From: edewata at redhat.com (Endi Sukma Dewata)
Date: Thu, 30 Jun 2011 19:46:57 -0500
Subject: [Freeipa-devel] [PATCH] 0261-entity-link-for-password-policy
In-Reply-To: <4E0CEDC9.8010001@redhat.com>
References: <4E0CEDC9.8010001@redhat.com>
Message-ID: <4E0D1901.9090005@redhat.com>

On 6/30/2011 4:42 PM, Adam Young wrote:
>

Some issues:

1. Suppose initially you open an entry that contains a value that matches no_link_value, it will hide the link and show the label. Then suppose you open another entry that has no value, it will empty the link but leave the label from the previous entry visible.

This is not a problem for password policy because cn will always have a value, but it might be better to change the else-clause in reset() to hide both the link and the label:

that.link.css('display','none');
that.label.css('display','none');

2. Optional: The no_link_value seems to be limited to a single value only. While it works fine for password policy, I suppose in other cases we might want to match multiple values or use some other logic. One solution is to put the logic that checks the value inside a method that can be overridden by the subclass.

--
Endi S. Dewata
From: edewata at redhat.com (Endi Sukma Dewata)
Date: Thu, 30 Jun 2011 20:03:08 -0500
Subject: [Freeipa-devel] [PATCH] 195 Added confirmation dialog for user activation.
Message-ID: <4E0D1CCC.70908@redhat.com>

The IPA.user_status_widget has been modified such that it checks the facet dirty status and asks the admin to either Update or Reset the changes. Then the widget shows a dialog to confirm whether the admin wants to activate/deactivate the user.

Ticket #1395

--
Endi S. Dewata

-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-edewata-0195-Added-confirmation-dialog-for-user-activation.patch
Type: text/x-patch
Size: 11749 bytes
Desc: not available
URL:

From: ayoung at redhat.com (Adam Young)
Date: Thu, 30 Jun 2011 22:02:20 -0400
Subject: [Freeipa-devel] [PATCH] 195 Added confirmation dialog for user activation.
In-Reply-To: <4E0D1CCC.70908@redhat.com>
References: <4E0D1CCC.70908@redhat.com>
Message-ID: <4E0D2AAC.30605@redhat.com>

On 06/30/2011 09:03 PM, Endi Sukma Dewata wrote:
> The IPA.user_status_widget has been modified such that it checks
> the facet dirty status and asks the admin to either Update or Reset
> the changes. Then the widget shows a dialog to confirm whether
> the admin wants to activate/deactivate the user.
>
> Ticket #1395
>
>
> _______________________________________________
> Freeipa-devel mailing list
> Freeipa-devel at redhat.com
> https://www.redhat.com/mailman/listinfo/freeipa-devel

ACK.

Minor tweak, put the "take effect immediately " on its own line so it stands out.

-------------- next part --------------
An HTML attachment was scrubbed...
URL:
From: ayoung at redhat.com (Adam Young)
Date: Thu, 30 Jun 2011 22:29:58 -0400
Subject: [Freeipa-devel] [PATCH] 0260-config-widgets
In-Reply-To: <4E0D0AF1.6020706@redhat.com>
References: <4E0CB91B.7090305@redhat.com> <4E0D0AF1.6020706@redhat.com>
Message-ID: <4E0D3126.2000706@redhat.com>

On 06/30/2011 07:46 PM, Endi Sukma Dewata wrote:
> On 6/30/2011 12:57 PM, Adam Young wrote:
>>
>
> As mentioned in ticket #1409, the checkbox should have a label (i.e.
> Enabled). Otherwise it's not clear what the checkbox means for
> migration mode.
>
> Other than that it's ACKed.
>

Added 'Enabled' to label and pushed to master

From: edewata at redhat.com (Endi Sukma Dewata)
Date: Thu, 30 Jun 2011 21:52:27 -0500
Subject: [Freeipa-devel] [PATCH] 195 Added confirmation dialog for user activation.
In-Reply-To: <4E0D2AAC.30605@redhat.com>
References: <4E0D1CCC.70908@redhat.com> <4E0D2AAC.30605@redhat.com>
Message-ID: <4E0D366B.8040100@redhat.com>

On 6/30/2011 9:02 PM, Adam Young wrote:
> ACK.
>
> Minor tweak, put the "take effect immediately " on its own line so it
> stands out.

Fixed and pushed to master.

--
Endi S. Dewata

From: edewata at redhat.com (Endi Sukma Dewata)
Date: Thu, 30 Jun 2011 22:12:41 -0500
Subject: [Freeipa-devel] [PATCH] 196 Fixed button style in Entitlements
Message-ID: <4E0D3B29.9010002@redhat.com>

Pushed under one-liner rule.

The entitlement buttons are located several levels underneath facet-controls, so the CSS selector has been fixed to extend beyond facet-controls' immediate children.

Ticket #1419

--
Endi S. Dewata
From: jcholast at redhat.com (Jan Cholasta)
Date: Fri, 01 Jul 2011 08:12:07 +0200
Subject: [Freeipa-devel] [PATCH] 23 Add ability to specify DNS reverse zone name by IP network address
In-Reply-To: <4E0CE293.1050109@redhat.com>
References: <4E008B7B.6020404@redhat.com> <4E035324.4000607@redhat.com> <4E0A18AA.7040304@redhat.com> <4E0CE293.1050109@redhat.com>
Message-ID: <4E0D6537.5080309@redhat.com>

On 30.6.2011 22:54, Adam Young wrote:
> On 06/28/2011 02:08 PM, Rob Crittenden wrote:
>> Jan Cholasta wrote:
>>> On 21.6.2011 14:15, Jan Cholasta wrote:
>>>> This patch adds a new option name_from_ip to dnszone commands. Default
>>>> value of idnsname is created from this option.
>>>>
>>>> Honza
>>>>
>>>
>>> Fixed the API version number, added usage example to dns plugin help.
>>>
>>> https://fedorahosted.org/freeipa/ticket/1045
>>>
>>> Honza
>>
>> Had quickie code review in IRC this morning. I asked for a comment
>> around the while loop, Honza suggested: This is to make chained
>> default_from work - idnssoarname default is created from idnsname and
>> idnsname default is created from name_from_ip - without this change,
>> idnssoarname default value isn't created when only name_from_ip is
>> specified.
>>
>> Would also be nice to have a test case for this new usage.
>>
>> rob
>>
> NACK
>
> Finally got the code to run, and I realize that it is completely a
> client side operation. That won't work for the WebUI.

What do you mean? I have tested it both in CLI and WebUI and both worked fine.

>
> The WebUI needs to use the same business logic as the CLI, but it cannot
> execute client side Python. Thus the API needs to accept the IP address,
> and calculate the reverse zone on it.

The API does accept the IP address (through the name_from_net option) and does calculate the reverse zone name from it. I don't see where the problem is. Would you care to explain please?

>
> The reverse zone should honor the netmask. A discussion earlier today
> decided that if no netmask is specified, use an assumed netmask of /64
> for IPv6 and of /24 for IPv4.
>

Honza

--
Jan Cholasta

From: abokovoy at redhat.com (Alexander Bokovoy)
Date: Fri, 01 Jul 2011 12:24:16 +0300
Subject: [Freeipa-devel] [PATCH] 3 ipa-client-install tries to start non-existing nscd
Message-ID: <4E0D9240.7070001@redhat.com>

--
/ Alexander Bokovoy

-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: freeipa-abbra-0003-ticket-1373.patch
URL:

From: abokovoy at redhat.com (Alexander Bokovoy)
Date: Fri, 01 Jul 2011 12:24:55 +0300
Subject: [Freeipa-devel] [PATCH] 4 ipa-client-install complains about non-existing nss_ldap
Message-ID: <4E0D9267.4000107@redhat.com>

--
/ Alexander Bokovoy

-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: freeipa-abbra-0004-ticket-1369.patch
URL:

From: abokovoy at redhat.com (Alexander Bokovoy)
Date: Fri, 01 Jul 2011 12:44:31 +0300
Subject: [Freeipa-devel] [PATCH] 4 (1) ipa-client-install complains about non-existing nss_ldap
Message-ID: <4E0D96FF.2050406@redhat.com>

New version: forgot to import package_installed_name from ipautil. Previous version can be ignored.

--
/ Alexander Bokovoy
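A worked version of the reverse-zone defaulting discussed in Jan Cholasta's name_from_ip thread above (the agreed /24 and /64 defaults when no netmask is given), added here as an example; it is not code from the patch or from FreeIPA, and it uses the standard-library ipaddress module in place of python-netaddr. The function name reverse_zone_name and the sample addresses are assumptions; it also handles explicit prefix lengths, which the thread only implies.

```python
import ipaddress

# Assumed netmask when the value carries none, as agreed in the thread:
# /24 for IPv4 and /64 for IPv6.
DEFAULT_PREFIXLEN = {4: 24, 6: 64}


def reverse_zone_name(name_from_ip):
    """Derive the reverse zone name (idnsname) for an IP address or network.

    name_from_ip is a string such as '192.0.2.10' or '2001:db8::/48'
    (constructed documentation-range examples). A bare address gets the
    default prefix length; an explicit prefix length is honoured.
    Hypothetical helper, not the plugin's own function.
    """
    if "/" in name_from_ip:
        net = ipaddress.ip_network(name_from_ip, strict=False)
    else:
        addr = ipaddress.ip_address(name_from_ip)
        net = ipaddress.ip_network(
            "%s/%d" % (addr, DEFAULT_PREFIXLEN[addr.version]), strict=False)

    if net.version == 4:
        # in-addr.arpa zones can only be cut at octet boundaries
        if net.prefixlen == 0 or net.prefixlen % 8:
            raise ValueError("IPv4 prefix length must be a non-zero multiple "
                             "of 8, got /%d" % net.prefixlen)
        labels = str(net.network_address).split(".")[: net.prefixlen // 8]
        suffix = "in-addr.arpa."
    else:
        # ip6.arpa zones are cut at nibble (4-bit) boundaries
        if net.prefixlen == 0 or net.prefixlen % 4:
            raise ValueError("IPv6 prefix length must be a non-zero multiple "
                             "of 4, got /%d" % net.prefixlen)
        nibbles = net.network_address.exploded.replace(":", "")
        labels = list(nibbles[: net.prefixlen // 4])
        suffix = "ip6.arpa."

    return ".".join(reversed(labels)) + "." + suffix


if __name__ == "__main__":
    for value in ("192.0.2.10", "10.0.0.0/8", "2001:db8::1", "2001:db8::/48"):
        print("%-16s -> %s" % (value, reverse_zone_name(value)))
```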
From: jcholast at redhat.com (Jan Cholasta)
Date: Fri, 01 Jul 2011 12:35:19 +0200
Subject: [Freeipa-devel] [PATCH] 25 Update minimum required version of python-netaddr
In-Reply-To: <4E09E1B1.1070300@redhat.com>
References: <4E09CE73.1000503@redhat.com> <4E09E1B1.1070300@redhat.com>
Message-ID: <4E0DA2E7.8040903@redhat.com>

On 28.6.2011 16:14, Jakub Hrozek wrote:
> On 06/28/2011 08:52 AM, Jan Cholasta wrote:
>> https://fedorahosted.org/freeipa/ticket/1288
>>
>> Honza
>>
>
> I gather this is done in order to get rid of the "try: except all" hack
> in installer?
>
> This works fine with F15 and F16 in mind. However, if the specfile is
> intended for being usable on RHEL as well (at least for development),
> some %if magic is required -- the fix is not there yet.
>

Updated so that 0.7.5-3 is required on Fedora >= 15 and RHEL >= 6.

Honza

--
Jan Cholasta

-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-jcholast-25.1-require-python-netaddr.patch
Type: text/x-patch
Size: 1079 bytes
Desc: not available
URL:

From: jcholast at redhat.com (Jan Cholasta)
Date: Fri, 01 Jul 2011 13:54:35 +0200
Subject: [Freeipa-devel] [PATCH] 4 (1) ipa-client-install complains about non-existing nss_ldap
In-Reply-To: <4E0D96FF.2050406@redhat.com>
References: <4E0D96FF.2050406@redhat.com>
Message-ID: <4E0DB57B.1070105@redhat.com>

On 1.7.2011 11:44, Alexander Bokovoy wrote:
> New version: forgot to import package_installed_name from ipautil.
> Previous version can be ignored.
>

ipa-client-install should be usable on non-RH platforms (see https://fedorahosted.org/freeipa/ticket/1374), so you shouldn't use /bin/rpm, as that's platform-specific. Wouldn't just rephrasing the warning message (as suggested in the ticket) be sufficient?

Honza

--
Jan Cholasta
From: abokovoy at redhat.com (Alexander Bokovoy)
Date: Fri, 01 Jul 2011 15:00:52 +0300
Subject: [Freeipa-devel] [PATCH] 4 (1) ipa-client-install complains about non-existing nss_ldap
In-Reply-To: <4E0DB57B.1070105@redhat.com>
References: <4E0D96FF.2050406@redhat.com> <4E0DB57B.1070105@redhat.com>
Message-ID: <4E0DB6F4.6040904@redhat.com>

Hi,

On 01.07.2011 14:54, Jan Cholasta wrote:
> On 1.7.2011 11:44, Alexander Bokovoy wrote:
>> New version: forgot to import package_installed_name from ipautil.
>> Previous version can be ignored.
>>
>
> ipa-client-install should be usable on non-RH platforms (see
> https://fedorahosted.org/freeipa/ticket/1374), so you shouldn't use
> /bin/rpm, as that's platform-specific. Wouldn't just rephrasing the
> warning message (as suggested in the ticket) be sufficient?

If you want to support non-rpm-based platforms, you'll need to do much greater work than not depend on rpm. For example, /sbin/service and chkconfig might not be there.

All this is abstracted now in ipautil.py and right thing for those platforms would be to provide appropriate implementation of the ipautil.py.

--
/ Alexander Bokovoy
From: jcholast at redhat.com (Jan Cholasta)
Date: Fri, 01 Jul 2011 14:18:58 +0200
Subject: [Freeipa-devel] [PATCH] 4 (1) ipa-client-install complains about non-existing nss_ldap
In-Reply-To: <4E0DB6F4.6040904@redhat.com>
References: <4E0D96FF.2050406@redhat.com> <4E0DB57B.1070105@redhat.com> <4E0DB6F4.6040904@redhat.com>
Message-ID: <4E0DBB32.9030804@redhat.com>

On 1.7.2011 14:00, Alexander Bokovoy wrote:
> Hi,
>
> On 01.07.2011 14:54, Jan Cholasta wrote:
>> On 1.7.2011 11:44, Alexander Bokovoy wrote:
>>> New version: forgot to import package_installed_name from ipautil.
>>> Previous version can be ignored.
>>>
>>
>> ipa-client-install should be usable on non-RH platforms (see
>> https://fedorahosted.org/freeipa/ticket/1374), so you shouldn't use
>> /bin/rpm, as that's platform-specific. Wouldn't just rephrasing the
>> warning message (as suggested in the ticket) be sufficient?
> If you want to support non-rpm-based platforms, you'll need to do much
> greater work than not depend on rpm. For example, /sbin/service and
> chkconfig might not be there.

I'm not sure adding even more complexity is helpful, especially when it's used just to print a warning message. But I'd like a second opinion on this.

>
> All this is abstracted now in ipautil.py and right thing for those
> platforms would be to provide appropriate implementation of the ipautil.py.
>

Honza

--
Jan Cholasta
From: simo at redhat.com (Simo Sorce)
Date: Fri, 01 Jul 2011 08:40:27 -0400
Subject: [Freeipa-devel] [PATCH] 4 (1) ipa-client-install complains about non-existing nss_ldap
In-Reply-To: <4E0DBB32.9030804@redhat.com>
References: <4E0D96FF.2050406@redhat.com> <4E0DB57B.1070105@redhat.com> <4E0DB6F4.6040904@redhat.com> <4E0DBB32.9030804@redhat.com>
Message-ID: <1309524027.2681.143.camel@willson.li.ssimo.org>

On Fri, 2011-07-01 at 14:18 +0200, Jan Cholasta wrote:
> On 1.7.2011 14:00, Alexander Bokovoy wrote:
> > Hi,
> >
> > On 01.07.2011 14:54, Jan Cholasta wrote:
> >> On 1.7.2011 11:44, Alexander Bokovoy wrote:
> >>> New version: forgot to import package_installed_name from ipautil.
> >>> Previous version can be ignored.
> >>>
> >>
> >> ipa-client-install should be usable on non-RH platforms (see
> >> https://fedorahosted.org/freeipa/ticket/1374), so you shouldn't use
> >> /bin/rpm, as that's platform-specific. Wouldn't just rephrasing the
> >> warning message (as suggested in the ticket) be sufficient?
> > If you want to support non-rpm-based platforms, you'll need to do much
> > greater work than not depend on rpm. For example, /sbin/service and
> > chkconfig might not be there.
>
> I'm not sure adding even more complexity is helpful, especially when
> it's used just to print a warning message. But I'd like a second opinion
> on this.

I think it is time we start renaming ipautil.py to ipautil-rh.py and do ourselves, or invite someone to write ipautil-debian.py, then have code that loads the right module at runtime.

Simo.

--
Simo Sorce * Red Hat, Inc * New York
From: simo at redhat.com (Simo Sorce)
Date: Fri, 01 Jul 2011 10:28:54 -0400
Subject: [Freeipa-devel] Proposal: drop DENY rules from HBAC
In-Reply-To: <4E0B8A1D.6000505@redhat.com>
References: <1309377629.6189.32.camel@sgallagh520.bos.redhat.com> <4E0B8A1D.6000505@redhat.com>
Message-ID: <1309530534.2681.165.camel@willson.li.ssimo.org>

On Wed, 2011-06-29 at 16:25 -0400, Jakub Hrozek wrote:
> By removing the deny rules, do we break compatibility with anything else
> than the IPA tech preview in RHEL and upstream FreeIPA 2.0?

Ok we've had a somewhat heated discussion internally about how to deal with the transition phase for those admins that decided to use HBAC DENY rules. Hopefully very few did and so very few people will actually be impacted, but we need to handle those cases the best we can to avoid security issues for those users.

Here is a rough plan I'd like to get both developers *AND* users feedback on if you care about it.

The premise to the following plan is that very few administrators, unfortunately, carefully read release notes before upgrading, so simply dropping and ignoring DENY rules is felt as something we can't do.

We split the solution in 2 parts, one on the SSSD side (the only client currently able to understand IPA HBAC rules), and one on the server side.

SSSD:

Inconveniencing clients is probably the easiest way to cause the least disruption and attract the administrators' attention. The idea here is to treat any DENY rule as actually a DENY-ALL rule. Basically causing any login attempt for any service to fail as soon as the new sssd package is installed.

Even though admins normally do not read release notes, they still do a few test upgrades before upgrading the whole set of clients they administer. By having SSSD deny logins if any DENY rule is found (and spamming the log with pointers at the same time) we hope to give admins a good enough "wake up something changed" call.

This change will be prominently advertised in SSSD release notes.

Also to ease the pain for those places where the Server and client admins are different groups, we plan to add a transitional configuration option. This option will allow admins to ignore DENY rules entirely. The option will default to the DENYALL behavior described above, but admins will be able to toggle it to ignore so they can keep testing the client, while they make sure to warn the Server admins that DENY rules support is going to be dropped.

FreeIPA:

On the server side instead we will add 2 visual cues to the WebUI and probably something to the CLI commands used to manage HBAC rules.

In the WebUI, pending UXD and UI developers approval/feedback we will have a prominent error message in the main page only for administrators that are allowed to manage HBAC rules. This warning will be shown if any DENY rule exists on the server.

In the HBAC pages, deny rules will be highlighted and text explaining they are not supported anymore and need to be removed will be shown.

These warnings will be dropped down the road after 1 more point release.

Of course release notes will prominently highlight this change so that most admins will be prepared to handle this change.

Hopefully people will have enough cues to properly handle the situation.

Simo.

--
Simo Sorce * Red Hat, Inc * New York
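The transitional client-side behaviour Simo describes, as an added example that is not SSSD's or FreeIPA's code: a small HBAC evaluator in which the mere presence of a DENY rule becomes DENY-ALL unless a configuration option (named deny_rule_handling here, an assumption) is set to ignore such rules; find_deny_rules is the existence check behind the proposed server-side warning. The rule dicts, names and log messages are constructed for this example.

```python
import logging

log = logging.getLogger("hbac")

# Transitional setting proposed for the SSSD client (option name assumed):
#   "denyall" - any DENY rule on the server turns into a deny-all
#   "ignore"  - DENY rules are skipped and only ALLOW rules are evaluated
DENY_RULE_HANDLING = ("denyall", "ignore")


def find_deny_rules(rules):
    """Names of DENY rules present on the server.

    Also the check behind the proposed WebUI warning. The enabled flag is
    deliberately not consulted: the cue should fire as long as the rule exists.
    """
    return sorted(r["cn"] for r in rules if r["accessruletype"] == "deny")


def rule_matches(rule, user, host, service):
    """True if the rule's who/where/what sets cover this login.

    Each of 'users', 'hosts' and 'services' is either the string 'all'
    (the IPA *category=all case) or a set of names.
    """
    for key, value in (("users", user), ("hosts", host), ("services", service)):
        members = rule[key]
        if members != "all" and value not in members:
            return False
    return True


def evaluate_hbac(rules, user, host, service, deny_rule_handling="denyall"):
    """Return True if user may use service on host, else False."""
    if deny_rule_handling not in DENY_RULE_HANDLING:
        raise ValueError("deny_rule_handling must be one of %r"
                         % (DENY_RULE_HANDLING,))

    deny_rules = find_deny_rules(rules)
    if deny_rules and deny_rule_handling == "denyall":
        # Fail closed and point the admin at the cause, as the plan describes.
        log.error("HBAC DENY rules %s are no longer supported; refusing all "
                  "logins until they are removed on the server", deny_rules)
        return False

    for rule in rules:
        if not rule["enabled"] or rule["accessruletype"] != "allow":
            continue  # disabled rules and (ignored) DENY rules never match
        if rule_matches(rule, user, host, service):
            log.info("%s on %s via %s allowed by rule %s",
                     user, host, service, rule["cn"])
            return True
    return False  # no ALLOW rule matched: HBAC is default-deny


# Constructed sample rules, not real IPA entries.
SAMPLE_RULES = [
    {"cn": "allow_ssh_ops", "accessruletype": "allow", "enabled": True,
     "users": {"alice", "carol"}, "hosts": "all", "services": {"sshd"}},
    {"cn": "deny_bob", "accessruletype": "deny", "enabled": True,
     "users": {"bob"}, "hosts": "all", "services": "all"},
]

if __name__ == "__main__":
    logging.basicConfig(level=logging.INFO)
    print(evaluate_hbac(SAMPLE_RULES, "alice", "web1", "sshd"))            # False: a DENY rule exists
    print(evaluate_hbac(SAMPLE_RULES, "alice", "web1", "sshd", "ignore"))  # True: only ALLOW rules count
```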
From: jhrozek at redhat.com (Jakub Hrozek)
Date: Fri, 01 Jul 2011 10:34:48 -0400
Subject: [Freeipa-devel] [PATCH] 25 Update minimum required version of python-netaddr
In-Reply-To: <4E0DA2E7.8040903@redhat.com>
References: <4E09CE73.1000503@redhat.com> <4E09E1B1.1070300@redhat.com> <4E0DA2E7.8040903@redhat.com>
Message-ID: <4E0DDB08.1010201@redhat.com>

On 07/01/2011 06:35 AM, Jan Cholasta wrote:
> On 28.6.2011 16:14, Jakub Hrozek wrote:
>> On 06/28/2011 08:52 AM, Jan Cholasta wrote:
>>> https://fedorahosted.org/freeipa/ticket/1288
>>>
>>> Honza
>>>
>>
>> I gather this is done in order to get rid of the "try: except all" hack
>> in installer?
>>
>> This works fine with F15 and F16 in mind. However, if the specfile is
>> intended for being usable on RHEL as well (at least for development),
>> some %if magic is required -- the fix is not there yet.
>>
>
> Updated so that 0.7.5-3 is required on Fedora >= 15 and RHEL >= 6.
>
> Honza
>

Sorry, I wasn't clear in the previous message.

The fix so far is *only* in Fedora, not in any RHEL versions. So the versioned requires must apply only to Fedora until we release python-netaddr errata, be it in 6.2 or 6.3
From: rcritten at redhat.com (Rob Crittenden)
Date: Fri, 01 Jul 2011 11:40:16 -0400
Subject: [Freeipa-devel] [PATCH] 810 fix re-enrolling a host with a OTP
In-Reply-To: <4E0CE134.8000809@redhat.com>
References: <4E0A0B9F.9030402@redhat.com> <4E0CE134.8000809@redhat.com>
Message-ID: <4E0DEA60.5020003@redhat.com>

Rob Crittenden wrote:
> Rob Crittenden wrote:
>> Don't set krbLastPwdChange when setting a host OTP password.
>>
>> We have no visibility into whether an entry has a keytab or not so
>> krbLastPwdChange is used as a rough guide.
>>
>> If this value exists during enrollment then it fails because the host is
>> considered already joined. This was getting set when an OTP was added to
>> a host that had already been enrolled (e.g. you enroll a host, unenroll
>> it, set an OTP, then try to re-enroll). The second enrollment was failing
>> because the enrollment plugin thought it was still enrolled because
>> krbLastPwdChange was set.
>>
>> https://fedorahosted.org/freeipa/ticket/1357
>>
>> rob
>
> self-nack, found a corner case.

Updated patch.

rob

-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-rcrit-810-2-enroll.patch
Type: text/x-diff
Size: 8910 bytes
Desc: not available
URL:

From: rcritten at redhat.com (Rob Crittenden)
Date: Fri, 01 Jul 2011 11:41:50 -0400
Subject: [Freeipa-devel] [PATCH] 813 fix enrolledBy regression
Message-ID: <4E0DEABE.7040804@redhat.com>

enrolledBy represents the DN of the entry that enrolled a host. We don't want an admin to manipulate this but an aci allowed it. This was a regression.

ticket 302

rob

-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-rcrit-813-enrolledby.patch
Type: text/x-diff
Size: 1725 bytes
Desc: not available
URL:
From: ayoung at redhat.com (Adam Young)
Date: Fri, 01 Jul 2011 14:08:08 -0400
Subject: [Freeipa-devel] [PATCH] 0261-entity-link-for-password-policy
In-Reply-To: <4E0D1901.9090005@redhat.com>
References: <4E0CEDC9.8010001@redhat.com> <4E0D1901.9090005@redhat.com>
Message-ID: <4E0E0D08.1000004@redhat.com>

On 06/30/2011 08:46 PM, Endi Sukma Dewata wrote:
> On 6/30/2011 4:42 PM, Adam Young wrote:
>>
>
> Some issues:
>
> 1. Suppose initially you open an entry that contains a value that
> matches no_link_value, it will hide the link and show the label. Then
> suppose you open another entry that has no value, it will empty the
> link but leaving the label from the previous entry visible.
>
> This is not a problem for password policy because cn will always have
> a value, but it might be better to change the else-clause in reset()
> to hide both the link and the label:
>
> that.link.css('display','none');
> that.label.css('display','none');
>
> 2. Optional: The no_link_value seems to be limited to a single value
> only. While it works fine for password policy, I suppose in other
> cases we might want to match multiple values or use some other logic.
> One solution is to put the logic that checks the value inside a method
> that can be overridden by the subclass.
>

-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-admiyo-0261-1-entity-link-for-password-policy.patch
Type: text/x-patch
Size: 3613 bytes
Desc: not available
URL:
From: edewata at redhat.com (Endi Sukma Dewata)
Date: Fri, 01 Jul 2011 13:45:13 -0500
Subject: [Freeipa-devel] [PATCH] 197 Added arrow icons for details sections.
Message-ID: <4E0E15B9.8090108@redhat.com>

New arrow icons have been added to replace the plus/minus sign icons for expanding/collapsing details sections.

Ticket #1422

--
Endi S. Dewata

-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-edewata-0197-Added-arrow-icons-for-details-sections.patch
Type: text/x-patch
Size: 5816 bytes
Desc: not available
URL:
From: jcholast at redhat.com (Jan Cholasta)
Date: Fri, 01 Jul 2011 21:04:02 +0200
Subject: [Freeipa-devel] [PATCH] 25 Update minimum required version of python-netaddr
In-Reply-To: <4E0DDB08.1010201@redhat.com>
References: <4E09CE73.1000503@redhat.com> <4E09E1B1.1070300@redhat.com> <4E0DA2E7.8040903@redhat.com> <4E0DDB08.1010201@redhat.com>
Message-ID: <4E0E1A22.7040905@redhat.com>

On 1.7.2011 16:34, Jakub Hrozek wrote:
> On 07/01/2011 06:35 AM, Jan Cholasta wrote:
>> On 28.6.2011 16:14, Jakub Hrozek wrote:
>>> On 06/28/2011 08:52 AM, Jan Cholasta wrote:
>>>> https://fedorahosted.org/freeipa/ticket/1288
>>>>
>>>> Honza
>>>>
>>>
>>> I gather this is done in order to get rid of the "try: except all" hack
>>> in installer?
>>>
>>> This works fine with F15 and F16 in mind. However, if the specfile is
>>> intended for being usable on RHEL as well (at least for development),
>>> some %if magic is required -- the fix is not there yet.
>>>
>>
>> Updated so that 0.7.5-3 is required on Fedora >= 15 and RHEL >= 6.
>>
>> Honza
>>
>
> Sorry, I wasn't clear in the previous message.
>
> The fix so far is *only* in Fedora, not in any RHEL versions. So the
> versioned requires must apply only to Fedora until we release
> python-netaddr errata, be it in 6.2 or 6.3

Thanks for the info. I really need to learn more about RHEL :-)

Updated patch attached.

Honza

--
Jan Cholasta

-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-jcholast-25.2-require-python-netaddr.patch
Type: text/x-patch
Size: 1043 bytes
Desc: not available
URL:
From: edewata at redhat.com (Endi Sukma Dewata)
Date: Fri, 01 Jul 2011 14:08:32 -0500
Subject: [Freeipa-devel] [PATCH] 0261-entity-link-for-password-policy
In-Reply-To: <4E0E0D08.1000004@redhat.com>
References: <4E0CEDC9.8010001@redhat.com> <4E0D1901.9090005@redhat.com> <4E0E0D08.1000004@redhat.com>
Message-ID: <4E0E1B30.30102@redhat.com>

On 7/1/2011 1:08 PM, Adam Young wrote:
>

ACK but there's a jslint warning.

--
Endi S. Dewata

From: rcritten at redhat.com (Rob Crittenden)
Date: Fri, 01 Jul 2011 15:41:44 -0400
Subject: [Freeipa-devel] [PATCHES] 814, 815, 816 Fix test failures
Message-ID: <4E0E22F8.7000000@redhat.com>

I found a few test failures that have resulted from some recent commits. These got lost in the mix of "expected" failures when I did initial testing on them. This has inspired me to try to fix all the test failures (see patch 817 too).

This fixes:

- an error in a new exception example
- the case of boolean values in nsAccountLock
- a change in the updater code

rob

-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-rcrit-814-exception.patch
Type: text/x-diff
Size: 935 bytes
Desc: not available
URL:
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-rcrit-815-updater.patch
Type: text/x-diff
Size: 1630 bytes
Desc: not available
URL:
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-rcrit-816-boolean.patch
Type: text/x-diff
Size: 12804 bytes
Desc: not available
URL:
From: rcritten at redhat.com (Rob Crittenden)
Date: Fri, 01 Jul 2011 15:45:25 -0400
Subject: [Freeipa-devel] [PATCH] 817 Add option to wait for values
Message-ID: <4E0E23D5.1070001@redhat.com>

389-ds postop plugins, such as the managed entry and memberof plugins, add values after the data has been returned to the client. In the case of the managed entry plugin this affects the parent entry as well (adds an objectclass value).

This wreaks havoc on our tests as the values don't match what we expect.

The solution is to wait for the postop plugins to finish their work, then return. I've added this as an option. The downside is it is going to naturally slow things down, so it is off by default.

It is currently only used in the hostgroup plugin.

The option is wait_for_attr. Add this to ~/.ipa/default.conf and set it to True and all the current tests will pass (assuming you apply patches 814-816 as well).

So now we won't have any excuses for missing test failures in the unit tests...

rob

-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-rcrit-817-wait.patch
Type: text/x-diff
Size: 4058 bytes
Desc: not available
URL:

From: rcritten at redhat.com (Rob Crittenden)
Date: Fri, 01 Jul 2011 15:59:46 -0400
Subject: [Freeipa-devel] [PATCH] 190 Removed invalid associations.
In-Reply-To: <4E04E474.4020005@redhat.com>
References: <4E04E474.4020005@redhat.com>
Message-ID: <4E0E2732.50000@redhat.com>

Endi Sukma Dewata wrote:
> The following invalid associations have been removed:
> - group's memberindirect netgroup and role
> - hostgroup's memberofindirect host
>
> Ticket #1366
> Ticket #1367

Ack, pushed to master
From: ayoung at redhat.com (Adam Young)
Date: Fri, 01 Jul 2011 16:50:06 -0400
Subject: [Freeipa-devel] [PATCH] 0261-entity-link-for-password-policy
In-Reply-To: <4E0E1B30.30102@redhat.com>
References: <4E0CEDC9.8010001@redhat.com> <4E0D1901.9090005@redhat.com> <4E0E0D08.1000004@redhat.com> <4E0E1B30.30102@redhat.com>
Message-ID: <4E0E32FE.7080003@redhat.com>

On 07/01/2011 03:08 PM, Endi Sukma Dewata wrote:
> On 7/1/2011 1:08 PM, Adam Young wrote:
>>
>
> ACK but there's a jslint warning.
>

Fixed and pushed to master

From: rcritten at redhat.com (Rob Crittenden)
Date: Fri, 01 Jul 2011 17:32:11 -0400
Subject: [Freeipa-devel] [PATCH] 817 Add option to wait for values
In-Reply-To: <4E0E23D5.1070001@redhat.com>
References: <4E0E23D5.1070001@redhat.com>
Message-ID: <4E0E3CDB.7070309@redhat.com>

Rob Crittenden wrote:
> 389-ds postop plugins, such as the managed entry and memberof plugins,
> add values after the data has been returned to the client. In the case
> of the managed entry plugin this affects the parent entry as well (adds
> an objectclass value).
>
> This wreaks havoc on our tests as the values don't match what we expect.
>
> The solution is to wait for the postop plugins to finish their work,
> then return. I've added this as an option. The downside is it is going
> to naturally slow things down, so it is off by default.
>
> It is currently only used in the hostgroup plugin.
>
> The option is wait_for_attr. Add this to ~/.ipa/default.conf and set it
> to True and all the current tests will pass (assuming you apply patches
> 814-816 as well).
>
> So now we won't have any excuses for missing test failures in the unit
> tests...
>
> rob

Bah, found a small problem. Self-NACK.

rob
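The wait_for_attr idea from patch 817 in the thread above, as an added illustration that is not the patch's code: re-read the entry until the value a postop plugin adds is visible, with a timeout so that a plugin that never runs cannot hang the caller. The fetch_entry callable, the FakeDirectory stand-in for 389-ds, the placeholder DN and the mepOriginEntry value are assumptions made for this example.

```python
import time


class AttrWaitTimeout(Exception):
    """The expected value never showed up within the timeout."""


def wait_for_attr(fetch_entry, dn, attr, expected_value,
                  timeout=5.0, interval=0.1, sleep=time.sleep, clock=time.monotonic):
    """Re-read dn until attr contains expected_value, then return the entry.

    fetch_entry(dn) is an assumed caller-supplied callable returning the
    entry as a dict of attribute name -> list of values (not IPA's ldap2
    API). Postop plugins such as memberOf or the managed entry plugin add
    values after the write has returned, so the first read may miss them.
    The deadline keeps a plugin that never fires from blocking forever.
    """
    deadline = clock() + timeout
    while True:
        entry = fetch_entry(dn)
        if expected_value in entry.get(attr, []):
            return entry
        if clock() >= deadline:
            raise AttrWaitTimeout("%s: %s=%s not present after %.2fs"
                                  % (dn, attr, expected_value, timeout))
        sleep(interval)


class FakeDirectory:
    """Constructed stand-in for 389-ds: the objectclass value that the
    managed entry plugin adds to the parent (origin) entry only becomes
    visible after delay_reads reads."""

    def __init__(self, delay_reads):
        self.reads = 0
        self.delay_reads = delay_reads

    def fetch(self, dn):
        self.reads += 1
        entry = {"cn": ["web-servers"],
                 "objectclass": ["top", "ipahostgroup", "groupofnames"]}
        if self.reads > self.delay_reads:
            # mepOriginEntry is assumed here as the plugin-added value
            entry["objectclass"].append("mepOriginEntry")
        return entry


def demo(delay_reads, timeout=1.0):
    """Number of reads until the value appeared, or -1 on timeout."""
    directory = FakeDirectory(delay_reads)
    dn = "cn=web-servers,dc=example,dc=test"  # placeholder DN, not an IPA path
    try:
        wait_for_attr(directory.fetch, dn, "objectclass", "mepOriginEntry",
                      timeout=timeout, interval=0.001)
    except AttrWaitTimeout:
        return -1
    return directory.reads


if __name__ == "__main__":
    print(demo(2))                    # 3: the value showed up on the third read
    print(demo(10**6, timeout=0.05))  # -1: gave up waiting
```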
From: ayoung at redhat.com (Adam Young)
Date: Fri, 01 Jul 2011 20:59:11 -0400
Subject: [Freeipa-devel] [PATCH] 197 Added arrow icons for details sections.
In-Reply-To: <4E0E15B9.8090108@redhat.com>
References: <4E0E15B9.8090108@redhat.com>
Message-ID: <4E0E6D5F.8010605@redhat.com>

On 07/01/2011 02:45 PM, Endi Sukma Dewata wrote:
> New arrow icons have been added to replace the plus/minus sign icons
> for expanding/collapsing details sections.
>
> Ticket #1422
>

ACK. Pushed to master

-------------- next part --------------
An HTML attachment was scrubbed...
URL:
From: ayoung at redhat.com (Adam Young)
Date: Fri, 01 Jul 2011 21:01:52 -0400
Subject: [Freeipa-devel] [PATCH] 811 Set the client auth callback after creating the SSL connection.
In-Reply-To: <4E0C8279.50702@redhat.com>
References: <4E0B7838.7060200@redhat.com> <4E0B863C.6030501@redhat.com> <4E0B9210.6040603@redhat.com> <4E0C8279.50702@redhat.com>
Message-ID: <4E0E6E00.907@redhat.com>

On 06/30/2011 10:04 AM, John Dennis wrote:
> On 06/29/2011 04:58 PM, Rob Crittenden wrote:
>> John Dennis wrote:
>>> On 06/29/2011 03:08 PM, Rob Crittenden wrote:
>>>> If we set the callback before calling connect() then if the connection
>>>> tries a network family type and fails, it will try other family types.
>>>> If this happens then the callback set on the first socket will be lost
>>>> when a new socket is created. There is no way to query for the callback
>>>> in an existing socket.
>>>
>>> I'm tempted to NAK this. In part because I don't really understand why
>>> it works, but more because nsslib.py doesn't seem to be handling
>>> addresses, sockets and connections correctly. At first glance it appears
>>> to only create a new socket when switching families. I also don't
>>> understand the logic behind the family code.
>>
>> It works like this:
>>
>> - We create an NSSConnection() which automatically gives us an SSL socket
>> - We can add the callback here but if the connection fails a new socket
>> will be created. There is no way I can see to find the callback call. I
>> don't think this is even part of the C API so this isn't a deficiency in
>> python-nss.
>> - The connect() call just makes a network connection. NSS doesn't do
>> anything until the first bit of data gets written to the socket so we
>> can set the callback after the connection is completed.
>>
>> The default family is UNSPEC which is treated as IPv4.
>>
>>> But most importantly it seems to shutdown NSS every time you make a
>>> connection. What happens when you want more than one simultaneous
>>> connection?
>>
>> NSS is still very limited regarding having multiple NSS databases open
>> at once. This code is meant to allow one to switch databases. Running
>> within Apache (and our framework) the shutdown will fail because things
>> in the database are in use, so this is a bit of a no-op. It is really
>> just needed in the installer where things are done serially, so again no
>> problem.
>>
>>>
>>> Maybe we need to open a ticket to review nsslib.py.
>>>
>>
>> A review of nsslib wouldn't hurt, it has had a lot tacked on since
>> inception, but we'd still have to deal with multiple databases, family
>> failover, etc. I'd rather do that as a next step.
>>
>> rob
>
> O.K. agree with all above.
>
> ACK
>

Tested. It fixes the install on an IPv6 only system. Pushed to master.
From: ayoung at redhat.com (Adam Young)
Date: Fri, 01 Jul 2011 21:15:43 -0400
Subject: [Freeipa-devel] Future DNS UI
Message-ID: <4E0E713F.7090001@redhat.com>

I put this into the appropriate tickets, but I want to make sure it doesn't get lost in the barrage of emails sent by trac.

What I want to do for 2.2 is to create a Details page for DNS records. Any of the records, A, AAAA, PTR, whatever, that have the same idnsname will have a link to the same page. This page will have:

This is actually pretty easy to implement. I mostly have it done. See the attached screen shot.

However. We need an additional API: dnsrecord-mod. This should basically follow the same rules as dnsrecord-add, but it should perform setattr and addattr for any values it gets. If a given value is not sent, it should be left unchanged. This is a complex enough change that I don't want to try to shoehorn it into the 2.1 schedule.

The details page will also have a link to the host entity, provided one exists. On the host side, it will have a link to the dnsrecord-settings page affiliated with it, again, only if it exists.

-------------- next part --------------
A non-text attachment was scrubbed...
Name: dns-record-detail.png
Type: image/png
Size: 178633 bytes
Desc: not available

From ayoung at redhat.com Tue Jul 5 14:37:59 2011
From: ayoung at redhat.com (Adam Young)
Date: Tue, 05 Jul 2011 10:37:59 -0400
Subject: [Freeipa-devel] [PATCH] 0262-validate-ints
Message-ID: <4E1321C7.10009@redhat.com>

-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-admiyo-0262-validate-ints.patch
Type: text/x-patch
Size: 3328 bytes
Desc: not available

From dpal at redhat.com Tue Jul 5 14:53:39 2011
From: dpal at redhat.com (Dmitri Pal)
Date: Tue, 05 Jul 2011 10:53:39 -0400
Subject: [Freeipa-devel] Proposal: drop DENY rules from HBAC
In-Reply-To: <1309530534.2681.165.camel@willson.li.ssimo.org>
References: <1309377629.6189.32.camel@sgallagh520.bos.redhat.com> <4E0B8A1D.6000505@redhat.com> <1309530534.2681.165.camel@willson.li.ssimo.org>
Message-ID: <4E132573.3040109@redhat.com>

On 07/01/2011 10:28 AM, Simo Sorce wrote:
> On Wed, 2011-06-29 at 16:25 -0400, Jakub Hrozek wrote:
>
>> By removing the deny rules, do we break compatibility with anything else
>> than the IPA tech preview in RHEL and upstream FreeIPA 2.0?
>
> Ok we've had a somewhat heated discussion internally about how to deal
> with the transition phase for those admins that decided to use HBAC DENY
> rules. Hopefully very few did and so very few people will actually be
> impacted, but we need to handle those cases the best we can to avoid
> security issues for those users.
>
> Here is a rough plan I'd like to get both developers *AND* users
> feedback on if you care about it.
>
> The premise to the following plan is that very few administrators,
> unfortunately, carefully read release notes before upgrading, so simply
> dropping and ignoring DENY rules is felt as something we can't do.
>
> We split the solution in 2 parts, one on the SSSD side (the only client
> currently able to understand IPA HBAC rules), and one on the server
> side.
>
> SSSD:
> Inconveniencing clients is probably the easiest way to cause the least
> disruption and attract the administrators' attention.
> The idea here is to treat any DENY rule as actually a DENY-ALL rule.
> Basically causing any login attempt for any service to fail as soon as
> the new sssd package will be installed.
> Even though admins normally do not read release notes, they still do a
> few test upgrades before upgrading the whole set of clients they
> administer.
> By having SSSD deny logins if any DENY rule is found (and spamming the
> log with pointers at the same time) we hope to give admins a good enough
> "wake up something changed" call.
>
> This change will be prominently advertised in SSSD release notes.
> Also to ease the pain for those places where the Server and client
> admins are different groups, we plan to add a transitional configuration
> option. This option will allow admins to ignore DENY rules entirely. The
> option will default to the DENYALL behavior described above, but admins
> will be able to toggle it to ignore so they can keep testing the client,
> while they make sure to warn the Server admins that DENY rules support
> is going to be dropped.
>
> FreeIPA:
> On the server side instead we will add 2 visual cues to the WebUI and
> probably something to the CLI commands used to manage HBAC rules.
>
> In the WebUI, pending UXD and UI developers approval/feedback we will
> have a prominent error message in the main page only for administrators
> that are allowed to manage HBAC rules. This warning will be shown if any
> DENY rule exists on the server.
> In the HBAC pages, deny rules will be highlighted and text explaining
> they are not supported anymore and need to be removed will be shown.
>
> These warnings will be dropped down the road after 1 more point release.
>
> Of course Release notes will prominently highlight this change so that
> most admins will be prepared to handle this change.
>
> Hopefully people will have enough cues to properly handle the situation.
>
> Simo.

I disagree with the server side UI changes.
IMO the IPA server should detect the DENY rules at the upgrade step and fail the upgrade asking the administrator to remove the rules first.
Carrying them forward in the UI means that we would allow IPA to have the rules but it would ignore them, creating a security hole.
Since some admins do not use the UI it will be even worse.

--
Thank you,
Dmitri Pal

Sr. Engineering Manager IPA project,
Red Hat Inc.

-------------------------------
Looking to carve out IT costs?
www.redhat.com/carveoutcosts/

From simo at redhat.com Tue Jul 5 15:16:19 2011
From: simo at redhat.com (Simo Sorce)
Date: Tue, 05 Jul 2011 11:16:19 -0400
Subject: [Freeipa-devel] Proposal: drop DENY rules from HBAC
In-Reply-To: <4E132573.3040109@redhat.com>
References: <1309377629.6189.32.camel@sgallagh520.bos.redhat.com> <4E0B8A1D.6000505@redhat.com> <1309530534.2681.165.camel@willson.li.ssimo.org> <4E132573.3040109@redhat.com>
Message-ID: <1309878979.2681.195.camel@willson.li.ssimo.org>

On Tue, 2011-07-05 at 10:53 -0400, Dmitri Pal wrote:
> I disagree with the server side UI changes.
> IMO the IPA server should detect the DENY rules at the upgrade step and
> fail the upgrade asking the administrator to remove the rules first.

No, upgrade time is the wrong time to ask for complex changes.

> Carrying them forward in the UI means that we would allow IPA to have
> the rules but it would ignore them, creating a security hole.

IPA does not do the enforcing so it does not observe/ignore them at all.
The client (sssd) does the enforcing, so the only place to handle security issues is there.

> Since some admins do not use the UI it will be even worse.

That's why we are dealing with the problem in the client. The UI is just to warn in advance those admins that stubbornly refuse to read release notes and test their clients.

Simo.

--
Simo Sorce * Red Hat, Inc * New York

From ayoung at redhat.com Tue Jul 5 15:47:21 2011
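The transitional client-side behaviour Simo proposes above (an enabled DENY rule anywhere makes the client fail closed and log pointers to the offending rules, unless a transitional option says to ignore DENY rules entirely) written out as an added Python illustration. This is not SSSD's or FreeIPA's code; the rule fields, the option name ignore_deny_rules, the log messages and the sample rule set are assumptions constructed for the example.

```python
import logging
from dataclasses import dataclass, field

log = logging.getLogger("hbac")


@dataclass
class HbacRule:
    """One IPA HBAC rule reduced to the fields the evaluation needs
    (constructed shape; names only loosely follow the IPA attributes)."""
    name: str
    rule_type: str                 # "allow" or "deny" (IPA accessRuleType)
    enabled: bool = True
    users: set = field(default_factory=set)
    hosts: set = field(default_factory=set)
    services: set = field(default_factory=set)
    user_category: str = ""        # "all" means the rule covers every user
    host_category: str = ""
    service_category: str = ""


def rule_matches(rule, user, host, service):
    """True when the rule's user, host and service parts all cover the request."""
    return ((rule.user_category == "all" or user in rule.users) and
            (rule.host_category == "all" or host in rule.hosts) and
            (rule.service_category == "all" or service in rule.services))


def evaluate_hbac(rules, user, host, service, ignore_deny_rules=False):
    """Return True if the login may proceed.

    Transitional semantics from the thread: with ignore_deny_rules=False
    (assumed default) any enabled DENY rule turns into DENY-ALL and the
    offending rule names are logged; with ignore_deny_rules=True DENY
    rules are skipped and only ALLOW rules decide.  Absent any matching
    ALLOW rule the answer is always deny (fail closed)."""
    enabled = [r for r in rules if r.enabled]
    deny_names = [r.name for r in enabled if r.rule_type == "deny"]
    if deny_names:
        if not ignore_deny_rules:
            log.error("HBAC DENY rules are no longer supported; denying all "
                      "access until they are removed on the server: %s",
                      ", ".join(deny_names))
            return False
        log.warning("ignoring unsupported HBAC DENY rules: %s",
                    ", ".join(deny_names))
    for rule in enabled:
        if rule.rule_type == "allow" and rule_matches(rule, user, host, service):
            log.info("%s on %s/%s granted by rule %s", user, host, service, rule.name)
            return True
    log.info("no ALLOW rule matched %s on %s/%s; access denied", user, host, service)
    return False


# Constructed sample rule set: the usual allow_all plus one leftover DENY rule.
SAMPLE_RULES = [
    HbacRule("allow_all", "allow", user_category="all", host_category="all",
             service_category="all"),
    HbacRule("deny_bob_ssh", "deny", users={"bob"}, host_category="all",
             services={"sshd"}),
]


def demo():
    """Three evaluations of the same request against the sample rules."""
    req = ("alice", "web1.example.test", "sshd")
    # default: the DENY rule is present, so even alice (covered by allow_all) is refused
    fail_closed = evaluate_hbac(SAMPLE_RULES, *req)
    # transitional option set: DENY rules ignored, allow_all applies
    ignored = evaluate_hbac(SAMPLE_RULES, *req, ignore_deny_rules=True)
    # after the admin removed the DENY rule: normal ALLOW evaluation
    cleaned = evaluate_hbac([SAMPLE_RULES[0]], *req)
    return fail_closed, ignored, cleaned


if __name__ == "__main__":
    logging.basicConfig(level=logging.INFO)
    print(demo())  # (False, True, True)
```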
From: ayoung at redhat.com (Adam Young)
Date: Tue, 05 Jul 2011 11:47:21 -0400
Subject: [Freeipa-devel] [PATCH] 045 Add DNS record modification command
In-Reply-To: <4D93981C.6010403@redhat.com>
References: <1301498000.28351.11.camel@dhcp-25-52.brq.redhat.com> <4D93981C.6010403@redhat.com>
Message-ID: <4E133209.8030903@redhat.com>

On 03/30/2011 04:52 PM, Adam Young wrote:
> On 03/30/2011 11:13 AM, Martin Kosek wrote:
>> Since this is a new-feature type patch it should be pushed only to master.
>> -------
>> The DNS record plugin does not support modification of a record. One
>> can only add A type addresses to a DNS record or remove the current
>> ones. To actually change a DNS record value it has to be removed and
>> then added with a desired value.
>>
>> This patch adds a new DNS plugin command "dnsrecord-mod" which enables
>> user to:
>> - modify a DNS record value (note that DNS record can hold multiple values
>> and those will be overwritten)
>> - remove a DNS record when an empty value is passed
>>
>> New tests for this new command have been added to the CLI test suite.
>>
>> https://fedorahosted.org/freeipa/ticket/1137
>
> NACK,
>
> The problem is that if there are 10 A records, and I only want to
> modify one, I have no way to specify which one.
>
> The API should be something like:
>
> ipa dnsrecord-mod ayoung.boston.devel.redhat.com testa 10.10.2.3
> --a-rec=,10.11.12.13
>
> Alternatively, we can decide that we are not going to do mod, and have
> the WebUI do a delete and an add:

This objection is withdrawn. Going to retest this patch with a change to the ui.
From rcritten at redhat.com Tue Jul 5 17:41:29 2011
From: rcritten at redhat.com (Rob Crittenden)
Date: Tue, 05 Jul 2011 13:41:29 -0400
Subject: [Freeipa-devel] [PATCH] 817 Add option to wait for values
In-Reply-To: <4E0E3CDB.7070309@redhat.com>
References: <4E0E23D5.1070001@redhat.com> <4E0E3CDB.7070309@redhat.com>
Message-ID: <4E134CC9.307@redhat.com>

Rob Crittenden wrote:
> Rob Crittenden wrote:
>> 389-ds postop plugins, such as the managed entry and memberof plugins,
>> add values after the data has been returned to the client. In the case
>> of the managed entry plugin this affects the parent entry as well (adds
>> an objectclass value).
>>
>> This wreaks havoc on our tests as the values don't match what we expect.
>>
>> The solution is to wait for the postop plugins to finish their work,
>> then return. I've added this as an option. The downside is it is going
>> to naturally slow things down, so it is off by default.
>>
>> It is currently only used in the hostgroup plugin.
>>
>> The option is wait_for_attr. Add this to ~/.ipa/default.conf and set it
>> to True and all the current tests will pass (assuming you apply patches
>> 814-816 as well).
>>
>> So now we won't have any excuses for missing test failures in the unit
>> tests...
>>
>> rob
>
> Bah, found a small problem. Self-NACK.
>
> rob

Updated patch attached.

Note that I don't think there is a way for us to handle things like memberof_indirect. We wouldn't know to wait.

rob

-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-rcrit-817-2-wait.patch
Type: text/x-diff
Size: 3544 bytes
Desc: not available

From rcritten at redhat.com Tue Jul 5 17:42:20 2011
From: rcritten at redhat.com (Rob Crittenden)
Date: Tue, 05 Jul 2011 13:42:20 -0400
Subject: [Freeipa-devel] [PATCH] 818 find_entry_by_attr() should fail if multiple entries are found
Message-ID: <4E134CFC.1040707@redhat.com>

It will only ever return one entry so if more than one are found then we raise an exception.

This is most easily seen in the host plugin where we search on the server shortname which can be the same across sub-domains (e.g. foo.example.com & foo.lab.example.com).

https://fedorahosted.org/freeipa/ticket/1388

rob

-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-rcrit-818-findbyattr.patch
Type: text/x-diff
Size: 4959 bytes
Desc: not available

From edewata at redhat.com Tue Jul 5 18:27:51 2011
From: edewata at redhat.com (Endi Sukma Dewata)
Date: Tue, 05 Jul 2011 13:27:51 -0500
Subject: [Freeipa-devel] [PATCH] 0262-validate-ints
In-Reply-To: <4E1321C7.10009@redhat.com>
References: <4E1321C7.10009@redhat.com>
Message-ID: <4E1357A7.7090107@redhat.com>

On 7/5/2011 9:37 AM, Adam Young wrote:
>

Some issues:

1. The validation process should stop after finding the first problem. So the validate_integers() needs to return a value which is then checked by validate() to determine if it should continue.

2. This is actually an existing problem, so it can be addressed later. If a widget only has a metadata but not param_info (not sure if this ever happens) it will only execute integer validation but not the pattern validation. The metadata and param_info are actually the same thing so we should be able to merge them, but it might require significant changes.

3. There are jslint warnings. The 'message' variable declaration needs to be moved into validate_integers().

--
Endi S. Dewata

From edewata at redhat.com Tue Jul 5 18:30:06 2011
From: edewata at redhat.com (Endi Sukma Dewata)
Date: Tue, 05 Jul 2011 13:30:06 -0500
Subject: [Freeipa-devel] [PATCH] 198 Fixed object_name usage.
Message-ID: <4E13582E.5060306@redhat.com>

The object_name attribute was used as both an identifier and a label which sometimes require different values (e.g. hbacrule vs. HBAC rule). The code that uses object_name as an identifier has been changed to use the 'name' attribute instead. The values of the object_name attribute have been fixed to become proper labels.

Ticket #1217

--
Endi S. Dewata

-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-edewata-0198-Fixed-object_name-usage.patch
Type: text/x-patch
Size: 43089 bytes
Desc: not available

From ayoung at redhat.com Tue Jul 5 18:45:12 2011
From: ayoung at redhat.com (Adam Young)
Date: Tue, 05 Jul 2011 14:45:12 -0400
Subject: [Freeipa-devel] [PATCH] 198 Fixed object_name usage.
In-Reply-To: <4E13582E.5060306@redhat.com>
References: <4E13582E.5060306@redhat.com>
Message-ID: <4E135BB8.2010703@redhat.com>

On 07/05/2011 02:30 PM, Endi Sukma Dewata wrote:
> The object_name attribute was used as both an identifier and a
> label which sometimes require different values (e.g. hbacrule
> vs. HBAC rule). The code that uses object_name as an identifier
> has been changed to use the 'name' attribute instead. The values
> of the object_name attribute have been fixed to become proper
> labels.
>
> Ticket #1217

If the strings in the plugins are supposed to be read by people, they should be internationalized. Is there any reason to not surround both object_name and object_name_plural with _( )?

From rcritten at redhat.com Tue Jul 5 19:15:00 2011
From: rcritten at redhat.com (Rob Crittenden)
Date: Tue, 05 Jul 2011 15:15:00 -0400
Subject: [Freeipa-devel] [PATCH] 818 add password expiration notify to default attr list
Message-ID: <4E1362B4.80807@redhat.com>

I pushed this as a one-liner.

https://fedorahosted.org/freeipa/ticket/1416

rob

-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-rcrit-819-config.patch
Type: text/x-diff
Size: 890 bytes
Desc: not available

From edewata at redhat.com Tue Jul 5 19:22:02 2011
From: edewata at redhat.com (Endi Sukma Dewata)
Date: Tue, 05 Jul 2011 14:22:02 -0500
Subject: [Freeipa-devel] [PATCH] 198 Fixed object_name usage.
In-Reply-To: <4E135BB8.2010703@redhat.com>
References: <4E13582E.5060306@redhat.com> <4E135BB8.2010703@redhat.com>
Message-ID: <4E13645A.7030301@redhat.com>

On 7/5/2011 1:45 PM, Adam Young wrote:
> On 07/05/2011 02:30 PM, Endi Sukma Dewata wrote:
>> The object_name attribute was used as both an identifier and a
>> label which sometimes require different values (e.g. hbacrule
>> vs. HBAC rule). The code that uses object_name as an identifier
>> has been changed to use the 'name' attribute instead. The values
>> of the object_name attribute have been fixed to become proper
>> labels.
>>
>> Ticket #1217
>
> If the strings in the plugins are supposed to be read by people, they
> should be internationalized. Is there any reason to not surround both
> object_name and object_name_plural with _( )?

The original values were not internationalized and also sometimes they are used in messages that are not internationalized either. I think internationalizing the server messages should be done in a separate ticket.

--
Endi S. Dewata

From ayoung at redhat.com Tue Jul 5 20:00:17 2011
From: ayoung at redhat.com (Adam Young)
Date: Tue, 05 Jul 2011 16:00:17 -0400
Subject: [Freeipa-devel] [PATCH] 0262-validate-ints
In-Reply-To: <4E1357A7.7090107@redhat.com>
References: <4E1321C7.10009@redhat.com> <4E1357A7.7090107@redhat.com>
Message-ID: <4E136D51.1010801@redhat.com>

On 07/05/2011 02:27 PM, Endi Sukma Dewata wrote:
> On 7/5/2011 9:37 AM, Adam Young wrote:
>>
>
> Some issues:
>
> 1. The validation process should stop after finding the first problem.
> So the validate_integers() needs to return a value which is then
> checked by validate() to determine if it should continue.

Not really necessary.

> 2. This is actually an existing problem, so it can be addressed later.
> If a widget only has a metadata but not param_info (not sure if this
> ever happens) it will only execute integer validation but not the
> pattern validation. The metadata and param_info are actually the same
> thing so we should be able to merge them, but it might require
> significant changes.

Fixed

> 3. There are jslint warnings. The 'message' variable declaration needs
> to be moved into validate_integers().

Fixed

-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-admiyo-0262-1-validate-ints.patch
Type: text/x-patch
Size: 4006 bytes
Desc: not available

From ayoung at redhat.com Tue Jul 5 20:07:00 2011
From: ayoung at redhat.com (Adam Young)
Date: Tue, 05 Jul 2011 16:07:00 -0400
Subject: [Freeipa-devel] [PATCH] 198 Fixed object_name usage.
In-Reply-To: <4E13645A.7030301@redhat.com>
References: <4E13582E.5060306@redhat.com> <4E135BB8.2010703@redhat.com> <4E13645A.7030301@redhat.com>
Message-ID: <4E136EE4.9040607@redhat.com>

On 07/05/2011 03:22 PM, Endi Sukma Dewata wrote:
> On 7/5/2011 1:45 PM, Adam Young wrote:
>> On 07/05/2011 02:30 PM, Endi Sukma Dewata wrote:
>>> The object_name attribute was used as both an identifier and a
>>> label which sometimes require different values (e.g. hbacrule
>>> vs. HBAC rule). The code that uses object_name as an identifier
>>> has been changed to use the 'name' attribute instead. The values
>>> of the object_name attribute have been fixed to become proper
>>> labels.
>>>
>>> Ticket #1217
>
>> If the strings in the plugins are supposed to be read by people, they
>> should be internationalized. Is there any reason to not surround both
>> object_name and object_name_plural with _( )?
>
> The original values were not internationalized and also sometimes they
> are used in messages that are not internationalized either. I think
> internationalizing the server messages should be done in a separate
> ticket.

ACK. Pushed to master. Please open a ticket for the I18N of server messages

From edewata at redhat.com Tue Jul 5 20:10:42 2011
From: edewata at redhat.com (Endi Sukma Dewata)
Date: Tue, 05 Jul 2011 15:10:42 -0500
Subject: [Freeipa-devel] [PATCH] 198 Fixed object_name usage.
In-Reply-To: <4E136EE4.9040607@redhat.com>
References: <4E13582E.5060306@redhat.com> <4E135BB8.2010703@redhat.com> <4E13645A.7030301@redhat.com> <4E136EE4.9040607@redhat.com>
Message-ID: <4E136FC2.3080402@redhat.com>

On 7/5/2011 3:07 PM, Adam Young wrote:
>>> If the strings in the plugins are supposed to be read by people, they
>>> should be internationalized. Is there any reason to not surround both
>>> object_name and object_name_plural with _( )?
>>
>> The original values were not internationalized and also sometimes they
>> are used in messages that are not internationalized either. I think
>> internationalizing the server messages should be done in a separate
>> ticket.
>
> ACK. Pushed to master. Please open a ticket for the I18N of server messages

https://fedorahosted.org/freeipa/ticket/1435

--
Endi S. Dewata

From ayoung at redhat.com Tue Jul 5 20:21:50 2011
From: ayoung at redhat.com (Adam Young)
Date: Tue, 05 Jul 2011 16:21:50 -0400
Subject: [Freeipa-devel] [PATCH] 045 Add DNS record modification command
In-Reply-To: <1301498000.28351.11.camel@dhcp-25-52.brq.redhat.com>
References: <1301498000.28351.11.camel@dhcp-25-52.brq.redhat.com>
Message-ID: <4E13725E.3000908@redhat.com>

On 03/30/2011 11:13 AM, Martin Kosek wrote:
> Since this is a new-feature type patch it should be pushed only to master.
> -------
> The DNS record plugin does not support modification of a record. One
> can only add A type addresses to a DNS record or remove the current
> ones. To actually change a DNS record value it has to be removed and
> then added with a desired value.
>
> This patch adds a new DNS plugin command "dnsrecord-mod" which enables
> user to:
> - modify a DNS record value (note that DNS record can hold multiple values
> and those will be overwritten)
> - remove a DNS record when an empty value is passed
>
> New tests for this new command have been added to the CLI test suite.
>
> https://fedorahosted.org/freeipa/ticket/1137

dns.py has changed enough that this needs a rebase, but from my visual inspection it looks correct. Can you post an updated patch?

From edewata at redhat.com Tue Jul 5 20:34:03 2011
From: edewata at redhat.com (Endi Sukma Dewata)
Date: Tue, 05 Jul 2011 15:34:03 -0500
Subject: [Freeipa-devel] [PATCH] 0262-validate-ints
In-Reply-To: <4E136D51.1010801@redhat.com>
References: <4E1321C7.10009@redhat.com> <4E1357A7.7090107@redhat.com> <4E136D51.1010801@redhat.com>
Message-ID: <4E13753B.3090509@redhat.com>

On 7/5/2011 3:00 PM, Adam Young wrote:
>> 1. The validation process should stop after finding the first problem.
>> So the validate_integers() needs to return a value which is then
>> checked by validate() to determine if it should continue.
> Not really necessary.

The validation is still correct, but subsequent checking will be redundant. This is no longer an issue in this patch because the pattern checking is moved into meta_validate(). But suppose we have additional checks after meta_validate(), they could be redundant. We'll address that when that actually happens.

>> 2. This is actually an existing problem, so it can be addressed later.
>> If a widget only has a metadata but not param_info (not sure if this
>> ever happens) it will only execute integer validation but not the
>> pattern validation. The metadata and param_info are actually the same
>> thing so we should be able to merge them, but it might require
>> significant changes.
> Fixed

There is still an issue in validate(): the required flag is only checked if param_info is available (which is probably always the case). Ideally the param_info should be renamed into metadata, thus avoiding multiple validations as well. This can be addressed later.

ACK and pushed to master.

--
Endi S. Dewata

From ayoung at redhat.com Tue Jul 5 20:38:48 2011
From: ayoung at redhat.com (Adam Young)
Date: Tue, 05 Jul 2011 16:38:48 -0400
Subject: [Freeipa-devel] [PATCH] 0263-password-expiration-label
Message-ID: <4E137658.1090702@redhat.com>

-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-admiyo-0263-password-expiration-label.patch
Type: text/x-patch
Size: 7900 bytes
Desc: not available

From edewata at redhat.com Tue Jul 5 20:41:00 2011
From: edewata at redhat.com (Endi Sukma Dewata)
Date: Tue, 05 Jul 2011 15:41:00 -0500
Subject: [Freeipa-devel] [PATCH] 0263-password-expiration-label
In-Reply-To: <4E137658.1090702@redhat.com>
References: <4E137658.1090702@redhat.com>
Message-ID: <4E1376DC.7030401@redhat.com>

On 7/5/2011 3:38 PM, Adam Young wrote:
>

ACK but it needs a rebase.

--
Endi S. Dewata

From ayoung at redhat.com Tue Jul 5 22:00:44 2011
From: ayoung at redhat.com (Adam Young)
Date: Tue, 05 Jul 2011 18:00:44 -0400
Subject: [Freeipa-devel] [PATCH] 0263-password-expiration-label
In-Reply-To: <4E1376DC.7030401@redhat.com>
References: <4E137658.1090702@redhat.com> <4E1376DC.7030401@redhat.com>
Message-ID: <4E13898C.7090509@redhat.com>

On 07/05/2011 04:41 PM, Endi Sukma Dewata wrote:
> On 7/5/2011 3:38 PM, Adam Young wrote:
>>
>
> ACK but it needs a rebase.

Rebased and pushed to master

From rcritten at redhat.com Wed Jul 6 14:26:41 2011
From: rcritten at redhat.com (Rob Crittenden)
Date: Wed, 06 Jul 2011 10:26:41 -0400
Subject: [Freeipa-devel] [PATCH] 4 (1) ipa-client-install complains about non-existing nss_ldap
In-Reply-To: <1309524027.2681.143.camel@willson.li.ssimo.org>
References: <4E0D96FF.2050406@redhat.com> <4E0DB57B.1070105@redhat.com> <4E0DB6F4.6040904@redhat.com> <4E0DBB32.9030804@redhat.com> <1309524027.2681.143.camel@willson.li.ssimo.org>
Message-ID: <4E1470A1.9060306@redhat.com>

Simo Sorce wrote:
> On Fri, 2011-07-01 at 14:18 +0200, Jan Cholasta wrote:
>> On 1.7.2011 14:00, Alexander Bokovoy wrote:
>>> Hi,
>>>
>>> On 01.07.2011 14:54, Jan Cholasta wrote:
>>>> On 1.7.2011 11:44, Alexander Bokovoy wrote:
>>>>> New version: forgot to import package_installed_name from ipautil.
>>>>> Previous version can be ignored.
>>>>
>>>> ipa-client-install should be usable on non-RH platforms (see
>>>> https://fedorahosted.org/freeipa/ticket/1374), so you shouldn't use
>>>> /bin/rpm, as that's platform-specific. Wouldn't just rephrasing the
>>>> warning message (as suggested in the ticket) be sufficient?
>>> If you want to support non-rpm-based platforms, you'll need to do much
>>> greater work than not depend on rpm. For example, /sbin/service and
>>> chkconfig might not be there.
>>
>> I'm not sure adding even more complexity is helpful, especially when
>> it's used just to print a warning message. But I'd like a second opinion
>> on this.
>
> I think it is time we start renaming ipautil.py to ipautil-rh.py and do
> ourselves, or invite someone to write ipautil-debian.py, then have code
> that loads the right module at runtime.
>
> Simo.

I believe that nss-pam-ldapd uses a different configuration file than nss_ldap, I think I'd rather use the existence of that to determine what is being used. Calling out to rpm seems heavy-weight.

rob

From rcritten at redhat.com Wed Jul 6 14:27:44 2011
From: rcritten at redhat.com (Rob Crittenden)
Date: Wed, 06 Jul 2011 10:27:44 -0400
Subject: [Freeipa-devel] [PATCH] 3 ipa-client-install tries to start non-existing nscd
In-Reply-To: <4E0D9240.7070001@redhat.com>
References: <4E0D9240.7070001@redhat.com>
Message-ID: <4E1470E0.7080404@redhat.com>

Alexander Bokovoy wrote:
>

Should we instead look to see if /usr/sbin/nscd exists before calling chkconfig?

rob

From abokovoy at redhat.com Wed Jul 6 14:30:05 2011
From: abokovoy at redhat.com (Alexander Bokovoy)
Date: Wed, 06 Jul 2011 17:30:05 +0300
Subject: [Freeipa-devel] [PATCH] 4 (1) ipa-client-install complains about non-existing nss_ldap
In-Reply-To: <4E1470A1.9060306@redhat.com>
References: <4E0D96FF.2050406@redhat.com> <4E0DB57B.1070105@redhat.com> <4E0DB6F4.6040904@redhat.com> <4E0DBB32.9030804@redhat.com> <1309524027.2681.143.camel@willson.li.ssimo.org> <4E1470A1.9060306@redhat.com>
Message-ID: <4E14716D.9050705@redhat.com>

On 06.07.2011 17:26, Rob Crittenden wrote:
>>> I'm not sure adding even more complexity is helpful, especially when
>>> it's used just to print a warning message. But I'd like a second opinion
>>> on this.
>>
>> I think it is time we start renaming ipautil.py to ipautil-rh.py and do
>> ourselves, or invite someone to write ipautil-debian.py, then have code
>> that loads the right module at runtime.
>
> I believe that nss-pam-ldapd uses a different configuration file than
> nss_ldap, I think I'd rather use the existence of that to determine what
> is being used. Calling out to rpm seems heavy-weight.

Ok, I'll rework it. Do we have other cases where it is *not* enough to have a check on the configuration files rather than the package itself? For example, for cases where we would enforce installation of a required package to satisfy dependencies (like it was discussed for PackageKit on #freeipa)?

--
/ Alexander Bokovoy

From abokovoy at redhat.com Wed Jul 6 14:32:01 2011
From: abokovoy at redhat.com (Alexander Bokovoy)
Date: Wed, 06 Jul 2011 17:32:01 +0300
Subject: [Freeipa-devel] [PATCH] 3 ipa-client-install tries to start non-existing nscd
In-Reply-To: <4E1470E0.7080404@redhat.com>
References: <4E0D9240.7070001@redhat.com> <4E1470E0.7080404@redhat.com>
Message-ID: <4E1471E1.8030509@redhat.com>

On 06.07.2011 17:27, Rob Crittenden wrote:
> Alexander Bokovoy wrote:
>>
>
> Should we instead look to see if /usr/sbin/nscd exists before calling
> chkconfig?

When you call chkconfig for a non-existing service, it correctly reports that the service does not exist and sets the return code appropriately. I would rather continue using that, as it also gives us a single place to support other init systems.

--
/ Alexander Bokovoy

From rcritten at redhat.com Wed Jul 6 15:03:49 2011
From: rcritten at redhat.com (Rob Crittenden)
Date: Wed, 06 Jul 2011 11:03:49 -0400
Subject: [Freeipa-devel] [PATCH] 820 make client errors clearer
Message-ID: <4E147955.5070401@redhat.com>

Some client errors were rather generic or outright misleading. This cleans up some return values and displays output from the ipa-enrollment extended operation.

ticket https://fedorahosted.org/freeipa/ticket/1417

-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-rcrit-820-client.patch
Type: text/x-diff
Size: 9339 bytes
Desc: not available

From ayoung at redhat.com Wed Jul 6 15:13:22 2011
From: ayoung at redhat.com (Adam Young)
Date: Wed, 06 Jul 2011 11:13:22 -0400
Subject: [Freeipa-devel] [PATCH] 0264-HBAC-deny-warning.
Message-ID: <4E147B92.6070406@redhat.com>

-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-admiyo-0264-HBAC-deny-warning.patch
Type: text/x-patch
Size: 16008 bytes
Desc: not available

From edewata at redhat.com Wed Jul 6 15:32:50 2011
From: edewata at redhat.com (Endi Sukma Dewata)
Date: Wed, 06 Jul 2011 10:32:50 -0500
Subject: [Freeipa-devel] [PATCH] 199 Fixed HBAC/Sudo rules associations.
Message-ID: <4E148022.20700@redhat.com>

The HBAC/Sudo rules associations in users, groups, hosts and host groups have been fixed to use the correct associator and method names.

Ticket #1438

--
Endi S. Dewata

-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-edewata-0199-Fixed-HBAC-Sudo-rules-associations.patch
Type: text/x-patch
Size: 4133 bytes
Desc: not available

From ayoung at redhat.com Wed Jul 6 15:40:36 2011
From: ayoung at redhat.com (Adam Young)
Date: Wed, 06 Jul 2011 11:40:36 -0400
Subject: [Freeipa-devel] [PATCH] 0264-HBAC-deny-warning.
In-Reply-To: <4E147B92.6070406@redhat.com>
References: <4E147B92.6070406@redhat.com>
Message-ID: <4E1481F4.8030400@redhat.com>

On 07/06/2011 11:13 AM, Adam Young wrote:
>

Rebased. Also, updated the hbacrule_find.json sample data to show the deny rules in static view

-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-admiyo-0264-1-HBAC-deny-warning.patch
Type: text/x-patch
Size: 17676 bytes
Desc: not available

From ayoung at redhat.com Wed Jul 6 15:52:59 2011
From: ayoung at redhat.com (Adam Young)
Date: Wed, 06 Jul 2011 11:52:59 -0400
Subject: [Freeipa-devel] [PATCH] 199 Fixed HBAC/Sudo rules associations.
In-Reply-To: <4E148022.20700@redhat.com>
References: <4E148022.20700@redhat.com>
Message-ID: <4E1484DB.9020007@redhat.com>

On 07/06/2011 11:32 AM, Endi Sukma Dewata wrote:
> The HBAC/Sudo rules associations in users, groups, hosts and host
> groups have been fixed to use the correct associator and method
> names.
>
> Ticket #1438

ACK. Pushed to master

From ayoung at redhat.com Wed Jul 6 17:04:56 2011
From: ayoung at redhat.com (Adam Young)
Date: Wed, 06 Jul 2011 13:04:56 -0400
Subject: [Freeipa-devel] [PATCH] 0264-HBAC-deny-warning.
In-Reply-To: <4E1481F4.8030400@redhat.com>
References: <4E147B92.6070406@redhat.com> <4E1481F4.8030400@redhat.com>
Message-ID: <4E1495B8.40605@redhat.com>

On 07/06/2011 11:40 AM, Adam Young wrote:
> On 07/06/2011 11:13 AM, Adam Young wrote:
>>
> Rebased. Also, updated the hbacrule_find.json sample data to show the
> deny rules in static view.

Now has a page explaining why we are removing the deny rules, and a link to
it that opens in a new window.

-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-admiyo-0264-2-HBAC-deny-warning.patch
Type: text/x-patch
Size: 21520 bytes

From edewata at redhat.com Wed Jul 6 19:24:43 2011
From: edewata at redhat.com (Endi Sukma Dewata)
Date: Wed, 06 Jul 2011 14:24:43 -0500
Subject: [Freeipa-devel] [PATCH] 0264-HBAC-deny-warning.
In-Reply-To: <4E1481F4.8030400@redhat.com>
References: <4E147B92.6070406@redhat.com> <4E1481F4.8030400@redhat.com>
Message-ID: <4E14B67B.2060803@redhat.com>

On 7/6/2011 10:40 AM, Adam Young wrote:
> Rebased. Also, updated the hbacrule_find.json sample data to show the
> deny rules in static view.

Some issues:

1. The red 'deny' text doesn't line up with the column header or 'allow'
text. The padding-left in .hbac-deny-rule class should be removed.

2. The link to the hbac-deny-remove.html on live server is broken. On live
server the file is located under /ipa/config path instead of /ipa/html.

3. There are untranslated messages in hbac.js lines 1016, 1021, 1025, 1032,
1037. Please mark them with 'I18n' for later clean up.

4. Optional: Ideally the setup() in the accessruletype column should call
the superclass' setup() then just add the 'hbac-deny-rule' class to the
container. For this particular case it's not a problem because the possible
values are only 'allow' or 'deny'. However if the column is linked or uses
some kind of formatting it will not be rendered correctly.

-- 
Endi S. Dewata

From ayoung at redhat.com Wed Jul 6 19:44:54 2011
From: ayoung at redhat.com (Adam Young)
Date: Wed, 06 Jul 2011 15:44:54 -0400
Subject: [Freeipa-devel] [PATCH] 0265-check-required-on-blur
Message-ID: <4E14BB36.7070501@redhat.com>

-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-admiyo-0265-check-required-on-blur.patch
Type: text/x-patch
Size: 2096 bytes

From ayoung at redhat.com Wed Jul 6 19:54:42 2011
From: ayoung at redhat.com (Adam Young)
Date: Wed, 06 Jul 2011 15:54:42 -0400
Subject: [Freeipa-devel] [PATCH] 0264-HBAC-deny-warning.
In-Reply-To: <4E14B67B.2060803@redhat.com>
References: <4E147B92.6070406@redhat.com> <4E1481F4.8030400@redhat.com> <4E14B67B.2060803@redhat.com>
Message-ID: <4E14BD82.8080201@redhat.com>

On 07/06/2011 03:24 PM, Endi Sukma Dewata wrote:
> On 7/6/2011 10:40 AM, Adam Young wrote:
>> Rebased. Also, updated the hbacrule_find.json sample data to show the
>> deny rules in static view.
>
> Some issues:
>
> 1. The red 'deny' text doesn't line up with the column header or
> 'allow' text. The padding-left in .hbac-deny-rule class should be
> removed.

Fixed

> 2. The link to the hbac-deny-remove.html on live server is broken. On
> live server the file is located under /ipa/config path instead of
> /ipa/html.

Fixed. Now works in both static and live server

> 3. There are untranslated messages in hbac.js lines 1016, 1021, 1025,
> 1032, 1037. Please mark them with 'I18n' for later clean up.

Not worth the effort for this

> 4. Optional: Ideally the setup() in the accessruletype column should
> call the superclass' setup() then just add the 'hbac-deny-rule' class
> to the container. For this particular case it's not a problem because
> the possible values are only 'allow' or 'deny'. However if the column
> is linked or uses some kind of formatting it will not be rendered
> correctly.

Again, since this is a short term fix, not worth the effort.

-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-admiyo-0264-3-HBAC-deny-warning.patch
Type: text/x-patch
Size: 21607 bytes

From ayoung at redhat.com Wed Jul 6 20:27:19 2011
From: ayoung at redhat.com (Adam Young)
Date: Wed, 06 Jul 2011 16:27:19 -0400
Subject: [Freeipa-devel] [PATCH] 045 Add DNS record modification command
In-Reply-To: <4E13725E.3000908@redhat.com>
References: <1301498000.28351.11.camel@dhcp-25-52.brq.redhat.com> <4E13725E.3000908@redhat.com>
Message-ID: <4E14C527.8000603@redhat.com>

On 07/05/2011 04:21 PM, Adam Young wrote:
> On 03/30/2011 11:13 AM, Martin Kosek wrote:
>> Since this is a new-feature type patch it should be pushed only to master.
>> -------
>> The DNS record plugin does not support modification of a record. One
>> can only add A type addresses to a DNS record or remove the current
>> ones. To actually change a DNS record value it has to be removed and
>> then added with a desired value.
>>
>> This patch adds a new DNS plugin command "dnsrecord-mod" which enables
>> user to:
>> - modify a DNS record value (note that a DNS record can hold multiple
>>   values and those will be overwritten)
>> - remove a DNS record when an empty value is passed
>>
>> New tests for this new command have been added to the CLI test suite.
>>
>> https://fedorahosted.org/freeipa/ticket/1137
>
> dns.py has changed enough that this needs a rebase, but from my visual
> inspection it looks correct. Can you post an updated patch?

OK, here is my attempt at updating the patch. Please review.

-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-mkosek-0045-Add-DNS-record-modification-command.patch
Type: text/x-patch
Size: 11968 bytes

From rcritten at redhat.com Wed Jul 6 20:28:39 2011
From: rcritten at redhat.com (Rob Crittenden)
Date: Wed, 06 Jul 2011 16:28:39 -0400
Subject: [Freeipa-devel] [PATCH] 821 reset failed count when password is reset by admin
Message-ID: <4E14C577.9030702@redhat.com>

Reset the login failed count to 0 when an admin (e.g. not the user) resets
the password. Otherwise a newly reset password could fail too.

ticket https://fedorahosted.org/freeipa/ticket/1441

rob

-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-rcrit-821-reset.patch
Type: text/x-diff
Size: 1381 bytes

From ayoung at redhat.com Wed Jul 6 20:51:37 2011
From: ayoung at redhat.com (Adam Young)
Date: Wed, 06 Jul 2011 16:51:37 -0400
Subject: [Freeipa-devel] [PATCH] 0264-HBAC-deny-warning.
In-Reply-To: <4E14BD82.8080201@redhat.com>
References: <4E147B92.6070406@redhat.com> <4E1481F4.8030400@redhat.com> <4E14B67B.2060803@redhat.com> <4E14BD82.8080201@redhat.com>
Message-ID: <4E14CAD9.5090207@redhat.com>

On 07/06/2011 03:54 PM, Adam Young wrote:
> On 07/06/2011 03:24 PM, Endi Sukma Dewata wrote:
>> On 7/6/2011 10:40 AM, Adam Young wrote:
>>> Rebased. Also, updated the hbacrule_find.json sample data to show
>>> the deny rules in static view.
>>
>> Some issues:
>>
>> 1. The red 'deny' text doesn't line up with the column header or
>> 'allow' text. The padding-left in .hbac-deny-rule class should be
>> removed.
> Fixed
>>
>> 2. The link to the hbac-deny-remove.html on live server is broken. On
>> live server the file is located under /ipa/config path instead of
>> /ipa/html.
> Fixed. Now works in both static and live server
>>
>> 3. There are untranslated messages in hbac.js lines 1016, 1021, 1025,
>> 1032, 1037. Please mark them with 'I18n' for later clean up.
> Not worth the effort for this
>>
>> 4. Optional: Ideally the setup() in the accessruletype column should
>> call the superclass' setup() then just add the 'hbac-deny-rule' class
>> to the container. For this particular case it's not a problem because
>> the possible values are only 'allow' or 'deny'. However if the column
>> is linked or uses some kind of formatting it will not be rendered
>> correctly.
>>
> Again, since this is a short term fix, not worth the effort.

-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-admiyo-0264-4-HBAC-deny-warning.patch
Type: text/x-patch
Size: 22297 bytes

From ayoung at redhat.com Wed Jul 6 21:32:30 2011
From: ayoung at redhat.com (Adam Young)
Date: Wed, 06 Jul 2011 17:32:30 -0400
Subject: [Freeipa-devel] [PATCH] 0265-check-required-on-blur
In-Reply-To: <4E14BB36.7070501@redhat.com>
References: <4E14BB36.7070501@redhat.com>
Message-ID: <4E14D46E.2080709@redhat.com>

On 07/06/2011 03:44 PM, Adam Young wrote:
>

-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-admiyo-0265-1-check-required-on-blur.patch
Type: text/x-patch
Size: 4492 bytes

From ayoung at redhat.com Wed Jul 6 21:44:03 2011
From: ayoung at redhat.com (Adam Young)
Date: Wed, 06 Jul 2011 17:44:03 -0400
Subject: [Freeipa-devel] [PATCH] 0264-HBAC-deny-warning.
In-Reply-To: <4E14CAD9.5090207@redhat.com>
References: <4E147B92.6070406@redhat.com> <4E1481F4.8030400@redhat.com> <4E14B67B.2060803@redhat.com> <4E14BD82.8080201@redhat.com> <4E14CAD9.5090207@redhat.com>
Message-ID: <4E14D723.5010109@redhat.com>

On 07/06/2011 04:51 PM, Adam Young wrote:
> On 07/06/2011 03:54 PM, Adam Young wrote:
>> On 07/06/2011 03:24 PM, Endi Sukma Dewata wrote:
>>> On 7/6/2011 10:40 AM, Adam Young wrote:
>>>> Rebased. Also, updated the hbacrule_find.json sample data to show
>>>> the deny rules in static view.
>>>
>>> Some issues:
>>>
>>> 1. The red 'deny' text doesn't line up with the column header or
>>> 'allow' text. The padding-left in .hbac-deny-rule class should be
>>> removed.
>> Fixed
>>>
>>> 2. The link to the hbac-deny-remove.html on live server is broken.
>>> On live server the file is located under /ipa/config path instead of
>>> /ipa/html.
>> Fixed. Now works in both static and live server
>>>
>>> 3. There are untranslated messages in hbac.js lines 1016, 1021,
>>> 1025, 1032, 1037. Please mark them with 'I18n' for later clean up.
>> Not worth the effort for this
>>>
>>> 4. Optional: Ideally the setup() in the accessruletype column should
>>> call the superclass' setup() then just add the 'hbac-deny-rule'
>>> class to the container. For this particular case it's not a problem
>>> because the possible values are only 'allow' or 'deny'. However if
>>> the column is linked or uses some kind of formatting it will not be
>>> rendered correctly.
>>>
>> Again, since this is a short term fix, not worth the effort.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-admiyo-0264-5-HBAC-deny-warning.patch
Type: text/x-patch
Size: 21733 bytes

From rcritten at redhat.com Wed Jul 6 21:51:05 2011
From: rcritten at redhat.com (Rob Crittenden)
Date: Wed, 06 Jul 2011 17:51:05 -0400
Subject: [Freeipa-devel] [PATCH] 822 remove deny hbac rule type
Message-ID: <4E14D8C9.1000709@redhat.com>

Remove deny from the available type options and prevent new ones from being
created (either directly or via a mod).

Type now defaults to allow and will autofill so on the cli the user won't be
prompted for it in interactive mode.

deny is still a valid type for searching, so hbacrule-find --type=deny works.

ticket https://fedorahosted.org/freeipa/ticket/1432

rob

-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-rcrit-822-hbacrule-deny.patch
Type: text/x-diff
Size: 3106 bytes

From edewata at redhat.com Wed Jul 6 21:54:06 2011
From: edewata at redhat.com (Endi Sukma Dewata)
Date: Wed, 06 Jul 2011 16:54:06 -0500
Subject: [Freeipa-devel] [PATCH] 0264-HBAC-deny-warning.
In-Reply-To: <4E14D723.5010109@redhat.com>
References: <4E147B92.6070406@redhat.com> <4E1481F4.8030400@redhat.com> <4E14B67B.2060803@redhat.com> <4E14BD82.8080201@redhat.com> <4E14CAD9.5090207@redhat.com> <4E14D723.5010109@redhat.com>
Message-ID: <4E14D97E.40104@redhat.com>

On 7/6/2011 4:44 PM, Adam Young wrote:
> On 07/06/2011 04:51 PM, Adam Young wrote:
>> On 07/06/2011 03:54 PM, Adam Young wrote:
>>> On 07/06/2011 03:24 PM, Endi Sukma Dewata wrote:
>>>> On 7/6/2011 10:40 AM, Adam Young wrote:
>>>>> Rebased. Also, updated the hbacrule_find.json sample data to show
>>>>> the deny rules in static view.
>>>>
>>>> Some issues:
>>>>
>>>> 1. The red 'deny' text doesn't line up with the column header or
>>>> 'allow' text. The padding-left in .hbac-deny-rule class should be
>>>> removed.
>>> Fixed
>>>>
>>>> 2. The link to the hbac-deny-remove.html on live server is broken.
>>>> On live server the file is located under /ipa/config path instead of
>>>> /ipa/html.
>>> Fixed. Now works in both static and live server
>>>>
>>>> 3. There are untranslated messages in hbac.js lines 1016, 1021,
>>>> 1025, 1032, 1037. Please mark them with 'I18n' for later clean up.
>>> Not worth the effort for this
>>>>
>>>> 4. Optional: Ideally the setup() in the accessruletype column should
>>>> call the superclass' setup() then just add the 'hbac-deny-rule'
>>>> class to the container. For this particular case it's not a problem
>>>> because the possible values are only 'allow' or 'deny'. However if
>>>> the column is linked or uses some kind of formatting it will not be
>>>> rendered correctly.
>>>>
>>> Again, since this is a short term fix, not worth the effort.

ACK and pushed to master.

-- 
Endi S. Dewata

From edewata at redhat.com Wed Jul 6 21:59:12 2011
From: edewata at redhat.com (Endi Sukma Dewata)
Date: Wed, 06 Jul 2011 16:59:12 -0500
Subject: [Freeipa-devel] [PATCH] 200 Fixed blank self-service page.
Message-ID: <4E14DAB0.9060900@redhat.com>

The self-service navigation has been fixed to include the root of the
navigation path.

Ticket #1445

-- 
Endi S. Dewata

-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-edewata-0200-Fixed-blank-self-service-page.patch
Type: text/x-patch
Size: 912 bytes

From edewata at redhat.com Thu Jul 7 00:12:14 2011
From: edewata at redhat.com (Endi Sukma Dewata)
Date: Wed, 06 Jul 2011 19:12:14 -0500
Subject: [Freeipa-devel] [PATCH] 0265-check-required-on-blur
In-Reply-To: <4E14D46E.2080709@redhat.com>
References: <4E14BB36.7070501@redhat.com> <4E14D46E.2080709@redhat.com>
Message-ID: <4E14F9DE.8050407@redhat.com>

On 7/6/2011 4:32 PM, Adam Young wrote:
>

Some issues:

1. The check_required() is only called in blur events. It's not called on
Add/Update.

To test, open user's adder dialog, don't enter anything, just click Add. The
server will return an error (i.e. check_required() not called).

Another test, edit an existing user, empty the first name, click somewhere
else, an error will appear because it loses focus. Then click Update, the
server will return an error (i.e. check_required() not called).

2. In IPA.entity_select_widget the check_required() is only called if the
widget is editable.

To test, open IPA Server -> Configuration, set the Default user group to
empty, then click somewhere else. There's no validation error.

3. Also in IPA.entity_select_widget the check_required() is only called from
the text input's blur event, not from the drop down list. This leads to
strange behavior:

Open the hosts' adder dialog, click the drop down list, the validation error
will appear before the user has a chance to select a value.

4. For consistency, the multivalued_text and textarea widgets can be
modified to call the create_error_link() to create the error_link element.

5. There's a jslint warning.

-- 
Endi S. Dewata

From ayoung at redhat.com Thu Jul 7 00:55:35 2011
From: ayoung at redhat.com (Adam Young)
Date: Wed, 06 Jul 2011 20:55:35 -0400
Subject: [Freeipa-devel] [PATCH] 0265-check-required-on-blur
In-Reply-To: <4E14F9DE.8050407@redhat.com>
References: <4E14BB36.7070501@redhat.com> <4E14D46E.2080709@redhat.com> <4E14F9DE.8050407@redhat.com>
Message-ID: <4E150407.7000705@redhat.com>

On 07/06/2011 08:12 PM, Endi Sukma Dewata wrote:
> On 7/6/2011 4:32 PM, Adam Young wrote:
>>
>
> Some issues:
>
> 1. The check_required() is only called in blur events. It's not called
> on Add/Update.

Fixed. Looks like this works even for checkboxes.

> To test, open user's adder dialog, don't enter anything, just click
> Add. The server will return an error (i.e. check_required() not called).
>
> Another test, edit an existing user, empty the first name, click
> somewhere else, an error will appear because it loses focus. Then
> click Update, the server will return an error (i.e. check_required()
> not called).
>
> 2. In IPA.entity_select_widget the check_required() is only called if
> the widget is editable.
>
> To test, open IPA Server -> Configuration, set the Default user group
> to empty, then click somewhere else. There's no validation error.

Fixed, but I don't think that there is currently a testable case for this,
as many things don't have required set.

> 3. Also in IPA.entity_select_widget the check_required() is only
> called from the text input's blur event, not from the drop down list.
> This leads to strange behavior:
>
> Open the hosts' adder dialog, click the drop down list, the validation
> error will appear before the user has a chance to select a value.

Again fixed, but not sure it is verifiable. host and service add don't seem
to have metadata for required.

> 4. For consistency, the multivalued_text and textarea widgets can be
> modified to call the create_error_link() to create the error_link
> element.

done

> 5. There's a jslint warning.

fixed.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-admiyo-0265-2-check-required-on-blur.patch
Type: text/x-patch
Size: 6530 bytes

From ayoung at redhat.com Thu Jul 7 00:56:38 2011
From: ayoung at redhat.com (Adam Young)
Date: Wed, 06 Jul 2011 20:56:38 -0400
Subject: [Freeipa-devel] [PATCH] 0265-check-required-on-blur
In-Reply-To: <4E150407.7000705@redhat.com>
References: <4E14BB36.7070501@redhat.com> <4E14D46E.2080709@redhat.com> <4E14F9DE.8050407@redhat.com> <4E150407.7000705@redhat.com>
Message-ID: <4E150446.8040200@redhat.com>

On 07/06/2011 08:55 PM, Adam Young wrote:
> On 07/06/2011 08:12 PM, Endi Sukma Dewata wrote:
>> On 7/6/2011 4:32 PM, Adam Young wrote:
>>>
>>
>> Some issues:
>>
>> 1. The check_required() is only called in blur events. It's not
>> called on Add/Update.
>
> Fixed. Looks like this works even for checkboxes.
>
>> To test, open user's adder dialog, don't enter anything, just click
>> Add. The server will return an error (i.e. check_required() not called).
>>
>> Another test, edit an existing user, empty the first name, click
>> somewhere else, an error will appear because it loses focus. Then
>> click Update, the server will return an error (i.e. check_required()
>> not called).
>>
>> 2. In IPA.entity_select_widget the check_required() is only called if
>> the widget is editable.
>>
>> To test, open IPA Server -> Configuration, set the Default user group
>> to empty, then click somewhere else. There's no validation error.
> Fixed, but I don't think that there is currently a testable case for
> this, as many things don't have required set.
>>
>> 3. Also in IPA.entity_select_widget the check_required() is only
>> called from the text input's blur event, not from the drop down list.
>> This leads to strange behavior:
>>
>> Open the hosts' adder dialog, click the drop down list, the
>> validation error will appear before the user has a chance to select a
>> value.
> Again fixed, but not sure it is verifiable. host and service add
> don't seem to have metadata for required.
>
>> 4.
>> For consistency, the multivalued_text and textarea widgets can be
>> modified to call the create_error_link() to create the error_link
>> element.
> done
>>
>> 5. There's a jslint warning.
> fixed.

Rebased

-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-admiyo-0265-3-check-required-on-blur.patch
Type: text/x-patch
Size: 6530 bytes

From ayoung at redhat.com Thu Jul 7 01:00:32 2011
From: ayoung at redhat.com (Adam Young)
Date: Wed, 06 Jul 2011 21:00:32 -0400
Subject: [Freeipa-devel] [PATCH] 200 Fixed blank self-service page.
In-Reply-To: <4E14DAB0.9060900@redhat.com>
References: <4E14DAB0.9060900@redhat.com>
Message-ID: <4E150530.2060101@redhat.com>

On 07/06/2011 05:59 PM, Endi Sukma Dewata wrote:
> The self-service navigation has been fixed to include the root
> of the navigation path.
>
> Ticket #1445

ACK. Pushed to master

From edewata at redhat.com Thu Jul 7 04:05:48 2011
From: edewata at redhat.com (Endi Sukma Dewata)
Date: Wed, 06 Jul 2011 23:05:48 -0500
Subject: [Freeipa-devel] [PATCH] 0265-check-required-on-blur
In-Reply-To: <4E150446.8040200@redhat.com>
References: <4E14BB36.7070501@redhat.com> <4E14D46E.2080709@redhat.com> <4E14F9DE.8050407@redhat.com> <4E150407.7000705@redhat.com> <4E150446.8040200@redhat.com>
Message-ID: <4E15309C.2010205@redhat.com>

On 7/6/2011 7:56 PM, Adam Young wrote:
>>> 1. The check_required() is only called in blur events. It's not
>>> called on Add/Update.
>>
>> Fixed. Looks like this works even for checkboxes.

There seems to be a race condition. Open the group adder dialog, then click
Add. Sometimes only group name gets an error, sometimes the description too.
It looks like there are 2 events happening at the same time: input blur and
button click, and both are modifying the valid attribute and the error
message.

Another problem, open the group adder dialog, then click Cancel. You'll get
an error and the dialog doesn't close. Is blur really a good place to check
required?

Which checkboxes are you referring to? The IPA.attribute_widget is a
subclass of IPA.checkboxes_widget, but it doesn't seem to check required.

>>> 2. In IPA.entity_select_widget the check_required() is only called if
>>> the widget is editable.
>>> To test, open IPA Server -> Configuration, set the Default user group
>>> to empty, then click somewhere else. There's no validation error.
>> Fixed, but I don't think that there is currently a testable case for
>> this, as many things don't have required set.

This can be verified with the above scenario by setting the
ipadefaultprimarygroup to required in ipa_init.json (it should have been
required anyway). There's a problem, the entity_link is only created when
the widget is editable.

>>> 3. Also in IPA.entity_select_widget the check_required() is only
>>> called from the text input's blur event, not from the drop down list.
>>> This leads to strange behavior:
>>> Open the hosts' adder dialog, click the drop down list, the
>>> validation error will appear before the user has a chance to select a
>>> value.
>> Again fixed, but not sure it is verifiable. host and service add don't
>> seem to have metadata for required.

This can be verified with the above scenario. The host's fqdn is required.
The problem still exists.

>>> 4. For consistency, the multivalued_text and textarea widgets can be
>>> modified to call the create_error_link() to create the error_link
>>> element.
>> done

The IPA.multivalued_text_widget is still creating its own error_link.

-- 
Endi S. Dewata

From rcritten at redhat.com Thu Jul 7 16:01:38 2011
From: rcritten at redhat.com (Rob Crittenden)
Date: Thu, 07 Jul 2011 12:01:38 -0400
Subject: [Freeipa-devel] [PATCH] 822 remove deny hbac rule type
In-Reply-To: <4E14D8C9.1000709@redhat.com>
References: <4E14D8C9.1000709@redhat.com>
Message-ID: <4E15D862.6030609@redhat.com>

Rob Crittenden wrote:
> Remove deny from the available type options and prevent new ones from
> being created (either directly or via a mod).
>
> Type now defaults to allow and will autofill so on the cli the user
> won't be prompted for it in interactive mode.
>
> deny is still a valid type for searching, so hbacrule-find --type=deny
> works.
>
> ticket https://fedorahosted.org/freeipa/ticket/1432
>
> rob

I forgot to include an updated API.txt in the change.

I tested with an old client and it does the right thing if you try to create
a deny rule. The API change affects only validation so I don't need to bump
up the version.

rob

-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-rcrit-822-2-hbacrule-deny.patch
Type: text/x-diff
Size: 7347 bytes

From rcritten at redhat.com Thu Jul 7 16:02:29 2011
From: rcritten at redhat.com (Rob Crittenden)
Date: Thu, 07 Jul 2011 12:02:29 -0400
Subject: [Freeipa-devel] [PATCH] 823 validate certificate subject base
Message-ID: <4E15D895.8090908@redhat.com>

Use John's new DN class to verify that the subject base passed into
ipa-server-install is valid.

https://fedorahosted.org/freeipa/ticket/1176

rob

-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-rcrit-823-subjectbase.patch
Type: text/x-diff
Size: 2222 bytes

From edewata at redhat.com Thu Jul 7 20:05:28 2011
From: edewata at redhat.com (Endi Sukma Dewata)
Date: Thu, 07 Jul 2011 15:05:28 -0500
Subject: [Freeipa-devel] [PATCH] 201 Fixed dirty dialog problems in HBAC/Sudo rules.
Message-ID: <4E161188.2000103@redhat.com>

The update() in HBAC/Sudo details facet has been fixed to call the callback
function which will show the dirty dialog properly.

Ticket #1439

-- 
Endi S. Dewata

-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-edewata-0201-Fixed-dirty-dialog-problems-in-HBAC-Sudo-rules.patch
Type: text/x-patch
Size: 17506 bytes

From ayoung at redhat.com Thu Jul 7 20:34:11 2011
From: ayoung at redhat.com (Adam Young)
Date: Thu, 07 Jul 2011 16:34:11 -0400
Subject: [Freeipa-devel] [PATCH] 201 Fixed dirty dialog problems in HBAC/Sudo rules.
In-Reply-To: <4E161188.2000103@redhat.com>
References: <4E161188.2000103@redhat.com>
Message-ID: <4E161843.5090308@redhat.com>

On 07/07/2011 04:05 PM, Endi Sukma Dewata wrote:
> The update() in HBAC/Sudo details facet has been fixed to call the
> callback function which will show the dirty dialog properly.
>
> Ticket #1439

ACK. Pushed to master

From edewata at redhat.com Thu Jul 7 20:35:22 2011
From: edewata at redhat.com (Endi Sukma Dewata)
Date: Thu, 07 Jul 2011 15:35:22 -0500
Subject: [Freeipa-devel] [PATCH] 202 Fixed test fixture file name.
Message-ID: <4E16188A.4000406@redhat.com>

Pushed under one-liner rule.

-- 
Endi S. Dewata

-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-edewata-0202-Fixed-test-fixture-file-name.patch
Type: text/x-patch
Size: 614 bytes

From ayoung at redhat.com Thu Jul 7 20:46:46 2011
From: ayoung at redhat.com (Adam Young)
Date: Thu, 07 Jul 2011 16:46:46 -0400
Subject: [Freeipa-devel] [PATCH] 0265-check-required-on-blur
In-Reply-To: <4E15309C.2010205@redhat.com>
References: <4E14BB36.7070501@redhat.com> <4E14D46E.2080709@redhat.com> <4E14F9DE.8050407@redhat.com> <4E150407.7000705@redhat.com> <4E150446.8040200@redhat.com> <4E15309C.2010205@redhat.com>
Message-ID: <4E161B36.5060009@redhat.com>

No longer testing on blur, as it was causing too many issues. Now checking
upon click of the add button.

On 07/07/2011 12:05 AM, Endi Sukma Dewata wrote:
> On 7/6/2011 7:56 PM, Adam Young wrote:
>>>> 1. The check_required() is only called in blur events. It's not
>>>> called on Add/Update.
>>>
>>> Fixed. Looks like this works even for checkboxes.
>
> There seems to be a race condition. Open the group adder dialog, then
> click Add. Sometimes only group name gets an error, sometimes the
> description too. It looks like there are 2 events happening at the
> same time: input blur and button click, and both are modifying the
> valid attribute and the error message.
>
> Another problem, open the group adder dialog, then click Cancel.
> You'll get an error and the dialog doesn't close. Is blur really a
> good place to check required?
>
> Which checkboxes are you referring to? The IPA.attribute_widget is a
> subclass of IPA.checkboxes_widget, but it doesn't seem to check required.
>
>>>> 2. In IPA.entity_select_widget the check_required() is only called if
>>>> the widget is editable.
>
>>>> To test, open IPA Server -> Configuration, set the Default user group
>>>> to empty, then click somewhere else. There's no validation error.
>
>>> Fixed, but I don't think that there is currently a testable case for
>>> this, as many things don't have required set.
>
> This can be verified with the above scenario by setting the
> ipadefaultprimarygroup to required in ipa_init.json (it should have
> been required anyway).
There's a problem, the entity_link is only > created when the widget is editable. > >>>> 3. Also in IPA.entity_select_widget the check_required() is only >>>> called from the text input's blur event, not from the drop down list. >>>> This leads to strange behavior: > >>>> Open the hosts' adder dialog, click the drop down list, the >>>> validation error will appear before the user has a chance to select a >>>> value. > >>> Again fixed, but not sure it is verifiable. host and service add don't >>> seem to have metadata for required. > > This can be verified with the above scenario. The host's fqdn is > required. The problem still exists. > >>>> 4. For consistency, the multivalued_text and textarea widgets can be >>>> modified to call the create_error_link() to create the error_link >>>> element. > >>> done > > The IPA.multivalued_text_widget is still creating its own error_link. > -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-admiyo-0265-4-check-required-on-add.patch Type: text/x-patch Size: 6434 bytes Desc: not available URL: From abokovoy at redhat.com Thu Jul 7 20:47:02 2011 
From: abokovoy at redhat.com (Alexander Bokovoy) Date: Thu, 07 Jul 2011 23:47:02 +0300 Subject: [Freeipa-devel] [PATCH] 0001 Convert nsaccountlock to always work as bool towards Python and JavaScript Message-ID: <4E161B46.6000701@redhat.com> Hi, this is refactoring of the patch for ticket 1259 (handling of boolean for nsaccountlock in LDAP). Now it is possible to just work with True/False on Python side and JavaScript side also gets true/false via JSON marshalling. At the same time, TRUE/FALSE is provided towards LDAP storage and correctly handled when returned back. Tested with command line tools, WebUI, and make-test. -- / Alexander Bokovoy -------------- next part -------------- An embedded and charset-unspecified text was scrubbed... Name: freeipa-abbra-0001-1-Convert-nsaccountlock-to-always-work-as-bool-towards.patch URL: From ayoung at redhat.com Thu Jul 7 21:29:01 2011 From: ayoung at redhat.com (Adam Young) Date: Thu, 07 Jul 2011 17:29:01 -0400 Subject: [Freeipa-devel] [PATCH] 0001 Convert nsaccountlock to always work as bool towards Python and JavaScript In-Reply-To: <4E161B46.6000701@redhat.com> References: <4E161B46.6000701@redhat.com> Message-ID: <4E16251D.20001@redhat.com> On 07/07/2011 04:47 PM, Alexander Bokovoy wrote: > Hi, > > this is refactoring of the patch for ticket 1259 (handling of boolean > for nsaccountlock in LDAP). > > Now it is possible to just work with True/False on Python side and > JavaScript side also gets true/false via JSON marshalling. At the same > time, TRUE/FALSE is provided towards LDAP storage and correctly > handled when returned back. > > Tested with command line tools, WebUI, and make-test. > > > _______________________________________________ > Freeipa-devel mailing list > Freeipa-devel at redhat.com > https://www.redhat.com/mailman/listinfo/freeipa-devel ACK. -------------- next part -------------- An HTML attachment was scrubbed... URL: From abokovoy at redhat.com Thu Jul 7 21:40:51 2011 
From: abokovoy at redhat.com (Alexander Bokovoy) Date: Fri, 08 Jul 2011 00:40:51 +0300 Subject: [Freeipa-devel] [PATCH] 0001 (2) Convert nsaccountlock to always work as bool towards Python and JavaScript In-Reply-To: <4E16251D.20001@redhat.com> References: <4E161B46.6000701@redhat.com> <4E16251D.20001@redhat.com> Message-ID: <4E1627E3.80901@redhat.com> On 08.07.2011 00:29, Adam Young wrote: > On 07/07/2011 04:47 PM, Alexander Bokovoy wrote: >> Hi, >> >> this is refactoring of the patch for ticket 1259 (handling of boolean >> for nsaccountlock in LDAP). >> >> Now it is possible to just work with True/False on Python side and >> JavaScript side also gets true/false via JSON marshalling. At the same >> time, TRUE/FALSE is provided towards LDAP storage and correctly >> handled when returned back. >> >> Tested with command line tools, WebUI, and make-test. > ACK. Updated to include all python tests. JavaScript-based tests are left in old format ("nsaccountlock": [ "False";], for example) to allow testing all accepted variations of the boolean values in JSON (boolean type, strings, strings in array). -- / Alexander Bokovoy -------------- next part -------------- An embedded and charset-unspecified text was scrubbed... Name: freeipa-abbra-0001-2-Convert-nsaccountlock-to-always-work-as-bool-towards.patch URL: From ayoung at redhat.com Thu Jul 7 21:57:11 2011 
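The marshalling Alexander describes, as an added example that is not the FreeIPA patch itself: one helper that accepts every form the JavaScript tests exercise (a JSON boolean, a string, or a string inside a single-element list, which is how LDAP attributes arrive), and one that emits the LDAP Boolean syntax on the way back. The helper names, the accepted spellings, and the rule that an absent attribute means "not locked" are assumptions for illustration; a value that is not unambiguously boolean raises instead of being guessed, so a typo can never silently unlock an account.

```python
# Added example (not the FreeIPA patch): normalize nsaccountlock between the
# LDAP Boolean syntax ("TRUE"/"FALSE"), Python bool, and the loosely typed
# forms a JSON client may send. Accepted spellings, the helper names, and the
# rule "attribute absent means not locked" are assumptions for illustration.

TRUE_WORDS = frozenset({"true", "t", "yes", "on", "1"})
FALSE_WORDS = frozenset({"false", "f", "no", "off", "0"})


def nsaccountlock_to_bool(value):
    """Coerce any accepted representation of nsaccountlock to a Python bool.

    Accepts: bool; str/bytes; a list or tuple holding at most one of those
    (LDAP attributes are marshalled as value lists). Anything else, including
    JSON numbers and typos such as "tru", raises ValueError.
    """
    if isinstance(value, bool):
        return value
    if isinstance(value, (list, tuple)):
        if not value:
            return False        # assumption: attribute absent -> not locked
        if len(value) != 1:
            raise ValueError("nsaccountlock is single-valued: %r" % (value,))
        return nsaccountlock_to_bool(value[0])
    if isinstance(value, bytes):
        value = value.decode("utf-8")
    if isinstance(value, str):
        word = value.strip().lower()
        if word in TRUE_WORDS:
            return True
        if word in FALSE_WORDS:
            return False
    raise ValueError("not a boolean nsaccountlock value: %r" % (value,))


def nsaccountlock_to_ldap(locked):
    """Render a bool as the value stored in the directory."""
    if not isinstance(locked, bool):
        raise TypeError("expected bool, got %r" % (locked,))
    return "TRUE" if locked else "FALSE"


def nsaccountlock_to_json(locked):
    """What the JSON-RPC layer should hand to JavaScript: a real boolean."""
    return nsaccountlock_to_ldap(locked) == "TRUE"


def round_trip(value):
    """JSON/LDAP input -> bool -> LDAP string, for a quick self-check."""
    return nsaccountlock_to_ldap(nsaccountlock_to_bool(value))
```

The strict failure on anything outside the two word sets is the point: a lock flag that defaults to "unlocked" on a parse error is a security bug, so the conversion either returns a definite bool or refuses.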
From: ayoung at redhat.com (Adam Young) Date: Thu, 07 Jul 2011 17:57:11 -0400 Subject: [Freeipa-devel] [PATCH] 0265-check-required-on-blur In-Reply-To: <4E161B36.5060009@redhat.com> References: <4E14BB36.7070501@redhat.com> <4E14D46E.2080709@redhat.com> <4E14F9DE.8050407@redhat.com> <4E150407.7000705@redhat.com> <4E150446.8040200@redhat.com> <4E15309C.2010205@redhat.com> <4E161B36.5060009@redhat.com> Message-ID: <4E162BB7.1040608@redhat.com> On 07/07/2011 04:46 PM, Adam Young wrote: > No longer testing on blur, as it was causing too many issues. Now > checking upon click of the add button. > > > > > On 07/07/2011 12:05 AM, Endi Sukma Dewata wrote: >> On 7/6/2011 7:56 PM, Adam Young wrote: >>>>> 1. The check_required() is only called in blur events. It's not >>>>> called on Add/Update. >>>> >>>> Fixed. Looks like this works even for checkboxes. >> >> There seems to be a race condition. Open the group adder dialog, then >> click Add. Sometimes only group name gets an error, sometimes the >> description too. It looks like there are 2 events happening at the >> same time: input blur and button click, and both are modifying the >> valid attribute and the error message. >> >> Another problem, open the group adder dialog, then click Cancel. >> You'll get an error and the dialog doesn't close. Is blur really a >> good place to check required? >> >> Which checkboxes are you referring to? The IPA.attribute_widget is a >> subclass of IPA.checkboxes_widget, but it doesn't seem to check >> required. >> >>>>> 2. In IPA.entity_select_widget the check_required() is only called if >>>>> the widget is editable. >> >>>>> To test, open IPA Server -> Configuration, set the Default user group >>>>> to empty, then click somewhere else. There's no validation error. >> >>>> Fixed, but I don't think that there is currently a testable case for >>>> this, as many things don't have required set. 
>> >> This can be verified with the above scenario by setting the >> ipadefaultprimarygroup to required in ipa_init.json (it should have >> been required anyway). There's a problem, the entity_link is only >> created when the widget is editable. >> >>>>> 3. Also in IPA.entity_select_widget the check_required() is only >>>>> called from the text input's blur event, not from the drop down list. >>>>> This leads to strange behavior: >> >>>>> Open the hosts' adder dialog, click the drop down list, the >>>>> validation error will appear before the user has a chance to select a >>>>> value. >> >>>> Again fixed, but not sure it is verifiable. host and service add don't >>>> seem to have metadata for required. >> >> This can be verified with the above scenario. The host's fqdn is >> required. The problem still exists. >> >>>>> 4. For consistency, the multivalued_text and textarea widgets can be >>>>> modified to call the create_error_link() to create the error_link >>>>> element. >> >>>> done >> >> The IPA.multivalued_text_widget is still creating its own error_link. >> -------------- next part -------------- An HTML attachment was scrubbed... URL: -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-admiyo-0265-6-check-required-on-add.patch Type: text/x-patch Size: 7143 bytes Desc: not available URL: From jdennis at redhat.com Thu Jul 7 23:01:46 2011 
From: jdennis at redhat.com (John Dennis) Date: Thu, 07 Jul 2011 19:01:46 -0400 Subject: [Freeipa-devel] mod_wsgi global data Message-ID: <4E163ADA.9000904@redhat.com> Just a follow-up to yesterday's meeting on session support. We were pretty sure Python global data is local to the apache child process hosting the interpreter and will not be available to other request handlers. Stephen also suggested utilizing memcached. FYI both of these are validated in mod_wsgi documentation, which I've copied below. Also Adam has made a suggestion of using sqlite backed by a file in /dev/shm. ------------------------------------------------------------------------ Application Global Variables Because the Python sub interpreter which hosts a WSGI application is retained in memory between requests, any global data is effectively persistent and can be used to carry state forward from one request to the next. On UNIX systems however, Apache will normally use multiple processes to handle requests and each such process will have its own global data. This means that although global data can be used, it can only be used to cache data which can be safely reused within the context of that single process. You cannot use global data as a means of holding information that must be visible to any request handler no matter which process it runs in. If data must be visible to all request handlers across all Apache processes, then it will be necessary to store the data in the filesystem directly, or using a database. Alternatively, shared memory can be employed by using a package such as memcached. Because your WSGI application can be spread across multiple processes, one must also be very careful in respect of local caching mechanisms employed by database connector objects. If such an adapter is quite aggressive in its caching, it is possible that a specific process may end up with an out of date view of data from a database where one of the other processes has since changed the data. 
The result may be that requests handled in different processes may give different results. The problems described above can be alleviated to a degree by using daemon mode of mod_wsgi and restricting to one the number of daemon processes in the process group. This will ensure that all requests are serviced by the same process. If the data is only held in memory, it would however obviously be lost when Apache is restarted or the daemon process is restarted due to a maximum number of requests being reached. -- John Dennis Looking to carve out IT costs? www.redhat.com/carveoutcosts/ From dpal at redhat.com Thu Jul 7 23:30:04 2011 
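The process-isolation point in the mod_wsgi text above, as an added example that is not FreeIPA or mod_wsgi code: a session created in one forked worker is invisible to a module-level dict in another, while a small sqlite store on the filesystem (the option Adam raised, which could live under /dev/shm) is seen by every process. The store layout, the fork-based demo, and the database path are assumptions; session ids come from the OS CSPRNG and carry an expiry, since a session store that survives across processes also needs to expire entries itself.

```python
# Added example, not FreeIPA or mod_wsgi code: a module-level dict cannot hold
# sessions when Apache spreads requests over several processes, while a small
# sqlite store on the filesystem can. The store layout, the fork-based demo and
# the database path are assumptions; on a server the file could sit under
# /dev/shm as suggested in the thread, at the cost of losing sessions on reboot.

import os
import secrets
import sqlite3
import tempfile
import time


class DictSessionStore:
    """Process-local store: what a Python global looks like under mod_wsgi."""

    def __init__(self):
        self._data = {}

    def put(self, sid, user, ttl=3600):
        self._data[sid] = (user, time.time() + ttl)

    def get(self, sid):
        entry = self._data.get(sid)
        if entry is None or entry[1] < time.time():
            return None
        return entry[0]


class SqliteSessionStore:
    """Store shared through a file; sqlite serializes concurrent writers.

    A fresh connection is opened per call so that no handle, and no cached
    view of the table, is inherited across fork() or reused after it.
    """

    def __init__(self, path):
        self.path = path
        self._run("CREATE TABLE IF NOT EXISTS session (sid TEXT PRIMARY KEY, "
                  "user TEXT NOT NULL, expires REAL NOT NULL)")

    def _run(self, sql, params=()):
        conn = sqlite3.connect(self.path, timeout=5)
        try:
            rows = conn.execute(sql, params).fetchall()
            conn.commit()
            return rows
        finally:
            conn.close()

    def put(self, sid, user, ttl=3600):
        self._run("INSERT OR REPLACE INTO session VALUES (?, ?, ?)",
                  (sid, user, time.time() + ttl))

    def get(self, sid):
        rows = self._run("SELECT user, expires FROM session WHERE sid = ?", (sid,))
        if not rows or rows[0][1] < time.time():
            return None
        return rows[0][0]


def new_session_id():
    # 256 bits from the OS CSPRNG; never derive a session id from user data.
    return secrets.token_urlsafe(32)


def seen_across_processes(store, user="admin"):
    """Fork a worker that logs `user` in, then look the session up here.

    Models one Apache child serving the login and another child serving the
    next request. Returns the user the parent sees, or None.
    """
    sid = new_session_id()
    pid = os.fork()
    if pid == 0:                      # child: the process that handled the login
        try:
            store.put(sid, user)
        finally:
            os._exit(0)
    os.waitpid(pid, 0)
    return store.get(sid)


def demo():
    """Run both stores through the fork scenario: (sqlite result, dict result)."""
    path = os.path.join(tempfile.mkdtemp(prefix="ipa-session-"), "sessions.db")
    return (seen_across_processes(SqliteSessionStore(path)),
            seen_across_processes(DictSessionStore()))


if __name__ == "__main__":
    print(demo())   # ('admin', None)
```

Opening a connection per call is deliberate: it sidesteps the connector-caching problem the quoted documentation warns about, at a small cost per request. memcached would give the same cross-process visibility but loses every session when the daemon restarts, which matters for a component that gates access to an identity server.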
From: dpal at redhat.com (Dmitri Pal) Date: Thu, 07 Jul 2011 19:30:04 -0400 Subject: [Freeipa-devel] mod_wsgi global data In-Reply-To: <4E163ADA.9000904@redhat.com> References: <4E163ADA.9000904@redhat.com> Message-ID: <4E16417C.3080309@redhat.com> On 07/07/2011 07:01 PM, John Dennis wrote: > Just a follow-up to yesterday's meeting on session support. We were > pretty sure Python global data is local to the apache child process > hosting the interpreter and will not be available to other request > handlers. Stephen also suggested utilizing memcached. FYI both of these > are validated in mod_wsgi documentation, which I've copied below. Also > Adam has made a suggestion of using sqlite backed by a file in /dev/shm. > > ------------------------------------------------------------------------ > > Application Global Variables > > Because the Python sub interpreter which hosts a WSGI application is > retained in memory between requests, any global data is effectively > persistent and can be used to carry state forward from one request to > the next. On UNIX systems however, Apache will normally use multiple > processes to handle requests and each such process will have its own > global data. > > This means that although global data can be used, it can only be used to > cache data which can be safely reused within the context of that single > process. You cannot use global data as a means of holding information > that must be visible to any request handler no matter which process it > runs in. > > If data must be visible to all request handlers across all Apache > processes, then it will be necessary to store the data in the filesystem > directly, or using a database. Alternatively, shared memory can be > employed by using a package such as memcached. > > Because your WSGI application can be spread across multiple processes, one > must also be very careful in respect of local caching mechanisms > employed by database connector objects. 
If such an adapter is quite > aggressive in its caching, it is possible that a specific process may end > up with an out of date view of data from a database where one of the > other processes has since changed the data. The result may be that > requests handled in different processes may give different results. > > The problems described above can be alleviated to a degree by using > daemon mode of mod_wsgi and restricting to one the number of daemon > processes in the process group. This will ensure that all requests are > serviced by the same process. If the data is only held in memory, it > would however obviously be lost when Apache is restarted or the daemon > process is restarted due to a maximum number of requests being reached. > After careful evaluation of the complexity of the issue it seems that it is impossible to address in the scope of 2.1 in the remaining time. Since this is a desirable but not required feature I suggest (following some private comments) we defer it till after 2.1. Let us focus on making other parts of 2.1 fully functional in the remaining two weeks. John, please move the ticket into the "2.1 deferrable" bucket and pick up some other tasks that Rob has in the back log. We will get back to these issues as soon as we are done with 2.1. -- Thank you, Dmitri Pal Sr. Engineering Manager IPA project, Red Hat Inc. ------------------------------- Looking to carve out IT costs? www.redhat.com/carveoutcosts/ From edewata at redhat.com Fri Jul 8 01:37:57 2011 
From: edewata at redhat.com (Endi Sukma Dewata) Date: Thu, 07 Jul 2011 20:37:57 -0500 Subject: [Freeipa-devel] [PATCH] 0265-check-required-on-blur In-Reply-To: <4E162BB7.1040608@redhat.com> References: <4E14BB36.7070501@redhat.com> <4E14D46E.2080709@redhat.com> <4E14F9DE.8050407@redhat.com> <4E150407.7000705@redhat.com> <4E150446.8040200@redhat.com> <4E15309C.2010205@redhat.com> <4E161B36.5060009@redhat.com> <4E162BB7.1040608@redhat.com> Message-ID: <4E165F75.9080706@redhat.com> On 7/7/2011 4:57 PM, Adam Young wrote: >> No longer testing on blur, as it was causing to many issues. Now >> checking upon click of the add button. ACK and pushed to master. -- Endi S. Dewata From rcritten at redhat.com Fri Jul 8 14:59:17 2011 From: rcritten at redhat.com (Rob Crittenden) Date: Fri, 08 Jul 2011 10:59:17 -0400 Subject: [Freeipa-devel] Analysis of 389-ds plugin precedence Message-ID: <4E171B45.9020802@redhat.com> Ticket https://fedorahosted.org/freeipa/ticket/1370 suggests that we check the plugin precedence for the IPA plugins. It notes that the modrdn plugin needs to run last, in any case. Here are the plugins we currently define: ipa-enrollment ipa-lockout ipa-modrdn ipa-pwd-extop ipa-uuid ipa-version ipa-winsync The ticket recommends setting ipa-modrdn to 60. I think the only other plugin we might want to change is ipa-uuid to be sure it always runs first, say at a level of 45. I think leaving the others alone is fine. Thoughts? rob From ayoung at redhat.com Fri Jul 8 15:06:27 2011 From: ayoung at redhat.com (Adam Young) Date: Fri, 08 Jul 2011 11:06:27 -0400 Subject: [Freeipa-devel] [PATCH] 0266-clear-errors-on-reset Message-ID: <4E171CF3.4080905@redhat.com> -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-admiyo-0266-clear-errors-on-reset.patch Type: text/x-patch Size: 3001 bytes Desc: not available URL: From edewata at redhat.com Fri Jul 8 16:40:49 2011 
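The precedence question Rob raises, as an added example that is neither FreeIPA nor 389-ds code: 389-ds runs plugins in ascending nsslapd-pluginPrecedence (1 to 99, default 50 when the attribute is absent), and the order among plugins that share a value is left to the server. The check below therefore treats a tie with ipa-modrdn or ipa-uuid as "not guaranteed" rather than as a pass. The LDIF is constructed from the seven plugin names in Rob's list with the values he proposes (60 and 45); its DNs are illustrative and not a dump of a real server, and the modify helper's DN template is an assumption as well.

```python
# Added example (not FreeIPA or 389-ds code): reason about the IPA plugin
# ordering from nsslapd-pluginPrecedence. 389-ds runs plugins in ascending
# precedence (1-99, default 50 when the attribute is absent); the order of
# plugins sharing a value is up to the server, so a tie is treated here as
# "not guaranteed". The LDIF is constructed from the plugin names in the
# thread and the DNs in it are illustrative, not a dump of a real server.

DEFAULT_PRECEDENCE = 50
ATTR = "nsslapd-pluginPrecedence"

CONSTRUCTED_LDIF = """\
dn: cn=ipa-enrollment,cn=plugins,cn=config
cn: ipa-enrollment

dn: cn=ipa-lockout,cn=plugins,cn=config
cn: ipa-lockout

dn: cn=ipa-modrdn,cn=plugins,cn=config
cn: ipa-modrdn
nsslapd-pluginPrecedence: 60

dn: cn=ipa-pwd-extop,cn=plugins,cn=config
cn: ipa-pwd-extop

dn: cn=ipa-uuid,cn=plugins,cn=config
cn: ipa-uuid
nsslapd-pluginPrecedence: 45

dn: cn=ipa-version,cn=plugins,cn=config
cn: ipa-version

dn: cn=ipa-winsync,cn=plugins,cn=config
cn: ipa-winsync
"""


def parse_plugins(ldif_text):
    """Return {cn: precedence} from minimal LDIF; missing attribute -> default."""
    plugins = {}
    for entry in ldif_text.strip().split("\n\n"):
        attrs = {}
        for line in entry.splitlines():
            key, _, value = line.partition(":")
            attrs[key.strip().lower()] = value.strip()
        prec = int(attrs.get(ATTR.lower(), DEFAULT_PRECEDENCE))
        if not 1 <= prec <= 99:
            raise ValueError("%s: %s=%d is outside 1-99" % (attrs["cn"], ATTR, prec))
        plugins[attrs["cn"]] = prec
    return plugins


def execution_order(plugins):
    """Plugins as the server would run them; ties keep an arbitrary order."""
    return [name for name, _ in sorted(plugins.items(), key=lambda kv: kv[1])]


def check_order(plugins, run_last, run_first):
    """List the plugins whose ordering against run_last/run_first is not
    guaranteed (an empty list means the constraints hold)."""
    problems = []
    for name, prec in plugins.items():
        if name != run_last and prec >= plugins[run_last]:
            problems.append("%s (%d) may run after %s (%d)"
                            % (name, prec, run_last, plugins[run_last]))
        if name != run_first and prec <= plugins[run_first]:
            problems.append("%s (%d) may run before %s (%d)"
                            % (name, prec, run_first, plugins[run_first]))
    return problems


def modify_ldif(cn, precedence):
    """ldapmodify input that sets the precedence of one plugin entry."""
    if not 1 <= precedence <= 99:
        raise ValueError("precedence must be within 1-99")
    return ("dn: cn=%s,cn=plugins,cn=config\nchangetype: modify\n"
            "replace: %s\n%s: %d\n" % (cn, ATTR, ATTR, precedence))
```

With Rob's proposed values the check passes because every other plugin sits at the default 50, strictly between 45 and 60; giving any of them 60 as well would put it in a tie with ipa-modrdn, which the check reports. Plugin configuration changes in 389-ds take effect after a restart of the directory server, so the verification is worth re-running against a live dump afterwards.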
From: edewata at redhat.com (Endi Sukma Dewata) Date: Fri, 08 Jul 2011 11:40:49 -0500 Subject: [Freeipa-devel] [PATCH] 0266-clear-errors-on-reset In-Reply-To: <4E171CF3.4080905@redhat.com> References: <4E171CF3.4080905@redhat.com> Message-ID: <4E173311.3080807@redhat.com> On 7/8/2011 10:06 AM, Adam Young wrote: > Some issues: 1. The new code in IPA.widget.test_dirty() seems to be redundant. if ((that.values.length === 0) && (values.length === 1) && values[0] === ""){ return false; } It's already covered by a similar code above it. 2. The commented code in details.js:167 can be removed (and 158 too). 3. Instead of returning empty array, the details_tests.js:173 should return the overridden method's return value. return widget.widget_save(); -- Endi S. Dewata From edewata at redhat.com Fri Jul 8 16:52:33 2011 From: edewata at redhat.com (Endi Sukma Dewata) Date: Fri, 08 Jul 2011 11:52:33 -0500 Subject: [Freeipa-devel] [PATCH] 203 Fixed missing entitlement import button label Message-ID: <4E1735D1.3060907@redhat.com> Pushed under one-liner rule. Ticket #1456 -- Endi S. Dewata -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-edewata-0203-Fixed-missing-entitlement-import-button-label.patch Type: text/x-patch Size: 890 bytes Desc: not available URL: From ayoung at redhat.com Fri Jul 8 17:00:04 2011 
From: ayoung at redhat.com (Adam Young) Date: Fri, 08 Jul 2011 13:00:04 -0400 Subject: [Freeipa-devel] [PATCH] 0266-clear-errors-on-reset In-Reply-To: <4E173311.3080807@redhat.com> References: <4E171CF3.4080905@redhat.com> <4E173311.3080807@redhat.com> Message-ID: <4E173794.3080304@redhat.com> On 07/08/2011 12:40 PM, Endi Sukma Dewata wrote: > On 7/8/2011 10:06 AM, Adam Young wrote: >> > > Some issues: > > 1. The new code in IPA.widget.test_dirty() seems to be redundant. > > if ((that.values.length === 0) && > (values.length === 1) && > values[0] === ""){ > return false; > } > > It's already covered by a similar code above it. Not quite. This happens when the widget defaults a blank field to [""]. > > 2. The commented code in details.js:167 can be removed (and 158 too). Done > > 3. Instead of returning empty array, the details_tests.js:173 should > return the overridden method's return value. > > return widget.widget_save(); > Just keeps the test from breaking. Not really checking anything -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-admiyo-0266-1-clear-errors-on-reset.patch Type: text/x-patch Size: 3001 bytes Desc: not available URL: From ayoung at redhat.com Fri Jul 8 17:02:41 2011 
From: ayoung at redhat.com (Adam Young) Date: Fri, 08 Jul 2011 13:02:41 -0400 Subject: [Freeipa-devel] [PATCH] 0266-clear-errors-on-reset In-Reply-To: <4E173794.3080304@redhat.com> References: <4E171CF3.4080905@redhat.com> <4E173311.3080807@redhat.com> <4E173794.3080304@redhat.com> Message-ID: <4E173831.9040307@redhat.com> On 07/08/2011 01:00 PM, Adam Young wrote: > On 07/08/2011 12:40 PM, Endi Sukma Dewata wrote: >> On 7/8/2011 10:06 AM, Adam Young wrote: >>> >> >> Some issues: >> >> 1. The new code in IPA.widget.test_dirty() seems to be redundant. >> >> if ((that.values.length === 0) && >> (values.length === 1) && >> values[0] === ""){ >> return false; >> } >> >> It's already covered by a similar code above it. > > Not quite. This happens when the widget defaults a blank field to [""]. >> >> 2. The commented code in details.js:167 can be removed (and 158 too). > Done >> >> 3. Instead of returning empty array, the details_tests.js:173 should >> return the overridden method's return value. >> >> return widget.widget_save(); >> > Just keeps the test from breaking. Not really checking anything But fixed anyway > > > _______________________________________________ > Freeipa-devel mailing list > Freeipa-devel at redhat.com > https://www.redhat.com/mailman/listinfo/freeipa-devel This time with a patch attached -------------- next part -------------- An HTML attachment was scrubbed... URL: -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-admiyo-0266-2-clear-errors-on-reset.patch Type: text/x-patch Size: 3216 bytes Desc: not available URL: From ayoung at redhat.com Fri Jul 8 17:25:29 2011 
From: ayoung at redhat.com (Adam Young) Date: Fri, 08 Jul 2011 13:25:29 -0400 Subject: [Freeipa-devel] [PATCH] 0266-clear-errors-on-reset In-Reply-To: <4E173831.9040307@redhat.com> References: <4E171CF3.4080905@redhat.com> <4E173311.3080807@redhat.com> <4E173794.3080304@redhat.com> <4E173831.9040307@redhat.com> Message-ID: <4E173D89.2020806@redhat.com> On 07/08/2011 01:02 PM, Adam Young wrote: > On 07/08/2011 01:00 PM, Adam Young wrote: >> On 07/08/2011 12:40 PM, Endi Sukma Dewata wrote: >>> On 7/8/2011 10:06 AM, Adam Young wrote: >>>> >>> >>> Some issues: >>> >>> 1. The new code in IPA.widget.test_dirty() seems to be redundant. >>> >>> if ((that.values.length === 0) && >>> (values.length === 1) && >>> values[0] === ""){ >>> return false; >>> } >>> >>> It's already covered by a similar code above it. >> >> Not quite. This happens when the widget defaults a blank field to [""]. >>> >>> 2. The commented code in details.js:167 can be removed (and 158 too). >> Done >>> >>> 3. Instead of returning empty array, the details_tests.js:173 should >>> return the overridden method's return value. >>> >>> return widget.widget_save(); >>> >> Just keeps the test from breaking. Not really checking anything > > But fixed anyway > This time with a patch attached Removed code in is_dirty check, as it doesn't seem to get triggered now. -------------- next part -------------- An HTML attachment was scrubbed... URL: -------------- next part -------------- A non-text attachment was scrubbed... 
Name: freeipa-admiyo-0266-3-clear-errors-on-reset.patch Type: text/x-patch Size: 3216 bytes Desc: not available URL: From ayoung at redhat.com Fri Jul 8 17:29:58 2011 
From: ayoung at redhat.com (Adam Young) Date: Fri, 08 Jul 2011 13:29:58 -0400 Subject: [Freeipa-devel] [PATCH] 0266-clear-errors-on-reset In-Reply-To: <4E173D89.2020806@redhat.com> References: <4E171CF3.4080905@redhat.com> <4E173311.3080807@redhat.com> <4E173794.3080304@redhat.com> <4E173831.9040307@redhat.com> <4E173D89.2020806@redhat.com> Message-ID: <4E173E96.9070908@redhat.com> On 07/08/2011 01:25 PM, Adam Young wrote: > On 07/08/2011 01:02 PM, Adam Young wrote: >> On 07/08/2011 01:00 PM, Adam Young wrote: >>> On 07/08/2011 12:40 PM, Endi Sukma Dewata wrote: >>>> On 7/8/2011 10:06 AM, Adam Young wrote: >>>>> >>>> >>>> Some issues: >>>> >>>> 1. The new code in IPA.widget.test_dirty() seems to be redundant. >>>> >>>> if ((that.values.length === 0) && >>>> (values.length === 1) && >>>> values[0] === ""){ >>>> return false; >>>> } >>>> >>>> It's already covered by a similar code above it. >>> >>> Not quite. This happens when the widget defaults a blank field to >>> [""]. >>>> >>>> 2. The commented code in details.js:167 can be removed (and 158 too). >>> Done >>>> >>>> 3. Instead of returning empty array, the details_tests.js:173 >>>> should return the overridden method's return value. >>>> >>>> return widget.widget_save(); >>>> >>> Just keeps the test from breaking. Not really checking anything >> >> But fixed anyway >> This time with a patch attached > Removed code in is_dirty check, as it doesn't seem to get triggered now. 
-------------- next part -------------- An HTML attachment was scrubbed... URL: -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-admiyo-0266-4-clear-errors-on-reset.patch Type: text/x-patch Size: 2878 bytes Desc: not available URL: From edewata at redhat.com Fri Jul 8 17:40:12 2011 From: edewata at redhat.com (Endi Sukma Dewata) Date: Fri, 08 Jul 2011 12:40:12 -0500 Subject: [Freeipa-devel] [PATCH] 0266-clear-errors-on-reset In-Reply-To: <4E173E96.9070908@redhat.com> References: <4E171CF3.4080905@redhat.com> <4E173311.3080807@redhat.com> <4E173794.3080304@redhat.com> <4E173831.9040307@redhat.com> <4E173D89.2020806@redhat.com> <4E173E96.9070908@redhat.com> Message-ID: <4E1740FC.2070403@redhat.com> On 7/8/2011 12:29 PM, Adam Young wrote: >> Removed code in is_dirty check, as it doesn't seem to get triggered now. ACK and pushed to master. -- Endi S. Dewata From ayoung at redhat.com Sat Jul 9 00:33:08 2011 From: ayoung at redhat.com (Adam Young) Date: Fri, 08 Jul 2011 20:33:08 -0400 Subject: [Freeipa-devel] [PATCH] 0267-dnsrecord-mod-ui Message-ID: <4E17A1C4.8090501@redhat.com> Please do not push this yet. It is merely posted to get an early code review. In order for this patch to be fully functional, it needs the dnsrecord_mod patch for the server to be pushed first. Additionally, it uses many string literals that need to be put into the messages file for translation. -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-admiyo-0267-dnsrecord-mod-ui.patch Type: text/x-patch Size: 35998 bytes Desc: not available URL: From ayoung at redhat.com Mon Jul 11 15:10:41 2011 
From: ayoung at redhat.com (Adam Young) Date: Mon, 11 Jul 2011 11:10:41 -0400 Subject: [Freeipa-devel] [PATCH] 0268-indirect-admins Message-ID: <4E1B1271.1010700@redhat.com> -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-admiyo-0268-indirect-admins.patch Type: text/x-patch Size: 1294 bytes Desc: not available URL: From edewata at redhat.com Mon Jul 11 15:50:41 2011 From: edewata at redhat.com (Endi Sukma Dewata) Date: Mon, 11 Jul 2011 10:50:41 -0500 Subject: [Freeipa-devel] [PATCH] 204 Added sudo options. Message-ID: <4E1B1BD1.5010005@redhat.com> A table has been added into sudo rule details page for managing sudo options. Ticket #1447 -- Endi S. Dewata From edewata at redhat.com Mon Jul 11 15:54:18 2011 From: edewata at redhat.com (Endi Sukma Dewata) Date: Mon, 11 Jul 2011 10:54:18 -0500 Subject: [Freeipa-devel] [PATCH] 204 Added sudo options. In-Reply-To: <4E1B1BD1.5010005@redhat.com> References: <4E1B1BD1.5010005@redhat.com> Message-ID: <4E1B1CAA.3030409@redhat.com> On 7/11/2011 10:50 AM, Endi Sukma Dewata wrote: > A table has been added into sudo rule details page for managing > sudo options. > > Ticket #1447 Patch attached. -- Endi S. Dewata -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-edewata-0204-Added-sudo-options.patch Type: text/x-patch Size: 18969 bytes Desc: not available URL: From mkosek at redhat.com Mon Jul 11 16:10:57 2011 
From: mkosek at redhat.com (Martin Kosek) Date: Mon, 11 Jul 2011 18:10:57 +0200 Subject: [Freeipa-devel] [PATCH] 808 don't allow leading/trailing whitespace in strings In-Reply-To: <4E04F590.2030408@redhat.com> References: <4E04DA3E.1040600@redhat.com> <4E04E119.7080205@redhat.com> <4E04F590.2030408@redhat.com> Message-ID: <1310400659.19515.30.camel@dhcp-25-52.brq.redhat.com> On Fri, 2011-06-24 at 16:37 -0400, Rob Crittenden wrote: > Rob Crittenden wrote: > > Rob Crittenden wrote: > >> This started as a problem in allowing leading/trailing whitespaces on > >> primary keys. In nearly every command other than add query is True so > >> all rules were ignored on the primary key. This meant that to enforce > >> whitespace we would need to define a validator for each one. > >> > >> I decided instead to set self.all_rules to just the class rules if query > >> == True. So the minimum set of validators will be executed against each > >> type but param-specific validators will only run on add. > >> > >> I talked to Martin about this a bit this morning. My original intention > >> was to make some pretty invasive changes related to query and he talked > >> me out of them. He felt that in anything other than an add the > >> validators shouldn't be run. We compromised on letting Parameter-specific > >> validators be run. > >> > >> This has pretty big implications on primary keys so test carefully. > >> > >> https://fedorahosted.org/freeipa/ticket/1285 > >> https://fedorahosted.org/freeipa/ticket/1286 > >> https://fedorahosted.org/freeipa/ticket/1287 > >> > >> rob > > > > self-NACK, found a problem. > > > > rob > > Add only to Str class, fixed pylint error. > > rob Looks good to me, works as advertised. This will enforce entering valid data types in all parameters in both add and query-like commands. I tried to think about some corner case here, I actually found one. What if somebody wants to search for a string with leading/trailing whitespace? E.g. 
this scenario: # ipa role-add "Foo Bar Baz" --desc=foo ------------------------ Added role "foo bar baz" ------------------------ Role name: foo bar baz Description: foo # ipa role-find " Bar " ipa: ERROR: invalid 'criteria': Leading and trailing spaces are not allowed Do we want to support this case? If yes, we would need to use different approach there. Martin From edewata at redhat.com Mon Jul 11 16:12:24 2011 From: edewata at redhat.com (Endi Sukma Dewata) Date: Mon, 11 Jul 2011 11:12:24 -0500 Subject: [Freeipa-devel] [PATCH] 0268-indirect-admins In-Reply-To: <4E1B1271.1010700@redhat.com> References: <4E1B1271.1010700@redhat.com> Message-ID: <4E1B20E8.1000500@redhat.com> On 7/11/2011 10:10 AM, Adam Young wrote: > ACK and pushed to master. -- Endi S. Dewata From ayoung at redhat.com Mon Jul 11 17:41:50 2011 
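The class-rule versus param-rule split Rob describes, and the corner case Martin shows, as an added example that is not FreeIPA's own Param implementation: a toy Str parameter whose class rules (the leading/trailing whitespace check) run on every command while param-specific validators run only when query is False, plus a role-add/role-find pair over an in-memory table standing in for LDAP. The class and function names, the minimum-length validator, and the lowercasing of the primary key on add are assumptions for illustration.

```python
# Added example (not FreeIPA's Param implementation): a toy Str parameter
# that reproduces the split described above. Class rules run on every
# command; param-specific validators run only when query is False (add).
# Names (Str, ValidationError, role_add, role_find) are assumptions, and the
# in-memory role table stands in for LDAP; the " Bar " search reproduces the
# corner case in the reply.

class ValidationError(ValueError):
    pass


def no_surrounding_whitespace(value):
    """Class-level rule: applies to every Str, on add and on query alike."""
    if value != value.strip():
        return "Leading and trailing spaces are not allowed"
    return None


def min_length(n):
    """Param-specific rule factory: only meaningful when creating an entry."""
    def rule(value):
        if len(value) < n:
            return "must be at least %d characters" % n
        return None
    return rule


class Str:
    """Class rules apply to every Str; param rules only when query is False."""
    class_rules = (no_surrounding_whitespace,)

    def __init__(self, name, *param_rules):
        self.name = name
        self.param_rules = tuple(param_rules)

    def validate(self, value, query=False):
        if not isinstance(value, str):
            raise ValidationError("invalid '%s': must be a string" % self.name)
        rules = self.class_rules if query else self.class_rules + self.param_rules
        for rule in rules:
            message = rule(value)
            if message:
                raise ValidationError("invalid '%s': %s" % (self.name, message))
        return value


ROLES = {}      # stands in for the directory: primary key -> description


def role_add(name, desc):
    """`ipa role-add`: every rule runs, because this is an add."""
    cn = Str("cn", min_length(3)).validate(name, query=False)
    ROLES[cn.lower()] = Str("description").validate(desc, query=False)
    return cn.lower()


def role_find(criteria):
    """`ipa role-find`: only class rules run, so " Bar " is still rejected."""
    needle = Str("criteria").validate(criteria, query=True).lower()
    return sorted(cn for cn in ROLES if needle in cn)
```

Because the whitespace check is a class rule, query=True cannot skip it, which is exactly why the search for " Bar " in Martin's transcript fails: supporting that search would need the find path to bypass or quote the rule rather than rely on the query flag.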
From: ayoung at redhat.com (Adam Young) Date: Mon, 11 Jul 2011 13:41:50 -0400 Subject: [Freeipa-devel] [PATCH] 204 Added sudo options. In-Reply-To: <4E1B1CAA.3030409@redhat.com> References: <4E1B1BD1.5010005@redhat.com> <4E1B1CAA.3030409@redhat.com> Message-ID: <4E1B35DE.9020102@redhat.com> On 07/11/2011 11:54 AM, Endi Sukma Dewata wrote: > On 7/11/2011 10:50 AM, Endi Sukma Dewata wrote: >> A table has been added into sudo rule details page for managing >> sudo options. >> >> Ticket #1447 > > Patch attached. Tempted to ACK. Before I do, question: why did you make it a section as opposed to a widget? The only other place we have a custom section is for the permissions, where we are optionally showing a set of related widgets together, and we needed to reuse that logic between both the facet and the adder dialog. Neither case applies here. The only benefit I can see here is that it avoids the label. I suspect that the code should be written as a custom widget, not as a section. However, written this way is not such a major change from elsewhere that it is really going to confuse people, so I won't NACK it on that alone. -------------- next part -------------- An HTML attachment was scrubbed... URL: From ayoung at redhat.com Mon Jul 11 18:32:27 2011 
From: ayoung at redhat.com (Adam Young) Date: Mon, 11 Jul 2011 14:32:27 -0400 Subject: [Freeipa-devel] [PATCH] 0267-dnsrecord-mod-ui In-Reply-To: <4E17A1C4.8090501@redhat.com> References: <4E17A1C4.8090501@redhat.com> Message-ID: <4E1B41BB.5070705@redhat.com> On 07/08/2011 08:33 PM, Adam Young wrote: > Please do not push this yet. Is is merely posted to get an early code > review. In order for this patch to be fully functional, it needs the > dnsrecord_mod patch for the server to be pushed first. > > > Additionally, it uses many string literals that need to be put into > the messages file for translation. > > > _______________________________________________ > Freeipa-devel mailing list > Freeipa-devel at redhat.com > https://www.redhat.com/mailman/listinfo/freeipa-devel Now with unit test for entity_link widget, and cleaner naming for the other_entity. -------------- next part -------------- An HTML attachment was scrubbed... URL: -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-admiyo-0267-1-dnsrecord-mod-ui.patch Type: text/x-patch Size: 38723 bytes Desc: not available URL: From edewata at redhat.com Mon Jul 11 18:46:14 2011 
From: edewata at redhat.com (Endi Sukma Dewata)
Date: Mon, 11 Jul 2011 13:46:14 -0500
Subject: [Freeipa-devel] [PATCH] 204 Added sudo options.
In-Reply-To: <4E1B35DE.9020102@redhat.com>
References: <4E1B1BD1.5010005@redhat.com> <4E1B1CAA.3030409@redhat.com> <4E1B35DE.9020102@redhat.com>
Message-ID: <4E1B44F6.4080905@redhat.com>

On 7/11/2011 12:41 PM, Adam Young wrote:
> Tempted to ACK. Before I do, question: why did you make it a section as
> opposed to a widget? The only other place we have a custom section is
> for the permissions, where we are optionally showing a set of related
> widgets together, and we needed to reuse that logic between both the
> facet and the adder dialog. Neither case applies here. The only benefit
> I can see here is that it avoids the label. I suspect that the code
> should be written as a custom widget, not as a section. However, written
> this way is not such a major change from elsewhere that it is really
> going to confuse people, so I won't NACK it on that alone.

The sudo options table is actually written using a custom widget, but instead of creating a subclass, it's done by customizing an instance of table widget. I'm trying to avoid creating single-use classes that are too low level.

We actually have a number of custom sections in sudo and HBAC. They are mainly used for code organization. Without them the details facet will become too long or complex.

Also for consistency, we usually use tables in their full width and without labels. One exception is the services table in HBAC service group, but the label is actually redundant. Tables in our UI usually have their own sections, they are never put in the same section with other text widgets. We can always change the layout if UXD has a different design.

-- 
Endi S. Dewata

From ayoung at redhat.com Mon Jul 11 21:03:44 2011
From: ayoung at redhat.com (Adam Young)
Date: Mon, 11 Jul 2011 17:03:44 -0400
Subject: [Freeipa-devel] [PATCH] 204 Added sudo options.
In-Reply-To: <4E1B44F6.4080905@redhat.com>
References: <4E1B1BD1.5010005@redhat.com> <4E1B1CAA.3030409@redhat.com> <4E1B35DE.9020102@redhat.com> <4E1B44F6.4080905@redhat.com>
Message-ID: <4E1B6530.2070500@redhat.com>

On 07/11/2011 02:46 PM, Endi Sukma Dewata wrote:
> On 7/11/2011 12:41 PM, Adam Young wrote:
>> Tempted to ACK. Before I do, question: why did you make it a section as
>> opposed to a widget? The only other place we have a custom section is
>> for the permissions, where we are optionally showing a set of related
>> widgets together, and we needed to reuse that logic between both the
>> facet and the adder dialog. Neither case applies here. The only benefit
>> I can see here is that it avoids the label. I suspect that the code
>> should be written as a custom widget, not as a section. However, written
>> this way is not such a major change from elsewhere that it is really
>> going to confuse people, so I won't NACK it on that alone.
>
> The sudo options table is actually written using a custom widget, but
> instead of creating a subclass, it's done by customizing an instance
> of table widget. I'm trying to avoid creating single-use classes that
> are too low level.
>
> We actually have a number of custom sections in sudo and HBAC. They
> are mainly used for code organization. Without them the details facet
> will become too long or complex.
>
> Also for consistency, we usually use tables in their full width and
> without labels. One exception is the services table in HBAC service
> group, but the label is actually redundant. Tables in our UI usually
> have their own sections, they are never put in the same section with
> other text widgets. We can always change the layout if UXD has a
> different design.
>

OK, that makes sense. ACK

From rcritten at redhat.com Mon Jul 11 21:45:04 2011
From: rcritten at redhat.com (Rob Crittenden)
Date: Mon, 11 Jul 2011 17:45:04 -0400
Subject: [Freeipa-devel] [PATCH] 808 don't allow leading/trailing whitespace in strings
In-Reply-To: <1310400659.19515.30.camel@dhcp-25-52.brq.redhat.com>
References: <4E04DA3E.1040600@redhat.com> <4E04E119.7080205@redhat.com> <4E04F590.2030408@redhat.com> <1310400659.19515.30.camel@dhcp-25-52.brq.redhat.com>
Message-ID: <4E1B6EE0.2070704@redhat.com>

Martin Kosek wrote:
> On Fri, 2011-06-24 at 16:37 -0400, Rob Crittenden wrote:
>> Rob Crittenden wrote:
>>> Rob Crittenden wrote:
>>>> This started as a problem in allowing leading/trailing whitespaces on
>>>> primary keys. In nearly every command other than add query is True so
>>>> all rules were ignored on the primary key. This meant that to enforce
>>>> whitespace we would need to define a validator for each one.
>>>>
>>>> I decided instead to set self.all_rules to just the class rules if query
>>>> == True. So the minimum set of validators will be executed against each
>>>> type but param-specific validators will only run on add.
>>>>
>>>> I talked to Martin about this a bit this morning. My original intention
>>>> was to make some pretty invasive changes related to query and he talked
>>>> me out of them. He felt that in anything other than an add the
>>>> validators shouldn't be run. We compromised on letting Parameter-specific
>>>> validators be run.
>>>>
>>>> This has pretty big implications on primary keys so test carefully.
>>>>
>>>> https://fedorahosted.org/freeipa/ticket/1285
>>>> https://fedorahosted.org/freeipa/ticket/1286
>>>> https://fedorahosted.org/freeipa/ticket/1287
>>>>
>>>> rob
>>>
>>> self-NACK, found a problem.
>>>
>>> rob
>>
>> Add only to Str class, fixed pylint error.
>>
>> rob
>
> Looks good to me, works as advertised. This will enforce entering valid
> data types in all parameters in both add and query-like commands.
>
> I tried to think about some corner case here, I actually found one. What
> if somebody wants to search for a string with heading/trailing
> whitespace? E.g. this scenario:
>
> # ipa role-add "Foo Bar Baz" --desc=foo
> ------------------------
> Added role "foo bar baz"
> ------------------------
> Role name: foo bar baz
> Description: foo
> # ipa role-find " Bar "
> ipa: ERROR: invalid 'criteria': Leading and trailing spaces are not
> allowed
>
> Do we want to support this case? If yes, we would need to use different
> approach there.
>
> Martin
>

Ok, makes sense. I disabled the whitespace rule on criteria. This means a change to API.txt but it doesn't change the wire protocol so I'm not bumping the version.

rob

-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-rcrit-808-3-whitespace.patch
Type: text/x-diff
Size: 24167 bytes

From rcritten at redhat.com Mon Jul 11 21:48:36 2011
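The rule split discussed in the patch 808 thread above (class rules on every command, parameter-specific validators only when query is false, and the whitespace rule switched off for the search criteria), as an added example that is not FreeIPA's code: the Param/Str class names, the rule functions and the noextrawhitespace flag are assumptions modelled on the description in the thread.

```python
"""Added example, not FreeIPA's own code: a simplified model of the
validation behaviour described in the patch 808 thread.  All names are
hypothetical and modelled on the discussion."""
import re


class ValidationError(ValueError):
    """Carries the parameter name and the failing rule's message."""

    def __init__(self, name, message):
        super().__init__("invalid '%s': %s" % (name, message))
        self.name = name


class Param:
    """Base parameter: class-level rules plus param-specific validators."""

    def __init__(self, name, rules=(), query=False):
        self.name = name
        # validators the plugin author attached to this one parameter
        self.param_rules = list(rules)
        # query=True marks a parameter of a search/show/mod-like command
        self.query = query

    def class_rules(self):
        """Rules every instance of this type enforces; subclasses extend."""
        return []

    def all_rules(self):
        # Patch 808 behaviour as described: on query-like commands only the
        # class rules run, so a minimum check still covers primary keys while
        # param-specific validators only run on add.
        if self.query:
            return self.class_rules()
        return self.class_rules() + self.param_rules

    def validate(self, value):
        for rule in self.all_rules():
            error = rule(value)
            if error is not None:
                raise ValidationError(self.name, error)
        return value


def _rule_noextrawhitespace(value):
    # message text mirrors the error quoted in the thread
    if value != value.strip():
        return "Leading and trailing spaces are not allowed"
    return None


class Str(Param):
    """String parameter; the whitespace rule is a class rule, as in 808,
    and can be disabled per parameter (done for role-find's criteria)."""

    def __init__(self, name, rules=(), query=False, noextrawhitespace=True):
        super().__init__(name, rules, query)
        self.noextrawhitespace = noextrawhitespace

    def class_rules(self):
        rules = []
        if self.noextrawhitespace:
            rules.append(_rule_noextrawhitespace)
        return rules


def _rule_no_digits(value):
    # hypothetical param-specific validator, only meaningful on add
    if re.search(r"\d", value):
        return "digits are not allowed"
    return None


def check(param, value):
    """Return None when the value is accepted, else the error text."""
    try:
        param.validate(value)
        return None
    except ValidationError as e:
        return str(e)


# role-add: the primary key runs class rules and param-specific rules
ROLE_ADD_CN = Str("cn", rules=[_rule_no_digits])
# role-mod/role-show: query=True, so only the class rules run on the key
ROLE_MOD_CN = Str("cn", rules=[_rule_no_digits], query=True)
# role-find criteria: whitespace rule disabled so " Bar " can be searched
ROLE_FIND_CRITERIA = Str("criteria", query=True, noextrawhitespace=False)
```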
From: rcritten at redhat.com (Rob Crittenden)
Date: Mon, 11 Jul 2011 17:48:36 -0400
Subject: [Freeipa-devel] [PATCH] 824 make more sensible nicknames
Message-ID: <4E1B6FB4.5030801@redhat.com>

When loading a chained CA from a PKCS#7 or PEM file we used to use very generic nicknames, sometimes as bad as "Imported CA" in the case of winsync. This will use the subject of the cert to get the nickname instead.

I also extended the API of some of the x509 functions to optionally take in the NSS database dir. I had originally used this in the patch but did it another way but still thought the changes useful.

ticket https://fedorahosted.org/freeipa/ticket/1141

Word of warning, this is going to require a fair bit of testing. The way to test it is to install with an external CA, then install a replica with a CA to be sure that works as well. Testing basic installs would be handy as well.

rob

-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-rcrit-824-nicknames.patch
Type: text/x-diff
Size: 7350 bytes

From edewata at redhat.com Mon Jul 11 22:19:09 2011
From: edewata at redhat.com (Endi Sukma Dewata)
Date: Mon, 11 Jul 2011 17:19:09 -0500
Subject: [Freeipa-devel] [PATCH] 204 Added sudo options.
In-Reply-To: <4E1B6530.2070500@redhat.com>
References: <4E1B1BD1.5010005@redhat.com> <4E1B1CAA.3030409@redhat.com> <4E1B35DE.9020102@redhat.com> <4E1B44F6.4080905@redhat.com> <4E1B6530.2070500@redhat.com>
Message-ID: <4E1B76DD.3040707@redhat.com>

On 7/11/2011 4:03 PM, Adam Young wrote:
> OK, that makes sense. ACK

Pushed to master.

-- 
Endi S. Dewata

From edewata at redhat.com Tue Jul 12 01:15:48 2011
From: edewata at redhat.com (Endi Sukma Dewata)
Date: Mon, 11 Jul 2011 20:15:48 -0500
Subject: [Freeipa-devel] [PATCH] 205 Fixed collapsed table in Chrome.
Message-ID: <4E1BA044.1060906@redhat.com>

The .content-table class has been modified to expand properly in Firefox and Chrome.

Ticket #1450

-- 
Endi S. Dewata

-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-edewata-0205-Fixed-collapsed-table-in-Chrome.patch
Type: text/x-patch
Size: 860 bytes

From mkosek at redhat.com Tue Jul 12 07:29:42 2011
From: mkosek at redhat.com (Martin Kosek)
Date: Tue, 12 Jul 2011 09:29:42 +0200
Subject: [Freeipa-devel] [PATCH] 808 don't allow leading/trailing whitespace in strings
In-Reply-To: <4E1B6EE0.2070704@redhat.com>
References: <4E04DA3E.1040600@redhat.com> <4E04E119.7080205@redhat.com> <4E04F590.2030408@redhat.com> <1310400659.19515.30.camel@dhcp-25-52.brq.redhat.com> <4E1B6EE0.2070704@redhat.com>
Message-ID: <1310455785.12162.8.camel@dhcp-25-52.brq.redhat.com>

On Mon, 2011-07-11 at 17:45 -0400, Rob Crittenden wrote:
> Martin Kosek wrote:
> > On Fri, 2011-06-24 at 16:37 -0400, Rob Crittenden wrote:
> >> Rob Crittenden wrote:
> >>> Rob Crittenden wrote:
> >>>> This started as a problem in allowing leading/trailing whitespaces on
> >>>> primary keys. In nearly every command other than add query is True so
> >>>> all rules were ignored on the primary key. This meant that to enforce
> >>>> whitespace we would need to define a validator for each one.
> >>>>
> >>>> I decided instead to set self.all_rules to just the class rules if query
> >>>> == True. So the minimum set of validators will be executed against each
> >>>> type but param-specific validators will only run on add.
> >>>>
> >>>> I talked to Martin about this a bit this morning. My original intention
> >>>> was to make some pretty invasive changes related to query and he talked
> >>>> me out of them. He felt that in anything other than an add the
> >>>> validators shouldn't be run. We compromised on letting Parameter-specific
> >>>> validators be run.
> >>>>
> >>>> This has pretty big implications on primary keys so test carefully.
> >>>>
> >>>> https://fedorahosted.org/freeipa/ticket/1285
> >>>> https://fedorahosted.org/freeipa/ticket/1286
> >>>> https://fedorahosted.org/freeipa/ticket/1287
> >>>>
> >>>> rob
> >>>
> >>> self-NACK, found a problem.
> >>>
> >>> rob
> >>
> >> Add only to Str class, fixed pylint error.
> >>
> >> rob
> >
> > Looks good to me, works as advertised. This will enforce entering valid
> > data types in all parameters in both add and query-like commands.
> >
> > I tried to think about some corner case here, I actually found one. What
> > if somebody wants to search for a string with heading/trailing
> > whitespace? E.g. this scenario:
> >
> > # ipa role-add "Foo Bar Baz" --desc=foo
> > ------------------------
> > Added role "foo bar baz"
> > ------------------------
> > Role name: foo bar baz
> > Description: foo
> > # ipa role-find " Bar "
> > ipa: ERROR: invalid 'criteria': Leading and trailing spaces are not
> > allowed
> >
> > Do we want to support this case? If yes, we would need to use different
> > approach there.
> >
> > Martin
> >
>
> Ok, makes sense. I disabled the whitespace rule on criteria. This means
> a change to API.txt but it doesn't change the wire protocol so I'm not
> bumping the version.
>
> rob

Works fine. ACK from me.

Martin

From mkosek at redhat.com Tue Jul 12 08:16:45 2011
From: mkosek at redhat.com (Martin Kosek)
Date: Tue, 12 Jul 2011 10:16:45 +0200
Subject: [Freeipa-devel] [PATCH] 090 Remove sensitive information from logs
Message-ID: <1310458608.12162.9.camel@dhcp-25-52.brq.redhat.com>

When the -w/--password option is passed to ipa-replica-install it is printed to ipareplica-install.log. Make sure that the value of this option is hidden.

https://fedorahosted.org/freeipa/ticket/1378

-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-mkosek-090-remove-sensitive-information-from-logs.patch
Type: text/x-patch
Size: 3121 bytes

From mkosek at redhat.com Tue Jul 12 09:02:52 2011
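The log sanitizing that patch 090 asks for, as an added example that is not FreeIPA's code: the option names -w/--password and the installer name come from the message above; redact_argv, log_line and the sample command lines are constructed for this illustration.

```python
"""Added example, not FreeIPA's own code: keep the value of -w/--password
out of an installer log while still recording that the option was used.
Option names are from the patch 090 message; everything else is assumed."""

# options whose value must never reach the log (from the thread)
SECRET_OPTIONS = {"-w", "--password"}
MASK = "XXXXXXXX"


def redact_argv(argv, secret_options=SECRET_OPTIONS):
    """Return a copy of argv with the values of secret options masked.

    All the spellings an optparse-style parser accepts are handled:
        --password secret    -w secret
        --password=secret    -wsecret
    The option name itself is kept so the log still shows it was given.
    """
    redacted = []
    mask_next = False
    for arg in argv:
        if mask_next:
            # previous argument was the bare option; this one is its value
            redacted.append(MASK)
            mask_next = False
            continue
        replacement = None
        for opt in secret_options:
            if arg == opt:
                replacement = arg
                mask_next = True
            elif opt.startswith("--") and arg.startswith(opt + "="):
                replacement = opt + "=" + MASK
            elif not opt.startswith("--") and arg.startswith(opt) and len(arg) > len(opt):
                # short option with the value attached, e.g. -wSecret
                replacement = opt + MASK
            if replacement is not None:
                break
        redacted.append(arg if replacement is None else replacement)
    return redacted


def log_line(argv):
    """The line an installer would write to its log for this invocation."""
    return "ipa-replica-install invoked with: " + " ".join(redact_argv(argv))


# constructed sample invocation; the gpg file name is made up
SAMPLE_ARGV = ["ipa-replica-install", "-w", "s3cret", "replica-info-r.example.test.gpg"]
```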
From: mkosek at redhat.com (Martin Kosek)
Date: Tue, 12 Jul 2011 11:02:52 +0200
Subject: [Freeipa-devel] [PATCH] 812 Use RunAs in labels, not Run As
In-Reply-To: <4E0B7904.5060509@redhat.com>
References: <4E0B7904.5060509@redhat.com>
Message-ID: <1310461374.12162.10.camel@dhcp-25-52.brq.redhat.com>

On Wed, 2011-06-29 at 15:12 -0400, Rob Crittenden wrote:
> For consistency we should use RunAs in sudo labels and not Run As.
>
> The API changes don't affect the wire API, label is in there to make one
> think twice about making changes :-)
>
> https://fedorahosted.org/freeipa/ticket/1328

ACK.

Martin

From mkosek at redhat.com Tue Jul 12 11:51:09 2011
From: mkosek at redhat.com (Martin Kosek)
Date: Tue, 12 Jul 2011 13:51:09 +0200
Subject: [Freeipa-devel] [PATCHES] 814, 815, 816 Fix test failures
In-Reply-To: <4E0E22F8.7000000@redhat.com>
References: <4E0E22F8.7000000@redhat.com>
Message-ID: <1310471472.12162.21.camel@dhcp-25-52.brq.redhat.com>

On Fri, 2011-07-01 at 15:41 -0400, Rob Crittenden wrote:
> I found a few test failures that have resulted from some recent commits.
> These got lost in the mix of "expected" failures when I did initial
> testing on them. This has inspired me to try to fix all the test
> failures (see patch 817 too).
>
> This fixes:
> - an error in a new exception example
> - the case of boolean values in nsAccountLock
> - a change in the updater code
>
> rob

Patches 814 and 815 look OK but 816 will conflict with Alexander's patch 0001 (2) from Thursday which deals with nsaccountlock too and fixes relevant tests. I got some nsaccountlock with master branch + 816 anyway.

I would let patch 0001 handle all nsaccountlock test issues.

Martin

From abokovoy at redhat.com Tue Jul 12 12:05:07 2011
From: abokovoy at redhat.com (Alexander Bokovoy)
Date: Tue, 12 Jul 2011 15:05:07 +0300
Subject: [Freeipa-devel] [PATCHES] 814, 815, 816 Fix test failures
In-Reply-To: <1310471472.12162.21.camel@dhcp-25-52.brq.redhat.com>
References: <4E0E22F8.7000000@redhat.com> <1310471472.12162.21.camel@dhcp-25-52.brq.redhat.com>
Message-ID: <4E1C3873.7010201@redhat.com>

On 12.07.2011 14:51, Martin Kosek wrote:
> On Fri, 2011-07-01 at 15:41 -0400, Rob Crittenden wrote:
>> I found a few test failures that have resulted from some recent commits.
>> These got lost in the mix of "expected" failures when I did initial
>> testing on them. This has inspired me to try to fix all the test
>> failures (see patch 817 too).
>>
>> This fixes:
>> - an error in a new exception example
>> - the case of boolean values in nsAccountLock
>> - a change in the updater code
>>
>> rob
>
> Patches 814 and 815 look OK but 816 will conflict with Alexander's patch
> 0001 (2) from Thursday which deals with nsaccountlock too and fixes
> relevant tests. I got some nsaccountlock with master branch + 816
> anyway.
>
> I would let patch 0001 handle all nsaccountlock test issues.

Yes, 0001 (2) was a follow up to fix all the issues noticed in 816. I would rather use that one as it also fixes UI parts.

I checked by rebasing to current git that nothing has changed since Thursday and patch applies.

-- 
/ Alexander Bokovoy

From mkosek at redhat.com Tue Jul 12 12:33:27 2011
From: mkosek at redhat.com (Martin Kosek)
Date: Tue, 12 Jul 2011 14:33:27 +0200
Subject: [Freeipa-devel] [PATCH] 813 fix enrolledBy regression
In-Reply-To: <4E0DEABE.7040804@redhat.com>
References: <4E0DEABE.7040804@redhat.com>
Message-ID: <1310474011.12162.25.camel@dhcp-25-52.brq.redhat.com>

On Fri, 2011-07-01 at 11:41 -0400, Rob Crittenden wrote:
> enrolledBy represents the DN of the entry that enrolled a host. We don't
> want an admin to manipulate this but an aci allowed it. This was a
> regression.
>
> ticket 302
>
> rob

Works fine with new IPA installation.

Still, I have some concerns:

1) What about ACI in existing installations? This patch won't affect it.

2) There are 2 typos in comment in ldif (admini, --setaddr)

Martin

From mkosek at redhat.com Tue Jul 12 13:01:14 2011
From: mkosek at redhat.com (Martin Kosek)
Date: Tue, 12 Jul 2011 15:01:14 +0200
Subject: [Freeipa-devel] [PATCH] 818 find_entry_by_attr() should fail if multiple entries are found
In-Reply-To: <4E134CFC.1040707@redhat.com>
References: <4E134CFC.1040707@redhat.com>
Message-ID: <1310475676.12162.27.camel@dhcp-25-52.brq.redhat.com>

On Tue, 2011-07-05 at 13:42 -0400, Rob Crittenden wrote:
> It will only ever return one entry so if more than one are found then we
> raise an exception. This is most easily seen in the host plugin where we
> search on the server shortname which can be the same across sub-domains
> (e.g. foo.example.com & foo.lab.example.com).
>
> https://fedorahosted.org/freeipa/ticket/1388
>
> rob

ACK. It's nice to have this inconvenience in host plugin fixed.

Martin

From rcritten at redhat.com Tue Jul 12 13:43:58 2011
From: rcritten at redhat.com (Rob Crittenden)
Date: Tue, 12 Jul 2011 09:43:58 -0400
Subject: [Freeipa-devel] [PATCH] 808 don't allow leading/trailing whitespace in strings
In-Reply-To: <1310455785.12162.8.camel@dhcp-25-52.brq.redhat.com>
References: <4E04DA3E.1040600@redhat.com> <4E04E119.7080205@redhat.com> <4E04F590.2030408@redhat.com> <1310400659.19515.30.camel@dhcp-25-52.brq.redhat.com> <4E1B6EE0.2070704@redhat.com> <1310455785.12162.8.camel@dhcp-25-52.brq.redhat.com>
Message-ID: <4E1C4F9E.2060302@redhat.com>

Martin Kosek wrote:
> On Mon, 2011-07-11 at 17:45 -0400, Rob Crittenden wrote:
>> Martin Kosek wrote:
>>> On Fri, 2011-06-24 at 16:37 -0400, Rob Crittenden wrote:
>>>> Rob Crittenden wrote:
>>>>> Rob Crittenden wrote:
>>>>>> This started as a problem in allowing leading/trailing whitespaces on
>>>>>> primary keys. In nearly every command other than add query is True so
>>>>>> all rules were ignored on the primary key. This meant that to enforce
>>>>>> whitespace we would need to define a validator for each one.
>>>>>>
>>>>>> I decided instead to set self.all_rules to just the class rules if query
>>>>>> == True. So the minimum set of validators will be executed against each
>>>>>> type but param-specific validators will only run on add.
>>>>>>
>>>>>> I talked to Martin about this a bit this morning. My original intention
>>>>>> was to make some pretty invasive changes related to query and he talked
>>>>>> me out of them. He felt that in anything other than an add the
>>>>>> validators shouldn't be run. We compromised on letting Parameter-specific
>>>>>> validators be run.
>>>>>>
>>>>>> This has pretty big implications on primary keys so test carefully.
>>>>>>
>>>>>> https://fedorahosted.org/freeipa/ticket/1285
>>>>>> https://fedorahosted.org/freeipa/ticket/1286
>>>>>> https://fedorahosted.org/freeipa/ticket/1287
>>>>>>
>>>>>> rob
>>>>>
>>>>> self-NACK, found a problem.
>>>>>
>>>>> rob
>>>>
>>>> Add only to Str class, fixed pylint error.
>>>>
>>>> rob
>>>
>>> Looks good to me, works as advertised. This will enforce entering valid
>>> data types in all parameters in both add and query-like commands.
>>>
>>> I tried to think about some corner case here, I actually found one. What
>>> if somebody wants to search for a string with heading/trailing
>>> whitespace? E.g. this scenario:
>>>
>>> # ipa role-add "Foo Bar Baz" --desc=foo
>>> ------------------------
>>> Added role "foo bar baz"
>>> ------------------------
>>> Role name: foo bar baz
>>> Description: foo
>>> # ipa role-find " Bar "
>>> ipa: ERROR: invalid 'criteria': Leading and trailing spaces are not
>>> allowed
>>>
>>> Do we want to support this case? If yes, we would need to use different
>>> approach there.
>>>
>>> Martin
>>>
>>
>> Ok, makes sense. I disabled the whitespace rule on criteria. This means
>> a change to API.txt but it doesn't change the wire protocol so I'm not
>> bumping the version.
>>
>> rob
>
> Works fine. ACK from me.
>
> Martin
>

pushed to master

From rcritten at redhat.com Tue Jul 12 13:48:33 2011
From: rcritten at redhat.com (Rob Crittenden)
Date: Tue, 12 Jul 2011 09:48:33 -0400
Subject: [Freeipa-devel] [PATCH] 818 find_entry_by_attr() should fail if multiple entries are found
In-Reply-To: <1310475676.12162.27.camel@dhcp-25-52.brq.redhat.com>
References: <4E134CFC.1040707@redhat.com> <1310475676.12162.27.camel@dhcp-25-52.brq.redhat.com>
Message-ID: <4E1C50B1.6010104@redhat.com>

Martin Kosek wrote:
> On Tue, 2011-07-05 at 13:42 -0400, Rob Crittenden wrote:
>> It will only ever return one entry so if more than one are found then we
>> raise an exception. This is most easily seen in the host plugin where we
>> search on the server shortname which can be the same across sub-domains
>> (e.g. foo.example.com & foo.lab.example.com).
>>
>> https://fedorahosted.org/freeipa/ticket/1388
>>
>> rob
>
> ACK. It's nice to have this inconvenience in host plugin fixed.
>
> Martin
>

pushed to master

From jcholast at redhat.com Tue Jul 12 13:49:30 2011
From: jcholast at redhat.com (Jan Cholasta)
Date: Tue, 12 Jul 2011 15:49:30 +0200
Subject: [Freeipa-devel] [PATCH] 28 Fix creation of reverse DNS zones
Message-ID: <4E1C50EA.1040209@redhat.com>

This patch fixes reverse DNS zone creation so that /24 IPv4 and /64 IPv6 reverse zones are created by default. The reverse zone can be customized using the new --reverse-zone option in ipa-server-install, ipa-replica-prepare, ipa-replica-install and ipa-dns-install, which replaces the old way of using the netmask part of the --ip-address option. The reverse zone name is printed to the user during the install.

https://fedorahosted.org/freeipa/ticket/1398

Honza

-- 
Jan Cholasta

-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-jcholast-28-reverse-zone-fix.patch
Type: text/x-patch
Size: 29950 bytes

From rcritten at redhat.com Tue Jul 12 13:52:27 2011
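The default reverse zones that patch 28 describes (/24 for IPv4, /64 for IPv6) and a check that a custom --reverse-zone value actually covers the server address, as an added example that is not FreeIPA's code: the function names and the sample addresses are constructed for this illustration, and the check goes a step beyond the message by validating a user-supplied zone.

```python
"""Added example, not FreeIPA's own code: derive the default reverse zone
for an address as patch 28 describes, and verify that a custom reverse
zone contains the address.  Function names and sample data are assumed."""
import ipaddress

# defaults named in the patch description
DEFAULT_PREFIX = {4: 24, 6: 64}


def reverse_zone_for_network(cidr):
    """Reverse zone name for a network given as 'address/prefix'.

    IPv4 reverse zones are delegated per octet and IPv6 per nibble, so the
    prefix must be a multiple of 8 (v4) or 4 (v6); anything else is rejected
    rather than silently rounded.
    """
    net = ipaddress.ip_network(cidr, strict=False)
    if net.version == 4:
        if net.prefixlen % 8:
            raise ValueError("IPv4 reverse zone prefix must be a multiple of 8")
        octets = str(net.network_address).split(".")[: net.prefixlen // 8]
        return ".".join(reversed(octets)) + ".in-addr.arpa."
    if net.prefixlen % 4:
        raise ValueError("IPv6 reverse zone prefix must be a multiple of 4")
    nibbles = net.network_address.exploded.replace(":", "")[: net.prefixlen // 4]
    return ".".join(reversed(nibbles)) + ".ip6.arpa."


def default_reverse_zone(ip_str):
    """The zone the installer would create when --reverse-zone is not given."""
    ip = ipaddress.ip_address(ip_str)
    return reverse_zone_for_network("%s/%d" % (ip, DEFAULT_PREFIX[ip.version]))


def prefix_is_supported(cidr):
    """True if a zone can be formed for this network without rounding."""
    try:
        reverse_zone_for_network(cidr)
        return True
    except ValueError:
        return False


def reverse_zone_covers(zone, ip_str):
    """True if the PTR name of ip_str lies inside the given reverse zone."""
    ptr = ipaddress.ip_address(ip_str).reverse_pointer + "."
    zone = zone if zone.endswith(".") else zone + "."
    # label-aligned suffix match: "2.0.192.in-addr.arpa." must not match
    # "12.0.192.in-addr.arpa."
    return ptr.endswith("." + zone)


# constructed sample server addresses (documentation ranges)
SAMPLE_V4 = "192.0.2.10"
SAMPLE_V6 = "2001:db8:1:2::10"
```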
From: rcritten at redhat.com (Rob Crittenden)
Date: Tue, 12 Jul 2011 09:52:27 -0400
Subject: [Freeipa-devel] [PATCHES] 814, 815, 816 Fix test failures
In-Reply-To: <4E1C3873.7010201@redhat.com>
References: <4E0E22F8.7000000@redhat.com> <1310471472.12162.21.camel@dhcp-25-52.brq.redhat.com> <4E1C3873.7010201@redhat.com>
Message-ID: <4E1C519B.7040609@redhat.com>

Alexander Bokovoy wrote:
> On 12.07.2011 14:51, Martin Kosek wrote:
>> On Fri, 2011-07-01 at 15:41 -0400, Rob Crittenden wrote:
>>> I found a few test failures that have resulted from some recent commits.
>>> These got lost in the mix of "expected" failures when I did initial
>>> testing on them. This has inspired me to try to fix all the test
>>> failures (see patch 817 too).
>>>
>>> This fixes:
>>> - an error in a new exception example
>>> - the case of boolean values in nsAccountLock
>>> - a change in the updater code
>>>
>>> rob
>>
>> Patches 814 and 815 look OK but 816 will conflict with Alexander's patch
>> 0001 (2) from Thursday which deals with nsaccountlock too and fixes
>> relevant tests. I got some nsaccountlock with master branch + 816
>> anyway.
>>
>> I would let patch 0001 handle all nsaccountlock test issues.
> Yes, 0001 (2) was a follow up to fix all the issues noticed in 816. I
> would rather use that one as it also fixes UI parts.
>
> I checked by rebasing to current git that nothing has changed since
> Thursday and patch applies.

Ok, I'm fine with that. Just to be clear, ACK on 814 and 815?

rob

From mkosek at redhat.com Tue Jul 12 13:58:37 2011
From: mkosek at redhat.com (Martin Kosek)
Date: Tue, 12 Jul 2011 15:58:37 +0200
Subject: [Freeipa-devel] [PATCHES] 814, 815, 816 Fix test failures
In-Reply-To: <4E1C519B.7040609@redhat.com>
References: <4E0E22F8.7000000@redhat.com> <1310471472.12162.21.camel@dhcp-25-52.brq.redhat.com> <4E1C3873.7010201@redhat.com> <4E1C519B.7040609@redhat.com>
Message-ID: <1310479120.12162.28.camel@dhcp-25-52.brq.redhat.com>

On Tue, 2011-07-12 at 09:52 -0400, Rob Crittenden wrote:
> Alexander Bokovoy wrote:
> > On 12.07.2011 14:51, Martin Kosek wrote:
> >> On Fri, 2011-07-01 at 15:41 -0400, Rob Crittenden wrote:
> >>> I found a few test failures that have resulted from some recent commits.
> >>> These got lost in the mix of "expected" failures when I did initial
> >>> testing on them. This has inspired me to try to fix all the test
> >>> failures (see patch 817 too).
> >>>
> >>> This fixes:
> >>> - an error in a new exception example
> >>> - the case of boolean values in nsAccountLock
> >>> - a change in the updater code
> >>>
> >>> rob
> >>
> >> Patches 814 and 815 look OK but 816 will conflict with Alexander's patch
> >> 0001 (2) from Thursday which deals with nsaccountlock too and fixes
> >> relevant tests. I got some nsaccountlock with master branch + 816
> >> anyway.
> >>
> >> I would let patch 0001 handle all nsaccountlock test issues.
> > Yes, 0001 (2) was a follow up to fix all the issues noticed in 816. I
> > would rather use that one as it also fixes UI parts.
> >
> > I checked by rebasing to current git that nothing has changed since
> > Thursday and patch applies.
>
> Ok, I'm fine with that. Just to be clear, ACK on 814 and 815?
>
> rob
>

Correct.

Martin

From rcritten at redhat.com Tue Jul 12 14:22:13 2011
From: rcritten at redhat.com (Rob Crittenden)
Date: Tue, 12 Jul 2011 10:22:13 -0400
Subject: [Freeipa-devel] [PATCHES] 814, 815, 816 Fix test failures
In-Reply-To: <1310479120.12162.28.camel@dhcp-25-52.brq.redhat.com>
References: <4E0E22F8.7000000@redhat.com> <1310471472.12162.21.camel@dhcp-25-52.brq.redhat.com> <4E1C3873.7010201@redhat.com> <4E1C519B.7040609@redhat.com> <1310479120.12162.28.camel@dhcp-25-52.brq.redhat.com>
Message-ID: <4E1C5895.7050209@redhat.com>

Martin Kosek wrote:
> On Tue, 2011-07-12 at 09:52 -0400, Rob Crittenden wrote:
>> Alexander Bokovoy wrote:
>>> On 12.07.2011 14:51, Martin Kosek wrote:
>>>> On Fri, 2011-07-01 at 15:41 -0400, Rob Crittenden wrote:
>>>>> I found a few test failures that have resulted from some recent commits.
>>>>> These got lost in the mix of "expected" failures when I did initial
>>>>> testing on them. This has inspired me to try to fix all the test
>>>>> failures (see patch 817 too).
>>>>>
>>>>> This fixes:
>>>>> - an error in a new exception example
>>>>> - the case of boolean values in nsAccountLock
>>>>> - a change in the updater code
>>>>>
>>>>> rob
>>>>
>>>> Patches 814 and 815 look OK but 816 will conflict with Alexander's patch
>>>> 0001 (2) from Thursday which deals with nsaccountlock too and fixes
>>>> relevant tests. I got some nsaccountlock with master branch + 816
>>>> anyway.
>>>>
>>>> I would let patch 0001 handle all nsaccountlock test issues.
>>> Yes, 0001 (2) was a follow up to fix all the issues noticed in 816. I
>>> would rather use that one as it also fixes UI parts.
>>>
>>> I checked by rebasing to current git that nothing has changed since
>>> Thursday and patch applies.
>>
>> Ok, I'm fine with that. Just to be clear, ACK on 814 and 815?
>>
>> rob
>>
>
> Correct.
>
> Martin
>

Ok, both pushed to master

From ayoung at redhat.com Tue Jul 12 15:02:55 2011
From: ayoung at redhat.com (Adam Young)
Date: Tue, 12 Jul 2011 11:02:55 -0400
Subject: [Freeipa-devel] [PATCH] entity_select naming
Message-ID: <4E1C621F.8050101@redhat.com>

pushed under the one line rule.

commit e0238b5218d1c46bec3b0231db3bbef71a7403ef
Author: Adam Young
Date: Mon Jul 11 16:17:29 2011 -0400

entity_select naming
http://fedorahosted.org/freeipa/ticket/1467

diff --git a/install/ui/widget.js b/install/ui/widget.js index 9a3ae1b..795fdaf 100644 --- a/install/ui/widget.js +++ b/install/ui/widget.js @@ -1653,6 +1653,7 @@ IPA.entity_select_widget = function(spec) { that.edit_box = $('',{ type: 'text', title: that.tooltip, + name: that.name, keyup:function(){ that.validate(); }

From edewata at redhat.com Tue Jul 12 15:54:27 2011
From: edewata at redhat.com (Endi Sukma Dewata)
Date: Tue, 12 Jul 2011 10:54:27 -0500
Subject: [Freeipa-devel] [PATCH] 205 Fixed collapsed table in Chrome.
In-Reply-To: <4E1BA044.1060906@redhat.com>
References: <4E1BA044.1060906@redhat.com>
Message-ID: <4E1C6E33.1010800@redhat.com>

On 7/11/2011 8:15 PM, Endi Sukma Dewata wrote:
> The .content-table class has been modified to expand properly in
> Firefox and Chrome.
>
> Ticket #1450

ACKed and pushed by ayoung.

-- 
Endi S. Dewata

From mkosek at redhat.com Tue Jul 12 16:21:54 2011
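Review bot: in the widget.js hunk of the entity_select naming commit above, the commit message says only "entity_select naming" plus the ticket link and does not say what consumes the new `name: that.name` attribute on the edit box (a form field lookup, a test selector); since this went in under the one line rule, one sentence in the message stating that would let a later reader verify the intent. Note also that the element expression reads `$('',{ type: 'text', ...` in this archive rendering; an empty tag string would not produce an input element, so the tag was most likely stripped together with the HTML when the mail was scrubbed, and the real source rather than this rendering should be checked.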
From: mkosek at redhat.com (Martin Kosek)
Date: Tue, 12 Jul 2011 18:21:54 +0200
Subject: [Freeipa-devel] [PATCH] 089 Add DNS record modification command
Message-ID: <1310487716.4823.3.camel@dhcp-25-52.brq.redhat.com>

Due to DNS plugin architecture --setattr and --addattr options are not available. DNS plugin does things in its own way and is based on LDAPQuery base class which cannot use --setattr and --addattr options.

Hopefully the WebUI will be able to deal with it.

---

The DNS record plugin does not support modification of a record. One can only add A type addresses to a DNS record or remove the current ones. To actually change a DNS record value it has to be removed and then added with a desired value.

This patch adds a new DNS plugin command "dnsrecord-mod" which enables the user to:
- modify a DNS record value (note that a DNS record can hold multiple values and those will be overwritten)
- remove a DNS record when an empty value is passed

New tests for this new command have been added to the CLI test suite.

https://fedorahosted.org/freeipa/ticket/1137

-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-mkosek-089-add-dns-record-modification-command.patch
Type: text/x-patch
Size: 16640 bytes

From rcritten at redhat.com Tue Jul 12 19:11:54 2011
From: rcritten at redhat.com (Rob Crittenden)
Date: Tue, 12 Jul 2011 15:11:54 -0400
Subject: [Freeipa-devel] [PATCH] 813 fix enrolledBy regression
In-Reply-To: <1310474011.12162.25.camel@dhcp-25-52.brq.redhat.com>
References: <4E0DEABE.7040804@redhat.com> <1310474011.12162.25.camel@dhcp-25-52.brq.redhat.com>
Message-ID: <4E1C9C7A.4050502@redhat.com>

Martin Kosek wrote:
> On Fri, 2011-07-01 at 11:41 -0400, Rob Crittenden wrote:
>> enrolledBy represents the DN of the entry that enrolled a host. We don't
>> want an admin to manipulate this but an aci allowed it. This was a
>> regression.
>>
>> ticket 302
>>
>> rob
>
> Works fine with new IPA installation.
>
> Still, I have some concerns:
>
> 1) What about ACI in existing installations? This patch won't affect it.
>
> 2) There are 2 typos in comment in ldif (admini, --setaddr)
>
> Martin
>

Well, I didn't consider the lack of an update to be a huge problem originally. I went ahead and added one. This required changing the syntax of replace slightly, using two colons to distinguish between old and new.

Typos fixed too.

rob

-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-rcrit-813-2-enrolledby.patch
Type: text/x-diff
Size: 24429 bytes

From edewata at redhat.com Tue Jul 12 19:42:12 2011
From: edewata at redhat.com (Endi Sukma Dewata)
Date: Tue, 12 Jul 2011 14:42:12 -0500
Subject: [Freeipa-devel] [PATCH] 206 Fixed object_name and object_name_plural, internationalization
Message-ID: <4E1CA394.504@redhat.com>

The object_name, object_name_plural and messages that use these attributes have been converted to support translation. The label attribute in the Param class has been modified to accept a unicode string.

Ticket #1435

-- 
Endi S. Dewata

-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-edewata-0206-Fixed-object_name-and-object_name_plural-internation.patch
Type: text/x-patch
Size: 23109 bytes

From ayoung at redhat.com Tue Jul 12 19:59:43 2011
From: ayoung at redhat.com (Adam Young) Date: Tue, 12 Jul 2011 15:59:43 -0400 Subject: [Freeipa-devel] [PATCH] 089 Add DNS record modification command In-Reply-To: <1310487716.4823.3.camel@dhcp-25-52.brq.redhat.com> References: <1310487716.4823.3.camel@dhcp-25-52.brq.redhat.com> Message-ID: <4E1CA7AF.5010306@redhat.com>

On 07/12/2011 12:21 PM, Martin Kosek wrote:
> Due to the DNS plugin architecture the --setattr and --addattr options are not
> available. The DNS plugin does things in its own way and is based on the
> LDAPQuery base class, which cannot use the --setattr and --addattr options.
>
> Hopefully the WebUI will be able to deal with it.
>
> ---
>
> The DNS record plugin does not support modification of a record. One
> can only add A type addresses to a DNS record or remove the current
> ones. To actually change a DNS record value it has to be removed and
> then added with the desired value.
>
> This patch adds a new DNS plugin command "dnsrecord-mod" which enables the
> user to:
> - modify a DNS record value (note that a DNS record can hold multiple values
> and those will be overwritten)
> - remove a DNS record when an empty value is passed
>
> New tests for this new command have been added to the CLI test suite.
>
> https://fedorahosted.org/freeipa/ticket/1137

Tested that it works as reported, and that the unit test runs. I should be able to make the UI work with it as is. I'd like a python-focused team member to look at it as well, but ACK from me.
From ayoung at redhat.com Tue Jul 12 20:36:27 2011
From: ayoung at redhat.com (Adam Young) Date: Tue, 12 Jul 2011 16:36:27 -0400 Subject: [Freeipa-devel] [PATCH] 089 Add DNS record modification command In-Reply-To: <4E1CA7AF.5010306@redhat.com> References: <1310487716.4823.3.camel@dhcp-25-52.brq.redhat.com> <4E1CA7AF.5010306@redhat.com> Message-ID: <4E1CB04B.3000902@redhat.com> On 07/12/2011 03:59 PM, Adam Young wrote: > On 07/12/2011 12:21 PM, Martin Kosek wrote: >> Due to DNS plugin architecture --setattr and --addattr options are not >> available. DNS plugin does things in its own way and is based on >> LDAPQuery base class which cannot use --setattr and --addattr options. >> >> Hopefully the WebUI will be able to deal with it. >> >> --- >> >> The DNS record plugin does not support modification of a record. One >> can only add A type addresses to a DNS record or remove the current >> ones. To actually change a DNS record value it has to be removed and >> then added with a desired value. >> >> This patch adds a new DNS plugin command "dnsrecord-mod" which enables >> user to: >> - modify a DNS record value (note than DNS record can hold multiple values >> and those will be overwritten) >> - remove a DNS record when an empty value is passed >> >> New tests for this new command have been added to the CLI test suite. >> >> https://fedorahosted.org/freeipa/ticket/1137 >> >> >> _______________________________________________ >> Freeipa-devel mailing list >> Freeipa-devel at redhat.com >> https://www.redhat.com/mailman/listinfo/freeipa-devel > Tested that it works as reported, and that the unit test runs. I > should be able to make the UI work with it as is. I'd like a > python-focused team member to look at it as well, but ACK from me. > > > _______________________________________________ > Freeipa-devel mailing list > Freeipa-devel at redhat.com > https://www.redhat.com/mailman/listinfo/freeipa-devel ACK, pushed to master -------------- next part -------------- An HTML attachment was scrubbed... 
URL: From ayoung at redhat.com Tue Jul 12 20:36:37 2011 From: ayoung at redhat.com (Adam Young) Date: Tue, 12 Jul 2011 16:36:37 -0400 Subject: [Freeipa-devel] [PATCH] 206 Fixed object_name and object_name_plural, internationalization In-Reply-To: <4E1CA394.504@redhat.com> References: <4E1CA394.504@redhat.com> Message-ID: <4E1CB055.7020504@redhat.com> On 07/12/2011 03:42 PM, Endi Sukma Dewata wrote: > The object_name, object_name_plural and messages that use these > attributes have been converted to support translation. The label > attribute in the Param class has been modified to accept unicode > string. > > Ticket #1435 > > > _______________________________________________ > Freeipa-devel mailing list > Freeipa-devel at redhat.com > https://www.redhat.com/mailman/listinfo/freeipa-devel ACK. Pushed to master -------------- next part -------------- An HTML attachment was scrubbed... URL: From ayoung at redhat.com Tue Jul 12 21:17:31 2011 
From: ayoung at redhat.com (Adam Young) Date: Tue, 12 Jul 2011 17:17:31 -0400 Subject: [Freeipa-devel] [PATCH] 0267-dnsrecord-mod-ui In-Reply-To: <4E1B41BB.5070705@redhat.com> References: <4E17A1C4.8090501@redhat.com> <4E1B41BB.5070705@redhat.com> Message-ID: <4E1CB9EB.2020606@redhat.com>

On 07/11/2011 02:32 PM, Adam Young wrote:
> On 07/08/2011 08:33 PM, Adam Young wrote:
>> Please do not push this yet. It is merely posted to get an early
>> code review. In order for this patch to be fully functional, it
>> needs the dnsrecord_mod patch for the server to be pushed first.
>>
>> Additionally, it uses many string literals that need to be put into
>> the messages file for translation.
>
> Now with unit test for entity_link widget, and cleaner naming for the
> other_entity.

The DNS mod patch for the backend has been pushed. This patch can be pushed once it has been ACKed.
-------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-admiyo-0267-2-dnsrecord-mod-ui.patch Type: text/x-patch Size: 41367 bytes Desc: not available URL: From ayoung at redhat.com Tue Jul 12 21:47:06 2011
From: ayoung at redhat.com (Adam Young) Date: Tue, 12 Jul 2011 17:47:06 -0400 Subject: [Freeipa-devel] [PATCH] 0267-dnsrecord-mod-ui In-Reply-To: <4E1CB9EB.2020606@redhat.com> References: <4E17A1C4.8090501@redhat.com> <4E1B41BB.5070705@redhat.com> <4E1CB9EB.2020606@redhat.com> Message-ID: <4E1CC0DA.1040403@redhat.com> On 07/12/2011 05:17 PM, Adam Young wrote: > On 07/11/2011 02:32 PM, Adam Young wrote: >> On 07/08/2011 08:33 PM, Adam Young wrote: >>> Please do not push this yet. Is is merely posted to get an early >>> code review. In order for this patch to be fully functional, it >>> needs the dnsrecord_mod patch for the server to be pushed first. >>> >>> >>> Additionally, it uses many string literals that need to be put into >>> the messages file for translation. >>> >>> >>> _______________________________________________ >>> Freeipa-devel mailing list >>> Freeipa-devel at redhat.com >>> https://www.redhat.com/mailman/listinfo/freeipa-devel >> Now with unit test for entity_link widget, and cleaner naming for the >> other_entity. >> >> >> _______________________________________________ >> Freeipa-devel mailing list >> Freeipa-devel at redhat.com >> https://www.redhat.com/mailman/listinfo/freeipa-devel > DNS mod patch for backend has been pushed. THis patch can be pushed > once it has been ACKed. > > > > > _______________________________________________ > Freeipa-devel mailing list > Freeipa-devel at redhat.com > https://www.redhat.com/mailman/listinfo/freeipa-devel -------------- next part -------------- An HTML attachment was scrubbed... URL: -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-admiyo-0267-4-dnsrecord-mod-ui.patch Type: text/x-patch Size: 41654 bytes Desc: not available URL: From mkosek at redhat.com Wed Jul 13 07:52:35 2011 
From: mkosek at redhat.com (Martin Kosek) Date: Wed, 13 Jul 2011 09:52:35 +0200 Subject: [Freeipa-devel] [PATCH] 813 fix enrolledBy regression In-Reply-To: <4E1C9C7A.4050502@redhat.com> References: <4E0DEABE.7040804@redhat.com> <1310474011.12162.25.camel@dhcp-25-52.brq.redhat.com> <4E1C9C7A.4050502@redhat.com> Message-ID: <1310543558.13088.1.camel@dhcp-25-52.brq.redhat.com> On Tue, 2011-07-12 at 15:11 -0400, Rob Crittenden wrote: > Martin Kosek wrote: > > On Fri, 2011-07-01 at 11:41 -0400, Rob Crittenden wrote: > >> enrolledBy represents the DN of the entry that enrolled a host. We don't > >> want an admin to manipulate this but an aci allowed it. This was a > >> regression. > >> > >> ticket 302 > >> > >> rob > > > > Works fine with new IPA installation. > > > > Still, I have some concerns: > > > > 1) What about ACI in existing installations? This patch won't affect it. > > > > 2) There are 2 typos in comment in ldif (admini, --setaddr) > > > > Martin > > > > Well, I didn't consider the lack of an update to be a huge problem > originally. I went ahead and added one. This required changing the > syntax of replace slightly, using two colons to distinguish between old > and new. > > Typos fixed too. > > rob ACK. Works fine. Martin From mkosek at redhat.com Wed Jul 13 08:16:02 2011 
From: mkosek at redhat.com (Martin Kosek) Date: Wed, 13 Jul 2011 10:16:02 +0200 Subject: [Freeipa-devel] [PATCH] 823 validate certificate subject base In-Reply-To: <4E15D895.8090908@redhat.com> References: <4E15D895.8090908@redhat.com> Message-ID: <1310544964.13088.5.camel@dhcp-25-52.brq.redhat.com> On Thu, 2011-07-07 at 12:02 -0400, Rob Crittenden wrote: > Use John's new DN class to verify that the subject base passed into > ipa-server-install is valid. > > https://fedorahosted.org/freeipa/ticket/1176 > > rob Works fine for basic errors. But what if the DN is syntactically valid, but it makes no sense for CA? For example: # ipa-server-install --subject="FOO=BAR" ... Configuring certificate server: Estimated time 6 minutes [1/16]: creating certificate server user [2/16]: creating pki-ca instance [3/16]: restarting certificate server [4/16]: configuring certificate server instance root : CRITICAL failed to configure ca instance Command '/usr/bin/perl /usr/bin/pkisilent ConfigureCA -cs_hostname vm-099.idm.lab.bos.redhat.com -cs_port 9445 -client_certdb_dir /tmp/tmp-VQeqTM -client_certdb_pwd 'XXXXXXXX' -preop_pin p8NYnreBzTcV8Oq13vCu -domain_name IPA -admin_user admin -admin_email root at localhost -admin_password 'XXXXXXXX' -agent_name ipa-ca-agent -agent_key_size 2048 -agent_key_type rsa -agent_cert_subject "CN=ipa-ca-agent,FOO=BAR" -ldap_host vm-099.idm.lab.bos.redhat.com -ldap_port 7389 -bind_dn "cn=Directory Manager" -bind_password 'XXXXXXXX' -base_dn o=ipaca -db_name ipaca -key_size 2048 -key_type rsa -key_algorithm SHA256withRSA -save_p12 true -backup_pwd 'XXXXXXXX' -subsystem_name pki-cad -token_name internal -ca_subsystem_cert_subject_name "CN=CA Subsystem,FOO=BAR" -ca_ocsp_cert_subject_name "CN=OCSP Subsystem,FOO=BAR" -ca_server_cert_subject_name "CN=vm-099.idm.lab.bos.redhat.com,FOO=BAR" -ca_audit_signing_cert_subject_name "CN=CA Audit,FOO=BAR" -ca_sign_cert_subject_name "CN=Certificate Authority,FOO=BAR" -external false -clone false' returned non-zero exit 
status 255 Unexpected error - see ipaserver-install.log for details: Configuration of CA failed Could we cover also these cases in the callback? Martin From mkosek at redhat.com Wed Jul 13 08:48:28 2011 From: mkosek at redhat.com (Martin Kosek) Date: Wed, 13 Jul 2011 10:48:28 +0200 Subject: [Freeipa-devel] [PATCH] 821 reset failed count when password is reset by admin In-Reply-To: <4E14C577.9030702@redhat.com> References: <4E14C577.9030702@redhat.com> Message-ID: <1310546910.13088.6.camel@dhcp-25-52.brq.redhat.com> On Wed, 2011-07-06 at 16:28 -0400, Rob Crittenden wrote: > Reset the login failed count to 0 when an admin (e.g. not the user) > resets the password. Otherwise a newly reset password could fail too. > > ticket https://fedorahosted.org/freeipa/ticket/1441 > > rob ACK. Works like a charm. Pushed to master, ipa-2-0. Martin From mkosek at redhat.com Wed Jul 13 10:05:50 2011 
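Following up on the subject-base validation discussion in the patch 823 thread above: a check that only parses the DN will accept "FOO=BAR", and the installer then fails deep inside the CA configuration step after the string has already been spliced into the pkisilent command line. The code below is an added example, not FreeIPA's own validator or DN class: it splits an RFC 4514 string into RDNs, honouring backslash escapes, and then rejects attribute types that have no meaning in an X.509 subject, empty values, multi-valued RDNs, and a CN in the base (the installer prepends its own CN per subsystem certificate, as the failing command line shows). The accepted attribute set and the error type are assumptions chosen for the example.

```python
"""Validate a certificate subject base before handing it to the CA installer.

Added example, not FreeIPA code. Rejects DNs that parse but make no sense as
a certificate subject base (e.g. FOO=BAR). SUBJECT_ATTRIBUTE_TYPES is an
assumed list for the example.
"""
import re

# Attribute types that are meaningful in an X.509 subject name (assumed list).
SUBJECT_ATTRIBUTE_TYPES = {
    "CN", "O", "OU", "C", "ST", "L", "DC", "STREET", "UID",
    "SERIALNUMBER", "EMAILADDRESS",
}

# One RDN in RFC 4514 string form: type=value, where the value consists of
# plain characters or backslash escapes (\XX hex pairs or \<special>).
_RDN_RE = re.compile(
    r"""^\s*
        (?P<type>[A-Za-z][A-Za-z0-9-]*|\d+(?:\.\d+)+)
        \s*=\s*
        (?P<value>(?:\\[0-9A-Fa-f]{2}|\\[ "#+,;<=>\\]|[^,+"\\<>;])*?)
        \s*$""",
    re.VERBOSE,
)


class SubjectBaseError(ValueError):
    """Raised when the subject base cannot be used for a CA."""


def _split_rdns(dn):
    """Split a DN string on unescaped commas, keeping backslash escapes intact."""
    rdns, current, i = [], [], 0
    while i < len(dn):
        c = dn[i]
        if c == "\\" and i + 1 < len(dn):
            current.append(dn[i:i + 2])   # keep the escape pair together
            i += 2
            continue
        if c == ",":
            rdns.append("".join(current))
            current = []
        else:
            current.append(c)
        i += 1
    rdns.append("".join(current))
    return rdns


def validate_subject_base(subject_base):
    """Return a list of (TYPE, value) pairs, or raise SubjectBaseError.

    Rejects empty input, malformed RDNs, multi-valued RDNs (unescaped "+"),
    attribute types outside SUBJECT_ATTRIBUTE_TYPES, empty values, and a CN,
    because the installer adds its own CN in front of the base for every
    subsystem certificate ("CN=CA Subsystem,<base>").
    """
    if not subject_base or not subject_base.strip():
        raise SubjectBaseError("subject base must not be empty")
    pairs = []
    for rdn in _split_rdns(subject_base):
        match = _RDN_RE.match(rdn)
        if not match:
            raise SubjectBaseError("malformed RDN: %r" % rdn)
        attr_type = match.group("type").upper()
        value = match.group("value")
        if not value:
            raise SubjectBaseError("empty value in RDN %r" % rdn)
        if attr_type not in SUBJECT_ATTRIBUTE_TYPES:
            raise SubjectBaseError(
                "attribute type %s is not valid in a certificate subject" % attr_type)
        if attr_type == "CN":
            raise SubjectBaseError("subject base must not contain a CN")
        pairs.append((attr_type, value))
    return pairs


def is_valid_subject_base(subject_base):
    """Boolean wrapper around validate_subject_base() for option callbacks."""
    try:
        validate_subject_base(subject_base)
    except SubjectBaseError:
        return False
    return True
```

The point of doing this in the option callback rather than relying on the CA is that the installer learns of a bad base before it has created users, instances and keys that then have to be cleaned up.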
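On the patch 821 thread (reset the failed count when an admin resets the password): the reason the fix matters is easiest to see with a small model of the lockout state. The code below is an added example, not FreeIPA's password plugin or the KDC's lockout logic. It keeps a per-account failure counter, locks the account once a threshold is reached, and clears the counter only when someone other than the user changes the password. The clear_failures switch reproduces the pre-fix behaviour, where the freshly reset password is refused because the counter was left at the threshold. The threshold, lockout window, the "must change at next login" flag and the timestamps are assumptions constructed for the example.

```python
"""Failed-login counter behaviour on an administrative password reset.

Added example, not FreeIPA code. MAX_FAILURES, LOCKOUT_SECONDS, the
must_change_password flag and the timestamps are assumptions for the example.
"""
import time


class Account:
    MAX_FAILURES = 3          # assumed lockout threshold
    LOCKOUT_SECONDS = 600     # assumed lockout window

    def __init__(self, username, password):
        self.username = username
        self._password = password
        self.failed_count = 0
        self.last_failure = 0.0
        self.must_change_password = False

    def is_locked(self, now=None):
        """Locked while the threshold is reached and the window has not expired."""
        now = time.time() if now is None else now
        return (self.failed_count >= self.MAX_FAILURES
                and now - self.last_failure < self.LOCKOUT_SECONDS)

    def authenticate(self, password, now=None):
        """Return True on success; count failures and refuse locked accounts."""
        now = time.time() if now is None else now
        if self.is_locked(now):
            return False
        if password != self._password:
            self.failed_count += 1
            self.last_failure = now
            return False
        self.failed_count = 0      # a good login ends the failure streak
        return True

    def change_password(self, actor, new_password, clear_failures=True):
        """Set a new password.

        actor == self.username is a self-service change. Anything else is an
        admin reset: the failure count is cleared (unless clear_failures is
        False, which reproduces the behaviour before the fix) and the user has
        to choose their own password at the next login.
        """
        self._password = new_password
        if actor != self.username:
            self.must_change_password = True
            if clear_failures:
                self.failed_count = 0


def reset_after_lockout(clear_failures):
    """Lock out alice, let admin reset the password, then try the new password.

    Returns True when the account was locked and the reset password is
    accepted immediately afterwards.
    """
    acct = Account("alice", "old-secret")
    t0 = 1000.0                                  # constructed timestamp
    for n in range(Account.MAX_FAILURES):
        acct.authenticate("wrong-%d" % n, now=t0 + n)
    locked_before = acct.is_locked(t0 + Account.MAX_FAILURES)
    acct.change_password("admin", "new-secret", clear_failures=clear_failures)
    return locked_before and acct.authenticate(
        "new-secret", now=t0 + Account.MAX_FAILURES + 1)
```

Note that a self-service change leaves the counter alone: the user had to authenticate to get there, and authenticating already resets it.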
From: mkosek at redhat.com (Martin Kosek) Date: Wed, 13 Jul 2011 12:05:50 +0200 Subject: [Freeipa-devel] [PATCH] 0001 (2) Convert nsaccountlock to always work as bool towards Python and JavaScript In-Reply-To: <4E1627E3.80901@redhat.com> References: <4E161B46.6000701@redhat.com> <4E16251D.20001@redhat.com> <4E1627E3.80901@redhat.com> Message-ID: <1310551553.13088.7.camel@dhcp-25-52.brq.redhat.com> On Fri, 2011-07-08 at 00:40 +0300, Alexander Bokovoy wrote: > On 08.07.2011 00:29, Adam Young wrote: > > On 07/07/2011 04:47 PM, Alexander Bokovoy wrote: > >> Hi, > >> > >> this is refactoring of the patch for ticket 1259 (handling of boolean > >> for nsaccountlock in LDAP). > >> > >> Now it is possible to just work with True/False on Python side and > >> JavaScript side also gets true/false via JSON marshalling. At the same > >> time, TRUE/FALSE is provided towards LDAP storage and correctly > >> handled when returned back. > >> > >> Tested with command line tools, WebUI, and make-test. > > ACK. > Updated to include all python tests. > > JavaScript-based tests are left in old format ("nsaccountlock": [ > "False";], for example) to allow testing all accepted variations of the > boolean values in JSON (boolean type, strings, strings in array). ACK for server part too. Tests are OK. Pushed to master. Martin From jcholast at redhat.com Wed Jul 13 11:05:03 2011 
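The nsaccountlock thread above describes three representations of one flag: a Python bool, true/false in JSON, and the LDAP Boolean syntax TRUE/FALSE, with the JavaScript tests deliberately exercising the looser JSON spellings (boolean type, strings, strings in an array). The code below is an added example, not the FreeIPA patch, showing a conversion that accepts exactly those shapes and refuses everything else, so that a malformed value can never be read as "not locked". The attribute name and the three input shapes come from the thread; the accepted string spellings, the strict failure mode and the sample entries are assumptions for the example.

```python
"""Normalise nsaccountlock between LDAP, Python and JSON.

Added example, not FreeIPA code. Accepted spellings and sample entries are
assumptions for the example.
"""
import json

_TRUE_STRINGS = {"true", "yes", "1"}
_FALSE_STRINGS = {"false", "no", "0"}


def to_bool(value):
    """Convert a bool, a str/bytes, or a one-element list/tuple of those.

    Raises ValueError for anything else: an ambiguous value must not be
    interpreted as either locked or unlocked.
    """
    if isinstance(value, (list, tuple)):
        if len(value) != 1:
            raise ValueError("expected exactly one value, got %r" % (value,))
        value = value[0]
    if isinstance(value, bool):          # checked before int-like values
        return value
    if isinstance(value, bytes):
        value = value.decode("utf-8")
    if isinstance(value, str):
        lowered = value.strip().lower()
        if lowered in _TRUE_STRINGS:
            return True
        if lowered in _FALSE_STRINGS:
            return False
    raise ValueError("not a boolean: %r" % (value,))


def to_ldap(flag):
    """Python truth value -> LDAP Boolean syntax (RFC 4517): TRUE or FALSE."""
    return "TRUE" if to_bool(flag) else "FALSE"


def is_locked(entry):
    """Read nsaccountlock from an LDAP entry dict (attribute -> list of values).

    An absent attribute means the account is not locked, which is how the
    directory server treats it.
    """
    values = entry.get("nsaccountlock")
    if not values:
        return False
    return to_bool(values)


def set_locked(entry, flag):
    """Write nsaccountlock back in LDAP form; returns the modified entry."""
    entry["nsaccountlock"] = [to_ldap(flag)]
    return entry


def to_json(entry):
    """Render the lock state as a JSON-RPC client would receive it."""
    return json.dumps({"nsaccountlock": is_locked(entry)})
```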
From: jcholast at redhat.com (Jan Cholasta) Date: Wed, 13 Jul 2011 13:05:03 +0200 Subject: [Freeipa-devel] [PATCH] 29 Configure SSSD to store password if offline Message-ID: <4E1D7BDF.9050605@redhat.com>

Enable the krb5_store_password_if_offline option in sssd.conf by default. To turn it off, use the --no-krb5-offline-passwords option of ipa-client-install.

https://fedorahosted.org/freeipa/ticket/1359

Honza
-- Jan Cholasta
-------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-jcholast-29-sssd-krb5-offline-passwords.patch Type: text/x-patch Size: 2231 bytes Desc: not available URL:
From mkosek at redhat.com Wed Jul 13 12:08:01 2011
From: mkosek at redhat.com (Martin Kosek) Date: Wed, 13 Jul 2011 14:08:01 +0200 Subject: [Freeipa-devel] [PATCH] 092 Filter reverse zones in dnszone-find Message-ID: <1310558883.13088.8.camel@dhcp-25-52.brq.redhat.com>

Implements a new option to filter out reverse zones.

This patch also does some clean-up in the dns plugin: debug prints were accidentally left there in the last dns patch.

https://fedorahosted.org/freeipa/ticket/1471
-------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-mkosek-092-filter-reverse-zones-in-dnszone-find.patch Type: text/x-patch Size: 9909 bytes Desc: not available URL: From jcholast at redhat.com Wed Jul 13 12:41:26 2011
From: jcholast at redhat.com (Jan Cholasta) Date: Wed, 13 Jul 2011 14:41:26 +0200 Subject: [Freeipa-devel] [PATCH] 092 Filter reverse zones in dnszone-find In-Reply-To: <1310558883.13088.8.camel@dhcp-25-52.brq.redhat.com> References: <1310558883.13088.8.camel@dhcp-25-52.brq.redhat.com> Message-ID: <4E1D9276.80303@redhat.com>

On 13.7.2011 14:08, Martin Kosek wrote:
> Implements a new option to filter out reverse zones.
>
> This patch also does some clean-up in the dns plugin: debug prints were
> accidentally left there in the last dns patch.
>
> https://fedorahosted.org/freeipa/ticket/1471

ACK

Honza
-- Jan Cholasta
From mkosek at redhat.com Wed Jul 13 13:09:39 2011
From: mkosek at redhat.com (Martin Kosek) Date: Wed, 13 Jul 2011 15:09:39 +0200 Subject: [Freeipa-devel] [PATCH] 092 Filter reverse zones in dnszone-find In-Reply-To: <4E1D9276.80303@redhat.com> References: <1310558883.13088.8.camel@dhcp-25-52.brq.redhat.com> <4E1D9276.80303@redhat.com> Message-ID: <1310562581.13088.10.camel@dhcp-25-52.brq.redhat.com>

On Wed, 2011-07-13 at 14:41 +0200, Jan Cholasta wrote:
> On 13.7.2011 14:08, Martin Kosek wrote:
> > Implements a new option to filter out reverse zones.
> >
> > This patch also does some clean-up in the dns plugin: debug prints were
> > accidentally left there in the last dns patch.
> >
> > https://fedorahosted.org/freeipa/ticket/1471
>
> ACK
>
> Honza

Pushed to master. As Rob advised, I changed the wording of the heading_wilcard parameter to "leading_wildcard".

Martin
From jcholast at redhat.com Wed Jul 13 13:13:42 2011
From: jcholast at redhat.com (Jan Cholasta) Date: Wed, 13 Jul 2011 15:13:42 +0200 Subject: [Freeipa-devel] [PATCH] 090 Remove sensitive information from logs In-Reply-To: <1310458608.12162.9.camel@dhcp-25-52.brq.redhat.com> References: <1310458608.12162.9.camel@dhcp-25-52.brq.redhat.com> Message-ID: <4E1D9A06.70803@redhat.com> On 12.7.2011 10:16, Martin Kosek wrote: > When -w/--password option is passed to ipa-replica-install it is > printed to ipareplica-install.log. Make sure that the value of this > option is hidden. > > https://fedorahosted.org/freeipa/ticket/1378 > ACK Honza -- Jan Cholasta From mkosek at redhat.com Wed Jul 13 13:17:26 2011 From: mkosek at redhat.com (Martin Kosek) Date: Wed, 13 Jul 2011 15:17:26 +0200 Subject: [Freeipa-devel] [PATCH] 090 Remove sensitive information from logs In-Reply-To: <4E1D9A06.70803@redhat.com> References: <1310458608.12162.9.camel@dhcp-25-52.brq.redhat.com> <4E1D9A06.70803@redhat.com> Message-ID: <1310563048.13088.11.camel@dhcp-25-52.brq.redhat.com> On Wed, 2011-07-13 at 15:13 +0200, Jan Cholasta wrote: > On 12.7.2011 10:16, Martin Kosek wrote: > > When -w/--password option is passed to ipa-replica-install it is > > printed to ipareplica-install.log. Make sure that the value of this > > option is hidden. > > > > https://fedorahosted.org/freeipa/ticket/1378 > > > > ACK > > Honza > Pushed to master. Martin From edewata at redhat.com Wed Jul 13 13:51:26 2011 
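The patch 090 thread above is about a classic logging leak: ipa-replica-install echoed its own argument vector, including the value passed to -w/--password, into ipareplica-install.log. The code below is an added example, not the FreeIPA patch, of the redaction step an installer should apply before the command line is logged. It returns a masked copy of argv and handles the four spellings a getopt-style parser accepts ("-w secret", "-wsecret", "--password secret", "--password=secret"), stops at a bare "--", and leaves the original list untouched so the real parser still sees the password. The list of secret-bearing options, the logger name and the sample argv are assumptions constructed for the example.

```python
"""Mask secret option values before logging an installer command line.

Added example, not FreeIPA code. SECRET_OPTIONS, the logger name and the
sample arguments are assumptions for the example.
"""
import logging

MASK = "XXXXXXXX"

# (short, long) pairs whose argument is a secret; assumed for the example.
SECRET_OPTIONS = [
    ("-w", "--password"),
    ("-p", "--dirman-password"),
    (None, "--admin-password"),
]


def redact_argv(argv, secret_options=SECRET_OPTIONS):
    """Return a new list with secret option values masked; argv is not modified."""
    shorts = {s for s, _ in secret_options if s}
    longs = {l for _, l in secret_options if l}
    out = []
    i = 0
    while i < len(argv):
        arg = argv[i]
        if arg == "--":
            # A bare "--" ends option parsing; the rest is positional, copy it.
            out.extend(argv[i:])
            break
        if arg in shorts or arg in longs:
            # Separate value: "-w secret" / "--password secret"
            out.append(arg)
            if i + 1 < len(argv):
                out.append(MASK)
                i += 1
        elif any(arg.startswith(opt + "=") for opt in longs):
            # Attached value: "--password=secret"
            out.append(arg.split("=", 1)[0] + "=" + MASK)
        elif (not arg.startswith("--")
              and any(arg.startswith(opt) and len(arg) > len(opt) for opt in shorts)):
            # Glued short value: "-wsecret"
            out.append(arg[:2] + MASK)
        else:
            out.append(arg)
        i += 1
    return out


def log_invocation(argv, logger=None):
    """Log the command line with secrets masked and return the logged text."""
    logger = logger or logging.getLogger("ipareplica-install")
    line = "command: " + " ".join(redact_argv(argv))
    logger.info(line)
    return line
```

The same masked list is what should go into any error message that repeats the command, since a traceback printed to the terminal ends up in tickets and mail just as readily as a log file does.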
From: edewata at redhat.com (Endi Sukma Dewata) Date: Wed, 13 Jul 2011 08:51:26 -0500 Subject: [Freeipa-devel] [PATCH] 0267-dnsrecord-mod-ui In-Reply-To: <4E1CC0DA.1040403@redhat.com> References: <4E17A1C4.8090501@redhat.com> <4E1B41BB.5070705@redhat.com> <4E1CB9EB.2020606@redhat.com> <4E1CC0DA.1040403@redhat.com> Message-ID: <4E1DA2DE.5000209@redhat.com>

On 7/12/2011 4:47 PM, Adam Young wrote:
>

Some issues:

1. In the DNS record adder dialog, the data field is required but it's not checked before submit. There is no param_info for this field, so the required flag may need to be specified explicitly in the field declaration.

2. Adding/deleting record data in the DNS record details page doesn't work because the field.param_info is null. Although the default param_info is specified in the field declaration, the code in widget.js:166 will override it to null. We might want to merge the param_infos using $.extend().

3. I cannot try this due to issue #2, but in the CLI when the last data is removed using -mod the record itself will be deleted. The record has to be re-added before it can be modified again. A user might encounter this issue if he removes all existing data, clicks Update, then adds new data without leaving the details page. The patch doesn't seem to handle this.

4. The interface might be a little confusing. If a DNS record contains multiple data, the search page will show them as separate entries. When a user opens one of the entries he would expect to edit only that particular data. However, the details page now shows all data under that DNS record name. One solution is to drop the data from the search page. Another solution is to change the details page to show only one data.

5. Deleting DNS records from the search page doesn't work because it doesn't specify the data to be deleted.

6. The FQDN field label is probably incorrect because not all DNS records are hostnames. Also, for records that are hostnames, the FQDN field only contains the host's short name, not the full name.

7. DNS records that are not hostnames will be linked to hosts if there happen to be hosts with matching names. The link probably should be limited to certain record types. Same issue from host to DNS record.

8. The IPA.entity_link_widget should use the -show command instead of -find to check the target entry. The -find command returns all entries that match the criteria, which might not be what we want.

9. The following statement in details.js:594

    var param_info = field.param_info || IPA.get_entity_param(entity_name, field.name);

can be simplified into

    var param_info = field.param_info;

because the field.param_info is obtained using the same get_entity_param() in widget.js:166.

10. The following statement in details.js:594

    if (param_info && param_info.primary_key) continue;

can be simplified into

    if (param_info.primary_key) continue;

because the param_info is already checked by the previous if-statement.

11. The fake_param in widget.js:43 and dns.js:143 is no longer needed.

12. It's not necessary to specify 'primary_key: false' in the param_info because by default it will be false. The param_info can be simplified into just { }.

13. The labels are still hard-coded. Is this going to be done in a separate patch?

14. Some field labels have 'Records' (e.g. A Records), some others don't (e.g. NS). I think they should be consistent.

15. It might be better to use 'other/Other Records' instead of 'unusual/less common record types' for the third detail section.

16. The other_pkey() in host.js:132 seems to be unnecessary.

17. The show_page() in IPA.navigation can be modified to find the entity object and wrap the pkey, then call show_entity_page(). This way we can avoid duplicating the function.

18. Optional: As mentioned over IRC, I think it's better to customize by creating a subclass and overriding the method (OO style) rather than supplying a callback function via the constructor (functional style). So instead of creating a standalone IPA.dns_record_search_load we could create an IPA.dnsrecord_search_facet class and override the load() method. Instead of using 'this' in a function (which is not clear what it's pointing to), we would be using 'that' which points to the containing class. This is similar to IPA.dnsrecord_host_link_widget.

-- Endi S. Dewata
From ayoung at redhat.com Wed Jul 13 16:23:01 2011
From: ayoung at redhat.com (Adam Young) Date: Wed, 13 Jul 2011 12:23:01 -0400 Subject: [Freeipa-devel] [PATCH] 0267-dnsrecord-mod-ui In-Reply-To: <4E1DA2DE.5000209@redhat.com> References: <4E17A1C4.8090501@redhat.com> <4E1B41BB.5070705@redhat.com> <4E1CB9EB.2020606@redhat.com> <4E1CC0DA.1040403@redhat.com> <4E1DA2DE.5000209@redhat.com> Message-ID: <4E1DC665.3030509@redhat.com>

On 07/13/2011 09:51 AM, Endi Sukma Dewata wrote:
> Some issues:
>
> 1. In DNS record adder dialog, the data field is required but it's not
> checked before submit. There is no param_info for this field, so the
> required flag may need to be specified explicitly in the field
> declaration.

widget.init was overwriting the param_info field. Fixed.

> 2. Adding/deleting record data in DNS record details page doesn't work
> because the field.param_info is null. Although the default param_info
> is specified in the field declaration, the code in widget.js:166 will
> override it to null. We might want to merge the param_infos using
> $.extend().

Same as 1.

> 3. I cannot try this due to issue #2, but in CLI when the last data is
> removed using -mod the record itself will be deleted. The record has
> to be re-added before it can be modified again. A user might encounter
> this issue if he removes all existing data, click Update, then add new
> data without leaving the details page. The patch doesn't seem to
> handle this.

It works that way. Right now, there is an issue where the mod command comes back, we use it to populate the page, but updates won't work because there is nothing there. We'll need code specific to the dnsrecord-mod command to handle this. Not done yet.

> 4. The interface might be a little confusing. If a DNS record contains
> multiple data, the search page will show them as separate entries.
> When a user opens one of the entries he would expect to edit only that
> particular data. However, the details page now shows all data under
> that DNS record name.
>
> One solution is to drop the data from the search page. Another
> solution is to change the details page to show only one data.

I like having the individual records on the search page, and I think it is most intuitive, but it does make the UI hard.

> 5. Deleting DNS records from the search page doesn't work because it
> doesn't specify the data to be deleted.

Still not fixed.

> 6. The FQDN field label is probably incorrect because not all DNS
> records are hostnames. Also, for records that are hostnames, the FQDN
> field only contains the host's short name, not the full name.

Changed it to record name.

> 7. DNS records that are not hostnames will be linked to hosts if there
> happens to be hosts with matching names. The link probably should be
> limited to certain record types. Same issue from host to DNS record.

Going to leave this as is. If there is truly confusion around this, we can make the logic more complex, but I suspect that the current implementation is what people expect.

> 8. The IPA.entity_link_widget should use the -show command instead of
> -find to check the target entry. The -find command returns all entries
> that match the criteria, which might not be what we want.

Partial matches specifically will be a problem, but the show command returns an error, which is hard-coded to give us a pop-up. Going to leave as is, and file a ticket for that issue.

> 9. The following statement in details.js:594
>
> var param_info = field.param_info ||
> IPA.get_entity_param(entity_name, field.name);
>
> can be simplified into
>
> var param_info = field.param_info;
>
> because the field.param_info is obtained using the same
> get_entity_param() in widget.js:166.

Fixed.

> 10. The following statement in details.js:594
>
> if (param_info && param_info.primary_key) continue;
>
> can be simplified into
>
> if (param_info.primary_key) continue;
>
> because the param_info is already checked by the previous if-statement.

Fixed.

> 11. The fake_param in widget.js:43 and dns.js:143 is no longer needed.

Removed.

> 12. It's not necessary to specify 'primary_key: false' in the
> param_info because by default it will be false. The param_info can be
> simplified into just { }.

I like it to be explicit.

> 13. The labels are still hard-coded. Is this going to be done in a
> separate patch?

Yes. I won't close the main ticket until that is done. I want UXD and dpal etc. to view the organization before we commit stuff for translation.

> 14. Some field labels have 'Records' (e.g. A Records) some others
> don't (e.g. NS). I think they should be consistent.

Removed the word Record as I think it is confusing.

> 15. It might be better to use 'other/Other Records' instead of using
> 'unusual/less common record types' for the third detail section.

Done.

> 16. The other_pkey() in host.js:132 seems to be unnecessary.

Removed.

> 17. The show_page() in IPA.navigation can be modified to find the
> entity object and wrap the pkey then call show_entity_page(). This way
> we can avoid duplicating the function.

With the exception of the defensive coding, most of these two functions are different. I am comfortable for now leaving them as separate functions. I'd like to remove the use of looking up the entity by its name in the long run, but that is outside the scope of this patch.

> 18. Optional: As mentioned over IRC, I think it's better to customize
> by creating a subclass and override the method (OO style) rather than
> supplying a callback function via constructor (functional style).

Done in most places.

> So instead of creating a standalone IPA.dns_record_search_load we
> could create an IPA.dnsrecord_search_facet class and override the
> load() method. Instead of using 'this' in a function (which is not
> clear what it's pointing to), we would be using 'that' which points to
> the containing class. This is similar to IPA.dnsrecord_host_link_widget.
-------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-admiyo-0267-6-dnsrecord-mod-ui.patch Type: text/x-patch Size: 42479 bytes Desc: not available URL: From ayoung at redhat.com Wed Jul 13 17:00:56 2011
From: ayoung at redhat.com (Adam Young) Date: Wed, 13 Jul 2011 13:00:56 -0400 Subject: [Freeipa-devel] [PATCH] 0267-dnsrecord-mod-ui In-Reply-To: <4E1DC665.3030509@redhat.com> References: <4E17A1C4.8090501@redhat.com> <4E1B41BB.5070705@redhat.com> <4E1CB9EB.2020606@redhat.com> <4E1CC0DA.1040403@redhat.com> <4E1DA2DE.5000209@redhat.com> <4E1DC665.3030509@redhat.com> Message-ID: <4E1DCF48.70306@redhat.com> Fixes delete On 07/13/2011 12:23 PM, Adam Young wrote: > On 07/13/2011 09:51 AM, Endi Sukma Dewata wrote: >> On 7/12/2011 4:47 PM, Adam Young wrote: >>> >> >> Some issues: >> >> 1. In DNS record adder dialog, the data field is required but it's >> not checked before submit. There is no param_info for this field, so >> the required flag may need to be specified explicitly in the field >> declaration. > > widget.init was overwriting the param_info field. Fixed > >> >> 2. Adding/deleting record data in DNS record details page doesn't >> work because the field.param_info is null. Although the default >> param_info is specified in the field declaration, the code in >> widget.js:166 will override it to null. We might want to merge the >> param_infos using $.extend(). > Same as 1 >> >> 3. I cannot try this due to issue #2, but in CLI when the last data >> is removed using -mod the record itself will be deleted. The record >> has to be re-added before it can be modified again. A user might >> encounter this issue if he removes all existing data, click Update, >> then add new data without leaving the details page. The patch doesn't >> seem to handle this. > > It works that way. Right now, there is an issue where the mod comand > comes back, we use it to populate the page, but updates won't work > because there is nothing there. We'll need code specific to the > dnsrecord-mod command to handle this. Not done yet > >> >> 4. The interface might be a little confusing. If a DNS record >> contains multiple data, the search page will show them as separate >> entries. 
When a user opens one of the entries he would expect to edit >> only that particular data. However, the details page now shows all >> data under that DNS record name. >> >> One solution is to drop the data from the search page. Another >> solution is to change the details page to show only one data. > > I like having the individual records on the search page, and I think > it is most intuitive, but it does make the UI hard. > > >> >> 5. Deleting DNS records from the search page doesn't work because it >> doesn't specify the data to be deleted. > > Still not fixed >> >> 6. The FQDN field label is probably incorrect because not all DNS >> records are hostnames. Also, for records that are hostnames, the FQDN >> field only contains the host's short name, not the full name. > > Changed it to record name >> >> 7. DNS records that are not hostnames will be linked to hosts if >> there happens to be hosts with matching names. The link probably >> should be limited to certain record types. Same issue from host to >> DNS record. > > Going to leave this as is. If there is truly confusion around this, > we can make the logic more complex, but I suspect that the current > implementation is what people expect. > > >> >> 8. The IPA.entity_link_widget should use the -show command instead of >> -find to check the target entry. The -find command returns all >> entries that match the criteria, which might not be what we want. > Partial matches specifically will be a problem, but the show command > returns an error, which is hard-coded to give us a pop-up. Going to > leave as is, and file a ticket for that issue > >> >> 9. The following statement in details.js:594 >> >> var param_info = field.param_info || >> IPA.get_entity_param(entity_name, field.name); >> >> can be simplified into >> >> var param_info = field.param_info; >> >> because the field.param_info is obtained using the same >> get_entity_param() in widget.js:166. > Fixed >> >> 10. 
The following statement in details.js:594 >> >> if (param_info && param_info.primary_key) continue; >> >> can be simplified into >> >> if (param_info.primary_key) continue; > > Fixed >> >> because the param_info is already checked by the previous if-statement. >> >> 11. The fake_param in widget.js:43 and dns.js:143 is no longer needed. >> > Removed > >> 12. It's not necessary to specify 'primary_key: false' in the >> param_info because by default it will be false. The param_info can be >> simplified into just { }. > > I like it to be explicit. >> >> 13. The labels are still hard-coded. Is this going to be done in a >> separate patch? > Yes. I won't close the main ticket until that is done. I want UXD > and dpal etc to view the organization before we commit stuff for > translation. > >> >> 14. Some field labels have 'Records' (e.g. A Records) some others >> don't (e.g. NS). I think they should be consistent. > Removed the word Record as I think it is confusing >> >> 15. It might be better to use 'other/Other Records' instead of using >> 'unusual/less common record types' for the third detail section. > Done >> >> 16. The other_pkey() in host.js:132 seems to be unnecessary. > removed >> >> 17. The show_page() in IPA.navigation can be modified to find the >> entity object and wrap the pkey then call show_entity_page(). This >> way we can avoid duplicating the function. > With the exception of the defensive coding, most of these two > functions are different. I am comfortable for now leaving them as > separate functions. I'd like to remove the use of looking up the > entity by its name in the long run, but that is outside the scope of > this patch. > >> >> 18. Optional: As mentioned over IRC, I think it's better to customize >> by creating a subclass and override the method (OO style) rather than >> supplying a callback function via constructor (functional style). > Done in most places. 
>> >> So instead of creating a standalone IPA.dns_record_search_load we >> could create an IPA.dnsrecord_search_facet class and override the >> load() method. Instead of using 'this' in a function (which is not >> clear what it's pointing to), we would be using 'that' which points >> to the containing class. This is similar to >> IPA.dnsrecord_host_link_widget. >> > > > _______________________________________________ > Freeipa-devel mailing list > Freeipa-devel at redhat.com > https://www.redhat.com/mailman/listinfo/freeipa-devel -------------- next part -------------- An HTML attachment was scrubbed... URL: -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-admiyo-0267-7-dnsrecord-mod-ui.patch Type: text/x-patch Size: 44127 bytes Desc: not available URL: From ayoung at redhat.com Wed Jul 13 19:02:19 2011 From: ayoung at redhat.com (Adam Young) Date: Wed, 13 Jul 2011 15:02:19 -0400 Subject: [Freeipa-devel] [PATCH]0269-remove-HBAC-warning-from-static-UI Message-ID: <4E1DEBBB.8090405@redhat.com> This patch only affects development. -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-admiyo-0269-remove-HBAC-warning-from-static-UI.patch Type: text/x-patch Size: 4612 bytes Desc: not available URL: From edewata at redhat.com Wed Jul 13 20:16:10 2011 From: edewata at redhat.com (Endi Sukma Dewata) Date: Wed, 13 Jul 2011 15:16:10 -0500 Subject: [Freeipa-devel] [PATCH]0269-remove-HBAC-warning-from-static-UI In-Reply-To: <4E1DEBBB.8090405@redhat.com> References: <4E1DEBBB.8090405@redhat.com> Message-ID: <4E1DFD0A.2000302@redhat.com> On 7/13/2011 2:02 PM, Adam Young wrote: > This patch only affects development. ACK and pushed to master. -- Endi S. Dewata From ayoung at redhat.com Wed Jul 13 21:03:33 2011 
From: ayoung at redhat.com (Adam Young) Date: Wed, 13 Jul 2011 17:03:33 -0400 Subject: [Freeipa-devel] [PATCH] 0267-dnsrecord-mod-ui In-Reply-To: <4E1DCF48.70306@redhat.com> References: <4E17A1C4.8090501@redhat.com> <4E1B41BB.5070705@redhat.com> <4E1CB9EB.2020606@redhat.com> <4E1CC0DA.1040403@redhat.com> <4E1DA2DE.5000209@redhat.com> <4E1DC665.3030509@redhat.com> <4E1DCF48.70306@redhat.com> Message-ID: <4E1E0825.5010908@redhat.com> On 07/13/2011 01:00 PM, Adam Young wrote: > Fixes delete > > > On 07/13/2011 12:23 PM, Adam Young wrote: >> On 07/13/2011 09:51 AM, Endi Sukma Dewata wrote: >>> On 7/12/2011 4:47 PM, Adam Young wrote: >>>> >>> >>> Some issues: >>> >>> 1. In DNS record adder dialog, the data field is required but it's >>> not checked before submit. There is no param_info for this field, so >>> the required flag may need to be specified explicitly in the field >>> declaration. >> >> widget.init was overwriting the param_info field. Fixed >> >>> >>> 2. Adding/deleting record data in DNS record details page doesn't >>> work because the field.param_info is null. Although the default >>> param_info is specified in the field declaration, the code in >>> widget.js:166 will override it to null. We might want to merge the >>> param_infos using $.extend(). >> Same as 1 >>> >>> 3. I cannot try this due to issue #2, but in CLI when the last data >>> is removed using -mod the record itself will be deleted. The record >>> has to be re-added before it can be modified again. A user might >>> encounter this issue if he removes all existing data, click Update, >>> then add new data without leaving the details page. The patch >>> doesn't seem to handle this. >> >> It works that way. Right now, there is an issue where the mod comand >> comes back, we use it to populate the page, but updates won't work >> because there is nothing there. We'll need code specific to the >> dnsrecord-mod command to handle this. Not done yet >> >>> >>> 4. 
The interface might be a little confusing. If a DNS record >>> contains multiple data, the search page will show them as separate >>> entries. When a user opens one of the entries he would expect to >>> edit only that particular data. However, the details page now shows >>> all data under that DNS record name. >>> >>> One solution is to drop the data from the search page. Another >>> solution is to change the details page to show only one data. >> >> I like having the individual records on the search page, and I think >> it is most intuitive, but it does make the UI hard. >> >> >>> >>> 5. Deleting DNS records from the search page doesn't work because it >>> doesn't specify the data to be deleted. >> >> Still not fixed >>> >>> 6. The FQDN field label is probably incorrect because not all DNS >>> records are hostnames. Also, for records that are hostnames, the >>> FQDN field only contains the host's short name, not the full name. >> >> Changed it to record name >>> >>> 7. DNS records that are not hostnames will be linked to hosts if >>> there happens to be hosts with matching names. The link probably >>> should be limited to certain record types. Same issue from host to >>> DNS record. >> >> Going to leave this as is. If there is truly confusion around this, >> we can make the logic more complex, but I suspect that the current >> implementation is what people expect. >> >> >>> >>> 8. The IPA.entity_link_widget should use the -show command instead >>> of -find to check the target entry. The -find command returns all >>> entries that match the criteria, which might not be what we want. >> Partial matches specifically will be a problem, but the show command >> returns an error, which is hard-coded to give us a pop-up. Going to >> leave as is, and file a ticket for that issue >> >>> >>> 9. 
The following statement in details.js:594 >>> >>> var param_info = field.param_info || >>> IPA.get_entity_param(entity_name, field.name); >>> >>> can be simplified into >>> >>> var param_info = field.param_info; >>> >>> because the field.param_info is obtained using the same >>> get_entity_param() in widget.js:166. >> Fixed >>> >>> 10. The following statement in details.js:594 >>> >>> if (param_info && param_info.primary_key) continue; >>> >>> can be simplified into >>> >>> if (param_info.primary_key) continue; >> >> Fixed >>> >>> because the param_info is already checked by the previous if-statement. >>> >>> 11. The fake_param in widget.js:43 and dns.js:143 is no longer needed. >>> >> Removed >> >>> 12. It's not necessary to specify 'primary_key: false' in the >>> param_info because by default it will be false. The param_info can >>> be simplified into just { }. >> >> I like it to be explicit. >>> >>> 13. The labels are still hard-coded. Is this going to be done in a >>> separate patch? >> Yes. I won't close the main ticket until that is done. I want UXD >> and dpal etc to view the organization before we commit stuff for >> translation. >> >>> >>> 14. Some field labels have 'Records' (e.g. A Records) some others >>> don't (e.g. NS). I think they should be consistent. >> Removed the word Record as I think it is confusing >>> >>> 15. It might be better to use 'other/Other Records' instead of using >>> 'unusual/less common record types' for the third detail section. >> Done >>> >>> 16. The other_pkey() in host.js:132 seems to be unnecessary. >> removed >>> >>> 17. The show_page() in IPA.navigation can be modified to find the >>> entity object and wrap the pkey then call show_entity_page(). This >>> way we can avoid duplicating the function. >> With the exception of the defensive coding, most of these two >> functions are different. I am comfortable for now leaving them as >> separate functions. 
I'd like to remove the use of looking up the >> entity by its name in the long run, but that is outside the scope of >> this patch. >> >>> >>> 18. Optional: As mentioned over IRC, I think it's better to >>> customize by creating a subclass and override the method (OO style) >>> rather than supplying a callback function via constructor >>> (functional style). >> Done in most places. >>> >>> So instead of creating a standalone IPA.dns_record_search_load we >>> could create an IPA.dnsrecord_search_facet class and override the >>> load() method. Instead of using 'this' in a function (which is not >>> clear what it's pointing to), we would be using 'that' which points >>> to the containing class. This is similar to >>> IPA.dnsrecord_host_link_widget. >>> >> >> >> _______________________________________________ >> Freeipa-devel mailing list >> Freeipa-devel at redhat.com >> https://www.redhat.com/mailman/listinfo/freeipa-devel > > > _______________________________________________ > Freeipa-devel mailing list > Freeipa-devel at redhat.com > https://www.redhat.com/mailman/listinfo/freeipa-devel -------------- next part -------------- An HTML attachment was scrubbed... URL: -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-admiyo-0267-8-dnsrecord-mod-ui.patch Type: text/x-patch Size: 44192 bytes Desc: not available URL: From edewata at redhat.com Wed Jul 13 22:02:35 2011 
From: edewata at redhat.com (Endi Sukma Dewata)
Date: Wed, 13 Jul 2011 17:02:35 -0500
Subject: [Freeipa-devel] [PATCH] 0267-dnsrecord-mod-ui
In-Reply-To: <4E1E0825.5010908@redhat.com>
References: <4E17A1C4.8090501@redhat.com> <4E1B41BB.5070705@redhat.com> <4E1CB9EB.2020606@redhat.com> <4E1CC0DA.1040403@redhat.com> <4E1DA2DE.5000209@redhat.com> <4E1DC665.3030509@redhat.com> <4E1DCF48.70306@redhat.com> <4E1E0825.5010908@redhat.com>
Message-ID: <4E1E15FB.70908@redhat.com>

On 7/13/2011 4:03 PM, Adam Young wrote:
>>>> 3. I cannot try this due to issue #2, but in CLI when the last data
>>>> is removed using -mod the record itself will be deleted. The record
>>>> has to be re-added before it can be modified again. A user might
>>>> encounter this issue if he removes all existing data, click Update,
>>>> then add new data without leaving the details page. The patch
>>>> doesn't seem to handle this.
>>>
>>> It works that way. Right now, there is an issue where the mod command
>>> comes back, we use it to populate the page, but updates won't work
>>> because there is nothing there. We'll need code specific to the
>>> dnsrecord-mod command to handle this. Not done yet

As discussed over IRC, this will be fixed in a separate ticket.

>>>> 4. The interface might be a little confusing. If a DNS record
>>>> contains multiple data, the search page will show them as separate
>>>> entries. When a user opens one of the entries he would expect to
>>>> edit only that particular data. However, the details page now shows
>>>> all data under that DNS record name.
>>>>
>>>> One solution is to drop the data from the search page. Another
>>>> solution is to change the details page to show only one data.
>>>
>>> I like having the individual records on the search page, and I think
>>> it is most intuitive, but it does make the UI hard.

Separate ticket.

>>>> 7. DNS records that are not hostnames will be linked to hosts if
>>>> there happens to be hosts with matching names. The link probably
>>>> should be limited to certain record types. Same issue from host to
>>>> DNS record.
>>>
>>> Going to leave this as is. If there is truly confusion around this,
>>> we can make the logic more complex, but I suspect that the current
>>> implementation is what people expect.

We'll wait for feedback before filing any ticket.

19. The IPA.dnsrecord_get_delete_values() is getting the column values from the displayed texts. While this is fine for this particular case, sometimes the value is formatted so the displayed text may not match the value stored on the server. We'll address that when that happens.

ACK and pushed to master.

-- 
Endi S. Dewata

From mkosek at redhat.com Thu Jul 14 07:21:05 2011
From: mkosek at redhat.com (Martin Kosek)
Date: Thu, 14 Jul 2011 09:21:05 +0200
Subject: [Freeipa-devel] [PATCH] 091 Improve long integer type validation
Message-ID: <1310628067.31842.1.camel@dhcp-25-52.brq.redhat.com>

Passing a number of "long" type to an IPA Int parameter invokes a user-unfriendly error message about incompatible types. This patch improves the Int parameter with a user-understandable message along with the maximum value he can pass.

https://fedorahosted.org/freeipa/ticket/1346

-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-mkosek-091-improve-long-integer-type-validation.patch
Type: text/x-patch
Size: 2122 bytes
Desc: not available
URL: 

From jcholast at redhat.com Thu Jul 14 07:56:03 2011
From: jcholast at redhat.com (Jan Cholasta)
Date: Thu, 14 Jul 2011 09:56:03 +0200
Subject: [Freeipa-devel] [PATCH] 30 Fix exit status of ipa-nis-manage-enable
Message-ID: <4E1EA113.6050508@redhat.com>

https://fedorahosted.org/freeipa/ticket/1247

Honza

-- 
Jan Cholasta

-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-jcholast-30-ipa-nis-manage-exit-status.patch
Type: text/x-patch
Size: 1734 bytes
Desc: not available
URL: 

From mkosek at redhat.com Thu Jul 14 09:18:21 2011
From: mkosek at redhat.com (Martin Kosek) Date: Thu, 14 Jul 2011 11:18:21 +0200 Subject: [Freeipa-devel] [PATCH] 093 Add new dnszone-find test Message-ID: <1310635103.31842.4.camel@dhcp-25-52.brq.redhat.com> Implement a test for new dnszone-find option --forward-only. Fix example for reverse zone (zone was not fully qualified and DNS plugin would forbid adding PTR records). https://fedorahosted.org/freeipa/ticket/1473 -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-mkosek-093-add-new-dnszone-find-test.patch Type: text/x-patch Size: 5671 bytes Desc: not available URL: From jcholast at redhat.com Thu Jul 14 10:05:36 2011 
From: jcholast at redhat.com (Jan Cholasta) Date: Thu, 14 Jul 2011 12:05:36 +0200 Subject: [Freeipa-devel] [PATCH] 23 Add ability to specify DNS reverse zone name by IP network address In-Reply-To: <4E0A18AA.7040304@redhat.com> References: <4E008B7B.6020404@redhat.com> <4E035324.4000607@redhat.com> <4E0A18AA.7040304@redhat.com> Message-ID: <4E1EBF70.80203@redhat.com> On 28.6.2011 20:08, Rob Crittenden wrote: > Jan Cholasta wrote: >> On 21.6.2011 14:15, Jan Cholasta wrote: >>> This patch adds a new option name_from_ip to dnszone commands. Default >>> value of idnsname is created from this option. >>> >>> Honza >>> >> >> Fixed the API version number, added usage example to dns plugin help. >> >> https://fedorahosted.org/freeipa/ticket/1045 >> >> Honza > > Had quickie code review in IRC this morning. I asked for a comment > around the while loop, Honza suggested: This is to make chained > default_from work - idnssoarname default is created from idnsname and > idnsname default is created from name_from_ip - without this change, > idnssoarname default value isn't created when only name_from_ip is > specified. > > Would also be nice to have a test case for this new usage. > > rob Added the test case. The original ticket is now for the UI part, new ticket was opened for the server-side part: https://fedorahosted.org/freeipa/ticket/1474 Honza -- Jan Cholasta -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-jcholast-23.3-dnszone-reverse-ip.patch Type: text/x-patch Size: 14607 bytes Desc: not available URL: From mkosek at redhat.com Thu Jul 14 12:11:34 2011 
From: mkosek at redhat.com (Martin Kosek) Date: Thu, 14 Jul 2011 14:11:34 +0200 Subject: [Freeipa-devel] [PATCH] 094 Fix self-signed replica installation Message-ID: <1310645496.31842.5.camel@dhcp-25-52.brq.redhat.com> When a replica for self-signed server is being installed, the installer crashes with "Not a dogtag CA installation". Make sure that installation is handled correctly for both dogtag and self-signed replicas. https://fedorahosted.org/freeipa/ticket/1479 -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-mkosek-094-fix-self-signed-replica-installation.patch Type: text/x-patch Size: 1952 bytes Desc: not available URL: From jcholast at redhat.com Thu Jul 14 12:56:00 2011 From: jcholast at redhat.com (Jan Cholasta) Date: Thu, 14 Jul 2011 14:56:00 +0200 Subject: [Freeipa-devel] [PATCH] 809 entitle_register using uuid unsupported In-Reply-To: <4E08CF08.9060504@redhat.com> References: <4E08CF08.9060504@redhat.com> Message-ID: <4E1EE760.6030704@redhat.com> On 27.6.2011 20:42, Rob Crittenden wrote: > Document registering to an entitlement server with a UUID as not > implemented. > > It was my understanding that we would be able to pass in an existing > UUID when registering to connect to an existing registration (for the > case where IPA is re-installed). This is supported in the REST API but > not python-rhsm. > > I've filed an RFE to get this added but for now this is a way to not do > major surgery to the API and still be at least somewhat user-friendly. > > https://fedorahosted.org/freeipa/ticket/1216 > > rob > ACK Honza -- Jan Cholasta From edewata at redhat.com Thu Jul 14 13:57:56 2011 
From: edewata at redhat.com (Endi Sukma Dewata) Date: Thu, 14 Jul 2011 08:57:56 -0500 Subject: [Freeipa-devel] [PATCH] 207 Fixed label capitalization Message-ID: <4E1EF5E4.3080506@redhat.com> The CSS text-transform sometimes produces incorrect capitalization, so the code has been modified to use translated labels that already contain the correct capitalization. Ticket #1424 -- Endi S. Dewata -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-edewata-0207-Fixed-label-capitalization.patch Type: text/x-patch Size: 127830 bytes Desc: not available URL: From mkosek at redhat.com Thu Jul 14 15:41:50 2011 From: mkosek at redhat.com (Martin Kosek) Date: Thu, 14 Jul 2011 17:41:50 +0200 Subject: [Freeipa-devel] [PATCH] 28 Fix creation of reverse DNS zones In-Reply-To: <4E1C50EA.1040209@redhat.com> References: <4E1C50EA.1040209@redhat.com> Message-ID: <1310658113.20354.4.camel@dhcp-25-52.brq.redhat.com> On Tue, 2011-07-12 at 15:49 +0200, Jan Cholasta wrote: > This patch fixes reverse DNS zone creation so that a /24 IPv4 and /64 > IPv6 reverse zones are created by default. The reverse zone can be > customized using new --reverse-zone option in ipa-server-install, > ipa-replica-prepare, ipa-replica-install and ipa-dns-install, which > replaces the old way of using the netmask part of the --ip-address > option. The reverse zone name is printed to the user during the install. > > https://fedorahosted.org/freeipa/ticket/1398 > > Honza Actually, works pretty well. If nobody else run into any problem I am OK with pushing it. Martin From ayoung at redhat.com Thu Jul 14 16:18:25 2011 
From: ayoung at redhat.com (Adam Young) Date: Thu, 14 Jul 2011 12:18:25 -0400 Subject: [Freeipa-devel] [PATCH] 207 Fixed label capitalization In-Reply-To: <4E1EF5E4.3080506@redhat.com> References: <4E1EF5E4.3080506@redhat.com> Message-ID: <4E1F16D1.7000307@redhat.com> On 07/14/2011 09:57 AM, Endi Sukma Dewata wrote: > The CSS text-transform sometimes produces incorrect capitalization, > so the code has been modified to use translated labels that already > contain the correct capitalization. > > Ticket #1424 > > > _______________________________________________ > Freeipa-devel mailing list > Freeipa-devel at redhat.com > https://www.redhat.com/mailman/listinfo/freeipa-devel ACK. Pushed to master -------------- next part -------------- An HTML attachment was scrubbed... URL: From jdennis at redhat.com Thu Jul 14 16:24:56 2011 
From: jdennis at redhat.com (John Dennis)
Date: Thu, 14 Jul 2011 12:24:56 -0400
Subject: [Freeipa-devel] certificate DN's
Message-ID: <4E1F1858.7020502@redhat.com>

In the conference call this morning the issue came up as to what are valid DN's in certificates (used for subject names and issuer names). RFC 2459 says this: (note 'type' as it is used below means the attribute name, e.g. cn is a type, I realize it's confusing, welcome to the world of RFC's :-)

-------------------------------------------------------------
As noted above, distinguished names are composed of attributes. This specification does not restrict the set of attribute types that may appear in names. However, conforming implementations MUST be prepared to receive certificates with issuer names containing the set of attribute types defined below. This specification also recommends support for additional attribute types.

Standard sets of attributes have been defined in the X.500 series of specifications.[X.520] Implementations of this specification MUST be prepared to receive the following standard attribute types in issuer names: country, organization, organizational-unit, distinguished name qualifier, state or province name, and common name (e.g., "Susan Housley"). In addition, implementations of this specification SHOULD be prepared to receive the following standard attribute types in issuer names: locality, title, surname, given name, initials, and generation qualifier (e.g., "Jr.", "3rd", or "IV"). The syntax and associated object identifiers (OIDs) for these attribute types are provided in the ASN.1 modules in Appendices A and B.

In addition, implementations of this specification MUST be prepared to receive the domainComponent attribute, as defined in [RFC 2247]. The Domain (Nameserver) System (DNS) provides a hierarchical resource labeling system. This attribute provides a convenient mechanism for organizations that wish to use DNs that parallel their DNS names. This is not a replacement for the dNSName component of the alternative name field. Implementations are not required to convert such names into DNS names. The syntax and associated OID for this attribute type is provided in the ASN.1 modules in Appendices A and B.
----------------------------------------------------------------

But for what it's worth this is what NSS supports (from alg1485.c) and since we're mostly based on NSS we should enforce this:

The columns are: name, max_length, format
max_length is the number of UTF-8 octets
format DS is Directory String, e.g. UTF-8, other formats should be self obvious.

  name                     max_length  format
  "CN"                         64      DS
  "ST"                        128      DS
  "O"                          64      DS
  "OU"                         64      DS
  "dnQualifier"             32767      PRINTABLE_STRING
  "C"                           2      PRINTABLE_STRING
  "serialNumber"               64      PRINTABLE_STRING
  "L"                         128      DS
  "title"                      64      DS
  "SN"                         64      DS
  "givenName"                  64      DS
  "initials"                   64      DS
  "generationQualifier"        64      DS
  "DC"                        128      IA5_STRING
  "MAIL"                      256      IA5_STRING
  "UID"                       256      DS
  "postalAddress"             128      DS
  "postalCode"                 40      DS
  "postOfficeBox"              40      DS
  "houseIdentifier"            64      DS
  "E"                         128      IA5_STRING
  "STREET"                    128      DS
  "pseudonym"                  64      DS
  "incorporationLocality"     128      DS
  "incorporationState"        128      DS
  "incorporationCountry"        2      PRINTABLE_STRING
  "businessCategory"           64      DS

-- 
John Dennis 

Looking to carve out IT costs?
www.redhat.com/carveoutcosts/

From JR.Aquino at citrix.com Thu Jul 14 18:55:20 2011
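The NSS table John Dennis lists above, applied to a DN string, as an added example that is not part of his mail and not NSS or FreeIPA code. It checks each RDN's type against the table, its length in UTF-8 octets against max_length, and its characters against the PrintableString and IA5String formats; the small RFC 4514 splitter and all sample DNs are my own constructions for this example.

```python
"""Check certificate DN attributes against the NSS limits quoted above.

Added example, not code from the mail, from NSS or from FreeIPA. It takes
the alg1485.c table (name, max UTF-8 octets, string format) as listed in
John Dennis's message and applies it to a DN written as an RFC 4514
string. The DN splitter below is a small one written for this example:
it handles backslash-escaped characters such as "\\," but not hex escapes
or multi-valued RDNs. All sample DNs are constructed.
"""
import re

DS, PRINTABLE, IA5 = "DS", "PRINTABLE_STRING", "IA5_STRING"

# Attribute type -> (max_length in UTF-8 octets, format), from the NSS table.
NSS_ATTRIBUTES = {
    "CN": (64, DS), "ST": (128, DS), "O": (64, DS), "OU": (64, DS),
    "dnQualifier": (32767, PRINTABLE), "C": (2, PRINTABLE),
    "serialNumber": (64, PRINTABLE), "L": (128, DS), "title": (64, DS),
    "SN": (64, DS), "givenName": (64, DS), "initials": (64, DS),
    "generationQualifier": (64, DS), "DC": (128, IA5), "MAIL": (256, IA5),
    "UID": (256, DS), "postalAddress": (128, DS), "postalCode": (40, DS),
    "postOfficeBox": (40, DS), "houseIdentifier": (64, DS), "E": (128, IA5),
    "STREET": (128, DS), "pseudonym": (64, DS),
    "incorporationLocality": (128, DS), "incorporationState": (128, DS),
    "incorporationCountry": (2, PRINTABLE), "businessCategory": (64, DS),
}

# X.680 PrintableString alphabet: letters, digits, space and ' ( ) + , - . / : = ?
PRINTABLE_RE = re.compile(r"^[A-Za-z0-9 '()+,\-./:=?]*$")


def split_dn(dn):
    """Split an RFC 4514 DN string into a list of (type, value) pairs."""
    rdns, buf, i = [], [], 0
    while i < len(dn):
        ch = dn[i]
        if ch == "\\" and i + 1 < len(dn):
            buf.append(dn[i + 1])   # escaped character is taken literally
            i += 2
            continue
        if ch == ",":
            rdns.append("".join(buf))
            buf = []
        else:
            buf.append(ch)
        i += 1
    rdns.append("".join(buf))
    pairs = []
    for rdn in rdns:
        attr_type, sep, value = rdn.partition("=")
        if not sep:
            raise ValueError("RDN without '=': %r" % rdn)
        pairs.append((attr_type.strip(), value.strip()))
    return pairs


def check_dn(dn):
    """Return a list of problems; an empty list means every RDN fits the NSS limits."""
    problems = []
    for attr_type, value in split_dn(dn):
        # Attribute type names are compared case-insensitively here (cn == CN).
        key = next((k for k in NSS_ATTRIBUTES if k.lower() == attr_type.lower()), None)
        if key is None:
            problems.append("%s: attribute type not in NSS table" % attr_type)
            continue
        max_len, fmt = NSS_ATTRIBUTES[key]
        octets = len(value.encode("utf-8"))   # limit is in octets, not characters
        if octets > max_len:
            problems.append("%s: %d octets exceeds max %d" % (key, octets, max_len))
        if fmt == PRINTABLE and not PRINTABLE_RE.match(value):
            problems.append("%s: not a PrintableString" % key)
        elif fmt == IA5 and not all(ord(c) < 128 for c in value):
            problems.append("%s: not an IA5String (non-ASCII)" % key)
    return problems


if __name__ == "__main__":
    for sample in ("CN=ipa.example.test,O=Example Org,C=US",          # constructed
                   "CN=Smith\\, John,OU=Dev,DC=example,DC=test",
                   "C=\u00dcK,O=Example Org",
                   "E=jan@ex\u00e4mple.test"):
        print(sample, "->", check_dn(sample) or "ok")
```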
From: JR.Aquino at citrix.com (JR Aquino) Date: Thu, 14 Jul 2011 18:55:20 +0000 Subject: [Freeipa-devel] [PATCH] 34 Create FreeIPA CLI Plugin for the 389 Auto Membership plugin Message-ID: <99CC5FCC-73CE-43C1-9B73-4DDD69A4637D@citrixonline.com> https://fedorahosted.org/freeipa/ticket/1272 * Added new container in etc to hold the automembership configs. * Modified constants to point to the new container * Modified dsinstance to create the container * Modified hostgroup.py to add the new commands * Added xmlrpc test to verify functionality -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-jraquino-0034-Create-FreeIPA-CLI-Plugin-for-the-389-Auto-Membershi.patch Type: application/octet-stream Size: 27120 bytes Desc: freeipa-jraquino-0034-Create-FreeIPA-CLI-Plugin-for-the-389-Auto-Membershi.patch URL: -------------- next part -------------- An embedded and charset-unspecified text was scrubbed... Name: ATT00001.txt URL: From JR.Aquino at citrix.com Thu Jul 14 23:05:03 2011 
From: JR.Aquino at citrix.com (JR Aquino) Date: Thu, 14 Jul 2011 23:05:03 +0000 Subject: [Freeipa-devel] [PATCH] 34 Create FreeIPA CLI Plugin for the 389 Auto Membership plugin In-Reply-To: <99CC5FCC-73CE-43C1-9B73-4DDD69A4637D@citrixonline.com> References: <99CC5FCC-73CE-43C1-9B73-4DDD69A4637D@citrixonline.com> Message-ID: On Jul 14, 2011, at 11:55 AM, wrote: > https://fedorahosted.org/freeipa/ticket/1272 > > * Added new container in etc to hold the automembership configs. > * Modified constants to point to the new container > * Modified dsinstance to create the container > * Modified hostgroup.py to add the new commands > * Added xmlrpc test to verify functionality Minor adjustment: Auto Membership Plugin isn't available until 1.2.9-0.2+ Modified freeipa.spec.in: BuildRequires: 389-ds-base-devel >= 1.2.9-0.2 -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-jraquino-0034-Create-FreeIPA-CLI-Plugin-for-the-389-Auto-Membershi.patch Type: application/octet-stream Size: 27699 bytes Desc: freeipa-jraquino-0034-Create-FreeIPA-CLI-Plugin-for-the-389-Auto-Membershi.patch URL: From jdennis at redhat.com Fri Jul 15 01:02:53 2011 From: jdennis at redhat.com (John Dennis) Date: Thu, 14 Jul 2011 21:02:53 -0400 Subject: [Freeipa-devel] [PATCH 29/29] Remove sudorule_mod, ticket 1307 Message-ID: <201107150102.p6F12rpJ018284@int-mx02.intmail.prod.int.phx2.redhat.com> sudorule_mod was ill-conceived, it does not respect the logic surrounding external users. Suggested to use sudorule_add and sudorule_del for modification. -- John Dennis Looking to carve out IT costs? www.redhat.com/carveoutcosts/ -------------- next part -------------- A non-text attachment was scrubbed... Name: 0029-Remove-sudorule_mod-ticket-1307.patch Type: text/x-patch Size: 2810 bytes Desc: not available URL: From rcritten at redhat.com Fri Jul 15 03:42:05 2011 
From: rcritten at redhat.com (Rob Crittenden) Date: Thu, 14 Jul 2011 23:42:05 -0400 Subject: [Freeipa-devel] [PATCH] 825 add dogtag replication management Message-ID: <4E1FB70D.3000605@redhat.com> Add a separate tool for now to do dogtag replication agreement management. The syntax is the same for IPA agreements with the exception that the DM password is always required and it isn't possible to delegate the management of this. ticket https://fedorahosted.org/freeipa/ticket/1250 rob -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-rcrit-825-replicamanage.patch Type: text/x-diff Size: 33100 bytes Desc: not available URL: From mkosek at redhat.com Fri Jul 15 07:06:10 2011 From: mkosek at redhat.com (Martin Kosek) Date: Fri, 15 Jul 2011 09:06:10 +0200 Subject: [Freeipa-devel] [PATCH] 095 Fix ipa-dns-install Message-ID: <1310713573.32137.0.camel@dhcp-25-52.brq.redhat.com> When DNS plugin is installed via ipa-dns-install and user has a valid Kerberos ticket at the time, the DNS installation is corrupt and named won't start, reporting Preauthentication error. When the non-DM identity is used for authentication, krbprincipalkey attribute in DNS service LDAP record is not created, thus leading to the error. This patch makes sure that authentication with Directory Manager password is used every time. https://fedorahosted.org/freeipa/ticket/1483 -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-mkosek-095-fix-ipa-dns-install.patch Type: text/x-patch Size: 2575 bytes Desc: not available URL: From mkosek at redhat.com Fri Jul 15 11:50:10 2011 
From: mkosek at redhat.com (Martin Kosek)
Date: Fri, 15 Jul 2011 13:50:10 +0200
Subject: [Freeipa-devel] [PATCH] 34 Create FreeIPA CLI Plugin for the 389 Auto Membership plugin
In-Reply-To:
References: <99CC5FCC-73CE-43C1-9B73-4DDD69A4637D@citrixonline.com>
Message-ID: <1310730613.32137.22.camel@dhcp-25-52.brq.redhat.com>

On Thu, 2011-07-14 at 23:05 +0000, JR Aquino wrote:
> On Jul 14, 2011, at 11:55 AM, wrote:
>
> > https://fedorahosted.org/freeipa/ticket/1272
> >
> > * Added new container in etc to hold the automembership configs.
> > * Modified constants to point to the new container
> > * Modified dsinstance to create the container
> > * Modified hostgroup.py to add the new commands
> > * Added xmlrpc test to verify functionality
>
> Minor adjustment:
> Auto Membership Plugin isn't available until 1.2.9-0.2+
>
> Modified freeipa.spec.in:
> BuildRequires: 389-ds-base-devel >= 1.2.9-0.2

I have reviewed your patch. Basic functionality is OK but I have some concerns.

1) I am not sure about the command name, it is not really clear to me what this command does. But I know from my experience that inventing a cool name for something new may be the most difficult task of all :-) Maybe command name "hostgrouprule" or "hostgroupauto" would be more clear?

2) Overloading execute method in functions hostgroupclarity_add_condition and hostgroupclarity_remove_condition is an over-kill for me. I think we could just read current inclusive/exclusive regexes in pre_callback, modify them and let LDAPUpdate class do the standard LDAP operations.

3) I miss hostgroupclarity-mod module. What would I do if I want to update Description?

4) I didn't like this construct in the code, it's error prone to potential future parameter changes.
+ if len(options) == 2: # 'all' and 'raw' are always sent
+ raise errors.EmptyModlist()
I know it's in baseldap.py but I still wouldn't like to see this in plugins.

5) Test test_clarityrule_plugin.py: reference to inexistent python module:
+Test the `ipalib/plugins/clarityrule.py` module.

Then I did some real testing of the new command:

6) Invalid examples, fqdn is not supposed to be a part of regex
$ ipa hostgroupclarity-add --inclusive-hostname-regex=fqdn=^www[1-9]+\.example\.com webservers
Hostgroup Clarity Rule: webservers
Inclusive Regex: fqdn=fqdn=^www[1-9]+.example.com

7) It does not make sense to have a rule with only an exclusive regex:
$ ipa hostgroupclarity-add --exclusive-hostname-regex=^www5+\.example\.com webservers
Hostgroup Clarity Rule: webservers
$ ipa host-add --force foo.example.co
$ ipa hostgroup-show webservers
Host-group: webservers
Description: Web Servers
Member hosts: www1.example.com

I think we should 1) hide exclusive regex option in hostgroupclarity-add and 2) check that there is at least one inclusive regex in the rule when running hostgroupclarity-add-condition and hostgroupclarity-remove-condition.

8) Plugin incorrectly handles a situation when both inclusive and exclusive regexes are being added:

$ ipa hostgroupclarity-add --inclusive-hostname-regex=^www[1-9]+\.example\.com webservers
Hostgroup Clarity Rule: webservers
Inclusive Regex: fqdn=^www[1-9]+.example.com
$ ipa hostgroupclarity-add-condition --inclusive-hostname-regex=^web[1-9]+\.example\.com --exclusive-hostname-regex=www5\.example\.com webservers
Inclusive Regex: fqdn=^web[1-9]+.example.com, fqdn=^www[1-9]+.example.com
Exclusive Regex: www5.example.com

Exclusive regex misses fqdn.

9) Removing multiple conditions also works incorrectly:

$ ipa hostgroupclarity-show webservers
Hostgroup Clarity Rule: webservers
Inclusive Regex: fqdn=^www[1-9]+.example.com, fqdn=^web[1-9]+.example.com
Exclusive Regex: fqdn=www5.example.com
$ ipa hostgroupclarity-remove-condition webservers --inclusive-hostname-regex=^www[1-9]+\.example\.com --exclusive-hostname-regex=www5\.example\.com
Inclusive Regex: fqdn=^web[1-9]+.example.com
$ ipa hostgroupclarity-show webservers
Hostgroup Clarity Rule: webservers
Inclusive Regex: fqdn=^web[1-9]+.example.com
Exclusive Regex: fqdn=www5.example.com

10) When removing nonexistent regex I would expect more explaining error message:

$ ipa hostgroupclarity-show webservers
Hostgroup Clarity Rule: webservers
Inclusive Regex: fqdn=^web[1-9]+.example.com
Exclusive Regex: fqdn=www5.example.com
$ ipa hostgroupclarity-remove-condition webservers --inclusive-hostname-regex=foo
ipa: ERROR: no modifications to be performed

Martin

From jcholast at redhat.com Fri Jul 15 12:43:28 2011
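The behaviours Martin exercises in items 6 to 10 above (the attribute prefix being added twice, a rule with no inclusive regex, an exclusive regex stored without its prefix, removing several conditions at once, and an unhelpful error for a condition that does not exist) can be pinned down in a small model of the rule logic. What follows is an added example written for this page, not code from the patch under review or from FreeIPA. It keeps conditions in the "fqdn=<regex>" string form the transcripts show and assumes the 389 Auto Membership semantics in which any matching exclusive regex wins over the inclusive ones; the names Rule, add_condition, remove_condition and matches are the example's own.

```python
"""Model of a host-group auto-membership rule: inclusive and exclusive
hostname regexes stored as "fqdn=<regex>" strings (added example, not
FreeIPA code)."""
import re
from dataclasses import dataclass, field
from typing import Dict, Iterable, List

ATTR = "fqdn"  # attribute every condition applies to (assumed from the transcripts)


class ConditionNotFound(LookupError):
    """A condition the caller asked to remove is not present on the rule."""


@dataclass
class Rule:
    name: str
    inclusive: List[str] = field(default_factory=list)  # "fqdn=<regex>" entries
    exclusive: List[str] = field(default_factory=list)


def to_condition(regex: str) -> str:
    """Prefix a bare regex with the attribute name, exactly once (item 6)."""
    if regex.startswith(ATTR + "="):
        raise ValueError("regex must not carry the %r prefix: %r" % (ATTR + "=", regex))
    re.compile(regex)  # fail early on a regex the directory could never evaluate
    return "%s=%s" % (ATTR, regex)


def _require_inclusive(inclusive: List[str]) -> None:
    """A rule with no inclusive regex can never admit a host (item 7)."""
    if not inclusive:
        raise ValueError("rule must keep at least one inclusive regex")


def _dedupe(values: Iterable[str]) -> List[str]:
    return list(dict.fromkeys(values))


def add_condition(rule: Rule, inclusive: Iterable[str] = (), exclusive: Iterable[str] = ()) -> Rule:
    """Add conditions; both kinds get the prefix (item 8), duplicates are ignored."""
    inc = [c for c in _dedupe(map(to_condition, inclusive)) if c not in rule.inclusive]
    exc = [c for c in _dedupe(map(to_condition, exclusive)) if c not in rule.exclusive]
    _require_inclusive(rule.inclusive + inc)  # validate before touching the rule
    rule.inclusive.extend(inc)
    rule.exclusive.extend(exc)
    return rule


def remove_condition(rule: Rule, inclusive: Iterable[str] = (), exclusive: Iterable[str] = ()) -> Rule:
    """Remove every listed condition (item 9) or fail naming the missing ones (item 10)."""
    inc = _dedupe(map(to_condition, inclusive))
    exc = _dedupe(map(to_condition, exclusive))
    missing = [c for c in inc if c not in rule.inclusive] + [c for c in exc if c not in rule.exclusive]
    if missing:
        raise ConditionNotFound("rule %r has no condition %s" % (rule.name, ", ".join(missing)))
    remaining = [c for c in rule.inclusive if c not in inc]
    _require_inclusive(remaining)  # refuse to leave an exclusive-only rule behind
    rule.inclusive = remaining
    rule.exclusive = [c for c in rule.exclusive if c not in exc]
    return rule


def _condition_matches(cond: str, host: Dict[str, str]) -> bool:
    attr, _, regex = cond.partition("=")
    value = host.get(attr)
    return value is not None and re.search(regex, value) is not None


def matches(rule: Rule, host: Dict[str, str]) -> bool:
    """Exclusive regexes take precedence; otherwise any inclusive regex admits the host."""
    if any(_condition_matches(c, host) for c in rule.exclusive):
        return False
    return any(_condition_matches(c, host) for c in rule.inclusive)


def members(rule: Rule, hosts: Iterable[Dict[str, str]]) -> List[str]:
    """Host names the rule would place in the group, sorted for stable output."""
    return sorted(h[ATTR] for h in hosts if matches(rule, h))
```

Each mutator validates before it writes, so a failed remove_condition leaves the rule untouched, and the error names exactly the condition that was missing rather than reporting an empty modlist.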
From: jcholast at redhat.com (Jan Cholasta) Date: Fri, 15 Jul 2011 14:43:28 +0200 Subject: [Freeipa-devel] [PATCH] 825 add dogtag replication management In-Reply-To: <4E1FB70D.3000605@redhat.com> References: <4E1FB70D.3000605@redhat.com> Message-ID: <4E2035F0.5020400@redhat.com> On 15.7.2011 05:42, Rob Crittenden wrote: > Add a separate tool for now to do dogtag replication agreement > management. The syntax is the same for IPA agreements with the exception > that the DM password is always required and it isn't possible to > delegate the management of this. > > ticket https://fedorahosted.org/freeipa/ticket/1250 > > rob > NACK 'ipa-csreplica-manage list server' doesn't list the peers of the specified server, but the peers of localhost. Connecting already connected pair of replicas duplicates the replication information ('ipa-csreplica-manage list server' shows the same hostname twice). There is trailing whitespace on line 87 of the patch. BTW I don't understand why is it possible (or necessary?) to be able to have CS replication topology that is different from the main IPA replication topology (ipa-csreplica-manage allows you to do that). Is there a reason for this? Honza -- Jan Cholasta From mkosek at redhat.com Fri Jul 15 13:51:18 2011 
From: mkosek at redhat.com (Martin Kosek) Date: Fri, 15 Jul 2011 15:51:18 +0200 Subject: [Freeipa-devel] [PATCH] 825 add dogtag replication management In-Reply-To: <4E2035F0.5020400@redhat.com> References: <4E1FB70D.3000605@redhat.com> <4E2035F0.5020400@redhat.com> Message-ID: <1310737881.32137.26.camel@dhcp-25-52.brq.redhat.com> On Fri, 2011-07-15 at 14:43 +0200, Jan Cholasta wrote: > On 15.7.2011 05:42, Rob Crittenden wrote: > > Add a separate tool for now to do dogtag replication agreement > > management. The syntax is the same for IPA agreements with the exception > > that the DM password is always required and it isn't possible to > > delegate the management of this. > > > > ticket https://fedorahosted.org/freeipa/ticket/1250 > > > > rob > > > > NACK > > 'ipa-csreplica-manage list server' doesn't list the peers of the > specified server, but the peers of localhost. > > Connecting already connected pair of replicas duplicates the replication > information ('ipa-csreplica-manage list server' shows the same hostname > twice). > > There is trailing whitespace on line 87 of the patch. > > BTW I don't understand why is it possible (or necessary?) to be able to > have CS replication topology that is different from the main IPA > replication topology (ipa-csreplica-manage allows you to do that). Is > there a reason for this? > > Honza > And some issues from me: 1) Unhelpful error message when force-syncing from a master without a replication agreement: # ipa-csreplica-manage force-sync --from=HOST Directory Manager password: ipa: ERROR: Unable to find replication agreement for vm-060.idm.lab.bos.redhat.com unexpected error: Unable to proceed 2) Minor stuff in man page: Unindented Exit statuses: EXIT STATUS 0 if the command was successful 1 if an error occurred Missing dot: The default is the machine on which the command is run Not honoured by the re-initialize command. Otherwise it looks good. Martin From rcritten at redhat.com Fri Jul 15 14:01:51 2011 
From: rcritten at redhat.com (Rob Crittenden) Date: Fri, 15 Jul 2011 10:01:51 -0400 Subject: [Freeipa-devel] [PATCH] 825 add dogtag replication management In-Reply-To: <1310737881.32137.26.camel@dhcp-25-52.brq.redhat.com> References: <4E1FB70D.3000605@redhat.com> <4E2035F0.5020400@redhat.com> <1310737881.32137.26.camel@dhcp-25-52.brq.redhat.com> Message-ID: <4E20484F.5040900@redhat.com> Martin Kosek wrote: > On Fri, 2011-07-15 at 14:43 +0200, Jan Cholasta wrote: >> On 15.7.2011 05:42, Rob Crittenden wrote: >>> Add a separate tool for now to do dogtag replication agreement >>> management. The syntax is the same for IPA agreements with the exception >>> that the DM password is always required and it isn't possible to >>> delegate the management of this. >>> >>> ticket https://fedorahosted.org/freeipa/ticket/1250 >>> >>> rob >>> >> >> NACK >> >> 'ipa-csreplica-manage list server' doesn't list the peers of the >> specified server, but the peers of localhost. >> >> Connecting already connected pair of replicas duplicates the replication >> information ('ipa-csreplica-manage list server' shows the same hostname >> twice). >> >> There is trailing whitespace on line 87 of the patch. >> >> BTW I don't understand why is it possible (or necessary?) to be able to >> have CS replication topology that is different from the main IPA >> replication topology (ipa-csreplica-manage allows you to do that). Is >> there a reason for this? 
>> >> Honza >> > > And some issues from me: > > 1) Unhelpful error message when force-syncing from a master without a > replication agreement: > > # ipa-csreplica-manage force-sync --from=HOST > Directory Manager password: > ipa: ERROR: Unable to find replication agreement for vm-060.idm.lab.bos.redhat.com > unexpected error: Unable to proceed > > 2) Minor stuff in man page: > > Unindented Exit statuses: > EXIT STATUS > 0 if the command was successful > 1 if an error occurred > > Missing dot: The default is the machine on which the command is run Not > honoured by the re-initialize command. > > > Otherwise it looks good. > > Martin > This should address all the issues raised. The reason for different topology has several reasons: 1. A given IPA server may not have a CA installed 2. Some aspects of ipa-replica-manage can be delegated. We can't delegate CS replica management because it is in a different directory server. We don't have users stored there so can't map the GSSAPI credentials. So only Directory Manager can operate on it for now. 3. Flexibility. You may want way more connections for users than for the CA. rob -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-rcrit-825-2-replicamanage.patch Type: text/x-diff Size: 33390 bytes Desc: not available URL: From rcritten at redhat.com Fri Jul 15 14:11:49 2011 
From: rcritten at redhat.com (Rob Crittenden) Date: Fri, 15 Jul 2011 10:11:49 -0400 Subject: [Freeipa-devel] [PATCH] 813 fix enrolledBy regression In-Reply-To: <1310543558.13088.1.camel@dhcp-25-52.brq.redhat.com> References: <4E0DEABE.7040804@redhat.com> <1310474011.12162.25.camel@dhcp-25-52.brq.redhat.com> <4E1C9C7A.4050502@redhat.com> <1310543558.13088.1.camel@dhcp-25-52.brq.redhat.com> Message-ID: <4E204AA5.70809@redhat.com> Martin Kosek wrote: > On Tue, 2011-07-12 at 15:11 -0400, Rob Crittenden wrote: >> Martin Kosek wrote: >>> On Fri, 2011-07-01 at 11:41 -0400, Rob Crittenden wrote: >>>> enrolledBy represents the DN of the entry that enrolled a host. We don't >>>> want an admin to manipulate this but an aci allowed it. This was a >>>> regression. >>>> >>>> ticket 302 >>>> >>>> rob >>> >>> Works fine with new IPA installation. >>> >>> Still, I have some concerns: >>> >>> 1) What about ACI in existing installations? This patch won't affect it. >>> >>> 2) There are 2 typos in comment in ldif (admini, --setaddr) >>> >>> Martin >>> >> >> Well, I didn't consider the lack of an update to be a huge problem >> originally. I went ahead and added one. This required changing the >> syntax of replace slightly, using two colons to distinguish between old >> and new. >> >> Typos fixed too. >> >> rob > > ACK. Works fine. > > Martin > pushed to master From rcritten at redhat.com Fri Jul 15 14:14:28 2011 
From: rcritten at redhat.com (Rob Crittenden) Date: Fri, 15 Jul 2011 10:14:28 -0400 Subject: [Freeipa-devel] [PATCH] 088 Check IPA configuration in install tools In-Reply-To: <1308825546.3951.9.camel@dhcp-25-52.brq.redhat.com> References: <1308741564.13562.17.camel@dhcp-25-52.brq.redhat.com> <4E026696.2030600@redhat.com> <1308825546.3951.9.camel@dhcp-25-52.brq.redhat.com> Message-ID: <4E204B44.6020405@redhat.com> Martin Kosek wrote: > On Wed, 2011-06-22 at 18:03 -0400, Rob Crittenden wrote: >> Martin Kosek wrote: >>> Install tools may fail with unexpected error when IPA server is not >>> installed on a system. Improve user experience by implementing >>> a check to affected tools. >>> >>> https://fedorahosted.org/freeipa/ticket/1327 >>> https://fedorahosted.org/freeipa/ticket/1347 >> >> Can you add a docstring to the check_server_configuration() function? >> >> Looking in each utility it isn't necessarily obvious what this does but >> my meager attempts at renaming it all failed. I considered >> is_server_installed() but that implies it would return True/False. Then >> I considered require_server_configured() but that didn't seem to fit >> either. We have lots of other check_* so I guess it is fine, but some >> docs on where/why it is used would be nice. >> >> rob > > I see you undertake the same function naming dilemma as I do. I improved > documentation for the function, it should help. > > Martin ACK From rcritten at redhat.com Fri Jul 15 14:15:17 2011 
From: rcritten at redhat.com (Rob Crittenden) Date: Fri, 15 Jul 2011 10:15:17 -0400 Subject: [Freeipa-devel] [PATCH] 809 entitle_register using uuid unsupported In-Reply-To: <4E1EE760.6030704@redhat.com> References: <4E08CF08.9060504@redhat.com> <4E1EE760.6030704@redhat.com> Message-ID: <4E204B75.7000708@redhat.com> Jan Cholasta wrote: > On 27.6.2011 20:42, Rob Crittenden wrote: >> Document registering to an entitlement server with a UUID as not >> implemented. >> >> It was my understanding that we would be able to pass in an existing >> UUID when registering to connect to an existing registration (for the >> case where IPA is re-installed). This is supported in the REST API but >> not python-rhsm. >> >> I've filed an RFE to get this added but for now this is a way to not do >> major surgery to the API and still be at least somewhat user-friendly. >> >> https://fedorahosted.org/freeipa/ticket/1216 >> >> rob >> > > ACK > > Honza > pushed to master From mkosek at redhat.com Fri Jul 15 14:18:08 2011 
From: mkosek at redhat.com (Martin Kosek) Date: Fri, 15 Jul 2011 16:18:08 +0200 Subject: [Freeipa-devel] [PATCH] 822 remove deny hbac rule type In-Reply-To: <4E15D862.6030609@redhat.com> References: <4E14D8C9.1000709@redhat.com> <4E15D862.6030609@redhat.com> Message-ID: <1310739490.32137.27.camel@dhcp-25-52.brq.redhat.com> On Thu, 2011-07-07 at 12:01 -0400, Rob Crittenden wrote: > Rob Crittenden wrote: > > Remove deny from the available type options and prevent new ones from > > being created (either directly or via a mod). > > > > Type now defaults to allow and will autofill so on the cli the user > > won't be prompted for it in interactive mode. > > > > deny is still a valid type for searching, so hbacrule-find --type=deny > > works. > > > > ticket https://fedorahosted.org/freeipa/ticket/1432 > > > > rob > > I forgot to include an updated API.txt in the change. > > I tested with an old client and it does the right thing if you try to > create a deny rule. The API change affects only validation so I don't > need to bump up the version. > > rob ACK, works fine. Martin From rcritten at redhat.com Fri Jul 15 14:19:07 2011 From: rcritten at redhat.com (Rob Crittenden) Date: Fri, 15 Jul 2011 10:19:07 -0400 Subject: [Freeipa-devel] [PATCH] 812 Use RunAs in labels, not Run As In-Reply-To: <1310461374.12162.10.camel@dhcp-25-52.brq.redhat.com> References: <4E0B7904.5060509@redhat.com> <1310461374.12162.10.camel@dhcp-25-52.brq.redhat.com> Message-ID: <4E204C5B.4030003@redhat.com> Martin Kosek wrote: > On Wed, 2011-06-29 at 15:12 -0400, Rob Crittenden wrote: >> For consistency we should use RunAs in sudo labels and not Run As. >> >> The API changes don't affect the wire API, label is in there to make one >> think twice about making changes :-) >> >> https://fedorahosted.org/freeipa/ticket/1328 > > ACK. > > Martin > pushed to master and ipa-2-0 From rcritten at redhat.com Fri Jul 15 14:23:39 2011 
From: rcritten at redhat.com (Rob Crittenden) Date: Fri, 15 Jul 2011 10:23:39 -0400 Subject: [Freeipa-devel] [PATCH] 822 remove deny hbac rule type In-Reply-To: <1310739490.32137.27.camel@dhcp-25-52.brq.redhat.com> References: <4E14D8C9.1000709@redhat.com> <4E15D862.6030609@redhat.com> <1310739490.32137.27.camel@dhcp-25-52.brq.redhat.com> Message-ID: <4E204D6B.6060807@redhat.com> Martin Kosek wrote: > On Thu, 2011-07-07 at 12:01 -0400, Rob Crittenden wrote: >> Rob Crittenden wrote: >>> Remove deny from the available type options and prevent new ones from >>> being created (either directly or via a mod). >>> >>> Type now defaults to allow and will autofill so on the cli the user >>> won't be prompted for it in interactive mode. >>> >>> deny is still a valid type for searching, so hbacrule-find --type=deny >>> works. >>> >>> ticket https://fedorahosted.org/freeipa/ticket/1432 >>> >>> rob >> >> I forgot to include an updated API.txt in the change. >> >> I tested with an old client and it does the right thing if you try to >> create a deny rule. The API change affects only validation so I don't >> need to bump up the version. >> >> rob > > ACK, works fine. > > Martin > Rebased and pushed to master From rcritten at redhat.com Fri Jul 15 14:26:52 2011 From: rcritten at redhat.com (Rob Crittenden) Date: Fri, 15 Jul 2011 10:26:52 -0400 Subject: [Freeipa-devel] [PATCH] 29 Configure SSSD to store password if offline In-Reply-To: <4E1D7BDF.9050605@redhat.com> References: <4E1D7BDF.9050605@redhat.com> Message-ID: <4E204E2C.8020006@redhat.com> Jan Cholasta wrote: > Enable the krb5_store_password_if_offline option in sssd.conf by > default. To turn it off, use --no-krb5-offline-passwords option in > ipa-client-install. > > https://fedorahosted.org/freeipa/ticket/1359 > > Honza > ack, pushed to master From mkosek at redhat.com Fri Jul 15 14:44:31 2011 
From: mkosek at redhat.com (Martin Kosek) Date: Fri, 15 Jul 2011 16:44:31 +0200 Subject: [Freeipa-devel] [PATCH] 28 Fix creation of reverse DNS zones In-Reply-To: <1310658113.20354.4.camel@dhcp-25-52.brq.redhat.com> References: <4E1C50EA.1040209@redhat.com> <1310658113.20354.4.camel@dhcp-25-52.brq.redhat.com> Message-ID: <1310741074.32137.28.camel@dhcp-25-52.brq.redhat.com> On Thu, 2011-07-14 at 17:41 +0200, Martin Kosek wrote: > On Tue, 2011-07-12 at 15:49 +0200, Jan Cholasta wrote: > > This patch fixes reverse DNS zone creation so that a /24 IPv4 and /64 > > IPv6 reverse zones are created by default. The reverse zone can be > > customized using new --reverse-zone option in ipa-server-install, > > ipa-replica-prepare, ipa-replica-install and ipa-dns-install, which > > replaces the old way of using the netmask part of the --ip-address > > option. The reverse zone name is printed to the user during the install. > > > > https://fedorahosted.org/freeipa/ticket/1398 > > > > Honza > > Actually, works pretty well. If nobody else run into any problem I am OK > with pushing it. > > Martin > Pushed to master. Martin From rcritten at redhat.com Fri Jul 15 14:55:31 2011 
From: rcritten at redhat.com (Rob Crittenden)
Date: Fri, 15 Jul 2011 10:55:31 -0400
Subject: [Freeipa-devel] [PATCH] 34 Create FreeIPA CLI Plugin for the 389 Auto Membership plugin
In-Reply-To: <1310730613.32137.22.camel@dhcp-25-52.brq.redhat.com>
References: <99CC5FCC-73CE-43C1-9B73-4DDD69A4637D@citrixonline.com> <1310730613.32137.22.camel@dhcp-25-52.brq.redhat.com>
Message-ID: <4E2054E3.5060306@redhat.com>

Martin Kosek wrote:
> On Thu, 2011-07-14 at 23:05 +0000, JR Aquino wrote:
>> On Jul 14, 2011, at 11:55 AM, wrote:
>>
>>> https://fedorahosted.org/freeipa/ticket/1272
>>>
>>> * Added new container in etc to hold the automembership configs.
>>> * Modified constants to point to the new container
>>> * Modified dsinstance to create the container
>>> * Modified hostgroup.py to add the new commands
>>> * Added xmlrpc test to verify functionality
>>
>> Minor adjustment:
>> Auto Membership Plugin isn't available until 1.2.9-0.2+
>>
>> Modified freeipa.spec.in:
>> BuildRequires: 389-ds-base-devel>= 1.2.9-0.2
>
> I have reviewed your patch. Basic functionality is OK but I have some
> concerns.
>
> 1) I am not sure about the command name, it is not really clear to me
> what this command does. But I know from my experience that inventing a
> cool name for something new may be the most difficult task of all :-)
> Maybe command name "hostgrouprule" or "hostgroupauto" would be more
> clear?
>
>
> 2) Overloading execute method in functions
> hostgroupclarity_add_condition and hostgroupclarity_remove_condition is
> an over-kill for me. I think we could just read current
> inclusive/exclusive regexes in pre_callback, modify them and let
> LDAPUpdate class do the standard LDAP operations.
>
>
> 3) I miss hostgroupclarity-mod module. What would I do if I want to
> update Description?
>
>
> 4) I didn't like this construct in the code, it's error prone to
> potential future parameter changes.
> + if len(options) == 2: # 'all' and 'raw' are always sent
> + raise errors.EmptyModlist()
> I know it's in baseldap.py but I still wouldn't like to see this in
> plugins.
>
>
> 5) Test test_clarityrule_plugin.py: reference to inexistent python
> module:
> +Test the `ipalib/plugins/clarityrule.py` module.
>
>
> Then I did some real testing of the new command:
>
> 6) Invalid examples, fqdn is not supposed to be a part of regex
> $ ipa hostgroupclarity-add --inclusive-hostname-regex=fqdn=^www[1-9]+\.example\.com webservers
> Hostgroup Clarity Rule: webservers
> Inclusive Regex: fqdn=fqdn=^www[1-9]+.example.com
>
>
> 7) It does not make sense to have a rule with only an exclusive regex:
> $ ipa hostgroupclarity-add --exclusive-hostname-regex=^www5+\.example\.com webservers
> Hostgroup Clarity Rule: webservers
> $ ipa host-add --force foo.example.co
> $ ipa hostgroup-show webservers
> Host-group: webservers
> Description: Web Servers
> Member hosts: www1.example.com
>
> I think we should 1) hide exclusive regex option in hostgroupclarity-add
> and 2) check that there is at least one inclusive regex in the rule when
> running hostgroupclarity-add-condition and
> hostgroupclarity-remove-condition.
>
>
> 8) Plugin incorrectly handles a situation when both inclusive and exclusive regexes are being added:
>
> $ ipa hostgroupclarity-add --inclusive-hostname-regex=^www[1-9]+\.example\.com webservers
> Hostgroup Clarity Rule: webservers
> Inclusive Regex: fqdn=^www[1-9]+.example.com
> $ ipa hostgroupclarity-add-condition --inclusive-hostname-regex=^web[1-9]+\.example\.com --exclusive-hostname-regex=www5\.example\.com webservers
> Inclusive Regex: fqdn=^web[1-9]+.example.com, fqdn=^www[1-9]+.example.com
> Exclusive Regex: www5.example.com
>
> Exclusive regex misses fqdn.
>
>
> 9) Removing multiple conditions also works incorrectly:
>
> $ ipa hostgroupclarity-show webservers
> Hostgroup Clarity Rule: webservers
> Inclusive Regex: fqdn=^www[1-9]+.example.com, fqdn=^web[1-9]+.example.com
> Exclusive Regex: fqdn=www5.example.com
> $ ipa hostgroupclarity-remove-condition webservers --inclusive-hostname-regex=^www[1-9]+\.example\.com --exclusive-hostname-regex=www5\.example\.com
> Inclusive Regex: fqdn=^web[1-9]+.example.com
> $ ipa hostgroupclarity-show webservers
> Hostgroup Clarity Rule: webservers
> Inclusive Regex: fqdn=^web[1-9]+.example.com
> Exclusive Regex: fqdn=www5.example.com
>
>
> 10) When removing nonexistent regex I would expect more explaining error message:
>
> $ ipa hostgroupclarity-show webservers
> Hostgroup Clarity Rule: webservers
> Inclusive Regex: fqdn=^web[1-9]+.example.com
> Exclusive Regex: fqdn=www5.example.com
> $ ipa hostgroupclarity-remove-condition webservers --inclusive-hostname-regex=foo
> ipa: ERROR: no modifications to be performed

I think that with group_dn() you should use the api to get the entry rather than calling LDAP directly (I'd stick it into the clarity object). This is untested but I think it will work:

def hostgroup_dn(self, hostgroup):
    entry = self.api.Command.hostgroup_show(hostgroup, all=True)['result']
    return entry['dn']

rob

From rcritten at redhat.com Fri Jul 15 15:11:39 2011
From: rcritten at redhat.com (Rob Crittenden) Date: Fri, 15 Jul 2011 11:11:39 -0400 Subject: [Freeipa-devel] [PATCH 29/29] Remove sudorule_mod, ticket 1307 In-Reply-To: <201107150102.p6F12rpJ018284@int-mx02.intmail.prod.int.phx2.redhat.com> References: <201107150102.p6F12rpJ018284@int-mx02.intmail.prod.int.phx2.redhat.com> Message-ID: <4E2058AB.5090201@redhat.com> John Dennis wrote: > sudorule_mod was ill-conceived, it does not respect the logic > surrounding external users. Suggested to use sudorule_add and > sudorule_del for modification. NACK. The sudorule-mod command is still needed to do things like modify the categories. I think you just need to add flags=['no_create', 'no_update'] to the Parameters externaluser, ipasudorunasextuser and ipasudorunasextgroup. rob From rcritten at redhat.com Fri Jul 15 15:34:39 2011 From: rcritten at redhat.com (Rob Crittenden) Date: Fri, 15 Jul 2011 11:34:39 -0400 Subject: [Freeipa-devel] [PATCH] 095 Fix ipa-dns-install In-Reply-To: <1310713573.32137.0.camel@dhcp-25-52.brq.redhat.com> References: <1310713573.32137.0.camel@dhcp-25-52.brq.redhat.com> Message-ID: <4E205E0F.1050001@redhat.com> Martin Kosek wrote: > When DNS plugin is installed via ipa-dns-install and user has a valid > Kerberos ticket at the time, the DNS installation is corrupt and named > won't start, reporting Preauthentication error. > > When the non-DM identity is used for authentication, krbprincipalkey > attribute in DNS service LDAP record is not created, thus leading > to the error. This patch makes sure that authentication with Directory > Manager password is used every time. > > https://fedorahosted.org/freeipa/ticket/1483 ACK. From mkosek at redhat.com Fri Jul 15 15:38:16 2011 
From: mkosek at redhat.com (Martin Kosek) Date: Fri, 15 Jul 2011 17:38:16 +0200 Subject: [Freeipa-devel] [PATCH] 095 Fix ipa-dns-install In-Reply-To: <4E205E0F.1050001@redhat.com> References: <1310713573.32137.0.camel@dhcp-25-52.brq.redhat.com> <4E205E0F.1050001@redhat.com> Message-ID: <1310744298.32137.29.camel@dhcp-25-52.brq.redhat.com> On Fri, 2011-07-15 at 11:34 -0400, Rob Crittenden wrote: > Martin Kosek wrote: > > When DNS plugin is installed via ipa-dns-install and user has a valid > > Kerberos ticket at the time, the DNS installation is corrupt and named > > won't start, reporting Preauthentication error. > > > > When the non-DM identity is used for authentication, krbprincipalkey > > attribute in DNS service LDAP record is not created, thus leading > > to the error. This patch makes sure that authentication with Directory > > Manager password is used every time. > > > > https://fedorahosted.org/freeipa/ticket/1483 > > ACK. Pushed to master, ipa-2-0. Martin From mkosek at redhat.com Fri Jul 15 15:58:30 2011 
From: mkosek at redhat.com (Martin Kosek) Date: Fri, 15 Jul 2011 17:58:30 +0200 Subject: [Freeipa-devel] [PATCH] 817 Add option to wait for values In-Reply-To: <4E134CC9.307@redhat.com> References: <4E0E23D5.1070001@redhat.com> <4E0E3CDB.7070309@redhat.com> <4E134CC9.307@redhat.com> Message-ID: <1310745512.32137.31.camel@dhcp-25-52.brq.redhat.com> On Tue, 2011-07-05 at 13:41 -0400, Rob Crittenden wrote: > Rob Crittenden wrote: > > Rob Crittenden wrote: > >> 389-ds postop plugins, such as the managed entry and memberof plugins, > >> add values after the data has been returned to the client. In the case > >> of the managed entry plugin this affects the parent entry as well (adds > >> an objectclass value). > >> > >> This wreaks havoc on our tests as the values don't match what we expect. > >> > >> The solution is to wait for the postop plugins to finish their work, > >> then return. I've added this as an option. The downside is it is going > >> to naturally slow things down, so it is off by default. > >> > >> It is currently only used in the hostgroup plugin. > >> > >> The option is wait_for_attr. Add this to ~/.ipa/default.conf and set it > >> to True and all the current tests will pass (assuming you apply patches > >> 814-816 as well). > >> > >> So now we won't have any excuses for missing test failures in the unit > >> tests... > >> > >> rob > > > > Bah, found a small problem. Self-NACK. > > > > rob > > Updated patch attached. > > Note that I don't think there is a way for us to handle things like > memberof_indirect. We wouldn't know to wait. > > rob Works fine for the hostgroup entry. It's good it can be switched on/off. But what about other managed entries, like user entry? Would it make sense to add a wait here too? Or maybe something systematic to baseldap so that we wouldn't have to implement this wait to every managed entry. Martin From rmeggins at redhat.com Fri Jul 15 16:09:10 2011 
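Rob's wait_for_attr option, as described in the thread, re-reads the entry until the 389-ds post-op plugins (managed entry, memberOf) have written their values, so that the command returns the entry the tests expect. The following is an added example for this page, not FreeIPA's implementation: a generic poll-until-present helper with an injectable clock and sleep, plus a constructed stand-in directory whose plugin lands a few reads late, so both the success path and the deadline path can be run without a server. The entry DN, the objectClass values and the class names are the example's own assumptions. Martin's question still applies to it: the caller has to know which attribute and which values to wait for, and, as Rob notes, nothing like this can wait for an indirect memberOf it does not know about.

```python
"""Poll an LDAP entry until values written by a post-operation plugin show up
(added example, not FreeIPA's wait_for_attr implementation)."""
import time
from typing import Callable, Dict, Iterable, List, Tuple


class AttrWaitTimeout(TimeoutError):
    """The expected values did not appear before the deadline."""


def wait_for_attr(fetch: Callable[[str], Dict[str, List[str]]], dn: str, attr: str,
                  expected: Iterable[str], timeout: float = 5.0, interval: float = 0.05,
                  clock: Callable[[], float] = time.monotonic,
                  sleep: Callable[[float], None] = time.sleep) -> Dict[str, List[str]]:
    """Re-read `dn` via fetch() until `attr` holds every value in `expected`.

    Values are compared case-insensitively, as the directory does for
    objectClass and memberOf. Returns the entry that satisfied the wait and
    raises AttrWaitTimeout, naming the still-missing values, on timeout.
    """
    wanted = {v.lower() for v in expected}
    deadline = clock() + timeout
    while True:
        entry = fetch(dn)
        have = {v.lower() for v in entry.get(attr, [])}
        if wanted <= have:
            return entry
        if clock() >= deadline:
            raise AttrWaitTimeout("%s: %s still missing %s" % (dn, attr, sorted(wanted - have)))
        sleep(interval)


class LaggyDirectory:
    """Constructed stand-in for a server whose post-op plugin lands N reads late."""

    def __init__(self, entries, pending, lag_reads):
        self.entries = entries      # dn -> {attr: [values]} as stored at add time
        self.pending = pending      # dn -> {attr: [values the plugin will add later]}
        self.lag_reads = lag_reads  # reads that still see the pre-plugin entry
        self.reads = 0

    def fetch(self, dn):
        self.reads += 1
        entry = {k: list(v) for k, v in self.entries[dn].items()}
        if self.reads > self.lag_reads:   # plugin finished: merge its additions
            for attr, vals in self.pending.get(dn, {}).items():
                entry.setdefault(attr, []).extend(vals)
        return entry


class FakeClock:
    """Deterministic clock so the example never really sleeps."""

    def __init__(self):
        self.now = 0.0

    def __call__(self):
        return self.now

    def sleep(self, seconds):
        self.now += seconds


def demo(lag_reads: int = 3, timeout: float = 1.0) -> Tuple[int, List[str]]:
    """Wait for the managed-entry plugin's objectClass on a freshly added host group.

    Returns (number of reads it took, objectClass values seen). The DN and the
    values are constructed sample data.
    """
    dn = "cn=webservers,cn=hostgroups,cn=accounts,dc=example,dc=com"
    directory = LaggyDirectory(
        {dn: {"cn": ["webservers"], "objectClass": ["top", "ipahostgroup", "groupOfNames"]}},
        {dn: {"objectClass": ["mepOriginEntry"]}},
        lag_reads,
    )
    clock = FakeClock()
    entry = wait_for_attr(directory.fetch, dn, "objectClass", ["mepOriginEntry"],
                          timeout=timeout, interval=0.1, clock=clock, sleep=clock.sleep)
    return directory.reads, entry["objectClass"]
```

The deadline is checked after every read rather than before, so a value that appears exactly at the deadline is still returned, and the exception reports which values never showed up, which is the detail a failing unit test needs.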
From: rmeggins at redhat.com (Rich Megginson) Date: Fri, 15 Jul 2011 10:09:10 -0600 Subject: [Freeipa-devel] [PATCH] 825 add dogtag replication management In-Reply-To: <4E20484F.5040900@redhat.com> References: <4E1FB70D.3000605@redhat.com> <4E2035F0.5020400@redhat.com> <1310737881.32137.26.camel@dhcp-25-52.brq.redhat.com> <4E20484F.5040900@redhat.com> Message-ID: <4E206626.2080406@redhat.com> On 07/15/2011 08:01 AM, Rob Crittenden wrote: > Martin Kosek wrote: >> On Fri, 2011-07-15 at 14:43 +0200, Jan Cholasta wrote: >>> On 15.7.2011 05:42, Rob Crittenden wrote: >>>> Add a separate tool for now to do dogtag replication agreement >>>> management. The syntax is the same for IPA agreements with the >>>> exception >>>> that the DM password is always required and it isn't possible to >>>> delegate the management of this. >>>> >>>> ticket https://fedorahosted.org/freeipa/ticket/1250 >>>> >>>> rob >>>> >>> >>> NACK >>> >>> 'ipa-csreplica-manage list server' doesn't list the peers of the >>> specified server, but the peers of localhost. >>> >>> Connecting already connected pair of replicas duplicates the >>> replication >>> information ('ipa-csreplica-manage list server' shows the same hostname >>> twice). >>> >>> There is trailing whitespace on line 87 of the patch. >>> >>> BTW I don't understand why is it possible (or necessary?) to be able to >>> have CS replication topology that is different from the main IPA >>> replication topology (ipa-csreplica-manage allows you to do that). Is >>> there a reason for this? 
>>>
>>> Honza
>>>
>>
>> And some issues from me:
>>
>> 1) Unhelpful error message when force-syncing from a master without a
>> replication agreement:
>>
>> # ipa-csreplica-manage force-sync --from=HOST
>> Directory Manager password:
>> ipa: ERROR: Unable to find replication agreement for
>> vm-060.idm.lab.bos.redhat.com
>> unexpected error: Unable to proceed
>>
>> 2) Minor stuff in man page:
>>
>> Unindented Exit statuses:
>> EXIT STATUS
>> 0 if the command was successful
>> 1 if an error occurred
>>
>> Missing dot: The default is the machine on which the command is run Not
>> honoured by the re-initialize command.
>>
>>
>> Otherwise it looks good.
>>
>> Martin
>>
>
> This should address all the issues raised.
>
> The reason for different topology has several reasons:
>
> 1. A given IPA server may not have a CA installed
> 2. Some aspects of ipa-replica-manage can be delegated. We can't
> delegate CS replica management because it is in a different directory
> server. We don't have users stored there so can't map the GSSAPI
> credentials. So only Directory Manager can operate on it for now.
> 3. Flexibility. You may want way more connections for users than for
> the CA.

+ if starttls:
+ self.conn = ipaldap.IPAdmin(hostname, port=port)
+ ldap.set_option(ldap.OPT_X_TLS_CACERTFILE, CACERT)

Why in the starttls case do you not call ipaldap.IPAdmin(hostname, port=PORT, cacert=CACERT) ?
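Review bot: in the starttls branch the CA file is installed with a process-wide ldap.set_option() only after ipaldap.IPAdmin() has already created the handle, and the three quoted lines set no certificate-verification requirement at all; set ldap.OPT_X_TLS_CACERTFILE together with ldap.OPT_X_TLS_REQUIRE_CERT (ldap.OPT_X_TLS_DEMAND) before the handle is constructed, or hand the CA to the constructor as the question above suggests, so that the subsequent StartTLS rejects a server certificate that does not chain to CACERT instead of sending the Directory Manager password, which this tool always binds with, over an unauthenticated channel.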
+ managers = entry.getValues('nsDS5ReplicaBindDN')
+ if replica_binddn not in managers:

You might want to use the dn.py code, or at least normalize the DNs in managers before comparing

+ if master is None:
+ entry.setValues('nsds5replicaupdateschedule', '0000-2359 0123456')

You should just omit nsds5replicaupdateschedule

suggest using the dn.py code in the new csreplica manage script

>
> rob
>
>
> _______________________________________________
> Freeipa-devel mailing list
> Freeipa-devel at redhat.com
> https://www.redhat.com/mailman/listinfo/freeipa-devel

-------------- next part --------------
An HTML attachment was scrubbed...
URL:

From rcritten at redhat.com Fri Jul 15 16:57:42 2011
From: rcritten at redhat.com (Rob Crittenden) Date: Fri, 15 Jul 2011 12:57:42 -0400 Subject: [Freeipa-devel] [PATCH] 825 add dogtag replication management In-Reply-To: <4E206626.2080406@redhat.com> References: <4E1FB70D.3000605@redhat.com> <4E2035F0.5020400@redhat.com> <1310737881.32137.26.camel@dhcp-25-52.brq.redhat.com> <4E20484F.5040900@redhat.com> <4E206626.2080406@redhat.com> Message-ID: <4E207186.6040509@redhat.com> Rich Megginson wrote: > On 07/15/2011 08:01 AM, Rob Crittenden wrote: >> Martin Kosek wrote: >>> On Fri, 2011-07-15 at 14:43 +0200, Jan Cholasta wrote: >>>> On 15.7.2011 05:42, Rob Crittenden wrote: >>>>> Add a separate tool for now to do dogtag replication agreement >>>>> management. The syntax is the same for IPA agreements with the >>>>> exception >>>>> that the DM password is always required and it isn't possible to >>>>> delegate the management of this. >>>>> >>>>> ticket https://fedorahosted.org/freeipa/ticket/1250 >>>>> >>>>> rob >>>>> >>>> >>>> NACK >>>> >>>> 'ipa-csreplica-manage list server' doesn't list the peers of the >>>> specified server, but the peers of localhost. >>>> >>>> Connecting already connected pair of replicas duplicates the >>>> replication >>>> information ('ipa-csreplica-manage list server' shows the same hostname >>>> twice). >>>> >>>> There is trailing whitespace on line 87 of the patch. >>>> >>>> BTW I don't understand why is it possible (or necessary?) to be able to >>>> have CS replication topology that is different from the main IPA >>>> replication topology (ipa-csreplica-manage allows you to do that). Is >>>> there a reason for this? 
>>>> >>>> Honza >>>> >>> >>> And some issues from me: >>> >>> 1) Unhelpful error message when force-syncing from a master without a >>> replication agreement: >>> >>> # ipa-csreplica-manage force-sync --from=HOST >>> Directory Manager password: >>> ipa: ERROR: Unable to find replication agreement for >>> vm-060.idm.lab.bos.redhat.com >>> unexpected error: Unable to proceed >>> >>> 2) Minor stuff in man page: >>> >>> Unindented Exit statuses: >>> EXIT STATUS >>> 0 if the command was successful >>> 1 if an error occurred >>> >>> Missing dot: The default is the machine on which the command is run Not >>> honoured by the re-initialize command. >>> >>> >>> Otherwise it looks good. >>> >>> Martin >>> >> >> This should address all the issues raised. >> >> The reason for different topology has several reasons: >> >> 1. A given IPA server may not have a CA installed >> 2. Some aspects of ipa-replica-manage can be delegated. We can't >> delegate CS replica management because it is in a different directory >> server. We don't have users stored there so can't map the GSSAPI >> credentials. So only Directory Manager can operate on it for now. >> 3. Flexibility. You may want way more connections for users than for >> the CA. > > + if starttls: > + self.conn = ipaldap.IPAdmin(hostname, port=port) > + ldap.set_option(ldap.OPT_X_TLS_CACERTFILE, CACERT) > > Why in the starttls case do you not call ipaldap.IPAdmin(hostname, > port=PORT, cacert=CACERT) ? Because the port is the non-secure port and opening an SSL connection to it failed. > > + managers = entry.getValues('nsDS5ReplicaBindDN') > + if replica_binddn not in managers: > > You might want to use the dn.py code, or at least normalize the DNs in > managers before comparing That's a good idea. 
> > + if master is None: > + entry.setValues('nsds5replicaupdateschedule', '0000-2359 > 0123456') > > You should just omit nsds5replicaupdateschedule It failed with an operations error when I tried removing the attribute either directly with a MOD_DELETE or doing a MOD_REPLACE with nothing. I assume this is another attribute in cn=config that once set cannot be undone. rob > > suggest using the dn.py code in the new csreplica manage script >> >> rob >> >> >> _______________________________________________ >> Freeipa-devel mailing list >> Freeipa-devel at redhat.com >> https://www.redhat.com/mailman/listinfo/freeipa-devel > From rmeggins at redhat.com Fri Jul 15 17:03:07 2011 
From: rmeggins at redhat.com (Rich Megginson) Date: Fri, 15 Jul 2011 11:03:07 -0600 Subject: [Freeipa-devel] [PATCH] 825 add dogtag replication management In-Reply-To: <4E207186.6040509@redhat.com> References: <4E1FB70D.3000605@redhat.com> <4E2035F0.5020400@redhat.com> <1310737881.32137.26.camel@dhcp-25-52.brq.redhat.com> <4E20484F.5040900@redhat.com> <4E206626.2080406@redhat.com> <4E207186.6040509@redhat.com> Message-ID: <4E2072CB.4030902@redhat.com> On 07/15/2011 10:57 AM, Rob Crittenden wrote: > Rich Megginson wrote: >> On 07/15/2011 08:01 AM, Rob Crittenden wrote: >>> Martin Kosek wrote: >>>> On Fri, 2011-07-15 at 14:43 +0200, Jan Cholasta wrote: >>>>> On 15.7.2011 05:42, Rob Crittenden wrote: >>>>>> Add a separate tool for now to do dogtag replication agreement >>>>>> management. The syntax is the same for IPA agreements with the >>>>>> exception >>>>>> that the DM password is always required and it isn't possible to >>>>>> delegate the management of this. >>>>>> >>>>>> ticket https://fedorahosted.org/freeipa/ticket/1250 >>>>>> >>>>>> rob >>>>>> >>>>> >>>>> NACK >>>>> >>>>> 'ipa-csreplica-manage list server' doesn't list the peers of the >>>>> specified server, but the peers of localhost. >>>>> >>>>> Connecting already connected pair of replicas duplicates the >>>>> replication >>>>> information ('ipa-csreplica-manage list server' shows the same >>>>> hostname >>>>> twice). >>>>> >>>>> There is trailing whitespace on line 87 of the patch. >>>>> >>>>> BTW I don't understand why is it possible (or necessary?) to be >>>>> able to >>>>> have CS replication topology that is different from the main IPA >>>>> replication topology (ipa-csreplica-manage allows you to do that). Is >>>>> there a reason for this? 
>>>>> >>>>> Honza >>>>> >>>> >>>> And some issues from me: >>>> >>>> 1) Unhelpful error message when force-syncing from a master without a >>>> replication agreement: >>>> >>>> # ipa-csreplica-manage force-sync --from=HOST >>>> Directory Manager password: >>>> ipa: ERROR: Unable to find replication agreement for >>>> vm-060.idm.lab.bos.redhat.com >>>> unexpected error: Unable to proceed >>>> >>>> 2) Minor stuff in man page: >>>> >>>> Unindented Exit statuses: >>>> EXIT STATUS >>>> 0 if the command was successful >>>> 1 if an error occurred >>>> >>>> Missing dot: The default is the machine on which the command is >>>> run Not >>>> honoured by the re-initialize command. >>>> >>>> >>>> Otherwise it looks good. >>>> >>>> Martin >>>> >>> >>> This should address all the issues raised. >>> >>> The reason for different topology has several reasons: >>> >>> 1. A given IPA server may not have a CA installed >>> 2. Some aspects of ipa-replica-manage can be delegated. We can't >>> delegate CS replica management because it is in a different directory >>> server. We don't have users stored there so can't map the GSSAPI >>> credentials. So only Directory Manager can operate on it for now. >>> 3. Flexibility. You may want way more connections for users than for >>> the CA. >> >> + if starttls: >> + self.conn = ipaldap.IPAdmin(hostname, port=port) >> + ldap.set_option(ldap.OPT_X_TLS_CACERTFILE, CACERT) >> >> Why in the starttls case do you not call ipaldap.IPAdmin(hostname, >> port=PORT, cacert=CACERT) ? > > Because the port is the non-secure port and opening an SSL connection > to it failed. Ah, ok. So that tells IPAdmin to use this CACERT and to use ldaps. > >> >> + managers = entry.getValues('nsDS5ReplicaBindDN') >> + if replica_binddn not in managers: >> >> You might want to use the dn.py code, or at least normalize the DNs in >> managers before comparing > > That's a good idea. 
> >> >> + if master is None: >> + entry.setValues('nsds5replicaupdateschedule', '0000-2359 >> 0123456') >> >> You should just omit nsds5replicaupdateschedule > > It failed with an operations error when I tried removing the attribute > either directly with a MOD_DELETE or doing a MOD_REPLACE with nothing. > I assume this is another attribute in cn=config that once set cannot > be undone. Right. Ok. When you add the agreement entry, you can just omit it. But if you are trying to modify an existing agreement entry, you can't MOD_DELETE it or MOD_REPLACE with an empty value. > > rob > >> >> suggest using the dn.py code in the new csreplica manage script >>> >>> rob >>> >>> >>> _______________________________________________ >>> Freeipa-devel mailing list >>> Freeipa-devel at redhat.com >>> https://www.redhat.com/mailman/listinfo/freeipa-devel >> > From rcritten at redhat.com Fri Jul 15 17:37:17 2011 From: rcritten at redhat.com (Rob Crittenden) Date: Fri, 15 Jul 2011 13:37:17 -0400 Subject: [Freeipa-devel] [PATCH] 094 Fix self-signed replica installation In-Reply-To: <1310645496.31842.5.camel@dhcp-25-52.brq.redhat.com> References: <1310645496.31842.5.camel@dhcp-25-52.brq.redhat.com> Message-ID: <4E207ACD.5090305@redhat.com> Martin Kosek wrote: > When a replica for self-signed server is being installed, the > installer crashes with "Not a dogtag CA installation". Make sure > that installation is handled correctly for both dogtag and > self-signed replicas. > > https://fedorahosted.org/freeipa/ticket/1479 ack, pushed to master and ipa-2-0 rob From rcritten at redhat.com Fri Jul 15 17:42:48 2011 
From: rcritten at redhat.com (Rob Crittenden) Date: Fri, 15 Jul 2011 13:42:48 -0400 Subject: [Freeipa-devel] [PATCH] 093 Add new dnszone-find test In-Reply-To: <1310635103.31842.4.camel@dhcp-25-52.brq.redhat.com> References: <1310635103.31842.4.camel@dhcp-25-52.brq.redhat.com> Message-ID: <4E207C18.20000@redhat.com> Martin Kosek wrote: > Implement a test for new dnszone-find option --forward-only. > Fix example for reverse zone (zone was not fully qualified and > DNS plugin would forbid adding PTR records). > > https://fedorahosted.org/freeipa/ticket/1473 This looks ok, just one minor thing: can you add deleting the new reverse dnszone to the cleanup command? ACK with that. thanks rob From rcritten at redhat.com Fri Jul 15 19:24:16 2011 
From: rcritten at redhat.com (Rob Crittenden) Date: Fri, 15 Jul 2011 15:24:16 -0400 Subject: [Freeipa-devel] [PATCH] 825 add dogtag replication management In-Reply-To: <4E2072CB.4030902@redhat.com> References: <4E1FB70D.3000605@redhat.com> <4E2035F0.5020400@redhat.com> <1310737881.32137.26.camel@dhcp-25-52.brq.redhat.com> <4E20484F.5040900@redhat.com> <4E206626.2080406@redhat.com> <4E207186.6040509@redhat.com> <4E2072CB.4030902@redhat.com> Message-ID: <4E2093E0.7070306@redhat.com> Rich Megginson wrote: > On 07/15/2011 10:57 AM, Rob Crittenden wrote: >> Rich Megginson wrote: >>> On 07/15/2011 08:01 AM, Rob Crittenden wrote: >>>> Martin Kosek wrote: >>>>> On Fri, 2011-07-15 at 14:43 +0200, Jan Cholasta wrote: >>>>>> On 15.7.2011 05:42, Rob Crittenden wrote: >>>>>>> Add a separate tool for now to do dogtag replication agreement >>>>>>> management. The syntax is the same for IPA agreements with the >>>>>>> exception >>>>>>> that the DM password is always required and it isn't possible to >>>>>>> delegate the management of this. >>>>>>> >>>>>>> ticket https://fedorahosted.org/freeipa/ticket/1250 >>>>>>> >>>>>>> rob >>>>>>> >>>>>> >>>>>> NACK >>>>>> >>>>>> 'ipa-csreplica-manage list server' doesn't list the peers of the >>>>>> specified server, but the peers of localhost. >>>>>> >>>>>> Connecting already connected pair of replicas duplicates the >>>>>> replication >>>>>> information ('ipa-csreplica-manage list server' shows the same >>>>>> hostname >>>>>> twice). >>>>>> >>>>>> There is trailing whitespace on line 87 of the patch. >>>>>> >>>>>> BTW I don't understand why is it possible (or necessary?) to be >>>>>> able to >>>>>> have CS replication topology that is different from the main IPA >>>>>> replication topology (ipa-csreplica-manage allows you to do that). Is >>>>>> there a reason for this? 
>>>>>> >>>>>> Honza >>>>>> >>>>> >>>>> And some issues from me: >>>>> >>>>> 1) Unhelpful error message when force-syncing from a master without a >>>>> replication agreement: >>>>> >>>>> # ipa-csreplica-manage force-sync --from=HOST >>>>> Directory Manager password: >>>>> ipa: ERROR: Unable to find replication agreement for >>>>> vm-060.idm.lab.bos.redhat.com >>>>> unexpected error: Unable to proceed >>>>> >>>>> 2) Minor stuff in man page: >>>>> >>>>> Unindented Exit statuses: >>>>> EXIT STATUS >>>>> 0 if the command was successful >>>>> 1 if an error occurred >>>>> >>>>> Missing dot: The default is the machine on which the command is run >>>>> Not >>>>> honoured by the re-initialize command. >>>>> >>>>> >>>>> Otherwise it looks good. >>>>> >>>>> Martin >>>>> >>>> >>>> This should address all the issues raised. >>>> >>>> The reason for different topology has several reasons: >>>> >>>> 1. A given IPA server may not have a CA installed >>>> 2. Some aspects of ipa-replica-manage can be delegated. We can't >>>> delegate CS replica management because it is in a different directory >>>> server. We don't have users stored there so can't map the GSSAPI >>>> credentials. So only Directory Manager can operate on it for now. >>>> 3. Flexibility. You may want way more connections for users than for >>>> the CA. >>> >>> + if starttls: >>> + self.conn = ipaldap.IPAdmin(hostname, port=port) >>> + ldap.set_option(ldap.OPT_X_TLS_CACERTFILE, CACERT) >>> >>> Why in the starttls case do you not call ipaldap.IPAdmin(hostname, >>> port=PORT, cacert=CACERT) ? >> >> Because the port is the non-secure port and opening an SSL connection >> to it failed. > Ah, ok. So that tells IPAdmin to use this CACERT and to use ldaps. >> >>> >>> + managers = entry.getValues('nsDS5ReplicaBindDN') >>> + if replica_binddn not in managers: >>> >>> You might want to use the dn.py code, or at least normalize the DNs in >>> managers before comparing >> >> That's a good idea. 
>> >>> >>> + if master is None: >>> + entry.setValues('nsds5replicaupdateschedule', '0000-2359 >>> 0123456') >>> >>> You should just omit nsds5replicaupdateschedule >> >> It failed with an operations error when I tried removing the attribute >> either directly with a MOD_DELETE or doing a MOD_REPLACE with nothing. >> I assume this is another attribute in cn=config that once set cannot >> be undone. > Right. Ok. When you add the agreement entry, you can just omit it. But > if you are trying to modify an existing agreement entry, you can't > MOD_DELETE it or MOD_REPLACE with an empty value. Ok, good point about normalizing, updated patch attached. rob -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-rcrit-825-3-replicamanage.patch Type: text/x-diff Size: 33708 bytes Desc: not available URL: From rcritten at redhat.com Fri Jul 15 19:32:53 2011 
From: rcritten at redhat.com (Rob Crittenden) Date: Fri, 15 Jul 2011 15:32:53 -0400 Subject: [Freeipa-devel] [PATCH 29/29] Remove sudorule_mod, ticket 1307 In-Reply-To: <4E2058AB.5090201@redhat.com> References: <201107150102.p6F12rpJ018284@int-mx02.intmail.prod.int.phx2.redhat.com> <4E2058AB.5090201@redhat.com> Message-ID: <4E2095E5.4030002@redhat.com> Rob Crittenden wrote: > John Dennis wrote: >> sudorule_mod was ill-conceived, it does not respect the logic >> surrounding external users. Suggested to use sudorule_add and >> sudorule_del for modification. > > NACK. The sudorule-mod command is still needed to do things like modify > the categories. > > I think you just need to add flags=['no_create', 'no_update'] to the > Parameters externaluser, ipasudorunasextuser and ipasudorunasextgroup. > > rob Actually, now that I think about it, that would drop it from the API and we can't remove options in minor updates. The solution is probably going to entail using a pre_callback() in _mod and _add to either raise a deprecated exception or try to handle the input gracefully. rob From rcritten at redhat.com Fri Jul 15 19:41:58 2011 
From: rcritten at redhat.com (Rob Crittenden) Date: Fri, 15 Jul 2011 15:41:58 -0400 Subject: [Freeipa-devel] [PATCH] 3 ipa-client-install tries to start non-existing nscd In-Reply-To: <4E0D9240.7070001@redhat.com> References: <4E0D9240.7070001@redhat.com> Message-ID: <4E209806.4060400@redhat.com> Alexander Bokovoy wrote: > nack. I don't believe this fixes the reported problem. This patch affects un-installation in which case whether sssd was selected or not doesn't matter, we're just trying to restore the previous state (so tangentially I wonder if we should store the state of at install time). The reported error is thrown at install time. See ipa-client ~ line 909: #Name Server Caching Daemon. Disable for SSSD, use otherwise (if installed) if ipautil.service_is_installed("nscd"): ... I wonder if service_is_installed() is broken. rob From rmeggins at redhat.com Fri Jul 15 19:46:33 2011 
From: rmeggins at redhat.com (Rich Megginson) Date: Fri, 15 Jul 2011 13:46:33 -0600 Subject: [Freeipa-devel] [PATCH] 825 add dogtag replication management In-Reply-To: <4E2093E0.7070306@redhat.com> References: <4E1FB70D.3000605@redhat.com> <4E2035F0.5020400@redhat.com> <1310737881.32137.26.camel@dhcp-25-52.brq.redhat.com> <4E20484F.5040900@redhat.com> <4E206626.2080406@redhat.com> <4E207186.6040509@redhat.com> <4E2072CB.4030902@redhat.com> <4E2093E0.7070306@redhat.com> Message-ID: <4E209919.6020704@redhat.com> On 07/15/2011 01:24 PM, Rob Crittenden wrote: > Rich Megginson wrote: >> On 07/15/2011 10:57 AM, Rob Crittenden wrote: >>> Rich Megginson wrote: >>>> On 07/15/2011 08:01 AM, Rob Crittenden wrote: >>>>> Martin Kosek wrote: >>>>>> On Fri, 2011-07-15 at 14:43 +0200, Jan Cholasta wrote: >>>>>>> On 15.7.2011 05:42, Rob Crittenden wrote: >>>>>>>> Add a separate tool for now to do dogtag replication agreement >>>>>>>> management. The syntax is the same for IPA agreements with the >>>>>>>> exception >>>>>>>> that the DM password is always required and it isn't possible to >>>>>>>> delegate the management of this. >>>>>>>> >>>>>>>> ticket https://fedorahosted.org/freeipa/ticket/1250 >>>>>>>> >>>>>>>> rob >>>>>>>> >>>>>>> >>>>>>> NACK >>>>>>> >>>>>>> 'ipa-csreplica-manage list server' doesn't list the peers of the >>>>>>> specified server, but the peers of localhost. >>>>>>> >>>>>>> Connecting already connected pair of replicas duplicates the >>>>>>> replication >>>>>>> information ('ipa-csreplica-manage list server' shows the same >>>>>>> hostname >>>>>>> twice). >>>>>>> >>>>>>> There is trailing whitespace on line 87 of the patch. >>>>>>> >>>>>>> BTW I don't understand why is it possible (or necessary?) to be >>>>>>> able to >>>>>>> have CS replication topology that is different from the main IPA >>>>>>> replication topology (ipa-csreplica-manage allows you to do >>>>>>> that). Is >>>>>>> there a reason for this? 
>>>>>>> >>>>>>> Honza >>>>>>> >>>>>> >>>>>> And some issues from me: >>>>>> >>>>>> 1) Unhelpful error message when force-syncing from a master >>>>>> without a >>>>>> replication agreement: >>>>>> >>>>>> # ipa-csreplica-manage force-sync --from=HOST >>>>>> Directory Manager password: >>>>>> ipa: ERROR: Unable to find replication agreement for >>>>>> vm-060.idm.lab.bos.redhat.com >>>>>> unexpected error: Unable to proceed >>>>>> >>>>>> 2) Minor stuff in man page: >>>>>> >>>>>> Unindented Exit statuses: >>>>>> EXIT STATUS >>>>>> 0 if the command was successful >>>>>> 1 if an error occurred >>>>>> >>>>>> Missing dot: The default is the machine on which the command is run >>>>>> Not >>>>>> honoured by the re-initialize command. >>>>>> >>>>>> >>>>>> Otherwise it looks good. >>>>>> >>>>>> Martin >>>>>> >>>>> >>>>> This should address all the issues raised. >>>>> >>>>> The reason for different topology has several reasons: >>>>> >>>>> 1. A given IPA server may not have a CA installed >>>>> 2. Some aspects of ipa-replica-manage can be delegated. We can't >>>>> delegate CS replica management because it is in a different directory >>>>> server. We don't have users stored there so can't map the GSSAPI >>>>> credentials. So only Directory Manager can operate on it for now. >>>>> 3. Flexibility. You may want way more connections for users than for >>>>> the CA. >>>> >>>> + if starttls: >>>> + self.conn = ipaldap.IPAdmin(hostname, port=port) >>>> + ldap.set_option(ldap.OPT_X_TLS_CACERTFILE, CACERT) >>>> >>>> Why in the starttls case do you not call ipaldap.IPAdmin(hostname, >>>> port=PORT, cacert=CACERT) ? >>> >>> Because the port is the non-secure port and opening an SSL connection >>> to it failed. >> Ah, ok. So that tells IPAdmin to use this CACERT and to use ldaps. 
>>> >>>> >>>> + managers = entry.getValues('nsDS5ReplicaBindDN') >>>> + if replica_binddn not in managers: >>>> >>>> You might want to use the dn.py code, or at least normalize the DNs in >>>> managers before comparing >>> >>> That's a good idea. >>> >>>> >>>> + if master is None: >>>> + entry.setValues('nsds5replicaupdateschedule', '0000-2359 >>>> 0123456') >>>> >>>> You should just omit nsds5replicaupdateschedule >>> >>> It failed with an operations error when I tried removing the attribute >>> either directly with a MOD_DELETE or doing a MOD_REPLACE with nothing. >>> I assume this is another attribute in cn=config that once set cannot >>> be undone. >> Right. Ok. When you add the agreement entry, you can just omit it. But >> if you are trying to modify an existing agreement entry, you can't >> MOD_DELETE it or MOD_REPLACE with an empty value. > > Ok, good point about normalizing, updated patch attached. The new script ipa-csreplica-manage does a lot of DN manipulation - would be better to use the DN class for creating, parsing, and formatting DN strings. > > rob From abokovoy at redhat.com Fri Jul 15 20:03:03 2011 
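The DN comparison Rich and Rob discuss above (`if replica_binddn not in managers:` against raw nsDS5ReplicaBindDN strings) is an illustration of why plain string membership is the wrong test: 389-ds may hand back the bind DN with different case or spacing than the string the tool was given, so a legitimate manager DN is silently treated as absent and a second, duplicate bind DN gets added. The following is an added example, not FreeIPA's dn.py or the code in patch 825; it shows a minimal normalization that lowercases attribute types, strips whitespace, and case-folds values before comparing. The assumption that every value may be case-folded holds for the caseIgnore attributes (cn, ou, dc) replication bind DNs are built from, and the sample manager list is constructed.

```python
"""Normalize LDAP DNs before comparing them (added example, not IPA's dn.py)."""


def split_dn(dn):
    """Split a DN string into RDN strings, honouring backslash escapes.

    Only ',' and ';' end an RDN; an escaped separator such as '\\,' is kept
    inside the current component. Multi-valued RDNs ('+') stay in one piece.
    """
    parts, buf, i = [], [], 0
    while i < len(dn):
        ch = dn[i]
        if ch == '\\' and i + 1 < len(dn):
            buf.append(dn[i:i + 2])      # keep the escape pair untouched
            i += 2
            continue
        if ch in ',;':
            parts.append(''.join(buf))
            buf = []
        else:
            buf.append(ch)
        i += 1
    parts.append(''.join(buf))
    return parts


def normalize_dn(dn):
    """Return a canonical form of dn suitable for equality tests.

    Attribute types are lowercased, whitespace around '=' and separators is
    dropped, values are case-folded (assumption: caseIgnore matching, which is
    what cn/ou/dc use), and the AVAs of a multi-valued RDN are sorted.
    Splitting on '+' does not honour escapes, so an escaped '+' in a value is
    not supported here.
    """
    rdns = []
    for rdn in split_dn(dn):
        avas = []
        for ava in rdn.split('+'):
            if '=' not in ava:
                raise ValueError('malformed RDN component: %r' % ava)
            attr, value = ava.split('=', 1)
            avas.append('%s=%s' % (attr.strip().lower(), value.strip().lower()))
        rdns.append('+'.join(sorted(avas)))
    return ','.join(rdns)


def bind_dn_present(replica_binddn, managers):
    """Replacement for the naive `replica_binddn not in managers` check."""
    wanted = normalize_dn(replica_binddn)
    return any(normalize_dn(m) == wanted for m in managers)


# Constructed sample: what an entry's nsDS5ReplicaBindDN values might look like
# after round-tripping through the directory server.
SAMPLE_MANAGERS = [
    'CN=Replication Manager, CN=config',
    'cn=Directory Manager',
]


def naive_present(replica_binddn, managers):
    """The string-membership test from the thread, kept for comparison."""
    return replica_binddn in managers
```

With the sample list, `naive_present('cn=replication manager,cn=config', SAMPLE_MANAGERS)` is False while `bind_dn_present` returns True, which is exactly the case that would otherwise lead to a duplicated bind DN on the agreement entry.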
From: abokovoy at redhat.com (Alexander Bokovoy) Date: Fri, 15 Jul 2011 23:03:03 +0300 Subject: [Freeipa-devel] [PATCH] 3 ipa-client-install tries to start non-existing nscd In-Reply-To: <4E209806.4060400@redhat.com> References: <4E0D9240.7070001@redhat.com> <4E209806.4060400@redhat.com> Message-ID: <4E209CF7.704@redhat.com> On 15.07.2011 22:41, Rob Crittenden wrote: > Alexander Bokovoy wrote: >> > > nack. > > I don't believe this fixes the reported problem. This patch affects > un-installation in which case whether sssd was selected or not doesn't > matter, we're just trying to restore the previous state (so tangentially > I wonder if we should store the state of at install time). > > The reported error is thrown at install time. See ipa-client ~ line 909: > > #Name Server Caching Daemon. Disable for SSSD, use otherwise (if installed) > if ipautil.service_is_installed("nscd"): > ... > > I wonder if service_is_installed() is broken. I forgot to NACK that myself to save you from wasting time on it. Sorry for that. I have newer patch in works that goes over all cases but needs more testing. Unfortunately, original bug reporter went on vacation till August so the only chance to reproduce it is to try myself to mimic his steps. -- / Alexander Bokovoy From jcholast at redhat.com Fri Jul 15 20:52:35 2011 
From: jcholast at redhat.com (Jan Cholasta) Date: Fri, 15 Jul 2011 22:52:35 +0200 Subject: [Freeipa-devel] [PATCH] 825 add dogtag replication management In-Reply-To: <4E2093E0.7070306@redhat.com> References: <4E1FB70D.3000605@redhat.com> <4E2035F0.5020400@redhat.com> <1310737881.32137.26.camel@dhcp-25-52.brq.redhat.com> <4E20484F.5040900@redhat.com> <4E206626.2080406@redhat.com> <4E207186.6040509@redhat.com> <4E2072CB.4030902@redhat.com> <4E2093E0.7070306@redhat.com> Message-ID: <4E20A893.5050704@redhat.com> On 15.7.2011 21:24, Rob Crittenden wrote: > Rich Megginson wrote: >> On 07/15/2011 10:57 AM, Rob Crittenden wrote: >>> Rich Megginson wrote: >>>> On 07/15/2011 08:01 AM, Rob Crittenden wrote: >>>>> Martin Kosek wrote: >>>>>> On Fri, 2011-07-15 at 14:43 +0200, Jan Cholasta wrote: >>>>>>> On 15.7.2011 05:42, Rob Crittenden wrote: >>>>>>>> Add a separate tool for now to do dogtag replication agreement >>>>>>>> management. The syntax is the same for IPA agreements with the >>>>>>>> exception >>>>>>>> that the DM password is always required and it isn't possible to >>>>>>>> delegate the management of this. >>>>>>>> >>>>>>>> ticket https://fedorahosted.org/freeipa/ticket/1250 >>>>>>>> >>>>>>>> rob >>>>>>>> >>>>>>> >>>>>>> NACK >>>>>>> >>>>>>> 'ipa-csreplica-manage list server' doesn't list the peers of the >>>>>>> specified server, but the peers of localhost. >>>>>>> >>>>>>> Connecting already connected pair of replicas duplicates the >>>>>>> replication >>>>>>> information ('ipa-csreplica-manage list server' shows the same >>>>>>> hostname >>>>>>> twice). >>>>>>> >>>>>>> There is trailing whitespace on line 87 of the patch. >>>>>>> >>>>>>> BTW I don't understand why is it possible (or necessary?) to be >>>>>>> able to >>>>>>> have CS replication topology that is different from the main IPA >>>>>>> replication topology (ipa-csreplica-manage allows you to do >>>>>>> that). Is >>>>>>> there a reason for this? 
>>>>>>> >>>>>>> Honza >>>>>>> >>>>>> >>>>>> And some issues from me: >>>>>> >>>>>> 1) Unhelpful error message when force-syncing from a master without a >>>>>> replication agreement: >>>>>> >>>>>> # ipa-csreplica-manage force-sync --from=HOST >>>>>> Directory Manager password: >>>>>> ipa: ERROR: Unable to find replication agreement for >>>>>> vm-060.idm.lab.bos.redhat.com >>>>>> unexpected error: Unable to proceed >>>>>> >>>>>> 2) Minor stuff in man page: >>>>>> >>>>>> Unindented Exit statuses: >>>>>> EXIT STATUS >>>>>> 0 if the command was successful >>>>>> 1 if an error occurred >>>>>> >>>>>> Missing dot: The default is the machine on which the command is run >>>>>> Not >>>>>> honoured by the re-initialize command. >>>>>> >>>>>> >>>>>> Otherwise it looks good. >>>>>> >>>>>> Martin >>>>>> >>>>> >>>>> This should address all the issues raised. >>>>> >>>>> The reason for different topology has several reasons: >>>>> >>>>> 1. A given IPA server may not have a CA installed >>>>> 2. Some aspects of ipa-replica-manage can be delegated. We can't >>>>> delegate CS replica management because it is in a different directory >>>>> server. We don't have users stored there so can't map the GSSAPI >>>>> credentials. So only Directory Manager can operate on it for now. >>>>> 3. Flexibility. You may want way more connections for users than for >>>>> the CA. >>>> >>>> + if starttls: >>>> + self.conn = ipaldap.IPAdmin(hostname, port=port) >>>> + ldap.set_option(ldap.OPT_X_TLS_CACERTFILE, CACERT) >>>> >>>> Why in the starttls case do you not call ipaldap.IPAdmin(hostname, >>>> port=PORT, cacert=CACERT) ? >>> >>> Because the port is the non-secure port and opening an SSL connection >>> to it failed. >> Ah, ok. So that tells IPAdmin to use this CACERT and to use ldaps. 
>>> >>>> >>>> + managers = entry.getValues('nsDS5ReplicaBindDN') >>>> + if replica_binddn not in managers: >>>> >>>> You might want to use the dn.py code, or at least normalize the DNs in >>>> managers before comparing >>> >>> That's a good idea. >>> >>>> >>>> + if master is None: >>>> + entry.setValues('nsds5replicaupdateschedule', '0000-2359 >>>> 0123456') >>>> >>>> You should just omit nsds5replicaupdateschedule >>> >>> It failed with an operations error when I tried removing the attribute >>> either directly with a MOD_DELETE or doing a MOD_REPLACE with nothing. >>> I assume this is another attribute in cn=config that once set cannot >>> be undone. >> Right. Ok. When you add the agreement entry, you can just omit it. But >> if you are trying to modify an existing agreement entry, you can't >> MOD_DELETE it or MOD_REPLACE with an empty value. > > Ok, good point about normalizing, updated patch attached. > > rob > Everything I found is fixed. You might want to take a look at what Martin found, though. Honza -- Jan Cholasta From rcritten at redhat.com Fri Jul 15 21:20:40 2011 From: rcritten at redhat.com (Rob Crittenden) Date: Fri, 15 Jul 2011 17:20:40 -0400 Subject: [Freeipa-devel] [PATCH] 826 fix failing memberof tests Message-ID: <4E20AF28.8000108@redhat.com> With the recent object_name/label changes some tests were failing that were expecting the old value which contained a space. This fixes them. rob -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-rcrit-826-fixtest.patch Type: text/x-diff Size: 3855 bytes Desc: not available URL: From rcritten at redhat.com Fri Jul 15 21:23:05 2011 
From: rcritten at redhat.com (Rob Crittenden) Date: Fri, 15 Jul 2011 17:23:05 -0400 Subject: [Freeipa-devel] [PATCH] 23 Add ability to specify DNS reverse zone name by IP network address In-Reply-To: <4E1EBF70.80203@redhat.com> References: <4E008B7B.6020404@redhat.com> <4E035324.4000607@redhat.com> <4E0A18AA.7040304@redhat.com> <4E1EBF70.80203@redhat.com> Message-ID: <4E20AFB9.5020607@redhat.com> Jan Cholasta wrote: > On 28.6.2011 20:08, Rob Crittenden wrote: >> Jan Cholasta wrote: >>> On 21.6.2011 14:15, Jan Cholasta wrote: >>>> This patch adds a new option name_from_ip to dnszone commands. Default >>>> value of idnsname is created from this option. >>>> >>>> Honza >>>> >>> >>> Fixed the API version number, added usage example to dns plugin help. >>> >>> https://fedorahosted.org/freeipa/ticket/1045 >>> >>> Honza >> >> Had quickie code review in IRC this morning. I asked for a comment >> around the while loop, Honza suggested: This is to make chained >> default_from work - idnssoarname default is created from idnsname and >> idnsname default is created from name_from_ip - without this change, >> idnssoarname default value isn't created when only name_from_ip is >> specified. >> >> Would also be nice to have a test case for this new usage. >> >> rob > > Added the test case. > > The original ticket is now for the UI part, new ticket was opened for > the server-side part: > > https://fedorahosted.org/freeipa/ticket/1474 > > Honza > pushed to master From rcritten at redhat.com Fri Jul 15 21:26:27 2011 
From: rcritten at redhat.com (Rob Crittenden) Date: Fri, 15 Jul 2011 17:26:27 -0400 Subject: [Freeipa-devel] [PATCH] 091 Improve long integer type validation In-Reply-To: <1310628067.31842.1.camel@dhcp-25-52.brq.redhat.com> References: <1310628067.31842.1.camel@dhcp-25-52.brq.redhat.com> Message-ID: <4E20B083.6060905@redhat.com> Martin Kosek wrote: > Passing a number of "long" type to IPA Int parameter invokes > user-unfriendly error message about incompatible types. This patch > improves Int parameter with user understandable message along with > maximum value he can pass. > > https://fedorahosted.org/freeipa/ticket/1346 nack. We need to limit Int to 32-bit values because that is what XML-RPC supports. So if maxvalue isn't set we need to compare against MAXINT and not sys.maxint. rob From rcritten at redhat.com Fri Jul 15 21:39:47 2011 From: rcritten at redhat.com (Rob Crittenden) Date: Fri, 15 Jul 2011 17:39:47 -0400 Subject: [Freeipa-devel] [PATCH] 30 Fix exit status of ipa-nis-manage-enable In-Reply-To: <4E1EA113.6050508@redhat.com> References: <4E1EA113.6050508@redhat.com> Message-ID: <4E20B3A3.606@redhat.com> Jan Cholasta wrote: > https://fedorahosted.org/freeipa/ticket/1247 > > Honza ack, works as advertised. pushed to master and ipa-2-0 From rcritten at redhat.com Fri Jul 15 22:23:27 2011 
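Rob's nack on patch 091 above turns on the transport, not the language: Python integers are arbitrary-precision, but an XML-RPC <int> is a signed 32-bit value, so a parameter bounded by sys.maxint accepts numbers that cannot be marshalled to the server at all. The block below is an added example, not FreeIPA's Int parameter class; it checks against a 32-bit MAXINT when no explicit maxvalue is configured, produces the user-facing message with the limit the user may pass, and uses the standard library marshaller to show that a value which passes a sys.maxsize check still fails at the XML-RPC layer. The function and class names are the example's own.

```python
"""Bound an integer parameter to what XML-RPC can carry (added example, not FreeIPA code)."""
import sys
import xmlrpc.client

# XML-RPC <int>/<i4> is a signed 32-bit value whatever the size of a Python int.
MAXINT = (1 << 31) - 1
MININT = -(1 << 31)


class IntRangeError(ValueError):
    """Raised with a message that names the limit the caller may use."""


def validate_int(value, minvalue=None, maxvalue=None):
    """Return value if it is an int within the effective [lo, hi] range.

    The effective bounds are the configured minvalue/maxvalue clamped to the
    32-bit XML-RPC range, so an unset maxvalue means MAXINT rather than
    sys.maxsize (sys.maxint on Python 2).
    """
    if isinstance(value, bool) or not isinstance(value, int):
        raise IntRangeError('must be an integer')
    lo = MININT if minvalue is None else max(minvalue, MININT)
    hi = MAXINT if maxvalue is None else min(maxvalue, MAXINT)
    if value > hi:
        raise IntRangeError('can be at most %d' % hi)
    if value < lo:
        raise IntRangeError('must be at least %d' % lo)
    return value


def check_int(value, **bounds):
    """Convenience wrapper returning (ok, message) instead of raising."""
    try:
        validate_int(value, **bounds)
    except IntRangeError as exc:
        return False, str(exc)
    return True, ''


def passes_platform_check(value):
    """The check the review objects to: sys.maxsize is the platform word size."""
    return isinstance(value, int) and value <= sys.maxsize


def marshals_over_xmlrpc(value):
    """Ask the real marshaller whether value survives XML-RPC encoding."""
    try:
        xmlrpc.client.dumps((value,))
    except OverflowError:            # "int exceeds XML-RPC limits"
        return False
    return True
```

On a 64-bit host `passes_platform_check(2**40)` is True while `marshals_over_xmlrpc(2**40)` is False, which is the gap the 32-bit bound closes before the request leaves the client.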
From: rcritten at redhat.com (Rob Crittenden) Date: Fri, 15 Jul 2011 18:23:27 -0400 Subject: [Freeipa-devel] [PATCH] 817 Add option to wait for values In-Reply-To: <1310745512.32137.31.camel@dhcp-25-52.brq.redhat.com> References: <4E0E23D5.1070001@redhat.com> <4E0E3CDB.7070309@redhat.com> <4E134CC9.307@redhat.com> <1310745512.32137.31.camel@dhcp-25-52.brq.redhat.com> Message-ID: <4E20BDDF.3020100@redhat.com> Martin Kosek wrote: > On Tue, 2011-07-05 at 13:41 -0400, Rob Crittenden wrote: >> Rob Crittenden wrote: >>> Rob Crittenden wrote: >>>> 389-ds postop plugins, such as the managed entry and memberof plugins, >>>> add values after the data has been returned to the client. In the case >>>> of the managed entry plugin this affects the parent entry as well (adds >>>> an objectclass value). >>>> >>>> This wreaks havoc on our tests as the values don't match what we expect. >>>> >>>> The solution is to wait for the postop plugins to finish their work, >>>> then return. I've added this as an option. The downside is it is going >>>> to naturally slow things down, so it is off by default. >>>> >>>> It is currently only used in the hostgroup plugin. >>>> >>>> The option is wait_for_attr. Add this to ~/.ipa/default.conf and set it >>>> to True and all the current tests will pass (assuming you apply patches >>>> 814-816 as well). >>>> >>>> So now we won't have any excuses for missing test failures in the unit >>>> tests... >>>> >>>> rob >>> >>> Bah, found a small problem. Self-NACK. >>> >>> rob >> >> Updated patch attached. >> >> Note that I don't think there is a way for us to handle things like >> memberof_indirect. We wouldn't know to wait. >> >> rob > > Works fine for the hostgroup entry. It's good it can be switched on/off. > > But what about other managed entries, like user entry? Would it make > sense to add a wait here too? Or maybe something systematic to baseldap > so that we wouldn't have to implement this wait to every managed entry. 
> > Martin > I can certainly add it to users to check for managed groups. Making it generic would be difficult because some are conditional (such as users). rob From rcritten at redhat.com Sun Jul 17 21:42:56 2011 
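The wait_for_attr option discussed in this thread is a response to eventual consistency inside one directory server: a 389-ds postop plugin (memberOf, managed entries) writes its values after the add has already been acknowledged to the client, so a read issued immediately afterwards may or may not see them. The following is an added example, not the code in patch 817; it shows the polling shape such an option implies, with a deadline so a plugin that never fires cannot hang the caller, and a constructed in-memory directory stand-in whose memberOf value appears only on the third read. The names wait_for_attr, FakeDirectory and the sample DN are the example's own.

```python
"""Poll for a postop-plugin attribute with a deadline (added example, not FreeIPA code)."""
import time


class WaitTimeout(Exception):
    """The attribute never appeared within the allowed time."""


def wait_for_attr(fetch, attr, timeout=5.0, interval=0.05,
                  clock=time.monotonic, sleep=time.sleep):
    """Call fetch() until the entry it returns has a non-empty attr.

    fetch returns a dict mapping attribute names to value lists, as an LDAP
    search result would. clock/sleep are injectable so tests need not wait.
    """
    deadline = clock() + timeout
    while True:
        entry = fetch()
        if entry.get(attr):
            return entry
        if clock() >= deadline:
            raise WaitTimeout('%s not populated after %.2fs' % (attr, timeout))
        sleep(interval)


class FakeDirectory:
    """Constructed stand-in: memberOf shows up only after delay_reads reads,
    mimicking the memberOf postop plugin finishing after the add returned."""

    def __init__(self, delay_reads=2):
        self.delay_reads = delay_reads
        self.reads = 0

    def read(self):
        self.reads += 1
        entry = {'cn': ['web01'],
                 'objectclass': ['ipahostgroup', 'groupofnames']}
        if self.reads > self.delay_reads:
            entry['memberOf'] = [
                'cn=webservers,cn=hostgroups,cn=accounts,dc=example,dc=test']
        return entry


def demo():
    """Return how many reads were needed and the value finally seen."""
    fake = FakeDirectory(delay_reads=2)
    entry = wait_for_attr(fake.read, 'memberOf', timeout=1.0, interval=0.0)
    return fake.reads, entry['memberOf']


def demo_timeout():
    """Return True when a plugin that never fires produces WaitTimeout."""
    fake = FakeDirectory(delay_reads=10**6)
    try:
        wait_for_attr(fake.read, 'memberOf', timeout=0.0, interval=0.0)
    except WaitTimeout:
        return True
    return False
```

The cost Rob mentions is visible in the shape: every wait is at least one extra search, which is why it is sensible to keep it off by default and enable it only where a test needs the post-plugin state.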
From: rcritten at redhat.com (Rob Crittenden) Date: Sun, 17 Jul 2011 17:42:56 -0400 Subject: [Freeipa-devel] [PATCH] 817 Add option to wait for values In-Reply-To: <4E20BDDF.3020100@redhat.com> References: <4E0E23D5.1070001@redhat.com> <4E0E3CDB.7070309@redhat.com> <4E134CC9.307@redhat.com> <1310745512.32137.31.camel@dhcp-25-52.brq.redhat.com> <4E20BDDF.3020100@redhat.com> Message-ID: <4E235760.6000407@redhat.com> Rob Crittenden wrote: > Martin Kosek wrote: >> On Tue, 2011-07-05 at 13:41 -0400, Rob Crittenden wrote: >>> Rob Crittenden wrote: >>>> Rob Crittenden wrote: >>>>> 389-ds postop plugins, such as the managed entry and memberof plugins, >>>>> add values after the data has been returned to the client. In the case >>>>> of the managed entry plugin this affects the parent entry as well >>>>> (adds >>>>> an objectclass value). >>>>> >>>>> This wreaks havoc on our tests as the values don't match what we >>>>> expect. >>>>> >>>>> The solution is to wait for the postop plugins to finish their work, >>>>> then return. I've added this as an option. The downside is it is going >>>>> to naturally slow things down, so it is off by default. >>>>> >>>>> It is currently only used in the hostgroup plugin. >>>>> >>>>> The option is wait_for_attr. Add this to ~/.ipa/default.conf and >>>>> set it >>>>> to True and all the current tests will pass (assuming you apply >>>>> patches >>>>> 814-816 as well). >>>>> >>>>> So now we won't have any excuses for missing test failures in the unit >>>>> tests... >>>>> >>>>> rob >>>> >>>> Bah, found a small problem. Self-NACK. >>>> >>>> rob >>> >>> Updated patch attached. >>> >>> Note that I don't think there is a way for us to handle things like >>> memberof_indirect. We wouldn't know to wait. >>> >>> rob >> >> Works fine for the hostgroup entry. It's good it can be switched on/off. >> >> But what about other managed entries, like user entry? Would it make >> sense to add a wait here too? 
Or maybe something systematic to baseldap >> so that we wouldn't have to implement this wait to every managed entry. >> >> Martin >> > > I can certainly add it to users to check for managed groups. Making it > generic would be difficult because some are conditional (such as users). > > rob Added support for managed users as well. rob -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-rcrit-817-3-wait.patch Type: text/x-diff Size: 6456 bytes Desc: not available URL: From rcritten at redhat.com Sun Jul 17 21:45:09 2011 From: rcritten at redhat.com (Rob Crittenden) Date: Sun, 17 Jul 2011 17:45:09 -0400 Subject: [Freeipa-devel] [PATCH] 827 change subject of RA Message-ID: <4E2357E5.8020806@redhat.com> Change the subject of the RA to not confuse dogtag users. We used 'RA Subsystem' and this might confuse some to think we're using the dogtag RA which we are not. This won't affect existing installations, only new ones. https://fedorahosted.org/freeipa/ticket/1236 -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-rcrit-827-ranickname.patch Type: text/x-diff Size: 1857 bytes Desc: not available URL: From rcritten at redhat.com Sun Jul 17 21:46:36 2011 From: rcritten at redhat.com (Rob Crittenden) Date: Sun, 17 Jul 2011 17:46:36 -0400 Subject: [Freeipa-devel] [PATCH] 828 set plugin precedence Message-ID: <4E23583C.4080707@redhat.com> The default precedence of slapi plugins is 50 and all of them (ours and the 389-ds plugins) all have this level with the exception of one (Retro changelog). The IPA modrdn plugin should run after all of these so I've bumped up the precedence to 60 as recommended by the 389-ds team. https://fedorahosted.org/freeipa/ticket/1370 -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-rcrit-828-precedence.patch Type: text/x-diff Size: 1637 bytes Desc: not available URL: From rcritten at redhat.com Sun Jul 17 21:47:22 2011 
From: rcritten at redhat.com (Rob Crittenden)
Date: Sun, 17 Jul 2011 17:47:22 -0400
Subject: [Freeipa-devel] [PATCH] 829 Generate a database password by default
Message-ID: <4E23586A.2010805@redhat.com>

If the password passed in when creating an NSS certificate database is None then a random password is generated. If it is empty ('') then an empty password is set.

Because of this the HTTP instance on replicas was created with an empty password.

https://fedorahosted.org/freeipa/ticket/1407

-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-rcrit-829-dbpasswd.patch
Type: text/x-diff
Size: 2136 bytes
Desc: not available
URL:

From: simo at redhat.com (Simo Sorce)
Date: Sun, 17 Jul 2011 19:18:44 -0400
Subject: [Freeipa-devel] [PATCH] 827 change subject of RA
In-Reply-To: <4E2357E5.8020806@redhat.com>
References: <4E2357E5.8020806@redhat.com>
Message-ID: <1310944724.23822.63.camel@willson.li.ssimo.org>

On Sun, 2011-07-17 at 17:45 -0400, Rob Crittenden wrote:
> Change the subject of the RA to not confuse dogtag users. We used 'RA
> Subsystem' and this might confuse some to think we're using the dogtag
> RA, which we are not.
>
> This won't affect existing installations, only new ones.
>
> https://fedorahosted.org/freeipa/ticket/1236

ACK.

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York
From: simo at redhat.com (Simo Sorce)
Date: Sun, 17 Jul 2011 19:19:29 -0400
Subject: [Freeipa-devel] [PATCH] 828 set plugin precedence
In-Reply-To: <4E23583C.4080707@redhat.com>
References: <4E23583C.4080707@redhat.com>
Message-ID: <1310944769.23822.64.camel@willson.li.ssimo.org>

On Sun, 2011-07-17 at 17:46 -0400, Rob Crittenden wrote:
> The default precedence of slapi plugins is 50 and all of them (ours and
> the 389-ds plugins) have this level with the exception of one (Retro
> changelog). The IPA modrdn plugin should run after all of these so I've
> bumped up the precedence to 60 as recommended by the 389-ds team.
>
> https://fedorahosted.org/freeipa/ticket/1370

ACK.

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York

From: simo at redhat.com (Simo Sorce)
Date: Sun, 17 Jul 2011 19:20:24 -0400
Subject: [Freeipa-devel] [PATCH] 829 Generate a database password by default
In-Reply-To: <4E23586A.2010805@redhat.com>
References: <4E23586A.2010805@redhat.com>
Message-ID: <1310944824.23822.65.camel@willson.li.ssimo.org>

On Sun, 2011-07-17 at 17:47 -0400, Rob Crittenden wrote:
> If the password passed in when creating an NSS certificate database is
> None then a random password is generated. If it is empty ('') then an
> empty password is set.
>
> Because of this the HTTP instance on replicas was created with an empty
> password.
>
> https://fedorahosted.org/freeipa/ticket/1407

ACK,
Simo.

-- 
Simo Sorce * Red Hat, Inc * New York
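The None-versus-empty distinction from the 829 thread above, as an added illustration rather than the FreeIPA patch itself: the default a caller gets when it passes no password decides whether the new certificate database is protected at all, so the safe default is None (a freshly generated password) and only an explicit '' yields an empty one. resolve_db_password, certdb_init_argv and certdb_init_argv_old are hypothetical names; the certutil -N -d DIR -f PWFILE form is the standard NSS invocation, built here as an argument list and not executed.

```python
import secrets


def resolve_db_password(password):
    """Decide which password a new NSS database gets.

    None  -> generate a fresh random one (the caller made no choice)
    ''    -> the caller explicitly asked for an empty password
    other -> use the caller's value verbatim

    The test must be `is None`, not `if not password`: a falsiness check
    would fold the explicit-empty case and the no-choice case together.
    """
    if password is None:
        return secrets.token_urlsafe(24)  # 192 bits, 32 URL-safe characters
    return password


def certdb_init_argv(dbdir, password=None, pwfile="/tmp/pwfile-placeholder"):
    """Corrected defaulting: omitting the password means 'generate one'.

    Returns (argv, password) so the decision can be inspected without
    touching the filesystem; pwfile is a placeholder path for the file
    that would hold the password for certutil's -f option.
    """
    chosen = resolve_db_password(password)
    return (["certutil", "-N", "-d", dbdir, "-f", pwfile], chosen)


def certdb_init_argv_old(dbdir, password=""):
    """The defaulting the ticket describes: an empty-string default means a
    caller that simply omits the argument gets an unprotected database."""
    return certdb_init_argv(dbdir, password)


def is_unprotected(password):
    """True when the database would end up with an empty password."""
    return password == ""
```

A quick audit of callers is then mechanical: any call site that relies on the old default, or passes '' without meaning to, shows up as is_unprotected(...) being True for the resolved value.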
From: mkosek at redhat.com (Martin Kosek)
Date: Mon, 18 Jul 2011 09:18:39 +0200
Subject: [Freeipa-devel] [PATCH] 091 Improve long integer type validation
In-Reply-To: <4E20B083.6060905@redhat.com>
References: <1310628067.31842.1.camel@dhcp-25-52.brq.redhat.com> <4E20B083.6060905@redhat.com>
Message-ID: <1310973521.5922.0.camel@dhcp-25-52.brq.redhat.com>

On Fri, 2011-07-15 at 17:26 -0400, Rob Crittenden wrote:
> Martin Kosek wrote:
> > Passing a number of "long" type to the IPA Int parameter invokes a
> > user-unfriendly error message about incompatible types. This patch
> > improves the Int parameter with a user-understandable message along with
> > the maximum value that can be passed.
> >
> > https://fedorahosted.org/freeipa/ticket/1346
>
> nack. We need to limit Int to 32-bit values because that is what XML-RPC
> supports. So if maxvalue isn't set we need to compare against MAXINT and
> not sys.maxint.
>
> rob

You are right. Sending a fixed patch.

Martin

-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-mkosek-091-2-improve-long-integer-type-validation.patch
Type: text/x-patch
Size: 1938 bytes
Desc: not available
URL:
From: mkosek at redhat.com (Martin Kosek)
Date: Mon, 18 Jul 2011 09:41:41 +0200
Subject: [Freeipa-devel] [PATCH] 088 Check IPA configuration in install tools
In-Reply-To: <4E204B44.6020405@redhat.com>
References: <1308741564.13562.17.camel@dhcp-25-52.brq.redhat.com> <4E026696.2030600@redhat.com> <1308825546.3951.9.camel@dhcp-25-52.brq.redhat.com> <4E204B44.6020405@redhat.com>
Message-ID: <1310974903.5922.1.camel@dhcp-25-52.brq.redhat.com>

On Fri, 2011-07-15 at 10:14 -0400, Rob Crittenden wrote:
> Martin Kosek wrote:
> > On Wed, 2011-06-22 at 18:03 -0400, Rob Crittenden wrote:
> >> Martin Kosek wrote:
> >>> Install tools may fail with an unexpected error when IPA server is not
> >>> installed on a system. Improve user experience by implementing
> >>> a check in the affected tools.
> >>>
> >>> https://fedorahosted.org/freeipa/ticket/1327
> >>> https://fedorahosted.org/freeipa/ticket/1347
> >>
> >> Can you add a docstring to the check_server_configuration() function?
> >>
> >> Looking in each utility it isn't necessarily obvious what this does but
> >> my meager attempts at renaming it all failed. I considered
> >> is_server_installed() but that implies it would return True/False. Then
> >> I considered require_server_configured() but that didn't seem to fit
> >> either. We have lots of other check_* so I guess it is fine, but some
> >> docs on where/why it is used would be nice.
> >>
> >> rob
> >
> > I see you undertake the same function naming dilemma as I do. I improved
> > the documentation for the function; it should help.
> >
> > Martin
>
> ACK

Merged to current master. Pushed to master, ipa-2-0.

Martin
From: mkosek at redhat.com (Martin Kosek)
Date: Mon, 18 Jul 2011 09:51:39 +0200
Subject: [Freeipa-devel] [PATCH] 093 Add new dnszone-find test
In-Reply-To: <4E207C18.20000@redhat.com>
References: <1310635103.31842.4.camel@dhcp-25-52.brq.redhat.com> <4E207C18.20000@redhat.com>
Message-ID: <1310975502.5922.2.camel@dhcp-25-52.brq.redhat.com>

On Fri, 2011-07-15 at 13:42 -0400, Rob Crittenden wrote:
> Martin Kosek wrote:
> > Implement a test for the new dnszone-find option --forward-only.
> > Fix the example for the reverse zone (the zone was not fully qualified and
> > the DNS plugin would forbid adding PTR records).
> >
> > https://fedorahosted.org/freeipa/ticket/1473
>
> This looks ok, just one minor thing: can you add deleting the new
> reverse dnszone to the cleanup command? ACK with that.
>
> thanks
>
> rob

Added 2 missing DNS zones to the test cleanup. Pushed to master.

Martin
From: mkosek at redhat.com (Martin Kosek)
Date: Mon, 18 Jul 2011 10:48:55 +0200
Subject: [Freeipa-devel] [PATCH] 817 Add option to wait for values
In-Reply-To: <4E235760.6000407@redhat.com>
References: <4E0E23D5.1070001@redhat.com> <4E0E3CDB.7070309@redhat.com> <4E134CC9.307@redhat.com> <1310745512.32137.31.camel@dhcp-25-52.brq.redhat.com> <4E20BDDF.3020100@redhat.com> <4E235760.6000407@redhat.com>
Message-ID: <1310978938.5922.11.camel@dhcp-25-52.brq.redhat.com>

On Sun, 2011-07-17 at 17:42 -0400, Rob Crittenden wrote:
> Rob Crittenden wrote:
> > Martin Kosek wrote:
> >> On Tue, 2011-07-05 at 13:41 -0400, Rob Crittenden wrote:
> >>> Rob Crittenden wrote:
> >>>> Rob Crittenden wrote:
> >>>>> 389-ds postop plugins, such as the managed entry and memberof plugins,
> >>>>> add values after the data has been returned to the client. In the case
> >>>>> of the managed entry plugin this affects the parent entry as well
> >>>>> (adds
> >>>>> an objectclass value).
> >>>>>
> >>>>> This wreaks havoc on our tests as the values don't match what we
> >>>>> expect.
> >>>>>
> >>>>> The solution is to wait for the postop plugins to finish their work,
> >>>>> then return. I've added this as an option. The downside is it is going
> >>>>> to naturally slow things down, so it is off by default.
> >>>>>
> >>>>> It is currently only used in the hostgroup plugin.
> >>>>>
> >>>>> The option is wait_for_attr. Add this to ~/.ipa/default.conf and
> >>>>> set it
> >>>>> to True and all the current tests will pass (assuming you apply
> >>>>> patches
> >>>>> 814-816 as well).
> >>>>>
> >>>>> So now we won't have any excuses for missing test failures in the unit
> >>>>> tests...
> >>>>>
> >>>>> rob
> >>>>
> >>>> Bah, found a small problem. Self-NACK.
> >>>>
> >>>> rob
> >>>
> >>> Updated patch attached.
> >>>
> >>> Note that I don't think there is a way for us to handle things like
> >>> memberof_indirect. We wouldn't know to wait.
> >>>
> >>> rob
> >>
> >> Works fine for the hostgroup entry. It's good it can be switched on/off.
> >>
> >> But what about other managed entries, like user entry? Would it make
> >> sense to add a wait here too? Or maybe something systematic to baseldap
> >> so that we wouldn't have to implement this wait for every managed entry.
> >>
> >> Martin
> >>
> >
> > I can certainly add it to users to check for managed groups. Making it
> > generic would be difficult because some are conditional (such as users).
> >
> > rob
>
> Added support for managed users as well.
>
> rob

Waiting for managed users works too. However, I have just noticed that the entire solution works only partially. It waits for the mepOriginEntry objectclass, but it doesn't add the new LDAP attributes "mepmanagedentry" and "memberof" to the -add result:

# ipa hostgroup-add hgroup3 --desc=foo --all --raw
-------------------------
Added hostgroup "hgroup3"
-------------------------
  dn: cn=hgroup3,cn=hostgroups,cn=accounts,dc=idm,dc=lab,dc=bos,dc=redhat,dc=com
  cn: hgroup3
  description: foo
  ipauniqueid: 20d1b8e4-b114-11e0-ab28-00163e0ed706
  objectclass: ipaobject
  objectclass: ipahostgroup
  objectclass: nestedGroup
  objectclass: groupOfNames
  objectclass: top
  objectclass: mepOriginEntry

# ipa hostgroup-show hgroup3 --all --raw
  dn: cn=hgroup3,cn=hostgroups,cn=accounts,dc=idm,dc=lab,dc=bos,dc=redhat,dc=com
  cn: hgroup3
  description: foo
  ipauniqueid: 20d1b8e4-b114-11e0-ab28-00163e0ed706
  memberof: cn=hgroup3,cn=ng,cn=alt,dc=idm,dc=lab,dc=bos,dc=redhat,dc=com <====
  mepmanagedentry: cn=hgroup3,cn=ng,cn=alt,dc=idm,dc=lab,dc=bos,dc=redhat,dc=com <====
  objectclass: ipaobject
  objectclass: ipahostgroup
  objectclass: nestedGroup
  objectclass: groupOfNames
  objectclass: top
  objectclass: mepOriginEntry

# ipa user-add --first=Foo --last=Bar fbar2 --all --raw
------------------
Added user "fbar2"
------------------
  dn: uid=fbar2,cn=users,cn=accounts,dc=idm,dc=lab,dc=bos,dc=redhat,dc=com
  uid: fbar2
  givenname: Foo
  sn: Bar
  cn: Foo Bar
  displayname: Foo Bar
  initials: FB
  homedirectory: /home/fbar2
  gecos: Foo Bar
  loginshell: /bin/sh
  krbprincipalname: fbar2@IDM.LAB.BOS.REDHAT.COM
  uidnumber: 524600004
  gidnumber: 524600004
  ipauniqueid: b22ab54c-b115-11e0-b354-00163e0ed706
  krbpwdpolicyreference: cn=global_policy,cn=IDM.LAB.BOS.REDHAT.COM,cn=kerberos,dc=idm,dc=lab,dc=bos,dc=redhat,dc=com
  objectclass: top
  objectclass: person
  objectclass: organizationalperson
  objectclass: inetorgperson
  objectclass: inetuser
  objectclass: posixaccount
  objectclass: krbprincipalaux
  objectclass: krbticketpolicyaux
  objectclass: ipaobject
  objectclass: mepOriginEntry

# ipa user-show fbar2 --all --raw
  dn: uid=fbar2,cn=users,cn=accounts,dc=idm,dc=lab,dc=bos,dc=redhat,dc=com
  uid: fbar2
  givenname: Foo
  sn: Bar
  cn: Foo Bar
  displayname: Foo Bar
  initials: FB
  homedirectory: /home/fbar2
  gecos: Foo Bar
  loginshell: /bin/sh
  krbprincipalname: fbar2@IDM.LAB.BOS.REDHAT.COM
  uidnumber: 524600004
  gidnumber: 524600004
  nsaccountlock: False
  ipauniqueid: b22ab54c-b115-11e0-b354-00163e0ed706
  krbpwdpolicyreference: cn=global_policy,cn=IDM.LAB.BOS.REDHAT.COM,cn=kerberos,dc=idm,dc=lab,dc=bos,dc=redhat,dc=com
  memberof: cn=ipausers,cn=groups,cn=accounts,dc=idm,dc=lab,dc=bos,dc=redhat,dc=com <====
  mepmanagedentry: cn=fbar2,cn=groups,cn=accounts,dc=idm,dc=lab,dc=bos,dc=redhat,dc=com <====
  objectclass: top
  objectclass: person
  objectclass: organizationalperson
  objectclass: inetorgperson
  objectclass: inetuser
  objectclass: posixaccount
  objectclass: krbprincipalaux
  objectclass: krbticketpolicyaux
  objectclass: ipaobject
  objectclass: mepOriginEntry

I think these attributes should be added in post_callback (and to the tests).

Martin
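The wait Rob describes in the 817 thread, and the gap Martin reports above (the -add result still lacking memberof and mepmanagedentry even though the objectclass has arrived), as an added example that is not part of the original messages or of the FreeIPA code: a generic polling helper that re-reads an entry until every attribute the postop plugins are expected to add is present, with a timeout so a plugin that never fires cannot hang the command, and a constructed in-memory directory that makes the plugin values visible only after a few reads. wait_for_attrs, FakeDirectory and add_entry are hypothetical names; the DNs and values are constructed stand-ins, not the lab data shown above.

```python
import time


class WaitTimeout(Exception):
    """Raised when the attributes the postop plugins should add never appear."""

    def __init__(self, dn, missing):
        super().__init__("timed out waiting for %s on %s" % (", ".join(missing), dn))
        self.dn = dn
        self.missing = missing


def wait_for_attrs(fetch, dn, attrs, timeout=5.0, interval=0.1,
                   clock=time.monotonic, sleep=time.sleep):
    """Re-read `dn` with fetch(dn) until every name in `attrs` has a value.

    Attribute types are compared case-insensitively. Returns the entry that
    finally satisfied the check; raises WaitTimeout once `timeout` seconds
    have elapsed. `clock` and `sleep` are injectable so the timeout path
    can be exercised without actually waiting.
    """
    deadline = clock() + timeout
    while True:
        entry = fetch(dn)
        present = {name.lower() for name, values in entry.items() if values}
        missing = [a for a in attrs if a.lower() not in present]
        if not missing:
            return entry
        if clock() >= deadline:
            raise WaitTimeout(dn, missing)
        sleep(interval)


def missing_after_wait(fetch, dn, attrs, **wait_kwargs):
    """Report form of the same check: [] when everything showed up, else the
    names still missing when the deadline passed."""
    try:
        wait_for_attrs(fetch, dn, attrs, **wait_kwargs)
        return []
    except WaitTimeout as err:
        return err.missing


class FakeDirectory:
    """Constructed stand-in for a server whose postop plugins finish late: the
    plugin-generated values become visible from the `reads_until_postop`-th
    read on, mimicking the window after the real server has already answered."""

    def __init__(self, dn, entry, postop_values, reads_until_postop=3):
        self.dn = dn
        self.entry = {k: list(v) for k, v in entry.items()}
        self.postop_values = postop_values
        self.reads_until_postop = reads_until_postop
        self.reads = 0

    def fetch(self, dn):
        assert dn == self.dn, "constructed directory holds a single entry"
        self.reads += 1
        if self.reads >= self.reads_until_postop:
            for name, values in self.postop_values.items():
                current = self.entry.setdefault(name, [])
                current.extend(v for v in values if v not in current)
        return {k: list(v) for k, v in self.entry.items()}


# Constructed sample: a hostgroup whose mepOriginEntry objectclass,
# mepmanagedentry and memberof values are produced by postop plugins.
HGROUP_DN = "cn=hgroup3,cn=hostgroups,cn=accounts,dc=example,dc=com"
HGROUP_ENTRY = {
    "cn": ["hgroup3"],
    "description": ["foo"],
    "objectclass": ["ipaobject", "ipahostgroup", "nestedGroup",
                    "groupOfNames", "top"],
}
POSTOP_VALUES = {
    "objectclass": ["mepOriginEntry"],
    "mepmanagedentry": ["cn=hgroup3,cn=ng,cn=alt,dc=example,dc=com"],
    "memberof": ["cn=hgroup3,cn=ng,cn=alt,dc=example,dc=com"],
}


def add_entry(directory, wait_for_attr=False, **wait_kwargs):
    """What a *-add command hands back: the first read (what the client sees
    immediately) or, with wait_for_attr, the read that carries the postop
    attributes, so the -add result matches a later -show."""
    if not wait_for_attr:
        return directory.fetch(directory.dn)
    return wait_for_attrs(directory.fetch, directory.dn,
                          ["mepmanagedentry", "memberof"], **wait_kwargs)


if __name__ == "__main__":
    fast = add_entry(FakeDirectory(HGROUP_DN, HGROUP_ENTRY, POSTOP_VALUES))
    full = add_entry(FakeDirectory(HGROUP_DN, HGROUP_ENTRY, POSTOP_VALUES),
                     wait_for_attr=True, sleep=lambda s: None)
    print("without wait:", sorted(fast))
    print("with wait:   ", sorted(full))
```

Waiting on the attributes themselves rather than on the objectclass is what closes the gap Martin shows: the objectclass can be present while the values the tests compare against are still pending.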
From: jcholast at redhat.com (Jan Cholasta)
Date: Mon, 18 Jul 2011 11:02:15 +0200
Subject: [Freeipa-devel] [PATCH] 824 make more sensible nicknames
In-Reply-To: <4E1B6FB4.5030801@redhat.com>
References: <4E1B6FB4.5030801@redhat.com>
Message-ID: <4E23F697.3010703@redhat.com>

On 11.7.2011 23:48, Rob Crittenden wrote:
> When loading a chained CA from a PKCS#7 or PEM file we used to use very
> generic nicknames, sometimes as bad as "Imported CA" in the case of
> winsync. This will use the subject of the cert to get the nickname instead.
>
> I also extended the API of some of the x509 functions to optionally take
> in the NSS database dir. I had originally used this in the patch but did
> it another way but still thought the changes useful.
>
> ticket https://fedorahosted.org/freeipa/ticket/1141
>
> Word of warning, this is going to require a fair bit of testing. The way
> to test it is to install with an external CA, then install a replica
> with a CA to be sure that works as well. Testing basic installs would be
> handy as well.
>
> rob
>

ACK, everything seems to work fine.

Honza

-- 
Jan Cholasta

From: jcholast at redhat.com (Jan Cholasta)
Date: Mon, 18 Jul 2011 12:55:00 +0200
Subject: [Freeipa-devel] [PATCH] 826 fix failing memberof tests
In-Reply-To: <4E20AF28.8000108@redhat.com>
References: <4E20AF28.8000108@redhat.com>
Message-ID: <4E241104.7090206@redhat.com>

On 15.7.2011 23:20, Rob Crittenden wrote:
> With the recent object_name/label changes some tests were failing that
> were expecting the old value which contained a space. This fixes them.
>
> rob
>

ACK.

Honza

-- 
Jan Cholasta
From: mkosek at redhat.com (Martin Kosek)
Date: Mon, 18 Jul 2011 12:56:10 +0200
Subject: [Freeipa-devel] [PATCH] 096 Fix ipa-dns-install incorrect warning
Message-ID: <1310986572.5922.13.camel@dhcp-25-52.brq.redhat.com>

ipa-dns-install incorrectly warns about non-local IP addresses when installing without the --ip-address parameter.

https://fedorahosted.org/freeipa/ticket/1486

-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-mkosek-096-fix-ipa-dns-install-incorrect-warning.patch
Type: text/x-patch
Size: 994 bytes
Desc: not available
URL:

From: jcholast at redhat.com (Jan Cholasta)
Date: Mon, 18 Jul 2011 13:49:59 +0200
Subject: [Freeipa-devel] [PATCH] 096 Fix ipa-dns-install incorrect warning
In-Reply-To: <1310986572.5922.13.camel@dhcp-25-52.brq.redhat.com>
References: <1310986572.5922.13.camel@dhcp-25-52.brq.redhat.com>
Message-ID: <4E241DE7.7010907@redhat.com>

On 18.7.2011 12:56, Martin Kosek wrote:
> ipa-dns-install incorrectly warns about non-local IP addresses
> when installing without the --ip-address parameter.
>
> https://fedorahosted.org/freeipa/ticket/1486
>

IMO the warning message should be removed from parse_ip_address altogether, as the local IP address check is done in CheckedIPAddress.__init__. This makes both parse_ip_address and verify_ip_address unnecessary, because all they do is call CheckedIPAddress, so calls to them should be replaced with calls to CheckedIPAddress directly.

I've made a patch that does all of this and also removes some redundant IP address checks from ipa-server-install, see attachment.

Honza

-- 
Jan Cholasta

-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-jcholast-31-clean-up-ip-address-checks.patch
Type: text/x-patch
Size: 5444 bytes
Desc: not available
URL:
From: jcholast at redhat.com (Jan Cholasta)
Date: Mon, 18 Jul 2011 14:35:12 +0200
Subject: [Freeipa-devel] [PATCH] 088 Check IPA configuration in install tools
In-Reply-To: <1310974903.5922.1.camel@dhcp-25-52.brq.redhat.com>
References: <1308741564.13562.17.camel@dhcp-25-52.brq.redhat.com> <4E026696.2030600@redhat.com> <1308825546.3951.9.camel@dhcp-25-52.brq.redhat.com> <4E204B44.6020405@redhat.com> <1310974903.5922.1.camel@dhcp-25-52.brq.redhat.com>
Message-ID: <4E242880.6040300@redhat.com>

On 18.7.2011 09:41, Martin Kosek wrote:
> On Fri, 2011-07-15 at 10:14 -0400, Rob Crittenden wrote:
>> Martin Kosek wrote:
>>> On Wed, 2011-06-22 at 18:03 -0400, Rob Crittenden wrote:
>>>> Martin Kosek wrote:
>>>>> Install tools may fail with an unexpected error when IPA server is not
>>>>> installed on a system. Improve user experience by implementing
>>>>> a check in the affected tools.
>>>>>
>>>>> https://fedorahosted.org/freeipa/ticket/1327
>>>>> https://fedorahosted.org/freeipa/ticket/1347
>>>>
>>>> Can you add a docstring to the check_server_configuration() function?
>>>>
>>>> Looking in each utility it isn't necessarily obvious what this does but
>>>> my meager attempts at renaming it all failed. I considered
>>>> is_server_installed() but that implies it would return True/False. Then
>>>> I considered require_server_configured() but that didn't seem to fit
>>>> either. We have lots of other check_* so I guess it is fine, but some
>>>> docs on where/why it is used would be nice.
>>>>
>>>> rob
>>>
>>> I see you undertake the same function naming dilemma as I do. I improved
>>> the documentation for the function; it should help.
>>>
>>> Martin
>>
>> ACK
>
> Merged to current master. Pushed to master, ipa-2-0.
>
> Martin
>

I've just tried to build current master and got this:

./make-lint
install/tools/ipa-replica-prepare:68: [E0602, parse_options] Undefined variable 'config'

Does anyone run make-lint before submitting a patch or during review at all? :(

Honza

-- 
Jan Cholasta
From: mkosek at redhat.com (Martin Kosek)
Date: Mon, 18 Jul 2011 15:00:16 +0200
Subject: [Freeipa-devel] [PATCH] 088 Check IPA configuration in install tools
In-Reply-To: <4E242880.6040300@redhat.com>
References: <1308741564.13562.17.camel@dhcp-25-52.brq.redhat.com> <4E026696.2030600@redhat.com> <1308825546.3951.9.camel@dhcp-25-52.brq.redhat.com> <4E204B44.6020405@redhat.com> <1310974903.5922.1.camel@dhcp-25-52.brq.redhat.com> <4E242880.6040300@redhat.com>
Message-ID: <1310994018.5922.30.camel@dhcp-25-52.brq.redhat.com>

On Mon, 2011-07-18 at 14:35 +0200, Jan Cholasta wrote:
> On 18.7.2011 09:41, Martin Kosek wrote:
> > On Fri, 2011-07-15 at 10:14 -0400, Rob Crittenden wrote:
> >> Martin Kosek wrote:
> >>> On Wed, 2011-06-22 at 18:03 -0400, Rob Crittenden wrote:
> >>>> Martin Kosek wrote:
> >>>>> Install tools may fail with an unexpected error when IPA server is not
> >>>>> installed on a system. Improve user experience by implementing
> >>>>> a check in the affected tools.
> >>>>>
> >>>>> https://fedorahosted.org/freeipa/ticket/1327
> >>>>> https://fedorahosted.org/freeipa/ticket/1347
> >>>>
> >>>> Can you add a docstring to the check_server_configuration() function?
> >>>>
> >>>> Looking in each utility it isn't necessarily obvious what this does but
> >>>> my meager attempts at renaming it all failed. I considered
> >>>> is_server_installed() but that implies it would return True/False. Then
> >>>> I considered require_server_configured() but that didn't seem to fit
> >>>> either. We have lots of other check_* so I guess it is fine, but some
> >>>> docs on where/why it is used would be nice.
> >>>>
> >>>> rob
> >>>
> >>> I see you undertake the same function naming dilemma as I do. I improved
> >>> the documentation for the function; it should help.
> >>>
> >>> Martin
> >>
> >> ACK
> >
> > Merged to current master. Pushed to master, ipa-2-0.
> >
> > Martin
> >
>
> I've just tried to build current master and got this:
>
> ./make-lint
> install/tools/ipa-replica-prepare:68: [E0602, parse_options] Undefined
> variable 'config'
>
> Does anyone run make-lint before submitting a patch or during review at
> all? :(
>
> Honza
>

We don't - so that you can rant on the list :-) Of course we do, but this one slipped in. Thanks for catching this.

Fixed and pushed under the one-liner rule (patch attached).

Martin

-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-mkosek-097-fix-typo-in-ipa-replica-prepare.patch
Type: text/x-patch
Size: 907 bytes
Desc: not available
URL:
From: jcholast at redhat.com (Jan Cholasta)
Date: Mon, 18 Jul 2011 15:04:35 +0200
Subject: [Freeipa-devel] [PATCH] 088 Check IPA configuration in install tools
In-Reply-To: <1310994018.5922.30.camel@dhcp-25-52.brq.redhat.com>
References: <1308741564.13562.17.camel@dhcp-25-52.brq.redhat.com> <4E026696.2030600@redhat.com> <1308825546.3951.9.camel@dhcp-25-52.brq.redhat.com> <4E204B44.6020405@redhat.com> <1310974903.5922.1.camel@dhcp-25-52.brq.redhat.com> <4E242880.6040300@redhat.com> <1310994018.5922.30.camel@dhcp-25-52.brq.redhat.com>
Message-ID: <4E242F63.2010809@redhat.com>

On 18.7.2011 15:00, Martin Kosek wrote:
> On Mon, 2011-07-18 at 14:35 +0200, Jan Cholasta wrote:
>> On 18.7.2011 09:41, Martin Kosek wrote:
>>> On Fri, 2011-07-15 at 10:14 -0400, Rob Crittenden wrote:
>>>> Martin Kosek wrote:
>>>>> On Wed, 2011-06-22 at 18:03 -0400, Rob Crittenden wrote:
>>>>>> Martin Kosek wrote:
>>>>>>> Install tools may fail with an unexpected error when IPA server is not
>>>>>>> installed on a system. Improve user experience by implementing
>>>>>>> a check in the affected tools.
>>>>>>>
>>>>>>> https://fedorahosted.org/freeipa/ticket/1327
>>>>>>> https://fedorahosted.org/freeipa/ticket/1347
>>>>>>
>>>>>> Can you add a docstring to the check_server_configuration() function?
>>>>>>
>>>>>> Looking in each utility it isn't necessarily obvious what this does but
>>>>>> my meager attempts at renaming it all failed. I considered
>>>>>> is_server_installed() but that implies it would return True/False. Then
>>>>>> I considered require_server_configured() but that didn't seem to fit
>>>>>> either. We have lots of other check_* so I guess it is fine, but some
>>>>>> docs on where/why it is used would be nice.
>>>>>>
>>>>>> rob
>>>>>
>>>>> I see you undertake the same function naming dilemma as I do. I improved
>>>>> the documentation for the function; it should help.
>>>>>
>>>>> Martin
>>>>
>>>> ACK
>>>
>>> Merged to current master. Pushed to master, ipa-2-0.
>>>
>>> Martin
>>>
>>
>> I've just tried to build current master and got this:
>>
>> ./make-lint
>> install/tools/ipa-replica-prepare:68: [E0602, parse_options] Undefined
>> variable 'config'
>>
>> Does anyone run make-lint before submitting a patch or during review at
>> all? :(
>>
>> Honza
>>
>
> We don't - so that you can rant on the list :-) Of course we do, but
> this one slipped in. Thanks for catching this.
>
> Fixed and pushed under the one-liner rule (patch attached).
>
> Martin

That's a relief, I got frightened for a moment :-)

Honza

-- 
Jan Cholasta

From: rcritten at redhat.com (Rob Crittenden)
Date: Mon, 18 Jul 2011 09:43:40 -0400
Subject: [Freeipa-devel] [PATCH] 091 Improve long integer type validation
In-Reply-To: <1310973521.5922.0.camel@dhcp-25-52.brq.redhat.com>
References: <1310628067.31842.1.camel@dhcp-25-52.brq.redhat.com> <4E20B083.6060905@redhat.com> <1310973521.5922.0.camel@dhcp-25-52.brq.redhat.com>
Message-ID: <4E24388C.3080400@redhat.com>

Martin Kosek wrote:
> On Fri, 2011-07-15 at 17:26 -0400, Rob Crittenden wrote:
>> Martin Kosek wrote:
>>> Passing a number of "long" type to the IPA Int parameter invokes a
>>> user-unfriendly error message about incompatible types. This patch
>>> improves the Int parameter with a user-understandable message along with
>>> the maximum value that can be passed.
>>>
>>> https://fedorahosted.org/freeipa/ticket/1346
>>
>> nack. We need to limit Int to 32-bit values because that is what XML-RPC
>> supports. So if maxvalue isn't set we need to compare against MAXINT and
>> not sys.maxint.
>>
>> rob
>
> You are right. Sending a fixed patch.
>
> Martin

ACK
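The bound Rob asks for in the 091 thread, as an added example that is not the FreeIPA patch or its Int parameter: an XML-RPC <int>/<i4> is a four-byte signed integer, so a value that Python holds comfortably but that exceeds 2^31 - 1 can never be serialised on the wire and is better rejected up front with a message naming the largest acceptable value. validate_int, validation_message and ValidationError are hypothetical names; the example goes one step further than the message by also clamping a parameter's own maxvalue/minvalue to the wire limits rather than trusting them blindly.

```python
MAXINT = 2 ** 31 - 1   # largest value an XML-RPC <int>/<i4> can carry
MININT = -(2 ** 31)    # and the smallest


class ValidationError(ValueError):
    """User-facing validation failure, worded for the CLI rather than a traceback."""


def validate_int(value, minvalue=None, maxvalue=None, name="value"):
    """Validate an integer parameter against its bounds and the wire format.

    The effective bounds are the parameter's own minvalue/maxvalue when set,
    clamped to the 32-bit XML-RPC range, and the XML-RPC range itself
    otherwise. The message states the limit so the user knows what to pass.
    """
    if isinstance(value, bool) or not isinstance(value, int):
        raise ValidationError("%s: must be an integer" % name)
    upper = MAXINT if maxvalue is None else min(maxvalue, MAXINT)
    lower = MININT if minvalue is None else max(minvalue, MININT)
    if value > upper:
        raise ValidationError("%s: can be at most %d" % (name, upper))
    if value < lower:
        raise ValidationError("%s: must be at least %d" % (name, lower))
    return value


def validation_message(value, **kwargs):
    """Return the user-facing message for an invalid value, or None if valid."""
    try:
        validate_int(value, **kwargs)
    except ValidationError as err:
        return str(err)
    return None
```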
From: mkosek at redhat.com (Martin Kosek)
Date: Mon, 18 Jul 2011 16:04:13 +0200
Subject: [Freeipa-devel] [PATCH] 091 Improve long integer type validation
In-Reply-To: <4E24388C.3080400@redhat.com>
References: <1310628067.31842.1.camel@dhcp-25-52.brq.redhat.com> <4E20B083.6060905@redhat.com> <1310973521.5922.0.camel@dhcp-25-52.brq.redhat.com> <4E24388C.3080400@redhat.com>
Message-ID: <1310997855.5922.31.camel@dhcp-25-52.brq.redhat.com>

On Mon, 2011-07-18 at 09:43 -0400, Rob Crittenden wrote:
> Martin Kosek wrote:
> > On Fri, 2011-07-15 at 17:26 -0400, Rob Crittenden wrote:
> >> Martin Kosek wrote:
> >>> Passing a number of "long" type to the IPA Int parameter invokes a
> >>> user-unfriendly error message about incompatible types. This patch
> >>> improves the Int parameter with a user-understandable message along with
> >>> the maximum value that can be passed.
> >>>
> >>> https://fedorahosted.org/freeipa/ticket/1346
> >>
> >> nack. We need to limit Int to 32-bit values because that is what XML-RPC
> >> supports. So if maxvalue isn't set we need to compare against MAXINT and
> >> not sys.maxint.
> >>
> >> rob
> >
> > You are right. Sending a fixed patch.
> >
> > Martin
>
> ACK

Pushed to master, ipa-2-0.

Martin

From: jcholast at redhat.com (Jan Cholasta)
Date: Mon, 18 Jul 2011 17:16:30 +0200
Subject: [Freeipa-devel] [PATCH] 32 Don't delete NIS netgroup compat suffix on 'ipa-nis-manage disable'
Message-ID: <4E244E4E.3080005@redhat.com>

https://fedorahosted.org/freeipa/ticket/1469

Honza

-- 
Jan Cholasta
From: rcritten at redhat.com (Rob Crittenden)
Date: Mon, 18 Jul 2011 11:34:22 -0400
Subject: [Freeipa-devel] [PATCH] 825 add dogtag replication management
In-Reply-To: <4E20A893.5050704@redhat.com>
References: <4E1FB70D.3000605@redhat.com> <4E2035F0.5020400@redhat.com> <1310737881.32137.26.camel@dhcp-25-52.brq.redhat.com> <4E20484F.5040900@redhat.com> <4E206626.2080406@redhat.com> <4E207186.6040509@redhat.com> <4E2072CB.4030902@redhat.com> <4E2093E0.7070306@redhat.com> <4E20A893.5050704@redhat.com>
Message-ID: <4E24527E.8030803@redhat.com>

Jan Cholasta wrote:
> On 15.7.2011 21:24, Rob Crittenden wrote:
>> Rich Megginson wrote:
>>> On 07/15/2011 10:57 AM, Rob Crittenden wrote:
>>>> Rich Megginson wrote:
>>>>> On 07/15/2011 08:01 AM, Rob Crittenden wrote:
>>>>>> Martin Kosek wrote:
>>>>>>> On Fri, 2011-07-15 at 14:43 +0200, Jan Cholasta wrote:
>>>>>>>> On 15.7.2011 05:42, Rob Crittenden wrote:
>>>>>>>>> Add a separate tool for now to do dogtag replication agreement
>>>>>>>>> management. The syntax is the same for IPA agreements with the
>>>>>>>>> exception
>>>>>>>>> that the DM password is always required and it isn't possible to
>>>>>>>>> delegate the management of this.
>>>>>>>>>
>>>>>>>>> ticket https://fedorahosted.org/freeipa/ticket/1250
>>>>>>>>>
>>>>>>>>> rob
>>>>>>>>>
>>>>>>>>
>>>>>>>> NACK
>>>>>>>>
>>>>>>>> 'ipa-csreplica-manage list server' doesn't list the peers of the
>>>>>>>> specified server, but the peers of localhost.
>>>>>>>>
>>>>>>>> Connecting an already connected pair of replicas duplicates the
>>>>>>>> replication
>>>>>>>> information ('ipa-csreplica-manage list server' shows the same
>>>>>>>> hostname
>>>>>>>> twice).
>>>>>>>>
>>>>>>>> There is trailing whitespace on line 87 of the patch.
>>>>>>>>
>>>>>>>> BTW I don't understand why it is possible (or necessary?) to be
>>>>>>>> able to
>>>>>>>> have a CS replication topology that is different from the main IPA
>>>>>>>> replication topology (ipa-csreplica-manage allows you to do
>>>>>>>> that). Is
>>>>>>>> there a reason for this?
>>>>>>>>
>>>>>>>> Honza
>>>>>>>>
>>>>>>>
>>>>>>> And some issues from me:
>>>>>>>
>>>>>>> 1) Unhelpful error message when force-syncing from a master
>>>>>>> without a
>>>>>>> replication agreement:
>>>>>>>
>>>>>>> # ipa-csreplica-manage force-sync --from=HOST
>>>>>>> Directory Manager password:
>>>>>>> ipa: ERROR: Unable to find replication agreement for
>>>>>>> vm-060.idm.lab.bos.redhat.com
>>>>>>> unexpected error: Unable to proceed
>>>>>>>
>>>>>>> 2) Minor stuff in man page:
>>>>>>>
>>>>>>> Unindented Exit statuses:
>>>>>>> EXIT STATUS
>>>>>>> 0 if the command was successful
>>>>>>> 1 if an error occurred
>>>>>>>
>>>>>>> Missing dot: The default is the machine on which the command is run
>>>>>>> Not
>>>>>>> honoured by the re-initialize command.
>>>>>>>
>>>>>>>
>>>>>>> Otherwise it looks good.
>>>>>>>
>>>>>>> Martin
>>>>>>>
>>>>>>
>>>>>> This should address all the issues raised.
>>>>>>
>>>>>> There are several reasons for the different topology:
>>>>>>
>>>>>> 1. A given IPA server may not have a CA installed
>>>>>> 2. Some aspects of ipa-replica-manage can be delegated. We can't
>>>>>> delegate CS replica management because it is in a different directory
>>>>>> server. We don't have users stored there so can't map the GSSAPI
>>>>>> credentials. So only Directory Manager can operate on it for now.
>>>>>> 3. Flexibility. You may want way more connections for users than for
>>>>>> the CA.
>>>>>
>>>>> + if starttls:
>>>>> + self.conn = ipaldap.IPAdmin(hostname, port=port)
>>>>> + ldap.set_option(ldap.OPT_X_TLS_CACERTFILE, CACERT)
>>>>>
>>>>> Why in the starttls case do you not call ipaldap.IPAdmin(hostname,
>>>>> port=PORT, cacert=CACERT) ?
>>>>
>>>> Because the port is the non-secure port and opening an SSL connection
>>>> to it failed.
>>> Ah, ok. So that tells IPAdmin to use this CACERT and to use ldaps.
>>>>
>>>>>
>>>>> + managers = entry.getValues('nsDS5ReplicaBindDN')
>>>>> + if replica_binddn not in managers:
>>>>>
>>>>> You might want to use the dn.py code, or at least normalize the DNs in
>>>>> managers before comparing
>>>>
>>>> That's a good idea.
>>>>
>>>>>
>>>>> + if master is None:
>>>>> + entry.setValues('nsds5replicaupdateschedule', '0000-2359
>>>>> 0123456')
>>>>>
>>>>> You should just omit nsds5replicaupdateschedule
>>>>
>>>> It failed with an operations error when I tried removing the attribute
>>>> either directly with a MOD_DELETE or doing a MOD_REPLACE with nothing.
>>>> I assume this is another attribute in cn=config that once set cannot
>>>> be undone.
>>> Right. Ok. When you add the agreement entry, you can just omit it. But
>>> if you are trying to modify an existing agreement entry, you can't
>>> MOD_DELETE it or MOD_REPLACE with an empty value.
>>
>> Ok, good point about normalizing, updated patch attached.
>>
>> rob
>>
>
> Everything I found is fixed. You might want to take a look at what
> Martin found, though.
>
> Honza
>

Updated patch to use the DN class a bit more.

rob

-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-rcrit-825-4-replicamanage.patch
Type: text/x-diff
Size: 35914 bytes
Desc: not available
URL:
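Rich's point in the thread above, that the nsDS5ReplicaBindDN membership check should be made on normalized DNs, as an added example that is not part of the original messages or of FreeIPA's dn.py: without normalization a bind DN that differs only in case or spacing reads as absent and gets added a second time. split_dn, normalize_dn, binddn_allowed and binddn_allowed_naive are hypothetical names; the example folds case on attribute values as well as types, which is right for the caseIgnore syntaxes used by cn, uid and dc (a schema-aware implementation would check the syntax before folding other attributes).

```python
def split_dn(dn):
    """Split a DN string into its RDN strings on unescaped commas.

    A backslash escapes the following character, so 'cn=Smith\\, John,ou=x'
    stays one RDN; the escape is preserved in the returned pieces.
    """
    parts, buf, escaped = [], [], False
    for ch in dn:
        if escaped:
            buf.append(ch)
            escaped = False
        elif ch == "\\":
            buf.append(ch)
            escaped = True
        elif ch == ",":
            parts.append("".join(buf))
            buf = []
        else:
            buf.append(ch)
    parts.append("".join(buf))
    return parts


def normalize_dn(dn):
    """Canonical form for comparison: attribute types and values lower-cased,
    whitespace around '=' and ',' removed. Raises ValueError on an RDN with
    no '=' so a malformed value cannot silently compare unequal to everything."""
    rdns = []
    for rdn in split_dn(dn):
        attr, sep, value = rdn.partition("=")
        if not sep or not attr.strip():
            raise ValueError("malformed RDN: %r" % rdn)
        rdns.append("%s=%s" % (attr.strip().lower(), value.strip().lower()))
    return ",".join(rdns)


def binddn_allowed(replica_binddn, managers):
    """The membership test the review discusses, done on normalized DNs."""
    wanted = normalize_dn(replica_binddn)
    return any(normalize_dn(m) == wanted for m in managers)


def binddn_allowed_naive(replica_binddn, managers):
    """The unnormalized check: a different case or spacing reads as absent,
    and the caller would then add the same bind DN again."""
    return replica_binddn in managers
```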
From: rmeggins at redhat.com (Rich Megginson) Date: Mon, 18 Jul 2011 09:38:27 -0600 Subject: [Freeipa-devel] [PATCH] 825 add dogtag replication management In-Reply-To: <4E24527E.8030803@redhat.com> References: <4E1FB70D.3000605@redhat.com> <4E2035F0.5020400@redhat.com> <1310737881.32137.26.camel@dhcp-25-52.brq.redhat.com> <4E20484F.5040900@redhat.com> <4E206626.2080406@redhat.com> <4E207186.6040509@redhat.com> <4E2072CB.4030902@redhat.com> <4E2093E0.7070306@redhat.com> <4E20A893.5050704@redhat.com> <4E24527E.8030803@redhat.com> Message-ID: <4E245373.5030806@redhat.com> On 07/18/2011 09:34 AM, Rob Crittenden wrote: > Jan Cholasta wrote: >> On 15.7.2011 21:24, Rob Crittenden wrote: >>> Rich Megginson wrote: >>>> On 07/15/2011 10:57 AM, Rob Crittenden wrote: >>>>> Rich Megginson wrote: >>>>>> On 07/15/2011 08:01 AM, Rob Crittenden wrote: >>>>>>> Martin Kosek wrote: >>>>>>>> On Fri, 2011-07-15 at 14:43 +0200, Jan Cholasta wrote: >>>>>>>>> On 15.7.2011 05:42, Rob Crittenden wrote: >>>>>>>>>> Add a separate tool for now to do dogtag replication agreement >>>>>>>>>> management. The syntax is the same for IPA agreements with the >>>>>>>>>> exception >>>>>>>>>> that the DM password is always required and it isn't possible to >>>>>>>>>> delegate the management of this. >>>>>>>>>> >>>>>>>>>> ticket https://fedorahosted.org/freeipa/ticket/1250 >>>>>>>>>> >>>>>>>>>> rob >>>>>>>>>> >>>>>>>>> >>>>>>>>> NACK >>>>>>>>> >>>>>>>>> 'ipa-csreplica-manage list server' doesn't list the peers of the >>>>>>>>> specified server, but the peers of localhost. >>>>>>>>> >>>>>>>>> Connecting already connected pair of replicas duplicates the >>>>>>>>> replication >>>>>>>>> information ('ipa-csreplica-manage list server' shows the same >>>>>>>>> hostname >>>>>>>>> twice). >>>>>>>>> >>>>>>>>> There is trailing whitespace on line 87 of the patch. >>>>>>>>> >>>>>>>>> BTW I don't understand why is it possible (or necessary?) 
to be >>>>>>>>> able to >>>>>>>>> have CS replication topology that is different from the main IPA >>>>>>>>> replication topology (ipa-csreplica-manage allows you to do >>>>>>>>> that). Is >>>>>>>>> there a reason for this? >>>>>>>>> >>>>>>>>> Honza >>>>>>>>> >>>>>>>> >>>>>>>> And some issues from me: >>>>>>>> >>>>>>>> 1) Unhelpful error message when force-syncing from a master >>>>>>>> without a >>>>>>>> replication agreement: >>>>>>>> >>>>>>>> # ipa-csreplica-manage force-sync --from=HOST >>>>>>>> Directory Manager password: >>>>>>>> ipa: ERROR: Unable to find replication agreement for >>>>>>>> vm-060.idm.lab.bos.redhat.com >>>>>>>> unexpected error: Unable to proceed >>>>>>>> >>>>>>>> 2) Minor stuff in man page: >>>>>>>> >>>>>>>> Unindented Exit statuses: >>>>>>>> EXIT STATUS >>>>>>>> 0 if the command was successful >>>>>>>> 1 if an error occurred >>>>>>>> >>>>>>>> Missing dot: The default is the machine on which the command is >>>>>>>> run >>>>>>>> Not >>>>>>>> honoured by the re-initialize command. >>>>>>>> >>>>>>>> >>>>>>>> Otherwise it looks good. >>>>>>>> >>>>>>>> Martin >>>>>>>> >>>>>>> >>>>>>> This should address all the issues raised. >>>>>>> >>>>>>> The reason for different topology has several reasons: >>>>>>> >>>>>>> 1. A given IPA server may not have a CA installed >>>>>>> 2. Some aspects of ipa-replica-manage can be delegated. We can't >>>>>>> delegate CS replica management because it is in a different >>>>>>> directory >>>>>>> server. We don't have users stored there so can't map the GSSAPI >>>>>>> credentials. So only Directory Manager can operate on it for now. >>>>>>> 3. Flexibility. You may want way more connections for users than >>>>>>> for >>>>>>> the CA. >>>>>> >>>>>> + if starttls: >>>>>> + self.conn = ipaldap.IPAdmin(hostname, port=port) >>>>>> + ldap.set_option(ldap.OPT_X_TLS_CACERTFILE, CACERT) >>>>>> >>>>>> Why in the starttls case do you not call ipaldap.IPAdmin(hostname, >>>>>> port=PORT, cacert=CACERT) ? 
>>>>> >>>>> Because the port is the non-secure port and opening an SSL connection >>>>> to it failed. >>>> Ah, ok. So that tells IPAdmin to use this CACERT and to use ldaps. >>>>> >>>>>> >>>>>> + managers = entry.getValues('nsDS5ReplicaBindDN') >>>>>> + if replica_binddn not in managers: >>>>>> >>>>>> You might want to use the dn.py code, or at least normalize the >>>>>> DNs in >>>>>> managers before comparing >>>>> >>>>> That's a good idea. >>>>> >>>>>> >>>>>> + if master is None: >>>>>> + entry.setValues('nsds5replicaupdateschedule', '0000-2359 >>>>>> 0123456') >>>>>> >>>>>> You should just omit nsds5replicaupdateschedule >>>>> >>>>> It failed with an operations error when I tried removing the >>>>> attribute >>>>> either directly with a MOD_DELETE or doing a MOD_REPLACE with >>>>> nothing. >>>>> I assume this is another attribute in cn=config that once set cannot >>>>> be undone. >>>> Right. Ok. When you add the agreement entry, you can just omit it. But >>>> if you are trying to modify an existing agreement entry, you can't >>>> MOD_DELETE it or MOD_REPLACE with an empty value. >>> >>> Ok, good point about normalizing, updated patch attached. >>> >>> rob >>> >> >> Everything I found is fixed. You might want to take a look at what >> Martin found, though. >> >> Honza >> > > Updated patch to use the DN class a bit more. ack > > rob From edewata at redhat.com Mon Jul 18 15:44:44 2011 From: edewata at redhat.com (Endi Sukma Dewata) Date: Mon, 18 Jul 2011 10:44:44 -0500 Subject: [Freeipa-devel] [PATCH] 208 Entity select widget improvements Message-ID: <4E2454EC.1010503@redhat.com> The IPA.entity_select_widget has been modified into a searchable and editable drop down list. Ticket #1361 -- Endi S. Dewata -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-edewata-0208-Entity-select-widget-improvements.patch Type: text/x-patch Size: 41361 bytes Desc: not available URL: From jhrozek at redhat.com Mon Jul 18 16:06:20 2011
From: jhrozek at redhat.com (Jakub Hrozek) Date: Mon, 18 Jul 2011 18:06:20 +0200 Subject: [Freeipa-devel] [PATCH] 25 Update minimum required version of python-netaddr In-Reply-To: <4E0E1A22.7040905@redhat.com> References: <4E09CE73.1000503@redhat.com> <4E09E1B1.1070300@redhat.com> <4E0DA2E7.8040903@redhat.com> <4E0DDB08.1010201@redhat.com> <4E0E1A22.7040905@redhat.com> Message-ID: <4E2459FC.4000108@redhat.com> On 07/01/2011 09:04 PM, Jan Cholasta wrote: > On 1.7.2011 16:34, Jakub Hrozek wrote: >> On 07/01/2011 06:35 AM, Jan Cholasta wrote: >>> On 28.6.2011 16:14, Jakub Hrozek wrote: >>>> On 06/28/2011 08:52 AM, Jan Cholasta wrote: >>>>> https://fedorahosted.org/freeipa/ticket/1288 >>>>> >>>>> Honza >>>>> >>>> >>>> I gather this is done in order to get rid of the "try: except all" hack >>>> in installer? >>>> >>>> This works fine with F15 and F16 in mind. However, if the specfile is >>>> intended for being usable on RHEL as well (at least for development), >>>> some %if magic is required -- the fix is not there yet. >>>> >>> >>> Updated so that 0.7.5-3 is required on Fedora >= 15 and RHEL >= 6. >>> >>> Honza >>> >> >> Sorry, I wasn't clear in the previous message. >> >> The fix so far is *only* in Fedora, not in any RHEL versions. So the >> versioned requires must apply only to Fedora until we release >> python-netaddr errata, be it in 6.2 or 6.3 > > Thanks for the info. I really need to learn more about RHEL :-) > > Updated patch attached. > > Honza > I missed the new revision - sorry. Ack! -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 261 bytes Desc: OpenPGP digital signature URL: From rcritten at redhat.com Mon Jul 18 16:08:38 2011 
From: rcritten at redhat.com (Rob Crittenden) Date: Mon, 18 Jul 2011 12:08:38 -0400 Subject: [Freeipa-devel] [PATCH] 823 validate certificate subject base In-Reply-To: <1310544964.13088.5.camel@dhcp-25-52.brq.redhat.com> References: <4E15D895.8090908@redhat.com> <1310544964.13088.5.camel@dhcp-25-52.brq.redhat.com> Message-ID: <4E245A86.2020201@redhat.com> Martin Kosek wrote: > On Thu, 2011-07-07 at 12:02 -0400, Rob Crittenden wrote: >> Use John's new DN class to verify that the subject base passed into >> ipa-server-install is valid. >> >> https://fedorahosted.org/freeipa/ticket/1176 >> >> rob > > Works fine for basic errors. But what if the DN is syntactically valid, > but it makes no sense for CA? For example: > > # ipa-server-install --subject="FOO=BAR" > ... > Configuring certificate server: Estimated time 6 minutes > [1/16]: creating certificate server user > [2/16]: creating pki-ca instance > [3/16]: restarting certificate server > [4/16]: configuring certificate server instance > root : CRITICAL failed to configure ca instance Command > '/usr/bin/perl /usr/bin/pkisilent ConfigureCA -cs_hostname > vm-099.idm.lab.bos.redhat.com -cs_port 9445 > -client_certdb_dir /tmp/tmp-VQeqTM -client_certdb_pwd 'XXXXXXXX' > -preop_pin p8NYnreBzTcV8Oq13vCu -domain_name IPA -admin_user admin > -admin_email root at localhost -admin_password 'XXXXXXXX' -agent_name > ipa-ca-agent -agent_key_size 2048 -agent_key_type rsa > -agent_cert_subject "CN=ipa-ca-agent,FOO=BAR" -ldap_host > vm-099.idm.lab.bos.redhat.com -ldap_port 7389 -bind_dn "cn=Directory > Manager" -bind_password 'XXXXXXXX' -base_dn o=ipaca -db_name ipaca > -key_size 2048 -key_type rsa -key_algorithm SHA256withRSA -save_p12 true > -backup_pwd 'XXXXXXXX' -subsystem_name pki-cad -token_name internal > -ca_subsystem_cert_subject_name "CN=CA Subsystem,FOO=BAR" > -ca_ocsp_cert_subject_name "CN=OCSP Subsystem,FOO=BAR" > -ca_server_cert_subject_name "CN=vm-099.idm.lab.bos.redhat.com,FOO=BAR" > 
-ca_audit_signing_cert_subject_name "CN=CA Audit,FOO=BAR" > -ca_sign_cert_subject_name "CN=Certificate Authority,FOO=BAR" -external > false -clone false' returned non-zero exit status 255 > Unexpected error - see ipaserver-install.log for details: > Configuration of CA failed > > > Could we cover also these cases in the callback? > > Martin > Added list of allowed attributes. rob -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-rcrit-823-2-subjectbase.patch Type: text/x-diff Size: 2883 bytes Desc: not available URL: From mkosek at redhat.com Mon Jul 18 16:31:26 2011 
From: mkosek at redhat.com (Martin Kosek) Date: Mon, 18 Jul 2011 18:31:26 +0200 Subject: [Freeipa-devel] [PATCH] 823 validate certificate subject base In-Reply-To: <4E245A86.2020201@redhat.com> References: <4E15D895.8090908@redhat.com> <1310544964.13088.5.camel@dhcp-25-52.brq.redhat.com> <4E245A86.2020201@redhat.com> Message-ID: <1311006688.5922.33.camel@dhcp-25-52.brq.redhat.com> On Mon, 2011-07-18 at 12:08 -0400, Rob Crittenden wrote: > Martin Kosek wrote: > > On Thu, 2011-07-07 at 12:02 -0400, Rob Crittenden wrote: > >> Use John's new DN class to verify that the subject base passed into > >> ipa-server-install is valid. > >> > >> https://fedorahosted.org/freeipa/ticket/1176 > >> > >> rob > > > > Works fine for basic errors. But what if the DN is syntactically valid, > > but it makes no sense for CA? For example: > > > > # ipa-server-install --subject="FOO=BAR" > > ... > > Configuring certificate server: Estimated time 6 minutes > > [1/16]: creating certificate server user > > [2/16]: creating pki-ca instance > > [3/16]: restarting certificate server > > [4/16]: configuring certificate server instance > > root : CRITICAL failed to configure ca instance Command > > '/usr/bin/perl /usr/bin/pkisilent ConfigureCA -cs_hostname > > vm-099.idm.lab.bos.redhat.com -cs_port 9445 > > -client_certdb_dir /tmp/tmp-VQeqTM -client_certdb_pwd 'XXXXXXXX' > > -preop_pin p8NYnreBzTcV8Oq13vCu -domain_name IPA -admin_user admin > > -admin_email root at localhost -admin_password 'XXXXXXXX' -agent_name > > ipa-ca-agent -agent_key_size 2048 -agent_key_type rsa > > -agent_cert_subject "CN=ipa-ca-agent,FOO=BAR" -ldap_host > > vm-099.idm.lab.bos.redhat.com -ldap_port 7389 -bind_dn "cn=Directory > > Manager" -bind_password 'XXXXXXXX' -base_dn o=ipaca -db_name ipaca > > -key_size 2048 -key_type rsa -key_algorithm SHA256withRSA -save_p12 true > > -backup_pwd 'XXXXXXXX' -subsystem_name pki-cad -token_name internal > > -ca_subsystem_cert_subject_name "CN=CA Subsystem,FOO=BAR" > > 
-ca_ocsp_cert_subject_name "CN=OCSP Subsystem,FOO=BAR" > > -ca_server_cert_subject_name "CN=vm-099.idm.lab.bos.redhat.com,FOO=BAR" > > -ca_audit_signing_cert_subject_name "CN=CA Audit,FOO=BAR" > > -ca_sign_cert_subject_name "CN=Certificate Authority,FOO=BAR" -external > > false -clone false' returned non-zero exit status 255 > > Unexpected error - see ipaserver-install.log for details: > > Configuration of CA failed > > > > > > Could we cover also these cases in the callback? > > > > Martin > > > > Added list of allowed attributes. > > rob ACK, works fine. I would just recommend to split the line with VALID_SUBJECT_ATTRS before pushing, it's quite long. Martin From mkosek at redhat.com Mon Jul 18 16:48:05 2011 From: mkosek at redhat.com (Martin Kosek) Date: Mon, 18 Jul 2011 18:48:05 +0200 Subject: [Freeipa-devel] [PATCH] 32 Don't delete NIS netgroup compat suffix on 'ipa-nis-manage disable' In-Reply-To: <4E244E4E.3080005@redhat.com> References: <4E244E4E.3080005@redhat.com> Message-ID: <1311007687.5922.41.camel@dhcp-25-52.brq.redhat.com> On Mon, 2011-07-18 at 17:16 +0200, Jan Cholasta wrote: > https://fedorahosted.org/freeipa/ticket/1469 > > Honza > The patch is missing. Martin From edewata at redhat.com Mon Jul 18 16:52:00 2011 
From: edewata at redhat.com (Endi Sukma Dewata) Date: Mon, 18 Jul 2011 11:52:00 -0500 Subject: [Freeipa-devel] [PATCH] 208 Entity select widget improvements In-Reply-To: <4E2454EC.1010503@redhat.com> References: <4E2454EC.1010503@redhat.com> Message-ID: <4E2464B0.7030106@redhat.com> On 7/18/2011 10:44 AM, Endi Sukma Dewata wrote: > The IPA.entity_select_widget has been modified into a searchable and > editable drop down list. > > Ticket #1361 Fixed z-index problem and renamed base class to IPA.combobox_widget. -- Endi S. Dewata -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-edewata-0208-2-Entity-select-widget-improvements.patch Type: text/x-patch Size: 41431 bytes Desc: not available URL: From rcritten at redhat.com Mon Jul 18 17:10:46 2011 
From: rcritten at redhat.com (Rob Crittenden) Date: Mon, 18 Jul 2011 13:10:46 -0400 Subject: [Freeipa-devel] [PATCH] 823 validate certificate subject base In-Reply-To: <1311006688.5922.33.camel@dhcp-25-52.brq.redhat.com> References: <4E15D895.8090908@redhat.com> <1310544964.13088.5.camel@dhcp-25-52.brq.redhat.com> <4E245A86.2020201@redhat.com> <1311006688.5922.33.camel@dhcp-25-52.brq.redhat.com> Message-ID: <4E246916.4020302@redhat.com> Martin Kosek wrote: > On Mon, 2011-07-18 at 12:08 -0400, Rob Crittenden wrote: >> Martin Kosek wrote: >>> On Thu, 2011-07-07 at 12:02 -0400, Rob Crittenden wrote: >>>> Use John's new DN class to verify that the subject base passed into >>>> ipa-server-install is valid. >>>> >>>> https://fedorahosted.org/freeipa/ticket/1176 >>>> >>>> rob >>> >>> Works fine for basic errors. But what if the DN is syntactically valid, >>> but it makes no sense for CA? For example: >>> >>> # ipa-server-install --subject="FOO=BAR" >>> ... >>> Configuring certificate server: Estimated time 6 minutes >>> [1/16]: creating certificate server user >>> [2/16]: creating pki-ca instance >>> [3/16]: restarting certificate server >>> [4/16]: configuring certificate server instance >>> root : CRITICAL failed to configure ca instance Command >>> '/usr/bin/perl /usr/bin/pkisilent ConfigureCA -cs_hostname >>> vm-099.idm.lab.bos.redhat.com -cs_port 9445 >>> -client_certdb_dir /tmp/tmp-VQeqTM -client_certdb_pwd 'XXXXXXXX' >>> -preop_pin p8NYnreBzTcV8Oq13vCu -domain_name IPA -admin_user admin >>> -admin_email root at localhost -admin_password 'XXXXXXXX' -agent_name >>> ipa-ca-agent -agent_key_size 2048 -agent_key_type rsa >>> -agent_cert_subject "CN=ipa-ca-agent,FOO=BAR" -ldap_host >>> vm-099.idm.lab.bos.redhat.com -ldap_port 7389 -bind_dn "cn=Directory >>> Manager" -bind_password 'XXXXXXXX' -base_dn o=ipaca -db_name ipaca >>> -key_size 2048 -key_type rsa -key_algorithm SHA256withRSA -save_p12 true >>> -backup_pwd 'XXXXXXXX' -subsystem_name pki-cad -token_name internal 
>>> -ca_subsystem_cert_subject_name "CN=CA Subsystem,FOO=BAR" >>> -ca_ocsp_cert_subject_name "CN=OCSP Subsystem,FOO=BAR" >>> -ca_server_cert_subject_name "CN=vm-099.idm.lab.bos.redhat.com,FOO=BAR" >>> -ca_audit_signing_cert_subject_name "CN=CA Audit,FOO=BAR" >>> -ca_sign_cert_subject_name "CN=Certificate Authority,FOO=BAR" -external >>> false -clone false' returned non-zero exit status 255 >>> Unexpected error - see ipaserver-install.log for details: >>> Configuration of CA failed >>> >>> >>> Could we cover also these cases in the callback? >>> >>> Martin >>> >> >> Added list of allowed attributes. >> >> rob > > ACK, works fine. I would just recommend to split the line with > VALID_SUBJECT_ATTRS before pushing, it's quite long. > > Martin > Fixed and pushed to master and ipa-2-0 From rcritten at redhat.com Mon Jul 18 17:15:42 2011 
From: rcritten at redhat.com (Rob Crittenden) Date: Mon, 18 Jul 2011 13:15:42 -0400 Subject: [Freeipa-devel] [PATCH] 824 make more sensible nicknames In-Reply-To: <4E23F697.3010703@redhat.com> References: <4E1B6FB4.5030801@redhat.com> <4E23F697.3010703@redhat.com> Message-ID: <4E246A3E.2020504@redhat.com> Jan Cholasta wrote: > On 11.7.2011 23:48, Rob Crittenden wrote: >> When loading a chained CA from a PKCS#7 or PEM file we used to use very >> generic nicknames, sometimes as bad as "Imported CA" in the case of >> winsync. This will use the subject of the cert to get the nickname >> instead. >> >> I also extended the API of some of the x509 functions to optionally take >> in the NSS database dir. I had originally used this in the patch but did >> it another way but still thought the changes useful. >> >> ticket https://fedorahosted.org/freeipa/ticket/1141 >> >> Word of warning, this is going to require a fair bit of testing. The way >> to test it is to install with an external CA, then install a replica >> with a CA to be sure that works as well. Testing basic installs would be >> handy as well. >> >> rob >> > > ACK, everything seems to work fine. > > Honza > pushed to master and ipa-2-0 From rcritten at redhat.com Mon Jul 18 17:21:22 2011 
From: rcritten at redhat.com (Rob Crittenden) Date: Mon, 18 Jul 2011 13:21:22 -0400 Subject: [Freeipa-devel] [PATCH] 825 add dogtag replication management In-Reply-To: <4E245373.5030806@redhat.com> References: <4E1FB70D.3000605@redhat.com> <4E2035F0.5020400@redhat.com> <1310737881.32137.26.camel@dhcp-25-52.brq.redhat.com> <4E20484F.5040900@redhat.com> <4E206626.2080406@redhat.com> <4E207186.6040509@redhat.com> <4E2072CB.4030902@redhat.com> <4E2093E0.7070306@redhat.com> <4E20A893.5050704@redhat.com> <4E24527E.8030803@redhat.com> <4E245373.5030806@redhat.com> Message-ID: <4E246B92.5080009@redhat.com> Rich Megginson wrote: > On 07/18/2011 09:34 AM, Rob Crittenden wrote: >> Jan Cholasta wrote: >>> On 15.7.2011 21:24, Rob Crittenden wrote: >>>> Rich Megginson wrote: >>>>> On 07/15/2011 10:57 AM, Rob Crittenden wrote: >>>>>> Rich Megginson wrote: >>>>>>> On 07/15/2011 08:01 AM, Rob Crittenden wrote: >>>>>>>> Martin Kosek wrote: >>>>>>>>> On Fri, 2011-07-15 at 14:43 +0200, Jan Cholasta wrote: >>>>>>>>>> On 15.7.2011 05:42, Rob Crittenden wrote: >>>>>>>>>>> Add a separate tool for now to do dogtag replication agreement >>>>>>>>>>> management. The syntax is the same for IPA agreements with the >>>>>>>>>>> exception >>>>>>>>>>> that the DM password is always required and it isn't possible to >>>>>>>>>>> delegate the management of this. >>>>>>>>>>> >>>>>>>>>>> ticket https://fedorahosted.org/freeipa/ticket/1250 >>>>>>>>>>> >>>>>>>>>>> rob >>>>>>>>>>> >>>>>>>>>> >>>>>>>>>> NACK >>>>>>>>>> >>>>>>>>>> 'ipa-csreplica-manage list server' doesn't list the peers of the >>>>>>>>>> specified server, but the peers of localhost. >>>>>>>>>> >>>>>>>>>> Connecting already connected pair of replicas duplicates the >>>>>>>>>> replication >>>>>>>>>> information ('ipa-csreplica-manage list server' shows the same >>>>>>>>>> hostname >>>>>>>>>> twice). >>>>>>>>>> >>>>>>>>>> There is trailing whitespace on line 87 of the patch. 
>>>>>>>>>> >>>>>>>>>> BTW I don't understand why is it possible (or necessary?) to be >>>>>>>>>> able to >>>>>>>>>> have CS replication topology that is different from the main IPA >>>>>>>>>> replication topology (ipa-csreplica-manage allows you to do >>>>>>>>>> that). Is >>>>>>>>>> there a reason for this? >>>>>>>>>> >>>>>>>>>> Honza >>>>>>>>>> >>>>>>>>> >>>>>>>>> And some issues from me: >>>>>>>>> >>>>>>>>> 1) Unhelpful error message when force-syncing from a master >>>>>>>>> without a >>>>>>>>> replication agreement: >>>>>>>>> >>>>>>>>> # ipa-csreplica-manage force-sync --from=HOST >>>>>>>>> Directory Manager password: >>>>>>>>> ipa: ERROR: Unable to find replication agreement for >>>>>>>>> vm-060.idm.lab.bos.redhat.com >>>>>>>>> unexpected error: Unable to proceed >>>>>>>>> >>>>>>>>> 2) Minor stuff in man page: >>>>>>>>> >>>>>>>>> Unindented Exit statuses: >>>>>>>>> EXIT STATUS >>>>>>>>> 0 if the command was successful >>>>>>>>> 1 if an error occurred >>>>>>>>> >>>>>>>>> Missing dot: The default is the machine on which the command is >>>>>>>>> run >>>>>>>>> Not >>>>>>>>> honoured by the re-initialize command. >>>>>>>>> >>>>>>>>> >>>>>>>>> Otherwise it looks good. >>>>>>>>> >>>>>>>>> Martin >>>>>>>>> >>>>>>>> >>>>>>>> This should address all the issues raised. >>>>>>>> >>>>>>>> The reason for different topology has several reasons: >>>>>>>> >>>>>>>> 1. A given IPA server may not have a CA installed >>>>>>>> 2. Some aspects of ipa-replica-manage can be delegated. We can't >>>>>>>> delegate CS replica management because it is in a different >>>>>>>> directory >>>>>>>> server. We don't have users stored there so can't map the GSSAPI >>>>>>>> credentials. So only Directory Manager can operate on it for now. >>>>>>>> 3. Flexibility. You may want way more connections for users than >>>>>>>> for >>>>>>>> the CA. 
>>>>>>> >>>>>>> + if starttls: >>>>>>> + self.conn = ipaldap.IPAdmin(hostname, port=port) >>>>>>> + ldap.set_option(ldap.OPT_X_TLS_CACERTFILE, CACERT) >>>>>>> >>>>>>> Why in the starttls case do you not call ipaldap.IPAdmin(hostname, >>>>>>> port=PORT, cacert=CACERT) ? >>>>>> >>>>>> Because the port is the non-secure port and opening an SSL connection >>>>>> to it failed. >>>>> Ah, ok. So that tells IPAdmin to use this CACERT and to use ldaps. >>>>>> >>>>>>> >>>>>>> + managers = entry.getValues('nsDS5ReplicaBindDN') >>>>>>> + if replica_binddn not in managers: >>>>>>> >>>>>>> You might want to use the dn.py code, or at least normalize the >>>>>>> DNs in >>>>>>> managers before comparing >>>>>> >>>>>> That's a good idea. >>>>>> >>>>>>> >>>>>>> + if master is None: >>>>>>> + entry.setValues('nsds5replicaupdateschedule', '0000-2359 >>>>>>> 0123456') >>>>>>> >>>>>>> You should just omit nsds5replicaupdateschedule >>>>>> >>>>>> It failed with an operations error when I tried removing the >>>>>> attribute >>>>>> either directly with a MOD_DELETE or doing a MOD_REPLACE with >>>>>> nothing. >>>>>> I assume this is another attribute in cn=config that once set cannot >>>>>> be undone. >>>>> Right. Ok. When you add the agreement entry, you can just omit it. But >>>>> if you are trying to modify an existing agreement entry, you can't >>>>> MOD_DELETE it or MOD_REPLACE with an empty value. >>>> >>>> Ok, good point about normalizing, updated patch attached. >>>> >>>> rob >>>> >>> >>> Everything I found is fixed. You might want to take a look at what >>> Martin found, though. >>> >>> Honza >>> >> >> Updated patch to use the DN class a bit more. > ack >> >> rob > pushed to master and ipa-2-0 From rcritten at redhat.com Mon Jul 18 17:21:56 2011
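Two review points in the threads above rest on the same operation, parsing a DN: patch 825 (normalize the nsDS5ReplicaBindDN values before testing "replica_binddn not in managers", since a plain string comparison misses case and spacing differences) and patch 823 (a subject base such as "FOO=BAR" is a syntactically valid DN, so the installer additionally checks every attribute type against a list of allowed ones). The following is an added example and is not code from FreeIPA, from dn.py, or from either patch: a minimal RFC 4514-style parser plus the two checks, written for Python 3. VALID_SUBJECT_ATTRS here is an assumed list (the thread only says the patch added one); the sample DN values are constructed.

```python
# Added example, not FreeIPA's dn.py or ipaldap code.
import re

# Assumed allow-list; the contents of the real VALID_SUBJECT_ATTRS are not
# shown in the thread.  Compared case-insensitively.
VALID_SUBJECT_ATTRS = ('cn', 'o', 'ou', 'c', 'st', 'l', 'dc', 'street',
                       'serialnumber', 'emailaddress')

# Attribute type: a short name (CN, emailAddress) or a dotted OID (2.5.4.3).
_ATTR_TYPE = re.compile(r'^(?:[A-Za-z][A-Za-z0-9-]*|\d+(?:\.\d+)*)$')


def _split_unescaped(text, sep):
    """Split on sep, leaving backslash-escaped separators inside the value."""
    parts, cur, i = [], [], 0
    while i < len(text):
        ch = text[i]
        if ch == '\\' and i + 1 < len(text):
            cur.append(text[i:i + 2])   # keep the escape pair intact
            i += 2
            continue
        if ch == sep:
            parts.append(''.join(cur))
            cur = []
        else:
            cur.append(ch)
        i += 1
    parts.append(''.join(cur))
    return parts


def parse_dn(dn):
    """Parse a DN into a list of RDNs, each a list of (type, value) pairs.

    Raises ValueError on syntax errors: empty DN, a component without '=',
    a malformed attribute type, or an empty value.  Multi-valued RDNs
    joined with '+' are supported.
    """
    if not dn or not dn.strip():
        raise ValueError('empty DN')
    rdns = []
    for rdn in _split_unescaped(dn, ','):
        avas = []
        for ava in _split_unescaped(rdn, '+'):
            if '=' not in ava:
                raise ValueError("missing '=' in %r" % ava)
            attr_type, value = ava.split('=', 1)
            attr_type, value = attr_type.strip(), value.strip()
            if not _ATTR_TYPE.match(attr_type):
                raise ValueError('bad attribute type %r' % attr_type)
            if not value:
                raise ValueError('empty value for %r' % attr_type)
            avas.append((attr_type, value))
        rdns.append(avas)
    return rdns


def normalize_dn(dn):
    """Canonical form for comparison: types lower-cased, whitespace around
    components dropped, values case-folded (cn/ou/o/dc use case-insensitive
    matching in 389-ds), multi-valued RDN components sorted."""
    rdns = []
    for rdn in parse_dn(dn):
        avas = sorted('%s=%s' % (t.lower(), v.casefold()) for t, v in rdn)
        rdns.append('+'.join(avas))
    return ','.join(rdns)


def is_replica_manager(replica_binddn, managers):
    """Membership test for nsDS5ReplicaBindDN that survives case and
    spacing differences between the stored values and the caller's DN."""
    wanted = normalize_dn(replica_binddn)
    return any(normalize_dn(m) == wanted for m in managers)


def validate_subject_base(subject):
    """Installer-style option check: None if acceptable, else an error string.
    The parser alone accepts 'FOO=BAR'; the allow-list is what rejects it."""
    try:
        rdns = parse_dn(subject)
    except ValueError as e:
        return 'invalid subject base: %s' % e
    for rdn in rdns:
        for attr_type, _ in rdn:
            if attr_type.lower() not in VALID_SUBJECT_ATTRS:
                return ("invalid subject base: attribute '%s' is not allowed "
                        "(allowed: %s)" % (attr_type, ', '.join(VALID_SUBJECT_ATTRS)))
    return None


if __name__ == '__main__':
    # Constructed sample values, not taken from a real deployment.
    managers = ['cn=replication manager, cn=config']
    print(is_replica_manager('CN=Replication Manager,CN=config', managers))
    print(validate_subject_base('O=EXAMPLE.COM'))
    print(validate_subject_base('FOO=BAR'))
```

The value case-folding in normalize_dn is deliberately the simple choice for the attribute types that appear in replica bind DNs; an exact-match attribute type in a DN would need its own rule, which is why the real dn.py is the better tool once a DN can contain arbitrary attributes.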
From: rcritten at redhat.com (Rob Crittenden) Date: Mon, 18 Jul 2011 13:21:56 -0400 Subject: [Freeipa-devel] [PATCH] 826 fix failing memberof tests In-Reply-To: <4E241104.7090206@redhat.com> References: <4E20AF28.8000108@redhat.com> <4E241104.7090206@redhat.com> Message-ID: <4E246BB4.3040205@redhat.com> Jan Cholasta wrote: > On 15.7.2011 23:20, Rob Crittenden wrote: >> With the recent object_name/label changes some tests were failing that >> were expecting the old value which contained a space. This fixes them. >> >> rob >> > > ACK. > > Honza > pushed to master From rcritten at redhat.com Mon Jul 18 17:22:36 2011 From: rcritten at redhat.com (Rob Crittenden) Date: Mon, 18 Jul 2011 13:22:36 -0400 Subject: [Freeipa-devel] [PATCH] 827 change subject of RA In-Reply-To: <1310944724.23822.63.camel@willson.li.ssimo.org> References: <4E2357E5.8020806@redhat.com> <1310944724.23822.63.camel@willson.li.ssimo.org> Message-ID: <4E246BDC.9070705@redhat.com> Simo Sorce wrote: > On Sun, 2011-07-17 at 17:45 -0400, Rob Crittenden wrote: >> Change the subject of the RA to not confuse dogtag users. We used 'RA >> Subsystem' and this might confuse some to think we're using the dogtag >> RA which we are not. >> >> This won't affect existing installations, only new ones. >> >> https://fedorahosted.org/freeipa/ticket/1236 > > ACK. > Simo. > pushed to master and ipa-2-0 From rcritten at redhat.com Mon Jul 18 17:24:52 2011 
From: rcritten at redhat.com (Rob Crittenden) Date: Mon, 18 Jul 2011 13:24:52 -0400 Subject: [Freeipa-devel] [PATCH] 828 set plugin precedence In-Reply-To: <1310944769.23822.64.camel@willson.li.ssimo.org> References: <4E23583C.4080707@redhat.com> <1310944769.23822.64.camel@willson.li.ssimo.org> Message-ID: <4E246C64.80407@redhat.com> Simo Sorce wrote: > On Sun, 2011-07-17 at 17:46 -0400, Rob Crittenden wrote: >> The default precedence of slapi plugins is 50 and all of them (ours and >> the 389-ds plugins) all have this level with the exception of one (Retro >> changelog). The IPA modrdn plugin should run after all of these so I've >> bumped up the precedence to 60 as recommended by the 389-ds team. >> >> https://fedorahosted.org/freeipa/ticket/1370 > > ACK. > > Simo. > pushed to master and ipa-2-0 From rcritten at redhat.com Mon Jul 18 17:26:45 2011 From: rcritten at redhat.com (Rob Crittenden) Date: Mon, 18 Jul 2011 13:26:45 -0400 Subject: [Freeipa-devel] [PATCH] 829 Generate a database password by default In-Reply-To: <1310944824.23822.65.camel@willson.li.ssimo.org> References: <4E23586A.2010805@redhat.com> <1310944824.23822.65.camel@willson.li.ssimo.org> Message-ID: <4E246CD5.1020008@redhat.com> Simo Sorce wrote: > On Sun, 2011-07-17 at 17:47 -0400, Rob Crittenden wrote: >> If the password passed in when creating a NSS certificate database is >> None then a random password is generated. If it is empty ('') then an >> empty password is set. >> >> Because of this the HTTP instance on replicas were created with an empty >> password. >> >> https://fedorahosted.org/freeipa/ticket/1407 > > ACK, > Simo. > pushed to master and ipa-2-0 From rcritten at redhat.com Mon Jul 18 17:44:39 2011 
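The password rule described for patch 829 above (None means generate a random password, '' means set an empty one) is easy to get wrong with a truthiness test, which treats the two cases alike. The following is an added example and not FreeIPA's certificate-database code: the rule as described, with the generated password coming from the OS CSPRNG and the password file written with owner-only permissions. The function and file names are assumptions.

```python
# Added example, not FreeIPA's certs.py.  Function and file names are assumed.
import os
import secrets
import stat
import tempfile


def generate_db_password(nbytes=24):
    """Random password from the OS CSPRNG; URL-safe so it can sit in a pwdfile."""
    return secrets.token_urlsafe(nbytes)


def resolve_db_password(password=None):
    """Apply the rule from the thread:
         None -> generate a random password (the secure default)
         ''   -> an empty password, only because the caller explicitly asked
         else -> the given password, unchanged
    The test must be 'is None', not 'not password': a truthiness test
    cannot tell an explicit '' from an absent value."""
    if password is None:
        return generate_db_password()
    return password


def write_pwdfile(path, password):
    """Write the password file created 0600 so other local users cannot read it.
    Returns the resulting mode as an octal string for checking."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC,
                 stat.S_IRUSR | stat.S_IWUSR)
    with os.fdopen(fd, 'w') as f:
        f.write(password)
    return oct(stat.S_IMODE(os.stat(path).st_mode))


def demo_pwdfile(password=None):
    """Resolve the password, write it to a fresh temp dir, and return
    (password used, file mode, contents read back) so the result can be checked."""
    dbdir = tempfile.mkdtemp(prefix='nssdb-')
    path = os.path.join(dbdir, 'pwdfile.txt')
    pw = resolve_db_password(password)
    mode = write_pwdfile(path, pw)
    with open(path) as f:
        on_disk = f.read()
    return pw, mode, on_disk


if __name__ == '__main__':
    print(demo_pwdfile())     # random password, mode 0o600
    print(demo_pwdfile(''))   # explicitly empty password
```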
From: rcritten at redhat.com (Rob Crittenden) Date: Mon, 18 Jul 2011 13:44:39 -0400 Subject: [Freeipa-devel] [PATCH] 25 Update minimum required version of python-netaddr In-Reply-To: <4E2459FC.4000108@redhat.com> References: <4E09CE73.1000503@redhat.com> <4E09E1B1.1070300@redhat.com> <4E0DA2E7.8040903@redhat.com> <4E0DDB08.1010201@redhat.com> <4E0E1A22.7040905@redhat.com> <4E2459FC.4000108@redhat.com> Message-ID: <4E247107.2080903@redhat.com> Jakub Hrozek wrote: > On 07/01/2011 09:04 PM, Jan Cholasta wrote: >> On 1.7.2011 16:34, Jakub Hrozek wrote: >>> On 07/01/2011 06:35 AM, Jan Cholasta wrote: >>>> On 28.6.2011 16:14, Jakub Hrozek wrote: >>>>> On 06/28/2011 08:52 AM, Jan Cholasta wrote: >>>>>> https://fedorahosted.org/freeipa/ticket/1288 >>>>>> >>>>>> Honza >>>>>> >>>>> >>>>> I gather this is done in order to get rid of the "try: except all" hack >>>>> in installer? >>>>> >>>>> This works fine with F15 and F16 in mind. However, if the specfile is >>>>> intended for being usable on RHEL as well (at least for development), >>>>> some %if magic is required -- the fix is not there yet. >>>>> >>>> >>>> Updated so that 0.7.5-3 is required on Fedora>= 15 and RHEL>= 6. >>>> >>>> Honza >>>> >>> >>> Sorry, I wasn't clear in the previous message. >>> >>> The fix so far is *only* in Fedora, not in any RHEL versions. So the >>> versioned requires must apply only to Fedora until we release >>> python-netaddr errata, be it in 6.2 or 6.3 >> >> Thanks for the info. I really need to learn more about RHEL :-) >> >> Updated patch attached. >> >> Honza >> > > I missed the new revision - sorry. > > Ack! pushed to master and ipa-2-0 From edewata at redhat.com Mon Jul 18 18:39:36 2011 
From: edewata at redhat.com (Endi Sukma Dewata) Date: Mon, 18 Jul 2011 13:39:36 -0500 Subject: [Freeipa-devel] [PATCH] 208 Entity select widget improvements In-Reply-To: <4E2464B0.7030106@redhat.com> References: <4E2454EC.1010503@redhat.com> <4E2464B0.7030106@redhat.com> Message-ID: <4E247DE8.3060701@redhat.com> On 7/18/2011 11:52 AM, Endi Sukma Dewata wrote: > On 7/18/2011 10:44 AM, Endi Sukma Dewata wrote: >> The IPA.entity_select_widget has been modified into a searchable and >> editable drop down list. >> >> Ticket #1361 > > Fixed z-index problem and renamed base class to IPA.combobox_widget. Included new icon provided by ayoung. -- Endi S. Dewata -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-edewata-0208-3-Entity-select-widget-improvements.patch Type: text/x-patch Size: 42262 bytes Desc: not available URL: From ayoung at redhat.com Mon Jul 18 18:49:11 2011 From: ayoung at redhat.com (Adam Young) Date: Mon, 18 Jul 2011 14:49:11 -0400 Subject: [Freeipa-devel] [PATCH] 208 Entity select widget improvements In-Reply-To: <4E247DE8.3060701@redhat.com> References: <4E2454EC.1010503@redhat.com> <4E2464B0.7030106@redhat.com> <4E247DE8.3060701@redhat.com> Message-ID: <4E248027.9050007@redhat.com> On 07/18/2011 02:39 PM, Endi Sukma Dewata wrote: > On 7/18/2011 11:52 AM, Endi Sukma Dewata wrote: >> On 7/18/2011 10:44 AM, Endi Sukma Dewata wrote: >>> The IPA.entity_select_widget has been modified into a searchable and >>> editable drop down list. >>> >>> Ticket #1361 >> >> Fixed z-index problem and renamed base class to IPA.combobox_widget. > > Included new icon provided by ayoung. > > > _______________________________________________ > Freeipa-devel mailing list > Freeipa-devel at redhat.com > https://www.redhat.com/mailman/listinfo/freeipa-devel ACK. Pushed to master -------------- next part -------------- An HTML attachment was scrubbed... URL: From abokovoy at redhat.com Mon Jul 18 19:15:37 2011 
From: abokovoy at redhat.com (Alexander Bokovoy) Date: Mon, 18 Jul 2011 22:15:37 +0300 Subject: [Freeipa-devel] [PATCH] 3 ipa-client-install tries to start non-existing nscd In-Reply-To: <4E209806.4060400@redhat.com> References: <4E0D9240.7070001@redhat.com> <4E209806.4060400@redhat.com> Message-ID: <4E248659.6060408@redhat.com> On 15.07.2011 22:41, Rob Crittenden wrote: > Alexander Bokovoy wrote: >> > > nack. > > I don't believe this fixes the reported problem. This patch affects > un-installation in which case whether sssd was selected or not doesn't > matter, we're just trying to restore the previous state (so tangentially > I wonder if we should store the state of at install time). Actually, the patch deals with installation, not uninstallation. As discussed on IRC, I've reworked it to add an alternative warning to sssd configuration path. New version attached. -- / Alexander Bokovoy -------------- next part -------------- An embedded and charset-unspecified text was scrubbed... Name: freeipa-abbra-0003-1-ticket-1373.patch URL: From edewata at redhat.com Mon Jul 18 19:16:04 2011 From: edewata at redhat.com (Endi Sukma Dewata) Date: Mon, 18 Jul 2011 14:16:04 -0500 Subject: [Freeipa-devel] [PATCH] 209 Removed reverse zones from host adder dialog. Message-ID: <4E248674.9070307@redhat.com> The host adder dialog has been modified to specify the new flag for retrieving the forward zones only. Ticket #1458 -- Endi S. Dewata -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-edewata-0209-Removed-reverse-zones-from-host-adder-dialog.patch Type: text/x-patch Size: 3059 bytes Desc: not available URL: From JR.Aquino at citrix.com Mon Jul 18 20:08:02 2011 
From: JR.Aquino at citrix.com (JR Aquino) Date: Mon, 18 Jul 2011 20:08:02 +0000 Subject: [Freeipa-devel] 35 remove escapes from the cvs parser in ipaserver/install/ldapupdate Message-ID: <5C8C3AD8-84E6-4493-A286-560932CB616A@citrixonline.com> https://fedorahosted.org/freeipa/ticket/1472 Changeset 8e086fd7b8c1edd0ccfec527c0699d396a7954f9 introduced a bug with ldapupdate resulting in incorrect handling of uldif files. Particularly the schema_compat.uldif. -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-jraquino-0035-remove-escapes-from-the-cvs-parser-in-ldapupdate.patch Type: application/octet-stream Size: 1192 bytes Desc: freeipa-jraquino-0035-remove-escapes-from-the-cvs-parser-in-ldapupdate.patch URL: -------------- next part -------------- An embedded and charset-unspecified text was scrubbed... Name: ATT00001.txt URL: From JR.Aquino at citrix.com Mon Jul 18 20:08:39 2011 From: JR.Aquino at citrix.com (JR Aquino) Date: Mon, 18 Jul 2011 20:08:39 +0000 Subject: [Freeipa-devel] [PATCH] 35 remove escapes from the cvs parser in ipaserver/install/ldapupdate In-Reply-To: <5C8C3AD8-84E6-4493-A286-560932CB616A@citrixonline.com> References: <5C8C3AD8-84E6-4493-A286-560932CB616A@citrixonline.com> Message-ID: <684588FE-1D04-4460-9B87-4EFABCEC4813@citrixonline.com> On Jul 18, 2011, at 1:08 PM, wrote: > https://fedorahosted.org/freeipa/ticket/1472 > > Changeset 8e086fd7b8c1edd0ccfec527c0699d396a7954f9 introduced a bug with ldapupdate resulting in incorrect handling of uldif files. Particularly the schema_compat.uldif. > > Added PATCH to subject line. From edewata at redhat.com Mon Jul 18 20:13:23 2011 
From: edewata at redhat.com (Endi Sukma Dewata) Date: Mon, 18 Jul 2011 15:13:23 -0500 Subject: [Freeipa-devel] [PATCH] 210 Fixed host details fields. Message-ID: <4E2493E3.9000808@redhat.com> The host details facet has been fixed to remove a redundant field and include some missing fields. Ticket #1484 -- Endi S. Dewata -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-edewata-0210-Fixed-host-details-fields.patch Type: text/x-patch Size: 1793 bytes Desc: not available URL: From ayoung at redhat.com Mon Jul 18 20:57:32 2011 From: ayoung at redhat.com (Adam Young) Date: Mon, 18 Jul 2011 16:57:32 -0400 Subject: [Freeipa-devel] [PATCH] 209 Removed reverse zones from host adder dialog. In-Reply-To: <4E248674.9070307@redhat.com> References: <4E248674.9070307@redhat.com> Message-ID: <4E249E3C.1050306@redhat.com> On 07/18/2011 03:16 PM, Endi Sukma Dewata wrote: > The host adder dialog has been modified to specify the new flag > for retrieving the forward zones only. > > Ticket #1458 > > > _______________________________________________ > Freeipa-devel mailing list > Freeipa-devel at redhat.com > https://www.redhat.com/mailman/listinfo/freeipa-devel ACK. Pushed to master -------------- next part -------------- An HTML attachment was scrubbed... URL: From ayoung at redhat.com Mon Jul 18 20:57:45 2011 
From: ayoung at redhat.com (Adam Young) Date: Mon, 18 Jul 2011 16:57:45 -0400 Subject: [Freeipa-devel] [PATCH] 210 Fixed host details fields. In-Reply-To: <4E2493E3.9000808@redhat.com> References: <4E2493E3.9000808@redhat.com> Message-ID: <4E249E49.4050301@redhat.com> On 07/18/2011 04:13 PM, Endi Sukma Dewata wrote: > The host details facet has been fixed to remove a redundant field > and include some missing fields. > > Ticket #1484 > > > _______________________________________________ > Freeipa-devel mailing list > Freeipa-devel at redhat.com > https://www.redhat.com/mailman/listinfo/freeipa-devel ACK. Pushed to master -------------- next part -------------- An HTML attachment was scrubbed... URL: From rcritten at redhat.com Mon Jul 18 21:58:04 2011 From: rcritten at redhat.com (Rob Crittenden) Date: Mon, 18 Jul 2011 17:58:04 -0400 Subject: [Freeipa-devel] [PATCH] specify ds-replication plugin by name Message-ID: <4E24AC6C.3020408@redhat.com> Like bind and bind-dyndb-ldap specify the replication package by name when it is not found. Pushed under the 1-liner rule. diff --git a/ipaserver/install/replication.py b/ipaserver/install/replication.py index da8e749..7186a18 100644 --- a/ipaserver/install/replication.py +++ b/ipaserver/install/replication.py @@ -84,7 +84,8 @@ def check_replication_plugin(): """ if not os.path.exists('/usr/lib/dirsrv/plugins/libreplication-plugin.so') and \ not os.path.exists('/usr/lib64/dirsrv/plugins/libreplication-plugin.so'): - print "The 389-ds replication plug-in was not found on this system" + print "The 389-ds replication plug-in was not found on this system." + print "Please install the 'ds-replication' package and start the installation again" return False return True From ayoung at redhat.com Mon Jul 18 22:22:21 2011 
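Review bot: the second line added in the hunk has no terminating period even though the first line just gained one, so the two messages read inconsistently on the console; make it `print "Please install the 'ds-replication' package and start the installation again."`. Also, the hint is only as reliable as the two hard-coded paths checked above it (/usr/lib/dirsrv/plugins and /usr/lib64/dirsrv/plugins): on a layout that installs libreplication-plugin.so elsewhere the user is told to install a package they already have, so it would help to mention in the message which paths were searched.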
From: ayoung at redhat.com (Adam Young) Date: Mon, 18 Jul 2011 18:22:21 -0400 Subject: [Freeipa-devel] [PATCH] 091 Improve long integer type validation In-Reply-To: <4E20B083.6060905@redhat.com> References: <1310628067.31842.1.camel@dhcp-25-52.brq.redhat.com> <4E20B083.6060905@redhat.com> Message-ID: <4E24B21D.6@redhat.com> On 07/15/2011 05:26 PM, Rob Crittenden wrote: > Martin Kosek wrote: >> Passing a number of "long" type to IPA Int parameter invokes >> user-unfriendly error message about incompatible types. This patch >> improves Int parameter with user understandable message along with >> maximum value he can pass. >> >> https://fedorahosted.org/freeipa/ticket/1346 > > nack. We need to limit Int to 32-bit values because that is what > XML-RPC supports. So if maxvalue isn't set we need to compare against > MAXINT and not sys.maxint. > > rob > > _______________________________________________ > Freeipa-devel mailing list > Freeipa-devel at redhat.com > https://www.redhat.com/mailman/listinfo/freeipa-devel Is this the wrong forum to point out how wrong XML-RPC is in limiting things to 32 bit values? From JR.Aquino at citrix.com Mon Jul 18 23:32:18 2011 From: JR.Aquino at citrix.com (JR Aquino) Date: Mon, 18 Jul 2011 23:32:18 +0000 Subject: [Freeipa-devel] [PATCH] 36 Removed "RunAs External Group" is removed in the output when "--all" switch is used. Message-ID: <204B4104-4551-4222-85E5-6ADE30AC2E57@citrixonline.com> https://fedorahosted.org/freeipa/ticket/1348 Corrected behavior for ipa sudorule-remove-runasgroup rule1 --groups=tgroup2 --all -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-jraquino-0036-Removed-RunAs-External-Group-is-removed-in-the-output.patch Type: application/octet-stream Size: 1969 bytes Desc: freeipa-jraquino-0036-Removed-RunAs-External-Group-is-removed-in-the-output.patch URL: From JR.Aquino at citrix.com Mon Jul 18 23:43:31 2011 
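The 32-bit limit Rob and Adam discuss above is enforced by the XML-RPC wire format itself. The following is an added example, not FreeIPA's Int parameter code: a small validator that defaults its bounds to xmlrpc.client.MAXINT / MININT (the stdlib's own 2**31-1 / -2**31 constants) rather than sys.maxint, plus a check that shows the stdlib marshaller rejecting anything wider. Function names and the error wording are assumptions made here.

```python
"""Added example: why an XML-RPC API must cap integers at 32 bits.

Not FreeIPA code. It models the point made in the thread (compare
against XML-RPC's MAXINT, not sys.maxint) with a small validator that
produces a user-readable message, and shows the stdlib marshaller
refusing values outside the i4 range.
"""
import xmlrpc.client


class IntRangeError(ValueError):
    """Raised with a user-readable message when a value is out of range."""


def validate_int(value, minvalue=None, maxvalue=None):
    """Check that ``value`` is an int the XML-RPC wire format can carry.

    ``minvalue``/``maxvalue`` default to XML-RPC's own limits
    (xmlrpc.client.MININT / MAXINT, i.e. -2**31 / 2**31-1); a caller may
    tighten them but never widen them beyond what the transport supports.
    """
    # bool is a subclass of int in Python; reject it explicitly.
    if isinstance(value, bool) or not isinstance(value, int):
        raise IntRangeError("must be an integer")
    hi = xmlrpc.client.MAXINT if maxvalue is None else min(maxvalue, xmlrpc.client.MAXINT)
    lo = xmlrpc.client.MININT if minvalue is None else max(minvalue, xmlrpc.client.MININT)
    if value > hi:
        raise IntRangeError("can be at most %d" % hi)
    if value < lo:
        raise IntRangeError("must be at least %d" % lo)
    return value


def friendly_error(value, **limits):
    """Return the validator's message for ``value``, or None if accepted."""
    try:
        validate_int(value, **limits)
        return None
    except IntRangeError as e:
        return str(e)


def marshals_over_xmlrpc(value):
    """True if the stdlib marshaller will encode ``value`` as a request arg.

    xmlrpc.client raises OverflowError for ints outside the 32-bit range,
    which is the unfriendly failure the validator above pre-empts.
    """
    try:
        xmlrpc.client.dumps((value,), methodname="noop")
        return True
    except OverflowError:
        return False


if __name__ == "__main__":
    for v in (42, 2**31 - 1, 2**31, -2**31 - 1):
        print(v, "error:", friendly_error(v), "marshals:", marshals_over_xmlrpc(v))
```

The validator clamps a caller-supplied maxvalue to the transport limit instead of trusting it, so a plugin cannot accidentally declare a range the RPC layer will later refuse.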
From: JR.Aquino at citrix.com (JR Aquino) Date: Mon, 18 Jul 2011 23:43:31 +0000 Subject: [Freeipa-devel] [PATCH] 37 Correct sudo runasuser and runasgroup attributes in schema Message-ID: <2B86A5AB-F26C-4CAF-B5ED-0AAD7D703E28@citrixonline.com> https://fedorahosted.org/freeipa/ticket/1309 Added .update file to correct the sudo schema during freeipa updates on older systems. Modified Makefile.am to account for new .update file. -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-jraquino-0037-Correct-sudo-runasuser-and-runasgroup-attributes.patch Type: application/octet-stream Size: 3007 bytes Desc: freeipa-jraquino-0037-Correct-sudo-runasuser-and-runasgroup-attributes.patch URL: From rcritten at redhat.com Tue Jul 19 02:33:20 2011 From: rcritten at redhat.com (Rob Crittenden) Date: Mon, 18 Jul 2011 22:33:20 -0400 Subject: [Freeipa-devel] [PATCH] 36 Removed "RunAs External Group" is removed in the output when "--all" switch is used. In-Reply-To: <204B4104-4551-4222-85E5-6ADE30AC2E57@citrixonline.com> References: <204B4104-4551-4222-85E5-6ADE30AC2E57@citrixonline.com> Message-ID: <4E24ECF0.9080203@redhat.com> JR Aquino wrote: > https://fedorahosted.org/freeipa/ticket/1348 > > Corrected behavior for ipa sudorule-remove-runasgroup rule1 --groups=tgroup2 --all > ack, pushed to master and ipa-2-0 From rcritten at redhat.com Tue Jul 19 02:49:08 2011 From: rcritten at redhat.com (Rob Crittenden) Date: Mon, 18 Jul 2011 22:49:08 -0400 Subject: [Freeipa-devel] [PATCH] 830 change enrollment principal prompt Message-ID: <4E24F0A4.6010504@redhat.com> Change the enrollment principal prompt to hopefully be more clear. ticket https://fedorahosted.org/freeipa/ticket/1449 -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-rcrit-830-enroll.patch Type: text/x-diff Size: 1166 bytes Desc: not available URL: From rcritten at redhat.com Tue Jul 19 03:03:26 2011 
From: rcritten at redhat.com (Rob Crittenden) Date: Mon, 18 Jul 2011 23:03:26 -0400 Subject: [Freeipa-devel] [PATCH] 3 ipa-client-install tries to start non-existing nscd In-Reply-To: <4E248659.6060408@redhat.com> References: <4E0D9240.7070001@redhat.com> <4E209806.4060400@redhat.com> <4E248659.6060408@redhat.com> Message-ID: <4E24F3FE.3010809@redhat.com> Alexander Bokovoy wrote: > On 15.07.2011 22:41, Rob Crittenden wrote: >> Alexander Bokovoy wrote: >>> >> >> nack. >> >> I don't believe this fixes the reported problem. This patch affects >> un-installation in which case whether sssd was selected or not doesn't >> matter, we're just trying to restore the previous state (so tangentially >> I wonder if we should store the state of at install time). > Actually, the patch deals with installation, not uninstallation. > As discussed on IRC, I've reworked it to add an alternative warning to > sssd configuration path. > > New version attached. ack, pushed to master and ipa-2-0 From rcritten at redhat.com Tue Jul 19 04:14:35 2011 
From: rcritten at redhat.com (Rob Crittenden) Date: Tue, 19 Jul 2011 00:14:35 -0400 Subject: [Freeipa-devel] [PATCH] 817 Add option to wait for values In-Reply-To: <1310978938.5922.11.camel@dhcp-25-52.brq.redhat.com> References: <4E0E23D5.1070001@redhat.com> <4E0E3CDB.7070309@redhat.com> <4E134CC9.307@redhat.com> <1310745512.32137.31.camel@dhcp-25-52.brq.redhat.com> <4E20BDDF.3020100@redhat.com> <4E235760.6000407@redhat.com> <1310978938.5922.11.camel@dhcp-25-52.brq.redhat.com> Message-ID: <4E2504AB.2090408@redhat.com> Martin Kosek wrote: > On Sun, 2011-07-17 at 17:42 -0400, Rob Crittenden wrote: >> Rob Crittenden wrote: >>> Martin Kosek wrote: >>>> On Tue, 2011-07-05 at 13:41 -0400, Rob Crittenden wrote: >>>>> Rob Crittenden wrote: >>>>>> Rob Crittenden wrote: >>>>>>> 389-ds postop plugins, such as the managed entry and memberof plugins, >>>>>>> add values after the data has been returned to the client. In the case >>>>>>> of the managed entry plugin this affects the parent entry as well >>>>>>> (adds >>>>>>> an objectclass value). >>>>>>> >>>>>>> This wreaks havoc on our tests as the values don't match what we >>>>>>> expect. >>>>>>> >>>>>>> The solution is to wait for the postop plugins to finish their work, >>>>>>> then return. I've added this as an option. The downside is it is going >>>>>>> to naturally slow things down, so it is off by default. >>>>>>> >>>>>>> It is currently only used in the hostgroup plugin. >>>>>>> >>>>>>> The option is wait_for_attr. Add this to ~/.ipa/default.conf and >>>>>>> set it >>>>>>> to True and all the current tests will pass (assuming you apply >>>>>>> patches >>>>>>> 814-816 as well). >>>>>>> >>>>>>> So now we won't have any excuses for missing test failures in the unit >>>>>>> tests... >>>>>>> >>>>>>> rob >>>>>> >>>>>> Bah, found a small problem. Self-NACK. >>>>>> >>>>>> rob >>>>> >>>>> Updated patch attached. >>>>> >>>>> Note that I don't think there is a way for us to handle things like >>>>> memberof_indirect. 
We wouldn't know to wait. >>>>> >>>>> rob >>>> >>>> Works fine for the hostgroup entry. It's good it can be switched on/off. >>>> >>>> But what about other managed entries, like user entry? Would it make >>>> sense to add a wait here too? Or maybe something systematic to baseldap >>>> so that we wouldn't have to implement this wait to every managed entry. >>>> >>>> Martin >>>> >>> >>> I can certainly add it to users to check for managed groups. Making it >>> generic would be difficult because some are conditional (such as users). >>> >>> rob >> >> Added support for managed users as well. >> >> rob > > Waiting for managed users work too. However, I have just noticed that > the entire solution works only partially. > > It waits for mepOriginEntry objectclass, but it doesn't add the new LDAP > attributes "mepmanagedentry" and "memberof" to the-add result: > > # ipa hostgroup-add hgroup3 --desc=foo --all --raw > ------------------------- > Added hostgroup "hgroup3" > ------------------------- > dn: cn=hgroup3,cn=hostgroups,cn=accounts,dc=idm,dc=lab,dc=bos,dc=redhat,dc=com > cn: hgroup3 > description: foo > ipauniqueid: 20d1b8e4-b114-11e0-ab28-00163e0ed706 > objectclass: ipaobject > objectclass: ipahostgroup > objectclass: nestedGroup > objectclass: groupOfNames > objectclass: top > objectclass: mepOriginEntry > # ipa hostgroup-show hgroup3 --all --raw > dn: cn=hgroup3,cn=hostgroups,cn=accounts,dc=idm,dc=lab,dc=bos,dc=redhat,dc=com > cn: hgroup3 > description: foo > ipauniqueid: 20d1b8e4-b114-11e0-ab28-00163e0ed706 > memberof: cn=hgroup3,cn=ng,cn=alt,dc=idm,dc=lab,dc=bos,dc=redhat,dc=com<==== > mepmanagedentry: cn=hgroup3,cn=ng,cn=alt,dc=idm,dc=lab,dc=bos,dc=redhat,dc=com<==== > objectclass: ipaobject > objectclass: ipahostgroup > objectclass: nestedGroup > objectclass: groupOfNames > objectclass: top > objectclass: mepOriginEntry > > # ipa user-add --first=Foo --last=Bar fbar2 --all --raw > ------------------ > Added user "fbar2" > ------------------ > dn: 
uid=fbar2,cn=users,cn=accounts,dc=idm,dc=lab,dc=bos,dc=redhat,dc=com > uid: fbar2 > givenname: Foo > sn: Bar > cn: Foo Bar > displayname: Foo Bar > initials: FB > homedirectory: /home/fbar2 > gecos: Foo Bar > loginshell: /bin/sh > krbprincipalname: fbar2 at IDM.LAB.BOS.REDHAT.COM > uidnumber: 524600004 > gidnumber: 524600004 > ipauniqueid: b22ab54c-b115-11e0-b354-00163e0ed706 > krbpwdpolicyreference: cn=global_policy,cn=IDM.LAB.BOS.REDHAT.COM,cn=kerberos,dc=idm,dc=lab,dc=bos,dc=redhat,dc=com > objectclass: top > objectclass: person > objectclass: organizationalperson > objectclass: inetorgperson > objectclass: inetuser > objectclass: posixaccount > objectclass: krbprincipalaux > objectclass: krbticketpolicyaux > objectclass: ipaobject > objectclass: mepOriginEntry > # ipa user-show fbar2 --all --raw > dn: uid=fbar2,cn=users,cn=accounts,dc=idm,dc=lab,dc=bos,dc=redhat,dc=com > uid: fbar2 > givenname: Foo > sn: Bar > cn: Foo Bar > displayname: Foo Bar > initials: FB > homedirectory: /home/fbar2 > gecos: Foo Bar > loginshell: /bin/sh > krbprincipalname: fbar2 at IDM.LAB.BOS.REDHAT.COM > uidnumber: 524600004 > gidnumber: 524600004 > nsaccountlock: False > ipauniqueid: b22ab54c-b115-11e0-b354-00163e0ed706 > krbpwdpolicyreference: cn=global_policy,cn=IDM.LAB.BOS.REDHAT.COM,cn=kerberos,dc=idm,dc=lab,dc=bos,dc=redhat,dc=com > memberof: cn=ipausers,cn=groups,cn=accounts,dc=idm,dc=lab,dc=bos,dc=redhat,dc=com<==== > mepmanagedentry: cn=fbar2,cn=groups,cn=accounts,dc=idm,dc=lab,dc=bos,dc=redhat,dc=com<==== > objectclass: top > objectclass: person > objectclass: organizationalperson > objectclass: inetorgperson > objectclass: inetuser > objectclass: posixaccount > objectclass: krbprincipalaux > objectclass: krbticketpolicyaux > objectclass: ipaobject > objectclass: mepOriginEntry > > > I think there attributes should be added in post_callback (and to the > tests). > > Martin > Updated patch attached. The interesting change here is the entry_from_entry() function. 
Python calls functions passing by value the actual value passed may be an immutable reference. This means we can't simply fetch the new entry and replace what we already have, we have to do it value by value. We also have to wipe out what is already there first because it is possible an attribute has disappeared (I don't think one actually does in practice in these two calls but it is cleaner this way). For kicks you can see this in action with this snippet: def tryme(x): x = 5 y = 9 tryme(y) print y y is 9. Fun, isn't it? rob rob -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-rcrit-817-4-wait.patch Type: text/x-diff Size: 18266 bytes Desc: not available URL: From jcholast at redhat.com Tue Jul 19 06:00:48 2011 From: jcholast at redhat.com (Jan Cholasta) Date: Tue, 19 Jul 2011 08:00:48 +0200 Subject: [Freeipa-devel] [PATCH] 32 Don't delete NIS netgroup compat suffix on 'ipa-nis-manage disable' In-Reply-To: <1311007687.5922.41.camel@dhcp-25-52.brq.redhat.com> References: <4E244E4E.3080005@redhat.com> <1311007687.5922.41.camel@dhcp-25-52.brq.redhat.com> Message-ID: <4E251D90.3040906@redhat.com> On 18.7.2011 18:48, Martin Kosek wrote: > On Mon, 2011-07-18 at 17:16 +0200, Jan Cholasta wrote: >> https://fedorahosted.org/freeipa/ticket/1469 >> >> Honza >> > > The patch is missing. > > Martin > Is it? ...it is! Sorry. Honza -- Jan Cholasta -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-jcholast-32-keep-netgroup-compat.patch Type: text/x-patch Size: 1262 bytes Desc: not available URL: From mkosek at redhat.com Tue Jul 19 06:47:50 2011 
From: mkosek at redhat.com (Martin Kosek) Date: Tue, 19 Jul 2011 08:47:50 +0200 Subject: [Freeipa-devel] [PATCH] 830 change enrollment principal prompt In-Reply-To: <4E24F0A4.6010504@redhat.com> References: <4E24F0A4.6010504@redhat.com> Message-ID: <1311058072.10995.3.camel@dhcp-25-52.brq.redhat.com>

On Mon, 2011-07-18 at 22:49 -0400, Rob Crittenden wrote:
> Change the enrollment principal prompt to hopefully be more clear.
>
> ticket https://fedorahosted.org/freeipa/ticket/1449

ACK. Pushed to master, ipa-2-0.

Adding Deon to CC, this will affect at least the Fedora documentation. In the dobrien's documentation on FedoraPeople I see that sections 8.1.2. Installing the IPA Client on Red Hat Enterprise Linux 8.2.2. Installing the IPA Client on Fedora are affected.

Martin

From mkosek at redhat.com Tue Jul 19 07:51:46 2011
From: mkosek at redhat.com (Martin Kosek) Date: Tue, 19 Jul 2011 09:51:46 +0200 Subject: [Freeipa-devel] [PATCH] 35 remove escapes from the cvs parser in ipaserver/install/ldapupdate In-Reply-To: <684588FE-1D04-4460-9B87-4EFABCEC4813@citrixonline.com> References: <5C8C3AD8-84E6-4493-A286-560932CB616A@citrixonline.com> <684588FE-1D04-4460-9B87-4EFABCEC4813@citrixonline.com> Message-ID: <1311061909.10995.5.camel@dhcp-25-52.brq.redhat.com>

On Mon, 2011-07-18 at 20:08 +0000, JR Aquino wrote:
> On Jul 18, 2011, at 1:08 PM, wrote:
>
> > https://fedorahosted.org/freeipa/ticket/1472
> >
> > Changeset 8e086fd7b8c1edd0ccfec527c0699d396a7954f9 introduced a bug with ldapupdate resulting in incorrect handling of uldif files. Particularly the schema_compat.uldif.
> >
> >
> > Added PATCH to subject line.
>

ACK. SUDO LDAP compat plugin now works fine. Pushed to master, ipa-2-0.

Martin

From mkosek at redhat.com Tue Jul 19 08:48:07 2011
From: mkosek at redhat.com (Martin Kosek) Date: Tue, 19 Jul 2011 10:48:07 +0200 Subject: [Freeipa-devel] [PATCH] 098 Fix sudorule-remove-user Message-ID: <1311065289.10995.7.camel@dhcp-25-52.brq.redhat.com> This is a follow up to JR's patch 36. --- Removed sudorule "External User" is displayed in the output when "--all" switch is used. https://fedorahosted.org/freeipa/ticket/1489 -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-mkosek-098-fix-sudorule-remove-user.patch Type: text/x-patch Size: 1306 bytes Desc: not available URL: From mkosek at redhat.com Tue Jul 19 09:20:51 2011 From: mkosek at redhat.com (Martin Kosek) Date: Tue, 19 Jul 2011 11:20:51 +0200 Subject: [Freeipa-devel] [PATCH] 37 Correct sudo runasuser and runasgroup attributes in schema In-Reply-To: <2B86A5AB-F26C-4CAF-B5ED-0AAD7D703E28@citrixonline.com> References: <2B86A5AB-F26C-4CAF-B5ED-0AAD7D703E28@citrixonline.com> Message-ID: <1311067254.10995.11.camel@dhcp-25-52.brq.redhat.com> On Mon, 2011-07-18 at 23:43 +0000, JR Aquino wrote: > https://fedorahosted.org/freeipa/ticket/1309 > > Added .update file to correct the sudo schema during freeipa updates on older systems. > Modified Makefile.am to account for new .update file. > NACK. This fixes the schema well, but sudoRunAsGroup attribute is still filled incorrectly. I think that the sudo LDAP compat plugin has to be fixed too. These 2 rules look suspicious: schema-compat-entry-attribute: sudoRunAsGroup=%{ipaSudoRunAsExtGroup} schema-compat-entry-attribute: sudoRunAsGroup=%deref("ipaSudoRunAs","cn") And one more minor issue I saw, please fix indentation in Makefile.am. Martin From mkosek at redhat.com Tue Jul 19 10:35:46 2011 
From: mkosek at redhat.com (Martin Kosek) Date: Tue, 19 Jul 2011 12:35:46 +0200 Subject: [Freeipa-devel] [PATCH] 096 Fix ipa-dns-install incorrect warning In-Reply-To: <4E241DE7.7010907@redhat.com> References: <1310986572.5922.13.camel@dhcp-25-52.brq.redhat.com> <4E241DE7.7010907@redhat.com> Message-ID: <1311071749.10995.14.camel@dhcp-25-52.brq.redhat.com> On Mon, 2011-07-18 at 13:49 +0200, Jan Cholasta wrote: > On 18.7.2011 12:56, Martin Kosek wrote: > > ipa-dns-install incorrectly warns about non-local IP addresses > > when installing without --ip-address parameter. > > > > https://fedorahosted.org/freeipa/ticket/1486 > > > > IMO the warning message should be removed from parse_ip_address > altogether, as the local IP address check is done in > CheckedIPAddress.__init__. This makes both parse_ip_address and > verify_ip_address unnecessary, because all they do is call > CheckedIPAddress, so calls to them should be replaced with calls to > CheckedIPAddress directly. > > I've made a patch that does all of this and also removes some redundant > IP address checks from ipa-server-install, see attachment. > > Honza > I agree. This will clean up the mess around CheckedIPAddress. Pushed to master. Martin From mkosek at redhat.com Tue Jul 19 11:15:31 2011 
From: mkosek at redhat.com (Martin Kosek) Date: Tue, 19 Jul 2011 13:15:31 +0200 Subject: [Freeipa-devel] [PATCH] 817 Add option to wait for values In-Reply-To: <4E2504AB.2090408@redhat.com> References: <4E0E23D5.1070001@redhat.com> <4E0E3CDB.7070309@redhat.com> <4E134CC9.307@redhat.com> <1310745512.32137.31.camel@dhcp-25-52.brq.redhat.com> <4E20BDDF.3020100@redhat.com> <4E235760.6000407@redhat.com> <1310978938.5922.11.camel@dhcp-25-52.brq.redhat.com> <4E2504AB.2090408@redhat.com> Message-ID: <1311074133.10995.16.camel@dhcp-25-52.brq.redhat.com> On Tue, 2011-07-19 at 00:14 -0400, Rob Crittenden wrote: > Martin Kosek wrote: > > On Sun, 2011-07-17 at 17:42 -0400, Rob Crittenden wrote: > >> Rob Crittenden wrote: > >>> Martin Kosek wrote: > >>>> On Tue, 2011-07-05 at 13:41 -0400, Rob Crittenden wrote: > >>>>> Rob Crittenden wrote: > >>>>>> Rob Crittenden wrote: > >>>>>>> 389-ds postop plugins, such as the managed entry and memberof plugins, > >>>>>>> add values after the data has been returned to the client. In the case > >>>>>>> of the managed entry plugin this affects the parent entry as well > >>>>>>> (adds > >>>>>>> an objectclass value). > >>>>>>> > >>>>>>> This wreaks havoc on our tests as the values don't match what we > >>>>>>> expect. > >>>>>>> > >>>>>>> The solution is to wait for the postop plugins to finish their work, > >>>>>>> then return. I've added this as an option. The downside is it is going > >>>>>>> to naturally slow things down, so it is off by default. > >>>>>>> > >>>>>>> It is currently only used in the hostgroup plugin. > >>>>>>> > >>>>>>> The option is wait_for_attr. Add this to ~/.ipa/default.conf and > >>>>>>> set it > >>>>>>> to True and all the current tests will pass (assuming you apply > >>>>>>> patches > >>>>>>> 814-816 as well). > >>>>>>> > >>>>>>> So now we won't have any excuses for missing test failures in the unit > >>>>>>> tests... > >>>>>>> > >>>>>>> rob > >>>>>> > >>>>>> Bah, found a small problem. Self-NACK. 
> >>>>>> > >>>>>> rob > >>>>> > >>>>> Updated patch attached. > >>>>> > >>>>> Note that I don't think there is a way for us to handle things like > >>>>> memberof_indirect. We wouldn't know to wait. > >>>>> > >>>>> rob > >>>> > >>>> Works fine for the hostgroup entry. It's good it can be switched on/off. > >>>> > >>>> But what about other managed entries, like user entry? Would it make > >>>> sense to add a wait here too? Or maybe something systematic to baseldap > >>>> so that we wouldn't have to implement this wait to every managed entry. > >>>> > >>>> Martin > >>>> > >>> > >>> I can certainly add it to users to check for managed groups. Making it > >>> generic would be difficult because some are conditional (such as users). > >>> > >>> rob > >> > >> Added support for managed users as well. > >> > >> rob > > > > Waiting for managed users work too. However, I have just noticed that > > the entire solution works only partially. > > > > It waits for mepOriginEntry objectclass, but it doesn't add the new LDAP > > attributes "mepmanagedentry" and "memberof" to the-add result: > > > > # ipa hostgroup-add hgroup3 --desc=foo --all --raw > > ------------------------- > > Added hostgroup "hgroup3" > > ------------------------- > > dn: cn=hgroup3,cn=hostgroups,cn=accounts,dc=idm,dc=lab,dc=bos,dc=redhat,dc=com > > cn: hgroup3 > > description: foo > > ipauniqueid: 20d1b8e4-b114-11e0-ab28-00163e0ed706 > > objectclass: ipaobject > > objectclass: ipahostgroup > > objectclass: nestedGroup > > objectclass: groupOfNames > > objectclass: top > > objectclass: mepOriginEntry > > # ipa hostgroup-show hgroup3 --all --raw > > dn: cn=hgroup3,cn=hostgroups,cn=accounts,dc=idm,dc=lab,dc=bos,dc=redhat,dc=com > > cn: hgroup3 > > description: foo > > ipauniqueid: 20d1b8e4-b114-11e0-ab28-00163e0ed706 > > memberof: cn=hgroup3,cn=ng,cn=alt,dc=idm,dc=lab,dc=bos,dc=redhat,dc=com<==== > > mepmanagedentry: cn=hgroup3,cn=ng,cn=alt,dc=idm,dc=lab,dc=bos,dc=redhat,dc=com<==== > > objectclass: ipaobject > 
> objectclass: ipahostgroup > > objectclass: nestedGroup > > objectclass: groupOfNames > > objectclass: top > > objectclass: mepOriginEntry > > > > # ipa user-add --first=Foo --last=Bar fbar2 --all --raw > > ------------------ > > Added user "fbar2" > > ------------------ > > dn: uid=fbar2,cn=users,cn=accounts,dc=idm,dc=lab,dc=bos,dc=redhat,dc=com > > uid: fbar2 > > givenname: Foo > > sn: Bar > > cn: Foo Bar > > displayname: Foo Bar > > initials: FB > > homedirectory: /home/fbar2 > > gecos: Foo Bar > > loginshell: /bin/sh > > krbprincipalname: fbar2 at IDM.LAB.BOS.REDHAT.COM > > uidnumber: 524600004 > > gidnumber: 524600004 > > ipauniqueid: b22ab54c-b115-11e0-b354-00163e0ed706 > > krbpwdpolicyreference: cn=global_policy,cn=IDM.LAB.BOS.REDHAT.COM,cn=kerberos,dc=idm,dc=lab,dc=bos,dc=redhat,dc=com > > objectclass: top > > objectclass: person > > objectclass: organizationalperson > > objectclass: inetorgperson > > objectclass: inetuser > > objectclass: posixaccount > > objectclass: krbprincipalaux > > objectclass: krbticketpolicyaux > > objectclass: ipaobject > > objectclass: mepOriginEntry > > # ipa user-show fbar2 --all --raw > > dn: uid=fbar2,cn=users,cn=accounts,dc=idm,dc=lab,dc=bos,dc=redhat,dc=com > > uid: fbar2 > > givenname: Foo > > sn: Bar > > cn: Foo Bar > > displayname: Foo Bar > > initials: FB > > homedirectory: /home/fbar2 > > gecos: Foo Bar > > loginshell: /bin/sh > > krbprincipalname: fbar2 at IDM.LAB.BOS.REDHAT.COM > > uidnumber: 524600004 > > gidnumber: 524600004 > > nsaccountlock: False > > ipauniqueid: b22ab54c-b115-11e0-b354-00163e0ed706 > > krbpwdpolicyreference: cn=global_policy,cn=IDM.LAB.BOS.REDHAT.COM,cn=kerberos,dc=idm,dc=lab,dc=bos,dc=redhat,dc=com > > memberof: cn=ipausers,cn=groups,cn=accounts,dc=idm,dc=lab,dc=bos,dc=redhat,dc=com<==== > > mepmanagedentry: cn=fbar2,cn=groups,cn=accounts,dc=idm,dc=lab,dc=bos,dc=redhat,dc=com<==== > > objectclass: top > > objectclass: person > > objectclass: organizationalperson > > objectclass: inetorgperson 
> > objectclass: inetuser
> > objectclass: posixaccount
> > objectclass: krbprincipalaux
> > objectclass: krbticketpolicyaux
> > objectclass: ipaobject
> > objectclass: mepOriginEntry
> >
> >
> > I think these attributes should be added in post_callback (and to the
> > tests).
> >
> > Martin
> >
>
> Updated patch attached. The interesting change here is the
> entry_from_entry() function.
>
> Python calls functions passing by value; the actual value passed may be
> an immutable reference. This means we can't simply fetch the new entry
> and replace what we already have, we have to do it value by value. We
> also have to wipe out what is already there first because it is possible
> an attribute has disappeared (I don't think one actually does in
> practice in these two calls but it is cleaner this way).
>
> For kicks you can see this in action with this snippet:
>
> def tryme(x):
>     x = 5
>
> y = 9
> tryme(y)
> print y
>
> y is 9. Fun, isn't it?
>
> rob

You are right, Python references are fun sometimes :-) Fortunately, I learned this behavior earlier so it doesn't surprise me.

But your patch works fine, I like it. All fixed tests passed. Pushed to master.

Martin

From mkosek at redhat.com Tue Jul 19 11:47:36 2011
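The tryme() snippet Rob posted (and Martin quotes above) is one half of the picture: rebinding a parameter never reaches the caller, but mutating the object it refers to does, which is exactly why the entry has to be refreshed value by value. Below is an added example, not the patch's entry_from_entry() nor any FreeIPA code: it reproduces Rob's demonstration, then shows an in-place refresh in the same spirit beside the rebinding mistake it avoids. Representing an entry as a dict of attribute to list of values, and the sample hostgroup data (modelled on the hostgroup-add / hostgroup-show output quoted in the thread, with placeholder domain components), are assumptions made here.

```python
"""Added example (not FreeIPA code): refreshing an LDAP entry in place.

Rob's tryme() shows that rebinding a parameter inside a function never
changes the caller's variable. The converse also holds: mutating the
object the parameter refers to is visible to the caller. A helper in
the spirit of entry_from_entry() (the name comes from the thread; the
dict-of-lists entry representation is an assumption here) therefore
clears the existing entry and copies attribute values across one by one.
"""


def tryme(x):
    # Rebinds the local name x only; the caller's object is untouched.
    x = 5


def rebinding_is_invisible_to_caller():
    """Rob's demonstration: y is still 9 after tryme(y)."""
    y = 9
    tryme(y)
    return y


def entry_from_entry(entry, new_entry):
    """Make ``entry`` look like ``new_entry`` without rebinding it.

    Wiping first means an attribute that disappeared in ``new_entry``
    also disappears from ``entry``. Writing ``entry = dict(new_entry)``
    instead would only rebind the local name, exactly like tryme().
    Values are copied so later edits to ``new_entry`` do not alias.
    """
    entry.clear()
    for attr, values in new_entry.items():
        entry[attr] = list(values)
    return entry


def broken_refresh(entry, new_entry):
    """The rebinding mistake, for contrast: the caller's dict is unchanged."""
    entry = dict(new_entry)
    return entry


def refresh_after_postop(entry, fetch):
    """Re-read the entry once the postop plugins have finished, in place.

    ``fetch`` stands in for the LDAP re-read (a hypothetical callable);
    it returns the entry as the server now holds it, with memberof and
    mepmanagedentry added by the managed entry / memberof plugins.
    """
    return entry_from_entry(entry, fetch())


# Constructed sample data modelled on the hostgroup-add / hostgroup-show
# output in the thread; dc=example,dc=test is a placeholder suffix.
BEFORE = {
    "cn": ["hgroup3"],
    "description": ["foo"],
    "objectclass": ["ipaobject", "ipahostgroup", "top"],
    "stale": ["only-in-the-old-copy"],
}
AFTER = {
    "cn": ["hgroup3"],
    "description": ["foo"],
    "memberof": ["cn=hgroup3,cn=ng,cn=alt,dc=example,dc=test"],
    "mepmanagedentry": ["cn=hgroup3,cn=ng,cn=alt,dc=example,dc=test"],
    "objectclass": ["ipaobject", "ipahostgroup", "top", "mepOriginEntry"],
}


if __name__ == "__main__":
    entry = {k: list(v) for k, v in BEFORE.items()}
    refresh_after_postop(entry, lambda: AFTER)
    print(sorted(entry))  # memberof and mepmanagedentry present, stale gone
```

The clear-then-copy shape is what lets a post_callback hand the caller's existing object back with the post-operation attributes filled in, instead of a fresh object that the caller never sees.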
From: mkosek at redhat.com (Martin Kosek) Date: Tue, 19 Jul 2011 13:47:36 +0200 Subject: [Freeipa-devel] [PATCH] 32 Don't delete NIS netgroup compat suffix on 'ipa-nis-manage disable' In-Reply-To: <4E251D90.3040906@redhat.com> References: <4E244E4E.3080005@redhat.com> <1311007687.5922.41.camel@dhcp-25-52.brq.redhat.com> <4E251D90.3040906@redhat.com> Message-ID: <1311076058.10995.17.camel@dhcp-25-52.brq.redhat.com> On Tue, 2011-07-19 at 08:00 +0200, Jan Cholasta wrote: > On 18.7.2011 18:48, Martin Kosek wrote: > > On Mon, 2011-07-18 at 17:16 +0200, Jan Cholasta wrote: > >> https://fedorahosted.org/freeipa/ticket/1469 > >> > >> Honza > >> > > > > The patch is missing. > > > > Martin > > > > Is it? > > ...it is! > > Sorry. > > Honza > ACK. Works as advertised. NG data are not removed. Pushed to master, ipa-2-0. Martin From jcholast at redhat.com Tue Jul 19 13:21:43 2011 From: jcholast at redhat.com (Jan Cholasta) Date: Tue, 19 Jul 2011 15:21:43 +0200 Subject: [Freeipa-devel] [PATCH] 098 Fix sudorule-remove-user In-Reply-To: <1311065289.10995.7.camel@dhcp-25-52.brq.redhat.com> References: <1311065289.10995.7.camel@dhcp-25-52.brq.redhat.com> Message-ID: <4E2584E7.9030004@redhat.com> On 19.7.2011 10:48, Martin Kosek wrote: > This is a follow up to JR's patch 36. > > --- > Removed sudorule "External User" is displayed in the output when > "--all" switch is used. > > https://fedorahosted.org/freeipa/ticket/1489 > ACK. Honza -- Jan Cholasta From mkosek at redhat.com Tue Jul 19 13:24:47 2011 
From: mkosek at redhat.com (Martin Kosek) Date: Tue, 19 Jul 2011 15:24:47 +0200 Subject: [Freeipa-devel] [PATCH] 098 Fix sudorule-remove-user In-Reply-To: <4E2584E7.9030004@redhat.com> References: <1311065289.10995.7.camel@dhcp-25-52.brq.redhat.com> <4E2584E7.9030004@redhat.com> Message-ID: <1311081889.10995.18.camel@dhcp-25-52.brq.redhat.com> On Tue, 2011-07-19 at 15:21 +0200, Jan Cholasta wrote: > On 19.7.2011 10:48, Martin Kosek wrote: > > This is a follow up to JR's patch 36. > > > > --- > > Removed sudorule "External User" is displayed in the output when > > "--all" switch is used. > > > > https://fedorahosted.org/freeipa/ticket/1489 > > > > ACK. > > Honza > Pushed to master, ipa-2-0. Martin From abokovoy at redhat.com Tue Jul 19 13:26:54 2011 From: abokovoy at redhat.com (Alexander Bokovoy) Date: Tue, 19 Jul 2011 16:26:54 +0300 Subject: [Freeipa-devel] [PATCH] 05 Fix sssd.conf to always have IPA certificate for the domain Message-ID: <4E25861E.9010809@redhat.com> https://fedorahosted.org/freeipa/ticket/1476 -- / Alexander Bokovoy -------------- next part -------------- An embedded and charset-unspecified text was scrubbed... Name: freeipa-abbra-0005-ticket-1476.patch URL: From JR.Aquino at citrix.com Tue Jul 19 13:30:26 2011 
From: JR.Aquino at citrix.com (JR Aquino) Date: Tue, 19 Jul 2011 13:30:26 +0000 Subject: [Freeipa-devel] [PATCH] 37 Correct sudo runasuser and runasgroup attributes in schema In-Reply-To: <1311067254.10995.11.camel@dhcp-25-52.brq.redhat.com> References: <2B86A5AB-F26C-4CAF-B5ED-0AAD7D703E28@citrixonline.com> <1311067254.10995.11.camel@dhcp-25-52.brq.redhat.com> Message-ID: <4E7995DA-20A4-456E-9D1A-FD5C42217208@citrix.com> On Jul 19, 2011, at 2:32 AM, "Martin Kosek" wrote: > On Mon, 2011-07-18 at 23:43 +0000, JR Aquino wrote: >> https://fedorahosted.org/freeipa/ticket/1309 >> >> Added .update file to correct the sudo schema during freeipa updates on older systems. >> Modified Makefile.am to account for new .update file. >> > > NACK. > > This fixes the schema well, but sudoRunAsGroup attribute is still filled > incorrectly. I think that the sudo LDAP compat plugin has to be fixed > too. These 2 rules look suspicious: > > schema-compat-entry-attribute: sudoRunAsGroup=%{ipaSudoRunAsExtGroup} > schema-compat-entry-attribute: sudoRunAsGroup=%deref("ipaSudoRunAs","cn") > > And one more minor issue I saw, please fix indentation in Makefile.am. > > Martin Thank you Martin, I will see about addressing the indentation in the make file. As for compat, please look at patch 31 which is also associated with this ticket as it addresses the concern you are referring to: https://fedorahosted.org/freeipa/ticket/1309 Sorry for the confusion, there was a long gap between fixes. From rcritten at redhat.com Tue Jul 19 13:34:02 2011 
From: rcritten at redhat.com (Rob Crittenden) Date: Tue, 19 Jul 2011 09:34:02 -0400 Subject: [Freeipa-devel] [PATCH] 831 fix removing external netgroup hosts Message-ID: <4E2587CA.5050900@redhat.com> When removing an external host member it was still showing in the return data as a member despite being removed properly. ticket https://fedorahosted.org/freeipa/ticket/1492 -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-rcrit-831-netgroup.patch Type: text/x-diff Size: 1158 bytes Desc: not available URL: From abokovoy at redhat.com Tue Jul 19 13:36:45 2011 
From: abokovoy at redhat.com (Alexander Bokovoy) Date: Tue, 19 Jul 2011 16:36:45 +0300 Subject: [Freeipa-devel] [PATCH] 4 (1) ipa-client-install complains about non-existing nss_ldap In-Reply-To: <4E1470A1.9060306@redhat.com> References: <4E0D96FF.2050406@redhat.com> <4E0DB57B.1070105@redhat.com> <4E0DB6F4.6040904@redhat.com> <4E0DBB32.9030804@redhat.com> <1309524027.2681.143.camel@willson.li.ssimo.org> <4E1470A1.9060306@redhat.com> Message-ID: <4E25886D.6090105@redhat.com> On 06.07.2011 17:26, Rob Crittenden wrote: >>>>> ipa-client-install should be usable on non-RH platforms (see >>>>> https://fedorahosted.org/freeipa/ticket/1374), so you shouldn't use >>>>> /bin/rpm, as that's platform-specific. Wouldn't just rephrasing the >>>>> warning message (as suggested in the ticket) be sufficient? >>>> If you want to support non-rpm-based platforms, you'll need to do much >>>> greater work than not depend on rpm. For example, /sbin/service and >>>> chkconfig might not be there. >>> >>> I'm not sure adding even more complexity is helpful, especially when >>> it's used just to print a warning message. But I'd like a second opinion >>> on this. >> >> I think it is time we start renaming ipautil.py to ipautil-rh.py and do >> ourselves, or invite someone to write ipautil-debian.py, then have code >> that loads the right module at runtime. >> >> Simo. >> > > I believe that nss-pam-ldapd uses a different configuration file than > nss_ldap, I think I'd rather use the existence of that to determine what > is being used. Calling out to rpm seems heavy-weight. In continuation of the same story, ticket 1368 asks for propagating hostname into static configuration (/etc/sysconfig/network, HOSTNAME variable on Red Hat systems). This is an example of system-specific common code where we want to ensure configuration is made and backed up but we don't care what the configuration's location and format are. I.e. a perfect example for writing platform-specific support. 
I'm going to rework ipautil into providing common functions and loading platform-specific ones from separate files so that we can have Red Hat or Fedora (or LSB) platforms, Debian-based platforms and so on. Remember, this is for ipa-client-install so some flexibility is welcomed here. I'll try to avoid using package management tools in such platform-specific code as much as possible also to avoid lock conflicts (if something is being installed in the background you might get blocked when querying the package database). We don't need to do platform detection at runtime as that could be deferred to package maintainers. After all, IPA most likely will be packaged and ipa-client-install will come from such a package. Thus, providing a proper ipautil-system.py file can be done as a packaging effort. -- / Alexander Bokovoy From jcholast at redhat.com Tue Jul 19 13:52:38 2011 From: jcholast at redhat.com (Jan Cholasta) Date: Tue, 19 Jul 2011 15:52:38 +0200 Subject: [Freeipa-devel] [PATCH] 831 fix removing external netgroup hosts In-Reply-To: <4E2587CA.5050900@redhat.com> References: <4E2587CA.5050900@redhat.com> Message-ID: <4E258C26.7080605@redhat.com> On 19.7.2011 15:34, Rob Crittenden wrote: > When removing an external host member it was still showing in the return > data as a member despite being removed properly. > > ticket https://fedorahosted.org/freeipa/ticket/1492 > You store the result of ldap.get_entry in a variable and never use it again. IMO you should either use the result (as Martin did in patch 98) or remove the ldap.get_entry line altogether (please correct me if I'm missing something). Honza -- Jan Cholasta From mkosek at redhat.com Tue Jul 19 13:54:52 2011 
From: mkosek at redhat.com (Martin Kosek) Date: Tue, 19 Jul 2011 15:54:52 +0200 Subject: [Freeipa-devel] [PATCH] 820 make client errors clearer In-Reply-To: <4E147955.5070401@redhat.com> References: <4E147955.5070401@redhat.com> Message-ID: <1311083697.10995.21.camel@dhcp-25-52.brq.redhat.com> On Wed, 2011-07-06 at 11:03 -0400, Rob Crittenden wrote: > Some client errors were rather generic or outright misleading. This > cleans up some return values and displays output from the ipa-enrollment > extended operation. > > ticket https://fedorahosted.org/freeipa/ticket/1417 NACK. Good patch, but I found one issue: ipa-client/ipa-install/ipa-client-install: - if ret == -1 or not ds.getDomainName(): + if ret == ipadiscovery.NO_LDAP_SERVER or not ds.getDomainName(): You check for another error. That way the domain problem will not get caught there. Martin From rcritten at redhat.com Tue Jul 19 14:08:12 2011 
From: rcritten at redhat.com (Rob Crittenden) Date: Tue, 19 Jul 2011 10:08:12 -0400 Subject: [Freeipa-devel] [PATCH] 831 fix removing external netgroup hosts In-Reply-To: <4E258C26.7080605@redhat.com> References: <4E2587CA.5050900@redhat.com> <4E258C26.7080605@redhat.com> Message-ID: <4E258FCC.30201@redhat.com> Jan Cholasta wrote: > On 19.7.2011 15:34, Rob Crittenden wrote: >> When removing an external host member it was still showing in the return >> data as a member despite being removed properly. >> >> ticket https://fedorahosted.org/freeipa/ticket/1492 >> > > You store the result of ldap.get_entry in a variable and never use it > again. IMO you should either use the result (as Martin did in patch 98) > or remove the ldap.get_entry line altogether (please correct me if I'm > missing something). > > Honza > Nope, goof on my part, updated patch attached. It worked in my test b/c I only had a single external host. Updated patch attached. rob -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-rcrit-831-2-netgroup.patch Type: text/x-diff Size: 1820 bytes Desc: not available URL: From mkosek at redhat.com Tue Jul 19 14:10:29 2011 
From: mkosek at redhat.com (Martin Kosek) Date: Tue, 19 Jul 2011 16:10:29 +0200 Subject: [Freeipa-devel] [PATCH] 810 fix re-enrolling a host with a OTP In-Reply-To: <4E0DEA60.5020003@redhat.com> References: <4E0A0B9F.9030402@redhat.com> <4E0CE134.8000809@redhat.com> <4E0DEA60.5020003@redhat.com> Message-ID: <1311084631.10995.23.camel@dhcp-25-52.brq.redhat.com> On Fri, 2011-07-01 at 11:40 -0400, Rob Crittenden wrote: > Rob Crittenden wrote: > > Rob Crittenden wrote: > >> Don't set krbLastPwdChange when setting a host OTP password. > >> > >> We have no visibility into whether an entry has a keytab or not so > >> krbLastPwdChange is used as a rough guide. > >> > >> If this value exists during enrollment then it fails because the host is > >> considered already joined. This was getting set when an OTP was added to > >> a host that had already been enrolled (e.g. you enroll a host, unenroll > >> it, set an OTP, then try to re-enroll). The second enrollment was failing > >> because the enrollment plugin thought it was still enrolled because > >> krbLastPwdChange was set. > >> > >> https://fedorahosted.org/freeipa/ticket/1357 > >> > >> rob > > > > self-nack, found a corner case. > > Updated patch. > > rob ACK. Works as advertised, no problem found. Martin From jcholast at redhat.com Tue Jul 19 14:29:07 2011 
From: jcholast at redhat.com (Jan Cholasta) Date: Tue, 19 Jul 2011 16:29:07 +0200 Subject: [Freeipa-devel] [PATCH] 831 fix removing external netgroup hosts In-Reply-To: <4E258FCC.30201@redhat.com> References: <4E2587CA.5050900@redhat.com> <4E258C26.7080605@redhat.com> <4E258FCC.30201@redhat.com> Message-ID: <4E2594B3.3040307@redhat.com> On 19.7.2011 16:08, Rob Crittenden wrote: > Jan Cholasta wrote: >> On 19.7.2011 15:34, Rob Crittenden wrote: >>> When removing an external host member it was still showing in the return >>> data as a member despite being removed properly. >>> >>> ticket https://fedorahosted.org/freeipa/ticket/1492 >>> >> >> You store the result of ldap.get_entry in a variable and never use it >> again. IMO you should either use the result (as Martin did in patch 98) >> or remove the ldap.get_entry line altogether (please correct me if I'm >> missing something). >> >> Honza >> > > Nope, goof on my part, updated patch attached. It worked in my test b/c > I only had a single external host. > > Updated patch attached. > > rob ACK. Honza -- Jan Cholasta From mkosek at redhat.com Tue Jul 19 14:30:47 2011 
From: mkosek at redhat.com (Martin Kosek) Date: Tue, 19 Jul 2011 16:30:47 +0200 Subject: [Freeipa-devel] [PATCH] 31 Correct behavior for sudorunasgroup vs sudorunasuser In-Reply-To: References: Message-ID: <1311085849.10995.28.camel@dhcp-25-52.brq.redhat.com> On Tue, 2011-06-14 at 19:03 +0000, JR Aquino wrote: > Adjustment to install/share/schema_compat.uldif to correctly assign sudorunasuser for both a user and group object respectively. > > The bug had to do with the compat plugin syntax needing to correctly identify the difference behind intent with the 'runas' attributes. > > The difference in handling is: > Sudo allowing someone to run a command as a user, or any user in a _group_. > vs > Sudo allowing someone to run a command as their own user but with a different _Group_ or GUID. > > This is a very subtle difference that can be frustrating to configure / think about. > > I have added a patch to address new standard installs and updates. > > (This Fix is blocked by https://bugzilla.redhat.com/show_bug.cgi?id=713209) NACK. 1) You forgot to update install/updates/Makefile.am so that the update is really executed. Please check that there won't be a conflict with your patch 37, they touch the same areas. 2) Syntax of the "replace" statement in .update files has changed since you submitted your patch. The old and the new value are delimited with "::" now, IIRC. Martin From rcritten at redhat.com Tue Jul 19 14:31:01 2011 
From: rcritten at redhat.com (Rob Crittenden) Date: Tue, 19 Jul 2011 10:31:01 -0400 Subject: [Freeipa-devel] [PATCH] 831 fix removing external netgroup hosts In-Reply-To: <4E2594B3.3040307@redhat.com> References: <4E2587CA.5050900@redhat.com> <4E258C26.7080605@redhat.com> <4E258FCC.30201@redhat.com> <4E2594B3.3040307@redhat.com> Message-ID: <4E259525.3020005@redhat.com> Jan Cholasta wrote: > On 19.7.2011 16:08, Rob Crittenden wrote: >> Jan Cholasta wrote: >>> On 19.7.2011 15:34, Rob Crittenden wrote: >>>> When removing an external host member it was still showing in the >>>> return >>>> data as a member despite being removed properly. >>>> >>>> ticket https://fedorahosted.org/freeipa/ticket/1492 >>>> >>> >>> You store the result of ldap.get_entry in a variable and never use it >>> again. IMO you should either use the result (as Martin did in patch 98) >>> or remove the ldap.get_entry line altogether (please correct me if I'm >>> missing something). >>> >>> Honza >>> >> >> Nope, goof on my part, updated patch attached. It worked in my test b/c >> I only had a single external host. >> >> Updated patch attached. >> >> rob > > ACK. > > Honza > pushed to master and ipa-2-0 From rcritten at redhat.com Tue Jul 19 14:34:41 2011 
From: rcritten at redhat.com (Rob Crittenden) Date: Tue, 19 Jul 2011 10:34:41 -0400 Subject: [Freeipa-devel] [PATCH] 810 fix re-enrolling a host with a OTP In-Reply-To: <1311084631.10995.23.camel@dhcp-25-52.brq.redhat.com> References: <4E0A0B9F.9030402@redhat.com> <4E0CE134.8000809@redhat.com> <4E0DEA60.5020003@redhat.com> <1311084631.10995.23.camel@dhcp-25-52.brq.redhat.com> Message-ID: <4E259601.30008@redhat.com> Martin Kosek wrote: > On Fri, 2011-07-01 at 11:40 -0400, Rob Crittenden wrote: >> Rob Crittenden wrote: >>> Rob Crittenden wrote: >>>> Don't set krbLastPwdChange when setting a host OTP password. >>>> >>>> We have no visibility into whether an entry has a keytab or not so >>>> krbLastPwdChange is used as a rough guide. >>>> >>>> If this value exists during enrollment then it fails because the host is >>>> considered already joined. This was getting set when an OTP was added to >>>> a host that had already been enrolled (e.g. you enroll a host, unenroll >>>> it, set an OTP, then try to re-enroll). The second enrollment was failing >>>> because the enrollment plugin thought it was still enrolled because >>>> krbLastPwdChange was set. >>>> >>>> https://fedorahosted.org/freeipa/ticket/1357 >>>> >>>> rob >>> >>> self-nack, found a corner case. >> >> Updated patch. >> >> rob > > ACK. Works as advertised, no problem found. > > Martin > pushed to master and ipa-2-0 From rcritten at redhat.com Tue Jul 19 14:40:08 2011 
From: rcritten at redhat.com (Rob Crittenden) Date: Tue, 19 Jul 2011 10:40:08 -0400 Subject: [Freeipa-devel] [PATCH] 820 make client errors clearer In-Reply-To: <1311083697.10995.21.camel@dhcp-25-52.brq.redhat.com> References: <4E147955.5070401@redhat.com> <1311083697.10995.21.camel@dhcp-25-52.brq.redhat.com> Message-ID: <4E259748.1020006@redhat.com> Martin Kosek wrote: > On Wed, 2011-07-06 at 11:03 -0400, Rob Crittenden wrote: >> Some client errors were rather generic or outright misleading. This >> cleans up some return values and displays output from the ipa-enrollment >> extended operation. >> >> ticket https://fedorahosted.org/freeipa/ticket/1417 > > NACK. > > Good patch, but I found one issue: > > ipa-client/ipa-install/ipa-client-install: > - if ret == -1 or not ds.getDomainName(): > + if ret == ipadiscovery.NO_LDAP_SERVER or not ds.getDomainName(): > > You check for another error. That way the domain problem will not get > caught there. > > Martin > Updated patch attached, catching NOT_FQDN now. rob -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-rcrit-820-2-client.patch Type: text/x-diff Size: 10985 bytes Desc: not available URL: From rcritten at redhat.com Tue Jul 19 14:44:58 2011 From: rcritten at redhat.com (Rob Crittenden) Date: Tue, 19 Jul 2011 10:44:58 -0400 Subject: [Freeipa-devel] [PATCH] 05 Fix sssd.conf to always have IPA certificate for the domain In-Reply-To: <4E25861E.9010809@redhat.com> References: <4E25861E.9010809@redhat.com> Message-ID: <4E25986A.50009@redhat.com> Alexander Bokovoy wrote: > https://fedorahosted.org/freeipa/ticket/1476 > ack, pushed to master and ipa-2-0 From JR.Aquino at citrix.com Tue Jul 19 17:43:54 2011 
From: JR.Aquino at citrix.com (JR Aquino) Date: Tue, 19 Jul 2011 17:43:54 +0000 Subject: [Freeipa-devel] [PATCH] 34 Create FreeIPA CLI Plugin for the 389 Auto Membership plugin In-Reply-To: <4E2054E3.5060306@redhat.com> References: <99CC5FCC-73CE-43C1-9B73-4DDD69A4637D@citrixonline.com> <1310730613.32137.22.camel@dhcp-25-52.brq.redhat.com> <4E2054E3.5060306@redhat.com> Message-ID: <84A3F669-CCF3-4C6C-9525-5BD4A71E6E1E@citrixonline.com> On Jul 15, 2011, at 7:55 AM, Rob Crittenden wrote: > Martin Kosek wrote: >> On Thu, 2011-07-14 at 23:05 +0000, JR Aquino wrote: >>> On Jul 14, 2011, at 11:55 AM, wrote: >>> >>>> https://fedorahosted.org/freeipa/ticket/1272 >>>> >>>> * Added new container in etc to hold the automembership configs. >>>> * Modified constants to point to the new container >>>> * Modified dsinstance to create the container >>>> * Modified hostgroup.py to add the new commands >>>> * Added xmlrpc test to verify functionality >>> >>> Minor adjustment: >>> Auto Membership Plugin isn't available until 1.2.9-0.2+ >>> >>> Modified freeipa.spec.in: >>> BuildRequires: 389-ds-base-devel>= 1.2.9-0.2 >> >> I have reviewed your patch. Basic functionality is OK but I have some >> concerns. >> >> 1) I am not sure with the command name, it is not really clear to me >> what this command does. But I know from my experience that inventing a >> cool name for something new may be the most difficult task at all :-) >> Maybe command name "hostgrouprule" or "hostgroupauto" would be more >> clear? Perhaps my example docs were too soft with fqdn=^www[1-9]+\.example\.com etc.. I should 'clarify'... 
Perhaps what I need to do is add more useful information to the doc, for example if I were to add examples to the doc area where hostnames look like: w[1-9]+s2r8\.example\.com The real reason for the usefulness of this technology is in SaaS, Cloud, and Cluster environments, where the hostnames tend to be non-human-readable and more like a serial number detailing their function, their rack location, their vm-instance, etc... It was those scenarios, which caused me so much grief as a security engineer trying to assign rights, that made it clear I could just define a reproducible pattern to match assignment into a host group. The hostnames needed clarity in order to understand where they belonged in the network. I'll give it one more chance to pass the censors since I've been internally calling it clarity for the last 2 1/2 years that I've been using it... >> >> >> 2) Overloading execute method in functions >> hostgroupclarity_add_condition and hostgroupclarity_remove_condition is >> an over-kill for me. I think we could just read current >> inclusive/exclusive regexes in pre_callback, modify them and let >> LDAPUpdate class do the standard LDAP operations. I'll recode to perform the actions in a pre_callback. >> >> >> 3) I miss hostgroupclarity-mod module. What would I do if I want to >> update Description? Thank you for catching this, I will add it. >> >> >> 4) I didn't like this construct in the code, it's error-prone to >> potential future parameter changes. >> + if len(options) == 2: # 'all' and 'raw' are always sent >> + raise errors.EmptyModlist() >> I know it's in baseldap.py but I still wouldn't like to see this in >> plugins. I should be able to omit that once the code is located in the pre_callback. >> >> >> 5) Test test_clarityrule_plugin.py: reference to inexistent python >> module: >> +Test the `ipalib/plugins/clarityrule.py` module. Thank you, that is left over from a previous attempt. I will remove it. 
>> >> >> Then I did some real testing of the new command: >> >> 6) Invalid examples, fqdn is not supposed to be a part of regex >> $ ipa hostgroupclarity-add --inclusive-hostname-regex=fqdn=^www[1-9]+\.example\.com webservers >> Hostgroup Clarity Rule: webservers >> Inclusive Regex: fqdn=fqdn=^www[1-9]+.example.com Also an oversight, thanks, I will correct it. >> >> >> 7) It does not make sense to have a rule with only an exclusive regex: >> $ ipa hostgroupclarity-add --exclusive-hostname-regex=^www5+\.example\.com webservers >> Hostgroup Clarity Rule: webservers >> $ ipa host-add --force foo.example.co >> $ ipa hostgroup-show webservers >> Host-group: webservers >> Description: Web Servers >> Member hosts: www1.example.com >> >> I think we should 1) hide exclusive regex option in hostgroupclarity-add >> and 2) check that there is at least one inclusive regex in the rule when >> running hostgroupclarity-add-condition and >> hostgroupclarity-remove-condition. I agree, I'll hide it during the creation, and force it to require an inclusive prior to adding an exclusive. >> >> >> 8) Plugin incorrectly handles a situation when both inclusive and exclusive regex-es are being added: >> >> $ ipa hostgroupclarity-add --inclusive-hostname-regex=^www[1-9]+\.example\.com webservers >> Hostgroup Clarity Rule: webservers >> Inclusive Regex: fqdn=^www[1-9]+.example.com >> $ ipa hostgroupclarity-add-condition --inclusive-hostname-regex=^web[1-9]+\.example\.com --exclusive-hostname-regex=www5\.example\.com webservers >> Inclusive Regex: fqdn=^web[1-9]+.example.com, fqdn=^www[1-9]+.example.com >> Exclusive Regex: www5.example.com >> >> Exclusive regex misses fqdn. Will look into this. 
>> >> >> 9) Removing multiple conditions also works incorrectly: >> >> $ ipa hostgroupclarity-show webservers >> Hostgroup Clarity Rule: webservers >> Inclusive Regex: fqdn=^www[1-9]+.example.com, fqdn=^web[1-9]+.example.com >> Exclusive Regex: fqdn=www5.example.com >> $ ipa hostgroupclarity-remove-condition webservers --inclusive-hostname-regex=^www[1-9]+\.example\.com --exclusive-hostname-regex=www5\.example\.com >> Inclusive Regex: fqdn=^web[1-9]+.example.com >> $ ipa hostgroupclarity-show webservers >> Hostgroup Clarity Rule: webservers >> Inclusive Regex: fqdn=^web[1-9]+.example.com >> Exclusive Regex: fqdn=www5.example.com Same as above likely. >> >> >> 10) When removing nonexistent regex I would expect more explaining error message: >> >> $ ipa hostgroupclarity-show webservers >> Hostgroup Clarity Rule: webservers >> Inclusive Regex: fqdn=^web[1-9]+.example.com >> Exclusive Regex: fqdn=www5.example.com >> $ ipa hostgroupclarity-remove-condition webservers --inclusive-hostname-regex=foo >> ipa: ERROR: no modifications to be performed I'll see what better exception can be thrown. Thanks! > > I think that with group_dn() you should use the api to get the entry rather than calling LDAP directly (I'd stick it into the clarity object). > > This is untested but I think it will work: > > def hostgroup_dn(self, hostgroup): > entry = self.api.Command.user_show(hostgroup, all=True)['result'] > return entry['dn'] > > rob I'll try this instead, thanks Rob! -JR From ayoung at redhat.com Tue Jul 19 19:05:12 2011 
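The review points 6 through 10 above all concern how inclusive and exclusive hostname regexes are stored and evaluated. The following is an added example, written for this archive and not code from FreeIPA, from the 389 Auto Membership plugin or from JR's patch. It models one hostgroup rule in memory with the membership semantics I understand 389-ds automember to use (an entry is a member if it matches at least one inclusive regex and none of the exclusive ones), normalizes the `fqdn=` prefix so the doubled `fqdn=fqdn=` form from point 6 cannot occur, refuses a rule that has only exclusive regexes (point 7), removes inclusive and exclusive conditions in one call (point 9) and names the missing regex when a removal does not apply (point 10). The class name `AutomemberRule`, its method names, `ConditionError` and the `SAMPLE_HOSTS` entries are all constructed for the example. The last sample host also shows why the patterns quoted in the review should be anchored with `$` as well as `^`: unanchored, `^www[1-9]+\.example\.com` also matches a name that merely starts with that string.

```python
import re

DEFAULT_ATTR = "fqdn"


class ConditionError(ValueError):
    """Raised when a condition edit cannot be applied; the message names the
    offending regex instead of a bare 'no modifications to be performed'."""


def normalize_condition(cond, attr=DEFAULT_ATTR):
    """Return the stored 'attr=regex' form with the prefix present exactly once.

    The CLI under review prepended 'fqdn=' unconditionally, so a user who typed
    the prefix ended up with 'fqdn=fqdn=...' (review point 6). Strip any leading
    copies of the prefix, validate the pattern, then add the prefix back.
    """
    prefix = attr + "="
    while cond.startswith(prefix):
        cond = cond[len(prefix):]
    if not cond:
        raise ConditionError("empty regular expression")
    re.compile(cond)  # reject a syntactically broken pattern before storing it
    return prefix + cond


class AutomemberRule:
    """Hypothetical in-memory model of one hostgroup automember rule (not FreeIPA code).

    Membership: an entry is a member if it matches at least one inclusive regex
    and none of the exclusive ones. A rule holding only exclusive regexes can
    therefore never match, which is why review point 7 wants an inclusive regex first.
    """

    def __init__(self, name):
        self.name = name
        self.inclusive = []
        self.exclusive = []

    def add_conditions(self, inclusive=(), exclusive=()):
        inc = list(dict.fromkeys(normalize_condition(c) for c in inclusive))
        exc = list(dict.fromkeys(normalize_condition(c) for c in exclusive))
        if exc and not (self.inclusive or inc):
            raise ConditionError("rule %s has no inclusive regex; an exclusive "
                                 "regex alone can never match a host" % self.name)
        added = [c for c in inc if c not in self.inclusive]
        added += [c for c in exc if c not in self.exclusive]
        if not added:
            raise ConditionError("all given conditions already exist in rule %s" % self.name)
        self.inclusive.extend(c for c in inc if c not in self.inclusive)
        self.exclusive.extend(c for c in exc if c not in self.exclusive)
        return added

    def remove_conditions(self, inclusive=(), exclusive=()):
        """Remove inclusive and exclusive regexes in one call (point 9). Check
        everything first so a missing regex fails the whole call (point 10)."""
        inc = [normalize_condition(c) for c in inclusive]
        exc = [normalize_condition(c) for c in exclusive]
        missing = [c for c in inc if c not in self.inclusive]
        missing += [c for c in exc if c not in self.exclusive]
        if missing:
            raise ConditionError("rule %s has no condition %s" % (self.name, ", ".join(missing)))
        self.inclusive = [c for c in self.inclusive if c not in inc]
        self.exclusive = [c for c in self.exclusive if c not in exc]
        return inc + exc

    def matches(self, entry):
        """Evaluate one entry (a dict of attribute -> value) against the rule."""
        def hit(cond):
            attr, _, regex = cond.partition("=")
            value = entry.get(attr)
            return value is not None and re.search(regex, value) is not None
        return any(hit(c) for c in self.inclusive) and not any(hit(c) for c in self.exclusive)

    def members(self, entries):
        return sorted(e[DEFAULT_ATTR] for e in entries if self.matches(e))


# Constructed host entries (not from the thread). The last one only starts with
# an example.com name, so it shows the difference an anchored regex makes.
SAMPLE_HOSTS = [{"fqdn": h} for h in (
    "www1.example.com", "www5.example.com", "web3.example.com",
    "w7s2r8.example.com", "db1.example.com", "www2.example.com.other.test")]


def build_webservers_rule(anchored=False):
    """Rebuild the review's 'webservers' rule; anchored=True appends '$' to each regex."""
    end = "$" if anchored else ""
    rule = AutomemberRule("webservers")
    rule.add_conditions(inclusive=[r"fqdn=^www[1-9]+\.example\.com" + end])  # user typed the prefix
    rule.add_conditions(inclusive=[r"^web[1-9]+\.example\.com" + end],
                        exclusive=[r"www5\.example\.com" + end])
    return rule


def build_serial_rule():
    """Serial-number style names (slot and rack encoded), as in the w[1-9]+s2r8 example above."""
    rule = AutomemberRule("rack8-slot2")
    rule.add_conditions(inclusive=[r"^w[1-9]+s2r8\.example\.com$"])
    return rule


if __name__ == "__main__":
    for r in (build_webservers_rule(), build_webservers_rule(anchored=True), build_serial_rule()):
        print(r.name, r.inclusive, r.exclusive, "->", r.members(SAMPLE_HOSTS))
```

Running it prints three rules with their stored conditions and resulting members; the unanchored webservers rule picks up `www2.example.com.other.test`, the anchored one does not, and the serial-number rule selects only `w7s2r8.example.com`.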
From: ayoung at redhat.com (Adam Young) Date: Tue, 19 Jul 2011 15:05:12 -0400 Subject: [Freeipa-devel] Bug fix tickets Message-ID: <4E25D568.90602@redhat.com> Petr, the report for UI tickets is: https://fedorahosted.org/freeipa/report/12 I'd like you to take a look at the two 2.1.1 tickets: I've assigned them to pvoborni, but I am not sure that is the right Fedora Account name, please adjust as necessary. For 1477, please follow the second option, identify that there are no records left after a mod, report this using a dialog to the user, and redirect back to the search page. For 1481, I think we want to A) remove the retry button from the error reporting dialog B) Allow customization of the button message for the error dialog. By default it says "cancel" but for this we just want "OK" C) treat this error case as a success case: if the user does "add" close the "Add dialog," if the user does "add and edit," go to the edit page for the newly created host. From edewata at redhat.com Tue Jul 19 19:19:58 2011 From: edewata at redhat.com (Endi Sukma Dewata) Date: Tue, 19 Jul 2011 14:19:58 -0500 Subject: [Freeipa-devel] [PATCH] 211 Added checkbox to remove hosts from DNS. Message-ID: <4E25D8DE.3000502@redhat.com> A custom deleter dialog for hosts has been added to provide an option whether to remove the hosts from DNS. Ticket #1470 -- Endi S. Dewata -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-edewata-0211-Added-checkbox-to-remove-hosts-from-DNS.patch Type: text/x-patch Size: 7928 bytes Desc: not available URL: From rcritten at redhat.com Tue Jul 19 20:39:25 2011 
From: rcritten at redhat.com (Rob Crittenden) Date: Tue, 19 Jul 2011 16:39:25 -0400 Subject: [Freeipa-devel] [PATCH] 832 fix netgroup regression Message-ID: <4E25EB7D.3090601@redhat.com> In my patch to fix netgroup calculation I converted one too many references to entry_attrs. The self tests caught this, too bad I didn't run them before submitting the patch. I pushed this as a one-liner. rob -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-rcrit-832-netgroup.patch Type: text/x-diff Size: 1104 bytes Desc: not available URL: From rcritten at redhat.com Tue Jul 19 20:41:16 2011 From: rcritten at redhat.com (Rob Crittenden) Date: Tue, 19 Jul 2011 16:41:16 -0400 Subject: [Freeipa-devel] [PATCH] 833 fix sudorule unit tests Message-ID: <4E25EBEC.7010704@redhat.com> With the external user/group management fixed, correct the unit tests. The unit tests were incorrectly expecting the removed data back when removing external users. rob -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-rcrit-833-sudorule.patch Type: text/x-diff Size: 1326 bytes Desc: not available URL: From JR.Aquino at citrix.com Tue Jul 19 21:05:58 2011 
From: JR.Aquino at citrix.com (JR Aquino) Date: Tue, 19 Jul 2011 21:05:58 +0000 Subject: [Freeipa-devel] [PATCH] 31 Correct behavior for sudorunasgroup vs sudorunasuser In-Reply-To: <1311085849.10995.28.camel@dhcp-25-52.brq.redhat.com> References: <1311085849.10995.28.camel@dhcp-25-52.brq.redhat.com> Message-ID: <8C555B3B-921A-4781-ACF9-78E32AA9EC49@citrixonline.com> On Jul 19, 2011, at 7:30 AM, Martin Kosek wrote: > On Tue, 2011-06-14 at 19:03 +0000, JR Aquino wrote: >> Adjustment to install/share/schema_compat.uldif to correctly assign sudorunasuser for both a user and group object respectively. >> >> The bug had to do with the compat plugin syntax needing to correctly identify the difference behind intent with the 'runas' attributes. >> >> The difference is handling is: >> Sudo allowing someone to run a command as a user, or any user in a _group_. >> vs >> Sudo allowing someone to run a command as their own user but with a different _Group_ or GUID. >> >> This is a very subtle difference that can be frustrating to configure / think about. >> >> I have added a patch to address new standard installs and updates. >> >> (This Fix is blocked by https://bugzilla.redhat.com/show_bug.cgi?id=713209) > > NACK. > > 1) You forgot to update install/updates/Makefile.am so that the update > is really executed. Please check that there won't be a conflict with > your patch 37, they touch the same areas. Fixed > > 2) Syntax of the "replace" statement in .update files has changed since > you submitted your patch. The old and the new value are delimited with > "::" now, IIRC. And Fixed -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-jraquino-0031-Correct-behavior-for-sudorunasgroup-vs-sudorunasuser.patch Type: application/octet-stream Size: 1351 bytes Desc: freeipa-jraquino-0031-Correct-behavior-for-sudorunasgroup-vs-sudorunasuser.patch URL: From JR.Aquino at citrix.com Tue Jul 19 22:23:57 2011 
From: JR.Aquino at citrix.com (JR Aquino) Date: Tue, 19 Jul 2011 22:23:57 +0000 Subject: [Freeipa-devel] [PATCH] 31 Correct behavior for sudorunasgroup vs sudorunasuser In-Reply-To: <8C555B3B-921A-4781-ACF9-78E32AA9EC49@citrixonline.com> References: <1311085849.10995.28.camel@dhcp-25-52.brq.redhat.com> <8C555B3B-921A-4781-ACF9-78E32AA9EC49@citrixonline.com> Message-ID: <7F93D666-9E26-4252-B129-FA54C1C436D4@citrixonline.com> On Jul 19, 2011, at 2:05 PM, JR Aquino wrote: > On Jul 19, 2011, at 7:30 AM, Martin Kosek wrote: > >> On Tue, 2011-06-14 at 19:03 +0000, JR Aquino wrote: >>> Adjustment to install/share/schema_compat.uldif to correctly assign sudorunasuser for both a user and group object respectively. >>> >>> The bug had to do with the compat plugin syntax needing to correctly identify the difference behind intent with the 'runas' attributes. >>> >>> The difference is handling is: >>> Sudo allowing someone to run a command as a user, or any user in a _group_. >>> vs >>> Sudo allowing someone to run a command as their own user but with a different _Group_ or GUID. >>> >>> This is a very subtle difference that can be frustrating to configure / think about. >>> >>> I have added a patch to address new standard installs and updates. >>> >>> (This Fix is blocked by https://bugzilla.redhat.com/show_bug.cgi?id=713209) >> >> NACK. >> >> 1) You forgot to update install/updates/Makefile.am so that the update >> is really executed. Please check that there won't be a conflict with >> your patch 37, they touch the same areas. > > Fixed > >> >> 2) Syntax of the "replace" statement in .update files has changed since >> you submitted your patch. The old and the new value are delimited with >> "::" now, IIRC. > > And Fixed Final Patch: -Fixed indentation of makefile to use tabs instead of spaces- -------------- next part -------------- A non-text attachment was scrubbed... 
Name: freeipa-jraquino-0031-Correct-behavior-for-sudorunasgroup-vs-sudorunasuser.patch Type: application/octet-stream Size: 1338 bytes Desc: freeipa-jraquino-0031-Correct-behavior-for-sudorunasgroup-vs-sudorunasuser.patch URL: From JR.Aquino at citrix.com Tue Jul 19 22:24:42 2011 From: JR.Aquino at citrix.com (JR Aquino) Date: Tue, 19 Jul 2011 22:24:42 +0000 Subject: [Freeipa-devel] [PATCH] 37 Correct sudo runasuser and runasgroup attributes in schema In-Reply-To: <1311067254.10995.11.camel@dhcp-25-52.brq.redhat.com> References: <2B86A5AB-F26C-4CAF-B5ED-0AAD7D703E28@citrixonline.com> <1311067254.10995.11.camel@dhcp-25-52.brq.redhat.com> Message-ID: On Jul 19, 2011, at 2:20 AM, Martin Kosek wrote: > On Mon, 2011-07-18 at 23:43 +0000, JR Aquino wrote: >> https://fedorahosted.org/freeipa/ticket/1309 >> >> Added .update file to correct the sudo schema during freeipa updates on older systems. >> Modified Makefile.am to account for new .update file. >> > > NACK. > > This fixes the schema well, but sudoRunAsGroup attribute is still filled > incorrectly. I think that the sudo LDAP compat plugin has to be fixed > too. These 2 rules look suspicious: > > schema-compat-entry-attribute: sudoRunAsGroup=%{ipaSudoRunAsExtGroup} > schema-compat-entry-attribute: sudoRunAsGroup=%deref("ipaSudoRunAs","cn") > > And one more minor issue I saw, please fix indentation in Makefile.am. Fixed indentation from spaces to tabs. Also removed trailing whitespace. -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-jraquino-0037-Correct-sudo-runasuser-and-runasgroup-attributes.patch Type: application/octet-stream Size: 3003 bytes Desc: freeipa-jraquino-0037-Correct-sudo-runasuser-and-runasgroup-attributes.patch URL: From ayoung at redhat.com Tue Jul 19 23:35:57 2011 
From: ayoung at redhat.com (Adam Young) Date: Tue, 19 Jul 2011 19:35:57 -0400 Subject: [Freeipa-devel] [PATCH] 0270-removing-setters-setup-and-init Message-ID: <4E2614DD.4090301@redhat.com> -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-admiyo-0270-removing-setters-setup-and-init.patch Type: text/x-patch Size: 187202 bytes Desc: not available URL: From ayoung at redhat.com Tue Jul 19 23:38:34 2011 From: ayoung at redhat.com (Adam Young) Date: Tue, 19 Jul 2011 19:38:34 -0400 Subject: [Freeipa-devel] [PATCH] 0270-removing-setters-setup-and-init In-Reply-To: <4E2614DD.4090301@redhat.com> References: <4E2614DD.4090301@redhat.com> Message-ID: <4E26157A.5080609@redhat.com> On 07/19/2011 07:35 PM, Adam Young wrote: > > > _______________________________________________ > Freeipa-devel mailing list > Freeipa-devel at redhat.com > https://www.redhat.com/mailman/listinfo/freeipa-devel Missed a change to fix the unit tests. -------------- next part -------------- An HTML attachment was scrubbed... URL: -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-admiyo-0270-1-removing-setters-setup-and-init.patch Type: text/x-patch Size: 187734 bytes Desc: not available URL: From rcritten at redhat.com Wed Jul 20 00:49:11 2011 
From: rcritten at redhat.com (Rob Crittenden) Date: Tue, 19 Jul 2011 20:49:11 -0400 Subject: [Freeipa-devel] [PATCH] 834 Hide the HBAC access type attribute now that deny is deprecated. Message-ID: <4E262607.6090806@redhat.com> Hide the HBAC access type attribute now that deny is deprecated. It won't appear in the UI/CLI but is still available via XML-RPC. allow is the default and deny will be rejected. This is not tested in the UI. I'm not sure if this is due to a problem in my tree or something else. https://fedorahosted.org/freeipa/ticket/1495 rob -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-rcrit-834-hbacdeny.patch Type: text/x-diff Size: 7944 bytes Desc: not available URL: From rcritten at redhat.com Wed Jul 20 02:15:20 2011 From: rcritten at redhat.com (Rob Crittenden) Date: Tue, 19 Jul 2011 22:15:20 -0400 Subject: [Freeipa-devel] [PATCH] 835 set default min int, handle longs Message-ID: <4E263A38.4010200@redhat.com> Our handling of long values wasn't the best when dealing with negative values. Added a default minint similar to maxint and validate_scalar in Int to allow either int or long types. This lets it get to the min/max rules where we can compare properly and give a better error response. Note that I changed the language slightly from value 'must be at least x' to 'can be at least x'. It reads better to me this way but I'm flexible. https://fedorahosted.org/freeipa/ticket/1494 rob -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-rcrit-835-minint.patch Type: text/x-diff Size: 5400 bytes Desc: not available URL: From rcritten at redhat.com Wed Jul 20 03:25:14 2011 
From: rcritten at redhat.com (Rob Crittenden) Date: Tue, 19 Jul 2011 23:25:14 -0400 Subject: [Freeipa-devel] [PATCH] 31 Correct behavior for sudorunasgroup vs sudorunasuser In-Reply-To: <7F93D666-9E26-4252-B129-FA54C1C436D4@citrixonline.com> References: <1311085849.10995.28.camel@dhcp-25-52.brq.redhat.com> <8C555B3B-921A-4781-ACF9-78E32AA9EC49@citrixonline.com> <7F93D666-9E26-4252-B129-FA54C1C436D4@citrixonline.com> Message-ID: <4E264A9A.1030707@redhat.com>

JR Aquino wrote:
> On Jul 19, 2011, at 2:05 PM, JR Aquino wrote:
>
>> On Jul 19, 2011, at 7:30 AM, Martin Kosek wrote:
>>
>>> On Tue, 2011-06-14 at 19:03 +0000, JR Aquino wrote:
>>>> Adjustment to install/share/schema_compat.uldif to correctly assign sudorunasuser for both a user and group object respectively.
>>>>
>>>> The bug had to do with the compat plugin syntax needing to correctly identify the difference behind intent with the 'runas' attributes.
>>>>
>>>> The difference in handling is:
>>>> Sudo allowing someone to run a command as a user, or any user in a _group_.
>>>> vs
>>>> Sudo allowing someone to run a command as their own user but with a different _Group_ or GUID.
>>>>
>>>> This is a very subtle difference that can be frustrating to configure / think about.
>>>>
>>>> I have added a patch to address new standard installs and updates.
>>>>
>>>> (This Fix is blocked by https://bugzilla.redhat.com/show_bug.cgi?id=713209)
>>>
>>> NACK.
>>>
>>> 1) You forgot to update install/updates/Makefile.am so that the update is really executed. Please check that there won't be a conflict with your patch 37, they touch the same areas.
>>
>> Fixed
>>
>>> 2) Syntax of the "replace" statement in .update files has changed since you submitted your patch. The old and the new value are delimited with "::" now, IIRC.
>>
>> And Fixed
>
> Final Patch: -Fixed indentation of makefile to use tabs instead of spaces-

This works fine for me, ack.
pushed to master and ipa-2-0 From rcritten at redhat.com Wed Jul 20 03:25:26 2011 From: rcritten at redhat.com (Rob Crittenden) Date: Tue, 19 Jul 2011 23:25:26 -0400 Subject: [Freeipa-devel] [PATCH] 37 Correct sudo runasuser and runasgroup attributes in schema In-Reply-To: References: <2B86A5AB-F26C-4CAF-B5ED-0AAD7D703E28@citrixonline.com> <1311067254.10995.11.camel@dhcp-25-52.brq.redhat.com> Message-ID: <4E264AA6.9070100@redhat.com> JR Aquino wrote: > On Jul 19, 2011, at 2:20 AM, Martin Kosek wrote: > >> On Mon, 2011-07-18 at 23:43 +0000, JR Aquino wrote: >>> https://fedorahosted.org/freeipa/ticket/1309 >>> >>> Added .update file to correct the sudo schema during freeipa updates on older systems. >>> Modified Makefile.am to account for new .update file. >>> >> >> NACK. >> >> This fixes the schema well, but sudoRunAsGroup attribute is still filled >> incorrectly. I think that the sudo LDAP compat plugin has to be fixed >> too. These 2 rules look suspicious: >> >> schema-compat-entry-attribute: sudoRunAsGroup=%{ipaSudoRunAsExtGroup} >> schema-compat-entry-attribute: sudoRunAsGroup=%deref("ipaSudoRunAs","cn") >> >> And one more minor issue I saw, please fix indentation in Makefile.am. > > Fixed indentation from spaces to tabs. > > Also removed trailing whitespace. > ack, pushed to master and ipa-2-0 From mkosek at redhat.com Wed Jul 20 07:31:52 2011 
From: mkosek at redhat.com (Martin Kosek) Date: Wed, 20 Jul 2011 09:31:52 +0200 Subject: [Freeipa-devel] [PATCH] 833 fix sudorule unit tests In-Reply-To: <4E25EBEC.7010704@redhat.com> References: <4E25EBEC.7010704@redhat.com> Message-ID: <1311147114.19914.0.camel@dhcp-25-52.brq.redhat.com>

On Tue, 2011-07-19 at 16:41 -0400, Rob Crittenden wrote:
> With the external user/group management fixed, correct the unit tests.
>
> The unit tests were incorrectly expecting the removed data back when removing external users.
>
> rob

NACK

There is still one unit test failure. Test "test_a_sudorule_add_externaluser" needs to be fixed as well.

Martin

From mkosek at redhat.com Wed Jul 20 07:54:19 2011
From: mkosek at redhat.com (Martin Kosek) Date: Wed, 20 Jul 2011 09:54:19 +0200 Subject: [Freeipa-devel] [PATCH] 835 set default min int, handle longs In-Reply-To: <4E263A38.4010200@redhat.com> References: <4E263A38.4010200@redhat.com> Message-ID: <1311148461.19914.2.camel@dhcp-25-52.brq.redhat.com>

On Tue, 2011-07-19 at 22:15 -0400, Rob Crittenden wrote:
> Our handling of long values wasn't the best when dealing with negative values. Added a default minint similar to maxint and validate_scalar in Int to allow either int or long types. This lets it get to the min/max rules where we can compare properly and give a better error response.
>
> Note that I changed the language slightly from value 'must be at least x' to 'can be at least x'. It reads better to me this way but I'm flexible.
>
> https://fedorahosted.org/freeipa/ticket/1494
>
> rob

ACK, works fine, tests are OK.

I won't argue with the wording of _rule_minvalue, both read OK to me.

Martin

From mkosek at redhat.com Wed Jul 20 08:12:44 2011
From: mkosek at redhat.com (Martin Kosek) Date: Wed, 20 Jul 2011 10:12:44 +0200 Subject: [Freeipa-devel] [PATCH] 820 make client errors clearer In-Reply-To: <4E259748.1020006@redhat.com> References: <4E147955.5070401@redhat.com> <1311083697.10995.21.camel@dhcp-25-52.brq.redhat.com> <4E259748.1020006@redhat.com> Message-ID: <1311149566.19914.4.camel@dhcp-25-52.brq.redhat.com> On Tue, 2011-07-19 at 10:40 -0400, Rob Crittenden wrote: > Martin Kosek wrote: > > On Wed, 2011-07-06 at 11:03 -0400, Rob Crittenden wrote: > >> Some client errors were rather generic or outright misleading. This > >> cleans up some return values and displays output from the ipa-enrollment > >> extended operation. > >> > >> ticket https://fedorahosted.org/freeipa/ticket/1417 > > > > NACK. > > > > Good patch, but I found one issue: > > > > ipa-client/ipa-install/ipa-client-install: > > - if ret == -1 or not ds.getDomainName(): > > + if ret == ipadiscovery.NO_LDAP_SERVER or not ds.getDomainName(): > > > > You check for another error. That way the domain problem will not get > > caught there. > > > > Martin > > > > Updated patch attached, catching NOT_FQDN now. > > rob ACK, works fine. Martin From rcritten at redhat.com Wed Jul 20 13:12:42 2011 
From: rcritten at redhat.com (Rob Crittenden) Date: Wed, 20 Jul 2011 09:12:42 -0400 Subject: [Freeipa-devel] [PATCH] 833 fix sudorule unit tests In-Reply-To: <1311147114.19914.0.camel@dhcp-25-52.brq.redhat.com> References: <4E25EBEC.7010704@redhat.com> <1311147114.19914.0.camel@dhcp-25-52.brq.redhat.com> Message-ID: <4E26D44A.1050001@redhat.com> Martin Kosek wrote: > On Tue, 2011-07-19 at 16:41 -0400, Rob Crittenden wrote: >> With the external user/group management fixed, correct the unit tests. >> >> The unit tests were incorrectly expecting the removed data back when >> removing external users. >> >> rob > > NACK > > There is still one unit test failure. Test > "test_a_sudorule_add_externaluser" needs to be fixed as well. > > Martin > Wow, not sure how I missed this one. Updated patch attached. rob -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-rcrit-833-2-sudorule.patch Type: text/x-diff Size: 1640 bytes Desc: not available URL: From jhrozek at redhat.com Wed Jul 20 15:09:02 2011 
From: jhrozek at redhat.com (Jakub Hrozek) Date: Wed, 20 Jul 2011 17:09:02 +0200 Subject: [Freeipa-devel] [PATCH] 066 Remove wrong kpasswd sysconfig Message-ID: <4E26EF8E.5060902@redhat.com>

I noticed that the file kpasswd init script reads is called "/etc/sysconfig/ipa-kpasswd" but krbinstance.py saved and wrote into "/etc/sysconfig/ipa_kpasswd". I removed the lines rather than fixing them for two reasons:
1) /var/kerberos/krb5kdc/kpasswd.keytab is the default
2) it probably wouldn't have worked anyway because the ktname must be prefixed with "FILE:".

-------------- next part -------------- A non-text attachment was scrubbed... Name: jhrozek-freeipa-066-kpasswd-sysconfig.patch Type: text/x-patch Size: 1027 bytes Desc: not available URL: -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 261 bytes Desc: OpenPGP digital signature URL:

From jhrozek at redhat.com Wed Jul 20 15:10:42 2011
From: jhrozek at redhat.com (Jakub Hrozek) Date: Wed, 20 Jul 2011 17:10:42 +0200 Subject: [Freeipa-devel] [PATCH] 067 Silence a compilation warning in ipa_kpasswd Message-ID: <4E26EFF2.6010609@redhat.com>

I was playing with ipa_kpasswd (long story short - I needed it running on a non-standard port) and I noticed there was a compilation warning - rtag was set but never checked. Also removes one unused #define.

-------------- next part -------------- A non-text attachment was scrubbed... Name: jhrozek-freeipa-067-kpasswd-warnings.patch Type: text/x-patch Size: 2595 bytes Desc: not available URL: -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 261 bytes Desc: OpenPGP digital signature URL:

From mkosek at redhat.com Wed Jul 20 15:29:19 2011
From: mkosek at redhat.com (Martin Kosek) Date: Wed, 20 Jul 2011 17:29:19 +0200 Subject: [Freeipa-devel] [PATCH] 833 fix sudorule unit tests In-Reply-To: <4E26D44A.1050001@redhat.com> References: <4E25EBEC.7010704@redhat.com> <1311147114.19914.0.camel@dhcp-25-52.brq.redhat.com> <4E26D44A.1050001@redhat.com> Message-ID: <1311175761.19914.33.camel@dhcp-25-52.brq.redhat.com> On Wed, 2011-07-20 at 09:12 -0400, Rob Crittenden wrote: > Martin Kosek wrote: > > On Tue, 2011-07-19 at 16:41 -0400, Rob Crittenden wrote: > >> With the external user/group management fixed, correct the unit tests. > >> > >> The unit tests were incorrectly expecting the removed data back when > >> removing external users. > >> > >> rob > > > > NACK > > > > There is still one unit test failure. Test > > "test_a_sudorule_add_externaluser" needs to be fixed as well. > > > > Martin > > > > Wow, not sure how I missed this one. Updated patch attached. > > rob ACK. Pushed to master, ipa-2-0. Martin From rcritten at redhat.com Wed Jul 20 15:32:57 2011 
From: rcritten at redhat.com (Rob Crittenden) Date: Wed, 20 Jul 2011 11:32:57 -0400 Subject: [Freeipa-devel] [PATCH] 835 set default min int, handle longs In-Reply-To: <1311148461.19914.2.camel@dhcp-25-52.brq.redhat.com> References: <4E263A38.4010200@redhat.com> <1311148461.19914.2.camel@dhcp-25-52.brq.redhat.com> Message-ID: <4E26F529.6080300@redhat.com> Martin Kosek wrote: > On Tue, 2011-07-19 at 22:15 -0400, Rob Crittenden wrote: >> Our handling of long values wasn't the best when dealing with negative >> values. Added a default minint similar to maxint and validate_scalar in >> Int to allow either int or long types. This lets it get to the min/max >> rules where we can compare properly and give a better error response. >> >> Note that I changed the language slightly from value 'must be at least >> x' to 'can be at least x'. It reads better to me this way but I'm flexible. >> >> https://fedorahosted.org/freeipa/ticket/1494 >> >> rob > > ACK, works fine, tests are OK. > > I won't argue with the wording of _rule_minvalue, both reads OK to me. > > Martin > pushed to master and ipa-2-0 From rcritten at redhat.com Wed Jul 20 15:37:59 2011 
From: rcritten at redhat.com (Rob Crittenden) Date: Wed, 20 Jul 2011 11:37:59 -0400 Subject: [Freeipa-devel] [PATCH] 34 Create FreeIPA CLI Plugin for the 389 Auto Membership plugin In-Reply-To: <84A3F669-CCF3-4C6C-9525-5BD4A71E6E1E@citrixonline.com> References: <99CC5FCC-73CE-43C1-9B73-4DDD69A4637D@citrixonline.com> <1310730613.32137.22.camel@dhcp-25-52.brq.redhat.com> <4E2054E3.5060306@redhat.com> <84A3F669-CCF3-4C6C-9525-5BD4A71E6E1E@citrixonline.com> Message-ID: <4E26F657.8030901@redhat.com>

JR Aquino wrote:
> On Jul 15, 2011, at 7:55 AM, Rob Crittenden wrote:
>
>> Martin Kosek wrote:
>>> On Thu, 2011-07-14 at 23:05 +0000, JR Aquino wrote:
>>>> On Jul 14, 2011, at 11:55 AM, wrote:
>>>>
>>>>> https://fedorahosted.org/freeipa/ticket/1272
>>>>>
>>>>> * Added new container in etc to hold the automembership configs.
>>>>> * Modified constants to point to the new container
>>>>> * Modified dsinstance to create the container
>>>>> * Modified hostgroup.py to add the new commands
>>>>> * Added xmlrpc test to verify functionality
>>>>
>>>> Minor adjustment:
>>>> Auto Membership Plugin isn't available until 1.2.9-0.2+
>>>>
>>>> Modified freeipa.spec.in:
>>>> BuildRequires: 389-ds-base-devel>= 1.2.9-0.2
>>>
>>> I have reviewed your patch. Basic functionality is OK but I have some concerns.
>>>
>>> 1) I am not sure with the command name, it is not really clear to me what this command does. But I know from my experience that inventing a cool name for something new may be the most difficult task at all :-) Maybe command name "hostgrouprule" or "hostgroupauto" would be more clear?
>
> Perhaps my example docs were too soft with fqdn=^www[1-9]+\.example\.com etc..
> I should 'clarify'... perhaps what I need to do is add more useful information to the doc, for example If I were to add to the doc area examples where hostnames are like: w[1-9]+s2r8\.example\.com
>
> The real reason for the usefulness of this technology, is in SaaS, Cloud, and Cluster environments, where the hostnames tend to be non-human readable, and more like a serial number detailing their function, their rack location, or their vm-instance, etc...
>
> It is because of those scenarios that caused me so much grief as a security engineer trying to assign rights that it became clear that I could just define the reproducible pattern to match assignment into a host group. The hostnames needed clarity in order to understand where they belonged in the network.
>
> I'll give it one more chance to pass the censors since I've been internally calling it clarity for the last 2 1/2 years that I've been using it...
>
>>> 2) Overloading execute method in functions hostgroupclarity_add_condition and hostgroupclarity_remove_condition is an over-kill for me. I think we could just read current inclusive/exclusive regexes in pre_callback, modify them and let LDAPUpdate class do the standard LDAP operations.
>
> I'll recode to perform the actions in a pre_callback.
>
>>> 3) I miss hostgroupclarity-mod module. What would I do if I want to update Description?
>
> Thank you for catching this, I will add it.
>
>>> 4) I didn't like this construct in the code, it's error prone to potential future parameter changes.
>>> + if len(options) == 2: # 'all' and 'raw' are always sent
>>> + raise errors.EmptyModlist()
>>> I know it's in baseldap.py but I still wouldn't like to see this in plugins.
>
> I should be able to omit that once the code is located in the pre_callback.
>
>>> 5) Test test_clarityrule_plugin.py: reference to inexistent python module:
>>> +Test the `ipalib/plugins/clarityrule.py` module.
>
> Thank you, that is left over from a previous attempt. I will remove it.
>
>>> Then I did some real testing of the new command:
>>>
>>> 6) Invalid examples, fqdn is not supposed to be a part of regex
>>> $ ipa hostgroupclarity-add --inclusive-hostname-regex=fqdn=^www[1-9]+\.example\.com webservers
>>> Hostgroup Clarity Rule: webservers
>>> Inclusive Regex: fqdn=fqdn=^www[1-9]+.example.com
>
> Also an oversight, thanks, I will correct it.
>
>>> 7) It does not make sense to have a rule with only an exclusive regex:
>>> $ ipa hostgroupclarity-add --exclusive-hostname-regex=^www5+\.example\.com webservers
>>> Hostgroup Clarity Rule: webservers
>>> $ ipa host-add --force foo.example.co
>>> $ ipa hostgroup-show webservers
>>> Host-group: webservers
>>> Description: Web Servers
>>> Member hosts: www1.example.com
>>>
>>> I think we should 1) hide exclusive regex option in hostgroupclarity-add and 2) check that there is at least one inclusive regex in the rule when running hostgroupclarity-add-condition and hostgroupclarity-remove-condition.
>
> I agree, I'll hide it during the creation, and force it to require an inclusive prior to adding an exclusive.
>
>>> 8) Plugin incorrectly handles a situation when both inclusive and exclusive regex-es are being added:
>>>
>>> $ ipa hostgroupclarity-add --inclusive-hostname-regex=^www[1-9]+\.example\.com webservers
>>> Hostgroup Clarity Rule: webservers
>>> Inclusive Regex: fqdn=^www[1-9]+.example.com
>>> $ ipa hostgroupclarity-add-condition --inclusive-hostname-regex=^web[1-9]+\.example\.com --exclusive-hostname-regex=www5\.example\.com webservers
>>> Inclusive Regex: fqdn=^web[1-9]+.example.com, fqdn=^www[1-9]+.example.com
>>> Exclusive Regex: www5.example.com
>>>
>>> Exclusive regex misses fqdn.
>
> Will look into this.
>
>>> 9) Removing multiple conditions also works incorrectly:
>>>
>>> $ ipa hostgroupclarity-show webservers
>>> Hostgroup Clarity Rule: webservers
>>> Inclusive Regex: fqdn=^www[1-9]+.example.com, fqdn=^web[1-9]+.example.com
>>> Exclusive Regex: fqdn=www5.example.com
>>> $ ipa hostgroupclarity-remove-condition webservers --inclusive-hostname-regex=^www[1-9]+\.example\.com --exclusive-hostname-regex=www5\.example\.com
>>> Inclusive Regex: fqdn=^web[1-9]+.example.com
>>> $ ipa hostgroupclarity-show webservers
>>> Hostgroup Clarity Rule: webservers
>>> Inclusive Regex: fqdn=^web[1-9]+.example.com
>>> Exclusive Regex: fqdn=www5.example.com
>
> Same as above likely.
>
>>> 10) When removing nonexistent regex I would expect more explaining error message:
>>>
>>> $ ipa hostgroupclarity-show webservers
>>> Hostgroup Clarity Rule: webservers
>>> Inclusive Regex: fqdn=^web[1-9]+.example.com
>>> Exclusive Regex: fqdn=www5.example.com
>>> $ ipa hostgroupclarity-remove-condition webservers --inclusive-hostname-regex=foo
>>> ipa: ERROR: no modifications to be performed
>
> I'll see what better exception can be thrown. Thanks!
>
>> I think that with group_dn() you should use the api to get the entry rather than calling LDAP directly (I'd stick it into the clarity object).
>>
>> This is untested but I think it will work:
>>
>> def hostgroup_dn(self, hostgroup):
>>     entry = self.api.Command.user_show(hostgroup, all=True)['result']
>>     return entry['dn']
>>
>> rob
>
> I'll try this instead, thanks Rob!
>
> -JR

And on second thought you may be able to hook right into the hostgroup object get_dn() function.

rob

From rcritten at redhat.com Wed Jul 20 15:42:16 2011
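An added example, not the plugin's or FreeIPA's own code, that models the rule semantics the review above asks for in issues 6 to 10: the fqdn= prefix added exactly once to both inclusive and exclusive regexes, no rule without an inclusive regex, both condition lists updated by one remove, and a named error for a condition that does not exist. The class and function names are assumptions, and the evaluation rule (any inclusive regex matches and no exclusive regex matches) is my reading of how automember decides membership.

```python
import re


class RuleError(ValueError):
    """Raised for the conditions the review asks the plugin to reject."""


ATTR = "fqdn"  # the host attribute the regexes are matched against


def normalize_condition(regex, attr=ATTR):
    """Return the stored form 'attr=regex', adding the prefix exactly once.

    Issue 6: a user who passes 'fqdn=^www...' must not end up with
    'fqdn=fqdn=^www...'.  Issue 8: exclusive regexes get the same prefix.
    """
    prefix = attr + "="
    if regex.startswith(prefix):
        regex = regex[len(prefix):]
    re.compile(regex)  # raises re.error on a malformed pattern
    return prefix + regex


class HostgroupRule:
    """Hypothetical in-memory model of one automember rule (not IPA's own)."""

    def __init__(self, name, description=""):
        self.name = name
        self.description = description
        self.inclusive = []
        self.exclusive = []

    def add_condition(self, inclusive=(), exclusive=()):
        new_inc = [normalize_condition(r) for r in inclusive]
        new_exc = [normalize_condition(r) for r in exclusive]
        # Issue 7: a rule must always carry at least one inclusive regex,
        # so an exclusive-only rule is refused at creation time too.
        if not self.inclusive and not new_inc:
            raise RuleError("at least one inclusive regex is required")
        for cond in new_inc:
            if cond not in self.inclusive:
                self.inclusive.append(cond)
        for cond in new_exc:
            if cond not in self.exclusive:
                self.exclusive.append(cond)

    def remove_condition(self, inclusive=(), exclusive=()):
        inc = [normalize_condition(r) for r in inclusive]
        exc = [normalize_condition(r) for r in exclusive]
        # Issue 10: name the missing condition instead of "no modifications".
        missing = [c for c in inc if c not in self.inclusive]
        missing += [c for c in exc if c not in self.exclusive]
        if missing:
            raise RuleError("condition not found: " + ", ".join(missing))
        remaining_inc = [c for c in self.inclusive if c not in inc]
        if not remaining_inc:
            raise RuleError("cannot remove the last inclusive regex")
        # Issue 9: both lists are updated in the same operation.
        self.inclusive = remaining_inc
        self.exclusive = [c for c in self.exclusive if c not in exc]

    def matches(self, host):
        """Assumed automember semantics: a host is a member when any
        inclusive regex matches and no exclusive regex matches."""
        def hit(cond):
            attr, regex = cond.split("=", 1)
            return re.search(regex, host.get(attr, "")) is not None
        return any(hit(c) for c in self.inclusive) and not any(
            hit(c) for c in self.exclusive)


def members(rule, hosts):
    """Sorted fqdns of the (constructed) host entries the rule admits."""
    return sorted(h[ATTR] for h in hosts if rule.matches(h))


if __name__ == "__main__":
    # Constructed sample hosts mirroring the review's webservers examples.
    hosts = [{"fqdn": f} for f in ("www1.example.com", "www5.example.com",
                                   "web3.example.com", "foo.example.com")]
    rule = HostgroupRule("webservers", "Web Servers")
    rule.add_condition(inclusive=[r"fqdn=^www[1-9]+\.example\.com"])
    rule.add_condition(inclusive=[r"^web[1-9]+\.example\.com"],
                       exclusive=[r"www5\.example\.com"])
    print(rule.inclusive, rule.exclusive)
    print(members(rule, hosts))  # www5 is excluded, foo never matched
```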
From: rcritten at redhat.com (Rob Crittenden) Date: Wed, 20 Jul 2011 11:42:16 -0400 Subject: [Freeipa-devel] [PATCH] 820 make client errors clearer In-Reply-To: <1311149566.19914.4.camel@dhcp-25-52.brq.redhat.com> References: <4E147955.5070401@redhat.com> <1311083697.10995.21.camel@dhcp-25-52.brq.redhat.com> <4E259748.1020006@redhat.com> <1311149566.19914.4.camel@dhcp-25-52.brq.redhat.com> Message-ID: <4E26F758.2000202@redhat.com> Martin Kosek wrote: > On Tue, 2011-07-19 at 10:40 -0400, Rob Crittenden wrote: >> Martin Kosek wrote: >>> On Wed, 2011-07-06 at 11:03 -0400, Rob Crittenden wrote: >>>> Some client errors were rather generic or outright misleading. This >>>> cleans up some return values and displays output from the ipa-enrollment >>>> extended operation. >>>> >>>> ticket https://fedorahosted.org/freeipa/ticket/1417 >>> >>> NACK. >>> >>> Good patch, but I found one issue: >>> >>> ipa-client/ipa-install/ipa-client-install: >>> - if ret == -1 or not ds.getDomainName(): >>> + if ret == ipadiscovery.NO_LDAP_SERVER or not ds.getDomainName(): >>> >>> You check for another error. That way the domain problem will not get >>> caught there. >>> >>> Martin >>> >> >> Updated patch attached, catching NOT_FQDN now. >> >> rob > > ACK, works fine. > > Martin > pushed to master and ipa-2-0 From ayoung at redhat.com Wed Jul 20 16:09:18 2011 From: ayoung at redhat.com (Adam Young) Date: Wed, 20 Jul 2011 12:09:18 -0400 Subject: [Freeipa-devel] [PATCH] 0271-no-dns. Message-ID: <4E26FDAE.2020309@redhat.com> -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-admiyo-0271-no-dns.patch Type: text/x-patch Size: 2808 bytes Desc: not available URL: From edewata at redhat.com Wed Jul 20 16:10:52 2011 
From: edewata at redhat.com (Endi Sukma Dewata) Date: Wed, 20 Jul 2011 11:10:52 -0500 Subject: [Freeipa-devel] [PATCH] 212 Creating reverse zones from IP address. Message-ID: <4E26FE0C.4060805@redhat.com> A custom adder dialog has been added for DNS zones to simplify creating reverse zones from IP address. The dialog provides a checkbox which indicates whether the content of the zone name field is an IP address. The IP address will be used to generate the reverse zone name and email address. Ticket #1045 -- Endi S. Dewata -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-edewata-0212-Creating-reverse-zones-from-IP-address.patch Type: text/x-patch Size: 12061 bytes Desc: not available URL: From rcritten at redhat.com Wed Jul 20 16:44:34 2011 From: rcritten at redhat.com (Rob Crittenden) Date: Wed, 20 Jul 2011 12:44:34 -0400 Subject: [Freeipa-devel] [PATCH] 0271-no-dns. In-Reply-To: <4E26FDAE.2020309@redhat.com> References: <4E26FDAE.2020309@redhat.com> Message-ID: <4E2705F2.2090502@redhat.com> Adam Young wrote: ack, works for me with and without dns rob From ayoung at redhat.com Wed Jul 20 16:51:03 2011 From: ayoung at redhat.com (Adam Young) Date: Wed, 20 Jul 2011 12:51:03 -0400 Subject: [Freeipa-devel] [PATCH] 0271-no-dns. In-Reply-To: <4E2705F2.2090502@redhat.com> References: <4E26FDAE.2020309@redhat.com> <4E2705F2.2090502@redhat.com> Message-ID: <4E270777.4040002@redhat.com> On 07/20/2011 12:44 PM, Rob Crittenden wrote: > Adam Young wrote: > > ack, works for me with and without dns > > rob -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-admiyo-0271-1-no-dns.patch Type: text/x-patch Size: 2680 bytes Desc: not available URL: From abokovoy at redhat.com Wed Jul 20 17:30:21 2011 
From: abokovoy at redhat.com (Alexander Bokovoy) Date: Wed, 20 Jul 2011 20:30:21 +0300 Subject: [Freeipa-devel] [WIP] ipapython/iputil.py refactoring for better cross-platform support In-Reply-To: <4E25886D.6090105@redhat.com> References: <4E0D96FF.2050406@redhat.com> <4E0DB57B.1070105@redhat.com> <4E0DB6F4.6040904@redhat.com> <4E0DBB32.9030804@redhat.com> <1309524027.2681.143.camel@willson.li.ssimo.org> <4E1470A1.9060306@redhat.com> <4E25886D.6090105@redhat.com> Message-ID: <4E2710AD.5010003@redhat.com>

Hi,

On 19.07.2011 16:36, Alexander Bokovoy wrote:
>> I believe that nss-pam-ldapd uses a different configuration file than nss_ldap, I think I'd rather use the existence of that to determine what is being used. Calling out to rpm seems heavy-weight.
> In continuation of the same story, ticket 1368 asks for propagating hostname into static configuration (/etc/sysconfig/network, HOSTNAME variable on Red Hat systems). This is an example of system-specific common code where we want to ensure configuration is made and backed up but we don't care what is configuration's location and format. I.e. perfect example to write platform-specific support.
>
> I'm going to rework ipautil into providing common functions and loading platform-specific ones from separate files so that we can have Red Hat or Fedora (or LSB) platforms, Debian-based platforms and so on. Remember, this is for ipa-client-install so some flexibility is welcomed here.
>
> I'll try to avoid using package management tools in such platform-specific code as much as possible also to avoid lock conflicts (if something is being installed in background you might get locked when asking a package database).
>
> We don't need to do platform detection at runtime as that could be deferred to package maintainers. After all, IPA most likely will be packaged and ipa-client-install will come from such a package. Thus, providing proper ipautil-system.py file can be done as packaging effort.

Attached is a first cut for the refactoring. It introduces ipapython.services which is a container for service- and platform-specific methods and classes that would require different behavior depending on a distribution in question.

I moved existing code to ipapython/platform/redhat.py. ipapython/services.py is auto-generated and basically is one-liner:
=====
from ipapython.platform. import *
=====

Actual value is substituted using top-level Makefile's SUPPORTED_PLAFTORM= variable (defaults to 'redhat', can be redefined without modifying Makefile, in package building scripts, for example) and then ipapython/services.py is generated from ipapython/services.py.in

I have converted all users of ipapython.iputil to a new interface but haven't really tested the code yet apart from make dist and make-lint.

As it is work in progress, all comments and suggestions are welcome!

-- / Alexander Bokovoy

-------------- next part -------------- An embedded and charset-unspecified text was scrubbed... Name: freeipa-abbra-0006-iputil-refactor.patch URL:

From abokovoy at redhat.com Wed Jul 20 17:36:06 2011
From: abokovoy at redhat.com (Alexander Bokovoy) Date: Wed, 20 Jul 2011 20:36:06 +0300 Subject: [Freeipa-devel] [WIP] ipapython/iputil.py refactoring for better cross-platform support In-Reply-To: <4E2710AD.5010003@redhat.com> References: <4E0D96FF.2050406@redhat.com> <4E0DB57B.1070105@redhat.com> <4E0DB6F4.6040904@redhat.com> <4E0DBB32.9030804@redhat.com> <1309524027.2681.143.camel@willson.li.ssimo.org> <4E1470A1.9060306@redhat.com> <4E25886D.6090105@redhat.com> <4E2710AD.5010003@redhat.com> Message-ID: <4E271206.5080903@redhat.com> On 20.07.2011 20:30, Alexander Bokovoy wrote: > I moved existing code to ipapython/platform/redhat.py. > ipapython/services.py is auto-generated and basically is one-liner: > ===== > from ipapython.platform. import * > ===== > > Actual value is substituted using top-level Makefile's > SUPPORTED_PLAFTORM= variable (defaults to 'redhat', can be redefined > without modifying Makefile, in package building scripts, for example) > and then ipapython/services.py is generated from ipapython/services.py.in The original patch misses ipapython/services.py.in. I'll update patch but the file is really one-liner (attached). -- / Alexander Bokovoy -------------- next part -------------- An embedded and charset-unspecified text was scrubbed... Name: services.py.in URL: From ayoung at redhat.com Wed Jul 20 17:40:37 2011 
From: ayoung at redhat.com (Adam Young) Date: Wed, 20 Jul 2011 13:40:37 -0400 Subject: [Freeipa-devel] [PATCH] 0271-no-dns. In-Reply-To: <4E270777.4040002@redhat.com> References: <4E26FDAE.2020309@redhat.com> <4E2705F2.2090502@redhat.com> <4E270777.4040002@redhat.com> Message-ID: <4E271315.8030802@redhat.com> On 07/20/2011 12:51 PM, Adam Young wrote: > On 07/20/2011 12:44 PM, Rob Crittenden wrote: >> Adam Young wrote: >> >> ack, works for me with and without dns >> >> rob > > > _______________________________________________ > Freeipa-devel mailing list > Freeipa-devel at redhat.com > https://www.redhat.com/mailman/listinfo/freeipa-devel ACKed in IRC by Edewata and pushed to master -------------- next part -------------- An HTML attachment was scrubbed... URL: From simo at redhat.com Wed Jul 20 17:54:07 2011 
From: simo at redhat.com (Simo Sorce) Date: Wed, 20 Jul 2011 13:54:07 -0400 Subject: [Freeipa-devel] [WIP] ipapython/iputil.py refactoring for better cross-platform support In-Reply-To: <4E271206.5080903@redhat.com> References: <4E0D96FF.2050406@redhat.com> <4E0DB57B.1070105@redhat.com> <4E0DB6F4.6040904@redhat.com> <4E0DBB32.9030804@redhat.com> <1309524027.2681.143.camel@willson.li.ssimo.org> <4E1470A1.9060306@redhat.com> <4E25886D.6090105@redhat.com> <4E2710AD.5010003@redhat.com> <4E271206.5080903@redhat.com> Message-ID: <1311184447.19717.86.camel@willson.li.ssimo.org> On Wed, 2011-07-20 at 20:36 +0300, Alexander Bokovoy wrote: > On 20.07.2011 20:30, Alexander Bokovoy wrote: > > I moved existing code to ipapython/platform/redhat.py. > > ipapython/services.py is auto-generated and basically is one-liner: > > ===== > > from ipapython.platform. import * > > ===== > > > > Actual value is substituted using top-level Makefile's > > SUPPORTED_PLAFTORM= variable (defaults to 'redhat', can be redefined > > without modifying Makefile, in package building scripts, for example) > > and then ipapython/services.py is generated from ipapython/services.py.in > The original patch misses ipapython/services.py.in. I'll update patch > but the file is really one-liner (attached). The direction looks good to me, please keep on. Simo. -- Simo Sorce * Red Hat, Inc * New York From ayoung at redhat.com Wed Jul 20 18:00:09 2011 
From: ayoung at redhat.com (Adam Young) Date: Wed, 20 Jul 2011 14:00:09 -0400 Subject: [Freeipa-devel] [PATCH] 211 Added checkbox to remove hosts from DNS. In-Reply-To: <4E25D8DE.3000502@redhat.com> References: <4E25D8DE.3000502@redhat.com> Message-ID: <4E2717A9.3040109@redhat.com> On 07/19/2011 03:19 PM, Endi Sukma Dewata wrote: > A custom deleter dialog for hosts has been added to provide an option > whether to remove the hosts from DNS. > > Ticket #1470 > > > _______________________________________________ > Freeipa-devel mailing list > Freeipa-devel at redhat.com > https://www.redhat.com/mailman/listinfo/freeipa-devel ACK. Pushed to master -------------- next part -------------- An HTML attachment was scrubbed... URL: From ayoung at redhat.com Wed Jul 20 18:45:14 2011 From: ayoung at redhat.com (Adam Young) Date: Wed, 20 Jul 2011 14:45:14 -0400 Subject: [Freeipa-devel] [PATCH] 212 Creating reverse zones from IP address. In-Reply-To: <4E26FE0C.4060805@redhat.com> References: <4E26FE0C.4060805@redhat.com> Message-ID: <4E27223A.6040303@redhat.com> On 07/20/2011 12:10 PM, Endi Sukma Dewata wrote: > A custom adder dialog has been added for DNS zones to simplify creating > reverse zones from IP address. The dialog provides a checkbox which > indicates whether the content of the zone name field is an IP address. > The IP address will be used to generate the reverse zone name and email > address. > > Ticket #1045 > > > _______________________________________________ > Freeipa-devel mailing list > Freeipa-devel at redhat.com > https://www.redhat.com/mailman/listinfo/freeipa-devel ACK, but put in the space between the reverse checkbox line and the next row. Add a ticket for refactoring the dialogs to allow more layout options on a widget, so we can reduce the complexity of the code in the future. -------------- next part -------------- An HTML attachment was scrubbed... URL: From jdennis at redhat.com Wed Jul 20 18:59:30 2011 
From: jdennis at redhat.com (John Dennis) Date: Wed, 20 Jul 2011 14:59:30 -0400 Subject: [Freeipa-devel] [WIP] ipapython/iputil.py refactoring for better cross-platform support In-Reply-To: <4E2710AD.5010003@redhat.com> References: <4E0D96FF.2050406@redhat.com> <4E0DB57B.1070105@redhat.com> <4E0DB6F4.6040904@redhat.com> <4E0DBB32.9030804@redhat.com> <1309524027.2681.143.camel@willson.li.ssimo.org> <4E1470A1.9060306@redhat.com> <4E25886D.6090105@redhat.com> <4E2710AD.5010003@redhat.com> Message-ID: <4E272592.70309@redhat.com> On 07/20/2011 01:30 PM, Alexander Bokovoy wrote: > Actual value is substituted using top-level Makefile's > SUPPORTED_PLAFTORM= variable (defaults to 'redhat', can be redefined > without modifying Makefile, in package building scripts, for example) > and then ipapython/services.py is generated from ipapython/services.py.in Why can't the platform be resolved at runtime instead of part of a static build? That would be more flexible wouldn't it? We would ship the same code in each release which is a win for robustness and reproducibility. I guess I don't see the advantage of static build time code selection in a language like Python. Earlier you said: > I'll try to avoid using package management tools but since you're relying on build tools you're implicitly relying on package management tools. -- John Dennis Looking to carve out IT costs? www.redhat.com/carveoutcosts/ From edewata at redhat.com Wed Jul 20 19:01:51 2011 
From: edewata at redhat.com (Endi Sukma Dewata) Date: Wed, 20 Jul 2011 14:01:51 -0500 Subject: [Freeipa-devel] [PATCH] 212 Creating reverse zones from IP address. In-Reply-To: <4E27223A.6040303@redhat.com> References: <4E26FE0C.4060805@redhat.com> <4E27223A.6040303@redhat.com> Message-ID: <4E27261F.1020002@redhat.com> On 7/20/2011 1:45 PM, Adam Young wrote: > ACK, but put in the space between the reverse checkbox line and the next > row. > Add a ticket for refactoring the dialogs to allow more layout options on > a widget, so we can reduce the complexity of the code in the future. New patch attached. -- Endi S. Dewata -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-edewata-0212-2-Creating-reverse-zones-from-IP-address.patch Type: text/x-patch Size: 12212 bytes Desc: not available URL: From ayoung at redhat.com Wed Jul 20 19:13:27 2011 From: ayoung at redhat.com (Adam Young) Date: Wed, 20 Jul 2011 15:13:27 -0400 Subject: [Freeipa-devel] [PATCH] 212 Creating reverse zones from IP address. In-Reply-To: <4E27261F.1020002@redhat.com> References: <4E26FE0C.4060805@redhat.com> <4E27223A.6040303@redhat.com> <4E27261F.1020002@redhat.com> Message-ID: <4E2728D7.80400@redhat.com> On 07/20/2011 03:01 PM, Endi Sukma Dewata wrote: > On 7/20/2011 1:45 PM, Adam Young wrote: >> ACK, but put in the space between the reverse checkbox line and the next >> row. >> Add a ticket for refactoring the dialogs to allow more layout options on >> a widget, so we can reduce the complexity of the code in the future. > > New patch attached. > ACK. Pushed to master From edewata at redhat.com Wed Jul 20 19:18:10 2011 
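Patch 212's adder dialog derives the reverse zone name from an IP address in UI code that is not shown on the list. As an added example that is not part of the thread or of FreeIPA's own code, the following Python computes the in-addr.arpa or ip6.arpa zone name for a network, generalising from the IPv4 case to IPv6 and refusing prefix lengths that do not map onto a single zone. The trailing dot on the zone name, the /24 and /64 defaults applied to a bare address, and the function names are assumptions; the e-mail address the dialog also fills in is not covered.

```python
"""Derive reverse DNS zone names from IP networks (constructed example)."""
import ipaddress

# Assumed defaults for a field that holds a bare address rather than a prefix.
DEFAULT_PREFIX = {4: 24, 6: 64}


def reverse_zone_name(network):
    """Return the reverse zone (with trailing dot) that covers `network`.

    IPv4 reverse zones are delegated per octet (/8, /16, /24) and IPv6 zones
    per nibble (/4 .. /124). Any other prefix length has no single zone name,
    so it is rejected rather than silently rounded to a wider zone.
    """
    net = ipaddress.ip_network(network, strict=False)  # host bits are masked off
    if net.version == 4:
        unit = 8
        labels = str(net.network_address).split('.')
        suffix = 'in-addr.arpa.'
    else:
        unit = 4
        labels = list(net.network_address.exploded.replace(':', ''))
        suffix = 'ip6.arpa.'
    if net.prefixlen == 0 or net.prefixlen % unit:
        raise ValueError(
            f'{net} cannot be expressed as one reverse zone; '
            f'use a prefix length that is a multiple of {unit}')
    kept = labels[: net.prefixlen // unit]
    return '.'.join(reversed(kept)) + '.' + suffix


def reverse_zone_for_field(text):
    """Zone name for the dialog field: a CIDR prefix, or a bare address with the assumed default prefix."""
    if '/' in text:
        return reverse_zone_name(text)
    address = ipaddress.ip_address(text)
    return reverse_zone_name(f'{address}/{DEFAULT_PREFIX[address.version]}')


if __name__ == '__main__':
    for field in ('192.0.2.7', '10.0.0.0/8', '2001:db8::/32', '2001:db8:1:2::5'):
        print(f'{field:>20} -> {reverse_zone_for_field(field)}')
```

Rejecting non-aligned prefixes matters more than it looks: a /25 silently widened to a /24 would create a zone that claims addresses outside the operator's allocation.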
From: edewata at redhat.com (Endi Sukma Dewata) Date: Wed, 20 Jul 2011 14:18:10 -0500 Subject: [Freeipa-devel] [PATCH] 0270-removing-setters-setup-and-init In-Reply-To: <4E26157A.5080609@redhat.com> References: <4E2614DD.4090301@redhat.com> <4E26157A.5080609@redhat.com> Message-ID: <4E2729F2.3010409@redhat.com> On 7/19/2011 6:38 PM, Adam Young wrote: > Missed a change to fix the unit tests. I haven't finished testing it, but here are some issues: 1. If DNS is disabled, the DNS zone entity throws an uncaught exception so the execution stops. 2. In add.js:41 the IPA.nav.show_entity_page() takes an array of primary keys instead of just a single primary key. 3. The metadata can be accessed in a simpler way, so instead of this: var pkey_name = IPA.metadata.objects[that.entity.name].primary_key; we can use this: var pkey_name = that.entity.metadata.primary_key; 4. The parentheses in association.js:718 are not necessary: spec = ({ name: spec }); 5. The combobox_open.png.white got added into the patch. 6. The author list got changed in entity.js. 7. In IPA.details_section.create() the
got changed into and the details-field removed class got deleted. 8. Triggering a stack trace by calling null function probably will only work with Firebug, normal users will not get any notification about the error. This happens in dialog.js:301 and widget.js:1137. 9. The code related to HBAC access time got removed. I think when we deferred this feature last time we decided to comment out the code but not delete it. 10. The expand/collapse all in details facet no longer works. 11. There are some whitespace warnings. -- Endi S. Dewata From abokovoy at redhat.com Wed Jul 20 19:24:09 2011 From: abokovoy at redhat.com (Alexander Bokovoy) Date: Wed, 20 Jul 2011 22:24:09 +0300 Subject: [Freeipa-devel] [WIP] ipapython/iputil.py refactoring for better cross-platform support In-Reply-To: <4E272592.70309@redhat.com> References: <4E0D96FF.2050406@redhat.com> <4E0DB57B.1070105@redhat.com> <4E0DB6F4.6040904@redhat.com> <4E0DBB32.9030804@redhat.com> <1309524027.2681.143.camel@willson.li.ssimo.org> <4E1470A1.9060306@redhat.com> <4E25886D.6090105@redhat.com> <4E2710AD.5010003@redhat.com> <4E272592.70309@redhat.com> Message-ID: <4E272B59.1060309@redhat.com> On 20.07.2011 21:59, John Dennis wrote: > On 07/20/2011 01:30 PM, Alexander Bokovoy wrote: >> Actual value is substituted using top-level Makefile's >> SUPPORTED_PLATFORM= variable (defaults to 'redhat', can be redefined >> without modifying Makefile, in package building scripts, for example) >> and then ipapython/services.py is generated from ipapython/services.py.in > > Why can't the platform be resolved at runtime instead of part of a > static build? That would be more flexible, wouldn't it? We would ship the > same code in each release which is a win for robustness and > reproducibility. I guess I don't see the advantage of static build time > code selection in a language like Python. The reason for it is that runtime platform selection simply gives no advantages in the IPA case.
A typical deployment is a distribution of a prepared package to multiple clients, not building freeipa code on every single client with a purpose to run ipa-client-install on it. At this point we already know the platform. Replacing this knowledge with run-time detection that can go wrong and would require more extensive knowledge and effort to verify that platform is detected reliably isn't really productive. > Earlier you said: > >> I'll try to avoid using package management tools > > but since you're relying on build tools you're implicitly relying on > package management tools. I was talking about using package management tools at runtime where one would incur computational costs. In the proposed solution I'm trying to delegate a decision point to a package maintainer or a developer who already knows the platform s/he works with. There is no runtime overhead at all and a single make SUPPORTED_PLATFORM=foobar would be equivalent to already utilised make -- / Alexander Bokovoy From ayoung at redhat.com Wed Jul 20 19:50:43 2011 From: ayoung at redhat.com (Adam Young) Date: Wed, 20 Jul 2011 15:50:43 -0400 Subject: [Freeipa-devel] [PATCH] 0270-removing-setters-setup-and-init In-Reply-To: <4E2729F2.3010409@redhat.com> References: <4E2614DD.4090301@redhat.com> <4E26157A.5080609@redhat.com> <4E2729F2.3010409@redhat.com> Message-ID: <4E273193.4080506@redhat.com> On 07/20/2011 03:18 PM, Endi Sukma Dewata wrote: > On 7/19/2011 6:38 PM, Adam Young wrote: >> Missed a change to fix the unit tests. > > I haven't finished testing it, but here are some issues: > > 1. If DNS is disabled, the DNS zone entity throws an uncaught > exception so the execution stops. Fixed. This was a combination of the patch pushed earlier today as well as code removed for exception handling. > > 2. In add.js:41 the IPA.nav.show_entity_page() takes an array of > primary keys instead of just a single primary key. It can take either. > > 3.
The metadata can be accessed in a simpler way, so instead of this: > > var pkey_name = IPA.metadata.objects[that.entity.name].primary_key; > > we can use this: > > var pkey_name = that.entity.metadata.primary_key; Fixed > > 4. The parentheses in association.js:718 are not necessary: > > spec = ({ name: spec }); Removed > > 5. The combobox_open.png.white got added into the patch. Removed > > 6. The author list got changed in entity.js. Fixed. No offense! > > 7. In IPA.details_section.create() the
got changed into > and the details-field removed class got deleted. Fixed > > 8. Triggering a stack trace by calling null function probably will > only work with Firebug, normal users will not get any notification > about the error. This happens in dialog.js:301 and widget.js:1137. Gonna leave this, as we will catch things in development, and it won't happen on the live servers. These are "never reach" type conditions. > > 9. The code related to HBAC access time got removed. I think when we > deferred this feature last time we decided to comment out the code but > not delete it. As discussed, I've removed code that we don't want to have to support. We'll attach the widget to the ticket for the HBAC work > > 10. The expand/collapse all in details facet no longer works. Fixed > > 11. There are some whitespace warnings. I'll get these before pushing. -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-admiyo-0270-2-removing-setters-setup-and-init.patch Type: text/x-patch Size: 187797 bytes Desc: not available URL: From jdennis at redhat.com Wed Jul 20 23:59:14 2011 
From: jdennis at redhat.com (John Dennis) Date: Wed, 20 Jul 2011 19:59:14 -0400 Subject: [Freeipa-devel] [PATCH 31/31] Ticket 1485 - DN pairwise grouping Message-ID: <201107202359.p6KNxE5S022392@int-mx01.intmail.prod.int.phx2.redhat.com> The pairwise grouping used to form RDNs and AVAs proved to be confusing in practice; this patch removes that functionality, thus requiring programmers to explicitly pair attr,value using a tuple or list. In addition, it was discovered that additional functionality was needed to support some DN operations in freeipa. DN objects now support startswith(), endswith() and the "in" membership test. These functions and operators will accept either a DN or RDN. The unittest was modified to remove the pairwise tests and add new explicit tests. The unittest was augmented to test the new functionality. In addition the unittest was cleaned up a bit to use common utility functions for improved readability and robustness. The documentation was updated. -- John Dennis Looking to carve out IT costs? www.redhat.com/carveoutcosts/ -------------- next part -------------- A non-text attachment was scrubbed... Name: 0031-Ticket-1485-DN-pairwise-grouping.patch Type: text/x-patch Size: 47012 bytes Desc: not available URL: From edewata at redhat.com Thu Jul 21 00:08:48 2011
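The commit message above describes the DN API after patch 31 (explicit (attr, value) pairs; startswith(), endswith() and `in` accepting either a DN or an RDN) but the patch itself is only attached. The following Python is an added example, not code from the thread or from ipapython's DN class: a toy DN/RDN model with those operations, plus an is_under() check built on them that shows why a structured comparison beats a string suffix test when deciding whether an entry lives inside an expected container. The contiguous-run meaning of `in`, the case-insensitive comparison and the is_under helper are assumptions about the intended behaviour.

```python
"""Toy DN/RDN model with explicit (attr, value) pairing (constructed example)."""


class RDN:
    """One relative distinguished name: one or more explicit (attr, value) AVAs."""

    def __init__(self, *avas):
        pairs = []
        for ava in avas:
            # No pairwise grouping of loose arguments: every AVA must arrive as a
            # 2-item tuple or list, otherwise the constructor refuses it.
            if not isinstance(ava, (tuple, list)) or len(ava) != 2:
                raise TypeError(f'AVA must be an (attr, value) pair, got {ava!r}')
            attr, value = ava
            pairs.append((str(attr), str(value)))
        if not pairs:
            raise ValueError('an RDN needs at least one AVA')
        self.avas = tuple(pairs)
        # Assumed: attribute types and values compare case-insensitively, and the
        # order of AVAs inside a multi-valued RDN does not matter.
        self._key = tuple(sorted((a.lower(), v.lower()) for a, v in pairs))

    def __eq__(self, other):
        return isinstance(other, RDN) and self._key == other._key

    def __hash__(self):
        return hash(self._key)

    def __str__(self):
        return '+'.join(f'{a}={v}' for a, v in self.avas)


class DN:
    """A DN is an ordered sequence of RDNs, most specific (leftmost) first."""

    def __init__(self, *rdns):
        self.rdns = tuple(r if isinstance(r, RDN) else RDN(r) for r in rdns)

    @staticmethod
    def _as_rdns(other):
        """startswith(), endswith() and `in` accept either a DN or a single RDN."""
        if isinstance(other, DN):
            return other.rdns
        if isinstance(other, RDN):
            return (other,)
        raise TypeError(f'expected DN or RDN, got {type(other).__name__}')

    def startswith(self, other):
        seq = self._as_rdns(other)
        return self.rdns[:len(seq)] == seq

    def endswith(self, other):
        seq = self._as_rdns(other)
        return len(seq) <= len(self.rdns) and self.rdns[len(self.rdns) - len(seq):] == seq

    def __contains__(self, other):
        # Assumed semantics: `other` must appear as a contiguous run of RDNs.
        seq = self._as_rdns(other)
        return any(self.rdns[i:i + len(seq)] == seq
                   for i in range(len(self.rdns) - len(seq) + 1))

    def __eq__(self, other):
        return isinstance(other, DN) and self.rdns == other.rdns

    def __len__(self):
        return len(self.rdns)

    def __str__(self):
        return ','.join(str(r) for r in self.rdns)


def is_under(entry, container):
    """True when `entry` is a proper descendant of `container` (assumed helper)."""
    return len(entry) > len(container) and entry.endswith(container)


if __name__ == '__main__':
    users = DN(('cn', 'users'), ('cn', 'accounts'), ('dc', 'example'), ('dc', 'com'))
    alice = DN(('uid', 'alice'), *users.rdns)
    print(alice, is_under(alice, users), RDN(('cn', 'accounts')) in alice)
```

The string comparison `str(dn).endswith(...)` would accept cn=superusers,cn=accounts,... as being "under" users,cn=accounts,...; comparing RDN by RDN does not, which is the property an authorization check on a container needs.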
From: edewata at redhat.com (Endi Sukma Dewata) Date: Wed, 20 Jul 2011 19:08:48 -0500 Subject: [Freeipa-devel] [PATCH] 0270-removing-setters-setup-and-init In-Reply-To: <4E273193.4080506@redhat.com> References: <4E2614DD.4090301@redhat.com> <4E26157A.5080609@redhat.com> <4E2729F2.3010409@redhat.com> <4E273193.4080506@redhat.com> Message-ID: <4E276E10.4010207@redhat.com> On 7/20/2011 2:50 PM, Adam Young wrote: >> 8. Triggering a stack trace by calling null function probably will >> only work with Firebug, normal users will not get any notification >> about the error. This happens in dialog.js:301 and widget.js:1137. > Gonna leave this, as we will catch things in development, and it won't > happen on the live servers. These are "never reach" type conditions. Would it be better to throw an exception instead? Still not done, but here are new findings: 12. The search filter doesn't work initially. Reload the UI main page, (make sure there's no URL parameters), enter a filter, then hit Enter or click the icon, there's nothing happening. Go to another tab, then come back to the main page. Now the filter will work. 13. The 'other_entity' still contains the entity name instead of the entity object. One solution for the circular dependency problem is to create all entity objects first, then create the facets & dialogs in the second stage. This requires a simple modification to the entity_factories. 14. The comment "move into the table_widget" on association.js:710 might not be correct. I think we should try to reuse IPA.association_table_widget inside IPA.association_facet. 15. The assignment on association.js:733 is unused: var entity = that.entity; 16. Commented code in details.js:459 can be deleted. 17. The code in dialog.js lines 489 and 496 can be combined into: that.external_field = $('', { ... }).appendTo(external_panel); 18. Since the layout support is dropped, the install/ui/layouts can be removed as well. -- Endi S. Dewata From JR.Aquino at citrix.com Thu Jul 21 00:20:58 2011
From: JR.Aquino at citrix.com (JR Aquino) Date: Thu, 21 Jul 2011 00:20:58 +0000 Subject: [Freeipa-devel] [PATCH] 34 Create FreeIPA CLI Plugin for the 389 Auto Membership plugin In-Reply-To: <4E26F657.8030901@redhat.com> References: <99CC5FCC-73CE-43C1-9B73-4DDD69A4637D@citrixonline.com> <1310730613.32137.22.camel@dhcp-25-52.brq.redhat.com> <4E2054E3.5060306@redhat.com> <84A3F669-CCF3-4C6C-9525-5BD4A71E6E1E@citrixonline.com> <4E26F657.8030901@redhat.com> Message-ID: <3D1116E1-B782-4F43-B6DA-08E8FCFC34A1@citrixonline.com> On Jul 20, 2011, at 8:37 AM, Rob Crittenden wrote: > JR Aquino wrote: >> On Jul 15, 2011, at 7:55 AM, Rob Crittenden wrote: >> >>> Martin Kosek wrote: >>>> On Thu, 2011-07-14 at 23:05 +0000, JR Aquino wrote: >>>>> On Jul 14, 2011, at 11:55 AM, wrote: >>>>> >>>>>> https://fedorahosted.org/freeipa/ticket/1272 >>>>>> >>>>>> * Added new container in etc to hold the automembership configs. >>>>>> * Modified constants to point to the new container >>>>>> * Modified dsinstance to create the container >>>>>> * Modified hostgroup.py to add the new commands >>>>>> * Added xmlrpc test to verify functionality >>>>> >>>>> Minor adjustment: >>>>> Auto Membership Plugin isn't available until 1.2.9-0.2+ >>>>> >>>>> Modified freeipa.spec.in: >>>>> BuildRequires: 389-ds-base-devel>= 1.2.9-0.2 >>>> >>>> I have reviewed your patch. Basic functionality is OK but I have some >>>> concerns. >>>> >>>> 1) I am not sure with the command name, it is not really clear to me >>>> what this command does. But I know from my experience that inventing a >>>> cool name for something new may be the most difficult task at all :-) >>>> Maybe command name "hostgrouprule" or "hostgroupauto" would be more >>>> clear? >> >> Perhaps my example docs were too soft with fqdn=^www[1-9]+\.example\.com etc.. >> I should 'clarify'... 
perhaps what I need to do is add more useful information to the doc, for example, if I were to add to the doc area examples where hostnames are like: w[1-9]+s2r8\.example\.com >> >> The real reason for the usefulness of this technology, is in SaaS, Cloud, and Cluster environments, where the hostnames tend to be non-human readable, and more like a serial number detailing their function, their rack location, or their vm-instance, etc... >> >> It is because of those scenarios that caused me so much grief as a security engineer trying to assign rights that it became clear that I could just define the reproducible pattern to match assignment into a host group. The hostnames needed clarity in order to understand where they belonged in the network. >> >> I'll give it one more chance to pass the censors since I've been internally calling it clarity for the last 2 1/2 years that I've been using it... >> >>>> >>>> >>>> 2) Overloading execute method in functions >>>> hostgroupclarity_add_condition and hostgroupclarity_remove_condition is >>>> an over-kill for me. I think we could just read current >>>> inclusive/exclusive regexes in pre_callback, modify them and let >>>> LDAPUpdate class do the standard LDAP operations. >> >> I'll recode to perform the actions in a pre_callback. >> >>>> >>>> >>>> 3) I miss hostgroupclarity-mod module. What would I do if I want to >>>> update Description? >> >> Thank you for catching this, I will add it. >> >>>> >>>> >>>> 4) I didn't like this construct in the code, it's error prone to >>>> potential future parameter changes. >>>> + if len(options) == 2: # 'all' and 'raw' are always sent >>>> + raise errors.EmptyModlist() >>>> I know it's in baseldap.py but I still wouldn't like to see this in >>>> plugins. >> >> I should be able to omit that once the code is located in the pre_callback. >> >>>> >>>> >>>> 5) Test test_clarityrule_plugin.py: reference to inexistent python >>>> module: >>>> +Test the `ipalib/plugins/clarityrule.py` module.
>> >> Thank you, that is left over from a previous attempt. I will remove it. >> >>>> >>>> >>>> Then I did some real testing of the new command: >>>> >>>> 6) Invalid examples, fqdn is not supposed to be a part of regex >>>> $ ipa hostgroupclarity-add --inclusive-hostname-regex=fqdn=^www[1-9]+\.example\.com webservers >>>> Hostgroup Clarity Rule: webservers >>>> Inclusive Regex: fqdn=fqdn=^www[1-9]+.example.com >> >> Also an oversight, thanks, I will correct it. >> >>>> >>>> >>>> 7) It does not make sense to have a rule with only an exclusive regex: >>>> $ ipa hostgroupclarity-add --exclusive-hostname-regex=^www5+\.example\.com webservers >>>> Hostgroup Clarity Rule: webservers >>>> $ ipa host-add --force foo.example.co >>>> $ ipa hostgroup-show webservers >>>> Host-group: webservers >>>> Description: Web Servers >>>> Member hosts: www1.example.com >>>> >>>> I think we should 1) hide exclusive regex option in hostgroupclarity-add >>>> and 2) check that there is at least one inclusive regex in the rule when >>>> running hostgroupclarity-add-condition and >>>> hostgroupclarity-remove-condition. >> >> I agree, I'll hide it during the creation, and force it to require an inclusive prior to adding an exclusive. >> >>>> >>>> >>>> 8) Plugin incorrectly handles a situation when both inclusive and exclusive regex-es are being added: >>>> >>>> $ ipa hostgroupclarity-add --inclusive-hostname-regex=^www[1-9]+\.example\.com webservers >>>> Hostgroup Clarity Rule: webservers >>>> Inclusive Regex: fqdn=^www[1-9]+.example.com >>>> $ ipa hostgroupclarity-add-condition --inclusive-hostname-regex=^web[1-9]+\.example\.com --exclusive-hostname-regex=www5\.example\.com webservers >>>> Inclusive Regex: fqdn=^web[1-9]+.example.com, fqdn=^www[1-9]+.example.com >>>> Exclusive Regex: www5.example.com >>>> >>>> Exclusive regex misses fqdn. >> >> Will look into this. 
>> >>>> >>>> >>>> 9) Removing multiple conditions also works incorrectly: >>>> >>>> $ ipa hostgroupclarity-show webservers >>>> Hostgroup Clarity Rule: webservers >>>> Inclusive Regex: fqdn=^www[1-9]+.example.com, fqdn=^web[1-9]+.example.com >>>> Exclusive Regex: fqdn=www5.example.com >>>> $ ipa hostgroupclarity-remove-condition webservers --inclusive-hostname-regex=^www[1-9]+\.example\.com --exclusive-hostname-regex=www5\.example\.com >>>> Inclusive Regex: fqdn=^web[1-9]+.example.com >>>> $ ipa hostgroupclarity-show webservers >>>> Hostgroup Clarity Rule: webservers >>>> Inclusive Regex: fqdn=^web[1-9]+.example.com >>>> Exclusive Regex: fqdn=www5.example.com >> >> Same as above likely. >> >>>> >>>> >>>> 10) When removing nonexistent regex I would expect more explaining error message: >>>> >>>> $ ipa hostgroupclarity-show webservers >>>> Hostgroup Clarity Rule: webservers >>>> Inclusive Regex: fqdn=^web[1-9]+.example.com >>>> Exclusive Regex: fqdn=www5.example.com >>>> $ ipa hostgroupclarity-remove-condition webservers --inclusive-hostname-regex=foo >>>> ipa: ERROR: no modifications to be performed >> >> I'll see what better exception can be thrown. Thanks! >> >>> >>> I think that with group_dn() you should use the api to get the entry rather than calling LDAP directly (I'd stick it into the clarity object). >>> >>> This is untested but I think it will work: >>> >>> def hostgroup_dn(self, hostgroup): >>> entry = self.api.Command.user_show(hostgroup, all=True)['result'] >>> return entry['dn'] >>> >>> rob >> >> I'll try this instead, thanks Rob! >> >> -JR >> > > And on second thought you may be able to hook right into the hostgroup object get_dn() function. Rob, I'm afraid I believe that ldap lookup is necessary. The user inputs a standard string to represent the possible host group? If I simply perform a get_dn it will indeed provide a dn, however, it won't verify that the host group actually exists?
(you don't want to create an assignment rule for a non-existent target host group) Martin, (except for the name Clarity), I have addressed your observations in this latest patch. Could you please have a look and let me know if there is anything else I need to take care of? -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-jraquino-0034-Create-FreeIPA-CLI-Plugin-for-the-389-Auto-Membershi.patch Type: application/octet-stream Size: 29053 bytes Desc: freeipa-jraquino-0034-Create-FreeIPA-CLI-Plugin-for-the-389-Auto-Membershi.patch URL: From ayoung at redhat.com Thu Jul 21 02:18:34 2011
From: ayoung at redhat.com (Adam Young) Date: Wed, 20 Jul 2011 22:18:34 -0400 Subject: [Freeipa-devel] [PATCH] 0270-removing-setters-setup-and-init In-Reply-To: <4E276E10.4010207@redhat.com> References: <4E2614DD.4090301@redhat.com> <4E26157A.5080609@redhat.com> <4E2729F2.3010409@redhat.com> <4E273193.4080506@redhat.com> <4E276E10.4010207@redhat.com> Message-ID: <4E278C7A.1070802@redhat.com> On 07/20/2011 08:08 PM, Endi Sukma Dewata wrote: > On 7/20/2011 2:50 PM, Adam Young wrote: > >>> 8. Triggering a stack trace by calling null function probably will >>> only work with Firebug, normal users will not get any notification >>> about the error. This happens in dialog.js:301 and widget.js:1137. > >> Gonna leave this, as we will catch things in development, and it won't >> happen on the live servers. These are "never reach" type conditions. > > Would it be better to throw an exception instead? Possibly. This code is going to get caught by the catch block in ipa.js get_entity anyway, so there is not much difference. > > Still not done, but here are new findings: > > 12. The search filter doesn't work initially. Reload the UI main page, > (make sure there's no URL parameters), enter a filter, then hit Enter > or click the icon, there's nothing happening. Go to another tab, then > come back to the main page. Now the filter will work. > Fixed. Was a pre-existing problem in navigation.js, around line 115 > 13. The 'other_entity' still contains the entity name instead of the entity > object. One solution for the circular dependency problem is to create > all entity objects first, then create the facets & dialogs in the > second stage. This requires a simple modification to the entity_factories. Not sure I want to make that change in this patch, though. Circular dependencies would still be tricky to resolve, and the initialization code would be more complicated than it is now. > > 14. The comment "move into the table_widget" on association.js:710 > might not be correct.
I think we should try to reuse > IPA.association_table_widget inside IPA.association_facet. Agreed. Comment changed > > 15. The assignment on association.js:733 is unused: > > var entity = that.entity; Gone > > 16. Commented code in details.js:459 can be deleted. Gone > > 17. The code in dialog.js lines 489 and 496 can be combined into: > > that.external_field = $('', { > ... > }).appendTo(external_panel); Done > > 18. Since the layout support is dropped, the install/ui/layouts can be > removed as well. > Doing this in another patch. It involves changes to the build process. I've started it, but it isn't ready to be posted for review. -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-admiyo-0270-4-removing-setters-setup-and-init.patch Type: text/x-patch Size: 188638 bytes Desc: not available URL: From edewata at redhat.com Thu Jul 21 02:22:20 2011
From: edewata at redhat.com (Endi Sukma Dewata) Date: Wed, 20 Jul 2011 21:22:20 -0500 Subject: [Freeipa-devel] [PATCH] 0270-removing-setters-setup-and-init In-Reply-To: <4E276E10.4010207@redhat.com> References: <4E2614DD.4090301@redhat.com> <4E26157A.5080609@redhat.com> <4E2729F2.3010409@redhat.com> <4E273193.4080506@redhat.com> <4E276E10.4010207@redhat.com> Message-ID: <4E278D5C.9020803@redhat.com> On 7/20/2011 7:08 PM, Endi Sukma Dewata wrote: > This is based on patch 270-2: 19. Updating HBAC and sudo rules doesn't work, the fields always reset to the original values. No undo buttons appear. 20. The Get & View buttons in host details page generate an error. Create a host called test.example.com, then create a new certificate with this CSR: MIIBezCB5QIBADA8MR8wHQYDVQQKDBZJRE0uTEFCLkJPUy5SRURIQVQuQ09NMRkw FwYDVQQDDBB0ZXN0LmV4YW1wbGUuY29tMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCB iQKBgQDYOFeE6Y16kQ1gSvlnUU/LOaQlbsYnkfOCZ9UOaeg1RbKXFIJYB0s1DAa8 biI8gb6ZpzDjcAtNZHchOBtXnl0BBPOhkF6nD444SImz6eUBCmcCNeF4lgmNTxUS W2AkWl4vgXGwWSlxSrBIcylIqsIMMdYg71mUeTyuJLit8bGQdwIDAQABoAAwDQYJ KoZIhvcNAQEFBQADgYEAKb3/9gkJuOf3wRGe2n+FAfqBzStq8r5SLyVa5JyOxBhJ nKGrTcv95X+2ch8RPqvOg8lgn12Js/Rm3ipb0MlCkBYeq8b0RQv4N0sG2dqJG8a1 yxhxxIjovisey6F09cOyZljAhpJ6Qeqd7GHr7HFCPTDWrYDIb8QpiRrgNFvBtIQ= 21. The host's and service's managed_by facet contains duplicate 'host name' columns. 22. The DNS zone adder dialog is missing the buttons. 23. The field_name attribute is no longer needed in service.js:129. 24. Commented code in aci_tests.js:45,64 can be removed. 25. Commented code in details_tests.js:69 can be removed. 26. The assignment in widget_tests.js:44 should be spec = null. 27. Commented code in widget_tests.js:64,67,70,184 can be removed. 28. The unused parameter in widget_tests.js:82 can be removed. 29. The statement in user.js:175 is redundant: var entity = IPA.get_entity(that.entity.name); -- Endi S. Dewata From edewata at redhat.com Thu Jul 21 03:11:48 2011 
From: edewata at redhat.com (Endi Sukma Dewata) Date: Wed, 20 Jul 2011 22:11:48 -0500 Subject: [Freeipa-devel] [PATCH] 0270-removing-setters-setup-and-init In-Reply-To: <4E278C7A.1070802@redhat.com> References: <4E2614DD.4090301@redhat.com> <4E26157A.5080609@redhat.com> <4E2729F2.3010409@redhat.com> <4E273193.4080506@redhat.com> <4E276E10.4010207@redhat.com> <4E278C7A.1070802@redhat.com> Message-ID: <4E2798F4.3060007@redhat.com> On 7/20/2011 9:18 PM, Adam Young wrote: >>>> 8. Triggering a stack trace by calling null function probably will >>>> only work with Firebug, normal users will not get any notification >>>> about the error. This happens in dialog.js:301 and widget.js:1137. >> >>> Gonna leave this, as we will catch things in development, and it won't >>> happen on the live servers. These are "never reach" type conditions. >> >> Would it be better to throw an exception instead? > > Possibly. This code is going to get caught by the catch block in ipa.js > get_entity anyway, so there is not much difference. Let's use the more common way to report an error, which in this case is to throw an exception rather than invoking a null function to do the same thing. We can attach useful information there even though it's only for development. >> 12. The search filter doesn't work initially. Reload the UI main page, >> (make sure there's no URL parameters), enter a filter, then hit Enter >> or click the icon, there's nothing happening. Go to another tab, then >> come back to the main page. Now the filter will work. > Fixed. Was a pre-existing problem in navigation.js, around line 115 It's still not working, now there's a js error in navigation.js:129. -- Endi S. Dewata From rcritten at redhat.com Thu Jul 21 03:17:16 2011
From: rcritten at redhat.com (Rob Crittenden) Date: Wed, 20 Jul 2011 23:17:16 -0400 Subject: [Freeipa-devel] [PATCH] 34 Create FreeIPA CLI Plugin for the 389 Auto Membership plugin In-Reply-To: <3D1116E1-B782-4F43-B6DA-08E8FCFC34A1@citrixonline.com> References: <99CC5FCC-73CE-43C1-9B73-4DDD69A4637D@citrixonline.com> <1310730613.32137.22.camel@dhcp-25-52.brq.redhat.com> <4E2054E3.5060306@redhat.com> <84A3F669-CCF3-4C6C-9525-5BD4A71E6E1E@citrixonline.com> <4E26F657.8030901@redhat.com> <3D1116E1-B782-4F43-B6DA-08E8FCFC34A1@citrixonline.com> Message-ID: <4E279A3C.5040900@redhat.com> JR Aquino wrote: > On Jul 20, 2011, at 8:37 AM, Rob Crittenden wrote: > >> JR Aquino wrote: >>> On Jul 15, 2011, at 7:55 AM, Rob Crittenden wrote: >>> >>>> Martin Kosek wrote: >>>>> On Thu, 2011-07-14 at 23:05 +0000, JR Aquino wrote: >>>>>> On Jul 14, 2011, at 11:55 AM, wrote: >>>>>> >>>>>>> https://fedorahosted.org/freeipa/ticket/1272 >>>>>>> >>>>>>> * Added new container in etc to hold the automembership configs. >>>>>>> * Modified constants to point to the new container >>>>>>> * Modified dsinstance to create the container >>>>>>> * Modified hostgroup.py to add the new commands >>>>>>> * Added xmlrpc test to verify functionality >>>>>> >>>>>> Minor adjustment: >>>>>> Auto Membership Plugin isn't available until 1.2.9-0.2+ >>>>>> >>>>>> Modified freeipa.spec.in: >>>>>> BuildRequires: 389-ds-base-devel>= 1.2.9-0.2 >>>>> >>>>> I have reviewed your patch. Basic functionality is OK but I have some >>>>> concerns. >>>>> >>>>> 1) I am not sure with the command name, it is not really clear to me >>>>> what this command does. But I know from my experience that inventing a >>>>> cool name for something new may be the most difficult task at all :-) >>>>> Maybe command name "hostgrouprule" or "hostgroupauto" would be more >>>>> clear? >>> >>> Perhaps my example docs were too soft with fqdn=^www[1-9]+\.example\.com etc.. >>> I should 'clarify'... 
perhaps what I need to do is add more useful information to the doc, for example, if I were to add to the doc area examples where hostnames are like: w[1-9]+s2r8\.example\.com >>> >>> The real reason for the usefulness of this technology, is in SaaS, Cloud, and Cluster environments, where the hostnames tend to be non-human readable, and more like a serial number detailing their function, their rack location, or their vm-instance, etc... >>> >>> It is because of those scenarios that caused me so much grief as a security engineer trying to assign rights that it became clear that I could just define the reproducible pattern to match assignment into a host group. The hostnames needed clarity in order to understand where they belonged in the network. >>> >>> I'll give it one more chance to pass the censors since I've been internally calling it clarity for the last 2 1/2 years that I've been using it... >>> >>>>> >>>>> >>>>> 2) Overloading execute method in functions >>>>> hostgroupclarity_add_condition and hostgroupclarity_remove_condition is >>>>> an over-kill for me. I think we could just read current >>>>> inclusive/exclusive regexes in pre_callback, modify them and let >>>>> LDAPUpdate class do the standard LDAP operations. >>> >>> I'll recode to perform the actions in a pre_callback. >>> >>>>> >>>>> >>>>> 3) I miss hostgroupclarity-mod module. What would I do if I want to >>>>> update Description? >>> >>> Thank you for catching this, I will add it. >>> >>>>> >>>>> >>>>> 4) I didn't like this construct in the code, it's error prone to >>>>> potential future parameter changes. >>>>> + if len(options) == 2: # 'all' and 'raw' are always sent >>>>> + raise errors.EmptyModlist() >>>>> I know it's in baseldap.py but I still wouldn't like to see this in >>>>> plugins. >>> >>> I should be able to omit that once the code is located in the pre_callback.
>>> >>>>> >>>>> >>>>> 5) Test test_clarityrule_plugin.py: reference to inexistent python >>>>> module: >>>>> +Test the `ipalib/plugins/clarityrule.py` module. >>> >>> Thank you, that is left over from a previous attempt. I will remove it. >>> >>>>> >>>>> >>>>> Then I did some real testing of the new command: >>>>> >>>>> 6) Invalid examples, fqdn is not supposed to be a part of regex >>>>> $ ipa hostgroupclarity-add --inclusive-hostname-regex=fqdn=^www[1-9]+\.example\.com webservers >>>>> Hostgroup Clarity Rule: webservers >>>>> Inclusive Regex: fqdn=fqdn=^www[1-9]+.example.com >>> >>> Also an oversight, thanks, I will correct it. >>> >>>>> >>>>> >>>>> 7) It does not make sense to have a rule with only an exclusive regex: >>>>> $ ipa hostgroupclarity-add --exclusive-hostname-regex=^www5+\.example\.com webservers >>>>> Hostgroup Clarity Rule: webservers >>>>> $ ipa host-add --force foo.example.co >>>>> $ ipa hostgroup-show webservers >>>>> Host-group: webservers >>>>> Description: Web Servers >>>>> Member hosts: www1.example.com >>>>> >>>>> I think we should 1) hide exclusive regex option in hostgroupclarity-add >>>>> and 2) check that there is at least one inclusive regex in the rule when >>>>> running hostgroupclarity-add-condition and >>>>> hostgroupclarity-remove-condition. >>> >>> I agree, I'll hide it during the creation, and force it to require an inclusive prior to adding an exclusive. 
>>> >>>>> >>>>> >>>>> 8) Plugin incorrectly handles a situation when both inclusive and exclusive regex-es are being added: >>>>> >>>>> $ ipa hostgroupclarity-add --inclusive-hostname-regex=^www[1-9]+\.example\.com webservers >>>>> Hostgroup Clarity Rule: webservers >>>>> Inclusive Regex: fqdn=^www[1-9]+.example.com >>>>> $ ipa hostgroupclarity-add-condition --inclusive-hostname-regex=^web[1-9]+\.example\.com --exclusive-hostname-regex=www5\.example\.com webservers >>>>> Inclusive Regex: fqdn=^web[1-9]+.example.com, fqdn=^www[1-9]+.example.com >>>>> Exclusive Regex: www5.example.com >>>>> >>>>> Exclusive regex misses fqdn. >>> >>> Will look into this. >>> >>>>> >>>>> >>>>> 9) Removing multiple conditions also works incorrectly: >>>>> >>>>> $ ipa hostgroupclarity-show webservers >>>>> Hostgroup Clarity Rule: webservers >>>>> Inclusive Regex: fqdn=^www[1-9]+.example.com, fqdn=^web[1-9]+.example.com >>>>> Exclusive Regex: fqdn=www5.example.com >>>>> $ ipa hostgroupclarity-remove-condition webservers --inclusive-hostname-regex=^www[1-9]+\.example\.com --exclusive-hostname-regex=www5\.example\.com >>>>> Inclusive Regex: fqdn=^web[1-9]+.example.com >>>>> $ ipa hostgroupclarity-show webservers >>>>> Hostgroup Clarity Rule: webservers >>>>> Inclusive Regex: fqdn=^web[1-9]+.example.com >>>>> Exclusive Regex: fqdn=www5.example.com >>> >>> Same as above likely. >>> >>>>> >>>>> >>>>> 10) When removing nonexistent regex I would expect more explaining error message: >>>>> >>>>> $ ipa hostgroupclarity-show webservers >>>>> Hostgroup Clarity Rule: webservers >>>>> Inclusive Regex: fqdn=^web[1-9]+.example.com >>>>> Exclusive Regex: fqdn=www5.example.com >>>>> $ ipa hostgroupclarity-remove-condition webservers --inclusive-hostname-regex=foo >>>>> ipa: ERROR: no modifications to be performed >>> >>> I'll see what better exception can be thrown. Thanks! 
>>>> I think that with group_dn() you should use the api to get the entry rather than calling LDAP directly (I'd stick it into the clarity object).
>>>>
>>>> This is untested but I think it will work:
>>>>
>>>> def hostgroup_dn(self, hostgroup):
>>>>     # look the host group up through the API instead of raw LDAP;
>>>>     # a missing group is reported by the show command itself
>>>>     entry = self.api.Command.hostgroup_show(hostgroup, all=True)['result']
>>>>     return entry['dn']
>>>>
>>>> rob
>>>
>>> I'll try this instead, thanks Rob!
>>>
>>> -JR
>>>
>> And on second thought you may be able to hook right into the hostgroup object get_dn() function.
>
> Rob, I'm afraid I believe that ldap lookup is necessary. The user inputs a standard string to represent the possible host group? If i simply perform a get_dn it will indeed provide a dn, however, it won't verify that the host group actually exists? (you don't want to create an assignment rule for a non existent target host group)
>
> Martin, (except for the name Clarity), I have addressed your observations in this latest patch. Could you please have a look and let me know if there is anything else I need to take care of?

Good point about the LDAP lookup.

This looks a lot better but there are still a few issues:

If group_dn is in the object then you can use self.obj.handle_not_found(*keys) for the NotFound.

Or if it can't be moved, in the calls to group_dn() you can use the ldap handle passed into pre_callback.

I guess you are using the includetype tuple to avoid coding long variable names everywhere? Would a symbol be better, eg:

INCLUDE_RE = 'automemberinclusiveregex'
EXCLUDE_RE = 'automemberexclusiveregex'

Is there a way to validate the regex?

If we were to add an equivalent user group handler would it be the same code in add_condition and remove_condition? It is sort of nice to have everything together at the moment, I suspect it will need to be generalized at some point.

Adding a clarity with no rules won't let you add rules:

# ipa hostgroup-add --desc=hg1 hg1
# ipa hostgroupclarity-add hg1
# ipa hostgroupclarity-add-condition --exclusive-hostname-regex=^web5\.example\.com hg1
ipa: ERROR: no modifications to be performed

The way you explained clarity today in IRC, how it brings clarity to managing membership with names no human can grok, I got it. Still, clarity is a bit awkward as a name. automember might be a better choice.

rob

From JR.Aquino at citrix.com Thu Jul 21 03:37:15 2011
From: JR.Aquino at citrix.com (JR Aquino) Date: Thu, 21 Jul 2011 03:37:15 +0000 Subject: [Freeipa-devel] [PATCH] 34 Create FreeIPA CLI Plugin for the 389 Auto Membership plugin In-Reply-To: <4E279A3C.5040900@redhat.com> References: <99CC5FCC-73CE-43C1-9B73-4DDD69A4637D@citrixonline.com> <1310730613.32137.22.camel@dhcp-25-52.brq.redhat.com> <4E2054E3.5060306@redhat.com> <84A3F669-CCF3-4C6C-9525-5BD4A71E6E1E@citrixonline.com> <4E26F657.8030901@redhat.com> <3D1116E1-B782-4F43-B6DA-08E8FCFC34A1@citrixonline.com> <4E279A3C.5040900@redhat.com> Message-ID: <328D74A5-F560-4DC6-8E5F-413AFDCCAABC@citrixonline.com> >> Rob, I'm afraid I believe that ldap lookup is necessary. The user inputs a standard string to represent the possible host group? If i simply perform a get_dn it will indeed provide a dn, however, it won't verify that the host group actually exists? (you don't want to create an assignment rule for a non existent target host group) >> >> >> Martin, (except for the name Clarity), I have addressed your observations in this latest patch. Could you please have a look and let me know if there is anything else I need to take care of? >> > > Good point about the LDAP lookup. > > This looks a lot better but there are still a few issues: > > If group_dn is in the object then you can use self.obj.handle_not_found(*keys) for the NotFound. Ok, I will give that a shot! > > Or if it can't be moved, in the calls to group_dn() you can use the ldap handle passed into pre_callback. > > I guess you are using the includetype tuple to avoid coding long variable names everywhere? Would a symbol be better, eg: > > INCLUDE_RE = 'automemberinclusiveregex' > EXCLUDE_RE = 'automemberexclusiveregex' That works, I'll swap em. > Is there a way to validate the regex? Now that you mention it, I believe if I import re, we should be able to validate the initial regex and raise an exception if it is bogus. 
> If we were to add an equivalent user group handler would it be the same code in add_condition and remove_condition? It is sort of nice to have everything together at the moment, I suspect it will need to be generalized at some point.

Well. For the groups, I was thinking it starts to get a little different. I would still reuse the condition, but I believe I would pivot users into groups based upon something like their manager?

> Adding a clarity with no rules won't let you add rules:
>
> # ipa hostgroup-add --desc=hg1 hg1
> # ipa hostgroupclarity-add hg1
> # ipa hostgroupclarity-add-condition --exclusive-hostname-regex=^web5\.example\.com hg1
> ipa: ERROR: no modifications to be performed

This ^ is deliberate, you cannot add an exclusion rule if there is no existing or simultaneous inclusive rule. :) Martin asked for that, and I think it's wise.

> The way you explained clarity today in IRC, how it brings clarity to managing membership with names no human can grok, I got it. Still, clarity is a bit awkward as a name. automember might be a better choice.

Fair enough ;) I tried, perhaps I can /allude/ to it in the help / docs. automember it is.

One final class I have been struggling with that I want to add?

The object and attribute which defines the 'default group' is the parent of the actual rules? i.e. cn=hostgroup,cn=automember,cn=etc?

The ipa cli seems to only want to let me make mods that assume I am specifying a target object on the cli? "ipa hostgroupautomember-default-group=foo" <- in this scenario, we don't actually want or need a rule name because it's the container above? I have had success making the writes, but the cli syntax just doesn't lend itself to that level of abstraction?

Any suggestions?

From edewata at redhat.com Thu Jul 21 04:13:22 2011
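Several points in the exchange above come together in one piece of logic: validating the user's regex with the re module before it is written (JR's reply to Rob), using symbols for the two attribute names instead of the includetype tuple, prefixing the attribute name exactly once so the stored value does not come out as fqdn=fqdn=..., refusing an exclusive regex when no inclusive one exists and saying so instead of "no modifications to be performed", and naming the missing condition when a removal fails. The following is an added, self-contained Python example written for this archive; it is not the patch under review and not FreeIPA code. It keeps the rule as a plain dict of attribute name to list of values; the ValidationError and NotFound classes, that dict representation, and the match semantics in matches() (any inclusive regex matches and no exclusive one does) are assumptions of the example, and only the two attribute names come from the thread.

```python
import re

# 389 DS automember attribute names, used as symbols as suggested in the
# thread instead of the includetype tuple.
INCLUDE_RE = 'automemberinclusiveregex'
EXCLUDE_RE = 'automemberexclusiveregex'


class ValidationError(ValueError):
    """Malformed input. Stand-in for ipalib's error class; an assumption
    of this example, not the plugin's real exception."""


class NotFound(LookupError):
    """A condition named for removal does not exist on the rule."""


def make_condition(attr, regex):
    """Validate ``regex`` and return its stored form ``attr=regex``.

    Rejects a value that already carries the ``attr=`` prefix (the
    ``fqdn=fqdn=`` output seen in review) and a pattern that does not
    compile, so a broken regex never reaches the directory.
    """
    if regex.startswith(attr + '='):
        raise ValidationError("regex must not start with '%s='" % attr)
    try:
        re.compile(regex)
    except re.error as e:
        raise ValidationError("invalid regex %r: %s" % (regex, e))
    return '%s=%s' % (attr, regex)


def _copy(entry):
    # Work on a copy so a rejected update leaves the caller's entry untouched.
    return {key: list(values) for key, values in entry.items()}


def add_condition(entry, attr, inclusive=(), exclusive=()):
    """Return ``entry`` (dict: attribute -> list of values) with conditions added.

    An exclusive regex is accepted only if an inclusive one already exists
    or is added in the same call, and the error explains that rule.
    """
    new = _copy(entry)
    new_inc = [make_condition(attr, r) for r in inclusive]
    new_exc = [make_condition(attr, r) for r in exclusive]
    if not new_inc and not new_exc:
        raise ValidationError("no conditions given")
    if new_exc and not (new.get(INCLUDE_RE) or new_inc):
        raise ValidationError(
            "an exclusive regex requires at least one inclusive regex")
    for key, conds in ((INCLUDE_RE, new_inc), (EXCLUDE_RE, new_exc)):
        if not conds:
            continue
        current = new.setdefault(key, [])
        for cond in conds:
            if cond in current:
                raise ValidationError("condition %r already present" % cond)
            current.append(cond)
    return new


def remove_condition(entry, attr, inclusive=(), exclusive=()):
    """Return ``entry`` with conditions removed.

    Every named condition must exist (the error names the missing one), and
    the last inclusive regex cannot go while exclusive regexes remain, so a
    rule never ends up exclusive-only.
    """
    new = _copy(entry)
    for key, regexes in ((INCLUDE_RE, inclusive), (EXCLUDE_RE, exclusive)):
        current = new.get(key, [])
        for r in regexes:
            cond = '%s=%s' % (attr, r)
            if cond not in current:
                raise NotFound("%s: no such condition %r" % (key, cond))
            current.remove(cond)
    if new.get(EXCLUDE_RE) and not new.get(INCLUDE_RE):
        raise ValidationError(
            "cannot remove the last inclusive regex while exclusive ones remain")
    return new


def matches(entry, attr, value):
    """Decide whether ``value`` of ``attr`` falls under the rule.

    Assumed semantics for this example: the value must match at least one
    inclusive regex and must not match any exclusive regex.
    """
    prefix = attr + '='

    def patterns(key):
        return [c[len(prefix):] for c in entry.get(key, []) if c.startswith(prefix)]

    included = any(re.search(p, value) for p in patterns(INCLUDE_RE))
    excluded = any(re.search(p, value) for p in patterns(EXCLUDE_RE))
    return included and not excluded


if __name__ == '__main__':
    # Constructed walk-through mirroring the commands quoted in the review.
    rule = add_condition({}, 'fqdn', inclusive=[r'^www[1-9]+\.example\.com'])
    rule = add_condition(rule, 'fqdn', inclusive=[r'^web[1-9]+\.example\.com'],
                         exclusive=[r'www5\.example\.com'])
    print(rule)
    print(matches(rule, 'fqdn', 'www1.example.com'),
          matches(rule, 'fqdn', 'www5.example.com'))
```

Both add_condition() and remove_condition() return a fresh dict and raise before touching anything, so a rejected call (bad regex, exclusive-only rule, unknown condition) leaves the original entry exactly as it was, which is the behaviour you want before the values are handed to an LDAP modify.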
From: edewata at redhat.com (Endi Sukma Dewata) Date: Wed, 20 Jul 2011 23:13:22 -0500 Subject: [Freeipa-devel] [PATCH] 213 Removed entitlement registration UUID field. Message-ID: <4E27A762.2090700@redhat.com> The UUID field has been removed from the entitlement registration dialog box because it's currently not supported. The code has been modified not to send empty UUID value should this become supported in the future. Ticket #1506 -- Endi S. Dewata -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-edewata-0213-Removed-entitlement-registration-UUID-field.patch Type: text/x-patch Size: 1984 bytes Desc: not available URL: From mkosek at redhat.com Thu Jul 21 11:09:34 2011 
From: mkosek at redhat.com (Martin Kosek) Date: Thu, 21 Jul 2011 13:09:34 +0200 Subject: [Freeipa-devel] [PATCH] 34 Create FreeIPA CLI Plugin for the 389 Auto Membership plugin In-Reply-To: <328D74A5-F560-4DC6-8E5F-413AFDCCAABC@citrixonline.com> References: <99CC5FCC-73CE-43C1-9B73-4DDD69A4637D@citrixonline.com> <1310730613.32137.22.camel@dhcp-25-52.brq.redhat.com> <4E2054E3.5060306@redhat.com> <84A3F669-CCF3-4C6C-9525-5BD4A71E6E1E@citrixonline.com> <4E26F657.8030901@redhat.com> <3D1116E1-B782-4F43-B6DA-08E8FCFC34A1@citrixonline.com> <4E279A3C.5040900@redhat.com> <328D74A5-F560-4DC6-8E5F-413AFDCCAABC@citrixonline.com> Message-ID: <1311246577.17378.28.camel@dhcp-25-52.brq.redhat.com> On Thu, 2011-07-21 at 03:37 +0000, JR Aquino wrote: > >> Rob, I'm afraid I believe that ldap lookup is necessary. The user inputs a standard string to represent the possible host group? If i simply perform a get_dn it will indeed provide a dn, however, it won't verify that the host group actually exists? (you don't want to create an assignment rule for a non existent target host group) > >> > >> > >> Martin, (except for the name Clarity), I have addressed your observations in this latest patch. Could you please have a look and let me know if there is anything else I need to take care of? > >> Great, preparing the command parameters in pre_callback is much cleaner. > > > > Good point about the LDAP lookup. > > > > This looks a lot better but there are still a few issues: > > > > If group_dn is in the object then you can use self.obj.handle_not_found(*keys) for the NotFound. > > Ok, I will give that a shot! > > > > > Or if it can't be moved, in the calls to group_dn() you can use the ldap handle passed into pre_callback. > > > > I guess you are using the includetype tuple to avoid coding long variable names everywhere? Would a symbol be better, eg: > > > > INCLUDE_RE = 'automemberinclusiveregex' > > EXCLUDE_RE = 'automemberexclusiveregex' > > That works, I'll swap em. 
I agree with Rob here, this will make the code better. > > > Is there a way to validate the regex? > > Now that you mention it, I believe if I import re, we should be able to validate the initial regex and raise an exception if it is bogus. > > > If we were to add an equivalent user group handler would it be the same code in add_condition and remove_condition? It is sort of nice to have everything together at the moment, I suspect it will need to be generalized at some point. > > Well. For the groups, I was thinking it starts to get a little different. I would still reuse the condition, but I believe I would pivot users into groups based upon something like their manager? > > > Adding a clarity with no rules won't let you add rules: > > > > # ipa hostgroup-add --desc=hg1 hg1 > > # ipa hostgroupclarity-add hg1 > > # ipa hostgroupclarity-add-condition --exclusive-hostname-regex=^web5\.example\.com hg1 > > ipa: ERROR: no modifications to be performed > > This ^ is deliberate, you cannot add an exclusion rule if there is no existing or simultaneous inclusive rule. :) Martin asked for that, and I think its wise. Yes, it is wise :-) But the error message is really not clear to the user. We should tell him that there must be at least one inclusive rule. I wonder if we shouldn't force user to create a hostgroupclarity object with at least one inclusive rule and than make sure that in all operations at least one inclusive rule stays here. Or we could delete the empty LDAP object after the last inclusive rule is removed, as we do with DNS record LDAP objects in dnsrecord-del. > > The way you explained clarity today in IRC, how it brings clarity to managing membership with names no human can grok, I got it. Still, clarity is a bit awkward as a name. automember might be a better choice. > > Fair enough ;) I tried, perhaps I can /allude/ to it in the help / docs. automember it is. > > One final class I have been struggling with that I want to add? 
> > The object and attribute which defines the 'default group' is the parent of the actual rules? i.e. cn=hostgroup,cn=automember,cn=etc? > > The ipa cli seems to only want to let me make mods that assume I am specifying a target object on the cli? "ipa hostgroupautomember-default-group=foo " <- in this scenario, we don't actually want or need a rule name because its the container above? I have had success making the writes, but the cli syntax just doesn't lend itself to that level of abstraction? > > Any suggestions? > > I think the best shot would be to create a new command and overload the execute method in that case. Like in hbacrule_enable. You would be able to set dn correctly here and do the update. Does it makes sense? Rob? Martin From mkosek at redhat.com Thu Jul 21 11:40:39 2011 From: mkosek at redhat.com (Martin Kosek) Date: Thu, 21 Jul 2011 13:40:39 +0200 Subject: [Freeipa-devel] [PATCH] 834 Hide the HBAC access type attribute now that deny is deprecated. In-Reply-To: <4E262607.6090806@redhat.com> References: <4E262607.6090806@redhat.com> Message-ID: <1311248442.17378.37.camel@dhcp-25-52.brq.redhat.com> On Tue, 2011-07-19 at 20:49 -0400, Rob Crittenden wrote: > Hide the HBAC access type attribute now that deny is deprecated. > > It won't appear in the UI/CLI but is still available via XML-RPC. allow > is the default and deny will be rejected. > > This is not tested in the UI. I'm not sure if this is due to a problem > in my tree or something else. > > https://fedorahosted.org/freeipa/ticket/1495 > > rob ACK for the CLI part, tests are clean. I checked WebUI, HBAC rules seem to be broken here. With or without your patch. I see a list of rules, the type column is still here. That's OK, there is already a ticket for this task - 1497. However, when I select a HBAC rule to modify it, its data are not filled at all to the edit fields. I will fill a ticket for this bug. Martin From jcholast at redhat.com Thu Jul 21 12:11:04 2011 
From: jcholast at redhat.com (Jan Cholasta) Date: Thu, 21 Jul 2011 14:11:04 +0200 Subject: [Freeipa-devel] [PATCH] 066 Remove wrong kpasswd sysconfig In-Reply-To: <4E26EF8E.5060902@redhat.com> References: <4E26EF8E.5060902@redhat.com> Message-ID: <4E281758.6010509@redhat.com> On 20.7.2011 17:09, Jakub Hrozek wrote: > I noticed that the file kpasswd init script reads is called > "/etc/sysconfig/ipa-kpasswd" but krbinstance.py saved and wrote into > "/etc/sysconfig/ipa_kpasswd". > > I removed the linkes rather than fixing them for two reasons: > 1) /var/kerberos/krb5kdc/kpasswd.keytab is the default > 2) it probably wouldn't have worked anyway because the ktname must be > prefixed with "FILE:". > ACK Honza -- Jan Cholasta From mkosek at redhat.com Thu Jul 21 12:27:39 2011 
From: mkosek at redhat.com (Martin Kosek) Date: Thu, 21 Jul 2011 14:27:39 +0200 Subject: [Freeipa-devel] [PATCH 31/31] Ticket 1485 - DN pairwise grouping In-Reply-To: <201107202359.p6KNxE5S022392@int-mx01.intmail.prod.int.phx2.redhat.com> References: <201107202359.p6KNxE5S022392@int-mx01.intmail.prod.int.phx2.redhat.com> Message-ID: <1311251261.17378.40.camel@dhcp-25-52.brq.redhat.com> On Wed, 2011-07-20 at 19:59 -0400, John Dennis wrote: > The pairwise grouping used to form RDN's and AVA's proved to be > confusing in practice, this patch removes that functionality thus > requiring programmers to explicitly pair attr,value using a tuple or > list. > > In addition it was discovered additional functionality was needed to > support some DN operations in freeipa. DN objects now support > startswith(), endswith() and the "in" membership test. These functions > and operators will accept either a DN or RDN. > > The unittest was modified to remove the pairwise tests and add new > explicit tests. The unittest was augmented to test the new > functionality. In addition the unittest was cleaned up a bit to use > common utilty functions for improved readabilty and robustness. > > The documentation was updated. > The patch looks good to me. The removed form of creating DN's was indeed confusing. I went through current uses of DN class, I didn't find any using the removed form. DN tests also passes correctly. Martin From jcholast at redhat.com Thu Jul 21 12:40:12 2011 
From: jcholast at redhat.com (Jan Cholasta) Date: Thu, 21 Jul 2011 14:40:12 +0200 Subject: [Freeipa-devel] [PATCH] 067 Silence a compilation warning in ipa_kpasswd In-Reply-To: <4E26EFF2.6010609@redhat.com> References: <4E26EFF2.6010609@redhat.com> Message-ID: <4E281E2C.4030505@redhat.com> On 20.7.2011 17:10, Jakub Hrozek wrote: > I was playing with ipa_kpasswd (long story short - I needed it running > on a non-standard port) and I noticed there was a compilation warning - > rtag was set but never checked. > > Also removes one unused #define. > Found just a minor issue: you use spaces for indentation, but the rest of the file uses tabs. Honza -- Jan Cholasta From mkosek at redhat.com Thu Jul 21 12:53:17 2011 From: mkosek at redhat.com (Martin Kosek) Date: Thu, 21 Jul 2011 14:53:17 +0200 Subject: [Freeipa-devel] [PATCH] 067 Silence a compilation warning in ipa_kpasswd In-Reply-To: <4E281E2C.4030505@redhat.com> References: <4E26EFF2.6010609@redhat.com> <4E281E2C.4030505@redhat.com> Message-ID: <1311252799.17378.45.camel@dhcp-25-52.brq.redhat.com> On Thu, 2011-07-21 at 14:40 +0200, Jan Cholasta wrote: > On 20.7.2011 17:10, Jakub Hrozek wrote: > > I was playing with ipa_kpasswd (long story short - I needed it running > > on a non-standard port) and I noticed there was a compilation warning - > > rtag was set but never checked. > > > > Also removes one unused #define. > > > > Found just a minor issue: you use spaces for indentation, but the rest > of the file uses tabs. > > Honza > To put my 2 cents in - I don't like throwing the same error message in more places. When it really ends with this message we wouldn't know the exact spot with the error. IMO it would make the following investigation simpler if we fix this. Martin From gsr at redhat.com Thu Jul 21 13:22:43 2011 
From: gsr at redhat.com (Gowrishankar Rajaiyan) Date: Thu, 21 Jul 2011 18:52:43 +0530 Subject: [Freeipa-devel] [PATCH] Adding message summary while adding and deleting automount location. Message-ID: <4E282823.70601@redhat.com> Hi All, This patch fixes - https://fedorahosted.org/freeipa/ticket/1510 - https://fedorahosted.org/freeipa/ticket/1509 -- Regards, Shanks Looking to carve out IT costs? www.redhat.com/carveoutcosts/ -------------- next part -------------- An embedded and charset-unspecified text was scrubbed... Name: 0001-Adding-message-summary-while-adding-and-deleting-aut.patch URL: From edewata at redhat.com Thu Jul 21 14:23:35 2011 From: edewata at redhat.com (Endi Sukma Dewata) Date: Thu, 21 Jul 2011 09:23:35 -0500 Subject: [Freeipa-devel] [PATCH] 214 Fixed problem loading data in HBAC/sudo details page. Message-ID: <4E283667.8010002@redhat.com> In a recent change the details page was changed to create and locate field containers with 'details-field' CSS class. The HBAC and sudo custom details pages have been modified to use the same CSS class. Ticket #1508 -- Endi S. Dewata From edewata at redhat.com Thu Jul 21 14:27:52 2011 
From: edewata at redhat.com (Endi Sukma Dewata) Date: Thu, 21 Jul 2011 09:27:52 -0500 Subject: [Freeipa-devel] [PATCH] 214 Fixed problem loading data in HBAC/sudo details page. In-Reply-To: <4E283667.8010002@redhat.com> References: <4E283667.8010002@redhat.com> Message-ID: <4E283768.5070102@redhat.com> On 7/21/2011 9:23 AM, Endi Sukma Dewata wrote: > In a recent change the details page was changed to create and locate > field containers with 'details-field' CSS class. The HBAC and sudo > custom details pages have been modified to use the same CSS class. > > Ticket #1508 > Patch attached. -- Endi S. Dewata -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-edewata-0214-Fixed-problem-loading-data-in-HBAC-sudo-details-page.patch Type: text/x-patch Size: 9437 bytes Desc: not available URL: From rcritten at redhat.com Thu Jul 21 14:31:38 2011 
From: rcritten at redhat.com (Rob Crittenden) Date: Thu, 21 Jul 2011 10:31:38 -0400 Subject: [Freeipa-devel] [PATCH] 34 Create FreeIPA CLI Plugin for the 389 Auto Membership plugin In-Reply-To: <1311246577.17378.28.camel@dhcp-25-52.brq.redhat.com> References: <99CC5FCC-73CE-43C1-9B73-4DDD69A4637D@citrixonline.com> <1310730613.32137.22.camel@dhcp-25-52.brq.redhat.com> <4E2054E3.5060306@redhat.com> <84A3F669-CCF3-4C6C-9525-5BD4A71E6E1E@citrixonline.com> <4E26F657.8030901@redhat.com> <3D1116E1-B782-4F43-B6DA-08E8FCFC34A1@citrixonline.com> <4E279A3C.5040900@redhat.com> <328D74A5-F560-4DC6-8E5F-413AFDCCAABC@citrixonline.com> <1311246577.17378.28.camel@dhcp-25-52.brq.redhat.com> Message-ID: <4E28384A.708@redhat.com> Martin Kosek wrote: > On Thu, 2011-07-21 at 03:37 +0000, JR Aquino wrote: >>>> Rob, I'm afraid I believe that ldap lookup is necessary. The user inputs a standard string to represent the possible host group? If i simply perform a get_dn it will indeed provide a dn, however, it won't verify that the host group actually exists? (you don't want to create an assignment rule for a non existent target host group) >>>> >>>> >>>> Martin, (except for the name Clarity), I have addressed your observations in this latest patch. Could you please have a look and let me know if there is anything else I need to take care of? >>>> > > Great, preparing the command parameters in pre_callback is much cleaner. > >>> >>> Good point about the LDAP lookup. >>> >>> This looks a lot better but there are still a few issues: >>> >>> If group_dn is in the object then you can use self.obj.handle_not_found(*keys) for the NotFound. >> >> Ok, I will give that a shot! >> >>> >>> Or if it can't be moved, in the calls to group_dn() you can use the ldap handle passed into pre_callback. >>> >>> I guess you are using the includetype tuple to avoid coding long variable names everywhere? 
Would a symbol be better, eg: >>> >>> INCLUDE_RE = 'automemberinclusiveregex' >>> EXCLUDE_RE = 'automemberexclusiveregex' >> >> That works, I'll swap em. > > I agree with Rob here, this will make the code better. > >> >>> Is there a way to validate the regex? >> >> Now that you mention it, I believe if I import re, we should be able to validate the initial regex and raise an exception if it is bogus. >> >>> If we were to add an equivalent user group handler would it be the same code in add_condition and remove_condition? It is sort of nice to have everything together at the moment, I suspect it will need to be generalized at some point. >> >> Well. For the groups, I was thinking it starts to get a little different. I would still reuse the condition, but I believe I would pivot users into groups based upon something like their manager? >> >>> Adding a clarity with no rules won't let you add rules: >>> >>> # ipa hostgroup-add --desc=hg1 hg1 >>> # ipa hostgroupclarity-add hg1 >>> # ipa hostgroupclarity-add-condition --exclusive-hostname-regex=^web5\.example\.com hg1 >>> ipa: ERROR: no modifications to be performed >> >> This ^ is deliberate, you cannot add an exclusion rule if there is no existing or simultaneous inclusive rule. :) Martin asked for that, and I think its wise. > > Yes, it is wise :-) But the error message is really not clear to the > user. We should tell him that there must be at least one inclusive rule. > > I wonder if we shouldn't force user to create a hostgroupclarity object > with at least one inclusive rule and than make sure that in all > operations at least one inclusive rule stays here. Or we could delete > the empty LDAP object after the last inclusive rule is removed, as we do > with DNS record LDAP objects in dnsrecord-del. > >>> The way you explained clarity today in IRC, how it brings clarity to managing membership with names no human can grok, I got it. Still, clarity is a bit awkward as a name. automember might be a better choice. 
>> Fair enough ;) I tried, perhaps I can /allude/ to it in the help / docs. automember it is.
>>
>> One final class I have been struggling with that I want to add?
>>
>> The object and attribute which defines the 'default group' is the parent of the actual rules? i.e. cn=hostgroup,cn=automember,cn=etc?
>>
>> The ipa cli seems to only want to let me make mods that assume I am specifying a target object on the cli? "ipa hostgroupautomember-default-group=foo" <- in this scenario, we don't actually want or need a rule name because it's the container above? I have had success making the writes, but the cli syntax just doesn't lend itself to that level of abstraction?
>>
>> Any suggestions?
>
> I think the best shot would be to create a new command and overload the execute method in that case. Like in hbacrule_enable. You would be able to set dn correctly here and do the update. Does it make sense? Rob?
>
> Martin

I agree. We are better off abstracting things now so we can get the API right. I think we can stick more or less with the command names, just in a new plugin and some new arguments.

I see the plugin with the following methods. Each takes a single argument, the name of the rule. I don't think I'd stick type into the DN so you wouldn't be able to use the same rule name for different object types. If we want to allow that then we'd need to add --type to a lot more commands. There is no mod to change types, you have to delete and re-add.

automember-add                Add an automember rule
  --type=ENUM                 (hostgroup, group)
  --desc=STR                  description of this auto membership rule
  --inclusive-regex=LIST      Inclusive Regex
  --exclusive-regex=LIST      Exclusive Regex

automember-add-condition      Add conditions to automember rule
  --inclusive-regex=LIST      Inclusive Regex
  --exclusive-regex=LIST      Exclusive Regex

automember-del                Delete an automember rule

automember-find               Search for automember rules
  --type=ENUM                 (hostgroup, group)

automember-mod                Modify an automember rule.

automember-remove-condition   Remove conditions from an automember rule
  --inclusive-regex=LIST      Inclusive Regex
  --exclusive-regex=LIST      Exclusive Regex

automember-show               Display an automember rule

From edewata at redhat.com Thu Jul 21 14:34:44 2011
From: edewata at redhat.com (Endi Sukma Dewata) Date: Thu, 21 Jul 2011 09:34:44 -0500 Subject: [Freeipa-devel] [PATCH] 215 Removed HBAC access time code. Message-ID: <4E283904.6070909@redhat.com>

The HBAC access time is currently not supported, so the related UI code has been removed to reduce maintenance issues. When the feature becomes supported in the future the code may be restored/rewritten.

Ticket #546

-- Endi S. Dewata

-------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-edewata-0215-Removed-HBAC-access-time-code.patch Type: text/x-patch Size: 11691 bytes Desc: not available URL:

From edewata at redhat.com Thu Jul 21 14:42:42 2011
From: edewata at redhat.com (Endi Sukma Dewata) Date: Thu, 21 Jul 2011 09:42:42 -0500 Subject: [Freeipa-devel] [PATCH] 216 Removed custom layouts using HTML templates. Message-ID: <4E283AE2.2000907@redhat.com>

The code for supporting custom layouts using HTML templates has been removed. If it's needed again in the future the code can be restored.

Ticket #1501

-- Endi S. Dewata

-------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-edewata-0216-Removed-custom-layouts-using-HTML-templates.patch Type: text/x-patch Size: 55375 bytes Desc: not available URL:

From ayoung at redhat.com Thu Jul 21 14:47:08 2011
From: ayoung at redhat.com (Adam Young) Date: Thu, 21 Jul 2011 10:47:08 -0400 Subject: [Freeipa-devel] [PATCH] 213 Removed entitlement registration UUID field. In-Reply-To: <4E27A762.2090700@redhat.com> References: <4E27A762.2090700@redhat.com> Message-ID: <4E283BEC.1040801@redhat.com> On 07/21/2011 12:13 AM, Endi Sukma Dewata wrote: > The UUID field has been removed from the entitlement registration > dialog box because it's currently not supported. The code has been > modified not to send empty UUID value should this become supported > in the future. > > Ticket #1506 > > > _______________________________________________ > Freeipa-devel mailing list > Freeipa-devel at redhat.com > https://www.redhat.com/mailman/listinfo/freeipa-devel Close to ACK, but: Either remove all of the references to the field, or comment them out. Suggest going the commented out route. Also, leave the commas inside the commented out code, so that you can just remove the comment and the code will be valid, even if it needs to be reformatted. -------------- next part -------------- An HTML attachment was scrubbed... URL: From mkosek at redhat.com Thu Jul 21 14:52:44 2011 
From: mkosek at redhat.com (Martin Kosek) Date: Thu, 21 Jul 2011 16:52:44 +0200 Subject: [Freeipa-devel] [PATCH] Adding message summary while adding and deleting automount location. In-Reply-To: <4E282823.70601@redhat.com> References: <4E282823.70601@redhat.com> Message-ID: <1311259967.17378.48.camel@dhcp-25-52.brq.redhat.com> On Thu, 2011-07-21 at 18:52 +0530, Gowrishankar Rajaiyan wrote: > Hi All, > > This patch fixes > - https://fedorahosted.org/freeipa/ticket/1510 > - https://fedorahosted.org/freeipa/ticket/1509 QEs sending patches for the bugs they found - good job there. I went one step further and updated all automount summary messages so that we are consistent on the plugin. The proposed patch is attached, tests are clean. Martin -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-mkosek-099-add-missing-automount-summaries.patch Type: text/x-patch Size: 4125 bytes Desc: not available URL: From jcholast at redhat.com Thu Jul 21 14:54:43 2011 From: jcholast at redhat.com (Jan Cholasta) Date: Thu, 21 Jul 2011 16:54:43 +0200 Subject: [Freeipa-devel] [PATCH] 33 Fix ipa-compat-manage Message-ID: <4E283DB3.205@redhat.com> Make ipa-compat-manage work again after the changes to ipa-nis-manage I've done in patch 32. (this also fixes https://fedorahosted.org/freeipa/ticket/1147) Honza -- Jan Cholasta -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-jcholast-33-ipa-compat-manage-fix.patch Type: text/x-patch Size: 7549 bytes Desc: not available URL: From edewata at redhat.com Thu Jul 21 14:59:13 2011 
From: edewata at redhat.com (Endi Sukma Dewata) Date: Thu, 21 Jul 2011 09:59:13 -0500 Subject: [Freeipa-devel] [PATCH] 213 Removed entitlement registration UUID field. In-Reply-To: <4E283BEC.1040801@redhat.com> References: <4E27A762.2090700@redhat.com> <4E283BEC.1040801@redhat.com> Message-ID: <4E283EC1.9010309@redhat.com> On 7/21/2011 9:47 AM, Adam Young wrote: > Close to ACK, but: > Either remove all of the references to the field, or comment them out. > Suggest going the commented out route. Also, leave the commas inside the > commented out code, so that you can just remove the comment and the code > will be valid, even if it needs to be reformatted. New patch attached. -- Endi S. Dewata -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-edewata-0213-2-Removed-entitlement-registration-UUID-field.patch Type: text/x-patch Size: 2007 bytes Desc: not available URL: From ayoung at redhat.com Thu Jul 21 15:23:56 2011 From: ayoung at redhat.com (Adam Young) Date: Thu, 21 Jul 2011 11:23:56 -0400 Subject: [Freeipa-devel] [PATCH] 213 Removed entitlement registration UUID field. In-Reply-To: <4E283EC1.9010309@redhat.com> References: <4E27A762.2090700@redhat.com> <4E283BEC.1040801@redhat.com> <4E283EC1.9010309@redhat.com> Message-ID: <4E28448C.7070305@redhat.com> On 07/21/2011 10:59 AM, Endi Sukma Dewata wrote: > On 7/21/2011 9:47 AM, Adam Young wrote: >> Close to ACK, but: >> Either remove all of the references to the field, or comment them out. >> Suggest going the commented out route. Also, leave the commas inside the >> commented out code, so that you can just remove the comment and the code >> will be valid, even if it needs to be reformatted. > > New patch attached. > ACK From ayoung at redhat.com Thu Jul 21 15:25:09 2011 
From: ayoung at redhat.com (Adam Young) Date: Thu, 21 Jul 2011 11:25:09 -0400 Subject: [Freeipa-devel] [PATCH] 214 Fixed problem loading data in HBAC/sudo details page. In-Reply-To: <4E283768.5070102@redhat.com> References: <4E283667.8010002@redhat.com> <4E283768.5070102@redhat.com> Message-ID: <4E2844D5.3080409@redhat.com> On 07/21/2011 10:27 AM, Endi Sukma Dewata wrote: > On 7/21/2011 9:23 AM, Endi Sukma Dewata wrote: >> In a recent change the details page was changed to create and locate >> field containers with 'details-field' CSS class. The HBAC and sudo >> custom details pages have been modified to use the same CSS class. >> >> Ticket #1508 >> > > Patch attached. > > > _______________________________________________ > Freeipa-devel mailing list > Freeipa-devel at redhat.com > https://www.redhat.com/mailman/listinfo/freeipa-devel ACK -------------- next part -------------- An HTML attachment was scrubbed... URL: From edewata at redhat.com Thu Jul 21 15:35:54 2011 From: edewata at redhat.com (Endi Sukma Dewata) Date: Thu, 21 Jul 2011 10:35:54 -0500 Subject: [Freeipa-devel] [PATCH] 213 Removed entitlement registration UUID field. In-Reply-To: <4E28448C.7070305@redhat.com> References: <4E27A762.2090700@redhat.com> <4E283BEC.1040801@redhat.com> <4E283EC1.9010309@redhat.com> <4E28448C.7070305@redhat.com> Message-ID: <4E28475A.7080101@redhat.com> On 7/21/2011 10:23 AM, Adam Young wrote: > On 07/21/2011 10:59 AM, Endi Sukma Dewata wrote: >> On 7/21/2011 9:47 AM, Adam Young wrote: >>> Close to ACK, but: >>> Either remove all of the references to the field, or comment them out. >>> Suggest going the commented out route. Also, leave the commas inside the >>> commented out code, so that you can just remove the comment and the code >>> will be valid, even if it needs to be reformatted. >> >> New patch attached. >> > ACK Pushed to master. -- Endi S. Dewata From edewata at redhat.com Thu Jul 21 15:36:33 2011 
From: edewata at redhat.com (Endi Sukma Dewata) Date: Thu, 21 Jul 2011 10:36:33 -0500 Subject: [Freeipa-devel] [PATCH] 214 Fixed problem loading data in HBAC/sudo details page. In-Reply-To: <4E2844D5.3080409@redhat.com> References: <4E283667.8010002@redhat.com> <4E283768.5070102@redhat.com> <4E2844D5.3080409@redhat.com> Message-ID: <4E284781.3000703@redhat.com> On 7/21/2011 10:25 AM, Adam Young wrote: > On 07/21/2011 10:27 AM, Endi Sukma Dewata wrote: >> On 7/21/2011 9:23 AM, Endi Sukma Dewata wrote: >>> In a recent change the details page was changed to create and locate >>> field containers with 'details-field' CSS class. The HBAC and sudo >>> custom details pages have been modified to use the same CSS class. >>> >>> Ticket #1508 >> Patch attached. > ACK Pushed to master. -- Endi S. Dewata From ayoung at redhat.com Thu Jul 21 15:44:33 2011 From: ayoung at redhat.com (Adam Young) Date: Thu, 21 Jul 2011 11:44:33 -0400 Subject: [Freeipa-devel] [PATCH] 215 Removed HBAC access time code. In-Reply-To: <4E283904.6070909@redhat.com> References: <4E283904.6070909@redhat.com> Message-ID: <4E284961.6000502@redhat.com> On 07/21/2011 10:34 AM, Endi Sukma Dewata wrote: > The HBAC access time is currently not supported, so the related UI > code has been removed to reduce maintenance issue. When the feature > becomes supported in the future the code may be restored/rewritten. > > Ticket #546 > > > _______________________________________________ > Freeipa-devel mailing list > Freeipa-devel at redhat.com > https://www.redhat.com/mailman/listinfo/freeipa-devel ACK -------------- next part -------------- An HTML attachment was scrubbed... URL: From mkosek at redhat.com Thu Jul 21 15:43:32 2011 
From: mkosek at redhat.com (Martin Kosek) Date: Thu, 21 Jul 2011 17:43:32 +0200 Subject: [Freeipa-devel] [PATCH] 34 Create FreeIPA CLI Plugin for the 389 Auto Membership plugin In-Reply-To: <4E28384A.708@redhat.com> References: <99CC5FCC-73CE-43C1-9B73-4DDD69A4637D@citrixonline.com> <1310730613.32137.22.camel@dhcp-25-52.brq.redhat.com> <4E2054E3.5060306@redhat.com> <84A3F669-CCF3-4C6C-9525-5BD4A71E6E1E@citrixonline.com> <4E26F657.8030901@redhat.com> <3D1116E1-B782-4F43-B6DA-08E8FCFC34A1@citrixonline.com> <4E279A3C.5040900@redhat.com> <328D74A5-F560-4DC6-8E5F-413AFDCCAABC@citrixonline.com> <1311246577.17378.28.camel@dhcp-25-52.brq.redhat.com> <4E28384A.708@redhat.com> Message-ID: <1311263014.17378.59.camel@dhcp-25-52.brq.redhat.com> On Thu, 2011-07-21 at 10:31 -0400, Rob Crittenden wrote: > Martin Kosek wrote: > > On Thu, 2011-07-21 at 03:37 +0000, JR Aquino wrote: > >>>> Rob, I'm afraid I believe that ldap lookup is necessary. The user inputs a standard string to represent the possible host group? If i simply perform a get_dn it will indeed provide a dn, however, it won't verify that the host group actually exists? (you don't want to create an assignment rule for a non existent target host group) > >>>> > >>>> > >>>> Martin, (except for the name Clarity), I have addressed your observations in this latest patch. Could you please have a look and let me know if there is anything else I need to take care of? > >>>> > > > > Great, preparing the command parameters in pre_callback is much cleaner. > > > >>> > >>> Good point about the LDAP lookup. > >>> > >>> This looks a lot better but there are still a few issues: > >>> > >>> If group_dn is in the object then you can use self.obj.handle_not_found(*keys) for the NotFound. > >> > >> Ok, I will give that a shot! > >> > >>> > >>> Or if it can't be moved, in the calls to group_dn() you can use the ldap handle passed into pre_callback. 
> >>> > >>> I guess you are using the includetype tuple to avoid coding long variable names everywhere? Would a symbol be better, eg: > >>> > >>> INCLUDE_RE = 'automemberinclusiveregex' > >>> EXCLUDE_RE = 'automemberexclusiveregex' > >> > >> That works, I'll swap em. > > > > I agree with Rob here, this will make the code better. > > > >> > >>> Is there a way to validate the regex? > >> > >> Now that you mention it, I believe if I import re, we should be able to validate the initial regex and raise an exception if it is bogus. > >> > >>> If we were to add an equivalent user group handler would it be the same code in add_condition and remove_condition? It is sort of nice to have everything together at the moment, I suspect it will need to be generalized at some point. > >> > >> Well. For the groups, I was thinking it starts to get a little different. I would still reuse the condition, but I believe I would pivot users into groups based upon something like their manager? > >> > >>> Adding a clarity with no rules won't let you add rules: > >>> > >>> # ipa hostgroup-add --desc=hg1 hg1 > >>> # ipa hostgroupclarity-add hg1 > >>> # ipa hostgroupclarity-add-condition --exclusive-hostname-regex=^web5\.example\.com hg1 > >>> ipa: ERROR: no modifications to be performed > >> > >> This ^ is deliberate, you cannot add an exclusion rule if there is no existing or simultaneous inclusive rule. :) Martin asked for that, and I think its wise. > > > > Yes, it is wise :-) But the error message is really not clear to the > > user. We should tell him that there must be at least one inclusive rule. > > > > I wonder if we shouldn't force user to create a hostgroupclarity object > > with at least one inclusive rule and than make sure that in all > > operations at least one inclusive rule stays here. Or we could delete > > the empty LDAP object after the last inclusive rule is removed, as we do > > with DNS record LDAP objects in dnsrecord-del. 
> > > >>> The way you explained clarity today in IRC, how it brings clarity to managing membership with names no human can grok, I got it. Still, clarity is a bit awkward as a name. automember might be a better choice. > >> > >> Fair enough ;) I tried, perhaps I can /allude/ to it in the help / docs. automember it is. > >> > >> One final class I have been struggling with that I want to add? > >> > >> The object and attribute which defines the 'default group' is the parent of the actual rules? i.e. cn=hostgroup,cn=automember,cn=etc? > >> > >> The ipa cli seems to only want to let me make mods that assume I am specifying a target object on the cli? "ipa hostgroupautomember-default-group=foo"<- in this scenario, we don't actually want or need a rule name because its the container above? I have had success making the writes, but the cli syntax just doesn't lend itself to that level of abstraction? > >> > >> Any suggestions? > >> > >> > > > > I think the best shot would be to create a new command and overload the > > execute method in that case. Like in hbacrule_enable. You would be able > > to set dn correctly here and do the update. Does it makes sense? Rob? > > > > Martin > > > > I agree. We are better off abstracting things now so we can get the API > right. > > I think we can stick more or less with the command names, just in a new > plugin and some new arguments. Yes, this will make more flexible API for the future. We will be able to implement new membership types easily if we want to. > > I see the plugin with the following methods: > > Each takes a single argument, the name of the rule. I don't think I'd > stick type into the DN so you wouldn't be able to use the same rule name > for different object types. If we want to allow that then we'd need to > add --type to a lot more commands. I think we have to leave the type in the DN as it is now, i.e. 1) cn=Hostgroups,cn=automembership,cn=etc,$SUFFIX 2) cn=Groups,cn=automembership,cn=etc,$SUFFIX 3) ... 
Otherwise we wouldn't be able to configure the membership plugin correctly (see automembership.ldif) and the rules would be mixed together. Plus, it would then be easier to list rules for one type via plain ldapsearch.

> There is no mod to change types, you have to delete and re-add.
>
> automember-add                 Add an automember rule
>   --type=ENUM (hostgroup, group)
>   --desc=STR                   description of this auto membership rule
>   --inclusive-regex=LIST       Inclusive Regex
>   --exclusive-regex=LIST       Exclusive Regex
>
> automember-add-condition       Add conditions to automember rule
>   --inclusive-regex=LIST       Inclusive Regex
>   --exclusive-regex=LIST       Exclusive Regex
>
> automember-del                 Delete an automember rule
>
> automember-find                Search for automember rules
>   --type=ENUM (hostgroup, group)
>
> automember-mod                 Modify an automember rule.
>
> automember-remove-condition    Remove conditions from an automember rule
>   --inclusive-regex=LIST       Inclusive Regex
>   --exclusive-regex=LIST       Exclusive Regex
>
> automember-show                Display an automember rule

This looks good, I only miss an option to set a default group (when no rule matches). This would be located directly in cn=automembership,cn=etc,$SUFFIX as JR mentioned. Therefore this needs a different approach than the regular automembership rules - a new command possibly.

Martin

From ayoung at redhat.com Thu Jul 21 15:48:50 2011
From: ayoung at redhat.com (Adam Young) Date: Thu, 21 Jul 2011 11:48:50 -0400 Subject: [Freeipa-devel] [PATCH] 215 Removed HBAC access time code. In-Reply-To: <4E283904.6070909@redhat.com> References: <4E283904.6070909@redhat.com> Message-ID: <4E284A62.5010700@redhat.com> On 07/21/2011 10:34 AM, Endi Sukma Dewata wrote: > The HBAC access time is currently not supported, so the related UI > code has been removed to reduce maintenance issue. When the feature > becomes supported in the future the code may be restored/rewritten. > > Ticket #546 > > > _______________________________________________ > Freeipa-devel mailing list > Freeipa-devel at redhat.com > https://www.redhat.com/mailman/listinfo/freeipa-devel ACK. Pushed to master -------------- next part -------------- An HTML attachment was scrubbed... URL: From ayoung at redhat.com Thu Jul 21 15:49:05 2011 From: ayoung at redhat.com (Adam Young) Date: Thu, 21 Jul 2011 11:49:05 -0400 Subject: [Freeipa-devel] [PATCH] 216 Removed custom layouts using HTML templates. In-Reply-To: <4E283AE2.2000907@redhat.com> References: <4E283AE2.2000907@redhat.com> Message-ID: <4E284A71.8090309@redhat.com> On 07/21/2011 10:42 AM, Endi Sukma Dewata wrote: > The code for supporting custom layouts using HTML templates has been > removed. If it's needed again in the future the code can be restored. > > Ticket #1501 > > > _______________________________________________ > Freeipa-devel mailing list > Freeipa-devel at redhat.com > https://www.redhat.com/mailman/listinfo/freeipa-devel ACK. Pushed to master -------------- next part -------------- An HTML attachment was scrubbed... URL: From JR.Aquino at citrix.com Thu Jul 21 15:53:17 2011 
From: JR.Aquino at citrix.com (JR Aquino) Date: Thu, 21 Jul 2011 15:53:17 +0000 Subject: [Freeipa-devel] [PATCH] 34 Create FreeIPA CLI Plugin for the 389 Auto Membership plugin In-Reply-To: <4E28384A.708@redhat.com> References: <99CC5FCC-73CE-43C1-9B73-4DDD69A4637D@citrixonline.com> <1310730613.32137.22.camel@dhcp-25-52.brq.redhat.com> <4E2054E3.5060306@redhat.com> <84A3F669-CCF3-4C6C-9525-5BD4A71E6E1E@citrixonline.com> <4E26F657.8030901@redhat.com> <3D1116E1-B782-4F43-B6DA-08E8FCFC34A1@citrixonline.com> <4E279A3C.5040900@redhat.com> <328D74A5-F560-4DC6-8E5F-413AFDCCAABC@citrixonline.com> <1311246577.17378.28.camel@dhcp-25-52.brq.redhat.com> <4E28384A.708@redhat.com> Message-ID: <0BF013EE-B1ED-4953-94ED-F3BA825CFE78@citrixonline.com> On Jul 21, 2011, at 7:31 AM, Rob Crittenden wrote: > Martin Kosek wrote: >> On Thu, 2011-07-21 at 03:37 +0000, JR Aquino wrote: >>>>> Rob, I'm afraid I believe that ldap lookup is necessary. The user inputs a standard string to represent the possible host group? If i simply perform a get_dn it will indeed provide a dn, however, it won't verify that the host group actually exists? (you don't want to create an assignment rule for a non existent target host group) >>>>> >>>>> >>>>> Martin, (except for the name Clarity), I have addressed your observations in this latest patch. Could you please have a look and let me know if there is anything else I need to take care of? >>>>> >> >> Great, preparing the command parameters in pre_callback is much cleaner. >> >>>> >>>> Good point about the LDAP lookup. >>>> >>>> This looks a lot better but there are still a few issues: >>>> >>>> If group_dn is in the object then you can use self.obj.handle_not_found(*keys) for the NotFound. >>> >>> Ok, I will give that a shot! >>> >>>> >>>> Or if it can't be moved, in the calls to group_dn() you can use the ldap handle passed into pre_callback. >>>> >>>> I guess you are using the includetype tuple to avoid coding long variable names everywhere? 
Would a symbol be better, eg: >>>> >>>> INCLUDE_RE = 'automemberinclusiveregex' >>>> EXCLUDE_RE = 'automemberexclusiveregex' >>> >>> That works, I'll swap em. >> >> I agree with Rob here, this will make the code better. >> >>> >>>> Is there a way to validate the regex? >>> >>> Now that you mention it, I believe if I import re, we should be able to validate the initial regex and raise an exception if it is bogus. >>> >>>> If we were to add an equivalent user group handler would it be the same code in add_condition and remove_condition? It is sort of nice to have everything together at the moment, I suspect it will need to be generalized at some point. >>> >>> Well. For the groups, I was thinking it starts to get a little different. I would still reuse the condition, but I believe I would pivot users into groups based upon something like their manager? >>> >>>> Adding a clarity with no rules won't let you add rules: >>>> >>>> # ipa hostgroup-add --desc=hg1 hg1 >>>> # ipa hostgroupclarity-add hg1 >>>> # ipa hostgroupclarity-add-condition --exclusive-hostname-regex=^web5\.example\.com hg1 >>>> ipa: ERROR: no modifications to be performed >>> >>> This ^ is deliberate, you cannot add an exclusion rule if there is no existing or simultaneous inclusive rule. :) Martin asked for that, and I think its wise. >> >> Yes, it is wise :-) But the error message is really not clear to the >> user. We should tell him that there must be at least one inclusive rule. >> >> I wonder if we shouldn't force user to create a hostgroupclarity object >> with at least one inclusive rule and than make sure that in all >> operations at least one inclusive rule stays here. Or we could delete >> the empty LDAP object after the last inclusive rule is removed, as we do >> with DNS record LDAP objects in dnsrecord-del. >> >>>> The way you explained clarity today in IRC, how it brings clarity to managing membership with names no human can grok, I got it. Still, clarity is a bit awkward as a name. 
automember might be a better choice. >>> >>> Fair enough ;) I tried, perhaps I can /allude/ to it in the help / docs. automember it is. >>> >>> One final class I have been struggling with that I want to add? >>> >>> The object and attribute which defines the 'default group' is the parent of the actual rules? i.e. cn=hostgroup,cn=automember,cn=etc? >>> >>> The ipa cli seems to only want to let me make mods that assume I am specifying a target object on the cli? "ipa hostgroupautomember-default-group=foo"<- in this scenario, we don't actually want or need a rule name because its the container above? I have had success making the writes, but the cli syntax just doesn't lend itself to that level of abstraction? >>> >>> Any suggestions? >>> >>> >> >> I think the best shot would be to create a new command and overload the >> execute method in that case. Like in hbacrule_enable. You would be able >> to set dn correctly here and do the update. Does it makes sense? Rob? >> >> Martin >> > > I agree. We are better off abstracting things now so we can get the API right. > > I think we can stick more or less with the command names, just in a new plugin and some new arguments. > > I see the plugin with the following methods: > > Each takes a single argument, the name of the rule. I don't think I'd stick type into the DN so you wouldn't be able to use the same rule name for different object types. If we want to allow that then we'd need to add --type to a lot more commands. > > There is no mod to change types, you have to delete and re-add. 
>
> automember-add                 Add an automember rule
>   --type=ENUM (hostgroup, group)
>   --desc=STR                   description of this auto membership rule
>   --inclusive-regex=LIST       Inclusive Regex
>   --exclusive-regex=LIST       Exclusive Regex
>
> automember-add-condition       Add conditions to automember rule
>   --inclusive-regex=LIST       Inclusive Regex
>   --exclusive-regex=LIST       Exclusive Regex
>
> automember-del                 Delete an automember rule
>
> automember-find                Search for automember rules
>   --type=ENUM (hostgroup, group)
>
> automember-mod                 Modify an automember rule.

automember-default-group       Set a default group for auto membership
  --group/hostgroup=STR

> automember-remove-condition    Remove conditions from an automember rule
>   --inclusive-regex=LIST       Inclusive Regex
>   --exclusive-regex=LIST       Exclusive Regex
>
> automember-show                Display an automember rule

From mkosek at redhat.com Thu Jul 21 16:52:42 2011 From: mkosek at redhat.com (Martin Kosek) Date: Thu, 21 Jul 2011 18:52:42 +0200 Subject: [Freeipa-devel] [PATCH] 33 Fix ipa-compat-manage In-Reply-To: <4E283DB3.205@redhat.com> References: <4E283DB3.205@redhat.com> Message-ID: <1311267164.17378.62.camel@dhcp-25-52.brq.redhat.com>

On Thu, 2011-07-21 at 16:54 +0200, Jan Cholasta wrote:
> Make ipa-compat-manage work again after the changes to ipa-nis-manage I've done in patch 32.
>
> (this also fixes https://fedorahosted.org/freeipa/ticket/1147)
>
> Honza

Works fine. But I have a few minor issues:

1) No action is printed when compat plugin is being disabled (as it is with enable action):

    # ipa-compat-manage disable
    Directory Manager password:
    This setting will not take effect until you restart Directory Server.

2) A big end line whitespace on line 77 of the patch

Martin

From jdennis at redhat.com Thu Jul 21 17:21:18 2011
From: jdennis at redhat.com (John Dennis) Date: Thu, 21 Jul 2011 13:21:18 -0400 Subject: [Freeipa-devel] [PATCH 31/31] Ticket 1485 - DN pairwise grouping In-Reply-To: <1311251261.17378.40.camel@dhcp-25-52.brq.redhat.com> References: <201107202359.p6KNxE5S022392@int-mx01.intmail.prod.int.phx2.redhat.com> <1311251261.17378.40.camel@dhcp-25-52.brq.redhat.com> Message-ID: <4E28600E.4010603@redhat.com>

On 07/21/2011 08:27 AM, Martin Kosek wrote:
> On Wed, 2011-07-20 at 19:59 -0400, John Dennis wrote:
>> The pairwise grouping used to form RDN's and AVA's proved to be confusing in practice, this patch removes that functionality thus requiring programmers to explicitly pair attr,value using a tuple or list.
>>
>> In addition it was discovered additional functionality was needed to support some DN operations in freeipa. DN objects now support startswith(), endswith() and the "in" membership test. These functions and operators will accept either a DN or RDN.
>>
>> The unittest was modified to remove the pairwise tests and add new explicit tests. The unittest was augmented to test the new functionality. In addition the unittest was cleaned up a bit to use common utility functions for improved readability and robustness.
>>
>> The documentation was updated.
>>
>
> The patch looks good to me.
>
> The removed form of creating DN's was indeed confusing. I went through current uses of DN class, I didn't find any using the removed form. DN tests also pass correctly.
>
> Martin
>

Actually one of the tests was failing due to the removed form, not sure how I missed it (or how you missed it either). But in any case it's a one line fix test_role_plugin.py, I've rebased the patch to include that and attached it. Whoever commits please use this version with the test_role_plugin.
Also, the patch comments failed to mention even though we had a unittest for dn.py, test/test_ipalib/test_dn.py it was not getting called by run-tests because it had the execute permission bit set, the patch fixes that so the unittest gets run by make-test. -- John Dennis Looking to carve out IT costs? www.redhat.com/carveoutcosts/ -------------- next part -------------- A non-text attachment was scrubbed... Name: 0031-Ticket-1485-DN-pairwise-grouping.patch Type: text/x-patch Size: 47741 bytes Desc: not available URL: From rcritten at redhat.com Thu Jul 21 18:25:45 2011 
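As an added illustration of the semantics the patch describes (explicit (attr, value) pairing, and startswith(), endswith() and the "in" test accepting either a DN or an RDN), here is a simplified stand-in written for this page; it is not ipalib's dn.py. It compares DNs component by component, which is what keeps a value containing a comma from making an entry look as if it sat under a container it does not belong to.

```python
import re

# Characters RFC 4514 requires escaping inside an attribute value.
_ESCAPE = re.compile(r'([,+"\\<>;])')


class RDN(object):
    """One relative DN: one or more explicit (attr, value) pairs (AVAs)."""

    def __init__(self, *avas):
        if not avas:
            raise ValueError('an RDN needs at least one (attr, value) pair')
        pairs = []
        for ava in avas:
            # The removed "pairwise grouping" let callers write RDN('cn', 'etc');
            # now every AVA has to be an explicit tuple or list.
            if not isinstance(ava, (tuple, list)) or len(ava) != 2:
                raise TypeError('AVA must be an explicit (attr, value) pair: %r' % (ava,))
            attr, value = ava
            pairs.append((attr.lower(), value))
        self.avas = tuple(pairs)

    def __eq__(self, other):
        if not isinstance(other, RDN):
            return NotImplemented
        # Attribute types and (CaseIgnore) values compare case-insensitively;
        # the AVAs of a multi-valued RDN are unordered.
        return (sorted((a, v.lower()) for a, v in self.avas)
                == sorted((a, v.lower()) for a, v in other.avas))

    def __str__(self):
        return '+'.join('%s=%s' % (a, _ESCAPE.sub(r'\\\1', v)) for a, v in self.avas)


class DN(object):
    """A DN as an ordered tuple of RDNs, most specific first (RFC 4514 order)."""

    def __init__(self, *parts):
        rdns = []
        for part in parts:
            rdns.extend(self._as_rdns(part))
        self.rdns = tuple(rdns)

    @staticmethod
    def _as_rdns(obj):
        """Accept a DN, an RDN or a bare (attr, value) pair."""
        if isinstance(obj, DN):
            return obj.rdns
        if isinstance(obj, RDN):
            return (obj,)
        return (RDN(obj),)

    def __len__(self):
        return len(self.rdns)

    def __eq__(self, other):
        return isinstance(other, DN) and self.rdns == other.rdns

    def __str__(self):
        return ','.join(str(r) for r in self.rdns)

    def startswith(self, prefix):
        """True if the leading (most specific) RDNs equal prefix (DN or RDN)."""
        p = self._as_rdns(prefix)
        return self.rdns[:len(p)] == p

    def endswith(self, suffix):
        """True if the trailing RDNs equal suffix, i.e. the entry lies under it."""
        s = self._as_rdns(suffix)
        return len(s) <= len(self.rdns) and self.rdns[len(self.rdns) - len(s):] == s

    def __contains__(self, item):
        """True if item (DN or RDN) occurs as a contiguous run of RDNs."""
        s = self._as_rdns(item)
        return any(self.rdns[i:i + len(s)] == s
                   for i in range(len(self.rdns) - len(s) + 1))


def accepts_pairwise_form():
    """The old DN('cn', 'etc') spelling is no longer accepted."""
    try:
        DN('cn', 'etc')
    except TypeError:
        return False
    return True


def naive_under(entry_str, container_str):
    """The plain string test this API replaces: fooled by a comma inside a value."""
    return entry_str.endswith(',' + container_str)
```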
From: rcritten at redhat.com (Rob Crittenden) Date: Thu, 21 Jul 2011 14:25:45 -0400 Subject: [Freeipa-devel] Proposal for Auto Membership plugin Message-ID: <4E286F29.9020407@redhat.com>

To summarize, I think this is how we will proceed.

Create a new plugin, automember, based heavily on the work already done. The container_dn will be cn=automember,cn=etc. If automembership is preferred I can be flexible but using the same name everywhere makes things easy to follow.

The DN will be of the form: cn=,cn=,,

The pre-defined automembership types (as defined by the type enumerator) will be group and hostgroup. The current LDIF will need to drop the plurality (to become cn=group,cn=automember,cn=etc,$SUFFIX)

type is required for all commands.

The available commands will be:

automember-add                 Add an automember rule
  --type=ENUM (hostgroup, group)
  --desc=STR                   description of this auto membership rule
  --inclusive-regex=LIST       Inclusive Regex
  --exclusive-regex=LIST       Exclusive Regex

automember-add-condition       Add conditions to automember rule
  --type=ENUM (hostgroup, group)
  --inclusive-regex=LIST       Inclusive Regex
  --exclusive-regex=LIST       Exclusive Regex

automember-del                 Delete an automember rule
  --type=ENUM (hostgroup, group)

automember-find                Search for automember rules
  --type=ENUM (hostgroup, group)

automember-mod                 Modify an automember rule.
  --type=ENUM (hostgroup, group)
  --desc=STR

  NOTE: you cannot manage inclusive or exclusive conditions via the mod command, the helpers need to be used.

automember-remove-condition    Remove conditions from an automember rule
  --type=ENUM (hostgroup, group)
  --inclusive-regex=LIST       Inclusive Regex
  --exclusive-regex=LIST       Exclusive Regex

automember-show                Display an automember rule
  --type=ENUM (hostgroup, group)

automember-default-group       Set a default group for auto membership
  --type=ENUM (hostgroup, group)
  --name=STR                   Name of entity to put entries that don't match

The current patch is really not very far off of this.
Off the top of my head this is how I'd go about it:

- freeipa.spec needs to have a Requires on 1.2.9, not a BuildRequires (though it doesn't hurt for them to be the same)

- automembership.ldif, change the container and cns

- constants.py, change the container

- copy the clarity code from hostgroup.py to automember.py and rename everything

- add flags=[no_update, no_create] to automemberinclusiveregex and automemberexclusiveregex.

- replace group_dn() with a function dn_exists(). Use the type objects get_dn() to construct a dn and call ldap.get_entry() on it. Something like:

    from ipalib import errors
    from ipalib.plugins.baseldap import LDAPObject

    class automember(LDAPObject):

        def dn_exists(self, type, groupname):
            # build the DN the way the target object type (group, hostgroup) does
            ldap = self.api.Backend.ldap2
            dn = self.api.Object[type].get_dn(groupname)
            try:
                # empty attribute list: we only care whether the entry exists
                (gdn, entry_attrs) = ldap.get_entry(dn, [])
            except errors.NotFound:
                # raise the object's standard NotFound error for the caller
                self.handle_not_found(groupname)
            return gdn

- Use symbol names instead of a tuple of attr names

- Do some sort of validation on the regex. I'm not sure if the python re engine will match the 389-ds one but we should be able to do some sanity checks, like making sure the regex doesn't start with attr = ...

- The setting of entry_attrs now looks something like:

    entry_attrs[attr] = ['fqdn=' + condition ...

  Since this will be generic it will need to look like:

    entry_attrs[attr] = ['%s' % self.api.Object[type].primary_key.name + condition ...

- tests will need to be updated. I think that using the newer test format such as in test_user_plugin.py is easier to create and manage in the long-run and covers more ground than the older method.

rob

From rcritten at redhat.com Thu Jul 21 19:20:12 2011
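The condition handling sketched above (symbolic attribute names, regex sanity checks, a generic "attr=regex" value), together with Martin's point earlier in the thread that a rule must always keep at least one inclusive regex and should say so instead of "no modifications to be performed", as added example code written for this page; it is not the FreeIPA automember plugin. It works on a plain dict standing in for the LDAP entry, and the mapping from rule type to the attribute the regex is matched against (hostgroup: fqdn, group: uid) is an assumption.

```python
import re

# Which member attribute a rule's regex is matched against, per rule type.
# This mapping is an assumption made for the example, not something the thread states.
MATCH_ATTR = {'hostgroup': 'fqdn', 'group': 'uid'}

# Symbolic names for the LDAP attributes, as suggested in the review.
INCLUDE_RE = 'automemberinclusiveregex'
EXCLUDE_RE = 'automemberexclusiveregex'


class AutomemberError(ValueError):
    """Stand-in for an ipalib ValidationError; the message is meant for the admin."""


def validate_regex(condition):
    """Sanity-check a bare regex condition given on the command line.

    The plugin stores conditions as 'attr=regex' and the command prepends the
    attribute, so a condition that already carries an 'attr=' prefix is refused.
    The regex is then compiled with Python's re module, which is not the engine
    389-ds uses, so this only catches gross mistakes such as unbalanced groups.
    """
    if re.match(r'[A-Za-z][\w.;-]*=', condition):
        raise AutomemberError(
            "condition %r must be a bare regex; the attribute is added for you" % condition)
    try:
        re.compile(condition)
    except re.error as err:
        raise AutomemberError("invalid regex %r: %s" % (condition, err))
    return condition


def _attr_for(rule_type):
    if rule_type not in MATCH_ATTR:
        raise AutomemberError("unknown automember type %r" % rule_type)
    return MATCH_ATTR[rule_type]


def _check_invariant(entry_attrs):
    """A rule must keep at least one inclusive regex; say so plainly rather
    than letting the server answer 'no modifications to be performed'."""
    if not entry_attrs.get(INCLUDE_RE):
        raise AutomemberError(
            "an automember rule needs at least one inclusive regex; "
            "add one before (or together with) any exclusive regex")


def add_conditions(entry_attrs, rule_type, inclusive=(), exclusive=()):
    """Return a copy of the rule's attributes with the conditions added."""
    attr = _attr_for(rule_type)
    new_attrs = dict((k, list(v)) for k, v in entry_attrs.items())
    for key, conditions in ((INCLUDE_RE, inclusive), (EXCLUDE_RE, exclusive)):
        values = new_attrs.setdefault(key, [])
        for condition in conditions:
            value = '%s=%s' % (attr, validate_regex(condition))
            if value not in values:          # LDAP attribute values are a set
                values.append(value)
    _check_invariant(new_attrs)
    return new_attrs


def remove_conditions(entry_attrs, rule_type, inclusive=(), exclusive=()):
    """Return a copy with the conditions removed; refuses to drop the last inclusive regex."""
    attr = _attr_for(rule_type)
    new_attrs = dict((k, list(v)) for k, v in entry_attrs.items())
    for key, conditions in ((INCLUDE_RE, inclusive), (EXCLUDE_RE, exclusive)):
        remove = set('%s=%s' % (attr, c) for c in conditions)
        new_attrs[key] = [v for v in new_attrs.get(key, []) if v not in remove]
    _check_invariant(new_attrs)
    return new_attrs


def matches(entry_attrs, rule_type, value):
    r"""Would a member whose matched attribute equals value fall under this rule?

    At least one inclusive regex must match and no exclusive regex may match:
    exclusive conditions take precedence.  re.search is used, so the rule author
    anchors with ^ and $, as in the thread's ^web5\.example\.com example.
    """
    prefix = _attr_for(rule_type) + '='

    def regexes(key):
        return [v[len(prefix):] for v in entry_attrs.get(key, []) if v.startswith(prefix)]

    if any(re.search(r, value) for r in regexes(EXCLUDE_RE)):
        return False
    return any(re.search(r, value) for r in regexes(INCLUDE_RE))


def rejected(func, *args, **kwargs):
    """True if the call is refused with an AutomemberError."""
    try:
        func(*args, **kwargs)
    except AutomemberError:
        return True
    return False
```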
From: rcritten at redhat.com (Rob Crittenden) Date: Thu, 21 Jul 2011 15:20:12 -0400 Subject: [Freeipa-devel] [PATCH] Adding message summary while adding and deleting automount location. In-Reply-To: <1311259967.17378.48.camel@dhcp-25-52.brq.redhat.com> References: <4E282823.70601@redhat.com> <1311259967.17378.48.camel@dhcp-25-52.brq.redhat.com> Message-ID: <4E287BEC.5060305@redhat.com> Martin Kosek wrote: > On Thu, 2011-07-21 at 18:52 +0530, Gowrishankar Rajaiyan wrote: >> Hi All, >> >> This patch fixes >> - https://fedorahosted.org/freeipa/ticket/1510 >> - https://fedorahosted.org/freeipa/ticket/1509 > > QEs sending patches for the bugs they found - good job there. > > I went one step further and updated all automount summary messages so > that we are consistent on the plugin. > > The proposed patch is attached, tests are clean. > > Martin ack, pushed to master From rcritten at redhat.com Thu Jul 21 19:30:07 2011 
From: rcritten at redhat.com (Rob Crittenden) Date: Thu, 21 Jul 2011 15:30:07 -0400 Subject: [Freeipa-devel] [PATCH 31/31] Ticket 1485 - DN pairwise grouping In-Reply-To: <4E28600E.4010603@redhat.com> References: <201107202359.p6KNxE5S022392@int-mx01.intmail.prod.int.phx2.redhat.com> <1311251261.17378.40.camel@dhcp-25-52.brq.redhat.com> <4E28600E.4010603@redhat.com> Message-ID: <4E287E3F.2030007@redhat.com> John Dennis wrote: > On 07/21/2011 08:27 AM, Martin Kosek wrote: >> On Wed, 2011-07-20 at 19:59 -0400, John Dennis wrote: >>> The pairwise grouping used to form RDN's and AVA's proved to be >>> confusing in practice, this patch removes that functionality thus >>> requiring programmers to explicitly pair attr,value using a tuple or >>> list. >>> >>> In addition it was discovered additional functionality was needed to >>> support some DN operations in freeipa. DN objects now support >>> startswith(), endswith() and the "in" membership test. These functions >>> and operators will accept either a DN or RDN. >>> >>> The unittest was modified to remove the pairwise tests and add new >>> explicit tests. The unittest was augmented to test the new >>> functionality. In addition the unittest was cleaned up a bit to use >>> common utilty functions for improved readabilty and robustness. >>> >>> The documentation was updated. >>> >> >> The patch looks good to me. >> >> The removed form of creating DN's was indeed confusing. I went through >> current uses of DN class, I didn't find any using the removed form. DN >> tests also passes correctly. >> >> Martin >> > > Actually one of the tests was failing due to the removed form, not sure > how I missed it (or how you missed it either). But in any case it's a > one line fix test_role_plugin.py, I've rebased the patch to include that > and attached it. Whoever commits please use this version with the > test_role_plugin. 
>
> Also, the patch comments failed to mention even though we had a unittest for dn.py, test/test_ipalib/test_dn.py it was not getting called by run-tests because it had the execute permission bit set, the patch fixes that so the unittest gets run by make-test.
>

pushed to master and ipa-2-0.

From rcritten at redhat.com Thu Jul 21 19:42:15 2011 From: rcritten at redhat.com (Rob Crittenden) Date: Thu, 21 Jul 2011 15:42:15 -0400 Subject: [Freeipa-devel] [PATCH] 066 Remove wrong kpasswd sysconfig In-Reply-To: <4E281758.6010509@redhat.com> References: <4E26EF8E.5060902@redhat.com> <4E281758.6010509@redhat.com> Message-ID: <4E288117.3020804@redhat.com>

Jan Cholasta wrote:
> On 20.7.2011 17:09, Jakub Hrozek wrote:
>> I noticed that the file kpasswd init script reads is called "/etc/sysconfig/ipa-kpasswd" but krbinstance.py saved and wrote into "/etc/sysconfig/ipa_kpasswd".
>>
>> I removed the lines rather than fixing them for two reasons:
>> 1) /var/kerberos/krb5kdc/kpasswd.keytab is the default
>> 2) it probably wouldn't have worked anyway because the ktname must be prefixed with "FILE:".
>>
>
> ACK
>
> Honza
>

pushed to master and ipa-2-0

From rcritten at redhat.com Thu Jul 21 20:21:02 2011
From: rcritten at redhat.com (Rob Crittenden) Date: Thu, 21 Jul 2011 16:21:02 -0400 Subject: [Freeipa-devel] [PATCH] 834 Hide the HBAC access type attribute now that deny is deprecated. In-Reply-To: <1311248442.17378.37.camel@dhcp-25-52.brq.redhat.com> References: <4E262607.6090806@redhat.com> <1311248442.17378.37.camel@dhcp-25-52.brq.redhat.com> Message-ID: <4E288A2E.5070903@redhat.com> Martin Kosek wrote: > On Tue, 2011-07-19 at 20:49 -0400, Rob Crittenden wrote: >> Hide the HBAC access type attribute now that deny is deprecated. >> >> It won't appear in the UI/CLI but is still available via XML-RPC. allow >> is the default and deny will be rejected. >> >> This is not tested in the UI. I'm not sure if this is due to a problem >> in my tree or something else. >> >> https://fedorahosted.org/freeipa/ticket/1495 >> >> rob > > ACK for the CLI part, tests are clean. > > I checked WebUI, HBAC rules seem to be broken here. With or without your > patch. I see a list of rules, the type column is still here. That's OK, > there is already a ticket for this task - 1497. > > However, when I select a HBAC rule to modify it, its data are not filled > at all to the edit fields. I will fill a ticket for this bug. > > Martin > pushed to master and ipa-2-0 From rcritten at redhat.com Thu Jul 21 20:23:59 2011 From: rcritten at redhat.com (Rob Crittenden) Date: Thu, 21 Jul 2011 16:23:59 -0400 Subject: [Freeipa-devel] [PATCH] 836 Don't check for leading/trailing spaces on cert Message-ID: <4E288ADF.3090604@redhat.com> Don't check for leading/trailing spaces when loading an entitlement cert ticket https://fedorahosted.org/freeipa/ticket/1505 -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-rcrit-836-entitle.patch Type: text/x-diff Size: 1907 bytes Desc: not available URL: From rcritten at redhat.com Thu Jul 21 20:50:53 2011 
From: rcritten at redhat.com (Rob Crittenden) Date: Thu, 21 Jul 2011 16:50:53 -0400 Subject: [Freeipa-devel] [PATCH] 836 Don't check for leading/trailing spaces on cert In-Reply-To: <4E288ADF.3090604@redhat.com> References: <4E288ADF.3090604@redhat.com> Message-ID: <4E28912D.2080506@redhat.com> Rob Crittenden wrote: > Don't check for leading/trailing spaces when loading an entitlement cert > > ticket https://fedorahosted.org/freeipa/ticket/1505 With API.txt update, doesn't affect wire protocol. -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-rcrit-836-2-entitle.patch Type: text/x-diff Size: 2750 bytes Desc: not available URL: From rcritten at redhat.com Thu Jul 21 20:52:30 2011 From: rcritten at redhat.com (Rob Crittenden) Date: Thu, 21 Jul 2011 16:52:30 -0400 Subject: [Freeipa-devel] [PATCH] 837 autofill default revocation reason Message-ID: <4E28918E.9090502@redhat.com> The default revocation reason wasn't autofilling so trying to retrieve it when it wasn't set caused things to blow up. ticket https://fedorahosted.org/freeipa/ticket/1514 -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-rcrit-837-revoke.patch Type: text/x-diff Size: 1427 bytes Desc: not available URL: From jgalipea at redhat.com Thu Jul 21 21:20:39 2011 
From: jgalipea at redhat.com (Jenny Galipeau) Date: Thu, 21 Jul 2011 17:20:39 -0400 (EDT) Subject: [Freeipa-devel] [PATCH] Adding message summary while adding and deleting automount location. In-Reply-To: <1311259967.17378.48.camel@dhcp-25-52.brq.redhat.com> Message-ID: <1316682892.189079.1311283239931.JavaMail.root@zmail05.collab.prod.int.phx2.redhat.com> Great Job Shanks!! ----- Original Message ----- > On Thu, 2011-07-21 at 18:52 +0530, Gowrishankar Rajaiyan wrote: > > Hi All, > > > > This patch fixes > > - https://fedorahosted.org/freeipa/ticket/1510 > > - https://fedorahosted.org/freeipa/ticket/1509 > > QEs sending patches for the bugs they found - good job there. > > I went one step further and updated all automount summary messages so > that we are consistent on the plugin. > > The proposed patch is attached, tests are clean. > > Martin > > _______________________________________________ > Freeipa-devel mailing list > Freeipa-devel at redhat.com > https://www.redhat.com/mailman/listinfo/freeipa-devel -- Looking to carve out IT costs? www.redhat.com/carveoutcosts/ Jenny Galipeau Principal Software QA Engineer Red Hat, Inc. Security Engineering From JR.Aquino at citrix.com Thu Jul 21 23:00:19 2011 
From: JR.Aquino at citrix.com (JR Aquino) Date: Thu, 21 Jul 2011 23:00:19 +0000 Subject: [Freeipa-devel] [PATCH] 38 Move Managed Entries into their own container in the replicated space. Message-ID:

Create: cn=Managed Entries,cn=etc,$SUFFIX
Create: cn=Definitions,cn=Managed Entries,cn=etc,$SUFFIX
Create: cn=Templates,cn=Managed Entries,cn=etc,$SUFFIX

Create method for migrating any and all custom Managed Entries from the cn=config space into the new container.

The Managed Entries plugin configurations weren't being created on replica installs.

This patch addresses two separate tickets and accounts for new installs, replica installs, and upgrades.

https://fedorahosted.org/freeipa/ticket/1181 - Managed Entry Tool / New Container
https://fedorahosted.org/freeipa/ticket/1222 - Add Managed Entries during Replica installation

-------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-jraquino-0038-Move-Managed-Entries-into-their-own-container.patch Type: application/octet-stream Size: 14847 bytes Desc: freeipa-jraquino-0038-Move-Managed-Entries-into-their-own-container.patch URL: -------------- next part -------------- An embedded and charset-unspecified text was scrubbed... Name: ATT00001.txt URL: From JR.Aquino at citrix.com Thu Jul 21 23:52:39 2011
From: JR.Aquino at citrix.com (JR Aquino) Date: Thu, 21 Jul 2011 23:52:39 +0000 Subject: [Freeipa-devel] [PATCH] 25 Create Tool for Enabling Disabling Managed Entry In-Reply-To: <1303747204.23464.19.camel@willson.li.ssimo.org> References: <28D50949-6CAB-4B58-BA3D-7F2C31EFEC35@citrixonline.com> <4DB085BB.6080104@redhat.com> <1303426875.26325.4.camel@willson.li.ssimo.org> <1303738997.23464.13.camel@willson.li.ssimo.org> <1303747204.23464.19.camel@willson.li.ssimo.org> Message-ID: <9F811DEC-2CF0-4E9E-B0E2-2EBF4D3B17CA@citrixonline.com> On Apr 25, 2011, at 9:00 AM, Simo Sorce wrote: > On Mon, 2011-04-25 at 14:59 +0000, JR Aquino wrote: >> On Apr 25, 2011, at 6:43 AM, Simo Sorce wrote: >> >>> On Thu, 2011-04-21 at 23:28 +0000, JR Aquino wrote: >>>> Hmmm >>>> Both Private Groups and the Hostgroup -> Netgroup Managed Entries >>>> create objects in the container: >>>> cn=Managed Entries,cn=plugins,cn=config >>>> >>>> Each Ldif contains 2 ldap objects. One that lives in the main $SUFFIX, >>>> and one in the cn=config >>>> >>>> How will these be treated by replication and the multi masters? >>> >>> Only the common objects in the public suffix are replicated. >>> I think at some point we discussed that we should use a filter in the >>> private config entry made so that we could enable/disable the plugin by >>> simply making the filter result true/false. >>> Thus not ever touch the entries in cn=config but simply >>> "enable"/"disable" the functionality by (not)adding the appropriate >>> attributes to objects so that filters would (not) match. >>> >>> Simo. >> >> This tool works by toggling the originfilter: objectclass=disabled in order to turn off the plugin. > > But this is backwards, because originfilter is defined in the > configuration entry stored in cn=config > > Meaning as soon as you change it one server will behave differently from > the others until you go and change it on each and every server. 
Finally able to revisit this Patch / Ticket: (To be used in conjunction with Patch 38) 25 Create Tool for Enabling/Disabling Managed Entry Plugins https://fedorahosted.org/freeipa/ticket/1181 Remove legacy ipa-host-net-manage Add ipa-managed-entries tool Add man page for ipa-managed-entries tool -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-jraquino-0025-Create-Tool-for-Enabling-Disabling-Managed-Entries.patch Type: application/octet-stream Size: 26536 bytes Desc: freeipa-jraquino-0025-Create-Tool-for-Enabling-Disabling-Managed-Entries.patch URL: From ayoung at redhat.com Fri Jul 22 02:37:59 2011 
From: ayoung at redhat.com (Adam Young) Date: Thu, 21 Jul 2011 22:37:59 -0400 Subject: [Freeipa-devel] [PATCH] 0270-removing-setters-setup-and-init In-Reply-To: <4E2798F4.3060007@redhat.com> References: <4E2614DD.4090301@redhat.com> <4E26157A.5080609@redhat.com> <4E2729F2.3010409@redhat.com> <4E273193.4080506@redhat.com> <4E276E10.4010207@redhat.com> <4E278C7A.1070802@redhat.com> <4E2798F4.3060007@redhat.com> Message-ID: <4E28E287.3010004@redhat.com> On 07/20/2011 11:11 PM, Endi Sukma Dewata wrote: > On 7/20/2011 9:18 PM, Adam Young wrote: >>>>> 8. Triggering a stack trace by calling null function probably will >>>>> only work with Firebug, normal users will not get any notification >>>>> about the error. This happens in dialog.js:301 and widget.js:1137. >>> >>>> Gonna leave this, as we will catch things in development, and it won't >>>> happen on the live servers. These are "never reach" type conditions. >>> >>> Would it be better to throw an exception instead? >> >> Possibly. This code is going to get caught by the catch block in ipa.js >> get_entity anyway, so there is not much difference. > > Let's use the more common way to report error, which in this case > throw an exception rather than invoking null function to do the same > thing. We can attach useful information there even though it's only > for development. Fixed > >>> 12. The search filter doesn't work initially. Reload the UI main page, >>> (make sure there's no URL parameters), enter a filter, then hit Enter >>> or click the icon, there's nothing happening. Go to another tab, then >>> come back to the main page. Now the filter will work. > >> Fixed. Was a pre existing problem in navigation.js, around line 115 > > It's still not working, now there's a js error in navigation.js:129. > Fixed. Issues from the other email (20 on up ) are not yet addressed. From ayoung at redhat.com Fri Jul 22 03:04:36 2011 
From: ayoung at redhat.com (Adam Young) Date: Thu, 21 Jul 2011 23:04:36 -0400 Subject: [Freeipa-devel] [PATCH] 0270-removing-setters-setup-and-init In-Reply-To: <4E278D5C.9020803@redhat.com> References: <4E2614DD.4090301@redhat.com> <4E26157A.5080609@redhat.com> <4E2729F2.3010409@redhat.com> <4E273193.4080506@redhat.com> <4E276E10.4010207@redhat.com> <4E278D5C.9020803@redhat.com> Message-ID: <4E28E8C4.6040201@redhat.com> On 07/20/2011 10:22 PM, Endi Sukma Dewata wrote: > On 7/20/2011 7:08 PM, Endi Sukma Dewata wrote: >> > > This is based on patch 270-2: > > 19. Updating HBAC and sudo rules doesn't work, the fields always reset > to the original values. No undo buttons appear. Fixed > > 20. The Get & View buttons in host details page generate an error. > Create a host called test.example.com, then create a new certificate > with this CSR: > > MIIBezCB5QIBADA8MR8wHQYDVQQKDBZJRE0uTEFCLkJPUy5SRURIQVQuQ09NMRkw > FwYDVQQDDBB0ZXN0LmV4YW1wbGUuY29tMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCB > iQKBgQDYOFeE6Y16kQ1gSvlnUU/LOaQlbsYnkfOCZ9UOaeg1RbKXFIJYB0s1DAa8 > biI8gb6ZpzDjcAtNZHchOBtXnl0BBPOhkF6nD444SImz6eUBCmcCNeF4lgmNTxUS > W2AkWl4vgXGwWSlxSrBIcylIqsIMMdYg71mUeTyuJLit8bGQdwIDAQABoAAwDQYJ > KoZIhvcNAQEFBQADgYEAKb3/9gkJuOf3wRGe2n+FAfqBzStq8r5SLyVa5JyOxBhJ > nKGrTcv95X+2ch8RPqvOg8lgn12Js/Rm3ipb0MlCkBYeq8b0RQv4N0sG2dqJG8a1 > yxhxxIjovisey6F09cOyZljAhpJ6Qeqd7GHr7HFCPTDWrYDIb8QpiRrgNFvBtIQ= Not yet fixed. I need to generate a new CSR, as my REALM does not match the one used above. > > 21. The host's and service's managed_by facet contains duplicate 'host > name' columns. fixed > > 22. The DNS zone adder dialog is missing the buttons. Fixed. I did this by changing the layout on the adder. > > 23. The field_name attribute is no longer needed in service.js:129. gone > > 24. Commented code in aci_tests.js:45,64 can be removed. gone > > 25. Commented code in details_tests.js:69 can be removed. gone > > 26. The assignment in widget_tests.js:44 should be spec = null. fixed > > 27. 
Commented code in widget_tests.js:64,67,70,184 can be removed. gone > > 28. The unused parameter in widget_tests.js:82 can be removed. gone > > 29. The statement in user.js:175 is redundant: > > var entity = IPA.get_entity(that.entity.name); > gone -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-admiyo-0270-7-removing-setters-setup-and-init.patch Type: text/x-patch Size: 199910 bytes Desc: not available URL: From ayoung at redhat.com Fri Jul 22 03:34:46 2011 From: ayoung at redhat.com (Adam Young) Date: Thu, 21 Jul 2011 23:34:46 -0400 Subject: [Freeipa-devel] [PATCH] 0273-fix-navigation Message-ID: <4E28EFD6.8040609@redhat.com> This is a portion of patch 0270, with just the navigation changes. From ayoung at redhat.com Fri Jul 22 03:38:26 2011 From: ayoung at redhat.com (Adam Young) Date: Thu, 21 Jul 2011 23:38:26 -0400 Subject: [Freeipa-devel] [PATCH] 0273-fix-navigation In-Reply-To: <4E28EFD6.8040609@redhat.com> References: <4E28EFD6.8040609@redhat.com> Message-ID: <4E28F0B2.9060305@redhat.com> On 07/21/2011 11:34 PM, Adam Young wrote: > This is a portion of patch 0270, with just the navigation changes. > > _______________________________________________ > Freeipa-devel mailing list > Freeipa-devel at redhat.com > https://www.redhat.com/mailman/listinfo/freeipa-devel -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-admiyo-0273-fix-navigation.patch Type: text/x-patch Size: 2035 bytes Desc: not available URL: From mkosek at redhat.com Fri Jul 22 07:01:14 2011 
From: mkosek at redhat.com (Martin Kosek) Date: Fri, 22 Jul 2011 09:01:14 +0200 Subject: [Freeipa-devel] [PATCH] 837 autofill default revocation reason In-Reply-To: <4E28918E.9090502@redhat.com> References: <4E28918E.9090502@redhat.com> Message-ID: <1311318076.12679.0.camel@dhcp-25-52.brq.redhat.com> On Thu, 2011-07-21 at 16:52 -0400, Rob Crittenden wrote: > The default revocation reason wasn't autofilling so trying to retrieve > it when it wasn't set caused things to blow up. > > ticket https://fedorahosted.org/freeipa/ticket/1514 ACK, works as advertised. Pushed to master, ipa-2-0. Martin From mkosek at redhat.com Fri Jul 22 07:24:38 2011 From: mkosek at redhat.com (Martin Kosek) Date: Fri, 22 Jul 2011 09:24:38 +0200 Subject: [Freeipa-devel] [PATCH] 836 Don't check for leading/trailing spaces on cert In-Reply-To: <4E28912D.2080506@redhat.com> References: <4E288ADF.3090604@redhat.com> <4E28912D.2080506@redhat.com> Message-ID: <1311319480.12679.5.camel@dhcp-25-52.brq.redhat.com> On Thu, 2011-07-21 at 16:50 -0400, Rob Crittenden wrote: > Rob Crittenden wrote: > > Don't check for leading/trailing spaces when loading an entitlement cert > > > > ticket https://fedorahosted.org/freeipa/ticket/1505 > > With API.txt update, doesn't affect wire protocol. NACK. 1) I think we should disable extra whitespace rule for the entire File parameter. This parameter is most often filled with content of the referred file (as with entitle-import or cert-request) and we don't want to check whitespace inside of files. You can check that cert-request will also fail if there is a leading/trailing whitespace in the referred CSR. 2) There are changes in freeipa.spec.in in cyrus-sasl-gssapi. I think this should be in a separate patch, I don't see the relevance. Martin From jcholast at redhat.com Fri Jul 22 08:27:19 2011 
From: jcholast at redhat.com (Jan Cholasta) Date: Fri, 22 Jul 2011 10:27:19 +0200 Subject: [Freeipa-devel] [PATCH] 33 Fix ipa-compat-manage In-Reply-To: <1311267164.17378.62.camel@dhcp-25-52.brq.redhat.com> References: <4E283DB3.205@redhat.com> <1311267164.17378.62.camel@dhcp-25-52.brq.redhat.com> Message-ID: <4E293467.7030800@redhat.com> On 21.7.2011 18:52, Martin Kosek wrote: > On Thu, 2011-07-21 at 16:54 +0200, Jan Cholasta wrote: >> Make ipa-compat-manage work again after the changes to ipa-nis-manage >> I've done in patch 32. >> >> (this also fixes https://fedorahosted.org/freeipa/ticket/1147) >> >> Honza > > Works fine. But I have few minor issues: > > 1) No action is printed when compat plugin is being disabled (as it is > with enable action): > > # ipa-compat-manage disable > Directory Manager password: > > This setting will not take effect until you restart Directory Server. > > 2) A big end line whitespace on line 77 of the patch > > Martin > Fixed. Honza -- Jan Cholasta -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-jcholast-33.1-ipa-compat-manage-fix.patch Type: text/x-patch Size: 7584 bytes Desc: not available URL: From mkosek at redhat.com Fri Jul 22 08:40:04 2011 
From: mkosek at redhat.com (Martin Kosek) Date: Fri, 22 Jul 2011 10:40:04 +0200 Subject: [Freeipa-devel] [PATCH] 33 Fix ipa-compat-manage In-Reply-To: <4E293467.7030800@redhat.com> References: <4E283DB3.205@redhat.com> <1311267164.17378.62.camel@dhcp-25-52.brq.redhat.com> <4E293467.7030800@redhat.com> Message-ID: <1311324007.12679.6.camel@dhcp-25-52.brq.redhat.com> On Fri, 2011-07-22 at 10:27 +0200, Jan Cholasta wrote: > On 21.7.2011 18:52, Martin Kosek wrote: > > On Thu, 2011-07-21 at 16:54 +0200, Jan Cholasta wrote: > >> Make ipa-compat-manage work again after the changes to ipa-nis-manage > >> I've done in patch 32. > >> > >> (this also fixes https://fedorahosted.org/freeipa/ticket/1147) > >> > >> Honza > > > > Works fine. But I have few minor issues: > > > > 1) No action is printed when compat plugin is being disabled (as it is > > with enable action): > > > > # ipa-compat-manage disable > > Directory Manager password: > > > > This setting will not take effect until you restart Directory Server. > > > > 2) A big end line whitespace on line 77 of the patch > > > > Martin > > > > Fixed. > > Honza > ACK. Pushed to master, ipa-2-0. Martin From abokovoy at redhat.com Fri Jul 22 09:32:13 2011 
From: abokovoy at redhat.com (Alexander Bokovoy) Date: Fri, 22 Jul 2011 12:32:13 +0300 Subject: [Freeipa-devel] [WIP] Add command to test HBAC rules Message-ID: <4E29439D.5040803@redhat.com>

Hi,

attached please find a first cut of an HBAC tester command to CLI, FreeIPA ticket https://fedorahosted.org/freeipa/ticket/386

The idea behind this plugin is to re-use pyhbac module provided by SSSD project which is Python bindings for SSSD's libipa_hbac code used for actual HBAC rule execution. This requires libipa_hbac-python package.

There are four modes implemented by the plugin given (user, source host, target host, service), attempt to login user coming from source host to target host's service:

1. Use all enabled HBAC rules in IPA database to simulate
[root at host0 ~]# ipa hbactest --user=a1a --srchost=foo --host=bar --service=ssh
--------------------
Access granted: True
--------------------

2. Use all enabled HBAC rules in IPA database + explicitly specified (disabled) rules
[root at host0 ~]# ipa hbactest --user=a1a --srchost=foo --host=bar --service=ssh --rules=my-second-rule
--------------------
Access granted: True
--------------------

3. Use only explicitly specified HBAC rules
[root at host0 ~]# ipa hbactest --user=a1a --srchost=foo --host=bar --service=ssh --rules=my-second-rule,new-rule --validate
--------------------
Access granted: True
--------------------
Passed rules: new-rule
Denied rules: my-second-rule

4. Get detailed result of simulation for all enabled HBAC rules:
[root at host0 ~]# ipa hbactest --user=a1a --srchost=foo --host=bar --service=ssh --validate
--------------------
Access granted: True
--------------------
Passed rules: allow_all
Denied rules: my-second-rule, my-third-rule, myrule

--validate option forces to run detailed simulation and report per-rule results. Results are: passed, denied, error. The latter one is for wrongly specified rules which should not be enabled.
When --validate specified together with --rules, only HBAC rules specified on the command line are considered.

I'm still not sure if running simulation against all disabled HBAC rules in database is worth it.

-- / Alexander Bokovoy
-------------- next part -------------- An embedded and charset-unspecified text was scrubbed... Name: hbactest.py URL:
From rcritten at redhat.com Fri Jul 22 13:31:49 2011
From: rcritten at redhat.com (Rob Crittenden) Date: Fri, 22 Jul 2011 09:31:49 -0400 Subject: [Freeipa-devel] [PATCH] 838 pull in arch-specific cyrus-sasl-gssapi Message-ID: <4E297BC5.1090101@redhat.com>

We need a specific requires on the arch-specific cyrus-sasl-gssapi. This was discovered by a user that had the 32-bit client package installed on a 64-bit server. The GSSAPI SASL mechanism wasn't available because he had only the 64-bit cyrus-sasl-gssapi library installed. This adds a more specific Requires that should fix it.

rob
-------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-rcrit-838-multilib.patch Type: application/mbox Size: 1553 bytes Desc: not available URL:
From abokovoy at redhat.com Fri Jul 22 13:54:07 2011
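The four modes and the --validate reporting described in Alexander's message above, as an added stand-alone simulation. This is not the hbactest plugin from the attached hbactest.py and it does not call SSSD's pyhbac; the HbacRule structure, the "*" wildcard standing in for an "all" category, the sample rules and the criterion for an "error" result (a rule with an empty category) are all constructed for illustration.

```python
"""Stand-in for the hbactest evaluation modes (added example, not the
FreeIPA plugin or SSSD's pyhbac).  Rules, wildcard and 'error' criterion
are constructed for illustration."""
from dataclasses import dataclass

ANY = "*"  # constructed wildcard standing in for an IPA "all" category


@dataclass(frozen=True)
class HbacRule:
    name: str
    enabled: bool
    users: frozenset
    srchosts: frozenset
    hosts: frozenset
    services: frozenset


class RuleError(Exception):
    """Raised for a rule that cannot be evaluated (maps to the 'error' result)."""


def rule_matches(rule, user, srchost, host, service):
    """True when every category of the rule matches the request.

    Assumption for this example: a category with no members at all marks a
    wrongly specified rule and raises RuleError; the real plugin's exact
    criterion for 'error' is not on the page."""
    checks = (
        (rule.users, user), (rule.srchosts, srchost),
        (rule.hosts, host), (rule.services, service),
    )
    for allowed, value in checks:
        if not allowed:
            raise RuleError(rule.name)
        if ANY not in allowed and value not in allowed:
            return False
    return True


def select_rules(rules, explicit, validate):
    """Pick the rules to simulate, following the four modes in the message:
    all enabled rules by default; enabled rules plus the named ones when
    --rules is given; only the named ones when --rules and --validate are
    combined.  Unknown names are rejected up front."""
    by_name = {r.name: r for r in rules}
    if explicit is None:
        return [r for r in rules if r.enabled]
    unknown = [n for n in explicit if n not in by_name]
    if unknown:
        raise KeyError("unknown rule(s): " + ", ".join(unknown))
    if validate:
        return [by_name[n] for n in explicit]
    return [r for r in rules if r.enabled or r.name in explicit]


def hbactest(rules, user, srchost, host, service, explicit=None, validate=False):
    """Simulate `user` logging in from `srchost` to `service` on `host`.

    Access is granted when at least one selected rule passes.  With
    validate=True the per-rule lists 'passed', 'denied' and 'error' are
    included, mirroring the --validate output."""
    passed, denied, errors = [], [], []
    for rule in select_rules(rules, explicit, validate):
        try:
            matched = rule_matches(rule, user, srchost, host, service)
        except RuleError:
            errors.append(rule.name)
            continue
        (passed if matched else denied).append(rule.name)
    result = {"granted": bool(passed)}
    if validate:
        result.update(passed=passed, denied=denied, error=errors)
    return result


def format_result(result):
    """Render a result in the style of the CLI output quoted above."""
    lines = ["-" * 20, "Access granted: %s" % result["granted"], "-" * 20]
    for key, label in (("passed", "Passed rules"), ("denied", "Denied rules"),
                       ("error", "Error rules")):
        if result.get(key):
            lines.append("%s: %s" % (label, ", ".join(result[key])))
    return "\n".join(lines)


def _rule(name, enabled, users, srchosts, hosts, services):
    return HbacRule(name, enabled, frozenset(users), frozenset(srchosts),
                    frozenset(hosts), frozenset(services))


# Constructed sample rule set; the names are borrowed from the message's output.
SAMPLE_RULES = [
    _rule("allow_all", True, [ANY], [ANY], [ANY], [ANY]),
    _rule("my-second-rule", False, ["a1a"], ["foo"], ["bar"], ["ftp"]),
    _rule("new-rule", False, ["a1a"], ["foo"], ["bar"], ["ssh"]),
    _rule("myrule", True, ["bob"], [ANY], [ANY], ["ssh"]),
    _rule("broken-rule", True, [], [ANY], [ANY], [ANY]),  # no users: 'error'
]

if __name__ == "__main__":
    for explicit, validate in ((None, False), (["my-second-rule"], False),
                               (["my-second-rule", "new-rule"], True), (None, True)):
        print(format_result(hbactest(SAMPLE_RULES, "a1a", "foo", "bar", "ssh",
                                     explicit, validate)))
```

Running the block prints the four modes in turn for the constructed rule set; the last run also lists broken-rule under "Error rules", which is the case the message says --validate exists to surface before such a rule is left enabled.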
From: abokovoy at redhat.com (Alexander Bokovoy) Date: Fri, 22 Jul 2011 16:54:07 +0300 Subject: [Freeipa-devel] [WIP] Add command to test HBAC rules In-Reply-To: <4E29439D.5040803@redhat.com> References: <4E29439D.5040803@redhat.com> Message-ID: <4E2980FF.1090809@redhat.com> Now real patch: adds command, updates API.txt and VERSION files, along with freeipa.spec. On 22.07.2011 12:32, Alexander Bokovoy wrote: > Hi, > > attached please find a first cut of an HBAC tester command to CLI, > FreeIPA ticket https://fedorahosted.org/freeipa/ticket/386 > > The idea behind this plugin is to re-use pyhbac module provided by SSSD > project which is Python bindings for SSSD's libipa_hbac code used for > actual HBAC rule execution. This requires libipa_hbac-python package. > > There are four modes implemented by the plugin given (user, source host, > target host, service), attempt to login user coming from source host to > target host's service: > > 1. Use all enabled HBAC rules in IPA database to simulate > [root at host0 ~]# ipa hbactest --user=a1a --srchost=foo --host=bar > --service=ssh > -------------------- > Access granted: True > -------------------- > > 2. Use all enabled HBAC rules in IPA database + explicitly specified > (disabled) rules > [root at host0 ~]# ipa hbactest --user=a1a --srchost=foo --host=bar > --service=ssh --rules=my-second-rule > -------------------- > Access granted: True > -------------------- > > 3. Use only explicitly specified HBAC rules > [root at host0 ~]# ipa hbactest --user=a1a --srchost=foo --host=bar > --service=ssh --rules=my-second-rule,new-rule --validate > -------------------- > Access granted: True > -------------------- > Passed rules: new-rule > Denied rules: my-second-rule > > 4. 
Get detailed result of simulation for all enabled HBAC rules: > [root at host0 ~]# ipa hbactest --user=a1a --srchost=foo --host=bar > --service=ssh --validate > -------------------- > Access granted: True > -------------------- > Passed rules: allow_all > Denied rules: my-second-rule, my-third-rule, myrule > > --validate option forces to run detailed simulation and report per-rule > results. Results are: passed, denied, error. The latter one is for > wrongly specified rules which should not be enabled. > > When --validate specified together with --rules, only HBAC rules > specified on the command line are considered. > > I'm still not sure if running simulation against all disabled HBAC rules > in databse is worth it. > > > > > _______________________________________________ > Freeipa-devel mailing list > Freeipa-devel at redhat.com > https://www.redhat.com/mailman/listinfo/freeipa-devel -- / Alexander Bokovoy -------------- next part -------------- An embedded and charset-unspecified text was scrubbed... Name: freeipa-abbra-0007-add-hbactest-command.patch URL: From mkosek at redhat.com Fri Jul 22 13:54:54 2011 
From: mkosek at redhat.com (Martin Kosek) Date: Fri, 22 Jul 2011 15:54:54 +0200 Subject: [Freeipa-devel] [PATCH] 38 Move Managed Entries into their own container in the replicated space. In-Reply-To: References: Message-ID: <1311342896.12679.9.camel@dhcp-25-52.brq.redhat.com>

On Thu, 2011-07-21 at 23:00 +0000, JR Aquino wrote:
> Create: cn=Managed Entries,cn=etc,$SUFFIX
> Create: cn=Definitions,cn=Managed Entries,cn=etc,$SUFFIX
> Create: cn=Templates,cn=Managed Entries,cn=etc,$SUFFIX
>
> Create method for migrating any and all custom Managed Entries from
> the cn=config space into the new container.
>
> The Managed Entries plugin configurations weren't being created on
> replica installs.
>
> This patch addresses two separate tickets and accounts for
> new installs, replica installs, and upgrades.
>
> https://fedorahosted.org/freeipa/ticket/1181 - Managed Entry Tool / New Container
> https://fedorahosted.org/freeipa/ticket/1222 - Add Managed Entries during Replica installation

I found a few issues with the patch (tested along with 25):

1) When upgrading an old instance, NGP and UGP definitions in cn=Managed Entries,cn=plugins,cn=config were not deleted. This led to 2 managed entries plugin definitions

2) Managed entries on a replica didn't work for me. For example UPG was created on a master, but was not on a replica

Martin
From mkosek at redhat.com Fri Jul 22 14:05:01 2011
From: mkosek at redhat.com (Martin Kosek) Date: Fri, 22 Jul 2011 16:05:01 +0200 Subject: [Freeipa-devel] [PATCH] 25 Create Tool for Enabling Disabling Managed Entry In-Reply-To: <9F811DEC-2CF0-4E9E-B0E2-2EBF4D3B17CA@citrixonline.com> References: <28D50949-6CAB-4B58-BA3D-7F2C31EFEC35@citrixonline.com> <4DB085BB.6080104@redhat.com> <1303426875.26325.4.camel@willson.li.ssimo.org> <1303738997.23464.13.camel@willson.li.ssimo.org> <1303747204.23464.19.camel@willson.li.ssimo.org> <9F811DEC-2CF0-4E9E-B0E2-2EBF4D3B17CA@citrixonline.com> Message-ID: <1311343504.12679.17.camel@dhcp-25-52.brq.redhat.com> On Thu, 2011-07-21 at 23:52 +0000, JR Aquino wrote: > On Apr 25, 2011, at 9:00 AM, Simo Sorce wrote: > > > On Mon, 2011-04-25 at 14:59 +0000, JR Aquino wrote: > >> On Apr 25, 2011, at 6:43 AM, Simo Sorce wrote: > >> > >>> On Thu, 2011-04-21 at 23:28 +0000, JR Aquino wrote: > >>>> Hmmm > >>>> Both Private Groups and the Hostgroup -> Netgroup Managed Entries > >>>> create objects in the container: > >>>> cn=Managed Entries,cn=plugins,cn=config > >>>> > >>>> Each Ldif contains 2 ldap objects. One that lives in the main $SUFFIX, > >>>> and one in the cn=config > >>>> > >>>> How will these be treated by replication and the multi masters? > >>> > >>> Only the common objects in the public suffix are replicated. > >>> I think at some point we discussed that we should use a filter in the > >>> private config entry made so that we could enable/disable the plugin by > >>> simply making the filter result true/false. > >>> Thus not ever touch the entries in cn=config but simply > >>> "enable"/"disable" the functionality by (not)adding the appropriate > >>> attributes to objects so that filters would (not) match. > >>> > >>> Simo. > >> > >> This tool works by toggling the originfilter: objectclass=disabled in order to turn off the plugin. 
> > > > But this is backwards, because originfilter is defined in the
> > > > configuration entry stored in cn=config
> > > >
> > > > Meaning as soon as you change it one server will behave differently from
> > > > the others until you go and change it on each and every server.
>
> Finally able to revisit this Patch / Ticket:
> (To be used in conjunction with Patch 38)
>
> 25 Create Tool for Enabling/Disabling Managed Entry
> Plugins https://fedorahosted.org/freeipa/ticket/1181
>
> Remove legacy ipa-host-net-manage
> Add ipa-managed-entries tool
> Add man page for ipa-managed-entries tool
>

I have found a few issues with the patch:

1) I don't think it's necessary to change BuildRequires to 389-ds-base-devel >= 1.2.8

2) Invalid comment in get_dirman_password() function. There is no verification of the password. It just prompts for it

3) ipa-managed-entries man pages: copy & paste error:
+Directory Server will need to be restarted after the schema compatibility plugin has been enabled.

4) Invalid help of the program:
# ipa-managed-entries --help
Usage: ipa-managed-entries [options]
       ipa-managed-entries [options]

- status action is missing
- running program without action is not allowed, i.e. should not be offered

5) I was thinking if there is a better solution to enabling/disabling of the plugin. Like setting something like "managedEntryEnabled" attribute to on/off as we do with compat plugin. Current concept with disabling the definition by damaging the originFilter and then restoring it from an LDIF seems a bit awkward to me.

6) ipa-managed-entries crashes when managed entry is a wrong file:

# ipa-managed-entries status -f /usr/share/ipa/managed-entries.ldif
Directory Manager password:

Traceback (most recent call last):
  File "/usr/sbin/ipa-managed-entries", line 245, in
    sys.exit(main())
  File "/usr/sbin/ipa-managed-entries", line 141, in main
    originFilter = entry_attr['originFilter'][0]
KeyError: 'originFilter'

7) What if there are more managed entries in the LDIF? This concept would not work correctly then. A behavior I would expect:
a) User (optionally) passes a directory with managed entries LDIFs
b) ipa-managed-entries analyzes all LDIFs and prints available Managed Entry definitions
c) I would choose the one I want to enable/disable via ipa-managed-entries option

Martin
From rcritten at redhat.com Fri Jul 22 14:16:48 2011
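Points 6 and 7 of Martin's review above, as an added example that is not the ipa-managed-entries tool from the patch: read an LDIF file, list every managed entry definition it contains, and report a definition without an originFilter as invalid instead of dying with the KeyError quoted above. It assumes definitions sit directly under cn=Managed Entries,cn=plugins,cn=config (the container named in this thread) and that an originFilter of "objectclass=disabled" means the definition was switched off with the toggle described earlier in the thread; the sample LDIF, the originScope/managedBase attributes in it and the status names are constructed for the example.

```python
"""List managed entry definitions from an LDIF file (added example, not
FreeIPA's ipa-managed-entries).  Sample data and status names are
constructed; the container DN and the objectclass=disabled convention come
from the mailing list thread."""
import base64

DEFINITION_CONTAINER = "cn=Managed Entries,cn=plugins,cn=config"
DISABLED_FILTER = "objectclass=disabled"  # toggle value described in the thread


def _unfold(text):
    """Join LDIF continuation lines (a leading space continues the previous line)."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    return lines


def parse_ldif(text):
    """Minimal LDIF reader: returns a list of entries, each a dict mapping a
    lower-cased attribute name to its list of values.  Handles folded lines,
    comments, blank-line separated entries and base64 ('::') values; enough
    for plugin definition files, not a full RFC 2849 implementation."""
    entries, current = [], {}
    for line in _unfold(text):
        if not line.strip():
            if current:
                entries.append(current)
                current = {}
            continue
        if line.startswith("#"):
            continue
        name, sep, value = line.partition(":")
        if not sep or not name.strip():
            raise ValueError("malformed LDIF line: %r" % line)
        if value.startswith(":"):
            value = base64.b64decode(value[1:].strip()).decode("utf-8")
        else:
            value = value.strip()
        current.setdefault(name.strip().lower(), []).append(value)
    if current:
        entries.append(current)
    return entries


def _parent_dn(dn):
    """Parent of a DN; assumes no escaped commas in the leading RDN."""
    return dn.split(",", 1)[1] if "," in dn else ""


def managed_entry_definitions(entries, container=DEFINITION_CONTAINER):
    """Return [(cn, status, originFilter)] for each definition directly under
    `container`.  Status is 'enabled', 'disabled' or 'invalid' (no
    originFilter); the invalid case is reported, not raised, so one broken
    definition does not stop the listing of the others."""
    report = []
    for entry in entries:
        dn = entry.get("dn", [""])[0]
        if _parent_dn(dn).lower() != container.lower():
            continue  # templates and other entries are not definitions
        cn = entry.get("cn", [dn])[0]
        filters = entry.get("originfilter", [])
        if not filters:
            report.append((cn, "invalid", None))
        elif filters[0].lower() == DISABLED_FILTER:
            report.append((cn, "disabled", filters[0]))
        else:
            report.append((cn, "enabled", filters[0]))
    return report


# Constructed sample: one enabled definition, one disabled, one missing its
# originFilter, plus a template entry in the suffix that must be ignored.
SAMPLE_LDIF = """\
dn: cn=UPG Definition,cn=Managed Entries,cn=plugins,cn=config
objectclass: extensibleObject
cn: UPG Definition
originScope: cn=users,cn=accounts,dc=example,dc=com
originFilter: objectclass=posixAccount
managedBase: cn=groups,cn=accounts,dc=example,dc=com

dn: cn=NGP Definition,cn=Managed Entries,cn=plugins,cn=config
objectclass: extensibleObject
cn: NGP Definition
originScope: cn=hostgroups,cn=accounts,dc=example,dc=com
originFilter: objectclass=disabled
managedBase: cn=ng,cn=alt,dc=example,dc=com

dn: cn=Broken Definition,cn=Managed Entries,cn=plugins,cn=config
objectclass: extensibleObject
cn: Broken Definition
originScope: cn=users,cn=accounts,dc=example,dc=com

dn: cn=UPG Template,cn=etc,dc=example,dc=com
objectclass: extensibleObject
cn: UPG Template
"""

if __name__ == "__main__":
    for cn, status, origin_filter in managed_entry_definitions(parse_ldif(SAMPLE_LDIF)):
        print("%-20s %-9s %s" % (cn, status, origin_filter or "(no originFilter)"))
```

The listing step is what point 7 asks for: the operator sees every definition with its status and can name the one to enable or disable, rather than the tool assuming one definition per file.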
From: rcritten at redhat.com (Rob Crittenden) Date: Fri, 22 Jul 2011 10:16:48 -0400 Subject: [Freeipa-devel] [PATCH] 25 Create Tool for Enabling Disabling Managed Entry In-Reply-To: <1311343504.12679.17.camel@dhcp-25-52.brq.redhat.com> References: <28D50949-6CAB-4B58-BA3D-7F2C31EFEC35@citrixonline.com> <4DB085BB.6080104@redhat.com> <1303426875.26325.4.camel@willson.li.ssimo.org> <1303738997.23464.13.camel@willson.li.ssimo.org> <1303747204.23464.19.camel@willson.li.ssimo.org> <9F811DEC-2CF0-4E9E-B0E2-2EBF4D3B17CA@citrixonline.com> <1311343504.12679.17.camel@dhcp-25-52.brq.redhat.com> Message-ID: <4E298650.5090007@redhat.com> Martin Kosek wrote: > On Thu, 2011-07-21 at 23:52 +0000, JR Aquino wrote: >> On Apr 25, 2011, at 9:00 AM, Simo Sorce wrote: >> >>> On Mon, 2011-04-25 at 14:59 +0000, JR Aquino wrote: >>>> On Apr 25, 2011, at 6:43 AM, Simo Sorce wrote: >>>> >>>>> On Thu, 2011-04-21 at 23:28 +0000, JR Aquino wrote: >>>>>> Hmmm >>>>>> Both Private Groups and the Hostgroup -> Netgroup Managed Entries >>>>>> create objects in the container: >>>>>> cn=Managed Entries,cn=plugins,cn=config >>>>>> >>>>>> Each Ldif contains 2 ldap objects. One that lives in the main $SUFFIX, >>>>>> and one in the cn=config >>>>>> >>>>>> How will these be treated by replication and the multi masters? >>>>> >>>>> Only the common objects in the public suffix are replicated. >>>>> I think at some point we discussed that we should use a filter in the >>>>> private config entry made so that we could enable/disable the plugin by >>>>> simply making the filter result true/false. >>>>> Thus not ever touch the entries in cn=config but simply >>>>> "enable"/"disable" the functionality by (not)adding the appropriate >>>>> attributes to objects so that filters would (not) match. >>>>> >>>>> Simo. >>>> >>>> This tool works by toggling the originfilter: objectclass=disabled in order to turn off the plugin. 
>>> >>> But this is backwards, because originfilter is defined in the >>> configuration entry stored in cn=config >>> >>> Meaning as soon as you change it one server will behave differently from >>> the others until you go and change it on each and every server. >> >> Finally able to revisit this Patch / Ticket: >> (To be used in conjunction with Patch 38) >> >> 25 Create Tool for Enabling/Disabling Managed Entry >> Plugins https://fedorahosted.org/freeipa/ticket/1181 >> >> Remove legacy ipa-host-net-manage >> Add ipa-managed-entries tool >> Add man page for ipa-managed-entries tool >> > > I have found few issues with the patch: > > 1) I don't think its necessary to change BuildRequires to > 389-ds-base-devel>= 1.2.8 I think this is because the ability to move the config out of cn=config. It should probably be Requires and not BuildRequires though. > > 2) Invalid comment in get_dirman_password() function. There is no > verification of the password. It just prompts it > > 3) ipa-managed entries man pages: copy& paste error: > +Directory Server will need to be restarted after the schema > compatibility plugin has been enabled. > > 4) Invalid help of the program: > # ipa-managed-entries --help > Usage: ipa-managed-entries [options] > ipa-managed-entries [options] > > - status action is missing > - running program without action is not allowed, i.e. should not be > offered > > 5) I was thinking if there is a better solution to enabling/disabling of > the plugin. Likes setting something like "managedEntryEnabled" attribute > to on/off as we do with compat plugin. Current concept with disabling > the definition by damaging the originFilter and then restoring it from > an LDIF seems a bit awkward to me. We have to do it this way (or something like it) because cn=config is not replicated. 
> > 6) ipa-managed-entries crashes when managed entry is a wrong file: > > # ipa-managed-entries status -f /usr/share/ipa/managed-entries.ldif > Directory Manager password: > > Traceback (most recent call last): > File "/usr/sbin/ipa-managed-entries", line 245, in > sys.exit(main()) > File "/usr/sbin/ipa-managed-entries", line 141, in main > originFilter = entry_attr['originFilter'][0] > KeyError: 'originFilter' > > 7) What if there are more managed entries in the LDIF? This concept > would not work correctly then. A behavior I would expect: > a) User (optionally) passes a directory with managed entries LDIFs > b) ipa-managed-entries analyzes all LDIFs and prints available Managed > Entry definitions > c) I would choose the one I want to enable/disable via > ipa-managed-entries option > > Martin > > _______________________________________________ > Freeipa-devel mailing list > Freeipa-devel at redhat.com > https://www.redhat.com/mailman/listinfo/freeipa-devel rob From rcritten at redhat.com Fri Jul 22 14:25:45 2011 
From: rcritten at redhat.com (Rob Crittenden) Date: Fri, 22 Jul 2011 10:25:45 -0400 Subject: [Freeipa-devel] [PATCH] 836 Don't check for leading/trailing spaces on cert In-Reply-To: <1311319480.12679.5.camel@dhcp-25-52.brq.redhat.com> References: <4E288ADF.3090604@redhat.com> <4E28912D.2080506@redhat.com> <1311319480.12679.5.camel@dhcp-25-52.brq.redhat.com> Message-ID: <4E298869.5070705@redhat.com> Martin Kosek wrote: > On Thu, 2011-07-21 at 16:50 -0400, Rob Crittenden wrote: >> Rob Crittenden wrote: >>> Don't check for leading/trailing spaces when loading an entitlement cert >>> >>> ticket https://fedorahosted.org/freeipa/ticket/1505 >> >> With API.txt update, doesn't affect wire protocol. > > NACK. > > 1) I think we should disable extra whitespace rule for the entire File > parameter. This parameter is most often filled with content of the > referred file (as with entitle-import or cert-request) and we don't want > to check whitespace inside of files. You can check that cert-request > will also fail if there is a leading/trailing whitespace in the referred > CSR. > > 2) There are changes in freeipa.spec.in in cyrus-sasl-gssapi. I think > this should be in a separate patch, I don't see the relevance. > > Martin > Fixed. -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-rcrit-836-3-entitle.patch Type: application/mbox Size: 869 bytes Desc: not available URL: From ayoung at redhat.com Fri Jul 22 15:34:51 2011 
From: ayoung at redhat.com (Adam Young)
Date: Fri, 22 Jul 2011 11:34:51 -0400
Subject: [Freeipa-devel] [PATCH] 0270-removing-setters-setup-and-init
In-Reply-To: <4E28E8C4.6040201@redhat.com>
References: <4E2614DD.4090301@redhat.com> <4E26157A.5080609@redhat.com> <4E2729F2.3010409@redhat.com> <4E273193.4080506@redhat.com> <4E276E10.4010207@redhat.com> <4E278D5C.9020803@redhat.com> <4E28E8C4.6040201@redhat.com>
Message-ID: <4E29989B.4090209@redhat.com>

While this version has a Navigation fix in it, it is going to be rebased on top of Endi Dewata's patch for putting the state inside each of the facets.

On 07/21/2011 11:04 PM, Adam Young wrote:
> On 07/20/2011 10:22 PM, Endi Sukma Dewata wrote:
>> On 7/20/2011 7:08 PM, Endi Sukma Dewata wrote:
>>>
>>
>> This is based on patch 270-2:
>>
>> 19. Updating HBAC and sudo rules doesn't work, the fields always
>> reset to the original values. No undo buttons appear.
> Fixed
>>
>> 20. The Get & View buttons in host details page generate an error.
>> Create a host called test.example.com, then create a new certificate
>> with this CSR:
>>
>> MIIBezCB5QIBADA8MR8wHQYDVQQKDBZJRE0uTEFCLkJPUy5SRURIQVQuQ09NMRkw
>> FwYDVQQDDBB0ZXN0LmV4YW1wbGUuY29tMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCB
>> iQKBgQDYOFeE6Y16kQ1gSvlnUU/LOaQlbsYnkfOCZ9UOaeg1RbKXFIJYB0s1DAa8
>> biI8gb6ZpzDjcAtNZHchOBtXnl0BBPOhkF6nD444SImz6eUBCmcCNeF4lgmNTxUS
>> W2AkWl4vgXGwWSlxSrBIcylIqsIMMdYg71mUeTyuJLit8bGQdwIDAQABoAAwDQYJ
>> KoZIhvcNAQEFBQADgYEAKb3/9gkJuOf3wRGe2n+FAfqBzStq8r5SLyVa5JyOxBhJ
>> nKGrTcv95X+2ch8RPqvOg8lgn12Js/Rm3ipb0MlCkBYeq8b0RQv4N0sG2dqJG8a1
>> yxhxxIjovisey6F09cOyZljAhpJ6Qeqd7GHr7HFCPTDWrYDIb8QpiRrgNFvBtIQ=
>
> Not yet fixed. I need to generate a new CSR, as my REALM does not
> match the one used above.
>
>>
>> 21. The host's and service's managed_by facet contains duplicate
>> 'host name' columns.
> fixed
>>
>> 22. The DNS zone adder dialog is missing the buttons.
>
> Fixed. I did this by changing the layout on the adder.
>>
>> 23. The field_name attribute is no longer needed in service.js:129.
> gone
>>
>> 24. Commented code in aci_tests.js:45,64 can be removed.
> gone
>>
>> 25. Commented code in details_tests.js:69 can be removed.
> gone
>>
>> 26. The assignment in widget_tests.js:44 should be spec = null.
> fixed
>>
>> 27. Commented code in widget_tests.js:64,67,70,184 can be removed.
> gone
>>
>> 28. The unused parameter in widget_tests.js:82 can be removed.
> gone
>>
>> 29. The statement in user.js:175 is redundant:
>>
>> var entity = IPA.get_entity(that.entity.name);
>>
> gone
>
>
> _______________________________________________
> Freeipa-devel mailing list
> Freeipa-devel at redhat.com
> https://www.redhat.com/mailman/listinfo/freeipa-devel

-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-admiyo-0270-8-removing-setters-setup-and-init.patch
Type: text/x-patch
Size: 199985 bytes
Desc: not available
URL:

From JR.Aquino at citrix.com Fri Jul 22 15:59:48 2011
From: JR.Aquino at citrix.com (JR Aquino)
Date: Fri, 22 Jul 2011 15:59:48 +0000
Subject: [Freeipa-devel] [PATCH] 38 Move Managed Entries into their own container in the replicated space.
In-Reply-To: <1311342896.12679.9.camel@dhcp-25-52.brq.redhat.com>
References: <1311342896.12679.9.camel@dhcp-25-52.brq.redhat.com>
Message-ID: <89B79318-CC34-4BF4-98C7-F796E06DA093@citrixonline.com>

On Jul 22, 2011, at 6:54 AM, Martin Kosek wrote:
> On Thu, 2011-07-21 at 23:00 +0000, JR Aquino wrote:
>> Create: cn=Managed Entries,cn=etc,$SUFFIX
>> Create: cn=Definitions,cn=Managed Entries,cn=etc,$SUFFIX
>> Create: cn=Templates,cn=Managed Entries,cn=etc,$SUFFIX
>>
>> Create method for migrating any and all custom Managed Entries from
>> the cn=config space into the new container.
>>
>> The Managed Entries plugin configurations weren't being created on
>> replica installs.
>>
>> This patch addresses two separate tickets and accounts for
>> new installs, replica installs, and upgrades.
>>
>> https://fedorahosted.org/freeipa/ticket/1181 - Managed Entry Tool / New Container
>> https://fedorahosted.org/freeipa/ticket/1222 - Add Managed Entries during Replica installation
>
> I found a few issues with the patch (tested along with 25):
>
> 1) When upgrading an old instance, NGP and UGP definitions in
> cn=Managed Entries,cn=plugins,cn=config were not deleted. This led to 2
> managed entries plugin definitions
>
> 2) Managed entries on a replica didn't work for me. For example UPG was
> created on a master, but was not on a replica

Were you using 389 1.2.9? I believe the Requires should actually be present in /this/ patch instead of patch 25...

1.2.9 provides a means for directing the plugin to the NEW container in cn=etc, and after that is done, the old entries can be deleted by the code once they are no longer 'in use'.

From edewata at redhat.com Fri Jul 22 16:00:40 2011
From: edewata at redhat.com (Endi Sukma Dewata)
Date: Fri, 22 Jul 2011 11:00:40 -0500
Subject: [Freeipa-devel] [PATCH] 217 Refactored IPA.current_facet().
Message-ID: <4E299EA8.9070701@redhat.com>

The IPA.current_facet() has been merged into IPA.entity.setup() and replaced by IPA.entity.get_facet(). The setup() will read the current facet's name from the -facet URL parameter and store the facet object in the entity object. The get_facet() without any parameter will return the current facet object.

-- 
Endi S. Dewata
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-edewata-0217-Refactored-IPA.current_facet.patch
Type: text/x-patch
Size: 10029 bytes
Desc: not available
URL:

From ayoung at redhat.com Fri Jul 22 16:13:55 2011
From: ayoung at redhat.com (Adam Young)
Date: Fri, 22 Jul 2011 12:13:55 -0400
Subject: [Freeipa-devel] [PATCH] 217 Refactored IPA.current_facet().
In-Reply-To: <4E299EA8.9070701@redhat.com>
References: <4E299EA8.9070701@redhat.com>
Message-ID: <4E29A1C3.7000007@redhat.com>

On 07/22/2011 12:00 PM, Endi Sukma Dewata wrote:
> The IPA.current_facet() has been merged into IPA.entity.setup()
> and replaced by IPA.entity.get_facet(). The setup() will read the
> current facet's name from the -facet URL parameter and store
> the facet object in the entity object. The get_facet() without any
> parameter will return the current facet object.
>

ACK. Pushed to master

From edewata at redhat.com Fri Jul 22 16:16:23 2011
From: edewata at redhat.com (Endi Sukma Dewata)
Date: Fri, 22 Jul 2011 11:16:23 -0500
Subject: [Freeipa-devel] [PATCH] 218 Fixed problem with navigation state loading.
Message-ID: <4E29A257.5030101@redhat.com>

The select event handler in the navigation tab has been modified to distinguish the source of the event. If the event is triggered by URL hash change, it will use the state specified in the URL. If the event is triggered by a mouse click, it will use the state stored internally.

-- 
Endi S. Dewata
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-edewata-0218-Fixed-problem-with-navigation-state-loading.patch
Type: text/x-patch
Size: 4072 bytes
Desc: not available
URL:

From edewata at redhat.com Fri Jul 22 16:17:34 2011
From: edewata at redhat.com (Endi Sukma Dewata)
Date: Fri, 22 Jul 2011 11:17:34 -0500
Subject: [Freeipa-devel] [PATCH] 219 Fixed navigation problems.
Message-ID: <4E29A29E.4020302@redhat.com>

The navigation code has been modified to store the facet's state separately in the facet object itself. The path state is stored in the navigation object. When the path is changed to view a new facet, only the path and the state of the new facet will be shown in the URL, thus keeping the URL short.

This fixes pagination, bookmark and search filter problems as well.

Ticket #1507, 1516, 1517

-- 
Endi S. Dewata
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-edewata-0219-Fixed-navigation-problems.patch
Type: text/x-patch
Size: 11934 bytes
Desc: not available
URL:

From ayoung at redhat.com Fri Jul 22 17:07:23 2011
From: ayoung at redhat.com (Adam Young)
Date: Fri, 22 Jul 2011 13:07:23 -0400
Subject: [Freeipa-devel] [PATCH] 218 Fixed problem with navigation state loading.
In-Reply-To: <4E29A257.5030101@redhat.com>
References: <4E29A257.5030101@redhat.com>
Message-ID: <4E29AE4B.8030000@redhat.com>

On 07/22/2011 12:16 PM, Endi Sukma Dewata wrote:
> The select event handler in the navigation tab has been modified to
> distinguish the source of the event. If the event is triggered by
> URL hash change, it will use the state specified in the URL. If the
> event is triggered by a mouse click, it will use the state stored
> internally.
>

ACK. pushed to master

From ayoung at redhat.com Fri Jul 22 17:07:33 2011
From: ayoung at redhat.com (Adam Young)
Date: Fri, 22 Jul 2011 13:07:33 -0400
Subject: [Freeipa-devel] [PATCH] 219 Fixed navigation problems.
In-Reply-To: <4E29A29E.4020302@redhat.com>
References: <4E29A29E.4020302@redhat.com>
Message-ID: <4E29AE55.1000305@redhat.com>

On 07/22/2011 12:17 PM, Endi Sukma Dewata wrote:
> The navigation code has been modified to store the facet's state
> separately in the facet object itself. The path state is stored
> in the navigation object. When the path is changed to view a new
> facet, only the path and the state of the new facet will be shown
> in the URL, thus keeping the URL short.
>
> This fixes pagination, bookmark and search filter problems as well.
>
> Ticket #1507, 1516, 1517
>

ACK. Pushed to master

From edewata at redhat.com Fri Jul 22 17:18:34 2011
From: edewata at redhat.com (Endi Sukma Dewata)
Date: Fri, 22 Jul 2011 12:18:34 -0500
Subject: [Freeipa-devel] [PATCH] 0270-removing-setters-setup-and-init
In-Reply-To: <4E29989B.4090209@redhat.com>
References: <4E2614DD.4090301@redhat.com> <4E26157A.5080609@redhat.com> <4E2729F2.3010409@redhat.com> <4E273193.4080506@redhat.com> <4E276E10.4010207@redhat.com> <4E278D5C.9020803@redhat.com> <4E28E8C4.6040201@redhat.com> <4E29989B.4090209@redhat.com>
Message-ID: <4E29B0EA.6010909@redhat.com>

On 7/22/2011 10:34 AM, Adam Young wrote:
> While this version has a Navigation fix in it, it is going to be rebased
> on top of Endi Dewata's patch for putting the state inside each of the
> facets.

Rebased. I'll continue the review.

-- 
Endi S. Dewata
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-admiyo-0270-9-removing-setters-setup-and-init.patch
Type: text/x-patch
Size: 198692 bytes
Desc: not available
URL:

From edewata at redhat.com Fri Jul 22 18:59:00 2011
From: edewata at redhat.com (Endi Sukma Dewata)
Date: Fri, 22 Jul 2011 13:59:00 -0500
Subject: [Freeipa-devel] [PATCH] 220 Fixed navigation unit test.
Message-ID: <4E29C874.6040704@redhat.com>

The mock-up get_state() has been modified to return an empty object if it's called without parameter. It's the same as $bbq.getState().

Pushed under one-liner/trivial rule.

-- 
Endi S. Dewata
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-edewata-0220-Fixed-navigation-unit-test.patch
Type: text/x-patch
Size: 1262 bytes
Desc: not available
URL:

From ayoung at redhat.com Fri Jul 22 19:39:57 2011
From: ayoung at redhat.com (Adam Young)
Date: Fri, 22 Jul 2011 15:39:57 -0400
Subject: [Freeipa-devel] [PATCH] 0274-move-dns-to-identity-tab
Message-ID: <4E29D20D.9050803@redhat.com>

It makes a lot more sense here.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-admiyo-0274-move-dns-to-identity-tab.patch
Type: text/x-patch
Size: 1281 bytes
Desc: not available
URL:

From rcritten at redhat.com Fri Jul 22 19:47:54 2011
From: rcritten at redhat.com (Rob Crittenden)
Date: Fri, 22 Jul 2011 15:47:54 -0400
Subject: [Freeipa-devel] [WIP] Add command to test HBAC rules
In-Reply-To: <4E2980FF.1090809@redhat.com>
References: <4E29439D.5040803@redhat.com> <4E2980FF.1090809@redhat.com>
Message-ID: <4E29D3EA.5070903@redhat.com>

Alexander Bokovoy wrote:
>
> Now real patch: adds command, updates API.txt and VERSION files, along
> with freeipa.spec.
>
>
> On 22.07.2011 12:32, Alexander Bokovoy wrote:
>> Hi,
>>
>> attached please find a first cut of an HBAC tester command to CLI,
>> FreeIPA ticket https://fedorahosted.org/freeipa/ticket/386
>>
>> The idea behind this plugin is to re-use pyhbac module provided by SSSD
>> project which is Python bindings for SSSD's libipa_hbac code used for
>> actual HBAC rule execution. This requires libipa_hbac-python package.
>>
>> There are four modes implemented by the plugin given (user, source host,
>> target host, service), attempt to login user coming from source host to
>> target host's service:
>>
>> 1. Use all enabled HBAC rules in IPA database to simulate
>> [root@host0 ~]# ipa hbactest --user=a1a --srchost=foo --host=bar
>> --service=ssh
>> --------------------
>> Access granted: True
>> --------------------
>>
>> 2. Use all enabled HBAC rules in IPA database + explicitly specified
>> (disabled) rules
>> [root@host0 ~]# ipa hbactest --user=a1a --srchost=foo --host=bar
>> --service=ssh --rules=my-second-rule
>> --------------------
>> Access granted: True
>> --------------------
>>
>> 3. Use only explicitly specified HBAC rules
>> [root@host0 ~]# ipa hbactest --user=a1a --srchost=foo --host=bar
>> --service=ssh --rules=my-second-rule,new-rule --validate
>> --------------------
>> Access granted: True
>> --------------------
>> Passed rules: new-rule
>> Denied rules: my-second-rule
>>
>> 4. Get detailed result of simulation for all enabled HBAC rules:
>> [root@host0 ~]# ipa hbactest --user=a1a --srchost=foo --host=bar
>> --service=ssh --validate
>> --------------------
>> Access granted: True
>> --------------------
>> Passed rules: allow_all
>> Denied rules: my-second-rule, my-third-rule, myrule
>>
>> --validate option forces to run detailed simulation and report per-rule
>> results. Results are: passed, denied, error. The latter one is for
>> wrongly specified rules which should not be enabled.
>>
>> When --validate specified together with --rules, only HBAC rules
>> specified on the command line are considered.
>>
>> I'm still not sure if running simulation against all disabled HBAC rules
>> in database is worth it.

For a first shot at writing an IPA plugin this is an excellent start, my comments are mostly corner cases.

I wanted to see what would happen with an incomplete rule:

$ ipa hbacrule-show test2
  Rule name: test2
  Enabled: TRUE

$ ipa hbactest --rules=test2
User name: admin
Source host: panther.example.com
Target host: puma.example.com
Service: login
--------------------
Access granted: True
--------------------

I believe this should have failed.

If I pass in --validate with the same input I get:

---------------------
Access granted: False
---------------------
Denied rules: test2

So this is a little confusing. I thought --rules limited the rules that were considered. Maybe I'm misunderstanding it.

It would also be nice to have a way to validate a rule without having to supply all the options, sort of a "is this rule even legal?". When first working with hbac rules it is hard to remember that all parts (users, services, hosts and sourcehosts) all need to be defined or the rule is invalid.

You don't need to explicitly include required=True in your Parameters, it is the default.

In output you can define them as Str instead of List. List is more for input, it automatically parses comma-separated data.

The text in the examples wraps a fair bit on an 80-character screen.

If you pass in a non-existing rule to --rules it is ignored, at least with --validate.

I assume that unit tests are coming since this is still a WIP. Writing one at this point might help with the corner cases.

rob

From edewata at redhat.com Fri Jul 22 19:54:56 2011
From: edewata at redhat.com (Endi Sukma Dewata)
Date: Fri, 22 Jul 2011 14:54:56 -0500
Subject: [Freeipa-devel] [PATCH] 221 Fixed click handlers on certificate buttons.
Message-ID: <4E29D590.9060206@redhat.com>

The click event handlers for certificate buttons have been fixed to stop standard event processing which causes the page to change.

-- 
Endi S. Dewata
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-edewata-0221-Fixed-click-handlers-on-certificate-buttons.patch
Type: text/x-patch
Size: 3756 bytes
Desc: not available
URL:

From abokovoy at redhat.com Fri Jul 22 20:10:27 2011
From: abokovoy at redhat.com (Alexander Bokovoy)
Date: Fri, 22 Jul 2011 23:10:27 +0300
Subject: [Freeipa-devel] [WIP] Add command to test HBAC rules
In-Reply-To: <4E29D3EA.5070903@redhat.com>
References: <4E29439D.5040803@redhat.com> <4E2980FF.1090809@redhat.com> <4E29D3EA.5070903@redhat.com>
Message-ID: <4E29D933.5090205@redhat.com>

On 22.07.2011 22:47, Rob Crittenden wrote:
> Alexander Bokovoy wrote:
>>
>> Now real patch: adds command, updates API.txt and VERSION files, along
>> with freeipa.spec.
>>
>>
>> On 22.07.2011 12:32, Alexander Bokovoy wrote:
>>> Hi,
>>>
>>> attached please find a first cut of an HBAC tester command to CLI,
>>> FreeIPA ticket https://fedorahosted.org/freeipa/ticket/386
>>>
>>> The idea behind this plugin is to re-use pyhbac module provided by SSSD
>>> project which is Python bindings for SSSD's libipa_hbac code used for
>>> actual HBAC rule execution. This requires libipa_hbac-python package.
>>>
>>> There are four modes implemented by the plugin given (user, source host,
>>> target host, service), attempt to login user coming from source host to
>>> target host's service:
>>>
>>> 1. Use all enabled HBAC rules in IPA database to simulate
>>> [root@host0 ~]# ipa hbactest --user=a1a --srchost=foo --host=bar
>>> --service=ssh
>>> --------------------
>>> Access granted: True
>>> --------------------
>>>
>>> 2. Use all enabled HBAC rules in IPA database + explicitly specified
>>> (disabled) rules
>>> [root@host0 ~]# ipa hbactest --user=a1a --srchost=foo --host=bar
>>> --service=ssh --rules=my-second-rule
>>> --------------------
>>> Access granted: True
>>> --------------------
>>>
>>> 3. Use only explicitly specified HBAC rules
>>> [root@host0 ~]# ipa hbactest --user=a1a --srchost=foo --host=bar
>>> --service=ssh --rules=my-second-rule,new-rule --validate
>>> --------------------
>>> Access granted: True
>>> --------------------
>>> Passed rules: new-rule
>>> Denied rules: my-second-rule
>>>
>>> 4. Get detailed result of simulation for all enabled HBAC rules:
>>> [root@host0 ~]# ipa hbactest --user=a1a --srchost=foo --host=bar
>>> --service=ssh --validate
>>> --------------------
>>> Access granted: True
>>> --------------------
>>> Passed rules: allow_all
>>> Denied rules: my-second-rule, my-third-rule, myrule
>>>
>>> --validate option forces to run detailed simulation and report per-rule
>>> results. Results are: passed, denied, error. The latter one is for
>>> wrongly specified rules which should not be enabled.
>>>
>>> When --validate specified together with --rules, only HBAC rules
>>> specified on the command line are considered.
>>>
>>> I'm still not sure if running simulation against all disabled HBAC rules
>>> in database is worth it.
>
> For a first shot at writing an IPA plugin this is an excellent start, my
> comments are mostly corner cases.

Thanks!

> I wanted to see what would happen with an incomplete rule:
>
> $ ipa hbacrule-show test2
>   Rule name: test2
>   Enabled: TRUE
>
> $ ipa hbactest --rules=test2
> User name: admin
> Source host: panther.example.com
> Target host: puma.example.com
> Service: login
> --------------------
> Access granted: True
> --------------------
>
> I believe this should have failed.

No, it shouldn't -- you are testing all enabled rules + one explicit (which would be tested anyway as it is enabled) -- this is mode (2) of my write up above. And most likely you have allow_all rule that gives you login. If you would run

$ ipa hbactest --validate

you would see it.

> If I pass in --validate with the same input I get:
>
> ---------------------
> Access granted: False
> ---------------------
> Denied rules: test2
>
> So this is a little confusing. I thought --rules limited the rules that
> were considered. Maybe I'm misunderstanding it.

--validate + --rules gives limitation, --rules alone adds more rules to the existing test set which is all enabled rules in IPA.

> It would also be nice to have a way to validate a rule without having to
> supply all the options, sort of a "is this rule even legal?". When first
> working with hbac rules it is hard to remember that all parts (users,
> services, hosts and sourcehosts) all need to be defined or the rule is
> invalid.

libipa_hbac evaluates rule against (user, source host, target host, service) tuple so you need to have certain values in order to test the rule...

> You don't need to explicitly include required=True in your Parameters,
> it is the default.

Ok.

> In output you can define them as Str instead of List. List is more for
> input, it automatically parses comma-separated data.

Will change that.

> The text in the examples wraps a fair bit on an 80-character screen.

Yep. I'm interested also in seeing whether parameters as they are make sense. If they do, I'll rework examples. Particularly, this distinction between existing rules and --rules= needs clarification in order to avoid confusion for admins.

> If you pass in a non-existing rule to --rules it is ignored, at least
> with --validate.

Should it cause an error? I do not check right now whether all rules from --rules= are found and added.

> I assume that unit tests are coming since this is still a WIP. Writing
> one at this point might help with the corner cases.

yes.

-- 
/ Alexander Bokovoy

From ayoung at redhat.com Fri Jul 22 20:26:21 2011
From: ayoung at redhat.com (Adam Young)
Date: Fri, 22 Jul 2011 16:26:21 -0400
Subject: [Freeipa-devel] [PATCH] 0275-remove-hardcoded-DNS-label-for-record-name
Message-ID: <4E29DCED.7070302@redhat.com>

Pushed under the one line rule.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-admiyo-0275-remove-hardcoded-DNS-label-for-record-name.patch
Type: text/x-patch
Size: 1010 bytes
Desc: not available
URL:

From edewata at redhat.com Fri Jul 22 20:26:34 2011
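The HBAC simulation semantics argued over in the hbactest thread above (a request is a (user, source host, target host, service) tuple; an incomplete rule such as Rob's test2 can never grant access and is reported as an error; --rules alone adds the named rules to the set of enabled rules, while --rules together with --validate limits the test set to the named rules) modelled as a small Python program. This is an added example written for this archive page, not FreeIPA's hbactest plugin and not SSSD's pyhbac bindings: the Rule class, the include_all and detail parameters, and the sample rules and host names are constructed for illustration, and reporting unknown rule names instead of silently ignoring them is this example's own choice, made because the thread leaves that question open.

```python
"""Toy model of the hbactest simulation modes discussed in this thread.

Added example for this archive page, not FreeIPA code: it does not use
SSSD's pyhbac bindings, and the rules below are constructed sample data.
"""
from dataclasses import dataclass
from typing import Dict, FrozenSet, Iterable, List, Optional, Tuple, Union

ALL = "all"                        # stands in for usercategory/hostcategory/... = all
PASSED, DENIED, ERROR = "passed", "denied", "error"
Part = Union[str, FrozenSet[str]]  # ALL, or the set of member names


@dataclass(frozen=True)
class Rule:
    """One HBAC rule. A part left as an empty frozenset was never defined,
    which makes the rule incomplete (Rob's 'test2' case above)."""
    name: str
    enabled: bool = True
    users: Part = frozenset()
    sourcehosts: Part = frozenset()
    hosts: Part = frozenset()
    services: Part = frozenset()

    def parts(self) -> Tuple[Part, Part, Part, Part]:
        return (self.users, self.sourcehosts, self.hosts, self.services)

    def is_complete(self) -> bool:
        return all(p == ALL or len(p) > 0 for p in self.parts())


def evaluate_rule(rule: Rule, user: str, srchost: str, host: str, service: str) -> str:
    """Outcome of one rule for a (user, source host, target host, service) tuple."""
    if not rule.is_complete():
        return ERROR               # wrongly specified rule: it can never grant access
    matches = (p == ALL or v in p for p, v in zip(rule.parts(), (user, srchost, host, service)))
    return PASSED if all(matches) else DENIED


def hbactest(rule_db: Iterable[Rule], user: str, srchost: str, host: str, service: str,
             rules: Optional[List[str]] = None, include_all: bool = False,
             detail: bool = False) -> Tuple[bool, Dict[str, str], List[str]]:
    """Simulate a login. Option semantics (names are this example's own):
    rules=None           -> every enabled rule is tested
    rules=[...]          -> only the named rules, disabled ones included
                            (the '--rules with --validate' behaviour)
    rules + include_all  -> named rules plus every enabled rule
                            (the '--rules alone' behaviour Rob ran into)
    detail=True          -> per-rule outcomes are returned as well
    Returns (granted, per_rule, unknown_names)."""
    by_name = {r.name: r for r in rule_db}
    test_set: Dict[str, Rule] = {}
    unknown: List[str] = []
    if rules is None or include_all:
        test_set.update((n, r) for n, r in by_name.items() if r.enabled)
    for n in rules or []:
        if n in by_name:
            test_set[n] = by_name[n]
        else:
            unknown.append(n)      # reported rather than silently dropped
    per_rule = {n: evaluate_rule(r, user, srchost, host, service) for n, r in test_set.items()}
    granted = PASSED in per_rule.values()
    return granted, (per_rule if detail else {}), unknown


def format_report(granted: bool, per_rule: Dict[str, str], unknown: List[str]) -> str:
    """Render the result in the layout the CLI examples in the thread use."""
    lines = ["--------------------", f"Access granted: {granted}", "--------------------"]
    for label, outcome in (("Passed", PASSED), ("Denied", DENIED), ("Error", ERROR)):
        names = sorted(n for n, o in per_rule.items() if o == outcome)
        if names:
            lines.append(f"{label} rules: {', '.join(names)}")
    if unknown:
        lines.append(f"Unknown rules (ignored): {', '.join(unknown)}")
    return "\n".join(lines)


# Constructed sample rule set (not taken from any real IPA instance).
SAMPLE_RULES = [
    Rule("allow_all", users=ALL, sourcehosts=ALL, hosts=ALL, services=ALL),
    Rule("test2"),                                   # enabled but nothing defined
    Rule("ops-ssh", enabled=False, users=frozenset({"a1a"}), sourcehosts=frozenset({"foo"}),
         hosts=frozenset({"bar"}), services=frozenset({"sshd"})),
    Rule("dba-login", users=frozenset({"dba"}), sourcehosts=ALL,
         hosts=frozenset({"db1"}), services=frozenset({"login"})),
]

if __name__ == "__main__":
    req = ("admin", "panther.example.com", "puma.example.com", "login")
    # '--rules alone': test2 plus every enabled rule, so allow_all grants the login.
    print(format_report(*hbactest(SAMPLE_RULES, *req, rules=["test2"], include_all=True, detail=True)))
    # '--rules with --validate': only test2 is considered, and it is incomplete.
    print(format_report(*hbactest(SAMPLE_RULES, *req, rules=["test2"], detail=True)))
```

Running the block reproduces both results Rob reported: with the enabled rules included, allow_all grants the login and test2 shows up as an error; restricted to test2 alone, access is refused. The generator in evaluate_rule short-circuits on ALL before testing membership, so a category of "all" never tries `v in "all"` as a substring check.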
From: edewata at redhat.com (Endi Sukma Dewata)
Date: Fri, 22 Jul 2011 15:26:34 -0500
Subject: [Freeipa-devel] [PATCH] 0274-move-dns-to-identity-tab
In-Reply-To: <4E29D20D.9050803@redhat.com>
References: <4E29D20D.9050803@redhat.com>
Message-ID: <4E29DCFA.6060501@redhat.com>

On 7/22/2011 2:39 PM, Adam Young wrote:
> It makes a lot more sense here.

ACK, but there's a jslint warning.

-- 
Endi S. Dewata

From ayoung at redhat.com Fri Jul 22 20:33:39 2011
From: ayoung at redhat.com (Adam Young)
Date: Fri, 22 Jul 2011 16:33:39 -0400
Subject: [Freeipa-devel] [PATCH] 221 Fixed click handlers on certificate buttons.
In-Reply-To: <4E29D590.9060206@redhat.com>
References: <4E29D590.9060206@redhat.com>
Message-ID: <4E29DEA3.3000507@redhat.com>

On 07/22/2011 03:54 PM, Endi Sukma Dewata wrote:
> The click event handlers for certificate buttons have been fixed
> to stop standard event processing which causes the page to change.
>

ACK. Pushed to master

From ayoung at redhat.com Fri Jul 22 20:34:58 2011
From: ayoung at redhat.com (Adam Young)
Date: Fri, 22 Jul 2011 16:34:58 -0400
Subject: [Freeipa-devel] [PATCH] 0274-move-dns-to-identity-tab
In-Reply-To: <4E29DCFA.6060501@redhat.com>
References: <4E29D20D.9050803@redhat.com> <4E29DCFA.6060501@redhat.com>
Message-ID: <4E29DEF2.1000902@redhat.com>

On 07/22/2011 04:26 PM, Endi Sukma Dewata wrote:
> On 7/22/2011 2:39 PM, Adam Young wrote:
>> It makes a lot more sense here.
>
> ACK, but there's a jslint warning.
>

Fixed and pushed to master

From ayoung at redhat.com Fri Jul 22 21:40:00 2011
From: ayoung at redhat.com (Adam Young)
Date: Fri, 22 Jul 2011 17:40:00 -0400
Subject: [Freeipa-devel] [PATCH] 0276-dns-section-header-i18n
Message-ID: <4E29EE30.5010302@redhat.com>

-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-admiyo-0276-dns-section-header-i18n.patch
Type: text/x-patch
Size: 12023 bytes
Desc: not available
URL:

From edewata at redhat.com Fri Jul 22 23:24:08 2011
From: edewata at redhat.com (Endi Sukma Dewata)
Date: Fri, 22 Jul 2011 18:24:08 -0500
Subject: [Freeipa-devel] [PATCH] 0270-removing-setters-setup-and-init
In-Reply-To: <4E29B0EA.6010909@redhat.com>
References: <4E2614DD.4090301@redhat.com> <4E26157A.5080609@redhat.com> <4E2729F2.3010409@redhat.com> <4E273193.4080506@redhat.com> <4E276E10.4010207@redhat.com> <4E278D5C.9020803@redhat.com> <4E28E8C4.6040201@redhat.com> <4E29989B.4090209@redhat.com> <4E29B0EA.6010909@redhat.com>
Message-ID: <4E2A0698.6000402@redhat.com>

On 7/22/2011 12:18 PM, Endi Sukma Dewata wrote:
> On 7/22/2011 10:34 AM, Adam Young wrote:
>> While this version has a Navigation fix in it, it is going to be rebased
>> on top of Endi Dewata's patch for putting the state inside each of the
>> facets.
>
> Rebased. I'll continue the review.

Some issues:

30. The IPA.spacer_widget is used to create spacing for layout. Widgets should not be used this way because it diverges from the original design. Widgets are supposed to correspond to an attribute. It has a name (required for storing in a map), metadata, load/save/undo methods, none of which is relevant for a spacer. Also, it only handles a narrow case for creating a space between 2 fields, which I think is better handled using sections. This should be addressed in a separate patch.

31. The create() should only be used to create the visual elements. Creating fields, columns, etc. should not be done inside create() because we might decide to destroy the HTML elements of hidden facets and recreate them again. In that case the fields will be duplicated. Also, by delaying the creation of the fields it makes the object incomplete after creation, which is the reason for removing init().

32. This is an existing problem but it's worsening without init(). Since there is no class constructor, the initialization code is scattered throughout the class, making it difficult to maintain. Some code needs to be written in a certain position, but in general should we move the initialization code to the bottom of the class (to make sure all methods are already defined)? Or should init() be used as a constructor and called at the bottom of the class?

33. In association.js:661 the spec object is referenced without ensuring it's not null. The code below it is supposed to do that.

34. Commented code in entity.js:746 can be removed.

35. Commented code in widget_tests.js:181 can be removed.

36. The widget_create() is called twice in widget.js:1597.

37. Untranslated True/False labels in HBAC and sudo.

38. The file install/ui/rule.js~ got included.

39. There are jslint warnings.

40. The selenium tests could be fixed in a separate patch and probably pushed earlier. I have not run them.

-- 
Endi S. Dewata

From mkosek at redhat.com Mon Jul 25 07:11:00 2011
From: mkosek at redhat.com (Martin Kosek)
Date: Mon, 25 Jul 2011 09:11:00 +0200
Subject: [Freeipa-devel] [PATCH] 836 Don't check for leading/trailing spaces on cert
In-Reply-To: <4E298869.5070705@redhat.com>
References: <4E288ADF.3090604@redhat.com> <4E28912D.2080506@redhat.com> <1311319480.12679.5.camel@dhcp-25-52.brq.redhat.com> <4E298869.5070705@redhat.com>
Message-ID: <1311577862.15492.11.camel@dhcp-25-52.brq.redhat.com>

On Fri, 2011-07-22 at 10:25 -0400, Rob Crittenden wrote:
> Martin Kosek wrote:
> > On Thu, 2011-07-21 at 16:50 -0400, Rob Crittenden wrote:
> >> Rob Crittenden wrote:
> >>> Don't check for leading/trailing spaces when loading an entitlement cert
> >>>
> >>> ticket https://fedorahosted.org/freeipa/ticket/1505
> >>
> >> With API.txt update, doesn't affect wire protocol.
> >
> > NACK.
> >
> > 1) I think we should disable extra whitespace rule for the entire File
> > parameter. This parameter is most often filled with content of the
> > referred file (as with entitle-import or cert-request) and we don't want
> > to check whitespace inside of files. You can check that cert-request
> > will also fail if there is a leading/trailing whitespace in the referred
> > CSR.
> >
> > 2) There are changes in freeipa.spec.in in cyrus-sasl-gssapi. I think
> > this should be in a separate patch, I don't see the relevance.
> >
> > Martin
> >
>
> Fixed.

ACK. Pushed to master.

Martin

From mkosek at redhat.com Mon Jul 25 07:49:45 2011
From: mkosek at redhat.com (Martin Kosek)
Date: Mon, 25 Jul 2011 09:49:45 +0200
Subject: [Freeipa-devel] [PATCH] 100 Fix man page ipa-csreplica-manage
Message-ID: <1311580187.15492.14.camel@dhcp-25-52.brq.redhat.com>

Hm, this is a lame patch for number 100 :-)

----

Fix references to ipa-replica-manage in ipa-csreplica-manage.

https://fedorahosted.org/freeipa/ticket/1519
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-mkosek-100-fix-man-page-ipa-csreplica-manage.patch
Type: text/x-patch
Size: 1323 bytes
Desc: not available
URL:

From pvoborni at redhat.com Mon Jul 25 08:37:26 2011
From: pvoborni at redhat.com (Petr Vobornik)
Date: Mon, 25 Jul 2011 10:37:26 +0200
Subject: [Freeipa-devel] [PATCH] 001 fixed empty dns record update
Message-ID: <1311583048.2338.41.camel@dhcp-25-197.brq.redhat.com>

https://fedorahosted.org/freeipa/ticket/1477

Redirection after updating empty DNS Record (which is deleted). Added hook to details facet for post update operation.

Petr
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-pvoborni-0001-fixed-empty-dns-record-update.patch
Type: text/x-patch
Size: 4507 bytes
Desc: not available
URL:

From jcholast at redhat.com Mon Jul 25 08:43:33 2011
From: jcholast at redhat.com (Jan Cholasta)
Date: Mon, 25 Jul 2011 10:43:33 +0200
Subject: [Freeipa-devel] [PATCH] 100 Fix man page ipa-csreplica-manage
In-Reply-To: <1311580187.15492.14.camel@dhcp-25-52.brq.redhat.com>
References: <1311580187.15492.14.camel@dhcp-25-52.brq.redhat.com>
Message-ID: <4E2D2CB5.6080500@redhat.com>

On 25.7.2011 09:49, Martin Kosek wrote:
> Hm, this is a lame patch for number 100 :-)
>
> ----
>
> Fix references to ipa-replica-manage in ipa-csreplica-manage.
>
> https://fedorahosted.org/freeipa/ticket/1519
>

Despite the suggested lameness of the patch, ACK.

(also congrats on your first 100!)

Honza

-- 
Jan Cholasta

From mkosek at redhat.com Mon Jul 25 08:56:46 2011
From: mkosek at redhat.com (Martin Kosek)
Date: Mon, 25 Jul 2011 10:56:46 +0200
Subject: [Freeipa-devel] [PATCH] 100 Fix man page ipa-csreplica-manage
In-Reply-To: <4E2D2CB5.6080500@redhat.com>
References: <1311580187.15492.14.camel@dhcp-25-52.brq.redhat.com> <4E2D2CB5.6080500@redhat.com>
Message-ID: <1311584209.15492.20.camel@dhcp-25-52.brq.redhat.com>

On Mon, 2011-07-25 at 10:43 +0200, Jan Cholasta wrote:
> On 25.7.2011 09:49, Martin Kosek wrote:
> > Hm, this is a lame patch for number 100 :-)
> >
> > ----
> >
> > Fix references to ipa-replica-manage in ipa-csreplica-manage.
> >
> > https://fedorahosted.org/freeipa/ticket/1519
> >
>
> Despite the suggested lameness of the patch, ACK.
>
> (also congrats on your first 100!)
>
> Honza
>

Ok :-) Pushed to master, ipa-2-0.

Martin

From jcholast at redhat.com Mon Jul 25 08:59:27 2011
From: jcholast at redhat.com (Jan Cholasta)
Date: Mon, 25 Jul 2011 10:59:27 +0200
Subject: [Freeipa-devel] [PATCH] 838 pull in arch-specific cyrus-sasl-gssapi
In-Reply-To: <4E297BC5.1090101@redhat.com>
References: <4E297BC5.1090101@redhat.com>
Message-ID: <4E2D306F.409@redhat.com>

On 22.7.2011 15:31, Rob Crittenden wrote:
> We need a specific requires on the arch-specific cyrus-sasl-gssapi.
>
> This was discovered by a user that had the 32-bit client package
> installed on a 64-bit server. The GSSAPI SASL mechanism wasn't available
> because he had only the 64-bit cyrus-sasl-gssapi library installed. This
> adds a more specific Requires that should fix it.
>
> rob
>

ACK.

Honza

-- 
Jan Cholasta

From mkosek at redhat.com Mon Jul 25 11:38:25 2011
From: mkosek at redhat.com (Martin Kosek)
Date: Mon, 25 Jul 2011 13:38:25 +0200
Subject: [Freeipa-devel] [PATCH] 38 Move Managed Entries into their own container in the replicated space.
In-Reply-To: <89B79318-CC34-4BF4-98C7-F796E06DA093@citrixonline.com>
References: <1311342896.12679.9.camel@dhcp-25-52.brq.redhat.com> <89B79318-CC34-4BF4-98C7-F796E06DA093@citrixonline.com>
Message-ID: <1311593907.15492.22.camel@dhcp-25-52.brq.redhat.com>

On Fri, 2011-07-22 at 15:59 +0000, JR Aquino wrote:
> On Jul 22, 2011, at 6:54 AM, Martin Kosek wrote:
>
> > On Thu, 2011-07-21 at 23:00 +0000, JR Aquino wrote:
> >> Create: cn=Managed Entries,cn=etc,$SUFFIX
> >> Create: cn=Definitions,cn=Managed Entries,cn=etc,$SUFFIX
> >> Create: cn=Templates,cn=Managed Entries,cn=etc,$SUFFIX
> >>
> >> Create method for migrating any and all custom Managed Entries from
> >> the cn=config space into the new container.
> >>
> >> The Managed Entries plugin configurations weren't being created on
> >> replica installs.
> >>
> >> This patch addresses two separate tickets and accounts for
> >> new installs, replica installs, and upgrades.
> >>
> >> https://fedorahosted.org/freeipa/ticket/1181 - Managed Entry Tool / New Container
> >> https://fedorahosted.org/freeipa/ticket/1222 - Add Managed Entries during Replica installation
> >
> > I found a few issues with the patch (tested along with 25):
> >
> > 1) When upgrading an old instance, NGP and UGP definitions in
> > cn=Managed Entries,cn=plugins,cn=config were not deleted. This led to 2
> > managed entries plugin definitions
> >
> > 2) Managed entries on a replica didn't work for me. For example UPG was
> > created on a master, but was not on a replica
>
> Were you using 389 1.2.9? I believe the Requires should actually be present in /this/ patch instead of patch 25...
>
> 1.2.9 provides a means for directing the plugin to the NEW container in cn=etc, and after that is done, the old entries can be deleted by the code once they are no longer 'in use'.

I am, I checked this issue again today. The problem is in cn=Managed Entries,cn=plugins,cn=config. nsslapd-pluginConfigArea is not set on a replica.

Martin

From abokovoy at redhat.com Mon Jul 25 11:59:53 2011
From: abokovoy at redhat.com (Alexander Bokovoy)
Date: Mon, 25 Jul 2011 14:59:53 +0300
Subject: [Freeipa-devel] [WIP] Add command to test HBAC rules
In-Reply-To: <4E29D933.5090205@redhat.com>
References: <4E29439D.5040803@redhat.com> <4E2980FF.1090809@redhat.com> <4E29D3EA.5070903@redhat.com> <4E29D933.5090205@redhat.com>
Message-ID: <4E2D5AB9.4010104@redhat.com>

On 22.07.2011 23:10, Alexander Bokovoy wrote:
>> So this is a little confusing. I thought --rules limited the rules that
>> were considered. Maybe I'm misunderstanding it.
> --validate + --rules gives limitation, --rules alone adds more rules to
> the existing test set which is all enabled rules in IPA.
I reworked the command line interface a bit to avoid confusion like that.

# ipa hbactest --help
Usage: ipa [global-options] hbactest [options]

Options:
  -h, --help      show this help message and exit
  --user=STR      User name
  --srchost=STR   Source host
  --host=STR      Target host
  --service=STR   Service
  --rules=LIST    Rules to test. If not specified, all enabled rules are
                  tested
  --detail        Detail rule execution
  --all           Include all enabled IPA rules into test

Now if you specify --rules, hbactest will only try to simulate login
using these rules. You would need to add --all to force considering all
IPA enabled rules.

When no --rules are specified, simulation is run against all enabled IPA
rules.

--validate got replaced by --detail which simply tries to run simulation
one by one and report results for each rule. You can apply it for any
run, with or without --rules and --all.

If --rules contains a name of non-existent rule, it is simply ignored.
So if I asked to verify against --rule=foobar where there is no such
rule, should there be an error message for such cases? Right now you'll get
False (access is not granted) and --detail will not show any rules.

Now, the only mode left out is batch verification of all disabled rules
for the purpose of checking their correctness. Suppose we have a switch
--show-invalid that takes all IPA rules and runs a simulation request
against them, reporting the ones that are invalid only. Such a request
could be done without any specific (user, source host, target host,
service) tuple because we are only interested in HBAC_EVAL_ERROR return
code which is independent of input parameters. Unfortunately all we can
tell in this case is that the rule is incorrect, without much details.
Probably some improvement for libipa_hbac is needed, like converting
request result into a bit field and returning detailed cause of error
per tuple element.

Current version is attached. It still lacks unit tests.

--
/ Alexander Bokovoy
-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: freeipa-abbra-0007-1-add-hbactest-command.patch
URL:

From dpal at redhat.com Mon Jul 25 13:46:41 2011
From: dpal at redhat.com (Dmitri Pal)
Date: Mon, 25 Jul 2011 09:46:41 -0400
Subject: [Freeipa-devel] [WIP] Add command to test HBAC rules
In-Reply-To: <4E2D5AB9.4010104@redhat.com>
References: <4E29439D.5040803@redhat.com> <4E2980FF.1090809@redhat.com> <4E29D3EA.5070903@redhat.com> <4E29D933.5090205@redhat.com> <4E2D5AB9.4010104@redhat.com>
Message-ID: <4E2D73C1.40900@redhat.com>

On 07/25/2011 07:59 AM, Alexander Bokovoy wrote:
> On 22.07.2011 23:10, Alexander Bokovoy wrote:
>>> So this is a little confusing. I thought --rules limited the rules that
>>> were considered. Maybe I'm misunderstanding it.
>> --validate + --rules gives limitation, --rules alone adds more rules to
>> the existing test set which is all enabled rules in IPA.
> I reworked the command line interface a bit to avoid confusion like that.
>
> # ipa hbactest --help
> Usage: ipa [global-options] hbactest [options]
>
> Options:
>   -h, --help      show this help message and exit
>   --user=STR      User name
>   --srchost=STR   Source host
>   --host=STR      Target host
>   --service=STR   Service
>   --rules=LIST    Rules to test. If not specified, all enabled rules are
>                   tested
>   --detail        Detail rule execution
>   --all           Include all enabled IPA rules into test
>
> Now if you specify --rules, hbactest will only try to simulate login
> using these rules. You would need to add --all to force considering all
> IPA enabled rules.

I like the functionality but --all does not sound right, maybe it should
be --enabled or something else.

> When no --rules are specified, simulation is run against all enabled IPA
> rules.
>
> --validate got replaced by --detail which simply tries to run simulation
> one by one and report results for each rule. You can apply it for any
> run, with or without --rules and --all.

Maybe --detail should be something like --each or --checkeach or
--iterate. The expectation about the term "detail" is a bit different.
The functionality seems OK though.

> If --rules contains a name of non-existent rule, it is simply ignored.
> So if I asked to verify against --rule=foobar where there is no such
> rule, should there be an error message for such cases? Right now you'll get
> False (access is not granted) and --detail will not show any rules.

It should be an error IMO. The reason is that you might have mistyped
something and think you checked the rule that you mistyped but it would
turn out that you did not.

> Now, the only mode left out is batch verification of all disabled rules
> for the purpose of checking their correctness.

The more I think about it the more I lean towards just having --disabled
to include all disabled rules instead of listing them explicitly in
--rules. It is more a convenience aggregation than any difference in
behavior.

> Suppose we have a switch
> --show-invalid that takes all IPA rules and runs a simulation request
> against them, reporting the ones that are invalid only.

Invalid in what way? I am not sure we can detect validity of the rules.
The whole point of the tool was to detect whether a real or test user
will be denied or allowed and whether it is expected or not.

> Such a request
> could be done without any specific (user, source host, target host,
> service) tuple because we are only interested in HBAC_EVAL_ERROR return

I am not sure I understand. What kind of condition would return such an
error?

> code which is independent of input parameters. Unfortunately all we can
> tell in this case is that the rule is incorrect, without much details.
> Probably some improvement for libipa_hbac is needed, like converting
> request result into a bit field and returning detailed cause of error
> per tuple element.
>
>
> Current version is attached. It still lacks unit tests.
>
>
>
> _______________________________________________
> Freeipa-devel mailing list
> Freeipa-devel at redhat.com
> https://www.redhat.com/mailman/listinfo/freeipa-devel

--
Thank you,
Dmitri Pal

Sr. Engineering Manager IPA project,
Red Hat Inc.

-------------------------------
Looking to carve out IT costs?
www.redhat.com/carveoutcosts/
-------------- next part --------------
An HTML attachment was scrubbed...
URL:

From dpal at redhat.com Mon Jul 25 13:56:31 2011
From: dpal at redhat.com (Dmitri Pal)
Date: Mon, 25 Jul 2011 09:56:31 -0400
Subject: [Freeipa-devel] [WIP] Add command to test HBAC rules
In-Reply-To: <4E2D73C1.40900@redhat.com>
References: <4E29439D.5040803@redhat.com> <4E2980FF.1090809@redhat.com> <4E29D3EA.5070903@redhat.com> <4E29D933.5090205@redhat.com> <4E2D5AB9.4010104@redhat.com> <4E2D73C1.40900@redhat.com>
Message-ID: <4E2D760F.5000508@redhat.com>

On 07/25/2011 09:46 AM, Dmitri Pal wrote:
> On 07/25/2011 07:59 AM, Alexander Bokovoy wrote:
>> On 22.07.2011 23:10, Alexander Bokovoy wrote:
>>>> So this is a little confusing. I thought --rules limited the rules that
>>>> were considered. Maybe I'm misunderstanding it.
>>> --validate + --rules gives limitation, --rules alone adds more rules to
>>> the existing test set which is all enabled rules in IPA.
>> I reworked the command line interface a bit to avoid confusion like that.
>>
>> # ipa hbactest --help
>> Usage: ipa [global-options] hbactest [options]
>>
>> Options:
>>   -h, --help      show this help message and exit
>>   --user=STR      User name
>>   --srchost=STR   Source host
>>   --host=STR      Target host
>>   --service=STR   Service
>>   --rules=LIST    Rules to test. If not specified, all enabled rules are
>>                   tested
>>   --detail        Detail rule execution
>>   --all           Include all enabled IPA rules into test
>>
>> Now if you specify --rules, hbactest will only try to simulate login
>> using these rules. You would need to add --all to force considering all
>> IPA enabled rules.
>
> I like the functionality but --all does not sound right, maybe it
> should be --enabled or something else.
>
>> When no --rules are specified, simulation is run against all enabled IPA
>> rules.
>>
>> --validate got replaced by --detail which simply tries to run simulation
>> one by one and report results for each rule. You can apply it for any
>> run, with or without --rules and --all.
>
> Maybe --detail should be something like --each or --checkeach or
> --iterate. The expectation about the term "detail" is a bit different.
> The functionality seems OK though.
>
>> If --rules contains a name of non-existent rule, it is simply ignored.
>> So if I asked to verify against --rule=foobar where there is no such
>> rule, should there be an error message for such cases? Right now you'll get
>> False (access is not granted) and --detail will not show any rules.
>
> It should be an error IMO. The reason is that you might have
> mistyped something and think you checked the rule that you
> mistyped but it would turn out that you did not.
>
>> Now, the only mode left out is batch verification of all disabled rules
>> for the purpose of checking their correctness.
>
> The more I think about it the more I lean towards just having
> --disabled to include all disabled rules instead of listing them
> explicitly in --rules. It is more a convenience aggregation than any
> difference in behavior.
>
>> Suppose we have a switch
>> --show-invalid that takes all IPA rules and runs a simulation request
>> against them, reporting the ones that are invalid only.
>
> Invalid in what way? I am not sure we can detect validity of the
> rules. The whole point of the tool was to detect whether a real or
> test user will be denied or allowed and whether it is expected or not.

Catching up with the thread I see that there is a discussion about the
invalid rules i.e. incomplete rules. I thought that it is nearly
impossible to create an "invalid" rule this way as the omitted parts have
the default interpretation if the value is missing. Those should be
clearly documented BTW. But I remember that the original designs touched
on this subject. I looked here:
http://www.freeipa.org/page/DS_Design_Summary#HBAC_object
It is somewhat defined, somewhat not. Let us clarify the meaning of an
empty users attribute. Is it "any" possible user, "rule is ignored" or
error? IMO it is any possible user. Same with host or service. But I am
open for argument.

>
>> Such a request
>> could be done without any specific (user, source host, target host,
>> service) tuple because we are only interested in HBAC_EVAL_ERROR return
>
> I am not sure I understand. What kind of condition would return such
> an error?
>
>> code which is independent of input parameters. Unfortunately all we can
>> tell in this case is that the rule is incorrect, without much details.
>> Probably some improvement for libipa_hbac is needed, like converting
>> request result into a bit field and returning detailed cause of error
>> per tuple element.
>>
>>
>> Current version is attached. It still lacks unit tests.
>>
>>
>>
>> _______________________________________________
>> Freeipa-devel mailing list
>> Freeipa-devel at redhat.com
>> https://www.redhat.com/mailman/listinfo/freeipa-devel
>
>
> --
> Thank you,
> Dmitri Pal
>
> Sr. Engineering Manager IPA project,
> Red Hat Inc.
>
>
> -------------------------------
> Looking to carve out IT costs?
> www.redhat.com/carveoutcosts/
>
>
>
> _______________________________________________
> Freeipa-devel mailing list
> Freeipa-devel at redhat.com
> https://www.redhat.com/mailman/listinfo/freeipa-devel

--
Thank you,
Dmitri Pal

Sr. Engineering Manager IPA project,
Red Hat Inc.

-------------------------------
Looking to carve out IT costs?
www.redhat.com/carveoutcosts/
-------------- next part --------------
An HTML attachment was scrubbed...
URL:

From jgalipea at redhat.com Mon Jul 25 14:06:41 2011
From: jgalipea at redhat.com (Jenny Galipeau)
Date: Mon, 25 Jul 2011 10:06:41 -0400 (EDT)
Subject: [Freeipa-devel] [WIP] Add command to test HBAC rules
In-Reply-To: <4E2D73C1.40900@redhat.com>
Message-ID: <1575370435.223909.1311602801326.JavaMail.root@zmail05.collab.prod.int.phx2.redhat.com>

----- Original Message -----

> On 07/25/2011 07:59 AM, Alexander Bokovoy wrote:
>
> On 22.07.2011 23:10, Alexander Bokovoy wrote:
>
> So this is a little confusing. I thought --rules limited the rules that
> were considered. Maybe I'm misunderstanding it.
>
> --validate + --rules gives limitation, --rules alone adds more rules to
> the existing test set which is all enabled rules in IPA.
>
> I reworked the command line interface a bit to avoid confusion like that.
>
> # ipa hbactest --help
> Usage: ipa [global-options] hbactest [options]
>
> Options:
>   -h, --help      show this help message and exit
>   --user=STR      User name
>   --srchost=STR   Source host
>   --host=STR      Target host
>   --service=STR   Service
>   --rules=LIST    Rules to test. If not specified, all enabled rules are
>                   tested
>   --detail        Detail rule execution
>   --all           Include all enabled IPA rules into test
>
> Now if you specify --rules, hbactest will only try to simulate login
> using these rules. You would need to add --all to force considering all
> IPA enabled rules.
>
> I like the functionality but --all does not sound right, maybe it
> should be --enabled or something else.

how about :
--disabled
--all (both enabled and disabled)

and default without specifying either would be just enabled.

> When no --rules are specified, simulation is run against all enabled IPA
> rules.
>
> --validate got replaced by --detail which simply tries to run simulation
> one by one and report results for each rule. You can apply it for any
> run, with or without --rules and --all.
>
> Maybe --detail should be something like --each or --checkeach or
> --iterate. The expectation about the term "detail" is a bit different.
> The functionality seems OK though.

I too am confused with --detail. What does "Detail rule execution" mean?
I do not like --iterate, this is a developer term and not specific to
what the user should expect as a behavior.

> If --rules contains a name of non-existent rule, it is simply ignored.
> So if I asked to verify against --rule=foobar where there is no such
> rule, should there be an error message for such cases? Right now you'll get
> False (access is not granted) and --detail will not show any rules.
>
> It should be an error IMO. The reason is that you might have
> mistyped something and think you checked the rule that you
> mistyped but it would turn out that you did not.

+1 error - this would match the behavior of all other CLIs.

> Now, the only mode left out is batch verification of all disabled rules
> for the purpose of checking their correctness.
>
> The more I think about it the more I lean towards just having
> --disabled to include all disabled rules instead of listing them
> explicitly in --rules. It is more a convenience aggregation than any
> difference in behavior.

Again ...

how about :
--disabled
--all (both enabled and disabled)

and default without specifying either would be just enabled.

> Suppose we have a switch
> --show-invalid that takes all IPA rules and runs a simulation request
> against them, reporting the ones that are invalid only.
>
> Invalid in what way? I am not sure we can detect validity of the
> rules. The whole point of the tool was to detect whether a real or
> test user will be denied or allowed and whether it is expected or not.
>
> Such a request
> could be done without any specific (user, source host, target host,
> service) tuple because we are only interested in HBAC_EVAL_ERROR return
>
> I am not sure I understand. What kind of condition would return such
> an error?
>
> code which is independent of input parameters. Unfortunately all we can
> tell in this case is that the rule is incorrect, without much details.
> Probably some improvement for libipa_hbac is needed, like converting
> request result into a bit field and returning detailed cause of error
> per tuple element.
>
> Current version is attached. It still lacks unit tests.
>
> _______________________________________________
> Freeipa-devel mailing list
> Freeipa-devel at redhat.com
> https://www.redhat.com/mailman/listinfo/freeipa-devel
>
> --
> Thank you,
> Dmitri Pal
>
> Sr. Engineering Manager IPA project,
> Red Hat Inc.
>
> -------------------------------
> Looking to carve out IT costs?
> www.redhat.com/carveoutcosts/
>
> _______________________________________________
> Freeipa-devel mailing list
> Freeipa-devel at redhat.com
> https://www.redhat.com/mailman/listinfo/freeipa-devel

--
Looking to carve out IT costs?
www.redhat.com/carveoutcosts/

Jenny Galipeau
Principal Software QA Engineer
Red Hat, Inc. Security Engineering
-------------- next part --------------
An HTML attachment was scrubbed...
URL:

From rcritten at redhat.com Mon Jul 25 14:08:05 2011
From: rcritten at redhat.com (Rob Crittenden)
Date: Mon, 25 Jul 2011 10:08:05 -0400
Subject: [Freeipa-devel] [PATCH] 839 check for duplicate keys when adding indirect maps
Message-ID: <4E2D78C5.60507@redhat.com>

When adding an indirect map verify that the key doesn't already exist.

There is still the chance of collision but checking first should limit
it in any case.

https://fedorahosted.org/freeipa/ticket/1520

rob
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-rcrit-839-automount.patch
Type: application/mbox
Size: 2197 bytes
Desc: not available
URL:

From dpal at redhat.com Mon Jul 25 14:10:48 2011
From: dpal at redhat.com (Dmitri Pal)
Date: Mon, 25 Jul 2011 10:10:48 -0400
Subject: [Freeipa-devel] [WIP] Add command to test HBAC rules
In-Reply-To: <4E2D760F.5000508@redhat.com>
References: <4E29439D.5040803@redhat.com> <4E2980FF.1090809@redhat.com> <4E29D3EA.5070903@redhat.com> <4E29D933.5090205@redhat.com> <4E2D5AB9.4010104@redhat.com> <4E2D73C1.40900@redhat.com> <4E2D760F.5000508@redhat.com>
Message-ID: <4E2D7968.60200@redhat.com>

On 07/25/2011 09:56 AM, Dmitri Pal wrote:
> Suppose we have a switch
> --show-invalid that takes all IPA rules and runs a simulation request
> against them, reporting the ones that are invalid only.

OK. It seems to be the right behavior as described. Other parameters
should be ignored and it should go through all the rules, enabled and
disabled, and report the ones that are invalid (incomplete and would
never match).

--
Thank you,
Dmitri Pal

Sr. Engineering Manager IPA project,
Red Hat Inc.

-------------------------------
Looking to carve out IT costs?
www.redhat.com/carveoutcosts/

From rcritten at redhat.com Mon Jul 25 14:12:49 2011
From: rcritten at redhat.com (Rob Crittenden)
Date: Mon, 25 Jul 2011 10:12:49 -0400
Subject: [Freeipa-devel] [WIP] Add command to test HBAC rules
In-Reply-To: <4E2D73C1.40900@redhat.com>
References: <4E29439D.5040803@redhat.com> <4E2980FF.1090809@redhat.com> <4E29D3EA.5070903@redhat.com> <4E29D933.5090205@redhat.com> <4E2D5AB9.4010104@redhat.com> <4E2D73C1.40900@redhat.com>
Message-ID: <4E2D79E1.20006@redhat.com>

Dmitri Pal wrote:
> On 07/25/2011 07:59 AM, Alexander Bokovoy wrote:
>> On 22.07.2011 23:10, Alexander Bokovoy wrote:
>>>> So this is a little confusing. I thought --rules limited the rules that
>>>> were considered. Maybe I'm misunderstanding it.
>>> --validate + --rules gives limitation, --rules alone adds more rules to
>>> the existing test set which is all enabled rules in IPA.
>> I reworked the command line interface a bit to avoid confusion like that.
>>
>> # ipa hbactest --help
>> Usage: ipa [global-options] hbactest [options]
>>
>> Options:
>>   -h, --help      show this help message and exit
>>   --user=STR      User name
>>   --srchost=STR   Source host
>>   --host=STR      Target host
>>   --service=STR   Service
>>   --rules=LIST    Rules to test. If not specified, all enabled rules are
>>                   tested
>>   --detail        Detail rule execution
>>   --all           Include all enabled IPA rules into test
>>
>> Now if you specify --rules, hbactest will only try to simulate login
>> using these rules. You would need to add --all to force considering all
>> IPA enabled rules.
>
> I like the functionality but --all does not sound right, maybe it
> should be --enabled or something else.

My only problem with --all is it means we'd have an option with different
meaning in different contexts. Would this cause confusion?

>
>> When no --rules are specified, simulation is run against all enabled IPA
>> rules.
>>
>> --validate got replaced by --detail which simply tries to run simulation
>> one by one and report results for each rule. You can apply it for any
>> run, with or without --rules and --all.
>
> Maybe --detail should be something like --each or --checkeach or
> --iterate. The expectation about the term "detail" is a bit different.
> The functionality seems OK though.
>
>> If --rules contains a name of non-existent rule, it is simply ignored.
>> So if I asked to verify against --rule=foobar where there is no such
>> rule, should there be an error message for such cases? Right now you'll get
>> False (access is not granted) and --detail will not show any rules.
>
> It should be an error IMO. The reason is that you might have mistyped
> something and think you checked the rule that you mistyped but it
> would turn out that you did not.
>
>> Now, the only mode left out is batch verification of all disabled rules
>> for the purpose of checking their correctness.
>
> The more I think about it the more I lean towards just having --disabled
> to include all disabled rules instead of listing them explicitly in
> --rules. It is more a convenience aggregation than any difference in
> behavior.
>
>> Suppose we have a switch
>> --show-invalid that takes all IPA rules and runs a simulation request
>> against them, reporting the ones that are invalid only.
>
> Invalid in what way? I am not sure we can detect validity of the rules.
> The whole point of the tool was to detect whether a real or test user
> will be denied or allowed and whether it is expected or not.

An HBAC rule requires all 4 components be defined (user, host, sourcehost,
service) or it is ignored by sssd. It is VERY easy to miss one component
so having a way to find invalid rules would be handy.

rob

From dpal at redhat.com Mon Jul 25 14:13:47 2011
From: dpal at redhat.com (Dmitri Pal)
Date: Mon, 25 Jul 2011 10:13:47 -0400
Subject: [Freeipa-devel] [WIP] Add command to test HBAC rules
In-Reply-To: <4E2D79E1.20006@redhat.com>
References: <4E29439D.5040803@redhat.com> <4E2980FF.1090809@redhat.com> <4E29D3EA.5070903@redhat.com> <4E29D933.5090205@redhat.com> <4E2D5AB9.4010104@redhat.com> <4E2D73C1.40900@redhat.com> <4E2D79E1.20006@redhat.com>
Message-ID: <4E2D7A1B.5070205@redhat.com>

On 07/25/2011 10:12 AM, Rob Crittenden wrote:
> My only problem with --all is it means we'd have an option with
> different meaning in different contexts. Would this cause confusion?

Yes this is exactly where I am coming from too.

--
Thank you,
Dmitri Pal

Sr. Engineering Manager IPA project,
Red Hat Inc.

-------------------------------
Looking to carve out IT costs?
www.redhat.com/carveoutcosts/

From dpal at redhat.com Mon Jul 25 14:19:17 2011
From: dpal at redhat.com (Dmitri Pal)
Date: Mon, 25 Jul 2011 10:19:17 -0400
Subject: [Freeipa-devel] [WIP] Add command to test HBAC rules
In-Reply-To: <1575370435.223909.1311602801326.JavaMail.root@zmail05.collab.prod.int.phx2.redhat.com>
References: <1575370435.223909.1311602801326.JavaMail.root@zmail05.collab.prod.int.phx2.redhat.com>
Message-ID: <4E2D7B65.3090406@redhat.com>

On 07/25/2011 10:06 AM, Jenny Galipeau wrote:
>
>
> ------------------------------------------------------------------------
>
> On 07/25/2011 07:59 AM, Alexander Bokovoy wrote:
>
> On 22.07.2011 23:10, Alexander Bokovoy wrote:
>
> So this is a little confusing. I thought --rules limited the rules that
> were considered. Maybe I'm misunderstanding it.
>
> --validate + --rules gives limitation, --rules alone adds more rules to
> the existing test set which is all enabled rules in IPA.
>
> I reworked the command line interface a bit to avoid confusion like that.
>
> # ipa hbactest --help
> Usage: ipa [global-options] hbactest [options]
>
> Options:
>   -h, --help      show this help message and exit
>   --user=STR      User name
>   --srchost=STR   Source host
>   --host=STR      Target host
>   --service=STR   Service
>   --rules=LIST    Rules to test. If not specified, all enabled rules are
>                   tested
>   --detail        Detail rule execution
>   --all           Include all enabled IPA rules into test
>
> Now if you specify --rules, hbactest will only try to simulate login
> using these rules. You would need to add --all to force considering all
> IPA enabled rules.
>
>
> I like the functionality but --all does not sound right, maybe it
> should be --enabled or something else.
>
> how about :
> --disabled
> --all (both enabled and disabled)
>
> and default without specifying either would be just enabled.
>
>
> When no --rules are specified, simulation is run against all enabled IPA
> rules.
>
> --validate got replaced by --detail which simply tries to run simulation
> one by one and report results for each rule. You can apply it for any
> run, with or without --rules and --all.
>
>
> Maybe --detail should be something like --each or --checkeach or
> --iterate. The expectation about the term "detail" is a bit
> different. The functionality seems OK though.
>
>
> I too am confused with --detail. What does "Detail rule execution"
> mean? I do not like --iterate, this is a developer term and not
> specific to what the user should expect as a behavior.
>
>
> If --rules contains a name of non-existent rule, it is simply ignored.
> So if I asked to verify against --rule=foobar where there is no such
> rule, should there be an error message for such cases? Right now you'll get
> False (access is not granted) and --detail will not show any rules.
>
>
> It should be an error IMO. The reason is that you might have
> mistyped something and think you checked the rule that you
> mistyped but it would turn out that you did not.
>
>
> +1 error - this would match the behavior of all other CLIs.
>
>
> Now, the only mode left out is batch verification of all disabled rules
> for the purpose of checking their correctness.
>
>
> The more I think about it the more I lean towards just having
> --disabled to include all disabled rules instead of listing them
> explicitly in --rules. It is more a convenience aggregation than
> any difference in behavior.
>
> Again ...
>
> how about :
> --disabled
> --all (both enabled and disabled)
>
> and default without specifying either would be just enabled.
>
>
> Suppose we have a switch
> --show-invalid that takes all IPA rules and runs a simulation request
> against them, reporting the ones that are invalid only.
>
>
> Invalid in what way? I am not sure we can detect validity of the
> rules. The whole point of the tool was to detect whether a real or
> test user will be denied or allowed and whether it is expected or not.
>
>
> Such a request
> could be done without any specific (user, source host, target host,
> service) tuple because we are only interested in HBAC_EVAL_ERROR return
>
>
> I am not sure I understand. What kind of condition would return
> such an error?
>
> code which is independent of input parameters. Unfortunately all we can
> tell in this case is that the rule is incorrect, without much details.
> Probably some improvement for libipa_hbac is needed, like converting
> request result into a bit field and returning detailed cause of error
> per tuple element.
>
>
> Current version is attached. It still lacks unit tests.
>
>
>
> _______________________________________________
> Freeipa-devel mailing list
> Freeipa-devel at redhat.com
> https://www.redhat.com/mailman/listinfo/freeipa-devel
>
>
>
> --
> Thank you,
> Dmitri Pal
>
> Sr. Engineering Manager IPA project,
> Red Hat Inc.
>
>
> -------------------------------
> Looking to carve out IT costs?
> www.redhat.com/carveoutcosts/
>
>
>
> _______________________________________________
> Freeipa-devel mailing list
> Freeipa-devel at redhat.com
> https://www.redhat.com/mailman/listinfo/freeipa-devel
>
>
>
>
> --
> Looking to carve out IT costs?
> www.redhat.com/carveoutcosts/
>
> Jenny Galipeau
> Principal Software QA Engineer
> Red Hat, Inc. Security Engineering
>
>
> _______________________________________________
> Freeipa-devel mailing list
> Freeipa-devel at redhat.com
> https://www.redhat.com/mailman/listinfo/freeipa-devel

How about:

--all means all rules
--enabled means all enabled rules; it can be used with the specific
values like this --enabled=A,B,C then it will include only those enabled
rules
--disabled means all disabled rules; it can be used with the specific
values like this --disabled=X,Y,Z then it will include only those
disabled rules
Eliminate --rules.

--
Thank you,
Dmitri Pal

Sr. Engineering Manager IPA project,
Red Hat Inc.

-------------------------------
Looking to carve out IT costs?
www.redhat.com/carveoutcosts/
-------------- next part --------------
An HTML attachment was scrubbed...
URL:

From rcritten at redhat.com Mon Jul 25 14:24:57 2011
From: rcritten at redhat.com (Rob Crittenden)
Date: Mon, 25 Jul 2011 10:24:57 -0400
Subject: [Freeipa-devel] [WIP] Add command to test HBAC rules
In-Reply-To: <4E2D7B65.3090406@redhat.com>
References: <1575370435.223909.1311602801326.JavaMail.root@zmail05.collab.prod.int.phx2.redhat.com> <4E2D7B65.3090406@redhat.com>
Message-ID: <4E2D7CB9.1010301@redhat.com>

Dmitri Pal wrote:
> How about:
>
> --all means all rules
> --enabled means all enabled rules; it can be used with the specific
> values like this --enabled=A,B,C then it will include only those enabled
> rules
> --disabled means all disabled rules; it can be used with the specific
> values like this --disabled=X,Y,Z then it will include only those
> disabled rules
> Eliminate --rules.

I don't think you can use an option in this way, as both a flag and
something that takes values.

So I think --enabled and --disabled would define the type of rule and
--rules would be used to define the set to examine. --all and --rules
would be mutually exclusive.

rob

From mkosek at redhat.com Mon Jul 25 15:02:18 2011
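A worked model of the hbactest semantics this thread is converging on, added here as an example; it is not the FreeIPA hbactest plugin, libipa_hbac, or anyone's patch. It reproduces the points the reviewers raised: --rules names specific rules, --enabled/--disabled add every rule of that type, --all means every rule and is mutually exclusive with --rules (Rob's point above), an unknown rule name is an error rather than silently ignored (Dmitri and Jenny), and a rule missing any of the four components can never match, which is what --show-invalid would report (Rob: such a rule is ignored by sssd). Rule, evaluate_rule, select_rules, hbactest, show_invalid and the sample rules are this example's own constructions; "all" stands in for IPA's user/host/service category "all".

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Union

# The four components every HBAC rule needs; a rule missing one is
# "invalid" here (example naming, not the IPA attribute names).
COMPONENTS = ("users", "hosts", "sourcehosts", "services")

# A component is a set of names, the literal "all", or None when never defined.
Members = Optional[Union[Set[str], str]]


@dataclass
class Rule:
    name: str
    enabled: bool = True
    users: Members = None
    hosts: Members = None
    sourcehosts: Members = None
    services: Members = None

    def missing(self) -> List[str]:
        """Components that were never defined on this rule."""
        return [c for c in COMPONENTS if getattr(self, c) is None]


def _matches(members: Members, value: str) -> bool:
    return members == "all" or value in members


def evaluate_rule(rule: Rule, user: str, srchost: str, host: str, service: str) -> str:
    """One rule against one (user, srchost, host, service) tuple.
    'error' plays the role of HBAC_EVAL_ERROR: an incomplete rule can never
    grant access, whatever the input, so no tuple is needed to detect it."""
    if rule.missing():
        return "error"
    allowed = (_matches(rule.users, user) and _matches(rule.sourcehosts, srchost)
               and _matches(rule.hosts, host) and _matches(rule.services, service))
    return "allow" if allowed else "deny"


def select_rules(rules, names=None, enabled=False, disabled=False, all_rules=False):
    """Mirror the proposed switches: --rules=names, --enabled, --disabled, --all.
    --all and --rules are mutually exclusive; with no selector at all the
    enabled rules are tested. Unknown names raise instead of being ignored."""
    if all_rules and names:
        raise ValueError("--all and --rules are mutually exclusive")
    by_name = {r.name: r for r in rules}
    unknown = [n for n in (names or []) if n not in by_name]
    if unknown:
        raise LookupError("no such rule(s): " + ", ".join(unknown))
    if all_rules:
        return list(rules)
    selected = {n: by_name[n] for n in (names or [])}   # dict keeps order, dedupes
    if enabled or not (names or disabled):
        selected.update((r.name, r) for r in rules if r.enabled)
    if disabled:
        selected.update((r.name, r) for r in rules if not r.enabled)
    return list(selected.values())


def hbactest(rules, user, srchost, host, service, detail=False,
             names=None, enabled=False, disabled=False, all_rules=False):
    """Returns (access_granted, per_rule_results); per_rule_results is empty
    unless detail is requested. Access is granted if any selected rule allows."""
    chosen = select_rules(rules, names, enabled, disabled, all_rules)
    results = {r.name: evaluate_rule(r, user, srchost, host, service) for r in chosen}
    granted = any(v == "allow" for v in results.values())
    return granted, (results if detail else {})


def show_invalid(rules) -> Dict[str, List[str]]:
    """--show-invalid: walk every rule, enabled or disabled, and report the
    incomplete ones with the components they lack."""
    return {r.name: r.missing() for r in rules if r.missing()}


# Constructed sample rules (not real IPA data): the second one lacks
# sourcehosts, the third is disabled.
SAMPLE_RULES = [
    Rule("admins_ssh", users={"alice"}, hosts={"web1"}, sourcehosts="all", services={"sshd"}),
    Rule("devs_login", users={"bob"}, hosts={"web1"}, services={"login"}),
    Rule("legacy_any", enabled=False, users={"bob"}, hosts="all", sourcehosts="all", services="all"),
]

if __name__ == "__main__":
    print(hbactest(SAMPLE_RULES, "bob", "laptop", "web1", "login", detail=True))
    print(show_invalid(SAMPLE_RULES))
```

Running it shows bob denied under the enabled rules, with devs_login reported as "error" rather than a quiet deny, and granted only when the disabled legacy_any rule is pulled in explicitly; show_invalid needs no input tuple at all, which is the property Alexander relies on for a batch validity check.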
From: mkosek at redhat.com (Martin Kosek)
Date: Mon, 25 Jul 2011 17:02:18 +0200
Subject: [Freeipa-devel] [PATCH] 839 check for duplicate keys when adding indirect maps
In-Reply-To: <4E2D78C5.60507@redhat.com>
References: <4E2D78C5.60507@redhat.com>
Message-ID: <1311606141.15492.32.camel@dhcp-25-52.brq.redhat.com>

On Mon, 2011-07-25 at 10:08 -0400, Rob Crittenden wrote:
> When adding an indirect map verify that the key doesn't already exist.
>
> There is still the chance of collision but checking first should limit
> it in any case.
>
> https://fedorahosted.org/freeipa/ticket/1520
>
> rob

This patch is OK functionally, but it can be improved. This command
consists of 2 sub-commands. Checking for one sub-command's corner-case
(by automountkey_show) may be OK for now, but it doesn't cover a
situation when the second sub-command fails for some other error.

I think this is what we should do:

try:
    automountmap_add
    automountkey_add
except Exception, e:
    Clean up - remove possibly created automountmap
    raise e

That way we will be covered for more corner-cases + we will save one
automountkey_show and speed up the command.

Martin

From rcritten at redhat.com Mon Jul 25 15:02:25 2011
From: rcritten at redhat.com (Rob Crittenden)
Date: Mon, 25 Jul 2011 11:02:25 -0400
Subject: [Freeipa-devel] [PATCH] 838 pull in arch-specific cyrus-sasl-gssapi
In-Reply-To: <4E2D306F.409@redhat.com>
References: <4E297BC5.1090101@redhat.com> <4E2D306F.409@redhat.com>
Message-ID: <4E2D8581.1070400@redhat.com>

Jan Cholasta wrote:
> On 22.7.2011 15:31, Rob Crittenden wrote:
>> We need a specific requires on the arch-specific cyrus-sasl-gssapi.
>>
>> This was discovered by a user that had the 32-bit client package
>> installed on a 64-bit server. The GSSAPI SASL mechanism wasn't available
>> because he had only the 64-bit cyrus-sasl-gssapi library installed. This
>> adds a more specific Requires that should fix it.
>>
>> rob
>>
>
> ACK.
>
> Honza
>

pushed to ipa-2-0 and master

From abokovoy at redhat.com Mon Jul 25 15:05:14 2011
From: abokovoy at redhat.com (Alexander Bokovoy)
Date: Mon, 25 Jul 2011 18:05:14 +0300
Subject: [Freeipa-devel] [WIP] Add command to test HBAC rules
In-Reply-To: <4E2D7A1B.5070205@redhat.com>
References: <4E29439D.5040803@redhat.com> <4E2980FF.1090809@redhat.com> <4E29D3EA.5070903@redhat.com> <4E29D933.5090205@redhat.com> <4E2D5AB9.4010104@redhat.com> <4E2D73C1.40900@redhat.com> <4E2D79E1.20006@redhat.com> <4E2D7A1B.5070205@redhat.com>
Message-ID: <4E2D862A.7020207@redhat.com>

On 25.07.2011 17:13, Dmitri Pal wrote:
> On 07/25/2011 10:12 AM, Rob Crittenden wrote:
>> My only problem with --all is it means we'd have an option with
>> different meaning in different contexts. Would this cause confusion?
>
> Yes this is exactly where I am coming from too.

I see where you are going but the problem here is that the original --all has one important issue:

- it changes CLI output even if I don't use output.Entry() in the plugin's has_output spec.

This creates confusion from another perspective -- we can't use --all for saying 'I want the simulation to apply to ALL IPA enabled rules' and this makes it impossible to distinguish two cases:

- I want to run simulation against enabled IPA rules and the ones I specified in the --rules command *with* detailed information about which rules passed and which did not (ipa hbactest --rules=[list] --all --detail).

- I want to run simulation against enabled IPA rules and the ones I specified in the --rules command *without* detailed information about which rules passed and which did not (ipa hbactest --rules=[list] --all).

I had to override output_for_cli() to disable this behavior. I'd love to disable the standard --all and --raw for the hbactest command because they make little sense for it.

If --all is seen as confusing with regards to uniform handling with other options, I can propose the two following options:

--enabled -- add all enabled IPA rules into simulation
--disabled -- add all disabled IPA rules into simulation

ipa [...] --rules=[list] --[enabled|disabled] [--detail]

would cover:

1. Test user against rules specified in --rules, optionally adding all enabled (disabled) IPA rules, and show detailed information about which rules passed and which did not.

2. Test user against rules specified in --rules, optionally adding all enabled (disabled) IPA rules, and report whether the user would pass the check.

--
/ Alexander Bokovoy

From rcritten at redhat.com Mon Jul 25 15:08:14 2011
From: rcritten at redhat.com (Rob Crittenden)
Date: Mon, 25 Jul 2011 11:08:14 -0400
Subject: [Freeipa-devel] [PATCH] 839 check for duplicate keys when adding indirect maps
In-Reply-To: <1311606141.15492.32.camel@dhcp-25-52.brq.redhat.com>
References: <4E2D78C5.60507@redhat.com> <1311606141.15492.32.camel@dhcp-25-52.brq.redhat.com>
Message-ID: <4E2D86DE.1030304@redhat.com>

Martin Kosek wrote:
> On Mon, 2011-07-25 at 10:08 -0400, Rob Crittenden wrote:
>> When adding an indirect map verify that the key doesn't already exist.
>>
>> There is still the chance of collision but checking first should limit
>> it in any case.
>>
>> https://fedorahosted.org/freeipa/ticket/1520
>>
>> rob
>
> This patch is OK functionally, but it can be improved. This command
> consists of 2 sub-commands. Checking for one sub-command's corner case
> (by automountkey_show) may be OK for now, but it doesn't cover the
> situation when the second sub-command fails for some other error.
>
> I think this is what we should do:
>
> try:
>     automountmap_add
>     automountkey_add
> except Exception, e:
>     Clean up - remove possibly created automountmap
>     raise e
>
> That way we will be covered for more corner cases + we will save one
> automountkey_show and speed up the command.
>
> Martin

Except in the case where a user is delegated to only be able to add maps/keys and not remove them. Still, this method is easier to understand, I'll consider it.

rob

From abokovoy at redhat.com Mon Jul 25 15:15:29 2011
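The try/except-with-cleanup shape Martin proposes, together with the delegation case Rob raises (a caller allowed to add maps and keys but not to delete them), can be seen in the following added example. It is not FreeIPA code: FakeAutomountStore is a constructed stand-in for the automountmap_add, automountkey_add and automountmap_del sub-commands, and add_indirect_map is a hypothetical wrapper written in Python 3 syntax.

```python
"""Two-step command with compensating cleanup (constructed example, not FreeIPA code)."""


class CommandError(Exception):
    """Base error raised by a sub-command."""


class DuplicateEntry(CommandError):
    """The map or key already exists."""


class ACIError(CommandError):
    """The caller is not permitted to perform the operation."""


class FakeAutomountStore:
    """Stand-in for the directory backend (assumption: not the real IPA API).

    can_delete=False models a delegated user who may add maps and keys but
    may not remove them.
    """

    def __init__(self, can_delete=True):
        self.maps = set()      # {(location, mapname)}
        self.keys = set()      # {(location, parentmap, key)}
        self.can_delete = can_delete

    def automountmap_add(self, location, mapname):
        if (location, mapname) in self.maps:
            raise DuplicateEntry(f"map {mapname} already exists")
        self.maps.add((location, mapname))

    def automountkey_add(self, location, parentmap, key, info):
        if (location, parentmap, key) in self.keys:
            raise DuplicateEntry(f"key {key} already exists in {parentmap}")
        self.keys.add((location, parentmap, key))

    def automountmap_del(self, location, mapname):
        if not self.can_delete:
            raise ACIError(f"not permitted to delete map {mapname}")
        self.maps.discard((location, mapname))


def add_indirect_map(store, location, mapname, key, parentmap="auto.master"):
    """Create the map, then the key pointing at it; undo the map if the key fails.

    Returns (True, None) on success and (False, message) on failure. When the
    cleanup itself is refused (no delete permission), the message says so, so
    the orphaned map is reported rather than silently left behind.
    """
    map_created = False
    try:
        store.automountmap_add(location, mapname)
        map_created = True
        store.automountkey_add(location, parentmap, key, mapname)
    except CommandError as err:
        if not map_created:
            # The first sub-command failed: nothing to roll back.
            return False, str(err)
        try:
            store.automountmap_del(location, mapname)
        except CommandError as cleanup_err:
            return False, f"{err}; cleanup failed: {cleanup_err} (map {mapname} left behind)"
        return False, str(err)
    return True, None


if __name__ == "__main__":
    # Constructed sample run: a delegated caller hits a duplicate key.
    store = FakeAutomountStore(can_delete=False)
    store.keys.add(("default", "auto.master", "/home"))
    print(add_indirect_map(store, "default", "auto.home", "/home"))
```

The flag map_created is what makes "remove possibly created automountmap" precise: a failure in automountmap_add itself must not trigger a delete of a map that may belong to someone else.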
From: abokovoy at redhat.com (Alexander Bokovoy)
Date: Mon, 25 Jul 2011 18:15:29 +0300
Subject: [Freeipa-devel] [WIP] Add command to test HBAC rules
In-Reply-To: <4E2D73C1.40900@redhat.com>
References: <4E29439D.5040803@redhat.com> <4E2980FF.1090809@redhat.com> <4E29D3EA.5070903@redhat.com> <4E29D933.5090205@redhat.com> <4E2D5AB9.4010104@redhat.com> <4E2D73C1.40900@redhat.com>
Message-ID: <4E2D8891.4090107@redhat.com>

On 25.07.2011 16:46, Dmitri Pal wrote:
>> Now if you specify --rules, hbactest will only try to simulate login
>> using these rules. You would need to add --all to force considering all
>> IPA enabled rules.
>
> I like the functionality but --all does not sound right, maybe it
> should be --enabled or something else.

To keep the discussion focused, see the other email where I go into detail about --all.

>> --validate got replaced by --detail which simply tries to run simulation
>> one by one and report results for each rule. You can apply it for any
>> run, with or without --rules and --all.
>
> Maybe --detail should be something like --each or --checkeach or
> --iterate. The expectation about the term "detail" is a bit different.
> The functionality seems OK though.

There is no functional difference in rule checking with or without --detail -- in both cases pyhbac would go through all designated rules. The difference is only in how much information we can get from the HBAC request -- it is a single yes/no for the whole ruleset or a detailed yes/no per each rule in the ruleset.

The problem here is that it should have been a --verbose option in the first place. However, the --verbose option is already a global one and it will give you additional information about the functioning of the framework itself, which is less useful for an admin than understanding which rule is breaking the successful access (or which rule prevents access decline). Due to this ambiguity I had to select another option name.

>> If --rules contains a name of a non-existent rule, it is simply ignored.
>> So if I asked to verify against --rule=foobar where there is no such
>> rule, should there be an error message for such cases? Right now you'll get
>> False (access is not granted) and --detail will not show any rules.
>
> It should be an error IMO. The reason is that you might have mistyped
> something and think you checked the rule that you mistyped but it
> would turn out that you did not.

Ok, will look into how to implement that.

>> Now, the only mode left out is batch verification of all disabled rules
>> for the purpose of checking their correctness.
>
> The more I think about it the more I lean towards just having --disabled
> to include all disabled rules instead of listing them explicitly in
> --rules. It is more a convenience aggregation than any difference in
> behavior.

These are totally different use cases. I might have tons of disabled rules, for different reasons. A single or a few disabled rules might be the ones I'm testing right now before putting them into production. It means that --rules has a different use than --disabled. The latter is rather a quick check for cases where all disabled rules are just new ones and not a mixture of historical accidents and new not-yet-applied rules. Given my experience with real world installations, the mixture case is rather common in many deployments (not specifically IPA-related, but system administration at large).

>> Such a request
>> could be done without any specific (user, source host, target host,
>> service) tuple because we are only interested in HBAC_EVAL_ERROR return
>
> I am not sure I understand. What kind of condition would return such an
> error?

This is the case when a rule is incomplete from SSSD's point of view. SSSD checks it and finds it incomplete, which causes a deny for this specific rule and reports back HBAC_EVAL_ERROR.

--
/ Alexander Bokovoy

From abokovoy at redhat.com Mon Jul 25 15:29:38 2011
From: abokovoy at redhat.com (Alexander Bokovoy)
Date: Mon, 25 Jul 2011 18:29:38 +0300
Subject: [Freeipa-devel] [WIP] Add command to test HBAC rules
In-Reply-To: <1575370435.223909.1311602801326.JavaMail.root@zmail05.collab.prod.int.phx2.redhat.com>
References: <1575370435.223909.1311602801326.JavaMail.root@zmail05.collab.prod.int.phx2.redhat.com>
Message-ID: <4E2D8BE2.6020707@redhat.com>

On 25.07.2011 17:06, Jenny Galipeau wrote:
> I like the functionality but --all does not sound right, maybe it
> should be --enabled or something else.
>
> how about :
> --disabled
> --all (both enabled and disabled)

Checking against all enabled and disabled makes very little sense. Rules might be disabled for different reasons -- a rule might have been just created, a rule is temporarily disabled, a rule is disabled permanently but not yet slated for removal because the SOX compliance work hasn't been done, to name a few. The state of the IPA database does not always reflect the exact state of organizational madness or sanity...

I would rather separate:
- checking against all enabled IPA rules (default operation)
- checking against specific IPA rules (--rules)
- checking against specific IPA rules + standard check (all enabled IPA rules)
- checking against all disabled IPA rules.

These are all different cases. They would be covered by the following option combinations of [--enabled] [--disabled] and [--rules]:

1. No option specified. Default case, run simulation against all enabled IPA rules.

2. --rules specified. Run simulation against only those rules in --rules.

3. --rules and --enabled specified. Run simulation against all enabled IPA rules _and_ additionally enable those in --rules. This is the case of testing new HBAC rules before going to production.

4. --rules and --disabled specified. Run simulation against all disabled IPA rules and those in --rules. Could only make sense for cases of migration where all previous rules are switched off and then enabled one-by-one.

5. --disabled and --enabled specified together. Run simulation against all IPA rules, regardless of their state. Sort of similar to (4).

6. --disabled and --enabled, and --rules specified together. A bit too much, as --disabled and --enabled together would cover all rules already and there is no space left for --rules (all rules you could mention in --rules are already enabled for simulation).

> I too am confused with --detail. What does "Detail rule execution"
> mean? I do not like --iterate, this is a developer term and not
> specific to what the user should expect as a behavior.

What we check with hbactest is whether a user would be able to access the specified service on the target host when coming from a source host. In order to grant such access, SSSD checks this combination of conditions against all enabled IPA rules (HBAC rules) and gives a single answer: yes/no, grant access or deny it.

During test simulation of such access granting it is important to understand which rule has caused a problem, be it an excessive access grant or a premature deny. '--detail' is an option which allows you to see how the simulation went, which rules granted access and which denied. Conceptually it should have been --verbose but verbose is already a global option taken by the IPA framework.

> +1 error - this would match the behavior of all other CLIs.

Ok.

--
/ Alexander Bokovoy

From jcholast at redhat.com Mon Jul 25 16:00:07 2011
From: jcholast at redhat.com (Jan Cholasta) Date: Mon, 25 Jul 2011 18:00:07 +0200 Subject: [Freeipa-devel] [PATCH] 34 Make sure that hostname specified by user is not an IP address Message-ID: <4E2D9307.8000105@redhat.com> This is a quick fix to make sure that the hostname passed to ipa-server-install, ipa-client-install and ipa-replica-prepare is not an IP address. The other install tools that accept a hostname as a parameter aren't affected, as they already either doesn't accept IP addresses (ipa-replica-manage, ipa-csreplica-manage) or work fine with them (ipa-replica-conncheck). https://fedorahosted.org/freeipa/ticket/1375 I'm working on patch that does the (hopefully) right thing and uses a new type for storing hostnames, which does all the validation (similar to what we do with IP addresses in the installer), but I'll submit that later. Honza -- Jan Cholasta -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-jcholast-34-hostname-ip-address.patch Type: text/x-patch Size: 2338 bytes Desc: not available URL: From edewata at redhat.com Mon Jul 25 16:19:22 2011 From: edewata at redhat.com (Endi Sukma Dewata) Date: Mon, 25 Jul 2011 11:19:22 -0500 Subject: [Freeipa-devel] [PATCH] 222 New icons for entitlement buttons Message-ID: <4E2D978A.1050400@redhat.com> The entitlement facets have been modified to use the new icons provided by Kyle Baker. Ticket #1425 -- Endi S. Dewata -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-edewata-0222-New-icons-for-entitlement-buttons.patch Type: text/x-patch Size: 6998 bytes Desc: not available URL: From ayoung at redhat.com Mon Jul 25 16:56:40 2011 
From: ayoung at redhat.com (Adam Young)
Date: Mon, 25 Jul 2011 12:56:40 -0400
Subject: [Freeipa-devel] [PATCH] 0270-removing-setters-setup-and-init
In-Reply-To: <4E2A0698.6000402@redhat.com>
References: <4E2614DD.4090301@redhat.com> <4E26157A.5080609@redhat.com> <4E2729F2.3010409@redhat.com> <4E273193.4080506@redhat.com> <4E276E10.4010207@redhat.com> <4E278D5C.9020803@redhat.com> <4E28E8C4.6040201@redhat.com> <4E29989B.4090209@redhat.com> <4E29B0EA.6010909@redhat.com> <4E2A0698.6000402@redhat.com>
Message-ID: <4E2DA048.8040507@redhat.com>

The last patch introduced another JSL error with the use of true and false as object properties. This version accesses them as strings.

On 07/22/2011 07:24 PM, Endi Sukma Dewata wrote:
> On 7/22/2011 12:18 PM, Endi Sukma Dewata wrote:
>> On 7/22/2011 10:34 AM, Adam Young wrote:
>>> While this version has a Navigation fix in it, it is going to be
>>> rebased on top of Endi Dewata's patch for putting the state inside
>>> each of the facets.
>>
>> Rebased. I'll continue the review.
>
> Some issues:
>
> 30. The IPA.spacer_widget is used to create spacing for layout.
> Widgets should not be used this way because it diverges from the
> original design. Widgets are supposed to correspond to an attribute. It
> has a name (required for storing in a map), metadata, load/save/undo
> methods, none of which is relevant for a spacer. Also, it only handles a
> narrow case for creating a space between 2 fields which I think is better
> handled using sections. This should be addressed in a separate patch.
>
> 31. The create() should only be used to create the visual elements.
> Creating fields, columns, etc. should not be done inside create()
> because we might decide to destroy the HTML elements of hidden facets
> and recreate them again. In that case the fields will be duplicated.
> Also, by delaying the creation of the fields it makes the object
> incomplete after creation, which is the reason for removing init().
>
> 32. This is an existing problem but it's worsening without init().
> Since there is no class constructor, the initialization code is
> scattered throughout the class, making it difficult to maintain. Some
> code needs to be written in a certain position, but in general should we
> move the initialization code to the bottom of the class (to make sure
> all methods are already defined)? Or should init() be used as a
> constructor and called at the bottom of the class?
>
> 33. In association.js:661 the spec object is referenced without
> ensuring it's not null. The code below it is supposed to do that.
>
> 34. Commented code in entity.js:746 can be removed.
>
> 35. Commented code in widget_tests.js:181 can be removed.
>
> 36. The widget_create() is called twice in widget.js:1597.
>
> 37. Untranslated True/False labels in HBAC and sudo.
>
> 38. The file install/ui/rule.js~ got included.
>
> 39. There are jslint warnings.
>
> 40. The selenium tests could be fixed in a separate patch and probably
> pushed earlier. I have not run them.

-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-admiyo-0270-11-removing-setters-setup-and-init.patch
Type: text/x-patch
Size: 189668 bytes
Desc: not available
URL:

From jgalipea at redhat.com Mon Jul 25 16:57:40 2011
From: jgalipea at redhat.com (Jenny Galipeau) Date: Mon, 25 Jul 2011 12:57:40 -0400 (EDT) Subject: [Freeipa-devel] [WIP] Add command to test HBAC rules In-Reply-To: <4E2D8BE2.6020707@redhat.com> Message-ID: <1383009380.228321.1311613060175.JavaMail.root@zmail05.collab.prod.int.phx2.redhat.com> ----- Original Message ----- > On 25.07.2011 17:06, Jenny Galipeau wrote: > > I like the functionality but --all does not sound right, may be > > it > > should be --enabled or something else. > > > > how about : > > --disabled > > --all (both enabled and disabled) > Checking against all enabled and disabled makes very little sense. > Rules > might be disabled for different reasons -- a rule might have been just > created, a rule is temporary disabled, a rule is disabled permanently > but not yet slated for removal due to SOX compliance work haven't been > done, to name a few. A state of IPA database does not always reflect > exact state of organizational madness or sanity... > > I would rather separate: > - checking against all enabled IPA rules (default operation) > - checking against specific IPA rules (--rules) > - checking against specific IPA rules + standard check (all enabled > IPA > rules) > - checking against all disabled IPA rules. > > These all are different cases. These cases would be covered by > following > option combination of [--enabled] [--disabled] and [--rules]: > > 1. No option specified. Default case, run simulation against all > enabled > IPA rules. > > 2. --rules specified. Run simulation against only those rules in > --rules. > > 3. --rules and --enabled specified. Run simulation against all enabled > IPA rules _and_ additionally enable those in --rules. This is a case > of > testing new HBAC rules before going to production. If you are not going to target specific rules, do you still have to supply the --rules option on the command line? I would think just --enabled or --disabled? > > 4. --rules and --disabled specified. 
Run simulation against all > disabled > IPA rules and those in --rules. Could only make sense for cases of > migration where all previous rules are switched off and then enabled > one-by-one. > > 5. --disabled and --enabled specified together. Run simulation against > all IPA rules, regardless of their state. Sort of similar to (4). > > 6. --disabled and --enabled, and --rules specified together. A bit too > much as --disabled and --enabled together would cover all rules > already > and there is no space left for --rules (all rules you could mention in > --rules are already enabled for simulation). > > > I too am confused with --detail. What does "Detail rule execution" > > mean? I do not like --iterate, this is a developer term and not > > specific to what the user should expect as a behavior. > What we check with hbactest is whether user would be able to access > specified service on the target host when coming from a source host. > In > order to grant such access, SSSD checks this combination of conditions > against all enabled IPA rules (HBAC rules) and gives a single answer: > yes/no, grant access or deny it. > > During test simulation of such access granting it is important to > understand which rule has caused a problem, be it excessive access > grant > or premature deny. '--detail' is an option which allows to see how > simulation went, which rules granted access and which denied. Got it , so maybe it was just the wording in the help output that confused me. "Details of the rule(s) being validated" ? > > Conceptually it should have been --verbose but verbose is already > global > option taken by IPA framework. > > > +1 error - this would match the behavior of all other CLIs. > Ok. > > > -- > / Alexander Bokovoy -- Looking to carve out IT costs? www.redhat.com/carveoutcosts/ Jenny Galipeau Principal Software QA Engineer Red Hat, Inc. Security Engineering From abokovoy at redhat.com Mon Jul 25 17:01:45 2011 
From: abokovoy at redhat.com (Alexander Bokovoy) Date: Mon, 25 Jul 2011 20:01:45 +0300 Subject: [Freeipa-devel] [WIP] Add command to test HBAC rules In-Reply-To: <1383009380.228321.1311613060175.JavaMail.root@zmail05.collab.prod.int.phx2.redhat.com> References: <1383009380.228321.1311613060175.JavaMail.root@zmail05.collab.prod.int.phx2.redhat.com> Message-ID: <4E2DA179.9030906@redhat.com> On 25.07.2011 19:57, Jenny Galipeau wrote: >> 1. No option specified. Default case, run simulation against all >> enabled >> IPA rules. >> >> 2. --rules specified. Run simulation against only those rules in >> --rules. >> >> 3. --rules and --enabled specified. Run simulation against all enabled >> IPA rules _and_ additionally enable those in --rules. This is a case >> of >> testing new HBAC rules before going to production. > > If you are not going to target specific rules, do you still have to supply the --rules option on the command line? I would think just --enabled or --disabled? By default, if you don't supply --rules, --enabled, or --disabled, you are targeting all enabled IPA rules (case 1 above). This is default because this is what people would probably like to test: whether user is able to access the service. So, default one (no --rules, --enabled, or disabled) would imply --enabled. >> During test simulation of such access granting it is important to >> understand which rule has caused a problem, be it excessive access >> grant >> or premature deny. '--detail' is an option which allows to see how >> simulation went, which rules granted access and which denied. > > Got it , so maybe it was just the wording in the help output that confused me. "Details of the rule(s) being validated" ? May be "Show which rules are passed, denied, and invalid"? -- / Alexander Bokovoy From ayoung at redhat.com Mon Jul 25 18:04:07 2011 
From: ayoung at redhat.com (Adam Young) Date: Mon, 25 Jul 2011 14:04:07 -0400 Subject: [Freeipa-devel] [PATCH] 222 New icons for entitlement buttons In-Reply-To: <4E2D978A.1050400@redhat.com> References: <4E2D978A.1050400@redhat.com> Message-ID: <4E2DB017.4020902@redhat.com> On 07/25/2011 12:19 PM, Endi Sukma Dewata wrote: > The entitlement facets have been modified to use the new icons > provided by Kyle Baker. > > Ticket #1425 > > > _______________________________________________ > Freeipa-devel mailing list > Freeipa-devel at redhat.com > https://www.redhat.com/mailman/listinfo/freeipa-devel ACK. pushed to master -------------- next part -------------- An HTML attachment was scrubbed... URL: From ayoung at redhat.com Mon Jul 25 18:41:38 2011 From: ayoung at redhat.com (Adam Young) Date: Mon, 25 Jul 2011 14:41:38 -0400 Subject: [Freeipa-devel] [PATCH] 001 fixed empty dns record update In-Reply-To: <1311583048.2338.41.camel@dhcp-25-197.brq.redhat.com> References: <1311583048.2338.41.camel@dhcp-25-197.brq.redhat.com> Message-ID: <4E2DB8E2.5010904@redhat.com> On 07/25/2011 04:37 AM, Petr Vobornik wrote: > https://fedorahosted.org/freeipa/ticket/1477 > > Redirection after updating empty DNS Record (which is deleted). > Added hook to details facet for post update operation. > > Petr > > > _______________________________________________ > Freeipa-devel mailing list > Freeipa-devel at redhat.com > https://www.redhat.com/mailman/listinfo/freeipa-devel ACK. However, before pusing, please update ipa_init.json -------------- next part -------------- An HTML attachment was scrubbed... URL: From edewata at redhat.com Mon Jul 25 19:24:38 2011 
From: edewata at redhat.com (Endi Sukma Dewata) Date: Mon, 25 Jul 2011 14:24:38 -0500 Subject: [Freeipa-devel] [PATCH] 223 Fixed problem bookmarking Policy/IPA Server tabs Message-ID: <4E2DC2F6.60304@redhat.com> When opening a bookmark, each tab level will be updated separately from top to bottom according to the URL state. The navigation code has been modified to recognize when an ancestor tab is being updated and not change the URL state. Ticket #1521 -- Endi S. Dewata -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-edewata-0223-Fixed-problem-bookmarking-Policy-IPA-Server-tabs.patch Type: text/x-patch Size: 3394 bytes Desc: not available URL: From rcritten at redhat.com Mon Jul 25 20:47:57 2011 From: rcritten at redhat.com (Rob Crittenden) Date: Mon, 25 Jul 2011 16:47:57 -0400 Subject: [Freeipa-devel] [PATCH] 34 Make sure that hostname specified by user is not an IP address In-Reply-To: <4E2D9307.8000105@redhat.com> References: <4E2D9307.8000105@redhat.com> Message-ID: <4E2DD67D.5060904@redhat.com> Jan Cholasta wrote: > This is a quick fix to make sure that the hostname passed to > ipa-server-install, ipa-client-install and ipa-replica-prepare is not an > IP address. The other install tools that accept a hostname as a > parameter aren't affected, as they already either doesn't accept IP > addresses (ipa-replica-manage, ipa-csreplica-manage) or work fine with > them (ipa-replica-conncheck). > > https://fedorahosted.org/freeipa/ticket/1375 > > I'm working on patch that does the (hopefully) right thing and uses a > new type for storing hostnames, which does all the validation (similar > to what we do with IP addresses in the installer), but I'll submit that > later. > > Honza Ack, pushed to master. rob From dpal at redhat.com Mon Jul 25 21:13:21 2011 
From: dpal at redhat.com (Dmitri Pal)
Date: Mon, 25 Jul 2011 17:13:21 -0400
Subject: [Freeipa-devel] [WIP] Add command to test HBAC rules
In-Reply-To: <4E2DA179.9030906@redhat.com>
References: <1383009380.228321.1311613060175.JavaMail.root@zmail05.collab.prod.int.phx2.redhat.com> <4E2DA179.9030906@redhat.com>
Message-ID: <4E2DDC71.5080202@redhat.com>

On 07/25/2011 01:01 PM, Alexander Bokovoy wrote:
> On 25.07.2011 19:57, Jenny Galipeau wrote:
>>> 1. No option specified. Default case, run simulation against all
>>> enabled IPA rules.
>>>
>>> 2. --rules specified. Run simulation against only those rules in
>>> --rules.
>>>
>>> 3. --rules and --enabled specified. Run simulation against all enabled
>>> IPA rules _and_ additionally enable those in --rules. This is the case
>>> of testing new HBAC rules before going to production.
>> If you are not going to target specific rules, do you still have to
>> supply the --rules option on the command line? I would think just
>> --enabled or --disabled?

--rules is needed to specify additional rules.

> By default, if you don't supply --rules, --enabled, or --disabled, you
> are targeting all enabled IPA rules (case 1 above). This is the default
> because this is what people would probably like to test: whether a user is
> able to access the service.
>
> So, the default one (no --rules, --enabled, or --disabled) would imply --enabled.

Ok, are we settled on:

--enabled (if all flags are omitted this is default)
--disabled
--rules=a,b,c

or on

--enabled=A, B, C (if all flags are omitted this is default)
--disabled=X, Y, Z

>>> During test simulation of such access granting it is important to
>>> understand which rule has caused a problem, be it an excessive access
>>> grant or a premature deny. '--detail' is an option which allows you to
>>> see how the simulation went, which rules granted access and which denied.
>> Got it, so maybe it was just the wording in the help output that
>> confused me. "Details of the rule(s) being validated" ?
> Maybe "Show which rules are passed, denied, and invalid"?

Makes sense.

--
Thank you,
Dmitri Pal

Sr. Engineering Manager IPA project,
Red Hat Inc.

-------------------------------
Looking to carve out IT costs?
www.redhat.com/carveoutcosts/

From edewata at redhat.com Tue Jul 26 00:18:22 2011
From: edewata at redhat.com (Endi Sukma Dewata) Date: Mon, 25 Jul 2011 19:18:22 -0500 Subject: [Freeipa-devel] [PATCH] 0270-removing-setters-setup-and-init In-Reply-To: <4E2DA048.8040507@redhat.com> References: <4E2614DD.4090301@redhat.com> <4E26157A.5080609@redhat.com> <4E2729F2.3010409@redhat.com> <4E273193.4080506@redhat.com> <4E276E10.4010207@redhat.com> <4E278D5C.9020803@redhat.com> <4E28E8C4.6040201@redhat.com> <4E29989B.4090209@redhat.com> <4E29B0EA.6010909@redhat.com> <4E2A0698.6000402@redhat.com> <4E2DA048.8040507@redhat.com> Message-ID: <4E2E07CE.5070902@redhat.com> On 7/25/2011 11:56 AM, Adam Young wrote: >> 30. The IPA.spacer_widget is used to create spacing for layout. >> Widgets should not be used this way because it diverges from the >> original design. Widgets are supposed to correspond to attribute. It >> has a name (required for storing in a map), metadata, load/save/undo >> methods, none of which is relevant for spacer. Also, it only handles >> a narrow case for creating a space between 2 fields which I think >> better be handled using sections. This should be addressed in a >> separate patch. > > Agreed. Fixing this will be easier to do on top of this patch. I think we should remove IPA.spacer_widget and leave the IPA.dnszone_adder_dialog unchanged for now. The current code, although it might not be very concise, is done correctly and does produce the desired layout (label on the right of the checkbox and a space below it). The IPA.spacer_widget on the other hand violates the design and still doesn't produce all the intended layout. Also, chances are the priority for fixing this afterward will be low. Suppose we change the IPA.widget to verify that all widgets have a name, this code will fail immediately. >> 31. The create() should only be used to create the visual elements. >> Creating fields, columns, etc. should not be done inside create() >> because we might decide to destroy the HTML elements of hidden facets >> and recreate it again. 
In that case the fields will be duplicated. >> Also, by delaying the creation of the fields it makes the object >> incomplete after creation, which is the reason for removing init(). > Agreed, but I'm going to postpone fixing this until after this patch. > Can you document where you see this as a problem? I think this should be done in this patch because moving the code from init() into create() changes how the code is executed (creating incomplete objects, changing the assumptions). I've listed the code that is affected in the new issues below. >> 32. This is an existing problem but it's worsening without init(). >> Since there is no class constructor, the initialization code is >> scattered throughout the class, making it difficult to maintain. Some >> code needs to be written in certain position, but in general should we >> move the initialization code to the bottom of the class (to make sure >> all methods are already defined)? Or should init() be used as a >> constructor and called at the bottom of the class? > Instead of making a generic init function call, I think making smaller > (potentially reusable) functions for related chunks of code, and then > calling all of them at the bottom of the "constructor" makes the most > sense. I did a little bit of this in this patch for the various sections > of rules details facets, and I think it will have the desired effect. Let me clarify the problem, in some of our code the initialization code is intermixed with attribute declarations and function definitions which makes it hard to understand and maintain. IPA.some_class = function() { ... ... ... ... ... ... ... ... ... ... }; It's not always clear what attributes the class has or when they are initialized. In many cases function invocation looks similar to function definition, so you'd have to carefully read it. Sometimes there are unexpected function invocation in the middle of the class definition. 
Removing the init() and moving the initialization code into the class definition (different from issue #31) exacerbates the problem further because it blurs the boundary between function definition and invocation.

The solution is to move the initialization code into a single contiguous location and clearly mark it as constructor. One option is to wrap the initialization code in a function and call it from the bottom of the class.

    IPA.some_class = function() {
        ...
        ...
        that.init = function() { // Constructor
            ...
            ...
        };
        ...
        ...
        that.init(); // Call constructor
    };

The new init() is different from the old init() because it's executed before the new instance is returned to the caller.

The other option is to move the code to the bottom of the class and mark the area as constructor.

    IPA.some_class = function() {
        ...
        ...
        ...
        ...
        // Constructor
        ...
        ...
    };

I prefer to use the wrapper because it mimics the constructor definition in proper OO languages. Also we can keep the initialization code at the beginning of the class, which is more intuitive and reduces the changes to the code. But either way will work just fine.

We can still refactor the initialization code into reusable functions like you described. It should look like this:

    IPA.some_class = function() {
        ...
        that.init = function() {
            that.func1();
            that.func2();
        };
        that.func1 = function() {
            ...
        };
        that.func2 = function() {
            ...
        };
        ...
        that.init();
    };

But not like this:

    IPA.some_class = function() {
        ...
        that.func1 = function() {
            ...
        };
        that.func1();
        ...
        that.func2 = function() {
            ...
        };
        ...
        that.func2();
    };

Here is the itemized list of issues:

41. The radio buttons in the 'As Whom' section in the sudo rule section are missing the labels. It should show the doc attributes of the ipasudorunasusercategory and ipasudorunasgroupcategory.

42. The code in widget.js:1124-1128 can be replaced with this:

    that.entity_name = spec.entity ? spec.entity.name : spec.entity_name;

In general attribute declarations should be 1-liners. If it takes more than 1 line it should be done in the constructor.

43. The initialization code (set_param_info) in IPA.widget (widget.js:80) was originally in init(). It should be moved into the constructor.

44. The initialization code in IPA.column (widget.js:1135-1147) was originally in init(). It should be moved into the constructor.

45. The initialization code (field creation) in IPA.target_section (aci.js:401-433) should be moved into the constructor. This is an existing issue so it can be fixed separately, but this is just to show the problem we are dealing with.

46. The attribute declaration (target_types) in IPA.target_section (aci.js:458-592) should be moved to the beginning of the class. This is also an existing issue.

47. The initialization code (option creation) in IPA.rights_widget (aci.js:366-369) was originally in init(). It should be moved into the constructor.

48. The initialization code (button creation) in IPA.add_dialog (add.js:48-93) was moved from init() to create(). It should be moved into the constructor.

49. The initialization code (column creation) in IPA.association_adder_dialog (association.js:157-165) was moved from init() to create(). It should be moved into the constructor.

50. The attribute declaration (NORMAL_HEIGHT and WITH_EXTERNAL_HEIGHT) in IPA.adder_dialog (dialog.js:341-342) should be moved to the beginning of the class.

51. The initialization code (spec validation and table creation) in IPA.adder_dialog (dialog.js:305-311 and 345-367) was moved from init() to create(). It should be moved into the constructor.

52. The initialization code (table creation) in IPA.sudo.options_section (sudo.js:603-638) was originally in init(). It should be moved into the constructor.

53. The initialization code (field creation) in IPA.sudo.rule_details_command_section (sudo.js:784-823) was originally in init(). It should be moved into the constructor.

54. The initialization code (field creation) in IPA.sudo.rule_details_runas_section (sudo.js:967-1020) was moved from init() to create(). It should be moved into the constructor.

55. The initialization code (column creation) in IPA.sudo.rule_association_adder_dialog (sudo.js:1185-1208) was moved from init() into create(). It should be moved into the constructor.

There may be more similar problems. It's a long patch...

--
Endi S. Dewata
From: ayoung at redhat.com (Adam Young)
Date: Mon, 25 Jul 2011 21:59:19 -0400
Subject: [Freeipa-devel] [PATCH] 0270-removing-setters-setup-and-init
In-Reply-To: <4E2E07CE.5070902@redhat.com>
References: <4E2614DD.4090301@redhat.com> <4E26157A.5080609@redhat.com> <4E2729F2.3010409@redhat.com> <4E273193.4080506@redhat.com> <4E276E10.4010207@redhat.com> <4E278D5C.9020803@redhat.com> <4E28E8C4.6040201@redhat.com> <4E29989B.4090209@redhat.com> <4E29B0EA.6010909@redhat.com> <4E2A0698.6000402@redhat.com> <4E2DA048.8040507@redhat.com> <4E2E07CE.5070902@redhat.com>
Message-ID: <4E2E1F77.1060209@redhat.com>

On 07/25/2011 08:18 PM, Endi Sukma Dewata wrote:
> I think we should remove IPA.spacer_widget and leave the
> IPA.dnszone_adder_dialog unchanged for now. The current code, although
> it might not be very concise, is done correctly and does produce the
> desired layout (label on the right of the checkbox and a space below
> it). The IPA.spacer_widget on the other hand violates the design and
> still doesn't produce all the intended layout. Also, chances are the
> priority for fixing this afterward will be low. Suppose we change the
> IPA.widget to verify that all widgets have a name, this code will fail
> immediately.

Can't: the code you had working was based on the split of a couple of the functions, and now the pieces needed from the base class are not split out. Getting this to work again will require either significant code duplication or reworking of the DNS class, and neither is preferable to a short-lived space_widget. The best we can do is remove the space_widget and not have any visual separation, and then do the visual separation in a different patch. I didn't want to change what you had working in this patch, but I had to do something to get it to work again.

For the rest of the review issues, I think I would prefer the other option: "move the code to the bottom of the class and mark the area as constructor." However sometimes some code needs to be done prior to the baseclass call:

    modify_spec(spec);

    var that = IPA.base_class(spec);
    . . .

And then, in many places, we do

    that.create = function(container){...}

If we moved the code to the bottom, we'd have to do

    IPA.something = function(spec){
        function create(container){}
        //constructor
        modify_spec(spec);
        var that = IPA.base_class(spec);
        that.create = create;
        return that;
    }

Which is probably a better coding practice, but would change a lot of code. Our coding standard should probably be:

    NAMESPACE.function_name = function(spec){
        //private variable declaration.
        //private member functions, to include function bodies that will be made public at the end
        //code that must run prior to baseclass call
        var that = IPA.baseclass(spec);
        //public variables
        that.var_name = spec.var_name || '';
        //public function definitions:
        that.create = create;
        return that;
    }

I'd like to get away from how we do super functions, too, but that is probably too ambitious. I feel like our current approach is fragile, and bucks the language, but the alternative is to use prototype inheritance, and again, that would change a lot of code, and the super method calling is not standardized anyway.

I think that all the changes you have enumerated fall into the realm of "we need a standard but one has not been set yet." I'd like to get this patch in as is, and meanwhile we can hammer out what that standard should be.
From: ayoung at redhat.com (Adam Young)
Date: Mon, 25 Jul 2011 23:09:46 -0400
Subject: [Freeipa-devel] [PATCH] 001 fixed empty dns record update
In-Reply-To: <4E2DB8E2.5010904@redhat.com>
References: <1311583048.2338.41.camel@dhcp-25-197.brq.redhat.com> <4E2DB8E2.5010904@redhat.com>
Message-ID: <4E2E2FFA.9030107@redhat.com>

On 07/25/2011 02:41 PM, Adam Young wrote:
> On 07/25/2011 04:37 AM, Petr Vobornik wrote:
>> https://fedorahosted.org/freeipa/ticket/1477
>>
>> Redirection after updating empty DNS Record (which is deleted).
>> Added hook to details facet for post update operation.
>>
>> Petr
>
> ACK. However, before pushing, please update ipa_init.json

ACK and pushed to master. I realized that you don't have push permissions yet. We'll catch the ipa_init updates in the next patch that updates the ipa_init file.
From: abokovoy at redhat.com (Alexander Bokovoy)
Date: Tue, 26 Jul 2011 06:23:13 +0300
Subject: [Freeipa-devel] [WIP] Add command to test HBAC rules
In-Reply-To: <4E2DDC71.5080202@redhat.com>
References: <1383009380.228321.1311613060175.JavaMail.root@zmail05.collab.prod.int.phx2.redhat.com> <4E2DA179.9030906@redhat.com> <4E2DDC71.5080202@redhat.com>
Message-ID: <4E2E3321.3070704@redhat.com>

On 26.07.2011 00:13, Dmitri Pal wrote:
>> By default, if you don't supply --rules, --enabled, or --disabled, you
>> are targeting all enabled IPA rules (case 1 above). This is default
>> because this is what people would probably like to test: whether user is
>> able to access the service.
>>
>> So, default one (no --rules, --enabled, or disabled) would imply --enabled.
>
> Ok are we settled on:
> --enabled (if all flags are omitted this is default)
> --disabled
> --rules=a,b,c

Yes, this is my proposal too.

> or on
> --enabled=A, B, C (if all flags are omitted this is default)
> --disabled=X, Y, Z

I would rather not use this form, it does create confusion. To a user of a command it is more important to specify a rule rather than remember whether the rule was enabled or disabled in the database. It is hbactest's responsibility to find the rule, convert it to enabled if it was explicitly specified, and use it for simulation. Making --enabled/--disabled take arguments introduces unneeded information waste into the operation.

I'll send an updated patch proposal today.

--
/ Alexander Bokovoy
From: edewata at redhat.com (Endi Sukma Dewata)
Date: Mon, 25 Jul 2011 23:33:07 -0500
Subject: [Freeipa-devel] [PATCH] 0270-removing-setters-setup-and-init
In-Reply-To: <4E2E1F77.1060209@redhat.com>
References: <4E2614DD.4090301@redhat.com> <4E26157A.5080609@redhat.com> <4E2729F2.3010409@redhat.com> <4E273193.4080506@redhat.com> <4E276E10.4010207@redhat.com> <4E278D5C.9020803@redhat.com> <4E28E8C4.6040201@redhat.com> <4E29989B.4090209@redhat.com> <4E29B0EA.6010909@redhat.com> <4E2A0698.6000402@redhat.com> <4E2DA048.8040507@redhat.com> <4E2E07CE.5070902@redhat.com> <4E2E1F77.1060209@redhat.com>
Message-ID: <4E2E4383.3020605@redhat.com>

On 7/25/2011 8:59 PM, Adam Young wrote:
>> I think we should remove IPA.spacer_widget and leave the
>> IPA.dnszone_adder_dialog unchanged for now. The current code, although
>> it might not be very concise, is done correctly and does produce the
>> desired layout (label on the right of the checkbox and a space below
>> it). The IPA.spacer_widget on the other hand violates the design and
>> still doesn't produce all the intended layout. Also, chances are the
>> priority for fixing this afterward will be low. Suppose we change the
>> IPA.widget to verify that all widgets have a name, this code will fail
>> immediately.
> Can't: the code you had working was based on the split of a couple of
> the functions, and now the pieces needed from the base class are not
> split out. Getting this to work again will require either significant
> code duplication or reworking of the DNS class, and neither is
> preferable to a short lived space_widget. The best we can do is remove
> the space_widget and not have any visual separation, and then do the
> visual separation in a different patch. I didn't want to change what you
> had working in this patch, but I had to do something to get it to work
> again.

Yes, let's remove the visual separation for now.

> For the rest of the review issues, I think I would prefer the other
> option: "move the code to the bottom of the class and mark the area as
> constructor." However sometimes some code needs to be done prior to the
> baseclass call:
>
>     modify_spec(spec);
>
>     var that = IPA.base_class(spec);

This is a normal issue that happens in other OO languages too, for example:

    public class GoldenRectangle extends Rectangle {
        public GoldenRectangle(int width) {
            super(width, (int) (1.618 * width) /* height */);
        }
    }

However, the parameter modification should be kept to a minimum. Like in Java, it cannot/should not invoke any methods before calling super(). If it can't be done that way, the class needs to be redesigned (i.e. pass the parameter after creation).

> And then, in many places, we do
>
>     that.create = function(container){...}
>
> If we moved the code to the bottom, we'd have to do
>
>     IPA.something = function(spec){
>         function create(container){}
>         //constructor
>         modify_spec(spec);
>         var that = IPA.base_class(spec);
>         that.create = create;
>     }
>
> Which is probably a better coding practice, but would change a lot of code.

We don't need to change it like that. Even in the current code, the modify_spec cannot call public methods defined in 'that' because 'that' is not defined yet. It can only call private methods, which means the methods are already defined privately so we don't need to change it. See the following example, we can convert this class:

    IPA.something = function(spec) {
        ... modify spec ...
        var that = IPA.base_class(spec);
        that.init = function() {
            that.super_init();
            ... initialize instance ...
        };
        that.create = function(container) {
            ... create UI ...
        };
        return that;
    };

into this with minimal changes:

    IPA.something = function(spec) {
        ... modify spec ...
        var that = IPA.base_class(spec);
        that.init = function() {
            // don't call super_init()
            ... initialize instance ...
        };
        that.create = function(container) {
            ... create UI ...
        };
        that.init(); // call constructor
        return that;
    };

or without init():

    IPA.something = function(spec) {
        ... modify spec ...
        var that = IPA.base_class(spec);
        that.create = function(container) {
            ... create UI ...
        };
        // constructor
        ... initialize instance ...
        return that;
    };

> our coding standard should probably be:
>
>     NAMESPACE.function_name = function(spec){
>         ...
>     }

Agree on the class structure. Many classes that we have are following that format already or pretty close.

> I'd like to get away from how we do super functions, too, but that is
> probably too ambitious. I feel like our current approach is fragile, and
> bucks the language, but the alternative is to use prototype inheritance,
> and again, that would change a lot of code, and the super method calling
> is not standardized anyway.

I think to fix 'super' properly we'd have to use one of the commonly used class frameworks and convert everything. I'd rather not reinvent the wheel which will only be used in this project. That's why it's important to keep the code as close as possible to regular OO design so we are not stuck with arcane code.

> I think that all the changes you have enumerated fall into the realm of
> "we need a standard but one has not been set yet." I'd like to get this
> patch in as is, and meanwhile we can hammer out what that standard
> should be.

As mentioned in ticket #1462, the first purpose of this patch is to remove the legacy init() which was written to delay initialization due to dependency on metadata. Since now the metadata is available much earlier, we can create and initialize the object together. This is not about creating a new standard, but I think calling init() at the bottom of the class is the least invasive way to fix this. We should be able to do this without lowering the code readability.

The second purpose is to ensure the object created is valid (i.e. complete). As mentioned in issue #31, some of the initialization code is moved from init() to create() which is called even later than the old init(), so these objects will be created incomplete. There's a big risk changing the assumptions so close to release date.

The ticket also mentions a circular dependency issue. I've proposed a solution before by separating entity creation from facet/dialog creation, but we can fix this separately.

Issue #41 is a regression.

--
Endi S. Dewata
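The "init() called at the bottom of the class" pattern argued for in the two review messages above (the itemized issues and this reply), written out as a runnable model so the point about complete objects can be checked. This is an added example, not FreeIPA's widget.js: IPA.base_widget, IPA.runas_section, the field names and the is_complete() check are all assumptions made for the illustration.

```javascript
// Added example (not FreeIPA code): the "init() called at the bottom"
// constructor pattern from the review, modelled as self-contained code.
// IPA.base_widget, IPA.runas_section and the field names are assumptions.
var IPA = {};

IPA.base_widget = function(spec) {
    spec = spec || {};

    var that = {};

    // Attribute declarations: one-liners only; anything longer belongs in init().
    that.name = spec.name;
    that.label = spec.label || spec.name;
    that.fields = [];

    // Private helper: usable before 'that' has any public methods.
    function validate_spec(s) {
        if (typeof s.name !== 'string' || !s.name) {
            throw new Error('widget spec requires a name');
        }
    }

    that.add_field = function(field_name) {
        that.fields.push(field_name);
        return that;
    };

    // create() only builds UI; it relies on the object already being complete.
    that.create = function(container) {
        container.children = that.fields.map(function(f) {
            return that.name + ':' + f;
        });
        return container;
    };

    // Constructor: all initialization in one contiguous, marked place,
    // executed before the instance is handed to the caller.
    that.init = function() {
        validate_spec(spec);
        (spec.fields || []).forEach(function(f) { that.add_field(f); });
    };

    that.init();   // call constructor
    return that;
};

// Subclass: the only code that runs before the base call touches spec.
IPA.runas_section = function(spec) {
    spec = spec || {};
    spec.fields = (spec.fields || []).concat(['runasuser', 'runasgroup']);

    var that = IPA.base_widget(spec);   // base constructor has already run

    // Subclass constructor; it does not call the base init() again.
    that.init = function() {
        that.category_attrs = ['runasuser', 'runasgroup'].map(function(f) {
            return 'ipasudo' + f + 'category';
        });
    };

    that.init();
    return that;
};

// The property the review asks for: the object is valid as soon as the
// factory returns, without anyone having to call create() first.
function is_complete(widget) {
    return typeof widget.name === 'string' &&
        Array.isArray(widget.fields) && widget.fields.length > 0 &&
        Array.isArray(widget.category_attrs);
}

function demo() {
    var section = IPA.runas_section({name: 'runas', fields: ['cn']});
    return {
        complete: is_complete(section),
        fields: section.fields,
        category_attrs: section.category_attrs,
        created: section.create({}).children
    };
}
```

The subclass overrides that.init after the base factory has returned, so the base constructor runs exactly once and the subclass constructor runs once; that is the "don't call super_init()" variant from the reply. A spec without a name fails inside the factory rather than later inside create().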
From: atkac at redhat.com (Adam Tkac)
Date: Tue, 26 Jul 2011 11:09:56 +0200
Subject: [Freeipa-devel] [PATCH] bind-dyndb-ldap: make internal caching more flexible
Message-ID: <4E2E8464.5010400@redhat.com>

Hello all,

this series of 8 patches makes the internal caching framework of bind-dyndb-ldap more flexible. This flexibility is required by future persistent search changes.

Any comments are welcomed.

Regards, Adam

Attachments:
- 0001-Add-ldap_cache_-add-get-rdatalist-and-ldap_cache_ena.patch
- 0002-Replace-cached_ldap_rdatalist_get-calls-by-ldap_cach.patch
- 0003-Remove-unused-cached_ldap_rdatalist_get-function.patch
- 0004-Remove-unneeded-cache_node_create-parameter.patch
- 0005-Introduce-src-types.h-which-contains-declaration-of-.patch
- 0006-Move-per-LDAP-instance-RRs-cache-into-ldap_instance_.patch
- 0007-Remove-unneeded-INIT_LIST-calls.patch
- 0008-Improve-ldap_cache_addrdatalist-to-replace-cache-ent.patch
From: atkac at redhat.com (Adam Tkac)
Date: Tue, 26 Jul 2011 11:13:18 +0200
Subject: [Freeipa-devel] [PATCH] bind-dyndb-ldap: allow to specify boolean yes/no config params
Message-ID: <4E2E852E.30104@redhat.com>

Hello,

the attached patch improves the "settings" code to handle boolean yes/no parameters. Comments are welcomed.

Regards, Adam

Attachment: 0001-Improve-settings_t-code-to-handle-yes-no-boolean-val.patch
From: abokovoy at redhat.com (Alexander Bokovoy)
Date: Tue, 26 Jul 2011 13:36:02 +0300
Subject: [Freeipa-devel] [WIP] Add command to test HBAC rules
In-Reply-To: <4E2E3321.3070704@redhat.com>
References: <1383009380.228321.1311613060175.JavaMail.root@zmail05.collab.prod.int.phx2.redhat.com> <4E2DA179.9030906@redhat.com> <4E2DDC71.5080202@redhat.com> <4E2E3321.3070704@redhat.com>
Message-ID: <4E2E9892.8030402@redhat.com>

On 26.07.2011 06:23, Alexander Bokovoy wrote:
> I'll send updated patch proposal today.

Here is the new patch.

    $ ipa hbactest --help
    Usage: ipa [global-options] hbactest [options]

    Options:
      -h, --help     show this help message and exit
      --user=STR     User name
      --srchost=STR  Source host
      --host=STR     Target host
      --service=STR  Service
      --rules=LIST   Rules to test. If not specified, --enabled is assumed
      --detail       Show which rules are passed, denied, or invalid
      --enabled      Include all enabled IPA rules into test [default]
      --disabled     Include all disabled IPA rules into test

The following modes are implemented by the plugin. Given (user, source host, target host, service), it attempts to log the user coming from the source host in to the target host's service:

1. Use all enabled HBAC rules in IPA database to simulate:

    $ ipa hbactest --user=a1a --srchost=foo --host=bar --service=ssh
    --------------------
    Access granted: True
    --------------------

2. Show detailed summary of how rules were applied:

    $ ipa hbactest --user=a1a --srchost=foo --host=bar --service=ssh --detail
    --------------------
    Access granted: True
    --------------------
    denied: my-second-rule, my-third-rule, myrule
    passed: allow_all

3. Test explicitly specified HBAC rules:

    $ ipa hbactest --user=a1a --srchost=foo --host=bar --service=ssh --detail --rules=my-second-rule,myrule
    ---------------------
    Access granted: False
    ---------------------
    denied: my-second-rule, myrule

4. Use all enabled HBAC rules in IPA database + explicitly specified rules:

    $ ipa hbactest --user=a1a --srchost=foo --host=bar --service=ssh --detail --rules=my-second-rule,myrule --enabled
    --------------------
    Access granted: True
    --------------------
    denied: my-second-rule, my-third-rule, myrule
    passed: allow_all

5. Test all disabled HBAC rules in IPA database:

    $ ipa hbactest --user=a1a --srchost=foo --host=bar --service=ssh --detail --disabled
    ---------------------
    Access granted: False
    ---------------------
    denied: new-rule

6. Test all disabled HBAC rules in IPA database + explicitly specified rules:

    $ ipa hbactest --user=a1a --srchost=foo --host=bar --service=ssh --detail --rules=my-second-rule,myrule --disabled
    ---------------------
    Access granted: False
    ---------------------
    denied: my-second-rule, myrule, new-rule

7. Test all (enabled and disabled) HBAC rules in IPA database:

    $ ipa hbactest --user=a1a --srchost=foo --host=bar --service=ssh --detail --enabled --disabled
    --------------------
    Access granted: True
    --------------------
    denied: my-second-rule, my-third-rule, myrule, new-rule
    passed: allow_all

--
/ Alexander Bokovoy

Attachment: freeipa-abbra-0007-2-add-hbactest-command.patch
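A small model of the rule-selection semantics the seven modes above describe (explicit --rules are always included and treated as enabled; --enabled is implied only when no flag at all is given; --disabled adds the disabled rules). This is an added example, not the hbactest plugin: the five rules are constructed to reproduce the outputs in the mail, the attribute names are assumptions, and source-host matching is left out of the model.

```javascript
// Added example (not the FreeIPA hbactest plugin): rule selection and
// evaluation as the 'ipa hbactest' modes describe them.
// Constructed rule set chosen to reproduce the mail's sample output;
// attribute names are assumptions. Source host is not modelled.
var RULES = [
    {cn: 'allow_all',      enabled: true,  usercat: 'all', hostcat: 'all', servicecat: 'all'},
    {cn: 'myrule',         enabled: true,  users: ['admin'], hosts: ['bar'],   services: ['ssh']},
    {cn: 'my-second-rule', enabled: true,  users: ['a1a'],   hosts: ['other'], services: ['ssh']},
    {cn: 'my-third-rule',  enabled: true,  users: ['a1a'],   hosts: ['bar'],   services: ['ftp']},
    {cn: 'new-rule',       enabled: false, users: ['a1a'],   hosts: ['bar'],   services: ['login']}
];

// A single matcher: category 'all' matches anything, otherwise membership.
function matches(rule, catKey, listKey, value) {
    if (rule[catKey] === 'all') return true;
    return (rule[listKey] || []).indexOf(value) !== -1;
}

// A rule passes only if user, target host and service all match.
function evaluate(rule, req) {
    return matches(rule, 'usercat', 'users', req.user) &&
           matches(rule, 'hostcat', 'hosts', req.host) &&
           matches(rule, 'servicecat', 'services', req.service);
}

// Rule selection as the CLI describes it:
//   --rules=a,b,c  explicitly named rules, used regardless of their enabled flag
//   --enabled      all enabled rules (the default when no flag at all is given)
//   --disabled     all disabled rules
// Options combine as a union, without duplicates.
function select_rules(opts, rules) {
    var names = opts.rules || [];
    var includeEnabled = !!opts.enabled || (!opts.rules && !opts.disabled);
    var selected = {};
    rules.forEach(function(r) {
        if (names.indexOf(r.cn) !== -1 ||
            (includeEnabled && r.enabled) ||
            (opts.disabled && !r.enabled)) {
            selected[r.cn] = r;
        }
    });
    // Names given to --rules that do not exist are what --detail reports as invalid.
    var invalid = names.filter(function(n) { return !selected[n]; });
    var chosen = Object.keys(selected).sort().map(function(k) { return selected[k]; });
    return {rules: chosen, invalid: invalid};
}

// Returns the same three pieces of information the command prints:
// the overall verdict plus the passed / denied / invalid rule lists.
function hbactest(opts, rules) {
    var sel = select_rules(opts, rules || RULES);
    var passed = [], denied = [];
    sel.rules.forEach(function(r) {
        (evaluate(r, opts) ? passed : denied).push(r.cn);
    });
    return {granted: passed.length > 0, passed: passed, denied: denied, invalid: sel.invalid};
}
```

Access is granted as soon as any selected rule passes, which is why mode 3 (only two non-matching rules named) is denied while mode 4 (the same two rules plus --enabled, which brings in allow_all) is granted.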
From: abokovoy at redhat.com (Alexander Bokovoy)
Date: Tue, 26 Jul 2011 13:41:45 +0300
Subject: [Freeipa-devel] [WIP] Add command to test HBAC rules
In-Reply-To: <4E2E9892.8030402@redhat.com>
References: <1383009380.228321.1311613060175.JavaMail.root@zmail05.collab.prod.int.phx2.redhat.com> <4E2DA179.9030906@redhat.com> <4E2DDC71.5080202@redhat.com> <4E2E3321.3070704@redhat.com> <4E2E9892.8030402@redhat.com>
Message-ID: <4E2E99E9.6090601@redhat.com>

On 26.07.2011 13:36, Alexander Bokovoy wrote:
> On 26.07.2011 06:23, Alexander Bokovoy wrote:
>> I'll send updated patch proposal today.
> Here is new patch.

Rebased against current master (9a4ce988df219565ab84602b1eea93e14700862b)

--
/ Alexander Bokovoy

Attachment: freeipa-abbra-0007-2-add-hbactest-command.patch
From: pvoborni at redhat.com (Petr Vobornik)
Date: Tue, 26 Jul 2011 13:27:08 +0200
Subject: [Freeipa-devel] [PATCH] 002 Fixed adding host without DNS reverse zone
Message-ID: <1311679630.2338.61.camel@dhcp-25-197.brq.redhat.com>

Fixed adding host without DNS reverse zone
https://fedorahosted.org/freeipa/ticket/1481

Shows status dialog instead of error dialog (error 4304 is treated like success).

This patch is fixing the problem, but maybe in a wrong way. The main problem was that the error has to be treated like success. This decision is done in the command.execute() method. There are two ways to do it:

1) Interrupt error handling - transform error to success
2) Interrupt success handling - don't let success be transformed into error.

The solution is using the second option. But I think the first option is better. But there are obstacles:

- handling is done in a private function (for me ipa.js line ~ 290)
- there is an extension point - setting the on_error method. The problem is that this method is executed only if command.retry is false (default is true). Setting it to false will disable usage of the error dialog (which is a private function). So I would lose functionality for normal errors. Reordering these lines isn't an option because it would affect a lot of code.
- one way would be to extract the code for the error dialog and make it a regular reusable dialog (with command as parameter). This way it can be used in a custom error handler.

Is it ACKable, or is it better to do it as described?

Petr

Attachment: freeipa-pvoborni-0002-Fixed-adding-host-without-DNS-reverse-zone.patch (text/x-patch, 7119 bytes)
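The two interception points Petr describes, modelled as an added example rather than FreeIPA's ipa.js: a command object whose error dialog is factored out into a reusable function (his last bullet), so that a specific error code can be reclassified as success before dispatch (option 1) while every other error still gets the normal dialog, and so that a custom on_error handler can fall back to that same dialog. The option name success_codes, the handler signature and the 4304 message text are assumptions.

```javascript
// Added example (not FreeIPA's ipa.js): a model of the execute() response
// flow with the error dialog factored out so it stays reusable.
// 'success_codes' and the on_error(error, dialog) signature are assumptions;
// the 4304 message is a constructed placeholder.
function make_command(spec) {
    var that = {};
    that.retry = spec.retry !== undefined ? spec.retry : true;
    that.success_codes = spec.success_codes || [];
    that.on_success = spec.on_success || function() {};
    that.on_error = spec.on_error || null;
    that.log = [];

    // Reusable "error dialog": in the UI this opens Retry/Cancel;
    // here it just records that it would have been shown.
    that.error_dialog = function(error) {
        that.log.push('dialog:' + error.code);
        return 'dialog';
    };

    // Option 1 from the mail: decide up front whether this error is really a success,
    // before the success/error split, so nothing downstream needs to know.
    function classify(response) {
        if (response.error && that.success_codes.indexOf(response.error.code) !== -1) {
            return {result: response.error, error: null, reclassified: true};
        }
        return response;
    }

    that.handle_response = function(response) {
        response = classify(response);
        if (!response.error) {
            that.on_success(response.result);
            return 'success';
        }
        // Default path: retry (the default) means the generic dialog.
        // A custom on_error still gets the dialog passed in, so it can reuse it.
        if (that.retry && !that.on_error) {
            return that.error_dialog(response.error);
        }
        return that.on_error
            ? that.on_error(response.error, that.error_dialog)
            : that.error_dialog(response.error);
    };
    return that;
}

function demo() {
    var seen = [];
    var cmd = make_command({
        success_codes: [4304],
        on_success: function(r) { seen.push('success:' + (r.code || 'ok')); }
    });
    // Custom handler that ignores 4304 itself and reuses the dialog for anything else.
    var custom = make_command({
        retry: false,
        on_error: function(err, dialog) { return err.code === 4304 ? 'ignored' : dialog(err); }
    });
    return {
        ok: cmd.handle_response({result: {}, error: null}),
        reverse: cmd.handle_response({result: null, error: {code: 4304, message: 'no reverse zone'}}),
        other: cmd.handle_response({result: null, error: {code: 4001, message: 'not found'}}),
        seen: seen,
        log: cmd.log,
        custom_ignored: custom.handle_response({result: null, error: {code: 4304}}),
        custom_other: custom.handle_response({result: null, error: {code: 4001}}),
        custom_log: custom.log
    };
}
```

With the dialog exposed as a function on the command, setting retry to false no longer costs the normal error dialog: the custom handler decides per error code and delegates everything it does not recognise.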
From: jgalipea at redhat.com (Jenny Galipeau)
Date: Tue, 26 Jul 2011 07:55:08 -0400 (EDT)
Subject: [Freeipa-devel] [WIP] Add command to test HBAC rules
In-Reply-To: <4E2E9892.8030402@redhat.com>
Message-ID: <2006723717.240829.1311681308348.JavaMail.root@zmail05.collab.prod.int.phx2.redhat.com>

Looks great, thanks Alexander!

----- Original Message -----
> On 26.07.2011 06:23, Alexander Bokovoy wrote:
> > I'll send updated patch proposal today.
> Here is new patch.
>
> $ ipa hbactest --help
> Usage: ipa [global-options] hbactest [options]
>
> Options:
>   -h, --help     show this help message and exit
>   --user=STR     User name
>   --srchost=STR  Source host
>   --host=STR     Target host
>   --service=STR  Service
>   --rules=LIST   Rules to test. If not specified, --enabled is assumed
>   --detail       Show which rules are passed, denied, or invalid
>   --enabled      Include all enabled IPA rules into test [default]
>   --disabled     Include all disabled IPA rules into test
>
> Following modes are implemented by the plugin given (user, source
> host, target host, service), attempt to login user coming from source
> host to target host's service:
>
> 1. Use all enabled HBAC rules in IPA database to simulate:
> $ ipa hbactest --user=a1a --srchost=foo --host=bar --service=ssh
> --------------------
> Access granted: True
> --------------------
>
> 2. Show detailed summary of how rules were applied:
> $ ipa hbactest --user=a1a --srchost=foo --host=bar --service=ssh --detail
> --------------------
> Access granted: True
> --------------------
> denied: my-second-rule, my-third-rule, myrule
> passed: allow_all
>
> 3. Test explicitly specified HBAC rules:
> $ ipa hbactest --user=a1a --srchost=foo --host=bar --service=ssh --detail --rules=my-second-rule,myrule
> ---------------------
> Access granted: False
> ---------------------
> denied: my-second-rule, myrule
>
> 4. Use all enabled HBAC rules in IPA database + explicitly specified rules:
> $ ipa hbactest --user=a1a --srchost=foo --host=bar --service=ssh --detail --rules=my-second-rule,myrule --enabled
> --------------------
> Access granted: True
> --------------------
> denied: my-second-rule, my-third-rule, myrule
> passed: allow_all
>
> 5. Test all disabled HBAC rules in IPA database:
> $ ipa hbactest --user=a1a --srchost=foo --host=bar --service=ssh --detail --disabled
> ---------------------
> Access granted: False
> ---------------------
> denied: new-rule
>
> 6. Test all disabled HBAC rules in IPA database + explicitly specified rules:
> $ ipa hbactest --user=a1a --srchost=foo --host=bar --service=ssh --detail --rules=my-second-rule,myrule --disabled
> ---------------------
> Access granted: False
> ---------------------
> denied: my-second-rule, myrule, new-rule
>
> 7. Test all (enabled and disabled) HBAC rules in IPA database:
> $ ipa hbactest --user=a1a --srchost=foo --host=bar --service=ssh --detail --enabled --disabled
> --------------------
> Access granted: True
> --------------------
> denied: my-second-rule, my-third-rule, myrule, new-rule
> passed: allow_all
>
> --
> / Alexander Bokovoy

--
Looking to carve out IT costs? www.redhat.com/carveoutcosts/
Jenny Galipeau
Principal Software QA Engineer
Red Hat, Inc. Security Engineering
From: jhrozek at redhat.com (Jakub Hrozek)
Date: Tue, 26 Jul 2011 14:26:25 +0200
Subject: [Freeipa-devel] [WIP] Add command to test HBAC rules
In-Reply-To: <4E2E99E9.6090601@redhat.com>
References: <1383009380.228321.1311613060175.JavaMail.root@zmail05.collab.prod.int.phx2.redhat.com> <4E2DA179.9030906@redhat.com> <4E2DDC71.5080202@redhat.com> <4E2E3321.3070704@redhat.com> <4E2E9892.8030402@redhat.com> <4E2E99E9.6090601@redhat.com>
Message-ID: <4E2EB271.60401@redhat.com>

On 07/26/2011 12:41 PM, Alexander Bokovoy wrote:
> On 26.07.2011 13:36, Alexander Bokovoy wrote:
>> On 26.07.2011 06:23, Alexander Bokovoy wrote:
>>> I'll send updated patch proposal today.
>> Here is new patch.
> Rebased against current master (9a4ce988df219565ab84602b1eea93e14700862b)

My only comment is that it would be nice to catch HbacError exceptions from evaluate() and turn them into a nice error message using the info they provide and the hbac_error_string() function.

Otherwise, nice work!

Attachment: signature.asc (application/pgp-signature, 262 bytes, OpenPGP digital signature)

From: abokovoy at redhat.com (Alexander Bokovoy)
Date: Tue, 26 Jul 2011 15:48:11 +0300
Subject: [Freeipa-devel] [WIP] Add command to test HBAC rules
In-Reply-To: <4E2EB271.60401@redhat.com>
References: <1383009380.228321.1311613060175.JavaMail.root@zmail05.collab.prod.int.phx2.redhat.com> <4E2DA179.9030906@redhat.com> <4E2DDC71.5080202@redhat.com> <4E2E3321.3070704@redhat.com> <4E2E9892.8030402@redhat.com> <4E2E99E9.6090601@redhat.com> <4E2EB271.60401@redhat.com>
Message-ID: <4E2EB78B.3030709@redhat.com>

On 26.07.2011 15:26, Jakub Hrozek wrote:
> On 07/26/2011 12:41 PM, Alexander Bokovoy wrote:
>> On 26.07.2011 13:36, Alexander Bokovoy wrote:
>>> On 26.07.2011 06:23, Alexander Bokovoy wrote:
>>>> I'll send updated patch proposal today.
>>> Here is new patch.
>> Rebased against current master (9a4ce988df219565ab84602b1eea93e14700862b)
>
> My only comment is that it would be nice to catch HbacError exceptions
> from evaluate() and turn them into a nice error message using the info
> they provide and the hbac_error_string() function.

That's the plan. :) I wanted first to get the command line interface stabilized as it affected backend logic.

Now, if there wouldn't be any objections anymore, time for harnessing and unit tests.

--
/ Alexander Bokovoy

From: jcholast at redhat.com (Jan Cholasta)
Date: Tue, 26 Jul 2011 15:47:35 +0200
Subject: [Freeipa-devel] [PATCH] 35 Fix external CA install
Message-ID: <4E2EC577.6000005@redhat.com>

This patch contains several small fixes of external CA install.

https://fedorahosted.org/freeipa/ticket/1523

--
Jan Cholasta

Attachment: freeipa-jcholast-35-external-ca-fix.patch (text/x-patch, 3659 bytes)
From: edewata at redhat.com (Endi Sukma Dewata)
Date: Tue, 26 Jul 2011 10:17:27 -0500
Subject: [Freeipa-devel] [PATCH] 224 Fixed problem setting host OTP.
Message-ID: <4E2EDA87.5000706@redhat.com>

The handler for the host 'Set OTP' button has been modified to obtain the primary key from the entity and return false to stop the normal event processing.

Ticket #1511

--
Endi S. Dewata

Attachment: freeipa-edewata-0224-Fixed-problem-setting-host-OTP.patch (text/x-patch, 2887 bytes)

From: edewata at redhat.com (Endi Sukma Dewata)
Date: Tue, 26 Jul 2011 12:19:08 -0500
Subject: [Freeipa-devel] [PATCH] 225 Fixed hard-coded labels in sudo rules.
Message-ID: <4E2EF70C.5010100@redhat.com>

The sudo rule interface has been modified to remove unused labels and use the translated dialog box title.

Ticket #1518

--
Endi S. Dewata

Attachment: freeipa-edewata-0225-Fixed-hard-coded-labels-in-sudo-rules.patch (text/x-patch, 3043 bytes)
From: rcritten at redhat.com (Rob Crittenden)
Date: Tue, 26 Jul 2011 13:37:59 -0400
Subject: [Freeipa-devel] [PATCH] 35 Fix external CA install
In-Reply-To: <4E2EC577.6000005@redhat.com>
References: <4E2EC577.6000005@redhat.com>
Message-ID: <4E2EFB77.1090607@redhat.com>

Jan Cholasta wrote:
> This patch contains several small fixes of external CA install.
>
> https://fedorahosted.org/freeipa/ticket/1523

This is a good start at simplifying things but needs a bit more work. One thing I was bending over backwards for was to handle whatever options were thrown at us. Here is a situation this does not handle very gracefully:

    # ipa-server-install --external_cert_file=/home/rcrit/cadb/sub/ipa.crt --external_ca_file=/home/rcrit/cadb/sub/ca.crt --external-ca

    The following operations may take some minutes to complete.
    Please wait until the prompt is returned.

    Configuring ntpd
      [1/4]: stopping ntpd
      [2/4]: writing configuration
      [3/4]: configuring ntpd to start on boot
      [4/4]: starting ntpd
    done configuring ntpd.
    Configuring directory server for the CA: Estimated time 30 seconds
      [1/3]: creating directory server user
      [2/3]: creating directory server instance
      [3/3]: restarting directory server
    done configuring pkids.
    CA is not installed yet. To install with an external CA is a two-stage process.
    First run the installer with --external-ca.

rob
From: rcritten at redhat.com (Rob Crittenden)
Date: Tue, 26 Jul 2011 14:26:59 -0400
Subject: [Freeipa-devel] [WIP] Add command to test HBAC rules
In-Reply-To: <4E2EB78B.3030709@redhat.com>
References: <1383009380.228321.1311613060175.JavaMail.root@zmail05.collab.prod.int.phx2.redhat.com> <4E2DA179.9030906@redhat.com> <4E2DDC71.5080202@redhat.com> <4E2E3321.3070704@redhat.com> <4E2E9892.8030402@redhat.com> <4E2E99E9.6090601@redhat.com> <4E2EB271.60401@redhat.com> <4E2EB78B.3030709@redhat.com>
Message-ID: <4E2F06F3.8030701@redhat.com>

Alexander Bokovoy wrote:
> On 26.07.2011 15:26, Jakub Hrozek wrote:
>> On 07/26/2011 12:41 PM, Alexander Bokovoy wrote:
>>> On 26.07.2011 13:36, Alexander Bokovoy wrote:
>>>> On 26.07.2011 06:23, Alexander Bokovoy wrote:
>>>>> I'll send updated patch proposal today.
>>>> Here is new patch.
>>> Rebased against current master (9a4ce988df219565ab84602b1eea93e14700862b)
>>>
>>>
>>
>> My only comment is that it would be nice to catch HbacError exceptions from evaluate() and turn them into a nice error message using the info they provide and the hbac_error_string() function.
> That's the plan. :) I wanted first to get command line interface stabilized as it affected backend logic.
>
> Now, if there wouldn't be any objections anymore, time for harnessing and unit tests.
>

This works well. If I had any reservations at all it is with --detail. I created a bunch of rules and then played around with expected pass and fail given a different set of rules. Now maybe this was due to my just starting to use the tool but I found myself adding --detail to every execution so I could see exactly what was going on.

I guess that particularly when we get details on the failures themselves (failed because host doesn't match, invalid rule, whatever) this could get a bit unwieldy. I think it's probably ok to leave it this way for now, by default providing just a yes/no answer.

We'll need to decide before we commit it whether we want this to be --nodetail instead. I suspect it would be an easy thing to change.

rob

From dpal at redhat.com Tue Jul 26 19:55:47 2011
From: dpal at redhat.com (Dmitri Pal)
Date: Tue, 26 Jul 2011 15:55:47 -0400
Subject: [Freeipa-devel] [WIP] Add command to test HBAC rules
In-Reply-To: <4E2E9892.8030402@redhat.com>
References: <1383009380.228321.1311613060175.JavaMail.root@zmail05.collab.prod.int.phx2.redhat.com> <4E2DA179.9030906@redhat.com> <4E2DDC71.5080202@redhat.com> <4E2E3321.3070704@redhat.com> <4E2E9892.8030402@redhat.com>
Message-ID: <4E2F1BC3.3050109@redhat.com>

On 07/26/2011 06:36 AM, Alexander Bokovoy wrote:
> On 26.07.2011 06:23, Alexander Bokovoy wrote:
>> I'll send updated patch proposal today.
> Here is new patch.
>
> $ ipa hbactest --help
> Usage: ipa [global-options] hbactest [options]
>
> Options:
>   -h, --help     show this help message and exit
>   --user=STR     User name
>   --srchost=STR  Source host
>   --host=STR     Target host
>   --service=STR  Service
>   --rules=LIST   Rules to test. If not specified, --enabled is assumed
>   --detail       Show which rules are passed, denied, or invalid
>   --enabled      Include all enabled IPA rules into test [default]
>   --disabled     Include all disabled IPA rules into test
>
> Following modes are implemented by the plugin given (user, source host, target host, service), attempt to login user coming from source host to target host's service:
>
> 1. Use all enabled HBAC rules in IPA database to simulate:
> $ ipa hbactest --user=a1a --srchost=foo --host=bar --service=ssh
> --------------------
> Access granted: True
> --------------------
>
> 2. Show detailed summary of how rules were applied:
> $ ipa hbactest --user=a1a --srchost=foo --host=bar --service=ssh --detail
> --------------------
> Access granted: True
> --------------------
> denied: my-second-rule, my-third-rule, myrule
> passed: allow_all
>
> 3. Test explicitly specified HBAC rules:
> $ ipa hbactest --user=a1a --srchost=foo --host=bar --service=ssh --detail --rules=my-second-rule,myrule
> ---------------------
> Access granted: False
> ---------------------
> denied: my-second-rule, myrule
>
> 4. Use all enabled HBAC rules in IPA database + explicitly specified rules:
> $ ipa hbactest --user=a1a --srchost=foo --host=bar --service=ssh --detail --rules=my-second-rule,myrule --enabled
> --------------------
> Access granted: True
> --------------------
> denied: my-second-rule, my-third-rule, myrule
> passed: allow_all
>
> 5. Test all disabled HBAC rules in IPA database:
> $ ipa hbactest --user=a1a --srchost=foo --host=bar --service=ssh --detail --disabled
> ---------------------
> Access granted: False
> ---------------------
> denied: new-rule
>
> 6. Test all disabled HBAC rules in IPA database + explicitly specified rules:
> $ ipa hbactest --user=a1a --srchost=foo --host=bar --service=ssh --detail --rules=my-second-rule,myrule --disabled
> ---------------------
> Access granted: False
> ---------------------
> denied: my-second-rule, myrule, new-rule
>
> 7. Test all (enabled and disabled) HBAC rules in IPA database:
> $ ipa hbactest --user=a1a --srchost=foo --host=bar --service=ssh --detail --enabled --disabled
> --------------------
> Access granted: True
> --------------------
> denied: my-second-rule, my-third-rule, myrule, new-rule
> passed: allow_all
>

The tests imply that there are deny rules. We removed them so very soon there would be no deny rules. Should the results of the test show something like:

------------------------------
Access granted : True
------------------------------
Granted by:
------------------------------
X
Y
Z

Or
------------------------------
Access granted : False
------------------------------
Access not granted by any allow rule
------------------------------

(I do not think you have a test for this case...)

Or (for backward compatibility)
------------------------------
Access granted : False
------------------------------
Granted by:
------------------------------
X
Y
Z
------------------------------
Denied by:
------------------------------
A
B
C

This format seems to be more scriptable. You do not need to deal with escaping commas if they are used in the name of the rule. But I do not insist - this is just an example of potential output. Rob, Martin do you have any comments, suggestions?

>
> _______________________________________________
> Freeipa-devel mailing list
> Freeipa-devel at redhat.com
> https://www.redhat.com/mailman/listinfo/freeipa-devel

--
Thank you,
Dmitri Pal

Sr. Engineering Manager IPA project,
Red Hat Inc.

-------------------------------
Looking to carve out IT costs?
www.redhat.com/carveoutcosts/

-------------- next part --------------
An HTML attachment was scrubbed...
URL:

From ayoung at redhat.com Tue Jul 26 20:36:15 2011
From: ayoung at redhat.com (Adam Young)
Date: Tue, 26 Jul 2011 16:36:15 -0400
Subject: [Freeipa-devel] [PATCH] 0270-removing-setters-setup-and-init
In-Reply-To: <4E2E07CE.5070902@redhat.com>
References: <4E2614DD.4090301@redhat.com> <4E26157A.5080609@redhat.com> <4E2729F2.3010409@redhat.com> <4E273193.4080506@redhat.com> <4E276E10.4010207@redhat.com> <4E278D5C.9020803@redhat.com> <4E28E8C4.6040201@redhat.com> <4E29989B.4090209@redhat.com> <4E29B0EA.6010909@redhat.com> <4E2A0698.6000402@redhat.com> <4E2DA048.8040507@redhat.com> <4E2E07CE.5070902@redhat.com>
Message-ID: <4E2F253F.9050608@redhat.com>

On 07/25/2011 08:18 PM, Endi Sukma Dewata wrote:
>
> 41. The radio buttons in the 'As Whom' section in sudo rule section are missing the labels. It should show the doc attributes of the ipasudorunasusercategory and ipasudorunasgroupcategory.

Fixed

> 42. The code in widget.js:1124-1128 can be replaced with this:
>
> that.entity_name = spec.entity ? spec.entity.name : spec.entity_name;
>
> In general attribute declarations should be 1 liner. If it takes more than 1 line it should be done in the constructor.

Fixed

> 43. The initialization code (set_param_info) in IPA.widget (widget.js:80) was originally in init(). It should be moved into the constructor.

Well, it was already, but moved to the bottom of the function and commented, for clarity

> 44. The initialization code in IPA.column (widget.js:1135-1147) was originally in init(). It should be moved into the constructor.

Same as 43

> 45. -47.

Will defer

> 48. The initialization code (button creation) in IPA.add_dialog (add.js:48-93) was moved from init() to create(). It should be moved into the constructor.

Done

> 49. The initialization code (column creation) in IPA.association_adder_dialog (association.js:157-165) was moved from init() to create(). It should be moved into the constructor.
>
> 50. The attribute declaration (NORMAL_HEIGHT and WITH_EXTERNAL_HEIGHT) in IPA.adder_dialog (dialog.js:341-342) should be moved to the beginning of the class.

Done

For 51-55, all code that was moved to create is moved to the widget definition.

-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-admiyo-0270-13-removing-setters-setup-and-init.patch
Type: text/x-patch
Size: 193115 bytes
Desc: not available
URL:

From ayoung at redhat.com Tue Jul 26 21:06:35 2011
From: ayoung at redhat.com (Adam Young)
Date: Tue, 26 Jul 2011 17:06:35 -0400
Subject: [Freeipa-devel] [PATCH] 223 Fixed problem bookmarking Policy/IPA Server tabs
In-Reply-To: <4E2DC2F6.60304@redhat.com>
References: <4E2DC2F6.60304@redhat.com>
Message-ID: <4E2F2C5B.1050705@redhat.com>

On 07/25/2011 03:24 PM, Endi Sukma Dewata wrote:
> When opening a bookmark, each tab level will be updated separately from top to bottom according to the URL state. The navigation code has been modified to recognize when an ancestor tab is being updated and not change the URL state.
>
> Ticket #1521
>
>
> _______________________________________________
> Freeipa-devel mailing list
> Freeipa-devel at redhat.com
> https://www.redhat.com/mailman/listinfo/freeipa-devel

ACK. Pushed to master

-------------- next part --------------
An HTML attachment was scrubbed...
URL:

From jdennis at redhat.com Tue Jul 26 21:35:34 2011
From: jdennis at redhat.com (John Dennis)
Date: Tue, 26 Jul 2011 17:35:34 -0400
Subject: [Freeipa-devel] [PATCH 32/32] Make AVA, RDN & DN comparison case insensitive. No need for lowercase normalization.
Message-ID: <201107262135.p6QLZYjf029106@int-mx12.intmail.prod.int.phx2.redhat.com>

Replace deepcopy with constructor (i.e. type call)

Can now "clone" with configuration changes by passing object of the same type to its constructor, e.g.

dn1 = DN(('cn', 'foo'))
dn2 = DN(dn1)
dn2 = DN(dn1, first_key_match=False)

Remove pairwise grouping for RDNs. Had previously removed it for DNs, left it in for RDNs because it seemed to make sense because of the way RDNs work but consistency is a higher goal.

Add keyword constructor parameters to pass configuration options.

Make first_key_match a configuration keyword.

Updated documentation.

Updated unit test.

FWIW, I noticed the unittest is now running 2x faster, not sure why, removal of deepcopy? Anyway, hard to argue with performance doubling.

--
John Dennis

Looking to carve out IT costs?
www.redhat.com/carveoutcosts/
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0032-Make-AVA-RDN-DN-comparison-case-insensitive.patch
Type: text/x-patch
Size: 31438 bytes
Desc: not available
URL:

From ayoung at redhat.com Tue Jul 26 21:52:06 2011
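As an added illustration of the behaviour the patch message describes (a constructed, simplified model, not ipapython's own DN implementation): AVA/RDN/DN classes that compare case-insensitively without normalizing the stored text, and that clone through the constructor with configuration keywords. The meaning of first_key_match itself is not modelled here; it is only carried as a configuration value so that DN(dn1, first_key_match=False) works as in the message.

```python
"""Simplified model of AVA/RDN/DN comparison and cloning.  Constructed
illustration, not ipapython's DN: equality folds case without rewriting
the stored text, and a DN is cloned by passing it to the constructor,
optionally overriding configuration keywords."""


class AVA:
    """Attribute=value pair.  Equality and hashing fold case, but the
    original spelling is preserved for display."""

    def __init__(self, attr, value):
        self.attr = attr
        self.value = value

    def _key(self):
        return (self.attr.lower(), self.value.lower())

    def __eq__(self, other):
        if not isinstance(other, AVA):
            return NotImplemented
        return self._key() == other._key()

    def __hash__(self):
        return hash(self._key())

    def __str__(self):
        return '%s=%s' % (self.attr, self.value)


class RDN:
    """One or more AVAs (a multi-valued RDN is joined with '+').  The AVAs
    of an RDN form a set, so their order does not affect equality."""

    def __init__(self, *avas):
        self.avas = [a if isinstance(a, AVA) else AVA(*a) for a in avas]

    def __eq__(self, other):
        if not isinstance(other, RDN):
            return NotImplemented
        return set(self.avas) == set(other.avas)

    def __str__(self):
        return '+'.join(str(a) for a in self.avas)


class DN:
    """Ordered sequence of RDNs.  Parts may be (attr, value) tuples, RDN
    objects or another DN, whose RDNs are copied (no deepcopy needed).
    Configuration keywords such as first_key_match are stored, not
    interpreted, in this model."""

    def __init__(self, *parts, first_key_match=True):
        self.first_key_match = first_key_match
        self.rdns = []
        for part in parts:
            if isinstance(part, DN):
                # Clone: fresh RDN objects so the copies are independent.
                self.rdns.extend(RDN(*rdn.avas) for rdn in part.rdns)
            elif isinstance(part, RDN):
                self.rdns.append(part)
            else:
                self.rdns.append(RDN(part))

    def __eq__(self, other):
        if not isinstance(other, DN):
            return NotImplemented
        # RDN order is significant in a DN; each RDN compares case-folded.
        return self.rdns == other.rdns

    def __len__(self):
        return len(self.rdns)

    def __str__(self):
        return ','.join(str(rdn) for rdn in self.rdns)
```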
From: ayoung at redhat.com (Adam Young)
Date: Tue, 26 Jul 2011 17:52:06 -0400
Subject: [Freeipa-devel] [PATCH] 225 Fixed hard-coded labels in sudo rules.
In-Reply-To: <4E2EF70C.5010100@redhat.com>
References: <4E2EF70C.5010100@redhat.com>
Message-ID: <4E2F3706.7090101@redhat.com>

On 07/26/2011 01:19 PM, Endi Sukma Dewata wrote:
> The sudo rule interface has been modified to remove unused labels and use translated dialog box title.
>
> Ticket #1518
>
>
> _______________________________________________
> Freeipa-devel mailing list
> Freeipa-devel at redhat.com
> https://www.redhat.com/mailman/listinfo/freeipa-devel

ACK

-------------- next part --------------
An HTML attachment was scrubbed...
URL:

From ayoung at redhat.com Tue Jul 26 21:52:21 2011
From: ayoung at redhat.com (Adam Young)
Date: Tue, 26 Jul 2011 17:52:21 -0400
Subject: [Freeipa-devel] [PATCH] 224 Fixed problem setting host OTP.
In-Reply-To: <4E2EDA87.5000706@redhat.com>
References: <4E2EDA87.5000706@redhat.com>
Message-ID: <4E2F3715.9040909@redhat.com>

On 07/26/2011 11:17 AM, Endi Sukma Dewata wrote:
> The handler for host 'Set OTP' button has been modified to obtain the primary key from the entity and return false to stop the normal event processing.
>
> Ticket #1511
>
>
> _______________________________________________
> Freeipa-devel mailing list
> Freeipa-devel at redhat.com
> https://www.redhat.com/mailman/listinfo/freeipa-devel

ACK

-------------- next part --------------
An HTML attachment was scrubbed...
URL:

From edewata at redhat.com Tue Jul 26 23:09:38 2011
From: edewata at redhat.com (Endi Sukma Dewata)
Date: Tue, 26 Jul 2011 18:09:38 -0500
Subject: [Freeipa-devel] [PATCH] 002 Fixed adding host without DNS reverse zone
In-Reply-To: <1311679630.2338.61.camel@dhcp-25-197.brq.redhat.com>
References: <1311679630.2338.61.camel@dhcp-25-197.brq.redhat.com>
Message-ID: <4E2F4932.3080409@redhat.com>

On 7/26/2011 6:27 AM, Petr Vobornik wrote:
> Fixed adding host without DNS reverse zone
>
> https://fedorahosted.org/freeipa/ticket/1481
>
> Shows status dialog instead of error dialog (error 4304 is treated like success).
>
> This patch is fixing the problem, but maybe in a wrong way.
>
> Main problem was that error has to be treated like success. This decision is done in command.execute() method.
>
> There are two ways to do it
> 1) Interrupt error handling - transform error to success
> 2) Interrupt success handling - don't let success be transformed into error.
>
> Solution is using the second option. But I think first option is better. But there are obstacles:
> - handling is done in private function (for me ipa.js line ~ 290)
> - there is an extend point - setting on_error method. Problem is that this method is executed only if command.retry is false (default is true). Setting it to false will disable usage of error dialog (which is private function). So I would lose functionality for normal errors. Reordering these lines isn't an option because it would affect a lot of code.
> - one way would be to extract code for error dialog and make it a regular reusable dialog (with command as parameter). This way it can be used in custom error handler.
>
>
> Is it ACKable, or is it better to do it as described?
>
> Petr

Hi Petr,

The new is_custom_success and on_custom_success attributes in IPA.command somehow compete with the original on_success because they serve a similar purpose. I think it's better to make the default error dialog in IPA.command public so it can be used by other code as well.

We have a global variable IPA.error_dialog which stores the DOM element for the error dialog. I think we can convert it into a global object which you can open/close to show the default error dialog. The original DOM element can be stored in a 'container' attribute in that object.

In other words, convert dialog_open() into IPA.error_dialog.open(), move the original IPA.error_dialog into IPA.error_dialog.container. Set retry to false when invoking IPA.command, then specify an error handler which will catch error 4304. For other errors you'll display the default error dialog.

There are also some warnings about trailing whitespaces when applying the patch. You can remove them by adding the --whitespace=fix option when applying the patch with git am.

--
Endi S. Dewata

From ayoung at redhat.com Wed Jul 27 01:32:06 2011
From: ayoung at redhat.com (Adam Young)
Date: Tue, 26 Jul 2011 21:32:06 -0400
Subject: [Freeipa-devel] [PATCH] 002 Fixed adding host without DNS reverse zone
In-Reply-To: <4E2F4932.3080409@redhat.com>
References: <1311679630.2338.61.camel@dhcp-25-197.brq.redhat.com> <4E2F4932.3080409@redhat.com>
Message-ID: <4E2F6A96.706@redhat.com>

On 07/26/2011 07:09 PM, Endi Sukma Dewata wrote:
> On 7/26/2011 6:27 AM, Petr Vobornik wrote:
>> Fixed adding host without DNS reverse zone
>>
>> https://fedorahosted.org/freeipa/ticket/1481
>>
>> Shows status dialog instead of error dialog (error 4304 is treated like success).
>>
>> This patch is fixing the problem, but maybe in a wrong way.
>>
>> Main problem was that error has to be treated like success. This decision is done in command.execute() method.
>>
>> There are two ways to do it
>> 1) Interrupt error handling - transform error to success
>> 2) Interrupt success handling - don't let success be transformed into error.
>>
>> Solution is using the second option. But I think first option is better. But there are obstacles:
>> - handling is done in private function (for me ipa.js line ~ 290)
>> - there is an extend point - setting on_error method. Problem is that this method is executed only if command.retry is false (default is true). Setting it to false will disable usage of error dialog (which is private function). So I would lose functionality for normal errors. Reordering these lines isn't an option because it would affect a lot of code.
>> - one way would be to extract code for error dialog and make it a regular reusable dialog (with command as parameter). This way it can be used in custom error handler.
>>
>>
>> Is it ACKable, or is it better to do it as described?
>>
>> Petr
>
> Hi Petr,
>
> The new is_custom_success and on_custom_success attributes in IPA.command somehow compete with the original on_success because they serve a similar purpose. I think it's better to make the default error dialog in IPA.command public so it can be used by other code as well.
>
> We have a global variable IPA.error_dialog which stores the DOM element for the error dialog. I think we can convert it into a global object which you can open/close to show the default error dialog. The original DOM element can be stored in a 'container' attribute in that object.
>
> In other words, convert dialog_open() into IPA.error_dialog.open(), move the original IPA.error_dialog into IPA.error_dialog.container. Set retry to false when invoking IPA.command, then specify an error handler which will catch error 4304. For other errors you'll display the default error dialog.
>
> There are also some warnings about trailing whitespaces when applying the patch. You can remove them by adding the --whitespace=fix option when applying the patch with git am.
>

On the whitespace issue, if you are an emacs person, there is a command:

alt-x whitespace-cleanup

that you should run on a file after you make changes.

I have

'(show-trailing-whitespace t))

in my .emacs file, which shows all whitespace as red...which properly motivates you to clean it up as soon as possible. I'm not sure the comparable vi settings, but I know they exist.

From edewata at redhat.com Wed Jul 27 05:51:56 2011
From: edewata at redhat.com (Endi Sukma Dewata)
Date: Wed, 27 Jul 2011 00:51:56 -0500
Subject: [Freeipa-devel] [PATCH] 0270-removing-setters-setup-and-init
In-Reply-To: <4E2F253F.9050608@redhat.com>
References: <4E2614DD.4090301@redhat.com> <4E26157A.5080609@redhat.com> <4E2729F2.3010409@redhat.com> <4E273193.4080506@redhat.com> <4E276E10.4010207@redhat.com> <4E278D5C.9020803@redhat.com> <4E28E8C4.6040201@redhat.com> <4E29989B.4090209@redhat.com> <4E29B0EA.6010909@redhat.com> <4E2A0698.6000402@redhat.com> <4E2DA048.8040507@redhat.com> <4E2E07CE.5070902@redhat.com> <4E2F253F.9050608@redhat.com>
Message-ID: <4E2FA77C.3090709@redhat.com>

On 7/26/2011 3:36 PM, Adam Young wrote:
>> 41. The radio buttons in the 'As Whom' section in sudo rule section are missing the labels. It should show the doc attributes of the ipasudorunasusercategory and ipasudorunasgroupcategory.
> Fixed

These labels (sudo.js:1033,1069) should be followed by "a colon and a space" like the other labels (see the original code).

56. The IPA.spacer_widget should be removed from dns.js and widget.js as we discussed before.

57. The parameter validation in IPA.column (widget.js:1131) doesn't really look that different from other initialization code in line 1172, so we can move it into the initialization area too.

58. The create() in IPA.add_dialog (add.js:46) is unnecessary.

59. The initialization area in IPA.association_adder_dialog (association.js:212) should be marked with a comment.

60. The pkey_name in IPA.association_facet (association.js:664) should not be defined inside a block because it will be used outside the block. JS allows this but we should avoid that. Maybe it should be changed into an instance variable.

61. Instead of modifying spec.columns in IPA.association_facet (association.js:670-676), we can revert it back to call create_column() and move it into the initialization area along with the pkey_name in issue #60. Optional: A similar logic can be applied to adder_columns as well. This will eliminate create_adder_column() invocation in IPA.host_managedby_host_facet and maybe IPA.service_managedby_host_facet too.

62. Since the code in #60 and #61 is moved to initialization area, the spec.link can be reverted back to that.link.

63. This is an existing issue. There's an initialization code in IPA.association_facet that calls create_adder_column() (association.js:726-729), this can be moved down as well.

64. The code in setup_columns() in IPA.association_facet is originally from init(), so it should be called from the initialization area instead of from create_content().

65. The parameter validation in IPA.adder_dialog (dialog.js:308) can be moved into the initialization area. Same reason as #57.

66. The add_section() invocations in IPA.hbacrule_details_facet should be moved into the initialization area because they are originally from init().

67. The table widget initialization in IPA.search_facet (search.js:52-89) is originally from init(), so it should be moved into the initialization area.

68. The add_section() and host_section() invocations in IPA.sudorule_details_facet should be moved into the initialization area.

69. The initialization code in IPA.sudo.options_section (sudo.js:603-638) should be moved into the initialization area.

70. The initialization code in IPA.sudo.rule_details_command_section (sudo.js:784-823) should be moved into the initialization area.

71. The initialization area in IPA.sudo.rule_details_runas_section (sudo.js:1137) should be marked with a comment.

72. There's a whitespace warning.

--
Endi S. Dewata

From mkosek at redhat.com Wed Jul 27 09:05:44 2011
From: mkosek at redhat.com (Martin Kosek)
Date: Wed, 27 Jul 2011 11:05:44 +0200
Subject: [Freeipa-devel] [PATCH] 101 Fix invalid issuer in unit tests
Message-ID: <1311757546.12277.7.camel@dhcp-25-52.brq.redhat.com>

Fix several test failures when issuer does not match the one generated by make-testcert (CN=Certificate Authority,O=).

https://fedorahosted.org/freeipa/ticket/1527

-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-mkosek-101-fix-invalid-issuer-in-unit-tests.patch
Type: text/x-patch
Size: 2708 bytes
Desc: not available
URL:

From mkosek at redhat.com Wed Jul 27 09:28:34 2011
From: mkosek at redhat.com (Martin Kosek)
Date: Wed, 27 Jul 2011 11:28:34 +0200
Subject: [Freeipa-devel] [PATCH] 102 Fix automountkey-add summary
Message-ID: <1311758916.12277.8.camel@dhcp-25-52.brq.redhat.com>

The summary value was set to invalid primary key - automount map instead of automount key.

https://fedorahosted.org/freeipa/ticket/1524

-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-mkosek-102-fix-automountkey-add-summary.patch
Type: text/x-patch
Size: 1129 bytes
Desc: not available
URL:

From pvoborni at redhat.com Wed Jul 27 13:01:37 2011
From: pvoborni at redhat.com (Petr Vobornik)
Date: Wed, 27 Jul 2011 15:01:37 +0200
Subject: [Freeipa-devel] [PATCH] 002 Fixed adding host without DNS reverse zone
In-Reply-To: <4E2F6A96.706@redhat.com>
References: <1311679630.2338.61.camel@dhcp-25-197.brq.redhat.com> <4E2F4932.3080409@redhat.com> <4E2F6A96.706@redhat.com>
Message-ID: <1311771699.2079.6.camel@dhcp-25-197.brq.redhat.com>

On Tue, 2011-07-26 at 21:32 -0400, Adam Young wrote:
> On 07/26/2011 07:09 PM, Endi Sukma Dewata wrote:
> > On 7/26/2011 6:27 AM, Petr Vobornik wrote:
> >> Fixed adding host without DNS reverse zone
> >>
> >> https://fedorahosted.org/freeipa/ticket/1481
> >>
> >> Shows status dialog instead of error dialog (error 4304 is treated like success).
> >>
> >> This patch is fixing the problem, but maybe in a wrong way.
> >>
> >> Main problem was that error has to be treated like success. This decision is done in command.execute() method.
> >>
> >> There are two ways to do it
> >> 1) Interrupt error handling - transform error to success
> >> 2) Interrupt success handling - don't let success be transformed into error.
> >>
> >> Solution is using the second option. But I think first option is better. But there are obstacles:
> >> - handling is done in private function (for me ipa.js line ~ 290)
> >> - there is an extend point - setting on_error method. Problem is that this method is executed only if command.retry is false (default is true). Setting it to false will disable usage of error dialog (which is private function). So I would lose functionality for normal errors. Reordering these lines isn't an option because it would affect a lot of code.
> >> - one way would be to extract code for error dialog and make it a regular reusable dialog (with command as parameter). This way it can be used in custom error handler.
> >>
> >>
> >> Is it ACKable, or is it better to do it as described?
> >>
> >> Petr
> >
> > Hi Petr,
> >
> > The new is_custom_success and on_custom_success attributes in IPA.command somehow compete with the original on_success because they serve a similar purpose. I think it's better to make the default error dialog in IPA.command public so it can be used by other code as well.
> >
> > We have a global variable IPA.error_dialog which stores the DOM element for the error dialog. I think we can convert it into a global object which you can open/close to show the default error dialog. The original DOM element can be stored in a 'container' attribute in that object.
> >
> > In other words, convert dialog_open() into IPA.error_dialog.open(), move the original IPA.error_dialog into IPA.error_dialog.container. Set retry to false when invoking IPA.command, then specify an error handler which will catch error 4304. For other errors you'll display the default error dialog.
> >
> > There are also some warnings about trailing whitespaces when applying the patch. You can remove them by adding the --whitespace=fix option when applying the patch with git am.
> >
> On the whitespace issue, if you are an emacs person, there is a command: alt-x whitespace-cleanup that you should run on a file after you make changes.
>
>
> I have
> '(show-trailing-whitespace t))
> in my .emacs file, which shows all whitespace as red...which properly motivates you to clean it up as soon as possible. I'm not sure the comparable vi settings, but I know they exist.
>
> _______________________________________________
> Freeipa-devel mailing list
> Freeipa-devel at redhat.com
> https://www.redhat.com/mailman/listinfo/freeipa-devel

Reworked.
- Refactored error dialog.
- Changed context of calling command.on_success and command.on_error methods from $.ajax's object to command.
- Added generic message dialog (IPA.message_dialog) (not changed from previous)

Should be without trailing whitespaces. :)

Petr

-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-pvoborni-0002-1-Fixed-adding-host-without-DNS-reverse-zone.patch
Type: text/x-patch
Size: 10445 bytes
Desc: not available
URL:

From jcholast at redhat.com Wed Jul 27 13:08:20 2011
From: jcholast at redhat.com (Jan Cholasta)
Date: Wed, 27 Jul 2011 15:08:20 +0200
Subject: [Freeipa-devel] [PATCH] 35 Fix external CA install
In-Reply-To: <4E2EFB77.1090607@redhat.com>
References: <4E2EC577.6000005@redhat.com> <4E2EFB77.1090607@redhat.com>
Message-ID: <4E300DC4.3060804@redhat.com>

On 26.7.2011 19:37, Rob Crittenden wrote:
> Jan Cholasta wrote:
>> This patch contains several small fixes of external CA install.
>>
>> https://fedorahosted.org/freeipa/ticket/1523
>>
>
> This is a good start at simplifying things but needs a bit more work. One thing I was bending over backwards for was to handle whatever options were thrown at us. Here is a situation this does not handle very gracefully:
>
> # ipa-server-install --external_cert_file=/home/rcrit/cadb/sub/ipa.crt --external_ca_file=/home/rcrit/cadb/sub/ca.crt --external-ca
> The following operations may take some minutes to complete.
> Please wait until the prompt is returned.
>
> Configuring ntpd
>   [1/4]: stopping ntpd
>   [2/4]: writing configuration
>   [3/4]: configuring ntpd to start on boot
>   [4/4]: starting ntpd
> done configuring ntpd.
> Configuring directory server for the CA: Estimated time 30 seconds
>   [1/3]: creating directory server user
>   [2/3]: creating directory server instance
>   [3/3]: restarting directory server
> done configuring pkids.
> CA is not installed yet. To install with an external CA is a two-stage process.
> First run the installer with --external-ca.
>
> rob

Moved the input validation to the beginning of main(), so that the errors are caught sooner.

Honza

--
Jan Cholasta
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-jcholast-35.1-external-ca-fix.patch
Type: text/x-patch
Size: 6420 bytes
Desc: not available
URL:

From mkosek at redhat.com Wed Jul 27 13:11:42 2011
From: mkosek at redhat.com (Martin Kosek)
Date: Wed, 27 Jul 2011 15:11:42 +0200
Subject: [Freeipa-devel] [PATCH] 102 Fix automountkey-add summary
In-Reply-To: <1311758916.12277.8.camel@dhcp-25-52.brq.redhat.com>
References: <1311758916.12277.8.camel@dhcp-25-52.brq.redhat.com>
Message-ID: <1311772305.12277.11.camel@dhcp-25-52.brq.redhat.com>

On Wed, 2011-07-27 at 11:28 +0200, Martin Kosek wrote:
> The summary value was set to invalid primary key - automount map instead of automount key.
>
> https://fedorahosted.org/freeipa/ticket/1524
>

The other commands' summary may be wrong in some cases as well. Updated patch fixes summary for all automountkey commands.

Martin

-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-mkosek-102-2-fix-automountkey-add-summary.patch
Type: text/x-patch
Size: 2810 bytes
Desc: not available
URL:

From abokovoy at redhat.com Wed Jul 27 13:12:16 2011
From: abokovoy at redhat.com (Alexander Bokovoy)
Date: Wed, 27 Jul 2011 16:12:16 +0300
Subject: [Freeipa-devel] [PATCH] 0007 Add command to test HBAC rules
In-Reply-To: <4E2F1BC3.3050109@redhat.com>
References: <1383009380.228321.1311613060175.JavaMail.root@zmail05.collab.prod.int.phx2.redhat.com> <4E2DA179.9030906@redhat.com> <4E2DDC71.5080202@redhat.com> <4E2E3321.3070704@redhat.com> <4E2E9892.8030402@redhat.com> <4E2F1BC3.3050109@redhat.com>
Message-ID: <4E300EB0.2020205@redhat.com>

On 26.07.2011 22:55, Dmitri Pal wrote:
> The tests imply that there are deny rules. We removed them so very soon
> there would be no deny rules. Should the results of the test show
> something like:
>
> ------------------------------
> Access granted : True
> ------------------------------
> Granted by:
> ------------------------------
> X
> Y
> Z
>
> Or
> ------------------------------
> Access granted : False
> ------------------------------
> Access not granted by any allow rule
> ------------------------------
>
>
> (I do not think you have a test for this case...)
>
>
> Or (for backward compatibility)
> ------------------------------
> Access granted : False
> ------------------------------
> Granted by:
> ------------------------------
> X
> Y
> Z
> ------------------------------
> Denied by:
> ------------------------------
> A
> B
> C
>
>
> This format seems to be more scriptable. You do not need to deal with
> escaping commas if they are used in the name of the rule.
> But I do not insist - this is just an example of potential output. Rob,
> Martin do you have any comments, suggestions?

I decided to go with prefixed one rule per line output with
'matched'/'notmatched'/'error' prefix. I also changed default for
detailed output and exposed --nodetail to inhibit it, as Rob has pointed
out.

$ ./ipa hbactest --user=a1a --host=f1f --srchost=f2f --service=ssh
--------------------
Access granted: True
--------------------
matched: allow_all
notmatched: my-second-rule
notmatched: my-third-rule
notmatched: myrule
notmatched: ?????, ???

This is scriptable and also returns granted/not-granted result in $? so
you can easily test in shell whether ipa command was successful or not.

Attached is the patch with unit tests and it can be considered for
inclusion.

--
/ Alexander Bokovoy

-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: freeipa-abbra-0007-3-add-hbactest-command.patch

From: mkosek at redhat.com (Martin Kosek)
Date: Wed, 27 Jul 2011 15:31:38 +0200
Subject: [Freeipa-devel] [PATCH] 103 Fix automountkey-mod
Message-ID: <1311773501.12277.12.camel@dhcp-25-52.brq.redhat.com>

Fix automountkey-mod so that automountkey attribute is correctly
updated. Add this test case to the unit tests.

https://fedorahosted.org/freeipa/ticket/1528

-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-mkosek-103-fix-automountkey-mod.patch
Type: text/x-patch
Size: 2858 bytes
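The one-rule-per-line 'matched'/'notmatched'/'error' output and the granted/not-granted exit status that Alexander describes in the hbactest thread above, as an added stand-alone example (not FreeIPA's hbactest plugin or the pyhbac bindings): rules and requests are plain dicts, evaluate_rule() is a constructed stand-in for pyhbac's evaluate(), and parse_hbactest_output() shows the scripting side, including a rule name containing a comma.

```python
"""Constructed stand-in for hbactest-style per-rule evaluation and output.

Added example, not FreeIPA code: rules are dicts whose elements are either
the string "all" (category ALL) or a set of names; the output and exit
status follow the conventions described in the mailing-list message.
"""

MATCHED, NOTMATCHED, ERROR = "matched", "notmatched", "error"
ELEMENTS = ("user", "host", "srchost", "service")


def evaluate_rule(rule, request):
    """Classify one rule against one access request.

    The rule matches when every element covers the request value. A rule
    that lacks an element, or whose element has the wrong type, cannot be
    evaluated and is reported as an error instead of being silently
    counted as a non-match.
    """
    for element in ELEMENTS:
        if element not in rule:
            return ERROR
        allowed = rule[element]
        if allowed == "all":
            continue
        if not isinstance(allowed, (set, frozenset)):
            return ERROR
        if request[element] not in allowed:
            return NOTMATCHED
    return MATCHED


def hbactest(rules, request):
    """Evaluate every rule and return (exit_status, output_lines).

    Access is granted only when at least one rule matched. Rules that could
    not be evaluated never grant access but are listed, so an operator can
    see that the evaluation was incomplete. Exit status 0 means granted,
    1 means not granted, matching the shell convention in the message.
    """
    buckets = {MATCHED: [], NOTMATCHED: [], ERROR: []}
    for rule in rules:
        buckets[evaluate_rule(rule, request)].append(rule["name"])

    granted = bool(buckets[MATCHED])
    lines = ["-" * 20, "Access granted: %s" % granted, "-" * 20]
    for prefix in (MATCHED, NOTMATCHED, ERROR):
        lines.extend("%s: %s" % (prefix, name) for name in buckets[prefix])
    return (0 if granted else 1), lines


def parse_hbactest_output(lines):
    """Parse the one-rule-per-line output back into a dict, as a consuming
    script would. Splitting on the first ': ' only means a rule name may
    contain commas or colons without any escaping."""
    result = {"granted": None, MATCHED: [], NOTMATCHED: [], ERROR: []}
    for line in lines:
        if line.startswith("Access granted: "):
            result["granted"] = line[len("Access granted: "):] == "True"
            continue
        if ": " not in line:
            continue  # separator lines
        prefix, name = line.split(": ", 1)
        if prefix in result:
            result[prefix].append(name)
    return result


# Constructed sample data: a category-ALL rule, two specific rules (one
# with a comma in its name) and one malformed rule missing "service".
SAMPLE_RULES = [
    {"name": "allow_all", "user": "all", "host": "all",
     "srchost": "all", "service": "all"},
    {"name": "admins, ssh", "user": {"a1a"}, "host": {"f1f"},
     "srchost": "all", "service": {"ssh"}},
    {"name": "myrule", "user": {"bob"}, "host": {"f1f"},
     "srchost": "all", "service": {"ssh"}},
    {"name": "broken-rule", "user": {"a1a"}, "host": "all",
     "srchost": "all"},
]
SAMPLE_REQUEST = {"user": "a1a", "host": "f1f", "srchost": "f2f",
                  "service": "ssh"}

if __name__ == "__main__":
    status, output = hbactest(SAMPLE_RULES, SAMPLE_REQUEST)
    print("\n".join(output))
    raise SystemExit(status)
```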
From: rcritten at redhat.com (Rob Crittenden)
Date: Wed, 27 Jul 2011 09:54:55 -0400
Subject: [Freeipa-devel] [PATCH] 840 don't set host passwords as expired
Message-ID: <4E3018AF.4060200@redhat.com>

Setting a host password once the host has already been enrolled will
result in an expired password (like most passwords we set). We can just
skip setting this at all on hosts.

Test using this method:

* ipa host-add --random
* ipa-client-install --password '***'
* ipa-client-install --uninstall
* ipa host-mod --random
* ipa-client-install --password '***'

If the second enrollment works the patch succeeded. Previously it would
fail with "Password expired".

rob

-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-rcrit-840-password.patch
Type: application/mbox
Size: 28696 bytes

From: rcritten at redhat.com (Rob Crittenden)
Date: Wed, 27 Jul 2011 10:10:22 -0400
Subject: [Freeipa-devel] [PATCH] 101 Fix invalid issuer in unit tests
In-Reply-To: <1311757546.12277.7.camel@dhcp-25-52.brq.redhat.com>
References: <1311757546.12277.7.camel@dhcp-25-52.brq.redhat.com>
Message-ID: <4E301C4E.5080609@redhat.com>

Martin Kosek wrote:
> Fix several test failures when issuer does not match the one
> generated by make-testcert (CN=Certificate Authority,O=).
>
> https://fedorahosted.org/freeipa/ticket/1527
>

What kind of CA are you testing against? Right now the subject of the
issue differs whether you are installing a dogtag CA or a self-signed
CA. I think that unifying those will be needed as well.

rob
From: rcritten at redhat.com (Rob Crittenden)
Date: Wed, 27 Jul 2011 10:16:33 -0400
Subject: [Freeipa-devel] [PATCH] 840 don't set host passwords as expired
In-Reply-To: <4E3018AF.4060200@redhat.com>
References: <4E3018AF.4060200@redhat.com>
Message-ID: <4E301DC1.7020107@redhat.com>

Rob Crittenden wrote:
> When setting a host password once the host has already been enrolled
> will result in an expired password (like most passwords we set). We can
> just skip setting this at all on hosts.
>
> Test using this method:
>
> * ipa host-add --random
> * ipa-client-install --password '***'
> * ipa-client-install --uninstall
> * ipa host-mod --random
> * ipa-client-install --password '***'
>
> If the second enrollment works the patch succeeded. Previously it would
> fail with "Password expired".
>
> rob

Sorry, talk about overcommit! Here is just the interesting bits.

rob

-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-rcrit-840-2-password.patch
Type: application/mbox
Size: 2539 bytes
From: mkosek at redhat.com (Martin Kosek)
Date: Wed, 27 Jul 2011 16:17:38 +0200
Subject: [Freeipa-devel] [PATCH] 101 Fix invalid issuer in unit tests
In-Reply-To: <4E301C4E.5080609@redhat.com>
References: <1311757546.12277.7.camel@dhcp-25-52.brq.redhat.com> <4E301C4E.5080609@redhat.com>
Message-ID: <1311776260.12277.13.camel@dhcp-25-52.brq.redhat.com>

On Wed, 2011-07-27 at 10:10 -0400, Rob Crittenden wrote:
> Martin Kosek wrote:
> > Fix several test failures when issuer does not match the one
> > generated by make-testcert (CN=Certificate Authority,O=).
> >
> > https://fedorahosted.org/freeipa/ticket/1527
> >
>
> What kind of CA are you testing against? Right now the subject of the
> issue differs whether you are installing a dogtag CA or a self-signed
> CA. I think that unifying those will be needed as well.
>
> rob

That was tested against dogtag CA. We indeed need to unify this so that
people are not confused by errors like this.

Martin
From: rcritten at redhat.com (Rob Crittenden)
Date: Wed, 27 Jul 2011 10:26:28 -0400
Subject: [Freeipa-devel] [PATCH] 839 check for duplicate keys when adding indirect maps
In-Reply-To: <4E2D86DE.1030304@redhat.com>
References: <4E2D78C5.60507@redhat.com> <1311606141.15492.32.camel@dhcp-25-52.brq.redhat.com> <4E2D86DE.1030304@redhat.com>
Message-ID: <4E302014.3030607@redhat.com>

Rob Crittenden wrote:
> Martin Kosek wrote:
>> On Mon, 2011-07-25 at 10:08 -0400, Rob Crittenden wrote:
>>> When adding an indirect map verify that the key doesn't already exist.
>>>
>>> There is still the chance of collision but checking first should limit
>>> it in any case.
>>>
>>> https://fedorahosted.org/freeipa/ticket/1520
>>>
>>> rob
>>
>> This patch is OK functionally, but it can be improved. This command
>> consists of 2 sub-commands. Checking for one sub-command's corner-case
>> (by automountkey_show) may be OK for now, but it doesn't cover a
>> situation when second sub-command fails for some other error.
>>
>> I think this is what we should do:
>>
>> try:
>>     automountmap_add
>>     automountkey_add
>> except Exception, e:
>>     Clean up - remove possibly created automountmap
>>     raise e
>>
>> That way we will be covered for more corner-cases + we will save one
>> automountkey_show and speed up the command.
>>
>> Martin
>>
>
> Except in the case where a user is delegated to only be able to add
> maps/keys and not remove them.
>
> Still, this method is easier to understand, I'll consider it.
>
> rob

Updated patch attached.

rob

-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-rcrit-839-2-automount.patch
Type: application/mbox
Size: 2502 bytes
From: rcritten at redhat.com (Rob Crittenden)
Date: Wed, 27 Jul 2011 10:35:03 -0400
Subject: [Freeipa-devel] [PATCH] 102 Fix automountkey-add summary
In-Reply-To: <1311772305.12277.11.camel@dhcp-25-52.brq.redhat.com>
References: <1311758916.12277.8.camel@dhcp-25-52.brq.redhat.com> <1311772305.12277.11.camel@dhcp-25-52.brq.redhat.com>
Message-ID: <4E302217.6090400@redhat.com>

Martin Kosek wrote:
> On Wed, 2011-07-27 at 11:28 +0200, Martin Kosek wrote:
>> The summary value was set to invalid primary key - automount map
>> instead of automount key.
>>
>> https://fedorahosted.org/freeipa/ticket/1524
>>
>
> The other commands' summary may be wrong in some cases as well. Updated
> patch fixes summary for all automountkey commands.
>
> Martin

nack

ipalib/plugins/automount.py:926: [E0602, automountkey_show.execute]
Undefined variable 'key'

I think you meant to set result['value'] = options['automountkey']

rob
From: rcritten at redhat.com (Rob Crittenden)
Date: Wed, 27 Jul 2011 10:41:50 -0400
Subject: [Freeipa-devel] [PATCH] 103 Fix automountkey-mod
In-Reply-To: <1311773501.12277.12.camel@dhcp-25-52.brq.redhat.com>
References: <1311773501.12277.12.camel@dhcp-25-52.brq.redhat.com>
Message-ID: <4E3023AE.4060500@redhat.com>

Martin Kosek wrote:
> Fix automountkey-mod so that automountkey attribute is correctly
> updated. Add this test case to the unit tests.
>
> https://fedorahosted.org/freeipa/ticket/1528

It fixes the problem but I've found another: --key isn't required so if
you don't pass it in then a backtrace will occur:

Traceback (most recent call last):
  File "/home/rcrit/redhat/freeipa-master/ipaserver/rpcserver.py", line 220, in wsgi_execute
    result = self.Command[name](*args, **options)
  File "/home/rcrit/redhat/freeipa-master/ipalib/frontend.py", line 425, in __call__
    ret = self.run(*args, **options)
  File "/home/rcrit/redhat/freeipa-master/ipalib/frontend.py", line 731, in run
    return self.execute(*args, **options)
  File "/home/rcrit/redhat/freeipa-master/ipalib/plugins/automount.py", line 873, in execute
    keys += (self.obj.get_pk(options['automountkey'],
KeyError: 'automountkey'

Also, automountinformation is already required. This may be a leftover
from when we used it in description, this can probably be lifted too.

rob
From: mkosek at redhat.com (Martin Kosek)
Date: Wed, 27 Jul 2011 16:42:11 +0200
Subject: [Freeipa-devel] [PATCH] 839 check for duplicate keys when adding indirect maps
In-Reply-To: <4E302014.3030607@redhat.com>
References: <4E2D78C5.60507@redhat.com> <1311606141.15492.32.camel@dhcp-25-52.brq.redhat.com> <4E2D86DE.1030304@redhat.com> <4E302014.3030607@redhat.com>
Message-ID: <1311777733.12277.17.camel@dhcp-25-52.brq.redhat.com>

On Wed, 2011-07-27 at 10:26 -0400, Rob Crittenden wrote:
> Rob Crittenden wrote:
> > Martin Kosek wrote:
> >> On Mon, 2011-07-25 at 10:08 -0400, Rob Crittenden wrote:
> >>> When adding an indirect map verify that the key doesn't already exist.
> >>>
> >>> There is still the chance of collision but checking first should limit
> >>> it in any case.
> >>>
> >>> https://fedorahosted.org/freeipa/ticket/1520
> >>>
> >>> rob
> >>
> >> This patch is OK functionally, but it can be improved. This command
> >> consists of 2 sub-commands. Checking for one sub-command's corner-case
> >> (by automountkey_show) may be OK for now, but it doesn't cover a
> >> situation when second sub-command fails for some other error.
> >>
> >> I think this is what we should do:
> >>
> >> try:
> >>     automountmap_add
> >>     automountkey_add
> >> except Exception, e:
> >>     Clean up - remove possibly created automountmap
> >>     raise e
> >>
> >> That way we will be covered for more corner-cases + we will save one
> >> automountkey_show and speed up the command.
> >>
> >> Martin
> >>
> >
> > Except in the case where a user is delegated to only be able to add
> > maps/keys and not remove them.
> >
> > Still, this method is easier to understand, I'll consider it.
> >
> > rob
>
> Updated patch attached.
>
> rob

ACK.

It could be useful to check that automountmap created by faulty
automountmap_add_indirect is really not created. But since you are
already working on rewriting automount unit tests it would be OK to add
it there.

Martin
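The two-step add with compensating cleanup that Martin sketches in the patch 839 thread, together with the case Rob raises where the caller is delegated permission to add maps and keys but not to delete them, as an added example that is not FreeIPA's automount plugin: FakeDirectory is a constructed in-memory stand-in for the LDAP backend and its delegation checks, and the command names mirror the thread only.

```python
"""Added example, not FreeIPA code: automountmap_add_indirect as
"add map, add key, roll the map back if the key fails", including the
case where the rollback itself is not permitted for this caller.
"""


class PermissionDenied(Exception):
    """The caller lacks the delegated permission for this operation."""


class DuplicateEntry(Exception):
    """An entry with this name already exists."""


class OrphanedEntry(Exception):
    """Rollback failed: the half-created entry could not be removed."""


class FakeDirectory:
    """Constructed stand-in for the directory backend.

    Maps are stored as {map name: {key: info}}; `permissions` is the set
    of operations delegated to the caller, e.g. {"add"} or {"add", "delete"}.
    """

    def __init__(self, permissions):
        self.maps = {}
        self.permissions = set(permissions)

    def _require(self, permission):
        if permission not in self.permissions:
            raise PermissionDenied("'%s' is not delegated to this caller" % permission)

    def automountmap_add(self, map_name):
        self._require("add")
        if map_name in self.maps:
            raise DuplicateEntry("map %r already exists" % map_name)
        self.maps[map_name] = {}

    def automountkey_add(self, map_name, key, info):
        self._require("add")
        keys = self.maps[map_name]  # KeyError if the parent map is missing
        if key in keys:
            raise DuplicateEntry("key %r already exists in map %r" % (key, map_name))
        keys[key] = info

    def automountmap_del(self, map_name):
        self._require("delete")
        del self.maps[map_name]


def automountmap_add_indirect(directory, parent_map, key, map_name):
    """Create map_name and a key in parent_map pointing at it.

    If the second step fails for any reason (duplicate key, missing parent
    map, ...), remove the map created by the first step so no orphan is
    left behind, then re-raise the original error. If the caller cannot
    delete, report both failures rather than hiding the orphan.
    """
    directory.automountmap_add(map_name)
    try:
        directory.automountkey_add(parent_map, key, map_name)
    except Exception as key_error:
        try:
            directory.automountmap_del(map_name)
        except PermissionDenied as cleanup_error:
            raise OrphanedEntry(
                "adding key %r failed (%s) and map %r could not be removed (%s)"
                % (key, key_error, map_name, cleanup_error)) from key_error
        raise
    return {"map": map_name, "parent": parent_map, "key": key}
```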
From: mkosek at redhat.com (Martin Kosek)
Date: Wed, 27 Jul 2011 17:00:03 +0200
Subject: [Freeipa-devel] [PATCH] 102 Fix automountkey-add summary
In-Reply-To: <4E302217.6090400@redhat.com>
References: <1311758916.12277.8.camel@dhcp-25-52.brq.redhat.com> <1311772305.12277.11.camel@dhcp-25-52.brq.redhat.com> <4E302217.6090400@redhat.com>
Message-ID: <1311778805.12277.20.camel@dhcp-25-52.brq.redhat.com>

On Wed, 2011-07-27 at 10:35 -0400, Rob Crittenden wrote:
> Martin Kosek wrote:
> > On Wed, 2011-07-27 at 11:28 +0200, Martin Kosek wrote:
> >> The summary value was set to invalid primary key - automount map
> >> instead of automount key.
> >>
> >> https://fedorahosted.org/freeipa/ticket/1524
> >>
> >
> > The other commands' summary may be wrong in some cases as well. Updated
> > patch fixes summary for all automountkey commands.
> >
> > Martin
>
> nack
>
> ipalib/plugins/automount.py:926: [E0602, automountkey_show.execute]
> Undefined variable 'key'
>
> I think you meant to set result['value'] = options['automountkey']
>
> rob

Ah, that's embarrassing. That happens when one makes "just one small
change before commit". Attaching fixed patch.

Martin

-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-mkosek-102-3-fix-automountkey-add-summary.patch
Type: text/x-patch
Size: 2830 bytes
From: rcritten at redhat.com (Rob Crittenden)
Date: Wed, 27 Jul 2011 11:13:11 -0400
Subject: [Freeipa-devel] [PATCH] 102 Fix automountkey-add summary
In-Reply-To: <1311778805.12277.20.camel@dhcp-25-52.brq.redhat.com>
References: <1311758916.12277.8.camel@dhcp-25-52.brq.redhat.com> <1311772305.12277.11.camel@dhcp-25-52.brq.redhat.com> <4E302217.6090400@redhat.com> <1311778805.12277.20.camel@dhcp-25-52.brq.redhat.com>
Message-ID: <4E302B07.3040306@redhat.com>

Martin Kosek wrote:
> On Wed, 2011-07-27 at 10:35 -0400, Rob Crittenden wrote:
>> Martin Kosek wrote:
>>> On Wed, 2011-07-27 at 11:28 +0200, Martin Kosek wrote:
>>>> The summary value was set to invalid primary key - automount map
>>>> instead of automount key.
>>>>
>>>> https://fedorahosted.org/freeipa/ticket/1524
>>>>
>>>
>>> The other commands' summary may be wrong in some cases as well. Updated
>>> patch fixes summary for all automountkey commands.
>>>
>>> Martin
>>
>> nack
>>
>> ipalib/plugins/automount.py:926: [E0602, automountkey_show.execute]
>> Undefined variable 'key'
>>
>> I think you meant to set result['value'] = options['automountkey']
>>
>> rob
>
> Ah, that's embarrassing. That happens when one makes "just one small
> change before commit". Attaching fixed patch.
>
> Martin

ack
From: ayoung at redhat.com (Adam Young)
Date: Wed, 27 Jul 2011 11:35:47 -0400
Subject: [Freeipa-devel] [PATCH] 102 Fix automountkey-add summary
In-Reply-To: <4E302B07.3040306@redhat.com>
References: <1311758916.12277.8.camel@dhcp-25-52.brq.redhat.com> <1311772305.12277.11.camel@dhcp-25-52.brq.redhat.com> <4E302217.6090400@redhat.com> <1311778805.12277.20.camel@dhcp-25-52.brq.redhat.com> <4E302B07.3040306@redhat.com>
Message-ID: <4E303053.10102@redhat.com>

On 07/27/2011 11:13 AM, Rob Crittenden wrote:
> Martin Kosek wrote:
>> On Wed, 2011-07-27 at 10:35 -0400, Rob Crittenden wrote:
>>> Martin Kosek wrote:
>>>> On Wed, 2011-07-27 at 11:28 +0200, Martin Kosek wrote:
>>>>> The summary value was set to invalid primary key - automount map
>>>>> instead of automount key.
>>>>>
>>>>> https://fedorahosted.org/freeipa/ticket/1524
>>>>>
>>>>
>>>> The other commands' summary may be wrong in some cases as well.
>>>> Updated
>>>> patch fixes summary for all automountkey commands.
>>>>
>>>> Martin
>>>
>>> nack
>>>
>>> ipalib/plugins/automount.py:926: [E0602, automountkey_show.execute]
>>> Undefined variable 'key'
>>>
>>> I think you meant to set result['value'] = options['automountkey']
>>>
>>> rob
>>
>> Ah, that's embarrassing. That happens when one makes "just one small
>> change before commit". Attaching fixed patch.
>>
>> Martin
>
> ack

Before you push: was it tested against the UI?
From: jhrozek at redhat.com (Jakub Hrozek)
Date: Wed, 27 Jul 2011 17:37:05 +0200
Subject: [Freeipa-devel] [PATCH] 0007 Add command to test HBAC rules
In-Reply-To: <4E300EB0.2020205@redhat.com>
References: <1383009380.228321.1311613060175.JavaMail.root@zmail05.collab.prod.int.phx2.redhat.com> <4E2DA179.9030906@redhat.com> <4E2DDC71.5080202@redhat.com> <4E2E3321.3070704@redhat.com> <4E2E9892.8030402@redhat.com> <4E2F1BC3.3050109@redhat.com> <4E300EB0.2020205@redhat.com>
Message-ID: <4E3030A1.1000409@redhat.com>

On 07/27/2011 03:12 PM, Alexander Bokovoy wrote:
> +        for ipa_rule in rules:
> +            try:
> +                res = request.evaluate([ipa_rule])
> +                if res == pyhbac.HBAC_EVAL_ALLOW:
> +                    matched_rules.append(ipa_rule.name)
> +                if res == pyhbac.HBAC_EVAL_DENY:
> +                    notmatched_rules.append(ipa_rule.name)
> +            except pyhbac.HbacError as (code, rule_name):
> +                if code == pyhbac.HBAC_EVAL_ERROR:
> +                    error_rules.append(rule_name)
> +            except (TypeError, IOError) as (info):
> +                self.log.error('Native IPA HBAC module error: %s' % (info))
> +

I think this is OK. The only other exception the bindings might raise is
a MemoryError, but I think this should just propagate all the way up..

One suggestion might be to extend the branch that catches
pyhbac.HbacError with a string representation of the error. Something
like:

self.log.error("Error while evaluating rule %s: %s" % (rule_name, hbac_result_string(core))
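Review bot: the `except (TypeError, IOError)` branch only logs and then continues the loop, so a rule whose evaluation raised one of those errors is added to none of matched_rules, notmatched_rules or error_rules and silently disappears from the 'matched'/'notmatched'/'error' output; append `ipa_rule.name` to `error_rules` in that branch (or re-raise) so the caller can see the evaluation was incomplete. The same gap exists for an `evaluate()` return value that is neither HBAC_EVAL_ALLOW nor HBAC_EVAL_DENY, and for an HbacError whose `code` is not HBAC_EVAL_ERROR: both fall through without recording the rule, so an `else` that records it in `error_rules` would close the hole.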
From: rcritten at redhat.com (Rob Crittenden)
Date: Wed, 27 Jul 2011 11:46:17 -0400
Subject: [Freeipa-devel] [PATCH] 102 Fix automountkey-add summary
In-Reply-To: <4E303053.10102@redhat.com>
References: <1311758916.12277.8.camel@dhcp-25-52.brq.redhat.com> <1311772305.12277.11.camel@dhcp-25-52.brq.redhat.com> <4E302217.6090400@redhat.com> <1311778805.12277.20.camel@dhcp-25-52.brq.redhat.com> <4E302B07.3040306@redhat.com> <4E303053.10102@redhat.com>
Message-ID: <4E3032C9.2040807@redhat.com>

Adam Young wrote:
> On 07/27/2011 11:13 AM, Rob Crittenden wrote:
>> Martin Kosek wrote:
>>> On Wed, 2011-07-27 at 10:35 -0400, Rob Crittenden wrote:
>>>> Martin Kosek wrote:
>>>>> On Wed, 2011-07-27 at 11:28 +0200, Martin Kosek wrote:
>>>>>> The summary value was set to invalid primary key - automount map
>>>>>> instead of automount key.
>>>>>>
>>>>>> https://fedorahosted.org/freeipa/ticket/1524
>>>>>>
>>>>>
>>>>> The other commands' summary may be wrong in some cases as well.
>>>>> Updated
>>>>> patch fixes summary for all automountkey commands.
>>>>>
>>>>> Martin
>>>>
>>>> nack
>>>>
>>>> ipalib/plugins/automount.py:926: [E0602, automountkey_show.execute]
>>>> Undefined variable 'key'
>>>>
>>>> I think you meant to set result['value'] = options['automountkey']
>>>>
>>>> rob
>>>
>>> Ah, that's embarrassing. That happens when one makes "just one small
>>> change before commit". Attaching fixed patch.
>>>
>>> Martin
>>
>> ack
>
> Before you push: was it tested against the UI?
>

This is just summary information, the banner printed when a command is
completed. I didn't think you used the summary in the UI but in any case
it will still just be text.

rob
From: mkosek at redhat.com (Martin Kosek)
Date: Wed, 27 Jul 2011 18:00:08 +0200
Subject: [Freeipa-devel] [PATCH] 103 Fix automountkey-mod
In-Reply-To: <4E3023AE.4060500@redhat.com>
References: <1311773501.12277.12.camel@dhcp-25-52.brq.redhat.com> <4E3023AE.4060500@redhat.com>
Message-ID: <1311782411.12277.24.camel@dhcp-25-52.brq.redhat.com>

On Wed, 2011-07-27 at 10:41 -0400, Rob Crittenden wrote:
> Martin Kosek wrote:
> > Fix automountkey-mod so that automountkey attribute is correctly
> > updated. Add this test case to the unit tests.
> >
> > https://fedorahosted.org/freeipa/ticket/1528
>
> It fixes the problem but I've found another: --key isn't required so if
> you don't pass it in then a backtrace will occur:
>
> Traceback (most recent call last):
>   File "/home/rcrit/redhat/freeipa-master/ipaserver/rpcserver.py", line 220, in wsgi_execute
>     result = self.Command[name](*args, **options)
>   File "/home/rcrit/redhat/freeipa-master/ipalib/frontend.py", line 425, in __call__
>     ret = self.run(*args, **options)
>   File "/home/rcrit/redhat/freeipa-master/ipalib/frontend.py", line 731, in run
>     return self.execute(*args, **options)
>   File "/home/rcrit/redhat/freeipa-master/ipalib/plugins/automount.py", line 873, in execute
>     keys += (self.obj.get_pk(options['automountkey'],
> KeyError: 'automountkey'
>
> Also, automountinformation is already required. This may be a leftover
> from when we used it in description, this can probably be lifted too.
>
> rob

Good catch. I fixed this bug too and I also made --newinfo optional so
that automountkey may be just renamed without changing its info
attribute.

I didn't bump up API VERSION as these are either compatible changes or
they caused server internal error.

Martin

-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-mkosek-103-2-fix-automountkey-mod.patch
Type: text/x-patch
Size: 9048 bytes
From: dpal at redhat.com (Dmitri Pal)
Date: Wed, 27 Jul 2011 12:11:51 -0400
Subject: [Freeipa-devel] [PATCH] 103 Fix automountkey-mod
In-Reply-To: <1311782411.12277.24.camel@dhcp-25-52.brq.redhat.com>
References: <1311773501.12277.12.camel@dhcp-25-52.brq.redhat.com> <4E3023AE.4060500@redhat.com> <1311782411.12277.24.camel@dhcp-25-52.brq.redhat.com>
Message-ID: <4E3038C7.4090205@redhat.com>

On 07/27/2011 12:00 PM, Martin Kosek wrote:
> On Wed, 2011-07-27 at 10:41 -0400, Rob Crittenden wrote:
>> Martin Kosek wrote:
>>> Fix automountkey-mod so that automountkey attribute is correctly
>>> updated. Add this test case to the unit tests.
>>>
>>> https://fedorahosted.org/freeipa/ticket/1528
>> It fixes the problem but I've found another: --key isn't required so if
>> you don't pass it in then a backtrace will occur:
>>
>> Traceback (most recent call last):
>>   File "/home/rcrit/redhat/freeipa-master/ipaserver/rpcserver.py", line 220, in wsgi_execute
>>     result = self.Command[name](*args, **options)
>>   File "/home/rcrit/redhat/freeipa-master/ipalib/frontend.py", line 425, in __call__
>>     ret = self.run(*args, **options)
>>   File "/home/rcrit/redhat/freeipa-master/ipalib/frontend.py", line 731, in run
>>     return self.execute(*args, **options)
>>   File "/home/rcrit/redhat/freeipa-master/ipalib/plugins/automount.py", line 873, in execute
>>     keys += (self.obj.get_pk(options['automountkey'],
>> KeyError: 'automountkey'
>>
>> Also, automountinformation is already required. This may be a leftover
>> from when we used it in description, this can probably be lifted too.
>>
>> rob
> Good catch. I fixed this bug too and I also made --newinfo optional so
> that automountkey may be just renamed without changing its info
> attribute.
>
> I didn't bump up API VERSION as these are either compatible changes or
> they caused server internal error.
>
> Martin

Should the ticket be moved into 2.1 July sprint then?

--
Thank you,
Dmitri Pal

Sr. Engineering Manager IPA project,
Red Hat Inc.

-------------------------------
Looking to carve out IT costs?
www.redhat.com/carveoutcosts/
From: mkosek at redhat.com (Martin Kosek)
Date: Wed, 27 Jul 2011 18:15:18 +0200
Subject: [Freeipa-devel] [PATCH] 103 Fix automountkey-mod
In-Reply-To: <4E3038C7.4090205@redhat.com>
References: <1311773501.12277.12.camel@dhcp-25-52.brq.redhat.com> <4E3023AE.4060500@redhat.com> <1311782411.12277.24.camel@dhcp-25-52.brq.redhat.com> <4E3038C7.4090205@redhat.com>
Message-ID: <1311783321.12277.26.camel@dhcp-25-52.brq.redhat.com>

On Wed, 2011-07-27 at 12:11 -0400, Dmitri Pal wrote:
> On 07/27/2011 12:00 PM, Martin Kosek wrote:
> > On Wed, 2011-07-27 at 10:41 -0400, Rob Crittenden wrote:
> > > Martin Kosek wrote:
> > > > Fix automountkey-mod so that automountkey attribute is correctly
> > > > updated. Add this test case to the unit tests.
> > > >
> > > > https://fedorahosted.org/freeipa/ticket/1528
> > > It fixes the problem but I've found another: --key isn't required so if
> > > you don't pass it in then a backtrace will occur:
> > >
> > > Traceback (most recent call last):
> > >   File "/home/rcrit/redhat/freeipa-master/ipaserver/rpcserver.py", line 220, in wsgi_execute
> > >     result = self.Command[name](*args, **options)
> > >   File "/home/rcrit/redhat/freeipa-master/ipalib/frontend.py", line 425, in __call__
> > >     ret = self.run(*args, **options)
> > >   File "/home/rcrit/redhat/freeipa-master/ipalib/frontend.py", line 731, in run
> > >     return self.execute(*args, **options)
> > >   File "/home/rcrit/redhat/freeipa-master/ipalib/plugins/automount.py", line 873, in execute
> > >     keys += (self.obj.get_pk(options['automountkey'],
> > > KeyError: 'automountkey'
> > >
> > > Also, automountinformation is already required. This may be a leftover
> > > from when we used it in description, this can probably be lifted too.
> > >
> > > rob
> > Good catch. I fixed this bug too and I also made --newinfo optional so
> > that automountkey may be just renamed without changing its info
> > attribute.
> >
> > I didn't bump up API VERSION as these are either compatible changes or
> > they caused server internal error.
> >
> > Martin
>
> Should the ticket be moved into 2.1 July sprint then?

Yes, I would like this to be included in 2.1. I will move ticket to
correct milestone (2.1) if we manage to review&push it before release.

Martin

From: mkosek at redhat.com (Martin Kosek)
Date: Wed, 27 Jul 2011 18:26:51 +0200
Subject: [Freeipa-devel] [PATCH] 102 Fix automountkey-add summary
In-Reply-To: <4E302B07.3040306@redhat.com>
References: <1311758916.12277.8.camel@dhcp-25-52.brq.redhat.com> <1311772305.12277.11.camel@dhcp-25-52.brq.redhat.com> <4E302217.6090400@redhat.com> <1311778805.12277.20.camel@dhcp-25-52.brq.redhat.com> <4E302B07.3040306@redhat.com>
Message-ID: <1311784013.12277.27.camel@dhcp-25-52.brq.redhat.com>

On Wed, 2011-07-27 at 11:13 -0400, Rob Crittenden wrote:
> Martin Kosek wrote:
> > On Wed, 2011-07-27 at 10:35 -0400, Rob Crittenden wrote:
> >> Martin Kosek wrote:
> >>> On Wed, 2011-07-27 at 11:28 +0200, Martin Kosek wrote:
> >>>> The summary value was set to invalid primary key - automount map
> >>>> instead of automount key.
> >>>>
> >>>> https://fedorahosted.org/freeipa/ticket/1524
> >>>>
> >>>
> >>> The other commands' summary may be wrong in some cases as well. Updated
> >>> patch fixes summary for all automountkey commands.
> >>>
> >>> Martin
> >>
> >> nack
> >>
> >> ipalib/plugins/automount.py:926: [E0602, automountkey_show.execute]
> >> Undefined variable 'key'
> >>
> >> I think you meant to set result['value'] = options['automountkey']
> >>
> >> rob
> >
> > Ah, that's embarrassing. That happens when one makes "just one small
> > change before commit". Attaching fixed patch.
> >
> > Martin
>
> ack

Pushed to master, ipa-2-0 (this version had to be merged).

Martin
From: ayoung at redhat.com (Adam Young)
Date: Wed, 27 Jul 2011 12:33:44 -0400
Subject: [Freeipa-devel] [PATCH] 0270-removing-setters-setup-and-init
In-Reply-To: <4E2FA77C.3090709@redhat.com>
References: <4E2614DD.4090301@redhat.com> <4E26157A.5080609@redhat.com> <4E2729F2.3010409@redhat.com> <4E273193.4080506@redhat.com> <4E276E10.4010207@redhat.com> <4E278D5C.9020803@redhat.com> <4E28E8C4.6040201@redhat.com> <4E29989B.4090209@redhat.com> <4E29B0EA.6010909@redhat.com> <4E2A0698.6000402@redhat.com> <4E2DA048.8040507@redhat.com> <4E2E07CE.5070902@redhat.com> <4E2F253F.9050608@redhat.com> <4E2FA77C.3090709@redhat.com>
Message-ID: <4E303DE8.6080902@redhat.com>

This applies on top of my old patch 270 version 13. Changes are in a
separate patch due to the size of the original. When submitted, I can
squash the two patches into one.

I have not rebased on top of the latest changes, as that would involve
changing patch 270. I will do so prior to pushing.

On 07/27/2011 01:51 AM, Endi Sukma Dewata wrote:
> On 7/26/2011 3:36 PM, Adam Young wrote:
>>> 41. The radio buttons in the 'As Whom' section in sudo rule section
>>> are missing the labels. It should show the doc attributes of the
>>> ipasudorunasusercategory and ipasudorunasgroupcategory.
>> Fixed
>
> These labels (sudo.js:1033,1069) should be followed by "a colon and a
> space" like the other labels (see the original code).

Done

> 56. The IPA.spacer_widget should be removed from dns.js and widget.js
> as we discussed before.

Done

> 57. The parameter validation in IPA.column (widget.js:1131) doesn't
> really look that different from other initialization code in line
> 1172, so we can move it into the initialization area too.

This is precondition checking. Note that it merely throws an exception
if the entity_name is not set. I want this stuff at the top of the
function so that it is obvious to people looking to use them what is
required. I added a comment to make this clear, but I'd like to keep
precondition checking at the top of the function.

> 58. The create() in IPA.add_dialog (add.js:46) is unnecessary.

removed

> 59. The initialization area in IPA.association_adder_dialog
> (association.js:212) should be marked with a comment.

Done

> 60. The pkey_name in IPA.association_facet (association.js:664) should
> not be defined inside a block because it will be used outside the
> block. JS allows this but we should avoid that. Maybe it should be
> changed into an instance variable.
>
> 61. Instead of modifying spec.columns in IPA.association_facet
> (association.js:670-676), we can revert it back to call
> create_column() and move it into the initialization area along with
> the pkey_name in issue #60.

Moved the whole thing to setup_columns, and use the that. variables
instead of the spec

> Optional: A similar logic can be applied to adder_columns as well.
> This will eliminate create_adder_column() invocation in
> IPA.host_managedby_host_facet and maybe
> IPA.service_managedby_host_facet too.

Let's do this in its own patch.

> 62. Since the code in #60 and #61 is moved to initialization area, the
> spec.link can be reverted back to that.link.

Removed link. I don't see where it is used. Tested without it and
everything seems to work fine.

> 63. This is an existing issue. There's an initialization code in
> IPA.association_facet that calls create_adder_column()
> (association.js:726-729), this can be moved down as well.

Done

> 64. The code in setup_columns() in IPA.association_facet is originally
> from init(), so it should be called from the initialization area
> instead of from create_content().

done

> 65. The parameter validation in IPA.adder_dialog (dialog.js:308) can
> be moved into the initialization area. Same reason as #57.

Leaving. Same reason.

> 66. The add_section() invocations in IPA.hbacrule_details_facet should
> be moved into the initialization area because they are originally from
> init().

Done

> 67. The table widget initialization in IPA.search_facet
> (search.js:52-89) is originally from init(), so it should be moved
> into the initialization area.

Has to be here, or you have endless recursion due to get_entity
circular references.

> 68. The add_section() and host_section() invocations in
> IPA.sudorule_details_facet should be moved into the initialization area.

Done

> 69. The initialization code in IPA.sudo.options_section
> (sudo.js:603-638) should be moved into the initialization area.

Done

> 70. The initialization code in IPA.sudo.rule_details_command_section
> (sudo.js:784-823) should be moved into the initialization area.

Done

> 71. The initialization area in IPA.sudo.rule_details_runas_section
> (sudo.js:1137) should be marked with a comment.

Done

> 72. There's a whitespace warning.

Fixed

-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-admiyo-0278-init-and-setup-method-removal.patch
Type: text/x-patch
Size: 23108 bytes
From: ayoung at redhat.com (Adam Young) Date: Wed, 27 Jul 2011 12:35:09 -0400 Subject: [Freeipa-devel] [PATCH] 103 Fix automountkey-mod In-Reply-To: <1311783321.12277.26.camel@dhcp-25-52.brq.redhat.com> References: <1311773501.12277.12.camel@dhcp-25-52.brq.redhat.com> <4E3023AE.4060500@redhat.com> <1311782411.12277.24.camel@dhcp-25-52.brq.redhat.com> <4E3038C7.4090205@redhat.com> <1311783321.12277.26.camel@dhcp-25-52.brq.redhat.com> Message-ID: <4E303E3D.9030903@redhat.com> On 07/27/2011 12:15 PM, Martin Kosek wrote: > On Wed, 2011-07-27 at 12:11 -0400, Dmitri Pal wrote: >> On 07/27/2011 12:00 PM, Martin Kosek wrote: >>> On Wed, 2011-07-27 at 10:41 -0400, Rob Crittenden wrote: >>>> Martin Kosek wrote: >>>>> Fix automountkey-mod so that automountkey attribute is correctly >>>>> updated. Add this test case to the unit tests. >>>>> >>>>> https://fedorahosted.org/freeipa/ticket/1528 >>>> It fixes the problem but I've found another: --key isn't required so if >>>> you don't pass it in then a backtrace will occur: >>>> >>>> Traceback (most recent call last): >>>> File "/home/rcrit/redhat/freeipa-master/ipaserver/rpcserver.py", line >>>> 220, in wsgi_execute >>>> result = self.Command[name](*args, **options) >>>> File "/home/rcrit/redhat/freeipa-master/ipalib/frontend.py", line >>>> 425, in __call__ >>>> ret = self.run(*args, **options) >>>> File "/home/rcrit/redhat/freeipa-master/ipalib/frontend.py", line >>>> 731, in run >>>> return self.execute(*args, **options) >>>> File "/home/rcrit/redhat/freeipa-master/ipalib/plugins/automount.py", >>>> line 873, in execute >>>> keys += (self.obj.get_pk(options['automountkey'], >>>> KeyError: 'automountkey' >>>> >>>> Also, automountinformation is already required. This may be a leftover >>>> from when we used it in description, this can probably be lifted too. >>>> >>>> rob >>> Good catch. I fixed this bug too and I also made --newinfo optional so >>> that automountkey may be just renamed without changing its info >>> attribute. 
>>> >>> I didn't bump up API VERSION as these are either compatible changes or >>> they caused server internal error. >>> >>> Martin >> Should the ticket be moved into 2.1 July sprint then? > Yes, I would like this to be included in 2.1. I will move ticket to > correct milestone (2.1) if we manage to review&push it before release. > > Martin Please test with the UI, to ensure you haven't broken the mod functionality. Specifically, test the Automount key details page. From rcritten at redhat.com Wed Jul 27 17:30:36 2011 
From: rcritten at redhat.com (Rob Crittenden) Date: Wed, 27 Jul 2011 13:30:36 -0400 Subject: [Freeipa-devel] [PATCH] 35 Fix external CA install In-Reply-To: <4E300DC4.3060804@redhat.com> References: <4E2EC577.6000005@redhat.com> <4E2EFB77.1090607@redhat.com> <4E300DC4.3060804@redhat.com> Message-ID: <4E304B3C.6070309@redhat.com> Jan Cholasta wrote: > On 26.7.2011 19:37, Rob Crittenden wrote: >> Jan Cholasta wrote: >>> This patch contains several small fixes of external CA install. >>> >>> https://fedorahosted.org/freeipa/ticket/1523 >>> >> >> This is a good start at simplifying things but needs a bit more work. >> One thing I was bending over backwards for was to handle whatever >> options were thrown at us. Here is a situation this does not handle very >> gracefully: >> >> # ipa-server-install --external_cert_file=/home/rcrit/cadb/sub/ipa.crt >> --external_ca_file=/home/rcrit/cadb/sub/ca.crt --external-ca >> The following operations may take some minutes to complete. >> Please wait until the prompt is returned. >> >> Configuring ntpd >> [1/4]: stopping ntpd >> [2/4]: writing configuration >> [3/4]: configuring ntpd to start on boot >> [4/4]: starting ntpd >> done configuring ntpd. >> Configuring directory server for the CA: Estimated time 30 seconds >> [1/3]: creating directory server user >> [2/3]: creating directory server instance >> [3/3]: restarting directory server >> done configuring pkids. >> CA is not installed yet. To install with an external CA is a two-stage >> process. >> First run the installer with --external-ca. >> >> rob > > Moved the input validation to the beginning of main(), so that the > errors are caught sooner. > > Honza > Working great, ack. pushed to master and ipa-2-0 rob From rcritten at redhat.com Wed Jul 27 17:52:35 2011 
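The fix agreed in the thread above is to validate the external-CA options at the start of main(), before ntpd and the directory server are reconfigured, so that a run like the one quoted fails immediately instead of after several minutes of work. The following is an added example, not ipa-server-install's own code: it classifies the option set into the stage of the two-stage install it describes and rejects inconsistent combinations up front. The option names follow the command line quoted above; the Options container, the step lists and the run_install wrapper are constructed for the demo.

```python
"""Added example (not ipa-server-install code): fail-fast validation of the
external-CA options before any service is touched."""

from dataclasses import dataclass
from typing import List, Optional, Tuple


class OptionError(ValueError):
    """Inconsistent options; raised before anything has been reconfigured."""


@dataclass
class Options:
    external_ca: bool = False                 # --external-ca
    external_cert_file: Optional[str] = None  # --external_cert_file
    external_ca_file: Optional[str] = None    # --external_ca_file


def external_ca_stage(opts: Options, csr_issued: bool = False) -> str:
    """Classify the run as 'builtin' (self-signed CA), 'stage1' (produce the
    CSR for the external CA and stop) or 'stage2' (finish with the signed
    certificate).  csr_issued says whether stage 1 already ran on this host."""
    have_certs = (opts.external_cert_file is not None
                  or opts.external_ca_file is not None)
    if opts.external_ca and have_certs:
        raise OptionError("--external-ca cannot be combined with "
                          "--external_cert_file/--external_ca_file")
    if opts.external_ca:
        return "stage1"
    if have_certs:
        if opts.external_cert_file is None or opts.external_ca_file is None:
            raise OptionError("--external_cert_file and --external_ca_file "
                              "must be given together")
        if not csr_issued:
            raise OptionError("CA is not installed yet. To install with an "
                              "external CA is a two-stage process. First run "
                              "the installer with --external-ca.")
        return "stage2"
    return "builtin"


# Constructed step lists: what each kind of run would configure.
STEPS = {
    "builtin": ["ntpd", "dirsrv", "ca"],
    "stage1": ["ntpd", "dirsrv", "ca-csr"],
    "stage2": ["ca-import-cert", "finish"],
}


def run_install(opts: Options, csr_issued: bool = False) -> Tuple[str, List[str]]:
    """Validate first, then run; return the outcome and the steps that ran.
    On an option error nothing has run, so the step list is empty."""
    try:
        stage = external_ca_stage(opts, csr_issued)
    except OptionError as e:
        return ("error: " + str(e), [])
    done = []
    for step in STEPS[stage]:
        done.append(step)  # a real installer would configure the service here
    return (stage, done)
```

The important property is that every OptionError is raised from external_ca_stage() before the step loop starts, so a bad combination never leaves half-configured services behind.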
From: rcritten at redhat.com (Rob Crittenden) Date: Wed, 27 Jul 2011 13:52:35 -0400 Subject: [Freeipa-devel] [PATCH 32/32] Make AVA, RDN & DN comparison case insensitive. No need for lowercase normalization. In-Reply-To: <201107262135.p6QLZYjf029106@int-mx12.intmail.prod.int.phx2.redhat.com> References: <201107262135.p6QLZYjf029106@int-mx12.intmail.prod.int.phx2.redhat.com> Message-ID: <4E305063.7070608@redhat.com> John Dennis wrote: > Replace deepcopy with constructor (i.e. type call) > Can now "clone" with configuration changes by passing object > of the same type to its constructor, e.g. > dn1 = DN(('cn', 'foo')) > dn2 = DN(dn1) > dn2 = DN(dn1, first_key_match=False) > > Remove pairwise grouping for RDN's. Had previously removed it > for DN's, left it in for RDN's because it seemed to make sense > because of the way RDN's work but consistency is a higher goal. > > Add keyword constructor parameters to pass configuration options. > > Make first_key_match a configuration keyword. > > Updated documentation. > > Updated unit test. > > FWIW, I noticed the unittest is now running 2x faster, not sure why, > removal of deepcopy? Anyway, hard to argue with performance doubling. The constructor for RDN changed. It now requires tuples, is this the pairwise grouping you mention in the commit message? I played around with creating a variety of DNs, RDNs and AVAs and everything seems to work as expected, so a qualified ack. I'm just curious why RDNs require tuples. rob From rcritten at redhat.com Wed Jul 27 18:53:47 2011 
From: rcritten at redhat.com (Rob Crittenden) Date: Wed, 27 Jul 2011 14:53:47 -0400 Subject: [Freeipa-devel] [PATCH] 103 Fix automountkey-mod In-Reply-To: <1311783321.12277.26.camel@dhcp-25-52.brq.redhat.com> References: <1311773501.12277.12.camel@dhcp-25-52.brq.redhat.com> <4E3023AE.4060500@redhat.com> <1311782411.12277.24.camel@dhcp-25-52.brq.redhat.com> <4E3038C7.4090205@redhat.com> <1311783321.12277.26.camel@dhcp-25-52.brq.redhat.com> Message-ID: <4E305EBB.8090708@redhat.com> Martin Kosek wrote: > On Wed, 2011-07-27 at 12:11 -0400, Dmitri Pal wrote: >> On 07/27/2011 12:00 PM, Martin Kosek wrote: >>> On Wed, 2011-07-27 at 10:41 -0400, Rob Crittenden wrote: >>>> Martin Kosek wrote: >>>>> Fix automountkey-mod so that automountkey attribute is correctly >>>>> updated. Add this test case to the unit tests. >>>>> >>>>> https://fedorahosted.org/freeipa/ticket/1528 >>>> It fixes the problem but I've found another: --key isn't required so if >>>> you don't pass it in then a backtrace will occur: >>>> >>>> Traceback (most recent call last): >>>> File "/home/rcrit/redhat/freeipa-master/ipaserver/rpcserver.py", line >>>> 220, in wsgi_execute >>>> result = self.Command[name](*args, **options) >>>> File "/home/rcrit/redhat/freeipa-master/ipalib/frontend.py", line >>>> 425, in __call__ >>>> ret = self.run(*args, **options) >>>> File "/home/rcrit/redhat/freeipa-master/ipalib/frontend.py", line >>>> 731, in run >>>> return self.execute(*args, **options) >>>> File "/home/rcrit/redhat/freeipa-master/ipalib/plugins/automount.py", >>>> line 873, in execute >>>> keys += (self.obj.get_pk(options['automountkey'], >>>> KeyError: 'automountkey' >>>> >>>> Also, automountinformation is already required. This may be a leftover >>>> from when we used it in description, this can probably be lifted too. >>>> >>>> rob >>> Good catch. I fixed this bug too and I also made --newinfo optional so >>> that automountkey may be just renamed without changing its info >>> attribute. 
>>> >>> I didn't bump up API VERSION as these are either compatible changes or >>> they caused server internal error. >>> >>> Martin >> >> Should the ticket be moved into 2.1 July sprint then? > > Yes, I would like this to be included in 2.1. I will move ticket to > correct milestone (2.1) if we manage to review&push it before release. > > Martin nack. Something is up with _mod. I can't be sure it is this patch or it was always here. In the UI every change wanted to try to rename the entry. On the command-line I wasn't able to update the info at all. rob From rcritten at redhat.com Wed Jul 27 19:02:55 2011 
From: rcritten at redhat.com (Rob Crittenden) Date: Wed, 27 Jul 2011 15:02:55 -0400 Subject: [Freeipa-devel] [PATCH] 839 check for duplicate keys when adding indirect maps In-Reply-To: <1311777733.12277.17.camel@dhcp-25-52.brq.redhat.com> References: <4E2D78C5.60507@redhat.com> <1311606141.15492.32.camel@dhcp-25-52.brq.redhat.com> <4E2D86DE.1030304@redhat.com> <4E302014.3030607@redhat.com> <1311777733.12277.17.camel@dhcp-25-52.brq.redhat.com> Message-ID: <4E3060DF.60707@redhat.com> Martin Kosek wrote: > On Wed, 2011-07-27 at 10:26 -0400, Rob Crittenden wrote: >> Rob Crittenden wrote: >>> Martin Kosek wrote: >>>> On Mon, 2011-07-25 at 10:08 -0400, Rob Crittenden wrote: >>>>> When adding an indirect map verify that the key doesn't already exist. >>>>> >>>>> There is still the chance of collision but checking first should limit >>>>> it in any case. >>>>> >>>>> https://fedorahosted.org/freeipa/ticket/1520 >>>>> >>>>> rob >>>> >>>> This patch is OK functionally, but it can be improved. This command >>>> consists of 2 sub-commands. Checking for one sub-command's corner-case >>>> (by automountkey_show) may be OK for now, but it doesn't cover a >>>> situation when second sub-command fails for some other error. >>>> >>>> I think this is what we should do: >>>> >>>> try: >>>> automountmap_add >>>> automountkey_add >>>> except Exception, e: >>>> Clean up - remove possibly created automountmap >>>> raise e >>>> >>>> That way we will be covered for more corner-cases + we will save one >>>> automountkey_show and speed up the command. >>>> >>>> Martin >>>> >>> >>> Except in the case where a user is delegated to only be able to add >>> maps/keys and not remove them. >>> >>> Still, this method is easier to understand, I'll consider it. >>> >>> rob >> >> Updated patch attached. >> >> rob > > ACK. > > It could be useful to check that automountmap created by faulty > automountmap_add_indirect is really not created. 
But since you are > already working on rewriting automount unit tests it would be OK to add > it there. > > Martin > pushed to master and ipa-2-0 From edewata at redhat.com Wed Jul 27 19:56:19 2011 
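The cleanup pattern Martin sketches in the thread above (create the map, create the key, and on failure remove the map again) is worth seeing in full, together with the caveat Rob raises: an admin delegated to add maps and keys but not to delete them cannot perform the cleanup, so the original error must still win and the leftover map must be reported. The following is an added example, not FreeIPA's automount plugin code. FakeBackend is a constructed in-memory stand-in for the LDAP-backed automountmap_add/automountkey_add/automountmap_del commands, and DuplicateEntry and AccessDenied stand in for the corresponding ipalib.errors classes (both assumptions); the parentmap and mount parameters mirror the command's --parentmap and --mount options.

```python
"""Added example (not the FreeIPA automount plugin): a two-step command that
undoes its first step when the second fails, and copes with a refused undo."""

import logging

log = logging.getLogger("automount_demo")


class DuplicateEntry(Exception):
    """Stand-in for ipalib.errors.DuplicateEntry (assumption)."""


class AccessDenied(Exception):
    """Stand-in for an ACI-denied operation (assumption)."""


class FakeBackend:
    """Constructed store: location -> map name -> {key: info}.
    can_delete=False models an admin delegated to add but not remove."""

    def __init__(self, can_delete=True):
        self.maps = {}
        self.can_delete = can_delete

    def automountmap_add(self, location, mapname):
        maps = self.maps.setdefault(location, {})
        if mapname in maps:
            raise DuplicateEntry("map %r already exists" % mapname)
        maps[mapname] = {}

    def automountkey_add(self, location, mapname, key, info):
        keys = self.maps[location][mapname]
        if key in keys:
            raise DuplicateEntry("key %r already exists in %r" % (key, mapname))
        keys[key] = info

    def automountmap_del(self, location, mapname):
        if not self.can_delete:
            raise AccessDenied("deleting maps is not permitted")
        del self.maps[location][mapname]


def automountmap_add_indirect(backend, location, mapname,
                              parentmap="auto.master", mount=None):
    """Add map `mapname`, then a key in `parentmap` pointing at it (the key
    name defaults to the map name, as with --mount).  Undo the map creation
    if the key cannot be added; if the undo is refused, log the leftover map
    but still raise the original error, not the cleanup error."""
    key = mount or mapname
    backend.automountmap_add(location, mapname)
    try:
        backend.automountkey_add(location, parentmap, key, mapname)
    except Exception as err:
        try:
            backend.automountmap_del(location, mapname)
        except Exception as cleanup_err:
            log.error("map %r was created but could not be removed after the "
                      "key add failed: %s", mapname, cleanup_err)
        raise err
    return {"location": location, "map": mapname,
            "parentmap": parentmap, "key": key}


def try_add_indirect(backend, location, mapname):
    """Run the command; return None on success or the exception class name."""
    try:
        automountmap_add_indirect(backend, location, mapname)
        return None
    except Exception as err:
        return type(err).__name__
```

With can_delete=True a duplicate key in the parent map leaves no trace; with can_delete=False the caller still gets the DuplicateEntry, but the orphaned map stays behind and is logged, which is exactly the situation the follow-up unit test Martin mentions should look for.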
From: edewata at redhat.com (Endi Sukma Dewata) Date: Wed, 27 Jul 2011 14:56:19 -0500 Subject: [Freeipa-devel] [PATCH] 0270-removing-setters-setup-and-init In-Reply-To: <4E303DE8.6080902@redhat.com> References: <4E2614DD.4090301@redhat.com> <4E26157A.5080609@redhat.com> <4E2729F2.3010409@redhat.com> <4E273193.4080506@redhat.com> <4E276E10.4010207@redhat.com> <4E278D5C.9020803@redhat.com> <4E28E8C4.6040201@redhat.com> <4E29989B.4090209@redhat.com> <4E29B0EA.6010909@redhat.com> <4E2A0698.6000402@redhat.com> <4E2DA048.8040507@redhat.com> <4E2E07CE.5070902@redhat.com> <4E2F253F.9050608@redhat.com> <4E2FA77C.3090709@redhat.com> <4E303DE8.6080902@redhat.com> Message-ID: <4E306D63.50500@redhat.com> On 7/27/2011 11:33 AM, Adam Young wrote: > This applies on top of my old patch 270 version 13. Changes are in a > separate patch due to the size of the original. When submitted, I can > squash the two patches into one. > > I have not rebased on top of the latest changes, as that would involve > changing patch 270. I will do so prior to pushing. As mentioned over IRC, I had to rebase your patches (see attachments) on top of my patch 224 and 225 in order to do proper testing. Please use this when making further changes. >> 57. The parameter validation in IPA.column (widget.js:1131) doesn't >> really look that different from other initialization code in line >> 1172, so we can move it into the initialization area too. > This is precondition checking. Note that it merely throws an exception > if the entity_name is not set. I want this stuff at the top of the > function so that it is obvious to people looking to use them what is > required. I added a comment to make this clear, but I'd like to keep > precondition checking at the top of the function. This is fine for now, although in general precondition checking could become complex, and in other OO languages the checking is done inside the constructor (i.e. in the initialization area, not in the attribute declaration area). >> 59. 
The initialization area in IPA.association_adder_dialog >> (association.js:212) should be marked with a comment. > Done The default_columns() invocation should be moved into the initialization area because this is not a precondition checking like in #57. The default_columns() function itself should be moved outside of the initialization area because the area should not contain function definition, only invocations. >> 62. Since the code in #60 and #61 is moved to initialization area, the >> spec.link can be reverted back to that.link. > > Removed link. I don't see where it is used. Tested without it and > everything seems to work fine. The link flag is used to create a link from the association facet to the target entity (see association.js:723 and widget.js:1152). The original code sets the flag to true by default. To test, create a netgroup and enroll a user. The user should be linked. 73. Patch 270 added options with empty labels to the cmdcategory in IPA.sudo.rule_details_command_section (sudo.js:786). This is not necessary because the widget is rendered in line 842-879, not using the radio_widget's create(). It might be possible to move the tables outside of cmdcategory's span and use radio_widget's create(), but that can be done in another patch. 74. This is probably a separate issue. The hbacrule-find doesn't return the rule type by default so the column is empty in HBAC rule search page. It needs an --all option. 75. In sudo rule details page, click the Add button to add users under the Who section. When there are many users, the external field covers the list of users. Prior to this patch the external field covers the list too, but not as much, so maybe it just needs some adjustments. 76. This is an existing problem. The click handler for the Find button in IPA.adder_dialog (dialog.js:466) should return false like the remove & add buttons below it. This can be fixed separately. 77. Regression: Changing the Allow command category in sudo rule doesn't work. 
It doesn't show undo button and reverts back when saved. 78. There are jslint and whitespace warnings in patch 278. -- Endi S. Dewata -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-admiyo-0270-14-removing-setters-setup-and-init.patch Type: text/x-patch Size: 193135 bytes Desc: not available URL: -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-admiyo-0278-1-init-and-setup-method-removal.patch Type: text/x-patch Size: 22954 bytes Desc: not available URL: From edewata at redhat.com Thu Jul 28 00:03:58 2011 From: edewata at redhat.com (Endi Sukma Dewata) Date: Wed, 27 Jul 2011 19:03:58 -0500 Subject: [Freeipa-devel] [PATCH] 224 Fixed problem setting host OTP. In-Reply-To: <4E2F3715.9040909@redhat.com> References: <4E2EDA87.5000706@redhat.com> <4E2F3715.9040909@redhat.com> Message-ID: <4E30A76E.8080608@redhat.com> On 7/26/2011 4:52 PM, Adam Young wrote: > On 07/26/2011 11:17 AM, Endi Sukma Dewata wrote: >> The handler for host 'Set OTP' button has been modified to obtain >> the primary key from the entity and return false to stop the normal >> event processing. >> >> Ticket #1511 > ACK Pushed to master. -- Endi S. Dewata From edewata at redhat.com Thu Jul 28 00:04:12 2011 From: edewata at redhat.com (Endi Sukma Dewata) Date: Wed, 27 Jul 2011 19:04:12 -0500 Subject: [Freeipa-devel] [PATCH] 225 Fixed hard-coded labels in sudo rules. In-Reply-To: <4E2F3706.7090101@redhat.com> References: <4E2EF70C.5010100@redhat.com> <4E2F3706.7090101@redhat.com> Message-ID: <4E30A77C.6060609@redhat.com> On 7/26/2011 4:52 PM, Adam Young wrote: > On 07/26/2011 01:19 PM, Endi Sukma Dewata wrote: >> The sudo rule interface has been modified to remove unused labels >> and use translated dialog box title. >> >> Ticket #1518 > ACK Pushed to master. -- Endi S. Dewata From edewata at redhat.com Thu Jul 28 00:05:12 2011 
From: edewata at redhat.com (Endi Sukma Dewata) Date: Wed, 27 Jul 2011 19:05:12 -0500 Subject: [Freeipa-devel] [PATCH] 226 Fixed hard-coded label in Find button. Message-ID: <4E30A7B8.1020900@redhat.com> The IPA.adder_dialog has been modified to use translated label for the Find button. Pushed to master under one-liner rule. -- Endi S. Dewata -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-edewata-0226-Fixed-hard-coded-label-in-Find-button.patch Type: text/x-patch Size: 873 bytes Desc: not available URL: From ayoung at redhat.com Thu Jul 28 01:14:08 2011 
From: ayoung at redhat.com (Adam Young) Date: Wed, 27 Jul 2011 21:14:08 -0400 Subject: [Freeipa-devel] [PATCH] 0270-removing-setters-setup-and-init In-Reply-To: <4E306D63.50500@redhat.com> References: <4E2614DD.4090301@redhat.com> <4E26157A.5080609@redhat.com> <4E2729F2.3010409@redhat.com> <4E273193.4080506@redhat.com> <4E276E10.4010207@redhat.com> <4E278D5C.9020803@redhat.com> <4E28E8C4.6040201@redhat.com> <4E29989B.4090209@redhat.com> <4E29B0EA.6010909@redhat.com> <4E2A0698.6000402@redhat.com> <4E2DA048.8040507@redhat.com> <4E2E07CE.5070902@redhat.com> <4E2F253F.9050608@redhat.com> <4E2FA77C.3090709@redhat.com> <4E303DE8.6080902@redhat.com> <4E306D63.50500@redhat.com> Message-ID: <4E30B7E0.90707@redhat.com> On 07/27/2011 03:56 PM, Endi Sukma Dewata wrote: > On 7/27/2011 11:33 AM, Adam Young wrote: >> This applies on top of my old patch 270 version 13. Changes are in a >> separate patch due to the size of the original. When submitted, I can >> squash the two patches into one. >> >> I have not rebased on top of the latest changes, as that would involve >> changing patch 270. I will do so prior to pushing. > > As mentioned over IRC, I had to rebase your patches (see attachments) > on top of my patch 224 and 225 in order to do proper testing. Please > use this when making further changes. > >>> 57. The parameter validation in IPA.column (widget.js:1131) doesn't >>> really look that different from other initialization code in line >>> 1172, so we can move it into the initialization area too. > >> This is precondition checking. Note that it merely throws an exception >> if the entity_name is not set. I want this stuff at the top of the >> function so that it is obvious to people looking to use them what is >> required. I added a comment to make this clear, but I'd like to keep >> precondition checking at the top of the function. 
> > This is fine for now, although in general precondition checking could > become complex, and in other OO languages the checking is done inside > the constructor (i.e. in the initialization area, not in the attribute > declaration area). > >>> 59. The initialization area in IPA.association_adder_dialog >>> (association.js:212) should be marked with a comment. >> Done > > The default_columns() invocation should be moved into the > initialization area because this is not a precondition checking like > in #57. The default_columns() function itself should be moved outside > of the initialization area because the area should not contain > function definition, only invocations. The columns need to be defined before the table setup in the base class, which is why it is done at the top of the function, prior to calling the baseclass. Going to leave this as is. > >>> 62. Since the code in #60 and #61 is moved to initialization area, the >>> spec.link can be reverted back to that.link. >> >> Removed link. I don't see where it is used. Tested without it and >> everything seems to work fine. > > The link flag is used to create a link from the association facet to > the target entity (see association.js:723 and widget.js:1152). The > original code sets the flag to true by default. > > To test, create a netgroup and enroll a user. The user should be linked. Still works. True is deduced by default. I think at this point you would have to send link = false to disable, and that probably makes no sense. Going to leave this as is. > > 73. Patch 270 added options with empty labels to the cmdcategory in > IPA.sudo.rule_details_command_section (sudo.js:786). This is not > necessary because the widget is rendered in line 842-879, not using > the radio_widget's create(). > Removed the empty labels > It might be possible to move the tables outside of cmdcategory's span > and use radio_widget's create(), but that can be done in another patch. > > 74. This is probably a separate issue. 
The hbacrule-find doesn't > return the rule type by default so the column is empty in HBAC rule > search page. It needs an --all option. Fixed > > 75. In sudo rule details page, click the Add button to add users under > the Who section. When there are many users, the external field covers > the list of users. Fixed > > Prior to this patch the external field covers the list too, but not as > much, so maybe it just needs some adjustments. > > 76. This is an existing problem. The click handler for the Find button > in IPA.adder_dialog (dialog.js:466) should return false like the > remove & add buttons below it. This can be fixed separately. Fixed > > 77. Regression: Changing the Allow command category in sudo rule > doesn't work. It doesn't show undo button and reverts back when saved. Fixed > > 78. There are jslint and whitespace warnings in patch 278. > Fixed -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-admiyo-0278-4-init-and-setup-method-removal.patch Type: text/x-patch Size: 26434 bytes Desc: not available URL: From edewata at redhat.com Thu Jul 28 05:26:00 2011 
From: edewata at redhat.com (Endi Sukma Dewata) Date: Thu, 28 Jul 2011 00:26:00 -0500 Subject: [Freeipa-devel] [PATCH] 0270-removing-setters-setup-and-init In-Reply-To: <4E30B7E0.90707@redhat.com> References: <4E2614DD.4090301@redhat.com> <4E26157A.5080609@redhat.com> <4E2729F2.3010409@redhat.com> <4E273193.4080506@redhat.com> <4E276E10.4010207@redhat.com> <4E278D5C.9020803@redhat.com> <4E28E8C4.6040201@redhat.com> <4E29989B.4090209@redhat.com> <4E29B0EA.6010909@redhat.com> <4E2A0698.6000402@redhat.com> <4E2DA048.8040507@redhat.com> <4E2E07CE.5070902@redhat.com> <4E2F253F.9050608@redhat.com> <4E2FA77C.3090709@redhat.com> <4E303DE8.6080902@redhat.com> <4E306D63.50500@redhat.com> <4E30B7E0.90707@redhat.com> Message-ID: <4E30F2E8.6030802@redhat.com> On 7/27/2011 8:14 PM, Adam Young wrote: >>>> 59. The initialization area in IPA.association_adder_dialog >>>> (association.js:212) should be marked with a comment. >>> Done >> >> The default_columns() invocation should be moved into the >> initialization area because this is not a precondition checking like >> in #57. The default_columns() function itself should be moved outside >> of the initialization area because the area should not contain >> function definition, only invocations. > > The columns need to be defined before the table setup in the base class, > which is why it is done at the top of the function, prior to calling the > baseclass. Going to leave this as is. Please add a note near default_columns() definition saying that the columns map in IPA.adder_dialog should be removed and the add_column() should be modified to add the column directly into the available_table and selected_table. This way IPA.association_adder_dialog can call create_column() from the initialization area, no need to modify the parameters. >>>> 62. Since the code in #60 and #61 is moved to initialization area, the >>>> spec.link can be reverted back to that.link. >>> >>> Removed link. I don't see where it is used. 
Tested without it and >>> everything seems to work fine. >> >> The link flag is used to create a link from the association facet to >> the target entity (see association.js:723 and widget.js:1152). The >> original code sets the flag to true by default. >> >> To test, create a netgroup and enroll a user. The user should be linked. > Still works. True is deduced by default. I think at this point you would > have to send link = false to disable, and that probably makes no sense. > Going to leave this as is. It still doesn't work for me. Make sure you are looking at "Members Users" facet in Netgroup, not the other way around. The reverse link from user to netgroup works because the flag is explicitly set in user.js. In netgroup.js and other files the link is not set, so it will use the default. All variables are undefined by default and considered false. The original code reversed the default. 79. Regression: The Unprovision button in host details page doesn't work. To test, enroll a host with this command: ipa-getkeytab -s localhost -p host/test.example.com -k test.keytab Then open the host details page. Click the "Delete Key, Unprovision" button, click Unprovision again, it will fail. The that.entity_name in host.js:381 should be changed to that.entity.name. -- Endi S. Dewata From abokovoy at redhat.com Thu Jul 28 07:44:18 2011 
From: abokovoy at redhat.com (Alexander Bokovoy) Date: Thu, 28 Jul 2011 10:44:18 +0300 Subject: [Freeipa-devel] [PATCH] 0007 Add command to test HBAC rules In-Reply-To: <4E3030A1.1000409@redhat.com> References: <1383009380.228321.1311613060175.JavaMail.root@zmail05.collab.prod.int.phx2.redhat.com> <4E2DA179.9030906@redhat.com> <4E2DDC71.5080202@redhat.com> <4E2E3321.3070704@redhat.com> <4E2E9892.8030402@redhat.com> <4E2F1BC3.3050109@redhat.com> <4E300EB0.2020205@redhat.com> <4E3030A1.1000409@redhat.com> Message-ID: <4E311352.5080104@redhat.com> On 27.07.2011 18:37, Jakub Hrozek wrote: > On 07/27/2011 03:12 PM, Alexander Bokovoy wrote: >> + for ipa_rule in rules: >> + try: >> + res = request.evaluate([ipa_rule]) >> + if res == pyhbac.HBAC_EVAL_ALLOW: >> + matched_rules.append(ipa_rule.name) >> + if res == pyhbac.HBAC_EVAL_DENY: >> + notmatched_rules.append(ipa_rule.name) >> + except pyhbac.HbacError as (code, rule_name): >> + if code == pyhbac.HBAC_EVAL_ERROR: >> + error_rules.append(rule_name) >> + except (TypeError, IOError) as (info): >> + self.log.error('Native IPA HBAC module error: %s' % (info)) >> + > > I think this is OK. The only other exception the bindings might raise is > a MemoryError, but I think this should just propagate all the way up.. > > One suggestion might be to extend the branch that catches > pyhbac.HbacError with a string representation of the error. Something like: > > self.log.error("Error while evaluating rule %s: %s" % (rule_name, > hbac_result_string(core)) Thanks. That was actually implied (with self.log.info() as we want to continue and report them as 'error' rules in the command's result) but I overlooked it. Fixed this now and also removed some residual debug prints in unit tests. Patch attached. -- / Alexander Bokovoy -------------- next part -------------- An embedded and charset-unspecified text was scrubbed... Name: freeipa-abbra-0007-4-add-hbactest-command.patch URL: From mkosek at redhat.com Thu Jul 28 09:49:20 2011 
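Review bot: in the quoted evaluation loop, a rule whose evaluate() call raises TypeError or IOError is logged and then dropped from the result: it ends up in none of matched_rules, notmatched_rules or error_rules, so the caller cannot tell it was ever considered; consider `error_rules.append(ipa_rule.name)` in that branch as well (ipa_rule is still in scope there). Likewise the HbacError branch records the rule only when code == pyhbac.HBAC_EVAL_ERROR and silently swallows any other code; logging code and rule_name there, as Jakub suggests, would cover that case too.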
From: mkosek at redhat.com (Martin Kosek) Date: Thu, 28 Jul 2011 11:49:20 +0200 Subject: [Freeipa-devel] [PATCH] 103 Fix automountkey-mod In-Reply-To: <4E305EBB.8090708@redhat.com> References: <1311773501.12277.12.camel@dhcp-25-52.brq.redhat.com> <4E3023AE.4060500@redhat.com> <1311782411.12277.24.camel@dhcp-25-52.brq.redhat.com> <4E3038C7.4090205@redhat.com> <1311783321.12277.26.camel@dhcp-25-52.brq.redhat.com> <4E305EBB.8090708@redhat.com> Message-ID: <1311846562.4103.2.camel@dhcp-25-52.brq.redhat.com> On Wed, 2011-07-27 at 14:53 -0400, Rob Crittenden wrote: > Martin Kosek wrote: > > On Wed, 2011-07-27 at 12:11 -0400, Dmitri Pal wrote: > >> On 07/27/2011 12:00 PM, Martin Kosek wrote: > >>> On Wed, 2011-07-27 at 10:41 -0400, Rob Crittenden wrote: > >>>> Martin Kosek wrote: > >>>>> Fix automountkey-mod so that automountkey attribute is correctly > >>>>> updated. Add this test case to the unit tests. > >>>>> > >>>>> https://fedorahosted.org/freeipa/ticket/1528 > >>>> It fixes the problem but I've found another: --key isn't required so if > >>>> you don't pass it in then a backtrace will occur: > >>>> > >>>> Traceback (most recent call last): > >>>> File "/home/rcrit/redhat/freeipa-master/ipaserver/rpcserver.py", line > >>>> 220, in wsgi_execute > >>>> result = self.Command[name](*args, **options) > >>>> File "/home/rcrit/redhat/freeipa-master/ipalib/frontend.py", line > >>>> 425, in __call__ > >>>> ret = self.run(*args, **options) > >>>> File "/home/rcrit/redhat/freeipa-master/ipalib/frontend.py", line > >>>> 731, in run > >>>> return self.execute(*args, **options) > >>>> File "/home/rcrit/redhat/freeipa-master/ipalib/plugins/automount.py", > >>>> line 873, in execute > >>>> keys += (self.obj.get_pk(options['automountkey'], > >>>> KeyError: 'automountkey' > >>>> > >>>> Also, automountinformation is already required. This may be a leftover > >>>> from when we used it in description, this can probably be lifted too. > >>>> > >>>> rob > >>> Good catch. 
I fixed this bug too and I also made --newinfo optional so > >>> that automountkey may be just renamed without changing its info > >>> attribute. > >>> > >>> I didn't bump up API VERSION as these are either compatible changes or > >>> they caused server internal error. > >>> > >>> Martin > >> > >> Should the ticket be moved into 2.1 July sprint then? > > > > Yes, I would like this to be included in 2.1. I will move ticket to > > correct milestone (2.1) if we manage to review&push it before release. > > > > Martin > > nack. Something is up with _mod. I can't be sure it is this patch or it > was always here. > > In the UI every change wanted to try to rename the entry. On the > command-line I wasn't able to update the info at all. > > rob Hm, I think this problem was in the _mod command all the time. 'description' field was being filled every time which triggered rename operation. This caused problems. I rewrote _mod command so that 'description' (i.e. rename) is filled only when needed. I checked UI and automountkey_mod command worked OK for me. Martin -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-mkosek-103-3-fix-automountkey-mod.patch Type: text/x-patch Size: 10055 bytes Desc: not available URL: From jdennis at redhat.com Thu Jul 28 14:02:43 2011 
From: jdennis at redhat.com (John Dennis) Date: Thu, 28 Jul 2011 10:02:43 -0400 Subject: [Freeipa-devel] [PATCH 32/32] Make AVA, RDN & DN comparison case insensitive. No need for lowercase normalization. In-Reply-To: <4E305063.7070608@redhat.com> References: <201107262135.p6QLZYjf029106@int-mx12.intmail.prod.int.phx2.redhat.com> <4E305063.7070608@redhat.com> Message-ID: <4E316C03.2020204@redhat.com> On 07/27/2011 01:52 PM, Rob Crittenden wrote: > John Dennis wrote: >> Replace deepcopy with constructor (i.e. type call) >> Can now "clone" with configuration changes by passing object >> of the same type to its constructor, e.g. >> dn1 = DN(('cn', 'foo')) >> dn2 = DN(dn1) >> dn2 = DN(dn1, first_key_match=False) >> >> Remove pairwise grouping for RDN's. Had previously removed it >> for DN's, left it in for RDN's because it seemed to make sense >> because of the way RDN's work but consistency is a higher goal. >> >> Add keyword constructor parameters to pass configuration options. >> >> Make first_key_match a configuration keyword. >> >> Updated documentation. >> >> Updated unit test. >> >> FWIW, I noticed the unittest is now running 2x faster, not sure why, >> removal of deepcopy? Anyway, hard to argue with performance doubling. > > The constructor for RDN changed. It now requires tuples, is this the > pairwise grouping you mention in the commit message? > > I played around with creating a variety of DNs, RDNs and AVAs and > everything seems to work as expected, so a qualified ack. I'm just > curious why RDNs require tuples. I changed it for API consistency. RDN's can be multi-valued (but almost never are). So the way the constructor was originally written was just to accept 2 args, e.g. RDN(attr, value), if the RDN was multi-valued you would pass 4 args (2 pairs), e.g. RDN(attr1, value1, attr2, value2). This was exactly how the DN constructor used to work (in fact the DN constructor was originally based on the RDN constructor). 
But as you discovered the behavior was confusing and we changed the DN
constructor to require tuples (or lists). When I changed the DN
constructor I left the RDN constructor with the old previous form
because it's seldom called with an arg list like the confusing DN arg
list. But in hindsight I felt it was better to have consistent APIs with
the constructors, that ultimately it was less confusing.

-- 
John Dennis 

Looking to carve out IT costs?
www.redhat.com/carveoutcosts/

From ayoung at redhat.com Thu Jul 28 14:30:33 2011
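To make the constructor discussion above concrete, here is an added illustrative model of the tuple-based AVA/RDN/DN API the thread settles on. It is not FreeIPA's ipapython.dn module and not John Dennis's code; it is a small stand-in written for this archive. The classes and helpers (AVA, RDN, DN, accepts, lookup) are assumptions, and the meaning given to first_key_match (whether dn[attr] may return the first of several matching values or must be unambiguous) is likewise an assumption for the example.

```python
# Added illustrative model of the tuple-based AVA/RDN/DN constructor API.
# NOT FreeIPA's ipapython.dn; written for this archive. The meaning given to
# first_key_match below is an assumption for the example.


class AVA:
    """One attr=value assertion. Accepts (attr, value), a 2-tuple/list,
    or another AVA (clone)."""

    def __init__(self, *args):
        if len(args) == 1 and isinstance(args[0], AVA):
            attr, value = args[0].attr, args[0].value
        elif len(args) == 1 and isinstance(args[0], (tuple, list)) and len(args[0]) == 2:
            attr, value = args[0]
        elif len(args) == 2:
            attr, value = args
        else:
            raise TypeError("AVA expects (attr, value), got %r" % (args,))
        self.attr, self.value = str(attr), str(value)

    def _key(self):
        # Stored text keeps its case ("no need for lowercase normalization");
        # only comparison ignores case, for both attribute type and value.
        return (self.attr.lower(), self.value.lower())

    def __eq__(self, other):
        return isinstance(other, AVA) and self._key() == other._key()

    def __hash__(self):
        return hash(self._key())

    def __str__(self):
        return "%s=%s" % (self.attr, self.value)


class RDN:
    """One or more AVAs. Every component must be a tuple, list, AVA or RDN;
    the old positional RDN(attr, value[, attr2, value2]) form is rejected."""

    def __init__(self, *args):
        self.avas = []
        for arg in args:
            if isinstance(arg, RDN):
                self.avas.extend(AVA(a) for a in arg.avas)
            elif isinstance(arg, (AVA, tuple, list)):
                self.avas.append(AVA(arg))
            else:
                raise TypeError("RDN components must be (attr, value) tuples, got %r" % (arg,))
        if not self.avas:
            raise TypeError("RDN needs at least one component")

    def __eq__(self, other):
        # Order of AVAs inside a multi-valued RDN is not significant.
        return isinstance(other, RDN) and frozenset(self.avas) == frozenset(other.avas)

    def __hash__(self):
        return hash(frozenset(self.avas))

    def __str__(self):
        return "+".join(str(a) for a in self.avas)


class DN:
    """Sequence of RDNs, most specific first. DN(other_dn, **config) clones
    other_dn and lets the caller override configuration keywords."""

    def __init__(self, *args, **kwds):
        fkm = kwds.pop("first_key_match", None)
        if kwds:
            raise TypeError("unknown keywords: %s" % ", ".join(kwds))
        self.rdns = []
        for arg in args:
            if isinstance(arg, DN):
                if fkm is None:            # a clone inherits config unless overridden
                    fkm = arg.first_key_match
                self.rdns.extend(RDN(r) for r in arg.rdns)
            elif isinstance(arg, (RDN, AVA, tuple, list)):
                self.rdns.append(RDN(arg))
            else:
                raise TypeError("DN components must be (attr, value) tuples, got %r" % (arg,))
        self.first_key_match = True if fkm is None else fkm

    def __iter__(self):                    # DNs iterate over their RDNs; no loop index needed
        return iter(self.rdns)

    def __getitem__(self, key):
        """Value of the attribute type `key` (case-insensitive lookup)."""
        values = [ava.value for rdn in self.rdns for ava in rdn.avas
                  if ava.attr.lower() == key.lower()]
        if not values:
            raise KeyError(key)
        if len(values) > 1 and not self.first_key_match:
            raise KeyError("%s is ambiguous: %r" % (key, values))
        return values[0]

    def __eq__(self, other):
        return isinstance(other, DN) and self.rdns == other.rdns

    def __hash__(self):
        return hash(tuple(self.rdns))

    def __str__(self):
        return ",".join(str(r) for r in self.rdns)


def accepts(cls, *args, **kwds):
    """True if cls(*args, **kwds) constructs, False on TypeError."""
    try:
        cls(*args, **kwds)
        return True
    except TypeError:
        return False


def lookup(dn, key):
    """dn[key], or None when the key is absent or ambiguous (KeyError)."""
    try:
        return dn[key]
    except KeyError:
        return None
```

The point of rejecting the positional form is visible in `accepts(RDN, 'cn', 'foo')`: with tuples there is no way to mis-pair attributes and values when an RDN is multi-valued, and DN and RDN read the same way.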
From: ayoung at redhat.com (Adam Young)
Date: Thu, 28 Jul 2011 10:30:33 -0400
Subject: [Freeipa-devel] [PATCH] 0270-removing-setters-setup-and-init
In-Reply-To: <4E30F2E8.6030802@redhat.com>
References: <4E2614DD.4090301@redhat.com> <4E26157A.5080609@redhat.com> <4E2729F2.3010409@redhat.com> <4E273193.4080506@redhat.com> <4E276E10.4010207@redhat.com> <4E278D5C.9020803@redhat.com> <4E28E8C4.6040201@redhat.com> <4E29989B.4090209@redhat.com> <4E29B0EA.6010909@redhat.com> <4E2A0698.6000402@redhat.com> <4E2DA048.8040507@redhat.com> <4E2E07CE.5070902@redhat.com> <4E2F253F.9050608@redhat.com> <4E2FA77C.3090709@redhat.com> <4E303DE8.6080902@redhat.com> <4E306D63.50500@redhat.com> <4E30B7E0.90707@redhat.com> <4E30F2E8.6030802@redhat.com>
Message-ID: <4E317289.6070105@redhat.com>

On 07/28/2011 01:26 AM, Endi Sukma Dewata wrote:
> On 7/27/2011 8:14 PM, Adam Young wrote:
>>>>> 59. The initialization area in IPA.association_adder_dialog
>>>>> (association.js:212) should be marked with a comment.
>>>> Done
>>>
>>> The default_columns() invocation should be moved into the
>>> initialization area because this is not a precondition checking like
>>> in #57. The default_columns() function itself should be moved outside
>>> of the initialization area because the area should not contain
>>> function definition, only invocations.
>>
>> The columns need to be defined before the table setup in the base class,
>> which is why it is done at the top of the function, prior to calling the
>> baseclass. Going to leave this as is.
>
> Please add a note near default_columns() definition saying that the
> columns map in IPA.adder_dialog should be removed and the add_column()
> should be modified to add the column directly into the available_table
> and selected_table. This way IPA.association_adder_dialog can call
> create_column() from the initialization area, no need to modify the
> parameters.

Done

>
>>>>> 62.
>>>>> Since the code in #60 and #61 is moved to initialization area,
>>>>> the spec.link can be reverted back to that.link.
>>>>
>>>> Removed link. I don't see where it is used. Tested without it and
>>>> everything seems to work fine.
>>>
>>> The link flag is used to create a link from the association facet to
>>> the target entity (see association.js:723 and widget.js:1152). The
>>> original code sets the flag to true by default.
>>>
>>> To test, create a netgroup and enroll a user. The user should be
>>> linked.
>> Still works. True is deduced by default. I think at this point you would
>> have to send link = false to disable, and that probably makes no sense.
>> Going to leave this as is.

OK, back to being spec.link, as it has to be set prior to the call to the
base class. Put a comment in to this effect.

>
> It still doesn't work for me. Make sure you are looking at "Members
> Users" facet in Netgroup, not the other way around. The reverse link
> from user to netgroup works because the flag is explicitly set in
> user.js. In netgroup.js and other files the link is not set, so it
> will use the default. All variables are undefined by default and
> considered false. The original code reversed the default.
>
> 79. Regression: The Unprovision button in host details page doesn't
> work. To test, enroll a host with this command:
>
> ipa-getkeytab -s localhost -p host/test.example.com -k test.keytab

Fixed

>
> Then open the host details page. Click the "Delete Key, Unprovision"
> button, click Unprovision again, it will fail. The that.entity_name in
> host.js:381 should be changed to that.entity.name.
>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-admiyo-0280-1-additional-fixes-for-removal-of-init-and-setup.patch
Type: text/x-patch
Size: 2894 bytes
Desc: not available
URL: 

From jgalipea at redhat.com Thu Jul 28 14:34:57 2011
From: jgalipea at redhat.com (Jenny Galipeau)
Date: Thu, 28 Jul 2011 10:34:57 -0400 (EDT)
Subject: [Freeipa-devel] Setting Host OTP
Message-ID: <2089847415.283955.1311863697144.JavaMail.root@zmail05.collab.prod.int.phx2.redhat.com>

Hi Adam and Rob:
I have some questions about setting a Host OTP and what use cases should be supported. In testing the Web UI and setting the OTP for a host, it became apparent that there is no way to retrieve an existing OTP. Is this on purpose? It confused me a bit that the UI did not change to indicate that an OTP existed. I think this is a bug.

Also, is it on purpose that you can not retrieve an existing OTP? Else, you would need to set a new one if you could not remember what it was? If it is the latter, I would think the Web UI could indicate that one is set, but changing the button maybe to "Set New OTP"??

Thanks
Jenny

-- 
Looking to carve out IT costs?
www.redhat.com/carveoutcosts/

Jenny Galipeau 
Principal Software QA Engineer
Red Hat, Inc. Security Engineering

From mkosek at redhat.com Thu Jul 28 14:41:50 2011
From: mkosek at redhat.com (Martin Kosek)
Date: Thu, 28 Jul 2011 16:41:50 +0200
Subject: [Freeipa-devel] [PATCH] 101 Fix invalid issuer in unit tests
In-Reply-To: <1311776260.12277.13.camel@dhcp-25-52.brq.redhat.com>
References: <1311757546.12277.7.camel@dhcp-25-52.brq.redhat.com> <4E301C4E.5080609@redhat.com> <1311776260.12277.13.camel@dhcp-25-52.brq.redhat.com>
Message-ID: <1311864112.3597.1.camel@dhcp-25-52.brq.redhat.com>

On Wed, 2011-07-27 at 16:17 +0200, Martin Kosek wrote:
> On Wed, 2011-07-27 at 10:10 -0400, Rob Crittenden wrote:
> > Martin Kosek wrote:
> > > Fix several test failures when issuer does not match the one
> > > generated by make-testcert (CN=Certificate Authority,O=).
> > >
> > > https://fedorahosted.org/freeipa/ticket/1527
> > >
> >
> > What kind of CA are you testing against? Right now the subject of the
> > issue differs whether you are installing a dogtag CA or a self-signed
> > CA. I think that unifying those will be needed as well.
> >
> > rob
>
> That was tested against dogtag CA. We indeed need to unify this so that
> people are not confused by errors like this.
>
> Martin
>

I improved the tests by creating a new fuzzy attribute - fuzzy_issuer
which will allow both issuer alternatives. It should now pass on both
self-signed and dogtag IPA.

Martin
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-mkosek-101-2-fix-invalid-issuer-in-unit-tests.patch
Type: text/x-patch
Size: 5396 bytes
Desc: not available
URL: 

From rcritten at redhat.com Thu Jul 28 14:46:02 2011
From: rcritten at redhat.com (Rob Crittenden)
Date: Thu, 28 Jul 2011 10:46:02 -0400
Subject: [Freeipa-devel] Setting Host OTP
In-Reply-To: <2089847415.283955.1311863697144.JavaMail.root@zmail05.collab.prod.int.phx2.redhat.com>
References: <2089847415.283955.1311863697144.JavaMail.root@zmail05.collab.prod.int.phx2.redhat.com>
Message-ID: <4E31762A.9020600@redhat.com>

Jenny Galipeau wrote:
> Hi Adam and Rob:
> I have some questions about setting a Host OTP and what use cases should be supported. In testing the Web UI and setting the OTP for a host, it became apparent that there is no way to retrieve an existing OTP. Is this on purpose? It confused me a bit that the UI did not change to indicate that an OTP existed. I think this is a bug.
>
> Also, is it on purpose that you can not retrieve an existing OTP? Else, you would need to set a new one if you could not remember what it was? If it is the latter, I would think the Web UI could indicate that one is set, but changing the button maybe to "Set New OTP"??
>
> Thanks
> Jenny
>

Yes, it is on purpose that you can't retrieve an existing OTP, it is a
password after all.

There is no way to know if a password has been set or not. Please open a
bug if you'd like to be able to tell.

rob

From jgalipea at redhat.com Thu Jul 28 14:51:44 2011
From: jgalipea at redhat.com (Jenny Galipeau)
Date: Thu, 28 Jul 2011 10:51:44 -0400 (EDT)
Subject: [Freeipa-devel] Setting Host OTP
In-Reply-To: <4E31762A.9020600@redhat.com>
Message-ID: <1473288735.284413.1311864704215.JavaMail.root@zmail05.collab.prod.int.phx2.redhat.com>

----- Original Message -----
> Jenny Galipeau wrote:
> > Hi Adam and Rob:
> > I have some questions about setting a Host OTP and what use cases
> > should be supported. In testing the Web UI and setting the OTP for a
> > host, it became apparent that there is no way to retrieve an
> > existing OTP. Is this on purpose? It confused me a bit that the UI
> > did not change to indicate that an OTP existed. I think this is a
> > bug.
> >
> > Also, is it on purpose that you can not retrieve an existing OTP?
> > Else, you would need to set a new one if you could not remember what
> > it was? If it is the latter, I would think the Web UI could indicate
> > that one is set, but changing the button maybe to "Set New OTP"??
> >
> > Thanks
> > Jenny
> >
>
> Yes, it is on purpose that you can't retrieve an existing OTP, it is a
> password after all.
>
> There is no way to know if a password has been set or not. Please open
> a
> bug if you'd like to be able to tell.

Okay, obviously this would mean an additional flag to the CLI yes??

>
> rob

-- 
Looking to carve out IT costs?
www.redhat.com/carveoutcosts/

Jenny Galipeau 
Principal Software QA Engineer
Red Hat, Inc. Security Engineering

From rcritten at redhat.com Thu Jul 28 15:56:35 2011
From: rcritten at redhat.com (Rob Crittenden)
Date: Thu, 28 Jul 2011 11:56:35 -0400
Subject: [Freeipa-devel] [PATCH] 101 Fix invalid issuer in unit tests
In-Reply-To: <1311864112.3597.1.camel@dhcp-25-52.brq.redhat.com>
References: <1311757546.12277.7.camel@dhcp-25-52.brq.redhat.com> <4E301C4E.5080609@redhat.com> <1311776260.12277.13.camel@dhcp-25-52.brq.redhat.com> <1311864112.3597.1.camel@dhcp-25-52.brq.redhat.com>
Message-ID: <4E3186B3.3020308@redhat.com>

Martin Kosek wrote:
> On Wed, 2011-07-27 at 16:17 +0200, Martin Kosek wrote:
>> On Wed, 2011-07-27 at 10:10 -0400, Rob Crittenden wrote:
>>> Martin Kosek wrote:
>>>> Fix several test failures when issuer does not match the one
>>>> generated by make-testcert (CN=Certificate Authority,O=).
>>>>
>>>> https://fedorahosted.org/freeipa/ticket/1527
>>>>
>>>
>>> What kind of CA are you testing against? Right now the subject of the
>>> issue differs whether you are installing a dogtag CA or a self-signed
>>> CA. I think that unifying those will be needed as well.
>>>
>>> rob
>>
>> That was tested against dogtag CA. We indeed need to unify this so that
>> people are not confused by errors like this.
>>
>> Martin
>>
>
> I improved the tests by creating a new fuzzy attribute - fuzzy_issuer
> which will allow both issuer alternatives. It should now pass on both
> self-signed and dogtag IPA.
>
> Martin

ack, pushed to master and ipa-2-0

From rcritten at redhat.com Thu Jul 28 15:59:47 2011
From: rcritten at redhat.com (Rob Crittenden)
Date: Thu, 28 Jul 2011 11:59:47 -0400
Subject: [Freeipa-devel] [PATCH 32/32] Make AVA, RDN & DN comparison case insensitive. No need for lowercase normalization.
In-Reply-To: <4E316C03.2020204@redhat.com>
References: <201107262135.p6QLZYjf029106@int-mx12.intmail.prod.int.phx2.redhat.com> <4E305063.7070608@redhat.com> <4E316C03.2020204@redhat.com>
Message-ID: <4E318773.4030705@redhat.com>

John Dennis wrote:
> On 07/27/2011 01:52 PM, Rob Crittenden wrote:
>> John Dennis wrote:
>>> Replace deepcopy with constructor (i.e. type call)
>>> Can now "clone" with configuration changes by passing object
>>> of the same type to its constructor, e.g.
>>> dn1 = DN(('cn', 'foo')
>>> dn2 = DN(dn1)
>>> dn2 = DN(dn1, first_key_match=False)
>>>
>>> Remove pairwise grouping for RDN's. Had previously removed it
>>> for DN's, left it in for RDN's because it seemed to make sense
>>> because of the way RDN's work but consistency is a higher goal.
>>>
>>> Add keyword constructor parameters to pass configuration options.
>>>
>>> Make first_key_match a configuration keyword.
>>>
>>> Updated documentation.
>>>
>>> Updated unit test.
>>>
>>> FWIW, I noticed the unittest is now running 2x faster, not sure why,
>>> removal of deepcopy? Anyway, hard to argue with performance doubling.
>>
>> The constructor for RDN changed. It now requires tuples, is this the
>> pairwise grouping you mention in the commit message?
>>
>> I played around with creating a variety of DNs, RDNs and AVAs and
>> everything seems to work as expected, so a qualified ack. I'm just
>> curious why RDNs require tuples.
>
> I changed it for API consistency. RDN's can be multi-valued (but almost
> never are). So the way the constructor was originally written was just
> to accept 2 args, e.g. RDN(attr, value); if the RDN was multi-valued
> you would pass 4 args (2 pairs), e.g. RDN(attr1, value1, attr2, value2).
> This was exactly how the DN constructor used to work (in fact the DN
> constructor was originally based on the RDN constructor).
> But as you discovered the behavior was confusing and we changed the DN
> constructor to require tuples (or lists). When I changed the DN
> constructor I left the RDN constructor with the old previous form
> because it's seldom called with an arg list like the confusing DN arg
> list. But in hindsight I felt it was better to have consistent APIs
> with the constructors, that ultimately it was less confusing.
>

OK, pushed to master and ipa-2-0

I added a missing paren to the end of one of the examples in the commit
message. Feeling pedantic this morning.

rob

From edewata at redhat.com Thu Jul 28 16:26:31 2011
From: edewata at redhat.com (Endi Sukma Dewata)
Date: Thu, 28 Jul 2011 11:26:31 -0500
Subject: [Freeipa-devel] [PATCH] 0270-removing-setters-setup-and-init
In-Reply-To: <4E317289.6070105@redhat.com>
References: <4E2614DD.4090301@redhat.com> <4E26157A.5080609@redhat.com> <4E2729F2.3010409@redhat.com> <4E273193.4080506@redhat.com> <4E276E10.4010207@redhat.com> <4E278D5C.9020803@redhat.com> <4E28E8C4.6040201@redhat.com> <4E29989B.4090209@redhat.com> <4E29B0EA.6010909@redhat.com> <4E2A0698.6000402@redhat.com> <4E2DA048.8040507@redhat.com> <4E2E07CE.5070902@redhat.com> <4E2F253F.9050608@redhat.com> <4E2FA77C.3090709@redhat.com> <4E303DE8.6080902@redhat.com> <4E306D63.50500@redhat.com> <4E30B7E0.90707@redhat.com> <4E30F2E8.6030802@redhat.com> <4E317289.6070105@redhat.com>
Message-ID: <4E318DB7.1020701@redhat.com>

On 7/28/2011 9:30 AM, Adam Young wrote:
>

ACK 270-14, 278-4, and 280-1. Please squash before push. Thanks.

-- 
Endi S. Dewata

From dpal at redhat.com Thu Jul 28 17:02:20 2011
From: dpal at redhat.com (Dmitri Pal)
Date: Thu, 28 Jul 2011 13:02:20 -0400
Subject: [Freeipa-devel] Setting Host OTP
In-Reply-To: <1473288735.284413.1311864704215.JavaMail.root@zmail05.collab.prod.int.phx2.redhat.com>
References: <1473288735.284413.1311864704215.JavaMail.root@zmail05.collab.prod.int.phx2.redhat.com>
Message-ID: <4E31961C.1080403@redhat.com>

On 07/28/2011 10:51 AM, Jenny Galipeau wrote:
>
> ----- Original Message -----
>> Jenny Galipeau wrote:
>>> Hi Adam and Rob:
>>> I have some questions about setting a Host OTP and what use cases
>>> should be supported. In testing the Web UI and setting the OTP for a
>>> host, it became apparent that there is no way to retrieve an
>>> existing OTP. Is this on purpose? It confused me a bit that the UI
>>> did not change to indicate that an OTP existed. I think this is a
>>> bug.
>>>
>>> Also, is it on purpose that you can not retrieve an existing OTP?
>>> Else, you would need to set a new one if you could not remember what
>>> it was? If it is the latter, I would think the Web UI could indicate
>>> that one is set, but changing the button maybe to "Set New OTP"??
>>>
>>> Thanks
>>> Jenny
>>>
>> Yes, it is on purpose that you can't retrieve an existing OTP, it is a
>> password after all.
>>
>> There is no way to know if a password has been set or not. Please open
>> a
>> bug if you'd like to be able to tell.
> Okay, obviously this would mean an additional flag to the CLI yes??
>
>> rob

AFAIR according to spec and design the presence of the OTP should be
seen in the UI.

-- 
Thank you,
Dmitri Pal

Sr. Engineering Manager IPA project,
Red Hat Inc.

-------------------------------
Looking to carve out IT costs?
www.redhat.com/carveoutcosts/

From dpal at redhat.com Thu Jul 28 17:22:03 2011
From: dpal at redhat.com (Dmitri Pal)
Date: Thu, 28 Jul 2011 13:22:03 -0400
Subject: [Freeipa-devel] Setting Host OTP
In-Reply-To: <4E31961C.1080403@redhat.com>
References: <1473288735.284413.1311864704215.JavaMail.root@zmail05.collab.prod.int.phx2.redhat.com> <4E31961C.1080403@redhat.com>
Message-ID: <4E319ABB.30608@redhat.com>

On 07/28/2011 01:02 PM, Dmitri Pal wrote:
> On 07/28/2011 10:51 AM, Jenny Galipeau wrote:
>> ----- Original Message -----
>>> Jenny Galipeau wrote:
>>>> Hi Adam and Rob:
>>>> I have some questions about setting a Host OTP and what use cases
>>>> should be supported. In testing the Web UI and setting the OTP for a
>>>> host, it became apparent that there is no way to retrieve an
>>>> existing OTP. Is this on purpose? It confused me a bit that the UI
>>>> did not change to indicate that an OTP existed. I think this is a
>>>> bug.
>>>>
>>>> Also, is it on purpose that you can not retrieve an existing OTP?
>>>> Else, you would need to set a new one if you could not remember what
>>>> it was? If it is the latter, I would think the Web UI could indicate
>>>> that one is set, but changing the button maybe to "Set New OTP"??
>>>>
>>>> Thanks
>>>> Jenny
>>>>
>>> Yes, it is on purpose that you can't retrieve an existing OTP, it is a
>>> password after all.
>>>
>>> There is no way to know if a password has been set or not. Please open
>>> a
>>> bug if you'd like to be able to tell.
>> Okay, obviously this would mean an additional flag to the CLI yes??
>>
>>> rob
> AFAIR according to spec and design the presence of the OTP should be
> seen in the UI.
>

But we can defer it to 2.2 at this point.

-- 
Thank you,
Dmitri Pal

Sr. Engineering Manager IPA project,
Red Hat Inc.

-------------------------------
Looking to carve out IT costs?
www.redhat.com/carveoutcosts/

From rcritten at redhat.com Thu Jul 28 17:53:06 2011
From: rcritten at redhat.com (Rob Crittenden)
Date: Thu, 28 Jul 2011 13:53:06 -0400
Subject: [Freeipa-devel] Setting Host OTP
In-Reply-To: <1473288735.284413.1311864704215.JavaMail.root@zmail05.collab.prod.int.phx2.redhat.com>
References: <1473288735.284413.1311864704215.JavaMail.root@zmail05.collab.prod.int.phx2.redhat.com>
Message-ID: <4E31A202.5070807@redhat.com>

Jenny Galipeau wrote:
>
>
> ----- Original Message -----
>> Jenny Galipeau wrote:
>>> Hi Adam and Rob:
>>> I have some questions about setting a Host OTP and what use cases
>>> should be supported. In testing the Web UI and setting the OTP for a
>>> host, it became apparent that there is no way to retrieve an
>>> existing OTP. Is this on purpose? It confused me a bit that the UI
>>> did not change to indicate that an OTP existed. I think this is a
>>> bug.
>>>
>>> Also, is it on purpose that you can not retrieve an existing OTP?
>>> Else, you would need to set a new one if you could not remember what
>>> it was? If it is the latter, I would think the Web UI could indicate
>>> that one is set, but changing the button maybe to "Set New OTP"??
>>>
>>> Thanks
>>> Jenny
>>>
>>
>> Yes, it is on purpose that you can't retrieve an existing OTP, it is a
>> password after all.
>>
>> There is no way to know if a password has been set or not. Please open
>> a
>> bug if you'd like to be able to tell.
>
> Okay, obviously this would mean an additional flag to the CLI yes??

We would represent it as an attribute on output, there wouldn't be any
options changes for this.

rob

From jgalipea at redhat.com Thu Jul 28 17:54:53 2011
From: jgalipea at redhat.com (Jenny Galipeau)
Date: Thu, 28 Jul 2011 13:54:53 -0400 (EDT)
Subject: [Freeipa-devel] Setting Host OTP
In-Reply-To: <4E31A202.5070807@redhat.com>
Message-ID: <1983545799.288255.1311875693907.JavaMail.root@zmail05.collab.prod.int.phx2.redhat.com>

----- Original Message -----
> Jenny Galipeau wrote:
> >
> >
> > ----- Original Message -----
> >> Jenny Galipeau wrote:
> >>> Hi Adam and Rob:
> >>> I have some questions about setting a Host OTP and what use cases
> >>> should be supported. In testing the Web UI and setting the OTP for
> >>> a
> >>> host, it became apparent that there is no way to retrieve an
> >>> existing OTP. Is this on purpose? It confused me a bit that the UI
> >>> did not change to indicate that an OTP existed. I think this is a
> >>> bug.
> >>>
> >>> Also, is it on purpose that you can not retrieve an existing OTP?
> >>> Else, you would need to set a new one if you could not remember
> >>> what
> >>> it was? If it is the latter, I would think the Web UI could
> >>> indicate
> >>> that one is set, but changing the button maybe to "Set New OTP"??
> >>>
> >>> Thanks
> >>> Jenny
> >>>
> >>
> >> Yes, it is on purpose that you can't retrieve an existing OTP, it
> >> is a
> >> password after all.
> >>
> >> There is no way to know if a password has been set or not. Please
> >> open
> >> a
> >> bug if you'd like to be able to tell.
> >
> > Okay, obviously this would mean an additional flag to the CLI yes??
>
> We would represent it as an attribute on output, there wouldn't be any
> options changes for this.

Oh good! Bug logged ... https://bugzilla.redhat.com/show_bug.cgi?id=726454

>
> rob

-- 
Looking to carve out IT costs?
www.redhat.com/carveoutcosts/

Jenny Galipeau 
Principal Software QA Engineer
Red Hat, Inc. Security Engineering

From ayoung at redhat.com Thu Jul 28 18:18:33 2011
From: ayoung at redhat.com (Adam Young)
Date: Thu, 28 Jul 2011 14:18:33 -0400
Subject: [Freeipa-devel] [PATCH] 0270-removing-setters-setup-and-init
In-Reply-To: <4E318DB7.1020701@redhat.com>
References: <4E2614DD.4090301@redhat.com> <4E26157A.5080609@redhat.com> <4E2729F2.3010409@redhat.com> <4E273193.4080506@redhat.com> <4E276E10.4010207@redhat.com> <4E278D5C.9020803@redhat.com> <4E28E8C4.6040201@redhat.com> <4E29989B.4090209@redhat.com> <4E29B0EA.6010909@redhat.com> <4E2A0698.6000402@redhat.com> <4E2DA048.8040507@redhat.com> <4E2E07CE.5070902@redhat.com> <4E2F253F.9050608@redhat.com> <4E2FA77C.3090709@redhat.com> <4E303DE8.6080902@redhat.com> <4E306D63.50500@redhat.com> <4E30B7E0.90707@redhat.com> <4E30F2E8.6030802@redhat.com> <4E317289.6070105@redhat.com> <4E318DB7.1020701@redhat.com>
Message-ID: <4E31A7F9.6050801@redhat.com>

On 07/28/2011 12:26 PM, Endi Sukma Dewata wrote:
> On 7/28/2011 9:30 AM, Adam Young wrote:
>>
>
> ACK 270-14, 278-4, and 280-1. Please squash before push. Thanks.
>

Squashed, rebased, and pushed to master

From rcritten at redhat.com Thu Jul 28 18:31:23 2011
From: rcritten at redhat.com (Rob Crittenden)
Date: Thu, 28 Jul 2011 14:31:23 -0400
Subject: [Freeipa-devel] [PATCH] 841 require pki-ca >= 9.0.10
Message-ID: <4E31AAFB.8030908@redhat.com>

The IPA server cert profile was updated in 9.0.10 to allow the server
certs to act as clients. We need pki-ca 9.0.10 for this.

rob
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-rcrit-841-dogtag.patch
Type: application/mbox
Size: 1329 bytes
Desc: not available
URL: 

From adam at younglogic.com Thu Jul 28 18:52:43 2011
From: adam at younglogic.com (Adam Young)
Date: Thu, 28 Jul 2011 14:52:43 -0400
Subject: [Freeipa-devel] [PATCH] 0281-dns-section-header-i18n
Message-ID: <4E31AFFB.80204@younglogic.com>

From ayoung at redhat.com Thu Jul 28 19:00:51 2011
From: ayoung at redhat.com (Adam Young)
Date: Thu, 28 Jul 2011 15:00:51 -0400
Subject: [Freeipa-devel] [PATCH] 0281-dns-section-header-i18n
Message-ID: <4E31B1E3.2070900@redhat.com>

-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-admiyo-0281-dns-section-header-i18n.patch
Type: text/x-patch
Size: 3308 bytes
Desc: not available
URL: 

From edewata at redhat.com Thu Jul 28 19:12:27 2011
From: edewata at redhat.com (Endi Sukma Dewata)
Date: Thu, 28 Jul 2011 14:12:27 -0500
Subject: [Freeipa-devel] [PATCH] 0281-dns-section-header-i18n
In-Reply-To: <4E31B1E3.2070900@redhat.com>
References: <4E31B1E3.2070900@redhat.com>
Message-ID: <4E31B49B.9030901@redhat.com>

On 7/28/2011 2:00 PM, Adam Young wrote:
>

ACK and pushed to master.

-- 
Endi S. Dewata

From edewata at redhat.com Thu Jul 28 19:13:43 2011
From: edewata at redhat.com (Endi Sukma Dewata)
Date: Thu, 28 Jul 2011 14:13:43 -0500
Subject: [Freeipa-devel] [PATCH] 227 Fixed missing section header in sudo command group.
Message-ID: <4E31B4E7.3000107@redhat.com>

The sudo command group details page has been fixed to use the correct
label name.

Ticket #1537.

Pushed to master under one-liner rule.

-- 
Endi S. Dewata
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-edewata-0227-Fixed-missing-section-header-in-sudo-command-group.patch
Type: text/x-patch
Size: 919 bytes
Desc: not available
URL: 

From jdennis at redhat.com Thu Jul 28 19:27:41 2011
From: jdennis at redhat.com (John Dennis)
Date: Thu, 28 Jul 2011 15:27:41 -0400
Subject: [Freeipa-devel] [PATCH 33/33] Clean up existing DN object usage
Message-ID: <4E31B82D.7040506@redhat.com>

Clean up existing DN object usage:

DN's support iteration, no need for loop index.
get_cert_nickname() now returns a DN object instead of a dn string.
Use DN equality testing instead of string equality.
Replace use DN syntax strings with DN constructor args.
Remove ipaldap.IPAdmin.normalizeDN()

-- 
John Dennis 

Looking to carve out IT costs?
www.redhat.com/carveoutcosts/
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0033-Clean-up-existing-DN-object-usage.patch
Type: text/x-patch
Size: 7129 bytes
Desc: not available
URL: 

From rcritten at redhat.com Thu Jul 28 20:42:43 2011
From: rcritten at redhat.com (Rob Crittenden)
Date: Thu, 28 Jul 2011 16:42:43 -0400
Subject: [Freeipa-devel] [PATCH] 0007 Add command to test HBAC rules
In-Reply-To: <4E311352.5080104@redhat.com>
References: <1383009380.228321.1311613060175.JavaMail.root@zmail05.collab.prod.int.phx2.redhat.com> <4E2DA179.9030906@redhat.com> <4E2DDC71.5080202@redhat.com> <4E2E3321.3070704@redhat.com> <4E2E9892.8030402@redhat.com> <4E2F1BC3.3050109@redhat.com> <4E300EB0.2020205@redhat.com> <4E3030A1.1000409@redhat.com> <4E311352.5080104@redhat.com>
Message-ID: <4E31C9C3.7080904@redhat.com>

Alexander Bokovoy wrote:
> On 27.07.2011 18:37, Jakub Hrozek wrote:
>> On 07/27/2011 03:12 PM, Alexander Bokovoy wrote:
>>> + for ipa_rule in rules:
>>> + try:
>>> + res = request.evaluate([ipa_rule])
>>> + if res == pyhbac.HBAC_EVAL_ALLOW:
>>> + matched_rules.append(ipa_rule.name)
>>> + if res == pyhbac.HBAC_EVAL_DENY:
>>> + notmatched_rules.append(ipa_rule.name)
>>> + except pyhbac.HbacError as (code, rule_name):
>>> + if code == pyhbac.HBAC_EVAL_ERROR:
>>> + error_rules.append(rule_name)
>>> + except (TypeError, IOError) as (info):
>>> + self.log.error('Native IPA HBAC module error: %s' % (info))
>>> +
>>
>> I think this is OK. The only other exception the bindings might raise is
>> a MemoryError, but I think this should just propagate all the way up..
>>
>> One suggestion might be to extend the branch that catches
>> pyhbac.HbacError with a string representation of the error. Something like:
>>
>> self.log.error("Error while evaluating rule %s: %s" % (rule_name,
>> hbac_result_string(core))
> Thanks. That was actually implied (with self.log.info() as we want to
> continue and report them as 'error' rules in the command's result) but I
> overlooked it.
>
> Fixed this now and also removed some residual debug prints in unit
> tests. Patch attached.
>

nack

There is an EXAMPLES section in the help but it just explains the options
and provides no examples.
I think we can just drop the EXAMPLES header. Providing examples for this
might be rather convoluted, though seeing a couple of command-lines might
provide enough context.

It should probably mention that user, srchost, host and service are all
required but that becomes rather obvious when you try to execute the
command.

If you provide a single, not found rule to test against a ValueError is
thrown when validating that the output is valid.

$ ipa hbactest --user=rcrit --srchost=foo --host=bar --service=baz --rules=testnotfound
ipa: ERROR: non-public: ValueError: hbactest.validate_output(): missing keys ['matched', 'notmatched'] in {'error': [u'test22'], 'value': u'False', 'summary': u'Unresolved rules in --rules'}
Traceback (most recent call last):
  File "/home/rcrit/redhat/freeipa-master/ipaserver/rpcserver.py", line 220, in wsgi_execute
    result = self.Command[name](*args, **options)
  File "/home/rcrit/redhat/freeipa-master/ipalib/frontend.py", line 436, in __call__
    self.validate_output(ret)
  File "/home/rcrit/redhat/freeipa-master/ipalib/frontend.py", line 883, in validate_output
    nice, missing, output)
ValueError: hbactest.validate_output(): missing keys ['matched', 'notmatched'] in {'error': [u'test22'], 'value': u'False', 'summary': u'Unresolved rules in --rules'}
ipa: DEBUG: response: InternalError: an internal error has occurred

From rcritten at redhat.com Thu Jul 28 21:05:16 2011
From: rcritten at redhat.com (Rob Crittenden)
Date: Thu, 28 Jul 2011 17:05:16 -0400
Subject: [Freeipa-devel] [PATCH] one-liner fix test case
Message-ID: <4E31CF0C.7010009@redhat.com>

John pointed out that I didn't update the test case when I changed the
min value exception message.

Pushed as a one-liner to master and ipa-2-0

index c082029..e63bbb7 100644
--- a/tests/test_ipalib/test_parameters.py
+++ b/tests/test_ipalib/test_parameters.py
@@ -1194,7 +1194,7 @@ class test_Int(ClassChecker): rule(dummy, value), translation % dict(minvalue=3) ) - assert dummy.message == 'can be at least %(minvalue)d' + assert dummy.message == 'must be at least %(minvalue)d' assert dummy.called() is True dummy.reset() From edewata at redhat.com Thu Jul 28 21:48:21 2011 From: edewata at redhat.com (Endi Sukma Dewata) Date: Thu, 28 Jul 2011 16:48:21 -0500 Subject: [Freeipa-devel] [PATCH] 228 Fixed problem unprovisioning service. Message-ID: <4E31D925.4030405@redhat.com> The IPA.service_provisioning_status_widget has been modified to execute the disable command with the right entity name. Ticket #1543 Pushed under one-liner rule. -- Endi S. Dewata -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-edewata-0228-Fixed-problem-unprovisioning-service.patch Type: text/x-patch Size: 1113 bytes Desc: not available URL: From rcritten at redhat.com Thu Jul 28 22:53:20 2011 From: rcritten at redhat.com (Rob Crittenden) Date: Thu, 28 Jul 2011 18:53:20 -0400 Subject: [Freeipa-devel] [PATCH] 842 deprecation some sudorule options Message-ID: <4E31E860.2080207@redhat.com> The sudorule command had options to be able to manage external users and runas external users/groups via the add/mod commands. These had no logic behind them to actually do the right thing, that's what the helpers were for. I created a validator for each of these three to disallow management. This would be a major API change to remove them. They are useful in the find command so I hedged my bet and didn't mark the docs as deprecated, just as for -find only. rob -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-rcrit-842-sudorule.patch Type: application/mbox Size: 9627 bytes Desc: not available URL: From edewata at redhat.com Fri Jul 29 00:03:52 2011 
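Review bot: the rewritten assertion `assert dummy.message == 'must be at least %(minvalue)d'` in the test_Int hunk still pins the test to a second copy of the English string, which is exactly how the earlier wording change ('can be at least') slipped past it; the context line `translation % dict(minvalue=3)` just above already exercises the formatted form, so if the Int minvalue rule keeps its message in a named constant, comparing `dummy.message` against that constant instead of a literal would stop the two from drifting apart again. The one-line change itself matches the message update described in the commit message.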
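Following up on Rob Crittenden's hbactest nack earlier in this digest (the ValueError from validate_output() about missing 'matched' and 'notmatched' keys), here is an added example that is not FreeIPA's hbactest plugin and not the pyhbac bindings. It models the failure and its fix in plain Python: the rule format, the ALLOW/DENY/ERROR outcomes, the OUTPUT_KEYS contract, the sample rules and the request are all constructed for this example, and hbactest_sparse() reproduces the shape of result that fails the check while hbactest() always emits every declared key.

```python
# Added example, not FreeIPA's hbactest plugin and not the pyhbac bindings.
# It shows the output-contract failure from the thread: a command whose
# result dict omits declared keys (here when no --rules entry resolves) fails
# the server's output check and surfaces as an internal error. The fix is to
# create every declared key up front. Rule format, outcomes and OUTPUT_KEYS
# are constructed for this example.

ALLOW, DENY, ERROR = "allow", "deny", "error"          # assumed outcomes

# Output contract of the toy command: every key must be present, always.
OUTPUT_KEYS = ("matched", "notmatched", "error", "value", "summary")


def evaluate_rule(rule, request):
    """ALLOW if the request satisfies every category of the rule, DENY if
    some category does not match, ERROR if the rule is malformed.
    A category is either the string 'all' or a set of allowed names."""
    try:
        for key in ("users", "hosts", "services"):
            allowed = rule[key]
            if allowed != "all" and request[key] not in allowed:
                return DENY
        return ALLOW
    except (KeyError, TypeError):           # missing category or wrong type
        return ERROR


def hbactest(rules, request, requested_names=None):
    """Evaluate the named rules (all rules when none are named). Every rule
    lands in exactly one of matched/notmatched/error, and every OUTPUT_KEYS
    entry is present even when nothing matched or nothing resolved."""
    by_name = {r["name"]: r for r in rules}
    wanted = list(requested_names) if requested_names else list(by_name)
    result = {"matched": [], "notmatched": [], "error": []}
    for name in wanted:
        rule = by_name.get(name)
        if rule is None:                    # unresolved --rules entry
            result["error"].append(name)
            continue
        outcome = evaluate_rule(rule, request)
        if outcome == ALLOW:
            result["matched"].append(name)
        elif outcome == DENY:
            result["notmatched"].append(name)
        else:
            result["error"].append(name)
    result["value"] = bool(result["matched"])
    if requested_names and not any(n in by_name for n in wanted):
        result["summary"] = "Unresolved rules in --rules"
    else:
        result["summary"] = "Access granted" if result["value"] else "Access denied"
    return result


def hbactest_sparse(rules, request, requested_names):
    """The shape that fails: an early return that only carries the keys it
    happened to populate, as in the traceback quoted in the thread."""
    by_name = {r["name"]: r for r in rules}
    unresolved = [n for n in requested_names if n not in by_name]
    if unresolved:
        return {"error": unresolved, "value": False,
                "summary": "Unresolved rules in --rules"}
    return hbactest(rules, request, requested_names)


def validate_output(output, keys=OUTPUT_KEYS):
    """Mimic of the server-side contract check: raise ValueError when a
    declared key is absent from the result."""
    missing = [k for k in keys if k not in output]
    if missing:
        raise ValueError("hbactest.validate_output(): missing keys %r in %r"
                         % (missing, output))
    return True


def passes_validation(output):
    """True when validate_output() accepts the result, False when it raises."""
    try:
        return validate_output(output)
    except ValueError:
        return False


# Constructed sample data: two well-formed rules and one malformed one.
RULES = [
    {"name": "allow_admins_ssh", "users": {"rcrit", "admin"},
     "hosts": "all", "services": {"sshd"}},
    {"name": "login_on_bar", "users": "all",
     "hosts": {"bar"}, "services": {"login"}},
    {"name": "broken", "users": None, "hosts": "all", "services": "all"},
]
REQUEST = {"users": "rcrit", "hosts": "bar", "services": "sshd"}

if __name__ == "__main__":
    print(hbactest(RULES, REQUEST))
    print(passes_validation(hbactest(RULES, REQUEST, ["testnotfound"])))
    print(passes_validation(hbactest_sparse(RULES, REQUEST, ["testnotfound"])))
```

Two design points carry over to the real command: the result dict is built with all list keys before any branch can return, so an early-exit path cannot drop a key, and the exception branch places the rule in the error list rather than only logging it, so no rule silently vanishes from the output.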
From: edewata at redhat.com (Endi Sukma Dewata)
Date: Thu, 28 Jul 2011 19:03:52 -0500
Subject: [Freeipa-devel] [PATCH] 229 Fixed missing memberof definition in HBAC service.
Message-ID: <4E31F8E8.10906@redhat.com>

The HBAC service class has been modified to define the memberof
relationship with HBAC service group.

Ticket #1546

-- 
Endi S. Dewata
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-edewata-0229-Fixed-missing-memberof-definition-in-HBAC-service.patch
Type: text/x-patch
Size: 1163 bytes
Desc: not available
URL: 

From edewata at redhat.com Fri Jul 29 00:05:50 2011
From: edewata at redhat.com (Endi Sukma Dewata)
Date: Thu, 28 Jul 2011 19:05:50 -0500
Subject: [Freeipa-devel] [PATCH] 230 Added association facets for HBAC and sudo.
Message-ID: <4E31F95E.7030007@redhat.com>

The HBAC service, HBAC service group, sudo command and sudo command
group have been modified to show the associations as facets.

Ticket #1536

-- 
Endi S. Dewata
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-edewata-0230-Added-association-facets-for-HBAC-and-sudo.patch
Type: text/x-patch
Size: 7921 bytes
Desc: not available
URL: 

From ayoung at redhat.com Fri Jul 29 01:40:36 2011
From: ayoung at redhat.com (Adam Young) Date: Thu, 28 Jul 2011 21:40:36 -0400 Subject: [Freeipa-devel] [PATCH] 230 Added association facets for HBAC and sudo. In-Reply-To: <4E31F95E.7030007@redhat.com> References: <4E31F95E.7030007@redhat.com> Message-ID: <4E320F94.10707@redhat.com> On 07/28/2011 08:05 PM, Endi Sukma Dewata wrote: > The HBAC service, HBAC service group, sudo command and sudo command > group have been modified to show the associations as facets. > > Ticket #1536 > > > _______________________________________________ > Freeipa-devel mailing list > Freeipa-devel at redhat.com > https://www.redhat.com/mailman/listinfo/freeipa-devel ACK. Pushed to master -------------- next part -------------- An HTML attachment was scrubbed... URL: From ayoung at redhat.com Fri Jul 29 01:40:44 2011 From: ayoung at redhat.com (Adam Young) Date: Thu, 28 Jul 2011 21:40:44 -0400 Subject: [Freeipa-devel] [PATCH] 229 Fixed missing memberof definition in HBAC service. In-Reply-To: <4E31F8E8.10906@redhat.com> References: <4E31F8E8.10906@redhat.com> Message-ID: <4E320F9C.5040306@redhat.com> On 07/28/2011 08:03 PM, Endi Sukma Dewata wrote: > The HBAC service class has been modified to define the memberof > relationship with HBAC service group. > > Ticket #1546 > > > _______________________________________________ > Freeipa-devel mailing list > Freeipa-devel at redhat.com > https://www.redhat.com/mailman/listinfo/freeipa-devel ACK. Pushed to master -------------- next part -------------- An HTML attachment was scrubbed... URL: From ayoung at redhat.com Fri Jul 29 02:30:23 2011 
From: ayoung at redhat.com (Adam Young) Date: Thu, 28 Jul 2011 22:30:23 -0400 Subject: [Freeipa-devel] [PATCH] 0282-use-other_entity-for-adder-columns Message-ID: <4E321B3F.9030107@redhat.com> -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-admiyo-0282-1-use-other_entity-for-adder-columns.patch Type: text/x-patch Size: 1787 bytes Desc: not available URL: From abokovoy at redhat.com Fri Jul 29 03:38:11 2011 
From: abokovoy at redhat.com (Alexander Bokovoy) Date: Fri, 29 Jul 2011 06:38:11 +0300 Subject: [Freeipa-devel] [PATCH] 0007 Add command to test HBAC rules In-Reply-To: <4E31C9C3.7080904@redhat.com> References: <1383009380.228321.1311613060175.JavaMail.root@zmail05.collab.prod.int.phx2.redhat.com> <4E2DA179.9030906@redhat.com> <4E2DDC71.5080202@redhat.com> <4E2E3321.3070704@redhat.com> <4E2E9892.8030402@redhat.com> <4E2F1BC3.3050109@redhat.com> <4E300EB0.2020205@redhat.com> <4E3030A1.1000409@redhat.com> <4E311352.5080104@redhat.com> <4E31C9C3.7080904@redhat.com> Message-ID: <4E322B23.1040300@redhat.com> On 28.07.2011 23:42, Rob Crittenden wrote: >> Fixed this now and also removed some residual debug prints in unit >> tests. Patch attached. >> > > nack > > There is an EXAMPLES section in the help but it just explains the > options and provides no examples. I think we can just drop the EXAMPLES > header. Providing examples for this might be rather convoluted, though > seeing a couple of command-lines might provide enough context. I decided to add examples. > It should probably mention that user, srchost, host and service are all > required but that becomes rather obvious when you try to execute the > command. Added this. > If you provide a single, not found rule to test against a ValueError is > thrown when validating that the output is valid. 
>
> $ ipa hbactest --user=rcrit --srchost=foo --host=bar --service=baz --rules=testnotfound
>
> ipa: ERROR: non-public: ValueError: hbactest.validate_output(): missing keys ['matched', 'notmatched'] in {'error': [u'test22'], 'value': u'False', 'summary': u'Unresolved rules in --rules'}
> Traceback (most recent call last):
>   File "/home/rcrit/redhat/freeipa-master/ipaserver/rpcserver.py", line 220, in wsgi_execute
>     result = self.Command[name](*args, **options)
>   File "/home/rcrit/redhat/freeipa-master/ipalib/frontend.py", line 436, in __call__
>     self.validate_output(ret)
>   File "/home/rcrit/redhat/freeipa-master/ipalib/frontend.py", line 883, in validate_output
>     nice, missing, output)
> ValueError: hbactest.validate_output(): missing keys ['matched', 'notmatched'] in {'error': [u'test22'], 'value': u'False', 'summary': u'Unresolved rules in --rules'}
> ipa: DEBUG: response: InternalError: an internal error has occurred
>

My bad (two returns taking different paths). Fixed that all and added a unit test for non-existing rules. Modified the description to be more detailed and added real examples.

-- 
/ Alexander Bokovoy
-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: freeipa-abbra-0007-5-add-hbactest-command.patch
URL: 
From abokovoy at redhat.com Fri Jul 29 03:42:51 2011
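The validate_output failure quoted above is what "two returns taking different paths" looks like from the outside: the early return for unresolved rules produced a dict without the 'matched' and 'notmatched' keys that the normal path returns, and the framework's output check turned that into an InternalError for the caller. The following is an added example, not FreeIPA's hbactest plugin or its frontend code: the rule evaluation is a constructed simplification (sets of users, hosts and services, with 'all' standing in for a category=all wildcard), and the rule names, sample rules and HAS_OUTPUT tuple are assumptions. It shows the buggy shape beside the fixed one and the validator that catches the omission.

```python
# Added example (not FreeIPA code): every return path of a command must
# produce every declared output key, and an output validator enforces it.

HAS_OUTPUT = ('summary', 'value', 'error', 'matched', 'notmatched')

# Constructed sample rules standing in for HBAC rules fetched from LDAP.
RULES = {
    'allow_all':  {'users': 'all', 'hosts': 'all', 'services': 'all'},
    'admins_ssh': {'users': {'rcrit'}, 'hosts': {'bar'}, 'services': {'sshd'}},
    'test22':     {'users': {'nobody'}, 'hosts': {'bar'}, 'services': {'sshd'}},
}

def _member(value, allowed):
    # 'all' is the constructed stand-in for a category=all wildcard.
    return allowed == 'all' or value in allowed

def rule_matches(rule, user, host, service):
    """Simplified HBAC evaluation: all three dimensions must match."""
    return (_member(user, rule['users']) and _member(host, rule['hosts'])
            and _member(service, rule['services']))

def missing_output_keys(output, has_output=HAS_OUTPUT):
    """Declared keys that a command's result dict failed to provide."""
    return [k for k in has_output if k not in output]

def validate_output(name, output, has_output=HAS_OUTPUT):
    """Reject a result missing any declared key; this is the check that
    turned the unresolved-rule case into an InternalError."""
    missing = missing_output_keys(output, has_output)
    if missing:
        raise ValueError('%s.validate_output(): missing keys %r in %r'
                         % (name, missing, output))
    return output

def _evaluate(user, host, service, names, known):
    matched = [n for n in names if rule_matches(known[n], user, host, service)]
    notmatched = [n for n in names if n not in matched]
    return {'summary': None, 'value': bool(matched), 'error': [],
            'matched': matched, 'notmatched': notmatched}

def hbactest_buggy(user, host, service, names, known=RULES):
    unresolved = [n for n in names if n not in known]
    if unresolved:
        # Early return on its own path: no 'matched'/'notmatched' keys,
        # so validate_output() raises and the user sees an InternalError.
        return {'summary': u'Unresolved rules in --rules',
                'value': False, 'error': unresolved}
    return _evaluate(user, host, service, names, known)

def hbactest_fixed(user, host, service, names, known=RULES):
    unresolved = [n for n in names if n not in known]
    if unresolved:
        # Same shape on every path; only the content differs.
        return {'summary': u'Unresolved rules in --rules', 'value': False,
                'error': unresolved, 'matched': [], 'notmatched': []}
    return _evaluate(user, host, service, names, known)

def run_command(name, func, *args):
    """Execute a command and validate its output, as a framework would."""
    return validate_output(name, func(*args))
```

The cheapest guard is the one hbactest_fixed uses: build the full result dict once and fill it on every path. The validator still earns its keep, because it runs on every response and turns a silently malformed result into a failing unit test (the non-existing-rule test added to the patch) instead of an error report from a user.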
From: abokovoy at redhat.com (Alexander Bokovoy) Date: Fri, 29 Jul 2011 06:42:51 +0300 Subject: [Freeipa-devel] [PATCH] 0007 Add command to test HBAC rules In-Reply-To: <4E322B23.1040300@redhat.com> References: <1383009380.228321.1311613060175.JavaMail.root@zmail05.collab.prod.int.phx2.redhat.com> <4E2DA179.9030906@redhat.com> <4E2DDC71.5080202@redhat.com> <4E2E3321.3070704@redhat.com> <4E2E9892.8030402@redhat.com> <4E2F1BC3.3050109@redhat.com> <4E300EB0.2020205@redhat.com> <4E3030A1.1000409@redhat.com> <4E311352.5080104@redhat.com> <4E31C9C3.7080904@redhat.com> <4E322B23.1040300@redhat.com> Message-ID: <4E322C3B.5060904@redhat.com> On 29.07.2011 06:38, Alexander Bokovoy wrote: > Fixed that all and added unit test for non-existing rules. > Modified description to be more detailed and added real examples. Scratch previous version, while nicely renaming unit tests before commit and after patch testing I didn't keep right order of cleanup and the non-existing rule test. Fixed version. -- / Alexander Bokovoy -------------- next part -------------- An embedded and charset-unspecified text was scrubbed... Name: freeipa-abbra-0007-5-add-hbactest-command.patch URL: From rcritten at redhat.com Fri Jul 29 04:41:44 2011 
From: rcritten at redhat.com (Rob Crittenden) Date: Fri, 29 Jul 2011 00:41:44 -0400 Subject: [Freeipa-devel] [PATCH] 0007 Add command to test HBAC rules In-Reply-To: <4E322C3B.5060904@redhat.com> References: <1383009380.228321.1311613060175.JavaMail.root@zmail05.collab.prod.int.phx2.redhat.com> <4E2DA179.9030906@redhat.com> <4E2DDC71.5080202@redhat.com> <4E2E3321.3070704@redhat.com> <4E2E9892.8030402@redhat.com> <4E2F1BC3.3050109@redhat.com> <4E300EB0.2020205@redhat.com> <4E3030A1.1000409@redhat.com> <4E311352.5080104@redhat.com> <4E31C9C3.7080904@redhat.com> <4E322B23.1040300@redhat.com> <4E322C3B.5060904@redhat.com> Message-ID: <4E323A08.1050306@redhat.com> Alexander Bokovoy wrote: > On 29.07.2011 06:38, Alexander Bokovoy wrote: >> Fixed that all and added unit test for non-existing rules. >> Modified description to be more detailed and added real examples. > Scratch previous version, while nicely renaming unit tests before commit > and after patch testing I didn't keep right order of cleanup and the > non-existing rule test. > > Fixed version. Nack, two very minor issues: ipalib/plugins/hbactest.py:126: [E0602] Undefined variable 'sys' This code can probably be done away with since we have a Requires for it. I won't insist on it though. There is a slew of trailing white-space. rob From jcholast at redhat.com Fri Jul 29 06:17:19 2011 
From: jcholast at redhat.com (Jan Cholasta) Date: Fri, 29 Jul 2011 08:17:19 +0200 Subject: [Freeipa-devel] [PATCH] 841 require pki-ca >= 9.0.10 In-Reply-To: <4E31AAFB.8030908@redhat.com> References: <4E31AAFB.8030908@redhat.com> Message-ID: <4E32506F.2080208@redhat.com> On 28.7.2011 20:31, Rob Crittenden wrote: > The IPA server cert profile was updated in 9.0.10 to allow the server > certs to act as clients. We need pki-ca 9.0.10 for this. > > rob > > > _______________________________________________ > Freeipa-devel mailing list > Freeipa-devel at redhat.com > https://www.redhat.com/mailman/listinfo/freeipa-devel ACK. Honza -- Jan Cholasta From abokovoy at redhat.com Fri Jul 29 06:34:41 2011 
From: abokovoy at redhat.com (Alexander Bokovoy) Date: Fri, 29 Jul 2011 09:34:41 +0300 Subject: [Freeipa-devel] [PATCH] 0007 Add command to test HBAC rules In-Reply-To: <4E323A08.1050306@redhat.com> References: <1383009380.228321.1311613060175.JavaMail.root@zmail05.collab.prod.int.phx2.redhat.com> <4E2DA179.9030906@redhat.com> <4E2DDC71.5080202@redhat.com> <4E2E3321.3070704@redhat.com> <4E2E9892.8030402@redhat.com> <4E2F1BC3.3050109@redhat.com> <4E300EB0.2020205@redhat.com> <4E3030A1.1000409@redhat.com> <4E311352.5080104@redhat.com> <4E31C9C3.7080904@redhat.com> <4E322B23.1040300@redhat.com> <4E322C3B.5060904@redhat.com> <4E323A08.1050306@redhat.com> Message-ID: <4E325481.8040405@redhat.com> On 29.07.2011 07:41, Rob Crittenden wrote: > Alexander Bokovoy wrote: >> On 29.07.2011 06:38, Alexander Bokovoy wrote: >>> Fixed that all and added unit test for non-existing rules. >>> Modified description to be more detailed and added real examples. >> Scratch previous version, while nicely renaming unit tests before commit >> and after patch testing I didn't keep right order of cleanup and the >> non-existing rule test. >> >> Fixed version. > > Nack, two very minor issues: > > ipalib/plugins/hbactest.py:126: [E0602] Undefined variable 'sys' > > This code can probably be done away with since we have a Requires for > it. I won't insist on it though. Yes, removed since package with ipalib will have the dependency. > There is a slew of trailing white-space. Fixed. -- / Alexander Bokovoy -------------- next part -------------- An embedded and charset-unspecified text was scrubbed... Name: freeipa-abbra-0007-5-add-hbactest-command.patch URL: From mkosek at redhat.com Fri Jul 29 07:58:04 2011 
From: mkosek at redhat.com (Martin Kosek) Date: Fri, 29 Jul 2011 09:58:04 +0200 Subject: [Freeipa-devel] [PATCH] 842 deprecation some sudorule options In-Reply-To: <4E31E860.2080207@redhat.com> References: <4E31E860.2080207@redhat.com> Message-ID: <1311926286.2582.2.camel@dhcp-25-52.brq.redhat.com> On Thu, 2011-07-28 at 18:53 -0400, Rob Crittenden wrote: > > I created a validator for each of these three to disallow management. > This would be a major API change to remove them. > > They are useful in the find command so I hedged my bet and didn't > mark > the docs as deprecated, just as for -find only. > > rob > > NACK. The approach looks OK, I just think that the error message is not really what we want: # ipa sudorule-mod srule1 --externaluser=foo ipa: ERROR: invalid 'externaluser': The deny type has been deprecated. Martin From jcholast at redhat.com Fri Jul 29 07:59:17 2011 From: jcholast at redhat.com (Jan Cholasta) Date: Fri, 29 Jul 2011 09:59:17 +0200 Subject: [Freeipa-devel] [PATCH 33/33] Clean up existing DN object usage In-Reply-To: <4E31B82D.7040506@redhat.com> References: <4E31B82D.7040506@redhat.com> Message-ID: <4E326855.8050505@redhat.com> On 28.7.2011 21:27, John Dennis wrote: > Clean up existing DN object usage: > > DN's support iteration, no need for loop index. > > get_cert_nickname() now returns a DN object instead of a dn string. > > Use DN equality testing instead of string equality. > > Replace use DN syntax strings with DN constructor args. > > Remove ipaldap.IPAdmin.normalizeDN() > Works fine, ACK. Honza -- Jan Cholasta From mkosek at redhat.com Fri Jul 29 08:29:11 2011 
From: mkosek at redhat.com (Martin Kosek) Date: Fri, 29 Jul 2011 10:29:11 +0200 Subject: [Freeipa-devel] [PATCH] 840 don't set host passwords as expired In-Reply-To: <4E301DC1.7020107@redhat.com> References: <4E3018AF.4060200@redhat.com> <4E301DC1.7020107@redhat.com> Message-ID: <1311928153.2582.3.camel@dhcp-25-52.brq.redhat.com> On Wed, 2011-07-27 at 10:16 -0400, Rob Crittenden wrote: > Rob Crittenden wrote: > > When setting a host password once the host has already been enrolled > > will result in an expired password (like most passwords we set). We can > > just skip setting this at all on hosts. > > > > Test using this method: > > > > * ipa host-add --random > > * ipa-client-install --password '***' > > * ipa-client-install --uninstall > > * ipa host-mod --random > > * ipa-client-install --password '***' > > > > If the second enrollment works the patch succeeded. Previously it would > > fail with "Password expired". > > > > rob > > Sorry, talk about overcommit! Here is just the interesting bits. > > rob ACK. Works fine. Pushed to master, ipa-2-0. Martin From abokovoy at redhat.com Fri Jul 29 08:42:23 2011 From: abokovoy at redhat.com (Alexander Bokovoy) Date: Fri, 29 Jul 2011 11:42:23 +0300 Subject: [Freeipa-devel] [PATCH] 0008 Modify /etc/sysconfig/network on a client when IPA manages hostname Message-ID: <4E32726F.60500@redhat.com> https://fedorahosted.org/freeipa/ticket/1368 also replaces a tab by spaces in one else statement (cosmetic). -- / Alexander Bokovoy -------------- next part -------------- An embedded and charset-unspecified text was scrubbed... Name: freeipa-abbra-0008-ticket-1368.patch URL: From mkosek at redhat.com Fri Jul 29 09:01:03 2011 
From: mkosek at redhat.com (Martin Kosek)
Date: Fri, 29 Jul 2011 11:01:03 +0200
Subject: [Freeipa-devel] [PATCH] 0008 Modify /etc/sysconfig/network on a client when IPA manages hostname
In-Reply-To: <4E32726F.60500@redhat.com>
References: <4E32726F.60500@redhat.com>
Message-ID: <1311930065.2582.9.camel@dhcp-25-52.brq.redhat.com>

On Fri, 2011-07-29 at 11:42 +0300, Alexander Bokovoy wrote:
> https://fedorahosted.org/freeipa/ticket/1368
>
> also replaces a tab by spaces in one else statement (cosmetic).

This works fine. But I have a few suggestions for improvement:

1) Shouldn't we also run `hostname NEW_HOSTNAME` so that the new hostname is properly set on the system?

2) I would enhance our man pages/help and state that we are changing the system hostname. The current --hostname option is confusing:

    --hostname
        The hostname of this server (FQDN). By default of nodename from uname(2) is used.

Martin
From mkosek at redhat.com Fri Jul 29 09:20:28 2011
From: mkosek at redhat.com (Martin Kosek)
Date: Fri, 29 Jul 2011 11:20:28 +0200
Subject: [Freeipa-devel] [PATCH] 841 require pki-ca >= 9.0.10
In-Reply-To: <4E32506F.2080208@redhat.com>
References: <4E31AAFB.8030908@redhat.com> <4E32506F.2080208@redhat.com>
Message-ID: <1311931230.2582.10.camel@dhcp-25-52.brq.redhat.com>

On Fri, 2011-07-29 at 08:17 +0200, Jan Cholasta wrote:
> On 28.7.2011 20:31, Rob Crittenden wrote:
> > The IPA server cert profile was updated in 9.0.10 to allow the server
> > certs to act as clients. We need pki-ca 9.0.10 for this.
> >
> > rob
> >
> >
> > _______________________________________________
> > Freeipa-devel mailing list
> > Freeipa-devel at redhat.com
> > https://www.redhat.com/mailman/listinfo/freeipa-devel
>
> ACK.
>
> Honza
>

Pushed to master.

Martin
From abokovoy at redhat.com Fri Jul 29 09:21:06 2011
From: abokovoy at redhat.com (Alexander Bokovoy)
Date: Fri, 29 Jul 2011 12:21:06 +0300
Subject: [Freeipa-devel] [PATCH] 0008 Modify /etc/sysconfig/network on a client when IPA manages hostname
In-Reply-To: <1311930065.2582.9.camel@dhcp-25-52.brq.redhat.com>
References: <4E32726F.60500@redhat.com> <1311930065.2582.9.camel@dhcp-25-52.brq.redhat.com>
Message-ID: <4E327B82.1060703@redhat.com>

On 29.07.2011 12:01, Martin Kosek wrote:
> On Fri, 2011-07-29 at 11:42 +0300, Alexander Bokovoy wrote:
>> https://fedorahosted.org/freeipa/ticket/1368
>>
>> also replaces a tab by spaces in one else statement (cosmetic).
>
> This works fine. But I have a few suggestions for improvement:
>
> 1) Shouldn't we also run `hostname NEW_HOSTNAME` so that the new
> hostname is properly set on the system?
Makes sense.

> 2) I would enhance our man pages/help and state that we are changing the
> system hostname. The current --hostname option is confusing:
>
> --hostname
> The hostname of this server (FQDN). By default of nodename from
> uname(2) is used.
Oh, this is not informative at all. I'll get this updated.

Thanks for the review!

-- 
/ Alexander Bokovoy
From abokovoy at redhat.com Fri Jul 29 09:46:12 2011
From: abokovoy at redhat.com (Alexander Bokovoy) Date: Fri, 29 Jul 2011 12:46:12 +0300 Subject: [Freeipa-devel] [PATCH] 0008 Modify /etc/sysconfig/network on a client when IPA manages hostname In-Reply-To: <4E327B82.1060703@redhat.com> References: <4E32726F.60500@redhat.com> <1311930065.2582.9.camel@dhcp-25-52.brq.redhat.com> <4E327B82.1060703@redhat.com> Message-ID: <4E328164.1030508@redhat.com> On 29.07.2011 12:21, Alexander Bokovoy wrote: > On 29.07.2011 12:01, Martin Kosek wrote: >> On Fri, 2011-07-29 at 11:42 +0300, Alexander Bokovoy wrote: >>> https://fedorahosted.org/freeipa/ticket/1368 >>> >>> also replaces a tab by spaces in one else statement (cosmetic). >> >> This works fine. But I have few suggestion for improvement: >> >> 1) Shouldn't we also run `hostname NEW_HOSTNAME` so that the new >> hostname is properly set on the system? > Makes sense. > >> 2) I would enhance our man pages/help and state that we are changing the >> system hostname. Current --hostname option is confusing: >> >> --hostname >> The hostname of this server (FQDN). By default of nodename from >> uname(2) is used. > Oh, this is not informative at all. I'll get this updated. Updated patch attached. -- / Alexander Bokovoy -------------- next part -------------- An embedded and charset-unspecified text was scrubbed... Name: freeipa-abbra-0008-1-ticket-1368.patch URL: From abokovoy at redhat.com Fri Jul 29 10:09:08 2011 
From: abokovoy at redhat.com (Alexander Bokovoy)
Date: Fri, 29 Jul 2011 13:09:08 +0300
Subject: [Freeipa-devel] [PATCH] 0004 (2) Make proper LDAP configuration reporting for ipa-cli-install
Message-ID: <4E3286C4.7000406@redhat.com>

Hi,

another attempt to refine error/configuration reporting when configuring means to access LDAP on a client. The previous one tried to use rpm to find out the package name, but this approach avoids package names. Instead, it tries to tell the configuration file.

Ticket https://fedorahosted.org/freeipa/ticket/1369

-- 
/ Alexander Bokovoy
-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: freeipa-abbra-0004-2-ticket-1369.patch
URL: 
From mkosek at redhat.com Fri Jul 29 10:52:54 2011
From: mkosek at redhat.com (Martin Kosek)
Date: Fri, 29 Jul 2011 12:52:54 +0200
Subject: [Freeipa-devel] [PATCH] 0008 Modify /etc/sysconfig/network on a client when IPA manages hostname
In-Reply-To: <4E328164.1030508@redhat.com>
References: <4E32726F.60500@redhat.com> <1311930065.2582.9.camel@dhcp-25-52.brq.redhat.com> <4E327B82.1060703@redhat.com> <4E328164.1030508@redhat.com>
Message-ID: <1311936777.2582.17.camel@dhcp-25-52.brq.redhat.com>

On Fri, 2011-07-29 at 12:46 +0300, Alexander Bokovoy wrote:
> On 29.07.2011 12:21, Alexander Bokovoy wrote:
> > On 29.07.2011 12:01, Martin Kosek wrote:
> >> On Fri, 2011-07-29 at 11:42 +0300, Alexander Bokovoy wrote:
> >>> https://fedorahosted.org/freeipa/ticket/1368
> >>>
> >>> also replaces a tab by spaces in one else statement (cosmetic).
> >>
> >> This works fine. But I have a few suggestions for improvement:
> >>
> >> 1) Shouldn't we also run `hostname NEW_HOSTNAME` so that the new
> >> hostname is properly set on the system?
> > Makes sense.
> >
> >> 2) I would enhance our man pages/help and state that we are changing the
> >> system hostname. The current --hostname option is confusing:
> >>
> >> --hostname
> >> The hostname of this server (FQDN). By default of nodename from
> >> uname(2) is used.
> > Oh, this is not informative at all. I'll get this updated.
> Updated patch attached.
>

Ok, hostname is properly changed now. I still have some issues:

1) The updated --hostname help doc line in the source code is too long. This should be split.

2) I miss the new --hostname help in the ipa-client-install man pages (there can be the same text as it is in the inline help).

3) When the IPA client is uninstalled, I would consider changing the hostname back to where it was. sysrestore.StateFile could be used for storing the old hostname value.

Martin
From mkosek at redhat.com Fri Jul 29 11:13:03 2011
From: mkosek at redhat.com (Martin Kosek)
Date: Fri, 29 Jul 2011 13:13:03 +0200
Subject: [Freeipa-devel] [PATCH] 0004 (2) Make proper LDAP configuration reporting for ipa-cli-install
In-Reply-To: <4E3286C4.7000406@redhat.com>
References: <4E3286C4.7000406@redhat.com>
Message-ID: <1311937985.2582.25.camel@dhcp-25-52.brq.redhat.com>

On Fri, 2011-07-29 at 13:09 +0300, Alexander Bokovoy wrote:
> Hi,
>
> another attempt to refine error/configuration reporting when configuring
> means to access LDAP on a client. Previous one tried to use rpm to find
> out package name but this approach is avoiding package names. Instead,
> it tries to tell configuration file.
>
> Ticket https://fedorahosted.org/freeipa/ticket/1369

NACK.

1) Return info from LDAP config functions gets overwritten:

    if not options.sssd:
        (retcode, conf, filename) = configure_ldap_conf(fstore, cli_basedn, cli_realm, cli_domain, cli_server, dnsok, options)
        if retcode:
            return 1
        (retcode, conf, filename) = configure_nslcd_conf(fstore, cli_basedn, cli_realm, cli_domain, cli_server, dnsok, options)
        if retcode:
            return 1

Only one function will do the real configuration; in my case it was configure_ldap_conf (nslcd was not installed). Due to the overwrite, my ipa-client-install reported invalid information:

    # ipa-client-install --server=vm-059.idm.lab.bos.redhat.com --domain=idm.lab.bos.redhat.com --no-sssd
    ...
    LDAP enabled
    Kerberos 5 enabled
    NSLCD configured using configuration file /etc/nslcd.conf    <<<<
    Unable to use DNS discovery! Recognized configuration: NSLCD
    Changing configuration of /etc/ldap.conf to use hardcoded server name: vm-059.idm.lab.bos.redhat.com
    NTP enabled
    Client configuration complete.

We need to indicate in the return triple that the service was not configured so that we output correct information.

2) Returning a tuple instead of a triple (will raise an exception when used):

    - return 1
    + return (1, 'nslcd')

Plus, NSLCD is referred to in upper case in other return statements.
Martin From mkosek at redhat.com Fri Jul 29 11:14:53 2011 From: mkosek at redhat.com (Martin Kosek) Date: Fri, 29 Jul 2011 13:14:53 +0200 Subject: [Freeipa-devel] [PATCH 33/33] Clean up existing DN object usage In-Reply-To: <4E326855.8050505@redhat.com> References: <4E31B82D.7040506@redhat.com> <4E326855.8050505@redhat.com> Message-ID: <1311938096.2582.26.camel@dhcp-25-52.brq.redhat.com> On Fri, 2011-07-29 at 09:59 +0200, Jan Cholasta wrote: > On 28.7.2011 21:27, John Dennis wrote: > > Clean up existing DN object usage: > > > > DN's support iteration, no need for loop index. > > > > get_cert_nickname() now returns a DN object instead of a dn string. > > > > Use DN equality testing instead of string equality. > > > > Replace use DN syntax strings with DN constructor args. > > > > Remove ipaldap.IPAdmin.normalizeDN() > > > > Works fine, ACK. > > Honza > Pushed to master, ipa-2-0. Martin From abokovoy at redhat.com Fri Jul 29 11:53:54 2011 
From: abokovoy at redhat.com (Alexander Bokovoy) Date: Fri, 29 Jul 2011 14:53:54 +0300 Subject: [Freeipa-devel] [PATCH] 0008 Modify /etc/sysconfig/network on a client when IPA manages hostname In-Reply-To: <1311936777.2582.17.camel@dhcp-25-52.brq.redhat.com> References: <4E32726F.60500@redhat.com> <1311930065.2582.9.camel@dhcp-25-52.brq.redhat.com> <4E327B82.1060703@redhat.com> <4E328164.1030508@redhat.com> <1311936777.2582.17.camel@dhcp-25-52.brq.redhat.com> Message-ID: <4E329F52.6070501@redhat.com> On 29.07.2011 13:52, Martin Kosek wrote: >>> Oh, this is not informative at all. I'll get this updated. >> Updated patch attached. > Ok, hostname is properly changed now. I still have some issues: > > 1) Updated --hostname help doc line in the source code is too long. This > should be split. Now it uses multiple lines. > 2) I miss new --hostname help in ipa-client-install man pages (there can > be the same text as it is in the inline help) Copied the same text to ipa-client-install.1 > 3) When IPA client is uninstalled, I would consider changing the > hostname back to where it was. sysrestore.StateFile could be used for > storing the old hostname value. Added use of sysrestore.StateFile and restoring the hostname from it. Note that /etc/sysconfig/network is restored already via sysrestore.FileStore. -- / Alexander Bokovoy -------------- next part -------------- An embedded and charset-unspecified text was scrubbed... Name: freeipa-abbra-0008-2-ticket-1368.patch URL: From rcritten at redhat.com Fri Jul 29 12:51:57 2011 
From: rcritten at redhat.com (Rob Crittenden) Date: Fri, 29 Jul 2011 08:51:57 -0400 Subject: [Freeipa-devel] [PATCH] 842 deprecation some sudorule options In-Reply-To: <1311926286.2582.2.camel@dhcp-25-52.brq.redhat.com> References: <4E31E860.2080207@redhat.com> <1311926286.2582.2.camel@dhcp-25-52.brq.redhat.com> Message-ID: <4E32ACED.70601@redhat.com> Martin Kosek wrote: > On Thu, 2011-07-28 at 18:53 -0400, Rob Crittenden wrote: >> >> I created a validator for each of these three to disallow management. >> This would be a major API change to remove them. >> >> They are useful in the find command so I hedged my bet and didn't >> mark >> the docs as deprecated, just as for -find only. >> >> rob >> >> > > NACK. > > The approach looks OK, I just think that the error message is not really > what we want: > > # ipa sudorule-mod srule1 --externaluser=foo > ipa: ERROR: invalid 'externaluser': The deny type has been deprecated. > > Martin > Yikes, I had meant to go back and fix that up. Updated patch attached. rob -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-rcrit-842-2-sudorule.patch Type: application/mbox Size: 9620 bytes Desc: not available URL: From abokovoy at redhat.com Fri Jul 29 12:59:52 2011 
From: abokovoy at redhat.com (Alexander Bokovoy)
Date: Fri, 29 Jul 2011 15:59:52 +0300
Subject: [Freeipa-devel] [PATCH] 0004 (2) Make proper LDAP configuration reporting for ipa-cli-install
In-Reply-To: <1311937985.2582.25.camel@dhcp-25-52.brq.redhat.com>
References: <4E3286C4.7000406@redhat.com> <1311937985.2582.25.camel@dhcp-25-52.brq.redhat.com>
Message-ID: <4E32AEC8.5020707@redhat.com>

On 29.07.2011 14:13, Martin Kosek wrote:
> On Fri, 2011-07-29 at 13:09 +0300, Alexander Bokovoy wrote:
>> Hi,
>>
>> another attempt to refine error/configuration reporting when configuring
>> means to access LDAP on a client. Previous one tried to use rpm to find
>> out package name but this approach is avoiding package names. Instead,
>> it tries to tell configuration file.
>>
>> Ticket https://fedorahosted.org/freeipa/ticket/1369
>
> NACK.
>
> 1) Return info from LDAP config functions gets overwritten:
>
>     if not options.sssd:
>         (retcode, conf, filename) = configure_ldap_conf(fstore, cli_basedn, cli_realm, cli_domain, cli_server, dnsok, options)
>         if retcode:
>             return 1
>         (retcode, conf, filename) = configure_nslcd_conf(fstore, cli_basedn, cli_realm, cli_domain, cli_server, dnsok, options)
>         if retcode:
>             return 1
>
> Only one function will do the real configuration; in my case it was
> configure_ldap_conf (nslcd was not installed). Due to the overwrite, my
> ipa-client-install reported invalid information:

Yes, fixed.

>     # ipa-client-install --server=vm-059.idm.lab.bos.redhat.com --domain=idm.lab.bos.redhat.com --no-sssd
>     ...
>     LDAP enabled
>     Kerberos 5 enabled
>     NSLCD configured using configuration file /etc/nslcd.conf    <<<<
>     Unable to use DNS discovery! Recognized configuration: NSLCD
>     Changing configuration of /etc/ldap.conf to use hardcoded server name: vm-059.idm.lab.bos.redhat.com
>     NTP enabled
>     Client configuration complete.
>
> We need to indicate in the return triple that the service was not
> configured so that we output correct information.

I did this now by returning None: return (0, None, None).

> 2) Returning a tuple instead of a triple (will raise an exception when used):
>
>     - return 1
>     + return (1, 'nslcd')
>
> Plus, NSLCD is referred to in upper case in other return statements.

Fixed.

Version 3 attached.

-- 
/ Alexander Bokovoy
-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: freeipa-abbra-0004-3-ticket-1369.patch
URL: 
From rcritten at redhat.com Fri Jul 29 13:02:27 2011
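The bug Martin found in the thread above has two parts: each configurer returns a (retcode, conf, filename) triple, and the caller assigns the second call's triple over the first, so the installer reports whichever service ran last rather than the one it actually configured. Returning (0, None, None) for "nothing to configure" fixes the value; the caller still has to keep every real result instead of overwriting. The block below is an added example, not the ipa-client-install code: the two configurers write into a dict standing in for the FileStore, the set of present files stands in for "is the package installed", and the file contents, option names and the CA path /etc/ipa/ca.crt are illustrative assumptions.

```python
# Added example (not ipa-client-install): configurers that return
# (retcode, conf, filename), with (0, None, None) meaning "nothing to do
# here", and a caller that collects every real result instead of letting
# the last call overwrite the first.

def configure_ldap_conf(fstore, present, basedn, server):
    """Write /etc/ldap.conf (nss_ldap/pam_ldap) if the file exists on the host."""
    path = '/etc/ldap.conf'
    if path not in present:
        return (0, None, None)   # not installed: no error, nothing configured
    # Illustrative content: point the client at the IPA server over TLS and
    # require a certificate that chains to the IPA CA (path assumed).
    fstore[path] = ('URI ldaps://%s\nBASE %s\n'
                    'TLS_CACERT /etc/ipa/ca.crt\nTLS_REQCERT demand\n'
                    % (server, basedn))
    return (0, 'LDAP', path)

def configure_nslcd_conf(fstore, present, basedn, server):
    """Write /etc/nslcd.conf if nslcd's config file exists on the host."""
    path = '/etc/nslcd.conf'
    if path not in present:
        return (0, None, None)
    fstore[path] = ('uri ldaps://%s\nbase %s\n'
                    'tls_cacertfile /etc/ipa/ca.crt\ntls_reqcert demand\n'
                    % (server, basedn))
    return (0, 'NSLCD', path)

def configure_ldap_clients(fstore, present, basedn, server):
    """Run each configurer; stop on the first hard failure and keep the
    (conf, filename) of every one that actually configured something."""
    configured = []
    for configure in (configure_ldap_conf, configure_nslcd_conf):
        retcode, conf, filename = configure(fstore, present, basedn, server)
        if retcode:
            return retcode, configured
        if conf is not None:          # (0, None, None) is skipped, not reported
            configured.append((conf, filename))
    return 0, configured

def report_lines(configured):
    """The summary lines the installer prints, one per configured service."""
    return ['%s configured using configuration file %s' % pair
            for pair in configured]
```

With only /etc/ldap.conf present, report_lines() yields a single "LDAP configured using configuration file /etc/ldap.conf" line and nothing about NSLCD; with both files present it yields one line each, and with neither it yields nothing, which is the honest answer rather than a stale triple from the previous call.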
From: rcritten at redhat.com (Rob Crittenden) Date: Fri, 29 Jul 2011 09:02:27 -0400 Subject: [Freeipa-devel] [PATCH] 0007 Add command to test HBAC rules In-Reply-To: <4E325481.8040405@redhat.com> References: <1383009380.228321.1311613060175.JavaMail.root@zmail05.collab.prod.int.phx2.redhat.com> <4E2DA179.9030906@redhat.com> <4E2DDC71.5080202@redhat.com> <4E2E3321.3070704@redhat.com> <4E2E9892.8030402@redhat.com> <4E2F1BC3.3050109@redhat.com> <4E300EB0.2020205@redhat.com> <4E3030A1.1000409@redhat.com> <4E311352.5080104@redhat.com> <4E31C9C3.7080904@redhat.com> <4E322B23.1040300@redhat.com> <4E322C3B.5060904@redhat.com> <4E323A08.1050306@redhat.com> <4E325481.8040405@redhat.com> Message-ID: <4E32AF63.7060309@redhat.com> Alexander Bokovoy wrote: > On 29.07.2011 07:41, Rob Crittenden wrote: >> Alexander Bokovoy wrote: >>> On 29.07.2011 06:38, Alexander Bokovoy wrote: >>>> Fixed that all and added unit test for non-existing rules. >>>> Modified description to be more detailed and added real examples. >>> Scratch previous version, while nicely renaming unit tests before commit >>> and after patch testing I didn't keep right order of cleanup and the >>> non-existing rule test. >>> >>> Fixed version. >> >> Nack, two very minor issues: >> >> ipalib/plugins/hbactest.py:126: [E0602] Undefined variable 'sys' >> >> This code can probably be done away with since we have a Requires for >> it. I won't insist on it though. > Yes, removed since package with ipalib will have the dependency. > >> There is a slew of trailing white-space. > Fixed. > ack Minor rebase because freeipa.spec.in was updated, pushed to master. rob From abokovoy at redhat.com Fri Jul 29 13:05:25 2011 
From: abokovoy at redhat.com (Alexander Bokovoy)
Date: Fri, 29 Jul 2011 16:05:25 +0300
Subject: [Freeipa-devel] [PATCH] 0008 Modify /etc/sysconfig/network on a client when IPA manages hostname
In-Reply-To: <4E329F52.6070501@redhat.com>
References: <4E32726F.60500@redhat.com> <1311930065.2582.9.camel@dhcp-25-52.brq.redhat.com> <4E327B82.1060703@redhat.com> <4E328164.1030508@redhat.com> <1311936777.2582.17.camel@dhcp-25-52.brq.redhat.com> <4E329F52.6070501@redhat.com>
Message-ID: <4E32B015.3000402@redhat.com>

On 29.07.2011 14:53, Alexander Bokovoy wrote:
> On 29.07.2011 13:52, Martin Kosek wrote:
>>>> Oh, this is not informative at all. I'll get this updated.
>>> Updated patch attached.
>> Ok, hostname is properly changed now. I still have some issues:

Updated again to use a more reliable regexp for parsing. Thanks to the ConfParse project for inspiration (http://code.google.com/p/confparse/source/browse/trunk/confparse.py)

-- 
/ Alexander Bokovoy
-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: freeipa-abbra-0008-3-ticket-1368.patch
URL: 
From mkosek at redhat.com Fri Jul 29 13:25:09 2011
From: mkosek at redhat.com (Martin Kosek)
Date: Fri, 29 Jul 2011 15:25:09 +0200
Subject: [Freeipa-devel] [PATCH] 0008 Modify /etc/sysconfig/network on a client when IPA manages hostname
In-Reply-To: <4E32B015.3000402@redhat.com>
References: <4E32726F.60500@redhat.com> <1311930065.2582.9.camel@dhcp-25-52.brq.redhat.com> <4E327B82.1060703@redhat.com> <4E328164.1030508@redhat.com> <1311936777.2582.17.camel@dhcp-25-52.brq.redhat.com> <4E329F52.6070501@redhat.com> <4E32B015.3000402@redhat.com>
Message-ID: <1311945912.2582.33.camel@dhcp-25-52.brq.redhat.com>

On Fri, 2011-07-29 at 16:05 +0300, Alexander Bokovoy wrote:
> On 29.07.2011 14:53, Alexander Bokovoy wrote:
> > On 29.07.2011 13:52, Martin Kosek wrote:
> >>>> Oh, this is not informative at all. I'll get this updated.
> >>> Updated patch attached.
> >> Ok, hostname is properly changed now. I still have some issues:
> Updated again to use a more reliable regexp for parsing. Thanks to the
> ConfParse project for inspiration
> (http://code.google.com/p/confparse/source/browse/trunk/confparse.py)
>

Hm, the new regex looks robust.

1) But it didn't find the hostname in my case:

    # ipa-client-install --server=vm-059.idm.lab.bos.redhat.com --domain=idm.lab.bos.redhat.com --hostname=foo.idm.lab.bos.redhat.com
    ...
    Client configuration complete.

No sysrestore.state was created, i.e. no hostname was backed up.

    # ls /var/lib/ipa-client/sysrestore/
    688988a01b73872d-network   d35eec0a8128e435-krb5.conf   eada0d7ba116bfd7-sssd.conf
    9cf989cb60307725-ntp.conf  e4d8b217dfce5043-ntpd        sysrestore.index

The IPA client then failed with an exception because we didn't have the hostname:

    # ipa-client-install --uninstall --unattended
    Unenrolling client from IPA server
    Removing Kerberos service principals from /etc/krb5.keytab
    Disabling client Kerberos and LDAP configurations
    Restoring client configuration files
    Traceback (most recent call last):
      File "/usr/sbin/ipa-client-install", line 1071, in <module>
        sys.exit(main())
      File "/usr/sbin/ipa-client-install", line 737, in main
        return uninstall(options, env)
      File "/usr/sbin/ipa-client-install", line 245, in uninstall
        ipautil.run(['/bin/hostname', old_hostname])
      File "/usr/lib/python2.7/site-packages/ipapython/ipautil.py", line 218, in run
        close_fds=True, env=env)
      File "/usr/lib64/python2.7/subprocess.py", line 672, in __init__
        errread, errwrite)
      File "/usr/lib64/python2.7/subprocess.py", line 1202, in _execute_child
        raise child_exception
    TypeError: coercing to Unicode: need string or buffer, NoneType found

There should be a check that if we don't have the hostname, we don't restore it.

My network configuration was:

    # cat /etc/sysconfig/network
    NETWORKING=yes
    HOSTNAME=vm-131.idm.lab.bos.redhat.com

2) Why do we call backup_and_replace_hostname() only in configure_sssd_conf()? If we run the client installation with --no-sssd, the hostname wouldn't get backed up.

Martin
From mkosek at redhat.com Fri Jul 29 13:42:33 2011
From: mkosek at redhat.com (Martin Kosek)
Date: Fri, 29 Jul 2011 15:42:33 +0200
Subject: [Freeipa-devel] [PATCH] 842 deprecation some sudorule options
In-Reply-To: <4E32ACED.70601@redhat.com>
References: <4E31E860.2080207@redhat.com> <1311926286.2582.2.camel@dhcp-25-52.brq.redhat.com> <4E32ACED.70601@redhat.com>
Message-ID: <1311946956.2582.34.camel@dhcp-25-52.brq.redhat.com>

On Fri, 2011-07-29 at 08:51 -0400, Rob Crittenden wrote:
> Martin Kosek wrote:
> > On Thu, 2011-07-28 at 18:53 -0400, Rob Crittenden wrote:
> >>
> >> I created a validator for each of these three to disallow management.
> >> This would be a major API change to remove them.
> >>
> >> They are useful in the find command so I hedged my bet and didn't mark
> >> the docs as deprecated, just as for -find only.
> >>
> >> rob
> >>
> >
> > NACK.
> >
> > The approach looks OK, I just think that the error message is not really
> > what we want:
> >
> > # ipa sudorule-mod srule1 --externaluser=foo
> > ipa: ERROR: invalid 'externaluser': The deny type has been deprecated.
> >
> > Martin
> >
>
> Yikes, I had meant to go back and fix that up. Updated patch attached.
>
> rob

Yeah, that's better :-)

ACK. Pushed to master, ipa-2-0.

Martin

From abokovoy at redhat.com Fri Jul 29 14:06:35 2011
From: abokovoy at redhat.com (Alexander Bokovoy)
Date: Fri, 29 Jul 2011 17:06:35 +0300
Subject: [Freeipa-devel] [PATCH] 0008 Modify /etc/sysconfig/network on a client when IPA manages hostname
In-Reply-To: <1311945912.2582.33.camel@dhcp-25-52.brq.redhat.com>
References: <4E32726F.60500@redhat.com> <1311930065.2582.9.camel@dhcp-25-52.brq.redhat.com> <4E327B82.1060703@redhat.com> <4E328164.1030508@redhat.com> <1311936777.2582.17.camel@dhcp-25-52.brq.redhat.com> <4E329F52.6070501@redhat.com> <4E32B015.3000402@redhat.com> <1311945912.2582.33.camel@dhcp-25-52.brq.redhat.com>
Message-ID: <4E32BE6B.5050404@redhat.com>

On 29.07.2011 16:25, Martin Kosek wrote:
> On Fri, 2011-07-29 at 16:05 +0300, Alexander Bokovoy wrote:
>> On 29.07.2011 14:53, Alexander Bokovoy wrote:
>>> On 29.07.2011 13:52, Martin Kosek wrote:
>>>>>> Oh, this is not informative at all. I'll get this updated.
>>>>> Updated patch attached.
>>>> Ok, hostname is properly changed now. I still have some issues:
>> Updated again to use more reliable regexp for parsing. Thanks to
>> ConfParse project for inspiration
>> (http://code.google.com/p/confparse/source/browse/trunk/confparse.py)
>>
>
> Hm, the new regex looks robust.
>
> 1) But it didn't find hostname in my case:
There was wrong comparison (I wanted to check if option is not None and then compare it to 'HOSTNAME' but brain short-circuited). My bad.

> # ipa-client-install --server=vm-059.idm.lab.bos.redhat.com
> --domain=idm.lab.bos.redhat.com --hostname=foo.idm.lab.bos.redhat.com
> ...
> Client configuration complete.
>
> No sysrestore.state was created, i.e. no hostname was backup-ed.
>
> # ls /var/lib/ipa-client/sysrestore/
> 688988a01b73872d-network d35eec0a8128e435-krb5.conf
> eada0d7ba116bfd7-sssd.conf
> 9cf989cb60307725-ntp.conf e4d8b217dfce5043-ntpd sysrestore.index
>
> IPA client then failed with an exception because we didn't have the
> hostname:
>
> # ipa-client-install --uninstall --unattended
> Unenrolling client from IPA server
> Removing Kerberos service principals from /etc/krb5.keytab
> Disabling client Kerberos and LDAP configurations
> Restoring client configuration files
> Traceback (most recent call last):
>   File "/usr/sbin/ipa-client-install", line 1071, in
>     sys.exit(main())
>   File "/usr/sbin/ipa-client-install", line 737, in main
>     return uninstall(options, env)
>   File "/usr/sbin/ipa-client-install", line 245, in uninstall
>     ipautil.run(['/bin/hostname', old_hostname])
>   File "/usr/lib/python2.7/site-packages/ipapython/ipautil.py", line 218, in run
>     close_fds=True, env=env)
>   File "/usr/lib64/python2.7/subprocess.py", line 672, in __init__
>     errread, errwrite)
>   File "/usr/lib64/python2.7/subprocess.py", line 1202, in _execute_child
>     raise child_exception
> TypeError: coercing to Unicode: need string or buffer, NoneType found
>
> There should be a check that if we don't have the hostname, we don't
> restore it.
Added both checks (it was there in uninstall but checking hostname instead of old_hostname).

--
/ Alexander Bokovoy
-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: freeipa-abbra-0008-3-ticket-1368.patch
URL:

From abokovoy at redhat.com Fri Jul 29 14:19:53 2011
From: abokovoy at redhat.com (Alexander Bokovoy)
Date: Fri, 29 Jul 2011 17:19:53 +0300
Subject: [Freeipa-devel] [PATCH] 0008 Modify /etc/sysconfig/network on a client when IPA manages hostname
In-Reply-To: <4E32BE6B.5050404@redhat.com>
References: <4E32726F.60500@redhat.com> <1311930065.2582.9.camel@dhcp-25-52.brq.redhat.com> <4E327B82.1060703@redhat.com> <4E328164.1030508@redhat.com> <1311936777.2582.17.camel@dhcp-25-52.brq.redhat.com> <4E329F52.6070501@redhat.com> <4E32B015.3000402@redhat.com> <1311945912.2582.33.camel@dhcp-25-52.brq.redhat.com> <4E32BE6B.5050404@redhat.com>
Message-ID: <4E32C189.5040503@redhat.com>

On 29.07.2011 17:06, Alexander Bokovoy wrote:
> There was wrong comparison (I wanted to check if option is not None and
> then compare it to 'HOSTNAME' but brain short-circuited). My bad.
... and one more update, to get common style for comparisons.

--
/ Alexander Bokovoy
-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: freeipa-abbra-0008-4-ticket-1368.patch
URL:

From mkosek at redhat.com Fri Jul 29 14:29:31 2011
From: mkosek at redhat.com (Martin Kosek)
Date: Fri, 29 Jul 2011 16:29:31 +0200
Subject: [Freeipa-devel] [PATCH] 0008 Modify /etc/sysconfig/network on a client when IPA manages hostname
In-Reply-To: <4E32BE6B.5050404@redhat.com>
References: <4E32726F.60500@redhat.com> <1311930065.2582.9.camel@dhcp-25-52.brq.redhat.com> <4E327B82.1060703@redhat.com> <4E328164.1030508@redhat.com> <1311936777.2582.17.camel@dhcp-25-52.brq.redhat.com> <4E329F52.6070501@redhat.com> <4E32B015.3000402@redhat.com> <1311945912.2582.33.camel@dhcp-25-52.brq.redhat.com> <4E32BE6B.5050404@redhat.com>
Message-ID: <1311949773.2582.36.camel@dhcp-25-52.brq.redhat.com>

On Fri, 2011-07-29 at 17:06 +0300, Alexander Bokovoy wrote:
> On 29.07.2011 16:25, Martin Kosek wrote:
> > On Fri, 2011-07-29 at 16:05 +0300, Alexander Bokovoy wrote:
> >> On 29.07.2011 14:53, Alexander Bokovoy wrote:
> >>> On 29.07.2011 13:52, Martin Kosek wrote:
> >>>>>> Oh, this is not informative at all. I'll get this updated.
> >>>>> Updated patch attached.
> >>>> Ok, hostname is properly changed now. I still have some issues:
> >> Updated again to use more reliable regexp for parsing. Thanks to
> >> ConfParse project for inspiration
> >> (http://code.google.com/p/confparse/source/browse/trunk/confparse.py)
> >>
> >
> > Hm, the new regex looks robust.
> >
> > 1) But it didn't find hostname in my case:
> There was wrong comparison (I wanted to check if option is not None and
> then compare it to 'HOSTNAME' but brain short-circuited). My bad.
>
> > # ipa-client-install --server=vm-059.idm.lab.bos.redhat.com
> > --domain=idm.lab.bos.redhat.com --hostname=foo.idm.lab.bos.redhat.com
> > ...
> > Client configuration complete.
> >
> > No sysrestore.state was created, i.e. no hostname was backup-ed.
> >
> > # ls /var/lib/ipa-client/sysrestore/
> > 688988a01b73872d-network d35eec0a8128e435-krb5.conf
> > eada0d7ba116bfd7-sssd.conf
> > 9cf989cb60307725-ntp.conf e4d8b217dfce5043-ntpd sysrestore.index
> >
> > IPA client then failed with an exception because we didn't have the
> > hostname:
> >
> > # ipa-client-install --uninstall --unattended
> > Unenrolling client from IPA server
> > Removing Kerberos service principals from /etc/krb5.keytab
> > Disabling client Kerberos and LDAP configurations
> > Restoring client configuration files
> > Traceback (most recent call last):
> >   File "/usr/sbin/ipa-client-install", line 1071, in
> >     sys.exit(main())
> >   File "/usr/sbin/ipa-client-install", line 737, in main
> >     return uninstall(options, env)
> >   File "/usr/sbin/ipa-client-install", line 245, in uninstall
> >     ipautil.run(['/bin/hostname', old_hostname])
> >   File "/usr/lib/python2.7/site-packages/ipapython/ipautil.py", line 218, in run
> >     close_fds=True, env=env)
> >   File "/usr/lib64/python2.7/subprocess.py", line 672, in __init__
> >     errread, errwrite)
> >   File "/usr/lib64/python2.7/subprocess.py", line 1202, in _execute_child
> >     raise child_exception
> > TypeError: coercing to Unicode: need string or buffer, NoneType found
> >
> > There should be a check that if we don't have the hostname, we don't
> > restore it.
> Added both checks (it was there in uninstall but checking hostname
> instead of old_hostname).
>

ACK. Before pushing, I just replaced constructs like "not var is None" with "var is not None" - it's more pythonic.

Pushed to master.

Martin

From edewata at redhat.com Fri Jul 29 14:43:19 2011
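The /etc/sysconfig/network handling this thread converged on (regex-based HOSTNAME lookup, backing up the old value before replacing it, and refusing to run the restore when nothing was backed up), as an added Python 3 example that is not the patch's or FreeIPA's code; the function names, the `state` dict standing in for sysrestore.state, and the sample file body are all constructed for the illustration.

```python
import re

# Constructed sample of /etc/sysconfig/network, modelled on the file
# quoted in the thread. Not taken from a real client.
SAMPLE_NETWORK = (
    "NETWORKING=yes\n"
    "HOSTNAME=vm-131.idm.lab.bos.redhat.com\n"
)

# Sysconfig assignments: KEY=value, KEY="value" or KEY='value', with an
# optional trailing comment. Constructed regex, not the one in the patch.
ASSIGN_RE = re.compile(
    r'^\s*(?P<key>[A-Za-z_][A-Za-z0-9_]*)\s*=\s*'
    r'(?:"(?P<dq>[^"]*)"|\'(?P<sq>[^\']*)\'|(?P<bare>[^#\s]*))'
    r'\s*(?:#.*)?$'
)


def parse_sysconfig(text):
    """Map KEY -> value for every assignment line; comments and blanks are skipped."""
    values = {}
    for line in text.splitlines():
        m = ASSIGN_RE.match(line)
        if m is None:
            continue
        for group in ('dq', 'sq', 'bare'):
            if m.group(group) is not None:
                values[m.group('key')] = m.group(group)
                break
    return values


def find_hostname(text):
    """Return HOSTNAME from a sysconfig body, or None if it is absent or empty.

    Written as an explicit 'is not None' check, the form the thread settled
    on, so a file without HOSTNAME reports None rather than a false hit.
    """
    hostname = parse_sysconfig(text).get('HOSTNAME')
    if hostname is not None and hostname != '':
        return hostname
    return None


def set_hostname(text, new_hostname):
    """Rewrite the HOSTNAME= line in place, or append one when the file has none."""
    lines = text.splitlines()
    replaced = False
    for i, line in enumerate(lines):
        m = ASSIGN_RE.match(line)
        if m is not None and m.group('key') == 'HOSTNAME':
            lines[i] = 'HOSTNAME=%s' % new_hostname
            replaced = True
    if not replaced:
        lines.append('HOSTNAME=%s' % new_hostname)
    return '\n'.join(lines) + '\n'


def backup_and_replace_hostname(text, new_hostname, state):
    """Record the previous HOSTNAME in `state` (a dict standing in for
    sysrestore.state) and return the rewritten file body.

    When the file carries no hostname nothing is recorded, which is the
    situation uninstall has to tolerate later.
    """
    old_hostname = find_hostname(text)
    if old_hostname is not None:
        state['network'] = {'hostname': old_hostname}
    return set_hostname(text, new_hostname)


def restore_hostname_command(state):
    """argv that puts the old hostname back, or None when nothing was backed up.

    Building ['/bin/hostname', None] is what produced the TypeError in the
    uninstall traceback; checking old_hostname first avoids it.
    """
    old_hostname = state.get('network', {}).get('hostname')
    if old_hostname is None:
        return None
    return ['/bin/hostname', old_hostname]


if __name__ == '__main__':
    state = {}
    updated = backup_and_replace_hostname(
        SAMPLE_NETWORK, 'foo.idm.lab.bos.redhat.com', state)
    print(updated, end='')
    print(restore_hostname_command(state))
```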
From: edewata at redhat.com (Endi Sukma Dewata)
Date: Fri, 29 Jul 2011 09:43:19 -0500
Subject: [Freeipa-devel] [PATCH] 0282-use-other_entity-for-adder-columns
In-Reply-To: <4E321B3F.9030107@redhat.com>
References: <4E321B3F.9030107@redhat.com>
Message-ID: <4E32C707.8040307@redhat.com>

On 7/28/2011 9:30 PM, Adam Young wrote:
> ACK and pushed to master.

--
Endi S. Dewata

From ayoung at redhat.com Fri Jul 29 14:58:05 2011
From: ayoung at redhat.com (Adam Young)
Date: Fri, 29 Jul 2011 10:58:05 -0400
Subject: [Freeipa-devel] [PATCH] 002 Fixed adding host without DNS reverse zone
In-Reply-To: <1311771699.2079.6.camel@dhcp-25-197.brq.redhat.com>
References: <1311679630.2338.61.camel@dhcp-25-197.brq.redhat.com> <4E2F4932.3080409@redhat.com> <4E2F6A96.706@redhat.com> <1311771699.2079.6.camel@dhcp-25-197.brq.redhat.com>
Message-ID: <4E32CA7D.9090909@redhat.com>

Due to my recent huge patch, version -1 patch will not apply. I had to rebase by hand.

Please confirm that it still works as intended.

On 07/27/2011 09:01 AM, Petr Vobornik wrote:
> On Tue, 2011-07-26 at 21:32 -0400, Adam Young wrote:
>> On 07/26/2011 07:09 PM, Endi Sukma Dewata wrote:
>>> On 7/26/2011 6:27 AM, Petr Vobornik wrote:
>>>> Fixed adding host without DNS reverse zone
>>>>
>>>> https://fedorahosted.org/freeipa/ticket/1481
>>>>
>>>> Shows status dialog instead of error dialog (error 4304 is treated like success).
>>>>
>>>> This patch is fixing the problem, but maybe in a wrong way.
>>>>
>>>> Main problem was that error has to be treated like success. This decision is done in command.execute() method.
>>>>
>>>> There are two ways to do it
>>>> 1) Interrupt error handling - transform error to success
>>>> 2) Interrupt success handling - don't let success to be transformed into error.
>>>>
>>>> Solution is using the second option. But I think first option is better. But there are obstacles:
>>>> - handling is done in private function (for me ipa.js line ~ 290)
>>>> - there is an extend point - setting on_error method. Problem is that this method is executed only if command.retry is false (default is true). Setting it to false will disable usage of error dialog (which is private function). So I would lose functionality for normal errors. Reordering these lines isn't an option because it would affect a lot of code.
>>>> - one way would be to extract code for error dialog and make it a regular reusable dialog (with command as parameter). This way it can be used in custom error handler.
>>>>
>>>> Is it ACKable, or is it better to do it as described?
>>>>
>>>> Petr
>>> Hi Petr,
>>>
>>> The new is_custom_success and on_custom_success attributes in IPA.command somehow compete with the original on_success because they serve a similar purpose. I think it's better to make the default error dialog in IPA.command public so it can be used by other code as well.
>>>
>>> We have a global variable IPA.error_dialog which stores the DOM element for the error dialog. I think we can convert it into a global object which you can open/close to show the default error dialog. The original DOM element can be stored in a 'container' attribute in that object.
>>>
>>> In other words, convert dialog_open() into IPA.error_dialog.open(), move the original IPA.error_dialog into IPA.error_dialog.container. Set retry to false when invoking IPA.command, then specify an error handler which will catch error 4304. For other errors you'll display the default error dialog.
>>>
>>> There are also some warnings about trailing whitespaces when applying the patch. You can remove them by adding the --whitespace=fix option when applying the patch with git am.
>>>
>> On the whitespace issue, if you are an emacs person, there is a command: alt-x whitespace-cleanup that you should run on a file after you make changes.
>>
>> I have
>> '(show-trailing-whitespace t))
>> in my .emacs file, which shows all whitespace as red...which properly motivates you to clean it up as soon as possible. I'm not sure of the comparable vi settings, but I know they exist.
>>
>> _______________________________________________
>> Freeipa-devel mailing list
>> Freeipa-devel at redhat.com
>> https://www.redhat.com/mailman/listinfo/freeipa-devel
> Reworked.
>
> -Refactored error dialog.
> -Changed context of calling command.on_success and command.on_error methods from $.ajax's object to command.
> -Added generic message dialog (IPA.message_dialog) (not changed from previous)
>
> Should be without trailing whitespaces. :)
>
> Petr

-------------- next part --------------
An HTML attachment was scrubbed...
URL:
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-pvoborni-0002-2-Fixed-adding-host-without-DNS-reverse-zone.patch
Type: text/x-patch
Size: 2024 bytes
Desc: not available
URL:

From ayoung at redhat.com Fri Jul 29 15:00:13 2011
From: ayoung at redhat.com (Adam Young)
Date: Fri, 29 Jul 2011 11:00:13 -0400
Subject: [Freeipa-devel] [PATCH] 002 Fixed adding host without DNS reverse zone
In-Reply-To: <4E32CA7D.9090909@redhat.com>
References: <1311679630.2338.61.camel@dhcp-25-197.brq.redhat.com> <4E2F4932.3080409@redhat.com> <4E2F6A96.706@redhat.com> <1311771699.2079.6.camel@dhcp-25-197.brq.redhat.com> <4E32CA7D.9090909@redhat.com>
Message-ID: <4E32CAFD.2030009@redhat.com>

On 07/29/2011 10:58 AM, Adam Young wrote:
> Due to my recent huge patch, version -1 patch will not apply. I had
> to rebase by hand.
>
> Please confirm that it still works as intended.

Missed a few files in my commit.

-------------- next part --------------
An HTML attachment was scrubbed...
URL:
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-pvoborni-0002-3-Fixed-adding-host-without-DNS-reverse-zone.patch
Type: text/x-patch
Size: 9952 bytes
Desc: not available
URL:

From rcritten at redhat.com Fri Jul 29 14:57:35 2011
From: rcritten at redhat.com (Rob Crittenden)
Date: Fri, 29 Jul 2011 10:57:35 -0400
Subject: [Freeipa-devel] [PATCH] 0004 (2) Make proper LDAP configuration reporting for ipa-cli-install
In-Reply-To: <4E32AEC8.5020707@redhat.com>
References: <4E3286C4.7000406@redhat.com> <1311937985.2582.25.camel@dhcp-25-52.brq.redhat.com> <4E32AEC8.5020707@redhat.com>
Message-ID: <4E32CA5F.6060703@redhat.com>

Alexander Bokovoy wrote:
> On 29.07.2011 14:13, Martin Kosek wrote:
>> On Fri, 2011-07-29 at 13:09 +0300, Alexander Bokovoy wrote:
>>> Hi,
>>>
>>> another attempt to refine error/configuration reporting when configuring
>>> means to access LDAP on a client. Previous one tried to use rpm to find
>>> out package name but this approach is avoiding package names. Instead,
>>> it tries to tell configuration file.
>>>
>>> Ticket https://fedorahosted.org/freeipa/ticket/1369
>>
>> NACK.
>>
>> 1) Return info from LDAP config functions gets overwritten:
>>
>>     if not options.sssd:
>>         (retcode, conf, filename) = configure_ldap_conf(fstore, cli_basedn, cli_realm, cli_domain, cli_server, dnsok, options)
>>         if retcode:
>>             return 1
>>         (retcode, conf, filename) = configure_nslcd_conf(fstore, cli_basedn, cli_realm, cli_domain, cli_server, dnsok, options)
>>         if retcode:
>>             return 1
>>
>> Only one function will do the real configuration, in my case it was the
>> configure_ldap_conf (nslcd was not installed). Due to the overwrite, my
>> ipa-client-install reported invalid information:
> Yes, fixed.
>
>> # ipa-client-install --server=vm-059.idm.lab.bos.redhat.com --domain=idm.lab.bos.redhat.com --no-sssd
>> ...
>> LDAP enabled
>> Kerberos 5 enabled
>> NSLCD configured using configuration file /etc/nslcd.conf   <<<<
>> Unable to use DNS discovery! Recognized configuration: NSLCD
>> Changing configuration of /etc/ldap.conf to use hardcoded server name: vm-059.idm.lab.bos.redhat.com
>> NTP enabled
>> Client configuration complete.
>>
>> We need to indicate in the return triple that the service was not
>> configured so that we output correct information.
> I did this now by returning None: return (0, None, None).
>
>> 2) Returning tuple instead of triple (will raise exception when used):
>>
>> -        return 1
>> +        return (1, 'nslcd')
>>
>> Plus, NSLCD is referred in upper case in other return statements.
> Fixed.
>
> Version 3 attached.

nack, we shouldn't reference /etc/ldap.conf directly because this file may not actually exist or be used. nslcd uses /etc/nslcd.conf, for example.

We would need to collect the files that get updated and display them all, I guess. Or stick with the generic message.

rob

From jhrozek at redhat.com Fri Jul 29 15:02:49 2011
From: jhrozek at redhat.com (Jakub Hrozek)
Date: Fri, 29 Jul 2011 17:02:49 +0200
Subject: [Freeipa-devel] [PATCH] 067 Silence a compilation warning in ipa_kpasswd
In-Reply-To: <1311252799.17378.45.camel@dhcp-25-52.brq.redhat.com>
References: <4E26EFF2.6010609@redhat.com> <4E281E2C.4030505@redhat.com> <1311252799.17378.45.camel@dhcp-25-52.brq.redhat.com>
Message-ID: <4E32CB99.8020107@redhat.com>

On 07/21/2011 02:53 PM, Martin Kosek wrote:
> On Thu, 2011-07-21 at 14:40 +0200, Jan Cholasta wrote:
>> On 20.7.2011 17:10, Jakub Hrozek wrote:
>>> I was playing with ipa_kpasswd (long story short - I needed it running
>>> on a non-standard port) and I noticed there was a compilation warning -
>>> rtag was set but never checked.
>>>
>>> Also removes one unused #define.
>>>
>>
>> Found just a minor issue: you use spaces for indentation, but the rest
>> of the file uses tabs.
>>
>> Honza
>>
>
> To put my 2 cents in - I don't like throwing the same error message in
> more places.
>
> When it really ends with this message we wouldn't know the exact spot
> with the error. IMO it would make the following investigation simpler if
> we fix this.
>
> Martin
>

A new patch is attached.

-------------- next part --------------
A non-text attachment was scrubbed...
Name: jhrozek-freeipa-067-02-kpasswd-warnings.patch
Type: text/x-patch
Size: 2235 bytes
Desc: not available
URL:
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 262 bytes
Desc: OpenPGP digital signature
URL:

From mkosek at redhat.com Fri Jul 29 15:02:24 2011
From: mkosek at redhat.com (Martin Kosek)
Date: Fri, 29 Jul 2011 17:02:24 +0200
Subject: [Freeipa-devel] [PATCH] 0004 (2) Make proper LDAP configuration reporting for ipa-cli-install
In-Reply-To: <4E32AEC8.5020707@redhat.com>
References: <4E3286C4.7000406@redhat.com> <1311937985.2582.25.camel@dhcp-25-52.brq.redhat.com> <4E32AEC8.5020707@redhat.com>
Message-ID: <1311951747.2582.41.camel@dhcp-25-52.brq.redhat.com>

On Fri, 2011-07-29 at 15:59 +0300, Alexander Bokovoy wrote:
> On 29.07.2011 14:13, Martin Kosek wrote:
> > On Fri, 2011-07-29 at 13:09 +0300, Alexander Bokovoy wrote:
> >> Hi,
> >>
> >> another attempt to refine error/configuration reporting when configuring
> >> means to access LDAP on a client. Previous one tried to use rpm to find
> >> out package name but this approach is avoiding package names. Instead,
> >> it tries to tell configuration file.
> >>
> >> Ticket https://fedorahosted.org/freeipa/ticket/1369
> >
> > NACK.
> >
> > 1) Return info from LDAP config functions gets overwritten:
> >
> >     if not options.sssd:
> >         (retcode, conf, filename) = configure_ldap_conf(fstore, cli_basedn, cli_realm, cli_domain, cli_server, dnsok, options)
> >         if retcode:
> >             return 1
> >         (retcode, conf, filename) = configure_nslcd_conf(fstore, cli_basedn, cli_realm, cli_domain, cli_server, dnsok, options)
> >         if retcode:
> >             return 1
> >
> > Only one function will do the real configuration, in my case it was the
> > configure_ldap_conf (nslcd was not installed). Due to the overwrite, my
> > ipa-client-install reported invalid information:
> Yes, fixed.
>
> > # ipa-client-install --server=vm-059.idm.lab.bos.redhat.com --domain=idm.lab.bos.redhat.com --no-sssd
> > ...
> > LDAP enabled
> > Kerberos 5 enabled
> > NSLCD configured using configuration file /etc/nslcd.conf   <<<<
> > Unable to use DNS discovery! Recognized configuration: NSLCD
> > Changing configuration of /etc/ldap.conf to use hardcoded server name: vm-059.idm.lab.bos.redhat.com
> > NTP enabled
> > Client configuration complete.
> >
> > We need to indicate in the return triple that the service was not
> > configured so that we output correct information.
> I did this now by returning None: return (0, None, None).
>
> > 2) Returning tuple instead of triple (will raise exception when used):
> >
> > -        return 1
> > +        return (1, 'nslcd')
> >
> > Plus, NSLCD is referred in upper case in other return statements.
> Fixed.
>
> Version 3 attached.

Getting closer, but still not there (although I really like your "for configurer in ..." construct):

# ipa-client-install --server=vm-059.idm.lab.bos.redhat.com --domain=idm.lab.bos.redhat.com --no-sssd
...
LDAP enabled
Kerberos 5 enabled
LDAP configured using configuration file /etc/ldap.conf
Unable to use DNS discovery! Recognized configuration: None   <<<<<<<<
Changing configuration of /etc/ldap.conf to use hardcoded server name: vm-059.idm.lab.bos.redhat.com
NTP enabled
Client configuration complete.

Martin

From rcritten at redhat.com Fri Jul 29 15:09:24 2011
From: rcritten at redhat.com (Rob Crittenden)
Date: Fri, 29 Jul 2011 11:09:24 -0400
Subject: [Freeipa-devel] [PATCH] 0004 (2) Make proper LDAP configuration reporting for ipa-cli-install
In-Reply-To: <1311951747.2582.41.camel@dhcp-25-52.brq.redhat.com>
References: <4E3286C4.7000406@redhat.com> <1311937985.2582.25.camel@dhcp-25-52.brq.redhat.com> <4E32AEC8.5020707@redhat.com> <1311951747.2582.41.camel@dhcp-25-52.brq.redhat.com>
Message-ID: <4E32CD24.5040008@redhat.com>

Martin Kosek wrote:
> On Fri, 2011-07-29 at 15:59 +0300, Alexander Bokovoy wrote:
>> On 29.07.2011 14:13, Martin Kosek wrote:
>>> On Fri, 2011-07-29 at 13:09 +0300, Alexander Bokovoy wrote:
>>>> Hi,
>>>>
>>>> another attempt to refine error/configuration reporting when configuring
>>>> means to access LDAP on a client. Previous one tried to use rpm to find
>>>> out package name but this approach is avoiding package names. Instead,
>>>> it tries to tell configuration file.
>>>>
>>>> Ticket https://fedorahosted.org/freeipa/ticket/1369
>>>
>>> NACK.
>>>
>>> 1) Return info from LDAP config functions gets overwritten:
>>>
>>>     if not options.sssd:
>>>         (retcode, conf, filename) = configure_ldap_conf(fstore, cli_basedn, cli_realm, cli_domain, cli_server, dnsok, options)
>>>         if retcode:
>>>             return 1
>>>         (retcode, conf, filename) = configure_nslcd_conf(fstore, cli_basedn, cli_realm, cli_domain, cli_server, dnsok, options)
>>>         if retcode:
>>>             return 1
>>>
>>> Only one function will do the real configuration, in my case it was the
>>> configure_ldap_conf (nslcd was not installed). Due to the overwrite, my
>>> ipa-client-install reported invalid information:
>> Yes, fixed.
>>
>>> # ipa-client-install --server=vm-059.idm.lab.bos.redhat.com --domain=idm.lab.bos.redhat.com --no-sssd
>>> ...
>>> LDAP enabled
>>> Kerberos 5 enabled
>>> NSLCD configured using configuration file /etc/nslcd.conf   <<<<
>>> Unable to use DNS discovery! Recognized configuration: NSLCD
>>> Changing configuration of /etc/ldap.conf to use hardcoded server name: vm-059.idm.lab.bos.redhat.com
>>> NTP enabled
>>> Client configuration complete.
>>>
>>> We need to indicate in the return triple that the service was not
>>> configured so that we output correct information.
>> I did this now by returning None: return (0, None, None).
>>
>>> 2) Returning tuple instead of triple (will raise exception when used):
>>>
>>> -        return 1
>>> +        return (1, 'nslcd')
>>>
>>> Plus, NSLCD is referred in upper case in other return statements.
>> Fixed.
>>
>> Version 3 attached.
>
> Getting closer, but still not there (although I really like your "for
> configurer in ..." construct):
>
> # ipa-client-install --server=vm-059.idm.lab.bos.redhat.com
> --domain=idm.lab.bos.redhat.com --no-sssd
> ...
> LDAP enabled
> Kerberos 5 enabled
> LDAP configured using configuration file /etc/ldap.conf
> Unable to use DNS discovery! Recognized configuration: None   <<<<<<<<
> Changing configuration of /etc/ldap.conf to use hardcoded server name:
> vm-059.idm.lab.bos.redhat.com
> NTP enabled
> Client configuration complete.
>
> Martin

Backtrace on sssd-based install:

# ipa-client-install --server=panther.greyoak.com --domain=greyoak.com --realm=GREYOAK.COM -p admin
DNS domain 'greyoak.com' is not configured for automatic KDC address lookup.
KDC address will be set to fixed value.

Discovery was successful!
  Hostname: slinky.greyoak.com
  Realm: GREYOAK.COM
  DNS Domain: greyoak.com
  IPA Server: panther.greyoak.com
  BaseDN: dc=greyoak,dc=com

Continue to configure the system with these values? [no]: y
Password for admin at GREYOAK.COM:

Enrolled in IPA realm GREYOAK.COM
Created /etc/ipa/default.conf
Configured /etc/sssd/sssd.conf
Configured /etc/krb5.conf for IPA realm GREYOAK.COM
SSSD enabled
Kerberos 5 enabled
Traceback (most recent call last):
  File "/usr/sbin/ipa-client-install", line 1079, in
    sys.exit(main())
  File "/usr/sbin/ipa-client-install", line 1054, in main
    print "Unable to use DNS discovery! Recognized configuration: %s" % (conf)
UnboundLocalError: local variable 'conf' referenced before assignment

From abokovoy at redhat.com Fri Jul 29 15:35:58 2011
From: abokovoy at redhat.com (Alexander Bokovoy)
Date: Fri, 29 Jul 2011 18:35:58 +0300
Subject: [Freeipa-devel] [PATCH] 0004 (2) Make proper LDAP configuration reporting for ipa-cli-install
In-Reply-To: <4E32CD24.5040008@redhat.com>
References: <4E3286C4.7000406@redhat.com> <1311937985.2582.25.camel@dhcp-25-52.brq.redhat.com> <4E32AEC8.5020707@redhat.com> <1311951747.2582.41.camel@dhcp-25-52.brq.redhat.com> <4E32CD24.5040008@redhat.com>
Message-ID: <4E32D35E.8060703@redhat.com>

On 29.07.2011 18:09, Rob Crittenden wrote:
> Backtrace on sssd-based install:
>
> # ipa-client-install --server=panther.greyoak.com --domain=greyoak.com
> --realm=GREYOAK.COM -p admin
> DNS domain 'greyoak.com' is not configured for automatic KDC address
> lookup.
> KDC address will be set to fixed value.
>
> Discovery was successful!
>   Hostname: slinky.greyoak.com
>   Realm: GREYOAK.COM
>   DNS Domain: greyoak.com
>   IPA Server: panther.greyoak.com
>   BaseDN: dc=greyoak,dc=com
>
>
> Continue to configure the system with these values? [no]: y
> Password for admin at GREYOAK.COM:
>
> Enrolled in IPA realm GREYOAK.COM
> Created /etc/ipa/default.conf
> Configured /etc/sssd/sssd.conf
> Configured /etc/krb5.conf for IPA realm GREYOAK.COM
> SSSD enabled
> Kerberos 5 enabled
> Traceback (most recent call last):
>   File "/usr/sbin/ipa-client-install", line 1079, in
>     sys.exit(main())
>   File "/usr/sbin/ipa-client-install", line 1054, in main
>     print "Unable to use DNS discovery! Recognized configuration: %s" %
> (conf)
> UnboundLocalError: local variable 'conf' referenced before assignment
Yes. Fixed that.

What we also want to show is that after all effort to configure LDAP, DNS, etc, we are unable to find user admin. I have changed the printed statements to be clear. So in case we are unable to find admin, we'll print:

----------------
Unable to find 'admin' user with 'getent passwd admin'!
----------------

If we know what we were working with (SSSD, NSLCD, or LDAP), we'll also print:

----------------
Recognized configuration: (one of SSSD, NSLCD, LDAP)
----------------

otherwise it will show the following statement:

----------------
No recognized configuration, please check manually NSS setup
----------------

and will try to hardcode LDAP server in /etc/ldap.conf if that exists. If the latter attempt succeeds, user will see:

----------------
Changed configuration of /etc/ldap.conf to use hardcoded server name: (name of server)
----------------

I think it is at most what we can do without referencing hardcoded config files directly (except for /etc/ldap.conf) in 2.1. Ideally, all this code for configuring specific services should go into platform-specific backend and be re-used from there but that is something for 2.1.1 as it would need my cross-platform enablers which are too big for 2.1.

--
/ Alexander Bokovoy
-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: freeipa-abbra-0004-4-ticket-1369.patch
URL:

From dpal at redhat.com Fri Jul 29 15:45:38 2011
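The review points in this thread (a later `(0, None, None)` result overwriting the real one, `conf` being unbound on the SSSD path, and Rob's suggestion to collect every file that actually got updated), as an added Python 3 example that is not the patch's or FreeIPA's code; the `configure_*` functions here are constructed stand-ins driven by a set of "installed" config file paths, and the report wording follows the messages quoted in the thread.

```python
# Constructed stand-ins for the patch's configure_*_conf() functions. Each
# returns the (retcode, conf, filename) triple discussed in the thread;
# (0, None, None) means "nothing for me to configure on this client".
# `installed` is a constructed set of config files present on the client.

def configure_ldap_conf(installed):
    if '/etc/ldap.conf' not in installed:
        return (0, None, None)
    return (0, 'LDAP', '/etc/ldap.conf')


def configure_nslcd_conf(installed):
    if '/etc/nslcd.conf' not in installed:
        return (0, None, None)
    return (0, 'NSLCD', '/etc/nslcd.conf')


def configure_sssd_conf(installed):
    if '/etc/sssd/sssd.conf' not in installed:
        return (1, None, None)   # SSSD was requested but is unavailable
    return (0, 'SSSD', '/etc/sssd/sssd.conf')


def configure_nss(installed, use_sssd=True):
    """Run the applicable configurers and return (retcode, configured), where
    configured lists (conf, filename) for every configurer that did work.

    Two points from the review are handled: a later (0, None, None) result
    no longer overwrites an earlier real one, because only non-None results
    are recorded; and `configured` is bound before either branch, so the
    SSSD path cannot raise UnboundLocalError when the caller reports it.
    """
    configured = []
    if use_sssd:
        configurers = [configure_sssd_conf]
    else:
        configurers = [configure_ldap_conf, configure_nslcd_conf]
    for configurer in configurers:
        retcode, conf, filename = configurer(installed)
        if retcode:
            return (retcode, configured)
        if conf is not None:
            configured.append((conf, filename))
    return (0, configured)


def recognized_configuration(configured):
    """Text for the 'Recognized configuration' line.

    Listing every configured backend with its file (rather than one name)
    is the direction Rob suggested; the empty-case wording is the one
    Alexander settled on later in the thread.
    """
    if not configured:
        return 'Unable to reliably detect configuration. Check NSS setup manually.'
    return 'Recognized configuration: ' + ', '.join(
        '%s (%s)' % (conf, filename) for conf, filename in configured)


if __name__ == '__main__':
    # Martin's --no-sssd client: only /etc/ldap.conf exists, nslcd absent.
    retcode, configured = configure_nss({'/etc/ldap.conf'}, use_sssd=False)
    print(retcode, recognized_configuration(configured))
    # Rob's SSSD-based client.
    retcode, configured = configure_nss({'/etc/sssd/sssd.conf'})
    print(retcode, recognized_configuration(configured))
```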
From: dpal at redhat.com (Dmitri Pal)
Date: Fri, 29 Jul 2011 11:45:38 -0400
Subject: [Freeipa-devel] [PATCH] 0004 (2) Make proper LDAP configuration reporting for ipa-cli-install
In-Reply-To: <4E32D35E.8060703@redhat.com>
References: <4E3286C4.7000406@redhat.com> <1311937985.2582.25.camel@dhcp-25-52.brq.redhat.com> <4E32AEC8.5020707@redhat.com> <1311951747.2582.41.camel@dhcp-25-52.brq.redhat.com> <4E32CD24.5040008@redhat.com> <4E32D35E.8060703@redhat.com>
Message-ID: <4E32D5A2.70307@redhat.com>

On 07/29/2011 11:35 AM, Alexander Bokovoy wrote:
> ----------------
> No recognized configuration, please check manually NSS setup
> ----------------

Maybe reword:

"Unknown configuration, please check NSS setup manually"

But some time ago, somewhere, some person from doc told me not to use "please" in any error messages, man pages or help. I do not know whether this is relevant or not but should we avoid using "please"?

So how about:

"Unknown configuration, check NSS setup manually"

or

"Detected unknown configuration, check NSS setup manually"

--
Thank you,
Dmitri Pal

Sr. Engineering Manager IPA project,
Red Hat Inc.

-------------------------------
Looking to carve out IT costs?
www.redhat.com/carveoutcosts/

From abokovoy at redhat.com Fri Jul 29 15:54:25 2011
From: abokovoy at redhat.com (Alexander Bokovoy)
Date: Fri, 29 Jul 2011 18:54:25 +0300
Subject: [Freeipa-devel] [PATCH] 0004 (2) Make proper LDAP configuration reporting for ipa-cli-install
In-Reply-To: <4E32D5A2.70307@redhat.com>
References: <4E3286C4.7000406@redhat.com> <1311937985.2582.25.camel@dhcp-25-52.brq.redhat.com> <4E32AEC8.5020707@redhat.com> <1311951747.2582.41.camel@dhcp-25-52.brq.redhat.com> <4E32CD24.5040008@redhat.com> <4E32D35E.8060703@redhat.com> <4E32D5A2.70307@redhat.com>
Message-ID: <4E32D7B1.9070207@redhat.com>

On 29.07.2011 18:45, Dmitri Pal wrote:
> On 07/29/2011 11:35 AM, Alexander Bokovoy wrote:
>> ----------------
>> No recognized configuration, please check manually NSS setup
>> ----------------
> Maybe reword:
>
> "Unknown configuration, please check NSS setup manually"
>
> But some time ago, somewhere, some person from doc told me not to use "please" in any error messages, man pages or help.
> I do not know whether this is relevant or not but should we avoid using "please"?
>
> So how about:
>
> "Unknown configuration, check NSS setup manually"

Thought about it and I think this would be better:

------------
Unable to reliably detect configuration. Check NSS setup manually.
------------

> or
>
> "Detected unknown configuration, check NSS setup manually"

I decided to remove all 'please' (there are plenty!). Hopefully, this will not make installing IPA on a client a less pleasing process.

--
/ Alexander Bokovoy
-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: freeipa-abbra-0004-5-ticket-1369.patch
URL:

From pvoborni at redhat.com Fri Jul 29 16:12:49 2011
From: pvoborni at redhat.com (Petr Vobornik)
Date: Fri, 29 Jul 2011 18:12:49 +0200
Subject: [Freeipa-devel] [PATCH] 002 Fixed adding host without DNS reverse zone
In-Reply-To: <4E32CAFD.2030009@redhat.com>
References: <1311679630.2338.61.camel@dhcp-25-197.brq.redhat.com> <4E2F4932.3080409@redhat.com> <4E2F6A96.706@redhat.com> <1311771699.2079.6.camel@dhcp-25-197.brq.redhat.com> <4E32CA7D.9090909@redhat.com> <4E32CAFD.2030009@redhat.com>
Message-ID: <1311955971.10002.11.camel@dhcp-25-197.brq.redhat.com>

There was a small error in add.js:162. Fixed!

On Fri, 2011-07-29 at 11:00 -0400, Adam Young wrote:
> On 07/29/2011 10:58 AM, Adam Young wrote:
> > Due to my recent huge patch, version -1 patch will not apply. I
> > had to rebase by hand.
> >
> > Please confirm that it still works as intended.
> >
> Missed a few files in my commit.
> _______________________________________________
> Freeipa-devel mailing list
> Freeipa-devel at redhat.com
> https://www.redhat.com/mailman/listinfo/freeipa-devel

-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-pvoborni-0002-4-Fixed-adding-host-without-DNS-reverse-zone.patch
Type: text/x-patch
Size: 10365 bytes
Desc: not available
URL:

From rcritten at redhat.com Fri Jul 29 16:26:04 2011
From: rcritten at redhat.com (Rob Crittenden)
Date: Fri, 29 Jul 2011 12:26:04 -0400
Subject: [Freeipa-devel] [PATCH] 0004 (2) Make proper LDAP configuration reporting for ipa-cli-install
In-Reply-To: <4E32D7B1.9070207@redhat.com>
References: <4E3286C4.7000406@redhat.com> <1311937985.2582.25.camel@dhcp-25-52.brq.redhat.com> <4E32AEC8.5020707@redhat.com> <1311951747.2582.41.camel@dhcp-25-52.brq.redhat.com> <4E32CD24.5040008@redhat.com> <4E32D35E.8060703@redhat.com> <4E32D5A2.70307@redhat.com> <4E32D7B1.9070207@redhat.com>
Message-ID: <4E32DF1C.7000201@redhat.com>

Alexander Bokovoy wrote:
> On 29.07.2011 18:45, Dmitri Pal wrote:
>> On 07/29/2011 11:35 AM, Alexander Bokovoy wrote:
>>> ----------------
>>> No recognized configuration, please check manually NSS setup
>>> ----------------
>> Maybe reword:
>>
>> "Unknown configuration, please check NSS setup manually"
>>
>> But some time ago, somewhere, some person from doc told me not to use "please" in any error messages, man pages or help.
>> I do not know whether this is relevant or not but should we avoid using "please"?
>>
>> So how about:
>>
>> "Unknown configuration, check NSS setup manually"
> Thought about it and I think this would be better:
>
> ------------
> Unable to reliably detect configuration. Check NSS setup manually.
> ------------
>
>> or
>>
>> "Detected unknown configuration, check NSS setup manually"
> I decided to remove all 'please' (there are plenty!). Hopefully, this
> will not make installing IPA on a client a less pleasing process.

ack, pushed to master

rob

From edewata at redhat.com Fri Jul 29 17:11:56 2011
From: edewata at redhat.com (Endi Sukma Dewata)
Date: Fri, 29 Jul 2011 12:11:56 -0500
Subject: [Freeipa-devel] [PATCH] 002 Fixed adding host without DNS reverse zone
In-Reply-To: <1311955971.10002.11.camel@dhcp-25-197.brq.redhat.com>
References: <1311679630.2338.61.camel@dhcp-25-197.brq.redhat.com> <4E2F4932.3080409@redhat.com> <4E2F6A96.706@redhat.com> <1311771699.2079.6.camel@dhcp-25-197.brq.redhat.com> <4E32CA7D.9090909@redhat.com> <4E32CAFD.2030009@redhat.com> <1311955971.10002.11.camel@dhcp-25-197.brq.redhat.com>
Message-ID: <4E32E9DC.2060609@redhat.com>

On 7/29/2011 11:12 AM, Petr Vobornik wrote:
> There was a small error in add.js:162. Fixed!

Nice job on the dialog boxes. There's a problem though: the Retry doesn't quite work. This is because the 'this' object passed to IPA.error_dialog actually points to the Ajax context instead of the IPA.command, so calling execute() on it will fail.

When the Ajax call returns, it passes a context via the 'this' object to the callback function. The object might contain some useful information which we would not be able to get any other way. The original code tries to maintain the context by passing the 'this' object along the chain using call(). Feel free to add comments in the code to clarify this.

So in dialog_open() you should pass 'that' into the 'command' parameter. You also need to pass 'this' using another parameter so you can use it to call the error handler if you click Cancel.

Also these changes should be reverted back to maintain the Ajax context:

- that.on_error.call(this, xhr, text_status, error_thrown);
+ that.on_error(xhr, text_status, error_thrown);

- that.on_success.call(this, data, text_status, xhr);
+ that.on_success(data, text_status, xhr);

The IPA.add_dialog can store the command object as an instance variable so the IPA.host_adder_dialog can refer to it from the error handler.

Another thing, in the init() you can access the spec object directly, so you don't really have to pass it as a parameter.

--
Endi S. Dewata

From JR.Aquino at citrix.com Sat Jul 30 00:54:11 2011
From: JR.Aquino at citrix.com (JR Aquino)
Date: Sat, 30 Jul 2011 00:54:11 +0000
Subject: [Freeipa-devel] [PATCH] 34 Create FreeIPA CLI Plugin for the 389 Auto Membership plugin
In-Reply-To: <0BF013EE-B1ED-4953-94ED-F3BA825CFE78@citrixonline.com>
References: <99CC5FCC-73CE-43C1-9B73-4DDD69A4637D@citrixonline.com> <1310730613.32137.22.camel@dhcp-25-52.brq.redhat.com> <4E2054E3.5060306@redhat.com> <84A3F669-CCF3-4C6C-9525-5BD4A71E6E1E@citrixonline.com> <4E26F657.8030901@redhat.com> <3D1116E1-B782-4F43-B6DA-08E8FCFC34A1@citrixonline.com> <4E279A3C.5040900@redhat.com> <328D74A5-F560-4DC6-8E5F-413AFDCCAABC@citrixonline.com> <1311246577.17378.28.camel@dhcp-25-52.brq.redhat.com> <4E28384A.708@redhat.com> <0BF013EE-B1ED-4953-94ED-F3BA825CFE78@citrixonline.com>
Message-ID: <60FB2C65-DFB4-41B4-A51F-78FE89BB1A1E@citrixonline.com>

On Jul 21, 2011, at 8:53 AM, JR Aquino wrote:
> On Jul 21, 2011, at 7:31 AM, Rob Crittenden wrote:
>
>> Martin Kosek wrote:
>>> On Thu, 2011-07-21 at 03:37 +0000, JR Aquino wrote:
>>>>>> Rob, I'm afraid I believe that ldap lookup is necessary. The user inputs a standard string to represent the possible host group? If I simply perform a get_dn it will indeed provide a dn, however, it won't verify that the host group actually exists? (you don't want to create an assignment rule for a non-existent target host group)
>>>>>>
>>>>>>
>>>>>> Martin, (except for the name Clarity), I have addressed your observations in this latest patch. Could you please have a look and let me know if there is anything else I need to take care of?
>>>>>>
>>>
>>> Great, preparing the command parameters in pre_callback is much cleaner.
>>>
>>>>>
>>>>> Good point about the LDAP lookup.
>>>>>
>>>>> This looks a lot better but there are still a few issues:
>>>>>
>>>>> If group_dn is in the object then you can use self.obj.handle_not_found(*keys) for the NotFound.
>>>>
>>>> Ok, I will give that a shot!
>>>>
>>>>>
>>>>> Or if it can't be moved, in the calls to group_dn() you can use the ldap handle passed into pre_callback.
>>>>>
>>>>> I guess you are using the includetype tuple to avoid coding long variable names everywhere? Would a symbol be better, eg:
>>>>>
>>>>> INCLUDE_RE = 'automemberinclusiveregex'
>>>>> EXCLUDE_RE = 'automemberexclusiveregex'
>>>>
>>>> That works, I'll swap em.
>>>
>>> I agree with Rob here, this will make the code better.
>>>
>>>>
>>>>> Is there a way to validate the regex?
>>>>
>>>> Now that you mention it, I believe if I import re, we should be able to validate the initial regex and raise an exception if it is bogus.
>>>>
>>>>> If we were to add an equivalent user group handler would it be the same code in add_condition and remove_condition? It is sort of nice to have everything together at the moment, I suspect it will need to be generalized at some point.
>>>>
>>>> Well. For the groups, I was thinking it starts to get a little different. I would still reuse the condition, but I believe I would pivot users into groups based upon something like their manager?
>>>>
>>>>> Adding a clarity with no rules won't let you add rules:
>>>>>
>>>>> # ipa hostgroup-add --desc=hg1 hg1
>>>>> # ipa hostgroupclarity-add hg1
>>>>> # ipa hostgroupclarity-add-condition --exclusive-hostname-regex=^web5\.example\.com hg1
>>>>> ipa: ERROR: no modifications to be performed
>>>>
>>>> This ^ is deliberate, you cannot add an exclusion rule if there is no existing or simultaneous inclusive rule. :) Martin asked for that, and I think it's wise.
>>>
>>> Yes, it is wise :-) But the error message is really not clear to the user. We should tell him that there must be at least one inclusive rule.
>>>
>>> I wonder if we shouldn't force the user to create a hostgroupclarity object with at least one inclusive rule and then make sure that in all operations at least one inclusive rule stays here. Or we could delete the empty LDAP object after the last inclusive rule is removed, as we do with DNS record LDAP objects in dnsrecord-del.
>>>
>>>>> The way you explained clarity today in IRC, how it brings clarity to managing membership with names no human can grok, I got it. Still, clarity is a bit awkward as a name. automember might be a better choice.
>>>>
>>>> Fair enough ;) I tried, perhaps I can /allude/ to it in the help / docs. automember it is.
>>>>
>>>> One final class I have been struggling with that I want to add?
>>>>
>>>> The object and attribute which defines the 'default group' is the parent of the actual rules? i.e. cn=hostgroup,cn=automember,cn=etc?
>>>>
>>>> The ipa cli seems to only want to let me make mods that assume I am specifying a target object on the cli? "ipa hostgroupautomember-default-group=foo" <- in this scenario, we don't actually want or need a rule name because it's the container above? I have had success making the writes, but the cli syntax just doesn't lend itself to that level of abstraction?
>>>>
>>>> Any suggestions?
>>>>
>>>>
>>>
>>> I think the best shot would be to create a new command and overload the execute method in that case. Like in hbacrule_enable. You would be able to set dn correctly here and do the update. Does it make sense? Rob?
>>>
>>> Martin
>>>
>>
>> I agree. We are better off abstracting things now so we can get the API right.
>>
>> I think we can stick more or less with the command names, just in a new plugin and some new arguments.
>>
>> I see the plugin with the following methods:
>>
>> Each takes a single argument, the name of the rule. I don't think I'd stick type into the DN so you wouldn't be able to use the same rule name for different object types. If we want to allow that then we'd need to add --type to a lot more commands.
>>
>> There is no mod to change types, you have to delete and re-add.
>>
>> automember-add                Add an automember rule
>>   --type=ENUM (hostgroup, group)
>>   --desc=STR                  description of this auto membership rule
>>   --inclusive-regex=LIST      Inclusive Regex
>>   --exclusive-regex=LIST      Exclusive Regex
>>
>> automember-add-condition      Add conditions to automember rule
>>   --inclusive-regex=LIST      Inclusive Regex
>>   --exclusive-regex=LIST      Exclusive Regex
>>
>> automember-del                Delete an automember rule
>>
>> automember-find               Search for automember rules
>>   --type=ENUM (hostgroup, group)
>>
>> automember-mod                Modify an automember rule.
>
> automember-default-group      Set a default group for auto membership
>   --group/hostgroup=STR
>
>>
>> automember-remove-condition   Remove conditions from an automember rule
>>   --inclusive-regex=LIST      Inclusive Regex
>>   --exclusive-regex=LIST      Exclusive Regex
>>
>> automember-show               Display an automember rule

New Patch attached. I believe I have addressed the issues highlighted in the thread.

-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-jraquino-0034-Create-FreeIPA-CLI-Plugin-for-the-389-Auto-Membershi.patch
Type: application/octet-stream
Size: 47026 bytes
Desc: freeipa-jraquino-0034-Create-FreeIPA-CLI-Plugin-for-the-389-Auto-Membershi.patch
URL:
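The condition handling the thread converges on (symbolic attribute names instead of the includetype tuple, validating each regex with `re` before it is written, and refusing to leave a rule with no inclusive regex so the user gets a clear error instead of "no modifications to be performed"), written up as an added example. This is not code from the patch or from FreeIPA; a plain dict stands in for the LDAP entry and the function and exception names are assumptions.

```python
import re

# Symbolic attribute names, as suggested in the review, instead of a tuple
INCLUDE_RE = 'automemberinclusiveregex'
EXCLUDE_RE = 'automemberexclusiveregex'

class InvalidRegex(ValueError):
    """Raised when a condition is not a valid regular expression."""

class NoInclusiveRule(ValueError):
    """Raised when an operation would leave a rule with no inclusive regex."""

def validate_regex(pattern):
    """Reject a bogus pattern before it reaches LDAP (re.compile is the check)."""
    try:
        re.compile(pattern)
    except re.error as e:
        raise InvalidRegex('%r: %s' % (pattern, e))
    return pattern

def add_condition(entry, inclusive=(), exclusive=()):
    """Add conditions to a rule and return the updated entry.

    entry is an assumed stand-in for the LDAP entry: attribute -> list of values.
    An exclusive regex is only accepted when an inclusive one exists or is
    added in the same call, which is the invariant Martin asked for.
    """
    new_incl = [validate_regex(p) for p in inclusive]
    new_excl = [validate_regex(p) for p in exclusive]
    if not entry.get(INCLUDE_RE) and not new_incl:
        raise NoInclusiveRule(
            'at least one inclusive regex is required before an exclusive one')
    for attr, values in ((INCLUDE_RE, new_incl), (EXCLUDE_RE, new_excl)):
        existing = entry.setdefault(attr, [])
        for v in values:
            if v not in existing:   # LDAP attribute values are a set
                existing.append(v)
    return entry

def remove_condition(entry, inclusive=(), exclusive=()):
    """Remove conditions; the last inclusive regex may not be removed."""
    remaining = [p for p in entry.get(INCLUDE_RE, []) if p not in inclusive]
    if not remaining:
        raise NoInclusiveRule('cannot remove the last inclusive regex of a rule')
    entry[INCLUDE_RE] = remaining
    entry[EXCLUDE_RE] = [p for p in entry.get(EXCLUDE_RE, []) if p not in exclusive]
    return entry
```

Martin's alternative (deleting the empty object once the last inclusive regex goes, as dnsrecord-del does) would replace the raise in remove_condition with a delete of the entry.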