278. >> >> rob > Does the patch include all items from ticket 79? Should we split the > ticket, especially third bullet and treat it separately? Is it > addressed, do we still plan to provide a query in the docs? > Once Nalin created something like this: > > Date comparisons in LDAP search filters compare using the ISO > representation of the time, given in YYYYMMDDHHMMSSZ form, which is more > or less what they look like on the wire.
For example, search for people > hired at Red Hat since Sunday: > > ldapsearch -x -h ldap.corp.redhat.com -b dc=redhat,dc=com \ > "(rhathiredate>=201004110000Z)" cn > > The KDC (in 1.8 and later) will update krbLastSuccessfulAuth, > krbLastFailedAuth, and krbLoginFailedCount when a client attempts to > authenticate, so I expect that the search filter would look something > like this: > > "(&(|(krbLastFailedAuth>=201004110000Z)(krbLastSuccessfulAuth>=201004110000Z))(krbPrincipalName=*))" > > Keep in mind that we probably don't index either "krbLastFailedAuth" or > "krbLastSuccessfulAuth" for searching, so the search would probably take > a while to run. No, the patch does not have the "find old hosts" part in it. I was planning to only test for krbLastSuccessfulAuth. Since this is a keytab I seriously doubt it will ever have a failed auth. I was going to update the ticket with the query and provide it to David for documentation. > Does the patch include cron job to run license check and log into the > syslog the results if you are out of compliance? Yes. > Does it count the servers and the clients i.e all the entries that have > a host principal and a keytab? Yes. > I have seen a FIXME comment in one of the patches below. Is this > intended or omission? Unrelated to this feature and not show-stoppers, just recognizing some limitations. rob From dpal at redhat.com Wed Jan 5 21:11:27 2011 
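The generalized-time filter Nalin sketched, narrowed to krbLastSuccessfulAuth as Rob says he will test, together with its inverse (the "find old hosts" query Rob planned to document), as an added example that is not code from the patch or from FreeIPA. It assumes the attribute holds the fixed YYYYMMDDHHMMSSZ form quoted above and that host principals start with `host/`; the sample entries are constructed.

```python
# Added example, not FreeIPA project code. Builds the two LDAP filters
# discussed in the thread and evaluates them locally over constructed
# entries, so the query can be sanity-checked before an unindexed search
# is run against a live directory.
from datetime import datetime, timezone

LAST_AUTH_ATTR = "krbLastSuccessfulAuth"
PRINCIPAL_ATTR = "krbPrincipalName"
HOST_PRINCIPAL_PREFIX = "host/"          # assumption: standard host principal form
GENERALIZED_TIME_FMT = "%Y%m%d%H%M%SZ"   # the on-the-wire form quoted in the thread

# Cutoff used by the stand-alone demo: start of 5 Jan 2011, UTC.
CUTOFF = datetime(2011, 1, 5, 0, 0, 0, tzinfo=timezone.utc)

# Constructed sample entries standing in for principal objects in the directory.
SAMPLE_ENTRIES = [
    {PRINCIPAL_ATTR: "host/web1.example.test@EXAMPLE.TEST",
     LAST_AUTH_ATTR: "20110105123000Z"},            # authenticated after the cutoff
    {PRINCIPAL_ATTR: "host/db1.example.test@EXAMPLE.TEST",
     LAST_AUTH_ATTR: "20101220080000Z"},            # last seen well before the cutoff
    {PRINCIPAL_ATTR: "host/new.example.test@EXAMPLE.TEST"},  # keytab never used yet
    {PRINCIPAL_ATTR: "admin@EXAMPLE.TEST",
     LAST_AUTH_ATTR: "20101201000000Z"},            # a user, not a host: ignored
]


def to_generalized_time(dt):
    """Render an aware datetime as LDAP GeneralizedTime in UTC, e.g. 20110105000000Z."""
    if dt.tzinfo is None:
        raise ValueError("datetime must be timezone-aware")
    return dt.astimezone(timezone.utc).strftime(GENERALIZED_TIME_FMT)


def from_generalized_time(value):
    """Parse the fixed YYYYMMDDHHMMSSZ form into an aware UTC datetime.

    Fractional seconds and numeric UTC offsets are also legal GeneralizedTime,
    but they would not compare correctly as plain strings, so this parser
    rejects them (ValueError) instead of silently mis-ordering them.
    """
    return datetime.strptime(value, GENERALIZED_TIME_FMT).replace(tzinfo=timezone.utc)


def recent_hosts_filter(since):
    """Host principals whose last successful auth is at or after ``since``."""
    return "(&(%s=%s*)(%s>=%s))" % (
        PRINCIPAL_ATTR, HOST_PRINCIPAL_PREFIX, LAST_AUTH_ATTR,
        to_generalized_time(since))


def stale_hosts_filter(before):
    """Host principals not seen since ``before``, including ones never seen.

    A host whose keytab has never been used carries no krbLastSuccessfulAuth
    at all; (!(attr=*)) picks those up so they are not silently dropped from
    the stale list. Both bounds are inclusive because LDAP offers only >= and <=.
    """
    return "(&(%s=%s*)(|(!(%s=*))(%s<=%s)))" % (
        PRINCIPAL_ATTR, HOST_PRINCIPAL_PREFIX, LAST_AUTH_ATTR, LAST_AUTH_ATTR,
        to_generalized_time(before))


def _is_host(entry):
    return entry.get(PRINCIPAL_ATTR, "").startswith(HOST_PRINCIPAL_PREFIX)


def _last_auth(entry):
    value = entry.get(LAST_AUTH_ATTR)
    return None if value is None else from_generalized_time(value)


def select_recent(entries, since):
    """Local evaluation of recent_hosts_filter() over dict entries."""
    result = []
    for entry in entries:
        seen = _last_auth(entry) if _is_host(entry) else None
        if seen is not None and seen >= since:
            result.append(entry[PRINCIPAL_ATTR])
    return result


def select_stale(entries, before):
    """Local evaluation of stale_hosts_filter() over dict entries."""
    result = []
    for entry in entries:
        if not _is_host(entry):
            continue
        seen = _last_auth(entry)
        if seen is None or seen <= before:
            result.append(entry[PRINCIPAL_ATTR])
    return result


if __name__ == "__main__":
    print(recent_hosts_filter(CUTOFF))
    print(stale_hosts_filter(CUTOFF))
    print("stale hosts:", select_stale(SAMPLE_ENTRIES, CUTOFF))
```

The filters are strings ready to pass to ldapsearch as in Nalin's example; the select_* functions only mirror their semantics over an exported subset.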
From: dpal at redhat.com (Dmitri Pal) Date: Wed, 05 Jan 2011 16:11:27 -0500 Subject: [Freeipa-devel] [PATCH] 664 entitlement support In-Reply-To: <4D24DDC3.2040202@redhat.com> References: <4D24906A.2060604@redhat.com> <4D24A801.9060605@redhat.com> <4D24DDC3.2040202@redhat.com> Message-ID: <4D24DE7F.2010903@redhat.com> Rob Crittenden wrote: > Dmitri Pal wrote: >> Rob Crittenden wrote: >>> This patch adds a plugin and tools for managing entitlements for host >>> machines. >>> >>> Testing is rather complex so I've attached a script to help set up the >>> Candlepin server. You'll need to ping me out of band for the backend >>> data. This configures the Candlepin server with an in-memory database >>> so any time tomcat6 is restarted you'll need to reload the data. >>> >>> You have to run candlepin.setup as root. This will configure your >>> Fedora tomcat6 instance. >>> >>> Once your candlepin server is setup and IPA is installed do something >>> like: >>> >>> $ ipa entitle-register admin >>> (password is admin) >>> >>> $ ipa entitle-consume 25 >>> >>> $ ipa entitle-status >>> (verify that it is 25) >>> >>> # ipa-compliance >>> (should be 1 of 50) >>> >>> Our tools can consume only, not return entitlements. >>> >>> tickets 28, 79 and 278. >>> >>> rob >> Does the patch include all items from ticket 79? Should we split the >> ticket, especially third bullet and treat it separately? Is it >> addressed, do we still plan to provide a query in the docs? >> Once Nalin created something like this: >> >> Date comparisons in LDAP search filters compare using the ISO >> representation of the time, given in YYYYMMDDHHMMSSZ form, which is more >> or less what they look like on the wire.
For example, search for people >> hired at Red Hat since Sunday: >> >> ldapsearch -x -h ldap.corp.redhat.com -b dc=redhat,dc=com \ >> "(rhathiredate>=201004110000Z)" cn >> >> The KDC (in 1.8 and later) will update krbLastSuccessfulAuth, >> krbLastFailedAuth, and krbLoginFailedCount when a client attempts to >> authenticate, so I expect that the search filter would look something >> like this: >> >> >> "(&(|(krbLastFailedAuth>=201004110000Z)(krbLastSuccessfulAuth>=201004110000Z))(krbPrincipalName=*))" >> >> >> Keep in mind that we probably don't index either "krbLastFailedAuth" or >> "krbLastSuccessfulAuth" for searching, so the search would probably take >> a while to run. > > No, the patch does not have the "find old hosts" part in it. > > I was planning to only test for krbLastSuccessfulAuth. Since this is a > keytab I seriously doubt it will ever have a failed auth. I was going > to update the ticket with the query and provide it to David for > documentation. > This is sufficient. >> Does the patch include a cron job to run the license check and log into the >> syslog the results if you are out of compliance? > > Yes. > >> Does it count the servers and the clients i.e. all the entries that have >> a host principal and a keytab? > > Yes. > >> I have seen a FIXME comment in one of the patches below. Is this >> intended or an omission? > > Unrelated to this feature and not show-stoppers, just recognizing some > limitations. > > rob > Thanks! > _______________________________________________ > Freeipa-devel mailing list > Freeipa-devel at redhat.com > https://www.redhat.com/mailman/listinfo/freeipa-devel > > -- Thank you, Dmitri Pal Sr. Engineering Manager IPA project, Red Hat Inc. ------------------------------- Looking to carve out IT costs? www.redhat.com/carveoutcosts/ From jzeleny at redhat.com Thu Jan 6 07:58:56 2011
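The "find old hosts" query that Nalin's note and Rob's reply discuss above (GeneralizedTime comparison on krbLastSuccessfulAuth), as an added example that is not FreeIPA code and not from the thread: it builds the filter and evaluates it locally against constructed host entries, so no directory server is needed. The attribute names are the ones quoted in the thread; the entries and the cutoff are constructed.

```python
"""Build the stale-host LDAP filter from the thread and evaluate it locally.

Added example, not FreeIPA code.  Attribute names (krbPrincipalName,
krbLastSuccessfulAuth, krbLastFailedAuth) are those quoted in the thread;
SAMPLE_ENTRIES below are constructed, not real directory data.
"""
from datetime import datetime, timezone

GENERALIZED_TIME = "%Y%m%d%H%M%SZ"   # YYYYMMDDHHMMSSZ, always UTC


def generalized_time(when: datetime) -> str:
    """Render an aware datetime as an LDAP GeneralizedTime string in UTC.

    Every field is fixed width, so the strings sort exactly like the instants
    they represent; that is what makes '>=' usable in a search filter.
    """
    if when.tzinfo is None:
        raise ValueError("pass a timezone-aware datetime")
    return when.astimezone(timezone.utc).strftime(GENERALIZED_TIME)


def parse_generalized_time(value: str) -> datetime:
    """Inverse of generalized_time() for the full YYYYMMDDHHMMSSZ form."""
    return datetime.strptime(value, GENERALIZED_TIME).replace(tzinfo=timezone.utc)


def recent_auth_filter(since: datetime) -> str:
    """Nalin's filter: principals that succeeded or failed to authenticate
    since the cutoff."""
    ts = generalized_time(since)
    return ("(&(|(krbLastFailedAuth>=%s)(krbLastSuccessfulAuth>=%s))"
            "(krbPrincipalName=*))" % (ts, ts))


def stale_host_filter(since: datetime) -> str:
    """Rob's variant: host principals with no successful keytab
    authentication since the cutoff.

    LDAP filters have no '<', only '>=' and '<=', so 'older than' is written
    as NOT '>='.  The negation also selects entries that carry no
    krbLastSuccessfulAuth at all (enrolled hosts that never used their
    keytab), which a plain '<=' comparison would silently skip.
    """
    return ("(&(krbPrincipalName=host/*)(!(krbLastSuccessfulAuth>=%s)))"
            % generalized_time(since))


def _is_stale_host(entry: dict, cutoff_ts: str) -> bool:
    """Evaluate stale_host_filter() on one entry the way a server would."""
    if not entry.get("krbPrincipalName", "").startswith("host/"):
        return False
    last = entry.get("krbLastSuccessfulAuth")
    if last is None:          # attribute absent: '>=' is FALSE, NOT makes it TRUE
        return True
    return not (last >= cutoff_ts)   # fixed-width UTC strings compare safely


def find_stale_hosts(entries: list, since: datetime) -> list:
    """Return the principal names stale_host_filter() would select."""
    cutoff_ts = generalized_time(since)
    return [e["krbPrincipalName"] for e in entries if _is_stale_host(e, cutoff_ts)]


# Constructed sample entries: two live hosts, one stale host, one host that
# was enrolled but never authenticated, and a user principal to be ignored.
SAMPLE_ENTRIES = [
    {"krbPrincipalName": "host/web1.example.test@EXAMPLE.TEST",
     "krbLastSuccessfulAuth": "20110105143000Z"},
    {"krbPrincipalName": "host/db1.example.test@EXAMPLE.TEST",
     "krbLastSuccessfulAuth": "20101231235959Z"},
    {"krbPrincipalName": "host/old1.example.test@EXAMPLE.TEST",
     "krbLastSuccessfulAuth": "20100901080000Z"},
    {"krbPrincipalName": "host/never.example.test@EXAMPLE.TEST"},
    {"krbPrincipalName": "admin@EXAMPLE.TEST",
     "krbLastSuccessfulAuth": "20100101000000Z"},
]

if __name__ == "__main__":
    cutoff = datetime(2010, 12, 1, tzinfo=timezone.utc)
    print(stale_host_filter(cutoff))
    for name in find_stale_hosts(SAMPLE_ENTRIES, cutoff):
        print("stale:", name)
```

As the thread notes, neither attribute is indexed, so running the real filter against a large directory is a slow, unindexed search; schedule it rather than run it interactively.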
From: jzeleny at redhat.com (Jan Zelený) Date: Thu, 6 Jan 2011 08:58:56 +0100 Subject: [Freeipa-devel] [PATCH] Include some directories in spec file Message-ID: <201101060858.56995.jzeleny@redhat.com> Two directories were left out of the package file list: ..../site-packages/ipalib ..../site-packages/ipaserver http://fedorahosted.org/freeipa/ticket/688 -- Thank you Jan Zeleny Red Hat Software Engineer Brno, Czech Republic -------------- next part -------------- A non-text attachment was scrubbed... Name: jzeleny-freeipa-0020-Include-some-directories-in-spec-file.patch Type: text/x-patch Size: 1138 bytes Desc: not available URL: From jzeleny at redhat.com Thu Jan 6 08:13:44 2011 From: jzeleny at redhat.com (Jan Zelený) Date: Thu, 6 Jan 2011 09:13:44 +0100 Subject: [Freeipa-devel] [PATCH] 0043 fix ipa-dns-install to not require DM password In-Reply-To: <1294249792.2908.6.camel@localhost.localdomain> References: <1294249792.2908.6.camel@localhost.localdomain> Message-ID: <201101060913.45011.jzeleny@redhat.com> Simo Sorce wrote: > This patch makes it possible to run ipa-dns-install and use the admin > kerberos credentials. > > Fixes #686. > > Simo. The patch doesn't apply on current master - does it depend on some other patch or is it just a small glitch? Jan From jzeleny at redhat.com Thu Jan 6 08:54:48 2011
From: jzeleny at redhat.com (Jan Zelený) Date: Thu, 6 Jan 2011 09:54:48 +0100 Subject: [Freeipa-devel] [PATCH] 665 simple build instructions In-Reply-To: <4D24CF0E.9010201@redhat.com> References: <4D24CF0E.9010201@redhat.com> Message-ID: <201101060954.48588.jzeleny@redhat.com> Rob Crittenden wrote: > Here are some simple instructions to get a new IPA developer pointed in > the right direction. > > ticket 314 > > rob Nack: I think using rpm -Uvh dist/rpms/* is not a good option. Using yum --nogpgcheck localinstall dist/rpms/* is much better, because it also installs runtime dependencies, which might not be included by previous installation of build dependencies. One suggestion: I'd recommend that users install with the --selfsign option. Installation without it takes much longer and (currently) it often ends with an error. You have a typo on line 64: develping -> developing Jan From ssorce at redhat.com Thu Jan 6 09:01:15 2011 From: ssorce at redhat.com (Simo Sorce) Date: Thu, 06 Jan 2011 04:01:15 -0500 Subject: [Freeipa-devel] [PATCH] 0043 fix ipa-dns-install to not require DM password In-Reply-To: <201101060913.45011.jzeleny@redhat.com> References: <1294249792.2908.6.camel@localhost.localdomain> <201101060913.45011.jzeleny@redhat.com> Message-ID: <1294304475.2883.6.camel@localhost.localdomain> On Thu, 2011-01-06 at 09:13 +0100, Jan Zelený wrote: > Simo Sorce wrote: > > This patch makes it possible to run ipa-dns-install and use the admin > > kerberos credentials. > > > > Fixes #686. > > > > Simo. > > The patch doesn't apply on current master - does it depend on some other patch > or just a small glitch? Almost certainly depends on 0042 as I am touching the same files. I will rebase on top of master locally though, so if it still doesn't apply after 0042 let me know and I'll send updated patches. Simo. From pzuna at redhat.com Thu Jan 6 09:13:52 2011
From: pzuna at redhat.com (Pavel Zůna) Date: Thu, 06 Jan 2011 10:13:52 +0100 Subject: [Freeipa-devel] [PATCH] admiyo-0127-add-missing-files-in-rpm In-Reply-To: <4D24CD19.8000503@redhat.com> References: <4D24CD19.8000503@redhat.com> Message-ID: <4D2587D0.9030502@redhat.com> On 2011-01-05 20:57, Adam Young wrote: > Had to move some files around, and added to both Makefile.am and ipa.spec > > ACK. Pavel From jzeleny at redhat.com Thu Jan 6 09:35:18 2011 From: jzeleny at redhat.com (Jan Zelený) Date: Thu, 6 Jan 2011 10:35:18 +0100 Subject: [Freeipa-devel] [PATCH] 0043 fix ipa-dns-install to not require DM password In-Reply-To: <1294249792.2908.6.camel@localhost.localdomain> References: <1294249792.2908.6.camel@localhost.localdomain> Message-ID: <201101061035.18545.jzeleny@redhat.com> Simo Sorce wrote: > This patch makes it possible to run ipa-dns-install and use the admin > kerberos credentials. > > Fixes #686. > > Simo. Nack, I have some comments: Exception handling (chunk #4): Those prints should go away. But the main thing: that particular part of code doesn't seem to produce any exceptions which should be handled. Function ldap_disconnect isn't used anywhere. That makes me wonder - is it redundant or should it be somewhere in the code? I guess this is a policy issue - either we want the connection to stay as long as possible or we want to use it only for a certain set of commands and then disconnect it. Jan From ssorce at redhat.com Thu Jan 6 11:06:24 2011
From: ssorce at redhat.com (Simo Sorce) Date: Thu, 06 Jan 2011 06:06:24 -0500 Subject: [Freeipa-devel] [PATCH] 0043 fix ipa-dns-install to not require DM password In-Reply-To: <201101061035.18545.jzeleny@redhat.com> References: <1294249792.2908.6.camel@localhost.localdomain> <201101061035.18545.jzeleny@redhat.com> Message-ID: <1294311984.2883.14.camel@localhost.localdomain> On Thu, 2011-01-06 at 10:35 +0100, Jan Zelený wrote: > Simo Sorce wrote: > > This patch makes it possible to run ipa-dns-install and use the admin > > kerberos credentials. > > > > Fixes #686. > > > > Simo. > > Nack, I have some comments: > > Exception handling (chunk #4): > Those prints should go away. But the main thing: that particular part of code > doesn't seem to produce any exceptions, which should be handled Ok, I will remove that part, it was half debugging code and half to handle code that has been later changed. > Function ldap_disconnect isn't used anywhere. That makes me wonder - is it > redundant or should it be somewhere in the code. I guess this is a policy > issue - either we want the connection to stay as long as possible or we want > to use it only for a certain set of commands and then disconnect it. I initially used it to do connect, op, disconnect, but later decided it was better to let the connection live as long as the instance was around. In a future patch we may even move admin_conn to be a global handler so that multiple instances will use just one connection instead of having one pending per-instance type, but I didn't want to go that far. However I didn't remove ldap_disconnect because it will be useful if later on someone needs to change the code to have a temporary connection. I think I may want to use it in the next patch I am working on. I can remove it though and re-add it later if needed, I am ok either way. Simo. From jzeleny at redhat.com Thu Jan 6 11:17:36 2011
From: jzeleny at redhat.com (Jan Zelený) Date: Thu, 6 Jan 2011 12:17:36 +0100 Subject: [Freeipa-devel] [PATCH] 0043 fix ipa-dns-install to not require DM password In-Reply-To: <1294311984.2883.14.camel@localhost.localdomain> References: <1294249792.2908.6.camel@localhost.localdomain> <201101061035.18545.jzeleny@redhat.com> <1294311984.2883.14.camel@localhost.localdomain> Message-ID: <201101061217.36091.jzeleny@redhat.com> Simo Sorce wrote: > On Thu, 2011-01-06 at 10:35 +0100, Jan Zelený wrote: > > Simo Sorce wrote: > > > This patch makes it possible to run ipa-dns-install and use the admin > > > kerberos credentials. > > > > > > Fixes #686. > > > > > > Simo. > > > > Nack, I have some comments: > > > > Exception handling (chunk #4): > > Those prints should go away. But the main thing: that particular part of > > code doesn't seem to produce any exceptions, which should be handled > > Ok I will remove that part, it was half debugging code and half to > handle code that has been later changed. > > > Function ldap_disconnect isn't used anywhere. That makes me wonder - is > > it redundant or should it be somewhere in the code. I guess this is a > > policy issue - either we want the connection to stay as long as possible > > or we want to use it only for a certain set of commands and then > > disconnect it. > > I initially used it to do connect,op,disconnect, but later decided it > was better to let connection live as long as the instance was around. > > In a future patch we may even move admin_conn to be a global handler so > that multiple instances will use just one connection instead of having > one pending per-instance type, but I didn't want to go that far. > > However I didn't remove ldap_disconnect because it will be useful if > later on someone needs to change the code to have a temporary > connection. I think I may want to use it in the next patch I am working > on. I can remove it though and re-add it later if needed, I am ok either > way.
No problem, if there is a potential usage in future patches, we can keep it for later. Thanks for the explanation. Jan From jhrozek at redhat.com Thu Jan 6 11:28:25 2011 From: jhrozek at redhat.com (Jakub Hrozek) Date: Thu, 06 Jan 2011 12:28:25 +0100 Subject: [Freeipa-devel] [PATCH] 034 Do not use LDAP_DEPRECATED in plugins and client Message-ID: <4D25A759.40001@redhat.com> Remove the LDAP_DEPRECATED constant and do not use functions that are marked as deprecated in recent OpenLDAP releases. Also always define WITH_{MOZLDAP,OPENLDAP} since there are conditional header includes that depend on that constant. A related question - since we only support Fedora 14 now and we always compile with --with-openldap on that platform, should we remove the mozldap code altogether? I don't think it would cause any harm; realistically, there should be no users. https://fedorahosted.org/freeipa/ticket/576 -------------- next part -------------- A non-text attachment was scrubbed... Name: jhrozek-freeipa-034-remove-LDAP-DEPRECATED.patch Type: text/x-patch Size: 11949 bytes Desc: not available URL: -------------- next part -------------- A non-text attachment was scrubbed... Name: jhrozek-freeipa-034-remove-LDAP-DEPRECATED.patch.sig Type: application/pgp-signature Size: 72 bytes Desc: not available URL: From jzeleny at redhat.com Thu Jan 6 12:00:14 2011
From: jzeleny at redhat.com (Jan Zelený) Date: Thu, 6 Jan 2011 13:00:14 +0100 Subject: [Freeipa-devel] [PATCH] 0042 Fix dns install on replicas In-Reply-To: <1294151967.2930.19.camel@localhost.localdomain> References: <1294151967.2930.19.camel@localhost.localdomain> Message-ID: <201101061300.14776.jzeleny@redhat.com> Simo Sorce wrote: > DNS installation on replicas was broken. > This patch fixes both the --setup-dns switch of ipa-replica-install as > well as running ipa-dns-install on an existing replica. > > Simo. ack Jan From jzeleny at redhat.com Thu Jan 6 12:27:50 2011 From: jzeleny at redhat.com (Jan Zelený) Date: Thu, 6 Jan 2011 13:27:50 +0100 Subject: [Freeipa-devel] [PATCH] 034 Do not use LDAP_DEPRECATED in plugins and client In-Reply-To: <4D25A759.40001@redhat.com> References: <4D25A759.40001@redhat.com> Message-ID: <201101061327.50912.jzeleny@redhat.com> Jakub Hrozek wrote: > Remove the LDAP_DEPRECATED constant and do not use functions that are > marked as deprecated in recent OpenLDAP releases. Also always define > WITH_{MOZLDAP,OPENLDAP} since there are conditional header includes that > depend on that constant. > > A related question - since we only support Fedora 14 now and we always > compile with --with-openldap on that platform, should we remove the > mozldap code altogether? I don't think it would cause any harm, > realistically, there should be no users. > > https://fedorahosted.org/freeipa/ticket/576 Nack, please unify whitespace in indentation. Also I'm curious about adding those includes in ipapwd.h - does this have any (positive or negative) impact? They seem a little redundant. Note: I think another patch changing whitespace to correspond with our coding policy is in order after this one is pushed. Jan From mkosek at redhat.com Thu Jan 6 13:47:26 2011
From: mkosek at redhat.com (Martin Kosek) Date: Thu, 06 Jan 2011 14:47:26 +0100 Subject: [Freeipa-devel] [PATCH] Handle error messages during Host operations Message-ID: <1294321646.19990.17.camel@dhcp-25-52.brq.redhat.com> Only a generic error message was displayed when a non-existing host was passed to host-del or host-disable operations. This patch adds catching these generic exceptions and raising new exceptions with the correct error message. https://fedorahosted.org/freeipa/ticket/303 -------------- next part -------------- A non-text attachment was scrubbed... Name: mkosek-freeipa-001-host-operation-error-messages.patch Type: text/x-patch Size: 1820 bytes Desc: not available URL: From JR.Aquino at citrix.com Thu Jan 6 15:28:54 2011 From: JR.Aquino at citrix.com (JR Aquino) Date: Thu, 6 Jan 2011 15:28:54 +0000 Subject: [Freeipa-devel] [PATCH] fixed typo for description usage example Message-ID: There was a typo in the example for cli usage of sudocmd. This is a one-liner patch to correct the usage syntax and addresses ticket #704: https://fedorahosted.org/freeipa/ticket/704 -JR -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-jraquino-0012-fixed-typo-for-description-usage.patch Type: application/octet-stream Size: 809 bytes Desc: freeipa-jraquino-0012-fixed-typo-for-description-usage.patch URL: From edewata at redhat.com Thu Jan 6 15:32:25 2011
From: edewata at redhat.com (Endi Sukma Dewata) Date: Thu, 06 Jan 2011 22:32:25 +0700 Subject: [Freeipa-devel] [PATCH] Fixed tooltips in SUDO details page. Message-ID: <4D25E089.7090403@redhat.com> Hi, The attached patch should fix item #1 in the following ticket: https://fedorahosted.org/freeipa/ticket/671 The title attribute in various HTML elements in the SUDO details page has been set to show the proper tooltips. Most of the values are taken from the 'doc' attribute of sudorule parameters. -- Endi S. Dewata -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-edewata-0060-Fixed-tooltips-in-SUDO-details-page.patch Type: text/x-patch Size: 11372 bytes Desc: not available URL: From rcritten at redhat.com Thu Jan 6 15:53:58 2011 From: rcritten at redhat.com (Rob Crittenden) Date: Thu, 06 Jan 2011 10:53:58 -0500 Subject: [Freeipa-devel] [PATCH] Include some directories in spec file In-Reply-To: <201101060858.56995.jzeleny@redhat.com> References: <201101060858.56995.jzeleny@redhat.com> Message-ID: <4D25E596.9070001@redhat.com> Jan Zelený wrote: > ipa.spec.in | 2 ++ ack, pushed to master From rcritten at redhat.com Thu Jan 6 16:10:53 2011 From: rcritten at redhat.com (Rob Crittenden) Date: Thu, 06 Jan 2011 11:10:53 -0500 Subject: [Freeipa-devel] [PATCH] Handle error messages during Host operations In-Reply-To: <1294321646.19990.17.camel@dhcp-25-52.brq.redhat.com> References: <1294321646.19990.17.camel@dhcp-25-52.brq.redhat.com> Message-ID: <4D25E98D.1080208@redhat.com> Martin Kosek wrote: > Only a generic error message was displayed when a non-existing > host was passed to host-del or host-disable operations. > > This patch adds catching these generic exceptions and raising > new exceptions with the correct error message. > > https://fedorahosted.org/freeipa/ticket/303 > > ack, pushed to master From rcritten at redhat.com Thu Jan 6 16:13:36 2011
From: rcritten at redhat.com (Rob Crittenden) Date: Thu, 06 Jan 2011 11:13:36 -0500 Subject: [Freeipa-devel] [PATCH] fixed typo for description usage example In-Reply-To: References: Message-ID: <4D25EA30.8030906@redhat.com> JR Aquino wrote: > There was a typo in the example for cli usage of sudocmd > > This is a 1 liner patch to correct the usage syntax and addresses ticket > #704: > https://fedorahosted.org/freeipa/ticket/704 > > -JR ack, pushed to master From ayoung at redhat.com Thu Jan 6 16:49:31 2011 From: ayoung at redhat.com (Adam Young) Date: Thu, 06 Jan 2011 11:49:31 -0500 Subject: [Freeipa-devel] [PATCH] admiyo-0128-action-panel-style Message-ID: <4D25F29B.6080301@redhat.com> Some of the changes necessary for the actions panel. -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-admiyo-0128-action-panel-style.patch Type: text/x-patch Size: 11646 bytes Desc: not available URL: From atkac at redhat.com Thu Jan 6 17:23:21 2011 From: atkac at redhat.com (Adam Tkac) Date: Thu, 6 Jan 2011 18:23:21 +0100 Subject: [Freeipa-devel] [PATCH] bind-dyndb-ldap: new parameter "timeout" Message-ID: <20110106172321.GA18045@evileye.atkac.brq.redhat.com> Hello, the attached patch introduces a new bind-dyndb-ldap parameter called "timeout". It controls the timeout of the LDAP queries and by default is set to 10 seconds. The patch solves https://fedorahosted.org/bind-dyndb-ldap/ticket/3. Regards, Adam -- Adam Tkac, Red Hat, Inc. -------------- next part -------------- From ab991832581345bf40372fe7e1c488edb1567c1a Mon Sep 17 00:00:00 2001 From: Adam Tkac Date: Thu, 6 Jan 2011 18:17:14 +0100 Subject: [PATCH] Add new parameter - "timeout". This parameter controls the timeout of the LDAP queries. Generally the timeout of resolvers is 5 seconds, so 10 seconds by default should be enough. Solves ticket https://fedorahosted.org/bind-dyndb-ldap/ticket/3.
Signed-off-by: Adam Tkac --- README | 5 +++++ src/ldap_helper.c | 11 ++++++++++- 2 files changed, 15 insertions(+), 1 deletions(-) diff --git a/README b/README index 758f141..5c80344 100644 --- a/README +++ b/README @@ -139,6 +139,11 @@ zone_refresh (default 0) a zone. If this option is set to 0, the LDAP driver will never refresh the settings. +timeout (default 10) + Timeout (in seconds) of the queries to the LDAP server. If the LDAP + server don't respond before this timeout then lookup is aborted and + BIND returns SERVFAIL. Value "0" means infinite timeout (no timeout). + 5.2 Sample configuration ------------------------ diff --git a/src/ldap_helper.c b/src/ldap_helper.c index fbe9f9e..9659b9d 100644 --- a/src/ldap_helper.c +++ b/src/ldap_helper.c @@ -126,6 +126,7 @@ struct ldap_instance { ld_string_t *base; unsigned int connections; unsigned int reconnect_interval; + unsigned int timeout; ldap_auth_t auth_method; ld_string_t *bind_dn; ld_string_t *password; @@ -291,6 +292,7 @@ new_ldap_instance(isc_mem_t *mctx, const char *db_name, { "uri", no_default_string }, { "connections", default_uint(2) }, { "reconnect_interval", default_uint(60) }, + { "timeout", default_uint(10) }, { "base", no_default_string }, { "auth_method", default_string("none") }, { "bind_dn", default_string("") }, @@ -346,6 +348,7 @@ new_ldap_instance(isc_mem_t *mctx, const char *db_name, ldap_settings[i++].target = ldap_inst->uri; ldap_settings[i++].target = &ldap_inst->connections; ldap_settings[i++].target = &ldap_inst->reconnect_interval; + ldap_settings[i++].target = &ldap_inst->timeout; ldap_settings[i++].target = ldap_inst->base; ldap_settings[i++].target = auth_method_str; ldap_settings[i++].target = ldap_inst->bind_dn; @@ -1258,6 +1261,7 @@ ldap_query(ldap_connection_t *ldap_conn, const char *base, int scope, char **att { va_list ap; isc_result_t result; + struct timeval timeout; REQUIRE(ldap_conn != NULL); 
@@ -1273,12 +1277,15 @@ ldap_query(ldap_connection_t *ldap_conn, const char *base, int scope, char **att return ISC_R_FAILURE; } + timeout.tv_sec = ldap_conn->database->timeout; + timeout.tv_usec = 0; + do { int ret; ret = ldap_search_ext_s(ldap_conn->handle, base, scope, str_buf(ldap_conn->query_string), - attrs, attrsonly, NULL, NULL, NULL, + attrs, attrsonly, NULL, NULL, &timeout, LDAP_NO_LIMIT, &ldap_conn->result); if (ret == 0) { @@ -1697,6 +1704,8 @@ handle_connection_error(ldap_connection_t *ldap_conn, isc_result_t *result) log_error("connection to the LDAP server was lost"); if (ldap_connect(ldap_conn) == ISC_R_SUCCESS) return 1; + } else if (err_code == LDAP_TIMEOUT) { + log_error("LDAP query timed out. Try to adjust \"timeout\" parameter"); } else { err_string = ldap_err2string(err_code); } -- 1.7.3.4 From jhrozek at redhat.com Thu Jan 6 17:31:53 2011 
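Review bot: the README hunk promises that a "timeout" value of 0 means no timeout, but the ldap_query hunk unconditionally passes &timeout with tv_sec taken from the setting, and OpenLDAP's ldap_search_ext_s() hands that timeval to ldap_result(), where a zero-valued struct timeval means poll rather than wait forever; with timeout 0 every lookup would therefore fail with LDAP_TIMEOUT almost immediately instead of waiting indefinitely. Keep the previous NULL argument for that case, e.g. `struct timeval *tvp = ldap_conn->database->timeout ? &timeout : NULL;` and pass tvp in place of &timeout, or drop the "0 means infinite" sentence from the README. Two wording fixes in the same README hunk: "If the LDAP server don't respond" should read "does not respond", and "then lookup is aborted" should be "then the lookup is aborted".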
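Review bot: the new `else if (err_code == LDAP_TIMEOUT)` branch in handle_connection_error leaves err_string untouched, whereas the sibling else branch assigns it from ldap_err2string(err_code); any code after this block that reports err_string (not visible in the hunk) would see an unset or stale pointer on the timeout path, so either assign err_string there as well or return right after the log_error() call. The log message itself would be more useful if it included the configured value, e.g. "LDAP query timed out after %u seconds; adjust the \"timeout\" parameter", and "Try to adjust \"timeout\" parameter" needs an article ("the \"timeout\" parameter").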
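Review bot: the `{ "timeout", default_uint(10) }` entry in the defaults table and the `ldap_settings[i++].target = &ldap_inst->timeout;` line are bound to each other by position only, so both insertions must sit at the same index (they do here, directly after reconnect_interval in both hunks); a short comment above the table saying that the two lists must stay in the same order would make the next addition less likely to silently bind a value to the wrong field.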
From: jhrozek at redhat.com (Jakub Hrozek) Date: Thu, 06 Jan 2011 18:31:53 +0100 Subject: [Freeipa-devel] [PATCH] 033 Add new installer option for reverse zone creation In-Reply-To: <4D24A1E9.6010207@redhat.com> References: <4D244EF1.8050502@redhat.com> <201101051309.41814.jzeleny@redhat.com> <4D24665D.5090309@redhat.com> <201101051344.08579.jzeleny@redhat.com> <4D24A1E9.6010207@redhat.com> Message-ID: <4D25FC89.2040909@redhat.com> On 01/05/2011 05:52 PM, Dmitri Pal wrote: > Jan Zelený wrote: >> Jakub Hrozek wrote: >> >>> On 01/05/2011 01:09 PM, Jan Zelený wrote: >>> >>>> Jakub Hrozek wrote: >>>> >>>>> ticket #678 >>>>> >>>> Nack, the unattended option given to the create_reverse function is >>>> redundant, please remove it. >>>> >>>> Jan >>>> >>> OK, new patch attached. >>> >> >> ack >> >> > Jenny had some questions about the default value. Please hold off > pushing before you reconcile with her. > > Based on recent discussion, I am withdrawing this patch and will prepare a new one that will set up DNS by default, introduce a new option - --no-dns instead and also introduce --uninstall to ipa-dns-install. Jakub From ayoung at redhat.com Thu Jan 6 17:40:10 2011
From: ayoung at redhat.com (Adam Young) Date: Thu, 06 Jan 2011 12:40:10 -0500 Subject: [Freeipa-devel] [PATCH] admiyo-0128-action-panel-style In-Reply-To: <1750801283.145492.1294335391695.JavaMail.root@zmail05.collab.prod.int.phx2.redhat.com> References: <1750801283.145492.1294335391695.JavaMail.root@zmail05.collab.prod.int.phx2.redhat.com> Message-ID: <4D25FE7A.1090103@redhat.com> On 01/06/2011 12:36 PM, Kyle Baker wrote: > ACK, but change the font size to 11px. > > ----- Original Message ----- >> Some of the changes necessary for the actions panel. >> >> _______________________________________________ >> Freeipa-devel mailing list >> Freeipa-devel at redhat.com >> https://www.redhat.com/mailman/listinfo/freeipa-devel Changed font size and pushed to master From ayoung at redhat.com Thu Jan 6 17:53:30 2011 From: ayoung at redhat.com (Adam Young) Date: Thu, 06 Jan 2011 12:53:30 -0500 Subject: [Freeipa-devel] [PATCH] admiyo-0129-remove-list-header Message-ID: <4D26019A.4040009@redhat.com> Makes list pages look like the spec -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-admiyo-0129-remove-list-header.patch Type: text/x-patch Size: 825 bytes Desc: not available URL: From kybaker at redhat.com Thu Jan 6 17:54:46 2011 
From: kybaker at redhat.com (Kyle Baker) Date: Thu, 6 Jan 2011 12:54:46 -0500 (EST) Subject: [Freeipa-devel] [PATCH] admiyo-0129-remove-list-header In-Reply-To: <4D26019A.4040009@redhat.com> Message-ID: <1615890094.145715.1294336486209.JavaMail.root@zmail05.collab.prod.int.phx2.redhat.com> ACK, push it. ----- Original Message ----- > Makes list pages look like the spec > > _______________________________________________ > Freeipa-devel mailing list > Freeipa-devel at redhat.com > https://www.redhat.com/mailman/listinfo/freeipa-devel -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-admiyo-0129-remove-list-header.patch Type: text/x-patch Size: 825 bytes Desc: not available URL: From ayoung at redhat.com Thu Jan 6 18:00:43 2011 From: ayoung at redhat.com (Adam Young) Date: Thu, 06 Jan 2011 13:00:43 -0500 Subject: [Freeipa-devel] [PATCH] admiyo-0129-remove-list-header In-Reply-To: <1615890094.145715.1294336486209.JavaMail.root@zmail05.collab.prod.int.phx2.redhat.com> References: <1615890094.145715.1294336486209.JavaMail.root@zmail05.collab.prod.int.phx2.redhat.com> Message-ID: <4D26034B.3020407@redhat.com> On 01/06/2011 12:54 PM, Kyle Baker wrote: > ACK, push it. > > ----- Original Message ----- >> Makes list pages look like the spec >> >> _______________________________________________ >> Freeipa-devel mailing list >> Freeipa-devel at redhat.com >> https://www.redhat.com/mailman/listinfo/freeipa-devel pushed to master From ssorce at redhat.com Thu Jan 6 18:13:48 2011 
From: ssorce at redhat.com (Simo Sorce) Date: Thu, 06 Jan 2011 13:13:48 -0500 Subject: [Freeipa-devel] [PATCH] 0043 fix ipa-dns-install to not require DM password In-Reply-To: <201101061035.18545.jzeleny@redhat.com> References: <1294249792.2908.6.camel@localhost.localdomain> <201101061035.18545.jzeleny@redhat.com> Message-ID: <1294337628.3156.30.camel@localhost.localdomain> On Thu, 2011-01-06 at 10:35 +0100, Jan Zelený wrote: > Simo Sorce wrote: > > This patch makes it possible to run ipa-dns-install and use the admin > > kerberos credentials. > > > > Fixes #686. > > > > Simo. > > Nack, I have some comments: > > Exception handling (chunk #4): > Those prints should go away. But the main thing: that particular part of code > doesn't seem to produce any exceptions, which should be handled > > Function ldap_disconnect isn't used anywhere. That makes me wonder - is it > redundant or should it be somewhere in the code. I guess this is a policy > issue - either we want the connection to stay as long as possible or we want > to use it only for a certain set of commands and then disconnect it. Attached is a new patch that fixes hunk #4. Actually I ended up using ldap_disconnect() here as we need to test the ldap connection anyway. I also had to make minor changes to Bindinstance() as the code was clearing self.fqdn after Service.__init__ set it. Simo. -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-simo-0043-2-Allow-ipa-dns-install-to-install-with-just-admin-cre.patch Type: application/mbox Size: 17961 bytes Desc: not available URL: From ayoung at redhat.com Thu Jan 6 18:16:40 2011
From: ayoung at redhat.com (Adam Young) Date: Thu, 06 Jan 2011 13:16:40 -0500 Subject: [Freeipa-devel] [PATCH] admiyo-0130-dns-record-style Message-ID: <4D260708.9060508@redhat.com> Fixes https://fedorahosted.org/freeipa/ticket/693 -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-admiyo-0130-dns-record-style.patch Type: text/x-patch Size: 920 bytes Desc: not available URL: From ayoung at redhat.com Thu Jan 6 18:27:23 2011 From: ayoung at redhat.com (Adam Young) Date: Thu, 06 Jan 2011 13:27:23 -0500 Subject: [Freeipa-devel] [PATCH] Fixed tooltips in SUDO details page. In-Reply-To: <4D25E089.7090403@redhat.com> References: <4D25E089.7090403@redhat.com> Message-ID: <4D26098B.3000009@redhat.com> On 01/06/2011 10:32 AM, Endi Sukma Dewata wrote: > Hi, > > The attached patch should fix item #1 in the following ticket: > https://fedorahosted.org/freeipa/ticket/671 > > The title attribute in various HTML elements in SUDO details page > has been set to show the proper tooltips. Most of the values are > taken from the 'doc' attribute of sudorule parameters. > > > _______________________________________________ > Freeipa-devel mailing list > Freeipa-devel at redhat.com > https://www.redhat.com/mailman/listinfo/freeipa-devel ACK. Pushed to master -------------- next part -------------- An HTML attachment was scrubbed... URL: From jhrozek at redhat.com Thu Jan 6 18:43:02 2011 
From: jhrozek at redhat.com (Jakub Hrozek) Date: Thu, 06 Jan 2011 19:43:02 +0100 Subject: [Freeipa-devel] [PATCH] 033 Add new installer option for reverse zone creation In-Reply-To: <4D25FC89.2040909@redhat.com> References: <4D244EF1.8050502@redhat.com> <201101051309.41814.jzeleny@redhat.com> <4D24665D.5090309@redhat.com> <201101051344.08579.jzeleny@redhat.com> <4D24A1E9.6010207@redhat.com> <4D25FC89.2040909@redhat.com> Message-ID: <4D260D36.8020306@redhat.com> On 01/06/2011 06:31 PM, Jakub Hrozek wrote: > On 01/05/2011 05:52 PM, Dmitri Pal wrote: >> Jan Zelený wrote: >>> Jakub Hrozek wrote: >>> >>>> On 01/05/2011 01:09 PM, Jan Zelený wrote: >>>> >>>>> Jakub Hrozek wrote: >>>>> >>>>>> ticket #678 >>>>>> >>>>> Nack, the unattended option given to the create_reverse function is >>>>> redundant, please remove it. >>>>> >>>>> Jan >>>>> >>>> OK, new patch attached. >>>> >>> >>> ack >>> >>> >> Jenny had some questions about the default value. Please hold off >> pushing before you reconcile with her. > > > > Based on recent discussion, I am withdrawing this patch and will prepare > a new one that will set up DNS by default, introduce a new option > --no-dns instead and also introduce --uninstall to ipa-dns-install. > > Jakub On reading the complete discussion (thanks for reminding me, Dmitri), we only flip the default for the reverse zone creation to True. Attached is a patch that has a --no-reverse option instead of --create-reverse and reverts the default in the installer. -------------- next part -------------- A non-text attachment was scrubbed...
Name: jhrozek-freeipa-033-03-reverse-zone-option.patch Type: text/x-patch Size: 7632 bytes Desc: not available URL: -------------- next part -------------- A non-text attachment was scrubbed... Name: jhrozek-freeipa-033-03-reverse-zone-option.patch.sig Type: application/pgp-signature Size: 72 bytes Desc: not available URL: From ayoung at redhat.com Thu Jan 6 22:25:21 2011 From: ayoung at redhat.com (Adam Young) Date: Thu, 06 Jan 2011 17:25:21 -0500 Subject: [Freeipa-devel] [PATCH] admiyo-0131-facet-nesting Message-ID: <4D264151.5070901@redhat.com> -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-admiyo-0131-facet-nesting.patch Type: text/x-patch Size: 5968 bytes Desc: not available URL: From ayoung at redhat.com Thu Jan 6 22:54:51 2011 From: ayoung at redhat.com (Adam Young) Date: Thu, 06 Jan 2011 17:54:51 -0500 Subject: [Freeipa-devel] [PATCH] admiyo-0131-facet-nesting In-Reply-To: <4D264151.5070901@redhat.com> References: <4D264151.5070901@redhat.com> Message-ID: <4D26483B.1000700@redhat.com> Use this patch to see the changes in the meta data. Depends on 131 On 01/06/2011 05:25 PM, Adam Young wrote: > > > _______________________________________________ > Freeipa-devel mailing list > Freeipa-devel at redhat.com > https://www.redhat.com/mailman/listinfo/freeipa-devel -------------- next part -------------- An HTML attachment was scrubbed... URL: -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-admiyo-0132-metatdata-for-facet_groups.patch Type: text/x-patch Size: 11052 bytes Desc: not available URL: From ayoung at redhat.com Thu Jan 6 23:10:41 2011 
From: ayoung at redhat.com (Adam Young) Date: Thu, 06 Jan 2011 18:10:41 -0500 Subject: [Freeipa-devel] [PATCH] admiyo-0133-bad-request-workaround Message-ID: <4D264BF1.503@redhat.com> -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-admiyo-0133-bad-request-workaround.patch Type: text/x-patch Size: 920 bytes Desc: not available URL: From edewata at redhat.com Fri Jan 7 01:40:24 2011 From: edewata at redhat.com (Endi Sukma Dewata) Date: Fri, 07 Jan 2011 08:40:24 +0700 Subject: [Freeipa-devel] [PATCH] Move undo button next to selected radio button. Message-ID: <4D266F08.6090807@redhat.com> Hi, The attached patch should fix item #2 in this bug: https://fedorahosted.org/freeipa/ticket/671 Thanks! -- Endi S. Dewata -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-edewata-0061-Move-undo-button-next-to-selected-radio-button.patch Type: text/x-patch Size: 2995 bytes Desc: not available URL: From ayoung at redhat.com Fri Jan 7 02:33:05 2011 From: ayoung at redhat.com (Adam Young) Date: Thu, 06 Jan 2011 21:33:05 -0500 Subject: [Freeipa-devel] [PATCH] Move undo button next to selected radio button. In-Reply-To: <4D266F08.6090807@redhat.com> References: <4D266F08.6090807@redhat.com> Message-ID: <4D267B61.4000007@redhat.com> On 01/06/2011 08:40 PM, Endi Sukma Dewata wrote: > Hi, > > The attached patch should fix item #2 in this bug: > https://fedorahosted.org/freeipa/ticket/671 > > Thanks! > > > _______________________________________________ > Freeipa-devel mailing list > Freeipa-devel at redhat.com > https://www.redhat.com/mailman/listinfo/freeipa-devel ACK. Pushed to master -------------- next part -------------- An HTML attachment was scrubbed... URL: From edewata at redhat.com Fri Jan 7 03:50:58 2011 
From: edewata at redhat.com (Endi Sukma Dewata) Date: Fri, 07 Jan 2011 10:50:58 +0700 Subject: [Freeipa-devel] [PATCH] admiyo-0130-dns-record-style In-Reply-To: <4D260708.9060508@redhat.com> References: <4D260708.9060508@redhat.com> Message-ID: <4D268DA2.5070602@redhat.com> On 1/7/2011 1:16 AM, Adam Young wrote: > Fixes https://fedorahosted.org/freeipa/ticket/693 ACK and pushed. -- Endi S. Dewata From edewata at redhat.com Fri Jan 7 04:47:12 2011 From: edewata at redhat.com (Endi Sukma Dewata) Date: Fri, 07 Jan 2011 11:47:12 +0700 Subject: [Freeipa-devel] [PATCH] admiyo-0131-facet-nesting In-Reply-To: <4D26483B.1000700@redhat.com> References: <4D264151.5070901@redhat.com> <4D26483B.1000700@redhat.com> Message-ID: <4D269AD0.6030800@redhat.com> On 1/7/2011 5:54 AM, Adam Young wrote: > Use this patch to see the changes in the meta data. Depends on 131 ACK and pushed 131 & 132. -- Endi S. Dewata From jhrozek at redhat.com Fri Jan 7 05:26:52 2011 
From: jhrozek at redhat.com (Jakub Hrozek) Date: Fri, 7 Jan 2011 06:26:52 +0100 Subject: [Freeipa-devel] [PATCH] 034 Do not use LDAP_DEPRECATED in plugins and client In-Reply-To: <201101061327.50912.jzeleny@redhat.com> References: <4D25A759.40001@redhat.com> <201101061327.50912.jzeleny@redhat.com> Message-ID: <20110107052651.GA16270@zeppelin.brq.redhat.com> On Thu, Jan 06, 2011 at 01:27:50PM +0100, Jan Zelen? wrote: > Jakub Hrozek wrote: > > Remove the LDAP_DEPRECATED constant and do not use functions that are > > marked as deprecated in recent OpenLDAP releases. Also always define > > WITH_{MOZLDAP,OPENLDAP} since there are conditional header includes that > > depend on that constant. > > > > A related question - since we only support Fedora 14 now and we always > > compile with --with-openldap on that platform, should we remove the > > mozldap code altogether? I don't think it would cause any harm, > > realistically, there should be no users. > > > > https://fedorahosted.org/freeipa/ticket/576 > > Nack, > > please unify whitespaces in indentation. Done. In this version, the whitespaces are the the same as in the original file (mostly spaces, one of them tabs). > Also I'm curious about adding those > includes in ipapwd.h - does this have any (positive/or negative) impact? They > seem a little redundant. > Harmless, but no positive effect, so I removed them. They were probably a result of refactoring or testing.. > Note: I think another patch changing whitespaces to correspond with our coding > policy is in order after this one is pushed. > Agreed that we should unify the code w.r.t. whitespace used (die tabs, die..) This could be a cleanup task later on. -------------- next part -------------- >From 29fc8d7c5785c25b838751767c307cb7bc3ad14c Mon Sep 17 00:00:00 2001 
From: Jakub Hrozek Date: Mon, 3 Jan 2011 16:16:57 +0100 Subject: [PATCH] Do not use LDAP_DEPRECATED in plugins Remove the LDAP_DEPRECATED constant and do not use functions that are marked as deprecated in recent OpenLDAP releases. Also always define WITH_{MOZLDAP,OPENLDAP} since there are conditional header includes that depend on that constant. https://fedorahosted.org/freeipa/ticket/576 --- daemons/configure.ac | 2 + daemons/ipa-kpasswd/ipa_kpasswd.c | 18 +++++-- daemons/ipa-slapi-plugins/ipa-pwd-extop/ipapwd.h | 2 - .../ipa-pwd-extop/ipapwd_common.c | 50 +++++++++++++++---- .../ipa-slapi-plugins/ipa-winsync/ipa-winsync.c | 24 ++++++++- ipa-client/ipa-client-common.h | 4 ++ ipa-client/ipa-getkeytab.c | 4 -- ipa-client/ipa-join.c | 31 +++++++++++-- 8 files changed, 106 insertions(+), 29 deletions(-) diff --git a/daemons/configure.ac b/daemons/configure.ac index 221a63a..370c5d6 100644 --- a/daemons/configure.ac +++ b/daemons/configure.ac @@ -199,9 +199,11 @@ AC_ARG_WITH([openldap], if test "x$with_openldap" == xyes; then LDAP_CFLAGS="${OPENLDAP_CFLAGS} $NSPR4 $NSS3 -DUSE_OPENLDAP" LDAP_LIBS="${OPENLDAP_LIBS}" + AC_DEFINE_UNQUOTED(WITH_OPENLDAP, 1, [Use OpenLDAP libraries]) else LDAP_CFLAGS="${MOZLDAP_CFLAGS}" LDAP_LIBS="${MOZLDAP_LIBS}" + AC_DEFINE_UNQUOTED(WITH_MOZLDAP, 1, [Use Mozilla LDAP libraries]) fi AC_SUBST(LDAP_CFLAGS) AC_SUBST(LDAP_LIBS) diff --git a/daemons/ipa-kpasswd/ipa_kpasswd.c b/daemons/ipa-kpasswd/ipa_kpasswd.c index 9b4c2dd..a506cec 100644 --- a/daemons/ipa-kpasswd/ipa_kpasswd.c +++ b/daemons/ipa-kpasswd/ipa_kpasswd.c @@ -42,7 +42,6 @@ #ifdef WITH_MOZLDAP #include #else -#define LDAP_DEPRECATED 1 #include #endif #include @@ -331,6 +330,7 @@ int ldap_pwd_change(char *client_name, char *realm_name, krb5_data pwd, char **e struct berval *control = NULL; struct berval newpw; char hostname[1024]; + char *uri; struct berval **ncvals; char *ldap_base = NULL; char *filter; 
@@ -386,11 +386,19 @@ int ldap_pwd_change(char *client_name, char *realm_name, krb5_data pwd, char **e goto done; } + ret = asprintf(&uri, "ldap://%s:389", hostname); + if (ret == -1) { + syslog(LOG_ERR, "Out of memory!"); + goto done; + } + /* connect to ldap server */ /* TODO: support referrals ? */ - ld = ldap_init(hostname, 389); - if(ld == NULL) { - syslog(LOG_ERR, "Unable to connect to ldap server"); + ret = ldap_initialize(&ld, uri); + free(uri); + if(ret != LDAP_SUCCESS) { + syslog(LOG_ERR, "Unable to connect to ldap server: %s", + ldap_err2string(ret)); goto done; } @@ -414,7 +422,7 @@ int ldap_pwd_change(char *client_name, char *realm_name, krb5_data pwd, char **e /* find base dn */ /* TODO: address the case where we have multiple naming contexts */ tv.tv_sec = 10; - tv.tv_usec = 0; + tv.tv_usec = 0; ret = ldap_search_ext_s(ld, "", LDAP_SCOPE_BASE, "objectclass=*", root_attrs, 0, diff --git a/daemons/ipa-slapi-plugins/ipa-pwd-extop/ipapwd.h b/daemons/ipa-slapi-plugins/ipa-pwd-extop/ipapwd.h index 4f8764f..aaaeeb7 100644 --- a/daemons/ipa-slapi-plugins/ipa-pwd-extop/ipapwd.h +++ b/daemons/ipa-slapi-plugins/ipa-pwd-extop/ipapwd.h @@ -49,8 +49,6 @@ #include #include -#define LDAP_DEPRECATED 1 - #include #include #include diff --git a/daemons/ipa-slapi-plugins/ipa-pwd-extop/ipapwd_common.c b/daemons/ipa-slapi-plugins/ipa-pwd-extop/ipapwd_common.c index cf6b3fc..2bc36c0 100644 --- a/daemons/ipa-slapi-plugins/ipa-pwd-extop/ipapwd_common.c +++ b/daemons/ipa-slapi-plugins/ipa-pwd-extop/ipapwd_common.c 
@@ -373,6 +373,40 @@ static void pwd_values_free(Slapi_ValueSet** results, slapi_vattr_values_free(results, actual_type_name, buffer_flags); } +static int ipapwd_rdn_count(const char *dn) +{ + int rdnc = 0; + +#ifdef WITH_MOZLDAP + char **edn; + + edn = ldap_explode_dn(dn, 0); + if (!edn) { + LOG_TRACE("ldap_explode_dn(dn) failed ?!"); + return -1; + } + + for (rdnc = 0; edn != NULL && edn[rdnc]; rdnc++) /* count */ ; + ldap_value_free(edn); +#else + /* both ldap_explode_dn and ldap_value_free are deprecated + * in OpenLDAP */ + LDAPDN ldn; + int ret; + + ret = ldap_str2dn(dn, &ldn, LDAP_DN_FORMAT_LDAPV3); + if (ret != LDAP_SUCCESS) { + LOG_TRACE("ldap_str2dn(dn) failed ?!"); + return -1; + } + + for (rdnc = 0; ldn != NULL && ldn[rdnc]; rdnc++) /* count */ ; + ldap_dnfree(ldn); +#endif + + return rdnc; +} + static int ipapwd_getPolicy(const char *dn, Slapi_Entry *target, Slapi_Entry **e) { @@ -386,7 +420,6 @@ static int ipapwd_getPolicy(const char *dn, "krbPwdHistoryLength", NULL}; Slapi_Entry **es = NULL; Slapi_Entry *pe = NULL; - char **edn; int ret, res, dist, rdnc, scope, i; Slapi_DN *sdn = NULL; int buffer_flags=0; @@ -465,14 +498,12 @@ static int ipapwd_getPolicy(const char *dn, } /* count number of RDNs in DN */ - edn = ldap_explode_dn(dn, 0); - if (!edn) { - LOG_TRACE("ldap_explode_dn(dn) failed ?!"); + rdnc = ipapwd_rdn_count(dn); + if (rdnc == -1) { + LOG_TRACE("ipapwd_rdn_count(dn) failed"); ret = -1; goto done; } - for (rdnc = 0; edn[rdnc]; rdnc++) /* count */ ; - ldap_value_free(edn); pe = NULL; dist = -1; @@ -490,15 +521,12 @@ static int ipapwd_getPolicy(const char *dn, } if (slapi_sdn_issuffix(sdn, esdn)) { const char *dn1; - char **e1; int c1; dn1 = slapi_sdn_get_dn(esdn); if (!dn1) continue; - e1 = ldap_explode_dn(dn1, 0); - if (!e1) continue; - for (c1 = 0; e1[c1]; c1++) /* count */ ; - ldap_value_free(e1); + c1 = ipapwd_rdn_count(dn1); + if (c1 == -1) continue; if ((dist == -1) || ((rdnc - c1) < dist)) { dist = rdnc - c1; 
diff --git a/daemons/ipa-slapi-plugins/ipa-winsync/ipa-winsync.c b/daemons/ipa-slapi-plugins/ipa-winsync/ipa-winsync.c index 10aa188..bfad0cf 100644 --- a/daemons/ipa-slapi-plugins/ipa-winsync/ipa-winsync.c +++ b/daemons/ipa-slapi-plugins/ipa-winsync/ipa-winsync.c @@ -41,8 +41,6 @@ # include #endif -#define LDAP_DEPRECATED 1 - /* * Windows Synchronization Plug-in for IPA * This plugin allows IPA to intercept operations sent from @@ -375,7 +373,6 @@ ipa_winsync_get_new_ds_user_dn_cb(void *cbdata, const Slapi_Entry *rawentry, Slapi_Entry *ad_entry, char **new_dn_string, const Slapi_DN *ds_suffix, const Slapi_DN *ad_suffix) { - char **rdns = NULL; PRBool flatten = PR_TRUE; IPA_WinSync_Config *ipaconfig = ipa_winsync_get_config(); @@ -390,6 +387,9 @@ ipa_winsync_get_new_ds_user_dn_cb(void *cbdata, const Slapi_Entry *rawentry, return; } +#ifdef WITH_MOZLDAP + char **rdns = NULL; + rdns = ldap_explode_dn(*new_dn_string, 0); if (!rdns || !rdns[0]) { ldap_value_free(rdns); @@ -399,6 +399,24 @@ ipa_winsync_get_new_ds_user_dn_cb(void *cbdata, const Slapi_Entry *rawentry, slapi_ch_free_string(new_dn_string); *new_dn_string = slapi_ch_smprintf("%s,%s", rdns[0], slapi_sdn_get_dn(ds_suffix)); ldap_value_free(rdns); +#else + /* both ldap_explode_dn and ldap_value_free are deprecated + * in OpenLDAP */ + LDAPDN ldn; + int ret; + char *rdn; + + ret = ldap_str2dn(*new_dn_string, &ldn, LDAP_DN_FORMAT_LDAPV3); + if (ret != LDAP_SUCCESS) { + LOG_TRACE("ldap_str2dn(dn) failed ?!"); + return; + } + + ldap_rdn2str(ldn[0], &rdn, LDAP_DN_FORMAT_UFN); + *new_dn_string = slapi_ch_smprintf("%s,%s", rdn, slapi_sdn_get_dn(ds_suffix)); + ldap_dnfree(ldn); + ldap_memfree(rdn); +#endif LOG("<-- ipa_winsync_get_new_ds_user_dn_cb -- new dn [%s] -- end\n", *new_dn_string); diff --git a/ipa-client/ipa-client-common.h b/ipa-client/ipa-client-common.h index 863b805..b738fb4 100644 --- a/ipa-client/ipa-client-common.h +++ b/ipa-client/ipa-client-common.h 
@@ -23,6 +23,10 @@ #include #define _(STRING) gettext(STRING) +#ifndef discard_const +#define discard_const(ptr) ((void *)((uintptr_t)(ptr))) +#endif + int init_gettext(void); #endif /* __IPA_CLIENT_COMMON_H */ diff --git a/ipa-client/ipa-getkeytab.c b/ipa-client/ipa-getkeytab.c index 96747a8..8f108de 100644 --- a/ipa-client/ipa-getkeytab.c +++ b/ipa-client/ipa-getkeytab.c @@ -57,10 +57,6 @@ #define KEYTAB_SET_OID "2.16.840.1.113730.3.8.3.1" #define KEYTAB_RET_OID "2.16.840.1.113730.3.8.3.2" -#ifndef discard_const -#define discard_const(ptr) ((void *)((uintptr_t)(ptr))) -#endif - struct krb_key_salt { krb5_enctype enctype; krb5_int32 salttype; diff --git a/ipa-client/ipa-join.c b/ipa-client/ipa-join.c index 5c3d140..ff0fed9 100644 --- a/ipa-client/ipa-join.c +++ b/ipa-client/ipa-join.c @@ -18,7 +18,6 @@ */ #define _GNU_SOURCE -#define LDAP_DEPRECATED 1 #include #include @@ -178,6 +177,9 @@ connect_ldap(const char *hostname, const char *binddn, const char *bindpw) { int version = LDAP_VERSION3; int ret; int ldapdebug = 0; + char *uri; + struct berval bindpw_bv; + if (debug) { ldapdebug=2; ret = ldap_set_option(NULL, LDAP_OPT_DEBUG_LEVEL, &ldapdebug); @@ -186,7 +188,20 @@ connect_ldap(const char *hostname, const char *binddn, const char *bindpw) { if (ldap_set_option(NULL, LDAP_OPT_X_TLS_CACERTFILE, CAFILE) != LDAP_OPT_SUCCESS) goto fail; - ld = (LDAP *)ldap_init(hostname, 636); + ret = asprintf(&uri, "ldaps://%s:636", hostname); + if (ret == -1) { + fprintf(stderr, _("Out of memory!")); + goto fail; + } + + ret = ldap_initialize(&ld, uri); + free(uri); + if(ret != LDAP_SUCCESS) { + fprintf(stderr, _("Unable to initialize connection to ldap server: %s"), + ldap_err2string(ret)); + goto fail; + } + if (ldap_set_option(ld, LDAP_OPT_X_TLS, &ssl) != LDAP_OPT_SUCCESS) { fprintf(stderr, _("Unable to enable SSL in LDAP\n")); goto fail; 
@@ -198,7 +213,12 @@ connect_ldap(const char *hostname, const char *binddn, const char *bindpw) { goto fail; } - ret = ldap_bind_s(ld, binddn, bindpw, LDAP_AUTH_SIMPLE); + bindpw_bv.bv_val = discard_const(bindpw); + bindpw_bv.bv_len = strlen(bindpw); + + ret = ldap_sasl_bind_s(ld, binddn, LDAP_SASL_SIMPLE, &bindpw_bv, + NULL, NULL, NULL); + if (ret != LDAP_SUCCESS) { int err; @@ -446,7 +466,10 @@ join_ldap(const char *ipaserver, char *hostname, const char ** binddn, const cha if ((rc = ldap_extended_operation_s(ld, JOIN_OID, &valrequest, NULL, NULL, &oidresult, &valresult)) != LDAP_SUCCESS) { if (!quiet) fprintf(stderr, _("principal not found in host entry\n")); - if (debug) ldap_perror(ld, "ldap_extended_operation_s"); + if (debug) { + fprintf(stderr, "ldap_extended_operation_s failed: %s", + ldap_err2string(rc)); + } rval = 18; goto ldap_done; } -- 1.7.3.4 From edewata at redhat.com Fri Jan 7 06:16:01 2011 From: edewata at redhat.com (Endi Sukma Dewata) Date: Fri, 07 Jan 2011 13:16:01 +0700 Subject: [Freeipa-devel] [PATCH] admiyo-0133-bad-request-workaround In-Reply-To: <4D264BF1.503@redhat.com> References: <4D264BF1.503@redhat.com> Message-ID: <4D26AFA1.5080309@redhat.com> On 1/7/2011 6:10 AM, Adam Young wrote: > ACK and pushed to master. -- Endi S. Dewata From jzeleny at redhat.com Fri Jan 7 08:53:15 2011 
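Review bot: in the daemons/configure.ac hunk, LDAP_CFLAGS still carries -DUSE_OPENLDAP on the line right above the new AC_DEFINE_UNQUOTED(WITH_OPENLDAP, ...), so the OpenLDAP build now sets two preprocessor symbols with the same meaning while the Mozilla branch only gets WITH_MOZLDAP; either drop -DUSE_OPENLDAP or state which of the two the sources are meant to test. Also, since the value is the literal 1, plain AC_DEFINE is sufficient; AC_DEFINE_UNQUOTED is only needed when the value contains shell expansions.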
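Review bot: in the ipa_kpasswd.c hunk at @@ -386,11 +386,19 @@, the failure branch of ldap_initialize() still logs "Unable to connect to ldap server", but unlike the old ldap_init() call it only allocates the handle and parses the URI; the TCP connection is opened lazily on the first operation, so the message should say "initialize" and genuine connection errors will now surface later (from the ldap_search_ext_s in the following hunk). Both new error paths also fall through to done with ret holding either -1 from asprintf() or an LDAP result code, whereas the old NULL-handle path jumped to done without touching ret; check that the code after the done: label treats those values the way the caller expects.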
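Review bot: in the ipapwd_rdn_count() hunk of ipapwd_common.c, the `edn != NULL` test in the mozldap counting loop is dead code because the function already returned -1 when edn is NULL; the equivalent test in the OpenLDAP branch is needed (ldap_str2dn() returns LDAP_SUCCESS with a NULL LDAPDN for the empty DN), so a comment explaining why the two loops differ would help the next reader. Minor: both callers in ipapwd_getPolicy() log "ipapwd_rdn_count(dn) failed" right after the helper has already emitted its own LOG_TRACE, so each failure is reported twice.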
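Review bot: the OpenLDAP branch of the ipa_winsync_get_new_ds_user_dn_cb() hunk in ipa-winsync.c builds the new DN with ldap_rdn2str(ldn[0], &rdn, LDAP_DN_FORMAT_UFN); the UFN format is the RFC 1781 "user friendly" rendering that drops attribute types, so for a uid= RDN rdn comes back as the bare value rather than "uid=value" and the resulting "%s,%s" string is not a valid DN. It should be LDAP_DN_FORMAT_LDAPV3, and the return value of ldap_rdn2str() must be checked before rdn is used and freed. Two further differences from the mozldap branch just above it: ldn[0] is dereferenced without a NULL check, while the mozldap code guards with !rdns || !rdns[0], and *new_dn_string is overwritten without the slapi_ch_free_string(new_dn_string) the mozldap branch performs first, which leaks the original string.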
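Review bot: in the connect_ldap() hunk of ipa-join.c at @@ -186,7 +188,20 @@, the two new fprintf() messages lack the trailing "\n" that the neighbouring "Unable to enable SSL in LDAP\n" message has, so whatever is printed next runs onto the same line. Worth a second look as well: the handle is now created from an ldaps:// URI and is immediately followed by the pre-existing ldap_set_option(ld, LDAP_OPT_X_TLS, &ssl); with the ldaps scheme TLS is already selected by the URI, so either the option call is now redundant or the URI could stay ldap:// and keep the option. Pick one so the intent is clear.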
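Review bot: in the ipa-join.c hunk at @@ -198,7 +213,12 @@, bindpw_bv.bv_len = strlen(bindpw) dereferences bindpw unconditionally; the ldap_bind_s() call it replaces accepted a NULL password (anonymous bind), so if any caller of connect_ldap() can pass NULL this now crashes. Either assert that precondition or set bv_val to NULL and bv_len to 0 in that case. The switch to ldap_sasl_bind_s(..., LDAP_SASL_SIMPLE, ...) itself is the right replacement for the deprecated call.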
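Review bot: in the join_ldap() hunk of ipa-join.c at @@ -446,7 +466,10 @@, replacing ldap_perror() with ldap_err2string(rc) drops the server-supplied diagnostic text that ldap_perror() printed alongside the error name, and for a failed extended operation that text is usually the only useful clue. Consider fetching it with ldap_get_option(ld, LDAP_OPT_DIAGNOSTIC_MESSAGE, &msg) (LDAP_OPT_ERROR_STRING on older OpenLDAP), printing it after the error string and releasing it with ldap_memfree(). The new message also lacks a trailing "\n".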
From: jzeleny at redhat.com (Jan =?iso-8859-15?q?Zelen=FD?=) Date: Fri, 7 Jan 2011 09:53:15 +0100 Subject: [Freeipa-devel] [PATCH] 0043 fix ipa-dns-install to not require DM password In-Reply-To: <1294337628.3156.30.camel@localhost.localdomain> References: <1294249792.2908.6.camel@localhost.localdomain> <201101061035.18545.jzeleny@redhat.com> <1294337628.3156.30.camel@localhost.localdomain> Message-ID: <201101070953.15570.jzeleny@redhat.com> Simo Sorce wrote: > On Thu, 2011-01-06 at 10:35 +0100, Jan Zelen? wrote: > > Simo Sorce wrote: > > > This patch makes it possible to run ipa-dns-install and use the admin > > > kerberos credentials. > > > > > > Fixes #686. > > > > > > Simo. > > > > Nack, I have some comments: > > > > Exception handling (chunk #4): > > Those prints should go away. But the main thing: that particular part of > > code doesn't seem to produce any exceptions, which should be handled > > > > Function ldap_disconnect isn't used anywhere. That makes me wonder - is > > it redundant or should it be somewhere in the code. I guess this is a > > policy issue - either we want the connection to stay as long as possible > > or we want to use it only for a certain set of commands and then > > disconnect it. > > Attached new patch that fixes hunk #4. > Actually I ended up using ldap_disconnect() here as we need to test the > ldap connection anyway. > I also had to do minor changes to Bindinstance() as the code was > clearing self.fqdn after Service.__init__ set it. > > Simo. Nack, IMO in case invalid credentials are given and the script runs in unattended mode, the script should exit and not ask for the password. Jan From jzeleny at redhat.com Fri Jan 7 09:00:06 2011 
From: jzeleny at redhat.com (Jan =?iso-8859-15?q?Zelen=FD?=) Date: Fri, 7 Jan 2011 10:00:06 +0100 Subject: [Freeipa-devel] [PATCH] 034 Do not use LDAP_DEPRECATED in plugins and client In-Reply-To: <20110107052651.GA16270@zeppelin.brq.redhat.com> References: <4D25A759.40001@redhat.com> <201101061327.50912.jzeleny@redhat.com> <20110107052651.GA16270@zeppelin.brq.redhat.com> Message-ID: <201101071000.06893.jzeleny@redhat.com> Jakub Hrozek wrote: > On Thu, Jan 06, 2011 at 01:27:50PM +0100, Jan Zelen? wrote: > > Jakub Hrozek wrote: > > > Remove the LDAP_DEPRECATED constant and do not use functions that are > > > marked as deprecated in recent OpenLDAP releases. Also always define > > > WITH_{MOZLDAP,OPENLDAP} since there are conditional header includes > > > that depend on that constant. > > > > > > A related question - since we only support Fedora 14 now and we always > > > compile with --with-openldap on that platform, should we remove the > > > mozldap code altogether? I don't think it would cause any harm, > > > realistically, there should be no users. > > > > > > https://fedorahosted.org/freeipa/ticket/576 > > > > Nack, > > > > please unify whitespaces in indentation. > > Done. In this version, the whitespaces are the the same as in the > original file (mostly spaces, one of them tabs). > > > Also I'm curious about adding those > > includes in ipapwd.h - does this have any (positive/or negative) impact? > > They seem a little redundant. > > Harmless, but no positive effect, so I removed them. They were probably > a result of refactoring or testing.. > > > Note: I think another patch changing whitespaces to correspond with our > > coding policy is in order after this one is pushed. > > Agreed that we should unify the code w.r.t. whitespace used (die > tabs, die..) This could be a cleanup task later on. Please file the ticket. The patch is ok now. ACK Jan From ssorce at redhat.com Fri Jan 7 09:37:37 2011 
From: ssorce at redhat.com (Simo Sorce) Date: Fri, 07 Jan 2011 04:37:37 -0500 Subject: [Freeipa-devel] [PATCH] 0043 fix ipa-dns-install to not require DM password In-Reply-To: <201101070953.15570.jzeleny@redhat.com> References: <1294249792.2908.6.camel@localhost.localdomain> <201101061035.18545.jzeleny@redhat.com> <1294337628.3156.30.camel@localhost.localdomain> <201101070953.15570.jzeleny@redhat.com> Message-ID: <1294393057.2894.0.camel@localhost.localdomain> On Fri, 2011-01-07 at 09:53 +0100, Jan Zelen? wrote: > Simo Sorce wrote: > > On Thu, 2011-01-06 at 10:35 +0100, Jan Zelen? wrote: > > > Simo Sorce wrote: > > > > This patch makes it possible to run ipa-dns-install and use the admin > > > > kerberos credentials. > > > > > > > > Fixes #686. > > > > > > > > Simo. > > > > > > Nack, I have some comments: > > > > > > Exception handling (chunk #4): > > > Those prints should go away. But the main thing: that particular part of > > > code doesn't seem to produce any exceptions, which should be handled > > > > > > Function ldap_disconnect isn't used anywhere. That makes me wonder - is > > > it redundant or should it be somewhere in the code. I guess this is a > > > policy issue - either we want the connection to stay as long as possible > > > or we want to use it only for a certain set of commands and then > > > disconnect it. > > > > Attached new patch that fixes hunk #4. > > Actually I ended up using ldap_disconnect() here as we need to test the > > ldap connection anyway. > > I also had to do minor changes to Bindinstance() as the code was > > clearing self.fqdn after Service.__init__ set it. > > > > Simo. > > Nack, > IMO in case invalid credentials are given and the script runs in unattended > mode, the script should exit and not ask for the password. Good catch! New patch attached. Simo. -------------- next part -------------- A non-text attachment was scrubbed... 
Name: freeipa-simo-0043-3-Allow-ipa-dns-install-to-install-with-just-admin-cre.patch Type: application/mbox Size: 18008 bytes Desc: not available URL: From jzeleny at redhat.com Fri Jan 7 09:44:25 2011 
From: jzeleny at redhat.com (Jan =?iso-8859-15?q?Zelen=FD?=) Date: Fri, 7 Jan 2011 10:44:25 +0100 Subject: [Freeipa-devel] [PATCH] 0043 fix ipa-dns-install to not require DM password In-Reply-To: <1294393057.2894.0.camel@localhost.localdomain> References: <1294249792.2908.6.camel@localhost.localdomain> <201101070953.15570.jzeleny@redhat.com> <1294393057.2894.0.camel@localhost.localdomain> Message-ID: <201101071044.25977.jzeleny@redhat.com> Simo Sorce wrote: > On Fri, 2011-01-07 at 09:53 +0100, Jan Zelen? wrote: > > Simo Sorce wrote: > > > On Thu, 2011-01-06 at 10:35 +0100, Jan Zelen? wrote: > > > > Simo Sorce wrote: > > > > > This patch makes it possible to run ipa-dns-install and use the > > > > > admin kerberos credentials. > > > > > > > > > > Fixes #686. > > > > > > > > > > Simo. > > > > > > > > Nack, I have some comments: > > > > > > > > Exception handling (chunk #4): > > > > Those prints should go away. But the main thing: that particular part > > > > of code doesn't seem to produce any exceptions, which should be > > > > handled > > > > > > > > Function ldap_disconnect isn't used anywhere. That makes me wonder - > > > > is it redundant or should it be somewhere in the code. I guess this > > > > is a policy issue - either we want the connection to stay as long as > > > > possible or we want to use it only for a certain set of commands and > > > > then disconnect it. > > > > > > Attached new patch that fixes hunk #4. > > > Actually I ended up using ldap_disconnect() here as we need to test the > > > ldap connection anyway. > > > I also had to do minor changes to Bindinstance() as the code was > > > clearing self.fqdn after Service.__init__ set it. > > > > > > Simo. > > > > Nack, > > IMO in case invalid credentials are given and the script runs in > > unattended mode, the script should exit and not ask for the password. > > Good catch! > > New patch attached. > > Simo. ack Jan From ssorce at redhat.com Fri Jan 7 09:52:29 2011 
From: ssorce at redhat.com (Simo Sorce) Date: Fri, 07 Jan 2011 04:52:29 -0500 Subject: [Freeipa-devel] [PATCH] 033 Add new installer option for reverse zone creation In-Reply-To: <4D260D36.8020306@redhat.com> References: <4D244EF1.8050502@redhat.com> <201101051309.41814.jzeleny@redhat.com> <4D24665D.5090309@redhat.com> <201101051344.08579.jzeleny@redhat.com> <4D24A1E9.6010207@redhat.com> <4D25FC89.2040909@redhat.com> <4D260D36.8020306@redhat.com> Message-ID: <1294393949.2894.5.camel@localhost.localdomain> On Thu, 2011-01-06 at 19:43 +0100, Jakub Hrozek wrote: > > On reading the complete discussion (thanks for reminding me, Dmitri), > we > only flip the default for the reverse zone creation to True. Attached > is > a patch that has a --no-reverse option instead of --create-reverse and > reverts the default in the installer. ACK. Simo. From ssorce at redhat.com Fri Jan 7 09:55:04 2011 From: ssorce at redhat.com (Simo Sorce) Date: Fri, 07 Jan 2011 04:55:04 -0500 Subject: [Freeipa-devel] [PATCH] 0042 Fix dns install on replicas In-Reply-To: <201101061300.14776.jzeleny@redhat.com> References: <1294151967.2930.19.camel@localhost.localdomain> <201101061300.14776.jzeleny@redhat.com> Message-ID: <1294394105.2894.7.camel@localhost.localdomain> On Thu, 2011-01-06 at 13:00 +0100, Jan Zelen? wrote: > Simo Sorce wrote: > > DNS installation on replicas was broken. > > This patch fixes both the --setup-dns switch of ipa-replica-install as > > well as running ipa-dns-install on an existing replica. > > > > Simo. > > ack Pushed to master. Simo. From ssorce at redhat.com Fri Jan 7 09:55:34 2011 
From: ssorce at redhat.com (Simo Sorce) Date: Fri, 07 Jan 2011 04:55:34 -0500 Subject: [Freeipa-devel] [PATCH] 0043 fix ipa-dns-install to not require DM password In-Reply-To: <201101071044.25977.jzeleny@redhat.com> References: <1294249792.2908.6.camel@localhost.localdomain> <201101070953.15570.jzeleny@redhat.com> <1294393057.2894.0.camel@localhost.localdomain> <201101071044.25977.jzeleny@redhat.com> Message-ID: <1294394134.2894.9.camel@localhost.localdomain> On Fri, 2011-01-07 at 10:44 +0100, Jan Zelen? wrote: > Simo Sorce wrote: > > On Fri, 2011-01-07 at 09:53 +0100, Jan Zelen? wrote: > > > Simo Sorce wrote: > > > > On Thu, 2011-01-06 at 10:35 +0100, Jan Zelen? wrote: > > > > > Simo Sorce wrote: > > > > > > This patch makes it possible to run ipa-dns-install and use the > > > > > > admin kerberos credentials. > > > > > > > > > > > > Fixes #686. > > > > > > > > > > > > Simo. > > > > > > > > > > Nack, I have some comments: > > > > > > > > > > Exception handling (chunk #4): > > > > > Those prints should go away. But the main thing: that particular part > > > > > of code doesn't seem to produce any exceptions, which should be > > > > > handled > > > > > > > > > > Function ldap_disconnect isn't used anywhere. That makes me wonder - > > > > > is it redundant or should it be somewhere in the code. I guess this > > > > > is a policy issue - either we want the connection to stay as long as > > > > > possible or we want to use it only for a certain set of commands and > > > > > then disconnect it. > > > > > > > > Attached new patch that fixes hunk #4. > > > > Actually I ended up using ldap_disconnect() here as we need to test the > > > > ldap connection anyway. > > > > I also had to do minor changes to Bindinstance() as the code was > > > > clearing self.fqdn after Service.__init__ set it. > > > > > > > > Simo. > > > > > > Nack, > > > IMO in case invalid credentials are given and the script runs in > > > unattended mode, the script should exit and not ask for the password. 
> > > > Good catch! > > > > New patch attached. > > > > Simo. > > ack > > Jan Thanks, pushed to master. Simo. From ssorce at redhat.com Fri Jan 7 10:01:39 2011 From: ssorce at redhat.com (Simo Sorce) Date: Fri, 07 Jan 2011 05:01:39 -0500 Subject: [Freeipa-devel] [PATCH] 034 Do not use LDAP_DEPRECATED in plugins and client In-Reply-To: <201101071000.06893.jzeleny@redhat.com> References: <4D25A759.40001@redhat.com> <201101061327.50912.jzeleny@redhat.com> <20110107052651.GA16270@zeppelin.brq.redhat.com> <201101071000.06893.jzeleny@redhat.com> Message-ID: <1294394499.2894.11.camel@localhost.localdomain> On Fri, 2011-01-07 at 10:00 +0100, Jan Zelen? wrote: > > The patch is ok now. ACK Pushed to master. Simo. From ssorce at redhat.com Fri Jan 7 10:08:15 2011 From: ssorce at redhat.com (Simo Sorce) Date: Fri, 07 Jan 2011 05:08:15 -0500 Subject: [Freeipa-devel] [PATCH] 033 Add new installer option for reverse zone creation In-Reply-To: <1294393949.2894.5.camel@localhost.localdomain> References: <4D244EF1.8050502@redhat.com> <201101051309.41814.jzeleny@redhat.com> <4D24665D.5090309@redhat.com> <201101051344.08579.jzeleny@redhat.com> <4D24A1E9.6010207@redhat.com> <4D25FC89.2040909@redhat.com> <4D260D36.8020306@redhat.com> <1294393949.2894.5.camel@localhost.localdomain> Message-ID: <1294394895.2894.13.camel@localhost.localdomain> On Fri, 2011-01-07 at 04:52 -0500, Simo Sorce wrote: > On Thu, 2011-01-06 at 19:43 +0100, Jakub Hrozek wrote: > > > > On reading the complete discussion (thanks for reminding me, Dmitri), > > we > > only flip the default for the reverse zone creation to True. Attached > > is > > a patch that has a --no-reverse option instead of --create-reverse and > > reverts the default in the installer. > > ACK. I've fixed a simple conflict in ipa-dns-install that was generated by one of my patches and pushed to master. Simo. From ssorce at redhat.com Fri Jan 7 10:09:42 2011 
From: ssorce at redhat.com (Simo Sorce) Date: Fri, 07 Jan 2011 05:09:42 -0500 Subject: [Freeipa-devel] [PATCH] Rename --ipaddr option of host-add command In-Reply-To: <1294248079.2908.0.camel@localhost.localdomain> References: <201101051644.06649.jzeleny@redhat.com> <1294248079.2908.0.camel@localhost.localdomain> Message-ID: <1294394982.2894.15.camel@localhost.localdomain> On Wed, 2011-01-05 at 12:21 -0500, Simo Sorce wrote: > On Wed, 2011-01-05 at 16:44 +0100, Jan Zelen? wrote: > > The option is renamed to --ip-address to be consistent with > > ipa-replica-prepare. > > > > https://fedorahosted.org/freeipa/ticket/655 > > ACK, Pushed to master. Simo. From ssorce at redhat.com Fri Jan 7 10:16:32 2011 From: ssorce at redhat.com (Simo Sorce) Date: Fri, 07 Jan 2011 05:16:32 -0500 Subject: [Freeipa-devel] [PATCH] 663 better keytab detection In-Reply-To: <201101051322.39596.jzeleny@redhat.com> References: <4D237BA8.1070602@redhat.com> <201101051322.39596.jzeleny@redhat.com> Message-ID: <1294395392.2894.19.camel@localhost.localdomain> On Wed, 2011-01-05 at 13:22 +0100, Jan Zelen? wrote: > Rob Crittenden wrote: > > Make sure the file we're operating on is really a keytab in > > ipa-rmkeytab. Do this by creating a cursor into the keytab. The krb lib > > will return a failure if this can't be done. > > > > ticket 654 > > > > rob > > ack > > Jan Pushed to master. Simo. From jzeleny at redhat.com Fri Jan 7 11:21:34 2011 
From: jzeleny at redhat.com (Jan =?iso-8859-15?q?Zelen=FD?=) Date: Fri, 7 Jan 2011 12:21:34 +0100 Subject: [Freeipa-devel] [PATCH] Modified ipa help behavior In-Reply-To: <4D245E95.8060003@redhat.com> References: <201011080926.12248.jzeleny@redhat.com> <201101051155.58911.jzeleny@redhat.com> <4D245E95.8060003@redhat.com> Message-ID: <201101071221.34075.jzeleny@redhat.com> Jakub Hrozek wrote: > On 01/05/2011 11:55 AM, Jan Zelen? wrote: > > Jakub Hrozek wrote: > >> Nack, > >> > >> the hbac->hbacrule rename is still not complete. There is still > >> "from ipalib.plugins.hbac import is_all" in ipalib/plugins/netgroup.py > >> and "api.register(hbac)" in ipalib/plugins/hbacrule.py and also "ret = > >> self.failsafe_add(api.Object.hbac," in > >> tests/test_xmlrpc/test_hbac_plugin.py > > > > This is final version, all issues have been solved. > > > > Jan > > Ack Can someone please push this? Jan From mkosek at redhat.com Fri Jan 7 14:21:47 2011 From: mkosek at redhat.com (Martin Kosek) Date: Fri, 07 Jan 2011 15:21:47 +0100 Subject: [Freeipa-devel] [PATCH] Use of pointer after free in ipa-join Message-ID: <1294410107.2970.4.camel@dhcp-25-52.brq.redhat.com> In some cases recently freed memory was used/freed again. This patch introduces more consistency between functions join_ldap/join_krb5 when dealing with affected variables. https://fedorahosted.org/freeipa/ticket/709 -------------- next part -------------- A non-text attachment was scrubbed... Name: mkosek-freeipa-002-use-of-pointer-after-free-in-ipa-join.patch Type: text/x-patch Size: 2528 bytes Desc: not available URL: From rcritten at redhat.com Fri Jan 7 14:43:02 2011 
From: rcritten at redhat.com (Rob Crittenden) Date: Fri, 07 Jan 2011 09:43:02 -0500 Subject: [Freeipa-devel] [PATCH] Modified ipa help behavior In-Reply-To: <201101071221.34075.jzeleny@redhat.com> References: <201011080926.12248.jzeleny@redhat.com> <201101051155.58911.jzeleny@redhat.com> <4D245E95.8060003@redhat.com> <201101071221.34075.jzeleny@redhat.com> Message-ID: <4D272676.1030304@redhat.com> Jan Zelený wrote: > Jakub Hrozek wrote: >> On 01/05/2011 11:55 AM, Jan Zelený wrote: >>> Jakub Hrozek wrote: >>>> Nack, >>>> >>>> the hbac->hbacrule rename is still not complete. There is still >>>> "from ipalib.plugins.hbac import is_all" in ipalib/plugins/netgroup.py >>>> and "api.register(hbac)" in ipalib/plugins/hbacrule.py and also "ret = >>>> self.failsafe_add(api.Object.hbac," in >>>> tests/test_xmlrpc/test_hbac_plugin.py >>> >>> This is the final version, all issues have been solved. >>> >>> Jan >> >> Ack > > Can someone please push this? Done, pushed to master rob From jhrozek at redhat.com Fri Jan 7 15:54:49 2011 From: jhrozek at redhat.com (Jakub Hrozek) Date: Fri, 7 Jan 2011 16:54:49 +0100 Subject: [Freeipa-devel] [PATCH] 035 Fixes for the DNS plugin Message-ID: <20110107155449.GA16406@zeppelin.brq.redhat.com> The attached patch fixes ticket #730 as well as a couple of typos in the module help. To test: $ ipa dnszone-add barzone.com --name-server ns.idm.lab.bos.redhat.com --admin-email admin at idm.lab.bos.redhat.com (there must be an A or AAAA record for the nameserver) $ ipa dnsrecord-add barzone.com foo --a-rec 1.2.3.4 $ host foo.barzone.com foo.barzone.com has address 1.2.3.4 From jhrozek at redhat.com Fri Jan 7 15:58:06 2011
From: jhrozek at redhat.com (Jakub Hrozek) Date: Fri, 7 Jan 2011 16:58:06 +0100 Subject: [Freeipa-devel] [PATCH] 035 Fixes for the DNS plugin In-Reply-To: <20110107155449.GA16406@zeppelin.brq.redhat.com> References: <20110107155449.GA16406@zeppelin.brq.redhat.com> Message-ID: <20110107155805.GB16406@zeppelin.brq.redhat.com> On Fri, Jan 07, 2011 at 04:54:49PM +0100, Jakub Hrozek wrote: > The attached patch fixes ticket #730 as well as a couple of typos in the > module help. > > To test: > > $ ipa dnszone-add barzone.com --name-server ns.idm.lab.bos.redhat.com > --admin-email admin at idm.lab.bos.redhat.com > (there must be an A or AAAA record for the nameserver) > $ ipa dnsrecord-add barzone.com foo --a-rec 1.2.3.4 > $ host foo.barzone.com > foo.barzone.com has address 1.2.3.4 > Sorry, I forgot to attach the patch. -------------- next part -------------- >From cd4f99babea1d54f3b3bbcc5a447a580cd050b5a Mon Sep 17 00:00:00 2001 From: Jakub Hrozek Date: Fri, 7 Jan 2011 10:29:16 +0100 Subject: [PATCH] Fixes for the DNS plugin https://fedorahosted.org/freeipa/ticket/730 --- ipalib/plugins/dns2.py | 11 ++++++++--- 1 files changed, 8 insertions(+), 3 deletions(-) diff --git a/ipalib/plugins/dns2.py b/ipalib/plugins/dns2.py index e434309..57b4dbe 100644 --- a/ipalib/plugins/dns2.py +++ b/ipalib/plugins/dns2.py @@ -24,10 +24,10 @@ Manage DNS zone and resource records. EXAMPLES: Add new zone: - ipa dnszone-add example.com --name_server nameserver.example.com - --admin_email admin at example.com + ipa dnszone-add example.com --name-server nameserver.example.com + --admin-email admin at example.com - edd second nameserver for example.com: + Add second nameserver for example.com: ipa dnsrecord-add example.com @ --ns-rec nameserver2.example.com Delete previously added nameserver from example.com: 
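Review bot: The corrected "Add new zone" example in the module help still omits the precondition that the test recipe in this thread spells out, namely that the name server given with --name-server must already have an A or AAAA record, otherwise zone creation fails; add a one-line note under the example (for instance "the name server must already have an A or AAAA record") so that the help text and the actual command behaviour agree. Keeping each example command on a single line would also let it be pasted as-is instead of wrapping in the middle of the option list.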
@@ -246,6 +246,11 @@ class dnszone_add(LDAPCreate): entry_attrs['idnsallowdynupdate'] = str( entry_attrs.get('idnsallowdynupdate', False) ).upper() + + nameserver = entry_attrs['idnssoamname'] + nameserver = nameserver[-1] == '.' and nameserver or nameserver + '.' + entry_attrs['nsrecord'] = nameserver + entry_attrs['idnssoamname'] = nameserver return dn api.register(dnszone_add) -- 1.7.3.4 From ayoung at redhat.com Fri Jan 7 16:15:38 2011 From: ayoung at redhat.com (Adam Young) Date: Fri, 07 Jan 2011 11:15:38 -0500 Subject: [Freeipa-devel] [PATCH] admiyo-0134-Validate-add-dialog-text-fields Message-ID: <4D273C2A.9020805@redhat.com> While this does not solve https://fedorahosted.org/freeipa/ticket/470, it is a necessary precursor. -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-admiyo-0134-Validate-add-dialog-text-fields.patch Type: text/x-patch Size: 4016 bytes Desc: not available URL: From rcritten at redhat.com Fri Jan 7 16:16:08 2011 From: rcritten at redhat.com (Rob Crittenden) Date: Fri, 07 Jan 2011 11:16:08 -0500 Subject: [Freeipa-devel] [PATCH] one-liner Message-ID: <4D273C48.2010902@redhat.com> While doing some aci debugging I noticed that the kdc wasn't allowed to write krbExtraData. I pushed a one-liner to allow that. rob From ayoung at redhat.com Fri Jan 7 16:24:11 2011 From: ayoung at redhat.com (Adam Young) Date: Fri, 07 Jan 2011 11:24:11 -0500 Subject: [Freeipa-devel] [Fwd: [PATCH] admiyo-0122-cancel-on-failure] In-Reply-To: <1294395127.2894.17.camel@localhost.localdomain> References: <1294395127.2894.17.camel@localhost.localdomain> Message-ID: <4D273E2B.8050207@redhat.com> Withdrawn. It has been superseded by a one liner. On 01/07/2011 05:12 AM, Simo Sorce wrote: > This one looks unpushed, is it still valid ? > > Simo. > > -------- Forwarded Message --------
>> From: Adam Young >> To: freeipa-devel >> Subject: [Freeipa-devel] [PATCH] admiyo-0122-cancel-on-failure >> Date: Thu, 23 Dec 2010 14:36:41 -0500 >> >> _______________________________________________ >> Freeipa-devel mailing list >> Freeipa-devel at redhat.com >> https://www.redhat.com/mailman/listinfo/freeipa-devel From ayoung at redhat.com Fri Jan 7 16:26:47 2011 From: ayoung at redhat.com (Adam Young) Date: Fri, 07 Jan 2011 11:26:47 -0500 Subject: [Freeipa-devel] [PATCH] Use of pointer after free in ipa-join In-Reply-To: <1294410107.2970.4.camel@dhcp-25-52.brq.redhat.com> References: <1294410107.2970.4.camel@dhcp-25-52.brq.redhat.com> Message-ID: <4D273EC7.1030505@redhat.com> On 01/07/2011 09:21 AM, Martin Kosek wrote: > In some cases recently freed memory was used/freed again. This > patch introduces more consistency between functions > join_ldap/join_krb5 when dealing with affected variables. > > https://fedorahosted.org/freeipa/ticket/709 > > > > _______________________________________________ > Freeipa-devel mailing list > Freeipa-devel at redhat.com > https://www.redhat.com/mailman/listinfo/freeipa-devel Is there any chance that the pointer-to-a-pointer parameters will have valid values other than null passed in? Almost seems that by initializing them to null, you might be masking a memory leak. If not, then ACK -------------- next part -------------- An HTML attachment was scrubbed... URL: From ayoung at redhat.com Fri Jan 7 16:28:39 2011
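Review bot: In the dnszone_add hunk of patch 035 (ipalib/plugins/dns2.py, the lines added after the idnsallowdynupdate handling), `nameserver[-1]` raises IndexError when `idnssoamname` arrives as an empty string, and the and-or form `nameserver = nameserver[-1] == '.' and nameserver or nameserver + '.'` only reads like a ternary because the middle operand happens to be non-empty; replace it with a guard and a plain conditional, `if not nameserver.endswith('.'): nameserver += '.'`, and reject an empty name with a validation error before the value is copied into both `nsrecord` and `idnssoamname`. The hunk also stores the name without checking that it is a resolvable host name, while the test recipe in this thread says an A or AAAA record must already exist; either validate that here or state it in the option help.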
From: ayoung at redhat.com (Adam Young) Date: Fri, 07 Jan 2011 11:28:39 -0500 Subject: [Freeipa-devel] [PATCH] 035 Fixes for the DNS plugin In-Reply-To: <20110107155805.GB16406@zeppelin.brq.redhat.com> References: <20110107155449.GA16406@zeppelin.brq.redhat.com> <20110107155805.GB16406@zeppelin.brq.redhat.com> Message-ID: <4D273F37.9080706@redhat.com> I'm Not a pythonista. What is this line doing? On 01/07/2011 10:58 AM, Jakub Hrozek wrote: > + nameserver = nameserver[-1] == '.' and nameserver or nameserver + '.' From jhrozek at redhat.com Fri Jan 7 16:59:19 2011 From: jhrozek at redhat.com (Jakub Hrozek) Date: Fri, 07 Jan 2011 17:59:19 +0100 Subject: [Freeipa-devel] [PATCH] 035 Fixes for the DNS plugin In-Reply-To: <4D273F37.9080706@redhat.com> References: <20110107155449.GA16406@zeppelin.brq.redhat.com> <20110107155805.GB16406@zeppelin.brq.redhat.com> <4D273F37.9080706@redhat.com> Message-ID: <4D274667.10808@redhat.com> On 01/07/2011 05:28 PM, Adam Young wrote: > I'm Not a pythonista. What is this line doing? > > > On 01/07/2011 10:58 AM, Jakub Hrozek wrote: >> + nameserver = nameserver[-1] == '.' and nameserver or nameserver + '.' > This construct is called the 'and-or trick' and somewhat resembles ternary operator (which was added to python in 2.7 IIRC, so I'm not sure if it's old enough to use) from C and other languages. See http://diveintopython.org/power_of_introspection/and_or.html#d0e9975 for details. But yeah, a simple if would be more readable. A new patch is attached, thanks for bringing it up. -------------- next part -------------- A non-text attachment was scrubbed... Name: jhrozek-freeipa-035-02-dnszone-fix.patch Type: text/x-patch Size: 1500 bytes Desc: not available URL: From ayoung at redhat.com Fri Jan 7 17:05:22 2011 
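As an added example (not code from patch 035 or from FreeIPA), the Python below shows why the and-or form discussed above is fragile, what the plain `if` replacement looks like, and a host-name syntax check that a zone command could apply before the value is written into the SOA MNAME and NS record. The function names and the label rules (RFC 1123 host-name labels) are this example's own assumptions, not FreeIPA's. Note that the `x if c else y` conditional expression has been available since Python 2.5 (PEP 308).

```python
import re

# RFC 1123 host-name label: 1-63 letters, digits or hyphens, no leading or
# trailing hyphen.  This rule is an assumption of the example, not taken
# from the FreeIPA code base.
_LABEL = re.compile(r'^[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?$')


def fqdn_andor(nameserver):
    """The and-or form from the first version of the patch.

    `A and B or C` only behaves like `A ? B : C` when B is truthy.  B is the
    name itself here, so the trick works for any non-empty string, but the
    subscript `nameserver[-1]` raises IndexError on '' before it even runs.
    """
    return nameserver[-1] == '.' and nameserver or nameserver + '.'


def andor_with_falsy_middle(flag):
    """The classic and-or failure: the middle operand is falsy ('' here), so
    the expression yields the third operand even when `flag` is true."""
    return flag and '' or 'fallback'


def fqdn(nameserver):
    """Readable replacement: validate, then make the name absolute.

    Returns the name with exactly one trailing dot.  Raises ValueError for
    anything that is not a syntactically valid host name, so a bad value is
    rejected before it lands in the zone's SOA MNAME and NS record.
    """
    if not isinstance(nameserver, str):
        raise ValueError('name server must be a string')
    name = nameserver.strip()
    if name.endswith('.'):
        name = name[:-1]            # strip one trailing dot, not several
    if not name or len(name) > 253:
        raise ValueError('name server must be a non-empty host name')
    for label in name.split('.'):
        if not _LABEL.match(label):
            raise ValueError('invalid DNS label %r in %r' % (label, nameserver))
    return name + '.'


def raises(func, value, exc):
    """True if func(value) raises exc; used to show the failure modes."""
    try:
        func(value)
    except exc:
        return True
    return False


if __name__ == '__main__':
    for candidate in ('ns.example.com', 'ns.example.com.', '', 'ns..example.com'):
        print(repr(candidate), '->', fqdn(candidate) if not raises(fqdn, candidate, ValueError) else 'rejected')
```

The check is deliberately syntactic only; whether the name server actually has an A or AAAA record is a separate lookup that belongs in the command, as the test recipe earlier in the thread notes.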
From: ayoung at redhat.com (Adam Young) Date: Fri, 07 Jan 2011 12:05:22 -0500 Subject: [Freeipa-devel] [PATCH] 035 Fixes for the DNS plugin In-Reply-To: <4D274667.10808@redhat.com> References: <20110107155449.GA16406@zeppelin.brq.redhat.com> <20110107155805.GB16406@zeppelin.brq.redhat.com> <4D273F37.9080706@redhat.com> <4D274667.10808@redhat.com> Message-ID: <4D2747D2.4020709@redhat.com> On 01/07/2011 11:59 AM, Jakub Hrozek wrote: > On 01/07/2011 05:28 PM, Adam Young wrote: >> I'm Not a pythonista. What is this line doing? >> >> >> On 01/07/2011 10:58 AM, Jakub Hrozek wrote: >>> + nameserver = nameserver[-1] == '.' and nameserver or nameserver + '.' >> > > This construct is called the 'and-or trick' and somewhat resembles > ternary operator (which was added to python in 2.7 IIRC, so I'm not > sure if it's old enough to use) from C and other languages. See > http://diveintopython.org/power_of_introspection/and_or.html#d0e9975 > for details. > > But yeah, a simple if would be more readable. A new patch is attached, > thanks for bringing it up. > > > _______________________________________________ > Freeipa-devel mailing list > Freeipa-devel at redhat.com > https://www.redhat.com/mailman/listinfo/freeipa-devel ACK -------------- next part -------------- An HTML attachment was scrubbed... URL: From jzeleny at redhat.com Fri Jan 7 17:05:18 2011 
From: jzeleny at redhat.com (Jan Zelený) Date: Fri, 7 Jan 2011 18:05:18 +0100 Subject: [Freeipa-devel] [PATCH] Changed dns permission types Message-ID: <201101071805.18499.jzeleny@redhat.com> Recent change of DNS module to version caused that dns object type was replaced by dnszone and dnsrecord. This patch corrects dns types in permissions class. https://fedorahosted.org/freeipa/ticket/646 -- Thank you Jan Zeleny Red Hat Software Engineer Brno, Czech Republic -------------- next part -------------- A non-text attachment was scrubbed... Name: jzeleny-freeipa-0021-Changed-dns-permission-types.patch Type: text/x-patch Size: 1231 bytes Desc: not available URL: From ayoung at redhat.com Fri Jan 7 17:09:10 2011 From: ayoung at redhat.com (Adam Young) Date: Fri, 07 Jan 2011 12:09:10 -0500 Subject: [Freeipa-devel] [PATCH] Changed dns permission types In-Reply-To: <201101071805.18499.jzeleny@redhat.com> References: <201101071805.18499.jzeleny@redhat.com> Message-ID: <4D2748B6.90708@redhat.com> On 01/07/2011 12:05 PM, Jan Zelený wrote: > Recent change of DNS module to version caused that dns object type > was replaced by dnszone and dnsrecord. This patch corrects dns types > in permissions class. > > https://fedorahosted.org/freeipa/ticket/646 > > > > _______________________________________________ > Freeipa-devel mailing list > Freeipa-devel at redhat.com > https://www.redhat.com/mailman/listinfo/freeipa-devel ACK -------------- next part -------------- An HTML attachment was scrubbed... URL: From rcritten at redhat.com Fri Jan 7 17:53:33 2011
From: rcritten at redhat.com (Rob Crittenden) Date: Fri, 07 Jan 2011 12:53:33 -0500 Subject: [Freeipa-devel] [PATCH] 667 display failures when deleting with --continue Message-ID: <4D27531D.1030605@redhat.com> If you deleted a bunch of entries with --continue and some would fail you would get no notification of the ones that did. I had to change the return type of the baseldap LDAPDelete function to return a dict instead of a boolean. So now it returns a string of the failures. I also added a new Parameter flag, suppress_empty. If this is set then empty values won't be displayed. This is so if you delete a bunch with --continue and none fail you won't get a label with no values. ticket 687 rob -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-rcrit-667-delete.patch Type: text/x-patch Size: 24055 bytes Desc: not available URL: From ayoung at redhat.com Fri Jan 7 18:05:33 2011 From: ayoung at redhat.com (Adam Young) Date: Fri, 07 Jan 2011 13:05:33 -0500 Subject: [Freeipa-devel] admiyo-0135-fix-entity-unit-tests Message-ID: <4D2755ED.6000605@redhat.com> Minor unit test breakage due to a change in the action panel. -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-admiyo-0135-fix-entity-unit-tests.patch Type: text/x-patch Size: 1326 bytes Desc: not available URL: From ayoung at redhat.com Fri Jan 7 19:43:14 2011 From: ayoung at redhat.com (Adam Young) Date: Fri, 07 Jan 2011 14:43:14 -0500 Subject: [Freeipa-devel] [PATCH] admiyo-0136-remove-permissions-checkbox Message-ID: <4D276CD2.2090309@redhat.com> https://fedorahosted.org/freeipa/ticket/679 -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-admiyo-0136-remove-permissions-checkbox.patch Type: text/x-patch Size: 1400 bytes Desc: not available URL: From rcritten at redhat.com Fri Jan 7 19:49:24 2011 
From: rcritten at redhat.com (Rob Crittenden) Date: Fri, 07 Jan 2011 14:49:24 -0500 Subject: [Freeipa-devel] [PATCH] 665 simple build instructions In-Reply-To: <201101060954.48588.jzeleny@redhat.com> References: <4D24CF0E.9010201@redhat.com> <201101060954.48588.jzeleny@redhat.com> Message-ID: <4D276E44.7040207@redhat.com> Jan Zelený wrote: > Nack: > > I think using rpm -Uvh dist/rpms/* is not a good option. Using yum --nogpgcheck localinstall dist/rpms/* is much better, because it also installs > runtime dependencies, which might not be included by previous installation of > build dependencies. > > One suggestion: I'd recommend users installation with --selfsign option. > Installation without it takes much longer and (currently) it often ends with > an error. > > You have a typo on line 64: > develping -> developing > Updated patch attached rob -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-rcrit-665-2-build.patch Type: text/x-patch Size: 3214 bytes Desc: not available URL: From rcritten at redhat.com Fri Jan 7 19:57:48 2011 From: rcritten at redhat.com (Rob Crittenden) Date: Fri, 07 Jan 2011 14:57:48 -0500 Subject: [Freeipa-devel] [PATCH] Fix 'ipa help permissions'; add 'dns' in allowed types. In-Reply-To: <4D1FDCBF.20003@redhat.com> References: <4D1C5107.7050404@redhat.com> <4D1FDCBF.20003@redhat.com> Message-ID: <4D27703C.8070906@redhat.com> Adam Young wrote: > On 12/30/2010 04:29 AM, Pavel Zůna wrote: >> >> Pavel >> >> >> _______________________________________________ >> Freeipa-devel mailing list >> Freeipa-devel at redhat.com >> https://www.redhat.com/mailman/listinfo/freeipa-devel > ACK pushed to master From rcritten at redhat.com Fri Jan 7 19:59:58 2011
From: rcritten at redhat.com (Rob Crittenden) Date: Fri, 07 Jan 2011 14:59:58 -0500 Subject: [Freeipa-devel] [PATCH] Enable custom list of attributes to retrieve effective rights. In-Reply-To: <4D1C502A.8050409@redhat.com> References: <4D1C502A.8050409@redhat.com> Message-ID: <4D2770BE.3010509@redhat.com> Pavel Zůna wrote: > LDAPObject sub-classes can define a custom list of attributes for > effective rights retrieval. > > Fix #677 > > Pavel > Nack. --rights should only return data when --all is also included. Otherwise it looks ok. rob From rcritten at redhat.com Fri Jan 7 23:11:39 2011 From: rcritten at redhat.com (Rob Crittenden) Date: Fri, 07 Jan 2011 18:11:39 -0500 Subject: [Freeipa-devel] [PATCH] fix installer issue Message-ID: <4D279DAB.40201@redhat.com> The installation was failing during the KDC install with an error about being unable to connect to the LDAP server. I tracked this down to using SSL but I haven't yet figured out why (or where) it is breaking. I pushed this under the 1-liner rule. rob -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-rcrit-668-install.patch Type: text/x-patch Size: 1092 bytes Desc: not available URL: From JR.Aquino at citrix.com Fri Jan 7 23:34:58 2011
From: JR.Aquino at citrix.com (JR Aquino) Date: Fri, 7 Jan 2011 23:34:58 +0000 Subject: [Freeipa-devel] [PATCH] Fix SudoRule RunAs users/groups Message-ID: Attached is the patch to fix the following: (Per ticket 570: https://fedorahosted.org/freeipa/ticket/570 Issue #5) * Runas users to support groups * Runas users to support external users * runasgroup to support external groups * compat fix to account for the runas users to support %groups * xml_rpc Tests to verify these are in working order (Further discussion needs to confirm that we cannot completely support runas by numerical uid/gid at this point. The Sudo Spec needs to be updated to reflect that) Please review and push. -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-jraquino-0013-fix-sudorule-runas-user-groups.patch Type: application/octet-stream Size: 11609 bytes Desc: freeipa-jraquino-0013-fix-sudorule-runas-user-groups.patch URL: From edewata at redhat.com Sat Jan 8 04:48:23 2011 From: edewata at redhat.com (Endi Sukma Dewata) Date: Sat, 08 Jan 2011 11:48:23 +0700 Subject: [Freeipa-devel] [PATCH] admiyo-0134-Validate-add-dialog-text-fields In-Reply-To: <4D273C2A.9020805@redhat.com> References: <4D273C2A.9020805@redhat.com> Message-ID: <4D27EC97.50907@redhat.com> On 1/7/2011 11:15 PM, Adam Young wrote: > While this does not solve https://fedorahosted.org/freeipa/ticket/470, > it is a necessary precursor. ACK and pushed to master. -- Endi S. Dewata From edewata at redhat.com Sat Jan 8 04:55:33 2011 From: edewata at redhat.com (Endi Sukma Dewata) Date: Sat, 08 Jan 2011 11:55:33 +0700 Subject: [Freeipa-devel] admiyo-0135-fix-entity-unit-tests In-Reply-To: <4D2755ED.6000605@redhat.com> References: <4D2755ED.6000605@redhat.com> Message-ID: <4D27EE45.6010603@redhat.com> On 1/8/2011 1:05 AM, Adam Young wrote: > Minor unit test breakage due to a change in the action panel. ACK and pushed to master. -- Endi S. Dewata From edewata at redhat.com Sat Jan 8 04:56:22 2011 
From: edewata at redhat.com (Endi Sukma Dewata) Date: Sat, 08 Jan 2011 11:56:22 +0700 Subject: [Freeipa-devel] [PATCH] admiyo-0136-remove-permissions-checkbox In-Reply-To: <4D276CD2.2090309@redhat.com> References: <4D276CD2.2090309@redhat.com> Message-ID: <4D27EE76.4050401@redhat.com> On 1/8/2011 2:43 AM, Adam Young wrote: > https://fedorahosted.org/freeipa/ticket/679 ACK and pushed to master. -- Endi S. Dewata From ayoung at redhat.com Sat Jan 8 20:27:42 2011 From: ayoung at redhat.com (Adam Young) Date: Sat, 08 Jan 2011 15:27:42 -0500 Subject: [Freeipa-devel] [PATCH] admiyo-0137-action-panel-adjustments Message-ID: <4D28C8BE.10806@redhat.com> -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-admiyo-0137-action-panel-adjustments.patch Type: text/x-patch Size: 1379 bytes Desc: not available URL: From ayoung at redhat.com Sat Jan 8 20:28:14 2011 From: ayoung at redhat.com (Adam Young) Date: Sat, 08 Jan 2011 15:28:14 -0500 Subject: [Freeipa-devel] [PATCH] admiyo-0138-center-page Message-ID: <4D28C8DE.2020701@redhat.com> -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-admiyo-0138-center-page.patch Type: text/x-patch Size: 5398 bytes Desc: not available URL: From jzeleny at redhat.com Mon Jan 10 07:28:54 2011 
From: jzeleny at redhat.com (Jan Zelený) Date: Mon, 10 Jan 2011 08:28:54 +0100 Subject: [Freeipa-devel] [PATCH] 665 simple build instructions In-Reply-To: <4D276E44.7040207@redhat.com> References: <4D24CF0E.9010201@redhat.com> <201101060954.48588.jzeleny@redhat.com> <4D276E44.7040207@redhat.com> Message-ID: <201101100828.54170.jzeleny@redhat.com> Rob Crittenden wrote: > Jan Zelený wrote: > > Nack: > > > > I think using rpm -Uvh dist/rpms/* is not a good option. Using yum --nogpgcheck localinstall dist/rpms/* is much better, because it also > > installs runtime dependencies, which might not be included by previous > > installation of build dependencies. > > > > One suggestion: I'd recommend users installation with --selfsign option. > > Installation without it takes much longer and (currently) it often ends > > with an error. > > > > You have a typo on line 64: > > develping -> developing > > Updated patch attached > > rob Ack Jan From mkosek at redhat.com Mon Jan 10 08:40:26 2011
From: mkosek at redhat.com (Martin Kosek) Date: Mon, 10 Jan 2011 09:40:26 +0100 Subject: [Freeipa-devel] [PATCH] Use of pointer after free in ipa-join In-Reply-To: <4D273EC7.1030505@redhat.com> References: <1294410107.2970.4.camel@dhcp-25-52.brq.redhat.com> <4D273EC7.1030505@redhat.com> Message-ID: <1294648826.5765.11.camel@dhcp-25-52.brq.redhat.com> On Fri, 2011-01-07 at 11:26 -0500, Adam Young wrote: > Is there any chance that the pointer-to-a-pointer parameters will have > valid values other than null passed in? Almost seems that by > initializing them to null, you might be masking a memory leak. > > If not, then ACK Hello Adam, it is safe as these pointers are initialized to NULL in function join(...) and then passed without any change to functions join_ldap() or join_krb5(). If these pointers did hold some allocated memory we would have had a leak anyway - xmlrpc_read_string() function overwrites the pointers with own allocated memory holding the desired output. Martin From mkosek at redhat.com Mon Jan 10 09:54:26 2011 From: mkosek at redhat.com (Martin Kosek) Date: Mon, 10 Jan 2011 10:54:26 +0100 Subject: [Freeipa-devel] [PATCH] Uninitialized pointer read in ipa-rmkeytab Message-ID: <1294653266.5765.14.camel@dhcp-25-52.brq.redhat.com> Fix "--realm" parameter processing in ipa-rmkeytab. Also make sure that memory allocated in this process is freed. https://fedorahosted.org/freeipa/ticket/711 -------------- next part -------------- A non-text attachment was scrubbed... Name: mkosek-freeipa-003-uninitialized-pointer-read-in-ipa-rmkeytab.patch Type: text/x-patch Size: 1751 bytes Desc: not available URL: From atkac at redhat.com Mon Jan 10 11:28:51 2011
From: atkac at redhat.com (Adam Tkac) Date: Mon, 10 Jan 2011 12:28:51 +0100 Subject: [Freeipa-devel] [PATCH] bind-dyndb-ldap: New idnsAllowQuery and idnsAllowTransfer zone attributes Message-ID: <20110110112851.GA4877@evileye.atkac.brq.redhat.com> Hello, the attached patch adds new attributes, idnsAllowQuery and idnsAllowTransfer, for the idnsZone. With those attributes it is now possible to set ACLs for the zone directly in LDAP. Example of ACL setting: idnsAllowQuery: 127.0.0.1 idnsAllowQuery: ::1 idnsAllowQuery: 192.168.1.0/24 With this setting clients with 127.0.0.1 and ::1 IP addresses and clients from 192.168.1.0/24 network are allowed to obtain resource records from the zone. Comments are welcomed. Regards, Adam -- Adam Tkac, Red Hat, Inc. -------------- next part -------------- >From bd14752e94a8d72d1c4d57167b3ad8e4be1e6e00 Mon Sep 17 00:00:00 2001 From: Adam Tkac Date: Mon, 10 Jan 2011 12:22:48 +0100 Subject: [PATCH] Add new idnsAllowQuery and idnsAllowTransfer zone attributes. The new attributes allows to set query and transfer ACLs for the zone. Signed-off-by: Adam Tkac --- README | 28 ++++++++++++ doc/schema | 14 ++++++- src/acl.c | 123 +++++++++++++++++++++++++++++++++++++++++++++++++++++ src/acl.h | 17 +++++++ src/ldap_helper.c | 40 ++++++++++++----- src/ldap_helper.h | 9 ++++ 6 files changed, 218 insertions(+), 13 deletions(-) diff --git a/README b/README index 5c80344..66d198f 100644 --- a/README +++ b/README 
@@ -46,6 +46,34 @@ This will install the file ldap.so into the /bind/ directory. You can find the complete LDAP schema in the documentation directory. An example zone ldif is available in the doc directory. +4.1 Zone (idnsZone) attributes +------------------------------ + +* idnsAllowQuery + Specifies BIND9 zone ACL element. This attribute can be set multiple + times and are merged together to the one ACL. + + Example: + idnsAllowQuery: 127.0.0.1 + idnsAllowQuery: ::1 + idnsAllowQuery: 192.168.1.0/24 + + In the example above clients with 127.0.0.1 and ::1 IP addresses and + clients from the 192.168.1.0/24 network are allowed to obtain records + from the zone. + + You can specify IPv4/IPv6 address, IPv4/IPv6 network address in CIDR + format and "any" or "none" keywords. The "!" prefix (for example + !192.168.1.0/24) means negation of the ACL element. + + If not set then zone inherits global allow-query from named.conf. + +* idnsAllowTransfer + Uses same format as idnsAllowQuery. Allows zone transfers for matching + clients. + + If not set then zone inherits global allow-transfer from named.conf. + 5. Configuration ================ diff --git a/doc/schema b/doc/schema index a5dacb4..b959f76 100644 --- a/doc/schema +++ b/doc/schema @@ -231,6 +231,18 @@ attributetype ( 2.16.840.1.113730.3.8.5.10 SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE ) +attributetype ( 2.16.840.1.113730.3.8.5.11 + NAME 'idnsAllowQuery' + DESC 'BIND9 allow-query ACL element' + EQUALITY caseIgnoreIA5Match + SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 ) + +attributetype ( 2.16.840.1.113730.3.8.5.12 + NAME 'idnsAllowTransfer' + DESC 'BIND9 allow-transfer ACL element' + EQUALITY caseIgnoreIA5Match + SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 ) + objectclass ( 2.16.840.1.113730.3.8.6.0 NAME 'idnsRecord' DESC 'dns Record, usually a host' 
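Review bot: The README hunk says multiple idnsAllowQuery values "are merged together to the one ACL" but does not say how overlapping or contradictory elements resolve, and LDAP does not preserve the order of the values of a multi-valued attribute, so an entry carrying both `idnsAllowQuery: 192.168.1.0/24` and `idnsAllowQuery: !192.168.1.0/24` has no defined outcome; document the resolution rule the plugin actually relies on (which element wins when two prefixes of the same length disagree, and whether a more specific negated prefix overrides a wider positive one) and advise administrators to avoid same-prefix contradictions. The section should also state what happens when a value fails to parse, because an administrator editing an access-control attribute will assume a typo fails closed rather than leaving the zone on the named.conf default.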
@@ -254,4 +266,4 @@ objectclass ( 2.16.840.1.113730.3.8.6.1 idnsSOAserial $ idnsSOArefresh $ idnsSOAretry $ idnsSOAexpire $ idnsSOAminimum ) - MAY idnsUpdatePolicy ) + MAY ( idnsUpdatePolicy $ idnsAllowQuery $ idnsAllowTransfer ) ) diff --git a/src/acl.c b/src/acl.c index ccd9ff4..07286f3 100644 --- a/src/acl.c +++ b/src/acl.c @@ -59,6 +59,7 @@ #include #include +#include "acl.h" #include "str.h" #include "util.h" #include "log.h" 
@@ -393,3 +394,125 @@ acl_configure_zone_ssutable(const char *policy_str, dns_zone_t *zone) return result; } + +static isc_result_t +inaddr_fromtext(const char *addr, struct in_addr *in) +{ + if (inet_pton(AF_INET, addr, in) == 1) + return ISC_R_SUCCESS; + + return ISC_R_FAILURE; +} + +static isc_result_t +in6addr_fromtext(const char *addr, struct in6_addr *in6) +{ + if (inet_pton(AF_INET6, addr, in6) == 1) + return ISC_R_SUCCESS; + + return ISC_R_FAILURE; +} + +isc_result_t +acl_from_ldap(isc_mem_t *mctx, const ldap_value_list_t *vals, dns_acl_t **aclp) +{ + dns_acl_t *acl = NULL; + ldap_value_t *val; + int count = 0; + isc_result_t result = ISC_R_FAILURE; + + /* *aclp != NULL means nested ACL which is not allowed */ + REQUIRE(aclp != NULL && *aclp == NULL); + + CHECK(dns_acl_create(mctx, count, &acl)); + + /* Process ACL elements */ + for (val = HEAD(*vals); val != NULL; val = NEXT(val, link)) { + char *addr = val->value; + char *prefix; + isc_boolean_t neg = ISC_FALSE; + unsigned int bitlen; + struct in_addr in; + struct in6_addr in6; + isc_netaddr_t na; + + if (*addr == '!') { + neg = ISC_TRUE; + addr++; + acl->has_negatives = ISC_TRUE; + } + + if ((prefix = strchr(addr, '/')) != NULL) { + /* Net prefix */ + char *err; + + *prefix = '\0'; + prefix++; + + bitlen = strtol(prefix, &err, 10); + if (*err != '\0') { + log_error("Invalid network prefix"); + result = ISC_R_FAILURE; + goto cleanup; + } + + /* Convert IPv4/IPv6 address and add it to iptable */ + if (inaddr_fromtext(addr, &in) == ISC_R_SUCCESS) { + if (bitlen > 32) { + log_error("Too long network prefix"); + result = ISC_R_FAILURE; + goto cleanup; + } + isc_netaddr_fromin(&na, &in); + } else if (in6addr_fromtext(addr, &in6) == ISC_R_SUCCESS) { + if (bitlen > 128) { + log_error("Too long network prefix"); + result = ISC_R_FAILURE; + goto cleanup; + } + isc_netaddr_fromin6(&na, &in6); + } else { + log_error("Invalid network address"); + result = ISC_R_FAILURE; + goto cleanup; + } + + 
CHECK(dns_iptable_addprefix(acl->iptable, &na, bitlen, + !neg)); + } else { + /* It is IP address or "none" or "any" or invalid value */ + if (inaddr_fromtext(addr, &in) == ISC_R_SUCCESS) { + isc_netaddr_fromin(&na, &in); + bitlen = 32; + CHECK(dns_iptable_addprefix(acl->iptable, &na, bitlen, + !neg)); + } else if (in6addr_fromtext(addr, &in6) == ISC_R_SUCCESS) { + isc_netaddr_fromin6(&na, &in6); + bitlen = 128; + CHECK(dns_iptable_addprefix(acl->iptable, &na, bitlen, + !neg)); + } else if (strcasecmp(addr, "none") == 0) { + CHECK(dns_iptable_addprefix(acl->iptable, NULL, 0, + neg)); + } else if (strcasecmp(addr, "any") == 0) { + CHECK(dns_iptable_addprefix(acl->iptable, NULL, 0, + !neg)); + } else { + log_error("Invalid ACL element: %s", val->value); + result = ISC_R_FAILURE; + goto cleanup; + } + } + } + + *aclp = acl; + + return ISC_R_SUCCESS; + +cleanup: + if (acl != NULL) + dns_acl_detach(&acl); + + return result; +} + diff --git a/src/acl.h b/src/acl.h index 6298703..9933ac3 100644 --- a/src/acl.h +++ b/src/acl.h @@ -21,7 +21,24 @@ #ifndef _LD_ACL_H_ #define _LD_ACL_H_ +#include "ldap_helper.h" + +#include + isc_result_t acl_configure_zone_ssutable(const char *policy_str, dns_zone_t *zone); +isc_result_t +acl_from_ldap(isc_mem_t *mctx, const ldap_value_list_t *vals, dns_acl_t **aclp); +/* + * Converts multiple ACL elements to the zone ACL. + * + * Allowed elements are: + * + * IPv4/IPv6 net prefix - 192.168.1.0/24 + * IPv4/IPv6 address - 192.168.1.1 + * any and none keywords + * "!" prefix means negation + */ + #endif /* !_LD_ACL_H_ */ diff --git a/src/ldap_helper.c b/src/ldap_helper.c index 9659b9d..f83cc30 100644 --- a/src/ldap_helper.c +++ b/src/ldap_helper.c 
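Review bot: In acl_from_ldap, the prefix-length check `if (*err != '\0')` after `strtol` accepts an empty prefix: a value such as `192.168.1.0/` makes strtol return 0 with `err` pointing at the terminator, so the element silently becomes a /0 and matches every client, which for idnsAllowTransfer means the whole zone is transferable to anyone. Also reject `err == prefix` (nothing consumed), and since strtol skips leading whitespace and accepts a sign, require a plain run of digits. `bitlen` is `unsigned int` but receives a `long`, so a negative prefix wraps to a large value; the `> 32` and `> 128` comparisons happen to catch it, but parsing into a `long` and range-checking there is clearer. The two single-address branches duplicate the prefix branch; setting `bitlen` to 32 or 128 and falling through to the shared `dns_iptable_addprefix(acl->iptable, &na, bitlen, !neg)` call would halve the code. In the acl.h hunk the descriptive comment for acl_from_ldap sits after the prototype it describes; move it above.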
@@ -82,10 +82,8 @@ typedef struct ldap_connection ldap_connection_t; typedef struct ldap_auth_pair ldap_auth_pair_t; typedef struct settings settings_t; -typedef struct ldap_value ldap_value_t; typedef struct ldap_attribute ldap_attribute_t; typedef struct ldap_entry ldap_entry_t; -typedef LIST(ldap_value_t) ldap_value_list_t; typedef LIST(ldap_attribute_t) ldap_attribute_list_t; typedef LIST(ldap_entry_t) ldap_entry_list_t; @@ -187,11 +185,6 @@ struct ldap_attribute { LINK(ldap_attribute_t) link; }; -struct ldap_value { - char *value; - LINK(ldap_value_t) link; -}; - /* * Constants. */ @@ -603,8 +596,9 @@ cleanup: return result; } +/* In BIND9 terminology "ssu" means "Simple Secure Update" */ static isc_result_t -modify_zone(dns_zone_t *zone, const char *update_str) +configure_zone_ssutable(dns_zone_t *zone, const char *update_str) { REQUIRE(zone != NULL); @@ -644,7 +638,8 @@ refresh_zones_from_ldap(ldap_instance_t *ldap_inst, isc_boolean_t create) int zone_count = 0; ldap_entry_t *entry; char *attrs[] = { - "idnsName", "idnsUpdatePolicy", NULL + "idnsName", "idnsUpdatePolicy", "idnsAllowQuery", + "idnsAllowTransfer", NULL }; REQUIRE(ldap_inst != NULL); 
@@ -686,13 +681,34 @@ refresh_zones_from_ldap(ldap_instance_t *ldap_inst, isc_boolean_t create) &name, &zone)); } - log_debug(2, "modifying zone %p: %s", zone, dn); + log_debug(2, "Setting SSU table for %p: %s", zone, dn); /* Get the update policy and update the zone with it. */ result = get_values(entry, "idnsUpdatePolicy", &values); if (result == ISC_R_SUCCESS) - CHECK_NEXT(modify_zone(zone, HEAD(values)->value)); + CHECK_NEXT(configure_zone_ssutable(zone, HEAD(values)->value)); else - CHECK_NEXT(modify_zone(zone, NULL)); + CHECK_NEXT(configure_zone_ssutable(zone, NULL)); + + /* Fetch allow-query and allow-transfer ACLs */ + log_debug(2, "Setting allow-query for %p: %s", zone, dn); + result = get_values(entry, "idnsAllowQuery", &values); + if (result == ISC_R_SUCCESS) { + dns_acl_t *queryacl = NULL; + CHECK_NEXT(acl_from_ldap(ldap_inst->mctx, &values, &queryacl)); + dns_zone_setqueryacl(zone, queryacl); + dns_acl_detach(&queryacl); + } else + log_debug(2, "allow-query not set"); + + log_debug(2, "Setting allow-transfer for %p: %s", zone, dn); + result = get_values(entry, "idnsAllowTransfer", &values); + if (result == ISC_R_SUCCESS) { + dns_acl_t *transferacl = NULL; + CHECK_NEXT(acl_from_ldap(ldap_inst->mctx, &values, &transferacl)); + dns_zone_setxfracl(zone, transferacl); + dns_acl_detach(&transferacl); + } else + log_debug(2, "allow-transfer not set"); zone_count++; next: diff --git a/src/ldap_helper.h b/src/ldap_helper.h index 7070556..594af43 100644 --- a/src/ldap_helper.h +++ b/src/ldap_helper.h 
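Review bot: In the refresh_zones_from_ldap hunk a parse failure in acl_from_ldap goes through CHECK_NEXT to `next:`, so a zone whose idnsAllowTransfer value is malformed (a typo or an unsupported element) is still loaded and keeps whatever transfer ACL it had, which on first load is the global allow-transfer from named.conf; for an access-control attribute the safer behaviour is to fail closed, for example by installing a "none" ACL and logging an error at a level that is not debug-only. Likewise, when the attribute is absent the code only logs "allow-query not set" and leaves an existing zone's ACL untouched, so removing idnsAllowQuery or idnsAllowTransfer from LDAP does not revert the zone to the named.conf default on the next refresh; call dns_zone_clearqueryacl() and dns_zone_clearxfracl() in the respective else branches.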
@@ -22,10 +22,19 @@ #ifndef _LD_LDAP_HELPER_H_ #define _LD_LDAP_HELPER_H_ +#include "ldap_helper.h" + #include typedef struct ldap_instance ldap_instance_t; +typedef struct ldap_value ldap_value_t; +typedef LIST(ldap_value_t) ldap_value_list_t; +struct ldap_value { + char *value; + LINK(ldap_value_t) link; +}; + /* * some nice words about ldapdb_rdatalist_t: * - it is list of all RRs which have same owner name -- 1.7.3.4 From jhrozek at redhat.com Mon Jan 10 12:04:39 2011 
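Review bot: In the refresh_zones_from_ldap hunk (@@ -686,13 +681,34), the two else branches only log "allow-query not set" / "allow-transfer not set" and leave whatever ACL the zone already carries, so on a later refresh an idnsAllowQuery or idnsAllowTransfer value that an administrator has since deleted from LDAP stays in force on the running zone instead of reverting to the default; reset the ACL in the else branch (dns_zone_clearqueryacl / dns_zone_clearxfracl) so that LDAP is authoritative in both directions. Also, when acl_from_ldap fails, CHECK_NEXT abandons the zone and, unless CHECK_NEXT itself logs at error level, the only trace is the preceding log_debug(2, ...); a transfer ACL that failed to parse is a security-relevant misconfiguration and deserves a log_error naming the dn.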
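Review bot: The ldap_helper.h hunk (@@ -22,10 +22,19) adds `#include "ldap_helper.h"` to ldap_helper.h itself; the include guard makes the self-include harmless, but it is clearly not what was intended and should be dropped (if it was meant to pull in the header that defines the LIST/LINK macros now used by the moved ldap_value_t definition, include that header instead).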
From: jhrozek at redhat.com (Jakub Hrozek)
Date: Mon, 10 Jan 2011 13:04:39 +0100
Subject: [Freeipa-devel] [PATCH] Use of pointer after free in ipa-join
In-Reply-To: <1294648826.5765.11.camel@dhcp-25-52.brq.redhat.com>
References: <1294410107.2970.4.camel@dhcp-25-52.brq.redhat.com> <4D273EC7.1030505@redhat.com> <1294648826.5765.11.camel@dhcp-25-52.brq.redhat.com>
Message-ID: <4D2AF5D7.1040405@redhat.com>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 01/10/2011 09:40 AM, Martin Kosek wrote:
> On Fri, 2011-01-07 at 11:26 -0500, Adam Young wrote:
>> Is there any chance that the pointer-to-a-pointer parameters will have
>> valid values other than null passed in? Almost seems that by
>> initializing them to null, you might be masking a memory leak.
>>
>> If not, then ACK
>
> Hello Adam,
>
> it is safe as these pointers are initialized to NULL in function
> join(...) and then passed without any change to functions join_ldap() or
> join_krb5().
>
> If these pointers did hold some allocated memory we would have had a
> leak anyway - xmlrpc_read_string() function overwrites the pointers with
> own allocated memory holding the desired output.
>
> Martin
>

Nack,

if(ptr) free(ptr);

is redundant, freeing a NULL pointer is a no-op. Other than that, looks fine.

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (GNU/Linux)
Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org/

iEYEARECAAYFAk0q9dcACgkQHsardTLnvCWf4wCgxy9LKqZzwuUaXMOD1agggkLq
8MIAnAqTxX2CZhate0kp4HAcUOcNyQc6
=uBSK
-----END PGP SIGNATURE-----

From jzeleny at redhat.com Mon Jan 10 12:03:54 2011
From: jzeleny at redhat.com (Jan Zelený)
Date: Mon, 10 Jan 2011 13:03:54 +0100
Subject: [Freeipa-devel] [PATCH] 667 display failures when deleting with --continue
In-Reply-To: <4D27531D.1030605@redhat.com>
References: <4D27531D.1030605@redhat.com>
Message-ID: <201101101303.54253.jzeleny@redhat.com>

Rob Crittenden wrote:
> If you deleted a bunch of entries with --continue and some would fail
> you would get no notification of the ones that did.
>
> I had to change the return type of the baseldap LDAPDelete function to
> return a dict instead of a boolean. So now it returns a string of the
> failures.
>
> I also added a new Parameter flag, suppress_empty. If this is set then
> empty values won't be displayed. This is so if you delete a bunch with
> --continue and none fail you won't get a label with no values.
>
> ticket 687
>
> rob

Ack

Jan

From jhrozek at redhat.com Mon Jan 10 12:06:42 2011
From: jhrozek at redhat.com (Jakub Hrozek)
Date: Mon, 10 Jan 2011 13:06:42 +0100
Subject: [Freeipa-devel] [PATCH] Uninitialized pointer read in ipa-rmkeytab
In-Reply-To: <1294653266.5765.14.camel@dhcp-25-52.brq.redhat.com>
References: <1294653266.5765.14.camel@dhcp-25-52.brq.redhat.com>
Message-ID: <4D2AF652.3000509@redhat.com>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 01/10/2011 10:54 AM, Martin Kosek wrote:
> Fix "--realm" parameter processing in ipa-rmkeytab. Also make sure
> that memory allocated in this process is freed.
>
> https://fedorahosted.org/freeipa/ticket/711
>
>

Nack,

same comment as the previous patch, don't use if(ptr) free(ptr);

Also one very minor style issue - please use:

if(cond) {
    foo();
} else {
    bar();
}

rather than:

if (cond) {
    foo();
}
else {
    bar();
}

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (GNU/Linux)
Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org/

iEYEARECAAYFAk0q9lIACgkQHsardTLnvCUk6wCdFyjOz+fy0e7OPcQHdZQBu4xa
leoAoOSVMLJE9X6+TO2R9CN8iZaWqY+3
=Ni7/
-----END PGP SIGNATURE-----

From jhrozek at redhat.com Mon Jan 10 12:28:24 2011
From: jhrozek at redhat.com (Jakub Hrozek) Date: Mon, 10 Jan 2011 13:28:24 +0100 Subject: [Freeipa-devel] [PATCH] 658 don't allow attrs=None In-Reply-To: <4D1217A4.7070403@redhat.com> References: <4D1173B4.1000504@redhat.com> <4D1211BE.20401@redhat.com> <4D1217A4.7070403@redhat.com> Message-ID: <4D2AFB68.3020601@redhat.com> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 On 12/22/2010 04:22 PM, Rob Crittenden wrote: > Rob Crittenden wrote: >> Rob Crittenden wrote: >>> Setting an empty set of target attributes should raise an exception. >>> >>> It is possible to create an ACI with attributes and then try to set that >>> to None via a mod command later. We need to catch this and raise an >>> exception. >>> >>> ticket 647 >>> >>> rob >> >> I'm going to withdraw this patch to work on it some more. There needs to >> be some mechanism to completely remove attributes from an aci (in >> ipalib/aci.py). >> >> rob >> > > Updated patch attached. If None is set as the list of attributes then > the target is dropped. > > Note that no attributes is never legal for a delegation plugin. > > rob > Ack -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.11 (GNU/Linux) Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org/ iEYEARECAAYFAk0q+2gACgkQHsardTLnvCVwJgCdEnX4NPaPavTDM6a8iWRgSIeN RY8AniXvF6kGLJ7Rj8we4r9CUT8gECHO =Zvzt -----END PGP SIGNATURE----- From edewata at redhat.com Mon Jan 10 12:52:30 2011 From: edewata at redhat.com (Endi Sukma Dewata) Date: Mon, 10 Jan 2011 07:52:30 -0500 (EST) Subject: [Freeipa-devel] [PATCH] Fixed command category value. Message-ID: <1095133835.20905.1294663950401.JavaMail.root@zmail05.collab.prod.int.phx2.redhat.com> Pushed under one liner rule. diff --git a/install/static/sudorule.js b/install/static/sudorule.js index 23135c00b8dc2734db976cf06f7e5473aa38ea17..934131c1efc34819e546bffe3621cff60b93a d25 100755 --- a/install/static/sudorule.js +++ b/install/static/sudorule.js 
@@ -1063,7 +1063,7 @@ function ipa_sudorule_command_table_widget(spec) { var command; - if (that.category.save() == 'all') { + if (that.category.save() == 'allow') { command = ipa_command({ 'method': that.entity_name+'_mod', 'args': [pkey], -- Endi S. Dewata From edewata at redhat.com Mon Jan 10 13:02:42 2011 From: edewata at redhat.com (Endi Sukma Dewata) Date: Mon, 10 Jan 2011 20:02:42 +0700 Subject: [Freeipa-devel] [PATCH] admiyo-0137-action-panel-adjustments In-Reply-To: <4D28C8BE.10806@redhat.com> References: <4D28C8BE.10806@redhat.com> Message-ID: <4D2B0372.7000401@redhat.com> On 1/9/2011 3:27 AM, Adam Young wrote: > ACK and pushed. -- Endi S. Dewata From edewata at redhat.com Mon Jan 10 13:05:08 2011 From: edewata at redhat.com (Endi Sukma Dewata) Date: Mon, 10 Jan 2011 20:05:08 +0700 Subject: [Freeipa-devel] [PATCH] admiyo-0138-center-page In-Reply-To: <4D28C8DE.2020701@redhat.com> References: <4D28C8DE.2020701@redhat.com> Message-ID: <4D2B0404.4030401@redhat.com> On 1/9/2011 3:28 AM, Adam Young wrote: > This patch includes test.html and test.html~. Are they supposed to be included? Everything else is fine. -- Endi S. Dewata From mkosek at redhat.com Mon Jan 10 13:25:37 2011 
From: mkosek at redhat.com (Martin Kosek)
Date: Mon, 10 Jan 2011 14:25:37 +0100
Subject: [Freeipa-devel] [PATCH] Uninitialized pointer read in ipa-rmkeytab
In-Reply-To: <4D2AF652.3000509@redhat.com>
References: <1294653266.5765.14.camel@dhcp-25-52.brq.redhat.com> <4D2AF652.3000509@redhat.com>
Message-ID: <1294665937.5765.17.camel@dhcp-25-52.brq.redhat.com>

On Mon, 2011-01-10 at 13:06 +0100, Jakub Hrozek wrote:
> Nack,
>
> same comment as the previous patch, don't use if(ptr) free(ptr);
>
> Also one very minor style issue - please use:
>
> if(cond) {
>     foo();
> } else {
>     bar();
> }
>
> rather than:
>
> if (cond) {
>     foo();
> }
> else {
>     bar();
> }

Good point with the free method. Sending second patch with these issues
fixed.

Martin

-------------- next part --------------
A non-text attachment was scrubbed...
Name: mkosek-freeipa-003-02-uninitialized-pointer-read-in-ipa-rmkeytab.patch
Type: text/x-patch
Size: 1715 bytes
Desc: not available
URL: 

From jhrozek at redhat.com Mon Jan 10 13:32:35 2011
From: jhrozek at redhat.com (Jakub Hrozek)
Date: Mon, 10 Jan 2011 14:32:35 +0100
Subject: [Freeipa-devel] [PATCH] Uninitialized pointer read in ipa-rmkeytab
In-Reply-To: <1294665937.5765.17.camel@dhcp-25-52.brq.redhat.com>
References: <1294653266.5765.14.camel@dhcp-25-52.brq.redhat.com> <4D2AF652.3000509@redhat.com> <1294665937.5765.17.camel@dhcp-25-52.brq.redhat.com>
Message-ID: <4D2B0A73.6070802@redhat.com>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 01/10/2011 02:25 PM, Martin Kosek wrote:
> Good point with the free method. Sending second patch with these issues
> fixed.
>
> Martin

Ack

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (GNU/Linux)
Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org/

iEYEARECAAYFAk0rCnMACgkQHsardTLnvCXbjwCgnKfgxWQAA4ZmIWe7jgDwN1mY
8fgAn1t/H+NidqC4I7lCaOJqCjrCPTUt
=4hRA
-----END PGP SIGNATURE-----

From ayoung at redhat.com Mon Jan 10 14:21:53 2011
From: ayoung at redhat.com (Adam Young)
Date: Mon, 10 Jan 2011 09:21:53 -0500
Subject: [Freeipa-devel] [PATCH] admiyo-0138-center-page
In-Reply-To: <4D2B0404.4030401@redhat.com>
References: <4D28C8DE.2020701@redhat.com> <4D2B0404.4030401@redhat.com>
Message-ID: <4D2B1601.1030601@redhat.com>

On 01/10/2011 08:05 AM, Endi Sukma Dewata wrote:
> On 1/9/2011 3:28 AM, Adam Young wrote:
>>
>
> This patch includes test.html and test.html~. Are they supposed to be
> included? Everything else is fine.
>

Nope. I'll remove.

From ssorce at redhat.com Mon Jan 10 14:24:40 2011
From: ssorce at redhat.com (Simo Sorce)
Date: Mon, 10 Jan 2011 09:24:40 -0500
Subject: [Freeipa-devel] [PATCH] bind-dyndb-ldap: New idnsAllowQuery and idnsAllowTransfer zone attributes
In-Reply-To: <20110110112851.GA4877@evileye.atkac.brq.redhat.com>
References: <20110110112851.GA4877@evileye.atkac.brq.redhat.com>
Message-ID: <20110110092440.46b699ef@willson.li.ssimo.org>

On Mon, 10 Jan 2011 12:28:51 +0100
Adam Tkac wrote:

> the attached patch adds new attributes, idnsAllowQuery and
> idnsAllowTransfer, for the idnsZone. With those attributes
> it is now possible to set ACLs for the zone directly in LDAP.
>
> Example of ACL setting:
>
> idnsAllowQuery: 127.0.0.1
> idnsAllowQuery: ::1
> idnsAllowQuery: 192.168.1.0/24
>
> With this setting clients with 127.0.0.1 and ::1 IP addresses and
> clients from 192.168.1.0/24 network are allowed to obtain resource
> records from the zone.
>
> Comments are welcomed.

Patch looks good, and very useful.
I have already reserved the 2 new OIDs you used in our internal
registry and it is an ACK from my pov.

If I read the patch correctly, a zone missing these attributes will
have no issues (thinking of upgrades), can you confirm?

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York

From ayoung at redhat.com Mon Jan 10 14:29:02 2011
From: ayoung at redhat.com (Adam Young)
Date: Mon, 10 Jan 2011 09:29:02 -0500
Subject: [Freeipa-devel] [PATCH] admiyo-0138-center-page
In-Reply-To: <4D2B1601.1030601@redhat.com>
References: <4D28C8DE.2020701@redhat.com> <4D2B0404.4030401@redhat.com> <4D2B1601.1030601@redhat.com>
Message-ID: <4D2B17AE.6010507@redhat.com>

On 01/10/2011 09:21 AM, Adam Young wrote:
> On 01/10/2011 08:05 AM, Endi Sukma Dewata wrote:
>> On 1/9/2011 3:28 AM, Adam Young wrote:
>>>
>>
>> This patch includes test.html and test.html~. Are they supposed to be
>> included? Everything else is fine.
>>
> Nope. I'll remove.
>

Removed the test.html files and pushed to master

From atkac at redhat.com Mon Jan 10 14:32:52 2011
From: atkac at redhat.com (Adam Tkac)
Date: Mon, 10 Jan 2011 15:32:52 +0100
Subject: [Freeipa-devel] [PATCH] bind-dyndb-ldap: New idnsAllowQuery and idnsAllowTransfer zone attributes
In-Reply-To: <20110110092440.46b699ef@willson.li.ssimo.org>
References: <20110110112851.GA4877@evileye.atkac.brq.redhat.com> <20110110092440.46b699ef@willson.li.ssimo.org>
Message-ID: <20110110143252.GA9784@evileye.atkac.brq.redhat.com>

On Mon, Jan 10, 2011 at 09:24:40AM -0500, Simo Sorce wrote:
> On Mon, 10 Jan 2011 12:28:51 +0100
> Adam Tkac wrote:
>
> > the attached patch adds new attributes, idnsAllowQuery and
> > idnsAllowTransfer, for the idnsZone. With those attributes
> > it is now possible to set ACLs for the zone directly in LDAP.
> >
> > Example of ACL setting:
> >
> > idnsAllowQuery: 127.0.0.1
> > idnsAllowQuery: ::1
> > idnsAllowQuery: 192.168.1.0/24
> >
> > With this setting clients with 127.0.0.1 and ::1 IP addresses and
> > clients from 192.168.1.0/24 network are allowed to obtain resource
> > records from the zone.
> >
> > Comments are welcomed.
>
> Patch looks good, and very useful.
> I have already reserved the 2 new OIDs you used in our internal
> registry and it is an ACK from my pov.
>
> If I read the patch correctly, a zone missing these attributes will
> have no issues (thinking of upgrades), can you confirm?

Right you are, patch has no effect for existing zones without those
attributes.

Regards, Adam

-- 
Adam Tkac, Red Hat, Inc.

From jhrozek at redhat.com Mon Jan 10 15:04:17 2011
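The ACL semantics discussed in this thread, as an added illustration that is not bind-dyndb-ldap code (the patch's acl_from_ldap is not shown here): each attribute value is read as a plain IPv4/IPv6 address or a CIDR prefix, a client is allowed when any entry covers it, a zone whose attribute is absent stays unrestricted (the upgrade case Adam confirms above), and a malformed value is rejected outright rather than silently yielding a looser ACL. The type and function names (acl_t, acl_from_values, acl_allows, sample_allows) and the constructed sample values are mine; BIND's richer ACL syntax (negation, named ACLs, "any"/"none") is deliberately not handled.

```c
/* Added example, not bind-dyndb-ldap code. Names and sample values are
 * assumptions made for this illustration. */
#include <arpa/inet.h>
#include <stdlib.h>
#include <string.h>
#include <sys/socket.h>

#define ACL_MAX 16

typedef struct {
    int family;               /* AF_INET or AF_INET6 */
    unsigned char addr[16];   /* network-order bytes, host bits cleared */
    int prefix;               /* prefix length in bits */
} acl_entry_t;

typedef struct {
    acl_entry_t entries[ACL_MAX];
    int count;
} acl_t;

/* Parse "A.B.C.D", "A.B.C.D/n", "x::y" or "x::y/n". Returns 0 on success. */
static int acl_parse_entry(const char *text, acl_entry_t *out)
{
    char buf[64];
    char *slash;
    int maxbits;

    if (strlen(text) >= sizeof(buf))
        return -1;
    strcpy(buf, text);
    slash = strchr(buf, '/');
    if (slash != NULL)
        *slash++ = '\0';

    memset(out->addr, 0, sizeof(out->addr));
    if (inet_pton(AF_INET, buf, out->addr) == 1) {
        out->family = AF_INET;
        maxbits = 32;
    } else if (inet_pton(AF_INET6, buf, out->addr) == 1) {
        out->family = AF_INET6;
        maxbits = 128;
    } else {
        return -1;
    }

    if (slash == NULL) {
        out->prefix = maxbits;            /* a bare address is a /32 or /128 */
    } else {
        char *end;
        long n = strtol(slash, &end, 10);
        if (*slash == '\0' || *end != '\0' || n < 0 || n > maxbits)
            return -1;
        out->prefix = (int)n;
    }

    /* Clear host bits so "192.168.1.7/24" and "192.168.1.0/24" compare equal. */
    for (int bit = out->prefix; bit < maxbits; bit++)
        out->addr[bit / 8] &= (unsigned char)~(0x80 >> (bit % 8));
    return 0;
}

/* Build an ACL from a NULL-terminated array of attribute values. Returns the
 * entry count, or -1 if any value is malformed: a bad value must fail loudly
 * rather than quietly produce a looser ACL than the administrator wrote. */
int acl_from_values(const char *const *values, acl_t *acl)
{
    acl->count = 0;
    for (; *values != NULL; values++) {
        if (acl->count == ACL_MAX ||
            acl_parse_entry(*values, &acl->entries[acl->count]) != 0)
            return -1;
        acl->count++;
    }
    return acl->count;
}

/* 1 if client is covered by some entry, else 0. acl == NULL stands for
 * "attribute absent": the patch leaves such zones alone, so nothing is denied. */
int acl_allows(const acl_t *acl, const char *client)
{
    acl_entry_t c;

    if (acl == NULL)
        return 1;
    if (strchr(client, '/') != NULL || acl_parse_entry(client, &c) != 0)
        return 0;                         /* a client is one address, never a prefix */
    for (int i = 0; i < acl->count; i++) {
        const acl_entry_t *e = &acl->entries[i];
        int whole = e->prefix / 8, rem = e->prefix % 8;
        if (e->family != c.family || memcmp(e->addr, c.addr, whole) != 0)
            continue;
        if (rem == 0)
            return 1;
        unsigned char mask = (unsigned char)(0xff << (8 - rem));
        if ((e->addr[whole] & mask) == (c.addr[whole] & mask))
            return 1;
    }
    return 0;
}

/* Constructed sample: the three idnsAllowQuery values from the thread. */
static const char *const sample_values[] = { "127.0.0.1", "::1", "192.168.1.0/24", NULL };

/* Apply the sample ACL to one client address; -1 if the sample failed to parse. */
int sample_allows(const char *client)
{
    acl_t acl;
    if (acl_from_values(sample_values, &acl) < 0)
        return -1;
    return acl_allows(&acl, client);
}

/* Constructed malformed value: a prefix longer than an IPv4 address. */
int bad_value_is_rejected(void)
{
    static const char *const bad[] = { "192.168.1.0/33", NULL };
    acl_t acl;
    return acl_from_values(bad, &acl) == -1;
}
```

With the sample values, sample_allows("192.168.1.77") and sample_allows("::1") return 1 while sample_allows("192.168.2.1") returns 0; note that an IPv4-mapped IPv6 client such as ::ffff:192.168.1.5 parses as AF_INET6 and is therefore not matched by the IPv4 entries, which is the conservative outcome for an allow-list.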
From: jhrozek at redhat.com (Jakub Hrozek)
Date: Mon, 10 Jan 2011 16:04:17 +0100
Subject: [Freeipa-devel] [PATCH] bind-dyndb-ldap: new parameter "timeout"
In-Reply-To: <20110106172321.GA18045@evileye.atkac.brq.redhat.com>
References: <20110106172321.GA18045@evileye.atkac.brq.redhat.com>
Message-ID: <4D2B1FF1.3060408@redhat.com>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 01/06/2011 06:23 PM, Adam Tkac wrote:
> Hello,
>
> attached patch introduces new bind-dyndb-ldap parameter called
> "timeout". It controls timeout of the LDAP queries and by default is
> set to 10 seconds.
>
> The patch solves https://fedorahosted.org/bind-dyndb-ldap/ticket/3.
>
> Regards, Adam
>

The code looks OK but I'm wondering whether it would make more sense to
set it globally using ldap_set_option(LDAP_OPT_NETWORK_TIMEOUT) rather
than for the single ldap_search() call. That way, any other ldap_* calls
and also the LDAP bind operation would be controlled from a single place.

Jakub

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (GNU/Linux)
Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org/

iEYEARECAAYFAk0rH/EACgkQHsardTLnvCXMOwCfS6l4xMnZr+IomhJj0fgUAzvx
f7UAn0yD5YGXJlOZkC6SjWp9YeMIDkyM
=Cw6M
-----END PGP SIGNATURE-----

From mkosek at redhat.com Mon Jan 10 15:15:55 2011
From: mkosek at redhat.com (Martin Kosek)
Date: Mon, 10 Jan 2011 16:15:55 +0100
Subject: [Freeipa-devel] [PATCH] Use of pointer after free in ipa-join
In-Reply-To: <4D2AF5D7.1040405@redhat.com>
References: <1294410107.2970.4.camel@dhcp-25-52.brq.redhat.com> <4D273EC7.1030505@redhat.com> <1294648826.5765.11.camel@dhcp-25-52.brq.redhat.com> <4D2AF5D7.1040405@redhat.com>
Message-ID: <1294672555.5765.19.camel@dhcp-25-52.brq.redhat.com>

On Mon, 2011-01-10 at 13:04 +0100, Jakub Hrozek wrote:
> Nack,
>
> if(ptr) free(ptr);
>
> is redundant, freeing a NULL pointer is a no-op. Other than that, looks
> fine.

Attaching fixed version of patch.

Martin

-------------- next part --------------
A non-text attachment was scrubbed...
Name: mkosek-freeipa-002-02-use-of-pointer-after-free-in-ipa-join.patch
Type: text/x-patch
Size: 2291 bytes
Desc: not available
URL: 

From rcritten at redhat.com Mon Jan 10 15:27:40 2011
From: rcritten at redhat.com (Rob Crittenden)
Date: Mon, 10 Jan 2011 10:27:40 -0500
Subject: [Freeipa-devel] [PATCH] 658 don't allow attrs=None
In-Reply-To: <4D2AFB68.3020601@redhat.com>
References: <4D1173B4.1000504@redhat.com> <4D1211BE.20401@redhat.com> <4D1217A4.7070403@redhat.com> <4D2AFB68.3020601@redhat.com>
Message-ID: <4D2B256C.4030100@redhat.com>

Jakub Hrozek wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> On 12/22/2010 04:22 PM, Rob Crittenden wrote:
>> Rob Crittenden wrote:
>>> Rob Crittenden wrote:
>>>> Setting an empty set of target attributes should raise an exception.
>>>>
>>>> It is possible to create an ACI with attributes and then try to set that
>>>> to None via a mod command later. We need to catch this and raise an
>>>> exception.
>>>>
>>>> ticket 647
>>>>
>>>> rob
>>>
>>> I'm going to withdraw this patch to work on it some more. There needs to
>>> be some mechanism to completely remove attributes from an aci (in
>>> ipalib/aci.py).
>>>
>>> rob
>>>
>>
>> Updated patch attached. If None is set as the list of attributes then
>> the target is dropped.
>>
>> Note that no attributes is never legal for a delegation plugin.
>>
>> rob
>>
>
> Ack

pushed to master

From rcritten at redhat.com Mon Jan 10 15:32:22 2011
From: rcritten at redhat.com (Rob Crittenden)
Date: Mon, 10 Jan 2011 10:32:22 -0500
Subject: [Freeipa-devel] [PATCH] 667 display failures when deleting with --continue
In-Reply-To: <201101101303.54253.jzeleny@redhat.com>
References: <4D27531D.1030605@redhat.com> <201101101303.54253.jzeleny@redhat.com>
Message-ID: <4D2B2686.7040701@redhat.com>

Jan Zelený wrote:
> Rob Crittenden wrote:
>> If you deleted a bunch of entries with --continue and some would fail
>> you would get no notification of the ones that did.
>>
>> I had to change the return type of the baseldap LDAPDelete function to
>> return a dict instead of a boolean. So now it returns a string of the
>> failures.
>>
>> I also added a new Parameter flag, suppress_empty. If this is set then
>> empty values won't be displayed. This is so if you delete a bunch with
>> --continue and none fail you won't get a label with no values.
>>
>> ticket 687
>>
>> rob
>
> Ack
>
> Jan

pushed to master

From jhrozek at redhat.com Mon Jan 10 15:37:06 2011
From: jhrozek at redhat.com (Jakub Hrozek)
Date: Mon, 10 Jan 2011 16:37:06 +0100
Subject: [Freeipa-devel] [PATCH] Use of pointer after free in ipa-join
In-Reply-To: <1294672555.5765.19.camel@dhcp-25-52.brq.redhat.com>
References: <1294410107.2970.4.camel@dhcp-25-52.brq.redhat.com> <4D273EC7.1030505@redhat.com> <1294648826.5765.11.camel@dhcp-25-52.brq.redhat.com> <4D2AF5D7.1040405@redhat.com> <1294672555.5765.19.camel@dhcp-25-52.brq.redhat.com>
Message-ID: <4D2B27A2.4040700@redhat.com>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 01/10/2011 04:15 PM, Martin Kosek wrote:
> On Mon, 2011-01-10 at 13:04 +0100, Jakub Hrozek wrote:
>
>> Nack,
>>
>> if(ptr) free(ptr);
>>
>> is redundant, freeing a NULL pointer is a no-op. Other than that, looks
>> fine.
>
> Attaching fixed version of patch.
>
> Martin

Sorry, there's one more thing I haven't noticed before - please check
the return value of strdup() in the else branch.

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (GNU/Linux)
Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org/

iEYEARECAAYFAk0rJ6IACgkQHsardTLnvCVSVgCggTR3r3Q70AJflJAy28qk1qfR
qdsAn3F1QEiYFdMePVmHEiWqq49jWiPp
=KPf/
-----END PGP SIGNATURE-----

From atkac at redhat.com Mon Jan 10 15:36:45 2011
From: atkac at redhat.com (Adam Tkac)
Date: Mon, 10 Jan 2011 16:36:45 +0100
Subject: [Freeipa-devel] [PATCH] bind-dyndb-ldap: new parameter "timeout"
In-Reply-To: <4D2B1FF1.3060408@redhat.com>
References: <20110106172321.GA18045@evileye.atkac.brq.redhat.com> <4D2B1FF1.3060408@redhat.com>
Message-ID: <20110110153645.GA12067@evileye.atkac.brq.redhat.com>

On Mon, Jan 10, 2011 at 04:04:17PM +0100, Jakub Hrozek wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> On 01/06/2011 06:23 PM, Adam Tkac wrote:
> > Hello,
> >
> > attached patch introduces new bind-dyndb-ldap parameter called
> > "timeout". It controls timeout of the LDAP queries and by default is
> > set to 10 seconds.
> >
> > The patch solves https://fedorahosted.org/bind-dyndb-ldap/ticket/3.
> >
> > Regards, Adam
> >
>
> The code looks OK but I'm wondering whether it would make more sense to
> set it globally using ldap_set_option(LDAP_OPT_NETWORK_TIMEOUT) rather
> than for the single ldap_search() call. That way, any other ldap_* calls
> and also the LDAP bind operation would be controlled from a single place.

Good idea. However I would rather use LDAP_OPT_TIMEOUT. Improved patch
is attached.

Regards, Adam

-- 
Adam Tkac, Red Hat, Inc.

-------------- next part --------------
>From 26a1f34d7a3bf8ee8ab9b8ce2d9280d77c0e82ce Mon Sep 17 00:00:00 2001
From: Adam Tkac
Date: Thu, 6 Jan 2011 18:17:14 +0100
Subject: [PATCH] Add new parameter - "timeout".

This parameter controls timeout of the LDAP queries. Generally timeout
of resolvers is 5 seconds so 10 seconds by default should be enough.

Solves ticket https://fedorahosted.org/bind-dyndb-ldap/ticket/3.

Signed-off-by: Adam Tkac
---
 README            |    5 +++++
 src/ldap_helper.c |   15 +++++++++++----
 2 files changed, 16 insertions(+), 4 deletions(-)

diff --git a/README b/README
index 758f141..5c80344 100644
--- a/README
+++ b/README
@@ -139,6 +139,11 @@ zone_refresh (default 0) a zone. If this option is set to 0, the LDAP driver will never refresh the settings. +timeout (default 10) + Timeout (in seconds) of the queries to the LDAP server. If the LDAP + server don't respond before this timeout then lookup is aborted and + BIND returns SERVFAIL. Value "0" means infinite timeout (no timeout). + 5.2 Sample configuration ------------------------ diff --git a/src/ldap_helper.c b/src/ldap_helper.c index fbe9f9e..ece2f19 100644 --- a/src/ldap_helper.c +++ b/src/ldap_helper.c @@ -126,6 +126,7 @@ struct ldap_instance { ld_string_t *base; unsigned int connections; unsigned int reconnect_interval; + unsigned int timeout; ldap_auth_t auth_method; ld_string_t *bind_dn; ld_string_t *password; @@ -291,6 +292,7 @@ new_ldap_instance(isc_mem_t *mctx, const char *db_name, { "uri", no_default_string }, { "connections", default_uint(2) }, { "reconnect_interval", default_uint(60) }, + { "timeout", default_uint(10) }, { "base", no_default_string }, { "auth_method", default_string("none") }, { "bind_dn", default_string("") }, @@ -346,6 +348,7 @@ new_ldap_instance(isc_mem_t *mctx, const char *db_name, ldap_settings[i++].target = ldap_inst->uri; ldap_settings[i++].target = &ldap_inst->connections; ldap_settings[i++].target = &ldap_inst->reconnect_interval; + ldap_settings[i++].target = &ldap_inst->timeout; ldap_settings[i++].target = ldap_inst->base; ldap_settings[i++].target = auth_method_str; ldap_settings[i++].target = ldap_inst->bind_dn; @@ -1545,6 +1548,7 @@ ldap_connect(ldap_connection_t *ldap_conn) int ret; int version; ldap_instance_t *ldap_inst; + struct timeval timeout; REQUIRE(ldap_conn != NULL); 
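Review bot: In the README hunk (@@ -139,6 +139,11), the new paragraph needs a grammar pass: "If the LDAP server don't respond before this timeout then lookup is aborted" should read "If the LDAP server does not respond before this timeout, the lookup is aborted". It also promises that "0" means no timeout, which the code has to honour explicitly (see the ldap_connect change), and since LDAP_OPT_TIMEOUT governs every synchronous libldap call, the text should say the timeout applies to the bind as well as to queries.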
@@ -1561,10 +1565,11 @@ ldap_connect(ldap_connection_t *ldap_conn) ret = ldap_set_option(ld, LDAP_OPT_PROTOCOL_VERSION, &version); LDAP_OPT_CHECK(ret, "failed to set LDAP version"); - /* - ret = ldap_set_option(ld, LDAP_OPT_TIMELIMIT, (void *)&ldap_inst->timeout); - LDAP_OPT_CHECK(ret, "failed to set timeout: %s", ldap_err2string(ret)); - */ + timeout.tv_sec = ldap_conn->database->timeout; + timeout.tv_usec = 0; + + ret = ldap_set_option(ld, LDAP_OPT_TIMEOUT, &timeout); + LDAP_OPT_CHECK(ret, "failed to set timeout"); if (ldap_conn->handle != NULL) ldap_unbind_ext_s(ldap_conn->handle, NULL, NULL); @@ -1697,6 +1702,8 @@ handle_connection_error(ldap_connection_t *ldap_conn, isc_result_t *result) log_error("connection to the LDAP server was lost"); if (ldap_connect(ldap_conn) == ISC_R_SUCCESS) return 1; + } else if (err_code == LDAP_TIMEOUT) { + log_error("LDAP query timed out. Try to adjust \"timeout\" parameter"); } else { err_string = ldap_err2string(err_code); } -- 1.7.3.4 From rcritten at redhat.com Mon Jan 10 15:39:57 2011 From: rcritten at redhat.com (Rob Crittenden) Date: Mon, 10 Jan 2011 10:39:57 -0500 Subject: [Freeipa-devel] [PATCH] ship ipa-dns-install man page Message-ID: <4D2B284D.9090805@redhat.com> The man page was written but not installed. I pushed this out as a one-liner. rob -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-rcrit-669-man.patch Type: text/x-patch Size: 1150 bytes Desc: not available URL: From jhrozek at redhat.com Mon Jan 10 15:41:13 2011 
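Review bot: In the ldap_connect hunk (@@ -1561,10 +1565,11), the timeval is handed to ldap_set_option(ld, LDAP_OPT_TIMEOUT, &timeout) unconditionally, so the documented "0 means infinite" setting becomes {tv_sec = 0, tv_usec = 0}; libldap disables the timeout when the option is set to NULL, not when it is zero, and a zero timeval makes the synchronous result wait poll instead of block, so a configured timeout of 0 would fail every query immediately rather than never. Skip the ldap_set_option call (or pass NULL) when the configured timeout is 0. Minor: the function already declares ldap_inst, so `ldap_inst->timeout`, as in the commented-out code being replaced, reads more consistently than `ldap_conn->database->timeout`.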
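Review bot: In the handle_connection_error hunk (@@ -1697,6 +1702,8), the new `else if (err_code == LDAP_TIMEOUT)` branch logs the hint but, unlike the final else, never assigns err_string, so whatever follows this chain and reports err_string will see it unset for timeouts. Either also set `err_string = ldap_err2string(err_code)` in that branch or return after logging. The hint would also be more actionable if it included the value in effect (ldap_conn->database->timeout) in the log_error message.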
From: jhrozek at redhat.com (Jakub Hrozek)
Date: Mon, 10 Jan 2011 16:41:13 +0100
Subject: [Freeipa-devel] [PATCH] Use of pointer after free in ipa-join
In-Reply-To: <4D2B27A2.4040700@redhat.com>
References: <1294410107.2970.4.camel@dhcp-25-52.brq.redhat.com> <4D273EC7.1030505@redhat.com> <1294648826.5765.11.camel@dhcp-25-52.brq.redhat.com> <4D2AF5D7.1040405@redhat.com> <1294672555.5765.19.camel@dhcp-25-52.brq.redhat.com> <4D2B27A2.4040700@redhat.com>
Message-ID: <4D2B2899.3050304@redhat.com>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 01/10/2011 04:37 PM, Jakub Hrozek wrote:
> Sorry, there's one more thing I haven't noticed before - please check
> the return value of strdup() in the else branch.
>

This comment was applicable to the ipa-rmkeytab patch. Ack to this one.

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (GNU/Linux)
Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org/

iEYEARECAAYFAk0rKJkACgkQHsardTLnvCVOvwCfYthWcdtUdaOsNlYpZEJktIz5
taIAni5B5CfgOtW/kQV4LDnfb+jnONBp
=VZ7m
-----END PGP SIGNATURE-----

From jhrozek at redhat.com Mon Jan 10 15:41:46 2011
From: jhrozek at redhat.com (Jakub Hrozek)
Date: Mon, 10 Jan 2011 16:41:46 +0100
Subject: [Freeipa-devel] [PATCH] Uninitialized pointer read in ipa-rmkeytab
In-Reply-To: <4D2B0A73.6070802@redhat.com>
References: <1294653266.5765.14.camel@dhcp-25-52.brq.redhat.com> <4D2AF652.3000509@redhat.com> <1294665937.5765.17.camel@dhcp-25-52.brq.redhat.com> <4D2B0A73.6070802@redhat.com>
Message-ID: <4D2B28BA.7010601@redhat.com>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 01/10/2011 02:32 PM, Jakub Hrozek wrote:
> On 01/10/2011 02:25 PM, Martin Kosek wrote:
>> Good point with the free method. Sending second patch with these issues
>> fixed.
>
>> Martin
>
> Ack

Hopefully replying to the correct patch now...

There's one more thing I haven't noticed before - please check
the return value of strdup() in the else branch.

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (GNU/Linux)
Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org/

iEYEARECAAYFAk0rKLoACgkQHsardTLnvCXOLQCgle7E6MdflCDH4++SrqDiElqT
0f0An23pzerUjOqtkoDyjzDO+1medL8t
=jrZF
-----END PGP SIGNATURE-----

From rcritten at redhat.com Mon Jan 10 15:41:08 2011
From: rcritten at redhat.com (Rob Crittenden)
Date: Mon, 10 Jan 2011 10:41:08 -0500
Subject: [Freeipa-devel] [PATCH] 665 simple build instructions
In-Reply-To: <201101100828.54170.jzeleny@redhat.com>
References: <4D24CF0E.9010201@redhat.com> <201101060954.48588.jzeleny@redhat.com> <4D276E44.7040207@redhat.com> <201101100828.54170.jzeleny@redhat.com>
Message-ID: <4D2B2894.1070305@redhat.com>

Jan Zelený wrote:
> Rob Crittenden wrote:
>> Jan Zelený wrote:
>>> Nack:
>>>
>>> I think using rpm -Uvh dist/rpms/* is not a good option. Using
>>> yum --nogpgcheck localinstall dist/rpms/* is much better, because it also
>>> installs runtime dependencies, which might not be included by previous
>>> installation of build dependencies.
>>>
>>> One suggestion: I'd recommend users installation with --selfsign option.
>>> Installation without it takes much longer and (currently) it often ends
>>> with an error.
>>>
>>> You have a typo on line 64:
>>> develping -> developing
>>
>> Updated patch attached
>>
>> rob
>
> Ack
>
> Jan

pushed to master

From mkosek at redhat.com Mon Jan 10 15:54:33 2011
From: mkosek at redhat.com (Martin Kosek)
Date: Mon, 10 Jan 2011 16:54:33 +0100
Subject: [Freeipa-devel] [PATCH] Uninitialized pointer read in ipa-rmkeytab
In-Reply-To: <4D2B28BA.7010601@redhat.com>
References: <1294653266.5765.14.camel@dhcp-25-52.brq.redhat.com> <4D2AF652.3000509@redhat.com> <1294665937.5765.17.camel@dhcp-25-52.brq.redhat.com> <4D2B0A73.6070802@redhat.com> <4D2B28BA.7010601@redhat.com>
Message-ID: <1294674873.5765.21.camel@dhcp-25-52.brq.redhat.com>

On Mon, 2011-01-10 at 16:41 +0100, Jakub Hrozek wrote:
> Hopefully replying to the correct patch now...
>
> There's one more thing I haven't noticed before - please check
> the return value of strdup() in the else branch.

Obviously, I missed that too. Should be fixed in attached patch.

Martin

-------------- next part --------------
A non-text attachment was scrubbed...
Name: mkosek-freeipa-003-03-uninitialized-pointer-read-in-ipa-rmkeytab.patch
Type: text/x-patch
Size: 1832 bytes
Desc: not available
URL: 

From jhrozek at redhat.com Mon Jan 10 16:15:29 2011
From: jhrozek at redhat.com (Jakub Hrozek)
Date: Mon, 10 Jan 2011 17:15:29 +0100
Subject: [Freeipa-devel] [PATCH] 029 Enforce uniqueness on (key, info) pairs in automount keys
In-Reply-To: <4D0F6949.4020504@redhat.com>
References: <4D0F5ED8.5000403@redhat.com> <4D0F6949.4020504@redhat.com>
Message-ID: <4D2B30A1.5030303@redhat.com>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 12/20/2010 03:33 PM, Jakub Hrozek wrote:
> On 12/20/2010 02:49 PM, Jakub Hrozek wrote:
>> Attached is a patch that changes the uniqueness constraint of automount
>> keys from (key) to (key,info) pairs. The patch is not really standard
>> baseldap style. The reason is that during development, I found that
>> baseldap is really dependent on having a single primary key and also
>> during many operations accessing it as keys[-1].
>
>> Please note that the ipa automountkey-* commands used to have three
>> args, now it's two args and two required options (that compose the tuple
>> that is primary key). I know next to nothing about UI, but I assume this
>> has consequences as the JSON marshalled call needs to be different now.
>> Can someone point me to the place in code that I need to fix now?
>
>> Fixes:
>> https://fedorahosted.org/freeipa/ticket/293
>
> Sorry, I left some debugging statements in. Attached is a new patch.

Attached is a patch that applies cleanly on top of origin/master.

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (GNU/Linux)
Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org/

iEYEARECAAYFAk0rMKEACgkQHsardTLnvCUwyACfV2eIX/+c0hjKsLyRkGLnBH3r
sesAn2xpp8dXdZMuRQ4SICupUDP9EbwR
=JhYQ
-----END PGP SIGNATURE-----

-------------- next part --------------
A non-text attachment was scrubbed...
Name: jhrozek-freeipa-029-03-automount-keys-uniqueness.patch
Type: text/x-patch
Size: 19041 bytes
Desc: not available
URL: 
-------------- next part --------------
A non-text attachment was scrubbed...
Name: jhrozek-freeipa-029-03-automount-keys-uniqueness.patch.sig
Type: application/pgp-signature
Size: 72 bytes
Desc: not available
URL: 

From jhrozek at redhat.com Mon Jan 10 16:17:00 2011
From: jhrozek at redhat.com (Jakub Hrozek)
Date: Mon, 10 Jan 2011 17:17:00 +0100
Subject: [Freeipa-devel] [PATCH] Uninitialized pointer read in ipa-rmkeytab
In-Reply-To: <1294674873.5765.21.camel@dhcp-25-52.brq.redhat.com>
References: <1294653266.5765.14.camel@dhcp-25-52.brq.redhat.com> <4D2AF652.3000509@redhat.com> <1294665937.5765.17.camel@dhcp-25-52.brq.redhat.com> <4D2B0A73.6070802@redhat.com> <4D2B28BA.7010601@redhat.com> <1294674873.5765.21.camel@dhcp-25-52.brq.redhat.com>
Message-ID: <4D2B30FC.8020303@redhat.com>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 01/10/2011 04:54 PM, Martin Kosek wrote:
> On Mon, 2011-01-10 at 16:41 +0100, Jakub Hrozek wrote:
>> Hopefully replying to the correct patch now...
>>
>> There's one more thing I haven't noticed before - please check
>> the return value of strdup() in the else branch.
>
> Obviously, I missed that too. Should be fixed in attached patch.
>
> Martin
>

Ack

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (GNU/Linux)
Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org/

iEYEARECAAYFAk0rMPwACgkQHsardTLnvCVB/wCcC9BKwuEQVmxgPjTEsDJSVezu
8HkAnjz/OlFcnVmQF6Sx+4BFPso3PAOg
=vyWD
-----END PGP SIGNATURE-----

From rcritten at redhat.com Mon Jan 10 16:18:32 2011
From: rcritten at redhat.com (Rob Crittenden)
Date: Mon, 10 Jan 2011 11:18:32 -0500
Subject: [Freeipa-devel] [PATCH] 670 ldap debugging
Message-ID: <4D2B3158.4050602@redhat.com>

There was an option for debug level in the ldap2 module but it wasn't
used at all. This enables it.

rob

-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-rcrit-670-debug.patch
Type: text/x-patch
Size: 1187 bytes
Desc: not available
URL: 

From ayoung at redhat.com Mon Jan 10 16:22:36 2011
From: ayoung at redhat.com (Adam Young) Date: Mon, 10 Jan 2011 11:22:36 -0500 Subject: [Freeipa-devel] [PATCH] 670 ldap debugging In-Reply-To: <4D2B3158.4050602@redhat.com> References: <4D2B3158.4050602@redhat.com> Message-ID: <4D2B324C.4080903@redhat.com> On 01/10/2011 11:18 AM, Rob Crittenden wrote: > There was an option for debug level in the ldap2 module but it wasn't > used at all. This enables it. > > rob > > > _______________________________________________ > Freeipa-devel mailing list > Freeipa-devel at redhat.com > https://www.redhat.com/mailman/listinfo/freeipa-devel ACK -------------- next part -------------- An HTML attachment was scrubbed... URL: From ayoung at redhat.com Mon Jan 10 16:25:50 2011 From: ayoung at redhat.com (Adam Young) Date: Mon, 10 Jan 2011 11:25:50 -0500 Subject: [Freeipa-devel] admiyo-0139-header-style-fix. Message-ID: <4D2B330E.8080805@redhat.com> -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-admiyo-0139-header-style-fix.patch Type: text/x-patch Size: 941 bytes Desc: not available URL: From jhrozek at redhat.com Mon Jan 10 16:26:04 2011 
From: jhrozek at redhat.com (Jakub Hrozek) Date: Mon, 10 Jan 2011 17:26:04 +0100 Subject: [Freeipa-devel] [PATCH] bind-dyndb-ldap: new parameter "timeout" In-Reply-To: <20110110153645.GA12067@evileye.atkac.brq.redhat.com> References: <20110106172321.GA18045@evileye.atkac.brq.redhat.com> <4D2B1FF1.3060408@redhat.com> <20110110153645.GA12067@evileye.atkac.brq.redhat.com> Message-ID: <4D2B331C.8010606@redhat.com> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 On 01/10/2011 04:36 PM, Adam Tkac wrote: > On Mon, Jan 10, 2011 at 04:04:17PM +0100, Jakub Hrozek wrote: >> -----BEGIN PGP SIGNED MESSAGE----- >> Hash: SHA1 >> >> On 01/06/2011 06:23 PM, Adam Tkac wrote: >>> Hello, >>> >>> the attached patch introduces a new bind-dyndb-ldap parameter called >>> "timeout". It controls the timeout of the LDAP queries and by default is >>> set to 10 seconds. >>> >>> The patch solves https://fedorahosted.org/bind-dyndb-ldap/ticket/3. >>> >>> Regards, Adam >>> >> >> The code looks OK but I'm wondering whether it would make more sense to >> set it globally using ldap_set_option(LDAP_OPT_NETWORK_TIMEOUT) rather >> than for the single ldap_search() call. That way, any other ldap_* calls >> and also the LDAP bind operation would be controlled from a single place. > > Good idea. However I would rather use LDAP_OPT_TIMEOUT. Improved patch > is attached. > > Regards, Adam > Ack -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.11 (GNU/Linux) Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org/ iEYEARECAAYFAk0rMxsACgkQHsardTLnvCW7mwCgvhCW0Lf+18JfPXaYqAoW/O5V 2KsAn1aNJ8NYGvfcFd6eTEnUvFOLI2hJ =uFNT -----END PGP SIGNATURE----- From kybaker at redhat.com Mon Jan 10 16:25:12 2011 
From: kybaker at redhat.com (Kyle Baker) Date: Mon, 10 Jan 2011 11:25:12 -0500 (EST) Subject: [Freeipa-devel] admiyo-0139-header-style-fix. In-Reply-To: <4D2B330E.8080805@redhat.com> Message-ID: <1362896228.25997.1294676712873.JavaMail.root@zmail05.collab.prod.int.phx2.redhat.com> ACK, Good to go. ----- Original Message ----- > _______________________________________________ > Freeipa-devel mailing list > Freeipa-devel at redhat.com > https://www.redhat.com/mailman/listinfo/freeipa-devel -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-admiyo-0139-header-style-fix.patch Type: text/x-patch Size: 941 bytes Desc: not available URL: From ayoung at redhat.com Mon Jan 10 16:28:05 2011 From: ayoung at redhat.com (Adam Young) Date: Mon, 10 Jan 2011 11:28:05 -0500 Subject: [Freeipa-devel] admiyo-0139-header-style-fix. In-Reply-To: <1362896228.25997.1294676712873.JavaMail.root@zmail05.collab.prod.int.phx2.redhat.com> References: <1362896228.25997.1294676712873.JavaMail.root@zmail05.collab.prod.int.phx2.redhat.com> Message-ID: <4D2B3395.3010101@redhat.com> On 01/10/2011 11:25 AM, Kyle Baker wrote: > ACK, Good to go. > > ----- Original Message ----- >> _______________________________________________ >> Freeipa-devel mailing list >> Freeipa-devel at redhat.com >> https://www.redhat.com/mailman/listinfo/freeipa-devel Pushed to master From atkac at redhat.com Mon Jan 10 16:35:59 2011 
From: atkac at redhat.com (Adam Tkac) Date: Mon, 10 Jan 2011 17:35:59 +0100 Subject: [Freeipa-devel] [PATCH] bind-dyndb-ldap: new parameter "timeout" In-Reply-To: <4D2B331C.8010606@redhat.com> References: <20110106172321.GA18045@evileye.atkac.brq.redhat.com> <4D2B1FF1.3060408@redhat.com> <20110110153645.GA12067@evileye.atkac.brq.redhat.com> <4D2B331C.8010606@redhat.com> Message-ID: <20110110163559.GA12948@evileye.atkac.brq.redhat.com> On Mon, Jan 10, 2011 at 05:26:04PM +0100, Jakub Hrozek wrote: > -----BEGIN PGP SIGNED MESSAGE----- > Hash: SHA1 > > On 01/10/2011 04:36 PM, Adam Tkac wrote: > > On Mon, Jan 10, 2011 at 04:04:17PM +0100, Jakub Hrozek wrote: > >> -----BEGIN PGP SIGNED MESSAGE----- > >> Hash: SHA1 > >> > >> On 01/06/2011 06:23 PM, Adam Tkac wrote: > >>> Hello, > >>> > >>> the attached patch introduces a new bind-dyndb-ldap parameter called > >>> "timeout". It controls the timeout of the LDAP queries and by default is > >>> set to 10 seconds. > >>> > >>> The patch solves https://fedorahosted.org/bind-dyndb-ldap/ticket/3. > >>> > >>> Regards, Adam > >>> > >> > >> The code looks OK but I'm wondering whether it would make more sense to > >> set it globally using ldap_set_option(LDAP_OPT_NETWORK_TIMEOUT) rather > >> than for the single ldap_search() call. That way, any other ldap_* calls > >> and also the LDAP bind operation would be controlled from a single place. > > > > Good idea. However I would rather use LDAP_OPT_TIMEOUT. Improved patch > > is attached. > > > > Regards, Adam > > > > Ack Pushed to master. -- Adam Tkac, Red Hat, Inc. From ayoung at redhat.com Mon Jan 10 17:07:42 2011 
From: ayoung at redhat.com (Adam Young) Date: Mon, 10 Jan 2011 12:07:42 -0500 Subject: [Freeipa-devel] [PATCH] Retype (when cloning) Flag parameters to Bool for search commands. In-Reply-To: <4D2448D1.4040001@redhat.com> References: <4D2448D1.4040001@redhat.com> Message-ID: <4D2B3CDE.5080400@redhat.com> On 01/05/2011 05:32 AM, Pavel Zuna wrote: > Flag parameters are always autofill by definition, causing unexpected > search results. This patch retypes them to Bool for search commands, > so that users have to/can enter the desired value manually. > > A good example of the Flag parameters causing problems in search > commands is `dnszone-find` (ticket #689). > > Ticket #689 > Ticket #701 > > Pavel > > > _______________________________________________ > Freeipa-devel mailing list > Freeipa-devel at redhat.com > https://www.redhat.com/mailman/listinfo/freeipa-devel pushed to master -------------- next part -------------- An HTML attachment was scrubbed... URL: From rcritten at redhat.com Mon Jan 10 18:49:59 2011 From: rcritten at redhat.com (Rob Crittenden) Date: Mon, 10 Jan 2011 13:49:59 -0500 Subject: [Freeipa-devel] [PATCH] 671 ensure replica server exists in DNS Message-ID: <4D2B54D7.3000101@redhat.com> Before allowing ipa-replica-prepare to proceed ensure that the target server exists in DNS. This can add the entry if you include the --ip-address option. The result if the DNS entry doesn't exist is the replication agreement will fail because the master can't connect to the replica. rob -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-rcrit-671-dns.patch Type: text/x-patch Size: 2337 bytes Desc: not available URL: From rcritten at redhat.com Mon Jan 10 19:25:18 2011 
From: rcritten at redhat.com (Rob Crittenden) Date: Mon, 10 Jan 2011 14:25:18 -0500 Subject: [Freeipa-devel] [PATCH] 672 allow hosts to be in own managedby Message-ID: <4D2B5D1E.2010801@redhat.com> This fixes 3 problems related to ipa host-add-managedby: 1. Add a label for failed managedby 2. Fix a call to print_entry() where the new flags argument was missing 3. Add a flag to allow a group to be a member of itself (default is no) ticket 708 rob -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-rcrit-672-host.patch Type: text/x-patch Size: 4344 bytes Desc: not available URL: From ssorce at redhat.com Mon Jan 10 19:32:53 2011 From: ssorce at redhat.com (Simo Sorce) Date: Mon, 10 Jan 2011 14:32:53 -0500 Subject: [Freeipa-devel] [PATCH] 671 ensure replica server exists in DNS In-Reply-To: <4D2B54D7.3000101@redhat.com> References: <4D2B54D7.3000101@redhat.com> Message-ID: <20110110143253.13f34dce@willson.li.ssimo.org> On Mon, 10 Jan 2011 13:49:59 -0500 Rob Crittenden wrote: > Before allowing ipa-replica-prepare to proceed ensure that the target > server exists in DNS. This can add the entry if you include the > --ip-address option. > > The result if the DNS entry doesn't exist is the replication > agreement will fail because the master can't connect to the replica. Nack, if you pass --ip-address you are going to test for existence of the DNS record before actually creating it, therefore always failing the check. Simo. -- Simo Sorce * Red Hat, Inc * New York From rcritten at redhat.com Mon Jan 10 22:19:01 2011 
From: rcritten at redhat.com (Rob Crittenden) Date: Mon, 10 Jan 2011 17:19:01 -0500 Subject: [Freeipa-devel] [PATCH] 671 ensure replica server exists in DNS In-Reply-To: <20110110143253.13f34dce@willson.li.ssimo.org> References: <4D2B54D7.3000101@redhat.com> <20110110143253.13f34dce@willson.li.ssimo.org> Message-ID: <4D2B85D5.2080605@redhat.com> Simo Sorce wrote: > On Mon, 10 Jan 2011 13:49:59 -0500 > Rob Crittenden wrote: > >> Before allowing ipa-replica-prepare to proceed ensure that the target >> server exists in DNS. This can add the entry if you include the >> --ip-address option. >> >> The result if the DNS entry doesn't exist is the replication >> agreement will fail because the master can't connect to the replica. > > Nack, > if you pass --ip-address you are going to test for existence of the DNS > record before actually creating it therefore always failing the check. > > Simo. > Ok, use the existing verify_fqdn() method instead of calling the API. I left the dns_resolve() change so it isn't IPv4-specific. rob -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-rcrit-671-2-dns.patch Type: text/x-patch Size: 4507 bytes Desc: not available URL: From ssorce at redhat.com Mon Jan 10 22:25:22 2011 
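The DNS pre-flight discussed in the 671 thread above, written out as an added example; this is not FreeIPA code and its verify_fqdn is this example's own function, not the installutils helper Rob refers to. It encodes the two points of the thread: when --ip-address is supplied the record has to be added before the existence check runs (otherwise, as Simo notes, the check always fails on a new name), and the check itself must not be IPv4-specific, so it accepts A or AAAA addresses and confirms the reverse record for each. DNS is abstracted behind three callables so the code runs offline; FakeZone is a constructed in-memory stand-in, and all host names and addresses are illustrative.

```python
"""Added example: DNS pre-flight for a replica, with add-then-verify ordering.

Not FreeIPA code. `lookup`, `reverse` and `add_record` are assumed callables
standing in for a resolver; FakeZone below is a constructed in-memory zone.
"""
import ipaddress
from typing import Callable, Dict, List, Optional

Lookup = Callable[[str], List[str]]        # name -> A/AAAA address strings
Reverse = Callable[[str], Optional[str]]   # PTR owner name -> target name
AddRecord = Callable[[str, str], None]     # (fqdn, address) -> None


class ReplicaDNSError(Exception):
    """Raised when the replica's name is not usable from the master."""


def verify_fqdn(fqdn: str, lookup: Lookup, reverse: Reverse) -> List[str]:
    """Require at least one A or AAAA record for fqdn and, for each address,
    a PTR that points back at fqdn; return the addresses found."""
    addrs = lookup(fqdn)
    if not addrs:
        raise ReplicaDNSError("%s has no A or AAAA record" % fqdn)
    for addr in addrs:
        ip = ipaddress.ip_address(addr)  # both families; raises ValueError on junk
        ptr = reverse(ip.reverse_pointer)
        if ptr is None:
            raise ReplicaDNSError("no PTR record for %s" % addr)
        if ptr.rstrip(".").lower() != fqdn.rstrip(".").lower():
            raise ReplicaDNSError("PTR for %s is %s, expected %s" % (addr, ptr, fqdn))
    return addrs


def ensure_replica_in_dns_broken(fqdn, ip_address, lookup, reverse, add_record):
    """The ordering Simo objected to: verify first, add afterwards, so a new
    name given together with --ip-address can never pass the check."""
    addrs = verify_fqdn(fqdn, lookup, reverse)
    if ip_address is not None:
        add_record(fqdn, ip_address)
    return addrs


def ensure_replica_in_dns(fqdn, ip_address, lookup, reverse, add_record):
    """Add the record first when an address was supplied, then verify.
    A name that already resolves to a different address is reported rather
    than silently overwritten."""
    if ip_address is not None:
        ip = ipaddress.ip_address(ip_address)
        existing = lookup(fqdn)
        if not existing:
            add_record(fqdn, str(ip))
        elif str(ip) not in existing:
            raise ReplicaDNSError("%s already resolves to %s, not %s"
                                  % (fqdn, ", ".join(existing), ip))
    return verify_fqdn(fqdn, lookup, reverse)


def raises_dns_error(func, *args) -> bool:
    """True when func(*args) fails the pre-flight with ReplicaDNSError."""
    try:
        func(*args)
    except ReplicaDNSError:
        return True
    return False


class FakeZone:
    """Constructed in-memory forward and reverse zone (not a resolver)."""

    def __init__(self) -> None:
        self.forward: Dict[str, List[str]] = {}
        self.reverse: Dict[str, str] = {}

    def lookup(self, name: str) -> List[str]:
        return list(self.forward.get(name, []))

    def reverse_lookup(self, ptr_owner: str) -> Optional[str]:
        return self.reverse.get(ptr_owner)

    def add_record(self, fqdn: str, address: str) -> None:
        self.forward.setdefault(fqdn, []).append(address)
        self.reverse[ipaddress.ip_address(address).reverse_pointer] = fqdn


if __name__ == "__main__":
    zone = FakeZone()
    print(ensure_replica_in_dns("replica1.example.test", "2001:db8::10",
                                zone.lookup, zone.reverse_lookup, zone.add_record))
```

With a real resolver the `lookup` callable would wrap `socket.getaddrinfo` and `reverse` a PTR query; keeping them injectable is what lets the ordering bug be demonstrated without network access.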
From: ssorce at redhat.com (Simo Sorce) Date: Mon, 10 Jan 2011 17:25:22 -0500 Subject: [Freeipa-devel] [PATCH] 671 ensure replica server exists in DNS In-Reply-To: <4D2B85D5.2080605@redhat.com> References: <4D2B54D7.3000101@redhat.com> <20110110143253.13f34dce@willson.li.ssimo.org> <4D2B85D5.2080605@redhat.com> Message-ID: <20110110172522.4f3f122c@willson.li.ssimo.org> On Mon, 10 Jan 2011 17:19:01 -0500 Rob Crittenden wrote: > Simo Sorce wrote: > > Nack, > > if you pass --ip-address you are going to test for existence of the > > DNS record before actually creating it therefore always failing the > > check. > > > > Simo. > > > > Ok, use the existing verify_fqdn() method instead of calling the API. > > I left the dns_resolve() change so it isn't IPv4-specific. Ok, ACK. Simo. -- Simo Sorce * Red Hat, Inc * New York From rcritten at redhat.com Mon Jan 10 22:44:09 2011 From: rcritten at redhat.com (Rob Crittenden) Date: Mon, 10 Jan 2011 17:44:09 -0500 Subject: [Freeipa-devel] [PATCH] 673 make ipaDefaultLoginShell a IA5Str Message-ID: <4D2B8BB9.8080509@redhat.com> Make the config setting ipaDefaultLoginShell an IA5Str to match the POSIX schema for loginShell. ticket 739 rob -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-rcrit-673-schema.patch Type: text/x-patch Size: 1579 bytes Desc: not available URL: From JR.Aquino at citrix.com Mon Jan 10 23:11:51 2011 
From: JR.Aquino at citrix.com (JR Aquino) Date: Mon, 10 Jan 2011 23:11:51 +0000 Subject: [Freeipa-devel] [PATCH 14] Bugfix for sudo compat cmdcat and deny commands Message-ID: Attached is a patch to fix the sudo compat plugin. Ticket# 742: https://fedorahosted.org/freeipa/ticket/742 The sudo compat plugin should allow for the presence of: Command Category: ALL AND sudoCommand: !/usr/bin/less Currently the plugin is set to overwrite any other sudoCommand attribute in favor of just 'ALL' The plugin should continue to supersede 'permit' commands, but it should not override 'deny' commands. Ticket updated with the attached patch. Please ack and push. -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-jraquino-0014-bugfix-for-sudo-compat-cmdcat-and-deny-commands.patch Type: application/octet-stream Size: 2148 bytes Desc: freeipa-jraquino-0014-bugfix-for-sudo-compat-cmdcat-and-deny-commands.patch URL: From edewata at redhat.com Tue Jan 11 02:17:57 2011 From: edewata at redhat.com (Endi Sukma Dewata) Date: Tue, 11 Jan 2011 09:17:57 +0700 Subject: [Freeipa-devel] [PATCH] Fixed SUDO command category. Message-ID: <4D2BBDD5.50903@redhat.com> Hi, This patch fixes the UI part of this bug: https://fedorahosted.org/freeipa/ticket/742 The radio buttons under the Run Commands section in the SUDO details page have been changed from allow/deny/specified into all/specified, and moved under the Allow commands subsection, matching the correct usage of the cmdcategory attribute. -- Endi S. Dewata -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-edewata-0063-Fixed-SUDO-command-category.patch Type: text/x-patch Size: 11227 bytes Desc: not available URL: From edewata at redhat.com Tue Jan 11 06:28:30 2011 
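A worked example added for the sudo compat behaviour JR describes above (ticket 742); it is not FreeIPA code and not the compat plugin's configuration. It shows the broken derivation of sudoCommand beside the intended one: a command category of ALL must supersede the individual permit commands but leave the deny commands in place, so that `sudoCommand: ALL` and `sudoCommand: !/usr/bin/less` appear together. The rule representation is an assumption made for the example: a dict of the IPA attributes `cmdcategory`, `memberallowcmd` and `memberdenycmd`, with member values already resolved to command strings rather than sudocmd entry DNs, and the `ou=SUDOers` suffix in the rendered entry is illustrative.

```python
"""Added example: deriving compat sudoCommand values from an IPA sudo rule.

Not FreeIPA code. Assumed representation: a rule is a dict of LDAP attributes
('cmdcategory', 'memberallowcmd', 'memberdenycmd', 'memberuser', 'memberhost')
whose member values are already resolved to plain strings.
"""
from typing import Dict, List, Sequence, Union

Rule = Dict[str, Union[str, Sequence[str]]]


def _values(rule: Rule, attr: str) -> List[str]:
    """Return an LDAP attribute as a list, whether stored as str or list."""
    value = rule.get(attr, [])
    if isinstance(value, str):
        return [value]
    return [str(v) for v in value]


def _category_is_all(rule: Rule) -> bool:
    return [v.lower() for v in _values(rule, "cmdcategory")] == ["all"]


def _deny_commands(rule: Rule) -> List[str]:
    """Deny entries with the '!' negation prefix used in sudoers LDAP."""
    return ["!" + cmd for cmd in _values(rule, "memberdenycmd")]


def sudo_commands_before(rule: Rule) -> List[str]:
    """Behaviour the mail reports as broken: once cmdcategory is 'all',
    every other sudoCommand value, deny entries included, is dropped."""
    if _category_is_all(rule):
        return ["ALL"]
    return _values(rule, "memberallowcmd") + _deny_commands(rule)


def sudo_commands_after(rule: Rule) -> List[str]:
    """Intended behaviour: 'ALL' still supersedes the individual permit
    commands, but the deny commands are kept next to it."""
    deny = _deny_commands(rule)
    if _category_is_all(rule):
        return ["ALL"] + deny
    return _values(rule, "memberallowcmd") + deny


def render_sudo_role(cn: str, rule: Rule, suffix: str = "dc=example,dc=test") -> str:
    """Render the compat-tree sudoRole entry as LDIF text (suffix illustrative)."""
    lines = [
        "dn: cn=%s,ou=SUDOers,%s" % (cn, suffix),
        "objectClass: sudoRole",
        "cn: %s" % cn,
    ]
    lines += ["sudoUser: %s" % u for u in _values(rule, "memberuser")]
    lines += ["sudoHost: %s" % h for h in _values(rule, "memberhost")]
    lines += ["sudoCommand: %s" % c for c in sudo_commands_after(rule)]
    return "\n".join(lines)


# Constructed rule mirroring the mail: command category ALL plus one deny.
EXAMPLE_RULE: Rule = {
    "cmdcategory": "all",
    "memberuser": ["alice"],
    "memberhost": ["web1.example.test"],
    "memberallowcmd": ["/usr/bin/vim"],
    "memberdenycmd": ["/usr/bin/less"],
}

if __name__ == "__main__":
    print("before:", sudo_commands_before(EXAMPLE_RULE))
    print("after: ", sudo_commands_after(EXAMPLE_RULE))
    print(render_sudo_role("all-but-less", EXAMPLE_RULE))
```

The permit list is what ALL makes redundant; the deny list is a separate constraint and has to survive regardless of the category, which is why the two are assembled independently in `sudo_commands_after`.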
From: edewata at redhat.com (Endi Sukma Dewata) Date: Tue, 11 Jan 2011 13:28:30 +0700 Subject: [Freeipa-devel] [PATCH] Support for enabling/disabling table widget. Message-ID: <4D2BF88E.4070402@redhat.com> Hi, The attached patch fixes item #3 of the following bug: https://fedorahosted.org/freeipa/ticket/671 The table widget now can be enabled/disabled. When disabled, the checkboxes and links/buttons are grayed out and non functional. The radio buttons in HBAC and SUDO details page have been modified to enable/disable the corresponding tables. -- Endi S. Dewata -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-edewata-0064-Support-for-enabling-disabling-table-widget.patch Type: text/x-patch Size: 9973 bytes Desc: not available URL: From mkosek at redhat.com Tue Jan 11 09:49:34 2011 From: mkosek at redhat.com (Martin Kosek) Date: Tue, 11 Jan 2011 10:49:34 +0100 Subject: [Freeipa-devel] [PATCH] Unchecked return value in ipa-getkeytab Message-ID: <1294739374.5765.22.camel@dhcp-25-52.brq.redhat.com> krb5_init_context return value was not checked. This could lead to unhandled error issues. This patch moves the Kerberos context initialization to the branch where it is needed and handles the error value in a way that allows program exit in a standard way deallocating all resources. https://fedorahosted.org/freeipa/ticket/721 -------------- next part -------------- A non-text attachment was scrubbed... Name: mkosek-freeipa-004-unchecked-return-value-in-ipa-getkeytab.patch Type: text/x-patch Size: 2060 bytes Desc: not available URL: From mkosek at redhat.com Tue Jan 11 09:57:16 2011 
From: mkosek at redhat.com (Martin Kosek) Date: Tue, 11 Jan 2011 10:57:16 +0100 Subject: [Freeipa-devel] [PATCH] Unchecked return value in ipa-getkeytab In-Reply-To: <1294739374.5765.22.camel@dhcp-25-52.brq.redhat.com> References: <1294739374.5765.22.camel@dhcp-25-52.brq.redhat.com> Message-ID: <1294739836.5765.25.camel@dhcp-25-52.brq.redhat.com> On Tue, 2011-01-11 at 10:49 +0100, Martin Kosek wrote: > krb5_init_context return value was not checked. This could lead > to unhandled error issues. > > This patch moves the Kerberos context initialization to the > branch where it is needed and handles the error value in a way > that allows program exit in a standard way deallocating all > resources. > > https://fedorahosted.org/freeipa/ticket/721 > Now I noticed that the tabs are used instead of spaces in the affected function. Attaching re-formatted patch to keep it pretty. Martin -------------- next part -------------- A non-text attachment was scrubbed... Name: mkosek-freeipa-004-02-unchecked-return-value-in-ipa-getkeytab.patch Type: text/x-patch Size: 1931 bytes Desc: not available URL: From mkosek at redhat.com Tue Jan 11 11:46:29 2011 From: mkosek at redhat.com (Martin Kosek) Date: Tue, 11 Jan 2011 12:46:29 +0100 Subject: [Freeipa-devel] [PATCH] Unchecked return values in ipa-join Message-ID: <1294746389.5765.26.camel@dhcp-25-52.brq.redhat.com> krb5_get_default_realm() and asprintf() return values were ignored. This could lead to unhandled error issues or memory access issues. This patch adds return value checks to all such functions. As a consequence, one new return value has been added to man page. https://fedorahosted.org/freeipa/ticket/720 -------------- next part -------------- A non-text attachment was scrubbed... Name: mkosek-freeipa-005-unchecked-return-values-in-ipa-join.patch Type: text/x-patch Size: 5025 bytes Desc: not available URL: From jhrozek at redhat.com Tue Jan 11 11:51:30 2011 
From: jhrozek at redhat.com (Jakub Hrozek) Date: Tue, 11 Jan 2011 12:51:30 +0100 Subject: [Freeipa-devel] [PATCH] Unchecked return value in ipa-getkeytab In-Reply-To: <1294739836.5765.25.camel@dhcp-25-52.brq.redhat.com> References: <1294739374.5765.22.camel@dhcp-25-52.brq.redhat.com> <1294739836.5765.25.camel@dhcp-25-52.brq.redhat.com> Message-ID: <4D2C4442.4080405@redhat.com> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 On 01/11/2011 10:57 AM, Martin Kosek wrote: > On Tue, 2011-01-11 at 10:49 +0100, Martin Kosek wrote: >> krb5_init_context return value was not checked. This could lead >> to unhandled error issues. >> >> This patch moves the Kerberos context initialization to the >> branch where it is needed and handles the error value in a way >> that allows program exit in a standard way deallocating all >> resources. >> >> https://fedorahosted.org/freeipa/ticket/721 >> > > Now I noticed that the tabs are used instead of spaces in the affected > function. Attaching re-formatted patch to keep it pretty. > > Martin > Ack -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.11 (GNU/Linux) Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org/ iEYEARECAAYFAk0sREIACgkQHsardTLnvCWNEgCfbspAI2OEOPumENCqG3FvpUwm WxoAoJT3Uy41SmMeslPBZRtkmOGvcx8N =YXgO -----END PGP SIGNATURE----- From jhrozek at redhat.com Tue Jan 11 12:11:38 2011 
From: jhrozek at redhat.com (Jakub Hrozek) Date: Tue, 11 Jan 2011 13:11:38 +0100 Subject: [Freeipa-devel] [PATCH] Unchecked return values in ipa-join In-Reply-To: <1294746389.5765.26.camel@dhcp-25-52.brq.redhat.com> References: <1294746389.5765.26.camel@dhcp-25-52.brq.redhat.com> Message-ID: <20110111121137.GA3507@zeppelin.brq.redhat.com> On Tue, Jan 11, 2011 at 12:46:29PM +0100, Martin Kosek wrote: > krb5_get_default_realm() and asprintf() return values were ignored. > This could lead to unhandled error issues or memory access > issues. > > This patch adds return value checks to all such functions. > As a consequence, one new return value has been added to man page. > > https://fedorahosted.org/freeipa/ticket/720 > Ack From jhrozek at redhat.com Tue Jan 11 12:33:34 2011 From: jhrozek at redhat.com (Jakub Hrozek) Date: Tue, 11 Jan 2011 13:33:34 +0100 Subject: [Freeipa-devel] [PATCH] 673 make ipaDefaultLoginShell a IA5Str In-Reply-To: <4D2B8BB9.8080509@redhat.com> References: <4D2B8BB9.8080509@redhat.com> Message-ID: <20110111123332.GB3507@zeppelin.brq.redhat.com> On Mon, Jan 10, 2011 at 05:44:09PM -0500, Rob Crittenden wrote: > Make the config setting ipaDefaultLoginShell an IA5Str to match the > POSIX schema for loginShell. > > ticket 739 > > rob > -attributetypes: ( 2.16.840.1.113730.3.8.1.7 NAME 'ipaDefaultLoginShell' EQUALITY caseExactMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE) > +attributetypes: ( 2.16.840.1.113730.3.8.1.7 NAME 'ipaDefaultLoginShell' EQUALITY caseExactMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE) Should EQUALITY say 'caseExactIA5Match' here? From jhrozek at redhat.com Tue Jan 11 13:04:15 2011 
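Review bot: the + line changes SYNTAX to 1.3.6.1.4.1.1466.115.121.1.26 (IA5 String) but keeps EQUALITY caseExactMatch, which is the Directory String rule that belonged with the old 1.3.6.1.4.1.1466.115.121.1.15 syntax; the IA5 counterpart is caseExactIA5Match, so the definition should read `EQUALITY caseExactIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE`. SINGLE-VALUE is unchanged and still right for a single default shell.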
From: jhrozek at redhat.com (Jakub Hrozek) Date: Tue, 11 Jan 2011 14:04:15 +0100 Subject: [Freeipa-devel] [PATCH] 672 allow hosts to be in own managedby In-Reply-To: <4D2B5D1E.2010801@redhat.com> References: <4D2B5D1E.2010801@redhat.com> Message-ID: <20110111130414.GC3507@zeppelin.brq.redhat.com> On Mon, Jan 10, 2011 at 02:25:18PM -0500, Rob Crittenden wrote: > This fixes 3 problems related to ipa host-add-managedby: > > 1. Add a label for failed managedby > 2. Fix a call to print_entry() where the new flags argument was missing > 3. Add a flag to allow a group to be a member of itself (default is no) > > ticket 708 > > rob Ack From jzeleny at redhat.com Tue Jan 11 13:45:13 2011 From: jzeleny at redhat.com (Jan Zelený) Date: Tue, 11 Jan 2011 14:45:13 +0100 Subject: [Freeipa-devel] [PATCH] Fix SudoRule RunAs users/groups In-Reply-To: References: Message-ID: <201101111445.13605.jzeleny@redhat.com> JR Aquino wrote: > Attached is the patch to fix the following: > (Per ticket 570: https://fedorahosted.org/freeipa/ticket/570 Issue #5) > > * Runas users to support groups > * Runas users to support external users > * runasgroup to support external groups > * compat fix to account for the runas users to support %groups > * xml_rpc Tests to verify these are in working order > > (Further discussion needs to confirm that we cannot completely support > runas by numerical uid/gid at this point. The Sudo Spec needs to be > updated to reflect that) > > Please review and push. Wow, it took me quite a while to try this functionality. It seems to work fine, so ACK, but only under one condition - I tried to run the test suite and your tests failed, but I'm not sure if that was a fault on your side, because nearly every test failed in that run, so please confirm once that the tests run fine. Jan From edewata at redhat.com Tue Jan 11 14:08:46 2011 
From: edewata at redhat.com (Endi Sukma Dewata) Date: Tue, 11 Jan 2011 21:08:46 +0700 Subject: [Freeipa-devel] [PATCH] Renamed hbac to hbacrule. Message-ID: <4D2C646E.4090705@redhat.com> Hi, Please review the attached patch. Thanks! All references to hbac in the UI have been replaced with hbacrule. This is to match the hbacrule plugin. The test data and templates have been renamed as well. -- Endi S. Dewata -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-edewata-0065-Renamed-hbac-to-hbacrule.patch Type: text/x-patch Size: 19290 bytes Desc: not available URL: From edewata at redhat.com Tue Jan 11 14:25:40 2011 From: edewata at redhat.com (Endi Sukma Dewata) Date: Tue, 11 Jan 2011 21:25:40 +0700 Subject: [Freeipa-devel] [PATCH] Added group association table for SUDO command. Message-ID: <4D2C6864.1040100@redhat.com> Hi, The attached patch should fix the following bug: https://fedorahosted.org/freeipa/ticket/672 A section has been added to the SUDO command details page for managing the association with SUDO command groups. New test data has been added as well. -- Endi S. Dewata -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-edewata-0066-Added-group-association-table-for-SUDO-command.patch Type: text/x-patch Size: 12868 bytes Desc: not available URL: From rcritten at redhat.com Tue Jan 11 14:53:19 2011 
From: rcritten at redhat.com (Rob Crittenden) Date: Tue, 11 Jan 2011 09:53:19 -0500 Subject: [Freeipa-devel] [PATCH] 673 make ipaDefaultLoginShell a IA5Str In-Reply-To: <20110111123332.GB3507@zeppelin.brq.redhat.com> References: <4D2B8BB9.8080509@redhat.com> <20110111123332.GB3507@zeppelin.brq.redhat.com> Message-ID: <4D2C6EDF.5030802@redhat.com> Jakub Hrozek wrote: > On Mon, Jan 10, 2011 at 05:44:09PM -0500, Rob Crittenden wrote: >> Make the config setting ipaDefaultLoginShell an IA5Str to match the >> POSIX schema for loginShell. >> >> ticket 739 >> >> rob > >> -attributetypes: ( 2.16.840.1.113730.3.8.1.7 NAME 'ipaDefaultLoginShell' EQUALITY caseExactMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE) >> +attributetypes: ( 2.16.840.1.113730.3.8.1.7 NAME 'ipaDefaultLoginShell' EQUALITY caseExactMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE) > > Should EQUALITY say 'caseExactIA5Match' here? > Good catch, yes it should! Updated patch attached. rob -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-rcrit-673-2-schema.patch Type: text/x-patch Size: 1582 bytes Desc: not available URL: From ayoung at redhat.com Tue Jan 11 14:56:16 2011 
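The mismatch Jakub caught in patch 673 (an IA5 String syntax paired with caseExactMatch, a Directory String rule) is mechanical enough to check automatically. The following is an added example, not FreeIPA code or part of its schema tooling: it parses `attributetypes:` definitions as text and reports any EQUALITY, SUBSTR or ORDERING rule that does not belong to the declared SYNTAX, using the pairings RFC 4517 defines (plus the caseExactIA5SubstringsMatch extension 389 DS and OpenLDAP provide). The table covers only the common syntaxes; anything outside it is reported as unchecked rather than judged. The three definitions at the bottom are the original, first and corrected versions of ipaDefaultLoginShell from this thread.

```python
"""Added example: consistency check of matching rules against SYNTAX in
LDAP attributetypes definitions. Not FreeIPA code; the rule table is a
subset of RFC 4517 plus the common caseExactIA5SubstringsMatch extension.
"""
import re
from typing import Dict, Iterable, List, Set

SYNTAX_PREFIX = "1.3.6.1.4.1.1466.115.121.1."

# Trailing syntax OID component -> rules allowed for each rule kind.
RULES_FOR_SYNTAX: Dict[str, Dict[str, Set[str]]] = {
    "15": {  # Directory String
        "EQUALITY": {"caseIgnoreMatch", "caseExactMatch"},
        "SUBSTR": {"caseIgnoreSubstringsMatch", "caseExactSubstringsMatch"},
        "ORDERING": {"caseIgnoreOrderingMatch", "caseExactOrderingMatch"},
    },
    "26": {  # IA5 String
        "EQUALITY": {"caseIgnoreIA5Match", "caseExactIA5Match"},
        "SUBSTR": {"caseIgnoreIA5SubstringsMatch", "caseExactIA5SubstringsMatch"},
        "ORDERING": set(),
    },
    "27": {"EQUALITY": {"integerMatch"}, "SUBSTR": set(),          # INTEGER
           "ORDERING": {"integerOrderingMatch"}},
    "12": {"EQUALITY": {"distinguishedNameMatch"}, "SUBSTR": set(),  # DN
           "ORDERING": set()},
    "7": {"EQUALITY": {"booleanMatch"}, "SUBSTR": set(), "ORDERING": set()},
    "24": {"EQUALITY": {"generalizedTimeMatch"}, "SUBSTR": set(),  # Generalized Time
           "ORDERING": {"generalizedTimeOrderingMatch"}},
}

_FIELD_RE = re.compile(r"\b(EQUALITY|SUBSTR|ORDERING|SYNTAX)\s+([\w.]+)")
_NAME_RE = re.compile(r"\bNAME\s+(?:'([^']+)'|\(\s*'([^']+)')")


def parse_attribute_type(line: str) -> Dict[str, object]:
    """Extract NAME, SYNTAX (a {len} bound is left out by the regex) and the
    declared matching rules from an 'attributetypes: ( ... )' definition."""
    body = line.split(":", 1)[1] if line.lower().startswith("attributetypes:") else line
    fields = dict(_FIELD_RE.findall(body))
    match = _NAME_RE.search(body)
    name = next((g for g in match.groups() if g), None) if match else None
    return {
        "name": name,
        "syntax": fields.get("SYNTAX"),
        "rules": {k: v for k, v in fields.items() if k != "SYNTAX"},
    }


def check_attribute_type(line: str) -> List[str]:
    """Return a list of problems; empty when the definition is consistent."""
    info = parse_attribute_type(line)
    name = info["name"] or "<unnamed>"
    syntax = info["syntax"]
    if not syntax:
        return ["%s: no SYNTAX declared" % name]
    if not syntax.startswith(SYNTAX_PREFIX):
        return ["%s: non-standard syntax %s, not checked" % (name, syntax)]
    expected = RULES_FOR_SYNTAX.get(syntax[len(SYNTAX_PREFIX):])
    if expected is None:
        return ["%s: syntax %s not in table, not checked" % (name, syntax)]
    problems = []
    for kind, rule in info["rules"].items():
        if rule not in expected[kind]:
            allowed = ", ".join(sorted(expected[kind])) or "none"
            problems.append("%s: %s %s does not fit SYNTAX %s (expected %s)"
                            % (name, kind, rule, syntax, allowed))
    return problems


def check_schema(lines: Iterable[str]) -> List[str]:
    """Check every attributetypes line of a schema LDIF, ignoring the rest."""
    problems: List[str] = []
    for line in lines:
        if line.lower().startswith("attributetypes:"):
            problems += check_attribute_type(line.strip())
    return problems


# The three versions of ipaDefaultLoginShell from the patch 673 thread.
ORIGINAL = ("attributetypes: ( 2.16.840.1.113730.3.8.1.7 NAME 'ipaDefaultLoginShell' "
            "EQUALITY caseExactMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE)")
FIRST_PATCH = ORIGINAL.replace("121.1.15", "121.1.26")
FIXED = FIRST_PATCH.replace("caseExactMatch", "caseExactIA5Match")

if __name__ == "__main__":
    for label, defn in (("original", ORIGINAL), ("first patch", FIRST_PATCH), ("fixed", FIXED)):
        print(label, "->", check_attribute_type(defn) or "ok")
```

Run over a whole schema file with `check_schema(open(path))`; the original definition and the corrected one come back clean, the first version of the patch reports the EQUALITY rule.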
From: ayoung at redhat.com (Adam Young) Date: Tue, 11 Jan 2011 09:56:16 -0500 Subject: [Freeipa-devel] Fwd: [Adam Young's Web Log] Please moderate: "Announcing FreeIPA v2 Server Beta 1 Release" Message-ID: <4D2C6F90.8060807@redhat.com> Aravind, I've posted your question on the FreeIPA Devel list. Could you please "reply to all" with the following information? 1. What was the original problem you were seeing when you googled and found the --passsync option 2. Is there anything in any of the logs that seems relevant? For logs, please look in /var/log/http/error.log for the IPA server, /var/log/DirSrv for Directory server /var/log/messages for general machine issues as well. -------- Original Message -------- Subject: [Adam Young's Web Log] Please moderate: "Announcing FreeIPA v2 Server Beta 1 Release" Date: Tue, 11 Jan 2011 05:38:07 +0000 
From: WordPress To: adam at younglogic.com A new comment on the post "Announcing FreeIPA v2 Server Beta 1 Release" is waiting for your approval http://adam.younglogic.com/2010/12/announcing-freeipa-v2-server-beta-1-release/ Author : Aravind G V (IP: 122.166.39.227 , gw-bg.dchoc.com) E-mail : aravind.gv at gmail.com URL : Whois : http://ws.arin.net/cgi-bin/whois.pl?queryinput=122.166.39.227 Comment: Hi Adam, the ipa-replica-manage command for creating Synchronization Agreements is not working as documented in Installation_Deployment_Guide; after googling I found out to add the --passsync option. Now the command runs successfully but it brings down Directory Server. Can you please help me how to fix this issue. I am running freeipa V2 on FC14. ipa-replica-manage connect --winsync --binddn cn=administrator,cn=users,dc=bgkerb,dc=test02,dc=com --bindpw asdQWE123 --cacert /root/bgkerb.cer 10.0.65.28 --passsync asdQWE123 -v Approve it: http://adam.younglogic.com/wp-admin/comment.php?action=approve&c=11343 Trash it: http://adam.younglogic.com/wp-admin/comment.php?action=trash&c=11343 Spam it: http://adam.younglogic.com/wp-admin/comment.php?action=spam&c=11343 Currently 117 comments are waiting for approval. Please visit the moderation panel: http://adam.younglogic.com/wp-admin/edit-comments.php?comment_status=moderated -------------- next part -------------- An HTML attachment was scrubbed... URL: From rmeggins at redhat.com Tue Jan 11 14:56:27 2011 
From: rmeggins at redhat.com (Rich Megginson) Date: Tue, 11 Jan 2011 07:56:27 -0700 Subject: [Freeipa-devel] Fwd: [Adam Young's Web Log] Please moderate: "Announcing FreeIPA v2 Server Beta 1 Release" In-Reply-To: <4D2C6F90.8060807@redhat.com> References: <4D2C6F90.8060807@redhat.com> Message-ID: <4D2C6F9B.7060504@redhat.com> On 01/11/2011 07:56 AM, Adam Young wrote: > Aravind, > > I've posted your question on the FreeIPA Devel list. Could you please > "reply to all" with the following information? > > > 1. What was the original problem you were seeing when you googled > and found the --passsync option > 2. Is there anything in any of the logs that seems relevant? For > logs, please look in > /var/log/http/error.log for the IPA server, > /var/log/DirSrv for Directory server > /var/log/messages for general machine issues as well. What version of 389-ds-base? rpm -qi 389-ds-base > > > > > -------- Original Message -------- > Subject: [Adam Young's Web Log] Please moderate: "Announcing FreeIPA > v2 Server Beta 1 Release" > Date: Tue, 11 Jan 2011 05:38:07 +0000 
> From: WordPress > To: adam at younglogic.com > > > > A new comment on the post "Announcing FreeIPA v2 Server Beta 1 Release" is waiting for your approval > http://adam.younglogic.com/2010/12/announcing-freeipa-v2-server-beta-1-release/ > > Author : Aravind G V (IP: 122.166.39.227 , gw-bg.dchoc.com) > E-mail :aravind.gv at gmail.com > URL : > Whois :http://ws.arin.net/cgi-bin/whois.pl?queryinput=122.166.39.227 > Comment: > Hi Adam, > > the ipa-replica-manage command for creating Synchronization Agreements is not working as documented in Installation_Deployment_Guide; after googling I found out to add the --passsync option. Now the command runs successfully but it brings down Directory Server. Can you please help me how to fix this issue. I am running freeipa V2 on FC14. > > > ipa-replica-manage connect --winsync --binddn cn=administrator,cn=users,dc=bgkerb,dc=test02,dc=com --bindpw asdQWE123 --cacert /root/bgkerb.cer 10.0.65.28 --passsync asdQWE123 -v > > Approve it:http://adam.younglogic.com/wp-admin/comment.php?action=approve&c=11343 > Trash it:http://adam.younglogic.com/wp-admin/comment.php?action=trash&c=11343 > Spam it:http://adam.younglogic.com/wp-admin/comment.php?action=spam&c=11343 > Currently 117 comments are waiting for approval. Please visit the moderation panel: > http://adam.younglogic.com/wp-admin/edit-comments.php?comment_status=moderated > > > _______________________________________________ > Freeipa-devel mailing list > Freeipa-devel at redhat.com > https://www.redhat.com/mailman/listinfo/freeipa-devel -------------- next part -------------- An HTML attachment was scrubbed... URL: From jhrozek at redhat.com Tue Jan 11 15:13:08 2011 
From: jhrozek at redhat.com (Jakub Hrozek) Date: Tue, 11 Jan 2011 16:13:08 +0100 Subject: [Freeipa-devel] [PATCH] 673 make ipaDefaultLoginShell a IA5Str In-Reply-To: <4D2C6EDF.5030802@redhat.com> References: <4D2B8BB9.8080509@redhat.com> <20110111123332.GB3507@zeppelin.brq.redhat.com> <4D2C6EDF.5030802@redhat.com> Message-ID: <4D2C7384.30602@redhat.com> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 On 01/11/2011 03:53 PM, Rob Crittenden wrote: > Jakub Hrozek wrote: >> On Mon, Jan 10, 2011 at 05:44:09PM -0500, Rob Crittenden wrote: >>> Make the config setting ipaDefaultLoginShell an IA5Str to match the >>> POSIX schema for loginShell. >>> >>> ticket 739 >>> >>> rob >> >>> -attributetypes: ( 2.16.840.1.113730.3.8.1.7 NAME >>> 'ipaDefaultLoginShell' EQUALITY caseExactMatch SYNTAX >>> 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE) >>> +attributetypes: ( 2.16.840.1.113730.3.8.1.7 NAME >>> 'ipaDefaultLoginShell' EQUALITY caseExactMatch SYNTAX >>> 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE) >> >> Should EQUALITY say 'caseExactIA5Match' here? >> > > Good catch, yes it should! Updated patch attached. > > rob > Ack -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.11 (GNU/Linux) Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org/ iEYEARECAAYFAk0sc4QACgkQHsardTLnvCWvdACg2xLldybm3vKZ2D0ZjBHa2y7Z DqsAoOP1URKqy38pASbDUtSjbjd7QRgI =71KR -----END PGP SIGNATURE----- From mkosek at redhat.com Tue Jan 11 15:21:38 2011 
From: mkosek at redhat.com (Martin Kosek) Date: Tue, 11 Jan 2011 16:21:38 +0100 Subject: [Freeipa-devel] [PATCH] Uninitialized pointer read in ipa-enrollment Message-ID: <1294759298.5765.27.camel@dhcp-25-52.brq.redhat.com> This patch fixes a situation where an uninitialized pointer is passed to free(). https://fedorahosted.org/freeipa/ticket/713 -------------- next part -------------- A non-text attachment was scrubbed... Name: mkosek-freeipa-006-uninitialized-pointer-read-in-ipa-enrollment.patch Type: text/x-patch Size: 1033 bytes Desc: not available URL: From rcritten at redhat.com Tue Jan 11 15:21:49 2011 From: rcritten at redhat.com (Rob Crittenden) Date: Tue, 11 Jan 2011 10:21:49 -0500 Subject: [Freeipa-devel] [PATCH] 673 make ipaDefaultLoginShell a IA5Str In-Reply-To: <4D2C7384.30602@redhat.com> References: <4D2B8BB9.8080509@redhat.com> <20110111123332.GB3507@zeppelin.brq.redhat.com> <4D2C6EDF.5030802@redhat.com> <4D2C7384.30602@redhat.com> Message-ID: <4D2C758D.4020403@redhat.com> Jakub Hrozek wrote: > -----BEGIN PGP SIGNED MESSAGE----- > Hash: SHA1 > > On 01/11/2011 03:53 PM, Rob Crittenden wrote: >> Jakub Hrozek wrote: >>> On Mon, Jan 10, 2011 at 05:44:09PM -0500, Rob Crittenden wrote: >>>> Make the config setting ipaDefaultLoginShell an IA5Str to match the >>>> POSIX schema for loginShell. >>>> >>>> ticket 739 >>>> >>>> rob >>> >>>> -attributetypes: ( 2.16.840.1.113730.3.8.1.7 NAME >>>> 'ipaDefaultLoginShell' EQUALITY caseExactMatch SYNTAX >>>> 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE) >>>> +attributetypes: ( 2.16.840.1.113730.3.8.1.7 NAME >>>> 'ipaDefaultLoginShell' EQUALITY caseExactMatch SYNTAX >>>> 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE) >>> >>> Should EQUALITY say 'caseExactIA5Match' here? >>> >> >> Good catch, yes it should! Updated patch attached. >> >> rob >> > > Ack pushed to master From rcritten at redhat.com Tue Jan 11 15:22:20 2011 
From: rcritten at redhat.com (Rob Crittenden)
Date: Tue, 11 Jan 2011 10:22:20 -0500
Subject: [Freeipa-devel] [PATCH] 670 ldap debugging
In-Reply-To: <4D2B324C.4080903@redhat.com>
References: <4D2B3158.4050602@redhat.com> <4D2B324C.4080903@redhat.com>
Message-ID: <4D2C75AC.1020702@redhat.com>

Adam Young wrote:
> On 01/10/2011 11:18 AM, Rob Crittenden wrote:
>> There was an option for debug level in the ldap2 module but it wasn't
>> used at all. This enables it.
>>
>> rob
>>
>> _______________________________________________
>> Freeipa-devel mailing list
>> Freeipa-devel at redhat.com
>> https://www.redhat.com/mailman/listinfo/freeipa-devel
> ACK

pushed to master

From: rcritten at redhat.com (Rob Crittenden)
Date: Tue, 11 Jan 2011 10:23:43 -0500
Subject: [Freeipa-devel] [PATCH] 672 allow hosts to be in own managedby
In-Reply-To: <20110111130414.GC3507@zeppelin.brq.redhat.com>
References: <4D2B5D1E.2010801@redhat.com> <20110111130414.GC3507@zeppelin.brq.redhat.com>
Message-ID: <4D2C75FF.7080202@redhat.com>

Jakub Hrozek wrote:
> On Mon, Jan 10, 2011 at 02:25:18PM -0500, Rob Crittenden wrote:
>> This fixes 3 problems related to ipa host-add-managedby:
>>
>> 1. Add a label for failed managedby
>> 2. Fix a call to print_entry() where the new flags argument was missing
>> 3. Add a flag to allow a group to be a member of itself (default is no)
>>
>> ticket 708
>>
>> rob
>
> Ack

pushed to master
From: ssorce at redhat.com (Simo Sorce)
Date: Tue, 11 Jan 2011 10:33:15 -0500
Subject: [Freeipa-devel] [PATCH] Uninitialized pointer read in ipa-enrollment
In-Reply-To: <1294759298.5765.27.camel@dhcp-25-52.brq.redhat.com>
References: <1294759298.5765.27.camel@dhcp-25-52.brq.redhat.com>
Message-ID: <20110111103315.1db85cfc@willson.li.ssimo.org>

On Tue, 11 Jan 2011 16:21:38 +0100
Martin Kosek wrote:

> This patch fixes a situation where an uninitialized pointer
> is passed to free().

ACK
Simo.

-- 
Simo Sorce * Red Hat, Inc * New York

From: JR.Aquino at citrix.com (JR Aquino)
Date: Tue, 11 Jan 2011 15:36:23 +0000
Subject: [Freeipa-devel] [PATCH] 14-2 Bugfix for sudo compat cmdcat and deny commands

Correction to patch. The previous patch inherited a line from patch #13. This has been corrected in the attached patch.

On 1/10/11 3:11 PM, "JR Aquino" wrote:
> Attached is a patch to fix the sudo compat plugin.
>
> Ticket# 742: https://fedorahosted.org/freeipa/ticket/742
>
> The sudo compat plugin should allow for the presence of:
> Command Category: ALL
> AND
> sudoCommand: !/usr/bin/less
>
> Currently the plugin is set to overwrite any other sudoCommand attribute
> in favor of just 'ALL'.
> The plugin should continue to supersede 'permit' commands, but it should
> not override 'deny' commands.
>
> Ticket updated with the attached patch.
>
> Please ack and push.

-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-jraquino-0014-2-bugfix-for-sudo-compat-cmdcat-and-deny-commands.patch
Type: application/octet-stream
Size: 1843 bytes
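To make JR's description concrete, here is an added illustration (an editor's example, not the compat plugin's own code) of the two merge behaviours: the current one, where a command category of ALL replaces every sudoCommand value, and the intended one, where ALL supersedes only the permit list and the negated deny entries survive. The rule entries and the attribute names memberallowcmd/memberdenycmd are constructed for the example, and `is_permitted` is a simplified model of sudo's evaluation in which a matching negated entry overrides a matching positive one.

```python
# Constructed IPA sudo rule entries; the attribute names are assumed for this example.
RULE_ALL_BUT_LESS = {
    "cn": "admins-all-but-less",
    "cmdcategory": "all",          # "Command Category: ALL" in the UI
    "memberallowcmd": [],
    "memberdenycmd": ["/usr/bin/less"],
}
RULE_EXPLICIT = {
    "cn": "ops-ls-and-cat",
    "cmdcategory": None,
    "memberallowcmd": ["/bin/ls", "/bin/cat"],
    "memberdenycmd": ["/usr/bin/less"],
}


def _category_is_all(rule):
    return (rule.get("cmdcategory") or "").lower() == "all"


def compat_sudo_commands_buggy(rule):
    """The behaviour JR reports: ALL overwrites every other sudoCommand value,
    so the deny entries are silently dropped from the compat tree."""
    if _category_is_all(rule):
        return ["ALL"]
    return list(rule["memberallowcmd"]) + ["!" + c for c in rule["memberdenycmd"]]


def compat_sudo_commands(rule):
    """Intended behaviour: ALL supersedes the permit list only; deny entries
    are always emitted as negated sudoCommand values."""
    deny = ["!" + c for c in rule["memberdenycmd"]]
    if _category_is_all(rule):
        return ["ALL"] + deny
    return list(rule["memberallowcmd"]) + deny


def to_ldif(rule, build=compat_sudo_commands):
    """Render the sudoCommand attribute lines as they would appear in the compat tree."""
    return ["sudoCommand: %s" % v for v in build(rule)]


def is_permitted(sudo_commands, command):
    """Simplified model of sudo's rule evaluation: a matching negated entry
    wins over any matching positive entry, and ALL matches every command."""
    allowed = False
    for entry in sudo_commands:
        negated = entry.startswith("!")
        pattern = entry[1:] if negated else entry
        if pattern == "ALL" or pattern == command:
            if negated:
                return False
            allowed = True
    return allowed


if __name__ == "__main__":
    # With the buggy merge, the deny entry vanishes and less is permitted;
    # with the fixed merge, ALL still applies but less stays denied.
    for build in (compat_sudo_commands_buggy, compat_sudo_commands):
        cmds = build(RULE_ALL_BUT_LESS)
        print(build.__name__, cmds, "less permitted:", is_permitted(cmds, "/usr/bin/less"))
```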
From: mkosek at redhat.com (Martin Kosek)
Date: Tue, 11 Jan 2011 16:39:57 +0100
Subject: [Freeipa-devel] [PATCH] Unchecked return value of calloc
Message-ID: <1294760397.5765.28.camel@dhcp-25-52.brq.redhat.com>

Omitting the return value of calloc in ipa_pwd_extop.c could lead to memory access issues when memory is full. This patch adds a return value check.

https://fedorahosted.org/freeipa/ticket/717

-------------- next part --------------
A non-text attachment was scrubbed...
Name: mkosek-freeipa-007-unchecked-return-value-of-calloc.patch
Type: text/x-patch
Size: 1373 bytes

From: ssorce at redhat.com (Simo Sorce)
Date: Tue, 11 Jan 2011 10:44:34 -0500
Subject: [Freeipa-devel] [PATCH] Unchecked return value of calloc
In-Reply-To: <1294760397.5765.28.camel@dhcp-25-52.brq.redhat.com>
References: <1294760397.5765.28.camel@dhcp-25-52.brq.redhat.com>
Message-ID: <20110111104434.4ac14dcc@willson.li.ssimo.org>

On Tue, 11 Jan 2011 16:39:57 +0100
Martin Kosek wrote:

> Omitting return value of calloc in ipa_pwd_extop.c could lead to
> memory access issues when memory is full. This patch adds return
> value check.
>
> https://fedorahosted.org/freeipa/ticket/717

ACK,
Simo.

-- 
Simo Sorce * Red Hat, Inc * New York
From: ayoung at redhat.com (Adam Young)
Date: Tue, 11 Jan 2011 23:21:28 -0500
Subject: [Freeipa-devel] [PATCH] Added group association table for SUDO command.
In-Reply-To: <4D2C6864.1040100@redhat.com>
References: <4D2C6864.1040100@redhat.com>
Message-ID: <4D2D2C48.20309@redhat.com>

On 01/11/2011 09:25 AM, Endi Sukma Dewata wrote:
> Hi,
>
> The attached patch should fix the following bug:
> https://fedorahosted.org/freeipa/ticket/672
>
> A section has been added to the SUDO command details page for managing
> the association with SUDO command groups. New test data has been added
> as well.

ACK and pushed to master

From: ayoung at redhat.com (Adam Young)
Date: Tue, 11 Jan 2011 23:21:31 -0500
Subject: [Freeipa-devel] [PATCH] Renamed hbac to hbacrule.
In-Reply-To: <4D2C646E.4090705@redhat.com>
References: <4D2C646E.4090705@redhat.com>
Message-ID: <4D2D2C4B.3000901@redhat.com>

On 01/11/2011 09:08 AM, Endi Sukma Dewata wrote:
> Hi,
>
> Please review the attached patch. Thanks!
>
> All references to hbac in the UI have been replaced with hbacrule.
> This is to match the hbacrule plugin. The test data and templates
> have been renamed as well.

ACK and pushed to master
From: ayoung at redhat.com (Adam Young)
Date: Tue, 11 Jan 2011 23:21:34 -0500
Subject: [Freeipa-devel] [PATCH] Fixed SUDO command category.
In-Reply-To: <4D2BBDD5.50903@redhat.com>
References: <4D2BBDD5.50903@redhat.com>
Message-ID: <4D2D2C4E.8010600@redhat.com>

On 01/10/2011 09:17 PM, Endi Sukma Dewata wrote:
> Hi,
>
> This patch fixes the UI part of this bug:
> https://fedorahosted.org/freeipa/ticket/742
>
> The radio buttons under the Run Commands section in the SUDO details
> page have been changed from allow/deny/specified into all/specified,
> and moved under the Allow commands subsection, matching the correct
> usage of the cmdcategory attribute.

ACK and pushed to master
From: ayoung at redhat.com (Adam Young)
Date: Tue, 11 Jan 2011 23:21:37 -0500
Subject: [Freeipa-devel] [PATCH] Support for enabling/disabling table widget.
In-Reply-To: <4D2BF88E.4070402@redhat.com>
References: <4D2BF88E.4070402@redhat.com>
Message-ID: <4D2D2C51.6010509@redhat.com>

On 01/11/2011 01:28 AM, Endi Sukma Dewata wrote:
> Hi,
>
> The attached patch fixes item #3 of the following bug:
> https://fedorahosted.org/freeipa/ticket/671
>
> The table widget now can be enabled/disabled. When disabled, the
> checkboxes and links/buttons are grayed out and non functional.
>
> The radio buttons in HBAC and SUDO details page have been modified
> to enable/disable the corresponding tables.

ACK and pushed to master

From: ayoung at redhat.com (Adam Young)
Date: Tue, 11 Jan 2011 23:22:43 -0500
Subject: [Freeipa-devel] [PATCH] one liner to re-enable enroll buttons for associations
Message-ID: <4D2D2C93.2030904@redhat.com>

pushed under the one line rule

commit 380fed3bb1c08e1d02c442007fdfc64ca56078ca
Author: Adam Young
Date:   Tue Jan 11 23:04:38 2011 -0500

    enroll button

    This was removed in several places where it should still be visible

diff --git a/install/static/associate.js b/install/static/associate.js
index 12b5fab..6173dda 100644
--- a/install/static/associate.js
+++ b/install/static/associate.js
@@ -721,7 +721,7 @@ function ipa_association_facet(spec) {
 }).appendTo(li);
 
 /* TODO: genering handling of different relationships */
-if (relationship[0] == 'Member') {
+if ((relationship[0] == 'Member')||(relationship[0] == 'Member Of')) {
 $('', {
 'type': 'button',
 'name': 'add',
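Review bot: the `+` line keys the Add button on the display strings 'Member' and 'Member Of', so the facet's behaviour is tied to user-visible labels, which the TODO just above the hunk already flags as a stopgap for "different relationships"; a boolean on the relationship spec (a third element, or a named flag such as a hypothetical `can_add`) would let the facet decide without string comparisons, and while touching the comment, "genering" should read "generic". Separately, the unchanged context line `$('', {` passes an empty string to jQuery's `$()` together with `'type': 'button'` attributes, which creates no element; if the archive has stripped an element tag from that line it is worth confirming that the source reads `$('<input/>', ...` at this spot.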
From: jeffb.list at gmail.com (Jeff B)
Date: Tue, 11 Jan 2011 23:22:08 -0500
Subject: [Freeipa-devel] Can't get the web UI to work on ipa-server-2.0-0.2011011115gitc778919

I don't know if this is a real bug or if I have a mis-configuration. Any advice is appreciated.

I'm setting up a FreeIPA evaluation and I can't get the Web UI to show much of anything. It updates the top right to show the Username of the user that I kinitted with but nothing else other than the logo and the green header background.

The following logs are from loading the front page once. Notice the requests that return HTTP 400 Bad Request for the status.

10.0.1.162 - - [11/Jan/2011:23:05:29 -0500] "GET /ipa/ui/ HTTP/1.1" 200 2650
10.0.1.162 - - [11/Jan/2011:23:05:30 -0500] "GET /ipa/ui/json2.js HTTP/1.1" 200 14540
10.0.1.162 - - [11/Jan/2011:23:05:30 -0500] "GET /ipa/ui/ipa.js HTTP/1.1" 200 12755
10.0.1.162 - - [11/Jan/2011:23:05:30 -0500] "GET /ipa/ui/jquery.js HTTP/1.1" 200 163855
10.0.1.162 - - [11/Jan/2011:23:05:30 -0500] "GET /ipa/ui/jquery.cookie.js HTTP/1.1" 200 4246
10.0.1.162 - - [11/Jan/2011:23:05:30 -0500] "GET /ipa/ui/search.js HTTP/1.1" 200 13173
10.0.1.162 - - [11/Jan/2011:23:05:30 -0500] "GET /ipa/ui/jquery-ui.js HTTP/1.1" 200 202203
10.0.1.162 - - [11/Jan/2011:23:05:30 -0500] "GET /ipa/ui/jquery.ba-bbq.js HTTP/1.1" 200 4119
[Tue Jan 11 23:05:30 2011] [error] [client 10.0.1.162] request failed: error reading the headers
10.0.1.162 - - [11/Jan/2011:23:05:30 -0500] "GET /ipa/ui/add.js HTTP/1.1" 400 380
10.0.1.162 - - [11/Jan/2011:23:05:30 -0500] "GET /ipa/ui/associate.js HTTP/1.1" 200 26413
10.0.1.162 - - [11/Jan/2011:23:05:30 -0500] "GET /ipa/ui/details.js HTTP/1.1" 200 25653
10.0.1.162 - - [11/Jan/2011:23:05:30 -0500] "GET /ipa/ui/navigation.js HTTP/1.1" 200 3462
10.0.1.162 - - [11/Jan/2011:23:05:30 -0500] "GET /ipa/ui/widget.js HTTP/1.1" 200 32369
10.0.1.162 - - [11/Jan/2011:23:05:30 -0500] "GET /ipa/ui/rule.js HTTP/1.1" 200 3951
10.0.1.162 - - [11/Jan/2011:23:05:30 -0500] "GET /ipa/ui/user.js HTTP/1.1" 200 9065
[Tue Jan 11 23:05:30 2011] [error] [client 10.0.1.162] request failed: error reading the headers
10.0.1.162 - - [11/Jan/2011:23:05:30 -0500] "GET /ipa/ui/group.js HTTP/1.1" 400 380
10.0.1.162 - - [11/Jan/2011:23:05:30 -0500] "GET /ipa/ui/certificate.js HTTP/1.1" 200 20984
10.0.1.162 - - [11/Jan/2011:23:05:30 -0500] "GET /ipa/ui/entity.js HTTP/1.1" 200 17710
10.0.1.162 - - [11/Jan/2011:23:05:30 -0500] "GET /ipa/ui/hbacsvcgroup.js HTTP/1.1" 200 4761
10.0.1.162 - - [11/Jan/2011:23:05:30 -0500] "GET /ipa/ui/hbacsvc.js HTTP/1.1" 200 2669
10.0.1.162 - - [11/Jan/2011:23:05:30 -0500] "GET /ipa/ui/host.js HTTP/1.1" 200 12452
10.0.1.162 - - [11/Jan/2011:23:05:30 -0500] "GET /ipa/ui/hostgroup.js HTTP/1.1" 200 2044
10.0.1.162 - - [11/Jan/2011:23:05:30 -0500] "GET /ipa/ui/add.js HTTP/1.1" 200 3463
10.0.1.162 - - [11/Jan/2011:23:05:30 -0500] "GET /ipa/ui/hbac.js HTTP/1.1" 200 30095
10.0.1.162 - - [11/Jan/2011:23:05:30 -0500] "GET /ipa/ui/service.js HTTP/1.1" 200 11516
[Tue Jan 11 23:05:30 2011] [error] [client 10.0.1.162] request failed: error reading the headers
10.0.1.162 - - [11/Jan/2011:23:05:30 -0500] "GET /ipa/ui/netgroup.js HTTP/1.1" 400 380
10.0.1.162 - - [11/Jan/2011:23:05:30 -0500] "GET /ipa/ui/serverconfig.js HTTP/1.1" 200 1534
10.0.1.162 - - [11/Jan/2011:23:05:30 -0500] "GET /ipa/ui/sudocmd.js HTTP/1.1" 200 2684
10.0.1.162 - - [11/Jan/2011:23:05:30 -0500] "GET /ipa/ui/sudocmdgroup.js HTTP/1.1" 200 4771
10.0.1.162 - - [11/Jan/2011:23:05:30 -0500] "GET /ipa/ui/aci.js HTTP/1.1" 200 24261
10.0.1.162 - - [11/Jan/2011:23:05:30 -0500] "GET /ipa/ui/sudorule.js HTTP/1.1" 200 35857
10.0.1.162 - - [11/Jan/2011:23:05:30 -0500] "GET /ipa/ui/policy.js HTTP/1.1" 200 17247
[Tue Jan 11 23:05:30 2011] [error] [client 10.0.1.162] File does not exist: /usr/share/ipa/static/develop.js, referer: https://ipa0.xxxxxx.com/ipa/ui/
10.0.1.162 - - [11/Jan/2011:23:05:30 -0500] "GET /ipa/ui/develop.js HTTP/1.1" 404 299
10.0.1.162 - - [11/Jan/2011:23:05:30 -0500] "GET /ipa/ui/ipa.css HTTP/1.1" 200 12449
10.0.1.162 - - [11/Jan/2011:23:05:30 -0500] "GET /ipa/ui/group.js HTTP/1.1" 200 4914
10.0.1.162 - - [11/Jan/2011:23:05:30 -0500] "GET /ipa/ui/jquery-ui.css HTTP/1.1" 200 33914
[Tue Jan 11 23:05:30 2011] [error] [client 10.0.1.162] request failed: error reading the headers
10.0.1.162 - - [11/Jan/2011:23:05:30 -0500] "GET /ipa/ui/webui.js HTTP/1.1" 400 380
10.0.1.162 - - [11/Jan/2011:23:05:30 -0500] "GET /ipa/ui/ipalogo.png HTTP/1.1" 200 2492
10.0.1.162 - - [11/Jan/2011:23:05:30 -0500] "GET /ipa/ui/netgroup.js HTTP/1.1" 200 2093
[Tue Jan 11 23:05:30 2011] [error] [client 10.0.1.162] File does not exist: /usr/share/ipa/static/develop.js, referer: https://ipa0.xxxxxxx.com/ipa/ui/
10.0.1.162 - - [11/Jan/2011:23:05:30 -0500] "GET /ipa/ui/develop.js HTTP/1.1" 404 299
10.0.1.162 - - [11/Jan/2011:23:05:30 -0500] "GET /ipa/ui/webui.js HTTP/1.1" 200 5614
[Tue Jan 11 23:05:30 2011] [error] [client 10.0.1.162] File does not exist: /usr/share/ipa/static/outer-bg.png, referer: https://ipa0.xxxxxx.com/ipa/ui/ipa.css
10.0.1.162 - - [11/Jan/2011:23:05:30 -0500] "GET /ipa/ui/outer-bg.png HTTP/1.1" 404 301
10.0.1.162 - - [11/Jan/2011:23:05:30 -0500] "POST /ipa/json HTTP/1.1" 401 1164
[Tue Jan 11 23:05:30 2011] [error] [client 10.0.1.162] File does not exist: /var/www/html/favicon.ico
10.0.1.162 - - [11/Jan/2011:23:05:30 -0500] "GET /favicon.ico HTTP/1.1" 404 293
10.0.1.162 - admin at XXXXXX.COM [11/Jan/2011:23:05:30 -0500] "POST /ipa/json HTTP/1.1" 200 377553
[Tue Jan 11 23:05:33 2011] [error] [client 10.0.1.162] File does not exist: /var/www/html/favicon.ico
10.0.1.162 - - [11/Jan/2011:23:05:33 -0500] "GET /favicon.ico HTTP/1.1" 404 293

This is a fresh minimal install of F14 with updates and ipa-server from the 'bleeding edge' repository.

When I mentioned this on IRC today one of the developers told me to set up an IPA client and make sure that it can do XML RPC to the server. I set up a F14 client with X and it can do an ipa user-find but when I load firefox on that host it gives me the problems I'm identifying above. I made the directed about:config changes in firefox.

Thanks.
-Jeff
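A triage script, added here as an editor's example rather than anything from the thread, that parses the access_log and error_log lines Jeff posted (a trimmed subset is embedded below) and correlates them: it counts the "error reading the headers" failures, lists paths that returned 400 and then 200 on a later request, and lists 404s separately so genuinely missing files such as develop.js are not confused with the intermittent failures.

```python
import re
from collections import Counter, defaultdict

# Access-log and error-log lines from Jeff's post, trimmed to a representative
# subset; the "admin at XXXXXX.COM" user field is as mangled by the list archive.
SAMPLE = """\
10.0.1.162 - - [11/Jan/2011:23:05:29 -0500] "GET /ipa/ui/ HTTP/1.1" 200 2650
[Tue Jan 11 23:05:30 2011] [error] [client 10.0.1.162] request failed: error reading the headers
10.0.1.162 - - [11/Jan/2011:23:05:30 -0500] "GET /ipa/ui/add.js HTTP/1.1" 400 380
10.0.1.162 - - [11/Jan/2011:23:05:30 -0500] "GET /ipa/ui/associate.js HTTP/1.1" 200 26413
[Tue Jan 11 23:05:30 2011] [error] [client 10.0.1.162] request failed: error reading the headers
10.0.1.162 - - [11/Jan/2011:23:05:30 -0500] "GET /ipa/ui/group.js HTTP/1.1" 400 380
[Tue Jan 11 23:05:30 2011] [error] [client 10.0.1.162] File does not exist: /usr/share/ipa/static/develop.js, referer: https://ipa0.xxxxxx.com/ipa/ui/
10.0.1.162 - - [11/Jan/2011:23:05:30 -0500] "GET /ipa/ui/develop.js HTTP/1.1" 404 299
10.0.1.162 - - [11/Jan/2011:23:05:30 -0500] "GET /ipa/ui/add.js HTTP/1.1" 200 3463
10.0.1.162 - - [11/Jan/2011:23:05:30 -0500] "GET /ipa/ui/group.js HTTP/1.1" 200 4914
10.0.1.162 - - [11/Jan/2011:23:05:30 -0500] "POST /ipa/json HTTP/1.1" 401 1164
10.0.1.162 - admin at XXXXXX.COM [11/Jan/2011:23:05:30 -0500] "POST /ipa/json HTTP/1.1" 200 377553
"""

ACCESS_RE = re.compile(
    r'^(?P<client>\S+) (?P<ident>\S+) (?P<user>.+?) \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) (?P<proto>[^"]+)" (?P<status>\d{3}) (?P<size>\d+|-)$'
)
ERROR_RE = re.compile(
    r'^\[(?P<time>[^\]]+)\] \[error\] \[client (?P<client>[^\]]+)\] (?P<msg>.*)$'
)
HEADER_FAILURE = "request failed: error reading the headers"


def triage(lines):
    """Summarise one page load: how many requests Apache rejected before it
    could parse them, which paths failed with 400 but later loaded, which
    paths are simply missing, and which users authenticated."""
    by_status = Counter()
    history = defaultdict(list)   # path -> statuses in log order
    header_errors = 0
    users = set()
    for line in lines:
        line = line.strip()
        if not line:
            continue
        err = ERROR_RE.match(line)
        if err:
            if HEADER_FAILURE in err.group("msg"):
                header_errors += 1
            continue
        acc = ACCESS_RE.match(line)
        if acc is None:
            continue   # not a recognised log line (e.g. one wrapped by a mail client)
        status = int(acc.group("status"))
        path = acc.group("path")
        by_status[status] += 1
        history[path].append(status)
        # The 401 then 200 pair on /ipa/json is the Negotiate handshake; the
        # second request carries the Kerberos principal in the user field.
        if acc.group("user") != "-":
            users.add(acc.group("user"))
    # A 400 followed by a 200 for the same path means the browser retried and
    # the server then served the file: the file exists and the failure was
    # transient, which distinguishes it from a packaging or path problem.
    flaky = sorted(p for p, s in history.items()
                   if 400 in s and 200 in s[s.index(400) + 1:])
    missing = sorted(p for p, s in history.items() if 404 in s)
    return {
        "header_errors": header_errors,
        "by_status": dict(by_status),
        "flaky": flaky,
        "missing": missing,
        "users": users,
    }


if __name__ == "__main__":
    result = triage(SAMPLE.splitlines())
    for key in ("header_errors", "by_status", "flaky", "missing", "users"):
        print("%-14s %s" % (key, result[key]))
```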
From: ayoung at redhat.com (Adam Young)
Date: Tue, 11 Jan 2011 23:28:49 -0500
Subject: [Freeipa-devel] Can't get the web UI to work on ipa-server-2.0-0.2011011115gitc778919
Message-ID: <4D2D2E01.3030800@redhat.com>

Jeff,
Known issue, and we are searching for the root cause. The workaround is to crank up logging on mod-rewrite.

Edit the file /etc/httpd/conf.d/ipa-rewrite.conf

and change
RewriteLogLevel 0
to
RewriteLogLevel 9

For some reason, enabling logging hides the problem.

On 01/11/2011 11:22 PM, Jeff B wrote:
> I don't know if this is a real bug or if I have a mis-configuration.
> Any advice is appreciated.
>
> I'm setting up a FreeIPA evaluation and I can't get the Web ui show
> much of anything. It updates the top right to show the Username of
> the user that I kinitted with but nothing else other than the logo and
> the green header background.
>
> The following logs are from loading the front page once. Notice the
> requests that return HTTP 400 Bad Request for the status.
> [quoted access log and closing paragraphs elided; they repeat Jeff's original message above verbatim]
>
> Thanks.
> -Jeff
From: jeffb.list at gmail.com (Jeff B)
Date: Tue, 11 Jan 2011 23:37:10 -0500
Subject: [Freeipa-devel] Can't get the web UI to work on ipa-server-2.0-0.2011011115gitc778919
In-Reply-To: <4D2D2E01.3030800@redhat.com>
References: <4D2D2E01.3030800@redhat.com>

The verbose logging does not seem to be a foolproof workaround. I'm actually seeing more 400 errors on more files now.

However, on one of my browsers I got an AJAX Error: Bad Request. I did see it fleetingly earlier; I couldn't reproduce it on command so I didn't mention it. But now I get that apache is being very finicky on this 400 Bad Request stuff. I can't even get the user at FREEIP.ORG to switch to display my initialized user now that I restarted apache.

On Tue, Jan 11, 2011 at 11:28 PM, Adam Young wrote:
> Jeff,
> Known issue, and we are searching for the root cause. The workaround is to
> crank up logging on mod-rewrite.
>
> Edit the file /etc/httpd/conf.d/ipa-rewrite.conf
>
> and change
> RewriteLogLevel 0
> to
> RewriteLogLevel 9
>
> For some reason, enabling logging hides the problem.
>
>
> On 01/11/2011 11:22 PM, Jeff B wrote:
>>
>> I don't know if this is a real bug or if I have a mis-configuration.
>> Any advice is appreciated.
>>
>> I'm setting up a FreeIPA evaluation and I can't get the Web ui show
>> much of anything. It updates the top right to show the Username of
>> the user that I kinitted with but nothing else other than the logo and
>> the green header background.
>>
>> The following logs are from loading the front page once. Notice the
>> requests that return HTTP 400 Bad Request for the status.
>> [quoted access log and closing paragraphs elided; they repeat Jeff's original message above verbatim]
>>
>> Thanks.
>> -Jeff

From: mkosek at redhat.com (Martin Kosek)
Date: Wed, 12 Jan 2011 10:41:14 +0100
Subject: [Freeipa-devel] [PATCH] Potential NULL dereference in ipapwd_prepost
Message-ID: <1294825274.5765.29.camel@dhcp-25-52.brq.redhat.com>

This patch increases robustness in the PRE MOD password SLAPI module by ensuring that an uninitialized pointer is not dereferenced.

https://fedorahosted.org/freeipa/ticket/719

-------------- next part --------------
A non-text attachment was scrubbed...
Name: mkosek-freeipa-008-potential-null-dereference-in-ipapwd_prepost.patch
Type: text/x-patch
Size: 1427 bytes

From: jhrozek at redhat.com (Jakub Hrozek)
Date: Wed, 12 Jan 2011 10:57:16 +0100
Subject: [Freeipa-devel] [PATCH] Potential NULL dereference in ipapwd_prepost
In-Reply-To: <1294825274.5765.29.camel@dhcp-25-52.brq.redhat.com>
References: <1294825274.5765.29.camel@dhcp-25-52.brq.redhat.com>
Message-ID: <4D2D7AFC.4080203@redhat.com>

On 01/12/2011 10:41 AM, Martin Kosek wrote:
> This patch increases robustness in PRE MOD password SLAPI module
> by ensuring that an uninitialized pointer is not dereferenced.
>
> https://fedorahosted.org/freeipa/ticket/719
>

Ack
From: edewata at redhat.com (Endi Sukma Dewata)
Date: Wed, 12 Jan 2011 17:42:50 +0700
Subject: [Freeipa-devel] Can't get the web UI to work on ipa-server-2.0-0.2011011115gitc778919
Message-ID: <4D2D85AA.8060601@redhat.com>

On 1/12/2011 11:22 AM, Jeff B wrote:
> I'm setting up a FreeIPA evaluation and I can't get the Web ui show
> much of anything. It updates the top right to show the Username of
> the user that I kinitted with but nothing else other than the logo and
> the green header background.

Hi Jeff, could you try again using the latest code? It might be related to
this problem. The hbac plugin was renamed to hbacrule recently, so the
metadata is changed too. However, the UI was still searching for hbac in the
metadata, and for some reason it failed silently. This revision should fix
the problem:

https://fedorahosted.org/freeipa/changeset/9d0dc89b03d4e3f50d54d1189a119016b2c805c3

--
Endi S. Dewata

From mkosek at redhat.com Wed Jan 12 12:22:38 2011
From: mkosek at redhat.com (Martin Kosek)
Date: Wed, 12 Jan 2011 13:22:38 +0100
Subject: [Freeipa-devel] [PATCH] Potential memory leaks in ipa-kpasswd
Message-ID: <1294834958.5765.30.camel@dhcp-25-52.brq.redhat.com>

This patch fixes 2 situations where a pointer to allocated error string could
be overwritten - which could have resulted in a memory leak.

https://fedorahosted.org/freeipa/ticket/716

-------------- next part --------------
A non-text attachment was scrubbed...
Name: mkosek-freeipa-009-potential-memory-leaks-in-ipa-kpasswd.patch
Type: text/x-patch
Size: 1447 bytes

From mkosek at redhat.com Wed Jan 12 12:33:08 2011
From: mkosek at redhat.com (Martin Kosek)
Date: Wed, 12 Jan 2011 13:33:08 +0100
Subject: [Freeipa-devel] [PATCH] Potential memory leaks in ipa-kpasswd
In-Reply-To: <1294834958.5765.30.camel@dhcp-25-52.brq.redhat.com>
References: <1294834958.5765.30.camel@dhcp-25-52.brq.redhat.com>
Message-ID: <1294835588.5765.32.camel@dhcp-25-52.brq.redhat.com>

On Wed, 2011-01-12 at 13:22 +0100, Martin Kosek wrote:
> This patch fixes 2 situations where a pointer to allocated error
> string could be overwritten - which could have resulted in
> a memory leak.
>

Again, I did not notice that the source file uses tabs instead of spaces.
Attaching prettier patch. I have to add a check for this in my scripts :-)

Martin

-------------- next part --------------
A non-text attachment was scrubbed...
Name: mkosek-freeipa-009-02-potential-memory-leaks-in-ipa-kpasswd.patch
Type: text/x-patch
Size: 1428 bytes

From atkac at redhat.com Wed Jan 12 12:37:12 2011
From: atkac at redhat.com (Adam Tkac)
Date: Wed, 12 Jan 2011 13:37:12 +0100
Subject: [Freeipa-devel] [PATCH] bind-dyndb-ldap: Don't leave empty nodes in LDAP after DDNS update
Message-ID: <20110112123712.GA9635@evileye.atkac.brq.redhat.com>

Hello,

bind-dyndb-ldap currently leaves empty nodes in LDAP when the last DNS
resource record associated with the node was removed:

Before DDNS update:

dn: idnsName=test,idnsName=example.com,ou=dns,dc=example,dc=com
aRecord: 1.1.1.1
dNSTTL: 1111
objectClass: idnsRecord
idnsName: test

After DDNS update (removal of "test.example.com A 1.1.1.1" record):

dn: idnsName=test,idnsName=example.com,ou=dns,dc=example,dc=com
dNSTTL: 1111
objectClass: idnsRecord
idnsName: test

As you can see this node is empty and useless. With the patch the whole node
is removed.

Comments are welcomed.

Regards, Adam

--
Adam Tkac, Red Hat, Inc.

-------------- next part --------------
>From 03f770ee1fa781092395c06f48888f7dd2059e90 Mon Sep 17 00:00:00 2001
From: Adam Tkac Date: Mon, 10 Jan 2011 15:25:40 +0100 Subject: [PATCH] Delete node from LDAP if there is no RR associated with the name. If the last DNS resource record associated with the name is removed then remove the whole node from LDAP. Solves https://fedorahosted.org/bind-dyndb-ldap/ticket/1. Signed-off-by: Adam Tkac --- src/ldap_driver.c | 14 +++++++++++++- src/ldap_helper.c | 29 ++++++++++++++++++----------- src/ldap_helper.h | 2 +- 3 files changed, 32 insertions(+), 13 deletions(-) diff --git a/src/ldap_driver.c b/src/ldap_driver.c index 965877c..9c1da40 100644 --- a/src/ldap_driver.c +++ b/src/ldap_driver.c @@ -787,6 +787,7 @@ subtractrdataset(dns_db_t *db, dns_dbnode_t *node, dns_dbversion_t *version, dns_rdatalist_t *rdlist; dns_rdatalist_t diff; isc_result_t result; + isc_boolean_t delete_node = ISC_FALSE; REQUIRE(version == ldapdb_version); @@ -822,7 +823,18 @@ subtractrdataset(dns_db_t *db, dns_dbnode_t *node, dns_dbversion_t *version, goto cleanup; } - CHECK(remove_from_ldap(&ldapdbnode->owner, ldapdb->ldap_inst, &diff)); + /* + * If there is only one rdatalist in the node with no rdata + * it means all resource records associated with the node's DNS + * name (owner) was deleted. So delete the whole node from the + * LDAP. + */ + if (HEAD(ldapdbnode->rdatalist) == TAIL(ldapdbnode->rdatalist) && + HEAD((HEAD(ldapdbnode->rdatalist))->rdata) == NULL) + delete_node = ISC_TRUE; + + CHECK(remove_from_ldap(&ldapdbnode->owner, ldapdb->ldap_inst, &diff, + delete_node)); CHECK(discard_from_cache(ldapdb->ldap_cache, &ldapdbnode->owner)); if (newrdataset != NULL) { diff --git a/src/ldap_helper.c b/src/ldap_helper.c index 67f6567..a6235b3 100644 --- a/src/ldap_helper.c +++ b/src/ldap_helper.c 
@@ -259,7 +259,7 @@ static isc_result_t ldap_query(ldap_connection_t *ldap_conn, const char *base, /* Functions for writing to LDAP. */ static isc_result_t ldap_modify_do(ldap_connection_t *ldap_conn, const char *dn, - LDAPMod **mods); + LDAPMod **mods, isc_result_t delete_node); static isc_result_t ldap_rdttl_to_ldapmod(isc_mem_t *mctx, dns_rdatalist_t *rdlist, LDAPMod **changep); static isc_result_t ldap_rdatalist_to_ldapmod(isc_mem_t *mctx, @@ -269,7 +269,7 @@ static isc_result_t ldap_rdata_to_char_array(isc_mem_t *mctx, dns_rdata_t *rdata_head, char ***valsp); static void free_char_array(isc_mem_t *mctx, char ***valsp); static isc_result_t modify_ldap_common(dns_name_t *owner, ldap_instance_t *ldap_inst, - dns_rdatalist_t *rdlist, int mod_op); + dns_rdatalist_t *rdlist, int mod_op, isc_boolean_t delete_node); isc_result_t new_ldap_instance(isc_mem_t *mctx, const char *db_name, @@ -1732,7 +1732,8 @@ handle_connection_error(ldap_connection_t *ldap_conn, isc_result_t *result) /* FIXME: Handle the case where the LDAP handle is NULL -> try to reconnect. */ static isc_result_t -ldap_modify_do(ldap_connection_t *ldap_conn, const char *dn, LDAPMod **mods) +ldap_modify_do(ldap_connection_t *ldap_conn, const char *dn, LDAPMod **mods, + isc_boolean_t delete_node) { int ret; int err_code; @@ -1742,9 +1743,14 @@ ldap_modify_do(ldap_connection_t *ldap_conn, const char *dn, LDAPMod **mods) REQUIRE(dn != NULL); REQUIRE(mods != NULL); - log_debug(2, "writing to '%s'", dn); + if (delete_node) { + log_debug(2, "deleting whole node: '%s'", dn); + ret = ldap_delete_ext_s(ldap_conn->handle, dn, NULL, NULL); + } else { + log_debug(2, "writing to '%s'", dn); + ret = ldap_modify_ext_s(ldap_conn->handle, dn, mods, NULL, NULL); + } - ret = ldap_modify_ext_s(ldap_conn->handle, dn, mods, NULL, NULL); if (ret == LDAP_SUCCESS) return ISC_R_SUCCESS; 
@@ -1990,14 +1996,14 @@ modify_soa_record(ldap_connection_t *ldap_conn, const char *zone_dn, dns_rdata_freestruct((void *)&soa); - return ldap_modify_do(ldap_conn, zone_dn, changep); + return ldap_modify_do(ldap_conn, zone_dn, changep, ISC_FALSE); #undef SET_LDAP_MOD } static isc_result_t modify_ldap_common(dns_name_t *owner, ldap_instance_t *ldap_inst, - dns_rdatalist_t *rdlist, int mod_op) + dns_rdatalist_t *rdlist, int mod_op, isc_boolean_t delete_node) { isc_result_t result; isc_mem_t *mctx = ldap_inst->mctx; @@ -2025,7 +2031,7 @@ modify_ldap_common(dns_name_t *owner, ldap_instance_t *ldap_inst, CHECK(ldap_rdttl_to_ldapmod(mctx, rdlist, &change[1])); } - CHECK(ldap_modify_do(ldap_conn, str_buf(owner_dn), change)); + CHECK(ldap_modify_do(ldap_conn, str_buf(owner_dn), change, delete_node)); cleanup: put_connection(ldap_conn); @@ -2039,12 +2045,13 @@ cleanup: isc_result_t write_to_ldap(dns_name_t *owner, ldap_instance_t *ldap_inst, dns_rdatalist_t *rdlist) { - return modify_ldap_common(owner, ldap_inst, rdlist, LDAP_MOD_ADD); + return modify_ldap_common(owner, ldap_inst, rdlist, LDAP_MOD_ADD, ISC_FALSE); } isc_result_t remove_from_ldap(dns_name_t *owner, ldap_instance_t *ldap_inst, - dns_rdatalist_t *rdlist) + dns_rdatalist_t *rdlist, isc_boolean_t delete_node) { - return modify_ldap_common(owner, ldap_inst, rdlist, LDAP_MOD_DELETE); + return modify_ldap_common(owner, ldap_inst, rdlist, LDAP_MOD_DELETE, + delete_node); } diff --git a/src/ldap_helper.h b/src/ldap_helper.h index 594af43..887a059 100644 --- a/src/ldap_helper.h +++ b/src/ldap_helper.h 
@@ -105,6 +105,6 @@ refresh_zones_from_ldap(ldap_instance_t *ldap_inst, isc_boolean_t create); isc_result_t write_to_ldap(dns_name_t *owner, ldap_instance_t *ldap_inst, dns_rdatalist_t *rdlist); isc_result_t remove_from_ldap(dns_name_t *owner, ldap_instance_t *ldap_inst, - dns_rdatalist_t *rdlist); + dns_rdatalist_t *rdlist, isc_boolean_t delete_node); #endif /* !_LD_LDAP_HELPER_H_ */ -- 1.7.3.4 From mkosek at redhat.com Wed Jan 12 13:25:11 2011 From: mkosek at redhat.com (Martin Kosek) Date: Wed, 12 Jan 2011 14:25:11 +0100 Subject: [Freeipa-devel] [PATCH] Potential memory leaks in ipa-getkeytab Message-ID: <1294838711.5765.33.camel@dhcp-25-52.brq.redhat.com> This patch fixes 2 situations where a pointer to allocated error string could be overwritten - which could have resulted in a memory leak. https://fedorahosted.org/freeipa/ticket/714 -------------- next part -------------- A non-text attachment was scrubbed... Name: mkosek-freeipa-010-potential-memory-leaks-in-ipa-getkeytab.patch Type: text/x-patch Size: 1283 bytes Desc: not available URL: From jhrozek at redhat.com Wed Jan 12 13:40:55 2011 
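Review bot: the new delete_node test in subtractrdataset() (src/ldap_driver.c hunk) dereferences HEAD(ldapdbnode->rdatalist) without checking it for NULL. The condition `HEAD(ldapdbnode->rdatalist) == TAIL(ldapdbnode->rdatalist) && HEAD((HEAD(ldapdbnode->rdatalist))->rdata) == NULL` is also true for an empty list (HEAD == TAIL == NULL), and the second clause then reads through a NULL pointer. If the node's rdatalist can be empty at this point, add `HEAD(ldapdbnode->rdatalist) != NULL &&` as the first clause; if it cannot, a REQUIRE() or comment saying so would make the assumption explicit. Minor: the new comment should read "were deleted", not "was deleted".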
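Review bot: the forward declaration of ldap_modify_do() in the first src/ldap_helper.c hunk (@@ -259,7 +259,7 @@) declares the new parameter as `LDAPMod **mods, isc_result_t delete_node);`, while the definition later in the same patch and the modify_ldap_common() prototype in the same hunk use `isc_boolean_t delete_node`. Prototype and definition disagree, which the compiler will reject or warn about as conflicting types. Change the prototype to `LDAPMod **mods, isc_boolean_t delete_node);`.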
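Review bot: in the ldap_modify_do() hunk (@@ -1742,9 +1743,14 @@) the delete_node branch never uses mods, yet the function keeps `REQUIRE(mods != NULL);` and modify_ldap_common() still builds the change array (ldap_rdatalist_to_ldapmod / ldap_rdttl_to_ldapmod, visible in the @@ -2025 hunk) before the call. A node deletion therefore constructs modifications that are thrown away. Either skip building the LDAPMod list in modify_ldap_common() when delete_node is ISC_TRUE, or document in the function comment that mods is ignored for deletes. Also, once a call can be an ldap_delete_ext_s(), consider whether the shared error reporting below `if (ret == LDAP_SUCCESS)` still describes the operation correctly.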
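Review bot: the new delete_node parameter of remove_from_ldap() in src/ldap_helper.h is undocumented. Add a short comment stating that when it is ISC_TRUE the whole LDAP entry for owner is removed instead of only the values in rdlist; callers other than subtractrdataset() would otherwise have to read ldap_modify_do() to learn the semantics.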
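The "empty node" condition in Adam Tkac's bind-dyndb-ldap message above (an idnsRecord entry that has lost its last *Record attribute) is also worth checking for in a directory that was written by a driver without this patch. The following is an added example, not code from bind-dyndb-ldap or from the patch: a small LDIF reader that flags idnsRecord entries carrying no resource-record attribute. The sample dump is constructed inline from the before/after entries in the message (the "after" entry is renamed to idnsName=stale so both can coexist) plus a made-up idnsZone entry; the rule that any attribute whose name ends in "record" holds RR data is an assumption based on the aRecord attribute shown in the message.

```python
"""Find idnsRecord entries that hold no DNS resource records.

Added example, not part of bind-dyndb-ldap. Parses a minimal LDIF dump and
reports entries of objectClass idnsRecord whose attributes are only the
structural ones (idnsName, dNSTTL, objectClass), i.e. the "empty and
useless" nodes the patch stops leaving behind. Run it over the output of
'ldapsearch -LLL -b ou=dns,...' to audit a directory written by an older
driver.
"""
import base64
import re
from typing import Dict, Iterator, List

# Constructed sample: the before/after entries from the mailing-list message
# (the emptied one renamed to "stale") plus a hypothetical zone entry.
SAMPLE_LDIF = """\
dn: idnsName=test,idnsName=example.com,ou=dns,dc=example,dc=com
aRecord: 1.1.1.1
dNSTTL: 1111
objectClass: idnsRecord
idnsName: test

dn: idnsName=stale,idnsName=example.com,ou=dns,dc=example,dc=com
dNSTTL: 1111
objectClass: idnsRecord
idnsName: stale

dn: idnsName=example.com,ou=dns,dc=example,dc=com
objectClass: idnsZone
idnsName: example.com
idnsSOAmName: ns.example.com.
"""

# "attr: value" or "attr:: base64value"; attribute names are case-insensitive.
_LINE_RE = re.compile(r"^([A-Za-z][\w;.-]*):(:?) ?(.*)$")


def parse_ldif(text: str) -> Iterator[Dict[str, List[str]]]:
    """Yield one {attribute_lowercase: [values]} dict per LDIF entry."""
    # Unfold continuation lines first: a line beginning with one space
    # continues the previous logical line.
    logical: List[str] = []
    for raw in text.splitlines():
        if raw.startswith(" ") and logical:
            logical[-1] += raw[1:]
        else:
            logical.append(raw)

    entry: Dict[str, List[str]] = {}
    for line in logical + [""]:          # trailing "" flushes the last entry
        if line == "":
            if entry:
                yield entry
                entry = {}
            continue
        if line.startswith("#") or line.startswith("version:"):
            continue
        m = _LINE_RE.match(line)
        if not m:
            raise ValueError(f"malformed LDIF line: {line!r}")
        attr, is_b64, value = m.group(1).lower(), m.group(2), m.group(3)
        if is_b64:
            value = base64.b64decode(value).decode("utf-8", "replace")
        entry.setdefault(attr, []).append(value)


def is_empty_record_node(entry: Dict[str, List[str]]) -> bool:
    """True for an idnsRecord entry with no *Record attribute at all."""
    classes = {c.lower() for c in entry.get("objectclass", [])}
    if "idnsrecord" not in classes:
        return False
    # Assumption: every RR-bearing attribute name ends in "record"
    # (aRecord, cNAMERecord, ...); structural attributes do not.
    return not any(attr.endswith("record") for attr in entry)


def find_empty_nodes(text: str) -> List[str]:
    """Return the DNs of empty idnsRecord nodes found in an LDIF dump."""
    return [e["dn"][0] for e in parse_ldif(text) if is_empty_record_node(e)]


if __name__ == "__main__":
    for dn in find_empty_nodes(SAMPLE_LDIF):
        print("empty node:", dn)
```

Feed the script a real dump and compare the reported DNs against what the zone is supposed to contain before deleting anything; an entry with only structural attributes is harmless to name resolution but accumulates in the directory and confuses later reviews of the zone data.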
From: jhrozek at redhat.com (Jakub Hrozek)
Date: Wed, 12 Jan 2011 14:40:55 +0100
Subject: [Freeipa-devel] [PATCH] Potential memory leaks in ipa-getkeytab
In-Reply-To: <1294838711.5765.33.camel@dhcp-25-52.brq.redhat.com>
References: <1294838711.5765.33.camel@dhcp-25-52.brq.redhat.com>
Message-ID: <4D2DAF67.8070505@redhat.com>

On 01/12/2011 02:25 PM, Martin Kosek wrote:
> This patch fixes 2 situations where a pointer to allocated error
> string could be overwritten - which could have resulted in
> a memory leak.
>
> https://fedorahosted.org/freeipa/ticket/714
>

Ack

From aravind.gv at gmail.com Wed Jan 12 05:15:24 2011
From: aravind.gv at gmail.com (Aravind GV)
Date: Wed, 12 Jan 2011 00:15:24 -0500
Subject: [Freeipa-devel] Fwd: [Adam Young's Web Log] Please moderate: "Announcing FreeIPA v2 Server Beta 1 Release"
In-Reply-To: <4D2C6F9B.7060504@redhat.com>
References: <4D2C6F90.8060807@redhat.com> <4D2C6F9B.7060504@redhat.com>

Hi All,

Adam first of all thanks for responding to my email.

I get the below error when I run ipa-replica-manage command. I am following
Installation_Deployment_Guide V2
( http://freeipa.org/docs/2.0.0/Installation_Deployment_Guide/en-US/html/ )
in that "4.4. Creating Synchronization Agreements" section example command
given as ipa-replica-manage connect add but add option is no more there.
After googling, in some of the websites they told to give connect option and
also --passsync. Now command syntax is fine but it stops DIRSRV. There is not
much in logs. Please help me to resolve this issue.

OS=fc14 ipa v2

[root at agvdir ~]# ipa-replica-manage connect --winsync --binddn cn=administrator,cn=users,dc=bgkerb,dc=test02,dc=com --bindpw xxx --cacert /root/bgkerb.cer 10.0.65.28 --passsync xxx -v
Directory Manager password:
INFO:root:args=/sbin/service dirsrv stop
INFO:root:stdout=Shutting down dirsrv: AGV-COM...[ OK ]

INFO:root:stderr=
unexpected error: DsInstance instance has no attribute 'subject_base'

Regards,
Aravind G V

On Tue, Jan 11, 2011 at 9:56 AM, Rich Megginson wrote:
> On 01/11/2011 07:56 AM, Adam Young wrote:
> Aravind,
>
> I've posted your question on the FreeIPA Devel list. Could you please
> "reply to all" with the following information?
>
> 1. What was the original problem you were seeing when you googled and
> found the --passsync option
> 2. Is there anything in any of the logs that seems relevant? For logs,
> please look in
> /var/log/http/error.log for the IPA server,
> /var/log/DirSrv for Directory server
> /var/log/messages for general machine issues as well.
>
> What version of 389-ds-base?
> rpm -qi 389-ds-base
>
> -------- Original Message --------
> Subject: [Adam Young's Web Log] Please moderate: "Announcing FreeIPA v2 Server Beta 1 Release"
> Date: Tue, 11 Jan 2011 05:38:07 +0000
> From: WordPress
> To: adam at younglogic.com
>
> A new comment on the post "Announcing FreeIPA v2 Server Beta 1 Release" is waiting for your approval
> http://adam.younglogic.com/2010/12/announcing-freeipa-v2-server-beta-1-release/
>
> Author : Aravind G V (IP: 122.166.39.227, gw-bg.dchoc.com)
> E-mail : aravind.gv at gmail.com
> URL :
> Whois : http://ws.arin.net/cgi-bin/whois.pl?queryinput=122.166.39.227
> Comment:
> Hi Adam,
>
> ipa-replica-manage command for creating Synchronization Agreements is not
> working as documented in Installation_Deployment_Guide; after googling I
> found out to add --passsync option. Now command runs successfully but it
> brings down Directory Server. Can you please help me how to fix this issue.
> I am running freeipa V2 on FC14.
>
> ipa-replica-manage connect --winsync --binddn cn=administrator,cn=users,dc=bgkerb,dc=test02,dc=com --bindpw asdQWE123 --cacert /root/bgkerb.cer 10.0.65.28 --passsync asdQWE123 -v
>
> Approve it: http://adam.younglogic.com/wp-admin/comment.php?action=approve&c=11343
> Trash it: http://adam.younglogic.com/wp-admin/comment.php?action=trash&c=11343
> Spam it: http://adam.younglogic.com/wp-admin/comment.php?action=spam&c=11343
> Currently 117 comments are waiting for approval. Please visit the moderation panel:
> http://adam.younglogic.com/wp-admin/edit-comments.php?comment_status=moderated

--
----------------------------
With Best Regards
Aravind G V
Ph-9880346065
"I want it all,
That's why I strive for it,
I know that it's coming" - Drake from "Successful"

From rmeggins at redhat.com Wed Jan 12 15:20:46 2011
From: rmeggins at redhat.com (Rich Megginson)
Date: Wed, 12 Jan 2011 08:20:46 -0700
Subject: [Freeipa-devel] Fwd: [Adam Young's Web Log] Please moderate: "Announcing FreeIPA v2 Server Beta 1 Release"
References: <4D2C6F90.8060807@redhat.com> <4D2C6F9B.7060504@redhat.com>
Message-ID: <4D2DC6CE.7070304@redhat.com>

On 01/11/2011 10:15 PM, Aravind GV wrote:
> Hi All,
>
> Adam first of all thanks for responding to my email.
>
> I get the below error when I run ipa-replica-manage command. I am
> following Installation_Deployment_Guide V2 (
> http://freeipa.org/docs/2.0.0/Installation_Deployment_Guide/en-US/html/ )
> in that "4.4. Creating Synchronization Agreements" section example
> command given as ipa-replica-manage connect add but add option is no
> more there. After googling, in some of the websites they told to give
> connect option and also --passsync. Now command syntax is fine but it
> stops DIRSRV.

This is a known bug that was fixed. What version of 389-ds-base are you
using?

rpm -qi 389-ds-base

> There is not much in logs. Please help me to resolve this issue.
> OS=fc14 ipa v2
>
> [root at agvdir ~]# ipa-replica-manage connect --winsync --binddn
> cn=administrator,cn=users,dc=bgkerb,dc=test02,dc=com --bindpw xxx
> --cacert /root/bgkerb.cer 10.0.65.28 --passsync xxx -v
> Directory Manager password:
> INFO:root:args=/sbin/service dirsrv stop
> INFO:root:stdout=Shutting down dirsrv:
> AGV-COM...[ OK ]
>
> INFO:root:stderr=
> unexpected error: DsInstance instance has no attribute 'subject_base'
>
> Regards,
> Aravind G V
>
>
> On Tue, Jan 11, 2011 at 9:56 AM, Rich Megginson
> wrote:
>
> On 01/11/2011 07:56 AM, Adam Young wrote:
>> Aravind,
>>
>> I've posted your question on the FreeIPA Devel list. Could you
>> please "reply to all" with the following information?
>>
>>
>> 1. What was the original problem you were seeing when you
>> googled and found the --passsync option
>> 2. Is there anything in any of the logs that seems relevant?
>> For logs, please look in
>> /var/log/http/error.log for the IPA server,
>> /var/log/DirSrv for Directory server
>> /var/log/messages for general machine issues as well.
> What version of 389-ds-base? rpm -qi 389-ds-base
>>
>>
>> -------- Original Message --------
>> Subject: [Adam Young's Web Log] Please moderate: "Announcing
>> FreeIPA v2 Server Beta 1 Release"
>> Date: Tue, 11 Jan 2011 05:38:07 +0000
>> From: WordPress
>> To: adam at younglogic.com
>>
>> A new comment on the post "Announcing FreeIPA v2 Server Beta 1 Release" is waiting for your approval
>> http://adam.younglogic.com/2010/12/announcing-freeipa-v2-server-beta-1-release/
>>
>> Author : Aravind G V (IP: 122.166.39.227, gw-bg.dchoc.com)
>> E-mail : aravind.gv at gmail.com
>> URL :
>> Whois : http://ws.arin.net/cgi-bin/whois.pl?queryinput=122.166.39.227
>> Comment:
>> Hi Adam,
>>
>> ipa-replica-manage command for creating Synchronization Agreements is not
>> working as documented in Installation_Deployment_Guide; after googling I
>> found out to add --passsync option. Now command runs successfully but it
>> brings down Directory Server. Can you please help me how to fix this
>> issue. I am running freeipa V2 on FC14.
>>
>> ipa-replica-manage connect --winsync --binddn cn=administrator,cn=users,dc=bgkerb,dc=test02,dc=com --bindpw asdQWE123 --cacert /root/bgkerb.cer 10.0.65.28 --passsync asdQWE123 -v
>>
>> Approve it: http://adam.younglogic.com/wp-admin/comment.php?action=approve&c=11343
>> Trash it: http://adam.younglogic.com/wp-admin/comment.php?action=trash&c=11343
>> Spam it: http://adam.younglogic.com/wp-admin/comment.php?action=spam&c=11343
>> Currently 117 comments are waiting for approval. Please visit the moderation panel:
>> http://adam.younglogic.com/wp-admin/edit-comments.php?comment_status=moderated
>
>
> --
> ----------------------------
> With Best Regards
> Aravind G V
> Ph-9880346065
> "I want it all,
> That's why I strive for it,
> I know that it's coming" - Drake from "Successful"

From atkac at redhat.com Wed Jan 12 15:24:06 2011
From: atkac at redhat.com (Adam Tkac) Date: Wed, 12 Jan 2011 16:24:06 +0100 Subject: [Freeipa-devel] [PATCH] bind-dyndb-ldap: Don't quit when initial connection to LDAP fails Message-ID: <20110112152406.GA16422@evileye.atkac.brq.redhat.com> Hello, as written in https://bugzilla.redhat.com/show_bug.cgi?id=662930 some people use OpenLDAP & BIND running on one machine. In this case BIND is started before OpenLDAP so initial connection fails. This patch allows BIND to run but admin must call "rndc reload" after LDAP is started to fetch zones stored in LDAP. Comments are welcomed. Regards, Adam -- Adam Tkac, Red Hat, Inc. -------------- next part -------------- >From 42e1c6218ced6678ff7266a937108c058e3531bd Mon Sep 17 00:00:00 2001 From: Adam Tkac Date: Wed, 12 Jan 2011 16:19:10 +0100 Subject: [PATCH] Don't quit when initial connection to LDAP fails. As written in https://bugzilla.redhat.com/show_bug.cgi?id=662930 some people use OpenLDAP & BIND running on one machine. In this case BIND is started before OpenLDAP so initial connection fails. This patch allows BIND to run but admin must call "rndc reload" after LDAP is started to fetch zones stored in LDAP. Signed-off-by: Adam Tkac --- src/ldap_helper.c | 16 ++++++++++++---- 1 files changed, 12 insertions(+), 4 deletions(-) diff --git a/src/ldap_helper.c b/src/ldap_helper.c index a6235b3..e5c5aa9 100644 --- a/src/ldap_helper.c +++ b/src/ldap_helper.c @@ -422,6 +422,9 @@ retry: ldap_inst->auth_method = AUTH_NONE; log_debug(2, "falling back to password-less login"); goto retry; + } else if (result == ISC_R_NOTCONNECTED) { + /* LDAP server is down which can happen, continue */ + result = ISC_R_SUCCESS; } else if (result != ISC_R_SUCCESS) { goto cleanup; } 
@@ -1683,12 +1686,17 @@ ldap_reconnect(ldap_connection_t *ldap_conn) if (ret != LDAP_SUCCESS) { log_error("bind to LDAP server failed: %s", ldap_err2string(ret)); - if (ret == LDAP_INVALID_CREDENTIALS) + + switch (ret) { + case LDAP_INVALID_CREDENTIALS: return ISC_R_NOPERM; - return ISC_R_FAILURE; - } else { + case LDAP_SERVER_DOWN: + return ISC_R_NOTCONNECTED; + default: + return ISC_R_FAILURE; + } + } else log_debug(2, "bind to LDAP server successful"); - } ldap_conn->tries = 0; -- 1.7.3.4 From rcritten at redhat.com Wed Jan 12 16:03:31 2011 From: rcritten at redhat.com (Rob Crittenden) Date: Wed, 12 Jan 2011 11:03:31 -0500 Subject: [Freeipa-devel] [PATCH] 674 add API version Message-ID: <4D2DD0D3.1050206@redhat.com> Add an API version that is enforced both when the server is built (to disallow unexpected API changes) and when clients talk to the server. See the patch for further details. ticket 584 rob -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-rcrit-674-version.patch Type: text/x-patch Size: 30821 bytes Desc: not available URL: From ayoung at redhat.com Wed Jan 12 16:11:41 2011 From: ayoung at redhat.com (Adam Young) Date: Wed, 12 Jan 2011 11:11:41 -0500 Subject: [Freeipa-devel] [PATCH] Make it impossible to add an object as a member of itself in webUI. In-Reply-To: <4D243B1E.3050601@redhat.com> References: <4D243B1E.3050601@redhat.com> Message-ID: <4D2DD2BD.9080502@redhat.com> On 01/05/2011 04:34 AM, Pavel Zuna wrote: > Ticket #700 > > Pavel > > > _______________________________________________ > Freeipa-devel mailing list > Freeipa-devel at redhat.com > https://www.redhat.com/mailman/listinfo/freeipa-devel ACK. Pushed to master -------------- next part -------------- An HTML attachment was scrubbed... URL: From rcritten at redhat.com Wed Jan 12 16:18:28 2011 
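Review bot: the new `else if (result == ISC_R_NOTCONNECTED)` branch in the first hunk (@@ -422,6 +422,9 @@) turns the failed initial connection into ISC_R_SUCCESS with nothing more than a source comment. Nothing is logged at that point, so an administrator whose OpenLDAP started after BIND gets a named that serves no LDAP-backed zones and no hint that "rndc reload" is needed; the cover letter is the only place that says so. Log the condition there, for example with the log_error() already used in ldap_reconnect() ("connection to LDAP server failed, zones will be loaded on the next reload"), so the state is visible in syslog rather than only in a missing zone.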
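Review bot: the switch added to ldap_reconnect() (@@ -1683,12 +1686,17 @@) maps only LDAP_SERVER_DOWN to ISC_R_NOTCONNECTED. When the bind fails because the TCP connection could not be established, the OpenLDAP client library may also report LDAP_CONNECT_ERROR, which here falls into the default case, returns ISC_R_FAILURE and therefore takes the caller's `goto cleanup` path, so the keep-running behaviour the patch is after would not apply in that case. Consider adding `case LDAP_CONNECT_ERROR:` beside LDAP_SERVER_DOWN. Style: the rewritten `} else log_debug(2, "bind to LDAP server successful");` drops the braces the original else branch had; keep them for consistency with the surrounding code.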
From: rcritten at redhat.com (Rob Crittenden)
Date: Wed, 12 Jan 2011 11:18:28 -0500
Subject: [Freeipa-devel] [PATCH] Changed dns permission types
In-Reply-To: <201101071805.18499.jzeleny@redhat.com>
References: <201101071805.18499.jzeleny@redhat.com>
Message-ID: <4D2DD454.9060901@redhat.com>

Jan Zelený wrote:
> Recent change of DNS module to version caused that dns object type
> was replaced by dnszone and dnsrecord. This patch corrects dns types
> in permissions class.
>
> https://fedorahosted.org/freeipa/ticket/646

Nack. These values need to be added as valid types to the aci plugin and the
_type_map needs to be updated.

rob

From rcritten at redhat.com Wed Jan 12 16:21:03 2011
From: rcritten at redhat.com (Rob Crittenden)
Date: Wed, 12 Jan 2011 11:21:03 -0500
Subject: [Freeipa-devel] [PATCH] Use of pointer after free in ipa-join
In-Reply-To: <4D2B2899.3050304@redhat.com>
References: <1294410107.2970.4.camel@dhcp-25-52.brq.redhat.com> <4D273EC7.1030505@redhat.com> <1294648826.5765.11.camel@dhcp-25-52.brq.redhat.com> <4D2AF5D7.1040405@redhat.com> <1294672555.5765.19.camel@dhcp-25-52.brq.redhat.com> <4D2B27A2.4040700@redhat.com> <4D2B2899.3050304@redhat.com>
Message-ID: <4D2DD4EF.7070204@redhat.com>

Jakub Hrozek wrote:
> On 01/10/2011 04:37 PM, Jakub Hrozek wrote:
>> Sorry, there's one more thing I haven't noticed before - please check
>> the return value of strdup(); in the else branch.
>>
>
> This comment was applicable to the ipa-rmkeytab patch.
>
> Ack to this one.

pushed to master

From rcritten at redhat.com Wed Jan 12 16:28:39 2011
From: rcritten at redhat.com (Rob Crittenden)
Date: Wed, 12 Jan 2011 11:28:39 -0500
Subject: [Freeipa-devel] [PATCH] Uninitialized pointer read in ipa-rmkeytab
In-Reply-To: <4D2B30FC.8020303@redhat.com>
References: <1294653266.5765.14.camel@dhcp-25-52.brq.redhat.com> <4D2AF652.3000509@redhat.com> <1294665937.5765.17.camel@dhcp-25-52.brq.redhat.com> <4D2B0A73.6070802@redhat.com> <4D2B28BA.7010601@redhat.com> <1294674873.5765.21.camel@dhcp-25-52.brq.redhat.com> <4D2B30FC.8020303@redhat.com>
Message-ID: <4D2DD6B7.6020009@redhat.com>

Jakub Hrozek wrote:
> On 01/10/2011 04:54 PM, Martin Kosek wrote:
>> On Mon, 2011-01-10 at 16:41 +0100, Jakub Hrozek wrote:
>>> Hopefully replying to the correct patch now..
>>>
>>> There's one more thing I haven't noticed before - please check
>>> the return value of strdup(); in the else branch.
>>
>> Obviously, I missed that too. Should be fixed in attached patch.
>>
>> Martin
>>
>
> Ack
>

pushed to master

From rcritten at redhat.com Wed Jan 12 16:29:33 2011
From: rcritten at redhat.com (Rob Crittenden)
Date: Wed, 12 Jan 2011 11:29:33 -0500
Subject: [Freeipa-devel] [PATCH] Unchecked return value in ipa-getkeytab
In-Reply-To: <4D2C4442.4080405@redhat.com>
References: <1294739374.5765.22.camel@dhcp-25-52.brq.redhat.com> <1294739836.5765.25.camel@dhcp-25-52.brq.redhat.com> <4D2C4442.4080405@redhat.com>
Message-ID: <4D2DD6ED.7060200@redhat.com>

Jakub Hrozek wrote:
> On 01/11/2011 10:57 AM, Martin Kosek wrote:
>> On Tue, 2011-01-11 at 10:49 +0100, Martin Kosek wrote:
>>> krb5_init_context return value was not checked. This could lead
>>> to unhandled error issues.
>>>
>>> This patch moves the Kerberos context initialization to the
>>> branch where it is needed and handles the error value in a way
>>> that allows program exit in a standard way deallocating all
>>> resources.
>>>
>>> https://fedorahosted.org/freeipa/ticket/721
>>>
>>
>> Now I noticed that the tabs are used instead of spaces in the affected
>> function. Attaching re-formatted patch to keep it pretty.
>>
>> Martin
>>
>
> Ack

pushed to master

From rcritten at redhat.com Wed Jan 12 16:32:18 2011
From: rcritten at redhat.com (Rob Crittenden)
Date: Wed, 12 Jan 2011 11:32:18 -0500
Subject: [Freeipa-devel] [PATCH] Unchecked return values in ipa-join
In-Reply-To: <20110111121137.GA3507@zeppelin.brq.redhat.com>
References: <1294746389.5765.26.camel@dhcp-25-52.brq.redhat.com> <20110111121137.GA3507@zeppelin.brq.redhat.com>
Message-ID: <4D2DD792.10203@redhat.com>

Jakub Hrozek wrote:
> On Tue, Jan 11, 2011 at 12:46:29PM +0100, Martin Kosek wrote:
>> krb5_get_default_realm() and asprintf() return values were ignored.
>> This could lead to unhandled error issues or memory access
>> issues.
>>
>> This patch adds return value checks to all such functions.
>> As a consequence, one new return value has been added to man page.
>>
>> https://fedorahosted.org/freeipa/ticket/720
>>
>
> Ack

Pushed to master.

Martin, I had to do a 3-way merge to get this applied. Can you double-check
that it applied ok?

thanks

rob

From rcritten at redhat.com Wed Jan 12 16:41:10 2011
From: rcritten at redhat.com (Rob Crittenden)
Date: Wed, 12 Jan 2011 11:41:10 -0500
Subject: [Freeipa-devel] [PATCH] Fix SudoRule RunAs users/groups
In-Reply-To: <201101111445.13605.jzeleny@redhat.com>
References: <201101111445.13605.jzeleny@redhat.com>
Message-ID: <4D2DD9A6.6030407@redhat.com>

Jan Zelený wrote:
> JR Aquino wrote:
>> Attached is the patch to fix the following:
>> (Per ticket 570: https://fedorahosted.org/freeipa/ticket/570 Issue #5)
>>
>> * Runas users to support groups
>> * Runas users to support external users
>> * runasgroup to support external groups
>> * compat fix to account for the runas users to support %groups
>> * xml_rpc Tests to verify these are in working order
>>
>> (Further discussion needs to confirm that we cannot completely support
>> runas by numerical uid/gid at this point. The Sudo Spec needs to be
>> updated to reflect that)
>>
>> Please review and push.
>
> Wow, it took me quite a while to try this functionality. It seems to work fine,
> so ACK, but only under one condition - I tried to run test suite and your
> tests failed, but I'm not sure if that was fault on your side, because nearly
> every test failed in that run, so please confirm once that tests run fine.
>
> Jan

The tests work ok for me, pushed to master.

rob

From rcritten at redhat.com Wed Jan 12 16:41:55 2011
From: rcritten at redhat.com (Rob Crittenden)
Date: Wed, 12 Jan 2011 11:41:55 -0500
Subject: [Freeipa-devel] [PATCH] Uninitialized pointer read in ipa-enrollment
In-Reply-To: <20110111103315.1db85cfc@willson.li.ssimo.org>
References: <1294759298.5765.27.camel@dhcp-25-52.brq.redhat.com> <20110111103315.1db85cfc@willson.li.ssimo.org>
Message-ID: <4D2DD9D3.5080707@redhat.com>

Simo Sorce wrote:
> On Tue, 11 Jan 2011 16:21:38 +0100
> Martin Kosek wrote:
>
>> This patch fixes a situation where an uninitialized pointer
>> is passed to free().
>
> ACK
> Simo.
>

pushed to master

From rcritten at redhat.com Wed Jan 12 16:43:29 2011
From: rcritten at redhat.com (Rob Crittenden)
Date: Wed, 12 Jan 2011 11:43:29 -0500
Subject: [Freeipa-devel] [PATCH] 14-2 Bugfix for sudo compat cmdcat and deny commands
Message-ID: <4D2DDA31.40506@redhat.com>

JR Aquino wrote:
> Correction to patch.
> The previous patch inherited a line for patch #13
>
> This has been corrected in the attached patch.

ack, pushed to master.

>
> On 1/10/11 3:11 PM, "JR Aquino" wrote:
>
>> Attached is a patch to fix the sudo compat plugin.
>>
>> Ticket# 742: https://fedorahosted.org/freeipa/ticket/742
>>
>> The sudo compat plugin should allow for the presence of:
>> Command Category: ALL
>> AND
>> sudoCommand: !/usr/bin/less
>>
>> Currently the plugin is set to overwrite any other sudoCommand attribute
>> in favor of just 'ALL'
>> The plugin should continue to supersede 'permit' commands, but it should
>> not override 'deny' commands.
>>
>>
>> Ticket updated with the attached patch.
>>
>> Please ack and push.

From rcritten at redhat.com Wed Jan 12 16:44:20 2011
From: rcritten at redhat.com (Rob Crittenden)
Date: Wed, 12 Jan 2011 11:44:20 -0500
Subject: [Freeipa-devel] [PATCH] Unchecked return value of calloc
In-Reply-To: <20110111104434.4ac14dcc@willson.li.ssimo.org>
References: <1294760397.5765.28.camel@dhcp-25-52.brq.redhat.com> <20110111104434.4ac14dcc@willson.li.ssimo.org>
Message-ID: <4D2DDA64.7050809@redhat.com>

Simo Sorce wrote:
> On Tue, 11 Jan 2011 16:39:57 +0100
> Martin Kosek wrote:
>
>> Omitting return value of calloc in ipa_pwd_extop.c could lead to
>> memory access issues when memory is full. This patch adds return
>> value check.
>>
>> https://fedorahosted.org/freeipa/ticket/717
>
> ACK,
> Simo.
>

pushed to master

From rcritten at redhat.com Wed Jan 12 16:46:46 2011
From: rcritten at redhat.com (Rob Crittenden)
Date: Wed, 12 Jan 2011 11:46:46 -0500
Subject: [Freeipa-devel] [PATCH] Potential NULL dereference in ipapwd_prepost
In-Reply-To: <4D2D7AFC.4080203@redhat.com>
References: <1294825274.5765.29.camel@dhcp-25-52.brq.redhat.com> <4D2D7AFC.4080203@redhat.com>
Message-ID: <4D2DDAF6.4040104@redhat.com>

Jakub Hrozek wrote:
> On 01/12/2011 10:41 AM, Martin Kosek wrote:
>> This patch increases robustness in PRE MOD password SLAPI module
>> by ensuring that an uninitialized pointer is not dereferenced.
>>
>> https://fedorahosted.org/freeipa/ticket/719
>>
>
> Ack

pushed to master

From ssorce at redhat.com Wed Jan 12 17:17:51 2011
From: ssorce at redhat.com (Simo Sorce)
Date: Wed, 12 Jan 2011 12:17:51 -0500
Subject: [Freeipa-devel] [PATCH] bind-dyndb-ldap: Don't quit when initial connection to LDAP fails
In-Reply-To: <20110112152406.GA16422@evileye.atkac.brq.redhat.com>
References: <20110112152406.GA16422@evileye.atkac.brq.redhat.com>
Message-ID: <20110112121751.26f56cc3@willson.li.ssimo.org>

On Wed, 12 Jan 2011 16:24:06 +0100
Adam Tkac wrote:

> as written in https://bugzilla.redhat.com/show_bug.cgi?id=662930
> some people use OpenLDAP & BIND running on one machine. In this case
> BIND is started before OpenLDAP so initial connection fails. This
> patch allows BIND to run but admin must call "rndc reload" after
> LDAP is started to fetch zones stored in LDAP.
>
> Comments are welcomed.

It would be even nicer if you could set a timer to retry after some
time.

But as a first step this is better than what was available before.

ACK.

Simo.

--
Simo Sorce * Red Hat, Inc * New York
From: atkac at redhat.com (Adam Tkac)
Date: Wed, 12 Jan 2011 18:58:36 +0100
Subject: [Freeipa-devel] [PATCH] bind-dyndb-ldap: Don't quit when initial connection to LDAP fails
In-Reply-To: <20110112121751.26f56cc3@willson.li.ssimo.org>
References: <20110112152406.GA16422@evileye.atkac.brq.redhat.com> <20110112121751.26f56cc3@willson.li.ssimo.org>
Message-ID: <20110112175836.GA22479@evileye.atkac.brq.redhat.com>

On Wed, Jan 12, 2011 at 12:17:51PM -0500, Simo Sorce wrote:
> On Wed, 12 Jan 2011 16:24:06 +0100
> Adam Tkac wrote:
>
> > as written in https://bugzilla.redhat.com/show_bug.cgi?id=662930
> > some people use OpenLDAP & BIND running on one machine. In this case
> > BIND is started before OpenLDAP so initial connection fails. This
> > patch allows BIND to run but admin must call "rndc reload" after
> > LDAP is started to fetch zones stored in LDAP.
> >
> > Comments are welcomed.
>
> It would be even nicer if you could set a timer to retry after some
> time.
>
> But as a first step this is better than what was available before.

Right you are, current version of the patch can be called "get it
working without pain". I opened a ticket
https://fedorahosted.org/bind-dyndb-ldap/ticket/30 to improve it in the
future.

>
> ACK.

Pushed to master.

Regards, Adam

--
Adam Tkac, Red Hat, Inc.
From: sgallagh at redhat.com (Stephen Gallagher)
Date: Wed, 12 Jan 2011 13:15:36 -0500
Subject: [Freeipa-devel] [PATCH] bind-dyndb-ldap: Don't leave empty nodes in LDAP after DDNS update
In-Reply-To: <20110112123712.GA9635@evileye.atkac.brq.redhat.com>
References: <20110112123712.GA9635@evileye.atkac.brq.redhat.com>
Message-ID: <4D2DEFC8.10604@redhat.com>

On 01/12/2011 07:37 AM, Adam Tkac wrote:
> Hello,
>
> bind-dyndb-ldap currently leaves empty nodes in LDAP when the last
> DNS resource record associated with the node was removed:
>
> Before DDNS update:
>
> dn: idnsName=test,idnsName=example.com,ou=dns,dc=example,dc=com
> aRecord: 1.1.1.1
> dNSTTL: 1111
> objectClass: idnsRecord
> idnsName: test
>
> After DDNS update (removal of "test.example.com A 1.1.1.1" record):
>
> dn: idnsName=test,idnsName=example.com,ou=dns,dc=example,dc=com
> dNSTTL: 1111
> objectClass: idnsRecord
> idnsName: test
>
> As you can see this node is empty and useless.
>
> With the patch the whole node is removed.
>
> Comments are welcomed.
>
> Regards, Adam

Nack.

Your prototype for ldap_modify_do() includes 'isc_result_t delete_node',
but the actual implementation expects 'isc_boolean_t delete_node'. I'm
guessing that by coincidence these typedefs are the same primitive type,
but I'd rather they both use isc_boolean_t which is more correct.

Otherwise it looks good to me.

--
Stephen Gallagher
RHCE 804006346421761

Delivering value year after year.
Red Hat ranks #1 in value among software vendors.
http://www.redhat.com/promo/vendor/
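Added example, not bind-dyndb-ldap code: a Python model of the DDNS removal Adam describes, working on the node as a dict shaped like the LDIF above. It emits an LDIF delete of the whole entry when the last resource record goes and an attribute-value modify otherwise; the list of RR attributes is a constructed subset of the idnsRecord schema.

```python
# Added example, not bind-dyndb-ldap code. A node entry is a dict of
# attribute name -> list of values, as in the LDIF quoted in the thread.
# Removing the last resource record must yield an LDAP delete of the whole
# entry instead of a modify that leaves an idnsRecord node with only
# dNSTTL / objectClass / idnsName behind.

# Attributes that carry DNS resource records. Constructed subset of the
# idnsRecord schema; the housekeeping attributes are deliberately absent.
RR_ATTRIBUTES = {'arecord', 'aaaarecord', 'ptrrecord', 'cnamerecord',
                 'mxrecord', 'txtrecord'}


def remaining_records(entry):
    """Count the resource-record values left in the entry.

    Attribute names are compared case-insensitively, since LDAP does not
    distinguish 'aRecord' from 'arecord'.
    """
    return sum(len(vals) for name, vals in entry.items()
               if name.lower() in RR_ATTRIBUTES)


def ddns_remove(entry, dn, rrtype, rdata):
    """Return (changetype, ldif) for removing one RR from the node.

    If the value is the last resource record in the node the change is a
    'delete' of the whole DN; otherwise it is a 'modify' that removes just
    that attribute value. Raises KeyError if the value is not present.
    The caller's entry is left untouched.
    """
    attr = rrtype.lower() + 'record'
    key = next((k for k in entry if k.lower() == attr), None)
    if key is None or rdata not in entry[key]:
        raise KeyError('%s %s not present in %s' % (rrtype, rdata, dn))

    # Work on a copy: the decision depends on what would be left afterwards.
    after = {k: list(v) for k, v in entry.items()}
    after[key].remove(rdata)
    if not after[key]:
        del after[key]

    if remaining_records(after) == 0:
        # Last RR gone: drop the node rather than leaving an empty shell.
        return 'delete', 'dn: %s\nchangetype: delete\n' % dn

    ldif = ('dn: %s\nchangetype: modify\ndelete: %s\n%s: %s\n-\n'
            % (dn, key, key, rdata))
    return 'modify', ldif
```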
From: atkac at redhat.com (Adam Tkac)
Date: Wed, 12 Jan 2011 19:25:49 +0100
Subject: [Freeipa-devel] [PATCH] bind-dyndb-ldap: Don't leave empty nodes in LDAP after DDNS update
In-Reply-To: <4D2DEFC8.10604@redhat.com>
References: <20110112123712.GA9635@evileye.atkac.brq.redhat.com> <4D2DEFC8.10604@redhat.com>
Message-ID: <20110112182549.GA28677@evileye.atkac.brq.redhat.com>

On Wed, Jan 12, 2011 at 01:15:36PM -0500, Stephen Gallagher wrote:
> On 01/12/2011 07:37 AM, Adam Tkac wrote:
> > Hello,
> >
> > bind-dyndb-ldap currently leaves empty nodes in LDAP when the last
> > DNS resource record associated with the node was removed:
> >
> > Before DDNS update:
> >
> > dn: idnsName=test,idnsName=example.com,ou=dns,dc=example,dc=com
> > aRecord: 1.1.1.1
> > dNSTTL: 1111
> > objectClass: idnsRecord
> > idnsName: test
> >
> > After DDNS update (removal of "test.example.com A 1.1.1.1" record):
> >
> > dn: idnsName=test,idnsName=example.com,ou=dns,dc=example,dc=com
> > dNSTTL: 1111
> > objectClass: idnsRecord
> > idnsName: test
> >
> > As you can see this node is empty and useless.
> >
> > With the patch the whole node is removed.
> >
> > Comments are welcomed.
> >
> > Regards, Adam
>
> Nack.
>
> Your prototype for ldap_modify_do() includes 'isc_result_t delete_node',
> but the actual implementation expects 'isc_boolean_t delete_node'. I'm
> guessing that by coincidence these typedefs are the same primitive type,
> but I'd rather they both use isc_boolean_t which is more correct.
>
> Otherwise it looks good to me.

Good catch! Fixed patch is attached.

Regards, Adam

--
Adam Tkac, Red Hat, Inc.

-------------- next part --------------
>From 5a1ddebaa55d5fcf97e4a10401d4339adcd29aab Mon Sep 17 00:00:00 2001
From: Adam Tkac Date: Mon, 10 Jan 2011 15:25:40 +0100 Subject: [PATCH] Delete node from LDAP if there is no RR associated with the name. If the last DNS resource record associated with the name is removed then remove the whole node from LDAP. Solves https://fedorahosted.org/bind-dyndb-ldap/ticket/1. Signed-off-by: Adam Tkac --- src/ldap_driver.c | 14 +++++++++++++- src/ldap_helper.c | 29 ++++++++++++++++++----------- src/ldap_helper.h | 2 +- 3 files changed, 32 insertions(+), 13 deletions(-) diff --git a/src/ldap_driver.c b/src/ldap_driver.c index 965877c..9c1da40 100644 --- a/src/ldap_driver.c +++ b/src/ldap_driver.c @@ -787,6 +787,7 @@ subtractrdataset(dns_db_t *db, dns_dbnode_t *node, dns_dbversion_t *version, dns_rdatalist_t *rdlist; dns_rdatalist_t diff; isc_result_t result; + isc_boolean_t delete_node = ISC_FALSE; REQUIRE(version == ldapdb_version); @@ -822,7 +823,18 @@ subtractrdataset(dns_db_t *db, dns_dbnode_t *node, dns_dbversion_t *version, goto cleanup; } - CHECK(remove_from_ldap(&ldapdbnode->owner, ldapdb->ldap_inst, &diff)); + /* + * If there is only one rdatalist in the node with no rdata + * it means all resource records associated with the node's DNS + * name (owner) was deleted. So delete the whole node from the + * LDAP. + */ + if (HEAD(ldapdbnode->rdatalist) == TAIL(ldapdbnode->rdatalist) && + HEAD((HEAD(ldapdbnode->rdatalist))->rdata) == NULL) + delete_node = ISC_TRUE; + + CHECK(remove_from_ldap(&ldapdbnode->owner, ldapdb->ldap_inst, &diff, + delete_node)); CHECK(discard_from_cache(ldapdb->ldap_cache, &ldapdbnode->owner)); if (newrdataset != NULL) { diff --git a/src/ldap_helper.c b/src/ldap_helper.c index e29bd04..aee3f52 100644 --- a/src/ldap_helper.c +++ b/src/ldap_helper.c 
@@ -259,7 +259,7 @@ static isc_result_t ldap_query(ldap_connection_t *ldap_conn, const char *base, /* Functions for writing to LDAP. */ static isc_result_t ldap_modify_do(ldap_connection_t *ldap_conn, const char *dn, - LDAPMod **mods); + LDAPMod **mods, isc_boolean_t delete_node); static isc_result_t ldap_rdttl_to_ldapmod(isc_mem_t *mctx, dns_rdatalist_t *rdlist, LDAPMod **changep); static isc_result_t ldap_rdatalist_to_ldapmod(isc_mem_t *mctx, @@ -269,7 +269,7 @@ static isc_result_t ldap_rdata_to_char_array(isc_mem_t *mctx, dns_rdata_t *rdata_head, char ***valsp); static void free_char_array(isc_mem_t *mctx, char ***valsp); static isc_result_t modify_ldap_common(dns_name_t *owner, ldap_instance_t *ldap_inst, - dns_rdatalist_t *rdlist, int mod_op); + dns_rdatalist_t *rdlist, int mod_op, isc_boolean_t delete_node); isc_result_t new_ldap_instance(isc_mem_t *mctx, const char *db_name, @@ -1740,7 +1740,8 @@ handle_connection_error(ldap_connection_t *ldap_conn, isc_result_t *result) /* FIXME: Handle the case where the LDAP handle is NULL -> try to reconnect. */ static isc_result_t -ldap_modify_do(ldap_connection_t *ldap_conn, const char *dn, LDAPMod **mods) +ldap_modify_do(ldap_connection_t *ldap_conn, const char *dn, LDAPMod **mods, + isc_boolean_t delete_node) { int ret; int err_code; @@ -1750,9 +1751,14 @@ ldap_modify_do(ldap_connection_t *ldap_conn, const char *dn, LDAPMod **mods) REQUIRE(dn != NULL); REQUIRE(mods != NULL); - log_debug(2, "writing to '%s'", dn); + if (delete_node) { + log_debug(2, "deleting whole node: '%s'", dn); + ret = ldap_delete_ext_s(ldap_conn->handle, dn, NULL, NULL); + } else { + log_debug(2, "writing to '%s'", dn); + ret = ldap_modify_ext_s(ldap_conn->handle, dn, mods, NULL, NULL); + } - ret = ldap_modify_ext_s(ldap_conn->handle, dn, mods, NULL, NULL); if (ret == LDAP_SUCCESS) return ISC_R_SUCCESS; 
@@ -1998,14 +2004,14 @@ modify_soa_record(ldap_connection_t *ldap_conn, const char *zone_dn, dns_rdata_freestruct((void *)&soa); - return ldap_modify_do(ldap_conn, zone_dn, changep); + return ldap_modify_do(ldap_conn, zone_dn, changep, ISC_FALSE); #undef SET_LDAP_MOD } static isc_result_t modify_ldap_common(dns_name_t *owner, ldap_instance_t *ldap_inst, - dns_rdatalist_t *rdlist, int mod_op) + dns_rdatalist_t *rdlist, int mod_op, isc_boolean_t delete_node) { isc_result_t result; isc_mem_t *mctx = ldap_inst->mctx; @@ -2033,7 +2039,7 @@ modify_ldap_common(dns_name_t *owner, ldap_instance_t *ldap_inst, CHECK(ldap_rdttl_to_ldapmod(mctx, rdlist, &change[1])); } - CHECK(ldap_modify_do(ldap_conn, str_buf(owner_dn), change)); + CHECK(ldap_modify_do(ldap_conn, str_buf(owner_dn), change, delete_node)); cleanup: put_connection(ldap_conn); @@ -2047,12 +2053,13 @@ cleanup: isc_result_t write_to_ldap(dns_name_t *owner, ldap_instance_t *ldap_inst, dns_rdatalist_t *rdlist) { - return modify_ldap_common(owner, ldap_inst, rdlist, LDAP_MOD_ADD); + return modify_ldap_common(owner, ldap_inst, rdlist, LDAP_MOD_ADD, ISC_FALSE); } isc_result_t remove_from_ldap(dns_name_t *owner, ldap_instance_t *ldap_inst, - dns_rdatalist_t *rdlist) + dns_rdatalist_t *rdlist, isc_boolean_t delete_node) { - return modify_ldap_common(owner, ldap_inst, rdlist, LDAP_MOD_DELETE); + return modify_ldap_common(owner, ldap_inst, rdlist, LDAP_MOD_DELETE, + delete_node); } diff --git a/src/ldap_helper.h b/src/ldap_helper.h index 594af43..887a059 100644 --- a/src/ldap_helper.h +++ b/src/ldap_helper.h 
@@ -105,6 +105,6 @@ refresh_zones_from_ldap(ldap_instance_t *ldap_inst, isc_boolean_t create); isc_result_t write_to_ldap(dns_name_t *owner, ldap_instance_t *ldap_inst, dns_rdatalist_t *rdlist); isc_result_t remove_from_ldap(dns_name_t *owner, ldap_instance_t *ldap_inst, - dns_rdatalist_t *rdlist); + dns_rdatalist_t *rdlist, isc_boolean_t delete_node); #endif /* !_LD_LDAP_HELPER_H_ */ -- 1.7.3.4 From sgallagh at redhat.com Wed Jan 12 18:27:24 2011 From: sgallagh at redhat.com (Stephen Gallagher) Date: Wed, 12 Jan 2011 13:27:24 -0500 Subject: [Freeipa-devel] [PATCH] bind-dyndb-ldap: Don't leave empty nodes in LDAP after DDNS update In-Reply-To: <20110112182549.GA28677@evileye.atkac.brq.redhat.com> References: <20110112123712.GA9635@evileye.atkac.brq.redhat.com> <4D2DEFC8.10604@redhat.com> <20110112182549.GA28677@evileye.atkac.brq.redhat.com> Message-ID: <4D2DF28C.80701@redhat.com> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 On 01/12/2011 01:25 PM, Adam Tkac wrote: > On Wed, Jan 12, 2011 at 01:15:36PM -0500, Stephen Gallagher wrote: >> Nack. >> >> Your prototype for ldap_modify_do() includes 'isc_result_t delete_node', >> but the actual implementation expects 'isc_boolean_t delete_node'. I'm >> guessing that by coincidence these typedefs are the same primitive type, >> but I'd rather they both use isc_boolean_t which is more correct. >> >> Otherwise it looks good to me. > > Good catch! Fixed patch is attached. > > Regards, Adam > Ack - -- Stephen Gallagher RHCE 804006346421761 Delivering value year after year. Red Hat ranks #1 in value among software vendors. http://www.redhat.com/promo/vendor/ -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.11 (GNU/Linux) Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org/ iEYEARECAAYFAk0t8owACgkQeiVVYja6o6MMYQCcDkN3rfHWqPFd6EbyaK04HVL/ M10Ani4631Mf21ZPdAqKINf1N7wLCZQ9 =HNiC -----END PGP SIGNATURE----- From ssorce at redhat.com Wed Jan 12 19:19:20 2011 
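Review bot: the new delete_node test in the subtractrdataset() hunk of src/ldap_driver.c (@@ -822,7 +823,18) dereferences HEAD(ldapdbnode->rdatalist) without first checking that the list is non-empty; if the rdatalist has no entries, HEAD and TAIL are both NULL, the first comparison is true and `HEAD((HEAD(ldapdbnode->rdatalist))->rdata) == NULL` reads through a NULL pointer. Guard it with `!ISC_LIST_EMPTY(ldapdbnode->rdatalist) &&` (or `HEAD(ldapdbnode->rdatalist) != NULL &&`) ahead of the two existing conditions. Minor: the comment should read "all resource records ... were deleted".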
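Review bot: in the ldap_modify_do() hunk of src/ldap_helper.c (@@ -1750,9 +1751,14) the delete branch never looks at `mods`, yet the `REQUIRE(mods != NULL)` a few lines above still applies on that path, so every caller that wants the node removed has to build an LDAPMod array that is then ignored; either relax the precondition to `REQUIRE(delete_node || mods != NULL)` or say in a comment that mods must still be supplied. The failure handling after `if (ret == LDAP_SUCCESS)` is now shared by ldap_delete_ext_s and ldap_modify_ext_s; check that its log text and error mapping do not assume a modify.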
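Review bot: modify_ldap_common() (src/ldap_helper.c, @@ -2033,7 +2039,7) still runs the mod construction, including the `CHECK(ldap_rdttl_to_ldapmod(mctx, rdlist, &change[1]))` context line, before calling ldap_modify_do() even when delete_node is ISC_TRUE, so the whole change array is built and then thrown away by the delete branch; branching on delete_node before building the mods would avoid the wasted work and the extra allocation failure paths. A one-line comment on remove_from_ldap() in the @@ -2047 hunk stating that delete_node removes the entire entry rather than the rdlist would also help callers.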
From: ssorce at redhat.com (Simo Sorce)
Date: Wed, 12 Jan 2011 14:19:20 -0500
Subject: [Freeipa-devel] [PATCH] 674 add API version
In-Reply-To: <4D2DD0D3.1050206@redhat.com>
References: <4D2DD0D3.1050206@redhat.com>
Message-ID: <20110112141920.062b5002@willson.li.ssimo.org>

On Wed, 12 Jan 2011 11:03:31 -0500
Rob Crittenden wrote:

> Add an API version that is enforced both when the server is built (to
> disallow unexpected API changes) and when clients talk to the server.
> See the patch for further details.
>
> ticket 584
>
> rob

Technical nack, API.txt is missing.

Also it would be really nice if we could test the API on build.
Is the utf8 plugin thing really needed in order to test the api, or
could we use PYTHONPATH and a fake python module by the same name
just to get through the import w/o getting an exception out ?

Simo.

--
Simo Sorce * Red Hat, Inc * New York
From: ssorce at redhat.com (Simo Sorce)
Date: Wed, 12 Jan 2011 14:45:32 -0500
Subject: [Freeipa-devel] [PATCH-SET] 0044-0048 Use SASL/GSSAPI for replication agreements
Message-ID: <20110112144532.2535bec0@willson.li.ssimo.org>

The existing code sets up replication agreements by recycling the
Directory Manager password for the Replication Manager user.

This causes 2 issues:

- If you change the DM password newer replicas will fail to access the
  older masters as they will have a different password on their
  Replication Manager user. And conversely if you change this password
  when you set up a new replica we risk kicking off unrelated replicas.
  The main issue is the use of a single user for all replication
  agreements.
  This is bug #690

- Because you need to know the DM password to set up a new agreement
  you can't change the replication topology w/o using the Directory
  Manager user. (the connect command of ipa-replica-manage requires it)
  This is bug #644

The following patchset comprises 5 patches:

- 0044 Simply refactors some code to make the following patches smaller
  and more readable.

- 0045 Remove unused stuff in ipa-replica-install

- 0046 Removes the ability to use alternative ports, we can't use
  non-standard ports anyway, we are pretty much hardwired on std. ones
  all over the place.

- 0047 Change the replica setup so that the final replication agreement
  can use SASL/GSSAPI for authentication using the server's own ldap
  service principal to log into the other replicas for replication.
  To resolve the chicken/egg problem of needing kerberos credentials
  before kerberos principals are created, the replication setup process
  is split in 2 phases. A first phase uses the classic Simple auth over
  SSL to prime the replica. Once that's done the replication agreement
  is changed to use SASL/GSSAPI instead and the temporary replication
  manager user is removed.
  This patch also works around a DS bug in changing agreements by using
  389/TLS instead of 636/SSL for the initial replica synchronization.
  This fixes #690

- 0048 Adds code to directly setup GSSAPI agreements between existing
  replicas (no chicken/egg problem here wrt kerberos) and uses it in
  ipa-replica-manage when a link needs to be added.
  This fixes #644

This patch set requires a full reinstall of all servers as some acis in
cn=config had to be changed.

Happy testing :)

Simo.

--
Simo Sorce * Red Hat, Inc * New York

-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-simo-0044-Refactor-some-replication-code.patch
Type: text/x-patch
Size: 26876 bytes
Desc: not available
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-simo-0045-Remove-unused-random-password-in-replica-install-scr.patch
Type: text/x-patch
Size: 1066 bytes
Desc: not available
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-simo-0046-Remove-port-argument-for-ipa-replica-manage.patch
Type: text/x-patch
Size: 2036 bytes
Desc: not available
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-simo-0047-Use-GSSAPI-for-replication.patch
Type: text/x-patch
Size: 14578 bytes
Desc: not available
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-simo-0048-Allow-using-Kerberos-credentials-with-the-connect-co.patch
Type: text/x-patch
Size: 1995 bytes
Desc: not available
From: jhrozek at redhat.com (Jakub Hrozek)
Date: Wed, 12 Jan 2011 20:54:22 +0100
Subject: [Freeipa-devel] [PATCH] 036 Use correct option name in host plugin
Message-ID: <4D2E06EE.5010306@redhat.com>

Managing DNS records when adding/deleting hosts with the host plugin was
broken because we used a wrong attribute name (ipaddr, should be
ip_address)

Jakub

-------------- next part --------------
A non-text attachment was scrubbed...
Name: jhrozek-freeipa-036-option-name.patch
Type: text/x-patch
Size: 3682 bytes
Desc: not available
-------------- next part --------------
A non-text attachment was scrubbed...
Name: jhrozek-freeipa-036-option-name.patch.sig
Type: application/pgp-signature
Size: 72 bytes
Desc: not available
From: jhrozek at redhat.com (Jakub Hrozek)
Date: Wed, 12 Jan 2011 20:56:01 +0100
Subject: [Freeipa-devel] [PATCH] 037 Remove the original DNS plugin
Message-ID: <4D2E0751.7050108@redhat.com>

I didn't find a related ticket, but I think this needs to be done. At
the very least it caused confusion for QA.

This patch
- removes the obsolete DNS plugin
- renames the new plugin to dns
- moves ipa dns-resolve to the new plugin
- ports the installer and the host plugin to the new interface

I didn't touch the UI at all. Adam, Endi, do I need to tweak it somehow
(esp. because the plugin is renamed).

Jakub

-------------- next part --------------
A non-text attachment was scrubbed...
Name: jhrozek-freeipa-037-remove-legacy-dns.patch
Type: text/x-patch
Size: 68791 bytes
Desc: not available
-------------- next part --------------
A non-text attachment was scrubbed...
Name: jhrozek-freeipa-037-remove-legacy-dns.patch.sig
Type: application/pgp-signature
Size: 72 bytes
Desc: not available
From: jhrozek at redhat.com (Jakub Hrozek)
Date: Wed, 12 Jan 2011 20:58:15 +0100
Subject: [Freeipa-devel] [PATCH] 037 Remove the original DNS plugin
In-Reply-To: <4D2E0751.7050108@redhat.com>
References: <4D2E0751.7050108@redhat.com>
Message-ID: <4D2E07D7.5090408@redhat.com>

On 01/12/2011 08:56 PM, Jakub Hrozek wrote:
> I didn't find a related ticket, but I think this needs to be done. At
> the very least it caused confusion for QA.
>
> This patch
> - removes the obsolete DNS plugin
> - renames the new plugin to dns
> - moves ipa dns-resolve to the new plugin
> - ports the installer and the host plugin to the new interface
>
> I didn't touch the UI at all. Adam, Endi, do I need to tweak it somehow
> (esp. because the plugin is renamed).
>
> Jakub

Attached is another version of the same patch, just formatted with -M
-C, so it should hopefully look better.

-------------- next part --------------
A non-text attachment was scrubbed...
Name: jhrozek-freeipa-037-02-remove-legacy-dns.patch
Type: text/x-patch
Size: 69092 bytes
Desc: not available
-------------- next part --------------
A non-text attachment was scrubbed...
Name: jhrozek-freeipa-037-02-remove-legacy-dns.patch.sig
Type: application/pgp-signature
Size: 72 bytes
Desc: not available
From: ssorce at redhat.com (Simo Sorce)
Date: Wed, 12 Jan 2011 14:58:56 -0500
Subject: [Freeipa-devel] [PATCH] 036 Use correct option name in host plugin
In-Reply-To: <4D2E06EE.5010306@redhat.com>
References: <4D2E06EE.5010306@redhat.com>
Message-ID: <20110112145856.347cbd0e@willson.li.ssimo.org>

On Wed, 12 Jan 2011 20:54:22 +0100
Jakub Hrozek wrote:

> Add new PTR record for www.example.com
> - ipa dns-add-rr 15.142.80.in-addr.arpa 2 PTR www.example.com.
> + ipa dnsrecord 15.142.80.in-addr.arpa 2 --ptr-rec www.example.com.
>

Shouldn't this be dnsrecord-add ?

Simo.

--
Simo Sorce * Red Hat, Inc * New York

From: ssorce at redhat.com (Simo Sorce)
Date: Wed, 12 Jan 2011 15:04:43 -0500
Subject: [Freeipa-devel] [PATCH] 036 Use correct option name in host plugin
In-Reply-To: <4D2E06EE.5010306@redhat.com>
References: <4D2E06EE.5010306@redhat.com>
Message-ID: <20110112150443.2717f8f6@willson.li.ssimo.org>

On Wed, 12 Jan 2011 20:54:22 +0100
Jakub Hrozek wrote:

> Managing DNS records when adding/deleting hosts with the host plugin
> was broken because we used a wrong attribute name (ipaddr, should be
> ip_address)

ACK,
Simo.

--
Simo Sorce * Red Hat, Inc * New York

From: ayoung at redhat.com (Adam Young)
Date: Wed, 12 Jan 2011 15:26:07 -0500
Subject: [Freeipa-devel] [PATCH] admiyo-0140-javascript-lint-cleanup
Message-ID: <4D2E0E5F.10106@redhat.com>

Now if you run jsl this way, you get no warnings.

jsl `ls *js | grep -v jquery | grep -v json | sed 's!^!process !g' `

-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-admiyo-0140-javascript-lint-cleanup.patch
Type: text/x-patch
Size: 43501 bytes
Desc: not available
From: rcritten at redhat.com (Rob Crittenden)
Date: Wed, 12 Jan 2011 16:39:30 -0500
Subject: [Freeipa-devel] [PATCH] 674 add API version
In-Reply-To: <20110112141920.062b5002@willson.li.ssimo.org>
References: <4D2DD0D3.1050206@redhat.com> <20110112141920.062b5002@willson.li.ssimo.org>
Message-ID: <4D2E1F92.8060200@redhat.com>

Simo Sorce wrote:
> On Wed, 12 Jan 2011 11:03:31 -0500
> Rob Crittenden wrote:
>
>> Add an API version that is enforced both when the server is built (to
>> disallow unexpected API changes) and when clients talk to the server.
>> See the patch for further details.
>>
>> ticket 584
>>
>> rob
>
> Technical nack, API.txt is missing.
>
> Also it would be really nice if we could test the API on build.
> Is the utf8 plugin thing really needed in order to test the api, or
> could we use PYTHONPATH and a fake python module by the same name
> just to get through the import w/o getting an exception out ?
>
> Simo.
>

Updated patch attached. I worked around requiring the utf8 plugin so
this should be executable from a fresh git pull and will always validate
the api when building.

I also made a separate patch for the mozldap dependency change (675).

rob

-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-rcrit-674-3-version.patch
Type: text/x-patch
Size: 358660 bytes
Desc: not available
From: jhrozek at redhat.com (Jakub Hrozek)
Date: Wed, 12 Jan 2011 22:40:40 +0100
Subject: [Freeipa-devel] [PATCH] 037 Remove the original DNS plugin
In-Reply-To: <4D2E07D7.5090408@redhat.com>
References: <4D2E0751.7050108@redhat.com> <4D2E07D7.5090408@redhat.com>
Message-ID: <20110112214038.GA4505@zeppelin.brq.redhat.com>

On Wed, Jan 12, 2011 at 08:58:15PM +0100, Jakub Hrozek wrote:
> On 01/12/2011 08:56 PM, Jakub Hrozek wrote:
> > I didn't find a related ticket, but I think this needs to be done. At
> > the very least it caused confusion for QA.
> >
> > This patch
> > - removes the obsolete DNS plugin
> > - renames the new plugin to dns
> > - moves ipa dns-resolve to the new plugin
> > - ports the installer and the host plugin to the new interface
> >
> > I didn't touch the UI at all. Adam, Endi, do I need to tweak it somehow
> > (esp. because the plugin is renamed).
> >
> > Jakub
>
> Attached is another version of the same patch, just formatted with -M
> -C, so it should hopefully look better.
>

OK, that was still not very readable so I split the patches into two to
ease the review:

1) jhrozek-freeipa-037-03-dont-use-legacy-dns.patch: Port installer and
   host plugin to the new DNS plugin
   * moves ipa dns-resolve to the new plugin
   * ports the installer and the host plugin to the new interface

2) jhrozek-freeipa-038-rename-dns2-to-dns.patch
   No functionality change, just renames the old plugin to the new one.

I used "git format-patch -M -C --patience --full-index" to format the
patch but git still didn't detect the replace, it seems. Is there
anything else I can do in order to get a prettier patch?

I created the patch with "git rm ipalib/plugins/dns.py" and then "git mv
ipalib/plugins/dns2.py ipalib/plugins/dns.py" -- without performing rm
first, git would complain about renaming file to another which is
tracked.

-------------- next part --------------
>From a244add5fcfd74415c537074f456bce2adb1160e Mon Sep 17 00:00:00 2001 From: Jakub Hrozek Date: Wed, 12 Jan 2011 21:02:05 +0100 Subject: [PATCH 1/2] Port installer and host plugin to the new DNS plugin * move ipa dns-resolve to the new plugin * port the installer and the host plugin to the new interface --- ipalib/plugins/dns2.py | 52 ++++++++++++++++++++++++++++++++----- ipalib/plugins/host.py | 35 ++++++++++++++---------- ipaserver/install/bindinstance.py | 30 ++++++++++---------- 3 files changed, 80 insertions(+), 37 deletions(-) diff --git a/ipalib/plugins/dns2.py b/ipalib/plugins/dns2.py index 9254f1df9184a04fd5b6940eb3c2198b092b0c1d..d8e0ad657ef45085258cfec018647d83455eb94c 100644 --- a/ipalib/plugins/dns2.py +++ b/ipalib/plugins/dns2.py @@ -121,6 +121,13 @@ _record_validators = { } +def dns_container_exists(ldap): + try: + ldap.get_entry(api.env.container_dns, []) + except errors.NotFound: + return False + return True + class dnszone(LDAPObject): """ DNS Zone, container for resource records. @@ -227,12 +234,6 @@ class dnszone(LDAPObject): ), ) - def check_container_exists(self): - try: - self.backend.get_entry(self.container_dn, []) - except errors.NotFound: - raise errors.NotFound(reason=_('DNS is not configured')) - api.register(dnszone) @@ -241,7 +242,9 @@ class dnszone_add(LDAPCreate): Create new DNS zone (SOA record). """ def pre_callback(self, ldap, dn, entry_attrs, *keys, **options): - self.obj.check_container_exists() + if not dns_container_exists(self.api.Backend.ldap2): + raise errors.NotFound(reason=_('DNS is not configured')) + entry_attrs['idnszoneactive'] = 'TRUE' entry_attrs['idnsallowdynupdate'] = str( entry_attrs.get('idnsallowdynupdate', False) 
@@ -583,3 +586,38 @@ class dnsrecord_find(LDAPSearch, dnsrecord_cmd_w_record_options): api.register(dnsrecord_find) +class dns_resolve(Command): + """ + Resolve a host name in DNS + """ + has_output = output.standard_value + msg_summary = _('Found \'%(value)s\'') + + takes_args = ( + Str('hostname', + label=_('Hostname'), + ), + ) + + def execute(self, *args, **options): + query=args[0] + if query.find(api.env.domain) == -1 and query.find('.') == -1: + query = '%s.%s.' % (query, api.env.domain) + if query[-1] != '.': + query = query + '.' + reca = dnsclient.query(query, dnsclient.DNS_C_IN, dnsclient.DNS_T_A) + rec6 = dnsclient.query(query, dnsclient.DNS_C_IN, dnsclient.DNS_T_AAAA) + records = reca + rec6 + found = False + for rec in records: + if rec.dns_type == dnsclient.DNS_T_A or \ + rec.dns_type == dnsclient.DNS_T_AAAA: + found = True + break + + if not found: + raise errors.NotFound(reason=_('Host \'%(host)s\' not found' % {'host':query})) + + return dict(result=True, value=query) + +api.register(dns_resolve) diff --git a/ipalib/plugins/host.py b/ipalib/plugins/host.py index 88ac0bcb780d44d1619d3eb2d91c74a3b2ed3a25..d60f63776714689e754c3f1c18e972e062304edc 100644 --- a/ipalib/plugins/host.py +++ b/ipalib/plugins/host.py @@ -84,7 +84,7 @@ from ipalib.plugins.service import normalize_certificate from ipalib.plugins.service import set_certificate_attrs from ipalib.plugins.service import make_pem, check_writable_file from ipalib.plugins.service import write_certificate -from ipalib.plugins.dns import dns_container_exists, _attribute_types +from ipalib.plugins.dns2 import dns_container_exists, _record_types from ipalib import _, ngettext from ipalib import x509 from ipapython.ipautil import ipa_generate_password 
@@ -282,7 +282,7 @@ class host_add(LDAPCreate): if 'ip_address' in options and dns_container_exists(ldap): parts = keys[-1].split('.') domain = unicode('.'.join(parts[1:])) - result = api.Command['dns_find']()['result'] + result = api.Command['dnszone_find']()['result'] match = False for zone in result: if domain == zone['idnsname'][0]: @@ -290,7 +290,7 @@ class host_add(LDAPCreate): break if not match: raise errors.NotFound(reason=_('DNS zone %(zone)s not found' % dict(zone=domain))) - if not options.get('no_reverse',False): + if not options.get('no_reverse', False): # we prefer lookup of the IP through the reverse zone revzone, revname = get_reverse_zone(options['ip_address']) # Verify that our reverse zone exists @@ -302,7 +302,7 @@ class host_add(LDAPCreate): if not match: raise errors.NotFound(reason=_('Reverse DNS zone %(zone)s not found' % dict(zone=revzone))) try: - reverse = api.Command['dns_find_rr'](revzone, revname) + reverse = api.Command['dnsrecord_find'](revzone, idnsname=revname) if reverse['count'] > 0: raise errors.DuplicateEntry(message=u'This IP address is already assigned.') except errors.NotFound: @@ -344,17 +344,18 @@ class host_add(LDAPCreate): parts = keys[-1].split('.') domain = unicode('.'.join(parts[1:])) if ':' in options['ip_address']: - type = u'AAAA' + addkw = { u'aaaarecord' : options['ip_address'] } else: - type = u'A' + addkw = { u'arecord' : options['ip_address'] } try: - api.Command['dns_add_rr'](domain, parts[0], type, options['ip_address']) + api.Command['dnsrecord_add'](domain, parts[0], **addkw) except errors.EmptyModlist: # the entry already exists and matches pass revzone, revname = get_reverse_zone(options['ip_address']) try: - api.Command['dns_add_rr'](revzone, revname, u'PTR', keys[-1]+'.') + addkw = { u'ptrrecord' : keys[-1]+'.' } + api.Command['dnsrecord_add'](revzone, revname, **addkw) except errors.EmptyModlist: # the entry already exists and matches pass 
@@ -424,7 +425,7 @@ class host_del(LDAPDelete): # Remove DNS entries parts = fqdn.split('.') domain = unicode('.'.join(parts[1:])) - result = api.Command['dns_find']()['result'] + result = api.Command['dnszone_find']()['result'] match = False for zone in result: if domain == zone['idnsname'][0]: @@ -434,30 +435,34 @@ class host_del(LDAPDelete): raise errors.NotFound(reason=_('DNS zone %(zone)s not found' % dict(zone=domain))) raise e # Get all forward resources for this host - records = api.Command['dns_find_rr'](domain, parts[0])['result'] + records = api.Command['dnsrecord_find'](domain, idnsname=parts[0])['result'] for record in records: if 'arecord' in record: ipaddr = record['arecord'][0] self.debug('deleting ipaddr %s' % ipaddr) revzone, revname = get_reverse_zone(ipaddr) try: - api.Command['dns_del_rr'](revzone, revname, u'PTR', fqdn+'.') + delkw = { u'ptrrecord' : fqdn+'.' } + api.Command['dnsrecord_del'](revzone, revname, **delkw) except errors.NotFound: pass try: - api.Command['dns_del_rr'](domain, parts[0], u'A', ipaddr) + delkw = { u'arecord' : ipaddr } + api.Command['dnsrecord_del'](domain, parts[0], **delkw) except errors.NotFound: pass else: # Try to delete all other record types too + _attribute_types = [str('%srecord' % t.lower()) for t in _record_types] for attr in _attribute_types: if attr != 'arecord' and attr in record: for i in xrange(len(record[attr])): if (record[attr][i].endswith(parts[0]) or record[attr][i].endswith(fqdn+'.')): - api.Command['dns_del_rr'](domain, - record['idnsname'][0], - _attribute_types[attr], record[attr][i]) + delkw = { unicode(attr) : record[attr][i] } + api.Command['dnsrecord_del'](domain, + record['idnsname'][0], + **delkw) break try: diff --git a/ipaserver/install/bindinstance.py b/ipaserver/install/bindinstance.py index e1a5810f44d342fd1031efaf40da55684e833825..976b69541588d4dc157ae42fc69a9c2f09f3b71c 100644 --- a/ipaserver/install/bindinstance.py +++ b/ipaserver/install/bindinstance.py 
@@ -107,8 +107,8 @@ def get_reverse_zone(ip_address): def dns_zone_exists(name): try: - zone = api.Command.dns_show(unicode(name)) - except Exception: + zone = api.Command.dnszone_show(unicode(name)) + except ipalib.errors.NotFound: return False if len(zone) == 0: @@ -121,11 +121,11 @@ def add_zone(name, update_policy=None, zonemgr=None, dns_backup=None): update_policy = "grant %s krb5-self * A;" % api.env.realm try: - api.Command.dns_add(unicode(name), - idnssoamname=unicode(api.env.host+"."), - idnssoarname=unicode(zonemgr), - idnsallowdynupdate=True, - idnsupdatepolicy=unicode(update_policy)) + api.Command.dnszone_add(unicode(name), + idnssoamname=unicode(api.env.host+"."), + idnssoarname=unicode(zonemgr), + idnsallowdynupdate=True, + idnsupdatepolicy=unicode(update_policy)) except (errors.DuplicateEntry, errors.EmptyModlist): pass @@ -138,10 +138,10 @@ def add_reverze_zone(ip_address, update_policy=None, dns_backup=None): if not update_policy: update_policy = "grant %s krb5-subdomain %s. PTR;" % (api.env.realm, zone) try: - api.Command.dns_add(unicode(zone), - idnssoamname=unicode(api.env.host+"."), - idnsallowdynupdate=True, - idnsupdatepolicy=unicode(update_policy)) + api.Command.dnszone_add(unicode(zone), + idnssoamname=unicode(api.env.host+"."), + idnsallowdynupdate=True, + idnsupdatepolicy=unicode(update_policy)) except (errors.DuplicateEntry, errors.EmptyModlist): pass @@ -150,9 +150,9 @@ def add_reverze_zone(ip_address, update_policy=None, dns_backup=None): return zone def add_rr(zone, name, type, rdata, dns_backup=None): + addkw = { '%srecord' % unicode(type.lower()) : unicode(rdata) } try: - api.Command.dns_add_rr(unicode(zone), unicode(name), - unicode(type), unicode(rdata)) + api.Command.dnsrecord_add(unicode(zone), unicode(name), **addkw) except (errors.DuplicateEntry, errors.EmptyModlist): pass if dns_backup: 
@@ -201,8 +201,8 @@ class DnsBackup(object): if have_ldap: type, host, rdata = dns_record.split(" ", 2) try: - api.Command.dns_del_rr(unicode(zone), unicode(host), - unicode(type), unicode(rdata)) + delkw = { '%srecord' % unicode(type) : unicode(rdata) } + api.Command.dnsrecord_del(unicode(zone), unicode(host), **delkw) except: pass j += 1 -- 1.7.3.4 -------------- next part -------------- >From 4257cc21718380674bd1f0c20b44f16984afe316 Mon Sep 17 00:00:00 2001 From: Jakub Hrozek Date: Wed, 12 Jan 2011 22:09:02 +0100 Subject: [PATCH 2/2] Rename dns2 to dns --- ipalib/plugins/dns.py | 1032 +++++++++++++++++------------------------------- ipalib/plugins/dns2.py | 623 ----------------------------- ipalib/plugins/host.py | 2 +- 3 files changed, 358 insertions(+), 1299 deletions(-) delete mode 100644 ipalib/plugins/dns2.py diff --git a/ipalib/plugins/dns.py b/ipalib/plugins/dns.py index ced13efc92b2480bbe15675233903edd8387fa16..cf58098036f7056d20337b4d3b5f02b158b41360 100644 --- a/ipalib/plugins/dns.py +++ b/ipalib/plugins/dns.py @@ -1,7 +1,7 @@ # Authors: # Pavel Zuna # -# Copyright (C) 2009 Red Hat +# Copyright (C) 2010 Red Hat # see file 'COPYING' for use and warranty information # # This program is free software; you can redistribute it and/or modify 
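Review bot: in the dns_resolve hunk, the NotFound message is formatted before it is translated: `_('Host \'%(host)s\' not found' % {'host':query})` hands the already interpolated string to `_()`, so the msgid can never match a catalog entry. Translate first, then format: `_('Host \'%(host)s\' not found') % {'host': query}`, which is also how the host.py hunks of this same patch get it wrong (`_('DNS zone %(zone)s not found' % dict(zone=domain))`). In the same hunk, `query.find(api.env.domain) == -1 and query.find('.') == -1` reduces to the second test for any dotted IPA domain, since a name without a dot cannot contain one; `'.' not in query` says what is meant.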
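Review bot: in the host_add hunk, `api.Command['dnszone_find']()['result']` lists every zone and then loops to test `domain == zone['idnsname'][0]`; `api.Command['dnszone_show'](domain)` (the form bindinstance.py uses in the dns_zone_exists hunk) performs the exact lookup and already raises errors.NotFound, which is what the `if not match:` branch constructs by hand. The find-then-loop form also depends on the unbounded search returning all zones; the find commands carry a `truncated` flag for a reason, and a truncated result here surfaces as a spurious 'DNS zone ... not found' on a large deployment. The host_del hunk repeats the same pattern.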
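Review bot: in the host_del hunk, `_attribute_types = [str('%srecord' % t.lower()) for t in _record_types]` is rebuilt on every pass of the `for record in records` loop, and it reuses the name of the import this patch just removed from host.py, which is confusing to anyone who grepped for the old dict. dns2 already exports the identical list as `_record_attributes = [str('%srecord' % t.lower()) for t in _record_types]`, so import that next to `dns_container_exists` and delete the local rebuild. Pulling underscore-prefixed names out of another plugin deserves a short comment either way.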
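Review bot: in the dns_zone_exists hunk, `except ipalib.errors.NotFound:` names the package while the rest of the file, including the add_zone hunk right below (`except (errors.DuplicateEntry, errors.EmptyModlist):`), uses the imported `errors` module; unless `import ipalib` is present, the clause raises NameError the first time a lookup actually fails, which is the path it exists to handle. Use `errors.NotFound`. Narrowing from `except Exception:` is the right direction, but note the behaviour change: an LDAP connection or permission error now propagates out of the installer instead of being reported as "zone does not exist", which is fine as long as the caller is prepared for it.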
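Review bot: in the DnsBackup hunk, `delkw = { '%srecord' % unicode(type) : unicode(rdata) }` does not lower-case the type, while add_rr in the preceding hunk builds its key with `type.lower()`. If the backup file stores the type as add_rr's callers pass it (u'A', u'PTR'), the key comes out as `Arecord` instead of `arecord`, dnsrecord_del rejects the unknown option, and the bare `except: pass` two lines later hides the failure, so an uninstall would silently leave behind the records it was meant to remove. Apply `.lower()` here as well and narrow the except to the errors a delete can legitimately raise, such as `errors.NotFound`.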
@@ -17,45 +17,45 @@ # You should have received a copy of the GNU General Public License # along with this program. If not, see . """ -Domain Name System (DNS) plug-in +Domain Name System (DNS) -Implements a set of commands useful for manipulating DNS records used by -the BIND LDAP plug-in. +Manage DNS zone and resource records. EXAMPLES: Add new zone: - ipa dns-add example.com nameserver.example.com admin at example.com + ipa dnszone-add example.com --name-server nameserver.example.com + --admin-email admin at example.com Add second nameserver for example.com: - ipa dns-add-rr example.com @ NS nameserver2.example.com + ipa dnsrecord-add example.com @ --ns-rec nameserver2.example.com Delete previously added nameserver from example.com: - ipa dns-del-rr example.com @ NS nameserver2.example.com + ipa dnsrecord-del example.com @ --ns-rec nameserver2.example.com Add new A record for www.example.com: (random IP) - ipa dns-add-rr example.com www A 80.142.15.2 + ipa dnsrecord-add example.com www --a-rec 80.142.15.2 Add new PTR record for www.example.com - ipa dns-add-rr 15.142.80.in-addr.arpa 2 PTR www.example.com. + ipa dnsrecord-add 15.142.80.in-addr.arpa 2 --ptr-rec www.example.com. 
Show zone example.com: - ipa dns-show example.com + ipa dnszone-show example.com Find zone with "example" in it's domain name: - ipa dns-find example + ipa dnszone-find example Find records for resources with "www" in their name in zone example.com: - ipa dns-find-rr example.com www + ipa dnsrecord-find example.com www - Find A records for resource www in zone example.com - ipa dns-find-rr example.com --resource www --type A + Find A records with value 10.10.0.1 in zone example.com + ipa dnsrecord-find example.com --a-rec 10.10.0.1 Show records for resource www in zone example.com - ipa dns-show-rr example.com www + ipa dnsrecord-show example.com www Delete zone example.com with all resource records: - ipa dns-delete example.com + ipa dnszone-del example.com Resolve a host name to see if it exists (will add default IPA domain if one is not included): 
@@ -64,59 +64,31 @@ EXAMPLES: """ -# A few notes about the LDAP schema to make this plugin more understandable: -# - idnsRecord object is a HOSTNAME with one or more resource records -# - idnsZone object is a idnsRecord object with mandatory SOA record -# it basically makes the assumption that ZONE == DOMAINNAME + SOA record -# resource records can be stored in both idnsZone and idnsRecord objects - +import netaddr import time -from ipalib import api, crud, errors, output -from ipalib import Object, Command -from ipalib import Flag, Int, Str, StrEnum +from ipalib import api, errors, output +from ipalib import Command +from ipalib import Flag, Int, List, Str, StrEnum +from ipalib.plugins.baseldap import * from ipalib import _, ngettext -from ipalib.output import Output, standard_entry, standard_list_of_entries from ipapython import dnsclient -# parent DN -_zone_container_dn = api.env.container_dns - # supported resource record types _record_types = ( - u'A', u'AAAA', u'A6', u'AFSDB', u'CERT', u'CNAME', u'DNAME', - u'DS', u'HINFO', u'KEY', u'KX', u'LOC', u'MD', u'MINFO', u'MX', - u'NAPTR', u'NS', u'NSEC', u'NXT', u'PTR', u'RRSIG', u'SSHFP', - u'SRV', u'TXT', + u'A', u'AAAA', u'A6', u'AFSDB', u'APL', u'CERT', u'CNAME', u'DHCID', u'DLV', + u'DNAME', u'DNSKEY', u'DS', u'HINFO', u'HIP', u'IPSECKEY', u'KEY', u'KX', + u'LOC', u'MD', u'MINFO', u'MX', u'NAPTR', u'NS', u'NSEC', u'NSEC3', + u'NSEC3PARAM', u'NXT', u'PTR', u'RRSIG', u'RP', u'SIG', u'SPF', u'SRV', + u'SSHFP', u'TA', u'TKEY', u'TSIG', u'TXT', ) -# mapping from attribute to resource record type -_attribute_types = dict( - arecord=u'A', aaaarecord=u'AAAA', a6record=u'A6', - afsdbrecord=u'AFSDB', certrecord=u'CERT', cnamerecord=u'CNAME', - dnamerecord=u'DNAME', dsrecord=u'DS', hinforecord=u'HINFO', - keyrecord=u'KEY', kxrecord=u'KX', locrecord='LOC', - mdrecord=u'MD', minforecord=u'MINFO', mxrecord=u'MX', - naptrrecord=u'NAPTR', nsrecord=u'NS', nsecrecord=u'NSEC', - ntxtrecord=u'NTXT', ptrrecord=u'PTR', 
rrsigrecord=u'RRSIG', - sshfprecord=u'SSHFP', srvrecord=u'SRV', txtrecord=u'TXT', -) +# attributes derived from record types +_record_attributes = [str('%srecord' % t.lower()) for t in _record_types] # supported DNS classes, IN = internet, rest is almost never used _record_classes = (u'IN', u'CS', u'CH', u'HS') -# attributes displayed by default for resource records -_record_default_attributes = ['%srecord' % r for r in _record_types] -_record_default_attributes.append('idnsname') - -# attributes displayed by default for zones -_zone_default_attributes = [ - 'idnsname', 'idnszoneactive', 'idnssoamname', 'idnssoarname', - 'idnssoaserial', 'idnssoarefresh', 'idnssoaretry', 'idnssoaexpire', - 'idnssoaminimum' -] - - # normalizer for admin email def _rname_normalizer(value): value = value.replace('@', '.') 
@@ -124,41 +96,57 @@ def _rname_normalizer(value): value += '.' return value -# build zone dn -def _get_zone_dn(ldap, idnsname): - rdn = ldap.make_rdn_from_attr('idnsname', idnsname) - return ldap.make_dn_from_rdn(rdn, _zone_container_dn) +def _create_zone_serial(**kwargs): + """Generate serial number for zones.""" + return int('%s01' % time.strftime('%Y%d%m')) -# build dn for entry with record -def _get_record_dn(ldap, zone, idnsname): - parent_dn = _get_zone_dn(ldap, zone) - if idnsname == '@' or idnsname == zone: - return parent_dn - rdn = ldap.make_rdn_from_attr('idnsname', idnsname) - return ldap.make_dn_from_rdn(rdn, parent_dn) +def _validate_ipaddr(ugettext, ipaddr): + try: + ip = netaddr.IPAddress(ipaddr) + except netaddr.AddrFormatError: + return u'invalid address format' + return None + +def _validate_ipnet(ugettext, ipnet): + try: + net = netaddr.IPNetwork(ipnet) + except (UnboundLocalError, ValueError): + return u'invalid format' + return None + +_record_validators = { + u'A': _validate_ipaddr, + u'AAAA': _validate_ipaddr, + u'APL': _validate_ipnet, +} def dns_container_exists(ldap): - """ - See if the dns container exists. If not raise an exception. - """ - basedn = 'cn=dns,%s' % api.env.basedn try: - ret = ldap.find_entries('(objectclass=*)', None, basedn, - ldap.SCOPE_BASE) + ldap.get_entry(api.env.container_dns, []) except errors.NotFound: - raise errors.NotFound(reason=_('DNS is not configured')) - + return False return True -class dns(Object): - """DNS zone/SOA record object.""" +class dnszone(LDAPObject): + """ + DNS Zone, container for resource records. 
+ """ + container_dn = api.env.container_dns + object_name = 'DNS zone' + object_name_plural = 'DNS zones' + object_class = ['top', 'idnsrecord', 'idnszone'] + default_attributes = [ + 'idnsname', 'idnszoneactive', 'idnssoamname', 'idnssoarname', + 'idnssoaserial', 'idnssoarefresh', 'idnssoaretry', 'idnssoaexpire', + 'idnssoaminimum' + ] + _record_attributes label = _('DNS') takes_params = ( Str('idnsname', cli_name='name', - label=_('Zone'), + label=_('Zone name'), doc=_('Zone name (FQDN)'), normalizer=lambda value: value.lower(), primary_key=True, 
@@ -166,743 +154,437 @@ class dns(Object): Str('idnssoamname', cli_name='name_server', label=_('Authoritative name server'), + doc=_('Authoritative name server'), ), Str('idnssoarname', cli_name='admin_email', - label=_('administrator e-mail address'), + label=_('Administrator e-mail address'), + doc=_('Administrator e-mail address'), default_from=lambda idnsname: 'root.%s' % idnsname, normalizer=_rname_normalizer, ), Int('idnssoaserial?', cli_name='serial', label=_('SOA serial'), + doc=_('SOA record serial number'), + create_default=_create_zone_serial, + autofill=True, ), Int('idnssoarefresh?', cli_name='refresh', label=_('SOA refresh'), + doc=_('SOA record refresh time'), + default=3600, + autofill=True, ), Int('idnssoaretry?', cli_name='retry', label=_('SOA retry'), + doc=_('SOA record retry time'), + default=900, + autofill=True, ), Int('idnssoaexpire?', cli_name='expire', label=_('SOA expire'), + doc=_('SOA record expire time'), + default=1209600, + autofill=True, ), Int('idnssoaminimum?', cli_name='minimum', label=_('SOA minimum'), + doc=_('SOA record minimum value'), + default=3600, + autofill=True, + ), + Int('idnssoamaximum?', + cli_name='maximum', + label=_('SOA maximum'), + doc=_('SOA record maximum value'), ), Int('dnsttl?', cli_name='ttl', label=_('SOA time to live'), + doc=_('SOA record time to live'), ), StrEnum('dnsclass?', cli_name='class', label=_('SOA class'), + doc=_('SOA record class'), values=_record_classes, ), - Flag('idnsallowdynupdate', - cli_name='allow_dynupdate', - label=_('allow dynamic update?'), - ), Str('idnsupdatepolicy?', cli_name='update_policy', label=_('BIND update policy'), + doc=_('BIND update policy'), + ), + Flag('idnszoneactive?', + cli_name='zone_active', + label=_('Active zone'), + doc=_('Is zone active?'), + flags=['no_create', 'no_update'], + attribute=True, + ), + Flag('idnsallowdynupdate', + cli_name='allow_dynupdate', + label=_('Dynamic update'), + doc=_('Allow dynamic update?'), + attribute=True, ), ) - 
default_attributes = _zone_default_attributes +api.register(dnszone) - json_friendly_attributes = ( - 'default_attributes', 'label', 'name', 'takes_params' ) - def __json__(self): - json_dict = dict( - (a, getattr(self, a)) for a in self.json_friendly_attributes - ) - if self.primary_key: - json_dict['primary_key'] = self.primary_key.name - json_dict['methods'] = [m for m in self.methods] - return json_dict - - -api.register(dns) - - -class dns_add(crud.Create): +class dnszone_add(LDAPCreate): """ - Create new DNS zone/SOA record. + Create new DNS zone (SOA record). """ - def execute(self, *args, **options): - ldap = self.Backend.ldap2 - idnsname = args[0] - - dns_container_exists(ldap) - - # build entry attributes - entry_attrs = self.args_options_2_entry(*args, **options) - - # build entry DN - dn = _get_zone_dn(ldap, idnsname) + def pre_callback(self, ldap, dn, entry_attrs, *keys, **options): + if not dns_container_exists(self.api.Backend.ldap2): + raise errors.NotFound(reason=_('DNS is not configured')) - # fill in required attributes - entry_attrs['objectclass'] = ['top', 'idnsrecord', 'idnszone'] entry_attrs['idnszoneactive'] = 'TRUE' entry_attrs['idnsallowdynupdate'] = str( - entry_attrs['idnsallowdynupdate'] + entry_attrs.get('idnsallowdynupdate', False) ).upper() - # fill default values, build SOA serial from current date - soa_serial = int('%s01' % time.strftime('%Y%d%m')) - entry_attrs.setdefault('idnssoaserial', soa_serial) - entry_attrs.setdefault('idnssoarefresh', 3600) - entry_attrs.setdefault('idnssoaretry', 900) - entry_attrs.setdefault('idnssoaexpire', 1209600) - entry_attrs.setdefault('idnssoaminimum', 3600) + nameserver = entry_attrs['idnssoamname'] + if nameserver[-1] != '.': + nameserver += '.' 
+ entry_attrs['nsrecord'] = nameserver + entry_attrs['idnssoamname'] = nameserver + return dn - # create zone entry - ldap.add_entry(dn, entry_attrs) +api.register(dnszone_add) - # get zone entry with created attributes for output - (dn, entry_attrs) = ldap.get_entry(dn, entry_attrs.keys()) - entry_attrs['dn'] = dn - return dict(result=entry_attrs, value=idnsname) - - def output_for_cli(self, textui, result, *args, **options): - entry_attrs = result['result'] - idnsname = result['value'] - - textui.print_name(self.name) - textui.print_attribute('dn', entry_attrs['dn']) - del entry_attrs['dn'] - textui.print_entry(entry_attrs) - textui.print_dashed('Created DNS zone "%s".' % idnsname) - -api.register(dns_add) - - -class dns_del(crud.Delete): +class dnszone_del(LDAPDelete): """ - Delete existing DNS zone/SOA record. + Delete DNS zone (SOA record). """ - def execute(self, *args, **options): - ldap = self.api.Backend.ldap2 - idnsname = args[0] - - dns_container_exists(ldap) - - # build zone entry DN - dn = _get_zone_dn(ldap, idnsname) - # just check if zone exists for now - ldap.get_entry(dn, ['']) - # retrieve all subentries of zone - records - try: - (entries, truncated) = ldap.find_entries( - None, [''], dn, ldap.SCOPE_ONELEVEL - ) - except errors.NotFound: - (entries, truncated) = (tuple(), False) +api.register(dnszone_del) - # kill'em all, records first - for e in entries: - ldap.delete_entry(e[0]) - ldap.delete_entry(dn) - return dict(result=True, value=u'') - - def output_for_cli(self, textui, result, *args, **options): - textui.print_name(self.name) - textui.print_dashed('Deleted DNS zone "%s".' % args[0]) - -api.register(dns_del) - - -class dns_mod(crud.Update): +class dnszone_mod(LDAPUpdate): """ - Modify DNS zone/SOA record. + Modify DNS zone (SOA record). """ - def execute(self, *args, **options): - ldap = self.api.Backend.ldap2 - idnsname = args[0] - - dns_container_exists(ldap) - - # build entry attributes, don't include idnsname! 
- entry_attrs = self.args_options_2_entry(*tuple(), **options) + def pre_callback(self, ldap, dn, entry_attrs, *keys, **options): entry_attrs['idnsallowdynupdate'] = str( - entry_attrs['idnsallowdynupdate'] + entry_attrs.get('idnsallowdynupdate', False) ).upper() + return dn - # build entry DN - dn = _get_zone_dn(ldap, idnsname) +api.register(dnszone_mod) - # update zone entry - ldap.update_entry(dn, entry_attrs) - # get zone entry with modified + default attributes for output - (dn, entry_attrs) = ldap.get_entry( - dn, (entry_attrs.keys() + _zone_default_attributes) - ) - entry_attrs['dn'] = dn - - return dict(result=entry_attrs, value=idnsname) - - def output_for_cli(self, textui, result, *args, **options): - entry_attrs = result['result'] - idnsname = result['value'] - - textui.print_name(self.name) - textui.print_attribute('dn', entry_attrs['dn']) - del entry_attrs['dn'] - textui.print_entry(entry_attrs) - textui.print_dashed('Modified DNS zone "%s".' % idnsname) - -api.register(dns_mod) - - -class dns_find(crud.Search): - """ - Search for DNS zones/SOA records. 
- """ - def execute(self, term, **options): - ldap = self.api.Backend.ldap2 - - dns_container_exists(ldap) - - # build search filter - filter = ldap.make_filter_from_attr('idnsname', term, exact=False) - - # select attributes we want to retrieve - if options.get('all', False): - attrs_list = ['*'] - else: - attrs_list = _zone_default_attributes - - # get matching entries - try: - (entries, truncated) = ldap.find_entries( - filter, attrs_list, _zone_container_dn, ldap.SCOPE_ONELEVEL - ) - except errors.NotFound: - (entries, truncated) = (tuple(), False) - - for e in entries: - e[1]['dn'] = e[0] - entries = tuple(e for (dn, e) in entries) - - return dict(result=entries, count=len(entries), truncated=truncated) - - def output_for_cli(self, textui, result, term, **options): - entries = result['result'] - truncated = result['truncated'] - - textui.print_name(self.name) - for entry_attrs in entries: - textui.print_attribute('dn', entry_attrs['dn']) - del entry_attrs['dn'] - textui.print_entry(entry_attrs) - textui.print_plain('') - textui.print_count( - len(entries), '%i DNS zone matched.', '%i DNS zones matched.' - ) - if truncated: - textui.print_dashed('These results are truncated.', below=False) - textui.print_dashed( - 'Please refine your search and try again.', above=False - ) - -api.register(dns_find) - - -class dns_show(crud.Retrieve): +class dnszone_find(LDAPSearch): """ - Display DNS zone/SOA record. + Search for DNS zones (SOA records). 
""" - def execute(self, idnsname, **options): - ldap = self.api.Backend.ldap2 - - dns_container_exists(ldap) - - # build entry DN - dn = _get_zone_dn(ldap, idnsname) - - # select attributes we want to retrieve - if options.get('all', False): - attrs_list = ['*'] - else: - attrs_list = _zone_default_attributes - - (dn, entry_attrs) = ldap.get_entry(dn, attrs_list) - entry_attrs['dn'] = dn - return dict(result=entry_attrs, value=idnsname) +api.register(dnszone_find) - def output_for_cli(self, textui, result, *args, **options): - entry_attrs = result['result'] - textui.print_name(self.name) - textui.print_attribute('dn', entry_attrs['dn']) - del entry_attrs['dn'] - textui.print_entry(entry_attrs) - -api.register(dns_show) - - -class dns_enable(Command): +class dnszone_show(LDAPRetrieve): """ - Activate DNS zone. + Display information about a DNS zone (SOA record). """ - takes_args = ( - Str('zone', - cli_name='zone', - label=_('Zone name'), - normalizer=lambda value: value.lower(), - ), - ) - - has_output = output.standard_value - - def execute(self, zone): - ldap = self.api.Backend.ldap2 - - dns_container_exists(ldap) - - # build entry DN - dn = _get_zone_dn(ldap, zone) - - # activate! - try: - ldap.update_entry(dn, {'idnszoneactive': 'TRUE'}) - except errors.EmptyModlist: - pass - return dict(result=True, value=zone) +api.register(dnszone_show) - def output_for_cli(self, textui, result, zone): - textui.print_name(self.name) - textui.print_dashed('Activated DNS zone "%s".' % zone) -api.register(dns_enable) - - -class dns_disable(Command): +class dnszone_disable(LDAPQuery): """ - Deactivate DNS zone. + Disable DNS Zone. 
""" - takes_args = ( - Str('zone', - label=_('Zone name'), - normalizer=lambda value: value.lower(), - ), - ) - has_output = output.standard_value + msg_summary = _('Disabled DNS zone "%(value)s"') - def execute(self, zone): - ldap = self.api.Backend.ldap2 - - dns_container_exists(ldap) + def execute(self, *keys, **options): + ldap = self.obj.backend - # build entry DN - dn = _get_zone_dn(ldap, zone) + dn = self.obj.get_dn(*keys, **options) - # deactivate! try: ldap.update_entry(dn, {'idnszoneactive': 'FALSE'}) except errors.EmptyModlist: pass - return dict(result=True, value=zone) + return dict(result=True, value=keys[-1]) - def output_for_cli(self, textui, result, zone): - textui.print_name(self.name) - textui.print_dashed('Deactivated DNS zone "%s".' % zone) +api.register(dnszone_disable) -api.register(dns_disable) +class dnszone_enable(LDAPQuery): + """ + Enable DNS Zone. + """ + has_output = output.standard_value + msg_summary = _('Enabled DNS zone "%(value)s"') + + def execute(self, *keys, **options): + ldap = self.obj.backend + + dn = self.obj.get_dn(*keys, **options) + + try: + ldap.update_entry(dn, {'idnszoneactive': 'TRUE'}) + except errors.EmptyModlist: + pass -class dns_add_rr(Command): + return dict(result=True, value=keys[-1]) + +api.register(dnszone_enable) + + +class dnsrecord(LDAPObject): """ - Add new DNS resource record. + DNS record. 
""" + parent_object = 'dnszone' + container_dn = api.env.container_dns + object_name = 'DNS resource record' + object_name_plural = 'DNS resource records' + object_class = ['top', 'idnsrecord'] + default_attributes = _record_attributes + ['idnsname'] + + label = _('DNS resource record') - takes_args = ( - Str('zone', - label=_('Zone name'), - normalizer=lambda value: value.lower(), - ), + takes_params = ( Str('idnsname', - cli_name='resource', - label=_('resource name'), - default_from=lambda zone: zone.lower(), - attribute=True, + cli_name='name', + label=_('Record name'), + doc=_('Record name'), + primary_key=True, ), - StrEnum('type', - label=_('Record type'), - values=_record_types, - ), - Str('data', - label=_('Data'), - doc=_('Type-specific data'), - ), - ) - - takes_options = ( Int('dnsttl?', cli_name='ttl', label=_('Time to live'), - attribute=True, + doc=_('Time to live'), ), StrEnum('dnsclass?', cli_name='class', label=_('Class'), + doc=_('DNS class'), values=_record_classes, - attribute=True, ), ) - has_output = standard_entry + def is_pkey_zone_record(*keys): + idnsname = keys[-1] + if idnsname == '@' or idnsname == ('%s.' % keys[-2]): + return True + return False + + def get_dn(self, *keys, **options): + if self.is_pkey_zone_record(*keys): + return self.api.Object[self.parent_object].get_dn(*keys[:-1], **options) + return super(dnsrecord, self).get_dn(*keys, **options) + +api.register(dnsrecord) + + +class dnsrecord_cmd_w_record_options(Command): + """ + Base class for DNS record commands with record options. + """ + record_param_doc = 'comma-separated list of %s records' + + def get_record_options(self): + for t in _record_types: + t = t.encode('utf-8') + doc = self.record_param_doc % t + validator = _record_validators.get(t) + if validator: + yield List( + '%srecord?' % t.lower(), validator, + cli_name='%s_rec' % t.lower(), doc=doc, + label='%s record' % t, attribute=True + ) + else: + yield List( + '%srecord?' 
% t.lower(), cli_name='%s_rec' % t.lower(), + doc=doc, label='%s record' % t, attribute=True + ) + + def record_options_2_entry(self, **options): + return dict((t, options.get(t, [])) for t in _record_attributes) + + +class dnsrecord_mod_record(LDAPQuery, dnsrecord_cmd_w_record_options): + """ + Base class for adding/removing records from DNS resource entries. + """ + has_output = output.standard_entry - def execute(self, zone, idnsname, type, data, **options): - ldap = self.api.Backend.ldap2 - attr = ('%srecord' % type).lower() + def get_options(self): + for option in super(dnsrecord_mod_record, self).get_options(): + yield option + for option in self.get_record_options(): + yield option - dns_container_exists(ldap) + def execute(self, *keys, **options): + ldap = self.obj.backend - # build entry DN - dn = _get_record_dn(ldap, zone, idnsname) + dn = self.obj.get_dn(*keys, **options) + + entry_attrs = self.record_options_2_entry(**options) - # get resource entry where to store the new record try: - (dn, entry_attrs) = ldap.get_entry(dn, [attr]) + (dn, old_entry_attrs) = ldap.get_entry(dn, entry_attrs.keys()) except errors.NotFound: - if idnsname != '@' and idnsname != zone: - # resource entry doesn't exist, check if zone exists - zone_dn = _get_zone_dn(ldap, zone) - ldap.get_entry(zone_dn, ['']) - # it does, create new resource entry - - # build entry attributes - entry_attrs = self.args_options_2_entry( - (idnsname, ), **options - ) + self.obj.handle_not_found(*keys) + + self.update_old_entry_callback(entry_attrs, old_entry_attrs) + + try: + ldap.update_entry(dn, old_entry_attrs) + except errors.EmptyModlist: + pass + + if options.get('all', False): + attrs_list = ['*'] + else: + attrs_list = list( + set(self.obj.default_attributes + entry_attrs.keys()) + ) + + try: + (dn, entry_attrs) = ldap.get_entry(dn, attrs_list) + except errors.NotFound: + self.obj.handle_not_found(*keys) - # fill in required attributes - entry_attrs['objectclass'] = ['top', 'idnsrecord'] + 
if self.obj.is_pkey_zone_record(*keys): + entry_attrs[self.obj.primary_key.name] = [u'@'] - # fill in the record - entry_attrs[attr] = data + self.post_callback(keys, entry_attrs) - # create the entry - ldap.add_entry(dn, entry_attrs) + return dict(result=entry_attrs, value=keys[-1]) - # get entry with created attributes for output - (dn, entry_attrs) = ldap.get_entry(dn, entry_attrs.keys()) - entry_attrs['dn'] = dn + def update_old_entry_callback(self, entry_attrs, old_entry_attrs): + pass - return dict(result=entry_attrs, value=idnsname) + def post_callback(self, keys, entry_attrs): + pass - # zone doesn't exist - raise - # resource entry already exists, create a modlist for the new record - # convert entry_attrs keys to lowercase - #entry_attrs = dict( - # (k.lower(), v) for (k, v) in entry_attrs.iteritems() - #) +class dnsrecord_add_record(dnsrecord_mod_record): + """ + Add records to DNS resource. + """ + INTERNAL = True - # get new value for record attribute - attr_value = entry_attrs.get(attr, []) - attr_value.append(data) + def update_old_entry_callback(self, entry_attrs, old_entry_attrs): + for (a, v) in entry_attrs.iteritems(): + if not isinstance(v, (list, tuple)): + v = [v] + old_entry_attrs.setdefault(a, []) + old_entry_attrs[a] += v - ldap.update_entry(dn, {attr: attr_value}) - # get entry with updated attribute for output - (dn, entry_attrs) = ldap.get_entry(dn, ['idnsname', attr]) - entry_attrs['dn'] = dn +api.register(dnsrecord_add_record) + + +class dnsrecord_add(LDAPCreate, dnsrecord_cmd_w_record_options): + """ + Add new DNS resource record. 
+ """ + def get_options(self): + for option in super(dnsrecord_add, self).get_options(): + yield option + for option in self.get_record_options(): + yield option + + def exc_callback(self, keys, options, exc, call_func, *call_args, **call_kwargs): + if call_func.func_name == 'add_entry': + if isinstance(exc, errors.DuplicateEntry): + self.obj.methods.add_record( + *keys, **self.record_options_2_entry(**options) + ) + return + raise exc - return dict(result=entry_attrs, value=idnsname) +api.register(dnsrecord_add) - def output_for_cli(self, textui, result, zone, idnsname, type, data, - **options): - entry_attrs = result['result'] - output = '"%s %s %s" to zone "%s"' % ( - idnsname, type, data, zone, - ) - textui.print_name(self.name) - textui.print_attribute('dn', entry_attrs['dn']) - del entry_attrs['dn'] - textui.print_entry(entry_attrs) - textui.print_dashed('Added DNS resource record %s.' % output) +class dnsrecord_delentry(LDAPDelete): + """ + Delete DNS record entry. + """ + INTERNAL = True -api.register(dns_add_rr) +api.register(dnsrecord_delentry) -class dns_del_rr(Command): +class dnsrecord_del(dnsrecord_mod_record): """ Delete DNS resource record. 
""" - - takes_args = ( - Str('zone', - label=_('Zone name'), - normalizer=lambda value: value.lower(), - ), - Str('idnsname', - cli_name='resource', - label=_('Resource name'), - default_from=lambda zone: zone.lower(), - attribute=True, - ), - StrEnum('type', - label=_('Record type'), - values=_record_types, - ), - Str('data', - label=_('Data'), - doc=_('Type-specific data'), - ), - ) - - has_output = standard_entry - - def execute(self, zone, idnsname, type, data, **options): - ldap = self.api.Backend.ldap2 - attr = ('%srecord' % type).lower() - - dns_container_exists(ldap) - - # build entry DN - dn = _get_record_dn(ldap, zone, idnsname) - - # get resource entry with the record we're trying to delete - (dn, entry_attrs) = ldap.get_entry(dn) - - # convert entry_attrs keys to lowercase - entry_attrs = dict( - (k.lower(), v) for (k, v) in entry_attrs.iteritems() - ) - - # get new value for record attribute - attr_value = entry_attrs.get(attr.lower(), []) - try: - attr_value.remove(data) - except ValueError: - raise errors.NotFound(reason=u'resource record not found') - - # check if it's worth to keep this entry in LDAP - if 'idnszone' not in entry_attrs['objectclass']: - # get a list of all meaningful record attributes - record_attrs = [] - for (k, v) in entry_attrs.iteritems(): - if k.endswith('record') and v: - record_attrs.append(k) - # check if the list is empty - if not record_attrs: - # it's not - ldap.delete_entry(dn) - return dict(result={}, value=idnsname) - - ldap.update_entry(dn, {attr: attr_value}) - # get entry with updated attribute for output - (dn, entry_attrs) = ldap.get_entry(dn, ['idnsname', attr]) - entry_attrs['dn'] = dn - - return dict(result=entry_attrs, value=idnsname) - - def output_for_cli(self, textui, result, zone, idnsname, type, data, **options): - output = '"%s %s %s" from zone "%s"' % ( - idnsname, type, data, zone, - ) - entry_attrs = result['result'] - - textui.print_name(self.name) - if entry_attrs: - textui.print_attribute('dn', 
entry_attrs['dn']) - del entry_attrs['dn'] - textui.print_entry(entry_attrs) - textui.print_dashed('Deleted DNS resource record %s' % output) - -api.register(dns_del_rr) - - -class dns_find_rr(Command): + def update_old_entry_callback(self, entry_attrs, old_entry_attrs): + for (a, v) in entry_attrs.iteritems(): + if not isinstance(v, (list, tuple)): + v = [v] + for val in v: + try: + old_entry_attrs[a].remove(val) + except (KeyError, ValueError): + pass + + def post_callback(self, keys, entry_attrs): + if not self.obj.is_pkey_zone_record(*keys): + for a in _record_attributes: + if a in entry_attrs and entry_attrs[a]: + return + self.obj.methods.delentry(*keys) + +api.register(dnsrecord_del) + + +class dnsrecord_show(LDAPRetrieve, dnsrecord_cmd_w_record_options): """ - Search for DNS resource records. + Display DNS resource. """ - takes_args = ( - Str('zone', - label=_('Zone name'), - normalizer=lambda value: value.lower(), - ), - Str('criteria?', - cli_name='criteria', - label=_('Search criteria'), - ), - ) - - takes_options = ( - Str('idnsname?', - cli_name='resource', - label=_('Resource name'), - default_from=lambda zone: zone.lower(), - ), - StrEnum('type?', - label=_('Record type'), - values=_record_types, - ), - Str('data?', - label=_('type-specific data'), - ), - ) - - has_output = standard_list_of_entries - - def execute(self, zone, term, **options): - ldap = self.api.Backend.ldap2 - if 'type' in options: - attr = ('%srecord' % options['type']).lower() - else: - attr = None - - dns_container_exists(ldap) + def has_output_params(self): + for option in self.get_record_options(): + yield option - # build base dn for search - base_dn = _get_zone_dn(ldap, zone) + def post_callback(self, ldap, dn, entry_attrs, *keys, **options): + if self.obj.is_pkey_zone_record(*keys): + entry_attrs[self.obj.primary_key.name] = [u'@'] + return dn - # build search keywords - search_kw = {} - if 'data' in options: - if attr is not None: - # user is looking for a certain record 
type - search_kw[attr] = options['data'] - else: - # search in all record types - for a in _record_default_attributes: - search_kw[a] = term - if 'idnsname' in options: - idnsname = options['idnsname'] - if idnsname == '@': - search_kw['idnsname'] = zone - else: - search_kw['idnsname'] = idnsname +api.register(dnsrecord_show) - # build search filter - filter = ldap.make_filter(search_kw, rules=ldap.MATCH_ALL) - if term: - search_kw = {} - for a in _record_default_attributes: - search_kw[a] = term - term_filter = ldap.make_filter(search_kw, exact=False) - filter = ldap.combine_filters((filter, term_filter), ldap.MATCH_ALL) - # select attributes we want to retrieve - if options.get('all', False): - attrs_list = ['*'] - elif attr is not None: - attrs_list = [attr] - else: - attrs_list = _record_default_attributes - - # get matching entries - try: - (entries, truncated) = ldap.find_entries( - filter, attrs_list, base_dn - ) - except errors.NotFound: - (entries, truncated) = (tuple(), False) - - # if the user is looking for a certain record type, don't display - # entries that do not contain it - if attr is not None: - related_entries = [] - for e in entries: - entry_attrs = e[1] - if attr in entry_attrs: - related_entries.append(e) - entries = related_entries - - for e in entries: - e[1]['dn'] = e[0] - entries = tuple(e for (dn, e) in entries) - - return dict(result=entries, count=len(entries), truncated=truncated) - - def output_for_cli(self, textui, result, zone, term, **options): - entries = result['result'] - truncated = result['truncated'] - - textui.print_name(self.name) - for entry_attrs in entries: - textui.print_attribute('dn', entry_attrs['dn']) - del entry_attrs['dn'] - textui.print_entry(entry_attrs) - textui.print_plain('') - textui.print_count( - len(entries), '%i DNS resource record matched.', - '%i DNS resource records matched.' 
- ) - if truncated: - textui.print_dashed('These results are truncated.', below=False) - textui.print_dashed( - 'Please refine your search and try again.', above=False - ) - -api.register(dns_find_rr) - - -class dns_show_rr(Command): +class dnsrecord_find(LDAPSearch, dnsrecord_cmd_w_record_options): """ - Show existing DNS resource records. + Search for DNS resources. """ + def get_options(self): + for option in super(dnsrecord_find, self).get_options(): + yield option + for option in self.get_record_options(): + yield option.clone(query=True) + + def pre_callback(self, ldap, filter, attrs_list, base_dn, scope, *args, **options): + record_attrs = self.record_options_2_entry(**options) + record_filter = ldap.make_filter(record_attrs, rules=ldap.MATCH_ALL) + filter = ldap.combine_filters( + (filter, record_filter), rules=ldap.MATCH_ALL + ) + return (filter, base_dn, ldap.SCOPE_SUBTREE) - takes_args = ( - Str('zone', - label=_('Zone name'), - normalizer=lambda value: value.lower(), - ), - Str('idnsname', - cli_name='resource', - label=_('Resource name'), - normalizer=lambda value: value.lower(), - ), - ) - - has_output = standard_entry - - def execute(self, zone, idnsname, **options): - # shows all records associated with resource - ldap = self.api.Backend.ldap2 - - dns_container_exists(ldap) - - # build entry DN - dn = _get_record_dn(ldap, zone, idnsname) - - # select attributes we want to retrieve - if options.get('all', False): - attrs_list = ['*'] - else: - attrs_list = _record_default_attributes - - (dn, entry_attrs) = ldap.get_entry(dn, attrs_list) - entry_attrs['dn'] = dn - - return dict(result=entry_attrs, value=idnsname) - - def output_for_cli(self, textui, result, zone, idnsname, **options): - entry_attrs = result['result'] - - textui.print_name(self.name) - textui.print_attribute('dn', entry_attrs['dn']) - del entry_attrs['dn'] - textui.print_entry(entry_attrs) - -api.register(dns_show_rr) + def post_callback(self, ldap, entries, truncated, *args, 
**options): + if entries: + zone_obj = self.api.Object[self.obj.parent_object] + zone_dn = zone_obj.get_dn(args[0]) + if entries[0][0] == zone_dn: + entries[0][1][zone_obj.primary_key.name] = [u'@'] +api.register(dnsrecord_find) class dns_resolve(Command): """ diff --git a/ipalib/plugins/dns2.py b/ipalib/plugins/dns2.py deleted file mode 100644 index d8e0ad657ef45085258cfec018647d83455eb94c..0000000000000000000000000000000000000000 --- a/ipalib/plugins/dns2.py +++ /dev/null 
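Review bot: dnsrecord_del.update_old_entry_callback swallows the missing-value case with `except (KeyError, ValueError): pass`, so `dnsrecord-del` now succeeds silently when the value to remove is not present on the entry, whereas the dns_del_rr code removed in this hunk raised `errors.NotFound(reason=u'resource record not found')`; keep that error so a mistyped value is reported instead of being shown as a successful deletion. Also, dnsrecord_find.post_callback rewrites the name to '@' only when the zone entry happens to be entries[0]; unless the search guarantees that ordering, compare every entry's dn against zone_dn rather than just the first.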
@@ -1,623 +0,0 @@ -# Authors: -# Pavel Zuna -# -# Copyright (C) 2010 Red Hat -# see file 'COPYING' for use and warranty information -# -# This program is free software; you can redistribute it and/or modify -# it under the terms of the GNU General Public License as published by -# the Free Software Foundation, either version 3 of the License, or -# (at your option) any later version. -# -# This program is distributed in the hope that it will be useful, -# but WITHOUT ANY WARRANTY; without even the implied warranty of -# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -# GNU General Public License for more details. -# -# You should have received a copy of the GNU General Public License -# along with this program. If not, see . -""" -Domain Name System (DNS) - -Manage DNS zone and resource records. - -EXAMPLES: - - Add new zone: - ipa dnszone-add example.com --name-server nameserver.example.com - --admin-email admin at example.com - - Add second nameserver for example.com: - ipa dnsrecord-add example.com @ --ns-rec nameserver2.example.com - - Delete previously added nameserver from example.com: - ipa dnsrecord-del example.com @ --ns-rec nameserver2.example.com - - Add new A record for www.example.com: (random IP) - ipa dnsrecord-add example.com www --a-rec 80.142.15.2 - - Add new PTR record for www.example.com - ipa dnsrecord 15.142.80.in-addr.arpa 2 --ptr-rec www.example.com. 
- - Show zone example.com: - ipa dnszone-show example.com - - Find zone with "example" in it's domain name: - ipa dnszone-find example - - Find records for resources with "www" in their name in zone example.com: - ipa dnsrecord-find example.com www - - Find A records with value 10.10.0.1 in zone example.com - ipa dnsrecord-find example.com --a-rec 10.10.0.1 - - Show records for resource www in zone example.com - ipa dnsrecord-show example.com www - - Delete zone example.com with all resource records: - ipa dnszone-del example.com - - Resolve a host name to see if it exists (will add default IPA domain - if one is not included): - ipa dns-resolve www.example.com - ipa dns-resolve www - -""" - -import netaddr -import time - -from ipalib import api, errors, output -from ipalib import Command -from ipalib import Flag, Int, List, Str, StrEnum -from ipalib.plugins.baseldap import * -from ipalib import _, ngettext -from ipapython import dnsclient - -# supported resource record types -_record_types = ( - u'A', u'AAAA', u'A6', u'AFSDB', u'APL', u'CERT', u'CNAME', u'DHCID', u'DLV', - u'DNAME', u'DNSKEY', u'DS', u'HINFO', u'HIP', u'IPSECKEY', u'KEY', u'KX', - u'LOC', u'MD', u'MINFO', u'MX', u'NAPTR', u'NS', u'NSEC', u'NSEC3', - u'NSEC3PARAM', u'NXT', u'PTR', u'RRSIG', u'RP', u'SIG', u'SPF', u'SRV', - u'SSHFP', u'TA', u'TKEY', u'TSIG', u'TXT', -) - -# attributes derived from record types -_record_attributes = [str('%srecord' % t.lower()) for t in _record_types] - -# supported DNS classes, IN = internet, rest is almost never used -_record_classes = (u'IN', u'CS', u'CH', u'HS') - -# normalizer for admin email -def _rname_normalizer(value): - value = value.replace('@', '.') - if not value.endswith('.'): - value += '.' 
- return value - -def _create_zone_serial(**kwargs): - """Generate serial number for zones.""" - return int('%s01' % time.strftime('%Y%d%m')) - -def _validate_ipaddr(ugettext, ipaddr): - try: - ip = netaddr.IPAddress(ipaddr) - except netaddr.AddrFormatError: - return u'invalid address format' - return None - -def _validate_ipnet(ugettext, ipnet): - try: - net = netaddr.IPNetwork(ipnet) - except (UnboundLocalError, ValueError): - return u'invalid format' - return None - -_record_validators = { - u'A': _validate_ipaddr, - u'AAAA': _validate_ipaddr, - u'APL': _validate_ipnet, -} - - -def dns_container_exists(ldap): - try: - ldap.get_entry(api.env.container_dns, []) - except errors.NotFound: - return False - return True - -class dnszone(LDAPObject): - """ - DNS Zone, container for resource records. - """ - container_dn = api.env.container_dns - object_name = 'DNS zone' - object_name_plural = 'DNS zones' - object_class = ['top', 'idnsrecord', 'idnszone'] - default_attributes = [ - 'idnsname', 'idnszoneactive', 'idnssoamname', 'idnssoarname', - 'idnssoaserial', 'idnssoarefresh', 'idnssoaretry', 'idnssoaexpire', - 'idnssoaminimum' - ] + _record_attributes - label = _('DNS') - - takes_params = ( - Str('idnsname', - cli_name='name', - label=_('Zone name'), - doc=_('Zone name (FQDN)'), - normalizer=lambda value: value.lower(), - primary_key=True, - ), - Str('idnssoamname', - cli_name='name_server', - label=_('Authoritative name server'), - doc=_('Authoritative name server'), - ), - Str('idnssoarname', - cli_name='admin_email', - label=_('Administrator e-mail address'), - doc=_('Administrator e-mail address'), - default_from=lambda idnsname: 'root.%s' % idnsname, - normalizer=_rname_normalizer, - ), - Int('idnssoaserial?', - cli_name='serial', - label=_('SOA serial'), - doc=_('SOA record serial number'), - create_default=_create_zone_serial, - autofill=True, - ), - Int('idnssoarefresh?', - cli_name='refresh', - label=_('SOA refresh'), - doc=_('SOA record refresh time'), - 
default=3600, - autofill=True, - ), - Int('idnssoaretry?', - cli_name='retry', - label=_('SOA retry'), - doc=_('SOA record retry time'), - default=900, - autofill=True, - ), - Int('idnssoaexpire?', - cli_name='expire', - label=_('SOA expire'), - doc=_('SOA record expire time'), - default=1209600, - autofill=True, - ), - Int('idnssoaminimum?', - cli_name='minimum', - label=_('SOA minimum'), - doc=_('SOA record minimum value'), - default=3600, - autofill=True, - ), - Int('idnssoamaximum?', - cli_name='maximum', - label=_('SOA maximum'), - doc=_('SOA record maximum value'), - ), - Int('dnsttl?', - cli_name='ttl', - label=_('SOA time to live'), - doc=_('SOA record time to live'), - ), - StrEnum('dnsclass?', - cli_name='class', - label=_('SOA class'), - doc=_('SOA record class'), - values=_record_classes, - ), - Str('idnsupdatepolicy?', - cli_name='update_policy', - label=_('BIND update policy'), - doc=_('BIND update policy'), - ), - Flag('idnszoneactive?', - cli_name='zone_active', - label=_('Active zone'), - doc=_('Is zone active?'), - flags=['no_create', 'no_update'], - attribute=True, - ), - Flag('idnsallowdynupdate', - cli_name='allow_dynupdate', - label=_('Dynamic update'), - doc=_('Allow dynamic update?'), - attribute=True, - ), - ) - -api.register(dnszone) - - -class dnszone_add(LDAPCreate): - """ - Create new DNS zone (SOA record). - """ - def pre_callback(self, ldap, dn, entry_attrs, *keys, **options): - if not dns_container_exists(self.api.Backend.ldap2): - raise errors.NotFound(reason=_('DNS is not configured')) - - entry_attrs['idnszoneactive'] = 'TRUE' - entry_attrs['idnsallowdynupdate'] = str( - entry_attrs.get('idnsallowdynupdate', False) - ).upper() - - nameserver = entry_attrs['idnssoamname'] - if nameserver[-1] != '.': - nameserver += '.' - entry_attrs['nsrecord'] = nameserver - entry_attrs['idnssoamname'] = nameserver - return dn - -api.register(dnszone_add) - - -class dnszone_del(LDAPDelete): - """ - Delete DNS zone (SOA record). 
- """ - -api.register(dnszone_del) - - -class dnszone_mod(LDAPUpdate): - """ - Modify DNS zone (SOA record). - """ - def pre_callback(self, ldap, dn, entry_attrs, *keys, **options): - entry_attrs['idnsallowdynupdate'] = str( - entry_attrs.get('idnsallowdynupdate', False) - ).upper() - return dn - -api.register(dnszone_mod) - - -class dnszone_find(LDAPSearch): - """ - Search for DNS zones (SOA records). - """ - -api.register(dnszone_find) - - -class dnszone_show(LDAPRetrieve): - """ - Display information about a DNS zone (SOA record). - """ - -api.register(dnszone_show) - - -class dnszone_disable(LDAPQuery): - """ - Disable DNS Zone. - """ - has_output = output.standard_value - msg_summary = _('Disabled DNS zone "%(value)s"') - - def execute(self, *keys, **options): - ldap = self.obj.backend - - dn = self.obj.get_dn(*keys, **options) - - try: - ldap.update_entry(dn, {'idnszoneactive': 'FALSE'}) - except errors.EmptyModlist: - pass - - return dict(result=True, value=keys[-1]) - -api.register(dnszone_disable) - - -class dnszone_enable(LDAPQuery): - """ - Enable DNS Zone. - """ - has_output = output.standard_value - msg_summary = _('Enabled DNS zone "%(value)s"') - - def execute(self, *keys, **options): - ldap = self.obj.backend - - dn = self.obj.get_dn(*keys, **options) - - try: - ldap.update_entry(dn, {'idnszoneactive': 'TRUE'}) - except errors.EmptyModlist: - pass - - return dict(result=True, value=keys[-1]) - -api.register(dnszone_enable) - - -class dnsrecord(LDAPObject): - """ - DNS record. 
- """ - parent_object = 'dnszone' - container_dn = api.env.container_dns - object_name = 'DNS resource record' - object_name_plural = 'DNS resource records' - object_class = ['top', 'idnsrecord'] - default_attributes = _record_attributes + ['idnsname'] - - label = _('DNS resource record') - - takes_params = ( - Str('idnsname', - cli_name='name', - label=_('Record name'), - doc=_('Record name'), - primary_key=True, - ), - Int('dnsttl?', - cli_name='ttl', - label=_('Time to live'), - doc=_('Time to live'), - ), - StrEnum('dnsclass?', - cli_name='class', - label=_('Class'), - doc=_('DNS class'), - values=_record_classes, - ), - ) - - def is_pkey_zone_record(*keys): - idnsname = keys[-1] - if idnsname == '@' or idnsname == ('%s.' % keys[-2]): - return True - return False - - def get_dn(self, *keys, **options): - if self.is_pkey_zone_record(*keys): - return self.api.Object[self.parent_object].get_dn(*keys[:-1], **options) - return super(dnsrecord, self).get_dn(*keys, **options) - -api.register(dnsrecord) - - -class dnsrecord_cmd_w_record_options(Command): - """ - Base class for DNS record commands with record options. - """ - record_param_doc = 'comma-separated list of %s records' - - def get_record_options(self): - for t in _record_types: - t = t.encode('utf-8') - doc = self.record_param_doc % t - validator = _record_validators.get(t) - if validator: - yield List( - '%srecord?' % t.lower(), validator, - cli_name='%s_rec' % t.lower(), doc=doc, - label='%s record' % t, attribute=True - ) - else: - yield List( - '%srecord?' % t.lower(), cli_name='%s_rec' % t.lower(), - doc=doc, label='%s record' % t, attribute=True - ) - - def record_options_2_entry(self, **options): - return dict((t, options.get(t, [])) for t in _record_attributes) - - -class dnsrecord_mod_record(LDAPQuery, dnsrecord_cmd_w_record_options): - """ - Base class for adding/removing records from DNS resource entries. 
- """ - has_output = output.standard_entry - - def get_options(self): - for option in super(dnsrecord_mod_record, self).get_options(): - yield option - for option in self.get_record_options(): - yield option - - def execute(self, *keys, **options): - ldap = self.obj.backend - - dn = self.obj.get_dn(*keys, **options) - - entry_attrs = self.record_options_2_entry(**options) - - try: - (dn, old_entry_attrs) = ldap.get_entry(dn, entry_attrs.keys()) - except errors.NotFound: - self.obj.handle_not_found(*keys) - - self.update_old_entry_callback(entry_attrs, old_entry_attrs) - - try: - ldap.update_entry(dn, old_entry_attrs) - except errors.EmptyModlist: - pass - - if options.get('all', False): - attrs_list = ['*'] - else: - attrs_list = list( - set(self.obj.default_attributes + entry_attrs.keys()) - ) - - try: - (dn, entry_attrs) = ldap.get_entry(dn, attrs_list) - except errors.NotFound: - self.obj.handle_not_found(*keys) - - if self.obj.is_pkey_zone_record(*keys): - entry_attrs[self.obj.primary_key.name] = [u'@'] - - self.post_callback(keys, entry_attrs) - - return dict(result=entry_attrs, value=keys[-1]) - - def update_old_entry_callback(self, entry_attrs, old_entry_attrs): - pass - - def post_callback(self, keys, entry_attrs): - pass - - -class dnsrecord_add_record(dnsrecord_mod_record): - """ - Add records to DNS resource. - """ - INTERNAL = True - - def update_old_entry_callback(self, entry_attrs, old_entry_attrs): - for (a, v) in entry_attrs.iteritems(): - if not isinstance(v, (list, tuple)): - v = [v] - old_entry_attrs.setdefault(a, []) - old_entry_attrs[a] += v - -api.register(dnsrecord_add_record) - - -class dnsrecord_add(LDAPCreate, dnsrecord_cmd_w_record_options): - """ - Add new DNS resource record. 
- """ - def get_options(self): - for option in super(dnsrecord_add, self).get_options(): - yield option - for option in self.get_record_options(): - yield option - - def exc_callback(self, keys, options, exc, call_func, *call_args, **call_kwargs): - if call_func.func_name == 'add_entry': - if isinstance(exc, errors.DuplicateEntry): - self.obj.methods.add_record( - *keys, **self.record_options_2_entry(**options) - ) - return - raise exc - -api.register(dnsrecord_add) - - -class dnsrecord_delentry(LDAPDelete): - """ - Delete DNS record entry. - """ - INTERNAL = True - -api.register(dnsrecord_delentry) - - -class dnsrecord_del(dnsrecord_mod_record): - """ - Delete DNS resource record. - """ - def update_old_entry_callback(self, entry_attrs, old_entry_attrs): - for (a, v) in entry_attrs.iteritems(): - if not isinstance(v, (list, tuple)): - v = [v] - for val in v: - try: - old_entry_attrs[a].remove(val) - except (KeyError, ValueError): - pass - - def post_callback(self, keys, entry_attrs): - if not self.obj.is_pkey_zone_record(*keys): - for a in _record_attributes: - if a in entry_attrs and entry_attrs[a]: - return - self.obj.methods.delentry(*keys) - -api.register(dnsrecord_del) - - -class dnsrecord_show(LDAPRetrieve, dnsrecord_cmd_w_record_options): - """ - Display DNS resource. - """ - def has_output_params(self): - for option in self.get_record_options(): - yield option - - def post_callback(self, ldap, dn, entry_attrs, *keys, **options): - if self.obj.is_pkey_zone_record(*keys): - entry_attrs[self.obj.primary_key.name] = [u'@'] - return dn - -api.register(dnsrecord_show) - - -class dnsrecord_find(LDAPSearch, dnsrecord_cmd_w_record_options): - """ - Search for DNS resources. 
- """ - def get_options(self): - for option in super(dnsrecord_find, self).get_options(): - yield option - for option in self.get_record_options(): - yield option.clone(query=True) - - def pre_callback(self, ldap, filter, attrs_list, base_dn, scope, *args, **options): - record_attrs = self.record_options_2_entry(**options) - record_filter = ldap.make_filter(record_attrs, rules=ldap.MATCH_ALL) - filter = ldap.combine_filters( - (filter, record_filter), rules=ldap.MATCH_ALL - ) - return (filter, base_dn, ldap.SCOPE_SUBTREE) - - def post_callback(self, ldap, entries, truncated, *args, **options): - if entries: - zone_obj = self.api.Object[self.obj.parent_object] - zone_dn = zone_obj.get_dn(args[0]) - if entries[0][0] == zone_dn: - entries[0][1][zone_obj.primary_key.name] = [u'@'] - -api.register(dnsrecord_find) - -class dns_resolve(Command): - """ - Resolve a host name in DNS - """ - has_output = output.standard_value - msg_summary = _('Found \'%(value)s\'') - - takes_args = ( - Str('hostname', - label=_('Hostname'), - ), - ) - - def execute(self, *args, **options): - query=args[0] - if query.find(api.env.domain) == -1 and query.find('.') == -1: - query = '%s.%s.' % (query, api.env.domain) - if query[-1] != '.': - query = query + '.' - reca = dnsclient.query(query, dnsclient.DNS_C_IN, dnsclient.DNS_T_A) - rec6 = dnsclient.query(query, dnsclient.DNS_C_IN, dnsclient.DNS_T_AAAA) - records = reca + rec6 - found = False - for rec in records: - if rec.dns_type == dnsclient.DNS_T_A or \ - rec.dns_type == dnsclient.DNS_T_AAAA: - found = True - break - - if not found: - raise errors.NotFound(reason=_('Host \'%(host)s\' not found' % {'host':query})) - - return dict(result=True, value=query) - -api.register(dns_resolve) diff --git a/ipalib/plugins/host.py b/ipalib/plugins/host.py index d60f63776714689e754c3f1c18e972e062304edc..8639ce5a07e1b0d8f3707633ba184a7bee3ad51c 100644 --- a/ipalib/plugins/host.py +++ b/ipalib/plugins/host.py 
@@ -84,7 +84,7 @@ from ipalib.plugins.service import normalize_certificate from ipalib.plugins.service import set_certificate_attrs from ipalib.plugins.service import make_pem, check_writable_file from ipalib.plugins.service import write_certificate -from ipalib.plugins.dns2 import dns_container_exists, _record_types +from ipalib.plugins.dns import dns_container_exists, _record_types from ipalib import _, ngettext from ipalib import x509 from ipapython.ipautil import ipa_generate_password -- 1.7.3.4 From rcritten at redhat.com Wed Jan 12 21:40:17 2011 From: rcritten at redhat.com (Rob Crittenden) Date: Wed, 12 Jan 2011 16:40:17 -0500 Subject: [Freeipa-devel] [PATCH] 675 drop build dep on mozldap Message-ID: <4D2E1FC1.40702@redhat.com> We now build using just openldap so drop the build dependency on mozldap. rob -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-rcrit-675-mozldap.patch Type: text/x-patch Size: 1597 bytes Desc: not available URL: From jhrozek at redhat.com Wed Jan 12 21:45:07 2011 From: jhrozek at redhat.com (Jakub Hrozek) Date: Wed, 12 Jan 2011 22:45:07 +0100 Subject: [Freeipa-devel] [PATCH] 675 drop build dep on mozldap In-Reply-To: <4D2E1FC1.40702@redhat.com> References: <4D2E1FC1.40702@redhat.com> Message-ID: <20110112214506.GB4505@zeppelin.brq.redhat.com> On Wed, Jan 12, 2011 at 04:40:17PM -0500, Rob Crittenden wrote: > We now build using just openldap so drop the build dependency on mozldap. > > rob Related question: we have a couple of #ifdef WITH_MOZLDAP preprocessor directives in the SLAPI plugin code, should we get rid of them and only support OpenLDAP, too? Jakub From ssorce at redhat.com Wed Jan 12 21:46:29 2011 
From: ssorce at redhat.com (Simo Sorce)
Date: Wed, 12 Jan 2011 16:46:29 -0500
Subject: [Freeipa-devel] [PATCH] 0049 Restrict anonymous tickets to get only tgts
Message-ID: <20110112164629.1bd08d6d@willson.li.ssimo.org>

If pkinit is configured anonymous tickets can be obtained.
To avoid impacting badly written applications that consider successful
authentication also implicit authorization, by default restrict
anonymous ticket to only be able to get the TGTs. This is sufficient to
make FAST work with pkinit but will block any other usage unless the
admin explicitly decides to allow it by changing the kdc.conf file.

Ticket #432

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-simo-0049-Restrict-anonymous-tgts.patch
Type: text/x-patch
Size: 730 bytes
Desc: not available
URL: 

From rcritten at redhat.com Wed Jan 12 21:49:05 2011
From: rcritten at redhat.com (Rob Crittenden)
Date: Wed, 12 Jan 2011 16:49:05 -0500
Subject: [Freeipa-devel] [PATCH] 675 drop build dep on mozldap
In-Reply-To: <20110112214506.GB4505@zeppelin.brq.redhat.com>
References: <4D2E1FC1.40702@redhat.com> <20110112214506.GB4505@zeppelin.brq.redhat.com>
Message-ID: <4D2E21D1.30608@redhat.com>

Jakub Hrozek wrote:
> On Wed, Jan 12, 2011 at 04:40:17PM -0500, Rob Crittenden wrote:
>> We now build using just openldap so drop the build dependency on mozldap.
>>
>> rob
>
> Related question: we have a couple of #ifdef WITH_MOZLDAP preprocessor
> directives in the SLAPI plugin code, should we get rid of them and only
> support OpenLDAP, too?

I think probably so. I was narrowly focused on getting to build without the dep.

rob

From rcritten at redhat.com Wed Jan 12 21:55:04 2011
From: rcritten at redhat.com (Rob Crittenden)
Date: Wed, 12 Jan 2011 16:55:04 -0500
Subject: [Freeipa-devel] [PATCH] 0049 Restrict anonymous tickets to get only tgts
In-Reply-To: <20110112164629.1bd08d6d@willson.li.ssimo.org>
References: <20110112164629.1bd08d6d@willson.li.ssimo.org>
Message-ID: <4D2E2338.2040806@redhat.com>

Simo Sorce wrote:
>
> If pkinit is configured anonymous tickets can be obtained.
> To avoid impacting badly written applications that consider successful
> authentication also implicit authorization, by default restrict
> anonymous ticket to only be able to get the TGTs. This is sufficient to
> make FAST work with pkinit but will block any other usage unless the
> admin explicitly decides to allow it by changing the kdc.conf file.
>
> Ticket #432
>
> Simo.

ack

From ssorce at redhat.com Wed Jan 12 22:06:16 2011
From: ssorce at redhat.com (Simo Sorce)
Date: Wed, 12 Jan 2011 17:06:16 -0500
Subject: [Freeipa-devel] [PATCH] 675 drop build dep on mozldap
In-Reply-To: <4D2E21D1.30608@redhat.com>
References: <4D2E1FC1.40702@redhat.com> <20110112214506.GB4505@zeppelin.brq.redhat.com> <4D2E21D1.30608@redhat.com>
Message-ID: <20110112170616.326fd5a7@willson.li.ssimo.org>

On Wed, 12 Jan 2011 16:49:05 -0500
Rob Crittenden wrote:

> Jakub Hrozek wrote:
> > On Wed, Jan 12, 2011 at 04:40:17PM -0500, Rob Crittenden wrote:
> >> We now build using just openldap so drop the build dependency on
> >> mozldap.
> >>
> >> rob
> >
> > Related question: we have a couple of #ifdef WITH_MOZLDAP
> > preprocessor directives in the SLAPI plugin code, should we get rid
> > of them and only support OpenLDAP, too?
>
> I think probably so. I was narrowly focused on getting to build
> without the dep.

Please open a deferred ticket to do it later.
Or we will forget.

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York

From ssorce at redhat.com Wed Jan 12 22:10:51 2011
From: ssorce at redhat.com (Simo Sorce)
Date: Wed, 12 Jan 2011 17:10:51 -0500
Subject: [Freeipa-devel] [PATCH] 675 drop build dep on mozldap
In-Reply-To: <4D2E1FC1.40702@redhat.com>
References: <4D2E1FC1.40702@redhat.com>
Message-ID: <20110112171051.0b233782@willson.li.ssimo.org>

On Wed, 12 Jan 2011 16:40:17 -0500
Rob Crittenden wrote:

> We now build using just openldap so drop the build dependency on
> mozldap.
>
> rob

Nack,
you forgot the configure.ac change

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York

From rcritten at redhat.com Wed Jan 12 22:16:35 2011
From: rcritten at redhat.com (Rob Crittenden)
Date: Wed, 12 Jan 2011 17:16:35 -0500
Subject: [Freeipa-devel] [PATCH] 675 drop build dep on mozldap
In-Reply-To: <20110112171051.0b233782@willson.li.ssimo.org>
References: <4D2E1FC1.40702@redhat.com> <20110112171051.0b233782@willson.li.ssimo.org>
Message-ID: <4D2E2843.3020005@redhat.com>

Simo Sorce wrote:
> On Wed, 12 Jan 2011 16:40:17 -0500
> Rob Crittenden wrote:
>
>> We now build using just openldap so drop the build dependency on
>> mozldap.
>>
>> rob
>
> Nack,
> you forgot the configure.ac change
>
> Simo.
>

It was in patch 674. Redid both of them, updated patch attached.

rob
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-rcrit-675-2-mozldap.patch
Type: text/x-patch
Size: 2385 bytes
Desc: not available
URL: 

From rcritten at redhat.com Wed Jan 12 22:17:12 2011
From: rcritten at redhat.com (Rob Crittenden)
Date: Wed, 12 Jan 2011 17:17:12 -0500
Subject: [Freeipa-devel] [PATCH] 674 add API version
In-Reply-To: <4D2E1F92.8060200@redhat.com>
References: <4D2DD0D3.1050206@redhat.com> <20110112141920.062b5002@willson.li.ssimo.org> <4D2E1F92.8060200@redhat.com>
Message-ID: <4D2E2868.2050808@redhat.com>

Rob Crittenden wrote:
> Simo Sorce wrote:
>> On Wed, 12 Jan 2011 11:03:31 -0500
>> Rob Crittenden wrote:
>>
>>> Add an API version that is enforced both when the server is built (to
>>> disallow unexpected API changes) and when clients talk to the server.
>>> See the patch for further details.
>>>
>>> ticket 584
>>>
>>> rob
>>
>> Technical nack, API.txt is missing.
>>
>> Also it would be really nice if we could test the API on build.
>> Is the utf8 plugin thing really needed in order to test the api, or
>> could we use PYTHONPATH and a fake python module by the same name
>> just to get through the import w/o getting an exception out ?
>>
>> Simo.
>>
>
> Updated patch attached.
>
> I worked around requiring the utf8 plugin so this should be executable
> from a fresh git pull and will always validate the api when building.
>
> I also made a separate patch for the mozldap dependency change (675).
>
> rob

Moved the changes to daemons/configure.ac to patch 675.

rob
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-rcrit-674-4-version.patch
Type: text/x-patch
Size: 357873 bytes
Desc: not available
URL: 

From ssorce at redhat.com Wed Jan 12 22:22:24 2011
From: ssorce at redhat.com (Simo Sorce)
Date: Wed, 12 Jan 2011 17:22:24 -0500
Subject: [Freeipa-devel] [PATCH] 035 Fixes for the DNS plugin
In-Reply-To: <4D2747D2.4020709@redhat.com>
References: <20110107155449.GA16406@zeppelin.brq.redhat.com> <20110107155805.GB16406@zeppelin.brq.redhat.com> <4D273F37.9080706@redhat.com> <4D274667.10808@redhat.com> <4D2747D2.4020709@redhat.com>
Message-ID: <20110112172224.1c42a8ba@willson.li.ssimo.org>

On Fri, 07 Jan 2011 12:05:22 -0500
Adam Young wrote:

> ACK

Pushed to master.

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York

From ssorce at redhat.com Wed Jan 12 22:22:47 2011
From: ssorce at redhat.com (Simo Sorce)
Date: Wed, 12 Jan 2011 17:22:47 -0500
Subject: [Freeipa-devel] [PATCH] 036 Use correct option name in host plugin
In-Reply-To: <20110112150443.2717f8f6@willson.li.ssimo.org>
References: <4D2E06EE.5010306@redhat.com> <20110112150443.2717f8f6@willson.li.ssimo.org>
Message-ID: <20110112172247.620df595@willson.li.ssimo.org>

On Wed, 12 Jan 2011 15:04:43 -0500
Simo Sorce wrote:

> On Wed, 12 Jan 2011 20:54:22 +0100
> Jakub Hrozek wrote:
>
> > -----BEGIN PGP SIGNED MESSAGE-----
> > Hash: SHA1
> >
> > Managing DNS records when adding/deleting hosts with the host plugin
> > was broken because we used a wrong attribute name (ipaddr, should be
> > ip_address)
>
> ACK,
> Simo.
>

Pushed to master.

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York

From rcritten at redhat.com Wed Jan 12 22:49:42 2011
From: rcritten at redhat.com (Rob Crittenden)
Date: Wed, 12 Jan 2011 17:49:42 -0500
Subject: [Freeipa-devel] Dropping support for Fedora 13
Message-ID: <4D2E3006.2020808@redhat.com>

With the patch titled '674 drop build dep on mozldap' freeipa v2 will no
longer build on Fedora 13. Newer versions of 389-ds build against an
NSS-based openldap rather than mozldap. Supporting both libraries has been
challenging so we are just going to drop Fedora 13 support.

This is merely a build issue for now. I suspect that if you wanted to
revert this patch in your Fedora 13 source tree it would still build fine
for quite a while.

regards

rob

From nalin at redhat.com Wed Jan 12 23:06:57 2011
From: nalin at redhat.com (Nalin Dahyabhai)
Date: Wed, 12 Jan 2011 18:06:57 -0500
Subject: [Freeipa-devel] Dropping support for Fedora 13
In-Reply-To: <4D2E3006.2020808@redhat.com>
References: <4D2E3006.2020808@redhat.com>
Message-ID: <20110112230657.GA30044@redhat.com>

On Wed, Jan 12, 2011 at 05:49:42PM -0500, Rob Crittenden wrote:
> With the patch titled '674 drop build dep on mozldap' freeipa v2 will
> no longer build on Fedora 13.

So just to be clear, we should stop trying to build git snapshot builds
on f13? If so, is this for everything, just the freeipa package, or
something in between?

Nalin

From edewata at redhat.com Thu Jan 13 02:11:29 2011
From: edewata at redhat.com (Endi Sukma Dewata)
Date: Thu, 13 Jan 2011 09:11:29 +0700
Subject: [Freeipa-devel] [PATCH] Host details adjustments.
Message-ID: <4D2E5F51.5080301@redhat.com>

Hi,

The attached patch should address issue #1 and #2 in this bug:
https://fedorahosted.org/freeipa/ticket/670

The labels for the following fields in Host details page have been changed:
- fqdn: Fully Qualified Host Name
- serverhostname: Host Name

The ipa_details_field_create_input() and _ipa_create_text_input() have been
converted into methods in ipa_details_field class. The code has been modified
to display read-only fields as labels instead of disabled text fields.

-- 
Endi S. Dewata

-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-edewata-0067-Host-details-adjustments.patch
Type: text/x-patch
Size: 23861 bytes

From rcritten at redhat.com Thu Jan 13 02:32:09 2011
From: rcritten at redhat.com (Rob Crittenden)
Date: Wed, 12 Jan 2011 21:32:09 -0500
Subject: [Freeipa-devel] Dropping support for Fedora 13
In-Reply-To: <20110112230657.GA30044@redhat.com>
References: <4D2E3006.2020808@redhat.com> <20110112230657.GA30044@redhat.com>
Message-ID: <4D2E6429.80400@redhat.com>

Nalin Dahyabhai wrote:
> On Wed, Jan 12, 2011 at 05:49:42PM -0500, Rob Crittenden wrote:
>> With the patch titled '674 drop build dep on mozldap' freeipa v2 will
>> no longer build on Fedora 13.
>
> So just to be clear, we should stop trying to build git snapshot builds
> on f13? If so, is this for everything, just the freeipa package, or
> something in between?
>
> Nalin

I believe everything for F13 assuming nobody else is using our devel repo
for other things.

rob

From edewata at redhat.com Thu Jan 13 02:49:24 2011
From: edewata at redhat.com (Endi Sukma Dewata)
Date: Thu, 13 Jan 2011 09:49:24 +0700
Subject: [Freeipa-devel] [PATCH] admiyo-0140-javascript-lint-cleanup
In-Reply-To: <4D2E0E5F.10106@redhat.com>
References: <4D2E0E5F.10106@redhat.com>
Message-ID: <4D2E6834.7090207@redhat.com>

On 1/13/2011 3:26 AM, Adam Young wrote:
> Now if you run jsl this way, you get no warnings.
>
> jsl `ls *js | grep -v jquery | grep -v json | sed 's!^!process !g' `

ACK and pushed to master.

-- 
Endi S. Dewata

From edewata at redhat.com Thu Jan 13 03:07:09 2011
From: edewata at redhat.com (Endi Sukma Dewata)
Date: Thu, 13 Jan 2011 10:07:09 +0700
Subject: [Freeipa-devel] [PATCH] Host details adjustments.
In-Reply-To: <4D2E5F51.5080301@redhat.com>
References: <4D2E5F51.5080301@redhat.com>
Message-ID: <4D2E6C5D.2050004@redhat.com>

On 1/13/2011 9:11 AM, Endi Sukma Dewata wrote:
> The attached patch should address issue #1 and #2 in this bug:
> https://fedorahosted.org/freeipa/ticket/670
>
> The labels for the following fields in Host details page have been
> changed:
> - fqdn: Fully Qualified Host Name
> - serverhostname: Host Name
>
> The ipa_details_field_create_input() and _ipa_create_text_input()
> have been converted into methods in ipa_details_field class. The code
> has been modified to display read-only fields as labels instead
> of disabled text fields.

Rebased against the latest.

-- 
Endi S. Dewata

-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-edewata-0067-2-Host-details-adjustments.patch
Type: text/x-patch
Size: 24075 bytes

From ayoung at redhat.com Thu Jan 13 03:52:22 2011
From: ayoung at redhat.com (Adam Young)
Date: Wed, 12 Jan 2011 22:52:22 -0500
Subject: [Freeipa-devel] [PATCH] 674 add API version
In-Reply-To: <4D2E2868.2050808@redhat.com>
References: <4D2DD0D3.1050206@redhat.com> <20110112141920.062b5002@willson.li.ssimo.org> <4D2E1F92.8060200@redhat.com> <4D2E2868.2050808@redhat.com>
Message-ID: <4D2E76F6.4030802@redhat.com>

On 01/12/2011 05:17 PM, Rob Crittenden wrote:
> Rob Crittenden wrote:
>> Simo Sorce wrote:
>>> On Wed, 12 Jan 2011 11:03:31 -0500
>>> Rob Crittenden wrote:
>>>
>>>> Add an API version that is enforced both when the server is built (to
>>>> disallow unexpected API changes) and when clients talk to the server.
>>>> See the patch for further details.
>>>>
>>>> ticket 584
>>>>
>>>> rob
>>>
>>> Technical nack, API.txt is missing.
>>>
>>> Also it would be really nice if we could test the API on build.
>>> Is the utf8 plugin thing really needed in order to test the api, or
>>> could we use PYTHONPATH and a fake python module by the same name
>>> just to get through the import w/o getting an exception out ?
>>>
>>> Simo.
>>>
>>
>> Updated patch attached.
>>
>> I worked around requiring the utf8 plugin so this should be executable
>> from a fresh git pull and will always validate the api when building.
>>
>> I also made a separate patch for the mozldap dependency change (675).
>>
>> rob
>
> Moved the changes to daemons/configure.ac to patch 675.
>
> rob
>
> _______________________________________________
> Freeipa-devel mailing list
> Freeipa-devel at redhat.com
> https://www.redhat.com/mailman/listinfo/freeipa-devel

Am I correct in understanding that this patch is going to break the webUI?
We need to put an API version into the JSON RPC as well. This would involve
a minor change to install/static/ipa.js in the ipa_cmd function, but I am
not quite sure what to put there.

From ayoung at redhat.com Thu Jan 13 04:12:34 2011
From: ayoung at redhat.com (Adam Young)
Date: Wed, 12 Jan 2011 23:12:34 -0500
Subject: [Freeipa-devel] [PATCH] Host details adjustments.
In-Reply-To: <4D2E6C5D.2050004@redhat.com>
References: <4D2E5F51.5080301@redhat.com> <4D2E6C5D.2050004@redhat.com>
Message-ID: <4D2E7BB2.4040304@redhat.com>

On 01/12/2011 10:07 PM, Endi Sukma Dewata wrote:
> On 1/13/2011 9:11 AM, Endi Sukma Dewata wrote:
>> The attached patch should address issue #1 and #2 in this bug:
>> https://fedorahosted.org/freeipa/ticket/670
>>
>> The labels for the following fields in Host details page have been
>> changed:
>> - fqdn: Fully Qualified Host Name
>> - serverhostname: Host Name
>>
>> The ipa_details_field_create_input() and _ipa_create_text_input()
>> have been converted into methods in ipa_details_field class. The code
>> has been modified to display read-only fields as labels instead
>> of disabled text fields.
>
> Rebased against the latest.

Can you replace the huge if-else block in details.js line 282? You can
leave the comment about class-specific implementation, but the code does
nothing of use as is. Other than that, ACK.

From aravind.gv at gmail.com Thu Jan 13 04:14:25 2011
From: aravind.gv at gmail.com (Aravind GV)
Date: Thu, 13 Jan 2011 09:44:25 +0530
Subject: [Freeipa-devel] Fwd: [Adam Young's Web Log] Please moderate: "Announcing FreeIPA v2 Server Beta 1 Release"
In-Reply-To: <4D2DC6CE.7070304@redhat.com>
References: <4D2C6F90.8060807@redhat.com> <4D2C6F9B.7060504@redhat.com> <4D2DC6CE.7070304@redhat.com>
Message-ID:

Hi Rich,

The version of 389-ds-base. I installed this package with the fedora testing
repo, which is documented in the installation steps.

[root at agvdir ~]# rpm -qi 389-ds-base
Name        : 389-ds-base                  Relocations: (not relocatable)
Version     : 1.2.7.5                           Vendor: Fedora Project
Release     : 1.fc14                        Build Date: Thu 16 Dec 2010 12:24:22 PM EST
Install Date: Sun 09 Jan 2011 11:48:36 PM EST      Build Host: x86-02.phx2.fedoraproject.org
Group       : System Environment/Daemons    Source RPM: 389-ds-base-1.2.7.5-1.fc14.src.rpm
Size        : 5567433                          License: GPLv2 with exceptions
Signature   : RSA/SHA256, Thu 16 Dec 2010 10:20:09 PM EST, Key ID 421caddb97a1071f
Packager    : Fedora Project
URL         : http://port389.org/
Summary     : 389 Directory Server (base)
Description :
389 Directory Server is an LDAPv3 compliant server. The base package includes
the LDAP server and command line utilities for server administration.

Regards,
Aravind G V

On Wed, Jan 12, 2011 at 8:50 PM, Rich Megginson wrote:
> On 01/11/2011 10:15 PM, Aravind GV wrote:
>
> Hi All,
>
> Adam first of all thanks for responding to my email.
>
> I get the below error when i run ipa-replica-manage command. I am
> following Installation_Deployment_Guide V2
> (http://freeipa.org/docs/2.0.0/Installation_Deployment_Guide/en-US/html/);
> in that, the *4.4. Creating Synchronization Agreements* section example
> command is given as "ipa-replica-manage connect add", but the add option
> is no longer there. After googling, some websites said to give the connect
> option and also --passsync; now the command syntax is fine but it stops
> DIRSRV.
>
> This is a known bug that was fixed. What version of 389-ds-base are you
> using?
> rpm -qi 389-ds-base
>
> There is not much in logs. Please help me to resolve this issue. OS=fc14,
> ipa v2
>
> *[root at agvdir ~]# ipa-replica-manage connect --winsync --binddn
> cn=administrator,cn=users,dc=bgkerb,dc=test02,dc=com --bindpw xxx --cacert
> /root/bgkerb.cer 10.0.65.28 --passsync xxx -v
> Directory Manager password:
> INFO:root:args=/sbin/service dirsrv stop
> INFO:root:stdout=Shutting down dirsrv:
> AGV-COM...[ OK ]
>
> INFO:root:stderr=
> unexpected error: DsInstance instance has no attribute 'subject_base'
> *
> Regards,
> Aravind G V
>
> On Tue, Jan 11, 2011 at 9:56 AM, Rich Megginson wrote:
>> On 01/11/2011 07:56 AM, Adam Young wrote:
>>
>> Aravind,
>>
>> I've posted your question on the FreeIPA Devel list. Could you please
>> "reply to all" with the following information?
>>
>> 1. What was the original problem you were seeing when you googled and
>> found the --passsync option
>> 2. Is there anything in any of the logs that seems relevant? For
>> logs, please look in
>> /var/log/http/error.log for the IPA server,
>> /var/log/DirSrv for Directory server
>> /var/log/messages for general machine issues as well.
>>
>> What version of 389-ds-base? rpm -qi 389-ds-base
>>
>> -------- Original Message --------
>> Subject: [Adam Young's Web Log] Please moderate: "Announcing FreeIPA v2 Server Beta 1 Release"
>> Date: Tue, 11 Jan 2011 05:38:07 +0000
>> From: WordPress
>> To: adam at younglogic.com
>>
>> A new comment on the post "Announcing FreeIPA v2 Server Beta 1 Release"
>> is waiting for your approval
>> http://adam.younglogic.com/2010/12/announcing-freeipa-v2-server-beta-1-release/
>>
>> Author : Aravind G V (IP: 122.166.39.227 , gw-bg.dchoc.com)
>> E-mail : aravind.gv at gmail.com
>> Comment:
>> Hi Adam,
>>
>> ipa-replica-manage command for creating Synchronization Agreements is
>> not working as documented in Installation_Deployment_Guide; after
>> googling I found out to add the --passsync option. Now the command runs
>> successfully but it brings down Directory Server. Can you please help me
>> how to fix this issue. I am running freeipa V2 on FC14.
>>
>> ipa-replica-manage connect --winsync --binddn cn=administrator,cn=users,dc=bgkerb,dc=test02,dc=com --bindpw asdQWE123 --cacert /root/bgkerb.cer 10.0.65.28 --passsync asdQWE123 -v
>
> --
> ----------------------------
> With Best Regards
> Aravind G V
> Ph-9880346065
> "I want it all,
> That's why I strive for it,
> I know that it's coming" - Drake from "Successful"

-- 
----------------------------
With Best Regards
Aravind G V
Ph-9880346065
"I want it all,
That's why I strive for it,
I know that it's coming" - Drake from "Successful"

From edewata at redhat.com Thu Jan 13 07:19:13 2011
From: edewata at redhat.com (Endi Sukma Dewata)
Date: Thu, 13 Jan 2011 14:19:13 +0700
Subject: [Freeipa-devel] [PATCH] Host details adjustments.
In-Reply-To: <4D2E7BB2.4040304@redhat.com>
References: <4D2E5F51.5080301@redhat.com> <4D2E6C5D.2050004@redhat.com> <4D2E7BB2.4040304@redhat.com>
Message-ID: <4D2EA771.9@redhat.com>

On 1/13/2011 11:12 AM, Adam Young wrote:
> Can you replace the huge if-else block in details.js line 282? You can
> leave the comment about class-specific implementation, but the code does
> nothing of use as is. Other than that, ACK.

I removed the if-else block but kept the list of class names in the comment.
I pushed this to master. Thanks.

-- 
Endi S. Dewata

From mkosek at redhat.com Thu Jan 13 07:48:20 2011
From: mkosek at redhat.com (Martin Kosek)
Date: Thu, 13 Jan 2011 08:48:20 +0100
Subject: [Freeipa-devel] [PATCH] Unchecked return values in ipa-join
In-Reply-To: <4D2DD792.10203@redhat.com>
References: <1294746389.5765.26.camel@dhcp-25-52.brq.redhat.com> <20110111121137.GA3507@zeppelin.brq.redhat.com> <4D2DD792.10203@redhat.com>
Message-ID: <1294904900.5765.35.camel@dhcp-25-52.brq.redhat.com>

On Wed, 2011-01-12 at 11:32 -0500, Rob Crittenden wrote:
> Jakub Hrozek wrote:
> > On Tue, Jan 11, 2011 at 12:46:29PM +0100, Martin Kosek wrote:
> >> krb5_get_default_realm() and asprintf() return values were ignored.
> >> This could lead to unhandled error issues or memory access
> >> issues.
> >>
> >> This patch adds return value checks to all such functions.
> >> As a consequence, one new return value has been added to the man page.
> >>
> >> https://fedorahosted.org/freeipa/ticket/720
> >>
> >
> > Ack
>
> Pushed to master.
>
> Martin, I had to do a 3-way merge to get this applied. Can you
> double-check that it applied ok?
>
> thanks
>
> rob

Rob,

I checked it and it's ok.

Thanks,
Martin

From edewata at redhat.com Thu Jan 13 07:55:10 2011
From: edewata at redhat.com (Endi Sukma Dewata)
Date: Thu, 13 Jan 2011 14:55:10 +0700
Subject: [Freeipa-devel] [PATCH] Increased icon size for certificate and Kerberos key status.
Message-ID: <4D2EAFDE.5040105@redhat.com>

Hi,

The attached patch should fix item #3 of this bug:
https://fedorahosted.org/freeipa/ticket/670

The tag used for the status icon has been replaced with a tag shaped like a
circle. The size can be adjusted using CSS.

-- 
Endi S. Dewata

-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-edewata-0068-Increased-icon-size-for-certificate-and-Kerberos-key.patch
Type: text/x-patch
Size: 9270 bytes

From jhrozek at redhat.com Thu Jan 13 08:04:06 2011
From: jhrozek at redhat.com (Jakub Hrozek)
Date: Thu, 13 Jan 2011 09:04:06 +0100
Subject: [Freeipa-devel] [PATCH] 675 drop build dep on mozldap
In-Reply-To: <20110112170616.326fd5a7@willson.li.ssimo.org>
References: <4D2E1FC1.40702@redhat.com> <20110112214506.GB4505@zeppelin.brq.redhat.com> <4D2E21D1.30608@redhat.com> <20110112170616.326fd5a7@willson.li.ssimo.org>
Message-ID: <4D2EB1F6.50705@redhat.com>

On 01/12/2011 11:06 PM, Simo Sorce wrote:
> On Wed, 12 Jan 2011 16:49:05 -0500
> Rob Crittenden wrote:
>
>> Jakub Hrozek wrote:
>>> On Wed, Jan 12, 2011 at 04:40:17PM -0500, Rob Crittenden wrote:
>>>> We now build using just openldap so drop the build dependency on
>>>> mozldap.
>>>>
>>>> rob
>>>
>>> Related question: we have a couple of #ifdef WITH_MOZLDAP
>>> preprocessor directives in the SLAPI plugin code, should we get rid
>>> of them and only support OpenLDAP, too?
>>
>> I think probably so. I was narrowly focused on getting to build
>> without the dep.
>
> Please open a deferred ticket to do it later. Or we will forget.
>
> Simo.
>

https://fedorahosted.org/freeipa/ticket/756

From vic_1980 at bk.ru Thu Jan 13 08:59:47 2011
From: vic_1980 at bk.ru (Виктор Сергеевич)
Date: Thu, 13 Jan 2011 11:59:47 +0300
Subject: [Freeipa-devel] problem with install (Configuration of CA failed)
Message-ID: <4D2EBF03.1080806@bk.ru>

Hi! I have an analogous problem, like Geerten Schram. Installing FreeIPA v2
on Fedora Core 14 x86, on install I get an error:

*****************************************************************************
Configuring certificate server: Estimated time 6 minutes
  [1/16]: creating certificate server user
  [2/16]: creating pki-ca instance
  [3/16]: restarting certificate server
  [4/16]: configuring certificate server instance
root        : CRITICAL failed to restart ca instance Command '/usr/bin/perl /usr/bin/pkisilent ConfigureCA -cs_hostname ldap.titan.ru -cs_port 9445 -client_certdb_dir /tmp/tmp-ajuHla -client_certdb_pwd 'XXXXXXXX' -preop_pin YNks43pJ6xZWyxgf5N2r -domain_name IPA -admin_user admin -admin_email root at localhost -admin_password 'XXXXXXXX' -agent_name ipa-ca-agent -agent_key_size 2048 -agent_key_type rsa -agent_cert_subject "CN=ipa-ca-agent,O=TITAN.RU" -ldap_host ldap.titan.ru -ldap_port 7389 -bind_dn "cn=Directory Manager" -bind_password 'XXXXXXXX' -base_dn o=ipaca -db_name ipaca -key_size 2048 -key_type rsa -key_algorithm SHA256withRSA -save_p12 true -backup_pwd 'XXXXXXXX' -subsystem_name pki-cad -token_name internal -ca_subsystem_cert_subject_name "CN=CA Subsystem,O=TITAN.RU" -ca_ocsp_cert_subject_name "CN=OCSP Subsystem,O=TITAN.RU" -ca_server_cert_subject_name "CN=ldap.titan.ru,O=TITAN.RU" -ca_audit_signing_cert_subject_name "CN=CA Audit,O=TITAN.RU" -ca_sign_cert_subject_name "CN=Certificate Authority,O=TITAN.RU" -external false -clone false' returned non-zero exit status 255
Unexpected error - see ipaserver-install.log for details:
Configuration of CA failed
***************************************************************************************

PKI versions: pki-ca-1.3.6-1.fc14, pki-silent-1.3.4-1.fc14

Debug logs attached.

-------------- next part
--------------
An embedded and charset-unspecified text was scrubbed...
Name: debug pki-ca
-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: ipaserver-install.log
-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: log_ipa

From mkosek at redhat.com Thu Jan 13 09:42:21 2011
From: mkosek at redhat.com (Martin Kosek)
Date: Thu, 13 Jan 2011 10:42:21 +0100
Subject: [Freeipa-devel] [PATCH] Potential memory leaks in ipa-getkeytab
In-Reply-To: <4D2DAF67.8070505@redhat.com>
References: <1294838711.5765.33.camel@dhcp-25-52.brq.redhat.com> <4D2DAF67.8070505@redhat.com>
Message-ID: <1294911741.5765.43.camel@dhcp-25-52.brq.redhat.com>

On Wed, 2011-01-12 at 14:40 +0100, Jakub Hrozek wrote:
> On 01/12/2011 02:25 PM, Martin Kosek wrote:
> > This patch fixes 2 situations where a pointer to allocated error
> > string could be overwritten - which could have resulted in
> > a memory leak.
> >
> > https://fedorahosted.org/freeipa/ticket/714
> >
>
> Ack

Just sending a reminder for this acked patch - it might have got lost in
yesterday's push-spree.

Thanks,
Martin

From jhrozek at redhat.com Thu Jan 13 09:59:20 2011
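The ipa-join fix (ignored krb5_get_default_realm() and asprintf() results) and the ipa-getkeytab fix (an allocated error-string pointer overwritten, leaking the old string) in the two threads above are one C error-handling pattern. The example below is added here and is not FreeIPA code: `struct ctx`, `set_error_leaky()`, `set_error()` and `build_host_principal()` are constructed names, and the realm is passed in as a plain string because no krb5 library is linked; it shows the leaky/unchecked form beside the checked form.

```c
/* Added example, not FreeIPA code: checked vs. unchecked asprintf-style
 * error handling. All names below are constructed for illustration. */
#ifndef _GNU_SOURCE
#define _GNU_SOURCE
#endif
#include <stdarg.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Explicit prototypes: asprintf/vasprintf are GNU extensions, and a test
 * harness may include a libc header before _GNU_SOURCE takes effect. */
int asprintf(char **strp, const char *fmt, ...);
int vasprintf(char **strp, const char *fmt, va_list ap);

/* One heap-allocated error message that several code paths may fill, the
 * shape of slot whose "pointer overwritten" leak the ipa-getkeytab patch fixes. */
struct ctx {
    char *err;   /* NULL, or a malloc'd message owned by the context */
};

/* BUGGY form (kept only to show the defect): the slot is overwritten without
 * freeing what it held, and vasprintf's result is ignored. On failure the
 * contents of c->err are undefined, so a later free(c->err) touches garbage. */
void set_error_leaky(struct ctx *c, const char *fmt, ...)
{
    va_list ap;
    va_start(ap, fmt);
    vasprintf(&c->err, fmt, ap);   /* previous c->err leaked, rc ignored */
    va_end(ap);
}

/* FIXED form: free the previous message, format into a local, and publish
 * the pointer only when vasprintf reports success.
 * Returns 0 on success, -1 on failure (c->err is then NULL, never stale). */
int set_error(struct ctx *c, const char *fmt, ...)
{
    char *msg = NULL;
    va_list ap;
    int rc;

    free(c->err);            /* free(NULL) is a no-op */
    c->err = NULL;

    va_start(ap, fmt);
    rc = vasprintf(&msg, fmt, ap);
    va_end(ap);
    if (rc < 0)
        return -1;           /* msg is undefined on failure; never store it */
    c->err = msg;
    return 0;
}

/* Build "host/<fqdn>@<REALM>" the way a join tool does. The realm is a plain
 * string here (no krb5 linked); a realm lookup whose failure went unchecked
 * would arrive as NULL or "", so reject that instead of emitting "host/fqdn@".
 * Returns a malloc'd string the caller frees, or NULL with c->err set
 * (c->err may still be NULL if even the error message could not be built). */
char *build_host_principal(struct ctx *c, const char *fqdn, const char *realm)
{
    char *princ = NULL;

    if (fqdn == NULL || *fqdn == '\0' || realm == NULL || *realm == '\0') {
        set_error(c, "missing host name or realm");
        return NULL;
    }
    /* asprintf returns the byte count or -1. The pointer is no success
     * indicator (it is undefined after failure), so test the return value. */
    if (asprintf(&princ, "host/%s@%s", fqdn, realm) < 0) {
        set_error(c, "out of memory building principal for %s", fqdn);
        return NULL;
    }
    return princ;
}

int main(void)
{
    struct ctx c = { NULL };
    char *p = build_host_principal(&c, "ipa.example.test", "EXAMPLE.TEST");

    printf("principal: %s\n", p ? p : "(none)");
    free(p);

    if (build_host_principal(&c, "ipa.example.test", "") == NULL)
        printf("error: %s\n", c.err ? c.err : "(no memory for message)");

    set_error(&c, "second error; the first one was freed");   /* no leak */
    printf("error: %s\n", c.err ? c.err : "(no memory for message)");
    free(c.err);
    return 0;
}
```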
From: jhrozek at redhat.com (Jakub Hrozek)
Date: Thu, 13 Jan 2011 10:59:20 +0100
Subject: [Freeipa-devel] [PATCH] 037,038 Remove the original DNS plugin
In-Reply-To: <20110112214038.GA4505@zeppelin.brq.redhat.com>
References: <4D2E0751.7050108@redhat.com> <4D2E07D7.5090408@redhat.com> <20110112214038.GA4505@zeppelin.brq.redhat.com>
Message-ID: <4D2ECCF8.9000309@redhat.com>

On 01/12/2011 10:40 PM, Jakub Hrozek wrote:
> On Wed, Jan 12, 2011 at 08:58:15PM +0100, Jakub Hrozek wrote:
>> On 01/12/2011 08:56 PM, Jakub Hrozek wrote:
>>> I didn't find a related ticket, but I think this needs to be done. At
>>> the very least it caused confusion for QA.
>>>
>>> This patch
>>> - removes the obsolete DNS plugin
>>> - renames the new plugin to dns
>>> - moves ipa dns-resolve to the new plugin
>>> - ports the installer and the host plugin to the new interface
>>>
>>> I didn't touch the UI at all. Adam, Endi, do I need to tweak it somehow
>>> (esp. because the plugin is renamed)?
>>>
>>> Jakub
>>
>> Attached is another version of the same patch, just formatted with -M
>> -C, so it should hopefully look better.
>>
>
> OK, that was still not very readable so I split the patches into two
> to ease the review:
>
> 1) jhrozek-freeipa-037-03-dont-use-legacy-dns.patch:
> Port installer and host plugin to the new DNS plugin
>
> * moves ipa dns-resolve to the new plugin
> * ports the installer and the host plugin to the new interface
>
> 2) jhrozek-freeipa-038-rename-dns2-to-dns.patch
> No functionality change, just renames the old plugin to the new one.
>
> I used "git format-patch -M -C --patience --full-index" to format the
> patch but git still didn't detect the replace, it seems. Is there
> anything else I can do in order to get a prettier patch? I created the
> patch with "git rm ipalib/plugins/dns.py" and then "git mv
> ipalib/plugins/dns2.py ipalib/plugins/dns.py" -- without performing rm
> first, git would complain about renaming file to another which is
> tracked.
>

Per Simo's advice, I deleted the old plugin in the first patch, now the
second one is just the rename. Looks much better now.

-------------- next part --------------
A non-text attachment was scrubbed...
Name: jhrozek-freeipa-038-02-rename-dns2-to-dns.patch
Type: text/x-patch
Size: 39133 bytes
-------------- next part --------------
A non-text attachment was scrubbed...
Name: jhrozek-freeipa-037-04-dont-use-legacy-dns.patch
Type: text/x-patch
Size: 42096 bytes
-------------- next part --------------
A non-text attachment was scrubbed...
Name: jhrozek-freeipa-038-02-rename-dns2-to-dns.patch.sig
Type: application/pgp-signature
Size: 72 bytes
-------------- next part --------------
A non-text attachment was scrubbed...
Name: jhrozek-freeipa-037-04-dont-use-legacy-dns.patch.sig
Type: application/pgp-signature
Size: 72 bytes

From jhrozek at redhat.com Thu Jan 13 10:08:57 2011
From: jhrozek at redhat.com (Jakub Hrozek) Date: Thu, 13 Jan 2011 11:08:57 +0100 Subject: [Freeipa-devel] [PATCH] 037,038 Remove the original DNS plugin In-Reply-To: <4D2ECCF8.9000309@redhat.com> References: <4D2E0751.7050108@redhat.com> <4D2E07D7.5090408@redhat.com> <20110112214038.GA4505@zeppelin.brq.redhat.com> <4D2ECCF8.9000309@redhat.com> Message-ID: <20110113100855.GA3889@zeppelin.brq.redhat.com> > Per Simo's advice, I deleted the old plugin in the first patch, now the > second one is just the rename. Looks much better now. And one more time, now with the correct patches attached. Sorry for all the noise on the list.. -------------- next part -------------- >From 517532b1d3065d64a6a28bb5a237d6e4a069ae7a Mon Sep 17 00:00:00 2001 From: Jakub Hrozek Date: Wed, 12 Jan 2011 21:02:05 +0100 Subject: [PATCH 1/2] Port installer and host plugin to the new DNS plugin * move ipa dns-resolve to the new plugin * port the installer and the host plugin to the new interface * remove the old plugin --- ipalib/plugins/dns.py | 941 ------------------------------------- ipalib/plugins/dns2.py | 54 ++- ipalib/plugins/host.py | 35 +- ipaserver/install/bindinstance.py | 30 +- 4 files changed, 81 insertions(+), 979 deletions(-) delete mode 100644 ipalib/plugins/dns.py diff --git a/ipalib/plugins/dns.py b/ipalib/plugins/dns.py deleted file mode 100644 index ced13efc92b2480bbe15675233903edd8387fa16..0000000000000000000000000000000000000000 --- a/ipalib/plugins/dns.py +++ /dev/null 
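Review bot: the diffstat deletes ipalib/plugins/dns.py (941 lines) in the same patch that ports ipalib/plugins/host.py and ipaserver/install/bindinstance.py, so any helper those callers took from the removed module (it defined dns_container_exists(), _get_zone_dn() and _get_record_dn(), among others) must have an equivalent among the +54 lines in dns2.py within this patch rather than in 2/2; otherwise the tree between 1/2 and the rename fails on import of ipalib.plugins.dns. The commit message should say which dns2.py additions replace the removed helpers, since "remove the old plugin" alone does not show that the installer and host plugin have no remaining dependency on it.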
@@ -1,941 +0,0 @@ -# Authors: -# Pavel Zuna -# -# Copyright (C) 2009 Red Hat -# see file 'COPYING' for use and warranty information -# -# This program is free software; you can redistribute it and/or modify -# it under the terms of the GNU General Public License as published by -# the Free Software Foundation, either version 3 of the License, or -# (at your option) any later version. -# -# This program is distributed in the hope that it will be useful, -# but WITHOUT ANY WARRANTY; without even the implied warranty of -# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -# GNU General Public License for more details. -# -# You should have received a copy of the GNU General Public License -# along with this program. If not, see . -""" -Domain Name System (DNS) plug-in - -Implements a set of commands useful for manipulating DNS records used by -the BIND LDAP plug-in. - -EXAMPLES: - - Add new zone: - ipa dns-add example.com nameserver.example.com admin at example.com - - Add second nameserver for example.com: - ipa dns-add-rr example.com @ NS nameserver2.example.com - - Delete previously added nameserver from example.com: - ipa dns-del-rr example.com @ NS nameserver2.example.com - - Add new A record for www.example.com: (random IP) - ipa dns-add-rr example.com www A 80.142.15.2 - - Add new PTR record for www.example.com - ipa dns-add-rr 15.142.80.in-addr.arpa 2 PTR www.example.com. 
- - Show zone example.com: - ipa dns-show example.com - - Find zone with "example" in it's domain name: - ipa dns-find example - - Find records for resources with "www" in their name in zone example.com: - ipa dns-find-rr example.com www - - Find A records for resource www in zone example.com - ipa dns-find-rr example.com --resource www --type A - - Show records for resource www in zone example.com - ipa dns-show-rr example.com www - - Delete zone example.com with all resource records: - ipa dns-delete example.com - - Resolve a host name to see if it exists (will add default IPA domain - if one is not included): - ipa dns-resolve www.example.com - ipa dns-resolve www - -""" - -# A few notes about the LDAP schema to make this plugin more understandable: -# - idnsRecord object is a HOSTNAME with one or more resource records -# - idnsZone object is a idnsRecord object with mandatory SOA record -# it basically makes the assumption that ZONE == DOMAINNAME + SOA record -# resource records can be stored in both idnsZone and idnsRecord objects - -import time - -from ipalib import api, crud, errors, output -from ipalib import Object, Command -from ipalib import Flag, Int, Str, StrEnum -from ipalib import _, ngettext -from ipalib.output import Output, standard_entry, standard_list_of_entries -from ipapython import dnsclient - -# parent DN -_zone_container_dn = api.env.container_dns - -# supported resource record types -_record_types = ( - u'A', u'AAAA', u'A6', u'AFSDB', u'CERT', u'CNAME', u'DNAME', - u'DS', u'HINFO', u'KEY', u'KX', u'LOC', u'MD', u'MINFO', u'MX', - u'NAPTR', u'NS', u'NSEC', u'NXT', u'PTR', u'RRSIG', u'SSHFP', - u'SRV', u'TXT', -) - -# mapping from attribute to resource record type -_attribute_types = dict( - arecord=u'A', aaaarecord=u'AAAA', a6record=u'A6', - afsdbrecord=u'AFSDB', certrecord=u'CERT', cnamerecord=u'CNAME', - dnamerecord=u'DNAME', dsrecord=u'DS', hinforecord=u'HINFO', - keyrecord=u'KEY', kxrecord=u'KX', locrecord='LOC', - mdrecord=u'MD', 
minforecord=u'MINFO', mxrecord=u'MX', - naptrrecord=u'NAPTR', nsrecord=u'NS', nsecrecord=u'NSEC', - ntxtrecord=u'NTXT', ptrrecord=u'PTR', rrsigrecord=u'RRSIG', - sshfprecord=u'SSHFP', srvrecord=u'SRV', txtrecord=u'TXT', -) - -# supported DNS classes, IN = internet, rest is almost never used -_record_classes = (u'IN', u'CS', u'CH', u'HS') - -# attributes displayed by default for resource records -_record_default_attributes = ['%srecord' % r for r in _record_types] -_record_default_attributes.append('idnsname') - -# attributes displayed by default for zones -_zone_default_attributes = [ - 'idnsname', 'idnszoneactive', 'idnssoamname', 'idnssoarname', - 'idnssoaserial', 'idnssoarefresh', 'idnssoaretry', 'idnssoaexpire', - 'idnssoaminimum' -] - - -# normalizer for admin email -def _rname_normalizer(value): - value = value.replace('@', '.') - if not value.endswith('.'): - value += '.' - return value - -# build zone dn -def _get_zone_dn(ldap, idnsname): - rdn = ldap.make_rdn_from_attr('idnsname', idnsname) - return ldap.make_dn_from_rdn(rdn, _zone_container_dn) - -# build dn for entry with record -def _get_record_dn(ldap, zone, idnsname): - parent_dn = _get_zone_dn(ldap, zone) - if idnsname == '@' or idnsname == zone: - return parent_dn - rdn = ldap.make_rdn_from_attr('idnsname', idnsname) - return ldap.make_dn_from_rdn(rdn, parent_dn) - - -def dns_container_exists(ldap): - """ - See if the dns container exists. If not raise an exception. 
- """ - basedn = 'cn=dns,%s' % api.env.basedn - try: - ret = ldap.find_entries('(objectclass=*)', None, basedn, - ldap.SCOPE_BASE) - except errors.NotFound: - raise errors.NotFound(reason=_('DNS is not configured')) - - return True - -class dns(Object): - """DNS zone/SOA record object.""" - label = _('DNS') - - takes_params = ( - Str('idnsname', - cli_name='name', - label=_('Zone'), - doc=_('Zone name (FQDN)'), - normalizer=lambda value: value.lower(), - primary_key=True, - ), - Str('idnssoamname', - cli_name='name_server', - label=_('Authoritative name server'), - ), - Str('idnssoarname', - cli_name='admin_email', - label=_('administrator e-mail address'), - default_from=lambda idnsname: 'root.%s' % idnsname, - normalizer=_rname_normalizer, - ), - Int('idnssoaserial?', - cli_name='serial', - label=_('SOA serial'), - ), - Int('idnssoarefresh?', - cli_name='refresh', - label=_('SOA refresh'), - ), - Int('idnssoaretry?', - cli_name='retry', - label=_('SOA retry'), - ), - Int('idnssoaexpire?', - cli_name='expire', - label=_('SOA expire'), - ), - Int('idnssoaminimum?', - cli_name='minimum', - label=_('SOA minimum'), - ), - Int('dnsttl?', - cli_name='ttl', - label=_('SOA time to live'), - ), - StrEnum('dnsclass?', - cli_name='class', - label=_('SOA class'), - values=_record_classes, - ), - Flag('idnsallowdynupdate', - cli_name='allow_dynupdate', - label=_('allow dynamic update?'), - ), - Str('idnsupdatepolicy?', - cli_name='update_policy', - label=_('BIND update policy'), - ), - ) - - default_attributes = _zone_default_attributes - - json_friendly_attributes = ( - 'default_attributes', 'label', 'name', 'takes_params' ) - - def __json__(self): - json_dict = dict( - (a, getattr(self, a)) for a in self.json_friendly_attributes - ) - if self.primary_key: - json_dict['primary_key'] = self.primary_key.name - json_dict['methods'] = [m for m in self.methods] - return json_dict - - -api.register(dns) - - -class dns_add(crud.Create): - """ - Create new DNS zone/SOA record. 
- """ - def execute(self, *args, **options): - ldap = self.Backend.ldap2 - idnsname = args[0] - - dns_container_exists(ldap) - - # build entry attributes - entry_attrs = self.args_options_2_entry(*args, **options) - - # build entry DN - dn = _get_zone_dn(ldap, idnsname) - - # fill in required attributes - entry_attrs['objectclass'] = ['top', 'idnsrecord', 'idnszone'] - entry_attrs['idnszoneactive'] = 'TRUE' - entry_attrs['idnsallowdynupdate'] = str( - entry_attrs['idnsallowdynupdate'] - ).upper() - - # fill default values, build SOA serial from current date - soa_serial = int('%s01' % time.strftime('%Y%d%m')) - entry_attrs.setdefault('idnssoaserial', soa_serial) - entry_attrs.setdefault('idnssoarefresh', 3600) - entry_attrs.setdefault('idnssoaretry', 900) - entry_attrs.setdefault('idnssoaexpire', 1209600) - entry_attrs.setdefault('idnssoaminimum', 3600) - - # create zone entry - ldap.add_entry(dn, entry_attrs) - - # get zone entry with created attributes for output - (dn, entry_attrs) = ldap.get_entry(dn, entry_attrs.keys()) - entry_attrs['dn'] = dn - - return dict(result=entry_attrs, value=idnsname) - - def output_for_cli(self, textui, result, *args, **options): - entry_attrs = result['result'] - idnsname = result['value'] - - textui.print_name(self.name) - textui.print_attribute('dn', entry_attrs['dn']) - del entry_attrs['dn'] - textui.print_entry(entry_attrs) - textui.print_dashed('Created DNS zone "%s".' % idnsname) - -api.register(dns_add) - - -class dns_del(crud.Delete): - """ - Delete existing DNS zone/SOA record. 
- """ - def execute(self, *args, **options): - ldap = self.api.Backend.ldap2 - idnsname = args[0] - - dns_container_exists(ldap) - - # build zone entry DN - dn = _get_zone_dn(ldap, idnsname) - # just check if zone exists for now - ldap.get_entry(dn, ['']) - - # retrieve all subentries of zone - records - try: - (entries, truncated) = ldap.find_entries( - None, [''], dn, ldap.SCOPE_ONELEVEL - ) - except errors.NotFound: - (entries, truncated) = (tuple(), False) - - # kill'em all, records first - for e in entries: - ldap.delete_entry(e[0]) - ldap.delete_entry(dn) - - return dict(result=True, value=u'') - - def output_for_cli(self, textui, result, *args, **options): - textui.print_name(self.name) - textui.print_dashed('Deleted DNS zone "%s".' % args[0]) - -api.register(dns_del) - - -class dns_mod(crud.Update): - """ - Modify DNS zone/SOA record. - """ - def execute(self, *args, **options): - ldap = self.api.Backend.ldap2 - idnsname = args[0] - - dns_container_exists(ldap) - - # build entry attributes, don't include idnsname! - entry_attrs = self.args_options_2_entry(*tuple(), **options) - entry_attrs['idnsallowdynupdate'] = str( - entry_attrs['idnsallowdynupdate'] - ).upper() - - # build entry DN - dn = _get_zone_dn(ldap, idnsname) - - # update zone entry - ldap.update_entry(dn, entry_attrs) - - # get zone entry with modified + default attributes for output - (dn, entry_attrs) = ldap.get_entry( - dn, (entry_attrs.keys() + _zone_default_attributes) - ) - entry_attrs['dn'] = dn - - return dict(result=entry_attrs, value=idnsname) - - def output_for_cli(self, textui, result, *args, **options): - entry_attrs = result['result'] - idnsname = result['value'] - - textui.print_name(self.name) - textui.print_attribute('dn', entry_attrs['dn']) - del entry_attrs['dn'] - textui.print_entry(entry_attrs) - textui.print_dashed('Modified DNS zone "%s".' % idnsname) - -api.register(dns_mod) - - -class dns_find(crud.Search): - """ - Search for DNS zones/SOA records. 
- """ - def execute(self, term, **options): - ldap = self.api.Backend.ldap2 - - dns_container_exists(ldap) - - # build search filter - filter = ldap.make_filter_from_attr('idnsname', term, exact=False) - - # select attributes we want to retrieve - if options.get('all', False): - attrs_list = ['*'] - else: - attrs_list = _zone_default_attributes - - # get matching entries - try: - (entries, truncated) = ldap.find_entries( - filter, attrs_list, _zone_container_dn, ldap.SCOPE_ONELEVEL - ) - except errors.NotFound: - (entries, truncated) = (tuple(), False) - - for e in entries: - e[1]['dn'] = e[0] - entries = tuple(e for (dn, e) in entries) - - return dict(result=entries, count=len(entries), truncated=truncated) - - def output_for_cli(self, textui, result, term, **options): - entries = result['result'] - truncated = result['truncated'] - - textui.print_name(self.name) - for entry_attrs in entries: - textui.print_attribute('dn', entry_attrs['dn']) - del entry_attrs['dn'] - textui.print_entry(entry_attrs) - textui.print_plain('') - textui.print_count( - len(entries), '%i DNS zone matched.', '%i DNS zones matched.' - ) - if truncated: - textui.print_dashed('These results are truncated.', below=False) - textui.print_dashed( - 'Please refine your search and try again.', above=False - ) - -api.register(dns_find) - - -class dns_show(crud.Retrieve): - """ - Display DNS zone/SOA record. 
- """ - def execute(self, idnsname, **options): - ldap = self.api.Backend.ldap2 - - dns_container_exists(ldap) - - # build entry DN - dn = _get_zone_dn(ldap, idnsname) - - # select attributes we want to retrieve - if options.get('all', False): - attrs_list = ['*'] - else: - attrs_list = _zone_default_attributes - - (dn, entry_attrs) = ldap.get_entry(dn, attrs_list) - entry_attrs['dn'] = dn - - return dict(result=entry_attrs, value=idnsname) - - def output_for_cli(self, textui, result, *args, **options): - entry_attrs = result['result'] - - textui.print_name(self.name) - textui.print_attribute('dn', entry_attrs['dn']) - del entry_attrs['dn'] - textui.print_entry(entry_attrs) - -api.register(dns_show) - - -class dns_enable(Command): - """ - Activate DNS zone. - """ - takes_args = ( - Str('zone', - cli_name='zone', - label=_('Zone name'), - normalizer=lambda value: value.lower(), - ), - ) - - has_output = output.standard_value - - def execute(self, zone): - ldap = self.api.Backend.ldap2 - - dns_container_exists(ldap) - - # build entry DN - dn = _get_zone_dn(ldap, zone) - - # activate! - try: - ldap.update_entry(dn, {'idnszoneactive': 'TRUE'}) - except errors.EmptyModlist: - pass - - return dict(result=True, value=zone) - - def output_for_cli(self, textui, result, zone): - textui.print_name(self.name) - textui.print_dashed('Activated DNS zone "%s".' % zone) - -api.register(dns_enable) - - -class dns_disable(Command): - """ - Deactivate DNS zone. - """ - takes_args = ( - Str('zone', - label=_('Zone name'), - normalizer=lambda value: value.lower(), - ), - ) - - has_output = output.standard_value - - def execute(self, zone): - ldap = self.api.Backend.ldap2 - - dns_container_exists(ldap) - - # build entry DN - dn = _get_zone_dn(ldap, zone) - - # deactivate! 
- try: - ldap.update_entry(dn, {'idnszoneactive': 'FALSE'}) - except errors.EmptyModlist: - pass - - return dict(result=True, value=zone) - - def output_for_cli(self, textui, result, zone): - textui.print_name(self.name) - textui.print_dashed('Deactivated DNS zone "%s".' % zone) - -api.register(dns_disable) - - -class dns_add_rr(Command): - """ - Add new DNS resource record. - """ - - takes_args = ( - Str('zone', - label=_('Zone name'), - normalizer=lambda value: value.lower(), - ), - Str('idnsname', - cli_name='resource', - label=_('resource name'), - default_from=lambda zone: zone.lower(), - attribute=True, - ), - StrEnum('type', - label=_('Record type'), - values=_record_types, - ), - Str('data', - label=_('Data'), - doc=_('Type-specific data'), - ), - ) - - takes_options = ( - Int('dnsttl?', - cli_name='ttl', - label=_('Time to live'), - attribute=True, - ), - StrEnum('dnsclass?', - cli_name='class', - label=_('Class'), - values=_record_classes, - attribute=True, - ), - ) - - has_output = standard_entry - - def execute(self, zone, idnsname, type, data, **options): - ldap = self.api.Backend.ldap2 - attr = ('%srecord' % type).lower() - - dns_container_exists(ldap) - - # build entry DN - dn = _get_record_dn(ldap, zone, idnsname) - - # get resource entry where to store the new record - try: - (dn, entry_attrs) = ldap.get_entry(dn, [attr]) - except errors.NotFound: - if idnsname != '@' and idnsname != zone: - # resource entry doesn't exist, check if zone exists - zone_dn = _get_zone_dn(ldap, zone) - ldap.get_entry(zone_dn, ['']) - # it does, create new resource entry - - # build entry attributes - entry_attrs = self.args_options_2_entry( - (idnsname, ), **options - ) - - # fill in required attributes - entry_attrs['objectclass'] = ['top', 'idnsrecord'] - - # fill in the record - entry_attrs[attr] = data - - # create the entry - ldap.add_entry(dn, entry_attrs) - - # get entry with created attributes for output - (dn, entry_attrs) = ldap.get_entry(dn, 
entry_attrs.keys()) - entry_attrs['dn'] = dn - - return dict(result=entry_attrs, value=idnsname) - - # zone doesn't exist - raise - # resource entry already exists, create a modlist for the new record - - # convert entry_attrs keys to lowercase - #entry_attrs = dict( - # (k.lower(), v) for (k, v) in entry_attrs.iteritems() - #) - - # get new value for record attribute - attr_value = entry_attrs.get(attr, []) - attr_value.append(data) - - ldap.update_entry(dn, {attr: attr_value}) - # get entry with updated attribute for output - (dn, entry_attrs) = ldap.get_entry(dn, ['idnsname', attr]) - entry_attrs['dn'] = dn - - return dict(result=entry_attrs, value=idnsname) - - def output_for_cli(self, textui, result, zone, idnsname, type, data, - **options): - entry_attrs = result['result'] - output = '"%s %s %s" to zone "%s"' % ( - idnsname, type, data, zone, - ) - - textui.print_name(self.name) - textui.print_attribute('dn', entry_attrs['dn']) - del entry_attrs['dn'] - textui.print_entry(entry_attrs) - textui.print_dashed('Added DNS resource record %s.' % output) - -api.register(dns_add_rr) - - -class dns_del_rr(Command): - """ - Delete DNS resource record. 
- """ - - takes_args = ( - Str('zone', - label=_('Zone name'), - normalizer=lambda value: value.lower(), - ), - Str('idnsname', - cli_name='resource', - label=_('Resource name'), - default_from=lambda zone: zone.lower(), - attribute=True, - ), - StrEnum('type', - label=_('Record type'), - values=_record_types, - ), - Str('data', - label=_('Data'), - doc=_('Type-specific data'), - ), - ) - - has_output = standard_entry - - def execute(self, zone, idnsname, type, data, **options): - ldap = self.api.Backend.ldap2 - attr = ('%srecord' % type).lower() - - dns_container_exists(ldap) - - # build entry DN - dn = _get_record_dn(ldap, zone, idnsname) - - # get resource entry with the record we're trying to delete - (dn, entry_attrs) = ldap.get_entry(dn) - - # convert entry_attrs keys to lowercase - entry_attrs = dict( - (k.lower(), v) for (k, v) in entry_attrs.iteritems() - ) - - # get new value for record attribute - attr_value = entry_attrs.get(attr.lower(), []) - try: - attr_value.remove(data) - except ValueError: - raise errors.NotFound(reason=u'resource record not found') - - # check if it's worth to keep this entry in LDAP - if 'idnszone' not in entry_attrs['objectclass']: - # get a list of all meaningful record attributes - record_attrs = [] - for (k, v) in entry_attrs.iteritems(): - if k.endswith('record') and v: - record_attrs.append(k) - # check if the list is empty - if not record_attrs: - # it's not - ldap.delete_entry(dn) - return dict(result={}, value=idnsname) - - ldap.update_entry(dn, {attr: attr_value}) - # get entry with updated attribute for output - (dn, entry_attrs) = ldap.get_entry(dn, ['idnsname', attr]) - entry_attrs['dn'] = dn - - return dict(result=entry_attrs, value=idnsname) - - def output_for_cli(self, textui, result, zone, idnsname, type, data, **options): - output = '"%s %s %s" from zone "%s"' % ( - idnsname, type, data, zone, - ) - entry_attrs = result['result'] - - textui.print_name(self.name) - if entry_attrs: - textui.print_attribute('dn', 
entry_attrs['dn']) - del entry_attrs['dn'] - textui.print_entry(entry_attrs) - textui.print_dashed('Deleted DNS resource record %s' % output) - -api.register(dns_del_rr) - - -class dns_find_rr(Command): - """ - Search for DNS resource records. - """ - takes_args = ( - Str('zone', - label=_('Zone name'), - normalizer=lambda value: value.lower(), - ), - Str('criteria?', - cli_name='criteria', - label=_('Search criteria'), - ), - ) - - takes_options = ( - Str('idnsname?', - cli_name='resource', - label=_('Resource name'), - default_from=lambda zone: zone.lower(), - ), - StrEnum('type?', - label=_('Record type'), - values=_record_types, - ), - Str('data?', - label=_('type-specific data'), - ), - ) - - has_output = standard_list_of_entries - - def execute(self, zone, term, **options): - ldap = self.api.Backend.ldap2 - if 'type' in options: - attr = ('%srecord' % options['type']).lower() - else: - attr = None - - dns_container_exists(ldap) - - # build base dn for search - base_dn = _get_zone_dn(ldap, zone) - - # build search keywords - search_kw = {} - if 'data' in options: - if attr is not None: - # user is looking for a certain record type - search_kw[attr] = options['data'] - else: - # search in all record types - for a in _record_default_attributes: - search_kw[a] = term - if 'idnsname' in options: - idnsname = options['idnsname'] - if idnsname == '@': - search_kw['idnsname'] = zone - else: - search_kw['idnsname'] = idnsname - - # build search filter - filter = ldap.make_filter(search_kw, rules=ldap.MATCH_ALL) - if term: - search_kw = {} - for a in _record_default_attributes: - search_kw[a] = term - term_filter = ldap.make_filter(search_kw, exact=False) - filter = ldap.combine_filters((filter, term_filter), ldap.MATCH_ALL) - - # select attributes we want to retrieve - if options.get('all', False): - attrs_list = ['*'] - elif attr is not None: - attrs_list = [attr] - else: - attrs_list = _record_default_attributes - - # get matching entries - try: - (entries, 
truncated) = ldap.find_entries( - filter, attrs_list, base_dn - ) - except errors.NotFound: - (entries, truncated) = (tuple(), False) - - # if the user is looking for a certain record type, don't display - # entries that do not contain it - if attr is not None: - related_entries = [] - for e in entries: - entry_attrs = e[1] - if attr in entry_attrs: - related_entries.append(e) - entries = related_entries - - for e in entries: - e[1]['dn'] = e[0] - entries = tuple(e for (dn, e) in entries) - - return dict(result=entries, count=len(entries), truncated=truncated) - - def output_for_cli(self, textui, result, zone, term, **options): - entries = result['result'] - truncated = result['truncated'] - - textui.print_name(self.name) - for entry_attrs in entries: - textui.print_attribute('dn', entry_attrs['dn']) - del entry_attrs['dn'] - textui.print_entry(entry_attrs) - textui.print_plain('') - textui.print_count( - len(entries), '%i DNS resource record matched.', - '%i DNS resource records matched.' - ) - if truncated: - textui.print_dashed('These results are truncated.', below=False) - textui.print_dashed( - 'Please refine your search and try again.', above=False - ) - -api.register(dns_find_rr) - - -class dns_show_rr(Command): - """ - Show existing DNS resource records. 
- """ - - takes_args = ( - Str('zone', - label=_('Zone name'), - normalizer=lambda value: value.lower(), - ), - Str('idnsname', - cli_name='resource', - label=_('Resource name'), - normalizer=lambda value: value.lower(), - ), - ) - - has_output = standard_entry - - def execute(self, zone, idnsname, **options): - # shows all records associated with resource - ldap = self.api.Backend.ldap2 - - dns_container_exists(ldap) - - # build entry DN - dn = _get_record_dn(ldap, zone, idnsname) - - # select attributes we want to retrieve - if options.get('all', False): - attrs_list = ['*'] - else: - attrs_list = _record_default_attributes - - (dn, entry_attrs) = ldap.get_entry(dn, attrs_list) - entry_attrs['dn'] = dn - - return dict(result=entry_attrs, value=idnsname) - - def output_for_cli(self, textui, result, zone, idnsname, **options): - entry_attrs = result['result'] - - textui.print_name(self.name) - textui.print_attribute('dn', entry_attrs['dn']) - del entry_attrs['dn'] - textui.print_entry(entry_attrs) - -api.register(dns_show_rr) - - -class dns_resolve(Command): - """ - Resolve a host name in DNS - """ - has_output = output.standard_value - msg_summary = _('Found \'%(value)s\'') - - takes_args = ( - Str('hostname', - label=_('Hostname'), - ), - ) - - def execute(self, *args, **options): - query=args[0] - if query.find(api.env.domain) == -1 and query.find('.') == -1: - query = '%s.%s.' % (query, api.env.domain) - if query[-1] != '.': - query = query + '.' - reca = dnsclient.query(query, dnsclient.DNS_C_IN, dnsclient.DNS_T_A) - rec6 = dnsclient.query(query, dnsclient.DNS_C_IN, dnsclient.DNS_T_AAAA) - records = reca + rec6 - found = False - for rec in records: - if rec.dns_type == dnsclient.DNS_T_A or \ - rec.dns_type == dnsclient.DNS_T_AAAA: - found = True - break - - if not found: - raise errors.NotFound(reason=_('Host \'%(host)s\' not found' % {'host':query})) - - return dict(result=True, value=query) - -api.register(dns_resolve) 
diff --git a/ipalib/plugins/dns2.py b/ipalib/plugins/dns2.py index 9254f1df9184a04fd5b6940eb3c2198b092b0c1d..cf58098036f7056d20337b4d3b5f02b158b41360 100644 --- a/ipalib/plugins/dns2.py +++ b/ipalib/plugins/dns2.py @@ -37,7 +37,7 @@ EXAMPLES: ipa dnsrecord-add example.com www --a-rec 80.142.15.2 Add new PTR record for www.example.com - ipa dnsrecord 15.142.80.in-addr.arpa 2 --ptr-rec www.example.com. + ipa dnsrecord-add 15.142.80.in-addr.arpa 2 --ptr-rec www.example.com. Show zone example.com: ipa dnszone-show example.com @@ -121,6 +121,13 @@ _record_validators = { } +def dns_container_exists(ldap): + try: + ldap.get_entry(api.env.container_dns, []) + except errors.NotFound: + return False + return True + class dnszone(LDAPObject): """ DNS Zone, container for resource records. @@ -227,12 +234,6 @@ class dnszone(LDAPObject): ), ) - def check_container_exists(self): - try: - self.backend.get_entry(self.container_dn, []) - except errors.NotFound: - raise errors.NotFound(reason=_('DNS is not configured')) - api.register(dnszone) @@ -241,7 +242,9 @@ class dnszone_add(LDAPCreate): Create new DNS zone (SOA record). """ def pre_callback(self, ldap, dn, entry_attrs, *keys, **options): - self.obj.check_container_exists() + if not dns_container_exists(self.api.Backend.ldap2): + raise errors.NotFound(reason=_('DNS is not configured')) + entry_attrs['idnszoneactive'] = 'TRUE' entry_attrs['idnsallowdynupdate'] = str( entry_attrs.get('idnsallowdynupdate', False) 
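Review bot: In the hunk that adds `dns_container_exists()`, the lookup `ldap.get_entry(api.env.container_dns, [])` passes the container value on its own, whereas the dns.py version removed by this same patch built `basedn = 'cn=dns,%s' % api.env.basedn` and the removed `check_container_exists()` used the object's computed `self.container_dn`; unless `api.env.container_dns` already carries the base DN, this searches for a bare `cn=dns` entry that does not exist and the check always returns False. Build the DN from both parts as the old code did. The function also changes the contract from raising `errors.NotFound(reason=_('DNS is not configured'))` to returning a bool, so a one-line docstring stating that, and a check that no other caller of the removed method still expects the exception, would be worth adding.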
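Review bot: In the dnszone_add pre_callback hunk, the guard calls `dns_container_exists(self.api.Backend.ldap2)` although the callback already receives the backend as its `ldap` argument (`def pre_callback(self, ldap, dn, entry_attrs, *keys, **options)`); passing `ldap` keeps the existence check on the same connection the add uses and avoids reaching back into the global API object from a callback.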
@@ -583,3 +586,38 @@ class dnsrecord_find(LDAPSearch, dnsrecord_cmd_w_record_options): api.register(dnsrecord_find) +class dns_resolve(Command): + """ + Resolve a host name in DNS + """ + has_output = output.standard_value + msg_summary = _('Found \'%(value)s\'') + + takes_args = ( + Str('hostname', + label=_('Hostname'), + ), + ) + + def execute(self, *args, **options): + query=args[0] + if query.find(api.env.domain) == -1 and query.find('.') == -1: + query = '%s.%s.' % (query, api.env.domain) + if query[-1] != '.': + query = query + '.' + reca = dnsclient.query(query, dnsclient.DNS_C_IN, dnsclient.DNS_T_A) + rec6 = dnsclient.query(query, dnsclient.DNS_C_IN, dnsclient.DNS_T_AAAA) + records = reca + rec6 + found = False + for rec in records: + if rec.dns_type == dnsclient.DNS_T_A or \ + rec.dns_type == dnsclient.DNS_T_AAAA: + found = True + break + + if not found: + raise errors.NotFound(reason=_('Host \'%(host)s\' not found' % {'host':query})) + + return dict(result=True, value=query) + +api.register(dns_resolve) diff --git a/ipalib/plugins/host.py b/ipalib/plugins/host.py index 88ac0bcb780d44d1619d3eb2d91c74a3b2ed3a25..d60f63776714689e754c3f1c18e972e062304edc 100644 --- a/ipalib/plugins/host.py +++ b/ipalib/plugins/host.py @@ -84,7 +84,7 @@ from ipalib.plugins.service import normalize_certificate from ipalib.plugins.service import set_certificate_attrs from ipalib.plugins.service import make_pem, check_writable_file from ipalib.plugins.service import write_certificate -from ipalib.plugins.dns import dns_container_exists, _attribute_types +from ipalib.plugins.dns2 import dns_container_exists, _record_types from ipalib import _, ngettext from ipalib import x509 from ipapython.ipautil import ipa_generate_password 
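Review bot: In the dns_resolve hunk, `raise errors.NotFound(reason=_('Host \'%(host)s\' not found' % {'host':query}))` interpolates the hostname before the string reaches `_()`, so the catalog is queried with the already-formatted text and the message is never translated; it should read `_('Host \'%(host)s\' not found') % {'host': query}`. The condition `query.find(api.env.domain) == -1 and query.find('.') == -1` is also redundant, since a name without a dot cannot contain the domain, so `'.' not in query` expresses the same rule more plainly. Finally, the `hostname` argument goes to `dnsclient.query()` with no normalizer, unlike the `zone` parameters elsewhere in the plugin; a `normalizer=lambda value: value.lower()` would keep the lookups consistent with how zones are stored.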
@@ -282,7 +282,7 @@ class host_add(LDAPCreate): if 'ip_address' in options and dns_container_exists(ldap): parts = keys[-1].split('.') domain = unicode('.'.join(parts[1:])) - result = api.Command['dns_find']()['result'] + result = api.Command['dnszone_find']()['result'] match = False for zone in result: if domain == zone['idnsname'][0]: @@ -290,7 +290,7 @@ class host_add(LDAPCreate): break if not match: raise errors.NotFound(reason=_('DNS zone %(zone)s not found' % dict(zone=domain))) - if not options.get('no_reverse',False): + if not options.get('no_reverse', False): # we prefer lookup of the IP through the reverse zone revzone, revname = get_reverse_zone(options['ip_address']) # Verify that our reverse zone exists @@ -302,7 +302,7 @@ class host_add(LDAPCreate): if not match: raise errors.NotFound(reason=_('Reverse DNS zone %(zone)s not found' % dict(zone=revzone))) try: - reverse = api.Command['dns_find_rr'](revzone, revname) + reverse = api.Command['dnsrecord_find'](revzone, idnsname=revname) if reverse['count'] > 0: raise errors.DuplicateEntry(message=u'This IP address is already assigned.') except errors.NotFound: @@ -344,17 +344,18 @@ class host_add(LDAPCreate): parts = keys[-1].split('.') domain = unicode('.'.join(parts[1:])) if ':' in options['ip_address']: - type = u'AAAA' + addkw = { u'aaaarecord' : options['ip_address'] } else: - type = u'A' + addkw = { u'arecord' : options['ip_address'] } try: - api.Command['dns_add_rr'](domain, parts[0], type, options['ip_address']) + api.Command['dnsrecord_add'](domain, parts[0], **addkw) except errors.EmptyModlist: # the entry already exists and matches pass revzone, revname = get_reverse_zone(options['ip_address']) try: - api.Command['dns_add_rr'](revzone, revname, u'PTR', keys[-1]+'.') + addkw = { u'ptrrecord' : keys[-1]+'.' } + api.Command['dnsrecord_add'](revzone, revname, **addkw) except errors.EmptyModlist: # the entry already exists and matches pass 
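Review bot: In the host_add hunk that replaces `dns_find` with `dnszone_find`, the zone is derived as `'.'.join(parts[1:])` (everything after the first label) and then matched exactly against the full zone list, so a host more than one label below the zone apex, say `node1.lab.example.com` (constructed name) in a zone `example.com`, fails with 'DNS zone lab.example.com not found' instead of adding `node1.lab` to `example.com`. Walking up the labels until a zone matches, or calling `dnszone_show` per candidate and catching `errors.NotFound` the way `dns_zone_exists` in bindinstance.py does in this same patch, would also avoid listing every zone on each host add.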
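Review bot: In the hunk that switches host_add to `dnsrecord_add`, both calls catch only `errors.EmptyModlist` under the comment 'the entry already exists and matches', while `bindinstance.add_rr` in this same patch wraps the identical call in `except (errors.DuplicateEntry, errors.EmptyModlist)`; the two call sites should agree on what `dnsrecord_add` can raise, otherwise one of them propagates an error for a record that is merely already present. The choice between `aaaarecord` and `arecord` also rests only on `':' in options['ip_address']`, so if `_record_validators` in dns2.py does not cover A/AAAA data, a malformed --ip-address value is stored in the zone unchecked.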
@@ -424,7 +425,7 @@ class host_del(LDAPDelete): # Remove DNS entries parts = fqdn.split('.') domain = unicode('.'.join(parts[1:])) - result = api.Command['dns_find']()['result'] + result = api.Command['dnszone_find']()['result'] match = False for zone in result: if domain == zone['idnsname'][0]: @@ -434,30 +435,34 @@ class host_del(LDAPDelete): raise errors.NotFound(reason=_('DNS zone %(zone)s not found' % dict(zone=domain))) raise e # Get all forward resources for this host - records = api.Command['dns_find_rr'](domain, parts[0])['result'] + records = api.Command['dnsrecord_find'](domain, idnsname=parts[0])['result'] for record in records: if 'arecord' in record: ipaddr = record['arecord'][0] self.debug('deleting ipaddr %s' % ipaddr) revzone, revname = get_reverse_zone(ipaddr) try: - api.Command['dns_del_rr'](revzone, revname, u'PTR', fqdn+'.') + delkw = { u'ptrrecord' : fqdn+'.' } + api.Command['dnsrecord_del'](revzone, revname, **delkw) except errors.NotFound: pass try: - api.Command['dns_del_rr'](domain, parts[0], u'A', ipaddr) + delkw = { u'arecord' : ipaddr } + api.Command['dnsrecord_del'](domain, parts[0], **delkw) except errors.NotFound: pass else: # Try to delete all other record types too + _attribute_types = [str('%srecord' % t.lower()) for t in _record_types] for attr in _attribute_types: if attr != 'arecord' and attr in record: for i in xrange(len(record[attr])): if (record[attr][i].endswith(parts[0]) or record[attr][i].endswith(fqdn+'.')): - api.Command['dns_del_rr'](domain, - record['idnsname'][0], - _attribute_types[attr], record[attr][i]) + delkw = { unicode(attr) : record[attr][i] } + api.Command['dnsrecord_del'](domain, + record['idnsname'][0], + **delkw) break try: diff --git a/ipaserver/install/bindinstance.py b/ipaserver/install/bindinstance.py index e1a5810f44d342fd1031efaf40da55684e833825..4cf9f94c30858d404622f9bd7466ea42778d76cc 100644 --- a/ipaserver/install/bindinstance.py +++ b/ipaserver/install/bindinstance.py 
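Review bot: In the host_del hunk above, `_attribute_types = [str('%srecord' % t.lower()) for t in _record_types]` is rebuilt inside the `else:` branch on every iteration of `for record in records`; it is a constant, so hoist it to module level next to the `_record_types` import. In the unchanged lines of the same hunk, `record[attr][i].endswith(parts[0])` is a plain suffix test, so for a host named `web` it would also select a record whose data ends in `otherweb` (constructed names); comparing against the whole label, or against `fqdn + '.'` only, is safer. The `break` after the first `dnsrecord_del` also leaves any further values of that attribute that point at the same host in place.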
@@ -107,8 +107,8 @@ def get_reverse_zone(ip_address): def dns_zone_exists(name): try: - zone = api.Command.dns_show(unicode(name)) - except Exception: + zone = api.Command.dnszone_show(unicode(name)) + except ipalib.errors.NotFound: return False if len(zone) == 0: @@ -121,11 +121,11 @@ def add_zone(name, update_policy=None, zonemgr=None, dns_backup=None): update_policy = "grant %s krb5-self * A;" % api.env.realm try: - api.Command.dns_add(unicode(name), - idnssoamname=unicode(api.env.host+"."), - idnssoarname=unicode(zonemgr), - idnsallowdynupdate=True, - idnsupdatepolicy=unicode(update_policy)) + api.Command.dnszone_add(unicode(name), + idnssoamname=unicode(api.env.host+"."), + idnssoarname=unicode(zonemgr), + idnsallowdynupdate=True, + idnsupdatepolicy=unicode(update_policy)) except (errors.DuplicateEntry, errors.EmptyModlist): pass @@ -138,10 +138,10 @@ def add_reverze_zone(ip_address, update_policy=None, dns_backup=None): if not update_policy: update_policy = "grant %s krb5-subdomain %s. PTR;" % (api.env.realm, zone) try: - api.Command.dns_add(unicode(zone), - idnssoamname=unicode(api.env.host+"."), - idnsallowdynupdate=True, - idnsupdatepolicy=unicode(update_policy)) + api.Command.dnszone_add(unicode(zone), + idnssoamname=unicode(api.env.host+"."), + idnsallowdynupdate=True, + idnsupdatepolicy=unicode(update_policy)) except (errors.DuplicateEntry, errors.EmptyModlist): pass @@ -150,9 +150,9 @@ def add_reverze_zone(ip_address, update_policy=None, dns_backup=None): return zone def add_rr(zone, name, type, rdata, dns_backup=None): + addkw = { '%srecord' % unicode(type.lower()) : unicode(rdata) } try: - api.Command.dns_add_rr(unicode(zone), unicode(name), - unicode(type), unicode(rdata)) + api.Command.dnsrecord_add(unicode(zone), unicode(name), **addkw) except (errors.DuplicateEntry, errors.EmptyModlist): pass if dns_backup: 
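Review bot: In the dns_zone_exists hunk, the narrowed clause names `ipalib.errors.NotFound` while the add_zone and add_reverze_zone hunks right below use `errors.DuplicateEntry` and `errors.EmptyModlist`; unless bindinstance.py also does `import ipalib`, a missing zone now raises NameError instead of returning False, so use `errors.NotFound` for consistency with the rest of the file. Narrowing away from the previous bare `except Exception` is the right direction, though: an LDAP or connection error now surfaces instead of being reported as 'zone does not exist'.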
@@ -201,8 +201,8 @@ class DnsBackup(object): if have_ldap: type, host, rdata = dns_record.split(" ", 2) try: - api.Command.dns_del_rr(unicode(zone), unicode(host), - unicode(type), unicode(rdata)) + delkw = { '%srecord' % unicode(type.lower()) : unicode(rdata) } + api.Command.dnsrecord_del(unicode(zone), unicode(host), **delkw) except: pass j += 1 -- 1.7.3.4 -------------- next part -------------- >From 4dd0e676960c4a836e88c21f2836ef980d317a04 Mon Sep 17 00:00:00 2001 From: Jakub Hrozek Date: Thu, 13 Jan 2011 10:23:28 +0100 Subject: [PATCH 2/2] Rename DNS2 to DNS --- ipalib/plugins/{dns2.py => dns.py} | 0 ipalib/plugins/host.py | 2 +- 2 files changed, 1 insertions(+), 1 deletions(-) rename ipalib/plugins/{dns2.py => dns.py} (100%) diff --git a/ipalib/plugins/dns2.py b/ipalib/plugins/dns.py similarity index 100% rename from ipalib/plugins/dns2.py rename to ipalib/plugins/dns.py diff --git a/ipalib/plugins/host.py b/ipalib/plugins/host.py index d60f63776714689e754c3f1c18e972e062304edc..8639ce5a07e1b0d8f3707633ba184a7bee3ad51c 100644 --- a/ipalib/plugins/host.py +++ b/ipalib/plugins/host.py @@ -84,7 +84,7 @@ from ipalib.plugins.service import normalize_certificate from ipalib.plugins.service import set_certificate_attrs from ipalib.plugins.service import make_pem, check_writable_file from ipalib.plugins.service import write_certificate -from ipalib.plugins.dns2 import dns_container_exists, _record_types +from ipalib.plugins.dns import dns_container_exists, _record_types from ipalib import _, ngettext from ipalib import x509 from ipapython.ipautil import ipa_generate_password -- 1.7.3.4 From jhrozek at redhat.com Thu Jan 13 10:09:41 2011 
From: jhrozek at redhat.com (Jakub Hrozek) Date: Thu, 13 Jan 2011 11:09:41 +0100 Subject: [Freeipa-devel] [PATCH] Potential memory leaks in ipa-kpasswd In-Reply-To: <1294835588.5765.32.camel@dhcp-25-52.brq.redhat.com> References: <1294834958.5765.30.camel@dhcp-25-52.brq.redhat.com> <1294835588.5765.32.camel@dhcp-25-52.brq.redhat.com> Message-ID: <20110113100940.GB3889@zeppelin.brq.redhat.com>
> This patch fixes 2 situations where a pointer to an allocated error
> string could be overwritten - which could have resulted in
> a memory leak.
>
> https://fedorahosted.org/freeipa/ticket/716

Ack

From mkosek at redhat.com Thu Jan 13 10:19:47 2011
From: mkosek at redhat.com (Martin Kosek) Date: Thu, 13 Jan 2011 11:19:47 +0100 Subject: [Freeipa-devel] [PATCH] Potential memory leaks in ipa-pwd-extop Message-ID: <1294913987.5765.44.camel@dhcp-25-52.brq.redhat.com>
This patch fixes several potential memory leaks in the ipa-pwd-extop SLAPI plugin. The common function ipapwd_gen_hashes() now cleans up after itself when it fails. The other changes are local and self-explanatory.
https://fedorahosted.org/freeipa/ticket/715
-------------- next part -------------- A non-text attachment was scrubbed... Name: mkosek-freeipa-011-potential-memory-leaks-in-ipa-pwd-extop.patch Type: text/x-patch Size: 3411 bytes Desc: not available URL:

From mkosek at redhat.com Thu Jan 13 10:50:09 2011
From: mkosek at redhat.com (Martin Kosek) Date: Thu, 13 Jan 2011 11:50:09 +0100 Subject: [Freeipa-devel] [PATCH] Uninitialized pointer read in ipa-join Message-ID: <1294915809.5765.45.camel@dhcp-25-52.brq.redhat.com>
This patch fixes a possible situation where the krb5_kt_close() function is called with an uninitialized keytab parameter.
https://fedorahosted.org/freeipa/ticket/712
-------------- next part -------------- A non-text attachment was scrubbed... Name: mkosek-freeipa-012-unitialized-pointer-read-in-ipa-join.patch Type: text/x-patch Size: 1300 bytes Desc: not available URL:

From edewata at redhat.com Thu Jan 13 11:30:01 2011
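As an added example (not code from the FreeIPA patches in this thread, which are attached above but not reproduced here), the two C error-path defects Martin Kosek's tickets describe, an error-string pointer in ipa-pwd-extop/ipa-kpasswd that could be overwritten without the previous allocation being freed, and a keytab in ipa-join that could reach krb5_kt_close() without ever having been opened, shown in their fixed form. kt_open()/kt_close() are assumed stand-ins for krb5_kt_resolve()/krb5_kt_close() so the file builds and runs without libkrb5 (the real signatures differ), and fail_bind is a constructed switch that simulates an LDAP bind failure after the keytab was opened.

```c
/*
 * Added example, not FreeIPA code: the error-path habits that fix the two
 * bug classes discussed in this thread.  kt_open()/kt_close() are stand-ins
 * for krb5_kt_resolve()/krb5_kt_close() (assumption; real signatures differ).
 */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

typedef struct keytab { int refs; } keytab_t;

/* Like a resolve call: on failure the output parameter is left untouched,
 * which is exactly why the caller must initialise its handle to NULL. */
static int kt_open(const char *name, keytab_t **out)
{
    if (name == NULL || name[0] == '\0')
        return -1;
    *out = calloc(1, sizeof(**out));
    return *out == NULL ? -1 : 0;
}

static void kt_close(keytab_t *kt)
{
    free(kt);
}

static char *dup_str(const char *s)
{
    size_t n = strlen(s) + 1;
    char *p = malloc(n);
    if (p != NULL)
        memcpy(p, s, n);
    return p;
}

/* Leak fix: the slot may already hold a string from an earlier failure, so
 * the old allocation is released before the new message is stored. */
static int set_error(char **slot, const char *msg)
{
    char *copy = dup_str(msg);
    if (copy == NULL)
        return -1;
    free(*slot);            /* free(NULL) is a no-op on the first call */
    *slot = copy;
    return 0;
}

/*
 * Join-style routine with one cleanup label.  Returns 0 on success, -1 on
 * error; *err receives the last error message (caller frees it; it must
 * start out NULL).  fail_bind is a constructed switch for the bind step.
 */
static int join_host(const char *kt_name, int fail_bind, char **err)
{
    keytab_t *kt = NULL;    /* uninitialised-read fix: never unset at cleanup */
    int ret = -1;

    if (kt_open(kt_name, &kt) != 0) {
        (void)set_error(err, "cannot open keytab");
        goto cleanup;       /* kt is still NULL on this path */
    }
    if (fail_bind) {
        (void)set_error(err, "bind failed");
        goto cleanup;       /* kt is open and must be released */
    }
    ret = 0;

cleanup:
    if (kt != NULL)         /* close only what was actually opened */
        kt_close(kt);
    return ret;
}

/* Two failures in a row through one error slot: the second message replaces
 * the first without leaking it.  Returns 0 when both paths failed as expected. */
static int two_failures(char **err)
{
    int a = join_host("", 0, err);            /* open fails, kt never set   */
    int b = join_host("host.keytab", 1, err); /* bind fails, kt must close  */
    return (a == -1 && b == -1) ? 0 : -1;
}

int main(void)
{
    char *err = NULL;
    int rc = two_failures(&err);
    printf("rc=%d last error: %s\n", rc, err ? err : "(none)");
    free(err);
    return rc == 0 ? 0 : 1;
}
```

The two habits that matter are initialising every handle to NULL at its declaration and routing all exits through one cleanup label that tests each handle before releasing it; the error slot follows the same rule by freeing before it overwrites.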
From: edewata at redhat.com (Endi Sukma Dewata) Date: Thu, 13 Jan 2011 18:30:01 +0700 Subject: [Freeipa-devel] [PATCH] Certificate and Kerberos key status adjustments. Message-ID: <4D2EE239.3050409@redhat.com>
Hi, the attached patch should fix items #4 and #5 of this bug: https://fedorahosted.org/freeipa/ticket/670
The OTP field has been moved into a separate row to avoid line wrapping. The line height inside tables has been increased to avoid overlapping buttons in the certificate status panel.
-- Endi S. Dewata
-------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-edewata-0069-Certificate-and-Kerberos-key-status-adjustments.patch Type: text/x-patch Size: 2566 bytes Desc: not available URL:

From ssorce at redhat.com Thu Jan 13 13:33:25 2011
From: ssorce at redhat.com (Simo Sorce) Date: Thu, 13 Jan 2011 08:33:25 -0500 Subject: [Freeipa-devel] [PATCH] Potential memory leaks in ipa-pwd-extop In-Reply-To: <1294913987.5765.44.camel@dhcp-25-52.brq.redhat.com> References: <1294913987.5765.44.camel@dhcp-25-52.brq.redhat.com> Message-ID: <20110113083325.279dcc79@willson.li.ssimo.org>
On Thu, 13 Jan 2011 11:19:47 +0100 Martin Kosek wrote:
> This patch fixes several potential memory leaks in the ipa-pwd-extop
> SLAPI plugin.
>
> The common function ipapwd_gen_hashes() now cleans up after itself when
> it fails. The other changes are local and self-explanatory.
>
> https://fedorahosted.org/freeipa/ticket/715
>
ACK, Simo.
-- Simo Sorce * Red Hat, Inc * New York

From ssorce at redhat.com Thu Jan 13 13:33:48 2011
From: ssorce at redhat.com (Simo Sorce) Date: Thu, 13 Jan 2011 08:33:48 -0500 Subject: [Freeipa-devel] [PATCH] Uninitialized pointer read in ipa-join In-Reply-To: <1294915809.5765.45.camel@dhcp-25-52.brq.redhat.com> References: <1294915809.5765.45.camel@dhcp-25-52.brq.redhat.com> Message-ID: <20110113083348.57c3c330@willson.li.ssimo.org>
On Thu, 13 Jan 2011 11:50:09 +0100 Martin Kosek wrote:
> This patch fixes a possible situation where the krb5_kt_close()
> function is called with an uninitialized keytab parameter.
>
> https://fedorahosted.org/freeipa/ticket/712
>
ACK, Simo.
-- Simo Sorce * Red Hat, Inc * New York

From mkosek at redhat.com Thu Jan 13 13:52:24 2011
From: mkosek at redhat.com (Martin Kosek) Date: Thu, 13 Jan 2011 14:52:24 +0100 Subject: [Freeipa-devel] LUMA - LDAP browser and more Message-ID: <1294926744.5765.54.camel@dhcp-25-52.brq.redhat.com>
Hi there, I guess you all have your own ways, but I have found a useful GUI tool for browsing the LDAP tree, schemas, etc.:
LUMA: http://luma.sourceforge.net
It is much more effective for me when browsing the IPA internal LDAP data structure than using the classic ldapsearch CLI utility.
Martin

From jdennis at redhat.com Thu Jan 13 14:07:17 2011
From: jdennis at redhat.com (John Dennis)
Date: Thu, 13 Jan 2011 09:07:17 -0500
Subject: [Freeipa-devel] problem with install (Configuration of CA failed)
In-Reply-To: <4D2EBF03.1080806@bk.ru>
References: <4D2EBF03.1080806@bk.ru>
Message-ID: <4D2F0715.4040900@redhat.com>

On 01/13/2011 03:59 AM, [sender name garbled in the archive] wrote:
> Hi!
>
> I have an analogous problem, like Geerten Schram
>
> Install FreeIPA v2 on Fedora Core 14 x86

I suspect you're running old versions of the certificate server, i.e. dogtag. Do you have pki-core installed? If so, what version? What version is pki-ca?

Try updating from the development repo:

The repository is located at:
http://jdennis.fedorapeople.org/ipa-devel

The Fedora repo config file can be downloaded here:
http://jdennis.fedorapeople.org/ipa-devel/ipa-devel-fedora.repo

-- 
John Dennis
Looking to carve out IT costs?
www.redhat.com/carveoutcosts/

From: jdennis at redhat.com (John Dennis)
Date: Thu, 13 Jan 2011 09:42:16 -0500
Subject: [Freeipa-devel] Installation failures due to old pki requires
Message-ID: <4D2F0F48.1050803@redhat.com>

I think the reason why some folks are having CA problems is that we're now dependent on dogtag being >= 9.0; specifically, IPA is now dependent on pki-core, a new package, but the spec file seems to be only requiring pki-ca 1.3.

The good news is these packages are available in our development repo. The bad news is none of the new 9.0 packages have been pushed into fedora yet.

-- 
John Dennis
Looking to carve out IT costs?
www.redhat.com/carveoutcosts/
From: ssorce at redhat.com (Simo Sorce)
Date: Thu, 13 Jan 2011 09:45:55 -0500
Subject: [Freeipa-devel] LUMA - LDAP browser and more
In-Reply-To: <1294926744.5765.54.camel@dhcp-25-52.brq.redhat.com>
References: <1294926744.5765.54.camel@dhcp-25-52.brq.redhat.com>
Message-ID: <20110113094555.4b8b3f44@willson.li.ssimo.org>

On Thu, 13 Jan 2011 14:52:24 +0100
Martin Kosek wrote:

> Hi there,
>
> I guess you all have your own ways, but I have found a useful GUI tool
> for browsing the LDAP tree, schemas etc.:
>
> LUMA: http://luma.sourceforge.net
>
> It is much more effective for me when browsing the IPA internal LDAP data
> structure than using the classic ldapsearch CLI utility.

I use GQ from time to time. It's a bit fragile, but works and is available by default in fedora.

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York

From: ssorce at redhat.com (Simo Sorce)
Date: Thu, 13 Jan 2011 09:58:59 -0500
Subject: [Freeipa-devel] Installation failures due to old pki requires
In-Reply-To: <4D2F0F48.1050803@redhat.com>
References: <4D2F0F48.1050803@redhat.com>
Message-ID: <20110113095859.270bc98f@willson.li.ssimo.org>

On Thu, 13 Jan 2011 09:42:16 -0500
John Dennis wrote:

> I think the reason why some folks are having CA problems is we're now
> dependent on dogtag being >= 9.0, specifically IPA is now dependent
> on pki-core, a new package, but the spec file seems to be only
> requiring pki-ca 1.3.
>
> The good news is these packages are available in our development
> repo. The bad news is none of the new 9.0 packages have been pushed
> into fedora yet.

Can we have them pushed in rawhide/f15?
I don't think it is fair to push them to stable versions unless they would work flawlessly after upgrade w/o needing manual intervention.

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York
From: rmeggins at redhat.com (Rich Megginson)
Date: Thu, 13 Jan 2011 08:20:26 -0700
Subject: [Freeipa-devel] Fwd: [Adam Young's Web Log] Please moderate: "Announcing FreeIPA v2 Server Beta 1 Release"
In-Reply-To:
References: <4D2C6F90.8060807@redhat.com> <4D2C6F9B.7060504@redhat.com> <4D2DC6CE.7070304@redhat.com>
Message-ID: <4D2F183A.5090603@redhat.com>

On 01/12/2011 09:14 PM, Aravind GV wrote:
> Hi Rich,
>
> The version of 389-ds-base. I installed this package with the fedora
> testing repo, which is documented in the installation steps.
>
> [root at agvdir ~]# rpm -qi 389-ds-base
> Name : 389-ds-base Relocations: (not relocatable)
> Version : 1.2.7.5 Vendor: Fedora Project
> Release : 1.fc14 Build Date: Thu 16 Dec 2010 12:24:22 PM EST
> Install Date: Sun 09 Jan 2011 11:48:36 PM EST Build Host: x86-02.phx2.fedoraproject.org
> Group : System Environment/Daemons Source RPM: 389-ds-base-1.2.7.5-1.fc14.src.rpm
> Size : 5567433 License: GPLv2 with exceptions
> Signature : RSA/SHA256, Thu 16 Dec 2010 10:20:09 PM EST, Key ID 421caddb97a1071f
> Packager : Fedora Project
> URL : http://port389.org/
> Summary : 389 Directory Server (base)
> Description :
> 389 Directory Server is an LDAPv3 compliant server. The base package includes
> the LDAP server and command line utilities for server administration.

Is there a slapd segfault message in /var/log/messages? If so, try this:

1) edit /etc/sysconfig/dirsrv - add the line
   ulimit -c unlimited
2) allow setuid processes to produce core files:
   sysctl -w fs.suid_dumpable=1
3) install the 389-ds-base-debuginfo package
   debuginfo-install 389-ds-base[-debuginfo]
4) service dirsrv restart

Then try to reproduce the problem. If there is a core file, it will be in /var/log/dirsrv/slapd-YOURINSTANCENAME

Once you have a core file, do this:
gdb /usr/sbin/ns-slapd /var/log/dirsrv/slapd-YOURINSTANCENAME/core.PID
(gdb) thread apply all bt full

Then post the output.
Or, just open a bug at https://bugzilla.redhat.com/enter_bug.cgi?product=389 and attach the gdb output as an attachment.

>
> Regards,
> Aravind G V
>
> On Wed, Jan 12, 2011 at 8:50 PM, Rich Megginson wrote:
>
> On 01/11/2011 10:15 PM, Aravind GV wrote:
>> Hi All,
>>
>> Adam, first of all thanks for responding to my email.
>>
>> I get the below error when I run the ipa-replica-manage command. I am
>> following Installation_Deployment_Guide V2 (
>> http://freeipa.org/docs/2.0.0/Installation_Deployment_Guide/en-US/html/
>> ); in that, the *4.4. Creating Synchronization Agreements* section
>> gives the example command as ipa-replica-manage connect add, but the add
>> option is no longer there; after googling, on some of the websites
>> they told me to give the connect option and also --passsync. Now the command
>> syntax is fine but it stops DIRSRV.
>
> This is a known bug that was fixed. What version of 389-ds-base
> are you using? rpm -qi 389-ds-base
>
>> There is not much in the logs. Please help me to resolve this
>> issue. OS=fc14 ipa v2
>>
>> *[root at agvdir ~]# ipa-replica-manage connect --winsync --binddn
>> cn=administrator,cn=users,dc=bgkerb,dc=test02,dc=com --bindpw xxx
>> --cacert /root/bgkerb.cer 10.0.65.28 --passsync xxx -v
>> Directory Manager password:
>> INFO:root:args=/sbin/service dirsrv stop
>> INFO:root:stdout=Shutting down dirsrv:
>> AGV-COM...[ OK ]
>>
>> INFO:root:stderr=
>> unexpected error: DsInstance instance has no attribute 'subject_base'
>> *
>> Regards,
>> Aravind G V
>>
>> On Tue, Jan 11, 2011 at 9:56 AM, Rich Megginson wrote:
>>
>> On 01/11/2011 07:56 AM, Adam Young wrote:
>>> Aravind,
>>>
>>> I've posted your question on the FreeIPA Devel list. Could
>>> you please "reply to all" with the following information?
>>>
>>> 1. What was the original problem you were seeing when you
>>> googled and found the --passsync option
>>> 2. Is there anything in any of the logs that seems
>>> relevant? For logs, please look in
>>> /var/log/http/error.log for the IPA server,
>>> /var/log/DirSrv for Directory server
>>> /var/log/messages for general machine issues as well.
>> What version of 389-ds-base? rpm -qi 389-ds-base
>>>
>>> -------- Original Message --------
>>> Subject: [Adam Young's Web Log] Please moderate: "Announcing FreeIPA v2 Server Beta 1 Release"
>>> Date: Tue, 11 Jan 2011 05:38:07 +0000
>>> From: WordPress
>>> To: adam at younglogic.com
>>>
>>> A new comment on the post "Announcing FreeIPA v2 Server Beta 1 Release" is waiting for your approval
>>> http://adam.younglogic.com/2010/12/announcing-freeipa-v2-server-beta-1-release/
>>>
>>> Author : Aravind G V
>>> E-mail : aravind.gv at gmail.com
>>> Comment:
>>> Hi Adam,
>>>
>>> The ipa-replica-manage command for creating Synchronization Agreements is not working as documented in Installation_Deployment_Guide; after googling I found out to add the --passsync option. Now the command runs successfully but it brings down Directory Server. Can you please help me how to fix this issue. I am running freeipa V2 on FC14.
>>>
>>> ipa-replica-manage connect --winsync --binddn cn=administrator,cn=users,dc=bgkerb,dc=test02,dc=com --bindpw asdQWE123 --cacert /root/bgkerb.cer 10.0.65.28 --passsync asdQWE123 -v
>>>
>>
>> -- 
>> ----------------------------
>> With Best Regards
>> Aravind G V
>> Ph-9880346065
>> "I want it all,
>> That's why I strive for it,
>> I know that it's coming" - Drake from "Successful"

From: rcritten at redhat.com (Rob Crittenden)
Date: Thu, 13 Jan 2011 11:24:46 -0500
Subject: [Freeipa-devel] Installation failures due to old pki requires
In-Reply-To: <4D2F0F48.1050803@redhat.com>
References: <4D2F0F48.1050803@redhat.com>
Message-ID: <4D2F274E.9080204@redhat.com>

John Dennis wrote:
> I think the reason why some folks are having CA problems is we're now
> dependent on dogtag being >= 9.0, specifically IPA is now dependent on
> pki-core, a new package, but the spec file seems to be only requiring
> pki-ca 1.3.
>
> The good news is these packages are available in our development repo.
> The bad news is none of the new 9.0 packages have been pushed into
> fedora yet.

That is part of it, but some people are using beta 1, which still uses the old packages. I think the big problem is they aren't applying the symbolic link work-around.

rob
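For Rich Megginson's core-dump instructions earlier in this thread, here is an added example (not 389-ds or FreeIPA code) that scans syslog lines for ns-slapd segfault records, derives the expected core path and gdb command for each, and reports which of the prerequisite steps (ulimit -c, fs.suid_dumpable, debuginfo) are still missing. The kernel segfault line format is assumed, the sample log lines and the instance name AGV-COM are constructed, and the current settings are passed in by the caller.

```python
import re

# Kernel segfault record as it appears in syslog (format assumed for this
# example); the sample lines below are constructed, not taken from a real host.
SEGFAULT_RE = re.compile(
    r"^(?P<stamp>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) kernel: "
    r"(?P<prog>[\w.-]+)\[(?P<pid>\d+)\]: segfault at (?P<addr>[0-9a-f]+) "
    r"ip (?P<ip>[0-9a-f]+) sp (?P<sp>[0-9a-f]+) error (?P<err>\d+) "
    r"in (?P<obj>\S+?)\[(?P<range>[0-9a-f+]+)\]$"
)

SAMPLE_MESSAGES = """\
Jan 13 09:10:11 agvdir kernel: ns-slapd[2345]: segfault at 0 ip 00007f1a2b3c4d50 sp 00007fff0a0b0c10 error 4 in libslapd.so.0.0.0[7f1a2b380000+e0000]
Jan 13 09:10:12 agvdir dirsrv[2345]: shutting down
Jan 13 09:11:03 agvdir kernel: httpd[3001]: segfault at 8 ip 00007f9c00112233 sp 00007fff00aabbcc error 6 in libc-2.13.so[7f9c00080000+19a000]
Jan 13 09:12:40 agvdir kernel: ns-slapd[2400]: segfault at 10 ip 00007f1a2b3c4d50 sp 00007fff0a0b0c10 error 4 in libslapd.so.0.0.0[7f1a2b380000+e0000]
"""


def slapd_segfaults(log_text, prog="ns-slapd"):
    """One dict per kernel segfault record for `prog`; crashes of other
    daemons (httpd above) are ignored."""
    hits = []
    for line in log_text.splitlines():
        m = SEGFAULT_RE.match(line)
        if m and m.group("prog") == prog:
            hits.append({
                "pid": int(m.group("pid")),
                "object": m.group("obj"),      # shared object that faulted
                "error": int(m.group("err")),  # kernel page-fault flags
                "ip": m.group("ip"),
            })
    return hits


def core_path(instance, pid):
    """Where the core lands according to the instructions above."""
    return f"/var/log/dirsrv/slapd-{instance}/core.{pid}"


def gdb_command(instance, pid):
    """Non-interactive form of 'gdb ns-slapd core' + 'thread apply all bt full'."""
    return ["gdb", "-batch", "-ex", "thread apply all bt full",
            "/usr/sbin/ns-slapd", core_path(instance, pid)]


def missing_prerequisites(core_limit, suid_dumpable, debuginfo_installed):
    """Compare the current settings with steps 1-3 of the procedure and return
    the steps still to be done. core_limit is the value of 'ulimit -c'
    ('unlimited' or a number), suid_dumpable the value of
    /proc/sys/fs/suid_dumpable, both as read by the caller."""
    todo = []
    if str(core_limit) == "0":
        todo.append("set 'ulimit -c unlimited' in /etc/sysconfig/dirsrv")
    if int(suid_dumpable) == 0:
        todo.append("sysctl -w fs.suid_dumpable=1")
    if not debuginfo_installed:
        todo.append("debuginfo-install 389-ds-base")
    return todo


def triage(log_text, instance, core_limit, suid_dumpable, debuginfo_installed):
    """Crashes found, the core files to look for, the gdb runs, and what to fix."""
    crashes = slapd_segfaults(log_text)
    return {
        "crashes": crashes,
        "cores": [core_path(instance, c["pid"]) for c in crashes],
        "gdb": [gdb_command(instance, c["pid"]) for c in crashes],
        "todo": missing_prerequisites(core_limit, suid_dumpable, debuginfo_installed),
    }


if __name__ == "__main__":
    import json
    print(json.dumps(triage(SAMPLE_MESSAGES, "AGV-COM", "0", "0", False), indent=2))
```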
From: rcritten at redhat.com (Rob Crittenden)
Date: Thu, 13 Jan 2011 11:50:08 -0500
Subject: [Freeipa-devel] [PATCH] 674 add API version
In-Reply-To: <4D2E2868.2050808@redhat.com>
References: <4D2DD0D3.1050206@redhat.com> <20110112141920.062b5002@willson.li.ssimo.org> <4D2E1F92.8060200@redhat.com> <4D2E2868.2050808@redhat.com>
Message-ID: <4D2F2D40.8040208@redhat.com>

Rob Crittenden wrote:
> Rob Crittenden wrote:
>> Simo Sorce wrote:
>>> On Wed, 12 Jan 2011 11:03:31 -0500
>>> Rob Crittenden wrote:
>>>
>>>> Add an API version that is enforced both when the server is built (to
>>>> disallow unexpected API changes) and when clients talk to the server.
>>>> See the patch for further details.
>>>>
>>>> ticket 584
>>>>
>>>> rob
>>>
>>> Technical nack, API.txt is missing.
>>>
>>> Also it would be really nice if we could test the API on build.
>>> Is the utf8 plugin thing really needed in order to test the api, or
>>> could we use PYTHONPATH and a fake python module by the same name
>>> just to get through the import w/o getting an exception out?
>>>
>>> Simo.
>>>
>>
>> Updated patch attached.
>>
>> I worked around requiring the utf8 plugin so this should be executable
>> from a fresh git pull and will always validate the api when building.
>>
>> I also made a separate patch for the mozldap dependency change (675).
>>
>> rob
>
> Moved the changes to daemons/configure.ac to patch 675.
>
> rob
>

Yet another new version. There are some new build deps since we fire up ipalib during the build. These are the changes in ipa.spec.in.

rob

[Attachment: freeipa-rcrit-674-5-version.patch, text/x-patch, 362112 bytes]
From: rcritten at redhat.com (Rob Crittenden)
Date: Thu, 13 Jan 2011 11:50:46 -0500
Subject: [Freeipa-devel] [PATCH] 674 add API version
In-Reply-To: <4D2E76F6.4030802@redhat.com>
References: <4D2DD0D3.1050206@redhat.com> <20110112141920.062b5002@willson.li.ssimo.org> <4D2E1F92.8060200@redhat.com> <4D2E2868.2050808@redhat.com> <4D2E76F6.4030802@redhat.com>
Message-ID: <4D2F2D66.9070202@redhat.com>

Adam Young wrote:
> On 01/12/2011 05:17 PM, Rob Crittenden wrote:
>> Rob Crittenden wrote:
>>> Simo Sorce wrote:
>>>> On Wed, 12 Jan 2011 11:03:31 -0500
>>>> Rob Crittenden wrote:
>>>>
>>>>> Add an API version that is enforced both when the server is built (to
>>>>> disallow unexpected API changes) and when clients talk to the server.
>>>>> See the patch for further details.
>>>>>
>>>>> ticket 584
>>>>>
>>>>> rob
>>>>
>>>> Technical nack, API.txt is missing.
>>>>
>>>> Also it would be really nice if we could test the API on build.
>>>> Is the utf8 plugin thing really needed in order to test the api, or
>>>> could we use PYTHONPATH and a fake python module by the same name
>>>> just to get through the import w/o getting an exception out?
>>>>
>>>> Simo.
>>>>
>>>
>>> Updated patch attached.
>>>
>>> I worked around requiring the utf8 plugin so this should be executable
>>> from a fresh git pull and will always validate the api when building.
>>>
>>> I also made a separate patch for the mozldap dependency change (675).
>>>
>>> rob
>>
>> Moved the changes to daemons/configure.ac to patch 675.
>>
>> rob
>
> Am I correct in understanding that this patch is going to break the
> webUI? We need to put an API version into the JSON RPC as well. This
> would involve a minor change to install/static/ipa.js in the ipa_cmd
> function, but I am not quite sure what to put there.

I think it will be ok.
The version isn't mandatory right now.

rob

From: rcritten at redhat.com (Rob Crittenden)
Date: Thu, 13 Jan 2011 12:28:45 -0500
Subject: [Freeipa-devel] [PATCH] 676 drop /usr/bin/env from our scripts
Message-ID: <4D2F364D.7000605@redhat.com>

Execute /usr/bin/python directly instead of calling /usr/bin/env python.

ticket 608

This depends on ticket 674 to be applied first.

rob

[Attachment: freeipa-rcrit-676-shebang.patch, text/x-patch, 4244 bytes]

From: edewata at redhat.com (Endi Sukma Dewata)
Date: Fri, 14 Jan 2011 00:59:53 +0700
Subject: [Freeipa-devel] [PATCH] Support for str in StrEnum.
Message-ID: <4D2F3D99.10708@redhat.com>

Hi,

The attached patch should fix this bug:
https://fedorahosted.org/freeipa/ticket/657

The StrEnum class has been modified to accept a str value and convert it into unicode. This is to fix an encoding issue on F14.

-- 
Endi S. Dewata

[Attachment: freeipa-edewata-0070-Support-for-str-in-StrEnum.patch, text/x-patch, 1343 bytes]
From: edewata at redhat.com (Endi Sukma Dewata)
Date: Fri, 14 Jan 2011 01:14:06 +0700
Subject: [Freeipa-devel] [PATCH] Fixed incorrect loop variable and removed debugging message
Message-ID: <4D2F40EE.7010508@redhat.com>

Hi,

I pushed 2 trivial patches under the one-liner rule.

-- 
Endi S. Dewata

[Attachment: freeipa-edewata-0071-Fixed-incorrect-loop-variable.patch, text/x-patch, 853 bytes]
[Attachment: freeipa-edewata-0072-Removed-debugging-message.patch, text/x-patch, 767 bytes]

From: rcritten at redhat.com (Rob Crittenden)
Date: Thu, 13 Jan 2011 13:14:53 -0500
Subject: [Freeipa-devel] [PATCH] 677 don't allow search time limit of 0
Message-ID: <4D2F411D.4030204@redhat.com>

python-ldap fails gloriously if the search time limit is 0. Don't allow it.

Don't allow the time limit to be set in the API. Also add a failsafe in the ldap driver because such bad things happen if this value is 0. I think it literally spends 0 time on the request and just returns immediately.

ticket 752

rob

[Attachment: freeipa-rcrit-677-limit.patch, text/x-patch, 2253 bytes]

From: rcritten at redhat.com (Rob Crittenden)
Date: Thu, 13 Jan 2011 14:04:52 -0500
Subject: [Freeipa-devel] [PATCH] 678 set min version of dogtag
Message-ID: <4D2F4CD4.1080102@redhat.com>

Bump the minimum required version of dogtag up to 9.

ticket 763

rob

[Attachment: freeipa-rcrit-678-dogtag.patch, text/x-patch, 1024 bytes]
From: jhrozek at redhat.com (Jakub Hrozek)
Date: Thu, 13 Jan 2011 20:19:13 +0100
Subject: [Freeipa-devel] [PATCH-SET] 0044-0048 Use SASL/GSSAPI for replication agreements
In-Reply-To: <20110112144532.2535bec0@willson.li.ssimo.org>
References: <20110112144532.2535bec0@willson.li.ssimo.org>
Message-ID: <4D2F5031.2080606@redhat.com>

On 01/12/2011 08:45 PM, Simo Sorce wrote:
>
> The existing code sets up replication agreements by recycling the
> Directory Manager password for the Replication Manager user.
>
> This causes 2 issues:
> - If you change the DM password newer replicas will fail to access the
> older masters as they will have a different password on their
> Replication Manager user. And conversely if you change this password
> when you set up a new replica we risk kicking off unrelated
> replicas.
> The main issue is the use of a single user for all replication
> agreements.
>
> This is bug #690
>
> - Because you need to know the DM password to set up a new agreement
> you can't change the replication topology w/o using the Directory
> Manager user. (the connect command of ipa-replica-manage requires it)
>
> This is bug #644
>
>
> The following patchset comprises 5 patches:
>
> - 0044 Simply refactors some code to make the following patches smaller
> and more readable.
>

I only found two issues in the winsync codepath (which I didn't test):

+ ad_conn = ipaldap.IPAdmin(ad_dc_name, port=636, cacert=cacert)
+ ad_conn = do_simple_bind(binddn=ad_binddn, bindpw=ad_pwd)

I think the second line should say ad_conn.do_simple_bind()

and:

+ self.basic_replication_setup(self.conn, replica_id)

basic_replication_setup() takes 4 parameters now.

> - 0045 Remove unused stuff in ipa-replica-install
>

Ack

> - 0046 Removes the ability to use alternative ports, we can't use
> non-standard ports anyway, we are pretty much hardwired on std. ones
> all over the place.
Ack

> - 0047 Change the replica setup so that the final replication agreement
> can use SASL/GSSAPI for authentication, using the server's own ldap
> service principal to log into the other replicas for replication.
> To resolve the chicken/egg problem of needing kerberos credentials
> before kerberos principals are created, the replication setup process
> is split into 2 phases. A first phase uses the classic Simple auth over
> SSL to prime the replica. Once that's done the replication agreement
> is changed to use SASL/GSSAPI instead and the temporary replication
> manager user is removed.
> This patch also works around a DS bug in changing agreements by using
> 389/TLS instead of 636/SSL for the initial replica synchronization.
>
> This fixes #690
>

Ack

> - 0048 Adds code to directly set up GSSAPI agreements between existing
> replicas (no chicken/egg problem here wrt kerberos) and uses it in
> ipa-replica-manage when a link needs to be added.
>
> This fixes #644
>

Ack

From: ayoung at redhat.com (Adam Young)
Date: Thu, 13 Jan 2011 14:27:25 -0500
Subject: [Freeipa-devel] [PATCH] 676 drop /usr/bin/env from our scripts
In-Reply-To: <4D2F364D.7000605@redhat.com>
References: <4D2F364D.7000605@redhat.com>
Message-ID: <4D2F521D.6030505@redhat.com>

On 01/13/2011 12:28 PM, Rob Crittenden wrote:
> Execute /usr/bin/python directly instead of calling /usr/bin/env python.
>
> ticket 608
>
> This depends on ticket 674 to be applied first.
>
> rob

ACK
From: ssorce at redhat.com (Simo Sorce)
Date: Thu, 13 Jan 2011 14:25:31 -0500
Subject: [Freeipa-devel] [PATCH] 674 add API version
In-Reply-To: <4D2F2D40.8040208@redhat.com>
References: <4D2DD0D3.1050206@redhat.com> <20110112141920.062b5002@willson.li.ssimo.org> <4D2E1F92.8060200@redhat.com> <4D2E2868.2050808@redhat.com> <4D2F2D40.8040208@redhat.com>
Message-ID: <20110113142531.0e47fa82@willson.li.ssimo.org>

On Thu, 13 Jan 2011 11:50:08 -0500
Rob Crittenden wrote:

> Yet another new version. There are some new build deps since we fire
> up ipalib during the build. These are the changes in ipa.spec.in.
>

Sorry, I have to NACK; it seems you squashed a patch to change the python shebang into this one.

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York

From: ssorce at redhat.com (Simo Sorce)
Date: Thu, 13 Jan 2011 14:27:41 -0500
Subject: [Freeipa-devel] LUMA - LDAP browser and more
In-Reply-To: <20110113094555.4b8b3f44@willson.li.ssimo.org>
References: <1294926744.5765.54.camel@dhcp-25-52.brq.redhat.com> <20110113094555.4b8b3f44@willson.li.ssimo.org>
Message-ID: <20110113142741.38a2a3ab@willson.li.ssimo.org>

On Thu, 13 Jan 2011 09:45:55 -0500
Simo Sorce wrote:

> On Thu, 13 Jan 2011 14:52:24 +0100
> Martin Kosek wrote:
>
> > Hi there,
> >
> > I guess you all have your own ways, but I have found a useful GUI
> > tool for browsing the LDAP tree, schemas etc.:
> >
> > LUMA: http://luma.sourceforge.net
> >
> > It is much more effective for me when browsing the IPA internal LDAP
> > data structure than using the classic ldapsearch CLI utility.
>
> I use GQ from time to time. It's a bit fragile, but works and is
> available by default in fedora.

I just tried luma too (also available in fedora repos apparently).
Looks nice! Thanks Martin.

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York
From: ayoung at redhat.com (Adam Young)
Date: Thu, 13 Jan 2011 14:35:11 -0500
Subject: [Freeipa-devel] [PATCH] admiyo-0141-spinning-wheel.
Message-ID: <4D2F53EF.5000307@redhat.com>

[Attachment: freeipa-admiyo-0141-spinning-wheel.patch, text/x-patch, 23961 bytes]

From: rcritten at redhat.com (Rob Crittenden)
Date: Thu, 13 Jan 2011 14:34:45 -0500
Subject: [Freeipa-devel] [PATCH] 674 add API version
In-Reply-To: <20110113142531.0e47fa82@willson.li.ssimo.org>
References: <4D2DD0D3.1050206@redhat.com> <20110112141920.062b5002@willson.li.ssimo.org> <4D2E1F92.8060200@redhat.com> <4D2E2868.2050808@redhat.com> <4D2F2D40.8040208@redhat.com> <20110113142531.0e47fa82@willson.li.ssimo.org>
Message-ID: <4D2F53D5.5@redhat.com>

Simo Sorce wrote:
> On Thu, 13 Jan 2011 11:50:08 -0500
> Rob Crittenden wrote:
>
>> Yet another new version. There are some new build deps since we fire
>> up ipalib during the build. These are the changes in ipa.spec.in.
>>
>
> Sorry, I have to NACK; it seems you squashed a patch to change the
> python shebang into this one.
>
> Simo.
>

Yeah, a git oops on my part. Updated patch attached. I diffed this with the previous "good" patch, -4, and the only diff is a slightly reformatted commit message and the addition of some buildrequires.

rob

[Attachment: freeipa-rcrit-674-6-version.patch, text/x-patch, 358427 bytes]
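The 674 thread describes two enforcement points for the API version: at build time (a frozen listing such as API.txt that fails the build on an unreviewed change) and at request time (a version carried in the JSON-RPC call, not yet mandatory). The following is an added example of both, not FreeIPA's code; the `version` key in the options dict, the `MAJOR.MINOR` string form, the one-line-per-command listing format and the server version 2.0 are all assumptions of this example.

```python
import json

# Constructed value for this example; FreeIPA's real version string is not
# shown on the page.
SERVER_API_VERSION = "2.0"


# --- build time: fail the build on an API change nobody reviewed -------------

def render_api(commands):
    """Render {command_name: [param, ...]} as one sorted line per command so
    the result can be committed as a frozen listing (the thread's API.txt).
    The line format is an assumption of this example."""
    lines = [f"command: {name}({', '.join(params)})"
             for name, params in sorted(commands.items())]
    return "\n".join(lines) + "\n"


def api_changes(frozen_text, commands):
    """Lines that differ between the committed listing and the one rendered
    from the code being built. A non-empty result means a command signature
    changed without the frozen file being updated (or vice versa)."""
    frozen = set(frozen_text.splitlines())
    current = set(render_api(commands).splitlines())
    return sorted(frozen.symmetric_difference(current))


# --- request time: compare the client's declared version with the server's --

def parse_version(text):
    """'MAJOR.MINOR' -> (int, int); raises ValueError on anything else."""
    major, minor = text.split(".", 1)
    return int(major), int(minor)


def build_request(method, args, options, version=SERVER_API_VERSION, req_id=0):
    """Client side (what ipa_cmd-style code would send): JSON-RPC with the
    positional args and the options dict, the version added to the options."""
    opts = dict(options, version=version)
    return json.dumps({"method": method, "params": [list(args), opts], "id": req_id})


def check_request_version(body, server_version=SERVER_API_VERSION, mandatory=False):
    """Server side. Returns (accepted, reason).
    - no version: accepted unless `mandatory` (the thread says it is not
      mandatory yet), so existing clients keep working;
    - different major, or a minor newer than the server's: rejected, since the
      client may rely on commands or parameters this server does not have;
    - malformed request or version: rejected."""
    try:
        req = json.loads(body)
        params = req.get("params", [])
        options = params[1] if len(params) > 1 and isinstance(params[1], dict) else {}
    except (ValueError, AttributeError):
        return False, "malformed request"
    client = options.get("version")
    if client is None:
        return (not mandatory), "no version supplied"
    try:
        cmaj, cmin = parse_version(str(client))
    except ValueError:
        return False, f"malformed version {client!r}"
    smaj, smin = parse_version(server_version)
    if cmaj != smaj:
        return False, f"major version mismatch: client {client}, server {server_version}"
    if cmin > smin:
        return False, f"client API {client} is newer than server API {server_version}"
    return True, "compatible"


if __name__ == "__main__":
    frozen = render_api({"user_show": ["uid", "all", "raw"]})
    print(api_changes(frozen, {"user_show": ["uid", "all", "raw", "rights"]}))
    print(check_request_version(build_request("user_show", ["admin"], {"all": True})))
    print(check_request_version(build_request("user_show", ["admin"], {}, version="3.0")))
```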
From: ayoung at redhat.com (Adam Young)
Date: Thu, 13 Jan 2011 14:38:02 -0500
Subject: [Freeipa-devel] [PATCH] 678 set min version of dogtag
In-Reply-To: <4D2F4CD4.1080102@redhat.com>
References: <4D2F4CD4.1080102@redhat.com>
Message-ID: <4D2F549A.5030803@redhat.com>

On 01/13/2011 02:04 PM, Rob Crittenden wrote:
> Bump minimum required version of dogtag up to 9.
>
> ticket 763
>
> rob

ACK

From: ssorce at redhat.com (Simo Sorce)
Date: Thu, 13 Jan 2011 14:40:36 -0500
Subject: [Freeipa-devel] [PATCH] 677 don't allow search time limit of 0
In-Reply-To: <4D2F411D.4030204@redhat.com>
References: <4D2F411D.4030204@redhat.com>
Message-ID: <20110113144036.38fc8ebc@willson.li.ssimo.org>

On Thu, 13 Jan 2011 13:14:53 -0500
Rob Crittenden wrote:

> python-ldap fails gloriously if the search time limit is 0. Don't
> allow it.
>
> Don't allow the time limit to be set in the API. Also add a failsafe
> in the ldap driver because such bad things happen if this value is 0.
> I think it literally spends 0 time on the request and just returns
> immediately.
>
> ticket 752

ACK.

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York

From: grajaiya at redhat.com (Gowrishankar Rajaiyan)
Date: Fri, 14 Jan 2011 01:15:06 +0530
Subject: [Freeipa-devel] [PATCH] Fixed typo in ipa help service command.
Message-ID: <4D2F5642.4030308@redhat.com>

[Attachment: 0001-Fixed-typo-in-ipa-help-service.patch]
From: ayoung at redhat.com (Adam Young)
Date: Thu, 13 Jan 2011 14:51:46 -0500
Subject: [Freeipa-devel] [PATCH] metadata update
Message-ID: <4D2F57D2.7050208@redhat.com>

[Attachment: freeipa-admiyo-0142-metadata-update.patch, text/x-patch, 7033 bytes]

From: ssorce at redhat.com (Simo Sorce)
Date: Thu, 13 Jan 2011 15:11:18 -0500
Subject: [Freeipa-devel] [PATCH] Fixed typo in ipa help service command.
In-Reply-To: <4D2F5642.4030308@redhat.com>
References: <4D2F5642.4030308@redhat.com>
Message-ID: <20110113151118.6b8070f5@willson.li.ssimo.org>

On Fri, 14 Jan 2011 01:15:06 +0530
Gowrishankar Rajaiyan wrote:

ACK,
Simo.

-- 
Simo Sorce * Red Hat, Inc * New York

From: ssorce at redhat.com (Simo Sorce)
Date: Thu, 13 Jan 2011 15:12:35 -0500
Subject: [Freeipa-devel] [PATCH] metadata update
In-Reply-To: <4D2F57D2.7050208@redhat.com>
References: <4D2F57D2.7050208@redhat.com>
Message-ID: <20110113151235.2ca41741@willson.li.ssimo.org>

On Thu, 13 Jan 2011 14:51:46 -0500
Adam Young wrote:

ACK.

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York
From: ssorce at redhat.com (Simo Sorce)
Date: Thu, 13 Jan 2011 15:19:56 -0500
Subject: [Freeipa-devel] [PATCH-SET] 0044-0048 Use SASL/GSSAPI for replication agreements
In-Reply-To: <4D2F5031.2080606@redhat.com>
References: <20110112144532.2535bec0@willson.li.ssimo.org> <4D2F5031.2080606@redhat.com>
Message-ID: <20110113151956.6b2bf626@willson.li.ssimo.org>

On Thu, 13 Jan 2011 20:19:13 +0100
Jakub Hrozek wrote:

> I only found two issues in the winsync codepath (which I didn't
> test):
>
> + ad_conn = ipaldap.IPAdmin(ad_dc_name, port=636,
> cacert=cacert)
> + ad_conn = do_simple_bind(binddn=ad_binddn, bindpw=ad_pwd)
>
> I think the second line should say ad_conn.do_simple_bind()
>
> and:
>
> + self.basic_replication_setup(self.conn, replica_id)
>
> basic_replication_setup() takes 4 parameters now.

Fixed both, thanks for catching these ones!
Attached 0044-2 patch; the others rebase on top cleanly, so I'll keep those acks :-)

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York

[Attachment: freeipa-simo-0044-2-Refactor-some-replication-code.patch, text/x-patch, 26949 bytes]
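The two-phase scheme described in this patchset (prime the replica with a temporary replication manager over simple bind, then switch the agreement to SASL/GSSAPI and remove the stored credentials) can be checked without a directory server. The following is an added example, not the patchset's code: it builds a phase 1 agreement, produces the phase 2 modification, and audits a set of agreements for the bug #690 condition (a shared password still stored in an agreement). The attribute names are those of 389 Directory Server agreements; the entries, DNs and password are constructed, and the modlist shape mirrors python-ldap's (op, attr, values) tuples without importing it.

```python
# 389 DS replication agreement attributes (names from memory of the DS schema;
# the entries below are constructed for this example, not dumped from a server).
BIND_METHOD = "nsDS5ReplicaBindMethod"      # SIMPLE or SASL/GSSAPI
BIND_DN = "nsDS5ReplicaBindDN"
CREDENTIALS = "nsDS5ReplicaCredentials"     # stored password for SIMPLE bind
TRANSPORT = "nsDS5ReplicaTransportInfo"     # LDAP, SSL or TLS
PORT = "nsDS5ReplicaPort"
HOST = "nsDS5ReplicaHost"


def phase1_agreement(dn, peer_host, repl_mgr_dn, repl_mgr_pw):
    """Phase 1 of the scheme: a temporary replication manager, simple bind
    over TLS on 389 (the thread's work-around instead of 636/SSL), used only
    to prime the replica."""
    return {"dn": dn, HOST: peer_host, PORT: "389", TRANSPORT: "TLS",
            BIND_METHOD: "SIMPLE", BIND_DN: repl_mgr_dn, CREDENTIALS: repl_mgr_pw}


def phase2_modlist(agreement):
    """The modify that turns a primed agreement into the final one: bind with
    the server's own ldap/ service principal via SASL/GSSAPI and drop the
    stored bind DN and password. Deleting the temporary replication manager
    entry itself is a separate operation on the peer and is not modelled."""
    mods = [("replace", BIND_METHOD, ["SASL/GSSAPI"])]
    for attr in (BIND_DN, CREDENTIALS):
        if attr in agreement:
            mods.append(("delete", attr, None))
    return mods


def apply_modlist(agreement, mods):
    """Pure-Python application of a modlist, to check the resulting entry."""
    out = dict(agreement)
    for op, attr, values in mods:
        if op == "replace":
            out[attr] = values[0]
        elif op == "delete":
            out.pop(attr, None)
    return out


def audit_agreements(agreements):
    """Findings for agreements that still depend on a stored password: the
    condition behind bug #690 (one credential shared by every replica, broken
    by a Directory Manager password change) plus the clear-text case."""
    findings = []
    for a in agreements:
        method = a.get(BIND_METHOD, "SIMPLE").upper()
        if method == "SIMPLE":
            if CREDENTIALS in a:
                findings.append((a["dn"], "simple bind with stored password; switch to SASL/GSSAPI"))
            if a.get(TRANSPORT, "LDAP").upper() == "LDAP":
                findings.append((a["dn"], "simple bind without TLS/SSL; password crosses the wire in clear"))
        elif method == "SASL/GSSAPI" and CREDENTIALS in a:
            findings.append((a["dn"], "GSSAPI agreement still stores a password; delete it"))
    return findings


if __name__ == "__main__":
    # Constructed sample: one freshly primed agreement and one legacy one.
    primed = phase1_agreement("cn=meToipa2,cn=replica,cn=mapping tree,cn=config",
                              "ipa2.example.test",
                              "cn=replication manager,cn=config", "TempPassw0rd")
    legacy = dict(primed, dn="cn=meToipa1,cn=replica,cn=mapping tree,cn=config",
                  **{TRANSPORT: "LDAP"})
    final = apply_modlist(primed, phase2_modlist(primed))
    for finding in audit_agreements([primed, legacy, final]):
        print(*finding, sep=": ")
```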
From: ssorce at redhat.com (Simo Sorce)
Date: Thu, 13 Jan 2011 15:23:28 -0500
Subject: [Freeipa-devel] [PATCH] 674 add API version
In-Reply-To: <4D2F53D5.5@redhat.com>
References: <4D2DD0D3.1050206@redhat.com> <20110112141920.062b5002@willson.li.ssimo.org> <4D2E1F92.8060200@redhat.com> <4D2E2868.2050808@redhat.com> <4D2F2D40.8040208@redhat.com> <20110113142531.0e47fa82@willson.li.ssimo.org> <4D2F53D5.5@redhat.com>
Message-ID: <20110113152328.085431e5@willson.li.ssimo.org>

On Thu, 13 Jan 2011 14:34:45 -0500
Rob Crittenden wrote:

> Simo Sorce wrote:
> > On Thu, 13 Jan 2011 11:50:08 -0500
> > Rob Crittenden wrote:
> >
> >> Yet another new version. There are some new build deps since we
> >> fire up ipalib during the build. These are the changes in
> >> ipa.spec.in.
> >>
> >
> > Sorry, I have to NACK; it seems you squashed a patch to change the
> > python shebang into this one.
> >
> > Simo.
> >
>
> Yeah, a git oops on my part. Updated patch attached. I diffed this
> with the previous "good" patch, -4, and the only diff is a slightly
> reformatted commit message and the addition of some buildrequires.
>
> rob

ACK.

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York

From: ayoung at redhat.com (Adam Young)
Date: Thu, 13 Jan 2011 15:56:12 -0500
Subject: [Freeipa-devel] [PATCH] metadata update
In-Reply-To: <20110113151235.2ca41741@willson.li.ssimo.org>
References: <4D2F57D2.7050208@redhat.com> <20110113151235.2ca41741@willson.li.ssimo.org>
Message-ID: <4D2F66EC.3060500@redhat.com>

On 01/13/2011 03:12 PM, Simo Sorce wrote:
> On Thu, 13 Jan 2011 14:51:46 -0500
> Adam Young wrote:
>
> ACK.
>
> Simo.
>

pushed to master
From: ayoung at redhat.com (Adam Young)
Date: Thu, 13 Jan 2011 17:32:26 -0500
Subject: [Freeipa-devel] Fixed mod_nss
In-Reply-To: <4D2F6936.8050607@redhat.com>
References: <4D2DFE94.6080309@redhat.com> <4D2F6936.8050607@redhat.com>
Message-ID: <4D2F7D7A.6070200@redhat.com>

On 01/13/2011 04:05 PM, Jenny Galipeau wrote:
> Adam Young wrote:
>> http://koji.fedoraproject.org/koji/buildinfo?buildID=213857
>>
>> See spec change log. This should deal with the mod-rewrite issue.
> Adam:
> Is this fix in ... I am not seeing the issue today?
> Thanks
> Jenny
>

No idea. Rob?

From: ssorce at redhat.com (Simo Sorce)
Date: Thu, 13 Jan 2011 18:51:51 -0500
Subject: [Freeipa-devel] [PATCH] 0050 Move virtual operations container
Message-ID: <20110113185151.1d1a3d0e@willson.li.ssimo.org>

See ticket #759

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York

[Attachment: freeipa-simo-0050-Move-Virtual-Operations-container-under-cn-etc.patch, text/x-patch, 23302 bytes]

From: rmeggins at redhat.com (Rich Megginson)
Date: Thu, 13 Jan 2011 16:51:27 -0700
Subject: [Freeipa-devel] Where is the code that generates the initial CA and server cert?
Message-ID: <4D2F8FFF.8080105@redhat.com>

For bug https://bugzilla.redhat.com/show_bug.cgi?id=668899

Where is the code that generates the initial CA and server cert? If I have to do a full ipa install to reproduce I will (btw, is the 2.0 install guide on freeipa.org correct?), but I'd rather have a smaller, easily reproducible test case.
From: ssorce at redhat.com (Simo Sorce)
Date: Thu, 13 Jan 2011 18:52:22 -0500
Subject: [Freeipa-devel] [PATCH] 0051 Move mep template under cn=etc
Message-ID: <20110113185222.27e6cddd@willson.li.ssimo.org>

Ticket #760

--
Simo Sorce * Red Hat, Inc * New York

Attachment: freeipa-simo-0051-Move-mep-templates-under-cn-etc.patch (text/x-patch, 2490 bytes)

From: ssorce at redhat.com (Simo Sorce)
Date: Thu, 13 Jan 2011 18:53:04 -0500
Subject: [Freeipa-devel] [PATCH] 0052 Remove obsolete radius stuff
Message-ID: <20110113185304.4ff380c5@willson.li.ssimo.org>

Ticket #761

--
Simo Sorce * Red Hat, Inc * New York

Attachment: freeipa-simo-0052-Remove-radius-options-completely.patch (text/x-patch, 130484 bytes)

From: ssorce at redhat.com (Simo Sorce)
Date: Thu, 13 Jan 2011 18:53:37 -0500
Subject: [Freeipa-devel] [PATCH] Remove dependency on nss_ldap
Message-ID: <20110113185337.3af092fb@willson.li.ssimo.org>

Ticket #757

--
Simo Sorce * Red Hat, Inc * New York

Attachment: freeipa-simo-0053-Remove-dependency-on-nss_ldap-nss-pam-ldapd.patch (text/x-patch, 1179 bytes)
From: ayoung at redhat.com (Adam Young)
Date: Thu, 13 Jan 2011 19:45:56 -0500
Subject: [Freeipa-devel] [PATCH] Remove dependency on nss_ldap
In-Reply-To: <20110113185337.3af092fb@willson.li.ssimo.org>
References: <20110113185337.3af092fb@willson.li.ssimo.org>
Message-ID: <4D2F9CC4.40308@redhat.com>

On 01/13/2011 06:53 PM, Simo Sorce wrote:
> Ticket #757

ACK

From: ayoung at redhat.com (Adam Young)
Date: Thu, 13 Jan 2011 20:35:28 -0500
Subject: [Freeipa-devel] [PATCH] admiyo-0143-scoping-functions
Message-ID: <4D2FA860.9050507@redhat.com>

Attachment: freeipa-admiyo-0143-scoping-functions.patch (text/x-patch, 170456 bytes)
From: ayoung at redhat.com (Adam Young)
Date: Thu, 13 Jan 2011 20:40:05 -0500
Subject: [Freeipa-devel] [PATCH] Certificate and Kerberos key status adjustments.
In-Reply-To: <4D2EE239.3050409@redhat.com>
References: <4D2EE239.3050409@redhat.com>
Message-ID: <4D2FA975.7040904@redhat.com>

On 01/13/2011 06:30 AM, Endi Sukma Dewata wrote:
> Hi,
>
> The attached patch should fix item #4 and #5 of this bug:
> https://fedorahosted.org/freeipa/ticket/670
>
> The OTP field has been moved into a separate row to avoid line
> wrapping. The line height inside tables has been increased to
> avoid overlapping buttons in certificate status panel.

NACK. The CSS line height will affect all tables, not just the ones in SUDO and HBAC.

From: ayoung at redhat.com (Adam Young)
Date: Thu, 13 Jan 2011 20:44:50 -0500
Subject: [Freeipa-devel] [PATCH] Increased icon size for certificate and Kerberos key status.
In-Reply-To: <4D2EAFDE.5040105@redhat.com>
References: <4D2EAFDE.5040105@redhat.com>
Message-ID: <4D2FAA92.6070901@redhat.com>

On 01/13/2011 02:55 AM, Endi Sukma Dewata wrote:
> Hi,
>
> The attached patch should fix item #3 of this bug:
> https://fedorahosted.org/freeipa/ticket/670
>
> The tag used for status icon has been replaced with
> tag shaped like a circle. The size can be adjusted using CSS.

NACK. The indicators are still pretty small, and I see both the green and yellow images on the page at the same time. Don't think that is what we want. Talk to UXD.

From: davido at redhat.com (David O'Brien)
Date: Fri, 14 Jan 2011 11:58:20 +1000
Subject: [Freeipa-devel] Where is the code that generates the initial CA and server cert?
In-Reply-To: <4D2F8FFF.8080105@redhat.com>
References: <4D2F8FFF.8080105@redhat.com>
Message-ID: <4D2FADBC.6010108@redhat.com>

Rich Megginson wrote:
> For bug https://bugzilla.redhat.com/show_bug.cgi?id=668899
> Where is the code that generates the initial CA and server cert?
> If I have to do a full ipa install to reproduce I will (btw, is the 2.0
> install guide on freeipa.org correct?), but I'd rather have a smaller,
> easily reproducible test case.

Rich, the Install Guide on that page is due to be updated as soon as we get through some doc reviews. It's mostly a copy of the 1.2 version as it is.

--
David O'Brien
Red Hat Asia Pacific Pty Ltd
+61 7 3514 8189
"He who asks is a fool for five minutes, but he who does not ask remains a fool forever." ~ Chinese proverb

From: ayoung at redhat.com (Adam Young)
Date: Thu, 13 Jan 2011 21:22:58 -0500
Subject: [Freeipa-devel] [PATCH] Increased icon size for certificate and Kerberos key status.
In-Reply-To: <4D2EAFDE.5040105@redhat.com>
References: <4D2EAFDE.5040105@redhat.com>
Message-ID: <4D2FB382.3040106@redhat.com>

On 01/13/2011 02:55 AM, Endi Sukma Dewata wrote:
> Hi,
>
> The attached patch should fix item #3 of this bug:
> https://fedorahosted.org/freeipa/ticket/670
>
> The tag used for status icon has been replaced with
> tag shaped like a circle. The size can be adjusted using CSS.

ACK, based on our discussion in IRC. Ticket is not closed. Follow-on work includes resizing the icon even larger, as well as only showing one of the icons.

From: ayoung at redhat.com (Adam Young)
Date: Thu, 13 Jan 2011 21:28:58 -0500
Subject: [Freeipa-devel] [PATCH] Support for str in StrEnum.
In-Reply-To: <4D2F3D99.10708@redhat.com>
References: <4D2F3D99.10708@redhat.com>
Message-ID: <4D2FB4EA.2080809@redhat.com>

On 01/13/2011 12:59 PM, Endi Sukma Dewata wrote:
> Hi,
>
> The attached patch should fix this bug:
> https://fedorahosted.org/freeipa/ticket/657
>
> The StrEnum class has been modified to accept str value and convert
> it into unicode. This is to fix encoding issue on F14.

ACK

From: edewata at redhat.com (Endi Sukma Dewata)
Date: Fri, 14 Jan 2011 09:45:29 +0700
Subject: [Freeipa-devel] [PATCH] Certificate and Kerberos key status adjustments.
In-Reply-To: <4D2FA975.7040904@redhat.com>
References: <4D2EE239.3050409@redhat.com> <4D2FA975.7040904@redhat.com>
Message-ID: <4D2FB8C9.2020104@redhat.com>

On 1/14/2011 8:40 AM, Adam Young wrote:
>> The attached patch should fix item #4 and #5 of this bug:
>> https://fedorahosted.org/freeipa/ticket/670
>>
>> The OTP field has been moved into a separate row to avoid line
>> wrapping.
>> The line height inside tables has been increased to
>> avoid overlapping buttons in certificate status panel.
> NACK. The CSS line height will affect all tables, not just the ones in
> SUDO and HBAC

I changed the code to limit the CSS line height to certificate and Kerberos key status tables only. Thanks.

--
Endi S. Dewata

Attachment: freeipa-edewata-0069-2-Certificate-and-Kerberos-key-status-adjustments.patch (text/x-patch, 3930 bytes)

From: rcritten at redhat.com (Rob Crittenden)
Date: Thu, 13 Jan 2011 21:50:07 -0500
Subject: [Freeipa-devel] Where is the code that generates the initial CA and server cert?
In-Reply-To: <4D2F8FFF.8080105@redhat.com>
References: <4D2F8FFF.8080105@redhat.com>
Message-ID: <4D2FB9DF.6000401@redhat.com>

Rich Megginson wrote:
> For bug https://bugzilla.redhat.com/show_bug.cgi?id=668899
> Where is the code that generates the initial CA and server cert?
> If I have to do a full ipa install to reproduce I will (btw, is the 2.0
> install guide on freeipa.org correct?), but I'd rather have a smaller,
> easily reproducible test case.

I assume you mean the self-signed CA. If that's the case then the CA is generated in ipaserver/install/certs.py:create_ca_cert()

Server certs are generated in ipaserver/install/certs.py:request_cert() and issue_server_cert()

rob

From: edewata at redhat.com (Endi Sukma Dewata)
Date: Fri, 14 Jan 2011 09:54:45 +0700
Subject: [Freeipa-devel] [PATCH] Increased icon size for certificate and Kerberos key status.
In-Reply-To: <4D2FB382.3040106@redhat.com>
References: <4D2EAFDE.5040105@redhat.com> <4D2FB382.3040106@redhat.com>
Message-ID: <4D2FBAF5.40607@redhat.com>

On 1/14/2011 9:22 AM, Adam Young wrote:
>> The attached patch should fix item #3 of this bug:
>> https://fedorahosted.org/freeipa/ticket/670
>>
>> The tag used for status icon has been replaced with
>> tag shaped like a circle. The size can be adjusted using CSS.
> ACK, based on our discussion in IRC. Ticket is not closed. Follow-on
> work includes resizing the icon even larger, as well as only showing one
> of the icons

Pushed to master. I'll set up a fedorapeople site for review.

--
Endi S. Dewata

From: edewata at redhat.com (Endi Sukma Dewata)
Date: Fri, 14 Jan 2011 09:55:30 +0700
Subject: [Freeipa-devel] [PATCH] Support for str in StrEnum.
In-Reply-To: <4D2FB4EA.2080809@redhat.com>
References: <4D2F3D99.10708@redhat.com> <4D2FB4EA.2080809@redhat.com>
Message-ID: <4D2FBB22.6060502@redhat.com>

On 1/14/2011 9:28 AM, Adam Young wrote:
>> The attached patch should fix this bug:
>> https://fedorahosted.org/freeipa/ticket/657
>>
>> The StrEnum class has been modified to accept str value and convert
>> it into unicode. This is to fix encoding issue on F14.
> ACK

Pushed to master.

--
Endi S. Dewata

From: edewata at redhat.com (Endi Sukma Dewata)
Date: Fri, 14 Jan 2011 15:12:29 +0700
Subject: [Freeipa-devel] [PATCH] admiyo-0141-spinning-wheel.
In-Reply-To: <4D2F53EF.5000307@redhat.com>
References: <4D2F53EF.5000307@redhat.com>
Message-ID: <4D30056D.5020708@redhat.com>

On 1/14/2011 2:35 AM, Adam Young wrote:
>

Mostly fine except these minor things:

1. Every time you click Update on details facet the primary key will be prepended to the header. See details.js:664:

   $('h1',that.container).prepend(that.pkey);

2. The hide_activity_icon() invocations in the following methods:
   - ajax_error_handler()
   - http_error_handler()
   - ipa_error_handler()
   are unnecessary because it's been invoked earlier by success_handler or error_handler.

--
Endi S. Dewata
From: edewata at redhat.com (Endi Sukma Dewata)
Date: Fri, 14 Jan 2011 16:07:31 +0700
Subject: [Freeipa-devel] [PATCH] admiyo-0143-scoping-functions
In-Reply-To: <4D2FA860.9050507@redhat.com>
References: <4D2FA860.9050507@redhat.com>
Message-ID: <4D301253.1020209@redhat.com>

On 1/14/2011 8:35 AM, Adam Young wrote:
>

ACK. Merged and pushed to master.

--
Endi S. Dewata

From: mkosek at redhat.com (Martin Kosek)
Date: Fri, 14 Jan 2011 10:33:40 +0100
Subject: [Freeipa-devel] [PATCH] Unchecked return values in SLAPI plugins
Message-ID: <1294997620.22946.0.camel@dhcp-25-52.brq.redhat.com>

Return values weren't checked in several cases which could have led to unhandled errors.

https://fedorahosted.org/freeipa/ticket/722

Attachment: mkosek-freeipa-013-unchecked-return-values-in-slapi-plugins.patch (text/x-patch, 4575 bytes)

From: jzeleny at redhat.com (Jan Zelený)
Date: Fri, 14 Jan 2011 10:56:34 +0100
Subject: [Freeipa-devel] [PATCH] Unchecked return values in SLAPI plugins
In-Reply-To: <1294997620.22946.0.camel@dhcp-25-52.brq.redhat.com>
References: <1294997620.22946.0.camel@dhcp-25-52.brq.redhat.com>
Message-ID: <201101141056.34771.jzeleny@redhat.com>

Martin Kosek wrote:
> Return values weren't checked in several cases which could
> have led to unhandled errors.
>
> https://fedorahosted.org/freeipa/ticket/722

Ack

Jan
From: jhrozek at redhat.com (Jakub Hrozek)
Date: Fri, 14 Jan 2011 12:52:45 +0100
Subject: [Freeipa-devel] [PATCH-SET] 0044-0048 Use SASL/GSSAPI for replication agreements
In-Reply-To: <20110113151956.6b2bf626@willson.li.ssimo.org>
References: <20110112144532.2535bec0@willson.li.ssimo.org> <4D2F5031.2080606@redhat.com> <20110113151956.6b2bf626@willson.li.ssimo.org>
Message-ID: <4D30390D.6000504@redhat.com>

On 01/13/2011 09:19 PM, Simo Sorce wrote:
> On Thu, 13 Jan 2011 20:19:13 +0100 Jakub Hrozek wrote:
>
>> I only found two issues in the winsync codepath (which I didn't
>> test):
>>
>> + ad_conn = ipaldap.IPAdmin(ad_dc_name, port=636,
>> cacert=cacert)
>> + ad_conn = do_simple_bind(binddn=ad_binddn, bindpw=ad_pwd)
>>
>> I think the second line should say ad_conn.do_simple_bind()
>>
>> and:
>>
>> + self.basic_replication_setup(self.conn, replica_id)
>>
>> basic_replication_setup() takes 4 parameters now.
>
> Fixed both, thanks for catching these ones!
>
> Attached 0044-2 patch, the others rebase on top cleanly, so I'll keep
> those acks :-)
>
> Simo.

Ack

Although probably after yesterday's patches I had to do a 3-way merge on patch #47, so please check it merges OK.

Jakub
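Review bot: in the first pair of quoted `+` lines, the second line rebinds ad_conn to the return value of a bare do_simple_bind() call, discarding the IPAdmin object that the first line built against the AD DC on port 636 with cacert=cacert; once it is corrected to ad_conn.do_simple_bind() as Jakub suggests, bindpw=ad_pwd is transmitted in a simple bind, which is only acceptable because that connection is the LDAPS one, so the patch should also make cacert mandatory for this codepath rather than allow it to be empty. The quoted lines do not show whether cacert can be None, so that is worth confirming in the full patch.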
From: jhrozek at redhat.com (Jakub Hrozek)
Date: Fri, 14 Jan 2011 12:59:58 +0100
Subject: [Freeipa-devel] [PATCH] 0051 Move mep template under cn=etc
In-Reply-To: <20110113185222.27e6cddd@willson.li.ssimo.org>
References: <20110113185222.27e6cddd@willson.li.ssimo.org>
Message-ID: <4D303ABE.2080802@redhat.com>

On 01/14/2011 12:52 AM, Simo Sorce wrote:
>
> Ticket #760

Ack
From: jhrozek at redhat.com (Jakub Hrozek)
Date: Fri, 14 Jan 2011 13:30:18 +0100
Subject: [Freeipa-devel] [PATCH] 0051 Move mep template under cn=etc
In-Reply-To: <4D303ABE.2080802@redhat.com>
References: <20110113185222.27e6cddd@willson.li.ssimo.org> <4D303ABE.2080802@redhat.com>
Message-ID: <4D3041DA.2030508@redhat.com>

On 01/14/2011 12:59 PM, Jakub Hrozek wrote:
> On 01/14/2011 12:52 AM, Simo Sorce wrote:
>
>> Ticket #760
>
> Ack

Sorry, I have to withdraw my ack. I'm getting an installation error with this patch:

-----------------------------------------------------------------
2011-01-14 07:25:13,490 INFO stdout=add objectclass:
        mepTemplateEntry
add cn:
        NGP HGP Template
add mepRDNAttr:
        cn
add mepStaticAttr:
        ipaUniqueId: autogenerate
        objectclass: ipanisnetgroup
        objectclass: ipaobject
        nisDomainName: idm.lab.bos.redhat.com
add mepMappedAttr:
        cn: $cn
        memberHost: $dn
        description: ipaNetgroup $cn
adding new entry "cn=NGP HGP Template,cn=etc,dc=idm,dc=lab,dc=bos,dc=redhat,dc=com"

2011-01-14 07:25:13,490 INFO stderr=ldap_initialize( ldap://vm-061.idm.lab.bos.redhat.com )
ldap_add: No such object (32)
        matched DN: dc=idm,dc=lab,dc=bos,dc=redhat,dc=com

2011-01-14 07:25:13,490 CRITICAL Failed to load host_nis_groups.ldif: Command '/usr/bin/ldapmodify -h vm-061.idm.lab.bos.redhat.com -v -f /tmp/tmpQdQTOE -x -D cn=Directory Manager -y /tmp/tmpoMHTnX' returned non-zero exit status 32
-----------------------------------------------------------------

Since it didn't even match cn=etc, it looks like this step was run before the bootstrapping step?
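The diagnostic in the failure Jakub quotes is the "matched DN" line: on LDAP result 32 (noSuchObject) the server reports the deepest ancestor of the requested DN that does exist, and here that is the bare suffix dc=idm,dc=lab,dc=bos,dc=redhat,dc=com, so cn=etc had not been created yet when host_nis_groups.ldif was loaded. The script below is an added example, not FreeIPA installer code: it dry-runs a list of add operations against a set of DNs assumed to already exist, reports the matched DN each failing add would receive, and reorders the adds so that containers come before their children. Every function name and the cn=example entry are this example's own constructions; the other DNs are taken from the log above.

```python
"""Dry-run and reorder LDAP add operations so every entry's parent exists first.

Added example, not FreeIPA installer code. The entry names below are built from
the installer log quoted in the thread; cn=example is a constructed sibling.
"""
from typing import Iterable, List, Set, Tuple

SUFFIX = "dc=idm,dc=lab,dc=bos,dc=redhat,dc=com"

# Constructed from the quoted log: the template add ran before cn=etc existed.
ADDS_AS_RUN = [
    "cn=NGP HGP Template,cn=etc," + SUFFIX,  # the entry that failed with result 32
    "cn=etc," + SUFFIX,                       # the container the bootstrap step creates
    "cn=example,cn=etc," + SUFFIX,            # constructed sibling, not a real IPA entry
]


def parse_dn(dn: str) -> List[str]:
    """Split a DN into RDNs, most specific first. An escaped comma (\\,) stays inside
    its RDN. Components are lower-cased so comparisons are case-insensitive, as LDAP
    DN matching is (this is a simplification: values are not fully normalized)."""
    rdns: List[str] = []
    cur: List[str] = []
    i = 0
    while i < len(dn):
        ch = dn[i]
        if ch == "\\" and i + 1 < len(dn):  # keep the escape sequence intact
            cur.append(dn[i:i + 2])
            i += 2
            continue
        if ch == ",":
            rdns.append("".join(cur).strip().lower())
            cur = []
        else:
            cur.append(ch)
        i += 1
    rdns.append("".join(cur).strip().lower())
    return rdns


def normalize(dn: str) -> str:
    return ",".join(parse_dn(dn))


def parent_dn(dn: str) -> str:
    """Parent of dn; the empty string is the root, which always exists."""
    return ",".join(parse_dn(dn)[1:])


def matched_dn(dn: str, existing: Set[str]) -> str:
    """Deepest existing ancestor of dn: what a server puts in matchedDN on result 32."""
    rdns = parse_dn(dn)
    for i in range(1, len(rdns) + 1):
        candidate = ",".join(rdns[i:])
        if candidate in existing:
            return candidate
    return ""


def dry_run_adds(adds: Iterable[str], existing: Iterable[str]) -> List[Tuple[str, str]]:
    """Simulate the adds in the given order; return one (dn, outcome) per add."""
    tree: Set[str] = {normalize(d) for d in existing} | {""}
    results: List[Tuple[str, str]] = []
    for dn in adds:
        ndn = normalize(dn)
        if ndn in tree:
            results.append((dn, "entryAlreadyExists (68)"))
        elif parent_dn(dn) in tree:
            tree.add(ndn)
            results.append((dn, "ok"))
        else:
            results.append((dn, "noSuchObject (32), matched DN: " + matched_dn(dn, tree)))
    return results


def order_adds(adds: Iterable[str], existing: Iterable[str]) -> Tuple[List[str], List[str]]:
    """Stable reorder so parents precede children. Returns (ordered, unresolvable).
    An add whose ancestor is neither pre-existing nor among the adds stays unresolvable,
    which is what a bootstrap step missing from the sequence looks like."""
    tree: Set[str] = {normalize(d) for d in existing} | {""}
    pending = list(adds)
    ordered: List[str] = []
    progress = True
    while pending and progress:
        progress = False
        still: List[str] = []
        for dn in pending:
            if parent_dn(dn) in tree:
                tree.add(normalize(dn))
                ordered.append(dn)
                progress = True
            else:
                still.append(dn)
        pending = still
    return ordered, pending


if __name__ == "__main__":
    for dn, outcome in dry_run_adds(ADDS_AS_RUN, [SUFFIX]):
        print(outcome, "<-", dn)
    ordered, unresolved = order_adds(ADDS_AS_RUN, [SUFFIX])
    print("reordered:", ordered)
    print("unresolvable:", unresolved)
```

Run as-is, the dry run reproduces the quoted failure for the template entry (result 32 with the suffix as matched DN) while the two later adds succeed, and the reordered list puts cn=etc first; an entry whose parent is created by no step at all is returned in the unresolvable list, which is the condition to check for before an installer writes to the directory.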
From: mkosek at redhat.com (Martin Kosek)
Date: Fri, 14 Jan 2011 13:56:10 +0100
Subject: [Freeipa-devel] [PATCH] Mozldap-specific code removed
Message-ID: <1295009770.22946.3.camel@dhcp-25-52.brq.redhat.com>

IPA installation failed when mozldap-devel package was not installed. This patch solves this:

Mozldap code removed from all sources and configure source script. Now, IPA will compile even when package mozldap-devel is not installed on the system.

https://fedorahosted.org/freeipa/ticket/756

Attachment: mkosek-freeipa-014-mozldap-specific-code-removed.patch (text/x-patch, 6632 bytes)

From: jzeleny at redhat.com (Jan Zelený)
Date: Fri, 14 Jan 2011 13:58:55 +0100
Subject: [Freeipa-devel] [PATCH] Changed dns permission types
In-Reply-To: <4D2DD454.9060901@redhat.com>
References: <201101071805.18499.jzeleny@redhat.com> <4D2DD454.9060901@redhat.com>
Message-ID: <201101141358.55418.jzeleny@redhat.com>

Rob Crittenden wrote:
> Jan Zelený wrote:
> > Recent change of DNS module to version caused that dns object type
> > was replaced by dnszone and dnsrecord. This patch corrects dns types
> > in permissions class.
> >
> > https://fedorahosted.org/freeipa/ticket/646
>
> Nack. These values need to be added as valid types to the aci plugin and
> the _type_map needs to be updated.
>
> rob

I'm sending an updated patch.

Jan

Attachment: jzeleny-freeipa-0021-2-Changed-dns-permission-types.patch (text/x-patch, 2574 bytes)
From: sgallagh at redhat.com (Stephen Gallagher)
Date: Fri, 14 Jan 2011 08:00:40 -0500
Subject: [Freeipa-devel] Dropping support for Fedora 13
In-Reply-To: <4D2E6429.80400@redhat.com>
References: <4D2E3006.2020808@redhat.com> <20110112230657.GA30044@redhat.com> <4D2E6429.80400@redhat.com>
Message-ID: <4D3048F8.1040203@redhat.com>

On 01/12/2011 09:32 PM, Rob Crittenden wrote:
> Nalin Dahyabhai wrote:
>> On Wed, Jan 12, 2011 at 05:49:42PM -0500, Rob Crittenden wrote:
>>> With the patch titled '674 drop build dep on mozlap' freeipa v2 will
>>> no longer build on Fedora 13.
>>
>> So just to be clear, we should stop trying to build git snapshot builds
>> on f13? If so, is this for everything, just the freeipa package, or
>> something in between?
>>
>> Nalin
>
> I believe everything for F13 assuming nobody else is using our devel
> repo for other things.

Please leave the SSSD building for F13 for a while yet. We do have users playing with it there.

--
Stephen Gallagher
RHCE 804006346421761

Delivering value year after year.
Red Hat ranks #1 in value among software vendors.
http://www.redhat.com/promo/vendor/
From: jhrozek at redhat.com (Jakub Hrozek)
Date: Fri, 14 Jan 2011 14:03:12 +0100
Subject: [Freeipa-devel] [PATCH] 0052 Remove obsolete radius stuff
In-Reply-To: <20110113185304.4ff380c5@willson.li.ssimo.org>
References: <20110113185304.4ff380c5@willson.li.ssimo.org>
Message-ID: <4D304990.4060906@redhat.com>

On 01/14/2011 12:53 AM, Simo Sorce wrote:
>
> Ticket #761

I tested that the patch applies, builds, and the server installs.

-> Ack
From: jhrozek at redhat.com (Jakub Hrozek)
Date: Fri, 14 Jan 2011 14:59:22 +0100
Subject: [Freeipa-devel] [PATCH] Mozldap-specific code removed
In-Reply-To: <1295009770.22946.3.camel@dhcp-25-52.brq.redhat.com>
References: <1295009770.22946.3.camel@dhcp-25-52.brq.redhat.com>
Message-ID: <4D3056BA.5030907@redhat.com>

On 01/14/2011 01:56 PM, Martin Kosek wrote:
> IPA installation failed when mozldap-devel package was not installed.
> This patch solves this:
>
> Mozldap code removed from all sources and configure source script.
> Now, IPA will compile even when package mozldap-devel is not
> installed on the system.
>
> https://fedorahosted.org/freeipa/ticket/756

Martin, I could not reproduce your build failure with the current master without the mozldap-devel package and I tried even in mock. But the patch looks good to me. I tested it with a scratch koji build:

http://koji.fedoraproject.org/koji/taskinfo?taskID=2721123

So even though the mozldap code removal ticket is not targeted for January, I think I can safely Ack it.
From: ayoung at redhat.com (Adam Young)
Date: Fri, 14 Jan 2011 09:14:15 -0500
Subject: [Freeipa-devel] [PATCH] Certificate and Kerberos key status adjustments.
In-Reply-To: <4D2FB8C9.2020104@redhat.com>
References: <4D2EE239.3050409@redhat.com> <4D2FA975.7040904@redhat.com> <4D2FB8C9.2020104@redhat.com>
Message-ID: <4D305A37.9010009@redhat.com>

On 01/13/2011 09:45 PM, Endi Sukma Dewata wrote:
> On 1/14/2011 8:40 AM, Adam Young wrote:
>>> The attached patch should fix item #4 and #5 of this bug:
>>> https://fedorahosted.org/freeipa/ticket/670
>>>
>>> The OTP field has been moved into a separate row to avoid line
>>> wrapping. The line height inside tables has been increased to
>>> avoid overlapping buttons in certificate status panel.
>
>> NACK. The CSS line height will affect all tables, not just the ones in
>> SUDO and HBAC
>
> I changed the code to limit the CSS line height to certificate and
> Kerberos key status tables only. Thanks.

ACK

From: nalin at redhat.com (Nalin Dahyabhai)
Date: Fri, 14 Jan 2011 09:40:53 -0500
Subject: [Freeipa-devel] Dropping support for Fedora 13
In-Reply-To: <4D3048F8.1040203@redhat.com>
References: <4D2E3006.2020808@redhat.com> <20110112230657.GA30044@redhat.com> <4D2E6429.80400@redhat.com> <4D3048F8.1040203@redhat.com>
Message-ID: <20110114144053.GA8524@redhat.com>

On Fri, Jan 14, 2011 at 08:00:40AM -0500, Stephen Gallagher wrote:
> Please leave the SSSD building for F13 for a while yet. We do have users
> playing with it there.

Ok. Just ipa itself, then.

Nalin
From: ssorce at redhat.com (Simo Sorce)
Date: Fri, 14 Jan 2011 09:49:51 -0500
Subject: [Freeipa-devel] [PATCH] 0051 Move mep template under cn=etc
In-Reply-To: <4D3041DA.2030508@redhat.com>
References: <20110113185222.27e6cddd@willson.li.ssimo.org> <4D303ABE.2080802@redhat.com> <4D3041DA.2030508@redhat.com>
Message-ID: <20110114094951.2c4acbbc@willson.li.ssimo.org>

On Fri, 14 Jan 2011 13:30:18 +0100 Jakub Hrozek wrote:
> On 01/14/2011 12:59 PM, Jakub Hrozek wrote:
> > On 01/14/2011 12:52 AM, Simo Sorce wrote:
> >
> >> Ticket #760
> >
> > Ack
>
> Sorry, I have to withdraw my ack. I'm getting an installation error
> with this patch:
>
> -----------------------------------------------------------------
> 2011-01-14 07:25:13,490 INFO stdout=add objectclass:
>         mepTemplateEntry
> add cn:
>         NGP HGP Template
> add mepRDNAttr:
>         cn
> add mepStaticAttr:
>         ipaUniqueId: autogenerate
>         objectclass: ipanisnetgroup
>         objectclass: ipaobject
>         nisDomainName: idm.lab.bos.redhat.com
> add mepMappedAttr:
>         cn: $cn
>         memberHost: $dn
>         description: ipaNetgroup $cn
> adding new entry "cn=NGP HGP Template,cn=etc,dc=idm,dc=lab,dc=bos,dc=redhat,dc=com"
>
> 2011-01-14 07:25:13,490 INFO stderr=ldap_initialize( ldap://vm-061.idm.lab.bos.redhat.com )
> ldap_add: No such object (32)
>         matched DN: dc=idm,dc=lab,dc=bos,dc=redhat,dc=com
>
> 2011-01-14 07:25:13,490 CRITICAL Failed to load host_nis_groups.ldif:
> Command '/usr/bin/ldapmodify -h vm-061.idm.lab.bos.redhat.com -v -f
> /tmp/tmpQdQTOE -x -D cn=Directory Manager -y /tmp/tmpoMHTnX' returned
> non-zero exit status 32
> -----------------------------------------------------------------
>
> Since it didn't even match cn=etc, it looks like this step was run
> before the bootstrapping step?

Thanks for catching this one.
Attached a patch that moves templates creation after we bootstrap and create cn=etc.
As a nice side effect the mep entry for admin is not created (we want it that way as we already have the admins group).

Simo.

--
Simo Sorce * Red Hat, Inc * New York

Attachment: freeipa-simo-0051-2-Move-mep-templates-under-cn-etc.patch (text/x-patch, 3502 bytes)

From: rcritten at redhat.com (Rob Crittenden)
Date: Fri, 14 Jan 2011 09:51:23 -0500
Subject: [Freeipa-devel] [PATCH] 677 don't allow search time limit of 0
In-Reply-To: <20110113144036.38fc8ebc@willson.li.ssimo.org>
References: <4D2F411D.4030204@redhat.com> <20110113144036.38fc8ebc@willson.li.ssimo.org>
Message-ID: <4D3062EB.8040700@redhat.com>

Simo Sorce wrote:
> On Thu, 13 Jan 2011 13:14:53 -0500 Rob Crittenden wrote:
>
>> python-ldap fails gloriously if the search time limit is 0. Don't
>> allow it.
>>
>> Don't allow the time limit to be set in the API. Also add a failsafe
>> in the ldap driver because such bad things happen if this value is 0.
>> I think it literally spends 0 time on the request and just returns
>> immediately.
>>
>> ticket 752
>
> ACK.
>
> Simo.

pushed to master

From: rcritten at redhat.com (Rob Crittenden)
Date: Fri, 14 Jan 2011 09:51:31 -0500
Subject: [Freeipa-devel] [PATCH] 678 set min version of dogtag
In-Reply-To: <4D2F549A.5030803@redhat.com>
References: <4D2F4CD4.1080102@redhat.com> <4D2F549A.5030803@redhat.com>
Message-ID: <4D3062F3.1000100@redhat.com>

Adam Young wrote:
> On 01/13/2011 02:04 PM, Rob Crittenden wrote:
>> Bump minimum required version of dogtag up to 9.
>>
>> ticket 763
>>
>> rob
> ACK

pushed to master
From: rcritten at redhat.com (Rob Crittenden)
Date: Fri, 14 Jan 2011 09:53:33 -0500
Subject: [Freeipa-devel] [PATCH] Fixed typo in ipa help service command.
In-Reply-To: <20110113151118.6b8070f5@willson.li.ssimo.org>
References: <4D2F5642.4030308@redhat.com> <20110113151118.6b8070f5@willson.li.ssimo.org>
Message-ID: <4D30636D.7010808@redhat.com>

Simo Sorce wrote:
> On Fri, 14 Jan 2011 01:15:06 +0530 Gowrishankar Rajaiyan wrote:
>
> ACK,
> Simo.

pushed to master

From: rcritten at redhat.com (Rob Crittenden)
Date: Fri, 14 Jan 2011 09:56:35 -0500
Subject: [Freeipa-devel] Fixed mod_nss
In-Reply-To: <4D2F7D7A.6070200@redhat.com>
References: <4D2DFE94.6080309@redhat.com> <4D2F6936.8050607@redhat.com> <4D2F7D7A.6070200@redhat.com>
Message-ID: <4D306423.9040503@redhat.com>

Adam Young wrote:
> On 01/13/2011 04:05 PM, Jenny Galipeau wrote:
>> Adam Young wrote:
>>> http://koji.fedoraproject.org/koji/buildinfo?buildID=213857
>>>
>>> See spec change log. This should deal with the mod-rewrite issue.
>> Adam:
>> Is this fix in ... I am not seeing the issue today?
>> Thanks
>> Jenny
>
> No idea. Rob?

It is fixed in mod_nss-1.0.8-10 which is in updates-testing.

rob
From: jhrozek at redhat.com (Jakub Hrozek)
Date: Fri, 14 Jan 2011 16:01:28 +0100
Subject: [Freeipa-devel] [PATCH] 0051 Move mep template under cn=etc
In-Reply-To: <20110114094951.2c4acbbc@willson.li.ssimo.org>
References: <20110113185222.27e6cddd@willson.li.ssimo.org> <4D303ABE.2080802@redhat.com> <4D3041DA.2030508@redhat.com> <20110114094951.2c4acbbc@willson.li.ssimo.org>
Message-ID: <4D306548.5060609@redhat.com>

On 01/14/2011 03:49 PM, Simo Sorce wrote:
> On Fri, 14 Jan 2011 13:30:18 +0100 Jakub Hrozek wrote:
>> On 01/14/2011 12:59 PM, Jakub Hrozek wrote:
>>> On 01/14/2011 12:52 AM, Simo Sorce wrote:
>>>
>>>> Ticket #760
>>>
>>> Ack
>>
>> Sorry, I have to withdraw my ack. I'm getting an installation error
>> with this patch:
>>
>> -----------------------------------------------------------------
>> 2011-01-14 07:25:13,490 INFO stdout=add objectclass:
>>         mepTemplateEntry
>> add cn:
>>         NGP HGP Template
>> add mepRDNAttr:
>>         cn
>> add mepStaticAttr:
>>         ipaUniqueId: autogenerate
>>         objectclass: ipanisnetgroup
>>         objectclass: ipaobject
>>         nisDomainName: idm.lab.bos.redhat.com
>> add mepMappedAttr:
>>         cn: $cn
>>         memberHost: $dn
>>         description: ipaNetgroup $cn
>> adding new entry "cn=NGP HGP Template,cn=etc,dc=idm,dc=lab,dc=bos,dc=redhat,dc=com"
>>
>> 2011-01-14 07:25:13,490 INFO stderr=ldap_initialize( ldap://vm-061.idm.lab.bos.redhat.com )
>> ldap_add: No such object (32)
>>         matched DN: dc=idm,dc=lab,dc=bos,dc=redhat,dc=com
>>
>> 2011-01-14 07:25:13,490 CRITICAL Failed to load host_nis_groups.ldif:
>> Command '/usr/bin/ldapmodify -h vm-061.idm.lab.bos.redhat.com -v -f
>> /tmp/tmpQdQTOE -x -D cn=Directory Manager -y /tmp/tmpoMHTnX' returned
>> non-zero exit status 32
>> -----------------------------------------------------------------
>>
>> Since it didn't even match cn=etc, it looks like this step was run
>> before the bootstrapping step?
>
> Thanks for catching this one.
> Attached a patch that moves templates creation after we bootstrap and
> create cn=etc.
>
> As a nice side effect the mep entry for admin is not created (we want
> it that way as we already have the admins group).
>
> Simo.
>

Ack

From ayoung at redhat.com Fri Jan 14 16:26:34 2011
From: ayoung at redhat.com (Adam Young)
Date: Fri, 14 Jan 2011 11:26:34 -0500
Subject: [Freeipa-devel] [PATCH] admiyo-0141-spinning-wheel.
In-Reply-To: <4D30056D.5020708@redhat.com>
References: <4D2F53EF.5000307@redhat.com> <4D30056D.5020708@redhat.com>
Message-ID: <4D30793A.7070600@redhat.com>

On 01/14/2011 03:12 AM, Endi Sukma Dewata wrote:
> On 1/14/2011 2:35 AM, Adam Young wrote:
>>
>
> Mostly fine except these minor things:
>
> 1. Every time you click Update on details facet the primary key will
> be prepended to the header. See details.js:664:
>
> $('h1',that.container).prepend(that.pkey);
>
> 2. The hide_activity_icon() invocations in the following methods:
> - ajax_error_handler()
> - http_error_handler()
> - ipa_error_handler()
> are unnecessary because it's been invoked earlier by success_handler
> or error_handler.
>

Updated

-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-admiyo-0141-2-spinning-wheel.patch
Type: text/x-patch
Size: 24646 bytes
Desc: not available

From edewata at redhat.com Fri Jan 14 16:47:57 2011
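The "No such object (32)" failure in the "0051 Move mep template under cn=etc" thread above is a load-order problem: the template's parent, cn=etc, did not exist yet, and the server's matched DN shows exactly how far down the tree it got. The pre-flight check below is an added example written for this page, not FreeIPA installer code; the suffix, the two LDIF records and their attribute values are constructed to mirror the log quoted in the thread.

```python
"""Pre-flight check for an LDIF load: does the parent of every entry that
is about to be added already exist?  Added example, not FreeIPA code."""
import re

# Constructed sample data, modelled on the DNs quoted in the thread.
SUFFIX = "dc=idm,dc=lab,dc=bos,dc=redhat,dc=com"

BOOTSTRAP_LDIF = """\
dn: cn=etc,dc=idm,dc=lab,dc=bos,dc=redhat,dc=com
changetype: add
objectclass: nsContainer
cn: etc
"""

# The dn line is folded over two lines, as LDIF allows.
TEMPLATE_LDIF = """\
dn: cn=NGP HGP Template,cn=etc,dc=idm,dc=lab,dc=bos,
 dc=redhat,dc=com
changetype: add
objectclass: mepTemplateEntry
cn: NGP HGP Template
mepRDNAttr: cn
mepMappedAttr: cn: $cn
"""


def split_dn(dn):
    """Split a DN into RDNs on unescaped commas (not a full RFC 4514 parser)."""
    return [part.strip() for part in re.split(r"(?<!\\),", dn)]


def normalize(dn):
    """Case-fold and strip so 'CN=Etc, DC=x' and 'cn=etc,dc=x' compare equal."""
    return ",".join(part.lower() for part in split_dn(dn))


def parent_dn(dn):
    parts = split_dn(dn)
    return ",".join(parts[1:]) if len(parts) > 1 else ""


def parse_ldif(text):
    """Yield (dn, changetype) per record; folded lines are unfolded first."""
    for record in re.split(r"\n\s*\n", text.strip()):
        lines = []
        for raw in record.splitlines():
            if raw.startswith(" ") and lines:      # LDIF continuation line
                lines[-1] += raw[1:]
            elif not raw.startswith("#"):
                lines.append(raw)
        attrs = {}
        for line in lines:
            name, sep, value = line.partition(":")
            if sep and name.lower() in ("dn", "changetype"):
                attrs[name.lower()] = value.strip()
        if "dn" in attrs:
            yield attrs["dn"], attrs.get("changetype", "add")


def matched_dn(dn, existing):
    """Longest existing ancestor of dn, like matchedDN in a noSuchObject result."""
    parts = split_dn(dn)
    for i in range(1, len(parts)):
        ancestor = ",".join(parts[i:])
        if normalize(ancestor) in existing:
            return ancestor
    return ""


def check_ldif(text, existing_dns):
    """Return [(dn, matched_dn)] for add records whose parent would be missing.

    Entries added earlier in the same text count as existing, so the check
    also confirms that a corrected order (bootstrap first) is consistent.
    """
    existing = {normalize(d) for d in existing_dns}
    failures = []
    for dn, changetype in parse_ldif(text):
        if changetype != "add":
            continue        # only adds need a parent; mods need the entry itself
        parent = parent_dn(dn)
        if parent and normalize(parent) not in existing:
            failures.append((dn, matched_dn(dn, existing)))
        else:
            existing.add(normalize(dn))
    return failures


if __name__ == "__main__":
    # Template loaded before bootstrap: fails exactly as in the thread.
    for dn, matched in check_ldif(TEMPLATE_LDIF, [SUFFIX]):
        print("ldap_add: No such object (32)")
        print("  dn: %s" % dn)
        print("  matched DN: %s" % matched)
    # Bootstrap first, then the template: nothing to report.
    print(check_ldif(BOOTSTRAP_LDIF + "\n" + TEMPLATE_LDIF, [SUFFIX]))
```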
From: edewata at redhat.com (Endi Sukma Dewata)
Date: Fri, 14 Jan 2011 23:47:57 +0700
Subject: [Freeipa-devel] [PATCH] admiyo-0141-spinning-wheel.
In-Reply-To: <4D30793A.7070600@redhat.com>
References: <4D2F53EF.5000307@redhat.com> <4D30056D.5020708@redhat.com> <4D30793A.7070600@redhat.com>
Message-ID: <4D307E3D.4040104@redhat.com>

On 1/14/2011 11:26 PM, Adam Young wrote:
> Updated

ACK and pushed to master.

--
Endi S. Dewata

From ayoung at redhat.com Fri Jan 14 17:49:01 2011
From: ayoung at redhat.com (Adam Young)
Date: Fri, 14 Jan 2011 12:49:01 -0500
Subject: [Freeipa-devel] [PATCH] admiyo-0144-lint-clean
Message-ID: <4D308C8D.8060203@redhat.com>

-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-admiyo-0144-lint-clean.patch
Type: text/x-patch
Size: 40649 bytes
Desc: not available

From ayoung at redhat.com Fri Jan 14 17:54:59 2011
From: ayoung at redhat.com (Adam Young)
Date: Fri, 14 Jan 2011 12:54:59 -0500
Subject: [Freeipa-devel] [PATCH] admiyo-0144-lint-clean
In-Reply-To: <4D308C8D.8060203@redhat.com>
References: <4D308C8D.8060203@redhat.com>
Message-ID: <4D308DF3.8090801@redhat.com>

On 01/14/2011 12:49 PM, Adam Young wrote:
>
>
> _______________________________________________
> Freeipa-devel mailing list
> Freeipa-devel at redhat.com
> https://www.redhat.com/mailman/listinfo/freeipa-devel

Rebased.

-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-admiyo-0144-2-lint-clean.patch
Type: text/x-patch
Size: 40426 bytes
Desc: not available

From ayoung at redhat.com Fri Jan 14 18:21:29 2011
From: ayoung at redhat.com (Adam Young)
Date: Fri, 14 Jan 2011 13:21:29 -0500
Subject: [Freeipa-devel] [PATCH] admiyo-0145-null-pkey
Message-ID: <4D309429.2080200@redhat.com>

-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-admiyo-0145-null-pkey.patch
Type: text/x-patch
Size: 1789 bytes
Desc: not available

From rcritten at redhat.com Fri Jan 14 18:35:04 2011
From: rcritten at redhat.com (Rob Crittenden)
Date: Fri, 14 Jan 2011 13:35:04 -0500
Subject: [Freeipa-devel] [PATCH] 0050 Move virtual operations container
In-Reply-To: <20110113185151.1d1a3d0e@willson.li.ssimo.org>
References: <20110113185151.1d1a3d0e@willson.li.ssimo.org>
Message-ID: <4D309758.9020800@redhat.com>

Simo Sorce wrote:
>
> See ticket #759
>
> Simo.
>

ack

From adam at younglogic.com Fri Jan 14 18:38:43 2011
From: adam at younglogic.com (Adam Young)
Date: Fri, 14 Jan 2011 13:38:43 -0500
Subject: [Freeipa-devel] [PATCH] admiyo-0146-hide-unselectable-option
Message-ID: <4D309833.70203@younglogic.com>

-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-admiyo-0146-hide-unselectable-options.patch
Type: text/x-patch
Size: 1767 bytes
Desc: not available

From kybaker at redhat.com Fri Jan 14 18:39:15 2011
From: kybaker at redhat.com (Kyle Baker)
Date: Fri, 14 Jan 2011 13:39:15 -0500 (EST)
Subject: [Freeipa-devel] [PATCH] admiyo-0146-hide-unselectable-option
In-Reply-To: <4D309833.70203@younglogic.com>
Message-ID: <423939200.94268.1295030355345.JavaMail.root@zmail05.collab.prod.int.phx2.redhat.com>

ACK, Run it.

----- Original Message -----
>

-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-admiyo-0146-hide-unselectable-options.patch
Type: text/x-patch
Size: 1767 bytes
Desc: not available

From ayoung at redhat.com Fri Jan 14 18:57:55 2011
From: ayoung at redhat.com (Adam Young)
Date: Fri, 14 Jan 2011 13:57:55 -0500
Subject: [Freeipa-devel] [PATCH] admiyo-0146-hide-unselectable-option
In-Reply-To: <423939200.94268.1295030355345.JavaMail.root@zmail05.collab.prod.int.phx2.redhat.com>
References: <423939200.94268.1295030355345.JavaMail.root@zmail05.collab.prod.int.phx2.redhat.com>
Message-ID: <4D309CB3.1040704@redhat.com>

On 01/14/2011 01:39 PM, Kyle Baker wrote:
> ACK, Run it.
>
> ----- Original Message -----
>>

Pushed to master

From ssorce at redhat.com Fri Jan 14 19:08:00 2011
From: ssorce at redhat.com (Simo Sorce)
Date: Fri, 14 Jan 2011 14:08:00 -0500
Subject: [Freeipa-devel] [PATCH-SET] 0044-0048 Use SASL/GSSAPI for replication agreements
In-Reply-To: <4D30390D.6000504@redhat.com>
References: <20110112144532.2535bec0@willson.li.ssimo.org> <4D2F5031.2080606@redhat.com> <20110113151956.6b2bf626@willson.li.ssimo.org> <4D30390D.6000504@redhat.com>
Message-ID: <20110114140800.645df746@willson.li.ssimo.org>

On Fri, 14 Jan 2011 12:52:45 +0100
Jakub Hrozek wrote:

> Ack
>
> Although probably after yesterday's patches I had to do a 3-way merge
> on patch #47, so please check it merges OK.

Rebased and pushed to master all 5 patches.

Simo.

--
Simo Sorce * Red Hat, Inc * New York

From ssorce at redhat.com Fri Jan 14 19:08:29 2011
From: ssorce at redhat.com (Simo Sorce)
Date: Fri, 14 Jan 2011 14:08:29 -0500
Subject: [Freeipa-devel] [PATCH] 0051 Move mep template under cn=etc
In-Reply-To: <4D306548.5060609@redhat.com>
References: <20110113185222.27e6cddd@willson.li.ssimo.org> <4D303ABE.2080802@redhat.com> <4D3041DA.2030508@redhat.com> <20110114094951.2c4acbbc@willson.li.ssimo.org> <4D306548.5060609@redhat.com>
Message-ID: <20110114140829.78186bf3@willson.li.ssimo.org>

On Fri, 14 Jan 2011 16:01:28 +0100
Jakub Hrozek wrote:

> > Thanks for catching this one.
> > Attached a patch that moves templates creation after we bootstrap
> > and create cn=etc.
> >
> > As a nice side effect the mep entry for admin is not created (we
> > want it that way as we already have the admins group).
> >
> > Simo.
> >
>
> Ack

Pushed to master.

Simo.

--
Simo Sorce * Red Hat, Inc * New York

From ssorce at redhat.com Fri Jan 14 19:08:46 2011
From: ssorce at redhat.com (Simo Sorce)
Date: Fri, 14 Jan 2011 14:08:46 -0500
Subject: [Freeipa-devel] [PATCH] 0052 Remove obsolete radius stuff
In-Reply-To: <4D304990.4060906@redhat.com>
References: <20110113185304.4ff380c5@willson.li.ssimo.org> <4D304990.4060906@redhat.com>
Message-ID: <20110114140846.31caa9a7@willson.li.ssimo.org>

On Fri, 14 Jan 2011 14:03:12 +0100
Jakub Hrozek wrote:

> On 01/14/2011 12:53 AM, Simo Sorce wrote:
> >
> > Ticket #761
> >
>
> I tested that the patch applies, builds, and the server installs.
>
> -> Ack
>

Thanks, pushed to master.

Simo.

--
Simo Sorce * Red Hat, Inc * New York

From ssorce at redhat.com Fri Jan 14 19:09:05 2011
From: ssorce at redhat.com (Simo Sorce)
Date: Fri, 14 Jan 2011 14:09:05 -0500
Subject: [Freeipa-devel] [PATCH] Remove dependency on nss_ldap
In-Reply-To: <4D2F9CC4.40308@redhat.com>
References: <20110113185337.3af092fb@willson.li.ssimo.org> <4D2F9CC4.40308@redhat.com>
Message-ID: <20110114140905.025993eb@willson.li.ssimo.org>

On Thu, 13 Jan 2011 19:45:56 -0500
Adam Young wrote:

> On 01/13/2011 06:53 PM, Simo Sorce wrote:
> > Ticket #757
> >
> ACK

Pushed to master.

Simo.

--
Simo Sorce * Red Hat, Inc * New York

From ssorce at redhat.com Fri Jan 14 19:17:06 2011
From: ssorce at redhat.com (Simo Sorce)
Date: Fri, 14 Jan 2011 14:17:06 -0500
Subject: [Freeipa-devel] [PATCH] bind-dyndb-ldap: Don't leave empty nodes in LDAP after DDNS update
In-Reply-To: <4D2DF28C.80701@redhat.com>
References: <20110112123712.GA9635@evileye.atkac.brq.redhat.com> <4D2DEFC8.10604@redhat.com> <20110112182549.GA28677@evileye.atkac.brq.redhat.com> <4D2DF28C.80701@redhat.com>
Message-ID: <20110114141706.5ed95eb9@willson.li.ssimo.org>

On Wed, 12 Jan 2011 13:27:24 -0500
Stephen Gallagher wrote:

> On 01/12/2011 01:25 PM, Adam Tkac wrote:
> > On Wed, Jan 12, 2011 at 01:15:36PM -0500, Stephen Gallagher wrote:
> >> Nack.
> >>
> >> Your prototype for ldap_modify_do() includes 'isc_result_t
> >> delete_node', but the actual implementation expects 'isc_boolean_t
> >> delete_node'. I'm guessing that by coincidence these typedefs are
> >> the same primitive type, but I'd rather they both use
> >> isc_boolean_t which is more correct.
> >>
> >> Otherwise it looks good to me.
> >
> > Good catch! Fixed patch is attached.
> >
> > Regards, Adam
> >
>
> Ack

This one was pushed.

Simo.

--
Simo Sorce * Red Hat, Inc * New York

From ayoung at redhat.com Fri Jan 14 19:20:07 2011
From: ayoung at redhat.com (Adam Young)
Date: Fri, 14 Jan 2011 14:20:07 -0500
Subject: [Freeipa-devel] [PATCH] admiyo-0127-add-missing-files-in-rpm
In-Reply-To: <4D2587D0.9030502@redhat.com>
References: <4D24CD19.8000503@redhat.com> <4D2587D0.9030502@redhat.com>
Message-ID: <4D30A1E7.3060803@redhat.com>

On 01/06/2011 04:13 AM, Pavel Zůna wrote:
> On 2011-01-05 20:57, Adam Young wrote:
>> Had to move some files around, and added to both Makefile.am and
>> ipa.spec
>>
>>
>
> ACK.
>
> Pavel
>

Pushed to master

From ssorce at redhat.com Fri Jan 14 19:28:05 2011
From: ssorce at redhat.com (Simo Sorce)
Date: Fri, 14 Jan 2011 14:28:05 -0500
Subject: [Freeipa-devel] [PATCH] 671 ensure replica server exists in DNS
In-Reply-To: <20110110172522.4f3f122c@willson.li.ssimo.org>
References: <4D2B54D7.3000101@redhat.com> <20110110143253.13f34dce@willson.li.ssimo.org> <4D2B85D5.2080605@redhat.com> <20110110172522.4f3f122c@willson.li.ssimo.org>
Message-ID: <20110114142805.76e416bf@willson.li.ssimo.org>

On Mon, 10 Jan 2011 17:25:22 -0500
Simo Sorce wrote:

> On Mon, 10 Jan 2011 17:19:01 -0500
> Rob Crittenden wrote:
>
> > Simo Sorce wrote:
> > > Nack,
> > > if you pass --ip-address you are going to test for existence of
> > > the DNS record before actually creating it therefore always
> > > failing the check.
> > >
> > > Simo.
> > >
> >
> > Ok, use the existing verify_fqdn() method instead of calling the
> > API.
> >
> > I left the dns_resolve() change so it isn't IPv4-specific.
>
> Ok, ACK.

Sorry this one needs a rebase now, and I wonder if you should
coordinate with Jakub and his 037/038 patches.

Simo.

--
Simo Sorce * Red Hat, Inc * New York

From ssorce at redhat.com Fri Jan 14 19:30:13 2011
From: ssorce at redhat.com (Simo Sorce)
Date: Fri, 14 Jan 2011 14:30:13 -0500
Subject: [Freeipa-devel] [PATCH] 676 drop /usr/bin/env from our scripts
In-Reply-To: <4D2F521D.6030505@redhat.com>
References: <4D2F364D.7000605@redhat.com> <4D2F521D.6030505@redhat.com>
Message-ID: <20110114143013.289a303c@willson.li.ssimo.org>

On Thu, 13 Jan 2011 14:27:25 -0500
Adam Young wrote:

> On 01/13/2011 12:28 PM, Rob Crittenden wrote:
> > Execute /usr/bin/python directly instead of calling /usr/bin/env
> > python.
> >
> > ticket 608
> >
> > This depends on ticket 674 to be applied first.
> >
> ACK

pushed to master.

Simo.

--
Simo Sorce * Red Hat, Inc * New York

From ssorce at redhat.com Fri Jan 14 19:30:29 2011
From: ssorce at redhat.com (Simo Sorce)
Date: Fri, 14 Jan 2011 14:30:29 -0500
Subject: [Freeipa-devel] [PATCH] 674 add API version
In-Reply-To: <20110113152328.085431e5@willson.li.ssimo.org>
References: <4D2DD0D3.1050206@redhat.com> <20110112141920.062b5002@willson.li.ssimo.org> <4D2E1F92.8060200@redhat.com> <4D2E2868.2050808@redhat.com> <4D2F2D40.8040208@redhat.com> <20110113142531.0e47fa82@willson.li.ssimo.org> <4D2F53D5.5@redhat.com> <20110113152328.085431e5@willson.li.ssimo.org>
Message-ID: <20110114143029.2be06a7a@willson.li.ssimo.org>

On Thu, 13 Jan 2011 15:23:28 -0500
Simo Sorce wrote:

> On Thu, 13 Jan 2011 14:34:45 -0500
> Rob Crittenden wrote:
>
> > Simo Sorce wrote:
> > > On Thu, 13 Jan 2011 11:50:08 -0500
> > > Rob Crittenden wrote:
> > >
> > >> Yet another new version. There are some new build deps since we
> > >> fire up ipalib during the build. These are the changes in
> > >> ipa.spec.in.
> > >>
> > >
> > > Sorry I have to NACK, it seems you squashed in a patch to change
> > > the python shebang into this one.
> > >
> > > Simo.
> > >
> >
> > Yeah, a git oops on my part. Updated patch attached. I diffed this
> > with the previous "good" patch, -4, and the only diff is a slightly
> > reformatted commit message and the addition of some buildrequires.
> >
> > rob
>
> ACK.

Pushed to master.

Simo.

--
Simo Sorce * Red Hat, Inc * New York

From ssorce at redhat.com Fri Jan 14 19:31:28 2011
From: ssorce at redhat.com (Simo Sorce)
Date: Fri, 14 Jan 2011 14:31:28 -0500
Subject: [Freeipa-devel] [PATCH] Unchecked return values in SLAPI plugins
In-Reply-To: <201101141056.34771.jzeleny@redhat.com>
References: <1294997620.22946.0.camel@dhcp-25-52.brq.redhat.com> <201101141056.34771.jzeleny@redhat.com>
Message-ID: <20110114143128.284e1ee2@willson.li.ssimo.org>

On Fri, 14 Jan 2011 10:56:34 +0100
Jan Zelený wrote:

> Martin Kosek wrote:
> > Return values weren't checked in several cases which could
> > have led to unhandled errors.
> >
> > https://fedorahosted.org/freeipa/ticket/722
>
> Ack
>
> Jan

Pushed to master.

Simo.

--
Simo Sorce * Red Hat, Inc * New York

From ssorce at redhat.com Fri Jan 14 19:31:46 2011
From: ssorce at redhat.com (Simo Sorce)
Date: Fri, 14 Jan 2011 14:31:46 -0500
Subject: [Freeipa-devel] [PATCH] Potential memory leaks in ipa-kpasswd
In-Reply-To: <20110113100940.GB3889@zeppelin.brq.redhat.com>
References: <1294834958.5765.30.camel@dhcp-25-52.brq.redhat.com> <1294835588.5765.32.camel@dhcp-25-52.brq.redhat.com> <20110113100940.GB3889@zeppelin.brq.redhat.com>
Message-ID: <20110114143146.7a3e1315@willson.li.ssimo.org>

On Thu, 13 Jan 2011 11:09:41 +0100
Jakub Hrozek wrote:

> > This patch fixes 2 situations where a pointer to allocated error
> > string could be overwritten - which could have resulted in
> > a memory leak.
> >
> > https://fedorahosted.org/freeipa/ticket/716
>
> Ack

Pushed to master.

Simo.

--
Simo Sorce * Red Hat, Inc * New York

From ssorce at redhat.com Fri Jan 14 19:31:59 2011
From: ssorce at redhat.com (Simo Sorce)
Date: Fri, 14 Jan 2011 14:31:59 -0500
Subject: [Freeipa-devel] [PATCH] Potential memory leaks in ipa-pwd-extop
In-Reply-To: <20110113083325.279dcc79@willson.li.ssimo.org>
References: <1294913987.5765.44.camel@dhcp-25-52.brq.redhat.com> <20110113083325.279dcc79@willson.li.ssimo.org>
Message-ID: <20110114143159.46df312c@willson.li.ssimo.org>

On Thu, 13 Jan 2011 08:33:25 -0500
Simo Sorce wrote:

> On Thu, 13 Jan 2011 11:19:47 +0100
> Martin Kosek wrote:
>
> > This patch fixes several potential memory leaks in ipa-pwd-extop
> > SLAPI plugin.
> >
> > Common function ipapwd_gen_hashes() now cleans after itself when
> > it fails. Other changes are local and self-explanatory.
> >
> > https://fedorahosted.org/freeipa/ticket/715
> >
>
> ACK,
> Simo.
>

Pushed to master.

Simo.

--
Simo Sorce * Red Hat, Inc * New York

From ssorce at redhat.com Fri Jan 14 19:32:17 2011
From: ssorce at redhat.com (Simo Sorce)
Date: Fri, 14 Jan 2011 14:32:17 -0500
Subject: [Freeipa-devel] [PATCH] Unitialized pointer read in ipa-join
In-Reply-To: <20110113083348.57c3c330@willson.li.ssimo.org>
References: <1294915809.5765.45.camel@dhcp-25-52.brq.redhat.com> <20110113083348.57c3c330@willson.li.ssimo.org>
Message-ID: <20110114143217.24257702@willson.li.ssimo.org>

On Thu, 13 Jan 2011 08:33:48 -0500
Simo Sorce wrote:

> On Thu, 13 Jan 2011 11:50:09 +0100
> Martin Kosek wrote:
>
> > This patch fixes a possible situation when krb5_kt_close()
> > function is called with uninitialized keytab parameter.
> >
> > https://fedorahosted.org/freeipa/ticket/712
> >
>
> ACK,
> Simo.

Pushed to master.

Simo.

--
Simo Sorce * Red Hat, Inc * New York

From ssorce at redhat.com Fri Jan 14 19:32:56 2011
From: ssorce at redhat.com (Simo Sorce)
Date: Fri, 14 Jan 2011 14:32:56 -0500
Subject: [Freeipa-devel] [PATCH] Potential memory leaks in ipa-getkeytab
In-Reply-To: <1294911741.5765.43.camel@dhcp-25-52.brq.redhat.com>
References: <1294838711.5765.33.camel@dhcp-25-52.brq.redhat.com> <4D2DAF67.8070505@redhat.com> <1294911741.5765.43.camel@dhcp-25-52.brq.redhat.com>
Message-ID: <20110114143256.1a469c3d@willson.li.ssimo.org>

On Thu, 13 Jan 2011 10:42:21 +0100
Martin Kosek wrote:

> On Wed, 2011-01-12 at 14:40 +0100, Jakub Hrozek wrote:
> >
> > On 01/12/2011 02:25 PM, Martin Kosek wrote:
> > > This patch fixes 2 situations where a pointer to allocated error
> > > string could be overwritten - which could have resulted in
> > > a memory leak.
> > >
> > > https://fedorahosted.org/freeipa/ticket/714
> > >
> >
> > Ack
>
> Just sending a reminder for this acked patch - it might have got lost
> in yesterday's push-spree.

Pushed to master.

Simo.

--
Simo Sorce * Red Hat, Inc * New York

From ssorce at redhat.com Fri Jan 14 21:21:47 2011
From: ssorce at redhat.com (Simo Sorce)
Date: Fri, 14 Jan 2011 16:21:47 -0500
Subject: [Freeipa-devel] [PATCH] 671 ensure replica server exists in DNS
In-Reply-To: <20110114142805.76e416bf@willson.li.ssimo.org>
References: <4D2B54D7.3000101@redhat.com> <20110110143253.13f34dce@willson.li.ssimo.org> <4D2B85D5.2080605@redhat.com> <20110110172522.4f3f122c@willson.li.ssimo.org> <20110114142805.76e416bf@willson.li.ssimo.org>
Message-ID: <20110114162147.03042a99@willson.li.ssimo.org>

On Fri, 14 Jan 2011 14:28:05 -0500
Simo Sorce wrote:

> On Mon, 10 Jan 2011 17:25:22 -0500
> Simo Sorce wrote:
>
> > On Mon, 10 Jan 2011 17:19:01 -0500
> > Rob Crittenden wrote:
> >
> > > Simo Sorce wrote:
> > > > Nack,
> > > > if you pass --ip-address you are going to test for existence of
> > > > the DNS record before actually creating it therefore always
> > > > failing the check.
> > > >
> > > > Simo.
> > > >
> > >
> > > Ok, use the existing verify_fqdn() method instead of calling the
> > > API.
> > >
> > > I left the dns_resolve() change so it isn't IPv4-specific.
> >
> > Ok, ACK.
>
> Sorry this one needs a rebase now, and I wonder if you should
> coordinate with Jakub and his 037/038 patches.
>
> Simo.
>

Ok apparently this was already pushed and that's why git am failed on me :-)

Case closed.

Simo.

--
Simo Sorce * Red Hat, Inc * New York

From ayoung at redhat.com Fri Jan 14 21:48:37 2011
From: ayoung at redhat.com (Adam Young)
Date: Fri, 14 Jan 2011 16:48:37 -0500
Subject: [Freeipa-devel] [PATCH] admiyo-0147-Details-to-Settings
Message-ID: <4D30C4B5.7090806@redhat.com>

-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-admiyo-0147-Details-to-Settings.patch
Type: text/x-patch
Size: 19903 bytes
Desc: not available

From rcritten at redhat.com Fri Jan 14 22:04:38 2011
From: rcritten at redhat.com (Rob Crittenden)
Date: Fri, 14 Jan 2011 17:04:38 -0500
Subject: [Freeipa-devel] [PATCH] 679 don't create ~./ipa when validating API
Message-ID: <4D30C876.9090702@redhat.com>

Loading the framework creates ~/.ipa to store logs, per-user config, etc.

We don't want this happening during a make, it's kinda creepy.

rob

-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-rcrit-679-make.patch
Type: text/x-patch
Size: 913 bytes
Desc: not available

From ssorce at redhat.com Fri Jan 14 22:11:29 2011
From: ssorce at redhat.com (Simo Sorce)
Date: Fri, 14 Jan 2011 17:11:29 -0500
Subject: [Freeipa-devel] [PATCH] 0054 Fix warnings during replica install
Message-ID: <20110114171129.532c15e7@willson.li.ssimo.org>

A recent patch of mine made warnings appear in replica installs.

Simo.

--
Simo Sorce * Red Hat, Inc * New York

-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-simo-0054-Fix-replica-installation-warnings.patch
Type: text/x-patch
Size: 1786 bytes
Desc: not available

From rcritten at redhat.com Fri Jan 14 22:24:30 2011
From: rcritten at redhat.com (Rob Crittenden)
Date: Fri, 14 Jan 2011 17:24:30 -0500
Subject: [Freeipa-devel] [PATCH] 0054 Fix warnings during replica install
In-Reply-To: <20110114171129.532c15e7@willson.li.ssimo.org>
References: <20110114171129.532c15e7@willson.li.ssimo.org>
Message-ID: <4D30CD1E.5050906@redhat.com>

Simo Sorce wrote:
>
> A recent patch of mine made warnings appear in replica installs.
>
> Simo.
>

ack

From ssorce at redhat.com Fri Jan 14 22:28:39 2011
From: ssorce at redhat.com (Simo Sorce)
Date: Fri, 14 Jan 2011 17:28:39 -0500
Subject: [Freeipa-devel] [PATCH] 037,038 Remove the original DNS plugin
In-Reply-To: <20110113100855.GA3889@zeppelin.brq.redhat.com>
References: <4D2E0751.7050108@redhat.com> <4D2E07D7.5090408@redhat.com> <20110112214038.GA4505@zeppelin.brq.redhat.com> <4D2ECCF8.9000309@redhat.com> <20110113100855.GA3889@zeppelin.brq.redhat.com>
Message-ID: <20110114172839.7e3c737c@willson.li.ssimo.org>

On Thu, 13 Jan 2011 11:08:57 +0100
Jakub Hrozek wrote:

> > Per Simo's advice, I deleted the old plugin in the first patch, now
> > the second one is just the rename. Looks much better now.
>
> And one more time, now with the correct patches attached.
>
> Sorry for all the noise on the list..

Ack and pushed to master together with the attached patch to fix the
API validation.

Simo.

--
Simo Sorce * Red Hat, Inc * New York

-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0001-Remove-old-DNS-plugin-commands-from-API-validation.patch
Type: text/x-patch
Size: 17935 bytes
Desc: not available

From ssorce at redhat.com Fri Jan 14 22:28:59 2011
From: ssorce at redhat.com (Simo Sorce)
Date: Fri, 14 Jan 2011 17:28:59 -0500
Subject: [Freeipa-devel] [PATCH] 679 don't create ~./ipa when validating API
In-Reply-To: <4D30C876.9090702@redhat.com>
References: <4D30C876.9090702@redhat.com>
Message-ID: <20110114172859.71fcf542@willson.li.ssimo.org>

On Fri, 14 Jan 2011 17:04:38 -0500
Rob Crittenden wrote:

> Loading the framework creates ~/.ipa to store logs, per-user config,
> etc.
>
> We don't want this happening during a make, it's kinda creepy.
>
> rob

Ack, pushed to master

Simo.

--
Simo Sorce * Red Hat, Inc * New York

From ssorce at redhat.com Fri Jan 14 22:29:17 2011
From: ssorce at redhat.com (Simo Sorce)
Date: Fri, 14 Jan 2011 17:29:17 -0500
Subject: [Freeipa-devel] [PATCH] 0054 Fix warnings during replica install
In-Reply-To: <4D30CD1E.5050906@redhat.com>
References: <20110114171129.532c15e7@willson.li.ssimo.org> <4D30CD1E.5050906@redhat.com>
Message-ID: <20110114172917.2939dbb4@willson.li.ssimo.org>

On Fri, 14 Jan 2011 17:24:30 -0500
Rob Crittenden wrote:

> Simo Sorce wrote:
> >
> > A recent patch of mine made warnings appear in replica installs.
> >
> > Simo.
> >
>
> ack

Thanks, pushed to master.

Simo.

--
Simo Sorce * Red Hat, Inc * New York

From ssorce at redhat.com Fri Jan 14 22:30:23 2011
From: ssorce at redhat.com (Simo Sorce)
Date: Fri, 14 Jan 2011 17:30:23 -0500
Subject: [Freeipa-devel] [PATCH] 0055 Consolidate sudo data in one subtree
Message-ID: <20110114173023.5a3bd366@willson.li.ssimo.org>

Put all sudo data except the legacy ou=SUDOers into the cn=sudo subtree.

Ticket: #773

Simo.

--
Simo Sorce * Red Hat, Inc * New York

-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-simo-0055-Move-sudo-related-data-all-under-cn-sudo.patch
Type: text/x-patch
Size: 31073 bytes
Desc: not available

From dpal at redhat.com Fri Jan 14 22:33:31 2011
From: dpal at redhat.com (Dmitri Pal)
Date: Fri, 14 Jan 2011 17:33:31 -0500
Subject: [Freeipa-devel] [PATCH] 0055 Consolidate sudo data in one subtree
In-Reply-To: <20110114173023.5a3bd366@willson.li.ssimo.org>
References: <20110114173023.5a3bd366@willson.li.ssimo.org>
Message-ID: <4D30CF3B.5060806@redhat.com>

Simo Sorce wrote:
> Put all sudo data except the legacy ou=SUDOers into the cn=sudo subtree.
>
> Ticket: #773
>
> Simo.
>

Does it include the compat plugin configuration?

--
Thank you,
Dmitri Pal

Sr. Engineering Manager IPA project,
Red Hat Inc.

-------------------------------
Looking to carve out IT costs?
www.redhat.com/carveoutcosts/

From ssorce at redhat.com Fri Jan 14 22:35:20 2011
From: ssorce at redhat.com (Simo Sorce)
Date: Fri, 14 Jan 2011 17:35:20 -0500
Subject: [Freeipa-devel] [PATCH] Mozldap-specific code removed
In-Reply-To: <4D3056BA.5030907@redhat.com>
References: <1295009770.22946.3.camel@dhcp-25-52.brq.redhat.com> <4D3056BA.5030907@redhat.com>
Message-ID: <20110114173520.20699c3f@willson.li.ssimo.org>

On Fri, 14 Jan 2011 14:59:22 +0100
Jakub Hrozek wrote:

> On 01/14/2011 01:56 PM, Martin Kosek wrote:
> > IPA installation failed when mozldap-devel package was not
> > installed. This patch solves this:
> >
> > Mozldap code removed from all sources and configure source script.
> > Now, IPA will compile even when package mozldap-devel is not
> > installed on the system.
> >
> > https://fedorahosted.org/freeipa/ticket/756
> >
>
> Martin, I could not reproduce your build failure with the current
> master without the mozldap-devel package and I tried even in mock.
>
> But the patch looks good to me. I tested it with a scratch koji build:
> http://koji.fedoraproject.org/koji/taskinfo?taskID=2721123
>
> So even though the mozldap code removal ticket is not targeted for
> January, I think I can safely Ack it.

Pushed to master.

Simo.

--
Simo Sorce * Red Hat, Inc * New York

From ssorce at redhat.com Fri Jan 14 23:03:43 2011
From: ssorce at redhat.com (Simo Sorce)
Date: Fri, 14 Jan 2011 18:03:43 -0500
Subject: [Freeipa-devel] [PATCH] 0055 Consolidate sudo data in one subtree
In-Reply-To: <4D30CF3B.5060806@redhat.com>
References: <20110114173023.5a3bd366@willson.li.ssimo.org> <4D30CF3B.5060806@redhat.com>
Message-ID: <20110114180343.3e4ab7c0@willson.li.ssimo.org>

On Fri, 14 Jan 2011 17:33:31 -0500
Dmitri Pal wrote:

> Simo Sorce wrote:
> > Put all sudo data except the legacy ou=SUDOers into the cn=sudo
> > subtree.
> >
> > Ticket: #773
> >
> > Simo.
> >
>
> Does it include the compat plugin configuration?

Everything I could find is included (compat plugin configuration was
found).

Simo.

--
Simo Sorce * Red Hat, Inc * New York

From dpal at redhat.com Fri Jan 14 23:34:22 2011
From: dpal at redhat.com (Dmitri Pal)
Date: Fri, 14 Jan 2011 18:34:22 -0500
Subject: [Freeipa-devel] [PATCH] 0055 Consolidate sudo data in one subtree
In-Reply-To: <20110114180343.3e4ab7c0@willson.li.ssimo.org>
References: <20110114173023.5a3bd366@willson.li.ssimo.org> <4D30CF3B.5060806@redhat.com> <20110114180343.3e4ab7c0@willson.li.ssimo.org>
Message-ID: <4D30DD7E.5010304@redhat.com>

Simo Sorce wrote:
> On Fri, 14 Jan 2011 17:33:31 -0500
> Dmitri Pal wrote:
>
>> Simo Sorce wrote:
>>> Put all sudo data except the legacy ou=SUDOers into the cn=sudo
>>> subtree.
>>>
>>> Ticket: #773
>>>
>>> Simo.
>>>
>> Does it include the compat plugin configuration?
>
> Everything I could find is included (compat plugin configuration was
> found).
>
> Simo.
>

Great!

--
Thank you,
Dmitri Pal

Sr. Engineering Manager IPA project,
Red Hat Inc.

-------------------------------
Looking to carve out IT costs?
www.redhat.com/carveoutcosts/

From ayoung at redhat.com Sat Jan 15 01:19:05 2011
From: ayoung at redhat.com (Adam Young)
Date: Fri, 14 Jan 2011 20:19:05 -0500
Subject: [Freeipa-devel] [PATCH] admiyo-0148-no-entry-for-search.
Message-ID: <4D30F609.6010401@redhat.com>

-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-admiyo-0148-no-entry-for-search.patch
Type: text/x-patch
Size: 1655 bytes
Desc: not available

From ayoung at redhat.com Sat Jan 15 01:20:57 2011
From: ayoung at redhat.com (Adam Young)
Date: Fri, 14 Jan 2011 20:20:57 -0500
Subject: [Freeipa-devel] [PATCH] admiyo-0148-no-entry-for-search.
In-Reply-To: <4D30F609.6010401@redhat.com>
References: <4D30F609.6010401@redhat.com>
Message-ID: <4D30F679.4030801@redhat.com>

On 01/14/2011 08:19 PM, Adam Young wrote:
>

This addresses https://fedorahosted.org/freeipa/ticket/774

From ayoung at redhat.com Sat Jan 15 03:25:34 2011
From: ayoung at redhat.com (Adam Young)
Date: Fri, 14 Jan 2011 22:25:34 -0500
Subject: [Freeipa-devel] [PATCH] admiyo-0144-lint-clean
In-Reply-To: <4D308DF3.8090801@redhat.com>
References: <4D308C8D.8060203@redhat.com> <4D308DF3.8090801@redhat.com>
Message-ID: <4D3113AE.4050703@redhat.com>

On 01/14/2011 12:54 PM, Adam Young wrote:
> On 01/14/2011 12:49 PM, Adam Young wrote:
>>
> Rebased.
>

-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-admiyo-0144-3-lint-clean.patch
Type: text/x-patch
Size: 40211 bytes
Desc: not available

From ayoung at redhat.com Sat Jan 15 03:29:56 2011
From: ayoung at redhat.com (Adam Young)
Date: Fri, 14 Jan 2011 22:29:56 -0500
Subject: [Freeipa-devel] [PATCH] admiyo-0144-lint-clean
In-Reply-To: <4D308DF3.8090801@redhat.com>
References: <4D308C8D.8060203@redhat.com> <4D308DF3.8090801@redhat.com>
Message-ID: <4D3114B4.5020809@redhat.com>

On 01/14/2011 12:54 PM, Adam Young wrote:
> On 01/14/2011 12:49 PM, Adam Young wrote:
>>
> Rebased.
>

Rebased again

-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-admiyo-0144-3-lint-clean.patch
Type: text/x-patch
Size: 40211 bytes
Desc: not available

From edewata at redhat.com Sat Jan 15 04:51:11 2011
From: edewata at redhat.com (Endi Sukma Dewata)
Date: Sat, 15 Jan 2011 11:51:11 +0700
Subject: [Freeipa-devel] [PATCH] admiyo-0144-lint-clean
In-Reply-To: <4D3114B4.5020809@redhat.com>
References: <4D308C8D.8060203@redhat.com> <4D308DF3.8090801@redhat.com> <4D3114B4.5020809@redhat.com>
Message-ID: <4D3127BF.6030908@redhat.com>

On 1/15/2011 10:29 AM, Adam Young wrote:
> Rebased again

ACK and pushed to master.

--
Endi S. Dewata

From edewata at redhat.com Sat Jan 15 04:51:39 2011
From: edewata at redhat.com (Endi Sukma Dewata)
Date: Sat, 15 Jan 2011 11:51:39 +0700
Subject: [Freeipa-devel] [PATCH] admiyo-0145-null-pkey
In-Reply-To: <4D309429.2080200@redhat.com>
References: <4D309429.2080200@redhat.com>
Message-ID: <4D3127DB.8060605@redhat.com>

On 1/15/2011 1:21 AM, Adam Young wrote:
>

ACK and pushed to master.

--
Endi S. Dewata

From edewata at redhat.com Sat Jan 15 04:52:26 2011
From: edewata at redhat.com (Endi Sukma Dewata)
Date: Sat, 15 Jan 2011 11:52:26 +0700
Subject: [Freeipa-devel] [PATCH] admiyo-0147-Details-to-Settings
In-Reply-To: <4D30C4B5.7090806@redhat.com>
References: <4D30C4B5.7090806@redhat.com>
Message-ID: <4D31280A.3050202@redhat.com>

On 1/15/2011 4:48 AM, Adam Young wrote:
>

ACK and pushed to master.

--
Endi S. Dewata

From edewata at redhat.com Sat Jan 15 04:53:15 2011
From: edewata at redhat.com (Endi Sukma Dewata)
Date: Sat, 15 Jan 2011 11:53:15 +0700
Subject: [Freeipa-devel] [PATCH] admiyo-0148-no-entry-for-search.
In-Reply-To: <4D30F609.6010401@redhat.com>
References: <4D30F609.6010401@redhat.com>
Message-ID: <4D31283B.1040803@redhat.com>

On 1/15/2011 8:19 AM, Adam Young wrote:
>

ACK and pushed to master.

--
Endi S. Dewata

From edewata at redhat.com Sat Jan 15 04:55:56 2011
From: edewata at redhat.com (Endi Sukma Dewata)
Date: Sat, 15 Jan 2011 11:55:56 +0700
Subject: [Freeipa-devel] [PATCH] Certificate and Kerberos key status adjustments.
In-Reply-To: <4D305A37.9010009@redhat.com>
References: <4D2EE239.3050409@redhat.com> <4D2FA975.7040904@redhat.com> <4D2FB8C9.2020104@redhat.com> <4D305A37.9010009@redhat.com>
Message-ID: <4D3128DC.5080503@redhat.com>

On 1/14/2011 9:14 PM, Adam Young wrote:
> ACK

Pushed to master.

--
Endi S. Dewata

From vic_1980 at bk.ru Mon Jan 17 08:33:47 2011
From: vic_1980 at bk.ru (Виктор Сергеевич)
Date: Mon, 17 Jan 2011 11:33:47 +0300
Subject: [Freeipa-devel] error - Configuration of CA failed
Message-ID: <4D33FEEB.5050908@bk.ru>

Hi ALL!!

After adding the ipa-devel repo I am getting this error:

The following operations may take some minutes to complete.
Please wait until the prompt is returned.

Configuring ntpd
  [1/4]: stopping ntpd
  [2/4]: writing configuration
  [3/4]: configuring ntpd to start on boot
  [4/4]: starting ntpd
done configuring ntpd.
Configuring directory server for the CA: Estimated time 30 seconds
  [1/3]: creating directory server user
  [2/3]: creating directory server instance
  [3/3]: restarting directory server
done configuring pkids.
Configuring certificate server: Estimated time 6 minutes
  [1/16]: creating certificate server user
  [2/16]: creating pki-ca instance
  [3/16]: restarting certificate server
  [4/16]: configuring certificate server instance
root        : CRITICAL failed to restart ca instance Command '/sbin/service pki-cad status' returned non-zero exit status 4
Unexpected error - see ipaserver-install.log for details:
Configuration of CA failed

Where am I wrong?

Thanks

Attachment (scrubbed by the archive): debug
Attachment (scrubbed by the archive): ipaserver-install.log

From mkosek at redhat.com Mon Jan 17 08:46:52 2011
From: mkosek at redhat.com (Martin Kosek)
Date: Mon, 17 Jan 2011 09:46:52 +0100
Subject: [Freeipa-devel] [PATCH] Mozldap-specific code removed
In-Reply-To: <4D3056BA.5030907@redhat.com>
References: <1295009770.22946.3.camel@dhcp-25-52.brq.redhat.com> <4D3056BA.5030907@redhat.com>
Message-ID: <1295254012.3020.2.camel@dhcp-25-52.brq.redhat.com>

On Fri, 2011-01-14 at 14:59 +0100, Jakub Hrozek wrote:
> On 01/14/2011 01:56 PM, Martin Kosek wrote:
> > IPA installation failed when mozldap-devel package was not installed.
> > This patch solves this:
> >
> > Mozldap code removed from all sources and configure source script.
> > Now, IPA will compile even when package mozldap-devel is not
> > installed on the system.
> >
> > https://fedorahosted.org/freeipa/ticket/756
> >
>
> Martin, I could not reproduce your build failure with the current master
> without the mozldap-devel package and I tried even in mock.
>
> But the patch looks good to me. I tested it with a scratch koji build:
> http://koji.fedoraproject.org/koji/taskinfo?taskID=2721123
>
> So even though the mozldap code removal ticket is not targeted for
> January, I think I can safely Ack it.

Hmm... When I tested the build with a clean repository I could compile
without mozldap-devel too. Anyway, as you said - the patch remains valid.

Martin

From jzeleny at redhat.com Mon Jan 17 09:36:47 2011
From: jzeleny at redhat.com (Jan Zelený)
Date: Mon, 17 Jan 2011 10:36:47 +0100
Subject: [Freeipa-devel] [PATCH] Rename package to freeipa
Message-ID: <201101171036.47311.jzeleny@redhat.com>

Ok, so here is the first version of patch which will rename the package in
Fedora from ipa to freeipa. I've tried to keep it as minimal as possible, but
my concern is whether it doesn't break any Fedora rules. I tried to remember
them from time I was maintainer and no particular rule we might be breaking
came to my mind, so hopefully we are ok.

The package builds fine using `make rpms` and it installs fine as well. I also
tested that installation fails in case ipa-* packages are installed.

Jan

Attachment (scrubbed by the archive): jzeleny-freeipa-0022-Rename-package-to-freeipa.patch, text/x-patch, 5270 bytes

From mkosek at redhat.com Mon Jan 17 12:00:12 2011
From: mkosek at redhat.com (Martin Kosek)
Date: Mon, 17 Jan 2011 13:00:12 +0100
Subject: [Freeipa-devel] [PATCH] Unused value in initdefault_encoding_utf8
Message-ID: <1295265612.8622.0.camel@dhcp-25-52.brq.redhat.com>

There is no use for return value of Py_InitModule3. Removing it in this patch.

https://fedorahosted.org/freeipa/ticket/710

Attachment (scrubbed by the archive): mkosek-freeipa-015-unused-value-in-initdefault_encoding_utf8.patch, text/x-patch, 1169 bytes

From jhrozek at redhat.com Mon Jan 17 12:13:53 2011
From: jhrozek at redhat.com (Jakub Hrozek)
Date: Mon, 17 Jan 2011 13:13:53 +0100
Subject: [Freeipa-devel] [PATCH] Unused value in initdefault_encoding_utf8
In-Reply-To: <1295265612.8622.0.camel@dhcp-25-52.brq.redhat.com>
References: <1295265612.8622.0.camel@dhcp-25-52.brq.redhat.com>
Message-ID: <4D343281.3050409@redhat.com>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 01/17/2011 01:00 PM, Martin Kosek wrote:
> There is no use for return value of Py_InitModule3. Removing it
> in this patch.
>
> https://fedorahosted.org/freeipa/ticket/710
>

Ack

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (GNU/Linux)
Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org/

iEYEARECAAYFAk00MoEACgkQHsardTLnvCUHMwCfQ/KnbJTKNJKx69vM7aa6STuT
lkwAni4d+Pl6s3kgmYCiroXbLAhric+1
=DG+k
-----END PGP SIGNATURE-----

From dpal at redhat.com Mon Jan 17 14:23:21 2011
From: dpal at redhat.com (Dmitri Pal)
Date: Mon, 17 Jan 2011 09:23:21 -0500
Subject: [Freeipa-devel] error - Configuration of CA failed
In-Reply-To: <4D33FEEB.5050908@bk.ru>
References: <4D33FEEB.5050908@bk.ru>
Message-ID: <4D3450D9.4010508@redhat.com>

Виктор Сергеевич wrote:
> Hi ALL!!
>
> After adding the ipa-devel repo I am getting this error:
>
> The following operations may take some minutes to complete.
> Please wait until the prompt is returned.
>
> Configuring ntpd
>   [1/4]: stopping ntpd
>   [2/4]: writing configuration
>   [3/4]: configuring ntpd to start on boot
>   [4/4]: starting ntpd
> done configuring ntpd.
> Configuring directory server for the CA: Estimated time 30 seconds
>   [1/3]: creating directory server user
>   [2/3]: creating directory server instance
>   [3/3]: restarting directory server
> done configuring pkids.
> Configuring certificate server: Estimated time 6 minutes
>   [1/16]: creating certificate server user
>   [2/16]: creating pki-ca instance
>   [3/16]: restarting certificate server
>   [4/16]: configuring certificate server instance
> root        : CRITICAL failed to restart ca instance Command
> '/sbin/service pki-cad status' returned non-zero exit status 4
> Unexpected error - see ipaserver-install.log for details:
> Configuration of CA failed
>
> Where am I wrong?
>

Hello,

It seems that you are still hitting the CA issue. This issue indicates that
the CA packages that you are installing are not from ipa-devel. You need to
manually remove the certificate system (pki-*) packages that come from Fedora
and use the ones that come from ipa-devel. The packages that come from
ipa-devel have this issue addressed.

Alternatively you can use the beta repo with the pki packages that come from
Fedora, but in this case you need to implement the workaround (create a link)
as described in the beta readme.
Thank you,
Dmitri

> Thanks
> ------------------------------------------------------------------------
>

--
Thank you,
Dmitri Pal

Sr. Engineering Manager IPA project,
Red Hat Inc.

-------------------------------
Looking to carve out IT costs?
www.redhat.com/carveoutcosts/

From jdennis at redhat.com Mon Jan 17 14:27:31 2011
From: jdennis at redhat.com (John Dennis)
Date: Mon, 17 Jan 2011 09:27:31 -0500
Subject: [Freeipa-devel] error - Configuration of CA failed
In-Reply-To: <4D33FEEB.5050908@bk.ru>
References: <4D33FEEB.5050908@bk.ru>
Message-ID: <4D3451D3.2060306@redhat.com>

On 01/17/2011 03:33 AM, Виктор Сергеевич wrote:
> Hi ALL!!
>
> After adding the ipa-devel repo I am getting this error:
>
> 2011-01-17 11:04:10,374 CRITICAL failed to restart ca instance Command '/sbin/service pki-cad status' returned non-zero exit status 4

Did you do a yum upgrade and pull in the packages from the repo? It looks
like you're running an old version because this issue has been fixed in the
current repo.

If you have done that then please provide us with the versions of ipa-server
and pki-core currently installed on your system.

$ rpm -q ipa-server pki-core

--
John Dennis

Looking to carve out IT costs?
www.redhat.com/carveoutcosts/

From ayoung at redhat.com Mon Jan 17 15:12:12 2011
From: ayoung at redhat.com (Adam Young)
Date: Mon, 17 Jan 2011 10:12:12 -0500
Subject: [Freeipa-devel] [PATCH] admiyo-0149-jslint-cleanup
Message-ID: <4D345C4C.70909@redhat.com>

After this patch is applied, running

jsl -conf jsl.conf

will report no errors. Running clean is then a requirement for committing
patches to the javascript code base.

Attachment (scrubbed by the archive): freeipa-admiyo-0149-jslint-cleanup.patch, text/x-patch, 2231 bytes

From rcritten at redhat.com Mon Jan 17 15:52:27 2011
From: rcritten at redhat.com (Rob Crittenden)
Date: Mon, 17 Jan 2011 10:52:27 -0500
Subject: [Freeipa-devel] [PATCH] 680 ldap lockout
Message-ID: <4D3465BB.9090604@redhat.com>

Update kerberos password policy values on LDAP binds. This is so locked-out
accounts in kerberos don't try things using LDAP instead.

On a failed bind this will update krbLoginFailedCount and krbLastFailedAuth
and will potentially fail the bind altogether.

On a successful bind it will zero krbLoginFailedCount and set
krbLastSuccessfulAuth.

This will also enforce locked-out accounts.

See http://k5wiki.kerberos.org/wiki/Projects/Lockout for details on kerberos
lockout.

ticket 343

Attachment (scrubbed by the archive): freeipa-rcrit-680-lockout.patch, text/x-patch, 25312 bytes

From JR.Aquino at citrix.com Mon Jan 17 16:28:52 2011
From: JR.Aquino at citrix.com (JR Aquino)
Date: Mon, 17 Jan 2011 16:28:52 +0000
Subject: [Freeipa-devel] [PATCH] 0055 Consolidate sudo data in one subtree
In-Reply-To: <20110114180343.3e4ab7c0@willson.li.ssimo.org>
Message-ID:

ACK.

Please push.

On 1/14/11 3:03 PM, "Simo Sorce" wrote:

>On Fri, 14 Jan 2011 17:33:31 -0500
>Dmitri Pal wrote:
>
>> Simo Sorce wrote:
>> > Put all sudo data except the legacy ou=SUDOers into the cn=sudo
>> > subtree.
>> >
>> > Ticket: #773
>> >
>> > Simo.
>> >
>>
>> Does it include the compat plugin configuration?
>
>Everything I could find is included (compat plugin configuration was
>found).
>
>Simo.
>
>--
>Simo Sorce * Red Hat, Inc * New York

From ssorce at redhat.com Mon Jan 17 16:49:40 2011
From: ssorce at redhat.com (Simo Sorce)
Date: Mon, 17 Jan 2011 11:49:40 -0500
Subject: [Freeipa-devel] [PATCH] Better output from ipactl command
Message-ID: <20110117114940.1bd66bcb@willson.li.ssimo.org>

The following 2 patches enhance the ipactl command output (also used in the
ipa init script).

The first patch fixes ticket #765, the second is just for coherency with other
scripts like this.

Simo.

--
Simo Sorce * Red Hat, Inc * New York

Attachment (scrubbed by the archive): freeipa-simo-0056-Add-a-way-to-print-output-from-commands.patch, text/x-patch, 9663 bytes
Attachment (scrubbed by the archive): freeipa-simo-0057-Let-ipactl-output-errors-to-stderr.patch, text/x-patch, 1607 bytes

From ssorce at redhat.com Mon Jan 17 16:50:08 2011
From: ssorce at redhat.com (Simo Sorce)
Date: Mon, 17 Jan 2011 11:50:08 -0500
Subject: [Freeipa-devel] [PATCH] 0055 Consolidate sudo data in one subtree
In-Reply-To:
References: <20110114180343.3e4ab7c0@willson.li.ssimo.org>
Message-ID: <20110117115008.5cfe779d@willson.li.ssimo.org>

On Mon, 17 Jan 2011 16:28:52 +0000
JR Aquino wrote:

> ACK.
>
> Please push.
>
> On 1/14/11 3:03 PM, "Simo Sorce" wrote:
>
> >On Fri, 14 Jan 2011 17:33:31 -0500
> >Dmitri Pal wrote:
> >
> >> Simo Sorce wrote:
> >> > Put all sudo data except the legacy ou=SUDOers into the cn=sudo
> >> > subtree.
> >> >
> >> > Ticket: #773

Thanks, pushed to master.

Simo.

--
Simo Sorce * Red Hat, Inc * New York

From ssorce at redhat.com Mon Jan 17 16:53:22 2011
From: ssorce at redhat.com (Simo Sorce)
Date: Mon, 17 Jan 2011 11:53:22 -0500
Subject: [Freeipa-devel] [PATCH] fix selinux policies for ipa_kpasswd
Message-ID: <20110117115322.45b3e515@willson.li.ssimo.org>

The ipa_kpasswd daemon apparently can't listen on udp due to an error in the
selinux policies.

The attached patch fixes it.

Simo.

--
Simo Sorce * Red Hat, Inc * New York

Attachment (scrubbed by the archive): freeipa-simo-0058-Fix-selinux-policies-for-ipa_kpasswd.patch, text/x-patch, 848 bytes

From ayoung at redhat.com Mon Jan 17 17:32:52 2011
From: ayoung at redhat.com (Adam Young)
Date: Mon, 17 Jan 2011 12:32:52 -0500
Subject: [Freeipa-devel] [PATCH] admiyo-0150-search-unit-tests
Message-ID: <4D347D44.9000403@redhat.com>

Attachment (scrubbed by the archive): freeipa-admiyo-0150-search-unit-tests.patch, text/x-patch, 1957 bytes

From ssorce at redhat.com Mon Jan 17 18:11:41 2011
From: ssorce at redhat.com (Simo Sorce)
Date: Mon, 17 Jan 2011 13:11:41 -0500
Subject: [Freeipa-devel] [PATCH] 0059 Add command to test if DNS is active
Message-ID: <20110117131141.488c23a1@willson.li.ssimo.org>

This patch implements the feature requested in ticket #600

The internal dns_is_enabled command returns whether the DNS service is enabled
on at least one of the servers in the domain.

The UI can use this command to determine whether to show the DNS related
configuration options.

Simo.

--
Simo Sorce * Red Hat, Inc * New York

Attachment (scrubbed by the archive): freeipa-simo-0059-Provide-API-to-check-if-IPA-DNS-is-enabled-on-some-s.patch, text/x-patch, 2507 bytes

From ayoung at redhat.com Mon Jan 17 18:47:13 2011
From: ayoung at redhat.com (Adam Young)
Date: Mon, 17 Jan 2011 13:47:13 -0500
Subject: [Freeipa-devel] [PATCH] 0059 Add command to test if DNS is active
In-Reply-To: <20110117131141.488c23a1@willson.li.ssimo.org>
References: <20110117131141.488c23a1@willson.li.ssimo.org>
Message-ID: <4D348EB1.4050909@redhat.com>

On 01/17/2011 01:11 PM, Simo Sorce wrote:
> This patch implements the feature requested in ticket #600
>
> The internal dns_is_enabled command returns whether the DNS service is
> enabled on at least one of the servers in the domain.
>
> The UI can use this command to determine whether to show the DNS
> related configuration options.
>
> Simo.
>

Will this show up in the metadata call? If not, it can't be used by the webUI
yet. Not a reason for a NACK, but indicates more work to be done afterwards.

From jzeleny at redhat.com Mon Jan 17 19:41:46 2011
From: jzeleny at redhat.com (Jan Zeleny)
Date: Mon, 17 Jan 2011 20:41:46 +0100
Subject: [Freeipa-devel] [PATCH] 680 ldap lockout
In-Reply-To: <4D3465BB.9090604@redhat.com>
References: <4D3465BB.9090604@redhat.com>
Message-ID: <201101172041.46836.jzeleny@redhat.com>

Rob Crittenden wrote:
> Update kerberos password policy values on LDAP binds. This is so
> locked-out accounts in kerberos don't try things using LDAP instead.
>
> On a failed bind this will update krbLoginFailedCount and
> krbLastFailedAuth and will potentially fail the bind altogether.
>
> On a successful bind it will zero krbLoginFailedCount and set
> krbLastSuccessfulAuth.
>
> This will also enforce locked-out accounts.
>
> See http://k5wiki.kerberos.org/wiki/Projects/Lockout for details on
> kerberos lockout.
>
> ticket 343

Ack, good job

Jan

From rcritten at redhat.com Mon Jan 17 21:28:02 2011
From: rcritten at redhat.com (Rob Crittenden)
Date: Mon, 17 Jan 2011 16:28:02 -0500
Subject: [Freeipa-devel] [PATCH] 681 set default maxint
Message-ID: <4D34B462.5050704@redhat.com>

Set a default for maxint that matches what xmlrpclib can handle. Also handle
marshalling errors from xmlrpclib so users don't get a backtrace.

This was discovered by a typo in a dns serial number which exceeded 4 bytes.
To test try something like:

$ ipa dnszone-add --name-server=192.168.122.214 --admin-email=test at example.com --serial=20100101010 --refresh=300 --retry=300 --expire=1200000 --minimum=3000 --maximum=9200 --ttl=100 newzone

ticket 770

rob

Attachment (scrubbed by the archive): freeipa-rcrit-681-maxint.patch, text/x-patch, 2827 bytes

From ssorce at redhat.com Tue Jan 18 00:48:48 2011
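The "681 set default maxint" message above describes two fixes: a default integer bound that matches what xmlrpclib can carry, and turning the marshaller's error into a user-facing message. The following is an added illustration, not Rob's patch or any FreeIPA code: it uses Python 3's xmlrpc.client (the successor of xmlrpclib) to show that an 11-digit SOA serial like the mistyped one in the thread overflows the signed 32-bit XML-RPC int, and checks it before marshalling. ValidationError, validate_int, marshal_call, dnszone_add_request and check_outcomes are hypothetical names introduced here.

```python
"""Added example: range-check integers against the XML-RPC limit so an
oversized value is reported as a validation error, not a traceback."""
import xmlrpc.client

# XML-RPC <int>/<i4> values are signed 32-bit; the library enforces this.
XMLRPC_MAXINT = xmlrpc.client.MAXINT   # 2**31 - 1
XMLRPC_MININT = xmlrpc.client.MININT   # -2**31

# A DNS SOA serial is an unsigned 32-bit integer (RFC 1035); its upper bound
# is higher than XML-RPC's, so the transport limit is the tighter one here.
SOA_SERIAL_MAX = 2**32 - 1


class ValidationError(ValueError):
    """What a CLI prints to the user instead of a backtrace."""


def validate_int(name, value, minvalue=XMLRPC_MININT, maxvalue=XMLRPC_MAXINT):
    """Bounds check applied before marshalling. The defaults mirror a
    parameter whose maxint defaults to what the XML-RPC layer can handle."""
    if not isinstance(value, int) or isinstance(value, bool):
        raise ValidationError("%s: must be an integer" % name)
    if value < minvalue or value > maxvalue:
        raise ValidationError("%s: must be between %d and %d, got %d"
                              % (name, minvalue, maxvalue, value))
    return value


def marshal_call(method, params):
    """Marshal a request; xmlrpc.client raises OverflowError for ints outside
    the 32-bit range, which we convert into a ValidationError."""
    try:
        return xmlrpc.client.dumps(tuple(params), methodname=method)
    except OverflowError as e:
        raise ValidationError("cannot send request: %s" % e)


def dnszone_add_request(name, serial, **soa):
    """Build a hypothetical 'dnszone_add' request. The serial is checked
    against both the SOA and the transport limit before anything is encoded,
    so the typo from the thread is rejected with a readable message."""
    validate_int("serial", serial, 0, min(SOA_SERIAL_MAX, XMLRPC_MAXINT))
    for key, value in soa.items():
        validate_int(key, value, 0)
    return marshal_call("dnszone_add", [name, {"idnssoaserial": serial, **soa}])


def check_outcomes():
    """Return (typo_rejected_by_validation, raw_marshal_overflow_caught)
    for the 11-digit serial quoted in the thread."""
    typo_serial = 20100101010   # constructed from the command in the thread
    try:
        dnszone_add_request("newzone", typo_serial, refresh=300)
        rejected = False
    except ValidationError:
        rejected = True
    try:
        marshal_call("dnszone_add", [typo_serial])   # no pre-check at all
        overflow_caught = False
    except ValidationError:
        overflow_caught = True
    return rejected, overflow_caught


if __name__ == "__main__":
    print(check_outcomes())
    print(dnszone_add_request("newzone", 2011011801, refresh=300, retry=300))
```

The pre-check is the part worth keeping: catching OverflowError from the marshaller still works, but it surfaces the transport's limit rather than the parameter's, and only after every other argument has already been encoded.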
From: ssorce at redhat.com (Simo Sorce)
Date: Mon, 17 Jan 2011 19:48:48 -0500
Subject: [Freeipa-devel] [PATCH] 0060 fix ipa-join, prevent it crashing
Message-ID: <20110117194848.326a097c@willson.li.ssimo.org>

Fix a ipa-join segfault due to improper handling of NULL credentials.

Fixes ticket #783.

Simo.

--
Simo Sorce * Red Hat, Inc * New York

Attachment (scrubbed by the archive): freeipa-simo-0060-Do-not-try-to-dereference-bindpw-if-it-is-null.patch, text/x-patch, 1115 bytes

From edewata at redhat.com Tue Jan 18 07:04:36 2011
From: edewata at redhat.com (Endi Sukma Dewata)
Date: Tue, 18 Jan 2011 14:04:36 +0700
Subject: [Freeipa-devel] [PATCH] admiyo-0149-jslint-cleanup
In-Reply-To: <4D345C4C.70909@redhat.com>
References: <4D345C4C.70909@redhat.com>
Message-ID: <4D353B84.9040805@redhat.com>

On 1/17/2011 10:12 PM, Adam Young wrote:
> After this patch is applied, running
>
> jsl -conf jsl.conf
>
> will report no errors. Running clean is then a requirement for
> committing patches to the javascript code base

ACK and pushed to master.

--
Endi S. Dewata

From edewata at redhat.com Tue Jan 18 07:05:11 2011
From: edewata at redhat.com (Endi Sukma Dewata)
Date: Tue, 18 Jan 2011 14:05:11 +0700
Subject: [Freeipa-devel] [PATCH] admiyo-0150-search-unit-tests
In-Reply-To: <4D347D44.9000403@redhat.com>
References: <4D347D44.9000403@redhat.com>
Message-ID: <4D353BA7.5090100@redhat.com>

On 1/18/2011 12:32 AM, Adam Young wrote:
>

ACK and pushed to master.

--
Endi S. Dewata

From edewata at redhat.com Tue Jan 18 07:07:59 2011
From: edewata at redhat.com (Endi Sukma Dewata)
Date: Tue, 18 Jan 2011 14:07:59 +0700
Subject: [Freeipa-devel] [PATCH] New certificate and Kerberos key status behavior.
Message-ID: <4D353C4F.8000503@redhat.com>

Hi,

The attached patch is a further adjustment for item #3 of this bug:
https://fedorahosted.org/freeipa/ticket/670

The status panel for certificates and Kerberos keys has been modified to
display only the current status with the relevant buttons. New icons have been
added to replace the red/yellow/green bullets.

--
Endi S. Dewata

Attachment (scrubbed by the archive): freeipa-edewata-0073-New-certificate-and-Kerberos-key-status-behavior.patch, text/x-patch, 22498 bytes

From edewata at redhat.com Tue Jan 18 07:10:43 2011
From: edewata at redhat.com (Endi Sukma Dewata)
Date: Tue, 18 Jan 2011 14:10:43 +0700
Subject: [Freeipa-devel] [PATCH] CSS class for buttons without icons.
Message-ID: <4D353CF3.8030203@redhat.com>

Hi,

The attached patch addresses item #5 of this bug:
https://fedorahosted.org/freeipa/ticket/670

A new CSS class has been added for buttons without icons. The IPA.button() has
been modified to use this class if no icon is specified.

--
Endi S. Dewata

Attachment (scrubbed by the archive): freeipa-edewata-0074-CSS-class-for-buttons-without-icons.patch, text/x-patch, 1889 bytes

From edewata at redhat.com Tue Jan 18 07:38:08 2011
From: edewata at redhat.com (Endi Sukma Dewata)
Date: Tue, 18 Jan 2011 14:38:08 +0700
Subject: [Freeipa-devel] [PATCH] Unprovision message and buttons adjustments.
Message-ID: <4D354360.70202@redhat.com>

Hi,

The message and buttons in the unprovision dialog box have been updated
according to the latest spec.

--
Endi S. Dewata

Attachment (scrubbed by the archive): freeipa-edewata-0075-Unprovision-message-and-buttons-adjustments.patch, text/x-patch, 2293 bytes

From jzeleny at redhat.com Tue Jan 18 09:00:33 2011
From: jzeleny at redhat.com (Jan Zelený)
Date: Tue, 18 Jan 2011 10:00:33 +0100
Subject: [Freeipa-devel] [PATCH] Modified description of nsaccountlock attribute
Message-ID: <201101181000.33620.jzeleny@redhat.com>

The original one was misleading, giving the value exactly the opposite meaning
from what it actually has.

https://fedorahosted.org/freeipa/ticket/741

Jan

Attachment (scrubbed by the archive): jzeleny-freeipa-0023-Modified-description-of-nsaccountlock-attribute.patch, text/x-patch, 969 bytes

From jzeleny at redhat.com Tue Jan 18 09:32:36 2011
From: jzeleny at redhat.com (Jan Zelený)
Date: Tue, 18 Jan 2011 10:32:36 +0100
Subject: [Freeipa-devel] [PATCH] Better output from ipactl command
In-Reply-To: <20110117114940.1bd66bcb@willson.li.ssimo.org>
References: <20110117114940.1bd66bcb@willson.li.ssimo.org>
Message-ID: <201101181032.36625.jzeleny@redhat.com>

Simo Sorce wrote:
> The following 2 patches enhance the ipactl command output (also used in
> the ipa init script).
>
> The first patch fixes ticket #765, the second is just for coherency
> with other scripts like this.
>
> Simo.

Ack for the 0056

Conditional ACK for 0057 - I believe there shouldn't be a print on line 31 of
the patch. Otherwise the patch is good, so if you remove the print, then ACK.

Jan

From jzeleny at redhat.com Tue Jan 18 09:36:19 2011
From: jzeleny at redhat.com (Jan Zelený)
Date: Tue, 18 Jan 2011 10:36:19 +0100
Subject: [Freeipa-devel] [PATCH] fix selinux policies for ipa_kpasswd
In-Reply-To: <20110117115322.45b3e515@willson.li.ssimo.org>
References: <20110117115322.45b3e515@willson.li.ssimo.org>
Message-ID: <201101181036.19038.jzeleny@redhat.com>

Simo Sorce wrote:
> The ipa_kpasswd daemon apparently can't listen on udp due to an error
> in the selinux policies.
>
> The attached patch fixes it.
>
> Simo.

ack

Jan

From jzeleny at redhat.com Tue Jan 18 09:54:14 2011
From: jzeleny at redhat.com (Jan Zelený)
Date: Tue, 18 Jan 2011 10:54:14 +0100
Subject: [Freeipa-devel] [PATCH] 681 set default maxint
In-Reply-To: <4D34B462.5050704@redhat.com>
References: <4D34B462.5050704@redhat.com>
Message-ID: <201101181054.14120.jzeleny@redhat.com>

Rob Crittenden wrote:
> Set a default for maxint that matches what xmlrpclib can handle. Also
> handle marshalling errors from xmlrpclib so users don't get a backtrace.
>
> This was discovered by a typo in a dns serial number which exceeded 4
> bytes. To test try something like:
>
> $ ipa dnszone-add --name-server=192.168.122.214
> --admin-email=test at example.com --serial=20100101010 --refresh=300
> --retry=300 --expire=1200000 --minimum=3000 --maximum=9200 --ttl=100
> newzone
>
> ticket 770
>
> rob

ack

Jan

From jzeleny at redhat.com Tue Jan 18 10:15:08 2011
From: jzeleny at redhat.com (Jan Zelený)
Date: Tue, 18 Jan 2011 11:15:08 +0100
Subject: [Freeipa-devel] [PATCH] Move HBAC services and service groups to cn=hbac
Message-ID: <201101181115.08663.jzeleny@redhat.com>

I've already posted a patch to SSSD to keep up with this change.

https://fedorahosted.org/freeipa/ticket/762

--
Thank you
Jan Zeleny
Red Hat Software Engineer
Brno, Czech Republic

Attachment (scrubbed by the archive): jzeleny-freeipa-0024-Move-HBAC-services-and-service-groups-to-cn-hbac.patch, text/x-patch, 19904 bytes

From mkosek at redhat.com Tue Jan 18 11:49:22 2011
From: mkosek at redhat.com (Martin Kosek)
Date: Tue, 18 Jan 2011 12:49:22 +0100
Subject: [Freeipa-devel] [PATCH] Password generation and logging in ipa-server-install
Message-ID: <1295351362.14272.0.camel@dhcp-25-52.brq.redhat.com>

When a randomly generated password contains a space character as the first or
the last character, installation fails on kdb5_ldap_util calling, which does
not accept that. This patch fixes the generator to generate a space only in
allowed positions.

This patch also ensures that no password is printed to the server install log.

https://fedorahosted.org/freeipa/ticket/731

Attachment (scrubbed by the archive): mkosek-freeipa-016-password-generation-and-logging-in-ipa-server-instal.patch, text/x-patch, 3693 bytes

From pzuna at redhat.com Tue Jan 18 12:25:28 2011
From: pzuna at redhat.com (Pavel Zuna)
Date: Tue, 18 Jan 2011 13:25:28 +0100
Subject: [Freeipa-devel] [PATCH] Enable custom list of attributes to retrieve effective rights.
In-Reply-To: <4D2770BE.3010509@redhat.com>
References: <4D1C502A.8050409@redhat.com> <4D2770BE.3010509@redhat.com>
Message-ID: <4D3586B8.2080405@redhat.com>

On 01/07/2011 08:59 PM, Rob Crittenden wrote:
> Pavel Zůna wrote:
>> LDAPObject sub-classes can define a custom list of attributes for
>> effective rights retrieval.
>>
>> Fix #677
>>
>> Pavel
>>
>
> Nack. --rights should only return data when --all is also included.
>
> Otherwise it looks ok.
>
> rob

Fixed version attached.

Pavel

Attachment (scrubbed by the archive): freeipa-pzuna-50-2-customrights.patch, text/x-patch, 3884 bytes

From pzuna at redhat.com Tue Jan 18 12:40:59 2011
From: pzuna at redhat.com (Pavel Zuna)
Date: Tue, 18 Jan 2011 13:40:59 +0100
Subject: [Freeipa-devel] [PATCH] Fix import API_VERSION import error.
Message-ID: <4D358A5B.4040504@redhat.com>

Fixes import errors in the framework caused by recent API version changes.

Fix #796

Pavel

Attachment (scrubbed by the archive): freeipa-pzuna-58-importversion.patch, text/x-patch, 2188 bytes

From pzuna at redhat.com Tue Jan 18 13:25:58 2011
From: pzuna at redhat.com (Pavel Zuna)
Date: Tue, 18 Jan 2011 14:25:58 +0100
Subject: [Freeipa-devel] [PATCH] Fix import API_VERSION import error.
In-Reply-To: <4D358A5B.4040504@redhat.com>
References: <4D358A5B.4040504@redhat.com>
Message-ID: <4D3594E6.4030805@redhat.com>

On 01/18/2011 01:40 PM, Pavel Zuna wrote:
> Fixes import errors in the framework caused by recent API version changes.
>
> Fix #796
>
> Pavel

self-NACK. Ignore this patch, didn't realize the API_VERSION constant is
auto-generated.

Pavel

From pzuna at redhat.com Tue Jan 18 13:37:48 2011
From: pzuna at redhat.com (Pavel Zuna)
Date: Tue, 18 Jan 2011 14:37:48 +0100
Subject: [Freeipa-devel] [PATCH] Fix crash when building DN of host with name ending with period.
Message-ID: <4D3597AC.3040906@redhat.com>

Fix #797

Pavel

Attachment (scrubbed by the archive): freeipa-pzuna-59-hostnamecrash.patch, text/x-patch, 1314 bytes

From pzuna at redhat.com Tue Jan 18 13:38:59 2011
From: pzuna at redhat.com (Pavel Zuna)
Date: Tue, 18 Jan 2011 14:38:59 +0100
Subject: [Freeipa-devel] [PATCH] Remove SOA maximum parameter from DNS zone.
Message-ID: <4D3597F3.2060704@redhat.com>

There's no such thing as "maximum" in the SOA record RDATA format according to
RFC 1035 and there's also no such attribute in the schema.

Fix #788
https://bugzilla.redhat.com/show_bug.cgi?id=670343

Pavel

Attachment (scrubbed by the archive): freeipa-pzuna-60-soamaximum.patch, text/x-patch, 978 bytes

From rcritten at redhat.com Tue Jan 18 13:52:28 2011
From: rcritten at redhat.com (Rob Crittenden)
Date: Tue, 18 Jan 2011 08:52:28 -0500
Subject: [Freeipa-devel] [PATCH] Fix import API_VERSION import error.
In-Reply-To: <4D358A5B.4040504@redhat.com>
References: <4D358A5B.4040504@redhat.com>
Message-ID: <4D359B1C.5080806@redhat.com>

Pavel Zuna wrote:
> Fixes import errors in the framework caused by recent API version changes.
>
> Fix #796
>
> Pavel

nack, VERSION != API_VERSION

What error are you seeing?

rob

From rcritten at redhat.com Tue Jan 18 14:29:17 2011
From: rcritten at redhat.com (Rob Crittenden)
Date: Tue, 18 Jan 2011 09:29:17 -0500
Subject: [Freeipa-devel] [PATCH] 680 ldap lockout
In-Reply-To: <201101172041.46836.jzeleny@redhat.com>
References: <4D3465BB.9090604@redhat.com> <201101172041.46836.jzeleny@redhat.com>
Message-ID: <4D35A3BD.3070300@redhat.com>

Jan Zeleny wrote:
> Rob Crittenden wrote:
>> Update kerberos password policy values on LDAP binds. This is so
>> locked-out accounts in kerberos don't try things using LDAP instead.
>>
>> On a failed bind this will update krbLoginFailedCount and
>> krbLastFailedAuth and will potentially fail the bind altogether.
>>
>> On a successful bind it will zero krbLoginFailedCount and set
>> krbLastSuccessfulAuth.
>>
>> This will also enforce locked-out accounts.
>>
>> See http://k5wiki.kerberos.org/wiki/Projects/Lockout for details on
>> kerberos lockout.
>>
>> ticket 343
>
> Ack, good job
>
> Jan

Simo and Nathan pointed out that the update model I'm using is vulnerable to
multi-threaded attack and suggested that rather than using REPLACE I do a
DELETE/ADD to be sure that I'm updating the counter appropriately. I've got
the basics done, need to re-run through valgrind. Will submit another patch
shortly.

rob

From rcritten at redhat.com Tue Jan 18 15:01:59 2011
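The "680 ldap lockout" thread above ends with the point that a REPLACE of krbLoginFailedCount can be raced by concurrent failed binds, and that a DELETE of the old value plus ADD of the new one in a single modify fixes that. The following is an added model of that reasoning, not the FreeIPA plugin's code (which is a C plugin inside the directory server): it uses a small in-memory entry whose modify() is atomic and all-or-nothing, as an LDAP modify is, with a deliberately worst-case interleaving where every failed bind reads the counter before any of them writes. Entry, NoSuchValue, record_failure_replace, record_failure_delete_add and simulate_concurrent_failures are hypothetical names introduced here; the failure of a DELETE whose value is no longer present models the LDAP noSuchAttribute result.

```python
"""Added example: why REPLACE loses lockout increments under concurrent
failed binds, and why DELETE(old)/ADD(new) in one modify does not."""
import threading


class NoSuchValue(Exception):
    """Models the LDAP noSuchAttribute result: deleting a value that is not
    present fails, and with it the entire modify operation."""


class Entry:
    """Minimal in-memory directory entry; modify() is atomic like a real DS."""

    def __init__(self, attrs):
        self.attrs = {k: list(v) for k, v in attrs.items()}
        self._lock = threading.Lock()

    def get(self, attr):
        return list(self.attrs.get(attr, []))

    def modify(self, mods):
        """mods: list of (op, attr, values); applied all-or-nothing."""
        with self._lock:
            new = {k: list(v) for k, v in self.attrs.items()}
            for op, attr, values in mods:
                cur = new.setdefault(attr, [])
                if op == "delete":
                    for v in values:
                        if v not in cur:
                            raise NoSuchValue(attr, v)   # nothing committed
                        cur.remove(v)
                elif op == "add":
                    cur.extend(values)
                elif op == "replace":
                    new[attr] = list(values)
                else:
                    raise ValueError("unknown op %r" % op)
            self.attrs = new


def read_count(entry):
    return int(entry.get("krbLoginFailedCount")[0])


def record_failure_replace(entry, observed):
    """Write phase of the REPLACE approach: blindly store observed + 1,
    whatever the counter holds by now. Always 'succeeds'."""
    entry.modify([("replace", "krbLoginFailedCount", [str(observed + 1)])])
    return True


def record_failure_delete_add(entry, observed):
    """DELETE the value we read and ADD its successor in one modify. This
    only succeeds if nobody else changed the counter since we read it."""
    try:
        entry.modify([("delete", "krbLoginFailedCount", [str(observed)]),
                      ("add", "krbLoginFailedCount", [str(observed + 1)])])
        return True
    except NoSuchValue:
        return False


def simulate_concurrent_failures(strategy, binds=2, retries=8):
    """Worst-case interleaving: all `binds` failed binds read the counter
    first, then each applies its write. Returns the final counter value."""
    entry = Entry({"krbLoginFailedCount": ["0"]})
    observed = [read_count(entry) for _ in range(binds)]
    for obs in observed:
        for _ in range(retries):
            if strategy(entry, obs):
                break
            obs = read_count(entry)   # lost the race: re-read, try again
    return read_count(entry)


def successful_bind(entry):
    """A good bind resets the counter. REPLACE is fine here because the new
    value does not depend on the old one. Returns the new count."""
    entry.modify([("replace", "krbLoginFailedCount", ["0"])])
    return read_count(entry)


def is_locked_out(entry, max_failures):
    """Bind-time enforcement: refuse once the policy's maximum is reached."""
    return read_count(entry) >= max_failures


if __name__ == "__main__":
    print("REPLACE, 2 racing failures ->", simulate_concurrent_failures(record_failure_replace))
    print("DELETE/ADD, 2 racing failures ->", simulate_concurrent_failures(record_failure_delete_add))
```

With REPLACE two racing failures end at 1, so an attacker who fires attempts in parallel gets more tries than the policy allows; with DELETE/ADD the second write fails, re-reads and ends at 2. A real implementation also tracks krbLastFailedAuth and the policy's lockout duration, which this model leaves out.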
From: rcritten at redhat.com (Rob Crittenden)
Date: Tue, 18 Jan 2011 10:01:59 -0500
Subject: [Freeipa-devel] [PATCH] admiyo-0149-jslint-cleanup
In-Reply-To: <4D353B84.9040805@redhat.com>
References: <4D345C4C.70909@redhat.com> <4D353B84.9040805@redhat.com>
Message-ID: <4D35AB67.8050508@redhat.com>

Endi Sukma Dewata wrote:
> On 1/17/2011 10:12 PM, Adam Young wrote:
>> After this patch is applied, running
>>
>> jsl -conf jsl.conf
>>
>> will report no errors. Running clean is then a requirement for
>> committing patches to the javascript code base
>
> ACK and pushed to master.
>

Should this be done as part of the build process or are we going to make
individual developers responsible for running it?

rob

From ssorce at redhat.com Tue Jan 18 15:06:25 2011
From: ssorce at redhat.com (Simo Sorce)
Date: Tue, 18 Jan 2011 10:06:25 -0500
Subject: [Freeipa-devel] [PATCH] Modified description of nsaccountlock attribute
In-Reply-To: <201101181000.33620.jzeleny@redhat.com>
References: <201101181000.33620.jzeleny@redhat.com>
Message-ID: <20110118100625.31e36482@willson.li.ssimo.org>

On Tue, 18 Jan 2011 10:00:33 +0100
Jan Zelený wrote:

> The original one was misleading, giving the value exactly the opposite
> meaning from what it actually has.
>
> https://fedorahosted.org/freeipa/ticket/741
>
> Jan

Ack, pushed to master.

Simo.

--
Simo Sorce * Red Hat, Inc * New York

From ssorce at redhat.com Tue Jan 18 15:07:29 2011
From: ssorce at redhat.com (Simo Sorce) Date: Tue, 18 Jan 2011 10:07:29 -0500 Subject: [Freeipa-devel] [PATCH] Better output from ipactl command In-Reply-To: <201101181032.36625.jzeleny@redhat.com> References: <20110117114940.1bd66bcb@willson.li.ssimo.org> <201101181032.36625.jzeleny@redhat.com> Message-ID: <20110118100729.0234d548@willson.li.ssimo.org> On Tue, 18 Jan 2011 10:32:36 +0100 Jan Zelený wrote: > Simo Sorce wrote: > > The following 2 patches enhance the ipactl command output (also > > used in the ipa init script). > > > > The first patch fixes ticket #765, the second is just for coherency > > with other scripts like this. > > > > Simo. > > Ack for the 0056 > > Conditional ACK for 0057 - I believe there shouldn't be print on line > 31 of the patch. Otherwise the patch is good, so if you remove the > print, then ACK. Fixed this and the double import of sys and pushed both to master. Simo. -- Simo Sorce * Red Hat, Inc * New York From ssorce at redhat.com Tue Jan 18 15:07:38 2011 From: ssorce at redhat.com (Simo Sorce) Date: Tue, 18 Jan 2011 10:07:38 -0500 Subject: [Freeipa-devel] [PATCH] fix selinux policies for ipa_kpasswd In-Reply-To: <201101181036.19038.jzeleny@redhat.com> References: <20110117115322.45b3e515@willson.li.ssimo.org> <201101181036.19038.jzeleny@redhat.com> Message-ID: <20110118100738.6bb352cd@willson.li.ssimo.org> On Tue, 18 Jan 2011 10:36:19 +0100 Jan Zelený wrote: > Simo Sorce wrote: > > The ipa_kpasswd daemon apparently can't listen on udp due to an > > error in the selinux policies. > > > > The attached patch fixes it. > > > > Simo. > > ack Thanks, pushed to master. Simo. -- Simo Sorce * Red Hat, Inc * New York From ssorce at redhat.com Tue Jan 18 15:08:17 2011
From: ssorce at redhat.com (Simo Sorce) Date: Tue, 18 Jan 2011 10:08:17 -0500 Subject: [Freeipa-devel] [PATCH] 681 set default maxint In-Reply-To: <201101181054.14120.jzeleny@redhat.com> References: <4D34B462.5050704@redhat.com> <201101181054.14120.jzeleny@redhat.com> Message-ID: <20110118100817.6e82d1fb@willson.li.ssimo.org> On Tue, 18 Jan 2011 10:54:14 +0100 Jan Zelený wrote: > Rob Crittenden wrote: > > Set a default for maxint that matches what xmlrpclib can handle. > > Also handle marshalling errors from xmlrpclib so users don't get a > > backtrace. > > > > This was discovered by a typo in a dns serial number which exceeded > > 4 bytes. To test try something like: > > > > $ ipa dnszone-add --name-server=192.168.122.214 > > --admin-email=test at example.com --serial=20100101010 --refresh=300 > > --retry=300 --expire=1200000 --minimum=3000 --maximum=9200 --ttl=100 > > newzone > > > > ticket 770 > > > > rob > > ack Pushed to master. Simo. -- Simo Sorce * Red Hat, Inc * New York From ssorce at redhat.com Tue Jan 18 15:08:32 2011 From: ssorce at redhat.com (Simo Sorce) Date: Tue, 18 Jan 2011 10:08:32 -0500 Subject: [Freeipa-devel] [PATCH] Password generation and logging in ipa-server-install In-Reply-To: <1295351362.14272.0.camel@dhcp-25-52.brq.redhat.com> References: <1295351362.14272.0.camel@dhcp-25-52.brq.redhat.com> Message-ID: <20110118100832.1e8b255a@willson.li.ssimo.org> On Tue, 18 Jan 2011 12:49:22 +0100 Martin Kosek wrote: > When a randomly generated password contains a space character > as the first or the last character, installation fails on > kdb5_ldap_util calling, which does not accept that. This patch > fixes the generator to generate a space only in allowed positions. > > This patch also ensures that no password is printed to > server install log. > > https://fedorahosted.org/freeipa/ticket/731 > Ack, and pushed to master. Simo. -- Simo Sorce * Red Hat, Inc * New York From jhrozek at redhat.com Tue Jan 18 15:31:21 2011
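The ticket-770 fix Rob describes above exists because an XML-RPC `<int>` is a four-byte signed value (maximum 2147483647), while a DNS SOA serial is a 32-bit unsigned counter (up to 4294967295). A serial that is perfectly legal DNS, let alone the 11-digit typo in the test command, therefore fails inside the marshaller rather than in parameter validation, and the user sees a backtrace. The block below is an added example written for this page, not FreeIPA's parameter or RPC code: a minimal integer parameter whose default range is the marshaller's own limit, and a wrapper that turns the marshaller's `OverflowError` into a clean error. It uses Python 3's `xmlrpc.client` (the successor of the `xmlrpclib` named in the message, with the same `MAXINT`/`MININT` limits); `IntParam`, `ValidationError`, `MarshalError`, `SOA_PARAMS` and `dnszone_add_request` are names chosen here.

```python
import xmlrpc.client


class ValidationError(ValueError):
    """A parameter value the caller can fix (out of range, wrong type)."""


class MarshalError(ValueError):
    """A value that cannot be encoded on the wire at all."""


class IntParam:
    """Integer parameter with range checking. Without an explicit maxvalue
    the range defaults to what an XML-RPC <int> can carry, which is what
    the message's patch does for the framework's default maxint."""

    def __init__(self, name, minvalue=None, maxvalue=None):
        self.name = name
        self.minvalue = xmlrpc.client.MININT if minvalue is None else minvalue
        self.maxvalue = xmlrpc.client.MAXINT if maxvalue is None else maxvalue

    def validate(self, value):
        # bool is a subclass of int; reject it explicitly.
        if isinstance(value, bool) or not isinstance(value, int):
            raise ValidationError(f"{self.name}: must be an integer")
        if value < self.minvalue:
            raise ValidationError(
                f"{self.name}: must be at least {self.minvalue}")
        if value > self.maxvalue:
            raise ValidationError(
                f"{self.name}: must be at most {self.maxvalue}")
        return value


def marshal_call(method, params):
    """Encode an XML-RPC request body. xmlrpc.client raises OverflowError
    for an int outside [MININT, MAXINT]; map it to MarshalError so callers
    get a one-line error instead of a traceback from inside the library."""
    try:
        return xmlrpc.client.dumps(tuple(params), methodname=method)
    except OverflowError as e:
        raise MarshalError(f"{method}: {e}") from None


# SOA options from the message's dnszone-add test command. The serial is
# capped at the XML-RPC limit rather than the DNS limit of 2**32-1 because
# that is all this wire encoding can carry (an assumption of this example,
# not a statement about FreeIPA's schema).
SOA_PARAMS = {
    "serial": IntParam("serial", minvalue=1),
    "refresh": IntParam("refresh", minvalue=0),
    "retry": IntParam("retry", minvalue=0),
    "expire": IntParam("expire", minvalue=0),
    "minimum": IntParam("minimum", minvalue=0),
    "ttl": IntParam("ttl", minvalue=0),
}


def validate_soa(options):
    """Validate every SOA option; return the checked dict or raise
    ValidationError naming the offending parameter."""
    return {k: SOA_PARAMS[k].validate(v) for k, v in options.items()}


def dnszone_add_request(zone, options):
    """Validate first, then marshal. With the default maxvalue the bad
    serial is rejected by validate_soa before the marshaller sees it;
    marshal_call is the backstop for anything that slips past validation."""
    checked = validate_soa(options)
    return marshal_call("dnszone_add", [zone, checked])


if __name__ == "__main__":
    try:
        dnszone_add_request("newzone", {"serial": 20100101010})
    except ValidationError as err:
        print("rejected:", err)
    print(dnszone_add_request("newzone", {"serial": 2010010101, "ttl": 100}))
```

The design point is the order of the two checks: the range check runs on every integer parameter before anything is serialized, so the limit is enforced uniformly and reported by parameter name, while the `OverflowError` handler only exists so that a path without validation still cannot surface a library traceback to the user.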
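Martin's ticket-731 fix above has two halves: a generator that can still use the space character but never places it where `kdb5_ldap_util` rejects it, and an installer that never writes the password to its log. The block below is an added example, not FreeIPA's generator or installer code. The character classes, the password length and the `loggable_argv` helper are assumptions of this example; the constraint itself (no leading or trailing space) is the one the message states.

```python
import secrets
import string

# Character classes are an assumption of this example; the message does not
# say which set FreeIPA's generator draws from.
INNER_CHARS = string.ascii_letters + string.digits + string.punctuation + " "
EDGE_CHARS = INNER_CHARS.replace(" ", "")
PLACEHOLDER = "XXXXXXXX"


def generate_password(length=22):
    """Return a CSPRNG-generated password in which a space can occur only in
    the interior. The first and last positions are drawn from a set without
    the space, so the constraint holds by construction instead of by
    generate-and-retry, and the length is always exactly what was asked."""
    if length < 2:
        raise ValueError("length must be at least 2")
    first = secrets.choice(EDGE_CHARS)
    last = secrets.choice(EDGE_CHARS)
    middle = "".join(secrets.choice(INNER_CHARS) for _ in range(length - 2))
    return first + middle + last


def acceptable_to_kdb5(password):
    """The constraint from the message: non-empty, no space at either end."""
    return bool(password) and password[0] != " " and password[-1] != " "


def loggable_argv(argv, secret_values):
    """Copy of a command line that is safe to write to an install log: any
    argument equal to a secret is replaced, whether it is a bare argument
    or the value half of an --option=value pair."""
    out = []
    for arg in argv:
        if arg in secret_values:
            out.append(PLACEHOLDER)
            continue
        opt, sep, val = arg.partition("=")
        if sep and val in secret_values:
            out.append(opt + sep + PLACEHOLDER)
        else:
            out.append(arg)
    return out


if __name__ == "__main__":
    pw = generate_password()
    # Flag names below are illustrative, not a statement of the real
    # kdb5_ldap_util invocation the installer uses.
    argv = ["kdb5_ldap_util", "-P", pw, "create", "-s"]
    print(acceptable_to_kdb5(pw), loggable_argv(argv, {pw}))
```

Drawing the edge characters from a smaller set is a deliberate choice over rejection sampling: it keeps generation constant-time and keeps every interior position's distribution unchanged, at the cost of one fewer candidate character at the two ends. The log helper compares whole argument values rather than searching for the secret as a substring, so a short password cannot cause unrelated arguments to be blanked.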
From: jhrozek at redhat.com (Jakub Hrozek) Date: Tue, 18 Jan 2011 16:31:21 +0100 Subject: [Freeipa-devel] [PATCH] Move HBAC services and service groups to cn=hbac In-Reply-To: <201101181115.08663.jzeleny@redhat.com> References: <201101181115.08663.jzeleny@redhat.com> Message-ID: <4D35B249.4030403@redhat.com> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 On 01/18/2011 11:15 AM, Jan Zelený wrote: > I've already posted a patch to SSSD to keep up with this change. > > https://fedorahosted.org/freeipa/ticket/762 > Nack, breaks the installation: [18/29]: adding default layout root : CRITICAL Failed to load bootstrap-template.ldif: Command '/usr/bin/ldapmodify -h vm-122.idm.lab.bos.redhat.com -v -f /tmp/tmpc5sGli -x -D cn=Directory Manager -y /tmp/tmpWGDQtv' returned non-zero exit status 32 -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.11 (GNU/Linux) Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org/ iEYEARECAAYFAk01skkACgkQHsardTLnvCWd3ACbBAQ/995XRfv+oLyGdlij91qg LEMAnisZBhn8RzSHxwu7FK6afFlJk/C/ =2stD -----END PGP SIGNATURE----- From ayoung at redhat.com Tue Jan 18 15:33:18 2011 From: ayoung at redhat.com (Adam Young) Date: Tue, 18 Jan 2011 10:33:18 -0500 Subject: [Freeipa-devel] [PATCH] dns action controls (one liner) Message-ID: <4D35B2BE.9020308@redhat.com> Pushed under the one line rule commit c596b92591fe18d9fab924e4e34ab595ed574ca4 Author: Adam Young Date: Tue Jan 18 08:50:23 2011 -0500 dns action controls was adding the action controls to multiple lines. Now only one diff --git a/install/static/policy.js b/install/static/policy.js index 36222c6..eeec44e 100644 --- a/install/static/policy.js +++ b/install/static/policy.js @@ -326,7 +326,8 @@ IPA.records_facet = function (spec){ 'click': function(){refresh();} }).appendTo(control_span); - var action_panel_ul = $('.action-panel ul', that.container); + var action_panel_ul = $('.action-panel .entity-facet', that.container). + last(); var action_controls = $('
  • ',{ "class":"action-controls"}).appendTo(action_panel_ul); From ayoung at redhat.com Tue Jan 18 15:34:54 2011 From: ayoung at redhat.com (Adam Young) Date: Tue, 18 Jan 2011 10:34:54 -0500 Subject: [Freeipa-devel] [PATCH] Fix crash when building DN of host with name ending with period. In-Reply-To: <4D3597AC.3040906@redhat.com> References: <4D3597AC.3040906@redhat.com> Message-ID: <4D35B31E.1010300@redhat.com> On 01/18/2011 08:37 AM, Pavel Zuna wrote: > Fix #797 > > Pavel > > > _______________________________________________ > Freeipa-devel mailing list > Freeipa-devel at redhat.com > https://www.redhat.com/mailman/listinfo/freeipa-devel ACK -------------- next part -------------- An HTML attachment was scrubbed... URL: From ayoung at redhat.com Tue Jan 18 15:35:13 2011 From: ayoung at redhat.com (Adam Young) Date: Tue, 18 Jan 2011 10:35:13 -0500 Subject: [Freeipa-devel] [PATCH] Remove SOA maximum parameter from DNS zone. In-Reply-To: <4D3597F3.2060704@redhat.com> References: <4D3597F3.2060704@redhat.com> Message-ID: <4D35B331.5010201@redhat.com> On 01/18/2011 08:38 AM, Pavel Zuna wrote: > There's no such thing as "maximum" in SOA record RDATA format > according to RFC 1035 and there's also no such attribute in the schema. > > Fix #788 > > https://bugzilla.redhat.com/show_bug.cgi?id=670343 > > Pavel > > > _______________________________________________ > Freeipa-devel mailing list > Freeipa-devel at redhat.com > https://www.redhat.com/mailman/listinfo/freeipa-devel ACK -------------- next part -------------- An HTML attachment was scrubbed... URL: From edewata at redhat.com Tue Jan 18 15:36:18 2011 
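Review bot: in the policy.js hunk, the new selector `$('.action-panel .entity-facet', that.container).last()` has no failure mode; if no `.entity-facet` element exists the jQuery set is empty, `.last()` stays empty, and the following `.appendTo(action_panel_ul)` silently adds nothing, so the action controls would vanish with no error rather than being duplicated as before. Add a guard or assertion on the selection's `.length` before appending, and rename `action_panel_ul`, which no longer describes what is selected now that the target is an `.entity-facet` element rather than a `ul`.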
From: edewata at redhat.com (Endi Sukma Dewata) Date: Tue, 18 Jan 2011 22:36:18 +0700 Subject: [Freeipa-devel] [PATCH] admiyo-0149-jslint-cleanup In-Reply-To: <4D35AB67.8050508@redhat.com> References: <4D345C4C.70909@redhat.com> <4D353B84.9040805@redhat.com> <4D35AB67.8050508@redhat.com> Message-ID: <4D35B372.2050701@redhat.com> On 1/18/2011 10:01 PM, Rob Crittenden wrote: >>> After this patch is applied running, >>> >>> jsl -conf jsl.conf >>> >>> Will report no errors. Running clean is then a requirement for >>> committing patches to the javascript code base > Should this be done as part of the build process or are we going to make > individual developers responsible for running it? The tool doesn't produce any artifacts that need to be included in the distribution. I'd say it should be done by anyone modifying javascript code, but the build process can also run it for reporting purposes. -- Endi S. Dewata From jhrozek at redhat.com Tue Jan 18 15:37:58 2011 From: jhrozek at redhat.com (Jakub Hrozek) Date: Tue, 18 Jan 2011 16:37:58 +0100 Subject: [Freeipa-devel] [PATCH] 0060 fix ipa-join, prevent it crashing In-Reply-To: <20110117194848.326a097c@willson.li.ssimo.org> References: <20110117194848.326a097c@willson.li.ssimo.org> Message-ID: <4D35B3D6.8090909@redhat.com> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 On 01/18/2011 01:48 AM, Simo Sorce wrote: > > Fix an ipa-join segfault due to improper handling of NULL credentials. > > Fixes ticket #783. > > Simo. > Ack -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.11 (GNU/Linux) Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org/ iEYEARECAAYFAk01s9UACgkQHsardTLnvCXzXQCgigh3XptWSgclQdNy9Rjdc8N6 JxIAoOqz0NnrR1yA/IEEwC7yN5VfkT5z =bgoM -----END PGP SIGNATURE----- From ayoung at redhat.com Tue Jan 18 15:43:07 2011
From: ayoung at redhat.com (Adam Young) Date: Tue, 18 Jan 2011 10:43:07 -0500 Subject: [Freeipa-devel] [PATCH] admiyo-0149-jslint-cleanup In-Reply-To: <4D35B372.2050701@redhat.com> References: <4D345C4C.70909@redhat.com> <4D353B84.9040805@redhat.com> <4D35AB67.8050508@redhat.com> <4D35B372.2050701@redhat.com> Message-ID: <4D35B50B.5050703@redhat.com> On 01/18/2011 10:36 AM, Endi Sukma Dewata wrote: > On 1/18/2011 10:01 PM, Rob Crittenden wrote: >>>> After this patch is applied running, >>>> >>>> jsl -conf jsl.conf >>>> >>>> Will report no errors. Running clean is then a requirement for >>>> committing patches to the javascript code base > >> Should this be done as part of the build process or are we going to make >> individual developers responsible for running it? I'm mixed. We can do a lot of web development without running the build, so we are unlikely to see the build failures for minor tweaks, and it will add yet another step in to slow down the build. I vote for it being part of the code review process for now. > > The tool doesn't produce any artifacts that needs to be included in > the distribution. I'd say it should be done by anyone modifying > javascript code, but the build process can also run it for reporting > purposes. > From edewata at redhat.com Tue Jan 18 15:42:36 2011 
From: edewata at redhat.com (Endi Sukma Dewata) Date: Tue, 18 Jan 2011 22:42:36 +0700 Subject: [Freeipa-devel] [PATCH] Force flag for Hosts and Services. Message-ID: <4D35B4EC.4070108@redhat.com> Hi, The attached patch addresses this bug: https://fedorahosted.org/freeipa/ticket/639 The add dialogs for Hosts and Services have been updated to include a checkbox to force adding hosts/services that are not in DNS. The widgets have been updated to support tooltips. -- Endi S. Dewata -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-edewata-0076-Force-flag-for-Hosts-and-Services.patch Type: text/x-patch Size: 9257 bytes Desc: not available URL: From ayoung at redhat.com Tue Jan 18 16:50:02 2011 From: ayoung at redhat.com (Adam Young) Date: Tue, 18 Jan 2011 11:50:02 -0500 Subject: [Freeipa-devel] [PATCH] Unprovision message and buttons adjustments. In-Reply-To: <4D354360.70202@redhat.com> References: <4D354360.70202@redhat.com> Message-ID: <4D35C4BA.8060504@redhat.com> On 01/18/2011 02:38 AM, Endi Sukma Dewata wrote: > Hi, > > The message and buttons in the unprovision dialog box have been > updated according to the latest spec. > > > _______________________________________________ > Freeipa-devel mailing list > Freeipa-devel at redhat.com > https://www.redhat.com/mailman/listinfo/freeipa-devel ACK, but fix the jsl warnings before pushing. -------------- next part -------------- An HTML attachment was scrubbed... URL: From ayoung at redhat.com Tue Jan 18 16:51:12 2011
From: ayoung at redhat.com (Adam Young) Date: Tue, 18 Jan 2011 11:51:12 -0500 Subject: [Freeipa-devel] [PATCH] CSS class for buttons without icons. In-Reply-To: <4D353CF3.8030203@redhat.com> References: <4D353CF3.8030203@redhat.com> Message-ID: <4D35C500.5000106@redhat.com> On 01/18/2011 02:10 AM, Endi Sukma Dewata wrote: > Hi, > > The attached patch addresses item #5 of this bug: > https://fedorahosted.org/freeipa/ticket/670 > > A new CSS class has been added for buttons without icons. The > IPA.button() has been modified to use this class if there is > no icons specified. > > > _______________________________________________ > Freeipa-devel mailing list > Freeipa-devel at redhat.com > https://www.redhat.com/mailman/listinfo/freeipa-devel ACK and pushed to master -------------- next part -------------- An HTML attachment was scrubbed... URL: From ayoung at redhat.com Tue Jan 18 16:51:24 2011 From: ayoung at redhat.com (Adam Young) Date: Tue, 18 Jan 2011 11:51:24 -0500 Subject: [Freeipa-devel] [PATCH] New certificate and Kerberos key status behavior. In-Reply-To: <4D353C4F.8000503@redhat.com> References: <4D353C4F.8000503@redhat.com> Message-ID: <4D35C50C.5030601@redhat.com> On 01/18/2011 02:07 AM, Endi Sukma Dewata wrote: > Hi, > > The attached patch is a further adjustment for item #3 of this bug: > https://fedorahosted.org/freeipa/ticket/670 > > The status panel for certificates and Kerberos keys has been > modified to display only the current status with the relevant buttons. > New icons have been added to replace the red/yellow/green bullets. > > > _______________________________________________ > Freeipa-devel mailing list > Freeipa-devel at redhat.com > https://www.redhat.com/mailman/listinfo/freeipa-devel ACK and pushed to master -------------- next part -------------- An HTML attachment was scrubbed... URL: From ssorce at redhat.com Tue Jan 18 16:50:09 2011 
From: ssorce at redhat.com (Simo Sorce) Date: Tue, 18 Jan 2011 11:50:09 -0500 Subject: [Freeipa-devel] [PATCH] Move HBAC services and service groups to cn=hbac In-Reply-To: <4D35B249.4030403@redhat.com> References: <201101181115.08663.jzeleny@redhat.com> <4D35B249.4030403@redhat.com> Message-ID: <20110118115009.6eab2487@willson.li.ssimo.org> On Tue, 18 Jan 2011 16:31:21 +0100 Jakub Hrozek wrote: > -----BEGIN PGP SIGNED MESSAGE----- > Hash: SHA1 > > On 01/18/2011 11:15 AM, Jan Zelený wrote: > > I've already posted a patch to SSSD to keep up with this change. > > > > https://fedorahosted.org/freeipa/ticket/762 > > > > Nack, breaks the installation: > > [18/29]: adding default layout > root : CRITICAL Failed to load bootstrap-template.ldif: Command > '/usr/bin/ldapmodify -h vm-122.idm.lab.bos.redhat.com -v -f > /tmp/tmpc5sGli -x -D cn=Directory Manager -y /tmp/tmpWGDQtv' returned > non-zero exit status 32 Ok I fixed this problem by squashing in the attached patch. With the patch it passed my tests so I acked and pushed to master. Simo. -- Simo Sorce * Red Hat, Inc * New York -------------- next part -------------- A non-text attachment was scrubbed... Name: 0001-Fix-hbac-patch.patch Type: text/x-patch Size: 1083 bytes Desc: not available URL: From ssorce at redhat.com Tue Jan 18 17:06:38 2011
From: ssorce at redhat.com (Simo Sorce) Date: Tue, 18 Jan 2011 12:06:38 -0500 Subject: [Freeipa-devel] [PATCH] 0060 fix ipa-join, prevent it crashing In-Reply-To: <4D35B3D6.8090909@redhat.com> References: <20110117194848.326a097c@willson.li.ssimo.org> <4D35B3D6.8090909@redhat.com> Message-ID: <20110118120638.65bda87c@willson.li.ssimo.org> On Tue, 18 Jan 2011 16:37:58 +0100 Jakub Hrozek wrote: > On 01/18/2011 01:48 AM, Simo Sorce wrote: > > > > Fix an ipa-join segfault due to improper handling of NULL > > credentials. > > > > Fixes ticket #783. > > > > Simo. > > > > Ack Thanks, pushed to master. Simo. -- Simo Sorce * Red Hat, Inc * New York From edewata at redhat.com Tue Jan 18 17:23:13 2011 From: edewata at redhat.com (Endi Sukma Dewata) Date: Wed, 19 Jan 2011 00:23:13 +0700 Subject: [Freeipa-devel] [PATCH] Unprovision message and buttons adjustments. In-Reply-To: <4D35C4BA.8060504@redhat.com> References: <4D354360.70202@redhat.com> <4D35C4BA.8060504@redhat.com> Message-ID: <4D35CC81.3040500@redhat.com> On 1/18/2011 11:50 PM, Adam Young wrote: >> The message and buttons in the unprovision dialog box have been >> updated according to the latest spec. > ACK, but fix the jsl warnings before pushing. Fixed and pushed to master. -- Endi S. Dewata From edewata at redhat.com Tue Jan 18 17:24:59 2011
From: edewata at redhat.com (Endi Sukma Dewata) Date: Wed, 19 Jan 2011 00:24:59 +0700 Subject: [Freeipa-devel] [PATCH] Force flag for Hosts and Services. In-Reply-To: <4D35B4EC.4070108@redhat.com> References: <4D35B4EC.4070108@redhat.com> Message-ID: <4D35CCEB.6020008@redhat.com> On 1/18/2011 10:42 PM, Endi Sukma Dewata wrote: > The attached patch addresses this bug: > https://fedorahosted.org/freeipa/ticket/639 > > The add dialogs for Hosts and Services have been updated to include > a checkbox to force adding hosts/services that are not in DNS. > > The widgets have been updated to support tooltips. Rebased against the latest. -- Endi S. Dewata -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-edewata-0076-2-Force-flag-for-Hosts-and-Services.patch Type: text/x-patch Size: 8506 bytes Desc: not available URL: From pzuna at redhat.com Tue Jan 18 17:26:44 2011 From: pzuna at redhat.com (Pavel Zuna) Date: Tue, 18 Jan 2011 18:26:44 +0100 Subject: [Freeipa-devel] [PATCH] Fix updating of DNS records by the host plugin. Message-ID: <4D35CD54.9090401@redhat.com> Fix #799 Pavel -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pzuna-61-updatedns.patch Type: text/x-patch Size: 2376 bytes Desc: not available URL: From pzuna at redhat.com Tue Jan 18 17:27:16 2011 From: pzuna at redhat.com (Pavel Zuna) Date: Tue, 18 Jan 2011 18:27:16 +0100 Subject: [Freeipa-devel] [PATCH] Fix password/random logic in host plugin. Message-ID: <4D35CD74.6070402@redhat.com> Fix #798 Pavel -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pzuna-62-hostlogic.patch Type: text/x-patch Size: 1921 bytes Desc: not available URL: From jhrozek at redhat.com Tue Jan 18 17:32:03 2011
From: jhrozek at redhat.com (Jakub Hrozek) Date: Tue, 18 Jan 2011 18:32:03 +0100 Subject: [Freeipa-devel] [PATCH] Fix updating of DNS records by the host plugin. In-Reply-To: <4D35CD54.9090401@redhat.com> References: <4D35CD54.9090401@redhat.com> Message-ID: <4D35CE93.6000504@redhat.com> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 On 01/18/2011 06:26 PM, Pavel Zuna wrote: > Fix #799 > > Pavel > Ack (fast ack as I tested the patch off-list before Pavel sent it) I didn't see the bug during my testing as I only develop against real Apache installation where this works OK. Pavel found it with lite-server. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.11 (GNU/Linux) Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org/ iEYEARECAAYFAk01zpMACgkQHsardTLnvCUbiQCdEkzMAVRASzjP7PhPiL1V9yqa 5EYAn3aGfGB+tFzvPyw7p/fm1nm97/L0 =Hm87 -----END PGP SIGNATURE----- From jhrozek at redhat.com Tue Jan 18 17:32:30 2011 From: jhrozek at redhat.com (Jakub Hrozek) Date: Tue, 18 Jan 2011 18:32:30 +0100 Subject: [Freeipa-devel] [PATCH] Fix password/random logic in host plugin. In-Reply-To: <4D35CD74.6070402@redhat.com> References: <4D35CD74.6070402@redhat.com> Message-ID: <4D35CEAE.7060908@redhat.com> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 On 01/18/2011 06:27 PM, Pavel Zuna wrote: > Fix #798 > > Pavel > Ack (again, fast ack because I tested off-list before sending) -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.11 (GNU/Linux) Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org/ iEYEARECAAYFAk01zq4ACgkQHsardTLnvCUkXACg4Se47znJxYjfaeGq2ViXWb+h XcQAoNSNzEzoqzDH8d/FaetU2qv+EPi/ =KpUx -----END PGP SIGNATURE----- From ayoung at redhat.com Tue Jan 18 17:37:03 2011 
From: ayoung at redhat.com (Adam Young) Date: Tue, 18 Jan 2011 12:37:03 -0500 Subject: [Freeipa-devel] [PATCH] Force flag for Hosts and Services. In-Reply-To: <4D35CCEB.6020008@redhat.com> References: <4D35B4EC.4070108@redhat.com> <4D35CCEB.6020008@redhat.com> Message-ID: <4D35CFBF.4060302@redhat.com> On 01/18/2011 12:24 PM, Endi Sukma Dewata wrote: > On 1/18/2011 10:42 PM, Endi Sukma Dewata wrote: >> The attached patch addresses this bug: >> https://fedorahosted.org/freeipa/ticket/639 >> >> The add dialogs for Hosts and Services have been updated to include >> a checkbox to force adding hosts/services that are not in DNS. >> >> The widgets have been updated to support tooltips. > > Rebased against the latest. > > > _______________________________________________ > Freeipa-devel mailing list > Freeipa-devel at redhat.com > https://www.redhat.com/mailman/listinfo/freeipa-devel ACK -------------- next part -------------- An HTML attachment was scrubbed... URL: From edewata at redhat.com Tue Jan 18 17:36:54 2011 From: edewata at redhat.com (Endi Sukma Dewata) Date: Wed, 19 Jan 2011 00:36:54 +0700 Subject: [Freeipa-devel] [PATCH] Force flag for Hosts and Services. In-Reply-To: <4D35CFBF.4060302@redhat.com> References: <4D35B4EC.4070108@redhat.com> <4D35CCEB.6020008@redhat.com> <4D35CFBF.4060302@redhat.com> Message-ID: <4D35CFB6.40202@redhat.com> On 1/19/2011 12:37 AM, Adam Young wrote: > ACK Pushed to master. -- Endi S. Dewata From ayoung at redhat.com Tue Jan 18 17:47:15 2011
From: ayoung at redhat.com (Adam Young) Date: Tue, 18 Jan 2011 12:47:15 -0500 Subject: [Freeipa-devel] [PATCH] Fix crash when building DN of host with name ending with period. In-Reply-To: <4D35B31E.1010300@redhat.com> References: <4D3597AC.3040906@redhat.com> <4D35B31E.1010300@redhat.com> Message-ID: <4D35D223.8020601@redhat.com> On 01/18/2011 10:34 AM, Adam Young wrote: > On 01/18/2011 08:37 AM, Pavel Zuna wrote: >> Fix #797 >> >> Pavel >> >> >> _______________________________________________ >> Freeipa-devel mailing list >> Freeipa-devel at redhat.com >> https://www.redhat.com/mailman/listinfo/freeipa-devel > ACK > > > _______________________________________________ > Freeipa-devel mailing list > Freeipa-devel at redhat.com > https://www.redhat.com/mailman/listinfo/freeipa-devel Pushed to master -------------- next part -------------- An HTML attachment was scrubbed... URL: From ayoung at redhat.com Tue Jan 18 17:47:25 2011 
From: ayoung at redhat.com (Adam Young) Date: Tue, 18 Jan 2011 12:47:25 -0500 Subject: [Freeipa-devel] [PATCH] Remove SOA maximum parameter from DNS zone. In-Reply-To: <4D35B331.5010201@redhat.com> References: <4D3597F3.2060704@redhat.com> <4D35B331.5010201@redhat.com> Message-ID: <4D35D22D.1050409@redhat.com> On 01/18/2011 10:35 AM, Adam Young wrote: > On 01/18/2011 08:38 AM, Pavel Zuna wrote: >> There's no such thing as "maximum" in SOA record RDATA format >> according to RFC 1035 and there's also no such attribute in the schema. >> >> Fix #788 >> >> https://bugzilla.redhat.com/show_bug.cgi?id=670343 >> >> Pavel >> >> >> _______________________________________________ >> Freeipa-devel mailing list >> Freeipa-devel at redhat.com >> https://www.redhat.com/mailman/listinfo/freeipa-devel > ACK > > > _______________________________________________ > Freeipa-devel mailing list > Freeipa-devel at redhat.com > https://www.redhat.com/mailman/listinfo/freeipa-devel Pushed to master -------------- next part -------------- An HTML attachment was scrubbed... URL: From ayoung at redhat.com Tue Jan 18 17:47:38 2011 
From: ayoung at redhat.com (Adam Young) Date: Tue, 18 Jan 2011 12:47:38 -0500 Subject: [Freeipa-devel] [PATCH] Fix updating of DNS records by the host plugin. In-Reply-To: <4D35CE93.6000504@redhat.com> References: <4D35CD54.9090401@redhat.com> <4D35CE93.6000504@redhat.com> Message-ID: <4D35D23A.7080303@redhat.com> On 01/18/2011 12:32 PM, Jakub Hrozek wrote: > -----BEGIN PGP SIGNED MESSAGE----- > Hash: SHA1 > > On 01/18/2011 06:26 PM, Pavel Zuna wrote: >> Fix #799 >> >> Pavel >> > Ack (fast ack as I tested the patch off-list before Pavel sent it) > > I didn't see the bug during my testing as I only develop against real > Apache installation where this works OK. Pavel found it with lite-server. > -----BEGIN PGP SIGNATURE----- > Version: GnuPG v1.4.11 (GNU/Linux) > Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org/ > > iEYEARECAAYFAk01zpMACgkQHsardTLnvCUbiQCdEkzMAVRASzjP7PhPiL1V9yqa > 5EYAn3aGfGB+tFzvPyw7p/fm1nm97/L0 > =Hm87 > -----END PGP SIGNATURE----- > > _______________________________________________ > Freeipa-devel mailing list > Freeipa-devel at redhat.com > https://www.redhat.com/mailman/listinfo/freeipa-devel Pushed to master From ayoung at redhat.com Tue Jan 18 17:47:49 2011 
From: ayoung at redhat.com (Adam Young) Date: Tue, 18 Jan 2011 12:47:49 -0500 Subject: [Freeipa-devel] [PATCH] Fix password/random logic in host plugin. In-Reply-To: <4D35CEAE.7060908@redhat.com> References: <4D35CD74.6070402@redhat.com> <4D35CEAE.7060908@redhat.com> Message-ID: <4D35D245.7010201@redhat.com> On 01/18/2011 12:32 PM, Jakub Hrozek wrote: > -----BEGIN PGP SIGNED MESSAGE----- > Hash: SHA1 > > On 01/18/2011 06:27 PM, Pavel Zuna wrote: >> Fix #798 >> >> Pavel >> > Ack (again, fast ack because I tested off-list before sending) > -----BEGIN PGP SIGNATURE----- > Version: GnuPG v1.4.11 (GNU/Linux) > Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org/ > > iEYEARECAAYFAk01zq4ACgkQHsardTLnvCUkXACg4Se47znJxYjfaeGq2ViXWb+h > XcQAoNSNzEzoqzDH8d/FaetU2qv+EPi/ > =KpUx > -----END PGP SIGNATURE----- > > _______________________________________________ > Freeipa-devel mailing list > Freeipa-devel at redhat.com > https://www.redhat.com/mailman/listinfo/freeipa-devel Pushed to master From ayoung at redhat.com Tue Jan 18 18:32:04 2011 From: ayoung at redhat.com (Adam Young) Date: Tue, 18 Jan 2011 13:32:04 -0500 Subject: [Freeipa-devel] [PATCH] admiyo-0151-enroll-dialog-layout. Message-ID: <4D35DCA4.8000004@redhat.com> -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-admiyo-0151-enroll-dialog-layout.patch Type: text/x-patch Size: 1089 bytes Desc: not available URL: From ayoung at redhat.com Tue Jan 18 19:17:33 2011 From: ayoung at redhat.com (Adam Young) Date: Tue, 18 Jan 2011 14:17:33 -0500 Subject: [Freeipa-devel] [PATCH] admiyo-0152-update-API Message-ID: <4D35E74D.8060706@redhat.com> -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-admiyo-0152-update-API.patch Type: text/x-patch Size: 7506 bytes Desc: not available URL: From rcritten at redhat.com Tue Jan 18 19:43:33 2011 
From: rcritten at redhat.com (Rob Crittenden) Date: Tue, 18 Jan 2011 14:43:33 -0500 Subject: [Freeipa-devel] [PATCH] admiyo-0152-update-API In-Reply-To: <4D35E74D.8060706@redhat.com> References: <4D35E74D.8060706@redhat.com> Message-ID: <4D35ED65.6060309@redhat.com> Adam Young wrote: > > > ack, pushed to master From rcritten at redhat.com Tue Jan 18 20:00:17 2011 From: rcritten at redhat.com (Rob Crittenden) Date: Tue, 18 Jan 2011 15:00:17 -0500 Subject: [Freeipa-devel] [PATCH] 680 ldap lockout In-Reply-To: <4D35A3BD.3070300@redhat.com> References: <4D3465BB.9090604@redhat.com> <201101172041.46836.jzeleny@redhat.com> <4D35A3BD.3070300@redhat.com> Message-ID: <4D35F151.8020202@redhat.com> Rob Crittenden wrote: > Jan Zeleny wrote: >> Rob Crittenden wrote: >>> Update kerberos password policy values on LDAP binds. This is so >>> locked-out accounts in kerberos don't try things using LDAP instead. >>> >>> On a failed bind this will update krbLoginFailedCount and >>> krbLastFailedAuth and will potentially fail the bind altogether. >>> >>> On a successful bind it will zero krbLoginFailedCount and set >>> krbLastSuccessfulAuth. >>> >>> This will also enforce locked-out accounts. >>> >>> See http://k5wiki.kerberos.org/wiki/Projects/Lockout for details on >>> kerberos lockout. >>> >>> ticket 343 >> >> Ack, good job >> >> Jan > > Simo and Nathan pointed out that the update model I'm using is > vulnerable to multi-threaded attack and suggested that rather than using > REPLACE I do a DELETE/ADD to be sure that I'm updating the counter > appropriately. I've got the basics done, need to re-run through > valgrind. Will submit another patch shortly. > > rob Updated patch attached. Be more careful when updating the failed count. rob -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-rcrit-680-2-lockout.patch Type: text/x-patch Size: 26562 bytes Desc: not available URL: From rcritten at redhat.com Tue Jan 18 22:30:52 2011 
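The race Rob describes in the ldap lockout thread above is worth seeing run. A plugin that reads krbLoginFailedCount, adds one and writes the result back with a REPLACE modification carries no information about what it believed the old value was, so two failed binds handled by two server threads at the same moment both read N and both write N+1: one failed attempt is never counted, and an attacker who can keep the server busy with parallel binds gets more guesses than the policy allows. A single modify request that DELETEs the specific old value and ADDs the new one behaves as a compare-and-swap: LDAP applies the whole modification list atomically (RFC 4511 section 4.6), and a DELETE naming a value that is no longer present fails with noSuchAttribute, so the loser of the race sees an error and re-reads instead of overwriting. The block below is an added example written for this page, not FreeIPA's own plugin code; the `MiniDirectory` class is a constructed in-memory stand-in that mimics only those two server behaviours, and a thread barrier forces every thread to finish its read before any thread writes so the interleaving is reproducible. The DN is made up.

```python
import threading


class NoSuchAttributeValue(Exception):
    """Stand-in for LDAP result 16 (noSuchAttribute): a DELETE named a value
    that is not present, so the server rejected the whole modify request."""


class MiniDirectory:
    """Constructed in-memory entry store with two properties of a real LDAP
    server that matter here: all modifications in one request succeed or
    fail together, and requests to the same entry are serialized."""

    def __init__(self):
        self._entries = {}
        self._lock = threading.Lock()

    def add_entry(self, dn, attrs):
        self._entries[dn] = {a: set(v) for a, v in attrs.items()}

    def get_value(self, dn, attr):
        # Single-valued attribute: return its one value, or None if absent.
        values = self._entries[dn].get(attr, set())
        return next(iter(values), None)

    def modify(self, dn, mods):
        """mods: list of (op, attr, values) with op in replace/delete/add."""
        with self._lock:
            entry = self._entries[dn]
            snapshot = {a: set(v) for a, v in entry.items()}
            try:
                for op, attr, values in mods:
                    if op == "replace":
                        entry[attr] = set(values)
                    elif op == "add":
                        entry.setdefault(attr, set()).update(values)
                    elif op == "delete":
                        for v in values:
                            if v not in entry.get(attr, set()):
                                raise NoSuchAttributeValue(f"{attr}: {v}")
                            entry[attr].discard(v)
                    else:
                        raise ValueError(op)
            except NoSuchAttributeValue:
                self._entries[dn] = snapshot   # roll back the partial request
                raise


COUNT_ATTR = "krbLoginFailedCount"   # attribute named in the patch description


def record_failed_bind_replace(ds, dn, between_read_and_write=lambda: None):
    """Read-modify-write with REPLACE: concurrent writers clobber each other
    and failed attempts are lost."""
    current = int(ds.get_value(dn, COUNT_ATTR) or 0)
    between_read_and_write()
    ds.modify(dn, [("replace", COUNT_ATTR, [str(current + 1)])])


def record_failed_bind_delete_add(ds, dn, between_read_and_write=lambda: None):
    """Compare-and-swap with DELETE(old)/ADD(new) in one request: if another
    bind already moved the counter, the DELETE names a value that is gone,
    the server rejects the request, and we re-read and retry."""
    first_attempt = True
    while True:
        current = int(ds.get_value(dn, COUNT_ATTR) or 0)
        if first_attempt:
            between_read_and_write()
            first_attempt = False
        try:
            ds.modify(dn, [("delete", COUNT_ATTR, [str(current)]),
                           ("add", COUNT_ATTR, [str(current + 1)])])
            return
        except NoSuchAttributeValue:
            continue   # lost the race; loop with the fresh value


def simulate_concurrent_failures(recorder, n_threads=8):
    """Run n_threads failed binds against one entry, forcing every thread to
    finish its read before any thread writes. Returns the final counter."""
    ds = MiniDirectory()
    dn = "uid=alice,cn=users,cn=accounts,dc=example,dc=com"   # made-up DN
    ds.add_entry(dn, {COUNT_ATTR: ["0"]})
    barrier = threading.Barrier(n_threads)
    threads = [threading.Thread(target=recorder, args=(ds, dn, barrier.wait))
               for _ in range(n_threads)]
    for t in threads:
        t.start()
    for t in threads:
        t.join()
    return int(ds.get_value(dn, COUNT_ATTR))


if __name__ == "__main__":
    print("REPLACE    :", simulate_concurrent_failures(record_failed_bind_replace))
    print("DELETE/ADD :", simulate_concurrent_failures(record_failed_bind_delete_add))
```

With eight simultaneous failed binds the REPLACE version ends at 1 and the DELETE/ADD version at 8. The retry loop is the part that is easy to forget: the rejected request is not an error to log and ignore, it is the signal that the counter moved, and the bind still has to be counted against the fresh value. The same reasoning applies to the successful-bind path that zeroes the counter, where a stale REPLACE could erase failures recorded a moment earlier.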
From: rcritten at redhat.com (Rob Crittenden) Date: Tue, 18 Jan 2011 17:30:52 -0500 Subject: [Freeipa-devel] [PATCH] test speedup patch Message-ID: <4D36149C.8090900@redhat.com> Attached is a rough cut of a patch to try to speed up the cli a little bit. Basically in production mode it will skip some things during initialization. My concept is that we develop in mode != production and release in mode == production. I managed to knock a second or so off time to do a user-show on average. There may be some other things we can do to speed things up, I'm still looking. Some feedback on the approach would be appreciated. Note that I've completely ruled out SSL/Negotiate. I did my testing on lite-server which doesn't use SSL or Negotiate and it was STILL taking on average 3-4+ seconds per command. The server side was consistently taking < 1 second to complete. rob From rcritten at redhat.com Tue Jan 18 22:35:10 2011 
From: rcritten at redhat.com (Rob Crittenden) Date: Tue, 18 Jan 2011 17:35:10 -0500 Subject: [Freeipa-devel] [PATCH] test speedup patch In-Reply-To: <4D36149C.8090900@redhat.com> References: <4D36149C.8090900@redhat.com> Message-ID: <4D36159E.5060904@redhat.com> Rob Crittenden wrote: > Attached is a rough cut of a patch to try to speed up the cli a little > bit. Basically in production mode it will skip some things during > initialization. > > My concept is that we develop in mode != production and release in mode > == production. > > I managed to knock a second or so off time to do a user-show on average. > > There may be some other things we can do to speed things up, I'm still > looking. Some feedback on the approach would be appreciated. > > Note that I've completely ruled out SSL/Negotiate. I did my testing on > lite-server which doesn't use SSL or Negotiate and it was STILL taking > on average 3-4+ seconds per command. The server side was consistently > taking < 1 second to complete. > > rob oh, and the patch. -------------- next part -------------- A non-text attachment was scrubbed... Name: speedup.patch Type: text/x-patch Size: 1927 bytes Desc: not available URL: From ayoung at redhat.com Tue Jan 18 22:54:52 2011 
From: ayoung at redhat.com (Adam Young) Date: Tue, 18 Jan 2011 17:54:52 -0500 Subject: [Freeipa-devel] [PATCH] test speedup patch In-Reply-To: <4D36159E.5060904@redhat.com> References: <4D36149C.8090900@redhat.com> <4D36159E.5060904@redhat.com> Message-ID: <4D361A3C.6070601@redhat.com> On 01/18/2011 05:35 PM, Rob Crittenden wrote: > Rob Crittenden wrote: >> Attached is a rough cut of a patch to try to speed up the cli a little >> bit. Basically in production mode it will skip some things during >> initialization. >> >> My concept is that we develop in mode != production and release in mode >> == production. >> >> I managed to knock a second or so off time to do a user-show on average. >> >> There may be some other things we can do to speed things up, I'm still >> looking. Some feedback on the approach would be appreciated. >> >> Note that I've completely ruled out SSL/Negotiate. I did my testing on >> lite-server which doesn't use SSL or Negotiate and it was STILL taking >> on average 3-4+ seconds per command. The server side was consistently >> taking < 1 second to complete. >> >> rob > > oh, and the patch. > > > _______________________________________________ > Freeipa-devel mailing list > Freeipa-devel at redhat.com > https://www.redhat.com/mailman/listinfo/freeipa-devel I don't feel I understand the scope yet enough to ACK. What are the ramifications of the checks that you are bypassing? Do we really want to do them in development mode, or are they more appropriate to be run as part of a test suite? -------------- next part -------------- An HTML attachment was scrubbed... URL: From ssorce at redhat.com Wed Jan 19 00:02:23 2011 
From: ssorce at redhat.com (Simo Sorce) Date: Tue, 18 Jan 2011 19:02:23 -0500 Subject: [Freeipa-devel] [PATCH] 0061 Use authenticated binds in init scripts Message-ID: <20110118190223.5df86bbd@willson.li.ssimo.org> We need to use authenticated ldap binds in init scripts as otherwise starting components fails when the option to restrict anonymous access to ldap is set. In order to do that we need to also start the KDC unconditionally, so it has been removed from the list of services retrieved from ldap and always started/stopped/restarted explicitly in the script. This is necessary so the script can obtain kerberos credentials to bind to ds using its keytab. Fixes ticket #795 Simo. -- Simo Sorce * Red Hat, Inc * New York -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-simo-0061-Use-authenticated-connections-to-ldap.patch Type: text/x-patch Size: 7069 bytes Desc: not available URL: From ayoung at redhat.com Wed Jan 19 02:25:03 2011 From: ayoung at redhat.com (Adam Young) Date: Tue, 18 Jan 2011 21:25:03 -0500 Subject: [Freeipa-devel] [PATCH] add background image to Makefile Message-ID: <4D364B7F.9070000@redhat.com> Pushed under the one liner rule [ayoung at ayoung freeipa]$ git show HEAD commit bc27191db6c00a89ec7f8bd8a88389dd6fa9bb90 Author: Adam Young Date: Tue Jan 18 17:57:15 2011 -0500 background into Makefile diff --git a/install/static/Makefile.am b/install/static/Makefile.am index 998c4ff..d6a9274 100644 --- a/install/static/Makefile.am +++ b/install/static/Makefile.am @@ -51,6 +51,7 @@ app_DATA = \ Mainnav-offtab.png \ Mainnav-ontab.png \ modal-background.png \ + outer-bg.png \ panel-background.png \ Subnav-background.png \ Subnav-offbutton.png \ From rcritten at redhat.com Wed Jan 19 03:17:18 2011
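Review bot: the Makefile.am hunk lists `outer-bg.png` in app_DATA, but the commit touches no other file, so nothing in it shows the image itself being added under install/static; if the file is not already in the tree, `make install` will fail on the missing file, so please confirm it is committed. The commit message "background into Makefile" could also say which page uses the new background.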
From: rcritten at redhat.com (Rob Crittenden) Date: Tue, 18 Jan 2011 22:17:18 -0500 Subject: [Freeipa-devel] [PATCH] test speedup patch In-Reply-To: <4D36159E.5060904@redhat.com> References: <4D36149C.8090900@redhat.com> <4D36159E.5060904@redhat.com> Message-ID: <4D3657BE.9030900@redhat.com> Rob Crittenden wrote: > Rob Crittenden wrote: >> Attached is a rough cut of a patch to try to speed up the cli a little >> bit. Basically in production mode it will skip some things during >> initialization. >> >> My concept is that we develop in mode != production and release in mode >> == production. >> >> I managed to knock a second or so off time to do a user-show on average. >> >> There may be some other things we can do to speed things up, I'm still >> looking. Some feedback on the approach would be appreciated. >> >> Note that I've completely ruled out SSL/Negotiate. I did my testing on >> lite-server which doesn't use SSL or Negotiate and it was STILL taking >> on average 3-4+ seconds per command. The server side was consistently >> taking < 1 second to complete. >> >> rob > > oh, and the patch. I ran a couple of moderate tests this evening that executed 42 separate operations like add, delete, and managing group membership. I ran this 10 times each on 2 identical VMs, one with a bit older code and one with this patch then averaged the times. With the patch the average was 1.3 seconds per operation, without 2.6. A 50% improvement is more than I expected, I saw a 33% improvement on individual runs. I'll keep at it but this seems promising. I was also a bit surprised that the average time without the patch was so low, I was expecting something over 3 seconds. Specifically what this patch does is it avoids doing some self-validation. There is some amount of risk that the framework could blow up but in a deployed situation I think the risk is rather low. A side-effect of the API tester makeapi is that it loads the framework. 
We can force it to be run in production mode so the product shouldn't be buildable if it has inconsistencies. rob From edewata at redhat.com Wed Jan 19 09:59:37 2011 From: edewata at redhat.com (Endi Sukma Dewata) Date: Wed, 19 Jan 2011 16:59:37 +0700 Subject: [Freeipa-devel] [PATCH] admiyo-0151-enroll-dialog-layout. In-Reply-To: <4D35DCA4.8000004@redhat.com> References: <4D35DCA4.8000004@redhat.com> Message-ID: <4D36B609.7020103@redhat.com> On 1/19/2011 1:32 AM, Adam Young wrote: > ACK and pushed to master. -- Endi S. Dewata From pzuna at redhat.com Wed Jan 19 11:34:29 2011 
From: pzuna at redhat.com (Pavel Zuna) Date: Wed, 19 Jan 2011 12:34:29 +0100 Subject: [Freeipa-devel] [PATCH] test speedup patch In-Reply-To: <4D3657BE.9030900@redhat.com> References: <4D36149C.8090900@redhat.com> <4D36159E.5060904@redhat.com> <4D3657BE.9030900@redhat.com> Message-ID: <4D36CC45.1080103@redhat.com> On 01/19/2011 04:17 AM, Rob Crittenden wrote: > Rob Crittenden wrote: >> Rob Crittenden wrote: >>> Attached is a rough cut of a patch to try to speed up the cli a little >>> bit. Basically in production mode it will skip some things during >>> initialization. >>> >>> My concept is that we develop in mode != production and release in mode >>> == production. >>> >>> I managed to knock a second or so off time to do a user-show on average. >>> >>> There may be some other things we can do to speed things up, I'm still >>> looking. Some feedback on the approach would be appreciated. >>> >>> Note that I've completely ruled out SSL/Negotiate. I did my testing on >>> lite-server which doesn't use SSL or Negotiate and it was STILL taking >>> on average 3-4+ seconds per command. The server side was consistently >>> taking < 1 second to complete. >>> >>> rob >> >> oh, and the patch. > > I ran a couple of moderate tests this evening that executed 42 separate > operations like add, delete, and managing group membership. I ran this > 10 times each on 2 identical VMs, one with a bit older code and one with > this patch then averaged the times. > > With the patch the average was 1.3 seconds per operation, without 2.6. A > 50% improvement is more than I expected, I saw a 33% improvement on > individual runs. I'll keep at it but this seems promising. I was also a > bit surprised that the average time without the patch was so low, I was > expecting something over 3 seconds. > > Specifically what this patch does is it avoids doing some > self-validation. There is some amount of risk that the framework could > blow up but in a deployed situation I think the risk is rather low. 
> > A side-effect of the API tester makeapi is that it loads the framework. > We can force it to be run in production mode so the product shouldn't be > buildable if it has inconsistencies. > > rob > I find it hard to believe this patch causes such a big improvement in performance. Especially the parts skipping asserts, that shouldn't be significantly slower than your average ifs. Instance locking shouldn't be a time consuming operation either. Bypassing check routines for parameter namespaces might provide a performance boost as it is called for every single plugin we have (~250). On the other hand, it is only used for positional arguments and most plugins only have 1 or 2 of those. Personally, I would do some more tests on a single machine, because there's no guarantee that two VMs with an identical image have the same performance. If it really provides a significant improvement, then it's awesome, because I like the philosophy of this patch. It removes self-checking and instance locking, that is completely useless in a production environment and kind of limiting in non-production. I think there's more places like this in the framework. Long story short: It's improbable, but not impossible, for the changes introduced by this patch to cause such a big performance improvement. Even if it doesn't, the patch is still good. Pavel From jzeleny at redhat.com Wed Jan 19 13:15:05 2011
From: jzeleny at redhat.com (Jan Zelený) Date: Wed, 19 Jan 2011 14:15:05 +0100 Subject: [Freeipa-devel] [PATCH] 680 ldap lockout In-Reply-To: <4D35F151.8020202@redhat.com> References: <4D3465BB.9090604@redhat.com> <4D35A3BD.3070300@redhat.com> <4D35F151.8020202@redhat.com> Message-ID: <201101191415.05807.jzeleny@redhat.com> Rob Crittenden wrote: > Rob Crittenden wrote: > > Jan Zeleny wrote: > >> Rob Crittenden wrote: > >>> Update kerberos password policy values on LDAP binds. This is so > >>> locked-out accounts in kerberos don't try things using LDAP instead. > >>> > >>> On a failed bind this will update krbLoginFailedCount and > >>> krbLastFailedAuth and will potentially fail the bind altogether. > >>> > >>> On a successful bind it will zero krbLoginFailedCount and set > >>> krbLastSuccessfulAuth. > >>> > >>> This will also enforce locked-out accounts. > >>> > >>> See http://k5wiki.kerberos.org/wiki/Projects/Lockout for details on > >>> kerberos lockout. > >>> > >>> ticket 343 > >> > >> Ack, good job > >> > >> Jan > > > > Simo and Nathan pointed out that the update model I'm using is > > vulnerable to multi-threaded attack and suggested that rather than using > > REPLACE I do a DELETE/ADD to be sure that I'm updating the counter > > appropriately. I've got the basics done, need to re-run through > > valgrind. Will submit another patch shortly. > > > > rob > > Updated patch attached. Be more careful when updating the failed count. > > rob The patch looks good and it works fine, if Simo doesn't have any more security comments: ACK. Jan From ssorce at redhat.com Wed Jan 19 13:54:50 2011
From: ssorce at redhat.com (Simo Sorce) Date: Wed, 19 Jan 2011 08:54:50 -0500 Subject: [Freeipa-devel] [PATCH] 680 ldap lockout In-Reply-To: <201101191415.05807.jzeleny@redhat.com> References: <4D3465BB.9090604@redhat.com> <4D35A3BD.3070300@redhat.com> <4D35F151.8020202@redhat.com> <201101191415.05807.jzeleny@redhat.com> Message-ID: <20110119085450.2e07be97@willson.li.ssimo.org> On Wed, 19 Jan 2011 14:15:05 +0100 Jan Zelený wrote: > Rob Crittenden wrote: > > Rob Crittenden wrote: > > > Jan Zeleny wrote: > > >> Rob Crittenden wrote: > > >>> Update kerberos password policy values on LDAP binds. This is so > > >>> locked-out accounts in kerberos don't try things using LDAP > > >>> instead. > > >>> > > >>> On a failed bind this will update krbLoginFailedCount and > > >>> krbLastFailedAuth and will potentially fail the bind altogether. > > >>> > > >>> On a successful bind it will zero krbLoginFailedCount and set > > >>> krbLastSuccessfulAuth. > > >>> > > >>> This will also enforce locked-out accounts. > > >>> > > >>> See http://k5wiki.kerberos.org/wiki/Projects/Lockout for > > >>> details on kerberos lockout. > > >>> > > >>> ticket 343 > > >> > > >> Ack, good job > > >> > > >> Jan > > > > > > Simo and Nathan pointed out that the update model I'm using is > > > vulnerable to multi-threaded attack and suggested that rather > > > than using REPLACE I do a DELETE/ADD to be sure that I'm updating > > > the counter appropriately. I've got the basics done, need to > > > re-run through valgrind. Will submit another patch shortly. > > > > > > rob > > > > Updated patch attached. Be more careful when updating the failed > > count. > > > > rob > > The patch looks good and it works fine, if Simo doesn't have any more > security comments: ACK. Patch looks good to me. I only wonder if it would make sense to try to cache the entry between the pre-op and the post-op, but given it is just fetched I guess DS caches it in memory anyways, so probably not a big deal in any case. Simo.
-- Simo Sorce * Red Hat, Inc * New York From rcritten at redhat.com Wed Jan 19 15:02:06 2011 
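The REPLACE versus DELETE/ADD point raised in the lockout thread above, as an added example that is not FreeIPA's plugin code: a constructed in-memory LDAP entry (all names other than krbLoginFailedCount are the example's own) shows how two concurrent failed binds lose an increment under REPLACE, while deleting the value that was read and adding the new one in a single modify makes the collision visible so the caller can re-read and retry.

```python
# Added example, not code from the FreeIPA lockout plugin. It models the two
# ways of bumping krbLoginFailedCount discussed in the thread with a tiny
# in-memory LDAP entry: REPLACE overwrites unconditionally, while DELETE of the
# value that was read followed by ADD of the new value is applied atomically
# and fails if the read value is gone, so a concurrent increment is detected.
from typing import Callable, Dict, List, Set, Tuple


class NoSuchAttributeValue(Exception):
    """Stands in for the LDAP noSuchAttribute result a real directory server
    returns when a DELETE names a value that is no longer present."""


class Entry:
    """Minimal LDAP entry: multi-valued attributes and an atomic modify."""

    def __init__(self, attrs: Dict[str, Set[str]]) -> None:
        self.attrs = {k: set(v) for k, v in attrs.items()}

    def modify(self, mods: List[Tuple[str, str, List[str]]]) -> None:
        # Every change is applied to a staged copy first, so a failing DELETE
        # leaves the entry untouched, just as a real LDAP modify would.
        staged = {k: set(v) for k, v in self.attrs.items()}
        for op, attr, values in mods:
            vals = set(values)
            if op == "replace":
                staged[attr] = vals
            elif op == "add":
                staged.setdefault(attr, set()).update(vals)
            elif op == "delete":
                if not vals <= staged.get(attr, set()):
                    raise NoSuchAttributeValue(f"{attr}: {sorted(vals)}")
                staged[attr] -= vals
            else:
                raise ValueError(f"unknown modify op {op!r}")
        self.attrs = staged


COUNT_ATTR = "krbLoginFailedCount"


def read_count(entry: Entry) -> int:
    """Return the counter as an integer (0 when the attribute is absent)."""
    vals = entry.attrs.get(COUNT_ATTR, set())
    return int(next(iter(vals))) if vals else 0


def bump_with_replace(entry: Entry, observed: int) -> None:
    """First version of the patch: store observed+1 whatever is there now."""
    entry.modify([("replace", COUNT_ATTR, [str(observed + 1)])])


def bump_with_delete_add(entry: Entry, observed: int) -> None:
    """Revised version: only succeeds if the counter still holds 'observed'."""
    entry.modify([
        ("delete", COUNT_ATTR, [str(observed)]),
        ("add", COUNT_ATTR, [str(observed + 1)]),
    ])


def two_failed_binds(strategy: Callable[[Entry, int], None],
                     retry: bool = False) -> Tuple[int, bool]:
    """Two bind pre-ops both read the counter before either writes it back.

    Returns (final count, whether a collision was detected). The correct
    final count after two failed binds is 2.
    """
    entry = Entry({COUNT_ATTR: {"0"}})    # constructed starting state
    seen_a = read_count(entry)            # thread A reads 0
    seen_b = read_count(entry)            # thread B also reads 0
    strategy(entry, seen_a)               # A stores 1
    collided = False
    try:
        strategy(entry, seen_b)           # B: REPLACE writes 1 again and
    except NoSuchAttributeValue:          # silently loses A's increment;
        collided = True                   # DELETE/ADD raises instead
        if retry:
            strategy(entry, read_count(entry))   # re-read, apply on top of A
    return read_count(entry), collided


def successful_bind(entry: Entry) -> None:
    """On a good bind the count is reset. REPLACE is fine here because the
    intended result does not depend on the value that was read."""
    entry.modify([("replace", COUNT_ATTR, ["0"])])


if __name__ == "__main__":
    print("REPLACE           :", two_failed_binds(bump_with_replace))
    print("DELETE/ADD        :", two_failed_binds(bump_with_delete_add))
    print("DELETE/ADD + retry:", two_failed_binds(bump_with_delete_add, True))
```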
From: rcritten at redhat.com (Rob Crittenden) Date: Wed, 19 Jan 2011 10:02:06 -0500 Subject: [Freeipa-devel] [PATCH] test speedup patch In-Reply-To: <4D36CC45.1080103@redhat.com> References: <4D36149C.8090900@redhat.com> <4D36159E.5060904@redhat.com> <4D3657BE.9030900@redhat.com> <4D36CC45.1080103@redhat.com> Message-ID: <4D36FCEE.7000702@redhat.com> Pavel Zuna wrote: > On 01/19/2011 04:17 AM, Rob Crittenden wrote: >> Rob Crittenden wrote: >>> Rob Crittenden wrote: >>>> Attached is a rough cut of a patch to try to speed up the cli a little >>>> bit. Basically in production mode it will skip some things during >>>> initialization. >>>> >>>> My concept is that we develop in mode != production and release in mode >>>> == production. >>>> >>>> I managed to knock a second or so off time to do a user-show on >>>> average. >>>> >>>> There may be some other things we can do to speed things up, I'm still >>>> looking. Some feedback on the approach would be appreciated. >>>> >>>> Note that I've completely ruled out SSL/Negotiate. I did my testing on >>>> lite-server which doesn't use SSL or Negotiate and it was STILL taking >>>> on average 3-4+ seconds per command. The server side was consistently >>>> taking < 1 second to complete. >>>> >>>> rob >>> >>> oh, and the patch. >> >> I ran a couple of moderate tests this evening that executed 42 separate >> operations like add, delete, and managing group membership. I ran this >> 10 times each on 2 identical VMs, one with a bit older code and one with >> this patch then averaged the times. >> >> With the patch the average was 1.3 seconds per operation, without 2.6. A >> 50% improvement is more than I expected, I saw a 33% improvement on >> individual runs. I'll keep at it but this seems promising. I was also a >> bit surprised that the average time without the patch was so low, I was >> expecting something over 3 seconds. >> >> Specifically what this patch does is it avoids doing some >> self-validation. 
There is some amount of risk that the framework could >> blow up but in a deployed situation I think the risk is rather low. >> >> A side-effect of the API tester makeapi is that it loads the framework. >> We can force it to be run in production mode so the product shouldn't be >> buildable if it has inconsistencies. >> >> rob >> > > I find it hard to believe this patch causes such a big improvement in > performance. Especially the parts skipping asserts, that shouldn't be > significantly slower than your average ifs. Instance locking shouldn't > be a time consuming operation either. I'm equally unbelieving! In my dev tree I was seeing 3.9 second+ times without the patch. With the patch I was still often seeing 3+ seconds but sometimes it would be significantly lower. This is a VM so who knows what other stuff is going on. I agree that locking shouldn't be that slow but cumulatively it is a bit of a drag. Similarly the "assert p.instance.api is self" is quite slow. > Bypassing check routines for parameter namespaces might provide a > performance boost as it is called for every single plugin we have > (~250). On the other hand, it is only used for positional arguments and > most plugins only have 1 or 2 of those. I believe that bypassing the check routines is where the biggest boost comes from. check_name() is also skipped and that does a regex match. > Personally, I would do some more tests on a single machine, because > there's no guarantee that two VMs with an identical image have the same > performance. Using 2 machines lets me test code without having to constantly re-install the bits or apply patches. It is easier to track the state so I don't end up with meaningless data :-) I'll stick the meager tests I have into a while loop and let it run for longer than 10 iterations to get a better idea of what is going on. > > If it really provides a significant improvement, then it's awesome, > because I like the philosophy of this patch.
It removes self-checking > and instance locking, that is completely useless in a production > environment and kind of limiting in non-production. I think there's more > places like this in the framework. > > Long story short: > It's improbable, but not impossible, for the changes introduced by this > patch to cause such a big performance improvement. Even if it doesn't, > the patch is still good. Well, this is why I sent the patch out for a pre-review :-) rob From JR.Aquino at citrix.com Wed Jan 19 15:26:16 2011
From: JR.Aquino at citrix.com (JR Aquino) Date: Wed, 19 Jan 2011 15:26:16 +0000 Subject: [Freeipa-devel] [PATCH] test speedup patch In-Reply-To: <4D3657BE.9030900@redhat.com> Message-ID: Just tested. I do see a performance increase of ~30% time ipa user-find -------------- 1 user matched -------------- User login: admin Last name: Administrator Home directory: /home/admin Login shell: /bin/bash Account activation status: False Member of groups: admins ---------------------------- Number of entries returned 1 ---------------------------- real 0m1.558s user 0m0.810s sys 0m0.165s time ipa user-find -------------- 1 user matched -------------- User login: admin Last name: Administrator Home directory: /home/admin Login shell: /bin/bash Account disabled: False Member of groups: admins ---------------------------- Number of entries returned 1 ---------------------------- real 0m1.067s user 0m0.841s sys 0m0.157s On 1/18/11 7:17 PM, "Rob Crittenden" wrote: >Rob Crittenden wrote: >> Rob Crittenden wrote: >>> Attached is a rough cut of a patch to try to speed up the cli a little >>> bit. Basically in production mode it will skip some things during >>> initialization. >>> >>> My concept is that we develop in mode != production and release in mode >>> == production. >>> >>> I managed to knock a second or so off time to do a user-show on >>>average. >>> >>> There may be some other things we can do to speed things up, I'm still >>> looking. Some feedback on the approach would be appreciated. >>> >>> Note that I've completely ruled out SSL/Negotiate. I did my testing on >>> lite-server which doesn't use SSL or Negotiate and it was STILL taking >>> on average 3-4+ seconds per command. The server side was consistently >>> taking < 1 second to complete. >>> >>> rob >> >> oh, and the patch. > >I ran a couple of moderate tests this evening that executed 42 separate >operations like add, delete, and managing group membership. 
I ran this >10 times each on 2 identical VMs, one with a bit older code and one with >this patch then averaged the times. > >With the patch the average was 1.3 seconds per operation, without 2.6. A >50% improvement is more than I expected, I saw a 33% improvement on >individual runs. I'll keep at it but this seems promising. I was also a >bit surprised that the average time without the patch was so low, I was >expecting something over 3 seconds. > >Specifically what this patch does is it avoids doing some >self-validation. There is some amount of risk that the framework could >blow up but in a deployed situation I think the risk is rather low. > >A side-effect of the API tester makeapi is that it loads the framework. >We can force it to be run in production mode so the product shouldn't be >buildable if it has inconsistencies. > >rob > >_______________________________________________ >Freeipa-devel mailing list >Freeipa-devel at redhat.com >https://www.redhat.com/mailman/listinfo/freeipa-devel From ayoung at redhat.com Wed Jan 19 15:38:23 2011 
From: ayoung at redhat.com (Adam Young) Date: Wed, 19 Jan 2011 10:38:23 -0500 Subject: [Freeipa-devel] [PATCH] test speedup patch In-Reply-To: References: Message-ID: <4D37056F.4000509@redhat.com> On 01/19/2011 10:26 AM, JR Aquino wrote: > Just tested. I do see a performance increase of ~30% > > > time ipa user-find > -------------- > 1 user matched > -------------- > User login: admin > Last name: Administrator > Home directory: /home/admin > Login shell: /bin/bash > Account activation status: False > Member of groups: admins > ---------------------------- > Number of entries returned 1 > ---------------------------- > > real 0m1.558s > user 0m0.810s > sys 0m0.165s > > > > time ipa user-find > -------------- > 1 user matched > -------------- > User login: admin > Last name: Administrator > Home directory: /home/admin > Login shell: /bin/bash > Account disabled: False > Member of groups: admins > ---------------------------- > Number of entries returned 1 > ---------------------------- > > real 0m1.067s > user 0m0.841s > sys 0m0.157s > > > > On 1/18/11 7:17 PM, "Rob Crittenden" wrote: > >> Rob Crittenden wrote: >>> Rob Crittenden wrote: >>>> Attached is a rough cut of a patch to try to speed up the cli a little >>>> bit. Basically in production mode it will skip some things during >>>> initialization. >>>> >>>> My concept is that we develop in mode != production and release in mode >>>> == production. >>>> >>>> I managed to knock a second or so off time to do a user-show on >>>> average. >>>> >>>> There may be some other things we can do to speed things up, I'm still >>>> looking. Some feedback on the approach would be appreciated. >>>> >>>> Note that I've completely ruled out SSL/Negotiate. I did my testing on >>>> lite-server which doesn't use SSL or Negotiate and it was STILL taking >>>> on average 3-4+ seconds per command. The server side was consistently >>>> taking < 1 second to complete. >>>> >>>> rob >>> oh, and the patch.
>> I ran a couple of moderate tests this evening that executed 42 separate >> operations like add, delete, and managing group membership. I ran this >> 10 times each on 2 identical VMs, one with a bit older code and one with >> this patch then averaged the times. >> >> With the patch the average was 1.3 seconds per operation, without 2.6. A >> 50% improvement is more than I expected, I saw a 33% improvement on >> individual runs. I'll keep at it but this seems promising. I was also a >> bit surprised that the average time without the patch was so low, I was >> expecting something over 3 seconds. >> >> Specifically what this patch does is it avoids doing some >> self-validation. There is some amount of risk that the framework could >> blow up but in a deployed situation I think the risk is rather low. >> >> A side-effect of the API tester makeapi is that it loads the framework. >> We can force it to be run in production mode so the product shouldn't be >> buildable if it has inconsistencies. >> >> rob >> >> _______________________________________________ >> Freeipa-devel mailing list >> Freeipa-devel at redhat.com >> https://www.redhat.com/mailman/listinfo/freeipa-devel > > _______________________________________________ > Freeipa-devel mailing list > Freeipa-devel at redhat.com > https://www.redhat.com/mailman/listinfo/freeipa-devel ACK From jzeleny at redhat.com Wed Jan 19 15:53:26 2011 
From: jzeleny at redhat.com (Jan Zelený) Date: Wed, 19 Jan 2011 16:53:26 +0100 Subject: [Freeipa-devel] Mapping of CLI attributes to LDAP attributes Message-ID: <201101191653.26893.jzeleny@redhat.com> Hi, I've been thinking about the concept of mapping CLI attributes to LDAP attributes (ticket #447) and I'd like to get a second opinion. The most simple solution would be to add this functionality to existing help. For the sake of lucidity, it should be hidden by default. To achieve this a new parameter (e.g. --fullhelp) would be created. The question now is if this approach is suitable for WebUI and whether it is even needed for WebUI. Another approach might be to create new command, e.g. mapping-show, which would take one argument - either name of LDAP object for which we want to show all mappings or (better) directly a command. Here are examples how it could be invoked: ipa mapping-show user / ipa mapping-show user-add ipa mapping-show hbacrule / ipa mapping-show hbacrule-add So these are my ideas. Some questions? Comments? Other ideas? I welcome any input. -- Thank you Jan Zeleny Red Hat Software Engineer Brno, Czech Republic From ayoung at redhat.com Wed Jan 19 16:05:10 2011
From: ayoung at redhat.com (Adam Young) Date: Wed, 19 Jan 2011 11:05:10 -0500 Subject: [Freeipa-devel] Mapping of CLI attributes to LDAP attributes In-Reply-To: <201101191653.26893.jzeleny@redhat.com> References: <201101191653.26893.jzeleny@redhat.com> Message-ID: <4D370BB6.1000104@redhat.com> On 01/19/2011 10:53 AM, Jan Zelený wrote: > Hi, > I've been thinking about the concept of mapping CLI attributes to LDAP > attributes (ticket #447) and I'd like to get a second opinion. > > The most simple solution would be to add this functionality to existing help. > For the sake of lucidity, it should be hidden by default. To achieve this a > new parameter (e.g. --fullhelp) would be created. The question now is if this > approach is suitable for WebUI and whether it is even needed for WebUI. > > Another approach might be to create new command, e.g. mapping-show, which > would take one argument - either name of LDAP object for which we want to show > all mappings or (better) directly a command. Here are examples how it could be > invoked: > ipa mapping-show user / ipa mapping-show user-add > ipa mapping-show hbacrule / ipa mapping-show hbacrule-add > > So these are my ideas. Some questions? Comments? Other ideas? I welcome any > input. > The second is fairly similar to the metadata call we use for the WebUI From ayoung at redhat.com Wed Jan 19 16:13:51 2011
From: ayoung at redhat.com (Adam Young) Date: Wed, 19 Jan 2011 11:13:51 -0500 Subject: [Freeipa-devel] Rename insta//static to install/ui Message-ID: <4D370DBF.7060804@redhat.com> I've been working with Kyle Baker to implement the cleanup of the migration and the error reporting pages. One thing that is messing us up is the fact that the URL as exposed on the server is different than the file structure. I'd like to propose the following changes: First: rename install/static to install/ui. I wanted to use this name from the get go, but there was a conflict with the wsgi based ui. It has been gone for a long enough time now that the rename should cause no conflicts. Second: merge the html directory into the ui directory. We need them to be separate originally because the UI was getting authentication, but the error messages and so forth were not. Now, none of the ui gets authenticated, only the JSON RPC. Third: make an RPC url that we can call without authentication. The migration page is the last thing we have that uses server side scripting. I'd like to complete the work of splitting UI from business logic. However, the migration code needs to make an RPC unauthenticated. Right now this is the only page that needs to do so, but we could potentially have others. If we made a parallel structure for xml rpc and json RPC that could be called unauthenticated, we could also perform the migration from the command line or other applications, which would support some new use cases. I think the order of execution should be the order I listed them above. Feedback? From JR.Aquino at citrix.com Wed Jan 19 16:18:09 2011
From: JR.Aquino at citrix.com (JR Aquino) Date: Wed, 19 Jan 2011 16:18:09 +0000 Subject: [Freeipa-devel] [PATCH] 0061 Use authenticated binds in init scripts In-Reply-To: <20110118190223.5df86bbd@willson.li.ssimo.org> Message-ID: On 1/18/11 4:02 PM, "Simo Sorce" wrote: > >We need to use authenticated ldap binds in init scripts as otherwise >starting components fails when the option to restrict anonymous access >to ldap is set. > >In order to do that we need to also start the KDC unconditionally, so >it has been removed from the list of services retrieved from ldap and >always started/stopped/restarted explicitly in the script. >This is necessary so the script can obtain kerberos credentials to bind >to ds using its keytab. > >Fixes ticket #795 > >Simo. > >-- >Simo Sorce * Red Hat, Inc * New York >_______________________________________________ >Freeipa-devel mailing list >Freeipa-devel at redhat.com >https://www.redhat.com/mailman/listinfo/freeipa-devel ACK From dpal at redhat.com Wed Jan 19 16:24:54 2011
From: dpal at redhat.com (Dmitri Pal) Date: Wed, 19 Jan 2011 11:24:54 -0500 Subject: [Freeipa-devel] Mapping of CLI attributes to LDAP attributes In-Reply-To: <201101191653.26893.jzeleny@redhat.com> References: <201101191653.26893.jzeleny@redhat.com> Message-ID: <4D371056.40608@redhat.com> Jan Zelený wrote: > Hi, > I've been thinking about the concept of mapping CLI attributes to LDAP > attributes (ticket #447) and I'd like to get a second opinion. > > The most simple solution would be to add this functionality to existing help. > For the sake of lucidity, it should be hidden by default. To achieve this a > new parameter (e.g. --fullhelp) would be created. The question now is if this > approach is suitable for WebUI and whether it is even needed for WebUI. > > Another approach might be to create new command, e.g. mapping-show, which > would take one argument - either name of LDAP object for which we want to show > all mappings or (better) directly a command. Here are examples how it could be > invoked: > ipa mapping-show user / ipa mapping-show user-add > ipa mapping-show hbacrule / ipa mapping-show hbacrule-add > > So these are my ideas. Some questions? Comments? Other ideas? I welcome any > input. > > How about this: ipa mapping-show [--ldapattr= | --cli=] ipa-command If the optional arguments are omitted the output will show the remappings that the specified ipa-command implements. If the --ldapattr is provided then it will return the corresponding --cli name regardless whether it is same or not. If attr is not found in the context of the command then an error should be returned. The use of the --cli can be similar but for the cli name. I suggest doing it per command because some of the attributes make sense only in the context of the command so doing it per object might not be straightforward. -- Thank you, Dmitri Pal Sr. Engineering Manager IPA project, Red Hat Inc. ------------------------------- Looking to carve out IT costs?
www.redhat.com/carveoutcosts/ From dpal at redhat.com Wed Jan 19 16:29:12 2011 
From: dpal at redhat.com (Dmitri Pal) Date: Wed, 19 Jan 2011 11:29:12 -0500 Subject: [Freeipa-devel] Rename insta//static to install/ui In-Reply-To: <4D370DBF.7060804@redhat.com> References: <4D370DBF.7060804@redhat.com> Message-ID: <4D371158.4020502@redhat.com> Adam Young wrote: > I've been working with Kyle Baker to implement the cleanup of the > migration and the error reporting pages. One thing that is messing us > up is the fact that the URL as exposed on the server is different than > the file structure. I'd like to propose the following changes: > > > First: rename install/static to install/ui. > > I wanted to use this name from the get go, but there was a conflict > with the wsgi based ui. It has been gone for a long enough time now > that the rename should cause no conflicts. > > Second: merge the html directory into the ui directory. > > We need them to be separate originally because the UI was getting > authentication, but the error messages and so forth were not. Now, > none of the ui gets authenticated, only the JSON RPC. > > Third: make an RPC url that we can call without authentication. > > The migration page is the last thing we have that uses server side > scripting. I'd like to complete the work of splitting UI from > business logic. However, the migration code needs to make an RPC > unauthenticated. Right now this is the only page that needs to do so, > but we could potentially have others. If we made a parallel structure > for xml rpc and json RPC that could be called unauthenticated, we > could also perform the migration from the command line or other > applications, which would support some new use cases. Is this really required? Can we use what is there now? I am not sure I want to spend any cycles on such a major shift at this stage of the project. Can we just polish what we have for migration page for now and address this in 2.1? > > > I think the order of execution should be the order I listed them > above. Feedback?
> > _______________________________________________ > Freeipa-devel mailing list > Freeipa-devel at redhat.com > https://www.redhat.com/mailman/listinfo/freeipa-devel > > -- Thank you, Dmitri Pal Sr. Engineering Manager IPA project, Red Hat Inc. ------------------------------- Looking to carve out IT costs? www.redhat.com/carveoutcosts/ From ayoung at redhat.com Wed Jan 19 16:35:10 2011 
From: ayoung at redhat.com (Adam Young) Date: Wed, 19 Jan 2011 11:35:10 -0500 Subject: [Freeipa-devel] Rename insta//static to install/ui In-Reply-To: <4D371158.4020502@redhat.com> References: <4D370DBF.7060804@redhat.com> <4D371158.4020502@redhat.com> Message-ID: <4D3712BE.6060709@redhat.com> On 01/19/2011 11:29 AM, Dmitri Pal wrote: > Adam Young wrote: >> I've been working with Kyle Baker to implement the cleanup of the >> migration and the error reporting pages. One thing that is messing us >> up is the fact that the URL as exposed on the server is different than >> the file structure. I'd like to propose the following changes: >> >> >> First: rename install/static to install/ui. >> >> I wanted to use this name from the get go, but there was a conflict >> with the wsgi based ui. It has been gone for a long enough time now >> that the rename should cause no conflicts. >> >> Second: merge the html directory into the ui directory. >> >> We need them to be separate originally because the UI was getting >> authentication, but the error messages and so forth were not. Now, >> none of the ui gets authenticated, only the JSON RPC. >> >> Third: make an RPC url that we can call without authentication. >> >> The migration page is the last thing we have that uses server side >> scripting. I'd like to complete the work of splitting UI from >> business logic. However, the migration code needs to make an RPC >> unauthenticated. Right now this is the only page that needs to do so, >> but we could potentially have others. If we made a parallel structure >> for xml rpc and json RPC that could be called unauthenticated, we >> could also perform the migration from the command line or other >> applications, which would support some new use cases. > Is this really required? Can we use what is there now? > I am not sure I want to spend any cycles on such a major shift at this > stage of the project. > Can we just polish what we have for migration page for now and address > this in 2.1?
Step one is not a major change, actually, as git supports renaming. It keeps us from duplicating the assets (ipa.css, images) in both directories, as we can't really develop the migration page without being able to see them. That is the only one needed. Steps two and three are just logical cleanup steps.

>> I think the order of execution should be the order I listed them above. Feedback?

From rcritten at redhat.com Wed Jan 19 16:43:32 2011
From: rcritten at redhat.com (Rob Crittenden)
Date: Wed, 19 Jan 2011 11:43:32 -0500
Subject: [Freeipa-devel] Rename insta//static to install/ui
In-Reply-To: <4D370DBF.7060804@redhat.com>
References: <4D370DBF.7060804@redhat.com>
Message-ID: <4D3714B4.7060703@redhat.com>

Adam Young wrote:
> I've been working with Kyle Baker to implement the cleanup of the migration and the error reporting pages. One thing that is messing us up is the fact that the URL as exposed on the server is different than the file structure. I'd like to propose the following changes:
>
> First: rename install/static to install/ui.

You just want to rename the directory in the git tree?

> I wanted to use this name from the get go, but there was a conflict with the wsgi based ui. It has been gone for a long enough time now that the rename should cause no conflicts.
>
> Second: merge the html directory into the ui directory.

I'm ok with that, it's just 2 files.

> We needed them to be separate originally because the UI was getting authentication, but the error messages and so forth were not. Now, none of the ui gets authenticated, only the JSON RPC.
>
> Third: make an RPC url that we can call without authentication.
>
> The migration page is the last thing we have that uses server side scripting. I'd like to complete the work of splitting UI from business logic. However, the migration code needs to make an RPC unauthenticated. Right now this is the only page that needs to do so, but we could potentially have others. If we made a parallel structure for xml rpc and json RPC that could be called unauthenticated, we could also perform the migration from the command line or other applications, which would support some new use cases.
>
> I think the order of execution should be the order I listed them above. Feedback?

I don't understand the need for the third one. The logic is still server-side, it just uses a separate python script.
rob

From rcritten at redhat.com Wed Jan 19 16:47:11 2011
From: rcritten at redhat.com (Rob Crittenden)
Date: Wed, 19 Jan 2011 11:47:11 -0500
Subject: [Freeipa-devel] [PATCH] 682 performance patch
Message-ID: <4D37158F.3060200@redhat.com>

This patch skips some self-testing and locking done by the framework when in production mode. The assumption is that all development is done in mode != production so no inconsistencies can sneak in.

While this patch doesn't seem to do much it improved command-line performance for me somewhere between 30 and 50% (so between 3-4 seconds per command to 1.5-3, on average, often much better).

I explicitly set mode to production in the installation config files. I also explicitly set developer mode when running makeapi --validate so we can know at build time that the framework is consistent.

ticket 751

rob

-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-rcrit-682-perf.patch
Type: text/x-patch
Size: 4589 bytes

From dpal at redhat.com Wed Jan 19 17:06:38 2011
From: dpal at redhat.com (Dmitri Pal)
Date: Wed, 19 Jan 2011 12:06:38 -0500
Subject: [Freeipa-devel] Rename insta//static to install/ui
In-Reply-To: <4D3714B4.7060703@redhat.com>
References: <4D370DBF.7060804@redhat.com> <4D3714B4.7060703@redhat.com>
Message-ID: <4D371A1E.6090208@redhat.com>

Rob Crittenden wrote:
> Adam Young wrote:
>> I've been working with Kyle Baker to implement the cleanup of the migration and the error reporting pages. One thing that is messing us up is the fact that the URL as exposed on the server is different than the file structure. I'd like to propose the following changes:
>>
>> First: rename install/static to install/ui.
>
> You just want to rename the directory in the git tree?
>
>> I wanted to use this name from the get go, but there was a conflict with the wsgi based ui. It has been gone for a long enough time now that the rename should cause no conflicts.
>>
>> Second: merge the html directory into the ui directory.
>
> I'm ok with that, it's just 2 files.
>
>> We needed them to be separate originally because the UI was getting authentication, but the error messages and so forth were not. Now, none of the ui gets authenticated, only the JSON RPC.
>>
>> Third: make an RPC url that we can call without authentication.
>>
>> The migration page is the last thing we have that uses server side scripting. I'd like to complete the work of splitting UI from business logic. However, the migration code needs to make an RPC unauthenticated. Right now this is the only page that needs to do so, but we could potentially have others. If we made a parallel structure for xml rpc and json RPC that could be called unauthenticated, we could also perform the migration from the command line or other applications, which would support some new use cases.
>>
>> I think the order of execution should be the order I listed them above. Feedback?
>
> I don't understand the need for the third one.
> The logic is still server-side, it just uses a separate python script.

So far I am Ok with 1 & 2 but do not see need for 3. Please explain.

> rob

-- 
Thank you,
Dmitri Pal

Sr. Engineering Manager IPA project,
Red Hat Inc.

-------------------------------
Looking to carve out IT costs?
www.redhat.com/carveoutcosts/

From ayoung at redhat.com Wed Jan 19 17:15:30 2011
From: ayoung at redhat.com (Adam Young)
Date: Wed, 19 Jan 2011 12:15:30 -0500
Subject: [Freeipa-devel] Rename insta//static to install/ui
In-Reply-To: <4D371A1E.6090208@redhat.com>
References: <4D370DBF.7060804@redhat.com> <4D3714B4.7060703@redhat.com> <4D371A1E.6090208@redhat.com>
Message-ID: <4D371C32.30203@redhat.com>

On 01/19/2011 12:06 PM, Dmitri Pal wrote:
> Rob Crittenden wrote:
>> Adam Young wrote:
>>> I've been working with Kyle Baker to implement the cleanup of the migration and the error reporting pages. One thing that is messing us up is the fact that the URL as exposed on the server is different than the file structure. I'd like to propose the following changes:
>>>
>>> First: rename install/static to install/ui.
>> You just want to rename the directory in the git tree?
>>
>>> I wanted to use this name from the get go, but there was a conflict with the wsgi based ui. It has been gone for a long enough time now that the rename should cause no conflicts.
>>>
>>> Second: merge the html directory into the ui directory.
>> I'm ok with that, it's just 2 files.
>>
>>> We needed them to be separate originally because the UI was getting authentication, but the error messages and so forth were not. Now, none of the ui gets authenticated, only the JSON RPC.
>>>
>>> Third: make an RPC url that we can call without authentication.
>>>
>>> The migration page is the last thing we have that uses server side scripting. I'd like to complete the work of splitting UI from business logic. However, the migration code needs to make an RPC unauthenticated. Right now this is the only page that needs to do so, but we could potentially have others. If we made a parallel structure for xml rpc and json RPC that could be called unauthenticated, we could also perform the migration from the command line or other applications, which would support some new use cases.
>>>
>>> I think the order of execution should be the order I listed them above. Feedback?
>> I don't understand the need for the third one. The logic is still server-side, it just uses a separate python script.
>>
> So far I am Ok with 1 & 2 but do not see need for 3. Please explain.

I think I can drop 3, as the existing migrate.py will work OK.

>> rob

From dpal at redhat.com Wed Jan 19 17:20:02 2011
From: dpal at redhat.com (Dmitri Pal)
Date: Wed, 19 Jan 2011 12:20:02 -0500
Subject: [Freeipa-devel] Rename insta//static to install/ui
In-Reply-To: <4D371C32.30203@redhat.com>
References: <4D370DBF.7060804@redhat.com> <4D3714B4.7060703@redhat.com> <4D371A1E.6090208@redhat.com> <4D371C32.30203@redhat.com>
Message-ID: <4D371D42.3000108@redhat.com>

Adam Young wrote:
> On 01/19/2011 12:06 PM, Dmitri Pal wrote:
>> Rob Crittenden wrote:
>>> Adam Young wrote:
>>>> I've been working with Kyle Baker to implement the cleanup of the migration and the error reporting pages. One thing that is messing us up is the fact that the URL as exposed on the server is different than the file structure. I'd like to propose the following changes:
>>>>
>>>> First: rename install/static to install/ui.
>>> You just want to rename the directory in the git tree?
>>>
>>>> I wanted to use this name from the get go, but there was a conflict with the wsgi based ui. It has been gone for a long enough time now that the rename should cause no conflicts.
>>>>
>>>> Second: merge the html directory into the ui directory.
>>> I'm ok with that, it's just 2 files.
>>>
>>>> We needed them to be separate originally because the UI was getting authentication, but the error messages and so forth were not. Now, none of the ui gets authenticated, only the JSON RPC.
>>>>
>>>> Third: make an RPC url that we can call without authentication.
>>>>
>>>> The migration page is the last thing we have that uses server side scripting. I'd like to complete the work of splitting UI from business logic. However, the migration code needs to make an RPC unauthenticated. Right now this is the only page that needs to do so, but we could potentially have others.
>>>> If we made a parallel structure for xml rpc and json RPC that could be called unauthenticated, we could also perform the migration from the command line or other applications, which would support some new use cases.
>>>>
>>>> I think the order of execution should be the order I listed them above. Feedback?
>>> I don't understand the need for the third one. The logic is still server-side, it just uses a separate python script.
>>>
>> So far I am Ok with 1 & 2 but do not see need for 3. Please explain.
>
> I think I can drop 3, as the existing migrate.py will work OK.
>
You can open a ticket and put it into the deferred bucket for future.

>>> rob

-- 
Thank you,
Dmitri Pal

Sr. Engineering Manager IPA project,
Red Hat Inc.

-------------------------------
Looking to carve out IT costs?
www.redhat.com/carveoutcosts/

From ssorce at redhat.com Wed Jan 19 17:20:25 2011
From: ssorce at redhat.com (Simo Sorce)
Date: Wed, 19 Jan 2011 12:20:25 -0500
Subject: [Freeipa-devel] [PATCH] 0061 Use authenticated binds in init scripts
In-Reply-To:
References: <20110118190223.5df86bbd@willson.li.ssimo.org>
Message-ID: <20110119122025.75dd7e1c@willson.li.ssimo.org>

On Wed, 19 Jan 2011 16:18:09 +0000 JR Aquino wrote:
> On 1/18/11 4:02 PM, "Simo Sorce" wrote:
>
>> We need to use authenticated ldap binds in init scripts as otherwise starting components fails when the option to restrict anonymous access to ldap is set.
>>
>> In order to do that we need to also start the KDC unconditionally, so it has been removed from the list of services retrieved from ldap and always started/stopped/restarted explicitly in the script. This is necessary so the script can obtain kerberos credentials to bind to ds using its keytab.
>>
>> Fixes ticket #795
>>
>> Simo.
>>
>> --
>> Simo Sorce * Red Hat, Inc * New York
>
> ACK

Thanks but Rich pointed me to the docs I couldn't find earlier in order to use SASL/EXTERNAL instead of actual credentials.

So I'll hold on this patch and try to propose an alternative that does not require SASL/GSSAPI auth. If that will be possible and satisfactory I will retire this patch and propose a new one, otherwise I'll push this one.

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York

From ayoung at redhat.com Wed Jan 19 19:30:34 2011
From: ayoung at redhat.com (Adam Young)
Date: Wed, 19 Jan 2011 14:30:34 -0500
Subject: [Freeipa-devel] [PATCH] admiyo-0153-rename-static-to-ui
Message-ID: <4D373BDA.9040000@redhat.com>

I've been having problems with my lite-server install setup even before this patch. Can someone please test against the list server?

-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-admiyo-0153-rename-static-to-ui.patch
Type: text/x-patch
Size: 87801 bytes

From ssorce at redhat.com Wed Jan 19 19:56:41 2011
From: ssorce at redhat.com (Simo Sorce)
Date: Wed, 19 Jan 2011 14:56:41 -0500
Subject: [Freeipa-devel] [PATCH] 0063 Fix ipa_uuid misbehavior
Message-ID: <20110119145641.445f8f6b@willson.li.ssimo.org>

ipa_uuid was returning an improper error if a modify operation was performed on an entry that doesn't exist. This was preventing the dna plugin from working correctly.

Do not error on missing entries, let DS handle the case and report the proper error code.

Ticket 813

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York

-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-simo-0063-Fix-ipa_uuid-to-not-interfer-with-proper-error-repor.patch
Type: text/x-patch
Size: 1187 bytes

From rcritten at redhat.com Wed Jan 19 20:12:03 2011
From: rcritten at redhat.com (Rob Crittenden)
Date: Wed, 19 Jan 2011 15:12:03 -0500
Subject: [Freeipa-devel] [PATCH] Fix password/random logic in host plugin.
In-Reply-To: <4D35CD74.6070402@redhat.com>
References: <4D35CD74.6070402@redhat.com>
Message-ID: <4D374593.9080902@redhat.com>

Pavel Zuna wrote:
> Fix #798
>
> Pavel

I don't think this is the right fix.

IIRC the idea was that pre-created hosts with a password (either provided or random) would not have a principal. The principal would be added once the host is enrolled.

This will fix the plugin as far as adding entries but will cause ipa-join to report a warning that the principal already exists.

I realize that this has already been pushed but the ticket should be re-opened and another look taken at this.

rob

From rcritten at redhat.com Wed Jan 19 20:15:53 2011
From: rcritten at redhat.com (Rob Crittenden)
Date: Wed, 19 Jan 2011 15:15:53 -0500
Subject: [Freeipa-devel] [PATCH] 0063 Fix ipa_uuid misbehavior
In-Reply-To: <20110119145641.445f8f6b@willson.li.ssimo.org>
References: <20110119145641.445f8f6b@willson.li.ssimo.org>
Message-ID: <4D374679.2010504@redhat.com>

Simo Sorce wrote:
>
> ipa_uuid was returning an improper error if a modify operation was performed on an entry that doesn't exist.
> This was preventing the dna plugin from working correctly.
>
> Do not error on missing entries, let DS handle the case and report the proper error code.
>
> Ticket 813
>
> Simo.

ack

From dpal at redhat.com Wed Jan 19 20:22:22 2011
From: dpal at redhat.com (Dmitri Pal)
Date: Wed, 19 Jan 2011 15:22:22 -0500
Subject: [Freeipa-devel] [PATCH] Fix password/random logic in host plugin.
In-Reply-To: <4D374593.9080902@redhat.com>
References: <4D35CD74.6070402@redhat.com> <4D374593.9080902@redhat.com>
Message-ID: <4D3747FE.5090602@redhat.com>

Rob Crittenden wrote:
> Pavel Zuna wrote:
>> Fix #798
>>
>> Pavel
>
> I don't think this is the right fix.
>
> IIRC the idea was that pre-created hosts with a password (either provided or random) would not have a principal. The principal would be added once the host is enrolled.

I thought that enrollment is based only on presence of the keytab. Since the principal is not something that can be changed, why can't it be created when the entry is created? Does the current logic delete the principal when the machine is un-enrolled from CLI or GUI? It seems logical to just check the presence of the keytab. If it is there, it is enrolled. If not, then it is not. Am I missing something?

> This will fix the plugin as far as adding entries but will cause ipa-join to report a warning that the principal already exists.
>
> I realize that this has already been pushed but the ticket should be re-opened and another look taken at this.
>
> rob

-- 
Thank you,
Dmitri Pal

Sr. Engineering Manager IPA project,
Red Hat Inc.

-------------------------------
Looking to carve out IT costs?
www.redhat.com/carveoutcosts/

From ssorce at redhat.com Wed Jan 19 20:52:57 2011
From: ssorce at redhat.com (Simo Sorce)
Date: Wed, 19 Jan 2011 15:52:57 -0500
Subject: [Freeipa-devel] [PATCH] Fix password/random logic in host plugin.
In-Reply-To: <4D374593.9080902@redhat.com>
References: <4D35CD74.6070402@redhat.com> <4D374593.9080902@redhat.com>
Message-ID: <20110119155257.373ed986@willson.li.ssimo.org>

On Wed, 19 Jan 2011 15:12:03 -0500 Rob Crittenden wrote:
> Pavel Zuna wrote:
>> Fix #798
>>
>> Pavel
>
> I don't think this is the right fix.
>
> IIRC the idea was that pre-created hosts with a password (either provided or random) would not have a principal. The principal would be added once the host is enrolled.
>
> This will fix the plugin as far as adding entries but will cause ipa-join to report a warning that the principal already exists.
>
> I realize that this has already been pushed but the ticket should be re-opened and another look taken at this.

Should we revert in the meanwhile?

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York

From ssorce at redhat.com Wed Jan 19 20:55:39 2011
From: ssorce at redhat.com (Simo Sorce)
Date: Wed, 19 Jan 2011 15:55:39 -0500
Subject: [Freeipa-devel] [PATCH] Fix password/random logic in host plugin.
In-Reply-To: <4D3747FE.5090602@redhat.com>
References: <4D35CD74.6070402@redhat.com> <4D374593.9080902@redhat.com> <4D3747FE.5090602@redhat.com>
Message-ID: <20110119155539.54cba7ec@willson.li.ssimo.org>

On Wed, 19 Jan 2011 15:22:22 -0500 Dmitri Pal wrote:
> I thought that enrollment is based only on presence of the keytab.

By keytab I guess you mean the krbPrincipalKey attribute. The presence of that attribute is unknown to all users except cn=Directory Manager and uid=kdc, so no user can check for its presence as our aci prevents any access for reading (and rightly so).

I think the krbPrincipalName attribute was used to check if kerberos credentials were assigned.

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York

From ayoung at redhat.com Wed Jan 19 21:00:41 2011
From: ayoung at redhat.com (Adam Young)
Date: Wed, 19 Jan 2011 16:00:41 -0500
Subject: [Freeipa-devel] New Font and I18N
Message-ID: <4D3750F9.8050600@redhat.com>

Ben,

Since we are going to need Chinese and Japanese support in the font for IPA, I'm thinking that we should

1. Get the translations the site.
2. Identify the Glyphs required
3. Identify the process for people to submit Glyphs to the font base from the FreeIPA website.

I'm assuming that the Browser has the ability to fall back to a known complete Font for missing glyphs, but I haven't tested it.

From rcritten at redhat.com Wed Jan 19 21:01:53 2011
From: rcritten at redhat.com (Rob Crittenden)
Date: Wed, 19 Jan 2011 16:01:53 -0500
Subject: [Freeipa-devel] [PATCH] Fix password/random logic in host plugin.
In-Reply-To: <20110119155539.54cba7ec@willson.li.ssimo.org>
References: <4D35CD74.6070402@redhat.com> <4D374593.9080902@redhat.com> <4D3747FE.5090602@redhat.com> <20110119155539.54cba7ec@willson.li.ssimo.org>
Message-ID: <4D375141.5000102@redhat.com>

Simo Sorce wrote:
> On Wed, 19 Jan 2011 15:22:22 -0500 Dmitri Pal wrote:
>
>> I thought that enrollment is based only on presence of the keytab.
>
> By keytab I guess you mean the krbPrincipalKey attribute. The presence of that attribute is unknown to all users except cn=Directory Manager and uid=kdc, so no user can check for its presence as our aci prevents any access for reading (and rightly so).
>
> I think the krbPrincipalName attribute was used to check if kerberos credentials were assigned.
>
> Simo.

Yes, that's right. We also use krbLastPwdChange for this purpose but the krbPrincipalName work predated this.

We might need to revisit what I originally did which is why I think the patch is ok for now. For now, at least as far as I can tell, it just causes a strange message in ipa-join.

rob

From dpal at redhat.com Wed Jan 19 21:27:05 2011
From: dpal at redhat.com (Dmitri Pal)
Date: Wed, 19 Jan 2011 16:27:05 -0500
Subject: [Freeipa-devel] [PATCH] Fix password/random logic in host plugin.
In-Reply-To: <4D375141.5000102@redhat.com>
References: <4D35CD74.6070402@redhat.com> <4D374593.9080902@redhat.com> <4D3747FE.5090602@redhat.com> <20110119155539.54cba7ec@willson.li.ssimo.org> <4D375141.5000102@redhat.com>
Message-ID: <4D375729.6020609@redhat.com>

Rob Crittenden wrote:
> Simo Sorce wrote:
>> On Wed, 19 Jan 2011 15:22:22 -0500 Dmitri Pal wrote:
>>
>>> I thought that enrollment is based only on presence of the keytab.
>>
>> By keytab I guess you mean the krbPrincipalKey attribute. The presence of that attribute is unknown to all users except cn=Directory Manager and uid=kdc, so no user can check for its presence as our aci prevents any access for reading (and rightly so).
>>
>> I think the krbPrincipalName attribute was used to check if kerberos credentials were assigned.
>>
>> Simo.
>
> Yes, that's right. We also use krbLastPwdChange for this purpose but the krbPrincipalName work predated this.
>
> We might need to revisit what I originally did which is why I think the patch is ok for now. For now, at least as far as I can tell, it just causes a strange message in ipa-join.

Yes, the one that I noticed yesterday stating that the principal exists. Ok, I am corrected, let us reopen the ticket.

> rob

-- 
Thank you,
Dmitri Pal

Sr. Engineering Manager IPA project,
Red Hat Inc.

-------------------------------
Looking to carve out IT costs?
www.redhat.com/carveoutcosts/

From rcritten at redhat.com Wed Jan 19 22:51:56 2011
From: rcritten at redhat.com (Rob Crittenden)
Date: Wed, 19 Jan 2011 17:51:56 -0500
Subject: [Freeipa-devel] [PATCH] 683 block anonymous access to hbac info
Message-ID: <4D376B0C.8050901@redhat.com>

Add a couple of acis to block anonymous access to cn=hbac and to member attributes. This is so you can't hunt for what roles, groups, etc. a user might be in (so you can target an attack).

ticket 811

rob

-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-rcrit-683-aci.patch
Type: text/x-patch
Size: 2727 bytes

From ssorce at redhat.com Wed Jan 19 23:28:25 2011
From: ssorce at redhat.com (Simo Sorce)
Date: Wed, 19 Jan 2011 18:28:25 -0500
Subject: [Freeipa-devel] [PATCH] 683 block anonymous access to hbac info
In-Reply-To: <4D376B0C.8050901@redhat.com>
References: <4D376B0C.8050901@redhat.com>
Message-ID: <20110119182825.2b5041ef@willson.li.ssimo.org>

On Wed, 19 Jan 2011 17:51:56 -0500 Rob Crittenden wrote:

> +aci: (targetattr = "member || memberOf || memberHost || > memberUser")(version 3.0; acl "No anonymous access to member > information"; deny (read,search,compare) userdn != "ldap:///all";)

Nack, without 'member', nss_ldap will have no way to determine posixAccount group memberships using anonymous access (the default).

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York

From ssorce at redhat.com Wed Jan 19 23:30:14 2011
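Review bot: in the quoted `+aci:` line the targetattr list bundles `member` together with `memberOf || memberHost || memberUser`, and the reply above points out that `member` is exactly what an anonymous nss_ldap client reads to resolve posixAccount group membership, so as written the deny breaks the default (anonymous) NSS configuration. The rule also carries no `target` clause, so it applies to every entry in the subtree it is added to rather than only the cn=hbac subtree the patch description names. Suggest dropping `member` from the targetattr list (keeping the deny on `memberOf || memberHost || memberUser`), or adding a `target` that scopes the deny to cn=hbac, and confirming that an anonymous group lookup still resolves before re-submitting.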
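As an added example (not code from the patch or from the thread), a small checker for the ACI subset quoted in the NACK: it parses the deny rule and reports which attributes an anonymous nss_ldap group lookup would lose. The `NSS_GROUP_ATTRS` list and the `ldap:///all` / `ldap:///anyone` handling are assumptions covering only the 389-DS ACI syntax that this one rule exercises.

```python
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Aci:
    name: str
    effect: str             # "allow" or "deny"
    rights: frozenset       # e.g. {"read", "search", "compare"}
    targetattrs: frozenset  # lowercased; empty means every attribute
    bind_rule: str          # e.g. 'userdn != "ldap:///all"'


# Subset of the 389-DS ACI grammar (assumption: enough for the quoted rule):
# optional (targetattr = "a || b") clause, then
# (version 3.0; acl "name"; allow|deny (rights) bind-rule;)
ACI_RE = re.compile(
    r'^\s*(?:\(targetattr\s*=\s*"(?P<attrs>[^"]*)"\))?'
    r'\s*\(version\s+3\.0;\s*acl\s+"(?P<name>[^"]*)";\s*'
    r'(?P<effect>allow|deny)\s*\((?P<rights>[^)]*)\)\s*'
    r'(?P<bind>[^;]*);\s*\)\s*$',
    re.IGNORECASE,
)


def parse_aci(text: str) -> Aci:
    """Parse one ACI value into its parts; raises on syntax outside the subset."""
    m = ACI_RE.match(text)
    if not m:
        raise ValueError("unsupported ACI syntax: %r" % text)
    attrs = m.group("attrs")
    if attrs is None or attrs.strip() == "*":
        targetattrs = frozenset()  # no clause or "*": every attribute
    else:
        targetattrs = frozenset(a.strip().lower() for a in attrs.split("||"))
    rights = frozenset(r.strip().lower() for r in m.group("rights").split(","))
    return Aci(m.group("name"), m.group("effect").lower(), rights,
               targetattrs, m.group("bind").strip())


def bind_rule_matches(rule: str, authenticated: bool) -> bool:
    """Evaluate a single userdn bind rule for an anonymous or authenticated bind.

    ldap:///all matches every authenticated DN, ldap:///anyone matches anonymous
    binds as well; "!=" inverts the match.
    """
    m = re.match(r'userdn\s*(!?=)\s*"([^"]*)"$', rule, re.IGNORECASE)
    if not m:
        raise ValueError("unsupported bind rule: %r" % rule)
    op, dn = m.group(1), m.group(2).lower()
    if dn == "ldap:///anyone":
        matched = True
    elif dn == "ldap:///all":
        matched = authenticated
    else:
        raise ValueError("unsupported userdn keyword: %r" % dn)
    return matched if op == "=" else not matched


def hidden_from_anonymous(aci: Aci, attr: str, right: str = "read") -> bool:
    """True if this deny rule withholds `right` on `attr` from an anonymous bind."""
    if aci.effect != "deny" or right not in aci.rights:
        return False
    if aci.targetattrs and attr.lower() not in aci.targetattrs:
        return False
    return bind_rule_matches(aci.bind_rule, authenticated=False)


# Attributes an anonymous nss_ldap client reads to resolve posixGroup membership
# (assumption; rfc2307bis-style groups keep members in `member`, as the NACK notes).
NSS_GROUP_ATTRS = ("cn", "gidNumber", "memberUid", "member")


def broken_group_lookups(aci: Aci) -> set:
    """Return the nss_ldap group attributes this ACI hides from anonymous binds."""
    return {a for a in NSS_GROUP_ATTRS if hidden_from_anonymous(aci, a)}


# The ACI quoted from the patch, and a variant with `member` dropped from the list.
PATCH_ACI = ('(targetattr = "member || memberOf || memberHost || memberUser")'
             '(version 3.0; acl "No anonymous access to member information"; '
             'deny (read,search,compare) userdn != "ldap:///all";)')
FIXED_ACI = PATCH_ACI.replace('"member || ', '"')

if __name__ == "__main__":
    print("patch ACI hides from anonymous:", broken_group_lookups(parse_aci(PATCH_ACI)))
    print("without member:", broken_group_lookups(parse_aci(FIXED_ACI)))
```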
From: ssorce at redhat.com (Simo Sorce)
Date: Wed, 19 Jan 2011 18:30:14 -0500
Subject: [Freeipa-devel] [PATCH] 0061 Use authenticated binds in init scripts
In-Reply-To: <20110119122025.75dd7e1c@willson.li.ssimo.org>
References: <20110118190223.5df86bbd@willson.li.ssimo.org> <20110119122025.75dd7e1c@willson.li.ssimo.org>
Message-ID: <20110119183014.31db0e3b@willson.li.ssimo.org>

On Wed, 19 Jan 2011 12:20:25 -0500 Simo Sorce wrote:
> On Wed, 19 Jan 2011 16:18:09 +0000 JR Aquino wrote:
>> On 1/18/11 4:02 PM, "Simo Sorce" wrote:
>>
>>> We need to use authenticated ldap binds in init scripts as otherwise starting components fails when the option to restrict anonymous access to ldap is set.
>>>
>>> In order to do that we need to also start the KDC unconditionally, so it has been removed from the list of services retrieved from ldap and always started/stopped/restarted explicitly in the script. This is necessary so the script can obtain kerberos credentials to bind to ds using its keytab.
>>>
>>> Fixes ticket #795
>>>
>>> Simo.
>>>
>>> --
>>> Simo Sorce * Red Hat, Inc * New York
>>
>> ACK
>
> Thanks but Rich pointed me to the docs I couldn't find earlier in order to use SASL/EXTERNAL instead of actual credentials.
>
> So I'll hold on this patch and try to propose an alternative that does not require SASL/GSSAPI auth. If that will be possible and satisfactory I will retire this patch and propose a new one, otherwise I'll push this one.
>
> Simo.

Ok I am retiring this patch and sending an alternative one.

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York

From ssorce at redhat.com Wed Jan 19 23:31:42 2011
From: ssorce at redhat.com (Simo Sorce)
Date: Wed, 19 Jan 2011 18:31:42 -0500
Subject: [Freeipa-devel] [PATCH] 0064 Fix authentication for init scripts
Message-ID: <20110119183142.5be596ce@willson.li.ssimo.org>

In order for ipactl to function even when anonymous access is disabled we need to authenticate. Use SASL/EXTERNAL to let root get access as a very low privileged special user.

Ticket #795

This patch is a replacement of 0061 where I was using SASL/GSSAPI

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York

-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-simo-0064-Allow-SASL-EXTERNAL-authentication-for-the-root-user.patch
Type: text/x-patch
Size: 3754 bytes

From ssorce at redhat.com Thu Jan 20 00:11:45 2011
From: ssorce at redhat.com (Simo Sorce)
Date: Wed, 19 Jan 2011 19:11:45 -0500
Subject: [Freeipa-devel] [PATCH] 0065 Use ldapi with krb5kdc
Message-ID: <20110119191145.07c4719b@willson.li.ssimo.org>

Long ago we decided to use the ldapi socket to let the KDC access the ldap data in order to avoid communication over the network (even if it is 127.0.0.1). This patch finally implements that.

Although beware that this patch will need you to either create custom policy or to set selinux in permissive mode until the new policy lands in fedora land. Bugs have been opened and I think the policy has already landed in rawhide.

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York

-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-simo-0065-Make-krb5kdc-use-the-ldapi-socket-to-talk-to-dirsrv.patch
Type: text/x-patch
Size: 1868 bytes

From ssorce at redhat.com Thu Jan 20 00:24:48 2011
From: ssorce at redhat.com (Simo Sorce)
Date: Wed, 19 Jan 2011 19:24:48 -0500
Subject: [Freeipa-devel] [PATCH] 0063 Fix ipa_uuid misbehavior
In-Reply-To: <4D374679.2010504@redhat.com>
References: <20110119145641.445f8f6b@willson.li.ssimo.org> <4D374679.2010504@redhat.com>
Message-ID: <20110119192448.28674f5e@willson.li.ssimo.org>

On Wed, 19 Jan 2011 15:15:53 -0500 Rob Crittenden wrote:
> Simo Sorce wrote:
>>
>> ipa_uuid was returning an improper error if a modify operation was performed on an entry that doesn't exist.
>> This was preventing the dna plugin from working correctly.
>>
>> Do not error on missing entries, let DS handle the case and report the proper error code.
>>
>> Ticket 813
>>
>> Simo.
>
> ack

Thanks, pushed to master.

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York

From ssorce at redhat.com Thu Jan 20 00:43:39 2011
From: ssorce at redhat.com (Simo Sorce)
Date: Wed, 19 Jan 2011 19:43:39 -0500
Subject: [Freeipa-devel] [PATCH] 0066 remove binddn when using GSSAPI for replication
Message-ID: <20110119194339.5f83ddfc@willson.li.ssimo.org>

See ticket #817

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York

-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-simo-0066-Do-not-set-a-replication-dn-when-using-SASL-GSSAPI-r.patch
Type: text/x-patch
Size: 4879 bytes

From ayoung at redhat.com Thu Jan 20 01:17:56 2011
From: ayoung at redhat.com (Adam Young)
Date: Wed, 19 Jan 2011 20:17:56 -0500
Subject: [Freeipa-devel] [PATCH] 0059 Add command to test if DNS is active
In-Reply-To: <20110117131141.488c23a1@willson.li.ssimo.org>
References: <20110117131141.488c23a1@willson.li.ssimo.org>
Message-ID: <4D378D44.1070906@redhat.com>

On 01/17/2011 01:11 PM, Simo Sorce wrote:
> This patch implements the feature requested in ticket #600
>
> The internal dns_is_enabled command returns whether the DNS service is enabled on at least one of the servers in the domain.
>
> The UI can use this command to determine whether to show the DNS related configuration options.
>
> Simo.

ACK, but be sure to rerun the makeapi command, as I think we have added a few new ones since this version was generated.

From ssorce at redhat.com Thu Jan 20 01:24:58 2011
From: ssorce at redhat.com (Simo Sorce)
Date: Wed, 19 Jan 2011 20:24:58 -0500
Subject: [Freeipa-devel] [PATCH] 0059 Add command to test if DNS is active
In-Reply-To: <4D378D44.1070906@redhat.com>
References: <20110117131141.488c23a1@willson.li.ssimo.org> <4D378D44.1070906@redhat.com>
Message-ID: <20110119202458.567c6739@willson.li.ssimo.org>

On Wed, 19 Jan 2011 20:17:56 -0500 Adam Young wrote:
> On 01/17/2011 01:11 PM, Simo Sorce wrote:
>> This patch implements the feature requested in ticket #600
>>
>> The internal dns_is_enabled command returns whether the DNS service is enabled on at least one of the servers in the domain.
>>
>> The UI can use this command to determine whether to show the DNS related configuration options.
> ACK, but be sure to rerun the makeapi command, as I think we have added a few new ones since this version was generated.

I kept rebasing it on top of master in my tree, I saw no issues.

Pushed to master.

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York

From jhrozek at redhat.com Thu Jan 20 09:23:53 2011
From: jhrozek at redhat.com (Jakub Hrozek)
Date: Thu, 20 Jan 2011 10:23:53 +0100
Subject: [Freeipa-devel] [PATCH] 029 Enforce uniqueness on (key, info) pairs in automount keys
In-Reply-To: <4D2B30A1.5030303@redhat.com>
References: <4D0F5ED8.5000403@redhat.com> <4D0F6949.4020504@redhat.com> <4D2B30A1.5030303@redhat.com>
Message-ID: <4D37FF29.2000006@redhat.com>

On 01/10/2011 05:15 PM, Jakub Hrozek wrote:
> On 12/20/2010 03:33 PM, Jakub Hrozek wrote:
>> On 12/20/2010 02:49 PM, Jakub Hrozek wrote:
>>> Attached is a patch that changes the uniqueness constraint of automount
>>> keys from (key) to (key,info) pairs. The patch is not really standard
>>> baseldap style. The reason is that during development, I found that
>>> baseldap is really dependent on having a single primary key and also
>>> during many operations accessing it as keys[-1].
>
>>> Please note that the ipa automountkey-* commands used to have three
>>> args, now it's two args and two required options (that compose the tuple
>>> that is the primary key). I know next to nothing about UI, but I assume this
>>> has consequences as the JSON marshalled call needs to be different now.
>>> Can someone point me to the place in code that I need to fix now?
>
>>> Fixes:
>>> https://fedorahosted.org/freeipa/ticket/293
>
>> Sorry, I left some debugging statements in. Attached is a new patch.
>
> Attached is a patch that applies cleanly on top of origin/master.

Another rebase on top of the recent API changes.

-------------- next part --------------
A non-text attachment was scrubbed...
Name: jhrozek-freeipa-029-04-automount-keys-uniqueness.patch
Type: text/x-patch
Size: 27586 bytes
Desc: not available
URL:
-------------- next part --------------
A non-text attachment was scrubbed...
Name: jhrozek-freeipa-029-04-automount-keys-uniqueness.patch.sig
Type: application/pgp-signature
Size: 72 bytes
Desc: not available
URL:

From jhrozek at redhat.com Thu Jan 20 13:02:22 2011
From: jhrozek at redhat.com (Jakub Hrozek)
Date: Thu, 20 Jan 2011 14:02:22 +0100
Subject: [Freeipa-devel] [PATCH] 039 Delete the whole DNS record with no parameters
Message-ID: <4D38325E.4060901@redhat.com>

Hi,

as discussed in https://bugzilla.redhat.com/show_bug.cgi?id=671019 to delete a DNS RR one has to remove its record types one by one.

This patch modifies the behaviour so that if the user runs dnsrecord-del with no other parameters, the whole record is removed.

Alternative solutions might be to expose the internal command that is able to delete the record (although I think it is counterintuitive to have one command to remove record types and one for the whole record) or have a special flag (--del-all?) to remove the whole record.

The patch also fixes the unit tests as they didn't reflect all the recent changes.

-------------- next part --------------
A non-text attachment was scrubbed...
Name: jhrozek-freeipa-039-dns-record-del.patch
Type: text/x-patch
Size: 6267 bytes
Desc: not available
URL:
-------------- next part --------------
A non-text attachment was scrubbed...
Name: jhrozek-freeipa-039-dns-record-del.patch.sig
Type: application/pgp-signature
Size: 72 bytes
Desc: not available
URL:

From edewata at redhat.com Thu Jan 20 14:30:46 2011
From: edewata at redhat.com (Endi Sukma Dewata)
Date: Thu, 20 Jan 2011 09:30:46 -0500 (EST)
Subject: [Freeipa-devel] [PATCH] admiyo-0153-rename-static-to-ui
In-Reply-To: <4D373BDA.9040000@redhat.com>
Message-ID: <1754053723.67836.1295533846250.JavaMail.root@zmail05.collab.prod.int.phx2.redhat.com>

----- Original Message -----
> I've been having problems with my lite-server install setup even
> before this patch. Can someone please test against the list server?

I'm having a problem with the lite-server too, but it works fine with the full server. Need to investigate further.

ACK and pushed to master.

-- 
Endi S. Dewata

From JR.Aquino at citrix.com Thu Jan 20 15:03:33 2011
From: JR.Aquino at citrix.com (JR Aquino)
Date: Thu, 20 Jan 2011 15:03:33 +0000
Subject: [Freeipa-devel] [PATCH] 683 block anonymous access to hbac info
In-Reply-To: <20110119182825.2b5041ef@willson.li.ssimo.org>
Message-ID:

I think it is safe to give up member. It is necessary for nss_ldap and nis. If we remove member and add the role container I think that should cover the low hanging fruit that discloses authorization data.

On 1/19/11 3:28 PM, "Simo Sorce" wrote:
>On Wed, 19 Jan 2011 17:51:56 -0500
>Rob Crittenden wrote:
>
>> +aci: (targetattr = "member || memberOf || memberHost ||
>> memberUser")(version 3.0; acl "No anonymous access to member
>> information"; deny (read,search,compare) userdn != "ldap:///all";)
>
>Nack, without 'member', nss_ldap will have no way to determine
>posixAccount group memberships using anonymous access (the default).
>
>Simo.
>
>-- 
>Simo Sorce * Red Hat, Inc * New York

From JR.Aquino at citrix.com Thu Jan 20 15:23:11 2011
From: JR.Aquino at citrix.com (JR Aquino)
Date: Thu, 20 Jan 2011 15:23:11 +0000
Subject: [Freeipa-devel] [PATCH] 0064 Fix authentication for init scripts
In-Reply-To: <20110119183142.5be596ce@willson.li.ssimo.org>
Message-ID:

On 1/19/11 3:31 PM, "Simo Sorce" wrote:
>
>In order for ipactl to function even when anonymous access is disabled
>we need to authenticate.
>Use SASL/EXTERNAL to let root get access as a very low privileged
>special user.
>
>Ticket #795
>
>This patch is a replacement of 0061 where I was using SASL/GSSAPI
>
>Simo.
>
>-- 
>Simo Sorce * Red Hat, Inc * New York

ACK

From ayoung at redhat.com Thu Jan 20 16:10:15 2011
From: ayoung at redhat.com (Adam Young)
Date: Thu, 20 Jan 2011 11:10:15 -0500
Subject: [Freeipa-devel] [PATCH] admiyo-0154-declarative-defintions
Message-ID: <4D385E67.8030507@redhat.com>

If you ACK, please don't push, but let me do so, as it will likely conflict with other UI work.

-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-admiyo-0154-declarative-defintions.patch
Type: text/x-patch
Size: 35724 bytes
Desc: not available
URL:

From rcritten at redhat.com Thu Jan 20 16:14:02 2011
From: rcritten at redhat.com (Rob Crittenden)
Date: Thu, 20 Jan 2011 11:14:02 -0500
Subject: [Freeipa-devel] [PATCH] 0064 Fix authentication for init scripts
In-Reply-To: <20110119183142.5be596ce@willson.li.ssimo.org>
References: <20110119183142.5be596ce@willson.li.ssimo.org>
Message-ID: <4D385F4A.9090605@redhat.com>

Simo Sorce wrote:
>
> In order for ipactl to function even when anonymous access is disabled
> we need to authenticate.
> Use SASL/EXTERNAL to let root get access as a very low privileged
> special user.
>
> Ticket #795
>
> This patch is a replacement of 0061 where I was using SASL/GSSAPI
>
> Simo.

ack

From JR.Aquino at citrix.com Thu Jan 20 16:39:14 2011
From: JR.Aquino at citrix.com (JR Aquino)
Date: Thu, 20 Jan 2011 16:39:14 +0000
Subject: [Freeipa-devel] [PATCH] 0065 Use ldapi with krb5kdc
In-Reply-To: <20110119191145.07c4719b@willson.li.ssimo.org>
Message-ID:

NACK.

Please retest this... I'm not sure how it is related, but I receive an error during the make rpm process:

Traceback (most recent call last):
  File "./makeapi", line 27, in
    from ipalib import *
  File "/usr/src/freeipa/rpmbuild/BUILD/freeipa-2.0.0GITb9ad279/ipalib/__init__.py", line 878, in
    from frontend import Command, LocalOrRemote
  File "/usr/src/freeipa/rpmbuild/BUILD/freeipa-2.0.0GITb9ad279/ipalib/frontend.py", line 36, in
    from ipapython.version import API_VERSION
  File "/usr/src/freeipa/rpmbuild/BUILD/freeipa-2.0.0GITb9ad279/ipapython/version.py", line 25, in
    NUM_VERSION=200
NameError: name '__NUM_VERSION__' is not defined
make[1]: *** [version-update] Error 1
make[1]: Leaving directory `/usr/src/freeipa/rpmbuild/BUILD/freeipa-2.0.0GITb9ad279'
error: Bad exit status from /var/tmp/rpm-tmp.315pIJ (%build)


RPM build errors:
    Bad exit status from /var/tmp/rpm-tmp.315pIJ (%build)
make: *** [rpms] Error 1

On 1/19/11 4:11 PM, "Simo Sorce" wrote:
>
>Long ago we decided to use the ldapi socket to let the KDC access the
>ldap data in order to avoid communication over the network (even if it
>is 127.0.0.1).
>
>This patch finally implements that. Although beware that this patch
>will need you to either create custom policy or to set selinux in
>permissive mode until the new policy lands in fedora land.
>
>Bugs have been opened and I think the policy has already landed in
>rawhide.
>
>Simo.
>
>-- 
>Simo Sorce * Red Hat, Inc * New York

From rcritten at redhat.com Thu Jan 20 18:05:16 2011
From: rcritten at redhat.com (Rob Crittenden)
Date: Thu, 20 Jan 2011 13:05:16 -0500
Subject: [Freeipa-devel] [PATCH] 683 block anonymous access to hbac info
In-Reply-To: <20110119182825.2b5041ef@willson.li.ssimo.org>
References: <4D376B0C.8050901@redhat.com> <20110119182825.2b5041ef@willson.li.ssimo.org>
Message-ID: <4D38795C.1010906@redhat.com>

Simo Sorce wrote:
> On Wed, 19 Jan 2011 17:51:56 -0500
> Rob Crittenden wrote:
>
>> +aci: (targetattr = "member || memberOf || memberHost ||
>> memberUser")(version 3.0; acl "No anonymous access to member
>> information"; deny (read,search,compare) userdn != "ldap:///all";)
>
> Nack, without 'member', nss_ldap will have no way to determine
> posixAccount group memberships using anonymous access (the default).
>
> Simo.
>

Ok, dropped member and added an aci for cn=roles.

rob

-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-rcrit-683-2-aci.patch
Type: text/x-patch
Size: 3872 bytes
Desc: not available
URL:

From rcritten at redhat.com Thu Jan 20 18:11:32 2011
From: rcritten at redhat.com (Rob Crittenden)
Date: Thu, 20 Jan 2011 13:11:32 -0500
Subject: [Freeipa-devel] [PATCH] 0065 Use ldapi with krb5kdc
In-Reply-To:
References:
Message-ID: <4D387AD4.30901@redhat.com>

JR Aquino wrote:
> NACK.
>
> Please retest this... I'm not sure how it is related, but I receive an
> error during the make rpm process:
>
> Traceback (most recent call last):
>   File "./makeapi", line 27, in
>     from ipalib import *
>   File "/usr/src/freeipa/rpmbuild/BUILD/freeipa-2.0.0GITb9ad279/ipalib/__init__.py", line 878, in
>     from frontend import Command, LocalOrRemote
>   File "/usr/src/freeipa/rpmbuild/BUILD/freeipa-2.0.0GITb9ad279/ipalib/frontend.py", line 36, in
>     from ipapython.version import API_VERSION
>   File "/usr/src/freeipa/rpmbuild/BUILD/freeipa-2.0.0GITb9ad279/ipapython/version.py", line 25, in
>     NUM_VERSION=200
> NameError: name '__NUM_VERSION__' is not defined
> make[1]: *** [version-update] Error 1
> make[1]: Leaving directory `/usr/src/freeipa/rpmbuild/BUILD/freeipa-2.0.0GITb9ad279'
> error: Bad exit status from /var/tmp/rpm-tmp.315pIJ (%build)
>
>
> RPM build errors:
>     Bad exit status from /var/tmp/rpm-tmp.315pIJ (%build)
> make: *** [rpms] Error 1

This error is unrelated though I'm unsure what is broken. The first thing the build should do is run the version-update target which will do substitutions in ipapython/version.py.in into ipapython/version.py. It seems that didn't happen or is otherwise broken. Can you see if version-update is being called by make?

rob

From JR.Aquino at citrix.com Thu Jan 20 19:24:59 2011
From: JR.Aquino at citrix.com (JR Aquino)
Date: Thu, 20 Jan 2011 19:24:59 +0000
Subject: [Freeipa-devel] [PATCH] 0065 Use ldapi with krb5kdc
In-Reply-To: <4D387AD4.30901@redhat.com>
Message-ID:

On 1/20/11 10:11 AM, "Rob Crittenden" wrote:
>JR Aquino wrote:
>> NACK.
>>
>> Please retest this... I'm not sure how it is related, but I receive an
>> error during the make rpm process:
>>
>> Traceback (most recent call last):
>>   File "./makeapi", line 27, in
>>     from ipalib import *
>>   File "/usr/src/freeipa/rpmbuild/BUILD/freeipa-2.0.0GITb9ad279/ipalib/__init__.py", line 878, in
>>     from frontend import Command, LocalOrRemote
>>   File "/usr/src/freeipa/rpmbuild/BUILD/freeipa-2.0.0GITb9ad279/ipalib/frontend.py", line 36, in
>>     from ipapython.version import API_VERSION
>>   File "/usr/src/freeipa/rpmbuild/BUILD/freeipa-2.0.0GITb9ad279/ipapython/version.py", line 25, in
>>     NUM_VERSION=200
>> NameError: name '__NUM_VERSION__' is not defined
>> make[1]: *** [version-update] Error 1
>> make[1]: Leaving directory `/usr/src/freeipa/rpmbuild/BUILD/freeipa-2.0.0GITb9ad279'
>> error: Bad exit status from /var/tmp/rpm-tmp.315pIJ (%build)
>>
>>
>> RPM build errors:
>>     Bad exit status from /var/tmp/rpm-tmp.315pIJ (%build)
>> make: *** [rpms] Error 1
>
>This error is unrelated though I'm unsure what is broken. The first
>thing the build should do is run the version-update target which will do
>substitutions in ipapython/version.py.in into ipapython/version.py. It
>seems that didn't happen or is otherwise broken. Can you see if
>version-update is being called by make?
>
>rob

Thank you for catching that Rob! This was unrelated. Did a full remove and a new clone.

Patch works correctly.

ACK

From edewata at redhat.com Thu Jan 20 19:48:28 2011
From: edewata at redhat.com (Endi Sukma Dewata)
Date: Fri, 21 Jan 2011 02:48:28 +0700
Subject: [Freeipa-devel] [PATCH] admiyo-0154-declarative-defintions
In-Reply-To: <4D385E67.8030507@redhat.com>
References: <4D385E67.8030507@redhat.com>
Message-ID: <4D38918C.4060804@redhat.com>

On 1/20/2011 11:10 PM, Adam Young wrote:
> If you ACK, please don't push, but let me do so, as it will likely
> conflict with other UI work.

There are no major issues, just some comments:

1. The declarative definition is a bit inconsistent. Some methods like association() take a spec, but other methods like facet() take an object instance.

   association({
       'name': 'netgroup',
       'associator': 'serial'
   }).
   facet(
       IPA.search_facet({
           'name': 'search',
           'label': 'Search'
       }).

2. The diff tool uses the first line of the function to mark the chunks like this:

   @@ -593,10 +593,7 @@ IPA.permission = function () {

   Having a function name in the first line would make it easier to read. Compare this definition:

   IPA.permission = function () {

   with this definition:

   IPA.register_entity(function () {

3. The following lines (webui.js:128-133):

   IPA.start_entities();
   for (var i=0; i

From: rcritten at redhat.com (Rob Crittenden)
Subject: [Freeipa-devel] [PATCH] 684 rename INTERNAL to NO_CLI
Message-ID: <4D3896C6.2080409@redhat.com>

If we don't want a command to be available on the command-line we need to set a flag in the command. The original was INTERNAL but this was a bit misleading because the command is still available to the XML-RPC listener. Rename it to NO_CLI instead.

Also make i18n_messages and json_metadata NO_CLI.

ticket 821

rob

-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-rcrit-684-nocli.patch
Type: text/x-patch
Size: 8177 bytes
Desc: not available
URL:

From ssorce at redhat.com Thu Jan 20 20:44:48 2011
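Rob's point in patch 684 is that a command hidden from the command line is still served to every remote caller, so "INTERNAL" was the wrong name. As an added example (not FreeIPA's code), the toy registry below has a CLI front end that skips NO_CLI commands and an RPC front end that does not; the command names follow the thread, while the flag constant, registry and front-end functions are invented for illustration.

```python
"""Hidden from the CLI is not the same as unreachable.

Added example, not FreeIPA's code: a minimal command registry with the two
front ends the thread talks about. The CLI leaves NO_CLI commands out; the
RPC dispatcher serves everything registered, so a NO_CLI command still needs
its own authorisation checks server-side.
"""

NO_CLI = 'no_cli'   # constructed flag name, standing in for the rename in patch 684


class CommandError(Exception):
    """Unknown command or method for the front end that was asked."""


class Command:
    """Base class: subclasses set `name`, optional `flags`, and `execute`."""
    name = None
    flags = frozenset()

    def execute(self, **options):
        raise NotImplementedError


class user_show(Command):
    name = 'user_show'

    def execute(self, **options):
        return {'result': {'uid': options.get('uid', 'admin')}}


class dns_is_enabled(Command):
    """Used by the web UI only: hidden from `ipa`, still callable remotely."""
    name = 'dns_is_enabled'
    flags = frozenset([NO_CLI])

    def execute(self, **options):
        return {'result': True}


class json_metadata(Command):
    name = 'json_metadata'
    flags = frozenset([NO_CLI])

    def execute(self, **options):
        return {'result': {'commands': sorted(REGISTRY)}}


REGISTRY = {cls.name: cls for cls in (user_show, dns_is_enabled, json_metadata)}


def cli_commands(registry):
    """What the command-line help would list: NO_CLI commands are left out."""
    return sorted(name for name, cls in registry.items() if NO_CLI not in cls.flags)


def cli_dispatch(registry, argv):
    """Command-line front end: a NO_CLI command is treated as unknown."""
    name = argv[0]
    cls = registry.get(name)
    if cls is None or NO_CLI in cls.flags:
        raise CommandError("unknown command %r" % name)
    options = dict(arg.split('=', 1) for arg in argv[1:])
    return cls().execute(**options)


def rpc_dispatch(registry, method, params):
    """XML-RPC style front end: serves every registered command, flag or not."""
    cls = registry.get(method)
    if cls is None:
        raise CommandError("unknown method %r" % method)
    return cls().execute(**params)


def reachable_via(registry, name):
    """Front ends that can run `name`; shows that NO_CLI only narrows the CLI."""
    fronts = set()
    try:
        cli_dispatch(registry, [name])
        fronts.add('cli')
    except CommandError:
        pass
    try:
        rpc_dispatch(registry, name, {})
        fronts.add('rpc')
    except CommandError:
        pass
    return fronts


if __name__ == '__main__':
    print(cli_commands(REGISTRY))                       # ['user_show']
    for cmd in sorted(REGISTRY):
        print(cmd, sorted(reachable_via(REGISTRY, cmd)))
```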
From: ssorce at redhat.com (Simo Sorce)
Date: Thu, 20 Jan 2011 15:44:48 -0500
Subject: [Freeipa-devel] [PATCH] 0067 Fix dns_is_enabled command
Message-ID: <20110120154448.0d9b42e1@willson.li.ssimo.org>

Stupid typos broke it.

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York

-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-simo-0067-Fix-dns_is_enabled-command.patch
Type: text/x-patch
Size: 1224 bytes
Desc: not available
URL:

From ssorce at redhat.com Thu Jan 20 20:52:50 2011
From: ssorce at redhat.com (Simo Sorce)
Date: Thu, 20 Jan 2011 15:52:50 -0500
Subject: [Freeipa-devel] [PATCH] 0065 Use ldapi with krb5kdc
In-Reply-To:
References: <4D387AD4.30901@redhat.com>
Message-ID: <20110120155250.1b8bcec7@willson.li.ssimo.org>

On Thu, 20 Jan 2011 19:24:59 +0000 JR Aquino wrote:
> Patch works correctly.
>
> ACK

thanks, pushed to master.

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York

From ssorce at redhat.com Thu Jan 20 20:53:27 2011
From: ssorce at redhat.com (Simo Sorce)
Date: Thu, 20 Jan 2011 15:53:27 -0500
Subject: [Freeipa-devel] [PATCH] 0064 Fix authentication for init scripts
In-Reply-To:
References: <20110119183142.5be596ce@willson.li.ssimo.org>
Message-ID: <20110120155327.3a3f5d15@willson.li.ssimo.org>

On Thu, 20 Jan 2011 15:23:11 +0000 JR Aquino wrote:
> ACK

On Thu, 20 Jan 2011 11:14:02 -0500 Rob Crittenden wrote:
> ack

Thanks to the both of you :-)

Pushed to master.

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York

From ayoung at redhat.com Thu Jan 20 21:08:52 2011
From: ayoung at redhat.com (Adam Young)
Date: Thu, 20 Jan 2011 16:08:52 -0500
Subject: [Freeipa-devel] [PATCH] 0067 Fix dns_is_enabled command
In-Reply-To: <20110120154448.0d9b42e1@willson.li.ssimo.org>
References: <20110120154448.0d9b42e1@willson.li.ssimo.org>
Message-ID: <4D38A464.3020501@redhat.com>

On 01/20/2011 03:44 PM, Simo Sorce wrote:
> Stupid typos broke it.
>
> Simo.

ACK and pushed to master

-------------- next part --------------
An HTML attachment was scrubbed...
URL:

From kybaker at redhat.com Thu Jan 20 21:22:02 2011
From: kybaker at redhat.com (Kyle Baker)
Date: Thu, 20 Jan 2011 16:22:02 -0500 (EST)
Subject: [Freeipa-devel] [PATCH] 0002-Main-UI-migration-and-html-Style-updates 0003-deleteing-migration-css
In-Reply-To: <79488204.74617.1295558473977.JavaMail.root@zmail05.collab.prod.int.phx2.redhat.com>
Message-ID: <523239977.74632.1295558522713.JavaMail.root@zmail05.collab.prod.int.phx2.redhat.com>

UI Style Changes

-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-kylebaker-0002-Main-UI-migration-and-html-Style-updates.patch
Type: text/x-patch
Size: 348165 bytes
Desc: not available
URL:
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-kylebaker-0003-deleteing-migration-css.patch
Type: text/x-patch
Size: 1656 bytes
Desc: not available
URL:

From ayoung at redhat.com Thu Jan 20 21:28:22 2011
From: ayoung at redhat.com (Adam Young)
Date: Thu, 20 Jan 2011 16:28:22 -0500
Subject: [Freeipa-devel] [PATCH] 0002-Main-UI-migration-and-html-Style-updates 0003-deleteing-migration-css
In-Reply-To: <523239977.74632.1295558522713.JavaMail.root@zmail05.collab.prod.int.phx2.redhat.com>
References: <523239977.74632.1295558522713.JavaMail.root@zmail05.collab.prod.int.phx2.redhat.com>
Message-ID: <4D38A8F6.6000507@redhat.com>

On 01/20/2011 04:22 PM, Kyle Baker wrote:
> UI Style Changes

ACK in general, with a couple of minor caveats:

This duplicates the Font files and the jquery-ui assets. We can fix that by using relative URLs.

I can fix that, squash these two, and push.

-------------- next part --------------
An HTML attachment was scrubbed...
URL:

From mgregg at redhat.com Thu Jan 20 21:37:04 2011
From: mgregg at redhat.com (Michael Gregg)
Date: Thu, 20 Jan 2011 13:37:04 -0800
Subject: [Freeipa-devel] [PATCH] 039 Delete the whole DNS record with no parameters
In-Reply-To: <4D38325E.4060901@redhat.com>
References: <4D38325E.4060901@redhat.com>
Message-ID: <4D38AB00.3040701@redhat.com>

Jakub Hrozek wrote:
> Hi,
>
> as discussed in https://bugzilla.redhat.com/show_bug.cgi?id=671019 to
> delete a DNS RR one has to remove its record types one by one.
>
> This patch modifies the behaviour so that if the user runs dnsrecord-del
> with no other parameters, the whole record is removed.
>
> Alternative solutions might be to expose the internal command that is
> able to delete the record (although I think it is counterintuitive to
> have one command to remove record types and one for the whole record) or
> have a special flag (--del-all?) to remove the whole record.
>
> The patch also fixes the unit tests as they didn't reflect all the
> recent changes.
>

Going with this patch sounds good, but to make sure, I polled several people here, and they all seemed to think that having to add a --del-all or --del-record flag at the end would be better as it would be less prone to failure where admins would accidentally delete an entire record because they didn't specify anything after the " "

So, maybe we do need a --del-all or --del-record operator.

Michael-

From rcritten at redhat.com Thu Jan 20 21:53:43 2011
From: rcritten at redhat.com (Rob Crittenden)
Date: Thu, 20 Jan 2011 16:53:43 -0500
Subject: [Freeipa-devel] [PATCH] 685 basic filter tests for acis
Message-ID: <4D38AEE7.9090703@redhat.com>

An aci can take a filter as a target. This adds some bare minimum validation to it. It disallows empty filters and executes a search with the filter to see if it is at least well-formed (doesn't mean it will do what the user expects).

Note that some odd looking things are actually valid search filters such as 'cn' and 'cn='.

ticket 808

rob

-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-rcrit-685-filter.patch
Type: text/x-patch
Size: 4016 bytes
Desc: not available
URL:

From dpal at redhat.com Thu Jan 20 22:27:37 2011
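Rob's 685 patch validates an ACI target filter by rejecting an empty one and then running a search with it. As an added example (not FreeIPA's code), the checker below does the syntax half of that offline against the RFC 4515 grammar; it is stricter than the directory server, so the odd-but-accepted forms Rob mentions ('cn', 'cn=') fail here, and the server-side search his patch performs remains the authoritative test.

```python
"""Offline well-formedness check for an ACI target filter (RFC 4515 subset).

Added example, not FreeIPA's code: mirrors the two checks in patch 685
(reject an empty filter, then see whether it parses) without needing a
directory server. Extensible matches (attr:rule:=value) are not handled,
and the bare 'cn' / 'cn=' forms the server tolerates are rejected here.
"""
import re

# attribute description: descr with optional ;options, or a numeric OID
ATTR_RE = re.compile(r'[A-Za-z][A-Za-z0-9-]*(?:;[A-Za-z0-9-]+)*|\d+(?:\.\d+)*')
HEXPAIR_RE = re.compile(r'[0-9A-Fa-f]{2}')


class FilterError(ValueError):
    """The filter is empty or not syntactically well-formed."""


class _Parser:
    def __init__(self, text):
        self.s = text
        self.i = 0

    def peek(self):
        return self.s[self.i] if self.i < len(self.s) else ''

    def expect(self, ch):
        if self.peek() != ch:
            raise FilterError("expected %r at offset %d" % (ch, self.i))
        self.i += 1

    def parse_filter(self):
        """filter = '(' filtercomp ')'"""
        self.expect('(')
        c = self.peek()
        if c in ('&', '|'):            # and / or: one or more nested filters
            self.i += 1
            count = 0
            while self.peek() == '(':
                self.parse_filter()
                count += 1
            if count == 0:
                raise FilterError("empty %r list at offset %d" % (c, self.i))
        elif c == '!':                 # not: exactly one nested filter
            self.i += 1
            self.parse_filter()
        else:
            self.parse_item()
        self.expect(')')

    def parse_item(self):
        """item = attr ('=' | '~=' | '>=' | '<=') value"""
        m = ATTR_RE.match(self.s, self.i)
        if not m:
            raise FilterError("missing attribute at offset %d" % self.i)
        self.i = m.end()
        if self.peek() in ('~', '>', '<'):
            self.i += 1
        self.expect('=')
        self.parse_value()

    def parse_value(self):
        """value = 0*(char | '*' | '\\' hexpair); '(' and ')' must be escaped"""
        while True:
            c = self.peek()
            if c == '':
                raise FilterError("unterminated value at offset %d" % self.i)
            if c == ')':
                return
            if c == '(':
                raise FilterError("unescaped '(' at offset %d" % self.i)
            if c == '\\':
                if not HEXPAIR_RE.fullmatch(self.s, self.i + 1, self.i + 3):
                    raise FilterError("bad escape at offset %d" % self.i)
                self.i += 3
                continue
            self.i += 1


def validate_filter(text):
    """Return True for a well-formed filter; raise FilterError otherwise."""
    if text is None or not text.strip():
        raise FilterError("filter is empty")
    p = _Parser(text.strip())
    p.parse_filter()
    if p.i != len(p.s):
        raise FilterError("trailing characters at offset %d" % p.i)
    return True


def is_well_formed(text):
    """Boolean form of validate_filter() for callers that only want yes/no."""
    try:
        return validate_filter(text)
    except FilterError:
        return False


if __name__ == '__main__':
    for f in ('', '(cn=*)', '(&(objectClass=person)(uid=admin))', 'cn', 'cn=', '(cn=foo'):
        print('%-40r %s' % (f, 'ok' if is_well_formed(f) else 'rejected'))
```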
From: dpal at redhat.com (Dmitri Pal)
Date: Thu, 20 Jan 2011 17:27:37 -0500
Subject: [Freeipa-devel] [PATCH] 039 Delete the whole DNS record with no parameters
In-Reply-To: <4D38AB00.3040701@redhat.com>
References: <4D38325E.4060901@redhat.com> <4D38AB00.3040701@redhat.com>
Message-ID: <4D38B6D9.9080408@redhat.com>

Michael Gregg wrote:
> Jakub Hrozek wrote:
> Hi,
>
> as discussed in https://bugzilla.redhat.com/show_bug.cgi?id=671019 to
> delete a DNS RR one has to remove its record types one by one.
>
> This patch modifies the behaviour so that if the user runs dnsrecord-del
> with no other parameters, the whole record is removed.
>
> Alternative solutions might be to expose the internal command that is
> able to delete the record (although I think it is counterintuitive to
> have one command to remove record types and one for the whole record) or
> have a special flag (--del-all?) to remove the whole record.
>
> The patch also fixes the unit tests as they didn't reflect all the
> recent changes.
> Going with this patch sounds good, but to make sure, I polled several
> people here, and they all seemed to think that having to add a --del-all
> or --del-record flag at the end would be better as it would be less prone
> to failure where admins would accidentally delete an entire record because
> they didn't specify anything after the " "
> So, maybe we do need a --del-all or --del-record operator.

Agree.

> Michael-

-- 
Thank you,
Dmitri Pal

Sr. Engineering Manager IPA project,
Red Hat Inc.

-------------------------------
Looking to carve out IT costs?
www.redhat.com/carveoutcosts/

From ssorce at redhat.com Thu Jan 20 22:53:36 2011
From: ssorce at redhat.com (Simo Sorce)
Date: Thu, 20 Jan 2011 17:53:36 -0500
Subject: [Freeipa-devel] [PATCH] 039 Delete the whole DNS record with no parameters
In-Reply-To: <4D38B6D9.9080408@redhat.com>
References: <4D38325E.4060901@redhat.com> <4D38AB00.3040701@redhat.com> <4D38B6D9.9080408@redhat.com>
Message-ID: <20110120175336.0eba6460@willson.li.ssimo.org>

On Thu, 20 Jan 2011 17:27:37 -0500 Dmitri Pal wrote:
> Michael Gregg wrote:
> > Jakub Hrozek wrote:
> > Hi,
> >
> > as discussed in https://bugzilla.redhat.com/show_bug.cgi?id=671019
> > to delete a DNS RR one has to remove its record types one by one.
> >
> > This patch modifies the behaviour so that if the user runs
> > dnsrecord-del with no other parameters, the
> > whole record is removed.
> >
> > Alternative solutions might be to expose the internal command that
> > is able to delete the record (although I think it is
> > counterintuitive to have one command to remove record types and one
> > for the whole record) or have a special flag (--del-all?) to remove
> > the whole record.
> >
> > The patch also fixes the unit tests as they didn't reflect all the
> > recent changes.
> > Going with this patch sounds good, but to make sure, I polled
> > several people here, and they all seemed to think that having to add a
> > --del-all or --del-record flag at the end would be better as it would
> > be less prone to failure where admins would accidentally delete an
> > entire record because they didn't specify anything after the " "
> > So, maybe we do need a --del-all or --del-record operator.
>
> Agree.

+1

Someone may simply push enter accidentally while checking what to write after the command. It would be rather unfortunate.

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York

From JR.Aquino at citrix.com Thu Jan 20 23:07:03 2011
From: JR.Aquino at citrix.com (JR Aquino)
Date: Thu, 20 Jan 2011 23:07:03 +0000
Subject: [Freeipa-devel] [PATCH] 683 block anonymous access to hbac info
In-Reply-To: <4D38795C.1010906@redhat.com>
Message-ID:

On 1/20/11 10:05 AM, "Rob Crittenden" wrote:
>Simo Sorce wrote:
>> On Wed, 19 Jan 2011 17:51:56 -0500
>> Rob Crittenden wrote:
>>
>>> +aci: (targetattr = "member || memberOf || memberHost ||
>>> memberUser")(version 3.0; acl "No anonymous access to member
>>> information"; deny (read,search,compare) userdn != "ldap:///all";)
>>
>> Nack, without 'member', nss_ldap will have no way to determine
>> posixAccount group memberships using anonymous access (the default).
>>
>> Simo.
>>
>
>Ok, dropped member and added an aci for cn=roles.
>
>rob

ACK

From jzeleny at redhat.com Fri Jan 21 08:15:48 2011
From: jzeleny at redhat.com (Jan Zeleny)
Date: Fri, 21 Jan 2011 09:15:48 +0100
Subject: [Freeipa-devel] [PATCH] Add support for account unlocking
Message-ID: <201101210915.48299.jzeleny@redhat.com>

This patch adds command ipa user-unlock and some LDAP modifications which are required by Kerberos for unlocking to work.

Ticket: https://fedorahosted.org/freeipa/ticket/344

Jan

-------------- next part --------------
A non-text attachment was scrubbed...
Name: jzeleny-freeipa-0025-Add-support-for-account-unlocking.patch
Type: text/x-patch
Size: 9366 bytes
Desc: not available
URL:

From pzuna at redhat.com Fri Jan 21 09:35:17 2011
From: pzuna at redhat.com (Pavel Zůna)
Date: Fri, 21 Jan 2011 10:35:17 +0100
Subject: [Freeipa-devel] [PATCH] Fix crash when displaying values composed of white chars only in CLI.
Message-ID: <4D395355.5050307@redhat.com>

Fix #825

Pavel

-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-pzuna-63-cliwhitechars.patch
Type: text/x-patch
Size: 846 bytes
Desc: not available
URL:

From jhrozek at redhat.com Fri Jan 21 10:43:02 2011
From: jhrozek at redhat.com (Jakub Hrozek)
Date: Fri, 21 Jan 2011 11:43:02 +0100
Subject: [Freeipa-devel] [PATCH] 040 Assorted bugs found by pylint
Message-ID: <4D396336.3090501@redhat.com>

https://fedorahosted.org/freeipa/ticket/358

Another part of this effort is running pylint during build. I have started on this, but because we use python's dynamic features quite a lot, pylint produces a big number of false positives. I wrote a small pylint plugin that helps (so it allowed me to review the pylint results sanely), but it's still not complete - I'd like to resume that work during the 2.0.1 bug fixing as there are more pressing issues right now, I think.

-------------- next part --------------
A non-text attachment was scrubbed...
Name: jhrozek-freipa-040-pylint-fixes.patch
Type: text/x-patch
Size: 12338 bytes
Desc: not available
URL:
-------------- next part --------------
A non-text attachment was scrubbed...
Name: jhrozek-freipa-040-pylint-fixes.patch.sig
Type: application/pgp-signature
Size: 72 bytes
Desc: not available
URL:

From jhrozek at redhat.com Fri Jan 21 15:06:33 2011
From: jhrozek at redhat.com (Jakub Hrozek)
Date: Fri, 21 Jan 2011 16:06:33 +0100
Subject: [Freeipa-devel] [PATCH] 039 Delete the whole DNS record with no parameters
In-Reply-To: <20110120175336.0eba6460@willson.li.ssimo.org>
References: <4D38325E.4060901@redhat.com> <4D38AB00.3040701@redhat.com> <4D38B6D9.9080408@redhat.com> <20110120175336.0eba6460@willson.li.ssimo.org>
Message-ID: <4D39A0F9.4030502@redhat.com>

On 01/20/2011 11:53 PM, Simo Sorce wrote:
> On Thu, 20 Jan 2011 17:27:37 -0500
> Dmitri Pal wrote:
>
>> Michael Gregg wrote:
>>> Jakub Hrozek wrote:
>>> Hi,
>>>
>>> as discussed in https://bugzilla.redhat.com/show_bug.cgi?id=671019
>>> to delete a DNS RR one has to remove its record types one by one.
>>>
>>> This patch modifies the behaviour so that if the user runs
>>> dnsrecord-del with no other parameters, the
>>> whole record is removed.
>>>
>>> Alternative solutions might be to expose the internal command that
>>> is able to delete the record (although I think it is
>>> counterintuitive to have one command to remove record types and one
>>> for the whole record) or have a special flag (--del-all?) to remove
>>> the whole record.
>>>
>>> The patch also fixes the unit tests as they didn't reflect all the
>>> recent changes.
>>
>>> Going with this patch sounds good, but to make sure, I polled
>>> several people here, and they all seemed to think that having to add a
>>> --del-all or --del-record flag at the end would be better as it would
>>> be less prone to failure where admins would accidentally delete an
>>> entire record because they didn't specify anything after the " "
>>
>>> So, maybe we do need a --del-all or --del-record operator.
>>
>> Agree.
>
> +1
> Someone may simply push enter accidentally while checking what to write
> after the command. It would be rather unfortunate.
>
> Simo.
>

Attached is a new version of the patch that implements --del-all.
It also reports failure when deleting a nonexistent RR (new ticket 829).

-------------- next part --------------
A non-text attachment was scrubbed...
Name: jhrozek-freeipa-039-02-dns-record-del.patch
Type: text/x-patch
Size: 7586 bytes
Desc: not available
URL:
-------------- next part --------------
A non-text attachment was scrubbed...
Name: jhrozek-freeipa-039-02-dns-record-del.patch.sig
Type: application/pgp-signature
Size: 72 bytes
Desc: not available
URL:

From jhrozek at redhat.com Fri Jan 21 15:18:10 2011
From: jhrozek at redhat.com (Jakub Hrozek)
Date: Fri, 21 Jan 2011 16:18:10 +0100
Subject: [Freeipa-devel] [PATCH] 684 rename INTERNAL to NO_CLI
In-Reply-To: <4D3896C6.2080409@redhat.com>
References: <4D3896C6.2080409@redhat.com>
Message-ID: <4D39A3B2.2050107@redhat.com>

On 01/20/2011 09:10 PM, Rob Crittenden wrote:
> If we don't want a command to be available on the command-line we need
> to set a flag in the command. The original was INTERNAL but this was a
> bit misleading because the command is still available to the XML-RPC
> listener. Rename it to NO_CLI instead.
>
> Also make i18n_messages and json_metadata NO_CLI.
>
> ticket 821
>
> rob
>

There's still dns_is_enabled() marked as INTERNAL. Other than that, the patch is fine, so feel free to push after fixing that one place.

Jakub

From jhrozek at redhat.com Fri Jan 21 15:20:18 2011
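The 039 thread above settles on an explicit --del-all flag so that dnsrecord-del with nothing else given cannot silently remove a whole record, and Jakub's second version also reports failure for a nonexistent RR. As an added example, not the patch's own code, the function below models that behaviour over a constructed in-memory zone; the zone layout, the exception classes and the helper names are assumptions made for the demo.

```python
"""Safe-by-default deletion for a dnsrecord-del style command.

Added example, not the 039 patch's code: running the command with no record
types is an error, removing the whole record needs an explicit --del-all,
and a nonexistent record or type reports failure instead of succeeding
silently (ticket 829). The zone below is constructed for the demo.
"""
import copy


class NotFound(Exception):
    """The named record, or one of the given types/values, does not exist."""


class UsageError(Exception):
    """The combination of arguments is ambiguous or incomplete."""


# constructed sample zone: owner name -> {rrtype: [values]}
_SAMPLE = {
    'www':  {'A': ['192.0.2.10'], 'TXT': ['v=spf1 -all']},
    'mail': {'A': ['192.0.2.20'], 'MX': ['10 mail.example.test.']},
}


def sample_zone():
    """Fresh copy of the constructed zone so each call starts from the same state."""
    return copy.deepcopy(_SAMPLE)


def dnsrecord_del(zone, name, del_all=False, **rr):
    """Delete record types from `name`, or the whole record with del_all.

    `rr` maps an rrtype ('A', 'TXT', ...) to the list of values to remove.
    Returns the rrtypes still present for `name` afterwards ([] when the
    record is gone). Everything is validated before the zone is touched, so
    a bad type in a multi-type call leaves the record unchanged.
    """
    if name not in zone:
        raise NotFound("%s: DNS resource record not found" % name)
    entry = zone[name]
    wanted = {rrtype: values for rrtype, values in rr.items() if values}

    if del_all:
        if wanted:
            raise UsageError("--del-all cannot be combined with record types")
        del zone[name]
        return []
    if not wanted:
        # the case the thread worried about: a bare `dnsrecord-del zone name`
        raise UsageError("no record types given; use --del-all to remove the whole record")

    for rrtype, values in wanted.items():
        if rrtype not in entry:
            raise NotFound("%s: no %s record" % (name, rrtype))
        missing = [v for v in values if v not in entry[rrtype]]
        if missing:
            raise NotFound("%s: %s value(s) not found: %s" % (name, rrtype, ', '.join(missing)))

    for rrtype, values in wanted.items():
        entry[rrtype] = [v for v in entry[rrtype] if v not in values]
        if not entry[rrtype]:
            del entry[rrtype]
    if not entry:
        del zone[name]          # last type removed: the record itself goes away
    return sorted(entry)


def try_del(zone, name, del_all=False, **rr):
    """Run dnsrecord_del and report (status, rrtypes left for name)."""
    try:
        dnsrecord_del(zone, name, del_all=del_all, **rr)
        status = 'ok'
    except UsageError:
        status = 'usage-error'
    except NotFound:
        status = 'not-found'
    return status, sorted(zone.get(name, {}))


if __name__ == '__main__':
    z = sample_zone()
    print(try_del(z, 'www'))                        # ('usage-error', ['A', 'TXT'])
    print(try_del(z, 'www', TXT=['v=spf1 -all']))   # ('ok', ['A'])
    print(try_del(z, 'www', del_all=True))          # ('ok', [])
    print(try_del(z, 'www', del_all=True))          # ('not-found', [])
```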
From: jhrozek at redhat.com (Jakub Hrozek)
Date: Fri, 21 Jan 2011 16:20:18 +0100
Subject: [Freeipa-devel] [PATCH] Fix crash when displaying values composed of white chars only in CLI.
In-Reply-To: <4D395355.5050307@redhat.com>
References: <4D395355.5050307@redhat.com>
Message-ID: <4D39A432.1040504@redhat.com>

On 01/21/2011 10:35 AM, Pavel Zůna wrote:
> Fix #825
>
> Pavel

Ack

From jhrozek at redhat.com Fri Jan 21 15:31:11 2011
From: jhrozek at redhat.com (Jakub Hrozek)
Date: Fri, 21 Jan 2011 16:31:11 +0100
Subject: [Freeipa-devel] [PATCH] 685 basic filter tests for acis
In-Reply-To: <4D38AEE7.9090703@redhat.com>
References: <4D38AEE7.9090703@redhat.com>
Message-ID: <4D39A6BF.60908@redhat.com>

On 01/20/2011 10:53 PM, Rob Crittenden wrote:
> An aci can take a filter as a target. This adds some bare minimum validation to it. It disallows empty filters and executes a search with the filter to see if it is at least well-formed (doesn't mean it will do what the user expects).
>
> Note that some odd looking things are actually valid search filters such as 'cn' and 'cn='.
>
> ticket 808
>
> rob

Ack

From jzeleny at redhat.com Fri Jan 21 15:34:58 2011
From: jzeleny at redhat.com (Jan Zeleny)
Date: Fri, 21 Jan 2011 16:34:58 +0100
Subject: [Freeipa-devel] [PATCH] Make command syntax less confusing in help
Message-ID: <201101211634.59054.jzeleny@redhat.com>

The patch adds [options] to the syntax line of ipa help

https://fedorahosted.org/freeipa/ticket/733

Jan

Attachment: jzeleny-freeipa-0026-Make-command-syntax-less-confusing-in-help.patch (text/x-patch, 814 bytes)

From rcritten at redhat.com Fri Jan 21 15:42:52 2011
From: rcritten at redhat.com (Rob Crittenden)
Date: Fri, 21 Jan 2011 10:42:52 -0500
Subject: [Freeipa-devel] [PATCH] 686 ipa-client-install output
Message-ID: <4D39A97C.1080102@redhat.com>

When running ipa-client-install in unattended mode there were some cases where there was no or not very helpful output describing what is missing.

ticket 828

rob

Attachment: freeipa-rcrit-686-client.patch (text/x-patch, 1847 bytes)

From rcritten at redhat.com Fri Jan 21 15:49:37 2011
From: rcritten at redhat.com (Rob Crittenden)
Date: Fri, 21 Jan 2011 10:49:37 -0500
Subject: [Freeipa-devel] [PATCH] 685 basic filter tests for acis
In-Reply-To: <4D39A6BF.60908@redhat.com>
References: <4D38AEE7.9090703@redhat.com> <4D39A6BF.60908@redhat.com>
Message-ID: <4D39AB11.9020100@redhat.com>

Jakub Hrozek wrote:
> On 01/20/2011 10:53 PM, Rob Crittenden wrote:
>> An aci can take a filter as a target. This adds some bare minimum validation to it. It disallows empty filters and executes a search with the filter to see if it is at least well-formed (doesn't mean it will do what the user expects).
>>
>> Note that some odd looking things are actually valid search filters such as 'cn' and 'cn='.
>>
>> ticket 808
>>
>> rob
>>
>
> Ack

pushed to master

From rcritten at redhat.com Fri Jan 21 15:56:33 2011
From: rcritten at redhat.com (Rob Crittenden)
Date: Fri, 21 Jan 2011 10:56:33 -0500
Subject: [Freeipa-devel] [PATCH] Make command syntax less confusing in help
In-Reply-To: <201101211634.59054.jzeleny@redhat.com>
References: <201101211634.59054.jzeleny@redhat.com>
Message-ID: <4D39ACB1.7080806@redhat.com>

Jan Zeleny wrote:
> The patch adds [options] to the syntax line of ipa help
>
> https://fedorahosted.org/freeipa/ticket/733
>
> Jan
>

ack, pushed to master

From rcritten at redhat.com Fri Jan 21 16:54:32 2011
From: rcritten at redhat.com (Rob Crittenden)
Date: Fri, 21 Jan 2011 11:54:32 -0500
Subject: [Freeipa-devel] [PATCH] 039 Delete the whole DNS record with no parameters
In-Reply-To: <4D39A0F9.4030502@redhat.com>
References: <4D38325E.4060901@redhat.com> <4D38AB00.3040701@redhat.com> <4D38B6D9.9080408@redhat.com> <20110120175336.0eba6460@willson.li.ssimo.org> <4D39A0F9.4030502@redhat.com>
Message-ID: <4D39BA48.4000907@redhat.com>

Jakub Hrozek wrote:
> On 01/20/2011 11:53 PM, Simo Sorce wrote:
>> On Thu, 20 Jan 2011 17:27:37 -0500 Dmitri Pal wrote:
>>
>>> Michael Gregg wrote:
>>>> Jakub Hrozek wrote:
>>>> Hi,
>>>>
>>>> as discussed in https://bugzilla.redhat.com/show_bug.cgi?id=671019 to delete a DNS RR one has to remove its record types one by one.
>>>>
>>>> This patch modifies the behaviour so that if the user runs dnsrecord-del with no other parameters, the whole record is removed.
>>>>
>>>> Alternative solutions might be to expose the internal command that is able to delete the record (although I think it is counterintuitive to have one command to remove record types and one for the whole record) or have a special flag (--del-all?) to remove the whole record.
>>>>
>>>> The patch also fixes the unit tests as they didn't reflect all the recent changes.
>>>
>>>> Going with this patch sounds good, but to make sure, I polled several
>>> people here, and they all seemed to think that having to add a --del-all or --del-record flag at the end would be better as it would be less prone to failure where admins would accidentally delete an entire record because they didn't specify anything after the " "
>>>
>>>> So, maybe we do need a --del-all or --del-record operator.
>>>
>>> Agree.
>>
>> +1
>> Someone may simply push enter accidentally while checking what to write after the command. It would be rather unfortunate.
>>
>> Simo.
>
> Attached is a new version of the patch that implements --del-all. It also reports failure when deleting a nonexistent RR (new ticket 829).

nack, this isn't working properly for me.

Here is how I tested:

- add a new zone, newzone1
- ipa dnsrecord-add newzone1 as --a-rec 3.4.5.6
- ipa dnsrecord-add newzone1 as
  Record name: as
  A record: 3.4.5.6
- ipa dnsrecord-show newzone1 as
  Record name: as
  A record: 3.4.5.6
- ipa dnsrecord-del newzone1 as --del-all
  [ no output ]
- ipa dnsrecord-show newzone1 as
  ipa: ERROR: as: DNS resource record not found

So a couple of problems:

1. An error should have been thrown when I tried a delete without a specific record type.
2. Some output should be displayed when I delete all records, at least a summary.

rob

From ssorce at redhat.com Fri Jan 21 17:07:08 2011
From: ssorce at redhat.com (Simo Sorce)
Date: Fri, 21 Jan 2011 12:07:08 -0500
Subject: [Freeipa-devel] [PATCH] 686 ipa-client-install output
In-Reply-To: <4D39A97C.1080102@redhat.com>
References: <4D39A97C.1080102@redhat.com>
Message-ID: <20110121120708.71facb14@willson.li.ssimo.org>

On Fri, 21 Jan 2011 10:42:52 -0500 Rob Crittenden wrote:
> When running ipa-client-install in unattended mode there were some cases where there was no or not very helpful output describing what is missing.
>
> ticket 828
>
> rob

ACK

Simo.

--
Simo Sorce * Red Hat, Inc * New York

From rcritten at redhat.com Fri Jan 21 18:48:11 2011
From: rcritten at redhat.com (Rob Crittenden)
Date: Fri, 21 Jan 2011 13:48:11 -0500
Subject: [Freeipa-devel] [PATCH] 686 ipa-client-install output
In-Reply-To: <20110121120708.71facb14@willson.li.ssimo.org>
References: <4D39A97C.1080102@redhat.com> <20110121120708.71facb14@willson.li.ssimo.org>
Message-ID: <4D39D4EB.7010709@redhat.com>

Simo Sorce wrote:
> On Fri, 21 Jan 2011 10:42:52 -0500 Rob Crittenden wrote:
>
>> When running ipa-client-install in unattended mode there were some cases where there was no or not very helpful output describing what is missing.
>>
>> ticket 828
>>
>> rob
>
> ACK
>
> Simo.
>

pushed to master

From jzeleny at redhat.com Fri Jan 21 18:49:52 2011
From: jzeleny at redhat.com (Jan Zeleny)
Date: Fri, 21 Jan 2011 19:49:52 +0100
Subject: [Freeipa-devel] [PATCH] Make ipa permission-add ask for optional attributes
Message-ID: <201101211949.52795.jzeleny@redhat.com>

Either one of type, filter, subtree, targetgroup, attrs or memberof is required.

https://fedorahosted.org/freeipa/ticket/819

Jan

Attachment: jzeleny-freeipa-0027-Make-ipa-permission-add-ask-for-optional-attributes.patch (text/x-patch, 2076 bytes)

From rcritten at redhat.com Fri Jan 21 18:56:30 2011
From: rcritten at redhat.com (Rob Crittenden)
Date: Fri, 21 Jan 2011 13:56:30 -0500
Subject: [Freeipa-devel] [PATCH] 684 rename INTERNAL to NO_CLI
In-Reply-To: <4D39A3B2.2050107@redhat.com>
References: <4D3896C6.2080409@redhat.com> <4D39A3B2.2050107@redhat.com>
Message-ID: <4D39D6DE.7030003@redhat.com>

Jakub Hrozek wrote:
> On 01/20/2011 09:10 PM, Rob Crittenden wrote:
>> If we don't want a command to be available on the command-line we need to set a flag in the command. The original was INTERNAL but this was a bit misleading because the command is still available to the XML-RPC listener. Rename it to NO_CLI instead.
>>
>> Also make i18n_messages and json_metadata NO_CLI.
>>
>> ticket 821
>>
>> rob
>>
>
> There's still dns_is_enabled() marked as INTERNAL. Other than that, the patch is fine, so feel free to push after fixing that one place.
>
> Jakub

re-based and pushed to master

rob

From rcritten at redhat.com Fri Jan 21 18:59:44 2011
From: rcritten at redhat.com (Rob Crittenden)
Date: Fri, 21 Jan 2011 13:59:44 -0500
Subject: [Freeipa-devel] [PATCH] 680 ldap lockout
In-Reply-To: <20110119085450.2e07be97@willson.li.ssimo.org>
References: <4D3465BB.9090604@redhat.com> <4D35A3BD.3070300@redhat.com> <4D35F151.8020202@redhat.com> <201101191415.05807.jzeleny@redhat.com> <20110119085450.2e07be97@willson.li.ssimo.org>
Message-ID: <4D39D7A0.5090508@redhat.com>

Simo Sorce wrote:
> On Wed, 19 Jan 2011 14:15:05 +0100 Jan Zelený wrote:
>
>> Rob Crittenden wrote:
>>> Rob Crittenden wrote:
>>>> Jan Zeleny wrote:
>>>>> Rob Crittenden wrote:
>>>>>> Update kerberos password policy values on LDAP binds. This is so locked-out accounts in kerberos don't try things using LDAP instead.
>>>>>>
>>>>>> On a failed bind this will update krbLoginFailedCount and krbLastFailedAuth and will potentially fail the bind altogether.
>>>>>>
>>>>>> On a successful bind it will zero krbLoginFailedCount and set krbLastSuccessfulAuth.
>>>>>>
>>>>>> This will also enforce locked-out accounts.
>>>>>>
>>>>>> See http://k5wiki.kerberos.org/wiki/Projects/Lockout for details on kerberos lockout.
>>>>>>
>>>>>> ticket 343
>>>>>
>>>>> Ack, good job
>>>>>
>>>>> Jan
>>>>
>>>> Simo and Nathan pointed out that the update model I'm using is vulnerable to multi-threaded attack and suggested that rather than using REPLACE I do a DELETE/ADD to be sure that I'm updating the counter appropriately. I've got the basics done, need to re-run through valgrind. Will submit another patch shortly.
>>>>
>>>> rob
>>>
>>> Updated patch attached. Be more careful when updating the failed count.
>>>
>>> rob
>>
>> The patch looks good and it works fine, if Simo doesn't have any more security comments: ACK.
>
> Patch looks good to me.
> I only wonder if it would make sense to try to cache the entry between the pre-op and the post-op, but given it is just fetched I guess DS caches it in memory anyways, so probably not a big deal in any case.
>
> Simo.
>

pushed to master

From rcritten at redhat.com Fri Jan 21 19:27:14 2011
From: rcritten at redhat.com (Rob Crittenden)
Date: Fri, 21 Jan 2011 14:27:14 -0500
Subject: [Freeipa-devel] [PATCH] Make ipa permission-add ask for optional attributes
In-Reply-To: <201101211949.52795.jzeleny@redhat.com>
References: <201101211949.52795.jzeleny@redhat.com>
Message-ID: <4D39DE12.8080306@redhat.com>

Jan Zeleny wrote:
> Either one of type, filter, subtree, targetgroup, attrs or memberof is required.
>
> https://fedorahosted.org/freeipa/ticket/819
>
> Jan

ack, pushed to master

From rcritten at redhat.com Fri Jan 21 19:31:11 2011
From: rcritten at redhat.com (Rob Crittenden)
Date: Fri, 21 Jan 2011 14:31:11 -0500
Subject: [Freeipa-devel] [PATCH] Fix crash when displaying values composed of white chars only in CLI.
In-Reply-To: <4D395355.5050307@redhat.com>
References: <4D395355.5050307@redhat.com>
Message-ID: <4D39DEFF.1050706@redhat.com>

Pavel Zůna wrote:
> Fix #825
>
> Pavel

Should we instead prevent storing white space? On the cli someone would have to go through the trouble of quoting the space but in the UI I think it would be pretty easy to accidentally hit a space on a field and save it.

rob

From ssorce at redhat.com Fri Jan 21 19:53:17 2011
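The REPLACE versus DELETE/ADD point from the "680 ldap lockout" thread above, as an added example that is not FreeIPA's code: a constructed in-memory stand-in for a directory entry with LDAP modify semantics (one modify request is all-or-nothing), showing how a read-then-REPLACE update of krbLoginFailedCount loses increments when several failed binds interleave between pre-op and post-op, while a DELETE of the value that was read plus an ADD of the incremented value in one modify is rejected on conflict and can be retried. The Entry class, bind() and the interleaving are assumptions made for illustration.

```python
# Added example, not FreeIPA's code.  Entry is a constructed in-memory stand-in
# for a directory entry; the attribute name krbLoginFailedCount comes from the
# thread, everything else here is an assumption made for illustration.

ATTR = "krbLoginFailedCount"


class LdapError(Exception):
    """Stand-in for an LDAP result code (e.g. noSuchAttribute)."""


class Entry:
    """Minimal model of one directory entry.  As on a real LDAP server, one
    modify request is atomic: either every change in it applies or none does."""

    def __init__(self, attrs):
        self.attrs = {k: set(v) for k, v in attrs.items()}

    def get_int(self, attr):
        vals = self.attrs.get(attr, set())
        return int(next(iter(vals))) if vals else 0

    def modify(self, mods):
        """mods is a list of (op, attr, value); op is replace, add or delete."""
        staged = {k: set(v) for k, v in self.attrs.items()}  # work on a copy
        for op, attr, value in mods:
            vals = staged.setdefault(attr, set())
            if op == "replace":
                vals.clear()
                vals.add(value)
            elif op == "add":
                if value in vals:
                    raise LdapError("attributeOrValueExists")
                vals.add(value)
            elif op == "delete":
                if value not in vals:
                    raise LdapError("noSuchAttribute")
                vals.remove(value)
            else:
                raise ValueError("unknown op %r" % op)
        self.attrs = staged  # commit every change at once


def bump_with_replace(entry, snapshot):
    """The first update model: write snapshot+1 with REPLACE.  Whatever another
    bind wrote since `snapshot` was read is silently overwritten."""
    entry.modify([("replace", ATTR, str(snapshot + 1))])
    return True


def bump_with_delete_add(entry, snapshot):
    """The revised model: DELETE the exact value that was read and ADD the
    incremented value in one modify.  If another bind already moved the
    counter, the DELETE no longer matches, the whole modify is rejected and
    the caller re-reads and retries, so no increment is lost."""
    try:
        entry.modify([("delete", ATTR, str(snapshot)),
                      ("add", ATTR, str(snapshot + 1))])
        return True
    except LdapError:
        return False


def concurrent_failed_binds(bump, n_binds):
    """Constructed worst-case interleaving: every failed bind reads the counter
    (the plugin's pre-op) before any of them writes it back (the post-op).
    Returns the final counter; a correct update model yields n_binds."""
    entry = Entry({ATTR: {"0"}})
    snapshots = [entry.get_int(ATTR) for _ in range(n_binds)]
    for snap in snapshots:
        while not bump(entry, snap):
            snap = entry.get_int(ATTR)  # conflict detected: re-read, retry
    return entry.get_int(ATTR)


def bind(entry, password_ok, max_failures, bump=bump_with_delete_add):
    """One simple-bind outcome under the lockout rule described in the thread:
    'locked' once the account has max_failures failures, otherwise 'ok' (the
    counter is zeroed) or 'failed' (the counter is bumped)."""
    if entry.get_int(ATTR) >= max_failures:
        return "locked"
    if password_ok:
        # A reset does not depend on the value read, so REPLACE is safe here.
        entry.modify([("replace", ATTR, "0")])
        return "ok"
    while not bump(entry, entry.get_int(ATTR)):
        pass
    return "failed"


if __name__ == "__main__":
    print("REPLACE, 5 interleaved failures ->",
          concurrent_failed_binds(bump_with_replace, 5))
    print("DELETE/ADD, 5 interleaved failures ->",
          concurrent_failed_binds(bump_with_delete_add, 5))
```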
From: ssorce at redhat.com (Simo Sorce)
Date: Fri, 21 Jan 2011 14:53:17 -0500
Subject: [Freeipa-devel] [PATCH] Fix crash when displaying values composed of white chars only in CLI.
In-Reply-To: <4D39DEFF.1050706@redhat.com>
References: <4D395355.5050307@redhat.com> <4D39DEFF.1050706@redhat.com>
Message-ID: <20110121145317.04357681@willson.li.ssimo.org>

On Fri, 21 Jan 2011 14:31:11 -0500 Rob Crittenden wrote:
> Pavel Zůna wrote:
> > Fix #825
> >
> > Pavel
>
> Should we instead prevent storing white space? On the cli someone would have to go through the trouble of quoting the space but in the UI I think it would be pretty easy to accidentally hit a space on a field and save it.

Someone may want to store a space on purpose, or have some other program do it underneath the UI. So fixing the crash is necessary. Whether we also want to prevent storing whitespace is a separate question IMHO.

Simo.

--
Simo Sorce * Red Hat, Inc * New York

From rcritten at redhat.com Fri Jan 21 20:14:52 2011
From: rcritten at redhat.com (Rob Crittenden)
Date: Fri, 21 Jan 2011 15:14:52 -0500
Subject: [Freeipa-devel] [PATCH] fix API.txt
Message-ID: <4D39E93C.8000203@redhat.com>

A couple of recent patches missed changes to API.txt. I pushed the attached under the 1-liner rule.

rob

Attachment: api.patch (text/x-patch, 11178 bytes)

From ssorce at redhat.com Fri Jan 21 20:48:22 2011
From: ssorce at redhat.com (Simo Sorce)
Date: Fri, 21 Jan 2011 15:48:22 -0500
Subject: [Freeipa-devel] [PATCH] fix API.txt
In-Reply-To: <4D39E93C.8000203@redhat.com>
References: <4D39E93C.8000203@redhat.com>
Message-ID: <20110121154822.38073e0a@willson.li.ssimo.org>

On Fri, 21 Jan 2011 15:14:52 -0500 Rob Crittenden wrote:
> A couple of recent patches missed changes to API.txt. I pushed the attached under the 1-liner rule.
>
> rob

This begs the question: how were they tested? Why didn't both the submitter and the reviewer see the build failing?

Simo.

--
Simo Sorce * Red Hat, Inc * New York

From jhrozek at redhat.com Fri Jan 21 20:53:32 2011
From: jhrozek at redhat.com (Jakub Hrozek)
Date: Fri, 21 Jan 2011 21:53:32 +0100
Subject: [Freeipa-devel] [PATCH] fix API.txt
In-Reply-To: <4D39E93C.8000203@redhat.com>
References: <4D39E93C.8000203@redhat.com>
Message-ID: <4D39F24C.50806@redhat.com>

On 01/21/2011 09:14 PM, Rob Crittenden wrote:
> +option: Flag('del_all', autofill=True, default=False, label=Gettext('Delete all associated records', domain='ipa', localedir=None))

I think you accidentally generated API.txt while still having my Nacked DNS patch in tree.

From jhrozek at redhat.com Fri Jan 21 20:55:59 2011
From: jhrozek at redhat.com (Jakub Hrozek)
Date: Fri, 21 Jan 2011 21:55:59 +0100
Subject: [Freeipa-devel] [PATCH] fix API.txt
In-Reply-To: <20110121154822.38073e0a@willson.li.ssimo.org>
References: <4D39E93C.8000203@redhat.com> <20110121154822.38073e0a@willson.li.ssimo.org>
Message-ID: <4D39F2DF.6070808@redhat.com>

On 01/21/2011 09:48 PM, Simo Sorce wrote:
> On Fri, 21 Jan 2011 15:14:52 -0500 Rob Crittenden wrote:
>
>> A couple of recent patches missed changes to API.txt. I pushed the attached under the 1-liner rule.
>>
>> rob
>
> This begs the question: how were they tested? Why didn't both the submitter and the reviewer see the build failing?
>
> Simo.
>

This is weird - my recent DNS plugin patch should have broken the API (it adds a new parameter --del-all) but I'm able to run make rpms just fine even without Rob's API additions. Also running ./makeapi --validate is OK.

From rcritten at redhat.com Fri Jan 21 21:04:37 2011
From: rcritten at redhat.com (Rob Crittenden)
Date: Fri, 21 Jan 2011 16:04:37 -0500
Subject: [Freeipa-devel] [PATCH] fix API.txt
In-Reply-To: <4D39F24C.50806@redhat.com>
References: <4D39E93C.8000203@redhat.com> <4D39F24C.50806@redhat.com>
Message-ID: <4D39F4E5.6030602@redhat.com>

Jakub Hrozek wrote:
> On 01/21/2011 09:14 PM, Rob Crittenden wrote:
>> +option: Flag('del_all', autofill=True, default=False, label=Gettext('Delete all associated records', domain='ipa', localedir=None))
>
> I think you accidentally generated API.txt while still having my Nacked DNS patch in tree.
>

Yup, I just pushed out a fix for that.

rob

From rcritten at redhat.com Fri Jan 21 21:05:06 2011
From: rcritten at redhat.com (Rob Crittenden)
Date: Fri, 21 Jan 2011 16:05:06 -0500
Subject: [Freeipa-devel] [PATCH] fix API.txt
In-Reply-To: <20110121154822.38073e0a@willson.li.ssimo.org>
References: <4D39E93C.8000203@redhat.com> <20110121154822.38073e0a@willson.li.ssimo.org>
Message-ID: <4D39F502.8090008@redhat.com>

Simo Sorce wrote:
> On Fri, 21 Jan 2011 15:14:52 -0500 Rob Crittenden wrote:
>
>> A couple of recent patches missed changes to API.txt. I pushed the attached under the 1-liner rule.
>>
>> rob
>
> This begs the question: how were they tested? Why didn't both the submitter and the reviewer see the build failing?
>
> Simo.
>

When I tested Jan's patch I didn't do a build, I just did an in-tree test.

rob

From ayoung at redhat.com Sat Jan 22 01:28:24 2011
From: ayoung at redhat.com (Adam Young)
Date: Fri, 21 Jan 2011 20:28:24 -0500
Subject: [Freeipa-devel] [PATCH] 039 Delete the whole DNS record with no parameters
In-Reply-To: <4D39BA48.4000907@redhat.com>
References: <4D38325E.4060901@redhat.com> <4D38AB00.3040701@redhat.com> <4D38B6D9.9080408@redhat.com> <20110120175336.0eba6460@willson.li.ssimo.org> <4D39A0F9.4030502@redhat.com> <4D39BA48.4000907@redhat.com>
Message-ID: <4D3A32B8.4040805@redhat.com>

On 01/21/2011 11:54 AM, Rob Crittenden wrote:
> Jakub Hrozek wrote:
>> On 01/20/2011 11:53 PM, Simo Sorce wrote:
>>> On Thu, 20 Jan 2011 17:27:37 -0500 Dmitri Pal wrote:
>>>
>>>> Michael Gregg wrote:
>>>>> Jakub Hrozek wrote:
>>>>> Hi,
>>>>>
>>>>> as discussed in https://bugzilla.redhat.com/show_bug.cgi?id=671019 to delete a DNS RR one has to remove its record types one by one.
>>>>>
>>>>> This patch modifies the behaviour so that if the user runs dnsrecord-del with no other parameters, the whole record is removed.
>>>>>
>>>>> Alternative solutions might be to expose the internal command that is able to delete the record (although I think it is counterintuitive to have one command to remove record types and one for the whole record) or have a special flag (--del-all?) to remove the whole record.
>>>>>
>>>>> The patch also fixes the unit tests as they didn't reflect all the recent changes.
>>>>
>>>>> Going with this patch sounds good, but to make sure, I polled several
>>>> people here, and they all seemed to think that having to add a --del-all or --del-record flag at the end would be better as it would be less prone to failure where admins would accidentally delete an entire record because they didn't specify anything after the " "
>>>>
>>>>> So, maybe we do need a --del-all or --del-record operator.
>>>>
>>>> Agree.
>>>
>>> +1
>>> Someone may simply push enter accidentally while checking what to write after the command. It would be rather unfortunate.
>>>
>>> Simo.
>>
>> Attached is a new version of the patch that implements --del-all. It also reports failure when deleting a nonexistent RR (new ticket 829).

Does any of this imply that we should change the WebUI handling of Zone or Record deletes?

> nack, this isn't working properly for me.
>
> Here is how I tested:
>
> - add a new zone, newzone1
> - ipa dnsrecord-add newzone1 as --a-rec 3.4.5.6
> - ipa dnsrecord-add newzone1 as
>   Record name: as
>   A record: 3.4.5.6
> - ipa dnsrecord-show newzone1 as
>   Record name: as
>   A record: 3.4.5.6
> - ipa dnsrecord-del newzone1 as --del-all
>   [ no output ]
> - ipa dnsrecord-show newzone1 as
>   ipa: ERROR: as: DNS resource record not found
>
> So a couple of problems:
>
> 1. An error should have been thrown when I tried a delete without a specific record type.
> 2. Some output should be displayed when I delete all records, at least a summary.
>
> rob

From edewata at redhat.com Sun Jan 23 00:45:03 2011
From: edewata at redhat.com (Endi Sukma Dewata)
Date: Sun, 23 Jan 2011 07:45:03 +0700
Subject: [Freeipa-devel] [PATCH] Added spaces around radio buttons.
Message-ID: <4D3B7A0F.3060303@redhat.com>

This is required by the latest spec.

--
Endi S. Dewata

Attachment: freeipa-edewata-0077-Added-spaces-around-radio-buttons.patch (text/x-patch, 4955 bytes)

From edewata at redhat.com Sun Jan 23 00:46:04 2011
From: edewata at redhat.com (Endi Sukma Dewata)
Date: Sun, 23 Jan 2011 07:46:04 +0700
Subject: [Freeipa-devel] [PATCH] Added scrollable panel for delete dialog box.
Message-ID: <4D3B7A4C.8030005@redhat.com>

This is required by the latest spec. May need further revision.

--
Endi S. Dewata

Attachment: freeipa-edewata-0078-Added-scrollable-panel-for-delete-dialog-box.patch (text/x-patch, 4356 bytes)

From edewata at redhat.com Sun Jan 23 00:46:54 2011
From: edewata at redhat.com (Endi Sukma Dewata)
Date: Sun, 23 Jan 2011 07:46:54 +0700
Subject: [Freeipa-devel] [PATCH] Removed 'name' from 'Sudo Command Group name'
Message-ID: <4D3B7A7E.9040905@redhat.com>

This is required by the latest spec.

--
Endi S. Dewata

Attachment: freeipa-edewata-0079-Removed-name-from-Sudo-Command-Group-name.patch (text/x-patch, 18271 bytes)

From edewata at redhat.com Sun Jan 23 00:49:05 2011
From: edewata at redhat.com (Endi Sukma Dewata)
Date: Sun, 23 Jan 2011 07:49:05 +0700
Subject: [Freeipa-devel] [PATCH] Check field's validity before executing add
Message-ID: <4D3B7B01.4050404@redhat.com>

This should fix this bug:
https://fedorahosted.org/freeipa/ticket/660

--
Endi S. Dewata

Attachment: freeipa-edewata-0080-Check-field-s-validity-before-executing-add.patch (text/x-patch, 6857 bytes)

From ssorce at redhat.com Sun Jan 23 01:08:23 2011
From: ssorce at redhat.com (Simo Sorce)
Date: Sat, 22 Jan 2011 20:08:23 -0500
Subject: [Freeipa-devel] [PATCH] 0068 populate dua profile
Message-ID: <20110122200823.6fc9a460@willson.li.ssimo.org>

Ticket #820

Simo.

--
Simo Sorce * Red Hat, Inc * New York

Attachment: freeipa-simo-0068-Populate-shared-tree-with-replica-related-values.patch (text/x-patch, 3879 bytes)

From ssorce at redhat.com Sun Jan 23 01:09:38 2011
From: ssorce at redhat.com (Simo Sorce)
Date: Sat, 22 Jan 2011 20:09:38 -0500
Subject: [Freeipa-devel] [PATCH] 0069 Add/Remove DNS records for replicas
Message-ID: <20110122200938.18cc2038@willson.li.ssimo.org>

Do it always when the dns tree is available, even if the replica being installed doesn't provide dns service itself.

Ticket #824

Simo.

--
Simo Sorce * Red Hat, Inc * New York

Attachment: freeipa-simo-0069-Always-add-DNS-records-when-installing-a-replica.patch (text/x-patch, 7114 bytes)

From jhrozek at redhat.com Sun Jan 23 19:58:03 2011
From: jhrozek at redhat.com (Jakub Hrozek)
Date: Sun, 23 Jan 2011 20:58:03 +0100
Subject: [Freeipa-devel] [PATCH] 029 Enforce uniqueness on (key, info) pairs in automount keys
In-Reply-To: <4D39BA72.8070205@redhat.com>
References: <4D0F5ED8.5000403@redhat.com> <4D0F6949.4020504@redhat.com> <4D2B30A1.5030303@redhat.com> <4D37FF29.2000006@redhat.com> <4D39BA72.8070205@redhat.com>
Message-ID: <4D3C884B.9060805@redhat.com>

On 01/21/2011 05:55 PM, Rob Crittenden wrote:
> Jakub Hrozek wrote:
>> On 01/10/2011 05:15 PM, Jakub Hrozek wrote:
>>> On 12/20/2010 03:33 PM, Jakub Hrozek wrote:
>>>> On 12/20/2010 02:49 PM, Jakub Hrozek wrote:
>>>>> Attached is a patch that changes the uniqueness constraint of automount keys from (key) to (key,info) pairs. The patch is not really standard baseldap style. The reason is that during development, I found that baseldap is really dependent on having a single primary key and also during many operations accessing it as keys[-1].
>>>
>>>>> Please note that the ipa automountkey-* commands used to have three args, now it's two args and two required options (that compose the tuple that is primary key). I know next to nothing about UI, but I assume this has consequences as the JSON marshalled call needs to be different now. Can someone point me to the place in code that I need to fix now?
>>>
>>>>> Fixes:
>>>>> https://fedorahosted.org/freeipa/ticket/293
>>>
>>>> Sorry, I left some debugging statements in. Attached is a new patch.
>>>
>>> Attached is a patch that applies cleanly on top of origin/master.
>
> Can you provide some guidance on how to test this patch?
>
> thanks
>
> rob

Sure:

The main change to CLI is that both key and info must be provided. These are put into the description attribute, at the same time this (key,info) tuple is checked for uniqueness.

The automount test is a good start for testing the patch. It also tests a duplicate direct map.

To test the duplicates manually:

ipa automountlocation-add baltimore
ipa automountmap-add baltimore auto.direct2
ipa automountkey-add baltimore auto.master --key=/- --info=auto.direct2
ipa automountlocation-tofiles baltimore

You should see something like:

/etc/auto.master:
/- /etc/auto.direct
/- /etc/auto.direct2
---------------------------
/etc/auto.direct:
---------------------------
/etc/auto.direct2:

From jzeleny at redhat.com Mon Jan 24 07:35:56 2011
From: jzeleny at redhat.com (Jan Zelený)
Date: Mon, 24 Jan 2011 08:35:56 +0100
Subject: [Freeipa-devel] [PATCH] Make ipa permission-add ask for optional attributes
In-Reply-To: <4D39DE86.4010609@redhat.com>
References: <201101211949.52795.jzeleny@redhat.com> <4D39DE86.4010609@redhat.com>
Message-ID: <201101240835.56948.jzeleny@redhat.com>

Rob Crittenden wrote:
> Jan Zeleny wrote:
> > Either one of type, filter, subtree, targetgroup, attrs or memberof is required.
> >
> > https://fedorahosted.org/freeipa/ticket/819
> >
> > Jan
>
> Do you think the prompt should be annotated somehow to indicate that the optional attributes are optional? I've been wondering about this since I added alwaysask for managing permissions, it isn't very clear that you don't have to enter something.
>
> I'm not sure how we would do it, a *, or some other indicator?
>
> rob

That's definitely a good idea, but if we will use *, I think it should be present for required arguments, otherwise it might be confusing - on the web * usually marks required fields. From this point of view square brackets are used to indicate something is optional, so about something like [Subtree]:?

Jan

From jzeleny at redhat.com Mon Jan 24 08:38:45 2011
From: jzeleny at redhat.com (Jan Zelený)
Date: Mon, 24 Jan 2011 09:38:45 +0100
Subject: [Freeipa-devel] [PATCH] Disable renaming to empty string
Message-ID: <201101240938.45951.jzeleny@redhat.com>

So far it was possible to rename any object using LDAPUpdate to a name with empty primary key. Since this can cause nasty problems, this patch disables empty string in --rename argument.

https://fedorahosted.org/freeipa/ticket/827

Jan

Attachment: jzeleny-freeipa-0028-Disable-renaming-to-empty-string.patch (text/x-patch, 1201 bytes)

From ssorce at redhat.com Mon Jan 24 13:39:29 2011
From: ssorce at redhat.com (Simo Sorce)
Date: Mon, 24 Jan 2011 08:39:29 -0500
Subject: [Freeipa-devel] [PATCH] Disable renaming to empty string
In-Reply-To: <201101240938.45951.jzeleny@redhat.com>
References: <201101240938.45951.jzeleny@redhat.com>
Message-ID: <20110124083929.20176e9d@willson.li.ssimo.org>

On Mon, 24 Jan 2011 09:38:45 +0100 Jan Zelený wrote:
> So far it was possible to rename any object using LDAPUpdate to a name with empty primary key. Since this can cause nasty problems, this patch disables empty string in --rename argument.
>
> https://fedorahosted.org/freeipa/ticket/827

ack

Simo.

--
Simo Sorce * Red Hat, Inc * New York

From jhrozek at redhat.com Mon Jan 24 14:51:30 2011
From: jhrozek at redhat.com (Jakub Hrozek)
Date: Mon, 24 Jan 2011 15:51:30 +0100
Subject: [Freeipa-devel] [PATCH] 039 Delete the whole DNS record with no parameters
In-Reply-To: <4D39BA48.4000907@redhat.com>
References: <4D38325E.4060901@redhat.com> <4D38AB00.3040701@redhat.com> <4D38B6D9.9080408@redhat.com> <20110120175336.0eba6460@willson.li.ssimo.org> <4D39A0F9.4030502@redhat.com> <4D39BA48.4000907@redhat.com>
Message-ID: <4D3D91F2.6050002@redhat.com>

On 01/21/2011 05:54 PM, Rob Crittenden wrote:
> Jakub Hrozek wrote:
>> On 01/20/2011 11:53 PM, Simo Sorce wrote:
>>> On Thu, 20 Jan 2011 17:27:37 -0500
>>> Dmitri Pal wrote:
>>>
>>>> Michael Gregg wrote:
>>>>> Jakub Hrozek wrote:
>>>>> Hi,
>>>>>
>>>>> as discussed in https://bugzilla.redhat.com/show_bug.cgi?id=671019
>>>>> to delete a DNS RR one has to remove its record types one by one.
>>>>>
>>>>> This patch modifies the behaviour so that if the user runs
>>>>> dnsrecord-del with no other parameters, the
>>>>> whole record is removed.
>>>>>
>>>>> Alternative solutions might be to expose the internal command that
>>>>> is able to delete the record (although I think it is
>>>>> counterintuitive to have one command to remove record types and one
>>>>> for the whole record) or have a special flag (--del-all?) to remove
>>>>> the whole record.
>>>>>
>>>>> The patch also fixes the unit tests as they didn't reflect all the
>>>>> recent changes.
>>>>
>>>>> Going with this patch sounds good, but to make sure, I polled
>>>>> several
>>>> people here, and they all seemed to think that having to add a
>>>> --del-all or --del-record flag at the end would be better as it would
>>>> be less prone to failure where admins would accidentally delete an
>>>> entire record because they didn't specify anything after the "
>>>> "
>>>>
>>>>> So, maybe we do need a --del-all or --del-record operator.
>>>>
>>>> Agree.
>>>
>>> +1
>>> Someone may simply push enter accidentally while checking what to write
>>> after the command. It would be rather unfortunate.
>>>
>>> Simo.
>>>
>>
>> Attached is a new version of the patch that implements --del-all. It
>> also reports failure when deleting a nonexistent RR (new ticket 829).
>
> nack, this isn't working properly for me.
>
> Here is how I tested:
>
> - add a new zone, newzone1
> - ipa dnsrecord-add newzone1 as --a-rec 3.4.5.6
> - ipa dnsrecord-add newzone1 as
>     Record name: as
>     A record: 3.4.5.6
> - ipa dnsrecord-show newzone1 as
>     Record name: as
>     A record: 3.4.5.6
> - ipa dnsrecord-del newzone1 as --del-all
>     [ no output ]
> - ipa dnsrecord-show newzone1 as
>     ipa: ERROR: as: DNS resource record not found
>
> So a couple of problems:
>
> 1. An error should have been thrown when I tried a delete without a
> specific record type.

I agree but I was reluctant to do this because it was perfectly OK to
call "dnsrecord-add" with no options. That would create an empty DNS
record. The interface was orthogonal so "dnsrecord-del" with no options
would remove the record if it was empty.

But I don't think an empty DNS record makes any sense. I changed the
behaviour such that:
 * dnsrecord-add with no attributes is no longer allowed. You have to
   specify at least one RR type.
 * dnsrecord-del with no attributes is no longer allowed. You have to
   either specify a RR type or --del-all.

> 2. Some output should be displayed when I delete all records, at least a
> summary.
>

Agreed and fixed.

-------------- next part --------------
A non-text attachment was scrubbed...
Name: jhrozek-freeipa-039-03-dns-record-del.patch
Type: text/x-patch
Size: 12557 bytes
Desc: not available
URL:

From jhrozek at redhat.com Mon Jan 24 14:51:35 2011
From: jhrozek at redhat.com (Jakub Hrozek)
Date: Mon, 24 Jan 2011 15:51:35 +0100
Subject: [Freeipa-devel] [PATCH] 039 Delete the whole DNS record with no parameters
In-Reply-To: <4D3A32B8.4040805@redhat.com>
References: <4D38325E.4060901@redhat.com> <4D38AB00.3040701@redhat.com> <4D38B6D9.9080408@redhat.com> <20110120175336.0eba6460@willson.li.ssimo.org> <4D39A0F9.4030502@redhat.com> <4D39BA48.4000907@redhat.com> <4D3A32B8.4040805@redhat.com>
Message-ID: <4D3D91F7.30002@redhat.com>

On 01/22/2011 02:28 AM, Adam Young wrote:
> Does any of this imply that we should change the WebUI handling of Zone
> or Record deletes?

Sorry, I don't know enough about the WebUI to give an authoritative
answer. I'll try to summarize the changes I did, if it doesn't answer
your question, please catch me on IRC :-)

The only change to the API is a new option "del_all" that specifies that
the caller wants to delete the whole DNS record.

Calling dnsrecord-add and dnsrecord-del with no options is now
disallowed. See my reply to Rob's email for more details.

The return value of dnsrecord-del changed for the case the whole record
is deleted - now it returns the same value other -del commands do, which
in the Python CLI world is a dictionary that contains entries we failed
to delete.

Jakub

From rcritten at redhat.com Mon Jan 24 14:53:08 2011
From: rcritten at redhat.com (Rob Crittenden)
Date: Mon, 24 Jan 2011 09:53:08 -0500
Subject: [Freeipa-devel] [PATCH] Make ipa permission-add ask for optional attributes
In-Reply-To: <201101240835.56948.jzeleny@redhat.com>
References: <201101211949.52795.jzeleny@redhat.com> <4D39DE86.4010609@redhat.com> <201101240835.56948.jzeleny@redhat.com>
Message-ID: <4D3D9254.6040903@redhat.com>

Jan Zelený wrote:
> Rob Crittenden wrote:
>> Jan Zeleny wrote:
>>> Either one of type, filter, subtree, targetgroup, attrs or memberof is
>>> required.
>>>
>>> https://fedorahosted.org/freeipa/ticket/819
>>>
>>> Jan
>>
>> Do you think the prompt should be annotated somehow to indicate that the
>> optional attributes are optional? I've been wondering about this since I
>> added alwaysask for managing permissions, it isn't very clear that you
>> don't have to enter something.
>>
>> I'm not sure how we would do it, a *, or some other indicator?
>>
>> rob
>
> That's definitely a good idea, but if we will use *, I think it should be
> present for required arguments, otherwise it might be confusing - on the web *
> usually marks required fields. From this point of view square brackets are used
> to indicate something is optional, so about something like [Subtree]:?
>
> Jan

Yes, that sounds perfect. I filed ticket
https://fedorahosted.org/freeipa/ticket/832

rob

From ayoung at redhat.com Mon Jan 24 14:59:53 2011
From: ayoung at redhat.com (Adam Young)
Date: Mon, 24 Jan 2011 09:59:53 -0500
Subject: [Freeipa-devel] [PATCH] 039 Delete the whole DNS record with no parameters
In-Reply-To: <4D3D91F7.30002@redhat.com>
References: <4D38325E.4060901@redhat.com> <4D38AB00.3040701@redhat.com> <4D38B6D9.9080408@redhat.com> <20110120175336.0eba6460@willson.li.ssimo.org> <4D39A0F9.4030502@redhat.com> <4D39BA48.4000907@redhat.com> <4D3A32B8.4040805@redhat.com> <4D3D91F7.30002@redhat.com>
Message-ID: <4D3D93E9.4020705@redhat.com>

On 01/24/2011 09:51 AM, Jakub Hrozek wrote:
> Sorry, I don't know enough about the WebUI to give an authoritative
> answer. I'll try to summarize the changes I did, if it doesn't answer
> your question, please catch me on IRC :-)
>
> The only change to the API is a new option "del_all" that specifies that
> the caller wants to delete the whole DNS record.
>
> Calling dnsrecord-add and dnsrecord-del with no options is now
> disallowed. See my reply to Rob's email for more details.
>
> The return value of dnsrecord-del changed for the case the whole record
> is deleted - now it returns the same value other -del commands do, which
> in the Python CLI world is a dictionary that contains entries we failed
> to delete.

I think that this won't change anything UI based. If you want to delete
all of the records for a given Zone, you would just select all of them
in the UI, so it would be an exhaustive list. To select them all, we
have a UI control that toggles all of the checkmarks.

From jeffb.list at gmail.com Mon Jan 24 15:09:22 2011
From: jeffb.list at gmail.com (Jeff B)
Date: Mon, 24 Jan 2011 10:09:22 -0500
Subject: [Freeipa-devel] OpenSSL CA complains that CSR from --external-ca missing mandatory Country field.
Message-ID:

I'm not sure if this is a user error or a bug. I didn't see a way to
tell OpenSSL to not require that Country be in the CSR.

Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
organizationName      :PRINTABLE:'MYREALM.COM'
commonName            :PRINTABLE:'Certificate Authority'
The mandatory countryName field was missing

I didn't see anything in Trac regarding this.

From rcritten at redhat.com Mon Jan 24 15:26:36 2011
From: rcritten at redhat.com (Rob Crittenden)
Date: Mon, 24 Jan 2011 10:26:36 -0500
Subject: [Freeipa-devel] OpenSSL CA complains that CSR from --external-ca missing mandatory Country field.
In-Reply-To:
References:
Message-ID: <4D3D9A2C.7060805@redhat.com>

Jeff B wrote:
> I'm not sure if this is a user error or a bug. I didn't see a way to
> tell OpenSSL to not require that Country be in the CSR.
>
> Check that the request matches the signature
> Signature ok
> The Subject's Distinguished Name is as follows
> organizationName      :PRINTABLE:'MYREALM.COM'
> commonName            :PRINTABLE:'Certificate Authority'
> The mandatory countryName field was missing
>
> I didn't see anything in Trac regarding this.
>

I don't know a ton about OpenSSL but I think it is because the default
configuration file, /etc/pki/tls/openssl.cnf, requires country. You
should be able to provide your own config file to the openssl commands.

rob

From jeffb.list at gmail.com Mon Jan 24 15:39:13 2011
From: jeffb.list at gmail.com (Jeff B)
Date: Mon, 24 Jan 2011 10:39:13 -0500
Subject: [Freeipa-devel] OpenSSL CA complains that CSR from --external-ca missing mandatory Country field.
In-Reply-To:
References: <4D3D9A2C.7060805@redhat.com>
Message-ID:

On Mon, Jan 24, 2011 at 10:38 AM, Jeff B wrote:
> You are right. I changed:
>
> [ policy_match ]
> countryName             = match
> stateOrProvinceName     = match
> organizationName        = match
> organizationalUnitName  = optional
> commonName              = supplied
> emailAddress            = optional
>
> to
>
> [ policy_match ]
> countryName             = optional
> stateOrProvinceName     = optional
> organizationName        = supplied
> organizationalUnitName  = optional
> commonName              = supplied
> emailAddress            = optional
>
>
> Aside from the Country and State missing, it also complained that the
> organizationName didn't match the org name of my CA so I had to change
> the 3rd line from match to supplied.
>
>
>
> On Mon, Jan 24, 2011 at 10:26 AM, Rob Crittenden wrote:
>> Jeff B wrote:
>>>
>>> I'm not sure if this is a user error or a bug. I didn't see a way to
>>> tell OpenSSL to not require that Country be in the CSR.
>>>
>>> Check that the request matches the signature
>>> Signature ok
>>> The Subject's Distinguished Name is as follows
>>> organizationName      :PRINTABLE:'MYREALM.COM'
>>> commonName            :PRINTABLE:'Certificate Authority'
>>> The mandatory countryName field was missing
>>>
>>> I didn't see anything in Trac regarding this.
>>>
>>
>> I don't know a ton about OpenSSL but I think it is because the default
>> configuration file, /etc/pki/tls/openssl.cnf, requires country. You should
>> be able to provide your own config file to the openssl commands.
>>
>> rob
>>
>

From rcritten at redhat.com Mon Jan 24 15:43:06 2011
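The policy semantics behind the error Jeff hit, as an added example (not code from the thread, from OpenSSL or from FreeIPA): a Python model of how `openssl ca` applies a `[ policy_match ]` section to a request subject, run over both versions of the section quoted above. CA_SUBJECT, the function names and the error strings (modelled on openssl ca's messages) are constructed.

```python
"""Model of the openssl.cnf policy check `openssl ca` performs on a CSR
subject.  A rule of 'match' means the field must be present and equal to
the CA certificate's value, 'supplied' means it must be present, and
'optional' means it may be absent.  Constructed example, not OpenSSL's
or FreeIPA's code."""

MATCH, SUPPLIED, OPTIONAL = "match", "supplied", "optional"

# The two [ policy_match ] bodies quoted in the thread, before and after.
POLICY_ORIGINAL = """
countryName             = match
stateOrProvinceName     = match
organizationName        = match
organizationalUnitName  = optional
commonName              = supplied
emailAddress            = optional
"""

POLICY_FIXED = """
countryName             = optional
stateOrProvinceName     = optional
organizationName        = supplied
organizationalUnitName  = optional
commonName              = supplied
emailAddress            = optional
"""

# Subject of the CSR that ipa-server-install --external-ca produced, as
# openssl printed it in the thread: no C, no ST.
CSR_SUBJECT = {"organizationName": "MYREALM.COM",
               "commonName": "Certificate Authority"}

# Constructed subject of the signing CA.  It carries C/ST and a different
# O, which is exactly why every 'match' rule fails for this request.
CA_SUBJECT = {"countryName": "US",
              "stateOrProvinceName": "NY",
              "organizationName": "Example Corp",
              "commonName": "Example Corp Root CA"}


def parse_policy(section_body):
    """Parse the 'field = rule' lines of a [ policy_* ] section, keeping
    the file order (openssl checks, and copies, fields in that order)."""
    policy = {}
    for raw in section_body.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments and blanks
        if not line:
            continue
        field, sep, rule = line.partition("=")
        field, rule = field.strip(), rule.strip()
        if not sep or rule not in (MATCH, SUPPLIED, OPTIONAL):
            raise ValueError("bad policy line: %r" % raw)
        policy[field] = rule
    return policy


def check_policy(policy, csr_subject, ca_subject):
    """Return every violation as an error string; [] means the request
    passes.  (openssl ca itself stops at the first violation, which is
    why Jeff discovered the three problems one at a time.)"""
    errors = []
    for field, rule in policy.items():
        value = csr_subject.get(field)
        if value is None:
            if rule != OPTIONAL:
                errors.append("The mandatory %s field was missing" % field)
            continue
        if rule == MATCH:
            ca_value = ca_subject.get(field)
            if ca_value is None:
                errors.append("The %s field does not exist in the CA "
                              "certificate, the 'policy' is misconfigured"
                              % field)
            elif ca_value != value:
                errors.append("The %s field needed to be the same in the "
                              "CA certificate (%s) and the request (%s)"
                              % (field, ca_value, value))
    return errors


def issued_subject(policy, csr_subject):
    """Subject openssl ca would put into the certificate: only fields the
    policy names are copied from the request; anything else is dropped."""
    return {f: csr_subject[f] for f in policy if f in csr_subject}


if __name__ == "__main__":
    for name, text in (("original", POLICY_ORIGINAL), ("fixed", POLICY_FIXED)):
        errs = check_policy(parse_policy(text), CSR_SUBJECT, CA_SUBJECT)
        print("%s policy: %s" % (name, errs or "request passes"))
```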
From: rcritten at redhat.com (Rob Crittenden)
Date: Mon, 24 Jan 2011 10:43:06 -0500
Subject: [Freeipa-devel] [PATCH] fix doctest
Message-ID: <4D3D9E0A.3060209@redhat.com>

I pushed this under the 1-liner rule, it fixes a doctest failure.

rob
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-rcrit-687-doctest.patch
Type: text/x-patch
Size: 778 bytes
Desc: not available
URL:

From rcritten at redhat.com Mon Jan 24 15:46:27 2011
From: rcritten at redhat.com (Rob Crittenden)
Date: Mon, 24 Jan 2011 10:46:27 -0500
Subject: [Freeipa-devel] [PATCH] 688 fix some unit tests
Message-ID: <4D3D9ED3.6070807@redhat.com>

It looks like python 2.7 changed the API of time.utcoffset(), this
should fix the tests.

We have recently relaxed what input a Str will take, the tests need to
be updated to accommodate.

rob
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-rcrit-688-tests.patch
Type: text/x-patch
Size: 4063 bytes
Desc: not available
URL:

From rcritten at redhat.com Mon Jan 24 15:50:19 2011
From: rcritten at redhat.com (Rob Crittenden)
Date: Mon, 24 Jan 2011 10:50:19 -0500
Subject: [Freeipa-devel] [PATCH] 689 make deepcopy of objectclasses
Message-ID: <4D3D9FBB.6040308@redhat.com>

In the host plugin we modify the default set of objectclasses depending
on what kind of host we're creating. This was actually updating the
objectclass of the object itself so that the objectclass variable was
storing duplicate objectclasses (because we sometimes append values).

Make a deepcopy instead.

I also re-ordered some values in the host plugin to match what the unit
tests expect. It was easier to change in one place than many and have
the same result :-)

rob
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-rcrit-688-tests.patch
Type: text/x-patch
Size: 4063 bytes
Desc: not available
URL:

From jhrozek at redhat.com Mon Jan 24 15:55:44 2011
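The aliasing bug that patch 689 describes, as an added example rather than the host plugin's own code: a default objectclass list handed out by reference and mutated by append, beside the deepcopy version. Class, method and objectclass names are constructed.

```python
"""The bug from patch 689 in miniature: a plugin keeps its default
objectclass list for its whole lifetime and hands that very list to each
request; a callback that appends to it mutates the shared default, so
every later host inherits the extra value and duplicates pile up.
Constructed example, not the FreeIPA host plugin."""
import copy


def default_object_classes():
    """A fresh copy of a constructed default set (stands in for the
    plugin's object_class attribute)."""
    return ["top", "ipaobject", "nshost", "ipahost"]


class HostAddBuggy:
    """Mirrors the bug: entry_attrs['objectclass'] *is* self.object_class."""

    def __init__(self):
        self.object_class = default_object_classes()  # lives as long as the plugin

    def pre_callback(self, fqdn, want_krb_principal):
        entry_attrs = {"fqdn": [fqdn], "objectclass": self.object_class}
        if want_krb_principal:
            # append() mutates the shared default, not a per-request copy
            entry_attrs["objectclass"].append("krbprincipalaux")
        return entry_attrs


class HostAddFixed(HostAddBuggy):
    """The fix: work on a deep copy, so the default stays pristine."""

    def pre_callback(self, fqdn, want_krb_principal):
        # For a flat list of strings list() would do as well; deepcopy also
        # covers defaults holding nested values.
        entry_attrs = {"fqdn": [fqdn],
                       "objectclass": copy.deepcopy(self.object_class)}
        if want_krb_principal:
            entry_attrs["objectclass"].append("krbprincipalaux")
        return entry_attrs


def duplicate_values(values):
    """Values occurring more than once, in first-seen order.  An LDAP add
    that carries a duplicate attribute value is rejected by the directory
    server (attributeOrValueExists), which is how the bug surfaces."""
    seen, dups = set(), []
    for v in values:
        if v in seen and v not in dups:
            dups.append(v)
        seen.add(v)
    return dups


if __name__ == "__main__":
    for cls in (HostAddBuggy, HostAddFixed):
        plugin = cls()
        plugin.pre_callback("a.example.test", True)
        second = plugin.pre_callback("b.example.test", True)
        print(cls.__name__, second["objectclass"],
              "duplicates:", duplicate_values(second["objectclass"]))
```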
From: jhrozek at redhat.com (Jakub Hrozek)
Date: Mon, 24 Jan 2011 16:55:44 +0100
Subject: [Freeipa-devel] [PATCH] 689 make deepcopy of objectclasses
In-Reply-To: <4D3D9FBB.6040308@redhat.com>
References: <4D3D9FBB.6040308@redhat.com>
Message-ID: <4D3DA100.90801@redhat.com>

On 01/24/2011 04:50 PM, Rob Crittenden wrote:
> In the host plugin we modify the default set of objectclasses depending
> on what kind of host we're creating. This was actually updating the
> objectclass of the object itself so that the objectclass variable was
> storing duplicate objectclasses (because we sometimes append values).
>
> Make a deepcopy instead.
>
> I also re-ordered some values in the host plugin to match what the unit
> tests expect. It was easier to change in one place than many and have
> the same result :-)
>
> rob
>

I think you sent a wrong patch (688, should have been 689)

From rcritten at redhat.com Mon Jan 24 15:58:07 2011
From: rcritten at redhat.com (Rob Crittenden)
Date: Mon, 24 Jan 2011 10:58:07 -0500
Subject: [Freeipa-devel] [PATCH] 689 make deepcopy of objectclasses
In-Reply-To: <4D3DA100.90801@redhat.com>
References: <4D3D9FBB.6040308@redhat.com> <4D3DA100.90801@redhat.com>
Message-ID: <4D3DA18F.3030700@redhat.com>

Jakub Hrozek wrote:
> On 01/24/2011 04:50 PM, Rob Crittenden wrote:
>> In the host plugin we modify the default set of objectclasses depending
>> on what kind of host we're creating. This was actually updating the
>> objectclass of the object itself so that the objectclass variable was
>> storing duplicate objectclasses (because we sometimes append values).
>>
>> Make a deepcopy instead.
>>
>> I also re-ordered some values in the host plugin to match what the unit
>> tests expect. It was easier to change in one place than many and have
>> the same result :-)
>>
>> rob
>>
>
> I think you sent a wrong patch (688, should have been 689)

Ok, here goes.

rob
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-rcrit-689-host.patch
Type: text/x-patch
Size: 2532 bytes
Desc: not available
URL:

From jhrozek at redhat.com Mon Jan 24 16:41:42 2011
From: jhrozek at redhat.com (Jakub Hrozek)
Date: Mon, 24 Jan 2011 17:41:42 +0100
Subject: [Freeipa-devel] [PATCH] 688 fix some unit tests
In-Reply-To: <4D3D9ED3.6070807@redhat.com>
References: <4D3D9ED3.6070807@redhat.com>
Message-ID: <4D3DABC6.5090604@redhat.com>

On 01/24/2011 04:46 PM, Rob Crittenden wrote:
> It looks like python 2.7 changed the API of time.utcoffset(), this
> should fix the tests.
>
> We have recently relaxed what input a Str will take, the tests need to
> be updated to accommodate.
>
> rob
>

Ack

From jhrozek at redhat.com Mon Jan 24 16:43:44 2011
From: jhrozek at redhat.com (Jakub Hrozek)
Date: Mon, 24 Jan 2011 17:43:44 +0100
Subject: [Freeipa-devel] [PATCH] 689 make deepcopy of objectclasses
In-Reply-To: <4D3DA18F.3030700@redhat.com>
References: <4D3D9FBB.6040308@redhat.com> <4D3DA100.90801@redhat.com> <4D3DA18F.3030700@redhat.com>
Message-ID: <4D3DAC40.6040000@redhat.com>

On 01/24/2011 04:58 PM, Rob Crittenden wrote:
> Jakub Hrozek wrote:
>> On 01/24/2011 04:50 PM, Rob Crittenden wrote:
>>> In the host plugin we modify the default set of objectclasses depending
>>> on what kind of host we're creating. This was actually updating the
>>> objectclass of the object itself so that the objectclass variable was
>>> storing duplicate objectclasses (because we sometimes append values).
>>>
>>> Make a deepcopy instead.
>>>
>>> I also re-ordered some values in the host plugin to match what the unit
>>> tests expect. It was easier to change in one place than many and have
>>> the same result :-)
>>>
>>> rob
>>>
>>
>> I think you sent a wrong patch (688, should have been 689)
>
> Ok, here goes.
>
> rob

Ack

From dpal at redhat.com Mon Jan 24 16:50:31 2011
From: dpal at redhat.com (Dmitri Pal)
Date: Mon, 24 Jan 2011 11:50:31 -0500
Subject: [Freeipa-devel] Results of some testing
Message-ID: <4D3DADD7.6020307@redhat.com>

Hello,

Here are some issues that I came across during my testing of the latest
IPA version on Friday.
Please take a look and file tickets as appropriate.

1) Can't bail out from the install
Start IPA install without any command line parameters. At any prompt try
to stop installation by pressing Ctrl+C.
You are still at the prompt and there is no way to abort installation.
This can be an ER.

2) For the unattended install with -U the -u is listed as required option
  -u, --user=DS_USER
      The user that the Directory Server will run as
Why is it required if the interactive install never asks for it? IMO a
bug.

3) When adding service in UI via popup it does not automatically append
realm to the host when it creates a service principal.
IMO a bug.

4) The service status is all messed up and unclear. After just being
added it should be in "not provisioned"
state but this is not what you see. You see as if it is already provisioned.
When the service screen is shown it blinks showing a lot of different
buttons and statuses before it settles down on the following UI

Please retry. Maybe it is already addressed with latest fixes.

5) The items in the action panel are now black

The links in the action panel that you are supposed to click are now
black which is not intuitive since they are clickable links.

6) [dpal at lenovo ~]$ ipa host-add foobar.home --ip-address=1.1.1.1
--no-reverse
ipa: ERROR: The host was added but the DNS update failed with:
1.1.1.in-addr.arpa: DNS zone not found

Should not fail since --no-reverse is specified. I checked. If the zone
is there it is added automatically.

-- 
Thank you,
Dmitri Pal

Sr. Engineering Manager IPA project,
Red Hat Inc.

From jeffb.list at gmail.com Mon Jan 24 16:47:01 2011
From: jeffb.list at gmail.com (Jeff B)
Date: Mon, 24 Jan 2011 11:47:01 -0500
Subject: [Freeipa-devel] Problem trying to install --external_cert_file. says system is already configured.
Message-ID:

I'm trying to do an ipa-server-install with an --external-ca but after
it generates the .csr and I sign a .crt I can't run the followup
ipa-server-install to import the certificate.

I don't think I'm supposed to run an --uninstall between the
--external-ca and the --external_cert_file installations but I'm not
sure.

Here is what I'm getting:


[root at ipa0 ~]# ipa-server-install --setup-dns --forwarder="10.0.0.53 10.0.1.53" -U -p xxxxxxxx -a xxxxxxxx -u dirsrv -r MYREALM.COM --external-ca

The log file for this installation can be found in /var/log/ipaserver-install.log
==============================================================================
This program will set up the FreeIPA Server.

This includes:
  * Configure the Network Time Daemon (ntpd)
  * Create and configure an instance of Directory Server
  * Create and configure a Kerberos Key Distribution Center (KDC)
  * Configure Apache (httpd)
  * Configure DNS (bind)

To accept the default shown in brackets, press the Enter key.

Warning: Hostname (ipa0.averesys.com) not found in DNS
The domain name has been calculated based on the host name.

The IPA Master Server will be configured with
Hostname:    ipa0.myrealm.com
IP address:  10.0.0.11
Domain name: myrealm.com

Configuring ntpd
  [1/4]: stopping ntpd
  [2/4]: writing configuration
  [3/4]: configuring ntpd to start on boot
  [4/4]: starting ntpd
done configuring ntpd.
Configuring directory server for the CA: Estimated time 30 seconds
  [1/3]: creating directory server user
  [2/3]: creating directory server instance
  [3/3]: restarting directory server
done configuring pkids.
Configuring certificate server: Estimated time 6 minutes
  [1/4]: creating certificate server user
  [2/4]: creating pki-ca instance
  [3/4]: restarting certificate server
  [4/4]: configuring certificate server instance
The next step is to get /root/ipa.csr signed by your CA and re-run ipa-server-install as:
ipa-server-install --external_cert_file=/path/to/signed_certificate --external_ca_file=/path/to/external_ca_certificate

... Signed the Certificate ...

[root at ipa0 ~]# ipa-server-install --external_cert_file=/root/ipa.crt --external_ca_file=/root/ca.crt

The log file for this installation can be found in /var/log/ipaserver-install.log
IPA server is already configured on this system.


[root at ipa0 ~]# cat /var/log/ipaserver-install.log
2011-01-24 11:36:14,214 DEBUG Loading StateFile from '/var/lib/ipa/sysrestore/sysrestore.state'
2011-01-24 11:36:14,309 DEBUG Loading Index file from '/var/lib/ipa/sysrestore/sysrestore.index'
2011-01-24 11:36:14,336 DEBUG Loading StateFile from '/var/lib/ipa/sysrestore/sysrestore.state'

From ssorce at redhat.com Mon Jan 24 16:59:03 2011
From: ssorce at redhat.com (Simo Sorce)
Date: Mon, 24 Jan 2011 11:59:03 -0500
Subject: [Freeipa-devel] [PATCH] 0070 Create DNS entries early on
Message-ID: <20110124115903.4131d627@willson.li.ssimo.org>

See ticket #833 for a detailed explanation.

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-simo-0070-Create-DNS-records-as-early-as-possible.patch
Type: text/x-patch
Size: 2536 bytes
Desc: not available
URL:

From rcritten at redhat.com Mon Jan 24 17:02:34 2011
From: rcritten at redhat.com (Rob Crittenden)
Date: Mon, 24 Jan 2011 12:02:34 -0500
Subject: [Freeipa-devel] Results of some testing
In-Reply-To: <4D3DADD7.6020307@redhat.com>
References: <4D3DADD7.6020307@redhat.com>
Message-ID: <4D3DB0AA.3070007@redhat.com>

Dmitri Pal wrote:
> Hello,
>
> Here are some issues that I came across during my testing of the latest
> IPA version on Friday.
> Please take a look and file tickets as appropriate.
>
> 1) Can't bail out from the install
> Start IPA install without any command line parameters. At any prompt try
> to stop installation by pressing Ctrl+C.
> You are still at the prompt and there is no way to abort installation.
> This can be an ER.

Was this in a password prompt? I'm thinking that python 2.7 changed
their handling.

>
> 2) For the unattended install with -U the -u is listed as required option
>   -u, --user=DS_USER
>       The user that the Directory Server will run as
> Why is it required if the interactive install never asks for it? IMO a
> bug.

It seemed an unnecessary question to prompt for in the UI so we removed
it. It should be optional in non-interactive.

>
> 3) When adding service in UI via popup it does not automatically append
> realm to the host when it creates a service principal.
> IMO a bug.

The framework will add the realm automatically if it is not provided.
Or are you actually seeing a service created with no realm?

> 4) The service status is all messed up and unclear. After just being
> added it should be in "not provisioned"
> state but this is not what you see. You see as if it is already provisioned.
> When the service screen is shown it blinks showing a lot of different
> buttons and statuses before it settles down on the following UI
>
> Please retry. Maybe it is already addressed with latest fixes.
>
>
> 5) The items in the action panel are now black
>
> The links in the action panel that you are supposed to click are now
> black which is not intuitive since they are clickable links.
>
> 6) [dpal at lenovo ~]$ ipa host-add foobar.home --ip-address=1.1.1.1
> --no-reverse
> ipa: ERROR: The host was added but the DNS update failed with:
> 1.1.1.in-addr.arpa: DNS zone not found
>
> Should not fail since --no-reverse is specified. I checked. If the zone
> is there it is added automatically.
>

From jzeleny at redhat.com Mon Jan 24 17:26:23 2011
From: jzeleny at redhat.com (Jan Zeleny)
Date: Mon, 24 Jan 2011 18:26:23 +0100
Subject: [Freeipa-devel] [PATCH] Modified description of nsaccountlock attribute
In-Reply-To: <201101181000.33620.jzeleny@redhat.com>
References: <201101181000.33620.jzeleny@redhat.com>
Message-ID: <201101241826.24041.jzeleny@redhat.com>

Jan Zelený wrote:
> The original one was misleading, giving the value exactly opposite
> meaning than it actually was.
>
> https://fedorahosted.org/freeipa/ticket/741
>
> Jan

Just a reminder that this patch still needs a review.

Jan

From jzeleny at redhat.com Mon Jan 24 17:31:26 2011
From: jzeleny at redhat.com (Jan Zeleny)
Date: Mon, 24 Jan 2011 18:31:26 +0100
Subject: [Freeipa-devel] [PATCH] Modified description of nsaccountlock attribute
In-Reply-To: <201101241826.24041.jzeleny@redhat.com>
References: <201101181000.33620.jzeleny@redhat.com> <201101241826.24041.jzeleny@redhat.com>
Message-ID: <201101241831.26623.jzeleny@redhat.com>

Jan Zeleny wrote:
> Jan Zelený wrote:
> > The original one was misleading, giving the value exactly opposite
> > meaning than it actually was.
> >
> > https://fedorahosted.org/freeipa/ticket/741
> >
> > Jan
>
> Just a reminder that this patch still needs a review.
>
> Jan

Never mind, I missed the review from Simo. Sorry for the noise.

Jan

From jzeleny at redhat.com Mon Jan 24 17:34:48 2011
From: jzeleny at redhat.com (Jan Zeleny)
Date: Mon, 24 Jan 2011 18:34:48 +0100
Subject: [Freeipa-devel] [PATCH] Changed dns permission types
In-Reply-To: <201101141358.55418.jzeleny@redhat.com>
References: <201101071805.18499.jzeleny@redhat.com> <4D2DD454.9060901@redhat.com> <201101141358.55418.jzeleny@redhat.com>
Message-ID: <201101241834.48965.jzeleny@redhat.com>

Jan Zelený wrote:
> Rob Crittenden wrote:
> > Jan Zelený wrote:
> > > Recent change of DNS module to version caused that dns object type
> > > was replaced by dnszone and dnsrecord. This patch corrects dns types
> > > in permissions class.
> > >
> > > https://fedorahosted.org/freeipa/ticket/646
> >
> > Nack. These values need to be added as valid types to the aci plugin and
> > the _type_map needs to be updated.
> >
> > rob
>
> I'm sending an updated patch.
>
> Jan

Just a reminder that this patch needs to be reviewed.

Thanks
Jan

From ayoung at redhat.com Mon Jan 24 18:11:28 2011
From: ayoung at redhat.com (Adam Young)
Date: Mon, 24 Jan 2011 13:11:28 -0500
Subject: [Freeipa-devel] [PATCH] Check field's validity before executing add
In-Reply-To: <4D3B7B01.4050404@redhat.com>
References: <4D3B7B01.4050404@redhat.com>
Message-ID: <4D3DC0D0.2040608@redhat.com>

On 01/22/2011 07:49 PM, Endi Sukma Dewata wrote:
> This should fix this bug:
> https://fedorahosted.org/freeipa/ticket/660
>
>
> _______________________________________________
> Freeipa-devel mailing list
> Freeipa-devel at redhat.com
> https://www.redhat.com/mailman/listinfo/freeipa-devel

NACK: Too many false positives: Try adding a user group. Group name
works as designed, others do not allow anything through. I think you are
not accounting for null validation.

From ayoung at redhat.com Mon Jan 24 18:29:22 2011
From: ayoung at redhat.com (Adam Young)
Date: Mon, 24 Jan 2011 13:29:22 -0500
Subject: [Freeipa-devel] [PATCH] Added scrollable panel for delete dialog box.
In-Reply-To: <4D3B7A4C.8030005@redhat.com>
References: <4D3B7A4C.8030005@redhat.com>
Message-ID: <4D3DC502.8050709@redhat.com>

On 01/22/2011 07:46 PM, Endi Sukma Dewata wrote:
> This is required by the latest spec. May need further revision.

ACK. As follow on, we need to fix the max size of the delete dialog

From ayoung at redhat.com Mon Jan 24 18:29:58 2011
From: ayoung at redhat.com (Adam Young)
Date: Mon, 24 Jan 2011 13:29:58 -0500
Subject: [Freeipa-devel] [PATCH] Added spaces around radio buttons.
In-Reply-To: <4D3B7A0F.3060303@redhat.com>
References: <4D3B7A0F.3060303@redhat.com>
Message-ID: <4D3DC526.4030408@redhat.com>

On 01/22/2011 07:45 PM, Endi Sukma Dewata wrote:
> This is required by the latest spec.

ACK

From ayoung at redhat.com Mon Jan 24 18:31:46 2011
From: ayoung at redhat.com (Adam Young)
Date: Mon, 24 Jan 2011 13:31:46 -0500
Subject: [Freeipa-devel] [PATCH] Removed 'name' from 'Sudo Command Group name'
In-Reply-To: <4D3B7A7E.9040905@redhat.com>
References: <4D3B7A7E.9040905@redhat.com>
Message-ID: <4D3DC592.7060102@redhat.com>

On 01/22/2011 07:46 PM, Endi Sukma Dewata wrote:
> This is required by the latest spec.

ACK

From ayoung at redhat.com Mon Jan 24 18:33:27 2011
From: ayoung at redhat.com (Adam Young)
Date: Mon, 24 Jan 2011 13:33:27 -0500
Subject: [Freeipa-devel] [PATCH] Added scrollable panel for delete dialog box.
In-Reply-To: <4D3DC502.8050709@redhat.com>
References: <4D3B7A4C.8030005@redhat.com> <4D3DC502.8050709@redhat.com>
Message-ID: <4D3DC5F7.6090300@redhat.com>

On 01/24/2011 01:29 PM, Adam Young wrote:
> On 01/22/2011 07:46 PM, Endi Sukma Dewata wrote:
>> This is required by the latest spec. May need further revision.
> ACK. As follow on, we need to fix the max size of the delete dialog

Pushed to master

From ayoung at redhat.com Mon Jan 24 18:33:43 2011
From: ayoung at redhat.com (Adam Young)
Date: Mon, 24 Jan 2011 13:33:43 -0500
Subject: [Freeipa-devel] [PATCH] Added spaces around radio buttons.
In-Reply-To: <4D3DC526.4030408@redhat.com>
References: <4D3B7A0F.3060303@redhat.com> <4D3DC526.4030408@redhat.com>
Message-ID: <4D3DC607.8030901@redhat.com>

On 01/24/2011 01:29 PM, Adam Young wrote:
> On 01/22/2011 07:45 PM, Endi Sukma Dewata wrote:
>> This is required by the latest spec.
> ACK

Pushed to master

From ayoung at redhat.com Mon Jan 24 18:33:58 2011
From: ayoung at redhat.com (Adam Young)
Date: Mon, 24 Jan 2011 13:33:58 -0500
Subject: [Freeipa-devel] [PATCH] Removed 'name' from 'Sudo Command Group name'
In-Reply-To: <4D3DC592.7060102@redhat.com>
References: <4D3B7A7E.9040905@redhat.com> <4D3DC592.7060102@redhat.com>
Message-ID: <4D3DC616.7040105@redhat.com>

On 01/24/2011 01:31 PM, Adam Young wrote:
> On 01/22/2011 07:46 PM, Endi Sukma Dewata wrote:
>> This is required by the latest spec.
> ACK

Pushed to master

From rcritten at redhat.com Mon Jan 24 18:55:53 2011
From: rcritten at redhat.com (Rob Crittenden) Date: Mon, 24 Jan 2011 13:55:53 -0500 Subject: [Freeipa-devel] Problem trying to install --external_cert_file. says system is already configured. In-Reply-To: References: Message-ID: <4D3DCB39.4060301@redhat.com> Jeff B wrote: > I'm trying to do an ipa-server-install with an --external-ca but after > it generates the .csr and I sign a .crt I can't run the followup > ips-server-install to import the certificate. > > I don't think I'm supposed to run an --uninstall between the > --external-ca and the --external_cert_file installations but I'm not > sure. > > Here is what I'm getting: > > > [root at ipa0 ~]# ipa-server-install --setup-dns --forwarder="10.0.0.53 > 10.0.1.53" -U -p xxxxxxxx -a xxxxxxxx -u dirsrv -r MYREALM.COM > --external-ca > > The log file for this installation can be found in > /var/log/ipaserver-install.log > ============================================================================== > This program will set up the FreeIPA Server. > > This includes: > * Configure the Network Time Daemon (ntpd) > * Create and configure an instance of Directory Server > * Create and configure a Kerberos Key Distribution Center (KDC) > * Configure Apache (httpd) > * Configure DNS (bind) > > To accept the default shown in brackets, press the Enter key. > > Warning: Hostname (ipa0.averesys.com) not found in DNS > The domain name has been calculated based on the host name. > > The IPA Master Server will be configured with > Hostname: ipa0.myrealm.com > IP address: 10.0.0.11 > Domain name: myrealm.com > > Configuring ntpd > [1/4]: stopping ntpd > [2/4]: writing configuration > [3/4]: configuring ntpd to start on boot > [4/4]: starting ntpd > done configuring ntpd. > Configuring directory server for the CA: Estimated time 30 seconds > [1/3]: creating directory server user > [2/3]: creating directory server instance > [3/3]: restarting directory server > done configuring pkids. 
> Configuring certificate server: Estimated time 6 minutes > [1/4]: creating certificate server user > [2/4]: creating pki-ca instance > [3/4]: restarting certificate server > [4/4]: configuring certificate server instance > The next step is to get /root/ipa.csr signed by your CA and re-run > ipa-server-install as: > ipa-server-install --external_cert_file=/path/to/signed_certificate > --external_ca_file=/path/to/external_ca_certificate > > ... Signed the Certificate ... > > [root at ipa0 ~]# ipa-server-install --external_cert_file=/root/ipa.crt > --external_ca_file=/root/ca.crt > > The log file for this installation can be found in > /var/log/ipaserver-install.log > IPA server is already configured on this system. > > > [root at ipa0 ~]# cat /var/log/ipaserver-install.log > 2011-01-24 11:36:14,214 DEBUG Loading StateFile from > '/var/lib/ipa/sysrestore/sysrestore.state' > 2011-01-24 11:36:14,309 DEBUG Loading Index file from > '/var/lib/ipa/sysrestore/sysrestore.index' > 2011-01-24 11:36:14,336 DEBUG Loading StateFile from > '/var/lib/ipa/sysrestore/sysrestore.state' Looks like a bug. You should be able to work around it by commenting out these lines in /usr/sbin/ipa-server-install: if dsinstance.DsInstance().is_configured() or cainstance.CADSInstance().is_configured(): sys.exit("IPA server is already configured on this system.") The python comment is a hash (#). I opened ticket https://fedorahosted.org/freeipa/ticket/835 to track this. rob From dpal at redhat.com Mon Jan 24 19:16:58 2011 
From: dpal at redhat.com (Dmitri Pal) Date: Mon, 24 Jan 2011 14:16:58 -0500 Subject: [Freeipa-devel] Results of some testing In-Reply-To: <4D3DB0AA.3070007@redhat.com> References: <4D3DADD7.6020307@redhat.com> <4D3DB0AA.3070007@redhat.com> Message-ID: <4D3DD02A.6060303@redhat.com> Rob Crittenden wrote: > Dmitri Pal wrote: >> Hello, >> >> Here are some issues that I came across during my testing of the latest >> IPA version on Friday. >> Please take a look and file tickets as appropriate. >> >> 1) Can't bail out from the install >> Start IPA install without any command line parameters. At any prompt, try >> to stop installation by pressing Ctrl+C. >> You are still at the prompt and there is no way to abort installation. >> This can be an ER. > > Was this in a password prompt? I'm thinking that python 2.7 changed > their handling. Yes. But I think not only. The first prompt is the prompt for domain and you can't break from it either. > >> >> 2) For the unattended install with -U the -u is listed as required >> option >> -u, --user=DS_USER >> The user that the Directory Server will run as >> Why is it required if the interactive install never asks for it. IMO a >> bug. > > It seemed an unnecessary question to prompt for in the UI so we > removed it. It should be optional in non-interactive. Please file a ticket. > >> >> 3) When adding service in UI via popup it does not automatically append >> realm to the host when it creates a service principal. >> IMO a bug. > > The framework will add the realm automatically if it is not provided. > Or are you actually seeing a service created with no realm? Created with no realm. > >> 4) The service status is all messed up and unclear. After just being >> added it should be in "not provisioned" >> state but this is not what you see. You see as if it is already >> provisioned. 
>> When the service screen is shown it blinks showing a lot of different >> buttons and statuses before it settles down on the following UI >> >> Please retry. May be it is already addressed with latest fixes. >> >> >> 5) The items in the action panel are now black >> >> The links in the action panel that you are supposed to click are now >> black which is not intuitive since they are clickable links. >> >> 6) [dpal at lenovo ~]$ ipa host-add foobar.home --ip-address=1.1.1.1 >> --no-reverse >> ipa: ERROR: The host was added but the DNS update failed with: >> 1.1.1.in-addr.arpa: DNS zone not found >> >> Should not fail since --no-reverse is specified. I checked. If the zone >> is there it is added automatically. >> > -- Thank you, Dmitri Pal Sr. Engineering Manager IPA project, Red Hat Inc. ------------------------------- Looking to carve out IT costs? www.redhat.com/carveoutcosts/ From rcritten at redhat.com Mon Jan 24 19:24:15 2011 
From: rcritten at redhat.com (Rob Crittenden) Date: Mon, 24 Jan 2011 14:24:15 -0500 Subject: [Freeipa-devel] Results of some testing In-Reply-To: <4D3DD02A.6060303@redhat.com> References: <4D3DADD7.6020307@redhat.com> <4D3DB0AA.3070007@redhat.com> <4D3DD02A.6060303@redhat.com> Message-ID: <4D3DD1DF.7060000@redhat.com> Dmitri Pal wrote: > Rob Crittenden wrote: >> Dmitri Pal wrote: >>> Hello, >>> >>> Here are some issues that I came across during my testing of the latest >>> IPA version on Friday. >>> Please take a look and file tickets as appropriate. >>> >>> 1) Can't bail out from the install >>> Start IPA install without any command line parameters. It any prompt try >>> to stop installation by pressing Ctrl+C. >>> You are still at the prompt and there is no way to abort installation. >>> This can be an ER. >> >> Was this in a password prompt? I'm thinking that python 2.7 changed >> their handling. > Yes. But I think not only. The first prompt is the prompt for domain and > you can't break from it either. It works for me. What distro are you using? > > >> >>> >>> 2) For the unattended install with -U the -u is listed as required >>> option >>> -u, --user=DS_USER >>> The user that the Directory Server will run as >>> Why it is a required if the interactive install never asks for it. IMO a >>> bug. >> >> It seemed an unnecessary question to prompt for in the UI so we >> removed it. It should be optional in non-interactive. > Please file a ticket. done > >> >>> >>> 3) When adding service in UI via popup it does not automatically append >>> realm to the host when it creates a service pricipal. >>> IMO a bug. >> >> The framework will add the realm automatically if it is not provided. >> Or are you actually seeing a service created with no realm? > Created with no realm. Can you do an ldapsearch to confirm this? I never include the realm when I add services, it gets automatically added. > >> >>> 4) The service status is all messed up and unclear. 
After just being >>> added it should be in "not provisioned" >>> state but this is not what you see. You see as if it is already >>> provisioned. >>> When the service screen is shown it blinks showing a lot of different >>> buttons and statuses before it settles down on the following UI >>> >>> Please retry. May be it is already addressed with latest fixes. >>> >>> >>> 5) The items in the action panel are now black >>> >>> The links in the action panel that you are supposed to click are now >>> black which is not intuitive since they are clickable links. >>> >>> 6) [dpal at lenovo ~]$ ipa host-add foobar.home --ip-address=1.1.1.1 >>> --no-reverse >>> ipa: ERROR: The host was added but the DNS update failed with: >>> 1.1.1.in-addr.arpa: DNS zone not found >>> >>> Should not fail since --no-reverse is specified. I checked. If the zone >>> is there it is added automatically. >>> >> > > From rcritten at redhat.com Mon Jan 24 19:33:34 2011 
From: rcritten at redhat.com (Rob Crittenden) Date: Mon, 24 Jan 2011 14:33:34 -0500 Subject: [Freeipa-devel] [PATCH] 683 block anonymous access to hbac info In-Reply-To: References: Message-ID: <4D3DD40E.5040306@redhat.com> JR Aquino wrote: > On 1/20/11 10:05 AM, "Rob Crittenden" wrote: >> Simo Sorce wrote: >>> On Wed, 19 Jan 2011 17:51:56 -0500 >>> Rob Crittenden wrote: >>> >>>> +aci: (targetattr = "member || memberOf || memberHost || >>>> memberUser")(version 3.0; acl "No anonymous access to member >>>> information"; deny (read,search,compare) userdn != "ldap:///all";) >>> >>> Nack, without 'member', nss_ldap will have no way to determine >>> posixAccount group memberships using anonymous access (the default). >>> >>> Simo. >>> >> >> Ok, dropped member and added an aci for cn=roles. >> >> rob >> _______________________________________________ >> Freeipa-devel mailing list >> Freeipa-devel at redhat.com >> https://www.redhat.com/mailman/listinfo/freeipa-devel > > ACK > pushed to master From rcritten at redhat.com Mon Jan 24 19:34:52 2011 From: rcritten at redhat.com (Rob Crittenden) Date: Mon, 24 Jan 2011 14:34:52 -0500 Subject: [Freeipa-devel] [PATCH] 688 fix some unit tests In-Reply-To: <4D3DABC6.5090604@redhat.com> References: <4D3D9ED3.6070807@redhat.com> <4D3DABC6.5090604@redhat.com> Message-ID: <4D3DD45C.1010101@redhat.com> Jakub Hrozek wrote: > -----BEGIN PGP SIGNED MESSAGE----- > Hash: SHA1 > > On 01/24/2011 04:46 PM, Rob Crittenden wrote: >> It looks like python 2.7 changed the API of time.utcoffset(), this >> should fix the tests. >> >> We have recently relaxed what input a Str will take, the tests need to >> be updated to accomodate. >> >> rob >> > > Ack pushed to master From rcritten at redhat.com Mon Jan 24 19:35:23 2011 
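Review bot: the quoted `+aci:` line puts `member` in `targetattr` alongside `memberOf || memberHost || memberUser`, and because `userdn != "ldap:///all"` matches every bind that is not an authenticated user, the `deny (read,search,compare)` lands on anonymous clients; nss_ldap resolving posixAccount group membership binds anonymously by default and reads `member`, so that rule breaks group lookups for every such client, which is the NACK Simo gives. The follow-up says `member` was dropped and a separate aci added for cn=roles, which is the right shape: keep the deny to `memberOf || memberHost || memberUser` so anonymous binds cannot enumerate HBAC-relevant membership, and leave `member` readable. It would be worth recording in the patch how that was verified, for instance an anonymous `ldapsearch` for a group still returning `member` while the same search returns no `memberOf`, `memberHost` or `memberUser` values, because a deny that is one attribute too wide fails silently on clients rather than in the installer.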
From: rcritten at redhat.com (Rob Crittenden) Date: Mon, 24 Jan 2011 14:35:23 -0500 Subject: [Freeipa-devel] [PATCH] 689 make deepcopy of objectclasses In-Reply-To: <4D3DAC40.6040000@redhat.com> References: <4D3D9FBB.6040308@redhat.com> <4D3DA100.90801@redhat.com> <4D3DA18F.3030700@redhat.com> <4D3DAC40.6040000@redhat.com> Message-ID: <4D3DD47B.6050404@redhat.com> Jakub Hrozek wrote: > -----BEGIN PGP SIGNED MESSAGE----- > Hash: SHA1 > > On 01/24/2011 04:58 PM, Rob Crittenden wrote: >> Jakub Hrozek wrote: >>> -----BEGIN PGP SIGNED MESSAGE----- >>> Hash: SHA1 >>> >>> On 01/24/2011 04:50 PM, Rob Crittenden wrote: >>>> In the host plugin we modify the default set of objectclasses depending >>>> on what kind of host we're creating. This was actually updating the >>>> objectclass of the object itself so that the objectclass variable was >>>> storing duplicate objectclasses (because we sometimes append values). >>>> >>>> Make a deepcopy instead. >>>> >>>> I also re-ordered some values in the host plugin to match what the unit >>>> tests expect. It was easier to change in one place than many and have >>>> the same result :-) >>>> >>>> rob >>>> >>> >>> I think you sent a wrong patch (688, should have been 689) >> >> Ok, here goes. >> >> rob > > Ack pushed to master From dpal at redhat.com Mon Jan 24 19:37:58 2011 
From: dpal at redhat.com (Dmitri Pal) Date: Mon, 24 Jan 2011 14:37:58 -0500 Subject: [Freeipa-devel] Results of some testing In-Reply-To: <4D3DD1DF.7060000@redhat.com> References: <4D3DADD7.6020307@redhat.com> <4D3DB0AA.3070007@redhat.com> <4D3DD02A.6060303@redhat.com> <4D3DD1DF.7060000@redhat.com> Message-ID: <4D3DD516.5060500@redhat.com> Rob Crittenden wrote: > Dmitri Pal wrote: >> Rob Crittenden wrote: >>> Dmitri Pal wrote: >>>> Hello, >>>> >>>> Here are some issues that I came across during my testing of the >>>> latest >>>> IPA version on Friday. >>>> Please take a look and file tickets as appropriate. >>>> >>>> 1) Can't bail out from the install >>>> Start IPA install without any command line parameters. It any >>>> prompt try >>>> to stop installation by pressing Ctrl+C. >>>> You are still at the prompt and there is no way to abort installation. >>>> This can be an ER. >>> >>> Was this in a password prompt? I'm thinking that python 2.7 changed >>> their handling. >> Yes. But I think not only. The first prompt is the prompt for domain and >> you can't break from it either. > > It works for me. What distro are you using? F14. I will retest. > >> >> >>> >>>> >>>> 2) For the unattended install with -U the -u is listed as required >>>> option >>>> -u, --user=DS_USER >>>> The user that the Directory Server will run as >>>> Why it is a required if the interactive install never asks for it. >>>> IMO a >>>> bug. >>> >>> It seemed an unnecessary question to prompt for in the UI so we >>> removed it. It should be optional in non-interactive. >> Please file a ticket. > > done > >> >>> >>>> >>>> 3) When adding service in UI via popup it does not automatically >>>> append >>>> realm to the host when it creates a service pricipal. >>>> IMO a bug. >>> >>> The framework will add the realm automatically if it is not provided. >>> Or are you actually seeing a service created with no realm? >> Created with no realm. > > Can you do an ldapsearch to confirm this? 
I never include the realm > when I add services, it gets automatically added. I will retry. What about the rest below? > >> >>> >>>> 4) The service status is all messed up and unclear. After just being >>>> added it should be in "not provisioned" >>>> state but this is not what you see. You see as if it is already >>>> provisioned. >>>> When the service screen is shown it blinks showing a lot of different >>>> buttons and statuses before it settles down on the following UI >>>> >>>> Please retry. May be it is already addressed with latest fixes. >>>> >>>> >>>> 5) The items in the action panel are now black >>>> >>>> The links in the action panel that you are supposed to click are now >>>> black which is not intuitive since they are clickable links. >>>> >>>> 6) [dpal at lenovo ~]$ ipa host-add foobar.home --ip-address=1.1.1.1 >>>> --no-reverse >>>> ipa: ERROR: The host was added but the DNS update failed with: >>>> 1.1.1.in-addr.arpa: DNS zone not found >>>> >>>> Should not fail since --no-reverse is specified. I checked. If the >>>> zone >>>> is there it is added automatically. >>>> >>> >> >> > > _______________________________________________ > Freeipa-devel mailing list > Freeipa-devel at redhat.com > https://www.redhat.com/mailman/listinfo/freeipa-devel > > -- Thank you, Dmitri Pal Sr. Engineering Manager IPA project, Red Hat Inc. ------------------------------- Looking to carve out IT costs? www.redhat.com/carveoutcosts/ From jeffb.list at gmail.com Mon Jan 24 19:44:46 2011 
From: jeffb.list at gmail.com (Jeff B) Date: Mon, 24 Jan 2011 14:44:46 -0500 Subject: [Freeipa-devel] Problem trying to install --external_cert_file. says system is already configured. In-Reply-To: <4D3DCB39.4060301@redhat.com> References: <4D3DCB39.4060301@redhat.com> Message-ID: I don't want to start filing tickets since I'm not that familiar with the project but here is another similar one where the checks aren't necessarily doing what they are intended to be doing. Steps: 1. ran install with --external-ca 2. tried running with --external_cert_file but hit error in #835 3. Did workaround to commented out the configuration check and exit message like suggested by Rob 4. tried importing the cert again but got an error saying connection refused on "Attempting to connect to: ipa0.myrealm.com:9445" 5. I didn't know what service wasn't running so I rebooted (yeah, bad jeff) 6. I tried running --external_cert_file again but it looked like it had forgotten all my configs and looked like it was starting over. It prompted me: An existing Directory Server has been detected. Do you wish to remove it and create a new one? [no]: I chose 'no' and the installer exited. 7. Did an --uninstall 8. tried to start fresh but it failed with this error: You already have a CA signing request for this server (/root/ipa.csr), you need to include --external_cert_file and --external_ca_file Which is not right because since I uninstalled I can't just add the certs. Either the uninstall needs to clean up the .csr or the installer needs to not assume so much just from the existence of a .csr On Mon, Jan 24, 2011 at 1:55 PM, Rob Crittenden wrote: > Jeff B wrote: >> >> I'm trying to do an ipa-server-install with an --external-ca but after >> it generates the .csr and I sign a .crt I can't run the followup >> ips-server-install to import the certificate. 
>> >> I don't think I'm supposed to run an --uninstall between the >> --external-ca and the --external_cert_file installations but I'm not >> sure. >> >> Here is what I'm getting: >> >> >> [root at ipa0 ~]# ipa-server-install --setup-dns --forwarder="10.0.0.53 >> 10.0.1.53" -U -p xxxxxxxx -a xxxxxxxx -u dirsrv -r MYREALM.COM >> --external-ca >> >> The log file for this installation can be found in >> /var/log/ipaserver-install.log >> >> ============================================================================== >> This program will set up the FreeIPA Server. >> >> This includes: >>   * Configure the Network Time Daemon (ntpd) >>   * Create and configure an instance of Directory Server >>   * Create and configure a Kerberos Key Distribution Center (KDC) >>   * Configure Apache (httpd) >>   * Configure DNS (bind) >> >> To accept the default shown in brackets, press the Enter key. >> >> Warning: Hostname (ipa0.averesys.com) not found in DNS >> The domain name has been calculated based on the host name. >> >> The IPA Master Server will be configured with >> Hostname:    ipa0.myrealm.com >> IP address:  10.0.0.11 >> Domain name: myrealm.com >> >> Configuring ntpd >>   [1/4]: stopping ntpd >>   [2/4]: writing configuration >>   [3/4]: configuring ntpd to start on boot >>   [4/4]: starting ntpd >> done configuring ntpd. >> Configuring directory server for the CA: Estimated time 30 seconds >>   [1/3]: creating directory server user >>   [2/3]: creating directory server instance >>   [3/3]: restarting directory server >> done configuring pkids. >> Configuring certificate server: Estimated time 6 minutes >>   [1/4]: creating certificate server user >>   [2/4]: creating pki-ca instance >>   [3/4]: restarting certificate server >>   
[4/4]: configuring certificate server instance >> The next step is to get /root/ipa.csr signed by your CA and re-run >> ipa-server-install as: >> ipa-server-install --external_cert_file=/path/to/signed_certificate >> --external_ca_file=/path/to/external_ca_certificate >> >> ... Signed the Certificate ... >> >> [root at ipa0 ~]# ipa-server-install --external_cert_file=/root/ipa.crt >> --external_ca_file=/root/ca.crt >> >> The log file for this installation can be found in >> /var/log/ipaserver-install.log >> IPA server is already configured on this system. >> >> >> [root at ipa0 ~]# cat /var/log/ipaserver-install.log >> 2011-01-24 11:36:14,214 DEBUG Loading StateFile from >> '/var/lib/ipa/sysrestore/sysrestore.state' >> 2011-01-24 11:36:14,309 DEBUG Loading Index file from >> '/var/lib/ipa/sysrestore/sysrestore.index' >> 2011-01-24 11:36:14,336 DEBUG Loading StateFile from >> '/var/lib/ipa/sysrestore/sysrestore.state' > > Looks like a bug. You should be able to work around it by commenting out > these lines in /usr/sbin/ipa-server-install: > >         if dsinstance.DsInstance().is_configured() or > cainstance.CADSInstance().is_configured(): >             sys.exit("IPA server is already configured on this system.") > > The python comment is a hash (#). > > I opened ticket https://fedorahosted.org/freeipa/ticket/835 to track this. > > rob > From ssorce at redhat.com Mon Jan 24 20:27:52 2011 
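The two failures Jeff describes in this thread, the second --external_cert_file run being refused as "already configured" (ticket 835) and a CSR left behind by --uninstall blocking a fresh install, come from the installer deciding its stage from the wrong facts. The sketch below is an added example and not the code in /usr/sbin/ipa-server-install: it assumes the installer records a marker (`external_ca_pending`) when the CSR step finishes, so the decision never rests on /root/ipa.csr merely existing. `HostState`, `Options`, `decide_stage` and `stale_csr` are hypothetical names.

```python
"""Stage selection for a two-step --external-ca install (constructed example).

Hypothetical logic, not FreeIPA's installer. The installer is assumed to
write a marker (external_ca_pending) at the end of the CSR step; the
decision below never rests on /root/ipa.csr merely existing, because
--uninstall may leave that file behind.
"""
from dataclasses import dataclass
from enum import Enum


class Stage(Enum):
    FRESH_INSTALL = "fresh install"
    EXTERNAL_CA_STEP1 = "generate CSR for the external CA and stop"
    EXTERNAL_CA_STEP2 = "import the externally signed CA certificate and finish"
    REFUSE_ALREADY_CONFIGURED = "IPA server is already configured on this system"
    REFUSE_NEED_CERT_FILES = "CSR step done; --external_cert_file and --external_ca_file required"
    REFUSE_NOTHING_TO_IMPORT = "certificate files given but no CSR step is pending"


@dataclass
class HostState:
    ds_configured: bool        # what dsinstance.DsInstance().is_configured() reports
    ca_ds_configured: bool     # what cainstance.CADSInstance().is_configured() reports
    csr_present: bool          # /root/ipa.csr exists (possibly left over by --uninstall)
    external_ca_pending: bool  # assumed marker written when step 1 finished


@dataclass
class Options:
    external_ca: bool = False
    external_cert_file: str = ""
    external_ca_file: str = ""


def decide_stage(state: HostState, opts: Options) -> Stage:
    """Pick what this invocation should do.

    Ordering matters: the pending marker is tested before the generic
    "already configured" check, because step 1 deliberately leaves the
    directory server and the CA directory server configured.
    """
    have_cert_files = bool(opts.external_cert_file and opts.external_ca_file)

    if state.external_ca_pending:
        return Stage.EXTERNAL_CA_STEP2 if have_cert_files else Stage.REFUSE_NEED_CERT_FILES

    if state.ds_configured or state.ca_ds_configured:
        return Stage.REFUSE_ALREADY_CONFIGURED

    # Nothing is configured, so this is a fresh host or one after --uninstall.
    if have_cert_files:
        return Stage.REFUSE_NOTHING_TO_IMPORT   # there is no CA instance to import into
    if opts.external_ca:
        return Stage.EXTERNAL_CA_STEP1          # regenerates, overwriting any stale CSR
    return Stage.FRESH_INSTALL                  # a leftover CSR is irrelevant here


def stale_csr(state: HostState) -> bool:
    """True when a CSR survived an uninstall; the caller can warn or remove it."""
    unconfigured = not (state.ds_configured or state.ca_ds_configured)
    return state.csr_present and not state.external_ca_pending and unconfigured
```

With this split the "already configured" exit Rob suggests commenting out stays in place for the case it was written for, and the CSR file on its own never changes the outcome.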
From: ssorce at redhat.com (Simo Sorce) Date: Mon, 24 Jan 2011 15:27:52 -0500 Subject: [Freeipa-devel] [PATCH] 0071 Make -u optional in unattended mode Message-ID: <20110124152752.6e44fb45@willson.li.ssimo.org> We have a default user name, which is also the recommended one, it made no sense to force users to specify it at the command line for unattended installations. Just use the default if none is provided. Ticket #836 Simo. -- Simo Sorce * Red Hat, Inc * New York -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-simo-0071-Make-the-u-option-optional-in-unattended-mode.patch Type: text/x-patch Size: 2718 bytes Desc: not available URL: From jhrozek at redhat.com Mon Jan 24 21:00:37 2011 From: jhrozek at redhat.com (Jakub Hrozek) Date: Mon, 24 Jan 2011 22:00:37 +0100 Subject: [Freeipa-devel] [PATCH] 0071 Make -u optional in unattended mode In-Reply-To: <20110124152752.6e44fb45@willson.li.ssimo.org> References: <20110124152752.6e44fb45@willson.li.ssimo.org> Message-ID: <4D3DE875.8090502@redhat.com> On 01/24/2011 09:27 PM, Simo Sorce wrote: > > We have a default user name, which is also the recommended one, it made > no sense to force users to specify it at the command line for > unattended installations. Just use the default if none is provided. > > Ticket #836 > > Simo. > Ack From jhrozek at redhat.com Mon Jan 24 21:28:57 2011 From: jhrozek at redhat.com (Jakub Hrozek) Date: Mon, 24 Jan 2011 22:28:57 +0100 Subject: [Freeipa-devel] [PATCH] 0066 remove binddn when using GSSAPI for replication In-Reply-To: <20110119194339.5f83ddfc@willson.li.ssimo.org> References: <20110119194339.5f83ddfc@willson.li.ssimo.org> Message-ID: <4D3DEF19.5010705@redhat.com> On 01/20/2011 01:43 AM, Simo Sorce wrote: > > See ticket #817 > > Simo. > Ack From ssorce at redhat.com Mon Jan 24 21:46:25 2011 
From: ssorce at redhat.com (Simo Sorce) Date: Mon, 24 Jan 2011 16:46:25 -0500 Subject: [Freeipa-devel] [PATCH] 0066 remove binddn when using GSSAPI for replication In-Reply-To: <4D3DEF19.5010705@redhat.com> References: <20110119194339.5f83ddfc@willson.li.ssimo.org> <4D3DEF19.5010705@redhat.com> Message-ID: <20110124164625.6f11e5b8@willson.li.ssimo.org> On Mon, 24 Jan 2011 22:28:57 +0100 Jakub Hrozek wrote: > On 01/20/2011 01:43 AM, Simo Sorce wrote: > > > > See ticket #817 > > > > Simo. > > > > Ack Pushed to master Simo. -- Simo Sorce * Red Hat, Inc * New York From ssorce at redhat.com Mon Jan 24 21:46:37 2011 From: ssorce at redhat.com (Simo Sorce) Date: Mon, 24 Jan 2011 16:46:37 -0500 Subject: [Freeipa-devel] [PATCH] 0071 Make -u optional in unattended mode In-Reply-To: <4D3DE875.8090502@redhat.com> References: <20110124152752.6e44fb45@willson.li.ssimo.org> <4D3DE875.8090502@redhat.com> Message-ID: <20110124164637.482c927e@willson.li.ssimo.org> On Mon, 24 Jan 2011 22:00:37 +0100 Jakub Hrozek wrote: > On 01/24/2011 09:27 PM, Simo Sorce wrote: > > > > We have a default user name, which is also the recommended one, it > > made no sense to force users to specify it at the command line for > > unattended installations. Just use the default if none is provided. > > > > Ticket #836 > > > > Simo. > > > > Ack Pushed to master. Simo. -- Simo Sorce * Red Hat, Inc * New York From rcritten at redhat.com Mon Jan 24 22:02:10 2011 
From: rcritten at redhat.com (Rob Crittenden) Date: Mon, 24 Jan 2011 17:02:10 -0500 Subject: [Freeipa-devel] [PATCH] 690 add brackets around optional prompts Message-ID: <4D3DF6E2.9090204@redhat.com> When prompting for arguments in the cli there is no way to tell what is optional and what is required. This sticks brackets around optional arguments. Ticket 832 rob -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-rcrit-690-optional.patch Type: text/x-patch Size: 1832 bytes Desc: not available URL: From jhrozek at redhat.com Mon Jan 24 22:06:17 2011 From: jhrozek at redhat.com (Jakub Hrozek) Date: Mon, 24 Jan 2011 23:06:17 +0100 Subject: [Freeipa-devel] [PATCH] 0069 Add/Remove DNS records for replicas In-Reply-To: <20110122200938.18cc2038@willson.li.ssimo.org> References: <20110122200938.18cc2038@willson.li.ssimo.org> Message-ID: <4D3DF7D9.8080908@redhat.com> On 01/23/2011 02:09 AM, Simo Sorce wrote: > > Do it always when the dns tree is available, even if the replica being > installed doesn't provide dns service itself. > > Ticket #824 > > Simo. > I tried applying this on top of both origin/master and 068 but did not succeed. Can you rebase, please? From rcritten at redhat.com Mon Jan 24 22:35:16 2011 From: rcritten at redhat.com (Rob Crittenden) Date: Mon, 24 Jan 2011 17:35:16 -0500 Subject: [Freeipa-devel] [PATCH] 691 add --hostname option to ipa-client-install Message-ID: <4D3DFEA4.9010500@redhat.com> Let the installer override the detected hostname value with the --hostname flag. This is likely to lead to a non-working installation so let the buyer beware. ticket 834 rob -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-rcrit-691-hostname.patch Type: text/x-patch Size: 2127 bytes Desc: not available URL: From jeffb.list at gmail.com Mon Jan 24 22:42:42 2011 
From: jeffb.list at gmail.com (Jeff B) Date: Mon, 24 Jan 2011 17:42:42 -0500 Subject: [Freeipa-devel] No luck using ds-migrate to import Apple Open Directory Message-ID: Apple Open Directory is as follows: cn=users,dc=host,dc=domain,dc=tld cn=groups,dc=host,dc=domain,dc=tld User records have the following object classes: - person - top - organizationalPerson - extensibleObject - apple-user - shadowAccount - posixAccount - inetOrgPerson Group records have the following object classes: - top - extensibleObject - apple-group - posixGroup The data is mostly what you would expect for posixAccount and the other common object classes. When I try to import data to IPA I get this error for every user and group like this: ----------- migrate-ds: ----------- Migrated: Failed user: : unknown object class "apple-user" : unknown object class "apple-user" : unknown object class "apple-user" ... And the rest Failed group: : unknown object class "apple-group" : unknown object class "apple-group" : unknown object class "apple-group" ... And the rest ---------- Here are some of the migrate options I've tried: ipa -d migrate-ds --bind-dn="uid=user,cn=users,dc=host,dc=domain,dc=tld" ldap://10.0.0.1:389 --user-objectclass="posixAccount" --group-objectclass="posixGroups" --user-container="cn=users" --group-container="cn=groups" ipa -d migrate-ds --bind-dn="uid=user,cn=users,dc=host,dc=domain,dc=tld" ldap://10.0.0.1:389 --user-objectclass="apple-user" --group-objectclass="apple-group" --user-container="cn=users" --group-container="cn=groups" I've tried combinations of the two. I've tried changing the --schema with no change in outcome. The only time the outcome is different is when I don't include the --group-objectclass or the --user-objectclass It fails before it even tries to import the data in the directory. 
I get this error: ipa: DEBUG: Caught fault 4001 from server https://ipa0.myrealm.com/ipa/xml: Container for group not found ipa: INFO: Destroyed connection context.xmlclient ipa: ERROR: Container for group not found If I add only the --group-objectclass it tries to migrate and gives me the list of errors for every user and group having an unknown object class as described at the top. Would one expect that I should be able to migrate this data, or would it fail because it differs from the two supported schemas? I was hoping since it was based off of posixAccount and posixGroup that it was close enough to work. From dpal at redhat.com Mon Jan 24 23:21:28 2011 
From: dpal at redhat.com (Dmitri Pal) Date: Mon, 24 Jan 2011 18:21:28 -0500 Subject: [Freeipa-devel] [PATCH] 691 add --hostname option to ipa-client-install In-Reply-To: <4D3DFEA4.9010500@redhat.com> References: <4D3DFEA4.9010500@redhat.com> Message-ID: <4D3E0978.4000109@redhat.com> Rob Crittenden wrote: > Let the installer override the detected hostname value with the > --hostname flag. This is likely to lead to a non-working installation > so let the buyer beware. > > ticket 834 I do not think this is enough. There is a part of the ipa-client-install other than ipa-join that assumes that host name will match. I saw that in the log. I do not have it in front of me now. It is on my home machine. If the -h option is provided this check/enforcement should be suppressed. Please try running ipa-client-install with the mismatching name and you will see what I mean. Thanks Dmitri > > rob > ------------------------------------------------------------------------ > > _______________________________________________ > Freeipa-devel mailing list > Freeipa-devel at redhat.com > https://www.redhat.com/mailman/listinfo/freeipa-devel -- Thank you, Dmitri Pal Sr. Engineering Manager IPA project, Red Hat Inc. ------------------------------- Looking to carve out IT costs? www.redhat.com/carveoutcosts/ From rcritten at redhat.com Mon Jan 24 23:22:53 2011 
From: rcritten at redhat.com (Rob Crittenden) Date: Mon, 24 Jan 2011 18:22:53 -0500 Subject: [Freeipa-devel] [PATCH] 691 add --hostname option to ipa-client-install In-Reply-To: <4D3E0978.4000109@redhat.com> References: <4D3DFEA4.9010500@redhat.com> <4D3E0978.4000109@redhat.com> Message-ID: <4D3E09CD.8040305@redhat.com> Dmitri Pal wrote: > Rob Crittenden wrote: >> Let the installer override the detected hostname value with the >> --hostname flag. This is likely to lead to a non-working installation >> so let the buyer beware. >> >> ticket 834 > > I do not think this is enough. There is a part of the ipa-client-install > other than ipa-join that assumes that host name will match. I saw that > in the log. I do not have it in front of me now. It is on hame machine. > > If the -h option is provided this check/enforcement should be suppressed. > Please try running ipa-client-install with the mismatching name you will > see what I mean. I did a successful install with the --hostname option, using another hostname in DNS. I verified that this hostname was used as the name in the host service principal in /etc/krb5.keytab. rob From rcritten at redhat.com Mon Jan 24 23:25:41 2011 
From: rcritten at redhat.com (Rob Crittenden)
Date: Mon, 24 Jan 2011 18:25:41 -0500
Subject: [Freeipa-devel] No luck using ds-migrate to import Apple Open Directory
Message-ID: <4D3E0A75.4040603@redhat.com>

Jeff B wrote:
> Apple Open Directory is as follows:
>
> cn=users,dc=host,dc=domain,dc=tld
> cn=groups,dc=host,dc=domain,dc=tld
>
> User records have the following object classes:
> - person
> - top
> - organizationalPerson
> - extensibleObject
> - apple-user
> - shadowAccount
> - posixAccount
> - inetOrgPerson
>
> Group records have the following object classes:
> - top
> - extensibleObject
> - apple-group
> - posixGroup
>
> The data is mostly what you would expect for posixAccount and the
> other common object classes. When I try to import data to IPA I get
> this error for every user and group like this:
>
> -----------
> migrate-ds:
> -----------
> Migrated:
> Failed user:
> : unknown object class "apple-user"
> : unknown object class "apple-user"
> : unknown object class "apple-user"
> ... And the rest
> Failed group:
> : unknown object class "apple-group"
> : unknown object class "apple-group"
> : unknown object class "apple-group"
> ... And the rest
> ----------
>
> Here are some of the migrate options I've tried:
>
> ipa -d migrate-ds
> --bind-dn="uid=user,cn=users,dc=host,dc=domain,dc=tld"
> ldap://10.0.0.1:389 --user-objectclass="posixAccount"
> --group-objectclass="posixGroups" --user-container="cn=users"
> --group-container="cn=groups"
>
> ipa -d migrate-ds
> --bind-dn="uid=user,cn=users,dc=host,dc=domain,dc=tld"
> ldap://10.0.0.1:389 --user-objectclass="apple-user"
> --group-objectclass="apple-group" --user-container="cn=users"
> --group-container="cn=groups"
>
> I've tried combinations of the two. I've tried changing the --schema
> with no change in outcome. The only time the outcome is different is
> when I don't include the --group-objectclass or the --user-objectclass.
> It fails before it even tries to import the data in the directory. I
> get this error:
>
> ipa: DEBUG: Caught fault 4001 from server
> https://ipa0.myrealm.com/ipa/xml: Container for group not found
> ipa: INFO: Destroyed connection context.xmlclient
> ipa: ERROR: Container for group not found
>
> If I add only the --group-objectclass it tries to migrate and gives me
> the list of errors for every user and group having an unknown object
> class as described at the top.
>
> Would one expect that I should be able to migrate this data, or would
> it fail because it differs from the two supported schemas? I was
> hoping since it was based off of posixAccount and posixGroup that it
> was close enough to work.

Hmm, interesting problem, I don't think we really thought about this. In
the broadest sense apple-user could be just about any unknown objectclass.

If we *just* aim at migrating over POSIX information we can simply target
the attributes we want and migrate those and ignore the rest. This might
not be so nice for some users.

Or we can try to run through the schema for every entry and delete
objectclasses and attributes we know nothing about.

Or we could do both, with the default setting perhaps to migrate the
minimum with an --aggressive option perhaps?

Or we could have a --objectclass option to list all the objectclasses to
migrate.

Or even better, perhaps we should have a --test mode where you can test
the migration before actually having to move users over. Basically try
to migrate one user and if successful delete it from IPA when done and,
if unsuccessful report whatever errors were raised.

rob

From ayoung at redhat.com Tue Jan 25 03:02:06 2011
From: ayoung at redhat.com (Adam Young)
Date: Mon, 24 Jan 2011 22:02:06 -0500
Subject: [Freeipa-devel] [PATCH] admiyo-0156-remove-icons-from-association-buttons.
Message-ID: <4D3E3D2E.7070707@redhat.com>

-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-admiyo-0156-remove-icons-from-association-buttons.patch
Type: text/x-patch
Size: 1133 bytes

From ayoung at redhat.com Tue Jan 25 03:22:22 2011
From: ayoung at redhat.com (Adam Young)
Date: Mon, 24 Jan 2011 22:22:22 -0500
Subject: [Freeipa-devel] [PATCH] admiyo-0157-aci-attribute-table-two-columns.patc
Message-ID: <4D3E41EE.1070401@redhat.com>

-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-admiyo-0157-aci-attribute-table-two-columns.patch
Type: text/x-patch
Size: 2937 bytes

From rcritten at redhat.com Tue Jan 25 03:26:11 2011
From: rcritten at redhat.com (Rob Crittenden)
Date: Mon, 24 Jan 2011 22:26:11 -0500
Subject: [Freeipa-devel] [PATCH] Changed dns permission types
In-Reply-To: <201101141358.55418.jzeleny@redhat.com>
References: <201101071805.18499.jzeleny@redhat.com> <4D2DD454.9060901@redhat.com> <201101141358.55418.jzeleny@redhat.com>
Message-ID: <4D3E42D3.2020604@redhat.com>

Jan Zelený wrote:
> Rob Crittenden wrote:
>> Jan Zelený wrote:
>>> Recent change of DNS module to version caused that dns object type
>>> was replaced by dnszone and dnsrecord. This patch corrects dns types
>>> in permissions class.
>>>
>>> https://fedorahosted.org/freeipa/ticket/646
>>
>> Nack. These values need to be added as valid types to the aci plugin and
>> the _type_map needs to be updated.
>>
>> rob
>
> I'm sending an updated patch.
>
> Jan

Since dnszone and dnsrecord point to the same kind of entry what is the
point of having two separate names for them? When we read the entry we
aren't going to be able to differentiate between the two.

Can the type be made more specific?

rob

From ayoung at redhat.com Tue Jan 25 03:31:02 2011
From: ayoung at redhat.com (Adam Young)
Date: Mon, 24 Jan 2011 22:31:02 -0500
Subject: [Freeipa-devel] [PATCH] admiyo-0158-action-buttons-for-dns
Message-ID: <4D3E43F6.1070102@redhat.com>

-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-admiyo-0158-action-buttons-for-dns.patch
Type: text/x-patch
Size: 1039 bytes

From rcritten at redhat.com Tue Jan 25 03:33:07 2011
From: rcritten at redhat.com (Rob Crittenden)
Date: Mon, 24 Jan 2011 22:33:07 -0500
Subject: [Freeipa-devel] [PATCH] Disable renaming to empty string
In-Reply-To: <20110124083929.20176e9d@willson.li.ssimo.org>
References: <201101240938.45951.jzeleny@redhat.com> <20110124083929.20176e9d@willson.li.ssimo.org>
Message-ID: <4D3E4473.1060002@redhat.com>

Simo Sorce wrote:
> On Mon, 24 Jan 2011 09:38:45 +0100
> Jan Zelený wrote:
>
>> So far it was possible to rename any object using LDAPUpdate to a name
>> with empty primary key. Since this can cause nasty problems, this
>> patch disables empty string in --rename argument.
>>
>> https://fedorahosted.org/freeipa/ticket/827
>
> ack
>
> Simo.
>

pushed to master

From rcritten at redhat.com Tue Jan 25 03:42:06 2011
From: rcritten at redhat.com (Rob Crittenden)
Date: Mon, 24 Jan 2011 22:42:06 -0500
Subject: [Freeipa-devel] [PATCH] 029 Enforce uniqueness on (key, info) pairs in automount keys
In-Reply-To: <4D3C884B.9060805@redhat.com>
References: <4D0F5ED8.5000403@redhat.com> <4D0F6949.4020504@redhat.com> <4D2B30A1.5030303@redhat.com> <4D37FF29.2000006@redhat.com> <4D39BA72.8070205@redhat.com> <4D3C884B.9060805@redhat.com>
Message-ID: <4D3E468E.9020805@redhat.com>

Jakub Hrozek wrote:
> On 01/21/2011 05:55 PM, Rob Crittenden wrote:
>> Jakub Hrozek wrote:
>>> On 01/10/2011 05:15 PM, Jakub Hrozek wrote:
>>>> On 12/20/2010 03:33 PM, Jakub Hrozek wrote:
>>>>> On 12/20/2010 02:49 PM, Jakub Hrozek wrote:
>>>>>> Attached is a patch that changes the uniqueness constraint of automount
>>>>>> keys from (key) to (key,info) pairs. The patch is not really standard
>>>>>> baseldap style. The reason is that during development, I found that
>>>>>> baseldap is really dependent on having a single primary key and also
>>>>>> during many operations accessing it as keys[-1].
>>>>>>
>>>>>> Please note that the ipa automountkey-* commands used to have three
>>>>>> args, now it's two args and two required options (that compose the tuple
>>>>>> that is primary key). I know next to nothing about UI, but I assume this
>>>>>> has consequences as the JSON marshalled call needs to be different now.
>>>>>> Can someone point me to the place in code that I need to fix now?
>>>>>>
>>>>>> Fixes:
>>>>>> https://fedorahosted.org/freeipa/ticket/293
>>>>>
>>>>> Sorry, I left some debugging statements in. Attached is a new patch.
>>>>
>>>> Attached is a patch that applies cleanly on top of origin/master.
>>
>> Can you provide some guidance on how to test this patch?
>>
>> thanks
>>
>> rob
>
> Sure:
>
> The main change to CLI is that both key and info must be provided. These
> are put into the description attribute, at the same time this (key,info)
> tuple is checked for uniqueness.
>
> The automount test is a good start for testing the patch. It also tests
> a duplicate direct map. To test the duplicates manually:
>
> ipa automountlocation-add baltimore
> ipa automountmap-add baltimore auto.direct2
> ipa automountkey-add baltimore auto.master --key=/- --info=auto.direct2
> ipa automountlocation-tofiles baltimore
>
> You should see something like:
> /etc/auto.master:
> /- /etc/auto.direct
> /- /etc/auto.direct2
> ---------------------------
> /etc/auto.direct:
> ---------------------------
> /etc/auto.direct2:

Ack with two conditions and a question:

Conditions:

1. Check with qe to see if they already have tests for automount. If they
do we'll need to coordinate getting their tests updated.

2. The samples in the command help don't use the --key argument, can you
update them?

Question:

Can you import multiple direct maps?

rob

From rcritten at redhat.com Tue Jan 25 03:44:27 2011
From: rcritten at redhat.com (Rob Crittenden)
Date: Mon, 24 Jan 2011 22:44:27 -0500
Subject: [Freeipa-devel] [PATCH] Fix crash when displaying values composed of white chars only in CLI.
In-Reply-To: <20110121145317.04357681@willson.li.ssimo.org>
References: <4D395355.5050307@redhat.com> <4D39DEFF.1050706@redhat.com> <20110121145317.04357681@willson.li.ssimo.org>
Message-ID: <4D3E471B.9040306@redhat.com>

Simo Sorce wrote:
> On Fri, 21 Jan 2011 14:31:11 -0500
> Rob Crittenden wrote:
>
>> Pavel Zůna wrote:
>>> Fix #825
>>>
>>> Pavel
>>
>> Should we instead prevent storing white space? On the cli
>> someone would have to go through the trouble of quoting the space but
>> in the UI I think it would be pretty easy to accidentally hit a space
>> on a field and save it.
>
> Someone may want to store a space on purpose, or have some other
> program do it underneath the UI. So fixing the crash is necessary.
> Whether we also want to prevent storing whitespace is a separate
> question IMHO.
>
> Simo.
>

Ok, pushed to master.

From mkosek at redhat.com Tue Jan 25 08:55:51 2011
From: mkosek at redhat.com (Martin Kosek)
Date: Tue, 25 Jan 2011 09:55:51 +0100
Subject: [Freeipa-devel] [PATCH] Unused value in initdefault_encoding_utf8
In-Reply-To: <4D343281.3050409@redhat.com>
References: <1295265612.8622.0.camel@dhcp-25-52.brq.redhat.com> <4D343281.3050409@redhat.com>
Message-ID: <1295945751.6727.2.camel@dhcp-25-52.brq.redhat.com>

On Mon, 2011-01-17 at 13:13 +0100, Jakub Hrozek wrote:
> On 01/17/2011 01:00 PM, Martin Kosek wrote:
> > There is no use for return value of Py_InitModule3. Removing it
> > in this patch.
> >
> > https://fedorahosted.org/freeipa/ticket/710
> >
>
> Ack

Just a reminder that this patch is ready for push.

Thanks,
Martin

From jhrozek at redhat.com Tue Jan 25 09:41:39 2011
From: jhrozek at redhat.com (Jakub Hrozek)
Date: Tue, 25 Jan 2011 10:41:39 +0100
Subject: [Freeipa-devel] [PATCH] 0068 populate dua profile
In-Reply-To: <20110122200823.6fc9a460@willson.li.ssimo.org>
References: <20110122200823.6fc9a460@willson.li.ssimo.org>
Message-ID: <4D3E9AD3.9090605@redhat.com>

On 01/23/2011 02:08 AM, Simo Sorce wrote:
> Ticket #820
>
> Simo.
>

I think there's a bug in how the defaultServerList attribute is cleaned
up when a replica is deleted - it seems to remove the FQDN of the host
ipa-replica-manage del is run on. In ReplicationManager.replica_cleanup()
you call srvlist.remove(self.hostname), should that be
srvlist.remove(replica)?

From jzeleny at redhat.com Tue Jan 25 10:35:41 2011
From: jzeleny at redhat.com (Jan Zelený)
Date: Tue, 25 Jan 2011 11:35:41 +0100
Subject: [Freeipa-devel] [PATCH] Changed dns permission types
In-Reply-To: <4D3E42D3.2020604@redhat.com>
References: <201101071805.18499.jzeleny@redhat.com> <201101141358.55418.jzeleny@redhat.com> <4D3E42D3.2020604@redhat.com>
Message-ID: <201101251135.41893.jzeleny@redhat.com>

Rob Crittenden wrote:
> Jan Zelený wrote:
> > Rob Crittenden wrote:
> >> Jan Zelený wrote:
> >>> Recent change of DNS module to version caused that dns object type
> >>> was replaced by dnszone and dnsrecord. This patch corrects dns types
> >>> in permissions class.
> >>>
> >>> https://fedorahosted.org/freeipa/ticket/646
> >>
> >> Nack. These values need to be added as valid types to the aci plugin and
> >> the _type_map needs to be updated.
> >>
> >> rob
> >
> > I'm sending an updated patch.
> >
> > Jan
>
> Since dnszone and dnsrecord point to the same kind of entry what is the
> point of having two separate names for them? When we read the entry we
> aren't going to be able to differentiate between the two.

I didn't take a look at how the type thing works, so I'm kinda guessing
here (please ignore the comment if it is wrong):
Sure, object with idnszone class is always also in dnsrecord class, but
that's not the case backwards (idnsrecord object isn't always idnszone) -
so I think it is possible to set different ACIs for these two types.

> Can the type be made more specific?

If the mapping doesn't distinguish object classes and it can, maybe that's
the answer. Will investigate further. But if not, I still think this is
the way to go considering the underlying issue which we tried to solve by
this change.

Jan

From jhrozek at redhat.com Tue Jan 25 12:09:25 2011
From: jhrozek at redhat.com (Jakub Hrozek)
Date: Tue, 25 Jan 2011 13:09:25 +0100
Subject: [Freeipa-devel] [PATCH] 040 Assorted bugs found by pylint
In-Reply-To: <4D396336.3090501@redhat.com>
References: <4D396336.3090501@redhat.com>
Message-ID: <4D3EBD75.7020308@redhat.com>

On 01/21/2011 11:43 AM, Jakub Hrozek wrote:
> https://fedorahosted.org/freeipa/ticket/358
>
> Another part of this effort is running pylint during build. I have
> started on this, but because we use python's dynamic features quite a
> lot, pylint produces a big number of false positives.
>
> I wrote a small pylint plugin that helps (so it allowed me to review the
> pylint results sanely), but it's still not complete - I'd like to resume
> that work during the 2.0.1 bug fixing as there are more pressing issues
> right now, I think.

Attaching a new version that fixes one more bug and also changes one hunk
so it does not exceed the recommended 80-chars limit.

-------------- next part --------------
A non-text attachment was scrubbed...
Name: jhrozek-freeipa-040-02-pylint-fixes.patch
Type: text/x-patch
Size: 13716 bytes

From jzeleny at redhat.com Tue Jan 25 12:35:13 2011
From: jzeleny at redhat.com (Jan Zelený)
Date: Tue, 25 Jan 2011 13:35:13 +0100
Subject: [Freeipa-devel] [PATCH] Changed dns permission types
In-Reply-To: <201101251135.41893.jzeleny@redhat.com>
References: <201101071805.18499.jzeleny@redhat.com> <4D3E42D3.2020604@redhat.com> <201101251135.41893.jzeleny@redhat.com>
Message-ID: <201101251335.13954.jzeleny@redhat.com>

Jan Zelený wrote:
> Rob Crittenden wrote:
> > Jan Zelený wrote:
> > > Rob Crittenden wrote:
> > >> Jan Zelený wrote:
> > >>> Recent change of DNS module to version caused that dns object type
> > >>> was replaced by dnszone and dnsrecord. This patch corrects dns types
> > >>> in permissions class.
> > >>>
> > >>> https://fedorahosted.org/freeipa/ticket/646
> > >>
> > >> Nack. These values need to be added as valid types to the aci plugin
> > >> and the _type_map needs to be updated.
> > >>
> > >> rob
> > >
> > > I'm sending an updated patch.
> > >
> > > Jan
> >
> > Since dnszone and dnsrecord point to the same kind of entry what is the
> > point of having two separate names for them? When we read the entry we
> > aren't going to be able to differentiate between the two.
>
> I didn't take a look at how the type thing works, so I'm kinda guessing
> here (please ignore the comment if it is wrong):
> Sure, object with idnszone class is always also in dnsrecord class, but
> that's not the case backwards (idnsrecord object isn't always idnszone) -
> so I think it is possible to set different ACIs for these two types.
>
> > Can the type be made more specific?
>
> If the mapping doesn't distinguish object classes and it can, maybe that's
> the answer. Will investigate further. But if not, I still think this is
> the way to go considering the underlying issue which we tried to solve by
> this change.

From what I found I think that making the changes necessary to distinguish
dnsrecord and dnszone is not worth it, especially since the user can use
"filter" for that purpose. Since having both of them doesn't have any
additional value, I'm sending a new version of the patch, which only adds
the dnsrecord type.

Jan

-------------- next part --------------
A non-text attachment was scrubbed...
Name: jzeleny-freeipa-0021-3-Changed-dns-permission-types.patch
Type: text/x-patch
Size: 2464 bytes

From jzeleny at redhat.com Tue Jan 25 12:41:12 2011
From: jzeleny at redhat.com (Jan Zelený)
Date: Tue, 25 Jan 2011 13:41:12 +0100
Subject: [Freeipa-devel] [PATCH] 690 add brackets around optional prompts
In-Reply-To: <4D3DF6E2.9090204@redhat.com>
References: <4D3DF6E2.9090204@redhat.com>
Message-ID: <201101251341.12113.jzeleny@redhat.com>

Rob Crittenden wrote:
> When prompting for arguments in the cli there is no way to tell what is
> optional and what is required. This sticks brackets around optional
> arguments.
>
> Ticket 832
>
> rob

Ack

Jan

From jhrozek at redhat.com Tue Jan 25 13:19:18 2011
From: jhrozek at redhat.com (Jakub Hrozek)
Date: Tue, 25 Jan 2011 14:19:18 +0100
Subject: [Freeipa-devel] [PATCH] 029 Enforce uniqueness on (key, info) pairs in automount keys
In-Reply-To: <4D3E468E.9020805@redhat.com>
References: <4D0F5ED8.5000403@redhat.com> <4D0F6949.4020504@redhat.com> <4D2B30A1.5030303@redhat.com> <4D37FF29.2000006@redhat.com> <4D39BA72.8070205@redhat.com> <4D3C884B.9060805@redhat.com> <4D3E468E.9020805@redhat.com>
Message-ID: <4D3ECDD6.1030402@redhat.com>

On 01/25/2011 04:42 AM, Rob Crittenden wrote:
> Jakub Hrozek wrote:
>> On 01/21/2011 05:55 PM, Rob Crittenden wrote:
>>> Jakub Hrozek wrote:
>>>> On 01/10/2011 05:15 PM, Jakub Hrozek wrote:
>>>>> On 12/20/2010 03:33 PM, Jakub Hrozek wrote:
>>>>>> On 12/20/2010 02:49 PM, Jakub Hrozek wrote:
>>>>>>> Attached is a patch that changes the uniqueness constraint of
>>>>>>> automount keys from (key) to (key,info) pairs. The patch is not
>>>>>>> really standard baseldap style. The reason is that during
>>>>>>> development, I found that baseldap is really dependent on having a
>>>>>>> single primary key and also during many operations accessing it as
>>>>>>> keys[-1].
>>>>>>>
>>>>>>> Please note that the ipa automountkey-* commands used to have three
>>>>>>> args, now it's two args and two required options (that compose the
>>>>>>> tuple that is primary key). I know next to nothing about UI, but I
>>>>>>> assume this has consequences as the JSON marshalled call needs to be
>>>>>>> different now.
>>>>>>> Can someone point me to the place in code that I need to fix now?
>>>>>>>
>>>>>>> Fixes:
>>>>>>> https://fedorahosted.org/freeipa/ticket/293
>>>>>>
>>>>>> Sorry, I left some debugging statements in. Attached is a new patch.
>>>>>
>>>>> Attached is a patch that applies cleanly on top of origin/master.
>>>
>>> Can you provide some guidance on how to test this patch?
>>>
>>> thanks
>>>
>>> rob
>>
>> Sure:
>>
>> The main change to CLI is that both key and info must be provided. These
>> are put into the description attribute, at the same time this (key,info)
>> tuple is checked for uniqueness.
>>
>> The automount test is a good start for testing the patch. It also tests
>> a duplicate direct map. To test the duplicates manually:
>>
>> ipa automountlocation-add baltimore
>> ipa automountmap-add baltimore auto.direct2
>> ipa automountkey-add baltimore auto.master --key=/- --info=auto.direct2
>> ipa automountlocation-tofiles baltimore
>>
>> You should see something like:
>> /etc/auto.master:
>> /- /etc/auto.direct
>> /- /etc/auto.direct2
>> ---------------------------
>> /etc/auto.direct:
>> ---------------------------
>> /etc/auto.direct2:
>
> Ack with two conditions and a question:
>
> Conditions:
>
> 1. Check with qe to see if they already have tests for automount. If
> they do we'll need to coordinate getting their tests updated.

Jenny, I see you are in the CC list. Do you know?

> 2. The samples in the command help don't use the --key argument, can you
> update them?

Sorry, but I think the samples are OK. I just tried cut-n-pasting all of
them into the terminal and found one glitch (new patch that fixes just
that typo in help is attached), but all the ipa automountkey-* commands
list the --key parameter in help. Or do you mean something else than the
output of ipa help automount?

>
> Question:
>
> Can you import multiple direct maps?
>

Yes, just tested. If someone would like to test, please note that when
you create a new automount location, a direct map is created for the new
location by default. This is how I imported a /etc/auto.master file with
multiple direct maps:

# create a new location
ipa automountlocation-add testimport
# remove the reference to the direct map from the auto.master map
ipa automountkey-del testimport auto.master --key=/- --info=auto.direct
# remove the auto.direct location
ipa automountmap-del testimport auto.direct
# import the new maps
ipa automountlocation-import testimport /etc/auto.master

My /etc/auto.master looks something like this:
-----
/misc /etc/auto.misc
/net -hosts
/- /etc/auto.direct
/- /etc/auto.direct2
/home /etc/auto.home
-----

-------------- next part --------------
A non-text attachment was scrubbed...
Name: jhrozek-freeipa-029-05-automount-keys-uniqueness.patch
Type: text/x-patch
Size: 27533 bytes

From ssorce at redhat.com Tue Jan 25 13:28:49 2011
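To make the constraint change in patch 029 concrete, here is an added example (not FreeIPA's automount plugin) that models the old rule (key alone must be unique) against the new one ((key, info) must be unique) and loads the auto.master shown in the thread under each; the class and function names, the `legacy` switch and the plain auto.master parsing are this example's own assumptions.

```python
"""Added example, not FreeIPA's automount plugin: a small model of the
automount key uniqueness rule discussed in this thread, old (key alone)
versus new ((key, info) pair), run over the auto.master shown above.

Assumptions: plain auto.master syntax (key, whitespace, map location),
'#' comments and blank lines skipped; the class and function names are
this example's own.
"""
from collections import OrderedDict

# Constructed sample, copied from the auto.master layout in the thread.
SAMPLE_AUTO_MASTER = """\
/misc /etc/auto.misc
/net -hosts
/- /etc/auto.direct
/- /etc/auto.direct2
/home /etc/auto.home
"""


class DuplicateEntry(ValueError):
    """Raised when the uniqueness constraint would be violated."""


class AutomountMap:
    """Holds automount keys under a uniqueness constraint.

    legacy=True enforces the old rule (key must be unique), which makes a
    second '/-' direct map impossible; legacy=False enforces uniqueness of
    the (key, info) tuple, which is what the patch changes the plugin to.
    """

    def __init__(self, name, legacy=False):
        self.name = name
        self.legacy = legacy
        self._entries = OrderedDict()  # (key, info) -> description value

    def _conflict(self, key, info):
        if self.legacy:
            return any(k == key for k, _ in self._entries)
        return (key, info) in self._entries

    def add_key(self, key, info):
        # Both halves of the tuple are required, as the patch makes them
        # required options on the CLI; an empty key or info is rejected.
        if not key or not info:
            raise ValueError("both key and info are required")
        if self._conflict(key, info):
            raise DuplicateEntry("key %r with info %r already exists in %s"
                                 % (key, info, self.name))
        # The thread stores the tuple in the description attribute.
        self._entries[(key, info)] = "%s %s" % (key, info)
        return self._entries[(key, info)]

    def keys(self):
        return list(self._entries)

    def to_lines(self):
        """Render in the style of 'ipa automountlocation-tofiles'."""
        return ["%s:" % self.name] + ["%s %s" % pair for pair in self._entries]


def parse_auto_master(text):
    """Return (key, info) pairs from auto.master content."""
    pairs = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) != 2:
            raise ValueError("malformed auto.master line: %r" % raw)
        pairs.append((parts[0], parts[1].strip()))
    return pairs


def import_auto_master(text, map_name="/etc/auto.master", legacy=False):
    """Load auto.master content into an AutomountMap.

    Under the legacy rule the second '/-' line raises DuplicateEntry; under
    the (key, info) rule all five lines load.
    """
    amap = AutomountMap(map_name, legacy=legacy)
    for key, info in parse_auto_master(text):
        amap.add_key(key, info)
    return amap
```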
From: ssorce at redhat.com (Simo Sorce)
Date: Tue, 25 Jan 2011 08:28:49 -0500
Subject: [Freeipa-devel] [PATCH] 0068 populate dua profile
In-Reply-To: <4D3E9AD3.9090605@redhat.com>
References: <20110122200823.6fc9a460@willson.li.ssimo.org> <4D3E9AD3.9090605@redhat.com>
Message-ID: <20110125082849.2430c8f7@willson.li.ssimo.org>

On Tue, 25 Jan 2011 10:41:39 +0100
Jakub Hrozek wrote:

> On 01/23/2011 02:08 AM, Simo Sorce wrote:
> > Ticket #820
> >
> > Simo.
> >
>
> I think there's a bug in how the defaultServerList attribute is
> cleaned up when a replica is deleted - it seems to remove the FQDN of
> the host ipa-replica-manage del is run on. In
> ReplicationManager.replica_cleanup() you call
> srvlist.remove(self.hostname), should that be
> srvlist.remove(replica)?

Oh crap :-)

Nice catch!

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York

From dpal at redhat.com Tue Jan 25 13:53:08 2011
From: dpal at redhat.com (Dmitri Pal)
Date: Tue, 25 Jan 2011 08:53:08 -0500
Subject: [Freeipa-devel] No luck using ds-migrate to import Apple Open Directory
In-Reply-To: <4D3E0A75.4040603@redhat.com>
References: <4D3E0A75.4040603@redhat.com>
Message-ID: <4D3ED5C4.5000208@redhat.com>

Rob Crittenden wrote:
> Jeff B wrote:
>> Apple Open Directory is as follows:
>>
>> cn=users,dc=host,dc=domain,dc=tld
>> cn=groups,dc=host,dc=domain,dc=tld
>>
>> User records have the following object classes:
>> - person
>> - top
>> - organizationalPerson
>> - extensibleObject
>> - apple-user
>> - shadowAccount
>> - posixAccount
>> - inetOrgPerson
>>
>> Group records have the following object classes:
>> - top
>> - extensibleObject
>> - apple-group
>> - posixGroup
>>
>> The data is mostly what you would expect for posixAccount and the
>> other common object classes. When I try to import data to IPA I get
>> this error for every user and group like this:
>>
>> -----------
>> migrate-ds:
>> -----------
>> Migrated:
>> Failed user:
>> : unknown object class "apple-user"
>> : unknown object class "apple-user"
>> : unknown object class "apple-user"
>> ... And the rest
>> Failed group:
>> : unknown object class "apple-group"
>> : unknown object class "apple-group"
>> : unknown object class "apple-group"
>> ... And the rest
>> ----------
>>
>> Here are some of the migrate options I've tried:
>>
>> ipa -d migrate-ds
>> --bind-dn="uid=user,cn=users,dc=host,dc=domain,dc=tld"
>> ldap://10.0.0.1:389 --user-objectclass="posixAccount"
>> --group-objectclass="posixGroups" --user-container="cn=users"
>> --group-container="cn=groups"
>>
>> ipa -d migrate-ds
>> --bind-dn="uid=user,cn=users,dc=host,dc=domain,dc=tld"
>> ldap://10.0.0.1:389 --user-objectclass="apple-user"
>> --group-objectclass="apple-group" --user-container="cn=users"
>> --group-container="cn=groups"
>>
>> I've tried combinations of the two. I've tried changing the --schema
>> with no change in outcome. The only time the outcome is different is
>> when I don't include the --group-objectclass or the --user-objectclass.
>> It fails before it even tries to import the data in the directory. I
>> get this error:
>>
>> ipa: DEBUG: Caught fault 4001 from server
>> https://ipa0.myrealm.com/ipa/xml: Container for group not found
>> ipa: INFO: Destroyed connection context.xmlclient
>> ipa: ERROR: Container for group not found
>>
>> If I add only the --group-objectclass it tries to migrate and gives me
>> the list of errors for every user and group having an unknown object
>> class as described at the top.
>>
>> Would one expect that I should be able to migrate this data, or would
>> it fail because it differs from the two supported schemas? I was
>> hoping since it was based off of posixAccount and posixGroup that it
>> was close enough to work.
>
> Hmm, interesting problem, I don't think we really thought about this.
> In the broadest sense apple-user could be just about any unknown
> objectclass.
>
> If we *just* aim at migrating over POSIX information we can simply
> target the attributes we want and migrate those and ignore the rest.
> This might not be so nice for some users.
>
> Or we can try to run through the schema for every entry and delete
> objectclasses and attributes we know nothing about.
>
> Or we could do both, with the default setting perhaps to migrate the
> minimum with an --aggressive option perhaps?
>
> Or we could have a --objectclass option to list all the objectclasses
> to migrate.
>
> Or even better, perhaps we should have a --test mode where you can
> test the migration before actually having to move users over.
> Basically try to migrate one user and if successful delete it from IPA
> when done and, if unsuccessful report whatever errors were raised.

I like --test option.

But what is the problem? Do we not recognize the entries to pull in?

I suggest then to have a map file option. The contents of the map file
would then be:

[Objectclass]
userentryobjclass=...
groupentryobjclass=...

[UserMap]
= ...

[GroupMap]
= ...

This would allow to pull in even custom attributes if needed. It might
require new schema provided by the customer but if it is provided and
loaded then the migration of the custom attributes can happen.

Of course it is not something for 2.0.

>
> rob
>

-- 
Thank you,
Dmitri Pal

Sr. Engineering Manager IPA project,
Red Hat Inc.

-------------------------------
Looking to carve out IT costs?
www.redhat.com/carveoutcosts/

From ssorce at redhat.com Tue Jan 25 13:57:02 2011
From: ssorce at redhat.com (Simo Sorce)
Date: Tue, 25 Jan 2011 08:57:02 -0500
Subject: [Freeipa-devel] [PATCH] 0068 populate dua profile
In-Reply-To: <20110125082849.2430c8f7@willson.li.ssimo.org>
References: <20110122200823.6fc9a460@willson.li.ssimo.org> <4D3E9AD3.9090605@redhat.com> <20110125082849.2430c8f7@willson.li.ssimo.org>
Message-ID: <20110125085702.6958d61d@willson.li.ssimo.org>

On Tue, 25 Jan 2011 08:28:49 -0500
Simo Sorce wrote:

> On Tue, 25 Jan 2011 10:41:39 +0100
> Jakub Hrozek wrote:
>
> > On 01/23/2011 02:08 AM, Simo Sorce wrote:
> > > Ticket #820
> > >
> > > Simo.
> > >
> >
> > I think there's a bug in how the defaultServerList attribute is
> > cleaned up when a replica is deleted - it seems to remove the FQDN
> > of the host ipa-replica-manage del is run on. In
> > ReplicationManager.replica_cleanup() you call
> > srvlist.remove(self.hostname), should that be
> > srvlist.remove(replica)?
>
> Oh crap :-)
>
> Nice catch!
>
> Simo.
>

Ok this new patch should fix that.

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York

-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-simo-0068-2-Populate-shared-tree-with-replica-related-values.patch
Type: text/x-patch
Size: 3867 bytes

From ssorce at redhat.com Tue Jan 25 13:57:57 2011
From: ssorce at redhat.com (Simo Sorce)
Date: Tue, 25 Jan 2011 08:57:57 -0500
Subject: [Freeipa-devel] [PATCH] 0069 Add/Remove DNS records for replicas
In-Reply-To: <4D3DF7D9.8080908@redhat.com>
References: <20110122200938.18cc2038@willson.li.ssimo.org> <4D3DF7D9.8080908@redhat.com>
Message-ID: <20110125085757.7c5d5307@willson.li.ssimo.org>

On Mon, 24 Jan 2011 23:06:17 +0100
Jakub Hrozek wrote:

> On 01/23/2011 02:09 AM, Simo Sorce wrote:
> >
> > Do it always when the dns tree is available, even if the replica
> > being installed doesn't provide dns service itself.
> >
> > Ticket #824
> >
> > Simo.
> >
>
> I tried applying this on top of both origin/master and 068 but did
> not succeed. Can you rebase, please?

Rebased on top of the new 0068

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York

-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-simo-0068-2-Populate-shared-tree-with-replica-related-values.patch
Type: text/x-patch
Size: 3867 bytes

From ssorce at redhat.com Tue Jan 25 14:06:49 2011
From: ssorce at redhat.com (Simo Sorce)
Date: Tue, 25 Jan 2011 09:06:49 -0500
Subject: [Freeipa-devel] [PATCH] Unused value in initdefault_encoding_utf8
In-Reply-To: <1295945751.6727.2.camel@dhcp-25-52.brq.redhat.com>
References: <1295265612.8622.0.camel@dhcp-25-52.brq.redhat.com> <4D343281.3050409@redhat.com> <1295945751.6727.2.camel@dhcp-25-52.brq.redhat.com>
Message-ID: <20110125090649.09a3cc21@willson.li.ssimo.org>

On Tue, 25 Jan 2011 09:55:51 +0100
Martin Kosek wrote:

> On Mon, 2011-01-17 at 13:13 +0100, Jakub Hrozek wrote:
> > On 01/17/2011 01:00 PM, Martin Kosek wrote:
> > > There is no use for return value of Py_InitModule3. Removing it
> > > in this patch.
> > >
> > > https://fedorahosted.org/freeipa/ticket/710
> > >
> >
> > Ack
>
> Just a reminder that this patch is ready for push.

Pushed to master.

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York

From jzeleny at redhat.com Tue Jan 25 14:12:40 2011
From: jzeleny at redhat.com (Jan Zelený)
Date: Tue, 25 Jan 2011 15:12:40 +0100
Subject: [Freeipa-devel] [PATCH] Add flags to enforce asking for object attribute
Message-ID: <201101251512.40922.jzeleny@redhat.com>

So far the only way to enforce asking for parameter in interactive mode
was the alwaysask attribute, which is not sufficient any more. This patch
adds the ability to control during which actions the attribute shall be
asked for.

Jan

-------------- next part --------------
A non-text attachment was scrubbed...
Name: jzeleny-freeipa-0029-Add-flags-to-enforce-asking-for-object-attribute.patch
Type: text/x-patch
Size: 4723 bytes

From jhrozek at redhat.com Tue Jan 25 14:40:26 2011
From: jhrozek at redhat.com (Jakub Hrozek)
Date: Tue, 25 Jan 2011 15:40:26 +0100
Subject: [Freeipa-devel] [PATCH] 0069 Add/Remove DNS records for replicas
In-Reply-To: <20110125085757.7c5d5307@willson.li.ssimo.org>
References: <20110122200938.18cc2038@willson.li.ssimo.org> <4D3DF7D9.8080908@redhat.com> <20110125085757.7c5d5307@willson.li.ssimo.org>
Message-ID: <20110125144026.GA30498@zeppelin.brq.redhat.com>

On Tue, Jan 25, 2011 at 08:57:57AM -0500, Simo Sorce wrote:
> On Mon, 24 Jan 2011 23:06:17 +0100
> Jakub Hrozek wrote:
>
> > On 01/23/2011 02:09 AM, Simo Sorce wrote:
> > >
> > > Do it always when the dns tree is available, even if the replica
> > > being installed doesn't provide dns service itself.
> > >
> > > Ticket #824
> > >
> > > Simo.
> > >
> >
> > I tried applying this on top of both origin/master and 068 but did
> > not succeed. Can you rebase, please?
>
> Rebased on top of the new 0068
>
> Simo.
>

I think you attached the wrong patch - the attachment is 68-02, not 69.

Jakub

From ayoung at redhat.com Tue Jan 25 14:52:44 2011
From: ayoung at redhat.com (Adam Young) Date: Tue, 25 Jan 2011 09:52:44 -0500 Subject: [Freeipa-devel] [PATCH] admiyo-0159-unselected-facets Message-ID: <4D3EE3BC.1010408@redhat.com> -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-admiyo-0159-unselected-facets.patch Type: text/x-patch Size: 1080 bytes Desc: not available URL: From kybaker at redhat.com Tue Jan 25 14:52:33 2011 From: kybaker at redhat.com (Kyle Baker) Date: Tue, 25 Jan 2011 09:52:33 -0500 (EST) Subject: [Freeipa-devel] [PATCH] admiyo-0158-action-buttons-for-dns In-Reply-To: <4D3E43F6.1070102@redhat.com> Message-ID: <1498915762.121484.1295967153265.JavaMail.root@zmail05.collab.prod.int.phx2.redhat.com> ACK Looks good. ----- Original Message ----- > _______________________________________________ > Freeipa-devel mailing list > Freeipa-devel at redhat.com > https://www.redhat.com/mailman/listinfo/freeipa-devel -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-admiyo-0158-action-buttons-for-dns.patch Type: text/x-patch Size: 1039 bytes Desc: not available URL: From rcritten at redhat.com Tue Jan 25 14:55:00 2011 
From: rcritten at redhat.com (Rob Crittenden) Date: Tue, 25 Jan 2011 09:55:00 -0500 Subject: [Freeipa-devel] [PATCH] 029 Enforce uniqueness on (key, info) pairs in automount keys In-Reply-To: <4D3ECDD6.1030402@redhat.com> References: <4D0F5ED8.5000403@redhat.com> <4D0F6949.4020504@redhat.com> <4D2B30A1.5030303@redhat.com> <4D37FF29.2000006@redhat.com> <4D39BA72.8070205@redhat.com> <4D3C884B.9060805@redhat.com> <4D3E468E.9020805@redhat.com> <4D3ECDD6.1030402@redhat.com> Message-ID: <4D3EE444.7050403@redhat.com> Jakub Hrozek wrote: > -----BEGIN PGP SIGNED MESSAGE----- > Hash: SHA1 > > On 01/25/2011 04:42 AM, Rob Crittenden wrote: >> Jakub Hrozek wrote: >>> On 01/21/2011 05:55 PM, Rob Crittenden wrote: >>>> Jakub Hrozek wrote: >>>>> -----BEGIN PGP SIGNED MESSAGE----- >>>>> Hash: SHA1 >>>>> >>>>> On 01/10/2011 05:15 PM, Jakub Hrozek wrote: >>>>>> On 12/20/2010 03:33 PM, Jakub Hrozek wrote: >>>>>>> On 12/20/2010 02:49 PM, Jakub Hrozek wrote: >>>>>>>> Attached is a patch that changes the uniqueness constraint of >>>>>>>> automount >>>>>>>> keys from (key) to (key,info) pairs. The patch is not really >>>>>>>> standard >>>>>>>> baseldap style. The reason is that during development, I found that >>>>>>>> baseldap is really dependent on having a single primary key and also >>>>>>>> during many operations accessing it as keys[-1]. >>>>>> >>>>>>>> Please note that the ipa automountkey-* commands used to have three >>>>>>>> args, now its two args and two required options (that compose the >>>>>>>> tuple >>>>>>>> that is primary key). I know next to nothing about UI, but I assume >>>>>>>> this >>>>>>>> has consequences as the JSON marshalled call needs to be different >>>>>>>> now. >>>>>>>> Can someone point me to the place in code that I need to fix now? >>>>>> >>>>>>>> Fixes: >>>>>>>> https://fedorahosted.org/freeipa/ticket/293 >>>>>> >>>>>>> Sorry, I left some debugging statements in. Attached is a new patch. 
>>>>>> >>>>>> Attached is a patch that applies cleanly on top of origin/master. >>>> >>>> Can you provide some guidance on how to test this patch? >>>> >>>> thanks >>>> >>>> rob >>> >>> Sure: >>> >>> The main change to CLI is that both key and info must be provided. These >>> are put into the description attribute, at the same time this (key,info) >>> tuple is checked for uniqueness. >>> >>> The automount test is a good start for testing the patch. It also tests >>> a duplicate direct map. To test the duplicates manually: >>> >>> ipa automountlocation-add baltimore >>> ipa automountmap-add baltimore auto.direct2 >>> ipa automountkey-add baltimore auto.master --key=/- --info=auto.direct2 >>> ipa automountlocation-tofiles baltimore >>> >>> You should see something like: >>> /etc/auto.master: >>> /- /etc/auto.direct >>> /- /etc/auto.direct2 >>> --------------------------- >>> /etc/auto.direct: >>> --------------------------- >>> /etc/auto.direct2: >> >> Ack with two conditions and a question: >> >> Conditions: >> >> 1. Check with qe to see if they already have tests for automount. If >> they do we'll need to coordinate getting their tests updated. > > Jenny, I see you are in the CC list. Do you know? > >> 2. The samples in the command help don't use the --key argument, can you >> update them? > > Sorry, but I think the samples are OK. I just tried cut-n-pasting all of > them into the terminal and found one glitch (new patch that fixes just > that typo in help is attached), but all the ipa automountkey-* commands > list the --key parameter in help. > > Or do you mean something else than the output of ipa help automount? Ok, you're right. Time to get my eyes checked :-) If Jenny says ok then ack. rob > >> >> Question: >> >> Can you import multiple direct maps? >> > > Yes, just tested. If someone would like to test, please note that when > you create a new automount location, a direct map is created for the new > location by default. 
> This is how I imported a /etc/auto.master file with
> multiple direct maps:
>
> # create a new location
> ipa automountlocation-add testimport
> # remove the reference to the direct map from the auto.master map
> ipa automountkey-del testimport auto.master --key=/- --info=auto.direct
> # remove the auto.direct location
> ipa automountmap-del testimport auto.direct
> # import the new maps
> ipa automountlocation-import testimport /etc/auto.master
>
> My /etc/auto.master looks something like this:
> - -----
> /misc /etc/auto.misc
> /net -hosts
> /- /etc/auto.direct
> /- /etc/auto.direct2
> /home /etc/auto.home
> - -----
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.4.11 (GNU/Linux)
> Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org/
>
> iEYEARECAAYFAk0+zdYACgkQHsardTLnvCVL/ACghLxen44ZZv+qIFBm6Cz3cinM
> oMEAoLAAUtCKnxDlUHKtpyMvg75Zq/Iq
> =7MbL
> -----END PGP SIGNATURE-----

From kybaker at redhat.com Tue Jan 25 14:57:06 2011
From: kybaker at redhat.com (Kyle Baker)
Date: Tue, 25 Jan 2011 09:57:06 -0500 (EST)
Subject: [Freeipa-devel] [PATCH] admiyo-0157-aci-attribute-table-two-columns.patc
In-Reply-To: <4D3E41EE.1070401@redhat.com>
Message-ID: <1105297153.121600.1295967426426.JavaMail.root@zmail05.collab.prod.int.phx2.redhat.com>

ACK Looks good.

----- Original Message -----
> _______________________________________________
> Freeipa-devel mailing list
> Freeipa-devel at redhat.com
> https://www.redhat.com/mailman/listinfo/freeipa-devel

-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-admiyo-0157-aci-attribute-table-two-columns.patch
Type: text/x-patch
Size: 2937 bytes
Desc: not available
URL:

From kybaker at redhat.com Tue Jan 25 14:58:52 2011
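The (key, info) uniqueness rule discussed in the automount thread above can be checked offline. The following Python is an added example, not FreeIPA code and not the patch under review: it parses a constructed auto.master modelled on the one Jakub quoted and imports it under the old key-only constraint and under the new (key, info) constraint, showing that only the latter accepts two `/-` direct maps while still rejecting an exact duplicate. The AutomountMap class and the import_map and to_files helpers are constructed for this illustration; in FreeIPA the pair is stored in the entry's description attribute, which this in-memory model does not reproduce.

```python
"""Added example: why automount keys must be unique on (key, info), not on key alone."""
from typing import List, Set, Tuple, Union

# Constructed sample, modelled on the auto.master quoted in the thread above.
SAMPLE_AUTO_MASTER = """\
# constructed sample auto.master
/misc /etc/auto.misc
/net  -hosts
/-    /etc/auto.direct
/-    /etc/auto.direct2
/home /etc/auto.home
"""


def parse_auto_master(text: str) -> List[Tuple[str, str]]:
    """Return (key, info) pairs from an auto.master-style map.

    'key' is the mount point ('/-' for a direct map); 'info' is the rest of
    the line, i.e. the map source plus any mount options.
    """
    entries: List[Tuple[str, str]] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # skip blank lines and comments
        parts = line.split(None, 1)
        if len(parts) != 2:
            raise ValueError(f"malformed automount entry: {raw!r}")
        entries.append((parts[0], parts[1].strip()))
    return entries


class DuplicateEntry(Exception):
    """Raised when an entry violates the map's uniqueness rule."""


class AutomountMap:
    """In-memory map that mimics either a (key) or a (key, info) uniqueness constraint."""

    def __init__(self, unique_on_info: bool) -> None:
        self.unique_on_info = unique_on_info
        self.entries: List[Tuple[str, str]] = []
        self._seen: Set[Union[str, Tuple[str, str]]] = set()

    def add(self, key: str, info: str) -> None:
        # Old behaviour: identity is the key alone, so a second '/-' collides.
        # New behaviour: identity is the (key, info) tuple.
        ident = (key, info) if self.unique_on_info else key
        if ident in self._seen:
            raise DuplicateEntry(f"duplicate automount key {ident!r}")
        self._seen.add(ident)
        self.entries.append((key, info))


def import_map(text: str, unique_on_info: bool) -> Tuple[List[Tuple[str, str]], List[str]]:
    """Import every entry of an auto.master; return (accepted, rejected-reasons)."""
    amap = AutomountMap(unique_on_info)
    rejected: List[str] = []
    for key, info in parse_auto_master(text):
        try:
            amap.add(key, info)
        except DuplicateEntry as exc:
            rejected.append(str(exc))
    return amap.entries, rejected


def to_files(entries: List[Tuple[str, str]]) -> str:
    """Render accepted entries the way automountlocation-tofiles prints the master map."""
    return "\n".join(f"{key} {info}" for key, info in entries)


if __name__ == "__main__":
    for unique_on_info in (False, True):
        accepted, rejected = import_map(SAMPLE_AUTO_MASTER, unique_on_info)
        print(f"uniqueness on {'(key, info)' if unique_on_info else 'key'}:")
        print(to_files(accepted))
        for reason in rejected:
            print("  rejected:", reason)
```

Under the key-only rule the second direct map is the rejected line; under the (key, info) rule the whole file imports, which is the behaviour the patch is meant to provide.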
From: kybaker at redhat.com (Kyle Baker)
Date: Tue, 25 Jan 2011 09:58:52 -0500 (EST)
Subject: [Freeipa-devel] [PATCH] admiyo-0156-remove-icons-from-association-buttons.
In-Reply-To: <4D3E3D2E.7070707@redhat.com>
Message-ID: <2047426513.121648.1295967532111.JavaMail.root@zmail05.collab.prod.int.phx2.redhat.com>

ACK Looks good.

----- Original Message -----
> _______________________________________________
> Freeipa-devel mailing list
> Freeipa-devel at redhat.com
> https://www.redhat.com/mailman/listinfo/freeipa-devel

-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-admiyo-0156-remove-icons-from-association-buttons.patch
Type: text/x-patch
Size: 1133 bytes
Desc: not available
URL:

From rcritten at redhat.com Tue Jan 25 15:08:41 2011
From: rcritten at redhat.com (Rob Crittenden)
Date: Tue, 25 Jan 2011 10:08:41 -0500
Subject: [Freeipa-devel] [PATCH] Add flags to enforce asking for object attribute
In-Reply-To: <201101251512.40922.jzeleny@redhat.com>
References: <201101251512.40922.jzeleny@redhat.com>
Message-ID: <4D3EE779.9050508@redhat.com>

Jan Zelený wrote:
> So far the only way to enforce asking for a parameter in interactive mode was
> the alwaysask attribute, which is not sufficient any more. This patch adds the
> ability to control during which actions the attribute shall be asked for.
>
> Jan

nack, this doesn't address the interactive part in ipalib/cli.py.

rob

From jhrozek at redhat.com Tue Jan 25 15:19:56 2011
From: jhrozek at redhat.com (Jakub Hrozek)
Date: Tue, 25 Jan 2011 16:19:56 +0100
Subject: [Freeipa-devel] [PATCH] 0068 populate dua profile
In-Reply-To: <20110125085702.6958d61d@willson.li.ssimo.org>
References: <20110122200823.6fc9a460@willson.li.ssimo.org> <4D3E9AD3.9090605@redhat.com> <20110125082849.2430c8f7@willson.li.ssimo.org> <20110125085702.6958d61d@willson.li.ssimo.org>
Message-ID: <20110125151956.GB30498@zeppelin.brq.redhat.com>

On Tue, Jan 25, 2011 at 08:57:02AM -0500, Simo Sorce wrote:
> On Tue, 25 Jan 2011 08:28:49 -0500
> Simo Sorce wrote:
>
> > On Tue, 25 Jan 2011 10:41:39 +0100
> > Jakub Hrozek wrote:
> >
> > > -----BEGIN PGP SIGNED MESSAGE-----
> > > Hash: SHA1
> > >
> > > On 01/23/2011 02:08 AM, Simo Sorce wrote:
> > > > Ticket #820
> > > >
> > > > Simo.
> > > >
> > >
> > > I think there's a bug in how the defaultServerList attribute is
> > > cleaned up when a replica is deleted - it seems to remove the FQDN
> > > of the host ipa-replica-manage del is run on. In
> > > ReplicationManager.replica_cleanup() you call
> > > srvlist.remove(self.hostname), should that be
> > > srvlist.remove(replica) ?
> >
> > Oh crap :-)
> >
> > Nice catch!
> >
> > Simo.
> >
>
> Ok this new patch should fix that.
>

Ack

From pzuna at redhat.com Tue Jan 25 15:31:18 2011
From: pzuna at redhat.com (Pavel Zuna)
Date: Tue, 25 Jan 2011 16:31:18 +0100
Subject: [Freeipa-devel] [PATCH] Add ldap2 method to retrieve allowed attributes for specified objectClasses.
Message-ID: <4D3EECC6.4040807@redhat.com>

ldap2.get_allowed_attributes(['posixuser']) returns a list of unicode, all lower case attribute names allowed for the object class 'posixuser'. You can enter as many object classes as you want.

Pavel

-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-pzuna-64-getallowattrs.patch
Type: text/x-patch
Size: 2464 bytes
Desc: not available
URL:

From pzuna at redhat.com Tue Jan 25 15:32:36 2011
From: pzuna at redhat.com (Pavel Zuna)
Date: Tue, 25 Jan 2011 16:32:36 +0100
Subject: [Freeipa-devel] [PATCH] Raise ValidationError when adding unallowed attribute to search fields.
Message-ID: <4D3EED14.1000208@redhat.com>

Depends on my previous patch number 64 (posted on the list 2 minutes ago).

Ticket #845

Pavel

-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-pzuna-65-searchfields.patch
Type: text/x-patch
Size: 1561 bytes
Desc: not available
URL:

From ssorce at redhat.com Tue Jan 25 15:36:49 2011
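Pavel's two patches above (64 and 65) describe a schema-derived lookup and a validation rule built on it. As an added example, and not FreeIPA's ldap2 implementation, the Python below models how such a lookup works: it walks a constructed subset of the standard LDAP schema (following each object class's SUP chain), collects every MUST and MAY attribute, lower-cases the names as Pavel's message describes, and then rejects search fields outside that set with a ValidationError. The ObjectClass model, the schema subset, SchemaError and validate_search_fields are assumptions made for this illustration; the real method reads the schema from the directory server, and the class used here is the standard posixAccount rather than the 'posixuser' of Pavel's example.

```python
"""Added example: attributes allowed by a set of LDAP object classes, and a
validation of search fields against that set (a model, not FreeIPA's ldap2)."""
from typing import Dict, Iterable, List, Set


class ObjectClass:
    """Minimal model of an LDAP object class definition: SUP, MUST and MAY lists."""

    def __init__(self, name: str, sup: Iterable[str] = (),
                 must: Iterable[str] = (), may: Iterable[str] = ()) -> None:
        self.name = name
        self.sup = tuple(sup)
        self.must = tuple(must)
        self.may = tuple(may)


# Constructed subset of the standard schema (RFC 4519 / RFC 2307 classes), large
# enough to show inheritance; the attribute lists are illustrative, not exhaustive.
SCHEMA: Dict[str, ObjectClass] = {oc.name.lower(): oc for oc in [
    ObjectClass("top", must=["objectClass"]),
    ObjectClass("person", sup=["top"], must=["sn", "cn"],
                may=["userPassword", "telephoneNumber", "description"]),
    ObjectClass("organizationalPerson", sup=["person"], may=["title", "ou", "l"]),
    ObjectClass("inetOrgPerson", sup=["organizationalPerson"],
                may=["mail", "uid", "givenName", "displayName"]),
    ObjectClass("posixAccount", sup=["top"],
                must=["cn", "uid", "uidNumber", "gidNumber", "homeDirectory"],
                may=["loginShell", "gecos", "description"]),
]}


class SchemaError(ValueError):
    """An object class name that the schema does not define."""


class ValidationError(ValueError):
    """Stand-in for the error the patch raises on an unallowed search field."""


def get_allowed_attributes(objectclasses: Iterable[str],
                           schema: Dict[str, ObjectClass] = SCHEMA) -> List[str]:
    """Return sorted, lower-cased names of every attribute (MUST or MAY) that the
    given object classes, or any class they inherit from, permit."""
    allowed: Set[str] = set()
    seen: Set[str] = set()
    stack = [oc.lower() for oc in objectclasses]   # lookup is case-insensitive
    while stack:
        name = stack.pop()
        if name in seen:
            continue                                # diamond inheritance is harmless
        seen.add(name)
        oc = schema.get(name)
        if oc is None:
            raise SchemaError(f"unknown object class: {name}")
        allowed.update(a.lower() for a in oc.must + oc.may)
        stack.extend(s.lower() for s in oc.sup)     # continue up the SUP chain
    return sorted(allowed)


def validate_search_fields(fields: Iterable[str], objectclasses: Iterable[str],
                           schema: Dict[str, ObjectClass] = SCHEMA) -> List[str]:
    """Accept only search fields the object classes allow; return them lower-cased.

    Rejecting unknown attributes up front keeps a typo in a search-fields setting
    from silently producing searches that can never match anything.
    """
    allowed = set(get_allowed_attributes(objectclasses, schema))
    wanted = [f.lower() for f in fields]
    bad = [f for f in wanted if f not in allowed]
    if bad:
        raise ValidationError(
            f"attribute(s) {', '.join(bad)} not allowed for object classes "
            f"{', '.join(objectclasses)}")
    return wanted


if __name__ == "__main__":
    print(get_allowed_attributes(["inetOrgPerson", "posixAccount"]))
    print(validate_search_fields(["uid", "Mail"], ["inetOrgPerson"]))
```

Passing several classes unions their attribute sets, which is what Pavel's "as many object classes as you want" amounts to; a class not in the schema is an error rather than an empty result, so a misspelled class cannot silently disable validation.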
From: ssorce at redhat.com (Simo Sorce) Date: Tue, 25 Jan 2011 10:36:49 -0500 Subject: [Freeipa-devel] [PATCH] 0069 Add/Remove DNS records for replicas In-Reply-To: <20110125144026.GA30498@zeppelin.brq.redhat.com> References: <20110122200938.18cc2038@willson.li.ssimo.org> <4D3DF7D9.8080908@redhat.com> <20110125085757.7c5d5307@willson.li.ssimo.org> <20110125144026.GA30498@zeppelin.brq.redhat.com> Message-ID: <20110125103649.15768503@willson.li.ssimo.org> On Tue, 25 Jan 2011 15:40:26 +0100 Jakub Hrozek wrote: > On Tue, Jan 25, 2011 at 08:57:57AM -0500, Simo Sorce wrote: > > On Mon, 24 Jan 2011 23:06:17 +0100 > > Jakub Hrozek wrote: > > > > > On 01/23/2011 02:09 AM, Simo Sorce wrote: > > > > > > > > Do it always when the dns tree is available, even if the replica > > > > being installed doesn't provide dns service itself. > > > > > > > > Ticket #824 > > > > > > > > Simo. > > > > > > > > > > I tried applying this on top of both origin/master and 068 but did > > > not succeed. Can you rebase, please? > > > > Rebased on top of the new 0068 > > > > Simo. > > > > I think you attached the wrong patch - the attachment is 68-02, not > 69. Sigh. Right one attached now. Simo. -- Simo Sorce * Red Hat, Inc * New York -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-simo-0069-2-Always-add-DNS-records-when-installing-a-replica.patch Type: text/x-patch Size: 7114 bytes Desc: not available URL: From rcritten at redhat.com Tue Jan 25 16:06:01 2011 
From: rcritten at redhat.com (Rob Crittenden)
Date: Tue, 25 Jan 2011 11:06:01 -0500
Subject: [Freeipa-devel] [PATCH] 692 fix rpmlint warnings
Message-ID: <4D3EF4E9.8030708@redhat.com>

I did some specfile clean up in preparation for proposing this as a package for Fedora 15.

ticket 804.

rob

-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-rcrit-692-spec.patch
Type: text/x-patch
Size: 6322 bytes
Desc: not available
URL:

From ssorce at redhat.com Tue Jan 25 16:09:46 2011
From: ssorce at redhat.com (Simo Sorce) Date: Tue, 25 Jan 2011 11:09:46 -0500 Subject: [Freeipa-devel] [PATCH] 0069 Add/Remove DNS records for replicas In-Reply-To: <20110125103649.15768503@willson.li.ssimo.org> References: <20110122200938.18cc2038@willson.li.ssimo.org> <4D3DF7D9.8080908@redhat.com> <20110125085757.7c5d5307@willson.li.ssimo.org> <20110125144026.GA30498@zeppelin.brq.redhat.com> <20110125103649.15768503@willson.li.ssimo.org> Message-ID: <20110125110946.392a9374@willson.li.ssimo.org> On Tue, 25 Jan 2011 10:36:49 -0500 Simo Sorce wrote: > On Tue, 25 Jan 2011 15:40:26 +0100 > Jakub Hrozek wrote: > > > On Tue, Jan 25, 2011 at 08:57:57AM -0500, Simo Sorce wrote: > > > On Mon, 24 Jan 2011 23:06:17 +0100 > > > Jakub Hrozek wrote: > > > > > > > On 01/23/2011 02:09 AM, Simo Sorce wrote: > > > > > > > > > > Do it always when the dns tree is available, even if the > > > > > replica being installed doesn't provide dns service itself. > > > > > > > > > > Ticket #824 > > > > > > > > > > Simo. > > > > > > > > > > > > > I tried applying this on top of both origin/master and 068 but > > > > did not succeed. Can you rebase, please? > > > > > > Rebased on top of the new 0068 > > > > > > Simo. > > > > > > > I think you attached the wrong patch - the attachment is 68-02, not > > 69. > > Sigh. > Right one attached now. > > Simo. > Rebased once again leaving only 0068 on top of master. Simo. -- Simo Sorce * Red Hat, Inc * New York -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-simo-0069-3-Always-add-DNS-records-when-installing-a-replica.patch Type: text/x-patch Size: 7105 bytes Desc: not available URL: From rcritten at redhat.com Tue Jan 25 16:13:41 2011 
From: rcritten at redhat.com (Rob Crittenden) Date: Tue, 25 Jan 2011 11:13:41 -0500 Subject: [Freeipa-devel] [PATCH] 029 Enforce uniqueness on (key, info) pairs in automount keys In-Reply-To: <4D3EE444.7050403@redhat.com> References: <4D0F5ED8.5000403@redhat.com> <4D0F6949.4020504@redhat.com> <4D2B30A1.5030303@redhat.com> <4D37FF29.2000006@redhat.com> <4D39BA72.8070205@redhat.com> <4D3C884B.9060805@redhat.com> <4D3E468E.9020805@redhat.com> <4D3ECDD6.1030402@redhat.com> <4D3EE444.7050403@redhat.com> Message-ID: <4D3EF6B5.7000005@redhat.com> Rob Crittenden wrote: > Jakub Hrozek wrote: >> -----BEGIN PGP SIGNED MESSAGE----- >> Hash: SHA1 >> >> On 01/25/2011 04:42 AM, Rob Crittenden wrote: >>> Jakub Hrozek wrote: >>>> On 01/21/2011 05:55 PM, Rob Crittenden wrote: >>>>> Jakub Hrozek wrote: >>>>>> -----BEGIN PGP SIGNED MESSAGE----- >>>>>> Hash: SHA1 >>>>>> >>>>>> On 01/10/2011 05:15 PM, Jakub Hrozek wrote: >>>>>>> On 12/20/2010 03:33 PM, Jakub Hrozek wrote: >>>>>>>> On 12/20/2010 02:49 PM, Jakub Hrozek wrote: >>>>>>>>> Attached is a patch that changes the uniqueness constraint of >>>>>>>>> automount >>>>>>>>> keys from (key) to (key,info) pairs. The patch is not really >>>>>>>>> standard >>>>>>>>> baseldap style. The reason is that during development, I found >>>>>>>>> that >>>>>>>>> baseldap is really dependent on having a single primary key and >>>>>>>>> also >>>>>>>>> during many operations accessing it as keys[-1]. >>>>>>> >>>>>>>>> Please note that the ipa automountkey-* commands used to have >>>>>>>>> three >>>>>>>>> args, now its two args and two required options (that compose the >>>>>>>>> tuple >>>>>>>>> that is primary key). I know next to nothing about UI, but I >>>>>>>>> assume >>>>>>>>> this >>>>>>>>> has consequences as the JSON marshalled call needs to be different >>>>>>>>> now. >>>>>>>>> Can someone point me to the place in code that I need to fix now? 
>>>>>>> >>>>>>>>> Fixes: >>>>>>>>> https://fedorahosted.org/freeipa/ticket/293 >>>>>>> >>>>>>>> Sorry, I left some debugging statements in. Attached is a new >>>>>>>> patch. >>>>>>> >>>>>>> Attached is a patch that applies cleanly on top of origin/master. >>>>> >>>>> Can you provide some guidance on how to test this patch? >>>>> >>>>> thanks >>>>> >>>>> rob >>>> >>>> Sure: >>>> >>>> The main change to CLI is that both key and info must be provided. >>>> These >>>> are put into the description attribute, at the same time this >>>> (key,info) >>>> tuple is checked for uniqueness. >>>> >>>> The automount test is a good start for testing the patch. It also tests >>>> a duplicate direct map. To test the duplicates manually: >>>> >>>> ipa automountlocation-add baltimore >>>> ipa automountmap-add baltimore auto.direct2 >>>> ipa automountkey-add baltimore auto.master --key=/- --info=auto.direct2 >>>> ipa automountlocation-tofiles baltimore >>>> >>>> You should see something like: >>>> /etc/auto.master: >>>> /- /etc/auto.direct >>>> /- /etc/auto.direct2 >>>> --------------------------- >>>> /etc/auto.direct: >>>> --------------------------- >>>> /etc/auto.direct2: >>> >>> Ack with two conditions and a question: >>> >>> Conditions: >>> >>> 1. Check with qe to see if they already have tests for automount. If >>> they do we'll need to coordinate getting their tests updated. >> >> Jenny, I see you are in the CC list. Do you know? >> >>> 2. The samples in the command help don't use the --key argument, can you >>> update them? >> >> Sorry, but I think the samples are OK. I just tried cut-n-pasting all of >> them into the terminal and found one glitch (new patch that fixes just >> that typo in help is attached), but all the ipa automountkey-* commands >> list the --key parameter in help. >> >> Or do you mean something else than the output of ipa help automount? > > Ok, you're right. Time to get my eyes checked :-) > > If Jenny says ok then ack. 
> > rob > >> >>> >>> Question: >>> >>> Can you import multiple direct maps? >>> >> >> Yes, just tested. If someone would like to test, please note that when >> you create a new automount location, a direct map is created for the new >> location by default. This is how I imported a /etc/auto.master file with >> multiple direct maps: >> >> # create a new location >> ipa automountlocation-add testimport >> # remove the reference to the direct map from the auto.master map >> ipa automountkey-del testimport auto.master --key=/- --info=auto.direct >> # remove the auto.direct location >> ipa automountmap-del testimport auto.direct >> # import the new maps >> ipa automountlocation-import testimport /etc/auto.master >> >> My /etc/auto.master looks something like this: >> - ----- >> /misc /etc/auto.misc >> /net -hosts >> /- /etc/auto.direct >> /- /etc/auto.direct2 >> /home /etc/auto.home >> - ----- Jenny says ok, pushed to master rob From ayoung at redhat.com Tue Jan 25 16:38:34 2011 From: ayoung at redhat.com (Adam Young) Date: Tue, 25 Jan 2011 11:38:34 -0500 Subject: [Freeipa-devel] [PATCH] admiyo-0160-action-panel-select-for-multiple-entities Message-ID: <4D3EFC8A.60606@redhat.com> -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-admiyo-0160-action-panel-select-for-multiple-entities.patch Type: text/x-patch Size: 2880 bytes Desc: not available URL: From jhrozek at redhat.com Tue Jan 25 16:47:49 2011 
From: jhrozek at redhat.com (Jakub Hrozek) Date: Tue, 25 Jan 2011 17:47:49 +0100 Subject: [Freeipa-devel] [PATCH] 0069 Add/Remove DNS records for replicas In-Reply-To: <20110125110946.392a9374@willson.li.ssimo.org> References: <20110122200938.18cc2038@willson.li.ssimo.org> <4D3DF7D9.8080908@redhat.com> <20110125085757.7c5d5307@willson.li.ssimo.org> <20110125144026.GA30498@zeppelin.brq.redhat.com> <20110125103649.15768503@willson.li.ssimo.org> <20110125110946.392a9374@willson.li.ssimo.org> Message-ID: <20110125164749.GA20554@zeppelin.brq.redhat.com> On Tue, Jan 25, 2011 at 11:09:46AM -0500, Simo Sorce wrote: > On Tue, 25 Jan 2011 10:36:49 -0500 > Simo Sorce wrote: > > > On Tue, 25 Jan 2011 15:40:26 +0100 > > Jakub Hrozek wrote: > > > > > On Tue, Jan 25, 2011 at 08:57:57AM -0500, Simo Sorce wrote: > > > > On Mon, 24 Jan 2011 23:06:17 +0100 > > > > Jakub Hrozek wrote: > > > > > > > > > On 01/23/2011 02:09 AM, Simo Sorce wrote: > > > > > > > > > > > > Do it always when the dns tree is available, even if the > > > > > > replica being installed doesn't provide dns service itself. > > > > > > > > > > > > Ticket #824 > > > > > > > > > > > > Simo. > > > > > > > > > > > > > > > > I tried applying this on top of both origin/master and 068 but > > > > > did not succeed. Can you rebase, please? > > > > > > > > Rebased on top of the new 0068 > > > > > > > > Simo. > > > > > > > > > > I think you attached the wrong patch - the attachment is 68-02, not > > > 69. > > > > Sigh. > > Right one attached now. > > > > Simo. > > > > Rebased once again leaving only 0068 on top of master. > > Simo. > > -- > Simo Sorce * Red Hat, Inc * New York Adding DNS records works fine with or without Bind, but removing does not work - you need to import api from ipalib - currently it's just undefined symbol in ipa-replica-manage. I suspect you'll also need to call api.bootstrap() and api.finalize() for the LDAP module to work. Jakub From ssorce at redhat.com Tue Jan 25 16:59:22 2011 
From: ssorce at redhat.com (Simo Sorce) Date: Tue, 25 Jan 2011 11:59:22 -0500 Subject: [Freeipa-devel] [PATCH] 0069 Add/Remove DNS records for replicas In-Reply-To: <20110125164749.GA20554@zeppelin.brq.redhat.com> References: <20110122200938.18cc2038@willson.li.ssimo.org> <4D3DF7D9.8080908@redhat.com> <20110125085757.7c5d5307@willson.li.ssimo.org> <20110125144026.GA30498@zeppelin.brq.redhat.com> <20110125103649.15768503@willson.li.ssimo.org> <20110125110946.392a9374@willson.li.ssimo.org> <20110125164749.GA20554@zeppelin.brq.redhat.com> Message-ID: <20110125115922.7372068a@willson.li.ssimo.org> On Tue, 25 Jan 2011 17:47:49 +0100 Jakub Hrozek wrote: > On Tue, Jan 25, 2011 at 11:09:46AM -0500, Simo Sorce wrote: > > On Tue, 25 Jan 2011 10:36:49 -0500 > > Simo Sorce wrote: > > > > > On Tue, 25 Jan 2011 15:40:26 +0100 > > > Jakub Hrozek wrote: > > > > > > > On Tue, Jan 25, 2011 at 08:57:57AM -0500, Simo Sorce wrote: > > > > > On Mon, 24 Jan 2011 23:06:17 +0100 > > > > > Jakub Hrozek wrote: > > > > > > > > > > > On 01/23/2011 02:09 AM, Simo Sorce wrote: > > > > > > > > > > > > > > Do it always when the dns tree is available, even if the > > > > > > > replica being installed doesn't provide dns service > > > > > > > itself. > > > > > > > > > > > > > > Ticket #824 > > > > > > > > > > > > > > Simo. > > > > > > > > > > > > > > > > > > > I tried applying this on top of both origin/master and 068 > > > > > > but did not succeed. Can you rebase, please? > > > > > > > > > > Rebased on top of the new 0068 > > > > > > > > > > Simo. > > > > > > > > > > > > > I think you attached the wrong patch - the attachment is 68-02, > > > > not 69. > > > > > > Sigh. > > > Right one attached now. > > > > > > Simo. > > > > > > > Rebased once again leaving only 0068 on top of master. > > > > Simo. 
> >
> > --
> > Simo Sorce * Red Hat, Inc * New York
>
> Adding DNS records works fine with or without Bind, but removing does
> not work - you need to import api from ipalib - currently it's just
> undefined symbol in ipa-replica-manage. I suspect you'll also need to
> call api.bootstrap() and api.finalize() for the LDAP module to work.

Ha now, I know what happened, the other patch I had in the tree is what
adds api and all, and that's why I guess you couldn't apply.
All my tests about removal passed but I had that other patch in the
tree too.

Let me rebase and steal those changes from my other patch and resubmit.

Simo.

--
Simo Sorce * Red Hat, Inc * New York

From ssorce at redhat.com Tue Jan 25 17:05:07 2011
From: ssorce at redhat.com (Simo Sorce)
Date: Tue, 25 Jan 2011 12:05:07 -0500
Subject: [Freeipa-devel] [PATCH] 0072 Fix regressions in setting up winsync agreements
Message-ID: <20110125120507.2dd11043@willson.li.ssimo.org>

Some basic fixes to winsync replication setups.
Depends on 0069-4

Ticket #807

--
Simo Sorce * Red Hat, Inc * New York

From ssorce at redhat.com Tue Jan 25 17:05:32 2011
From: ssorce at redhat.com (Simo Sorce) Date: Tue, 25 Jan 2011 12:05:32 -0500 Subject: [Freeipa-devel] [PATCH] 0069 Add/Remove DNS records for replicas In-Reply-To: <20110125115922.7372068a@willson.li.ssimo.org> References: <20110122200938.18cc2038@willson.li.ssimo.org> <4D3DF7D9.8080908@redhat.com> <20110125085757.7c5d5307@willson.li.ssimo.org> <20110125144026.GA30498@zeppelin.brq.redhat.com> <20110125103649.15768503@willson.li.ssimo.org> <20110125110946.392a9374@willson.li.ssimo.org> <20110125164749.GA20554@zeppelin.brq.redhat.com> <20110125115922.7372068a@willson.li.ssimo.org> Message-ID: <20110125120532.76e6e3b0@willson.li.ssimo.org> On Tue, 25 Jan 2011 11:59:22 -0500 Simo Sorce wrote: > On Tue, 25 Jan 2011 17:47:49 +0100 > Jakub Hrozek wrote: > > > On Tue, Jan 25, 2011 at 11:09:46AM -0500, Simo Sorce wrote: > > > On Tue, 25 Jan 2011 10:36:49 -0500 > > > Simo Sorce wrote: > > > > > > > On Tue, 25 Jan 2011 15:40:26 +0100 > > > > Jakub Hrozek wrote: > > > > > > > > > On Tue, Jan 25, 2011 at 08:57:57AM -0500, Simo Sorce wrote: > > > > > > On Mon, 24 Jan 2011 23:06:17 +0100 > > > > > > Jakub Hrozek wrote: > > > > > > > > > > > > > On 01/23/2011 02:09 AM, Simo Sorce wrote: > > > > > > > > > > > > > > > > Do it always when the dns tree is available, even if the > > > > > > > > replica being installed doesn't provide dns service > > > > > > > > itself. > > > > > > > > > > > > > > > > Ticket #824 > > > > > > > > > > > > > > > > Simo. > > > > > > > > > > > > > > > > > > > > > > I tried applying this on top of both origin/master and 068 > > > > > > > but did not succeed. Can you rebase, please? > > > > > > > > > > > > Rebased on top of the new 0068 > > > > > > > > > > > > Simo. > > > > > > > > > > > > > > > > I think you attached the wrong patch - the attachment is > > > > > 68-02, not 69. > > > > > > > > Sigh. > > > > Right one attached now. > > > > > > > > Simo. > > > > > > > > > > Rebased once again leaving only 0068 on top of master. > > > > > > Simo. 
> > >
> > > --
> > > Simo Sorce * Red Hat, Inc * New York
> >
> > Adding DNS records works fine with or without Bind, but removing
> > does not work - you need to import api from ipalib - currently
> > it's just undefined symbol in ipa-replica-manage. I suspect you'll
> > also need to call api.bootstrap() and api.finalize() for the LDAP
> > module to work.
>
> Ha now, I know what happened, the other patch I had in the tree is what
> adds api and all, and that's why I guess you couldn't apply.
> All my tests about removal passed but I had that other patch in the
> tree too.
>
> Let me rebase and steal those changes from my other patch and
> resubmit.
>
> Simo.
>

New patch attached.

Simo.

--
Simo Sorce * Red Hat, Inc * New York

-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-simo-0069-4-Always-add-DNS-records-when-installing-a-replica.patch
Type: text/x-patch
Size: 7562 bytes
Desc: not available
URL:

From ssorce at redhat.com Tue Jan 25 17:10:05 2011
From: ssorce at redhat.com (Simo Sorce) Date: Tue, 25 Jan 2011 12:10:05 -0500 Subject: [Freeipa-devel] [PATCH] 0068 populate dua profile In-Reply-To: <20110125151956.GB30498@zeppelin.brq.redhat.com> References: <20110122200823.6fc9a460@willson.li.ssimo.org> <4D3E9AD3.9090605@redhat.com> <20110125082849.2430c8f7@willson.li.ssimo.org> <20110125085702.6958d61d@willson.li.ssimo.org> <20110125151956.GB30498@zeppelin.brq.redhat.com> Message-ID: <20110125121005.384dc2f1@willson.li.ssimo.org> On Tue, 25 Jan 2011 16:19:56 +0100 Jakub Hrozek wrote: > On Tue, Jan 25, 2011 at 08:57:02AM -0500, Simo Sorce wrote: > > On Tue, 25 Jan 2011 08:28:49 -0500 > > Simo Sorce wrote: > > > > > On Tue, 25 Jan 2011 10:41:39 +0100 > > > Jakub Hrozek wrote: > > > > > > > -----BEGIN PGP SIGNED MESSAGE----- > > > > Hash: SHA1 > > > > > > > > On 01/23/2011 02:08 AM, Simo Sorce wrote: > > > > > Ticket #820 > > > > > > > > > > Simo. > > > > > > > > > > > > > > > > > > I think there's a bug in how the defaultServerList attribute is > > > > cleaned up when a replica is deleted - it seems to remove the > > > > FQDN of the host ipa-replica-manage del is run. In > > > > ReplicationManager.replica_cleanup() you call > > > > srvlist.remove(self.hostname), should that be > > > > srvlist.remove(replica) ? > > > > > > Oh crap :-) > > > > > > Nice catch! > > > > > > Simo. > > > > > > > > > > Ok this new patch should fix that. > > > > Ack Pushed to master. Simo. -- Simo Sorce * Red Hat, Inc * New York From ssorce at redhat.com Tue Jan 25 17:11:01 2011 
From: ssorce at redhat.com (Simo Sorce)
Date: Tue, 25 Jan 2011 12:11:01 -0500
Subject: [Freeipa-devel] [PATCH] 0072 Fix regressions in setting up winsync agreements
In-Reply-To: <20110125120507.2dd11043@willson.li.ssimo.org>
References: <20110125120507.2dd11043@willson.li.ssimo.org>
Message-ID: <20110125121101.4525f5f1@willson.li.ssimo.org>

On Tue, 25 Jan 2011 12:05:07 -0500
Simo Sorce wrote:

>
> Some basic fixes to winsync replication setups.
> Depends on 0069-4
>
> Ticket #807

With the actual patch :)

--
Simo Sorce * Red Hat, Inc * New York

-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-simo-0072-Fix-ipa-replica-manage-regressions-with-winsync.patch
Type: text/x-patch
Size: 2387 bytes
Desc: not available
URL:

From jhrozek at redhat.com Tue Jan 25 17:28:15 2011
From: jhrozek at redhat.com (Jakub Hrozek)
Date: Tue, 25 Jan 2011 18:28:15 +0100
Subject: [Freeipa-devel] [PATCH] 692 fix rpmlint warnings
In-Reply-To: <4D3EF4E9.8030708@redhat.com>
References: <4D3EF4E9.8030708@redhat.com>
Message-ID: <20110125172814.GA31077@zeppelin.brq.redhat.com>

On Tue, Jan 25, 2011 at 11:06:01AM -0500, Rob Crittenden wrote:
> I did some specfile clean up in preparation for proposing this as a
> package for Fedora 15.
>
> ticket 804.
>
> rob

Ack

From ayoung at redhat.com Tue Jan 25 17:43:52 2011
From: ayoung at redhat.com (Adam Young) Date: Tue, 25 Jan 2011 12:43:52 -0500 Subject: [Freeipa-devel] [PATCH] admiyo-0160-action-panel-select-for-multiple-entities In-Reply-To: <4D3EFC8A.60606@redhat.com> References: <4D3EFC8A.60606@redhat.com> Message-ID: <4D3F0BD8.2030905@redhat.com> On 01/25/2011 11:38 AM, Adam Young wrote: > > > _______________________________________________ > Freeipa-devel mailing list > Freeipa-devel at redhat.com > https://www.redhat.com/mailman/listinfo/freeipa-devel Had left in a typo. -------------- next part -------------- An HTML attachment was scrubbed... URL: -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-admiyo-0160-1-action-panel-select-for-multiple-entities.patch Type: text/x-patch Size: 2779 bytes Desc: not available URL: From jhrozek at redhat.com Tue Jan 25 17:43:38 2011 
From: jhrozek at redhat.com (Jakub Hrozek) Date: Tue, 25 Jan 2011 18:43:38 +0100 Subject: [Freeipa-devel] [PATCH] 0069 Add/Remove DNS records for replicas In-Reply-To: <20110125120532.76e6e3b0@willson.li.ssimo.org> References: <20110122200938.18cc2038@willson.li.ssimo.org> <4D3DF7D9.8080908@redhat.com> <20110125085757.7c5d5307@willson.li.ssimo.org> <20110125144026.GA30498@zeppelin.brq.redhat.com> <20110125103649.15768503@willson.li.ssimo.org> <20110125110946.392a9374@willson.li.ssimo.org> <20110125164749.GA20554@zeppelin.brq.redhat.com> <20110125115922.7372068a@willson.li.ssimo.org> <20110125120532.76e6e3b0@willson.li.ssimo.org> Message-ID: <4D3F0BCA.5040806@redhat.com> On 01/25/2011 06:05 PM, Simo Sorce wrote: > On Tue, 25 Jan 2011 11:59:22 -0500 > Simo Sorce wrote: > >> On Tue, 25 Jan 2011 17:47:49 +0100 >> Jakub Hrozek wrote: >> >>> On Tue, Jan 25, 2011 at 11:09:46AM -0500, Simo Sorce wrote: >>>> On Tue, 25 Jan 2011 10:36:49 -0500 >>>> Simo Sorce wrote: >>>> >>>>> On Tue, 25 Jan 2011 15:40:26 +0100 >>>>> Jakub Hrozek wrote: >>>>> >>>>>> On Tue, Jan 25, 2011 at 08:57:57AM -0500, Simo Sorce wrote: >>>>>>> On Mon, 24 Jan 2011 23:06:17 +0100 >>>>>>> Jakub Hrozek wrote: >>>>>>> >>>>>>>> On 01/23/2011 02:09 AM, Simo Sorce wrote: >>>>>>>>> >>>>>>>>> Do it always when the dns tree is available, even if the >>>>>>>>> replica being installed doesn't provide dns service >>>>>>>>> itself. >>>>>>>>> >>>>>>>>> Ticket #824 >>>>>>>>> >>>>>>>>> Simo. >>>>>>>>> >>>>>>>> >>>>>>>> I tried applying this on top of both origin/master and 068 >>>>>>>> but did not succeed. Can you rebase, please? >>>>>>> >>>>>>> Rebased on top of the new 0068 >>>>>>> >>>>>>> Simo. >>>>>>> >>>>>> >>>>>> I think you attached the wrong patch - the attachment is >>>>>> 68-02, not 69. >>>>> >>>>> Sigh. >>>>> Right one attached now. >>>>> >>>>> Simo. >>>>> >>>> >>>> Rebased once again leaving only 0068 on top of master. >>>> >>>> Simo. 
>>>>
>>>> --
>>>> Simo Sorce * Red Hat, Inc * New York
>>>
>>> Adding DNS records works fine with or without Bind, but removing
>>> does not work - you need to import api from ipalib - currently
>>> it's just undefined symbol in ipa-replica-manage. I suspect you'll
>>> also need to call api.bootstrap() and api.finalize() for the LDAP
>>> module to work.
>>
>> Ha now, I know what happened, the other patch I had in the tree is what
>> adds api and all, and that's why I guess you couldn't apply.
>> All my tests about removal passed but I had that other patch in the
>> tree too.
>>
>> Let me rebase and steal those changes from my other patch and
>> resubmit.
>>
>> Simo.
>>
>
> New patch attached.
>
> Simo.
>

Ack

From jhrozek at redhat.com Tue Jan 25 17:44:02 2011
From: jhrozek at redhat.com (Jakub Hrozek)
Date: Tue, 25 Jan 2011 18:44:02 +0100
Subject: [Freeipa-devel] [PATCH] 0070 Create DNS entries early on
In-Reply-To: <20110124115903.4131d627@willson.li.ssimo.org>
References: <20110124115903.4131d627@willson.li.ssimo.org>
Message-ID: <4D3F0BE2.2060101@redhat.com>

On 01/24/2011 05:59 PM, Simo Sorce wrote:
>
> See ticket #833 for a detailed explanation.
>
> Simo.
>

Ack

From jhrozek at redhat.com Tue Jan 25 17:50:38 2011
From: jhrozek at redhat.com (Jakub Hrozek)
Date: Tue, 25 Jan 2011 18:50:38 +0100
Subject: [Freeipa-devel] [PATCH] 0072 Fix regressions in setting up winsync agreements
In-Reply-To: <20110125121101.4525f5f1@willson.li.ssimo.org>
References: <20110125120507.2dd11043@willson.li.ssimo.org> <20110125121101.4525f5f1@willson.li.ssimo.org>
Message-ID: <20110125175038.GA20188@zeppelin.brq.redhat.com>

On Tue, Jan 25, 2011 at 12:11:01PM -0500, Simo Sorce wrote:
> On Tue, 25 Jan 2011 12:05:07 -0500
> Simo Sorce wrote:
>
> >
> > Some basic fixes to winsync replication setups.
> > Depends on 0069-4
> >
> > Ticket #807
>
> With the actual patch :)
>

Ack - I have found the same issue with pylint.

From jhrozek at redhat.com Tue Jan 25 17:52:13 2011
From: jhrozek at redhat.com (Jakub Hrozek)
Date: Tue, 25 Jan 2011 18:52:13 +0100
Subject: [Freeipa-devel] [PATCH] 040 Assorted bugs found by pylint
In-Reply-To: <4D3EBD75.7020308@redhat.com>
References: <4D396336.3090501@redhat.com> <4D3EBD75.7020308@redhat.com>
Message-ID: <20110125175212.GB20188@zeppelin.brq.redhat.com>

On Tue, Jan 25, 2011 at 01:09:25PM +0100, Jakub Hrozek wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> On 01/21/2011 11:43 AM, Jakub Hrozek wrote:
> > https://fedorahosted.org/freeipa/ticket/358
> >
> > Another part of this effort is running pylint during build. I have
> > started on this, but because we use python's dynamic features quite a
> > lot, pylint produces a big number of false positives.
> >
> > I wrote a small pylint plugin that helps (so it allowed me to review the
> > pylint results sanely), but it's still not complete - I'd like to resume
> > that work during the 2.0.1 bug fixing as there are more pressing issues
> > right now, I think.
>
> Attaching a new version that fixes one more bug and also changes one
> hunk so it does not exceed the recommended 80-chars limit.

Attached is a new version that is rebased on top of Simo's patch 072.

-------------- next part --------------
>From 77b338d07f16c548538ccdbc6f8fe55feaa7486b Mon Sep 17 00:00:00 2001
From: Jakub Hrozek Date: Tue, 25 Jan 2011 18:46:26 +0100 Subject: [PATCH] Fix assorted bugs found by pylint --- install/tools/ipa-replica-install | 4 ++-- install/tools/ipa-server-certinstall | 2 +- ipalib/cli.py | 11 ----------- ipalib/frontend.py | 2 +- ipalib/parameters.py | 7 +++++++ ipalib/pkcs10.py | 2 -- ipalib/plugins/dns.py | 2 +- ipalib/plugins/group.py | 2 +- ipalib/plugins/host.py | 1 - ipapython/ipautil.py | 4 +--- ipaserver/install/certs.py | 2 +- ipaserver/install/installutils.py | 4 ++-- ipaserver/ipaldap.py | 2 -- ipaserver/plugins/dogtag.py | 4 +--- ipaserver/plugins/ldap2.py | 2 +- ipaserver/plugins/ldapapi.py | 6 ------ ipaserver/servercore.py | 8 -------- 17 files changed, 19 insertions(+), 46 deletions(-) diff --git a/install/tools/ipa-replica-install b/install/tools/ipa-replica-install index 69c0e7e..ac8b299 100755 --- a/install/tools/ipa-replica-install +++ b/install/tools/ipa-replica-install @@ -407,8 +407,8 @@ def main(): # We ned to ldap_enable the CA now that DS is up and running if CA: - CA.ldap_enable('CA', host_name, dm_password, - util.realm_to_suffix(self.realm_name)) + CA.ldap_enable('CA', config.host_name, config.dirman_password, + util.realm_to_suffix(config.realm_name)) install_krb(config, setup_pkinit=options.setup_pkinit) install_http(config) diff --git a/install/tools/ipa-server-certinstall b/install/tools/ipa-server-certinstall index 543c770..5fc5811 100755 --- a/install/tools/ipa-server-certinstall +++ b/install/tools/ipa-server-certinstall @@ -141,7 +141,7 @@ def main(): set_ds_cert_name(server_cert[0], dm_password) if options.http: - dirname = httpinstance.NSS_DIR + dirname = certs.NSS_DIR server_cert = import_cert(dirname, pkcs12_fname, options.http_pin, "") installutils.set_directive(httpinstance.NSS_CONF, 'NSSNickname', server_cert[0]) diff --git a/ipalib/cli.py b/ipalib/cli.py index 2d219b7..9dda1c2 100644 --- a/ipalib/cli.py +++ b/ipalib/cli.py 
@@ -620,17 +620,6 @@ class help(frontend.Local): if module == __name__: return return module.split('.')[-1] - # get representation in the form of 'base_module.bare_module.command()' - r = repr(cmd_plugin_proxy) - # skip base module part and the following dot - start = r.find(self._PLUGIN_BASE_MODULE) - if start == -1: - # command module isn't a plugin module, it's a builtin - return None - start += len(self._PLUGIN_BASE_MODULE) + 1 - # parse bare module name - end = r.find('.', start) - return r[start:end] def _get_module_topic(self, module_name): if not sys.modules[module_name]: diff --git a/ipalib/frontend.py b/ipalib/frontend.py index 567edfd..58fd4d6 100644 --- a/ipalib/frontend.py +++ b/ipalib/frontend.py @@ -693,13 +693,13 @@ class Command(HasParam): If the client minor version is less than or equal to the server then let the request proceed. """ + server_ver = version.LooseVersion(API_VERSION) ver = version.LooseVersion(client_version) if len(ver.version) < 2: raise VersionError(cver=ver.version, sver=server_ver.version, server= self.env.xmlrpc_uri) client_major = ver.version[0] client_minor = ver.version[1] - server_ver = version.LooseVersion(API_VERSION) server_major = server_ver.version[0] server_minor = server_ver.version[1] diff --git a/ipalib/parameters.py b/ipalib/parameters.py index 0d6c690..22b0321 100644 --- a/ipalib/parameters.py +++ b/ipalib/parameters.py @@ -1532,6 +1532,13 @@ class AccessTime(Str): if value < 1 or value > 52: raise ValueError('week of the year out of range') + def _check_doty(self, t): + if not t.isnumeric(): + raise ValueError('day of the year non-numeric') + value = int(t) + if value < 1 or value > 365: + raise ValueError('day of the year out of range') + def _check_month_num(self, t): if not t.isnumeric(): raise ValueError('month number non-numeric') diff --git a/ipalib/pkcs10.py b/ipalib/pkcs10.py index 2565827..29f9b35 100644 --- a/ipalib/pkcs10.py +++ b/ipalib/pkcs10.py 
@@ -83,8 +83,6 @@ if __name__ == '__main__': # Read PEM request from stdin and print out its components csrlines = sys.stdin.readlines() - csrlines = fp.readlines() - fp.close() csr = ''.join(csrlines) csr = load_certificate_request(csr) diff --git a/ipalib/plugins/dns.py b/ipalib/plugins/dns.py index 81a8102..5b5411f 100644 --- a/ipalib/plugins/dns.py +++ b/ipalib/plugins/dns.py @@ -369,7 +369,7 @@ class dnsrecord(LDAPObject): ), ) - def is_pkey_zone_record(*keys): + def is_pkey_zone_record(self, *keys): idnsname = keys[-1] if idnsname == '@' or idnsname == ('%s.' % keys[-2]): return True diff --git a/ipalib/plugins/group.py b/ipalib/plugins/group.py index ecf5453..078d535 100644 --- a/ipalib/plugins/group.py +++ b/ipalib/plugins/group.py @@ -160,7 +160,7 @@ class group_del(LDAPDelete): def_primary_group = config.get('ipadefaultprimarygroup', '') def_primary_group_dn = group_dn = self.obj.get_dn(def_primary_group) if dn == def_primary_group_dn: - raise errors.DefaultGroup() + raise errors.DefaultGroupError() group_attrs = self.obj.methods.show( self.obj.get_primary_key_from_dn(dn), all=True )['result'] diff --git a/ipalib/plugins/host.py b/ipalib/plugins/host.py index 3225a78..0bc7947 100644 --- a/ipalib/plugins/host.py +++ b/ipalib/plugins/host.py @@ -437,7 +437,6 @@ class host_del(LDAPDelete): break if not match: raise errors.NotFound(reason=_('DNS zone %(zone)s not found' % dict(zone=domain))) - raise e # Get all forward resources for this host records = api.Command['dnsrecord_find'](domain, idnsname=parts[0])['result'] for record in records: diff --git a/ipapython/ipautil.py b/ipapython/ipautil.py index 69a410f..88d0836 100644 --- a/ipapython/ipautil.py +++ b/ipapython/ipautil.py 
@@ -41,9 +41,6 @@ import datetime from ipapython import config try: from subprocess import CalledProcessError - class CalledProcessError(subprocess.CalledProcessError): - def __init__(self, returncode, cmd): - super(CalledProcessError, self).__init__(returncode, cmd) except ImportError: # Python 2.4 doesn't implement CalledProcessError class CalledProcessError(Exception): @@ -876,6 +873,7 @@ class ItemCompleter: self.items = items self.initial_input = None self.item_delims = ' \t,' + self.operator = '=' self.split_re = re.compile('[%s]+' % self.item_delims) def open(self): diff --git a/ipaserver/install/certs.py b/ipaserver/install/certs.py index 209ed3e..da89370 100644 --- a/ipaserver/install/certs.py +++ b/ipaserver/install/certs.py @@ -602,7 +602,7 @@ class CertDB(object): dogtag.https_request(self.host_name, api.env.ca_ee_port, "/ca/ee/ca/profileSubmitSSLClient", self.secdir, password, "ipaCert", **params) if http_status != 200: - raise CertificateOperationError(error=_('Unable to communicate with CMS (%s)') % \ + raise CertificateOperationError(error='Unable to communicate with CMS (%s)' % \ http_reason_phrase) # The result is an XML blob. Pull the certificate out of that diff --git a/ipaserver/install/installutils.py b/ipaserver/install/installutils.py index a5457e2..05d397e 100644 --- a/ipaserver/install/installutils.py +++ b/ipaserver/install/installutils.py @@ -82,7 +82,7 @@ def verify_dns_records(host_name, responses, resaddr, family): rs = dnsclient.query(dns_addr.reverse_dns, dnsclient.DNS_C_IN, dnsclient.DNS_T_PTR) if len(rs) == 0: - raise RuntimeError("Cannot find Reverse Address for %s (%s)" % (host_name, addr)) + raise RuntimeError("Cannot find Reverse Address for %s (%s)" % (host_name, dns_addr.format())) rev = None for rsn in rs: 
@@ -91,7 +91,7 @@ def verify_dns_records(host_name, responses, resaddr, family): break if rev == None: - raise RuntimeError("Cannot find Reverse Address for %s (%s)" % (host_name, addr)) + raise RuntimeError("Cannot find Reverse Address for %s (%s)" % (host_name, dns_addr.format())) if rec.dns_name != rev.rdata.ptrdname: raise RuntimeError("The DNS forward record %s does not match the reverse address %s" % (rec.dns_name, rev.rdata.ptrdname)) diff --git a/ipaserver/ipaldap.py b/ipaserver/ipaldap.py index b1f9f40..d2d3d98 100644 --- a/ipaserver/ipaldap.py +++ b/ipaserver/ipaldap.py @@ -611,8 +611,6 @@ class IPAdmin(SimpleLDAPObject): while not entry and int(time.time()) < timeout: try: entry = self.getEntry(dn, scope, filter, attrlist) - except ipaerror.exception_for(ipaerror.LDAP_NOT_FOUND): - pass # found entry, but no attr except ldap.NO_SUCH_OBJECT: pass # no entry yet except ldap.LDAPError, e: # badness diff --git a/ipaserver/plugins/dogtag.py b/ipaserver/plugins/dogtag.py index 45c3c19..8563848 100644 --- a/ipaserver/plugins/dogtag.py +++ b/ipaserver/plugins/dogtag.py @@ -1519,9 +1519,7 @@ class ra(rabase.rabase): """ self.debug('%s.revoke_certificate()', self.fullname) if type(revocation_reason) is not int: - raise TYPE_ERROR('revocation_reason', int, revocation_reason, - type(revocation_reason) - ) + raise TypeError(TYPE_ERROR % ('revocation_reason', int, revocation_reason, type(revocation_reason))) # Convert serial number to integral type from string to properly handle # radix issues. Note: the int object constructor will properly handle large diff --git a/ipaserver/plugins/ldap2.py b/ipaserver/plugins/ldap2.py index 86ea3f8..c920d21 100644 --- a/ipaserver/plugins/ldap2.py +++ b/ipaserver/plugins/ldap2.py 
@@ -308,7 +308,7 @@ class ldap2(CrudBackend, Encoder): _ldap.set_option(_ldap.OPT_X_TLS_KEYFILE, tls_keyfile) if debug_level: - _ldap.set_option(_ldap.OPT_X_DEBUG_LEVEL, debug_level) + _ldap.set_option(_ldap.OPT_DEBUG_LEVEL, debug_level) try: conn = _ldap.initialize(self.ldap_uri) diff --git a/ipaserver/plugins/ldapapi.py b/ipaserver/plugins/ldapapi.py index 847e2d2..1ef8457 100644 --- a/ipaserver/plugins/ldapapi.py +++ b/ipaserver/plugins/ldapapi.py @@ -25,7 +25,6 @@ This wraps the python-ldap bindings. """ import ldap as _ldap -import ldap.dn from ipalib import api from ipalib import errors from ipalib.crud import CrudBackend @@ -443,9 +442,4 @@ class ldap(CrudBackend): return results - def get_effective_rights(self, dn, attrs=None): - binddn = self.find_entry_dn("krbprincipalname", self.conn.principal, "posixAccount") - - return servercore.get_effective_rights(binddn, dn, attrs) - api.register(ldap) diff --git a/ipaserver/servercore.py b/ipaserver/servercore.py index 38d4216..66af116 100644 --- a/ipaserver/servercore.py +++ b/ipaserver/servercore.py @@ -168,14 +168,6 @@ def get_entry_by_cn (cn, sattrs): searchfilter = "(cn=%s)" % cn return get_sub_entry("cn=accounts," + api.env.basedn, searchfilter, sattrs) -def get_user_by_uid(uid, sattrs): - """Get a specific user's entry.""" - # FIXME: should accept a container to look in -# uid = self.__safe_filter(uid) - searchfilter = "(&(uid=%s)(objectclass=posixAccount))" % uid - - return get_sub_entry("cn=accounts," + api.env.basedn, searchfilter, sattrs) - # User support def entry_exists(dn): -- 1.7.3.4 From ayoung at redhat.com Tue Jan 25 18:12:22 2011 
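Review bot: in the ipa-replica-install hunk, the removed lines referenced self.realm_name from a module-level main(), which can only raise NameError, and the unqualified host_name and dm_password were just as undefined there; reading all three from config (config.host_name, config.dirman_password, config.realm_name) is the correct source. Since this CA.ldap_enable call only runs under "if CA:", installs without a CA never exercised it, which is why pylint rather than a test run caught it. The comment above the call, "We ned to ldap_enable", should read "need".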
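Review bot: in the ipalib/frontend.py hunk, moving server_ver = version.LooseVersion(API_VERSION) above the len(ver.version) < 2 check is a real fix, not a reorder: the raise VersionError(cver=ver.version, sver=server_ver.version, ...) on that path used server_ver before it was assigned, so a client sending a one-component version got a NameError instead of the intended VersionError. A test that calls this with client_version='2' would keep the path covered.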
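Review bot: the new _check_doty in ipalib/parameters.py rejects day 366 with "day of the year out of range", so an access-time rule for 31 December of a leap year cannot be expressed; unless the format deliberately excludes it, the bound should be value < 1 or value > 366. The neighbouring week check (1..52) has the same shape of problem, since ISO weeks run to 53, but that line is not part of this change.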
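Review bot: in the ipalib/plugins/host.py hunk, dropping the unreachable "raise e" is right, but the context line above it carries an i18n bug worth fixing in the same pass: _('DNS zone %(zone)s not found' % dict(zone=domain)) interpolates the zone name before the gettext lookup, so the string handed to _() never matches a catalog entry. It should be _('DNS zone %(zone)s not found') % dict(zone=domain).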
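Review bot: in the ipaserver/install/certs.py hunk, removing _() from 'Unable to communicate with CMS (%s)' makes a user-facing CertificateOperationError message untranslatable. If the reason is that _ is not defined in certs.py (which would match a pylint undefined-name warning), importing the gettext helper there fixes the warning without losing the translation.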
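Review bot: in the second ipaserver/install/installutils.py hunk (around line 91), replacing the undefined addr with dns_addr.format() is correct for both error messages; while touching that block, the context line "if rev == None:" should be "if rev is None:", which is the next thing pylint will flag.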
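Review bot: in the ipaserver/servercore.py hunk, deleting get_user_by_uid also deletes the only reminder (the commented-out "uid = self.__safe_filter(uid)") that these search filters need escaping: the surviving get_entry_by_cn still builds searchfilter = "(cn=%s)" % cn from its raw argument, so a cn containing *, (, ) or a backslash changes the meaning of the filter. Passing cn through ldap.filter.escape_filter_chars before interpolation closes that, and the same applies to any other raw "%s" filters left in this module.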
From: ayoung at redhat.com (Adam Young)
Date: Tue, 25 Jan 2011 13:12:22 -0500
Subject: [Freeipa-devel] [PATCH] admiyo-0156-remove-icons-from-association-buttons.
In-Reply-To: <2047426513.121648.1295967532111.JavaMail.root@zmail05.collab.prod.int.phx2.redhat.com>
References: <2047426513.121648.1295967532111.JavaMail.root@zmail05.collab.prod.int.phx2.redhat.com>
Message-ID: <4D3F1286.80809@redhat.com>

On 01/25/2011 09:58 AM, Kyle Baker wrote:
> ACK Looks good.
>
> ----- Original Message -----

pushed to master

From ayoung at redhat.com Tue Jan 25 18:12:34 2011
From: ayoung at redhat.com (Adam Young)
Date: Tue, 25 Jan 2011 13:12:34 -0500
Subject: [Freeipa-devel] [PATCH] admiyo-0157-aci-attribute-table-two-columns.patc
In-Reply-To: <1105297153.121600.1295967426426.JavaMail.root@zmail05.collab.prod.int.phx2.redhat.com>
References: <1105297153.121600.1295967426426.JavaMail.root@zmail05.collab.prod.int.phx2.redhat.com>
Message-ID: <4D3F1292.7050701@redhat.com>

On 01/25/2011 09:57 AM, Kyle Baker wrote:
> ACK Looks good.
>
> ----- Original Message -----

pushed to master

From ayoung at redhat.com Tue Jan 25 18:12:44 2011
From: ayoung at redhat.com (Adam Young)
Date: Tue, 25 Jan 2011 13:12:44 -0500
Subject: [Freeipa-devel] [PATCH] admiyo-0158-action-buttons-for-dns
In-Reply-To: <1498915762.121484.1295967153265.JavaMail.root@zmail05.collab.prod.int.phx2.redhat.com>
References: <1498915762.121484.1295967153265.JavaMail.root@zmail05.collab.prod.int.phx2.redhat.com>
Message-ID: <4D3F129C.3090100@redhat.com>

On 01/25/2011 09:52 AM, Kyle Baker wrote:
> ACK Looks good.
>
> ----- Original Message -----

pushed to master

From kybaker at redhat.com Tue Jan 25 18:51:31 2011
From: kybaker at redhat.com (Kyle Baker)
Date: Tue, 25 Jan 2011 13:51:31 -0500 (EST)
Subject: [Freeipa-devel] [PATCH] admiyo-0159-unselected-facets
In-Reply-To: <4D3EE3BC.1010408@redhat.com>
Message-ID: <1214132525.126227.1295981491064.JavaMail.root@zmail05.collab.prod.int.phx2.redhat.com>

ACK looks good

----- Original Message -----

-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-admiyo-0159-unselected-facets.patch
Type: text/x-patch
Size: 1080 bytes

From kybaker at redhat.com Tue Jan 25 18:52:48 2011
From: kybaker at redhat.com (Kyle Baker)
Date: Tue, 25 Jan 2011 13:52:48 -0500 (EST)
Subject: [Freeipa-devel] [PATCH] admiyo-0160-action-panel-select-for-multiple-entities
In-Reply-To: <4D3F0BD8.2030905@redhat.com>
Message-ID: <1635676745.126235.1295981568837.JavaMail.root@zmail05.collab.prod.int.phx2.redhat.com>

ACK looks good

----- Original Message -----
> On 01/25/2011 11:38 AM, Adam Young wrote:
>
> Had left in a
> typo.

-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-admiyo-0160-1-action-panel-select-for-multiple-entities.patch
Type: text/x-patch
Size: 2779 bytes

From ayoung at redhat.com Tue Jan 25 18:56:15 2011
From: ayoung at redhat.com (Adam Young)
Date: Tue, 25 Jan 2011 13:56:15 -0500
Subject: [Freeipa-devel] [PATCH] admiyo-0160-action-panel-select-for-multiple-entities
In-Reply-To: <1635676745.126235.1295981568837.JavaMail.root@zmail05.collab.prod.int.phx2.redhat.com>
References: <1635676745.126235.1295981568837.JavaMail.root@zmail05.collab.prod.int.phx2.redhat.com>
Message-ID: <4D3F1CCF.1070906@redhat.com>

On 01/25/2011 01:52 PM, Kyle Baker wrote:
> ACK looks good
>
> ----- Original Message -----
>> On 01/25/2011 11:38 AM, Adam Young wrote:
>>
>> Had left in a
>> typo.

Pushed to master

From ayoung at redhat.com Tue Jan 25 18:56:35 2011
From: ayoung at redhat.com (Adam Young)
Date: Tue, 25 Jan 2011 13:56:35 -0500
Subject: [Freeipa-devel] [PATCH] admiyo-0159-unselected-facets
In-Reply-To: <1214132525.126227.1295981491064.JavaMail.root@zmail05.collab.prod.int.phx2.redhat.com>
References: <1214132525.126227.1295981491064.JavaMail.root@zmail05.collab.prod.int.phx2.redhat.com>
Message-ID: <4D3F1CE3.2030307@redhat.com>

On 01/25/2011 01:51 PM, Kyle Baker wrote:
> ACK looks good
>
> ----- Original Message -----

Pushed to master

From ssorce at redhat.com Tue Jan 25 19:02:11 2011
From: ssorce at redhat.com (Simo Sorce)
Date: Tue, 25 Jan 2011 14:02:11 -0500
Subject: [Freeipa-devel] [PATCH] 692 fix rpmlint warnings
In-Reply-To: <20110125172814.GA31077@zeppelin.brq.redhat.com>
References: <4D3EF4E9.8030708@redhat.com> <20110125172814.GA31077@zeppelin.brq.redhat.com>
Message-ID: <20110125140211.5bd9c308@willson.li.ssimo.org>

On Tue, 25 Jan 2011 18:28:15 +0100
Jakub Hrozek wrote:

> On Tue, Jan 25, 2011 at 11:06:01AM -0500, Rob Crittenden wrote:
> > I did some specfile clean up in preparation of proposing this as a
> > package for Fedora 15.
> >
> > ticket 804.
> >
> > rob
>
> Ack

Pushed to master

Simo.

--
Simo Sorce * Red Hat, Inc * New York

From ssorce at redhat.com Tue Jan 25 19:02:45 2011
From: ssorce at redhat.com (Simo Sorce)
Date: Tue, 25 Jan 2011 14:02:45 -0500
Subject: [Freeipa-devel] [PATCH] 040 Assorted bugs found by pylint
In-Reply-To: <20110125175212.GB20188@zeppelin.brq.redhat.com>
References: <4D396336.3090501@redhat.com> <4D3EBD75.7020308@redhat.com> <20110125175212.GB20188@zeppelin.brq.redhat.com>
Message-ID: <20110125140245.111d26ed@willson.li.ssimo.org>

On Tue, 25 Jan 2011 18:52:13 +0100
Jakub Hrozek wrote:

> On Tue, Jan 25, 2011 at 01:09:25PM +0100, Jakub Hrozek wrote:
> > -----BEGIN PGP SIGNED MESSAGE-----
> > Hash: SHA1
> >
> > On 01/21/2011 11:43 AM, Jakub Hrozek wrote:
> > > https://fedorahosted.org/freeipa/ticket/358
> > >
> > > Another part of this effort is running pylint during build. I have
> > > started on this, but because we use python's dynamic features
> > > quite a lot, pylint produces a big number of false positives.
> > >
> > > I wrote a small pylint plugin that helps (so it allowed me to
> > > review the pylint results sanely), but it's still not complete -
> > > I'd like to resume that work during the 2.0.1 bug fixing as there
> > > are more pressing issues right now, I think.
> >
> > Attaching a new version that fixes one more bug and also changes one
> > hunk so it does not exceed the recommended 80-chars limit.
>
> Attached is a new version that is rebased on top of Simo's patch 072.

Ack and pushed to master.

Simo.

--
Simo Sorce * Red Hat, Inc * New York

From ssorce at redhat.com Tue Jan 25 19:03:01 2011
From: ssorce at redhat.com (Simo Sorce)
Date: Tue, 25 Jan 2011 14:03:01 -0500
Subject: [Freeipa-devel] [PATCH] 0069 Add/Remove DNS records for replicas
In-Reply-To: <4D3F0BCA.5040806@redhat.com>
References: <20110122200938.18cc2038@willson.li.ssimo.org> <4D3DF7D9.8080908@redhat.com> <20110125085757.7c5d5307@willson.li.ssimo.org> <20110125144026.GA30498@zeppelin.brq.redhat.com> <20110125103649.15768503@willson.li.ssimo.org> <20110125110946.392a9374@willson.li.ssimo.org> <20110125164749.GA20554@zeppelin.brq.redhat.com> <20110125115922.7372068a@willson.li.ssimo.org> <20110125120532.76e6e3b0@willson.li.ssimo.org> <4D3F0BCA.5040806@redhat.com>
Message-ID: <20110125140301.2c13ca73@willson.li.ssimo.org>

On Tue, 25 Jan 2011 18:43:38 +0100
Jakub Hrozek wrote:

> >> Let me rebase and steal those changes from my other patch and
> >> resubmit.
> >>
> >> Simo.
> >>
> >
> > New patch attached.
> >
> > Simo.
> >
>
> Ack

Thanks, pushed to master.

Simo.

--
Simo Sorce * Red Hat, Inc * New York

From ssorce at redhat.com Tue Jan 25 19:03:12 2011
From: ssorce at redhat.com (Simo Sorce)
Date: Tue, 25 Jan 2011 14:03:12 -0500
Subject: [Freeipa-devel] [PATCH] 0070 Create DNS entries early on
In-Reply-To: <4D3F0BE2.2060101@redhat.com>
References: <20110124115903.4131d627@willson.li.ssimo.org> <4D3F0BE2.2060101@redhat.com>
Message-ID: <20110125140312.123ee4c5@willson.li.ssimo.org>

On Tue, 25 Jan 2011 18:44:02 +0100
Jakub Hrozek wrote:

> On 01/24/2011 05:59 PM, Simo Sorce wrote:
> >
> > See ticket #833 for a detailed explanation.
> >
> > Simo.
> >
>
> Ack

Pushed to master.

Simo.

--
Simo Sorce * Red Hat, Inc * New York

From ssorce at redhat.com Tue Jan 25 19:03:40 2011
From: ssorce at redhat.com (Simo Sorce)
Date: Tue, 25 Jan 2011 14:03:40 -0500
Subject: [Freeipa-devel] [PATCH] 0072 Fix regressions in setting up winsync agreements
In-Reply-To: <20110125175038.GA20188@zeppelin.brq.redhat.com>
References: <20110125120507.2dd11043@willson.li.ssimo.org> <20110125121101.4525f5f1@willson.li.ssimo.org> <20110125175038.GA20188@zeppelin.brq.redhat.com>
Message-ID: <20110125140340.5fe5f8eb@willson.li.ssimo.org>

On Tue, 25 Jan 2011 18:50:38 +0100
Jakub Hrozek wrote:

> On Tue, Jan 25, 2011 at 12:11:01PM -0500, Simo Sorce wrote:
> > On Tue, 25 Jan 2011 12:05:07 -0500
> > Simo Sorce wrote:
> >
> > >
> > > Some basic fixes to winsync replication setups.
> > > Depends on 0069-4
> > >
> > > Ticket #807
> >
> > With the actual patch :)
> >
>
> Ack - I have found the same issue with pylint.

Yeah, pretty easy to spot even for automated tools :)

Pushed to master.

Simo.

--
Simo Sorce * Red Hat, Inc * New York

From rcritten at redhat.com Tue Jan 25 19:19:36 2011
From: rcritten at redhat.com (Rob Crittenden)
Date: Tue, 25 Jan 2011 14:19:36 -0500
Subject: [Freeipa-devel] [PATCH] Rename package to freeipa
In-Reply-To: <201101171036.47311.jzeleny@redhat.com>
References: <201101171036.47311.jzeleny@redhat.com>
Message-ID: <4D3F2248.9080704@redhat.com>

Jan Zelený wrote:
> Ok, so here is the first version of patch which will rename the package in
> Fedora from ipa to freeipa. I've tried to keep it as minimal as possible, but
> my concern is whether it doesn't break any Fedora rules. I tried to remember
> them from time I was maintainer and no particular rule we might be breaking
> came to my mind, so hopefully we are ok.
>
> The package builds fine using `make rpms` and it installs fine as well. I also
> tested that installation fails in case ipa-* packages are installed.
>
> Jan

Ack, pushed to master. I made one minor change, I replaced the Conflicts with Obsoletes per the Fedora packaging guidelines.

rob

From ayoung at redhat.com Tue Jan 25 21:20:32 2011
From: ayoung at redhat.com (Adam Young)
Date: Tue, 25 Jan 2011 16:20:32 -0500
Subject: [Freeipa-devel] [PATCH] Two for Style changes
Message-ID: <4D3F3EA0.9080901@redhat.com>

Apply the kylebaker patch first. These should be considered one patch, but I'd like to keep them separate to identify authorship

-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-kylebaker-0002-Main-UI-migration-and-html-Style-updates.patch
Type: text/x-patch
Size: 258888 bytes

-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-admiyo-0161-error-handling-style.patch
Type: text/x-patch
Size: 18231 bytes

From kybaker at redhat.com Tue Jan 25 21:35:49 2011
From: kybaker at redhat.com (Kyle Baker)
Date: Tue, 25 Jan 2011 16:35:49 -0500 (EST)
Subject: [Freeipa-devel] [PATCH] Two for Style changes
In-Reply-To: <4D3F3EA0.9080901@redhat.com>
Message-ID: <1538621935.130059.1295991349507.JavaMail.root@zmail05.collab.prod.int.phx2.redhat.com>

ACK Looks good.

----- Original Message -----
> Apply the kylebaker patch first. These should be considered one patch,
> but I'd like to keep them separate to identify authorship

-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-kylebaker-0002-Main-UI-migration-and-html-Style-updates.patch
Type: text/x-patch
Size: 258888 bytes

-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-admiyo-0161-error-handling-style.patch
Type: text/x-patch
Size: 18231 bytes

From ayoung at redhat.com Tue Jan 25 21:47:53 2011
From: ayoung at redhat.com (Adam Young)
Date: Tue, 25 Jan 2011 16:47:53 -0500
Subject: [Freeipa-devel] [PATCH] Two for Style changes
In-Reply-To: <4D3F3EA0.9080901@redhat.com>
References: <4D3F3EA0.9080901@redhat.com>
Message-ID: <4D3F4509.9080302@redhat.com>

On 01/25/2011 04:20 PM, Adam Young wrote:
> Apply the kylebaker patch first. These should be considered one
> patch, but I'd like to keep them separate to identify authorship

Pushed to master

From ayoung at redhat.com Tue Jan 25 21:57:10 2011
From: ayoung at redhat.com (Adam Young)
Date: Tue, 25 Jan 2011 16:57:10 -0500
Subject: [Freeipa-devel] [PATCH] kylebaker- 0006-Modal-Panel-Changes.patch
Message-ID: <4D3F4736.60605@redhat.com>

Sent direct to me from Kyle. ACK

-------- Original Message --------
Subject: 0006-Modal-Panel-Changes.patch
Date: Tue, 25 Jan 2011 16:41:56 -0500 (EST)
From: Kyle Baker
To: Adam Young

-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0006-Modal-Panel-Changes.patch
Type: text/x-patch
Size: 2711 bytes

From ayoung at redhat.com Tue Jan 25 21:59:01 2011
From: ayoung at redhat.com (Adam Young)
Date: Tue, 25 Jan 2011 16:59:01 -0500
Subject: [Freeipa-devel] [PATCH] kylebaker- 0006-Modal-Panel-Changes.patch
In-Reply-To: <4D3F4736.60605@redhat.com>
References: <4D3F4736.60605@redhat.com>
Message-ID: <4D3F47A5.1070204@redhat.com>

Pushed to master

On 01/25/2011 04:57 PM, Adam Young wrote:
> Sent direct to me from Kyle. ACK
>
> -------- Original Message --------
> Subject: 0006-Modal-Panel-Changes.patch
> Date: Tue, 25 Jan 2011 16:41:56 -0500 (EST)
> From: Kyle Baker
> To: Adam Young
>

From rcritten at redhat.com Tue Jan 25 22:09:13 2011
From: rcritten at redhat.com (Rob Crittenden)
Date: Tue, 25 Jan 2011 17:09:13 -0500
Subject: [Freeipa-devel] [PATCH] 690 add brackets around optional prompts
In-Reply-To: <201101251341.12113.jzeleny@redhat.com>
References: <4D3DF6E2.9090204@redhat.com> <201101251341.12113.jzeleny@redhat.com>
Message-ID: <4D3F4A09.5070402@redhat.com>

Jan Zelený wrote:
> Rob Crittenden wrote:
>> When prompting for arguments in the cli there is no way to tell what is
>> optional and what is required. This sticks brackets around optional
>> arguments.
>>
>> Ticket 832
>>
>> rob
>
> Ack
>
> Jan

pushed to master

From ayoung at redhat.com Wed Jan 26 01:04:13 2011
From: ayoung at redhat.com (Adam Young)
Date: Tue, 25 Jan 2011 20:04:13 -0500
Subject: [Freeipa-devel] [PATCH] admiyo-0162-1-Tab-I18N
Message-ID: <4D3F730D.2050005@redhat.com>

Fixes
https://fedorahosted.org/freeipa/ticket/849
and
https://fedorahosted.org/freeipa/ticket/745

-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-admiyo-0162-1-Tab-I18N.patch
Type: text/x-patch
Size: 50591 bytes

From ayoung at redhat.com Wed Jan 26 02:12:45 2011
From: ayoung at redhat.com (Adam Young)
Date: Tue, 25 Jan 2011 21:12:45 -0500
Subject: [Freeipa-devel] [PATCH] admiyo-0162-1-Tab-I18N
In-Reply-To: <4D3F730D.2050005@redhat.com>
References: <4D3F730D.2050005@redhat.com>
Message-ID: <4D3F831D.2060400@redhat.com>

On 01/25/2011 08:04 PM, Adam Young wrote:
> Fixes
> https://fedorahosted.org/freeipa/ticket/849
> and
> https://fedorahosted.org/freeipa/ticket/745

Missed the file with the I18N messages

-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-admiyo-0162-2-Tab-I18N.patch
Type: text/x-patch
Size: 50591 bytes

From ayoung at redhat.com Wed Jan 26 02:14:55 2011
From: ayoung at redhat.com (Adam Young)
Date: Tue, 25 Jan 2011 21:14:55 -0500
Subject: [Freeipa-devel] [PATCH] admiyo-0162-1-Tab-I18N
In-Reply-To: <4D3F730D.2050005@redhat.com>
References: <4D3F730D.2050005@redhat.com>
Message-ID: <4D3F839F.1030005@redhat.com>

On 01/25/2011 08:04 PM, Adam Young wrote:
> Fixes
> https://fedorahosted.org/freeipa/ticket/849
> and
> https://fedorahosted.org/freeipa/ticket/745

Third time's the charm. This one has the internal.py file with messages in it.

-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-admiyo-0162-3-Tab-I18N.patch
Type: text/x-patch
Size: 51390 bytes

From ayoung at redhat.com Wed Jan 26 02:16:42 2011
From: ayoung at redhat.com (Adam Young)
Date: Tue, 25 Jan 2011 21:16:42 -0500
Subject: [Freeipa-devel] [PATCH] admiyo-0163-dns-container
Message-ID: <4D3F840A.9010608@redhat.com>

Kyle noticed that the DNS page was off. This fixes it.

-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-admiyo-0163-dns-container.patch
Type: text/x-patch
Size: 3339 bytes

From ayoung at redhat.com Wed Jan 26 02:20:20 2011
From: ayoung at redhat.com (Adam Young)
Date: Tue, 25 Jan 2011 21:20:20 -0500
Subject: [Freeipa-devel] [PATCH] admiyo-0163-dns-container
In-Reply-To: <4D3F840A.9010608@redhat.com>
References: <4D3F840A.9010608@redhat.com>
Message-ID: <4D3F84E4.7070201@redhat.com>

On 01/25/2011 09:16 PM, Adam Young wrote:
> Kyle noticed that the DNS page was off. This fixes it.

Fixes the title. It had to be set after the entity was assigned.

-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-admiyo-0163-1-dns-container.patch
Type: text/x-patch
Size: 3372 bytes

From ayoung at redhat.com Wed Jan 26 03:01:50 2011
From: ayoung at redhat.com (Adam Young)
Date: Tue, 25 Jan 2011 22:01:50 -0500
Subject: [Freeipa-devel] [PATCH] admiyo-0164-dns-visible-if-enabled.
Message-ID: <4D3F8E9E.9000902@redhat.com>

-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-admiyo-0164-dns-visible-if-enabled.patch
Type: text/x-patch
Size: 3483 bytes

From jzeleny at redhat.com Wed Jan 26 07:52:40 2011
From: jzeleny at redhat.com (Jan Zelený)
Date: Wed, 26 Jan 2011 08:52:40 +0100
Subject: [Freeipa-devel] [PATCH] Add flags to enforce asking for object attribute
In-Reply-To: <4D3EE779.9050508@redhat.com>
References: <201101251512.40922.jzeleny@redhat.com> <4D3EE779.9050508@redhat.com>
Message-ID: <201101260852.40104.jzeleny@redhat.com>

Rob Crittenden wrote:
> Jan Zelený wrote:
> > So far the only way to enforce asking for a parameter in interactive mode
> > was the alwaysask attribute, which is not sufficient any more. This
> > patch adds the ability to control during which actions the attribute
> > shall be asked for.
> >
> > Jan
>
> nack, this doesn't address the interactive part in ipalib/cli.py.
>
> rob

I'm afraid I don't know what you mean. Can you please give me some quick
guidance on what you are referring to?

Thanks
Jan

From jzeleny at redhat.com Wed Jan 26 09:55:37 2011
From: jzeleny at redhat.com (Jan Zelený)
Date: Wed, 26 Jan 2011 10:55:37 +0100
Subject: [Freeipa-devel] [PATCH] Add ldap2 method to retrieve allowed attributes for specified objectClasses.
In-Reply-To: <4D3EECC6.4040807@redhat.com>
References: <4D3EECC6.4040807@redhat.com>
Message-ID: <201101261055.37254.jzeleny@redhat.com>

Pavel Zuna wrote:
> ldap2.get_allowed_attributes(['posixuser'])
>
> returns a list of unicode, all lower case, attribute names allowed for the
> object class 'posixuser'
>
> You can enter as many object classes as you want.
>
> Pavel

ack

Jan

From jzeleny at redhat.com Wed Jan 26 09:55:45 2011
From: jzeleny at redhat.com (Jan Zelený)
Date: Wed, 26 Jan 2011 10:55:45 +0100
Subject: [Freeipa-devel] [PATCH] Raise ValidationError when adding unallowed attribute to search fields.
In-Reply-To: <4D3EED14.1000208@redhat.com>
References: <4D3EED14.1000208@redhat.com>
Message-ID: <201101261055.46011.jzeleny@redhat.com>

Pavel Zuna wrote:
> Depends on my previous patch number 64 (posted on the list 2 minutes ago).
>
> Ticket #845
>
> Pavel

ack

Jan

From jzeleny at redhat.com Wed Jan 26 13:13:51 2011
From: jzeleny at redhat.com (Jan Zelený)
Date: Wed, 26 Jan 2011 14:13:51 +0100
Subject: [Freeipa-devel] [PATCH] Add support for account unlocking
In-Reply-To: <201101210915.48299.jzeleny@redhat.com>
References: <201101210915.48299.jzeleny@redhat.com>
Message-ID: <201101261413.51668.jzeleny@redhat.com>

Jan Zelený wrote:
> This patch adds the command ipa user-unlock and some LDAP modifications
> which are required by Kerberos for unlocking to work.
>
> Ticket:
> https://fedorahosted.org/freeipa/ticket/344
>
> Jan

Just a reminder that this patch needs a review.

Thanks
Jan

From jzeleny at redhat.com Wed Jan 26 13:39:24 2011
From: jzeleny at redhat.com (Jan Zelený)
Date: Wed, 26 Jan 2011 14:39:24 +0100
Subject: [Freeipa-devel] [PATCH] Provide a way to display CLI-LDAP attribute relation
Message-ID: <201101261439.24085.jzeleny@redhat.com>

Since some LDAP attributes have their cli_name value defined so that they
can be more user-friendly, it can be difficult for a user to find out which
attributes the parameters given to the CLI really represent. This patch
provides a new command, which takes another IPA command as an argument and
displays the attributes which the given command takes and what LDAP
attributes they are mapped to.

https://fedorahosted.org/freeipa/ticket/447

When reviewing, please pay attention to line 39 of the patch (detection of
the 'webui' in param.excludes). I think this is the right approach, but I'm
not 100% sure.

Thanks
Jan

-------------- next part --------------
A non-text attachment was scrubbed...
Name: jzeleny-freeipa-0030-Provide-a-way-to-display-CLI-LDAP-relation.patch
Type: text/x-patch
Size: 2056 bytes

From rcritten at redhat.com Wed Jan 26 14:30:18 2011
From: rcritten at redhat.com (Rob Crittenden)
Date: Wed, 26 Jan 2011 09:30:18 -0500
Subject: [Freeipa-devel] [PATCH] Add flags to enforce asking for object attribute
In-Reply-To: <201101260852.40104.jzeleny@redhat.com>
References: <201101251512.40922.jzeleny@redhat.com> <4D3EE779.9050508@redhat.com> <201101260852.40104.jzeleny@redhat.com>
Message-ID: <4D402FFA.9010609@redhat.com>

Jan Zelený wrote:
> Rob Crittenden wrote:
>> Jan Zelený wrote:
>>> So far the only way to enforce asking for a parameter in interactive mode
>>> was the alwaysask attribute, which is not sufficient any more. This
>>> patch adds the ability to control during which actions the attribute
>>> shall be asked for.
>>>
>>> Jan
>>
>> nack, this doesn't address the interactive part in ipalib/cli.py.
>>
>> rob
>
> I'm afraid I don't know what you mean. Can you please give me some quick
> guidance on what you are referring to?
>
> Thanks
> Jan

Sorry, I misread the intention. This definitely makes the -find functions
work a lot nicer, esp. permission-find.

ack, pushed to master

rob

From mkosek at redhat.com Wed Jan 26 14:33:27 2011
From: mkosek at redhat.com (Martin Kosek)
Date: Wed, 26 Jan 2011 15:33:27 +0100
Subject: [Freeipa-devel] [PATCH] 017 ACI plugin supports prefixes
Message-ID: <1296052408.17168.1.camel@dhcp-25-52.brq.redhat.com>

When more than one plugin produces ACIs, they share a common namespace
of ACI names. This may lead to name collisions between the ACIs
from different plugins.

This patch introduces a mandatory "prefix" attribute for non-find
ACI operations which allows plugins to use their own prefixes
(i.e. namespaces), which are then used when the name of the ACI is
generated.

The Permission, Delegation and Selfservice plugins have been updated
to use their own prefixes, thus avoiding name collisions by using
their own namespaces. Default ACIs in LDIFs have been updated to
follow this new policy.

The Permission plugin now uses its CN (= primary key) instead of
description in ACI names, as Description may not be unique.

This change requires an IPA server reinstall since the default ACI
set has been changed.

https://fedorahosted.org/freeipa/ticket/764

-------------- next part --------------
A non-text attachment was scrubbed...
Name: mkosek-freeipa-017-aci-plugin-supports-prefixes.patch
Type: text/x-patch
Size: 52010 bytes

From jhrozek at redhat.com Wed Jan 26 14:38:52 2011
From: jhrozek at redhat.com (Jakub Hrozek)
Date: Wed, 26 Jan 2011 15:38:52 +0100
Subject: [Freeipa-devel] [PATCH] 041 Add example of DNS SRV record and a simple validator
Message-ID: <4D4031FC.9070503@redhat.com>

https://fedorahosted.org/freeipa/ticket/846

-------------- next part --------------
A non-text attachment was scrubbed...
Name: jhrozek-freeipa-041-srv-validator.patch
Type: text/x-patch
Size: 1842 bytes

-------------- next part --------------
A non-text attachment was scrubbed...
Name: jhrozek-freeipa-041-srv-validator.patch.sig
Type: application/pgp-signature
Size: 72 bytes

From jhrozek at redhat.com Wed Jan 26 14:43:40 2011
From: jhrozek at redhat.com (Jakub Hrozek)
Date: Wed, 26 Jan 2011 15:43:40 +0100
Subject: [Freeipa-devel] [PATCH] 041 Add example of DNS SRV record and a simple validator
In-Reply-To: <4D4031FC.9070503@redhat.com>
References: <4D4031FC.9070503@redhat.com>
Message-ID: <4D40331C.70003@redhat.com>

On 01/26/2011 03:38 PM, Jakub Hrozek wrote:
> https://fedorahosted.org/freeipa/ticket/846

This version contains a better example (consistent zone name).

-------------- next part --------------
A non-text attachment was scrubbed...
Name: jhrozek-freeipa-041-02-srv-validator.patch
Type: text/x-patch
Size: 1854 bytes

-------------- next part --------------
A non-text attachment was scrubbed...
Name: jhrozek-freeipa-041-02-srv-validator.patch.sig
Type: application/pgp-signature
Size: 72 bytes

From kybaker at redhat.com Wed Jan 26 14:50:11 2011
From: kybaker at redhat.com (Kyle Baker)
Date: Wed, 26 Jan 2011 09:50:11 -0500 (EST)
Subject: [Freeipa-devel] [PATCH] admiyo-0162-1-Tab-I18N
In-Reply-To: <4D3F839F.1030005@redhat.com>
Message-ID: <663806569.138175.1296053411716.JavaMail.root@zmail05.collab.prod.int.phx2.redhat.com>

ACK. Looks good.

----- Original Message -----
> On 01/25/2011 08:04 PM, Adam Young wrote:
>
> Fixes
> https://fedorahosted.org/freeipa/ticket/849
> and
> https://fedorahosted.org/freeipa/ticket/745
>
> Third time's the charm. This one has the internal.py file with messages in it.

-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-admiyo-0162-3-Tab-I18N.patch
Type: text/x-patch
Size: 51390 bytes

From kybaker at redhat.com Wed Jan 26 14:50:46 2011
From: kybaker at redhat.com (Kyle Baker)
Date: Wed, 26 Jan 2011 09:50:46 -0500 (EST)
Subject: [Freeipa-devel] [PATCH] admiyo-0163-dns-container
In-Reply-To: <4D3F84E4.7070201@redhat.com>
Message-ID: <529215109.138192.1296053446211.JavaMail.root@zmail05.collab.prod.int.phx2.redhat.com>

ACK. Looks good.

----- Original Message -----
> On 01/25/2011 09:16 PM, Adam Young wrote:
>
> Kyle noticed that the DNS page was off. This fixes it.
>
> Fixes the title. It had to be set after the entity was assigned.

-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-admiyo-0163-1-dns-container.patch
Type: text/x-patch
Size: 3372 bytes

From kybaker at redhat.com Wed Jan 26 14:51:09 2011
From: kybaker at redhat.com (Kyle Baker)
Date: Wed, 26 Jan 2011 09:51:09 -0500 (EST)
Subject: [Freeipa-devel] [PATCH] admiyo-0163-dns-container
In-Reply-To: <4D3F840A.9010608@redhat.com>
Message-ID: <1571917526.138205.1296053469745.JavaMail.root@zmail05.collab.prod.int.phx2.redhat.com>

ACK. Looks good.

----- Original Message -----
> Kyle noticed that the DNS page was off. This fixes it.

-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-admiyo-0163-dns-container.patch
Type: text/x-patch
Size: 3339 bytes

From kybaker at redhat.com Wed Jan 26 14:51:18 2011
From: kybaker at redhat.com (Kyle Baker)
Date: Wed, 26 Jan 2011 09:51:18 -0500 (EST)
Subject: [Freeipa-devel] [PATCH] admiyo-0164-dns-visible-if-enabled.
In-Reply-To: <4D3F8E9E.9000902@redhat.com>
Message-ID: <4729778.138208.1296053478151.JavaMail.root@zmail05.collab.prod.int.phx2.redhat.com>

ACK. Looks good.

-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-admiyo-0164-dns-visible-if-enabled.patch
Type: text/x-patch
Size: 3483 bytes

From ayoung at redhat.com Wed Jan 26 15:19:32 2011
From: ayoung at redhat.com (Adam Young)
Date: Wed, 26 Jan 2011 10:19:32 -0500
Subject: [Freeipa-devel] [PATCH] admiyo-0165-api-version-update.
Message-ID: <4D403B84.2020106@redhat.com>

-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-admiyo-0165-api-version-update.patch
Type: text/x-patch
Size: 11162 bytes

From rcritten at redhat.com Wed Jan 26 15:20:15 2011
From: rcritten at redhat.com (Rob Crittenden)
Date: Wed, 26 Jan 2011 10:20:15 -0500
Subject: [Freeipa-devel] [PATCH] admiyo-0165-api-version-update.
In-Reply-To: <4D403B84.2020106@redhat.com>
References: <4D403B84.2020106@redhat.com>
Message-ID: <4D403BAF.1060509@redhat.com>

Adam Young wrote:
>

ack

From ayoung at redhat.com Wed Jan 26 15:23:33 2011
From: ayoung at redhat.com (Adam Young)
Date: Wed, 26 Jan 2011 10:23:33 -0500
Subject: [Freeipa-devel] [PATCH] admiyo-0165-api-version-update.
In-Reply-To: <4D403BAF.1060509@redhat.com>
References: <4D403B84.2020106@redhat.com> <4D403BAF.1060509@redhat.com>
Message-ID: <4D403C75.2090505@redhat.com>

On 01/26/2011 10:20 AM, Rob Crittenden wrote:
> Adam Young wrote:
>>
>
> ack

Pushed to master

From dpal at redhat.com Wed Jan 26 15:20:47 2011
From: dpal at redhat.com (Dmitri Pal)
Date: Wed, 26 Jan 2011 10:20:47 -0500
Subject: [Freeipa-devel] [PATCH] 017 ACI plugin supports prefixes
In-Reply-To: <1296052408.17168.1.camel@dhcp-25-52.brq.redhat.com>
References: <1296052408.17168.1.camel@dhcp-25-52.brq.redhat.com>
Message-ID: <4D403BCF.6010907@redhat.com>

Martin Kosek wrote:
> When more than one plugin produces ACIs, they share a common namespace
> of ACI names. This may lead to name collisions between the ACIs
> from different plugins.
>
> This patch introduces a mandatory "prefix" attribute for non-find
> ACI operations which allows plugins to use their own prefixes
> (i.e. namespaces), which are then used when the name of the ACI is
> generated.
>
> The Permission, Delegation and Selfservice plugins have been updated
> to use their own prefixes, thus avoiding name collisions by using
> their own namespaces. Default ACIs in LDIFs have been updated to
> follow this new policy.
>
> The Permission plugin now uses its CN (= primary key) instead of
> description in ACI names, as Description may not be unique.
>
> This change requires an IPA server reinstall since the default ACI
> set has been changed.
>
> https://fedorahosted.org/freeipa/ticket/764
>

I took a quick look.

Rob, I thought that there are different APIs for self and delegation. Is
this the case?
ipa permission-... functions should never deal with self service or
delegation ACIs. They are just for the permission ACIs connected to the
target groups.
I do not think this is the right approach.
The prefix is needed but it should be automatically added if you use this
interface.

-- 
Thank you,
Dmitri Pal

Sr. Engineering Manager IPA project,
Red Hat Inc.

-------------------------------
Looking to carve out IT costs?
www.redhat.com/carveoutcosts/

From jzeleny at redhat.com Wed Jan 26 15:25:26 2011
From: jzeleny at redhat.com (Jan Zelený)
Date: Wed, 26 Jan 2011 16:25:26 +0100
Subject: [Freeipa-devel] [PATCH] 041 Add example of DNS SRV record and a simple validator
In-Reply-To: <4D40331C.70003@redhat.com>
References: <4D4031FC.9070503@redhat.com> <4D40331C.70003@redhat.com>
Message-ID: <201101261625.26634.jzeleny@redhat.com>

Jakub Hrozek wrote:
> On 01/26/2011 03:38 PM, Jakub Hrozek wrote:
> > https://fedorahosted.org/freeipa/ticket/846
>
> This version contains a better example (consistent zone name).

ack

Jan

From mkosek at redhat.com Wed Jan 26 15:31:08 2011
From: mkosek at redhat.com (Martin Kosek)
Date: Wed, 26 Jan 2011 16:31:08 +0100
Subject: [Freeipa-devel] [PATCH] 017 ACI plugin supports prefixes
In-Reply-To: <4D403BCF.6010907@redhat.com>
References: <1296052408.17168.1.camel@dhcp-25-52.brq.redhat.com> <4D403BCF.6010907@redhat.com>
Message-ID: <1296055868.17168.8.camel@dhcp-25-52.brq.redhat.com>

On Wed, 2011-01-26 at 10:20 -0500, Dmitri Pal wrote:
> I took a quick look.
>
> Rob, I thought that there are different APIs for self and delegation. Is
> this the case?
> ipa permission-... functions should never deal with self service or
> delegation ACIs. They are just for the permission ACIs connected to the
> target groups.
> I do not think this is the right approach.
> The prefix is needed but it should be automatically added if you use this
> interface.

Well, this patch ensures that permission-* functions will not deal with
selfservice or delegation ACIs. Each of these plugins has its own prefix
(e.g. "permission:" or "delegation:") which is added to the underlying
ACI name.

Because of this, the Permission, Selfservice and Delegation plugins work
only with ACIs with "their" prefix. The prefix is not visible to the user; it
is passed to the ACI functions automatically by the Permission, Delegation and
Selfservice plugins.

Martin

From dpal at redhat.com Wed Jan 26 15:36:54 2011
From: dpal at redhat.com (Dmitri Pal)
Date: Wed, 26 Jan 2011 10:36:54 -0500
Subject: [Freeipa-devel] [PATCH] 017 ACI plugin supports prefixes
In-Reply-To: <1296055868.17168.8.camel@dhcp-25-52.brq.redhat.com>
References: <1296052408.17168.1.camel@dhcp-25-52.brq.redhat.com> <4D403BCF.6010907@redhat.com> <1296055868.17168.8.camel@dhcp-25-52.brq.redhat.com>
Message-ID: <4D403F96.6070707@redhat.com>

Martin Kosek wrote:
> On Wed, 2011-01-26 at 10:20 -0500, Dmitri Pal wrote:
>
>> I took a quick look.
>>
>> Rob, I thought that there are different APIs for self and delegation. Is
>> this the case?
>> ipa permission-... functions should never deal with self service or
>> delegation ACIs. They are just for the permission ACIs connected to the
>> target groups.
>> I do not think this is the right approach.
>> The prefix is needed but it should be automatically added if you use this
>> interface.
>>
>
> Well, this patch ensures that permission-* functions will not deal with
> selfservice or delegation ACIs. Each of these plugins has its own prefix
> (e.g. "permission:" or "delegation:") which is added to the underlying
> ACI name.
>
> Because of this, the Permission, Selfservice and Delegation plugins work
> only with ACIs with "their" prefix. The prefix is not visible to the user; it
> is passed to the ACI functions automatically by the Permission, Delegation and
> Selfservice plugins.
>

Add an entirely new kind of record to IPA that isn't covered by any of the --type options, creating a permission:
- ipa permission-add --permissions=add --subtree="cn=*,cn=orange,cn=accounts,dc=example,dc=com" --desc="Add Orange Entries" add_orange
+ ipa permission-add --permissions=add --subtree="cn=*,cn=orange,cn=accounts,dc=example,dc=com" --desc="Add Orange Entries" --prefix=none add_orange

This change exposes the prefix on the command line which means you can
manage ACIs with different prefixes.
Do I misread it?

> Martin
>

-- 
Thank you,
Dmitri Pal

Sr. Engineering Manager IPA project,
Red Hat Inc.

-------------------------------
Looking to carve out IT costs?
www.redhat.com/carveoutcosts/

From mkosek at redhat.com Wed Jan 26 15:46:18 2011
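Review bot: the `+` line changes the permission-add example in the help text to pass `--prefix=none`, but the cover text says the prefix is filled in internally by the Permission, Delegation and Selfservice plugins and is not visible to the user, so this example documents an option permission-add does not accept. Drop `--prefix=none` from this line and, if the new mandatory parameter needs an example at all, put it in the aci-add examples of the ACI plugin, which is the only command that takes it.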
From: mkosek at redhat.com (Martin Kosek)
Date: Wed, 26 Jan 2011 16:46:18 +0100
Subject: [Freeipa-devel] [PATCH] 017 ACI plugin supports prefixes
In-Reply-To: <4D403F96.6070707@redhat.com>
References: <1296052408.17168.1.camel@dhcp-25-52.brq.redhat.com> <4D403BCF.6010907@redhat.com> <1296055868.17168.8.camel@dhcp-25-52.brq.redhat.com> <4D403F96.6070707@redhat.com>
Message-ID: <1296056778.17168.13.camel@dhcp-25-52.brq.redhat.com>

On Wed, 2011-01-26 at 10:36 -0500, Dmitri Pal wrote:
> Martin Kosek wrote:
> > On Wed, 2011-01-26 at 10:20 -0500, Dmitri Pal wrote:
> >
> >> I took a quick look.
> >>
> >> Rob, I thought that there are different APIs for self and delegation. Is
> >> this the case?
> >> ipa permission-... functions should never deal with self service or
> >> delegation ACIs. They are just for the permission ACIs connected to the
> >> target groups.
> >> I do not think this is the right approach.
> >> The prefix is needed but it should be automatically added if you use this
> >> interface.
> >>
> >
> > Well, this patch ensures that permission-* functions will not deal with
> > selfservice or delegation ACIs. Each of these plugins has its own prefix
> > (e.g. "permission:" or "delegation:") which is added to the underlying
> > ACI name.
> >
> > Because of this, the Permission, Selfservice and Delegation plugins work
> > only with ACIs with "their" prefix. The prefix is not visible to the user; it
> > is passed to the ACI functions automatically by the Permission, Delegation and
> > Selfservice plugins.
> >
>
> Add an entirely new kind of record to IPA that isn't covered by any of the --type options, creating a permission:
> - ipa permission-add --permissions=add --subtree="cn=*,cn=orange,cn=accounts,dc=example,dc=com" --desc="Add Orange Entries" add_orange
> + ipa permission-add --permissions=add --subtree="cn=*,cn=orange,cn=accounts,dc=example,dc=com" --desc="Add Orange Entries" --prefix=none add_orange
>
> This change exposes the prefix on the command line which means you can
> manage ACIs with different prefixes.
> Do I misread it?

In the patch, the --prefix option is allowed only for the ACI plugin, which
is hidden from the user. This option shouldn't be allowed for the
permission, delegation or selfservice plugins:

$ ipa permission-add --permissions=add --subtree="cn=*,cn=orange,cn=accounts,dc=example,dc=com" --desc="Add Orange Entries" --prefix=none add_orange
Usage: ipa [global-options] permission-add NAME [options]

ipa: error: no such option: --prefix

When these plugins access ACIs they fill in the --prefix attribute
automatically (search for the ACI_PREFIX constant in the patch).

Martin

From rcritten at redhat.com Wed Jan 26 15:56:35 2011
From: rcritten at redhat.com (Rob Crittenden)
Date: Wed, 26 Jan 2011 10:56:35 -0500
Subject: [Freeipa-devel] [PATCH] 017 ACI plugin supports prefixes
In-Reply-To: <4D403F96.6070707@redhat.com>
References: <1296052408.17168.1.camel@dhcp-25-52.brq.redhat.com> <4D403BCF.6010907@redhat.com> <1296055868.17168.8.camel@dhcp-25-52.brq.redhat.com> <4D403F96.6070707@redhat.com>
Message-ID: <4D404433.7030707@redhat.com>

Dmitri Pal wrote:
> Martin Kosek wrote:
>> On Wed, 2011-01-26 at 10:20 -0500, Dmitri Pal wrote:
>>
>>> I took a quick look.
>>>
>>> Rob, I thought that there are different APIs for self and delegation. Is
>>> this the case?
>>> ipa permission-... functions should never deal with self service or
>>> delegation ACIs. They are just for the permission ACIs connected to the
>>> target groups.
>>> I do not think this is the right approach.
>>> The prefix is needed but it should be automatically added if you use this
>>> interface.
>>>
>>
>> Well, this patch ensures that permission-* functions will not deal with
>> selfservice or delegation ACIs. Each of these plugins has its own prefix
>> (e.g. "permission:" or "delegation:") which is added to the underlying
>> ACI name.
>>
>> Because of this, the Permission, Selfservice and Delegation plugins work
>> only with ACIs with "their" prefix. The prefix is not visible to the user; it
>> is passed to the ACI functions automatically by the Permission, Delegation and
>> Selfservice plugins.
>>
>
> Add an entirely new kind of record to IPA that isn't covered by any of the --type options, creating a permission:
> - ipa permission-add --permissions=add --subtree="cn=*,cn=orange,cn=accounts,dc=example,dc=com" --desc="Add Orange Entries" add_orange
> + ipa permission-add --permissions=add --subtree="cn=*,cn=orange,cn=accounts,dc=example,dc=com" --desc="Add Orange Entries" --prefix=none add_orange
>
> This change exposes the prefix on the command line which means you can
> manage ACIs with different prefixes.
> Do I misread it?

The help changes are unneeded. The prefix is not configurable by the user.

rob

From ayoung at redhat.com Wed Jan 26 16:05:12 2011
From: ayoung at redhat.com (Adam Young)
Date: Wed, 26 Jan 2011 11:05:12 -0500
Subject: [Freeipa-devel] Opinions on Interface Layout for FreeIPA
Message-ID: <4D404638.4000206@redhat.com>

Ben, thanks for the feedback. I've taken the liberty of adding it to our
mailing list so we can have an open discussion. If you are interested,
please subscribe.

On 01/25/2011 05:25 PM, JR Aquino wrote:
>
> On 1/25/11 2:22 PM, "Ben Hamilton" wrote:
>
>> Looks like a pretty straightforward interface.
>>
>> When clicking on a host group I expect to see host members. I get the
>> need to look at the config also. Perhaps the description can be made (or
>> an icon can be added) to take the user directly to the list of hosts
>> rather than hiding it under another click.

That is a general pattern that we've identified on several of the
entities, and something we're thinking about incorporating in the future.
For example, one open ticket is: "Put DNS records on the default page
clicked off of search" https://fedorahosted.org/freeipa/ticket/592. I'd
say the general concept is: if an entity is mostly used as a container,
put the managed elements on the page you go to from search. We've had
discussions on this, and we are choosing between a couple of approaches.

>> The enrollment tabs for group membership (hosts and people) should
>> leverage drag and drop rather than checkboxes and the assignment
>> buttons,
>> it's not just a nice to have - it's expected behavior.

Interesting thought. Drag and drop on the Web is tricky, as most browsers
now support some aspect of dragging icons around. Personally, I've been
reluctant to use drag and drop for web apps, as people seem to have been
trained not to do so. We'll keep this in mind, though. It isn't a case of
being difficult to implement, but harder to get it right.

>> Naturally the FreeIPA icon, color scheme and font faces should all be
>> customized through an icon upload and config screen and/or css.

Everything is themed through CSS. You can see it here:
http://admiyo.fedorapeople.org/ipa/ui/ipa.css. We are using some aligned
images to make the tab structure work clearly, and this would make
customization a little tricky. We've had some discussions on
customization, with look and feel being just one of the topics.

>> Is there any direction to take the arbitrary ipaserver tab and
>> incorporate it into the identity tab? After all, membership and
>> authorization are a natural extension of who someone is (identity and
>> authorization). If not then renaming the tab to indicate what someone
>> might be able to do with it would be a good idea.

We were trying to separate out the management of entities in the
organization from the access control for the server itself. Thus, the
three tabs for server access control mechanisms were set next to the
server config tab. However, your point is well taken, and we'll think
about the taxonomy. If I had to venture a guess, I'd say that we could
collapse the server tab into the policy tab... and possibly move DNS into
the Identity tab.

>> Ben
>>
>>
>> -----Original Message-----
>> From: JR Aquino
>> Sent: Tuesday, January 25, 2011 2:08 PM
>> To: Opsec
>> Cc: sysadmin (email)
>> Subject: Opinions on Interface Layout for FreeIPA
>>
>> http://admiyo.fedorapeople.org/ipa/ui/
>>
>> I have been asked to direct people to the static test page for
>> FreeIPA to
>> get feedback regarding its layout and design.
>>
>> Please let me know what you think, what doesn't make sense or looks
>> ugly,
>> etc...
>>
>> I'll be forwarding the comments back to the web developers.
>>
>> Thanks!!!
>>
>> -JR
>>

From rcritten at redhat.com Wed Jan 26 16:25:03 2011
From: rcritten at redhat.com (Rob Crittenden)
Date: Wed, 26 Jan 2011 11:25:03 -0500
Subject: [Freeipa-devel] [PATCH] 041 Add example of DNS SRV record and a simple validator
In-Reply-To: <4D40331C.70003@redhat.com>
References: <4D4031FC.9070503@redhat.com> <4D40331C.70003@redhat.com>
Message-ID: <4D404ADF.2000009@redhat.com>

Jakub Hrozek wrote:
> On 01/26/2011 03:38 PM, Jakub Hrozek wrote:
>> https://fedorahosted.org/freeipa/ticket/846
>
> This version contains a better example (consistent zone name).

This requires a change to API.txt too, otherwise the patch looks good.

rob

From mkosek at redhat.com Wed Jan 26 16:29:36 2011
From: mkosek at redhat.com (Martin Kosek)
Date: Wed, 26 Jan 2011 17:29:36 +0100
Subject: [Freeipa-devel] [PATCH] 017 ACI plugin supports prefixes
In-Reply-To: <4D404433.7030707@redhat.com>
References: <1296052408.17168.1.camel@dhcp-25-52.brq.redhat.com> <4D403BCF.6010907@redhat.com> <1296055868.17168.8.camel@dhcp-25-52.brq.redhat.com> <4D403F96.6070707@redhat.com> <4D404433.7030707@redhat.com>
Message-ID: <1296059376.17168.20.camel@dhcp-25-52.brq.redhat.com>

On Wed, 2011-01-26 at 10:56 -0500, Rob Crittenden wrote:
> Dmitri Pal wrote:
> > Martin Kosek wrote:
> >> On Wed, 2011-01-26 at 10:20 -0500, Dmitri Pal wrote:
> >>
> >>> I took a quick look.
> >>>
> >>> Rob, I thought that there are different APIs for self and delegation. Is
> >>> this the case?
> >>> ipa permission-... functions should never deal with self service or
> >>> delegation ACIs. They are just for the permission ACIs connected to the
> >>> target groups.
> >>> I do not think this is the right approach.
> >>> The prefix is needed but it should be automatically added if you use this
> >>> interface.
> >>>
> >>
> >> Well, this patch ensures that permission-* functions will not deal with
> >> selfservice or delegation ACIs. Each of these plugins has its own prefix
> >> (e.g. "permission:" or "delegation:") which is added to the underlying
> >> ACI name.
> >>
> >> Because of this, the Permission, Selfservice and Delegation plugins work
> >> only with ACIs with "their" prefix. The prefix is not visible to the user; it
> >> is passed to the ACI functions automatically by the Permission, Delegation and
> >> Selfservice plugins.
> >>
> >
> > Add an entirely new kind of record to IPA that isn't covered by any of the --type options, creating a permission:
> > - ipa permission-add --permissions=add --subtree="cn=*,cn=orange,cn=accounts,dc=example,dc=com" --desc="Add Orange Entries" add_orange
> > + ipa permission-add --permissions=add --subtree="cn=*,cn=orange,cn=accounts,dc=example,dc=com" --desc="Add Orange Entries" --prefix=none add_orange
> >
> > This change exposes the prefix on the command line which means you can
> > manage ACIs with different prefixes.
> > Do I misread it?
>
> The help changes are unneeded. The prefix is not configurable by the user.
>
> rob

Ah, now I see the source of confusion. My bad.

I fixed the help in the ACI plugin (even though this plugin is not visible
in the CLI). There were examples for using the aci-add command and I wanted
to add the new mandatory parameter there, so that the user is not prompted
for it. Unfortunately, I didn't notice there was one permission-add example
as well; the --prefix attribute is not valid for this command.

Patch #2 with the fixed permission-add example and a rebase to current
master is attached.

Martin

-------------- next part --------------
A non-text attachment was scrubbed...
Name: mkosek-freeipa-017-02-aci-plugin-supports-prefixes.patch
Type: text/x-patch
Size: 52068 bytes

From rcritten at redhat.com Wed Jan 26 16:39:37 2011
From: rcritten at redhat.com (Rob Crittenden) Date: Wed, 26 Jan 2011 11:39:37 -0500 Subject: [Freeipa-devel] [PATCH] Add ldap2 method to retrieve allowed attributes for specified objectClasses. In-Reply-To: <201101261055.37254.jzeleny@redhat.com> References: <4D3EECC6.4040807@redhat.com> <201101261055.37254.jzeleny@redhat.com> Message-ID: <4D404E49.7050902@redhat.com> Jan Zelený wrote: > Pavel Zuna wrote: >> ldap2.get_allowed_attributes(['posixuser']) >> >> returns a list of unicode all lower case attribute names allowed for the >> object class 'posixuser' >> >> You can enter as many object classes as you want. >> >> Pavel > > ack > > Jan pushed to master From rcritten at redhat.com Wed Jan 26 16:39:45 2011 From: rcritten at redhat.com (Rob Crittenden) Date: Wed, 26 Jan 2011 11:39:45 -0500 Subject: [Freeipa-devel] [PATCH] Raise ValidationError when adding unallowed attribute to search fields. In-Reply-To: <201101261055.46011.jzeleny@redhat.com> References: <4D3EED14.1000208@redhat.com> <201101261055.46011.jzeleny@redhat.com> Message-ID: <4D404E51.2090308@redhat.com> Jan Zelený wrote: > Pavel Zuna wrote: >> Depends on my previous patch number 64 (posted on the list 2 minutes ago). >> >> Ticket #845 >> >> Pavel > > ack > > Jan pushed to master From ayoung at redhat.com Wed Jan 26 17:37:51 2011
From: ayoung at redhat.com (Adam Young) Date: Wed, 26 Jan 2011 12:37:51 -0500 Subject: [Freeipa-devel] [PATCH] admiyo-0154-declarative-defintions In-Reply-To: <4D38918C.4060804@redhat.com> References: <4D385E67.8030507@redhat.com> <4D38918C.4060804@redhat.com> Message-ID: <4D405BEF.2030409@redhat.com> Rebased on top of origin/master, and made changes. See comments below. On 01/20/2011 02:48 PM, Endi Sukma Dewata wrote: > On 1/20/2011 11:10 PM, Adam Young wrote: >> If you ACK, please don't push, but let me do so, as it will likely >> conflict with other UI work. > > There are no major issues, just some comments: > > 1. The declarative definition is a bit inconsistent. Some methods like > association() take a spec, but other methods like facet() take an > object instance. > > association({ > 'name': 'netgroup', > 'associator': 'serial' > }). > facet( > IPA.search_facet({ > 'name': 'search', > 'label': 'Search' > }). The difference is for things that are created self contained, like association, and things like search and details facets that require additional declaration. We could change the association call to require creating the association, but not the other way around. Aside: there should be no need to specify name or label for search and details. > > 2. The diff tool uses the first line of the function to mark the > chunks like this:
> > @@ -593,10 +593,7 @@ IPA.permission = function () { > > Having a function name in the first line would make it easier to read. > Compare this definition: > > IPA.permission = function () { > > with this definition: > > IPA.register_entity(function () { Even better, we can use an associative array, and do the two at once. > > 3. The following lines (webui.js:128-133): > > IPA.start_entities(); > > for (var i=0; i var entity = IPA.entities[i]; > entity.init(); > } > > probably could be combined into a single method: > > IPA.init_entities(); Done > > I think this method name will make more sense. > > 4. Entity's init_dialogs() probably could be merged into entity.init(). Done > > 5. The entity_factories is probably better be named entity_classes. > Factory is usually an object that creates multiple other objects. The > entity 'factory' is really the entity class which is only instantiated > once. Nah, Factory can create only a single instance. Classes is too loaded a term. > > 6. Typo on search.js:258: > > spec.label = spec.lable || IPA.messages.facets.search; Fixed -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-admiyo-0154-1-declarative-defintions.patch Type: text/x-patch Size: 42547 bytes Desc: not available URL: From ayoung at redhat.com Wed Jan 26 19:19:38 2011 From: ayoung at redhat.com (Adam Young) Date: Wed, 26 Jan 2011 14:19:38 -0500 Subject: [Freeipa-devel] [PATCH] admiyo-0166-declarative-for-aci Message-ID: <4D4073CA.1050809@redhat.com> Fixes https://fedorahosted.org/freeipa/ticket/772 Depends on freeipa-admiyo-0154-1-declarative-defintions.patch -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-admiyo-0166-declarative-for-aci.patch Type: text/x-patch Size: 17230 bytes Desc: not available URL: From ayoung at redhat.com Wed Jan 26 19:53:52 2011
From: ayoung at redhat.com (Adam Young) Date: Wed, 26 Jan 2011 14:53:52 -0500 Subject: [Freeipa-devel] [PATCH] admiyo-0167-adding-label-for-RBAC Message-ID: <4D407BD0.1080600@redhat.com> Role Based Access control is supposed to be spelled out in the tabs. An earlier patch also broke the Title for the RBAC Action Panel. This fixes both. Depends on all my previous patches -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-admiyo-0167-adding-label-for-RBAC.patch Type: text/x-patch Size: 9645 bytes Desc: not available URL: From ssorce at redhat.com Wed Jan 26 20:50:05 2011 
From: ssorce at redhat.com (Simo Sorce) Date: Wed, 26 Jan 2011 15:50:05 -0500 Subject: [Freeipa-devel] [PATCH] 039 Delete the whole DNS record with no parameters In-Reply-To: <4D3D91F2.6050002@redhat.com> References: <4D38325E.4060901@redhat.com> <4D38AB00.3040701@redhat.com> <4D38B6D9.9080408@redhat.com> <20110120175336.0eba6460@willson.li.ssimo.org> <4D39A0F9.4030502@redhat.com> <4D39BA48.4000907@redhat.com> <4D3D91F2.6050002@redhat.com> Message-ID: <1296075005.20166.14.camel@willson.li.ssimo.org> On Mon, 2011-01-24 at 15:51 +0100, Jakub Hrozek wrote: > -----BEGIN PGP SIGNED MESSAGE----- > Hash: SHA1 > > On 01/21/2011 05:54 PM, Rob Crittenden wrote: > > Jakub Hrozek wrote: > >> -----BEGIN PGP SIGNED MESSAGE----- > >> Hash: SHA1 > >> > >> On 01/20/2011 11:53 PM, Simo Sorce wrote: > >>> On Thu, 20 Jan 2011 17:27:37 -0500 > >>> Dmitri Pal wrote: > >>> > >>>> Michael Gregg wrote: > >>>>> Jakub Hrozek wrote: > >>>>> Hi, > >>>>> > >>>>> as discussed in https://bugzilla.redhat.com/show_bug.cgi?id=671019 > >>>>> to delete a DNS RR one has to remove its record types one by one. > >>>>> > >>>>> This patch modifies the behaviour so that if the user runs > >>>>> dnsrecord-del with no other parameters, the > >>>>> whole record is removed. > >>>>> > >>>>> Alternative solutions might be to expose the internal command that > >>>>> is able to delete the record (although I think it is > >>>>> counterintuitive to have one command to remove record types and one > >>>>> for the whole record) or have a special flag (--del-all?) to remove > >>>>> the whole record. > >>>>> > >>>>> The patch also fixes the unit tests as they didn't reflect all the > >>>>> recent changes. 
> >>>> > >>>>> Going with this patch sounds good, but to make sure, I polled > >>>>> several > >>>> people here, and they all seemed to think that having to add a > >>>> --del-all or --del-record flag at the end would be better as it would > >>>> be less prone to failure where admins would accidentally delete an > >>>> entire record because they didn't specify anything after the " > >>>> " > >>>> > >>>>> So, maybe we do need a --del-all or --del-record operator. > >>>> > >>>> Agree. > >>> > >>> +1 > >>> Someone may simply push enter accidentally while checking what to write > >>> after the command. It would be rather unfortunate. > >>> > >>> Simo. > >>> > >>> > >> > >> Attached is a new version of the patch that implements --del-all. It > >> also reports failure when deleting a nonexistent RR (new ticket 829). > > > > nack, this isn't working properly for me. > > > > Here is how I tested: > > > > - add a new zone, newzone1 > > - ipa dnsrecord-add newzone1 as --a-rec 3.4.5.6 > > - ipa dnsrecord-add newzone1 as > > Record name: as > > A record: 3.4.5.6 > > - ipa dnsrecord-show newzone1 as > > Record name: as > > A record: 3.4.5.6 > > - ipa dnsrecord-del newzone1 as --del-all > > [ no output ] > > - ipa dnsrecord-show newzone1 as > > ipa: ERROR: as: DNS resource record not found > > > > So a couple of problems: > > > > 1. An error should have been thrown when I tried a delete without a > > specific record type. > > I agree but I was reluctant to do this because it was perfectly OK to > call "dnsrecord-add" with no options. That would create an empty DNS > record. The interface was orthogonal so "dnsrecord-del" with no options > would remove the record if it was empty. But I don't think an empty DNS > record makes any sense. > > I changed the behaviour such that: > * dnsrecord-add with no attributes is no longer allowed. You have to > specify at least one RR type. Apparently this is not effective, I was able to add an empty DNS record.
> * dnsrecord-del with no attributes is no longer allowed. You have to > either specify a RR type or --del-all. This one tested right. > > 2. Some output should be displayed when I delete all records, at least a > > summary. > > > > Agreed and fixed. This also checks out. Simo. -- Simo Sorce * Red Hat, Inc * New York From ssorce at redhat.com Wed Jan 26 20:57:32 2011 From: ssorce at redhat.com (Simo Sorce) Date: Wed, 26 Jan 2011 15:57:32 -0500 Subject: [Freeipa-devel] [PATCH] 691 add --hostname option to ipa-client-install In-Reply-To: <4D3DFEA4.9010500@redhat.com> References: <4D3DFEA4.9010500@redhat.com> Message-ID: <1296075452.20166.15.camel@willson.li.ssimo.org> On Mon, 2011-01-24 at 17:35 -0500, Rob Crittenden wrote: > Let the installer override the detected hostname value with the > --hostname flag. This is likely to lead to a non-working installation so > let the buyer beware. > > ticket 834 Works as expected. Ack and pushed to master. Simo. -- Simo Sorce * Red Hat, Inc * New York From ayoung at redhat.com Wed Jan 26 21:16:04 2011 From: ayoung at redhat.com (Adam Young) Date: Wed, 26 Jan 2011 16:16:04 -0500 Subject: [Freeipa-devel] [PATCH] admiyo-0168-target-style-cleanup Message-ID: <4D408F14.2060601@redhat.com> Does not depend on any previous patches. -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-admiyo-0168-target-style-cleanup.patch Type: text/x-patch Size: 9936 bytes Desc: not available URL: From kybaker at redhat.com Wed Jan 26 21:14:15 2011 
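As an added example, not part of the thread and not FreeIPA's own code, the dnsrecord-add / dnsrecord-del rules the reviewers settled on above (no empty records, no deletion without an explicit RR type or --del-all, an error for a nonexistent record, a summary on full deletion), modelled over a constructed in-memory zone; `make_zone`, `dnsrecord_add`, `dnsrecord_del`, `run` and the error classes are all hypothetical names.

```python
"""Hypothetical model of the dnsrecord-add / dnsrecord-del option rules.
The real commands operate on LDAP entries; this keeps a dict so the
accidental-deletion case can be exercised offline."""


class DNSError(Exception):
    """Base class for the two errors the commands raise."""


class OptionError(DNSError):
    """Bad option combination: nothing given, or --del-all with RR types."""


class NotFound(DNSError):
    """Record, RR type or value does not exist."""


def make_zone():
    """Constructed sample zone: record name -> {rrtype: [values]}."""
    return {
        "as": {"a": ["3.4.5.6"]},
        "mail": {"a": ["10.0.0.2"], "mx": ["10 mail.example.com."]},
    }


def _given(rrs):
    """Keep only the RR-type options the caller actually supplied."""
    return {k: list(v) for k, v in rrs.items() if v}


def dnsrecord_add(zone, name, **rrs):
    """Refuse to create an empty record: at least one RR type is required."""
    rrs = _given(rrs)
    if not rrs:
        raise OptionError("at least one RR type must be given")
    rec = zone.setdefault(name, {})
    for rrtype, values in rrs.items():
        rec.setdefault(rrtype, []).extend(values)
    return {rrtype: list(vals) for rrtype, vals in rec.items()}


def dnsrecord_del(zone, name, del_all=False, **rrs):
    """Remove RR values, or the whole record only when --del-all is explicit."""
    rrs = _given(rrs)
    if del_all and rrs:
        raise OptionError("--del-all cannot be combined with RR types")
    if not del_all and not rrs:
        # The case the reviewers worried about: a bare Enter deletes nothing.
        raise OptionError("specify an RR type to remove, or --del-all")
    if name not in zone:
        raise NotFound("%s: DNS resource record not found" % name)
    if del_all:
        del zone[name]
        return {"summary": 'Deleted record "%s"' % name, "result": {}}
    rec = zone[name]
    for rrtype, values in rrs.items():
        if rrtype not in rec:
            raise NotFound("%s: %s record not found" % (name, rrtype.upper()))
        for value in values:
            if value not in rec[rrtype]:
                raise NotFound("%s: %s value %r not found"
                               % (name, rrtype.upper(), value))
            rec[rrtype].remove(value)
        if not rec[rrtype]:
            del rec[rrtype]
    if not rec:
        # Last RR type gone: drop the record instead of leaving an empty one.
        del zone[name]
        return {"summary": 'Deleted record "%s"' % name, "result": {}}
    return {
        "summary": 'Deleted %s from "%s"' % (", ".join(sorted(rrs)), name),
        "result": {rrtype: list(vals) for rrtype, vals in rec.items()},
    }


def run(command, *args, **kwargs):
    """Run a command and fold errors into a (status, detail) tuple."""
    try:
        return ("ok", command(*args, **kwargs))
    except DNSError as err:
        return (type(err).__name__, str(err))


if __name__ == "__main__":
    zone = make_zone()
    print(run(dnsrecord_del, zone, "as"))                # refused: no options
    print(run(dnsrecord_del, zone, "as", del_all=True))  # whole record, with summary
    print(run(dnsrecord_del, zone, "as", del_all=True))  # now an error, not silence
```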
From: kybaker at redhat.com (Kyle Baker) Date: Wed, 26 Jan 2011 16:14:15 -0500 (EST) Subject: [Freeipa-devel] [PATCH] admiyo-0166-declarative-for-aci In-Reply-To: <4D4073CA.1050809@redhat.com> Message-ID: <212426146.146416.1296076455566.JavaMail.root@zmail05.collab.prod.int.phx2.redhat.com> ACK ----- Original Message ----- > Fixes https://fedorahosted.org/freeipa/ticket/772 > > Depends on freeipa-admiyo-0154-1-declarative-defintions.patch > > _______________________________________________ > Freeipa-devel mailing list > Freeipa-devel at redhat.com > https://www.redhat.com/mailman/listinfo/freeipa-devel -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-admiyo-0166-declarative-for-aci.patch Type: text/x-patch Size: 17230 bytes Desc: not available URL: From kybaker at redhat.com Wed Jan 26 21:14:26 2011 From: kybaker at redhat.com (Kyle Baker) Date: Wed, 26 Jan 2011 16:14:26 -0500 (EST) Subject: [Freeipa-devel] [PATCH] admiyo-0167-adding-label-for-RBAC In-Reply-To: <4D407BD0.1080600@redhat.com> Message-ID: <1432619990.146423.1296076466075.JavaMail.root@zmail05.collab.prod.int.phx2.redhat.com> ACK ----- Original Message ----- > Role Based Access control is supposed to be spelled out in the tabs. > An > earlier patch also broke the Title for the RBAC Action Panel. This > fixes both. Depends on all my previous patches > > _______________________________________________ > Freeipa-devel mailing list > Freeipa-devel at redhat.com > https://www.redhat.com/mailman/listinfo/freeipa-devel -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-admiyo-0167-adding-label-for-RBAC.patch Type: text/x-patch Size: 9645 bytes Desc: not available URL: From kybaker at redhat.com Wed Jan 26 21:14:42 2011 
From: kybaker at redhat.com (Kyle Baker) Date: Wed, 26 Jan 2011 16:14:42 -0500 (EST) Subject: [Freeipa-devel] [PATCH] admiyo-0168-target-style-cleanup In-Reply-To: <4D408F14.2060601@redhat.com> Message-ID: <1311815328.146426.1296076482426.JavaMail.root@zmail05.collab.prod.int.phx2.redhat.com> ACK ----- Original Message ----- > Does not depend on any previous patches. > > _______________________________________________ > Freeipa-devel mailing list > Freeipa-devel at redhat.com > https://www.redhat.com/mailman/listinfo/freeipa-devel -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-admiyo-0168-target-style-cleanup.patch Type: text/x-patch Size: 9936 bytes Desc: not available URL: From ayoung at redhat.com Wed Jan 26 21:18:56 2011 From: ayoung at redhat.com (Adam Young) Date: Wed, 26 Jan 2011 16:18:56 -0500 Subject: [Freeipa-devel] [PATCH] admiyo-0166-declarative-for-aci In-Reply-To: <212426146.146416.1296076455566.JavaMail.root@zmail05.collab.prod.int.phx2.redhat.com> References: <212426146.146416.1296076455566.JavaMail.root@zmail05.collab.prod.int.phx2.redhat.com> Message-ID: <4D408FC0.2060500@redhat.com> On 01/26/2011 04:14 PM, Kyle Baker wrote: > ACK > > ----- Original Message ----- >> Fixes https://fedorahosted.org/freeipa/ticket/772 >> >> Depends on freeipa-admiyo-0154-1-declarative-defintions.patch >> >> _______________________________________________ >> Freeipa-devel mailing list >> Freeipa-devel at redhat.com >> https://www.redhat.com/mailman/listinfo/freeipa-devel Hold on that...this requires edewata to sign off on. From ayoung at redhat.com Wed Jan 26 21:31:55 2011 
From: ayoung at redhat.com (Adam Young) Date: Wed, 26 Jan 2011 16:31:55 -0500 Subject: [Freeipa-devel] [PATCH] admiyo-0168-target-style-cleanup In-Reply-To: <1311815328.146426.1296076482426.JavaMail.root@zmail05.collab.prod.int.phx2.redhat.com> References: <1311815328.146426.1296076482426.JavaMail.root@zmail05.collab.prod.int.phx2.redhat.com> Message-ID: <4D4092CB.70605@redhat.com> On 01/26/2011 04:14 PM, Kyle Baker wrote: > ACK > > ----- Original Message ----- >> Does not depend on any previous patches. >> >> _______________________________________________ >> Freeipa-devel mailing list >> Freeipa-devel at redhat.com >> https://www.redhat.com/mailman/listinfo/freeipa-devel Pushed to master From ayoung at redhat.com Wed Jan 26 21:32:41 2011 
From: ayoung at redhat.com (Adam Young) Date: Wed, 26 Jan 2011 16:32:41 -0500 Subject: [Freeipa-devel] [PATCH] admiyo-0154-declarative-defintions In-Reply-To: <4D405BEF.2030409@redhat.com> References: <4D385E67.8030507@redhat.com> <4D38918C.4060804@redhat.com> <4D405BEF.2030409@redhat.com> Message-ID: <4D4092F9.9050700@redhat.com> On 01/26/2011 12:37 PM, Adam Young wrote: > Rebased on top of origin/master, and made changes. See comments below. > > > On 01/20/2011 02:48 PM, Endi Sukma Dewata wrote: >> On 1/20/2011 11:10 PM, Adam Young wrote: >>> If you ACK, please don't push, but let me do so, as it will likely >>> conflict with other UI work. >> >> There are no major issues, just some comments: >> >> 1. The declarative definition is a bit inconsistent. Some methods >> like association() take a spec, but other methods like facet() take >> an object instance. >> >> association({ >> 'name': 'netgroup', >> 'associator': 'serial' >> }). >> facet( >> IPA.search_facet({ >> 'name': 'search', >> 'label': 'Search' >> }). > > The difference is for things that are created self contained, like > association, and things like search and details facets that require > additional declaration. We could change the association call to > require creating the association, but not the other way around. > > Aside: there should be no need to specify name or label for search and > details. > >> >> 2. The diff tool uses the first line of the function to mark the >> chunks like this:
>> >> @@ -593,10 +593,7 @@ IPA.permission = function () { >> >> Having a function name in the first line would make it easier to >> read. Compare this definition: >> >> IPA.permission = function () { >> >> with this definition: >> >> IPA.register_entity(function () { > > Even better, we can use an associative array, and do the two at once. > > >> >> 3. The following lines (webui.js:128-133): >> >> IPA.start_entities(); >> >> for (var i=0; i> var entity = IPA.entities[i]; >> entity.init(); >> } >> >> probably could be combined into a single method: >> >> IPA.init_entities(); > Done > >> >> I think this method name will make more sense. >> >> 4. Entity's init_dialogs() probably could be merged into entity.init(). > > Done >> >> 5. The entity_factories is probably better be named entity_classes. >> Factory is usually an object that creates multiple other objects. The >> entity 'factory' is really the entity class which is only >> instantiated once. > > Nah, Factory can create only a single instance. Classes is too loaded > a term. >> >> 6. Typo on search.js:258: >> >> spec.label = spec.lable || IPA.messages.facets.search; > > Fixed > > > _______________________________________________ > Freeipa-devel mailing list > Freeipa-devel at redhat.com > https://www.redhat.com/mailman/listinfo/freeipa-devel Rebased -------------- next part -------------- An HTML attachment was scrubbed... URL: -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-admiyo-0154-2-declarative-defintions.patch Type: text/x-patch Size: 42497 bytes Desc: not available URL: From ayoung at redhat.com Wed Jan 26 21:44:55 2011
From: ayoung at redhat.com (Adam Young) Date: Wed, 26 Jan 2011 16:44:55 -0500 Subject: [Freeipa-devel] [PATCH] Check field's validity before executing add In-Reply-To: <4D3DC0D0.2040608@redhat.com> References: <4D3B7B01.4050404@redhat.com> <4D3DC0D0.2040608@redhat.com> Message-ID: <4D4095D7.10002@redhat.com> On 01/24/2011 01:11 PM, Adam Young wrote: > On 01/22/2011 07:49 PM, Endi Sukma Dewata wrote: >> This should fix this bug: >> https://fedorahosted.org/freeipa/ticket/660 >> >> >> _______________________________________________ >> Freeipa-devel mailing list >> Freeipa-devel at redhat.com >> https://www.redhat.com/mailman/listinfo/freeipa-devel > NACK: Too many false positives: > > Try adding a user group. Group name works as designed, others do not > allow anything through. I think you are not accounting for null > validation. > > > _______________________________________________ > Freeipa-devel mailing list > Freeipa-devel at redhat.com > https://www.redhat.com/mailman/listinfo/freeipa-devel With this change it works. ACK and pushed to master -------------- next part -------------- An HTML attachment was scrubbed... URL: -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-edewata-0080-2-Check-field-s-validity-before-executing-add.patch Type: text/x-patch Size: 6901 bytes Desc: not available URL: From ayoung at redhat.com Wed Jan 26 21:52:00 2011 From: ayoung at redhat.com (Adam Young) Date: Wed, 26 Jan 2011 16:52:00 -0500 Subject: [Freeipa-devel] [PATCH] admiyo-0169-reset-target-section Message-ID: <4D409780.4030206@redhat.com> -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-admiyo-0169-reset-target-section.patch Type: text/x-patch Size: 1180 bytes Desc: not available URL: From rcritten at redhat.com Wed Jan 26 22:55:53 2011
From: rcritten at redhat.com (Rob Crittenden) Date: Wed, 26 Jan 2011 17:55:53 -0500 Subject: [Freeipa-devel] [PATCH] 017 ACI plugin supports prefixes In-Reply-To: <1296059376.17168.20.camel@dhcp-25-52.brq.redhat.com> References: <1296052408.17168.1.camel@dhcp-25-52.brq.redhat.com> <4D403BCF.6010907@redhat.com> <1296055868.17168.8.camel@dhcp-25-52.brq.redhat.com> <4D403F96.6070707@redhat.com> <4D404433.7030707@redhat.com> <1296059376.17168.20.camel@dhcp-25-52.brq.redhat.com> Message-ID: <4D40A679.4040205@redhat.com> Martin Kosek wrote: > On Wed, 2011-01-26 at 10:56 -0500, Rob Crittenden wrote: >> Dmitri Pal wrote: >>> Martin Kosek wrote: >>>> On Wed, 2011-01-26 at 10:20 -0500, Dmitri Pal wrote: >>>> >>>>> I took a quick look. >>>>> >>>>> Rob, I thought that there are different APIs for self and delegation. Is >>>>> this the case? >>>>> ipa permission-... functions should never deal with self service or >>>>> delegation acis >>>>> They are just for the permission ACIs connected to the target groups. >>>>> I do not think this is the right approach. >>>>> The prefix is needed but it should be automatically added if you use this >>>>> interface. >>>>> >>>> >>>> Well, this patch ensures that permission-* functions will not deal with >>>> selfservice or delegation ACIs. Each of these plugins has its own prefix >>>> (e.g. "permission:" or "delegation:") which is added to the underlying >>>> ACI name. >>>> >>>> Because of this, the Permission, Selfservice and Delegation plugins work >>>> only with ACIs with "their" prefix. Prefix is not visible for user, it >>>> is passed to ACI functions automatically by Permission, Delegation and >>>> Selfservice plugins.
>>>> >>>> >>> >>> >>> Add an entirely new kind of record to IPA that isn't covered by any of the --type options, creating a permission: >>> - ipa permission-add --permissions=add --subtree="cn=*,cn=orange,cn=accounts,dc=example,dc=com" --desc="Add Orange Entries" add_orange >>> + ipa permission-add --permissions=add --subtree="cn=*,cn=orange,cn=accounts,dc=example,dc=com" --desc="Add Orange Entries" --prefix=none add_orange >>> >>> This change exposes the prefix on the command line which means you can >>> manage ACIs with different prefixes. >>> Do i misread it? >> >> The help changes are unneeded. The prefix is not configurable by the user. >> >> rob > > Ah, now I see the source of confusion. My bad. I fixed help in ACI > plugin (even though this plugin is not visible for CLI). There were > examples for using aci-add command and I wanted to add a new mandatory > parameter here, so that user is not prompted for it. > > Unfortunately, I didn't notice there was one permission-add example - > --prefix attribute is not valid for this command. A patch #2 with fixed > permission-add example + rebase to current master is attached. > > Martin ack, pushed to master From ssorce at redhat.com Wed Jan 26 23:05:38 2011 
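As an added example, not part of this thread and not FreeIPA's own code, the prefix scoping Martin describes (a plugin-specific prefix stored in the ACI name so that Permission, Delegation and Selfservice commands only ever see "their" ACIs, plus a `none` scope for unprefixed ACIs as in the `--prefix=none` help example); `AciStore`, `PREFIXES`, `NotFound`, `DuplicateEntry` and `attempt` are hypothetical stand-ins for the LDAP-backed ACI plugin.

```python
"""Hypothetical model of per-plugin ACI name prefixes. The stored name is
prefix + user-visible name; users never pass the prefix themselves."""


class NotFound(Exception):
    """ACI does not exist inside the caller's prefix scope."""


class DuplicateEntry(Exception):
    """ACI with that name already exists inside the caller's prefix scope."""


# Plugin -> prefix written into the stored ACI name. "none" mirrors the
# --prefix=none spelling in the thread: the scope of ACIs with no prefix.
PREFIXES = {
    "permission": "permission:",
    "delegation": "delegation:",
    "selfservice": "selfservice:",
    "none": "",
}
_PLUGIN_PREFIXES = tuple(p for p in PREFIXES.values() if p)


class AciStore:
    """Flat stored-name -> ACI map standing in for the aci attribute values.

    Every public method takes the plugin name, not a raw prefix; the prefix
    is applied internally, so one plugin cannot name another plugin's ACI."""

    def __init__(self):
        self._acis = {}

    @staticmethod
    def _stored_name(plugin, name):
        return PREFIXES[plugin] + name

    @staticmethod
    def _in_scope(plugin, stored):
        prefix = PREFIXES[plugin]
        if prefix:
            return stored.startswith(prefix)
        # The "none" scope owns only names that carry no plugin prefix at all,
        # so typing "permission:foo" through it does not reach that ACI.
        return not stored.startswith(_PLUGIN_PREFIXES)

    def add(self, plugin, name, aci):
        stored = self._stored_name(plugin, name)
        if stored in self._acis:
            raise DuplicateEntry(name)
        self._acis[stored] = aci
        return name

    def show(self, plugin, name):
        stored = self._stored_name(plugin, name)
        if stored not in self._acis or not self._in_scope(plugin, stored):
            raise NotFound("%s: ACI not found" % name)
        return self._acis[stored]

    def delete(self, plugin, name):
        self.show(plugin, name)  # raises NotFound for anything outside the scope
        del self._acis[self._stored_name(plugin, name)]
        return name

    def find(self, plugin):
        """User-visible (prefix-stripped) names of the ACIs in one plugin's scope."""
        prefix = PREFIXES[plugin]
        return sorted(s[len(prefix):] for s in self._acis
                      if self._in_scope(plugin, s))


def attempt(method, *args):
    """Fold NotFound/DuplicateEntry into the class name so outcomes compare."""
    try:
        return method(*args)
    except (NotFound, DuplicateEntry) as err:
        return type(err).__name__


if __name__ == "__main__":
    store = AciStore()
    store.add("permission", "add_orange", "(targetattr=*)(version 3.0; ...)")
    store.add("delegation", "add_orange", "(targetattr=*)(version 3.0; ...)")
    print(store.find("permission"), store.find("delegation"), store.find("none"))
    print(attempt(store.delete, "selfservice", "add_orange"))  # NotFound
```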
From: ssorce at redhat.com (Simo Sorce) Date: Wed, 26 Jan 2011 18:05:38 -0500 Subject: [Freeipa-devel] [PATCH] 0073 properly handle entryusn on replica Message-ID: <1296083138.20166.24.camel@willson.li.ssimo.org> When re-initializing a replica it is better (for clients' sake) to always increment entryusn values, so that no change will be missed by a client querying the server. This patch configures the entryusn plugin to do the right thing. Requires ds 1.2.8 for testing (tested with the alpha in f14 updates-testing repo) Simo. -- Simo Sorce * Red Hat, Inc * New York -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-simo-0073-Address-entryusn-initialization-on-replica-installat.patch Type: text/x-patch Size: 924 bytes Desc: not available URL: From ssorce at redhat.com Wed Jan 26 23:06:40 2011 From: ssorce at redhat.com (Simo Sorce) Date: Wed, 26 Jan 2011 18:06:40 -0500 Subject: [Freeipa-devel] [PATCH] 0074 Add requires Message-ID: <1296083200.20166.25.camel@willson.li.ssimo.org> First part of ticket #855 Add the requires we will need on F15, tested against jdennis ipa-devel repo, works as expected. Simo. -- Simo Sorce * Red Hat, Inc * New York -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-simo-0074-Add-requires-for-the-pki.patch Type: text/x-patch Size: 840 bytes Desc: not available URL: From ssorce at redhat.com Wed Jan 26 23:08:37 2011
From: ssorce at redhat.com (Simo Sorce) Date: Wed, 26 Jan 2011 18:08:37 -0500 Subject: [Freeipa-devel] [PATCH] 0075 handle weird values in nolog Message-ID: <1296083317.20166.27.camel@willson.li.ssimo.org> When using ipa-replica-manage re-initialize with GSSAPI credentials it turns out that the DN password may be set to None and this can end up in the nolog list. Add a check to skip any non-string object in the log substitution list, so that the code doesn't freak out on None objects. Ticket #856 Simo. -- Simo Sorce * Red Hat, Inc * New York -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-simo-0075-Handle-nolog-list-containing-None-values.patch Type: text/x-patch Size: 948 bytes Desc: not available URL: From ayoung at redhat.com Thu Jan 27 00:26:02 2011 From: ayoung at redhat.com (Adam Young) Date: Wed, 26 Jan 2011 19:26:02 -0500 Subject: [Freeipa-devel] [PATCH] admiyo-0162-1-Tab-I18N In-Reply-To: <663806569.138175.1296053411716.JavaMail.root@zmail05.collab.prod.int.phx2.redhat.com> References: <663806569.138175.1296053411716.JavaMail.root@zmail05.collab.prod.int.phx2.redhat.com> Message-ID: <4D40BB9A.6090904@redhat.com> On 01/26/2011 09:50 AM, Kyle Baker wrote: > ACK Looks good. > > ----- Original Message ----- >> On 01/25/2011 08:04 PM, Adam Young wrote: >> >> Fixes >> https://fedorahosted.org/freeipa/ticket/849 >> and >> https://fedorahosted.org/freeipa/ticket/745 >> _______________________________________________ >> Freeipa-devel mailing list Freeipa-devel at redhat.com >> https://www.redhat.com/mailman/listinfo/freeipa-devel Third time's the >> charm. This one has the internal.py file with messages in it. >> >> _______________________________________________ >> Freeipa-devel mailing list >> Freeipa-devel at redhat.com >> https://www.redhat.com/mailman/listinfo/freeipa-devel Pushed to master From ssorce at redhat.com Thu Jan 27 00:23:29 2011
From: ssorce at redhat.com (Simo Sorce) Date: Wed, 26 Jan 2011 19:23:29 -0500 Subject: [Freeipa-devel] [PATCH] admiyo-0162-1-Tab-I18N In-Reply-To: <663806569.138175.1296053411716.JavaMail.root@zmail05.collab.prod.int.phx2.redhat.com> References: <663806569.138175.1296053411716.JavaMail.root@zmail05.collab.prod.int.phx2.redhat.com> Message-ID: <1296087809.20166.33.camel@willson.li.ssimo.org> On Wed, 2011-01-26 at 09:50 -0500, Kyle Baker wrote: > ACK Looks good. > > ----- Original Message ----- > > On 01/25/2011 08:04 PM, Adam Young wrote: > > > > Fixes > > https://fedorahosted.org/freeipa/ticket/849 > > and > > https://fedorahosted.org/freeipa/ticket/745 This was pushed to master. -- Simo Sorce * Red Hat, Inc * New York From ayoung at redhat.com Thu Jan 27 00:26:20 2011 From: ayoung at redhat.com (Adam Young) Date: Wed, 26 Jan 2011 19:26:20 -0500 Subject: [Freeipa-devel] [PATCH] admiyo-0163-dns-container In-Reply-To: <1571917526.138205.1296053469745.JavaMail.root@zmail05.collab.prod.int.phx2.redhat.com> References: <1571917526.138205.1296053469745.JavaMail.root@zmail05.collab.prod.int.phx2.redhat.com> Message-ID: <4D40BBAC.9010302@redhat.com> On 01/26/2011 09:51 AM, Kyle Baker wrote: > ACK Looks good. > > ----- Original Message ----- >> Kyle noticed that the DNS page was off. This fixes it. >> >> _______________________________________________ >> Freeipa-devel mailing list >> Freeipa-devel at redhat.com >> https://www.redhat.com/mailman/listinfo/freeipa-devel Pushed to master From ayoung at redhat.com Thu Jan 27 00:26:32 2011 
From: ayoung at redhat.com (Adam Young) Date: Wed, 26 Jan 2011 19:26:32 -0500 Subject: [Freeipa-devel] [PATCH] admiyo-0164-dns-visible-if-enabled. In-Reply-To: <4729778.138208.1296053478151.JavaMail.root@zmail05.collab.prod.int.phx2.redhat.com> References: <4729778.138208.1296053478151.JavaMail.root@zmail05.collab.prod.int.phx2.redhat.com> Message-ID: <4D40BBB8.5080605@redhat.com> On 01/26/2011 09:51 AM, Kyle Baker wrote: > ACK Looks good. > > ----- Original Message ----- >> _______________________________________________ >> Freeipa-devel mailing list >> Freeipa-devel at redhat.com >> https://www.redhat.com/mailman/listinfo/freeipa-devel pushed to master From ssorce at redhat.com Thu Jan 27 00:23:53 2011 From: ssorce at redhat.com (Simo Sorce) Date: Wed, 26 Jan 2011 19:23:53 -0500 Subject: [Freeipa-devel] [PATCH] admiyo-0163-dns-container In-Reply-To: <529215109.138192.1296053446211.JavaMail.root@zmail05.collab.prod.int.phx2.redhat.com> References: <529215109.138192.1296053446211.JavaMail.root@zmail05.collab.prod.int.phx2.redhat.com> Message-ID: <1296087833.20166.34.camel@willson.li.ssimo.org> On Wed, 2011-01-26 at 09:50 -0500, Kyle Baker wrote: > ACK Looks good. > > ----- Original Message ----- > > On 01/25/2011 09:16 PM, Adam Young wrote: > > > > Kyle noticed that the DNS page was off. This fixes it. This was pushed to master. -- Simo Sorce * Red Hat, Inc * New York From ayoung at redhat.com Thu Jan 27 00:32:59 2011 
From: ayoung at redhat.com (Adam Young) Date: Wed, 26 Jan 2011 19:32:59 -0500 Subject: [Freeipa-devel] [PATCH] 0002-Main-UI-migration-and-html-Style-updates 0003-deleteing-migration-css In-Reply-To: <4D38A8F6.6000507@redhat.com> References: <523239977.74632.1295558522713.JavaMail.root@zmail05.collab.prod.int.phx2.redhat.com> <4D38A8F6.6000507@redhat.com> Message-ID: <4D40BD3B.6010800@redhat.com> On 01/20/2011 04:28 PM, Adam Young wrote: > On 01/20/2011 04:22 PM, Kyle Baker wrote: >> UI Style Changes >> >> >> _______________________________________________ >> Freeipa-devel mailing list >> Freeipa-devel at redhat.com >> https://www.redhat.com/mailman/listinfo/freeipa-devel > ACK In general, with a couple minor caveats: > > This duplicates the Font files and the jquery-ui assets. We can fix > that by using relative URLs. I can fix that, squash these two, and push. > > > _______________________________________________ > Freeipa-devel mailing list > Freeipa-devel at redhat.com > https://www.redhat.com/mailman/listinfo/freeipa-devel A variation of this was pushed to master as a different patch -------------- next part -------------- An HTML attachment was scrubbed... URL: From ayoung at redhat.com Thu Jan 27 03:03:06 2011 From: ayoung at redhat.com (Adam Young) Date: Wed, 26 Jan 2011 22:03:06 -0500 Subject: [Freeipa-devel] [PATCH] admiyo-0170-dirty Message-ID: <4D40E06A.2020208@redhat.com> Depends on 154, 154, 166, 167, 169 -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-admiyo-0170-dirty.patch Type: text/x-patch Size: 10591 bytes Desc: not available URL: From jhrozek at redhat.com Thu Jan 27 06:22:27 2011 
From: jhrozek at redhat.com (Jakub Hrozek) Date: Thu, 27 Jan 2011 07:22:27 +0100 Subject: [Freeipa-devel] [PATCH] 041 Add example of DNS SRV record and a simple validator In-Reply-To: <4D404ADF.2000009@redhat.com> References: <4D4031FC.9070503@redhat.com> <4D40331C.70003@redhat.com> <4D404ADF.2000009@redhat.com> Message-ID: <20110127062226.GA21704@zeppelin.brq.redhat.com> On Wed, Jan 26, 2011 at 11:25:03AM -0500, Rob Crittenden wrote: > Jakub Hrozek wrote: > >-----BEGIN PGP SIGNED MESSAGE----- > >Hash: SHA1 > > > >On 01/26/2011 03:38 PM, Jakub Hrozek wrote: > >>https://fedorahosted.org/freeipa/ticket/846 > > > >This version contains a better example (consistent zone name). > > This requires a change to API.txt too, otherwise the patch looks good. > > rob Thanks for catching this. I still wonder why I was able to run make rpms which in turn runs makeapi --validate. A new patch is attached. -------------- next part -------------- >From af17c43e77cab88ec001f4bd94c3002bd7a4494d Mon Sep 17 00:00:00 2001 From: Jakub Hrozek Date: Wed, 26 Jan 2011 09:31:50 -0500 Subject: [PATCH] Add example of DNS SRV record and a simple validator https://fedorahosted.org/freeipa/ticket/846 --- API.txt | 8 ++++---- ipalib/plugins/dns.py | 23 +++++++++++++++++++++++ 2 files changed, 27 insertions(+), 4 deletions(-) diff --git a/API.txt b/API.txt index c9a56f6..8e30a7e 100644 --- a/API.txt +++ b/API.txt 
@@ -522,7 +522,7 @@ option: List('rrsigrecord?', attribute=True, cli_name='rrsig_rec',ist('rrsigreco option: List('rprecord?', attribute=True, cli_name='rp_rec',ist('rprecord?', attribute=True, cli_name='rp_rec', doc='comma-separated list of RP records', label='RP record', multivalue=True) option: List('sigrecord?', attribute=True, cli_name='sig_rec',ist('sigrecord?', attribute=True, cli_name='sig_rec', doc='comma-separated list of SIG records', label='SIG record', multivalue=True) option: List('spfrecord?', attribute=True, cli_name='spf_rec',ist('spfrecord?', attribute=True, cli_name='spf_rec', doc='comma-separated list of SPF records', label='SPF record', multivalue=True) -option: List('srvrecord?', attribute=True, cli_name='srv_rec',ist('srvrecord?', attribute=True, cli_name='srv_rec', doc='comma-separated list of SRV records', label='SRV record', multivalue=True) +option: List('srvrecord?', _validate_srv, attribute=True, cli_name='srv_rec',ist('srvrecord?', _validate_srv, attribute=True, cli_name='srv_rec', doc='comma-separated list of SRV records', label='SRV record', multivalue=True) option: List('sshfprecord?', attribute=True, cli_name='sshfp_rec',ist('sshfprecord?', attribute=True, cli_name='sshfp_rec', doc='comma-separated list of SSHFP records', label='SSHFP record', multivalue=True) option: List('tarecord?', attribute=True, cli_name='ta_rec',ist('tarecord?', attribute=True, cli_name='ta_rec', doc='comma-separated list of TA records', label='TA record', multivalue=True) option: List('tkeyrecord?', attribute=True, cli_name='tkey_rec',ist('tkeyrecord?', attribute=True, cli_name='tkey_rec', doc='comma-separated list of TKEY records', label='TKEY record', multivalue=True) 
@@ -570,7 +570,7 @@ option: List('rrsigrecord?', attribute=True, cli_name='rrsig_rec',ist('rrsigreco option: List('rprecord?', attribute=True, cli_name='rp_rec',ist('rprecord?', attribute=True, cli_name='rp_rec', doc='comma-separated list of RP records', label='RP record', multivalue=True) option: List('sigrecord?', attribute=True, cli_name='sig_rec',ist('sigrecord?', attribute=True, cli_name='sig_rec', doc='comma-separated list of SIG records', label='SIG record', multivalue=True) option: List('spfrecord?', attribute=True, cli_name='spf_rec',ist('spfrecord?', attribute=True, cli_name='spf_rec', doc='comma-separated list of SPF records', label='SPF record', multivalue=True) -option: List('srvrecord?', attribute=True, cli_name='srv_rec',ist('srvrecord?', attribute=True, cli_name='srv_rec', doc='comma-separated list of SRV records', label='SRV record', multivalue=True) +option: List('srvrecord?', _validate_srv, attribute=True, cli_name='srv_rec',ist('srvrecord?', _validate_srv, attribute=True, cli_name='srv_rec', doc='comma-separated list of SRV records', label='SRV record', multivalue=True) option: List('sshfprecord?', attribute=True, cli_name='sshfp_rec',ist('sshfprecord?', attribute=True, cli_name='sshfp_rec', doc='comma-separated list of SSHFP records', label='SSHFP record', multivalue=True) option: List('tarecord?', attribute=True, cli_name='ta_rec',ist('tarecord?', attribute=True, cli_name='ta_rec', doc='comma-separated list of TA records', label='TA record', multivalue=True) option: List('tkeyrecord?', attribute=True, cli_name='tkey_rec',ist('tkeyrecord?', attribute=True, cli_name='tkey_rec', doc='comma-separated list of TKEY records', label='TKEY record', multivalue=True) 
@@ -619,7 +619,7 @@ option: List('rrsigrecord?', attribute=True, cli_name='rrsig_rec',ist('rrsigreco option: List('rprecord?', attribute=True, cli_name='rp_rec',ist('rprecord?', attribute=True, cli_name='rp_rec', doc='comma-separated list of RP records', label='RP record', multivalue=True) option: List('sigrecord?', attribute=True, cli_name='sig_rec',ist('sigrecord?', attribute=True, cli_name='sig_rec', doc='comma-separated list of SIG records', label='SIG record', multivalue=True) option: List('spfrecord?', attribute=True, cli_name='spf_rec',ist('spfrecord?', attribute=True, cli_name='spf_rec', doc='comma-separated list of SPF records', label='SPF record', multivalue=True) -option: List('srvrecord?', attribute=True, cli_name='srv_rec',ist('srvrecord?', attribute=True, cli_name='srv_rec', doc='comma-separated list of SRV records', label='SRV record', multivalue=True) +option: List('srvrecord?', _validate_srv, attribute=True, cli_name='srv_rec',ist('srvrecord?', _validate_srv, attribute=True, cli_name='srv_rec', doc='comma-separated list of SRV records', label='SRV record', multivalue=True) option: List('sshfprecord?', attribute=True, cli_name='sshfp_rec',ist('sshfprecord?', attribute=True, cli_name='sshfp_rec', doc='comma-separated list of SSHFP records', label='SSHFP record', multivalue=True) option: List('tarecord?', attribute=True, cli_name='ta_rec',ist('tarecord?', attribute=True, cli_name='ta_rec', doc='comma-separated list of TA records', label='TA record', multivalue=True) option: List('tkeyrecord?', attribute=True, cli_name='tkey_rec',ist('tkeyrecord?', attribute=True, cli_name='tkey_rec', doc='comma-separated list of TKEY records', label='TKEY record', multivalue=True) 
@@ -680,7 +680,7 @@ option: List('rrsigrecord', attribute=True, cli_name='rrsig_rec',ist('rrsigrecor option: List('rprecord', attribute=True, cli_name='rp_rec',ist('rprecord', attribute=True, cli_name='rp_rec', doc='comma-separated list of RP records', label='RP record', multivalue=True, query=True, required=False) option: List('sigrecord', attribute=True, cli_name='sig_rec',ist('sigrecord', attribute=True, cli_name='sig_rec', doc='comma-separated list of SIG records', label='SIG record', multivalue=True, query=True, required=False) option: List('spfrecord', attribute=True, cli_name='spf_rec',ist('spfrecord', attribute=True, cli_name='spf_rec', doc='comma-separated list of SPF records', label='SPF record', multivalue=True, query=True, required=False) -option: List('srvrecord', attribute=True, cli_name='srv_rec',ist('srvrecord', attribute=True, cli_name='srv_rec', doc='comma-separated list of SRV records', label='SRV record', multivalue=True, query=True, required=False) +option: List('srvrecord', _validate_srv, attribute=True, cli_name='srv_rec',ist('srvrecord', _validate_srv, attribute=True, cli_name='srv_rec', doc='comma-separated list of SRV records', label='SRV record', multivalue=True, query=True, required=False) option: List('sshfprecord', attribute=True, cli_name='sshfp_rec',ist('sshfprecord', attribute=True, cli_name='sshfp_rec', doc='comma-separated list of SSHFP records', label='SSHFP record', multivalue=True, query=True, required=False) option: List('tarecord', attribute=True, cli_name='ta_rec',ist('tarecord', attribute=True, cli_name='ta_rec', doc='comma-separated list of TA records', label='TA record', multivalue=True, query=True, required=False) option: List('tkeyrecord', attribute=True, cli_name='tkey_rec',ist('tkeyrecord', attribute=True, cli_name='tkey_rec', doc='comma-separated list of TKEY records', label='TKEY record', multivalue=True, query=True, required=False) 
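Review bot: the validator is wired into the srvrecord option of four commands in these API.txt hunks (the @@ -680 hunk, with query=True, required=False, is the search variant), but _validate_srv rejects anything that is not exactly four whitespace-separated fields, so a dnsrecord-find that passes a partial value such as --srv-rec=389, or a dnsrecord-del of an already stored malformed value, will be refused before it reaches LDAP. Decide whether record validators should apply only to add/mod, and regenerate API.txt with makeapi rather than editing these lines by hand so they stay in step with ipalib/plugins/dns.py.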
diff --git a/ipalib/plugins/dns.py b/ipalib/plugins/dns.py index 5b5411f..69ae1aa 100644 --- a/ipalib/plugins/dns.py +++ b/ipalib/plugins/dns.py @@ -39,6 +39,13 @@ EXAMPLES: Add new PTR record for www.example.com ipa dnsrecord-add 15.142.80.in-addr.arpa 2 --ptr-rec www.example.com. + Add new SRV records for LDAP servers. Three quarters of the requests + should go to fast.example.com, one quarter to slow.example.com. If neither + is available, switch to backup.example.com. + ipa dnsrecord-add example.com _ldap._tcp --srv-rec="0 3 389 fast.example.com" + ipa dnsrecord-add example.com _ldap._tcp --srv-rec="0 1 389 slow.example.com" + ipa dnsrecord-add example.com _ldap._tcp --srv-rec="1 1 389 backup.example.com" + Show zone example.com: ipa dnszone-show example.com @@ -114,10 +121,26 @@ def _validate_ipnet(ugettext, ipnet): return u'invalid format' return None +def _validate_srv(ugettext, srv): + try: + prio, weight, port, host = srv.split() + except ValueError: + return u'format must be specified as "priority weight port target"' + + try: + prio = int(prio) + weight = int(weight) + port = int(port) + except ValueError: + return u'the values of priority, weight and port must be integers' + + return None + _record_validators = { u'A': _validate_ipaddr, u'AAAA': _validate_ipaddr, u'APL': _validate_ipnet, + u'SRV': _validate_srv, } -- 1.7.3.4 From jzeleny at redhat.com Thu Jan 27 07:28:31 2011 
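Review bot: in the EXAMPLES hunk the SRV targets fast.example.com, slow.example.com and backup.example.com are unqualified, while the PTR example just above writes www.example.com. with a trailing dot; inside zone example.com an unqualified target is relative to the zone origin and would be read as fast.example.com.example.com, so the example should use "0 3 389 fast.example.com." and the same for the other two.

Review bot: _validate_srv converts prio, weight and port with int() and then discards the results, so negative or oversized values such as "-1 3 99999 fast.example.com." pass validation, and the target field is not checked at all. After the int() conversion add a range check, for instance `if not (0 <= prio <= 65535 and 0 <= weight <= 65535 and 0 <= port <= 65535): return u'priority, weight and port must be between 0 and 65535'`, and consider checking that the target looks like a host name; the unused-assignment warnings on prio, weight and port go away with the same change.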
From: jzeleny at redhat.com (Jan Zelený) Date: Thu, 27 Jan 2011 08:28:31 +0100 Subject: [Freeipa-devel] [PATCH] 041 Add example of DNS SRV record and a simple validator In-Reply-To: <4D404ADF.2000009@redhat.com> References: <4D4031FC.9070503@redhat.com> <4D40331C.70003@redhat.com> <4D404ADF.2000009@redhat.com> Message-ID: <201101270828.31114.jzeleny@redhat.com> Rob Crittenden wrote: > Jakub Hrozek wrote: > > -----BEGIN PGP SIGNED MESSAGE----- > > Hash: SHA1 > > > > On 01/26/2011 03:38 PM, Jakub Hrozek wrote: > >> https://fedorahosted.org/freeipa/ticket/846 > > > > This version contains a better example (consistent zone name). > > This requires a change to API.txt too, otherwise the patch looks good. Sorry for not catching that. I have problems with API.txt on a regular basis, so I call makeapi before each compilation. I'm not sure why I have these problems; it happens on a clean master. I recall seeing some information about it somewhere, but I don't know exactly what it was. Jan From jzeleny at redhat.com Thu Jan 27 10:15:30 2011 From: jzeleny at redhat.com (Jan Zelený) Date: Thu, 27 Jan 2011 11:15:30 +0100 Subject: [Freeipa-devel] [PATCH] Fixed permission lookup Message-ID: <201101271115.30307.jzeleny@redhat.com> Lookup based on --filter wasn't implemented at all. It didn't show until now because of a bug sitting on top of it which was resulting in an internal error. This patch fixes the bug and adds the filtering functionality. https://fedorahosted.org/freeipa/ticket/818 -- Thank you Jan Zeleny Red Hat Software Engineer Brno, Czech Republic -------------- next part -------------- A non-text attachment was scrubbed... Name: jzeleny-freeipa-0031-Fixed-permission-lookup.patch Type: text/x-patch Size: 4476 bytes Desc: not available URL: From jzeleny at redhat.com Thu Jan 27 10:27:05 2011
From: jzeleny at redhat.com (Jan Zelený) Date: Thu, 27 Jan 2011 11:27:05 +0100 Subject: [Freeipa-devel] [PATCH] 0074 Add requires In-Reply-To: <1296083200.20166.25.camel@willson.li.ssimo.org> References: <1296083200.20166.25.camel@willson.li.ssimo.org> Message-ID: <201101271127.05748.jzeleny@redhat.com> Simo Sorce wrote: > First part of ticket #855 > > Add the requires we will need on F15, tested against jdennis ipa-devel > repo, works as expected. > > Simo. The patch is obviously ok, so ack from this point of view. But I would just like to know if it is necessary. I just inspected the F15 pki-ca package from the nightly repo - it does Require pki-ca-theme >= 9.0.0 (which is provided by dogtag-pki-ca-theme) and we will be requiring pki-ca. I suspect a similar situation will be for dogtag-pki-common-theme. So I don't see why we should explicitly Require both packages ourselves. Thanks in advance for explanation Jan From jzeleny at redhat.com Thu Jan 27 10:43:18 2011 From: jzeleny at redhat.com (Jan Zelený) Date: Thu, 27 Jan 2011 11:43:18 +0100 Subject: [Freeipa-devel] [PATCH] 0075 handle weird values in nolog In-Reply-To: <1296083317.20166.27.camel@willson.li.ssimo.org> References: <1296083317.20166.27.camel@willson.li.ssimo.org> Message-ID: <201101271143.18244.jzeleny@redhat.com> Simo Sorce wrote: > When using ipa-replica-manage re-initialize with GSSAPI credentials it > turns out that the DN password may be set to None and this can end up in > the nolog list. > > Add a check to skip any non-string object in the log substitution list, > so that the code doesn't freak out on None objects. > > Ticket #856 > > Simo. Ack, but only a code inspection performed, since I'm not sure how to test it exactly. Jan From jzeleny at redhat.com Thu Jan 27 10:46:00 2011
From: jzeleny at redhat.com (Jan Zelený) Date: Thu, 27 Jan 2011 11:46:00 +0100 Subject: [Freeipa-devel] [PATCH] Changed dns permission types In-Reply-To: <201101251335.13954.jzeleny@redhat.com> References: <201101071805.18499.jzeleny@redhat.com> <201101251135.41893.jzeleny@redhat.com> <201101251335.13954.jzeleny@redhat.com> Message-ID: <201101271146.00414.jzeleny@redhat.com> Jan Zelený wrote: > Jan Zelený wrote: > > Rob Crittenden wrote: > > > Jan Zelený wrote: > > > > Rob Crittenden wrote: > > > >> Jan Zelený wrote: > > > >>> The recent change of the DNS module to version caused the dns object type > > > >>> to be replaced by dnszone and dnsrecord. This patch corrects dns > > > >>> types in the permissions class. > > > >>> > > > >>> https://fedorahosted.org/freeipa/ticket/646 > > > >> > > > >> Nack. These values need to be added as valid types to the aci plugin > > > >> and the _type_map needs to be updated. > > > >> > > > >> rob > > > > > > > > I'm sending an updated patch. > > > > > > > > Jan > > > > > > Since dnszone and dnsrecord point to the same kind of entry what is the > > > point of having two separate names for them? When we read the entry we > > > aren't going to be able to differentiate between the two. > > > > I didn't take a look at how the type thing works, so I'm kinda guessing here > > (please ignore the comment if it is wrong): > > Sure, an object with the idnszone class is always also in the dnsrecord class, but > > that's not the case backwards (an idnsrecord object isn't always an idnszone) - > > so I think it is possible to set different ACIs for these two types. > > > > > Can the type be made more specific? > > > > If the mapping doesn't distinguish object classes and it can, maybe > > that's the answer. Will investigate further. But if not, I still think > > this is the way to go considering the underlying issue which we tried to > > solve by this change.
> > From what I found I think that making the changes necessary to distinguish > dnsrecord and dnszone is not worth it, especially since the user can use > "filter" for that purpose. Since having both of them doesn't add any > value, I'm sending a new version of the patch, which is only > adding the dnsrecord type. > > Jan Just a small reminder that this patch is ready to be re-reviewed. Thanks Jan From mkosek at redhat.com Thu Jan 27 11:26:31 2011 From: mkosek at redhat.com (Martin Kosek) Date: Thu, 27 Jan 2011 12:26:31 +0100 Subject: [Freeipa-devel] [PATCH] 018 ipa permission-mod --rename does not work Message-ID: <1296127591.17168.21.camel@dhcp-25-52.brq.redhat.com> This patch fixes the nonfunctional rename operation in the permission plugin. It also makes sure that no change is made to the underlying ACI in pre_callback() when the target permission already exists. Several tests for the rename operation have been created to ensure that it won't break again unnoticed. https://fedorahosted.org/freeipa/ticket/814 -------------- next part -------------- A non-text attachment was scrubbed... Name: mkosek-freeipa-018-ipa-permission-mod-rename-does-not-work.patch Type: text/x-patch Size: 6615 bytes Desc: not available URL: From mkosek at redhat.com Thu Jan 27 11:45:19 2011
From: mkosek at redhat.com (Martin Kosek) Date: Thu, 27 Jan 2011 12:45:19 +0100 Subject: [Freeipa-devel] [PATCH] Fixed permission lookup In-Reply-To: <201101271115.30307.jzeleny@redhat.com> References: <201101271115.30307.jzeleny@redhat.com> Message-ID: <1296128719.17168.25.camel@dhcp-25-52.brq.redhat.com> On Thu, 2011-01-27 at 11:15 +0100, Jan Zelený wrote: > Lookup based on --filter wasn't implemented at all. It didn't show until > now because of a bug sitting on top of it which was resulting in an internal > error. This patch fixes the bug and adds the filtering functionality. > > https://fedorahosted.org/freeipa/ticket/818 > NACK Did you build this patch on current master? Because in your patch, you removed changes in permission-find from my previous patch "017 ACI plugin supports prefixes". After your patch, permission-find fails: $ ipa permission-find ipa: ERROR: 'aciprefix' is required Martin From jzeleny at redhat.com Thu Jan 27 12:19:08 2011
From: jzeleny at redhat.com (Jan Zelený) Date: Thu, 27 Jan 2011 13:19:08 +0100 Subject: [Freeipa-devel] [PATCH] Fixed permission lookup In-Reply-To: <1296128719.17168.25.camel@dhcp-25-52.brq.redhat.com> References: <201101271115.30307.jzeleny@redhat.com> <1296128719.17168.25.camel@dhcp-25-52.brq.redhat.com> Message-ID: <201101271319.08397.jzeleny@redhat.com> Martin Kosek wrote: > On Thu, 2011-01-27 at 11:15 +0100, Jan Zelený wrote: > > Lookup based on --filter wasn't implemented at all. It didn't show until > > now because of a bug sitting on top of it which was resulting in an internal > > error. This patch fixes the bug and adds the filtering functionality. > > > > https://fedorahosted.org/freeipa/ticket/818 > > NACK > > Did you build this patch on current master? Because in your patch, you > removed changes in permission-find from my previous patch "017 ACI > plugin supports prefixes". After your patch, permission-find fails: > > $ ipa permission-find > ipa: ERROR: 'aciprefix' is required > > Martin Sorry, I accidentally mixed the code with a part of the older one. Sending the corrected patch. Jan -------------- next part -------------- A non-text attachment was scrubbed... Name: jzeleny-freeipa-0031-02-Fixed-permission-lookup.patch Type: text/x-patch Size: 3540 bytes Desc: not available URL: From jhrozek at redhat.com Thu Jan 27 12:31:11 2011
From: jhrozek at redhat.com (Jakub Hrozek) Date: Thu, 27 Jan 2011 13:31:11 +0100 Subject: [Freeipa-devel] [PATCH] 039 Delete the whole DNS record with no parameters In-Reply-To: <1296075005.20166.14.camel@willson.li.ssimo.org> References: <4D38325E.4060901@redhat.com> <4D38AB00.3040701@redhat.com> <4D38B6D9.9080408@redhat.com> <20110120175336.0eba6460@willson.li.ssimo.org> <4D39A0F9.4030502@redhat.com> <4D39BA48.4000907@redhat.com> <4D3D91F2.6050002@redhat.com> <1296075005.20166.14.camel@willson.li.ssimo.org> Message-ID: <4D41658F.1020004@redhat.com> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 On 01/26/2011 09:50 PM, Simo Sorce wrote: > On Mon, 2011-01-24 at 15:51 +0100, Jakub Hrozek wrote: >> -----BEGIN PGP SIGNED MESSAGE----- >> Hash: SHA1 >> >> On 01/21/2011 05:54 PM, Rob Crittenden wrote: >>> Jakub Hrozek wrote: >>>> -----BEGIN PGP SIGNED MESSAGE----- >>>> Hash: SHA1 >>>> >>>> On 01/20/2011 11:53 PM, Simo Sorce wrote: >>>>> On Thu, 20 Jan 2011 17:27:37 -0500 >>>>> Dmitri Pal wrote: >>>>> >>>>>> Michael Gregg wrote: >>>>>>> Jakub Hrozek wrote: >>>>>>> Hi, >>>>>>> >>>>>>> as discussed in https://bugzilla.redhat.com/show_bug.cgi?id=671019 >>>>>>> to delete a DNS RR one has to remove its record types one by one. >>>>>>> >>>>>>> This patch modifies the behaviour so that if the user runs >>>>>>> dnsrecord-del with no other parameters, the >>>>>>> whole record is removed. >>>>>>> >>>>>>> Alternative solutions might be to expose the internal command that >>>>>>> is able to delete the record (although I think it is >>>>>>> counterintuitive to have one command to remove record types and one >>>>>>> for the whole record) or have a special flag (--del-all?) to remove >>>>>>> the whole record. >>>>>>> >>>>>>> The patch also fixes the unit tests as they didn't reflect all the >>>>>>> recent changes. 
> >>>>>> > >>>>>>> Going with this patch sounds good, but to make sure, I polled > >>>>>>> several > >>>>>> people here, and they all seemed to think that having to add a > >>>>>> --del-all or --del-record flag at the end would be better as it would > >>>>>> be less prone to failure where admins would accidentally delete an > >>>>>> entire record because they didn't specify anything after the " > >>>>>> " > >>>>>> > >>>>>>> So, maybe we do need a --del-all or --del-record operator. > >>>>>> > >>>>>> Agree. > >>>>> > >>>>> +1 > >>>>> Someone may simply push enter accidentally while checking what to write > >>>>> after the command. It would be rather unfortunate. > >>>>> > >>>>> Simo. > >>>>> > >>>>> > >>>> > >>>> Attached is a new version of the patch that implements --del-all. It > >>>> also reports failure when deleting a nonexistent RR (new ticket 829). > >>> > >>> nack, this isn't working properly for me. > >>> > >>> Here is how I tested: > >>> > >>> - add a new zone, newzone1 > >>> - ipa dnsrecord-add newzone1 as --a-rec 3.4.5.6 > >>> - ipa dnsrecord-add newzone1 as > >>> Record name: as > >>> A record: 3.4.5.6 > >>> - ipa dnsrecord-show newzone1 as > >>> Record name: as > >>> A record: 3.4.5.6 > >>> - ipa dnsrecord-del newzone1 as --del-all > >>> [ no output ] > >>> - ipa dnsrecord-show newzone1 as > >>> ipa: ERROR: as: DNS resource record not found > >>> > >>> So a couple of problems: > >>> > >>> 1. An error should have been thrown when I tried a delete without a > >>> specific record type. > > I agree but I was reluctant to do this because it was perfectly OK to >> call "dnsrecord-add" with no options. That would create an empty DNS >> record. The interface was orthogonal so "dnsrecord-del" with no options >> would remove the record if it was empty. But I don't think an empty DNS >> record makes any sense. >> >> I changed the behaviour such that: >> * dnsrecord-add with no attributes is no longer allowed. You have to >> specify at least one RR type. > > Apparently this is not effective, I was able to add an empty DNS > record.
> Thanks for catching this. A fixed patch is attached. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.11 (GNU/Linux) Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org/ iEYEARECAAYFAk1BZY8ACgkQHsardTLnvCXfwwCgqQDrT6ZwZw20gNM+v+iT0QK5 1gIAoMyIS40UyS4X6VpqPB90U2PiNeLl =w7gG -----END PGP SIGNATURE----- -------------- next part -------------- A non-text attachment was scrubbed... Name: jhrozek-freeipa-039-04-dsn-record-del.patch Type: text/x-patch Size: 12347 bytes Desc: not available URL: -------------- next part -------------- A non-text attachment was scrubbed... Name: jhrozek-freeipa-039-04-dsn-record-del.patch.sig Type: application/pgp-signature Size: 72 bytes Desc: not available URL: From ssorce at redhat.com Thu Jan 27 12:47:08 2011 From: ssorce at redhat.com (Simo Sorce) Date: Thu, 27 Jan 2011 07:47:08 -0500 Subject: [Freeipa-devel] [PATCH] 0074 Add requires In-Reply-To: <201101271127.05748.jzeleny@redhat.com> References: <1296083200.20166.25.camel@willson.li.ssimo.org> <201101271127.05748.jzeleny@redhat.com> Message-ID: <1296132428.8527.0.camel@willson.li.ssimo.org> On Thu, 2011-01-27 at 11:27 +0100, Jan Zelený wrote: > Simo Sorce wrote: > > First part of ticket #855 > > > > Add the requires we will need on F15, tested against jdennis ipa-devel > > repo, works as expected. > > > > Simo. > > The patch is obviously ok, so ack from this point of view. But I would just > like to know if it is necessary. I just inspected F15 pki-ca package from > nightly repo - it does Require pki-ca-theme >= 9.0.0 (which is provided by > dogtag-pki-ca-theme) and we will be requiring pki-ca. I suspect similar > situation will be for dogtag-pki-common-theme. So I don't see why we should > explicitly Require both packages ourselves. > > Thanks in advance for explanation Sorry I don't know why they are needed I just implemented the ticket Rob opened. Simo. -- Simo Sorce * Red Hat, Inc * New York From ssorce at redhat.com Thu Jan 27 12:48:38 2011
From: ssorce at redhat.com (Simo Sorce) Date: Thu, 27 Jan 2011 07:48:38 -0500 Subject: [Freeipa-devel] [PATCH] 0075 handle weird values in nolog In-Reply-To: <201101271143.18244.jzeleny@redhat.com> References: <1296083317.20166.27.camel@willson.li.ssimo.org> <201101271143.18244.jzeleny@redhat.com> Message-ID: <1296132518.8527.2.camel@willson.li.ssimo.org> On Thu, 2011-01-27 at 11:43 +0100, Jan Zelený wrote: > Simo Sorce wrote: > > When using ipa-replica-manage re-initialize with GSSAPI credentials it > > turns out that the DN password may be set to None and this can end up in > > the nolog list. > > > > Add a check to skip any non-string object in the log substitution list, > > so that the code doesn't freak out on None objects. > > > > Ticket #856 > > > > Simo. > > > Ack, > but only a code inspection performed, since I'm not sure how to test it > exactly. If you want to test: install replica, kinit admin, then run ipa-replica-manage re-initialize --from other.master.com W/o the patch it throws an error after it is done, w/ the patch it terminates w/o errors. Simo. -- Simo Sorce * Red Hat, Inc * New York From rcritten at redhat.com Thu Jan 27 14:26:46 2011
From: rcritten at redhat.com (Rob Crittenden) Date: Thu, 27 Jan 2011 09:26:46 -0500 Subject: [Freeipa-devel] [PATCH] 0074 Add requires In-Reply-To: <1296132428.8527.0.camel@willson.li.ssimo.org> References: <1296083200.20166.25.camel@willson.li.ssimo.org> <201101271127.05748.jzeleny@redhat.com> <1296132428.8527.0.camel@willson.li.ssimo.org> Message-ID: <4D4180A6.30602@redhat.com> Simo Sorce wrote: > On Thu, 2011-01-27 at 11:27 +0100, Jan Zelený wrote: >> Simo Sorce wrote: >>> First part of ticket #855 >>> >>> Add the requires we will need on F15, tested against jdennis ipa-devel >>> repo, works as expected. >>> >>> Simo. >> >> The patch is obviously ok, so ack from this point of view. But I would just >> like to know if it is necessary. I just inspected F15 pki-ca package from >> nightly repo - it does Require pki-ca-theme>= 9.0.0 (which is provided by >> dogtag-pki-ca-theme) and we will be requiring pki-ca. I suspect similar >> situation will be for dogtag-pki-common-theme. So I don't see why we should >> explicitly Require both packages ourselves. >> >> Thanks in advance for explanation > > Sorry I don't know why they are needed I just implemented the ticket Rob > opened. > > Simo. > I asked the same question before filing the ticket, here is the response: Actually, all three theme packages contain the exact same "Provides:" statements (e. g. - ipa-pki-common-theme "Provides: pki-common-theme" and dogtag-pki-common-theme "Provides: pki-common-theme") while the actual package pki-common "Requires: pki-common-theme"). For this reason, it is up to the end-user (in this case, FreeIPA and IPA) to decide which theme package will be installed (regardless of platform), and that is why we are suggesting that FreeIPA specifically "Requires: dogtag-pki-common-theme" and "Requires: dogtag-pki-ca-theme" while IPA v2 specifically "Requires: ipa-pki-common-theme" and "Requires: ipa-pki-ca-theme".
For Fedora, although neither ipa nor redhat theme packages will be available, all three will potentially be available on RHEL platforms. To address this issue from the CS view, the original intention has (and will continue to be) to eventually resolve this by supplying Meta packages which require specific themes (e. g. - dogtag-pki, dogtag-pki-ca, redhat-pki, redhat-pki-ca, etc.), as currently, unless the FreeIPA and IPA applications specifically require specific theme packages, there are no packages which explicitly require a specific PKI theme package. From rcritten at redhat.com Thu Jan 27 14:31:05 2011 
From: rcritten at redhat.com (Rob Crittenden) Date: Thu, 27 Jan 2011 09:31:05 -0500 Subject: [Freeipa-devel] [PATCH] Fixed permission lookup In-Reply-To: <201101271319.08397.jzeleny@redhat.com> References: <201101271115.30307.jzeleny@redhat.com> <1296128719.17168.25.camel@dhcp-25-52.brq.redhat.com> <201101271319.08397.jzeleny@redhat.com> Message-ID: <4D4181A9.8020502@redhat.com> Jan Zelený wrote: > Martin Kosek wrote: >> On Thu, 2011-01-27 at 11:15 +0100, Jan Zelený wrote: >>> Lookup based on --filter wasn't implemented at all. It didn't show until >>> now because of a bug sitting on top of it which was resulting in an internal >>> error. This patch fixes the bug and adds the filtering functionality. >>> >>> https://fedorahosted.org/freeipa/ticket/818 >> >> NACK >> >> Did you build this patch on current master? Because in your patch, you >> removed changes in permission-find from my previous patch "017 ACI >> plugin supports prefixes". After your patch, permission-find fails: >> >> $ ipa permission-find >> ipa: ERROR: 'aciprefix' is required >> >> Martin > > Sorry, I accidentally mixed the code with a part of the older one. Sending > corrected patch. > > Jan I think the extra stuff in baseldap.py:LDAPSearch() was there because adding entries in a post_callback wasn't working. It only let you reduce the number or modify what was already there IIRC. rob From ssorce at redhat.com Thu Jan 27 14:37:59 2011 From: ssorce at redhat.com (Simo Sorce) Date: Thu, 27 Jan 2011 09:37:59 -0500 Subject: [Freeipa-devel] [PATCH] 0074 Add requires In-Reply-To: <201101271127.05748.jzeleny@redhat.com> References: <1296083200.20166.25.camel@willson.li.ssimo.org> <201101271127.05748.jzeleny@redhat.com> Message-ID: <1296139079.8527.16.camel@willson.li.ssimo.org> On Thu, 2011-01-27 at 11:27 +0100, Jan Zelený wrote: > The patch is obviously ok, so ack from this point of view. Pushed to master. Simo. -- Simo Sorce * Red Hat, Inc * New York From ssorce at redhat.com Thu Jan 27 14:38:27 2011
From: ssorce at redhat.com (Simo Sorce) Date: Thu, 27 Jan 2011 09:38:27 -0500 Subject: [Freeipa-devel] [PATCH] 0075 handle weird values in nolog In-Reply-To: <201101271143.18244.jzeleny@redhat.com> References: <1296083317.20166.27.camel@willson.li.ssimo.org> <201101271143.18244.jzeleny@redhat.com> Message-ID: <1296139107.8527.17.camel@willson.li.ssimo.org> On Thu, 2011-01-27 at 11:43 +0100, Jan Zelený wrote: > > Ack, > but only a code inspection performed, since I'm not sure how to test > it > exactly. Pushed to master (I tested it extensively). Simo. -- Simo Sorce * Red Hat, Inc * New York From jzeleny at redhat.com Thu Jan 27 14:41:34 2011
From: jzeleny at redhat.com (Jan Zelený) Date: Thu, 27 Jan 2011 15:41:34 +0100 Subject: [Freeipa-devel] [PATCH] Fixed permission lookup In-Reply-To: <4D4181A9.8020502@redhat.com> References: <201101271115.30307.jzeleny@redhat.com> <201101271319.08397.jzeleny@redhat.com> <4D4181A9.8020502@redhat.com> Message-ID: <201101271541.34659.jzeleny@redhat.com> Rob Crittenden wrote: > Jan Zelený wrote: > > Martin Kosek wrote: > >> On Thu, 2011-01-27 at 11:15 +0100, Jan Zelený wrote: > >>> Lookup based on --filter wasn't implemented at all. It didn't show until > >>> now because of a bug sitting on top of it which was resulting in an > >>> internal error. This patch fixes the bug and adds the filtering > >>> functionality. > >>> > >>> https://fedorahosted.org/freeipa/ticket/818 > >> > >> NACK > >> > >> Did you build this patch on current master? Because in your patch, you > >> removed changes in permission-find from my previous patch "017 ACI > >> plugin supports prefixes". After your patch, permission-find fails: > >> > >> $ ipa permission-find > >> ipa: ERROR: 'aciprefix' is required > >> > >> Martin > > > > Sorry, I accidentally mixed the code with a part of the older one. Sending > > corrected patch. > > > > Jan > > I think the extra stuff in baseldap.py:LDAPSearch() was there because > adding entries in a post_callback wasn't working. It only let you reduce > the number or modify what was already there IIRC. From what I know, lists should allow you to expand them without any problems (not sure what the concept is called in Python, Pavel told me about it). Also I didn't encounter any problems with this approach (and the post callback actually adds some entries), that's why I changed it the way I did. Jan From dpal at redhat.com Thu Jan 27 14:48:22 2011
From: dpal at redhat.com (Dmitri Pal) Date: Thu, 27 Jan 2011 09:48:22 -0500 Subject: [Freeipa-devel] [PATCH] 0074 Add requires In-Reply-To: <201101271127.05748.jzeleny@redhat.com> References: <1296083200.20166.25.camel@willson.li.ssimo.org> <201101271127.05748.jzeleny@redhat.com> Message-ID: <4D4185B6.6050507@redhat.com> On 01/27/2011 05:27 AM, Jan Zelený wrote: > Simo Sorce wrote: >> First part of ticket #855 >> >> Add the requires we will need on F15, tested against jdennis ipa-devel >> repo, works as expected. >> >> Simo. > The patch is obviously ok, so ack from this point of view. But I would just > like to know if it is necessary. I just inspected F15 pki-ca package from > nightly repo - it does Require pki-ca-theme>= 9.0.0 (which is provided by > dogtag-pki-ca-theme) and we will be requiring pki-ca. I suspect similar > situation will be for dogtag-pki-common-theme. So I don't see why we should > explicitly Require both packages ourselves. > Have you seen the explanation that Matthew Harmsen put together about all the theme packages? I do not know if this would make things cleaner. I will send it off list. > Thanks in advance for explanation > Jan From ssorce at redhat.com Thu Jan 27 16:42:43 2011
From: ssorce at redhat.com (Simo Sorce) Date: Thu, 27 Jan 2011 11:42:43 -0500 Subject: [Freeipa-devel] [PATCH] 0076 Fix ipa init script Message-ID: <1296146563.8527.25.camel@willson.li.ssimo.org> When I created ipa.init I did it initially by copying the dirsrv init script. Remove any remaining reference to the dirsrv stuff. Ticket: #857 Simo. -- Simo Sorce * Red Hat, Inc * New York -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-simo-0076-Fix-ipa-init-script-to-not-depend-on-dirsrv-init-int.patch Type: text/x-patch Size: 1377 bytes Desc: not available URL: From rcritten at redhat.com Thu Jan 27 16:57:04 2011 From: rcritten at redhat.com (Rob Crittenden) Date: Thu, 27 Jan 2011 11:57:04 -0500 Subject: [Freeipa-devel] [PATCH] 0076 Fix ipa init script In-Reply-To: <1296146563.8527.25.camel@willson.li.ssimo.org> References: <1296146563.8527.25.camel@willson.li.ssimo.org> Message-ID: <4D41A3E0.3000101@redhat.com> Simo Sorce wrote: > When I created ipa.init I did it initially by copying the dirsrv init > script. > Remove any remaining reference to the dirsrv stuff. > > Ticket: #857 > > Simo. ack, pushed to master From ayoung at redhat.com Thu Jan 27 17:12:59 2011 
From: ayoung at redhat.com (Adam Young) Date: Thu, 27 Jan 2011 12:12:59 -0500 Subject: [Freeipa-devel] [PATCH] admiyo-0154-declarative-defintions In-Reply-To: <4D4092F9.9050700@redhat.com> References: <4D385E67.8030507@redhat.com> <4D38918C.4060804@redhat.com> <4D405BEF.2030409@redhat.com> <4D4092F9.9050700@redhat.com> Message-ID: <4D41A79B.9090801@redhat.com> On 01/26/2011 04:32 PM, Adam Young wrote: > On 01/26/2011 12:37 PM, Adam Young wrote: >> Rebased on top of origin/master, and made changes. See comments below. >> >> >> On 01/20/2011 02:48 PM, Endi Sukma Dewata wrote: >>> On 1/20/2011 11:10 PM, Adam Young wrote: >>>> If you ACK, please don't push, but let me do so, as it will likely >>>> conflict with other UI work. >>> >>> There are no major issues, just some comments: >>> >>> 1. The declarative definition is a bit inconsistent. Some methods >>> like association() take a spec, but other methods like facet() >>> take an object instance. >>> >>> association({ >>> 'name': 'netgroup', >>> 'associator': 'serial' >>> }). >>> facet( >>> IPA.search_facet({ >>> 'name': 'search', >>> 'label': 'Search' >>> }). >> >> The difference is for things that are created self contained, like >> association, and things like search and details facets that require >> additional declaration. We could change the association call to >> require creating the association, but not the other way around. >> >> Aside: there should be no need to specify name or label for search >> and details. >> >>> >>> 2. The diff tool uses the first line of the function to mark the >>> chunks like this: 
>>> >>> @@ -593,10 +593,7 @@ IPA.permission = function () { >>> >>> Having a function name in the first line would make it easier to >>> read. Compare this definition: >>> >>> IPA.permission = function () { >>> >>> with this definition: >>> >>> IPA.register_entity(function () { >> >> Even better, we can use an associative array, and do the two at once. >> >> >>> >>> 3. The following lines (webui.js:128-133): >>> >>> IPA.start_entities(); >>> >>> for (var i=0; i<IPA.entities.length; i++) { >>> var entity = IPA.entities[i]; >>> entity.init(); >>> } >>> >>> probably could be combined into a single method: >>> >>> IPA.init_entities(); >> Done >> >>> >>> I think this method name will make more sense. >>> >>> 4. Entity's init_dialogs() probably could be merged into entity.init(). >> >> Done >>> >>> 5. The entity_factories is probably better named entity_classes. >>> Factory is usually an object that creates multiple other objects. >>> The entity 'factory' is really the entity class which is only >>> instantiated once. >> >> Nah, Factory can create only a single instance. Classes is too loaded >> a term. >>> >>> 6. Typo on search.js:258: >>> >>> spec.label = spec.lable || IPA.messages.facets.search; >> >> Fixed >> >> >> _______________________________________________ >> Freeipa-devel mailing list >> Freeipa-devel at redhat.com >> https://www.redhat.com/mailman/listinfo/freeipa-devel > Rebased > > > _______________________________________________ > Freeipa-devel mailing list > Freeipa-devel at redhat.com > https://www.redhat.com/mailman/listinfo/freeipa-devel -------------- next part -------------- An HTML attachment was scrubbed... URL: -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-admiyo-0154-3-declarative-defintions.patch Type: text/x-patch Size: 41258 bytes Desc: not available URL: From jhrozek at redhat.com Thu Jan 27 18:02:51 2011 
From: jhrozek at redhat.com (Jakub Hrozek) Date: Thu, 27 Jan 2011 19:02:51 +0100 Subject: [Freeipa-devel] [PATCH] 042 Enforce that all NS records are resolvable Message-ID: <4D41B34B.3090607@redhat.com> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Bind cannot load a zone if any of its name server records is not resolvable. https://fedorahosted.org/freeipa/ticket/838 -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.11 (GNU/Linux) Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org/ iEYEARECAAYFAk1Bs0sACgkQHsardTLnvCVgjACg4YojCm2ULsFZ2smpusWdJncp +mgAniOndaa4ILr9YpuIwW9i+X97Vid2 =KEtu -----END PGP SIGNATURE----- -------------- next part -------------- A non-text attachment was scrubbed... Name: jhrozek-freeipa-042-ns-records.patch Type: text/x-patch Size: 10531 bytes Desc: not available URL: -------------- next part -------------- A non-text attachment was scrubbed... Name: jhrozek-freeipa-042-ns-records.patch.sig Type: application/pgp-signature Size: 72 bytes Desc: not available URL: From jhrozek at redhat.com Thu Jan 27 18:03:40 2011 
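The check that patch 042 is about, as an added example that is not the FreeIPA patch itself: every NS target of a zone is verified before the zone is handed to BIND. An in-zone name server cannot be looked up until the zone has loaded, so it must carry an address record in the zone data; an out-of-zone name server must resolve through ordinary DNS. The resolver is injected so the check runs offline; the zone, the glue table and the fake DNS table are constructed sample data with hypothetical names.

```python
"""Validate that all NS targets of a zone are resolvable before the zone is loaded.

Added example, not code from the FreeIPA DNS plugin. A resolver callable is
injected so that a real DNS query can be substituted in production and a
lookup table can be used here.
"""
from typing import Callable, Dict, List, Tuple

Resolver = Callable[[str], List[str]]

# Constructed sample zone (hypothetical name, not taken from the patch).
ZONE = "example.com."

# Address records the zone itself carries (in-zone glue for its name servers).
ZONE_ADDRESSES: Dict[str, List[str]] = {
    "ns1.example.com.": ["192.0.2.1"],
}

# Stand-in for the public DNS: what a lookup of an out-of-zone name returns.
FAKE_DNS: Dict[str, List[str]] = {
    "ns.provider.example.net.": ["198.51.100.53"],
}


def fake_resolve(name: str) -> List[str]:
    """Offline resolver used in place of a real A/AAAA query."""
    return FAKE_DNS.get(name, [])


def absolute(name: str, zone: str) -> str:
    """Turn a relative owner name ('ns1') into an absolute one ('ns1.example.com.').

    '@' denotes the zone apex; a trailing dot marks a name that is already absolute.
    """
    if name == "@":
        return zone
    return name if name.endswith(".") else f"{name}.{zone}"


def in_zone(name: str, zone: str) -> bool:
    """True when name is the apex or lies below it."""
    return name == zone or name.endswith("." + zone)


def validate_ns_records(
    zone: str,
    ns_targets: List[str],
    zone_addresses: Dict[str, List[str]],
    resolve: Resolver,
) -> List[Tuple[str, str]]:
    """Return (fqdn, reason) pairs for NS targets BIND could not resolve.

    An empty list means the zone is safe to load as far as its NS records go.
    """
    problems: List[Tuple[str, str]] = []
    for target in ns_targets:
        fqdn = absolute(target, zone)
        if in_zone(fqdn, zone):
            # The zone is not queryable until loaded: the glue must be in the zone data.
            if not zone_addresses.get(fqdn):
                problems.append((fqdn, "in-zone name server has no address record in the zone"))
        elif not resolve(fqdn):
            problems.append((fqdn, "out-of-zone name server does not resolve"))
    return problems


if __name__ == "__main__":
    # One good in-zone server, one good external server, one broken in-zone server.
    for fqdn, reason in validate_ns_records(
        ZONE, ["ns1", "ns.provider.example.net.", "ns2"], ZONE_ADDRESSES, fake_resolve
    ):
        print(f"refusing NS {fqdn}: {reason}")
```

Relative names are the edge case worth keeping: a record entered as `ns2` is `ns2.example.com.`, so it is an in-zone name and must be matched against the zone's own address records rather than against the resolver.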
From: jhrozek at redhat.com (Jakub Hrozek) Date: Thu, 27 Jan 2011 19:03:40 +0100 Subject: [Freeipa-devel] [PATCH] 043 Fix API.txt Message-ID: <4D41B37C.6060200@redhat.com> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 One of the recent API patches didn't update API.txt -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.11 (GNU/Linux) Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org/ iEYEARECAAYFAk1Bs3wACgkQHsardTLnvCVTmQCgy4fQy3n7x1XZuzZocyaNVfA3 3XIAoJqoSeuZvIHZqdf58EKWVVPbXQAu =xHUI -----END PGP SIGNATURE----- -------------- next part -------------- A non-text attachment was scrubbed... Name: jhrozek-freeipa-043-api-txt.patch Type: text/x-patch Size: 10650 bytes Desc: not available URL: -------------- next part -------------- A non-text attachment was scrubbed... Name: jhrozek-freeipa-043-api-txt.patch.sig Type: application/pgp-signature Size: 72 bytes Desc: not available URL: From ayoung at redhat.com Thu Jan 27 18:55:35 2011 
From: ayoung at redhat.com (Adam Young) Date: Thu, 27 Jan 2011 13:55:35 -0500 Subject: [Freeipa-devel] [PATCH] admiyo-0166-declarative-for-aci In-Reply-To: <4D408FC0.2060500@redhat.com> References: <212426146.146416.1296076455566.JavaMail.root@zmail05.collab.prod.int.phx2.redhat.com> <4D408FC0.2060500@redhat.com> Message-ID: <4D41BFA7.4040503@redhat.com> On 01/26/2011 04:18 PM, Adam Young wrote: > On 01/26/2011 04:14 PM, Kyle Baker wrote: >> ACK >> >> ----- Original Message ----- >>> Fixes https://fedorahosted.org/freeipa/ticket/772 >>> >>> Depends on freeipa-admiyo-0154-1-declarative-defintions.patch >>> >>> _______________________________________________ >>> Freeipa-devel mailing list >>> Freeipa-devel at redhat.com >>> https://www.redhat.com/mailman/listinfo/freeipa-devel > Hold on that...this requires edewata to sign off on. > > _______________________________________________ > Freeipa-devel mailing list > Freeipa-devel at redhat.com > https://www.redhat.com/mailman/listinfo/freeipa-devel Rebased with changes from 154 -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-admiyo-0166-2-declarative-for-aci.patch Type: text/x-patch Size: 17242 bytes Desc: not available URL: From ayoung at redhat.com Thu Jan 27 18:56:39 2011 
From: ayoung at redhat.com (Adam Young) Date: Thu, 27 Jan 2011 13:56:39 -0500 Subject: [Freeipa-devel] [PATCH] admiyo-0167-adding-label-for-RBAC In-Reply-To: <1432619990.146423.1296076466075.JavaMail.root@zmail05.collab.prod.int.phx2.redhat.com> References: <1432619990.146423.1296076466075.JavaMail.root@zmail05.collab.prod.int.phx2.redhat.com> Message-ID: <4D41BFE7.7080604@redhat.com> On 01/26/2011 04:14 PM, Kyle Baker wrote: > ACK > > ----- Original Message ----- >> Role Based Access control is supposed to be spelled out in the tabs. >> An >> earlier patch also broke the Title for the RBAC Action Panel. This >> fixes both. Depends on all my previous patches >> >> _______________________________________________ >> Freeipa-devel mailing list >> Freeipa-devel at redhat.com >> https://www.redhat.com/mailman/listinfo/freeipa-devel Rebased on top of 166 -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-admiyo-0167-2-adding-label-for-RBAC.patch Type: text/x-patch Size: 9649 bytes Desc: not available URL: From ayoung at redhat.com Thu Jan 27 18:57:04 2011 From: ayoung at redhat.com (Adam Young) Date: Thu, 27 Jan 2011 13:57:04 -0500 Subject: [Freeipa-devel] [PATCH] admiyo-0169-reset-target-section In-Reply-To: <4D409780.4030206@redhat.com> References: <4D409780.4030206@redhat.com> Message-ID: <4D41C000.1070808@redhat.com> On 01/26/2011 04:52 PM, Adam Young wrote: > > > _______________________________________________ > Freeipa-devel mailing list > Freeipa-devel at redhat.com > https://www.redhat.com/mailman/listinfo/freeipa-devel Rebased -------------- next part -------------- An HTML attachment was scrubbed... URL: -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-admiyo-0169-1-reset-target-section.patch Type: text/x-patch Size: 1184 bytes Desc: not available URL: From rcritten at redhat.com Thu Jan 27 19:28:31 2011 
From: rcritten at redhat.com (Rob Crittenden) Date: Thu, 27 Jan 2011 14:28:31 -0500 Subject: [Freeipa-devel] [PATCH] Add support for account unlocking In-Reply-To: <201101261413.51668.jzeleny@redhat.com> References: <201101210915.48299.jzeleny@redhat.com> <201101261413.51668.jzeleny@redhat.com> Message-ID: <4D41C75F.4050300@redhat.com> Jan Zelený wrote: > Jan Zeleny wrote: >> This patch adds command ipa user-unlock and some LDAP modifications >> which are required by Kerberos for unlocking to work. >> >> Ticket: >> https://fedorahosted.org/freeipa/ticket/344 >> >> Jan > > Just a reminder that this patch needs a review. > > Thanks > Jan This doesn't apply against master due to some changes to delegations. Can you rebase and set the aci name to 'permission:Unlock user accounts'. I did manage to test this and it works as expected, I just don't want to mangle the rebase. rob From kybaker at redhat.com Thu Jan 27 20:18:46 2011 From: kybaker at redhat.com (Kyle Baker) Date: Thu, 27 Jan 2011 15:18:46 -0500 (EST) Subject: [Freeipa-devel] [PATCH] 0008-Adjusted-aci-s-target-feilds-adjusted-action-panel-s In-Reply-To: <175566324.161621.1296159505509.JavaMail.root@zmail05.collab.prod.int.phx2.redhat.com> Message-ID: <840332811.161646.1296159526608.JavaMail.root@zmail05.collab.prod.int.phx2.redhat.com> A non-text attachment was scrubbed... Name: kybaker-freeipa-0008-Adjusted-aci-s-target-feilds-adjusted-action-panel-s.patch Type: text/x-patch Size: 11808 bytes Desc: not available URL: From ayoung at redhat.com Thu Jan 27 21:40:10 2011 
From: ayoung at redhat.com (Adam Young) Date: Thu, 27 Jan 2011 16:40:10 -0500 Subject: [Freeipa-devel] [PATCH] admiyo-0171-entity-filter-text Message-ID: <4D41E63A.2070706@redhat.com> Trivial patch, but want it to be reviewed. Just changes the text on the entity filter for select boxes -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-admiyo-0171-entity-filter-text.patch Type: text/x-patch Size: 811 bytes Desc: not available URL: From ayoung at redhat.com Thu Jan 27 21:41:19 2011 From: ayoung at redhat.com (Adam Young) Date: Thu, 27 Jan 2011 16:41:19 -0500 Subject: [Freeipa-devel] [PATCH]admiyo-0172-default-disable-delete Message-ID: <4D41E67F.1070209@redhat.com> For ticket https://fedorahosted.org/freeipa/ticket/668 -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-admiyo-0172-default-disable-delete.patch Type: text/x-patch Size: 2426 bytes Desc: not available URL: From ayoung at redhat.com Thu Jan 27 21:50:40 2011 
From: ayoung at redhat.com (Adam Young) Date: Thu, 27 Jan 2011 16:50:40 -0500 Subject: [Freeipa-devel] [PATCH] admiyo-0154-declarative-defintions In-Reply-To: <4D41A79B.9090801@redhat.com> References: <4D385E67.8030507@redhat.com> <4D38918C.4060804@redhat.com> <4D405BEF.2030409@redhat.com> <4D4092F9.9050700@redhat.com> <4D41A79B.9090801@redhat.com> Message-ID: <4D41E8B0.2040004@redhat.com> On 01/27/2011 12:12 PM, Adam Young wrote: > On 01/26/2011 04:32 PM, Adam Young wrote: >> On 01/26/2011 12:37 PM, Adam Young wrote: >>> Rebased on top of origin/master, and made changes. See comments below. >>> >>> >>> On 01/20/2011 02:48 PM, Endi Sukma Dewata wrote: >>>> On 1/20/2011 11:10 PM, Adam Young wrote: >>>>> If you ACK, please don't push, but let me do so, as it will likely >>>>> conflict with other UI work. >>>> >>>> There are no major issues, just some comments: >>>> >>>> 1. The declarative definition is a bit inconsistent. Some methods >>>> like association() take a spec, but other methods like facet() >>>> take an object instance. >>>> >>>> association({ >>>> 'name': 'netgroup', >>>> 'associator': 'serial' >>>> }). >>>> facet( >>>> IPA.search_facet({ >>>> 'name': 'search', >>>> 'label': 'Search' >>>> }). >>> >>> The difference is for things that are created self contained, like >>> association, and things like search and details facets that require >>> additional declaration. We could change the association call to >>> require creating the association, but not the other way around. >>> >>> Aside: there should be no need to specify name or label for search >>> and details. >>> >>>> >>>> 2. The diff tool uses the first line of the function to mark the >>>> chunks like this: 
>>>> >>>> @@ -593,10 +593,7 @@ IPA.permission = function () { >>>> >>>> Having a function name in the first line would make it easier to >>>> read. Compare this definition: >>>> >>>> IPA.permission = function () { >>>> >>>> with this definition: >>>> >>>> IPA.register_entity(function () { >>> >>> Even better, we can use an associative array, and do the two at once. >>> >>> >>>> >>>> 3. The following lines (webui.js:128-133): >>>> >>>> IPA.start_entities(); >>>> >>>> for (var i=0; i<IPA.entities.length; i++) { >>>> var entity = IPA.entities[i]; >>>> entity.init(); >>>> } >>>> >>>> probably could be combined into a single method: >>>> >>>> IPA.init_entities(); >>> Done >>> >>>> >>>> I think this method name will make more sense. >>>> >>>> 4. Entity's init_dialogs() probably could be merged into >>>> entity.init(). >>> >>> Done >>>> >>>> 5. The entity_factories is probably better named entity_classes. >>>> Factory is usually an object that creates multiple other objects. >>>> The entity 'factory' is really the entity class which is only >>>> instantiated once. >>> >>> Nah, Factory can create only a single instance. Classes is too >>> loaded a term. >>>> >>>> 6. Typo on search.js:258: >>>> >>>> spec.label = spec.lable || IPA.messages.facets.search; >>> >>> Fixed >>> >>> >>> _______________________________________________ >>> Freeipa-devel mailing list >>> Freeipa-devel at redhat.com >>> https://www.redhat.com/mailman/listinfo/freeipa-devel >> Rebased >> >> >> _______________________________________________ >> Freeipa-devel mailing list >> Freeipa-devel at redhat.com >> https://www.redhat.com/mailman/listinfo/freeipa-devel > > > _______________________________________________ > Freeipa-devel mailing list > Freeipa-devel at redhat.com > https://www.redhat.com/mailman/listinfo/freeipa-devel ACKed in IRC by Edewata. Pushed to master -------------- next part -------------- An HTML attachment was scrubbed... URL: From ayoung at redhat.com Thu Jan 27 21:51:06 2011 
From: ayoung at redhat.com (Adam Young) Date: Thu, 27 Jan 2011 16:51:06 -0500 Subject: [Freeipa-devel] [PATCH] admiyo-0166-declarative-for-aci In-Reply-To: <4D41BFA7.4040503@redhat.com> References: <212426146.146416.1296076455566.JavaMail.root@zmail05.collab.prod.int.phx2.redhat.com> <4D408FC0.2060500@redhat.com> <4D41BFA7.4040503@redhat.com> Message-ID: <4D41E8CA.5050906@redhat.com> On 01/27/2011 01:55 PM, Adam Young wrote: > On 01/26/2011 04:18 PM, Adam Young wrote: >> On 01/26/2011 04:14 PM, Kyle Baker wrote: >>> ACK >>> >>> ----- Original Message ----- >>>> Fixes https://fedorahosted.org/freeipa/ticket/772 >>>> >>>> Depends on freeipa-admiyo-0154-1-declarative-defintions.patch >>>> >>>> _______________________________________________ >>>> Freeipa-devel mailing list >>>> Freeipa-devel at redhat.com >>>> https://www.redhat.com/mailman/listinfo/freeipa-devel >> Hold on that...this requires edewata to sign off on. >> >> _______________________________________________ >> Freeipa-devel mailing list >> Freeipa-devel at redhat.com >> https://www.redhat.com/mailman/listinfo/freeipa-devel > Rebased with changes from 154 > > > _______________________________________________ > Freeipa-devel mailing list > Freeipa-devel at redhat.com > https://www.redhat.com/mailman/listinfo/freeipa-devel ACKed in IRC by edewata. Pushed to master -------------- next part -------------- An HTML attachment was scrubbed... URL: From ayoung at redhat.com Thu Jan 27 21:59:53 2011 
From: ayoung at redhat.com (Adam Young) Date: Thu, 27 Jan 2011 16:59:53 -0500 Subject: [Freeipa-devel] [PATCH] 0008-Adjusted-aci-s-target-feilds-adjusted-action-panel-s In-Reply-To: <840332811.161646.1296159526608.JavaMail.root@zmail05.collab.prod.int.phx2.redhat.com> References: <840332811.161646.1296159526608.JavaMail.root@zmail05.collab.prod.int.phx2.redhat.com> Message-ID: <4D41EAD9.1020307@redhat.com> On 01/27/2011 03:18 PM, Kyle Baker wrote: > _______________________________________________ > Freeipa-devel mailing list > Freeipa-devel at redhat.com > https://www.redhat.com/mailman/listinfo/freeipa-devel ACK and pushed to master From ayoung at redhat.com Thu Jan 27 22:00:50 2011 From: ayoung at redhat.com (Adam Young) Date: Thu, 27 Jan 2011 17:00:50 -0500 Subject: [Freeipa-devel] [PATCH] admiyo-0167-adding-label-for-RBAC In-Reply-To: <4D41BFE7.7080604@redhat.com> References: <1432619990.146423.1296076466075.JavaMail.root@zmail05.collab.prod.int.phx2.redhat.com> <4D41BFE7.7080604@redhat.com> Message-ID: <4D41EB12.3080206@redhat.com> On 01/27/2011 01:56 PM, Adam Young wrote: > On 01/26/2011 04:14 PM, Kyle Baker wrote: >> ACK >> >> ----- Original Message ----- >>> Role Based Access control is supposed to be spelled out in the tabs. >>> An >>> earlier patch also broke the Title for the RBAC Action Panel. This >>> fixes both. Depends on all my previous patches >>> >>> _______________________________________________ >>> Freeipa-devel mailing list >>> Freeipa-devel at redhat.com >>> https://www.redhat.com/mailman/listinfo/freeipa-devel > Rebased ontop of 166 > > > _______________________________________________ > Freeipa-devel mailing list > Freeipa-devel at redhat.com > https://www.redhat.com/mailman/listinfo/freeipa-devel ACKed in IRC by edewata and pushed to master -------------- next part -------------- An HTML attachment was scrubbed... URL: From ayoung at redhat.com Thu Jan 27 22:01:20 2011 
From: ayoung at redhat.com (Adam Young) Date: Thu, 27 Jan 2011 17:01:20 -0500 Subject: [Freeipa-devel] [PATCH] admiyo-0169-reset-target-section In-Reply-To: <4D41C000.1070808@redhat.com> References: <4D409780.4030206@redhat.com> <4D41C000.1070808@redhat.com> Message-ID: <4D41EB30.70703@redhat.com> On 01/27/2011 01:57 PM, Adam Young wrote: > On 01/26/2011 04:52 PM, Adam Young wrote: >> >> >> _______________________________________________ >> Freeipa-devel mailing list >> Freeipa-devel at redhat.com >> https://www.redhat.com/mailman/listinfo/freeipa-devel > Rebased > > > _______________________________________________ > Freeipa-devel mailing list > Freeipa-devel at redhat.com > https://www.redhat.com/mailman/listinfo/freeipa-devel ACKed in IRC by edewata and pushed to master -------------- next part -------------- An HTML attachment was scrubbed... URL: From ayoung at redhat.com Thu Jan 27 22:02:03 2011 From: ayoung at redhat.com (Adam Young) Date: Thu, 27 Jan 2011 17:02:03 -0500 Subject: [Freeipa-devel] [PATCH] admiyo-0170-dirty In-Reply-To: <4D40E06A.2020208@redhat.com> References: <4D40E06A.2020208@redhat.com> Message-ID: <4D41EB5B.1030809@redhat.com> On 01/26/2011 10:03 PM, Adam Young wrote: > Depends on 154, 154, 166, 167, 169 > > > _______________________________________________ > Freeipa-devel mailing list > Freeipa-devel at redhat.com > https://www.redhat.com/mailman/listinfo/freeipa-devel ACKed in IRC by edewata and pushed to master -------------- next part -------------- An HTML attachment was scrubbed... URL: From rcritten at redhat.com Thu Jan 27 22:10:02 2011 
From: rcritten at redhat.com (Rob Crittenden) Date: Thu, 27 Jan 2011 17:10:02 -0500 Subject: [Freeipa-devel] [PATCH] 693 changes from Fedora review Message-ID: <4D41ED3A.3030708@redhat.com> I pushed this patch that contains specfile changes pointed out in the Fedora package review process. rob -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-rcrit-693-spec.patch Type: text/x-patch Size: 5146 bytes Desc: not available URL: From ssorce at redhat.com Thu Jan 27 22:12:47 2011 From: ssorce at redhat.com (Simo Sorce) Date: Thu, 27 Jan 2011 17:12:47 -0500 Subject: [Freeipa-devel] [PATCH] 0077 Fix ipactl script to manage all instances Message-ID: <20110127171247.6418b10b@willson.li.ssimo.org> Ticket #860 Simo. -- Simo Sorce * Red Hat, Inc * New York -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-simo-0077-Make-sure-all-DS-instances-are-managed-by-ipactl.patch Type: text/x-patch Size: 4532 bytes Desc: not available URL: From rcritten at redhat.com Thu Jan 27 22:22:05 2011 From: rcritten at redhat.com (Rob Crittenden) Date: Thu, 27 Jan 2011 17:22:05 -0500 Subject: [Freeipa-devel] [PATCH] 0077 Fix ipactl script to manage all instances In-Reply-To: <20110127171247.6418b10b@willson.li.ssimo.org> References: <20110127171247.6418b10b@willson.li.ssimo.org> Message-ID: <4D41F00D.2060203@redhat.com> Simo Sorce wrote: > > Ticket #860 > > Simo. > ack. From ssorce at redhat.com Thu Jan 27 22:24:20 2011 
From: ssorce at redhat.com (Simo Sorce) Date: Thu, 27 Jan 2011 17:24:20 -0500 Subject: [Freeipa-devel] [PATCH] 0078 Safeguard kdc account against misconfigurations Message-ID: <20110127172420.0d6167cf@willson.li.ssimo.org> See ticket #862 Simo. -- Simo Sorce * Red Hat, Inc * New York -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-simo-0078-Put-some-safeguards-against-misconfiguration-on-the-.patch Type: text/x-patch Size: 839 bytes Desc: not available URL: From ssorce at redhat.com Thu Jan 27 22:50:03 2011 From: ssorce at redhat.com (Simo Sorce) Date: Thu, 27 Jan 2011 17:50:03 -0500 Subject: [Freeipa-devel] [PATCH] 0077 Fix ipactl script to manage all instances In-Reply-To: <4D41F00D.2060203@redhat.com> References: <20110127171247.6418b10b@willson.li.ssimo.org> <4D41F00D.2060203@redhat.com> Message-ID: <20110127175003.2f221c05@willson.li.ssimo.org> On Thu, 27 Jan 2011 17:22:05 -0500 Rob Crittenden wrote: > Simo Sorce wrote: > > > > Ticket #860 > > > > Simo. > > > > ack. > pushed to master. Simo. -- Simo Sorce * Red Hat, Inc * New York From JR.Aquino at citrix.com Thu Jan 27 23:21:34 2011 From: JR.Aquino at citrix.com (JR Aquino) Date: Thu, 27 Jan 2011 23:21:34 +0000 Subject: [Freeipa-devel] [PATCH] 0015 block anonymous access to sudo info Message-ID: Aci patch to block anonymous access to sudo info https://fedorahosted.org/freeipa/ticket/865 -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-jraquino-0015-block-anonymous-access-to-sudo-info.patch Type: application/octet-stream Size: 2300 bytes Desc: freeipa-jraquino-0015-block-anonymous-access-to-sudo-info.patch URL: From ayoung at redhat.com Fri Jan 28 01:39:01 2011 
From: ayoung at redhat.com (Adam Young) Date: Thu, 27 Jan 2011 20:39:01 -0500 Subject: [Freeipa-devel] [PATCH] admiyo-0173-aci-rights-widget Message-ID: <4D421E35.7010909@redhat.com> -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-admiyo-0173-aci-rights-widget.patch Type: text/x-patch Size: 3536 bytes Desc: not available URL: From JR.Aquino at citrix.com Fri Jan 28 02:36:30 2011 From: JR.Aquino at citrix.com (JR Aquino) Date: Fri, 28 Jan 2011 02:36:30 +0000 Subject: [Freeipa-devel] FreeIPA Logging (Not Auditing... ) Message-ID: I have been working with the project for a while now and it has dawned on me that the FreeIPA ipalib plugins, don't really have a syslog library that they output with. So far I've really just been troubleshooting and getting around with: /var/log/httpd/access_log /var/log/httpd/error_log /var/log/dirsrv/slapd-DOMAIN/access /var/log/dirsrv/slapd-DOMAIN/error This is useful, but it is verbose and doesn't quite capture the cli/webui interactions in 1 line. [27/Jan/2011:17:46:59 -0800] conn=40 op=7 ADD dn="fqdn=test1.example.com,cn=computers,cn=accounts,dc=example,dc=com" [27/Jan/2011:17:46:59 -0800] conn=40 op=7 RESULT err=0 tag=105 nentries=0 etime=0 Etc, etc, etc? The cli does a good job of expressing itself to standard out when a command is successfully/unsuccessfully run. I am wondering what the group thinks about the idea of a library that can be loaded either by the api or the plugin itself, to pass the relevant bits of data that end up going to standard out, into a format that would be sane to send to a syslog stream. I'm thinking of something that shows: