From mkosek at redhat.com Wed Jun 1 07:41:42 2011
From: mkosek at redhat.com (Martin Kosek)
Date: Wed, 01 Jun 2011 09:41:42 +0200
Subject: [Freeipa-devel] [PATCH] 072 Fix support for nss-pam-ldapd
Message-ID: <1306914104.3496.11.camel@dhcp-25-52.brq.redhat.com>

Test hints:

1) Test with nss-ldap package
   - install nss-ldap on the client machine
   - install IPA client with --no-sssd option
   - `id admin', logging in to the machine should work (even after the restart, i.e. correct services are run after the restart)

2) Test with nss-pam-ldapd
   - uninstall nss-ldap, install nss-pam-ldapd
   - install IPA client with --no-sssd option
   - `id admin', logging in to the machine should work

3) Test with SSSD
   - install IPA client
   - `id admin', logging in to the machine should work

---

Client installation with --no-sssd option was broken if the client was based on nss-pam-ldapd instead of nss_ldap. The main issue is with authconfig rewriting the nslcd.conf after it has been configured by ipa-client-install. This has been fixed by changing the order of installation steps. Additionally, the nslcd daemon needed for nss-pam-ldapd function is now correctly started.

https://fedorahosted.org/freeipa/ticket/1235

-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-mkosek-072-fix-support-for-nss-pam-ldapd.patch
Type: text/x-patch
Size: 4528 bytes

From mkosek at redhat.com Wed Jun 1 09:12:57 2011
From: mkosek at redhat.com (Martin Kosek)
Date: Wed, 01 Jun 2011 11:12:57 +0200
Subject: [Freeipa-devel] [PATCH] 073 IPA installation with --no-host-dns fails
Message-ID: <1306919578.2419.2.camel@dhcp-25-52.brq.redhat.com>

Patch for both master and ipa-2-0 branch attached.

---

--no-host-dns option should allow installing IPA server on a host without a DNS resolvable name. The parse_ip_address and verify_ip_address functions have been changed not to return None and print error messages in case of an error, but rather let the Exception be handled by the calling routine.

https://fedorahosted.org/freeipa/ticket/1246

-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-mkosek-073-ipa-installation-with-no-host-dns-fails.patch
Type: text/x-patch
Size: 7142 bytes
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-mkosek-073-ipa-2-0.patch
Type: text/x-patch
Size: 1574 bytes

From ayoung at redhat.com Wed Jun 1 13:36:44 2011
From: ayoung at redhat.com (Adam Young)
Date: Wed, 01 Jun 2011 09:36:44 -0400
Subject: [Freeipa-devel] [PATCH] 0231-redirect-on-error
Message-ID: <4DE6406C.5010007@redhat.com>

https://fedorahosted.org/freeipa/ticket/1227

-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-admiyo-0231-redirect-on-error.patch
Type: text/x-patch
Size: 3744 bytes

From edewata at redhat.com Wed Jun 1 14:59:22 2011
From: edewata at redhat.com (Endi Sukma Dewata)
Date: Wed, 01 Jun 2011 09:59:22 -0500
Subject: [Freeipa-devel] [PATCH] 0231-redirect-on-error
In-Reply-To: <4DE6406C.5010007@redhat.com>
References: <4DE6406C.5010007@redhat.com>
Message-ID: <4DE653CA.6090405@redhat.com>

On 6/1/2011 8:36 AM, Adam Young wrote:
> https://fedorahosted.org/freeipa/ticket/1227

ACK and pushed to master.

--
Endi S. Dewata

From ayoung at redhat.com Wed Jun 1 15:09:46 2011
From: ayoung at redhat.com (Adam Young)
Date: Wed, 01 Jun 2011 11:09:46 -0400
Subject: [Freeipa-devel] [PATCH] 0229-automount-delete-key
In-Reply-To: <4DE53C99.7060405@redhat.com>
References: <4DE19959.4030405@redhat.com> <4DE4F3CD.9020705@redhat.com> <4DE4F46F.9010204@redhat.com> <4DE51E77.6040303@redhat.com> <4DE53C99.7060405@redhat.com>
Message-ID: <4DE6563A.8020800@redhat.com>

https://fedorahosted.org/freeipa/ticket/204

Comments for what was fixed are in the patch. Here's what I didn't change:

> 4. Clicking 'Back to List' when viewing a map brings you back to list
> of locations. Is this still intentional? Perhaps the label should be
> changed to 'Back to Locations' or simply hidden.

Left it as is. If UXD objects, we can change it in a follow-on patch.

> 5. The conditional fields in IPA.dialog are a little bit limited
> because there is only one set of conditional fields which has to be
> enabled/disabled together. It might be better to replace the
> 'conditional' boolean parameter into 'field_group' then replace the
> enable/disable methods to accept a field group. This could be done
> later.

Agreed. I'd like to merge this with the sections code used for aci.

> 8. In dialog.js line 626 and search.js line 253, the hasOwnProperty()
> invocations are probably redundant because the key is obtained from
> the object itself, so that method will always return true.

This falls under the rules from "JavaScript: The Good Parts" and is probably a good idea to leave in, even though in our code it is strictly unnecessary.

> 10. The 3rd level tab for automount key was removed. At this point does
> it make sense to remove the 3rd level tabs completely?

The 3rd tab will come back if/when we do automountkey details. Leaving for now.

> 11. The option values for automount map adder dialog could be
> simplified to "direct" and "indirect".

The values used are what is appended to the command's method. Had to leave them as is to keep that working.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-admiyo-0229-5-automount-delete-key.patch
Type: text/x-patch
Size: 12081 bytes

From mkosek at redhat.com Wed Jun 1 16:12:26 2011
From: mkosek at redhat.com (Martin Kosek)
Date: Wed, 01 Jun 2011 18:12:26 +0200
Subject: [Freeipa-devel] [PATCH] 074 Handle LDAP search references
Message-ID: <1306944748.2419.4.camel@dhcp-25-52.brq.redhat.com>

LDAP search operation may return a search reference pointing to an LDAP resource. As the framework does not handle search references, skip these results to prevent result processing failures.

Migrate operation crashed when the migrated DS contained search references. Now it correctly skips these records and prints the failed references to the user.

https://fedorahosted.org/freeipa/ticket/1209

-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-mkosek-074-handle-ldap-search-references.patch
Type: text/x-patch
Size: 4747 bytes

From rcritten at redhat.com Wed Jun 1 19:59:43 2011
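The failure Martin's patch 074 describes, shown in code. This is an added example written for this page, not the FreeIPA framework's or the migrate plugin's code: it separates search references from entries in a python-ldap style result list, where a reference arrives as a `(None, [url, ...])` tuple instead of `(dn, attrs)`. The sample result list is constructed, not taken from any real directory, and the `uid_of` handler stands in for whatever per-entry processing the caller does.

```python
# Added example, not FreeIPA's code: separating LDAP search references
# from real entries in a python-ldap style result list.
#
# python-ldap hands back each search result as a (dn, attrs) tuple.  A
# search reference (a continuation reference to another server) arrives
# as (None, [url, ...]): the DN is None and the second element is a list
# of LDAP URLs rather than an attribute dict.  Code that treats every
# tuple as an entry blows up on the first reference.

# Constructed sample data (not from a real directory): two entries and
# one search reference, in the shape python-ldap returns them.
SAMPLE_RESULTS = [
    ("uid=alice,ou=people,dc=example,dc=com",
     {"uid": [b"alice"], "uidNumber": [b"1001"]}),
    (None, ["ldap://ldap2.example.com/ou=people,dc=example,dc=com??sub"]),
    ("uid=bob,ou=people,dc=example,dc=com",
     {"uid": [b"bob"], "uidNumber": [b"1002"]}),
]


def split_search_results(results):
    """Partition a raw result list into (entries, references).

    An item whose DN is None is a search reference; everything else is an
    entry.  References are returned, not dropped, so the caller can tell
    the user what was skipped.
    """
    entries, references = [], []
    for dn, value in results:
        if dn is None:
            references.append(value)
        else:
            entries.append((dn, value))
    return entries, references


def naive_migrate(results, convert):
    """Pre-fix behaviour: every tuple is assumed to be an entry, so the
    reference's URL list gets indexed like a dict and a TypeError escapes."""
    return [convert(dn, attrs) for dn, attrs in results]


def migrate_entries(results, convert):
    """Fixed behaviour: convert entries only, and return the skipped
    reference URLs alongside (flattened, ready to show to the user)."""
    entries, references = split_search_results(results)
    migrated = [convert(dn, attrs) for dn, attrs in entries]
    skipped = [url for urls in references for url in urls]
    return migrated, skipped


def uid_of(dn, attrs):
    """Per-entry handler used by the demo: pull the uid out as text."""
    return attrs["uid"][0].decode()


if __name__ == "__main__":
    users, refs = migrate_entries(SAMPLE_RESULTS, uid_of)
    print("migrated:", users)
    for url in refs:
        print("skipped search reference:", url)
```

Whether references should be followed rather than reported is a separate decision; following them would mean connecting to another server with the caller's credentials, which a migration tool should not do silently.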
From: rcritten at redhat.com (Rob Crittenden)
Date: Wed, 01 Jun 2011 15:59:43 -0400
Subject: [Freeipa-devel] [PATCH] 783 get group info when showing user
In-Reply-To: <4DD678CC.5020301@redhat.com>
References: <4DCD9051.3040908@redhat.com> <4DCDABA9.1030802@redhat.com> <4DCDC42F.7080107@redhat.com> <4DD678CC.5020301@redhat.com>
Message-ID: <4DE69A2F.2030409@redhat.com>

Rob Crittenden wrote:
> Rob Crittenden wrote:
>> Adam Young wrote:
>>> On 05/13/2011 04:10 PM, Rob Crittenden wrote:
>>>> The UI team had asked that we provide some group info (GID,
>>>> description) when showing users. This adds a special call to group_find
>>>> to get this information. It is returned as a list of dicts.
>>>>
>>>> ticket 107
>>>>
>>>> rob
>>>>
>>>> _______________________________________________
>>>> Freeipa-devel mailing list
>>>> Freeipa-devel at redhat.com
>>>> https://www.redhat.com/mailman/listinfo/freeipa-devel
>>>
>>> I wonder if this is the wrong abstraction. As we discussed today, we
>>> need to do many of these types of cross referential searches. Basically,
>>> we need to be able to filter on 'member' and 'memberof' type
>>> relationships.
>>>
>>> So if we did a group_find --member_user=ayoung it would return all
>>> groups that I am a member of. This would work across the board for
>>> association facets
>>
>> That works now, as specified in the ticket. I was under the impression
>> this was rejected which is why I embedded it into user-show. What you
>> suggested works now with: ipa group-find --users=ayoung
>>
>> memberof doesn't exist in the group, you have to look at the end entity.
>>
>> rob
>
> So what shall I do with this? Dump the patch and re-assign the ticket to
> the UI?
>
> rob

This patch is being pulled back, we'll find another way.

From rcritten at redhat.com Wed Jun 1 20:18:34 2011
From: rcritten at redhat.com (Rob Crittenden)
Date: Wed, 01 Jun 2011 16:18:34 -0400
Subject: [Freeipa-devel] [PATCH] 069 Improve interactive mode for DNS plugin
In-Reply-To: <1306531626.31086.6.camel@dhcp-25-52.brq.redhat.com>
References: <1306413148.2330.8.camel@dhcp-25-52.brq.redhat.com> <4DDF0ED5.20904@redhat.com> <1306482057.3416.7.camel@dhcp-25-52.brq.redhat.com> <4DE008D1.1020002@redhat.com> <1306531626.31086.6.camel@dhcp-25-52.brq.redhat.com>
Message-ID: <4DE69E9A.1030600@redhat.com>

Martin Kosek wrote:
> On Fri, 2011-05-27 at 16:25 -0400, Rob Crittenden wrote:
>> Martin Kosek wrote:
>>> On Thu, 2011-05-26 at 22:39 -0400, Rob Crittenden wrote:
>>>> Martin Kosek wrote:
>>>>> Interactive mode for commands manipulating DNS records
>>>>> (dnsrecord-add, dnsrecord-del) is not usable. This patch enhances
>>>>> the server framework with new callback for interactive mode, which
>>>>> can be used by commands to inject their own interactive handling.
>>>>>
>>>>> The callback is then used to improve aforementioned commands'
>>>>> interactive mode.
>>>>>
>>>>> https://fedorahosted.org/freeipa/ticket/1018
>>>>
>>>> This works pretty nicely but it seems like with just a bit more it can
>>>> be great.
>>>>
>>>> Can you add some doc examples for how this works?
>>>
>>> Done. At least user will know that we have a feature like that to offer.
>>>
>>>> And you display the records now and then prompt for each to delete. Can
>>>> you combine the two?
>>>>
>>>> For example:
>>>>
>>>> ipa dnsrecord-del greyoak.com lion
>>>> No option to delete specific record provided.
>>>> Delete all? Yes/No (default No):
>>>> Current DNS record contents:
>>>>
>>>> A record: 192.168.166.32
>>>>
>>>> Enter value(s) to remove:
>>>> [A record]:
>>>>
>>>> If we know there is a record why not just prompt for each value yes/no
>>>> to delete?
>>>
>>> Actually, this is a very good idea, I like it. I updated the patch so
>>> that the user can only do yes/no decision in ipa dnsrecord-del
>>> interactive mode. This makes dnsrecord-del interactive mode very usable.
>>>
>>>> The yes/no function needs more documentation on what default does too.
>>>> It appears that the possible values are None/True/False and that None
>>>> means that '' can be returned (which could still be evaluated as False
>>>> if this isn't used right).
>>>
>>> Done. '' shouldn't be returned as I return the value of "default" if it
>>> is not None. But yes, it needed more documenting.
>>>
>>> Updated patch is attached. It may need some language corrections, I am
>>> no native speaker.
>>>
>>> Martin
>>
>> Not to be too pedantic but...
>>
>> The result variable isn't really used, a while True: would suffice.
>>
>> I'm not really sure what the purpose of default = None is. I think a
>> True/False is more appropriate, this 3rd answer of a binary question is
>> confusing.
>
> I fixed the result variable. This was a left-over from function
> evolution.
>
> I am not sure why the yes/no function is still confusing. Maybe I miss
> something. I improved the function help a bit. But let me explain:
>
> If default is None, that means that there is no default answer to the yes/no
> question and the user has to answer either "y" or "n". He cannot skip the
> answer and is prompted until the answer is given.
>
> When default is True, the user can just enter an empty answer, which is treated
> as "yes" and True is returned.
>
> When default is False and the user enters an empty answer, it is treated as
> "no" and False is returned.
>
> None shouldn't be returned at all... (Maybe only in a case of an error)
>
> Martin

Wow, this is very nice indeed. Ack.

rob

From edewata at redhat.com Wed Jun 1 23:05:12 2011
From: edewata at redhat.com (Endi Sukma Dewata)
Date: Wed, 01 Jun 2011 18:05:12 -0500
Subject: [Freeipa-devel] [PATCH] 0229-automount-delete-key
In-Reply-To: <4DE6563A.8020800@redhat.com>
References: <4DE19959.4030405@redhat.com> <4DE4F3CD.9020705@redhat.com> <4DE4F46F.9010204@redhat.com> <4DE51E77.6040303@redhat.com> <4DE53C99.7060405@redhat.com> <4DE6563A.8020800@redhat.com>
Message-ID: <4DE6C5A8.1010400@redhat.com>

On 6/1/2011 10:09 AM, Adam Young wrote:
>> 11. The option values for automount map adder dialog could be
>> simplified to "direct" and "indirect".
> The values used are what is appended to the command's method. Had to
> leave them as is to keep that working.

The option values (direct & indirect) could be translated internally into method names (add and add_indirect). It wouldn't matter for users, but it could improve clarity of Selenium tests. This is no big deal, it can be fixed another time.

One more issue:

12. The map type radio buttons in the automount map adder dialog retain the previous selection. Try creating an indirect map, then click Add again, the indirect radio is selected but the mount point and parent map fields are not shown.

It's ACKed. Issue #12 could be fixed before push.

--
Endi S. Dewata

From ayoung at redhat.com Thu Jun 2 02:02:55 2011
From: ayoung at redhat.com (Adam Young)
Date: Wed, 01 Jun 2011 22:02:55 -0400
Subject: [Freeipa-devel] [PATCH] 0232-scrollable-content-areas.patch
Message-ID: <4DE6EF4F.2060606@redhat.com>

Note that this patch does not yet deal with the add dialog for permissions, or other add dialogs, but contains code necessary to deal with it.

-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-admiyo-0232-scrollable-content-areas.patch
Type: text/x-patch
Size: 94049 bytes

From ayoung at redhat.com Thu Jun 2 02:16:10 2011
From: ayoung at redhat.com (Adam Young)
Date: Wed, 01 Jun 2011 22:16:10 -0400
Subject: [Freeipa-devel] [PATCH] 0229-automount-delete-key
In-Reply-To: <4DE6C5A8.1010400@redhat.com>
References: <4DE19959.4030405@redhat.com> <4DE4F3CD.9020705@redhat.com> <4DE4F46F.9010204@redhat.com> <4DE51E77.6040303@redhat.com> <4DE53C99.7060405@redhat.com> <4DE6563A.8020800@redhat.com> <4DE6C5A8.1010400@redhat.com>
Message-ID: <4DE6F26A.8090201@redhat.com>

On 06/01/2011 07:05 PM, Endi Sukma Dewata wrote:
> On 6/1/2011 10:09 AM, Adam Young wrote:
>>> 11. The option values for automount map adder dialog could be
>>> simplified to "direct" and "indirect".
>
>> The values used are what is appended to the command's method. Had to
>> leave them as is to keep that working.
>
> The option values (direct & indirect) could be translated internally
> into method names (add and add_indirect). It wouldn't matter for users,
> but it could improve clarity of Selenium tests. This is no big deal,
> it can be fixed another time.
>
> One more issue:
>
> 12. The map type radio buttons in the automount map adder dialog retain
> the previous selection. Try creating an indirect map, then click Add
> again, the indirect radio is selected but the mount point and parent
> map fields are not shown.
>
> It's ACKed. Issue #12 could be fixed before push.

#12 was fixed and pushed. I also added sample data for automountmap_add_indirect.

From jhrozek at redhat.com Thu Jun 2 06:23:19 2011
From: jhrozek at redhat.com (Jakub Hrozek)
Date: Thu, 02 Jun 2011 08:23:19 +0200
Subject: [Freeipa-devel] [PATCH] 18 Parse netmasks in IP addresses passed to server install
In-Reply-To: <4DE72B2D.6000902@redhat.com>
References: <4DC97E8B.8050904@redhat.com> <4DD6B2A5.3010507@redhat.com> <4DD939C3.5080106@redhat.com> <4DD9F7E6.7070607@redhat.com> <4DE72B2D.6000902@redhat.com>
Message-ID: <4DE72C57.3040000@redhat.com>

On 06/02/2011 08:18 AM, Jakub Hrozek wrote:
> On 05/23/2011 08:00 AM, Jan Cholasta wrote:
>> On 22.5.2011 18:28, Jakub Hrozek wrote:
>>> On 05/20/2011 08:27 PM, Jan Cholasta wrote:
>>>> TODO: Clean unreachable code paths off of ipa-server-install (?)
>>>
>>> In general I agree even though I don't know exactly what code you have
>>> in mind -- if the code is dead there's no reason to keep it.
>>
>> I've noticed that e.g. if the hostname can't be resolved, verify_fqdn
>> raises an exception, so some of the checks below the "ip =
>> resolve_host(host_name)" line in ipa-server-install are unnecessary, but
>> I'm not yet sure if I'm not missing something.
>>
>>>> TODO: Workarounds for netaddr bugs (?)
>>>
>>> Are these bugs reported upstream? I know you mentioned some in an
>>> earlier e-mail, just wondering if they are the same.
>>>
>>> Long term, it might be better to fix them in netaddr rather than working
>>> around them.
>>
>> Yes, they're the same and are already fixed (according to the netaddr
>> bug tracker), but there's no release with the fixes yet (or it's not in
>> Fedora). There are not any big issues that I'm aware of, it's just that
>> if you specify an incorrect netmask with an IPv4 address, the error message
>> isn't very helpful to the user:
>>
>> netaddr.IPNetwork('192.168.1.1/33')
>> ...
>> UnboundLocalError: local variable 'ip' referenced before assignment
>>
>>> Jakub
>>
>> Honza
>

I cherry-picked a patch for that issue from upstream and built a fixed python-netaddr:
https://admin.fedoraproject.org/updates/python-netaddr-0.7.5-3.fc15

Please test and add karma :-)

From mkosek at redhat.com Thu Jun 2 07:10:13 2011
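Two threads above touch the same function pair: Martin's patch 073 makes parse_ip_address and verify_ip_address raise instead of returning None, and the netaddr thread shows what a bad netmask (`192.168.1.1/33`) looked like before the fix. The block below is an added example for this page, not FreeIPA's code: it parses an address with an optional `/prefix`, raises a typed exception on every failure, and reports an out-of-range prefix clearly. It uses only the standard library `ipaddress` module rather than netaddr, and the usability checks in `verify_ip_address` (no unspecified, loopback, multicast or link-local addresses) are an assumed policy, not something the thread lists.

```python
# Added example, not FreeIPA's parse_ip_address/verify_ip_address: an
# IP address parser that accepts an optional "/prefix" netmask, raises
# instead of returning None, and turns the bad-netmask case into a clear
# error.  Standard library only (ipaddress), no netaddr.
import ipaddress


class IPAddressError(ValueError):
    """Raised for any unusable address; the caller decides how to report it."""


def parse_ip_address(text, allow_netmask=True):
    """Return (address, prefix_length_or_None) for 'a.b.c.d' or 'a.b.c.d/nn'
    (IPv6 too).  Never returns None: malformed input raises IPAddressError."""
    text = text.strip()
    has_netmask = "/" in text
    if has_netmask and not allow_netmask:
        raise IPAddressError("netmask not allowed here: %r" % text)
    try:
        # ip_interface rejects malformed addresses and out-of-range prefixes
        # (e.g. /33 on IPv4) with ValueError, so there is no netaddr-style
        # UnboundLocalError to paper over.
        iface = ipaddress.ip_interface(text)
    except ValueError as err:
        raise IPAddressError("invalid IP address or netmask %r: %s" % (text, err)) from err
    return iface.ip, (iface.network.prefixlen if has_netmask else None)


# Assumed policy for the checks below (the thread does not list them):
# a server address must be a unicast address reachable by other hosts.
def verify_ip_address(text, allow_netmask=True):
    """Parse, then reject addresses no IPA server should be installed with."""
    addr, prefix = parse_ip_address(text, allow_netmask)
    for flag in ("is_unspecified", "is_loopback", "is_multicast", "is_link_local"):
        if getattr(addr, flag):
            raise IPAddressError("%s is not usable as a server address (%s)"
                                 % (addr, flag[3:].replace("_", "-")))
    return addr, prefix


def describe(text):
    """Installer-style wrapper: returns the message instead of printing it,
    so the decision about how to report stays with the caller."""
    try:
        addr, prefix = verify_ip_address(text)
    except IPAddressError as err:
        return "error: %s" % err
    return "ok: %s/%s" % (addr, prefix if prefix is not None else addr.max_prefixlen)


if __name__ == "__main__":
    for sample in ("192.168.1.1", "192.168.1.1/24", "192.168.1.1/33",
                   "127.0.0.1", "2001:db8::10/64", "fe80::1"):
        print(sample, "->", describe(sample))
```

Returning the prefix as `None` when the user gave none keeps "no netmask supplied" distinguishable from "/32 supplied", which matters when the installer later decides whether it has enough information to configure the interface.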
From: mkosek at redhat.com (Martin Kosek)
Date: Thu, 02 Jun 2011 09:10:13 +0200
Subject: [Freeipa-devel] [PATCH] 069 Improve interactive mode for DNS plugin
In-Reply-To: <4DE69E9A.1030600@redhat.com>
References: <1306413148.2330.8.camel@dhcp-25-52.brq.redhat.com> <4DDF0ED5.20904@redhat.com> <1306482057.3416.7.camel@dhcp-25-52.brq.redhat.com> <4DE008D1.1020002@redhat.com> <1306531626.31086.6.camel@dhcp-25-52.brq.redhat.com> <4DE69E9A.1030600@redhat.com>
Message-ID: <1306998615.2419.27.camel@dhcp-25-52.brq.redhat.com>

On Wed, 2011-06-01 at 16:18 -0400, Rob Crittenden wrote:
> Martin Kosek wrote:
> > On Fri, 2011-05-27 at 16:25 -0400, Rob Crittenden wrote:
> >> Martin Kosek wrote:
> >>> On Thu, 2011-05-26 at 22:39 -0400, Rob Crittenden wrote:
> >>>> Martin Kosek wrote:
> >>>>> Interactive mode for commands manipulating DNS records
> >>>>> (dnsrecord-add, dnsrecord-del) is not usable. This patch enhances
> >>>>> the server framework with new callback for interactive mode, which
> >>>>> can be used by commands to inject their own interactive handling.
> >>>>>
> >>>>> The callback is then used to improve aforementioned commands'
> >>>>> interactive mode.
> >>>>>
> >>>>> https://fedorahosted.org/freeipa/ticket/1018
> >>>>
> >>>> This works pretty nicely but it seems like with just a bit more it can
> >>>> be great.
> >>>>
> >>>> Can you add some doc examples for how this works?
> >>>
> >>> Done. At least user will know that we have a feature like that to offer.
> >>>
> >>>> And you display the records now and then prompt for each to delete. Can
> >>>> you combine the two?
> >>>>
> >>>> For example:
> >>>>
> >>>> ipa dnsrecord-del greyoak.com lion
> >>>> No option to delete specific record provided.
> >>>> Delete all? Yes/No (default No):
> >>>> Current DNS record contents:
> >>>>
> >>>> A record: 192.168.166.32
> >>>>
> >>>> Enter value(s) to remove:
> >>>> [A record]:
> >>>>
> >>>> If we know there is a record why not just prompt for each value yes/no
> >>>> to delete?
> >>>
> >>> Actually, this is a very good idea, I like it. I updated the patch so
> >>> that the user can only do yes/no decision in ipa dnsrecord-del
> >>> interactive mode. This makes dnsrecord-del interactive mode very usable.
> >>>
> >>>> The yes/no function needs more documentation on what default does too.
> >>>> It appears that the possible values are None/True/False and that None
> >>>> means that '' can be returned (which could still be evaluated as False
> >>>> if this isn't used right).
> >>>
> >>> Done. '' shouldn't be returned as I return the value of "default" if it
> >>> is not None. But yes, it needed more documenting.
> >>>
> >>> Updated patch is attached. It may need some language corrections, I am
> >>> no native speaker.
> >>>
> >>> Martin
> >>
> >> Not to be too pedantic but...
> >>
> >> The result variable isn't really used, a while True: would suffice.
> >>
> >> I'm not really sure what the purpose of default = None is. I think a
> >> True/False is more appropriate, this 3rd answer of a binary question is
> >> confusing.
> >
> > I fixed the result variable. This was a left-over from function
> > evolution.
> >
> > I am not sure why the yes/no function is still confusing. Maybe I miss
> > something. I improved the function help a bit. But let me explain:
> >
> > If default is None, that means that there is no default answer to the yes/no
> > question and the user has to answer either "y" or "n". He cannot skip the
> > answer and is prompted until the answer is given.
> >
> > When default is True, the user can just enter an empty answer, which is treated
> > as "yes" and True is returned.
> >
> > When default is False and the user enters an empty answer, it is treated as
> > "no" and False is returned.
> >
> > None shouldn't be returned at all... (Maybe only in a case of an error)
> >
> > Martin
> >
>
> Wow, this is very nice indeed. Ack.
>
> rob

Thanks :-) Pushed to master.

Martin

From mkosek at redhat.com Thu Jun 2 13:23:07 2011
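Martin's description of the three `default` behaviours (None, True, False) and Rob's suggestion to ask yes/no per record value, both quoted in the thread above, as a worked example. This is added code written for this page, not the helper from patch 069: `yes_no` implements exactly the semantics Martin lists, never returns None or `''`, and takes injectable `read`/`write` callables so it can be exercised without a terminal; `select_values_to_delete` is a dnsrecord-del style loop over record values whose shape and sample data are assumed for the demo.

```python
# Added example, not FreeIPA's own helper: a yes/no prompt with the three
# "default" behaviours described in the thread (None = no default, True =
# empty answer means yes, False = empty answer means no), plus a
# dnsrecord-del style loop that asks once per record value.  `read` and
# `write` are injectable so the functions can run without a terminal.


def yes_no(question, default=None, read=input, write=print):
    """Ask until a usable answer arrives; return True or False, never None.

    default=None : the user must type y/yes or n/no; an empty answer re-prompts.
    default=True : an empty answer is taken as "yes".
    default=False: an empty answer is taken as "no".
    """
    hint = {None: "[y/n]", True: "[Y/n]", False: "[y/N]"}[default]
    while True:
        answer = read("%s %s: " % (question, hint)).strip().lower()
        if answer in ("y", "yes"):
            return True
        if answer in ("n", "no"):
            return False
        if answer == "" and default is not None:
            return default
        write("Please answer 'yes' or 'no'.")


def select_values_to_delete(records, read=input, write=print):
    """For each record type and value, ask whether to delete it.

    `records` maps a record label (e.g. "A record") to its list of values,
    the shape the interactive dnsrecord-del mode shows the user (assumed
    here).  Returns the subset to delete.  Deletion is destructive, so the
    default is False: nothing is removed without an explicit "yes".
    """
    to_delete = {}
    for label, values in records.items():
        for value in values:
            if yes_no("Delete %s %s?" % (label, value), default=False,
                      read=read, write=write):
                to_delete.setdefault(label, []).append(value)
    return to_delete


def scripted(answers):
    """Build a `read` replacement that replays canned answers (tests/demos)."""
    it = iter(answers)
    return lambda prompt: next(it)


if __name__ == "__main__":
    # Constructed sample: the record from the thread plus one more value.
    sample = {"A record": ["192.168.166.32", "192.168.166.33"]}
    chosen = select_values_to_delete(sample, read=scripted(["y", ""]))
    print("would delete:", chosen)   # only the first value
```

The prompt hint (`[y/n]`, `[Y/n]`, `[y/N]`) is the conventional way to make the default visible, which addresses Rob's point that a third state is confusing only when the user cannot see which behaviour is active.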
From: mkosek at redhat.com (Martin Kosek)
Date: Thu, 02 Jun 2011 15:23:07 +0200
Subject: [Freeipa-devel] [PATCH] 068 Connection check program for replica installation
In-Reply-To: <1306570392.2433.2.camel@dhcp-25-52.brq.redhat.com>
References: <1306157956.2514.9.camel@dhcp-25-52.brq.redhat.com> <4DDAC65E.7080300@redhat.com> <1306224886.2514.24.camel@dhcp-25-52.brq.redhat.com> <4DE07598.4050000@redhat.com> <1306570392.2433.2.camel@dhcp-25-52.brq.redhat.com>
Message-ID: <1307020989.2419.31.camel@dhcp-25-52.brq.redhat.com>

On Sat, 2011-05-28 at 10:13 +0200, Martin Kosek wrote:
> On Sat, 2011-05-28 at 00:10 -0400, Rob Crittenden wrote:
> > Martin Kosek wrote:
> > > On Mon, 2011-05-23 at 16:41 -0400, Rob Crittenden wrote:
> > >> Martin Kosek wrote:
> > >>> This is a first version of connection checking program for replica
> > >>> installation. See patch for program purpose description. Currently,
> > >>> there are no man pages for the program.
> > >>>
> > >>> Note to Simo and Rob: I use password for logging in as admin. Btw would it
> > >>> be safe to have an admin keytab in the replica file? Replica file
> > >>> contents are lying freely in /tmp after the replica installation.
> > >>>
> > >>> Martin
> > >>
> > >> nack, you aren't including the new binary in the spec.
> > >
> > > Oh, thanks for this one.
> > >
> > >> You should also:
> > >>
> > >> - set KRB5CCNAME to a temporary ccache and remove that when the install
> > >> exits (successful or not)
> > >
> > > Done.
> > >
> > >> - remove the temporary krb5.conf you create
> > >
> > > Done.
> > >
> > >> - be a bit more explicit what we are doing, at least more than "Run
> > >> connection check to master".
> > >
> > > Actually, I am if you run the new script separately. I removed "--quiet"
> > > parameter passed to the script in ipa-replica-install so that it is more
> > > verbose. Plus, I improved texts sent to the user.
> > >
> > >> - yes, we should remove the replica file contents
> > >
> > > I enhanced ipa-replica-install to do that.
> > >
> > > Martin
> >
> > Works great until the very end:
> > ...
> > ...
> >
> > Execute check on remote master
> > Check connection from master to remote replica 'slinky.greyoak.com':
> >    Directory Service: unsecure port (389): FAILED
> >    Directory Service: secure port (636): FAILED
> >    Kerberos (88): OK
> >
> > Remote master check failed with following error message(s):
> > Could not chdir to home directory /home/admin: No such file or directory
> > Port check failed! Unaccessible port(s): 389, 636
> >
> > Connection check failed with following error: None
> >
> > rob
>
> Right, I introduced this wrong error message in the last patch. I fixed
> this one and also one typo. Updated patch attached.
>
> Martin

I created a man page for the new program. Please feel free to fix/propose a fix for any language errors that may be there.

Missing records in Makefile.am for both man page and the new program have been added.

Martin

-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-mkosek-068-4-connection-check-program-for-replica-installation.patch
Type: text/x-patch
Size: 31299 bytes

From ayoung at redhat.com Thu Jun 2 14:13:03 2011
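Rob's review points in the thread above (a temporary ccache via KRB5CCNAME, a temporary krb5.conf, both removed when the install exits whether it succeeded or not, and no replica-file contents left in /tmp) describe a credential-hygiene pattern that is easy to get wrong on the failure path. The block below is an added example written for this page, not ipa-replica-conncheck's code: it holds the throwaway files in a private 0700 directory, points the Kerberos environment variables at them only for the duration of the check, and restores the previous environment and removes the directory in a `finally` block. No Kerberos library is called; the realm, KDC and the two stand-in checks are constructed for the demo.

```python
# Added example, not ipa-replica-conncheck's code: the credential hygiene
# asked for in review.  A throwaway krb5.conf and credential cache live in
# a private temporary directory, KRB5_CONFIG/KRB5CCNAME point at them only
# while the check runs, and everything (including the previous environment)
# is restored and removed on exit, whether the check succeeded or raised.
# No Kerberos library is touched; realm/KDC values are placeholders.
import os
import shutil
import tempfile
from contextlib import contextmanager


def render_krb5_conf(realm, kdc):
    """Minimal krb5.conf naming one realm and one KDC (assumed layout)."""
    return ("[libdefaults]\n"
            "  default_realm = %s\n"
            "[realms]\n"
            "  %s = {\n"
            "    kdc = %s\n"
            "  }\n" % (realm, realm, kdc))


@contextmanager
def temporary_krb_env(realm, kdc):
    """Yield (krb5.conf path, ccache path) inside a private temp dir.

    mkdtemp creates the directory mode 0700, the config is chmod 0600, and
    the finally block runs on success and on error, so a ticket cache is
    never left behind in /tmp and the caller's environment is restored.
    """
    saved = {name: os.environ.get(name) for name in ("KRB5_CONFIG", "KRB5CCNAME")}
    workdir = tempfile.mkdtemp(prefix="ipa-conncheck-")
    try:
        conf = os.path.join(workdir, "krb5.conf")
        with open(conf, "w") as fh:
            fh.write(render_krb5_conf(realm, kdc))
        os.chmod(conf, 0o600)
        ccache = os.path.join(workdir, "ccache")
        os.environ["KRB5_CONFIG"] = conf
        os.environ["KRB5CCNAME"] = "FILE:" + ccache
        yield conf, ccache
    finally:
        for name, value in saved.items():
            if value is None:
                os.environ.pop(name, None)
            else:
                os.environ[name] = value
        shutil.rmtree(workdir, ignore_errors=True)


def run_check(realm, kdc, check):
    """Run check(conf, ccache) inside the temporary environment and report
    what was left behind: (result_or_exception, workdir_exists_after,
    environment_restored)."""
    before = (os.environ.get("KRB5_CONFIG"), os.environ.get("KRB5CCNAME"))
    workdir = None
    try:
        with temporary_krb_env(realm, kdc) as (conf, ccache):
            workdir = os.path.dirname(conf)
            result = check(conf, ccache)
    except Exception as err:          # the check failed; cleanup already ran
        result = err
    after = (os.environ.get("KRB5_CONFIG"), os.environ.get("KRB5CCNAME"))
    left_behind = workdir is not None and os.path.exists(workdir)
    return result, left_behind, before == after


def failing_check(conf, ccache):
    """Stand-in for a port check that writes a cache and then fails."""
    with open(ccache, "wb") as fh:
        fh.write(b"constructed placeholder, not a real ccache")
    raise RuntimeError("Port check failed! Unaccessible port(s): 389, 636")


def passing_check(conf, ccache):
    """Stand-in for a successful check: the config names a realm, both
    files share the private directory, and KRB5CCNAME points at the cache."""
    with open(conf) as fh:
        text = fh.read()
    return ("default_realm" in text
            and os.path.dirname(conf) == os.path.dirname(ccache)
            and os.environ["KRB5CCNAME"] == "FILE:" + ccache)


if __name__ == "__main__":
    print(run_check("EXAMPLE.COM", "ipa.example.com", passing_check))
    print(run_check("EXAMPLE.COM", "ipa.example.com", failing_check))
```

The same pattern answers Martin's question about an admin keytab in the replica file: whatever credential material the installer unpacks should live only in a directory that this kind of cleanup owns, not loose in /tmp.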
From: ayoung at redhat.com (Adam Young)
Date: Thu, 02 Jun 2011 10:13:03 -0400
Subject: [Freeipa-devel] [PATCH] 0232-scrollable-content-areas.patch
In-Reply-To: <4DE6EF4F.2060606@redhat.com>
References: <4DE6EF4F.2060606@redhat.com>
Message-ID: <4DE79A6F.8010707@redhat.com>

On 06/01/2011 10:02 PM, Adam Young wrote:
> Note that this patch does not yet deal with the add dialog for
> permissions, or other add dialogs, but contains code necessary to deal
> with it.

rebased

-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-admiyo-0232-1-scrollable-content-areas.patch
Type: text/x-patch
Size: 93178 bytes

From ayoung at redhat.com Thu Jun 2 14:22:29 2011
From: ayoung at redhat.com (Adam Young)
Date: Thu, 02 Jun 2011 10:22:29 -0400
Subject: [Freeipa-devel] [PATCH] 0232-scrollable-content-areas.patch
In-Reply-To: <4DE79A6F.8010707@redhat.com>
References: <4DE6EF4F.2060606@redhat.com> <4DE79A6F.8010707@redhat.com>
Message-ID: <4DE79CA5.6000702@redhat.com>

On 06/02/2011 10:13 AM, Adam Young wrote:
> On 06/01/2011 10:02 PM, Adam Young wrote:
>> Note that this patch does not yet deal with the add dialog for
>> permissions, or other add dialogs, but contains code necessary to
>> deal with it.
> rebased

Rebased again.

-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-admiyo-0232-2-scrollable-content-areas.patch
Type: text/x-patch
Size: 93151 bytes

From JR.Aquino at citrix.com Thu Jun 2 15:39:24 2011
From: JR.Aquino at citrix.com (JR Aquino)
Date: Thu, 2 Jun 2011 15:39:24 +0000
Subject: [Freeipa-devel] FreeIPA Auto Membership CLI

I need feedback from the group regarding how we should present the output for Clarity, the 389 Directory Server Auto Membership Plugin...

Currently, the output looks like this:

---=== EXAMPLE ===---
[root at auth2 ~]# ipa clarityrule-show testrule --all
  dn: cn=testrule,cn=automember,cn=etc,dc=expertcity,dc=com
  Clarity Rule: testrule
  Membership filter: objectclass=ipaHost
  Default Group: cn=orphans,cn=hostgroups,cn=accounts,dc=expertcity,dc=com
  Inclusive Regex: cn=webservers,cn=hostgroups,cn=accounts,dc=example,dc=com::fqdn=^web[1-9]+.example.com, cn=mailservers,cn=hostgroups,cn=accounts,dc=example,dc=com::fqdn=^mail[1-9]+.example.com, cn=webservers,cn=hostgroups,cn=accounts,dc=example,dc=com::fqdn=^www[1-9]+.example.com
  Exclusive Regex: cn=webservers,cn=hostgroups,cn=accounts,dc=example,dc=com:blacklist www5:fqdn=^www5\.example\.com
  automembergroupingattr: member:dn
  automemberscope: dc=expertcity,dc=com
  objectclass: top, automemberdefinition
---=== EXAMPLE ===---

Each rule in the definition object is broken down into 3 distinct parts: Group to modify, Description, Attribute + Regular Expression to match.

As time progresses it will be likely that these rules could get long and visually unappealing. I would like to know how we might better represent this info.

Perhaps a breakout with indentation for each unique group defined in each rule?

---===SUGGESTION===---
[root at auth2 ~]# ipa clarityrule-show testrule --all
  dn: cn=testrule,cn=automember,cn=etc,dc=expertcity,dc=com
  Clarity Rule: testrule
  Membership filter: objectclass=ipaHost
  Default Group: cn=orphans,cn=hostgroups,cn=accounts,dc=expertcity,dc=com
  Inclusive Regex:
    cn=webservers,cn=hostgroups,cn=accounts,dc=example,dc=com
      FrontEnd: fqdn=^web[1-9]+.example.com,
      MainSite: fqdn=^www[1-9]+.example.com
    cn=mailservers,cn=hostgroups,cn=accounts,dc=example,dc=com
      SMTP: fqdn=^mail[1-9]+.example.com,
  Exclusive Regex:
    cn=webservers,cn=hostgroups,cn=accounts,dc=example,dc=com
      blacklist: www5:fqdn=^www5\.example\.com
  automembergroupingattr: member:dn
  automemberscope: dc=expertcity,dc=com
  objectclass: top, automemberdefinition
---===SUGGESTION===---

Using these rules, the Auto Membership Plugin monitors for insertions into the LDAP directory matching the Membership Filter; in this example, objectclass=ipaHost.

The object matching the filter is then compared against the exclusive rules to make sure there is not a marker which indicates the object should NOT be a member of a given group.

Then the object is compared against the inclusive rules to determine if there is a match.
If there is a match, the object is added to the group defined in the matching rule.
If all rules are exhausted, the object is optionally added to the group defined by the Default Group attribute of the Definition.

You can view the design document here for more details on how the rules are represented within the raw directory.
http://directory.fedoraproject.org/wiki/Auto_Membership_Design

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Jr Aquino, GCIH | Information Security Specialist
Citrix Online | 7408 Hollister Avenue | Goleta, CA 93117
T: +1 805.690.3478
jr.aquino at citrixonline.com
http://www.citrixonline.com

From ayoung at redhat.com Thu Jun 2 16:28:18 2011
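The matching order JR lays out above (membership filter, then exclusive rules, then inclusive rules, then the default group) is worth seeing as code, because the exclusive step is what decides whether a host like www5 ends up in the default group or nowhere. The block below is an added example written for this page, not the 389-ds Auto Membership plugin's code. It parses the `group:description:attr=regex` strings exactly as they appear in the testrule output and evaluates constructed host entries against them. Assumptions, since the message does not settle them: the membership filter is treated as a single `attr=value` equality test rather than a full LDAP filter; an exclusive match removes the object from that one group only; and the default group applies only when no inclusive rule produced a group.

```python
# Added example, not the 389-ds Auto Membership plugin's code: a small
# evaluator for the rule strings shown in the testrule output, to make the
# matching order concrete.  Simplifications/assumptions: the membership
# filter is a single "attr=value" equality test (the real one is a full
# LDAP filter); an exclusive match removes the object from that one group
# only; the default group is used only when no inclusive rule matched.
import re


def parse_rule(text):
    """Split 'group:description:attr=regex' into (group, description, attr, regex).

    The group DN contains commas but no colon, so splitting on the first
    two colons is safe; the regex keeps any colons it contains.
    """
    group, description, condition = text.split(":", 2)
    attr, regex = condition.split("=", 1)
    return group, description, attr.lower(), re.compile(regex)


def matches_filter(entry, membership_filter):
    """Minimal 'attr=value' equality filter, case-insensitive on both sides."""
    attr, value = membership_filter.split("=", 1)
    return any(v.lower() == value.lower() for v in entry.get(attr.lower(), []))


def rule_matches(entry, attr, regex):
    return any(regex.search(v) for v in entry.get(attr, []))


def target_groups(entry, definition):
    """Return the list of group DNs the object would be added to."""
    if not matches_filter(entry, definition["filter"]):
        return []                                   # not in scope of this definition
    excluded = {group for group, _, attr, rx in definition["exclusive"]
                if rule_matches(entry, attr, rx)}    # exclusive rules first
    groups = []
    for group, _, attr, rx in definition["inclusive"]:
        if group in excluded or group in groups:
            continue
        if rule_matches(entry, attr, rx):
            groups.append(group)
    if not groups and definition.get("default"):
        groups.append(definition["default"])        # nothing matched: default group
    return groups


# The testrule definition from the message, as parsed rules.
WEB = "cn=webservers,cn=hostgroups,cn=accounts,dc=example,dc=com"
MAIL = "cn=mailservers,cn=hostgroups,cn=accounts,dc=example,dc=com"
ORPHANS = "cn=orphans,cn=hostgroups,cn=accounts,dc=expertcity,dc=com"
TESTRULE = {
    "filter": "objectclass=ipaHost",
    "default": ORPHANS,
    "inclusive": [parse_rule(r) for r in (
        WEB + "::fqdn=^web[1-9]+.example.com",
        MAIL + "::fqdn=^mail[1-9]+.example.com",
        WEB + "::fqdn=^www[1-9]+.example.com",
    )],
    "exclusive": [parse_rule(WEB + r":blacklist www5:fqdn=^www5\.example\.com")],
}


def host(fqdn, objectclass="ipaHost"):
    """Constructed entry in the attribute-dict shape used above."""
    return {"objectclass": [objectclass], "fqdn": [fqdn]}


if __name__ == "__main__":
    for name in ("web3.example.com", "www5.example.com", "mail1.example.com",
                 "db1.example.com"):
        print(name, "->", target_groups(host(name), TESTRULE))
    print("user ->", target_groups(host("web3.example.com", "ipaUser"), TESTRULE))
```

Two things the run makes visible that the flat `Inclusive Regex:` line hides: the regexes in the message use an unescaped `.` before `example`, so `web1Xexample.com` would match too, and www5 falls through to the orphans group rather than simply being left alone, which is the sort of consequence an operator wants to see in the rule display.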
From: ayoung at redhat.com (Adam Young)
Date: Thu, 02 Jun 2011 12:28:18 -0400
Subject: [Freeipa-devel] [PATCH] 0232-scrollable-content-areas.patch
In-Reply-To: <4DE79CA5.6000702@redhat.com>
References: <4DE6EF4F.2060606@redhat.com> <4DE79A6F.8010707@redhat.com> <4DE79CA5.6000702@redhat.com>
Message-ID: <4DE7BA22.6030803@redhat.com>

On 06/02/2011 10:22 AM, Adam Young wrote:
> On 06/02/2011 10:13 AM, Adam Young wrote:
>> On 06/01/2011 10:02 PM, Adam Young wrote:
>>> Note that this patch does not yet deal with the add dialog for
>>> permissions, or other add dialogs, but contains code necessary to
>>> deal with it.
>> rebased
> Rebased again.

Now triggered on browser resize

-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-admiyo-0232-3-scrollable-content-areas.patch
Type: text/x-patch
Size: 96133 bytes

From dpal at redhat.com Thu Jun 2 17:00:20 2011
From: dpal at redhat.com (Dmitri Pal) Date: Thu, 02 Jun 2011 13:00:20 -0400 Subject: [Freeipa-devel] FreeIPA Auto Membership CLI In-Reply-To: References: Message-ID: <4DE7C1A4.50708@redhat.com> On 06/02/2011 11:39 AM, JR Aquino wrote: > I need feed back from the group regarding how we should present the output for Clarity, the 389 Directory Server Auto Membership Plugin... > > Currently, the output looks like this: > > ---=== EXAMPLE ===--- > [root at auth2 ~]# ipa clarityrule-show testrule --all > dn: cn=testrule,cn=automember,cn=etc,dc=expertcity,dc=com > Clarity Rule: testrule > Membership filter: objectclass=ipaHost > Default Group: cn=orphans,cn=hostgroups,cn=accounts,dc=expertcity,dc=com > Inclusive Regex: cn=webservers,cn=hostgroups,cn=accounts,dc=example,dc=com::fqdn=^web[1-9]+.example.com, cn=mailservers,cn=hostgroups,cn=accounts,dc=example,dc=com::fqdn=^mail[1-9]+.example.com, > cn=webservers,cn=hostgroups,cn=accounts,dc=example,dc=com::fqdn=^www[1-9]+.example.com > Exclusive Regex: cn=webservers,cn=hostgroups,cn=accounts,dc=example,dc=com:blacklist www5:fqdn=^www5\.example\.com > automembergroupingattr: member:dn > automemberscope: dc=expertcity,dc=com > objectclass: top, automemberdefinition > ---=== EXAMPLE ===--- > > Each rule in the definition object is broken down into 3 distinct parts: Group to modify, Description, Attribute + Regular Expression to match. > > As time progresses it will be likely that these rules could get long and visually unappealing. I would like to know how we might better represent this info. > > Perhaps a breakout with indentation for each unique group defined in each rule? 
>
> ---===SUGGESTION===---
> [root at auth2 ~]# ipa clarityrule-show testrule --all
> dn: cn=testrule,cn=automember,cn=etc,dc=expertcity,dc=com
> Clarity Rule: testrule
> Membership filter: objectclass=ipaHost
> Default Group: cn=orphans,cn=hostgroups,cn=accounts,dc=expertcity,dc=com
> Inclusive Regex:
>     cn=webservers,cn=hostgroups,cn=accounts,dc=example,dc=com
>         FrontEnd: fqdn=^web[1-9]+.example.com,
>         MainSite: fqdn=^www[1-9]+.example.com
>     cn=mailservers,cn=hostgroups,cn=accounts,dc=example,dc=com
>         SMTP: fqdn=^mail[1-9]+.example.com,
> Exclusive Regex:
>     cn=webservers,cn=hostgroups,cn=accounts,dc=example,dc=com
>         blacklist: www5:fqdn=^www5\.example\.com
> automembergroupingattr: member:dn
> automemberscope: dc=expertcity,dc=com
> objectclass: top, automemberdefinition
> ---===SUGGESTION===---
>

This presentation assumes that the description is not empty. In the general case it is not true, so I would suggest fixed labels even if the values would have duplicates.

Group: cn=webservers,cn=hostgroups,cn=accounts,dc=example,dc=com
Description:
Regex: fqdn=^web[1-9]+.example.com
-----
Group: cn=mailservers,cn=hostgroups,cn=accounts,dc=example,dc=com
Description:
Regex: fqdn=^mail[1-9]+.example.com
-----
Group: cn=webservers,cn=hostgroups,cn=accounts,dc=example,dc=com
Description:
Regex: fqdn=^www[1-9]+.example.com
-----

Keep the indent that you proposed, it looks OK with the indent.

> Using these rules, the Auto Membership Plugin monitors for insertions into the LDAP directory matching the Membership Filter; in this example, objectclass=ipaHost
>
> The object matching the filter is then compared against the exclusive rules to make sure there is not a marker which indicates the object should NOT be a member of a given group.
>
> Then the object is compared against the inclusive rules to determine if there is a match.
> If there is a match, the object is added to the group defined in the matching rule.
> If all rules are exhausted, the object is optionally added to the group defined by the Default Group attribute of the Definition.
>
> You can view the design document here for more details on how the rules are represented within the raw directory.
> http://directory.fedoraproject.org/wiki/Auto_Membership_Design
>
> ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
> Jr Aquino, GCIH | Information Security Specialist
> Citrix Online | 7408 Hollister Avenue | Goleta, CA 93117
> T: +1 805.690.3478
> jr.aquino at citrixonline.com
> http://www.citrixonline.com

--
Thank you,
Dmitri Pal

Sr. Engineering Manager IPA project,
Red Hat Inc.

-------------------------------
Looking to carve out IT costs?
www.redhat.com/carveoutcosts/
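The evaluation order JR describes above (membership filter, then exclusive rules, then inclusive rules, then the default group) carried through in code, as an added illustration; this is not code from the thread, from FreeIPA or from the 389 Auto Membership plugin. The rule-string parser follows the `group:description:attribute=regex` layout visible in the `ipa clarityrule-show` output, the host entries are constructed, and the decision to fall back to the default group whenever no group survives the exclusive rules is my reading of "if all rules are exhausted", not a statement of what the plugin does.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set

# Constructed stand-in for an LDAP entry: lower-cased attribute name -> list of values.
Entry = Dict[str, List[str]]


@dataclass(frozen=True)
class AutomemberRule:
    group: str         # DN of the group the rule adds members to
    description: str   # free text; empty in the inclusive rules quoted above
    attr: str          # entry attribute the regex is applied to
    regex: str         # regular expression matched against each value of attr


def parse_rule(text: str) -> AutomemberRule:
    """Parse 'group:description:attr=regex' (an empty description gives 'group::attr=regex').

    The split stops after two colons and one '=', so a regex containing ':' or '='
    stays intact; the group DN itself must not contain ':' (true for the DNs above).
    """
    group, description, rest = text.split(":", 2)
    attr, regex = rest.split("=", 1)
    return AutomemberRule(group.strip(), description.strip(), attr.strip().lower(), regex.strip())


@dataclass
class AutomemberDefinition:
    filter_attr: str                # "Membership filter" attribute, e.g. objectclass
    filter_value: str               # ... and the value it must carry, e.g. ipaHost
    default_group: Optional[str]    # "Default Group"; None means no fallback
    inclusive: List[AutomemberRule] = field(default_factory=list)
    exclusive: List[AutomemberRule] = field(default_factory=list)


def rule_matches(rule: AutomemberRule, entry: Entry) -> bool:
    """A rule matches when its regex matches any value of the named attribute."""
    return any(re.search(rule.regex, value) for value in entry.get(rule.attr, []))


def evaluate(definition: AutomemberDefinition, entry: Entry) -> Set[str]:
    """Return the set of group DNs the entry would be added to on insertion."""
    # 1. Only entries matching the membership filter are considered at all.
    values = {v.lower() for v in entry.get(definition.filter_attr.lower(), [])}
    if definition.filter_value.lower() not in values:
        return set()
    # 2. Exclusive rules mark groups the entry must NOT join, whatever the inclusive rules say.
    excluded = {r.group for r in definition.exclusive if rule_matches(r, entry)}
    # 3. Inclusive rules add the entry to their group unless that group was excluded.
    groups = {r.group for r in definition.inclusive
              if r.group not in excluded and rule_matches(r, entry)}
    # 4. Fallback to the default group (assumption: whenever no group survived steps 2-3).
    if not groups and definition.default_group:
        groups = {definition.default_group}
    return groups


# The testrule definition from the thread, re-entered here as constructed input.
WEBSERVERS = "cn=webservers,cn=hostgroups,cn=accounts,dc=example,dc=com"
MAILSERVERS = "cn=mailservers,cn=hostgroups,cn=accounts,dc=example,dc=com"
ORPHANS = "cn=orphans,cn=hostgroups,cn=accounts,dc=expertcity,dc=com"

TESTRULE = AutomemberDefinition(
    filter_attr="objectclass",
    filter_value="ipaHost",
    default_group=ORPHANS,
    inclusive=[parse_rule(s) for s in (
        WEBSERVERS + "::fqdn=^web[1-9]+.example.com",
        MAILSERVERS + "::fqdn=^mail[1-9]+.example.com",
        WEBSERVERS + "::fqdn=^www[1-9]+.example.com",
    )],
    exclusive=[parse_rule(WEBSERVERS + ":blacklist www5:fqdn=^www5\\.example\\.com")],
)


def host(fqdn: str) -> Entry:
    """Constructed ipaHost entry carrying only the attributes the rules look at."""
    return {"objectclass": ["top", "ipaHost"], "fqdn": [fqdn]}


if __name__ == "__main__":
    for name in ("web3.example.com", "mail2.example.com", "www5.example.com", "db1.example.com"):
        print(name, "->", sorted(evaluate(TESTRULE, host(name))))
```

One thing the run makes visible that the listing does not: the inclusive regexes in the example anchor the start of the value but not its end, and use an unescaped `.`, so any fqdn that merely begins with `web1.example.com` also lands in webservers. Rules that decide group membership, and therefore what a host is entitled to, are better written fully anchored with escaped dots, as the exclusive `blacklist www5` rule already is.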
From: ayoung at redhat.com (Adam Young)
Date: Thu, 02 Jun 2011 13:37:57 -0400
Subject: [Freeipa-devel] [PATCH] 0232-scrollable-content-areas.patch
In-Reply-To: <4DE7BA22.6030803@redhat.com>
References: <4DE6EF4F.2060606@redhat.com> <4DE79A6F.8010707@redhat.com> <4DE79CA5.6000702@redhat.com> <4DE7BA22.6030803@redhat.com>
Message-ID: <4DE7CA75.90401@redhat.com>

On 06/02/2011 12:28 PM, Adam Young wrote:
> On 06/02/2011 10:22 AM, Adam Young wrote:
>> On 06/02/2011 10:13 AM, Adam Young wrote:
>>> On 06/01/2011 10:02 PM, Adam Young wrote:
>>>> Note that this patch does not yet deal with the add dialog for permissions, or other add dialogs, but contains code necessary to deal with it.
>>> rebased
>> Rebased again.
> Now triggered on browser resize

Changes from IRC review

-------------- next part --------------
A non-text attachment was scrubbed... Name: freeipa-admiyo-0232-4-scrollable-content-areas.patch Type: text/x-patch Size: 95895 bytes
From: ayoung at redhat.com (Adam Young)
Date: Thu, 02 Jun 2011 14:32:39 -0400
Subject: [Freeipa-devel] [PATCH] 0232-scrollable-content-areas.patch
In-Reply-To: <4DE7CA75.90401@redhat.com>
References: <4DE6EF4F.2060606@redhat.com> <4DE79A6F.8010707@redhat.com> <4DE79CA5.6000702@redhat.com> <4DE7BA22.6030803@redhat.com> <4DE7CA75.90401@redhat.com>
Message-ID: <4DE7D747.9030305@redhat.com>

On 06/02/2011 01:37 PM, Adam Young wrote:
> On 06/02/2011 12:28 PM, Adam Young wrote:
>> On 06/02/2011 10:22 AM, Adam Young wrote:
>>> On 06/02/2011 10:13 AM, Adam Young wrote:
>>>> On 06/01/2011 10:02 PM, Adam Young wrote:
>>>>> Note that this patch does not yet deal with the add dialog for permissions, or other add dialogs, but contains code necessary to deal with it.
>>>> rebased
>>> Rebased again.
>> Now triggered on browser resize
> Changes from IRC review

JSL and minor bug fix. ACKed in IRC, pushed to master.
From: rcritten at redhat.com (Rob Crittenden)
Date: Thu, 02 Jun 2011 15:59:45 -0400
Subject: [Freeipa-devel] FreeIPA Auto Membership CLI
In-Reply-To: <4DE7C1A4.50708@redhat.com>
References: <4DE7C1A4.50708@redhat.com>
Message-ID: <4DE7EBB1.7090107@redhat.com>

Dmitri Pal wrote:
> On 06/02/2011 11:39 AM, JR Aquino wrote:
>> I need feedback from the group regarding how we should present the output for Clarity, the 389 Directory Server Auto Membership Plugin...
>>
>> Currently, the output looks like this:
>>
>> ---=== EXAMPLE ===---
>> [root at auth2 ~]# ipa clarityrule-show testrule --all
>> dn: cn=testrule,cn=automember,cn=etc,dc=expertcity,dc=com
>> Clarity Rule: testrule
>> Membership filter: objectclass=ipaHost
>> Default Group: cn=orphans,cn=hostgroups,cn=accounts,dc=expertcity,dc=com
>> Inclusive Regex: cn=webservers,cn=hostgroups,cn=accounts,dc=example,dc=com::fqdn=^web[1-9]+.example.com, cn=mailservers,cn=hostgroups,cn=accounts,dc=example,dc=com::fqdn=^mail[1-9]+.example.com, cn=webservers,cn=hostgroups,cn=accounts,dc=example,dc=com::fqdn=^www[1-9]+.example.com
>> Exclusive Regex: cn=webservers,cn=hostgroups,cn=accounts,dc=example,dc=com:blacklist www5:fqdn=^www5\.example\.com
>> automembergroupingattr: member:dn
>> automemberscope: dc=expertcity,dc=com
>> objectclass: top, automemberdefinition
>> ---=== EXAMPLE ===---
>>
>> Each rule in the definition object is broken down into 3 distinct parts: Group to modify, Description, Attribute + Regular Expression to match.
>>
>> As time progresses it will be likely that these rules could get long and visually unappealing. I would like to know how we might better represent this info.
>>
>> Perhaps a breakout with indentation for each unique group defined in each rule?
>>
>> ---===SUGGESTION===---
>> [root at auth2 ~]# ipa clarityrule-show testrule --all
>> dn: cn=testrule,cn=automember,cn=etc,dc=expertcity,dc=com
>> Clarity Rule: testrule
>> Membership filter: objectclass=ipaHost
>> Default Group: cn=orphans,cn=hostgroups,cn=accounts,dc=expertcity,dc=com
>> Inclusive Regex:
>>     cn=webservers,cn=hostgroups,cn=accounts,dc=example,dc=com
>>         FrontEnd: fqdn=^web[1-9]+.example.com,
>>         MainSite: fqdn=^www[1-9]+.example.com
>>     cn=mailservers,cn=hostgroups,cn=accounts,dc=example,dc=com
>>         SMTP: fqdn=^mail[1-9]+.example.com,
>> Exclusive Regex:
>>     cn=webservers,cn=hostgroups,cn=accounts,dc=example,dc=com
>>         blacklist: www5:fqdn=^www5\.example\.com
>> automembergroupingattr: member:dn
>> automemberscope: dc=expertcity,dc=com
>> objectclass: top, automemberdefinition
>> ---===SUGGESTION===---
>>
>
> This presentation assumes that the description is not empty. In the general case it is not true, so I would suggest fixed labels even if the values would have duplicates.
>
> Group: cn=webservers,cn=hostgroups,cn=accounts,dc=example,dc=com
> Description:
> Regex: fqdn=^web[1-9]+.example.com
> -----
> Group: cn=mailservers,cn=hostgroups,cn=accounts,dc=example,dc=com
> Description:
> Regex: fqdn=^mail[1-9]+.example.com
> -----
> Group: cn=webservers,cn=hostgroups,cn=accounts,dc=example,dc=com
> Description:
> Regex: fqdn=^www[1-9]+.example.com
> -----
>
> Keep the indent that you proposed, it looks OK with the indent.

Just note that the code that does the rendering is extremely simplistic, so control over indentation may require a fair bit of work. I think indentation is handled via nesting, so returning data as lists of lists may do the trick.

That or you are going to have to override output_for_cli() and do all the output manually, but that should be a last resort.

rob
From: dpal at redhat.com (Dmitri Pal)
Date: Thu, 02 Jun 2011 16:51:47 -0400
Subject: [Freeipa-devel] FreeIPA Auto Membership CLI
In-Reply-To: <4DE7EBB1.7090107@redhat.com>
References: <4DE7C1A4.50708@redhat.com> <4DE7EBB1.7090107@redhat.com>
Message-ID: <4DE7F7E3.605@redhat.com>

On 06/02/2011 03:59 PM, Rob Crittenden wrote:
> Dmitri Pal wrote:
>> On 06/02/2011 11:39 AM, JR Aquino wrote:
>>> I need feedback from the group regarding how we should present the output for Clarity, the 389 Directory Server Auto Membership Plugin...
>>>
>>> Currently, the output looks like this:
>>>
>>> ---=== EXAMPLE ===---
>>> [root at auth2 ~]# ipa clarityrule-show testrule --all
>>> dn: cn=testrule,cn=automember,cn=etc,dc=expertcity,dc=com
>>> Clarity Rule: testrule
>>> Membership filter: objectclass=ipaHost
>>> Default Group: cn=orphans,cn=hostgroups,cn=accounts,dc=expertcity,dc=com
>>> Inclusive Regex: cn=webservers,cn=hostgroups,cn=accounts,dc=example,dc=com::fqdn=^web[1-9]+.example.com, cn=mailservers,cn=hostgroups,cn=accounts,dc=example,dc=com::fqdn=^mail[1-9]+.example.com, cn=webservers,cn=hostgroups,cn=accounts,dc=example,dc=com::fqdn=^www[1-9]+.example.com
>>> Exclusive Regex: cn=webservers,cn=hostgroups,cn=accounts,dc=example,dc=com:blacklist www5:fqdn=^www5\.example\.com
>>> automembergroupingattr: member:dn
>>> automemberscope: dc=expertcity,dc=com
>>> objectclass: top, automemberdefinition
>>> ---=== EXAMPLE ===---
>>>
>>> Each rule in the definition object is broken down into 3 distinct parts: Group to modify, Description, Attribute + Regular Expression to match.
>>>
>>> As time progresses it will be likely that these rules could get long and visually unappealing. I would like to know how we might better represent this info.
>>>
>>> Perhaps a breakout with indentation for each unique group defined in each rule?
>>>
>>> ---===SUGGESTION===---
>>> [root at auth2 ~]# ipa clarityrule-show testrule --all
>>> dn: cn=testrule,cn=automember,cn=etc,dc=expertcity,dc=com
>>> Clarity Rule: testrule
>>> Membership filter: objectclass=ipaHost
>>> Default Group: cn=orphans,cn=hostgroups,cn=accounts,dc=expertcity,dc=com
>>> Inclusive Regex:
>>>     cn=webservers,cn=hostgroups,cn=accounts,dc=example,dc=com
>>>         FrontEnd: fqdn=^web[1-9]+.example.com,
>>>         MainSite: fqdn=^www[1-9]+.example.com
>>>     cn=mailservers,cn=hostgroups,cn=accounts,dc=example,dc=com
>>>         SMTP: fqdn=^mail[1-9]+.example.com,
>>> Exclusive Regex:
>>>     cn=webservers,cn=hostgroups,cn=accounts,dc=example,dc=com
>>>         blacklist: www5:fqdn=^www5\.example\.com
>>> automembergroupingattr: member:dn
>>> automemberscope: dc=expertcity,dc=com
>>> objectclass: top, automemberdefinition
>>> ---===SUGGESTION===---
>>>
>>
>> This presentation assumes that the description is not empty. In the general case it is not true, so I would suggest fixed labels even if the values would have duplicates.
>>
>> Group: cn=webservers,cn=hostgroups,cn=accounts,dc=example,dc=com
>> Description:
>> Regex: fqdn=^web[1-9]+.example.com
>> -----
>> Group: cn=mailservers,cn=hostgroups,cn=accounts,dc=example,dc=com
>> Description:
>> Regex: fqdn=^mail[1-9]+.example.com
>> -----
>> Group: cn=webservers,cn=hostgroups,cn=accounts,dc=example,dc=com
>> Description:
>> Regex: fqdn=^www[1-9]+.example.com
>> -----
>>
>> Keep the indent that you proposed, it looks OK with the indent.
>
> Just note that the code that does the rendering is extremely simplistic, so control over indentation may require a fair bit of work. I think indentation is handled via nesting, so returning data as lists of lists may do the trick.
>
> That or you are going to have to override output_for_cli() and do all the output manually, but that should be a last resort.

Yeah, please do not make it more complex than needed. Creating a nested list and letting it render is probably the right approach.
>
> rob

--
Thank you,
Dmitri Pal

Sr. Engineering Manager IPA project,
Red Hat Inc.

-------------------------------
Looking to carve out IT costs?
www.redhat.com/carveoutcosts/

From: edewata at redhat.com (Endi Sukma Dewata)
Date: Thu, 02 Jun 2011 17:23:34 -0500
Subject: [Freeipa-devel] [PATCH] 171 Temporary fix for indirect member tabs.
Message-ID: <4DE80D66.7000904@redhat.com>

Since the group-show command doesn't return indirect members, the tabs for a group's indirect members have been reverted to call user-find with the --in-groups parameter to get the entries.

However, this is only a temporary solution since the user-find command returns both direct and indirect members (ticket #1273).

The Selenium test for groups has been modified to test nested groups and verify indirect members. The verification currently will fail due to the above issue.

--
Endi S. Dewata

-------------- next part --------------
A non-text attachment was scrubbed... Name: freeipa-edewata-0171-Temporary-fix-for-indirect-member-tabs.patch Type: text/x-patch Size: 22567 bytes
From: JR.Aquino at citrix.com (JR Aquino)
Date: Thu, 2 Jun 2011 22:23:59 +0000
Subject: [Freeipa-devel] FreeIPA Auto Membership CLI
In-Reply-To: <4DE7EBB1.7090107@redhat.com>
References: <4DE7C1A4.50708@redhat.com> <4DE7EBB1.7090107@redhat.com>

On Jun 2, 2011, at 12:59 PM, Rob Crittenden wrote:
> Dmitri Pal wrote:
>> On 06/02/2011 11:39 AM, JR Aquino wrote:
>>> I need feedback from the group regarding how we should present the output for Clarity, the 389 Directory Server Auto Membership Plugin...
>>>
>>> Currently, the output looks like this:
>>>
>>> ---=== EXAMPLE ===---
>>> [root at auth2 ~]# ipa clarityrule-show testrule --all
>>> dn: cn=testrule,cn=automember,cn=etc,dc=expertcity,dc=com
>>> Clarity Rule: testrule
>>> Membership filter: objectclass=ipaHost
>>> Default Group: cn=orphans,cn=hostgroups,cn=accounts,dc=expertcity,dc=com
>>> Inclusive Regex: cn=webservers,cn=hostgroups,cn=accounts,dc=example,dc=com::fqdn=^web[1-9]+.example.com, cn=mailservers,cn=hostgroups,cn=accounts,dc=example,dc=com::fqdn=^mail[1-9]+.example.com, cn=webservers,cn=hostgroups,cn=accounts,dc=example,dc=com::fqdn=^www[1-9]+.example.com
>>> Exclusive Regex: cn=webservers,cn=hostgroups,cn=accounts,dc=example,dc=com:blacklist www5:fqdn=^www5\.example\.com
>>> automembergroupingattr: member:dn
>>> automemberscope: dc=expertcity,dc=com
>>> objectclass: top, automemberdefinition
>>> ---=== EXAMPLE ===---
>>>
>>> Each rule in the definition object is broken down into 3 distinct parts: Group to modify, Description, Attribute + Regular Expression to match.
>>>
>>> As time progresses it will be likely that these rules could get long and visually unappealing. I would like to know how we might better represent this info.
>>>
>>> Perhaps a breakout with indentation for each unique group defined in each rule?
>>>
>>> ---===SUGGESTION===---
>>> [root at auth2 ~]# ipa clarityrule-show testrule --all
>>> dn: cn=testrule,cn=automember,cn=etc,dc=expertcity,dc=com
>>> Clarity Rule: testrule
>>> Membership filter: objectclass=ipaHost
>>> Default Group: cn=orphans,cn=hostgroups,cn=accounts,dc=expertcity,dc=com
>>> Inclusive Regex:
>>>     cn=webservers,cn=hostgroups,cn=accounts,dc=example,dc=com
>>>         FrontEnd: fqdn=^web[1-9]+.example.com,
>>>         MainSite: fqdn=^www[1-9]+.example.com
>>>     cn=mailservers,cn=hostgroups,cn=accounts,dc=example,dc=com
>>>         SMTP: fqdn=^mail[1-9]+.example.com,
>>> Exclusive Regex:
>>>     cn=webservers,cn=hostgroups,cn=accounts,dc=example,dc=com
>>>         blacklist: www5:fqdn=^www5\.example\.com
>>> automembergroupingattr: member:dn
>>> automemberscope: dc=expertcity,dc=com
>>> objectclass: top, automemberdefinition
>>> ---===SUGGESTION===---
>>>
>>
>> This presentation assumes that the description is not empty. In the general case it is not true, so I would suggest fixed labels even if the values would have duplicates.
>>
>> Group: cn=webservers,cn=hostgroups,cn=accounts,dc=example,dc=com
>> Description:
>> Regex: fqdn=^web[1-9]+.example.com
>> -----
>> Group: cn=mailservers,cn=hostgroups,cn=accounts,dc=example,dc=com
>> Description:
>> Regex: fqdn=^mail[1-9]+.example.com
>> -----
>> Group: cn=webservers,cn=hostgroups,cn=accounts,dc=example,dc=com
>> Description:
>> Regex: fqdn=^www[1-9]+.example.com
>> -----
>>
>> Keep the indent that you proposed, it looks OK with the indent.
>
> Just note that the code that does the rendering is extremely simplistic, so control over indentation may require a fair bit of work. I think indentation is handled via nesting, so returning data as lists of lists may do the trick.

Excellent! That is really good to know! I was worried I'd have to override output_for_cli(). I'll repost once I have the suggested layout implemented.

Thanks guys!
>
> That or you are going to have to override output_for_cli() and do all the output manually, but that should be a last resort.
>
> rob

From: ayoung at redhat.com (Adam Young)
Date: Thu, 02 Jun 2011 20:12:59 -0400
Subject: [Freeipa-devel] [PATCH] 171 Temporary fix for indirect member tabs.
In-Reply-To: <4DE80D66.7000904@redhat.com>
References: <4DE80D66.7000904@redhat.com>
Message-ID: <4DE8270B.2050405@redhat.com>

On 06/02/2011 06:23 PM, Endi Sukma Dewata wrote:
> Since the group-show command doesn't return indirect members, the tabs for a group's indirect members have been reverted to call user-find with the --in-groups parameter to get the entries.
>
> However, this is only a temporary solution since the user-find command returns both direct and indirect members (ticket #1273).
>
> The Selenium test for groups has been modified to test nested groups and verify indirect members. The verification currently will fail due to the above issue.

ACK. Pushed to master
From: mkosek at redhat.com (Martin Kosek)
Date: Fri, 03 Jun 2011 10:28:52 +0200
Subject: [Freeipa-devel] [PATCH] 788 remove automountinformation from automount dns
In-Reply-To: <4DDAA9A7.6050302@redhat.com>
References: <4DDAA9A7.6050302@redhat.com>
Message-ID: <1307089734.12835.7.camel@dhcp-25-52.brq.redhat.com>

On Mon, 2011-05-23 at 14:38 -0400, Rob Crittenden wrote:
> In an attempt to support multiple direct maps we always included the automountinformation in the key dn. This makes showing keys impossible, a bit of a catch-22. You want to get the mount info but to get it you need the mount info.
>
> This patch drops requiring automountinfo but if provided it'll use it to make the dn. This way we can have backwards compatibility for any existing maps but going forward only direct maps will have the info in it.
>
> --key is still required when dealing with keys, no way around that without doing a major API change, migrating data, etc.
>
> ticket 1229
>
> rob

I tested this patch and from the CLI perspective it makes things better. I think it is our best bet if we want to avoid major API changes and migration nightmares.

I have only a few minor issues regarding the patch:

1) API minor version has been bumped since this patch was out, it needs a rebase

2) check_key_uniqueness function needs to be fixed so that it doesn't search only for key/info DNs. Otherwise, it doesn't detect some duplicates, which leads to inconvenient errors. For example when a duplicate indirect map is added:

# ipa automountkey-find default auto.master
Key: /-
Mount information: auto.direct
Key: /usr/share
Mount information: auto.share

# ipa automountkey-add default auto.master --key=/usr/share --info=auto.share2
ipa: ERROR: key named auto.master already exists

Martin
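The duplicate that Martin's point 2 describes, shown as an added example that is not FreeIPA's `check_key_uniqueness` or any code from the patch. The first predicate looks only for an entry with the same key and the same mount information (the key/info pair Rob's patch builds the DN from), so `/usr/share` with a second `--info` value slips through; the second treats an indirect key as unique on its own and keeps the key+info comparison only for the direct-map key `/-`, which is the case the composite DN exists for. The map contents are constructed from the `automountkey-find` output above, and the `/-` special-casing is my reading of the thread, not a statement of what the patch does.

```python
from typing import Iterable, List, Tuple

# (automountkey, automountinformation) pairs; constructed from the auto.master listing above.
AUTO_MASTER: List[Tuple[str, str]] = [
    ("/-", "auto.direct"),
    ("/usr/share", "auto.share"),
]

DIRECT_MAP_KEY = "/-"   # every direct map uses this key, so only the mount information tells them apart


def key_info_id(key: str, info: str) -> str:
    """Composite 'key info' identifier, a stand-in for the DN built from key and mount information."""
    return f"{key} {info}"


def is_unique_by_key_info(existing: Iterable[Tuple[str, str]], key: str, info: str) -> bool:
    """Defective check: only an entry with the identical key/info identifier counts as a duplicate,
    so the same indirect key with different mount information is not detected."""
    wanted = key_info_id(key, info)
    return all(key_info_id(k, i) != wanted for k, i in existing)


def is_unique(existing: Iterable[Tuple[str, str]], key: str, info: str) -> bool:
    """Corrected check: an indirect key may appear once per map whatever its mount information;
    direct maps (key '/-') are told apart by key+info, so several are allowed (assumption)."""
    entries = list(existing)
    if key == DIRECT_MAP_KEY:
        return all(not (k == key and i == info) for k, i in entries)
    return all(k != key for k, _ in entries)


def add_key(existing: List[Tuple[str, str]], key: str, info: str, check=is_unique) -> List[Tuple[str, str]]:
    """Return the map with the key appended, refusing duplicates and naming the offending key."""
    if not check(existing, key, info):
        raise ValueError(f"key named {key} already exists")
    return existing + [(key, info)]


if __name__ == "__main__":
    for fn in (is_unique_by_key_info, is_unique):
        print(fn.__name__, "/usr/share auto.share2 ->", fn(AUTO_MASTER, "/usr/share", "auto.share2"))
```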
From: mkosek at redhat.com (Martin Kosek)
Date: Fri, 03 Jun 2011 14:42:49 +0200
Subject: [Freeipa-devel] [PATCH] 075 Add ignore lists to migrate-ds command
Message-ID: <1307104970.12835.12.camel@dhcp-25-52.brq.redhat.com>

How to test:
1) Create a custom DS instance with for example the 60radius.ldif schema present (as in the original report in ticket #1266)
2) Populate DS with users/groups with a custom unsupported object class/attribute
3) Try to migrate these users and groups to IPAv2. Only the enhanced migrate-ds command should be successful:

# ipa migrate-ds ldap://vm-102.idm.lab.bos.redhat.com:389 --schema=RFC2307 --user-objectclass=posixAccount --group-objectclass=posixgroup --user-container='ou=People' --group-container='cn=Accounting Managers,ou=Groups' --user-ignore-objectclass=radiusprofile,radiusclientprofile --user-ignore-attribute=radiusclientsecret,radiusclientipaddress

---

When a user migrates users/groups from an old DS instance, the migration may fail on unsupported object classes and/or relevant LDAP object attributes. This patch implements support for object class and attribute ignore lists that can be used to suppress these migration issues.

Additionally, a redundant "dev/null" file is removed from the git repo (originally added in 26b0e8fc9809a4cd9f2f9a2281f0894e2e0f8db2).

https://fedorahosted.org/freeipa/ticket/1266

-------------- next part --------------
A non-text attachment was scrubbed... Name: freeipa-mkosek-075-add-ignore-lists-to-migrate-ds-command.patch Type: text/x-patch Size: 10401 bytes
-------------- next part --------------
A non-text attachment was scrubbed... Name: 1266_repro_data.ldif Type: text/x-ldif Size: 3405 bytes
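What the two ignore lists do to a migrated entry, as an added example rather than code from the patch or from `migrate-ds`. A legacy user entry (constructed, carrying the radius object classes and attributes named in the test command above) is checked against a small constructed stand-in for the target server's schema. Without both lists the entry is rejected: first for the unknown object classes and, once those are ignored, for the attributes only those classes permitted, which is why `--user-ignore-objectclass` and `--user-ignore-attribute` are used together. Dropping `radiusclientsecret` at migration time also keeps a shared secret from being copied into the new directory.

```python
from typing import Dict, Iterable, List, Set

# Constructed stand-in for the target server's schema: object class -> attributes it permits.
# Not the real IPA/389 schema, just enough of it for the example.
TARGET_SCHEMA: Dict[str, Set[str]] = {
    "top": set(),
    "person": {"cn", "sn", "userpassword", "description"},
    "organizationalperson": set(),
    "inetorgperson": {"uid", "mail", "givenname", "displayname"},
    "posixaccount": {"uid", "uidnumber", "gidnumber", "homedirectory", "loginshell", "gecos"},
}

Entry = Dict[str, List[str]]   # attribute name -> values, as read from the old DS


class MigrationError(Exception):
    """Raised where the real migration would fail on a schema violation."""


def migrate_user(entry: Entry, ignore_objectclass: Iterable[str] = (),
                 ignore_attribute: Iterable[str] = ()) -> Entry:
    """Apply the ignore lists, then validate the remaining entry against TARGET_SCHEMA."""
    ignore_oc = {v.lower() for v in ignore_objectclass}
    ignore_at = {v.lower() for v in ignore_attribute}

    cleaned: Entry = {}
    for attr, values in entry.items():
        name = attr.lower()
        if name in ignore_at:
            continue                                    # --user-ignore-attribute
        if name == "objectclass":
            values = [v for v in values if v.lower() not in ignore_oc]   # --user-ignore-objectclass
        cleaned[name] = list(values)

    present = {v.lower() for v in cleaned.get("objectclass", [])}
    unknown = present - set(TARGET_SCHEMA)
    if unknown:
        raise MigrationError("unsupported object class(es): " + ", ".join(sorted(unknown)))

    allowed = {"objectclass"}.union(*(TARGET_SCHEMA[oc] for oc in present))
    stray = set(cleaned) - allowed
    if stray:
        raise MigrationError("attribute(s) not permitted by remaining object classes: "
                             + ", ".join(sorted(stray)))
    return cleaned


def migration_fails(entry: Entry, **options) -> bool:
    """True when migrate_user rejects the entry with the given options."""
    try:
        migrate_user(entry, **options)
    except MigrationError:
        return True
    return False


# Constructed legacy entry; the radius values are placeholders, not real configuration.
LEGACY_USER: Entry = {
    "objectClass": ["top", "person", "organizationalPerson", "inetOrgPerson",
                    "posixAccount", "radiusprofile", "radiusclientprofile"],
    "uid": ["jdoe"],
    "cn": ["John Doe"],
    "sn": ["Doe"],
    "uidNumber": ["1001"],
    "gidNumber": ["1001"],
    "homeDirectory": ["/home/jdoe"],
    "loginShell": ["/bin/bash"],
    "radiusclientsecret": ["placeholder-shared-secret"],
    "radiusclientipaddress": ["192.0.2.10"],
}

# The two lists exactly as passed on the migrate-ds command line above.
RADIUS_OBJECTCLASSES = ("radiusprofile", "radiusclientprofile")
RADIUS_ATTRIBUTES = ("radiusclientsecret", "radiusclientipaddress")


if __name__ == "__main__":
    for opts in ({}, {"ignore_objectclass": RADIUS_OBJECTCLASSES},
                 {"ignore_objectclass": RADIUS_OBJECTCLASSES, "ignore_attribute": RADIUS_ATTRIBUTES}):
        try:
            print(sorted(migrate_user(LEGACY_USER, **opts)))
        except MigrationError as exc:
            print("rejected:", exc)
```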
From: ayoung at redhat.com (Adam Young)
Date: Fri, 03 Jun 2011 11:36:28 -0400
Subject: [Freeipa-devel] [PATCH] 0233-dialog-scrolling-table
Message-ID: <4DE8FF7C.6000808@redhat.com>

Fixes an artifact created by yesterday's scrolling table patch.

-------------- next part --------------
A non-text attachment was scrubbed... Name: freeipa-admiyo-0233-dialog-scrolling-table.patch Type: text/x-patch Size: 3165 bytes

From: ayoung at redhat.com (Adam Young)
Date: Fri, 03 Jun 2011 12:15:18 -0400
Subject: [Freeipa-devel] [PATCH] 0233-dialog-scrolling-table
In-Reply-To: <4DE8FF7C.6000808@redhat.com>
References: <4DE8FF7C.6000808@redhat.com>
Message-ID: <4DE90896.8040603@redhat.com>

On 06/03/2011 11:36 AM, Adam Young wrote:
> Fixes an artifact created by yesterday's scrolling table patch.

self NACK, just thought of a cleaner implementation.
From: ayoung at redhat.com (Adam Young)
Date: Fri, 03 Jun 2011 13:41:00 -0400
Subject: [Freeipa-devel] [PATCH] 0233-dialog-scrolling-table
In-Reply-To: <4DE90896.8040603@redhat.com>
References: <4DE8FF7C.6000808@redhat.com> <4DE90896.8040603@redhat.com>
Message-ID: <4DE91CAC.2020409@redhat.com>

On 06/03/2011 12:15 PM, Adam Young wrote:
> On 06/03/2011 11:36 AM, Adam Young wrote:
>> Fixes an artifact created by yesterday's scrolling table patch.
> self NACK, just thought of a cleaner implementation.

This is a little simpler.

-------------- next part --------------
A non-text attachment was scrubbed... Name: freeipa-admiyo-0233-1-dialog-scrolling-table.patch Type: text/x-patch Size: 3165 bytes
From: gsr at redhat.com (Gowrishankar Rajaiyan)
Date: Sat, 04 Jun 2011 00:41:40 +0530
Subject: [Freeipa-devel] IPA Sudo queries.
Message-ID: <4DE931EC.4050908@redhat.com>

Hi All,

1. While adding a runasgroup I see its entry in its ipaUniqueID dn, however I do not see it in "dn: cn=sudorule1" as it does when adding a group using "ipa sudorule-add-runasuser rulename --groups=group1". Not sure if this is as designed.

[root at bumblebee ipa-sudo]# ipa sudorule-add-runasgroup sudorule1 --groups=group2
Rule name: sudorule1
Enabled: TRUE
Sudo Deny Commands: /bin/ls
Run As Group: group2
-------------------------
Number of members added 1
-------------------------

dn: ipaUniqueID=78c97b54-8d01-11e0-b6e8-525400deab7b,cn=sudorules,cn=sudo,dc=lab,dc=eng,dc=pnq,dc=redhat,dc=com
objectClass: ipaassociation
objectClass: ipasudorule
ipaEnabledFlag: TRUE
cn: sudorule1
ipaUniqueID: 78c97b54-8d01-11e0-b6e8-525400deab7b
memberDenyCmd: sudocmd=/bin/ls,cn=sudocmds,cn=sudo,dc=lab,dc=eng,dc=pnq,dc=redhat,dc=com
ipaSudoRunAs: cn=group1,cn=groups,cn=accounts,dc=lab,dc=eng,dc=pnq,dc=redhat,dc=com
ipaSudoRunAsExtUser: test
ipaSudoRunAsGroup: cn=group2,cn=groups,cn=accounts,dc=lab,dc=eng,dc=pnq,dc=redhat,dc=com   <-----

# sudorule1, sudoers, lab.eng.pnq.redhat.com
dn: cn=sudorule1,ou=sudoers,dc=lab,dc=eng,dc=pnq,dc=redhat,dc=com
objectClass: sudoRole
objectClass: extensibleObject
objectClass: top
sudoCommand: !/bin/ls
sudorunasuser: test
sudorunasuser: %group1
sudorunasgroup: group1   <---- added as "ipa sudorule-add-runasuser sudorule1 --groups=group1"
{{{sudorunasgroup: group2}}}   <------- expected here
cn: sudorule1

2. Also, I would like to know the difference between the following 2 commands:

Command 1: ipa sudorule-add-runasuser --groups=LIST (comma-separated list of groups to add)

# ipa help sudorule-add-runasuser
Purpose: Add user for Sudo to execute as.
[...]
--users=LIST comma-separated list of users to add
--groups=LIST comma-separated list of groups to add

Command 2: ipa sudorule-add-runasgroup --groups=LIST (comma-separated list of groups to add)

I see the following in DS after using these commands:

1. # ipa sudorule-add-runasuser rule1 --users=user1 --groups=group1
Rule name: rule1
Enabled: TRUE
RunAs External User: user1
-------------------------
Number of members added 2
-------------------------

In DS:

# rule1, sudoers, lab.eng.pnq.redhat.com
dn: cn=rule1,ou=sudoers,dc=lab,dc=eng,dc=pnq,dc=redhat,dc=com
objectClass: sudoRole
objectClass: extensibleObject
objectClass: top
sudorunasuser: user1   <------
sudorunasuser: %group1
sudorunasgroup: group1   <------
cn: rule1

# 30f45cc8-8e40-11e0-bdf9-525400deab7b, sudorules, sudo, lab.eng.pnq.redhat.com
dn: ipaUniqueID=30f45cc8-8e40-11e0-bdf9-525400deab7b,cn=sudorules,cn=sudo,dc=lab,dc=eng,dc=pnq,dc=redhat,dc=com
objectClass: ipaassociation
objectClass: ipasudorule
ipaEnabledFlag: TRUE
cn: rule1
ipaUniqueID: 30f45cc8-8e40-11e0-bdf9-525400deab7b
ipaSudoRunAs: cn=group1,cn=groups,cn=accounts,dc=lab,dc=eng,dc=pnq,dc=redhat,dc=com
ipaSudoRunAsExtUser: user1

2.
# ipa sudorule-add-runasgroup rule1 --groups=group2
Rule name: rule1
Enabled: TRUE
Run As Group: group2
-------------------------
Number of members added 1
-------------------------

In DS: No group2 in cn=rule1

# rule1, sudoers, lab.eng.pnq.redhat.com
dn: cn=rule1,ou=sudoers,dc=lab,dc=eng,dc=pnq,dc=redhat,dc=com
objectClass: sudoRole
objectClass: extensibleObject
objectClass: top
sudorunasuser: user1
sudorunasuser: %group1
sudorunasgroup: group1
cn: rule1

# 30f45cc8-8e40-11e0-bdf9-525400deab7b, sudorules, sudo, lab.eng.pnq.redhat.com
dn: ipaUniqueID=30f45cc8-8e40-11e0-bdf9-525400deab7b,cn=sudorules,cn=sudo,dc=lab,dc=eng,dc=pnq,dc=redhat,dc=com
objectClass: ipaassociation
objectClass: ipasudorule
ipaEnabledFlag: TRUE
cn: rule1
ipaUniqueID: 30f45cc8-8e40-11e0-bdf9-525400deab7b
ipaSudoRunAs: cn=group1,cn=groups,cn=accounts,dc=lab,dc=eng,dc=pnq,dc=redhat,dc=com   <---
ipaSudoRunAsExtUser: user1
ipaSudoRunAsGroup: cn=group2,cn=groups,cn=accounts,dc=lab,dc=eng,dc=pnq,dc=redhat,dc=com   <----

3. Should a normal user be given privileges to view all the sudorules and their details??? I do not think this is necessary except for host principals and admin users. Please comment.
~]$ klist
Ticket cache: FILE:/tmp/krb5cc_1179400003
Default principal: shanks at LAB.ENG.PNQ.REDHAT.COM

Valid starting     Expires            Service principal
06/03/11 09:34:33  06/04/11 09:34:28  krbtgt/LAB.ENG.PNQ.REDHAT.COM at LAB.ENG.PNQ.REDHAT.COM
06/03/11 09:34:37  06/04/11 09:34:28  HTTP/bumblebee.lab.eng.pnq.redhat.com at LAB.ENG.PNQ.REDHAT.COM

~]$ ipa sudorule-find --all
dn: ipauniqueid=78c97b54-8d01-11e0-b6e8-525400deab7b,cn=sudorules,cn=sudo,dc=lab,dc=eng,dc=pnq,dc=redhat,dc=com
Rule name: sudorule1
Enabled: TRUE
Sudo Deny Commands: /bin/ls
Run As Group: group2, group1
RunAs External User: test, test1
ipasudoopt: env_keep = LANG LC_ADDRESS LC_CTYPE LC_COLLATE LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES LC_MONETARY LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE LC_TIME LC_ALL LANGUAGE LINGUAS XDG_SESSION_COOKIE
ipauniqueid: 78c97b54-8d01-11e0-b6e8-525400deab7b
objectclass: ipaassociation, ipasudorule

--
Regards,
Shanks

Looking to carve out IT costs?
www.redhat.com/carveoutcosts/

From: edewata at redhat.com (Endi Sukma Dewata)
Date: Fri, 03 Jun 2011 14:18:39 -0500
Subject: [Freeipa-devel] [PATCH] 172 Fixed blank dialog box on internal error.
Message-ID: <4DE9338F.3050902@redhat.com>

Previously when an internal error occurs on the server the UI will display a blank error dialog box. To fix the problem the string message thrown by Ajax has been converted into an object containing the error message.

Ticket #1280

--
Endi S. Dewata

-------------- next part --------------
A non-text attachment was scrubbed... Name: freeipa-edewata-0172-Fixed-blank-dialog-box-on-internal-error.patch Type: text/x-patch Size: 2773 bytes
From: ayoung at redhat.com (Adam Young)
Date: Fri, 03 Jun 2011 15:24:05 -0400
Subject: [Freeipa-devel] [PATCH] 0233-dialog-scrolling-table
In-Reply-To: <4DE91CAC.2020409@redhat.com>
References: <4DE8FF7C.6000808@redhat.com> <4DE90896.8040603@redhat.com> <4DE91CAC.2020409@redhat.com>
Message-ID: <4DE934D5.70902@redhat.com>

On 06/03/2011 01:41 PM, Adam Young wrote:
> On 06/03/2011 12:15 PM, Adam Young wrote:
>> On 06/03/2011 11:36 AM, Adam Young wrote:
>>> Fixes an artifact created by yesterday's scrolling table patch.
>>
>> self NACK, just thought of a cleaner implementation.
>
> This is a little simpler.

Fixed critique from IRC

-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-admiyo-0233-2-dialog-scrolling-table.patch
Type: text/x-patch
Size: 3709 bytes
Desc: not available
URL:

From: ayoung at redhat.com (Adam Young)
Date: Fri, 03 Jun 2011 15:25:53 -0400
Subject: [Freeipa-devel] [PATCH] 0233-dialog-scrolling-table
In-Reply-To: <4DE934D5.70902@redhat.com>
References: <4DE8FF7C.6000808@redhat.com> <4DE90896.8040603@redhat.com> <4DE91CAC.2020409@redhat.com> <4DE934D5.70902@redhat.com>
Message-ID: <4DE93541.5050608@redhat.com>

On 06/03/2011 03:24 PM, Adam Young wrote:
> On 06/03/2011 01:41 PM, Adam Young wrote:
>> On 06/03/2011 12:15 PM, Adam Young wrote:
>>> On 06/03/2011 11:36 AM, Adam Young wrote:
>>>> Fixes an artifact created by yesterday's scrolling table patch.
>>>
>>> self NACK, just thought of a cleaner implementation.
>>
>> This is a little simpler.
>
> Fixed critique from IRC

Missed some changes

-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-admiyo-0233-3-dialog-scrolling-table.patch
Type: text/x-patch
Size: 3588 bytes
Desc: not available
URL:

From: ayoung at redhat.com (Adam Young)
Date: Fri, 03 Jun 2011 15:47:47 -0400
Subject: [Freeipa-devel] [PATCH] 0233-dialog-scrolling-table
In-Reply-To: <4DE93541.5050608@redhat.com>
References: <4DE8FF7C.6000808@redhat.com> <4DE90896.8040603@redhat.com> <4DE91CAC.2020409@redhat.com> <4DE934D5.70902@redhat.com> <4DE93541.5050608@redhat.com>
Message-ID: <4DE93A63.1060402@redhat.com>

On 06/03/2011 03:25 PM, Adam Young wrote:
> On 06/03/2011 03:24 PM, Adam Young wrote:
>> On 06/03/2011 01:41 PM, Adam Young wrote:
>>> On 06/03/2011 12:15 PM, Adam Young wrote:
>>>> On 06/03/2011 11:36 AM, Adam Young wrote:
>>>>> Fixes an artifact created by yesterday's scrolling table patch.
>>>>
>>>> self NACK, just thought of a cleaner implementation.
>>>
>>> This is a little simpler.
>>
>> Fixed critique from IRC
>
> Missed some changes

Previous versions of the patch missed a pretty major change I had made.

-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-admiyo-0233-4-dialog-scrolling-table.patch
Type: text/x-patch
Size: 5028 bytes
Desc: not available
URL:

From: ayoung at redhat.com (Adam Young)
Date: Fri, 03 Jun 2011 15:53:09 -0400
Subject: [Freeipa-devel] [PATCH] 172 Fixed blank dialog box on internal error.
In-Reply-To: <4DE9338F.3050902@redhat.com>
References: <4DE9338F.3050902@redhat.com>
Message-ID: <4DE93BA5.4080709@redhat.com>

On 06/03/2011 03:18 PM, Endi Sukma Dewata wrote:
> Previously when an internal error occurs on the server the UI will
> display a blank error dialog box. To fix the problem the string
> message thrown by Ajax has been converted into an object containing
> the error message.
>
> Ticket #1280
>

ACK. Pushed to master
From: dpal at redhat.com (Dmitri Pal)
Date: Fri, 03 Jun 2011 17:06:54 -0400
Subject: [Freeipa-devel] IPA Sudo queries.
In-Reply-To: <4DE931EC.4050908@redhat.com>
References: <4DE931EC.4050908@redhat.com>
Message-ID: <4DE94CEE.5050507@redhat.com>

On 06/03/2011 03:11 PM, Gowrishankar Rajaiyan wrote:
> Hi All,
>
> 1. While adding a runasgroup I see its entry in its ipaUniqueID
> dn, however do not see it in "dn: cn=sudorule1" as it does while
> adding a group using "ipa sudorule-add-runasuser rulename
> --groups=group1".
> Not sure if this is as designed.
>
> [root at bumblebee ipa-sudo]# ipa sudorule-add-runasgroup sudorule1 --groups=group2
>   Rule name: sudorule1
>   Enabled: TRUE
>   Sudo Deny Commands: /bin/ls
>   Run As Group: group2
> -------------------------
> Number of members added 1
> -------------------------
>
> dn: ipaUniqueID=78c97b54-8d01-11e0-b6e8-525400deab7b,cn=sudorules,cn=sudo,dc=lab,dc=eng,dc=pnq,dc=redhat,dc=com
> objectClass: ipaassociation
> objectClass: ipasudorule
> ipaEnabledFlag: TRUE
> cn: sudorule1
> ipaUniqueID: 78c97b54-8d01-11e0-b6e8-525400deab7b
> memberDenyCmd: sudocmd=/bin/ls,cn=sudocmds,cn=sudo,dc=lab,dc=eng,dc=pnq,dc=redhat,dc=com
> ipaSudoRunAs: cn=group1,cn=groups,cn=accounts,dc=lab,dc=eng,dc=pnq,dc=redhat,dc=com
> ipaSudoRunAsExtUser: test
> ipaSudoRunAsGroup: cn=group2,cn=groups,cn=accounts,dc=lab,dc=eng,dc=pnq,dc=redhat,dc=com <-----
>
> # sudorule1, sudoers, lab.eng.pnq.redhat.com
> dn: cn=sudorule1,ou=sudoers,dc=lab,dc=eng,dc=pnq,dc=redhat,dc=com
> objectClass: sudoRole
> objectClass: extensibleObject
> objectClass: top
> sudoCommand: !/bin/ls
> sudorunasuser: test
> sudorunasuser: %group1
> sudorunasgroup: group1 <---- added as "ipa sudorule-add-runasuser sudorule1 --groups=group1"
> {{{sudorunasgroup: group2}}} <------- expected here
> cn: sudorule1
>
>
> 2. Also, would like to know the difference between the following 2
> commands:
>
> Command 1: ipa sudorule-add-runasuser --groups=LIST (comma-separated
> list of groups to add)
> # ipa help sudorule-add-runasuser
> Purpose: Add user for Sudo to execute as.
> [...]
>   --users=LIST    comma-separated list of users to add
>   --groups=LIST   comma-separated list of groups to add
>
> Command 2: ipa sudorule-add-runasgroup --groups=LIST (comma-separated
> list of groups to add)
>
> I see the following in DS after using these commands:
>
> 1. # ipa sudorule-add-runasuser rule1 --users=user1 --groups=group1
>   Rule name: rule1
>   Enabled: TRUE
>   RunAs External User: user1
> -------------------------
> Number of members added 2
> -------------------------
>
> In DS:
> # rule1, sudoers, lab.eng.pnq.redhat.com
> dn: cn=rule1,ou=sudoers,dc=lab,dc=eng,dc=pnq,dc=redhat,dc=com
> objectClass: sudoRole
> objectClass: extensibleObject
> objectClass: top
> sudorunasuser: user1 <------
> sudorunasuser: %group1
> sudorunasgroup: group1 <------
> cn: rule1
>
> # 30f45cc8-8e40-11e0-bdf9-525400deab7b, sudorules, sudo, lab.eng.pnq.redhat.com
> dn: ipaUniqueID=30f45cc8-8e40-11e0-bdf9-525400deab7b,cn=sudorules,cn=sudo,dc=lab,dc=eng,dc=pnq,dc=redhat,dc=com
> objectClass: ipaassociation
> objectClass: ipasudorule
> ipaEnabledFlag: TRUE
> cn: rule1
> ipaUniqueID: 30f45cc8-8e40-11e0-bdf9-525400deab7b
> ipaSudoRunAs: cn=group1,cn=groups,cn=accounts,dc=lab,dc=eng,dc=pnq,dc=redhat,dc=com
> ipaSudoRunAsExtUser: user1
>
> 2. # ipa sudorule-add-runasgroup rule1 --groups=group2
>   Rule name: rule1
>   Enabled: TRUE
>   Run As Group: group2
> -------------------------
> Number of members added 1
> -------------------------
>
> In DS:
> No group2 in cn=rule1
>
> # rule1, sudoers, lab.eng.pnq.redhat.com
> dn: cn=rule1,ou=sudoers,dc=lab,dc=eng,dc=pnq,dc=redhat,dc=com
> objectClass: sudoRole
> objectClass: extensibleObject
> objectClass: top
> sudorunasuser: user1
> sudorunasuser: %group1
> sudorunasgroup: group1
> cn: rule1
>
> # 30f45cc8-8e40-11e0-bdf9-525400deab7b, sudorules, sudo, lab.eng.pnq.redhat.com
> dn: ipaUniqueID=30f45cc8-8e40-11e0-bdf9-525400deab7b,cn=sudorules,cn=sudo,dc=lab,dc=eng,dc=pnq,dc=redhat,dc=com
> objectClass: ipaassociation
> objectClass: ipasudorule
> ipaEnabledFlag: TRUE
> cn: rule1
> ipaUniqueID: 30f45cc8-8e40-11e0-bdf9-525400deab7b
> ipaSudoRunAs: cn=group1,cn=groups,cn=accounts,dc=lab,dc=eng,dc=pnq,dc=redhat,dc=com <---
> ipaSudoRunAsExtUser: user1
> ipaSudoRunAsGroup: cn=group2,cn=groups,cn=accounts,dc=lab,dc=eng,dc=pnq,dc=redhat,dc=com <----
>
>
> 3. Should a normal user be given privileges to view all the sudorules
> and their details??? I do not think this is necessary except for host
> principals and admin users. Please comment.
>
> ~]$ klist
> Ticket cache: FILE:/tmp/krb5cc_1179400003
> Default principal: shanks at LAB.ENG.PNQ.REDHAT.COM
>
> Valid starting     Expires            Service principal
> 06/03/11 09:34:33  06/04/11 09:34:28  krbtgt/LAB.ENG.PNQ.REDHAT.COM at LAB.ENG.PNQ.REDHAT.COM
> 06/03/11 09:34:37  06/04/11 09:34:28  HTTP/bumblebee.lab.eng.pnq.redhat.com at LAB.ENG.PNQ.REDHAT.COM
>
> ~]$ ipa sudorule-find --all
>   dn: ipauniqueid=78c97b54-8d01-11e0-b6e8-525400deab7b,cn=sudorules,cn=sudo,dc=lab,dc=eng,dc=pnq,dc=redhat,dc=com
>   Rule name: sudorule1
>   Enabled: TRUE
>   Sudo Deny Commands: /bin/ls
>   Run As Group: group2, group1
>   RunAs External User: test, test1
>   ipasudoopt: env_keep = LANG LC_ADDRESS LC_CTYPE LC_COLLATE LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES LC_MONETARY LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE LC_TIME LC_ALL LANGUAGE LINGUAS XDG_SESSION_COOKIE
>   ipauniqueid: 78c97b54-8d01-11e0-b6e8-525400deab7b
>   objectclass: ipaassociation, ipasudorule
>

Jr, it looks like there are more things related to the SUDO plugin. We will create tickets and assign some of them to you. We will see what we can do to help you out in addressing them. But do not be surprised to see more tickets coming your way.

-- 
Thank you,
Dmitri Pal

Sr. Engineering Manager IPA project,
Red Hat Inc.
From: mkosek at redhat.com (Martin Kosek)
Date: Mon, 06 Jun 2011 11:13:54 +0200
Subject: [Freeipa-devel] [PATCH] 076 Localization fails for MaxArgumentError
Message-ID: <1307351635.6714.17.camel@dhcp-25-52.brq.redhat.com>

When MaxArgumentError is raised, the string localized by ngettext is not printed properly.

https://fedorahosted.org/freeipa/ticket/1148

-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-mkosek-076-localization-fails-for-maxargumenterror.patch
Type: text/x-patch
Size: 1137 bytes
Desc: not available
URL:
From: jcholast at redhat.com (Jan Cholasta)
Date: Mon, 06 Jun 2011 12:28:42 +0200
Subject: [Freeipa-devel] [PATCH] 18 Parse netmasks in IP addresses passed to server install
In-Reply-To: <4DE72C57.3040000@redhat.com>
References: <4DC97E8B.8050904@redhat.com> <4DD6B2A5.3010507@redhat.com> <4DD939C3.5080106@redhat.com> <4DD9F7E6.7070607@redhat.com> <4DE72B2D.6000902@redhat.com> <4DE72C57.3040000@redhat.com>
Message-ID: <4DECABDA.6060701@redhat.com>

On 2.6.2011 08:23, Jakub Hrozek wrote:
> On 06/02/2011 08:18 AM, Jakub Hrozek wrote:
>> On 05/23/2011 08:00 AM, Jan Cholasta wrote:
>>> On 22.5.2011 18:28, Jakub Hrozek wrote:
>>>> On 05/20/2011 08:27 PM, Jan Cholasta wrote:
>>>>> TODO: Clean unreachable code paths off of ipa-server-install (?)
>>>>
>>>> In general I agree even though I don't know exactly what code you have
>>>> in mind -- if the code is dead there's no reason to keep it.
>>>
>>> I've noticed that e.g. if the hostname can't be resolved, verify_fqdn
>>> raises an exception, so some of the checks below the "ip =
>>> resolve_host(host_name)" line in ipa-server-install are unnecessary, but
>>> I'm not yet sure if I'm not missing something.
>>>
>>>>
>>>>> TODO: Workarounds for netaddr bugs (?)
>>>>
>>>> Are these bugs reported upstream? I know you mentioned some in an
>>>> earlier e-mail, just wondering if they are the same.
>>>>
>>>> Long term, it might be better to fix them in netaddr rather than
>>>> working around them.
>>>
>>> Yes, they're the same and are already fixed (according to the netaddr
>>> bug tracker), but there's no release with the fixes yet (or it's not in
>>> Fedora). There are not any big issues that I'm aware of, it's just that
>>> if you specify an incorrect netmask with an IPv4 address, the error message
>>> isn't very helpful to the user:
>>>
>>> netaddr.IPNetwork('192.168.1.1/33')
>>> ...
>>> UnboundLocalError: local variable 'ip' referenced before assignment
>>>
>>>>
>>>> Jakub
>>>>
>>>
>>> Honza
>>>
>>
>
> I cherry-picked a patch for that issue from upstream and built a fixed
> python-netaddr:
> https://admin.fedoraproject.org/updates/python-netaddr-0.7.5-3.fc15
>
> Please test and add karma :-)
>

Done.

-- 
Jan Cholasta
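The netaddr behaviour Honza quotes above (IPNetwork('192.168.1.1/33') dying with an UnboundLocalError instead of telling the user what is wrong) is the kind of library edge case an installer should catch before the library ever sees the input. The following is an added example, not FreeIPA's parse_ip_address or verify_ip_address and not code from this thread: it uses the standard-library ipaddress module rather than netaddr, accepts both a prefix length and a dotted IPv4 netmask, and turns every malformed input into a ValueError with a message that names the offending part. Refusing loopback, unspecified and multicast addresses for a server address is an assumption about what an install should reject, not something the thread states.

```python
"""Parse 'address[/netmask]' for an installer and fail with a usable message.

Added example, not FreeIPA code. Uses the standard-library ipaddress module
so that a bad prefix such as /33 on IPv4 is reported to the user instead of
surfacing as an exception from inside a library.
"""
import ipaddress


def parse_ip_with_netmask(value):
    """Return (ip_address object, prefix length) for '10.0.0.5' or '10.0.0.5/24'.

    A bare address gets the host prefix (/32 or /128). The netmask part may be
    a prefix length or, for IPv4, a dotted mask such as 255.255.255.0.
    Raises ValueError with a message that names the bad component.
    """
    text = value.strip()
    if "/" in text:
        addr_text, _, mask_text = text.partition("/")
    else:
        addr_text, mask_text = text, None

    try:
        addr = ipaddress.ip_address(addr_text)
    except ValueError:
        raise ValueError("'%s' is not a valid IPv4 or IPv6 address" % addr_text)

    max_prefix = addr.max_prefixlen          # 32 for IPv4, 128 for IPv6
    if mask_text is None:
        return addr, max_prefix

    # ip_interface validates the netmask against the address family and
    # rejects prefix lengths outside 0..max_prefix (e.g. /33 on IPv4).
    try:
        iface = ipaddress.ip_interface("%s/%s" % (addr_text, mask_text))
    except ValueError:
        raise ValueError(
            "'%s' is not a valid netmask for %s (expected 0-%d or a dotted mask)"
            % (mask_text, addr_text, max_prefix))
    return addr, iface.network.prefixlen


def check_ip_with_netmask(value):
    """Never-raising wrapper: (True, 'addr/prefix') or (False, error message).

    Assumption (not from the thread): a server address must be a unicast
    address that is neither loopback, unspecified nor multicast.
    """
    try:
        addr, prefix = parse_ip_with_netmask(value)
    except ValueError as exc:
        return False, str(exc)
    if addr.is_loopback or addr.is_unspecified or addr.is_multicast:
        return False, "%s is not usable as a server address" % addr
    return True, "%s/%d" % (addr, prefix)


if __name__ == "__main__":
    # Constructed sample inputs, including the case from the thread.
    for sample in ("192.168.1.1", "192.168.1.1/24", "192.168.1.1/255.255.255.0",
                   "192.168.1.1/33", "fd00::1/64", "256.1.1.1", "127.0.0.1"):
        ok, msg = check_ip_with_netmask(sample)
        print("%-28s %s %s" % (sample, "OK  " if ok else "FAIL", msg))
```

Validating the address this way in the installer's option parsing keeps the library-specific failure mode out of the user's path regardless of which python-netaddr build is installed.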
From: jcholast at redhat.com (Jan Cholasta)
Date: Mon, 06 Jun 2011 15:54:53 +0200
Subject: [Freeipa-devel] [PATCH] 779 Require an imported certificate's issuer to match our issuer
In-Reply-To: <4DB7309C.4010307@redhat.com>
References: <4DB7309C.4010307@redhat.com>
Message-ID: <4DECDC2D.7070803@redhat.com>

On 26.4.2011 22:52, Rob Crittenden wrote:
> The goal is to not import foreign certificates.
>
> This caused a bunch of tests to fail because we had a hardcoded server
> certificate. Instead a developer will need to run make-testcert to
> create a server certificate generated by the local CA to test against.
>
> ticket 1134
>
> rob
>

NACK

The certificate isn't verified in host-add.

I suspect that certificates signed by an intermediate CA (i.e. when the certificate chain length > 2) are considered invalid. Is that the desired behavior?

make-testcert fails with:

Traceback (most recent call last):
  File "./make-testcert", line 126, in <module>
    sys.exit(makecert(reqdir))
  File "./make-testcert", line 105, in makecert
    add=True)
  File "./make-testcert", line 66, in run
    result = self.execute(method, *args, **options)
  File "/home/jcholast/freeipa/ipalib/backend.py", line 142, in execute
    raise error #pylint: disable=E0702
ipalib.errors.CommandError: unknown command 'cert_request'

This is probably an error on my part (tried running it on both my machine without IPA installed and on a VM with IPA installed, with no luck), but nonetheless it should be fixed to fail gracefully so that the tests in "make test" have a chance to run. Similarly, the tests which use the test certificate created by make-testcert should be skipped if the certificate isn't available.

Honza

-- 
Jan Cholasta
From: rcritten at redhat.com (Rob Crittenden)
Date: Mon, 06 Jun 2011 10:51:10 -0400
Subject: [Freeipa-devel] [PATCH] 762 Let the framework be able to override the hostname
In-Reply-To: <1306757151.2427.16.camel@dhcp-25-52.brq.redhat.com>
References: <4D95F3AD.2000707@redhat.com> <1306320574.18222.20.camel@dhcp-25-52.brq.redhat.com> <4DDD204A.8010009@redhat.com> <1306395960.2330.7.camel@dhcp-25-52.brq.redhat.com> <4DDFFDDE.2040908@redhat.com> <1306757151.2427.16.camel@dhcp-25-52.brq.redhat.com>
Message-ID: <4DECE95E.1010006@redhat.com>

Martin Kosek wrote:
> On Fri, 2011-05-27 at 15:39 -0400, Rob Crittenden wrote:
>> Martin Kosek wrote:
>>> On Wed, 2011-05-25 at 11:29 -0400, Rob Crittenden wrote:
>>>> Martin Kosek wrote:
>>>>> On Fri, 2011-04-01 at 11:47 -0400, Rob Crittenden wrote:
>>>>>> The hostname is passed in during the server installation. We should use
>>>>>> this hostname for the resulting server as well. It was being discarded
>>>>>> and we always used the system hostname value.
>>>>>>
>>>>>> ticket 1052
>>>>>>
>>>>>> rob
>>>>>
>>>>> I have to NACK this again. I have a problem communicating with IPA on a
>>>>> master machine. I reproduced it on 2 different machines. Please, correct
>>>>> my steps if I am wrong, I do the following procedure
>>>>>
>>>>> 1) I prepare a fresh minimal F-15
>>>>> 2) Install freeipa-server (current master with your patches)
>>>>> 3) Add custom hostname to /etc/hosts
>>>>> 4) Install IPA server:
>>>>> ipa-server-install -p secret123 -a secret123 --hostname ipa.idm.lab.bos.redhat.com --setup-dns --forwarder=10.16.255.2
>>>>> 5) # kinit admin
>>>>> Password for admin at IDM.LAB.BOS.REDHAT.COM:
>>>>> 6) # ipa user-show admin
>>>>> ipa: ERROR: cannot connect to 'any of the configured servers':
>>>>> https://ipa.idm.lab.bos.redhat.com/ipa/xml,
>>>>> https://ipa.idm.lab.bos.redhat.com/ipa/xml
>>>>>
>>>>> # ping -c 1 ipa.idm.lab.bos.redhat.com
>>>>> PING ipa.idm.lab.bos.redhat.com (10.16.78.140) 56(84) bytes of data.
>>>>> 64 bytes from ipa.idm.lab.bos.redhat.com (10.16.78.140): icmp_req=1 ttl=64 time=0.049 ms
>>>>>
>>>>> Apache error_log shows relevant errors:
>>>>>
>>>>> [Wed May 25 06:42:38 2011] [error] ipa: ERROR: Failed to start IPA: Unable to retrieve LDAP schema: Invalid credentials: SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Permission denied)
>>>>> [Wed May 25 06:42:38 2011] [error] ipa: ERROR: Failed to start IPA: Unable to retrieve LDAP schema: Invalid credentials: SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Permission denied)
>>>>> [Wed May 25 06:43:55 2011] [error] Exception KeyError: KeyError(140250828974112,) in ignored
>>>>> [Wed May 25 06:43:55 2011] [error] Exception KeyError: KeyError(140250828974112,) in ignored
>>>>> [Wed May 25 06:43:55 2011] [error] Exception KeyError: KeyError(140250828974112,) in ignored
>>>>> [Wed May 25 06:43:55 2011] [error] Exception KeyError: KeyError(140250828974112,) in ignored
>>>>> [Wed May 25 06:43:55 2011] [error] Exception KeyError: KeyError(140250828974112,) in ignored
>>>>> [Wed May 25 06:43:55 2011] [error] Exception KeyError: KeyError(140250828974112,) in ignored
>>>>> [Wed May 25 06:43:55 2011] [error] Exception KeyError: KeyError(140250828974112,) in ignored
>>>>> [Wed May 25 06:43:55 2011] [error] Exception KeyError: KeyError(140250828974112,) in ignored
>>>>> [Wed May 25 06:43:55 2011] [error] Exception KeyError: KeyError(140250828974112,) in ignored
>>>>> [Wed May 25 06:43:55 2011] [error] Exception KeyError: KeyError(140250828974112,) in ignored
>>>>> [Wed May 25 06:43:56 2011] [notice] caught SIGTERM, shutting down
>>>>> [Wed May 25 06:43:56 2011] [notice] SELinux policy enabled; httpd running as context system_u:system_r:kernel_t:s0
>>>>> [Wed May 25 06:43:57 2011] [notice] Digest: generating secret for digest authentication ...
>>>>> [Wed May 25 06:43:57 2011] [notice] Digest: done
>>>>> [Wed May 25 06:43:57 2011] [notice] Apache/2.2.17 (Unix) DAV/2 mod_auth_kerb/5.4 mod_nss/2.2.17 NSS/3.12.9.0 mod_wsgi/3.2 Python/2.7.1 configured -- resuming normal operations
>>>>> [Wed May 25 06:44:04 2011] [error] ipa: INFO: *** PROCESS START ***
>>>>> [Wed May 25 06:44:04 2011] [error] ipa: INFO: *** PROCESS START ***
>>>>> [Wed May 25 06:45:25 2011] [error] [client 10.16.78.140] mod_wsgi (pid=5192): Exception occurred processing WSGI script '/usr/share/ipa/wsgi.py'.
>>>>> [Wed May 25 06:45:25 2011] [error] [client 10.16.78.140] Traceback (most recent call last):
>>>>> [Wed May 25 06:45:25 2011] [error] [client 10.16.78.140]   File "/usr/share/ipa/wsgi.py", line 48, in application
>>>>> [Wed May 25 06:45:25 2011] [error] [client 10.16.78.140]     return api.Backend.session(environ, start_response)
>>>>> [Wed May 25 06:45:25 2011] [error] [client 10.16.78.140]   File "/usr/lib/python2.7/site-packages/ipaserver/rpcserver.py", line 141, in __call__
>>>>> [Wed May 25 06:45:25 2011] [error] [client 10.16.78.140]     self.create_context(ccache=environ.get('KRB5CCNAME'))
>>>>> [Wed May 25 06:45:25 2011] [error] [client 10.16.78.140]   File "/usr/lib/python2.7/site-packages/ipalib/backend.py", line 110, in create_context
>>>>> [Wed May 25 06:45:25 2011] [error] [client 10.16.78.140]     self.Backend.ldap2.connect(ccache=ccache)
>>>>> [Wed May 25 06:45:25 2011] [error] [client 10.16.78.140]   File "/usr/lib/python2.7/site-packages/ipalib/backend.py", line 62, in connect
>>>>> [Wed May 25 06:45:25 2011] [error] [client 10.16.78.140]     conn = self.create_connection(*args, **kw)
>>>>> [Wed May 25 06:45:25 2011] [error] [client 10.16.78.140]   File "/usr/lib/python2.7/site-packages/ipalib/encoder.py", line 188, in new_f
>>>>> [Wed May 25 06:45:25 2011] [error] [client 10.16.78.140]     return f(*new_args, **kwargs)
>>>>> [Wed May 25 06:45:25 2011] [error] [client 10.16.78.140]   File "/usr/lib/python2.7/site-packages/ipaserver/plugins/ldap2.py", line 337, in create_connection
>>>>> [Wed May 25 06:45:25 2011] [error] [client 10.16.78.140]     _handle_errors(e, **{})
>>>>> [Wed May 25 06:45:25 2011] [error] [client 10.16.78.140]   File "/usr/lib/python2.7/site-packages/ipaserver/plugins/ldap2.py", line 118, in _handle_errors
>>>>> [Wed May 25 06:45:25 2011] [error] [client 10.16.78.140]     raise errors.DatabaseError(desc=desc, info=info)
>>>>> [Wed May 25 06:45:25 2011] [error] [client 10.16.78.140] DatabaseError: Local error: SASL(-1): generic failure: GSSAPI Error: An invalid name was supplied (Hostname cannot be canonicalized)
>>>>> [Wed May 25 06:45:26 2011] [error] [client 10.16.78.140] mod_wsgi (pid=5193): Exception occurred processing WSGI script '/usr/share/ipa/wsgi.py'.
>>>>>
>>>>>
>>>>> You can check the problem on vm-140.idm.lab.bos.redhat.com if you want to.
>>>>>
>>>>> Martin
>>>>>
>>>>
>>>> The LDAP connection was still using the system hostname value. I added a
>>>> conn.set_option(_ldap.OPT_HOST_NAME, api.env.host) in the two places we
>>>> initialize an LDAP connection and that seems to have fixed it.
>>>>
>>>> Updated patch attached
>>>>
>>>> rob
>>>
>>> NACK. The problem on a master is gone. However, now ipa-replica-install
>>> is failing:
>>>
>>> # ipa-replica-install /home/mkosek/replica-info-vm-027.idm.lab.bos.redhat.com.gpg
>>> Directory Manager (existing master) password:
>>>
>>> creation of replica failed: Can't contact LDAP server:
>>>
>>>
>>> I found out that the root cause of the failure is in the change you just
>>> made in ldap2.py:
>>>
>>>     def create_connection(self, ccache=None, bind_dn='', bind_pw='',
>>>             tls_cacertfile=None, tls_certfile=None, tls_keyfile=None,
>>>             debug_level=0):
>>>         ...
>>>         try:
>>>             conn = _ldap.initialize(self.ldap_uri)
>>>             conn.set_option(_ldap.OPT_HOST_NAME, api.env.host)  <--
>>>             if ccache is not None:
>>>                 os.environ['KRB5CCNAME'] = ccache
>>>         ...
>>>
>>> because api.env.host points to the local host and not the remote master.
>>> When I commented this line out, installation continued OK. Then, it
>>> crashed again with our "favorite" dogtag's "invalid clone_uri"
>>> exception.
>>>
>>> Since we see this error also in other scenarios (not only custom
>>> --hostname) and the root cause is not in your patch I can ACK your patch
>>> 762 once the replica install bug is fixed.
>>>
>>> Martin
>>>
>>
>> Fixed both of these. We only need to set the hostname when using an
>> ldapi URI, so fixed both of those.
>>
>> I also fixed the Invalid clone_uri bug. The problem was we weren't
>> passing our new hostname to pkicreate so it was creating a CA for
>> whatever the value of `hostname` was. There is an environment variable
>> in pkicreate to pass in the hostname and doing that has fixed the problem.
>>
>> rob
>
> Yes, this issue was fixed. It's good you found a way to deal with the
> clone_uri problem. However, I still hit some issues:
>
> 1) I think we have some Kerberos related problems when the custom
> hostname is used (ipa.idm.lab.bos.redhat.com on a
> vm-096.idm.lab.bos.redhat.com). Named and SSSD refuse to start on the
> system.
>
> /var/log/messages:
> May 30 05:04:35 vm-096 named[13932]: listening on IPv4 interface eth0, 10.16.78.96#53
> May 30 05:04:35 vm-096 named[13932]: generating session key for dynamic DNS
> May 30 05:04:36 vm-096 named[13932]: Failed to init credentials (Preauthentication failed)
> May 30 05:04:36 vm-096 named[13932]: loading configuration: failure
> May 30 05:04:36 vm-096 named[13932]: exiting (due to fatal error)
> May 30 05:04:36 vm-096 systemd[1]: named.service: control process exited, code=exited status=7
> May 30 05:04:36 vm-096 systemd[1]: Unit named.service entered failed state.
> May 30 05:07:41 vm-096 sssd: Starting up
> May 30 05:07:41 vm-096 sssd[be[idm.lab.bos.redhat.com]]: Starting up
> May 30 05:07:41 vm-096 sssd[be[idm.lab.bos.redhat.com]]: Error processing keytab file [(null)]: Principal [host/vm-096.idm.lab.bos.redhat.com at IDM.LAB.BOS.REDHAT.COM] was not found. Unable to create GSSAPI-encrypted LDAP connection.

For the named issue I filed a bug against bind-dyndb-ldap for this, https://bugzilla.redhat.com/show_bug.cgi?id=710261

This is a similar problem I ran into where when you do an ldapi bind it defaults to using the system hostname value.

To fix the sssd problem we just need to set the ipa_hostname option (they have lots of nice tuning options!). We just need to decide if we always set this value or only at install time when the hostnames differ.

> 2) My dogtag powered replica still refuses to install (happened to me on
> 2 fresh VMs) with "creation of replica failed: Configuration of CA
> failed".
>
> I investigated the ipareplica-install.log, I found an error that may be
> relevant. Maybe Ade will recognize some of them.
>
> #############################################
> Attempting to connect to: vm-028.idm.lab.bos.redhat.com:9445
> Connected.
> Posting Query = https://vm-028.idm.lab.bos.redhat.com:9445//ca/admin/console/config/wizard?p=9&op=next&xml=true&host=vm-028.idm.lab.bos.redhat.com&port=7389&binddn=cn%3DDirectory+Manager&__bindpwd=XXXXXXXX&basedn=o%3Dipaca&database=ipaca&display=%24displayStr&cloneStartTLS=on
> RESPONSE STATUS: HTTP/1.1 200 OK
> RESPONSE HEADER: Server: Apache-Coyote/1.1
> RESPONSE HEADER: Content-Type: application/xml;charset=UTF-8
> RESPONSE HEADER: Date: Mon, 30 May 2011 11:26:29 GMT
> RESPONSE HEADER: Connection: close
> ...
>
> admin/console/config/databasepanel.vm
> clone
>
> 7389
> (sensitive)
> on
> vm-028.idm.lab.bos.redhat.com
> Master and clone should have the same base DN
>
>
> The CA installation fails a few error messages later.
>
> Providing excerpt of CA logs as they may be relevant:
>
> /var/log/pki-ca/catalina.out:
> ...
> CMS Warning: FAILURE: Cannot build CA chain. Error java.security.cert.CertificateException: Certificate is not a PKCS #11 certificate|FAILURE: authz instance DirAclAuthz initialization failed and skipped, error=Property internaldb.ldapconn.port missing value|
> ...
> [Fatal Error] :2:15: Open quote is expected for attribute "BGCOLOR" associated with an element type "BODY".
>
> /var/log/pki-ca/system:
> 2893.main - [30/May/2011:07:25:47 EDT] [3] [3] Cannot build CA chain. Error java.security.cert.CertificateException: Certificate is not a PKCS #11 certificate
> 2893.main - [30/May/2011:07:25:47 EDT] [13] [3] authz instance DirAclAuthz initialization failed and skipped, error=Property internaldb.ldapconn.port missing value
>
> Martin
>

Haven't had a chance to explore this one yet. It sure would be nice if dogtag would tell us what the two differing base DNs are though...

rob
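The rule Rob settled on in the thread above (set OPT_HOST_NAME only for an ldapi URI) is easy to state in code, and so are the two failure modes that bracketed it: with no override, an ldapi bind on a host installed with a custom --hostname asks for a service ticket for the system hostname ("Hostname cannot be canonicalized" on the master); with an unconditional override, a replica binding to a remote master over ldaps asks for a ticket for its own name ("Can't contact LDAP server" during ipa-replica-install). The following is an added example, not FreeIPA's ldap2.py: it models which host name the GSSAPI bind ends up using under each of the three variants, assuming that SASL/GSSAPI requests the principal ldap/<host>@REALM where <host> is OPT_HOST_NAME if set, otherwise the host from the URI, and for an ldapi URI (which carries a socket path, not a host) the system hostname. Host and realm names are the ones from the thread; the ldapi socket path is constructed.

```python
"""Which host name does a GSSAPI LDAP bind use, depending on URI and override?

Added example, not FreeIPA code. It models three versions of the behaviour
discussed in the thread:
  "none"  - OPT_HOST_NAME never set (original code)
  "always" - OPT_HOST_NAME set to the IPA host name for every URI (first fix)
  "ldapi" - OPT_HOST_NAME set only for ldapi:// URIs (final fix)
Assumption: the SASL/GSSAPI layer requests ldap/<host>@REALM, where <host>
is the override if present, else the URI host, else (ldapi) the system name.
"""
from urllib.parse import urlsplit, unquote

MODES = ("none", "always", "ldapi")


def sasl_host_name(ldap_uri, api_host, system_hostname, mode):
    """Return the host name the GSSAPI bind will be performed against."""
    if mode not in MODES:
        raise ValueError("unknown mode %r" % (mode,))
    parts = urlsplit(ldap_uri)
    scheme = parts.scheme.lower()

    if scheme == "ldapi":
        # No host in an ldapi URI: without an override libldap falls back to
        # the system hostname, which is wrong when IPA uses a custom name.
        return system_hostname if mode == "none" else api_host

    if scheme in ("ldap", "ldaps"):
        if not parts.hostname:
            raise ValueError("%s URI without a host: %s" % (scheme, ldap_uri))
        # Overriding here is the replica-install bug: api_host is the local
        # machine, but the bind targets the remote master named in the URI.
        return api_host if mode == "always" else parts.hostname

    raise ValueError("unsupported LDAP URI scheme in %s" % ldap_uri)


def expected_principal(ldap_uri, api_host, system_hostname, mode, realm):
    """Service principal the bind will request a ticket for."""
    host = sasl_host_name(ldap_uri, api_host, system_hostname, mode)
    return "ldap/%s@%s" % (host, realm)


def ldapi_socket_path(ldap_uri):
    """Decode the percent-encoded socket path carried by an ldapi URI."""
    parts = urlsplit(ldap_uri)
    if parts.scheme.lower() != "ldapi":
        raise ValueError("not an ldapi URI: %s" % ldap_uri)
    return unquote(parts.netloc)


if __name__ == "__main__":
    REALM = "IDM.LAB.BOS.REDHAT.COM"
    # Master installed with --hostname ipa.idm.lab.bos.redhat.com on vm-140.
    LDAPI = "ldapi://%2fvar%2frun%2fslapd-IDM-LAB-BOS-REDHAT-COM.socket"  # constructed path
    # Replica vm-027 contacting the master it was prepared for.
    MASTER = "ldaps://vm-027.idm.lab.bos.redhat.com:636"
    for mode in MODES:
        print(mode)
        print("  master, ldapi :", expected_principal(
            LDAPI, "ipa.idm.lab.bos.redhat.com", "vm-140.idm.lab.bos.redhat.com", mode, REALM))
        print("  replica, ldaps:", expected_principal(
            MASTER, "vm-096.idm.lab.bos.redhat.com", "vm-096.idm.lab.bos.redhat.com", mode, REALM))
    print("socket:", ldapi_socket_path(LDAPI))
```

Only the "ldapi" mode yields the right principal in both rows: ldap/ipa.idm.lab.bos.redhat.com for the local socket and ldap/vm-027.idm.lab.bos.redhat.com for the remote master, which is exactly the split Rob describes.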
From: rcritten at redhat.com (Rob Crittenden) Date: Mon, 06 Jun 2011 13:16:45 -0400 Subject: [Freeipa-devel] [PATCH] 24 Add sudorule and hbacrule to memberof AND indirectmemberof attributes In-Reply-To: <35CEAC43-88AD-4D93-A2D3-BFD6EA13E8AD@citrixonline.com> References: <36AD4E47-C1BE-4603-8578-1823F2C89892@citrixonline.com> <4DB1DCD6.1060606@redhat.com> <0B1CC5CC-F36C-4EA7-B30D-472539E64D7E@citrixonline.com> <4DC9FD7F.1090505@redhat.com> <4DC9FF25.8070501@redhat.com> <7D243923-B3F9-4284-9FAF-550AC9E86AEE@citrixonline.com> <4DD68978.3040409@redhat.com> <35CEAC43-88AD-4D93-A2D3-BFD6EA13E8AD@citrixonline.com> Message-ID: <4DED0B7D.4050207@redhat.com> JR Aquino wrote: > On May 20, 2011, at 8:32 AM, Rob Crittenden wrote: > >> JR Aquino wrote: >>> On May 10, 2011, at 8:14 PM, Adam Young wrote: >>> >>>> On 05/10/2011 11:07 PM, Adam Young wrote: >>>>> On 05/10/2011 04:38 PM, JR Aquino wrote: >>>>>> On Apr 22, 2011, at 12:53 PM, Rob Crittenden wrote: >>>>>> >>>>>> >>>>>>> JR Aquino wrote: >>>>>>> >>>>>>>> On Apr 12, 2011, at 9:45 AM, JR Aquino wrote: >>>>>>>> >>>>>>>> >>>>>>>>> Add HBAC Rule and Sudo Rule to users as indirect member attributes to simplify the auditing of users for their indirect membership to their authorization rights. >>>>>>>>> >>>>>>>>> An Administrator should have the ability to quickly identify the rights a user will have in the system. >>>>>>>>> >>>>>>>>> For example. 
With the patch added, my user show looks like this: >>>>>>>>> >>>>>>>>> # ipa user-show tester --all >>>>>>>>> dn: uid=builder,cn=users,cn=accounts,dc=example,dc=com >>>>>>>>> User login: tester >>>>>>>>> First name: Tester >>>>>>>>> Last name: Engineering >>>>>>>>> Full name: Tester Engineering >>>>>>>>> Display name: Tester Engineering >>>>>>>>> Initials: TE >>>>>>>>> Home directory: /home/tester >>>>>>>>> GECOS field: Tester Engineering >>>>>>>>> Login shell: /bin/sh >>>>>>>>> Kerberos principal: >>>>>>>>> tester at EXAMPLE.COM >>>>>>>>> >>>>>>>>> UID: 1829800388 >>>>>>>>> GID: 1829800388 >>>>>>>>> Account disabled: False >>>>>>>>> Member of groups: ipausers, auto-dev-deploy-tools, build-integration >>>>>>>>> ipauniqueid: 72fa22c6-6085-11e0-9629-0023aefe4ec0 >>>>>>>>> krbpwdpolicyreference: cn=global_policy,cn=EXAMPLE.COM,cn=kerberos,dc=example,dc=com >>>>>>>>> memberofindirect_HBAC rule: development >>>>>>>>> memberofindirect_Sudo Rule: AUTO-dev-deploy-tools_DEPLOY, AUTO-dev-deploy-tools_ZENOSS, build-integration >>>>>>>>> mepmanagedentry: cn=tester,cn=groups,cn=accounts,dc=example,dc=com >>>>>>>>> objectclass: top, person, organizationalperson, inetorgperson, inetuser, posixaccount >>>>>>>>> >>>>>>>>> _______________________________________________ >>>>>>>>> Freeipa-devel mailing list >>>>>>>>> >>>>>>>>> Freeipa-devel at redhat.com >>>>>>>>> https://www.redhat.com/mailman/listinfo/freeipa-devel >>>>>>>> OPPS, forgot to have PATCH in the subject. >>>>>>>> >>>>>>>> >>>>>>> I think you need this as well, right? >>>>>>> >>>>>>> - 'memberof': ['group', 'netgroup', 'role'], >>>>>>> + 'memberof': ['group', 'netgroup', 'role', 'sudorule', 'hbacrule'], >>>>>>> >>>>>> Some scope change. >>>>>> >>>>>> Added memberof and memberofindirect >>>>>> >>>>>> Added to user.py host.py group.py hostgroup.py >>>>>> >>>>>> When using the --all flag it is now very clear to the administrator what authorization rules these objects are directly or indirectly a memberof. 
>>>>>> >>>>>> xmlrpc tests check out >>>>>> >>>>>> Please review >>>>>> >>>>>> >>>>>> >>>>>> _______________________________________________ >>>>>> Freeipa-devel mailing list >>>>>> >>>>>> Freeipa-devel at redhat.com >>>>>> https://www.redhat.com/mailman/listinfo/freeipa-devel >>>>> >>>>> >>>>> The reason that this shows up in the UI is that it is generating additional memberof attributes. It has nothing to do with the memberofindirect: >>>> >>>> You are also going to need to modify the sudo rule and HBAC rule to use the serial associator on some facets. It looks like group at least has things backwards. The group.js file I think needs a rule like this: >>>> >>>> >>>> association_facet({ >>>> name: 'memberof_sudorule', >>>> associator: IPA.serial_associator >>>> }). >>>> >>>> This is because the API is for adding multiple groups to the sudo rule, but the default behaviour is for adding multiple <other entity> to. >>> >>> The above comment is regarding ticket: https://fedorahosted.org/freeipa/ticket/1218 which is dependent on this patch and ticket 1170 >>> >>> As for Patch 24 and ticket 1170, are there any other questions or does this look ready to go? >> >> Nack, this adds some additional API that isn't in API.txt. >> >> It would be nice to add test cases for this as well, perhaps in the sudo and hbac tests (create a rule, add a user to it, make sure when showing the user you can see the rule). > > > New patch attached to address API and Tests. > (Please note Ticket# 1263 in case there are problems testing) > > Please review and ack > ack, pushed to master. I also bumped up the API minor version because of the new options. JR, in the future when you resubmit a patch can you keep the same name and add an incrementing number so it is easier to tell which version of the patch we're dealing with? rob From rcritten at redhat.com Mon Jun 6 17:23:46 2011
From: rcritten at redhat.com (Rob Crittenden) Date: Mon, 06 Jun 2011 13:23:46 -0400 Subject: [Freeipa-devel] [PATCH] 076 Localization fails for MaxArgumentError In-Reply-To: <1307351635.6714.17.camel@dhcp-25-52.brq.redhat.com> References: <1307351635.6714.17.camel@dhcp-25-52.brq.redhat.com> Message-ID: <4DED0D22.6090304@redhat.com> Martin Kosek wrote: > When MaxArgumentError is raised, the string localized by ngettext > is not printed properly. > > https://fedorahosted.org/freeipa/ticket/1148 > ack, pushed to master and ipa-2-0 From rcritten at redhat.com Mon Jun 6 17:29:48 2011 From: rcritten at redhat.com (Rob Crittenden) Date: Mon, 06 Jun 2011 13:29:48 -0400 Subject: [Freeipa-devel] [PATCH] Fix typos in help of sudorule and sudocmd In-Reply-To: <4DE341D6.7080002@redhat.com> References: <4DE341D6.7080002@redhat.com> Message-ID: <4DED0E8C.9010504@redhat.com> Gowrishankar Rajaiyan wrote: > > Hi, > > Fixed the following typos: > > 1. # ipa help sudorule > [...] > sudorule-show Dispaly Sudo Rule. > > 2. # ipa help sudocmd > [...] > Create a new commnad > Nack. These changes will be picked up the next time we generate a pot file (which should be soon). See install/po/README. rob From rcritten at redhat.com Mon Jun 6 17:47:08 2011 From: rcritten at redhat.com (Rob Crittenden) Date: Mon, 06 Jun 2011 13:47:08 -0400 Subject: [Freeipa-devel] [PATCH] 792 Update translations Message-ID: <4DED129C.8090700@redhat.com> Our translation files haven't been updated for a few months; this brings things up to date. It is intended for master only. All I did to generate this patch was to run make update-po in install/po. It is otherwise untouched by human hands. 4Mb of changes, 810 new messages, so this patch is huge, sorry. rob -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-rcrit-792-pot.patch.gz Type: application/x-gzip Size: 813229 bytes Desc: not available URL: From rcritten at redhat.com Mon Jun 6 19:25:44 2011
From: rcritten at redhat.com (Rob Crittenden) Date: Mon, 06 Jun 2011 15:25:44 -0400 Subject: [Freeipa-devel] [PATCH] 779 Require an imported certificate's issuer to match our issuer In-Reply-To: <4DECDC2D.7070803@redhat.com> References: <4DB7309C.4010307@redhat.com> <4DECDC2D.7070803@redhat.com> Message-ID: <4DED29B8.8090607@redhat.com> Jan Cholasta wrote: > On 26.4.2011 22:52, Rob Crittenden wrote: >> The goal is to not import foreign certificates. >> >> This caused a bunch of tests to fail because we had a hardcoded server >> certificate. Instead a developer will need to run make-testcert to >> create a server certificate generated by the local CA to test against. >> >> ticket 1134 >> >> rob >> > > NACK > > The certificate isn't verified in host-add. > > I suspect that certificates signed by an intermediate CA (i.e. when the > certificate chain length > 2) are considered invalid. Is that the > desired behavior? That will work as long as the issuer is the IPA CA. I see that if we are given a service cert issued by another CA in the chain things could go badly. I'm not sure this is something to really worry about though. > > make-testcert fails with: > > Traceback (most recent call last): > File "./make-testcert", line 126, in > sys.exit(makecert(reqdir)) > File "./make-testcert", line 105, in makecert > add=True) > File "./make-testcert", line 66, in run > result = self.execute(method, *args, **options) > File "/home/jcholast/freeipa/ipalib/backend.py", line 142, in execute > raise error #pylint: disable=E0702 > ipalib.errors.CommandError: unknown command 'cert_request' > > This is probably an error on my part (tried running in on both my > machine without IPA installed and on VM with IPA installed with no > luck), but nonetheless it should be fixed to fail gracefully so that the > tests in "make test" have a chance to run. Similarly, the tests which > use the test certificate created by make-testcert should be skipped if > the certificate isn't available. 
You need to take the certificate databases from a self-signed install and copy them to ~/.ipa/alias/ in order to do certificate testing. There is documentation on how to do this in tests/test_xmlrpc/test_cert.py I think this should be mandatory as certificates are a main feature of v2. rob -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-rcrit-779-2-cert.patch Type: text/x-diff Size: 19793 bytes Desc: not available URL: From dpal at redhat.com Mon Jun 6 23:23:44 2011 
From: dpal at redhat.com (Dmitri Pal) Date: Mon, 06 Jun 2011 19:23:44 -0400 Subject: [Freeipa-devel] Summary of the 1204 ticket design Message-ID: <4DED6180.8090906@redhat.com> Hello, https://fedorahosted.org/freeipa/ticket/1204 I had an action item to define in more detail the design for this ticket based on the design threads that we had in the past. For more details see thread called: [Freeipa-devel] Summary of Session discussion Several things have been looked at together and we decided that we want to introduce a server-side session object to be able to reduce the number of Kerberos re-negotiations. Ticket 1204 covers only the problem of the IPA framework requesting a ticket to access the LDAP service per request. For that we need: 1) Check that python-krbV supports a way of sticking a ticket into the credential cache 2) On any incoming request try to get the cached ticket from the cred cache. If it is there and not expired, use it. If it is expired, drop it. 3) If there is no valid ticket, acquire it and add it to the cache The other part that is not covered in ticket 1204 is related to using cookies for the XML-RPC client and browser. These are tickets 215 (https://fedorahosted.org/freeipa/ticket/215) and 225 (https://fedorahosted.org/freeipa/ticket/225). These are not planned for IPA 2.1 at the moment. If we see that it makes sense to bring them in let me know, but our plate is full enough. However it makes sense to mention that the idea behind ticket 225 is similar to the one for 1204. The client will follow the same logic except that it will use the cookie issued by the server and stick the cookie into the credential cache on the client. As far as I understand there is no need to have anything stored on the server to match this cookie, right? If so, it might make sense to drill down into this as we implement the solution for 1204. Let me know if I missed anything.
There were a couple of other things discussed in the same thread: the pagination is solved differently for now, while the file upload puts a slightly different twist on the session object of the server. We will drill down into the details as ticket 1225 (https://fedorahosted.org/freeipa/ticket/1225) is designed and implemented. -- Thank you, Dmitri Pal Sr. Engineering Manager IPA project, Red Hat Inc. ------------------------------- Looking to carve out IT costs? www.redhat.com/carveoutcosts/ From jhrozek at redhat.com Tue Jun 7 08:31:26 2011
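The three steps of the 1204 design (look in the cache, reuse a ticket that is still valid, drop an expired one, otherwise acquire and store) as an added example, not FreeIPA code and not a reply in this thread. The Kerberos request itself is hidden behind an `acquire_fn` callable so the block runs offline; the `Ticket` type, the `skew` margin (treat a ticket as expired a little early so it does not lapse mid-request) and the service principal string are this example's own assumptions. The real implementation would keep the credential in a krb5 ccache, which is exactly the python-krbV capability step 1 says still has to be verified.

```python
"""Added example (not FreeIPA code): reuse-until-expired ticket cache for 1204."""
import threading
import time
from dataclasses import dataclass


@dataclass(frozen=True)
class Ticket:
    service: str
    expires_at: float        # POSIX seconds; a real krb5 credential carries endtime


class TicketCache:
    def __init__(self, acquire_fn, now=time.time, skew=60.0):
        self._acquire = acquire_fn      # service principal -> Ticket (the KDC round trip)
        self._now = now                 # injectable clock so expiry can be exercised offline
        self._skew = skew               # seconds before endtime at which we stop trusting it
        self._lock = threading.Lock()   # one KDC round trip per service, not one per thread
        self._tickets = {}
        self.acquisitions = 0           # round trips the cache did not save

    def get(self, service):
        with self._lock:
            cached = self._tickets.get(service)
            if cached is not None:
                if cached.expires_at - self._skew > self._now():
                    return cached                       # step 2: present and valid, reuse
                del self._tickets[service]              # step 2: expired, drop it
            fresh = self._acquire(service)              # step 3: acquire ...
            self.acquisitions += 1
            self._tickets[service] = fresh              # ... and add to the cache
            return fresh


def simulate(request_gaps, lifetime, skew=60.0):
    """Replay requests separated by `request_gaps` seconds against one cache whose
    tickets live `lifetime` seconds; return how many tickets had to be acquired."""
    clock = [1_000.0]                                   # simulated wall clock

    def now():
        return clock[0]

    def acquire(service):                               # stands in for the KDC
        return Ticket(service, expires_at=now() + lifetime)

    cache = TicketCache(acquire, now=now, skew=skew)
    for gap in request_gaps:
        clock[0] += gap
        cache.get("ldap/ipa.example.com@EXAMPLE.COM")   # assumed service principal
    return cache.acquisitions
```

With a 600-second ticket and a 60-second skew, requests at 0, 100 and 200 seconds share one acquisition; a request at 550 seconds falls inside the skew window and triggers a fresh one even though the ticket is nominally still valid for 50 more seconds.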
From: jhrozek at redhat.com (Jakub Hrozek) Date: Tue, 07 Jun 2011 10:31:26 +0200 Subject: [Freeipa-devel] [PATCH] 18 Parse netmasks in IP addresses passed to server install In-Reply-To: <4DECABDA.6060701@redhat.com> References: <4DC97E8B.8050904@redhat.com> <4DD6B2A5.3010507@redhat.com> <4DD939C3.5080106@redhat.com> <4DD9F7E6.7070607@redhat.com> <4DE72B2D.6000902@redhat.com> <4DE72C57.3040000@redhat.com> <4DECABDA.6060701@redhat.com> Message-ID: <4DEDE1DE.5060204@redhat.com> On 06/06/2011 12:28 PM, Jan Cholasta wrote: > On 2.6.2011 08:23, Jakub Hrozek wrote: >> On 06/02/2011 08:18 AM, Jakub Hrozek wrote: >>> On 05/23/2011 08:00 AM, Jan Cholasta wrote: >>>> On 22.5.2011 18:28, Jakub Hrozek wrote: >>>>> On 05/20/2011 08:27 PM, Jan Cholasta wrote: >>>>>> TODO: Clean unreachable code paths off of ipa-server-install (?) >>>>> >>>>> In general I agree even though I don't know exactly what code you have >>>>> in mind -- if the code is dead there's no reason to keep it. >>>> >>>> I've noticed that e.g. if the hostname can't be resolved, verify_fqdn >>>> raises an exception, so some of the checks below the "ip = >>>> resolve_host(host_name)" line in ipa-server-install are unnecessary, >>>> but >>>> I'm not yet sure if I'm not missing something. >>>> >>>>> >>>>>> TODO: Workarounds for netaddr bugs (?) >>>>> >>>>> Are these bugs reported upstream? I know you mentioned some in an >>>>> earlier e-mail, just wondering if they are the same. >>>>> >>>>> Long term, it might be better to fix them in netaddr rather than >>>>> working >>>>> around them. >>>> >>>> Yes, they're the same and are already fixed (according to the netaddr >>>> bug tracker), but there's no release with the fixes yet (or it's not in >>>> Fedora). There are not any big issues that I'm aware of, it's just that >>>> if you specify incorrect netmask with an IPv4 address, the error >>>> message >>>> isn't very helpful to the user: >>>> >>>> netaddr.IPNetwork('192.168.1.1/33') >>>> ... 
>>>> UnboundLocalError: local variable 'ip' referenced before assignment >>>> >>>>> >>>>> Jakub >>>>> >>>> >>>> Honza >>>> >>> >> >> I cherry-picked a patch for that issue from upstream and built a fixed >> python-netaddr: >> https://admin.fedoraproject.org/updates/python-netaddr-0.7.5-3.fc15 >> >> Please test and add karma :-) >> > > Done. > The update went stable today in case you wanted to Require: the fixed version -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 261 bytes Desc: OpenPGP digital signature URL: From jcholast at redhat.com Tue Jun 7 13:24:06 2011 
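The failure the thread describes, `netaddr.IPNetwork('192.168.1.1/33')` dying with an `UnboundLocalError` instead of telling the user the netmask is wrong, is the kind of input an installer has to reject with a clear message. Below is an added example of parsing an `address[/prefix]` argument with the standard-library `ipaddress` module rather than python-netaddr; it is not FreeIPA code and not the patch under review. The acceptance policy it applies (prefix length must fit the address family; loopback, unspecified and multicast addresses are refused; the network and broadcast address of the given subnet are refused as host addresses except on /31 and /127 point-to-point links) is this example's own assumption, not what ipa-server-install enforces.

```python
"""Added example (not FreeIPA code): validate an installer's address[/prefix] argument."""
import ipaddress
from dataclasses import dataclass
from typing import Union


@dataclass(frozen=True)
class HostAddress:
    ip: Union[ipaddress.IPv4Address, ipaddress.IPv6Address]
    prefixlen: int
    network: Union[ipaddress.IPv4Network, ipaddress.IPv6Network]


def parse_host_address(text, default_prefix=None):
    """Parse '192.168.1.1/24' or '2001:db8::10/64' (prefix optional) into a HostAddress.

    Every rejection raises ValueError with a message that names the actual problem,
    which is what the netaddr bug in the thread failed to do."""
    text = text.strip()
    addr_part, sep, prefix_part = text.partition("/")
    try:
        ip = ipaddress.ip_address(addr_part)
    except ValueError:
        raise ValueError(f"{addr_part!r} is not a valid IPv4 or IPv6 address") from None

    if sep:
        if not prefix_part.isdigit():                   # also rejects '', '-1', dotted masks
            raise ValueError(f"netmask {prefix_part!r} must be a prefix length such as /24")
        prefixlen = int(prefix_part)
    elif default_prefix is not None:
        prefixlen = default_prefix
    else:
        prefixlen = ip.max_prefixlen                     # bare address: host route

    if not 0 <= prefixlen <= ip.max_prefixlen:           # the /33 case from the thread
        raise ValueError(f"prefix length /{prefixlen} is out of range for IPv{ip.version} "
                         f"(maximum /{ip.max_prefixlen})")
    if ip.is_loopback or ip.is_unspecified or ip.is_multicast:
        raise ValueError(f"{ip} cannot be used as the server's address")

    network = ipaddress.ip_network(f"{ip}/{prefixlen}", strict=False)
    # On anything wider than a point-to-point link the first and last addresses
    # identify the subnet, not a host, so a server cannot sit on them.
    if prefixlen <= ip.max_prefixlen - 2 and ip in (network.network_address,
                                                    network.broadcast_address):
        raise ValueError(f"{ip} is the network or broadcast address of {network}, not a host")
    return HostAddress(ip, prefixlen, network)


def validation_error(text):
    """Return the rejection message for `text`, or None when it is acceptable."""
    try:
        parse_host_address(text)
    except ValueError as err:
        return str(err)
    return None
```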
From: jcholast at redhat.com (Jan Cholasta) Date: Tue, 07 Jun 2011 15:24:06 +0200 Subject: [Freeipa-devel] [PATCH] 779 Require an imported certificate's issuer to match our issuer In-Reply-To: <4DED29B8.8090607@redhat.com> References: <4DB7309C.4010307@redhat.com> <4DECDC2D.7070803@redhat.com> <4DED29B8.8090607@redhat.com> Message-ID: <4DEE2676.6070401@redhat.com> On 6.6.2011 21:25, Rob Crittenden wrote: > Jan Cholasta wrote: >> On 26.4.2011 22:52, Rob Crittenden wrote: >>> The goal is to not import foreign certificates. >>> >>> This caused a bunch of tests to fail because we had a hardcoded server >>> certificate. Instead a developer will need to run make-testcert to >>> create a server certificate generated by the local CA to test against. >>> >>> ticket 1134 >>> >>> rob >>> >> >> NACK >> >> The certificate isn't verified in host-add. >> >> I suspect that certificates signed by an intermediate CA (i.e. when the >> certificate chain length > 2) are considered invalid. Is that the >> desired behavior? > > That will work as long as the issuer is the IPA CA. I see that if we are > given a service cert issued by another CA in the chain things could go > badly. I'm not sure this is something to really worry about though. I guess it's not. But I'd like a second opinion on that. 
> >> >> make-testcert fails with: >> >> Traceback (most recent call last): >> File "./make-testcert", line 126, in >> sys.exit(makecert(reqdir)) >> File "./make-testcert", line 105, in makecert >> add=True) >> File "./make-testcert", line 66, in run >> result = self.execute(method, *args, **options) >> File "/home/jcholast/freeipa/ipalib/backend.py", line 142, in execute >> raise error #pylint: disable=E0702 >> ipalib.errors.CommandError: unknown command 'cert_request' >> >> This is probably an error on my part (tried running in on both my >> machine without IPA installed and on VM with IPA installed with no >> luck), but nonetheless it should be fixed to fail gracefully so that the >> tests in "make test" have a chance to run. Similarly, the tests which >> use the test certificate created by make-testcert should be skipped if >> the certificate isn't available. > > You need to take the certificate databases from a self-signed install > and copy them to ~/.ipa/alias/ in order to do certificate testing. There > is documentation on how to do this in tests/test_xmlrpc/test_cert.py > > I think this should be mandatory as certificates are a main feature of v2. No matter what I do, I'm still getting the unknown command error. Can you describe the steps needed to make make-testcert successfully run? BTW, it would be nice if "make test" printed an informational message when the requirements to run the tests aren't met instead of failing with some random error. > > rob Honza -- Jan Cholasta From rcritten at redhat.com Tue Jun 7 13:50:42 2011 
From: rcritten at redhat.com (Rob Crittenden) Date: Tue, 07 Jun 2011 09:50:42 -0400 Subject: [Freeipa-devel] [PATCH] 18 Parse netmasks in IP addresses passed to server install In-Reply-To: <4DEDE1DE.5060204@redhat.com> References: <4DC97E8B.8050904@redhat.com> <4DD6B2A5.3010507@redhat.com> <4DD939C3.5080106@redhat.com> <4DD9F7E6.7070607@redhat.com> <4DE72B2D.6000902@redhat.com> <4DE72C57.3040000@redhat.com> <4DECABDA.6060701@redhat.com> <4DEDE1DE.5060204@redhat.com> Message-ID: <4DEE2CB2.1020502@redhat.com> Jakub Hrozek wrote: > On 06/06/2011 12:28 PM, Jan Cholasta wrote: >> On 2.6.2011 08:23, Jakub Hrozek wrote: >>> On 06/02/2011 08:18 AM, Jakub Hrozek wrote: >>>> On 05/23/2011 08:00 AM, Jan Cholasta wrote: >>>>> On 22.5.2011 18:28, Jakub Hrozek wrote: >>>>>> On 05/20/2011 08:27 PM, Jan Cholasta wrote: >>>>>>> TODO: Clean unreachable code paths off of ipa-server-install (?) >>>>>> >>>>>> In general I agree even though I don't know exactly what code you have >>>>>> in mind -- if the code is dead there's no reason to keep it. >>>>> >>>>> I've noticed that e.g. if the hostname can't be resolved, verify_fqdn >>>>> raises an exception, so some of the checks below the "ip = >>>>> resolve_host(host_name)" line in ipa-server-install are unnecessary, >>>>> but >>>>> I'm not yet sure if I'm not missing something. >>>>> >>>>>> >>>>>>> TODO: Workarounds for netaddr bugs (?) >>>>>> >>>>>> Are these bugs reported upstream? I know you mentioned some in an >>>>>> earlier e-mail, just wondering if they are the same. >>>>>> >>>>>> Long term, it might be better to fix them in netaddr rather than >>>>>> working >>>>>> around them. >>>>> >>>>> Yes, they're the same and are already fixed (according to the netaddr >>>>> bug tracker), but there's no release with the fixes yet (or it's not in >>>>> Fedora). 
There are not any big issues that I'm aware of, it's just that >>>>> if you specify incorrect netmask with an IPv4 address, the error >>>>> message >>>>> isn't very helpful to the user: >>>>> >>>>> netaddr.IPNetwork('192.168.1.1/33') >>>>> ... >>>>> UnboundLocalError: local variable 'ip' referenced before assignment >>>>> >>>>>> >>>>>> Jakub >>>>>> >>>>> >>>>> Honza >>>>> >>>> >>> >>> I cherry-picked a patch for that issue from upstream and built a fixed >>> python-netaddr: >>> https://admin.fedoraproject.org/updates/python-netaddr-0.7.5-3.fc15 >>> >>> Please test and add karma :-) >>> >> >> Done. >> > > The update went stable today in case you wanted to Require: the fixed > version Great, opened ticket https://fedorahosted.org/freeipa/ticket/1288 From jdennis at redhat.com Tue Jun 7 16:48:33 2011 From: jdennis at redhat.com (John Dennis) Date: Tue, 07 Jun 2011 12:48:33 -0400 Subject: [Freeipa-devel] Fwd: Re: Fwd: Re: [Freeipa-users] Issue with replication install Message-ID: <4DEE5661.7040702@redhat.com> Forwarding to proper list ... -------- Original Message -------- Subject: Re: Fwd: Re: [Freeipa-users] Issue with replication install Date: Tue, 07 Jun 2011 09:44:48 -0400 
From: Ade Lee Reply-To: alee at redhat.com Organization: Red Hat To: dpal at redhat.com CC: John Dennis John/Dmitri, I just joined freeipa-users list, but I can't see any previous threads. Perhaps, you can post my reply (and then I should see your post and be able to respond further as needed). Reply: The pki-ca instance is trying to set up a replication agreement between the master instance and the new replica instance. Once that agreement is set up and initialized, pki-ca waits for all the entries to be replicated over before continuing. For some reason, the data has not been replicated over and pki-ca install code continues to wait. The error in catalina.out is a red herring. Some questions/suggestions: 1. Is this a reproducible situation? 2. Are the directory server ports (7389?) open and accessible on both boxes? 3. Can the boxes see each other? Are you using NAT between them - or are they both on the same subnet? 4. Looking in the directory server logs may provide some insight as to why the replication failed. Also, by examining the replication entry under cn=config, you should be able to see some kind of status string - as well as the variables (host/port etc). used in the replication. Ade On Mon, 2011-06-06 at 17:42 -0400, Dmitri Pal wrote: > If you know the answer please help the guy on the freeipa-users list. > > -------- Original Message -------- > Subject: > Re: [Freeipa-users] Issue with > replication install > Date: > Mon, 6 Jun 2011 16:27:34 -0400 
> From: > Uzor Ide > To: > freeipa-users at redhat.com > > > Anybody with idea why my replication setup is hanging at stage 4 of > the 11 stage process. > > ######################################################### > Configuring directory server for the CA: Estimated time 30 seconds > [1/3]: creating directory server user > [2/3]: creating directory server instance > [3/3]: restarting directory server > done configuring pkids. > Configuring certificate server: Estimated time 6 minutes > [1/11]: creating certificate server user > [2/11]: creating pki-ca instance > [3/11]: restarting certificate server > [4/11]: configuring certificate server instance > ############################################################### > > When I checked the pki-ca debug log, everything is okay until it gets > to the this stage and it keeps repeating the last entry. > > #################################################################### > [06/Jun/2011:16:00:13][http-9445-1]: DatabasePanel initializeConsumer: > initializeConsumer host: company.domain.com port: 7389 > [06/Jun/2011:16:00:13][http-9445-1]: DatabasePanel initializeConsumer: > start modifying > [06/Jun/2011:16:00:14][http-9445-1]: DatabasePanel initializeConsumer: > Finish modification. > [06/Jun/2011:16:00:14][http-9445-1]: DatabasePanel initializeConsumer: > thread sleeping for 5 seconds. > [06/Jun/2011:16:00:19][http-9445-1]: DatabasePanel initializeConsumer: > finish sleeping. > [06/Jun/2011:16:00:19][http-9445-1]: DatabasePanel initializeConsumer: > Successfully initialize consumer > [06/Jun/2011:16:00:19][http-9445-1]: DatabasePanel > comparetAndWaitEntries checking ou=people,o=ipaca > [06/Jun/2011:16:00:30][http-9445-1]: DatabasePanel > comparetAndWaitEntries ou=people,o=ipaca not found, let's wait! 
> [06/Jun/2011:16:00:35][http-9445-1]: DatabasePanel > comparetAndWaitEntries checking ou=people,o=ipaca > [06/Jun/2011:16:00:35][http-9445-1]: DatabasePanel > comparetAndWaitEntries ou=people,o=ipaca not found, let's wait! > ######################################################################## > > > If left for hours, it will keep repeating the last > entry. > In the catalina.out log, I get the following Java exception > > > ########################################################################### > INFO: Deploying web application directory ca > Jun 6, 2011 3:58:36 PM org.apache.catalina.startup.Catalina stopServer > SEVERE: Catalina.stop: > java.net.ConnectException: Connection refused > at java.net.PlainSocketImpl.socketConnect(Native Method) > at > java.net.AbstractPlainSocketImpl.doConnect(AbstractPlainSocketImpl.java:327) > at > java.net.AbstractPlainSocketImpl.connectToAddress(AbstractPlainSocketImpl.java:193) > at > java.net.AbstractPlainSocketImpl.connect(AbstractPlainSocketImpl.java:180) > at java.net.SocksSocketImpl.connect(SocksSocketImpl.java:384) > at java.net.Socket.connect(Socket.java:546) > at java.net.Socket.connect(Socket.java:495) > at java.net.Socket.(Socket.java:392) > at java.net.Socket.(Socket.java:206) > at > org.apache.catalina.startup.Catalina.stopServer(Catalina.java:412) > at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) > at > sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57) > at > sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) > at java.lang.reflect.Method.invoke(Method.java:616) > at > org.apache.catalina.startup.Bootstrap.stopServer(Bootstrap.java:338) > at > org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:416) > 32-bit osutil library loaded > 32-bit osutil library loaded > CMS Warning: FAILURE: Cannot build CA chain.
Error > java.security.cert.CertificateException: Certificate is not a PKCS #11 > certificate|FAILURE: authz instance DirAclAuthz initialization failed > and skipped, error=Property internaldb.ldapconn.port missing value| > Server is started. > Jun 6, 2011 3:58:44 PM org.apache.catalina.startup.HostConfig > deployDirectory > INFO: Deploying web application directory ROOT > ############################################################# > > While this points to a connection failure, I don't know why that is so > because there is no firewall running on the two boxes; I also > disabled selinux just to make sure, but it did not make any difference. > > There is a bug number 643449 with this exception thrown here in > bugzilla, but that issue was supposed to be caused by a missing > xalan-j2-serializer.jar file in tomcat5. This is tomcat6. > > Any help will be appreciated. > > Thanks > > __Ide > > > On Fri, Jun 3, 2011 at 2:32 PM, Uzor Ide wrote: > I have corrected the problem with the ipa server, from the > broken tomcat/pki-ca; > > The problem comes from a symlink that was created during the setup > of pki-ca from PKI-HOME for > jakarta-commons-collections.jar > to /usr/share/java/jakarta-commons-collections.jar. > This file is a member of the jakarta-commons-collections rpm > package in fc14. In fc15 the jakarta-commons-collections package > appears to have been renamed to apache-commons-collections and > an equivalent file apache-commons-collections.jar is > contained. > However when you upgrade, at least in my own case using > preupgrade, it leaves the > /var/lib/pki-ca/webapps/ca/WEB-INF/lib/jakarta-commons-collections.jar link orphaned. Recreating the symlink to /usr/share/java/apache-commons-collections.jar fixes the problem. > > I have created a new replica package and I see that it > contains the dogtagcert.p12 file. > > I will try to install the replica and see how it goes.
> > Thanks > > __Ide > > > > > > > On Fri, Jun 3, 2011 at 10:28 AM, Uzor Ide > wrote: > The IPA server is version 2.0.0 R3 which is supposed > to install on fc14 with some packages from > updates-testing repo, while the replica install is on > server 2.0.1 > > Yes, there is no dogtagcert.p12 file; here are the > files contained: > realm_info/httpcert.p12 > realm_info/cacert.p12 > realm_info/ldappwd > realm_info/ra.p12 > realm_info/http_pin.txt > realm_info/realm_info > realm_info/configure.jar > realm_info/dscert.p12 > realm_info/dirsrv_pin.txt > realm_info/pwdfile.txt.ori > realm_info/pwdfile.txt > realm_info/kpasswd.keytab > realm_info/preferences.htm > realm_info/ca.crt > > I have upgraded the IPA box to fc15 and freeipa-2.0.1 > in the quest to get a correct replica package but that > seems to have created another problem as it has broken > the tomcat and thus pki-ca. > > Jun 3, 2011 10:09:29 AM > org.apache.catalina.loader.WebappLoader start > SEVERE: LifecycleException > java.io.IOException: Failed to access > resource /WEB-INF/lib/jakarta-commons-collections.jar > at > org.apache.catalina.loader.WebappLoader.setRepositories(WebappLoader.java:1050) > at > org.apache.catalina.loader.WebappLoader.start(WebappLoader.java:681) > at > org.apache.catalina.core.StandardContext.start(StandardContext.java:4541) > at > org.apache.catalina.core.ContainerBase.addChildInternal(ContainerBase.java:799) > at > org.apache.catalina.core.ContainerBase.addChild(ContainerBase.java:779) > at > org.apache.catalina.core.StandardHost.addChild(StandardHost.java:546) > at > org.apache.catalina.startup.HostConfig.deployDirectory(HostConfig.java:1041) > at > org.apache.catalina.startup.HostConfig.deployDirectories(HostConfig.java:964) > at > org.apache.catalina.startup.HostConfig.deployApps(HostConfig.java:502) > at > org.apache.catalina.startup.HostConfig.start(HostConfig.java:1277) > at > org.apache.catalina.startup.HostConfig.lifecycleEvent(HostConfig.java:321) > at > 
org.apache.catalina.util.LifecycleSupport.fireLifecycleEvent(LifecycleSupport.java:142) > at > org.apache.catalina.core.ContainerBase.start(ContainerBase.java:1061) > at > org.apache.catalina.core.StandardHost.start(StandardHost.java:785) > at > org.apache.catalina.core.ContainerBase.start(ContainerBase.java:1053) > at > org.apache.catalina.core.StandardEngine.start(StandardEngine.java:463) > at > org.apache.catalina.core.StandardService.start(StandardService.java:525) > at > org.apache.catalina.core.StandardServer.start(StandardServer.java:701) > at > org.apache.catalina.startup.Catalina.start(Catalina.java:585) > at > sun.reflect.NativeMethodAccessorImpl.invoke0(Native > Method) > at > sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57) > at > sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) > at > java.lang.reflect.Method.invoke(Method.java:616) > at > org.apache.catalina.startup.Bootstrap.start(Bootstrap.java:289) > at > org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:414) > Caused by: javax.naming.NamingException: Resource > jakarta-commons-collections.jar not found > at > org.apache.naming.resources.FileDirContext.lookup(FileDirContext.java:209) > at > org.apache.catalina.loader.WebappLoader.setRepositories(WebappLoader.java:1048) > ... 24 more > > It seems to me that it is looking for > jakarta-commons-collections.jar which exists but is a > package from the old tomcat6-6.0.26. > > > Thanks > > __Ide > > > > > On Thu, Jun 2, 2011 at 11:08 AM, Rob Crittenden > wrote: > Uzor Ide wrote: > Thanks Rob > > I did run the certutil -L > -d /etc/dirsrv/slapd-PKI-IPA command; > the > nssdb is empty > If the CA cert is supposed to exist > there at that stage of install, > then that would be the problem. > > Both the slapd-PKI-IPA error and > access logs do not contain much. I > attached them herein with the > ipareplica-install.log.
> > > > How old is the prepared replica file, and was > it created with an older version of IPA? > > In one of the last release candidates we > started creating a separate SSL certificate > for the 389-ds instance used by dogtag. I get > the feeling that doesn't exist which would > explain why SSL is failing. > > You can check by doing something like: > # gpg -d replica-info-.gpg | tar > tvf - > > The file you're looking for is dogtagcert.p12 > > rob > thanks > > Ide > > > On Wed, Jun 1, 2011 at 11:40 AM, Rob > Crittenden > > wrote: > > Uzor Ide wrote: > > > Hi all > > We are trying to setup a backup > IPA server and decided to toe that > replication route. > The box is a fedora 14 with > freeipa-2.0-RC2 which I upgraded to > fedora > 15 and freeipa 2.0.1. > Note we first did > ipa-server-install --uninstall before > upgrading the > freeipa packages so as to make > sure that the server is > relatively clean. > > However when I run that > ipa-replica-install command, I end up > with the > following error in the > ipareplica-install.log > > 2011-05-31 23:54:33,352 DEBUG > args=/sbin/service dirsrv restart > PKI-IPA > 2011-05-31 23:54:33,353 DEBUG > stdout=Shutting down dirsrv: > PKI-IPA...[ OK ] > Starting dirsrv: > PKI-IPA...[FAILED] > *** Warning: 1 instance(s) > failed to start > > 2011-05-31 23:54:33,354 DEBUG > stderr=[31/May/2011:23:54:23 > -0400] - SSL > alert: Security Initialization: > Unable to authenticate (Netscape > Portable Runtime error -8192 - > An I/O error occurred during security > authorization.) > [31/May/2011:23:54:23 -0400] - > ERROR: SSL Initialization Failed. > > 2011-05-31 23:54:33,497 DEBUG > args=/sbin/service dirsrv status > 2011-05-31 23:54:33,500 DEBUG > stdout=dirsrv PKI-IPA is stopped > > 2011-05-31 23:54:33,501 DEBUG > stderr= > 2011-05-31 23:54:33,502 > CRITICAL Failed to restart the > directory > server. > See the installation log for > details. 
> > These are the tomcat rpms on the > server > > > tomcat5-servlet-2.4-api-5.5.31-3.fc15.noarch > > tomcat6-jsp-2.1-api-6.0.30-6.fc15.noarch > tomcat6-6.0.30-6.fc15.noarch > > tomcat6-servlet-2.5-api-6.0.30-6.fc15.noarch > > tomcat6-lib-6.0.30-6.fc15.noarch > > tomcat6-el-2.1-api-6.0.30-6.fc15.noarch > tomcatjss-2.1.1-1.fc15.noarch > > So the tomcat6 version is > definitely greater than > tomcat6-6-0.30-5. > > > The /var/log/dirsrv/slapd-PKI-IPA/errors log does not show any > other > thing different from same, > > [31/May/2011:23:54:23 -0400] - > SSL alert: Security Initialization: > Unable to authenticate > (Netscape Portable Runtime error -8192 > - > An I/O > error occurred during security > authorization.) > [31/May/2011:23:54:23 -0400] - > ERROR: SSL Initialization Failed > > > Any help will be greatly > appreciated > > Ide > > > I think we need more context. Can > you compress and send > /var/log/ipareplica-install.log ? > > I'd also suggest looking > at /var/log/dirsrv/PKI-IPA/access and > errors to see if there is anything > interesting there. > > And can you provide the output for: > > certutil -L > -d /etc/dirsrv/slapd-PKI-IPA > > It would seem that your 389-ds > instance is missing a copy of the CA > cert. > > thanks > > rob > > > > > > _______________________________________________ > Freeipa-users mailing list > Freeipa-users at redhat.com > https://www.redhat.com/mailman/listinfo/freeipa-users > > > > > > > > From rcritten at redhat.com Tue Jun 7 18:10:11 2011
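Ade's suggestion 4 in the forwarded thread, look at the replication agreement entries under cn=config for a status string, is the quickest way to see why pki-ca's comparetAndWaitEntries loop never finds ou=people,o=ipaca on the replica. The block below is an added example, not Dogtag or FreeIPA code and not part of the thread: it parses the LDIF that an ldapsearch of the agreements prints (the command is in the module docstring; 7389 is the Dogtag 389-ds port mentioned above) and flags any agreement whose last init or update did not report status 0, or whose initialization never finished. The attribute names are the standard 389-ds ones; the sample LDIF is constructed for the example, including the base64-encoded status value and the folded line, so it runs offline. The "0 ..." and "Error (0) ..." status prefixes cover the old and new 389-ds formats.

```python
"""Added example (not FreeIPA/Dogtag code): flag broken 389-ds replication agreements.

Feed it the output of, for example:
  ldapsearch -x -LLL -H ldap://master.example.com:7389 -D "cn=Directory Manager" -W \
      -b cn=config "(objectClass=nsds5replicationagreement)"
"""
import base64
import re

STATUS_ATTRS = ("nsds5replicaLastInitStatus", "nsds5replicaLastUpdateStatus")
NEVER = "19700101000000Z"                      # 389-ds writes the epoch before the first init
_OK = re.compile(r"^(?:Error \(0\)|0)(?:\s|$)")  # "0 Replica acquired..." / "Error (0) ..."


def _to_entry(lines):
    """Turn one entry's unfolded LDIF lines into {attr-lowercase: [values]}."""
    entry = {}
    for line in lines:
        attr, _, value = line.partition(":")
        if value.startswith(":"):                              # "attr:: base64" form
            value = base64.b64decode(value[1:].strip()).decode("utf-8")
        else:
            value = value.strip()
        entry.setdefault(attr.strip().lower(), []).append(value)
    return entry


def parse_ldif(text):
    """Minimal LDIF reader: comments, blank-line separated entries, folded lines, base64."""
    entries, lines = [], []
    for raw in text.splitlines() + [""]:                       # trailing "" flushes the last entry
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]                               # continuation of previous line
        elif raw.strip() == "":
            if lines:
                entries.append(_to_entry(lines))
                lines = []
        elif not raw.startswith("#"):
            lines.append(raw)
    return entries


def check_agreements(ldif_text):
    """One report dict per agreement entry: dn, peer host:port, ok flag, list of problems."""
    report = []
    for e in parse_ldif(ldif_text):
        classes = [c.lower() for c in e.get("objectclass", [])]
        if "dn" not in e or "nsds5replicationagreement" not in classes:
            continue                                           # skip "search:/result:" lines etc.
        problems = []
        for attr in STATUS_ATTRS:
            for status in e.get(attr.lower(), []):
                if not _OK.match(status):
                    problems.append(f"{attr}: {status}")
        if e.get("nsds5replicalastinitend", [NEVER])[0] == NEVER:
            problems.append("nsds5replicaLastInitEnd: initialization never completed")
        host = e.get("nsds5replicahost", ["?"])[0]
        port = e.get("nsds5replicaport", ["?"])[0]
        report.append({"dn": e["dn"][0], "peer": f"{host}:{port}",
                       "ok": not problems, "problems": problems})
    return report


# Constructed sample, not captured from a real server: one healthy agreement and one
# whose consumer could not be reached (its init status is base64 "-1 Connection refused").
SAMPLE_LDIF = """\
# extended LDIF
#
dn: cn=masterAgreement1-replica.example.com-pki-ca,cn=replica,cn=o\\3Dipaca,cn=mapping tree,cn=config
objectClass: top
objectClass: nsds5replicationagreement
cn: masterAgreement1-replica.example.com-pki-ca
nsds5replicaHost: replica.example.com
nsds5replicaPort: 7389
nsds5replicaLastInitStart: 20110606195913Z
nsds5replicaLastInitEnd: 20110606195918Z
nsds5replicaLastInitStatus: 0 Total update succeeded
nsds5replicaLastUpdateStatus: 0 Replica acquired successfully: Incremental
  update succeeded

dn: cn=cloneAgreement1-replica.example.com-pki-ca,cn=replica,cn=o\\3Dipaca,cn=mapping tree,cn=config
objectClass: top
objectClass: nsds5replicationagreement
cn: cloneAgreement1-replica.example.com-pki-ca
nsds5replicaHost: master.example.com
nsds5replicaPort: 7389
nsds5replicaLastInitStart: 19700101000000Z
nsds5replicaLastInitEnd: 19700101000000Z
nsds5replicaLastInitStatus:: LTEgQ29ubmVjdGlvbiByZWZ1c2Vk
nsds5replicaLastUpdateStatus: -1  - LDAP error: Can't contact LDAP server

# search result
search: 2
result: 0 Success
"""
```

Run `check_agreements(SAMPLE_LDIF)` and the second agreement comes back with three problems (failed init, failed update, init never completed), which is the pattern a replica install that hangs at "[4/11]: configuring certificate server instance" would show on whichever side cannot reach the other's port 7389.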
From: rcritten at redhat.com (Rob Crittenden) Date: Tue, 07 Jun 2011 14:10:11 -0400 Subject: [Freeipa-devel] [PATCH] 073 IPA installation with --no-host-dns fails In-Reply-To: <1306919578.2419.2.camel@dhcp-25-52.brq.redhat.com> References: <1306919578.2419.2.camel@dhcp-25-52.brq.redhat.com> Message-ID: <4DEE6983.2050207@redhat.com> Martin Kosek wrote: > Patch for both master and ipa-2-0 branch attached. > --- > --no-host-dns option should allow installing IPA server on a host > without a DNS resolvable name. > > The parse_ip_address and verify_ip_address functions have been > changed not to return None and print error messages in case of > an error, but rather let the Exception be handled by the calling > routine. > > https://fedorahosted.org/freeipa/ticket/1246 > > https://www.redhat.com/mailman/listinfo/freeipa-devel Why remove the IP address validation from ipa-replica-prepare? rob From rcritten at redhat.com Tue Jun 7 18:38:15 2011
From: rcritten at redhat.com (Rob Crittenden) Date: Tue, 07 Jun 2011 14:38:15 -0400 Subject: [Freeipa-devel] [PATCH] 068 Connection check program for replica installation In-Reply-To: <1307020989.2419.31.camel@dhcp-25-52.brq.redhat.com> References: <1306157956.2514.9.camel@dhcp-25-52.brq.redhat.com> <4DDAC65E.7080300@redhat.com> <1306224886.2514.24.camel@dhcp-25-52.brq.redhat.com> <4DE07598.4050000@redhat.com> <1306570392.2433.2.camel@dhcp-25-52.brq.redhat.com> <1307020989.2419.31.camel@dhcp-25-52.brq.redhat.com> Message-ID: <4DEE7017.6010305@redhat.com> Martin Kosek wrote: > On Sat, 2011-05-28 at 10:13 +0200, Martin Kosek wrote: >> On Sat, 2011-05-28 at 00:10 -0400, Rob Crittenden wrote: >>> Martin Kosek wrote: >>>> On Mon, 2011-05-23 at 16:41 -0400, Rob Crittenden wrote: >>>>> Martin Kosek wrote: >>>>>> This is a first version of connection checking program for replica >>>>>> installation. See patch for program purpose description. Currently, >>>>>> there are no man pages for the program. >>>>>> >>>>>> Note to Simo and Rob: I use a password for logging in as admin. Btw would it >>>>>> be safe to have an admin keytab in the replica file? Replica file >>>>>> contents are lying freely in /tmp after the replica installation. >>>>>> >>>>>> Martin >>>>> >>>>> nack, you aren't including the new binary in the spec. >>>> >>>> Oh, thanks for this one. >>>> >>>>> >>>>> You should also: >>>>> >>>>> - set KRB5CCNAME to a temporary ccache and remove that when the install >>>>> exits (successful or not) >>>> >>>> Done. >>>> >>>>> - remove the temporary krb5.conf you create >>>> >>>> Done. >>>> >>>>> - be a bit more explicit what we are doing, at least more than "Run >>>>> connection check to master". >>>> >>>> Actually, I am if you run the new script separately. I removed "--quiet" >>>> parameter passed to the script in ipa-replica-install so that it is more >>>> verbose. Plus, I improved texts sent to the user. 
>>>> >>>>> - yes, we should remove the replica file contents >>>> >>>> I enhanced ipa-replica-install to do that. >>>> >>>> Martin >>>> >>> >>> Works great until the very end: >>> ... >>> ... >>> >>> Execute check on remote master >>> Check connection from master to remote replica 'slinky.greyoak.com': >>> Directory Service: unsecure port (389): FAILED >>> Directory Service: secure port (636): FAILED >>> Kerberos (88): OK >>> >>> Remote master check failed with following error message(s): >>> Could not chdir to home directory /home/admin: No such file or directory >>> Port check failed! Unaccessible port(s): 389, 636 >>> >>> Connection check failed with following error: None >>> >>> rob >> >> Right, I introduced this wrong error message in the last patch. I fixed >> this one and also one typo. Updated patch attached. >> >> Martin > > I created a man page for the new program. Please feel free to > fix/propose a fix for any language errors that may be there. > > Missing records in Makefile.am for both man page and the new program > have been added. > > Martin ack rob From rcritten at redhat.com Tue Jun 7 18:42:35 2011 
From: rcritten at redhat.com (Rob Crittenden) Date: Tue, 07 Jun 2011 14:42:35 -0400 Subject: [Freeipa-devel] [PATCH] 068 Connection check program for replica installation In-Reply-To: <4DEE7017.6010305@redhat.com> References: <1306157956.2514.9.camel@dhcp-25-52.brq.redhat.com> <4DDAC65E.7080300@redhat.com> <1306224886.2514.24.camel@dhcp-25-52.brq.redhat.com> <4DE07598.4050000@redhat.com> <1306570392.2433.2.camel@dhcp-25-52.brq.redhat.com> <1307020989.2419.31.camel@dhcp-25-52.brq.redhat.com> <4DEE7017.6010305@redhat.com> Message-ID: <4DEE711B.1040400@redhat.com> Rob Crittenden wrote: > Martin Kosek wrote: >> On Sat, 2011-05-28 at 10:13 +0200, Martin Kosek wrote: >>> On Sat, 2011-05-28 at 00:10 -0400, Rob Crittenden wrote: >>>> Martin Kosek wrote: >>>>> On Mon, 2011-05-23 at 16:41 -0400, Rob Crittenden wrote: >>>>>> Martin Kosek wrote: >>>>>>> This is a first version of connection checking program for replica >>>>>>> installation. See patch for program purpose description. Currently, >>>>>>> there are no man pages for the program. >>>>>>> >>>>>>> Note to Simo and Rob: I use a password for logging in as admin. Btw >>>>>>> would it >>>>>>> be safe to have an admin keytab in the replica file? Replica file >>>>>>> contents are lying freely in /tmp after the replica installation. >>>>>>> >>>>>>> Martin >>>>>> >>>>>> nack, you aren't including the new binary in the spec. >>>>> >>>>> Oh, thanks for this one. >>>>> >>>>>> >>>>>> You should also: >>>>>> >>>>>> - set KRB5CCNAME to a temporary ccache and remove that when the >>>>>> install >>>>>> exits (successful or not) >>>>> >>>>> Done. >>>>> >>>>>> - remove the temporary krb5.conf you create >>>>> >>>>> Done. >>>>> >>>>>> - be a bit more explicit what we are doing, at least more than "Run >>>>>> connection check to master". >>>>> >>>>> Actually, I am if you run the new script separately. I removed >>>>> "--quiet" >>>>> parameter passed to the script in ipa-replica-install so that it is >>>>> more >>>>> verbose. 
Plus, I improved texts sent to the user. >>>>> >>>>>> - yes, we should remove the replica file contents >>>>> >>>>> I enhanced ipa-replica-install to do that. >>>>> >>>>> Martin >>>>> >>>> >>>> Works great until the very end: >>>> ... >>>> ... >>>> >>>> Execute check on remote master >>>> Check connection from master to remote replica 'slinky.greyoak.com': >>>> Directory Service: unsecure port (389): FAILED >>>> Directory Service: secure port (636): FAILED >>>> Kerberos (88): OK >>>> >>>> Remote master check failed with following error message(s): >>>> Could not chdir to home directory /home/admin: No such file or >>>> directory >>>> Port check failed! Unaccessible port(s): 389, 636 >>>> >>>> Connection check failed with following error: None >>>> >>>> rob >>> >>> Right, I introduced this wrong error message in the last patch. I fixed >>> this one and also one typo. Updated patch attached. >>> >>> Martin >> >> I created a man page for the new program. Please feel free to >> fix/propose a fix for any language errors that may be there. >> >> Missing records in Makefile.am for both man page and the new program >> have been added. >> >> Martin > > ack > > rob Oh, I forgot. Before you push can you clean up the trailing whitespace? rob From rcritten at redhat.com Tue Jun 7 20:47:34 2011 From: rcritten at redhat.com (Rob Crittenden) Date: Tue, 07 Jun 2011 16:47:34 -0400 Subject: [Freeipa-devel] [PATCH] 071 Fix forward zone creation in ipa-replica-prepare In-Reply-To: <1306760247.2427.21.camel@dhcp-25-52.brq.redhat.com> References: <1306760247.2427.21.camel@dhcp-25-52.brq.redhat.com> Message-ID: <4DEE8E66.3080106@redhat.com> Martin Kosek wrote: > This case was missed in patch 070 Fix reverse zone creation in > ipa-replica-prepare. > > There are 2 patches, one for master and one for stable ipa-2-0 (without > the newest IP address enhancement). > > Martin ack for both From rcritten at redhat.com Tue Jun 7 21:50:47 2011 
From: rcritten at redhat.com (Rob Crittenden) Date: Tue, 07 Jun 2011 17:50:47 -0400 Subject: [Freeipa-devel] [PATCH] 072 Fix support for nss-pam-ldapd In-Reply-To: <1306914104.3496.11.camel@dhcp-25-52.brq.redhat.com> References: <1306914104.3496.11.camel@dhcp-25-52.brq.redhat.com> Message-ID: <4DEE9D37.90608@redhat.com> Martin Kosek wrote: > Test hints: > 1) Test with nss-ldap package > - install nss-ldap on the client machine > - install IPA client with --no-sssd option > - `id admin', logging in to the machine should work (even after the > restart, i.e. correct services are run after the restart) > 2) Test with nss-pam-ldapd > - uninstall nss-ldap, install nss-pam-ldapd > - install IPA client with --no-sssd option > - `id admin', logging in to the machine should work > 3) Test with SSSD > - install IPA client > - `id admin', logging in to the machine should work > > --- > > Client installation with --no-sssd option was broken if the client > was based on a nss-pam-ldap instead of nss_ldap. The main issue is > with authconfig rewriting the nslcd.conf after it has been > configured by ipa-client-install. > > This has been fixed by changing an order of installation steps. > Additionally, nslcd daemon needed for nss-pam-ldap function is > correctly started. > > https://fedorahosted.org/freeipa/ticket/1235 Ack, works great. Two requests: 1. Can you add this test information to the ticket? 2. There was some whitespace in the patch, can you remove it before pushing? thanks rob From mkosek at redhat.com Wed Jun 8 06:47:39 2011
From: mkosek at redhat.com (Martin Kosek) Date: Wed, 08 Jun 2011 08:47:39 +0200 Subject: [Freeipa-devel] [PATCH] 073 IPA installation with --no-host-dns fails In-Reply-To: <4DEE6983.2050207@redhat.com> References: <1306919578.2419.2.camel@dhcp-25-52.brq.redhat.com> <4DEE6983.2050207@redhat.com> Message-ID: <1307515661.28590.2.camel@dhcp-25-52.brq.redhat.com> On Tue, 2011-06-07 at 14:10 -0400, Rob Crittenden wrote: > Martin Kosek wrote: > > Patch for both master and ipa-2-0 branch attached. > > --- > > --no-host-dns option should allow installing IPA server on a host > > without a DNS resolvable name. > > > > The parse_ip_address and verify_ip_address functions have been > > changed not to return None and print error messages in case of > > an error, but rather let the Exception be handled by the calling > > routine. > > > > https://fedorahosted.org/freeipa/ticket/1246 > > > > https://www.redhat.com/mailman/listinfo/freeipa-devel > > Why remove the IP address validation from ipa-replica-prepare? > > rob Because it is redundant. As the ip_address parameter in IPAOptionParser has type="ipnet" it is automatically validated during parser.parse_args(). Martin From mkosek at redhat.com Wed Jun 8 07:18:42 2011
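The reply above rests on one mechanism: the option carries a custom type, so a bad value is rejected inside parser.parse_args() and no second check is needed downstream. The block below is an added illustration of that mechanism written for this page; it is not FreeIPA's IPAOptionParser or its ipnet type. The "ipnet" type name, the --ip-address and --no-host-dns options and the help strings are modelled on the thread, and the actual address check uses Python 3's ipaddress module (an assumption; the 2011 code had its own parser). The type checker raises rather than printing and returning None, and a parser subclass converts the parser's exit into an exception, so the caller decides how to report the error, which is the direction patch 073 takes.

```python
import ipaddress
import optparse
from copy import copy


def check_ipnet(option, opt, value):
    """Type checker for the hypothetical 'ipnet' type: an IPv4 or IPv6 address
    with an optional /prefix. It raises so that optparse routes the failure
    through parser.error() instead of handing None back to the caller."""
    try:
        return ipaddress.ip_interface(value)
    except ValueError as exc:
        raise optparse.OptionValueError("option %s: %s" % (opt, exc))


class IPNetOption(optparse.Option):
    """optparse's documented way to add a type: extend TYPES and TYPE_CHECKER."""
    TYPES = optparse.Option.TYPES + ("ipnet",)
    TYPE_CHECKER = copy(optparse.Option.TYPE_CHECKER)
    TYPE_CHECKER["ipnet"] = check_ipnet


class RaisingParser(optparse.OptionParser):
    """Raise instead of sys.exit() so library callers (and tests) see the error."""
    def error(self, msg):
        raise ValueError(msg)


def build_parser():
    # Option names follow the thread; help texts are this example's own.
    parser = RaisingParser(option_class=IPNetOption)
    parser.add_option("--ip-address", dest="ip_address", type="ipnet",
                      help="server IP address, optionally with /prefix; "
                           "validated while parsing")
    parser.add_option("--no-host-dns", dest="no_host_dns", action="store_true",
                      default=False,
                      help="do not require the host name to resolve in DNS")
    return parser


def parse_ip_option(argv):
    """Return the validated ipaddress interface object, or None when absent."""
    opts, _ = build_parser().parse_args(argv)
    return opts.ip_address


def parse_error(argv):
    """Return the parser's error text for argv, or None when argv is accepted."""
    try:
        parse_ip_option(argv)
        return None
    except ValueError as exc:
        return str(exc)


if __name__ == "__main__":
    print(parse_ip_option(["--ip-address", "192.0.2.10/24", "--no-host-dns"]))
    print(parse_error(["--ip-address", "999.1.1.1"]))
```

Because the check lives in the option type, every script that builds its parser with this option class gets the same validation, and there is no separate code path that can forget it; that is the redundancy Martin points at.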
From: mkosek at redhat.com (Martin Kosek) Date: Wed, 08 Jun 2011 09:18:42 +0200 Subject: [Freeipa-devel] [PATCH] 071 Fix forward zone creation in ipa-replica-prepare In-Reply-To: <4DEE8E66.3080106@redhat.com> References: <1306760247.2427.21.camel@dhcp-25-52.brq.redhat.com> <4DEE8E66.3080106@redhat.com> Message-ID: <1307517525.28590.12.camel@dhcp-25-52.brq.redhat.com> On Tue, 2011-06-07 at 16:47 -0400, Rob Crittenden wrote: > Martin Kosek wrote: > > This case was missed in patch 070 Fix reverse zone creation in > > ipa-replica-prepare. > > > > There are 2 patches, one for master and one for stable ipa-2-0 (without > > the newest IP address enhancement). > > > > Martin > > ack for both Pushed to master, ipa-2-0. Martin From mkosek at redhat.com Wed Jun 8 07:47:00 2011 
From: mkosek at redhat.com (Martin Kosek) Date: Wed, 08 Jun 2011 09:47:00 +0200 Subject: [Freeipa-devel] [PATCH] 068 Connection check program for replica installation In-Reply-To: <4DEE711B.1040400@redhat.com> References: <1306157956.2514.9.camel@dhcp-25-52.brq.redhat.com> <4DDAC65E.7080300@redhat.com> <1306224886.2514.24.camel@dhcp-25-52.brq.redhat.com> <4DE07598.4050000@redhat.com> <1306570392.2433.2.camel@dhcp-25-52.brq.redhat.com> <1307020989.2419.31.camel@dhcp-25-52.brq.redhat.com> <4DEE7017.6010305@redhat.com> <4DEE711B.1040400@redhat.com> Message-ID: <1307519222.28590.25.camel@dhcp-25-52.brq.redhat.com> On Tue, 2011-06-07 at 14:42 -0400, Rob Crittenden wrote: > Rob Crittenden wrote: > > Martin Kosek wrote: > >> On Sat, 2011-05-28 at 10:13 +0200, Martin Kosek wrote: > >>> On Sat, 2011-05-28 at 00:10 -0400, Rob Crittenden wrote: > >>>> Martin Kosek wrote: > >>>>> On Mon, 2011-05-23 at 16:41 -0400, Rob Crittenden wrote: > >>>>>> Martin Kosek wrote: > >>>>>>> This is a first version of connection checking program for replica > >>>>>>> installation. See patch for program purpose description. Currently, > >>>>>>> there are no man pages for the program. > >>>>>>> > >>>>>>> Note to Simo and Rob: I use a password for logging in as admin. Btw > >>>>>>> would it > >>>>>>> be safe to have an admin keytab in the replica file? Replica file > >>>>>>> contents are lying freely in /tmp after the replica installation. > >>>>>>> > >>>>>>> Martin > >>>>>> > >>>>>> nack, you aren't including the new binary in the spec. > >>>>> > >>>>> Oh, thanks for this one. > >>>>> > >>>>>> > >>>>>> You should also: > >>>>>> > >>>>>> - set KRB5CCNAME to a temporary ccache and remove that when the > >>>>>> install > >>>>>> exits (successful or not) > >>>>> > >>>>> Done. > >>>>> > >>>>>> - remove the temporary krb5.conf you create > >>>>> > >>>>> Done. > >>>>> > >>>>>> - be a bit more explicit what we are doing, at least more than "Run > >>>>>> connection check to master". 
> >>>>> > >>>>> Actually, I am if you run the new script separately. I removed > >>>>> "--quiet" > >>>>> parameter passed to the script in ipa-replica-install so that it is > >>>>> more > >>>>> verbose. Plus, I improved texts sent to the user. > >>>>> > >>>>>> - yes, we should remove the replica file contents > >>>>> > >>>>> I enhanced ipa-replica-install to do that. > >>>>> > >>>>> Martin > >>>>> > >>>> > >>>> Works great until the very end: > >>>> ... > >>>> ... > >>>> > >>>> Execute check on remote master > >>>> Check connection from master to remote replica 'slinky.greyoak.com': > >>>> Directory Service: unsecure port (389): FAILED > >>>> Directory Service: secure port (636): FAILED > >>>> Kerberos (88): OK > >>>> > >>>> Remote master check failed with following error message(s): > >>>> Could not chdir to home directory /home/admin: No such file or > >>>> directory > >>>> Port check failed! Unaccessible port(s): 389, 636 > >>>> > >>>> Connection check failed with following error: None > >>>> > >>>> rob > >>> > >>> Right, I introduced this wrong error message in the last patch. I fixed > >>> this one and also one typo. Updated patch attached. > >>> > >>> Martin > >> > >> I created a man page for the new program. Please feel free to > >> fix/propose a fix for any language errors that may be there. > >> > >> Missing records in Makefile.am for both man page and the new program > >> have been added. > >> > >> Martin > > > > ack > > > > rob > > Oh, I forgot. Before you push can you clean up the trailing whitespace? > > rob Pushed to master, whitespaces cleaned. I sent a heads up to QE team. It is true that this patch can break replica installation test. Martin From mkosek at redhat.com Wed Jun 8 08:02:52 2011 
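The review of patch 068 above asks for two things beyond the port probes themselves: KRB5CCNAME must point at a temporary ccache that is removed whether the install exits successfully or not, and the temporary krb5.conf must go the same way. The block below is an added example written for this page, not FreeIPA's ipa-replica-conncheck: a TCP probe that reports in the layout of the output quoted in the thread (389, 636, 88), and a context manager that scopes KRB5_CONFIG and KRB5CCNAME to a private directory and tears it down in a finally clause. The realm EXAMPLE.TEST and host master.example.test are placeholders, and the offline demo uses a loopback listener instead of a real master.

```python
import contextlib
import os
import shutil
import socket
import tempfile

# The ports the conncheck output quoted in this thread probes.
CHECKED_PORTS = [
    ("Directory Service: unsecure port", 389),
    ("Directory Service: secure port", 636),
    ("Kerberos", 88),
]


def port_open(host, port, timeout=3.0):
    """TCP connect probe; refused, filtered and unreachable all count as FAILED."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def check_ports(host, named_ports, probe=port_open):
    """Probe each (label, port) pair and return [(label, port, ok), ...]."""
    return [(label, port, probe(host, port)) for label, port in named_ports]


def unreachable_ports(results):
    return sorted(port for _, port, ok in results if not ok)


def report_lines(heading, results):
    """Render results the way the thread's conncheck output is laid out."""
    lines = [heading]
    for label, port, ok in results:
        lines.append("   %s (%d): %s" % (label, port, "OK" if ok else "FAILED"))
    failed = unreachable_ports(results)
    if failed:
        lines.append("Port check failed! Inaccessible port(s): %s"
                     % ", ".join(str(p) for p in failed))
    return lines


@contextlib.contextmanager
def temporary_krb5_env(realm, kdc):
    """Scope KRB5_CONFIG and KRB5CCNAME to a private temp dir for the check.

    The directory is removed and both variables restored in the finally
    clause, so a failed or crashing check leaves no krb5.conf or ccache behind.
    """
    saved = {name: os.environ.get(name) for name in ("KRB5_CONFIG", "KRB5CCNAME")}
    workdir = tempfile.mkdtemp(prefix="ipa-conncheck-")
    try:
        conf_path = os.path.join(workdir, "krb5.conf")
        with open(conf_path, "w") as conf:   # minimal config naming the master's KDC
            conf.write("[libdefaults]\n default_realm = %s\n\n[realms]\n %s = {\n"
                       "  kdc = %s:88\n }\n" % (realm, realm, kdc))
        os.environ["KRB5_CONFIG"] = conf_path
        os.environ["KRB5CCNAME"] = "FILE:" + os.path.join(workdir, "ccache")
        yield workdir
    finally:
        shutil.rmtree(workdir, ignore_errors=True)
        for name, value in saved.items():
            if value is None:
                os.environ.pop(name, None)
            else:
                os.environ[name] = value


def offline_port_demo():
    """Offline stand-in for the network: a loopback listener plays an open
    service, a just-released ephemeral port plays a blocked one."""
    listener = socket.socket()
    listener.bind(("127.0.0.1", 0))
    listener.listen(1)
    probe = socket.socket()
    probe.bind(("127.0.0.1", 0))
    closed_port = probe.getsockname()[1]
    probe.close()
    try:
        return check_ports("127.0.0.1", [("open service", listener.getsockname()[1]),
                                         ("blocked service", closed_port)])
    finally:
        listener.close()


def cleanup_demo():
    """Show the temp environment is gone even when the check raises half way."""
    facts = {}
    try:
        with temporary_krb5_env("EXAMPLE.TEST", "master.example.test") as workdir:
            facts["conf_present"] = os.path.isfile(os.path.join(workdir, "krb5.conf"))
            facts["ccache_scoped"] = os.environ["KRB5CCNAME"] == "FILE:" + os.path.join(workdir, "ccache")
            raise RuntimeError("simulated failure during the check")
    except RuntimeError:
        pass
    facts["workdir_removed"] = not os.path.exists(workdir)
    facts["env_restored"] = not os.environ.get("KRB5_CONFIG", "").startswith(workdir)
    return facts


if __name__ == "__main__":
    for line in report_lines("Check connection to '127.0.0.1' (offline demo):", offline_port_demo()):
        print(line)
    print(cleanup_demo())
```

A real run would call check_ports(master, CHECKED_PORTS) inside temporary_krb5_env() and then use the scoped ccache for the GSSAPI-authenticated reverse check; the point of the context manager is that the cleanup does not depend on the check reaching its last line.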
From: mkosek at redhat.com (Martin Kosek) Date: Wed, 08 Jun 2011 10:02:52 +0200 Subject: [Freeipa-devel] [PATCH] 072 Fix support for nss-pam-ldapd In-Reply-To: <4DEE9D37.90608@redhat.com> References: <1306914104.3496.11.camel@dhcp-25-52.brq.redhat.com> <4DEE9D37.90608@redhat.com> Message-ID: <1307520174.28590.27.camel@dhcp-25-52.brq.redhat.com> On Tue, 2011-06-07 at 17:50 -0400, Rob Crittenden wrote: > Martin Kosek wrote: > > Test hints: > > 1) Test with nss-ldap package > > - install nss-ldap on the client machine > > - install IPA client with --no-sssd option > > - `id admin', logging in to the machine should work (even after the > > restart, i.e. correct services are run after the restart) > > 2) Test with nss-pam-ldapd > > - uninstall nss-ldap, install nss-pam-ldapd > > - install IPA client with --no-sssd option > > - `id admin', logging in to the machine should work > > 3) Test with SSSD > > - install IPA client > > - `id admin', logging in to the machine should work > > > > --- > > > > Client installation with --no-sssd option was broken if the client > > was based on a nss-pam-ldap instead of nss_ldap. The main issue is > > with authconfig rewriting the nslcd.conf after it has been > > configured by ipa-client-install. > > > > This has been fixed by changing an order of installation steps. > > Additionally, nslcd daemon needed for nss-pam-ldap function is > > correctly started. > > > > https://fedorahosted.org/freeipa/ticket/1235 > > Ack, works great. > > Two requests: > > 1. Can you add this test information to the ticket? Done. > > 2. There was some whitespace in the patch, can you remove it before pushing? Sure, I think these trailing whitespaces will make me implement a check in my patch-sending script :-) Pushed to master, ipa-2-0. Martin From mkosek at redhat.com Wed Jun 8 12:35:48 2011
From: mkosek at redhat.com (Martin Kosek) Date: Wed, 08 Jun 2011 14:35:48 +0200 Subject: [Freeipa-devel] [PATCH] 077 Skip know_host check for ipa-replica-conncheck Message-ID: <1307536550.28590.31.camel@dhcp-25-52.brq.redhat.com> When IPA replica is installed and the master machine record is not in ~/.ssh/known_hosts, ipa-replica-install will prompt user to answer a question about adding a host to this file. This has, however, a potential to break automatic tests. ipa-replica-conncheck should not require any further user interaction when all mandatory options are filled. https://fedorahosted.org/freeipa/ticket/1305 -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-mkosek-077-skip-know_host-check-for-ipa-replica-conncheck.patch Type: text/x-patch Size: 1586 bytes Desc: not available URL: From simo at redhat.com Wed Jun 8 12:39:07 2011 
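The prompt this patch suppresses is ssh's host-key check: the master is not in ~/.ssh/known_hosts, so ssh asks before continuing. The alternative raised later in this thread, keeping the check but making it non-interactive, is to supply a known_hosts entry that matches the master's actual host key. The block below is an added example written for this page and is not FreeIPA code. It builds known_hosts lines in both the plain and the HashKnownHosts form, and verifies a presented key against them, telling an unknown host (no entry) apart from a key mismatch (an entry exists with a different key, which is the case to abort on rather than silently accept). The hostnames, the 32-byte key values and the salt are constructed placeholders, not real host keys.

```python
import base64
import hashlib
import hmac
import struct

# Constructed placeholders: fixed bytes standing in for Ed25519 public keys
# so the example runs offline. They are NOT real host keys.
MASTER_RAW_KEY = bytes(range(1, 33))
ROGUE_RAW_KEY = bytes(range(101, 133))
FIXED_SALT = bytes(range(20))      # OpenSSH draws 20 random bytes here


def _ssh_string(data):
    """One SSH wire-format string: 4-byte big-endian length, then the bytes."""
    return struct.pack(">I", len(data)) + data


def ed25519_blob(raw32):
    """OpenSSH public key blob for an Ed25519 key (the base64 field in known_hosts)."""
    if len(raw32) != 32:
        raise ValueError("Ed25519 public keys are 32 bytes")
    return _ssh_string(b"ssh-ed25519") + _ssh_string(raw32)


def fingerprint(blob):
    """SHA256 fingerprint in the form ssh-keygen -l prints (unpadded base64)."""
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def hashed_host_field(hostname, salt):
    """HashKnownHosts form: |1|b64(salt)|b64(HMAC-SHA1(key=salt, msg=hostname))."""
    mac = hmac.new(salt, hostname.encode(), hashlib.sha1).digest()
    return "|1|%s|%s" % (base64.b64encode(salt).decode(), base64.b64encode(mac).decode())


def known_hosts_line(hostname, blob, salt=None):
    """Render one known_hosts line; hashed when a salt is supplied."""
    field = hashed_host_field(hostname, salt) if salt else hostname
    return "%s ssh-ed25519 %s" % (field, base64.b64encode(blob).decode())


def host_field_matches(field, hostname):
    """Match a plain (possibly comma-separated) or hashed host field."""
    if field.startswith("|1|"):
        _, _, salt_b64, mac_b64 = field.split("|", 3)
        expected = hmac.new(base64.b64decode(salt_b64), hostname.encode(), hashlib.sha1).digest()
        return hmac.compare_digest(expected, base64.b64decode(mac_b64))
    return hostname in field.split(",")


def verify_host_key(known_hosts, hostname, presented_blob):
    """'ok' if a line for hostname carries exactly this key, 'mismatch' if the
    host is known with a different key, 'unknown' if no line matches.
    @cert-authority and @revoked markers are deliberately skipped here."""
    seen = False
    for line in known_hosts.splitlines():
        parts = line.split()
        if len(parts) < 3 or parts[0].startswith(("#", "@")):
            continue
        if not host_field_matches(parts[0], hostname):
            continue
        seen = True
        if parts[1] == "ssh-ed25519" and hmac.compare_digest(base64.b64decode(parts[2]), presented_blob):
            return "ok"
    return "mismatch" if seen else "unknown"


def sample_known_hosts():
    """Constructed file: a plain entry for the master, a hashed one for a second host."""
    master = ed25519_blob(MASTER_RAW_KEY)
    return "\n".join([
        "# constructed for this example; hostnames are placeholders",
        known_hosts_line("master.example.test", master),
        known_hosts_line("replica2.example.test", master, salt=FIXED_SALT),
    ]) + "\n"


if __name__ == "__main__":
    kh = sample_known_hosts()
    print(kh)
    for host, raw in [("master.example.test", MASTER_RAW_KEY),
                      ("master.example.test", ROGUE_RAW_KEY),
                      ("nowhere.example.test", MASTER_RAW_KEY)]:
        blob = ed25519_blob(raw)
        print(host, fingerprint(blob), verify_host_key(kh, host, blob))
```

In practice the line for the master would be written into a private file and ssh pointed at it with -o UserKnownHostsFile=<file> -o StrictHostKeyChecking=yes, which is non-interactive and still fails closed on a key change; StrictHostKeyChecking=no also removes the prompt but accepts whatever key is offered.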
From: simo at redhat.com (Simo Sorce) Date: Wed, 08 Jun 2011 08:39:07 -0400 Subject: [Freeipa-devel] FreeIPA v3 development Message-ID: <1307536747.2613.219.camel@willson.li.ssimo.org> Dear fellow developers, it is time to start thinking about v3 development. The plan for v3 is to get cross-realm trust relationships with Windows Domains so that Freeipa domains can interoperate with them seamlessly. We need a lot of infrastructure based on Samba to achieve this goal, and we also need to change some core components of the KDC to be able to handle MS-PACs and other stuff. I've started working on a new MIT KDC DAL plugin, and more code will follow. Since current FreeIPA development is still focused on getting out FreeIPA v2.1 I had a chat with Rob and we decided to keep this new stuff out of tree for a while. Once v2.1 is finalized and can be branched off we will merge all the v3 code on top of master and officially turn master into the v3.0 development branch. Meanwhile I am keeping a semi-official branch in my fedorapeople git repository. The intention is to get all v3.0 patches still sent to the list, but they will be applied to my repository until we are ready to branch off 2.1. So if a patch is for v3, make sure to clearly mark it as such! My repository will be updated from time to time and force-rebased on top of FreeIPA master. So if you decide to use it as a remote repository, be prepared to reset/pull it from time to time. The repo can be found here: http://fedorapeople.org/gitweb?p=simo/public_git/freeipa.git;a=summary There are already 9 patches that constitute the core work of a new ipa-kdb backend. The work is not complete yet, but it is enough code to request some REVIEW from fellow developers. Please take a look at it and let me know in how many ways you do not like it :-) This code will be in flux for some time. 
But as soon as I start receiving patches that go on top of it I will stop touching these patches except for the occasional rebase on top of the official master. Comments are very welcome. Simo. -- Simo Sorce * Red Hat, Inc * New York From simo at redhat.com Wed Jun 8 12:45:16 2011 From: simo at redhat.com (Simo Sorce) Date: Wed, 08 Jun 2011 08:45:16 -0400 Subject: [Freeipa-devel] [PATCH] 077 Skip know_host check for ipa-replica-conncheck In-Reply-To: <1307536550.28590.31.camel@dhcp-25-52.brq.redhat.com> References: <1307536550.28590.31.camel@dhcp-25-52.brq.redhat.com> Message-ID: <1307537116.2613.220.camel@willson.li.ssimo.org> On Wed, 2011-06-08 at 14:35 +0200, Martin Kosek wrote: > When IPA replica is installed and the master machine record is not > in ~/.ssh/known_hosts, ipa-replica-install will prompt user to answer > a question about adding a host to this file. > > This has, however, a potential to break automatic tests. > ipa-replica-conncheck should not require any further user interaction > when all mandatory options are filled. > > https://fedorahosted.org/freeipa/ticket/1305 Instead of suppressing host check would it be possible to provide a properly formatted known_hosts entry that actually matches the master ssh host key ? Simo. -- Simo Sorce * Red Hat, Inc * New York From jcholast at redhat.com Wed Jun 8 13:21:12 2011 From: jcholast at redhat.com (Jan Cholasta) Date: Wed, 08 Jun 2011 15:21:12 +0200 Subject: [Freeipa-devel] [PATCH] 21 Fix directory manager password validation in ipa-nis-manage Message-ID: <4DEF7748.9040105@redhat.com> https://fedorahosted.org/freeipa/ticket/1283 https://fedorahosted.org/freeipa/ticket/1284 Honza -- Jan Cholasta -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-jcholast-21-ipa-nis-manage-input-validation.patch Type: text/x-patch Size: 2534 bytes Desc: not available URL: From jcholast at redhat.com Wed Jun 8 13:50:52 2011 
From: jcholast at redhat.com (Jan Cholasta) Date: Wed, 08 Jun 2011 15:50:52 +0200 Subject: [Freeipa-devel] [PATCH] 785 data type of certificates In-Reply-To: <4DD3E402.1050606@redhat.com> References: <4DD3E402.1050606@redhat.com> Message-ID: <4DEF7E3C.70806@redhat.com> On 18.5.2011 17:21, Rob Crittenden wrote: > Make data type of certificates more obvious/predictable internally. > > For the most part certificates will be treated as being in DER format. > When we load a certificate we will generally accept it in any format but > will convert it to DER before proceeding in normalize_certificate(). > > This also re-arranges a bit of code to pull some certificate-specific > functions out of ipalib/plugins/service.py into ipalib/x509.py. > > This also tries to use variable names to indicate what format the > certificate is in at any given point: > > dercert: DER > cert: PEM > nsscert: a python-nss Certificate object > rawcert: unknown format > > ticket 32 > > rob > NACK lint fails with: ipalib/plugins/host.py:380: [E0602, host_add.pre_callback] Undefined variable 'normalize_certificate' ipalib/plugins/host.py:381: [E0602, host_add.pre_callback] Undefined variable 'verify_cert_subject' Honza -- Jan Cholasta From rcritten at redhat.com Wed Jun 8 14:56:20 2011 
From: rcritten at redhat.com (Rob Crittenden) Date: Wed, 08 Jun 2011 10:56:20 -0400 Subject: [Freeipa-devel] [PATCH] 785 data type of certificates In-Reply-To: <4DEF7E3C.70806@redhat.com> References: <4DD3E402.1050606@redhat.com> <4DEF7E3C.70806@redhat.com> Message-ID: <4DEF8D94.5000301@redhat.com> Jan Cholasta wrote: > On 18.5.2011 17:21, Rob Crittenden wrote: >> Make data type of certificates more obvious/predictable internally. >> >> For the most part certificates will be treated as being in DER format. >> When we load a certificate we will generally accept it in any format but >> will convert it to DER before proceeding in normalize_certificate(). >> >> This also re-arranges a bit of code to pull some certificate-specific >> functions out of ipalib/plugins/service.py into ipalib/x509.py. >> >> This also tries to use variable names to indicate what format the >> certificate is in at any given point: >> >> dercert: DER >> cert: PEM >> nsscert: a python-nss Certificate object >> rawcert: unknown format >> >> ticket 32 >> >> rob >> > > NACK > > lint fails with: > > ipalib/plugins/host.py:380: [E0602, host_add.pre_callback] Undefined > variable 'normalize_certificate' > ipalib/plugins/host.py:381: [E0602, host_add.pre_callback] Undefined > variable 'verify_cert_subject' > > Honza > Needed to be re-based with changes to 779. rob -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-rcrit-785-2-pem.patch Type: text/x-diff Size: 31489 bytes Desc: not available URL: From rcritten at redhat.com Wed Jun 8 15:32:20 2011 
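Patch 785 above settles on one internal representation (DER) and one entry point, normalize_certificate(), that accepts whatever format it is handed. The block below is an added example written for this page, not the patch's own x509.py code: it takes DER bytes, a PEM block or bare base64, returns DER, and follows the thread's naming (rawcert in, dercert out, to_pem() for the PEM form). It does not parse X.509; the only structural check is that the result is a single outer DER SEQUENCE whose encoded length covers the whole buffer, which is enough to reject truncated or misdecoded input. The two sample values are constructed minimal DER SEQUENCEs, not real certificates, so the example runs without a crypto library. Note the order of the checks: DER bytes are recognised before any stripping, because a real DER signature may legitimately end in a byte that looks like whitespace.

```python
import base64
import binascii
import re

# Constructed stand-ins: minimal DER SEQUENCEs, NOT real X.509 certificates.
SAMPLE_DER = bytes([0x30, 0x06, 0x02, 0x01, 0x05, 0x02, 0x01, 0x07])   # SEQUENCE { INTEGER 5, INTEGER 7 }
SAMPLE_DER_LONG = b"\x30\x81\xcb\x04\x81\xc8" + b"\x00" * 200           # long-form lengths (> 127 bytes)

PEM_RE = re.compile(rb"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)


def der_tlv_length(data):
    """Total size of the DER TLV starting at data[0], or -1 if its header is malformed."""
    if len(data) < 2:
        return -1
    first = data[1]
    if first < 0x80:                          # short form: one length byte
        return 2 + first
    n = first & 0x7F                           # long form: n length bytes follow
    if n == 0 or n > 4 or len(data) < 2 + n:
        return -1
    length = int.from_bytes(data[2:2 + n], "big")
    if length < 0x80 or (n > 1 and length < 1 << (8 * (n - 1))):
        return -1                              # DER demands the shortest length encoding
    return 2 + n + length


def looks_like_der(data):
    """A certificate is one outer SEQUENCE whose length covers the whole buffer."""
    return len(data) >= 2 and data[0] == 0x30 and der_tlv_length(data) == len(data)


def normalize_certificate(rawcert):
    """Accept DER, PEM or bare base64 (bytes or str) and return DER bytes.

    Malformed input raises ValueError instead of printing and returning None,
    so the caller decides how to report it.
    """
    if isinstance(rawcert, str):
        rawcert = rawcert.encode("ascii")
    if looks_like_der(rawcert):
        return bytes(rawcert)                  # never strip DER: it may end in 0x0a or 0x20
    match = PEM_RE.search(rawcert)
    body = match.group(1) if match else rawcert
    body = re.sub(rb"\s+", b"", body)          # base64 is line-wrapped in PEM
    try:
        dercert = base64.b64decode(body, validate=True)
    except (binascii.Error, ValueError) as exc:
        raise ValueError("not DER, PEM or base64: %s" % exc)
    if not looks_like_der(dercert):
        raise ValueError("decoded data is not a single DER SEQUENCE")
    return dercert


def to_pem(dercert):
    """PEM-wrap DER at 64 columns: the 'cert' form in the thread's naming scheme."""
    b64 = base64.b64encode(dercert).decode("ascii")
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return "-----BEGIN CERTIFICATE-----\n%s\n-----END CERTIFICATE-----\n" % "\n".join(lines)


def to_base64(dercert):
    """Bare base64 without PEM armour, as some LDAP and CLI inputs carry it."""
    return base64.b64encode(dercert).decode("ascii")


def normalize_error(rawcert):
    """Return the ValueError text for rejected input, or None if it normalized."""
    try:
        normalize_certificate(rawcert)
        return None
    except ValueError as exc:
        return str(exc)


if __name__ == "__main__":
    for form in (SAMPLE_DER, to_pem(SAMPLE_DER), to_base64(SAMPLE_DER)):
        print(normalize_certificate(form) == SAMPLE_DER)
    print(normalize_error(b"this is not a certificate"))
```

Once every caller goes through one function like this, the rest of the code only ever sees dercert, and the variable-name convention in the patch description becomes checkable by reading the call sites.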
From: rcritten at redhat.com (Rob Crittenden) Date: Wed, 08 Jun 2011 11:32:20 -0400 Subject: [Freeipa-devel] [PATCH] 077 Skip know_host check for ipa-replica-conncheck In-Reply-To: <1307537116.2613.220.camel@willson.li.ssimo.org> References: <1307536550.28590.31.camel@dhcp-25-52.brq.redhat.com> <1307537116.2613.220.camel@willson.li.ssimo.org> Message-ID: <4DEF9604.5060605@redhat.com> Simo Sorce wrote: > On Wed, 2011-06-08 at 14:35 +0200, Martin Kosek wrote: >> When IPA replica is installed and the master machine record is not >> in ~/.ssh/known_hosts, ipa-replica-install will prompt user to answer >> a question about adding a host to this file. >> >> This has, however, a potential to break automatic tests. >> ipa-replica-conncheck should not require any further user interaction >> when all mandatory options are filled. >> >> https://fedorahosted.org/freeipa/ticket/1305 > > Instead of suppressing host check would it be possible to provide a > properly formatted known_hosts entry that actually matches the master > ssh host key ? > > Simo. > We decided that the Kerberos host key provides sufficient identity. A new ticket was opened to more gracefully handle the known_hosts entry. ack, pushed to master rob From rcritten at redhat.com Wed Jun 8 17:45:49 2011 From: rcritten at redhat.com (Rob Crittenden) Date: Wed, 08 Jun 2011 13:45:49 -0400 Subject: [Freeipa-devel] [PATCH] 793 add uid, gid and e-mail to user default attributes Message-ID: <4DEFB54D.6080202@redhat.com> Add uid, gid and e-mail to the default list of attributes for users. This will mostly affect user-show. ticket https://fedorahosted.org/freeipa/ticket/1265 rob -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-rcrit-793-user.patch Type: text/x-diff Size: 16000 bytes Desc: not available URL: From dpal at redhat.com Wed Jun 8 18:15:00 2011 
From: dpal at redhat.com (Dmitri Pal) Date: Wed, 08 Jun 2011 14:15:00 -0400 Subject: [Freeipa-devel] Visibility of the sensitive LDAP data Message-ID: <4DEFBC24.4000401@redhat.com> Hi, We have been through this some time before and the decision made then still left me uneasy. We said that LDAP is by nature something that is readable by an authenticated user. Other than special password and key related attributes everything else should be readable. Now we have a bug https://bugzilla.redhat.com/show_bug.cgi?id=711693 It seems reasonable to hide the SUDO information from the normal user and not make it widely available. I would argue that the HBAC should fall into the same category. I suspect there is a way to hide this information and if we implemented everything correctly the UI and CLI should not fail and respecting the effective rights will not present the UI or fail the CLI command. So what should we do: 1) Leave as is and not bother at all (i.e. it is what it is) 2) Leave as is and defer the solution till later (do not fix it in 2.1 defer to 2.2) 3) Leave as is but document how to do it using permissions & ACIs 4) Provide default ACIs that would hide the records for the broad user population Looking for an opinion here. -- Thank you, Dmitri Pal Sr. Engineering Manager IPA project, Red Hat Inc. ------------------------------- Looking to carve out IT costs? www.redhat.com/carveoutcosts/ From simo at redhat.com Wed Jun 8 18:30:20 2011
From: simo at redhat.com (Simo Sorce) Date: Wed, 08 Jun 2011 14:30:20 -0400 Subject: [Freeipa-devel] Visibility of the sensitive LDAP data In-Reply-To: <4DEFBC24.4000401@redhat.com> References: <4DEFBC24.4000401@redhat.com> Message-ID: <1307557820.2613.230.camel@willson.li.ssimo.org> On Wed, 2011-06-08 at 14:15 -0400, Dmitri Pal wrote: > Hi, > > We have been through this some time before and the decision made then > still left me uneasy. > We said that LDAP is by nature something that is readable by an > authenticated user. Other than special password and key related > attributes everything else should be readable. > > Now we have a bug https://bugzilla.redhat.com/show_bug.cgi?id=711693 > It seems reasonable to hide the SUDO information from the normal user > and not make it widely available. I would argue that the HBAC should > fall into the same category. > I suspect there is a way to hide this information and if we implemented > everything correctly the UI and CLI should not fail and respecting the > effective rights will not present the UI or fail the CLI command. > So what should we do: > 1) Leave as is and not bother at all (i.e. it is what it is) > 2) Leave as is and defer the solution till later (do not fix it in 2.1 > defer to 2.2) > 3) Leave as is but document how to do it using permissions & ACIs > 4) Provide default ACIs that would hide the records for the broad user > population > > Looking for an opinion here. I am for (2) Simo. -- Simo Sorce * Red Hat, Inc * New York From JR.Aquino at citrix.com Wed Jun 8 19:10:29 2011
From: JR.Aquino at citrix.com (JR Aquino) Date: Wed, 8 Jun 2011 19:10:29 +0000 Subject: [Freeipa-devel] [PATCH] 29 Raise DuplicateEntry Error when adding a duplicate sudo option Message-ID: <2AE1C072-9099-44E1-A778-BB1A6F0AE955@citrixonline.com> https://fedorahosted.org/freeipa/ticket/1277 Raise DuplicateEntry Error when adding a duplicate sudo option -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-jraquino-0029-Raise-DuplicateEntry-Error-when-adding-a-duplicate.patch Type: application/octet-stream Size: 1122 bytes Desc: freeipa-jraquino-0029-Raise-DuplicateEntry-Error-when-adding-a-duplicate.patch URL: From JR.Aquino at citrix.com Wed Jun 8 19:15:22 2011 
From: JR.Aquino at citrix.com (JR Aquino) Date: Wed, 8 Jun 2011 19:15:22 +0000 Subject: [Freeipa-devel] Visibility of the sensitive LDAP data In-Reply-To: <1307557820.2613.230.camel@willson.li.ssimo.org> References: <4DEFBC24.4000401@redhat.com> <1307557820.2613.230.camel@willson.li.ssimo.org> Message-ID: <7AB04414-EBCD-49CB-8DEE-58594A35F342@citrixonline.com> On Jun 8, 2011, at 11:30 AM, Simo Sorce wrote: > On Wed, 2011-06-08 at 14:15 -0400, Dmitri Pal wrote: >> Hi, >> >> We have been through this some time before and the decision made then >> still left me uneasy. >> We said that LDAP is by nature something that is readable by an >> authenticated user. Other than special password and key related >> attributes everything else should be readable. >> >> Now we have a bug https://bugzilla.redhat.com/show_bug.cgi?id=711693 >> It seems reasonable to hide the SUDO information from the normal user >> and not make it widely available. I would argue that the HBAC should >> fall into the same category. >> I suspect there is a way to hide this information and if we implemented >> everything correctly the UI and CLI should not fail and respecting the >> effective rights will not present the UI or fail the CLI command. >> So what should we do: >> 1) Leave as is and not bother at all (i.e. it is what it is) >> 2) Leave as is and defer the solution till later (do not fix it in 2.1 >> defer to 2.2) >> 3) Leave as is but document how to do it using permissions & ACIs >> 4) Provide default ACIs that would hide the records for the broad user >> population >> >> Looking for an opinion here. > > I am for (2) > > Simo. > I am also for (2) This logic becomes quite tricky however, because controlling this via ACI's would have to be cognizant of the authenticated user to be able to make the decision to show them only their /OWN/ authorization/access rights... From dpal at redhat.com Wed Jun 8 19:29:51 2011
From: dpal at redhat.com (Dmitri Pal) Date: Wed, 08 Jun 2011 15:29:51 -0400 Subject: [Freeipa-devel] Visibility of the sensitive LDAP data In-Reply-To: <7AB04414-EBCD-49CB-8DEE-58594A35F342@citrixonline.com> References: <4DEFBC24.4000401@redhat.com> <1307557820.2613.230.camel@willson.li.ssimo.org> <7AB04414-EBCD-49CB-8DEE-58594A35F342@citrixonline.com> Message-ID: <4DEFCDAF.10206@redhat.com> On 06/08/2011 03:15 PM, JR Aquino wrote: >>> 1) Leave as is and not bother at all (i.e. it is what it is) >>> >> 2) Leave as is and defer the solution till later (do not fix it in 2.1 >>> >> defer to 2.2) >>> >> 3) Leave as is but document how to do it using permissions & ACIs >>> >> 4) Provide default ACIs that would hide the records for the broad user >>> >> population >>> >> >>> >> Looking for an opinion here. >> > >> > I am for (2) >> > >> > Simo. >> > > I am also for (2) > > This logic becomes quite tricky however, because controlling this via ACI's would have to be cognizant of the authenticated user to be able to make the decision to show them only their /OWN/ authorization/access rights... I am not sure if the user really needs to see these things at all. The SUDO and HBAC rules should be seen by SSSD or the LDAP client on the host (until SUDO is SSSD integrated) the user does not need to see or fetch the rules for himself. I do not think that any system exposes its access control rules in a way that user can inspect and see in advance what he can do and what he can't. -- Thank you, Dmitri Pal Sr. Engineering Manager IPA project, Red Hat Inc. ------------------------------- Looking to carve out IT costs? www.redhat.com/carveoutcosts/ -------------- next part -------------- An HTML attachment was scrubbed... URL: From simo at redhat.com Wed Jun 8 19:39:40 2011 
From: simo at redhat.com (Simo Sorce) Date: Wed, 08 Jun 2011 15:39:40 -0400 Subject: [Freeipa-devel] Visibility of the sensitive LDAP data In-Reply-To: <4DEFCDAF.10206@redhat.com> References: <4DEFBC24.4000401@redhat.com> <1307557820.2613.230.camel@willson.li.ssimo.org> <7AB04414-EBCD-49CB-8DEE-58594A35F342@citrixonline.com> <4DEFCDAF.10206@redhat.com> Message-ID: <1307561980.2613.239.camel@willson.li.ssimo.org> On Wed, 2011-06-08 at 15:29 -0400, Dmitri Pal wrote: > On 06/08/2011 03:15 PM, JR Aquino wrote: >>>> 1) Leave as is and not bother at all (i.e. it is what it is) >>>> 2) Leave as is and defer the solution till later (do not fix it in 2.1 >>>> defer to 2.2) >>>> 3) Leave as is but document how to do it using permissions & ACIs >>>> 4) Provide default ACIs that would hide the records for the broad user >>>> population >>>> >>>> Looking for an opinion here. >>> >>> I am for (2) >>> >>> Simo. >> >> I am also for (2) >> >> This logic becomes quite tricky however, because controlling this via ACIs would have to be cognizant of the authenticated user to be able to make the decision to show them only their /OWN/ authorization/access rights... > I am not sure if the user really needs to see these things at all. The > SUDO and HBAC rules should be seen by SSSD or the LDAP client on the > host (until SUDO is SSSD integrated) the user does not need to see or > fetch the rules for himself. I do not think that any system exposes > its access control rules in a way that user can inspect and see in > advance what he can do and what he can't. Every file system does that. ls -al shows you standard posix permissions and getfacl gets you the whole acl. So if we consider SUDO rules like access control rules I do not see a big issue in showing them to all authenticated users. 
I am ok to allow people to toggle a switch that allows sudo rules to be viewed only by a subset of users (namely admins and computers), but that should be an option, as there may be legitimate reason for wanting the rules accessible to any authenticated entity. That said I think we want to carefully plan for this and not rush it in 2.1 so I am for deferring. Worst case admins can always add their own ACIs to further restrict access to sudo/hbac rules for now. Simo. -- Simo Sorce * Red Hat, Inc * New York From JR.Aquino at citrix.com Wed Jun 8 19:42:50 2011
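Simo's remark that admins can already add their own ACIs is straightforward to act on. What follows is an added example written for this thread, not FreeIPA code: it generates ldapmodify input that adds a deny ACI to the sudo and HBAC rule containers, so that only members of the admins group, enrolled hosts (the identity SSSD binds with) and any explicitly listed bind DNs can read the rules. The container DNs, the admins group DN, the ipahost object class and the sample sudo bind account under cn=sysaccounts,cn=etc are assumptions about a stock FreeIPA 2.x tree; check them against your own suffix before applying.

```python
"""Generate ldapmodify input that hides FreeIPA sudo and HBAC rules from
ordinary authenticated users.  Added example for this thread; not FreeIPA code.

Assumed layout of a stock FreeIPA 2.x tree (verify against your suffix):
  sudo rules  : cn=sudorules,cn=sudo,<suffix>
  HBAC rules  : cn=hbac,<suffix>
  admins group: cn=admins,cn=groups,cn=accounts,<suffix>
  hosts       : objectClass ipahost under cn=computers,cn=accounts,<suffix>
"""
import sys

SUDO_CONTAINER = "cn=sudorules,cn=sudo,%s"
HBAC_CONTAINER = "cn=hbac,%s"
ADMINS_GROUP = "cn=admins,cn=groups,cn=accounts,%s"
# LDAP URL with a filter: matches every enrolled host, which is what SSSD
# binds as (host keytab) when it fetches HBAC rules.
HOSTS_URL = "ldap:///cn=computers,cn=accounts,%s??sub?(objectclass=ipahost)"


def bind_rule(suffix, extra_readers=()):
    """Return the 389-DS bind rule that selects the binds to be denied.

    It is true for a bind that is not an admin, not an enrolled host and not
    one of extra_readers (full DNs, e.g. the sudo bind account used by
    nss_ldap clients).  Directory Manager bypasses ACIs and needs no entry.
    """
    readers = [HOSTS_URL % suffix] + ["ldap:///" + dn for dn in extra_readers]
    rules = ['groupdn != "ldap:///%s"' % (ADMINS_GROUP % suffix),
             'userdn != "%s"' % " || ".join(readers)]
    return " and ".join("(%s)" % r for r in rules)


def visibility_aci(name, suffix, extra_readers=()):
    """One deny ACI covering every attribute of the entries below the target."""
    return ('(targetattr = "*")(version 3.0; acl "%s"; '
            'deny (read, search, compare) %s;)'
            % (name, bind_rule(suffix, extra_readers)))


def visibility_ldif(suffix, extra_readers=()):
    """LDIF that adds the deny ACI to both the sudo and the HBAC container."""
    changes = []
    for name, container in (("Restrict sudo rule visibility", SUDO_CONTAINER),
                            ("Restrict HBAC rule visibility", HBAC_CONTAINER)):
        changes.append("dn: %s\nchangetype: modify\nadd: aci\naci: %s\n"
                       % (container % suffix,
                          visibility_aci(name, suffix, extra_readers)))
    return "\n".join(changes)


if __name__ == "__main__":
    # usage: make_visibility_aci.py <suffix> [extra reader DN ...]
    base = sys.argv[1] if len(sys.argv) > 1 else "dc=example,dc=com"
    sys.stdout.write(visibility_ldif(base, extra_readers=sys.argv[2:]))
```

Pipe the output into `ldapmodify -x -D 'cn=Directory Manager' -W`, then verify with ldapsearch bound as a plain user (expect no entries under cn=sudo) and with a host keytab (expect the rules). Two caveats: 389-DS gives deny ACIs precedence over every allow, so a sudo bind user of the kind JR describes for nss_ldap clients must be passed as an extra reader or those clients silently stop receiving sudo rules; and the ACI covers only the native containers, so if the schema-compat view (ou=sudoers under the suffix) is enabled it needs an ACI of its own.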
From: JR.Aquino at citrix.com (JR Aquino) Date: Wed, 8 Jun 2011 19:42:50 +0000 Subject: [Freeipa-devel] Visibility of the sensitive LDAP data In-Reply-To: <4DEFCDAF.10206@redhat.com> References: <4DEFBC24.4000401@redhat.com> <1307557820.2613.230.camel@willson.li.ssimo.org> <7AB04414-EBCD-49CB-8DEE-58594A35F342@citrixonline.com> <4DEFCDAF.10206@redhat.com> Message-ID: On Jun 8, 2011, at 12:29 PM, Dmitri Pal wrote: > On 06/08/2011 03:15 PM, JR Aquino wrote: >>>> 1) Leave as is and not bother at all (i.e. it is what it is) >>>> 2) Leave as is and defer the solution till later (do not fix it in 2.1 >>>> defer to 2.2) >>>> 3) Leave as is but document how to do it using permissions & ACIs >>>> 4) Provide default ACIs that would hide the records for the broad user >>>> population >>>> >>>> Looking for an opinion here. >>> >>> I am for (2) >>> >>> Simo. >> I am also for (2) >> >> This logic becomes quite tricky however, because controlling this via ACIs would have to be cognizant of the authenticated user to be able to make the decision to show them only their /OWN/ authorization/access rights... > I am not sure if the user really needs to see these things at all. The SUDO and HBAC rules should be seen by SSSD or the LDAP client on the host (until SUDO is SSSD integrated) the user does not need to see or fetch the rules for himself. I do not think that any system exposes its access control rules in a way that user can inspect and see in advance what he can do and what he can't. Correct, specifically... SSSD doesn't currently have support for SUDO, so a 'BindUser' is used to perform ldap lookups for sudo information; my point was, the Client/Server system is what is performing the ldap lookup, not the user itself. The system has the ability to review all entries in order to perform the decision making process. 
Whether the FreeIPA cli allows a user to run 'ipa hbacrule-find' or 'ipa sudorule-find' is somewhat moot, as they can just do an ldap search to find that information out anyway (in the case of sudo, all of the needed information is present in the clear in /etc/nss_ldap.conf anyway -owned by root-). So yes, I think that it is important for the CLI to limit an authenticated user's commands based on their authorization. BUT I think in addition to that, it is important to understand that the backend would be a way to short-circuit any prohibitions we implement via the cli. I suppose ideally, you want to introduce a change that satisfies both requirements. -JR From rcritten at redhat.com Wed Jun 8 20:02:15 2011 From: rcritten at redhat.com (Rob Crittenden) Date: Wed, 08 Jun 2011 16:02:15 -0400 Subject: [Freeipa-devel] [PATCH] 794 Fix external CA installations Message-ID: <4DEFD547.5090509@redhat.com> External CA installations were broken when we added a separate SSL certificate for the dogtag DS instance so that replication is done over SSL. We need to initialize the CADS instance with a bit more information so the certificate can be generated. https://fedorahosted.org/freeipa/ticket/1245 rob -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-rcrit-794-externalca.patch Type: text/x-diff Size: 3407 bytes Desc: not available URL: From edewata at redhat.com Wed Jun 8 23:35:37 2011
From: edewata at redhat.com (Endi Sukma Dewata) Date: Wed, 08 Jun 2011 18:35:37 -0500 Subject: [Freeipa-devel] [PATCH] 793 add uid, gid and e-mail to user default attributes In-Reply-To: <4DEFB54D.6080202@redhat.com> References: <4DEFB54D.6080202@redhat.com> Message-ID: <4DF00749.1040805@redhat.com> On 6/8/2011 12:45 PM, Rob Crittenden wrote: > Add uid, gid and e-mail to the default list of attributes for users. > This will mostly affect user-show. > > ticket https://fedorahosted.org/freeipa/ticket/1265 ACK and pushed to master. -- Endi S. Dewata From mkosek at redhat.com Thu Jun 9 09:31:54 2011 From: mkosek at redhat.com (Martin Kosek) Date: Thu, 09 Jun 2011 11:31:54 +0200 Subject: [Freeipa-devel] [PATCH] 078 Improve DNS zone creation Message-ID: <1307611916.27281.3.camel@dhcp-25-52.brq.redhat.com> When a new DNS zone is being created a local hostname is set as a nameserver of the new zone. However, when the zone is created during ipa-replica-prepare, the current master/replica doesn't have to be an IPA server with DNS support. This would lead to DNS zones with incorrect NS records as they wouldn't point to a valid name server. Now, a list of all master servers with DNS support is retrieved during DNS zone creation and added as NS records for a new DNS zone. https://fedorahosted.org/freeipa/ticket/1261 -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-mkosek-078-improve-dns-zone-creation.patch Type: text/x-patch Size: 8900 bytes Desc: not available URL: From mkosek at redhat.com Thu Jun 9 10:58:41 2011
From: mkosek at redhat.com (Martin Kosek) Date: Thu, 09 Jun 2011 12:58:41 +0200 Subject: [Freeipa-devel] [PATCH] 079 DNS installation fails when domain and host domain mismatch Message-ID: <1307617123.27281.8.camel@dhcp-25-52.brq.redhat.com> This patch depends on my patch 078. A special patch for stable branch attached. --- Create DNS domain for IPA server hostname first so that its forward record can be added. This results in 2 forward DNS zones created when server hostname doesn't equal server domain. https://fedorahosted.org/freeipa/ticket/1194 -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-mkosek-079-dns-host-domain-mismatch.patch Type: text/x-patch Size: 2026 bytes Desc: not available URL: -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-mkosek-079-ipa-2-0.patch Type: text/x-patch Size: 1947 bytes Desc: not available URL: From simo at redhat.com Thu Jun 9 12:01:39 2011 From: simo at redhat.com (Simo Sorce) Date: Thu, 09 Jun 2011 08:01:39 -0400 Subject: [Freeipa-devel] [PATCH] 079 DNS installation fails when domain and host domain mismatch In-Reply-To: <1307617123.27281.8.camel@dhcp-25-52.brq.redhat.com> References: <1307617123.27281.8.camel@dhcp-25-52.brq.redhat.com> Message-ID: <1307620899.2613.252.camel@willson.li.ssimo.org> On Thu, 2011-06-09 at 12:58 +0200, Martin Kosek wrote: > This patch depends on my patch 078. A special patch for stable branch > attached. ACK Simo. -- Simo Sorce * Red Hat, Inc * New York From simo at redhat.com Thu Jun 9 12:04:58 2011
From: simo at redhat.com (Simo Sorce) Date: Thu, 09 Jun 2011 08:04:58 -0400 Subject: [Freeipa-devel] [PATCH] 078 Improve DNS zone creation In-Reply-To: <1307611916.27281.3.camel@dhcp-25-52.brq.redhat.com> References: <1307611916.27281.3.camel@dhcp-25-52.brq.redhat.com> Message-ID: <1307621098.2613.253.camel@willson.li.ssimo.org> On Thu, 2011-06-09 at 11:31 +0200, Martin Kosek wrote: > When a new DNS zone is being created a local hostname is set as a > nameserver of the new zone. However, when the zone is created > during ipa-replica-prepare, the current master/replica doesn't > have to be an IPA server with DNS support. This would lead to DNS > zones with incorrect NS records as they wouldn't point to a valid > name server. > > Now, a list of all master servers with DNS support is retrieved > during DNS zone creation and added as NS records for a new DNS > zone. > > https://fedorahosted.org/freeipa/ticket/1261 ACK, although I have not tested. Simo. -- Simo Sorce * Red Hat, Inc * New York From mkosek at redhat.com Thu Jun 9 12:50:54 2011 From: mkosek at redhat.com (Martin Kosek) Date: Thu, 09 Jun 2011 14:50:54 +0200 Subject: [Freeipa-devel] [PATCH] 21 Fix directory manager password validation in ipa-nis-manage In-Reply-To: <4DEF7748.9040105@redhat.com> References: <4DEF7748.9040105@redhat.com> Message-ID: <1307623856.27281.15.camel@dhcp-25-52.brq.redhat.com> On Wed, 2011-06-08 at 15:21 +0200, Jan Cholasta wrote: > https://fedorahosted.org/freeipa/ticket/1283 > https://fedorahosted.org/freeipa/ticket/1284 > > Honza Patch works fine, but I'd like to improve code quality a bit. Please don't call sys.exit() from get_dirman_password(). It doesn't really make sense. I suggest just returning None in that case and then exiting in the main function. Or raising a proper exception and then exiting in the main function. The get_dirman_password() function can then be later reused easily. Martin From mkosek at redhat.com Thu Jun 9 12:56:05 2011
From: mkosek at redhat.com (Martin Kosek) Date: Thu, 09 Jun 2011 14:56:05 +0200 Subject: [Freeipa-devel] [PATCH] 792 Update translations In-Reply-To: <4DED129C.8090700@redhat.com> References: <4DED129C.8090700@redhat.com> Message-ID: <1307624168.27281.19.camel@dhcp-25-52.brq.redhat.com> On Mon, 2011-06-06 at 13:47 -0400, Rob Crittenden wrote: > Our translation files haven't been updated for a few months, this brings > things up to date. It is intended for master only. > > All I did to generate this patch was to run make update-po in > install/po. It is otherwise untouched by human hands. > > 4Mb of changes, 810 new messages, so this patch is huge, sorry. > > rob Eh, nice patch :-) Did you also pull new translations from Transifex? John wrote a howto in a mail "Transifex i18n translation changes". Btw if we also want to update ipa-2-0 translations, it would need a separate patch as those 2 branches have diverged. Martin From dpal at redhat.com Thu Jun 9 15:11:06 2011 
From: dpal at redhat.com (Dmitri Pal) Date: Thu, 09 Jun 2011 11:11:06 -0400 Subject: [Freeipa-devel] [PATCH] 792 Update translations In-Reply-To: <1307624168.27281.19.camel@dhcp-25-52.brq.redhat.com> References: <4DED129C.8090700@redhat.com> <1307624168.27281.19.camel@dhcp-25-52.brq.redhat.com> Message-ID: <4DF0E28A.4020209@redhat.com> On 06/09/2011 08:56 AM, Martin Kosek wrote: > On Mon, 2011-06-06 at 13:47 -0400, Rob Crittenden wrote: >> Our translation files haven't been updated for a few months, this brings >> things up to date. It is intended for master only. >> >> All I did to generate this patch was to run make update-po in >> install/po. It is otherwise untouched by human hands. >> >> 4Mb of changes, 810 new messages, so this patch is huge, sorry. >> >> rob > Eh, nice patch :-) Did you also pull new translations from Transifex? > John wrote a howto in a mail "Transifex i18n translation changes". > > Btw if we also want to update ipa-2-0 translations, it would need a > separate patch as those 2 branches have diverged. We want translations. > Martin -- Thank you, Dmitri Pal Sr. Engineering Manager IPA project, Red Hat Inc. From mkosek at redhat.com Thu Jun 9 15:43:27 2011
From: mkosek at redhat.com (Martin Kosek) Date: Thu, 09 Jun 2011 17:43:27 +0200 Subject: [Freeipa-devel] [PATCH] 794 Fix external CA installations In-Reply-To: <4DEFD547.5090509@redhat.com> References: <4DEFD547.5090509@redhat.com> Message-ID: <1307634210.2318.2.camel@dhcp-25-52.brq.redhat.com> On Wed, 2011-06-08 at 16:02 -0400, Rob Crittenden wrote: > External CA installations were broken when we added a separate SSL > certificate for the dogtag DS instance so that replication is done over > SSL. We need to initialize the CADS instance with a bit more information > so the certificate can be generated. > > https://fedorahosted.org/freeipa/ticket/1245 > > rob ACK, works fine. Pushed to master, ipa-2-0. Martin From rcritten at redhat.com Thu Jun 9 17:21:40 2011 From: rcritten at redhat.com (Rob Crittenden) Date: Thu, 09 Jun 2011 13:21:40 -0400 Subject: [Freeipa-devel] [PATCH] 795 Remove root autobind search restriction, fix upgrade logging & error handling. Message-ID: <4DF10124.3020504@redhat.com> There was no point in limiting autobind root to just search cn=config since it could always just modify its way out of the box, so remove the restriction. The upgrade log wasn't being created. Clearing all other loggers before calling logging.basicConfig() fixes this. Add a global exception when performing updates so we can gracefully catch and log problems without leaving the server in a bad state. https://fedorahosted.org/freeipa/ticket/1243 https://fedorahosted.org/freeipa/ticket/1254 rob -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-rcrit-795-upgrade.patch Type: text/x-diff Size: 6478 bytes Desc: not available URL: From rcritten at redhat.com Thu Jun 9 17:24:41 2011
From: rcritten at redhat.com (Rob Crittenden) Date: Thu, 09 Jun 2011 13:24:41 -0400 Subject: [Freeipa-devel] [PATCH] 29 Raise DuplicateEntry Error when adding a duplicate sudo option In-Reply-To: <2AE1C072-9099-44E1-A778-BB1A6F0AE955@citrixonline.com> References: <2AE1C072-9099-44E1-A778-BB1A6F0AE955@citrixonline.com> Message-ID: <4DF101D9.6000209@redhat.com> JR Aquino wrote: > https://fedorahosted.org/freeipa/ticket/1277 > > Raise DuplicateEntry Error when adding a duplicate sudo option nack, this will still fail if no ipasudoopt is passed in. Also, is this case-sensitive? rob From rcritten at redhat.com Thu Jun 9 18:10:22 2011 
From: rcritten at redhat.com (Rob Crittenden) Date: Thu, 09 Jun 2011 14:10:22 -0400 Subject: [Freeipa-devel] [PATCH] 788 remove automountinformation from automount dns In-Reply-To: <1307089734.12835.7.camel@dhcp-25-52.brq.redhat.com> References: <4DDAA9A7.6050302@redhat.com> <1307089734.12835.7.camel@dhcp-25-52.brq.redhat.com> Message-ID: <4DF10C8E.8060500@redhat.com> Martin Kosek wrote: > On Mon, 2011-05-23 at 14:38 -0400, Rob Crittenden wrote: >> In an attempt to support multiple direct maps we always included the >> automountinformation in the key dn. This makes showing keys impossible, a >> bit of a catch-22. You want to get the mount info but to get it you need >> the mount info. >> >> This patch drops requiring automountinfo but if provided it'll use it to >> make the dn. This way we can have backwards compatibility for any >> existing maps but going forward only direct maps will have the info in it. >> >> --key is still required when dealing with keys, no way around that >> without doing a major API change, migrating data, etc. >> >> ticket 1229 >> >> rob > > I tested this patch and from CLI perspective, it makes things better. I > think it is our best bet if we want to avoid major API changes and > migration nightmares. > > I have only a few minor issues regarding the patch: > 1) API minor version has been bumped since this patch was out, it needs > a rebase > 2) check_key_uniqueness function needs to be fixed so that it doesn't > search only for key/info DNs. Otherwise, it doesn't detect some > duplicates which leads to inconvenient errors. For example when a > duplicate indirect map is added: > > # ipa automountkey-find default auto.master > Key: /- > Mount information: auto.direct > > Key: /usr/share > Mount information: auto.share > # ipa automountkey-add default auto.master --key=/usr/share --info=auto.share2 > ipa: ERROR: key named auto.master already exists > > Martin > Ok, I think this addresses your concern. 
rob -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-rcrit-788-2-automount.patch Type: text/x-diff Size: 11655 bytes Desc: not available URL: From rcritten at redhat.com Thu Jun 9 18:14:07 2011 From: rcritten at redhat.com (Rob Crittenden) Date: Thu, 09 Jun 2011 14:14:07 -0400 Subject: [Freeipa-devel] [PATCH] 073 IPA installation with --no-host-dns fails In-Reply-To: <1306919578.2419.2.camel@dhcp-25-52.brq.redhat.com> References: <1306919578.2419.2.camel@dhcp-25-52.brq.redhat.com> Message-ID: <4DF10D6F.1030904@redhat.com> Martin Kosek wrote: > Patch for both master and ipa-2-0 branch attached. > --- > --no-host-dns option should allow installing IPA server on a host > without a DNS resolvable name. > > Update parse_ip_address and verify_ip_address functions have been > changed not to return None and print error messages in case of > an error, but rather let the Exception be handled by the calling > routine. > > https://fedorahosted.org/freeipa/ticket/1246 ack for both From rcritten at redhat.com Thu Jun 9 19:04:24 2011 From: rcritten at redhat.com (Rob Crittenden) Date: Thu, 09 Jun 2011 15:04:24 -0400 Subject: [Freeipa-devel] [PATCH] 074 Handle LDAP search references In-Reply-To: <1306944748.2419.4.camel@dhcp-25-52.brq.redhat.com> References: <1306944748.2419.4.camel@dhcp-25-52.brq.redhat.com> Message-ID: <4DF11938.1010609@redhat.com> Martin Kosek wrote: > LDAP search operation may return a search reference pointing to > an LDAP resource. As the framework does not handle search > references, skip these results to prevent result processing > failures. > > Migrate operation crashed when the migrated DS contained search > references. Now, it correctly skips these records and prints the > failed references to the user. > > https://fedorahosted.org/freeipa/ticket/1209 Ack, reports failure as expected. rob From rcritten at redhat.com Thu Jun 9 19:14:20 2011
From: rcritten at redhat.com (Rob Crittenden) Date: Thu, 09 Jun 2011 15:14:20 -0400 Subject: [Freeipa-devel] [PATCH] 075 Add ignore lists to migrate-ds command In-Reply-To: <1307104970.12835.12.camel@dhcp-25-52.brq.redhat.com> References: <1307104970.12835.12.camel@dhcp-25-52.brq.redhat.com> Message-ID: <4DF11B8C.4070309@redhat.com> Martin Kosek wrote: > How to test: > 1) Create a custom DS instance with for example 60radius.ldif schema > present (as in the original report in ticket #1266) > 2) Populate DS with users/groups with custom unsupported object > class/attribute > 3) Try to migrate these users and groups to IPAv2. Only the enhanced > migrate-ds command should be successful: > > # ipa migrate-ds ldap://vm-102.idm.lab.bos.redhat.com:389 > --schema=RFC2307 --user-objectclass=posixAccount > --group-objectclass=posixgroup --user-container='ou=People' > --group-container='cn=Accounting Managers,ou=Groups' > --user-ignore-objectclass=radiusprofile,radiusclientprofile > --user-ignore-attribute=radiusclientsecret,radiusclientipaddress > > --- > When a user migrates users/groups from an old DS instance, the > migration may fail on unsupported object classes and/or > relevant LDAP object attributes. > > This patch implements a support for object class and attribute > ignore lists that can be used to suppress these migration issues. > > Additionally, a redundant "dev/null" file is removed from git repo > (originally added in 26b0e8fc9809a4cd9f2f9a2281f0894e2e0f8db2). > > https://fedorahosted.org/freeipa/ticket/1266 This isn't applying to master (the blacklists hunk), and I wasn't sure where it should go either. I did notice one general problem though: objectclasses should be treated case-insensitively. rob From rcritten at redhat.com Thu Jun 9 20:32:05 2011
From: rcritten at redhat.com (Rob Crittenden) Date: Thu, 09 Jun 2011 16:32:05 -0400 Subject: [Freeipa-devel] [PATCH] 795 Remove root autobind search restriction, fix upgrade logging & error handling. In-Reply-To: <4DF10124.3020504@redhat.com> References: <4DF10124.3020504@redhat.com> Message-ID: <4DF12DC5.2030205@redhat.com> Rob Crittenden wrote: > There was no point in limiting autobind root to just search cn=config > since it could always just modify its way out of the box, so remove the > restriction. > > The upgrade log wasn't being created. Clearing all other loggers before > calling logging.basicConfig() fixes this. > > Add a global exception when performing updates so we can gracefully > catch and log problems without leaving the server in a bad state. > > https://fedorahosted.org/freeipa/ticket/1243 > https://fedorahosted.org/freeipa/ticket/1254 > > rob This was leaving a bogus entry in sysrestore.index and an empty value in dse.ldif. I updated the patch. rob -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-rcrit-795-2-upgrade.patch Type: text/x-diff Size: 8561 bytes Desc: not available URL: From edewata at redhat.com Thu Jun 9 22:01:14 2011
From: edewata at redhat.com (Endi Sukma Dewata) Date: Thu, 09 Jun 2011 17:01:14 -0500 Subject: [Freeipa-devel] [PATCH] 173 Fixed resizing issues. Message-ID: <4DF142AA.6070905@redhat.com> The UI has been modified to fix some resizing issues: Previously the size of scrollable facet content was roughly calculated using resize(). Now the size can be more accurately defined in CSS. Previously the UI width was fixed. The HTML layout and background images have been modified to support horizontal expansion. Demo is available here: http://edewata.fedorapeople.org/freeipa/install/ui/index.html -- Endi S. Dewata -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-edewata-0173-Fixed-resizing-issues.patch Type: text/x-patch Size: 52474 bytes Desc: not available URL: From edewata at redhat.com Thu Jun 9 23:03:54 2011 From: edewata at redhat.com (Endi Sukma Dewata) Date: Thu, 09 Jun 2011 18:03:54 -0500 Subject: [Freeipa-devel] [PATCH] 174 Added selectable option for table widget. Message-ID: <4DF1515A.9010003@redhat.com> A selectable option has been added to the table widget to show/hide the checkbox column for selecting table rows. By default it's set to true. The indirect association facet has been modified to hide the column because it is non-editable. -- Endi S. Dewata -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-edewata-0174-Added-selectable-option-for-table-widget.patch Type: text/x-patch Size: 5967 bytes Desc: not available URL: From edewata at redhat.com Thu Jun 9 23:36:47 2011 
From: edewata at redhat.com (Endi Sukma Dewata) Date: Thu, 09 Jun 2011 18:36:47 -0500 Subject: [Freeipa-devel] [PATCH] 175 Entitlement status. Message-ID: <4DF1590F.7010807@redhat.com> A new facet has been added to show entitlement status and download the registration certificate. -- Endi S. Dewata -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-edewata-0175-Entitlement-status.patch Type: text/x-patch Size: 36599 bytes Desc: not available URL: From mkosek at redhat.com Fri Jun 10 06:32:14 2011 From: mkosek at redhat.com (Martin Kosek) Date: Fri, 10 Jun 2011 08:32:14 +0200 Subject: [Freeipa-devel] [PATCH] 073 IPA installation with --no-host-dns fails In-Reply-To: <4DF10D6F.1030904@redhat.com> References: <1306919578.2419.2.camel@dhcp-25-52.brq.redhat.com> <4DF10D6F.1030904@redhat.com> Message-ID: <1307687536.12662.2.camel@dhcp-25-52.brq.redhat.com> On Thu, 2011-06-09 at 14:14 -0400, Rob Crittenden wrote: > Martin Kosek wrote: > > Patch for both master and ipa-2-0 branch attached. > > --- > > --no-host-dns option should allow installing IPA server on a host > > without a DNS resolvable name. > > > > Update parse_ip_address and verify_ip_address functions has been > > changed not to return None and print error messages in case of > > an error, but rather let the Exception be handled by the calling > > routine. > > > > https://fedorahosted.org/freeipa/ticket/1246 > > ack for both Pushed to master, ipa-2-0. Martin From mkosek at redhat.com Fri Jun 10 06:36:09 2011 
From: mkosek at redhat.com (Martin Kosek) Date: Fri, 10 Jun 2011 08:36:09 +0200 Subject: [Freeipa-devel] [PATCH] 074 Handle LDAP search references In-Reply-To: <4DF11938.1010609@redhat.com> References: <1306944748.2419.4.camel@dhcp-25-52.brq.redhat.com> <4DF11938.1010609@redhat.com> Message-ID: <1307687771.12662.3.camel@dhcp-25-52.brq.redhat.com> On Thu, 2011-06-09 at 15:04 -0400, Rob Crittenden wrote: > Martin Kosek wrote: > > LDAP search operation may return a search reference pointing to > > an LDAP resource. As the framework does not handle search > > references, skip these results to prevent result processing > > failures. > > > > Migrate operation crashed when the migrated DS contained search > > references. Now, it correctly skips these records and prints the > > failed references to the user. > > > > https://fedorahosted.org/freeipa/ticket/1209 > > Ack, reports failure as expected. > > rob Pushed to master, ipa-2-0. Martin From mkosek at redhat.com Fri Jun 10 11:40:09 2011
From: mkosek at redhat.com (Martin Kosek) Date: Fri, 10 Jun 2011 13:40:09 +0200 Subject: [Freeipa-devel] [PATCH] 075 Add ignore lists to migrate-ds command In-Reply-To: <4DF11B8C.4070309@redhat.com> References: <1307104970.12835.12.camel@dhcp-25-52.brq.redhat.com> <4DF11B8C.4070309@redhat.com> Message-ID: <1307706012.12662.6.camel@dhcp-25-52.brq.redhat.com> On Thu, 2011-06-09 at 15:14 -0400, Rob Crittenden wrote: > Martin Kosek wrote: > > How to test: > > 1) Create a custom DS instance with for example 60radius.ldif schema > > present (as in the original report in ticket #1266) > > 2) Populate DS with users/groups with custom unsupported object > > class/attribute > > 3) Try to migrate these users and groups to IPAv2. Only the enhanced > > migrate-ds command should be successful: > > > > # ipa migrate-ds ldap://vm-102.idm.lab.bos.redhat.com:389 > > --schema=RFC2307 --user-objectclass=posixAccount > > --group-objectclass=posixgroup --user-container='ou=People' > > --group-container='cn=Accounting Managers,ou=Groups' > > --user-ignore-objectclass=radiusprofile,radiusclientprofile > > --user-ignore-attribute=radiusclientsecret,radiusclientipaddress > > > > --- > > When a user migrates users/groups from an old DS instance, the > > migration may fail on unsupported object classes and/or > > relevant LDAP object attributes. > > > > This patch implements a support for object class and attribute > > ignore lists that can be used to suppress these migration issues. > > > > Additionally, a redundant "dev/null" file is removed from git repo > > (originally added in 26b0e8fc9809a4cd9f2f9a2281f0894e2e0f8db2). > > > > https://fedorahosted.org/freeipa/ticket/1266 > > This isn't applying to master (the blacklists hunk), and I wasn't sure > where it should go either. > > I did notice one general problem though: objectclasses should be treated > case-insensitively. > > rob I rebased the patch. Objectclasses and attributes were already treated case insensitively, so no change needed there. 
Martin -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-mkosek-075-2-add-ignore-lists-to-migrate-ds-command.patch Type: text/x-patch Size: 10430 bytes Desc: not available URL: From mkosek at redhat.com Fri Jun 10 13:20:30 2011 
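Patches 074 and 075 both touch the same loop in migrate-ds: results coming back from the old directory have to be screened for search references before they are treated as entries, and the ignore lists have to be matched case-insensitively. The following is an added example written for this thread, not the project's migrate-ds code; the sample result set is constructed, and the (None, [url]) shape of a search reference is python-ldap's convention for what search_s() returns:

```python
"""Filter old-directory search results the way an enhanced migrate-ds would:
drop search references and strip ignored objectClasses/attributes.

Added example written for this thread; it is not FreeIPA's migration code.
It assumes the python-ldap convention that a search reference is returned as
a (None, [url, ...]) tuple among the (dn, attrs) entries, and it compares
ignore lists case-insensitively.
"""


def split_references(results):
    """Separate (dn, attrs) entries from search references.

    Returns (entries, reference_urls).  Treating a reference as if it were
    an entry is what crashed the original migrate operation.
    """
    entries, references = [], []
    for dn, payload in results:
        if dn is None:          # python-ldap: reference => dn is None
            references.extend(payload)
        else:
            entries.append((dn, payload))
    return entries, references


def strip_ignored(entry, ignore_objectclasses=(), ignore_attributes=()):
    """Return a copy of entry without the ignored objectClasses/attributes.

    objectClass values and attribute names are case-insensitive in LDAP, so
    radiusProfile and RADIUSPROFILE must hit the same ignore entry.
    """
    dn, attrs = entry
    oc_ignore = set(o.lower() for o in ignore_objectclasses)
    attr_ignore = set(a.lower() for a in ignore_attributes)
    cleaned = {}
    for name, values in attrs.items():
        if name.lower() in attr_ignore:
            continue
        if name.lower() == "objectclass":
            values = [v for v in values if v.lower() not in oc_ignore]
        cleaned[name] = list(values)
    return dn, cleaned


def migrate_users(results, ignore_objectclasses=(), ignore_attributes=()):
    """Return (cleaned entries, skipped reference URLs) for one search."""
    entries, references = split_references(results)
    cleaned = [strip_ignored(e, ignore_objectclasses, ignore_attributes)
               for e in entries]
    return cleaned, references


# Constructed sample modelled on ticket 1266: a user carrying the radius
# schema, a search reference, and a plain posixAccount.
SAMPLE_RESULTS = [
    ("uid=alice,ou=People,dc=old,dc=example",
     {"objectClass": ["top", "posixAccount", "radiusprofile"],
      "uid": ["alice"], "uidNumber": ["1001"], "gidNumber": ["1001"],
      "radiusClientSecret": ["s3cret"]}),
    (None, ["ldap://vm-103.example.test/ou=People,dc=old,dc=example??sub"]),
    ("uid=bob,ou=People,dc=old,dc=example",
     {"objectClass": ["top", "posixAccount"],
      "uid": ["bob"], "uidNumber": ["1002"], "gidNumber": ["1002"]}),
]

if __name__ == "__main__":
    users, refs = migrate_users(SAMPLE_RESULTS,
                                ignore_objectclasses=["RadiusProfile"],
                                ignore_attributes=["RADIUSCLIENTSECRET"])
    for dn, attrs in users:
        print("%s -> objectClass=%s" % (dn, attrs["objectClass"]))
    for url in refs:
        print("skipped search reference: %s" % url)
```

The ignore lists are given in mixed case on purpose: with the lower-casing in strip_ignored the radius objectClass and the secret attribute are removed from alice regardless of how the old schema spelled them, and the reference is reported rather than passed on to user-add.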
From: mkosek at redhat.com (Martin Kosek) Date: Fri, 10 Jun 2011 15:20:30 +0200 Subject: [Freeipa-devel] [PATCH] 788 remove automountinformation from automount dns In-Reply-To: <4DF10C8E.8060500@redhat.com> References: <4DDAA9A7.6050302@redhat.com> <1307089734.12835.7.camel@dhcp-25-52.brq.redhat.com> <4DF10C8E.8060500@redhat.com> Message-ID: <1307712033.12662.8.camel@dhcp-25-52.brq.redhat.com> On Thu, 2011-06-09 at 14:10 -0400, Rob Crittenden wrote: > Martin Kosek wrote: > > On Mon, 2011-05-23 at 14:38 -0400, Rob Crittenden wrote: > >> In an attempt to support multiple direct maps we always included the > >> automountinformation in the key dn. This makes showing keys impossible, a > >> bit of a catch-22. You want to get the mount info but to get it you need > >> the mount info. > >> > >> This patch drops requiring automountinfo but if provided it'll use it to > >> make the dn. This way we can have backwards compatibility for any > >> existing maps but going forward only direct maps will have the info in it. > >> > >> --key is still required when dealing with keys, no way around that > >> without doing a major API change, migrating data, etc. > >> > >> ticket 1229 > >> > >> rob > > > > I tested this patch and from CLI perspective, it makes things better. I > > think it is our best bet if we want to avoid major API changes and > > migration nightmares. > > > > I have only a few minor issues regarding the patch: > > 1) API minor version has been bumped since this patch was out, it needs > > a rebase > > 2) check_key_uniqueness function needs to be fixed so that it doesn't > > search only for key/info DNs. Otherwise, it doesn't detect some > > duplicates which leads to inconvenient errors. 
For example when a > > duplicate indirect map is added: > > > > # ipa automountkey-find default auto.master > > Key: /- > > Mount information: auto.direct > > > > Key: /usr/share > > Mount information: auto.share > > # ipa automountkey-add default auto.master --key=/usr/share --info=auto.share2 > > ipa: ERROR: key named auto.master already exists > > > > Martin > > > > Ok, I think this addresses your concern. > > rob Yes, it does. ACK from me, I think it works fine. I did some basic UI testing and didn't see any problem there. Martin From mkosek at redhat.com Fri Jun 10 15:28:40 2011
From: mkosek at redhat.com (Martin Kosek) Date: Fri, 10 Jun 2011 17:28:40 +0200 Subject: [Freeipa-devel] [PATCH] 795 Remove root autobind search restriction, fix upgrade logging & error handling. In-Reply-To: <4DF12DC5.2030205@redhat.com> References: <4DF10124.3020504@redhat.com> <4DF12DC5.2030205@redhat.com> Message-ID: <1307719722.12662.14.camel@dhcp-25-52.brq.redhat.com> On Thu, 2011-06-09 at 16:32 -0400, Rob Crittenden wrote: > Rob Crittenden wrote: > > There was no point in limiting autobind root to just search cn=config > > since it could always just modify its way out of the box, so remove the > > restriction. > > > > The upgrade log wasn't being created. Clearing all other loggers before > > calling logging.basicConfig() fixes this. > > > > Add a global exception when performing updates so we can gracefully > > catch and log problems without leaving the server in a bad state. > > > > https://fedorahosted.org/freeipa/ticket/1243 > > https://fedorahosted.org/freeipa/ticket/1254 > > > > rob > > This was leaving a bogus entry in sysrestore.index and an empty value > in dse.ldif. I updated the patch. > > rob Autobind portion works fine. However, upgrade failure processing can be improved: 1) When an Exception is caught in IPAUpgrade, it is neither logged nor printed out. This can make it difficult to debug. 2) A user running `ipa-ldap-updater --upgrade` cannot tell if the upgrade went wrong. A success status code is returned by the program and no info that something has failed is given. Martin From ayoung at redhat.com Fri Jun 10 18:41:03 2011
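Martin's two points (the swallowed exception and the success exit status), together with the logging.basicConfig() behaviour behind Rob's fix, can be shown in a few lines. The following is an added example written for this thread, not FreeIPA's IPAUpgrade code; the step names and the failing step are constructed for illustration:

```python
"""Upgrade driver that (a) really writes its log file and (b) reports failed
updates.  Added example for this thread; not FreeIPA's IPAUpgrade code, and
the step list below is constructed for illustration.
"""
import logging
import sys


def setup_upgrade_log(path):
    """Point the root logger at `path`.

    logging.basicConfig() is a no-op when the root logger already has a
    handler, and anything that logged before this point (a console handler
    installed by the framework, for instance) leaves one behind.  That is the
    symptom from the thread: basicConfig() was silently skipped, so the
    upgrade log was never created.  Removing stale handlers first makes it
    take effect.
    """
    root = logging.getLogger()
    for handler in list(root.handlers):
        root.removeHandler(handler)
        handler.close()
    logging.basicConfig(filename=path, level=logging.DEBUG,
                        format="%(asctime)s %(levelname)s %(message)s")


def run_upgrade(log_path, steps):
    """Run (name, callable) steps; return the exit status for the process.

    A failing step is logged with its traceback and echoed to stderr, the
    remaining steps still run, and the result is 1 rather than 0 so that an
    operator running `ipa-ldap-updater --upgrade` can see from $? that
    something broke instead of being told everything succeeded.
    """
    setup_upgrade_log(log_path)
    failed = []
    for name, step in steps:
        try:
            step()
            logging.info("update %s: ok", name)
        except Exception as exc:
            # logging.exception() records the traceback in the log file
            logging.exception("update %s failed: %s", name, exc)
            sys.stderr.write("update %s failed: %s (details in %s)\n"
                             % (name, exc, log_path))
            failed.append(name)
    logging.shutdown()
    return 1 if failed else 0


def _add_index():
    """Constructed step that succeeds."""
    return "added index"


def _apply_broken_ldif():
    """Constructed step that fails the way a bad update file would."""
    raise RuntimeError("bad ldif: missing dn")


SAMPLE_STEPS = [("add-index", _add_index), ("apply-ldif", _apply_broken_ldif)]

if __name__ == "__main__":
    sys.exit(run_upgrade("ipaupgrade.log", SAMPLE_STEPS))
```

Running it as a script exits with status 1 and leaves the RuntimeError traceback in ipaupgrade.log while the successful step is still recorded; drop the failing step and the status is 0.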
From: ayoung at redhat.com (Adam Young)
Date: Fri, 10 Jun 2011 14:41:03 -0400
Subject: [Freeipa-devel] [PATCH] JSON-marshalling-list
Message-ID: <4DF2653F.4040204@redhat.com>

Pushed under the one line rule

(attachment: freeipa-admiyo-0234-JSON-marshalling-list.patch, text/x-patch, 931 bytes)

From edewata at redhat.com Fri Jun 10 19:21:16 2011
From: edewata at redhat.com (Endi Sukma Dewata)
Date: Fri, 10 Jun 2011 14:21:16 -0500
Subject: [Freeipa-devel] [PATCH] 173 Fixed resizing issues.
In-Reply-To: <4DF142AA.6070905@redhat.com>
References: <4DF142AA.6070905@redhat.com>
Message-ID: <4DF26EAC.3070009@redhat.com>

On 6/9/2011 5:01 PM, Endi Sukma Dewata wrote:
> The UI has been modified to fix some resizing issues:
>
> Previously the size of scrollable facet content was roughly calculated
> using resize(). Now the size can be more accurately defined in CSS.
>
> Previously the UI width was fixed. The HTML layout and background
> images have been modified to support horizontal expansion.
>
> Demo is available here:
> http://edewata.fedorapeople.org/freeipa/install/ui/index.html

Attached is an updated patch based on Kyle and Adam's feedback. The width has been set back to a fixed value, but the underlying code still supports horizontal resizing in case it's needed in the future. The min height has been removed.

--
Endi S. Dewata

(attachment: freeipa-edewata-0173-2-Fixed-resizing-issues.patch, text/x-patch, 52449 bytes)

From rcritten at redhat.com Fri Jun 10 19:33:56 2011
From: rcritten at redhat.com (Rob Crittenden)
Date: Fri, 10 Jun 2011 15:33:56 -0400
Subject: [Freeipa-devel] [PATCH] 796 better detection of CA DS installation status
Message-ID: <4DF271A4.9090407@redhat.com>

Do better detection on status of CA DS instance when installing.

The conditional used to determine if the CA 389-ds instance was already configured was rather poor, so it was possible to pass command-line arguments in to confuse it. This would cause it to not be installed at all, causing the dogtag installation to fail in a strange way.

https://fedorahosted.org/freeipa/ticket/1244

rob

(attachment: freeipa-rcrit-796-external.patch, text/x-diff, 2702 bytes)

From rcritten at redhat.com Fri Jun 10 19:41:11 2011
From: rcritten at redhat.com (Rob Crittenden)
Date: Fri, 10 Jun 2011 15:41:11 -0400
Subject: [Freeipa-devel] [PATCH] 795 Remove root autobind search restriction, fix upgrade logging & error handling.
In-Reply-To: <1307719722.12662.14.camel@dhcp-25-52.brq.redhat.com>
References: <4DF10124.3020504@redhat.com> <4DF12DC5.2030205@redhat.com> <1307719722.12662.14.camel@dhcp-25-52.brq.redhat.com>
Message-ID: <4DF27357.5000502@redhat.com>

Martin Kosek wrote:
> On Thu, 2011-06-09 at 16:32 -0400, Rob Crittenden wrote:
>> Rob Crittenden wrote:
>>> There was no point in limiting autobind root to just search cn=config
>>> since it could always just modify its way out of the box, so remove the
>>> restriction.
>>>
>>> The upgrade log wasn't being created. Clearing all other loggers before
>>> calling logging.basicConfig() fixes this.
>>>
>>> Add a global exception when performing updates so we can gracefully
>>> catch and log problems without leaving the server in a bad state.
>>>
>>> https://fedorahosted.org/freeipa/ticket/1243
>>> https://fedorahosted.org/freeipa/ticket/1254
>>>
>>> rob
>>
>> This was leaving a bogus entry in systrestore.index and an empty value
>> in dse.ldif. I updated the patch.
>>
>> rob
>
> Autobind portion works fine. However, upgrade failure processing can be
> improved:
>
> 1) When an Exception is caught in IPAUpgrade, it is neither logged nor
> printed out. This can make it difficult to debug.

Yup, logging it now.

>
> 2) A user running `ipa-ldap-updater --upgrade` cannot tell if the upgrade
> went wrong. A success status code is returned by the program and no info
> that something has failed is given.

Gah, I had a return 1 there at some point... Added back.

rob

(attachment: freeipa-rcrit-795-3-upgrade.patch, text/x-diff, 8894 bytes)

From simo at redhat.com Fri Jun 10 20:18:34 2011
From: simo at redhat.com (Simo Sorce)
Date: Fri, 10 Jun 2011 16:18:34 -0400
Subject: [Freeipa-devel] FreeIPA v3 development
In-Reply-To: <1307536747.2613.219.camel@willson.li.ssimo.org>
References: <1307536747.2613.219.camel@willson.li.ssimo.org>
Message-ID: <1307737114.12323.17.camel@willson.li.ssimo.org>

On Wed, 2011-06-08 at 08:39 -0400, Simo Sorce wrote:
> The repo can be found here:
> http://fedorapeople.org/gitweb?p=simo/public_git/freeipa.git;a=summary

In order to make things clearer I have changed the branches slightly.

Now the 'master' branch follows the upstream one.

I moved the proposed rebase for the v3 development to the branch named freeipa-v3.

And I added a branch called my-master where I push unfinished work and midpoint rebases while I dig through the features to add to freeipa-v3.

> Comments are very welcome.

This is still the case :-)

Simo.

--
Simo Sorce * Red Hat, Inc * New York

From rcritten at redhat.com Fri Jun 10 20:32:23 2011
From: rcritten at redhat.com (Rob Crittenden)
Date: Fri, 10 Jun 2011 16:32:23 -0400
Subject: [Freeipa-devel] [PATCH] 797 fix re-initializing replica binding using GSSAPI
Message-ID: <4DF27F57.3030204@redhat.com>

Support initializing memberof during replication re-init using GSSAPI

The last step of a replication re-initialization is to run the memberof task. The current function would only authenticate using simple auth to monitor the task, but we may be doing this using admin GSSAPI credentials, so support that type of bind as well.

In short this fixes:

# kinit admin
# ipa-replica-manage re-initialize --from=master.example.com

https://fedorahosted.org/freeipa/ticket/1248

rob

(attachment: freeipa-rcrit-797-bind.patch, text/x-diff, 1495 bytes)

From JR.Aquino at citrix.com Fri Jun 10 22:11:05 2011
From: JR.Aquino at citrix.com (JR Aquino)
Date: Fri, 10 Jun 2011 22:11:05 +0000
Subject: [Freeipa-devel] [PATCH] 29 Raise DuplicateEntry Error when adding a duplicate sudo option
In-Reply-To: <4DF101D9.6000209@redhat.com>
References: <2AE1C072-9099-44E1-A778-BB1A6F0AE955@citrixonline.com> <4DF101D9.6000209@redhat.com>
Message-ID: <5AF8156E-C5D0-4B09-A279-4CD049AB54B6@citrixonline.com>

On Jun 9, 2011, at 10:24 AM, Rob Crittenden wrote:
> JR Aquino wrote:
>> https://fedorahosted.org/freeipa/ticket/1277
>>
>> Raise DuplicateEntry Error when adding a duplicate sudo option
>
> nack, this will still fail if no ipasudoopt is passed in.
>
> Also, is this case-sensitive?

Yes, it is case sensitive (Example: sudoOption: env_keep+=SSH_AUTH_SOCK)

Here is an adjusted patch to account for no ipasudoopt as well as an empty space.

(attachment: freeipa-jraquino-0029-Raise-DuplicateEntry-Error-when-adding-a-duplicate.patch, application/octet-stream, 3414 bytes)

From JR.Aquino at citrix.com Fri Jun 10 22:32:31 2011
From: JR.Aquino at citrix.com (JR Aquino)
Date: Fri, 10 Jun 2011 22:32:31 +0000
Subject: [Freeipa-devel] [PATCH] 29 Raise DuplicateEntry Error when adding a duplicate sudo option
In-Reply-To: <5AF8156E-C5D0-4B09-A279-4CD049AB54B6@citrixonline.com>
References: <2AE1C072-9099-44E1-A778-BB1A6F0AE955@citrixonline.com> <4DF101D9.6000209@redhat.com> <5AF8156E-C5D0-4B09-A279-4CD049AB54B6@citrixonline.com>
Message-ID: <0D1AFB75-6A9B-40B0-848D-B6B08CC0A2B8@citrixonline.com>

On Jun 10, 2011, at 3:11 PM, JR Aquino wrote:
> On Jun 9, 2011, at 10:24 AM, Rob Crittenden wrote:
>
>> JR Aquino wrote:
>>> https://fedorahosted.org/freeipa/ticket/1277
>>>
>>> Raise DuplicateEntry Error when adding a duplicate sudo option
>>
>> nack, this will still fail if no ipasudoopt is passed in.
>>
>> Also, is this case-sensitive?
>
> Yes, it is case sensitive (Example: sudoOption: env_keep+=SSH_AUTH_SOCK)
>
> Here is an adjusted patch to account for no ipasudoopt as well as an empty space.
>

Minor correction: Addressed the 1 character change needed to address #1276

Added notes to indicate this patch fixes:

#1276 (Removed option from Sudo rule message is displayed even when the given option doesn't exist.)
#1277 (Added option to Sudo rule message is displayed even when the given option already exists.)
#1308 (Internal error while removing sudorule option without "--sudooption")

(attachment: freeipa-jraquino-0029-Raise-DuplicateEntry-Error-when-adding-a-duplicate.patch, application/octet-stream, 3776 bytes)

From mkosek at redhat.com Mon Jun 13 07:53:52 2011
From: mkosek at redhat.com (Martin Kosek)
Date: Mon, 13 Jun 2011 09:53:52 +0200
Subject: [Freeipa-devel] [PATCH] 795 Remove root autobind search restriction, fix upgrade logging & error handling.
In-Reply-To: <4DF27357.5000502@redhat.com>
References: <4DF10124.3020504@redhat.com> <4DF12DC5.2030205@redhat.com> <1307719722.12662.14.camel@dhcp-25-52.brq.redhat.com> <4DF27357.5000502@redhat.com>
Message-ID: <1307951634.5021.0.camel@dhcp-25-52.brq.redhat.com>

On Fri, 2011-06-10 at 15:41 -0400, Rob Crittenden wrote:
> Martin Kosek wrote:
> > On Thu, 2011-06-09 at 16:32 -0400, Rob Crittenden wrote:
> >> Rob Crittenden wrote:
> >>> There was no point in limiting autobind root to just search cn=config
> >>> since it could always just modify its way out of the box, so remove the
> >>> restriction.
> >>>
> >>> The upgrade log wasn't being created. Clearing all other loggers before
> >>> calling logging.basicConfig() fixes this.
> >>>
> >>> Add a global exception when performing updates so we can gracefully
> >>> catch and log problems without leaving the server in a bad state.
> >>>
> >>> https://fedorahosted.org/freeipa/ticket/1243
> >>> https://fedorahosted.org/freeipa/ticket/1254
> >>>
> >>> rob
> >>
> >> This was leaving a bogus entry in systrestore.index and an empty value
> >> in dse.ldif. I updated the patch.
> >>
> >> rob
> >
> > Autobind portion works fine. However, upgrade failure processing can be
> > improved:
> >
> > 1) When an Exception is caught in IPAUpgrade, it is neither logged nor
> > printed out. This can make it difficult to debug.
>
> Yup, logging it now.
>
> >
> > 2) A user running `ipa-ldap-updater --upgrade` cannot tell if the upgrade
> > went wrong. A success status code is returned by the program and no info
> > that something has failed is given.
>
> Gah, I had a return 1 there at some point... Added back.
>
> rob

ACK. Pushed to master, ipa-2-0.

Martin

From mkosek at redhat.com Mon Jun 13 10:21:31 2011
From: mkosek at redhat.com (Martin Kosek)
Date: Mon, 13 Jun 2011 12:21:31 +0200
Subject: [Freeipa-devel] [PATCH] 796 better detection of CA DS installation status
In-Reply-To: <4DF271A4.9090407@redhat.com>
References: <4DF271A4.9090407@redhat.com>
Message-ID: <1307960494.5021.3.camel@dhcp-25-52.brq.redhat.com>

On Fri, 2011-06-10 at 15:33 -0400, Rob Crittenden wrote:
> Do better detection on status of CA DS instance when installing.
>
> The conditional used to determine if the CA 389-ds instance was already
> configured was rather poor so it was possible to pass command-line
> arguments in to confuse it. This would cause it to not be installed at
> all causing the dogtag installation to fail in a strange way.
>
> https://fedorahosted.org/freeipa/ticket/1244
>
> rob

ACK, works for me.

It would be better if we could detect these situations in the option parsing phase, but it's true that this particular problem is difficult to detect.

Martin

From jcholast at redhat.com Mon Jun 13 10:32:22 2011
From: jcholast at redhat.com (Jan Cholasta)
Date: Mon, 13 Jun 2011 12:32:22 +0200
Subject: [Freeipa-devel] [PATCH] 21 Fix directory manager password validation in ipa-nis-manage
In-Reply-To: <1307623856.27281.15.camel@dhcp-25-52.brq.redhat.com>
References: <4DEF7748.9040105@redhat.com> <1307623856.27281.15.camel@dhcp-25-52.brq.redhat.com>
Message-ID: <4DF5E736.7050906@redhat.com>

On 9.6.2011 14:50, Martin Kosek wrote:
> On Wed, 2011-06-08 at 15:21 +0200, Jan Cholasta wrote:
>> https://fedorahosted.org/freeipa/ticket/1283
>> https://fedorahosted.org/freeipa/ticket/1284
>>
>> Honza
>
> Patch works fine, but I'd like to improve code quality a bit. Please
> don't call sys.exit() from get_dirman_password(). It doesn't really make
> sense.
>
> I suggest just returning None in that case and then exiting in the main
> function. Or raising a proper exception and then exiting in the main
> function. The get_dirman_password() function can then be later reused
> easily.

Good point. Fixed.

>
> Martin
>

Honza

--
Jan Cholasta

(attachment: freeipa-jcholast-21.1-ipa-nis-manage-input-validation.patch, text/x-patch, 2620 bytes)

From mkosek at redhat.com Mon Jun 13 10:56:14 2011
From: mkosek at redhat.com (Martin Kosek)
Date: Mon, 13 Jun 2011 12:56:14 +0200
Subject: [Freeipa-devel] [PATCH] 797 fix re-initializing replica binding using GSSAPI
In-Reply-To: <4DF27F57.3030204@redhat.com>
References: <4DF27F57.3030204@redhat.com>
Message-ID: <1307962576.5021.4.camel@dhcp-25-52.brq.redhat.com>

On Fri, 2011-06-10 at 16:32 -0400, Rob Crittenden wrote:
> Support initializing memberof during replication re-init using GSSAPI
>
> The last step of a replication re-initialization is to run the memberof
> task. The current function would only authenticate using simple auth to
> monitor the task but we may be doing this using admin GSSAPI credentials
> so support that type of bind as well.
>
> In short this fixes:
>
> # kinit admin
> # ipa-replica-manage re-initialize --from=master.example.com
>
> https://fedorahosted.org/freeipa/ticket/1248
>
> rob

ACK, works like a charm. Pushed to master, ipa-2-0.

Martin

From mkosek at redhat.com Mon Jun 13 11:02:04 2011
From: mkosek at redhat.com (Martin Kosek)
Date: Mon, 13 Jun 2011 13:02:04 +0200
Subject: [Freeipa-devel] [PATCH] 21 Fix directory manager password validation in ipa-nis-manage
In-Reply-To: <4DF5E736.7050906@redhat.com>
References: <4DEF7748.9040105@redhat.com> <1307623856.27281.15.camel@dhcp-25-52.brq.redhat.com> <4DF5E736.7050906@redhat.com>
Message-ID: <1307962926.5021.5.camel@dhcp-25-52.brq.redhat.com>

On Mon, 2011-06-13 at 12:32 +0200, Jan Cholasta wrote:
> On 9.6.2011 14:50, Martin Kosek wrote:
> > On Wed, 2011-06-08 at 15:21 +0200, Jan Cholasta wrote:
> >> https://fedorahosted.org/freeipa/ticket/1283
> >> https://fedorahosted.org/freeipa/ticket/1284
> >>
> >> Honza
> >
> > Patch works fine, but I'd like to improve code quality a bit. Please
> > don't call sys.exit() from get_dirman_password(). It doesn't really make
> > sense.
> >
> > I suggest just returning None in that case and then exiting in the main
> > function. Or raising a proper exception and then exiting in the main
> > function. The get_dirman_password() function can then be later reused
> > easily.
>
> Good point. Fixed.

ACK. Pushed to master, ipa-2-0.

Martin

From mkosek at redhat.com Mon Jun 13 11:14:44 2011
From: mkosek at redhat.com (Martin Kosek)
Date: Mon, 13 Jun 2011 13:14:44 +0200
Subject: [Freeipa-devel] [PATCH] JSON-marshalling-list
In-Reply-To: <4DF2653F.4040204@redhat.com>
References: <4DF2653F.4040204@redhat.com>
Message-ID: <1307963686.5021.7.camel@dhcp-25-52.brq.redhat.com>

On Fri, 2011-06-10 at 14:41 -0400, Adam Young wrote:
> Pushed under the one line rule

Does this bug also affect the "old" IPA 2.0 WebUI? In that case I think this patch should be pushed to branch ipa-2-0 as well.

Martin

From ayoung at redhat.com Mon Jun 13 13:46:27 2011
From: ayoung at redhat.com (Adam Young)
Date: Mon, 13 Jun 2011 09:46:27 -0400
Subject: [Freeipa-devel] [PATCH] JSON-marshalling-list
In-Reply-To: <1307963686.5021.7.camel@dhcp-25-52.brq.redhat.com>
References: <4DF2653F.4040204@redhat.com> <1307963686.5021.7.camel@dhcp-25-52.brq.redhat.com>
Message-ID: <4DF614B3.8060803@redhat.com>

On 06/13/2011 07:14 AM, Martin Kosek wrote:
> On Fri, 2011-06-10 at 14:41 -0400, Adam Young wrote:
>> Pushed under the one line rule
> Does this bug also affect the "old" IPA 2.0 WebUI? In that case I think
> this patch should be pushed to branch ipa-2-0 as well.
>
> Martin
>

Haven't tested it.

From mkosek at redhat.com Mon Jun 13 14:35:27 2011
From: mkosek at redhat.com (Martin Kosek)
Date: Mon, 13 Jun 2011 16:35:27 +0200
Subject: [Freeipa-devel] [PATCH] 080 Add a list of managed hosts
Message-ID: <1307975730.5021.8.camel@dhcp-25-52.brq.redhat.com>

Enhance Host plugin to provide not only the "Managed By" list but also a list of managed hosts. The new list is generated only when the --all option is passed.

https://fedorahosted.org/freeipa/ticket/993

(attachment: freeipa-mkosek-080-add-a-list-of-managed-hosts.patch, text/x-patch, 3570 bytes)

From ayoung at redhat.com Mon Jun 13 15:45:35 2011
From: ayoung at redhat.com (Adam Young)
Date: Mon, 13 Jun 2011 11:45:35 -0400
Subject: [Freeipa-devel] Fwd: Re: User Groups
Message-ID: <4DF6309F.9070308@redhat.com>

Dmitri, is this solution acceptable?

-------- Original Message --------
Subject: Re: User Groups
Date: Mon, 13 Jun 2011 11:39:46 -0400 (EDT)
From: Kyle Baker
To: Adam Young
CC: Endi Sukma Dewata

Attached the image.

Kyle Baker
Visual Designer
Desk - 978 392 3116
IRC - kylebaker

----- Original Message -----
> On 06/13/2011 09:55 AM, Kyle Baker wrote:
> >
> > Kyle Baker
> > Visual Designer
> > Desk - 978 392 3116
> > IRC - kylebaker
> >
> > ----- Original Message -----
> >>>>>> I don't think it is at the right level of the hierarchy.
> >>>>>> Probably
> >>>>>> better
> >>>>>> for us to find a way to munge direct and indirect into the same
> >>>>>> facet.
> >>>>> Maybe a checkbox in the facet content to show the indirect
> >>>>> items?
> >>> I like this solution the best. I think it is the simplest and
> >>> clearest way to digest the information. Could we have a checkbox
> >>> for
> >>> direct also, if the user just wants to see indirect enrollment?
> >> So we would show both in the same table, but only if the
> >> appropriate
> >> checkbox is selected?
> > Right. I will send a mock up.
>
> No need, I get the concept. Thing is, I am not sure that it makes
> sense overall. It munges together two concepts that the CLI keeps
> separate, and I don't think we want to do that. I'd be ok with
> "either/or".
>
> >>>> Can we just show them both? maybe two tables on the page, left to
> >>>> right, with direct on the left and indirect on the right?

(attachment: user-groups.png, image/png, 121792 bytes)

From ayoung at redhat.com Mon Jun 13 16:56:42 2011
From: ayoung at redhat.com (Adam Young)
Date: Mon, 13 Jun 2011 12:56:42 -0400
Subject: [Freeipa-devel] [PATCH] 173 Fixed resizing issues.
In-Reply-To: <4DF26EAC.3070009@redhat.com>
References: <4DF142AA.6070905@redhat.com> <4DF26EAC.3070009@redhat.com>
Message-ID: <4DF6414A.1010002@redhat.com>

On 06/10/2011 03:21 PM, Endi Sukma Dewata wrote:
> On 6/9/2011 5:01 PM, Endi Sukma Dewata wrote:
>> The UI has been modified to fix some resizing issues:
>>
>> Previously the size of scrollable facet content was roughly calculated
>> using resize(). Now the size can be more accurately defined in CSS.
>>
>> Previously the UI width was fixed. The HTML layout and background
>> images have been modified to support horizontal expansion.
>>
>> Demo is available here:
>> http://edewata.fedorapeople.org/freeipa/install/ui/index.html
>
> Attached is an updated patch based on Kyle and Adam's feedback. The
> width has been set back to a fixed value, but the underlying code
> still supports horizontal resizing in case it's needed in the future.
> The min height has been removed.
>
>
> _______________________________________________
> Freeipa-devel mailing list
> Freeipa-devel at redhat.com
> https://www.redhat.com/mailman/listinfo/freeipa-devel

ACK, pushed to master

From ayoung at redhat.com Mon Jun 13 16:57:07 2011
From: ayoung at redhat.com (Adam Young)
Date: Mon, 13 Jun 2011 12:57:07 -0400
Subject: [Freeipa-devel] [PATCH] 174 Added selectable option for table widget.
In-Reply-To: <4DF1515A.9010003@redhat.com>
References: <4DF1515A.9010003@redhat.com>
Message-ID: <4DF64163.3050504@redhat.com>

On 06/09/2011 07:03 PM, Endi Sukma Dewata wrote:
> A selectable option has been added to the table widget to show/hide
> the checkbox column for selecting table rows. By default it's set
> to true. The indirect association facet has been modified to hide
> the column because it is non-editable.

ACK, pushed to master

From ayoung at redhat.com Mon Jun 13 16:57:15 2011
From: ayoung at redhat.com (Adam Young)
Date: Mon, 13 Jun 2011 12:57:15 -0400
Subject: [Freeipa-devel] [PATCH] 175 Entitlement status.
In-Reply-To: <4DF1590F.7010807@redhat.com>
References: <4DF1590F.7010807@redhat.com>
Message-ID: <4DF6416B.30208@redhat.com>

On 06/09/2011 07:36 PM, Endi Sukma Dewata wrote:
> A new facet has been added to show entitlement status and download
> the registration certificate.

ACK, pushed to master

From dpal at redhat.com Mon Jun 13 17:31:59 2011
From: dpal at redhat.com (Dmitri Pal)
Date: Mon, 13 Jun 2011 13:31:59 -0400
Subject: [Freeipa-devel] Fwd: Re: User Groups
In-Reply-To: <4DF6309F.9070308@redhat.com>
References: <4DF6309F.9070308@redhat.com>
Message-ID: <4DF6498F.3060301@redhat.com>

On 06/13/2011 11:45 AM, Adam Young wrote:
> Dmitri, is this solution acceptable?
>

Should it be "direct" - "indirect" - "all"?

What is the use case?

IMO the main use cases are direct - who is the direct member of this group, and all - whom this group will affect if I use it in a policy. Indirect is a corner case.

>
>
> -------- Original Message --------
> Subject: Re: User Groups
> Date: Mon, 13 Jun 2011 11:39:46 -0400 (EDT)
> From: Kyle Baker
> To: Adam Young
> CC: Endi Sukma Dewata
>
>
>
> Attached the image.
>
> Kyle Baker
> Visual Designer
> Desk - 978 392 3116
> IRC - kylebaker
>
> ----- Original Message -----
> > On 06/13/2011 09:55 AM, Kyle Baker wrote:
> > >
> > > Kyle Baker
> > > Visual Designer
> > > Desk - 978 392 3116
> > > IRC - kylebaker
> > >
> > > ----- Original Message -----
> > >>>>>> I don't think it is at the right level of the hierarchy.
> > >>>>>> Probably
> > >>>>>> better
> > >>>>>> for us to find a way to munge direct and indirect into the same
> > >>>>>> facet.
> > >>>>> Maybe a checkbox in the facet content to show the indirect
> > >>>>> items?
> > >>> I like this solution the best. I think it is the simplest and
> > >>> clearest way to digest the information. Could we have a checkbox
> > >>> for
> > >>> direct also, if the user just wants to see indirect enrollment?
> > >> So we would show both in the same table, but only if the
> > >> appropriate
> > >> checkbox is selected?
> > > Right. I will send a mock up.
> >
> > No need, I get the concept. Thing is, I am not sure that it makes
> > sense overall. It munges together two concepts that the CLI keeps
> > separate, and I don't think we want to do that. I'd be ok with
> > "either/or".
> >
> > >>>> Can we just show them both? maybe two tables on the page, left to
> > >>>> right, with direct on the left and indirect on the right?
>

--
Thank you,
Dmitri Pal

Sr. Engineering Manager IPA project,
Red Hat Inc.

-------------------------------
Looking to carve out IT costs?
www.redhat.com/carveoutcosts/

From rcritten at redhat.com Mon Jun 13 17:37:32 2011
From: rcritten at redhat.com (Rob Crittenden)
Date: Mon, 13 Jun 2011 13:37:32 -0400
Subject: [Freeipa-devel] Fwd: Re: User Groups
In-Reply-To: <4DF6498F.3060301@redhat.com>
References: <4DF6309F.9070308@redhat.com> <4DF6498F.3060301@redhat.com>
Message-ID: <4DF64ADC.9070802@redhat.com>

Dmitri Pal wrote:
> On 06/13/2011 11:45 AM, Adam Young wrote:
>> Dmitri, is this solution acceptable?
>>
>
> Should it be "direct" - "indirect" - "all"?
>
> What is the use case?
> IMO the main use cases are direct - who is the direct member of this
> group, and all - whom this group will affect if I use it in a policy.
> Indirect is a corner case.

Well, indirect can become a bit of a rat hole too, because then you start asking questions like "ok, how is this object a member" and you want to be able to drill down into things. I'm sure it becomes even more interesting when an object is an indirect member due to multiple other memberships.

rob

>
>
>>
>>
>> -------- Original Message --------
>> Subject: Re: User Groups
>> Date: Mon, 13 Jun 2011 11:39:46 -0400 (EDT)
>> From: Kyle Baker
>> To: Adam Young
>> CC: Endi Sukma Dewata
>>
>>
>>
>> Attached the image.
>>
>> Kyle Baker
>> Visual Designer
>> Desk - 978 392 3116
>> IRC - kylebaker
>>
>> ----- Original Message -----
>> > On 06/13/2011 09:55 AM, Kyle Baker wrote:
>> > >
>> > > Kyle Baker
>> > > Visual Designer
>> > > Desk - 978 392 3116
>> > > IRC - kylebaker
>> > >
>> > > ----- Original Message -----
>> > >>>>>> I don't think it is at the right level of the hierarchy.
>> > >>>>>> Probably
>> > >>>>>> better
>> > >>>>>> for us to find a way to munge direct and indirect into the same
>> > >>>>>> facet.
>> > >>>>> Maybe a checkbox in the facet content to show the indirect
>> > >>>>> items?
>> > >>> I like this solution the best. I think it is the simplest and
>> > >>> clearest way to digest the information. Could we have a checkbox
>> > >>> for
>> > >>> direct also, if the user just wants to see indirect enrollment?
>> > >> So we would show both in the same table, but only if the
>> > >> appropriate
>> > >> checkbox is selected?
>> > > Right. I will send a mock up.
>> >
>> > No need, I get the concept. Thing is, I am not sure that it makes
>> > sense overall. It munges together two concepts that the CLI keeps
>> > separate, and I don't think we want to do that. I'd be ok with
>> > "either/or".
>> >
>> > >>>> Can we just show them both? maybe two tables on the page, left to
>> > >>>> right, with direct on the left and indirect on the right?
>>
>
> --
> Thank you,
> Dmitri Pal
>
> Sr. Engineering Manager IPA project,
> Red Hat Inc.
>
>
> -------------------------------
> Looking to carve out IT costs?
> www.redhat.com/carveoutcosts/
>

From JR.Aquino at citrix.com Mon Jun 13 18:45:18 2011
From: JR.Aquino at citrix.com (JR Aquino)
Date: Mon, 13 Jun 2011 18:45:18 +0000
Subject: [Freeipa-devel] [PATCH] 30 Display remaining external hosts when removing from sudorule
Message-ID: <0BBF240A-C933-4469-A38B-CEB9AAF75783@citrixonline.com>

This small 2 line patch addresses 2 bugs:

https://fedorahosted.org/freeipa/ticket/1269 - (Remaining external hosts not displayed while removing one from a sudorule.)
https://fedorahosted.org/freeipa/ticket/1270 - (Removed external host is displayed in the output when "--all" switch is used)

From rcritten at redhat.com Mon Jun 13 19:15:39 2011
From: rcritten at redhat.com (Rob Crittenden)
Date: Mon, 13 Jun 2011 15:15:39 -0400
Subject: [Freeipa-devel] [PATCH] 796 better detection of CA DS installation status
In-Reply-To: <1307960494.5021.3.camel@dhcp-25-52.brq.redhat.com>
References: <4DF271A4.9090407@redhat.com> <1307960494.5021.3.camel@dhcp-25-52.brq.redhat.com>
Message-ID: <4DF661DB.2000109@redhat.com>

Martin Kosek wrote:
> On Fri, 2011-06-10 at 15:33 -0400, Rob Crittenden wrote:
>> Do better detection on status of CA DS instance when installing.
>>
>> The conditional used to determine if the CA 389-ds instance was already
>> configured was rather poor so it was possible to pass command-line
>> arguments in to confuse it. This would cause it to not be installed at
>> all causing the dogtag installation to fail in a strange way.
>>
>> https://fedorahosted.org/freeipa/ticket/1244
>>
>> rob
>
> ACK, works for me.
>
> It would be better if we could detect these situations in the option parsing
> phase, but it's true that this particular problem is difficult to detect.
>
> Martin
>

pushed to master and ipa-2-0

rob

From rcritten at redhat.com Mon Jun 13 19:45:38 2011
From: rcritten at redhat.com (Rob Crittenden)
Date: Mon, 13 Jun 2011 15:45:38 -0400
Subject: [Freeipa-devel] [PATCH] 798 Fix indirect member calculation
Message-ID: <4DF668E2.6020903@redhat.com>

Indirect membership is calculated by looking at each member and pulling all the memberof out of it. What was missing was doing nested searches on any members in that member group.

So if group2 was a member of group1 and group3 was a member of group2 we would miss group3 as being an indirect member of group1.

I updated the nesting test to do deeper nested testing. I confirmed that this test failed with the old code and works with the new.

ticket https://fedorahosted.org/freeipa/ticket/1273

rob

(attachment: freeipa-rcrit-798-indirect.patch, text/x-diff, 16835 bytes)

From rcritten at redhat.com Mon Jun 13 20:41:39 2011
From: rcritten at redhat.com (Rob Crittenden)
Date: Mon, 13 Jun 2011 16:41:39 -0400
Subject: [Freeipa-devel] [PATCH] 799 The IP address provided to ipa-server-install must be local
Message-ID: <4DF67603.5030508@redhat.com>

Compare the configured interfaces with the supplied IP address and optional netmask to determine if the interface is available.

Note the subtle change when comparing addresses. We have two object types, IPNetwork and IPAddress. We should only compare addresses when we don't have an IPNetwork, otherwise we can end up comparing an address to an object with a netmask and get a bad result.

https://fedorahosted.org/freeipa/ticket/1175

(attachment: freeipa-rcrit-799-local.patch, text/x-diff, 1247 bytes)

From rcritten at redhat.com Mon Jun 13 21:29:29 2011
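The address-versus-network comparison patch 799 describes, as an added example that is not the patch's code nor part of any message in this thread: it uses the standard `ipaddress` module rather than netaddr's IPAddress/IPNetwork, and the interface list is constructed.

```python
"""Check that a supplied IP address (with an optional netmask) is configured
on a local interface, comparing address to address and, only when a netmask
was given, network to network. Added example; not FreeIPA code."""
import ipaddress

# Constructed stand-in for the configured interface addresses of the host.
LOCAL_INTERFACES = ["192.0.2.10/24", "10.0.0.5/8", "127.0.0.1/8", "2001:db8::1/64"]


def is_local_address(supplied, interfaces=LOCAL_INTERFACES):
    """Return True if `supplied` ("A.B.C.D" or "A.B.C.D/prefix") is local.

    The address part is always compared against the interface address.
    The network part is compared only when the caller actually supplied a
    netmask; without one, ip_interface() would default to /32 (or /128)
    and a network comparison would never match a real interface.
    Raises ValueError for input that is not a valid address.
    """
    want = ipaddress.ip_interface(supplied)
    has_netmask = "/" in supplied
    for spec in interfaces:
        iface = ipaddress.ip_interface(spec)
        if iface.ip != want.ip:          # address vs address (v4/v6 mismatch is just unequal)
            continue
        if has_netmask and iface.network != want.network:
            continue                     # right address, wrong netmask
        return True
    return False


def naive_compare(supplied, interfaces=LOCAL_INTERFACES):
    """The pitfall the patch avoids: an address compared with a network object
    is never equal, so a genuinely local address is reported as not local."""
    want = ipaddress.ip_address(supplied.split("/")[0])
    return any(want == ipaddress.ip_network(spec, strict=False) for spec in interfaces)


if __name__ == "__main__":
    for candidate in ["192.0.2.10", "192.0.2.10/24", "192.0.2.10/25", "192.0.2.11"]:
        print(candidate, "local" if is_local_address(candidate) else "NOT local")
    print("naive comparison of 192.0.2.10:", naive_compare("192.0.2.10"))
```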
From: rcritten at redhat.com (Rob Crittenden)
Date: Mon, 13 Jun 2011 17:29:29 -0400
Subject: [Freeipa-devel] [PATCH] 800 remove extra call to version-update
Message-ID: <4DF68139.5040908@redhat.com>

Remove extra call to version-update in spec file.

We had reports that the build would fail here when running with many jobs.

ticket https://fedorahosted.org/freeipa/ticket/1215

rob

(attachment: freeipa-rcrit-800-make.patch, text/x-diff, 1123 bytes)

From edewata at redhat.com Mon Jun 13 21:48:05 2011
From: edewata at redhat.com (Endi Sukma Dewata)
Date: Mon, 13 Jun 2011 16:48:05 -0500
Subject: [Freeipa-devel] [PATCH] 798 Fix indirect member calculation
In-Reply-To: <4DF668E2.6020903@redhat.com>
References: <4DF668E2.6020903@redhat.com>
Message-ID: <4DF68595.6040305@redhat.com>

On 6/13/2011 2:45 PM, Rob Crittenden wrote:
> Indirect membership is calculated by looking at each member and pulling
> all the memberof out of it. What was missing was doing nested searches
> on any members in that member group.
>
> So if group2 was a member of group1 and group3 was a member of group2 we
> would miss group3 as being an indirect member of group1.
>
> I updated the nesting test to do deeper nested testing. I confirmed that
> this test failed with the old code and works with the new.
>
> ticket https://fedorahosted.org/freeipa/ticket/1273

NACK. If a user is an indirect member of a group via 2 different paths, the user will be listed twice. Here is a test scenario:

Group 1 has 2 members: group 2 and group 3.
User X is a member of both group 2 and group 3.
Group 1's indirect members should only list the user X once. Currently it is listed twice.

--
Endi S. Dewata

From rcritten at redhat.com Mon Jun 13 23:00:56 2011
From: rcritten at redhat.com (Rob Crittenden) Date: Mon, 13 Jun 2011 19:00:56 -0400 Subject: [Freeipa-devel] [PATCH] 798 Fix indirect member calculation In-Reply-To: <4DF68595.6040305@redhat.com> References: <4DF668E2.6020903@redhat.com> <4DF68595.6040305@redhat.com> Message-ID: <4DF696A8.4040704@redhat.com> Endi Sukma Dewata wrote: > On 6/13/2011 2:45 PM, Rob Crittenden wrote: >> Indirect membership is calculated by looking at each member and pulling >> all the memberof out of it. What was missing was doing nested searches >> on any members in that member group. >> >> So if group2 was a member of group1 and group3 was a member of group2 we >> would miss group3 as being an indirect member of group1. >> >> I updated the nesting test to do deeper nested testing. I confirmed that >> this test failed with the old code and works with the new. >> >> ticket https://fedorahosted.org/freeipa/ticket/1273 > > NACK. If a user is an indirect member of a group via 2 different paths, > the user will be listed twice. Here is a test scenario: > > Group 1 has 2 members: group 2 and group 3. > User X is a member of both group 2 and group 3. > Group 1's indirect members should only list the user X once. Currently > it is listed twice. > Patch and test case updated. rob -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-rcrit-798-2-indirect.patch Type: text/x-diff Size: 18398 bytes Desc: not available URL: From edewata at redhat.com Mon Jun 13 23:28:31 2011 
From: edewata at redhat.com (Endi Sukma Dewata) Date: Mon, 13 Jun 2011 18:28:31 -0500 Subject: [Freeipa-devel] [PATCH] 176 Fixed tab navigation. Message-ID: <4DF69D1F.2070403@redhat.com> The buttons were previously skipped during tab navigation because they do not have an href attribute. The IPA.button has been fixed to always provide an href attribute. Ticket #983 -- Endi S. Dewata -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-edewata-0176-Fixed-tab-navigation.patch Type: text/x-patch Size: 993 bytes Desc: not available URL: From edewata at redhat.com Tue Jun 14 00:00:41 2011 
From: edewata at redhat.com (Endi Sukma Dewata) Date: Mon, 13 Jun 2011 19:00:41 -0500 Subject: [Freeipa-devel] [PATCH] 798 Fix indirect member calculation In-Reply-To: <4DF696A8.4040704@redhat.com> References: <4DF668E2.6020903@redhat.com> <4DF68595.6040305@redhat.com> <4DF696A8.4040704@redhat.com> Message-ID: <4DF6A4A9.3000901@redhat.com> On 6/13/2011 6:00 PM, Rob Crittenden wrote: > Endi Sukma Dewata wrote: >> On 6/13/2011 2:45 PM, Rob Crittenden wrote: >>> Indirect membership is calculated by looking at each member and pulling >>> all the memberof out of it. What was missing was doing nested searches >>> on any members in that member group. >>> >>> So if group2 was a member of group1 and group3 was a member of group2 we >>> would miss group3 as being an indirect member of group1. >>> >>> I updated the nesting test to do deeper nested testing. I confirmed that >>> this test failed with the old code and works with the new. >>> >>> ticket https://fedorahosted.org/freeipa/ticket/1273 >> >> NACK. If a user is an indirect member of a group via 2 different paths, >> the user will be listed twice. Here is a test scenario: >> >> Group 1 has 2 members: group 2 and group 3. >> User X is a member of both group 2 and group 3. >> Group 1's indirect members should only list the user X once. Currently >> it is listed twice. > > Patch and test case updated. NACK. If there's a circular membership the code will run into an infinite loop. Here's a test scenario: Group 1 has 2 members: group 2 and group 3. Group 2 is a member of group 3. Group 3 is a member of group 2. Run ipa group-show on group 1, the command doesn't return until it's killed. -- Endi S. Dewata From ayoung at redhat.com Tue Jun 14 00:48:32 2011 
From: ayoung at redhat.com (Adam Young) Date: Mon, 13 Jun 2011 20:48:32 -0400 Subject: [Freeipa-devel] [PATCH] 176 Fixed tab navigation. In-Reply-To: <4DF69D1F.2070403@redhat.com> References: <4DF69D1F.2070403@redhat.com> Message-ID: <4DF6AFE0.3020002@redhat.com> On 06/13/2011 07:28 PM, Endi Sukma Dewata wrote: > The buttons were previously skipped during tab navigation because > they do not have an href attribute. The IPA.button has been fixed > to always provide an href attribute. > > Ticket #983 > > > _______________________________________________ > Freeipa-devel mailing list > Freeipa-devel at redhat.com > https://www.redhat.com/mailman/listinfo/freeipa-devel ACK. -------------- next part -------------- An HTML attachment was scrubbed... URL: From rcritten at redhat.com Tue Jun 14 03:28:23 2011 
From: rcritten at redhat.com (Rob Crittenden) Date: Mon, 13 Jun 2011 23:28:23 -0400 Subject: [Freeipa-devel] [PATCH] 798 Fix indirect member calculation In-Reply-To: <4DF6A4A9.3000901@redhat.com> References: <4DF668E2.6020903@redhat.com> <4DF68595.6040305@redhat.com> <4DF696A8.4040704@redhat.com> <4DF6A4A9.3000901@redhat.com> Message-ID: <4DF6D557.4000202@redhat.com> Endi Sukma Dewata wrote: > On 6/13/2011 6:00 PM, Rob Crittenden wrote: >> Endi Sukma Dewata wrote: >>> On 6/13/2011 2:45 PM, Rob Crittenden wrote: >>>> Indirect membership is calculated by looking at each member and pulling >>>> all the memberof out of it. What was missing was doing nested searches >>>> on any members in that member group. >>>> >>>> So if group2 was a member of group1 and group3 was a member of >>>> group2 we >>>> would miss group3 as being an indirect member of group1. >>>> >>>> I updated the nesting test to do deeper nested testing. I confirmed >>>> that >>>> this test failed with the old code and works with the new. >>>> >>>> ticket https://fedorahosted.org/freeipa/ticket/1273 >>> >>> NACK. If a user is an indirect member of a group via 2 different paths, >>> the user will be listed twice. Here is a test scenario: >>> >>> Group 1 has 2 members: group 2 and group 3. >>> User X is a member of both group 2 and group 3. >>> Group 1's indirect members should only list the user X once. Currently >>> it is listed twice. >> >> Patch and test case updated. > > NACK. If there's a circular membership the code will run into an > infinite loop. Here's a test scenario: > > Group 1 has 2 members: group 2 and group 3. > Group 2 is a member of group 3. > Group 3 is a member of group 2. > Run ipa group-show on group 1, the command doesn't return until it's > killed. > I think the solution will be to deny creating circular groups. rob From simo at redhat.com Tue Jun 14 03:37:45 2011 
From: simo at redhat.com (Simo Sorce) Date: Mon, 13 Jun 2011 23:37:45 -0400 Subject: [Freeipa-devel] [PATCH] 798 Fix indirect member calculation In-Reply-To: <4DF6D557.4000202@redhat.com> References: <4DF668E2.6020903@redhat.com> <4DF68595.6040305@redhat.com> <4DF696A8.4040704@redhat.com> <4DF6A4A9.3000901@redhat.com> <4DF6D557.4000202@redhat.com> Message-ID: <1308022665.3182.7.camel@willson.li.ssimo.org> On Mon, 2011-06-13 at 23:28 -0400, Rob Crittenden wrote: > Endi Sukma Dewata wrote: > > On 6/13/2011 6:00 PM, Rob Crittenden wrote: > >> Endi Sukma Dewata wrote: > >>> On 6/13/2011 2:45 PM, Rob Crittenden wrote: > >>>> Indirect membership is calculated by looking at each member and pulling > >>>> all the memberof out of it. What was missing was doing nested searches > >>>> on any members in that member group. > >>>> > >>>> So if group2 was a member of group1 and group3 was a member of > >>>> group2 we > >>>> would miss group3 as being an indirect member of group1. > >>>> > >>>> I updated the nesting test to do deeper nested testing. I confirmed > >>>> that > >>>> this test failed with the old code and works with the new. > >>>> > >>>> ticket https://fedorahosted.org/freeipa/ticket/1273 > >>> > >>> NACK. If a user is an indirect member of a group via 2 different paths, > >>> the user will be listed twice. Here is a test scenario: > >>> > >>> Group 1 has 2 members: group 2 and group 3. > >>> User X is a member of both group 2 and group 3. > >>> Group 1's indirect members should only list the user X once. Currently > >>> it is listed twice. > >> > >> Patch and test case updated. > > > > NACK. If there's a circular membership the code will run into an > > infinite loop. Here's a test scenario: > > > > Group 1 has 2 members: group 2 and group 3. > > Group 2 is a member of group 3. > > Group 3 is a member of group 2. > > Run ipa group-show on group 1, the command doesn't return until it's > > killed. > > > > I think the solution will be to deny creating circular groups. 
Although it would be nice to avoid creating circular groups as they are pointless we really can't assume we can prevent that. In a multi-master scenario it is possible that 2 admins operating on 2 different masters will end up creating a circular group dependency. Even though on each master they will not be, until replication takes place. So we MUST (capital as in RFCs) deal with circular groups in the UI and framework. Entering infinite loops is not an option, use a max-recursion limit if detecting circular deps is too hard. If you set the max-recursion limit high enough you will still operate properly in most scenarios with complex memberships w/o side effects. Simo. -- Simo Sorce * Red Hat, Inc * New York From mkosek at redhat.com Tue Jun 14 06:46:52 2011 
From: mkosek at redhat.com (Martin Kosek) Date: Tue, 14 Jun 2011 08:46:52 +0200 Subject: [Freeipa-devel] [PATCH] 798 Fix indirect member calculation In-Reply-To: <1308022665.3182.7.camel@willson.li.ssimo.org> References: <4DF668E2.6020903@redhat.com> <4DF68595.6040305@redhat.com> <4DF696A8.4040704@redhat.com> <4DF6A4A9.3000901@redhat.com> <4DF6D557.4000202@redhat.com> <1308022665.3182.7.camel@willson.li.ssimo.org> Message-ID: <1308034014.22442.1.camel@dhcp-25-52.brq.redhat.com> On Mon, 2011-06-13 at 23:37 -0400, Simo Sorce wrote: > On Mon, 2011-06-13 at 23:28 -0400, Rob Crittenden wrote: > > Endi Sukma Dewata wrote: > > > On 6/13/2011 6:00 PM, Rob Crittenden wrote: > > >> Endi Sukma Dewata wrote: > > >>> On 6/13/2011 2:45 PM, Rob Crittenden wrote: > > >>>> Indirect membership is calculated by looking at each member and pulling > > >>>> all the memberof out of it. What was missing was doing nested searches > > >>>> on any members in that member group. > > >>>> > > >>>> So if group2 was a member of group1 and group3 was a member of > > >>>> group2 we > > >>>> would miss group3 as being an indirect member of group1. > > >>>> > > >>>> I updated the nesting test to do deeper nested testing. I confirmed > > >>>> that > > >>>> this test failed with the old code and works with the new. > > >>>> > > >>>> ticket https://fedorahosted.org/freeipa/ticket/1273 > > >>> > > >>> NACK. If a user is an indirect member of a group via 2 different paths, > > >>> the user will be listed twice. Here is a test scenario: > > >>> > > >>> Group 1 has 2 members: group 2 and group 3. > > >>> User X is a member of both group 2 and group 3. > > >>> Group 1's indirect members should only list the user X once. Currently > > >>> it is listed twice. > > >> > > >> Patch and test case updated. > > > > > > NACK. If there's a circular membership the code will run into an > > > infinite loop. Here's a test scenario: > > > > > > Group 1 has 2 members: group 2 and group 3. 
> > > Group 2 is a member of group 3. > > > Group 3 is a member of group 2. > > > Run ipa group-show on group 1, the command doesn't return until it's > > > killed. > > > > > > > I think the solution will be to deny creating circular groups. > > Although it would be nice to avoid creating circular groups as they are > pointless we really can't assume we can prevent that. In a multi-master > scenario it is possible that 2 admins operating on 2 different masters > will end up creating a circular group dependency. Even though on each > master they will not be, until replication takes place. > > So we MUST (capital as in RFCs) deal with circular groups in the UI and > framework. Entering infinite loops is not an option, use a max-recursion > limit if detecting circular deps is too hard. > If you set the max-recursion limit high enough you will still operate > properly in most scenarios with complex memberships w/o side effects. > > Simo. > IIRC the algorithms for circular groups processing are already implemented in SSSD, so we don't have to reinvent the wheel and let us get some inspiration there :-) Martin From mkosek at redhat.com Tue Jun 14 08:25:51 2011 
From: mkosek at redhat.com (Martin Kosek) Date: Tue, 14 Jun 2011 10:25:51 +0200 Subject: [Freeipa-devel] [PATCH] 799 The IP address provided to ipa-server-install must be local In-Reply-To: <4DF67603.5030508@redhat.com> References: <4DF67603.5030508@redhat.com> Message-ID: <1308039954.22442.14.camel@dhcp-25-52.brq.redhat.com> On Mon, 2011-06-13 at 16:41 -0400, Rob Crittenden wrote: > Compare the configured interfaces with the supplied IP address and > optional netmask to determine if the interface is available. > > Note the subtle change when comparing addresses. We have two object > types, IPNetwork and IPAddress. We should only compare addresses when we > don't have an IPNetwork otherwise we can end up comparing an address to > an object with a netmask and get a bad result. > > https://fedorahosted.org/freeipa/ticket/1175 NACK. 1) This breaks ipa-replica-prepare: # ipa-replica-prepare vm-046.idm.lab.bos.redhat.com --ip-address=10.16.78.46 Usage: ipa-replica-prepare [options] FQDN (e.g. replica.example.com) ipa-replica-prepare: error: option --ip-address: invalid IP address 10.16.78.46: No network interface matches the provided IP address and netmask Actually, this is not your fault, we just don't use IP address checking in IPAOptionParser correctly. --ip-address option in ipa-replica-prepare has type "ipnet" which is validated by the CheckedIPAddress. As match_local defaults to True, your new exception is raised. I think we need 2 new option types for IPAOptionParser such as "iplocal" and "ipnetlocal" which would be used for --ip-address option in ipa-server-install or ipa-dns-install and which would use match_local=True. Current types "ip" and "ipnet" should use match_local=False. 2) CheckedIPAddress functionality (i.e. this fix) is neither in ipa-2-0 stable branch nor in RHEL 6.1. But this should be OK since it is targeted for RHEL 6.2. Martin From jcholast at redhat.com Tue Jun 14 10:22:22 2011 
From: jcholast at redhat.com (Jan Cholasta) Date: Tue, 14 Jun 2011 12:22:22 +0200 Subject: [Freeipa-devel] [PATCH] 799 The IP address provided to ipa-server-install must be local In-Reply-To: <1308039954.22442.14.camel@dhcp-25-52.brq.redhat.com> References: <4DF67603.5030508@redhat.com> <1308039954.22442.14.camel@dhcp-25-52.brq.redhat.com> Message-ID: <4DF7365E.9060001@redhat.com> On 14.6.2011 10:25, Martin Kosek wrote: > On Mon, 2011-06-13 at 16:41 -0400, Rob Crittenden wrote: >> Compare the configured interfaces with the supplied IP address and >> optional netmask to determine if the interface is available. >> >> Note the subtle change when comparing addresses. We have two object >> types, IPNetwork and IPAddress. We should only compare addresses when we >> don't have an IPNetwork otherwise we can end up comparing an address to >> an object with a netmask and get a bad result. >> >> https://fedorahosted.org/freeipa/ticket/1175 > > NACK. > > 1) This breaks ipa-replica-prepare: > > # ipa-replica-prepare vm-046.idm.lab.bos.redhat.com > --ip-address=10.16.78.46 > Usage: ipa-replica-prepare [options] FQDN (e.g. replica.example.com) > > ipa-replica-prepare: error: option --ip-address: invalid IP address > 10.16.78.46: No network interface matches the provided IP address and > netmask > > Actually, this is not your fault, we just don't use IP address checking > in IPAOptionParser correctly. --ip-address option in ipa-replica-prepare > has type "ipnet" which is validated by the CheckedIPAddress. As > match_local defaults to True, your new exception is raised. Well, it's my fault. I wasn't sure whether to force the use of local IP addresses or not, so only a warning is printed (in verify_ip_address) if the IP address isn't local. > > I think we need 2 new option types for IPAOptionParser such as "iplocal" > and "ipnetlocal" which would be used for --ip-address option in > ipa-server-install or ipa-dns-install and which would use > match_local=True. 
Current types "ip" and "ipnet" should use > match_local=False. That's what I had in a WIP version of my patches. Sorry for not keeping it in :) Actually, it probably makes more sense to use only one option type "ip" and add two new option attributes "ip_network" and "ip_local" to IPAOption, so that the validation details can be set through keyword arguments to add_option. Without that, we would end up having twice as much option types every time a new flag is added to CheckedIPAddress. > > 2) CheckedIPAddress functionality (i.e. this fix) is neither in ipa-2-0 > stable branch nor in RHEL 6.1. But this should be OK since it is > targeted for RHEL 6.2. > > Martin Honza -- Jan Cholasta From rcritten at redhat.com Tue Jun 14 12:56:40 2011 
From: rcritten at redhat.com (Rob Crittenden) Date: Tue, 14 Jun 2011 08:56:40 -0400 Subject: [Freeipa-devel] [PATCH] 799 The IP address provided to ipa-server-install must be local In-Reply-To: <1308039954.22442.14.camel@dhcp-25-52.brq.redhat.com> References: <4DF67603.5030508@redhat.com> <1308039954.22442.14.camel@dhcp-25-52.brq.redhat.com> Message-ID: <4DF75A88.6080301@redhat.com> Martin Kosek wrote: > On Mon, 2011-06-13 at 16:41 -0400, Rob Crittenden wrote: >> Compare the configured interfaces with the supplied IP address and >> optional netmask to determine if the interface is available. >> >> Note the subtle change when comparing addresses. We have two object >> types, IPNetwork and IPAddress. We should only compare addresses when we >> don't have an IPNetwork otherwise we can end up comparing an address to >> an object with a netmask and get a bad result. >> >> https://fedorahosted.org/freeipa/ticket/1175 > > NACK. > > 1) This breaks ipa-replica-prepare: > > # ipa-replica-prepare vm-046.idm.lab.bos.redhat.com > --ip-address=10.16.78.46 > Usage: ipa-replica-prepare [options] FQDN (e.g. replica.example.com) > > ipa-replica-prepare: error: option --ip-address: invalid IP address > 10.16.78.46: No network interface matches the provided IP address and > netmask > > Actually, this is not your fault, we just don't use IP address checking > in IPAOptionParser correctly. --ip-address option in ipa-replica-prepare > has type "ipnet" which is validated by the CheckedIPAddress. As > match_local defaults to True, your new exception is raised. Ok, but is 10.16.78.46 a configured network interface? > > I think we need 2 new option types for IPAOptionParser such as "iplocal" > and "ipnetlocal" which would be used for --ip-address option in > ipa-server-install or ipa-dns-install and which would use > match_local=True. Current types "ip" and "ipnet" should use > match_local=False. > > 2) CheckedIPAddress functionality (i.e. 
this fix) is neither in ipa-2-0 > stable branch nor in RHEL 6.1. But this should be OK since it is > targeted for RHEL 6.2. Right, I wasn't planning on pushing this to 2.0. rob From rcritten at redhat.com Tue Jun 14 13:16:36 2011 
From: rcritten at redhat.com (Rob Crittenden) Date: Tue, 14 Jun 2011 09:16:36 -0400 Subject: [Freeipa-devel] [PATCH] 779 Require an imported certificate's issuer to match our issuer In-Reply-To: <4DEE2676.6070401@redhat.com> References: <4DB7309C.4010307@redhat.com> <4DECDC2D.7070803@redhat.com> <4DED29B8.8090607@redhat.com> <4DEE2676.6070401@redhat.com> Message-ID: <4DF75F34.2030409@redhat.com> Jan Cholasta wrote: > On 6.6.2011 21:25, Rob Crittenden wrote: >> Jan Cholasta wrote: >>> On 26.4.2011 22:52, Rob Crittenden wrote: >>>> The goal is to not import foreign certificates. >>>> >>>> This caused a bunch of tests to fail because we had a hardcoded server >>>> certificate. Instead a developer will need to run make-testcert to >>>> create a server certificate generated by the local CA to test against. >>>> >>>> ticket 1134 >>>> >>>> rob >>>> >>> >>> NACK >>> >>> The certificate isn't verified in host-add. >>> >>> I suspect that certificates signed by an intermediate CA (i.e. when the >>> certificate chain length > 2) are considered invalid. Is that the >>> desired behavior? >> >> That will work as long as the issuer is the IPA CA. I see that if we are >> given a service cert issued by another CA in the chain things could go >> badly. I'm not sure this is something to really worry about though. > > I guess it's not. But I'd like a second opinion on that. We really only want to support those certs we issue otherwise things like revocation get tricky, because we can't manage things we don't issue. 
> >> >>> >>> make-testcert fails with: >>> >>> Traceback (most recent call last): >>> File "./make-testcert", line 126, in >>> sys.exit(makecert(reqdir)) >>> File "./make-testcert", line 105, in makecert >>> add=True) >>> File "./make-testcert", line 66, in run >>> result = self.execute(method, *args, **options) >>> File "/home/jcholast/freeipa/ipalib/backend.py", line 142, in execute >>> raise error #pylint: disable=E0702 >>> ipalib.errors.CommandError: unknown command 'cert_request' >>> >>> This is probably an error on my part (tried running in on both my >>> machine without IPA installed and on VM with IPA installed with no >>> luck), but nonetheless it should be fixed to fail gracefully so that the >>> tests in "make test" have a chance to run. Similarly, the tests which >>> use the test certificate created by make-testcert should be skipped if >>> the certificate isn't available. >> >> You need to take the certificate databases from a self-signed install >> and copy them to ~/.ipa/alias/ in order to do certificate testing. There >> is documentation on how to do this in tests/test_xmlrpc/test_cert.py >> >> I think this should be mandatory as certificates are a main feature of >> v2. > > No matter what I do, I'm still getting the unknown command error. Can > you describe the steps needed to make make-testcert successfully run? > > BTW, it would be nice if "make test" printed an informational message > when the requirements to run the tests aren't met instead of failing > with some random error. You need enable_ra = True in ~/.ipa/default.conf. What I tend to do is copy /etc/ipa/default.conf from my underlying install to ~/.ipa and comment out the xmlrpc_uri. This is now caught by the script. rob -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-rcrit-779-3-cert.patch Type: text/x-diff Size: 19898 bytes Desc: not available URL: From mkosek at redhat.com Tue Jun 14 13:39:12 2011 
From: mkosek at redhat.com (Martin Kosek) Date: Tue, 14 Jun 2011 15:39:12 +0200 Subject: [Freeipa-devel] [PATCH] 799 The IP address provided to ipa-server-install must be local In-Reply-To: <4DF75A88.6080301@redhat.com> References: <4DF67603.5030508@redhat.com> <1308039954.22442.14.camel@dhcp-25-52.brq.redhat.com> <4DF75A88.6080301@redhat.com> Message-ID: <1308058755.22442.18.camel@dhcp-25-52.brq.redhat.com> On Tue, 2011-06-14 at 08:56 -0400, Rob Crittenden wrote: > Martin Kosek wrote: > > On Mon, 2011-06-13 at 16:41 -0400, Rob Crittenden wrote: > >> Compare the configured interfaces with the supplied IP address and > >> optional netmask to determine if the interface is available. > >> > >> Note the subtle change when comparing addresses. We have two object > >> types, IPNetwork and IPAddress. We should only compare addresses when we > >> don't have an IPNetwork otherwise we can end up comparing an address to > >> an object with a netmask and get a bad result. > >> > >> https://fedorahosted.org/freeipa/ticket/1175 > > > > NACK. > > > > 1) This breaks ipa-replica-prepare: > > > > # ipa-replica-prepare vm-046.idm.lab.bos.redhat.com > > --ip-address=10.16.78.46 > > Usage: ipa-replica-prepare [options] FQDN (e.g. replica.example.com) > > > > ipa-replica-prepare: error: option --ip-address: invalid IP address > > 10.16.78.46: No network interface matches the provided IP address and > > netmask > > > > Actually, this is not your fault, we just don't use IP address checking > > in IPAOptionParser correctly. --ip-address option in ipa-replica-prepare > > has type "ipnet" which is validated by the CheckedIPAddress. As > > match_local defaults to True, your new exception is raised. > > Ok, but is 10.16.78.46 a configured network interface? It is the IP address of the new replica, i.e. it's not a local network interface address. As I wrote, the problem is in the type of the --ip-address option in ipa-replica-prepare. You can check Honza's mail for an implementation hint. 
Martin > > > > > I think we need 2 new option types for IPAOptionParser such as "iplocal" > > and "ipnetlocal" which would be used for --ip-address option in > > ipa-server-install or ipa-dns-install and which would use > > match_local=True. Current types "ip" and "ipnet" should use > > match_local=False. > > > > 2) CheckedIPAddress functionality (i.e. this fix) is neither in ipa-2-0 > > stable branch nor in RHEL 6.1. But this should be OK since it is > > targeted for RHEL 6.2. > > Right, I wasn't planning on pushing this to 2.0. > > rob From simo at redhat.com Tue Jun 14 13:42:35 2011 From: simo at redhat.com (Simo Sorce) Date: Tue, 14 Jun 2011 09:42:35 -0400 Subject: [Freeipa-devel] [PATCH] 798 Fix indirect member calculation In-Reply-To: <1308034014.22442.1.camel@dhcp-25-52.brq.redhat.com> References: <4DF668E2.6020903@redhat.com> <4DF68595.6040305@redhat.com> <4DF696A8.4040704@redhat.com> <4DF6A4A9.3000901@redhat.com> <4DF6D557.4000202@redhat.com> <1308022665.3182.7.camel@willson.li.ssimo.org> <1308034014.22442.1.camel@dhcp-25-52.brq.redhat.com> Message-ID: <1308058955.3182.14.camel@willson.li.ssimo.org> On Tue, 2011-06-14 at 08:46 +0200, Martin Kosek wrote: > IIRC the algorithms for circular groups processing are already > implemented in SSSD, so we don't have to reinvent the wheel and let us > get some inspiration there :-) They are not very efficient and we have some ideas on how to improve the situation already, but yeah nothing impossible. Simo. -- Simo Sorce * Red Hat, Inc * New York From edewata at redhat.com Tue Jun 14 13:44:05 2011 
From: edewata at redhat.com (Endi Sukma Dewata) Date: Tue, 14 Jun 2011 08:44:05 -0500 Subject: [Freeipa-devel] [PATCH] 798 Fix indirect member calculation In-Reply-To: <4DF6D557.4000202@redhat.com> References: <4DF668E2.6020903@redhat.com> <4DF68595.6040305@redhat.com> <4DF696A8.4040704@redhat.com> <4DF6A4A9.3000901@redhat.com> <4DF6D557.4000202@redhat.com> Message-ID: <4DF765A5.7090809@redhat.com>

On 6/13/2011 10:28 PM, Rob Crittenden wrote:
> Endi Sukma Dewata wrote:
>> NACK. If there's a circular membership the code will run into an
>> infinite loop. Here's a test scenario:
>>
>> Group 1 has 2 members: group 2 and group 3.
>> Group 2 is a member of group 3.
>> Group 3 is a member of group 2.
>> Run ipa group-show on group 1, the command doesn't return until it's
>> killed.
> I think the solution will be to deny creating circular groups.

It might be possible to avoid an infinite loop this way:

    for member in checkmembers:

        (result, truncated) = self.find_entries(...)

        for m in result[0][1].get('member', []):

            # make sure the member is only added once
            if m in checkmembers:
                continue

            checkmembers.append(m)

-- Endi S. Dewata

From rcritten at redhat.com Tue Jun 14 13:46:55 2011 
From: rcritten at redhat.com (Rob Crittenden) Date: Tue, 14 Jun 2011 09:46:55 -0400 Subject: [Freeipa-devel] [PATCH] 798 Fix indirect member calculation In-Reply-To: <4DF765A5.7090809@redhat.com> References: <4DF668E2.6020903@redhat.com> <4DF68595.6040305@redhat.com> <4DF696A8.4040704@redhat.com> <4DF6A4A9.3000901@redhat.com> <4DF6D557.4000202@redhat.com> <4DF765A5.7090809@redhat.com> Message-ID: <4DF7664F.8000708@redhat.com>

Endi Sukma Dewata wrote:
> On 6/13/2011 10:28 PM, Rob Crittenden wrote:
>> Endi Sukma Dewata wrote:
>>> NACK. If there's a circular membership the code will run into an
>>> infinite loop. Here's a test scenario:
>>>
>>> Group 1 has 2 members: group 2 and group 3.
>>> Group 2 is a member of group 3.
>>> Group 3 is a member of group 2.
>>> Run ipa group-show on group 1, the command doesn't return until it's
>>> killed.
>
>> I think the solution will be to deny creating circular groups.
>
> It might be possible to avoid infinite loop this way:
>
>     for member in checkmembers:
>
>         (result, truncated) = self.find_entries(...)
>
>         for m in result[0][1].get('member', []):
>
>             # make sure the member is only added once
>             if m in checkmembers:
>                 continue
>
>             checkmembers.append(m)
>

I came to the same conclusion but I did:

    if m not in checkmembers:
        checkmembers.append(m)

Updated patch attached

rob

-------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-rcrit-798-3-indirect.patch Type: text/x-diff Size: 18488 bytes Desc: not available URL: From rcritten at redhat.com Tue Jun 14 14:10:15 2011 
From: rcritten at redhat.com (Rob Crittenden) Date: Tue, 14 Jun 2011 10:10:15 -0400 Subject: [Freeipa-devel] [PATCH] 799 The IP address provided to ipa-server-install must be local In-Reply-To: <1308058755.22442.18.camel@dhcp-25-52.brq.redhat.com> References: <4DF67603.5030508@redhat.com> <1308039954.22442.14.camel@dhcp-25-52.brq.redhat.com> <4DF75A88.6080301@redhat.com> <1308058755.22442.18.camel@dhcp-25-52.brq.redhat.com> Message-ID: <4DF76BC7.6080302@redhat.com> Martin Kosek wrote: > On Tue, 2011-06-14 at 08:56 -0400, Rob Crittenden wrote: >> Martin Kosek wrote: >>> On Mon, 2011-06-13 at 16:41 -0400, Rob Crittenden wrote: >>>> Compare the configured interfaces with the supplied IP address and >>>> optional netmask to determine if the interface is available. >>>> >>>> Note the subtle change when comparing addresses. We have two object >>>> types, IPNetwork and IPAddress. We should only compare addresses when we >>>> don't have an IPNetwork otherwise we can end up comparing an address to >>>> an object with a netmask and get a bad result. >>>> >>>> https://fedorahosted.org/freeipa/ticket/1175 >>> >>> NACK. >>> >>> 1) This breaks ipa-replica-prepare: >>> >>> # ipa-replica-prepare vm-046.idm.lab.bos.redhat.com >>> --ip-address=10.16.78.46 >>> Usage: ipa-replica-prepare [options] FQDN (e.g. replica.example.com) >>> >>> ipa-replica-prepare: error: option --ip-address: invalid IP address >>> 10.16.78.46: No network interface matches the provided IP address and >>> netmask >>> >>> Actually, this is not your fault, we just don't use IP address checking >>> in IPAOptionParser correctly. --ip-address option in ipa-replica-prepare >>> has type "ipnet" which is validated by the CheckedIPAddress. As >>> match_local defaults to True, your new exception is raised. >> >> Ok, but is 10.16.78.46 a configured network interface? > > It is an IP address of new replica, i.e. its not a local network > interface address. 
As I written, the problem is in a type of > --ip-address option in ipa-replica-prepare. You can check Honza's mail > for implementation hint. Ah, prepare. I tested with an existing replica file... Well, I wonder if an easier fix would be to set match_local=False by default and specifically ask to match_local when we want. > > Martin > >> >>> >>> I think we need 2 new option types for IPAOptionParser such as "iplocal" >>> and "ipnetlocal" which would be used for --ip-address option in >>> ipa-server-install or ipa-dns-install and which would use >>> match_local=True. Current types "ip" and "ipnet" should use >>> match_local=False. >>> >>> 2) CheckedIPAddress functionality (i.e. this fix) is neither in ipa-2-0 >>> stable branch nor in RHEL 6.1. But this should be OK since it is >>> targeted for RHEL 6.2. >> >> Right, I wasn't planning on pushing this to 2.0. >> >> rob > > From jcholast at redhat.com Tue Jun 14 14:57:02 2011 From: jcholast at redhat.com (Jan Cholasta) Date: Tue, 14 Jun 2011 16:57:02 +0200 Subject: [Freeipa-devel] [PATCH] 22 Improve IP address handling in the host-add command Message-ID: <4DF776BE.6060601@redhat.com> This patch enables the user to specify netmasks in the --ip-address option of host-add. They're used for proper DNS reverse zone and PTR record creation. Also the IP addresses are more strictly checked (just like in the install scripts). https://fedorahosted.org/freeipa/ticket/1234 -- Jan Cholasta -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-jcholast-22-host-add-ip.patch Type: text/x-patch Size: 5128 bytes Desc: not available URL: From kybaker at redhat.com Tue Jun 14 15:47:14 2011 
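To make the IPNetwork/IPAddress distinction and the match_local switch from the patch 799 thread concrete, here is an added example written against Python's stdlib ipaddress module. It is not FreeIPA's CheckedIPAddress or IPAOptionParser code: it uses a constructed interface table in place of what the installer reads from the system, and the names LOCAL_INTERFACES, parse_ip and check_ip are assumptions. An address supplied with a netmask is only matched when both the address and the network agree; a bare address is compared to interface addresses only; match_local=False keeps the syntax check but skips the interface match, which is what the ipa-replica-prepare case needs.

```python
"""Local-interface check for an installer --ip-address value.

Added example, not FreeIPA code. The interface table below is constructed
and hypothetical; on a real host it would come from the system.
"""
import ipaddress

# Constructed sample of configured interfaces: (name, address with netmask).
LOCAL_INTERFACES = [
    ("lo",   ipaddress.ip_interface("127.0.0.1/8")),
    ("eth0", ipaddress.ip_interface("192.0.2.10/24")),
    ("eth1", ipaddress.ip_interface("2001:db8::10/64")),
]


def parse_ip(text):
    """Parse text into an object carrying a netmask (like IPNetwork) when one
    was given, otherwise into a plain address (like IPAddress).

    Raises ValueError for anything that is not a valid address, so the caller
    (an option parser, say) handles the error rather than getting None back.
    """
    if "/" in text:
        return ipaddress.ip_interface(text)
    return ipaddress.ip_address(text)


def check_ip(text, interfaces=LOCAL_INTERFACES, match_local=True):
    """Validate text and, when match_local is set, require a configured
    interface to match it.

    Returns the matching interface name, or None when match_local is False.
    Raises ValueError for a malformed address or, with match_local, when no
    interface matches.
    """
    candidate = parse_ip(text)
    if not match_local:
        return None

    has_netmask = isinstance(candidate, (ipaddress.IPv4Interface,
                                         ipaddress.IPv6Interface))
    for name, iface in interfaces:
        if has_netmask:
            # Netmask supplied: the address and the network must both agree.
            if iface.ip == candidate.ip and iface.network == candidate.network:
                return name
        else:
            # No netmask: compare addresses only. Comparing a bare address to
            # an interface object (address + netmask) is False even when the
            # address is the same, which is the "bad result" the thread warns about.
            if iface.ip == candidate:
                return name

    raise ValueError(
        "invalid IP address %s: No network interface matches the provided "
        "IP address and netmask" % text)


if __name__ == "__main__":
    print(check_ip("192.0.2.10"))            # eth0
    print(check_ip("192.0.2.10/24"))         # eth0
    print(check_ip("10.16.78.46", match_local=False))  # None: syntax only
```

The split of the netmask and no-netmask branches is the whole point: a single `==` between a bare address and an interface object silently fails, so an installer would reject a perfectly good local address.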
From: kybaker at redhat.com (Kyle Baker) Date: Tue, 14 Jun 2011 11:47:14 -0400 (EDT) Subject: [Freeipa-devel] [PATCH] 0017-List-page-spacing-changes In-Reply-To: <1711079319.14108.1308066273980.JavaMail.root@zmail05.collab.prod.int.phx2.redhat.com> Message-ID: <158825861.14164.1308066434956.JavaMail.root@zmail05.collab.prod.int.phx2.redhat.com> Endi, Adjusted the spacing on the patch Endi merged. Kyle Baker Visual Designer Desk - 978 392 3116 IRC - kylebaker -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-kylebaker-0017-List-page-spacing-changes.patch Type: text/x-patch Size: 675334 bytes Desc: not available URL: From edewata at redhat.com Tue Jun 14 15:58:50 2011 From: edewata at redhat.com (Endi Sukma Dewata) Date: Tue, 14 Jun 2011 10:58:50 -0500 Subject: [Freeipa-devel] [PATCH] 176 Fixed tab navigation. In-Reply-To: <4DF6AFE0.3020002@redhat.com> References: <4DF69D1F.2070403@redhat.com> <4DF6AFE0.3020002@redhat.com> Message-ID: <4DF7853A.9010409@redhat.com> On 6/13/2011 7:48 PM, Adam Young wrote: > On 06/13/2011 07:28 PM, Endi Sukma Dewata wrote: >> The buttons were previously skipped during tab navigation because >> they do not have an href attribute. The IPA.button has been fixed >> to always provide an href attribute. >> >> Ticket #983 > ACK. Pushed to master. -- Endi S. Dewata From ayoung at redhat.com Tue Jun 14 16:41:15 2011 From: ayoung at redhat.com (Adam Young) Date: Tue, 14 Jun 2011 12:41:15 -0400 Subject: [Freeipa-devel] [PATCH] 0235-dns-multiple-records Message-ID: <4DF78F2B.8060708@redhat.com> https://fedorahosted.org/freeipa/ticket/1319 -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-admiyo-0235-dns-multiple-records.patch Type: text/x-patch Size: 10000 bytes Desc: not available URL: From edewata at redhat.com Tue Jun 14 17:16:49 2011 
From: edewata at redhat.com (Endi Sukma Dewata)
Date: Tue, 14 Jun 2011 12:16:49 -0500
Subject: [Freeipa-devel] [PATCH] 798 Fix indirect member calculation
In-Reply-To: <4DF7664F.8000708@redhat.com>
References: <4DF668E2.6020903@redhat.com> <4DF68595.6040305@redhat.com> <4DF696A8.4040704@redhat.com> <4DF6A4A9.3000901@redhat.com> <4DF6D557.4000202@redhat.com> <4DF765A5.7090809@redhat.com> <4DF7664F.8000708@redhat.com>
Message-ID: <4DF79781.7020303@redhat.com>

On 6/14/2011 8:46 AM, Rob Crittenden wrote:
> Endi Sukma Dewata wrote:
>> On 6/13/2011 10:28 PM, Rob Crittenden wrote:
>>> Endi Sukma Dewata wrote:
>>>> NACK. If there's a circular membership the code will run into an
>>>> infinite loop. Here's a test scenario:
>>>>
>>>> Group 1 has 2 members: group 2 and group 3.
>>>> Group 2 is a member of group 3.
>>>> Group 3 is a member of group 2.
>>>> Run ipa group-show on group 1, the command doesn't return until it's
>>>> killed.
>>
>>> I think the solution will be to deny creating circular groups.
>>
>> It might be possible to avoid infinite loop this way:
>>
>> for member in checkmembers:
>>
>>     (result, truncated) = self.find_entries(...)
>>
>>     for m in result[0][1].get('member', []):
>>
>>         # make sure the member is only added once
>>         if m in checkmembers:
>>             continue
>>
>>         checkmembers.append(m)
>
> I came to the same conclusion but I did:
>
>     if m not in checkmembers:
>         checkmembers.append(m)
>
> Updated patch attached

ACK and pushed to master.

-- 
Endi S. Dewata

From nalin at dahyabhai.net Tue Jun 14 17:33:03 2011
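The cycle-safe membership expansion agreed on in this thread (and reprised in Rob's "pushed to ipa-2-0" follow-up below), as an added example that is not FreeIPA's group plugin code. The directory is a constructed dict keyed by DN, find_members stands in for self.find_entries(...), and the pre-fix behaviour is included with a lookup cap so the runaway can be demonstrated without actually hanging.

```python
# Constructed in-memory directory: entry DN -> its direct 'member' values.
# Mirrors the scenario from the thread: group 1 contains groups 2 and 3,
# while groups 2 and 3 contain each other.  All DNs are made up.
BASE = "cn=accounts,dc=example,dc=com"
DIRECTORY = {
    "cn=group1,cn=groups," + BASE: ["cn=group2,cn=groups," + BASE,
                                    "cn=group3,cn=groups," + BASE,
                                    "uid=alice,cn=users," + BASE],
    "cn=group2,cn=groups," + BASE: ["cn=group3,cn=groups," + BASE,
                                    "uid=bob,cn=users," + BASE],
    "cn=group3,cn=groups," + BASE: ["cn=group2,cn=groups," + BASE,
                                    "uid=carol,cn=users," + BASE],
}


def find_members(dn):
    """Stand-in for self.find_entries(...): the entry's 'member' values, or []."""
    return list(DIRECTORY.get(dn, []))


def indirect_members(dn, lookup=find_members, max_lookups=10000):
    """Return (direct, indirect) member DNs of `dn`.

    `checkmembers` is both the work list and the visited set: a DN is
    appended only if it is not already there, so a membership cycle adds
    nothing new and the loop terminates.  `max_lookups` is a belt-and-braces
    guard that turns any remaining runaway into an error instead of a hang.
    """
    direct = lookup(dn)
    checkmembers = list(direct)
    indirect = []
    lookups = 0
    for member in checkmembers:          # the list grows while we iterate
        lookups += 1
        if lookups > max_lookups:
            raise RuntimeError("membership expansion of %s exceeded %d lookups"
                               % (dn, max_lookups))
        for m in lookup(member):
            if m not in checkmembers:
                checkmembers.append(m)
            # The entry itself is not reported as its own indirect member.
            if m != dn and m not in direct and m not in indirect:
                indirect.append(m)
    return direct, indirect


def indirect_members_unguarded(dn, lookup=find_members, max_lookups=50):
    """The pre-fix behaviour: every member found is appended again, so the
    group2 <-> group3 cycle grows the work list forever.  Capped with
    `max_lookups` so it raises instead of hanging when demonstrated."""
    checkmembers = lookup(dn)
    lookups = 0
    for member in checkmembers:
        lookups += 1
        if lookups > max_lookups:
            raise RuntimeError("infinite loop detected after %d lookups" % max_lookups)
        checkmembers.extend(lookup(member))
    return checkmembers


def hangs_without_guard(dn):
    """True if the pre-fix expansion of `dn` runs away (caught by the cap)."""
    try:
        indirect_members_unguarded(dn)
    except RuntimeError:
        return True
    return False


if __name__ == "__main__":
    group1 = "cn=group1,cn=groups," + BASE
    direct, indirect = indirect_members(group1)
    print("direct:  ", direct)
    print("indirect:", indirect)
    print("pre-fix code would hang:", hangs_without_guard(group1))
```

The test scenario from the thread gives group 1 the direct members group 2, group 3 and alice, and the indirect members bob and carol; the same call on group 2 terminates as well even though group 2 is part of the cycle.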
From: nalin at dahyabhai.net (Nalin Dahyabhai) Date: Tue, 14 Jun 2011 13:33:03 -0400 Subject: [Freeipa-devel] [PATCH] Select a server with a CA on it when submitting signing requests. Message-ID: <20110614173303.GA4985@redhat.com> This is a stab at fixing #1252 - teaching the RA to handle cases where the local server isn't a CA. When the RA is about to submit a signing request to a CA, it currently assumes that the CA is colocated. This modifies its behavior so that the first time it needs to submit a signing request, it: 1. Checks if the configured ca_host is actually a CA. If it is, use it. 2. Checks if the local host (if it's not also the configured ca_host) is a CA. If it is, use it. 3. Checks if there are any CAs in the domain. If there are, select one of them at random and use it. 4. Give up, behave as before, and let the error we previously would have gotten for trying to submit a signing request to a non-CA happen. Nalin -------------- next part -------------- >From 373fd1a878f39361a33c58e7ccf6057159d203be Mon Sep 17 00:00:00 2001 From: Nalin Dahyabhai Date: Wed, 8 Jun 2011 11:09:28 -0400 Subject: [PATCH] Select a server with a CA on it when submitting signing requests. When the RA is about to submit a signing request to a CA, check if the ca_host is actually a CA. If it isn't, and it isn't the local host, check if the local host is a CA. If that doesn't work, try to select a CA host at random. If there aren't any, just give up and pretend the ca_host is a CA so that we can fail to connect to it, as we would have before. Ticket #1252. --- ipaserver/plugins/dogtag.py | 68 +++++++++++++++++++++++++++++++++++++++++-- 1 files changed, 65 insertions(+), 3 deletions(-) diff --git a/ipaserver/plugins/dogtag.py b/ipaserver/plugins/dogtag.py index 8563848..d1234a0 100644 --- a/ipaserver/plugins/dogtag.py +++ b/ipaserver/plugins/dogtag.py 
@@ -1196,7 +1196,7 @@ from ipalib import api, SkipPluginModule if api.env.ra_plugin != 'dogtag': # In this case, abort loading this plugin module... raise SkipPluginModule(reason='dogtag not selected as RA plugin') -import os +import os, random, ldap from ipaserver.plugins import rabase from ipalib.errors import NetworkError, CertificateOperationError from ipalib.constants import TYPE_ERROR @@ -1218,6 +1218,7 @@ class ra(rabase.rabase): self.ipa_key_size = "2048" self.ipa_certificate_nickname = "ipaCert" self.ca_certificate_nickname = "caCert" + self.ca_host = None try: f = open(self.pwd_file, "r") self.password = f.readline().strip() 
@@ -1226,6 +1227,63 @@ class ra(rabase.rabase): self.password = '' super(ra, self).__init__() + def _host_has_service(self, host, service='CA'): + """ + :param host: A host which might be a master for a service. + :param service: The service for which the host might be a master. + :return: (true, false) + + Check if a specified host is a master for a specified service. + """ + base_dn = 'cn=%s,cn=masters,cn=ipa,cn=etc,%s' % (host, api.env.basedn) + filter = '(&(objectClass=ipaConfigObject)(cn=%s)(ipaConfigString=enabledService))' % service + try: + ldap2 = self.api.Backend.ldap2 + ent,trunc = ldap2.find_entries(filter=filter, base_dn=base_dn) + if len(ent): + return True + except Exception, e: + pass + return False + + def _select_any_master(self, service='CA'): + """ + :param service: The service for which we're looking for a master. + :return: host + as str + + Select any host which is a master for a specified service. + """ + base_dn = 'cn=masters,cn=ipa,cn=etc,%s' % api.env.basedn + filter = '(&(objectClass=ipaConfigObject)(cn=%s)(ipaConfigString=enabledService))' % service + try: + ldap2 = self.api.Backend.ldap2 + ent,trunc = ldap2.find_entries(filter=filter, base_dn=base_dn) + if len(ent): + entry = random.choice(ent) + return ldap.explode_dn(dn=entry[0],notypes=True)[1] + except Exception, e: + pass + return None + + def _select_ca(self): + """ + :return: host + as str + + Select our CA host. + """ + if self._host_has_service(host=api.env.ca_host): + return api.env.ca_host + if api.env.host != api.env.ca_host: + if self._host_has_service(host=api.env.host): + return api.env.host + host = self._select_any_master() + if host: + return host + else: + return api.env.ca_host + def _request(self, url, port, **kw): """ :param url: The URL to post to. 
@@ -1235,7 +1293,9 @@ class ra(rabase.rabase): Perform an HTTP request. """ - return dogtag.http_request(self.env.ca_host, port, url, **kw) + if self.ca_host == None: + self.ca_host = self._select_ca() + return dogtag.http_request(self.ca_host, port, url, **kw) def _sslget(self, url, port, **kw): """ @@ -1247,7 +1307,9 @@ class ra(rabase.rabase): Perform an HTTPS request """ - return dogtag.https_request(self.env.ca_host, port, url, self.sec_dir, self.password, self.ipa_certificate_nickname, **kw) + if self.ca_host == None: + self.ca_host = self._select_ca() + return dogtag.https_request(self.ca_host, port, url, self.sec_dir, self.password, self.ipa_certificate_nickname, **kw) def get_parse_result_xml(self, xml_text, parse_func): ''' -- 1.7.5.2 From rcritten at redhat.com Tue Jun 14 17:43:03 2011 
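Review bot: the first hunk replaces `import os` with `+import os, random, ldap`, three imports on one line, while the surrounding module imports one name per line; keep that style (`import os`, `import random`, `import ldap`). `ldap` is pulled in only for `ldap.explode_dn` in `_select_any_master`, which deserves a comment, since everything else in the module goes through `self.api.Backend.ldap2`.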
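Review bot: the new `self.ca_host = None` in `ra.__init__` (second hunk) is a lazily filled cache but nothing says so; add a comment that it is resolved on first use by `_select_ca()`. It also gives `self.ca_host` (the host actually chosen) a different meaning from `api.env.ca_host` (the configured value), which is easy to confuse when reading `_request` and `_sslget`.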
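Review bot: in `_host_has_service` and `_select_any_master` (third hunk) the bare `except Exception, e: pass` swallows every error, including an LDAP connection failure, so a transient directory outage makes both checks answer "no CA" and `_select_ca` silently falls back to `api.env.ca_host`; catch only the not-found case that `find_entries` raises and log anything else. The filter and base DN are built with `'(...(cn=%s)...)' % service` and `'cn=%s,cn=masters,...' % (host, api.env.basedn)` without escaping; today `host` comes from `api.env.ca_host`/`api.env.host`, but the helpers accept any string, so pass the values through `ldap.filter.escape_filter_chars` (and escape the DN component) before interpolating. Smaller points: `filter` shadows the builtin, and `ldap.explode_dn(dn=entry[0],notypes=True)[1]` relies on the entry DN being exactly `cn=<service>,cn=<host>,cn=masters,...`, which a comment should state.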
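Review bot: `if self.ca_host == None` in `_request` (fourth hunk) should be `if self.ca_host is None`. More importantly, once `_select_ca()` has chosen a host it is cached for the life of the `ra` object and never reconsidered, so if the randomly selected CA becomes unreachable every later request from this instance fails although other CAs exist; reset `self.ca_host = None` when `dogtag.http_request` raises `NetworkError` (already imported in this module) so the next request reselects.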
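Review bot: the `_sslget` hunk duplicates the two lines added to `_request` (`if self.ca_host == None:` / `self.ca_host = self._select_ca()`); factor the lazy lookup into one helper or property so the `is None` fix and any reset-on-failure handling only have to be applied once, and use `is None` here as well.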
From: rcritten at redhat.com (Rob Crittenden) Date: Tue, 14 Jun 2011 13:43:03 -0400 Subject: [Freeipa-devel] [PATCH] 075 Add ignore lists to migrate-ds command In-Reply-To: <1307706012.12662.6.camel@dhcp-25-52.brq.redhat.com> References: <1307104970.12835.12.camel@dhcp-25-52.brq.redhat.com> <4DF11B8C.4070309@redhat.com> <1307706012.12662.6.camel@dhcp-25-52.brq.redhat.com> Message-ID: <4DF79DA7.20808@redhat.com> Martin Kosek wrote: > On Thu, 2011-06-09 at 15:14 -0400, Rob Crittenden wrote: >> Martin Kosek wrote: >>> How to test: >>> 1) Create a custom DS instance with for example 60radius.ldif schema >>> present (as in the original report in ticket #1266) >>> 2) Populate DS with users/groups with custom unsupported object >>> class/attribute >>> 3) Try to migrate these users and groups to IPAv2. Only the enhanced >>> migrate-ds command should be successful: >>> >>> # ipa migrate-ds ldap://vm-102.idm.lab.bos.redhat.com:389 >>> --schema=RFC2307 --user-objectclass=posixAccount >>> --group-objectclass=posixgroup --user-container='ou=People' >>> --group-container='cn=Accounting Managers,ou=Groups' >>> --user-ignore-objectclass=radiusprofile,radiusclientprofile >>> --user-ignore-attribute=radiusclientsecret,radiusclientipaddress >>> >>> --- >>> When user migrates users/groups from an old DS instance, the >>> migration may fail on unsupported object classes and/or >>> relevant LDAP object attributes. >>> >>> This patch implements a support for object class and attribute >>> ignore lists that can be used to suppress these migration issues. >>> >>> Additionally, a redundant "dev/null" file is removed from git repo >>> (originally added in 26b0e8fc9809a4cd9f2f9a2281f0894e2e0f8db2). >>> >>> https://fedorahosted.org/freeipa/ticket/1266 >> >> This isn't applying to master, the blacklists hunk and I wasn't sure >> either where it should go. >> >> I did notice one general problem though: objectclasses should be treated >> case insensitive. >> >> rob > > I rebased the patch. 
Objectclasses and attributes were already treated
> case insensitively, so no change needed there.
>
> Martin

Ack, works as advertised.

rob

From rcritten at redhat.com Tue Jun 14 17:53:34 2011
From: rcritten at redhat.com (Rob Crittenden)
Date: Tue, 14 Jun 2011 13:53:34 -0400
Subject: [Freeipa-devel] [PATCH] 079 DNS installation fails when domain and host domain mismatch
In-Reply-To: <1307617123.27281.8.camel@dhcp-25-52.brq.redhat.com>
References: <1307617123.27281.8.camel@dhcp-25-52.brq.redhat.com>
Message-ID: <4DF7A01E.6060900@redhat.com>

Martin Kosek wrote:
> This patch depends on my patch 078. A special patch for stable branch
> attached.
>
> ---
>
> Create DNS domain for IPA server hostname first so that its forward
> record can be added. This results in 2 forward DNS zones created
> when server hostname doesn't equal server domain.
>
> https://fedorahosted.org/freeipa/ticket/1194

This looks ok, just a style question. By definition fqdn is fully-qualified, so is this necessary?

+ if '.' in self.fqdn:
+ self.host_domain = '.'.join(fqdn.split(".")[1:])
+ else:
+ self.host_domain = self.domain

The test will always be true, right?

rob

From rcritten at redhat.com Tue Jun 14 17:58:16 2011
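Review bot: the quoted hunk tests `self.fqdn` but splits `fqdn` (`'.'.join(fqdn.split(".")[1:])`); unless a local `fqdn` is bound in that scope this raises NameError, so both lines should use the same name. As Rob notes, an FQDN always contains a dot, so the `else` branch is dead as written; either drop it and document the assumption, or, if the intent is to tolerate a bare hostname, say so in a comment so the next reader does not remove it as unreachable.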
From: rcritten at redhat.com (Rob Crittenden) Date: Tue, 14 Jun 2011 13:58:16 -0400 Subject: [Freeipa-devel] [PATCH] 078 Improve DNS zone creation In-Reply-To: <1307621098.2613.253.camel@willson.li.ssimo.org> References: <1307611916.27281.3.camel@dhcp-25-52.brq.redhat.com> <1307621098.2613.253.camel@willson.li.ssimo.org> Message-ID: <4DF7A138.6090304@redhat.com> Simo Sorce wrote: > On Thu, 2011-06-09 at 11:31 +0200, Martin Kosek wrote: >> When a new DNS zone is being created a local hostname is set as a >> nameserver of the new zone. However, when the zone is created >> during ipa-replica-prepare, the the current master/replica doesn't >> have to be an IPA server with DNS support. This would lead to DNS >> zones with incorrect NS records as they wouldn't point to a valid >> name server. >> >> Now, a list of all master servers with DNS support is retrieved >> during DNS zone creation and added as NS records for a new DNS >> zone. >> >> https://fedorahosted.org/freeipa/ticket/1261 > > ACK, although I have not tested. > > Simo. > Ack as well From rcritten at redhat.com Tue Jun 14 17:59:33 2011 
From: rcritten at redhat.com (Rob Crittenden) Date: Tue, 14 Jun 2011 13:59:33 -0400 Subject: [Freeipa-devel] [PATCH] 788 remove automountinformation from automount dns In-Reply-To: <1307712033.12662.8.camel@dhcp-25-52.brq.redhat.com> References: <4DDAA9A7.6050302@redhat.com> <1307089734.12835.7.camel@dhcp-25-52.brq.redhat.com> <4DF10C8E.8060500@redhat.com> <1307712033.12662.8.camel@dhcp-25-52.brq.redhat.com> Message-ID: <4DF7A185.1060900@redhat.com> Martin Kosek wrote: > On Thu, 2011-06-09 at 14:10 -0400, Rob Crittenden wrote: >> Martin Kosek wrote: >>> On Mon, 2011-05-23 at 14:38 -0400, Rob Crittenden wrote: >>>> In an attempt to support multiple direct maps we always included the >>>> automountinformation in the key dn. This makes showing keys impossible a >>>> bit of a catch-22. You want to get the mount info but to get it you need >>>> the mount info. >>>> >>>> This patch drops requiring automountinfo but if provided it'll use it to >>>> make the dn. This way we can have backwards compatibility for any >>>> existing maps but going forward only direct maps will have the info in it. >>>> >>>> --key is still required when dealing with keys, no way around that >>>> without doing a major API change, migrating data, etc. >>>> >>>> ticket 1229 >>>> >>>> rob >>> >>> I tested this patch and from CLI perspective, it makes things better. I >>> think it is our best bet if we want to avoid major API changes and >>> migration nightmares. >>> >>> I have only few minor issues regarding the patch: >>> 1) API minor version has been bumped since this patch was out, it needs >>> a rebase >>> 2) check_key_uniqueness function needs to be fixed so that it doesn't >>> search only for key/info DNs. Otherwise, it doesn't detect some >>> duplicates which leads to inconvenient errors. 
For example when a >>> duplicate indirect map is added: >>> >>> # ipa automountkey-find default auto.master >>> Key: /- >>> Mount information: auto.direct >>> >>> Key: /usr/share >>> Mount information: auto.share >>> # ipa automountkey-add default auto.master --key=/usr/share --info=auto.share2 >>> ipa: ERROR: key named auto.master already exists >>> >>> Martin >>> >> >> Ok, I think this addresses your concern. >> >> rob > > Yes, it does. ACK from me, I think it works fine.I did a basic UI > testing, I didn't saw any problem there. > > Martin > pushed to master From rcritten at redhat.com Tue Jun 14 18:06:20 2011 
From: rcritten at redhat.com (Rob Crittenden) Date: Tue, 14 Jun 2011 14:06:20 -0400 Subject: [Freeipa-devel] [PATCH] 29 Raise DuplicateEntry Error when adding a duplicate sudo option In-Reply-To: <0D1AFB75-6A9B-40B0-848D-B6B08CC0A2B8@citrixonline.com> References: <2AE1C072-9099-44E1-A778-BB1A6F0AE955@citrixonline.com> <4DF101D9.6000209@redhat.com> <5AF8156E-C5D0-4B09-A279-4CD049AB54B6@citrixonline.com> <0D1AFB75-6A9B-40B0-848D-B6B08CC0A2B8@citrixonline.com> Message-ID: <4DF7A31C.4000403@redhat.com> JR Aquino wrote: > On Jun 10, 2011, at 3:11 PM, JR Aquino wrote: > >> On Jun 9, 2011, at 10:24 AM, Rob Crittenden wrote: >> >>> JR Aquino wrote: >>>> https://fedorahosted.org/freeipa/ticket/1277 >>>> >>>> Raise DuplicateEntry Error when adding a duplicate sudo option >>> >>> nack, this will still fail if no ipasudoopt is passed in. >>> >>> Also, is this case-sensitive? >> >> Yes, it is case sensitive (Example: sudoOption: env_keep+=SSH_AUTH_SOCK) >> >> Here is an adjusted patch to account for no ipasudoopt as well as an empty space. >> >> > > > Minor correction: Addressed the 1 character change needed to address #1276 > > Added notes to indicate this patch fixes: > #1276 (Removed option from Sudo rule message is displayed even when the given option doesn't exist.) > #1277 (Added option to Sudo rule message is displayed even when the given option already exists.) 
> #1308 (Internal error while removing sudorule option without "--sudooption")
>

NACK

$ ipa sudorule-add test
----------------------
Added sudo rule "test"
----------------------
  Rule name: test
  Enabled: TRUE
$ ipa sudorule-remove-option test --sudooption=foo
-----------------------
sudorule-remove-option:
-----------------------
  Rule name: test
ipa: ERROR: KeyError: 'ipasudoopt'
Traceback (most recent call last):
  File "/home/rcrit/redhat/freeipa-master/ipalib/cli.py", line 1141, in run
    sys.exit(api.Backend.cli.run(argv))
  File "/home/rcrit/redhat/freeipa-master/ipalib/cli.py", line 965, in run
    rv = cmd.output_for_cli(self.api.Backend.textui, result, *args, **options)
  File "/home/rcrit/redhat/freeipa-master/ipalib/plugins/sudorule.py", line 675, in output_for_cli
    textui.print_attribute('Sudo Options', result['result']['ipasudoopt'])
KeyError: 'ipasudoopt'
ipa: ERROR: an internal error has occurred

Is this legal?

$ ipa sudorule-add-option test --sudooption=foo
--------------------
sudorule-add-option:
--------------------
  Rule name: test
  Sudo Options: foo
$ ipa sudorule-add-option test --sudooption=foo
ipa: ERROR: This entry already exists
$ ipa sudorule-add-option test --sudooption=FOO
--------------------
sudorule-add-option:
--------------------
  Rule name: test
  Sudo Options: foo
  Sudo Options: FOO

I also noticed that ipasudoopt doesn't have a label and isn't shown in the rule by default.

From rcritten at redhat.com Tue Jun 14 18:12:37 2011
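The three behaviours Rob's transcript exercises (a KeyError when the rule has no ipasudoopt yet, a duplicate being refused, and a case-different value being accepted, which JR's later reply confirms is intended), as an added example in plain Python rather than the sudorule plugin's code. Rule entries are dicts standing in for LDAP entries, and the exception classes are defined here for the example; they are not ipalib's.

```python
class DuplicateEntry(Exception):
    """Option already present on the rule (ticket #1277)."""


class NotFound(Exception):
    """Option to remove is not on the rule (ticket #1276)."""


class RequirementError(Exception):
    """--sudooption missing or blank (ticket #1308)."""


def _normalise_option(option):
    # A missing or blank value used to reach the output stage and surface as
    # a KeyError; reject it up front with a clear error instead.
    if option is None or not option.strip():
        raise RequirementError("'sudooption' is required")
    return option.strip()


def sudorule_add_option(entry, option):
    """Add `option` to the rule's ipasudoopt list.

    The comparison is exact and case-sensitive: 'foo' and 'FOO' are distinct
    options, since sudoers option values are case-sensitive.
    """
    option = _normalise_option(option)
    current = entry.setdefault("ipasudoopt", [])   # key is absent on a fresh rule
    if option in current:
        raise DuplicateEntry("This entry already exists")
    current.append(option)
    return entry


def sudorule_remove_option(entry, option):
    """Remove `option`, reporting a real error rather than claiming success."""
    option = _normalise_option(option)
    current = entry.get("ipasudoopt", [])          # .get(), never entry['ipasudoopt']
    if option not in current:
        raise NotFound("sudo option %s not found on rule %s" % (option, entry["cn"]))
    current.remove(option)
    if not current:
        del entry["ipasudoopt"]
    return entry


def render(entry):
    """Mimic the CLI summary; tolerates a rule with no options at all."""
    lines = ["Rule name: %s" % entry["cn"]]
    for opt in entry.get("ipasudoopt", []):
        lines.append("Sudo Options: %s" % opt)
    return lines


def try_option(action, entry, option):
    """Run add/remove and report the outcome as a string (demo and tests)."""
    func = sudorule_add_option if action == "add" else sudorule_remove_option
    try:
        func(entry, option)
    except (DuplicateEntry, NotFound, RequirementError) as exc:
        return "%s: %s" % (type(exc).__name__, exc)
    return "ok"


if __name__ == "__main__":
    rule = {"cn": "test"}                      # constructed rule, as after sudorule-add
    print(try_option("remove", rule, "foo"))   # NotFound, not a KeyError
    print(try_option("add", rule, "foo"))      # ok
    print(try_option("add", rule, "foo"))      # DuplicateEntry
    print(try_option("add", rule, "FOO"))      # ok: case-sensitive
    print(try_option("add", rule, "   "))      # RequirementError
    print("\n".join(render(rule)))
```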
From: rcritten at redhat.com (Rob Crittenden) Date: Tue, 14 Jun 2011 14:12:37 -0400 Subject: [Freeipa-devel] [PATCH] 080 Add a list of managed hosts In-Reply-To: <1307975730.5021.8.camel@dhcp-25-52.brq.redhat.com> References: <1307975730.5021.8.camel@dhcp-25-52.brq.redhat.com> Message-ID: <4DF7A495.2060109@redhat.com> Martin Kosek wrote: > Enhance Host plugin to provide not only "Managed By" list but also > a list of managed hosts. The new list is generated only when --all > option is passed. > > https://fedorahosted.org/freeipa/ticket/993 ack From JR.Aquino at citrix.com Tue Jun 14 18:17:19 2011 From: JR.Aquino at citrix.com (JR Aquino) Date: Tue, 14 Jun 2011 18:17:19 +0000 Subject: [Freeipa-devel] [PATCH] 30 Display remaining external hosts when removing from sudorule In-Reply-To: <0BBF240A-C933-4469-A38B-CEB9AAF75783@citrixonline.com> References: <0BBF240A-C933-4469-A38B-CEB9AAF75783@citrixonline.com> Message-ID: On Jun 13, 2011, at 11:45 AM, wrote: > This small 2 line patch addresses 2 bugs: > https://fedorahosted.org/freeipa/ticket/1269 - (Remaining external hosts not displayed while removing one from a sudorule.) > https://fedorahosted.org/freeipa/ticket/1270 - (Removed external host is displayed in the output when "--all" switch is used) > It helps when a patch is actually attached. -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-jraquino-0030-Display-remaning-external-hosts-when-removing-from-sudorule.patch Type: application/octet-stream Size: 1238 bytes Desc: freeipa-jraquino-0030-Display-remaning-external-hosts-when-removing-from-sudorule.patch URL: From rcritten at redhat.com Tue Jun 14 18:26:40 2011 
From: rcritten at redhat.com (Rob Crittenden) Date: Tue, 14 Jun 2011 14:26:40 -0400 Subject: [Freeipa-devel] [PATCH] 22 Improve IP address handling in the host-add command In-Reply-To: <4DF776BE.6060601@redhat.com> References: <4DF776BE.6060601@redhat.com> Message-ID: <4DF7A7E0.5060206@redhat.com> Jan Cholasta wrote: > This patch enables the user to specify netmasks in the --ip-address > option of host-add. They're used for proper DNS reverse zone and PTR > record creation. Also the IP addresses are more strictly checked (just > like in the install scripts). > > https://fedorahosted.org/freeipa/ticket/1234 Do we want a reverse zone created automatically when a host is added? I think a warning that the reverse zone doesn't exist may be adequate. rob From rcritten at redhat.com Tue Jun 14 18:28:09 2011 
From: rcritten at redhat.com (Rob Crittenden) Date: Tue, 14 Jun 2011 14:28:09 -0400 Subject: [Freeipa-devel] [PATCH] 798 Fix indirect member calculation In-Reply-To: <4DF79781.7020303@redhat.com> References: <4DF668E2.6020903@redhat.com> <4DF68595.6040305@redhat.com> <4DF696A8.4040704@redhat.com> <4DF6A4A9.3000901@redhat.com> <4DF6D557.4000202@redhat.com> <4DF765A5.7090809@redhat.com> <4DF7664F.8000708@redhat.com> <4DF79781.7020303@redhat.com> Message-ID: <4DF7A839.2050605@redhat.com> Endi Sukma Dewata wrote: > On 6/14/2011 8:46 AM, Rob Crittenden wrote: >> Endi Sukma Dewata wrote: >>> On 6/13/2011 10:28 PM, Rob Crittenden wrote: >>>> Endi Sukma Dewata wrote: >>>>> NACK. If there's a circular membership the code will run into an >>>>> infinite loop. Here's a test scenario: >>>>> >>>>> Group 1 has 2 members: group 2 and group 3. >>>>> Group 2 is a member of group 3. >>>>> Group 3 is a member of group 2. >>>>> Run ipa group-show on group 1, the command doesn't return until it's >>>>> killed. >>> >>>> I think the solution will be to deny creating circular groups. >>> >>> It might be possible to avoid infinite loop this way: >>> >>> for member in checkmembers: >>> >>> (result, truncated) = self.find_entries(...) >>> >>> for m in result[0][1].get('member', []): >>> >>> # make sure the member is only added once >>> if m in checkmembers: >>> continue >>> >>> checkmembers.append(m) >> >> I came to the same conclusion but I did: >> >> if m not in checkmembers: >> checkmembers.append(m) >> >> Updated patch attached > > ACK and pushed to master. > pushed to ipa-2-0 as well From simo at redhat.com Tue Jun 14 18:54:19 2011 
From: simo at redhat.com (Simo Sorce) Date: Tue, 14 Jun 2011 14:54:19 -0400 Subject: [Freeipa-devel] [PATCH] 22 Improve IP address handling in the host-add command In-Reply-To: <4DF7A7E0.5060206@redhat.com> References: <4DF776BE.6060601@redhat.com> <4DF7A7E0.5060206@redhat.com> Message-ID: <1308077659.3182.35.camel@willson.li.ssimo.org> On Tue, 2011-06-14 at 14:26 -0400, Rob Crittenden wrote: > Jan Cholasta wrote: > > This patch enables the user to specify netmasks in the --ip-address > > option of host-add. They're used for proper DNS reverse zone and PTR > > record creation. Also the IP addresses are more strictly checked (just > > like in the install scripts). > > > > https://fedorahosted.org/freeipa/ticket/1234 > > Do we want a reverse zone created automatically when a host is added? I > think a warning that the reverse zone doesn't exist may be adequate. A warning is preferable as we may not be controlling that reverse zone. Simo. -- Simo Sorce * Red Hat, Inc * New York From JR.Aquino at citrix.com Tue Jun 14 19:03:13 2011 
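Jan's patch (earlier in this archive) uses the netmask given to host-add to pick the reverse zone and PTR record name, and this subthread settles on warning, rather than creating the zone, when it is absent. Both steps as an added example that is not FreeIPA's host or dns plugin code: Python's ipaddress module stands in for netaddr, only octet-aligned prefixes are handled, and the zone list, host name and addresses are constructed.

```python
import ipaddress


def reverse_zone_and_ptr(cidr):
    """Return (reverse zone name, PTR record name) for an IPv4 'addr/prefix'.

    The netmask decides how many leading octets form the zone, which is why
    host-add needs it: without one, 10.16.78.46 could belong to
    78.16.10.in-addr.arpa. or to 16.10.in-addr.arpa.  Only octet-aligned
    prefixes (/8, /16, /24) are handled here; classless (RFC 2317)
    delegation is out of scope for this example.
    """
    iface = ipaddress.ip_interface(cidr)
    if iface.version != 4:
        raise ValueError("IPv4 only in this example: %s" % cidr)
    prefix = iface.network.prefixlen
    if prefix not in (8, 16, 24):
        raise ValueError("netmask /%d is not on an octet boundary" % prefix)
    octets = str(iface.ip).split(".")
    n = prefix // 8
    zone = ".".join(reversed(octets[:n])) + ".in-addr.arpa."
    record = ".".join(reversed(octets[n:]))
    return zone, record


def plan_ptr_record(cidr, hostname, existing_zones):
    """Decide what to do about the PTR record for a new host.

    Following the thread's conclusion, a missing reverse zone is reported as
    a warning rather than created, since that zone may not be ours to manage.
    `existing_zones` stands in for the DNS zones the server already serves.
    """
    zone, record = reverse_zone_and_ptr(cidr)
    plan = {"zone": zone, "record": record, "target": hostname.rstrip(".") + "."}
    if zone in existing_zones:
        plan["action"] = "add"
    else:
        plan["action"] = "warn"
        plan["message"] = ("reverse zone %s does not exist; PTR record %s -> %s "
                           "was not created" % (zone, record, plan["target"]))
    return plan


if __name__ == "__main__":
    # Constructed zone list and host name; these names are made up.
    zones = {"example.com.", "2.0.192.in-addr.arpa."}
    for cidr in ("192.0.2.25/24", "192.0.2.25/16", "10.16.78.46/24"):
        print(cidr, plan_ptr_record(cidr, "host1.example.com", zones))
```

The same address with /24 and /16 lands in different zones, which is the ambiguity the netmask option removes; with /16 the zone is not in the constructed list, so the plan is a warning and the record name still tells the operator what to add by hand.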
From: JR.Aquino at citrix.com (JR Aquino) Date: Tue, 14 Jun 2011 19:03:13 +0000 Subject: [Freeipa-devel] [PATCH] 31 Correct behavior for sudorunasgroup vs sudorunasuser Message-ID: Adjustment to install/share/schema_compat.uldif to correctly assign sudorunasuser for both a user and group object respectively. The bug had to do with the compat plugin syntax needing to correctly identify the difference behind intent with the 'runas' attributes. The difference is handling is: Sudo allowing someone to run a command as a user, or any user in a _group_. vs Sudo allowing someone to run a command as their own user but with a different _Group_ or GUID. This is a very subtle difference that can be frustrating to configure / think about. I have added a patch to address new standard installs and updates. (This Fix is blocked by https://bugzilla.redhat.com/show_bug.cgi?id=713209) -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-jraquino-0031-Correct-behavior-for-sudorunasgroup-vs-sudorunasuser.patch Type: application/octet-stream Size: 1848 bytes Desc: freeipa-jraquino-0031-Correct-behavior-for-sudorunasgroup-vs-sudorunasuser.patch URL: From rcritten at redhat.com Tue Jun 14 19:04:30 2011 
From: rcritten at redhat.com (Rob Crittenden) Date: Tue, 14 Jun 2011 15:04:30 -0400 Subject: [Freeipa-devel] [PATCH] 30 Display remaining external hosts when removing from sudorule In-Reply-To: References: <0BBF240A-C933-4469-A38B-CEB9AAF75783@citrixonline.com> Message-ID: <4DF7B0BE.5070508@redhat.com> JR Aquino wrote: > On Jun 13, 2011, at 11:45 AM, wrote: > >> This small 2 line patch addresses 2 bugs: >> https://fedorahosted.org/freeipa/ticket/1269 - (Remaining external hosts not displayed while removing one from a sudorule.) >> https://fedorahosted.org/freeipa/ticket/1270 - (Removed external host is displayed in the output when "--all" switch is used) >> > > It helps when a patch is actually attached. > ack, pushed to ipa-2-0 and master rob From rcritten at redhat.com Tue Jun 14 21:03:42 2011 From: rcritten at redhat.com (Rob Crittenden) Date: Tue, 14 Jun 2011 17:03:42 -0400 Subject: [Freeipa-devel] [PATCH] Select a server with a CA on it when submitting signing requests. In-Reply-To: <20110614173303.GA4985@redhat.com> References: <20110614173303.GA4985@redhat.com> Message-ID: <4DF7CCAE.1000207@redhat.com> Nalin Dahyabhai wrote: > This is a stab at fixing #1252 - teaching the RA to handle cases where > the local server isn't a CA. > > When the RA is about to submit a signing request to a CA, it currently > assumes that the CA is colocated. This modifies its behavior so that > the first time it needs to submit a signing request, it: > > 1. Checks if the configured ca_host is actually a CA. If it is, use it. > 2. Checks if the local host (if it's not also the configured ca_host) > is a CA. If it is, use it. > 3. Checks if there are any CAs in the domain. If there are, select one > of them at random and use it. > 4. Give up, behave as before, and let the error we previously would > have gotten for trying to submit a signing request to a non-CA happen. > > Nalin Ack, pushed to master. rob From rcritten at redhat.com Tue Jun 14 21:41:28 2011 
From: rcritten at redhat.com (Rob Crittenden) Date: Tue, 14 Jun 2011 17:41:28 -0400 Subject: [Freeipa-devel] [PATCH] 792 Update translations In-Reply-To: <1307624168.27281.19.camel@dhcp-25-52.brq.redhat.com> References: <4DED129C.8090700@redhat.com> <1307624168.27281.19.camel@dhcp-25-52.brq.redhat.com> Message-ID: <4DF7D588.9060603@redhat.com> Martin Kosek wrote: > On Mon, 2011-06-06 at 13:47 -0400, Rob Crittenden wrote: >> Our translation files haven't been updated for a few months, this brings >> things up to date. It is intended for master only. >> >> All I did to generate this patch was to run make update-po in >> install/po. It is otherwise untouched by human hands. >> >> 4Mb of changes, 810 new messages, so this patch is huge, sorry. >> >> rob > > Eh, nice patch :-) Did you also pull new translations from Transifex? > John wrote a howto in a mail "Transifex i18n translation changes". > > Btw if we also want to update ipa-2-0 translations, it would need a > separate patch as those 2 branches have diverged. > > Martin > There are no new translations upstream. Once this is pushed we can push it to Transifex as well rob From edewata at redhat.com Tue Jun 14 21:41:45 2011 
From: edewata at redhat.com (Endi Sukma Dewata) Date: Tue, 14 Jun 2011 16:41:45 -0500 Subject: [Freeipa-devel] [PATCH] 0017-List-page-spacing-changes In-Reply-To: <158825861.14164.1308066434956.JavaMail.root@zmail05.collab.prod.int.phx2.redhat.com> References: <158825861.14164.1308066434956.JavaMail.root@zmail05.collab.prod.int.phx2.redhat.com> Message-ID: <4DF7D599.1000206@redhat.com> On 6/14/2011 10:47 AM, Kyle Baker wrote: > Endi, > Adjusted the spacing on the patch Endi merged. > > Kyle Baker > Visual Designer > Desk - 978 392 3116 > IRC - kylebaker I pushed patch #16 and #17 to master with some minor adjustments. You probably meant to remove the empty space between the page title and the buttons on the search page, but unfortunately it's causing the facet tabs and buttons to clash in the details page. So for now I had to skip this change: @@ -503,7 +503,7 @@ div.tabs { right: 0; bottom: 0; font-size: 10px; - margin: 0 10px 0; + margin: -40px 10px 0; } .entity-content div.content-buttons { Let's discuss how to address these issues tomorrow: - In the search page between the page title and the Add/Delete buttons there's an empty space because the facet tabs are hidden. - In the indirect association (member/member of) page there's an empty space between the facet tabs and the entry table because the Enroll/ Delete buttons are hidden. -- Endi S. Dewata From rcritten at redhat.com Tue Jun 14 21:52:39 2011 
From: rcritten at redhat.com (Rob Crittenden) Date: Tue, 14 Jun 2011 17:52:39 -0400 Subject: [Freeipa-devel] [PATCH] 801 Don't lose JSON decoding error Message-ID: <4DF7D827.7020900@redhat.com> Don't let a JSON error get lost in cascading errors. If a JSON decoding error was found we were still trying to call the XML-RPC function, losing the original error. https://fedorahosted.org/freeipa/ticket/1322 rob -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-rcrit-801-json.patch Type: text/x-diff Size: 1681 bytes Desc: not available URL: From edewata at redhat.com Tue Jun 14 22:08:06 2011 From: edewata at redhat.com (Endi Sukma Dewata) Date: Tue, 14 Jun 2011 17:08:06 -0500 Subject: [Freeipa-devel] [PATCH] 0017-List-page-spacing-changes In-Reply-To: <4DF7D599.1000206@redhat.com> References: <158825861.14164.1308066434956.JavaMail.root@zmail05.collab.prod.int.phx2.redhat.com> <4DF7D599.1000206@redhat.com> Message-ID: <4DF7DBC6.2070106@redhat.com> On 6/14/2011 4:41 PM, Endi Sukma Dewata wrote: > On 6/14/2011 10:47 AM, Kyle Baker wrote: >> Endi, >> Adjusted the spacing on the patch Endi merged. >> >> Kyle Baker >> Visual Designer >> Desk - 978 392 3116 >> IRC - kylebaker > > I pushed patch #16 and #17 to master with some minor adjustments. > > You probably meant to remove the empty space between the page title and > the buttons on the search page, but unfortunately it's causing the facet > tabs and buttons to clash in the details page. So for now I had to skip > this change: 
> > @@ -503,7 +503,7 @@ div.tabs { > right: 0; > bottom: 0; > font-size: 10px; > - margin: 0 10px 0; > + margin: -40px 10px 0; > } > > .entity-content div.content-buttons { > > Let's discuss how to address these issues tomorrow: > > - In the search page between the page title and the Add/Delete buttons > there's an empty space because the facet tabs are hidden. > > - In the indirect association (member/member of) page there's an empty > space between the facet tabs and the entry table because the Enroll/ > Delete buttons are hidden. Also in the main page of each entity the will be a space reserved for bread crumb which will be empty because there is no bread crumb on the main page. See https://fedorahosted.org/freeipa/ticket/1323. -- Endi S. Dewata From JR.Aquino at citrix.com Tue Jun 14 23:30:37 2011 
From: JR.Aquino at citrix.com (JR Aquino)
Date: Tue, 14 Jun 2011 23:30:37 +0000
Subject: [Freeipa-devel] [PATCH] 29 Raise DuplicateEntry Error when adding a duplicate sudo option
In-Reply-To: <4DF7A31C.4000403@redhat.com>
References: <2AE1C072-9099-44E1-A778-BB1A6F0AE955@citrixonline.com> <4DF101D9.6000209@redhat.com> <5AF8156E-C5D0-4B09-A279-4CD049AB54B6@citrixonline.com> <0D1AFB75-6A9B-40B0-848D-B6B08CC0A2B8@citrixonline.com> <4DF7A31C.4000403@redhat.com>
Message-ID: <7AFFCA25-0FC3-41AD-81CF-7E8D3F83171D@citrixonline.com>

On Jun 14, 2011, at 11:06 AM, Rob Crittenden wrote:

> JR Aquino wrote:
>> On Jun 10, 2011, at 3:11 PM, JR Aquino wrote:
>>
>>> On Jun 9, 2011, at 10:24 AM, Rob Crittenden wrote:
>>>
>>>> JR Aquino wrote:
>>>>> https://fedorahosted.org/freeipa/ticket/1277
>>>>>
>>>>> Raise DuplicateEntry Error when adding a duplicate sudo option
>>>>
>>>> nack, this will still fail if no ipasudoopt is passed in.
>>>>
>>>> Also, is this case-sensitive?
>>>
>>> Yes, it is case sensitive (Example: sudoOption: env_keep+=SSH_AUTH_SOCK)
>>>
>>> Here is an adjusted patch to account for no ipasudoopt as well as an empty space.
>>>
>>
>> Minor correction: Addressed the 1 character change needed to address #1276
>>
>> Added notes to indicate this patch fixes:
>> #1276 (Removed option from Sudo rule message is displayed even when the given option doesn't exist.)
>> #1277 (Added option to Sudo rule message is displayed even when the given option already exists.)
>> #1308 (Internal error while removing sudorule option without "--sudooption")
>>
>
> NACK
>
> $ ipa sudorule-add test
> ----------------------
> Added sudo rule "test"
> ----------------------
> Rule name: test
> Enabled: TRUE
> $ ipa sudorule-remove-option test --sudooption=foo
> -----------------------
> sudorule-remove-option:
> -----------------------
> Rule name: test
> ipa: ERROR: KeyError: 'ipasudoopt'
> Traceback (most recent call last):
>   File "/home/rcrit/redhat/freeipa-master/ipalib/cli.py", line 1141, in run
>     sys.exit(api.Backend.cli.run(argv))
>   File "/home/rcrit/redhat/freeipa-master/ipalib/cli.py", line 965, in run
>     rv = cmd.output_for_cli(self.api.Backend.textui, result, *args, **options)
>   File "/home/rcrit/redhat/freeipa-master/ipalib/plugins/sudorule.py", line 675, in output_for_cli
>     textui.print_attribute('Sudo Options', result['result']['ipasudoopt'])
> KeyError: 'ipasudoopt'
> ipa: ERROR: an internal error has occurred
>
> Is this legal?
>
> $ ipa sudorule-add-option test --sudooption=foo
> --------------------
> sudorule-add-option:
> --------------------
> Rule name: test
> Sudo Options: foo
> $ ipa sudorule-add-option test --sudooption=foo
> ipa: ERROR: This entry already exists
> $ ipa sudorule-add-option test --sudooption=FOO
> --------------------
> sudorule-add-option:
> --------------------
> Rule name: test
> Sudo Options: foo
> Sudo Options: FOO

This is legal ^ Or if you like double negatives, this is not illegal.

However, the only options that will be respected are listed:
http://www.gratisoft.us/sudo/man/1.8.1/sudoers.man.html in the SUDOERS
OPTIONS section. Some of the values can be singular like:
"sudoOption: !authenticate" which will allow you to run sudo without a
password or "sudoOption: iolog_dir=/var/log/sudo-playback"

>
> I also noticed that ipasudoopt doesn't have a label and isn't shown in the rule by default.

Here is a corrected patch to address the KeyError and the display issue.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-jraquino-0029-Raise-DuplicateEntry-Error-when-adding-a-duplicate.patch
Type: application/octet-stream
Size: 4309 bytes
Desc: freeipa-jraquino-0029-Raise-DuplicateEntry-Error-when-adding-a-duplicate.patch
URL:

From: edewata at redhat.com (Endi Sukma Dewata)
Date: Tue, 14 Jun 2011 18:32:33 -0500
Subject: [Freeipa-devel] [PATCH] 0235-dns-multiple-records
In-Reply-To: <4DF78F2B.8060708@redhat.com>
References: <4DF78F2B.8060708@redhat.com>
Message-ID: <4DF7EF91.6000107@redhat.com>

On 6/14/2011 11:41 AM, Adam Young wrote:
> https://fedorahosted.org/freeipa/ticket/1319

ACK and pushed to master.

--
Endi S. Dewata
From: jdennis at redhat.com (John Dennis)
Date: Tue, 14 Jun 2011 19:35:06 -0400
Subject: [Freeipa-devel] [PATCH 24/24] Add utility classes for handling DN's along with their, unittest.
Message-ID: <4DF7F02A.9090001@redhat.com>

This adds a new module and set of classes to ipalib for handling DN's.
Please see the module doc and class doc for full explanation.

Included is a very complete unit test for the module. At close to 900 lines
of code the unit test exercises just about every conceivable way these
objects can be used.

The module doc touches on some of the problems found in our existing code
which handles DN's, which this module is meant to provide fixes for. A more
complete write-up of the existing code issues will follow on the list.

Comments welcome of course.

Another patch will follow for commas in privileges. The test_role_plugin.py
unit test was modified to introduce a comma, but there were many failures
because of improper DN handling in the core code (as well as limitations of
the unit test framework). The next patch introduces a number of fixes, some
of which are dependent upon the use of the classes introduced here. With
the fixes in the next patch the test_role_plugin unit test once again fully
succeeds.

--
John Dennis
Looking to carve out IT costs?
www.redhat.com/carveoutcosts/

-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0024-Add-utility-classes-for-handling-DN-s-along-with-the.patch
Type: text/x-patch
Size: 73735 bytes
Desc: not available
URL:
From: rcritten at redhat.com (Rob Crittenden)
Date: Tue, 14 Jun 2011 21:36:41 -0400
Subject: [Freeipa-devel] [PATCH] 802 add message summary to sudorule
Message-ID: <4DF80CA9.8000301@redhat.com>

Some of the sudorule commands were missing a message summary.

ticket https://fedorahosted.org/freeipa/ticket/1255

rob

-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-rcrit-802-sudo.patch
Type: text/x-diff
Size: 1146 bytes
Desc: not available
URL:

From: rcritten at redhat.com (Rob Crittenden)
Date: Tue, 14 Jun 2011 22:05:13 -0400
Subject: [Freeipa-devel] [PATCH] 803 disallow revocation reason 7
Message-ID: <4DF81359.7000509@redhat.com>

Revocation reason 7 is undefined in the RFCs, disallow it.

https://fedorahosted.org/freeipa/ticket/1318

-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-rcrit-803-cert.patch
Type: text/x-diff
Size: 1022 bytes
Desc: not available
URL:
From: mkosek at redhat.com (Martin Kosek)
Date: Wed, 15 Jun 2011 08:40:49 +0200
Subject: [Freeipa-devel] [PATCH] 075 Add ignore lists to migrate-ds command
In-Reply-To: <4DF79DA7.20808@redhat.com>
References: <1307104970.12835.12.camel@dhcp-25-52.brq.redhat.com> <4DF11B8C.4070309@redhat.com> <1307706012.12662.6.camel@dhcp-25-52.brq.redhat.com> <4DF79DA7.20808@redhat.com>
Message-ID: <1308120051.11628.1.camel@dhcp-25-52.brq.redhat.com>

On Tue, 2011-06-14 at 13:43 -0400, Rob Crittenden wrote:
> Martin Kosek wrote:
> > On Thu, 2011-06-09 at 15:14 -0400, Rob Crittenden wrote:
> >> Martin Kosek wrote:
> >>> How to test:
> >>> 1) Create a custom DS instance with for example 60radius.ldif schema
> >>> present (as in the original report in ticket #1266)
> >>> 2) Populate DS with users/groups with custom unsupported object
> >>> class/attribute
> >>> 3) Try to migrate these users and groups to IPAv2. Only the enhanced
> >>> migrate-ds command should be successful:
> >>>
> >>> # ipa migrate-ds ldap://vm-102.idm.lab.bos.redhat.com:389
> >>> --schema=RFC2307 --user-objectclass=posixAccount
> >>> --group-objectclass=posixgroup --user-container='ou=People'
> >>> --group-container='cn=Accounting Managers,ou=Groups'
> >>> --user-ignore-objectclass=radiusprofile,radiusclientprofile
> >>> --user-ignore-attribute=radiusclientsecret,radiusclientipaddress
> >>>
> >>> ---
> >>> When user migrates users/groups from an old DS instance, the
> >>> migration may fail on unsupported object classes and/or
> >>> relevant LDAP object attributes.
> >>>
> >>> This patch implements support for object class and attribute
> >>> ignore lists that can be used to suppress these migration issues.
> >>>
> >>> Additionally, a redundant "dev/null" file is removed from git repo
> >>> (originally added in 26b0e8fc9809a4cd9f2f9a2281f0894e2e0f8db2).
> >>>
> >>> https://fedorahosted.org/freeipa/ticket/1266
> >>
> >> This isn't applying to master, the blacklists hunk and I wasn't sure
> >> either where it should go.
> >>
> >> I did notice one general problem though: objectclasses should be treated
> >> case insensitive.
> >>
> >> rob
> >
> > I rebased the patch. Objectclasses and attributes were already treated
> > case insensitively, so no change needed there.
> >
> > Martin
>
> Ack, works as advertised.
>
> rob

Pushed to master. IPA_API_VERSION_MINOR bumped up before the push as it was
changed during the review.

Martin

From: mkosek at redhat.com (Martin Kosek)
Date: Wed, 15 Jun 2011 09:04:24 +0200
Subject: [Freeipa-devel] [PATCH] 078 Improve DNS zone creation
In-Reply-To: <4DF7A138.6090304@redhat.com>
References: <1307611916.27281.3.camel@dhcp-25-52.brq.redhat.com> <1307621098.2613.253.camel@willson.li.ssimo.org> <4DF7A138.6090304@redhat.com>
Message-ID: <1308121467.11628.3.camel@dhcp-25-52.brq.redhat.com>

On Tue, 2011-06-14 at 13:58 -0400, Rob Crittenden wrote:
> Simo Sorce wrote:
> > On Thu, 2011-06-09 at 11:31 +0200, Martin Kosek wrote:
> >> When a new DNS zone is being created a local hostname is set as a
> >> nameserver of the new zone. However, when the zone is created
> >> during ipa-replica-prepare, the current master/replica doesn't
> >> have to be an IPA server with DNS support. This would lead to DNS
> >> zones with incorrect NS records as they wouldn't point to a valid
> >> name server.
> >>
> >> Now, a list of all master servers with DNS support is retrieved
> >> during DNS zone creation and added as NS records for a new DNS
> >> zone.
> >>
> >> https://fedorahosted.org/freeipa/ticket/1261
> >
> > ACK, although I have not tested.
> >
> > Simo.
> >
>
> Ack as well

Pushed to master.

Martin
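The migrate-ds ignore-list thread (patch 075) above says object classes and attributes are matched case-insensitively when they are dropped from a migrated entry. The following is an added example of that filtering, not the ipalib migrate-ds plugin; `parse_ignore_list`, `filter_entry` and `unsupported_objectclasses` are assumed names, and the entry and schema lists are constructed sample data. Dropping unknown object classes and attributes before the add is also what keeps a migration from copying attributes the target schema never defined, such as a RADIUS client secret.

```python
"""Added example, not FreeIPA's migrate-ds code: apply --user-ignore-objectclass
and --user-ignore-attribute style lists to an LDAP entry. Matching is
case-insensitive because LDAP attribute types and object class names are."""


def parse_ignore_list(value):
    """Split a comma-separated CLI value such as
    'radiusprofile,radiusclientprofile' into non-empty, stripped items."""
    return [item.strip() for item in value.split(",") if item.strip()]


def _lower_set(names):
    return {name.strip().lower() for name in names if name and name.strip()}


def filter_entry(entry, ignore_objectclasses=(), ignore_attributes=()):
    """Return a copy of entry (dict: attribute -> list of values) without the
    ignored attributes and without the ignored object class values. The
    source entry keeps whatever attribute-name case the old DS used."""
    ign_oc = _lower_set(ignore_objectclasses)
    ign_attr = _lower_set(ignore_attributes)
    filtered = {}
    for attr, values in entry.items():
        if attr.lower() in ign_attr:
            continue  # attribute dropped regardless of its case
        if attr.lower() == "objectclass":
            values = [v for v in values if v.lower() not in ign_oc]
        filtered[attr] = list(values)  # copy, never mutate the source
    return filtered


def unsupported_objectclasses(entry, supported):
    """Object classes still on the entry that the target schema lacks;
    these are what made the migration fail before the ignore lists."""
    sup = _lower_set(supported)
    ocs = next((v for k, v in entry.items() if k.lower() == "objectclass"), [])
    return [oc for oc in ocs if oc.lower() not in sup]


# Constructed sample entry from a hypothetical old DS with 60radius.ldif loaded.
SAMPLE_USER = {
    "uid": ["jdoe"],
    "cn": ["John Doe"],
    "objectClass": ["top", "person", "posixAccount", "radiusprofile"],
    "radiusClientSecret": ["s3cret"],
    "radiusClientIPAddress": ["192.0.2.10"],
}

# Constructed stand-in for the target schema's known object classes.
TARGET_OBJECTCLASSES = ["top", "person", "posixaccount", "inetorgperson"]


def migrate_sample():
    """Run the sample through the ignore lists from the command in the thread."""
    ign_oc = parse_ignore_list("radiusprofile,radiusclientprofile")
    ign_attr = parse_ignore_list("radiusclientsecret,radiusclientipaddress")
    return filter_entry(SAMPLE_USER, ign_oc, ign_attr)


if __name__ == "__main__":
    print("before:", unsupported_objectclasses(SAMPLE_USER, TARGET_OBJECTCLASSES))
    print("after: ", migrate_sample())
```

The case folding matters in both directions: an ignore list spelled `RadiusProfile` must still strip an entry whose value reads `radiusprofile`, and an entry whose attribute is stored as `radiusClientSecret` must still match the lower-case CLI value.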
From: mkosek at redhat.com (Martin Kosek)
Date: Wed, 15 Jun 2011 09:47:17 +0200
Subject: [Freeipa-devel] [PATCH] admiyo-0127-add-missing-files-in-rpm
In-Reply-To: <4D30A1E7.3060803@redhat.com>
References: <4D24CD19.8000503@redhat.com> <4D2587D0.9030502@redhat.com> <4D30A1E7.3060803@redhat.com>
Message-ID: <1308124040.11628.6.camel@dhcp-25-52.brq.redhat.com>

On Fri, 2011-01-14 at 14:20 -0500, Adam Young wrote:
> On 01/06/2011 04:13 AM, Pavel Zůna wrote:
> > On 2011-01-05 20:57, Adam Young wrote:
> >> Had to move some files around, and added to both Makefile.am and
> >> ipa.spec
> >>
> >>
> >
> > ACK.
> >
> > Pavel
> >
> > _______________________________________________
> > Freeipa-devel mailing list
> > Freeipa-devel at redhat.com
> > https://www.redhat.com/mailman/listinfo/freeipa-devel
> Pushed to master

NACK. This patch broke the build of master branch:

make[5]: Entering directory `/home/mkosek/freeipa/rpmbuild/BUILD/freeipa-2.0.90GIT058e3d0/install/ui'
make[5]: *** No rule to make target `FreeWay.otf', needed by `all-am'.  Stop.
make[5]: Leaving directory `/home/mkosek/freeipa/rpmbuild/BUILD/freeipa-2.0.90GIT058e3d0/install/ui'
make[4]: *** [all-recursive] Error 1
make[4]: Leaving directory `/home/mkosek/freeipa/rpmbuild/BUILD/freeipa-2.0.90GIT058e3d0/install/ui'
make[3]: *** [all-recursive] Error 1

Martin
From: mkosek at redhat.com (Martin Kosek)
Date: Wed, 15 Jun 2011 10:24:26 +0200
Subject: [Freeipa-devel] [PATCH] admiyo-0127-add-missing-files-in-rpm
References: <4D24CD19.8000503@redhat.com> <4D2587D0.9030502@redhat.com> <4D30A1E7.3060803@redhat.com>
Message-ID: <1308126269.11628.10.camel@dhcp-25-52.brq.redhat.com>

On Wed, 2011-06-15 at 09:47 +0200, Martin Kosek wrote:
> On Fri, 2011-01-14 at 14:20 -0500, Adam Young wrote:
> > On 01/06/2011 04:13 AM, Pavel Zůna wrote:
> > > On 2011-01-05 20:57, Adam Young wrote:
> > >> Had to move some files around, and added to both Makefile.am and
> > >> ipa.spec
> > >>
> > >>
> > >
> > > ACK.
> > >
> > > Pavel
> > >
> > Pushed to master
>
> NACK. This patch broke the build of master branch:
>
> make[5]: Entering directory
> `/home/mkosek/freeipa/rpmbuild/BUILD/freeipa-2.0.90GIT058e3d0/install/ui'
> make[5]: *** No rule to make target `FreeWay.otf', needed by `all-am'.
> Stop.
> make[5]: Leaving directory
> `/home/mkosek/freeipa/rpmbuild/BUILD/freeipa-2.0.90GIT058e3d0/install/ui'
> make[4]: *** [all-recursive] Error 1
> make[4]: Leaving directory
> `/home/mkosek/freeipa/rpmbuild/BUILD/freeipa-2.0.90GIT058e3d0/install/ui'
> make[3]: *** [all-recursive] Error 1
>
> Martin

I pointed my finger to incorrect patch, sorry Adam. The patch that broke the
master build is Kyle's "0017-List-page-spacing-changes"
(fb6f06d94dcfd664ba817ce61f84d600ee17c260).

Martin
From: mkosek at redhat.com (Martin Kosek)
Date: Wed, 15 Jun 2011 12:52:18 +0200
Subject: [Freeipa-devel] [PATCH] 080 Add a list of managed hosts
In-Reply-To: <4DF7A495.2060109@redhat.com>
References: <1307975730.5021.8.camel@dhcp-25-52.brq.redhat.com> <4DF7A495.2060109@redhat.com>
Message-ID: <1308135140.11628.13.camel@dhcp-25-52.brq.redhat.com>

On Tue, 2011-06-14 at 14:12 -0400, Rob Crittenden wrote:
> Martin Kosek wrote:
> > Enhance Host plugin to provide not only "Managed By" list but also
> > a list of managed hosts. The new list is generated only when --all
> > option is passed.
> >
> > https://fedorahosted.org/freeipa/ticket/993
>
> ack

Pushed to master. I didn't update unit tests with the new list, so I added
a fix for 2 unit tests to the patch before pushing.

Martin

From: mkosek at redhat.com (Martin Kosek)
Date: Wed, 15 Jun 2011 13:49:16 +0200
Subject: [Freeipa-devel] [PATCH] 081 Missing krbprincipalname when uid is not set
Message-ID: <1308138558.11628.14.camel@dhcp-25-52.brq.redhat.com>

When user_add command is executed without uid parameter filled, user
account is created without 'krbprincipalname' attribute. This renders
the user account unusable.

https://fedorahosted.org/freeipa/ticket/1279

-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-mkosek-081-missing-krbprincipalname-when-uid-is-not-set.patch
Type: text/x-patch
Size: 1262 bytes
Desc: not available
URL:
From: mkosek at redhat.com (Martin Kosek)
Date: Wed, 15 Jun 2011 14:28:29 +0200
Subject: [Freeipa-devel] [PATCH] 082 Add port 9443 to replica port checking
Message-ID: <1308140912.11628.15.camel@dhcp-25-52.brq.redhat.com>

Port 9443 (Agent secure port on PKI-CA) was missing. Additionally,
checked port descriptions case consistency fixed.

https://fedorahosted.org/freeipa/ticket/1321

-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-mkosek-082-add-port-9443-to-replica-port-checking.patch
Type: text/x-patch
Size: 1996 bytes
Desc: not available
URL:
From: mkosek at redhat.com (Martin Kosek)
Date: Wed, 15 Jun 2011 14:42:33 +0200
Subject: [Freeipa-devel] [PATCH] 079 DNS installation fails when domain and host domain mismatch
In-Reply-To: <4DF7A01E.6060900@redhat.com>
References: <1307617123.27281.8.camel@dhcp-25-52.brq.redhat.com> <4DF7A01E.6060900@redhat.com>
Message-ID: <1308141755.11628.17.camel@dhcp-25-52.brq.redhat.com>

On Tue, 2011-06-14 at 13:53 -0400, Rob Crittenden wrote:
> Martin Kosek wrote:
> > This patch depends on my patch 078. A special patch for stable branch
> > attached.
> >
> > ---
> >
> > Create DNS domain for IPA server hostname first so that its forward
> > record can be added. This results in 2 forward DNS zones created
> > when server hostname doesn't equal server domain.
> >
> > https://fedorahosted.org/freeipa/ticket/1194
>
> This looks ok, just a style question.
>
> by definition fqdn is fully-qualified so is this necessary?
>
> + if '.' in self.fqdn:
> + self.host_domain = '.'.join(fqdn.split(".")[1:])
> + else:
> + self.host_domain = self.domain
>
> The test will always be true, right?
>
> rob

It should be. Maybe I was overcautious in this place. Attaching updated
patches.

Martin

-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-mkosek-079-2-dns-host-domain-mismatch.patch
Type: text/x-patch
Size: 1928 bytes
Desc: not available
URL:

-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-mkosek-079-2-ipa-2-0.patch
Type: text/x-patch
Size: 1849 bytes
Desc: not available
URL:
From: mkosek at redhat.com (Martin Kosek)
Date: Wed, 15 Jun 2011 14:59:11 +0200
Subject: [Freeipa-devel] [PATCH] 801 Don't lose JSON decoding error
In-Reply-To: <4DF7D827.7020900@redhat.com>
References: <4DF7D827.7020900@redhat.com>
Message-ID: <1308142753.11628.18.camel@dhcp-25-52.brq.redhat.com>

On Tue, 2011-06-14 at 17:52 -0400, Rob Crittenden wrote:
> Don't let a JSON error get lost in cascading errors.
>
> If a JSON decoding error was found we were still trying to call the
> XML-RPC function, losing the original error.
>
> https://fedorahosted.org/freeipa/ticket/1322
>
> rob

Pushed to master, ipa-2-0.

Martin

From: mkosek at redhat.com (Martin Kosek)
Date: Wed, 15 Jun 2011 16:07:29 +0200
Subject: [Freeipa-devel] [PATCH] 802 add message summary to sudorule
In-Reply-To: <4DF80CA9.8000301@redhat.com>
References: <4DF80CA9.8000301@redhat.com>
Message-ID: <1308146851.11628.20.camel@dhcp-25-52.brq.redhat.com>

On Tue, 2011-06-14 at 21:36 -0400, Rob Crittenden wrote:
> Some of the sudorule commands were missing a message summary.
>
> ticket https://fedorahosted.org/freeipa/ticket/1255
>
> rob

ACK. I checked if any unit test is broken because of newly returned summary
field, but it's OK.

Pushed to master, ipa-2-0.

Martin

From: mkosek at redhat.com (Martin Kosek)
Date: Wed, 15 Jun 2011 16:45:46 +0200
Subject: [Freeipa-devel] [PATCH] 803 disallow revocation reason 7
In-Reply-To: <4DF81359.7000509@redhat.com>
References: <4DF81359.7000509@redhat.com>
Message-ID: <1308149149.11628.21.camel@dhcp-25-52.brq.redhat.com>

On Tue, 2011-06-14 at 22:05 -0400, Rob Crittenden wrote:
> Revocation reason 7 is undefined in the RFCs, disallow it.
>
> https://fedorahosted.org/freeipa/ticket/1318

ACK. Works fine.

Pushed to master, ipa-2-0.

Martin
From: rcritten at redhat.com (Rob Crittenden)
Date: Wed, 15 Jun 2011 11:03:12 -0400
Subject: [Freeipa-devel] [PATCH] 29 Raise DuplicateEntry Error when adding a duplicate sudo option
In-Reply-To: <7AFFCA25-0FC3-41AD-81CF-7E8D3F83171D@citrixonline.com>
References: <2AE1C072-9099-44E1-A778-BB1A6F0AE955@citrixonline.com> <4DF101D9.6000209@redhat.com> <5AF8156E-C5D0-4B09-A279-4CD049AB54B6@citrixonline.com> <0D1AFB75-6A9B-40B0-848D-B6B08CC0A2B8@citrixonline.com> <4DF7A31C.4000403@redhat.com> <7AFFCA25-0FC3-41AD-81CF-7E8D3F83171D@citrixonline.com>
Message-ID: <4DF8C9B0.1070202@redhat.com>

JR Aquino wrote:
> On Jun 14, 2011, at 11:06 AM, Rob Crittenden wrote:
>
>> JR Aquino wrote:
>>> On Jun 10, 2011, at 3:11 PM, JR Aquino wrote:
>>>
>>>> On Jun 9, 2011, at 10:24 AM, Rob Crittenden wrote:
>>>>
>>>>> JR Aquino wrote:
>>>>>> https://fedorahosted.org/freeipa/ticket/1277
>>>>>>
>>>>>> Raise DuplicateEntry Error when adding a duplicate sudo option
>>>>>
>>>>> nack, this will still fail if no ipasudoopt is passed in.
>>>>>
>>>>> Also, is this case-sensitive?
>>>>
>>>> Yes, it is case sensitive (Example: sudoOption: env_keep+=SSH_AUTH_SOCK)
>>>>
>>>> Here is an adjusted patch to account for no ipasudoopt as well as an empty space.
>>>>
>>>
>>> Minor correction: Addressed the 1 character change needed to address #1276
>>>
>>> Added notes to indicate this patch fixes:
>>> #1276 (Removed option from Sudo rule message is displayed even when the given option doesn't exist.)
>>> #1277 (Added option to Sudo rule message is displayed even when the given option already exists.)
>>> #1308 (Internal error while removing sudorule option without "--sudooption")
>>>
>>
>> NACK
>>
>> $ ipa sudorule-add test
>> ----------------------
>> Added sudo rule "test"
>> ----------------------
>> Rule name: test
>> Enabled: TRUE
>> $ ipa sudorule-remove-option test --sudooption=foo
>> -----------------------
>> sudorule-remove-option:
>> -----------------------
>> Rule name: test
>> ipa: ERROR: KeyError: 'ipasudoopt'
>> Traceback (most recent call last):
>>   File "/home/rcrit/redhat/freeipa-master/ipalib/cli.py", line 1141, in run
>>     sys.exit(api.Backend.cli.run(argv))
>>   File "/home/rcrit/redhat/freeipa-master/ipalib/cli.py", line 965, in run
>>     rv = cmd.output_for_cli(self.api.Backend.textui, result, *args, **options)
>>   File "/home/rcrit/redhat/freeipa-master/ipalib/plugins/sudorule.py", line 675, in output_for_cli
>>     textui.print_attribute('Sudo Options', result['result']['ipasudoopt'])
>> KeyError: 'ipasudoopt'
>> ipa: ERROR: an internal error has occurred
>>
>> Is this legal?
>>
>> $ ipa sudorule-add-option test --sudooption=foo
>> --------------------
>> sudorule-add-option:
>> --------------------
>> Rule name: test
>> Sudo Options: foo
>> $ ipa sudorule-add-option test --sudooption=foo
>> ipa: ERROR: This entry already exists
>> $ ipa sudorule-add-option test --sudooption=FOO
>> --------------------
>> sudorule-add-option:
>> --------------------
>> Rule name: test
>> Sudo Options: foo
>> Sudo Options: FOO
>
> This is legal ^ Or if you like double negatives, this is not illegal.
>
> However, the only options that will be respected are listed:
> http://www.gratisoft.us/sudo/man/1.8.1/sudoers.man.html in the SUDOERS
> OPTIONS section. Some of the values can be singular like:
> "sudoOption: !authenticate" which will allow you to run sudo without a
> password or "sudoOption: iolog_dir=/var/log/sudo-playback"
>
>>
>> I also noticed that ipasudoopt doesn't have a label and isn't shown in the rule by default.
>
> Here is a corrected patch to address the KeyError and the display issue.
>

A minor issue and a question.

The minor issue is you changed a couple of options from optional to
mandatory, which is fine, but we need to bump up the minor version in
VERSION (older clients otherwise could not send the string and blow things
up).

The question is, should we raise EmptyModList() when removing an option
that doesn't exist or NotFound(reason=_())? I think the second might be
more explanatory but might be harder to handle in scripts (how would you
distinguish between entry not found and option not found)?

rob
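The review thread above settles three behaviours for sudo rule options: a repeated value must raise DuplicateEntry, the comparison is case-sensitive (so `foo` and `FOO` may coexist), and the display code must not index `ipasudoopt` when no option has ever been set. The block below is an added example of those semantics on an in-memory rule; it is not FreeIPA's sudorule plugin. `SudoRule`, `show`, `raises` and the three exception classes are assumed names standing in for their ipalib counterparts, and for Rob's open question it picks `NotFound` when removing an option that is not set, which is one of the two choices he names, not the project's decision. From a defender's point of view the error paths matter because a misleading "option removed" message about a value such as `!authenticate` leaves the administrator believing a password-less rule is gone when it is still in force.

```python
"""Added example, not FreeIPA code: the add/remove semantics for sudo rule
options discussed in the review above, on an in-memory rule."""


class DuplicateEntry(Exception):
    """The option is already set on the rule (the #1277 case)."""


class NotFound(Exception):
    """The option to remove is not set on the rule (the #1276 case)."""


class EmptyModList(Exception):
    """Nothing to change, e.g. no --sudooption given (the #1308 case)."""


class SudoRule:
    def __init__(self, name):
        self.name = name
        # ipasudoopt is multi-valued and absent until the first add; the
        # KeyError in the traceback above came from reading it unguarded.
        self.attrs = {"cn": name, "ipaenabledflag": True}

    def _options(self):
        return self.attrs.get("ipasudoopt", [])

    @staticmethod
    def _clean(option):
        # None (option omitted) and whitespace-only values both mean
        # "no option given", never an option whose name is "".
        if option is None or not option.strip():
            raise EmptyModList("no sudo option given")
        return option.strip()

    def add_option(self, option):
        option = self._clean(option)
        # Deliberately case-sensitive: "foo" and "FOO" are distinct values,
        # as the thread concludes, so both may be stored.
        if option in self._options():
            raise DuplicateEntry("This entry already exists")
        self.attrs.setdefault("ipasudoopt", []).append(option)
        return self.show()

    def remove_option(self, option):
        option = self._clean(option)
        if option not in self._options():
            # Reporting success here would misstate which options remain
            # in force on the rule.
            raise NotFound("sudo option %r is not set on rule %r"
                           % (option, self.name))
        self.attrs["ipasudoopt"].remove(option)
        if not self.attrs["ipasudoopt"]:
            del self.attrs["ipasudoopt"]  # back to "attribute absent"
        return self.show()

    def show(self):
        """Text summary that does not assume ipasudoopt is present."""
        lines = ["Rule name: %s" % self.name]
        lines += ["Sudo Options: %s" % opt for opt in self._options()]
        return lines


def raises(exc_type, func, *args):
    """True if func(*args) raises exc_type; used to exercise error paths."""
    try:
        func(*args)
    except exc_type:
        return True
    return False


if __name__ == "__main__":
    rule = SudoRule("test")
    print("\n".join(rule.add_option("foo")))
    print("duplicate rejected:", raises(DuplicateEntry, rule.add_option, "foo"))
    print("\n".join(rule.add_option("FOO")))
    print("missing option rejected:", raises(NotFound, rule.remove_option, "bar"))
```

`show()` replaces the unguarded `result['result']['ipasudoopt']` lookup from the traceback: it iterates over whatever options exist, so a rule with none prints only its name.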
From: mkosek at redhat.com (Martin Kosek)
Date: Wed, 15 Jun 2011 17:04:02 +0200
Subject: [Freeipa-devel] [PATCH] 792 Update translations
In-Reply-To: <4DF7D588.9060603@redhat.com>
References: <4DED129C.8090700@redhat.com> <1307624168.27281.19.camel@dhcp-25-52.brq.redhat.com> <4DF7D588.9060603@redhat.com>
Message-ID: <1308150244.11628.23.camel@dhcp-25-52.brq.redhat.com>

On Tue, 2011-06-14 at 17:41 -0400, Rob Crittenden wrote:
> Martin Kosek wrote:
> > On Mon, 2011-06-06 at 13:47 -0400, Rob Crittenden wrote:
> >> Our translation files haven't been updated for a few months, this brings
> >> things up to date. It is intended for master only.
> >>
> >> All I did to generate this patch was to run make update-po in
> >> install/po. It is otherwise untouched by human hands.
> >>
> >> 4Mb of changes, 810 new messages, so this patch is huge, sorry.
> >>
> >> rob
> >
> > Eh, nice patch :-) Did you also pull new translations from Transifex?
> > John wrote a howto in a mail "Transifex i18n translation changes".
> >
> > Btw if we also want to update ipa-2-0 translations, it would need a
> > separate patch as those 2 branches have diverged.
> >
> > Martin
> >
>
> There are no new translations upstream. Once this is pushed we can push
> it to Transifex as well
>
> rob

Ok, ACK from me then. Feel free to regenerate translations if some strings
were changed before the review was completed.

Martin
From: rcritten at redhat.com (Rob Crittenden)
Date: Wed, 15 Jun 2011 11:19:06 -0400
Subject: [Freeipa-devel] [PATCH] 081 Missing krbprincipalname when uid is not set
In-Reply-To: <1308138558.11628.14.camel@dhcp-25-52.brq.redhat.com>
References: <1308138558.11628.14.camel@dhcp-25-52.brq.redhat.com>
Message-ID: <4DF8CD6A.8080300@redhat.com>

Martin Kosek wrote:
> When user_add command is executed without uid parameter filled, user
> account is created without 'krbprincipalname' attribute. This renders
> the user account unusable.
>
> https://fedorahosted.org/freeipa/ticket/1279

ack

From: rcritten at redhat.com (Rob Crittenden)
Date: Wed, 15 Jun 2011 11:19:39 -0400
Subject: [Freeipa-devel] [PATCH] 082 Add port 9443 to replica port checking
In-Reply-To: <1308140912.11628.15.camel@dhcp-25-52.brq.redhat.com>
References: <1308140912.11628.15.camel@dhcp-25-52.brq.redhat.com>
Message-ID: <4DF8CD8B.1080806@redhat.com>

Martin Kosek wrote:
> Port 9443 (Agent secure port on PKI-CA) was missing. Additionally,
> checked port descriptions case consistency fixed.
>
> https://fedorahosted.org/freeipa/ticket/1321

ack

From: ayoung at redhat.com (Adam Young)
Date: Wed, 15 Jun 2011 11:24:37 -0400
Subject: [Freeipa-devel] [PATCH] 0236-no-redirect-on-search
Message-ID: <4DF8CEB5.1030101@redhat.com>

-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-admiyo-0236-no-redirect-on-search.patch
Type: text/x-patch
Size: 1203 bytes
Desc: not available
URL:
From: edewata at redhat.com (Endi Sukma Dewata)
Date: Wed, 15 Jun 2011 10:23:26 -0500
Subject: [Freeipa-devel] [PATCH] 177 Fixed build break.
Message-ID: <4DF8CE6E.6090904@redhat.com>

The Makefile.am and freeipa.spec.in have been updated according to the
recent file changes.

--
Endi S. Dewata

-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-edewata-0177-Fixed-build-break.patch
Type: text/x-patch
Size: 1757 bytes
Desc: not available
URL:

From: ayoung at redhat.com (Adam Young)
Date: Wed, 15 Jun 2011 11:28:56 -0400
Subject: [Freeipa-devel] [PATCH] 0236-no-redirect-on-search
In-Reply-To: <4DF8CEB5.1030101@redhat.com>
References: <4DF8CEB5.1030101@redhat.com>
Message-ID: <4DF8CFB8.20303@redhat.com>

On 06/15/2011 11:24 AM, Adam Young wrote:
>

Removed extra whitespace

-------------- next part --------------
An HTML attachment was scrubbed...
URL:

-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-admiyo-0236-1-no-redirect-on-search.patch
Type: text/x-patch
Size: 991 bytes
Desc: not available
URL:
From: mkosek at redhat.com (Martin Kosek)
Date: Wed, 15 Jun 2011 17:25:07 +0200
Subject: [Freeipa-devel] [PATCH] 081 Missing krbprincipalname when uid is not set
In-Reply-To: <4DF8CD6A.8080300@redhat.com>
References: <1308138558.11628.14.camel@dhcp-25-52.brq.redhat.com> <4DF8CD6A.8080300@redhat.com>
Message-ID: <1308151510.11628.24.camel@dhcp-25-52.brq.redhat.com>

On Wed, 2011-06-15 at 11:19 -0400, Rob Crittenden wrote:
> Martin Kosek wrote:
> > When user_add command is executed without uid parameter filled, user
> > account is created without 'krbprincipalname' attribute. This renders
> > the user account unusable.
> >
> > https://fedorahosted.org/freeipa/ticket/1279
>
> ack

Pushed to master, ipa-2-0.

Martin

From: mkosek at redhat.com (Martin Kosek)
Date: Wed, 15 Jun 2011 17:25:20 +0200
Subject: [Freeipa-devel] [PATCH] 082 Add port 9443 to replica port checking
In-Reply-To: <4DF8CD8B.1080806@redhat.com>
References: <1308140912.11628.15.camel@dhcp-25-52.brq.redhat.com> <4DF8CD8B.1080806@redhat.com>
Message-ID: <1308151522.11628.25.camel@dhcp-25-52.brq.redhat.com>

On Wed, 2011-06-15 at 11:19 -0400, Rob Crittenden wrote:
> Martin Kosek wrote:
> > Port 9443 (Agent secure port on PKI-CA) was missing. Additionally,
> > checked port descriptions case consistency fixed.
> >
> > https://fedorahosted.org/freeipa/ticket/1321
>
> ack

Pushed to master.

Martin
From: jdennis at redhat.com (John Dennis)
Date: Wed, 15 Jun 2011 11:39:52 -0400
Subject: [Freeipa-devel] [PATCH 25/25] assert_deepequal supports callback for equality
Message-ID: <4DF8D248.7080302@redhat.com>

The unit test framework recursively checks for equality between the
"expected" and "got". When it finds a non-container object it checks for
equality between the expected and got objects.

However sometimes a simple equality test is insufficient. This can happen
when two values are equivalent but not equal. For example the two values
might be encoded differently, hence the encoded values differ, but when
decoded they are identical.

To support these special cases one can now insert a callable object into
the expected container. When assert_deepequal sees a callable it does not
test for equality, rather it calls the callable passing it the got object.
The callable returns True if the got value is expected.

This can simply be done with a lambda expression with a closure on the
expected value, for example:

expected = {'dn': lambda got: DN(got) == privilege1_dn}

In this case the "got" dn value is passed to the function which converts it
to a DN object which can be compared with privilege1_dn, a local DN object;
privilege1_dn is bound by closure.

The equality callback is necessary because DN's can be encoded differently.

--
John Dennis

-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0025-assert_deepequal-supports-callback-for-equality-test.patch
Type: text/x-patch
Size: 1959 bytes
Desc: not available
URL:
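The message above describes the callback rule (a callable in "expected" decides instead of `==`) and patch 24 earlier in the thread gives the motivation: the same DN can be spelled in several encodings. The block below is an added example of both, not the ipatests or ipalib code. `assert_deepequal` here is a minimal reimplementation of the recursive walk with the callable hook; `normalize_dn` and `dn_equals` are assumed helpers standing in for the DN class, and they only fold attribute-type case and whitespace, not RFC 4514 escaping. The DNs in the test are constructed sample data.

```python
"""Added example, not FreeIPA's test framework: a recursive expected/got
comparison where a callable in "expected" replaces the equality test, used
with a closure over an expected DN so differently encoded DNs compare equal."""

import re


def normalize_dn(dn):
    """Canonical spelling: attribute types lower-cased, whitespace around
    '=' and ',' dropped. Assumes no escaped commas inside values."""
    rdns = []
    for rdn in re.split(r"\s*,\s*", dn.strip()):
        attr, _, value = rdn.partition("=")
        rdns.append("%s=%s" % (attr.strip().lower(), value.strip()))
    return ",".join(rdns)


def dn_equals(expected_dn):
    """Equality callback closed over expected_dn, the pattern from the
    message: lambda got: DN(got) == privilege1_dn."""
    return lambda got: normalize_dn(got) == normalize_dn(expected_dn)


def assert_deepequal(expected, got, path="root"):
    """Raise AssertionError naming the path of the first mismatch."""
    if callable(expected):
        # The callback decides; it receives the raw "got" value.
        if not expected(got):
            raise AssertionError("%s: callback rejected %r" % (path, got))
    elif isinstance(expected, dict):
        if not isinstance(got, dict) or set(expected) != set(got):
            raise AssertionError("%s: key sets differ: expected %r, got %r"
                                 % (path, expected, got))
        for key in expected:
            assert_deepequal(expected[key], got[key], "%s[%r]" % (path, key))
    elif isinstance(expected, (list, tuple)):
        if not isinstance(got, (list, tuple)) or len(expected) != len(got):
            raise AssertionError("%s: expected %r, got %r" % (path, expected, got))
        for i, (e, g) in enumerate(zip(expected, got)):
            assert_deepequal(e, g, "%s[%d]" % (path, i))
    elif expected != got:
        # Non-container leaf: plain equality, as before the callback hook.
        raise AssertionError("%s: expected %r, got %r" % (path, expected, got))


def deepequal(expected, got):
    """Boolean form of assert_deepequal for callers that want a result."""
    try:
        assert_deepequal(expected, got)
    except AssertionError:
        return False
    return True


if __name__ == "__main__":
    # Constructed sample: the server returns the DN with upper-case types
    # and spaces, the test was written with the compact lower-case form.
    privilege1_dn = "cn=privilege1,cn=privileges,cn=pbac,dc=example,dc=com"
    got = {"dn": "CN=privilege1, CN=privileges, CN=pbac, DC=example, DC=com",
           "cn": ["privilege1"]}
    print("plain string compare:", deepequal({"dn": privilege1_dn, "cn": ["privilege1"]}, got))
    print("callback compare:    ", deepequal({"dn": dn_equals(privilege1_dn), "cn": ["privilege1"]}, got))
```

The path string in the AssertionError is what makes the recursive walk usable on large result dicts: a failure reports `root['result']['dn']` rather than dumping both structures.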
From: mkosek at redhat.com (Martin Kosek)
Date: Wed, 15 Jun 2011 17:51:14 +0200
Subject: [Freeipa-devel] [PATCH] 177 Fixed build break.
In-Reply-To: <4DF8CE6E.6090904@redhat.com>
References: <4DF8CE6E.6090904@redhat.com>
Message-ID: <1308153077.11628.32.camel@dhcp-25-52.brq.redhat.com>

On Wed, 2011-06-15 at 10:23 -0500, Endi Sukma Dewata wrote:
> The Makefile.am and freeipa.spec.in have been updated according to the
> recent file changes.
>

ACK. Works fine.

Martin

From: edewata at redhat.com (Endi Sukma Dewata)
Date: Wed, 15 Jun 2011 10:57:45 -0500
Subject: [Freeipa-devel] [PATCH] 177 Fixed build break.
In-Reply-To: <1308153077.11628.32.camel@dhcp-25-52.brq.redhat.com>
References: <4DF8CE6E.6090904@redhat.com> <1308153077.11628.32.camel@dhcp-25-52.brq.redhat.com>
Message-ID: <4DF8D679.9030801@redhat.com>

On 6/15/2011 10:51 AM, Martin Kosek wrote:
> On Wed, 2011-06-15 at 10:23 -0500, Endi Sukma Dewata wrote:
>> The Makefile.am and freeipa.spec.in have been updated according to the
>> recent file changes.
>
> ACK. Works fine.

Pushed to master. Thanks!

--
Endi S. Dewata

From: edewata at redhat.com (Endi Sukma Dewata)
Date: Wed, 15 Jun 2011 11:02:58 -0500
Subject: [Freeipa-devel] [PATCH] 178 Removed FreeWay font files.
Message-ID: <4DF8D7B2.4060101@redhat.com>

The CSS files in install/html and install/migration have been modified to
use the Overpass font.

The changes can be verified here:
http://edewata.fedorapeople.org/freeipa/install/html/unauthorized.html
http://edewata.fedorapeople.org/freeipa/install/migration/index.html

--
Endi S. Dewata
From: edewata at redhat.com (Endi Sukma Dewata)
Date: Wed, 15 Jun 2011 11:19:42 -0500
Subject: [Freeipa-devel] [PATCH] 178 Removed FreeWay font files.
In-Reply-To: <4DF8D7B2.4060101@redhat.com>
References: <4DF8D7B2.4060101@redhat.com>
Message-ID: <4DF8DB9E.1020006@redhat.com>

On 6/15/2011 11:02 AM, Endi Sukma Dewata wrote:
> The CSS files in install/html and install/migration have been
> modified to use the Overpass font.
>
> The changes can be verified here:
> http://edewata.fedorapeople.org/freeipa/install/html/unauthorized.html
> http://edewata.fedorapeople.org/freeipa/install/migration/index.html

Attached the patch.

--
Endi S. Dewata

-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-edewata-0178-Removed-FreeWay-font-files.patch
Type: text/x-patch
Size: 152990 bytes
Desc: not available
URL:
From: ayoung at redhat.com (Adam Young) Date: Wed, 15 Jun 2011 12:37:24 -0400 Subject: [Freeipa-devel] [PATCH] 0236-no-redirect-on-search In-Reply-To: <4DF8CFB8.20303@redhat.com> References: <4DF8CEB5.1030101@redhat.com> <4DF8CFB8.20303@redhat.com> Message-ID: <4DF8DFC4.8090300@redhat.com> On 06/15/2011 11:28 AM, Adam Young wrote: > On 06/15/2011 11:24 AM, Adam Young wrote: >> >> >> _______________________________________________ >> Freeipa-devel mailing list >> Freeipa-devel at redhat.com >> https://www.redhat.com/mailman/listinfo/freeipa-devel > Removed extra whitespace > > > _______________________________________________ > Freeipa-devel mailing list > Freeipa-devel at redhat.com > https://www.redhat.com/mailman/listinfo/freeipa-devel Facet can override what to do on error -------------- next part -------------- An HTML attachment was scrubbed... URL: -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-admiyo-0236-2-no-redirect-on-search.patch Type: text/x-patch Size: 2219 bytes Desc: not available URL: From JR.Aquino at citrix.com Wed Jun 15 17:29:19 2011 From: JR.Aquino at citrix.com (JR Aquino) Date: Wed, 15 Jun 2011 17:29:19 +0000 Subject: [Freeipa-devel] [PATCH] 802 add message summary to sudorule In-Reply-To: <4DF80CA9.8000301@redhat.com> References: <4DF80CA9.8000301@redhat.com> Message-ID: <9AD9C30F-8704-4343-9CF4-F78F506697D5@citrixonline.com> On Jun 14, 2011, at 6:36 PM, Rob Crittenden wrote: > Some of the sudorule commands were missing a message summary. > > ticket https://fedorahosted.org/freeipa/ticket/1255 > > rob > _______________________________________________ > Freeipa-devel mailing list > Freeipa-devel at redhat.com > https://www.redhat.com/mailman/listinfo/freeipa-devel NACK error: patch failed: ipalib/plugins/sudorule.py:189 error: ipalib/plugins/sudorule.py: patch does not apply Appears to perhaps be off by 1 line number. You might have to rebase. From jdennis at redhat.com Wed Jun 15 17:33:15 2011 
From: jdennis at redhat.com (John Dennis) Date: Wed, 15 Jun 2011 13:33:15 -0400 Subject: [Freeipa-devel] [PATCH 26/26] Add backslash escape support for csv reader Message-ID: <4DF8ECDB.4020004@redhat.com> The csv reader is used to break comma-separated lists into individual items. However, what if you want one of those items to have an embedded comma? The answer is to escape it by preceding the comma with a backslash. This patch adds support for escaping in the csv reader. -- John Dennis Looking to carve out IT costs? www.redhat.com/carveoutcosts/ -------------- next part -------------- A non-text attachment was scrubbed... Name: 0026-Add-backslash-escape-support-for-cvs-reader.patch Type: text/x-patch Size: 1993 bytes Desc: not available URL: From edewata at redhat.com Wed Jun 15 17:50:11 2011
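An added example of the behaviour John describes above (editor's illustration, not the code from the patch, whose attachment was scrubbed): a tokenizer that splits a comma-separated list but keeps a backslash-escaped comma inside the item, the matching escaper for the producing side, and a cross-check against Python's own csv module with escapechar set. The function names are assumptions, as is the rule that a doubled backslash yields one literal backslash.

```python
"""Split comma-separated lists while honouring backslash-escaped commas.

Added example (editor's, not the code from the patch above). The escaping
rule is the one the message describes: a backslash before a comma makes
the comma part of the item. Function names are assumptions; a doubled
backslash yielding one literal backslash is an assumption too.
"""
import csv


def split_csv(text, separator=',', escape='\\'):
    """Split text on separator; an escaped separator stays in the item."""
    items, current, i = [], [], 0
    while i < len(text):
        ch = text[i]
        if ch == escape and i + 1 < len(text):
            current.append(text[i + 1])   # keep the escaped char literally
            i += 2
            continue
        if ch == separator:
            items.append(''.join(current))
            current = []
        else:
            current.append(ch)            # a lone trailing escape is kept as-is
        i += 1
    items.append(''.join(current))
    return items


def escape_csv_item(item, separator=',', escape='\\'):
    """Inverse of split_csv for one item: escapes first, then separators,
    so an item that already contains a backslash survives a round trip."""
    return item.replace(escape, escape * 2).replace(separator, escape + separator)


def join_csv(items):
    """Serialise items so that split_csv(join_csv(items)) == items."""
    return ','.join(escape_csv_item(item) for item in items)


def split_csv_stdlib(text):
    """Same split via Python's csv module with escapechar set; note that
    the stdlib reader additionally treats double quotes as quoting."""
    return next(csv.reader([text], escapechar='\\'))
```

The producing side matters as much as the reader: a privilege or option name that contains a comma must go through escape_csv_item (or the patch's equivalent) before it is joined into the list, otherwise it silently becomes two items on the way back in.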
From: edewata at redhat.com (Endi Sukma Dewata) Date: Wed, 15 Jun 2011 12:50:11 -0500 Subject: [Freeipa-devel] [PATCH] 0236-no-redirect-on-search In-Reply-To: <4DF8DFC4.8090300@redhat.com> References: <4DF8CEB5.1030101@redhat.com> <4DF8CFB8.20303@redhat.com> <4DF8DFC4.8090300@redhat.com> Message-ID: <4DF8F0D3.6020008@redhat.com> On 6/15/2011 11:37 AM, Adam Young wrote: >> Removed extra whitespace > Facet can override what to do on error There's a jslint warning, but other than that it can be pushed. This patch fixes the first item in ticket #1281. The second item is still a problem. Steps to reproduce: 1. Open a search page. 2. Run service dirsrv stop 3. Click one of the entries in the list. It will go to the details page and display an error dialog. If you close the dialog it will go back to search page and display another error dialog. See also the entitlements page, instead of displaying an error dialog it shows the error in the status bar below. Should we replace redirection with this? Or should we fix entitlements to show error dialog too? Normally the status bar in entitlements is used to show the enrollment status (which is not an error). -- Endi S. Dewata From ayoung at redhat.com Wed Jun 15 18:09:57 2011 
From: ayoung at redhat.com (Adam Young) Date: Wed, 15 Jun 2011 14:09:57 -0400 Subject: [Freeipa-devel] [PATCH] 0236-no-redirect-on-search In-Reply-To: <4DF8F0D3.6020008@redhat.com> References: <4DF8CEB5.1030101@redhat.com> <4DF8CFB8.20303@redhat.com> <4DF8DFC4.8090300@redhat.com> <4DF8F0D3.6020008@redhat.com> Message-ID: <4DF8F575.70202@redhat.com> On 06/15/2011 01:50 PM, Endi Sukma Dewata wrote: > On 6/15/2011 11:37 AM, Adam Young wrote: >>> Removed extra whitespace >> Facet can override what to do on error > > There's a jslint warning, but other than that it can be pushed. > > This patch fixes the first item in ticket #1281. The second item is > still a problem. Steps to reproduce: > > 1. Open a search page. > 2. Run service dirsrv stop > 3. Click one of the entries in the list. > > It will go to the details page and display an error dialog. If you > close the dialog it will go back to search page and display another > error dialog. > > See also the entitlements page, instead of displaying an error dialog > it shows the error in the status bar below. Should we replace > redirection with this? Or should we fix entitlements to show error > dialog too? Normally the status bar in entitlements is used to show > the enrollment status (which is not an error). > > Fixed the JSL error and pushed to master From rcritten at redhat.com Wed Jun 15 18:29:59 2011 
From: rcritten at redhat.com (Rob Crittenden) Date: Wed, 15 Jun 2011 14:29:59 -0400 Subject: [Freeipa-devel] [PATCH] 799 The IP address provided to ipa-server-install must be local In-Reply-To: <4DF76BC7.6080302@redhat.com> References: <4DF67603.5030508@redhat.com> <1308039954.22442.14.camel@dhcp-25-52.brq.redhat.com> <4DF75A88.6080301@redhat.com> <1308058755.22442.18.camel@dhcp-25-52.brq.redhat.com> <4DF76BC7.6080302@redhat.com> Message-ID: <4DF8FA27.5040608@redhat.com> Rob Crittenden wrote: > Martin Kosek wrote: >> On Tue, 2011-06-14 at 08:56 -0400, Rob Crittenden wrote: >>> Martin Kosek wrote: >>>> On Mon, 2011-06-13 at 16:41 -0400, Rob Crittenden wrote: >>>>> Compare the configured interfaces with the supplied IP address and >>>>> optional netmask to determine if the interface is available. >>>>> >>>>> Note the subtle change when comparing addresses. We have two object >>>>> types, IPNetwork and IPAddress. We should only compare addresses >>>>> when we >>>>> don't have an IPNetwork otherwise we can end up comparing an >>>>> address to >>>>> an object with a netmask and get a bad result. >>>>> >>>>> https://fedorahosted.org/freeipa/ticket/1175 >>>> >>>> NACK. >>>> >>>> 1) This breaks ipa-replica-prepare: >>>> >>>> # ipa-replica-prepare vm-046.idm.lab.bos.redhat.com >>>> --ip-address=10.16.78.46 >>>> Usage: ipa-replica-prepare [options] FQDN (e.g. replica.example.com) >>>> >>>> ipa-replica-prepare: error: option --ip-address: invalid IP address >>>> 10.16.78.46: No network interface matches the provided IP address and >>>> netmask >>>> >>>> Actually, this is not your fault, we just don't use IP address checking >>>> in IPAOptionParser correctly. --ip-address option in >>>> ipa-replica-prepare >>>> has type "ipnet" which is validated by the CheckedIPAddress. As >>>> match_local defaults to True, your new exception is raised. >>> >>> Ok, but is 10.16.78.46 a configured network interface? >> >> It is an IP address of new replica, i.e. 
it's not a local network >> interface address. As I wrote, the problem is in a type of >> --ip-address option in ipa-replica-prepare. You can check Honza's mail >> for an implementation hint. > > Ah, prepare. I tested with an existing replica file... > > Well, I wonder if an easier fix would be to set match_local=False by > default and specifically ask to match_local when we want. Updated patch attached. rob > >> >> Martin >> >>> >>>> >>>> I think we need 2 new option types for IPAOptionParser such as >>>> "iplocal" >>>> and "ipnetlocal" which would be used for --ip-address option in >>>> ipa-server-install or ipa-dns-install and which would use >>>> match_local=True. Current types "ip" and "ipnet" should use >>>> match_local=False. >>>> >>>> 2) CheckedIPAddress functionality (i.e. this fix) is neither in ipa-2-0 >>>> stable branch nor in RHEL 6.1. But this should be OK since it is >>>> targeted for RHEL 6.2. >>> >>> Right, I wasn't planning on pushing this to 2.0. >>> >>> rob >> >> -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-rcrit-799-2-local.patch Type: text/x-diff Size: 2278 bytes Desc: not available URL: From ayoung at redhat.com Wed Jun 15 18:37:43 2011 From: ayoung at redhat.com (Adam Young) Date: Wed, 15 Jun 2011 14:37:43 -0400 Subject: [Freeipa-devel] [PATCH] 0237-no-redirect-on-unknown-error Message-ID: <4DF8FBF7.9040302@redhat.com> Part 2 https://fedorahosted.org/freeipa/ticket/1281 From ayoung at redhat.com Wed Jun 15 18:55:11 2011
From: ayoung at redhat.com (Adam Young) Date: Wed, 15 Jun 2011 14:55:11 -0400 Subject: [Freeipa-devel] [PATCH] 0237-no-redirect-on-unknown-error In-Reply-To: <4DF8FBF7.9040302@redhat.com> References: <4DF8FBF7.9040302@redhat.com> Message-ID: <4DF9000F.8010709@redhat.com> On 06/15/2011 02:37 PM, Adam Young wrote: > Part 2 > > https://fedorahosted.org/freeipa/ticket/1281 > > _______________________________________________ > Freeipa-devel mailing list > Freeipa-devel at redhat.com > https://www.redhat.com/mailman/listinfo/freeipa-devel -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-admiyo-0237-no-redirect-on-unknown-error.patch Type: text/x-patch Size: 1934 bytes Desc: not available URL: From JR.Aquino at citrix.com Wed Jun 15 19:14:24 2011 
From: JR.Aquino at citrix.com (JR Aquino) Date: Wed, 15 Jun 2011 19:14:24 +0000 Subject: [Freeipa-devel] [PATCH] 29 Raise DuplicateEntry Error when adding a duplicate sudo option In-Reply-To: <4DF8C9B0.1070202@redhat.com> References: <2AE1C072-9099-44E1-A778-BB1A6F0AE955@citrixonline.com> <4DF101D9.6000209@redhat.com> <5AF8156E-C5D0-4B09-A279-4CD049AB54B6@citrixonline.com> <0D1AFB75-6A9B-40B0-848D-B6B08CC0A2B8@citrixonline.com> <4DF7A31C.4000403@redhat.com> <7AFFCA25-0FC3-41AD-81CF-7E8D3F83171D@citrixonline.com> <4DF8C9B0.1070202@redhat.com> Message-ID: <7675EBF1-EFD1-4E2E-96EF-A168C20CC904@citrixonline.com> On Jun 15, 2011, at 8:03 AM, Rob Crittenden wrote: > A minor issue and a question. > > The minor issue is you changed a couple of options from optional to mandatory, which is fine, but we need to bump up the minor version in VERSION (older clients otherwise could not send the string and blow things up). Is there a rule of thumb or document that details when this is appropriate? > The question is, should we raise EmptyModList() when removing an option that doesn't exist or NotFound(reason=_())? I think the second might be more explanatory but might be harder to handle in scripts (how would you distinguish between entry not found and option not found)? > > rob As per IRC conversation: Added new Exception: AttrValueNotFound Incremented minor version in VERSION Adjusted API 1276 (Raise AttrValueNotFound when trying to remove a non-existent option from Sudo rule) 1277 (Raise DuplicateEntry Error when adding a duplicate sudo option) 1308 (Make sudooption a required option for sudorule_remove_option) -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-jraquino-0029-Raise-DuplicateEntry-Error-when-adding-a-duplicate.patch Type: application/octet-stream Size: 6843 bytes Desc: freeipa-jraquino-0029-Raise-DuplicateEntry-Error-when-adding-a-duplicate.patch URL: From edewata at redhat.com Wed Jun 15 19:55:07 2011
From: edewata at redhat.com (Endi Sukma Dewata) Date: Wed, 15 Jun 2011 14:55:07 -0500 Subject: [Freeipa-devel] Entity labels Message-ID: <4DF90E1B.6010506@redhat.com>
Hi All, We need I18n labels for the entities to be used inside help messages and UI. Please take a look at the following tickets: https://fedorahosted.org/freeipa/ticket/1217 https://fedorahosted.org/freeipa/ticket/1249
Depending on the usage, we might need 4 different labels for each entity:
Label #1: Lower-case singular label: e.g. user, DNS zone
Label #2: Lower-case plural label: e.g. users, DNS zones
Label #3: Upper-case singular label: e.g. User, DNS Zone
Label #4: Upper-case plural label: e.g. Users, DNS Zones
In the current code the lower-case labels are needed for server messages and the upper-case labels are needed for UI page titles. Due to the nature of an untyped language, it's difficult to confirm whether upper-case labels are actually needed by the server, but there's a possibility.
The server plugins currently define the following attributes:
- object_name: It can be used as Label #1 (after fixing ticket #1217).
- object_name_plural: It can be used as Label #2.
- label: It can be used as Label #4.
Here are the issues:
Issue #1: There is no attribute that can be used as Label #3.
Issue #2: The lower-case label is identical to the corresponding upper-case label (e.g. Label #1 & #3) except for the capitalization.
Issue #3: Acronyms such as DNS need to remain upper-case in all labels.
Some solutions have been proposed:
Option #1: Define 4 different attributes, one for each label. By default translators only need to supply lower-case Label #1 and #2. The upper-case Label #3 and #4 will be generated automatically using a server-side method that will convert the first letters in each word in the label to upper case. Translators can also supply the upper-case labels if the method doesn't generate the correct conversion.
Option #2: Define only the 2 lower-case attributes.
Since it's unclear if the server needs the upper-case labels, we will just implement a client-side conversion method to generate upper-case labels for the UI. But if the server needs it too, we would have to add a similar method on the server-side. Also there will be no way to override the conversion. My personal preference is option #1. Any suggestions? Thanks. -- Endi S. Dewata From jdennis at redhat.com Wed Jun 15 20:02:48 2011 
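An added example for Option #1 above (editor's illustration, not FreeIPA code): deriving the two upper-case labels from the two lower-case ones without breaking acronyms, with an explicitly supplied label taking precedence over the generated one. The attribute names object_name, object_name_plural and label are from Endi's message; label_singular and the dictionary keys are assumptions.

```python
"""Derive upper-case UI labels from the lower-case server labels.

Added example (editor's, not FreeIPA code) for Option #1 above. The
attribute names object_name, object_name_plural and label come from the
message; label_singular and the dict keys are assumptions.
"""


def capitalize_words(text):
    """Upper-case the first letter of each word and leave the rest alone,
    so acronyms survive: unlike str.title(), 'DNS zone' -> 'DNS Zone'."""
    return ' '.join(word[:1].upper() + word[1:] for word in text.split(' '))


def entity_labels(object_name, object_name_plural, label=None, label_singular=None):
    """The four labels from the message; explicit upper-case labels win over
    the generated ones so translators can override a bad conversion."""
    return {
        'lower_singular': object_name,
        'lower_plural': object_name_plural,
        'upper_singular': label_singular or capitalize_words(object_name),
        'upper_plural': label or capitalize_words(object_name_plural),
    }
```

The reason not to reach for str.title() is Issue #3: it lower-cases everything after the first letter of each word, turning "DNS zone" into "Dns Zone".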
From: jdennis at redhat.com (John Dennis) Date: Wed, 15 Jun 2011 16:02:48 -0400 Subject: [Freeipa-devel] [PATCH 27/27] get_primary_key_from_dn returns decoded value Message-ID: <4DF90FE8.10606@redhat.com> DNs may be encoded. If we're going to return the value from one of the RDNs in the DN then we must decode the DN first, otherwise the returned value won't be what we're expecting. Specifically, the value getting passed back through the RPC interface was not the value set because it included escaping specific only to DNs. We want to treat the value as the value set by the user; the fact it happens to live as part of a DN is an irrelevant implementation detail which shouldn't be visible in the values we exchange through the RPC mechanism. This patch takes the DN as returned by an LDAP search and creates a DN object from it. The DN object allows us to robustly extract the value by name. The DN object also assures the components in the DN have been decoded back into normal unicode strings. There are many other places where we need to properly handle DNs by using a DN object; this is just one place, the minimum needed to get commas working in privileges. I'd rather make very small incremental changes in the DN handling rather than introducing too many changes in this critical area of the code; let's be conservative at this juncture. -- John Dennis Looking to carve out IT costs? www.redhat.com/carveoutcosts/ -------------- next part -------------- A non-text attachment was scrubbed... Name: 0027-get_primary_key_from_dn-returns-decoded-value.patch Type: text/x-patch Size: 1195 bytes Desc: not available URL: From jdennis at redhat.com Wed Jun 15 20:25:17 2011
From: jdennis at redhat.com (John Dennis) Date: Wed, 15 Jun 2011 16:25:17 -0400 Subject: [Freeipa-devel] [PATCH 28/28] Update test_role_plugin test to include a comma in a, privilege Message-ID: <4DF9152D.7060408@redhat.com> Update test_role_plugin test to include a comma in a privilege Introduce a comma into a privilege name to assure we can handle commas. Commas must be escaped for some parameters; add an escape_comma() utility and invoke it for the necessary parameters. Utilize a DN object to properly construct a DN and, most importantly, to allow equality testing between the DN we expect and the one returned. This is necessary because a DN can be encoded according to different encoding syntaxes, all of which are valid. DN objects always decode from their input. DN objects can test for equality between DNs without being affected by DN encoding. Add an equality callback for the dn in the expected dict. When the test framework tests for equality between the expected value and the returned value it will call back into a function we provide which will convert the returned dn into a DN object. An equality test is then performed between two DN objects. This is the only way to properly compare two DNs. -- John Dennis Looking to carve out IT costs? www.redhat.com/carveoutcosts/ -------------- next part -------------- A non-text attachment was scrubbed... Name: 0028-Update-test_role_plugin-test-to-include-a-comma-in-a.patch Type: text/x-patch Size: 4111 bytes Desc: not available URL: From edewata at redhat.com Wed Jun 15 22:10:22 2011
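An added example covering both of John's messages above (editor's illustration, not FreeIPA's DN class or the scrubbed patches): decoding an RDN value out of a DN string so that what comes back over RPC is what the user set, building a DN with the values escaped, and comparing two DNs that use different but equally valid escaping (\, versus \2C). It follows RFC 4514 string escaping; the helper names are assumptions, and it deliberately does not apply attribute-specific case folding to values, only to attribute names.

```python
"""Decode LDAP DN strings (RFC 4514) and compare them by value.

Added example (editor's, not FreeIPA's DN class); helper names are
assumptions. It returns an RDN value exactly as the user set it and
treats two DNs as equal whatever valid escaping each one uses.
"""

ESCAPED_SPECIALS = ',+"\\<>;='
HEX = '0123456789abcdefABCDEF'

def _split_unescaped(text, sep):
    """Split on sep, leaving backslash-escaped pairs intact for decode_value."""
    parts, cur, i = [], [], 0
    while i < len(text):
        if text[i] == '\\' and i + 1 < len(text):
            cur.append(text[i:i + 2])
            i += 2
        elif text[i] == sep:
            parts.append(''.join(cur))
            cur = []
            i += 1
        else:
            cur.append(text[i])
            i += 1
    parts.append(''.join(cur))
    return parts

def decode_value(raw):
    """Undo escaping: '\\XX' is one raw byte, '\\c' is the literal character c."""
    out, i = bytearray(), 0
    while i < len(raw):
        if raw[i] != '\\':
            out.extend(raw[i].encode('utf-8'))
            i += 1
        elif i + 2 < len(raw) and raw[i + 1] in HEX and raw[i + 2] in HEX:
            out.append(int(raw[i + 1:i + 3], 16))   # hex pair: one byte of UTF-8
            i += 3
        elif i + 1 < len(raw):
            out.extend(raw[i + 1].encode('utf-8'))
            i += 2
        else:
            raise ValueError('dangling backslash in %r' % raw)
    return out.decode('utf-8')

def _strip_value(raw):
    """Drop insignificant leading/trailing spaces; an escaped '\\ ' is kept."""
    raw = raw.lstrip(' ')
    while raw.endswith(' '):
        body = raw[:-1]
        if (len(body) - len(body.rstrip('\\'))) % 2:
            break                       # odd number of backslashes: escaped space
        raw = body
    return raw

def parse_dn(dn):
    """Return one list of (attr, value) pairs per RDN, leftmost RDN first."""
    rdns = []
    for rdn in _split_unescaped(dn, ','):
        avas = []
        for ava in _split_unescaped(rdn, '+'):
            attr, eq, raw = ava.partition('=')
            if not eq:
                raise ValueError('RDN without "=": %r' % ava)
            avas.append((attr.strip().lower(), decode_value(_strip_value(raw))))
        rdns.append(avas)
    return rdns

def canonical_dn(dn):
    """Comparison form: attribute names lower-cased, AVAs within an RDN sorted."""
    return [sorted(rdn) for rdn in parse_dn(dn)]

def dn_equal(a, b):
    """True if both strings name the same entry, regardless of escaping."""
    return canonical_dn(a) == canonical_dn(b)

def primary_key_from_dn(dn, attr):
    """Decoded value of attr in the leftmost RDN: the value as the user set it."""
    for name, value in parse_dn(dn)[0]:
        if name == attr.lower():
            return value
    raise KeyError('%s not in first RDN of %r' % (attr, dn))

def escape_value(value):
    """Inverse of decode_value for one attribute value."""
    out = ''.join('\\' + c if c in ESCAPED_SPECIALS else c for c in value)
    if value[:1] in ('#', ' '):
        out = '\\' + out
    if len(value) > 1 and value.endswith(' '):
        out = out[:-1] + '\\ '
    return out

def build_dn(*avas):
    """DN string from (attr, value) pairs, one single-valued RDN each."""
    return ','.join('%s=%s' % (a, escape_value(v)) for a, v in avas)
```

Comparing the raw strings would report two valid spellings of the same privilege DN as different; comparing canonical forms, as dn_equal does, is the check the test's equality callback needs.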
From: edewata at redhat.com (Endi Sukma Dewata) Date: Wed, 15 Jun 2011 17:10:22 -0500 Subject: [Freeipa-devel] [PATCH] 179 Fixed paging for indirect members. Message-ID: <4DF92DCE.604@redhat.com> Since ticket #1273 has been fixed, the indirect members can be shown using the regular association facet which supports paging. -- Endi S. Dewata -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-edewata-0179-Fixed-paging-for-indirect-members.patch Type: text/x-patch Size: 3161 bytes Desc: not available URL: From edewata at redhat.com Wed Jun 15 22:24:34 2011 From: edewata at redhat.com (Endi Sukma Dewata) Date: Wed, 15 Jun 2011 17:24:34 -0500 Subject: [Freeipa-devel] [PATCH] 180 Renamed associate.js to association.js. Message-ID: <4DF93122.5010404@redhat.com> -- Endi S. Dewata -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-edewata-0180-Renamed-associate.js-to-association.js.patch Type: text/x-patch Size: 6079 bytes Desc: not available URL: From ayoung at redhat.com Wed Jun 15 23:44:27 2011 From: ayoung at redhat.com (Adam Young) Date: Wed, 15 Jun 2011 19:44:27 -0400 Subject: [Freeipa-devel] [PATCH] 0237-no-redirect-on-unknown-error In-Reply-To: <4DF8FBF7.9040302@redhat.com> References: <4DF8FBF7.9040302@redhat.com> Message-ID: <4DF943DB.90201@redhat.com> On 06/15/2011 02:37 PM, Adam Young wrote: > Part 2 > > https://fedorahosted.org/freeipa/ticket/1281 > > _______________________________________________ > Freeipa-devel mailing list > Freeipa-devel at redhat.com > https://www.redhat.com/mailman/listinfo/freeipa-devel Now iterates through a list of known error types. -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-admiyo-0237-1-no-redirect-on-unknown-error.patch Type: text/x-patch Size: 2127 bytes Desc: not available URL: From edewata at redhat.com Thu Jun 16 01:23:23 2011 
From: edewata at redhat.com (Endi Sukma Dewata) Date: Wed, 15 Jun 2011 20:23:23 -0500 Subject: [Freeipa-devel] [PATCH] 0237-no-redirect-on-unknown-error In-Reply-To: <4DF943DB.90201@redhat.com> References: <4DF8FBF7.9040302@redhat.com> <4DF943DB.90201@redhat.com> Message-ID: <4DF95B0B.1010807@redhat.com> On 6/15/2011 6:44 PM, Adam Young wrote: > On 06/15/2011 02:37 PM, Adam Young wrote: >> Part 2 >> >> https://fedorahosted.org/freeipa/ticket/1281 > Now iterates through a list of known error types. If the server is down (service ipa stop) it throws an error with name 'NS_ERROR_NOT_AVAILABLE' which is not in the list, so it still does a redirection. There is another problem too, if the error name matches the list it doesn't call report_error(). Maybe this should be done the other way around. Instead of listing the errors not to redirect, we should list the errors which require redirection, i.e. IPA Error 4001 (entry not found). This is optional, in ipa.js:337 we could add the IPA error code into the error_thrown object. This way the error can be checked more reliably using error code rather than error name. -- Endi S. Dewata From mkosek at redhat.com Thu Jun 16 06:54:37 2011 
From: mkosek at redhat.com (Martin Kosek) Date: Thu, 16 Jun 2011 08:54:37 +0200 Subject: [Freeipa-devel] [PATCH] 802 add message summary to sudorule In-Reply-To: <9AD9C30F-8704-4343-9CF4-F78F506697D5@citrixonline.com> References: <4DF80CA9.8000301@redhat.com> <9AD9C30F-8704-4343-9CF4-F78F506697D5@citrixonline.com> Message-ID: <1308207279.11003.1.camel@dhcp-25-52.brq.redhat.com> On Wed, 2011-06-15 at 17:29 +0000, JR Aquino wrote: > On Jun 14, 2011, at 6:36 PM, Rob Crittenden wrote: > > > Some of the sudorule commands were missing a message summary. > > > > ticket https://fedorahosted.org/freeipa/ticket/1255 > > > > rob > > _______________________________________________ > > Freeipa-devel mailing list > > Freeipa-devel at redhat.com > > https://www.redhat.com/mailman/listinfo/freeipa-devel > > NACK > > error: patch failed: ipalib/plugins/sudorule.py:189 > error: ipalib/plugins/sudorule.py: patch does not apply > > Appears to perhaps be off by 1 line number. You might have to rebase. I already ack-ed and pushed this patch to master, ipa-2-0. It applied to the branches without any problem. Martin From mkosek at redhat.com Thu Jun 16 08:53:39 2011 From: mkosek at redhat.com (Martin Kosek) Date: Thu, 16 Jun 2011 10:53:39 +0200 Subject: [Freeipa-devel] [PATCH] 083 Improve IP address handling in IPA option parser Message-ID: <1308214421.11003.5.camel@dhcp-25-52.brq.redhat.com> Implements a way to pass match_local and parse_netmask parameters to IP option checker. Now, there is just one common option type "ip" with new optional attributes "ip_local" and "ip_netmask" which can be used to pass IP address validation parameters. https://fedorahosted.org/freeipa/ticket/1333 -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-mkosek-083-improve-ip-address-handling-in-ipa-option-parser.patch Type: text/x-patch Size: 6447 bytes Desc: not available URL: From mkosek at redhat.com Thu Jun 16 09:03:15 2011 
From: mkosek at redhat.com (Martin Kosek) Date: Thu, 16 Jun 2011 11:03:15 +0200 Subject: [Freeipa-devel] [PATCH] 799 The IP address provided to ipa-server-install must be local In-Reply-To: <4DF8FA27.5040608@redhat.com> References: <4DF67603.5030508@redhat.com> <1308039954.22442.14.camel@dhcp-25-52.brq.redhat.com> <4DF75A88.6080301@redhat.com> <1308058755.22442.18.camel@dhcp-25-52.brq.redhat.com> <4DF76BC7.6080302@redhat.com> <4DF8FA27.5040608@redhat.com> Message-ID: <1308214997.11003.13.camel@dhcp-25-52.brq.redhat.com> On Wed, 2011-06-15 at 14:29 -0400, Rob Crittenden wrote: > Rob Crittenden wrote: > > Martin Kosek wrote: > >> On Tue, 2011-06-14 at 08:56 -0400, Rob Crittenden wrote: > >>> Martin Kosek wrote: > >>>> On Mon, 2011-06-13 at 16:41 -0400, Rob Crittenden wrote: > >>>>> Compare the configured interfaces with the supplied IP address and > >>>>> optional netmask to determine if the interface is available. > >>>>> > >>>>> Note the subtle change when comparing addresses. We have two object > >>>>> types, IPNetwork and IPAddress. We should only compare addresses > >>>>> when we > >>>>> don't have an IPNetwork otherwise we can end up comparing an > >>>>> address to > >>>>> an object with a netmask and get a bad result. > >>>>> > >>>>> https://fedorahosted.org/freeipa/ticket/1175 > >>>> > >>>> NACK. > >>>> > >>>> 1) This breaks ipa-replica-prepare: > >>>> > >>>> # ipa-replica-prepare vm-046.idm.lab.bos.redhat.com > >>>> --ip-address=10.16.78.46 > >>>> Usage: ipa-replica-prepare [options] FQDN (e.g. replica.example.com) > >>>> > >>>> ipa-replica-prepare: error: option --ip-address: invalid IP address > >>>> 10.16.78.46: No network interface matches the provided IP address and > >>>> netmask > >>>> > >>>> Actually, this is not your fault, we just don't use IP address checking > >>>> in IPAOptionParser correctly. --ip-address option in > >>>> ipa-replica-prepare > >>>> has type "ipnet" which is validated by the CheckedIPAddress. 
As > >>>> match_local defaults to True, your new exception is raised. > >>> > >>> Ok, but is 10.16.78.46 a configured network interface? > >> > >> It is an IP address of new replica, i.e. it's not a local network > >> interface address. As I wrote, the problem is in a type of > >> --ip-address option in ipa-replica-prepare. You can check Honza's mail > >> for an implementation hint. > > > > Ah, prepare. I tested with an existing replica file... > > > > Well, I wonder if an easier fix would be to set match_local=False by > > default and specifically ask to match_local when we want. > > Updated patch attached. > > rob I think this is still not right. When you let match_local default to False, the --ip-address option in ipa-server-install is checked with match_local=False and thus the check required by the BZ isn't made. Please check my patch 083 I sent this morning. It makes sure that IP address validation with CheckedIPAddress is run with the correct parameters (i.e. match_local, parse_netmask). You may want to build your patch on top of this one. Should we be so strict and raise an exception when the IP address does not match any local interface? Maybe a warning would be enough. ipa-server-install will fail anyway a few steps later in the scenario described in the BZ. Martin From jcholast at redhat.com Thu Jun 16 09:13:50 2011
From: jcholast at redhat.com (Jan Cholasta) Date: Thu, 16 Jun 2011 11:13:50 +0200 Subject: [Freeipa-devel] [PATCH] 799 The IP address provided to ipa-server-install must be local In-Reply-To: <4DF8FA27.5040608@redhat.com> References: <4DF67603.5030508@redhat.com> <1308039954.22442.14.camel@dhcp-25-52.brq.redhat.com> <4DF75A88.6080301@redhat.com> <1308058755.22442.18.camel@dhcp-25-52.brq.redhat.com> <4DF76BC7.6080302@redhat.com> <4DF8FA27.5040608@redhat.com> Message-ID: <4DF9C94E.40001@redhat.com> On 15.6.2011 20:29, Rob Crittenden wrote: > Rob Crittenden wrote: >> Martin Kosek wrote: >>> On Tue, 2011-06-14 at 08:56 -0400, Rob Crittenden wrote: >>>> Martin Kosek wrote: >>>>> On Mon, 2011-06-13 at 16:41 -0400, Rob Crittenden wrote: >>>>>> Compare the configured interfaces with the supplied IP address and >>>>>> optional netmask to determine if the interface is available. >>>>>> >>>>>> Note the subtle change when comparing addresses. We have two object >>>>>> types, IPNetwork and IPAddress. We should only compare addresses >>>>>> when we >>>>>> don't have an IPNetwork otherwise we can end up comparing an >>>>>> address to >>>>>> an object with a netmask and get a bad result. >>>>>> >>>>>> https://fedorahosted.org/freeipa/ticket/1175 >>>>> >>>>> NACK. >>>>> >>>>> 1) This breaks ipa-replica-prepare: >>>>> >>>>> # ipa-replica-prepare vm-046.idm.lab.bos.redhat.com >>>>> --ip-address=10.16.78.46 >>>>> Usage: ipa-replica-prepare [options] FQDN (e.g. replica.example.com) >>>>> >>>>> ipa-replica-prepare: error: option --ip-address: invalid IP address >>>>> 10.16.78.46: No network interface matches the provided IP address and >>>>> netmask >>>>> >>>>> Actually, this is not your fault, we just don't use IP address >>>>> checking >>>>> in IPAOptionParser correctly. --ip-address option in >>>>> ipa-replica-prepare >>>>> has type "ipnet" which is validated by the CheckedIPAddress. As >>>>> match_local defaults to True, your new exception is raised. 
>>>> Ok, but is 10.16.78.46 a configured network interface? >>> >>> It is an IP address of new replica, i.e. it's not a local network >>> interface address. As I wrote, the problem is in a type of >>> --ip-address option in ipa-replica-prepare. You can check Honza's mail >>> for an implementation hint. >> >> Ah, prepare. I tested with an existing replica file... >> >> Well, I wonder if an easier fix would be to set match_local=False by >> default and specifically ask to match_local when we want. > > Updated patch attached. parse_ip_address and verify_ip_address still have match_local=True as the default; it probably should be changed for the sake of consistency. The check for a local IP address in parse_ip_address should be removed; it's not needed anymore, because you check it in CheckedIPAddress. > > rob > >> >>> >>> Martin >>> >>>> >>>>> >>>>> I think we need 2 new option types for IPAOptionParser such as >>>>> "iplocal" >>>>> and "ipnetlocal" which would be used for --ip-address option in >>>>> ipa-server-install or ipa-dns-install and which would use >>>>> match_local=True. Current types "ip" and "ipnet" should use >>>>> match_local=False. >>>>> >>>>> 2) CheckedIPAddress functionality (i.e. this fix) is neither in >>>>> ipa-2-0 >>>>> stable branch nor in RHEL 6.1. But this should be OK since it is >>>>> targeted for RHEL 6.2. >>>> >>>> Right, I wasn't planning on pushing this to 2.0. >>>> >>>> rob >>> >>> >> >> Honza -- Jan Cholasta From jcholast at redhat.com Thu Jun 16 12:31:00 2011
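An added example for the patch 799 thread above and for Martin's patch 083 description (editor's illustration, not FreeIPA's CheckedIPAddress, IPAOptionParser or either scrubbed patch): a checker with match_local and parse_netmask parameters, the address-versus-network comparison pitfall Rob points out, and a single optparse type "ip" parameterised per option with ip_local and ip_netmask attributes instead of separate iplocal/ipnetlocal types. It uses the Python standard-library ipaddress module (the IPAddress/IPNetwork objects named in the thread are netaddr's, so the names differ), and the interface table is constructed.

```python
"""Validate an --ip-address argument, optionally against local interfaces.

Added example (editor's, not FreeIPA's CheckedIPAddress or patch 083). It
uses the standard-library ipaddress module; the interface table below is
constructed, and the option attributes ip_local / ip_netmask follow the
names in patch 083's description while their handling here is assumed.
"""
import ipaddress
from optparse import Option, OptionParser, OptionValueError

# Constructed stand-in for the host's configured interfaces.
LOCAL_INTERFACES = [
    ('lo', '127.0.0.1/8'),
    ('eth0', '10.16.78.45/24'),
    ('eth0', 'fd00:1234::45/64'),
]


def local_interfaces():
    return [(name, ipaddress.ip_interface(cidr)) for name, cidr in LOCAL_INTERFACES]


def check_ip_address(value, match_local=False, parse_netmask=True):
    """Parse '10.16.78.46' or '10.16.78.46/24' into an IPv4/IPv6Interface.

    With match_local=True the address must be configured on a local
    interface; a supplied netmask must then agree with that interface's,
    and a missing netmask is filled in from it. ValueError otherwise.
    """
    has_netmask = '/' in value
    if has_netmask and not parse_netmask:
        raise ValueError('netmask not allowed here: %r' % value)
    try:
        iface = ipaddress.ip_interface(value)
    except ValueError:
        raise ValueError('invalid IP address %r' % value)
    addr = iface.ip
    if addr.is_loopback or addr.is_multicast or addr.is_unspecified or addr.is_reserved:
        raise ValueError('cannot use IP address %s' % addr)
    if not match_local:
        return iface
    for name, local in local_interfaces():
        # Address against address only: an IPv4Address never equals an
        # IPv4Network, which is the bad comparison the thread describes.
        if local.ip != addr:
            continue
        if has_netmask and local.network != iface.network:
            raise ValueError('%s has %s, not %s' % (name, local.network, iface.network))
        return iface if has_netmask else ipaddress.ip_interface(
            '%s/%d' % (addr, local.network.prefixlen))
    raise ValueError('No network interface matches the provided IP address and netmask')


def naive_is_local(value):
    """The pitfall: with a netmask this builds a network object, and comparing
    it to an interface address is always False, even for a local address."""
    obj = (ipaddress.ip_network(value, strict=False) if '/' in value
           else ipaddress.ip_address(value))
    return any(obj == local.ip for _, local in local_interfaces())


def _check_ip_option(option, opt, value):
    """optparse type checker: reads ip_local / ip_netmask off the option."""
    try:
        return check_ip_address(value, match_local=bool(option.ip_local),
                                parse_netmask=option.ip_netmask is not False)
    except ValueError as e:
        raise OptionValueError('option %s: %s' % (opt, e))


class IPAOption(Option):
    """One 'ip' type, parameterised per option (patch 083's approach)."""
    TYPES = Option.TYPES + ('ip',)
    TYPE_CHECKER = dict(Option.TYPE_CHECKER, ip=_check_ip_option)
    ATTRS = Option.ATTRS + ['ip_local', 'ip_netmask']


class StrictParser(OptionParser):
    def error(self, msg):       # raise instead of printing usage and exiting
        raise ValueError(msg)


def parse_ip_option(argv, ip_local=False, ip_netmask=True):
    """ipa-server-install would pass ip_local=True; ipa-replica-prepare False."""
    parser = StrictParser(option_class=IPAOption)
    parser.add_option('--ip-address', type='ip', ip_local=ip_local, ip_netmask=ip_netmask)
    options, _ = parser.parse_args(argv)
    return options.ip_address
```

The replica-prepare breakage in the thread is the ip_local=False call: the address belongs to another host, so it must parse without being matched against local interfaces, while the server installer keeps the strict check.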
From: jcholast at redhat.com (Jan Cholasta) Date: Thu, 16 Jun 2011 14:31:00 +0200 Subject: [Freeipa-devel] [PATCH] 22 Improve IP address handling in the host-add command In-Reply-To: <1308077659.3182.35.camel@willson.li.ssimo.org> References: <4DF776BE.6060601@redhat.com> <4DF7A7E0.5060206@redhat.com> <1308077659.3182.35.camel@willson.li.ssimo.org> Message-ID: <4DF9F784.70002@redhat.com> On 14.6.2011 20:54, Simo Sorce wrote: > On Tue, 2011-06-14 at 14:26 -0400, Rob Crittenden wrote: >> Jan Cholasta wrote: >>> This patch enables the user to specify netmasks in the --ip-address >>> option of host-add. They're used for proper DNS reverse zone and PTR >>> record creation. Also the IP addresses are more strictly checked (just >>> like in the install scripts). >>> >>> https://fedorahosted.org/freeipa/ticket/1234 >> >> Do we want a reverse zone created automatically when a host is added? I >> think a warning that the reverse zone doesn't exist may be adequate. > > A warning is preferable as we may not be controlling that reverse zone. > > Simo. > Updated patch attached. NonFatalError is raised when the reverse zone is not found. Honza -- Jan Cholasta -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-jcholast-22.1-host-add-ip.patch Type: text/x-patch Size: 5124 bytes Desc: not available URL: From jcholast at redhat.com Thu Jun 16 12:58:21 2011 
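An added example of what the netmask in --ip-address is needed for in this patch (editor's illustration, not the host-add code, whose attachment was scrubbed): deriving the reverse zone and the PTR record name from the address and prefix length, and raising a non-fatal error rather than creating a zone when the reverse zone is not one the server has, since, as Simo notes, it may not be ours to control. The zone set is constructed and the NonFatalError class here stands in for the one the message mentions.

```python
"""Reverse zone and PTR record name from an address with netmask.

Added example (editor's, not the host-add code from this patch). The
prefix length in --ip-address decides where the in-addr.arpa / ip6.arpa
name splits into zone and record. The zone set is constructed, and the
NonFatalError class is a stand-in for the one the message mentions.
"""
import ipaddress

# Constructed stand-in for the reverse zones the DNS server actually serves.
KNOWN_REVERSE_ZONES = {
    '78.16.10.in-addr.arpa.',
    '0.0.0.0.0.0.0.0.4.3.2.1.0.0.d.f.ip6.arpa.',
}


class NonFatalError(Exception):
    """The host is still added; the caller only prints a warning."""


def reverse_zone_and_record(value):
    """Split the reverse name of 'addr/prefix' into (zone, record).

    Octet (IPv4) or nibble (IPv6) boundaries only; classless reverse
    delegation (RFC 2317) is out of scope here.
    """
    iface = ipaddress.ip_interface(value)
    labels = iface.ip.reverse_pointer.split('.')   # e.g. '46.78.16.10.in-addr.arpa'
    bits_per_label = 8 if iface.version == 4 else 4
    prefix = iface.network.prefixlen
    if prefix % bits_per_label:
        raise ValueError('prefix /%d is not on a label boundary' % prefix)
    host_labels = (iface.max_prefixlen - prefix) // bits_per_label
    zone = '.'.join(labels[host_labels:]) + '.'
    record = '.'.join(labels[:host_labels])
    return zone, record


def add_ptr_record(value, zones=KNOWN_REVERSE_ZONES):
    """Return (zone, record) to create, or raise NonFatalError if the zone
    is not served here: we may not control that reverse zone at all."""
    zone, record = reverse_zone_and_record(value)
    if zone not in zones:
        raise NonFatalError('reverse zone %s not found, PTR record not added' % zone)
    return zone, record
```

Without the prefix length the split is a guess: 10.16.78.46 could belong to 78.16.10.in-addr.arpa or 16.10.in-addr.arpa, which is why the patch accepts a netmask rather than assuming /24.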
From: jcholast at redhat.com (Jan Cholasta) Date: Thu, 16 Jun 2011 14:58:21 +0200 Subject: [Freeipa-devel] [PATCH] 779 Require an imported certificate's issuer to match our issuer In-Reply-To: <4DF75F34.2030409@redhat.com> References: <4DB7309C.4010307@redhat.com> <4DECDC2D.7070803@redhat.com> <4DED29B8.8090607@redhat.com> <4DEE2676.6070401@redhat.com> <4DF75F34.2030409@redhat.com> Message-ID: <4DF9FDED.50602@redhat.com> On 14.6.2011 15:16, Rob Crittenden wrote: > Jan Cholasta wrote: >> On 6.6.2011 21:25, Rob Crittenden wrote: >>> Jan Cholasta wrote: >>>> On 26.4.2011 22:52, Rob Crittenden wrote: >>>>> The goal is to not import foreign certificates. >>>>> >>>>> This caused a bunch of tests to fail because we had a hardcoded server >>>>> certificate. Instead a developer will need to run make-testcert to >>>>> create a server certificate generated by the local CA to test against. >>>>> >>>>> ticket 1134 >>>>> >>>>> rob >>>>> >>>> >>>> NACK >>>> >>>> The certificate isn't verified in host-add. >>>> >>>> I suspect that certificates signed by an intermediate CA (i.e. when the >>>> certificate chain length > 2) are considered invalid. Is that the >>>> desired behavior? >>> >>> That will work as long as the issuer is the IPA CA. I see that if we are >>> given a service cert issued by another CA in the chain things could go >>> badly. I'm not sure this is something to really worry about though. >> >> I guess it's not. But I'd like a second opinion on that. > > We really only want to support those certs we issue otherwise things > like revocation get tricky, because we can't manage things we don't issue. 
> >> >>> >>>> >>>> make-testcert fails with: >>>> >>>> Traceback (most recent call last): >>>> File "./make-testcert", line 126, in >>>> sys.exit(makecert(reqdir)) >>>> File "./make-testcert", line 105, in makecert >>>> add=True) >>>> File "./make-testcert", line 66, in run >>>> result = self.execute(method, *args, **options) >>>> File "/home/jcholast/freeipa/ipalib/backend.py", line 142, in execute >>>> raise error #pylint: disable=E0702 >>>> ipalib.errors.CommandError: unknown command 'cert_request' >>>> >>>> This is probably an error on my part (tried running in on both my >>>> machine without IPA installed and on VM with IPA installed with no >>>> luck), but nonetheless it should be fixed to fail gracefully so that >>>> the >>>> tests in "make test" have a chance to run. Similarly, the tests which >>>> use the test certificate created by make-testcert should be skipped if >>>> the certificate isn't available. >>> >>> You need to take the certificate databases from a self-signed install >>> and copy them to ~/.ipa/alias/ in order to do certificate testing. There >>> is documentation on how to do this in tests/test_xmlrpc/test_cert.py >>> >>> I think this should be mandatory as certificates are a main feature of >>> v2. >> >> No matter what I do, I'm still getting the unknown command error. Can >> you describe the steps needed to make make-testcert successfully run? >> >> BTW, it would be nice if "make test" printed an informational message >> when the requirements to run the tests aren't met instead of failing >> with some random error. > > You need enable_ra = True in ~/.ipa/default.conf. What I tend to do is > copy /etc/ipa/default.conf from my underlying install to ~/.ipa and > comment out the xmlrpc_uri. This is now caught by the script. > > rob These tests fail: test_host[19]: service_mod: Update u'HTTP/testhost1.idm.lab.bos.redhat.com at IDM.LAB.BOS.REDHAT.COM' ... 
FAIL
test_host[20]: service_show: Retrieve u'HTTP/testhost1.idm.lab.bos.redhat.com at IDM.LAB.BOS.REDHAT.COM' to verify update ... FAIL

because they expect the CN to be puma.greyoak.com. I'm not sure if this issue is in the scope of this patch - if it's not, then ACK.

Honza

--
Jan Cholasta

From rcritten at redhat.com Thu Jun 16 13:04:56 2011
From: rcritten at redhat.com (Rob Crittenden) Date: Thu, 16 Jun 2011 09:04:56 -0400 Subject: [Freeipa-devel] [PATCH] 779 Require an imported certificate's issuer to match our issuer In-Reply-To: <4DF9FDED.50602@redhat.com> References: <4DB7309C.4010307@redhat.com> <4DECDC2D.7070803@redhat.com> <4DED29B8.8090607@redhat.com> <4DEE2676.6070401@redhat.com> <4DF75F34.2030409@redhat.com> <4DF9FDED.50602@redhat.com> Message-ID: <4DF9FF78.10102@redhat.com> Jan Cholasta wrote: > On 14.6.2011 15:16, Rob Crittenden wrote: >> Jan Cholasta wrote: >>> On 6.6.2011 21:25, Rob Crittenden wrote: >>>> Jan Cholasta wrote: >>>>> On 26.4.2011 22:52, Rob Crittenden wrote: >>>>>> The goal is to not import foreign certificates. >>>>>> >>>>>> This caused a bunch of tests to fail because we had a hardcoded >>>>>> server >>>>>> certificate. Instead a developer will need to run make-testcert to >>>>>> create a server certificate generated by the local CA to test >>>>>> against. >>>>>> >>>>>> ticket 1134 >>>>>> >>>>>> rob >>>>>> >>>>> >>>>> NACK >>>>> >>>>> The certificate isn't verified in host-add. >>>>> >>>>> I suspect that certificates signed by an intermediate CA (i.e. when >>>>> the >>>>> certificate chain length > 2) are considered invalid. Is that the >>>>> desired behavior? >>>> >>>> That will work as long as the issuer is the IPA CA. I see that if we >>>> are >>>> given a service cert issued by another CA in the chain things could go >>>> badly. I'm not sure this is something to really worry about though. >>> >>> I guess it's not. But I'd like a second opinion on that. >> >> We really only want to support those certs we issue otherwise things >> like revocation get tricky, because we can't manage things we don't >> issue. 
>> >>> >>>> >>>>> >>>>> make-testcert fails with: >>>>> >>>>> Traceback (most recent call last): >>>>> File "./make-testcert", line 126, in >>>>> sys.exit(makecert(reqdir)) >>>>> File "./make-testcert", line 105, in makecert >>>>> add=True) >>>>> File "./make-testcert", line 66, in run >>>>> result = self.execute(method, *args, **options) >>>>> File "/home/jcholast/freeipa/ipalib/backend.py", line 142, in execute >>>>> raise error #pylint: disable=E0702 >>>>> ipalib.errors.CommandError: unknown command 'cert_request' >>>>> >>>>> This is probably an error on my part (tried running in on both my >>>>> machine without IPA installed and on VM with IPA installed with no >>>>> luck), but nonetheless it should be fixed to fail gracefully so that >>>>> the >>>>> tests in "make test" have a chance to run. Similarly, the tests which >>>>> use the test certificate created by make-testcert should be skipped if >>>>> the certificate isn't available. >>>> >>>> You need to take the certificate databases from a self-signed install >>>> and copy them to ~/.ipa/alias/ in order to do certificate testing. >>>> There >>>> is documentation on how to do this in tests/test_xmlrpc/test_cert.py >>>> >>>> I think this should be mandatory as certificates are a main feature of >>>> v2. >>> >>> No matter what I do, I'm still getting the unknown command error. Can >>> you describe the steps needed to make make-testcert successfully run? >>> >>> BTW, it would be nice if "make test" printed an informational message >>> when the requirements to run the tests aren't met instead of failing >>> with some random error. >> >> You need enable_ra = True in ~/.ipa/default.conf. What I tend to do is >> copy /etc/ipa/default.conf from my underlying install to ~/.ipa and >> comment out the xmlrpc_uri. This is now caught by the script. >> >> rob > > These tests fail: > > test_host[19]: service_mod: Update > u'HTTP/testhost1.idm.lab.bos.redhat.com at IDM.LAB.BOS.REDHAT.COM' ... 
FAIL
> test_host[20]: service_show: Retrieve
> u'HTTP/testhost1.idm.lab.bos.redhat.com at IDM.LAB.BOS.REDHAT.COM' to
> verify update ... FAIL
>
> because they expect the CN to be puma.greyoak.com. I'm not sure if this
> issue is in the scope of this patch - if it's not, then ACK.

I'll fix them up.

rob

From rcritten at redhat.com Thu Jun 16 13:06:27 2011
From: rcritten at redhat.com (Rob Crittenden) Date: Thu, 16 Jun 2011 09:06:27 -0400 Subject: [Freeipa-devel] [PATCH] 799 The IP address provided to ipa-server-install must be local In-Reply-To: <4DF9C94E.40001@redhat.com> References: <4DF67603.5030508@redhat.com> <1308039954.22442.14.camel@dhcp-25-52.brq.redhat.com> <4DF75A88.6080301@redhat.com> <1308058755.22442.18.camel@dhcp-25-52.brq.redhat.com> <4DF76BC7.6080302@redhat.com> <4DF8FA27.5040608@redhat.com> <4DF9C94E.40001@redhat.com> Message-ID: <4DF9FFD3.3070408@redhat.com> Jan Cholasta wrote: > On 15.6.2011 20:29, Rob Crittenden wrote: >> Rob Crittenden wrote: >>> Martin Kosek wrote: >>>> On Tue, 2011-06-14 at 08:56 -0400, Rob Crittenden wrote: >>>>> Martin Kosek wrote: >>>>>> On Mon, 2011-06-13 at 16:41 -0400, Rob Crittenden wrote: >>>>>>> Compare the configured interfaces with the supplied IP address and >>>>>>> optional netmask to determine if the interface is available. >>>>>>> >>>>>>> Note the subtle change when comparing addresses. We have two object >>>>>>> types, IPNetwork and IPAddress. We should only compare addresses >>>>>>> when we >>>>>>> don't have an IPNetwork otherwise we can end up comparing an >>>>>>> address to >>>>>>> an object with a netmask and get a bad result. >>>>>>> >>>>>>> https://fedorahosted.org/freeipa/ticket/1175 >>>>>> >>>>>> NACK. >>>>>> >>>>>> 1) This breaks ipa-replica-prepare: >>>>>> >>>>>> # ipa-replica-prepare vm-046.idm.lab.bos.redhat.com >>>>>> --ip-address=10.16.78.46 >>>>>> Usage: ipa-replica-prepare [options] FQDN (e.g. replica.example.com) >>>>>> >>>>>> ipa-replica-prepare: error: option --ip-address: invalid IP address >>>>>> 10.16.78.46: No network interface matches the provided IP address and >>>>>> netmask >>>>>> >>>>>> Actually, this is not your fault, we just don't use IP address >>>>>> checking >>>>>> in IPAOptionParser correctly. --ip-address option in >>>>>> ipa-replica-prepare >>>>>> has type "ipnet" which is validated by the CheckedIPAddress. 
As >>>>>> match_local defaults to True, your new exception is raised. >>>>> >>>>> Ok, but is 10.16.78.46 a configured network interface? >>>> >>>> It is an IP address of new replica, i.e. its not a local network >>>> interface address. As I written, the problem is in a type of >>>> --ip-address option in ipa-replica-prepare. You can check Honza's mail >>>> for implementation hint. >>> >>> Ah, prepare. I tested with an existing replica file... >>> >>> Well, I wonder if an easier fix would be to set match_local=False by >>> default and specifically ask to match_local when we want. >> >> Updated patch attached. > > parse_ip_address and verify_ip_address still have match_local=True as > default - it probably should be changed for the sake of consistency. parse_ip_address is only used by ipa-replica-install and in that case we do want to enforce match_local, so True is fine. Similarly verify_ip_address are run on the local machine, we want enforcement. > > The check for local IP address in parse_ip_address should be removed, > it's not needed anymore, because you check it in CheckedIPAddress. > >> >> rob >> >>> >>>> >>>> Martin >>>> >>>>> >>>>>> >>>>>> I think we need 2 new option types for IPAOptionParser such as >>>>>> "iplocal" >>>>>> and "ipnetlocal" which would be used for --ip-address option in >>>>>> ipa-server-install or ipa-dns-install and which would use >>>>>> match_local=True. Current types "ip" and "ipnet" should use >>>>>> match_local=False. >>>>>> >>>>>> 2) CheckedIPAddress functionality (i.e. this fix) is neither in >>>>>> ipa-2-0 >>>>>> stable branch nor in RHEL 6.1. But this should be OK since it is >>>>>> targeted for RHEL 6.2. >>>>> >>>>> Right, I wasn't planning on pushing this to 2.0. >>>>> >>>>> rob >>>> >>>> >>> >>> _______________________________________________ >>> Freeipa-devel mailing list >>> Freeipa-devel at redhat.com >>> https://www.redhat.com/mailman/listinfo/freeipa-devel > > Honza > From rcritten at redhat.com Thu Jun 16 13:07:19 2011 
From: rcritten at redhat.com (Rob Crittenden) Date: Thu, 16 Jun 2011 09:07:19 -0400 Subject: [Freeipa-devel] [PATCH] 799 The IP address provided to ipa-server-install must be local In-Reply-To: <1308214997.11003.13.camel@dhcp-25-52.brq.redhat.com> References: <4DF67603.5030508@redhat.com> <1308039954.22442.14.camel@dhcp-25-52.brq.redhat.com> <4DF75A88.6080301@redhat.com> <1308058755.22442.18.camel@dhcp-25-52.brq.redhat.com> <4DF76BC7.6080302@redhat.com> <4DF8FA27.5040608@redhat.com> <1308214997.11003.13.camel@dhcp-25-52.brq.redhat.com> Message-ID: <4DFA0007.9010607@redhat.com> Martin Kosek wrote: > On Wed, 2011-06-15 at 14:29 -0400, Rob Crittenden wrote: >> Rob Crittenden wrote: >>> Martin Kosek wrote: >>>> On Tue, 2011-06-14 at 08:56 -0400, Rob Crittenden wrote: >>>>> Martin Kosek wrote: >>>>>> On Mon, 2011-06-13 at 16:41 -0400, Rob Crittenden wrote: >>>>>>> Compare the configured interfaces with the supplied IP address and >>>>>>> optional netmask to determine if the interface is available. >>>>>>> >>>>>>> Note the subtle change when comparing addresses. We have two object >>>>>>> types, IPNetwork and IPAddress. We should only compare addresses >>>>>>> when we >>>>>>> don't have an IPNetwork otherwise we can end up comparing an >>>>>>> address to >>>>>>> an object with a netmask and get a bad result. >>>>>>> >>>>>>> https://fedorahosted.org/freeipa/ticket/1175 >>>>>> >>>>>> NACK. >>>>>> >>>>>> 1) This breaks ipa-replica-prepare: >>>>>> >>>>>> # ipa-replica-prepare vm-046.idm.lab.bos.redhat.com >>>>>> --ip-address=10.16.78.46 >>>>>> Usage: ipa-replica-prepare [options] FQDN (e.g. replica.example.com) >>>>>> >>>>>> ipa-replica-prepare: error: option --ip-address: invalid IP address >>>>>> 10.16.78.46: No network interface matches the provided IP address and >>>>>> netmask >>>>>> >>>>>> Actually, this is not your fault, we just don't use IP address checking >>>>>> in IPAOptionParser correctly. 
--ip-address option in >>>>>> ipa-replica-prepare >>>>>> has type "ipnet" which is validated by the CheckedIPAddress. As >>>>>> match_local defaults to True, your new exception is raised. >>>>> >>>>> Ok, but is 10.16.78.46 a configured network interface? >>>> >>>> It is an IP address of new replica, i.e. its not a local network >>>> interface address. As I written, the problem is in a type of >>>> --ip-address option in ipa-replica-prepare. You can check Honza's mail >>>> for implementation hint. >>> >>> Ah, prepare. I tested with an existing replica file... >>> >>> Well, I wonder if an easier fix would be to set match_local=False by >>> default and specifically ask to match_local when we want. >> >> Updated patch attached. >> >> rob > > I think this is still not right. When you let match_local default to > False, --ip-address option in ipa-server-install is checked with > match_local=False and thus the check required by BZ isn't made. Yes but it is checked again later. Try it, enforcement happens. > Please check my patch 083 I sent this morning. It makes sure that IP > address validation with CheckedIPAddress is run with correct parameters > (i.e. match_local, parse_netmask). You may want to build your patch on > top of this one. > > Should we be so strict and raise an exception when the IP address does > not match any local interface? Maybe a warning would be enough. > ipa-server-install will fail anyway few steps later in a scenario > described in BZ. We should fail as soon as possible. By doing this before installation starts they don't have to uninstall. rob From rcritten at redhat.com Thu Jun 16 13:12:38 2011 
From: rcritten at redhat.com (Rob Crittenden) Date: Thu, 16 Jun 2011 09:12:38 -0400 Subject: [Freeipa-devel] [PATCH] 779 Require an imported certificate's issuer to match our issuer In-Reply-To: <4DF9FF78.10102@redhat.com> References: <4DB7309C.4010307@redhat.com> <4DECDC2D.7070803@redhat.com> <4DED29B8.8090607@redhat.com> <4DEE2676.6070401@redhat.com> <4DF75F34.2030409@redhat.com> <4DF9FDED.50602@redhat.com> <4DF9FF78.10102@redhat.com> Message-ID: <4DFA0146.5030801@redhat.com> Rob Crittenden wrote: > Jan Cholasta wrote: >> On 14.6.2011 15:16, Rob Crittenden wrote: >>> Jan Cholasta wrote: >>>> On 6.6.2011 21:25, Rob Crittenden wrote: >>>>> Jan Cholasta wrote: >>>>>> On 26.4.2011 22:52, Rob Crittenden wrote: >>>>>>> The goal is to not import foreign certificates. >>>>>>> >>>>>>> This caused a bunch of tests to fail because we had a hardcoded >>>>>>> server >>>>>>> certificate. Instead a developer will need to run make-testcert to >>>>>>> create a server certificate generated by the local CA to test >>>>>>> against. >>>>>>> >>>>>>> ticket 1134 >>>>>>> >>>>>>> rob >>>>>>> >>>>>> >>>>>> NACK >>>>>> >>>>>> The certificate isn't verified in host-add. >>>>>> >>>>>> I suspect that certificates signed by an intermediate CA (i.e. when >>>>>> the >>>>>> certificate chain length > 2) are considered invalid. Is that the >>>>>> desired behavior? >>>>> >>>>> That will work as long as the issuer is the IPA CA. I see that if we >>>>> are >>>>> given a service cert issued by another CA in the chain things could go >>>>> badly. I'm not sure this is something to really worry about though. >>>> >>>> I guess it's not. But I'd like a second opinion on that. >>> >>> We really only want to support those certs we issue otherwise things >>> like revocation get tricky, because we can't manage things we don't >>> issue. 
>>> >>>> >>>>> >>>>>> >>>>>> make-testcert fails with: >>>>>> >>>>>> Traceback (most recent call last): >>>>>> File "./make-testcert", line 126, in >>>>>> sys.exit(makecert(reqdir)) >>>>>> File "./make-testcert", line 105, in makecert >>>>>> add=True) >>>>>> File "./make-testcert", line 66, in run >>>>>> result = self.execute(method, *args, **options) >>>>>> File "/home/jcholast/freeipa/ipalib/backend.py", line 142, in execute >>>>>> raise error #pylint: disable=E0702 >>>>>> ipalib.errors.CommandError: unknown command 'cert_request' >>>>>> >>>>>> This is probably an error on my part (tried running in on both my >>>>>> machine without IPA installed and on VM with IPA installed with no >>>>>> luck), but nonetheless it should be fixed to fail gracefully so that >>>>>> the >>>>>> tests in "make test" have a chance to run. Similarly, the tests which >>>>>> use the test certificate created by make-testcert should be >>>>>> skipped if >>>>>> the certificate isn't available. >>>>> >>>>> You need to take the certificate databases from a self-signed install >>>>> and copy them to ~/.ipa/alias/ in order to do certificate testing. >>>>> There >>>>> is documentation on how to do this in tests/test_xmlrpc/test_cert.py >>>>> >>>>> I think this should be mandatory as certificates are a main feature of >>>>> v2. >>>> >>>> No matter what I do, I'm still getting the unknown command error. Can >>>> you describe the steps needed to make make-testcert successfully run? >>>> >>>> BTW, it would be nice if "make test" printed an informational message >>>> when the requirements to run the tests aren't met instead of failing >>>> with some random error. >>> >>> You need enable_ra = True in ~/.ipa/default.conf. What I tend to do is >>> copy /etc/ipa/default.conf from my underlying install to ~/.ipa and >>> comment out the xmlrpc_uri. This is now caught by the script. 
>>>
>>> rob
>>
>> These tests fail:
>>
>> test_host[19]: service_mod: Update
>> u'HTTP/testhost1.idm.lab.bos.redhat.com at IDM.LAB.BOS.REDHAT.COM' ... FAIL
>> test_host[20]: service_show: Retrieve
>> u'HTTP/testhost1.idm.lab.bos.redhat.com at IDM.LAB.BOS.REDHAT.COM' to
>> verify update ... FAIL
>>
>> because they expect the CN to be puma.greyoak.com. I'm not sure if this
>> issue is in the scope of this patch - if it's not, then ACK.
>
> I'll fix them up.

attached
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-rcrit-779-4-cert.patch
Type: text/x-diff
Size: 19906 bytes
Desc: not available
URL:

From edewata at redhat.com Thu Jun 16 13:55:30 2011
From: edewata at redhat.com (Endi Sukma Dewata)
Date: Thu, 16 Jun 2011 08:55:30 -0500
Subject: [Freeipa-devel] [PATCH] 181 Fixed self-service links.
Message-ID: <4DFA0B52.4060901@redhat.com>

In self-service mode the user's association facets have been modified such that the entries are not linked since the only available entity is the user entity.

A 'link' parameter has been added to IPA.association_facet and IPA.column to control whether to link the entries. The link_handler() method can be used to define how to handle the link.

Ticket #1072

--
Endi S. Dewata
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-edewata-0181-Fixed-self-service-links.patch
Type: text/x-patch
Size: 19922 bytes
Desc: not available
URL:

From jcholast at redhat.com Thu Jun 16 14:53:55 2011
From: jcholast at redhat.com (Jan Cholasta) Date: Thu, 16 Jun 2011 16:53:55 +0200 Subject: [Freeipa-devel] [PATCH] 779 Require an imported certificate's issuer to match our issuer In-Reply-To: <4DFA0146.5030801@redhat.com> References: <4DB7309C.4010307@redhat.com> <4DECDC2D.7070803@redhat.com> <4DED29B8.8090607@redhat.com> <4DEE2676.6070401@redhat.com> <4DF75F34.2030409@redhat.com> <4DF9FDED.50602@redhat.com> <4DF9FF78.10102@redhat.com> <4DFA0146.5030801@redhat.com> Message-ID: <4DFA1903.5010205@redhat.com> On 16.6.2011 15:12, Rob Crittenden wrote: > Rob Crittenden wrote: >> Jan Cholasta wrote: >>> On 14.6.2011 15:16, Rob Crittenden wrote: >>>> Jan Cholasta wrote: >>>>> On 6.6.2011 21:25, Rob Crittenden wrote: >>>>>> Jan Cholasta wrote: >>>>>>> On 26.4.2011 22:52, Rob Crittenden wrote: >>>>>>>> The goal is to not import foreign certificates. >>>>>>>> >>>>>>>> This caused a bunch of tests to fail because we had a hardcoded >>>>>>>> server >>>>>>>> certificate. Instead a developer will need to run make-testcert to >>>>>>>> create a server certificate generated by the local CA to test >>>>>>>> against. >>>>>>>> >>>>>>>> ticket 1134 >>>>>>>> >>>>>>>> rob >>>>>>>> >>>>>>> >>>>>>> NACK >>>>>>> >>>>>>> The certificate isn't verified in host-add. >>>>>>> >>>>>>> I suspect that certificates signed by an intermediate CA (i.e. when >>>>>>> the >>>>>>> certificate chain length > 2) are considered invalid. Is that the >>>>>>> desired behavior? >>>>>> >>>>>> That will work as long as the issuer is the IPA CA. I see that if we >>>>>> are >>>>>> given a service cert issued by another CA in the chain things >>>>>> could go >>>>>> badly. I'm not sure this is something to really worry about though. >>>>> >>>>> I guess it's not. But I'd like a second opinion on that. >>>> >>>> We really only want to support those certs we issue otherwise things >>>> like revocation get tricky, because we can't manage things we don't >>>> issue. 
>>>> >>>>> >>>>>> >>>>>>> >>>>>>> make-testcert fails with: >>>>>>> >>>>>>> Traceback (most recent call last): >>>>>>> File "./make-testcert", line 126, in >>>>>>> sys.exit(makecert(reqdir)) >>>>>>> File "./make-testcert", line 105, in makecert >>>>>>> add=True) >>>>>>> File "./make-testcert", line 66, in run >>>>>>> result = self.execute(method, *args, **options) >>>>>>> File "/home/jcholast/freeipa/ipalib/backend.py", line 142, in >>>>>>> execute >>>>>>> raise error #pylint: disable=E0702 >>>>>>> ipalib.errors.CommandError: unknown command 'cert_request' >>>>>>> >>>>>>> This is probably an error on my part (tried running in on both my >>>>>>> machine without IPA installed and on VM with IPA installed with no >>>>>>> luck), but nonetheless it should be fixed to fail gracefully so that >>>>>>> the >>>>>>> tests in "make test" have a chance to run. Similarly, the tests >>>>>>> which >>>>>>> use the test certificate created by make-testcert should be >>>>>>> skipped if >>>>>>> the certificate isn't available. >>>>>> >>>>>> You need to take the certificate databases from a self-signed install >>>>>> and copy them to ~/.ipa/alias/ in order to do certificate testing. >>>>>> There >>>>>> is documentation on how to do this in tests/test_xmlrpc/test_cert.py >>>>>> >>>>>> I think this should be mandatory as certificates are a main >>>>>> feature of >>>>>> v2. >>>>> >>>>> No matter what I do, I'm still getting the unknown command error. Can >>>>> you describe the steps needed to make make-testcert successfully run? >>>>> >>>>> BTW, it would be nice if "make test" printed an informational message >>>>> when the requirements to run the tests aren't met instead of failing >>>>> with some random error. >>>> >>>> You need enable_ra = True in ~/.ipa/default.conf. What I tend to do is >>>> copy /etc/ipa/default.conf from my underlying install to ~/.ipa and >>>> comment out the xmlrpc_uri. This is now caught by the script. 
>>>>
>>>> rob
>>>
>>> These tests fail:
>>>
>>> test_host[19]: service_mod: Update
>>> u'HTTP/testhost1.idm.lab.bos.redhat.com at IDM.LAB.BOS.REDHAT.COM' ... FAIL
>>> test_host[20]: service_show: Retrieve
>>> u'HTTP/testhost1.idm.lab.bos.redhat.com at IDM.LAB.BOS.REDHAT.COM' to
>>> verify update ... FAIL
>>>
>>> because they expect the CN to be puma.greyoak.com. I'm not sure if this
>>> issue is in the scope of this patch - if it's not, then ACK.
>>
>> I'll fix them up.
>
> attached

ACK

Honza

--
Jan Cholasta

From rcritten at redhat.com Thu Jun 16 15:01:05 2011
From: rcritten at redhat.com (Rob Crittenden)
Date: Thu, 16 Jun 2011 11:01:05 -0400
Subject: [Freeipa-devel] [PATCH] 29 Raise DuplicateEntry Error when adding a duplicate sudo option
In-Reply-To: <7675EBF1-EFD1-4E2E-96EF-A168C20CC904@citrixonline.com>
References: <2AE1C072-9099-44E1-A778-BB1A6F0AE955@citrixonline.com> <4DF101D9.6000209@redhat.com> <5AF8156E-C5D0-4B09-A279-4CD049AB54B6@citrixonline.com> <0D1AFB75-6A9B-40B0-848D-B6B08CC0A2B8@citrixonline.com> <4DF7A31C.4000403@redhat.com> <7AFFCA25-0FC3-41AD-81CF-7E8D3F83171D@citrixonline.com> <4DF8C9B0.1070202@redhat.com> <7675EBF1-EFD1-4E2E-96EF-A168C20CC904@citrixonline.com>
Message-ID: <4DFA1AB1.6040403@redhat.com>

JR Aquino wrote:
> On Jun 15, 2011, at 8:03 AM, Rob Crittenden wrote:
>
>> A minor issue and a question.
>>
>> The minor issue is you changed a couple of options from optional to mandatory, which is fine, but we need to bump up the minor version in VERSION (older clients otherwise could not send the string and blow things up).
>
> Is there a rule of thumb or document that details when this is appropriate?
>
>
>> The question is, should we raise EmptyModList() when removing an option that doesn't exist or NotFound(reason=_())? I think the second might be more explanatory but might be harder for handle in scripts (how would you distinguish between entry not found and option not found)?
>>
>> rob
>
>
> As per IRC conversation:
> Added new Exception: AttrValueNotFound
> Incremented minor version in VERSION
> Adjusted API
> 1276 (Raise AttrValueNotFound when trying to remove a non-existent option from Sudo rule)
> 1277 (Raise DuplicateEntry Error when adding a duplicate sudo option)
> 1308 (Make sudooption a required option for sudorule_remove_option)
>

This is very close, found a couple more issues:

I don't think I was very clear in what to update in VERSION, you want it to look like this:

diff --git a/VERSION b/VERSION
index 6cbf732..e31f0d0 100644
--- a/VERSION
+++ b/VERSION
@@ -79,4 +79,4 @@ IPA_DATA_VERSION=20100614120000
 # #
 ########################################################
 IPA_API_VERSION_MAJOR=2
-IPA_API_VERSION_MINOR=5
+IPA_API_VERSION_MINOR=6

Two tests are failing. One is failing because externalhost is returned as a tuple (rather than not at all). The second because sudorule_remove_option has changed the type of data being returned.

rob

From ayoung at redhat.com Thu Jun 16 15:11:33 2011
From: ayoung at redhat.com (Adam Young)
Date: Thu, 16 Jun 2011 11:11:33 -0400
Subject: [Freeipa-devel] [PATCH] 179 Fixed paging for indirect members.
In-Reply-To: <4DF92DCE.604@redhat.com>
References: <4DF92DCE.604@redhat.com>
Message-ID: <4DFA1D25.8030601@redhat.com>

On 06/15/2011 06:10 PM, Endi Sukma Dewata wrote:
> Since ticket #1273 has been fixed, the indirect members can be shown
> using the regular association facet which supports paging.
>
>
> _______________________________________________
> Freeipa-devel mailing list
> Freeipa-devel at redhat.com
> https://www.redhat.com/mailman/listinfo/freeipa-devel

ACK. Pushed to master
-------------- next part --------------
An HTML attachment was scrubbed...
URL:

From rcritten at redhat.com Thu Jun 16 15:34:34 2011
From: rcritten at redhat.com (Rob Crittenden)
Date: Thu, 16 Jun 2011 11:34:34 -0400
Subject: [Freeipa-devel] [PATCH] 804 slight perf improvement
Message-ID: <4DFA228A.1050905@redhat.com>

This patch adds the production mode test to a few more places in the code. The speed increase is slight, a few hundred ms in my tests, but every little bit helps.

ticket 1023

rob
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-rcrit-804-perf.patch
Type: text/x-diff
Size: 2562 bytes
Desc: not available
URL:

From ayoung at redhat.com Thu Jun 16 15:49:58 2011
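Review bot: in the VERSION hunk above, only IPA_API_VERSION_MINOR moves (5 to 6) while IPA_API_VERSION_MAJOR stays at 2, which is the right granularity for the change discussed in this thread: options going from optional to mandatory (sudooption for sudorule_remove_option) and a new exception type are additive from the wire's point of view, so a minor bump is what lets an older client that omits the now-required value be told about the version mismatch instead of failing inside the command. Keep this bump in the same patch as the API change it covers, so that no tree ever carries the stricter sudorule_remove_option signature together with the old minor version.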
From: ayoung at redhat.com (Adam Young)
Date: Thu, 16 Jun 2011 11:49:58 -0400
Subject: [Freeipa-devel] [PATCH] 180 Renamed associate.js to association.js.
In-Reply-To: <4DF93122.5010404@redhat.com>
References: <4DF93122.5010404@redhat.com>
Message-ID: <4DFA2626.5080800@redhat.com>

On 06/15/2011 06:24 PM, Endi Sukma Dewata wrote:
>
>
> _______________________________________________
> Freeipa-devel mailing list
> Freeipa-devel at redhat.com
> https://www.redhat.com/mailman/listinfo/freeipa-devel

ACK. Pushed to master
-------------- next part --------------
An HTML attachment was scrubbed...
URL:

From ayoung at redhat.com Thu Jun 16 16:07:46 2011
From: ayoung at redhat.com (Adam Young)
Date: Thu, 16 Jun 2011 12:07:46 -0400
Subject: [Freeipa-devel] [PATCH] 181 Fixed self-service links.
In-Reply-To: <4DFA0B52.4060901@redhat.com>
References: <4DFA0B52.4060901@redhat.com>
Message-ID: <4DFA2A52.3070704@redhat.com>

On 06/16/2011 09:55 AM, Endi Sukma Dewata wrote:
> In self-service mode the user's association facets have been modified
> such that the entries are not linked since the only available entity
> is the user entity.
>
> A 'link' parameter has been added to IPA.association_facet and
> IPA.column to control whether to link the entries. The link_handler()
> method can be used to define how to handle the link.
>
> Ticket #1072
>
>
> _______________________________________________
> Freeipa-devel mailing list
> Freeipa-devel at redhat.com
> https://www.redhat.com/mailman/listinfo/freeipa-devel

ACK. Pushed to master
-------------- next part --------------
An HTML attachment was scrubbed...
URL:

From mkosek at redhat.com Thu Jun 16 16:18:05 2011
From: mkosek at redhat.com (Martin Kosek)
Date: Thu, 16 Jun 2011 18:18:05 +0200
Subject: [Freeipa-devel] [PATCH] 799 The IP address provided to ipa-server-install must be local
In-Reply-To: <4DFA0007.9010607@redhat.com>
References: <4DF67603.5030508@redhat.com> <1308039954.22442.14.camel@dhcp-25-52.brq.redhat.com> <4DF75A88.6080301@redhat.com> <1308058755.22442.18.camel@dhcp-25-52.brq.redhat.com> <4DF76BC7.6080302@redhat.com> <4DF8FA27.5040608@redhat.com> <1308214997.11003.13.camel@dhcp-25-52.brq.redhat.com> <4DFA0007.9010607@redhat.com>
Message-ID: <1308241088.11003.18.camel@dhcp-25-52.brq.redhat.com>

On Thu, 2011-06-16 at 09:07 -0400, Rob Crittenden wrote:
> > I think this is still not right. When you let match_local default to
> > False, --ip-address option in ipa-server-install is checked with
> > match_local=False and thus the check required by BZ isn't made.
>
> Yes but it is checked again later. Try it, enforcement happens.

Yes.

>
> > Please check my patch 083 I sent this morning. It makes sure that IP
> > address validation with CheckedIPAddress is run with correct parameters
> > (i.e. match_local, parse_netmask). You may want to build your patch on
> > top of this one.
> >
> > Should we be so strict and raise an exception when the IP address does
> > not match any local interface? Maybe a warning would be enough.
> > ipa-server-install will fail anyway few steps later in a scenario
> > described in BZ.
>
> We should fail as soon as possible. By doing this before installation
> starts they don't have to uninstall.
>
> rob

In fact, if we apply your patch on top of my patch 083 it works just fine and --ip-address is checked against network interfaces in option parsing phase.

So ACK from me if it is applied on top of my patch 083 (not reviewed yet).

Martin

From ayoung at redhat.com Thu Jun 16 16:46:30 2011
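The match_local check argued over in the patch 799 thread above, as an added illustration that is not FreeIPA's code: the project's CheckedIPAddress was built on netaddr, whereas this stand-alone version uses Python's standard ipaddress module. The local interface list is a constructed sample rather than read from the host, and the names checked_ip_address, naive_match, is_rejected, the interfaces parameter and the UnsafeIPAddress exception are assumptions; match_local and parse_netmask are the parameter names the thread itself uses. It shows the subtlety Rob describes (an address object with a netmask attached does not compare equal to the bare address, so the address part and the network part have to be compared separately), refuses an address that is not on a local interface before anything is installed, and refuses it only when match_local is requested, which is why a tool such as ipa-replica-prepare, whose --ip-address belongs to another host, has to pass match_local=False.

```python
"""Check an administrator-supplied IP address against the local interfaces.

Added illustration for the match_local discussion in the patch 799 thread;
it is not FreeIPA's CheckedIPAddress (which was built on netaddr) but a
stand-alone rewrite on the standard-library ipaddress module.
"""
import ipaddress


class UnsafeIPAddress(ValueError):
    """Assumed exception name: raised when a supplied address is refused."""


# Constructed stand-in for the addresses configured on this host's
# interfaces (hypothetical values; a real implementation would read them
# from the system instead).
LOCAL_INTERFACES = [
    ipaddress.ip_interface("10.16.78.10/24"),
    ipaddress.ip_interface("192.168.122.1/24"),
    ipaddress.ip_interface("127.0.0.1/8"),
]


def naive_match(value, interfaces):
    """The pitfall from the thread: comparing a bare address with an
    interface object (address plus netmask) using == never matches, because
    an address with an attached network is not equal to the bare address."""
    addr = ipaddress.ip_address(value)
    return any(iface == addr for iface in interfaces)


def checked_ip_address(value, match_local=False, parse_netmask=True,
                       interfaces=None):
    """Parse "A.B.C.D" or "A.B.C.D/prefix" and validate it.

    Returns an ip_interface when a netmask is known (supplied by the caller,
    or taken from the matching local interface when match_local is set) and
    a bare ip_address otherwise.  With match_local=True the address must be
    configured on one of `interfaces`, and a supplied netmask must agree
    with that interface's netmask.
    """
    if interfaces is None:
        interfaces = LOCAL_INTERFACES

    has_netmask = "/" in value
    if has_netmask and not parse_netmask:
        raise UnsafeIPAddress(f"invalid IP address {value}: "
                              "netmask is not allowed here")
    try:
        if has_netmask:
            parsed = ipaddress.ip_interface(value)
            addr = parsed.ip
        else:
            parsed = addr = ipaddress.ip_address(value)
    except ValueError as err:
        raise UnsafeIPAddress(f"invalid IP address {value}: {err}") from err

    # Addresses that can never identify a server on the network are refused
    # regardless of match_local.
    if addr.is_loopback or addr.is_multicast or addr.is_unspecified:
        raise UnsafeIPAddress(f"invalid IP address {value}: "
                              "reserved address")

    if not match_local:
        return parsed

    # Compare the address part (iface.ip) against the bare address, never
    # the interface object itself, and compare the network part separately
    # when the caller supplied a netmask.
    for iface in interfaces:
        if iface.ip != addr:
            continue
        if has_netmask and iface.network != parsed.network:
            raise UnsafeIPAddress(
                f"invalid IP address {value}: netmask does not match "
                f"interface {iface}")
        # A bare address inherits the netmask of the interface it matched.
        return parsed if has_netmask else iface
    raise UnsafeIPAddress(
        f"invalid IP address {value}: No network interface matches the "
        "provided IP address and netmask")


def is_rejected(value, **kwargs):
    """True when checked_ip_address() refuses `value`."""
    try:
        checked_ip_address(value, **kwargs)
    except UnsafeIPAddress:
        return True
    return False


if __name__ == "__main__":
    # ipa-server-install style: the address must be local.
    print(checked_ip_address("10.16.78.10", match_local=True))
    # ipa-replica-prepare style: the address belongs to the new replica,
    # so the local-interface check must be switched off.
    print(checked_ip_address("10.16.78.46", match_local=False))
    print("rejected:", is_rejected("10.16.78.46", match_local=True))
    print("naive == matched a local address:",
          naive_match("10.16.78.10", LOCAL_INTERFACES))
```

Failing at option-parsing time, as Rob argues, is what makes this check worth having: once installation has started, a wrong address means an uninstall, whereas here the administrator just gets the error and retries.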
From: ayoung at redhat.com (Adam Young)
Date: Thu, 16 Jun 2011 12:46:30 -0400
Subject: [Freeipa-devel] [PATCH] 0238-test-for-dirty
Message-ID: <4DFA3366.3060706@redhat.com>

-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-admiyo-0238-test-for-dirty.patch
Type: text/x-patch
Size: 2183 bytes
Desc: not available
URL:

From edewata at redhat.com Thu Jun 16 17:28:36 2011
From: edewata at redhat.com (Endi Sukma Dewata)
Date: Thu, 16 Jun 2011 12:28:36 -0500
Subject: [Freeipa-devel] [PATCH] 0238-test-for-dirty
In-Reply-To: <4DFA3366.3060706@redhat.com>
References: <4DFA3366.3060706@redhat.com>
Message-ID: <4DFA3D44.7030500@redhat.com>

On 6/16/2011 11:46 AM, Adam Young wrote:
>

ACK and pushed to master.

--
Endi S. Dewata

From JR.Aquino at citrix.com Thu Jun 16 19:21:54 2011
From: JR.Aquino at citrix.com (JR Aquino) Date: Thu, 16 Jun 2011 19:21:54 +0000 Subject: [Freeipa-devel] [PATCH] 29 Raise DuplicateEntry Error when adding a duplicate sudo option In-Reply-To: <4DFA1AB1.6040403@redhat.com> References: <2AE1C072-9099-44E1-A778-BB1A6F0AE955@citrixonline.com> <4DF101D9.6000209@redhat.com> <5AF8156E-C5D0-4B09-A279-4CD049AB54B6@citrixonline.com> <0D1AFB75-6A9B-40B0-848D-B6B08CC0A2B8@citrixonline.com> <4DF7A31C.4000403@redhat.com> <7AFFCA25-0FC3-41AD-81CF-7E8D3F83171D@citrixonline.com> <4DF8C9B0.1070202@redhat.com> <7675EBF1-EFD1-4E2E-96EF-A168C20CC904@citrixonline.com> <4DFA1AB1.6040403@redhat.com> Message-ID: <3306D90C-5005-4B1D-B195-C9CB7FBC31C7@citrixonline.com> On Jun 16, 2011, at 8:01 AM, Rob Crittenden wrote: > JR Aquino wrote: >> On Jun 15, 2011, at 8:03 AM, Rob Crittenden wrote: >> >>> A minor issue and a question. >>> >>> The minor issue is you changed a couple of options from optional to mandatory, which is fine, but we need to bump up the minor version in VERSION (older clients otherwise could not send the string and blow things up). >> >> Is there a rule of thumb or document that details when this is appropriate? >> >> >>> The question is, should we raise EmptyModList() when removing an option that doesn't exist or NotFound(reason=_())? I think the second might be more explanatory but might be harder for handle in scripts (how would you distinguish between entry not found and option not found)? >>> >>> rob >> >> >> As per IRC conversation: >> Added new Exception: AttrValueNotFound >> Incremented minor version in VERSION >> Adjusted API >> 1276 (Raise AttrValueNotFound when trying to remove a non-existent option from Sudo rule) >> 1277 (Raise DuplicateEntry Error when adding a duplicate sudo option) >> 1308 (Make sudooption a required option for sudorule_remove_option) >> > > This is very close, found a couple more issues: > > I don't think I was very clear in what to update in VERSION, you want it to look like this: 
> > diff --git a/VERSION b/VERSION > index 6cbf732..e31f0d0 100644 > --- a/VERSION > +++ b/VERSION > @@ -79,4 +79,4 @@ IPA_DATA_VERSION=20100614120000 > # # > ######################################################## > IPA_API_VERSION_MAJOR=2 > -IPA_API_VERSION_MINOR=5 > +IPA_API_VERSION_MINOR=6 > > Two tests are failing. One is failing because externalhost is returned as a tuple (rather than not at all). The second because sudorule_remove_option has changed the type of data being returned. > > rob Ok, the VERSION issue is resolved, and the ipasudoopt test issue is solved. I have created: https://fedorahosted.org/freeipa/ticket/1339 to address the externalhost tuple as it is separate from the sudo options effort. -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-jraquino-0029-Raise-DuplicateEntry-Error-when-adding-a-duplicate.patch Type: application/octet-stream Size: 8167 bytes Desc: freeipa-jraquino-0029-Raise-DuplicateEntry-Error-when-adding-a-duplicate.patch URL: From ayoung at redhat.com Thu Jun 16 19:26:10 2011 From: ayoung at redhat.com (Adam Young) Date: Thu, 16 Jun 2011 15:26:10 -0400 Subject: [Freeipa-devel] [PATCH] 0239-test-dirty-multivalue Message-ID: <4DFA58D2.6050907@redhat.com> -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-admiyo-0239-test-dirty-multivalue.patch Type: text/x-patch Size: 1924 bytes Desc: not available URL: From ayoung at redhat.com Thu Jun 16 19:26:52 2011 From: ayoung at redhat.com (Adam Young) Date: Thu, 16 Jun 2011 15:26:52 -0400 Subject: [Freeipa-devel] One liner for test dirty on textareas. Message-ID: <4DFA58FC.9070206@redhat.com> Pushed to master diff --git a/install/ui/widget.js b/install/ui/widget.js index 4dc2d5f..445b949 100644 --- a/install/ui/widget.js +++ b/install/ui/widget.js 
@@ -1017,7 +1017,7 @@ IPA.textarea_widget = function (spec) { var input = $('textarea[name="'+that.name+'"]', that.container); input.keyup(function() { - that.set_dirty(true); + that.set_dirty(that.test_dirty()); that.validate(); }); From JR.Aquino at citrix.com Thu Jun 16 19:29:27 2011 From: JR.Aquino at citrix.com (JR Aquino) Date: Thu, 16 Jun 2011 19:29:27 +0000 Subject: [Freeipa-devel] 32 Don't add empty tuple to entry_attrs['externalhost'] Message-ID: <2991C8DD-F701-4276-9118-2132BCD6D66C@citrixonline.com> https://fedorahosted.org/freeipa/ticket/1339 -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-jraquino-0032-Dont-add-empty-tuple-to-entry_attrs-externalhost.patch Type: application/octet-stream Size: 993 bytes Desc: freeipa-jraquino-0032-Dont-add-empty-tuple-to-entry_attrs-externalhost.patch URL: From ayoung at redhat.com Thu Jun 16 19:39:11 2011 From: ayoung at redhat.com (Adam Young) Date: Thu, 16 Jun 2011 15:39:11 -0400 Subject: [Freeipa-devel] [PATCH]0240-test-dirty-onchange Message-ID: <4DFA5BDF.4060906@redhat.com> -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-admiyo-0240-test-dirty-onchange.patch Type: text/x-patch Size: 3820 bytes Desc: not available URL: From edewata at redhat.com Thu Jun 16 20:49:40 2011 From: edewata at redhat.com (Endi Sukma Dewata) Date: Thu, 16 Jun 2011 15:49:40 -0500 Subject: [Freeipa-devel] [PATCH] 0239-test-dirty-multivalue In-Reply-To: <4DFA58D2.6050907@redhat.com> References: <4DFA58D2.6050907@redhat.com> Message-ID: <4DFA6C64.5090608@redhat.com> On 6/16/2011 2:26 PM, Adam Young wrote: > ACK and pushed to master. -- Endi S. Dewata From edewata at redhat.com Thu Jun 16 20:50:00 2011 
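Review bot: the switch from set_dirty(true) to set_dirty(that.test_dirty()) in the keyup handler only behaves correctly if test_dirty() compares the textarea's current value with the value originally loaded into the widget, so that typing a change and then reverting it clears the dirty flag again; the hunk does not show test_dirty(), so that is worth confirming. Also, keyup does not fire for a mouse-driven paste, drag-and-drop or browser autofill, so the same set_dirty/validate body should be bound to the change (and ideally input) event as well, otherwise those edits leave the field marked clean until the next keystroke.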
From: edewata at redhat.com (Endi Sukma Dewata) Date: Thu, 16 Jun 2011 15:50:00 -0500 Subject: [Freeipa-devel] [PATCH]0240-test-dirty-onchange In-Reply-To: <4DFA5BDF.4060906@redhat.com> References: <4DFA5BDF.4060906@redhat.com> Message-ID: <4DFA6C78.5040802@redhat.com> On 6/16/2011 2:39 PM, Adam Young wrote: > ACK and pushed to master. -- Endi S. Dewata From edewata at redhat.com Thu Jun 16 23:25:55 2011 From: edewata at redhat.com (Endi Sukma Dewata) Date: Thu, 16 Jun 2011 18:25:55 -0500 Subject: [Freeipa-devel] [PATCH] 182 Merged direct and indirect association facets Message-ID: <4DFA9103.8020900@redhat.com> The direct and indirect associations are now displayed in the same facet. The type of association to be displayed can be selected using radio buttons. Ticket #1338 -- Endi S. Dewata -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-edewata-0182-Merged-direct-and-indirect-association-facets.patch Type: text/x-patch Size: 8400 bytes Desc: not available URL: From ayoung at redhat.com Fri Jun 17 00:11:45 2011 From: ayoung at redhat.com (Adam Young) Date: Thu, 16 Jun 2011 20:11:45 -0400 Subject: [Freeipa-devel] [PATCH] 182 Merged direct and indirect association facets In-Reply-To: <4DFA9103.8020900@redhat.com> References: <4DFA9103.8020900@redhat.com> Message-ID: <4DFA9BC1.5000809@redhat.com> On 06/16/2011 07:25 PM, Endi Sukma Dewata wrote: > The direct and indirect associations are now displayed in the same > facet. The type of association to be displayed can be selected > using radio buttons. > > Ticket #1338 > > > _______________________________________________ > Freeipa-devel mailing list > Freeipa-devel at redhat.com > https://www.redhat.com/mailman/listinfo/freeipa-devel ACK. Pushed to master -------------- next part -------------- An HTML attachment was scrubbed... URL: From mkosek at redhat.com Fri Jun 17 09:11:34 2011 
From: mkosek at redhat.com (Martin Kosek) Date: Fri, 17 Jun 2011 11:11:34 +0200 Subject: [Freeipa-devel] [PATCH] 084 Multi-process build problems Message-ID: <1308301896.29284.0.camel@dhcp-25-52.brq.redhat.com> Fix a problem when a target missed a version-update requirement. This caused build problems, especially in a parallel build environment. https://fedorahosted.org/freeipa/ticket/1215 -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-mkosek-084-multi-process-build-problems.patch Type: text/x-patch Size: 1510 bytes Desc: not available URL: From mkosek at redhat.com Fri Jun 17 11:02:40 2011 From: mkosek at redhat.com (Martin Kosek) Date: Fri, 17 Jun 2011 13:02:40 +0200 Subject: [Freeipa-devel] [PATCH] 085 Fix doc for sudorule runasuser commands Message-ID: <1308308563.29284.1.camel@dhcp-25-52.brq.redhat.com> https://fedorahosted.org/freeipa/ticket/1324 -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-mkosek-085-sudorule-runasuser-doc.patch Type: text/x-patch Size: 1243 bytes Desc: not available URL: From mkosek at redhat.com Fri Jun 17 12:44:58 2011 From: mkosek at redhat.com (Martin Kosek) Date: Fri, 17 Jun 2011 14:44:58 +0200 Subject: [Freeipa-devel] [PATCH] 086 Fix IPA install for secure umask Message-ID: <1308314701.29284.2.camel@dhcp-25-52.brq.redhat.com> Make sure that IPA can be installed with root umask set to secure value 077. ipa-server-install was failing in DS configuration phase when dirsrv tried to read boot.ldif created during installation. https://fedorahosted.org/freeipa/ticket/1282 -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-mkosek-086-fix-ipa-install-for-secure-umask.patch Type: text/x-patch Size: 1569 bytes Desc: not available URL: From rcritten at redhat.com Fri Jun 17 13:33:42 2011 
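The umask 077 failure described in patch 086 is a general trap for installers: the mode you pass to open()/O_CREAT is masked by the process umask, so a file meant to be readable by a service account (dirsrv here) silently ends up 0600 when root runs with a hardened umask. The snippet below is an added illustration of the fix pattern, not ipa-server-install's own code; the file name boot.ldif, the temporary directory and the 0644 target mode are assumptions for the demo. A real installer would additionally chown the file to the service user, which needs root and is left out here. For secrets the same technique is used the other way round: create with 0600 and never widen.

```python
# Create a file whose permission bits do not depend on the caller's umask.
# Added illustration for the umask problem described above; it is not
# ipa-server-install's code. The file name boot.ldif, the temp directory
# and the 0o644 target mode are assumptions made for the demo.
import os
import stat
import tempfile


def write_with_mode(path, data, mode=0o644):
    """Write data to path and end with exactly `mode` permission bits.

    The mode given to os.open/O_CREAT is masked by the process umask, so
    under umask 077 a request for 0o644 silently becomes 0o600 and a service
    running as another user cannot read the file. fchmod on the open
    descriptor is applied literally, so the final bits are what we asked
    for regardless of umask. Creating at 0o600 first means the file is never
    more open than intended while it is being written."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    try:
        os.write(fd, data)
        os.fchmod(fd, mode)
    finally:
        os.close(fd)
    return current_mode(path)


def current_mode(path):
    """Permission bits of path as an int, e.g. 0o644."""
    return stat.S_IMODE(os.stat(path).st_mode)


def demo():
    """Return (mode of a naively created file, mode of the fixed one)
    when the process umask is 077. Restores the original umask afterwards."""
    old = os.umask(0o077)
    try:
        workdir = tempfile.mkdtemp()
        naive = os.path.join(workdir, 'boot.ldif.naive')
        with open(naive, 'w') as f:   # default 0o666 & ~0o077 == 0o600
            f.write('dn: cn=config\n')
        fixed = os.path.join(workdir, 'boot.ldif')
        fixed_mode = write_with_mode(fixed, b'dn: cn=config\n', 0o644)
        return current_mode(naive), fixed_mode
    finally:
        os.umask(old)


if __name__ == '__main__':
    naive_mode, fixed_mode = demo()
    print('umask 077: naive %o, explicit %o' % (naive_mode, fixed_mode))
```

Running it under any umask shows the naive file at 0600 and the explicit one at 0644; the point is that an installer should never rely on the inherited umask for files another uid has to read.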
From: rcritten at redhat.com (Rob Crittenden) Date: Fri, 17 Jun 2011 09:33:42 -0400 Subject: [Freeipa-devel] [PATCH] 085 Fix doc for sudorule runasuser commands In-Reply-To: <1308308563.29284.1.camel@dhcp-25-52.brq.redhat.com> References: <1308308563.29284.1.camel@dhcp-25-52.brq.redhat.com> Message-ID: <4DFB57B6.5060502@redhat.com> Martin Kosek wrote: > https://fedorahosted.org/freeipa/ticket/1324 ack From mkosek at redhat.com Fri Jun 17 13:37:28 2011 From: mkosek at redhat.com (Martin Kosek) Date: Fri, 17 Jun 2011 15:37:28 +0200 Subject: [Freeipa-devel] [PATCH] 086 Fix IPA install for secure umask In-Reply-To: <1308314701.29284.2.camel@dhcp-25-52.brq.redhat.com> References: <1308314701.29284.2.camel@dhcp-25-52.brq.redhat.com> Message-ID: <1308317850.29284.7.camel@dhcp-25-52.brq.redhat.com> On Fri, 2011-06-17 at 14:44 +0200, Martin Kosek wrote: > Make sure that IPA can be installed with root umask set to secure > value 077. ipa-server-install was failing in DS configuration phase > when dirsrv tried to read boot.ldif created during installation. > > https://fedorahosted.org/freeipa/ticket/1282 > Self-Nack. Even though install didn't fail, I didn't notice there are still issues with other files. For example dirsrv schema ldifs. This needs to be fixed. Martin From ayoung at redhat.com Fri Jun 17 13:59:24 2011 From: ayoung at redhat.com (Adam Young) Date: Fri, 17 Jun 2011 09:59:24 -0400 Subject: [Freeipa-devel] UX: Settings to the left Message-ID: <4DFB5DBC.4050704@redhat.com> Disagree. The ordering seems to make sense to people with the settings in the middle. The settings are not the most important facet for most entities, it is the collections of things they maintain that is most important. Remember, we originally went with this ordering to solve that issue. The alternative is to put the settings to the left, but to open a different tab by default, but that will be just as confusing. From mkosek at redhat.com Fri Jun 17 13:56:09 2011
From: mkosek at redhat.com (Martin Kosek) Date: Fri, 17 Jun 2011 15:56:09 +0200 Subject: [Freeipa-devel] [PATCH] 085 Fix doc for sudorule runasuser commands In-Reply-To: <4DFB57B6.5060502@redhat.com> References: <1308308563.29284.1.camel@dhcp-25-52.brq.redhat.com> <4DFB57B6.5060502@redhat.com> Message-ID: <1308318971.29284.8.camel@dhcp-25-52.brq.redhat.com> On Fri, 2011-06-17 at 09:33 -0400, Rob Crittenden wrote: > Martin Kosek wrote: > > https://fedorahosted.org/freeipa/ticket/1324 > > ack Pushed to master, ipa-2-0. Martin From rcritten at redhat.com Fri Jun 17 14:23:06 2011 
From: rcritten at redhat.com (Rob Crittenden) Date: Fri, 17 Jun 2011 10:23:06 -0400 Subject: [Freeipa-devel] [PATCH] 29 Raise DuplicateEntry Error when adding a duplicate sudo option In-Reply-To: <3306D90C-5005-4B1D-B195-C9CB7FBC31C7@citrixonline.com> References: <2AE1C072-9099-44E1-A778-BB1A6F0AE955@citrixonline.com> <4DF101D9.6000209@redhat.com> <5AF8156E-C5D0-4B09-A279-4CD049AB54B6@citrixonline.com> <0D1AFB75-6A9B-40B0-848D-B6B08CC0A2B8@citrixonline.com> <4DF7A31C.4000403@redhat.com> <7AFFCA25-0FC3-41AD-81CF-7E8D3F83171D@citrixonline.com> <4DF8C9B0.1070202@redhat.com> <7675EBF1-EFD1-4E2E-96EF-A168C20CC904@citrixonline.com> <4DFA1AB1.6040403@redhat.com> <3306D90C-5005-4B1D-B195-C9CB7FBC31C7@citrixonline.com> Message-ID: <4DFB634A.1030301@redhat.com> JR Aquino wrote: > On Jun 16, 2011, at 8:01 AM, Rob Crittenden wrote: > >> JR Aquino wrote: >>> On Jun 15, 2011, at 8:03 AM, Rob Crittenden wrote: >>> >>>> A minor issue and a question. >>>> >>>> The minor issue is you changed a couple of options from optional to mandatory, which is fine, but we need to bump up the minor version in VERSION (older clients otherwise could not send the string and blow things up). >>> >>> Is there a rule of thumb or document that details when this is appropriate? >>> >>> >>>> The question is, should we raise EmptyModList() when removing an option that doesn't exist or NotFound(reason=_())? I think the second might be more explanatory but might be harder for handle in scripts (how would you distinguish between entry not found and option not found)? 
>>>> >>>> rob >>> >>> >>> As per IRC conversation: >>> Added new Exception: AttrValueNotFound >>> Incremented minor version in VERSION >>> Adjusted API >>> 1276 (Raise AttrValueNotFound when trying to remove a non-existent option from Sudo rule) >>> 1277 (Raise DuplicateEntry Error when adding a duplicate sudo option) >>> 1308 (Make sudooption a required option for sudorule_remove_option) >>> >> >> This is very close, found a couple more issues: >> >> I don't think I was very clear in what to update in VERSION, you want it to look like this: >> >> diff --git a/VERSION b/VERSION >> index 6cbf732..e31f0d0 100644 >> --- a/VERSION >> +++ b/VERSION >> @@ -79,4 +79,4 @@ IPA_DATA_VERSION=20100614120000 >> # # >> ######################################################## >> IPA_API_VERSION_MAJOR=2 >> -IPA_API_VERSION_MINOR=5 >> +IPA_API_VERSION_MINOR=6 >> >> Two tests are failing. One is failing because externalhost is returned as a tuple (rather than not at all). The second because sudorule_remove_option has changed the type of data being returned. >> >> rob > > Ok, the VERSION issue is resolved, and the ipasudoopt test issue is solved. > > I have created: https://fedorahosted.org/freeipa/ticket/1339 to address the externalhost tuple as it is separate from the sudo options effort. > ack, pushed to master From rcritten at redhat.com Fri Jun 17 14:23:15 2011 From: rcritten at redhat.com (Rob Crittenden) Date: Fri, 17 Jun 2011 10:23:15 -0400 Subject: [Freeipa-devel] 32 Don't add empty tuple to entry_attrs['externalhost'] In-Reply-To: <2991C8DD-F701-4276-9118-2132BCD6D66C@citrixonline.com> References: <2991C8DD-F701-4276-9118-2132BCD6D66C@citrixonline.com> Message-ID: <4DFB6353.7060800@redhat.com> JR Aquino wrote: > https://fedorahosted.org/freeipa/ticket/1339 > ack, pushed to master From rcritten at redhat.com Fri Jun 17 14:27:43 2011 
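Review bot: the hunk changes only IPA_API_VERSION_MINOR (5 to 6) and leaves IPA_DATA_VERSION untouched, which is right for this patch since it adds an exception and makes sudooption mandatory for sudorule_remove_option without touching LDAP data or schema. Two things to check when it lands: the bump must be in the same commit as the command change, so there is no commit where the API differs from the advertised version; and because an older client built against minor version 5 can still omit the now-required sudooption, the server-side command should reject that call with a clear error rather than relying on the version number alone to keep it from blowing up.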
From: rcritten at redhat.com (Rob Crittenden) Date: Fri, 17 Jun 2011 10:27:43 -0400 Subject: [Freeipa-devel] [PATCH] 779 Require an imported certificate's issuer to match our issuer In-Reply-To: <4DFA1903.5010205@redhat.com> References: <4DB7309C.4010307@redhat.com> <4DECDC2D.7070803@redhat.com> <4DED29B8.8090607@redhat.com> <4DEE2676.6070401@redhat.com> <4DF75F34.2030409@redhat.com> <4DF9FDED.50602@redhat.com> <4DF9FF78.10102@redhat.com> <4DFA0146.5030801@redhat.com> <4DFA1903.5010205@redhat.com> Message-ID: <4DFB645F.2040504@redhat.com> Jan Cholasta wrote: > On 16.6.2011 15:12, Rob Crittenden wrote: >> Rob Crittenden wrote: >>> Jan Cholasta wrote: >>>> On 14.6.2011 15:16, Rob Crittenden wrote: >>>>> Jan Cholasta wrote: >>>>>> On 6.6.2011 21:25, Rob Crittenden wrote: >>>>>>> Jan Cholasta wrote: >>>>>>>> On 26.4.2011 22:52, Rob Crittenden wrote: >>>>>>>>> The goal is to not import foreign certificates. >>>>>>>>> >>>>>>>>> This caused a bunch of tests to fail because we had a hardcoded >>>>>>>>> server >>>>>>>>> certificate. Instead a developer will need to run make-testcert to >>>>>>>>> create a server certificate generated by the local CA to test >>>>>>>>> against. >>>>>>>>> >>>>>>>>> ticket 1134 >>>>>>>>> >>>>>>>>> rob >>>>>>>>> >>>>>>>> >>>>>>>> NACK >>>>>>>> >>>>>>>> The certificate isn't verified in host-add. >>>>>>>> >>>>>>>> I suspect that certificates signed by an intermediate CA (i.e. when >>>>>>>> the >>>>>>>> certificate chain length > 2) are considered invalid. Is that the >>>>>>>> desired behavior? >>>>>>> >>>>>>> That will work as long as the issuer is the IPA CA. I see that if we >>>>>>> are >>>>>>> given a service cert issued by another CA in the chain things >>>>>>> could go >>>>>>> badly. I'm not sure this is something to really worry about though. >>>>>> >>>>>> I guess it's not. But I'd like a second opinion on that. 
>>>>> >>>>> We really only want to support those certs we issue otherwise things >>>>> like revocation get tricky, because we can't manage things we don't >>>>> issue. >>>>> >>>>>> >>>>>>> >>>>>>>> >>>>>>>> make-testcert fails with: >>>>>>>> >>>>>>>> Traceback (most recent call last): >>>>>>>> File "./make-testcert", line 126, in >>>>>>>> sys.exit(makecert(reqdir)) >>>>>>>> File "./make-testcert", line 105, in makecert >>>>>>>> add=True) >>>>>>>> File "./make-testcert", line 66, in run >>>>>>>> result = self.execute(method, *args, **options) >>>>>>>> File "/home/jcholast/freeipa/ipalib/backend.py", line 142, in >>>>>>>> execute >>>>>>>> raise error #pylint: disable=E0702 >>>>>>>> ipalib.errors.CommandError: unknown command 'cert_request' >>>>>>>> >>>>>>>> This is probably an error on my part (tried running in on both my >>>>>>>> machine without IPA installed and on VM with IPA installed with no >>>>>>>> luck), but nonetheless it should be fixed to fail gracefully so >>>>>>>> that >>>>>>>> the >>>>>>>> tests in "make test" have a chance to run. Similarly, the tests >>>>>>>> which >>>>>>>> use the test certificate created by make-testcert should be >>>>>>>> skipped if >>>>>>>> the certificate isn't available. >>>>>>> >>>>>>> You need to take the certificate databases from a self-signed >>>>>>> install >>>>>>> and copy them to ~/.ipa/alias/ in order to do certificate testing. >>>>>>> There >>>>>>> is documentation on how to do this in tests/test_xmlrpc/test_cert.py >>>>>>> >>>>>>> I think this should be mandatory as certificates are a main >>>>>>> feature of >>>>>>> v2. >>>>>> >>>>>> No matter what I do, I'm still getting the unknown command error. Can >>>>>> you describe the steps needed to make make-testcert successfully run? >>>>>> >>>>>> BTW, it would be nice if "make test" printed an informational message >>>>>> when the requirements to run the tests aren't met instead of failing >>>>>> with some random error. 
>>>>> >>>>> You need enable_ra = True in ~/.ipa/default.conf. What I tend to do is >>>>> copy /etc/ipa/default.conf from my underlying install to ~/.ipa and >>>>> comment out the xmlrpc_uri. This is now caught by the script. >>>>> >>>>> rob >>>> >>>> These tests fail: >>>> >>>> test_host[19]: service_mod: Update >>>> u'HTTP/testhost1.idm.lab.bos.redhat.com at IDM.LAB.BOS.REDHAT.COM' ... >>>> FAIL >>>> test_host[20]: service_show: Retrieve >>>> u'HTTP/testhost1.idm.lab.bos.redhat.com at IDM.LAB.BOS.REDHAT.COM' to >>>> verify update ... FAIL >>>> >>>> because they expect the CN to be puma.greyoak.com. I'm not sure if this >>>> issue is in the scope of this patch - if it's not, then ACK. >>> >>> I'll fix them up. >> >> attached > > ACK > > Honza > pushed to master and ipa-2-0 From rcritten at redhat.com Fri Jun 17 15:30:52 2011 
From: rcritten at redhat.com (Rob Crittenden) Date: Fri, 17 Jun 2011 11:30:52 -0400 Subject: [Freeipa-devel] [PATCH] 079 DNS installation fails when domain and host domain mismatch In-Reply-To: <1308141755.11628.17.camel@dhcp-25-52.brq.redhat.com> References: <1307617123.27281.8.camel@dhcp-25-52.brq.redhat.com> <4DF7A01E.6060900@redhat.com> <1308141755.11628.17.camel@dhcp-25-52.brq.redhat.com> Message-ID: <4DFB732C.7040404@redhat.com> Martin Kosek wrote: > On Tue, 2011-06-14 at 13:53 -0400, Rob Crittenden wrote: >> Martin Kosek wrote: >>> This patch depends on my patch 078. A special patch for stable branch >>> attached. >>> >>> --- >>> >>> Create DNS domain for IPA server hostname first so that it's forward >>> record can be added. This results in 2 forward DNS zones created >>> when server hostname doesn't equal server domain. >>> >>> https://fedorahosted.org/freeipa/ticket/1194 >> >> This look ok, just a style question. >> >> by definition fqdn is fully-qualified so is this necessary? >> >> + if '.' in self.fqdn: >> + self.host_domain = '.'.join(fqdn.split(".")[1:]) >> + else: >> + self.host_domain = self.domain >> >> The test will always be true, right? >> >> rob > > It should be. Maybe I was overcautious in this place. Attaching updated > patches. > > Martin ack From edewata at redhat.com Fri Jun 17 19:12:09 2011 
From: edewata at redhat.com (Endi Sukma Dewata) Date: Fri, 17 Jun 2011 14:12:09 -0500 Subject: [Freeipa-devel] [PATCH] 183 Storing page number in URL. Message-ID: <4DFBA709.7020304@redhat.com> The association facet has been modified to store the current page number in the browser's URL. This way page changes are stored in browser's history allowing the back button to work properly. Ticket #1264 -- Endi S. Dewata -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-edewata-0183-Storing-page-number-in-URL.patch Type: text/x-patch Size: 9011 bytes Desc: not available URL: From ayoung at redhat.com Fri Jun 17 20:00:43 2011 
From: ayoung at redhat.com (Adam Young) Date: Fri, 17 Jun 2011 16:00:43 -0400 Subject: [Freeipa-devel] [PATCH] 0237-no-redirect-on-unknown-error In-Reply-To: <4DF95B0B.1010807@redhat.com> References: <4DF8FBF7.9040302@redhat.com> <4DF943DB.90201@redhat.com> <4DF95B0B.1010807@redhat.com> Message-ID: <4DFBB26B.5080506@redhat.com> On 06/15/2011 09:23 PM, Endi Sukma Dewata wrote: > On 6/15/2011 6:44 PM, Adam Young wrote: >> On 06/15/2011 02:37 PM, Adam Young wrote: >>> Part 2 >>> >>> https://fedorahosted.org/freeipa/ticket/1281 > >> Now iterates through a list of known error types. > > If the server is down (service ipa stop) it throws an error with name > 'NS_ERROR_NOT_AVAILABLE' which is not in the list, so it still does a > redirection. > > There is another problem too, if the error name matches the list it > doesn't call report_error(). > > Maybe this should be done the other way around. Instead of listing the > errors not to redirect, we should list the errors which require > redirection, i.e. IPA Error 4001 (entry not found). > > This is optional, in ipa.js:337 we could add the IPA error code into > the error_thrown object. This way the error can be checked more > reliably using error code rather than error name. > This version does the whitelist approach -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-admiyo-0237-2-no-redirect-on-unknown-error.patch Type: text/x-patch Size: 2164 bytes Desc: not available URL: From ayoung at redhat.com Fri Jun 17 20:06:30 2011 
From: ayoung at redhat.com (Adam Young) Date: Fri, 17 Jun 2011 16:06:30 -0400 Subject: [Freeipa-devel] [PATCH] 183 Storing page number in URL. In-Reply-To: <4DFBA709.7020304@redhat.com> References: <4DFBA709.7020304@redhat.com> Message-ID: <4DFBB3C6.7060005@redhat.com> On 06/17/2011 03:12 PM, Endi Sukma Dewata wrote: > The association facet has been modified to store the current page > number in the browser's URL. This way page changes are stored in > browser's history allowing the back button to work properly. > > Ticket #1264 > > > _______________________________________________ > Freeipa-devel mailing list > Freeipa-devel at redhat.com > https://www.redhat.com/mailman/listinfo/freeipa-devel ACK. Pushed to master -------------- next part -------------- An HTML attachment was scrubbed... URL: From ayoung at redhat.com Fri Jun 17 21:00:32 2011 From: ayoung at redhat.com (Adam Young) Date: Fri, 17 Jun 2011 17:00:32 -0400 Subject: [Freeipa-devel] 0241-enforce-proper-capitalization-with-stylesheet. Message-ID: <4DFBC070.80108@redhat.com> -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-admiyo-0241-enforce-proper-capitalization-with-stylesheet.patch Type: text/x-patch Size: 1805 bytes Desc: not available URL: From rcritten at redhat.com Fri Jun 17 21:06:51 2011 
From: rcritten at redhat.com (Rob Crittenden) Date: Fri, 17 Jun 2011 17:06:51 -0400 Subject: [Freeipa-devel] [PATCH] 805 make dogtag optionally installable on replicas Message-ID: <4DFBC1EB.6060702@redhat.com> A dogtag replica file is created as usual. When the replica is installed dogtag is optional and not installed by default. Adding the --setup-ca option will configure it when the replica is installed. A new tool ipa-ca-install will configure dogtag if it wasn't configured when the replica was initially installed. https://fedorahosted.org/freeipa/ticket/1251 See the ticket for testing suggestions. rob -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-rcrit-805-dogtag.patch Type: text/x-diff Size: 23640 bytes Desc: not available URL: From edewata at redhat.com Fri Jun 17 22:03:12 2011 
From: edewata at redhat.com (Endi Sukma Dewata) Date: Fri, 17 Jun 2011 17:03:12 -0500 Subject: [Freeipa-devel] 0241-enforce-proper-capitalization-with-stylesheet. In-Reply-To: <4DFBC070.80108@redhat.com> References: <4DFBC070.80108@redhat.com> Message-ID: <4DFBCF20.1040206@redhat.com> On 6/17/2011 4:00 PM, Adam Young wrote: > Please take a look at the following capitalization. If these are considered OK feel free to push. Host-group => Host-group (the g is not capitalized) Max lifetime (days) => Max Lifetime (Days) (unit is capitalized) Min lifetime (hours) => Min Lifetime (Hours) (unit is capitalized) Usually the term "time to live" is hyphenated. Currently in our code it's not, so the capitalization will look like this: SOA time to live => SOA Time To Live But suppose it's changed later, it will look like this: SOA time-to-live => SOA Time-to-live (to-live is not capitalized) The fields in HBAC Rule and SUDO Rule details page are not capitalized because it's using a table instead of dl/dt/dd. This can be addressed in a separate patch. We might want to define a 'field-label' CSS class. -- Endi S. Dewata From dpal at redhat.com Fri Jun 17 22:59:50 2011 
From: dpal at redhat.com (Dmitri Pal) Date: Fri, 17 Jun 2011 18:59:50 -0400 Subject: [Freeipa-devel] Management of the CS instances. Message-ID: <4DFBDC66.6020402@redhat.com> Hi, Before we went too far with implementing the CS decoupling here is a stupid idea I have. We can proceed with the plans described in tickets: https://fedorahosted.org/freeipa/ticket/1250 https://fedorahosted.org/freeipa/ticket/1251 https://fedorahosted.org/freeipa/ticket/1252 However what we can do is store the CS instance DM password encrypted in the main instance. Then the management utility (ticket 1250) would first have to fetch this encrypted attribute from the main instance. We would be able to define ACIs on it and use the kerberos authentication against the main instance instead of prompting user for the DM password. It is a little bit more work but much better and consistent user experience and administrative model. What do you think? -- Thank you, Dmitri Pal Sr. Engineering Manager IPA project, Red Hat Inc. ------------------------------- Looking to carve out IT costs? www.redhat.com/carveoutcosts/ From ayoung at redhat.com Fri Jun 17 23:48:49 2011 
From: ayoung at redhat.com (Adam Young) Date: Fri, 17 Jun 2011 19:48:49 -0400 Subject: [Freeipa-devel] 0241-enforce-proper-capitalization-with-stylesheet. In-Reply-To: <4DFBCF20.1040206@redhat.com> References: <4DFBC070.80108@redhat.com> <4DFBCF20.1040206@redhat.com> Message-ID: <4DFBE7E1.1030908@redhat.com> This is how hyphenation is supposed to work. We should remove the hyphenation in the cases that you have enumerated below. The capitalization of Days and Hours units is fine. Agreed on the field label class. On 06/17/2011 06:03 PM, Endi Sukma Dewata wrote: > On 6/17/2011 4:00 PM, Adam Young wrote: >> > > Please take a look at the following capitalization. If these are > considered OK feel free to push. > > Host-group => Host-group (the g is not capitalized) > Max lifetime (days) => Max Lifetime (Days) (unit is capitalized) > Min lifetime (hours) => Min Lifetime (Hours) (unit is capitalized) > > Usually the term "time to live" is hyphenated. Currently in our code > it's not, so the capitalization will look like this: > > SOA time to live => SOA Time To Live > > But suppose it's changed later, it will look like this: > > SOA time-to-live => SOA Time-to-live (to-live is not capitalized) > > The fields in HBAC Rule and SUDO Rule details page are not capitalized > because it's using a table instead of dl/dt/dd. This can be addressed > in a separate patch. We might want to define a 'field-label' CSS class. > From ayoung at redhat.com Fri Jun 17 23:53:12 2011
From: ayoung at redhat.com (Adam Young) Date: Fri, 17 Jun 2011 19:53:12 -0400 Subject: [Freeipa-devel] Management of the CS instances. In-Reply-To: <4DFBDC66.6020402@redhat.com> References: <4DFBDC66.6020402@redhat.com> Message-ID: <4DFBE8E8.7010201@redhat.com> On 06/17/2011 06:59 PM, Dmitri Pal wrote: > Hi, > > Before we went too far with implementing the CS decoupling here is a > stupid idea I have. > > We can proceed with the plans described in tickets: > https://fedorahosted.org/freeipa/ticket/1250 > https://fedorahosted.org/freeipa/ticket/1251 > https://fedorahosted.org/freeipa/ticket/1252 > > However what we can do is store the CS instance DM password encrypted in > the main instance. > Then the management utility (ticket 1250) would first have to fetch this > encrypted attribute from the main instance. > We would be able to define ACIs on it and use the kerberos > authentication against the main instance instead of prompting user for > the DM password. > It is a little bit more work but much better and consistent user > experience and administrative model. Makes sense at a first pass. I haven't worked that deeply with the CS stuff to say for sure, but treating the IPA DS as canonical and thus giving it the keys to the kingdom seems to be the right call. It all depends on which (CS or IPA) you want to treat as the most critical to lock down. I see nothing wrong with keeping IPA in that role. > What do you think? > From ayoung at redhat.com Sat Jun 18 00:12:17 2011 From: ayoung at redhat.com (Adam Young) Date: Fri, 17 Jun 2011 20:12:17 -0400 Subject: [Freeipa-devel] [PATCH] 0242-hide-automount-tabs Message-ID: <4DFBED61.7040008@redhat.com> -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-admiyo-0242-hide-automount-tabs.patch Type: text/x-patch Size: 1901 bytes Desc: not available URL: From simo at redhat.com Sat Jun 18 15:18:40 2011
From: simo at redhat.com (Simo Sorce) Date: Sat, 18 Jun 2011 11:18:40 -0400 Subject: [Freeipa-devel] Management of the CS instances. In-Reply-To: <4DFBDC66.6020402@redhat.com> References: <4DFBDC66.6020402@redhat.com> Message-ID: <1308410320.3182.205.camel@willson.li.ssimo.org> On Fri, 2011-06-17 at 18:59 -0400, Dmitri Pal wrote: > Hi, > > Before we went too far with implementing the CS decoupling here is a > stupid idea I have. > > We can proceed with the plans described in tickets: > https://fedorahosted.org/freeipa/ticket/1250 > https://fedorahosted.org/freeipa/ticket/1251 > https://fedorahosted.org/freeipa/ticket/1252 > > However what we can do is store the CS instance DM password encrypted in > the main instance. > Then the management utility (ticket 1250) would first have to fetch this > encrypted attribute from the main instance. > We would be able to define ACIs on it and use the kerberos > authentication against the main instance instead of prompting user for > the DM password. > It is a little bit more work but much better and consistent user > experience and administrative model. > > What do you think? This is something we can try I guess. But in order to do something like that we will have to create a special extend operation or add a special search control in the password-extop plugin so that it can perform access control and decrypt the secret before handing it back. Although if we are going this route we could also see if we can use some temporary token instead that allows access to the CS instance for a few minutes w/o giving away the actual DM password. I will think a bit how hard it would be. Simo. -- Simo Sorce * Red Hat, Inc * New York From simo at redhat.com Sat Jun 18 15:32:50 2011 
From: simo at redhat.com (Simo Sorce)
Date: Sat, 18 Jun 2011 11:32:50 -0400
Subject: [Freeipa-devel] Management of the CS instances.
In-Reply-To: <1308410320.3182.205.camel@willson.li.ssimo.org>
References: <4DFBDC66.6020402@redhat.com> <1308410320.3182.205.camel@willson.li.ssimo.org>
Message-ID: <1308411170.3182.206.camel@willson.li.ssimo.org>

On Sat, 2011-06-18 at 11:18 -0400, Simo Sorce wrote:
> On Fri, 2011-06-17 at 18:59 -0400, Dmitri Pal wrote:
> > Hi,
> >
> > Before we go too far with implementing the CS decoupling here is a
> > stupid idea I have.
> >
> > We can proceed with the plans described in tickets:
> > https://fedorahosted.org/freeipa/ticket/1250
> > https://fedorahosted.org/freeipa/ticket/1251
> > https://fedorahosted.org/freeipa/ticket/1252
> >
> > However what we can do is store the CS instance DM password encrypted in
> > the main instance.
> > Then the management utility (ticket 1250) would first have to fetch this
> > encrypted attribute from the main instance.
> > We would be able to define ACIs on it and use the kerberos
> > authentication against the main instance instead of prompting user for
> > the DM password.
> > It is a little bit more work but much better and consistent user
> > experience and administrative model.
> >
> > What do you think?
>
> This is something we can try I guess.
> But in order to do something like that we will have to create a special
> extend operation or add a special search control in the password-extop
> plugin so that it can perform access control and decrypt the secret
> before handing it back.
>
> Although if we are going this route we could also see if we can use some
> temporary token instead that allows access to the CS instance for a few
> minutes w/o giving away the actual DM password.
>
> I will think a bit how hard it would be.

I have created ticket https://fedorahosted.org/freeipa/ticket/1353 to
capture this task.

Simo.

--
Simo Sorce * Red Hat, Inc * New York

From ayoung at redhat.com Sun Jun 19 01:18:34 2011
From: ayoung at redhat.com (Adam Young)
Date: Sat, 18 Jun 2011 21:18:34 -0400
Subject: [Freeipa-devel] [PATCH] 0243-entity-select-widget-for-manager
Message-ID: <4DFD4E6A.3030709@redhat.com>

-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-admiyo-0243-entity-select-widget-for-manager.patch
Type: text/x-patch
Size: 1586 bytes

From ayoung at redhat.com Sun Jun 19 01:26:57 2011
From: ayoung at redhat.com (Adam Young)
Date: Sat, 18 Jun 2011 21:26:57 -0400
Subject: [Freeipa-devel] [PATCH] 0244-service-host-entity-select
Message-ID: <4DFD5061.5040706@redhat.com>

-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-admiyo-0244-service-host-entity-select.patch
Type: text/x-patch
Size: 975 bytes

From ayoung at redhat.com Sun Jun 19 01:46:13 2011
From: ayoung at redhat.com (Adam Young)
Date: Sat, 18 Jun 2011 21:46:13 -0400
Subject: [Freeipa-devel] 0245-entity-select-undo
Message-ID: <4DFD54E5.4030003@redhat.com>

-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-admiyo-0245-entity-select-undo.patch
Type: text/x-patch
Size: 1352 bytes

From ayoung at redhat.com Mon Jun 20 13:46:31 2011
From: ayoung at redhat.com (Adam Young)
Date: Mon, 20 Jun 2011 09:46:31 -0400
Subject: [Freeipa-devel] [PATCH] 0246-editable-entity_select
Message-ID: <4DFF4F37.1060202@redhat.com>

https://fedorahosted.org/freeipa/ticket/1043

-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-admiyo-0246-editable-entity_select.patch
Type: text/x-patch
Size: 4773 bytes

From rcritten at redhat.com Mon Jun 20 14:01:59 2011
From: rcritten at redhat.com (Rob Crittenden)
Date: Mon, 20 Jun 2011 10:01:59 -0400
Subject: [Freeipa-devel] [PATCH 24/24] Add utility classes for handling DN's along with their, unittest.
In-Reply-To: <4DF7F02A.9090001@redhat.com>
References: <4DF7F02A.9090001@redhat.com>
Message-ID: <4DFF52D7.9010001@redhat.com>

John Dennis wrote:
> This adds a new module and set of classes to ipalib for handling DN's.
> Please see the module doc and class doc for full explanation.
>
> Included is a very complete unit test for the module. At close to 900
> lines of code the unit test exercises just about every conceivable way
> these objects can be used.
>
> The module doc touches on some of the problems found in our existing
> code which handles DN's, which this module is meant to provide fixes
> for. A more complete write-up of the existing code issues will follow on
> the list.
>
> Comments welcome of course.
>
> Another patch will follow for comma's in privileges. The
> test_role_plugin.py unit test was modified to introduce a comma, but
> there were many failures because of improper DN handling in the core
> code (as well as limitations of the unit test framework). The next patch
> introduces a number of fixes, some of which are dependent upon the use
> of the classes introduced here. With the fixes in the next patch the
> test_role_plugin unit test once again fully succeeds.
>

Am I misreading the documentation on how one can create a DN?

>>> print container
cn=users,cn=accounts
>>> print basedn
dc=example,dc=com
>>> str(DN(container, basedn))
'cn=users,cn=accounts=dc\\=example\\,dc\\=com'
>>> uid='rcrit'
>>> rdnattr='uid'
>>> str(DN('%s=%s' % (rdnattr, uid), container, basedn))
'uid=rcrit=cn\\=users\\,cn\\=accounts,dc=example,dc=com'

The patch requires one very minor change, the import from dn should be
from ipalib.dn import ... We run the tests from the top-level.

rob

From ayoung at redhat.com Mon Jun 20 15:01:03 2011
From: ayoung at redhat.com (Adam Young)
Date: Mon, 20 Jun 2011 11:01:03 -0400
Subject: [Freeipa-devel] [PATCH] 0247-entity-select-for-password-policy
Message-ID: <4DFF60AF.9070003@redhat.com>

-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-admiyo-0247-entity-select-for-password-policy.patch
Type: text/x-patch
Size: 1037 bytes

From rcritten at redhat.com Mon Jun 20 15:14:46 2011
From: rcritten at redhat.com (Rob Crittenden)
Date: Mon, 20 Jun 2011 11:14:46 -0400
Subject: [Freeipa-devel] [PATCH] 083 Improve IP address handling in IPA option parser
In-Reply-To: <1308214421.11003.5.camel@dhcp-25-52.brq.redhat.com>
References: <1308214421.11003.5.camel@dhcp-25-52.brq.redhat.com>
Message-ID: <4DFF63E6.10101@redhat.com>

Martin Kosek wrote:
> Implements a way to pass match_local and parse_netmask parameters
> to IP option checker.
>
> Now, there is just one common option type "ip" with new optional
> attributes "ip_local" and "ip_netmask" which can be used to
> pass IP address validation parameters.
>
> https://fedorahosted.org/freeipa/ticket/1333

ack, pushed to master

From jcholast at redhat.com Mon Jun 20 15:24:24 2011
From: jcholast at redhat.com (Jan Cholasta)
Date: Mon, 20 Jun 2011 17:24:24 +0200
Subject: [Freeipa-devel] [PATCH] 22 Improve IP address handling in the host-add command
In-Reply-To: <4DF9F784.70002@redhat.com>
References: <4DF776BE.6060601@redhat.com> <4DF7A7E0.5060206@redhat.com> <1308077659.3182.35.camel@willson.li.ssimo.org> <4DF9F784.70002@redhat.com>
Message-ID: <4DFF6628.5060207@redhat.com>

On 16.6.2011 14:31, Jan Cholasta wrote:
> On 14.6.2011 20:54, Simo Sorce wrote:
>> On Tue, 2011-06-14 at 14:26 -0400, Rob Crittenden wrote:
>>> Jan Cholasta wrote:
>>>> This patch enables the user to specify netmasks in the --ip-address
>>>> option of host-add. They're used for proper DNS reverse zone and PTR
>>>> record creation. Also the IP addresses are more strictly checked (just
>>>> like in the install scripts).
>>>>
>>>> https://fedorahosted.org/freeipa/ticket/1234
>>>
>>> Do we want a reverse zone created automatically when a host is added? I
>>> think a warning that the reverse zone doesn't exist may be adequate.
>>
>> A warning is preferable as we may not be controlling that reverse zone.
>>
>> Simo.
>>
>
> Updated patch attached. NonFatalError is raised when the reverse zone is
> not found.
>
> Honza
>

Fixed commit message.

--
Jan Cholasta

-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-jcholast-22.2-host-add-ip.patch
Type: text/x-patch
Size: 5069 bytes

From rcritten at redhat.com Mon Jun 20 15:29:09 2011
From: rcritten at redhat.com (Rob Crittenden)
Date: Mon, 20 Jun 2011 11:29:09 -0400
Subject: [Freeipa-devel] [PATCH] 084 Multi-process build problems
In-Reply-To: <1308301896.29284.0.camel@dhcp-25-52.brq.redhat.com>
References: <1308301896.29284.0.camel@dhcp-25-52.brq.redhat.com>
Message-ID: <4DFF6745.1050701@redhat.com>

Martin Kosek wrote:
> Fix a problem when a target missed a version-update requirement.
> This caused build problems, especially in a parallel build
> environment.
>
> https://fedorahosted.org/freeipa/ticket/1215

ack, pushed to master and ipa-2-0

From rcritten at redhat.com Mon Jun 20 16:00:41 2011
From: rcritten at redhat.com (Rob Crittenden)
Date: Mon, 20 Jun 2011 12:00:41 -0400
Subject: [Freeipa-devel] [PATCH] 22 Improve IP address handling in the host-add command
In-Reply-To: <4DFF6628.5060207@redhat.com>
References: <4DF776BE.6060601@redhat.com> <4DF7A7E0.5060206@redhat.com> <1308077659.3182.35.camel@willson.li.ssimo.org> <4DF9F784.70002@redhat.com> <4DFF6628.5060207@redhat.com>
Message-ID: <4DFF6EA9.9010504@redhat.com>

Jan Cholasta wrote:
> On 16.6.2011 14:31, Jan Cholasta wrote:
>> On 14.6.2011 20:54, Simo Sorce wrote:
>>> On Tue, 2011-06-14 at 14:26 -0400, Rob Crittenden wrote:
>>>> Jan Cholasta wrote:
>>>>> This patch enables the user to specify netmasks in the --ip-address
>>>>> option of host-add. They're used for proper DNS reverse zone and PTR
>>>>> record creation. Also the IP addresses are more strictly checked (just
>>>>> like in the install scripts).
>>>>>
>>>>> https://fedorahosted.org/freeipa/ticket/1234
>>>>
>>>> Do we want a reverse zone created automatically when a host is added? I
>>>> think a warning that the reverse zone doesn't exist may be adequate.
>>>
>>> A warning is preferable as we may not be controlling that reverse zone.
>>>
>>> Simo.
>>>
>>
>> Updated patch attached. NonFatalError is raised when the reverse zone is
>> not found.
>>
>> Honza
>>
>
> Fixed commit message.
>

ack, pushed to master

rob

From ayoung at redhat.com Mon Jun 20 16:32:22 2011
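The thread above settles two points about host-add: the netmask given with --ip-address decides which reverse zone a PTR record belongs in, and a missing reverse zone only produces a warning because that zone may be managed elsewhere. The following is an added illustration of that logic, written for this page and not taken from Jan's patch or from FreeIPA; the /24 and /64 defaults for a bare address, the `ReverseZoneNotFound` warning class and the set of managed zones are this example's own assumptions.

```python
import ipaddress
import warnings


class ReverseZoneNotFound(Warning):
    """Hypothetical stand-in for the NonFatalError the thread mentions."""


def reverse_zone_and_ptr(address):
    """Split 'addr[/prefix]' into (reverse zone name, PTR owner name in that zone).

    The prefix length fixes the zone boundary: 192.0.2.10/24 lives in
    2.0.192.in-addr.arpa. with owner name 10, while 192.0.2.10/16 lives in
    0.192.in-addr.arpa. with owner name 10.2.  A bare address gets /24 (IPv4)
    or /64 (IPv6); that default is an assumption of this example.
    """
    if '/' not in address:
        address += '/64' if ':' in address else '/24'
    iface = ipaddress.ip_interface(address)
    prefixlen = iface.network.prefixlen
    if iface.version == 4:
        if prefixlen % 8:
            raise ValueError('IPv4 reverse zones need a prefix length that is a multiple of 8')
        labels = str(iface.ip).split('.')          # one label per octet
        n = prefixlen // 8
        suffix = 'in-addr.arpa.'
    else:
        if prefixlen % 4:
            raise ValueError('IPv6 reverse zones need a prefix length that is a multiple of 4')
        labels = list(iface.ip.exploded.replace(':', ''))  # one label per nibble
        n = prefixlen // 4
        suffix = 'ip6.arpa.'
    if n == 0 or n == len(labels):
        raise ValueError('prefix must leave both a zone part and a host part')
    zone = '.'.join(reversed(labels[:n])) + '.' + suffix
    ptr = '.'.join(reversed(labels[n:]))
    return zone, ptr


def add_ptr_record(address, hostname, managed_zones):
    """Return the PTR record a host-add would create as (zone, owner, type, target),
    or None after a non-fatal warning when the reverse zone is not one we manage.
    We deliberately do not create the zone: it may belong to somebody else."""
    zone, ptr = reverse_zone_and_ptr(address)
    if zone not in managed_zones:
        warnings.warn('reverse zone %s not found, PTR record for %s not created'
                      % (zone, hostname), ReverseZoneNotFound)
        return None
    target = hostname if hostname.endswith('.') else hostname + '.'
    return (zone, ptr, 'PTR', target)


if __name__ == '__main__':
    # Constructed sample: one managed reverse zone, two hosts being added.
    managed = {'2.0.192.in-addr.arpa.'}
    print(add_ptr_record('192.0.2.10/24', 'host1.example.com', managed))
    print(add_ptr_record('198.51.100.7/24', 'host2.example.com', managed))
```

Running it creates the PTR record for the first host and only warns for the second, whose /24 reverse zone is not in the managed set; passing a prefix such as /20 is rejected outright, since classless reverse delegation is out of scope here.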
From: ayoung at redhat.com (Adam Young)
Date: Mon, 20 Jun 2011 12:32:22 -0400
Subject: [Freeipa-devel] [PATCH] 0242-hide-automount-tabs
In-Reply-To: <4DFBED61.7040008@redhat.com>
References: <4DFBED61.7040008@redhat.com>
Message-ID: <4DFF7616.6070009@redhat.com>

On 06/17/2011 08:12 PM, Adam Young wrote:
>
>
> _______________________________________________
> Freeipa-devel mailing list
> Freeipa-devel at redhat.com
> https://www.redhat.com/mailman/listinfo/freeipa-devel

-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-admiyo-0242-1-hide-automount-tabs.patch
Type: text/x-patch
Size: 2049 bytes

From edewata at redhat.com Mon Jun 20 16:31:03 2011
From: edewata at redhat.com (Endi Sukma Dewata)
Date: Mon, 20 Jun 2011 11:31:03 -0500
Subject: [Freeipa-devel] [PATCH] 0243-entity-select-widget-for-manager
In-Reply-To: <4DFD4E6A.3030709@redhat.com>
References: <4DFD4E6A.3030709@redhat.com>
Message-ID: <4DFF75C7.60604@redhat.com>

On 6/18/2011 8:18 PM, Adam Young wrote:
>

ACK and pushed to master.

--
Endi S. Dewata

From edewata at redhat.com Mon Jun 20 16:43:41 2011
From: edewata at redhat.com (Endi Sukma Dewata)
Date: Mon, 20 Jun 2011 11:43:41 -0500
Subject: [Freeipa-devel] [PATCH] 0242-hide-automount-tabs
In-Reply-To: <4DFF7616.6070009@redhat.com>
References: <4DFBED61.7040008@redhat.com> <4DFF7616.6070009@redhat.com>
Message-ID: <4DFF78BD.1030902@redhat.com>

On 6/20/2011 11:32 AM, Adam Young wrote:
>

ACK and pushed to master.

--
Endi S. Dewata

From ayoung at redhat.com Mon Jun 20 17:02:45 2011
From: ayoung at redhat.com (Adam Young)
Date: Mon, 20 Jun 2011 13:02:45 -0400
Subject: [Freeipa-devel] [PATCH] 178 Removed FreeWay font files.
In-Reply-To: <4DF8DB9E.1020006@redhat.com>
References: <4DF8D7B2.4060101@redhat.com> <4DF8DB9E.1020006@redhat.com>
Message-ID: <4DFF7D35.6080009@redhat.com>

On 06/15/2011 12:19 PM, Endi Sukma Dewata wrote:
> On 6/15/2011 11:02 AM, Endi Sukma Dewata wrote:
>> The CSS files in install/html and install/migration have been
>> modified to use the Overpass font.
>>
>> The changes can be verified here:
>> http://edewata.fedorapeople.org/freeipa/install/html/unauthorized.html
>> http://edewata.fedorapeople.org/freeipa/install/migration/index.html
>
> Attached the patch.
>

ACK. Pushed to master

From edewata at redhat.com Mon Jun 20 17:34:30 2011
From: edewata at redhat.com (Endi Sukma Dewata)
Date: Mon, 20 Jun 2011 12:34:30 -0500
Subject: [Freeipa-devel] 0245-entity-select-undo
In-Reply-To: <4DFD54E5.4030003@redhat.com>
References: <4DFD54E5.4030003@redhat.com>
Message-ID: <4DFF84A6.9030003@redhat.com>

On 6/18/2011 8:46 PM, Adam Young wrote:
>

ACK and pushed to master.

The set_dirty() invocation in reset() is no longer needed. This can be
fixed later.

--
Endi S. Dewata

From rcritten at redhat.com Mon Jun 20 18:36:52 2011
From: rcritten at redhat.com (Rob Crittenden)
Date: Mon, 20 Jun 2011 14:36:52 -0400
Subject: [Freeipa-devel] [PATCH] 079 DNS installation fails when domain and host domain mismatch
In-Reply-To: <4DFB732C.7040404@redhat.com>
References: <1307617123.27281.8.camel@dhcp-25-52.brq.redhat.com> <4DF7A01E.6060900@redhat.com> <1308141755.11628.17.camel@dhcp-25-52.brq.redhat.com> <4DFB732C.7040404@redhat.com>
Message-ID: <4DFF9344.50102@redhat.com>

Rob Crittenden wrote:
> Martin Kosek wrote:
>> On Tue, 2011-06-14 at 13:53 -0400, Rob Crittenden wrote:
>>> Martin Kosek wrote:
>>>> This patch depends on my patch 078. A special patch for stable branch
>>>> attached.
>>>>
>>>> ---
>>>>
>>>> Create DNS domain for IPA server hostname first so that its forward
>>>> record can be added. This results in 2 forward DNS zones created
>>>> when server hostname doesn't equal server domain.
>>>>
>>>> https://fedorahosted.org/freeipa/ticket/1194
>>>
>>> This looks ok, just a style question.
>>>
>>> by definition fqdn is fully-qualified so is this necessary?
>>>
>>> + if '.' in self.fqdn:
>>> + self.host_domain = '.'.join(fqdn.split(".")[1:])
>>> + else:
>>> + self.host_domain = self.domain
>>>
>>> The test will always be true, right?
>>>
>>> rob
>>
>> It should be. Maybe I was overcautious in this place. Attaching updated
>> patches.
>>
>> Martin
>

ack

pushed the respective patches to ipa-2-0 and master

rob

From edewata at redhat.com Mon Jun 20 18:51:25 2011
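Review bot: in the quoted hunk the condition reads `self.fqdn` but the very next line splits a bare `fqdn` (`self.host_domain = '.'.join(fqdn.split(".")[1:])`); unless a local `fqdn` is bound in that scope this raises NameError on the one branch that can actually run, so both lines should read `self.fqdn` (or the local should be bound first). Rob's point also holds: a fully-qualified name always contains a dot, so the `else` branch assigning `self.domain` is unreachable and the test can be dropped, which the updated patches apparently did.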
From: edewata at redhat.com (Endi Sukma Dewata)
Date: Mon, 20 Jun 2011 13:51:25 -0500
Subject: [Freeipa-devel] [PATCH] 0237-no-redirect-on-unknown-error
In-Reply-To: <4DFBB26B.5080506@redhat.com>
References: <4DF8FBF7.9040302@redhat.com> <4DF943DB.90201@redhat.com> <4DF95B0B.1010807@redhat.com> <4DFBB26B.5080506@redhat.com>
Message-ID: <4DFF96AD.5010900@redhat.com>

On 6/17/2011 3:00 PM, Adam Young wrote:
> This version does the whitelist approach

ACK and pushed to master.

--
Endi S. Dewata

From ayoung at redhat.com Mon Jun 20 19:16:34 2011
From: ayoung at redhat.com (Adam Young)
Date: Mon, 20 Jun 2011 15:16:34 -0400
Subject: [Freeipa-devel] [PATCH] 0248-ipaddress-for-host-add
Message-ID: <4DFF9C92.4010508@redhat.com>

-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-admiyo-0248-ipaddress-for-host-add.patch
Type: text/x-patch
Size: 11221 bytes

From ayoung at redhat.com Mon Jun 20 19:17:30 2011
From: ayoung at redhat.com (Adam Young)
Date: Mon, 20 Jun 2011 15:17:30 -0400
Subject: [Freeipa-devel] [PATCH] 0246-editable-entity_select
In-Reply-To: <4DFF4F37.1060202@redhat.com>
References: <4DFF4F37.1060202@redhat.com>
Message-ID: <4DFF9CCA.7030601@redhat.com>

On 06/20/2011 09:46 AM, Adam Young wrote:
> https://fedorahosted.org/freeipa/ticket/1043
>

-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-admiyo-0246-1-editable-entity_select.patch
Type: text/x-patch
Size: 4817 bytes

From ayoung at redhat.com Mon Jun 20 19:38:03 2011
From: ayoung at redhat.com (Adam Young)
Date: Mon, 20 Jun 2011 15:38:03 -0400
Subject: [Freeipa-devel] [PATCH] 0246-editable-entity_select
In-Reply-To: <4DFF9CCA.7030601@redhat.com>
References: <4DFF4F37.1060202@redhat.com> <4DFF9CCA.7030601@redhat.com>
Message-ID: <4DFFA19B.6040502@redhat.com>

On 06/20/2011 03:17 PM, Adam Young wrote:
> On 06/20/2011 09:46 AM, Adam Young wrote:
>> https://fedorahosted.org/freeipa/ticket/1043
>>
>

ACKed in IRC by edewata

Made minor tweak from code review and pushed to master

From ayoung at redhat.com Mon Jun 20 19:44:54 2011
From: ayoung at redhat.com (Adam Young)
Date: Mon, 20 Jun 2011 15:44:54 -0400
Subject: [Freeipa-devel] [PATCH] 0248-ipaddress-for-host-add
In-Reply-To: <4DFF9C92.4010508@redhat.com>
References: <4DFF9C92.4010508@redhat.com>
Message-ID: <4DFFA336.8030801@redhat.com>

On 06/20/2011 03:16 PM, Adam Young wrote:
>

-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-admiyo-0248-1-ipaddress-for-host-add.patch
Type: text/x-patch
Size: 11221 bytes

From rcritten at redhat.com Mon Jun 20 19:42:20 2011
From: rcritten at redhat.com (Rob Crittenden)
Date: Mon, 20 Jun 2011 15:42:20 -0400
Subject: [Freeipa-devel] [PATCH] 806 configure sssd to talk to local master
Message-ID: <4DFFA29C.4090906@redhat.com>

On masters configure sssd to only talk to the local master rather than
having _srv_ as well. If we use _srv_ and a remote master is down the
local master will have problems as well.

ticket https://fedorahosted.org/freeipa/ticket/1187

rob

-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-rcrit-806-sssd.patch
Type: text/x-diff
Size: 1420 bytes

From jdennis at redhat.com Mon Jun 20 19:55:59 2011
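What the patch above changes is one line of the IPA domain section in sssd.conf: with `_srv_` in `ipa_server`, sssd resolves IPA servers through DNS SRV records and can end up depending on a remote master that is down, whereas naming only the local master keeps the master self-contained. The following is an added example for this page, not the patch itself, showing the weak setting beside the corrected one and a check a defender can run over an existing configuration. The sample sssd.conf text is constructed; the `[domain/...]`, `id_provider` and `ipa_server` names are the ones documented for sssd's IPA provider, and the host names are made up.

```python
import configparser
import io

# Constructed sample of the relevant part of an sssd.conf on an IPA master,
# as it looks with the weak setting: _srv_ is listed alongside the local host.
WEAK_CONF = """\
[sssd]
services = nss, pam
domains = example.com

[domain/example.com]
id_provider = ipa
ipa_domain = example.com
ipa_hostname = master.example.com
ipa_server = _srv_, master.example.com
"""


def srv_domains(conf_text):
    """Return the IPA domain sections whose ipa_server list still contains _srv_,
    i.e. where a DNS SRV lookup can steer this master to a remote one."""
    cp = configparser.ConfigParser()
    cp.read_string(conf_text)
    found = []
    for section in cp.sections():
        if not section.startswith('domain/'):
            continue
        if cp.get(section, 'id_provider', fallback='') != 'ipa':
            continue
        servers = [s.strip() for s in cp.get(section, 'ipa_server', fallback='').split(',')]
        if '_srv_' in servers:
            found.append(section)
    return found


def pin_to_local_master(conf_text, hostname):
    """Rewrite every IPA domain section so that ipa_server names only this master
    (the corrected setting); all other options are passed through unchanged."""
    cp = configparser.ConfigParser()
    cp.read_string(conf_text)
    for section in cp.sections():
        if section.startswith('domain/') and cp.get(section, 'id_provider', fallback='') == 'ipa':
            cp.set(section, 'ipa_server', hostname)
    out = io.StringIO()
    cp.write(out)
    return out.getvalue()


if __name__ == '__main__':
    print('sections still using _srv_:', srv_domains(WEAK_CONF))
    print(pin_to_local_master(WEAK_CONF, 'master.example.com'))
```

On a real system the text would come from /etc/sssd/sssd.conf and be written back with the file's original 0600 permissions, which configparser does not handle for you; the point of the check is that `srv_domains` returns an empty list on a correctly configured master.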
From: jdennis at redhat.com (John Dennis)
Date: Mon, 20 Jun 2011 15:55:59 -0400
Subject: [Freeipa-devel] [PATCH 24/24] Add utility classes for handling DN's along with their, unittest.
In-Reply-To: <4DFF52D7.9010001@redhat.com>
References: <4DF7F02A.9090001@redhat.com> <4DFF52D7.9010001@redhat.com>
Message-ID: <4DFFA5CF.5090803@redhat.com>

On 06/20/2011 10:01 AM, Rob Crittenden wrote:
> Am I misreading the documentation on how one can create a DN?
>
> >>> print container
> cn=users,cn=accounts
> >>> print basedn
> dc=example,dc=com
> >>> str(DN(container, basedn))
> 'cn=users,cn=accounts=dc\\=example\\,dc\\=com'
> >>> uid='rcrit'
> >>> rdnattr='uid'
> >>> str(DN('%s=%s' % (rdnattr, uid), container, basedn))
> 'uid=rcrit=cn\\=users\\,cn\\=accounts,dc=example,dc=com'

Either you misread the documentation, or I wrote it poorly. In either
case it's obvious it needs to be reworked to be clearer. Let me take
another crack at explaining :-)

[Caveat: I've made some simplifying assumptions below, e.g. RDN's can be
multi-valued, the classes handle everything correctly but only if you
use them properly, if you're working with multi-valued RDN's you'll have
to dig just a tad deeper to use the classes correctly.]

When you supply a sequence of strings those strings are assumed to be
the type (e.g. name) and value of a RDN. But of course since they must
be pairs the parser looks for adjacent pairs of strings in the sequence.
So taking your example cn=users forms the first RDN, thus:

'cn', 'users'

is the pair of an RDN.

If that were followed by:

'cn', 'accounts'

the next RDN would be: cn=accounts and the sequence:

'cn', 'users', 'cn', 'accounts'

would produce:

cn=users,cn=accounts

O.K. so why wouldn't you just say:

'cn=users,cn=accounts'

instead of the 2 pairs:

'cn', 'users', 'cn', 'accounts'

it's so much simpler right?

The reason, and this is key, is because 'cn=users,cn=accounts' is DN
syntax and is subject to DN encoding rules. What is on the left and
right side of the equal sign may NOT be the string values you expect
them to be, rather they might be encoded. The only way to treat the LHS
and RHS of an RDN as the ORIGINAL strings you're expecting is to
reference them individually via the classes in the module. The classes
know how to encode and decode and they can do it in a "smart" fashion.

It's NEVER a good idea to construct DN's from DN strings. Why? Because
DN strings are subject to various escaping rules which after being
applied produce what I call the encoded value of the DN. To complicate
matters different encodings can produce the same DN. Once you get into
these edge cases most simple expectations go out the window.

The simple coding answer is to always work with DN, RDN, or AVA objects
and never with DN string syntax. The objects are aware of each other and
perform the correct class conversions. The only time you need DN string
syntax is at the moment you pass the DN into a LDAP library, and that is
as simple as calling str() on the object.

O.K. so why do the classes accept DN syntax, you just told me never to
use it! Well welcome to the real world, where not everything has been
converted to use the new classes yet and the reality is sometimes you
get strings in DN syntax. We don't want to be so rigid we barf, rather
than being pedantic we support DN syntax but it comes with a GIANT
WARNING of programmer beware, use at your own risk only if you know what
you're doing.

So if DN syntax is a string and the type and value of an RDN are also
strings how do the classes tell the difference when it's looking at a
sequence of values used to construct a DN? It does it by looking for
contiguous pairs of strings in the sequence, when it finds two adjacent
strings it pulls them from the sequence and forms an RDN from them. A
string is interpreted as DN syntax to be independently parsed if and
only if it's not a member of a pair of strings in the sequence. Recall
the sequence can include DN, RDN and AVA classes as well as strings.

Thus in your case what happened was you had two strings in the
constructor sequence:

'cn=users,cn=accounts', 'dc=example,dc=com'

and that got interpreted as the LHS and RHS of an RDN.

The right way to have done this would have been to construct two DN's,
one for the base and one for the container, for example:

base_dn = DN('dc', 'example', 'dc', 'com')
container_dn = DN('cn', 'users', 'cn', 'accounts')

then any new DN can be constructed via:

user_dn = DN('cn', 'Bob', container_dn, base_dn)

Make sense?

Note the syntax for constructing the DN objects is very flexible, you
could build it up from a sequence of RDN objects or you could put the
values in a list and pass the list to the constructor, e.g.

base_dn_list = ['dc', 'example', 'dc', 'com']
base_dn = DN(*base_dn_list)

or even:

base_dn_list = [RDN('dc', 'example'), RDN('dc', 'com')]
base_dn = DN(*base_dn_list)

> The patch requires one very minor change, the import from dn should be
> from ipalib.dn import ... We run the tests from the top-level.

O.K. will do. Also I added some new functionality I discovered was
useful when I was making other fixes, such as the ability to use
in-place addition (+= operator) and concatenation (+ operator) with DN
syntax on the RHS. The unit test was enhanced to support those cases.
I'll resubmit the patch with better doc (please comment on what was
clear and what was not clear), the import fix, and the enhancements I
just mentioned.

--
John Dennis
Looking to carve out IT costs?
www.redhat.com/carveoutcosts/

From rcritten at redhat.com Mon Jun 20 20:06:57 2011
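John's explanation above comes down to one constructor rule: scanning the argument sequence, any two adjacent plain strings are taken as the type and value of one RDN, a lone string is parsed as DN syntax, and DN/RDN objects are spliced in as they are. The model below is an added example written for this page, not ipalib's DN module, and implements just that rule plus value escaping so that the two results Rob pasted, the intended `DN('cn', 'Bob', container_dn, base_dn)` form, and the later point in this thread that a simple container string evaluates to the identical string while a user-supplied value containing a comma stays intact can all be checked. Multi-valued RDNs and the AVA class are left out; the set of escaped characters (the RFC 4514 specials plus `=`, which the pasted output shows escaped) is this example's assumption.

```python
# Characters that get backslash-escaped in an RDN value when a DN is rendered
# as a string: the RFC 4514 specials plus '=', which the thread's output shows
# being escaped as well.  This is an assumption of the example, not ipalib's list.
_SPECIALS = ',+"\\<>;='


def escape_value(value):
    """Encode a raw attribute value for DN string syntax."""
    return ''.join('\\' + c if c in _SPECIALS else c for c in value)


def parse_dn_syntax(text):
    """Decode DN string syntax into [(type, raw value), ...] (single-valued RDNs).

    A backslash keeps the next character literally, an unescaped '=' ends the
    type, an unescaped ',' ends the RDN.  Raises ValueError for non-DN text.
    """
    rdns, attr, buf, i = [], None, [], 0
    while i < len(text):
        c = text[i]
        if c == '\\' and i + 1 < len(text):
            buf.append(text[i + 1])
            i += 2
            continue
        if c == '=' and attr is None:
            attr, buf = ''.join(buf).strip(), []
        elif c == ',':
            if attr is None:
                raise ValueError('not DN syntax: %r' % text)
            rdns.append((attr, ''.join(buf)))
            attr, buf = None, []
        else:
            buf.append(c)
        i += 1
    if attr is None:
        raise ValueError('not DN syntax: %r' % text)
    rdns.append((attr, ''.join(buf)))
    return rdns


class RDN:
    """One type=value pair; the value is kept raw and escaped only on output."""

    def __init__(self, attr, value):
        self.attr, self.value = attr, value

    def __str__(self):
        return '%s=%s' % (self.attr, escape_value(self.value))


class DN:
    """A sequence of RDNs built from strings, RDN objects and other DN objects."""

    def __init__(self, *args):
        self.rdns = []
        i = 0
        while i < len(args):
            arg = args[i]
            if isinstance(arg, DN):
                self.rdns.extend(arg.rdns)
            elif isinstance(arg, RDN):
                self.rdns.append(arg)
            elif isinstance(arg, str):
                # The pairing rule: two adjacent strings are the type and the
                # value of one RDN; a string without a string after it is DN syntax.
                if i + 1 < len(args) and isinstance(args[i + 1], str):
                    self.rdns.append(RDN(arg, args[i + 1]))
                    i += 1
                else:
                    self.rdns.extend(RDN(t, v) for t, v in parse_dn_syntax(arg))
            else:
                raise TypeError('unsupported DN component: %r' % (arg,))
            i += 1

    def __len__(self):
        return len(self.rdns)

    def __str__(self):
        return ','.join(str(rdn) for rdn in self.rdns)


def demo():
    """Replay the thread's examples; returns the rendered strings for inspection."""
    container = 'cn=users,cn=accounts'          # the existing string constants
    basedn = 'dc=example,dc=com'
    container_dn = DN('cn', 'users', 'cn', 'accounts')   # the object form
    base_dn = DN('dc', 'example', 'dc', 'com')
    return {
        # Rob's two calls: adjacent strings become one RDN, hence the escaping
        'pairs_as_rdn': str(DN(container, basedn)),
        'three_strings': str(DN('uid=rcrit', container, basedn)),
        # the intended way: build the sub-DNs first, then combine objects
        'intended': str(DN('cn', 'Bob', container_dn, base_dn)),
        # a simple container string renders back to the identical string
        'simple': str(DN(container)),
        # a user-supplied value with a comma is escaped, not split into an RDN
        'user_value': str(DN('cn', 'Smith, John', container_dn, base_dn)),
    }
```

The `user_value` case is the security-relevant one: rendered through the objects the comma is escaped, so the value cannot add an RDN of its own, and `parse_dn_syntax` recovers the original value from the rendered string, which is what the thread means by the classes knowing how to encode and decode.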
From: rcritten at redhat.com (Rob Crittenden)
Date: Mon, 20 Jun 2011 16:06:57 -0400
Subject: [Freeipa-devel] [PATCH 24/24] Add utility classes for handling DN's along with their, unittest.
In-Reply-To: <4DFFA5CF.5090803@redhat.com>
References: <4DF7F02A.9090001@redhat.com> <4DFF52D7.9010001@redhat.com> <4DFFA5CF.5090803@redhat.com>
Message-ID: <4DFFA861.7070603@redhat.com>

John Dennis wrote:
> On 06/20/2011 10:01 AM, Rob Crittenden wrote:
>> Am I misreading the documentation on how one can create a DN?
>>
>> >>> print container
>> cn=users,cn=accounts
>> >>> print basedn
>> dc=example,dc=com
>> >>> str(DN(container, basedn))
>> 'cn=users,cn=accounts=dc\\=example\\,dc\\=com'
>> >>> uid='rcrit'
>> >>> rdnattr='uid'
>> >>> str(DN('%s=%s' % (rdnattr, uid), container, basedn))
>> 'uid=rcrit=cn\\=users\\,cn\\=accounts,dc=example,dc=com'
>
> Either you misread the documentation, or I wrote it poorly. In either
> case it's obvious it needs to be reworked to be clearer. Let me take
> another crack at explaining :-)
>
> [Caveat: I've made some simplifying assumptions below, e.g. RDN's can be
> multi-valued, the classes handle everything correctly but only if you
> use them properly, if you're working with multi-valued RDN's you'll have
> to dig just a tad deeper to use the classes correctly.]
>
> When you supply a sequence of strings those strings are assumed to be
> the type (e.g. name) and value of a RDN. But of course since they must
> be pairs the parser looks for adjacent pairs of strings in the sequence.
> So taking your example cn=users forms the first RDN, thus:
>
> 'cn', 'users'
>
> is the pair of an RDN.
>
> If that were followed by:
>
> 'cn', 'accounts'
>
> the next RDN would be: cn=accounts and the sequence:
>
> 'cn', 'users', 'cn', 'accounts'
>
> would produce:
>
> cn=users,cn=accounts
>
> O.K. so why wouldn't you just say:
>
> 'cn=users,cn=accounts'
>
> instead of the 2 pairs:
>
> 'cn', 'users', 'cn', 'accounts'
>
> it's so much simpler right?
>
> The reason, and this is key, is because 'cn=users,cn=accounts' is DN
> syntax and is subject to DN encoding rules. What is on the left and
> right side of the equal sign may NOT be the string values you expect
> them to be, rather they might be encoded. The only way to treat the LHS
> and RHS of an RDN as the ORIGINAL strings you're expecting is to
> reference them individually via the classes in the module. The classes
> know how to encode and decode and they can do it in a "smart" fashion.
>
> It's NEVER a good idea to construct DN's from DN strings. Why? Because
> DN strings are subject to various escaping rules which after being
> applied produce what I call the encoded value of the DN. To complicate
> matters different encodings can produce the same DN. Once you get into
> these edge cases most simple expectations go out the window.
>
> The simple coding answer is to always work with DN, RDN, or AVA objects
> and never with DN string syntax. The objects are aware of each other and
> perform the correct class conversions. The only time you need DN string
> syntax is at the moment you pass the DN into a LDAP library, and that is
> as simple as calling str() on the object.
>
> O.K. so why do the classes accept DN syntax, you just told me never to
> use it! Well welcome to the real world, where not everything has been
> converted to use the new classes yet and the reality is sometimes you
> get strings in DN syntax. We don't want to be so rigid we barf, rather
> than being pedantic we support DN syntax but it comes with a GIANT
> WARNING of programmer beware, use at your own risk only if you know what
> you're doing.
>
> So if DN syntax is a string and the type and value of an RDN are also
> strings how do the classes tell the difference when it's looking at a
> sequence of values used to construct a DN? It does it by looking for
> contiguous pairs of strings in the sequence, when it finds two adjacent
> strings it pulls them from the sequence and forms an RDN from them. A
> string is interpreted as DN syntax to be independently parsed if and
> only if it's not a member of a pair of strings in the sequence. Recall
> the sequence can include DN, RDN and AVA classes as well as strings.
>
> Thus in your case what happened was you had two strings in the
> constructor sequence:
>
> 'cn=users,cn=accounts', 'dc=example,dc=com'
>
> and that got interpreted as the LHS and RHS of an RDN.
>
> The right way to have done this would have been to construct two DN's,
> one for the base and one for the container, for example:
>
> base_dn = DN('dc', 'example', 'dc', 'com')
> container_dn = DN('cn', 'users', 'cn', 'accounts')
>
> then any new DN can be constructed via:
>
> user_dn = DN('cn', 'Bob', container_dn, base_dn)
>
> Make sense?
>
> Note the syntax for constructing the DN objects is very flexible, you
> could build it up from a sequence of RDN objects or you could put the
> values in a list and pass the list to the constructor, e.g.
>
> base_dn_list = ['dc', 'example', 'dc', 'com']
> base_dn = DN(*base_dn_list)
>
> or even:
>
> base_dn_list = [RDN('dc', 'example'), RDN('dc', 'com')]
> base_dn = DN(*base_dn_list)
>
>
>> The patch requires one very minor change, the import from dn should be
>> from ipalib.dn import ... We run the tests from the top-level.
>
> O.K. will do. Also I added some new functionality I discovered was
> useful when I was making other fixes, such as the ability to use
> in-place addition (+= operator) and concatenation (+ operator) with DN
> syntax on the RHS. The unit test was enhanced to support those cases.
> I'll resubmit the patch with better doc (please comment on what was
> clear and what was not clear), the import fix, and the enhancements I
> just mentioned.
>

Take a look at ipalib/constants.py, it is full of containers like this.
It is hard to review this patch without seeing how it will be used in
the framework, are you planning on replacing all of these with DN
constructors?

Multi-valued RDNs are 100% guaranteed in IPA so the easier it is to work
with them the better.

rob

From sgallagh at redhat.com Mon Jun 20 20:38:27 2011
From: sgallagh at redhat.com (Stephen Gallagher)
Date: Mon, 20 Jun 2011 16:38:27 -0400
Subject: [Freeipa-devel] [PATCH] 806 configure sssd to talk to local master
In-Reply-To: <4DFFA29C.4090906@redhat.com>
References: <4DFFA29C.4090906@redhat.com>
Message-ID: <1308602308.2387.43.camel@sgallagh520.bos.redhat.com>

On Mon, 2011-06-20 at 15:42 -0400, Rob Crittenden wrote:
> On masters configure sssd to only talk to the local master rather than
> having _srv_ as well. If we use _srv_ and a remote master is down the
> local master will have problems as well.
>
> ticket https://fedorahosted.org/freeipa/ticket/1187

Ack

From jdennis at redhat.com Mon Jun 20 20:51:11 2011
From: jdennis at redhat.com (John Dennis)
Date: Mon, 20 Jun 2011 16:51:11 -0400
Subject: [Freeipa-devel] [PATCH 24/24] Add utility classes for handling DN's along with their, unittest.
In-Reply-To: <4DFFA861.7070603@redhat.com>
References: <4DF7F02A.9090001@redhat.com> <4DFF52D7.9010001@redhat.com> <4DFFA5CF.5090803@redhat.com> <4DFFA861.7070603@redhat.com>
Message-ID: <4DFFB2BF.8010605@redhat.com>

On 06/20/2011 04:06 PM, Rob Crittenden wrote:
> Take a look at ipalib/constants.py, it is full of containers like this.
> It is hard to review this patch without seeing how it will be used in
> the framework, are you planning on replacing all of these with DN
> constructors?

Yup, I'm aware of these. There are two easy solutions:

1) Leave the containers as they are. They can always be used with DN
class. This is another one of the reasons the DN class accepts DN syntax
(for legacy and simplicity). The existing containers are all simple
DN's, their encoded value and decoded values are identical. So as long
as any programmer who adds a new container understands the encoding
rules all will be good. (The problem with your example test was simply
you didn't use the constructor correctly. See "[PATCH 28/28]" for just
one way to construct a DN using the existing container and base strings
as we currently have them defined.)

2) Convert the containers to DN objects. From a robustness point of view
this is preferred. Converting them would be trivial. Once the containers
are DN objects the programmer can't make unintentional mistakes and the
objects combine correctly. The problem we were having is you CANNOT
treat DN's as simple strings, they aren't simple strings, they are
complex objects which in some instances are equivalent to simple strings.

My thought was to do the conversion to DN objects incrementally. I
deliberately wrote the classes to support incremental migration. We
start with the bugs which we know are due to problems with DN handling
and convert those first on an as needed basis rather than as a
potentially large disruptive modification.

The bottom line is we need to have some way to form DN's correctly from
pieces and pick DN components apart into component pieces again. We want
common utility code to do this and not have everybody take a crack at it
in isolated cases when trying to fix bugs. We also want it to support
our legacy implementation and be simple to use (at least those were the
goals I tried to hit).

> Multi-valued RDNs are 100% guaranteed in IPA so the easier it is to work
> with them the better.

I believe the classes make handling multi-valued RDN's quite easy. It's
just when you start to try and explain things it seems easier to not
fill the explanation with a bunch of caveats. If you understand
multi-valued RDN's and the AVA's they're composed from the classes will
make perfect sense and combine easily.

--
John Dennis
Looking to carve out IT costs?
www.redhat.com/carveoutcosts/

From jdennis at redhat.com Mon Jun 20 23:24:55 2011
From: jdennis at redhat.com (John Dennis)
Date: Mon, 20 Jun 2011 19:24:55 -0400
Subject: [Freeipa-devel] [PATCH 24/24] Add utility classes for handling DN's along with their, unittest.
In-Reply-To: <4DFFB2BF.8010605@redhat.com>
References: <4DF7F02A.9090001@redhat.com> <4DFF52D7.9010001@redhat.com> <4DFFA5CF.5090803@redhat.com> <4DFFA861.7070603@redhat.com> <4DFFB2BF.8010605@redhat.com>
Message-ID: <4DFFD6C7.7040902@redhat.com>

On 06/20/2011 04:51 PM, John Dennis wrote:
> On 06/20/2011 04:06 PM, Rob Crittenden wrote:
>> Take a look at ipalib/constants.py, it is full of containers like this.
>> It is hard to review this patch without seeing how it will be used in
>> the framework, are you planning on replacing all of these with DN
>> constructors?
>
> Yup, I'm aware of these. There are two easy solutions:
>
> 1) Leave the containers as they are. They can always be used with DN
> class. This is another one of the reasons the DN class accepts DN syntax
> (for legacy and simplicity). The existing containers are all simple
> DN's, their encoded value and decoded values are identical. So as long
> as any programmer who adds a new container understands the encoding
> rules all will be good. (The problem with your example test was simply
> you didn't use the constructor correctly. See "[PATCH 28/28]" for just
> one way to construct a DN using the existing container and base strings
> as we currently have them defined.)
>
> 2) Convert the containers to DN objects. From a robustness point of view
> this is preferred. Converting them would be trivial. Once the containers
> are DN objects the programmer can't make unintentional mistakes and the
> objects combine correctly. The problem we were having is you CANNOT
> treat DN's as simple strings, they aren't simple strings, they are
> complex objects which in some instances are equivalent to simple strings.

I meant to add that if the container and base definitions in constants.py are converted to DN objects (a good idea I believe, and easy) then in theory everything should still "just work", because when a DN object is evaluated in a string context (the only way these constants are used, I believe) you get the identical string to what we currently have in constants.py.

The pay-off comes mostly with user-supplied values which get used in conjunction with the container+base DN's, because unlike what's in constants.py, user-supplied values are not crafted by programmers aware of the rules of LDAP syntax. It's the DN's which result from user-supplied values which are the primary problem areas.

It really doesn't make much sense to use DN objects in selected known problem areas; for consistency and robustness we should use just one idiom throughout the code base, and things should just work much better all around. But the design of the classes allows for incremental conversion of the code as we converge on more consistent DN handling (a win/win situation).

BTW, it was very difficult to track down how some values were getting "corrupted" along the way. After looking at both the client and server side of things and the way we designed the RPC API mechanism, it became clear to me there was no easy fix, no band-aids: you really have to treat a DN string as data with known properties and behavior, e.g. an object that knows how to operate on its internal data. Everything else just has different failure modes.

> My thought was to do the conversion to DN objects incrementally. I
> deliberately wrote the classes to support incremental migration. We
> start with the bugs which we know are due to problems with DN handling
> and convert those first on an as needed basis rather than as a
> potentially large disruptive modification.
>
> The bottom line is we need to have some way to form DN's correctly from
> pieces and pick DN components apart into component pieces again. We want
> common utility code to do this and not have everybody take a crack at it
> in isolated cases when trying to fix bugs. We also want it to support
> our legacy implementation and be simple to use (at least those were the
> goals I tried to hit).
>
>> Multi-valued RDNs are 100% guaranteed in IPA so the easier it is to work
>> with them the better.
>
> I believe the classes make handling multi-valued RDN's quite easy.
>
> It's just when you start to try and explain things it seems easier to
> not fill the explanation with a bunch of caveats. If you understand
> multi-valued RDN's and the AVA's they're composed from the classes will
> make perfect sense and combine easily.
>

-- 
John Dennis
Looking to carve out IT costs? www.redhat.com/carveoutcosts/

From: edewata at redhat.com (Endi Sukma Dewata)
Date: Mon, 20 Jun 2011 19:07:27 -0500
Subject: [Freeip-devel] [PATCH] 0248-ipaddress-for-host-add
In-Reply-To: <4DFFA336.8030801@redhat.com>
References: <4DFF9C92.4010508@redhat.com> <4DFFA336.8030801@redhat.com>
Message-ID: <4DFFE0BF.2010701@redhat.com>

On 6/20/2011 2:44 PM, Adam Young wrote:
>

ACK. As mentioned over IRC, it's better to show the IP address field before the force checkbox. This can be fixed before push.

-- 
Endi S. Dewata

From: ayoung at redhat.com (Adam Young)
Date: Mon, 20 Jun 2011 20:53:40 -0400
Subject: [Freeipa-devel] [PATCH] 0248-ipaddress-for-host-add
In-Reply-To: <4DFFE0BF.2010701@redhat.com>
References: <4DFF9C92.4010508@redhat.com> <4DFFA336.8030801@redhat.com> <4DFFE0BF.2010701@redhat.com>
Message-ID: <4DFFEB94.6090204@redhat.com>

On 06/20/2011 08:07 PM, Endi Sukma Dewata wrote:
> On 6/20/2011 2:44 PM, Adam Young wrote:
>>
>
> ACK. As mentioned over IRC, it's better to show the IP address field
> before the force checkbox. This can be fixed before push.
>

Changed and pushed to master.
From: edewata at redhat.com (Endi Sukma Dewata)
Date: Mon, 20 Jun 2011 20:16:15 -0500
Subject: [Freeipa-devel] [PATCH] 0247-entity-select-for-password-policy
In-Reply-To: <4DFF60AF.9070003@redhat.com>
References: <4DFF60AF.9070003@redhat.com>
Message-ID: <4DFFF0DF.3000605@redhat.com>

On 6/20/2011 10:01 AM, Adam Young wrote:
>

ACK and pushed to master.

-- 
Endi S. Dewata

From: ayoung at redhat.com (Adam Young)
Date: Mon, 20 Jun 2011 21:25:14 -0400
Subject: [Freeipa-devel] [PATCH] 0249-optional-uid.
Message-ID: <4DFFF2FA.7090103@redhat.com>

Note that this patch needs a review by UXD in addition to code review.

[non-text attachment scrubbed: freeipa-admiyo-0249-optional-uid.patch, text/x-patch, 4238 bytes]
From: mkosek at redhat.com (Martin Kosek)
Date: Tue, 21 Jun 2011 10:21:50 +0200
Subject: [Freeipa-devel] [PATCH] 086 Fix IPA install for secure umask
In-Reply-To: <1308317850.29284.7.camel@dhcp-25-52.brq.redhat.com>
References: <1308314701.29284.2.camel@dhcp-25-52.brq.redhat.com> <1308317850.29284.7.camel@dhcp-25-52.brq.redhat.com>
Message-ID: <1308644512.28247.2.camel@dhcp-25-52.brq.redhat.com>

On Fri, 2011-06-17 at 15:37 +0200, Martin Kosek wrote:
> On Fri, 2011-06-17 at 14:44 +0200, Martin Kosek wrote:
> > Make sure that IPA can be installed with root umask set to secure
> > value 077. ipa-server-install was failing in DS configuration phase
> > when dirsrv tried to read boot.ldif created during installation.
> >
> > https://fedorahosted.org/freeipa/ticket/1282
> >
>
> Self-Nack. Even though install didn't fail, I didn't notice there are
> still issues with other files. For example dirsrv schema ldifs. This
> needs to be fixed.
>
> Martin

Sending a fixed version of the patch. See the ticket for instructions on how to test.

Martin

[non-text attachment scrubbed: freeipa-mkosek-086-2-fix-ipa-install-for-secure-umask.patch, text/x-patch, 8422 bytes]

From: jcholast at redhat.com (Jan Cholasta)
Date: Tue, 21 Jun 2011 14:15:55 +0200
Subject: [Freeipa-devel] [PATCH] 23 Add ability to specify DNS reverse zone name by IP network address
Message-ID: <4E008B7B.6020404@redhat.com>

This patch adds a new option name_from_ip to dnszone commands. The default value of idnsname is created from this option.

Honza

-- 
Jan Cholasta

[non-text attachment scrubbed: freeipa-jcholast-23-dnszone-reverse-ip.patch, text/x-patch, 13126 bytes]
From: simo at redhat.com (Simo Sorce)
Date: Tue, 21 Jun 2011 09:10:48 -0400
Subject: [Freeipa-devel] [v3 patches] Review request
Message-ID: <1308661848.25324.30.camel@willson.li.ssimo.org>

Hi,
I have a pile of patches in [1] which I'd like some review on. As explained in a mail to the list some time ago, this is code that will land in master once we are comfortable branching it for v3 work.

The first patch is named "Fix build warnings", and all patches on top of it prefixed with ipa-pwd-extop: or krbinstance: [2] should be safe to commit on master even now if someone is willing to test and give acks.

All the patches prefixed with ipa-kdb: [3] are instead the real v3 work, and I'd like comments on them. Keep in mind that this tree keeps being rebased on the current master, and I still squash fixes into the ipa-kdb patches if I find bugs. But the work is sort of settled and only minor bugfixing is going to be squashed in.

I will request additional functional ACKs before merging this work into master later on, but that will be mostly install/test; I am looking for a source code level review at this stage.

Thanks,
Simo.

[1] http://fedorapeople.org/gitweb?p=simo/public_git/freeipa.git;a=log;h=refs/heads/freeipa-v3

[2]
ipa-pwd-extop: Move encoding in common too
ipa-pwd-extop: Move encryption of keys in common
ipa-pwd-extop: Use common krb5 structs from kdb.h
ipa-pwd-extop: re-indent code using old style
ipa-pwd-extop: Use the proper mkvno number in keys
ipa-pwd-extop: do not append mkvno to krbExtraData
ipa-pwd-extop: Remove unused variables and code to...
krbinstance: use helper function to get realm suffix
ipa-pwd_extop: use endian.h instead of nih function
Fix build warnings

[3]
ipa-kdb: Restrict add/del operations for now (freeipa-v3)
ipa-kdb: Get/Store Master Key directly from LDAP
ipa-kdb: add functions to manipulate principals
ipa-kdb: add function to iterate over principals
ipa-kdb: add functions to delete principals
ipa-kdb: add function to free principals
ipa-kdb: functions to get principal
ipa-kdb: add common utility ldap wrapper functions
ipa-kdb: implement get_time function
ipa-kdb: initialize module functions
ipa-kdb: Initial plugin skeleton

-- 
Simo Sorce * Red Hat, Inc * New York
From: ayoung at redhat.com (Adam Young)
Date: Tue, 21 Jun 2011 10:04:22 -0400
Subject: [Freeipa-devel] [PATCH] 23 Add ability to specify DNS reverse zone name by IP network address
In-Reply-To: <4E008B7B.6020404@redhat.com>
References: <4E008B7B.6020404@redhat.com>
Message-ID: <4E00A4E6.1070103@redhat.com>

On 06/21/2011 08:15 AM, Jan Cholasta wrote:
> This patch adds a new option name_from_ip to dnszone commands. Default
> value of idnsname is created from this option.
>
> Honza
>
>
> _______________________________________________
> Freeipa-devel mailing list
> Freeipa-devel at redhat.com
> https://www.redhat.com/mailman/listinfo/freeipa-devel

Some questions:

Is the field name_from_ip conditional? I assume that either we want to provide the name, or calculate the name from the IP address. Should the field be a checkbox?

Will your code to calculate the reverse zone for an IPv6 address work for the shorthand notation like this?

feco:aaaa:bbbb::1111

What is the point of the code

+        while True:
+            default = self.get_default(**params)
+            if len(default) == 0:
+                break
+            params.update(default)

I am guessing that there is no risk of an infinite loop here. Just seems like this code is meant to run for things other than dns.
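Review bot: termination of the quoted `while True` loop rests entirely on `self.get_default(**params)` eventually returning an empty dict, and nothing in these five lines guarantees that. If get_default() ever returns a value for a param that is already present in params (a default derived from a constant, say), `params.update(default)` leaves the key set unchanged and the loop never exits. Either document that get_default() only returns defaults for params still absent from params, or make the loop's progress explicit, e.g. `if not default or set(default) <= set(params): break`, so a non-advancing pass ends it.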
From: dpal at redhat.com (Dmitri Pal)
Date: Tue, 21 Jun 2011 10:00:35 -0400
Subject: [Freeipa-devel] [PATCH] 23 Add ability to specify DNS reverse zone name by IP network address
In-Reply-To: <4E008B7B.6020404@redhat.com>
References: <4E008B7B.6020404@redhat.com>
Message-ID: <4E00A403.6000601@redhat.com>

On 06/21/2011 08:15 AM, Jan Cholasta wrote:
> This patch adds a new option name_from_ip to dnszone commands. Default
> value of idnsname is created from this option.
>
> Honza

What ticket is it for?

-- 
Thank you,
Dmitri Pal

Sr. Engineering Manager IPA project,
Red Hat Inc.

-------------------------------
Looking to carve out IT costs?
www.redhat.com/carveoutcosts/

From: mkosek at redhat.com (Martin Kosek)
Date: Tue, 21 Jun 2011 16:10:24 +0200
Subject: [Freeipa-devel] [PATCH] 806 configure sssd to talk to local master
In-Reply-To: <1308602308.2387.43.camel@sgallagh520.bos.redhat.com>
References: <4DFFA29C.4090906@redhat.com> <1308602308.2387.43.camel@sgallagh520.bos.redhat.com>
Message-ID: <1308665427.28247.3.camel@dhcp-25-52.brq.redhat.com>

On Mon, 2011-06-20 at 16:38 -0400, Stephen Gallagher wrote:
> On Mon, 2011-06-20 at 15:42 -0400, Rob Crittenden wrote:
> > On masters configure sssd to only talk to the local master rather than
> > having _srv_ as well. If we use _srv_ and a remote master is down the
> > local master will have problems as well.
> >
> > ticket https://fedorahosted.org/freeipa/ticket/1187
> >
> Ack

Pushed to master, ipa-2-0.

Martin
From: mkosek at redhat.com (Martin Kosek)
Date: Tue, 21 Jun 2011 16:20:04 +0200
Subject: [Freeipa-devel] [PATCH] 23 Add ability to specify DNS reverse zone name by IP network address
In-Reply-To: <4E008B7B.6020404@redhat.com>
References: <4E008B7B.6020404@redhat.com>
Message-ID: <1308666006.28247.7.camel@dhcp-25-52.brq.redhat.com>

On Tue, 2011-06-21 at 14:15 +0200, Jan Cholasta wrote:
> This patch adds a new option name_from_ip to dnszone commands. Default
> value of idnsname is created from this option.
>
> Honza

One more comment - we don't want a major API version change. This would make existing v2 clients/servers incompatible until both are updated.

In this case only a minor API version bump is needed, as the API remains backwards compatible with the old one.

Martin

From: jcholast at redhat.com (Jan Cholasta)
Date: Tue, 21 Jun 2011 16:22:01 +0200
Subject: [Freeipa-devel] [PATCH] 23 Add ability to specify DNS reverse zone name by IP network address
In-Reply-To: <4E00A403.6000601@redhat.com>
References: <4E008B7B.6020404@redhat.com> <4E00A403.6000601@redhat.com>
Message-ID: <4E00A909.1080200@redhat.com>

On 21.6.2011 16:00, Dmitri Pal wrote:
> On 06/21/2011 08:15 AM, Jan Cholasta wrote:
>> This patch adds a new option name_from_ip to dnszone commands. Default
>> value of idnsname is created from this option.
>>
>> Honza
>
> What ticket is it for?

https://fedorahosted.org/freeipa/ticket/1045

-- 
Jan Cholasta
From: jcholast at redhat.com (Jan Cholasta)
Date: Tue, 21 Jun 2011 16:32:32 +0200
Subject: [Freeipa-devel] [PATCH] 23 Add ability to specify DNS reverse zone name by IP network address
In-Reply-To: <4E00A4E6.1070103@redhat.com>
References: <4E008B7B.6020404@redhat.com> <4E00A4E6.1070103@redhat.com>
Message-ID: <4E00AB80.1020903@redhat.com>

On 21.6.2011 16:04, Adam Young wrote:
> On 06/21/2011 08:15 AM, Jan Cholasta wrote:
>> This patch adds a new option name_from_ip to dnszone commands. Default
>> value of idnsname is created from this option.
>>
>> Honza
>
> Some questions:
>
> Is the field name_from_ip conditional? I assume that either we want to
> provide the name, or calculate the name from the IP address.

If name_from_ip is used, the default value for idnsname is created from it. Thus, if both idnsname and name_from_ip are specified, idnsname has precedence.

>
> Should the field be a checkbox?

Possibly. I'll leave that to you (and the rest of you UI developers) to decide.

>
> Will your code to calculate the reverse zone for an IPv6 address work for
> the shorthand notation like this?
>
> feco:aaaa:bbbb::1111

It is handled by python-netaddr, so yes.

>
> What is the point of the code
> +        while True:
> +            default = self.get_default(**params)
> +            if len(default) == 0:
> +                break
> +            params.update(default)
>
> I am guessing that there is no risk of an infinite loop here. Just
> seems like this code is meant to run for things other than dns.

This is to make chained default_from work - the idnssoarname default is created from idnsname, and the idnsname default is created from name_from_ip - without this change, the idnssoarname default value isn't created when only name_from_ip is specified.

Honza

-- 
Jan Cholasta
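The two pieces Jan describes, as an added example in Python that is not the patch's own code: deriving the reverse zone name from an IPv4 or IPv6 network, and the chained default_from evaluation with the loop Adam quoted, showing why it terminates. It uses the standard library ipaddress module in place of python-netaddr, and the default_from table for idnsname and idnssoarname is constructed for illustration.

```python
"""Reverse zone name from an IP network, plus the chained-default loop discussed above.
Added example, not the patch's code: stdlib ipaddress stands in for python-netaddr and
the dnszone default_from table below is constructed for illustration."""
import ipaddress


def reverse_zone_name(network):
    """Map a network (CIDR, or a bare address defaulting to /24 or /64) to its
    in-addr.arpa / ip6.arpa zone. Prefix lengths round down to whole octets (v4)
    or nibbles (v6); RFC 2317 classless delegation is out of scope."""
    if '/' not in network:
        addr = ipaddress.ip_address(network)
        network = '%s/%d' % (addr, 24 if addr.version == 4 else 64)
    net = ipaddress.ip_network(network, strict=False)   # masks off host bits
    labels = net.network_address.reverse_pointer.split('.')
    if net.version == 4:
        keep, total = net.prefixlen // 8, 4
    else:
        keep, total = net.prefixlen // 4, 32
    return '.'.join(labels[total - keep:])


# Constructed default_from chain in the style of the dnszone plugin:
# target param -> (param it derives from, function that derives it).
DEFAULT_FROM = {
    'idnsname': ('name_from_ip', reverse_zone_name),
    'idnssoarname': ('idnsname', lambda zone: 'hostmaster.' + zone),
}


def get_default(params, default_from=DEFAULT_FROM):
    """Defaults for params that are absent and whose source is present. A param is
    never recomputed once present, so every non-empty result adds a new key."""
    return {name: fn(params[src]) for name, (src, fn) in default_from.items()
            if name not in params and src in params}


def fill_defaults(params, default_from=DEFAULT_FROM):
    """The loop from the patch: iterate until no further default can be derived.
    It terminates because the key set grows on every pass and is bounded by
    len(default_from); an explicitly given idnsname wins over name_from_ip."""
    params = dict(params)
    while True:
        default = get_default(params, default_from)
        if len(default) == 0:
            break
        params.update(default)
    return params


if __name__ == '__main__':
    print(fill_defaults({'name_from_ip': '192.168.1.0/24'}))
    # the shorthand IPv6 notation asked about above, with a valid leading hex group
    print(fill_defaults({'name_from_ip': 'fec0:aaaa:bbbb::1111'}))
    print(fill_defaults({'idnsname': 'example.com', 'name_from_ip': '10.0.0.0/8'}))
```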
From: jcholast at redhat.com (Jan Cholasta)
Date: Tue, 21 Jun 2011 16:33:13 +0200
Subject: [Freeipa-devel] [PATCH] 23 Add ability to specify DNS reverse zone name by IP network address
In-Reply-To: <1308666006.28247.7.camel@dhcp-25-52.brq.redhat.com>
References: <4E008B7B.6020404@redhat.com> <1308666006.28247.7.camel@dhcp-25-52.brq.redhat.com>
Message-ID: <4E00ABA9.8030903@redhat.com>

On 21.6.2011 16:20, Martin Kosek wrote:
> On Tue, 2011-06-21 at 14:15 +0200, Jan Cholasta wrote:
>> This patch adds a new option name_from_ip to dnszone commands. Default
>> value of idnsname is created from this option.
>>
>> Honza
>
> One more comment - we don't want major API version change. This would
> make existing v2 clients/server incompatible until both are updated.
>
> In this case only a minor API version bump is needed as the API remains
> backwards compatible with the old one.

OK.

>
> Martin
>

Honza

-- 
Jan Cholasta

From: edewata at redhat.com (Endi Sukma Dewata)
Date: Tue, 21 Jun 2011 10:06:26 -0500
Subject: [Freeipa-devel] [PATCH] 0249-optional-uid.
In-Reply-To: <4DFFF2FA.7090103@redhat.com>
References: <4DFFF2FA.7090103@redhat.com>
Message-ID: <4E00B372.20309@redhat.com>

On 6/20/2011 8:25 PM, Adam Young wrote:
> Note that this patch needs a review by UXD in addition to code review

Some issues:

1. The patch tries to find the elements to be hidden using span.find('input'). This will not work with all widgets because some widgets use other elements or some combination. I think it's better to add the link outside the span, then hide the span itself to hide the entire widget.

2. Hiding the optional widgets but not the labels might not be enough to simplify the screen because they still occupy some space. Another solution is to hide both the labels and the widgets (i.e. the entire row), then have a link to hide/show all optional fields somewhere else.

-- 
Endi S. Dewata
From: edewata at redhat.com (Endi Sukma Dewata)
Date: Tue, 21 Jun 2011 10:15:45 -0500
Subject: [Freeipa-devel] [PATCH] 184 Fixed problem with navigation tabs on reload.
Message-ID: <4E00B5A1.7020803@redhat.com>

The navigation has been fixed to show the correct active tabs after browser reload.

Ticket #1362

-- 
Endi S. Dewata

[non-text attachment scrubbed: freeipa-edewata-0184-Fixed-problem-with-navigation-tabs-on-reload.patch, text/x-patch, 2106 bytes]

From: ayoung at redhat.com (Adam Young)
Date: Tue, 21 Jun 2011 11:39:53 -0400
Subject: [Freeipa-devel] [PATCH] 0249-optional-uid.
In-Reply-To: <4E00B372.20309@redhat.com>
References: <4DFFF2FA.7090103@redhat.com> <4E00B372.20309@redhat.com>
Message-ID: <4E00BB49.7070701@redhat.com>

On 06/21/2011 11:06 AM, Endi Sukma Dewata wrote:
> On 6/20/2011 8:25 PM, Adam Young wrote:
>> Note that this patch needs a review by UXD in addition to code review
>
> Some issues:
>
> 1. The patch tries to find the elements to be hidden using
> span.find('input'). This will not work with all widgets because
> some widgets use other elements or some combination. I think it's
> better to add the link outside the span, then hide the span itself
> to hide the entire widget.

That makes sense. We'd have an input span and an optional_link span.

>
> 2. Hiding the optional widgets but not the labels might not be enough
> to simplify the screen because they still occupy some space. Another
> solution is to hide both the labels and the widgets (i.e. the entire
> row) then have a link to hide/show all optional fields somewhere
> else.
>

No, since optional fields are not necessarily related.
From: kybaker at redhat.com (Kyle Baker)
Date: Tue, 21 Jun 2011 12:09:39 -0400 (EDT)
Subject: [Freeipa-devel] [PATCH] 0009-Tab-and-spacing-on-list
In-Reply-To: <2052010110.124313.1308672402368.JavaMail.root@zmail05.collab.prod.int.phx2.redhat.com>
Message-ID: <1364899868.124363.1308672579824.JavaMail.root@zmail05.collab.prod.int.phx2.redhat.com>

Changes some spacing on the list and facet tab pages as well as styles the tabs. This patch and 0010 should result in the attached screen shot.

Kyle Baker
Visual Designer
Desk - 978 392 3116
IRC - kylebaker

[non-text attachment scrubbed: Screen shot.png, image/png, 102675 bytes]
[non-text attachment scrubbed: freeipa-kybaker-0009-Tab-and-spacing-on-list.patch, text/x-patch, 7480 bytes]

From: kybaker at redhat.com (Kyle Baker)
Date: Tue, 21 Jun 2011 12:13:55 -0400 (EDT)
Subject: [Freeipa-devel] [PATCH] 0010-Facet-icon-swap-and-tab-sizing
In-Reply-To: <1505856350.124390.1308672774438.JavaMail.root@zmail05.collab.prod.int.phx2.redhat.com>
Message-ID: <166584433.124417.1308672835768.JavaMail.root@zmail05.collab.prod.int.phx2.redhat.com>

Minor tweaks to the sizing of the facet tabs as well as new icons under the facets. Attached a screen shot of the 0009 and 0010 results. The same screen shot is attached in 0009 as well.

Kyle Baker
Visual Designer
Desk - 978 392 3116
IRC - kylebaker

[non-text attachment scrubbed: freeipa-kybaker-0010-Facet-icon-swap-and-tab-sizing.patch, text/x-patch, 6145 bytes]
[non-text attachment scrubbed: Screen shot.png, image/png, 102675 bytes]
From: rcritten at redhat.com (Rob Crittenden)
Date: Tue, 21 Jun 2011 13:14:17 -0400
Subject: [Freeipa-devel] [PATCH] 799 The IP address provided to ipa-server-install must be local
In-Reply-To: <1308241088.11003.18.camel@dhcp-25-52.brq.redhat.com>
References: <4DF67603.5030508@redhat.com> <1308039954.22442.14.camel@dhcp-25-52.brq.redhat.com> <4DF75A88.6080301@redhat.com> <1308058755.22442.18.camel@dhcp-25-52.brq.redhat.com> <4DF76BC7.6080302@redhat.com> <4DF8FA27.5040608@redhat.com> <1308214997.11003.13.camel@dhcp-25-52.brq.redhat.com> <4DFA0007.9010607@redhat.com> <1308241088.11003.18.camel@dhcp-25-52.brq.redhat.com>
Message-ID: <4E00D169.90308@redhat.com>

Martin Kosek wrote:
> On Thu, 2011-06-16 at 09:07 -0400, Rob Crittenden wrote:
>>> I think this is still not right. When you let match_local default to
>>> False, --ip-address option in ipa-server-install is checked with
>>> match_local=False and thus the check required by BZ isn't made.
>>
>> Yes but it is checked again later. Try it, enforcement happens.
>
> Yes.
>
>>
>>> Please check my patch 083 I sent this morning. It makes sure that IP
>>> address validation with CheckedIPAddress is run with correct parameters
>>> (i.e. match_local, parse_netmask). You may want to build your patch on
>>> top of this one.
>>>
>>> Should we be so strict and raise an exception when the IP address does
>>> not match any local interface? Maybe a warning would be enough.
>>> ipa-server-install will fail anyway few steps later in a scenario
>>> described in BZ.
>>
>> We should fail as soon as possible. By doing this before installation
>> starts they don't have to uninstall.
>>
>> rob
>
> In fact, if we apply your patch on top of my patch 083 it works just
> fine and --ip-address is checked against network interfaces in option
> parsing phase.
>
> So ACK from me if it is applied on top of my patch 083 (not reviewed
> yet).
>
> Martin
>

Pushed to master.
From: edewata at redhat.com (Endi Sukma Dewata)
Date: Tue, 21 Jun 2011 12:27:04 -0500
Subject: [Freeipa-devel] [PATCH] 0009-Tab-and-spacing-on-list
In-Reply-To: <1364899868.124363.1308672579824.JavaMail.root@zmail05.collab.prod.int.phx2.redhat.com>
References: <1364899868.124363.1308672579824.JavaMail.root@zmail05.collab.prod.int.phx2.redhat.com>
Message-ID: <4E00D468.1040009@redhat.com>

On 6/21/2011 11:09 AM, Kyle Baker wrote:
> Changes some spacing on the list and facet tab pages as well as styles the tabs. This patch and 0010 should result in the attached screen shot.

Some issues:

1. This is actually an existing problem, but it looks like we're relying a lot on button labels, which will be translated, so the styling will not work in other languages.

[title="Enroll"] {
    font-size: 1.3em !important;
    padding: 0 0 2px 6px;
}

I think we should use the 'facet-controls' CSS class instead.

2. The patch defines the styling for individual facets such as:

[name="member_role"] {
    margin-top: 30px;
    margin-left: 7px;
}

This will be a maintenance issue. I think we should use the 'facet' CSS class instead.

-- 
Endi S. Dewata
From: kybaker at redhat.com (Kyle Baker)
Date: Tue, 21 Jun 2011 13:32:30 -0400 (EDT)
Subject: [Freeipa-devel] [PATCH] 0009-Tab-and-spacing-on-list
In-Reply-To: <4E00D468.1040009@redhat.com>
Message-ID: <1732034926.125538.1308677550724.JavaMail.root@zmail05.collab.prod.int.phx2.redhat.com>

Both of those suggestions would be great, but it will require new styles to be created.

1. We need a style for facet-controls on a list page and a totally separate style for controls on the detail pages.

2. This will require an umbrella style for all facet controls.

Kyle Baker
Visual Designer
Desk - 978 392 3116
IRC - kylebaker

----- Original Message -----
> On 6/21/2011 11:09 AM, Kyle Baker wrote:
> > Changes some spacing on the list and facet tab pages as well as
> > styles the tabs. This patch and 0010 should result in the attached
> > screen shot.
>
> Some issues:
>
> 1. This is actually an existing problem, but it looks like we're relying
> a lot on button labels which will be translated so the styling will not
> work in other languages.
>
> [title="Enroll"] {
>     font-size: 1.3em !important;
>     padding: 0 0 2px 6px;
> }
>
> I think we should use the 'facet-controls' CSS class instead.
>
> 2. The patch defines the styling for individual facets such as:
>
> [name="member_role"] {
>     margin-top: 30px;
>     margin-left: 7px;
> }
>
> This will be a maintenance issue. I think we should use the 'facet' CSS
> class instead.
>
> --
> Endi S. Dewata
From: ayoung at redhat.com (Adam Young)
Date: Tue, 21 Jun 2011 14:45:19 -0400
Subject: [Freeipa-devel] [PATCH] 184 Fixed problem with navigation tabs on reload.
In-Reply-To: <4E00B5A1.7020803@redhat.com>
References: <4E00B5A1.7020803@redhat.com>
Message-ID: <4E00E6BF.8040400@redhat.com>

On 06/21/2011 11:15 AM, Endi Sukma Dewata wrote:
> The navigation has been fixed to show the correct active tabs after
> browser reload.
>
> Ticket #1362
>

ACK. Pushed to master.

From: ayoung at redhat.com (Adam Young)
Date: Tue, 21 Jun 2011 14:52:41 -0400
Subject: [Freeipa-devel] [PATCH] 0250-tooltips-for-host-add
Message-ID: <4E00E879.60103@redhat.com>

[non-text attachment scrubbed: freeipa-admiyo-0250-tooltips-for-host-add.patch, text/x-patch, 1603 bytes]

From: rcritten at redhat.com (Rob Crittenden)
Date: Tue, 21 Jun 2011 16:10:14 -0400
Subject: [Freeipa-devel] [PATCH] 807 get schema in json handler
Message-ID: <4E00FAA6.60406@redhat.com>

If the first request the web server handles is for a bad ticket (e.g. expired) then it is possible to get past the point where the lazy LDAP schema retrieval would happen, causing a backtrace in the json handler. Add a call to get the schema which will be skipped if a valid schema has already been retrieved.

ticket https://fedorahosted.org/freeipa/ticket/1354

rob

[non-text attachment scrubbed: freeipa-rcrit-807-schema.patch, text/x-diff, 886 bytes]
From: ayoung at redhat.com (Adam Young)
Date: Tue, 21 Jun 2011 16:40:36 -0400
Subject: [Freeipa-devel] [PATCH] 807 get schema in json handler
In-Reply-To: <4E00FAA6.60406@redhat.com>
References: <4E00FAA6.60406@redhat.com>
Message-ID: <4E0101C4.9040606@redhat.com>

On 06/21/2011 04:10 PM, Rob Crittenden wrote:
> If the first request the web server handles is for a bad ticket (e.g.
> expired) then it is possible to get past the point where the lazy LDAP
> schema retrieval would happen causing a backtrace in the json handler.
> Add a call to get the schema which will be skipped if a valid schema
> has already been retrieved.
>
> ticket https://fedorahosted.org/freeipa/ticket/1354
>
> rob
>

ACK. Pushed to master. Seems to fix 1354.
From: dpal at redhat.com (Dmitri Pal) Date: Tue, 21 Jun 2011 18:28:36 -0400 Subject: [Freeipa-devel] Kerberos implementation issues In-Reply-To: <20110621160610.6613cb5f@lembas.zaitcev.lan> References: <20110621160610.6613cb5f@lembas.zaitcev.lan> Message-ID: <4E011B14.1030404@redhat.com> On 06/21/2011 06:06 PM, Pete Zaitcev wrote: > Dear Sumit: > > I heard from Mike Orazi that Dmitry recommened you as an expert in > Kerberos issues. I am working on adding authentication/authorization > to Image Warehouse (a.k.a. iwhd). It uses HTTP protocol, implemented > with GNU Microhttpd. The general plan is to use FreeIPA as the > auth provider, but for now I have a different question: what protocol > should I implement for HTTP transactions? > > The client is expected to use Kerberos to obtain a session ticket, > and something like that happens on the server as well. Then, the HTTP > is authenticated and authorized. > > So far, I gather that so-called "SPNEGO" protocol is what everyone > uses (RFC 4178). It relies on GSS-API (2743/2744) and Kerberos (4121). > There's also a "Kerberos on Widows" thing (4559), which actually > defines the key pieces such as "WWW-Authenticate: Negotiate". > > The one strange thing though is that curl seems to imply having a > support for "Negotiate" authentication type separate from SPNEGO. > Fedora, while being the main target for FreeIPA, ships curl without > SPNEGO. So, I suspect that I may be missing a protocol to implement. > > Yours, > -- Pete SPNEGO is the MSFT flavor of the negotiation protocol. http://en.wikipedia.org/wiki/SPNEGO I do not remember the details but it is different from "Negotiate", which is the pure GSSAPI with Kerberos what is used everywhere in Fedora and RHEL. What web server you are using? It is mostly something that is used outside the application by the web server itself. 
Like with Apache you can use/configure mod_auth_kerb and if the client
is configured to negotiate kerberos and the apache server has a keytab
and a service principal (name) in KDC (freeIPA) you are all set.
This is how the Katello prototype has been set up.

So the point is that you do not need to implement the Kerberos
Negotiation; the web server should do it for you. Katello is currently
set up with the Apache server in the proxy mode so that it does the
negotiation and then proxies the traffic to the actual app.

The transactions would require a state. You can try to do something that
we are planning to do in IPA to reduce the cost of the re-negotiation on
every request. We plan to use a cookie. But it all depends on what your
transactions are for. Do they define the "commit" boundaries or are they
just to reduce renegotiation?

-- 
Thank you,
Dmitri Pal

Sr. Engineering Manager IPA project,
Red Hat Inc.

-------------------------------
Looking to carve out IT costs?
www.redhat.com/carveoutcosts/

From zaitcev at redhat.com Tue Jun 21 22:06:10 2011
From: zaitcev at redhat.com (Pete Zaitcev)
Date: Tue, 21 Jun 2011 16:06:10 -0600
Subject: [Freeipa-devel] Kerberos implementation issues
Message-ID: <20110621160610.6613cb5f@lembas.zaitcev.lan>

Dear Sumit:

I heard from Mike Orazi that Dmitry recommended you as an expert in
Kerberos issues. I am working on adding authentication/authorization
to Image Warehouse (a.k.a. iwhd). It uses HTTP protocol, implemented
with GNU Microhttpd. The general plan is to use FreeIPA as the
auth provider, but for now I have a different question: what protocol
should I implement for HTTP transactions?

The client is expected to use Kerberos to obtain a session ticket,
and something like that happens on the server as well. Then, the HTTP
is authenticated and authorized.

So far, I gather that so-called "SPNEGO" protocol is what everyone
uses (RFC 4178). It relies on GSS-API (2743/2744) and Kerberos (4121).
There's also a "Kerberos on Windows" thing (4559), which actually
defines the key pieces such as "WWW-Authenticate: Negotiate".

The one strange thing though is that curl seems to imply having a
support for "Negotiate" authentication type separate from SPNEGO.
Fedora, while being the main target for FreeIPA, ships curl without
SPNEGO. So, I suspect that I may be missing a protocol to implement.

Yours,
-- Pete

From edewata at redhat.com Wed Jun 22 02:19:40 2011
From: edewata at redhat.com (Endi Sukma Dewata)
Date: Tue, 21 Jun 2011 21:19:40 -0500
Subject: [Freeipa-devel] [PATCH] 0250-tooltips-for-host-add
In-Reply-To: <4E00E879.60103@redhat.com>
References: <4E00E879.60103@redhat.com>
Message-ID: <4E01513C.4070005@redhat.com>

On 6/21/2011 1:52 PM, Adam Young wrote:
>

ACK and pushed to master.

-- 
Endi S. Dewata

From edewata at redhat.com Wed Jun 22 03:09:30 2011
From: edewata at redhat.com (Endi Sukma Dewata)
Date: Tue, 21 Jun 2011 22:09:30 -0500
Subject: [Freeipa-devel] [PATCH] 185 Converted entity header into facet header.
Message-ID: <4E015CEA.20103@redhat.com>

The content and the size of the entity header change depending on the
facet being displayed, so the entity header has been converted into a
facet header to allow better control via CSS. The DNS record facet has
been updated to use the same styles and support scrolling. To help
styling and testing, all buttons have been assigned a name.

This patch requires Kyle's patch #9 and #10.

Demo is available here:
http://edewata.fedorapeople.org/freeipa/install/ui/index.html

-- 
Endi S. Dewata

-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-edewata-0185-Converted-entity-header-into-facet-header.patch
Type: text/x-patch
Size: 44406 bytes
Desc: not available

From mkosek at redhat.com Wed Jun 22 08:07:54 2011
From: mkosek at redhat.com (Martin Kosek)
Date: Wed, 22 Jun 2011 10:07:54 +0200
Subject: [Freeipa-devel] [PATCH] 087 Allow recursion by default
Message-ID: <1308730076.13562.16.camel@dhcp-25-52.brq.redhat.com>

I suggest adding the following doc to the end of chapter "5.6. DNS"
(after the paragraphs about forwarders):

Any host is permitted to issue recursive queries against configured
forwarders by default. When required, this behavior can be changed in
/etc/named.conf in the "allow-recursion" statement. Please consult the
name server documentation for details on how to edit the configuration
statement.

----

How to test:
1) install IPA with --setup-dns and a defined --forwarder
2) query a record not managed by the installed IPA (e.g. www.freeipa.org)
   from localhost - should pass both with and without the patch
3) query a record not managed by the installed IPA from another computer
   on a different subnet - fails without the patch and should pass with
   the patch

----

Update name server configuration file to allow any host to issue
recursive queries (allow-recursion statement).

https://fedorahosted.org/freeipa/ticket/1335

-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-mkosek-087-allow-recursion-by-default.patch
Type: text/x-patch
Size: 975 bytes
Desc: not available

From sbose at redhat.com Wed Jun 22 09:13:45 2011
From: sbose at redhat.com (Sumit Bose)
Date: Wed, 22 Jun 2011 11:13:45 +0200
Subject: [Freeipa-devel] Kerberos implementation issues
In-Reply-To: <20110621164808.48fa8064@lembas.zaitcev.lan>
References: <20110621160610.6613cb5f@lembas.zaitcev.lan> <4E011B14.1030404@redhat.com> <20110621164808.48fa8064@lembas.zaitcev.lan>
Message-ID: <20110622091345.GM2197@localhost.localdomain>

On Tue, Jun 21, 2011 at 04:48:08PM -0600, Pete Zaitcev wrote:
> On Tue, 21 Jun 2011 18:28:36 -0400
> Dmitri Pal wrote:
>
> Dear Dmitri, thanks for the reply. I am reading curl source code
> now and I notice the distinction between "Negotiate" that comes
> from SPNEGO, and "GSS-Negotiate". I'm looking for the definition
> of the latter.
>
> > > I am working on adding authentication/authorization
> > > to Image Warehouse (a.k.a. iwhd). It uses HTTP protocol, implemented
> > > with GNU Microhttpd. [...]
>
> > > So far, I gather that so-called "SPNEGO" protocol is what everyone
> > > uses (RFC 4178). It relies on GSS-API (2743/2744) and Kerberos (4121).
> > > There's also a "Kerberos on Windows" thing (4559), which actually
> > > defines the key pieces such as "WWW-Authenticate: Negotiate".
>
> > What web server are you using? It is mostly something that is used
> > outside the application by the web server itself.
>
> As I mentioned, iwhd relies on GNU Microhttpd library to implement
> a webserver.

According to http://www.gnu.org/software/libmicrohttpd/ there is only
"Support for basic and digest authentication (optional)". As Dmitri
already mentioned there is mod_auth_kerb for Apache which offers the
Negotiate. It does GSSAPI but can handle SPNEGO as well and can
authenticate an SPNEGO client if it can handle GSSAPI (SPNEGO is
basically used to choose between GSSAPI or NTLMSSP).
As long as GNU Microhttpd library does not support at least GSSAPI, but
SPNEGO would be important for Windows clients, or can use Apache's
mod_auth_kerb somehow, I would recommend like Dmitri to use an Apache in
front of iwhd and let Apache forward the principal of the authenticated
user in e.g. X_FORWARDED_USER header variable.

>
> > Like with Apache you can use/configure mod_auth_kerb and if the client
> > is configured to negotiate kerberos and the apache server has a keytab
> > and a service principal (name) in KDC (freeIPA) you are all set.
> > This is how the Katello prototype has been set up.
>
> I see, the vital part here is the need to register the service principal
> with the KDC. I was wondering about that too.

Yes, both the client/user principal and the service principal must be
known to the KDC so that both can trust each other. With freeIPA every
user automatically will have its own principal and every server added to
the IPA domain (ipa-client-install or ipa host-add) gets a host
principal host/fully.qualified.domain.name@YOUR.KERBEROS.REALM. For a
web service you typically do not want to use the host principal but
create one for the specific service
HTTP/fully.qualified.domain.name@YOUR.KERBEROS.REALM with ipa
service-add. If you don't have freeIPA but a plain KDC you have to use
the kadmin utility to create the principals (and their keys).

HTH

bye,
Sumit

>
> > The transactions would require a state. You can try to do something that
> > we are planning to do in IPA to reduce the cost of the re-negotiation on
> > every request. We plan to use a cookie. But it all depends on what your
> > transactions are for. Do they define the "commit" boundaries or are they
> > just to reduce renegotiation?
>
> I am somewhat disaffected with cookies, as they have a lot of
> weaknesses (usually).. Certainly, turning around the 401 replies costs
> a lot, but until I know for myself that it cannot be avoided (by posting
> Authenticate header preventively), I am going to examine the facts
> a little more. However, if FreeIPA team comes up with "standard"
> way to keep tickets in cookies, I would like to hear the details.
>
> Thanks again,
> -- Pete

From mkosek at redhat.com Wed Jun 22 11:19:22 2011
From: mkosek at redhat.com (Martin Kosek)
Date: Wed, 22 Jun 2011 13:19:22 +0200
Subject: [Freeipa-devel] [PATCH] 088 Check IPA configuration in install tools
Message-ID: <1308741564.13562.17.camel@dhcp-25-52.brq.redhat.com>

Install tools may fail with an unexpected error when the IPA server is
not installed on a system. Improve user experience by implementing a
check in affected tools.

https://fedorahosted.org/freeipa/ticket/1327
https://fedorahosted.org/freeipa/ticket/1347

-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-mkosek-088-check-ipa-configuration-in-install-tools.patch
Type: text/x-patch
Size: 8436 bytes
Desc: not available

From jcholast at redhat.com Wed Jun 22 11:36:31 2011
From: jcholast at redhat.com (Jan Cholasta)
Date: Wed, 22 Jun 2011 13:36:31 +0200
Subject: [Freeipa-devel] [PATCH] 785 data type of certificates
In-Reply-To: <4DEF8D94.5000301@redhat.com>
References: <4DD3E402.1050606@redhat.com> <4DEF7E3C.70806@redhat.com> <4DEF8D94.5000301@redhat.com>
Message-ID: <4E01D3BF.4080802@redhat.com>

On 8.6.2011 16:56, Rob Crittenden wrote:
> Jan Cholasta wrote:
>> On 18.5.2011 17:21, Rob Crittenden wrote:
>>> Make data type of certificates more obvious/predictable internally.
>>>
>>> For the most part certificates will be treated as being in DER format.
>>> When we load a certificate we will generally accept it in any format but
>>> will convert it to DER before proceeding in normalize_certificate().
>>>
>>> This also re-arranges a bit of code to pull some certificate-specific
>>> functions out of ipalib/plugins/service.py into ipalib/x509.py.
>>>
>>> This also tries to use variable names to indicate what format the
>>> certificate is in at any given point:
>>>
>>> dercert: DER
>>> cert: PEM
>>> nsscert: a python-nss Certificate object
>>> rawcert: unknown format
>>>
>>> ticket 32
>>>
>>> rob
>>>
>>
>> NACK
>>
>> lint fails with:
>>
>> ipalib/plugins/host.py:380: [E0602, host_add.pre_callback] Undefined
>> variable 'normalize_certificate'
>> ipalib/plugins/host.py:381: [E0602, host_add.pre_callback] Undefined
>> variable 'verify_cert_subject'
>>
>> Honza
>>
>
> Needed to be re-based with changes to 779.
>
> rob

ACK

Honza

-- 
Jan Cholasta

From jim at meyering.net Wed Jun 22 11:44:35 2011
From: jim at meyering.net (Jim Meyering)
Date: Wed, 22 Jun 2011 13:44:35 +0200
Subject: [Freeipa-devel] Kerberos implementation issues
In-Reply-To: <20110622091345.GM2197@localhost.localdomain> (Sumit Bose's message of "Wed, 22 Jun 2011 11:13:45 +0200")
References: <20110621160610.6613cb5f@lembas.zaitcev.lan> <4E011B14.1030404@redhat.com> <20110621164808.48fa8064@lembas.zaitcev.lan> <20110622091345.GM2197@localhost.localdomain>
Message-ID: <87d3i6t7j0.fsf@rho.meyering.net>

Sumit Bose wrote:
> On Tue, Jun 21, 2011 at 04:48:08PM -0600, Pete Zaitcev wrote:
>> On Tue, 21 Jun 2011 18:28:36 -0400
>> Dmitri Pal wrote:
>>
>> Dear Dmitri, thanks for the reply. I am reading curl source code
>> now and I notice the distinction between "Negotiate" that comes
>> from SPNEGO, and "GSS-Negotiate". I'm looking for the definition
>> of the latter.
>>
>> > > I am working on adding authentication/authorization
>> > > to Image Warehouse (a.k.a. iwhd). It uses HTTP protocol, implemented
>> > > with GNU Microhttpd. [...]
>>
>> > > So far, I gather that so-called "SPNEGO" protocol is what everyone
>> > > uses (RFC 4178). It relies on GSS-API (2743/2744) and Kerberos (4121).
>> > > There's also a "Kerberos on Windows" thing (4559), which actually
>> > > defines the key pieces such as "WWW-Authenticate: Negotiate".
>>
>> > What web server are you using? It is mostly something that is used
>> > outside the application by the web server itself.
>>
>> As I mentioned, iwhd relies on GNU Microhttpd library to implement
>> a webserver.
>
> According to http://www.gnu.org/software/libmicrohttpd/ there is only
> "Support for basic and digest authentication (optional)". As Dmitri
> already mentioned there is mod_auth_kerb for Apache which offers the
> Negotiate. It does GSSAPI but can handle SPNEGO as well and can
> authenticate an SPNEGO client if it can handle GSSAPI (SPNEGO is
> basically used to choose between GSSAPI or NTLMSSP).
>
> As long as GNU Microhttpd library does not support at least GSSAPI, but
> SPNEGO would be important for Windows clients, or can use Apache's
> mod_auth_kerb somehow, I would recommend like Dmitri to use an Apache in
> front of iwhd and let Apache forward the principal of the authenticated
> user in e.g. X_FORWARDED_USER header variable.

Unfortunately, replacing (in iwhd) an embedded component like
libmicrohttpd may be er, ... challenging.

iwhd can be configured to act as both server and client, and can use
arbitrary port numbers, so deferring to "Apache" seems infeasible.
For example, one use case is to run two interconnected iwhd servers,
one upstream and another downstream, as demonstrated in iwhd's
t/replication test case.

Even if we were to give up this functionality (currently not required
by any iwhd client), requiring an additional, private-to-iwhd,
kerb-enabled Apache server sounds like disproportionate overhead for
an otherwise small daemon.

Our best bet may be to find an embeddable httpd server that supports GSSAPI.
Do any of you know of one?

From rcritten at redhat.com Wed Jun 22 12:51:04 2011
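The setup Dmitri and Sumit recommend earlier in this thread (Apache with mod_auth_kerb doing the Negotiate exchange and proxying to the application with the authenticated principal in a request header), written out as an added configuration example that is not from the thread, iwhd or Katello. It uses Apache 2.2 syntax; the host name iwhd.example.com, realm EXAMPLE.COM, keytab path, backend port 9090 and the header name X-Forwarded-User are placeholders, and the ipa commands in the comments assume the proxy host is already enrolled with ipa-client-install.

```apache
# Added example (not from the thread, iwhd or Katello): Apache 2.2 with
# mod_auth_kerb in front of an application that cannot do GSSAPI itself.
# Apache authenticates the client via Negotiate and proxies the request to
# the backend with the authenticated principal in X-Forwarded-User.
# Placeholders: iwhd.example.com, EXAMPLE.COM, 127.0.0.1:9090, keytab path.
#
# The HTTP/ service principal must exist in the KDC first (Sumit's point):
# with FreeIPA, on a host already enrolled with ipa-client-install, run
#   ipa service-add HTTP/iwhd.example.com
#   ipa-getkeytab -s ipa.example.com -p HTTP/iwhd.example.com \
#                 -k /etc/httpd/conf/iwhd.keytab
#   chown apache:apache /etc/httpd/conf/iwhd.keytab
#   chmod 0600 /etc/httpd/conf/iwhd.keytab
# With a plain KDC, create the principal and keytab with kadmin instead.

LoadModule auth_kerb_module  modules/mod_auth_kerb.so
LoadModule headers_module    modules/mod_headers.so
LoadModule rewrite_module    modules/mod_rewrite.so
LoadModule proxy_module      modules/mod_proxy.so
LoadModule proxy_http_module modules/mod_proxy_http.so

# Forward proxying stays off; only the explicit ProxyPass below is served.
ProxyRequests Off

<VirtualHost *:443>
    ServerName iwhd.example.com
    # TLS (mod_ssl or mod_nss) is configured elsewhere. Negotiate tokens and
    # the injected header must only travel over TLS.

    <Location />
        AuthType Kerberos
        AuthName "Kerberos Login"
        KrbAuthRealms EXAMPLE.COM
        KrbServiceName HTTP
        Krb5KeyTab /etc/httpd/conf/iwhd.keytab
        # Negotiate only: no fallback to Basic auth that would carry the
        # user's password through the proxy.
        KrbMethodNegotiate On
        KrbMethodK5Passwd Off
        # Verify the KDC with the service key so a spoofed KDC cannot
        # manufacture a "successful" authentication.
        KrbVerifyKDC On
        # The backend only needs the name; do not keep delegated credentials.
        KrbSaveCredentials Off
        Require valid-user

        # Drop any client-supplied copy of the header we are about to inject;
        # the backend must only ever see the value set by this proxy.
        RequestHeader unset X-Forwarded-User

        # Apache 2.2 does not expose REMOTE_USER to mod_headers directly; the
        # mod_rewrite look-ahead copies the authenticated principal
        # (e.g. alice@EXAMPLE.COM) into an environment variable first.
        RewriteEngine On
        RewriteCond %{LA-U:REMOTE_USER} (.+)
        RewriteRule .* - [E=AUTH_PRINCIPAL:%1]
        RequestHeader set X-Forwarded-User "%{AUTH_PRINCIPAL}e"

        # The backend is bound to loopback so the header cannot be forged by
        # talking to it directly; it must trust the header only from this host.
        ProxyPass http://127.0.0.1:9090/
        ProxyPassReverse http://127.0.0.1:9090/
    </Location>
</VirtualHost>
```

To check the chain end to end, `curl --negotiate -u : https://iwhd.example.com/` from a client holding a ticket should reach the backend with the principal in the header, while the same request without a ticket must stop at Apache's 401.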
From: rcritten at redhat.com (Rob Crittenden)
Date: Wed, 22 Jun 2011 08:51:04 -0400
Subject: [Freeipa-devel] [PATCH] 762 Let the framework be able to override the hostname
In-Reply-To: <4DECE95E.1010006@redhat.com>
References: <4D95F3AD.2000707@redhat.com> <1306320574.18222.20.camel@dhcp-25-52.brq.redhat.com> <4DDD204A.8010009@redhat.com> <1306395960.2330.7.camel@dhcp-25-52.brq.redhat.com> <4DDFFDDE.2040908@redhat.com> <1306757151.2427.16.camel@dhcp-25-52.brq.redhat.com> <4DECE95E.1010006@redhat.com>
Message-ID: <4E01E538.50706@redhat.com>

Rob Crittenden wrote:
> Martin Kosek wrote:
>> On Fri, 2011-05-27 at 15:39 -0400, Rob Crittenden wrote:
>>> Martin Kosek wrote:
>>>> On Wed, 2011-05-25 at 11:29 -0400, Rob Crittenden wrote:
>>>>> Martin Kosek wrote:
>>>>>> On Fri, 2011-04-01 at 11:47 -0400, Rob Crittenden wrote:
>>>>>>> The hostname is passed in during the server installation. We should use
>>>>>>> this hostname for the resulting server as well. It was being discarded
>>>>>>> and we always used the system hostname value.
>>>>>>>
>>>>>>> ticket 1052
>>>>>>>
>>>>>>> rob
>>>>>>
>>>>>> I have to NACK this again. I have a problem communicating with IPA on a
>>>>>> master machine. I reproduced it on 2 different machines. Please, correct
>>>>>> my steps if I am wrong, I do the following procedure
>>>>>>
>>>>>> 1) I prepare a fresh minimal F-15
>>>>>> 2) Install freeipa-server (current master with your patches)
>>>>>> 3) Add custom hostname to /etc/hosts
>>>>>> 4) Install IPA server:
>>>>>>    ipa-server-install -p secret123 -a secret123 --hostname ipa.idm.lab.bos.redhat.com --setup-dns --forwarder=10.16.255.2
>>>>>> 5) # kinit admin
>>>>>>    Password for admin@IDM.LAB.BOS.REDHAT.COM:
>>>>>> 6) # ipa user-show admin
>>>>>>    ipa: ERROR: cannot connect to 'any of the configured servers':
>>>>>>    https://ipa.idm.lab.bos.redhat.com/ipa/xml, https://ipa.idm.lab.bos.redhat.com/ipa/xml
>>>>>>
>>>>>> # ping -c 1 ipa.idm.lab.bos.redhat.com
>>>>>> PING ipa.idm.lab.bos.redhat.com (10.16.78.140) 56(84) bytes of data.
>>>>>> 64 bytes from ipa.idm.lab.bos.redhat.com (10.16.78.140): icmp_req=1 ttl=64 time=0.049 ms
>>>>>>
>>>>>> Apache error_log shows relevant errors:
>>>>>>
>>>>>> [Wed May 25 06:42:38 2011] [error] ipa: ERROR: Failed to start IPA: Unable to retrieve LDAP schema: Invalid credentials: SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Permission denied)
>>>>>> [Wed May 25 06:42:38 2011] [error] ipa: ERROR: Failed to start IPA: Unable to retrieve LDAP schema: Invalid credentials: SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Permission denied)
>>>>>> [Wed May 25 06:43:55 2011] [error] Exception KeyError: KeyError(140250828974112,) in <module 'threading' from '/usr/lib64/python2.7/threading.pyc'> ignored
>>>>>> [Wed May 25 06:43:55 2011] [error] Exception KeyError: KeyError(140250828974112,) in <module 'threading' from '/usr/lib64/python2.7/threading.pyc'> ignored
>>>>>> [Wed May 25 06:43:55 2011] [error] Exception KeyError: KeyError(140250828974112,) in <module 'threading' from '/usr/lib64/python2.7/threading.pyc'> ignored
>>>>>> [Wed May 25 06:43:55 2011] [error] Exception KeyError: KeyError(140250828974112,) in <module 'threading' from '/usr/lib64/python2.7/threading.pyc'> ignored
>>>>>> [Wed May 25 06:43:55 2011] [error] Exception KeyError: KeyError(140250828974112,) in <module 'threading' from '/usr/lib64/python2.7/threading.pyc'> ignored
>>>>>> [Wed May 25 06:43:55 2011] [error] Exception KeyError: KeyError(140250828974112,) in <module 'threading' from '/usr/lib64/python2.7/threading.pyc'> ignored
>>>>>> [Wed May 25 06:43:55 2011] [error] Exception KeyError: KeyError(140250828974112,) in <module 'threading' from '/usr/lib64/python2.7/threading.pyc'> ignored
>>>>>> [Wed May 25 06:43:55 2011] [error] Exception KeyError: KeyError(140250828974112,) in <module 'threading' from '/usr/lib64/python2.7/threading.pyc'> ignored
>>>>>> [Wed May 25 06:43:55 2011] [error] Exception KeyError: KeyError(140250828974112,) in <module 'threading' from '/usr/lib64/python2.7/threading.pyc'> ignored
>>>>>> [Wed May 25 06:43:55 2011] [error] Exception KeyError: KeyError(140250828974112,) in <module 'threading' from '/usr/lib64/python2.7/threading.pyc'> ignored
>>>>>> [Wed May 25 06:43:56 2011] [notice] caught SIGTERM, shutting down
>>>>>> [Wed May 25 06:43:56 2011] [notice] SELinux policy enabled; httpd running as context system_u:system_r:kernel_t:s0
>>>>>> [Wed May 25 06:43:57 2011] [notice] Digest: generating secret for digest authentication ...
>>>>>> [Wed May 25 06:43:57 2011] [notice] Digest: done
>>>>>> [Wed May 25 06:43:57 2011] [notice] Apache/2.2.17 (Unix) DAV/2 mod_auth_kerb/5.4 mod_nss/2.2.17 NSS/3.12.9.0 mod_wsgi/3.2 Python/2.7.1 configured -- resuming normal operations
>>>>>> [Wed May 25 06:44:04 2011] [error] ipa: INFO: *** PROCESS START ***
>>>>>> [Wed May 25 06:44:04 2011] [error] ipa: INFO: *** PROCESS START ***
>>>>>> [Wed May 25 06:45:25 2011] [error] [client 10.16.78.140] mod_wsgi (pid=5192): Exception occurred processing WSGI script '/usr/share/ipa/wsgi.py'.
>>>>>> [Wed May 25 06:45:25 2011] [error] [client 10.16.78.140] Traceback (most recent call last):
>>>>>> [Wed May 25 06:45:25 2011] [error] [client 10.16.78.140]   File "/usr/share/ipa/wsgi.py", line 48, in application
>>>>>> [Wed May 25 06:45:25 2011] [error] [client 10.16.78.140]     return api.Backend.session(environ, start_response)
>>>>>> [Wed May 25 06:45:25 2011] [error] [client 10.16.78.140]   File "/usr/lib/python2.7/site-packages/ipaserver/rpcserver.py", line 141, in __call__
>>>>>> [Wed May 25 06:45:25 2011] [error] [client 10.16.78.140]     self.create_context(ccache=environ.get('KRB5CCNAME'))
>>>>>> [Wed May 25 06:45:25 2011] [error] [client 10.16.78.140]   File "/usr/lib/python2.7/site-packages/ipalib/backend.py", line 110, in create_context
>>>>>> [Wed May 25 06:45:25 2011] [error] [client 10.16.78.140]     self.Backend.ldap2.connect(ccache=ccache)
>>>>>> [Wed May 25 06:45:25 2011] [error] [client 10.16.78.140]   File "/usr/lib/python2.7/site-packages/ipalib/backend.py", line 62, in connect
>>>>>> [Wed May 25 06:45:25 2011] [error] [client 10.16.78.140]     conn = self.create_connection(*args, **kw)
>>>>>> [Wed May 25 06:45:25 2011] [error] [client 10.16.78.140]   File "/usr/lib/python2.7/site-packages/ipalib/encoder.py", line 188, in new_f
>>>>>> [Wed May 25 06:45:25 2011] [error] [client 10.16.78.140]     return f(*new_args, **kwargs)
>>>>>> [Wed May 25 06:45:25 2011] [error] [client 10.16.78.140]   File "/usr/lib/python2.7/site-packages/ipaserver/plugins/ldap2.py", line 337, in create_connection
>>>>>> [Wed May 25 06:45:25 2011] [error] [client 10.16.78.140]     _handle_errors(e, **{})
>>>>>> [Wed May 25 06:45:25 2011] [error] [client 10.16.78.140]   File "/usr/lib/python2.7/site-packages/ipaserver/plugins/ldap2.py", line 118, in _handle_errors
>>>>>> [Wed May 25 06:45:25 2011] [error] [client 10.16.78.140]     raise errors.DatabaseError(desc=desc, info=info)
>>>>>> [Wed May 25 06:45:25 2011] [error] [client 10.16.78.140] DatabaseError: Local error: SASL(-1): generic failure: GSSAPI Error: An invalid name was supplied (Hostname cannot be canonicalized)
>>>>>> [Wed May 25 06:45:26 2011] [error] [client 10.16.78.140] mod_wsgi (pid=5193): Exception occurred processing WSGI script '/usr/share/ipa/wsgi.py'.
>>>>>>
>>>>>> You can check the problem on vm-140.idm.lab.bos.redhat.com if you want to.
>>>>>>
>>>>>> Martin
>>>>>>
>>>>>
>>>>> The LDAP connection was still using the system hostname value. I added a
>>>>> conn.set_option(_ldap.OPT_HOST_NAME, api.env.host) in the two places we
>>>>> initialize an LDAP connection and that seems to have fixed it.
>>>>>
>>>>> Updated patch attached
>>>>>
>>>>> rob
>>>>
>>>> NACK. The problem on a master is gone. However, now ipa-replica-install
>>>> is failing:
>>>>
>>>> # ipa-replica-install /home/mkosek/replica-info-vm-027.idm.lab.bos.redhat.com.gpg
>>>> Directory Manager (existing master) password:
>>>>
>>>> creation of replica failed: Can't contact LDAP server:
>>>>
>>>> I found out that the root cause of the failure is in the change you just
>>>> made in ldap2.py:
>>>>
>>>>     def create_connection(self, ccache=None, bind_dn='', bind_pw='',
>>>>             tls_cacertfile=None, tls_certfile=None, tls_keyfile=None,
>>>>             debug_level=0):
>>>>         ...
>>>>         try:
>>>>             conn = _ldap.initialize(self.ldap_uri)
>>>>             conn.set_option(_ldap.OPT_HOST_NAME, api.env.host)   <--
>>>>             if ccache is not None:
>>>>                 os.environ['KRB5CCNAME'] = ccache
>>>>         ...
>>>>
>>>> because api.env.host points to the local host and not the remote master.
>>>> When I commented this line out, installation continued OK. Then, it
>>>> crashed again with our "favorite" dogtag's "invalid clone_uri" exception.
>>>>
>>>> Since we see this error also in other scenarios (not only custom
>>>> --hostname) and the root cause is not in your patch I can ACK your patch
>>>> 762 once the replica install bug is fixed.
>>>>
>>>> Martin
>>>>
>>>
>>> Fixed both of these. We only need to set the hostname when using an
>>> ldapi URI, so fixed both of those.
>>>
>>> I also fixed the Invalid clone_uri bug. The problem was we weren't
>>> passing our new hostname to pkicreate so it was creating a CA for
>>> whatever the value of `hostname` was. There is an environment variable
>>> in pkicreate to pass in the hostname and doing that has fixed the
>>> problem.
>>>
>>> rob
>>
>> Yes, this issue was fixed. It's good you found a way to deal with the
>> clone_uri problem. However, I still hit some issues:
>>
>> 1) I think we have some Kerberos related problems when the custom
>> hostname is used (ipa.idm.lab.bos.redhat.com on a
>> vm-096.idm.lab.bos.redhat.com). Named and SSSD refuse to start on the
>> system.
>>
>> /var/log/messages:
>> May 30 05:04:35 vm-096 named[13932]: listening on IPv4 interface eth0, 10.16.78.96#53
>> May 30 05:04:35 vm-096 named[13932]: generating session key for dynamic DNS
>> May 30 05:04:36 vm-096 named[13932]: Failed to init credentials (Preauthentication failed)
>> May 30 05:04:36 vm-096 named[13932]: loading configuration: failure
>> May 30 05:04:36 vm-096 named[13932]: exiting (due to fatal error)
>> May 30 05:04:36 vm-096 systemd[1]: named.service: control process exited, code=exited status=7
>> May 30 05:04:36 vm-096 systemd[1]: Unit named.service entered failed state.
>> May 30 05:07:41 vm-096 sssd: Starting up
>> May 30 05:07:41 vm-096 sssd[be[idm.lab.bos.redhat.com]]: Starting up
>> May 30 05:07:41 vm-096 sssd[be[idm.lab.bos.redhat.com]]: Error processing keytab file [(null)]: Principal [host/vm-096.idm.lab.bos.redhat.com@IDM.LAB.BOS.REDHAT.COM] was not found. Unable to create GSSAPI-encrypted LDAP connection.
>
> For the named issue I filed a bug against bind-dyndb-ldap for this,
> https://bugzilla.redhat.com/show_bug.cgi?id=710261
>
> This is a similar problem I ran into where when you do an ldapi bind it
> defaults to using the system hostname value.
>
> To fix the sssd problem we just need to set the ipa_hostname option
> (they have lots of nice tuning options!). We just need to decide if we
> always set this value or only at install time when the hostnames differ.
>
>> 2) My dogtag powered replica still refuses to install (happened to me on
>> 2 fresh VMs) with "creation of replica failed: Configuration of CA
>> failed".
>>
>> I investigated the ipareplica-install.log, I found an error that may be
>> relevant. Maybe Ade will recognize some of them.
>>
>> #############################################
>> Attempting to connect to: vm-028.idm.lab.bos.redhat.com:9445
>> Connected.
>> Posting Query = https://vm-028.idm.lab.bos.redhat.com:9445//ca/admin/console/config/wizard?p=9&op=next&xml=true&host=vm-028.idm.lab.bos.redhat.com&port=7389&binddn=cn%3DDirectory+Manager&__bindpwd=XXXXXXXX&basedn=o%3Dipaca&database=ipaca&display=%24displayStr&cloneStartTLS=on
>>
>> RESPONSE STATUS: HTTP/1.1 200 OK
>> RESPONSE HEADER: Server: Apache-Coyote/1.1
>> RESPONSE HEADER: Content-Type: application/xml;charset=UTF-8
>> RESPONSE HEADER: Date: Mon, 30 May 2011 11:26:29 GMT
>> RESPONSE HEADER: Connection: close
>> ...
>>
>> admin/console/config/databasepanel.vm
>> clone
>>
>> 7389
>> (sensitive)
>> on
>> vm-028.idm.lab.bos.redhat.com
>> Master and clone should have the same base DN
>>
>>
>> The CA installation fails a few error messages later.
>>
>> Providing excerpt of CA logs as they may be relevant:
>>
>> /var/log/pki-ca/catalina.out:
>> ...
>> CMS Warning: FAILURE: Cannot build CA chain. Error java.security.cert.CertificateException: Certificate is not a PKCS #11 certificate|FAILURE: authz instance DirAclAuthz initialization failed and skipped, error=Property internaldb.ldapconn.port missing value|
>> ...
>> [Fatal Error] :2:15: Open quote is expected for attribute "BGCOLOR" associated with an element type "BODY".
>>
>> /var/log/pki-ca/system:
>> 2893.main - [30/May/2011:07:25:47 EDT] [3] [3] Cannot build CA chain. Error java.security.cert.CertificateException: Certificate is not a PKCS #11 certificate
>> 2893.main - [30/May/2011:07:25:47 EDT] [13] [3] authz instance DirAclAuthz initialization failed and skipped, error=Property internaldb.ldapconn.port missing value
>>
>> Martin
>>
>
> Haven't had a chance to explore this one yet. It sure would be nice if
> dogtag would tell us what the two differing base DNs are though...

This patch should resolve the remaining issues. It requires a patch to
bind-dyndb-ldap, I have a candidate patch in
https://bugzilla.redhat.com/show_bug.cgi?id=710261

rob

-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-rcrit-762-4-host.patch
Type: text/x-diff
Size: 9780 bytes
Desc: not available

From rcritten at redhat.com Wed Jun 22 13:16:05 2011
From: rcritten at redhat.com (Rob Crittenden)
Date: Wed, 22 Jun 2011 09:16:05 -0400
Subject: [Freeipa-devel] [PATCH] 807 get schema in json handler
In-Reply-To: <4E0101C4.9040606@redhat.com>
References: <4E00FAA6.60406@redhat.com> <4E0101C4.9040606@redhat.com>
Message-ID: <4E01EB15.3050105@redhat.com>

Adam Young wrote:
> On 06/21/2011 04:10 PM, Rob Crittenden wrote:
>> If the first request the web server handles is for a bad ticket (e.g.
>> expired) then it is possible to get past the point where the lazy LDAP
>> schema retrieval would happen causing a backtrace in the json handler.
>> Add a call to get the schema which will be skipped if a valid schema
>> has already been retrieved.
>>
>> ticket https://fedorahosted.org/freeipa/ticket/1354
>>
>> rob
>>
>> _______________________________________________
>> Freeipa-devel mailing list
>> Freeipa-devel at redhat.com
>> https://www.redhat.com/mailman/listinfo/freeipa-devel
> ACK. Pushed to master. Seems to fix 1354

pushed to ipa-2-0

From dpal at redhat.com Wed Jun 22 13:50:04 2011
From: dpal at redhat.com (Dmitri Pal)
Date: Wed, 22 Jun 2011 09:50:04 -0400
Subject: [Freeipa-devel] Kerberos implementation issues
In-Reply-To: <20110621164808.48fa8064@lembas.zaitcev.lan>
References: <20110621160610.6613cb5f@lembas.zaitcev.lan> <4E011B14.1030404@redhat.com> <20110621164808.48fa8064@lembas.zaitcev.lan>
Message-ID: <4E01F30C.7090001@redhat.com>

On 06/21/2011 06:48 PM, Pete Zaitcev wrote:
> I am somewhat disaffected with cookies, as they have a lot of
> weaknesses (usually).. Certainly, turning around the 401 replies costs
> a lot, but until I know for myself that it cannot be avoided (by posting
> Authenticate header preventively), I am going to examine the facts
> a little more. However, if FreeIPA team comes up with "standard"
> way to keep tickets in cookies, I would like to hear the details.

We will see what we would be able to come up with.
Tickets to watch:
https://fedorahosted.org/freeipa/ticket/215
https://fedorahosted.org/freeipa/ticket/225

Both are in "Deferred" bucket as there are no firm plans.
We will see when we would be able to look into these tickets.

-- 
Thank you,
Dmitri Pal

Sr. Engineering Manager IPA project,
Red Hat Inc.

-------------------------------
Looking to carve out IT costs?
www.redhat.com/carveoutcosts/

From dpal at redhat.com Wed Jun 22 14:07:08 2011
From: dpal at redhat.com (Dmitri Pal)
Date: Wed, 22 Jun 2011 10:07:08 -0400
Subject: [Freeipa-devel] Kerberos implementation issues
In-Reply-To: <87d3i6t7j0.fsf@rho.meyering.net>
References: <20110621160610.6613cb5f@lembas.zaitcev.lan> <4E011B14.1030404@redhat.com> <20110621164808.48fa8064@lembas.zaitcev.lan> <20110622091345.GM2197@localhost.localdomain> <87d3i6t7j0.fsf@rho.meyering.net>
Message-ID: <4E01F70C.7030301@redhat.com>

On 06/22/2011 07:44 AM, Jim Meyering wrote:
> Our best bet may be to find an embeddable httpd server that supports GSSAPI.
> Do any of you know of one?
>

Quick search on the internet did not reveal any.
I found a Ruby GSSAPI library if this is of any help.
https://github.com/zenchild/gssapi/wiki

-- 
Thank you,
Dmitri Pal

Sr. Engineering Manager IPA project,
Red Hat Inc.

-------------------------------
Looking to carve out IT costs?
www.redhat.com/carveoutcosts/

From zaitcev at redhat.com Tue Jun 21 22:48:08 2011
From: zaitcev at redhat.com (Pete Zaitcev)
Date: Tue, 21 Jun 2011 16:48:08 -0600
Subject: [Freeipa-devel] Kerberos implementation issues
In-Reply-To: <4E011B14.1030404@redhat.com>
References: <20110621160610.6613cb5f@lembas.zaitcev.lan> <4E011B14.1030404@redhat.com>
Message-ID: <20110621164808.48fa8064@lembas.zaitcev.lan>

On Tue, 21 Jun 2011 18:28:36 -0400
Dmitri Pal wrote:

Dear Dmitri, thanks for the reply. I am reading curl source code
now and I notice the distinction between "Negotiate" that comes
from SPNEGO, and "GSS-Negotiate". I'm looking for the definition
of the latter.

> > I am working on adding authentication/authorization
> > to Image Warehouse (a.k.a. iwhd). It uses HTTP protocol, implemented
> > with GNU Microhttpd. [...]

> > So far, I gather that so-called "SPNEGO" protocol is what everyone
> > uses (RFC 4178). It relies on GSS-API (2743/2744) and Kerberos (4121).
> > There's also a "Kerberos on Windows" thing (4559), which actually
> > defines the key pieces such as "WWW-Authenticate: Negotiate".

> What web server are you using? It is mostly something that is used
> outside the application by the web server itself.

As I mentioned, iwhd relies on GNU Microhttpd library to implement
a webserver.

> Like with Apache you can use/configure mod_auth_kerb and if the client
> is configured to negotiate kerberos and the apache server has a keytab
> and a service principal (name) in KDC (freeIPA) you are all set.
> This is how the Katello prototype has been set up.

I see, the vital part here is the need to register the service principal
with the KDC. I was wondering about that too.

> The transactions would require a state. You can try to do something that
> we are planning to do in IPA to reduce the cost of the re-negotiation on
> every request. We plan to use a cookie. But it all depends on what your
> transactions are for. Do they define the "commit" boundaries or are they
> just to reduce renegotiation?

I am somewhat disaffected with cookies, as they have a lot of
weaknesses (usually).. Certainly, turning around the 401 replies costs
a lot, but until I know for myself that it cannot be avoided (by posting
Authenticate header preventively), I am going to examine the facts
a little more. However, if FreeIPA team comes up with "standard"
way to keep tickets in cookies, I would like to hear the details.

Thanks again,
-- Pete

From ayoung at redhat.com Wed Jun 22 14:14:38 2011
From: ayoung at redhat.com (Adam Young)
Date: Wed, 22 Jun 2011 10:14:38 -0400
Subject: [Freeipa-devel] [PATCH] 0251-absolute-to-relative
Message-ID: <4E01F8CE.2050006@redhat.com>

-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-admiyo-0251-absolute-to-relative.patch
Type: text/x-patch
Size: 1528 bytes
Desc: not available
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-admiyo-0220-update-ipa-init.patch
Type: text/x-patch
Size: 1407 bytes
Desc: not available

From rcritten at redhat.com Wed Jun 22 14:13:31 2011
From: rcritten at redhat.com (Rob Crittenden)
Date: Wed, 22 Jun 2011 10:13:31 -0400
Subject: [Freeipa-devel] [PATCH] 785 data type of certificates
In-Reply-To: <4E01D3BF.4080802@redhat.com>
References: <4DD3E402.1050606@redhat.com> <4DEF7E3C.70806@redhat.com> <4DEF8D94.5000301@redhat.com> <4E01D3BF.4080802@redhat.com>
Message-ID: <4E01F88B.20502@redhat.com>

Jan Cholasta wrote:
> On 8.6.2011 16:56, Rob Crittenden wrote:
>> Jan Cholasta wrote:
>>> On 18.5.2011 17:21, Rob Crittenden wrote:
>>>> Make data type of certificates more obvious/predictable internally.
>>>>
>>>> For the most part certificates will be treated as being in DER format.
>>>> When we load a certificate we will generally accept it in any format but
>>>> will convert it to DER before proceeding in normalize_certificate().
>>>>
>>>> This also re-arranges a bit of code to pull some certificate-specific
>>>> functions out of ipalib/plugins/service.py into ipalib/x509.py.
>>>>
>>>> This also tries to use variable names to indicate what format the
>>>> certificate is in at any given point:
>>>>
>>>> dercert: DER
>>>> cert: PEM
>>>> nsscert: a python-nss Certificate object
>>>> rawcert: unknown format
>>>>
>>>> ticket 32
>>>>
>>>> rob
>>>>
>>>
>>> NACK
>>>
>>> lint fails with:
>>>
>>> ipalib/plugins/host.py:380: [E0602, host_add.pre_callback] Undefined
>>> variable 'normalize_certificate'
>>> ipalib/plugins/host.py:381: [E0602, host_add.pre_callback] Undefined
>>> variable 'verify_cert_subject'
>>>
>>> Honza
>>>
>>
>> Needed to be re-based with changes to 779.
>>
>> rob
>
> ACK
>
> Honza
>

pushed to master and ipa-2-0

rob

From jim at meyering.net Wed Jun 22 14:18:04 2011
From: jim at meyering.net (Jim Meyering)
Date: Wed, 22 Jun 2011 16:18:04 +0200
Subject: [Freeipa-devel] Kerberos implementation issues
In-Reply-To: <4E01F70C.7030301@redhat.com> (Dmitri Pal's message of "Wed, 22 Jun 2011 10:07:08 -0400")
References: <20110621160610.6613cb5f@lembas.zaitcev.lan> <4E011B14.1030404@redhat.com> <20110621164808.48fa8064@lembas.zaitcev.lan> <20110622091345.GM2197@localhost.localdomain> <87d3i6t7j0.fsf@rho.meyering.net> <4E01F70C.7030301@redhat.com>
Message-ID: <87d3i6rlur.fsf@rho.meyering.net>

Dmitri Pal wrote:
> On 06/22/2011 07:44 AM, Jim Meyering wrote:
>> Our best bet may be to find an embeddable httpd server that supports GSSAPI.
>> Do any of you know of one?
>>
> Quick search on the internet did not reveal any.
> I found a Ruby GSSAPI library if this is of any help.
> https://github.com/zenchild/gssapi/wiki

If only iwhd were written in Ruby rather than C.

From rcritten at redhat.com Wed Jun 22 14:22:02 2011
From: rcritten at redhat.com (Rob Crittenden)
Date: Wed, 22 Jun 2011 10:22:02 -0400
Subject: [Freeipa-devel] [PATCH] 792 Update translations
In-Reply-To: <1308150244.11628.23.camel@dhcp-25-52.brq.redhat.com>
References: <4DED129C.8090700@redhat.com> <1307624168.27281.19.camel@dhcp-25-52.brq.redhat.com> <4DF7D588.9060603@redhat.com> <1308150244.11628.23.camel@dhcp-25-52.brq.redhat.com>
Message-ID: <4E01FA8A.90703@redhat.com>

Martin Kosek wrote:
> On Tue, 2011-06-14 at 17:41 -0400, Rob Crittenden wrote:
>> Martin Kosek wrote:
>>> On Mon, 2011-06-06 at 13:47 -0400, Rob Crittenden wrote:
>>>> Our translation files haven't been updated for a few months, this brings
>>>> things up to date. It is intended for master only.
>>>>
>>>> All I did to generate this patch was to run make update-po in
>>>> install/po. It is otherwise untouched by human hands.
>>>>
>>>> 4Mb of changes, 810 new messages, so this patch is huge, sorry.
>>>>
>>>> rob
>>>
>>> Eh, nice patch :-) Did you also pull new translations from Transifex?
>>> John wrote a howto in a mail "Transifex i18n translation changes".
>>>
>>> Btw if we also want to update ipa-2-0 translations, it would need a
>>> separate patch as those 2 branches have diverged.
>>>
>>> Martin
>>>
>>
>> There are no new translations upstream. Once this is pushed we can push
>> it to Transifex as well
>>
>> rob
>
> Ok, ACK from me then. Feel free to regenerate translations if some
> strings were changed before the review was completed.
>
> Martin
>

Pushed to master

From ayoung at redhat.com Wed Jun 22 14:30:01 2011
From: ayoung at redhat.com (Adam Young)
Date: Wed, 22 Jun 2011 10:30:01 -0400
Subject: [Freeipa-devel] [PATCH] 185 Converted entity header into facet header.
In-Reply-To: <4E015CEA.20103@redhat.com>
References: <4E015CEA.20103@redhat.com>
Message-ID: <4E01FC69.7010707@redhat.com>

On 06/21/2011 11:09 PM, Endi Sukma Dewata wrote:
> The content and the size of entity header changes depending on the
> facet being displayed, so the entity header has been converted into
> a facet header to allow better control via CSS.
>
> The DNS record facet has been updated to use the same styles and
> support scrolling.
>
> To help styling and testing, all buttons have been assigned a name.
>
> This patch requires Kyle's patch #9 and #10.
>
> Demo is available here:
> http://edewata.fedorapeople.org/freeipa/install/ui/index.html
>
>
> _______________________________________________
> Freeipa-devel mailing list
> Freeipa-devel at redhat.com
> https://www.redhat.com/mailman/listinfo/freeipa-devel

Close. The commonality of config and krbticket policy is that they have
no search. Instead of putting a specific name= class for them, use a
single class, something like .no-search. That way if we have others, we
just reuse that class, instead of having css for each entity. The CSS
should be oblivious to the domain model.

From dpal at redhat.com Wed Jun 22 14:43:09 2011
From: dpal at redhat.com (Dmitri Pal)
Date: Wed, 22 Jun 2011 10:43:09 -0400
Subject: [Freeipa-devel] Kerberos implementation issues
In-Reply-To: <87d3i6rlur.fsf@rho.meyering.net>
References: <20110621160610.6613cb5f@lembas.zaitcev.lan> <4E011B14.1030404@redhat.com> <20110621164808.48fa8064@lembas.zaitcev.lan> <20110622091345.GM2197@localhost.localdomain> <87d3i6t7j0.fsf@rho.meyering.net> <4E01F70C.7030301@redhat.com> <87d3i6rlur.fsf@rho.meyering.net>
Message-ID: <4E01FF7D.2070707@redhat.com>

> Dmitri Pal wrote:
>> On 06/22/2011 07:44 AM, Jim Meyering wrote:
>>> Our best bet may be to find an embeddable httpd server that supports GSSAPI.
>>> Do any of you know of one?
>>>
>> Quick search on the internet did not reveal any.
>> I found a Ruby GSSAPI library if this is of any help.
>> https://github.com/zenchild/gssapi/wiki
> If only iwhd were written in Ruby rather than C.

Hm I thought everything is written in Ruby nowadays :-)
at least most of the cloud infrastructure services we integrate.

Good to hear that something is still written in plain old C.
Is there any architectural diagram and high level overview of the
project that we can take a look at?

-- 
Thank you,
Dmitri Pal

Sr. Engineering Manager IPA project,
Red Hat Inc.

From jim at meyering.net Wed Jun 22 16:14:39 2011
From: jim at meyering.net (Jim Meyering)
Date: Wed, 22 Jun 2011 18:14:39 +0200
Subject: [Freeipa-devel] Kerberos implementation issues
In-Reply-To: <4E01FF7D.2070707@redhat.com> (Dmitri Pal's message of "Wed, 22 Jun 2011 10:43:09 -0400")
References: <20110621160610.6613cb5f@lembas.zaitcev.lan> <4E011B14.1030404@redhat.com> <20110621164808.48fa8064@lembas.zaitcev.lan> <20110622091345.GM2197@localhost.localdomain> <87d3i6t7j0.fsf@rho.meyering.net> <4E01F70C.7030301@redhat.com> <87d3i6rlur.fsf@rho.meyering.net> <4E01FF7D.2070707@redhat.com>
Message-ID: <87hb7hrggg.fsf@rho.meyering.net>

Dmitri Pal wrote:
>> Dmitri Pal wrote:
>>> On 06/22/2011 07:44 AM, Jim Meyering wrote:
>>>> Our best bet may be to find an embeddable httpd server that supports GSSAPI.
>>>> Do any of you know of one?
>>>>
>>> Quick search on the internet did not reveal any.
>>> I found a Ruby GSSAPI library if this is of any help.
>>> https://github.com/zenchild/gssapi/wiki
>> If only iwhd were written in Ruby rather than C.
>
> Hm I thought everything is written in Ruby nowadays :-)
> at least most of the cloud infrastructure services we integrate.
>
> Good to hear that something is still written in plain old C.
> Is there any architectural diagram and high level overview of the
> project that we can take a look at?

Sure,

http://git.fedorahosted.org/git?p=iwhd.git;a=blob;f=doc/image_repo.odt

From dpal at redhat.com Wed Jun 22 16:40:51 2011
From: dpal at redhat.com (Dmitri Pal)
Date: Wed, 22 Jun 2011 12:40:51 -0400
Subject: [Freeipa-devel] Kerberos implementation issues
In-Reply-To: <87hb7hrggg.fsf@rho.meyering.net>
References: <20110621160610.6613cb5f@lembas.zaitcev.lan> <4E011B14.1030404@redhat.com> <20110621164808.48fa8064@lembas.zaitcev.lan> <20110622091345.GM2197@localhost.localdomain> <87d3i6t7j0.fsf@rho.meyering.net> <4E01F70C.7030301@redhat.com> <87d3i6rlur.fsf@rho.meyering.net> <4E01FF7D.2070707@redhat.com> <87hb7hrggg.fsf@rho.meyering.net>
Message-ID: <4E021B13.7060303@redhat.com>

On 06/22/2011 12:14 PM, Jim Meyering wrote:
> Sure,
>
> http://git.fedorahosted.org/git?p=iwhd.git;a=blob;f=doc/image_repo.odt
>

Does not open for me. I tried saving but it saves as a 0-byte doc.

-- 
Thank you,
Dmitri Pal

Sr. Engineering Manager IPA project,
Red Hat Inc.

From dpal at redhat.com Wed Jun 22 16:59:49 2011
From: dpal at redhat.com (Dmitri Pal)
Date: Wed, 22 Jun 2011 12:59:49 -0400
Subject: [Freeipa-devel] Kerberos implementation issues
In-Reply-To: <87hb7hrggg.fsf@rho.meyering.net>
References: <20110621160610.6613cb5f@lembas.zaitcev.lan> <4E011B14.1030404@redhat.com> <20110621164808.48fa8064@lembas.zaitcev.lan> <20110622091345.GM2197@localhost.localdomain> <87d3i6t7j0.fsf@rho.meyering.net> <4E01F70C.7030301@redhat.com> <87d3i6rlur.fsf@rho.meyering.net> <4E01FF7D.2070707@redhat.com> <87hb7hrggg.fsf@rho.meyering.net>
Message-ID: <4E021F85.60304@redhat.com>

On 06/22/2011 12:14 PM, Jim Meyering wrote:
> Dmitri Pal wrote:
>
>>> Dmitri Pal wrote:
>>>> On 06/22/2011 07:44 AM, Jim Meyering wrote:
>>>>> Our best bet may be to find an embeddable httpd server that supports GSSAPI.
>>>>> Do any of you know of one?
>>>>>
>>>> Quick search on the internet did not reveal any.
>>>> I found a Ruby GSSAPI library if this is of any help.
>>>> https://github.com/zenchild/gssapi/wiki
>>> If only iwhd were written in Ruby rather than C.
>> Hm I thought everything is written in Ruby nowadays :-)
>> at least most of the cloud infrastructure services we integrate.
>>
>> Good to hear that something is still written in plain old C.
>> Is there any architectural diagram and high level overview of the
>> project that we can take a look at?
> Sure,
>
> http://git.fedorahosted.org/git?p=iwhd.git;a=blob;f=doc/image_repo.odt

I figured it out.

How about this?

http://www.webdav.org/neon/

Seems like the only one alive and active.

-- 
Thank you,
Dmitri Pal

Sr. Engineering Manager IPA project,
Red Hat Inc.

From dpal at redhat.com Wed Jun 22 17:03:34 2011
From: dpal at redhat.com (Dmitri Pal)
Date: Wed, 22 Jun 2011 13:03:34 -0400
Subject: [Freeipa-devel] Kerberos implementation issues
In-Reply-To: <4E021F85.60304@redhat.com>
References: <20110621160610.6613cb5f@lembas.zaitcev.lan> <4E011B14.1030404@redhat.com> <20110621164808.48fa8064@lembas.zaitcev.lan> <20110622091345.GM2197@localhost.localdomain> <87d3i6t7j0.fsf@rho.meyering.net> <4E01F70C.7030301@redhat.com> <87d3i6rlur.fsf@rho.meyering.net> <4E01FF7D.2070707@redhat.com> <87hb7hrggg.fsf@rho.meyering.net> <4E021F85.60304@redhat.com>
Message-ID: <4E022066.3070301@redhat.com>

On 06/22/2011 12:59 PM, Dmitri Pal wrote:
> On 06/22/2011 12:14 PM, Jim Meyering wrote:
>> Dmitri Pal wrote:
>>
>>>> Dmitri Pal wrote:
>>>>> On 06/22/2011 07:44 AM, Jim Meyering wrote:
>>>>>> Our best bet may be to find an embeddable httpd server that supports GSSAPI.
>>>>>> Do any of you know of one?
>>>>>>
>>>>> Quick search on the internet did not reveal any.
>>>>> I found a Ruby GSSAPI library if this is of any help.
>>>>> https://github.com/zenchild/gssapi/wiki
>>>> If only iwhd were written in Ruby rather than C.
>>> Hm I thought everything is written in Ruby nowadays :-)
>>> at least most of the cloud infrastructure services we integrate.
>>>
>>> Good to hear that something is still written in plain old C.
>>> Is there any architectural diagram and high level overview of the
>>> project that we can take a look at?
>> Sure,
>>
>> http://git.fedorahosted.org/git?p=iwhd.git;a=blob;f=doc/image_repo.odt
> I figured it out.
>
> How about this?
>
> http://www.webdav.org/neon/
>
> Seems like the only one alive and active.

It is the client lib though. Not sure how much can be reused on the
server side. Maybe it is worth asking on the libmicrohttpd list about
what is available or on the neon mailing list. People might know what is
going on and what the options are.

-- 
Thank you,
Dmitri Pal

Sr. Engineering Manager IPA project,
Red Hat Inc.

From edewata at redhat.com Wed Jun 22 17:27:48 2011
From: edewata at redhat.com (Endi Sukma Dewata)
Date: Wed, 22 Jun 2011 12:27:48 -0500
Subject: [Freeipa-devel] [PATCH] 185 Converted entity header into facet header.
In-Reply-To: <4E01FC69.7010707@redhat.com>
References: <4E015CEA.20103@redhat.com> <4E01FC69.7010707@redhat.com>
Message-ID: <4E022614.1090905@redhat.com>

On 6/22/2011 9:30 AM, Adam Young wrote:
>> This patch requires Kyle's patch #9 and #10.
>>
>> Demo is available here:
>> http://edewata.fedorapeople.org/freeipa/install/ui/index.html
> Close. The commonality of config and krbticket policy is that they have
> no search. Instead of putting a specific name= class for them, use a
> single class, something like .no-search. That way if we have others, we
> just reuse that class, instead of having css for each entity. The CSS
> should be oblivious to the domain model.

Attached is an updated patch. I added no-facet-tabs CSS class because
it's more generic. I also made some additional changes to simplify the
code. The demo site has been updated as well.

-- 
Endi S. Dewata

-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-edewata-0185-2-Converted-entity-header-into-facet-header.patch
Type: text/x-patch
Size: 44828 bytes
Desc: not available
URL: 

From simo at redhat.com Wed Jun 22 17:30:35 2011
From: simo at redhat.com (Simo Sorce)
Date: Wed, 22 Jun 2011 13:30:35 -0400
Subject: [Freeipa-devel] Kerberos implementation issues
In-Reply-To: <87d3i6rlur.fsf@rho.meyering.net>
References: <20110621160610.6613cb5f@lembas.zaitcev.lan> <4E011B14.1030404@redhat.com> <20110621164808.48fa8064@lembas.zaitcev.lan> <20110622091345.GM2197@localhost.localdomain> <87d3i6t7j0.fsf@rho.meyering.net> <4E01F70C.7030301@redhat.com> <87d3i6rlur.fsf@rho.meyering.net>
Message-ID: <1308763835.25324.43.camel@willson.li.ssimo.org>

On Wed, 2011-06-22 at 16:18 +0200, Jim Meyering wrote:
> Dmitri Pal wrote:
> > On 06/22/2011 07:44 AM, Jim Meyering wrote:
> >> Our best bet may be to find an embeddable httpd server that supports GSSAPI.
> >> Do any of you know of one?
> >>
> > Quick search on the internet did not reveal any.
> > I found a Ruby GSSAPI library if this is of any help.
> > https://github.com/zenchild/gssapi/wiki
>
> If only iwhd were written in Ruby rather than C.

Maybe you can take mod_auth_kerb sources and adapt it for libmicrohttpd,
shouldn't be too much work, the crypto details are handled by libgssapi
anyways.

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York

From edewata at redhat.com Wed Jun 22 17:53:36 2011
From: edewata at redhat.com (Endi Sukma Dewata)
Date: Wed, 22 Jun 2011 12:53:36 -0500
Subject: [Freeipa-devel] [PATCH] 0251-absolute-to-relative
In-Reply-To: <4E01F8CE.2050006@redhat.com>
References: <4E01F8CE.2050006@redhat.com>
Message-ID: <4E022C20.1040102@redhat.com>

On 6/22/2011 9:14 AM, Adam Young wrote:
>

As discussed over IRC, in this particular case the absolute positioning
still has advantages over relative because it allows the elements in the
header (e.g. title, back link, facet tabs, controls) to attach 'relative'
to the header's borders.

This way when we change the elements in the header (e.g. hiding the facet
tabs) the only thing that might need to change is the header height,
which is the same as facet content's top position. I think this is easier
to maintain rather than having to rely on the heights of each element in
the header.

-- 
Endi S. Dewata

From zaitcev at redhat.com Wed Jun 22 18:03:55 2011
From: zaitcev at redhat.com (Pete Zaitcev)
Date: Wed, 22 Jun 2011 12:03:55 -0600
Subject: [Freeipa-devel] Kerberos implementation issues
In-Reply-To: <4E01EB04.6000009@redhat.com>
References: <20110621160610.6613cb5f@lembas.zaitcev.lan> <4E011B14.1030404@redhat.com> <20110621164808.48fa8064@lembas.zaitcev.lan> <20110622091345.GM2197@localhost.localdomain> <87d3i6t7j0.fsf@rho.meyering.net> <4E01EB04.6000009@redhat.com>
Message-ID: <20110622120355.3189aa7d@lembas.zaitcev.lan>

On Wed, 22 Jun 2011 09:15:48 -0400
Jeff Darcy wrote:

> (1) Have we definitively concluded that it's not possible to implement
> the pieces we need "on top of" the core libmicrohttpd code?

I hooked into rest.c:access_handler_0(), using MHD_lookup_connection_value
and friends for now. Seems to be working, without SSL at least.

> (2) Has anyone tried looking at the libmicrohttpd code, or talking to
> the libmicrohttpd authors, to evaluate the feasibility of adding the
> features we need there?

No, I haven't. Actually once I'm done maybe we can send them a patch
to implement "Negotiate" authentication.

-- Pete

From zaitcev at redhat.com Wed Jun 22 18:06:43 2011
From: zaitcev at redhat.com (Pete Zaitcev)
Date: Wed, 22 Jun 2011 12:06:43 -0600
Subject: [Freeipa-devel] Kerberos implementation issues
In-Reply-To: <20110622091345.GM2197@localhost.localdomain>
References: <20110621160610.6613cb5f@lembas.zaitcev.lan> <4E011B14.1030404@redhat.com> <20110621164808.48fa8064@lembas.zaitcev.lan> <20110622091345.GM2197@localhost.localdomain>
Message-ID: <20110622120643.11f55121@lembas.zaitcev.lan>

On Wed, 22 Jun 2011 11:13:45 +0200
Sumit Bose wrote:

> For a web service you typically do not want to use the host principal
> but create one for the specific service
> HTTP/fully.qualified.domain.name@YOUR.KERBEROS.REALM with ipa
> service-add.
>
> If you don't have freeIPA but a plain KDC you have to use the kadmin
> utility to create the principals (and their keys).

Understood, thanks a lot. I have my local FreeIPA instance where I can
do that, without filing a helpdesk ticket.

-- Pete

From jdennis at redhat.com Wed Jun 22 18:42:22 2011
From: jdennis at redhat.com (John Dennis)
Date: Wed, 22 Jun 2011 14:42:22 -0400
Subject: [Freeipa-devel] [PATCH 24/24] Add utility classes for handling DN's along with their, unittest.
In-Reply-To: <4DFFD6C7.7040902@redhat.com>
References: <4DF7F02A.9090001@redhat.com> <4DFF52D7.9010001@redhat.com> <4DFFA5CF.5090803@redhat.com> <4DFFA861.7070603@redhat.com> <4DFFB2BF.8010605@redhat.com> <4DFFD6C7.7040902@redhat.com>
Message-ID: <4E02378E.7040205@redhat.com>

Revised patch attached.

Added copyright notice.

Added support for concatenation and in-place addition for a few more types.

Updated the unit test for the new functionality.

Correct import statement in unit test.

-- 
John Dennis

-------------- next part --------------
A non-text attachment was scrubbed...
Name: dn_module.patch
Type: text/x-patch
Size: 75983 bytes
Desc: not available
URL: 

From rcritten at redhat.com Wed Jun 22 18:45:16 2011
From: rcritten at redhat.com (Rob Crittenden)
Date: Wed, 22 Jun 2011 14:45:16 -0400
Subject: [Freeipa-devel] [PATCH] 086 Fix IPA install for secure umask
In-Reply-To: <1308644512.28247.2.camel@dhcp-25-52.brq.redhat.com>
References: <1308314701.29284.2.camel@dhcp-25-52.brq.redhat.com> <1308317850.29284.7.camel@dhcp-25-52.brq.redhat.com> <1308644512.28247.2.camel@dhcp-25-52.brq.redhat.com>
Message-ID: <4E02383C.9010605@redhat.com>

Martin Kosek wrote:
> On Fri, 2011-06-17 at 15:37 +0200, Martin Kosek wrote:
>> On Fri, 2011-06-17 at 14:44 +0200, Martin Kosek wrote:
>>> Make sure that IPA can be installed with root umask set to secure
>>> value 077. ipa-server-install was failing in DS configuration phase
>>> when dirsrv tried to read boot.ldif created during installation.
>>>
>>> https://fedorahosted.org/freeipa/ticket/1282
>>>
>>
>> Self-Nack. Even though install didn't fail, I didn't notice there are
>> still issues with other files. For example dirsrv schema ldifs. This
>> needs to be fixed.
>>
>> Martin
>
> Sending a fixed version of the patch. See ticket for instructions how to
> test.
>
> Martin

Ack, pushed to master and ipa-2-0

rob

From jdennis at redhat.com Wed Jun 22 19:34:44 2011
From: jdennis at redhat.com (John Dennis)
Date: Wed, 22 Jun 2011 15:34:44 -0400
Subject: [Freeipa-devel] FreeIPA LDAP DN handling issues (part 1)
Message-ID: <4E0243D4.9090108@redhat.com>

-- 
John Dennis

-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: dn_errors.txt
URL: 

From jdennis at redhat.com Wed Jun 22 19:35:16 2011
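The umask interaction behind patch 086, as an added example in Python that is not FreeIPA's installer code: a file created while the umask is 077 ends up mode 0600, so a service running as another user (dirsrv reading boot.ldif in the report above) cannot open it unless the installer sets the mode explicitly instead of inheriting it. write_with_umask and demo are hypothetical names, and the boot.ldif content is constructed.

```python
import os
import stat
import tempfile


def write_with_umask(path, data, umask, mode=None):
    """Write `data` to a new file at `path` while the process umask is `umask`.

    mode=None: the file gets 0666 masked by the umask, so under umask 077 it
    is created 0600 and only the installing user can read it (the failure
    described in patch 086). With an explicit mode the permission bits are
    set with os.fchmod() after creation, so the caller, not the inherited
    umask, decides who may read the file. Returns the resulting mode bits.
    """
    old_umask = os.umask(umask)
    try:
        # O_EXCL: fail rather than silently reuse a pre-existing file whose
        # mode the O_CREAT mode argument would not change.
        fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o666)
        try:
            os.write(fd, data)
            if mode is not None:
                os.fchmod(fd, mode)
            return stat.S_IMODE(os.fstat(fd).st_mode)
        finally:
            os.close(fd)
    finally:
        os.umask(old_umask)


def demo():
    """Create a constructed boot.ldif twice under a 077 umask and return
    (mode without an explicit chmod, mode with mode=0o644)."""
    tmpdir = tempfile.mkdtemp()
    path = os.path.join(tmpdir, "boot.ldif")
    data = b"dn: cn=config\ncn: config\n"  # constructed sample content
    try:
        implicit = write_with_umask(path, data, 0o077)
        os.unlink(path)
        explicit = write_with_umask(path, data, 0o077, mode=0o644)
        os.unlink(path)
    finally:
        if os.path.exists(path):
            os.unlink(path)
        os.rmdir(tmpdir)
    return implicit, explicit


if __name__ == "__main__":
    implicit, explicit = demo()
    print("umask 077, no chmod: %04o" % implicit)   # 0600: unreadable by dirsrv
    print("umask 077, fchmod:   %04o" % explicit)   # 0644: world-readable
```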
From: jdennis at redhat.com (John Dennis)
Date: Wed, 22 Jun 2011 15:35:16 -0400
Subject: [Freeipa-devel] FreeIPA LDAP DN handling issues (part 2)
Message-ID: <4E0243F4.9090601@redhat.com>

-- 
John Dennis

-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: dn_module.txt
URL: 

From rcritten at redhat.com Wed Jun 22 19:54:47 2011
From: rcritten at redhat.com (Rob Crittenden)
Date: Wed, 22 Jun 2011 15:54:47 -0400
Subject: [Freeipa-devel] [PATCH 24/24] Add utility classes for handling DN's along with their, unittest.
In-Reply-To: <4E02378E.7040205@redhat.com>
References: <4DF7F02A.9090001@redhat.com> <4DFF52D7.9010001@redhat.com> <4DFFA5CF.5090803@redhat.com> <4DFFA861.7070603@redhat.com> <4DFFB2BF.8010605@redhat.com> <4DFFD6C7.7040902@redhat.com> <4E02378E.7040205@redhat.com>
Message-ID: <4E024887.6040101@redhat.com>

John Dennis wrote:
> Revised patch attached.
>
> Added copyright notice.
>
> Added support for concatenation and in-place addition for a few more types.
>
> Updated the unit test for the new functionality.
>
> Correct import statement in unit test.
>

I can work with the updated patch you sent but it isn't in a format that
git-am can handle. See this wiki page for patch naming conventions and
patch generation commands: https://fedorahosted.org/freeipa/wiki/PatchFormat

rob

From rcritten at redhat.com Wed Jun 22 21:06:43 2011
From: rcritten at redhat.com (Rob Crittenden)
Date: Wed, 22 Jun 2011 17:06:43 -0400
Subject: [Freeipa-devel] [PATCH 24/24] Add utility classes for handling DN's along with their, unittest.
In-Reply-To: <4E02378E.7040205@redhat.com>
References: <4DF7F02A.9090001@redhat.com> <4DFF52D7.9010001@redhat.com> <4DFFA5CF.5090803@redhat.com> <4DFFA861.7070603@redhat.com> <4DFFB2BF.8010605@redhat.com> <4DFFD6C7.7040902@redhat.com> <4E02378E.7040205@redhat.com>
Message-ID: <4E025963.5000001@redhat.com>

John Dennis wrote:
> Revised patch attached.
>
> Added copyright notice.
>
> Added support for concatenation and in-place addition for a few more types.
>
> Updated the unit test for the new functionality.
>
> Correct import statement in unit test.
>

Ack, pushed to master and ipa-2-0

From rcritten at redhat.com Wed Jun 22 21:06:53 2011
From: rcritten at redhat.com (Rob Crittenden)
Date: Wed, 22 Jun 2011 17:06:53 -0400
Subject: [Freeipa-devel] [PATCH 25/25] assert_deepequal supports callback for equality
In-Reply-To: <4DF8D248.7080302@redhat.com>
References: <4DF8D248.7080302@redhat.com>
Message-ID: <4E02596D.4040107@redhat.com>

John Dennis wrote:
> The unit test framework recursively checks for equality between the
> "expected" and "got". When it finds a non-container object it checks for
> equality between the expected and got objects. However sometimes a
> simple equality test is insufficient. This can happen when two values
> are equivalent but not equal. For example the two values might be
> encoded differently, hence the encoded values differ, but when decoded
> they are identical.
>
> To support these special cases one can now insert callable object to
> the expected container. When assert_deepequal sees a callable it does
> not test for equality, rather it calls the callable passing it the got
> object. The callable returns True if the got value is expected. This can
> simply be done with a lambda expression with a closure on the expected
> value, for example:
>
>     expected = {
>         'dn': lambda got: DN(got) == privilege1_dn
>     }
>
> In this case the "got" dn value is passed to the function which converts
> it to a DN object which can be compared with privilege1_dn, a local DN
> object, privilege1_dn is bound by closure. The equality callback is
> necessary because DN's can be encoded differently.
>
>

Ack, pushed to master and ipa-2-0

From rcritten at redhat.com Wed Jun 22 21:07:02 2011
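The callable-in-expected mechanism the commit message above describes, as an added example that is not FreeIPA's own assert_deepequal: a small recursive checker that walks dicts and sequences and, on meeting a callable, hands it the got value instead of testing equality. normalize_dn is a hypothetical stand-in for the DN class, and the sample privilege entry is constructed.

```python
def normalize_dn(dn):
    """Hypothetical stand-in for a DN class: compare RDNs case-insensitively
    and ignore whitespace around the separating commas."""
    return tuple(part.strip().lower() for part in dn.split(","))


def assert_deepequal(expected, got, path="expected"):
    """Recursively assert that `got` matches `expected`.

    Containers are walked element by element. A callable anywhere in
    `expected` replaces the equality test: it is called with the `got`
    value and must return True to accept it.
    """
    if callable(expected):
        if not expected(got):
            raise AssertionError("%s: callback rejected %r" % (path, got))
        return
    if isinstance(expected, dict):
        if not isinstance(got, dict) or set(expected) != set(got):
            raise AssertionError("%s: dict keys differ: %r vs %r"
                                 % (path, sorted(expected), got))
        for key in expected:
            assert_deepequal(expected[key], got[key], "%s[%r]" % (path, key))
        return
    if isinstance(expected, (list, tuple)):
        if not isinstance(got, (list, tuple)) or len(expected) != len(got):
            raise AssertionError("%s: sequence length differs" % path)
        for i, (e, g) in enumerate(zip(expected, got)):
            assert_deepequal(e, g, "%s[%d]" % (path, i))
        return
    if expected != got:
        raise AssertionError("%s: expected %r, got %r" % (path, expected, got))


def deepequal(expected, got):
    """True when assert_deepequal accepts `got`, False otherwise."""
    try:
        assert_deepequal(expected, got)
    except AssertionError:
        return False
    return True


# Constructed sample: the DN the test expects, and the same DN as a server
# might echo it back with different capitalisation and spacing. A plain
# string comparison of the two would fail; the callback decodes first.
privilege1_dn = "cn=privilege1,cn=privileges,cn=pbac,dc=example,dc=com"
expected = {
    "dn": lambda got: normalize_dn(got) == normalize_dn(privilege1_dn),
    "cn": ["privilege1"],
    "description": "Privilege one",
}
got = {
    "dn": "CN=Privilege1, cn=privileges, cn=pbac, dc=example, dc=com",
    "cn": ["privilege1"],
    "description": "Privilege one",
}

if __name__ == "__main__":
    assert_deepequal(expected, got)
    print("deep-equal with DN callback: ok")
```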
From: rcritten at redhat.com (Rob Crittenden)
Date: Wed, 22 Jun 2011 17:07:02 -0400
Subject: [Freeipa-devel] [PATCH 26/26] Add backslash escape support for csv reader
In-Reply-To: <4DF8ECDB.4020004@redhat.com>
References: <4DF8ECDB.4020004@redhat.com>
Message-ID: <4E025976.8060903@redhat.com>

John Dennis wrote:
> The csv reader is used to break comma separated lists into individual
> items. However what if you want one of those items to have an embedded
> comma? The answer is to escape it by preceding the comma with a
> backslash. This patch adds support for escaping in the csv reader.
>

ack, pushed to master and ipa-2-0

From rcritten at redhat.com Wed Jun 22 21:07:12 2011
From: rcritten at redhat.com (Rob Crittenden)
Date: Wed, 22 Jun 2011 17:07:12 -0400
Subject: [Freeipa-devel] [PATCH 27/27] get_primary_key_from_dn returns decoded value
In-Reply-To: <4DF90FE8.10606@redhat.com>
References: <4DF90FE8.10606@redhat.com>
Message-ID: <4E025980.4050300@redhat.com>

John Dennis wrote:
> DN's may be encoded. If we're going to return the value from one of the
> RDN's in the DN then we must decode the DN first, otherwise the returned
> value won't be what we're expecting. Specifically the value getting
> passed back through the RPC interface was not the value set because it
> included escaping specific only to DN's. We want to treat the value as
> the value set by the user, the fact it happens to live as part of a DN
> is an irrelevant implementation detail which shouldn't be visible in the
> values we exchange through the RPC mechanism.
>
> This patch takes the DN as returned by an ldap search and creates a DN
> object from it. The DN object allows us to robustly extract the value by
> name. The DN object also assures the components in the DN have been
> decoded back into normal unicode strings.
>
> There are many other places where we need to properly handle DN's by
> using a DN object, this is just one place, the minimum needed to get
> commas working in privileges. I'd rather make very small incremental
> changes in the DN handling rather than introducing too many changes in
> this critical area of the code, let's be conservative at this juncture.
>

ack, pushed to master and ipa-2-0

From rcritten at redhat.com Wed Jun 22 21:07:24 2011
From: rcritten at redhat.com (Rob Crittenden)
Date: Wed, 22 Jun 2011 17:07:24 -0400
Subject: [Freeipa-devel] [PATCH 28/28] Update test_role_plugin test to include a comma in a, privilege
In-Reply-To: <4DF9152D.7060408@redhat.com>
References: <4DF9152D.7060408@redhat.com>
Message-ID: <4E02598C.3090104@redhat.com>

John Dennis wrote:
> Update test_role_plugin test to include a comma in a privilege
>
> Introduce a comma into a privilege name to assure we can handle
> commas.
>
> Commas must be escaped for some parameters, add escape_comma() utility
> and invoke it for the necessary parameters.
>
> Utilize a DN object to properly construct a DN and most importantly to
> allow equality testing between the DN we expect and the one
> returned. This is necessary because a DN can be encoded according to
> different encoding syntaxes all of which are valid. DN objects always
> decode from their input. DN objects can test for equality between DN's
> without being affected by DN encoding.
>
> Add an equality callback for the dn in the expected dict. When the test
> framework tests for equality between the expected value and the
> returned value it will call back into a function we provide which will
> convert the returned dn into a DN object. An equality test is then
> performed between two DN objects. This is the only way to properly
> compare two dn's.
>

ack, pushed to master and ipa-2-0

From ayoung at redhat.com Thu Jun 23 01:33:22 2011
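The three DN-related patches above (backslash escaping in the csv reader, get_primary_key_from_dn returning the decoded value, and DN objects comparing equal regardless of encoding) share one problem: a comma inside a privilege name. Here is an added example, not FreeIPA's csv reader or DN class, of one backslash-aware splitter serving both; it also decodes the LDAP hex form (\2c) so that two encodings of the same DN compare equal. split_escaped, read_csv_list, escape_comma, DN and get_primary_key_from_dn are hypothetical names, and the privilege DNs are constructed.

```python
import string

HEX = set(string.hexdigits)


def split_escaped(text, sep=",", hex_escapes=False):
    r"""Split `text` on `sep`, honouring backslash escapes.

    "\," yields a literal comma and "\\" a literal backslash; any other
    escaped character is kept without the backslash. With hex_escapes=True
    the LDAP form "\2c" is decoded too, so differently encoded DNs decode
    to the same components.
    """
    items, current, i = [], [], 0
    while i < len(text):
        ch = text[i]
        if ch == "\\" and i + 1 < len(text):
            pair = text[i + 1:i + 3]
            if hex_escapes and len(pair) == 2 and set(pair) <= HEX:
                current.append(chr(int(pair, 16)))
                i += 3
            else:
                current.append(text[i + 1])
                i += 2
            continue
        if ch == sep:
            items.append("".join(current))
            current = []
        else:
            current.append(ch)
        i += 1
    items.append("".join(current))
    return items


def read_csv_list(text):
    r"""Comma-separated list reader with backslash escaping, the behaviour
    patch 26 adds: 'a,b\,c' -> ['a', 'b,c']. Empty items are dropped."""
    return [item.strip() for item in split_escaped(text) if item.strip()]


def escape_comma(value):
    """Escape a value so an embedded comma (or backslash) survives the
    csv reader; the inverse of what split_escaped undoes."""
    return value.replace("\\", "\\\\").replace(",", "\\,")


class DN(object):
    """Decoded DN: a list of (attribute, value) RDNs. Attribute names and
    values compare case-insensitively, so encoding differences vanish."""

    def __init__(self, dn):
        self.rdns = []
        for rdn in split_escaped(dn, hex_escapes=True):
            attr, _, value = rdn.partition("=")
            self.rdns.append((attr.strip().lower(), value.strip()))

    def __getitem__(self, attr):
        for a, v in self.rdns:
            if a == attr.lower():
                return v
        raise KeyError(attr)

    def _key(self):
        return [(a, v.lower()) for a, v in self.rdns]

    def __eq__(self, other):
        if not isinstance(other, DN):
            other = DN(other)
        return self._key() == other._key()

    def __ne__(self, other):
        return not self == other

    def __str__(self):
        # Re-encode with backslash escapes only.
        return ",".join("%s=%s" % (a, escape_comma(v)) for a, v in self.rdns)


def get_primary_key_from_dn(dn, attr="cn"):
    """Return the decoded value of the first RDN named `attr`, as patch 27
    describes: the caller sees the value the user set, not its DN encoding."""
    return DN(dn)[attr]


if __name__ == "__main__":
    raw = "cn=Add\\, Remove Hosts,cn=privileges,cn=pbac,dc=example,dc=com"
    print(read_csv_list("Add Users,Add\\, Remove Hosts,Modify Users"))
    print(get_primary_key_from_dn(raw))
    print(DN(raw) == "CN=add\\2c remove hosts,cn=privileges,cn=pbac,dc=example,dc=com")
```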
From: ayoung at redhat.com (Adam Young)
Date: Wed, 22 Jun 2011 21:33:22 -0400
Subject: [Freeipa-devel] [PATCH] 0251-absolute-to-relative
In-Reply-To: <4E022C20.1040102@redhat.com>
References: <4E01F8CE.2050006@redhat.com> <4E022C20.1040102@redhat.com>
Message-ID: <4E0297E2.6010508@redhat.com>

On 06/22/2011 01:53 PM, Endi Sukma Dewata wrote:
> On 6/22/2011 9:14 AM, Adam Young wrote:
>>
>
> As discussed over IRC, in this particular case the absolute
> positioning still has advantages over relative because it allows the
> elements in the header (e.g. title, back link, facet tabs, controls)
> to attach 'relative' to the header's borders.
>
> This way when we change the elements in the header (e.g. hiding the
> facet tabs) the only thing that might need to change is the header
> height, which is the same as facet content's top position. I think
> this is easier to maintain rather than having to rely on the heights
> of each element in the header.
>

In short, NACK

From edewata at redhat.com Thu Jun 23 03:39:31 2011
From: edewata at redhat.com (Endi Sukma Dewata)
Date: Wed, 22 Jun 2011 22:39:31 -0500
Subject: [Freeipa-devel] [PATCH] 186 Added navigation breadcrumb.
Message-ID: <4E02B573.8050807@redhat.com>

Navigation breadcrumb has been added to the facet header. The breadcrumb
will appear on details, association, and automount facets.

Ticket #1323

-- 
Endi S. Dewata

-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-edewata-0186-Added-navigation-breadcrumb.patch
Type: text/x-patch
Size: 12883 bytes
Desc: not available
URL: 

From abokovoy at redhat.com Thu Jun 23 05:48:39 2011
From: abokovoy at redhat.com (Alexander Bokovoy) Date: Thu, 23 Jun 2011 08:48:39 +0300 Subject: [Freeipa-devel] Kerberos implementation issues In-Reply-To: <1308763835.25324.43.camel@willson.li.ssimo.org> References: <20110621160610.6613cb5f@lembas.zaitcev.lan> <4E011B14.1030404@redhat.com> <20110621164808.48fa8064@lembas.zaitcev.lan> <20110622091345.GM2197@localhost.localdomain> <87d3i6t7j0.fsf@rho.meyering.net> <4E01F70C.7030301@redhat.com> <87d3i6rlur.fsf@rho.meyering.net> <1308763835.25324.43.camel@willson.li.ssimo.org> Message-ID: <4E02D3B7.70507@redhat.com> Hi, On 22.06.2011 20:30, Simo Sorce wrote: >>> Quick search on the internet did not reveal any. >>> I found a Ruby GSSAPI library if this is of any help. >>> https://github.com/zenchild/gssapi/wiki >> >> If only iwhd were written in Ruby rather than C. > > Maybe you can take mod_auth_kerb sources and adapt it for libmicrohttp, > shouldn't be too much work, the crypto details are handled by libgssapi > anyways. That seems to be a common case -- at least for nginx people did go the same way https://github.com/fintler/nginx-mod-auth-kerb -- / Alexander Bokovoy From jim at meyering.net Thu Jun 23 06:14:49 2011 
From: jim at meyering.net (Jim Meyering) Date: Thu, 23 Jun 2011 08:14:49 +0200 Subject: [Freeipa-devel] Kerberos implementation issues In-Reply-To: <4E02D3B7.70507@redhat.com> (Alexander Bokovoy's message of "Thu, 23 Jun 2011 08:48:39 +0300") References: <20110621160610.6613cb5f@lembas.zaitcev.lan> <4E011B14.1030404@redhat.com> <20110621164808.48fa8064@lembas.zaitcev.lan> <20110622091345.GM2197@localhost.localdomain> <87d3i6t7j0.fsf@rho.meyering.net> <4E01F70C.7030301@redhat.com> <87d3i6rlur.fsf@rho.meyering.net> <1308763835.25324.43.camel@willson.li.ssimo.org> <4E02D3B7.70507@redhat.com> Message-ID: <87pqm5nkfa.fsf@rho.meyering.net> Alexander Bokovoy wrote: > On 22.06.2011 20:30, Simo Sorce wrote: >>>> Quick search on the internet did not reveal any. >>>> I found a Ruby GSSAPI library if this is of any help. >>>> https://github.com/zenchild/gssapi/wiki >>> >>> If only iwhd were written in Ruby rather than C. >> >> Maybe you can take mod_auth_kerb sources and adapt it for libmicrohttp, >> shouldn't be too much work, the crypto details are handled by libgssapi >> anyways. > That seems to be a common case -- at least for nginx people did go the > same way https://github.com/fintler/nginx-mod-auth-kerb Thanks to both of you for the tips. From mkosek at redhat.com Thu Jun 23 09:12:38 2011 
From: mkosek at redhat.com (Martin Kosek) Date: Thu, 23 Jun 2011 11:12:38 +0200 Subject: [Freeipa-devel] [PATCH] 762 Let the framework be able to override the hostname In-Reply-To: <4E01E538.50706@redhat.com> References: <4D95F3AD.2000707@redhat.com> <1306320574.18222.20.camel@dhcp-25-52.brq.redhat.com> <4DDD204A.8010009@redhat.com> <1306395960.2330.7.camel@dhcp-25-52.brq.redhat.com> <4DDFFDDE.2040908@redhat.com> <1306757151.2427.16.camel@dhcp-25-52.brq.redhat.com> <4DECE95E.1010006@redhat.com> <4E01E538.50706@redhat.com> Message-ID: <1308820360.3951.4.camel@dhcp-25-52.brq.redhat.com> On Wed, 2011-06-22 at 08:51 -0400, Rob Crittenden wrote: > Rob Crittenden wrote: > > Martin Kosek wrote: > >> On Fri, 2011-05-27 at 15:39 -0400, Rob Crittenden wrote: > >>> Martin Kosek wrote: > >>>> On Wed, 2011-05-25 at 11:29 -0400, Rob Crittenden wrote: > >>>>> Martin Kosek wrote: > >>>>>> On Fri, 2011-04-01 at 11:47 -0400, Rob Crittenden wrote: > >>>>>>> The hostname is passed in during the server installation. We > >>>>>>> should use > >>>>>>> this hostname for the resulting server as well. It was being > >>>>>>> discarded > >>>>>>> and we always used the system hostname value. > >>>>>>> > >>>>>>> ticket 1052 > >>>>>>> > >>>>>>> rob > >>>>>> > >>>>>> I have to NACK this again. I have a problem communicating with IPA > >>>>>> on a > >>>>>> master machine. I reproduced it on 2 different machines. 
Please, > >>>>>> correct > >>>>>> my steps if I am wrong, I do the following procedure > >>>>>> > >>>>>> 1) I prepare a fresh minimal F-15 > >>>>>> 2) Install freeipa-server (current master with your patches) > >>>>>> 3) Add custom hostname to /etc/hosts > >>>>>> 4) Install IPA server: > >>>>>> ipa-server-install -p secret123 -a secret123 --hostname > >>>>>> ipa.idm.lab.bos.redhat.com --setup-dns --forwarder=10.16.255.2 > >>>>>> 5) # kinit admin > >>>>>> Password for admin at IDM.LAB.BOS.REDHAT.COM: > >>>>>> 6) # ipa user-show admin > >>>>>> ipa: ERROR: cannot connect to 'any of the configured servers': > >>>>>> https://ipa.idm.lab.bos.redhat.com/ipa/xml, > >>>>>> https://ipa.idm.lab.bos.redhat.com/ipa/xml > >>>>>> > >>>>>> # ping -c 1 ipa.idm.lab.bos.redhat.com > >>>>>> PING ipa.idm.lab.bos.redhat.com (10.16.78.140) 56(84) bytes of data. > >>>>>> 64 bytes from ipa.idm.lab.bos.redhat.com (10.16.78.140): icmp_req=1 > >>>>>> ttl=64 time=0.049 ms > >>>>>> > >>>>>> Apache error_log shows relevant errors: > >>>>>> > >>>>>> [Wed May 25 06:42:38 2011] [error] ipa: ERROR: Failed to start > >>>>>> IPA: Unable to retrieve LDAP schema: Invalid credentials: > >>>>>> SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. > >>>>>> Minor code may provide more information (Permission denied) > >>>>>> [Wed May 25 06:42:38 2011] [error] ipa: ERROR: Failed to start > >>>>>> IPA: Unable to retrieve LDAP schema: Invalid credentials: > >>>>>> SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. 
> >>>>>> Minor code may provide more information (Permission denied) > >>>>>> [Wed May 25 06:43:55 2011] [error] Exception KeyError: > >>>>>> KeyError(140250828974112,) in <module 'threading' from > >>>>>> '/usr/lib64/python2.7/threading.pyc'> ignored > >>>>>> [Wed May 25 06:43:55 2011] [error] Exception KeyError: > >>>>>> KeyError(140250828974112,) in <module 'threading' from > >>>>>> '/usr/lib64/python2.7/threading.pyc'> ignored > >>>>>> [Wed May 25 06:43:55 2011] [error] Exception KeyError: > >>>>>> KeyError(140250828974112,) in <module 'threading' from > >>>>>> '/usr/lib64/python2.7/threading.pyc'> ignored > >>>>>> [Wed May 25 06:43:55 2011] [error] Exception KeyError: > >>>>>> KeyError(140250828974112,) in <module 'threading' from > >>>>>> '/usr/lib64/python2.7/threading.pyc'> ignored > >>>>>> [Wed May 25 06:43:55 2011] [error] Exception KeyError: > >>>>>> KeyError(140250828974112,) in <module 'threading' from > >>>>>> '/usr/lib64/python2.7/threading.pyc'> ignored > >>>>>> [Wed May 25 06:43:55 2011] [error] Exception KeyError: > >>>>>> KeyError(140250828974112,) in <module 'threading' from > >>>>>> '/usr/lib64/python2.7/threading.pyc'> ignored > >>>>>> [Wed May 25 06:43:55 2011] [error] Exception KeyError: > >>>>>> KeyError(140250828974112,) in <module 'threading' from > >>>>>> '/usr/lib64/python2.7/threading.pyc'> ignored > >>>>>> [Wed May 25 06:43:55 2011] [error] Exception KeyError: > >>>>>> KeyError(140250828974112,) in <module 'threading' from > >>>>>> '/usr/lib64/python2.7/threading.pyc'> ignored > >>>>>> [Wed May 25 06:43:55 2011] [error] Exception KeyError: > >>>>>> KeyError(140250828974112,) in <module 'threading' from > >>>>>> '/usr/lib64/python2.7/threading.pyc'> ignored > >>>>>> [Wed May 25 06:43:55 2011] [error] Exception KeyError: > >>>>>> KeyError(140250828974112,) in <module 'threading' from > >>>>>> '/usr/lib64/python2.7/threading.pyc'> ignored > >>>>>> [Wed May 25 06:43:56 2011] [notice] caught SIGTERM, shutting down > >>>>>> [Wed May 25 06:43:56 2011] [notice] SELinux policy enabled; httpd > >>>>>> running as context system_u:system_r:kernel_t:s0 > >>>>>> [Wed May 25 06:43:57 2011] [notice] Digest: generating secret for > >>>>>> digest authentication ... 
> >>>>>> [Wed May 25 06:43:57 2011] [notice] Digest: done > >>>>>> [Wed May 25 06:43:57 2011] [notice] Apache/2.2.17 (Unix) DAV/2 > >>>>>> mod_auth_kerb/5.4 mod_nss/2.2.17 NSS/3.12.9.0 mod_wsgi/3.2 > >>>>>> Python/2.7.1 configured -- resuming normal operations > >>>>>> [Wed May 25 06:44:04 2011] [error] ipa: INFO: *** PROCESS START *** > >>>>>> [Wed May 25 06:44:04 2011] [error] ipa: INFO: *** PROCESS START *** > >>>>>> [Wed May 25 06:45:25 2011] [error] [client 10.16.78.140] mod_wsgi > >>>>>> (pid=5192): Exception occurred processing WSGI script > >>>>>> '/usr/share/ipa/wsgi.py'. > >>>>>> [Wed May 25 06:45:25 2011] [error] [client 10.16.78.140] Traceback > >>>>>> (most recent call last): > >>>>>> [Wed May 25 06:45:25 2011] [error] [client 10.16.78.140] File > >>>>>> "/usr/share/ipa/wsgi.py", line 48, in application > >>>>>> [Wed May 25 06:45:25 2011] [error] [client 10.16.78.140] return > >>>>>> api.Backend.session(environ, start_response) > >>>>>> [Wed May 25 06:45:25 2011] [error] [client 10.16.78.140] File > >>>>>> "/usr/lib/python2.7/site-packages/ipaserver/rpcserver.py", line > >>>>>> 141, in __call__ > >>>>>> [Wed May 25 06:45:25 2011] [error] [client 10.16.78.140] > >>>>>> self.create_context(ccache=environ.get('KRB5CCNAME')) > >>>>>> [Wed May 25 06:45:25 2011] [error] [client 10.16.78.140] File > >>>>>> "/usr/lib/python2.7/site-packages/ipalib/backend.py", line 110, in > >>>>>> create_context > >>>>>> [Wed May 25 06:45:25 2011] [error] [client 10.16.78.140] > >>>>>> self.Backend.ldap2.connect(ccache=ccache) > >>>>>> [Wed May 25 06:45:25 2011] [error] [client 10.16.78.140] File > >>>>>> "/usr/lib/python2.7/site-packages/ipalib/backend.py", line 62, in > >>>>>> connect > >>>>>> [Wed May 25 06:45:25 2011] [error] [client 10.16.78.140] conn = > >>>>>> self.create_connection(*args, **kw) > >>>>>> [Wed May 25 06:45:25 2011] [error] [client 10.16.78.140] File > >>>>>> "/usr/lib/python2.7/site-packages/ipalib/encoder.py", line 188, in > >>>>>> new_f > >>>>>> [Wed 
May 25 06:45:25 2011] [error] [client 10.16.78.140] return > >>>>>> f(*new_args, **kwargs) > >>>>>> [Wed May 25 06:45:25 2011] [error] [client 10.16.78.140] File > >>>>>> "/usr/lib/python2.7/site-packages/ipaserver/plugins/ldap2.py", > >>>>>> line 337, in create_connection > >>>>>> [Wed May 25 06:45:25 2011] [error] [client 10.16.78.140] > >>>>>> _handle_errors(e, **{}) > >>>>>> [Wed May 25 06:45:25 2011] [error] [client 10.16.78.140] File > >>>>>> "/usr/lib/python2.7/site-packages/ipaserver/plugins/ldap2.py", > >>>>>> line 118, in _handle_errors > >>>>>> [Wed May 25 06:45:25 2011] [error] [client 10.16.78.140] raise > >>>>>> errors.DatabaseError(desc=desc, info=info) > >>>>>> [Wed May 25 06:45:25 2011] [error] [client 10.16.78.140] > >>>>>> DatabaseError: Local error: SASL(-1): generic failure: GSSAPI > >>>>>> Error: An invalid name was supplied (Hostname cannot be > >>>>>> canonicalized) > >>>>>> [Wed May 25 06:45:26 2011] [error] [client 10.16.78.140] mod_wsgi > >>>>>> (pid=5193): Exception occurred processing WSGI script > >>>>>> '/usr/share/ipa/wsgi.py'. > >>>>>> > >>>>>> > >>>>>> You can check the problem on vm-140.idm.lab.bos.redhat.com if you > >>>>>> want to. > >>>>>> > >>>>>> Martin > >>>>>> > >>>>> > >>>>> The LDAP connection was still using the system hostname value. I > >>>>> added a > >>>>> conn.set_option(_ldap.OPT_HOST_NAME, api.env.host) in the two > >>>>> places we > >>>>> initialize an LDAP connection and that seems to have fixed it. > >>>>> > >>>>> Updated patch attached > >>>>> > >>>>> rob > >>>> > >>>> NACK. The problem on a master is gone. 
However, now ipa-replica-install > >>>> is failing: > >>>> > >>>> # ipa-replica-install > >>>> /home/mkosek/replica-info-vm-027.idm.lab.bos.redhat.com.gpg > >>>> Directory Manager (existing master) password: > >>>> > >>>> creation of replica failed: Can't contact LDAP server: > >>>> > >>>> > >>>> I found out that the root cause of the failure is in the change you > >>>> just > >>>> made in ldap2.py: > >>>> > >>>> def create_connection(self, ccache=None, bind_dn='', bind_pw='', > >>>> tls_cacertfile=None, tls_certfile=None, tls_keyfile=None, > >>>> debug_level=0): > >>>> ... > >>>> try: > >>>> conn = _ldap.initialize(self.ldap_uri) > >>>> conn.set_option(_ldap.OPT_HOST_NAME, api.env.host)<-- > >>>> if ccache is not None: > >>>> os.environ['KRB5CCNAME'] = ccache > >>>> ... > >>>> > >>>> because api.env.host points to the local host and not the remote > >>>> master. > >>>> When I commented this line out, installation continued OK. Then, it > >>>> crashed again with our "favorite" dogtag's "invalid clone_uri" > >>>> exception. > >>>> > >>>> Since we see this error also in other scenarios (not only custom > >>>> --hostname) and the root cause is not in your patch I can ACK your patch > >>>> 762 once the replica install bug is fixed. > >>>> > >>>> Martin > >>>> > >>> > >>> Fixed both of these. We only need to set the hostname when using an > >>> ldapi URI, so fixed both of those. > >>> > >>> I also fixed the Invalid clone_uri bug. The problem was we weren't > >>> passing our new hostname to pkicreate so it was creating a CA for > >>> whatever the value of `hostname` was. There is an environment variable > >>> in pkicreate to pass in the hostname and doing that has fixed the > >>> problem. > >>> > >>> rob > >> > >> Yes, this issue was fixed. It's good you found a way to deal with the > >> clone_uri problem. 
However, I still hit some issues: > >> > >> 1) I think we have some Kerberos related problems when the custom > >> hostname is used (ipa.idm.lab.bos.redhat.com on a > >> vm-096.idm.lab.bos.redhat.com). Named and SSSD refuse to start on the > >> system. > >> > >> /var/log/messages: > >> May 30 05:04:35 vm-096 named[13932]: listening on IPv4 interface eth0, > >> 10.16.78.96#53 > >> May 30 05:04:35 vm-096 named[13932]: generating session key for > >> dynamic DNS > >> May 30 05:04:36 vm-096 named[13932]: Failed to init credentials > >> (Preauthentication failed) > >> May 30 05:04:36 vm-096 named[13932]: loading configuration: failure > >> May 30 05:04:36 vm-096 named[13932]: exiting (due to fatal error) > >> May 30 05:04:36 vm-096 systemd[1]: named.service: control process > >> exited, code=exited status=7 > >> May 30 05:04:36 vm-096 systemd[1]: Unit named.service entered failed > >> state. > >> May 30 05:07:41 vm-096 sssd: Starting up > >> May 30 05:07:41 vm-096 sssd[be[idm.lab.bos.redhat.com]]: Starting up > >> May 30 05:07:41 vm-096 sssd[be[idm.lab.bos.redhat.com]]: Error > >> processing keytab file [(null)]: Principal > >> [host/vm-096.idm.lab.bos.redhat.com@IDM.LAB.BOS.REDHAT.COM] was not > >> found. Unable to create GSSAPI-encrypted LDAP connection. > > > > For the named issue I filed a bug against bind-dyndb-ldap for this, > > https://bugzilla.redhat.com/show_bug.cgi?id=710261 > > > > This is a similar problem I ran into: when you do an ldapi bind it > > defaults to using the system hostname value. > > > > To fix the sssd problem we just need to set the ipa_hostname option > > (they have lots of nice tuning options!). We just need to decide if we > > always set this value or only at install time when the hostnames differ. > > > >> 2) My dogtag powered replica still refuses to install (happened to me on > >> 2 fresh VMs) with "creation of replica failed: Configuration of CA > >> failed". 
> >> > >> I investigated the ipareplica-install.log, I found an error that may be > >> relevant. Maybe Ade will recognize some of them. > >> > >> ############################################# > >> Attempting to connect to: vm-028.idm.lab.bos.redhat.com:9445 > >> Connected. > >> Posting Query = > >> https://vm-028.idm.lab.bos.redhat.com:9445//ca/admin/console/config/wizard?p=9&op=next&xml=true&host=vm-028.idm.lab.bos.redhat.com&port=7389&binddn=cn%3DDirectory+Manager&__bindpwd=XXXXXXXX&basedn=o%3Dipaca&database=ipaca&display=%24displayStr&cloneStartTLS=on > >> > >> RESPONSE STATUS: HTTP/1.1 200 OK > >> RESPONSE HEADER: Server: Apache-Coyote/1.1 > >> RESPONSE HEADER: Content-Type: application/xml;charset=UTF-8 > >> RESPONSE HEADER: Date: Mon, 30 May 2011 11:26:29 GMT > >> RESPONSE HEADER: Connection: close > >> ... > >> > >> admin/console/config/databasepanel.vm > >> clone > >> > >> 7389 > >> (sensitive) > >> on > >> vm-028.idm.lab.bos.redhat.com > >> Master and clone should have the same base DN > >> > >> > >> The CA installation fails a few error messages later. > >> > >> Providing an excerpt of the CA logs as they may be relevant: > >> > >> /var/log/pki-ca/catalina.out: > >> ... > >> CMS Warning: FAILURE: Cannot build CA chain. Error > >> java.security.cert.CertificateException: Certificate is not a PKCS #11 > >> certificate|FAILURE: authz instance DirAclAuthz initialization failed > >> and skipped, error=Property internaldb.ldapconn.port missing value| > >> ... > >> [Fatal Error] :2:15: Open quote is expected for attribute "BGCOLOR" > >> associated with an element type "BODY". > >> > >> /var/log/pki-ca/system: > >> 2893.main - [30/May/2011:07:25:47 EDT] [3] [3] Cannot build CA chain. 
> >> Error java.security.cert.CertificateException: Certificate is not a > >> PKCS #11 certificate > >> 2893.main - [30/May/2011:07:25:47 EDT] [13] [3] authz instance > >> DirAclAuthz initialization failed and skipped, error=Property > >> internaldb.ldapconn.port missing value > >> > >> Martin > >> > > > > Haven't had a chance to explore this one yet. It sure would be nice if > > dogtag would tell us what the two differing base DNs are though... > > This patch should resolve the remaining issues. It requires a patch to > bind-dyndb-ldap, I have a candidate patch in > https://bugzilla.redhat.com/show_bug.cgi?id=710261 > > rob Hmm, good work there. Bind and SSSD on a custom-hostname IPA master are working now. IPA client and CA-powered replica too. I found only one issue - ipactl is not working because it uses socket.gethostname() instead of api.env.host. So if you fix this one-liner it's ACK from me. Martin From mkosek at redhat.com Thu Jun 23 10:39:04 2011 
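Added example for the ldapi/hostname discussion in this thread. It is not FreeIPA's ldap2 plugin; the function names, the sample URIs, the realm and the keytab listing are all constructed for illustration. It picks the host name GSSAPI should target from the LDAP URI, so the configured name is used only for ldapi:// and a remote ldap(s):// master keeps its own name, and it shows which host principal a daemon that still derives its name from gethostname() would look for.

```python
# Added example for the hostname discussion above; not FreeIPA's ldap2 plugin.
# Function names, URIs, realm and keytab contents are constructed.
from urllib.parse import urlsplit


def sasl_target_host(ldap_uri, configured_host, system_hostname):
    """Host name the GSSAPI/SASL layer should target for this LDAP URI.

    An ldapi:// URI carries a socket path and no host, so libldap would
    fall back to the system host name; the configured name (api.env.host
    in the thread) has to be supplied instead.  For ldap:// and ldaps://
    the URI already names the (possibly remote) server, and forcing the
    local name there is what broke ipa-replica-install in the thread.
    """
    parts = urlsplit(ldap_uri)
    if parts.scheme == 'ldapi':
        return configured_host or system_hostname
    if parts.scheme in ('ldap', 'ldaps') and parts.hostname:
        return parts.hostname
    raise ValueError('unsupported LDAP URI: %r' % (ldap_uri,))


def host_principal(hostname, realm):
    """Principal a service on `hostname` needs in its keytab."""
    return 'host/%s@%s' % (hostname.lower(), realm.upper())


def missing_principals(required, keytab_principals):
    """Return the required principals absent from a keytab listing (the
    list would normally come from `klist -k`; here it is constructed)."""
    present = {p.strip() for p in keytab_principals}
    return [p for p in required if p not in present]


if __name__ == '__main__':
    # Constructed scenario mirroring the thread: the machine is called
    # vm-096 but IPA was installed with --hostname ipa.example.test.
    system_name = 'vm-096.example.test'
    configured = 'ipa.example.test'
    realm = 'EXAMPLE.TEST'
    keytab = ['host/ipa.example.test@EXAMPLE.TEST']   # what the installer wrote

    for uri in ('ldapi://%2fvar%2frun%2fslapd-EXAMPLE-TEST.socket',
                'ldaps://vm-027.example.test:636'):
        print(uri, '->', sasl_target_host(uri, configured, system_name))

    # A daemon that builds its principal from gethostname() looks for the
    # wrong key: the "Principal ... was not found" symptom from the log.
    wanted = [host_principal(system_name, realm)]
    print('missing from keytab:', missing_principals(wanted, keytab))
```

Running it prints ipa.example.test for the ldapi URI, vm-027.example.test for the ldaps URI, and lists host/vm-096.example.test@EXAMPLE.TEST as missing, which is the shape of the SSSD failure quoted above.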
From: mkosek at redhat.com (Martin Kosek) Date: Thu, 23 Jun 2011 12:39:04 +0200 Subject: [Freeipa-devel] [PATCH] 088 Check IPA configuration in install tools In-Reply-To: <4E026696.2030600@redhat.com> References: <1308741564.13562.17.camel@dhcp-25-52.brq.redhat.com> <4E026696.2030600@redhat.com> Message-ID: <1308825546.3951.9.camel@dhcp-25-52.brq.redhat.com> On Wed, 2011-06-22 at 18:03 -0400, Rob Crittenden wrote: > Martin Kosek wrote: > > Install tools may fail with an unexpected error when IPA server is not > > installed on a system. Improve user experience by implementing > > a check in the affected tools. > > > > https://fedorahosted.org/freeipa/ticket/1327 > > https://fedorahosted.org/freeipa/ticket/1347 > > Can you add a docstring to the check_server_configuration() function? > > Looking in each utility it isn't necessarily obvious what this does but > my meager attempts at renaming it all failed. I considered > is_server_installed() but that implies it would return True/False. Then > I considered require_server_configured() but that didn't seem to fit > either. We have lots of other check_* so I guess it is fine, but some > docs on where/why it is used would be nice. > > rob I see you face the same function-naming dilemma as I do. I improved the documentation for the function; it should help. Martin -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-mkosek-088-2-check-ipa-configuration-in-install-tools.patch Type: text/x-patch Size: 8890 bytes Desc: not available URL: From mkosek at redhat.com Thu Jun 23 11:19:36 2011 
From: mkosek at redhat.com (Martin Kosek) Date: Thu, 23 Jun 2011 13:19:36 +0200 Subject: [Freeipa-devel] [PATCH] 804 slight perf improvement In-Reply-To: <4DFA228A.1050905@redhat.com> References: <4DFA228A.1050905@redhat.com> Message-ID: <1308827978.3951.12.camel@dhcp-25-52.brq.redhat.com> On Thu, 2011-06-16 at 11:34 -0400, Rob Crittenden wrote: > This patch adds the production mode test to a few more places in the > code. The speed increase is slight, a few hundred ms in my tests, but > every little bit helps. > > ticket 1023 > > rob I didn't notice much of a speed up on my VM. But if it does in your tests I am not against this patch. It doesn't seem to have a potential to break things. Martin From mkosek at redhat.com Thu Jun 23 12:41:06 2011 
From: mkosek at redhat.com (Martin Kosek) Date: Thu, 23 Jun 2011 14:41:06 +0200 Subject: [Freeipa-devel] [PATCH] 805 make dogtag optionally installable on replicas In-Reply-To: <4DFBC1EB.6060702@redhat.com> References: <4DFBC1EB.6060702@redhat.com> Message-ID: <1308832869.3951.18.camel@dhcp-25-52.brq.redhat.com> On Fri, 2011-06-17 at 17:06 -0400, Rob Crittenden wrote: > A dogtag replica file is created as usual. When the replica is installed > dogtag is optional and not installed by default. Adding the --setup-ca > option will configure it when the replica is installed. > > A new tool ipa-ca-install will configure dogtag if it wasn't configured > when the replica was initially installed. > > https://fedorahosted.org/freeipa/ticket/1251 > > See the ticket for testing suggestions. > > rob I have found some issues with the patch: 1) Man page: - missing man file in man folder's Makefile.am - missing man file in the spec -> man is not installed 2) Missing ipa-ca-install in install/po/Makefile.in 3) ipa-ca-install: - expand_info, read_info, get_host_name or install_ca: functions are copied from ipa-replica-install tool. Having a lot of redundant code leads to the dark side. Calling these functions from a common library seems more convenient to me. 
4) man ipa-ca-install: +\fB\-p\fR, \fB\-\-password\fR=\fIDM_PASSWORD\fR is not consistent with +\fB\-w\fR \fIADMIN_PASSWORD\fR, \fB\-\-admin\-password\fR= \fIADMIN_PASSWORD\fR (missing DM_PASSWORD placeholder after "-p") 5) Now the real problem - when I am installing a replica I got a strange error: # ipa-replica-install /home/mkosek/replica-info-vm-060.idm.lab.bos.redhat.com.gpg --setup-ca -w secret123 Directory Manager (existing master) password: Run connection check to master Check connection from replica to remote master 'vm-099.idm.lab.bos.redhat.com': Directory Service: Unsecure port (389): OK Directory Service: Secure port (636): OK Kerberos (88): OK PKI-CA: Directory Service port (7389): OK PKI-CA: Agent secure port (9443): OK PKI-CA: EE secure port (9444): OK PKI-CA: Admin secure port (9445): OK PKI-CA: EE secure client auth port (9446): OK PKI-CA: Unsecure port (9180): OK Connection from replica to master is OK. Start listening on required ports for remote master check Get credentials to log in to remote master Execute check on remote master Check connection from master to remote replica 'vm-060.idm.lab.bos.redhat.com': Directory Service: Unsecure port (389): OK Directory Service: Secure port (636): OK Kerberos (88): OK PKI-CA: Directory Service port (7389): OK PKI-CA: Agent secure port (9443): OK PKI-CA: EE secure port (9444): OK PKI-CA: Admin secure port (9445): OK PKI-CA: EE secure client auth port (9446): OK PKI-CA: Unsecure port (9180): OK Connection from master to replica is OK. Connection check OK Configuring ntpd [1/4]: stopping ntpd [2/4]: writing configuration [3/4]: configuring ntpd to start on boot [4/4]: starting ntpd done configuring ntpd. Configuring directory server for the CA: Estimated time 30 seconds [1/3]: creating directory server user [2/3]: creating directory server instance [3/3]: restarting directory server done configuring pkids. creation of replica failed: Incorrect padding Your system may be partly configured. 
Run /usr/sbin/ipa-server-install --uninstall to clean up. /var/log/ipareplica-install.log: ... 2011-06-23 08:37:35,907 DEBUG args=/usr/bin/certutil -d /etc/dirsrv/slapd-PKI-IPA/ -L -n Server-Cert -a 2011-06-23 08:37:35,908 DEBUG stdout=-----BEGIN CERTIFICATE----- MIIDnjCCAoagAwIBAgIBEDANBgkqhkiG9w0BAQsFADBBMR8wHQYDVQQKExZJRE0u^M TEFCLkJPUy5SRURIQVQuQ09NMR4wHAYDVQQDExVDZXJ0aWZpY2F0ZSBBdXRob3Jp^M dHkwHhcNMTEwNjIzMTIzNjM0WhcNMTExMjIwMTIzNjM0WjBJMR8wHQYDVQQKExZJ^M RE0uTEFCLkJPUy5SRURIQVQuQ09NMSYwJAYDVQQDEx12bS0wNjAuaWRtLmxhYi5i^M b3MucmVkaGF0LmNvbTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAKMM^M 8FypUbIwR0NRcIEJ5GHbL54D5gh0ao5PoA8LRmcz6QdMjDtA/1aeg9fskdkQ6Peh^M TTjlvL5Y9b/TVDxx4KrzbMiBCDdMecsbUSK32pJjw6DJCFhcBTwuAj/zZIrvsicT^M jtnTmeRQCEqGjRmizQHCDDdh+zx0Rh3mbzmxsZ4XaSafksm/y3tMBbw2S0Q7agNF^M 3Z95qQH9CZ1ManH90zMjOwJxknpxGrwaou9OsPJ1b7M6cvBVLW9kuEDO4c7qTcqa^M h7BRDQD/XVQn31/UFyLRxl+F4cTp6eBhb9B1+Mv18ZAw9xNhpb1xsWsNDqLh0zY4^M 5ZeUKTkZS4+WuJOYHFUCAwEAAaOBmDCBlTAfBgNVHSMEGDAWgBQZX7pLjCg+Fol2^M vkqZQBQRB7w67jBNBggrBgEFBQcBAQRBMD8wPQYIKwYBBQUHMAGGMWh0dHA6Ly92^M bS0wOTkuaWRtLmxhYi5ib3MucmVkaGF0LmNvbTo5MTgwL2NhL29jc3AwDgYDVR0P^M AQH/BAQDAgTwMBMGA1UdJQQMMAoGCCsGAQUFBwMBMA0GCSqGSIb3DQEBCwUAA4IB^M AQBzy0uiVeNGZpUHolgOsyKRl4Q3gpZg/25ai8HHylLSSjYXqy5WmNBy4NPIbVe8^M p6ZAjW7Lc5BwNTWwkbJoB9JTmhyIRRCWO1hf3qZC1eO9/Ax7XN2nCXka6NRoSxz7^M Ci7G6RsqM/egbBCUqgbRNz4DJntcrOdFYaOK03Jpfl0lsW0B6l2d+rIuZI5uVK/0^M uPsKdjCemzVsMOySBchnd/Cy8mXiP6ah7FZIpi9rZScA+UjTUou6PDGcft6jyAj9^M oeqol6t/6Otd+OFbAYwlccG73rq49sOB9GTjSQelMrHK/hunxIczwYrK2ZHvw2Hy^M HMOJrmcjFGoa/eL65JwmiFVl -----END CERTIFICATE----- 2011-06-23 08:37:35,908 DEBUG stderr= 2011-06-23 08:37:35,914 DEBUG Incorrect padding File "/usr/sbin/ipa-replica-install", line 560, in main() File "/usr/sbin/ipa-replica-install", line 502, in main (CA, cs) = install_ca(config) File "/usr/sbin/ipa-replica-install", line 173, in install_ca cs.load_pkcs12() File "/usr/lib/python2.7/site-packages/ipaserver/install/cainstance.py", line 325, in load_pkcs12 
self.dercert = dsdb.get_cert_from_db(self.nickname, pem=False) File "/usr/lib/python2.7/site-packages/ipaserver/install/certs.py", line 449, in get_cert_from_db dercert = base64.b64decode(cert) File "/usr/lib64/python2.7/base64.py", line 76, in b64decode raise TypeError(msg) Any idea what could cause this? This was run on clean VMs with your patch on top of master branch. Martin From loris at lgs.com.ve Thu Jun 23 13:02:40 2011 
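Added example for the "Incorrect padding" traceback above. It is not FreeIPA's certs.get_cert_from_db(), and the sample DER bytes are a constructed ASN.1 SEQUENCE, not the certificate in the log. The reply quoted later in the thread is cut off on this page, so the cause is not stated here; what is visible is the ^M (carriage return) at the end of every base64 line. This helper normalises CRLF, validates each base64 line and the body length before decoding, and reports which line or what kind of truncation is wrong instead of surfacing a bare base64 error.

```python
# Added example for the "Incorrect padding" failure above; it is not
# FreeIPA's certs.get_cert_from_db(). SAMPLE_DER is constructed (a minimal
# ASN.1 SEQUENCE), not the certificate from the log.
import base64
import binascii
import re

BEGIN = '-----BEGIN CERTIFICATE-----'
END = '-----END CERTIFICATE-----'
_B64_LINE = re.compile(r'^[A-Za-z0-9+/]+={0,2}$')


class PemError(ValueError):
    """Raised with a message that says which part of the PEM is bad."""


def pem_to_der(pem_text):
    """Extract the first CERTIFICATE block from PEM text and return DER.

    The log in the thread shows '^M' on every base64 line, i.e. CRLF line
    endings; those are normalised before the lines are examined, and the
    base64 body is checked line by line and for length before decoding so
    a failure names the offending line or the truncation instead of
    surfacing as a bare 'Incorrect padding'.
    """
    text = pem_text.replace('\r\n', '\n').replace('\r', '\n')
    lines = [line.strip() for line in text.split('\n')]
    try:
        start = lines.index(BEGIN)
        end = lines.index(END, start + 1)
    except ValueError:
        raise PemError('no %s ... %s block found' % (BEGIN, END))
    body = []
    for lineno, line in enumerate(lines[start + 1:end], start + 2):
        if not line:
            continue
        if not _B64_LINE.match(line):
            raise PemError('line %d is not base64: %r' % (lineno, line))
        body.append(line)
    data = ''.join(body)
    if not data:
        raise PemError('empty certificate body')
    if len(data) % 4:
        raise PemError('base64 body length %d is not a multiple of 4; '
                       'output truncated or corrupted' % len(data))
    try:
        return base64.b64decode(data, validate=True)
    except binascii.Error as exc:
        raise PemError('base64 decode failed: %s' % exc)


def der_to_pem(der):
    """Armor DER bytes as PEM with 64-character lines (LF endings)."""
    b64 = base64.b64encode(der).decode('ascii')
    chunks = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return '\n'.join([BEGIN] + chunks + [END]) + '\n'


# Constructed sample: DER for SEQUENCE { INTEGER 5 }, enough to round-trip.
SAMPLE_DER = b'\x30\x03\x02\x01\x05'


def demo():
    """Round-trip through CRLF output, then show what a truncated body reports."""
    pem_lf = der_to_pem(SAMPLE_DER)
    pem_crlf = pem_lf.replace('\n', '\r\n')          # what the log showed
    assert pem_to_der(pem_crlf) == SAMPLE_DER
    truncated = pem_lf.replace('MAMCAQU=', 'MAMCAQU')  # drop the final '='
    try:
        pem_to_der(truncated)
    except PemError as exc:
        return str(exc)
    return 'unexpectedly decoded'
```

demo() returns "base64 body length 7 is not a multiple of 4; output truncated or corrupted", which points at the data rather than at the decoder. Feeding it the certutil output from the log would tell you whether the CRs were the problem or whether the captured body was cut short.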
From: loris at lgs.com.ve (Loris Santamaria) Date: Thu, 23 Jun 2011 08:32:40 -0430 Subject: [Freeipa-devel] Trust relationship between IPA and samba4 Message-ID: <1308834163.5070.51.camel@arepa.pzo.lgs.com.ve> Hi, this week I tried to establish a trust relationship between freeipa v2 and a samba 4 domain. In that setup most workstations live in the samba 4 domain and most servers in the freeIPA domain so I am mainly interested in having windows being able to authenticate to the linux servers. First I set up the kerberos 5 trust from the "AD Domains and Trusts" control panel, then using kadmin.local I added the proper principals to the kerberos database in freeIPA (krbtgt/IPA.CORPFBK@WIN.CORPFBK and krbtgt/WIN.CORPFBK@IPA.CORPFBK). Second I added a sasl mapping to 389 DS to have windows users mapped one to one to IPA users:
dn: cn=zz,cn=mapping,cn=sasl,cn=config
objectClass: top
objectClass: nsSaslMapping
nsSaslMapRegexString: \(.*\)@WIN.CORPFBK
cn: zz
nsSaslMapBaseDNTemplate: dc=ipa,dc=corpfbk
nsSaslMapFilterTemplate: (krbPrincipalName=\1@IPA.CORPFBK)
And... everything worked beautifully! I can obtain a ticket from samba 4 and use it to browse 389DS or connect via ssh to a Linux server. Ok this is all well with services that just need to authenticate a user and then don't care about the realm part of the username, but it is not enough with services that use the complete principal to gather group membership of the users, I'm thinking of squid_kerb_auth + squid_ldap_group or mod_auth_kerb + mod_authnz_ldap. To have the trust relationship work with these services I should store the samba4 user complete principal name in some attribute of the corresponding freeIPA user. What would be the proper attribute? krbPrincipalAliases? Thanks in advance. -- Loris Santamaria linux user #70506 xmpp:loris at lgs.com.ve Links Global Services, C.A. 
http://www.lgs.com.ve Tel: 0286 952.06.87 Cel: 0414 095.00.10 sip:103 at lgs.com.ve ------------------------------------------------------------ -O9 -omg-optimize -fomit-instructions -------------- next part -------------- A non-text attachment was scrubbed... Name: smime.p7s Type: application/x-pkcs7-signature Size: 5909 bytes Desc: not available URL: From rcritten at redhat.com Thu Jun 23 13:26:18 2011 
From: rcritten at redhat.com (Rob Crittenden) Date: Thu, 23 Jun 2011 09:26:18 -0400 Subject: [Freeipa-devel] [PATCH] 762 Let the framework be able to override the hostname In-Reply-To: <1308820360.3951.4.camel@dhcp-25-52.brq.redhat.com> References: <4D95F3AD.2000707@redhat.com> <1306320574.18222.20.camel@dhcp-25-52.brq.redhat.com> <4DDD204A.8010009@redhat.com> <1306395960.2330.7.camel@dhcp-25-52.brq.redhat.com> <4DDFFDDE.2040908@redhat.com> <1306757151.2427.16.camel@dhcp-25-52.brq.redhat.com> <4DECE95E.1010006@redhat.com> <4E01E538.50706@redhat.com> <1308820360.3951.4.camel@dhcp-25-52.brq.redhat.com> Message-ID: <4E033EFA.7010001@redhat.com> Martin Kosek wrote: > On Wed, 2011-06-22 at 08:51 -0400, Rob Crittenden wrote: >> Rob Crittenden wrote: >>> >>> Haven't had a chance to explore this one yet. It sure would be nice if >>> dogtag would tell us what the two differing base DNs are though... >> >> This patch should resolve the remaining issues. It requires a patch to >> bind-dyndb-ldap, I have a candidate patch in >> https://bugzilla.redhat.com/show_bug.cgi?id=710261 >> >> rob > > Hmm, good work there. Bind, SSSD on custom-hostname IPA master is > working now. IPA client and CA-powered replica too. > > I found only one issue - ipactl is not working because it uses > socket.gethostname() instead of api.env.host. So if you fix this > one-liner its ACK from me. > > Martin > Fixed rob -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-rcrit-762-5-host.patch Type: text/x-diff Size: 10354 bytes Desc: not available URL: From simo at redhat.com Thu Jun 23 13:26:42 2011 
From: simo at redhat.com (Simo Sorce) Date: Thu, 23 Jun 2011 09:26:42 -0400 Subject: [Freeipa-devel] Trust relationship between IPA and samba4 In-Reply-To: <1308834163.5070.51.camel@arepa.pzo.lgs.com.ve> References: <1308834163.5070.51.camel@arepa.pzo.lgs.com.ve> Message-ID: <1308835602.25324.68.camel@willson.li.ssimo.org> On Thu, 2011-06-23 at 08:32 -0430, Loris Santamaria wrote: > Hi, > > this week I tried to establish a trust relationship between freeipa v2 > and a samba 4 domain. In that setup most workstations live in the samba > 4 domain and most servers in the freeIPA domain so I am mainly > interested in having windows being able to authenticate to the linux > servers. > > First I set up the kerberos 5 trust from the "AD Domains and Trusts" > control panel, then using kadmin.local I added the proper principals to > the kerberos database in freeIPA (krbtgt/IPA.CORPFBK@WIN.CORPFBK and > krbtgt/WIN.CORPFBK@IPA.CORPFBK). > > Second I added a sasl mapping to 389 DS to have windows users mapped one > to one to IPA users: > > dn: cn=zz,cn=mapping,cn=sasl,cn=config > objectClass: top > objectClass: nsSaslMapping > nsSaslMapRegexString: \(.*\)@WIN.CORPFBK > cn: zz > nsSaslMapBaseDNTemplate: dc=ipa,dc=corpfbk > nsSaslMapFilterTemplate: (krbPrincipalName=\1@IPA.CORPFBK) > > And... everything worked beautifully! I can obtain a ticket from samba 4 > and use it to browse 389DS or connect via ssh to a Linux server. > > Ok this is all well with services that just need to authenticate a user > and then don't care about the realm part of the username, but it is not > enough with services that use the complete principal to gather group > membership of the users, I'm thinking of squid_kerb_auth + > squid_ldap_group or mod_auth_kerb + mod_authnz_ldap. > > To have the trust relationship work with these services I should store > the samba4 user complete principal name in some attribute of the > corresponding freeIPA user. What would be the proper attribute? 
> krbPrincipalAliases? > > Thanks in advance. Hi Loris, great work there. We are actually starting to work right now on supporting trust relationships in FreeIPA, but we haven't attacked the problem of representing user memberships for external accounts. Given you are mapping krbPrincipalName to the IPA one you shouldn't need to add anything else from the IPA point of view. When you log in to DirSrv your group memberships will be those of the user that has the same name in IPA. The AD domain groups will not be seen at all of course. Simo. -- Simo Sorce * Red Hat, Inc * New York From rcritten at redhat.com Thu Jun 23 13:31:46 2011 
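Added example for the nsSaslMapping in this thread. It is model code, not 389 DS: the regex, templates and realms are the ones from Loris's post, the principals fed in are constructed, and the RFC 4515/4514 escaping of the captured group is this example's own choice, not something the page says the server does or does not do. It translates the POSIX group syntax, matches the principal and fills the base-DN and filter templates, so you can see exactly which IPA entry a WIN.CORPFBK principal is identified with; that identification is why, as Simo says, the group memberships you get are those of the same-named IPA user.

```python
# Added example for the SASL mapping above; a model of the mapping, not 389 DS
# code. Regex, templates and realms are from the post; principals fed in are
# constructed; the filter/DN escaping is this example's own choice.
import re

# The mapping entry from the post (attribute names as in 389 DS).
MAPPING = {
    'nsSaslMapRegexString': r'\(.*\)@WIN.CORPFBK',
    'nsSaslMapBaseDNTemplate': 'dc=ipa,dc=corpfbk',
    'nsSaslMapFilterTemplate': r'(krbPrincipalName=\1@IPA.CORPFBK)',
}


def posix_to_python(regex):
    """Translate POSIX basic-regex group syntax (\\( \\)) to Python's ( ),
    and literal parentheses the other way. Other tokens pass through."""
    out, i = [], 0
    while i < len(regex):
        pair = regex[i:i + 2]
        if pair in ('\\(', '\\)'):
            out.append(pair[1])
            i += 2
        elif regex[i] in '()':
            out.append('\\' + regex[i])
            i += 1
        else:
            out.append(regex[i])
            i += 1
    return ''.join(out)


def filter_escape(value):
    """RFC 4515 escaping for a value substituted into a search filter."""
    return (value.replace('\\', '\\5c').replace('*', '\\2a')
                 .replace('(', '\\28').replace(')', '\\29').replace('\x00', '\\00'))


def dn_escape(value):
    """RFC 4514 escaping for a value substituted into a base DN."""
    return re.sub(r'([,+"\\<>;])', r'\\\1', value)


def apply_mapping(mapping, principal):
    """Return (base_dn, search_filter) for an authenticated principal, or
    None when the mapping's regex does not match it. The match is anchored
    at both ends here; check how your server anchors before relying on it."""
    pattern = posix_to_python(mapping['nsSaslMapRegexString'])
    match = re.fullmatch(pattern, principal)
    if match is None:
        return None
    groups = match.groups()

    def fill(template, escape):
        # \1, \2 ... in the templates refer to the regex groups.
        return re.sub(r'\\(\d)',
                      lambda m: escape(groups[int(m.group(1)) - 1]), template)

    return (fill(mapping['nsSaslMapBaseDNTemplate'], dn_escape),
            fill(mapping['nsSaslMapFilterTemplate'], filter_escape))
```

apply_mapping(MAPPING, 'loris@WIN.CORPFBK') yields the search ('dc=ipa,dc=corpfbk', '(krbPrincipalName=loris@IPA.CORPFBK)'), i.e. the IPA user with the same short name. Two properties of the regex itself are worth seeing in the output: \(.*\) captures everything before the last "@", so a service principal such as host/pc1@WIN.CORPFBK is mapped to krbPrincipalName=host/pc1@IPA.CORPFBK as well, and the unescaped "." in WIN.CORPFBK matches any character, not only a dot.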
From: rcritten at redhat.com (Rob Crittenden) Date: Thu, 23 Jun 2011 09:31:46 -0400 Subject: [Freeipa-devel] [PATCH] 805 make dogtag optionally installable on replicas In-Reply-To: <1308832869.3951.18.camel@dhcp-25-52.brq.redhat.com> References: <4DFBC1EB.6060702@redhat.com> <1308832869.3951.18.camel@dhcp-25-52.brq.redhat.com> Message-ID: <4E034042.9070903@redhat.com> Martin Kosek wrote: > On Fri, 2011-06-17 at 17:06 -0400, Rob Crittenden wrote: >> A dogtag replica file is created as usual. When the replica is installed >> dogtag is optional and not installed by default. Adding the --setup-ca >> option will configure it when the replica is installed. >> >> A new tool ipa-ca-install will configure dogtag if it wasn't configured >> when the replica was initially installed. >> >> https://fedorahosted.org/freeipa/ticket/1251 >> >> See the ticket for testing suggestions. >> >> rob > > I have found some issues with the patch: > > 1) Man page: > - missing man file in man folder's Makefile.am > - missing man file in the spec -> man is not installed Yeah, I realized that after I submitted it. > > 2) Missing ipa-ca-install in install/po/Makefile.in Oh, ipa-dns-install is missing too, I'll fix it. > > 3) ipa-ca-install: > - expand_info, read_info, get_host_name or install_ca: functions are > copied from ipa-replica-install tool. Having a lot of redundant code > leads to the dark side. Calling these functions from a common library > seems more convenient to me. Yeah, I'll see about pulling some of that into installutils.py. install_ca is different depending on context though, I'll have to see how complex the conditionals become if I combine them. > > 4) man ipa-ca-install: > > +\fB\-p\fR, \fB\-\-password\fR=\fIDM_PASSWORD\fR > > is not consistent with > > +\fB\-w\fR \fIADMIN_PASSWORD\fR, \fB\-\-admin\-password\fR= > \fIADMIN_PASSWORD\fR > > (missing DM_PASSWORD placeholder after "-p") Ok, we'll need to check the ipa-replica-install man page too, I based this on that. 
> > > 5) Now the real problem - when I am installing a replica I got a strange > error: > > # > ipa-replica-install /home/mkosek/replica-info-vm-060.idm.lab.bos.redhat.com.gpg --setup-ca -w secret123 > Directory Manager (existing master) password: > > Run connection check to master > Check connection from replica to remote master > 'vm-099.idm.lab.bos.redhat.com': > Directory Service: Unsecure port (389): OK > Directory Service: Secure port (636): OK > Kerberos (88): OK > PKI-CA: Directory Service port (7389): OK > PKI-CA: Agent secure port (9443): OK > PKI-CA: EE secure port (9444): OK > PKI-CA: Admin secure port (9445): OK > PKI-CA: EE secure client auth port (9446): OK > PKI-CA: Unsecure port (9180): OK > > Connection from replica to master is OK. > Start listening on required ports for remote master check > Get credentials to log in to remote master > Execute check on remote master > Check connection from master to remote replica > 'vm-060.idm.lab.bos.redhat.com': > Directory Service: Unsecure port (389): OK > Directory Service: Secure port (636): OK > Kerberos (88): OK > PKI-CA: Directory Service port (7389): OK > PKI-CA: Agent secure port (9443): OK > PKI-CA: EE secure port (9444): OK > PKI-CA: Admin secure port (9445): OK > PKI-CA: EE secure client auth port (9446): OK > PKI-CA: Unsecure port (9180): OK > > Connection from master to replica is OK. > > Connection check OK > Configuring ntpd > [1/4]: stopping ntpd > [2/4]: writing configuration > [3/4]: configuring ntpd to start on boot > [4/4]: starting ntpd > done configuring ntpd. > Configuring directory server for the CA: Estimated time 30 seconds > [1/3]: creating directory server user > [2/3]: creating directory server instance > [3/3]: restarting directory server > done configuring pkids. > creation of replica failed: Incorrect padding > > Your system may be partly configured. > Run /usr/sbin/ipa-server-install --uninstall to clean up. > > > /var/log/ipareplica-install.log: > ... 
> 2011-06-23 08:37:35,907 DEBUG args=/usr/bin/certutil > -d /etc/dirsrv/slapd-PKI-IPA/ -L -n Server-Cert -a > 2011-06-23 08:37:35,908 DEBUG stdout=-----BEGIN CERTIFICATE----- > MIIDnjCCAoagAwIBAgIBEDANBgkqhkiG9w0BAQsFADBBMR8wHQYDVQQKExZJRE0u^M > TEFCLkJPUy5SRURIQVQuQ09NMR4wHAYDVQQDExVDZXJ0aWZpY2F0ZSBBdXRob3Jp^M > dHkwHhcNMTEwNjIzMTIzNjM0WhcNMTExMjIwMTIzNjM0WjBJMR8wHQYDVQQKExZJ^M > RE0uTEFCLkJPUy5SRURIQVQuQ09NMSYwJAYDVQQDEx12bS0wNjAuaWRtLmxhYi5i^M > b3MucmVkaGF0LmNvbTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAKMM^M > 8FypUbIwR0NRcIEJ5GHbL54D5gh0ao5PoA8LRmcz6QdMjDtA/1aeg9fskdkQ6Peh^M > TTjlvL5Y9b/TVDxx4KrzbMiBCDdMecsbUSK32pJjw6DJCFhcBTwuAj/zZIrvsicT^M > jtnTmeRQCEqGjRmizQHCDDdh+zx0Rh3mbzmxsZ4XaSafksm/y3tMBbw2S0Q7agNF^M > 3Z95qQH9CZ1ManH90zMjOwJxknpxGrwaou9OsPJ1b7M6cvBVLW9kuEDO4c7qTcqa^M > h7BRDQD/XVQn31/UFyLRxl+F4cTp6eBhb9B1+Mv18ZAw9xNhpb1xsWsNDqLh0zY4^M > 5ZeUKTkZS4+WuJOYHFUCAwEAAaOBmDCBlTAfBgNVHSMEGDAWgBQZX7pLjCg+Fol2^M > vkqZQBQRB7w67jBNBggrBgEFBQcBAQRBMD8wPQYIKwYBBQUHMAGGMWh0dHA6Ly92^M > bS0wOTkuaWRtLmxhYi5ib3MucmVkaGF0LmNvbTo5MTgwL2NhL29jc3AwDgYDVR0P^M > AQH/BAQDAgTwMBMGA1UdJQQMMAoGCCsGAQUFBwMBMA0GCSqGSIb3DQEBCwUAA4IB^M > AQBzy0uiVeNGZpUHolgOsyKRl4Q3gpZg/25ai8HHylLSSjYXqy5WmNBy4NPIbVe8^M > p6ZAjW7Lc5BwNTWwkbJoB9JTmhyIRRCWO1hf3qZC1eO9/Ax7XN2nCXka6NRoSxz7^M > Ci7G6RsqM/egbBCUqgbRNz4DJntcrOdFYaOK03Jpfl0lsW0B6l2d+rIuZI5uVK/0^M > uPsKdjCemzVsMOySBchnd/Cy8mXiP6ah7FZIpi9rZScA+UjTUou6PDGcft6jyAj9^M > oeqol6t/6Otd+OFbAYwlccG73rq49sOB9GTjSQelMrHK/hunxIczwYrK2ZHvw2Hy^M > HMOJrmcjFGoa/eL65JwmiFVl > -----END CERTIFICATE----- > > 2011-06-23 08:37:35,908 DEBUG stderr= > 2011-06-23 08:37:35,914 DEBUG Incorrect padding > File "/usr/sbin/ipa-replica-install", line 560, in > main() > > File "/usr/sbin/ipa-replica-install", line 502, in main > (CA, cs) = install_ca(config) > > File "/usr/sbin/ipa-replica-install", line 173, in install_ca > cs.load_pkcs12() > > File > "/usr/lib/python2.7/site-packages/ipaserver/install/cainstance.py", line > 325, in load_pkcs12 > self.dercert = 
dsdb.get_cert_from_db(self.nickname, pem=False) > > File "/usr/lib/python2.7/site-packages/ipaserver/install/certs.py", > line 449, in get_cert_from_db > dercert = base64.b64decode(cert) > > File "/usr/lib64/python2.7/base64.py", line 76, in b64decode > raise TypeError(msg) > > > Any idea what could cause this? This was run on clean VMs with your > patch on top of master branch. It means that the blob I ended up with wasn't properly base64-encoded. It could mean I missed a header/footer or something else. I'll see if I can reproduce. thanks rob From jcholast at redhat.com Thu Jun 23 14:33:25 2011 From: jcholast at redhat.com (Jan Cholasta) Date: Thu, 23 Jun 2011 16:33:25 +0200 Subject: [Freeipa-devel] [PATCH] 24 Verify that the hostname is fully-qualified Message-ID: <4E034EB5.7060603@redhat.com> This patch makes ipactl fail if the hostname isn't fully-qualified. It also fixes ipa-server-install to fail gracefully in such case, instead of failing with unexpected error. https://fedorahosted.org/freeipa/ticket/1035 Honza -- Jan Cholasta -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-jcholast-24-verify-fqdn.patch Type: text/x-patch Size: 2263 bytes Desc: not available URL: From mkosek at redhat.com Thu Jun 23 14:40:36 2011 
From: mkosek at redhat.com (Martin Kosek) Date: Thu, 23 Jun 2011 16:40:36 +0200 Subject: [Freeipa-devel] [PATCH] 762 Let the framework be able to override the hostname In-Reply-To: <4E033EFA.7010001@redhat.com> References: <4D95F3AD.2000707@redhat.com> <1306320574.18222.20.camel@dhcp-25-52.brq.redhat.com> <4DDD204A.8010009@redhat.com> <1306395960.2330.7.camel@dhcp-25-52.brq.redhat.com> <4DDFFDDE.2040908@redhat.com> <1306757151.2427.16.camel@dhcp-25-52.brq.redhat.com> <4DECE95E.1010006@redhat.com> <4E01E538.50706@redhat.com> <1308820360.3951.4.camel@dhcp-25-52.brq.redhat.com> <4E033EFA.7010001@redhat.com> Message-ID: <1308840038.2890.5.camel@dhcp-25-52.brq.redhat.com> On Thu, 2011-06-23 at 09:26 -0400, Rob Crittenden wrote: > Martin Kosek wrote: > > On Wed, 2011-06-22 at 08:51 -0400, Rob Crittenden wrote: > >> Rob Crittenden wrote: > >>> > >>> Haven't had a chance to explore this one yet. It sure would be nice if > >>> dogtag would tell us what the two differing base DNs are though... > >> > >> This patch should resolve the remaining issues. It requires a patch to > >> bind-dyndb-ldap, I have a candidate patch in > >> https://bugzilla.redhat.com/show_bug.cgi?id=710261 > >> > >> rob > > > > Hmm, good work there. Bind, SSSD on custom-hostname IPA master is > > working now. IPA client and CA-powered replica too. > > > > I found only one issue - ipactl is not working because it uses > > socket.gethostname() instead of api.env.host. So if you fix this > > one-liner its ACK from me. > > > > Martin > > > > Fixed > > rob Great, ACK from me. I think we can push it to our tree and do some small bugfixes if we find some more custom hostname related issues. However, the nameserver portion won't work until a new version of bind-dyndb-ldap with your patch included is released. We may want to bump up bind-dyndb-ldap version in our spec then. Martin From jcholast at redhat.com Thu Jun 23 14:52:20 2011 
From: jcholast at redhat.com (Jan Cholasta) Date: Thu, 23 Jun 2011 16:52:20 +0200 Subject: [Freeipa-devel] [PATCH] 23 Add ability to specify DNS reverse zone name by IP network address In-Reply-To: <4E008B7B.6020404@redhat.com> References: <4E008B7B.6020404@redhat.com> Message-ID: <4E035324.4000607@redhat.com> On 21.6.2011 14:15, Jan Cholasta wrote: > This patch adds a new option name_from_ip to dnszone commands. Default > value of idnsname is created from this option. > > Honza > Fixed the API version number, added usage example to dns plugin help. https://fedorahosted.org/freeipa/ticket/1045 Honza -- Jan Cholasta -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-jcholast-23.1-dnszone-reverse-ip.patch Type: text/x-patch Size: 13513 bytes Desc: not available URL: From mkosek at redhat.com Thu Jun 23 15:19:44 2011 From: mkosek at redhat.com (Martin Kosek) Date: Thu, 23 Jun 2011 17:19:44 +0200 Subject: [Freeipa-devel] [PATCH] 24 Verify that the hostname is fully-qualified In-Reply-To: <4E034EB5.7060603@redhat.com> References: <4E034EB5.7060603@redhat.com> Message-ID: <1308842386.2890.15.camel@dhcp-25-52.brq.redhat.com> On Thu, 2011-06-23 at 16:33 +0200, Jan Cholasta wrote: > This patch makes ipactl fail if the hostname isn't fully-qualified. It > also fixes ipa-server-install to fail gracefully in such case, instead > of failing with unexpected error. > > https://fedorahosted.org/freeipa/ticket/1035 > > Honza You may want to coordinate yourself with Rob here. His patch 762 for custom hostname was sent yesterday and was ACK-ed today. Otherwise your 2 patches will clash. You fixed the same line in ipactl for example. Martin From loris at lgs.com.ve Thu Jun 23 17:03:36 2011 
From: loris at lgs.com.ve (Loris Santamaria) Date: Thu, 23 Jun 2011 12:33:36 -0430 Subject: [Freeipa-devel] Trust relationship between IPA and samba4 In-Reply-To: <1308835602.25324.68.camel@willson.li.ssimo.org> References: <1308834163.5070.51.camel@arepa.pzo.lgs.com.ve> <1308835602.25324.68.camel@willson.li.ssimo.org> Message-ID: <1308848619.2075.8.camel@arepa.pzo.lgs.com.ve> On Thu, 23-06-2011 at 09:26 -0400, Simo Sorce wrote: > On Thu, 2011-06-23 at 08:32 -0430, Loris Santamaria wrote: > > Hi, > > > > this week I tried to establish a trust relationship between freeipa v2 > > and a samba 4 domain. In that setup most workstations live in the samba > > 4 domain and most servers in the freeIPA domain so I am mainly > > interested in having windows being able to authenticate to the linux > > servers. > > > > First I set up the kerberos 5 trust from the "AD Domains and Trusts" > > control panel, then using kadmin.local I added the proper principals to > > the kerberos database in freeIPA (krbtgt/IPA.CORPFBK at WIN.CORPFBK and > > krbtgt/WIN.CORPFBK at IPA.CORPFBK). > > > > Second I added a sasl mapping to 389 DS to have windows users mapped one > > to one to IPA users: > > > > dn: cn=zz,cn=mapping,cn=sasl,cn=config > > objectClass: top > > objectClass: nsSaslMapping > > nsSaslMapRegexString: \(.*\)@WIN.CORPFBK > > cn: zz > > nsSaslMapBaseDNTemplate: dc=ipa,dc=corpfbk > > nsSaslMapFilterTemplate: (krbPrincipalName=\1 at IPA.CORPFBK) > > > > And... everything worked beautifully! I can obtain a ticket from samba 4 > > and use it to browse 389DS or connect via ssh to a Linux server. > > > > Ok this is all well with services that just need to authenticate a user > > and then don't care with the realm part of the username, but it is not > > enough with services that use the complete principal to gather group > > membership of the users, I'm thinking of squid_kerb_auth + > > squid_ldap_group or mod_auth_kerb + mod_authzn_ldap.
> > > > To have the trust relationship work with these services I should store > > the samba4 user complete principal name in some attribute of the > > corresponding freeIPA user. What would be the proper attribute? > > krbPrincipalAliases? > > > > Thanks in advance. > > Hi Loris, > great work there. > > We are actually starting working right now to support trust > relationships in FreeIPA, but we haven't attacked the problem of > representing user memberships for external accounts. > > Given you are mapping krbPrincipalName to the IPA one you shouldn't need > to add anything else from the IPA point of view. When you log-in into > DirSrv your group memberships will be those of the user that has the > same name in IPA. The AD domain groups will not be seen at all of > course. That is not enough for all applications, see this example: 1) User logs in in windows workstation and obtains AD (or samba 4) or kerberos ticket, say loris at WIN.CORPFBK 2) User tries to browse the web, which is filtered by a kerberized Squid proxy 3) Thanks to the trust relationship the user is authenticated by squid_kerb_auth. Squid receives its full principal name, loris at WIN.CORPFBK 4) To manage squid authorization the administrator set up squid_ldap_group to search in ldap for the group membership of the authenticated user. 5) Since the mentioned principal isn't stored anywhere in the IPA directory, squid authorization fails. So, I think one should store the foreign principal in some attribute of the IPA user for applications that need it. Another application which uses the full principal is apache's mod_auth_kerb. -- Loris Santamaria linux user #70506 xmpp:loris at lgs.com.ve Links Global Services, C.A. http://www.lgs.com.ve Tel: 0286 952.06.87 Cel: 0414 095.00.10 sip:103 at lgs.com.ve ------------------------------------------------------------ -O9 -omg-optimize -fomit-instructions -------------- next part -------------- A non-text attachment was scrubbed... 
Name: smime.p7s Type: application/x-pkcs7-signature Size: 5909 bytes Desc: not available URL: From simo at redhat.com Thu Jun 23 17:32:00 2011 
From: simo at redhat.com (Simo Sorce) Date: Thu, 23 Jun 2011 13:32:00 -0400 Subject: [Freeipa-devel] Trust relationship between IPA and samba4 In-Reply-To: <1308848619.2075.8.camel@arepa.pzo.lgs.com.ve> References: <1308834163.5070.51.camel@arepa.pzo.lgs.com.ve> <1308835602.25324.68.camel@willson.li.ssimo.org> <1308848619.2075.8.camel@arepa.pzo.lgs.com.ve> Message-ID: <1308850320.25324.74.camel@willson.li.ssimo.org> On Thu, 2011-06-23 at 12:33 -0430, Loris Santamaria wrote: > On Thu, 23-06-2011 at 09:26 -0400, Simo Sorce wrote: > > On Thu, 2011-06-23 at 08:32 -0430, Loris Santamaria wrote: > > > Hi, > > > > > > this week I tried to establish a trust relationship between freeipa v2 > > > and a samba 4 domain. In that setup most workstations live in the samba > > > 4 domain and most servers in the freeIPA domain so I am mainly > > > interested in having windows being able to authenticate to the linux > > > servers. > > > > > > First I set up the kerberos 5 trust from the "AD Domains and Trusts" > > > control panel, then using kadmin.local I added the proper principals to > > > the kerberos database in freeIPA (krbtgt/IPA.CORPFBK at WIN.CORPFBK and > > > krbtgt/WIN.CORPFBK at IPA.CORPFBK). > > > > > > Second I added a sasl mapping to 389 DS to have windows users mapped one > > > to one to IPA users: > > > > > > dn: cn=zz,cn=mapping,cn=sasl,cn=config > > > objectClass: top > > > objectClass: nsSaslMapping > > > nsSaslMapRegexString: \(.*\)@WIN.CORPFBK > > > cn: zz > > > nsSaslMapBaseDNTemplate: dc=ipa,dc=corpfbk > > > nsSaslMapFilterTemplate: (krbPrincipalName=\1 at IPA.CORPFBK) > > > > > > And... everything worked beautifully! I can obtain a ticket from samba 4 > > > and use it to browse 389DS or connect via ssh to a Linux server.
> > > > > > Ok this is all well with services that just need to authenticate a user > > > and then don't care with the realm part of the username, but it is not > > > enough with services that use the complete principal to gather group > > > membership of the users, I'm thinking of squid_kerb_auth + > > > squid_ldap_group or mod_auth_kerb + mod_authzn_ldap. > > > > > > To have the trust relationship work with these services I should store > > > the samba4 user complete principal name in some attribute of the > > > corresponding freeIPA user. What would be the proper attribute? > > > krbPrincipalAliases? > > > > > > Thanks in advance. > > > > Hi Loris, > > great work there. > > > > We are actually starting working right now to support trust > > relationships in FreeIPA, but we haven't attacked the problem of > > representing user memberships for external accounts. > > > > Given you are mapping krbPrincipalName to the IPA one you shouldn't need > > to add anything else from the IPA point of view. When you log-in into > > DirSrv your group memberships will be those of the user that has the > > same name in IPA. The AD domain groups will not be seen at all of > > course. > > That is not enough for all applications, see this example: > > 1) User logs in in windows workstation and obtains AD (or samba 4) or > kerberos ticket, say loris at WIN.CORPFBK > > 2) User tries to browse the web, which is filtered by a kerberized Squid > proxy > > 3) Thanks to the trust relationship the user is authenticated by > squid_kerb_auth. Squid receives its full principal name, > loris at WIN.CORPFBK > > 4) To manage squid authorization the administrator set up > squid_ldap_group to search in ldap for the group membership of the > authenticated user. > > 5) Since the mentioned principal isn't stored anywhere in the IPA > directory, squid authorization fails. > > So, I think one should store the foreign principal in some attribute of > the IPA user for applications that need it. 
> Another application which uses the full principal is apache's mod_auth_kerb. Ah, so you need this for external applications that do searches on their own. In that case you could set krbCanonicalName to be the IPA's principal and add another krbPrincipalName with the AD principal. This is untested though, and might cause issues for the management framework and potentially the KDC. If you can specify the attribute where to look for in these applications I would suggest extending your local schema with an additional class/attribute pair to add to the user where you store the mapping for now. This will also make it simpler to migrate later to whatever solution we come up with in IPA as you won't have conflicts. Simo. -- Simo Sorce * Red Hat, Inc * New York From ayoung at redhat.com Thu Jun 23 18:20:35 2011 From: ayoung at redhat.com (Adam Young) Date: Thu, 23 Jun 2011 14:20:35 -0400 Subject: [Freeipa-devel] [PATCH] 0252 Automount keys details Message-ID: <4E0383F3.5000109@redhat.com> -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-admiyo-0252-automountkey-details.patch Type: text/x-patch Size: 7376 bytes Desc: not available URL: From ayoung at redhat.com Thu Jun 23 18:44:20 2011
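As an added example that is not code from the thread, from FreeIPA or from 389 DS, the Python 3 block below models what Loris's nsSaslMapping entry does at bind time and what the foreign-principal lookup Simo suggests would look like once the mapping is stored on the user. Assumptions: Python's re stands in for 389 DS's own regex engine (the realm's dot is escaped and the match anchored, which the original pattern \(.*\)@WIN.CORPFBK does not do); the directory is a constructed in-memory dict with two users; corpfbkForeignPrincipal is a hypothetical attribute name of the kind a local schema extension would add, not an IPA attribute; and the captured \1 is RFC 4515-escaped before substitution into the filter template, which the toy does explicitly because the thread does not say whether 389 DS does it. That last point is the practitioner caveat: principal text containing * or ) that reaches a filter unescaped becomes filter syntax, and the code shows the difference.

```python
import re

# Loris's nsSaslMapping entry, modelled in Python. 389 DS evaluates
# nsSaslMapRegexString with its own regex engine; Python's re is an
# assumption that holds for this simple pattern. The realm's dot is escaped
# and the match is anchored, so "x@WIN.CORPFBK.evil" cannot map.
SASL_MAPPINGS = [
    {
        "cn": "zz",
        "regex": re.compile(r"(.*)@WIN\.CORPFBK"),
        "base_dn": "dc=ipa,dc=corpfbk",
        "filter_template": "(krbPrincipalName=\\1@IPA.CORPFBK)",
    },
]

# Constructed in-memory stand-in for the IPA tree. corpfbkForeignPrincipal
# is a hypothetical attribute of the kind Simo suggests adding through a
# local schema extension; it is not an IPA attribute.
DIRECTORY = {
    "uid=loris,cn=users,cn=accounts,dc=ipa,dc=corpfbk": {
        "krbPrincipalName": ["loris@IPA.CORPFBK"],
        "corpfbkForeignPrincipal": ["loris@WIN.CORPFBK"],
        "memberOf": ["cn=proxyusers,cn=groups,cn=accounts,dc=ipa,dc=corpfbk"],
    },
    "uid=admin,cn=users,cn=accounts,dc=ipa,dc=corpfbk": {
        "krbPrincipalName": ["admin@IPA.CORPFBK"],
        "memberOf": ["cn=admins,cn=groups,cn=accounts,dc=ipa,dc=corpfbk"],
    },
}

def ldap_filter_escape(value):
    """RFC 4515 escaping for text substituted into a filter assertion value."""
    return "".join("\\%02x" % ord(c) if c in "*()\\\x00" else c for c in value)

def ldap_filter_unescape(value):
    return re.sub(r"\\([0-9a-fA-F]{2})",
                  lambda m: chr(int(m.group(1), 16)), value)

def sasl_map(principal):
    """(base_dn, filter) for the first mapping whose regex matches, else None.
    The captured group is escaped before it replaces \\1; the toy does this
    itself rather than assuming the server does."""
    for m in SASL_MAPPINGS:
        match = m["regex"].fullmatch(principal)
        if match:
            captured = ldap_filter_escape(match.group(1))
            return m["base_dn"], m["filter_template"].replace("\\1", captured)
    return None

_EQ_FILTER = re.compile(r"^\((?P<attr>[A-Za-z][A-Za-z0-9-]*)=(?P<value>.*)\)$")

def search(base_dn, ldap_filter):
    """Equality/substring-only evaluator: DNs under base_dn matching the filter.
    An unescaped '*' in the assertion value is a wildcard, as in real LDAP."""
    m = _EQ_FILTER.match(ldap_filter)
    if m is None:
        raise ValueError("unsupported filter: %r" % ldap_filter)
    attr = m.group("attr").lower()
    pieces = [re.escape(ldap_filter_unescape(p)) for p in m.group("value").split("*")]
    pattern = re.compile("^" + ".*".join(pieces) + "$", re.IGNORECASE)
    hits = []
    for dn, entry in DIRECTORY.items():
        if not dn.lower().endswith(base_dn.lower()):
            continue
        for key, values in entry.items():
            if key.lower() == attr and any(pattern.match(v) for v in values):
                hits.append(dn)
                break
    return sorted(hits)

def bind_identity(principal):
    """Resolve a GSSAPI-authenticated principal to exactly one entry via the
    SASL mapping; zero or several hits yield no identity rather than a guess."""
    mapped = sasl_map(principal)
    if mapped is None:
        return None
    hits = search(*mapped)
    return hits[0] if len(hits) == 1 else None

def groups_for_foreign_principal(principal):
    """What a squid_ldap_group-style check could do once the foreign principal
    is stored on the user: look it up by the (hypothetical) attribute and
    return that user's memberOf values."""
    flt = "(corpfbkForeignPrincipal=%s)" % ldap_filter_escape(principal)
    hits = search("dc=ipa,dc=corpfbk", flt)
    return list(DIRECTORY[hits[0]].get("memberOf", [])) if len(hits) == 1 else []
```

With the escaping in place, a principal such as lo*@WIN.CORPFBK maps to the filter (krbPrincipalName=lo\2a@IPA.CORPFBK) and matches nothing, whereas feeding the unescaped (krbPrincipalName=lo*@IPA.CORPFBK) to search() returns loris's entry. The same escaping is applied on the way into the foreign-principal lookup, since that value also arrives from the other realm's KDC.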
From: ayoung at redhat.com (Adam Young) Date: Thu, 23 Jun 2011 14:44:20 -0400 Subject: [Freeipa-devel] [PATCH] 186 Added navigation breadcrumb. In-Reply-To: <4E02B573.8050807@redhat.com> References: <4E02B573.8050807@redhat.com> Message-ID: <4E038984.7040308@redhat.com> On 06/22/2011 11:39 PM, Endi Sukma Dewata wrote: > Navigation breadcrumb has been added to the facet header. The > breadcrumb will appear on details, association, and automount > facets. > > Ticket #1323 > > > _______________________________________________ > Freeipa-devel mailing list > Freeipa-devel at redhat.com > https://www.redhat.com/mailman/listinfo/freeipa-devel Needs rebase -------------- next part -------------- An HTML attachment was scrubbed... URL: From edewata at redhat.com Thu Jun 23 19:36:51 2011 From: edewata at redhat.com (Endi Sukma Dewata) Date: Thu, 23 Jun 2011 14:36:51 -0500 Subject: [Freeipa-devel] [PATCH] 0009-Tab-and-spacing-on-list In-Reply-To: <1732034926.125538.1308677550724.JavaMail.root@zmail05.collab.prod.int.phx2.redhat.com> References: <1732034926.125538.1308677550724.JavaMail.root@zmail05.collab.prod.int.phx2.redhat.com> Message-ID: <4E0395D3.7000403@redhat.com> On 6/21/2011 12:32 PM, Kyle Baker wrote: > Both of those suggestions would be great, but it will require new > styles to be created > > 1. we need a style for facet-controls on a list page and a totally > separate style for controls on the detail pages. > > 2. This will require a umbrella style for all facet controls. ACK and pushed to master. I made some modifications in my patch #185-2 to address these issues. -- Endi S. Dewata From edewata at redhat.com Thu Jun 23 19:37:18 2011 
From: edewata at redhat.com (Endi Sukma Dewata) Date: Thu, 23 Jun 2011 14:37:18 -0500 Subject: [Freeipa-devel] [PATCH] 0010-Facet-icon-swap-and-tab-sizing In-Reply-To: <166584433.124417.1308672835768.JavaMail.root@zmail05.collab.prod.int.phx2.redhat.com> References: <166584433.124417.1308672835768.JavaMail.root@zmail05.collab.prod.int.phx2.redhat.com> Message-ID: <4E0395EE.90406@redhat.com> On 6/21/2011 11:13 AM, Kyle Baker wrote: > Minor tweaks to the sizing of the facet tabs as well as new icons under the facets. Attached a screen shot of 0009 and 0010 results. The same screen shot is attached in 0009 as well. ACK and pushed to master. -- Endi S. Dewata From ayoung at redhat.com Thu Jun 23 21:01:22 2011 From: ayoung at redhat.com (Adam Young) Date: Thu, 23 Jun 2011 17:01:22 -0400 Subject: [Freeipa-devel] [PATCH] 186 Added navigation breadcrumb. In-Reply-To: <4E038984.7040308@redhat.com> References: <4E02B573.8050807@redhat.com> <4E038984.7040308@redhat.com> Message-ID: <4E03A9A2.6080203@redhat.com> On 06/23/2011 02:44 PM, Adam Young wrote: > On 06/22/2011 11:39 PM, Endi Sukma Dewata wrote: >> Navigation breadcrumb has been added to the facet header. The >> breadcrumb will appear on details, association, and automount >> facets. >> >> Ticket #1323 >> > Needs rebase > ACK. Pushed to master -------------- next part -------------- An HTML attachment was scrubbed... URL: From ayoung at redhat.com Thu Jun 23 21:01:40 2011
From: ayoung at redhat.com (Adam Young) Date: Thu, 23 Jun 2011 17:01:40 -0400 Subject: [Freeipa-devel] [PATCH] 185 Converted entity header into facet header. In-Reply-To: <4E022614.1090905@redhat.com> References: <4E015CEA.20103@redhat.com> <4E01FC69.7010707@redhat.com> <4E022614.1090905@redhat.com> Message-ID: <4E03A9B4.4080003@redhat.com> On 06/22/2011 01:27 PM, Endi Sukma Dewata wrote: > On 6/22/2011 9:30 AM, Adam Young wrote: >>> This patch requires Kyle's patch #9 and #10. >>> >>> Demo is available here: >>> http://edewata.fedorapeople.org/freeipa/install/ui/index.html > >> Close. The commonality of config and krbticket policy is that they have >> no search. INstead of putting a specific name= class for them, use a >> single class, something like .no-search. That way if we have others, we >> just reuse that class, instead of having css for each entity. The CSS >> should be oblivious to the domain model. > > Attached is an updated patch. I added no-facet-tabs CSS class because > it's more generic. I also made some additional changes to simplify the > code. The demo site has been updated as well. > ACK. Pushed to master From rcritten at redhat.com Thu Jun 23 21:00:37 2011 
From: rcritten at redhat.com (Rob Crittenden) Date: Thu, 23 Jun 2011 17:00:37 -0400 Subject: [Freeipa-devel] [PATCH] 805 make dogtag optionally installable on replicas In-Reply-To: <4E034042.9070903@redhat.com> References: <4DFBC1EB.6060702@redhat.com> <1308832869.3951.18.camel@dhcp-25-52.brq.redhat.com> <4E034042.9070903@redhat.com> Message-ID: <4E03A975.3000000@redhat.com> Rob Crittenden wrote: > Martin Kosek wrote: >> On Fri, 2011-06-17 at 17:06 -0400, Rob Crittenden wrote: >>> A dogtag replica file is created as usual. When the replica is installed >>> dogtag is optional and not installed by default. Adding the --setup-ca >>> option will configure it when the replica is installed. >>> >>> A new tool ipa-ca-install will configure dogtag if it wasn't configured >>> when the replica was initially installed. >>> >>> https://fedorahosted.org/freeipa/ticket/1251 >>> >>> See the ticket for testing suggestions. >>> >>> rob >> >> I have found some issues with the patch: >> >> 1) Man page: >> - missing man file in man folder's Makefile.am >> - missing man file in the spec -> man is not installed > > Yeah, I realized that after I submitted it. > >> >> 2) Missing ipa-ca-install in install/po/Makefile.in > > Oh, ipa-dns-install is missing too, I'll fix it. > >> >> 3) ipa-ca-install: >> - expand_info, read_info, get_host_name or install_ca: functions are >> copied from ipa-replica-install tool. Having a lot of redundant code >> leads to the dark side. Calling these functions from a common library >> seems more convenient to me. > > Yeah, I'll see about pulling some of that into installutils.py. > install_ca is different depending on context though, I'll have to see > how complex the conditionals become if I combine them. 
> >> >> 4) man ipa-ca-install: >> >> +\fB\-p\fR, \fB\-\-password\fR=\fIDM_PASSWORD\fR >> >> is not consistent with >> >> +\fB\-w\fR \fIADMIN_PASSWORD\fR, \fB\-\-admin\-password\fR= >> \fIADMIN_PASSWORD\fR >> >> (missing DM_PASSWORD placeholder after "-p") > > Ok, we'll need to check the ipa-replica-install man page too, I based > this on that. > >> >> >> 5) Now the real problem - when I am installing a replica I got a strange >> error: >> >> # >> ipa-replica-install >> /home/mkosek/replica-info-vm-060.idm.lab.bos.redhat.com.gpg --setup-ca >> -w secret123 >> Directory Manager (existing master) password: >> >> Run connection check to master >> Check connection from replica to remote master >> 'vm-099.idm.lab.bos.redhat.com': >> Directory Service: Unsecure port (389): OK >> Directory Service: Secure port (636): OK >> Kerberos (88): OK >> PKI-CA: Directory Service port (7389): OK >> PKI-CA: Agent secure port (9443): OK >> PKI-CA: EE secure port (9444): OK >> PKI-CA: Admin secure port (9445): OK >> PKI-CA: EE secure client auth port (9446): OK >> PKI-CA: Unsecure port (9180): OK >> >> Connection from replica to master is OK. >> Start listening on required ports for remote master check >> Get credentials to log in to remote master >> Execute check on remote master >> Check connection from master to remote replica >> 'vm-060.idm.lab.bos.redhat.com': >> Directory Service: Unsecure port (389): OK >> Directory Service: Secure port (636): OK >> Kerberos (88): OK >> PKI-CA: Directory Service port (7389): OK >> PKI-CA: Agent secure port (9443): OK >> PKI-CA: EE secure port (9444): OK >> PKI-CA: Admin secure port (9445): OK >> PKI-CA: EE secure client auth port (9446): OK >> PKI-CA: Unsecure port (9180): OK >> >> Connection from master to replica is OK. >> >> Connection check OK >> Configuring ntpd >> [1/4]: stopping ntpd >> [2/4]: writing configuration >> [3/4]: configuring ntpd to start on boot >> [4/4]: starting ntpd >> done configuring ntpd. 
>> Configuring directory server for the CA: Estimated time 30 seconds >> [1/3]: creating directory server user >> [2/3]: creating directory server instance >> [3/3]: restarting directory server >> done configuring pkids. >> creation of replica failed: Incorrect padding >> >> Your system may be partly configured. >> Run /usr/sbin/ipa-server-install --uninstall to clean up. >> >> >> /var/log/ipareplica-install.log: >> ... >> 2011-06-23 08:37:35,907 DEBUG args=/usr/bin/certutil >> -d /etc/dirsrv/slapd-PKI-IPA/ -L -n Server-Cert -a >> 2011-06-23 08:37:35,908 DEBUG stdout=-----BEGIN CERTIFICATE----- >> MIIDnjCCAoagAwIBAgIBEDANBgkqhkiG9w0BAQsFADBBMR8wHQYDVQQKExZJRE0u^M >> TEFCLkJPUy5SRURIQVQuQ09NMR4wHAYDVQQDExVDZXJ0aWZpY2F0ZSBBdXRob3Jp^M >> dHkwHhcNMTEwNjIzMTIzNjM0WhcNMTExMjIwMTIzNjM0WjBJMR8wHQYDVQQKExZJ^M >> RE0uTEFCLkJPUy5SRURIQVQuQ09NMSYwJAYDVQQDEx12bS0wNjAuaWRtLmxhYi5i^M >> b3MucmVkaGF0LmNvbTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAKMM^M >> 8FypUbIwR0NRcIEJ5GHbL54D5gh0ao5PoA8LRmcz6QdMjDtA/1aeg9fskdkQ6Peh^M >> TTjlvL5Y9b/TVDxx4KrzbMiBCDdMecsbUSK32pJjw6DJCFhcBTwuAj/zZIrvsicT^M >> jtnTmeRQCEqGjRmizQHCDDdh+zx0Rh3mbzmxsZ4XaSafksm/y3tMBbw2S0Q7agNF^M >> 3Z95qQH9CZ1ManH90zMjOwJxknpxGrwaou9OsPJ1b7M6cvBVLW9kuEDO4c7qTcqa^M >> h7BRDQD/XVQn31/UFyLRxl+F4cTp6eBhb9B1+Mv18ZAw9xNhpb1xsWsNDqLh0zY4^M >> 5ZeUKTkZS4+WuJOYHFUCAwEAAaOBmDCBlTAfBgNVHSMEGDAWgBQZX7pLjCg+Fol2^M >> vkqZQBQRB7w67jBNBggrBgEFBQcBAQRBMD8wPQYIKwYBBQUHMAGGMWh0dHA6Ly92^M >> bS0wOTkuaWRtLmxhYi5ib3MucmVkaGF0LmNvbTo5MTgwL2NhL29jc3AwDgYDVR0P^M >> AQH/BAQDAgTwMBMGA1UdJQQMMAoGCCsGAQUFBwMBMA0GCSqGSIb3DQEBCwUAA4IB^M >> AQBzy0uiVeNGZpUHolgOsyKRl4Q3gpZg/25ai8HHylLSSjYXqy5WmNBy4NPIbVe8^M >> p6ZAjW7Lc5BwNTWwkbJoB9JTmhyIRRCWO1hf3qZC1eO9/Ax7XN2nCXka6NRoSxz7^M >> Ci7G6RsqM/egbBCUqgbRNz4DJntcrOdFYaOK03Jpfl0lsW0B6l2d+rIuZI5uVK/0^M >> uPsKdjCemzVsMOySBchnd/Cy8mXiP6ah7FZIpi9rZScA+UjTUou6PDGcft6jyAj9^M >> oeqol6t/6Otd+OFbAYwlccG73rq49sOB9GTjSQelMrHK/hunxIczwYrK2ZHvw2Hy^M >> HMOJrmcjFGoa/eL65JwmiFVl >> -----END CERTIFICATE----- >> >> 
2011-06-23 08:37:35,908 DEBUG stderr= >> 2011-06-23 08:37:35,914 DEBUG Incorrect padding >> File "/usr/sbin/ipa-replica-install", line 560, in >> main() >> >> File "/usr/sbin/ipa-replica-install", line 502, in main >> (CA, cs) = install_ca(config) >> >> File "/usr/sbin/ipa-replica-install", line 173, in install_ca >> cs.load_pkcs12() >> >> File >> "/usr/lib/python2.7/site-packages/ipaserver/install/cainstance.py", line >> 325, in load_pkcs12 >> self.dercert = dsdb.get_cert_from_db(self.nickname, pem=False) >> >> File "/usr/lib/python2.7/site-packages/ipaserver/install/certs.py", >> line 449, in get_cert_from_db >> dercert = base64.b64decode(cert) >> >> File "/usr/lib64/python2.7/base64.py", line 76, in b64decode >> raise TypeError(msg) >> >> >> Any idea what could cause this? This was run on clean VMs with your >> patch on top of master branch. > > It means that the blob I ended up with wasn't properly base64-encoded. > It could mean I missed a header/footer or something else. I'll see if I > can reproduce. I think I've addressed all your concerns. I wasn't able to reproduce the crash but I can see what caused it: we passed in a cert with a header/footer to base64.b64decode(). I added a call to x509.strip_header() which should fix it up. rob -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-rcrit-805-2-dogtag.patch Type: text/x-diff Size: 33959 bytes Desc: not available URL: From rcritten at redhat.com Thu Jun 23 21:10:14 2011 
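The "Incorrect padding" crash above is worth a closer look, because the same decoder behaviour can also fail quietly. Python's base64.b64decode (the 2.7 one in the traceback, and Python 3's default non-validating mode) silently discards bytes outside the base64 alphabet, so the dashes, spaces and the CR shown as ^M in the log are dropped, but the letters of BEGIN CERTIFICATE (16) and END CERTIFICATE (14) are valid base64 symbols and get decoded along with the body. The certificate body in the log has no trailing "=", so the 14 footer letters leave the symbol count at 2 mod 4 and the decoder reports "Incorrect padding". Had the body ended in "=", decoding would have stopped at the pad and returned 12 bytes of header junk prepended to the real DER, with no error at all. The block below is an added example, not FreeIPA code (the patch's fix is a call to x509.strip_header()): it is Python 3, uses two constructed tiny DER SEQUENCE values instead of the certificate from the log, and shows both outcomes of the naive path beside a strict extractor that accepts exactly one well-formed block.

```python
import base64
import binascii
import re

# Constructed samples (not the certificate from the log): two tiny DER
# SEQUENCEs standing in for a certificate body. The first is 6 bytes, a
# multiple of 3, so its base64 carries no '=' padding, like the blob in the
# log; the second is 5 bytes and ends in '='.
DER_NO_PAD = bytes.fromhex("300402020105")    # SEQUENCE { INTEGER 0x0105 }
DER_WITH_PAD = bytes.fromhex("3003020105")    # SEQUENCE { INTEGER 5 }

def make_pem(der, label="CERTIFICATE"):
    """Wrap DER the way 'certutil -L -a' prints it; CRLF mimics the ^M in the log."""
    body = base64.b64encode(der).decode("ascii")
    return "-----BEGIN %s-----\r\n%s\r\n-----END %s-----\r\n" % (label, body, label)

def naive_decode(pem_text):
    """The pre-fix behaviour in certs.py: feed the whole PEM to b64decode.
    Non-alphabet bytes (dashes, spaces, CR, LF) are silently skipped, but the
    16 letters of 'BEGIN CERTIFICATE' and the 14 of 'END CERTIFICATE' are
    valid base64 symbols and are decoded together with the body."""
    return base64.b64decode(pem_text)

def naive_decode_outcome(pem_text):
    """('error', message) if the naive path raises, else ('ok', bytes)."""
    try:
        return ("ok", naive_decode(pem_text))
    except binascii.Error as e:    # Python 2.7 re-raised this as TypeError
        return ("error", str(e))

_PEM_BLOCK = re.compile(
    r"-----BEGIN (?P<label>[A-Z0-9 ]+)-----(?P<body>.*?)-----END (?P=label)-----",
    re.DOTALL)

def pem_to_der(pem_text, expected_label="CERTIFICATE"):
    """Strict strip-then-decode: require exactly one block with the expected
    label, remove all whitespace (including CR), and decode with validate=True
    so anything that is not base64 raises instead of being skipped."""
    matches = list(_PEM_BLOCK.finditer(pem_text))
    if len(matches) != 1:
        raise ValueError("expected exactly one PEM block, found %d" % len(matches))
    m = matches[0]
    if m.group("label") != expected_label:
        raise ValueError("unexpected PEM label %r" % m.group("label"))
    body = re.sub(r"\s+", "", m.group("body"))
    der = base64.b64decode(body, validate=True)
    if not der or der[0] != 0x30:
        raise ValueError("decoded data is not a DER SEQUENCE")
    return der
```

naive_decode_outcome(make_pem(DER_NO_PAD)) reproduces the log's "Incorrect padding"; naive_decode_outcome(make_pem(DER_WITH_PAD)) returns "ok" with 17 bytes, the last 5 being the real DER behind 12 bytes of decoded header letters. pem_to_der() returns the original bytes in both cases, which is the property to check after any header-stripping change.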
From: rcritten at redhat.com (Rob Crittenden) Date: Thu, 23 Jun 2011 17:10:14 -0400 Subject: [Freeipa-devel] [PATCH] 762 Let the framework be able to override the hostname In-Reply-To: <1308840038.2890.5.camel@dhcp-25-52.brq.redhat.com> References: <4D95F3AD.2000707@redhat.com> <1306320574.18222.20.camel@dhcp-25-52.brq.redhat.com> <4DDD204A.8010009@redhat.com> <1306395960.2330.7.camel@dhcp-25-52.brq.redhat.com> <4DDFFDDE.2040908@redhat.com> <1306757151.2427.16.camel@dhcp-25-52.brq.redhat.com> <4DECE95E.1010006@redhat.com> <4E01E538.50706@redhat.com> <1308820360.3951.4.camel@dhcp-25-52.brq.redhat.com> <4E033EFA.7010001@redhat.com> <1308840038.2890.5.camel@dhcp-25-52.brq.redhat.com> Message-ID: <4E03ABB6.3050609@redhat.com> Martin Kosek wrote: > On Thu, 2011-06-23 at 09:26 -0400, Rob Crittenden wrote: >> Martin Kosek wrote: >>> On Wed, 2011-06-22 at 08:51 -0400, Rob Crittenden wrote: >>>> Rob Crittenden wrote: >>>>> >>>>> Haven't had a chance to explore this one yet. It sure would be nice if >>>>> dogtag would tell us what the two differing base DNs are though... >>>> >>>> This patch should resolve the remaining issues. It requires a patch to >>>> bind-dyndb-ldap, I have a candidate patch in >>>> https://bugzilla.redhat.com/show_bug.cgi?id=710261 >>>> >>>> rob >>> >>> Hmm, good work there. Bind, SSSD on custom-hostname IPA master is >>> working now. IPA client and CA-powered replica too. >>> >>> I found only one issue - ipactl is not working because it uses >>> socket.gethostname() instead of api.env.host. So if you fix this >>> one-liner its ACK from me. >>> >>> Martin >>> >> >> Fixed >> >> rob > > Great, ACK from me. > > I think we can push it to our tree and do some small bugfixes if we find > some more custom hostname related issues. However, the nameserver > portion won't work until a new version of bind-dyndb-ldap with your > patch included is released. We may want to bump up bind-dyndb-ldap > version in our spec then. 
> > Martin > pushed to master and ipa-2-0 From ayoung at redhat.com Thu Jun 23 21:18:57 2011 From: ayoung at redhat.com (Adam Young) Date: Thu, 23 Jun 2011 17:18:57 -0400 Subject: [Freeipa-devel] [PATCH] 0252 Automount keys details In-Reply-To: <4E0383F3.5000109@redhat.com> References: <4E0383F3.5000109@redhat.com> Message-ID: <4E03ADC1.10507@redhat.com> On 06/23/2011 02:20 PM, Adam Young wrote: > -------------- next part -------------- An HTML attachment was scrubbed... URL: -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-admiyo-0252-1-automountkey-details.patch Type: text/x-patch Size: 7559 bytes Desc: not available URL: From edewata at redhat.com Thu Jun 23 22:09:48 2011 From: edewata at redhat.com (Endi Sukma Dewata) Date: Thu, 23 Jun 2011 17:09:48 -0500 Subject: [Freeipa-devel] [PATCH] 0252 Automount keys details In-Reply-To: <4E03ADC1.10507@redhat.com> References: <4E0383F3.5000109@redhat.com> <4E03ADC1.10507@redhat.com> Message-ID: <4E03B9AC.4090006@redhat.com> On 6/23/2011 4:18 PM, Adam Young wrote: > Some issues: 1. Breadcrumb is not displayed in the automount key details facet. This is because usually when an entity only has 1 facet it will not have a back link/breadcrumb. That's not the case for automount key, so it has to be explicitly enabled. 2. The Add and Edit for automount key work but generate an error. This is because in show_edit_page() the key and info are arrays, so we need to get the first elements in the arrays. The patch can be pushed with the following changes: diff --git a/install/ui/automount.js b/install/ui/automount.js index cb7798001b1400613a1bc7b25da7513184d4bbfd..6ef97054495211763421989efd779fdc79589bc4 100644 --- a/install/ui/automount.js +++ b/install/ui/automount.js
@@ -130,6 +130,7 @@ IPA.entity_factories.automountkey = function() { 'automountinformation'] } ], + disable_breadcrumb: false, back_link_text: 'Back to Locations', pre_execute_hook : function (command){ var entity_name = this.entity_name; @@ -151,8 +152,8 @@ IPA.entity_factories.automountkey = function() { }). adder_dialog({ show_edit_page : function(entity_name, result){ - var key = result.automountkey; - var info = result.automountinformation; + var key = result.automountkey[0]; + var info = result.automountinformation[0]; var state = IPA.nav.get_path_state(entity_name); state[entity_name + '-facet'] = 'default'; state[entity_name + '-info'] = info; diff --git a/install/ui/details.js b/install/ui/details.js index 1046890ac89d4d977771bb8a2196361e42b6c6c6..8a43818b5984e1fd88c8487542b166384410961f 100644 --- a/install/ui/details.js +++ b/install/ui/details.js @@ -338,8 +338,8 @@ IPA.details_facet = function(spec) { that.create = function(container) { if (that.entity.facets.length == 1) { - that.disable_breadcrumb = true; - that.disable_facet_tabs = true; + if (that.disable_breadcrumb === undefined) that.disable_breadcrumb = true; + if (that.disable_facet_tabs === undefined) that.disable_facet_tabs = true; } that.facet_create(container); -- Endi S. Dewata From edewata at redhat.com Fri Jun 24 00:18:43 2011 From: edewata at redhat.com (Endi Sukma Dewata) Date: Thu, 23 Jun 2011 19:18:43 -0500 Subject: [Freeipa-devel] [PATCH] 187 Added record count into association facet tabs. Message-ID: <4E03D7E3.7080203@redhat.com> The details and association facets have been modified to show the number of records in each association in the corresponding facet tab. Ticket #1386 -- Endi S. Dewata -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-edewata-0187-Added-record-count-into-association-facet-tabs.patch Type: text/x-patch Size: 11266 bytes Desc: not available URL: From ayoung at redhat.com Fri Jun 24 00:25:04 2011 
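Review bot: the `disable_breadcrumb: false` added to the automountkey spec in the first automount.js hunk (@@ -130,6 +130,7 @@) only takes effect together with the details.js change in the same patch; on its own, details_facet.create() unconditionally sets `that.disable_breadcrumb = true` for a single-facet entity and overrides it, so the spec line would read as a no-op. A one-line comment next to `disable_breadcrumb: false,` saying it relies on the default-only behaviour in details.js would save the next reader from that confusion. Note also that `disable_facet_tabs` is left unset for automountkey, so the tabs stay hidden there, which looks intended but is worth stating.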
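Review bot: in the show_edit_page hunk (@@ -151,8 +152,8 @@), `result.automountkey[0]` and `result.automountinformation[0]` assume both attributes came back as non-empty arrays; if the server omits one, or returns a bare string, the `[0]` on undefined throws a TypeError in the adder dialog instead of the error the previous code produced. A guard such as `var key = result.automountkey ? result.automountkey[0] : null;` (or a small helper that returns the first element of an array and passes a scalar through) keeps the dialog usable, and `state[entity_name + '-info'] = info;` should then only be set when info is defined.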
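Review bot: in the details.js hunk (@@ -338,8 +338,8 @@), the `=== undefined` checks turn the single-facet behaviour from an unconditional default into an opt-out that any spec can override, and an explicit `null` or `false` from a spec is now preserved rather than replaced; that new contract should be documented in a comment above the `if (that.entity.facets.length == 1) {` block so other entity specs know they can rely on it. Minor nit: that condition could use `===` for consistency with the strict comparisons introduced just below it.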
From: ayoung at redhat.com (Adam Young) Date: Thu, 23 Jun 2011 20:25:04 -0400 Subject: [Freeipa-devel] [PATCH] 0252 Automount keys details In-Reply-To: <4E03B9AC.4090006@redhat.com> References: <4E0383F3.5000109@redhat.com> <4E03ADC1.10507@redhat.com> <4E03B9AC.4090006@redhat.com> Message-ID: <4E03D960.5070004@redhat.com> On 06/23/2011 06:09 PM, Endi Sukma Dewata wrote: > On 6/23/2011 4:18 PM, Adam Young wrote: >> > > Some issues: > > 1. Breadcrumb is not displayed in the automount key details facet. > This is because usually when an entity only has 1 facet it will not > have a back link/breadcrumb. That's not the case for automount key, so > it has to be explicitly enabled. > > 2. The Add and Edit for automount key works but generates an error. > This is because the show_edit_page() the key and info are arrays so we > need to get the first elements in the arrays. > > The patch can be pushed with the following changes: > > diff --git a/install/ui/automount.js b/install/ui/automount.js > index > cb7798001b1400613a1bc7b25da7513184d4bbfd..6ef97054495211763421989efd779fdc79589bc4 > 100644 > --- a/install/ui/automount.js > +++ b/install/ui/automount.js > @@ -130,6 +130,7 @@ IPA.entity_factories.automountkey = function() { > 'automountinformation'] > } > ], > + disable_breadcrumb: false, > back_link_text: 'Back to Locations', > pre_execute_hook : function (command){ > var entity_name = this.entity_name; > @@ -151,8 +152,8 @@ IPA.entity_factories.automountkey = function() { > }). > adder_dialog({ > show_edit_page : function(entity_name, result){ > - var key = result.automountkey; > - var info = result.automountinformation; > + var key = result.automountkey[0]; > + var info = result.automountinformation[0]; > var state = IPA.nav.get_path_state(entity_name); > state[entity_name + '-facet'] = 'default'; > state[entity_name + '-info'] = info; 
> diff --git a/install/ui/details.js b/install/ui/details.js > index > 1046890ac89d4d977771bb8a2196361e42b6c6c6..8a43818b5984e1fd88c8487542b166384410961f > 100644 > --- a/install/ui/details.js > +++ b/install/ui/details.js > @@ -338,8 +338,8 @@ IPA.details_facet = function(spec) { > > that.create = function(container) { > if (that.entity.facets.length == 1) { > - that.disable_breadcrumb = true; > - that.disable_facet_tabs = true; > + if (that.disable_breadcrumb === undefined) > that.disable_breadcrumb = true; > + if (that.disable_facet_tabs === undefined) > that.disable_facet_tabs = true; > } > > that.facet_create(container); > > Change made and pushed to master. From mkosek at redhat.com Fri Jun 24 10:48:46 2011 
From: mkosek at redhat.com (Martin Kosek) Date: Fri, 24 Jun 2011 12:48:46 +0200 Subject: [Freeipa-devel] [PATCH] 805 make dogtag optionally installable on replicas In-Reply-To: <4E03A975.3000000@redhat.com> References: <4DFBC1EB.6060702@redhat.com> <1308832869.3951.18.camel@dhcp-25-52.brq.redhat.com> <4E034042.9070903@redhat.com> <4E03A975.3000000@redhat.com> Message-ID: <1308912528.12273.20.camel@dhcp-25-52.brq.redhat.com> On Thu, 2011-06-23 at 17:00 -0400, Rob Crittenden wrote: > Rob Crittenden wrote: > > Martin Kosek wrote: > >> On Fri, 2011-06-17 at 17:06 -0400, Rob Crittenden wrote: > >>> A dogtag replica file is created as usual. When the replica is installed > >>> dogtag is optional and not installed by default. Adding the --setup-ca > >>> option will configure it when the replica is installed. > >>> > >>> A new tool ipa-ca-install will configure dogtag if it wasn't configured > >>> when the replica was initially installed. > >>> > >>> https://fedorahosted.org/freeipa/ticket/1251 > >>> > >>> See the ticket for testing suggestions. > >>> > >>> rob > >> > >> I have found some issues with the patch: > >> > >> 1) Man page: > >> - missing man file in man folder's Makefile.am > >> - missing man file in the spec -> man is not installed > > > > Yeah, I realized that after I submitted it. > > > >> > >> 2) Missing ipa-ca-install in install/po/Makefile.in > > > > Oh, ipa-dns-install is missing too, I'll fix it. > > > >> > >> 3) ipa-ca-install: > >> - expand_info, read_info, get_host_name or install_ca: functions are > >> copied from ipa-replica-install tool. Having a lot of redundant code > >> leads to the dark side. Calling these functions from a common library > >> seems more convenient to me. > > > > Yeah, I'll see about pulling some of that into installutils.py. > > install_ca is different depending on context though, I'll have to see > > how complex the conditionals become if I combine them. 
> > > >> > >> 4) man ipa-ca-install: > >> > >> +\fB\-p\fR, \fB\-\-password\fR=\fIDM_PASSWORD\fR > >> > >> is not consistent with > >> > >> +\fB\-w\fR \fIADMIN_PASSWORD\fR, \fB\-\-admin\-password\fR= > >> \fIADMIN_PASSWORD\fR > >> > >> (missing DM_PASSWORD placeholder after "-p") > > > > Ok, we'll need to check the ipa-replica-install man page too, I based > > this on that. > > > >> > >> > >> 5) Now the real problem - when I am installing a replica I got a strange > >> error: > >> > >> # > >> ipa-replica-install > >> /home/mkosek/replica-info-vm-060.idm.lab.bos.redhat.com.gpg --setup-ca > >> -w secret123 > >> Directory Manager (existing master) password: > >> > >> Run connection check to master > >> Check connection from replica to remote master > >> 'vm-099.idm.lab.bos.redhat.com': > >> Directory Service: Unsecure port (389): OK > >> Directory Service: Secure port (636): OK > >> Kerberos (88): OK > >> PKI-CA: Directory Service port (7389): OK > >> PKI-CA: Agent secure port (9443): OK > >> PKI-CA: EE secure port (9444): OK > >> PKI-CA: Admin secure port (9445): OK > >> PKI-CA: EE secure client auth port (9446): OK > >> PKI-CA: Unsecure port (9180): OK > >> > >> Connection from replica to master is OK. > >> Start listening on required ports for remote master check > >> Get credentials to log in to remote master > >> Execute check on remote master > >> Check connection from master to remote replica > >> 'vm-060.idm.lab.bos.redhat.com': > >> Directory Service: Unsecure port (389): OK > >> Directory Service: Secure port (636): OK > >> Kerberos (88): OK > >> PKI-CA: Directory Service port (7389): OK > >> PKI-CA: Agent secure port (9443): OK > >> PKI-CA: EE secure port (9444): OK > >> PKI-CA: Admin secure port (9445): OK > >> PKI-CA: EE secure client auth port (9446): OK > >> PKI-CA: Unsecure port (9180): OK > >> > >> Connection from master to replica is OK. 
> >> > >> Connection check OK > >> Configuring ntpd > >> [1/4]: stopping ntpd > >> [2/4]: writing configuration > >> [3/4]: configuring ntpd to start on boot > >> [4/4]: starting ntpd > >> done configuring ntpd. > >> Configuring directory server for the CA: Estimated time 30 seconds > >> [1/3]: creating directory server user > >> [2/3]: creating directory server instance > >> [3/3]: restarting directory server > >> done configuring pkids. > >> creation of replica failed: Incorrect padding > >> > >> Your system may be partly configured. > >> Run /usr/sbin/ipa-server-install --uninstall to clean up. > >> > >> > >> /var/log/ipareplica-install.log: > >> ... > >> 2011-06-23 08:37:35,907 DEBUG args=/usr/bin/certutil > >> -d /etc/dirsrv/slapd-PKI-IPA/ -L -n Server-Cert -a > >> 2011-06-23 08:37:35,908 DEBUG stdout=-----BEGIN CERTIFICATE----- > >> MIIDnjCCAoagAwIBAgIBEDANBgkqhkiG9w0BAQsFADBBMR8wHQYDVQQKExZJRE0u^M > >> TEFCLkJPUy5SRURIQVQuQ09NMR4wHAYDVQQDExVDZXJ0aWZpY2F0ZSBBdXRob3Jp^M > >> dHkwHhcNMTEwNjIzMTIzNjM0WhcNMTExMjIwMTIzNjM0WjBJMR8wHQYDVQQKExZJ^M > >> RE0uTEFCLkJPUy5SRURIQVQuQ09NMSYwJAYDVQQDEx12bS0wNjAuaWRtLmxhYi5i^M > >> b3MucmVkaGF0LmNvbTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAKMM^M > >> 8FypUbIwR0NRcIEJ5GHbL54D5gh0ao5PoA8LRmcz6QdMjDtA/1aeg9fskdkQ6Peh^M > >> TTjlvL5Y9b/TVDxx4KrzbMiBCDdMecsbUSK32pJjw6DJCFhcBTwuAj/zZIrvsicT^M > >> jtnTmeRQCEqGjRmizQHCDDdh+zx0Rh3mbzmxsZ4XaSafksm/y3tMBbw2S0Q7agNF^M > >> 3Z95qQH9CZ1ManH90zMjOwJxknpxGrwaou9OsPJ1b7M6cvBVLW9kuEDO4c7qTcqa^M > >> h7BRDQD/XVQn31/UFyLRxl+F4cTp6eBhb9B1+Mv18ZAw9xNhpb1xsWsNDqLh0zY4^M > >> 5ZeUKTkZS4+WuJOYHFUCAwEAAaOBmDCBlTAfBgNVHSMEGDAWgBQZX7pLjCg+Fol2^M > >> vkqZQBQRB7w67jBNBggrBgEFBQcBAQRBMD8wPQYIKwYBBQUHMAGGMWh0dHA6Ly92^M > >> bS0wOTkuaWRtLmxhYi5ib3MucmVkaGF0LmNvbTo5MTgwL2NhL29jc3AwDgYDVR0P^M > >> AQH/BAQDAgTwMBMGA1UdJQQMMAoGCCsGAQUFBwMBMA0GCSqGSIb3DQEBCwUAA4IB^M > >> AQBzy0uiVeNGZpUHolgOsyKRl4Q3gpZg/25ai8HHylLSSjYXqy5WmNBy4NPIbVe8^M > >> p6ZAjW7Lc5BwNTWwkbJoB9JTmhyIRRCWO1hf3qZC1eO9/Ax7XN2nCXka6NRoSxz7^M > 
>> Ci7G6RsqM/egbBCUqgbRNz4DJntcrOdFYaOK03Jpfl0lsW0B6l2d+rIuZI5uVK/0^M > >> uPsKdjCemzVsMOySBchnd/Cy8mXiP6ah7FZIpi9rZScA+UjTUou6PDGcft6jyAj9^M > >> oeqol6t/6Otd+OFbAYwlccG73rq49sOB9GTjSQelMrHK/hunxIczwYrK2ZHvw2Hy^M > >> HMOJrmcjFGoa/eL65JwmiFVl > >> -----END CERTIFICATE----- > >> > >> 2011-06-23 08:37:35,908 DEBUG stderr= > >> 2011-06-23 08:37:35,914 DEBUG Incorrect padding > >> File "/usr/sbin/ipa-replica-install", line 560, in > >> main() > >> > >> File "/usr/sbin/ipa-replica-install", line 502, in main > >> (CA, cs) = install_ca(config) > >> > >> File "/usr/sbin/ipa-replica-install", line 173, in install_ca > >> cs.load_pkcs12() > >> > >> File > >> "/usr/lib/python2.7/site-packages/ipaserver/install/cainstance.py", line > >> 325, in load_pkcs12 > >> self.dercert = dsdb.get_cert_from_db(self.nickname, pem=False) > >> > >> File "/usr/lib/python2.7/site-packages/ipaserver/install/certs.py", > >> line 449, in get_cert_from_db > >> dercert = base64.b64decode(cert) > >> > >> File "/usr/lib64/python2.7/base64.py", line 76, in b64decode > >> raise TypeError(msg) > >> > >> > >> Any idea what could cause this? This was run on clean VMs with your > >> patch on top of master branch. > > > > It means that the blob I ended up with wasn't properly base64-encoded. > > It could mean I missed a header/footer or something else. I'll see if I > > can reproduce. > > I think I've addressed all your concerns. I wasn't able to reproduce the > crash but I can see what caused it: we passed in a cert with a > header/footer to base64.b64decode(). I added a call to > x509.strip_header() which should fix it up. > > rob Yep, it fixed the Incorrect padding error. I successfully tested certificate operations (cert-request, cert-show) on a replica and both CA replication when CA was installed on replica and CA operation redirection worked fine. 
I have just one certificate related issue: 1) When CA on a replica was installed using ipa-ca-install and not ipa-replica-install REPLICA_FILE --setup-ca the certificate serial number in cert-request operation was from the same number range. In my case it was s.no. 22 after ipa-ca-install and 268369922 in ipa-replica-install --setup-ca scenario. Then I found some more minor documentation issues: 2) man ipa-ca-install - wrong formatting in --debug option - entire line is bold - description on the first line needs to be fixed 3) man ipa-replica-install - missing setup-ca option To sum it up, when these 3 issues are fixed I think the patch is ready to be acked. Martin From rcritten at redhat.com Fri Jun 24 14:56:35 2011 
From: rcritten at redhat.com (Rob Crittenden) Date: Fri, 24 Jun 2011 10:56:35 -0400 Subject: [Freeipa-devel] [PATCH] 805 make dogtag optionally installable on replicas In-Reply-To: <1308912528.12273.20.camel@dhcp-25-52.brq.redhat.com> References: <4DFBC1EB.6060702@redhat.com> <1308832869.3951.18.camel@dhcp-25-52.brq.redhat.com> <4E034042.9070903@redhat.com> <4E03A975.3000000@redhat.com> <1308912528.12273.20.camel@dhcp-25-52.brq.redhat.com> Message-ID: <4E04A5A3.40603@redhat.com> Martin Kosek wrote: > On Thu, 2011-06-23 at 17:00 -0400, Rob Crittenden wrote: >> Rob Crittenden wrote: >>> Martin Kosek wrote: >>>> On Fri, 2011-06-17 at 17:06 -0400, Rob Crittenden wrote: >>>>> A dogtag replica file is created as usual. When the replica is installed >>>>> dogtag is optional and not installed by default. Adding the --setup-ca >>>>> option will configure it when the replica is installed. >>>>> >>>>> A new tool ipa-ca-install will configure dogtag if it wasn't configured >>>>> when the replica was initially installed. >>>>> >>>>> https://fedorahosted.org/freeipa/ticket/1251 >>>>> >>>>> See the ticket for testing suggestions. >>>>> >>>>> rob >>>> >>>> I have found some issues with the patch: >>>> >>>> 1) Man page: >>>> - missing man file in man folder's Makefile.am >>>> - missing man file in the spec -> man is not installed >>> >>> Yeah, I realized that after I submitted it. >>> >>>> >>>> 2) Missing ipa-ca-install in install/po/Makefile.in >>> >>> Oh, ipa-dns-install is missing too, I'll fix it. >>> >>>> >>>> 3) ipa-ca-install: >>>> - expand_info, read_info, get_host_name or install_ca: functions are >>>> copied from ipa-replica-install tool. Having a lot of redundant code >>>> leads to the dark side. Calling these functions from a common library >>>> seems more convenient to me. >>> >>> Yeah, I'll see about pulling some of that into installutils.py. 
>>> install_ca is different depending on context though, I'll have to see >>> how complex the conditionals become if I combine them. >>> >>>> >>>> 4) man ipa-ca-install: >>>> >>>> +\fB\-p\fR, \fB\-\-password\fR=\fIDM_PASSWORD\fR >>>> >>>> is not consistent with >>>> >>>> +\fB\-w\fR \fIADMIN_PASSWORD\fR, \fB\-\-admin\-password\fR= >>>> \fIADMIN_PASSWORD\fR >>>> >>>> (missing DM_PASSWORD placeholder after "-p") >>> >>> Ok, we'll need to check the ipa-replica-install man page too, I based >>> this on that. >>> >>>> >>>> >>>> 5) Now the real problem - when I am installing a replica I got a strange >>>> error: >>>> >>>> # >>>> ipa-replica-install >>>> /home/mkosek/replica-info-vm-060.idm.lab.bos.redhat.com.gpg --setup-ca >>>> -w secret123 >>>> Directory Manager (existing master) password: >>>> >>>> Run connection check to master >>>> Check connection from replica to remote master >>>> 'vm-099.idm.lab.bos.redhat.com': >>>> Directory Service: Unsecure port (389): OK >>>> Directory Service: Secure port (636): OK >>>> Kerberos (88): OK >>>> PKI-CA: Directory Service port (7389): OK >>>> PKI-CA: Agent secure port (9443): OK >>>> PKI-CA: EE secure port (9444): OK >>>> PKI-CA: Admin secure port (9445): OK >>>> PKI-CA: EE secure client auth port (9446): OK >>>> PKI-CA: Unsecure port (9180): OK >>>> >>>> Connection from replica to master is OK. 
>>>> Start listening on required ports for remote master check >>>> Get credentials to log in to remote master >>>> Execute check on remote master >>>> Check connection from master to remote replica >>>> 'vm-060.idm.lab.bos.redhat.com': >>>> Directory Service: Unsecure port (389): OK >>>> Directory Service: Secure port (636): OK >>>> Kerberos (88): OK >>>> PKI-CA: Directory Service port (7389): OK >>>> PKI-CA: Agent secure port (9443): OK >>>> PKI-CA: EE secure port (9444): OK >>>> PKI-CA: Admin secure port (9445): OK >>>> PKI-CA: EE secure client auth port (9446): OK >>>> PKI-CA: Unsecure port (9180): OK >>>> >>>> Connection from master to replica is OK. >>>> >>>> Connection check OK >>>> Configuring ntpd >>>> [1/4]: stopping ntpd >>>> [2/4]: writing configuration >>>> [3/4]: configuring ntpd to start on boot >>>> [4/4]: starting ntpd >>>> done configuring ntpd. >>>> Configuring directory server for the CA: Estimated time 30 seconds >>>> [1/3]: creating directory server user >>>> [2/3]: creating directory server instance >>>> [3/3]: restarting directory server >>>> done configuring pkids. >>>> creation of replica failed: Incorrect padding >>>> >>>> Your system may be partly configured. >>>> Run /usr/sbin/ipa-server-install --uninstall to clean up. >>>> >>>> >>>> /var/log/ipareplica-install.log: >>>> ... 
>>>> 2011-06-23 08:37:35,907 DEBUG args=/usr/bin/certutil >>>> -d /etc/dirsrv/slapd-PKI-IPA/ -L -n Server-Cert -a >>>> 2011-06-23 08:37:35,908 DEBUG stdout=-----BEGIN CERTIFICATE----- >>>> MIIDnjCCAoagAwIBAgIBEDANBgkqhkiG9w0BAQsFADBBMR8wHQYDVQQKExZJRE0u^M >>>> TEFCLkJPUy5SRURIQVQuQ09NMR4wHAYDVQQDExVDZXJ0aWZpY2F0ZSBBdXRob3Jp^M >>>> dHkwHhcNMTEwNjIzMTIzNjM0WhcNMTExMjIwMTIzNjM0WjBJMR8wHQYDVQQKExZJ^M >>>> RE0uTEFCLkJPUy5SRURIQVQuQ09NMSYwJAYDVQQDEx12bS0wNjAuaWRtLmxhYi5i^M >>>> b3MucmVkaGF0LmNvbTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAKMM^M >>>> 8FypUbIwR0NRcIEJ5GHbL54D5gh0ao5PoA8LRmcz6QdMjDtA/1aeg9fskdkQ6Peh^M >>>> TTjlvL5Y9b/TVDxx4KrzbMiBCDdMecsbUSK32pJjw6DJCFhcBTwuAj/zZIrvsicT^M >>>> jtnTmeRQCEqGjRmizQHCDDdh+zx0Rh3mbzmxsZ4XaSafksm/y3tMBbw2S0Q7agNF^M >>>> 3Z95qQH9CZ1ManH90zMjOwJxknpxGrwaou9OsPJ1b7M6cvBVLW9kuEDO4c7qTcqa^M >>>> h7BRDQD/XVQn31/UFyLRxl+F4cTp6eBhb9B1+Mv18ZAw9xNhpb1xsWsNDqLh0zY4^M >>>> 5ZeUKTkZS4+WuJOYHFUCAwEAAaOBmDCBlTAfBgNVHSMEGDAWgBQZX7pLjCg+Fol2^M >>>> vkqZQBQRB7w67jBNBggrBgEFBQcBAQRBMD8wPQYIKwYBBQUHMAGGMWh0dHA6Ly92^M >>>> bS0wOTkuaWRtLmxhYi5ib3MucmVkaGF0LmNvbTo5MTgwL2NhL29jc3AwDgYDVR0P^M >>>> AQH/BAQDAgTwMBMGA1UdJQQMMAoGCCsGAQUFBwMBMA0GCSqGSIb3DQEBCwUAA4IB^M >>>> AQBzy0uiVeNGZpUHolgOsyKRl4Q3gpZg/25ai8HHylLSSjYXqy5WmNBy4NPIbVe8^M >>>> p6ZAjW7Lc5BwNTWwkbJoB9JTmhyIRRCWO1hf3qZC1eO9/Ax7XN2nCXka6NRoSxz7^M >>>> Ci7G6RsqM/egbBCUqgbRNz4DJntcrOdFYaOK03Jpfl0lsW0B6l2d+rIuZI5uVK/0^M >>>> uPsKdjCemzVsMOySBchnd/Cy8mXiP6ah7FZIpi9rZScA+UjTUou6PDGcft6jyAj9^M >>>> oeqol6t/6Otd+OFbAYwlccG73rq49sOB9GTjSQelMrHK/hunxIczwYrK2ZHvw2Hy^M >>>> HMOJrmcjFGoa/eL65JwmiFVl >>>> -----END CERTIFICATE----- >>>> >>>> 2011-06-23 08:37:35,908 DEBUG stderr= >>>> 2011-06-23 08:37:35,914 DEBUG Incorrect padding >>>> File "/usr/sbin/ipa-replica-install", line 560, in >>>> main() >>>> >>>> File "/usr/sbin/ipa-replica-install", line 502, in main >>>> (CA, cs) = install_ca(config) >>>> >>>> File "/usr/sbin/ipa-replica-install", line 173, in install_ca >>>> cs.load_pkcs12() >>>> >>>> File >>>> 
"/usr/lib/python2.7/site-packages/ipaserver/install/cainstance.py", line >>>> 325, in load_pkcs12 >>>> self.dercert = dsdb.get_cert_from_db(self.nickname, pem=False) >>>> >>>> File "/usr/lib/python2.7/site-packages/ipaserver/install/certs.py", >>>> line 449, in get_cert_from_db >>>> dercert = base64.b64decode(cert) >>>> >>>> File "/usr/lib64/python2.7/base64.py", line 76, in b64decode >>>> raise TypeError(msg) >>>> >>>> >>>> Any idea what could cause this? This was run on clean VMs with your >>>> patch on top of master branch. >>> >>> It means that the blob I ended up with wasn't properly base64-encoded. >>> It could mean I missed a header/footer or something else. I'll see if I >>> can reproduce. >> >> I think I've addressed all your concerns. I wasn't able to reproduce the >> crash but I can see what caused it: we passed in a cert with a >> header/footer to base64.b64decode(). I added a call to >> x509.strip_header() which should fix it up. >> >> rob > > Yep, it fixed the Incorrect padding error. I successfully tested > certificate operations (cert-request, cert-show) on a replica and both > CA replication when CA was installed on replica and CA operation > redirection worked fine. > > I have just one certificate related issue: > > 1) When CA on a replica was installed using ipa-ca-install and not > ipa-replica-install REPLICA_FILE --setup-ca the certificate serial > number in cert-request operation was from the same number range. In my > case it was s.no. 22 after ipa-ca-install and 268369922 in > ipa-replica-install --setup-ca scenario. > > Then I found some more minor documentation issues: > > 2) man ipa-ca-install > - wrong formatting in --debug option - entire line is bold > - description on the first line needs to be fixed > > 3) man ipa-replica-install > - missing setup-ca option > > To sum it up, when these 3 issues are fixed I think the patch is ready > to be acked. 
> > Martin > Fixed and pushed to master and ipa-2-0 The serial number problem was not reproducible. If a CA is not installed locally then it will forward requests to a remote master, I think that is what happened. rob From jcholast at redhat.com Fri Jun 24 15:00:11 2011 From: jcholast at redhat.com (Jan Cholasta) Date: Fri, 24 Jun 2011 17:00:11 +0200 Subject: [Freeipa-devel] [PATCH] 24 Verify that the hostname is fully-qualified In-Reply-To: <1308842386.2890.15.camel@dhcp-25-52.brq.redhat.com> References: <4E034EB5.7060603@redhat.com> <1308842386.2890.15.camel@dhcp-25-52.brq.redhat.com> Message-ID: <4E04A67B.7070407@redhat.com> On 23.6.2011 17:19, Martin Kosek wrote: > On Thu, 2011-06-23 at 16:33 +0200, Jan Cholasta wrote: >> This patch makes ipactl fail if the hostname isn't fully-qualified. It >> also fixes ipa-server-install to fail gracefully in such a case, instead >> of failing with an unexpected error. >> >> https://fedorahosted.org/freeipa/ticket/1035 >> >> Honza > > You may want to coordinate yourself with Rob here. His patch 762 for > custom hostname was sent yesterday and was ACK-ed today. Otherwise your > 2 patches will clash. You fixed the same line in ipactl for example. > > Martin > > Rebased the patch to master. Honza -- Jan Cholasta -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-jcholast-24.1-verify-fqdn.patch Type: text/x-patch Size: 1873 bytes Desc: not available URL: From edewata at redhat.com Fri Jun 24 15:22:32 2011 
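The "Incorrect padding" crash in the patch 805 thread came from handing the PEM text that `certutil -L -n Server-Cert -a` prints, header and footer included, straight to `base64.b64decode()`. The following is an added example written for this page, not FreeIPA's own `x509.strip_header()` or `certs.get_cert_from_db()`: it shows why the naive decode fails, strips the PEM envelope properly, decodes strictly, and sanity-checks the result as a single DER SEQUENCE before the bytes go anywhere near a CA or an NSS database. The function names, the `CERTIFICATE` label handling and the sample DER blob (a two-byte INTEGER wrapped in a SEQUENCE, not a real certificate) are all constructed for the example.

```python
import base64
import binascii
import re

# Added example, not FreeIPA code. Matches one PEM block; the label in the
# END line must equal the label in the BEGIN line.
PEM_RE = re.compile(
    r"-----BEGIN (?P<label>[A-Z0-9 ]+)-----\s*(?P<body>.*?)\s*-----END (?P=label)-----",
    re.DOTALL,
)


def strip_pem_header(pem: str, label: str = "CERTIFICATE") -> str:
    """Return the base64 body of the first PEM block carrying `label`.

    Raises ValueError when no such block exists, rather than returning text
    that base64 would partially decode into garbage.
    """
    for match in PEM_RE.finditer(pem):
        if match.group("label") == label:
            return "".join(match.group("body").split())
    raise ValueError("no PEM block labelled %s" % label)


def is_der_sequence(der: bytes) -> bool:
    """True if `der` is exactly one DER SEQUENCE (tag 0x30) whose length matches."""
    if len(der) < 2 or der[0] != 0x30:
        return False
    first = der[1]
    if first < 0x80:                      # short-form length
        length, header = first, 2
    else:                                 # long-form length, 1..4 length bytes
        n = first & 0x7F
        if n == 0 or n > 4 or len(der) < 2 + n:
            return False
        length, header = int.from_bytes(der[2:2 + n], "big"), 2 + n
    return header + length == len(der)


def pem_to_der(pem: str, label: str = "CERTIFICATE") -> bytes:
    body = strip_pem_header(pem, label)
    # validate=True rejects any non-alphabet character instead of skipping it,
    # so a stray header or footer fails loudly here rather than decoding to junk.
    der = base64.b64decode(body, validate=True)
    if not is_der_sequence(der):
        raise ValueError("decoded bytes are not a single DER SEQUENCE")
    return der


def naive_decode(pem: str):
    """The pre-fix behaviour: decode the whole PEM text. Returns None on error."""
    try:
        return base64.b64decode(pem)
    except binascii.Error:
        return None


def der_to_pem(der: bytes, label: str = "CERTIFICATE") -> str:
    body = base64.b64encode(der).decode("ascii")
    lines = [body[i:i + 64] for i in range(0, len(body), 64)]
    return "-----BEGIN %s-----\n%s\n-----END %s-----\n" % (label, "\n".join(lines), label)


# Constructed sample: SEQUENCE { INTEGER 0x0102 }. Six bytes encode to eight
# base64 characters with no '=' padding, so the 30 header/footer letters that
# the lenient decoder silently keeps leave 38 characters, which is not a
# multiple of 4: this is how "Incorrect padding" arises.
SAMPLE_DER = bytes([0x30, 0x04, 0x02, 0x02, 0x01, 0x02])
SAMPLE_PEM = der_to_pem(SAMPLE_DER)

if __name__ == "__main__":
    print(pem_to_der(SAMPLE_PEM) == SAMPLE_DER)   # True
    print(naive_decode(SAMPLE_PEM))                # None (Incorrect padding)
```

The lenient decoder does not always fail: with a body that ends in `=` the decoder stops at the padding and returns the header letters decoded as junk bytes prepended to the real DER, which is worse than an exception. That is why the example checks the outer SEQUENCE length after decoding instead of trusting that a decode which returned something returned the right thing.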
From: edewata at redhat.com (Endi Sukma Dewata) Date: Fri, 24 Jun 2011 10:22:32 -0500 Subject: [Freeipa-devel] [PATCH] 188 Added singular entity labels. Message-ID: <4E04ABB8.6010608@redhat.com> A new attribute label_singular has been added to all entities which contains the singular form of the entity label in lower case except for acronyms (e.g. HBAC) or proper nouns (e.g. Kerberos). In the Web UI, this label can be capitalized using CSS text-transform. The existing 'label' attribute is intentionally left unchanged due to inconsistencies in the current values. It contains mostly the plural form of the capitalized entity label, but some are singular. Also, it seems currently there is no comparable capitalization method on the server side. So more work is needed before the label can be changed. Ticket #1249 -- Endi S. Dewata -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-edewata-0188-Added-singular-entity-labels.patch Type: text/x-patch Size: 22973 bytes Desc: not available URL: From ayoung at redhat.com Fri Jun 24 16:26:16 2011 From: ayoung at redhat.com (Adam Young) Date: Fri, 24 Jun 2011 12:26:16 -0400 Subject: [Freeipa-devel] [PATCH] 187 Added record count into association facet tabs. In-Reply-To: <4E03D7E3.7080203@redhat.com> References: <4E03D7E3.7080203@redhat.com> Message-ID: <4E04BAA8.5030908@redhat.com> On 06/23/2011 08:18 PM, Endi Sukma Dewata wrote: > The details and association facets have been modified to show the > number of records in each association in the corresponding facet tab. > > Ticket #1386 > > > _______________________________________________ > Freeipa-devel mailing list > Freeipa-devel at redhat.com > https://www.redhat.com/mailman/listinfo/freeipa-devel ACK. Pushed to master -------------- next part -------------- An HTML attachment was scrubbed... URL: From ayoung at redhat.com Fri Jun 24 18:26:08 2011 
From: ayoung at redhat.com (Adam Young) Date: Fri, 24 Jun 2011 14:26:08 -0400 Subject: [Freeipa-devel] [PATCH] 0249-optional-uid. In-Reply-To: <4E00BB49.7070701@redhat.com> References: <4DFFF2FA.7090103@redhat.com> <4E00B372.20309@redhat.com> <4E00BB49.7070701@redhat.com> Message-ID: <4E04D6C0.6020400@redhat.com> On 06/21/2011 11:39 AM, Adam Young wrote: > On 06/21/2011 11:06 AM, Endi Sukma Dewata wrote: >> On 6/20/2011 8:25 PM, Adam Young wrote: >>> Note that this patch needs a review by UXD in addition to code review >> >> Some issues: >> >> 1. The patch tries to find the elements to be hidden using >> span.find('input'). This will not work with all widgets because >> some widgets use other elements or some combination. I think it's >> better to add the link outside the span, then hide the span itself >> to hide the entire widget. > > That makes sense. We'd have an input span and an optional_link span. > >> >> 2. Hiding the optional widgets but not the labels might not be enough >> to simplify the screen because they still occupy some space. Another >> solution is to hide both the labels and the widgets (i.e. the entire >> row) then have a link to hide/show all optional fields somewhere >> else. >> > No, since optional fields are not necessarily related. > > _______________________________________________ > Freeipa-devel mailing list > Freeipa-devel at redhat.com > https://www.redhat.com/mailman/listinfo/freeipa-devel -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-admiyo-0249-1-optional-uid.patch Type: text/x-patch Size: 4222 bytes Desc: not available URL: From rcritten at redhat.com Fri Jun 24 18:41:02 2011 
From: rcritten at redhat.com (Rob Crittenden) Date: Fri, 24 Jun 2011 14:41:02 -0400 Subject: [Freeipa-devel] [PATCH] 808 don't allow leading/trailing whitespace in strings Message-ID: <4E04DA3E.1040600@redhat.com> This started as a problem in allowing leading/trailing whitespaces on primary keys. In nearly every command other than add query is True so all rules were ignored on the primary key. This meant that to enforce whitespace we would need to define a validator for each one. I decided instead to set self.all_rules to just the class rules if query == True. So the minimum set of validators will be executed against each type but param-specific validators will only run on add. I talked to Martin about this a bit this morning. My original intention was to make some pretty invasive changes related to query and he talked me out of them. He felt that in anything other than an add the validators shouldn't be run. We compromised on letting Parameter-specific validators be run. This has pretty big implications on primary keys so test carefully. https://fedorahosted.org/freeipa/ticket/1285 https://fedorahosted.org/freeipa/ticket/1286 https://fedorahosted.org/freeipa/ticket/1287 rob -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-rcrit-808-whitespace.patch Type: text/x-diff Size: 2679 bytes Desc: not available URL: From rcritten at redhat.com Fri Jun 24 18:44:42 2011 
From: rcritten at redhat.com (Rob Crittenden) Date: Fri, 24 Jun 2011 14:44:42 -0400 Subject: [Freeipa-devel] [PATCH] 804 slight perf improvement In-Reply-To: <1308827978.3951.12.camel@dhcp-25-52.brq.redhat.com> References: <4DFA228A.1050905@redhat.com> <1308827978.3951.12.camel@dhcp-25-52.brq.redhat.com> Message-ID: <4E04DB1A.6000403@redhat.com> Martin Kosek wrote: > On Thu, 2011-06-16 at 11:34 -0400, Rob Crittenden wrote: >> This patch adds the production mode test to a few more places in the >> code. The speed increase is slight, a few hundred ms in my tests, but >> every little bit helps. >> >> ticket 1023 >> >> rob > > I didn't notice much of a speed up on my VM. But if it does in your > tests I am not against this patch. It doesn't seem to have a potential > to break things. I'll take that as an ack, pushed to master and ipa-2-0 From edewata at redhat.com Fri Jun 24 18:52:58 2011 From: edewata at redhat.com (Endi Sukma Dewata) Date: Fri, 24 Jun 2011 13:52:58 -0500 Subject: [Freeipa-devel] [PATCH] 189 Fixed entity labels. Message-ID: <4E04DD0A.1010505@redhat.com> The entity labels in the following locations have been fixed: - search facet title: plural - details facet title: singular - association facet title: singular - breadcrumb: plural - adder dialog title: singular - deleter dialog title: plural Some entity labels have been changed into the correct plural form. Unused file install/ui/test/data/i18n_messages.json has been removed. Ticket #1249 Ticket #1387 -- Endi S. Dewata -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-edewata-0189-Fixed-entity-labels.patch Type: text/x-patch Size: 48733 bytes Desc: not available URL: From edewata at redhat.com Fri Jun 24 19:09:17 2011 
From: edewata at redhat.com (Endi Sukma Dewata) Date: Fri, 24 Jun 2011 14:09:17 -0500 Subject: [Freeipa-devel] [PATCH] 0249-optional-uid. In-Reply-To: <4E04D6C0.6020400@redhat.com> References: <4DFFF2FA.7090103@redhat.com> <4E00B372.20309@redhat.com> <4E00BB49.7070701@redhat.com> <4E04D6C0.6020400@redhat.com> Message-ID: <4E04E0DD.3060908@redhat.com> On 6/24/2011 1:26 PM, Adam Young wrote: > The old code on dialog.js:325-331 can be removed. It would be nice to set the focus to the input field automatically once you 'click to show'. But this might require adding focus() to all widgets. This can be done later. Other than that it's ACKed. -- Endi S. Dewata From rcritten at redhat.com Fri Jun 24 19:10:17 2011 
From: rcritten at redhat.com (Rob Crittenden) Date: Fri, 24 Jun 2011 15:10:17 -0400 Subject: [Freeipa-devel] [PATCH] 808 don't allow leading/trailing whitespace in strings In-Reply-To: <4E04DA3E.1040600@redhat.com> References: <4E04DA3E.1040600@redhat.com> Message-ID: <4E04E119.7080205@redhat.com> Rob Crittenden wrote: > This started as a problem in allowing leading/trailing whitespaces on > primary keys. In nearly every command other than add query is True so > all rules were ignored on the primary key. This meant that to enforce > whitespace we would need to define a validator for each one. > > I decided instead to set self.all_rules to just the class rules if query > == True. So the minimum set of validators will be executed against each > type but param-specific validators will only run on add. > > I talked to Martin about this a bit this morning. My original intention > was to make some pretty invasive changes related to query and he talked > me out of them. He felt that in anything other than an add the > validators shouldn't be run. We compromised on letting Parameter-specific > validators be run. > > This has pretty big implications on primary keys so test carefully. > > https://fedorahosted.org/freeipa/ticket/1285 > https://fedorahosted.org/freeipa/ticket/1286 > https://fedorahosted.org/freeipa/ticket/1287 > > rob self-NACK, found a problem. rob From edewata at redhat.com Fri Jun 24 19:24:36 2011 
From: edewata at redhat.com (Endi Sukma Dewata) Date: Fri, 24 Jun 2011 14:24:36 -0500 Subject: [Freeipa-devel] [PATCH] 190 Removed invalid associations. Message-ID: <4E04E474.4020005@redhat.com> The following invalid associations have been removed: - group's memberindirect netgroup and role - hostgroup's memberofindirect host Ticket #1366 Ticket #1367 -- Endi S. Dewata -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-edewata-0190-Removed-invalid-associations.patch Type: text/x-patch Size: 1739 bytes Desc: not available URL: From edewata at redhat.com Fri Jun 24 19:43:11 2011 From: edewata at redhat.com (Endi Sukma Dewata) Date: Fri, 24 Jun 2011 14:43:11 -0500 Subject: [Freeipa-devel] [PATCH] 191 Fixed DNS records page title. Message-ID: <4E04E8CF.2030803@redhat.com> The DNS records are presented as a facet in the DNS zone details page, so the page title should say DNS Zone. -- Endi S. Dewata From rcritten at redhat.com Fri Jun 24 20:24:20 2011 
From: rcritten at redhat.com (Rob Crittenden) Date: Fri, 24 Jun 2011 16:24:20 -0400 Subject: [Freeipa-devel] [PATCH] 24 Verify that the hostname is fully-qualified In-Reply-To: <4E04A67B.7070407@redhat.com> References: <4E034EB5.7060603@redhat.com> <1308842386.2890.15.camel@dhcp-25-52.brq.redhat.com> <4E04A67B.7070407@redhat.com> Message-ID: <4E04F274.7000700@redhat.com> Jan Cholasta wrote: > On 23.6.2011 17:19, Martin Kosek wrote: >> On Thu, 2011-06-23 at 16:33 +0200, Jan Cholasta wrote: >>> This patch makes ipactl fail if the hostname isn't fully-qualified. It >>> also fixes ipa-server-install to fail gracefully in such case, instead >>> of failing with unexpected error. >>> >>> https://fedorahosted.org/freeipa/ticket/1035 >>> >>> Honza >> >> You may want to coordinate yourself with Rob here. His patch 762 for >> custom hostname was sent yesterday and was ACK-ed today. Otherwise your >> 2 patches will clash. You fixed the same line in ipactl for example. >> >> Martin >> >> > > Rebased the patch to master. > > Honza ack, pushed to master and ipa-2-0 It occurred to me that we haven't really documented anywhere the behavior of setting host in /etc/ipa/default.conf. I opened a ticket to document this for ipactl. rob From rcritten at redhat.com Fri Jun 24 20:37:36 2011 
From: rcritten at redhat.com (Rob Crittenden) Date: Fri, 24 Jun 2011 16:37:36 -0400 Subject: [Freeipa-devel] [PATCH] 808 don't allow leading/trailing whitespace in strings In-Reply-To: <4E04E119.7080205@redhat.com> References: <4E04DA3E.1040600@redhat.com> <4E04E119.7080205@redhat.com> Message-ID: <4E04F590.2030408@redhat.com>

Rob Crittenden wrote:
> Rob Crittenden wrote:
>> This started as a problem in allowing leading/trailing whitespaces on
>> primary keys. In nearly every command other than add query is True so
>> all rules were ignored on the primary key. This meant that to enforce
>> whitespace we would need to define a validator for each one.
>>
>> I decided instead to set self.all_rules to just the class rules if query
>> == True. So the minimum set of validators will be executed against each
>> type but param-specific validators will only run on add.
>>
>> I talked to Martin about this a bit this morning. My original intention
>> was to make some pretty invasive changes related to query and he talked
>> me out of them. He felt that in anything other than an add the
>> validators shouldn't be run. We compromised on letting Parameter-specific
>> validators be run.
>>
>> This has pretty big implications on primary keys so test carefully.
>>
>> https://fedorahosted.org/freeipa/ticket/1285
>> https://fedorahosted.org/freeipa/ticket/1286
>> https://fedorahosted.org/freeipa/ticket/1287
>>
>> rob
>
> self-NACK, found a problem.
>
> rob

Add only to Str class, fixed pylint error.

rob

-------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-rcrit-808-2-whitespace.patch Type: text/x-diff Size: 2932 bytes Desc: not available URL:

From JR.Aquino at citrix.com Fri Jun 24 21:27:08 2011
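Added example, not FreeIPA's code: a sketch of the two-tier rule split the patch 808 thread describes, where a leading/trailing whitespace check is a class rule on a hypothetical Str type and so still runs when query is True (show/mod/del), while a param-specific rule runs only on add. Param, Str, ValidationError, UID and validate_or_error are hypothetical names, and the uid pattern is a constructed sample.

```python
"""Added example (not FreeIPA code): two tiers of validation rules, as in
the patch 808 description.  Class rules always run, even when a command
only looks an entry up (query=True); param-specific rules run only on add.
Names used here (Param, Str, ValidationError, UID) are hypothetical."""
import re


class ValidationError(ValueError):
    """Raised when a rule rejects a value."""


def no_leading_trailing_whitespace(value):
    """Class rule for strings: reject ' admin' and 'admin '."""
    if value != value.strip():
        return "Leading and trailing spaces are not allowed"
    return None


def pattern_rule(regex, message):
    """Build a param-specific rule from a regular expression."""
    compiled = re.compile(regex)

    def rule(value):
        return None if compiled.match(value) else message
    return rule


class Param:
    """Minimal parameter: a name plus the two rule tiers."""
    class_rules = ()          # shared by every instance of the type

    def __init__(self, name, *param_rules):
        self.name = name
        self.param_rules = tuple(param_rules)

    def rules_for(self, query):
        # In query mode the caller is identifying an existing entry, so only
        # the minimum, type-wide rule set applies; otherwise (add) the
        # param-specific validators are appended.
        rules = list(self.class_rules)
        if not query:
            rules.extend(self.param_rules)
        return rules

    def validate(self, value, query=False):
        for rule in self.rules_for(query):
            error = rule(value)
            if error is not None:
                raise ValidationError("invalid '%s': %s" % (self.name, error))
        return value


class Str(Param):
    """String parameter.  Putting the whitespace rule here means a primary
    key such as ' admin' is rejected by every command, not just by add."""
    class_rules = (no_leading_trailing_whitespace,)


# A user-login style primary key (constructed sample) with a param-specific
# character-set rule that is only enforced when the entry is created.
UID = Str('uid', pattern_rule(r'^[a-z0-9_.-]+$',
                              'may only include lowercase letters, numbers, _, -, .'))


def validate_or_error(param, value, query=False):
    """Return None if the value passes, else the error message."""
    try:
        param.validate(value, query=query)
    except ValidationError as e:
        return str(e)
    return None


if __name__ == '__main__':
    for value, query in [('admin', False), (' admin', True),
                         ('Admin', True), ('Admin', False)]:
        print("%-8r query=%-5s -> %s" % (
            value, query, validate_or_error(UID, value, query) or 'ok'))
```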
From: JR.Aquino at citrix.com (JR Aquino) Date: Fri, 24 Jun 2011 21:27:08 +0000 Subject: [Freeipa-devel] [PATCH] 33 oneliner correct typo in ipasudorunas_group Message-ID: https://fedorahosted.org/freeipa/ticket/1326 In case I haven't sent this out before. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Jr Aquino, GCIH | Information Security Specialist Citrix Online | 7408 Hollister Avenue | Goleta, CA 93117 T: +1 805.690.3478 jr.aquino at citrixonline.com http://www.citrixonline.com From ayoung at redhat.com Fri Jun 24 22:52:27 2011 From: ayoung at redhat.com (Adam Young) Date: Fri, 24 Jun 2011 18:52:27 -0400 Subject: [Freeipa-devel] [PATCH] 33 oneliner correct typo in ipasudorunas_group In-Reply-To: References: Message-ID: <4E05152B.6050803@redhat.com> On 06/24/2011 05:27 PM, JR Aquino wrote: > https://fedorahosted.org/freeipa/ticket/1326 > > In case I haven't sent this out before. > ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ > Jr Aquino, GCIH | Information Security Specialist > Citrix Online | 7408 Hollister Avenue | Goleta, CA 93117 > T: +1 805.690.3478 > jr.aquino at citrixonline.com > http://www.citrixonline.com > > > _______________________________________________ > Freeipa-devel mailing list > Freeipa-devel at redhat.com > https://www.redhat.com/mailman/listinfo/freeipa-devel ACK From ayoung at redhat.com Fri Jun 24 22:53:40 2011 
From: ayoung at redhat.com (Adam Young) Date: Fri, 24 Jun 2011 18:53:40 -0400 Subject: [Freeipa-devel] [PATCH] 189 Fixed entity labels. In-Reply-To: <4E04DD0A.1010505@redhat.com> References: <4E04DD0A.1010505@redhat.com> Message-ID: <4E051574.10707@redhat.com> On 06/24/2011 02:52 PM, Endi Sukma Dewata wrote: > The entity labels in the following locations have been fixed: > - search facet title: plural > - details facet title: singular > - association facet title: singular > - breadcrumb: plural > - adder dialog title: singular > - deleter dialog title: plural > > Some entity labels have been changed into the correct plural form. > Unused file install/ui/test/data/i18n_messages.json has been removed. > > Ticket #1249 > Ticket #1387 > > > _______________________________________________ > Freeipa-devel mailing list > Freeipa-devel at redhat.com > https://www.redhat.com/mailman/listinfo/freeipa-devel ACK. Pushed to master -------------- next part -------------- An HTML attachment was scrubbed... URL: From ayoung at redhat.com Fri Jun 24 22:54:51 2011 
From: ayoung at redhat.com (Adam Young) Date: Fri, 24 Jun 2011 18:54:51 -0400 Subject: [Freeipa-devel] [PATCH] 188 Added singular entity labels. In-Reply-To: <4E04ABB8.6010608@redhat.com> References: <4E04ABB8.6010608@redhat.com> Message-ID: <4E0515BB.2030007@redhat.com> On 06/24/2011 11:22 AM, Endi Sukma Dewata wrote: > A new attribute label_singular has been added to all entities which > contains the singular form of the entity label in lower cases except > for acronyms (e.g. HBAC) or proper nouns (e.g. Kerberos). In the Web > UI, this label can be capitalized using CSS text-transform. > > The existing 'label' attribute is intentionally left unchanged due to > inconsistencies in the current values. It contains mostly the plural > form of capitalized entity label, but some are singular. Also, it > seems currently there is no comparable capitalization method on the > server-side. So more work is needed before the label can be changed. > > Ticket #1249 > > > _______________________________________________ > Freeipa-devel mailing list > Freeipa-devel at redhat.com > https://www.redhat.com/mailman/listinfo/freeipa-devel ACK. Pushed to master -------------- next part -------------- An HTML attachment was scrubbed... URL: From ayoung at redhat.com Fri Jun 24 22:55:59 2011 From: ayoung at redhat.com (Adam Young) Date: Fri, 24 Jun 2011 18:55:59 -0400 Subject: [Freeipa-devel] [PATCH] 191 Fixed DNS records page title. In-Reply-To: <4E04E8CF.2030803@redhat.com> References: <4E04E8CF.2030803@redhat.com> Message-ID: <4E0515FF.6080901@redhat.com> On 06/24/2011 03:43 PM, Endi Sukma Dewata wrote: > The DNS records are presented as a facet in the DNS zone details > page, so the page title should say DNS Zone. > Forgot to add the patch From edewata at redhat.com Fri Jun 24 23:27:30 2011 
From: edewata at redhat.com (Endi Sukma Dewata) Date: Fri, 24 Jun 2011 18:27:30 -0500 Subject: [Freeipa-devel] [PATCH] 191 Fixed DNS records page title. In-Reply-To: <4E0515FF.6080901@redhat.com> References: <4E04E8CF.2030803@redhat.com> <4E0515FF.6080901@redhat.com> Message-ID: <4E051D62.60004@redhat.com> On 6/24/2011 5:55 PM, Adam Young wrote: > On 06/24/2011 03:43 PM, Endi Sukma Dewata wrote: >> The DNS records are presented as a facet in the DNS zone details >> page, so the page title should say DNS Zone. >> > Forgot to add the patch Patch attached. -- Endi S. Dewata -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-edewata-0191-Fixed-DNS-records-page-title.patch Type: text/x-patch Size: 937 bytes Desc: not available URL: From ayoung at redhat.com Sat Jun 25 02:31:06 2011 From: ayoung at redhat.com (Adam Young) Date: Fri, 24 Jun 2011 22:31:06 -0400 Subject: [Freeipa-devel] [PATCH] 191 Fixed DNS records page title. In-Reply-To: <4E051D62.60004@redhat.com> References: <4E04E8CF.2030803@redhat.com> <4E0515FF.6080901@redhat.com> <4E051D62.60004@redhat.com> Message-ID: <4E05486A.7030503@redhat.com> On 06/24/2011 07:27 PM, Endi Sukma Dewata wrote: > On 6/24/2011 5:55 PM, Adam Young wrote: >> On 06/24/2011 03:43 PM, Endi Sukma Dewata wrote: >>> The DNS records are presented as a facet in the DNS zone details >>> page, so the page title should say DNS Zone. >>> >> Forgot to add the patch > > Patch attached. > ack From abokovoy at redhat.com Mon Jun 27 12:50:50 2011 
From: abokovoy at redhat.com (Alexander Bokovoy) Date: Mon, 27 Jun 2011 15:50:50 +0300 Subject: [Freeipa-devel] [PATCH] 1 Convert boolean to TRUE/FALSE when writing to LDAP Message-ID: <4E087CAA.2070808@redhat.com> Hi, my first patch :) -- attempts to fix https://fedorahosted.org/freeipa/ticket/1259 Minor difference for IPA is that IPA command line tools are now reporting nsAccountLock in upper case (TRUE/FALSE instead of True/False previously). This does not affect functionality as far as I can see, and Web UI works fine. -- / Alexander Bokovoy -------------- next part -------------- An embedded and charset-unspecified text was scrubbed... Name: freeipa-abbra-0001-Convert-Bool-to-TRUE-FALSE-when-working-with-LDAP-ba.patch URL: From simo at redhat.com Mon Jun 27 13:16:03 2011 From: simo at redhat.com (Simo Sorce) Date: Mon, 27 Jun 2011 09:16:03 -0400 Subject: [Freeipa-devel] [PATCH] 1 Convert boolean to TRUE/FALSE when writing to LDAP In-Reply-To: <4E087CAA.2070808@redhat.com> References: <4E087CAA.2070808@redhat.com> Message-ID: <1309180563.2681.3.camel@willson.li.ssimo.org> On Mon, 2011-06-27 at 15:50 +0300, Alexander Bokovoy wrote: > Hi, > > my first patch :) -- attempts to fix > https://fedorahosted.org/freeipa/ticket/1259 > > Minor difference for IPA is that IPA command line tools are now > reporting nsAccountLock in upper case (TRUE/FALSE instead of > True/False > previously). This does not affect functionality as far as I can see, > and > Web UI works fine. Ack. Simo. -- Simo Sorce * Red Hat, Inc * New York From abokovoy at redhat.com Mon Jun 27 13:17:46 2011 
From: abokovoy at redhat.com (Alexander Bokovoy) Date: Mon, 27 Jun 2011 16:17:46 +0300 Subject: [Freeipa-devel] [PATCH] 0002 Minor typos in examples Message-ID: <4E0882FA.9060703@redhat.com> Hi, while reading through the code and examples, few typos were identified and fixed. Really minor patch. -- / Alexander Bokovoy -------------- next part -------------- An embedded and charset-unspecified text was scrubbed... Name: freeipa-abbra-0002-Minor-typos-in-the-examples.patch URL: From rmeggins at redhat.com Mon Jun 27 15:02:51 2011 From: rmeggins at redhat.com (Rich Megginson) Date: Mon, 27 Jun 2011 09:02:51 -0600 Subject: [Freeipa-devel] [PATCH] winsync enables disabled users in AD Message-ID: <4E089B9B.1080103@redhat.com> -------------- next part -------------- An embedded and charset-unspecified text was scrubbed... Name: freeipa-rmeggins-0001-winsync-enables-disabled-users-in-AD.patch URL: From rmeggins at redhat.com Mon Jun 27 15:03:26 2011 From: rmeggins at redhat.com (Rich Megginson) Date: Mon, 27 Jun 2011 09:03:26 -0600 Subject: [Freeipa-devel] [PATCH] modify user deleted in AD crashes winsync Message-ID: <4E089BBE.9040705@redhat.com> -------------- next part -------------- An embedded and charset-unspecified text was scrubbed... Name: freeipa-rmeggins-0002-modify-user-deleted-in-AD-crashes-winsync.patch URL: From rmeggins at redhat.com Mon Jun 27 15:03:55 2011 From: rmeggins at redhat.com (Rich Megginson) Date: Mon, 27 Jun 2011 09:03:55 -0600 Subject: [Freeipa-devel] [PATCH] memory leak in ipa_winsync_get_new_ds_user_dn_cb Message-ID: <4E089BDB.8040001@redhat.com> -------------- next part -------------- An embedded and charset-unspecified text was scrubbed... Name: freeipa-rmeggins-0003-memory-leak-in-ipa_winsync_get_new_ds_user_dn_cb.patch URL: From rcritten at redhat.com Mon Jun 27 15:31:06 2011 
From: rcritten at redhat.com (Rob Crittenden) Date: Mon, 27 Jun 2011 11:31:06 -0400 Subject: [Freeipa-devel] [PATCH] 33 oneliner correct typo in ipasudorunas_group In-Reply-To: <4E05152B.6050803@redhat.com> References: <4E05152B.6050803@redhat.com> Message-ID: <4E08A23A.7080504@redhat.com> Adam Young wrote: > On 06/24/2011 05:27 PM, JR Aquino wrote: >> https://fedorahosted.org/freeipa/ticket/1326 >> >> In case I haven't sent this out before. >> ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ >> Jr Aquino, GCIH | Information Security Specialist >> Citrix Online | 7408 Hollister Avenue | Goleta, CA 93117 >> T: +1 805.690.3478 >> jr.aquino at citrixonline.com >> http://www.citrixonline.com >> >> >> _______________________________________________ >> Freeipa-devel mailing list >> Freeipa-devel at redhat.com >> https://www.redhat.com/mailman/listinfo/freeipa-devel > ACK pushed to master and ipa-2-0 From ayoung at redhat.com Mon Jun 27 16:17:38 2011 From: ayoung at redhat.com (Adam Young) Date: Mon, 27 Jun 2011 12:17:38 -0400 Subject: [Freeipa-devel] One liner to fix permissions-add page Message-ID: <4E08AD22.3050306@redhat.com> 1. diff --git a/install/ui/aci.js b/install/ui/aci.js 2. index 077cbeb..1a95af0 100644 3. --- a/install/ui/aci.js 4. +++ b/install/ui/aci.js 5. @@ -393,6 +393,7 @@ IPA.target_section = function(spec) { 6. spec = spec || {}; 7. 8. var that = IPA.details_section(spec); 9. + that.section = true; 10. that.undo = typeof spec.undo == 'undefined' ? true : spec.undo; 11. 12. that.filter_text = IPA.text_widget({name: 'filter', undo: that.undo}); Pushed to master under the one line rule. -------------- next part -------------- An HTML attachment was scrubbed... URL: From rcritten at redhat.com Mon Jun 27 18:42:16 2011 
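Review bot: the added line `that.section = true;` in IPA.target_section sets a flag with no comment saying which code checks it; since the object comes from `IPA.details_section(spec)` on the line above and evidently does not get the flag there, a reader has to grep the UI code to learn what behaviour on the permissions-add page depends on it. As this went in under the one line rule without a separate ACK, a one-line comment naming the consumer of `section` (or a note on why details_section itself should not set it) would make the change self-explanatory.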
From: rcritten at redhat.com (Rob Crittenden) Date: Mon, 27 Jun 2011 14:42:16 -0400 Subject: [Freeipa-devel] [PATCH] 809 entitle_register using uuid unsupported Message-ID: <4E08CF08.9060504@redhat.com> Document registering to an entitlement server with a UUID as not implemented. It was my understanding that we would be able to pass in an existing UUID when registering to connect to an existing registration (for the case where IPA is re-installed). This is supported in the REST API but not python-rhsm. I've filed an RFE to get this added but for now this is a way to not do major surgery to the API and still be at least somewhat user-friendly. https://fedorahosted.org/freeipa/ticket/1216 rob -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-rcrit-809-rhsm.patch Type: text/x-diff Size: 1644 bytes Desc: not available URL: From ayoung at redhat.com Mon Jun 27 20:42:13 2011 From: ayoung at redhat.com (Adam Young) Date: Mon, 27 Jun 2011 16:42:13 -0400 Subject: [Freeipa-devel] [PATCH] 0249-optional-uid. In-Reply-To: <4E04E0DD.3060908@redhat.com> References: <4DFFF2FA.7090103@redhat.com> <4E00B372.20309@redhat.com> <4E00BB49.7070701@redhat.com> <4E04D6C0.6020400@redhat.com> <4E04E0DD.3060908@redhat.com> Message-ID: <4E08EB25.4090401@redhat.com> On 06/24/2011 03:09 PM, Endi Sukma Dewata wrote: > On 6/24/2011 1:26 PM, Adam Young wrote: >> > > The old code on dialog.js:325-331 can be removed. > > It would be nice to set the focus to the input field automatically > once you 'click to show'. But this might require adding focus() to all > widgets. This can be done later. > > Other than that it's ACKed. > removed commented out code and Pushed to master From ayoung at redhat.com Mon Jun 27 20:58:07 2011 
From: ayoung at redhat.com (Adam Young) Date: Mon, 27 Jun 2011 16:58:07 -0400 Subject: [Freeipa-devel] [PATCH] 0253-validate-required-fields Message-ID: <4E08EEDF.8000906@redhat.com> -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-admiyo-0253-validate-required-fields.patch Type: text/x-patch Size: 1796 bytes Desc: not available URL: From ayoung at redhat.com Mon Jun 27 21:43:53 2011 From: ayoung at redhat.com (Adam Young) Date: Mon, 27 Jun 2011 17:43:53 -0400 Subject: [Freeipa-devel] [PATCH] 0244-service-host-entity-select In-Reply-To: <4DFD5061.5040706@redhat.com> References: <4DFD5061.5040706@redhat.com> Message-ID: <4E08F999.6080809@redhat.com> On 06/18/2011 09:26 PM, Adam Young wrote: > > > _______________________________________________ > Freeipa-devel mailing list > Freeipa-devel at redhat.com > https://www.redhat.com/mailman/listinfo/freeipa-devel ACK and pushed to master -------------- next part -------------- An HTML attachment was scrubbed... URL: From edewata at redhat.com Mon Jun 27 23:40:57 2011 From: edewata at redhat.com (Endi Sukma Dewata) Date: Mon, 27 Jun 2011 18:40:57 -0500 Subject: [Freeipa-devel] [PATCH] 0253-validate-required-fields In-Reply-To: <4E08EEDF.8000906@redhat.com> References: <4E08EEDF.8000906@redhat.com> Message-ID: <4E091509.9020708@redhat.com> On 6/27/2011 3:58 PM, Adam Young wrote: > Since the optional attribute is now added into IPA.widget, the following line on dialog.js:347 is no longer needed: field.optional = field_spec.optional || false; Other than that it's ACKed. -- Endi S. Dewata From edewata at redhat.com Mon Jun 27 23:42:16 2011 
From: edewata at redhat.com (Endi Sukma Dewata) Date: Mon, 27 Jun 2011 18:42:16 -0500 Subject: [Freeipa-devel] [PATCH] 192 Fixed undo all problem. Message-ID: <4E091558.4010904@redhat.com> The IPA.multivalued_text_widget has been modified such that the 'undo all' will appear only if at least one of the values is dirty. Ticket #1109 -- Endi S. Dewata -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-edewata-0192-Fixed-undo-all-problem.patch Type: text/x-patch Size: 5510 bytes Desc: not available URL: From ayoung at redhat.com Mon Jun 27 23:57:11 2011 From: ayoung at redhat.com (Adam Young) Date: Mon, 27 Jun 2011 19:57:11 -0400 Subject: [Freeipa-devel] 0245-entity-select-undo In-Reply-To: <4DFF84A6.9030003@redhat.com> References: <4DFD54E5.4030003@redhat.com> <4DFF84A6.9030003@redhat.com> Message-ID: <4E0918D7.8070205@redhat.com> On 06/20/2011 01:34 PM, Endi Sukma Dewata wrote: > On 6/18/2011 8:46 PM, Adam Young wrote: >> > > ACK and pushed to master. > > The set_dirty() invocation in reset() is no longer needed. This can be > fixed later. > Pushed to master From ayoung at redhat.com Mon Jun 27 23:59:28 2011 
From: ayoung at redhat.com (Adam Young) Date: Mon, 27 Jun 2011 19:59:28 -0400 Subject: [Freeipa-devel] 0241-enforce-proper-capitalization-with-stylesheet. In-Reply-To: <4DFBE7E1.1030908@redhat.com> References: <4DFBC070.80108@redhat.com> <4DFBCF20.1040206@redhat.com> <4DFBE7E1.1030908@redhat.com> Message-ID: <4E091960.5070204@redhat.com>

Have not pushed this yet. Should I consider it ACKed and push it, or should we re-think it?

On 06/17/2011 07:48 PM, Adam Young wrote:
> This is how hyphenation is supposed to work. We should remove the
> hyphenation in the cases that you have enumerated below. The
> capitalization of Days and Hours units is fine.
>
> Agreed on the field label class.
>
> On 06/17/2011 06:03 PM, Endi Sukma Dewata wrote:
>> On 6/17/2011 4:00 PM, Adam Young wrote:
>>>
>>
>> Please take a look at the following capitalization. If these are
>> considered OK feel free to push.
>>
>> Host-group => Host-group (the g is not capitalized)
>> Max lifetime (days) => Max Lifetime (Days) (unit is capitalized)
>> Min lifetime (hours) => Min Lifetime (Hours) (unit is capitalized)
>>
>> Usually the term "time to live" is hyphenated. Currently in our code
>> it's not, so the capitalization will look like this:
>>
>> SOA time to live => SOA Time To Live
>>
>> But suppose it's changed later, it will look like this:
>>
>> SOA time-to-live => SOA Time-to-live (to-live is not capitalized)
>>
>> The fields in HBAC Rule and SUDO Rule details page are not
>> capitalized because it's using a table instead of dl/dt/dd. This can
>> be addressed in a separate patch. We might want to define a
>> 'field-label' CSS class.
>>

From ayoung at redhat.com Tue Jun 28 00:09:44 2011
From: ayoung at redhat.com (Adam Young) Date: Mon, 27 Jun 2011 20:09:44 -0400 Subject: [Freeipa-devel] [PATCH] admiyo-0220-update-ipa-init In-Reply-To: <4D95F60D.3000108@redhat.com> References: <4D95F60D.3000108@redhat.com> Message-ID: <4E091BC8.1030106@redhat.com> On 04/01/2011 11:58 AM, Adam Young wrote: > > > _______________________________________________ > Freeipa-devel mailing list > Freeipa-devel at redhat.com > https://www.redhat.com/mailman/listinfo/freeipa-devel ACKed by edewata and Pushed to master -------------- next part -------------- An HTML attachment was scrubbed... URL: From ayoung at redhat.com Tue Jun 28 00:16:20 2011 From: ayoung at redhat.com (Adam Young) Date: Mon, 27 Jun 2011 20:16:20 -0400 Subject: [Freeipa-devel] [PATCH] 0253-validate-required-fields In-Reply-To: <4E091509.9020708@redhat.com> References: <4E08EEDF.8000906@redhat.com> <4E091509.9020708@redhat.com> Message-ID: <4E091D54.4070508@redhat.com> On 06/27/2011 07:40 PM, Endi Sukma Dewata wrote: > On 6/27/2011 3:58 PM, Adam Young wrote: >> > > Since the optional attribute is now added into IPA.widget, the > following line on dialog.js:347 is no longer needed: > > field.optional = field_spec.optional || false; > > Other than that it's ACKed. > Line removed and Pushed to master From ayoung at redhat.com Tue Jun 28 00:59:20 2011 
From: ayoung at redhat.com (Adam Young) Date: Mon, 27 Jun 2011 20:59:20 -0400 Subject: [Freeipa-devel] [PATCH] 192 Fixed undo all problem. In-Reply-To: <4E091558.4010904@redhat.com> References: <4E091558.4010904@redhat.com> Message-ID: <4E092768.2050605@redhat.com>

On 06/27/2011 07:42 PM, Endi Sukma Dewata wrote:
> The IPA.multivalued_text_widget has been modified such that the
> 'undo all' will appear only if at least one of the values is dirty.
>
> Ticket #1109
>

ACK. Pushed to master

-------------- next part -------------- An HTML attachment was scrubbed... URL:

From simo at redhat.com Tue Jun 28 01:21:58 2011
From: simo at redhat.com (Simo Sorce) Date: Mon, 27 Jun 2011 21:21:58 -0400 Subject: [Freeipa-devel] [PATCH] 0244-service-host-entity-select In-Reply-To: <4E08F999.6080809@redhat.com> References: <4DFD5061.5040706@redhat.com> <4E08F999.6080809@redhat.com> Message-ID: <1309224118.2681.44.camel@willson.li.ssimo.org>

On Mon, 2011-06-27 at 17:43 -0400, Adam Young wrote:
> On 06/18/2011 09:26 PM, Adam Young wrote:
> >
> >
> ACK and pushed to master

Usually the ack should come from another developer, or am I missing something?

-- Simo Sorce * Red Hat, Inc * New York

From jcholast at redhat.com Tue Jun 28 12:52:03 2011
From: jcholast at redhat.com (Jan Cholasta) Date: Tue, 28 Jun 2011 14:52:03 +0200 Subject: [Freeipa-devel] [PATCH] 25 Update minimum required version of python-netaddr Message-ID: <4E09CE73.1000503@redhat.com> https://fedorahosted.org/freeipa/ticket/1288 Honza -- Jan Cholasta -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-jcholast-25-require-python-netaddr.patch Type: text/x-patch Size: 961 bytes Desc: not available URL: From jcholast at redhat.com Tue Jun 28 12:57:36 2011 From: jcholast at redhat.com (Jan Cholasta) Date: Tue, 28 Jun 2011 14:57:36 +0200 Subject: [Freeipa-devel] [PATCH] 26 Remove redundant configuration values from krb5.conf Message-ID: <4E09CFC0.4040804@redhat.com> https://fedorahosted.org/freeipa/ticket/1358 Honza -- Jan Cholasta -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-jcholast-26-krb5-conf-redundant.patch Type: text/x-patch Size: 1635 bytes Desc: not available URL: From ayoung at redhat.com Tue Jun 28 13:50:39 2011 From: ayoung at redhat.com (Adam Young) Date: Tue, 28 Jun 2011 09:50:39 -0400 Subject: [Freeipa-devel] [PATCH] 0244-service-host-entity-select In-Reply-To: <1309224118.2681.44.camel@willson.li.ssimo.org> References: <4DFD5061.5040706@redhat.com> <4E08F999.6080809@redhat.com> <1309224118.2681.44.camel@willson.li.ssimo.org> Message-ID: <4E09DC2F.8000905@redhat.com> On 06/27/2011 09:21 PM, Simo Sorce wrote: > On Mon, 2011-06-27 at 17:43 -0400, Adam Young wrote: >> On 06/18/2011 09:26 PM, Adam Young wrote: >>> >>> _______________________________________________ >>> Freeipa-devel mailing list >>> Freeipa-devel at redhat.com >>> https://www.redhat.com/mailman/listinfo/freeipa-devel >> ACK and pushed to master > Usually the ack should come for another developer, or am I missing > something ? > I should have said "ACKed in IRC by edewata." From jhrozek at redhat.com Tue Jun 28 14:14:09 2011 
From: jhrozek at redhat.com (Jakub Hrozek) Date: Tue, 28 Jun 2011 10:14:09 -0400 Subject: [Freeipa-devel] [PATCH] 25 Update minimum required version of python-netaddr In-Reply-To: <4E09CE73.1000503@redhat.com> References: <4E09CE73.1000503@redhat.com> Message-ID: <4E09E1B1.1070300@redhat.com> On 06/28/2011 08:52 AM, Jan Cholasta wrote: > https://fedorahosted.org/freeipa/ticket/1288 > > Honza > I gather this is done in order to get rid of the "try: except all" hack in installer? This works fine with F15 and F16 in mind. However, if the specfile is intended for being usable on RHEL as well (at least for development), some %if magic is required -- the fix is not there yet. From jcholast at redhat.com Tue Jun 28 14:55:07 2011 From: jcholast at redhat.com (Jan Cholasta) Date: Tue, 28 Jun 2011 16:55:07 +0200 Subject: [Freeipa-devel] [PATCH] 27 Replace the 'private' option in netgroup-find with, 'managed' Message-ID: <4E09EB4B.2000904@redhat.com> This patch effectively renames the netgroup-find option 'private' to 'managed'. 'private' is kept in to maintain API compatibility, but hidden from the user. https://fedorahosted.org/freeipa/ticket/1120 Honza -- Jan Cholasta -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-jcholast-27-netgroup-find-private.patch Type: text/x-patch Size: 4161 bytes Desc: not available URL: From ayoung at redhat.com Tue Jun 28 16:03:29 2011 From: ayoung at redhat.com (Adam Young) Date: Tue, 28 Jun 2011 12:03:29 -0400 Subject: [Freeipa-devel] [PATCH] 0254-Generate-record-type-list-from-metadata Message-ID: <4E09FB51.2050000@redhat.com> -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-admiyo-0254-Generate-record-type-list-from-metadata.patch Type: text/x-patch Size: 1404 bytes Desc: not available URL: From ayoung at redhat.com Tue Jun 28 16:04:18 2011 
From: ayoung at redhat.com (Adam Young) Date: Tue, 28 Jun 2011 12:04:18 -0400 Subject: [Freeipa-devel] [PATCH] 0254-Generate-record-type-list-from-metadata In-Reply-To: <4E09FB51.2050000@redhat.com> References: <4E09FB51.2050000@redhat.com> Message-ID: <4E09FB82.7060107@redhat.com>

On 06/28/2011 12:03 PM, Adam Young wrote:
>
>

This is for https://fedorahosted.org/freeipa/ticket/945

-------------- next part -------------- An HTML attachment was scrubbed... URL:

From rcritten at redhat.com Tue Jun 28 17:13:03 2011
From: rcritten at redhat.com (Rob Crittenden) Date: Tue, 28 Jun 2011 13:13:03 -0400 Subject: [Freeipa-devel] [PATCH] 810 fix re-enrolling a host with a OTP Message-ID: <4E0A0B9F.9030402@redhat.com>

Don't set krbLastPwdChange when setting a host OTP password.

We have no visibility into whether an entry has a keytab or not so krbLastPwdChange is used as a rough guide. If this value exists during enrollment then it fails because the host is considered already joined.

This was getting set when an OTP was added to a host that had already been enrolled (e.g. you enroll a host, unenroll it, set an OTP, then try to re-enroll). The second enrollment was failing because the enrollment plugin thought it was still enrolled because krbLastPwdChange was set.

https://fedorahosted.org/freeipa/ticket/1357

rob

-------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-rcrit-810-enroll.patch Type: text/x-diff Size: 5329 bytes Desc: not available URL:

From ayoung at redhat.com Tue Jun 28 18:07:30 2011
From: ayoung at redhat.com (Adam Young) Date: Tue, 28 Jun 2011 14:07:30 -0400 Subject: [Freeipa-devel] [PATCH] 0254-Generate-record-type-list-from-metadata In-Reply-To: <4E09FB82.7060107@redhat.com> References: <4E09FB51.2050000@redhat.com> <4E09FB82.7060107@redhat.com> Message-ID: <4E0A1862.6040200@redhat.com> On 06/28/2011 12:04 PM, Adam Young wrote: > On 06/28/2011 12:03 PM, Adam Young wrote: >> >> >> _______________________________________________ >> Freeipa-devel mailing list >> Freeipa-devel at redhat.com >> https://www.redhat.com/mailman/listinfo/freeipa-devel > This is for > > https://fedorahosted.org/freeipa/ticket/945 > > > _______________________________________________ > Freeipa-devel mailing list > Freeipa-devel at redhat.com > https://www.redhat.com/mailman/listinfo/freeipa-devel -------------- next part -------------- An HTML attachment was scrubbed... URL: -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-admiyo-0254-1-Generate-record-type-list-from-metadata.patch Type: text/x-patch Size: 1494 bytes Desc: not available URL: From rcritten at redhat.com Tue Jun 28 18:04:48 2011 
From: rcritten at redhat.com (Rob Crittenden) Date: Tue, 28 Jun 2011 14:04:48 -0400 Subject: [Freeipa-devel] [PATCH] 1 Convert boolean to TRUE/FALSE when writing to LDAP In-Reply-To: <1309180563.2681.3.camel@willson.li.ssimo.org> References: <4E087CAA.2070808@redhat.com> <1309180563.2681.3.camel@willson.li.ssimo.org> Message-ID: <4E0A17C0.9030601@redhat.com> Simo Sorce wrote: > On Mon, 2011-06-27 at 15:50 +0300, Alexander Bokovoy wrote: >> Hi, >> >> my first patch :) -- attempts to fix >> https://fedorahosted.org/freeipa/ticket/1259 >> >> Minor difference for IPA is that IPA command line tools are now >> reporting nsAccountLock in upper case (TRUE/FALSE instead of >> True/False >> previously). This does not affect functionality as far as I can see, >> and >> Web UI works fine. > > Ack. > > Simo. > Removed some trailing whitespace and pushed to master and ipa-2-0 From rcritten at redhat.com Tue Jun 28 18:05:02 2011 From: rcritten at redhat.com (Rob Crittenden) Date: Tue, 28 Jun 2011 14:05:02 -0400 Subject: [Freeipa-devel] [PATCH] 0002 Minor typos in examples In-Reply-To: <4E0882FA.9060703@redhat.com> References: <4E0882FA.9060703@redhat.com> Message-ID: <4E0A17CE.70706@redhat.com> Alexander Bokovoy wrote: > Hi, > > while reading through the code and examples, few typos were identified > and fixed. Really minor patch. ack, pushed to master and ipa-2-0 From rcritten at redhat.com Tue Jun 28 18:08:42 2011 
From: rcritten at redhat.com (Rob Crittenden) Date: Tue, 28 Jun 2011 14:08:42 -0400 Subject: [Freeipa-devel] [PATCH] 23 Add ability to specify DNS reverse zone name by IP network address In-Reply-To: <4E035324.4000607@redhat.com> References: <4E008B7B.6020404@redhat.com> <4E035324.4000607@redhat.com> Message-ID: <4E0A18AA.7040304@redhat.com> Jan Cholasta wrote: > On 21.6.2011 14:15, Jan Cholasta wrote: >> This patch adds a new option name_from_ip to dnszone commands. Default >> value of idnsname is created from this option. >> >> Honza >> > > Fixed the API version number, added usage example to dns plugin help. > > https://fedorahosted.org/freeipa/ticket/1045 > > Honza Had quickie code review in IRC this morning. I asked for a comment around the while loop, Honza suggested: This is to make chained default_from work - idnssoarname default is created from idnsname and idnsname default is created from name_from_ip - without this change, idnssoarname default value isn't created when only name_from_ip is specified. Would also be nice to have a test case for this new usage. rob From edewata at redhat.com Tue Jun 28 18:11:02 2011 From: edewata at redhat.com (Endi Sukma Dewata) Date: Tue, 28 Jun 2011 13:11:02 -0500 Subject: [Freeipa-devel] [PATCH] 0254-Generate-record-type-list-from-metadata In-Reply-To: <4E0A1862.6040200@redhat.com> References: <4E09FB51.2050000@redhat.com> <4E09FB82.7060107@redhat.com> <4E0A1862.6040200@redhat.com> Message-ID: <4E0A1936.1060603@redhat.com> On 6/28/2011 1:07 PM, Adam Young wrote: >> This is for >> >> https://fedorahosted.org/freeipa/ticket/945 ACK and pushed to master. -- Endi S. Dewata From rcritten at redhat.com Tue Jun 28 18:15:27 2011 
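Added example, not FreeIPA's code: a reverse zone name derived from an IP network the way a name_from_ip option would produce it, plus the chained default_from resolution the review comment above describes (idnsname defaulted from name_from_ip, idnssoarname from idnsname), done in a loop so the chain resolves regardless of the order the defaults are declared. It also covers IPv6 (ip6.arpa) and rejects host addresses and off-boundary prefixes; reverse_zone_name, fill_defaults, default_soa_rname and the DEFAULTS table are hypothetical names, and the zone strings are constructed samples.

```python
"""Added example (not FreeIPA code): a reverse zone name derived from an IP
network, as a name_from_ip option would do it, and a default_from chain
resolved in a loop so idnssoarname is filled even though its own source
(idnsname) is itself defaulted from name_from_ip.  Function names and the
DEFAULTS table are hypothetical."""
import ipaddress


def reverse_zone_name(network):
    """Return the in-addr.arpa / ip6.arpa zone name for an IP network.

    The string must be a network, not a host (host bits set is an error),
    and the prefix must fall on an octet (IPv4) or nibble (IPv6) boundary:
    a classless /25 has no plain reverse zone without RFC 2317 delegation.
    """
    net = ipaddress.ip_network(network, strict=True)
    if net.prefixlen == 0:
        raise ValueError("a /0 network has no reverse zone: %s" % net)
    if net.version == 4:
        if net.prefixlen % 8:
            raise ValueError("IPv4 prefix must be a multiple of 8: %s" % net)
        labels = str(net.network_address).split('.')[:net.prefixlen // 8]
        suffix = 'in-addr.arpa.'
    else:
        if net.prefixlen % 4:
            raise ValueError("IPv6 prefix must be a multiple of 4: %s" % net)
        hexstr = net.network_address.exploded.replace(':', '')
        labels = list(hexstr[:net.prefixlen // 4])   # one label per nibble
        suffix = 'ip6.arpa.'
    return '.'.join(reversed(labels)) + '.' + suffix


def default_soa_rname(idnsname):
    """Conventional SOA RNAME for a zone: hostmaster.<zone>."""
    return 'hostmaster.' + idnsname


# name -> (source param, function deriving the default from the source).
# idnssoarname is listed first on purpose: a single pass in this order finds
# idnsname still missing and skips it, which is exactly what the loop fixes.
DEFAULTS = {
    'idnssoarname': ('idnsname', default_soa_rname),
    'idnsname': ('name_from_ip', reverse_zone_name),
}


def fill_defaults(params, defaults=DEFAULTS):
    """Fill missing params from their default_from sources until stable.

    Explicitly supplied values are never overwritten; only absent ones are
    derived, and the loop repeats while any new value appeared.
    """
    params = dict(params)          # do not mutate the caller's dict
    changed = True
    while changed:
        changed = False
        for name, (source, derive) in defaults.items():
            if name not in params and source in params:
                params[name] = derive(params[source])
                changed = True
    return params


def fill_defaults_single_pass(params, defaults=DEFAULTS):
    """The behaviour without the loop, kept only to show the difference."""
    params = dict(params)
    for name, (source, derive) in defaults.items():
        if name not in params and source in params:
            params[name] = derive(params[source])
    return params


if __name__ == '__main__':
    given = {'name_from_ip': '192.168.1.0/24'}       # constructed sample
    print('with loop:   ', fill_defaults(given))
    print('single pass: ', fill_defaults_single_pass(given))
    print(reverse_zone_name('2001:db8::/32'))
```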
From: rcritten at redhat.com (Rob Crittenden)
Date: Tue, 28 Jun 2011 14:15:27 -0400
Subject: [Freeipa-devel] [PATCH] 087 Allow recursion by default
In-Reply-To: <1308730076.13562.16.camel@dhcp-25-52.brq.redhat.com>
References: <1308730076.13562.16.camel@dhcp-25-52.brq.redhat.com>
Message-ID: <4E0A1A3F.5060802@redhat.com>

Martin Kosek wrote:
> I suggest adding the following doc to the end of chapter "5.6. DNS"
> (after the paragraphs about forwarders):
>
> Any host is permitted to issue recursive queries against configured
> forwarders by default. When required, this behavior can be changed
> in /etc/named.conf in "allow-recursion" statement. Please consult name
> server documentation for details how to edit the configuration
> statement.
>
> ----
> How to test:
> 1) install IPA with --setup-dns and defined --forwarder
> 2) query record not-managed by installed IPA (e.g. www.freeipa.org) from
> localhost - should pass both with and without the patch
> 3) query record not-managed by installed IPA from other computer from
> different subnet - fails without the patch and should pass with the
> patch
>
> ----
> Update name server configuration file to allow any host to issue
> recursive queries (allow-recursion statement).
>
> https://fedorahosted.org/freeipa/ticket/1335
>

ack, pushed to master and ipa-2-0

Deon, this won't affect existing installations so this would be a candidate for Release Notes. Users will need to manually update named.conf if they want this feature.

rob

From ayoung at redhat.com Tue Jun 28 19:13:29 2011
From: ayoung at redhat.com (Adam Young) Date: Tue, 28 Jun 2011 15:13:29 -0400 Subject: [Freeipa-devel] [PATCH] shorten-url Message-ID: <4E0A27D9.4080100@redhat.com> One known issue: uses the wrong style for automount tabs, leaving excess white space -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-admiyo-0255-shorten-url.patch Type: text/x-patch Size: 20808 bytes Desc: not available URL: From rcritten at redhat.com Tue Jun 28 19:12:12 2011 From: rcritten at redhat.com (Rob Crittenden) Date: Tue, 28 Jun 2011 15:12:12 -0400 Subject: [Freeipa-devel] [PATCH] winsync enables disabled users in AD In-Reply-To: <4E089B9B.1080103@redhat.com> References: <4E089B9B.1080103@redhat.com> Message-ID: <4E0A278C.1040107@redhat.com> Rich Megginson wrote: > > > ack, pushed to master and ipa-2-0 rob From rcritten at redhat.com Tue Jun 28 19:12:21 2011 From: rcritten at redhat.com (Rob Crittenden) Date: Tue, 28 Jun 2011 15:12:21 -0400 Subject: [Freeipa-devel] [PATCH] modify user deleted in AD crashes winsync In-Reply-To: <4E089BBE.9040705@redhat.com> References: <4E089BBE.9040705@redhat.com> Message-ID: <4E0A2795.4050109@redhat.com> Rich Megginson wrote: > > ack, pushed to master and ipa-2-0 From rcritten at redhat.com Tue Jun 28 19:12:31 2011 From: rcritten at redhat.com (Rob Crittenden) Date: Tue, 28 Jun 2011 15:12:31 -0400 Subject: [Freeipa-devel] [PATCH] memory leak in ipa_winsync_get_new_ds_user_dn_cb In-Reply-To: <4E089BDB.8040001@redhat.com> References: <4E089BDB.8040001@redhat.com> Message-ID: <4E0A279F.2060400@redhat.com> Rich Megginson wrote: > > ack, pushed to master and ipa-2-0 From ayoung at redhat.com Tue Jun 28 19:33:28 2011 
From: ayoung at redhat.com (Adam Young) Date: Tue, 28 Jun 2011 15:33:28 -0400 Subject: [Freeipa-devel] [PATCH] shorten-url In-Reply-To: <4E0A27D9.4080100@redhat.com> References: <4E0A27D9.4080100@redhat.com> Message-ID: <4E0A2C88.4010902@redhat.com> On 06/28/2011 03:13 PM, Adam Young wrote: > One known issue: uses the wrong style for automount tabs, leaving > excess white space > > > _______________________________________________ > Freeipa-devel mailing list > Freeipa-devel at redhat.com > https://www.redhat.com/mailman/listinfo/freeipa-devel -------------- next part -------------- An HTML attachment was scrubbed... URL: -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-admiyo-0255-1-shorten-url.patch Type: text/x-patch Size: 21734 bytes Desc: not available URL: From edewata at redhat.com Tue Jun 28 20:18:34 2011 
From: edewata at redhat.com (Endi Sukma Dewata)
Date: Tue, 28 Jun 2011 15:18:34 -0500
Subject: [Freeipa-devel] [PATCH] shorten-url
In-Reply-To: <4E0A2C88.4010902@redhat.com>
References: <4E0A27D9.4080100@redhat.com> <4E0A2C88.4010902@redhat.com>
Message-ID: <4E0A371A.1070005@redhat.com>

On 6/28/2011 2:33 PM, Adam Young wrote:
> On 06/28/2011 03:13 PM, Adam Young wrote:
>> One known issue: uses the wrong style for automount tabs, leaving
>> excess white space

Some issues:

1. Reloading some pages will bring you to a different page (i.e. bookmarking wouldn't work). Try reloading these pages:
   - Groups details/association facet
   - HBAC Rule search facet
   It looks like the state JS variable should be initialized with values from the URL.

2. The following statement in navigation.js:123:

   key2.search('^'+entity)

   might match more keys than we want (e.g. sudo will match sudorule, sudocmd, sudocmdgroup). It might be better to do the matching twice, one for exact matching and the other for -* prefix.

3. I haven't verified this, but the removeAttribute() is supposed to be used with DOM elements. To remove a JS object property we should use:

   delete state[key];

4. As discussed over IRC, the logic for calculating tab depth assumes that only the leaf nodes can be hidden. This can be slightly improved by moving this code

   if (tab.hidden) {
       depth = depth -1;
   }

   from navigation.js line 258 into 253. This way any hidden tabs along the tab hierarchy will not be counted toward depth.

5. There's a whitespace warning.

--
Endi S. Dewata

From rcritten at redhat.com Tue Jun 28 20:19:42 2011
From: rcritten at redhat.com (Rob Crittenden) Date: Tue, 28 Jun 2011 16:19:42 -0400 Subject: [Freeipa-devel] [PATCH] 26 Remove redundant configuration values from krb5.conf In-Reply-To: <4E09CFC0.4040804@redhat.com> References: <4E09CFC0.4040804@redhat.com> Message-ID: <4E0A375E.4020906@redhat.com> Jan Cholasta wrote: > https://fedorahosted.org/freeipa/ticket/1358 > > Honza ack, pushed to master and ipa-2-0 From ayoung at redhat.com Tue Jun 28 20:51:37 2011 
From: ayoung at redhat.com (Adam Young) Date: Tue, 28 Jun 2011 16:51:37 -0400 Subject: [Freeipa-devel] [PATCH] shorten-url In-Reply-To: <4E0A371A.1070005@redhat.com> References: <4E0A27D9.4080100@redhat.com> <4E0A2C88.4010902@redhat.com> <4E0A371A.1070005@redhat.com> Message-ID: <4E0A3ED9.9080708@redhat.com> On 06/28/2011 04:18 PM, Endi Sukma Dewata wrote: > On 6/28/2011 2:33 PM, Adam Young wrote: >> On 06/28/2011 03:13 PM, Adam Young wrote: >>> One known issue: uses the wrong style for automount tabs, leaving >>> excess white space > > Some issues: > > 1. Reloading the some pages will bring you to a different page (i.e. > bookmarking wouldn't work). Try reloading these pages: > - Groups details/association facet > - HBAC Rule search facet > It looks like the state JS variable should be initialized with > values from the URL. > > 2. The following statement in navigation.js:123: > > key2.search('^'+entity) > > might match more keys than we want (e.g sudo will match sudorule, > sudocmd, sudocmdgroup). It might be better to do the matching twice, > one for exact matching and the other for -* prefix. > > 3. I haven't verified this, but the removeAttribute() is supposed to be > used with DOM elements. To remove a JS object property we should use: > > delete state[key]; > > 4. As discussed over IRC, the logic for calculating tab depth assumes > that only the leaf nodes can be hidden. This can be slightly improved > by moving this code > > if (tab.hidden) { > depth = depth -1; > } > > from navigation.js line 258 into 253. This way any hidden tabs along > the tab hierarchy will not be counted toward depth. > > 5. There's a whitespace warning. > -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-admiyo-0255-4-shorten-url.patch Type: text/x-patch Size: 22714 bytes Desc: not available URL: From rcritten at redhat.com Tue Jun 28 20:59:55 2011 
From: rcritten at redhat.com (Rob Crittenden) Date: Tue, 28 Jun 2011 16:59:55 -0400 Subject: [Freeipa-devel] [PATCH] 27 Replace the 'private' option in netgroup-find with, 'managed' In-Reply-To: <4E09EB4B.2000904@redhat.com> References: <4E09EB4B.2000904@redhat.com> Message-ID: <4E0A40CB.2010408@redhat.com> Jan Cholasta wrote: > This patch effectively renames the netgroup-find option 'private' to > 'managed'. 'private' is kept in to maintain API compatibility, but > hidden from the user. > > https://fedorahosted.org/freeipa/ticket/1120 Very nice, I like the idea of hiding the old option. Tested with updated and old client and both work great. pushed to master rob From ayoung at redhat.com Tue Jun 28 21:31:59 2011 From: ayoung at redhat.com (Adam Young) Date: Tue, 28 Jun 2011 17:31:59 -0400 Subject: [Freeipa-devel] [PATCH] 0256-check-required-on-entity-select Message-ID: <4E0A484F.9030906@redhat.com> -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-admiyo-0256-check-required-on-entity-select.patch Type: text/x-patch Size: 1958 bytes Desc: not available URL: From ayoung at redhat.com Tue Jun 28 21:45:02 2011 
From: ayoung at redhat.com (Adam Young) Date: Tue, 28 Jun 2011 17:45:02 -0400 Subject: [Freeipa-devel] [PATCH] shorten-url In-Reply-To: <4E0A3ED9.9080708@redhat.com> References: <4E0A27D9.4080100@redhat.com> <4E0A2C88.4010902@redhat.com> <4E0A371A.1070005@redhat.com> <4E0A3ED9.9080708@redhat.com> Message-ID: <4E0A4B5E.5000807@redhat.com> On 06/28/2011 04:51 PM, Adam Young wrote: > On 06/28/2011 04:18 PM, Endi Sukma Dewata wrote: >> On 6/28/2011 2:33 PM, Adam Young wrote: >>> On 06/28/2011 03:13 PM, Adam Young wrote: >>>> One known issue: uses the wrong style for automount tabs, leaving >>>> excess white space >> >> Some issues: >> >> 1. Reloading the some pages will bring you to a different page (i.e. >> bookmarking wouldn't work). Try reloading these pages: >> - Groups details/association facet >> - HBAC Rule search facet >> It looks like the state JS variable should be initialized with >> values from the URL. >> >> 2. The following statement in navigation.js:123: >> >> key2.search('^'+entity) >> >> might match more keys than we want (e.g sudo will match sudorule, >> sudocmd, sudocmdgroup). It might be better to do the matching twice, >> one for exact matching and the other for -* prefix. >> >> 3. I haven't verified this, but the removeAttribute() is supposed to be >> used with DOM elements. To remove a JS object property we should use: >> >> delete state[key]; >> >> 4. As discussed over IRC, the logic for calculating tab depth assumes >> that only the leaf nodes can be hidden. This can be slightly improved >> by moving this code >> >> if (tab.hidden) { >> depth = depth -1; >> } >> >> from navigation.js line 258 into 253. This way any hidden tabs along >> the tab hierarchy will not be counted toward depth. >> >> 5. There's a whitespace warning. 
>>
>
>

-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-admiyo-0255-5-shorten-url.patch
Type: text/x-patch
Size: 22456 bytes
Desc: not available

From ayoung at redhat.com Tue Jun 28 21:57:04 2011
From: ayoung at redhat.com (Adam Young) Date: Tue, 28 Jun 2011 17:57:04 -0400 Subject: [Freeipa-devel] [PATCH] shorten-url In-Reply-To: <4E0A4B5E.5000807@redhat.com> References: <4E0A27D9.4080100@redhat.com> <4E0A2C88.4010902@redhat.com> <4E0A371A.1070005@redhat.com> <4E0A3ED9.9080708@redhat.com> <4E0A4B5E.5000807@redhat.com> Message-ID: <4E0A4E30.1040708@redhat.com> On 06/28/2011 05:45 PM, Adam Young wrote: > On 06/28/2011 04:51 PM, Adam Young wrote: >> On 06/28/2011 04:18 PM, Endi Sukma Dewata wrote: >>> On 6/28/2011 2:33 PM, Adam Young wrote: >>>> On 06/28/2011 03:13 PM, Adam Young wrote: >>>>> One known issue: uses the wrong style for automount tabs, leaving >>>>> excess white space >>> >>> Some issues: >>> >>> 1. Reloading the some pages will bring you to a different page (i.e. >>> bookmarking wouldn't work). Try reloading these pages: >>> - Groups details/association facet >>> - HBAC Rule search facet >>> It looks like the state JS variable should be initialized with >>> values from the URL. >>> >>> 2. The following statement in navigation.js:123: >>> >>> key2.search('^'+entity) >>> >>> might match more keys than we want (e.g sudo will match sudorule, >>> sudocmd, sudocmdgroup). It might be better to do the matching twice, >>> one for exact matching and the other for -* prefix. >>> >>> 3. I haven't verified this, but the removeAttribute() is supposed to be >>> used with DOM elements. To remove a JS object property we should >>> use: >>> >>> delete state[key]; >>> >>> 4. As discussed over IRC, the logic for calculating tab depth assumes >>> that only the leaf nodes can be hidden. This can be slightly >>> improved >>> by moving this code >>> >>> if (tab.hidden) { >>> depth = depth -1; >>> } >>> >>> from navigation.js line 258 into 253. This way any hidden tabs along >>> the tab hierarchy will not be counted toward depth. >>> >>> 5. There's a whitespace warning. 
>>>
>>
>>
>
>

-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-admiyo-0255-6-shorten-url.patch
Type: text/x-patch
Size: 22452 bytes
Desc: not available

From edewata at redhat.com Tue Jun 28 22:42:39 2011
From: edewata at redhat.com (Endi Sukma Dewata)
Date: Tue, 28 Jun 2011 17:42:39 -0500
Subject: [Freeipa-devel] [PATCH] shorten-url
In-Reply-To: <4E0A4E30.1040708@redhat.com>
References: <4E0A27D9.4080100@redhat.com> <4E0A2C88.4010902@redhat.com> <4E0A371A.1070005@redhat.com> <4E0A3ED9.9080708@redhat.com> <4E0A4B5E.5000807@redhat.com> <4E0A4E30.1040708@redhat.com>
Message-ID: <4E0A58DF.2060306@redhat.com>

On 6/28/2011 4:57 PM, Adam Young wrote:
>

ACK and pushed to master.

--
Endi S. Dewata

From ayoung at redhat.com Wed Jun 29 13:37:24 2011
From: ayoung at redhat.com (Adam Young)
Date: Wed, 29 Jun 2011 09:37:24 -0400
Subject: [Freeipa-devel] [PATCH] 0257-containing-entity-pkeys
Message-ID: <4E0B2A94.2050900@redhat.com>

Better solution than the algorithm in 256 for nested entities.

From ayoung at redhat.com Wed Jun 29 14:34:32 2011
From: ayoung at redhat.com (Adam Young)
Date: Wed, 29 Jun 2011 10:34:32 -0400
Subject: [Freeipa-devel] [PATCH] 0257-containing-entity-pkeys
In-Reply-To: <4E0B2A94.2050900@redhat.com>
References: <4E0B2A94.2050900@redhat.com>
Message-ID: <4E0B37F8.5020501@redhat.com>

On 06/29/2011 09:37 AM, Adam Young wrote:
> Better solution than the algorithm in 256 for nested entities.

-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-admiyo-0257-containing-entity-pkeys.patch
Type: text/x-patch
Size: 1833 bytes
Desc: not available

From ayoung at redhat.com Wed Jun 29 16:30:25 2011
From: ayoung at redhat.com (Adam Young)
Date: Wed, 29 Jun 2011 12:30:25 -0400
Subject: [Freeipa-devel] [PATCH] 0257-containing-entity-pkeys
In-Reply-To: <4E0B37F8.5020501@redhat.com>
References: <4E0B2A94.2050900@redhat.com> <4E0B37F8.5020501@redhat.com>
Message-ID: <4E0B5321.5090908@redhat.com>

On 06/29/2011 10:34 AM, Adam Young wrote:
> On 06/29/2011 09:37 AM, Adam Young wrote:
>> Better solution than the algorithm in 256 for nested entities.

Changes for Hyphen and pkey names

-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-admiyo-0257-1-containing-entity-pkeys.patch
Type: text/x-patch
Size: 2707 bytes
Desc: not available

From edewata at redhat.com Wed Jun 29 16:52:53 2011
From: edewata at redhat.com (Endi Sukma Dewata)
Date: Wed, 29 Jun 2011 11:52:53 -0500
Subject: [Freeipa-devel] [PATCH] 0257-containing-entity-pkeys
In-Reply-To: <4E0B5321.5090908@redhat.com>
References: <4E0B2A94.2050900@redhat.com> <4E0B37F8.5020501@redhat.com> <4E0B5321.5090908@redhat.com>
Message-ID: <4E0B5865.7020401@redhat.com>

On 6/29/2011 11:30 AM, Adam Young wrote:
> On 06/29/2011 10:34 AM, Adam Young wrote:
>> On 06/29/2011 09:37 AM, Adam Young wrote:
>>> Better solution than the algorithm in 256 for nested entities.
> Changes for Hyphen and pkey names

Some issues:

1. This statement will store undefined values into url_state:

   url_state[key_name] = state[key_name];

   We need to check whether the state[key_name] is undefined. To test, open the UI, click the 'User Group' tab.

2. The following line should be located outside the for loop that iterates through the key names for that entity:

   current_entity = current_entity.containing_entity;

   This will cause a problem when there are more than 1 key name.

3. Optionally, the get_key_names() could just return 'pkey' instead of the full '-pkey'. The navigation code can add the prefix.

--
Endi S. Dewata

From rcritten at redhat.com Wed Jun 29 19:08:40 2011
From: rcritten at redhat.com (Rob Crittenden)
Date: Wed, 29 Jun 2011 15:08:40 -0400
Subject: [Freeipa-devel] [PATCH] 811 Set the client auth callback after creating the SSL connection.
Message-ID: <4E0B7838.7060200@redhat.com>

If we set the callback before calling connect() then if the connection tries a network family type and fails, it will try other family types. If this happens then the callback set on the first socket will be lost when a new socket is created. There is no way to query for the callback in an existing socket.

https://fedorahosted.org/freeipa/ticket/1349

rob

-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-rcrit-811-dogtag.patch
Type: text/x-diff
Size: 1535 bytes
Desc: not available

From rcritten at redhat.com Wed Jun 29 19:12:04 2011
From: rcritten at redhat.com (Rob Crittenden)
Date: Wed, 29 Jun 2011 15:12:04 -0400
Subject: [Freeipa-devel] [PATCH] 812 Use RunAs in labels, not Run As
Message-ID: <4E0B7904.5060509@redhat.com>

For consistency we should use RunAs in sudo labels and not Run As. The API changes don't affect the wire API, label is in there to make one think twice about making changes :-)

https://fedorahosted.org/freeipa/ticket/1328

-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-rcrit-812-runas.patch
Type: text/x-diff
Size: 8631 bytes
Desc: not available

From sgallagh at redhat.com Wed Jun 29 20:00:28 2011
From: sgallagh at redhat.com (Stephen Gallagher)
Date: Wed, 29 Jun 2011 16:00:28 -0400
Subject: [Freeipa-devel] Proposal: drop DENY rules from HBAC
Message-ID: <1309377629.6189.32.camel@sgallagh520.bos.redhat.com>

We discussed today on the FreeIPA status meeting the possibility of dropping support for DENY rules from the HBAC specification. I'm submitting it for discussion. Specifically, I'm looking to hear whether there are any FreeIPA admins out there that have a strong opinion on whether the DENY rules need to be included.

The current design of HBAC specifies that
1) If no ALLOW rules match, access is denied
2) If one or more ALLOW rules match and no DENY rules match, access is allowed.
3) If one or more DENY rules match, access is denied.

Thus, DENY rules exist only to provide exceptions from the ALLOW rules. There exists no ALLOW+DENY combination that cannot be constructed from ALLOW rules only.[1]

DENY rules introduce a lot of edge-cases for evaluation. The most important of which is the availability of the group membership for the user logging in. Depending on the mechanism used to log in (for example, GSSAPI over SSH or cross-realm Kerberos trust where the user is provided by the PAC), SSSD's cache may not have a complete list of groups for this user. If the login is occurring during offline mode (where SSSD cannot contact the LDAP server to refresh the user's groups), SSSD cannot determine whether DENY rules would match for the user. This therefore translates into a potential security issue.

We implemented a workaround in the SSSD evaluator to resolve this by guaranteeing that we do a full lookup of all groups referenced by rules while we are retrieving the rules from FreeIPA. However, this requires at least one additional lookup against the LDAP server (possibly many if there is need to resolve nestings). This results in a significantly slower login while online.

We also have issues related to source host evaluation. Some applications will provide an IP address instead of a hostname in the pam_rhost attribute. Our only recourse here is to perform a reverse-DNS lookup to try and identify the real hostname(s) of the server. However, in many real-world environments, reverse DNS is unavailable or misconfigured. In the case of ALLOW rules, this would lead to a match failure and an implicit denial. However, a failure to properly match a DENY rule can result in unexpected access being granted. This is a potentially serious security issue.

Given these edge cases (and performance issues of the noted workaround), I propose that we should drop DENY rules from the HBAC specification and limit ourselves only to ALLOW rules (which are much safer). Beyond the obvious advantages for our implementation, I believe that this will be less complex for users to write their rules.

[1] Some rules are complex to simulate, such as "Allow access from all PAM services EXCEPT telnet". But in a sane environment, all access should be via whitelist. If a customer is using an exception rule, they should re-evaluate this.

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 198 bytes
Desc: This is a digitally signed message part

From jdennis at redhat.com Wed Jun 29 20:08:28 2011
From: jdennis at redhat.com (John Dennis)
Date: Wed, 29 Jun 2011 16:08:28 -0400
Subject: [Freeipa-devel] [PATCH] 811 Set the client auth callback after creating the SSL connection.
In-Reply-To: <4E0B7838.7060200@redhat.com>
References: <4E0B7838.7060200@redhat.com>
Message-ID: <4E0B863C.6030501@redhat.com>

On 06/29/2011 03:08 PM, Rob Crittenden wrote:
> If we set the callback before calling connect() then if the connection
> tries a network family type and fails, it will try other family types.
> If this happens then the callback set on the first socket will be lost
> when a new socket is created. There is no way to query for the callback
> in an existing socket.

I'm tempted to NAK this. In part because I don't really understand why it works, but more because nsslib.py doesn't seem to be handling addresses, sockets and connections correctly. At first glance it appears to only create a new socket when switching families. I also don't understand the logic behind the family code.

But most importantly it seems to shutdown NSS every time you make a connection. What happens when you want more than one simultaneous connection?

Maybe we need to open a ticket to review nsslib.py.

--
John Dennis
Looking to carve out IT costs?
www.redhat.com/carveoutcosts/

From adam at younglogic.com Wed Jun 29 20:24:33 2011
From: adam at younglogic.com (Adam Young)
Date: Wed, 29 Jun 2011 16:24:33 -0400
Subject: [Freeipa-devel] [PATCH] 0258-undefined-pkeys
Message-ID: <4E0B8A01.405@younglogic.com>

-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-admiyo-0258-undefined-pkeys.patch
Type: text/x-patch
Size: 1844 bytes
Desc: not available

From jhrozek at redhat.com Wed Jun 29 20:25:01 2011
From: jhrozek at redhat.com (Jakub Hrozek) Date: Wed, 29 Jun 2011 16:25:01 -0400 Subject: [Freeipa-devel] Proposal: drop DENY rules from HBAC In-Reply-To: <1309377629.6189.32.camel@sgallagh520.bos.redhat.com> References: <1309377629.6189.32.camel@sgallagh520.bos.redhat.com> Message-ID: <4E0B8A1D.6000505@redhat.com> On 06/29/2011 04:00 PM, Stephen Gallagher wrote: > We discussed today on the FreeIPA status meeting the possibility of > dropping support for DENY rules from the HBAC specification. I'm > submitting it for discussion. Specifically, I'm looking to hear whether > there any any FreeIPA admins out there that have a strong opinion on > whether the DENY rules need to be included. > > The current design of HBAC specifies that > 1) If no ALLOW rules match, access is denied > 2) If one or more ALLOW rules match and no DENY rules match, access is > allowed. > 3) If one or more DENY rules match, access is denied. > > Thus, DENY rules exist only to provide exceptions from the ALLOW rules. > There exists no ALLOW+DENY combination that cannot be constructed from > ALLOW rules only.[1] > > DENY rules introduce a lot of edge-cases for evaluation. The most > important of which is the availability of the group membership for the > user logging in. Depending on the mechanism used to log in (for example, > GSSAPI over SSH or cross-realm Kerberos trust where the user is provided > by the PAC), SSSD's cache may not have a complete list of groups for > this user. If the login is occurring during offline mode (where SSSD > cannot contact the LDAP server to refresh the user's groups), SSSD > cannot determine whether DENY rules would match for the user. This > therefore translates into a potential security issue. > > We implemented a workaround in the SSSD evaluator to resolve this by > guaranteeing that we do a full lookup of all groups referenced by rules > while we are retrieving the rules from FreeIPA. 
However, this requires > at least one additional lookup against the LDAP server (possibly many if > there is need to resolve nestings). This results in a significantly > slower login while online. > > We also have issues related to source host evaluation. Some applications > will provide an IP address instead of a hostname in the pam_rhost > attribute. Our only recourse here is to perform a reverse-DNS lookup to > try and identify the real hostname(s) of the server. However, in many > real-world environments, reverse DNS is unavailable or misconfigured. In > the case of ALLOW rules, this would lead to a match failure and an > implicit denial. However, a failure to properly match a DENY rule can > result in unexpected access being granted. This is a potentially serious > security issue. > > Given these edge cases (and performance issues of the noted workaround), > I propose that we should drop DENY rules from the HBAC specification and > limit ourselves only to ALLOW rules (which are much safer). Beyond the > obvious advantages for our implementation, I believe that this will be > less complex for users to write their rules. > > > [1] Some rules are complex to simulate, such as "Allow access from all > PAM services EXCEPT telnet". But in a sane environment, all access > should be via whitelist. If a customer is using an exception rule, they > should re-evaluate this. > I think that an explicit allow list is usually way better because with deny rules it's easy to fail to enumerate all entities that should be denied, resulting in allowing access we didn't want to. However, does anyone still remember why we opted for deny rules during design phase in the first place? Was it a compatibility with some existing system (that our users might be migrating from) or just to provide a convenient construct to our users? By removing the deny rules, do we break compatibility with anything else than the IPA tech preview in RHEL and upstream FreeIPA 2.0? 
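To make the evaluation order in Stephen's proposal and the failure mode Jakub's reply points at concrete, here is an added worked example (example code, not FreeIPA or SSSD code). It models the three-step ALLOW/DENY evaluation, shows a DENY rule failing open when the evaluator has an incomplete group list or an unresolved source host, the same inputs failing closed under ALLOW-only rules, and the footnote's "all services EXCEPT telnet" rewritten as a single ALLOW rule; every rule, user, group, service and hostname is constructed sample data.

```python
"""Added worked example (not FreeIPA or SSSD code): a minimal model of the HBAC
evaluation order from the proposal, used to show why DENY rules fail open when
the evaluator's view of the request is incomplete. Every rule, user, group,
service and hostname below is constructed sample data."""
from dataclasses import dataclass
from typing import FrozenSet, List, Optional

ALL = "all"  # wildcard category, as in FreeIPA HBAC rules


@dataclass(frozen=True)
class Rule:
    name: str
    kind: str                                # "ALLOW" or "DENY"
    users: FrozenSet[str] = frozenset()      # user names, or {ALL}
    groups: FrozenSet[str] = frozenset()     # user groups
    services: FrozenSet[str] = frozenset()   # PAM service names, or {ALL}
    src_hosts: FrozenSet[str] = frozenset()  # source hostnames, or {ALL}


@dataclass(frozen=True)
class Request:
    user: str
    groups: FrozenSet[str]   # memberships the evaluator actually knows (may be incomplete)
    service: str
    src_host: Optional[str]  # resolved hostname; None when pam_rhost was an IP and rDNS failed


def rule_matches(rule: Rule, req: Request) -> bool:
    """Every category must match; data the evaluator lacks never matches anything."""
    user_ok = ALL in rule.users or req.user in rule.users or bool(rule.groups & req.groups)
    svc_ok = ALL in rule.services or req.service in rule.services
    host_ok = ALL in rule.src_hosts or (req.src_host is not None and req.src_host in rule.src_hosts)
    return user_ok and svc_ok and host_ok


def evaluate(rules: List[Rule], req: Request) -> bool:
    """The three steps from the proposal: no ALLOW match -> denied; ALLOW match and
    no DENY match -> allowed; any DENY match -> denied."""
    allowed = any(rule_matches(r, req) for r in rules if r.kind == "ALLOW")
    denied = any(rule_matches(r, req) for r in rules if r.kind == "DENY")
    return allowed and not denied


def rewrite_exception(allow: Rule, deny: Rule, all_services: FrozenSet[str]) -> Rule:
    """Footnote [1]: express 'all services EXCEPT <deny.services>' as one ALLOW rule.
    Handles a DENY that differs from the ALLOW only by service; the complement has
    to be spelled out, so the full set of PAM services must be supplied."""
    base = all_services if ALL in allow.services else allow.services
    return Rule(allow.name + "_allowlist", "ALLOW", allow.users, allow.groups,
                frozenset(base - deny.services), allow.src_hosts)


# Constructed sample policy: everyone may log in, minus three DENY exceptions.
SERVICES = frozenset({"sshd", "login", "telnet", "su"})
RULES = [
    Rule("allow_all", "ALLOW", users=frozenset({ALL}), services=frozenset({ALL}),
         src_hosts=frozenset({ALL})),
    Rule("no_telnet", "DENY", users=frozenset({ALL}), services=frozenset({"telnet"}),
         src_hosts=frozenset({ALL})),
    Rule("no_contractor_ssh", "DENY", groups=frozenset({"contractors"}),
         services=frozenset({"sshd"}), src_hosts=frozenset({ALL})),
    Rule("no_kiosk", "DENY", users=frozenset({ALL}), services=frozenset({ALL}),
         src_hosts=frozenset({"kiosk.example.com"})),
]
# Constructed ALLOW-only policy: only staff, only from a known workstation, no telnet.
ALLOW_ONLY = [
    Rule("staff_access", "ALLOW", groups=frozenset({"staff"}),
         services=frozenset({"sshd", "login", "su"}), src_hosts=frozenset({"ws1.example.com"})),
]


def online_contractor() -> bool:
    # Complete group list: the DENY matches and access is refused as intended.
    return evaluate(RULES, Request("bob", frozenset({"contractors"}), "sshd", "ws1.example.com"))


def offline_contractor() -> bool:
    # Offline cache that lacks bob's groups: the DENY cannot match, so access is granted.
    return evaluate(RULES, Request("bob", frozenset(), "sshd", "ws1.example.com"))


def unresolved_source_host() -> bool:
    # pam_rhost was an IP and reverse DNS failed: the host-based DENY cannot match,
    # so alice gets in even if she is in fact sitting at the kiosk.
    return evaluate(RULES, Request("alice", frozenset({"staff"}), "login", None))


def allow_only_offline() -> bool:
    # The same incomplete data against ALLOW-only rules gives an implicit denial.
    return evaluate(ALLOW_ONLY, Request("alice", frozenset(), "sshd", None))


def allow_only_complete() -> bool:
    return evaluate(ALLOW_ONLY, Request("alice", frozenset({"staff"}), "sshd", "ws1.example.com"))


if __name__ == "__main__":
    for check in (online_contractor, offline_contractor, unresolved_source_host,
                  allow_only_offline, allow_only_complete):
        print(f"{check.__name__}: {'allowed' if check() else 'denied'}")
    print("telnet exception as allowlist:",
          sorted(rewrite_exception(RULES[0], RULES[1], SERVICES).services))
```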
From ayoung at redhat.com Wed Jun 29 20:47:23 2011 From: ayoung at redhat.com (Adam Young) Date: Wed, 29 Jun 2011 16:47:23 -0400 Subject: [Freeipa-devel] [PATCH] 0257-containing-entity-pkeys In-Reply-To: <4E0B5865.7020401@redhat.com> References: <4E0B2A94.2050900@redhat.com> <4E0B37F8.5020501@redhat.com> <4E0B5321.5090908@redhat.com> <4E0B5865.7020401@redhat.com> Message-ID: <4E0B8F5B.9080701@redhat.com> On 06/29/2011 12:52 PM, Endi Sukma Dewata wrote: > On 6/29/2011 11:30 AM, Adam Young wrote: >> On 06/29/2011 10:34 AM, Adam Young wrote: >>> On 06/29/2011 09:37 AM, Adam Young wrote: >>>> Better solution than the algorithm in 256 for nested entities. >> Changes for Hyphen and pkey names > > Some issues: > > 1. This statement will store undefined values into url_state: > > url_state[key_name] = state[key_name]; > > We need to check whether the state[key_name] is undefined. > To test, open the UI, click the 'User Group' tab. > > 2. The following line should be located outside the for loop that > iterates through the key names for that entity: > > current_entity = current_entity.containing_entity; > > This will cause a problem when there are more than 1 key name. > > 3. Optionally, the get_key_names() could just return 'pkey' instead > of the full '-pkey'. The navigation code can add the > prefix. > -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-admiyo-0257-2-containing-entity-pkeys.patch Type: text/x-patch Size: 2786 bytes Desc: not available URL: From rcritten at redhat.com Wed Jun 29 20:58:56 2011 
From: rcritten at redhat.com (Rob Crittenden)
Date: Wed, 29 Jun 2011 16:58:56 -0400
Subject: [Freeipa-devel] [PATCH] 811 Set the client auth callback after creating the SSL connection.
In-Reply-To: <4E0B863C.6030501@redhat.com>
References: <4E0B7838.7060200@redhat.com> <4E0B863C.6030501@redhat.com>
Message-ID: <4E0B9210.6040603@redhat.com>

John Dennis wrote:
> On 06/29/2011 03:08 PM, Rob Crittenden wrote:
>> If we set the callback before calling connect() then if the connection
>> tries a network family type and fails, it will try other family types.
>> If this happens then the callback set on the first socket will be lost
>> when a new socket is created. There is no way to query for the callback
>> in an existing socket.
>
> I'm tempted to NAK this. In part because I don't really understand why
> it works, but more because nsslib.py doesn't seem to be handling
> addresses, sockets and connections correctly. At first glance it appears
> to only create a new socket when switching families. I also don't
> understand the logic behind the family code.

It works like this:

- We create an NSSConnection() which automatically gives us an SSL socket
- We can add the callback here but if the connection fails a new socket will be created. There is no way I can see to find the callback call. I don't think this is even part of the C API so this isn't a deficiency in python-nss.
- The connect() call just makes a network connection. NSS doesn't do anything until the first bit of data gets written to the socket so we can set the callback after the connection is completed.

The default family is UNSPEC which is treated as IPv4.

> But most importantly it seems to shutdown NSS every time you make a
> connection. What happens when you want more than one simultaneous
> connection?

NSS is still very limited regarding having multiple NSS databases open at once. This code is meant to allow one to switch databases. Running within Apache (and our framework) the shutdown will fail because things in the database are in use, so this is a bit of a no-op. It is really just needed in the installer where things are done serially, so again no problem.

> Maybe we need to open a ticket to review nsslib.py.
>

A review of nsslib wouldn't hurt, it has had a lot tacked on since inception, but we'd still have to deal with multiple databases, family failover, etc. I'd rather do that as a next step.

rob

From ayoung at redhat.com Wed Jun 29 21:10:51 2011
From: ayoung at redhat.com (Adam Young) Date: Wed, 29 Jun 2011 17:10:51 -0400 Subject: [Freeipa-devel] [PATCH] 0257-containing-entity-pkeys In-Reply-To: <4E0B8F5B.9080701@redhat.com> References: <4E0B2A94.2050900@redhat.com> <4E0B37F8.5020501@redhat.com> <4E0B5321.5090908@redhat.com> <4E0B5865.7020401@redhat.com> <4E0B8F5B.9080701@redhat.com> Message-ID: <4E0B94DB.4000503@redhat.com> On 06/29/2011 04:47 PM, Adam Young wrote: > On 06/29/2011 12:52 PM, Endi Sukma Dewata wrote: >> On 6/29/2011 11:30 AM, Adam Young wrote: >>> On 06/29/2011 10:34 AM, Adam Young wrote: >>>> On 06/29/2011 09:37 AM, Adam Young wrote: >>>>> Better solution than the algorithm in 256 for nested entities. >>> Changes for Hyphen and pkey names >> >> Some issues: >> >> 1. This statement will store undefined values into url_state: >> >> url_state[key_name] = state[key_name]; >> >> We need to check whether the state[key_name] is undefined. >> To test, open the UI, click the 'User Group' tab. >> >> 2. The following line should be located outside the for loop that >> iterates through the key names for that entity: >> >> current_entity = current_entity.containing_entity; >> >> This will cause a problem when there are more than 1 key name. >> >> 3. Optionally, the get_key_names() could just return 'pkey' instead >> of the full '-pkey'. The navigation code can add the >> prefix. >> > > > _______________________________________________ > Freeipa-devel mailing list > Freeipa-devel at redhat.com > https://www.redhat.com/mailman/listinfo/freeipa-devel ACKed in IRC by edewata and pushed to master with a minor tweak for a JSL warning From simo at redhat.com Wed Jun 29 21:23:47 2011
From: simo at redhat.com (Simo Sorce) Date: Wed, 29 Jun 2011 17:23:47 -0400 Subject: [Freeipa-devel] Proposal: drop DENY rules from HBAC In-Reply-To: <4E0B8A1D.6000505@redhat.com> References: <1309377629.6189.32.camel@sgallagh520.bos.redhat.com> <4E0B8A1D.6000505@redhat.com> Message-ID: <1309382627.2681.71.camel@willson.li.ssimo.org> On Wed, 2011-06-29 at 16:25 -0400, Jakub Hrozek wrote: > On 06/29/2011 04:00 PM, Stephen Gallagher wrote: > > We discussed today on the FreeIPA status meeting the possibility of > > dropping support for DENY rules from the HBAC specification. I'm > > submitting it for discussion. Specifically, I'm looking to hear whether > > there are any FreeIPA admins out there that have a strong opinion on > > whether the DENY rules need to be included. > > > > The current design of HBAC specifies that > > 1) If no ALLOW rules match, access is denied > > 2) If one or more ALLOW rules match and no DENY rules match, access is > > allowed. > > 3) If one or more DENY rules match, access is denied. > > > > Thus, DENY rules exist only to provide exceptions from the ALLOW rules. > > There exists no ALLOW+DENY combination that cannot be constructed from > > ALLOW rules only.[1] > > > > DENY rules introduce a lot of edge-cases for evaluation. The most > > important of which is the availability of the group membership for the > > user logging in. Depending on the mechanism used to log in (for example, > > GSSAPI over SSH or cross-realm Kerberos trust where the user is provided > > by the PAC), SSSD's cache may not have a complete list of groups for > > this user. If the login is occurring during offline mode (where SSSD > > cannot contact the LDAP server to refresh the user's groups), SSSD > > cannot determine whether DENY rules would match for the user. This > > therefore translates into a potential security issue.
> > > > We implemented a workaround in the SSSD evaluator to resolve this by > > guaranteeing that we do a full lookup of all groups referenced by rules > > while we are retrieving the rules from FreeIPA. However, this requires > > at least one additional lookup against the LDAP server (possibly many if > > there is need to resolve nestings). This results in a significantly > > slower login while online. > > > > We also have issues related to source host evaluation. Some applications > > will provide an IP address instead of a hostname in the pam_rhost > > attribute. Our only recourse here is to perform a reverse-DNS lookup to > > try and identify the real hostname(s) of the server. However, in many > > real-world environments, reverse DNS is unavailable or misconfigured. In > > the case of ALLOW rules, this would lead to a match failure and an > > implicit denial. However, a failure to properly match a DENY rule can > > result in unexpected access being granted. This is a potentially serious > > security issue. > > > > Given these edge cases (and performance issues of the noted workaround), > > I propose that we should drop DENY rules from the HBAC specification and > > limit ourselves only to ALLOW rules (which are much safer). Beyond the > > obvious advantages for our implementation, I believe that this will be > > less complex for users to write their rules. > > > > > > [1] Some rules are complex to simulate, such as "Allow access from all > > PAM services EXCEPT telnet". But in a sane environment, all access > > should be via whitelist. If a customer is using an exception rule, they > > should re-evaluate this. > > > > I think that an explicit allow list is usually way better because with > deny rules it's easy to fail to enumerate all entities that should be > denied, resulting in allowing access we didn't want to. 
This is exactly the problem with Deny rules in general > However, does anyone still remember why we opted for deny rules during > design phase in the first place? Was it a compatibility with some > existing system (that our users might be migrating from) or just to > provide a convenient construct to our users? I think we overlooked the drawbacks to implementations when we decided the format. I think I raised some mild concern due to the pain I see with Ms-ACLs and deny rules, but there it is worse because rules are also ordered. So I think I acked deny rules as a convenient construct hoping deny rules wouldn't be that bad if not ordered. Clearly that was a mistake. I now think deny rules are really a technical issue, and convenience shouldn't be allowed to rule in this case. > By removing the deny rules, do we break compatibility with anything else > than the IPA tech preview in RHEL and upstream FreeIPA 2.0? No. Simo. -- Simo Sorce * Red Hat, Inc * New York From edewata at redhat.com Wed Jun 29 21:26:36 2011 From: edewata at redhat.com (Endi Sukma Dewata) Date: Wed, 29 Jun 2011 16:26:36 -0500 Subject: [Freeipa-devel] [PATCH] 0258-undefined-pkeys In-Reply-To: <4E0B8A01.405@younglogic.com> References: <4E0B8A01.405@younglogic.com> Message-ID: <4E0B988C.6060109@redhat.com> On 6/29/2011 3:24 PM, Adam Young wrote: > ACK and pushed to master. -- Endi S. Dewata From edewata at redhat.com Wed Jun 29 21:44:18 2011 From: edewata at redhat.com (Endi Sukma Dewata) Date: Wed, 29 Jun 2011 16:44:18 -0500 Subject: [Freeipa-devel] [PATCH] 1396 Fixed hard-coded messages. Message-ID: <4E0B9CB2.1060402@redhat.com> Hard-coded messages in the UI have been replaced with I18n messages. Ticket #1396 -- Endi S. Dewata -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-edewata-0193-Fixed-hard-coded-messages.patch Type: text/x-patch Size: 113746 bytes Desc: not available URL: From dpal at redhat.com Wed Jun 29 22:06:19 2011 
From: dpal at redhat.com (Dmitri Pal) Date: Wed, 29 Jun 2011 18:06:19 -0400 Subject: [Freeipa-devel] Proposal: drop DENY rules from HBAC In-Reply-To: <4E0B8A1D.6000505@redhat.com> References: <1309377629.6189.32.camel@sgallagh520.bos.redhat.com> <4E0B8A1D.6000505@redhat.com> Message-ID: <4E0BA1DB.3010809@redhat.com> > > I think that an explicit allow list is usually way better because with > deny rules it's easy to fail to enumerate all entities that should be > denied, resulting in allowing access we didn't want to. > > However, does anyone still remember why we opted for deny rules during > design phase in the first place? IMO it was convenience. > Was it a compatibility with some existing system (that our users might > be migrating from) or just to provide a convenient construct to our > users? No other system we know of does this. > > By removing the deny rules, do we break compatibility with anything > else than the IPA tech preview in RHEL and upstream FreeIPA 2.0? Not that we know of. We break Fedora compatibility but we can handle it with the smart upgrade script that detects the presence of the deny rules and bails out before updating the system asking the user to fix deny rules manually before updating. -- Thank you, Dmitri Pal Sr. Engineering Manager IPA project, Red Hat Inc. ------------------------------- Looking to carve out IT costs? www.redhat.com/carveoutcosts/ From JR.Aquino at citrix.com Wed Jun 29 22:21:22 2011
From: JR.Aquino at citrix.com (JR Aquino) Date: Wed, 29 Jun 2011 22:21:22 +0000 Subject: [Freeipa-devel] Proposal: drop DENY rules from HBAC In-Reply-To: <4E0BA1DB.3010809@redhat.com> References: <1309377629.6189.32.camel@sgallagh520.bos.redhat.com> <4E0B8A1D.6000505@redhat.com> <4E0BA1DB.3010809@redhat.com> Message-ID: <9D62EBD7-14FE-4699-B227-2E70F9DF4AB6@citrixonline.com> > >> >> I think that an explicit allow list is usually way better because with >> deny rules it's easy to fail to enumerate all entities that should be >> denied, resulting in allowing access we didn't want to. >> >> However, does anyone still remember why we opted for deny rules during >> design phase in the first place? > > IMO it was convenience. > >> Was it a compatibility with some existing system (that our users might >> be migrating from) or just to provide a convenient construct to our >> users? > > No other system we know of does this. > >> >> By removing the deny rules, do we break compatibility with anything >> else than the IPA tech preview in RHEL and upstream FreeIPA 2.0? > > > Not that we know of. We break Fedora compatibility but we can handle it > with the smart upgrade script that detects the presence of the deny > rules and bails out before updating the system asking user to fix deny > rules manually before updating. >> The Sudo implementation for FreeIPA has looked to HBAC for direction and similarity in a lot of ways. I would ask if we are going to remove 'deny' that we leave those pieces in reach for reference in future use when Sudo will need to try to integrate, as Sudo wants to have both permit and deny rules. From ayoung at redhat.com Thu Jun 30 02:28:15 2011
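The three-step HBAC evaluation order and the two fail-open cases Stephen describes (incomplete group membership in the SSSD cache, an unresolvable source host), as an added example that is not part of any post in this thread and not FreeIPA or SSSD code; the rule set, group names and host names are constructed, and the ALLOW-only rewrite shows the same intent failing closed on the same missing data:

```python
"""HBAC evaluation order with and without DENY rules.

Added example (not FreeIPA or SSSD code). Rules, groups and hosts are
constructed. Evaluation follows the order quoted in the thread:
  1) no ALLOW match            -> denied
  2) ALLOW match, no DENY match -> allowed
  3) any DENY match            -> denied
"""
from dataclasses import dataclass
from typing import FrozenSet, List, Optional


@dataclass(frozen=True)
class Rule:
    name: str
    kind: str                                 # "allow" or "deny"
    groups: FrozenSet[str] = frozenset()      # empty: any user
    services: FrozenSet[str] = frozenset()    # empty: any PAM service
    src_hosts: FrozenSet[str] = frozenset()   # empty: any source host


@dataclass(frozen=True)
class Request:
    user: str
    groups: FrozenSet[str]       # groups the evaluator knows right now (may be incomplete)
    service: str
    src_host: Optional[str]      # None: pam_rhost held an IP and reverse DNS failed


def rule_matches(rule: Rule, req: Request) -> bool:
    """A rule matches only when every populated condition is satisfied by the
    information the evaluator actually has; unknown data never matches."""
    user_ok = not rule.groups or bool(rule.groups & req.groups)
    service_ok = not rule.services or req.service in rule.services
    host_ok = not rule.src_hosts or (
        req.src_host is not None and req.src_host in rule.src_hosts)
    return user_ok and service_ok and host_ok


def evaluate(rules: List[Rule], req: Request) -> bool:
    """True when access is granted under the ALLOW/DENY order."""
    if not any(r.kind == "allow" and rule_matches(r, req) for r in rules):
        return False                       # step 1: nothing allows
    if any(r.kind == "deny" and rule_matches(r, req) for r in rules):
        return False                       # step 3: an exception applies
    return True                            # step 2


# Constructed rule sets expressing the same intent both ways.
ALLOW_DENY_RULES = [
    Rule("ops_ssh", "allow", groups=frozenset({"ops"}), services=frozenset({"sshd"})),
    Rule("no_contractors", "deny", groups=frozenset({"contractors"})),
    Rule("no_kiosk", "deny", src_hosts=frozenset({"kiosk.example.test"})),
]
ALLOW_ONLY_RULES = [
    # "ops-staff" is a group curated to exclude contractors; hosts are whitelisted.
    Rule("ops_staff_ssh", "allow", groups=frozenset({"ops-staff"}),
         services=frozenset({"sshd"}), src_hosts=frozenset({"laptop.example.test"})),
]


def decide(rules: List[Rule], known_groups, src_host: Optional[str]) -> bool:
    """Evaluate a constructed sshd login for user 'alice'."""
    req = Request("alice", frozenset(known_groups), "sshd", src_host)
    return evaluate(rules, req)


if __name__ == "__main__":
    # Complete data: the DENY exception does its job.
    print(decide(ALLOW_DENY_RULES, {"ops", "contractors"}, "laptop.example.test"))  # False
    # Offline cache missing the "contractors" membership: DENY silently fails to match.
    print(decide(ALLOW_DENY_RULES, {"ops"}, "laptop.example.test"))                 # True
    # Reverse DNS failed for the kiosk: the host-based DENY cannot match either.
    print(decide(ALLOW_DENY_RULES, {"ops"}, None))                                  # True
    # ALLOW-only: the same missing data makes the ALLOW fail, so access is denied.
    print(decide(ALLOW_ONLY_RULES, set(), "laptop.example.test"))                   # False
    print(decide(ALLOW_ONLY_RULES, {"ops-staff"}, None))                            # False
```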
From: ayoung at redhat.com (Adam Young) Date: Wed, 29 Jun 2011 22:28:15 -0400 Subject: [Freeipa-devel] [PATCH]0259-config-fields Message-ID: <4E0BDF3F.7070105@redhat.com> See attached screenshot -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-admiyo-0259-config-fields.patch Type: text/x-patch Size: 83079 bytes Desc: not available URL: -------------- next part -------------- A non-text attachment was scrubbed... Name: config_screen-with_sections.jpg Type: image/jpeg Size: 178671 bytes Desc: not available URL: From ayoung at redhat.com Thu Jun 30 02:31:11 2011 From: ayoung at redhat.com (Adam Young) Date: Wed, 29 Jun 2011 22:31:11 -0400 Subject: [Freeipa-devel] [PATCH]0259-config-fields In-Reply-To: <4E0BDF3F.7070105@redhat.com> References: <4E0BDF3F.7070105@redhat.com> Message-ID: <4E0BDFEF.4070708@redhat.com> On 06/29/2011 10:28 PM, Adam Young wrote: > See attached screenshot https://fedorahosted.org/freeipa/ticket/1406 as well From jdennis at redhat.com Thu Jun 30 14:04:41 2011
From: jdennis at redhat.com (John Dennis) Date: Thu, 30 Jun 2011 10:04:41 -0400 Subject: [Freeipa-devel] [PATCH] 811 Set the client auth callback after creating the SSL connection. In-Reply-To: <4E0B9210.6040603@redhat.com> References: <4E0B7838.7060200@redhat.com> <4E0B863C.6030501@redhat.com> <4E0B9210.6040603@redhat.com> Message-ID: <4E0C8279.50702@redhat.com> On 06/29/2011 04:58 PM, Rob Crittenden wrote: > John Dennis wrote: >> On 06/29/2011 03:08 PM, Rob Crittenden wrote: >>> If we set the callback before calling connect() then if the connection >>> tries a network family type and fails, it will try other family types. >>> If this happens then the callback set on the first socket will be lost >>> when a new socket is created. There is no way to query for the callback >>> in an existing socket. >> >> I'm tempted to NAK this. In part because I don't really understand why >> it works, but more because nsslib.py doesn't seem to be handling >> addresses, sockets and connections correctly. At first glance it appears >> to only create a new socket when switching families. I also don't >> understand the logic behind the family code. > > It works like this: > > - We create an NSSConnection() which automatically gives us an SSL socket > - We can add the callback here but if the connection fails a new socket > will be created. There is no way I can see to find the callback call. I > don't think this is even part of the C API so this isn't a deficiency in > python-nss. > - The connect() call just makes a network connection. NSS doesn't do > anything until the first bit of data gets written to the socket so we > can set the callback after the connection is completed. > > The default family is UNSPEC which is treated as IPv4. > >> But most importantly it seems to shutdown NSS every time you make a >> connection. What happens when you want more than one simultaneous >> connection? > > NSS is still very limited regarding having multiple NSS databases open > at once.
This code is meant to allow one to switch databases. Running > within Apache (and our framework) the shutdown will fail because things > in the database are in use, so this is a bit of a no-op. It is really > just needed in the installer where things are done serially, so again no > problem. > >> >> Maybe we need to open a ticket to review nsslib.py. >> > > A review of nsslib wouldn't hurt, it has had a lot tacked on since > inception, but we'd still have to deal with multiple databases, family > failover, etc. I'd rather do that as a next step. > > rob O.K. agree with all above. ACK -- John Dennis Looking to carve out IT costs? www.redhat.com/carveoutcosts/ From edewata at redhat.com Thu Jun 30 14:37:50 2011 From: edewata at redhat.com (Endi Sukma Dewata) Date: Thu, 30 Jun 2011 09:37:50 -0500 Subject: [Freeipa-devel] [PATCH] 193 Fixed hard-coded messages. Message-ID: <4E0C8A3E.9080708@redhat.com> Hard-coded messages in the UI have been replaced with I18n messages. Ticket #1396 -- Endi S. Dewata -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-edewata-0193-Fixed-hard-coded-messages.patch Type: text/x-patch Size: 113746 bytes Desc: not available URL: From ayoung at redhat.com Thu Jun 30 15:21:25 2011
From: ayoung at redhat.com (Adam Young) Date: Thu, 30 Jun 2011 11:21:25 -0400 Subject: [Freeipa-devel] [PATCH]0259-config-fields In-Reply-To: <4E0BDFEF.4070708@redhat.com> References: <4E0BDF3F.7070105@redhat.com> <4E0BDFEF.4070708@redhat.com> Message-ID: <4E0C9475.8080407@redhat.com> On 06/29/2011 10:31 PM, Adam Young wrote: > On 06/29/2011 10:28 PM, Adam Young wrote: >> See attached screenshot > https://fedorahosted.org/freeipa/ticket/1406 as well -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-admiyo-0259-1-config-fields.patch Type: text/x-patch Size: 83383 bytes Desc: not available URL: From edewata at redhat.com Thu Jun 30 16:45:57 2011 From: edewata at redhat.com (Endi Sukma Dewata) Date: Thu, 30 Jun 2011 11:45:57 -0500 Subject: [Freeipa-devel] [PATCH] 193 Fixed hard-coded messages. In-Reply-To: <4E0C8A3E.9080708@redhat.com> References: <4E0C8A3E.9080708@redhat.com> Message-ID: <4E0CA845.90905@redhat.com> On 6/30/2011 9:37 AM, Endi Sukma Dewata wrote: > Hard-coded messages in the UI have been replaced with I18n messages. > > Ticket #1396 Rebased. -- Endi S. Dewata -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-edewata-0193-Fixed-hard-coded-messages.patch Type: text/x-patch Size: 113746 bytes Desc: not available URL: From edewata at redhat.com Thu Jun 30 16:47:58 2011
From: edewata at redhat.com (Endi Sukma Dewata) Date: Thu, 30 Jun 2011 11:47:58 -0500 Subject: [Freeipa-devel] [PATCH] 194 Removed unused images. Message-ID: <4E0CA8BE.2060507@redhat.com> Images that are no longer used have been removed. Ticket #990 -- Endi S. Dewata From edewata at redhat.com Thu Jun 30 17:43:43 2011 From: edewata at redhat.com (Endi Sukma Dewata) Date: Thu, 30 Jun 2011 12:43:43 -0500 Subject: [Freeipa-devel] [PATCH] 194 Removed unused images. In-Reply-To: <4E0CA8BE.2060507@redhat.com> References: <4E0CA8BE.2060507@redhat.com> Message-ID: <4E0CB5CF.5070501@redhat.com> On 6/30/2011 11:47 AM, Endi Sukma Dewata wrote: > Images that are no longer used have been removed. > > Ticket #990 Patch attached. -- Endi S. Dewata -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-edewata-0194-Removed-unused-images.patch Type: text/x-patch Size: 63951 bytes Desc: not available URL: From ayoung at redhat.com Thu Jun 30 17:57:47 2011 From: ayoung at redhat.com (Adam Young) Date: Thu, 30 Jun 2011 13:57:47 -0400 Subject: [Freeipa-devel] [PATCH] 0260-config-widgets Message-ID: <4E0CB91B.7090305@redhat.com> -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-admiyo-0260-config-widgets.patch Type: text/x-patch Size: 2241 bytes Desc: not available URL: From ayoung at redhat.com Thu Jun 30 18:09:19 2011 
From: ayoung at redhat.com (Adam Young) Date: Thu, 30 Jun 2011 14:09:19 -0400 Subject: [Freeipa-devel] [PATCH] 194 Removed unused images. In-Reply-To: <4E0CB5CF.5070501@redhat.com> References: <4E0CA8BE.2060507@redhat.com> <4E0CB5CF.5070501@redhat.com> Message-ID: <4E0CBBCF.8030307@redhat.com> On 06/30/2011 01:43 PM, Endi Sukma Dewata wrote: > On 6/30/2011 11:47 AM, Endi Sukma Dewata wrote: >> Images that are no longer used have been removed. >> >> Ticket #990 > > Patch attached. ACK. Pushed to master From ayoung at redhat.com Thu Jun 30 18:10:34 2011
From: ayoung at redhat.com (Adam Young) Date: Thu, 30 Jun 2011 14:10:34 -0400 Subject: [Freeipa-devel] [PATCH]0259-config-fields In-Reply-To: <4E0C9475.8080407@redhat.com> References: <4E0BDF3F.7070105@redhat.com> <4E0BDFEF.4070708@redhat.com> <4E0C9475.8080407@redhat.com> Message-ID: <4E0CBC1A.6080705@redhat.com> On 06/30/2011 11:21 AM, Adam Young wrote: > On 06/29/2011 10:31 PM, Adam Young wrote: >> On 06/29/2011 10:28 PM, Adam Young wrote: >>> See attached screenshot >> https://fedorahosted.org/freeipa/ticket/1406 as well ACKed in IRC by rcrit and edewata, pushed to master From ayoung at redhat.com Thu Jun 30 18:56:55 2011
From: ayoung at redhat.com (Adam Young) Date: Thu, 30 Jun 2011 14:56:55 -0400 Subject: [Freeipa-devel] [PATCH] 193 Fixed hard-coded messages. In-Reply-To: <4E0CA845.90905@redhat.com> References: <4E0C8A3E.9080708@redhat.com> <4E0CA845.90905@redhat.com> Message-ID: <4E0CC6F7.6070407@redhat.com> On 06/30/2011 12:45 PM, Endi Sukma Dewata wrote: > On 6/30/2011 9:37 AM, Endi Sukma Dewata wrote: >> Hard-coded messages in the UI have been replaced with I18n messages. >> >> Ticket #1396 > > Rebased. ACK I had a problem applying your patch, so I regenerated the ipa_init.json file, rechecked it, added it to the rest of the patch, and pushed it. From edewata at redhat.com Thu Jun 30 18:54:31 2011 From: edewata at redhat.com (Endi Sukma Dewata) Date: Thu, 30 Jun 2011 13:54:31 -0500 Subject: [Freeipa-devel] [PATCH] 193 Fixed hard-coded messages. In-Reply-To: <4E0CA845.90905@redhat.com> References: <4E0C8A3E.9080708@redhat.com> <4E0CA845.90905@redhat.com> Message-ID: <4E0CC667.3010201@redhat.com> On 6/30/2011 11:45 AM, Endi Sukma Dewata wrote: > On 6/30/2011 9:37 AM, Endi Sukma Dewata wrote: >> Hard-coded messages in the UI have been replaced with I18n messages. >> >> Ticket #1396 > > Rebased. Sent the wrong patch, attached should be the right one. -- Endi S. Dewata -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-edewata-0193-2-Fixed-hard-coded-messages.patch Type: text/x-patch Size: 38463 bytes Desc: not available URL: From rcritten at redhat.com Thu Jun 30 20:48:52 2011
From: rcritten at redhat.com (Rob Crittenden) Date: Thu, 30 Jun 2011 16:48:52 -0400 Subject: [Freeipa-devel] [PATCH] 810 fix re-enrolling a host with a OTP In-Reply-To: <4E0A0B9F.9030402@redhat.com> References: <4E0A0B9F.9030402@redhat.com> Message-ID: <4E0CE134.8000809@redhat.com> Rob Crittenden wrote: > Don't set krbLastPwdChange when setting a host OTP password. > > We have no visibility into whether an entry has a keytab or not so > krbLastPwdChange is used as a rough guide. > > If this value exists during enrollment then it fails because the host is > considered already joined. This was getting set when an OTP was added to > a host that had already been enrolled (e.g. you enroll a host, unenroll > it, set an OTP, then try to re-enroll). The second enrollment was failing > because the enrollment plugin thought it was still enrolled because > krbLastPwdChange was set. > > https://fedorahosted.org/freeipa/ticket/1357 > > rob self-nack, found a corner case. rob From ayoung at redhat.com Thu Jun 30 20:54:43 2011
From: ayoung at redhat.com (Adam Young) Date: Thu, 30 Jun 2011 16:54:43 -0400 Subject: [Freeipa-devel] [PATCH] 23 Add ability to specify DNS reverse zone name by IP network address In-Reply-To: <4E0A18AA.7040304@redhat.com> References: <4E008B7B.6020404@redhat.com> <4E035324.4000607@redhat.com> <4E0A18AA.7040304@redhat.com> Message-ID: <4E0CE293.1050109@redhat.com> On 06/28/2011 02:08 PM, Rob Crittenden wrote: > Jan Cholasta wrote: >> On 21.6.2011 14:15, Jan Cholasta wrote: >>> This patch adds a new option name_from_ip to dnszone commands. Default >>> value of idnsname is created from this option. >>> >>> Honza >>> >> >> Fixed the API version number, added usage example to dns plugin help. >> >> https://fedorahosted.org/freeipa/ticket/1045 >> >> Honza > > Had quickie code review in IRC this morning. I asked for a comment > around the while loop, Honza suggested: This is to make chained > default_from work - idnssoarname default is created from idnsname and > idnsname default is created from name_from_ip - without this change, > idnssoarname default value isn't created when only name_from_ip is > specified. > > Would also be nice to have a test case for this new usage. > > rob NACK Finally got the code to run, and I realize that it is completely a client side operation. That won't work for the WebUI. The WebUI needs to use the same business logic as the CLI, but it cannot execute client side Python. Thus the API needs to accept the IP address, and calculate the reverse zone on it. The reverse zone should honor the netmask. A discussion earlier today decided that if no netmask is specified, use an assumed netmask of /64 for IPv6 and of /24 for IPv4. From ayoung at redhat.com Thu Jun 30 21:42:33 2011
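Deriving the reverse zone name server-side from an address or network with the netmask defaults agreed in the message above (/24 for IPv4, /64 for IPv6 when none is given), as an added example that is not Honza's patch or FreeIPA's dns plugin code; the trailing dot on the zone name and the octet/nibble alignment checks are assumptions of this example:

```python
"""Reverse zone name (in-addr.arpa / ip6.arpa) from an IP address or network.

Added example, not FreeIPA code. Honours an explicit prefix length; a bare
address gets the assumed default of /24 (IPv4) or /64 (IPv6). The absolute
(trailing-dot) zone name and the alignment checks are assumptions here.
"""
import ipaddress

ASSUMED_PREFIX = {4: 24, 6: 64}   # defaults agreed in the thread


def reverse_zone_from_ip(text: str) -> str:
    """Return the reverse zone covering `text` ("192.0.2.10", "10.1.0.0/16", "2001:db8::/48")."""
    if "/" in text:
        net = ipaddress.ip_network(text, strict=False)      # host bits are masked off
    else:
        addr = ipaddress.ip_address(text)
        net = ipaddress.ip_network(f"{addr}/{ASSUMED_PREFIX[addr.version]}", strict=False)

    if net.prefixlen == 0:
        raise ValueError("a /0 network has no reverse zone")

    if net.version == 4:
        # in-addr.arpa labels are whole octets, so the prefix must be octet-aligned.
        if net.prefixlen % 8:
            raise ValueError(f"/{net.prefixlen} is not octet-aligned; use /8, /16 or /24")
        labels = str(net.network_address).split(".")[: net.prefixlen // 8]
        suffix = "in-addr.arpa."
    else:
        # ip6.arpa labels are single hex nibbles, so the prefix must be nibble-aligned.
        if net.prefixlen % 4:
            raise ValueError(f"/{net.prefixlen} is not nibble-aligned")
        nibbles = net.network_address.exploded.replace(":", "")
        labels = list(nibbles[: net.prefixlen // 4])
        suffix = "ip6.arpa."

    return ".".join(reversed(labels)) + "." + suffix


if __name__ == "__main__":
    for sample in ("192.0.2.10", "10.1.0.0/16", "2001:db8::1", "2001:db8:abcd::/48"):
        print(f"{sample:>22} -> {reverse_zone_from_ip(sample)}")
```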
From: ayoung at redhat.com (Adam Young) Date: Thu, 30 Jun 2011 17:42:33 -0400 Subject: [Freeipa-devel] [PATCH] 0261-entity-link-for-password-policy Message-ID: <4E0CEDC9.8010001@redhat.com> -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-admiyo-0261-entity-link-for-password-policy.patch Type: text/x-patch Size: 3290 bytes Desc: not available URL: From edewata at redhat.com Thu Jun 30 23:46:57 2011 From: edewata at redhat.com (Endi Sukma Dewata) Date: Thu, 30 Jun 2011 18:46:57 -0500 Subject: [Freeipa-devel] [PATCH] 0260-config-widgets In-Reply-To: <4E0CB91B.7090305@redhat.com> References: <4E0CB91B.7090305@redhat.com> Message-ID: <4E0D0AF1.6020706@redhat.com> On 6/30/2011 12:57 PM, Adam Young wrote: > As mentioned in ticket #1409, the checkbox should have a label (i.e. Enabled). Otherwise it's not clear what the checkbox means for migration mode. Other than that it's ACKed. -- Endi S. Dewata